Remove BIND.

Approved by:	re (gjb)

1104 files changed, 231 insertions, 487338 deletions

diff --git a/Makefile.inc1 b/Makefile.inc1
index 84208d9..f6bbdbf 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -395,7 +395,7 @@ LIB32WMAKEFLAGS+=	\
 		-DNO_LINT
 
 LIB32WMAKE=	${LIB32WMAKEENV} ${MAKE} ${LIB32WMAKEFLAGS} \
-		-DWITHOUT_BIND -DWITHOUT_MAN -DWITHOUT_INFO -DWITHOUT_HTML
+		-DWITHOUT_MAN -DWITHOUT_INFO -DWITHOUT_HTML
 LIB32IMAKE=	${LIB32WMAKE:NINSTALL=*:NDESTDIR=*:N_LDSCRIPTROOT=*} -DNO_INCS \
 		${IMAKE_INSTALL}
 .endif
@@ -485,10 +485,6 @@ _worldtmp:
 	mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \
 	    -p ${WORLDTMP}/usr/lib >/dev/null
 .endif
-.if ${MK_BIND_LIBS} != "no"
-	mtree -deU -f ${.CURDIR}/etc/mtree/BIND.include.dist \
-	    -p ${WORLDTMP}/usr/include >/dev/null
-.endif
 .for _mtree in ${LOCAL_MTREE}
 	mtree -deU -f ${.CURDIR}/${_mtree} -p ${WORLDTMP} > /dev/null
 .endfor
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index e093be4..f3eaa69 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -38,6 +38,235 @@
 #   xargs -n1 | sort | uniq -d;
 # done
 
+# 20130930: BIND removed from base
+OLD_FILES+=etc/namedb
+OLD_FILES+=etc/periodic/daily/470.status-named
+OLD_FILES+=usr/bin/dig
+OLD_FILES+=usr/bin/nslookup
+OLD_FILES+=usr/bin/nsupdate
+OLD_DIRS+=usr/include/lwres
+OLD_FILES+=usr/include/lwres/context.h
+OLD_FILES+=usr/include/lwres/int.h
+OLD_FILES+=usr/include/lwres/ipv6.h
+OLD_FILES+=usr/include/lwres/lang.h
+OLD_FILES+=usr/include/lwres/list.h
+OLD_FILES+=usr/include/lwres/lwbuffer.h
+OLD_FILES+=usr/include/lwres/lwpacket.h
+OLD_FILES+=usr/include/lwres/lwres.h
+OLD_FILES+=usr/include/lwres/net.h
+OLD_FILES+=usr/include/lwres/netdb.h
+OLD_FILES+=usr/include/lwres/platform.h
+OLD_FILES+=usr/include/lwres/result.h
+OLD_FILES+=usr/include/lwres/version.h
+OLD_FILES+=usr/lib/liblwres.a
+OLD_FILES+=usr/lib/liblwres.so
+OLD_LIBS+=usr/lib/liblwres.so.50
+OLD_FILES+=usr/lib/liblwres_p.a
+OLD_FILES+=usr/sbin/arpaname
+OLD_FILES+=usr/sbin/ddns-confgen
+OLD_FILES+=usr/sbin/dnssec-dsfromkey
+OLD_FILES+=usr/sbin/dnssec-keyfromlabel
+OLD_FILES+=usr/sbin/dnssec-keygen
+OLD_FILES+=usr/sbin/dnssec-revoke
+OLD_FILES+=usr/sbin/dnssec-settime
+OLD_FILES+=usr/sbin/dnssec-signzone
+OLD_FILES+=usr/sbin/genrandom
+OLD_FILES+=usr/sbin/isc-hmac-fixup
+OLD_FILES+=usr/sbin/lwresd
+OLD_FILES+=usr/sbin/named
+OLD_FILES+=usr/sbin/named-checkconf
+OLD_FILES+=usr/sbin/named-checkzone
+OLD_FILES+=usr/sbin/named-compilezone
+OLD_FILES+=usr/sbin/named-journalprint
+OLD_FILES+=usr/sbin/named.reconfig
+OLD_FILES+=usr/sbin/named.reload
+OLD_FILES+=usr/sbin/nsec3hash
+OLD_FILES+=usr/sbin/rndc
+OLD_FILES+=usr/sbin/rndc-confgen
+OLD_DIRS+=usr/share/doc/bind9
+OLD_FILES+=usr/share/doc/bind9/CHANGES
+OLD_FILES+=usr/share/doc/bind9/COPYRIGHT
+OLD_FILES+=usr/share/doc/bind9/FAQ
+OLD_FILES+=usr/share/doc/bind9/HISTORY
+OLD_FILES+=usr/share/doc/bind9/README
+OLD_DIRS+=usr/share/doc/bind9/arm
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch01.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch02.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch03.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch04.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch05.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch06.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch07.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch08.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch09.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch10.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.html
+OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.pdf
+OLD_FILES+=usr/share/doc/bind9/arm/man.arpaname.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.ddns-confgen.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.dig.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-dsfromkey.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-keyfromlabel.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-keygen.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-revoke.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-settime.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-signzone.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-verify.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.genrandom.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.host.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.isc-hmac-fixup.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.named-checkconf.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.named-checkzone.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.named-journalprint.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.named.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.nsec3hash.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.nsupdate.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.rndc-confgen.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.rndc.conf.html
+OLD_FILES+=usr/share/doc/bind9/arm/man.rndc.html
+OLD_DIRS+=usr/share/doc/bind9/misc
+OLD_FILES+=usr/share/doc/bind9/misc/dnssec
+OLD_FILES+=usr/share/doc/bind9/misc/format-options.pl
+OLD_FILES+=usr/share/doc/bind9/misc/ipv6
+OLD_FILES+=usr/share/doc/bind9/misc/migration
+OLD_FILES+=usr/share/doc/bind9/misc/migration-4to9
+OLD_FILES+=usr/share/doc/bind9/misc/options
+OLD_FILES+=usr/share/doc/bind9/misc/rfc-compliance
+OLD_FILES+=usr/share/doc/bind9/misc/roadmap
+OLD_FILES+=usr/share/doc/bind9/misc/sdb
+OLD_FILES+=usr/share/doc/bind9/misc/sort-options.pl
+OLD_FILES+=usr/share/man/man1/arpaname.1.gz
+OLD_FILES+=usr/share/man/man1/dig.1.gz
+OLD_FILES+=usr/share/man/man1/nslookup.1.gz
+OLD_FILES+=usr/share/man/man1/nsupdate.1.gz
+OLD_FILES+=usr/share/man/man3/lwres.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_addr_parse.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_add.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_back.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_clear.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_first.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_forward.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_getmem.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_getuint16.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_getuint32.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_getuint8.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_init.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_invalidate.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_putmem.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_putuint16.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_putuint32.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_putuint8.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_buffer_subtract.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_conf_clear.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_conf_get.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_conf_init.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_conf_parse.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_conf_print.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_config.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_context.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_context_allocmem.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_context_create.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_context_destroy.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_context_freemem.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_context_initserial.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_context_nextserial.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_context_sendrecv.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_endhostent.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_endhostent_r.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_freeaddrinfo.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_freehostent.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gabn.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gabnrequest_free.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gabnrequest_parse.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gabnrequest_render.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gabnresponse_free.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gabnresponse_parse.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gabnresponse_render.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gai_strerror.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_getaddrinfo.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_getaddrsbyname.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gethostbyaddr.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gethostbyaddr_r.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gethostbyname.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gethostbyname2.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gethostbyname_r.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gethostent.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gethostent_r.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_getipnode.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_getipnodebyaddr.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_getipnodebyname.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_getnamebyaddr.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_getnameinfo.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_getrrsetbyname.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gnba.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gnbarequest_free.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gnbarequest_parse.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gnbarequest_render.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gnbaresponse_free.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gnbaresponse_parse.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_gnbaresponse_render.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_herror.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_hstrerror.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_inetntop.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_lwpacket_parseheader.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_lwpacket_renderheader.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_net_ntop.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_noop.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_nooprequest_free.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_nooprequest_parse.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_nooprequest_render.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_noopresponse_free.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_noopresponse_parse.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_noopresponse_render.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_packet.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_resutil.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_sethostent.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_sethostent_r.3.gz
+OLD_FILES+=usr/share/man/man3/lwres_string_parse.3.gz
+OLD_FILES+=usr/share/man/man5/named.conf.5.gz
+OLD_FILES+=usr/share/man/man5/rndc.conf.5.gz
+OLD_FILES+=usr/share/man/man8/ddns-confgen.8.gz
+OLD_FILES+=usr/share/man/man8/dnssec-dsfromkey.8.gz
+OLD_FILES+=usr/share/man/man8/dnssec-keyfromlabel.8.gz
+OLD_FILES+=usr/share/man/man8/dnssec-keygen.8.gz
+OLD_FILES+=usr/share/man/man8/dnssec-revoke.8.gz
+OLD_FILES+=usr/share/man/man8/dnssec-settime.8.gz
+OLD_FILES+=usr/share/man/man8/dnssec-signzone.8.gz
+OLD_FILES+=usr/share/man/man8/genrandom.8.gz
+OLD_FILES+=usr/share/man/man8/isc-hmac-fixup.8.gz
+OLD_FILES+=usr/share/man/man8/lwresd.8.gz
+OLD_FILES+=usr/share/man/man8/named-checkconf.8.gz
+OLD_FILES+=usr/share/man/man8/named-checkzone.8.gz
+OLD_FILES+=usr/share/man/man8/named-compilezone.8.gz
+OLD_FILES+=usr/share/man/man8/named-journalprint.8.gz
+OLD_FILES+=usr/share/man/man8/named.8.gz
+OLD_FILES+=usr/share/man/man8/named.reconfig.8.gz
+OLD_FILES+=usr/share/man/man8/named.reload.8.gz
+OLD_FILES+=usr/share/man/man8/nsec3hash.8.gz
+OLD_FILES+=usr/share/man/man8/rndc-confgen.8.gz
+OLD_FILES+=usr/share/man/man8/rndc.8.gz
+OLD_DIRS+=var/named/dev
+OLD_DIRS+=var/named/etc
+OLD_DIRS+=var/named/etc/namedb
+OLD_FILES+=var/named/etc/namedb/PROTO.localhost-v6.rev
+OLD_FILES+=var/named/etc/namedb/PROTO.localhost.rev
+OLD_DIRS+=var/named/etc/namedb/dynamic
+OLD_FILES+=var/named/etc/namedb/make-localhost
+OLD_DIRS+=var/named/etc/namedb/master
+OLD_FILES+=var/named/etc/namedb/master/empty.db
+OLD_FILES+=var/named/etc/namedb/master/localhost-forward.db
+OLD_FILES+=var/named/etc/namedb/master/localhost-reverse.db
+#OLD_FILES+=var/named/etc/namedb/named.conf	# intentionally left out
+OLD_FILES+=var/named/etc/namedb/named.root
+OLD_DIRS+=var/named/etc/namedb/slave
+OLD_DIRS+=var/named/var
+OLD_DIRS+=var/named/var/dump
+OLD_DIRS+=var/named/var/log
+OLD_DIRS+=var/named/var/run
+OLD_DIRS+=var/named/var/run/named
+OLD_DIRS+=var/named/var/stats
+OLD_DIRS+=var/run/named
 # 20130908: libssh becomes private
 OLD_FILES+=usr/lib/libssh.a
 OLD_FILES+=usr/lib/libssh.so
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
deleted file mode 100644
index 4e3152f..0000000
--- a/contrib/bind9/CHANGES
+++ /dev/null
@@ -1,11412 +0,0 @@
-	--- 9.9.3-P2 released ---
-
-3621.	[security]	Incorrect bounds checking on private type 'keydata'
-			can lead to a remotely triggerable REQUIRE failure
-			(CVE-2013-4854). [RT #34238]
-
-	--- 9.9.3-P1 released ---
-
-3584.	[security]	Caching data from an incompletely signed zone could
-			trigger an assertion failure in resolver.c [RT #33690]
-
-	--- 9.9.3 released ---
-
-3568.	[cleanup]	Add a product description line to the version file,
-			to be reported by named -v/-V. [RT #33366]
-
-3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
-
-3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
-
-3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
-			or NOTIMP.  Adjust usage message. [RT #33363]
-
-	--- 9.9.3rc2 released ---
-
-3560.	[bug]		isc-config.sh did not honor includedir and libdir
-			when set via configure. [RT #33345]
-
-3559.	[func]		Check that both forms of Sender Policy Framework
-			records exist or do not exist. [RT #33355]
-
-3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
-
-3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
-
-3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
-
-3555.	[bug]		Address theoretical race conditions in acache.c
-			(change #3553 was incomplete). [RT #33252]
-
-3553.	[bug]		Address suspected double free in acache. [RT #33252]
-
-3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
-			[RT #33280]
-
-3549.	[doc]		Documentation for "request-nsid" was missing.
-			[RT #33153]
-
-3548.	[bug]		The NSID request code in resolver.c was broken
-			resulting in invalid EDNS options being sent.
-			[RT #33153]
-
-3547.	[bug]		Some malformed unknown rdata records were not properly
-			detected and rejected. [RT #33129]
-
-	--- 9.9.3rc1 released ---
-
-3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
-
-3544.	[contrib]	check5011.pl: Script to report the status of
-			managed keys as recorded in managed-keys.bind.
-			Contributed by Tony Finch <dot@dotat.at>
-
-3543.	[bug]		Update socket structure before attaching to socket
-			manager after accept. [RT #33084]
-
-3541.	[bug]		Parts of libdns were not properly initialized when
-			built in libexport mode. [RT #33028]
-
-3540.	[test]		libt_api: t_info and t_assert were not thread safe.
-
-3539.	[port]		win32: timestamp format didn't match other platforms.
-
-3538.	[test]		Running "make test" now requires loopback interfaces
-			to be set up. [RT #32452]
-
-3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
-			to peers before being dumped to disk rather than
-			after. [RT #27242]
-
-3535.	[bug]		Minor win32 cleanups. [RT #32962]
-
-3534.	[bug]		Extra text after an embedded NULL was ignored when
-			parsing zone files. [RT #32699]
-
-3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
-
-3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
-
-3531.	[bug]		win32: A uninitialized value could be returned on out
-			of memory. [RT #32960]
-
-3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
-
-3528.	[func]		New "dnssec-coverage" command scans the timing
-			metadata for a set of DNSSEC keys and reports if a
-			lapse in signing coverage has been scheduled
-			inadvertently. (Note: This tool depends on python;
-			it will not be built or installed on systems that
-			do not have a python interpreter.) [RT #28098]
-
-3527.	[compat]	Add a URI to allow applications to explicitly
-			request a particular XML schema from the statistics
-			channel, returning 404 if not supported. [RT #32481]
-
-3526.	[cleanup]	Set up dependencies for unit tests correctly during
-			build. [RT #32803]
-
-3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
-
-3520.	[bug]		'mctx' was not being referenced counted in some places
-			where it should have been.  [RT #32794]
-
-	--- 9.9.3b2 released ---
-
-3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
-
-3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
-
-3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
-			rndc-confgen were too constrained. Keys up to 512
-			bits are now allowed for most algorithms, and up
-			to 1024 bits for hmac-sha384 and hmac-sha512.
-			[RT #32753]
-
-3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
-
-3509.	[cleanup]	Added a product line to version file to allow for
-			easy naming of different products (BIND
-			vs BIND ESV, for example). [RT #32755]
-
-3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
-			[RT #32338]
-
-3507.	[bug]		Statistics channel XSL (when built with
-			--enable-newstats) had a glitch when attempting
-			to chart query data before any queries had been
-			received. [RT #32620]
-
-3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
-			larger values than 4 gigabytes could not be set
-			explicitly, though larger sizes were available
-			when setting cache size to 0. This has been
-			corrected; the full range is now available.
-			[RT #32358]
-
-3503.	[doc]		Clarify size_spec syntax. [RT #32449]
-
-3501.	[func]		zone-statistics now takes three options: full,
-			terse, and none. "yes" and "no" are retained as
-			synonyms for full and terse, respectively. [RT #29165]
-
-3500.	[security]	Support NAPTR regular expression validation on
-			all platforms without using libregex, which
-			can be vulnerable to memory exhaustion attack
-			(CVE-2013-2266). [RT #32688]
-
-3499.	[doc]		Corrected ARM documentation of built-in zones.
-			[RT #32694]
-
-3498.	[bug]		zone statistics for zones which matched a potential
-			empty zone could have their zone-statistics setting
-			overridden.
-
-3496.	[func]		Improvements to RPZ performance. The "response-policy"
-			syntax now includes a "min-ns-dots" clause, with
-			default 1, to exclude top-level domains from
-			NSIP and NSDNAME checking. --enable-rpz-nsip and
-			--enable-rpz-nsdname are now the default. [RT #32251]
-
-3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
-			contributed by Mark Goldfinch. [RT #32549]
-
-3492.	[bug]		Fixed a regression in zone loading performance
-			due to lock contention. [RT #30399]
-
-3491.	[bug]		Slave zones using inline-signing must specify a
-			file name. [RT #31946]
-
-3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
-			When cloning a rdataset do not copy the link contents.
-			[RT #32651]
-
-3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
-
-3487.	[bug]		Change 3444 was not complete.  There was a additional
-			place where the NOQNAME proof needed to be saved.
-			[RT #32629]
-
-3486.	[bug]		named could crash when using TKEY-negotiated keys
-			that had been deleted and then recreated. [RT #32506]
-
-3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
-
-3483.	[bug]		Corrected XSL code in use with --enable-newstats.
-			[RT #32587]
-
-3481.	[cleanup]	Removed use of const const in atf.
-
-3480.	[bug]		Silence logging noise when setting up zone
-			statistics. [RT #32525]
-
-3479.	[bug]		Address potential memory leaks in gssapi support
-			code. [RT #32405]
-
-3478.	[port]		Fix a build failure in strict C99 environments
-			[RT #32475]
-
-3474.	[bug]		nsupdate could assert when the local and remote
-			address families didn't match. [RT #22897]
-
-3473.	[bug]		dnssec-signzone/verify could incorrectly report
-			an error condition due to an empty node above an
-			opt-out delegation lacking an NSEC3. [RT #32072]
-
-3471.	[bug]		The number of UDP dispatches now defaults to
-			the number of CPUs even if -n has been set to
-			a higher value. [RT #30964]
-
-3470.	[bug]		Slave zones could fail to dump when successfully
-			refreshing after an initial failure. [RT #31276]
-
-	--- 9.9.3b1 released ---
-
-3468.	[security]	RPZ rules to generate A records (but not AAAA records)
-			could trigger an assertion failure when used in
-			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
-
-3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
-			to check for delete date < inactive date. [RT #31719]
-
-3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
-			in DLZ example driver. [RT #32275]
-
-3465.	[bug]		Handle isolated reserved ports. [RT #31778]
-
-3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
-			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
-
-3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
-
-3462.	[doc]		Clarify server selection behavior of dig when using
-			-4 or -6 options. [RT #32181]
-
-3461.	[bug]		Negative responses could incorrectly have AD=1
-			set. [RT #32237]
-
-3460.	[bug]		Only link against readline where needed. [RT #29810]
-
-3458.	[bug]		Return FORMERR when presented with a overly long
-			domain named in a request. [RT #29682]
-
-3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
-
-3456.	[port]		g++47: ATF failed to compile. [RT #32012]
-
-3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
-
-3454.	[port]		sparc64: improve atomic support. [RT #25182]
-
-3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
-			failed. [RT #31960]
-
-3452.	[bug]		Accept duplicate singleton records. [RT #32329]
-
-3451.	[port]		Increase per thread stack size from 64K to 1M.
-			[RT #32230]
-
-3450.	[bug]		Stop logfileconfig system test spam system logs.
-			[RT #32315]
-
-3449.	[bug]		gen.c: use the pre-processor to construct format
-			strings so that compiler can perform sanity checks;
-			check the snprintf results. [RT #17576]
-
-3448.	[bug]		The allow-query-on ACL was not processed correctly.
-			[RT #29486]
-
-3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
-
-3446.	[port]		win32: Add source ID (see change #3400) to build.
-			[RT #31683]
-
-3445.	[bug]		Warn about zone files with blank owner names
-			immediately after $ORIGIN directives. [RT #31848]
-
-3444.	[bug]		The NOQNAME proof was not being returned from cached
-			insecure responses. [RT #21409]
-
-3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
-			rejected when generating keys. [RT #31927]
-
-3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
-			change. [RT #32216]
-
-3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
-
-3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
-			cleaning up due to out of memory error. [RT #32131]
-
-3439.	[bug]		contrib/dlz error checking fixes. [RT #32102]
-
-3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
-
-3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
-			buffers with constant data. [RT #32064]
-
-3436.	[bug]		Check malloc/calloc return values. [RT #32088]
-
-3435.	[bug]		Cross compilation support in configure was broken.
-			[RT #32078]
-
-3431.	[bug]		ddns-confgen: Some valid key algorithms were
-			not accepted. [RT #31927]
-
-3430.	[bug]		win32: isc_time_formatISO8601 was missing the
-			'T' between the date and time. [RT #32044]
-
-3429.	[bug]		dns_zone_getserial2 could a return success without
-			returning a valid serial. [RT #32007]
-
-3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
-
-3427.	[bug]		dig +trace incorrectly displayed name server
-			addresses instead of names. [RT #31641]
-
-3426.	[bug]		dnssec-checkds: Clearer output when records are not
-			found. [RT #31968]
-
-3425.	[bug]		"acacheentry" reference counting was broken resulting
-			in use after free. [RT #31908]
-
-3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
-			[RT #31951]
-
-3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
-			range of possible values.  Address portability issues.
-			[RT #31938]
-
-3422.	[bug]		Added a clear error message for when the SOA does not
-			match the referral. [RT #31281]
-
-3421.	[bug]		Named loops when re-signing if all keys are offline.
-			[RT #31916]
-
-3420.	[bug]		Address VPATH compilation issues. [RT #31879]
-
-3419.	[bug]		Memory leak on validation cancel. [RT #31869]
-
-3417.	[func]		Optional new XML schema (version 3.0) for the
-			statistics channel adds query type statistics at the
-			zone level, and flattens the XML tree and uses
-			compressed format to optimize parsing. Includes new XSL
-			that permits charting via the Google Charts API on
-			browsers that support javascript in XSL.  To enable,
-			build with "configure --enable-newstats". [RT #30023]
-
-3416.	[bug]		Named could die on shutdown if running with 128 UDP
-			dispatches per interface. [RT #31743]
-
-3415.	[bug]		named could die with a REQUIRE failure if a validation
-			was canceled. [RT #31804]
-
-3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
-
-3412.	[bug]		Copy timeval structure from control message data.
-			[RT #31548]
-
-3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
-			to UDP. [RT #31690]
-
-3410.	[bug]		Addressed Coverity warnings. [RT #31626]
-
-3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
-			from X.509 certificates, for use with DANE
-			(DNS-based Authentication of Named Entities).
-			[RT #30513]
-
-3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
-			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
-			are now legal in slave zones as long as
-			inline-signing is in use. [RT #31078]
-
-3406.	[bug]		mem.c: Fix compilation errors when building with
-			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
-			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
-
-3405.	[bug]		Handle time going backwards in acache. [RT #31253]
-
-3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
-			RRSIG and NSEC records from nodes that used to be
-			in-zone but are now below a zone cut. [RT #31556]
-
-3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
-
-3402.	[test]		The IPv6 interface numbers used for system
-			tests were incorrect on some platforms. [RT #25085]
-
-3401.	[bug]		Addressed Coverity warnings. [RT #31484]
-
-3400.	[cleanup]	"named -V" can now report a source ID string, defined
-			in the "srcid" file in the build tree and normally set
-			to the most recent git hash.  [RT #31494]
-
-3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
-			clash.  [RT #31515]
-
-3398.	[bug]		SOA parameters were not being updated with inline
-			signed zones if the zone was modified while the
-			server was offline. [RT #29272]
-
-3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
-
-3396.	[bug]		OPT records were incorrectly removed from signed,
-			truncated responses. [RT #31439]
-
-3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
-			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
-			[RT #31336]
-
-3394.	[bug]		Adjust 'successfully validated after lower casing
-			signer' log level and category. [RT #31414]
-
-3393.	[bug]		'host -C' could core dump if REFUSED was received.
-			[RT #31381]
-
-3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
-			[RT #31262]
-
-3390.	[bug]		Silence clang compiler warnings. [RT #30417]
-
-3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
-
-3388.	[bug]		Fixed several Coverity warnings.
-			Note: This change includes a fix for a bug that
-			was subsequently determined to be an exploitable
-			security vulnerability, CVE-2012-5688: named could
-			die on specific queries with dns64 enabled.
-			[RT #30996]
-
-3386.	[bug]		Address locking violation when generating new NSEC /
-			NSEC3 chains. [RT #31224]
-
-3385.	[bug]		named-checkconf didn't detect missing master lists
-			in also-notify clauses. [RT #30810]
-
-3384.	[bug]		Improved logging of crypto errors. [RT #30963]
-
-3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
-			if set, regardless of the address family in use.
-			[RT #24173]
-
-3381.	[contrib]	Update queryperf to support more RR types.
-			[RT #30762]
-
-3380.	[bug]		named could die if a nonexistent master list was
-			referenced in a also-notify. [RT #31004]
-
-3379.	[bug]		isc_interval_zero and isc_time_epoch should be
-			"const (type)* const". [RT #31069]
-
-3378.	[bug]		Handle missing 'managed-keys-directory' better.
-			[RT #30625]
-
-3377.	[bug]		Removed spurious newline from NSEC3 multiline
-			output. [RT #31044]
-
-3376.	[bug]		Lack of EDNS support was being recorded without a
-			successful response. [RT #30811]
-
-3375.	[func]		Check that 'rndc dumpdb' works on a empty cache.
-			[RT #30808]
-
-3374.	[bug]		isc_parse_uint32 failed to return a range error on
-			systems with 64 bit longs. [RT #30232]
-
-3372.	[bug]		Silence spurious "deleted from unreachable cache"
-			messages.  [RT #30501]
-
-3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
-			add NS RRsets to the additional section or not.
-			[RT #30479]
-
-3316.	[tuning]	Improved locking performance when recursing.
-			[RT #28836]
-
-3315.	[tuning]	Use multiple dispatch objects for sending upstream
-			queries; this can improve performance on busy
-			multiprocessor systems by reducing lock contention.
-			[RT #28605]
-
-	--- 9.9.2 released ---
-
-3383.	[security]	A certain combination of records in the RBT could
-			cause named to hang while populating the additional
-			section of a response. [RT #31090]
-
-3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
-
-3364.	[security]	Named could die on specially crafted record.
-			[RT #30416]
-
-	--- 9.9.2rc1 released ---
-
-3370.	[bug]		Address use after free while shutting down. [RT #30241]
-
-3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
-			if built with readline support. [RT #29550]
-
-3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
-			were not C++ safe.
-
-3367.	[bug]		dns_dnsseckey_create() result was not being checked.
-			[RT #30685]
-
-3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
-			atomic operations. [RT #25181]
-
-3365.	[bug]		Removed spurious newlines from log messages in
-			zone.c [RT #30675]
-
-3363.	[bug]		Need to allow "forward" and "fowarders" options
-			in static-stub zones; this had been overlooked.
-			[RT #30482]
-
-3362.	[bug]		Setting some option values to 0 in named.conf
-			could trigger an assertion failure on startup.
-			[RT #27730]
-
-3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
-			when salt was set to '-' (no salt). [RT #30099]
-
-3360.	[bug]		'host -w' could die.  [RT #18723]
-
-3359.	[bug]		An improperly-formed TSIG secret could cause a
-			memory leak. [RT #30607]
-
-3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
-
-3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
-			approaching their expiry, so they don't remain
-			in caches after expiry. [RT #26429]
-
-3355.	[port]		Use more portable awk in verify system test.
-
-3354.	[func]		Improve OpenSSL error logging. [RT #29932]
-
-	--- 9.9.2b1 released ---
-
-3353.	[bug]		Use a single task for task exclusive operations.
-			[RT #29872]
-
-3352.	[bug]		Ensure that learned server attributes timeout of the
-			adb cache. [RT #29856]
-
-3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
-			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
-			memory debugging flags are set. [RT #30243]
-
-3350.	[bug]		Memory read overrun in isc___mem_reallocate if
-			ISC_MEM_DEBUGCTX memory debugging flag is set.
-			[RT #30240]
-
-3349.	[bug]		Change #3345 was incomplete. [RT #30233]
-
-3348.	[bug]		Prevent RRSIG data from being cached if a negative
-			record matching the covering type exists at a higher
-			trust level. Such data already can't be retrieved from
-			the cache since change 3218 -- this prevents it
-			being inserted into the cache as well. [RT #26809]
-
-3347.	[bug]		dnssec-settime: Issue a warning when writing a new
-			private key file would cause a change in the
-			permissions of the existing file. [RT #27724]
-
-3346.	[security]	Bad-cache data could be used before it was
-			initialized, causing an assert. [RT #30025]
-
-3345.	[bug]		Addressed race condition when removing the last item
-			or inserting the first item in an ISC_QUEUE.
-			[RT #29539]
-
-3344.	[func]		New "dnssec-checkds" command checks a zone to
-			determine which DS records should be published
-			in the parent zone, or which DLV records should be
-			published in a DLV zone, and queries the DNS to
-			ensure that it exists. (Note: This tool depends
-			on python; it will not be built or installed on
-			systems that do not have a python interpreter.)
-			[RT #28099]
-
-3342.	[bug]		Change #3314 broke saving of stub zones to disk
-			resulting in excessive cpu usage in some cases.
-			[RT #29952]
-
-3341.	[func]		New "dnssec-verify" command checks a signed zone
-			to ensure correctness of signatures and of NSEC/NSEC3
-			chains. [RT #23673]
-
-3339.	[func]		Allow the maximum supported rsa exponent size to be
-			specified: "max-rsa-exponent-size <value>;" [RT #29228]
-
-3338.	[bug]		Address race condition in units tests: asyncload_zone
-			and asyncload_zt. [RT #26100]
-
-3337.	[bug]		Change #3294 broke support for the multiple keys
-			in controls. [RT #29694]
-
-3335.	[func]		nslookup: return a nonzero exit code when unable
-			to get an answer. [RT #29492]
-
-3334.	[bug]		Hold a zone table reference while performing a
-			asynchronous load of a zone. [RT #28326]
-
-3333.	[bug]		Setting resolver-query-timeout too low can cause
-			named to not recover if it loses connectivity.
-			[RT #29623]
-
-3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
-
-3331.	[security]	dns_rdataslab_fromrdataset could produce bad
-			rdataslabs. [RT #29644]
-
-3330.	[func]		Fix missing signatures on NOERROR results despite
-			RPZ rewriting.  Also
-			 - add optional "recursive-only yes|no" to the
-			   response-policy statement
-			 - add optional "max-policy-ttl" to the response-policy
-			    statement to limit the false data that
-			    "recursive-only no" can introduce into
-			    resolvers' caches
-			 - add a RPZ performance test to bin/tests/system/rpz
-			     when queryperf is available.
-			 - the encoding of PASSTHRU action to "rpz-passthru".
-			     (The old encoding is still accepted.)
-		       [RT #26172]
-
-
-3329.	[bug]		Handle RRSIG signer-name case consistently: We
-			generate RRSIG records with the signer-name in
-			lower case.  We accept them with any case, but if
-			they fail to validate, we try again in lower case.
-			[RT #27451]
-
-3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
-			[RT #29401]
-
-3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
-
-	--- 9.9.1 released ---
-
-3318.	[tuning]	Reduce the amount of work performed while holding a
-			bucket lock when finished with a fetch context.
-			[RT #29239]
-
-3314.	[bug]		The masters list could be updated while stub_callback
-			or refresh_callback were using it. [RT #26732]
-
-3313.	[protocol]	Add TLSA record type. [RT #28989]
-
-3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
-			[RT #27631]
-
-3311.	[bug]		Abort the zone dump if zone->db is NULL in
-			zone.c:zone_gotwritehandle. [RT #29028]
-
-3310.	[test]		Increase table size for mutex profiling. [RT #28809]
-
-3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
-			[RT #27995]
-
-3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
-			[RT #28956]
-
-3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]
-
-3305.	[func]		Add wire format lookup method to sdb. [RT #28563]
-
-3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
-			[RT #28571]
-
-3303.	[bug]		named could die when reloading. [RT #28606]
-
-3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
-			keys if the zone name contained character that
-			required special mappings. [RT #28600]
-
-3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
-			for non-recursive queries. [RT #28565]
-
-3300.	[bug]		Named could die if gssapi was enabled in named.conf
-			but was not compiled in. [RT #28338]
-
-3299.	[bug]		Make SDB handle errors from database drivers better.
-			[RT #28534]
-
-3298.	[bug]		Named could dereference a NULL pointer in
-			zmgr_start_xfrin_ifquota if the zone was being removed.
-			[RT #28419]
-
-3297.	[bug]		Named could die on a malformed master file. [RT #28467]
-
-3296.	[bug]		Named could die with a INSIST failure in
-			client.c:exit_check. [RT #28346]
-
-3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
-			portable. [RT # 26542]
-
-3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
-			error. [RT #28265]
-
-3291.	[port]		Fixed a build error on systems without ENOTSUP.
-			[RT #28200]
-
-3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]
-
-3273.	[bug]		AAAA responses could be returned in the additional
-			section even when filter-aaaa-on-v4 was in use.
-			[RT #27292]
-
-	--- 9.9.0 released ---
-
-	--- 9.9.0rc4 released ---
-
-3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]
-
-3288.	[bug]		dlz_destroy() function wasn't correctly registered
-			by the DLZ dlopen driver. [RT #28056]
-
-3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]
-
-3286.	[bug]		Managed key maintenance timer could fail to start
-			after 'rndc reconfig'. [RT #26786]
-
-	--- 9.9.0rc3 released ---
-
-3285.	[bug]		val-frdataset was incorrectly disassociated in
-			proveunsecure after calling startfinddlvsep.
-			[RT #27928]
-
-3284.	[bug]		Address race conditions with the handling of
-			rbtnode.deadlink. [RT #27738]
-
-3283.	[bug]		Raw zones with with more than 512 records in a RRset
-			failed to load. [RT #27863]
-
-3282.	[bug]		Restrict the TTL of NS RRset to no more than that
-			of the old NS RRset when replacing it.
-			[RT #27792] [RT #27884]
-
-3281.	[bug]		SOA refresh queries could be treated as cancelled
-			despite succeeding over the loopback interface.
-			[RT #27782]
-
-3280.	[bug]		Potential double free of a rdataset on out of memory
-			with DNS64. [RT #27762]
-
-3279.	[bug]		Hold a internal reference to the zone while performing
-			a asynchronous load.  Address potential memory leak
-			if the asynchronous is cancelled. [RT #27750]
-
-3278.	[bug]		Make sure automatic key maintenance is started
-			when "auto-dnssec maintain" is turned on during
-			"rndc reconfig". [RT #26805]
-
-3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
-
-3276.	[bug]		win32: ns_os_openfile failed to return NULL on
-			safe_open failure. [RT #27696]
-
-3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
-			option had been misspelled as '-clear'.  (To avoid
-			future confusion, both options now work.) [RT #27173]
-
-3271.	[port]		darwin: mksymtbl is not always stable, loop several
-			times before giving up.  mksymtbl was using non
-			portable perl to covert 64 bit hex strings. [RT #27653]
-
-	--- 9.9.0rc2 released ---
-
-3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
-			when inline-signing was in use. [RT #27650]
-
-3269.	[port]		darwin 11 and later now built threaded by default.
-
-3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
-			out the earliest expiry time. [RT #23311]
-
-3267.	[bug]		Memory allocation failures could be mis-reported as
-			unexpected error.  New ISC_R_UNSET result code.
-			[RT #27336]
-
-3266.	[bug]		The maximum number of NSEC3 iterations for a
-			DNSKEY RRset was not being properly computed.
-			[RT #26543]
-
-3265.	[bug]		Corrected a problem with lock ordering in the
-			inline-signing code. [RT #27557]
-
-3264.	[bug]		Automatic regeneration of signatures in an
-			inline-signing zone could stall when the server
-			was restarted. [RT #27344]
-
-3263.	[bug]		"rndc sync" did not affect the unsigned side of an
-			inline-signing zone. [RT #27337]
-
-3262.	[bug]		Signed responses were handled incorrectly by RPZ.
-			[RT #27316]
-
-3261.	[func]		RRset ordering now defaults to random. [RT #27174]
-
-3260.	[bug]		"rrset-order cyclic" could appear not to rotate
-			for some query patterns.  [RT #27170/27185]
-
-	--- 9.9.0rc1 released ---
-
-3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
-			message when writing to stdout. [RT #27109]
-
-3258.	[test]		Add "forcing full sign with unreadable keys" test.
-			[RT #27153]
-
-3257.	[bug]		Do not generate a error message when calling fsync()
-			in a pipe or socket. [RT #27109]
-
-3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]
-
-3255.	[func]		No longer require that a empty zones be explicitly
-			enabled or that a empty zone is disabled for
-			RFC 1918 empty zones to be configured. [RT #27139]
-
-3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
-			[RT #22249]
-
-3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
-			too long. [RT #26956]
-
-3252.	[bug]		When master zones using inline-signing were
-			updated while the server was offline, the source
-			zone could fall out of sync with the signed
-			copy. They can now resynchronize. [RT #26676]
-
-3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
-			memory dns_sdlz_putrr() can allocate per record to
-			prevent run away memory consumption on ISC_R_NOSPACE.
-			[RT #26956]
-
-3250.	[func]		'configure --enable-developer'; turn on various
-			configure options, normally off by default, that
-			we want developers to build and test with. [RT #27103]
-
-3249.	[bug]		Update log message when saving slave zones files for
-			analysis after load failures. [RT #27087]
-
-3248.	[bug]		Configure options --enable-fixed-rrset and
-			--enable-exportlib were incompatible with each
-			other. [RT #27087]
-
-3247.	[bug]		'raw' format zones failed to preserve load order
-			breaking 'fixed' sort order. [RT #27087]
-
-3246.	[bug]		Named failed to start with a empty also-notify list.
-			[RT #27087]
-
-3245.	[bug]		Don't report a error unchanged serials unless there
-			were other changes when thawing a zone with
-			ixfr-fromdifferences. [RT #26845]
-
-3244.	[func]		Added readline support to nslookup and nsupdate.
-			Also simplified nsupdate syntax to make "update"
-			and "prereq" optional. [RT #24659]
-
-3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
-			being properly set.
-
-3242.	[func]		Extended the header of raw-format master files to
-			include the serial number of the zone from which
-			they were generated, if different (as in the case
-			of inline-signing zones).  This is to be used in
-			inline-signing zones, to track changes between the
-			unsigned and signed versions of the zone, which may
-			have different serial numbers.
-
-			(Note: raw zonefiles generated by this version of
-			BIND are no longer compatible with prior versions.
-			To generate a backward-compatible raw zonefile
-			using dnssec-signzone or named-compilezone, specify
-			output format "raw=0" instead of simply "raw".)
-			[RT #26587]
-
-3241.	[bug]		Address race conditions in the resolver code.
-			[RT #26889]
-
-3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]
-
-3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
-			timestamp. [RT #26883]
-
-3238.	[bug]		keyrdata was not being reinitialized in
-			lib/dns/rbtdb.c:iszonesecure. [RT#26913]
-
-3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]
-
-3236.	[bug]		Backed out changes #3182 and #3202, related to
-			EDNS(0) fallback behavior. [RT #26416]
-
-3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
-			the generated diff and optionally writes it to a
-			journal. [RT #26386]
-
-3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
-
-3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
-			[RT #26632]
-
-3232.	[bug]		Zero zone->curmaster before return in
-			dns_zone_setmasterswithkeys(). [RT #26732]
-
-3231.	[bug]		named could fail to send a incompressible zone.
-			[RT #26796]
-
-3230.	[bug]		'dig axfr' failed to properly handle a multi-message
-			axfr with a serial of 0. [RT #26796]
-
-3229.	[bug]		Fix local variable to struct var assignment
-			found by CLANG warning.
-
-3228.	[tuning]	Dynamically grow symbol table to improve zone
-			loading performance. [RT #26523]
-
-3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
-			and getservbyname() self thread safe. [RT #26232]
-
-3226.	[bug]		Address minor resource leakages. [RT #26624]
-
-3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
-			messages. [RT #26507]
-
-3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]
-
-3223.	[bug]		'task_test privilege_drop' generated false positives.
-			[RT #26766]
-
-3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
-			dns_journal_{get,set}_sourceserial. [RT #26634]
-
-3221.	[bug]		Fixed a potential core dump on shutdown due to
-			referencing fetch context after it's been freed.
-			[RT #26720]
-
-	--- 9.9.0b2 released ---
-
-3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
-			could fail to set the database version correctly,
-			causing an assertion failure. [RT #26180]
-
-3219.	[bug]		Disable NOEDNS caching following a timeout.
-
-3218.	[security]	Cache lookup could return RRSIG data associated with
-			nonexistent records, leading to an assertion
-			failure. [RT #26590]
-
-3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]
-
-3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
-
-3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]
-
-3214.	[func]		Add 'named -U' option to set the number of UDP
-			listener threads per interface. [RT #26485]
-
-3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]
-
-3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
-			list prior to adding a reference to it leading a
-			possible assertion failure. [RT #23219]
-
-3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
-			option prints in single-line-per-record format.
-			[RT #20287]
-
-3210.	[bug]		Canceling the oldest query due to recursive-client
-			overload could trigger an assertion failure. [RT #26463]
-
-3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
-
-3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
-			[RT #25522]
-
-3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
-
-3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
-
-3205.	[func]		Upgrade dig's defaults to better reflect modern
-			nameserver behavior.  Enable "dig +adflag" and
-			"dig +edns=0" by default.  Enable "+dnssec" when
-			running "dig +trace". [RT #23497]
-
-3204.	[bug]		When a master server that has been marked as
-			unreachable sends a NOTIFY, mark it reachable
-			again. [RT #25960]
-
-3203.	[bug]		Increase log level to 'info' for validation failures
-			from expired or not-yet-valid RRSIGs. [RT #21796]
-
-3202.	[bug]		NOEDNS caching on timeout was too aggressive.
-			[RT #26416]
-
-3201.	[func]		'rndc querylog' can now be given an on/off parameter
-			instead of only being used as a toggle. [RT #18351]
-
-3200.	[doc]		Some rndc functions were undocumented or were
-			missing from 'rndc -h' output. [RT #25555]
-
-3199.	[func]		When logging client information, include the name
-			being queried. [RT #25944]
-
-3198.	[doc]		Clarified that dnssec-settime can alter keyfile
-			permissions. [RT #24866]
-
-3197.	[bug]		Don't try to log the filename and line number when
-			the config parser can't open a file. [RT #22263]
-
-3196.	[bug]		nsupdate: return nonzero exit code when target zone
-			doesn't exist. [RT #25783]
-
-3195.	[cleanup]	Silence "file not found" warnings when loading
-			managed-keys zone. [RT #26340]
-
-3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
-			documentation. [RT #25203]
-
-3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
-			dnssec.h. [RT #26415]
-
-3192.	[bug]		A query structure could be used after being freed.
-			[RT #22208]
-
-3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]
-
-3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
-			[RT #26397]
-
-3189.	[test]		Added a summary report after system tests. [RT #25517]
-
-3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
-			references correctly when errors occurred, causing
-			a hang on shutdown. [RT #26372]
-
-3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]
-
-	--- 9.9.0b1 released ---
-
-3186.	[bug]		Version/db mis-match in rpz code. [RT #26180]
-
-3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
-			 - 'rndc signing -list' displays the current
-			   state of signing operations
-			 - 'rndc signing -clear' clears the signing state
-			   records for keys that have fully signed the zone
-			 - 'rndc signing -nsec3param' sets the NSEC3
-			   parameters for the zone
-			The 'rndc keydone' syntax is removed. [RT #23729]
-
-3184.	[bug]		named had excessive cpu usage when a redirect zone was
-			configured. [RT #26013]
-
-3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
-
-3182.	[bug]		Auth servers behind firewalls which block packets
-			greater than 512 bytes may cause other servers to
-			perform poorly. Now, adb retains edns information
-			and caches noedns servers. [RT #23392/24964]
-
-3181.	[func]		Inline-signing is now supported for master zones.
-			[RT #26224]
-
-3180.	[func]		Local copies of slave zones are now saved in raw
-			format by default, to improve startup performance.
-			'masterfile-format text;' can be used to override
-			the default, if desired. [RT #25867]
-
-3179.	[port]		kfreebsd: build issues. [RT #26273]
-
-3178.	[bug]		A race condition introduced by change #3163 could
-			cause an assertion failure on shutdown. [RT #26271]
-
-3177.	[func]		'rndc keydone', remove the indicator record that
-			named has finished signing the zone with the
-			corresponding key.  [RT #26206]
-
-3176.	[doc]		Corrected example code and added a README to the
-			sample external DLZ module in contrib/dlz/example.
-			[RT #26215]
-
-3175.	[bug]		Fix how DNSSEC positive wildcard responses from a
-			NSEC3 signed zone are validated.  Stop sending a
-			unnecessary NSEC3 record when generating such
-			responses. [RT #26200]
-
-3174.	[bug]		Always compute to revoked key tag from scratch.
-			[RT #26186]
-
-3173.	[port]		Correctly validate root DS responses. [RT #25726]
-
-3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
-			default.
-
-3171.	[bug]		Exclusively lock the task when adding a zone using
-			'rndc addzone'.  [RT #25600]
-
-	--- 9.9.0a3 released ---
-
-3170.	[func]		RPZ update:
-			- fix precedence among competing rules
-			- improve ARM text including documenting rule precedence
-			- try to rewrite CNAME chains until first hit
-			- new "rpz" logging channel
-			- RDATA for CNAME rules can include wildcards
-			- replace "NO-OP" named.conf policy override with
-			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
-			  is still recognized)
-			[RT #25172]
-
-3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
-			[RT #26017]
-
-3168.	[bug]		Nxdomain redirection could trigger an assert with
-			a ANY query. [RT #26017]
-
-3167.	[bug]		Negative answers from forwarders were not being
-			correctly tagged making them appear to not be cached.
-			[RT #25380]
-
-3166.	[bug]		Upgrading a zone to support inline-signing failed.
-			[RT #26014]
-
-3165.	[bug]		dnssec-signzone could generate new signatures when
-			resigning, even when valid signatures were already
-			present. [RT #26025]
-
-3164.	[func]		Enable DLZ modules to retrieve client information,
-			so that responses can be changed depending on the
-			source address of the query. [RT #25768]
-
-3163.	[bug]		Use finer-grained locking in client.c to address
-			concurrency problems with large numbers of threads.
-			[RT #26044]
-
-3162.	[test]		start.pl: modified to allow for "named.args" in
-			ns*/ subdirectory to override stock arguments to
-			named. Largely from RT#26044, but no separate ticket.
-
-3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
-			assertion failures. [RT #25880]
-
-3160.	[bug]		When printing out a NSEC3 record in multiline form
-			the newline was not being printed causing type codes
-			to be run together. [RT #25873]
-
-3159.	[bug]		On some platforms, named could assert on startup
-			when running in a chrooted environment without
-			/proc. [RT #25863]
-
-3158.	[bug]		Recursive servers would prefer a particular UDP
-			socket instead of using all available sockets.
-			[RT #26038]
-
-3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
-			the config file before pausing the server. [RT #21373]
-
-3156.	[placeholder]
-
-	--- 9.9.0a2 released ---
-
-3155.	[bug]		Fixed a build failure when using contrib DLZ
-			drivers (e.g., mysql, postgresql, etc). [RT #25710]
-
-3154.	[bug]		Attempting to print an empty rdataset could trigger
-			an assert. [RT #25452]
-
-3153.	[func]		Extend request-ixfr to zone level and remove the
-			side effect of forcing an AXFR. [RT #25156]
-
-3152.	[cleanup]	Some versions of gcc and clang failed due to
-			incorrect use of __builtin_expect. [RT #25183]
-
-3151.	[bug]		Queries for type RRSIG or SIG could be handled
-			incorrectly.  [RT #21050]
-
-3150.	[func]		Improved startup and reconfiguration time by
-			enabling zones to load in multiple threads. [RT #25333]
-
-3149.	[placeholder]
-
-3148.	[bug]		Processing of normal queries could be stalled when
-			forwarding a UPDATE message. [RT #24711]
-
-3147.	[func]		Initial inline signing support.  [RT #23657]
-
-	--- 9.9.0a1 released ---
-
-3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]
-
-3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
-			there were any errors while running them. [RT #25527]
-
-3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
-			used with a nonexistent database node. [RT #25358]
-
-3143.	[bug]		Silence clang compiler warnings. [RT #25174]
-
-3142.	[bug]		NAPTR is class agnostic. [RT #25429]
-
-3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
-			associated with empty zones. [RT #25079]
-
-3140.	[func]		New command "rndc flushtree <name>" clears the
-			specified name from the server cache along with
-			all names under it. [RT #19970]
-
-3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
-			for the hashing algorithms (md5, sha1 - sha512, and
-			their hmac counterparts).  [RT #25067]
-
-3138.	[bug]		Address memory leaks and out-of-order operations when
-			shutting named down. [RT #25210]
-
-3137.	[func]		Improve hardware scalability by allowing multiple
-			worker threads to process incoming UDP packets.
-			This can significantly increase query throughput
-			on some systems.  [RT #22992]
-
-3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
-			empty zones switched on by the 'empty-zones-enable'
-			option. [RT #24990]
-
-3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
-			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
-			[RT #24950]
-
-3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
-			statistics. [RT #16030]
-
-3133.	[bug]		Change #3114 was incomplete. [RT #24577]
-
-3132.	[placeholder]
-
-3131.	[tuning]	Improve scalability by allocating one zone task
-			per 100 zones at startup time, rather than using a
-			fixed-size task table. [RT #24406]
-
-3130.	[func]		Support alternate methods for managing a dynamic
-			zone's serial number.  Two methods are currently
-			defined using serial-update-method, "increment"
-			(default) and "unixtime".  [RT #23849]
-
-3129.	[bug]		Named could crash on 'rndc reconfig' when
-			allow-new-zones was set to yes and named ACLs
-			were used. [RT #22739]
-
-3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
-			auto-dnssec zone that has not been signed yet
-			will cause it to be signed with the specified NSEC3
-			parameters when keys are activated.  The
-			NSEC3PARAM record will not appear in the zone until
-			it is signed, but the parameters will be stored.
-			[RT #23684]
-
-3127.	[bug]		'rndc thaw' will now remove a zone's journal file
-			if the zone serial number has been changed and
-			ixfr-from-differences is not in use.  [RT #24687]
-
-3126.	[security]	Using DNAME record to generate replacements caused
-			RPZ to exit with a assertion failure. [RT #24766]
-
-3125.	[security]	Using wildcard CNAME records as a replacement with
-			RPZ caused named to exit with a assertion failure.
-			[RT #24715]
-
-3124.	[bug]		Use an rdataset attribute flag to indicate
-			negative-cache records rather than using rrtype 0;
-			this will prevent problems when that rrtype is
-			used in actual DNS packets. [RT #24777]
-
-3123.	[security]	Change #2912 exposed a latent flaw in
-			dns_rdataset_totext() that could cause named to
-			crash with an assertion failure. [RT #24777]
-
-3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]
-
-3121.	[security]	An authoritative name server sending a negative
-			response containing a very large RRset could
-			trigger an off-by-one error in the ncache code
-			and crash named. [RT #24650]
-
-3120.	[bug]		Named could fail to validate zones listed in a DLV
-			that validated insecure without using DLV and had
-			DS records in the parent zone. [RT #24631]
-
-3119.	[bug]		When rolling to a new DNSSEC key, a private-type
-			record could be created and never marked complete.
-			[RT #23253]
-
-3118.	[bug]		nsupdate could dump core on shutdown when using
-			SIG(0) keys. [RT #24604]
-
-3117.	[cleanup]	Remove doc and parser references to the
-			never-implemented 'auto-dnssec create' option.
-			[RT #24533]
-
-3116.	[func]		New 'dnssec-update-mode' option controls updates
-			of DNSSEC records in signed dynamic zones.  Set to
-			'no-resign' to disable automatic RRSIG regeneration
-			while retaining the ability to sign new or changed
-			data. [RT #24533]
-
-3115.	[bug]		Named could fail to return requested data when
-			following a CNAME that points into the same zone.
-			[RT #24455]
-
-3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
-			inactive and there is no replacement key. [RT #23136]
-
-3113.	[doc]		Document the relationship between serial-query-rate
-			and NOTIFY messages.
-
-3112.	[doc]		Add missing descriptions of the update policy name
-			types "ms-self", "ms-subdomain", "krb5-self" and
-			"krb5-subdomain", which allow machines to update
-			their own records, to the BIND 9 ARM.
-
-3111.	[bug]		Improved consistency checks for dnssec-enable and
-			dnssec-validation, added test cases to the
-			checkconf system test. [RT #24398]
-
-3110.	[bug]		dnssec-signzone: Wrong error message could appear
-			when attempting to sign with no KSK. [RT #24369]
-
-3109.	[func]		The also-notify option now uses the same syntax
-			as a zone's masters clause.  This means it is
-			now possible to specify a TSIG key to use when
-			sending notifies to a given server, or to include
-			an explicit named masters list in an also-notfiy
-			statement.  [RT #23508]
-
-3108.	[cleanup]	dnssec-signzone: Clarified some error and
-			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
-			code (use -P instead). [RT #20852]
-
-3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
-			when using -x. [RT #20852]
-
-3106.	[func]		When logging client requests, include the name of
-			the TSIG key if any. [RT #23619]
-
-3105.	[bug]		GOST support can be suppressed by "configure
-			--without-gost" [RT #24367]
-
-3104.	[bug]		Better support for cross-compiling. [RT #24367]
-
-3103.	[bug]		Configuring 'dnssec-validation auto' in a view
-			instead of in the options statement could trigger
-			an assertion failure in named-checkconf. [RT #24382]
-
-3102.	[func]		New 'dnssec-loadkeys-interval' option configures
-			how often, in minutes, to check the key repository
-			for updates when using automatic key maintenance.
-			Default is every 60 minutes (formerly hard-coded
-			to 12 hours). [RT #23744]
-
-3101.	[bug]		Zones using automatic key maintenance could fail
-			to check the key repository for updates. [RT #23744]
-
-3100.	[security]	Certain response policy zone configurations could
-			trigger an INSIST when receiving a query of type
-			RRSIG. [RT #24280]
-
-3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
-			not compiled with --with-dlz-filesystem.  [RT #24146]
-
-3098.	[bug]		DLZ zones were answering without setting the AA bit.
-			[RT #24146]
-
-3097.	[test]		Add a tool to test handling of malformed packets.
-			[RT #24096]
-
-3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
-			dst_gssapi_acceptctx(). [RT #24004]
-
-3095.	[bug]		Handle isolated reserved ports in the port range.
-			[RT #23957]
-
-3094.	[doc]		Expand dns64 documentation.
-
-3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
-
-3092.	[bug]		Signatures for records at the zone apex could go
-			stale due to an incorrect timer setting. [RT #23769]
-
-3091.	[bug]		Fixed a bug in which zone keys that were published
-			and then subsequently activated could fail to trigger
-			automatic signing. [RT #22911]
-
-3090.	[func]		Make --with-gssapi default [RT #23738]
-
-3089.	[func]		dnssec-dsfromkey now supports reading keys from
-			standard input "dnssec-dsfromkey -f -". [RT# 20662]
-
-3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
-			and add setup.sh in order to resolve changing
-			named.conf issue.  [RT #23687]
-
-3087.	[bug]		DDNS updates using SIG(0) with update-policy match
-			type "external" could cause a crash. [RT #23735]
-
-3086.	[bug]		Running dnssec-settime -f on an old-style key will
-			now force an update to the new key format even if no
-			other change has been specified, using "-P now -A now"
-			as default values.  [RT #22474]
-
-3085.	[func]		New '-R' option in dnssec-signzone forces removal
-			of signatures which have not yet expired but
-			were generated by a key that no longer exists.
-			[RT #22471]
-
-3084.	[func]		A new command "rndc sync" dumps pending changes in
-			a dynamic zone to disk; "rndc sync -clean" also
-			removes the journal file after syncing.  Also,
-			"rndc freeze" no longer removes journal files.
-			[RT #22473]
-
-3083.	[bug]		NOTIFY messages were not being sent when generating
-			a NSEC3 chain incrementally. [RT #23702]
-
-3082.	[port]		strtok_r is threads only. [RT #23747]
-
-3081.	[bug]		Failure of DNAME substitution did not return
-			YXDOMAIN. [RT #23591]
-
-3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
-			[RT #23587]
-
-3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
-			[RT #23572]
-
-3078.	[func]		Added a new include file with function typedefs
-			for the DLZ "dlopen" driver. [RT #23629]
-
-3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
-			dns_zone_attach(), use zone->irefs instead. [RT #23303]
-
-3076.	[func]		New '-L' option in dnssec-keygen, dnsset-settime, and
-			dnssec-keyfromlabel sets the default TTL of the
-			key.  When possible, automatic signing will use that
-			TTL when the key is published.  [RT #23304]
-
-3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistent
-			timestamp when determining which keys are active.
-			[RT #23642]
-
-3074.	[bug]		Make the adb cache read through for zone data and
-			glue learn for zone named is authoritative for.
-			[RT #22842]
-
-3073.	[bug]		managed-keys changes were not properly being recorded.
-			[RT #20256]
-
-3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
-			[RT #20256]
-
-3071.	[bug]		has_nsec could be used uninitialized in
-			update.c:next_active. [RT #20256]
-
-3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
-			[RT #20256]
-
-3069.	[cleanup]	Silence warnings messages from clang static analysis.
-			[RT #20256]
-
-3068.	[bug]		Named failed to build with a OpenSSL without engine
-			support. [RT #23473]
-
-3067.	[bug]		ixfr-from-differences {master|slave}; failed to
-			select the master/slave zones.  [RT #23580]
-
-3066.	[func]		The DLZ "dlopen" driver is now built by default,
-			no longer requiring a configure option.  To
-			disable it, use "configure --without-dlopen".
-			Driver also supported on win32.  [RT #23467]
-
-3065.	[bug]		RRSIG could have time stamps too far in the future.
-			[RT #23356]
-
-3064.	[bug]		powerpc: add sync instructions to the end of atomic
-			operations. [RT #23469]
-
-3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
-
-3062.	[func]		Made several changes to enhance human readability
-			of DNSSEC data in dig output and in generated
-			zone files:
-			 - DNSKEY record comments are more verbose, no
-			   longer used in multiline mode only
-			 - multiline RRSIG records reformatted
-			 - multiline output mode for NSEC3PARAM records
-			 - "dig +norrcomments" suppresses DNSKEY comments
-			 - "dig +split=X" breaks hex/base64 records into
-			   fields of width X; "dig +nosplit" disables this.
-			[RT #22820]
-
-3061.	[func]		New option "dnssec-signzone -D", only write out
-			generated DNSSEC records. [RT #22896]
-
-3060.	[func]		New option "dnssec-signzone -X <date>" allows
-			specification of a separate expiration date
-			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
-
-3059.	[test]		Added a regression test for change #3023.
-
-3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
-			reload to fail, if a log file specified in the conf
-			file isn't a plain file. [RT #22771]
-
-3057.	[bug]		"rndc secroots" would abort after the first error
-			and so could miss some views. [RT #23488]
-
-3056.	[func]		Added support for URI resource record. [RT #23386]
-
-3055.	[placeholder]
-
-3054.	[bug]		Added elliptic curve support check in
-			GOST OpenSSL engine detection. [RT #23485]
-
-3053.	[bug]		Under a sustained high query load with a finite
-			max-cache-size, it was possible for cache memory
-			to be exhausted and not recovered. [RT #23371]
-
-3052.	[test]		Fixed last autosign test report. [RT #23256]
-
-3051.	[bug]		NS records obscure DNAME records at the bottom of the
-			zone if both are present. [RT #23035]
-
-3050.	[bug]		The autosign system test was timing dependent.
-			Wait for the initial autosigning to complete
-			before running the rest of the test. [RT #23035]
-
-3049.	[bug]		Save and restore the gid when creating creating
-			named.pid at startup. [RT #23290]
-
-3048.	[bug]		Fully separate view key management. [RT #23419]
-
-3047.	[bug]		DNSKEY NODATA responses not cached fixed in
-			validator.c. Tests added to dnssec system test.
-			[RT #22908]
-
-3046.	[bug]		Use RRSIG original TTL to compute validated RRset
-			and RRSIG TTL. [RT #23332]
-
-3045.	[removed]	Replaced by change #3050.
-
-3044.	[bug]		Hold the socket manager lock while freeing the socket.
-			[RT #23333]
-
-3043.	[test]		Merged in the NetBSD ATF test framework (currently
-			version 0.12) for development of future unit tests.
-			Use configure --with-atf to build ATF internally
-			or configure --with-atf=prefix to use an external
-			copy.  [RT #23209]
-
-3042.	[bug]		dig +trace could fail attempting to use IPv6
-			addresses on systems with only IPv4 connectivity.
-			[RT #23297]
-
-3041.	[bug]		dnssec-signzone failed to generate new signatures on
-			ttl changes. [RT #23330]
-
-3040.	[bug]		Named failed to validate insecure zones where a node
-			with a CNAME existed between the trust anchor and the
-			top of the zone. [RT #23338]
-
-3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]
-
-3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
-
-3037.	[doc]		Update COPYRIGHT to contain all the individual
-			copyright notices that cover various parts.
-
-3036.	[bug]		Check built-in zone arguments to see if the zone
-			is re-usable or not. [RT #21914]
-
-3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
-
-3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
-
-3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
-			[RT #22521]
-
-3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
-
-3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
-			[RT #22521]
-
-3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
-			[RT #22521]
-
-3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
-			[RT #22521]
-
-3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
-			[RT #22521]
-
-3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
-			catch NULL pointer dereferences before they happen.
-			[RT #22521]
-
-3026.	[bug]		lib/isc/httpd.c: check that we have enough space
-			after calling grow_headerspace() and if not
-			re-call grow_headerspace() until we do. [RT #22521]
-
-3025.	[bug]		Fixed a possible deadlock due to zone resigning.
-			[RT #22964]
-
-3024.	[func]		RTT Banding removed due to minor security increase
-			but major impact on resolver latency. [RT #23310]
-
-3023.	[bug]		Named could be left in an inconsistent state when
-			receiving multiple AXFR response messages that were
-			not all TSIG-signed. [RT #23254]
-
-3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
-			[RT #23246]
-
-3021.	[bug]		Change #3010 was incomplete. [RT #22296]
-
-3020.	[bug]		auto-dnssec failed to correctly update the zone when
-			changing the DNSKEY RRset. [RT #23232]
-
-3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
-			record via UPDATE. [RT #23229]
-
-3018.	[bug]		Named failed to check for the "none;" acl when deciding
-			if a zone may need to be re-signed. [RT #23120]
-
-3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
-			[RT #22887]
-
-3016.	[bug]		rndc usage missing '-b'. [RT #22937]
-
-3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
-			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
-
-3014.	[placeholder]
-
-3013.	[bug]		The DNS64 ttl was not always being set as expected.
-			[RT #23034]
-
-3012.	[bug]		Remove DNSKEY TTL change pairs before generating
-			signing records for any remaining DNSKEY changes.
-			[RT #22590]
-
-3011.	[func]		Change the default query timeout from 30 seconds
-			to 10.  Allow setting this in named.conf using the new
-			'resolver-query-timeout' option, which specifies a max
-			time in seconds.  0 means 'default' and anything longer
-			than 30 will be silently set to 30. [RT #22852]
-
-3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
-			for refreshing managed-keys. [RT #22296]
-
-3009.	[bug]		clients-per-query code didn't work as expected with
-			particular query patterns. [RT #22972]
-
-	--- 9.8.0b1 released ---
-
-3008.	[func]		Response policy zones (RPZ) support. [RT #21726]
-
-3007.	[bug]		Named failed to preserve the case of domain names in
-			rdata which is not compressible when writing master
-			files.  [RT #22863]
-
-3006.	[func]		Allow dynamically generated TSIG keys to be preserved
-			across restarts of named.  Initially this is for
-			TSIG keys generated using GSSAPI. [RT #22639]
-
-3005.	[port]		Solaris: Work around the lack of
-			gsskrb5_register_acceptor_identity() by setting
-			the KRB5_KTNAME environment variable to the
-			contents of tkey-gssapi-keytab.  Also fixed
-			test errors on MacOSX.  [RT #22853]
-
-3004.	[func]		DNS64 reverse support. [RT #22769]
-
-3003.	[experimental]	Added update-policy match type "external",
-			enabling named to defer the decision of whether to
-			allow a dynamic update to an external daemon.
-			(Contributed by Andrew Tridgell.) [RT #22758]
-
-3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
-			[RT #22766]
-
-3001.	[func]		Added a default trust anchor for the root zone, which
-			can be switched on by setting "dnssec-validation auto;"
-			in the named.conf options. [RT #21727]
-
-3000.	[bug]		More TKEY/GSS fixes:
-			 - nsupdate can now get the default realm from
-			   the user's Kerberos principal
-			 - corrected gsstest compilation flags
-			 - improved documentation
-			 - fixed some NULL dereferences
-			[RT #22795]
-
-2999.	[func]		Add GOST support (RFC 5933). [RT #20639]
-
-2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
-			to the task api. [RT #22776]
-
-2997.	[func]		named -V now reports the OpenSSL and libxml2 verions
-			it was compiled against. [RT #22687]
-
-2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
-			[RT #22589]
-
-2995.	[bug]		The Kerberos realm was not being correctly extracted
-			from the signer's identity. [RT #22770]
-
-2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
-			do not use threads on earlier versions.  Also kill
-			the unproven-pthreads, mit-pthreads, and ptl2 support.
-
-2993.	[func]		Dynamically grow adb hash tables. [RT #21186]
-
-2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
-			for looking at a secure delegation. [RT #22059]
-
-2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
-			dynamic zones. [RT #22365]
-
-2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
-			interval validity when the interval is set to 0.
-			[RT #22761]
-
-2989.	[func]		Added support for writable DLZ zones. (Contributed
-			by Andrew Tridgell of the Samba project.) [RT #22629]
-
-2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
-			of external DLZ drivers that can be loaded as
-			shared objects at runtime rather than linked with
-			named.  Currently this is switched on via a
-			compile-time option, "configure --with-dlz-dlopen".
-			Note: the syntax for configuring DLZ zones
-			is likely to be refined in future releases.
-			(Contributed by Andrew Tridgell of the Samba
-			project.) [RT #22629]
-
-2987.	[func]		Improve ease of configuring TKEY/GSS updates by
-			adding a "tkey-gssapi-keytab" option.  If set,
-			updates will be allowed with any key matching
-			a principal in the specified keytab file.
-			"tkey-gssapi-credential" is no longer required
-			and is expected to be deprecated.  (Contributed
-			by Andrew Tridgell of the Samba project.)
-			[RT #22629]
-
-2986.	[func]		Add new zone type "static-stub".  It's like a stub
-			zone, but the nameserver names and/or their IP
-			addresses are statically configured. [RT #21474]
-
-2985.	[bug]		Add a regression test for change #2896. [RT #21324]
-
-2984.	[bug]		Don't run MX checks when the target of the MX record
-			is ".".  [RT #22645]
-
-2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]
-
-	--- 9.8.0a1 released ---
-
-2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
-			increment the reference count.
-
-			Note: dns_tsigkey_createfromkey() callers should now
-			always call dst_key_free() rather than setting it
-			to NULL on success. [RT #22672]
-
-2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
-
-2980.	[bug]		named didn't properly handle UPDATES that changed the
-			TTL of the NSEC3PARAM RRset. [RT #22363]
-
-2979.	[bug]		named could deadlock during shutdown if two
-			"rndc stop" commands were issued at the same
-			time. [RT #22108]
-
-2978.	[port]		hpux: look for <devpoll.h> [RT #21919]
-
-2977.	[bug]		'nsupdate -l' report if the session key is missing.
-			[RT #21670]
-
-2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
-			key. [RT #22573]
-
-2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
-			wrong lock which could lead to server deadlock.
-			[RT #22614]
-
-2974.	[bug]		Some valid UPDATE requests could fail due to a
-			consistency check examining the existing version
-			of the zone rather than the new version resulting
-			from the UPDATE. [RT #22413]
-
-2973.	[bug]		bind.keys.h was being removed by the "make clean"
-			at the end of configure resulting in build failures
-			where there is very old version of perl installed.
-			Move it to "make maintainer-clean". [RT #22230]
-
-2972.	[bug]		win32: address windows socket errors. [RT #21906]
-
-2971.	[bug]		Fixed a bug that caused journal files not to be
-			compacted on Windows systems as a result of
-			non-POSIX-compliant rename() semantics. [RT #22434]
-
-2970.	[security]	Adding a NO DATA negative cache entry failed to clear
-			any matching RRSIG records.  A subsequent lookup of
-			of NO DATA cache entry could trigger a INSIST when the
-			unexpected RRSIG was also returned with the NO DATA
-			cache entry.
-
-			CVE-2010-3613, VU#706148. [RT #22288]
-
-2969.	[security]	Fix acl type processing so that allow-query works
-			in options and view statements.  Also add a new
-			set of tests to verify proper functioning.
-
-			CVE-2010-3615, VU#510208. [RT #22418]
-
-2968.	[security]	Named could fail to prove a data set was insecure
-			before marking it as insecure.  One set of conditions
-			that can trigger this occurs naturally when rolling
-			DNSKEY algorithms.
-
-			CVE-2010-3614, VU#837744. [RT #22309]
-
-2967.	[bug]		'host -D' now turns on debugging messages earlier.
-			[RT #22361]
-
-2966.	[bug]		isc_print_vsnprintf() failed to check if there was
-			space available in the buffer when adding a left
-			justified character with a non zero width,
-			(e.g. "%-1c"). [RT #22270]
-
-2965.	[func]		Test HMAC functions using test data from RFC 2104 and
-			RFC 4634. [RT #21702]
-
-2964.	[placeholder]
-
-2963.	[security]	The allow-query acl was being applied instead of the
-			allow-query-cache acl to cache lookups. [RT #22114]
-
-2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
-			[RT #22062]
-
-2961.	[bug]		Be still more selective about the non-authoritative
-			answers we apply change 2748 to. [RT #22074]
-
-2960.	[func]		Check that named accepts non-authoritative answers.
-			[RT #21594]
-
-2959.	[func]		Check that named starts with a missing masterfile.
-			[RT #22076]
-
-2958.	[bug]		named failed to start with a missing master file.
-			[RT #22076]
-
-2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
-			the API for RAND_bytes() and RAND_pseudo_bytes()
-			respectively. [RT #21962]
-
-2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
-
-2955.	[func]		Provide more detail in the recursing log. [RT #22043]
-
-2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
-			build_sqldbinstance failure. [RT #21623]
-
-2953.	[bug]		Silence spurious "expected covering NSEC3, got an
-			exact match" message when returning a wildcard
-			no data response. [RT #21744]
-
-2952.	[port]		win32: named-checkzone and named-checkconf failed
-			to initialize winsock. [RT #21932]
-
-2951.	[bug]		named failed to generate a correct signed response
-			in a optout, delegation only zone with no secure
-			delegations. [RT #22007]
-
-2950.	[bug]		named failed to perform a SOA up to date check when
-			falling back to TCP on UDP timeouts when
-			ixfr-from-differences was set. [RT #21595]
-
-2949.	[bug]		dns_view_setnewzones() contained a memory leak if
-			it was called multiple times. [RT #21942]
-
-2948.	[port]		MacOS: provide a mechanism to configure the test
-			interfaces at reboot. See bin/tests/system/README
-			for details.
-
-2947.	[placeholder]
-
-2946.	[doc]		Document the default values for the minimum and maximum
-			zone refresh and retry values in the ARM. [RT #21886]
-
-2945.	[doc]		Update empty-zones list in ARM. [RT #21772]
-
-2944.	[maint]		Remove ORCHID prefix from built in empty zones.
-			[RT #21772]
-
-2943.	[func]		Add support to load new keys into managed zones
-			without signing immediately with "rndc loadkeys".
-			Add support to link keys with "dnssec-keygen -S"
-			and "dnssec-settime -S".  [RT #21351]
-
-2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
-			[RT #21610]
-
-2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
-			DNAME at the zone apex.  [RT #21610]
-
-2940.	[port]		Remove connection aborted error message on
-			Windows. [RT #21549]
-
-2939.	[func]		Check that named successfully skips NSEC3 records
-			that fail to match the NSEC3PARAM record currently
-			in use. [RT# 21868]
-
-2938.	[bug]		When generating signed responses, from a signed zone
-			that uses NSEC3, named would use a uninitialized
-			pointer if it needed to skip a NSEC3 record because
-			it didn't match the selected NSEC3PARAM record for
-			zone. [RT# 21868]
-
-2937.	[bug]		Worked around an apparent race condition in over
-			memory conditions.  Without this fix a DNS cache DB or
-			ADB could incorrectly stay in an over memory state,
-			effectively refusing further caching, which
-			subsequently made a BIND 9 caching server unworkable.
-			This fix prevents this problem from happening by
-			polling the state of the memory context, rather than
-			making a copy of the state, which appeared to cause
-			a race.  This is a "workaround" in that it doesn't
-			solve the possible race per se, but several experiments
-			proved this change solves the symptom.  Also, the
-			polling overhead hasn't been reported to be an issue.
-			This bug should only affect a caching server that
-			specifies a finite max-cache-size.  It's also quite
-			likely that the bug happens only when enabling threads,
-			but it's not confirmed yet. [RT #21818]
-
-2936.	[func]		Improved configuration syntax and multiple-view
-			support for addzone/delzone feature (see change
-			#2930).  Removed "new-zone-file" option, replaced
-			with "allow-new-zones (yes|no)".  The new-zone-file
-			for each view is now created automatically, with
-			a filename generated from a hash of the view name.
-			It is no longer necessary to "include" the
-			new-zone-file in named.conf; this happens
-			automatically.  Zones that were not added via
-			"rndc addzone" can no longer be removed with
-			"rndc delzone". [RT #19447]
-
-2935.	[bug]		nsupdate: improve 'file not found' error message.
-			[RT #21871]
-
-2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
-			[RT #21871]
-
-2933.	[bug]		'dig +nsid' used stack memory after it went out of
-			scope.  This could potentially result in a unknown,
-			potentially malformed, EDNS option being sent instead
-			of the desired NSID option. [RT #21781]
-
-2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
-			[RT #21597]
-
-2931.	[bug]		Temporarily and partially disable change 2864
-			because it would cause infinite attempts of RRSIG
-			queries.  This is an urgent care fix; we'll
-			revisit the issue and complete the fix later.
-			[RT #21710]
-
-2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
-			allow dynamic addition and deletion of zones.
-			To enable this feature, specify a "new-zone-file"
-			option at the view or options level in named.conf.
-			Zone configuration information for the new zones
-			will be written into that file.  To make the new
-			zones persist after a restart, "include" the file
-			into named.conf in the appropriate view.  (Note:
-			This feature is not yet documented, and its syntax
-			is expected to change.) [RT #19447]
-
-2929.	[bug]		Improved handling of GSS security contexts:
-			 - added LRU expiration for generated TSIGs
-			 - added the ability to use a non-default realm
-			 - added new "realm" keyword in nsupdate
-			 - limited lifetime of generated keys to 1 hour
-			   or the lifetime of the context (whichever is
-			   smaller)
-			[RT #19737]
-
-2928.	[bug]		Be more selective about the non-authoritative
-			answer we apply change 2748 to. [RT #21594]
-
-2927.	[placeholder]
-
-2926.	[placeholder]
-
-2925.	[bug]		Named failed to accept uncachable negative responses
-			from insecure zones. [RT# 21555]
-
-2924.	[func]		'rndc  secroots'  dump a combined summary of the
-			current managed keys combined with trusted keys.
-			[RT #20904]
-
-2923.	[bug]		'dig +trace' could drop core after "connection
-			timeout". [RT #21514]
-
-2922.	[contrib]	Update zkt to version 1.0.
-
-2921.	[bug]		The resolver could attempt to destroy a fetch context
-			too soon.  [RT #19878]
-
-2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
-			to IPv4 clients.  New acl 'filter-aaaa' (default any).
-
-2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
-			[RT #20840]
-
-2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
-
-2917.	[func]		Virtual time test framework. [RT #20801]
-
-2916.	[func]		Add framework to use IPv6 in tests.
-			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
-
-2915.	[cleanup]	Be smarter about which objects we attempt to compile
-			based on configure options. [RT #21444]
-
-2914.	[bug]		Make the "autosign" system test more portable.
-			[RT #20997]
-
-2913.	[func]		Add pkcs#11 system tests. [RT #20784]
-
-2912.	[func]		Windows clients don't like UPDATE responses that clear
-			the zone section. [RT #20986]
-
-2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
-			[RT #21367]
-
-2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
-
-2909.	[bug]		named-checkconf -p could die if "update-policy local;"
-			was specified in named.conf. [RT #21416]
-
-2908.	[bug]		It was possible for re-signing to stop after removing
-			a DNSKEY. [RT #21384]
-
-2907.	[bug]		The export version of libdns had undefined references.
-			[RT #21444]
-
-2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]
-
-2905.	[port]		aix: set use_atomic=yes with native compiler.
-			[RT #21402]
-
-2904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
-			could be incorrectly marked as insecure instead of
-			secure leading to negative proofs failing.  This was
-			a unintended outcome from change 2890. [RT# 21392]
-
-2903.	[bug]		managed-keys-directory missing from namedconf.c.
-			[RT #21370]
-
-2902.	[func]		Add regression test for change 2897. [RT #21040]
-
-2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
-
-2900.	[bug]		The placeholder negative caching element was not
-			properly constructed triggering a INSIST in
-			dns_ncache_towire(). [RT #21346]
-
-2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
-
-2898.	[bug]		nslookup leaked memory when -domain=value was
-			specified. [RT #21301]
-
-2897.	[bug]		NSEC3 chains could be left behind when transitioning
-			to insecure. [RT #21040]
-
-2896.	[bug]		"rndc sign" failed to properly update the zone
-			when adding a DNSKEY for publication only. [RT #21045]
-
-2895.	[func]		genrandom: add support for the generation of multiple
-			files.  [RT #20917]
-
-2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]
-
-2893.	[bug]		Improve managed keys support.  New named.conf option
-			managed-keys-directory. [RT #20924]
-
-2892.	[bug]		Handle REVOKED keys better. [RT #20961]
-
-2891.	[maint]		Update empty-zones list to match
-			draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
-
-2890.	[bug]		Handle the introduction of new trusted-keys and
-			DS, DLV RRsets better. [RT #21097]
-
-2889.	[bug]		Elements of the grammar where not properly reported.
-			[RT #21046]
-
-2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
-
-2887.	[bug]		Report the keytag times in UTC in the .key file,
-			local time is presented as a comment within the
-			comment.  [RT #21223]
-
-2886.	[bug]		ctime() is not thread safe. [RT #21223]
-
-2885.	[bug]		Improve -fno-strict-aliasing support probing in
-			configure. [RT #21080]
-
-2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
-			[RT #21283]
-
-2883.	[bug]		'dig +short' failed to handle really large datasets.
-			[RT #21113]
-
-2882.	[bug]		Remove memory context from list of active contexts
-			before clearing 'magic'. [RT #21274]
-
-2881.	[bug]		Reduce the amount of time the rbtdb write lock
-			is held when closing a version. [RT #21198]
-
-2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
-			consistent. [RT #21078]
-
-2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
-			[RT #21106]
-
-2878.	[func]		Incrementally write the master file after performing
-			a AXFR.  [RT #21010]
-
-2877.	[bug]		The validator failed to skip obviously mismatching
-			RRSIGs. [RT #21138]
-
-2876.	[bug]		Named could return SERVFAIL for negative responses
-			from unsigned zones. [RT #21131]
-
-2875.	[bug]		dns_time64_fromtext() could accept non digits.
-			[RT #21033]
-
-2874.	[bug]		Cache lack of EDNS support only after the server
-			successfully responds to the query using plain DNS.
-			[RT #20930]
-
-2873.	[bug]		Canceling a dynamic update via the dns/client module
-			could trigger an assertion failure. [RT #21133]
-
-2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
-			require one of IPv4 or IPv6 rather than both.
-			[RT #21122]
-
-2871.	[bug]		Type mismatch in mem_api.c between the definition and
-			the header file, causing build failure with
-			--enable-exportlib. [RT #21138]
-
-2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
-
-2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
-			[RT #20877]
-
-2868.	[cleanup]	Run "make clean" at the end of configure to ensure
-			any changes made by configure are integrated.
-			Use --with-make-clean=no to disable.  [RT #20994]
-
-2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
-			don't like it.  [RT #20986]
-
-2866.	[bug]		Windows does not like the TSIG name being compressed.
-			[RT #20986]
-
-2865.	[bug]		memset to zero event.data.  [RT #20986]
-
-2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
-			[RT #21050]
-
-2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
-			[RT #21056]
-
-2862.	[bug]		nsupdate didn't default to the parent zone when
-			updating DS records. [RT #20896]
-
-2861.	[doc]		dnssec-settime man pages didn't correctly document the
-			inactivation time. [RT #21039]
-
-2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
-
-2859.	[bug]		When canceling validation it was possible to leak
-			memory. [RT #20800]
-
-2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
-			[RT #20772]
-
-2857.	[bug]		named-checkconf did not fail on a bad trusted key.
-			[RT #20705]
-
-2856.	[bug]		The size of a memory allocation was not always properly
-			recorded. [RT #20927]
-
-2855.	[func]		nsupdate will now preserve the entered case of domain
-			names in update requests it sends. [RT #20928]
-
-2854.	[func]		dig: allow the final soa record in a axfr response to
-			be suppressed, dig +onesoa. [RT #20929]
-
-2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
-
-2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
-
-2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
-			source as it produced bad nroff.  [RT #21007]
-
-2850.	[bug]		If isc_heap_insert() failed due to memory shortage
-			the heap would have corrupted entries. [RT #20951]
-
-2849.	[bug]		Don't treat errors from the xml2 library as fatal.
-			[RT #20945]
-
-2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
-			README.rfc5011 into the ARM. [RT #20899]
-
-2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
-
-2846.	[bug]		EOF on unix domain sockets was not being handled
-			correctly. [RT #20731]
-
-2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
-
-2844.	[doc]		notify-delay default in ARM was wrong.  It should have
-			been five (5) seconds.
-
-2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
-			creating key files if there is a chance that the new
-			key ID will collide with an existing one after
-			either of the keys has been revoked.  (To override
-			this in the case of dnssec-keyfromlabel, use the -y
-			option.  dnssec-keygen will simply create a
-			different, non-colliding key, so an override is
-			not necessary.) [RT #20838]
-
-2842.	[func]		Added "smartsign" and improved "autosign" and
-			"dnssec" regression tests. [RT #20865]
-
-2841.	[bug]		Change 2836 was not complete. [RT #20883]
-
-2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
-			[RT #20760]
-
-2839.	[bug]		A KSK revoked by named could not be deleted.
-			[RT #20881]
-
-2838.	[placeholder]
-
-2837.	[port]		Prevent Linux spurious warnings about fwrite().
-			[RT #20812]
-
-2836.	[bug]		Keys that were scheduled to become active could
-			be delayed. [RT #20874]
-
-2835.	[bug]		Key inactivity dates were inadvertently stored in
-			the private key file with the outdated tag
-			"Unpublish" rather than "Inactive".  This has been
-			fixed; however, any existing keys that had Inactive
-			dates set will now need to have them reset, using
-			'dnssec-settime -I'. [RT #20868]
-
-2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
-			digest length were used incorrectly, leading to
-			interoperability problems with other DNS
-			implementations.  This has been corrected.
-			(Note: If an oversize key is in use, and
-			compatibility is needed with an older release of
-			BIND, the new tool "isc-hmac-fixup" can convert
-			the key secret to a form that will work with all
-			versions.) [RT #20751]
-
-2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
-			[RT #20851]
-
-2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
-			to avoid redefinition in some OSs [RT 20831]
-
-2831.	[security]	Do not attempt to validate or cache
-			out-of-bailiwick data returned with a secure
-			answer; it must be re-fetched from its original
-			source and validated in that context. [RT #20819]
-
-2830.	[bug]		Changing the OPTOUT setting could take multiple
-			passes. [RT #20813]
-
-2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
-			[RT #20808]
-
-2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
-			without DNSSEC validation. [RT #20737]
-
-2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
-
-2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
-			being released.  [RT #20740]
-
-2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
-			was in the process of being created was not properly
-			recorded in the zone. [RT #20786]
-
-2824.	[bug]		"rndc sign" was not being run by the correct task.
-			[RT #20759]
-
-2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
-
-2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
-			[RT #20802]
-
-2821.	[doc]		Add note that named-checkconf doesn't automatically
-			read rndc.key and bind.keys [RT #20758]
-
-2820.	[func]		Handle read access failure of OpenSSL configuration
-			file more user friendly (PKCS#11 engine patch).
-			[RT #20668]
-
-2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
-			[RT #20771]
-
-2818.	[cleanup]	rndc could return an incorrect error code
-			when a zone was not found. [RT #20767]
-
-2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
-			[RT #20768]
-
-2816.	[bug]		previous_closest_nsec() could fail to return
-			data for NSEC3 nodes [RT #29730]
-
-2815.	[bug]		Exclusively lock the task when freezing a zone.
-			[RT #19838]
-
-2814.	[func]		Provide a definitive error message when a master
-			zone is not loaded. [RT #20757]
-
-2813.	[bug]		Better handling of unreadable DNSSEC key files.
-			[RT #20710]
-
-2812.	[bug]		Make sure updates can't result in a zone with
-			NSEC-only keys and NSEC3 records. [RT #20748]
-
-2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
-			output. [RT #20733]
-
-2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
-			to insecure. [RT #20746]
-
-2809.	[cleanup]	Restored accidentally-deleted text in usage output
-			in dnssec-settime and dnssec-revoke [RT #20739]
-
-2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
-			atomic.h is correctly installed by the architecture
-			specific subdirectories.  [RT #20722]
-
-2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
-			keys. [RT #20720]
-
-	--- 9.7.0rc1 released ---
-
-2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
-			when it had changed. [RT #20703]
-
-2805.	[bug]		Fixed namespace problems encountered when building
-			external programs using non-exported BIND9 libraries
-			(i.e., built without --enable-exportlib). [RT #20679]
-
-2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
-			or as a result of a scheduled key change. [RT #20700]
-
-2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
-			and genrandom under windows. [RT #20670]
-
-2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]
-
-2801.	[func]		Detect and report records that are different according
-			to DNSSEC but are semantically equal according to plain
-			DNS.  Apply plain DNS comparisons rather than DNSSEC
-			comparisons when processing UPDATE requests.
-			dnssec-signzone now removes such semantically duplicate
-			records prior to signing the RRset.
-
-			named-checkzone -r {ignore|warn|fail} (default warn)
-			named-compilezone -r {ignore|warn|fail} (default warn)
-
-			named.conf: check-dup-records {ignore|warn|fail};
-
-2800.	[func]		Reject zones which have NS records which refer to
-			CNAMEs, DNAMEs or don't have address record (class IN
-			only).  Reject UPDATEs which would cause the zone
-			to fail the above checks if committed. [RT #20678]
-
-2799.	[cleanup]	Changed the "secure-to-insecure" option to
-			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
-			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
-
-2798.	[bug]		Addressed bugs in managed-keys initialization
-			and rollover. [RT #20683]
-
-2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
-			[RT #20613]
-
-2796.	[bug]		Missing dns_rdataset_disassociate() call in
-			dns_nsec3_delnsec3sx(). [RT #20681]
-
-2795.	[cleanup]	Add text to differentiate "update with no effect"
-			log messages. [RT #18889]
-
-2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]
-
-2793.	[func]		Add "autosign" and "metadata" tests to the
-			automatic tests. [RT #19946]
-
-2792.	[func]		"filter-aaaa-on-v4" can now be set in view
-			options (if compiled in).  [RT #20635]
-
-2791.	[bug]		The installation of isc-config.sh was broken.
-			[RT #20667]
-
-2790.	[bug]		Handle DS queries to stub zones. [RT #20440]
-
-2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]
-
-2788.	[bug]		dnssec-signzone could sign with keys that were
-			not requested [RT #20625]
-
-2787.	[bug]		Spurious log message when zone keys were
-			dynamically reconfigured. [RT #20659]
-
-2786.	[bug]		Additional could be promoted to answer. [RT #20663]
-
-	--- 9.7.0b3 released ---
-
-2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]
-
-2784.	[bug]		TC was not always being set when required glue was
-			dropped. [RT #20655]
-
-2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
-			buffer size of 512 or less.  [RT #20654]
-
-2782.	[port]		win32: use getaddrinfo() for hostname lookups.
-			[RT #20650]
-
-2781.	[bug]		Inactive keys could be used for signing. [RT #20649]
-
-2780.	[bug]		dnssec-keygen -A none didn't properly unset the
-			activation date in all cases. [RT #20648]
-
-2779.	[bug]		Dynamic key revocation could fail. [RT #20644]
-
-2778.	[bug]		dnssec-signzone could fail when a key was revoked
-			without deleting the unrevoked version. [RT #20638]
-
-2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.
-
-2776.	[bug]		Change #2762 was not correct. [RT #20647]
-
-2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
-			in dnssec-keyfromlabel. [RT #20643]
-
-2774.	[bug]		Existing cache DB wasn't being reused after
-			reconfiguration. [RT #20629]
-
-2773.	[bug]		In autosigned zones, the SOA could be signed
-			with the KSK. [RT #20628]
-
-2772.	[security]	When validating, track whether pending data was from
-			the additional section or not and only return it if
-			validates as secure. [RT #20438]
-
-2771.	[bug]		dnssec-signzone: DNSKEY records could be
-			corrupted when importing from key files [RT #20624]
-
-2770.	[cleanup]	Add log messages to resolver.c to indicate events
-			causing FORMERR responses. [RT #20526]
-
-2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]
-
-2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]
-
-2767.	[bug]		named could crash on startup if a zone was
-			configured with auto-dnssec and there was no
-			key-directory. [RT #20615]
-
-2766.	[bug]		isc_socket_fdwatchpoke() should only update the
-			socketmgr state if the socket is not pending on a
-			read or write.  [RT #20603]
-
-2765.	[bug]		Skip masters for which the TSIG key cannot be found.
-			[RT #20595]
-
-2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
-
-2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]
-
-2762.	[bug]		DLV validation failed with a local slave DLV zone.
-			[RT #20577]
-
-2761.	[cleanup]	Enable internal symbol table for backtrace only for
-			systems that are known to work.  Currently, BSD
-			variants, Linux and Solaris are supported. [RT# 20202]
-
-2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]
-
-2759.	[doc]		Add information about .jbk/.jnw files to
-			the ARM. [RT #20303]
-
-2758.	[bug]		win32: Added a workaround for a windows 2008 bug
-			that could cause the UDP client handler to shut
-			down. [RT #19176]
-
-2757.	[bug]		dig: assertion failure could occur in connect
-			timeout. [RT #20599]
-
-2756.	[bug]		Fixed corrupt logfile message in update.c. [RT# 20597]
-
-2755.	[placeholder]
-
-2754.	[bug]		Secure-to-insecure transitions failed when zone
-			was signed with NSEC3. [RT #20587]
-
-2753.	[bug]		Removed an unnecessary warning that could appear when
-			building an NSEC chain. [RT #20589]
-
-2752.	[bug]		Locking violation. [RT #20587]
-
-2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
-
-2750.	[bug]		dig: assertion failure could occur when a server
-			didn't have an address. [RT #20579]
-
-2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
-			for NSEC3 signed zones. [RT #20452]
-
-2748.	[func]		Identify bad answers from GTLD servers and treat them
-			as referrals. [RT #18884]
-
-2747.	[bug]		Journal roll forwards failed to set the re-signing
-			time of RRSIGs correctly. [RT #20541]
-
-2746.	[port]		hpux: address signed/unsigned expansion mismatch of
-			dns_rbtnode_t.nsec. [RT #20542]
-
-2745.	[bug]		configure script didn't probe the return type of
-			gai_strerror(3) correctly. [RT #20573]
-
-2744.	[func]		Log if a query was over TCP. [RT #19961]
-
-2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
-			for a insecure delegation.
-
-	--- 9.7.0b2 released ---
-
-2742.	[cleanup]	Clarify some DNSSEC-related log messages in
-			validator.c. [RT #19589]
-
-2741.	[func]		Allow the dnssec-keygen progress messages to be
-			suppressed (dnssec-keygen -q).  Automatically
-			suppress the progress messages when stdin is not
-			a tty. [RT #20474]
-
-2740.	[placeholder]
-
-2739.	[cleanup]	Clean up API for initializing and clearing trust
-			anchors for a view. [RT #20211]
-
-2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
-			test. [RT #20453]
-
-2737.	[func]		UPDATE requests can leak existence information.
-			[RT #17261]
-
-2736.	[func]		Improve the performance of NSEC signed zones with
-			more than a normal amount of glue below a delegation.
-			[RT #20191]
-
-2735.	[bug]		dnssec-signzone could fail to read keys
-			that were specified on the command line with
-			full paths, but weren't in the current
-			directory. [RT #20421]
-
-2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
-
-2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
-
-2732.	[func]		Add optional filter-aaaa-on-v4 option, available
-			if built with './configure --enable-filter-aaaa'.
-			Filters out AAAA answers to clients connecting
-			via IPv4.  (This is NOT recommended for general
-			use.) [RT #20339]
-
-2731.	[func]		Additional work on change 2709.  The key parser
-			will now ignore unrecognized fields when the
-			minor version number of the private key format
-			has been increased.  It will reject any key with
-			the major version number increased. [RT #20310]
-
-2730.	[func]		Have dnssec-keygen display a progress indication
-			a la 'openssl genrsa' on standard error. Note
-			when the first '.' is followed by a long stop
-			one has the choice between slow generation vs.
-			poor random quality, i.e., '-r /dev/urandom'.
-			[RT #20284]
-
-2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
-			TTL. [RT #20451]
-
-2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
-			dnssec-signzone now warn immediately if asked to
-			write into a nonexistent directory. [RT #20278]
-
-2727.	[func]		The 'key-directory' option can now specify a relative
-			path. [RT #20154]
-
-2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
-			RSASHA256 and RSASHA512. [RT #20023]
-
-2725.	[doc]		Added information about the file "managed-keys.bind"
-			to the ARM. [RT #20235]
-
-2724.	[bug]		Updates to a existing node in secure zone using NSEC
-			were failing. [RT #20448]
-
-2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
-			isc_base64_totext(), didn't always mark regions of
-			memory as fully consumed after conversion.  [RT #20445]
-
-2722.	[bug]		Ensure that the memory associated with the name of
-			a node in a rbt tree is not altered during the life
-			of the node. [RT #20431]
-
-2721.	[port]		Have dst__entropy_status() prime the random number
-			generator. [RT #20369]
-
-2720.	[bug]		RFC 5011 trust anchor updates could trigger an
-			assert if the DNSKEY record was unsigned. [RT #20406]
-
-2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
-			[RT #20392]
-
-2718.	[bug]		The space calculations in opensslrsa_todns() were
-			incorrect. [RT #20394]
-
-2717.	[bug]		named failed to update the NSEC/NSEC3 record when
-			the last private type record was removed as a result
-			of completing the signing the zone with a key.
-			[RT #20399]
-
-2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
-
-	--- 9.7.0b1 released ---
-
-2715.	[bug]		Require OpenSSL support to be explicitly disabled.
-			[RT #20288]
-
-2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
-			flags.
-
-2713.	[bug]		powerpc: atomic operations missing asm("ics") /
-			__isync() calls.
-
-2712.	[func]		New 'auto-dnssec' zone option allows zone signing
-			to be fully automated in zones configured for
-			dynamic DNS.  'auto-dnssec allow;' permits a zone
-			to be signed by creating keys for it in the
-			key-directory and using 'rndc sign <zone>'.
-			'auto-dnssec maintain;' allows that too, plus it
-			also keeps the zone's DNSSEC keys up to date
-			according to their timing metadata. [RT #19943]
-
-2711.	[port]		win32: Add the bin/pkcs11 tools into the full
-			build. [RT #20372]
-
-2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
-			zone option cause a zone to be signed with only KSKs
-			signing the DNSKEY RRset, not ZSKs.  This reduces
-			the size of a DNSKEY answer.  [RT #20340]
-
-2709.	[func]		Added some data fields, currently unused, to the
-			private key file format, to allow implementation
-			of explicit key rollover in a future release
-			without impairing backward or forward compatibility.
-			[RT #20310]
-
-2708.	[func]		Insecure to secure and NSEC3 parameter changes via
-			update are now fully supported and no longer require
-			defines to enable.  We now no longer overload the
-			NSEC3PARAM flag field, nor the NSEC OPT bit at the
-			apex.  Secure to insecure changes are controlled by
-			by the named.conf option 'secure-to-insecure'.
-
-			Warning: If you had previously enabled support by
-			adding defines at compile time to BIND 9.6 you should
-			ensure that all changes that are in progress have
-			completed prior to upgrading to BIND 9.7.  BIND 9.7
-			is not backwards compatible.
-
-2707.	[func]		dnssec-keyfromlabel no longer require engine name
-			to be specified in the label if there is a default
-			engine or the -E option has been used.  Also, it
-			now uses default algorithms as dnssec-keygen does
-			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
-			[RT #20371]
-
-2706.	[bug]		Loading a zone with a very large NSEC3 salt could
-			trigger an assert. [RT #20368]
-
-2705.	[placeholder]
-
-2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
-			with their SOA serial.  [RT #19387]
-
-2703.	[func]		Introduce an OpenSSL "engine" argument with -E
-			for all binaries which can take benefit of
-			crypto hardware. [RT #20230]
-
-2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
-
-2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
-			supported TSIG key algorithm. [RT #18046]
-
-2700.	[doc]		The match-mapped-addresses option is discouraged.
-			[RT #12252]
-
-2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]
-
-2698.	[placeholder]
-
-2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
-			S_IFREG are defined after including <isc/stat.h>.
-			[RT #20309]
-
-2696.	[bug]		named failed to successfully process some valid
-			acl constructs. [RT #20308]
-
-2695.	[func]		DHCP/DDNS - update fdwatch code for use by
-			DHCP.  Modify the api to isc_sockfdwatch_t (the
-			callback function for isc_socket_fdwatchcreate)
-			to include information about the direction (read
-			or write) and add isc_socket_fdwatchpoke.
-			[RT #20253]
-
-2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
-			[RT #19970]
-
-2693.	[port]		Add some noreturn attributes. [RT #20257]
-
-2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]
-
-2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
-			chain when re-signing a previously-signed zone.
-			Use -u to modify NSEC3 parameters or switch
-			between NSEC and NSEC3. [RT #20304]
-
-2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
-			[RT #20315]
-
-2689.	[bug]		Correctly handle snprintf result. [RT #20306]
-
-2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
-			to decide to fetch the destination address. [RT #20305]
-
-2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
-			Also, added warnings when revoking a ZSK, as this is
-			not defined by protocol (but is legal).  [RT #19943]
-
-2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
-			signing with NSEC3 and vice versa. [RT #20301]
-
-2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
-
-2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
-			+adflag and +cdflag.  [RT #19305]
-
-2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
-			the NSEC3 parameters used to sign the zone change.
-			[RT #20246]
-
-2682.	[bug]		"configure --enable-symtable=all" failed to
-			build. [RT #20282]
-
-2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
-			decoded. [RT #20269]
-
-2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
-
-2679.	[func]		dig -k can now accept TSIG keys in named.conf
-			format.  [RT #20031]
-
-2678.	[func]		Treat DS queries as if "minimal-response yes;"
-			was set. [RT #20258]
-
-2677.	[func]		Changes to key metadata behavior:
-			- Keys without "publish" or "active" dates set will
-			  no longer be used for smart signing.  However,
-			  those dates will be set to "now" by default when
-			  a key is created; to generate a key but not use
-			  it yet, use dnssec-keygen -G.
-			- New "inactive" date (dnssec-keygen/settime -I)
-			  sets the time when a key is no longer used for
-			  signing but is still published.
-			- The "unpublished" date (-U) is deprecated in
-			  favor of "deleted" (-D).
-			[RT #20247]
-
-2676.	[bug]		--with-export-installdir should have been
-			--with-export-includedir. [RT #20252]
-
-2675.	[bug]		dnssec-signzone could crash if the key directory
-			did not exist. [RT #20232]
-
-	--- 9.7.0a3 released ---
-
-2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
-			without openssl. [RT #20231]
-
-2673.	[bug]		The managed-keys.bind zone file could fail to
-			load due to a spurious result from sync_keyzone()
-			[RT #20045]
-
-2672.	[bug]		Don't enable searching in 'host' when doing reverse
-			lookups. [RT #20218]
-
-2671.	[bug]		Add support for PKCS#11 providers not returning
-			the public exponent in RSA private keys
-			(OpenCryptoki for instance) in
-			dnssec-keyfromlabel. [RT #19294]
-
-2670.	[bug]		Unexpected connect failures failed to log enough
-			information to be useful. [RT #20205]
-
-2669.	[func]		Update PKCS#11 support to support Keyper HSM.
-			Update PKCS#11 patch to be against openssl-0.9.8i.
-
-2668.	[func]		Several improvements to dnssec-* tools, including:
-			- dnssec-keygen and dnssec-settime can now set key
-			  metadata fields 0 (to unset a value, use "none")
-			- dnssec-revoke sets the revocation date in
-			  addition to the revoke bit
-			- dnssec-settime can now print individual metadata
-			  fields instead of always printing all of them,
-			  and can print them in unix epoch time format for
-			  use by scripts
-			[RT #19942]
-
-2667.	[func]		Add support for logging stack backtrace on assertion
-			failure (not available for all platforms). [RT #19780]
-
-2666.	[func]		Added an 'options' argument to dns_name_fromstring()
-			(API change from 9.7.0a2). [RT #20196]
-
-2665.	[func]		Clarify syntax for managed-keys {} statement, add
-			ARM documentation about RFC 5011 support. [RT #19874]
-
-2664.	[bug]		create_keydata() and minimal_update() in zone.c
-			didn't properly check return values for some
-			functions.  [RT #19956]
-
-2663.	[func]		win32:  allow named to run as a service using
-			"NT AUTHORITY\LocalService" as the account. [RT #19977]
-
-2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
-			returned a misleading error code when lwresd was
-			down. [RT #20028]
-
-2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
-			creating lwres context. [RT #20029]
-
-2660.	[func]		Add a new set of DNS libraries for non-BIND9
-			applications.  See README.libdns. [RT #19369]
-
-2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
-			name for DNSSEC keys. [RT #19938]
-
-2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
-			key file paths correctly. [RT #20078]
-
-2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
-			log level to debug 1. [RT #20058]
-
-2656.	[func]		win32: add a "tools only" check box to the installer
-			which causes it to only install dig, host, nslookup,
-			nsupdate and relevant DLLs.  [RT #19998]
-
-2655.	[doc]		Document that key-directory does not affect
-			bind.keys, rndc.key or session.key.  [RT #20155]
-
-2654.	[bug]		Improve error reporting on duplicated names for
-			deny-answer-xxx. [RT #20164]
-
-2653.	[bug]		Treat ENGINE_load_private_key() failures as key
-			not found rather than out of memory.  [RT #18033]
-
-2652.	[func]		Provide more detail about what record is being
-			deleted. [RT #20061]
-
-2651.	[bug]		Dates could print incorrectly in K*.key files on
-			64-bit systems. [RT #20076]
-
-2650.	[bug]		Assertion failure in dnssec-signzone when trying
-			to read keyset-* files. [RT #20075]
-
-2649.	[bug]		Set the domain for forward only zones. [RT #19944]
-
-2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]
-
-2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
-			added. [RT #19913]
-
-2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]
-
-2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
-			which default to 64 bits. [RT #19927]
-
-	--- 9.7.0a2 released ---
-
-2644.	[bug]		Change #2628 caused a regression on some systems;
-			named was unable to write the PID file and would
-			fail on startup. [RT #20001]
-
-2643.	[bug]		Stub zones interacted badly with NSEC3 support.
-			[RT #19777]
-
-2642.	[bug]		nsupdate could dump core on solaris when reading
-			improperly formatted key files.  [RT #20015]
-
-2641.	[bug]		Fixed an error in parsing update-policy syntax,
-			added a regression test to check it. [RT #20007]
-
-2640.	[security]	A specially crafted update packet will cause named
-			to exit. [RT #20000]
-
-2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]
-
-2638.	[bug]		Install arpaname. [RT #19957]
-
-2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
-			[RT #19959]
-
-2636.	[func]		Simplify zone signing and key maintenance with the
-			dnssec-* tools.  Major changes:
-			- all dnssec-* tools now take a -K option to
-			  specify a directory in which key files will be
-			  stored
-			- DNSSEC can now store metadata indicating when
-			  they are scheduled to be published, activated,
-			  revoked or removed; these values can be set by
-			  dnssec-keygen or overwritten by the new
-			  dnssec-settime command
-			- dnssec-signzone -S (for "smart") option reads key
-			  metadata and uses it to determine automatically
-			  which keys to publish to the zone, use for
-			  signing, revoke, or remove from the zone
-			[RT #19816]
-
-2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
-			[RT #19716]
-
-2634.	[port]		win32: Add support for libxml2, enable
-			statschannel. [RT #19773]
-
-2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]
-
-2632.	[func]		util/kit.sh: warn if documentation appears to be out of
-			date.  [RT #19922]
-
-2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
-			[RT #19926 ]
-
-2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
-			"update-policy local;" to switch on local DDNS in a
-			zone. (The "ddns-autoconf" option has been removed.)
-			[RT #19875]
-
-2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
-			setresgid() if not present. [RT #19932]
-
-2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
-			at startup with reduced capabilities in operation.
-			[RT #19884]
-
-2627.	[bug]		Named aborted if the same key was included in
-			trusted-keys more than once. [RT #19918]
-
-2626.	[bug]		Multiple trusted-keys could trigger an assertion
-			failure. [RT #19914]
-
-2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]
-
-2624.	[func]		'named-checkconf -p' will print out the parsed
-			configuration. [RT #18871]
-
-2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]
-
-2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
-
-2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]
-
-2620.	[bug]		Delay thawing the zone until the reload of it has
-			completed successfully.  [RT #19750]
-
-2619.	[func]		Add support for RFC 5011, automatic trust anchor
-			maintenance.  The new "managed-keys" statement can
-			be used in place of "trusted-keys" for zones which
-			support this protocol.  (Note: this syntax is
-			expected to change prior to 9.7.0 final.) [RT #19248]
-
-2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
-			loop infinitely. [RT #19847]
-
-2617.	[bug]		ifconfig.sh failed to emit an error message when
-			run from the wrong location. [RT #19375]
-
-2616.	[bug]		'host' used the nameservers from resolv.conf even
-			when a explicit nameserver was specified. [RT #19852]
-
-2615.	[bug]		"__attribute__((unused))" was in the wrong place
-			for ia64 gcc builds. [RT #19854]
-
-2614.	[port]		win32: 'named -v' should automatically be executed
-			in the foreground. [RT #19844]
-
-2613.	[placeholder]
-
-	--- 9.7.0a1 released ---
-
-2612.	[func]		Add default values for the arguments to
-			dnssec-keygen.  Without arguments, it will now
-			generate a 1024-bit RSASHA1 zone-signing key,
-			or with the -f KSK option, a 2048-bit RSASHA1
-			key-signing key. [RT #19300]
-
-2611.	[func]		Add -l option to dnssec-dsfromkey to generate
-			DLV records instead of DS records. [RT #19300]
-
-2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]
-
-2609.	[func]		Simplify the configuration of dynamic zones:
-			- add ddns-confgen command to generate
-			  configuration text for named.conf
-			- add zone option "ddns-autoconf yes;", which
-			  causes named to generate a TSIG session key
-			  and allow updates to the zone using that key
-			- add '-l' (localhost) option to nsupdate, which
-			  causes nsupdate to connect to a locally-running
-			  named process using the session key generated
-			  by named
-			[RT #19284]
-
-2608.	[func]		Perform post signing verification checks in
-			dnssec-signzone.  These can be disabled with -P.
-
-			The post sign verification test ensures that for each
-			algorithm in use there is at least one non revoked
-			self signed KSK key.  That all revoked KSK keys are
-			self signed.  That all records in the zone are signed
-			by the algorithm.  [RT #19653]
-
-2607.	[bug]		named could incorrectly delete NSEC3 records for
-			empty nodes when processing a update request.
-			[RT #19749]
-
-2606.	[bug]		"delegation-only" was not being accepted in
-			delegation-only type zones. [RT #19717]
-
-2605.	[bug]		Accept DS responses from delegation only zones.
-			[RT # 19296]
-
-2604.	[func]		Add support for DNS rebinding attack prevention through
-			new options, deny-answer-addresses and
-			deny-answer-aliases.  Based on contributed code from
-			JD Nurmi, Google. [RT #18192]
-
-2603.	[port]		win32: handle .exe extension of named-checkzone and
-			named-comilezone argv[0] names under windows.
-			[RT #19767]
-
-2602.	[port]		win32: fix debugging command line build of libisccfg.
-			[RT #19767]
-
-2601.	[doc]		Mention file creation mode mask in the
-			named manual page.
-
-2600.	[doc]		ARM: miscellaneous reformatting for different
-			page widths. [RT #19574]
-
-2599.	[bug]		Address rapid memory growth when validation fails.
-			[RT #19654]
-
-2598.	[func]		Reserve the -F flag. [RT #19657]
-
-2597.	[bug]		Handle a validation failure with a insecure delegation
-			from a NSEC3 signed master/slave zone.  [RT #19464]
-
-2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
-			long, leading to inefficient memory usage or rejecting
-			newer cache entries in the worst case. [RT #19563]
-
-2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
-
-2594.	[func]		Have rndc warn if using its default configuration
-			file when the key file also exists. [RT #19424]
-
-2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]
-
-2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
-
-2591.	[bug]		named could die when processing a update in
-			removed_orphaned_ds(). [RT #19507]
-
-2590.	[func]		Report zone/class of "update with no effect".
-			[RT #19542]
-
-2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
-			[RT #19626]
-
-2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
-			of bind(2) call.  This should be rare and mostly
-			harmless, but may cause interference with other
-			processes that happen to use the same port. [RT #19642]
-
-2587.	[func]		Improve logging by reporting serial numbers for
-			when zone serial has gone backwards or unchanged.
-			[RT #19506]
-
-2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
-			or SDB. [RT #19577]
-
-2585.	[bug]		Uninitialized socket name could be referenced via a
-			statistics channel, triggering an assertion failure in
-			XML rendering. [RT #19427]
-
-2584.	[bug]		alpha: gcc optimization could break atomic operations.
-			[RT #19227]
-
-2583.	[port]		netbsd: provide a control to not add the compile
-			date to the version string, -DNO_VERSION_DATE.
-
-2582.	[bug]		Don't emit warning log message when we attempt to
-			remove non-existent journal. [RT #19516]
-
-2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
-			Requires MySQL 5.0.19 or later. [RT #19084]
-
-2580.	[bug]		UpdateRej statistics counter could be incremented twice
-			for one rejection. [RT #19476]
-
-2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
-			algorithms. [RT #19479]
-
-2578.	[bug]		Changed default sig-signing-type to 65534, because
-			65535 turns out to be reserved.  [RT #19477]
-
-2577.	[doc]		Clarified some statistics counters. [RT #19454]
-
-2576.	[bug]		NSEC record were not being correctly signed when
-			a zone transitions from insecure to secure.
-			Handle such incorrectly signed zones. [RT #19114]
-
-2575.	[func]		New functions dns_name_fromstring() and
-			dns_name_tostring(), to simplify conversion
-			of a string to a dns_name structure and vice
-			versa. [RT #19451]
-
-2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
-
-2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
-			single transaction in a signed zone failed. [RT #19397]
-
-2572.	[func]		Simplify DLV configuration, with a new option
-			"dnssec-lookaside auto;"  This is the equivalent
-			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
-			plus setting a trusted-key for dlv.isc.org.
-
-			Note: The trusted key is hard-coded into named,
-			but is also stored in (and can be overridden
-			by) $sysconfdir/bind.keys.  As the ISC DLV key
-			rolls over it can be kept up to date by replacing
-			the bind.keys file with a key downloaded from
-			https://www.isc.org/solutions/dlv. [RT #18685]
-
-2571.	[func]		Add a new tool "arpaname" which translates IP addresses
-			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
-			[RT #18976]
-
-2570.	[func]		Log the destination address the query was sent to.
-			[RT #19209]
-
-2569.	[func]		Move journalprint, nsec3hash, and genrandom
-			commands from bin/tests into bin/tools;
-			"make install" will put them in $sbindir. [RT #19301]
-
-2568.	[bug]		Report when the write to indicate a otherwise
-			successful start fails. [RT #19360]
-
-2567.	[bug]		dst__privstruct_writefile() could miss write errors.
-			write_public_key() could miss write errors.
-			dnssec-dsfromkey could miss write errors.
-			[RT #19360]
-
-2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
-			response arrives from a zone thought to be secure:
-			"insecurity proof failed" instead of "not
-			insecure". [RT #19400]
-
-2565.	[func]		Add support for HIP record.  Includes new functions
-			dns_rdata_hip_first(), dns_rdata_hip_next()
-			and dns_rdata_hip_current().  [RT #19384]
-
-2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
-			[RT #19405]
-
-2563.	[bug]		Dig could leak a socket causing it to wait forever
-			to exit. [RT #19359]
-
-2562.	[doc]		ARM: miscellaneous improvements, reorganization,
-			and some new content.
-
-2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]
-
-2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]
-
-2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
-			reading from a K* files.  [RT #19357]
-
-2558.	[func]		Set the ownership of missing directories created
-			for pid-file if -u has been specified on the command
-			line. [RT #19328]
-
-2557.	[cleanup]	PCI compliance:
-			* new libisc log module file
-			* isc_dir_chroot() now also changes the working
-			  directory to "/".
-			* additional INSISTs
-			* additional logging when files can't be removed.
-
-2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
-			error checks in the correct order resulting in the
-			wrong error code sometimes being returned. [RT #19249]
-
-2555.	[func]		dig: when emitting a hex dump also display the
-			corresponding characters. [RT #19258]
-
-2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
-			fail. [RT #19297]
-
-2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
-
-2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
-			[RT #19340]
-
-2551.	[bug]		Potential Reference leak on return. [RT #19341]
-
-2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
-			[RT #19343]
-
-2549.	[port]		linux: define NR_OPEN if not currently defined.
-			[RT #19344]
-
-2548.	[bug]		Install iterated_hash.h. [RT #19335]
-
-2547.	[bug]		openssl_link.c:mem_realloc() could reference an
-			out-of-range area of the source buffer.  New public
-			function isc_mem_reallocate() was introduced to address
-			this bug. [RT #19313]
-
-2546.	[func]		Add --enable-openssl-hash configure flag to use
-			OpenSSL (in place of internal routine) for hash
-			functions (MD5, SHA[12] and HMAC). [RT #18815]
-
-2545.	[doc]		ARM: Legal hostname checking (check-names) is
-			for SRV RDATA too. [RT #19304]
-
-2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]
-
-2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]
-
-2542.	[doc]		Update the description of dig +adflag. [RT #19290]
-
-2541.	[bug]		Conditionally update dispatch manager statistics.
-			[RT #19247]
-
-2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]
-
-2539.	[security]	Update the interaction between recursion, allow-query,
-			allow-query-cache and allow-recursion.  [RT #19198]
-
-2538.	[bug]		cache/ADB memory could grow over max-cache-size,
-			especially with threads and smaller max-cache-size
-			values. [RT #19240]
-
-2537.	[func]		Added more statistics counters including those on socket
-			I/O events and query RTT histograms. [RT #18802]
-
-2536.	[cleanup]	Silence some warnings when -Werror=format-security is
-			specified. [RT #19083]
-
-2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]
-
-2534.	[func]		Check NAPTR records regular expressions and
-			replacement strings to ensure they are syntactically
-			valid and consistent. [RT #18168]
-
-2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
-
-2532.	[bug]		dig: check the question section of the response to
-			see if it matches the asked question. [RT #18495]
-
-2531.	[bug]		Change #2207 was incomplete. [RT #19098]
-
-2530.	[bug]		named failed to reject insecure to secure transitions
-			via UPDATE. [RT #19101]
-
-2529.	[cleanup]	Upgrade libtool to silence complaints from recent
-			version of autoconf. [RT #18657]
-
-2528.	[cleanup]	Silence spurious configure warning about
-			--datarootdir [RT #19096]
-
-2527.	[placeholder]
-
-2526.	[func]		New named option "attach-cache" that allows multiple
-			views to share a single cache to save memory and
-			improve lookup efficiency.  Based on contributed code
-			from Barclay Osborn, Google. [RT #18905]
-
-2525.	[func]		New logging category "query-errors" to provide detailed
-			internal information about query failures, especially
-			about server failures. [RT #19027]
-
-2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]
-
-2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
-			[RT #19112]
-
-2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
-
-2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
-
-2520.	[bug]		Update xml statistics version number to 2.0 as change
-			#2388 made the schema incompatible to the previous
-			version. [RT #19080]
-
-2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
-			nameserver addresses of the excluded address family
-			preceded in resolv.conf. [RT #19081]
-
-2518.	[func]		Add support for the new CERT types from RFC 4398.
-			[RT #19077]
-
-2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
-			nameserver address of the excluded address type.
-			[RT #18843]
-
-2516.	[bug]		glue sort for responses was performed even when not
-			needed. [RT #19039]
-
-2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
-			[RT #19063]
-
-2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
-			a nameserver of the excluded address family.
-			[RT #18848]
-
-2513.	[bug]		Fix windows cli build. [RT #19062]
-
-2512.	[func]		Print a summary of the cached records which make up
-			the negative response.  [RT #18885]
-
-2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
-			[RT #18885]
-
-2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
-			[RT #19033]
-
-2509.	[bug]		Specifying a fixed query source port was broken.
-			[RT #19051]
-
-2508.	[placeholder]
-
-2507.	[func]		Log the recursion quota values when killing the
-			oldest query or refusing to recurse due to quota.
-			[RT #19022]
-
-2506.	[port]		solaris: Check at configure time if
-			hack_shutup_pthreadonceinit is needed. [RT #19037]
-
-2505.	[port]		Treat amd64 similarly to x86_64 when determining
-			atomic operation support. [RT #19031]
-
-2504.	[bug]		Address race condition in the socket code. [RT #18899]
-
-2503.	[port]		linux: improve compatibility with Linux Standard
-			Base. [RT #18793]
-
-2502.	[cleanup]	isc_radix: Improve compliance with coding style,
-			document function in <isc/radix.h>. [RT #18534]
-
-2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
-			rdata types need to be quoted.  See the ARM for
-			details. [RT #18368]
-
-2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
-			function. [RT #18582]
-
-2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
-			[RT #18837]
-
-	--- 9.6.0rc1 released ---
-
-2498.	[bug]		Removed a bogus function argument used with
-			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
-			warning or crash named with the debug 1 level
-			of logging. [RT #18917]
-
-2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
-			delegation.
-
-2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]
-
-2495.	[bug]		Tighten RRSIG checks. [RT #18795]
-
-2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
-			installed. [RT #18826]
-
-2493.	[bug]		The linux capabilities code was not correctly cleaning
-			up after itself. [RT #18767]
-
-2492.	[func]		Rndc status now reports the number of cpus discovered
-			and the number of worker threads when running
-			multi-threaded. [RT #18273]
-
-2491.	[func]		Attempt to re-use a local port if we are already using
-			the port. [RT #18548]
-
-2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
-			is cleared when IPV6_V6ONLY is set. [RT #18785]
-
-2489.	[port]		solaris: Workaround Solaris's kernel bug about
-			/dev/poll:
-			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
-			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
-			this workaround. [RT #18870]
-
-2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
-			from keyset and .key files. [RT #18694]
-
-2487.	[bug]		Give TCP connections longer to complete. [RT #18675]
-
-2486.	[func]		The default locations for named.pid and lwresd.pid
-			are now /var/run/named/named.pid and
-			/var/run/lwresd/lwresd.pid respectively.
-
-			This allows the owner of the containing directory
-			to be set, for "named -u" support, and allows there
-			to be a permanent symbolic link in the path, for
-			"named -t" support.  [RT #18306]
-
-2485.	[bug]		Change update's the handling of obscured RRSIG
-			records.  Not all orphaned DS records were being
-			removed. [RT #18828]
-
-2484.	[bug]		It was possible to trigger a REQUIRE failure when
-			adding NSEC3 proofs to the response in
-			query_addwildcardproof().  [RT #18828]
-
-2483.	[port]		win32: chroot() is not supported. [RT #18805]
-
-2482.	[port]		libxml2: support versions 2.7.* in addition
-			to 2.6.*. [RT #18806]
-
-	--- 9.6.0b1 released ---
-
-2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
-			collisions.  [RT #18812]
-
-2480.	[bug]		named could fail to emit all the required NSEC3
-			records.  [RT #18812]
-
-2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]
-
-2478.	[bug]		'addresses' could be used uninitialized in
-			configure_forward(). [RT #18800]
-
-2477.	[bug]		dig: the global option to print the command line is
-			+cmd not print_cmd.  Update the output to reflect
-			this. [RT #17008]
-
-2476.	[doc]		ARM: improve documentation for max-journal-size and
-			ixfr-from-differences. [RT #15909] [RT #18541]
-
-2475.	[bug]		LRU cache cleanup under overmem condition could purge
-			particular entries more aggressively. [RT #17628]
-
-2474.	[bug]		ACL structures could be allocated with insufficient
-			space, causing an array overrun. [RT #18765]
-
-2473.	[port]		linux: raise the limit on open files to the possible
-			maximum value before spawning threads; 'files'
-			specified in named.conf doesn't seem to work with
-			threads as expected. [RT #18784]
-
-2472.	[port]		linux: check the number of available cpu's before
-			calling chroot as it depends on "/proc". [RT #16923]
-
-2471.	[bug]		named-checkzone was not reporting missing mandatory
-			glue when sibling checks were disabled. [RT #18768]
-
-2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
-			overwritten.  [RT# 18719]
-
-2469.	[port]		solaris: Work around Solaris's select() limitations.
-			[RT #18769]
-
-2468.	[bug]		Resolver could try unreachable servers multiple times.
-			[RT #18739]
-
-2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
-
-2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
-			[RT #18302]
-
-2465.	[bug]		Adb's handling of lame addresses was different
-			for IPv4 and IPv6. [RT #18738]
-
-2464.	[port]		linux: check that a capability is present before
-			trying to set it. [RT #18135]
-
-2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
-			API and glibc hides parts of the IPv6 Advanced Socket
-			API as a result.  This is stupid as it breaks how the
-			two halves (Basic and Advanced) of the IPv6 Socket API
-			were designed to be used but we have to live with it.
-			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
-			API. [RT #18388]
-
-2462.	[doc]		Document -m (enable memory usage debugging)
-			option for dig. [RT #18757]
-
-2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]
-
-	--- 9.6.0a1 released ---
-
-2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
-			[RT #18697]
-
-2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]
-
-2458.	[doc]		ARM: update and correction for max-cache-size.
-			[RT #18294]
-
-2457.	[tuning]	max-cache-size is reverted to 0, the previous
-			default.  It should be safe because expired cache
-			entries are also purged. [RT #18684]
-
-2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
-			address, regardless of family.  They now correctly
-			distinguish IPv4 from IPv6.  [RT #18559]
-
-2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
-			[RT #18639]
-
-2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]
-
-2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
-			[RT #18316]
-
-2452.	[func]		Improve bin/test/journalprint. [RT #18316]
-
-2451.	[port]		solaris: handle runtime linking better. [RT #18356]
-
-2450.	[doc]		Fix lwresd docbook problem for manual page.
-			[RT #18672]
-
-2449.	[placeholder]
-
-2448.	[func]		Add NSEC3 support. [RT #15452]
-
-2447.	[cleanup]	libbind has been split out as a separate product.
-
-2446.	[func]		Add a new log message about build options on startup.
-			A new command-line option '-V' for named is also
-			provided to show this information. [RT# 18645]
-
-2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
-			RFC1918 address, but these are not yet compiled in).
-			[RT #18578]
-
-2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
-			(clear DF) for UDP responses and requests.
-
-2443.	[bug]		win32: UDP connect() would not generate an event,
-			and so connected UDP sockets would never clean up.
-			Fix this by doing an immediate WSAConnect() rather
-			than an io completion port type for UDP.
-
-2442.	[bug]		A lock could be destroyed twice. [RT# 18626]
-
-2441.	[bug]		isc_radix_insert() could copy radix tree nodes
-			incompletely. [RT #18573]
-
-2440.	[bug]		named-checkconf used an incorrect test to determine
-			if an ACL was set to none.
-
-2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
-			[RT #18559]
-
-2438.	[bug]		Timeouts could be logged incorrectly under win32.
-
-2437.	[bug]		Sockets could be closed too early, leading to
-			inconsistent states in the socket module. [RT #18298]
-
-2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]
-
-2435.	[bug]		Fixed an ACL memory leak affecting win32.
-
-2434.	[bug]		Fixed a minor error-reporting bug in
-			lib/isc/win32/socket.c.
-
-2433.	[tuning]	Set initial timeout to 800ms.
-
-2432.	[bug]		More Windows socket handling improvements.  Stop
-			using I/O events and use IO Completion Ports
-			throughout.  Rewrite the receive path logic to make
-			it easier to support multiple simultaneous
-			requesters in the future.  Add stricter consistency
-			checking as a compile-time option (define
-			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
-
-2431.	[bug]		Acl processing could leak memory. [RT #18323]
-
-2430.	[bug]		win32: isc_interval_set() could round down to
-			zero if the input was less than NS_INTERVAL
-			nanoseconds.  Round up instead. [RT #18549]
-
-2429.	[doc]		nsupdate should be in section 1 of the man pages.
-			[RT #18283]
-
-2428.	[bug]		dns_iptable_merge() mishandled merges of negative
-			tables. [RT #18409]
-
-2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
-			was set. [RT #18528]
-
-2426.	[bug]		libbind: inet_net_pton() can sometimes return the
-			wrong value if excessively large net masks are
-			supplied. [RT #18512]
-
-2425.	[bug]		named didn't detect unavailable query source addresses
-			at load time. [RT #18536]
-
-2424.	[port]		configure now probes for a working epoll
-			implementation.  Allow the use of kqueue,
-			epoll and /dev/poll to be selected at compile
-			time. [RT #18277]
-
-2423.	[security]	Randomize server selection on queries, so as to
-			make forgery a little more difficult.  Instead of
-			always preferring the server with the lowest RTT,
-			pick a server with RTT within the same 128
-			millisecond band.  [RT #18441]
-
-2422.	[bug]		Handle the special return value of a empty node as
-			if it was a NXRRSET in the validator. [RT #18447]
-
-2421.	[func]		Add new command line option '-S' for named to specify
-			the max number of sockets. [RT #18493]
-			Use caution: this option may not work for some
-			operating systems without rebuilding named.
-
-2420.	[bug]		Windows socket handling cleanup.  Let the io
-			completion event send out canceled read/write
-			done events, which keeps us from writing to memory
-			we no longer have ownership of.  Add debugging
-			socket_log() function.  Rework TCP socket handling
-			to not leak sockets.
-
-2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
-			should not be used for isc_sockettype_fdwatch sockets.
-			[RT #18521]
-
-2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
-			[RT #18430]
-
-2417.	[bug]		Connecting UDP sockets for outgoing queries could
-			unexpectedly fail with an 'address already in use'
-			error. [RT #18411]
-
-2416.	[func]		Log file descriptors that cause exceeding the
-			internal maximum. [RT #18460]
-
-2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
-			in rbtdb.c. [RT #18455]
-
-2414.	[bug]		A masterdump context held the database lock too long,
-			causing various troubles such as dead lock and
-			recursive lock acquisition. [RT #18311, #18456]
-
-2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]
-
-2412.	[bug]		win32: address a resource leak. [RT #18374]
-
-2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
-			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
-			at compilation time.  [RT #18433]
-
-			Note: with changes #2469 and #2421 above, there is no
-			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
-			any more.
-
-2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]
-
-2409.	[bug]		Only log that we disabled EDNS processing if we were
-			subsequently successful.  [RT #18029]
-
-2408.	[bug]		A duplicate TCP dispatch event could be sent, which
-			could then trigger an assertion failure in
-			resquery_response().  [RT #18275]
-
-2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]
-
-2406.	[placeholder]
-
-2405.	[cleanup]	The default value for dnssec-validation was changed to
-			"yes" in 9.5.0-P1 and all subsequent releases; this
-			was inadvertently omitted from CHANGES at the time.
-
-2404.	[port]		hpux: files unlimited support.
-
-2403.	[bug]		TSIG context leak. [RT #18341]
-
-2402.	[port]		Support Solaris 2.11 and over. [RT #18362]
-
-2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
-			(from accept() or fcntl() system calls). [RT #18358]
-
-2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
-			[RT #18297]
-
-2399.	[placeholder]
-
-2398.	[bug]		Improve file descriptor management.  New,
-			temporary, named.conf option reserved-sockets,
-			default 512. [RT #18344]
-
-2397.	[bug]		gssapi_functions had too many elements. [RT #18355]
-
-2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
-			[RT #18336]
-
-2395.	[port]		Avoid warning and no effect from "files unlimited"
-			on Linux when running as root. [RT #18335]
-
-2394.	[bug]		Default configuration options set the limit for
-			open files to 'unlimited' as described in the
-			documentation. [RT #18331]
-
-2393.	[bug]		nested acls containing keys could trigger an
-			assertion in acl.c. [RT #18166]
-
-2392.	[bug]		remove 'grep -q' from acl test script, some platforms
-			don't support it. [RT #18253]
-
-2391.	[port]		hpux: cover additional recvmsg() error codes.
-			[RT #18301]
-
-2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
-			[RT #18301].
-
-2389.	[bug]		Move the "working directory writable" check to after
-			the ns_os_changeuser() call. [RT #18326]
-
-2388.	[bug]		Avoid using tables for layout purposes in
-			statistics XSL [RT #18159].
-
-2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
-			[RT #18147] [RT #18258]
-
-2386.	[func]		Add warning about too small 'open files' limit.
-			[RT #18269]
-
-2385.	[bug]		A condition variable in socket.c could leak in
-			rare error handling [RT #17968].
-
-2384.	[security]	Fully randomize UDP query ports to improve
-			forgery resilience. [RT #17949, #18098]
-
-2383.	[bug]		named could double queries when they resulted in
-			SERVFAIL due to overkilling EDNS0 failure detection.
-			[RT #18182]
-
-2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
-			to ARM.
-
-2381.	[port]		dlz/mysql: support multiple install layouts for
-			mysql.  <prefix>/include/{,mysql/}mysql.h and
-			<prefix>/lib/{,mysql/}. [RT #18152]
-
-2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
-			proofs which, in turn, caused validation failures
-			for insecure zones immediately below a secure zone
-			the server was authoritative for. [RT #18112]
-
-2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
-			TLDs and supported RRs with TTLs [RT #17972]
-
-2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
-			[RT #18169]
-
-2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
-
-2376.	[bug]		Change #2144 was not complete.
-
-2375.	[placeholder]
-
-2374.	[bug]		"blackhole" ACLs could cause named to segfault due
-			to some uninitialized memory. [RT #18095]
-
-2373.	[bug]		Default values of zone ACLs were re-parsed each time a
-			new zone was configured, causing an overconsumption
-			of memory. [RT #18092]
-
-2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
-
-2371.	[doc]		Add +nsid option to dig man page. [RT #18039]
-
-2370.	[bug]		"rndc freeze" could trigger an assertion in named
-			when called on a nonexistent zone. [RT #18050]
-
-2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
-			[RT #18054]
-
-2368.	[port]		Linux: use libcap for capability management if
-			possible. [RT# 18026]
-
-2367.	[bug]		Improve counting of dns_resstatscounter_retry
-			[RT #18030]
-
-2366.	[bug]		Adb shutdown race. [RT #18021]
-
-2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
-			spurious results. [RT #18000]
-
-2364.	[bug]		named could trigger a assertion when serving a
-			malformed signed zone. [RT #17828]
-
-2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
-			[RT #17513]
-
-2362.	[cleanup]	Make "rrset-order fixed" a compile-time option.
-			settable by "./configure --enable-fixed-rrset".
-			Disabled by default. [RT #17977]
-
-2361.	[bug]		"recursion" statistics counter could be counted
-			multiple times for a single query.  [RT #17990]
-
-2360.	[bug]		Fix a condition where we release a database version
-			(which may acquire a lock) while holding the lock.
-
-2359.	[bug]		Fix NSID bug. [RT #17942]
-
-2358.	[doc]		Update host's default query description. [RT #17934]
-
-2357.	[port]		Don't use OpenSSL's engine support in versions before
-			OpenSSL 0.9.7f. [RT #17922]
-
-2356.	[bug]		Built in mutex profiler was not scalable enough.
-			[RT #17436]
-
-2355.	[func]		Extend the number statistics counters available.
-			[RT #17590]
-
-2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
-			[RT #17927]
-
-2353.	[func]		Add support for Name Server ID (RFC 5001).
-			'dig +nsid' requests NSID from server.
-			'request-nsid yes;' causes recursive server to send
-			NSID requests to upstream servers.  Server responds
-			to NSID requests with the string configured by
-			'server-id' option.  [RT #17091]
-
-2352.	[bug]		Various GSS_API fixups. [RT #17729]
-
-2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]
-
-2350.	[port]		win32: IPv6 support. [RT #17797]
-
-2349.	[func]		Provide incremental re-signing support for secure
-			dynamic zones. [RT #1091]
-
-2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
-			Documentation is in the new README.pkcs11 file.
-			New tool, dnssec-keyfromlabel, which takes the
-			label of a key pair in a HSM and constructs a DNS
-			key pair for use by named and dnssec-signzone.
-			[RT #16844]
-
-2347.	[bug]		Delete now traverses the RB tree in the canonical
-			order. [RT #17451]
-
-2346.	[func]		Memory statistics now cover all active memory contexts
-			in increased detail. [RT #17580]
-
-2345.	[bug]		named-checkconf failed to detect when forwarders
-			were set at both the options/view level and in
-			a root zone. [RT #17671]
-
-2344.	[bug]		Improve "logging{ file ...; };" documentation.
-			[RT #17888]
-
-2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
-			created in ADB. [RT #17837]
-
-2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]
-
-2341.	[bug]		libbind: add missing -I../include for off source
-			tree builds. [RT #17606]
-
-2340.	[port]		openbsd: interface configuration. [RT #17700]
-
-2339.	[port]		tru64: support for libbind. [RT #17589]
-
-2338.	[bug]		check_ds() could be called with a non DS rdataset.
-			[RT #17598]
-
-2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
-
-2336.	[func]		If "named -6" is specified then listen on all IPv6
-			interfaces if there are not listen-on-v6 clauses in
-			named.conf.  [RT #17581]
-
-2335.	[port]		sunos:  libbind and *printf() support for long long.
-			[RT #17513]
-
-2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
-			bug in fromstruct_txt(). [RT #17609]
-
-2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
-			[RT #17608]
-
-2332.	[contrib]	query-loc-0.4.0. [RT #17602]
-
-2331.	[bug]		Failure to regenerate any signatures was not being
-			reported nor being past back to the UPDATE client.
-			[RT #17570]
-
-2330.	[bug]		Remove potential race condition when handling
-			over memory events. [RT #17572]
-
-			WARNING: API CHANGE: over memory callback
-			function now needs to call isc_mem_waterack().
-			See <isc/mem.h> for details.
-
-2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.
-
-2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
-			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
-			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
-			M.ROOT-SERVERS.NET.
-
-2327.	[bug]		It was possible to dereference a NULL pointer in
-			rbtdb.c.  Implement dead node processing in zones as
-			we do for caches. [RT #17312]
-
-2326.	[bug]		It was possible to trigger a INSIST in the acache
-			processing.
-
-2325.	[port]		Linux: use capset() function if available. [RT #17557]
-
-2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]
-
-2323.	[port]		tru64: namespace clash. [RT #17547]
-
-2322.	[port]		MacOS: work around the limitation of setrlimit()
-			for RLIMIT_NOFILE. [RT #17526]
-
-2321.	[placeholder]
-
-2320.	[func]		Make statistics counters thread-safe for platforms
-			that support certain atomic operations. [RT #17466]
-
-2319.	[bug]		Silence Coverity warnings in
-			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
-
-2318.	[port]		sunos fixes for libbind.  [RT #17514]
-
-2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]
-
-2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
-			[RT #17513]
-
-2315.	[bug]		Used incorrect address family for mapped IPv4
-			addresses in acl.c. [RT #17519]
-
-2314.	[bug]		Uninitialized memory use on error path in
-			bin/named/lwdnoop.c.  [RT #17476]
-
-2313.	[cleanup]	Silence Coverity warnings. Handle private stacks.
-			[RT #17447] [RT #17478]
-
-2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
-			[RT #17458]
-
-2311.	[bug]		IPv6 addresses could match IPv4 ACL entries and
-			vice versa. [RT #17462]
-
-2310.	[bug]		dig, host, nslookup: flush stdout before emitting
-			debug/fatal messages.  [RT #17501]
-
-2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
-			[RT #17455]
-
-2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
-			[RT #17495]
-
-2307.	[bug]		Remove infinite loop from lib/dns/sdb.c. [RT #17496]
-
-2306.	[bug]		Remove potential race from lib/dns/resolver.c.
-			[RT #17470]
-
-2305.	[security]	inet_network() buffer overflow. CVE-2008-0122.
-
-2304.	[bug]		Check returns from all dns_rdata_tostruct() calls.
-			[RT #17460]
-
-2303.	[bug]		Remove unnecessary code from bin/named/lwdgnba.c.
-			[RT #17471]
-
-2302.	[bug]		Fix memset() calls in lib/tests/t_api.c. [RT #17472]
-
-2301.	[bug]		Remove resource leak and fix error messages in
-			bin/tests/system/lwresd/lwtest.c. [RT #17474]
-
-2300.	[bug]		Fixed failure to close open file in
-			bin/tests/names/t_names.c. [RT #17473]
-
-2299.	[bug]		Remove unnecessary NULL check in
-			bin/nsupdate/nsupdate.c. [RT #17475]
-
-2298.	[bug]		isc_mutex_lock() failure not caught in
-			bin/tests/timers/t_timers.c. [RT #17468]
-
-2297.	[bug]		isc_entropy_createfilesource() failure not caught in
-			bin/tests/dst/t_dst.c. [RT #17467]
-
-2296.	[port]		Allow docbook stylesheet location to be specified to
-			configure. [RT #17457]
-
-2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
-			[RT #17459]
-
-2294.	[func]		Allow the experimental statistics channels to have
-			multiple connections and ACL.
-			Note: the stats-server and stats-server-v6 options
-			available in the previous beta releases are replaced
-			with the generic statistics-channels statement.
-
-2293.	[func]		Add ACL regression test. [RT #17375]
-
-2292.	[bug]		Log if the working directory is not writable.
-			[RT #17312]
-
-2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
-			failure to set PR_SET_DUMPABLE. [RT #17312]
-
-2290.	[bug]		Let AD in the query signal that the client wants AD
-			set in the response. [RT #17301]
-
-2289.	[func]		named-checkzone now reports the out-of-zone CNAME
-			found. [RT #17309]
-
-2288.	[port]		win32: mark service as running when we have finished
-			loading.  [RT #17441]
-
-2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]
-
-2286.	[func]		Allow a TCP connection to be used as a weak
-			authentication method for reverse zones.
-			New update-policy methods tcp-self and 6to4-self.
-			[RT #17378]
-
-2285.	[func]		Test framework for client memory context management.
-			[RT #17377]
-
-2284.	[bug]		Memory leak in UPDATE prerequisite processing.
-			[RT #17377]
-
-2283.	[bug]		TSIG keys were not attaching to the memory
-			context.  TSIG keys should use the rings
-			memory context rather than the clients memory
-			context. [RT #17377]
-
-2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]
-
-2281.	[bug]		Attempts to use undefined acls were not being logged.
-			[RT #17307]
-
-2280.	[func]		Allow the experimental http server to be reached
-			over IPv6 as well as IPv4. [RT #17332]
-
-2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
-			to protect applications from receiving spurious
-			SIGPIPE signals when using the resolver.
-
-2278.	[bug]		win32: handle the case where Windows returns no
-			search list or DNS suffix. [RT #17354]
-
-2277.	[bug]		Empty zone names were not correctly being caught at
-			in the post parse checks. [RT #17357]
-
-2276.	[bug]		Install <dst/gssapi.h>.  [RT# 17359]
-
-2275.	[func]		Add support to dig to perform IXFR queries over UDP.
-			[RT #17235]
-
-2274.	[func]		Log zone transfer statistics. [RT #17336]
-
-2273.	[bug]		Adjust log level to WARNING when saving inconsistent
-			stub/slave master and journal files. [RT# 17279]
-
-2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
-			[RT #17262]
-
-2271.	[bug]		Fix a memory leak in http server code [RT #17100]
-
-2270.	[bug]		dns_db_closeversion() version->writer could be reset
-			before it is tested. [RT #17290]
-
-2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]
-
-2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
-			list.
-
-	--- 9.5.0b1 released ---
-
-2267.	[bug]		Radix tree node_num value could be set incorrectly,
-			causing positive ACL matches to look like negative
-			ones.  [RT #17311]
-
-2266.	[bug]		client.c:get_clientmctx() returned the same mctx
-			once the pool of mctx's was filled. [RT #17218]
-
-2265.	[bug]		Test that the memory context's basic_table is non NULL
-			before freeing.  [RT #17265]
-
-2264.	[bug]		Server prefix length was being ignored. [RT #17308]
-
-2263.	[bug]		"named-checkconf -z" failed to set default value
-			for "check-integrity".  [RT #17306]
-
-2262.	[bug]		Error status from all but the last view could be
-			lost. [RT #17292]
-
-2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
-
-2260.	[bug]		Reported wrong clients-per-query when increasing the
-			value. [RT #17236]
-
-2259.	[placeholder]
-
-	--- 9.5.0a7 released ---
-
-2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
-			[RT #17241]
-
-2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
-			calling it. [RT #17222]
-
-2256.	[bug]		win32: Correctly register the installation location of
-			bindevt.dll. [RT #17159]
-
-2255.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42.
-
-2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
-			when reading timer->idle allowing it to see
-			intermediate values as timer->idle was reset by
-			isc_timer_touch(). [RT #17243]
-
-2253.	[func]		"max-cache-size" defaults to 32M.
-			"max-acache-size" defaults to 16M.
-
-2252.	[bug]		Fixed errors in sortlist code [RT #17216]
-
-2251.	[placeholder]
-
-2250.	[func]		New flag 'memstatistics' to state whether the
-			memory statistics file should be written or not.
-			Additionally named's -m option will cause the
-			statistics file to be written. [RT #17113]
-
-2249.	[bug]		Only set Authentic Data bit if client requested
-			DNSSEC, per RFC 3655 [RT #17175]
-
-2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
-
-2247.	[doc]		Sort doc/misc/options. [RT #17067]
-
-2246.	[bug]		Make the startup of test servers (ans.pl) more
-			robust. [RT #17147]
-
-2245.	[bug]		Validating lack of DS records at trust anchors wasn't
-			working. [RT #17151]
-
-2244.	[func]		Allow the check of nameserver names against the
-			SOA MNAME field to be disabled by specifying
-			'notify-to-soa yes;'.  [RT #17073]
-
-2243.	[func]		Configuration files without a newline at the end now
-			parse without error. [RT #17120]
-
-2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
-			library could require a source of random data.
-			[RT #17127]
-
-2241.	[func]		nsupdate: add a interactive 'help' command. [RT #17099]
-
-2240.	[bug]		Cleanup nsupdates GSS-TSIG support.  Convert
-			a number of INSIST()s into plain fatal() errors
-			which report the triggering result code.
-			The 'key' command wasn't disabling GSS-TSIG.
-			[RT #17099]
-
-2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
-
-2238.	[bug]		It was possible to trigger a REQUIRE when a
-			validation was canceled. [RT #17106]
-
-2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]
-
-2236.	[bug]		dnssec-signzone failed to preserve the case of
-			of wildcard owner names. [RT #17085]
-
-2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
-
-2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
-
-2233.	[func]		Add support for O(1) ACL processing, based on
-			radix tree code originally written by Kevin
-			Brintnall. [RT #16288]
-
-2232.	[bug]		dns_adb_findaddrinfo() could fail and return
-			ISC_R_SUCCESS. [RT #17137]
-
-2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
-			[RT #17088]
-
-2230.	[bug]		We could INSIST reading a corrupted journal.
-			[RT #17132]
-
-2229.	[bug]		Null pointer dereference on query pool creation
-			failure. [RT #17133]
-
-2228.	[contrib]	contrib: Change 2188 was incomplete.
-
-2227.	[cleanup]	Tidied up the FAQ. [RT #17121]
-
-2226.	[placeholder]
-
-2225.	[bug]		More support for systems with no IPv4 addresses.
-			[RT #17111]
-
-2224.	[bug]		Defer journal compaction if a xfrin is in progress.
-			[RT #17119]
-
-2223.	[bug]		Make a new journal when compacting. [RT #17119]
-
-2222.	[func]		named-checkconf now checks server key references.
-			[RT #17097]
-
-2221.	[bug]		Set the event result code to reflect the actual
-			record turned to caller when a cache update is
-			rejected due to a more credible answer existing.
-			[RT #17017]
-
-2220.	[bug]		win32: Address a race condition in final shutdown of
-			the Windows socket code. [RT #17028]
-
-2219.	[bug]		Apply zone consistency checks to additions, not
-			removals, when updating. [RT #17049]
-
-2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
-			[RT #16976]
-
-2217.	[func]		Adjust update log levels. [RT #17092]
-
-2216.	[cleanup]	Fix a number of errors reported by Coverity.
-			[RT #17094]
-
-2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
-
-2214.	[bug]		Deregister OpenSSL lock callback when cleaning
-			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
-			is called before the locks are destroyed. [RT #17098]
-
-2213.	[bug]		SIG0 diagnostic failure messages were looking at the
-			wrong status code. [RT #17101]
-
-2212.	[func]		'host -m' now causes memory statistics and active
-			memory to be printed at exit. [RT 17028]
-
-2211.	[func]		Update "dynamic update temporarily disabled" message.
-			[RT #17065]
-
-2210.	[bug]		Deleting class specific records via UPDATE could
-			fail.  [RT #17074]
-
-2209.	[port]		osx: linking against user supplied static OpenSSL
-			libraries failed as the system ones were still being
-			found. [RT #17078]
-
-2208.	[port]		win32: make sure both build methods produce the
-			same output. [RT #17058]
-
-2207.	[port]		Some implementations of getaddrinfo() fail to set
-			ai_canonname correctly. [RT #17061]
-
-	--- 9.5.0a6 released ---
-
-2206.	[security]	"allow-query-cache" and "allow-recursion" now
-			cross inherit from each other.
-
-			If allow-query-cache is not set in named.conf then
-			allow-recursion is used if set, otherwise allow-query
-			is used if set, otherwise the default (localnets;
-			localhost;) is used.
-
-			If allow-recursion is not set in named.conf then
-			allow-query-cache is used if set, otherwise allow-query
-			is used if set, otherwise the default (localnets;
-			localhost;) is used.
-
-			[RT #16987]
-
-2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
-
-2204.	[bug]		"rndc flushanme name unknown-view" caused named
-			to crash. [RT #16984]
-
-2203.	[security]	Query id generation was cryptographically weak.
-			[RT # 16915]
-
-2202.	[security]	The default acls for allow-query-cache and
-			allow-recursion were not being applied. [RT #16960]
-
-2201.	[bug]		The build failed in a separate object directory.
-			[RT #16943]
-
-2200.	[bug]		The search for cached NSEC records was stopping to
-			early leading to excessive DLV queries. [RT #16930]
-
-2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
-			[RT #16911]
-
-2198.	[bug]		win32: RegCloseKey() could be called when
-			RegOpenKeyEx() failed. [RT #16911]
-
-2197.	[bug]		Add INSIST to catch negative responses which are
-			not setting the event result code appropriately.
-			[RT #16909]
-
-2196.	[port]		win32: yield processor while waiting for once to
-			to complete. [RT #16958]
-
-2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
-			when generating DNSKEYs. [RT #16954]
-
-2194.	[bug]		Close journal before calling 'done' in xfrin.c.
-
-	--- 9.5.0a5 released ---
-
-2193.	[port]		win32: BINDInstall.exe is now linked statically.
-			[RT #16906]
-
-2192.	[port]		win32: use vcredist_x86.exe to install Visual
-			Studio's redistributable dlls if building with
-			Visual Stdio 2005 or later.
-
-2191.	[func]		named-checkzone now allows dumping to stdout (-).
-			named-checkconf now has -h for help.
-			named-checkzone now has -h for help.
-			rndc now has -h for help.
-			Better handling of '-?' for usage summaries.
-			[RT #16707]
-
-2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
-			more visible.  New logging category "edns-disabled".
-			[RT #16871]
-
-2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
-
-2188.	[contrib]	queryperf: autoconf changes to make the search for
-			libresolv or libbind more robust. [RT #16299]
-
-2187.	[bug]		query_addds(), query_addwildcardproof() and
-			query_addnxrrsetnsec() should take a version
-			argument. [RT #16368]
-
-2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
-			independently of IPv6. [RT #16482]
-
-2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
-			memchr(). [RT #16463]
-
-2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
-			[RT #16830]
-
-2183.	[bug]		dnssec-signzone didn't handle offline private keys
-			well.  [RT #16832]
-
-2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
-			could return ISC_R_SUCCESS when they ran out of
-			memory. [RT #16365]
-
-2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]
-
-2180.	[cleanup]	Remove bit test from 'compress_test' as they
-			are no longer needed. [RT #16497]
-
-2179.	[func]		'rndc command zone' will now find 'zone' if it is
-			unique to all the views. [RT #16821]
-
-2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
-			a reference leak. [RT #16867]
-
-2177.	[bug]		Array bounds overrun on read (rcodetext) at
-			debug level 10+. [RT #16798]
-
-2176.	[contrib]	dbus update to handle race condition during
-			initialization (Bugzilla 235809). [RT #16842]
-
-2175.	[bug]		win32: windows broadcast condition variable support
-			was broken. [RT #16592]
-
-2174.	[bug]		I/O errors should always be fatal when reading
-			master files. [RT #16825]
-
-2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
-			need to ship Microsoft.VC80.MFCLOC.
-
-	--- 9.5.0a4 released ---
-
-2172.	[bug]		query_addsoa() was being called with a non zone db.
-			[RT #16834]
-
-2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
-			servers are not DS aware (DS queries to the parent
-			return a referral to the child).
-
-2170.	[func]		Add acache processing to test suite. [RT #16711]
-
-2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
-			given name and not the last name searched for.
-			[RT #16763]
-
-2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
-			as fatal errors. [RT #16785]
-
-2167.	[bug]		When re-using a automatic zone named failed to
-			attach it to the new view. [RT #16786]
-
-	--- 9.5.0a3 released ---
-
-2166.	[bug]		When running in batch mode, dig could misinterpret
-			a server address as a name to be looked up, causing
-			unexpected output. [RT #16743]
-
-2165.	[func]		Allow the destination address of a query to determine
-			if we will answer the query or recurse.
-			allow-query-on, allow-recursion-on and
-			allow-query-cache-on. [RT #16291]
-
-2164.	[bug]		The code to determine how named-checkzone /
-			named-compilezone was called failed under windows.
-			[RT #16764]
-
-2163.	[bug]		If only one of query-source and query-source-v6
-			specified a port the query pools code broke (change
-			2129).  [RT #16768]
-
-2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
-			time. [RT #16665]
-
-2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
-			[RT #16698]
-
-2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
-			from getifaddrs(). [RT #16708]
-
-	--- 9.5.0a2 released ---
-
-2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]
-
-2158.	[bug]		ns_client_isself() failed to initialize key
-			leading to a REQUIRE failure. [RT #16688]
-
-2157.	[func]		dns_db_transfernode() created. [RT #16685]
-
-2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
-			resolver.c:validated() and resolver.c:cache_name().
-			Fix a memory leak in rbtdb.c:free_noqname().
-			Make lookup.c:lookup_find() robust against
-			event leaks. [RT #16685]
-
-2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
-			[RT #16694]
-
-2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
-			matched in acls by omitting the scope. [RT #16599]
-
-2153.	[bug]		nsupdate could leak memory. [RT #16691]
-
-2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
-			dighost.c:get_trusted_key(). [RT #16678]
-
-2151.	[bug]		Missing newline in usage message for journalprint.
-			[RT #16679]
-
-2150.	[bug]		'rrset-order cyclic' uniformly distribute the
-			starting point for the first response for a given
-			RRset. [RT #16655]
-
-2149.	[bug]		isc_mem_checkdestroyed() failed to abort on
-			if there were still active memory contexts.
-			[RT #16672]
-
-2148.	[func]		Add positive logging for rndc commands. [RT #14623]
-
-2147.	[bug]		libbind: remove potential buffer overflow from
-			hmac_link.c. [RT #16437]
-
-2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
-			SO_BSDCOMPAT" message. [RT #16641]
-
-2145.	[bug]		Check DS/DLV digest lengths for known digests.
-			[RT #16622]
-
-2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
-			[RT #16619]
-
-2143.	[bug]		We failed to restart the IPv6 client when the
-			kernel failed to return the destination the
-			packet was sent to. [RT #16613]
-
-2142.	[bug]		Handle master files with a modification time that
-			matches the epoch. [RT# 16612]
-
-2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
-			equivalent of LDH checks).  [RT #16609]
-
-2140.	[bug]		libbind: missing unlock on pthread_key_create()
-			failures. [RT #16654]
-
-2139.	[bug]		dns_view_find() was being called with wrong type
-			in adb.c. [RT #16670]
-
-2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
-
-2137.	[port]		Mips little endian and/or mips 64 bit are now
-			supported for atomic operations. [RT#16648]
-
-2136.	[bug]		nslookup/host looped if there was no search list
-			and the host didn't exist. [RT #16657]
-
-2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT# 16656]
-
-2134.	[func]		Additional statistics support. [RT #16666]
-
-2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
-			assembler syntaxes. [RT #16647]
-
-2132.	[bug]		Missing unlock on out of memory in
-			dns_dispatchmgr_setudp().
-
-2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
-
-2130.	[func]		Log if CD or DO were set. [RT #16640]
-
-2129.	[func]		Provide a pool of UDP sockets for queries to be
-			made over. See use-queryport-pool, queryport-pool-ports
-			and queryport-pool-updateinterval.  [RT #16415]
-
-2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
-
-2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
-
-2126.	[security]	Serialize validation of type ANY responses. [RT #16555]
-
-2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
-			was defined. [RT #16574]
-
-2124.	[security]	It was possible to dereference a freed fetch
-			context. [RT #16584]
-
-	--- 9.5.0a1 released ---
-
-2123.	[func]		Use Doxygen to generate internal documentation.
-			[RT #11398]
-
-2122.	[func]		Experimental http server and statistics support
-			for named via xml.
-
-2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
-			second timeout. [RT #16553]
-
-2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
-
-2119.	[compat]	libbind: allow res_init() to succeed enough to
-			return the default domain even if it was unable
-			to allocate memory.
-
-2118.	[bug]		Handle response with long chains of domain name
-			compression pointers which point to other compression
-			pointers. [RT #16427]
-
-2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
-			which could lead to validation failures.  named didn't
-			handle negative DS responses that were in the process
-			of being validated.  Check CNAME bit before accepting
-			NODATA proof. To be able to ignore a child NSEC there
-			must be SOA (and NS) set in the bitmap. [RT #16399]
-
-2116.	[bug]		'rndc reload' could cause the cache to continually
-			be cleaned. [RT #16401]
-
-2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
-			number of masters for a zone was reduced. [RT #16444]
-
-2114.	[bug]		dig/host/nslookup: searches for names with multiple
-			labels were failing. [RT #16447]
-
-2113.	[bug]		nsupdate: if a zone is specified it should be used
-			for server discover. [RT# 16455]
-
-2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
-
-2111.	[bug]		Fix a number of errors reported by Coverity.
-			[RT #16507]
-
-2110.	[bug]		"minimal-responses yes;" interacted badly with BIND 8
-			priming queries. [RT #16491]
-
-2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
-
-2108.	[func]		DHCID support. [RT #16456]
-
-2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
-
-2106.	[func]		'rndc status' now reports named's version. [RT #16426]
-
-2105.	[func]		GSS-TSIG support (RFC 3645).
-
-2104.	[port]		Fix Solaris SMF error message.
-
-2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
-			under Solaris.
-
-2102.	[port]		Silence Solaris 10 warnings.
-
-2101.	[bug]		OpenSSL version checks were not quite right.
-			[RT #16476]
-
-2100.	[port]		win32: copy libeay32.dll to Build\Debug.
-			Copy Debug\named-checkzone to Debug\named-compilezone.
-
-2099.	[port]		win32: more manifest issues.
-
-2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
-			triggered an INSIST failure about the node lock
-			reference.  [RT #16411]
-
-2097.	[bug]		named could reference a destroyed memory context
-			after being reloaded / reconfigured. [RT #16428]
-
-2096.	[bug]		libbind: handle applications that fail to detect
-			res_init() failures better.
-
-2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
-			net_cidr_ntop_ipv6(). [RT #16388]
-
-2094.	[contrib]	Update named-bootconf.  [RT# 16404]
-
-2093.	[bug]		named-checkzone -s was broken.
-
-2092.	[bug]		win32: dig, host, nslookup.  Use registry config
-			if resolv.conf does not exist or no nameservers
-			listed. [RT #15877]
-
-2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
-
-2090.	[port]		win32: Visual C++ 2005 command line manifest support.
-			[RT #16417]
-
-2089.	[security]	Raise the minimum safe OpenSSL versions to
-			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
-			prior to these have known security flaws which
-			are (potentially) exploitable in named. [RT #16391]
-
-2088.	[security]	Change the default RSA exponent from 3 to 65537.
-			[RT #16391]
-
-2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
-			[RT #16382]
-
-2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
-			[RT #16403]
-
-2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
-
-2084.	[contrib]	dbus update for 9.3.3rc2.
-
-2083.	[port]		win32: Visual C++ 2005 support.
-
-2082.	[doc]		Document 'cache-file' as a test only option.
-
-2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
-			[RT #16360]
-
-2080.	[port]		libbind: res_init.c did not compile on older versions
-			of Solaris. [RT #16363]
-
-2079.	[bug]		The lame cache was not handling multiple types
-			correctly. [RT #16361]
-
-2078.	[bug]		dnssec-checkzone output style "default" was badly
-			named.  It is now called "relative". [RT #16326]
-
-2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
-			complete signed zone. [RT #16326]
-
-2076.	[bug]		Several files were missing #include <config.h>
-			causing build failures on OSF. [RT #16341]
-
-2075.	[bug]		The spillat timer event hander could leak memory.
-			[RT #16357]
-
-2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
-			dns_request_createraw2() and dns_request_createraw3()
-			failed to send multiple UDP requests. [RT #16349]
-
-2073.	[bug]		Incorrect semantics check for update policy "wildcard".
-			[RT #16353]
-
-2072.	[bug]		We were not generating valid HMAC SHA digests.
-			[RT #16320]
-
-2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
-			[RT #16324]
-
-2070.	[bug]		The remote address was not always displayed when
-			reporting dispatch failures. [RT #16315]
-
-2069.	[bug]		Cross compiling was not working. [RT #16330]
-
-2068.	[cleanup]	Lower incremental tuning message to debug 1.
-			[RT #16319]
-
-2067.	[bug]		'rndc' could close the socket too early triggering
-			a INSIST under Windows. [RT #16317]
-
-2066.	[security]	Handle SIG queries gracefully. [RT #16300]
-
-2065.	[bug]		libbind: probe for HPUX prototypes for
-			endprotoent_r() and endservent_r().  [RT 16313]
-
-2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
-
-2063.	[bug]		Change #1955 introduced a bug which caused the first
-			'rndc flush' call to not free memory. [RT #16244]
-
-2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
-			been returned by the socket code. [RT #16307]
-
-2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]
-
-2060.	[bug]		Enabling DLZ support could leave views partially
-			configured. [RT #16295]
-
-2059.	[bug]		Search into cache rbtdb could trigger an INSIST
-			failure while cleaning up a stale rdataset.
-			[RT #16292]
-
-2058.	[bug]		Adjust how we calculate rtt estimates in the presence
-			of authoritative servers that drop EDNS and/or CD
-			requests.  Also fallback to EDNS/512 and plain DNS
-			faster for zones with less than 3 servers.  [RT #16187]
-
-2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
-			and allow-recursion. [RT #16290]
-
-2056.	[bug]		dig: ixfr= was not being treated case insensitively
-			at all times. [RT #15955]
-
-2055.	[bug]		Missing goto after dropping multicast query.
-			[RT #15944]
-
-2054.	[port]		freebsd: do not explicitly link against -lpthread.
-			[RT #16170]
-
-2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
-
-2052.	[bug]		'rndc' improve connect failed message to report
-			the failing address. [RT #15978]
-
-2051.	[port]		More strtol() fixes. [RT #16249]
-
-2050.	[bug]		Parsing of NSAP records was not case insensitive.
-			[RT #16287]
-
-2049.	[bug]		Restore SOA before AXFR when falling back from
-			a attempted IXFR when transferring in a zone.
-			Allow a initial SOA query before attempting
-			a AXFR to be requested. [RT #16156]
-
-2048.	[bug]		It was possible to loop forever when using
-			avoid-v4-udp-ports / avoid-v6-udp-ports when
-			the OS always returned the same local port.
-			[RT #16182]
-
-2047.	[bug]		Failed to initialize the interface flags to zero.
-			[RT #16245]
-
-2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
-			cleanup [RT #16247].
-
-2045.	[func]		Use lock buckets for acache entries to limit memory
-			consumption. [RT #16183]
-
-2044.	[port]		Add support for atomic operations for Itanium.
-			[RT #16179]
-
-2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
-			for interactive sessions. [RT#16148]
-
-2042.	[bug]		named-checkconf was incorrectly rejecting the
-			logging category "config". [RT #16117]
-
-2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
-			set of libraries to be linked. [RT #16129]
-
-2040.	[bug]		rbtdb no_references() could trigger an INSIST
-			failure with --enable-atomic.  [RT #16022]
-
-2039.	[func]		Check that all buffers passed to the socket code
-			have been retrieved when the socket event is freed.
-			[RT #16122]
-
-2038.	[bug]		dig/nslookup/host was unlinking from wrong list
-			when handling errors. [RT #16122]
-
-2037.	[func]		When unlinking the first or last element in a list
-			check that the list head points to the element to
-			be unlinked. [RT #15959]
-
-2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
-			[RT #16075]
-
-2035.	[func]		Make falling back to TCP on UDP refresh failure
-			optional. Default "try-tcp-refresh yes;" for BIND 8
-			compatibility. [RT #16123]
-
-2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
-
-2033.	[bug]		We weren't creating multiple client memory contexts
-			on demand as expected. [RT #16095]
-
-2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]
-
-2031.	[bug]		Emit a error message when "rndc refresh" is called on
-			a non slave/stub zone. [RT # 16073]
-
-2030.	[bug]		We were being overly conservative when disabling
-			openssl engine support. [RT #16030]
-
-2029.	[bug]		host printed out the server multiple times when
-			specified on the command line. [RT #15992]
-
-2028.	[port]		linux: socket.c compatibility for old systems.
-			[RT #16015]
-
-2027.	[port]		libbind: Solaris x86 support. [RT #16020]
-
-2026.	[bug]		Rate limit the two recursive client exceeded messages.
-			[RT #16044]
-
-2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
-
-2024.	[bug]		named emitted spurious "zone serial unchanged"
-			messages on reload. [RT #16027]
-
-2023.	[bug]		"make install" should create ${localstatedir}/run and
-			${sysconfdir} if they do not exist. [RT #16033]
-
-2022.	[bug]		If dnssec validation is disabled only assert CD if
-			CD was requested. [RT #16037]
-
-2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
-
-2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
-
-2019.	[tuning]	Reduce the amount of work performed per quantum
-			when cleaning the cache. [RT #15986]
-
-2018.	[bug]		Checking if the HMAC MD5 private file was broken.
-			[RT #15960]
-
-2017.	[bug]		allow-query default was not correct. [RT #15946]
-
-2016.	[bug]		Return a partial answer if recursion is not
-			allowed but requested and we had the answer
-			to the original qname. [RT #15945]
-
-2015.	[cleanup]	use-additional-cache is now acache-enable for
-			consistency.  Default acache-enable off in BIND 9.4
-			as it requires memory usage to be configured.
-			It may be enabled by default in BIND 9.5 once we
-			have more experience with it.
-
-2014.	[func]		Statistics about acache now recorded and sent
-			to log. [RT #15976]
-
-2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
-			responses more gracefully. [RT #15941]
-
-2012.	[func]		Don't insert new acache entries if acache is full.
-			[RT #15970]
-
-2011.	[func]		dnssec-signzone can now update the SOA record of
-			the signed zone, either as an increment or as the
-			system time(). [RT #15633]
-
-2010.	[placeholder]	rt15958
-
-2009.	[bug]		libbind: Coverity fixes. [RT #15808]
-
-2008.	[func]		It is now possible to enable/disable DNSSEC
-			validation from rndc.  This is useful for the
-			mobile hosts where the current connection point
-			breaks DNSSEC (firewall/proxy).  [RT #15592]
-
-				rndc validation newstate [view]
-
-2007.	[func]		It is now possible to explicitly enable DNSSEC
-			validation.  default dnssec-validation no; to
-			be changed to yes in 9.5.0.  [RT #15674]
-
-2006.	[security]	Allow-query-cache and allow-recursion now default
-			to the built in acls "localnets" and "localhost".
-
-			This is being done to make caching servers less
-			attractive as reflective amplifying targets for
-			spoofed traffic.  This still leave authoritative
-			servers exposed.
-
-			The best fix is for full BCP 38 deployment to
-			remove spoofed traffic.
-
-2005.	[bug]		libbind: Retransmission timeouts should be
-			based on which attempt it is to the nameserver
-			and not the nameserver itself. [RT #13548]
-
-2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
-			dst_context_destroy() when cleaning up after a
-			error. [RT #15835]
-
-2003.	[bug]		libbind: The DNS name/address lookup functions could
-			occasionally follow a random pointer due to
-			structures not being completely zeroed. [RT #15806]
-
-2002.	[bug]		libbind: tighten the constraints on when
-			struct addrinfo._ai_pad exists.  [RT #15783]
-
-2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
-			New zone option "update-check-ksk yes;".  [RT #15817]
-
-2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
-
-1999.	[func]		Implement "rrset-order fixed". [RT #13662]
-
-1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
-			This allows named to connect to entropy gathering
-			daemons that use fifos instead of sockets. [RT #15840]
-
-1997.	[bug]		Named was failing to replace negative cache entries
-			when a positive one for the type was learnt.
-			[RT #15818]
-
-1996.	[bug]		nsupdate: if a zone has been specified it should
-			appear in the output of 'show'. [RT #15797]
-
-1995.	[bug]		'host' was reporting multiple "is an alias" messages.
-			[RT #15702]
-
-1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
-
-1993.	[bug]		Log messages, via syslog, were missing the space
-			after the timestamp if "print-time yes" was specified.
-			[RT #15844]
-
-1992.	[bug]		Not all incoming zone transfer messages included the
-			view.  [RT #15825]
-
-1991.	[cleanup]	The configuration data, once read, should be treated
-			as read only.  Expand the use of const to enforce this
-			at compile time. [RT #15813]
-
-1990.	[bug]		libbind:  isc's override of broken gettimeofday()
-			implementations was not always effective.
-			[RT #15709]
-
-1989.	[bug]		win32: don't check the service password when
-			re-installing. [RT #15882]
-
-1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
-			[RT #15878]
-
-1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
-
-1986.	[func]		Report when a zone is removed. [RT #15849]
-
-1985.	[protocol]	DLV has now been assigned a official type code of
-			32769. [RT #15807]
-
-			Note: care should be taken to ensure you upgrade
-			both named and dnssec-signzone at the same time for
-			zones with DLV records where named is the master
-			server for the zone.  Also any zones that contain
-			DLV records should be removed when upgrading a slave
-			zone.  You do not however have to upgrade all
-			servers for a zone with DLV records simultaneously.
-
-1984.	[func]		dig, nslookup and host now advertise a 4096 byte
-			EDNS UDP buffer size by default. [RT #15855]
-
-1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
-			[RT #12895]
-
-1982.	[bug]		DNSKEY was being accepted on the parent side of
-			a delegation.  KEY is still accepted there for
-			RFC 3007 validated updates. [RT #15620]
-
-1981.	[bug]		win32: condition.c:wait() could fail to reattain
-			the mutex lock.
-
-1980.	[func]		dnssec-signzone: output the SOA record as the
-			first record in the signed zone. [RT #15758]
-
-1979.	[port]		linux: allow named to drop core after changing
-			user ids. [RT #15753]
-
-1978.	[port]		Handle systems which have a broken recvmsg().
-			[RT #15742]
-
-1977.	[bug]		Silence noisy log message. [RT #15704]
-
-1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
-
-1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
-			hex strings with comments. [RT #15814]
-
-1974.	[doc]		List each of the zone types and associated zone
-			options separately in the ARM.
-
-1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
-			HMACSHA512 support. [RT #13606]
-
-1972.	[contrib]	DBUS dynamic forwarders integration from
-			Jason Vas Dias <jvdias@redhat.com>.
-
-1971.	[port]		linux: make detection of missing IF_NAMESIZE more
-			robust. [RT #15443]
-
-1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
-			unsigned SOA query. [RT #15775]
-
-1969.	[bug]		win32: the socket code was freeing the socket
-			structure too early. [RT #15776]
-
-1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]
-
-1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]
-
-1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
-			[RT #15727]
-
-1965.	[func]		Suppress spurious "recursion requested but not
-			available" warning with 'dig +qr'. [RT #15780].
-
-1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]
-
-1963.	[port]		Tru64 4.0E doesn't support send() and recv().
-			[RT #15586]
-
-1962.	[bug]		Named failed to clear old update-policy when it
-			was removed. [RT #15491]
-
-1961.	[bug]		Check the port and address of responses forwarded
-			to dispatch. [RT #15474]
-
-1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
-			[RT #15465]
-
-1959.	[func]		Control the zeroing of the negative response TTL to
-			a soa query.  Defaults "zero-no-soa-ttl yes;" and
-			"zero-no-soa-ttl-cache no;". [RT #15460]
-
-1958.	[bug]		Named failed to update the zone's secure state
-			until the zone was reloaded. [RT #15412]
-
-1957.	[bug]		Dig mishandled responses to class ANY queries.
-			[RT #15402]
-
-1956.	[bug]		Improve cross compile support, 'gen' is now built
-			by native compiler.  See README for additional
-			cross compile support information. [RT #15148]
-
-1955.	[bug]		Pre-allocate the cache cleaning iterator. [RT #14998]
-
-1954.	[func]		Named now falls back to advertising EDNS with a
-			512 byte receive buffer if the initial EDNS queries
-			fail.  [RT #14852]
-
-1953.	[func]		The maximum EDNS UDP response named will send can
-			now be set in named.conf (max-udp-size).  This is
-			independent of the advertised receive buffer
-			(edns-udp-size). [RT #14852]
-
-1952.	[port]		hpux: tell the linker to build a runtime link
-			path "-Wl,+b:". [RT #14816].
-
-1951.	[security]	Drop queries from particular well known ports.
-			Don't return FORMERR to queries from particular
-			well known ports.  [RT #15636]
-
-1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
-			a TCP socket. This prevents the source address being
-			set for TCP connections. [RT #15628]
-
-1949.	[func]		Addition memory leakage checks. [RT #15544]
-
-1948.	[bug]		If was possible to trigger a REQUIRE failure in
-			xfrin.c:maybe_free() if named ran out of memory.
-			[RT #15568]
-
-1947.	[func]		It is now possible to configure named to accept
-			expired RRSIGs.  Default "dnssec-accept-expired no;".
-			Setting "dnssec-accept-expired yes;" leaves named
-			vulnerable to replay attacks.  [RT #14685]
-
-1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
-			when using forwarders. [RT #15549]
-
-1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
-			To generate a RSAMD5 key you must explicitly request
-			RSAMD5. [RT #13780]
-
-1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
-			[RT #15522]
-
-1943.	[bug]		Set the loadtime after rolling forward the journal.
-			[RT #15647]
-
-1942.	[bug]		If the name of a DNSKEY match that of one in
-			trusted-keys do not attempt to validate the DNSKEY
-			using the parents DS RRset. [RT #15649]
-
-1941.	[bug]		ncache_adderesult() should set eresult even if no
-			rdataset is passed to it. [RT #15642]
-
-1940.	[bug]		Fixed a number of error conditions reported by
-			Coverity.
-
-1939.	[bug]		The resolver could dereference a null pointer after
-			validation if all the queries have timed out.
-			[RT #15528]
-
-1938.	[bug]		The validator was not correctly handling unsecure
-			negative responses at or below a SEP. [RT #15528]
-
-1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]
-
-1936.	[bug]		The validator could leak memory. [RT #15544]
-
-1935.	[bug]		'acache' was DO sensitive. [RT #15430]
-
-1934.	[func]		Validate pending NS RRsets, in the authority section,
-			prior to returning them if it can be done without
-			requiring DNSKEYs to be fetched.  [RT #15430]
-
-1933.	[bug]		dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
-
-1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]
-
-1931.	[bug]		Per-client mctx could require a huge amount of memory,
-			particularly for a busy caching server. [RT #15519]
-
-1930.	[port]		HPUX: ia64 support. [RT #15473]
-
-1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
-
-1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]
-
-1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
-			lock order rule and could cause a dead lock.
-			[RT# 15518]
-
-1926.	[bug]		The Windows installer did not check for empty
-			passwords.  BINDinstall was being installed in
-			the wrong place. [RT #15483]
-
-1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
-			defaults. [RT #15469]
-
-1924.	[port]		libbind: hpux ia64 support. [RT #15473]
-
-1923.	[bug]		ns_client_detach() called too early. [RT #15499]
-
-1922.	[bug]		check-tool.c:setup_logging() missing call to
-			dns_log_setcontext().
-
-1921.	[bug]		Client memory contexts were not using internal
-			malloc. [RT# 15434]
-
-1920.	[bug]		The cache rbtdb lock array was too small to
-			have the desired performance characteristics.
-			[RT #15454]
-
-1919.	[contrib]	queryperf: a set of new features: collecting/printing
-			response delays, printing intermediate results, and
-			adjusting query rate for the "target" qps.
-
-1918.	[bug]		Memory leak when checking acls. [RT #15391]
-
-1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
-			when generating man pages. [RT #15385]
-
-1916.	[func]		Integrate contributed IDN code from JPNIC. [RT #15383]
-
-1915.	[bug]		dig +ndots was broken. [RT #15215]
-
-1914.	[protocol]	DS is required to accept mnemonic algorithms
-			(RFC 4034).  Still emit numeric algorithms for
-			compatibility with RFC 3658. [RT #15354]
-
-1913.	[func]		Integrate contributed DLZ code into named. [RT #11382]
-
-1912.	[port]		aix: atomic locking for powerpc. [RT #15020]
-
-1911.	[bug]		Update windows socket code. [RT #14965]
-
-1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]
-
-1909.	[bug]		The DLV code has been re-worked to make no longer
-			query order sensitive. [RT #14933]
-
-1908.	[func]		dig now warns if 'RA' is not set in the answer when
-			'RD' was set in the query.  host/nslookup skip servers
-			that fail to set 'RA' when 'RD' is set unless a server
-			is explicitly set.  [RT #15005]
-
-1907.	[func]		host/nslookup now continue (default)/fail on SERVFAIL.
-			[RT #15006]
-
-1906.	[func]		dig now has a '-q queryname' and '+showsearch' options.
-			[RT #15034]
-
-1905.	[bug]		Strings returned from cfg_obj_asstring() should be
-			treated as read-only.  The prototype for
-			cfg_obj_asstring() has been updated to reflect this.
-			[RT #15256]
-
-1904.	[func]		Automatic empty zone creation for D.F.IP6.ARPA and
-			friends.  Note: RFC 1918 zones are not yet covered by
-			this but are likely to be in a future release.
-
-			New options: empty-server, empty-contact,
-			empty-zones-enable and disable-empty-zone.
-
-1903.	[func]		ISC string copy API.
-
-1902.	[func]		Attempt to make the amount of work performed in a
-			iteration self tuning.  The covers nodes clean from
-			the cache per iteration, nodes written to disk when
-			rewriting a master file and nodes destroyed per
-			iteration when destroying a zone or a cache.
-			[RT #14996]
-
-1901.	[cleanup]	Don't add DNSKEY records to the additional section.
-
-1900.	[bug]		ixfr-from-differences failed to ensure that the
-			serial number increased. [RT #15036]
-
-1899.	[func]		named-checkconf now validates update-policy entries.
-			[RT #14963]
-
-1898.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
-			ISC_NETADDR_FORMATSIZE to allow for scope details.
-
-1897.	[func]		x86 and x86_64 now have separate atomic locking
-			implementations.
-
-1896.	[bug]		Recursive clients soft quota support wasn't working
-			as expected. [RT #15103]
-
-1895.	[bug]		A escaped character is, potentially, converted to
-			the output character set too early. [RT #14666]
-
-1894.	[doc]		Review ARM for BIND 9.4.
-
-1893.	[port]		Use uintptr_t if available. [RT #14606]
-
-1892.	[func]		Support for SPF rdata type. [RT #15033]
-
-1891.	[port]		freebsd: pthread_mutex_init can fail if it runs out
-			of memory. [RT #14995]
-
-1890.	[func]		Raise the UDP receive buffer size to 32k if it is
-			less than 32k. [RT #14953]
-
-1889.	[port]		sunos: non blocking i/o support. [RT #14951]
-
-1888.	[func]		Support for IPSECKEY rdata type. [RT #14967]
-
-1887.	[bug]		The cache could delete expired records too fast for
-			clients with a virtual time in the past. [RT #14991]
-
-1886.	[bug]		fctx_create() could return success even though it
-			failed. [RT #14993]
-
-1885.	[func]		dig: report the number of extra bytes still left in
-			the packet after processing all the records.
-
-1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.
-
-1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
-			levels. [RT #14962]
-
-1882.	[func]		Limit the number of recursive clients that can be
-			waiting for a single query (<qname,qtype,qclass>) to
-			resolve.  New options clients-per-query and
-			max-clients-per-query.
-
-1881.	[func]		Add a system test for named-checkconf. [RT #14931]
-
-1880.	[func]		The lame cache is now done on a <qname,qclass,qtype>
-			basis as some servers only appear to be lame for
-			certain query types.  [RT #14916]
-
-1879.	[func]		"USE INTERNAL MALLOC" is now runtime selectable.
-			[RT #14892]
-
-1878.	[func]		Detect duplicates of UDP queries we are recursing on
-			and drop them.  New stats category "duplicate".
-			[RT #2471]
-
-1877.	[bug]		Fix unreasonably low quantum on call to
-			dns_rbt_destroy2().  Remove unnecessary unhash_node()
-			call. [RT #14919]
-
-1876.	[func]		Additional memory debugging support to track size
-			and mctx arguments. [RT #14814]
-
-1875.	[bug]		process_dhtkey() was using the wrong memory context
-			to free some memory. [RT #14890]
-
-1874.	[port]		sunos: portability fixes. [RT #14814]
-
-1873.	[port]		win32: isc__errno2result() now reports its caller.
-			[RT #13753]
-
-1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
-
-1871.	[placeholder]
-
-1870.	[func]		Added framework for handling multiple EDNS versions.
-			[RT #14873]
-
-1869.	[func]		dig can now specify the EDNS version when making
-			a query. [RT #14873]
-
-1868.	[func]		edns-udp-size can now be overridden on a per
-			server basis. [RT #14851]
-
-1867.	[bug]		It was possible to trigger a INSIST in
-			dlv_validatezonekey(). [RT #14846]
-
-1866.	[bug]		resolv.conf parse errors were being ignored by
-			dig/host/nslookup. [RT #14841]
-
-1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
-			bad addresses. [RT #14841]
-
-1864.	[bug]		Don't try the alternative transfer source if you
-			got a answer / transfer with the main source
-			address. [RT #14802]
-
-1863.	[bug]		rrset-order "fixed" error messages not complete.
-
-1862.	[func]		Add additional zone data constancy checks.
-			named-checkzone has extended checking of NS, MX and
-			SRV record and the hosts they reference.
-			named has extended post zone load checks.
-			New zone options: check-mx and integrity-check.
-			[RT #4940]
-
-1861.	[bug]		dig could trigger a INSIST on certain malformed
-			responses. [RT #14801]
-
-1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
-			incorrectly set. [RT #14775]
-
-1859.	[func]		Add support for CH A record. [RT #14695]
-
-1858.	[bug]		The flush-zones-on-shutdown option wasn't being
-			parsed. [RT #14686]
-
-1857.	[bug]		named could trigger a INSIST() if reconfigured /
-			reloaded too fast.  [RT #14673]
-
-1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
-			[RT #11398]
-
-1855.	[bug]		ixfr-from-differences was failing to detect changes
-			of ttl due to dns_diff_subtract() was ignoring the ttl
-			of records.  [RT #14616]
-
-1854.	[bug]		lwres also needs to know the print format for
-			(long long).  [RT #13754]
-
-1853.	[bug]		Rework how DLV interacts with proveunsecure().
-			[RT #13605]
-
-1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
-			dnssec-makekeyset (removed from Makefile years ago).
-
-1851.	[doc]		Doxygen comment markup. [RT #11398]
-
-1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]
-
-1849.	[doc]		All forms of the man pages (docbook, man, html) should
-			have consistent copyright dates.
-
-1848.	[bug]		Improve SMF integration. [RT #13238]
-
-1847.	[bug]		isc_ondestroy_init() is called too late in
-			dns_rbtdb_create()/dns_rbtdb64_create().
-			[RT #13661]
-
-1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
-			<bortzmeyer@nic.fr>.
-
-1845.	[bug]		Improve error reporting to distinguish between
-			accept()/fcntl() and socket()/fcntl() errors.
-			[RT #13745]
-
-1844.	[bug]		inet_pton() accepted more that 4 hexadecimal digits
-			for each 16 bit piece of the IPv6 address.  The text
-			representation of a IPv6 address has been tightened
-			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
-			[RT #5662]
-
-1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
-			when CFLAGS contains "-I /usr/local/include"
-			resulting in old header files being used.
-
-1842.	[port]		cmsg_len() could produce incorrect results on
-			some platform. [RT #13744]
-
-1841.	[bug]		"dig +nssearch" now makes a recursive query to
-			find the list of nameservers to query. [RT #13694]
-
-1840.	[func]		dnssec-signzone can now randomize signature end times
-			(dnssec-signzone -j jitter). [RT #13609]
-
-1839.	[bug]		<isc/hash.h> was not being installed.
-
-1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
-			[RT #13707]
-
-1837.	[bug]		Compile time option ISC_FACILITY was not effective
-			for 'named -u <user>'.  [RT #13714]
-
-1836.	[cleanup]	Silence compiler warnings in hash_test.c.
-
-1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]
-
-1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]
-
-1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]
-
-1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
-			[RT #13620]
-
-1831.	[doc]		Update named-checkzone documentation. [RT#13604]
-
-1830.	[bug]		adb lame cache has sence of test reversed. [RT #13600]
-
-1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]
-
-1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
-			encountered a error. [RT #13549]
-
-1827.	[bug]		host: update usage message for '-a'. [RT #37116]
-
-1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
-			of memory error. [RT #13537]
-
-1825.	[bug]		Missing UNLOCK() on out of memory error from in
-			rbtdb.c:subtractrdataset(). [RT #13519]
-
-1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
-			[RT #13510]
-
-1823.	[bug]		Wrong macro used to check for point to point interface.
-			[RT#13418]
-
-1822.	[bug]		check-names test for RT was reversed. [RT #13382]
-
-1821.	[placeholder]
-
-1820.	[bug]		Gracefully handle acl loops. [RT #13659]
-
-1819.	[bug]		The validator needed to check both the algorithm and
-			digest types of the DS to determine if it could be
-			used to introduce a secure zone. [RT #13593]
-
-1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]
-
-1817.	[func]		Add support for additional zone file formats for
-			improving loading performance.  The masterfile-format
-			option in named.conf can be used to specify a
-			non-default format.  A separate command
-			named-compilezone was provided to generate zone files
-			in the new format.  Additionally, the -I and -O options
-			for dnssec-signzone specify the input and output
-			formats.
-
-1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
-			[RT #13597]
-
-1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
-			without also setting the zone and it encountered
-			a CNAME and was using TSIG.  [RT #13086]
-
-1814.	[func]		UNIX domain controls are now supported.
-
-1813.	[func]		Restructured the data locking framework using
-			architecture dependent atomic operations (when
-			available), improving response performance on
-			multi-processor machines significantly.
-			x86, x86_64, alpha, powerpc, and mips are currently
-			supported.
-
-1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
-			[RT #13453]
-
-1811.	[func]		Preserve the case of domain names in rdata during
-			zone transfers. [RT #13547]
-
-1810.	[bug]		configure, lib/bind/configure make different default
-			decisions about whether to do a threaded build.
-			[RT #13212]
-
-1809.	[bug]		"make distclean" failed for libbind if the platform
-			is not supported.
-
-1808.	[bug]		zone.c:notify_zone() contained a race condition,
-			zone->db could change underneath it.  [RT #13511]
-
-1807.	[bug]		When forwarding (forward only) set the active domain
-			from the forward zone name. [RT #13526]
-
-1806.	[bug]		The resolver returned the wrong result when a CNAME /
-			DNAME was encountered when fetching glue from a
-			secure namespace. [RT #13501]
-
-1805.	[bug]		Pending status was not being cleared when DLV was
-			active. [RT #13501]
-
-1804.	[bug]		Ensure that if we are queried for glue that it fits
-			in the additional section or TC is set to tell the
-			client to retry using TCP. [RT #10114]
-
-1803.	[bug]		dnssec-signzone sometimes failed to remove old
-			RRSIGs. [RT #13483]
-
-1802.	[bug]		Handle connection resets better. [RT #11280]
-
-1801.	[func]		Report differences between hints and real NS rrset
-			and associated address records.
-
-1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
-			[RT #13428]
-
-1799.	[bug]		'rndc flushname' failed to flush negative cache
-			entries. [RT #13438]
-
-1798.	[func]		The server syntax has been extended to support a
-			range of servers.  [RT #11132]
-
-1797.	[func]		named-checkconf now check acls to verify that they
-			only refer to existing acls. [RT #13101]
-
-1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
-
-1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
-			formating issues with "rndc dumpdb -all".  [RT #13396]
-
-1794.	[func]		Named and named-checkzone can now both check for
-			non-terminal wildcard records.
-
-1793.	[func]		Extend adjusting TTL warning messages. [RT #13378]
-
-1792.	[func]		New zone option "notify-delay".  Specify a minimum
-			delay between sets of NOTIFY messages.
-
-1791.	[bug]		'host -t a' still printed out AAAA and MX records.
-			[RT #13230]
-
-1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
-			allow parallel make to succeed.
-
-1789.	[bug]		Prerequisite test for tkey and dnssec could fail
-			with "configure --with-libtool".
-
-1788.	[bug]		libbind9.la/libbind9.so needs to link against
-			libisccfg.la/libisccfg.so.
-
-1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
-
-1786.	[port]		AIX: libt_api needs to be taught to look for
-			T_testlist in the main executable (--with-libtool).
-			[RT #13239]
-
-1785.	[bug]		libbind9.la/libbind9.so needs to link against
-			libisc.la/libisc.so.
-
-1784.	[cleanup]	"libtool -allow-undefined" is the default.
-			Leave hooks in configure to allow it to be set
-			if needed in the future.
-
-1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
-			source tree.
-
-1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
-			__evOptMonoTime.  [RT #13219]
-
-1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
-
-1780.	[bug]		Update libtool to 1.5.10.
-
-1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
-
-1778.	[port]		HUX 11.11: fix broken IN6ADDR_ANY_INIT and
-			IN6ADDR_LOOPBACK_INIT macros.
-
-1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
-			IN6ADDR_LOOPBACK_INIT macros.
-
-1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
-			IN6ADDR_LOOPBACK_INIT macros.
-
-1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
-
-1774.	[port]		Aix: Silence compiler warnings / build failures.
-			[RT #13154]
-
-1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]
-
-1772.	[placeholder]
-
-1771.	[placeholder]
-
-1770.	[bug]		named-checkconf failed to report missing a missing
-			file clause for rbt{64} master/hint zones. [RT#13009]
-
-1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
-			/MT ==> /MD.
-
-1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
-			rdataset. [RT #12907]
-
-1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
-			support for (struct in6_pktinfo) failed.  [RT #13077]
-
-1766.	[bug]		Update the master file timestamp on successful refresh
-			as well as the journal's timestamp. [RT# 13062]
-
-1765.	[bug]		configure --with-openssl=auto failed. [RT #12937]
-
-1764.	[bug]		dns_zone_replacedb failed to emit a error message
-			if there was no SOA record in the replacement db.
-			[RT #13016]
-
-1763.	[func]		Perform sanity checks on NS records which refer to
-			'in zone' names. [RT #13002]
-
-1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
-			even when it failed. [RT #12995]
-
-1761.	[bug]		'rndc dumpdb' didn't report unassociated entries.
-			[RT #12971]
-
-1760.	[bug]		Host / net unreachable was not penalising rtt
-			estimates. [RT #12970]
-
-1759.	[bug]		Named failed to startup if the OS supported IPv6
-			but had no IPv6 interfaces configured. [RT #12942]
-
-1758.	[func]		Don't send notify messages to self. [RT #12933]
-
-1757.	[func]		host now can turn on memory debugging flags with '-m'.
-
-1756.	[func]		named-checkconf now checks the logging configuration.
-			[RT #12352]
-
-1755.	[func]		allow-update is now settable at the options / view
-			level. [RT #6636]
-
-1754.	[bug]		We weren't always attempting to query the parent
-			server for the DS records at the zone cut.
-			[RT #12774]
-
-1753.	[bug]		Don't serve a slave zone which has no NS records.
-			[RT #12894]
-
-1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
-			as some fork() implementations unblock the signals
-			that are blocked by isc_app_start(). [RT #12810]
-
-1751.	[bug]		--enable-getifaddrs failed under linux. [RT #12867]
-
-1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
-			[RT #12864]
-
-1749.	[bug]		'check-names response ignore;' failed to ignore.
-			[RT #12866]
-
-1748.	[func]		dig now returns the byte count for axfr/ixfr.
-
-1747.	[bug]		BIND 8 compatibility: named/named-checkconf failed
-			to parse "host-statistics-max" in named.conf.
-
-1746.	[func]		Make public the function to read a key file,
-			dst_key_read_public(). [RT #12450]
-
-1745.	[bug]		Dig/host/nslookup accept replies from link locals
-			regardless of scope if no scope was specified when
-			query was sent. [RT #12745]
-
-1744.	[bug]		If tuple2msgname() failed to convert a tuple to
-			a name a REQUIRE could be triggered. [RT #12796]
-
-1743.	[bug]		If isc_taskmgr_create() was not able to create the
-			requested number of worker threads then destruction
-			of the manager would trigger an INSIST() failure.
-			[RT #12790]
-
-1742.	[bug]		Deleting all records at a node then adding a
-			previously existing record, in a single UPDATE
-			transaction, failed to leave / regenerate the
-			associated RRSIG records. [RT #12788]
-
-1741.	[bug]		Deleting all records at a node in a secure zone
-			using a update-policy grant failed. [RT #12787]
-
-1740.	[bug]		Replace rbt's hash algorithm as it performed badly
-			with certain zones. [RT #12729]
-
-			NOTE: a hash context now needs to be established
-			via isc_hash_create() if the application was not
-			already doing this.
-
-1739.	[bug]		dns_rbt_deletetree() could incorrectly return
-			ISC_R_QUOTA.  [RT #12695]
-
-1738.	[bug]		Enable overrun checking by default. [RT #12695]
-
-1737.	[bug]		named failed if more than 16 masters were specified.
-			[RT #12627]
-
-1736.	[bug]		dst_key_fromnamedfile() could fail to read a
-			public key. [RT #12687]
-
-1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
-			[RE #12688]
-
-1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
-			[RT #12588]
-
-1733.	[bug]		Return non-zero exit status on initial load failure.
-			[RT #12658]
-
-1732.	[bug]		'rrset-order name "*"' wasn't being applied to ".".
-			[RT #12467]
-
-1731.	[port]		darwin: relax version test in ifconfig.sh.
-			[RT #12581]
-
-1730.	[port]		Determine the length type used by the socket API.
-			[RT #12581]
-
-1729.	[func]		Improve check-names error messages.
-
-1728.	[doc]		Update check-names documentation.
-
-1727.	[bug]		named-checkzone: check-names support didn't match
-			documentation.
-
-1726.	[port]		aix5: add support for aix5.
-
-1725.	[port]		linux: update error message on interaction of threads,
-			capabilities and setuid support (named -u). [RT #12541]
-
-1724.	[bug]		Look for DNSKEY records with "dig +sigtrace".
-			[RT #12557]
-
-1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]
-
-1722.	[bug]		Don't commit the journal on malformed ixfr streams.
-			[RT #12519]
-
-1721.	[bug]		Error message from the journal processing were not
-			always identifying the relevant journal. [RT #12519]
-
-1720.	[bug]		'dig +chase' did not terminate on a RFC 2308 Type 1
-			negative response. [RT #12506]
-
-1719.	[bug]		named was not correctly caching a RFC 2308 Type 1
-			negative response. [RT #12506]
-
-1718.	[bug]		nsupdate was not handling RFC 2308 Type 3 negative
-			responses when looking for the zone / master server.
-			[RT #12506]
-
-1717.	[port]		solaris: ifconfig.sh did not support Solaris 10.
-			"ifconfig.sh down" didn't work for Solaris 9.
-
-1716.	[doc]		named.conf(5) was being installed in the wrong
-			location.  [RT# 12441]
-
-1715.	[func]		'dig +trace' now randomly selects the next servers
-			to try.  Report if there is a bad delegation.
-
-1714.	[bug]		dig/host/nslookup were only trying the first
-			address when a nameserver was specified by name.
-			[RT #12286]
-
-1713.	[port]		linux: extend capset failure message to say:
-			please ensure that the capset kernel module is
-			loaded.  see insmod(8)
-
-1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.
-
-1711.	[func]		'rndc unfreeze' has been deprecated by 'rndc thaw'.
-
-1710.	[func]		'rndc notify zone [class [view]]' resend the NOTIFY
-			messages for the specified zone. [RT #9479]
-
-1709.	[port]		solaris: add SMF support from Sun.
-
-1708.	[cleanup]	Replaced dns_fullname_hash() with dns_name_fullhash()
-			for conformance to the name space convention.  Binary
-			backward compatibility to the old function name is
-			provided. [RT #12376]
-
-1707.	[contrib]	sdb/ldap updated to version 1.0-beta.
-
-1706.	[bug]		'rndc stop' failed to cause zones to be flushed
-			sometimes. [RT #12328]
-
-1705.	[func]		Allow the journal's name to be changed via named.conf.
-
-1704.	[port]		lwres needed a snprintf() implementation for
-			platforms without snprintf().  Add missing
-			"#include <isc/print.h>". [RT #12321]
-
-1703.	[bug]		named would loop sending NOTIFY messages when it
-			failed to receive a response. [RT #12322]
-
-1702.	[bug]		also-notify should not be applied to built in zones.
-			[RT #12323]
-
-1701.	[doc]		A minimal named.conf man page.
-
-1700.	[func]		nslookup is no longer to be treated as deprecated.
-			Remove "deprecated" warning message.  Add man page.
-
-1699.	[bug]		dnssec-signzone can generate "not exact" errors
-			when resigning. [RT #12281]
-
-1698.	[doc]		Use reserved IPv6 documentation prefix.
-
-1697.	[bug]		xxx-source{,-v6} was not effective when it
-			specified one of listening addresses and a
-			different port than the listening port. [RT #12257]
-
-1696.	[bug]		dnssec-signzone failed to clean out nodes that
-			consisted of only NSEC and RRSIG records.
-			[RT #12154]
-
-1695.	[bug]		DS records when forwarding require special handling.
-			[RT #12133]
-
-1694.	[bug]		Report if the builtin views of "_default" / "_bind"
-			are defined in named.conf. [RT #12023]
-
-1693.	[bug]		max-journal-size was not effective for master zones
-			with ixfr-from-differences set. [RT# 12024]
-
-1692.	[bug]		Don't set -I, -L and -R flags when libcrypto is in
-			/usr/lib. [RT #11971]
-
-1691.	[bug]		sdb's attachversion was not complete. [RT #11990]
-
-1690.	[bug]		Delay detaching view from the client until UPDATE
-			processing completes when shutting down. [RT #11714]
-
-1689.	[bug]		DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
-			contained gratuitous semicolons. [RT #11707]
-
-1688.	[bug]		LDFLAGS was not supported.
-
-1687.	[bug]		Race condition in dispatch. [RT #10272]
-
-1686.	[bug]		Named sent a extraneous NOTIFY when it received a
-			redundant UPDATE request. [RT #11943]
-
-1685.	[bug]		Change #1679 loop tests weren't quite right.
-
-1684.	[func]		ixfr-from-differences now takes master and slave in
-			addition to yes and no at the options and view levels.
-
-1683.	[bug]		dig +sigchase could leak memory. [RT #11445]
-
-1682.	[port]		Update configure test for (long long) printf format.
-			[RT #5066]
-
-1681.	[bug]		Only set SO_REUSEADDR when a port is specified in
-			isc_socket_bind(). [RT #11742]
-
-1680.	[func]		rndc: the source address can now be specified.
-
-1679.	[bug]		When there was a single nameserver with multiple
-			addresses for a zone not all addresses were tried.
-			[RT #11706]
-
-1678.	[bug]		RRSIG should use TYPEXXXXX for unknown types.
-
-1677.	[bug]		dig: +aaonly didn't work, +aaflag undocumented.
-
-1676.	[func]		New option "allow-query-cache".  This lets
-			allow-query be used to specify the default zone
-			access level rather than having to have every
-			zone override the global value.  allow-query-cache
-			can be set at both the options and view levels.
-			If allow-query-cache is not set allow-query applies.
-
-1675.	[bug]		named would sometimes add extra NSEC records to
-			the authority section.
-
-1674.	[port]		linux: increase buffer size used to scan
-			/proc/net/if_inet6.
-
-1673.	[port]		linux: issue a error messages if IPv6 interface
-			scans fails.
-
-1672.	[cleanup]	Tests which only function in a threaded build
-			now return R:THREADONLY (rather than R:UNTESTED)
-			in a non-threaded build.
-
-1671.	[contrib]	queryperf: add NAPTR to the list of known types.
-
-1670.	[func]		Log UPDATE requests to slave zones without an acl as
-			"disabled" at debug level 3. [RT# 11657]
-
-1669.	[placeholder]
-
-1668.	[bug]		DIG_SIGCHASE was making bin/dig/host dump core.
-
-1667.	[port]		linux: not all versions have IF_NAMESIZE.
-
-1666.	[bug]		The optional port on hostnames in dual-stack-servers
-			was being ignored.
-
-1665.	[func]		rndc now allows addresses to be set in the
-			server clauses.
-
-1664.	[bug]		nsupdate needed KEY for SIG(0), not DNSKEY.
-
-1663.	[func]		Look for OpenSSL by default.
-
-1662.	[bug]		Change #1658 failed to change one use of 'type'
-			to 'keytype'.
-
-1661.	[bug]		Restore dns_name_concatenate() call in
-			adb.c:set_target().  [RT #11582]
-
-1660.	[bug]		win32: connection_reset_fix() was being called
-			unconditionally.  [RT #11595]
-
-1659.	[cleanup]	Cleanup some messages that were referring to KEY vs
-			DNSKEY, NXT vs NSEC and SIG vs RRSIG.
-
-1658.	[func]		Update dnssec-keygen to default to KEY for HMAC-MD5
-			and DH.  Tighten which options apply to KEY and
-			DNSKEY records.
-
-1657.	[doc]		ARM: document query log output.
-
-1656.	[doc]		Update DNSSEC description in ARM to cover DS, NSEC
-			DNSKEY and RRSIG.  [RT #11542]
-
-1655.	[bug]		Logging multiple versions w/o a size was broken.
-			[RT #11446]
-
-1654.	[bug]		isc_result_totext() contained array bounds read
-			error.
-
-1653.	[func]		Add key type checking to dst_key_fromfilename(),
-			DST_TYPE_KEY should be used to read TSIG, TKEY and
-			SIG(0) keys.
-
-1652.	[bug]		TKEY still uses KEY.
-
-1651.	[bug]		dig: process multiple dash options.
-
-1650.	[bug]		dig, nslookup: flush standard out after each command.
-
-1649.	[bug]		Silence "unexpected non-minimal diff" message.
-			[RT #11206]
-
-1648.	[func]		Update dnssec-lookaside named.conf syntax to support
-			multiple dnssec-lookaside namespaces (not yet
-			implemented).
-
-1647.	[bug]		It was possible trigger a INSIST when chasing a DS
-			record that required walking back over a empty node.
-			[RT #11445]
-
-1646.	[bug]		win32: logging file versions didn't work with
-			non-UNC filenames.  [RT#11486]
-
-1645.	[bug]		named could trigger a REQUIRE failure if multiple
-			masters with keys are specified.
-
-1644.	[bug]		Update the journal modification time after a
-			successful refresh query. [RT #11436]
-
-1643.	[bug]		dns_db_closeversion() could leak memory / node
-			references. [RT #11163]
-
-1642.	[port]		Support OpenSSL implementations which don't have
-			DSA support. [RT #11360]
-
-1641.	[bug]		Update the check-names description in ARM. [RT #11389]
-
-1640.	[bug]		win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
-			incorrectly closing the socket.  [RT #11291]
-
-1639.	[func]		Initial dlv system test.
-
-1638.	[bug]		"ixfr-from-differences" could generate a REQUIRE
-			failure if the journal open failed. [RT #11347]
-
-1637.	[bug]		Node reference leak on error in addnoqname().
-
-1636.	[bug]		The dump done callback could get ISC_R_SUCCESS even if
-			a error had occurred.  The database version no longer
-			matched the version of the database that was dumped.
-
-1635.	[bug]		Memory leak on error in query_addds().
-
-1634.	[bug]		named didn't supply a useful error message when it
-			detected duplicate views.  [RT #11208]
-
-1633.	[bug]		named should return NOTIMP to update requests to a
-			slaves without a allow-update-forwarding acl specified.
-			[RT #11331]
-
-1632.	[bug]		nsupdate failed to send prerequisite only UPDATE
-			messages. [RT #11288]
-
-1631.	[bug]		dns_journal_compact() could sometimes corrupt the
-			journal. [RT #11124]
-
-1630.	[contrib]	queryperf: add support for IPv6 transport.
-
-1629.	[func]		dig now supports IPv6 scoped addresses with the
-			extended format in the local-server part. [RT #8753]
-
-1628.	[bug]		Typo in Compaq Trucluster support. [RT# 11264]
-
-1627.	[bug]		win32: sockets were not being closed when the
-			last external reference was removed. [RT# 11179]
-
-1626.	[bug]		--enable-getifaddrs was broken. [RT#11259]
-
-1625.	[bug]		named failed to load/transfer RFC2535 signed zones
-			which contained CNAMES. [RT# 11237]
-
-1624.	[bug]		zonemgr_putio() call should be locked. [RT# 11163]
-
-1623.	[bug]		A serial number of zero was being displayed in the
-			"sending notifies" log message when also-notify was
-			used. [RT #11177]
-
-1622.	[func]		probe the system to see if IPV6_(RECV)PKTINFO is
-			available, and suppress wildcard binding if not.
-
-1621.	[bug]		match-destinations did not work for IPv6 TCP queries.
-			[RT# 11156]
-
-1620.	[func]		When loading a zone report if it is signed. [RT #11149]
-
-1619.	[bug]		Missing ISC_LIST_UNLINK in end_reserved_dispatches().
-			[RT# 11118]
-
-1618.	[bug]		Fencepost errors in dns_name_ishostname() and
-			dns_name_ismailbox() could trigger a INSIST().
-
-1617.	[port]		win32: VC++ 6.0 support.
-
-1616.	[compat]	Ensure that named's version is visible in the core
-			dump. [RT #11127]
-
-1615.	[port]		Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
-			it is defined.
-
-1614.	[port]		win32: silence resource limit messages. [RT# 11101]
-
-1613.	[bug]		Builds would fail on machines w/o a if_nametoindex().
-			Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
-			[RT #11119]
-
-1612.	[bug]		check-names at the option/view level could trigger
-			an INSIST. [RT# 11116]
-
-1611.	[bug]		solaris: IPv6 interface scanning failed to cope with
-			no active IPv6 interfaces.
-
-1610.	[bug]		On dual stack machines "dig -b" failed to set the
-			address type to be looked up with "@server".
-			[RT #11069]
-
-1609.	[func]		dig now has support to chase DNSSEC signature chains.
-			Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
-
-			DNSSEC validation code in dig coded by Olivier Courtay
-			(olivier.courtay@irisa.fr) for the IDsA project
-			(http://idsa.irisa.fr).
-
-1608.	[func]		dig and host now accept -4/-6 to select IP transport
-			to use when making queries.
-
-1607.	[bug]		dig, host and nslookup were still using random()
-			to generate query ids. [RT# 11013]
-
-1606.	[bug]		DLV insecurity proof was failing.
-
-1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
-
-1604.	[bug]		A xfrout_ctx_create() failure would result in
-			xfrout_ctx_destroy() being called with a
-			partially initialized structure.
-
-1603.	[bug]		nsupdate: set interactive based on isatty().
-			[RT# 10929]
-
-1602.	[bug]		Logging to a file failed unless a size was specified.
-			[RT# 10925]
-
-1601.	[bug]		Silence spurious warning 'both "recursion no;" and
-			"allow-recursion" active' warning from view "_bind".
-			[RT# 10920]
-
-1600.	[bug]		Duplicate zone pre-load checks were not case
-			insensitive.
-
-1599.	[bug]		Fix memory leak on error path when checking named.conf.
-
-1598.	[func]		Specify that certain parts of the namespace must
-			be secure (dnssec-must-be-secure).
-
-1597.	[func]		Allow notify-source and query-source to be specified
-			on a per server basis similar to transfer-source.
-			[RT #6496]
-
-1596.	[func]		Accept 'notify-source' style syntax for query-source.
-
-1595.	[func]		New notify type 'master-only'.  Enable notify for
-			master zones only.
-
-1594.	[bug]		'rndc dumpdb' could prevent named from answering
-			queries while the dump was in progress.  [RT #10565]
-
-1593.	[bug]		rndc should return "unknown command" to unknown
-			commands. [RT# 10642]
-
-1592.	[bug]		configure_view() could leak a dispatch. [RT# 10675]
-
-1591.	[bug]		libbind: updated to BIND 8.4.5.
-
-1590.	[port]		netbsd: update thread support.
-
-1589.	[func]		DNSSEC lookaside validation.
-
-1588.	[bug]		win32: TCP sockets could become blocked. [RT #10115]
-
-1587.	[bug]		dns_message_settsigkey() failed to clear existing key.
-			[RT #10590]
-
-1586.	[func]		"check-names" is now implemented.
-
-1585.	[placeholder]
-
-1584.	[bug]		"make test" failed with a read only source tree.
-			[RT #10461]
-
-1583.	[bug]		Records add via UPDATE failed to get the correct trust
-			level. [RT #10452]
-
-1582.	[bug]		rrset-order failed to work on RRsets with more
-			than 32 elements. [RT #10381]
-
-1581.	[func]		Disable DNSSEC support by default.  To enable
-			DNSSEC specify "dnssec-enable yes;" in named.conf.
-
-1580.	[bug]		Zone destruction on final detach takes a long time.
-			[RT #3746]
-
-1579.	[bug]		Multiple task managers could not be created.
-
-1578.	[bug]		Don't use CLASS E IPv4 addresses when resolving.
-			[RT #10346]
-
-1577.	[bug]		Use isc_uint32_t in ultrasparc optimizer bug
-			workaround code. [RT #10331]
-
-1576.	[bug]		Race condition in dns_dispatch_addresponse().
-			[RT# 10272]
-
-1575.	[func]		Log TSIG name on TSIG verify failure. [RT #4404]
-
-1574.	[bug]		Don't attempt to open the controls socket(s) when
-			running tests. [RT #9091]
-
-1573.	[port]		linux: update to libtool 1.5.2 so that
-			"make install DESTDIR=/xx" works with
-			"configure --with-libtool".  [RT #9941]
-
-1572.	[bug]		nsupdate: sign the soa query to find the enclosing
-			zone if the server is specified. [RT #10148]
-
-1571.	[bug]		rbt:hash_node() could fail leaving the hash table
-			in an inconsistent state.  [RT #10208]
-
-1570.	[bug]		nsupdate failed to handle classes other than IN.
-			New keyword 'class' which sets the default class.
-			[RT #10202]
-
-1569.	[func]		nsupdate new command 'answer' which displays the
-			complete answer message to the last update.
-
-1568.	[bug]		nsupdate now reports that the update failed in
-			interactive mode. [RT# 10236]
-
-1567.	[maint]		B.ROOT-SERVERS.NET is now 192.228.79.201.
-
-1566.	[port]		Support for the cmsg framework on Solaris and HP/UX.
-			This also solved the problem that match-destinations
-			for IPv6 addresses did not work on these systems.
-			[RT #10221]
-
-1565.	[bug]		CD flag should be copied to outgoing queries unless
-			the query is under a secure entry point in which case
-			CD should be set.
-
-1564.	[func]		Attempt to provide a fallback entropy source to be
-			used if named is running chrooted and named is unable
-			to open entropy source within the chroot area.
-			[RT #10133]
-
-1563.	[bug]		Gracefully fail when unable to obtain neither an IPv4
-			nor an IPv6 dispatch. [RT #10230]
-
-1562.	[bug]		isc_socket_create() and isc_socket_accept() could
-			leak memory under error conditions. [RT #10230]
-
-1561.	[bug]		It was possible to release the same name twice if
-			named ran out of memory. [RT #10197]
-
-1560.	[port]		FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
-			and EAI_NONAME to the same value.
-
-1559.	[port]		named should ignore SIGFSZ.
-
-1558.	[func]		New DNSSEC 'disable-algorithms'.  Support entry into
-			child zones for which we don't have a supported
-			algorithm.  Such child zones are treated as unsigned.
-
-1557.	[func]		Implement missing DNSSEC tests for
-			* NOQNAME proof with wildcard answers.
-			* NOWILDARD proof with NXDOMAIN.
-			Cache and return NOQNAME with wildcard answers.
-
-1556.	[bug]		nsupdate now treats all names as fully qualified.
-			[RT #6427]
-
-1555.	[func]		'rrset-order cyclic' no longer has a random starting
-			point per query. [RT #7572]
-
-1554.	[bug]		dig, host, nslookup failed when no nameservers
-			were specified in /etc/resolv.conf. [RT #8232]
-
-1553.	[bug]		The windows socket code could stop accepting
-			connections. [RT#10115]
-
-1552.	[bug]		Accept NOTIFY requests from mapped masters if
-			matched-mapped is set. [RT #10049]
-
-1551.	[port]		Open "/dev/null" before calling chroot().
-
-1550.	[port]		Call tzset(), if available, before calling chroot().
-
-1549.	[func]		named-checkzone can now write out the zone contents
-			in a easily parsable format (-D and -o).
-
-1548.	[bug]		When parsing APL records it was possible to silently
-			accept out of range ADDRESSFAMILY values. [RT# 9979]
-
-1547.	[bug]		Named wasted memory recording duplicate lame zone
-			entries. [RT #9341]
-
-1546.	[bug]		We were rejecting valid secure CNAME to negative
-			answers.
-
-1545.	[bug]		It was possible to leak memory if named was unable to
-			bind to the specified transfer source and TSIG was
-			being used. [RT #10120]
-
-1544.	[bug]		Named would logged a single entry to a file despite it
-			being over the specified size limit.
-
-1543.	[bug]		Logging using "versions unlimited" did not work.
-
-1542.	[placeholder]
-
-1541.	[func]		NSEC now uses new bitmap format.
-
-1540.	[bug]		"rndc reload <dynamiczone>" was silently accepted.
-			[RT #8934]
-
-1539.	[bug]		Open UDP sockets for notify-source and transfer-source
-			that use reserved ports at startup. [RT #9475]
-
-1538.	[placeholder]	rt9997
-
-1537.	[func]		New option "querylog".  If set specify whether query
-			logging is to be enabled or disabled at startup.
-
-1536.	[bug]		Windows socket code failed to log a error description
-			when returning ISC_R_UNEXPECTED. [RT #9998]
-
-1535.	[placeholder]
-
-1534.	[bug]		Race condition when priming cache. [RT# 9940]
-
-1533.	[func]		Warn if both "recursion no;" and "allow-recursion"
-			are active. [RT# 4389]
-
-1532.	[port]		netbsd: the configure test for <sys/sysctl.h>
-			requires <sys/param.h>.
-
-1531.	[port]		AIX more libtool fixes.
-
-1530.	[bug]		It was possible to trigger a INSIST() failure if a
-			slave master file was removed at just the correct
-			moment. [RT #9462]
-
-1529.	[bug]		"notify explicit;" failed to log that NOTIFY messages
-			were being sent for the zone. [RT# 9442]
-
-1528.	[cleanup]	Simplify some dns_name_ functions based on the
-			deprecation of bitstring labels.
-
-1527.	[cleanup]	Reduce the number of gettimeofday() calls without
-			losing necessary timer granularity.
-
-1526.	[func]		Implemented "additional section caching (or acache)",
-			an internal cache framework for additional section
-			content to improve response performance.  Several
-			configuration options were provided to control the
-			behavior.
-
-1525.	[bug]		dns_cache_create() could trigger a REQUIRE
-			failure in isc_mem_put() during error cleanup.
-			[RT# 9360]
-
-1524.	[port]		AIX needs to be able to resolve all symbols when
-			creating shared libraries (--with-libtool).
-
-1523.	[bug]		Fix race condition in rbtdb. [RT# 9189]
-
-1522.	[bug]		dns_db_findnode() relax the requirements on 'name'.
-			[RT# 9286]
-
-1521.	[bug]		dns_view_createresolver() failed to check the
-			result from isc_mem_create(). [RT# 9294]
-
-1520.	[protocol]	Add SSHFP (SSH Finger Print) type.
-
-1519.	[bug]		dnssec-signzone:nsec_setbit() computed the wrong
-			length of the new bitmap.
-
-1518.	[bug]		dns_nsec_buildrdata(), and hence dns_nsec_build(),
-			contained a off-by-one error when working out the
-			number of octets in the bitmap.
-
-1517.	[port]		Support for IPv6 interface scanning on HP/UX and
-			TrueUNIX 5.1.
-
-1516.	[func]		Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
-
-1515.	[func]		Allow transfer source to be set in a server statement.
-			[RT #6496]
-
-1514.	[bug]		named: isc_hash_destroy() was being called too early.
-			[RT #9160]
-
-1513.	[doc]		Add "US" to root-delegation-only exclude list.
-
-1512.	[bug]		Extend the delegation-only logging to return query
-			type, class and responding nameserver.
-
-1511.	[bug]		delegation-only was generating false positives
-			on negative answers from sub-zones.
-
-1510.	[func]		New view option "root-delegation-only".  Apply
-			delegation-only check to all TLDs and root.
-			Note there are some TLDs that are NOT delegation
-			only (e.g. DE, LV, US and MUSEUM) these can be excluded
-			from the checks by using exclude.
-
-			root-delegation-only exclude {
-				"DE"; "LV"; "US"; "MUSEUM";
-			};
-
-1509.	[bug]		Hint zones should accept delegation-only.  Forward
-			zone should not accept delegation-only.
-
-1508.	[bug]		Don't apply delegation-only checks to answers from
-			forwarders.
-
-1507.	[bug]		Handle BIND 8 style returns to NS queries to parents
-			when making delegation-only checks.
-
-1506.	[bug]		Wrong return type for dns_view_isdelegationonly().
-
-1505.	[bug]		Uninitialized rdataset in sdb. [RT #8750]
-
-1504.	[func]		New zone type "delegation-only".
-
-1503.	[port]		win32: install libeay32.dll outside of system32.
-
-1502.	[bug]		nsupdate: adjust timeouts for UPDATE requests over TCP.
-
-1501.	[func]		Allow TCP queue length to be specified via
-			named.conf, tcp-listen-queue.
-
-1500.	[bug]		host failed to lookup MX records.  Also look up
-			AAAA records.
-
-1499.	[bug]		isc_random need to be seeded better if arc4random()
-			is not used.
-
-1498.	[port]		bsdos: 5.x support.
-
-1497.	[placeholder]
-
-1496.	[port]		test for pthread_attr_setstacksize().
-
-1495.	[cleanup]	Replace hash functions with universal hash.
-
-1494.	[security]	Turn on RSA BLINDING as a precaution.
-
-1493.	[placeholder]
-
-1492.	[cleanup]	Preserve rwlock quota context when upgrading /
-			downgrading. [RT #5599]
-
-1491.	[bug]		dns_master_dump*() would produce extraneous $ORIGIN
-			lines. [RT #6206]
-
-1490.	[bug]		Accept reading state as well as working state in
-			ns_client_next(). [RT #6813]
-
-1489.	[compat]	Treat 'allow-update' on slave zones as a warning.
-			[RT #3469]
-
-1488.	[bug]		Don't override trust levels for glue addresses.
-			[RT #5764]
-
-1487.	[bug]		A REQUIRE() failure could be triggered if a zone was
-			queued for transfer and the zone was then removed.
-			[RT #6189]
-
-1486.	[bug]		isc_print_snprintf() '%%' consumed one too many format
-			characters. [RT# 8230]
-
-1485.	[bug]		gen failed to handle high type values. [RT #6225]
-
-1484.	[bug]		The number of records reported after a AXFR was wrong.
-			[RT #6229]
-
-1483.	[bug]		dig axfr failed if the message id in the answer failed
-			to match that in the request.  Only the id in the first
-			message is required to match. [RT #8138]
-
-1482.	[bug]		named could fail to start if the kernel supports
-			IPv6 but no interfaces are configured.  Similarly
-			for IPv4. [RT #6229]
-
-1481.	[bug]		Refresh and stub queries failed to use masters keys
-			if specified. [RT #7391]
-
-1480.	[bug]		Provide replay protection for rndc commands.  Full
-			replay protection requires both rndc and named to
-			be updated.  Partial replay protection (limited
-			exposure after restart) is provided if just named
-			is updated.
-
-1479.	[bug]		cfg_create_tuple() failed to handle out of
-			memory cleanup.  parse_list() would leak memory
-			on syntax errors.
-
-1478.	[port]		ifconfig.sh didn't account for other virtual
-			interfaces.  It now takes a optional argument
-			to specify the first interface number. [RT #3907]
-
-1477.	[bug]		memory leak using stub zones and TSIG.
-
-1476.	[placeholder]
-
-1475.	[port]		Probe for old sprintf().
-
-1474.	[port]		Provide strtoul() and memmove() for platforms
-			without them.
-
-1473.	[bug]		create_map() and create_string() failed to handle out
-			of memory cleanup.  [RT #6813]
-
-1472.	[contrib]	idnkit-1.0 from JPNIC, replaces mdnkit.
-
-1471.	[bug]		libbind: updated to BIND 8.4.0.
-
-1470.	[bug]		Incorrect length passed to snprintf. [RT #5966]
-
-1469.	[func]		Log end of outgoing zone transfer at same level
-			as the start of transfer is logged. [RT #4441]
-
-1468.	[func]		Internal zones are no longer counted for
-			'rndc status'.  [RT #4706]
-
-1467.	[func]		$GENERATES now supports optional class and ttl.
-
-1466.	[bug]		lwresd configuration errors resulted in memory
-			and lock leaks.  [RT #5228]
-
-1465.	[bug]		isc_base64_decodestring() and isc_base64_tobuffer()
-			failed to check that trailing bits were zero allowing
-			some invalid base64 strings to be accepted.  [RT #5397]
-
-1464.	[bug]		Preserve "out of zone" data for outgoing zone
-			transfers. [RT #5192]
-
-1463.	[bug]		dns_rdata_from{wire,struct}() failed to catch bad
-			NXT bit maps. [RT #5577]
-
-1462.	[bug]		parse_sizeval() failed to check the token type.
-			[RT #5586]
-
-1461.	[bug]		Remove deadlock from rbtdb code. [RT #5599]
-
-1460.	[bug]		inet_pton() failed to reject certain malformed
-			IPv6 literals.
-
-1459.	[placeholder]
-
-1458.	[cleanup]	sprintf() -> snprintf().
-
-1457.	[port]		Provide strlcat() and strlcpy() for platforms without
-			them.
-
-1456.	[contrib]	gen-data-queryperf.py from Stephane Bortzmeyer.
-
-1455.	[bug]		<netaddr> missing from server grammar in
-			doc/misc/options. [RT #5616]
-
-1454.	[port]		Use getifaddrs() if available for interface scanning.
-			--disable-getifaddrs to override.  Glibc currently
-			has a getifaddrs() that does not support IPv6.
-			Use --enable-getifaddrs=glibc to force the use of
-			this version under linux machines.
-
-1453.	[doc]		ARM: $GENERATE example wasn't accurate. [RT #5298]
-
-1452.	[placeholder]
-
-1451.	[bug]		rndc-confgen didn't exit with a error code for all
-			failures. [RT #5209]
-
-1450.	[bug]		Fetching expired glue failed under certain
-			circumstances.  [RT #5124]
-
-1449.	[bug]		query_addbestns() didn't handle running out of memory
-			gracefully.
-
-1448.	[bug]		Handle empty wildcards labels.
-
-1447.	[bug]		We were casting (unsigned int) to and from (void *).
-			rdataset->private4 is now rdataset->privateuint4
-			to reflect a type change.
-
-1446.	[func]		Implemented undocumented alternate transfer sources
-			from BIND 8.  See use-alt-transfer-source,
-			alt-transfer-source and alt-transfer-source-v6.
-
-			SECURITY: use-alt-transfer-source is ENABLED unless
-			you are using views.  This may cause a security risk
-			resulting in accidental disclosure of wrong zone
-			content if the master supplying different source
-			content based on IP address.  If you are not certain
-			ISC recommends setting use-alt-transfer-source no;
-
-1445.	[bug]		DNS_ADBFIND_STARTATROOT broke stub zones.  This has
-			been replaced with DNS_ADBFIND_STARTATZONE which
-			causes the search to start using the closest zone.
-
-1444.	[func]		dns_view_findzonecut2() allows you to specify if the
-			cache should be searched for zone cuts.
-
-1443.	[func]		Masters lists can now be specified and referenced
-			in zone masters clauses and other masters lists.
-
-1442.	[func]		New functions for manipulating port lists:
-			dns_portlist_create(), dns_portlist_add(),
-			dns_portlist_remove(), dns_portlist_match(),
-			dns_portlist_attach() and dns_portlist_detach().
-
-1441.	[func]		It is now possible to tell dig to bind to a specific
-			source port.
-
-1440.	[func]		It is now possible to tell named to avoid using
-			certain source ports (avoid-v4-udp-ports,
-			avoid-v6-udp-ports).
-
-1439.	[bug]		Named could return NOERROR with certain NOTIFY
-			failures.  Return NOTAUTH if the NOTIFY zone is
-			not being served.
-
-1438.	[func]		Log TSIG (if any) when logging NOTIFY requests.
-
-1437.	[bug]		Leave space for stdio to work in. [RT #5033]
-
-1436.	[func]		dns_zonemgr_resumexfrs() can be used to restart
-			stalled transfers.
-
-1435.	[bug]		zmgr_resume_xfrs() was being called read locked
-			rather than write locked.  zmgr_resume_xfrs()
-			was not being called if the zone was being
-			shutdown.
-
-1434.	[bug]		"rndc reconfig" failed to initiate the initial
-			zone transfer of new slave zones.
-
-1433.	[bug]		named could trigger a REQUIRE failure if it could
-			not get a file descriptor when attempting to write
-			a master file. [RT #4347]
-
-1432.	[func]		The advertised EDNS UDP buffer size can now be set
-			via named.conf (edns-udp-size).
-
-1431.	[bug]		isc_print_snprintf() "%s" with precision could walk off
-			end of argument. [RT #5191]
-
-1430.	[port]		linux: IPv6 interface scanning support.
-
-1429.	[bug]		Prevent the cache getting locked to old servers.
-
-1428.	[placeholder]
-
-1427.	[bug]		Race condition in adb with threaded build.
-
-1426.	[placeholder]
-
-1425.	[port]		linux/libbind: define __USE_MISC when testing *_r()
-			function prototypes in netdb.h.  [RT #4921]
-
-1424.	[bug]		EDNS version not being correctly printed.
-
-1423.	[contrib]	queryperf: added A6 and SRV.
-
-1422.	[func]		Log name/type/class when denying a query.  [RT #4663]
-
-1421.	[func]		Differentiate updates that don't succeed due to
-			prerequisites (unsuccessful) vs other reasons
-			(failed).
-
-1420.	[port]		solaris: work around gcc optimizer bug.
-
-1419.	[port]		openbsd: use /dev/arandom. [RT #4950]
-
-1418.	[bug]		'rndc reconfig' did not cause new slaves to load.
-
-1417.	[func]		ID.SERVER/CHAOS is now a built in zone.
-			See "server-id" for how to configure.
-
-1416.	[bug]		Empty node should return NOERROR NODATA, not NXDOMAIN.
-			[RT #4715]
-
-1415.	[func]		DS TTL now derived from NS ttl.  NXT TTL now derived
-			from SOA MINIMUM.
-
-1414.	[func]		Support for KSK flag.
-
-1413.	[func]		Explicitly request the (re-)generation of DS records
-			from keysets (dnssec-signzone -g).
-
-1412.	[func]		You can now specify servers to be tried if a nameserver
-			has IPv6 address and you only support IPv4 or the
-			reverse. See dual-stack-servers.
-
-1411.	[bug]		empty nodes should stop wildcard matches. [RT #4802]
-
-1410.	[func]		Handle records that live in the parent zone, e.g. DS.
-
-1409.	[bug]		DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
-
-1408.	[bug]		"make distclean" was not complete. [RT #4700]
-
-1407.	[bug]		lfsr incorrectly implements the shift register.
-			[RT #4617]
-
-1406.	[bug]		dispatch initializes one of the LFSR's with a incorrect
-			polynomial.  [RT #4617]
-
-1405.	[func]		Use arc4random() if available.
-
-1404.	[bug]		libbind: ns_name_ntol() could overwrite a zero length
-			buffer.
-
-1403.	[func]		dnssec-signzone, dnssec-keygen, dnssec-makekeyset
-			dnssec-signkey now report their version in the
-			usage message.
-
-1402.	[cleanup]	A6 has been moved to experimental and is no longer
-			fully supported.
-
-1401.	[bug]		adb wasn't clearing state when the timer expired.
-
-1400.	[bug]		Block the addition of wildcard NS records by IXFR
-			or UPDATE. [RT #3502]
-
-1399.	[bug]		Use serial number arithmetic when testing SIG
-			timestamps. [RT #4268]
-
-1398.	[doc]		ARM: notify-also should have been also-notify.
-			[RT #4345]
-
-1397.	[maint]		J.ROOT-SERVERS.NET is now 192.58.128.30.
-
-1396.	[func]		dnssec-signzone: adjust the default signing time by
-			1 hour to allow for clock skew.
-
-1395.	[port]		OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
-			have a working implementation.  [RT #4079]
-
-1394.	[func]		It is now possible to check if a particular element is
-			in a acl.  Remove duplicate entries from the localnets
-			acl.
-
-1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
-			is not available in the kernel to prevent accidently
-			listening on IPv4 interfaces.
-
-1392.	[bug]		named-checkzone: update usage.
-
-1391.	[func]		Add support for IPv6 scoped addresses in named.
-
-1390.	[func]		host now supports ixfr.
-
-1389.	[bug]		named could fail to rotate long log files.  [RT #3666]
-
-1388.	[port]		irix: check for sys/sysctl.h and NET_RT_IFLIST before
-			defining HAVE_IFLIST_SYSCTL. [RT #3770]
-
-1387.	[bug]		named could crash due to an access to invalid memory
-			space (which caused an assertion failure) in
-			incremental cleaning.  [RT #3588]
-
-1386.	[bug]		named-checkzone -z stopped on errors in a zone.
-			[RT #3653]
-
-1385.	[bug]		Setting serial-query-rate to 10 would trigger a
-			REQUIRE failure.
-
-1384.	[bug]		host was incompatible with BIND 8 in its exit code and
-			in the output with the -l option.  [RT #3536]
-
-1383.	[func]		Track the serial number in a IXFR response and log if
-			a mismatch occurs.  This is a more specific error than
-			"not exact". [RT #3445]
-
-1382.	[bug]		make install failed with --enable-libbind. [RT #3656]
-
-1381.	[bug]		named failed to correctly process answers that
-			contained DNAME records where the resulting CNAME
-			resulted in a negative answer.
-
-1380.	[func]		'rndc recursing' dump recursing queries to
-			'recursing-file = "named.recursing";'.
-
-1379.	[func]		'rndc status' now reports tcp and recursion quota
-			states.
-
-1378.	[func]		Improved positive feedback for 'rndc {reload|refresh}.
-
-1377.	[func]		dns_zone_load{new}() now reports if the zone was
-			loaded, queued for loading to up to date.
-
-1376.	[func]		New function dns_zone_logc() to log to specified
-			category.
-
-1375.	[func]		'rndc dumpdb' now dumps the adb cache along with the
-			data cache.
-
-1374.	[func]		dns_adb_dump() now logs the lame zones associated
-			with each server.
-
-1373.	[bug]		Recovery from expired glue failed under certain
-			circumstances.
-
-1372.	[bug]		named crashes with an assertion failure on exit when
-			sharing the same port for listening and querying, and
-			changing listening addresses several times. [RT# 3509]
-
-1371.	[bug]		notify-source-v6, transfer-source-v6 and
-			query-source-v6 with explicit addresses and using the
-			same ports as named was listening on could interfere
-			with named's ability to answer queries sent to those
-			addresses.
-
-1370.	[bug]		dig '+[no]recurse' was incorrectly documented.
-
-1369.	[bug]		Adding an NS record as the lexicographically last
-			record in a secure zone didn't work.
-
-1368.	[func]		remove support for bitstring labels.
-
-1367.	[func]		Use response times to select forwarders.
-
-1366.	[contrib]	queryperf usage was incomplete.  Add '-h' for help.
-
-1365.	[func]		"localhost" and "localnets" acls now include IPv6
-			addresses / prefixes.
-
-1364.	[func]		Log file name when unable to open memory statistics
-			and dump database files. [RT# 3437]
-
-1363.	[func]		Listen-on-v6 now supports specific addresses.
-
-1362.	[bug]		remove IFF_RUNNING test when scanning interfaces.
-
-1361.	[func]		log the reason for rejecting a server when resolving
-			queries.
-
-1360.	[bug]		--enable-libbind would fail when not built in the
-			source tree for certain OS's.
-
-1359.	[security]	Support patches OpenSSL libraries.
-			http://www.cert.org/advisories/CA-2002-23.html
-
-1358.	[bug]		It was possible to trigger a INSIST when debugging
-			large dynamic updates. [RT #3390]
-
-1357.	[bug]		nsupdate was extremely wasteful of memory.
-
-1356.	[tuning]	Reduce the number of events / quantum for zone tasks.
-
-1355.	[bug]		Fix DNSSEC wildcard proof for CNAME/DNAME.
-
-1354.	[doc]		lwres man pages had illegal nroff.
-
-1353.	[contrib]	sdb/ldap to version 0.9.
-
-1352.	[bug]		dig, host, nslookup when falling back to TCP use the
-			current search entry (if any). [RT #3374]
-
-1351.	[bug]		lwres_getipnodebyname() returned the wrong name
-			when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
-			was set.
-
-1350.	[bug]		dns_name_fromtext() failed to handle too many labels
-			gracefully.
-
-1349.	[security]	Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
-			http://www.cert.org/advisories/CA-2002-23.html
-
-1348.	[port]		win32: Rewrote code to use I/O Completion Ports
-			in socket.c and eliminating a host of socket
-			errors. Performance is enhanced.
-
-1347.	[placeholder]
-
-1346.	[placeholder]
-
-1345.	[port]		Use a explicit -Wformat with gcc.  Not all versions
-			include it in -Wall.
-
-1344.	[func]		Log if the serial number on the master has gone
-			backwards.
-			If you have multiple machines specified in the masters
-			clause you may want to set 'multi-master yes;' to
-			suppress this warning.
-
-1343.	[func]		Log successful notifies received (info).  Adjust log
-			level for failed notifies to notice.
-
-1342.	[func]		Log remote address with TCP dispatch failures.
-
-1341.	[func]		Allow a rate limiter to be stalled.
-
-1340.	[bug]		Delay and spread out the startup refresh load.
-
-1339.	[func]		dig, host and nslookup now use IP6.ARPA for nibble
-			lookups.  Bit string lookups are no longer attempted.
-
-1338.	[placeholder]
-
-1337.	[placeholder]
-
-1336.	[func]		Nibble lookups under IP6.ARPA are now supported by
-			dns_byaddr_create().  dns_byaddr_createptrname() is
-			deprecated, use dns_byaddr_createptrname2() instead.
-
-1335.	[bug]		When performing a nonexistence proof, the validator
-			should discard parent NXTs from higher in the DNS.
-
-1334.	[bug]		When signing/verifying rdatasets, duplicate rdatas
-			need to be suppressed.
-
-1333.	[contrib]	queryperf now reports a summary of returned
-			rcodes (-c), rcodes are printed in mnemonic form (-v).
-
-1332.	[func]		Report the current serial with periodic commits when
-			rolling forward the journal.
-
-1331.	[func]		Generate DNSSEC wildcard proofs.
-
-1330.	[bug]		When processing events (non-threaded) only allow
-			the task one chance to use to use its quantum.
-
-1329.	[func]		named-checkzone will now check if nameservers that
-			appear to be IP addresses.  Available modes "fail",
-			"warn" (default) and "ignore" the results of the
-			check.
-
-1328.	[bug]		The validator could incorrectly verify an invalid
-			negative proof.
-
-1327.	[bug]		The validator would incorrectly mark data as insecure
-			when seeing a bogus signature before a correct
-			signature.
-
-1326.	[bug]		DNAME/CNAME signatures were not being cached when
-			validation was not being performed. [RT #3284]
-
-1325.	[bug]		If the tcpquota was exhausted it was possible to
-			to trigger a INSIST() failure.
-
-1324.	[port]		darwin: ifconfig.sh now supports darwin.
-
-1323.	[port]		linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
-
-1322.	[bug]		dnssec-signzone usage message was misleading.
-
-1321.	[bug]		If the last RRset in a zone is glue, dnssec-signzone
-			would incorrectly duplicate its output and sign it.
-
-1320.	[doc]		query-source-v6 was missing from options section.
-			[RT #3218]
-
-1319.	[func]		libbind: log attempts to exploit #1318.
-
-1318.	[bug]		libbind: Remote buffer overrun.
-
-1317.	[port]		libbind: TrueUNIX 5.1 does not like __align as a
-			element name.
-
-1316.	[bug]		libbind: gethostans() could get out of sync parsing
-			the response if there was a very long CNAME chain.
-
-1315.	[bug]		Options should apply to the internal _bind view.
-
-1314.	[port]		Handle ECONNRESET from sendmsg() [unix].
-
-1313.	[func]		Query log now says if the query was signed (S) or
-			if EDNS was used (E).
-
-1312.	[func]		Log TSIG key used w/ outgoing zone transfers.
-
-1311.	[bug]		lwres_getrrsetbyname leaked memory.  [RT #3159]
-
-1310.	[bug]		'rndc stop' failed to cause zones to be flushed
-			sometimes. [RT #3157]
-
-1309.	[func]		Log that a zone transfer was covered by a TSIG.
-
-1308.	[func]		DS (delegation signer) support.
-
-1307.	[bug]		nsupdate: allow white space base64 key data.
-
-1306.	[bug]		Badly encoded LOC record when the size, horizontal
-			precision or vertical precision was 0.1m.
-
-1305.	[bug]		Document that internal zones are included in the
-			rndc status results.
-
-1304.	[func]		New function: dns_zone_name().
-
-1303.	[func]		Option 'flush-zones-on-shutdown <boolean>;'.
-
-1302.	[func]		Extended rndc dumpdb to support dumping of zones and
-			view selection: 'dumpdb [-all|-zones|-cache] [view]'.
-
-1301.	[func]		New category 'update-security'.
-
-1300.	[port]		Compaq Trucluster support.
-
-1299.	[bug]		Set AI_ADDRCONFIG when looking up addresses
-			via getaddrinfo() (affects dig, host, nslookup, rndc
-			and nsupdate).
-
-1298.	[bug]		The CINCLUDES macro in lib/dns/sec/dst/Makefile
-			could be left with a trailing "\" after configure
-			has been run.
-
-1297.	[port]		linux: make handling EINVAL from socket() no longer
-			conditional on #ifdef LINUX.
-
-1296.	[bug]		isc_log_closefilelogs() needed to lock the log
-			context.
-
-1295.	[bug]		isc_log_setdebuglevel() needed to lock the log
-			context.
-
-1294.	[func]		libbind: no longer attempts bit string labels for
-			IPv6 reverse resolution.  Try IP6.ARPA then IP6.INT
-			for nibble style resolution.
-
-1293.	[func]		Entropy can now be retrieved from EGDs. [RT #2438]
-
-1292.	[func]		Enable IPv6 support when using ioctl style interface
-			scanning and OS supports SIOCGLIFADDR using struct
-			if_laddrreq.
-
-1291.	[func]		Enable IPv6 support when using sysctl style interface
-			scanning.
-
-1290.	[func]		"dig axfr" now reports the number of messages
-			as well as the number of records.
-
-1289.	[port]		See if -ldl is required for OpenSSL? [RT #2672]
-
-1288.	[bug]		Adjusted REQUIRE's in lib/dns/name.c to better
-			reflect written requirements.
-
-1287.	[bug]		REQUIRE that DNS_DBADD_MERGE only be set when adding
-			a rdataset to a zone db in the rbtdb implementation of
-			addrdataset.
-
-1286.	[bug]		dns_name_downcase() enforce requirement that
-			target != NULL or name->buffer != NULL.
-
-1285.	[func]		lwres: probe the system to see what address families
-			are currently in use.
-
-1284.	[bug]		The RTT estimate on unused servers was not aged.
-			[RT #2569]
-
-1283.	[func]		Use "dataready" accept filter if available.
-
-1282.	[port]		libbind: hpux 11.11 interface scanning.
-
-1281.	[func]		Log zone when unable to get private keys to update
-			zone.  Log zone when NXT records are missing from
-			secure zone.
-
-1280.	[bug]		libbind: escape '(' and ')' when converting to
-			presentation form.
-
-1279.	[port]		Darwin uses (unsigned long) for size_t. [RT #2590]
-
-1278.	[func]		dig: now supports +[no]cl +[no]ttlid.
-
-1277.	[func]		You can now create your own customized printing
-			styles: dns_master_stylecreate() and
-			dns_master_styledestroy().
-
-1276.	[bug]		libbind: const pointer conflicts in res_debug.c.
-
-1275.	[port]		libbind: hpux: treat all hpux systems as BIG_ENDIAN.
-
-1274.	[bug]		Memory leak in lwres_gnbarequest_parse().
-
-1273.	[port]		libbind: solaris: 64 bit binary compatibility.
-
-1272.	[contrib]	Berkeley DB 4.0 sdb implementation from
-			Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
-
-1271.	[bug]		"recursion available: {denied,approved}" was too
-			confusing.
-
-1270.	[bug]		Check that system inet_pton() and inet_ntop() support
-			AF_INET6.
-
-1269.	[port]		Openserver: ifconfig.sh support.
-
-1268.	[port]		Openserver: the value FD_SETSIZE depends on whether
-			<sys/param.h> is included or not.  Be consistent.
-
-1267.	[func]		isc_file_openunique() now creates file using mode
-			0666 rather than 0600.
-
-1266.	[bug]		ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
-			__ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
-			are not C++ compatible, use *_TYPE versions instead.
-
-1265.	[bug]		libbind: LINK_INIT and UNLINK were not compatible with
-			C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
-
-1264.	[placeholder]
-
-1263.	[bug]		Reference after free error if dns_dispatchmgr_create()
-			failed.
-
-1262.	[bug]		ns_server_destroy() failed to set *serverp to NULL.
-
-1261.	[func]		libbind: ns_sign2() and ns_sign_tcp() now provide
-			support for compressed TSIG owner names.
-
-1260.	[func]		libbind: res_update can now update IPv6 servers,
-			new function res_findzonecut2().
-
-1259.	[bug]		libbind: get_salen() IPv6 support was broken for OSs
-			w/o sa_len.
-
-1258.	[bug]		libbind: res_nametotype() and res_nametoclass() were
-			broken.
-
-1257.	[bug]		Failure to write pid-file should not be fatal on
-			reload. [RT #2861]
-
-1256.	[contrib]	'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
-
-1255.	[bug]		When verifying that an NXT proves nonexistence, check
-			the rcode of the message and only do the matching NXT
-			check.  That is, for NXDOMAIN responses, check that
-			the name is in the range between the NXT owner and
-			next name, and for NOERROR NODATA responses, check
-			that the type is not present in the NXT bitmap.
-
-1254.	[func]		preferred-glue option from BIND 8.3.
-
-1253.	[bug]		The dnssec system test failed to remove the correct
-			files.
-
-1252.	[bug]		Dig, host and nslookup were not checking the address
-			the answer was coming from against the address it was
-			sent to. [RT# 2692]
-
-1251.	[port]		win32: a make file contained absolute version specific
-			references.
-
-1250.	[func]		Nsupdate will report the address the update was
-			sent to.
-
-1249.	[bug]		Missing masters clause was not handled gracefully.
-			[RT #2703]
-
-1248.	[bug]		DESTDIR was not being propagated between makes.
-
-1247.	[bug]		Don't reset the interface index for link/site local
-			addresses. [RT #2576]
-
-1246.	[func]		New functions isc_sockaddr_issitelocal(),
-			isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
-			and isc_netaddr_islinklocal().
-
-1245.	[bug]		Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
-			accept().
-
-1244.	[bug]		Receiving a TCP message from a blackhole address would
-			prevent further messages being received over that
-			interface.
-
-1243.	[bug]		It was possible to trigger a REQUIRE() in
-			dns_message_findtype(). [RT #2659]
-
-1242.	[bug]		named-checkzone failed if a journal existed. [RT #2657]
-
-1241.	[bug]		Drop received UDP messages with a zero source port
-			as these are invariably forged. [RT #2621]
-
-1240.	[bug]		It was possible to leak zone references by
-			specifying an incorrect zone to rndc.
-
-1239.	[bug]		Under certain circumstances named could continue to
-			use a name after it had been freed triggering
-			INSIST() failures.  [RT #2614]
-
-1238.	[bug]		It is possible to lockup the server when shutting down
-			if notifies were being processed. [RT #2591]
-
-1237.	[bug]		nslookup: "set q=type" failed.
-
-1236.	[bug]		dns_rdata{class,type}_fromtext() didn't handle non
-			NULL terminated text regions. [RT #2588]
-
-1235.	[func]		Report 'out of memory' errors from openssl.
-
-1234.	[bug]		contrib/sdb: 'zonetodb' failed to call
-			dns_result_register().  DNS_R_SEENINCLUDE should not
-			be fatal.
-
-1233.	[bug]		The flags field of a KEY record can be expressed in
-			hex as well as decimal.
-
-1232.	[bug]		unix/errno2result() didn't handle EADDRNOTAVAIL.
-
-1231.	[port]		HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
-
-1230.	[bug]		isccc_cc_isreply() and isccc_cc_isack() were broken.
-
-1229.	[bug]		named would crash if it received a TSIG signed
-			query as part of an AXFR response. [RT #2570]
-
-1228.	[bug]		'make install' did not depend on 'make all'. [RT #2559]
-
-1227.	[bug]		dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
-			if a number was expected and some other token was
-			found. [RT#2532]
-
-1226.	[func]		Use EDNS for zone refresh queries. [RT #2551]
-
-1225.	[func]		dns_message_setopt() no longer requires that
-			dns_message_renderbegin() to have been called.
-
-1224.	[bug]		'rrset-order' and 'sortlist' should be additive
-			not exclusive.
-
-1223.	[func]		'rrset-order' partially works 'cyclic' and 'random'
-			are supported.
-
-1222.	[bug]		Specifying 'port *' did not always result in a system
-			selected (non-reserved) port being used. [RT #2537]
-
-1221.	[bug]		Zone types 'master', 'slave' and 'stub' were not being
-			compared case insensitively. [RT #2542]
-
-1220.	[func]		Support for APL rdata type.
-
-1219.	[func]		Named now reports the TSIG extended error code when
-			signature verification fails. [RT #1651]
-
-1218.	[bug]		Named incorrectly returned SERVFAIL rather than
-			NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
-
-1217.	[func]		Report locations of previous key definition when a
-			duplicate is detected.
-
-1216.	[bug]		Multiple server clauses for the same server were not
-			reported.  [RT #2514]
-
-1215.	[port]		solaris: add support to ifconfig.sh for x86 2.5.1
-
-1214.	[bug]		Win32: isc_file_renameunique() could leave zero length
-			files behind.
-
-1213.	[func]		Report view associated with client if it is not a
-			standard view (_default or _bind).
-
-1212.	[port]		libbind: 64k answer buffers were causing stack space
-			to be exceeded for certain OS.  Use heap space instead.
-
-1211.	[bug]		dns_name_fromtext() incorrectly handled certain
-			valid octal bitlabels. [RT #2483]
-
-1210.	[bug]		libbind: getnameinfo() failed to lookup IPv4 mapped /
-			compatible addresses. [RT #2461]
-
-1209.	[bug]		Dig, host, nslookup were not checking the message ids
-			on the responses. [RT #2454]
-
-1208.	[bug]		dns_master_load*() failed to log a error message if
-			an error was detected when parsing the ownername of
-			a record.  [RT #2448]
-
-1207.	[bug]		libbind: getaddrinfo() could call freeaddrinfo() with
-			an invalid pointer.
-
-1206.	[bug]		SERVFAIL and NOTIMP responses to an EDNS query should
-			trigger a non-EDNS retry.
-
-1205.	[bug]		OPT, TSIG and TKEY cannot be used to set the "class"
-			of the message. [RT #2449]
-
-1204.	[bug]		libbind: res_nupdate() failed to update the name
-			server addresses before sending the update.
-
-1203.	[func]		Report locations of previous acl and zone definitions
-			when a duplicate is detected.
-
-1202.	[func]		New functions: cfg_obj_line() and cfg_obj_file().
-
-1201.	[bug]		Require that if 'callbacks' is passed to
-			dns_rdata_fromtext(), callbacks->error and
-			callbacks->warn are initialized.
-
-1200.	[bug]		Log 'errno' that we are unable to convert to
-			isc_result_t. [RT #2404]
-
-1199.	[doc]		ARM reference to RFC 2157 should have been RFC 1918.
-			[RT #2436]
-
-1198.	[bug]		OPT printing style was not consistent with the way the
-			header fields are printed.  The DO bit was not reported
-			if set.  Report if any of the MBZ bits are set.
-
-1197.	[bug]		Attempts to define the same acl multiple times were not
-			detected.
-
-1196.	[contrib]	update mdnkit to 2.2.3.
-
-1195.	[bug]		Attempts to redefine builtin acls should be caught.
-			[RT #2403]
-
-1194.	[bug]		Not all duplicate zone definitions were being detected
-			at the named.conf checking stage. [RT #2431]
-
-1193.	[bug]		dig +besteffort parsing didn't handle packet
-			truncation.  dns_message_parse() has new flag
-			DNS_MESSAGE_IGNORETRUNCATION.
-
-1192.	[bug]		The seconds fields in LOC records were restricted
-			to three decimal places.  More decimal places should
-			be allowed but warned about.
-
-1191.	[bug]		A dynamic update removing the last non-apex name in
-			a secure zone would fail. [RT #2399]
-
-1190.	[func]		Add the "rndc freeze" and "rndc unfreeze" commands.
-			[RT #2394]
-
-1189.	[bug]		On some systems, malloc(0) returns NULL, which
-			could cause the caller to report an out of memory
-			error. [RT #2398]
-
-1188.	[bug]		Dynamic updates of a signed zone would fail if
-			some of the zone private keys were unavailable.
-
-1187.	[bug]		named was incorrectly returning DNSSEC records
-			in negative responses when the DO bit was not set.
-
-1186.	[bug]		isc_hex_tobuffer(,,length = 0) failed to unget the
-			EOL token when reading to end of line.
-
-1185.	[bug]		libbind: don't assume statp->_u._ext.ext is valid
-			unless RES_INIT is set when calling res_*init().
-
-1184.	[bug]		libbind: call res_ndestroy() if RES_INIT is set
-			when res_*init() is called.
-
-1183.	[bug]		Handle ENOSR error when writing to the internal
-			control pipe. [RT #2395]
-
-1182.	[bug]		The server could throw an assertion failure when
-			constructing a negative response packet.
-
-1181.	[func]		Add the "key-directory" configuration statement,
-			which allows the server to look for online signing
-			keys in alternate directories.
-
-1180.	[func]		dnssec-keygen should always generate keys with
-			protocol 3 (DNSSEC), since it's less confusing
-			that way.
-
-1179.	[func]		Add SIG(0) support to nsupdate.
-
-1178.	[bug]		Follow and cache (if appropriate) A6 and other
-			data chains to completion in the additional section.
-
-1177.	[func]		Report view when loading zones if it is not a
-			standard view (_default or _bind). [RT #2270]
-
-1176.	[doc]		Document that allow-v6-synthesis is only performed
-			for clients that are supplied recursive service.
-			[RT #2260]
-
-1175.	[bug]		named-checkzone and named-checkconf failed to call
-			dns_result_register() at startup which could
-			result in runtime exceptions when printing
-			"out of memory" errors. [RT #2335]
-
-1174.	[bug]		Win32: add WSAECONNRESET to the expected errors
-			from connect(). [RT #2308]
-
-1173.	[bug]		Potential memory leaks in isc_log_create() and
-			isc_log_settag(). [RT #2336]
-
-1172.	[doc]		Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
-			table of RR types in ARM.
-
-1171.	[func]		Added function isc_region_compare(), updated files in
-			lib/dns to use this function instead of local one.
-
-1170.	[bug]		Don't attempt to print the token when a I/O error
-			occurs when parsing named.conf. [RT #2275]
-
-1169.	[func]		Identify recursive queries in the query log.
-
-1168.	[bug]		Empty also-notify clauses were not handled. [RT #2309]
-
-1167.	[contrib]	nslint-2.1a3 (from author).
-
-1166.	[bug]		"Not Implemented" should be reported as NOTIMP,
-			not NOTIMPL. [RT #2281]
-
-1165.	[bug]		We were rejecting notify-source{-v6} in zone clauses.
-
-1164.	[bug]		Empty masters clauses in slave / stub zones were not
-			handled gracefully. [RT #2262]
-
-1163.	[func]		isc_time_formattimestamp() now includes the year.
-
-1162.	[bug]		The allow-notify option was not accepted in slave
-			zone statements.
-
-1161.	[bug]		named-checkzone looped on unbalanced brackets.
-			[RT #2248]
-
-1160.	[bug]		Generating Diffie-Hellman keys longer than 1024
-			bits could fail. [RT #2241]
-
-1159.	[bug]		MD and MF are not permitted to be loaded by RFC1123.
-
-1158.	[func]		Report the client's address when logging notify
-			messages.
-
-1157.	[func]		match-clients and match-destinations now accept
-			keys. [RT #2045]
-
-1156.	[port]		The configure test for strsep() incorrectly
-			succeeded on certain patched versions of
-			AIX 4.3.3. [RT #2190]
-
-1155.	[func]		Recover from master files being removed from under
-			us.
-
-1154.	[bug]		Don't attempt to obtain the netmask of a interface
-			if there is no address configured. [RT #2176]
-
-1153.	[func]		'rndc {stop|halt} -p' now reports the process id
-			of the instance of named being shutdown.
-
-1152.	[bug]		libbind: read buffer overflows.
-
-1151.	[bug]		nslookup failed to check that the arguments to
-			the port, timeout, and retry options were
-			valid integers and in range. [RT #2099]
-
-1150.	[bug]		named incorrectly accepted TTL values
-			containing plus or minus signs, such as
-			1d+1h-1s.
-
-1149.	[func]		New function isc_parse_uint32().
-
-1148.	[func]		'rndc-confgen -a' now provides positive feedback.
-
-1147.	[func]		Set IPV6_V6ONLY on IPv6 sockets if supported by
-			the OS.  listen-on-v6 { any; }; should no longer
-			result in IPv4 queries be accepted.  Similarly
-			control { inet :: ... }; should no longer result
-			in IPv4 connections being accepted.  This can be
-			overridden at compile time by defining
-			ISC_ALLOW_MAPPED=1.
-
-1146.	[func]		Allow IPV6_IPV6ONLY to be set/cleared on a socket if
-			supported by the OS by a new function
-			isc_socket_ipv6only().
-
-1145.	[func]		"host" no longer reports a NOERROR/NODATA response
-			by printing nothing. [RT #2065]
-
-1144.	[bug]		rndc-confgen would crash if both the -a and -t
-			options were specified. [RT #2159]
-
-1143.	[bug]		When a trusted-keys statement was present and named
-			was built without crypto support, it would leak memory.
-
-1142.	[bug]		dnssec-signzone would fail to delete temporary files
-			in some failure cases. [RT #2144]
-
-1141.	[bug]		When named rejected a control message, it would
-			leak a file descriptor and memory.  It would also
-			fail to respond, causing rndc to hang.
-			[RT #2139, #2164]
-
-1140.	[bug]		rndc-confgen did not accept IPv6 addresses as arguments
-			to the -s option. [RT #2138]
-
-1139.	[func]		It is now possible to flush a given name from the
-			cache(s) via 'rndc flushname name [view]'. [RT #2051]
-
-1138.	[func]		It is now possible to flush a given name from the
-			cache by calling the new function
-			dns_cache_flushname().
-
-1137.	[func]		It is now possible to flush a given name from the
-			ADB by calling the new function dns_adb_flushname().
-
-1136.	[bug]		CNAME records synthesized from DNAMEs did not
-			have a TTL of zero as required by RFC2672.
-			[RT #2129]
-
-1135.	[func]		You can now override the default syslog() facility for
-			named/lwresd at compile time. [RT #1982]
-
-1134.	[bug]		Multi-threaded servers could deadlock in ferror()
-			when reloading zone files. [RT #1951, #1998]
-
-1133.	[bug]		IN6_IS_ADDR_LOOPBACK was not portably defined on
-			platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
-
-1132.	[func]		Improve UPDATE prerequisite failure diagnostic messages.
-
-1131.	[bug]		The match-destinations view option did not work with
-			IPv6 destinations. [RT #2073, #2074]
-
-1130.	[bug]		Log messages reporting an out-of-range serial number
-			did not include the out-of-range number but the
-			following token. [RT #2076]
-
-1129.	[bug]		Multi-threaded servers could crash under heavy
-			resolution load due to a race condition. [RT #2018]
-
-1128.	[func]		sdb drivers can now provide RR data in either text
-			or wire format, the latter using the new functions
-			dns_sdb_putrdata() and dns_sdb_putnamedrdata().
-
-1127.	[func]		rndc: If the server to contact has multiple addresses,
-			try all of them.
-
-1126.	[bug]		The server could access a freed event if shut
-			down while a client start event was pending
-			delivery. [RT #2061]
-
-1125.	[bug]		rndc: -k option was missing from usage message.
-			[RT #2057]
-
-1124.	[doc]		dig: +[no]dnssec, +[no]besteffort and +[no]fail
-			are now documented. [RT #2052]
-
-1123.	[bug]		dig +[no]fail did not match description. [RT #2052]
-
-1122.	[tuning]	Resolution timeout reduced from 90 to 30 seconds.
-			[RT #2046]
-
-1121.	[bug]		The server could attempt to access a NULL zone
-			table if shut down while resolving.
-			[RT #1587, #2054]
-
-1120.	[bug]		Errors in options were not fatal. [RT #2002]
-
-1119.	[func]		Added support in Win32 for NTFS file/directory ACL's
-			for access control.
-
-1118.	[bug]		On multi-threaded servers, a race condition
-			could cause an assertion failure in resolver.c
-			during resolver shutdown. [RT #2029]
-
-1117.	[port]		The configure check for in6addr_loopback incorrectly
-			succeeded on AIX 4.3 when compiling with -O2
-			because the test code was optimized away.
-			[RT #2016]
-
-1116.	[bug]		Setting transfers in a server clause, transfers-in,
-			or transfers-per-ns to a value greater than
-			2147483647 disabled transfers. [RT #2002]
-
-1115.	[func]		Set maximum values for cleaning-interval,
-			heartbeat-interval, interface-interval,
-			max-transfer-idle-in, max-transfer-idle-out,
-			max-transfer-time-in, max-transfer-time-out,
-			statistics-interval of 28 days and
-			sig-validity-interval of 3660 days. [RT #2002]
-
-1114.	[port]		Ignore more accept() errors. [RT #2021]
-
-1113.	[bug]		The allow-update-forwarding option was ignored
-			when specified in a view. [RT #2014]
-
-1112.	[placeholder]
-
-1111.	[bug]		Multi-threaded servers could deadlock processing
-			recursive queries due to a locking hierarchy
-			violation in adb.c. [RT #2017]
-
-1110.	[bug]		dig should only accept valid abbreviations of +options.
-			[RT #2003]
-
-1109.	[bug]		nsupdate accepted illegal ttl values.
-
-1108.	[bug]		On Win32, rndc was hanging when named was not running
-			due to failure to select for exceptional conditions
-			in select(). [RT #1870]
-
-1107.	[bug]		nsupdate could catch an assertion failure if an
-			invalid domain name was given as the argument to
-			the "zone" command.
-
-1106.	[bug]		After seeing an out of range TTL, nsupdate would
-			treat all TTLs as out of range. [RT #2001]
-
-1105.	[port]		OpenUNIX 8 enable threads by default. [RT #1970]
-
-1104.	[bug]		Invalid arguments to the transfer-format option
-			could cause an assertion failure. [RT #1995]
-
-1103.	[port]		OpenUNIX 8 support (ifconfig.sh). [RT #1970]
-
-1102.	[doc]		Note that query logging is enabled by directing the
-			queries category to a channel.
-
-1101.	[bug]		Array bounds read error in lwres_gai_strerror.
-
-1100.	[bug]		libbind: DNSSEC key ids were computed incorrectly.
-
-1099.	[cleanup]	libbind: defining REPORT_ERRORS in lib/bind/dst caused
-			compile time errors.
-
-1098.	[bug]		libbind: HMAC-MD5 key files are now mode 0600.
-
-1097.	[func]		libbind: RES_PRF_TRUNC for dig.
-
-1096.	[func]		libbind: "DNSSEC OK" (DO) support.
-
-1095.	[func]		libbind: resolver option: no-tld-query.  disables
-			trying unqualified as a tld.  no_tld_query is also
-			supported for FreeBSD compatibility.
-
-1094.	[func]		libbind: add support gcc's format string checking.
-
-1093.	[doc]		libbind: miscellaneous nroff fixes.
-
-1092.	[bug]		libbind: get*by*() failed to check if res_init() had
-			been called.
-
-1091.	[bug]		libbind: misplaced va_end().
-
-1090.	[bug]		libbind: dns_ho.c:add_hostent() was not returning
-			the amount of memory consumed resulting in garbage
-			address being returned.  Alignment calculations were
-			wasting space.  We weren't suppressing duplicate
-			addresses.
-
-1089.	[func]		libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
-			support.
-
-1088.	[port]		libbind: MPE/iX C.70 (incomplete)
-
-1087.	[bug]		libbind: struct __res_state too large on 64 bit arch.
-
-1086.	[port]		libbind: sunos: old sprintf.
-
-1085.	[port]		libbind: solaris: sys_nerr and sys_errlist do not
-			exist when compiling in 64 bit mode.
-
-1084.	[cleanup]	libbind: gai_strerror() rewritten.
-
-1083.	[bug]		The default control channel listened on the
-			wildcard address, not the loopback as documented.
-			[RT #1975]
-
-1082.	[bug]		The -g option to named incorrectly caused logging
-			to be sent to syslog in addition to stderr.
-			[RT #1974]
-
-1081.	[bug]		Multicast queries were incorrectly identified
-			based on the source address, not the destination
-			address.
-
-1080.	[bug]		BIND 8 compatibility: accept bare IP prefixes
-			as the second element of a two-element top level
-			sort list statement. [RT #1964]
-
-1079.	[bug]		BIND 8 compatibility: accept bare elements at top
-			level of sort list treating them as if they were
-			a single element list. [RT #1963]
-
-1078.	[bug]		We failed to correct bad tv_usec values in one case.
-			[RT #1966]
-
-1077.	[func]		Do not accept further recursive clients when
-			the total number of recursive lookups being
-			processed exceeds max-recursive-clients, even
-			if some of the lookups are internally generated.
-			[RT #1915, #1938]
-
-1076.	[bug]		A badly defined global key could trigger an assertion
-			on load/reload if views were used. [RT #1947]
-
-1075.	[bug]		Out-of-range network prefix lengths were not
-			reported. [RT #1954]
-
-1074.	[bug]		Running out of memory in dump_rdataset() could
-			cause an assertion failure. [RT #1946]
-
-1073.	[bug]		The ADB cache cleaning should also be space driven.
-			[RT #1915, #1938]
-
-1072.	[bug]		The TCP client quota could be exceeded when
-			recursion occurred. [RT #1937]
-
-1071.	[bug]		Sockets listening for TCP DNS connections
-			specified an excessive listen backlog. [RT #1937]
-
-1070.	[bug]		Copy DNSSEC OK (DO) to response as specified by
-			draft-ietf-dnsext-dnssec-okbit-03.txt.
-
-1069.	[placeholder]
-
-1068.	[bug]		errno could be overwritten by catgets(). [RT #1921]
-
-1067.	[func]		Allow quotas to be soft, isc_quota_soft().
-
-1066.	[bug]		Provide a thread safe wrapper for strerror().
-			[RT #1689]
-
-1065.	[func]		Runtime support to select new / old style interface
-			scanning using ioctls.
-
-1064.	[bug]		Do not shut down active network interfaces if we
-			are unable to scan the interface list. [RT #1921]
-
-1063.	[bug]		libbind: "make install" was failing on IRIX.
-			[RT #1919]
-
-1062.	[bug]		If the control channel listener socket was shut
-			down before server exit, the listener object could
-			be freed twice. [RT #1916]
-
-1061.	[bug]		If periodic cache cleaning happened to start
-			while cleaning due to reaching the configured
-			maximum cache size was in progress, the server
-			could catch an assertion failure. [RT #1912]
-
-1060.	[func]		Move refresh, stub and notify UDP retry processing
-			into dns_request.
-
-1059.	[func]		dns_request now support will now retry UDP queries,
-			dns_request_createvia2() and dns_request_createraw2().
-
-1058.	[func]		Limited lifetime ticker timers are now available,
-			isc_timertype_limited.
-
-1057.	[bug]		Reloading the server after adding a "file" clause
-			to a zone statement could cause the server to
-			crash due to a typo in change 1016.
-
-1056.	[bug]		Rndc could catch an assertion failure on SIGINT due
-			to an uninitialized variable. [RT #1908]
-
-1055.	[func]		Version and hostname queries can now be disabled
-			using "version none;" and "hostname none;",
-			respectively.
-
-1054.	[bug]		On Win32, cfg_categories and cfg_modules need to be
-			exported from the libisccfg DLL.
-
-1053.	[bug]		Dig did not increase its timeout when receiving
-			AXFRs unless the +time option was used. [RT #1904]
-
-1052.	[bug]		Journals were not being created in binary mode
-			resulting in "journal format not recognized" error
-			under Win32. [RT #1889]
-
-1051.	[bug]		Do not ignore a network interface completely just
-			because it has a noncontiguous netmask.  Instead,
-			omit it from the localnets ACL and issue a warning.
-			[RT #1891]
-
-1050.	[bug]		Log messages reporting malformed IP addresses in
-			address lists such as that of the forwarders option
-			failed to include the correct error code, file
-			name, and line number. [RT #1890]
-
-1049.	[func]		"pid-file none;" will disable writing a pid file.
-			[RT #1848]
-
-1048.	[bug]		Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
-			didn't work.
-
-1047.	[bug]		named was incorrectly refusing all requests signed
-			with a TSIG key derived from an unsigned TKEY
-			negotiation with a NOERROR response. [RT #1886]
-
-1046.	[bug]		The help message for the --with-openssl configure
-			option was inaccurate. [RT #1880]
-
-1045.	[bug]		It was possible to skip saving glue for a nameserver
-			for a stub zone.
-
-1044.	[bug]		Specifying allow-transfer, notify-source, or
-			notify-source-v6 in a stub zone was not treated
-			as an error.
-
-1043.	[bug]		Specifying a transfer-source or transfer-source-v6
-			option in the zone statement for a master zone was
-			not treated as an error. [RT #1876]
-
-1042.	[bug]		The "config" logging category did not work properly.
-			[RT #1873]
-
-1041.	[bug]		Dig/host/nslookup could catch an assertion failure
-			on SIGINT due to an uninitialized variable. [RT #1867]
-
-1040.	[bug]		Multiple listen-on-v6 options with different ports
-			were not accepted. [RT #1875]
-
-1039.	[bug]		Negative responses with CNAMEs in the answer section
-			were cached incorrectly. [RT #1862]
-
-1038.	[bug]		In servers configured with a tkey-domain option,
-			TKEY queries with an owner name other than the root
-			could cause an assertion failure. [RT #1866, #1869]
-
-1037.	[bug]		Negative responses whose authority section contain
-			SOA or NS records whose owner names are not equal
-			equal to or parents of the query name should be
-			rejected. [RT #1862]
-
-1036.	[func]		Silently drop requests received via multicast as
-			long as there is no final multicast DNS standard.
-
-1035.	[bug]		If we respond to multicast queries (which we
-			currently do not), respond from a unicast address
-			as specified in RFC 1123. [RT #137]
-
-1034.	[bug]		Ignore the RD bit on multicast queries as specified
-			in RFC 1123. [RT #137]
-
-1033.	[bug]		Always respond to requests with an unsupported opcode
-			with NOTIMP, even if we don't have a matching view
-			or cannot determine the class.
-
-1032.	[func]		hostname.bind/txt/chaos now returns the name of
-			the machine hosting the nameserver.  This is useful
-			in diagnosing problems with anycast servers.
-
-1031.	[bug]		libbind.a: isc__gettimeofday() infinite recursion.
-			[RT #1858]
-
-1030.	[bug]		On systems with no resolv.conf file, nsupdate
-			exited with an error rather than defaulting
-			to using the loopback address. [RT #1836]
-
-1029.	[bug]		Some named.conf errors did not cause the loading
-			of the configuration file to return a failure
-			status even though they were logged. [RT #1847]
-
-1028.	[bug]		On Win32, dig/host/nslookup looked for resolv.conf
-			in the wrong directory. [RT #1833]
-
-1027.	[bug]		RRs having the reserved type 0 should be rejected.
-			[RT #1471]
-
-1026.	[placeholder]
-
-1025.	[bug]		Don't use multicast addresses to resolve iterative
-			queries. [RT #101]
-
-1024.	[port]		Compilation failed on HP-UX 11.11 due to
-			incompatible use of the SIOCGLIFCONF macro
-			name. [RT #1831]
-
-1023.	[func]		Accept hints without TTLs.
-
-1022.	[bug]		Don't report empty root hints as "extra data".
-			[RT #1802]
-
-1021.	[bug]		On Win32, log message timestamps were one month
-			later than they should have been, and the server
-			would exhibit unspecified behavior in December.
-
-1020.	[bug]		IXFR log messages did not distinguish between
-			true IXFRs, AXFR-style IXFRs, and mere version
-			polls. [RT #1811]
-
-1019.	[bug]		The value of the lame-ttl option was limited to 18000
-			seconds, not 1800 seconds as documented. [RT #1803]
-
-1018.	[bug]		The default log channel was not always initialized
-			correctly. [RT #1813]
-
-1017.	[bug]		When specifying TSIG keys to dig and nsupdate using
-			the -k option, they must be HMAC-MD5 keys. [RT #1810]
-
-1016.	[bug]		Slave zones with no backup file were re-transferred
-			on every server reload.
-
-1015.	[bug]		Log channels that had a "versions" option but no
-			"size" option failed to create numbered log
-			files. [RT #1783]
-
-1014.	[bug]		Some queries would cause statistics counters to
-			increment more than once or not at all. [RT #1321]
-
-1013.	[bug]		It was possible to cancel a query twice when marking
-			a server as bogus or by having a blackhole acl.
-			[RT #1776]
-
-1012.	[bug]		The -p option to named did not behave as documented.
-
-1011.	[cleanup]	Removed isc_dir_current().
-
-1010.	[bug]		The server could attempt to execute a command channel
-			command after initiating server shutdown, causing
-			an assertion failure. [RT #1766]
-
-1009.	[port]		OpenUNIX 8 support. [RT #1728]
-
-1008.	[port]		libtool.m4, ltmain.sh from libtool-1.4.2.
-
-1007.	[port]		config.guess, config.sub from autoconf-2.52.
-
-1006.	[bug]		If a KEY RR was found missing during DNSSEC validation,
-			an assertion failure could subsequently be triggered
-			in the resolver. [RT #1763]
-
-1005.	[bug]		Don't copy nonzero RCODEs from request to response.
-			[RT #1765]
-
-1004.	[port]		Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
-
-1003.	[func]		Add the +retry option to dig.
-
-1002.	[bug]		When reporting an unknown class name in named.conf,
-			including the file name and line number. [RT #1759]
-
-1001.	[bug]		win32 socket code doio_recv was not catching a
-			WSACONNRESET error when a client was timing out
-			the request and closing its socket. [RT #1745]
-
-1000.	[bug]		BIND 8 compatibility: accept "HESIOD" as an alias
-			for class "HS". [RT #1759]
-
- 999.	[func]		"rndc retransfer zone [class [view]]" added.
-			[RT #1752]
-
- 998.	[func]		named-checkzone now has arguments to specify the
-			chroot directory (-t) and working directory (-w).
-			[RT #1755]
-
- 997.	[func]		Add support for RSA-SHA1 keys (RFC3110).
-
- 996.	[func]		Issue warning if the configuration filename contains
-			the chroot path.
-
- 995.	[bug]		dig, host, nslookup: using a raw IPv6 address as a
-			target address should be fatal on a IPv4 only system.
-
- 994.	[func]		Treat non-authoritative responses to queries for type
-			NS as referrals even if the NS records are in the
-			answer section, because BIND 8 servers incorrectly
-			send them that way.  This is necessary for DNSSEC
-			validation of the NS records of a secure zone to
-			succeed when the parent is a BIND 8 server. [RT #1706]
-
- 993.	[func]		dig: -v now reports the version.
-
- 992.	[doc]		dig: ~/.digrc is now documented.
-
- 991.	[func]		Lower UDP refresh timeout messages to level
-			debug 1.
-
- 990.	[bug]		The rndc-confgen man page was not installed.
-
- 989.	[bug]		Report filename if $INCLUDE fails for file related
-			errors. [RT #1736]
-
- 988.	[bug]		'additional-from-auth no;' did not work reliably
-			in the case of queries answered from the cache.
-			[RT #1436]
-
- 987.	[bug]		"dig -help" didn't show "+[no]stats".
-
- 986.	[bug]		"dig +noall" failed to clear stats and command
-			printing.
-
- 985.	[func]		Consider network interfaces to be up iff they have
-			a nonzero IP address rather than based on the
-			IFF_UP flag. [RT #1160]
-
- 984.	[bug]		Multi-threading should be enabled by default on
-			Solaris 2.7 and newer, but it wasn't.
-
- 983.	[func]		The server now supports generating IXFR difference
-			sequences for non-dynamic zones by comparing zone
-			versions, when enabled using the new config
-			option "ixfr-from-differences". [RT #1727]
-
- 982.	[func]		If "memstatistics-file" is set in options the memory
-			statistics will be written to it.
-
- 981.	[func]		The dnssec tools can now take multiple '-r randomfile'
-			arguments.
-
- 980.	[bug]		Incoming zone transfers restarting after an error
-			could trigger an assertion failure. [RT #1692]
-
- 979.	[func]		Incremental master file dumping.  dns_master_dumpinc(),
-			dns_master_dumptostreaminc(), dns_dumpctx_attach(),
-			dns_dumpctx_detach(), dns_dumpctx_cancel(),
-			dns_dumpctx_db() and dns_dumpctx_version().
-
- 978.	[bug]		dns_db_attachversion() had an invalid REQUIRE()
-			condition.
-
- 977.	[bug]		Improve "not at top of zone" error message.
-
- 976.	[func]		named-checkconf can now test load master zones
-			(named-checkconf -z). [RT #1468]
-
- 975.	[bug]		"max-cache-size default;" as a view option
-			caused an assertion failure.
-
- 974.	[bug]		"max-cache-size unlimited;" as a global option
-			was not accepted.
-
- 973.	[bug]		Failed to log the question name when logging:
-			"bad zone transfer request: non-authoritative zone
-			(NOTAUTH)".
-
- 972.	[bug]		The file modification time code in zone.c was using the
-			wrong epoch. [RT #1667]
-
- 971.	[placeholder]
-
- 970.	[func]		'max-journal-size' can now be used to set a target
-			size for a journal.
-
- 969.	[func]		dig now supports the undocumented dig 8 feature
-			of allowing arbitrary labels, not just dotted
-			decimal quads, with the -x option.  This can be
-			used to conveniently look up RFC2317 names as in
-			"dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
-
- 968.	[bug]		On win32, the isc_time_now() function was unnecessarily
-			calling strtime(). [RT #1671]
-
- 967.	[bug]		On win32, the link for bindevt was not including the
-			required resource file to enable the event viewer
-			to interpret the error messages in the event log,
-			[RT #1668]
-
- 966.	[placeholder]
-
- 965.	[bug]		Including data other than root server NS and A
-			records in the root hint file could cause a rbtdb
-			node reference leak. [RT #1581, #1618]
-
- 964.	[func]		Warn if data other than root server NS and A records
-			are found in the root hint file. [RT #1581, #1618]
-
- 963.	[bug]		Bad ISC_LANG_ENDDECLS. [RT #1645]
-
- 962.	[bug]		libbind: bad "#undef", don't attempt to install
-			non-existent nlist.h. [RT #1640]
-
- 961.	[bug]		Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
-			was not defined. [RT #1482]
-
- 960.	[port]		liblwres failed to build on systems with support for
-			getrrsetbyname() in the OS. [RT #1592]
-
- 959.	[port]		On FreeBSD, determine the number of CPUs by calling
-			sysctlbyname(). [RT #1584]
-
- 958.	[port]		ssize_t is not available on all platforms. [RT #1607]
-
- 957.	[bug]		sys/select.h inclusion was broken on older platforms.
-			[RT #1607]
-
- 956.	[bug]		ns_g_autorndcfile changed to ns_g_keyfile
-			in named/win32/os.c due to code changes in
-			change #953. win32 .make file for rndc-confgen
-			updated to add include path for os.h header.
-
-	--- 9.2.0rc1 released ---
-
- 955.	[bug]		When using views, the zone's class was not being
-			inherited from the view's class. [RT #1583]
-
- 954.	[bug]		When requesting AXFRs or IXFRs using dig, host, or
-			nslookup, the RD bit should not be set as zone
-			transfers are inherently non-recursive. [RT #1575]
-
- 953.	[func]		The /var/run/named.key file from change #843
-			has been replaced by /etc/rndc.key.  Both
-			named and rndc will look for this file and use
-			it to configure a default control channel key
-			if not already configured using a different
-			method (rndc.conf / controls).  Unlike
-			named.key, rndc.key is not created automatically;
-			it must be created by manually running
-			"rndc-confgen -a".
-
- 952.	[bug]		The server required manual intervention to serve the
-			affected zones if it died between creating a journal
-			and committing the first change to it.
-
- 951.	[bug]		CFLAGS was not passed to the linker when
-			linking some of the test programs under
-			bin/tests. [RT #1555].
-
- 950.	[bug]		Explicit TTLs did not properly override $TTL
-			due to a bug in change 834. [RT #1558]
-
- 949.	[bug]		host was unable to print records larger than 512
-			bytes. [RT #1557]
-
-	--- 9.2.0b2 released ---
-
- 948.	[port]		Integrated support for building on Windows NT /
-			Windows 2000.
-
- 947.	[bug]		dns_rdata_soa_t had a badly named element "mname" which
-			was really the RNAME field from RFC1035.  To avoid
-			confusion and silent errors that would occur it the
-			"origin" and "mname" elements were given their correct
-			names "mname" and "rname" respectively, the "mname"
-			element is renamed to "contact".
-
- 946.	[cleanup]	doc/misc/options is now machine-generated from the
-			configuration parser syntax tables, and therefore
-			more likely to be correct.
-
- 945.	[func]		Add the new view-specific options
-			"match-destinations" and "match-recursive-only".
-
- 944.	[func]		Check for expired signatures on load.
-
- 943.	[bug]		The server could crash when receiving a command
-			via rndc if the configuration file listed only
-			nonexistent keys in the controls statement. [RT #1530]
-
- 942.	[port]		libbind: GETNETBYADDR_ADDR_T was not correctly
-			defined on some platforms.
-
- 941.	[bug]		The configuration checker crashed if a slave
-			zone didn't contain a masters statement. [RT #1514]
-
- 940.	[bug]		Double zone locking failure on error path. [RT #1510]
-
-	--- 9.2.0b1 released ---
-
- 939.	[port]		Add the --disable-linux-caps option to configure for
-			systems that manage capabilities outside of named.
-			[RT #1503]
-
- 938.	[placeholder]
-
- 937.	[bug]		A race when shutting down a zone could trigger a
-			INSIST() failure. [RT #1034]
-
- 936.	[func]		Warn about IPv4 addresses that are not complete
-			dotted quads. [RT #1084]
-
- 935.	[bug]		inet_pton failed to reject leading zeros.
-
- 934.	[port]		Deal with systems where accept() spuriously returns
-			ECONNRESET.
-
- 933.	[bug]		configure failed doing libbind on platforms not
-			supported by BIND 8. [RT #1496]
-
-	--- 9.2.0a3 released ---
-
- 932.	[bug]		Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
-			when installing isc-config.sh.
-			[RT #198, #1466]
-
- 931.	[bug]		The controls statement only attempted to verify
-			messages using the first key in the key list.
-			(9.2.0a1/a2 only).
-
- 930.	[func]		Query performance testing tool added as
-			contrib/queryperf.
-
- 929.	[placeholder]
-
- 928.	[bug]		nsupdate would send empty update packets if the
-			send (or empty line) command was run after
-			another send but before any new updates or
-			prerequisites were specified.  It should simply
-			ignore this command.
-
- 927.	[bug]		Don't hold the zone lock for the entire dump to disk.
-			[RT #1423]
-
- 926.	[bug]		The resolver could deadlock with the ADB when
-			shutting down (multi-threaded builds only).
-			[RT #1324]
-
- 925.	[cleanup]	Remove openssl from the distribution; require that
-			--with-openssl be specified if DNSSEC is needed.
-
- 924.	[port]		Extend support for pre-RFC2133 IPv6 implementation.
-			[RT #987]
-
- 923.	[bug]		Multiline TSIG secrets (and other multiline strings)
-			were not accepted in named.conf. [RT #1469]
-
- 922.	[func]		Added two new lwres_getrrsetbyname() result codes,
-			ERR_NONAME and ERR_NODATA.
-
- 921.	[bug]		lwres returned an incorrect error code if it received
-			a truncated message.
-
- 920.	[func]		Increase the lwres receive buffer size to 16K.
-			[RT #1451]
-
- 919.	[placeholder]
-
- 918.	[func]		In nsupdate, TSIG errors are no longer treated as
-			fatal errors.
-
- 917.	[func]		New nsupdate command 'key', allowing TSIG keys to
-			be specified in the nsupdate command stream rather
-			than the command line.
-
- 916.	[bug]		Specifying type ixfr to dig without specifying
-			a serial number failed in unexpected ways.
-
- 915.	[func]		The named-checkconf and named-checkzone programs
-			now have a '-v' option for printing their version.
-			[RT #1151]
-
- 914.	[bug]		Global 'server' statements were rejected when
-			using views, even though they were accepted
-			in 9.1. [RT #1368]
-
- 913.	[bug]		Cache cleaning was not sufficiently aggressive.
-			[RT #1441, #1444]
-
- 912.	[bug]		Attempts to set the 'additional-from-cache' or
-			'additional-from-auth' option to 'no' in a
-			server with recursion enabled will now
-			be ignored and cause a warning message.
-			[RT #1145]
-
- 911.	[placeholder]
-
- 910.	[port]		Some pre-RFC2133 IPv6 implementations do not define
-			IN6ADDR_ANY_INIT. [RT #1416]
-
- 909.	[placeholder]
-
- 908.	[func]		New program, rndc-confgen, to simplify setting up rndc.
-
- 907.	[func]		The ability to get entropy from either the
-			random device, a user-provided file or from
-			the keyboard was migrated from the DNSSEC tools
-			to libisc as isc_entropy_usebestsource().
-
- 906.	[port]		Separated the system independent portion of
-			lib/isc/unix/entropy.c into lib/isc/entropy.c
-			and added lib/isc/win32/entropy.c.
-
- 905.	[bug]		Configuring a forward "zone" for the root domain
-			did not work. [RT #1418]
-
- 904.	[bug]		The server would leak memory if attempting to use
-			an expired TSIG key. [RT #1406]
-
- 903.	[bug]		dig should not crash when receiving a TCP packet
-			of length 0.
-
- 902.	[bug]		The -d option was ignored if both -t and -g were also
-			specified.
-
- 901.	[placeholder]
-
- 900.	[bug]		A config.guess update changed the system identification
-			string of FreeBSD systems; configure and
-			bin/tests/system/ifconfig.sh now recognize the new
-			string.
-
-	--- 9.2.0a2 released ---
-
- 899.	[bug]		lib/dns/soa.c failed to compile on many platforms
-			due to inappropriate use of a void value.
-			[RT #1372, #1373, #1386, #1387, #1395]
-
- 898.	[bug]		"dig" failed to set a nonzero exit status
-			on UDP query timeout. [RT #1323]
-
- 897.	[bug]		A config.guess update changed the system identification
-			string of UnixWare systems; configure now recognizes
-			the new string.
-
- 896.	[bug]		If a configuration file is set on named's command line
-			and it has a relative pathname, the current directory
-			(after any possible jailing resulting from named -t)
-			will be prepended to it so that reloading works
-			properly even when a directory option is present.
-
- 895.	[func]		New function, isc_dir_current(), akin to POSIX's
-			getcwd().
-
- 894.	[bug]		When using the DNSSEC tools, a message intended to warn
-			when the keyboard was being used because of the lack
-			of a suitable random device was not being printed.
-
- 893.	[func]		Removed isc_file_test() and added isc_file_exists()
-			for the basic functionality that was being added
-			with isc_file_test().
-
- 892.	[placeholder]
-
- 891.	[bug]		Return an error when a SIG(0) signed response to
-			an unsigned query is seen.  This should actually
-			do the verification, but it's not currently
-			possible. [RT #1391]
-
- 890.	[cleanup]	The man pages no longer require the mandoc macros
-			and should now format cleanly using most versions of
-			nroff, and HTML versions of the man pages have been
-			added.  Both are generated from DocBook source.
-
- 889.	[port]		Eliminated blank lines before .TH in nroff man
-			pages since they cause problems with some versions
-			of nroff. [RT #1390]
-
- 888.	[bug]		Don't die when using TKEY to delete a nonexistent
-			TSIG key. [RT #1392]
-
- 887.	[port]		Detect broken compilers that can't call static
-			functions from inline functions. [RT #1212]
-
- 886.	[placeholder]
-
- 885.	[placeholder]
-
- 884.	[placeholder]
-
- 883.	[placeholder]
-
- 882.	[placeholder]
-
- 881.	[placeholder]
-
- 880.	[placeholder]
-
- 879.	[placeholder]
-
- 878.	[placeholder]
-
- 877.	[placeholder]
-
- 876.	[placeholder]
-
- 875.	[placeholder]
-
- 874.	[placeholder]
-
- 873.	[placeholder]
-
- 872.	[placeholder]
-
- 871.	[placeholder]
-
- 870.	[placeholder]
-
- 869.	[placeholder]
-
- 868.	[placeholder]
-
- 867.	[placeholder]
-
- 866.	[func]		Close debug only file channels when debug is set to
-			zero. [RT #1246]
-
- 865.	[bug]		The new configuration parser did not allow
-			the optional debug level in a "severity debug"
-			clause of a logging channel to be omitted.
-			This is now allowed and treated as "severity
-			debug 1;" like it does in BIND 8.2.4, not as
-			"severity debug 0;" like it did in BIND 9.1.
-			[RT #1367]
-
- 864.	[cleanup]	Multi-threading is now enabled by default on
-			OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
-
- 863.	[bug]		If an error occurred while an outgoing zone transfer
-			was starting up, the server could access a domain
-			name that had already been freed when logging a
-			message saying that the transfer was starting.
-			[RT #1383]
-
- 862.	[bug]		Use after realloc(), non portable pointer arithmetic in
-			grmerge().
-
- 861.	[port]		Add support for Mac OS X, by making it equivalent
-			to Darwin.  This was derived from the config.guess
-			file shipped with Mac OS X. [RT #1355]
-
- 860.	[func]		Drop cross class glue in zone transfers.
-
- 859.	[bug]		Cache cleaning now won't swamp the CPU if there
-			is a persistent over limit condition.
-
- 858.	[func]		isc_mem_setwater() no longer requires that when the
-			callback function is non-NULL then its hi_water
-			argument must be greater than its lo_water argument
-			(they can now be equal) or that they be non-zero.
-
- 857.	[cleanup]	Use ISC_MAGIC() to define all magic numbers for
-			structs, for our friends in EBCDIC-land.
-
- 856.	[func]		Allow partial rdatasets to be returned in answer and
-			authority sections to help non-TCP capable clients
-			recover from truncation. [RT #1301]
-
- 855.	[bug]		Stop spurious "using RFC 1035 TTL semantics" warnings.
-
- 854.	[bug]		The config parser didn't properly handle config
-			options that were specified in units of time other
-			than seconds. [RT #1372]
-
- 853.	[bug]		configure_view_acl() failed to detach existing acls.
-			[RT #1374]
-
- 852.	[bug]		Handle responses from servers which do not know
-			about IXFR.
-
- 851.	[cleanup]	The obsolete support-ixfr option was not properly
-			ignored.
-
-	--- 9.2.0a1 released ---
-
- 850.	[bug]		dns_rbt_findnode() would not find nodes that were
-			split on a bitstring label somewhere other than in
-			the last label of the node. [RT #1351]
-
- 849.	[func]		<isc/net.h> will ensure INADDR_LOOPBACK is defined.
-
- 848.	[func]		A minimum max-cache-size of two megabytes is enforced
-			by the cache cleaner.
-
- 847.	[func]		Added isc_file_test(), which currently only has
-			some very basic functionality to test for the
-			existence of a file, whether a pathname is absolute,
-			or whether a pathname is the fundamental representation
-			of the current directory.  It is intended that this
-			function can be expanded to test other things a
-			programmer might want to know about a file.
-
- 846.	[func]		A non-zero 'param' to dst_key_generate() when making an
-			hmac-md5 key means that good entropy is not required.
-
- 845.	[bug]		The access rights on the public file of a symmetric
-			key are now restricted as soon as the file is opened,
-			rather than after it has been written and closed.
-
- 844.	[func]		<isc/net.h> will ensure INADDR_LOOPBACK is defined,
-			just as <lwres/net.h> does.
-
- 843.	[func]		If no controls statement is present in named.conf,
-			or if any inet phrase of a controls statement is
-			lacking a keys clause, then a key will be automatically
-			generated by named and an rndc.conf-style file
-			named named.key will be written that uses it.  rndc
-			will use this file only if its normal configuration
-			file, or one provided on the command line, does not
-			exist.
-
- 842.	[func]		'rndc flush' now takes an optional view.
-
- 841.	[bug]		When sdb modules were not declared threadsafe, their
-			create and destroy functions were not serialized.
-
- 840.	[bug]		The config file parser could print the wrong file
-			name if an error was detected after an included file
-			was parsed. [RT #1353]
-
- 839.	[func]		Dump packets for which there was no view or that the
-			class could not be determined to category "unmatched".
-
- 838.	[port]		UnixWare 7.x.x is now suported by
-			bin/tests/system/ifconfig.sh.
-
- 837.	[cleanup]	Multi-threading is now enabled by default only on
-			OSF1, Solaris 2.7 and newer, and AIX.
-
- 836.	[func]		Upgraded libtool to 1.4.
-
- 835.	[bug]		The dispatcher could enter a busy loop if
-			it got an I/O error receiving on a UDP socket.
-			[RT #1293]
-
- 834.	[func]		Accept (but warn about) master files beginning with
-			an SOA record without an explicit TTL field and
-			lacking a $TTL directive, by using the SOA MINTTL
-			as a default TTL.  This is for backwards compatibility
-			with old versions of BIND 8, which accepted such
-			files without warning although they are illegal
-			according to RFC1035.
-
- 833.	[cleanup]	Moved dns_soa_*() from <dns/journal.h> to
-			<dns/soa.h>, and extended them to support
-			all the integer-valued fields of the SOA RR.
-
- 832.	[bug]		The default location for named.conf in named-checkconf
-			should depend on --sysconfdir like it does in named.
-			[RT #1258]
-
- 831.	[placeholder]
-
- 830.	[func]		Implement 'rndc status'.
-
- 829.	[bug]		The DNS_R_ZONECUT result code should only be returned
-			when an ANY query is made with DNS_DBFIND_GLUEOK set.
-			In all other ANY query cases, returning the delegation
-			is better.
-
- 828.	[bug]		The errno value from recvfrom() could be overwritten
-			by logging code. [RT #1293]
-
- 827.	[bug]		When an IXFR protocol error occurs, the slave
-			should retry with AXFR.
-
- 826.	[bug]		Some IXFR protocol errors were not detected.
-
- 825.	[bug]		zone.c:ns_query() detached from the wrong zone
-			reference. [RT #1264]
-
- 824.	[bug]		Correct line numbers reported by dns_master_load().
-			[RT #1263]
-
- 823.	[func]		The output of "dig -h" now goes to stdout so that it
-			can easily be piped through "more". [RT #1254]
-
- 822.	[bug]		Sending nxrrset prerequisites would crash nsupdate.
-			[RT #1248]
-
- 821.	[bug]		The program name used when logging to syslog should
-			be stripped of leading path components.
-			[RT #1178, #1232]
-
- 820.	[bug]		Name server address lookups failed to follow
-			A6 chains into the glue of local authoritative
-			zones.
-
- 819.	[bug]		In certain cases, the resolver's attempts to
-			restart an address lookup at the root could cause
-			the fetch to deadlock (with itself) instead of
-			restarting. [RT #1225]
-
- 818.	[bug]		Certain pathological responses to ANY queries could
-			cause an assertion failure. [RT #1218]
-
- 817.	[func]		Adjust timeouts for dialup zone queries.
-
- 816.	[bug]		Report potential problems with log file accessibility
-			at configuration time, since such problems can't
-			reliably be reported at the time they actually occur.
-
- 815.	[bug]		If a log file was specified with a path separator
-			character (i.e. "/") in its name and the directory
-			did not exist, the log file's name was treated as
-			though it were the directory name. [RT #1189]
-
- 814.	[bug]		Socket objects left over from accept() failures
-			were incorrectly destroyed, causing corruption
-			of socket manager data structures.
-
- 813.	[bug]		File descriptors exceeding FD_SETSIZE were handled
-			badly. [RT #1192]
-
- 812.	[bug]		dig sometimes printed incomplete IXFR responses
-			due to an uninitialized variable. [RT #1188]
-
- 811.	[bug]		Parentheses were not quoted in zone dumps. [RT #1194]
-
- 810.	[bug]		The signer name in SIG records was not properly
-			down-cased when signing/verifying records. [RT #1186]
-
- 809.	[bug]		Configuring a non-local address as a transfer-source
-			could cause an assertion failure during load.
-
- 808.	[func]		Add 'rndc flush' to flush the server's cache.
-
- 807.	[bug]		When setting up TCP connections for incoming zone
-			transfers, the transfer-source port was not
-			ignored like it should be.
-
- 806.	[bug]		DNS_R_SEENINCLUDE was failing to propagate back up
-			the calling stack to the zone maintenance level,
-			causing zones to not reload when an included file was
-			touched but the top-level zone file was not.
-
- 805.	[bug]		When using "forward only", missing root hints should
-			not cause queries to fail. [RT #1143]
-
- 804.	[bug]		Attempting to obtain entropy could fail in some
-			situations.  This would be most common on systems
-			with user-space threads. [RT #1131]
-
- 803.	[bug]		Treat all SIG queries as if they have the CD bit set,
-			otherwise no data will be returned [RT #749]
-
- 802.	[bug]		DNSSEC key tags were computed incorrectly in almost
-			all cases. [RT #1146]
-
- 801.	[bug]		nsupdate should treat lines beginning with ';' as
-			comments. [RT #1139]
-
- 800.	[bug]		dnssec-signzone produced incorrect statistics for
-			large zones. [RT #1133]
-
- 799.	[bug]		The ADB didn't find AAAA glue in a zone unless A6
-			glue was also present.
-
- 798.	[bug]		nsupdate should be able to reject bad input lines
-			and continue. [RT #1130]
-
- 797.	[func]		Issue a warning if the 'directory' option contains
-			a relative path. [RT #269]
-
- 796.	[func]		When a size limit is associated with a log file,
-			only roll it when the size is reached, not every
-			time the log file is opened. [RT #1096]
-
- 795.	[func]		Add the +multiline option to dig. [RT #1095]
-
- 794.	[func]		Implement the "port" and "default-port" statements
-			in rndc.conf.
-
- 793.	[cleanup]	The DNSSEC tools could create filenames that were
-			illegal or contained shell meta-characters.  They
-			now use a different text encoding of names that
-			doesn't have these problems. [RT #1101]
-
- 792.	[cleanup]	Replace the OMAPI command channel protocol with a
-			simpler one.
-
- 791.	[bug]		The command channel now works over IPv6.
-
- 790.	[bug]		Wildcards created using dynamic update or IXFR
-			could fail to match. [RT #1111]
-
- 789.	[bug]		The "localhost" and "localnets" ACLs did not match
-			when used as the second element of a two-element
-			sortlist item.
-
- 788.	[func]		Add the "match-mapped-addresses" option, which
-			causes IPv6 v4mapped addresses to be treated as
-			IPv4 addresses for the purpose of acl matching.
-
- 787.	[bug]		The DNSSEC tools failed to downcase domain
-			names when mapping them into file names.
-
- 786.	[bug]		When DNSSEC signing/verifying data, owner names were
-			not properly down-cased.
-
- 785.	[bug]		A race condition in the resolver could cause
-			an assertion failure. [RT #673, #872, #1048]
-
- 784.	[bug]		nsupdate and other programs would not quit properly
-			if some signals were blocked by the caller. [RT #1081]
-
- 783.	[bug]		Following CNAMEs could cause an assertion failure
-			when either using an sdb database or under very
-			rare conditions.
-
- 782.	[func]		Implement the "serial-query-rate" option.
-
- 781.	[func]		Avoid error packet loops by dropping duplicate FORMERR
-			responses. [RT #1006]
-
- 780.	[bug]		Error handling code dealing with out of memory or
-			other rare errors could lead to assertion failures
-			by calling functions on uninitialized names. [RT #1065]
-
- 779.	[func]		Added the "minimal-responses" option.
-
- 778.	[bug]		When starting cache cleaning, cleaning_timer_action()
-			returned without first pausing the iterator, which
-			could cause deadlock. [RT #998]
-
- 777.	[bug]		An empty forwarders list in a zone failed to override
-			global forwarders. [RT #995]
-
- 776.	[func]		Improved error reporting in denied messages. [RT #252]
-
- 775.	[placeholder]
-
- 774.	[func]		max-cache-size is implemented.
-
- 773.	[func]		Added isc_rwlock_trylock() to attempt to lock without
-			blocking.
-
- 772.	[bug]		Owner names could be incorrectly omitted from cache
-			dumps in the presence of negative caching entries.
-			[RT #991]
-
- 771.	[cleanup]	TSIG errors related to unsynchronized clocks
-			are logged better. [RT #919]
-
- 770.	[func]		Add the "edns yes_or_no" statement to the server
-			clause. [RT #524]
-
- 769.	[func]		Improved error reporting when parsing rdata. [RT #740]
-
- 768.	[bug]		The server did not emit an SOA when a CNAME
-			or DNAME chain ended in NXDOMAIN in an
-			authoritative zone.
-
- 767.	[placeholder]
-
- 766.	[bug]		A few cases in query_find() could leak fname.
-			This would trigger the mpctx->allocated == 0
-			assertion when the server exited.
-			[RT #739, #776, #798, #812, #818, #821, #845,
-			#892, #935, #966]
-
- 765.	[func]		ACL names are once again case insensitive, like
-			in BIND 8. [RT #252]
-
- 764.	[func]		Configuration files now allow "include" directives
-			in more places, such as inside the "view" statement.
-			[RT #377, #728, #860]
-
- 763.	[func]		Configuration files no longer have reserved words.
-			[RT #731, #753]
-
- 762.	[cleanup]	The named.conf and rndc.conf file parsers have
-			been completely rewritten.
-
- 761.	[bug]		_REENTRANT was still defined when building with
-			--disable-threads.
-
- 760.	[contrib]	Significant enhancements to the pgsql sdb driver.
-
- 759.	[bug]		The resolver didn't turn off "avoid fetches" mode
-			when restarting, possibly causing resolution
-			to fail when it should not.  This bug only affected
-			platforms which support both IPv4 and IPv6. [RT #927]
-
- 758.	[bug]		The "avoid fetches" code did not treat negative
-			cache entries correctly, causing fetches that would
-			be useful to be avoided.  This bug only affected
-			platforms which support both IPv4 and IPv6. [RT #927]
-
- 757.	[func]		Log zone transfers.
-
- 756.	[bug]		dns_zone_load() could "return" success when no master
-			file was configured.
-
- 755.	[bug]		Fix incorrectly formatted log messages in zone.c.
-
- 754.	[bug]		Certain failure conditions sending UDP packets
-			could cause the server to retry the transmission
-			indefinitely. [RT #902]
-
- 753.	[bug]		dig, host, and nslookup would fail to contact a
-			remote server if getaddrinfo() returned an IPv6
-			address on a system that doesn't support IPv6.
-			[RT #917]
-
- 752.	[func]		Correct bad tv_usec elements returned by
-			gettimeofday().
-
- 751.	[func]		Log successful zone loads / transfers.  [RT #898]
-
- 750.	[bug]		A query should not match a DNAME whose trust level
-			is pending. [RT #916]
-
- 749.	[bug]		When a query matched a DNAME in a secure zone, the
-			server did not return the signature of the DNAME.
-			[RT #915]
-
- 748.	[doc]		List supported RFCs in doc/misc/rfc-compliance.
-			[RT #781]
-
- 747.	[bug]		The code to determine whether an IXFR was possible
-			did not properly check for a database that could
-			not have a journal. [RT #865, #908]
-
- 746.	[bug]		The sdb didn't clone rdatasets properly, causing
-			a crash when the server followed delegations. [RT #905]
-
- 745.	[func]		Report the owner name of records that fail
-			semantic checks while loading.
-
- 744.	[bug]		When returning DNS_R_CNAME or DNS_R_DNAME as the
-			result of an ANY or SIG query, the resolver failed
-			to setup the return event's rdatasets, causing an
-			assertion failure in the query code. [RT #881]
-
- 743.	[bug]		Receiving a large number of certain malformed
-			answers could cause named to stop responding.
-			[RT #861]
-
- 742.	[placeholder]
-
- 741.	[port]		Support openssl-engine. [RT #709]
-
- 740.	[port]		Handle openssl library mismatches slightly better.
-
- 739.	[port]		Look for /dev/random in configure, rather than
-			assuming it will be there for only a predefined
-			set of OSes.
-
- 738.	[bug]		If a non-threadsafe sdb driver supported AXFR and
-			received an AXFR request, it would deadlock or die
-			with an assertion failure. [RT #852]
-
- 737.	[port]		stdtime.c failed to compile on certain platforms.
-
- 736.	[func]		New functions isc_task_{begin,end}exclusive().
-
- 735.	[doc]		Add BIND 4 migration notes.
-
- 734.	[bug]		An attempt to re-lock the zone lock could occur if
-			the server was shutdown during a zone transfer.
-			[RT #830]
-
- 733.	[bug]		Reference counts of dns_acl_t objects need to be
-			locked but were not. [RT #801, #821]
-
- 732.	[bug]		Glue with 0 TTL could also cause SERVFAIL. [RT #828]
-
- 731.	[bug]		Certain zone errors could cause named-checkzone to
-			fail ungracefully. [RT #819]
-
- 730.	[bug]		lwres_getaddrinfo() returns the correct result when
-			it fails to contact a server. [RT #768]
-
- 729.	[port]		pthread_setconcurrency() needs to be called on Solaris.
-
- 728.	[bug]		Fix comment processing on master file directives.
-			[RT# 757]
-
- 727.	[port]		Work around OS bug where accept() succeeds but
-			fails to fill in the peer address of the accepted
-			connection, by treating it as an error rather than
-			an assertion failure. [RT #809]
-
- 726.	[func]		Implement the "trace" and "notrace" commands in rndc.
-
- 725.	[bug]		Installing man pages could fail.
-
- 724.	[func]		New libisc functions isc_netaddr_any(),
-			isc_netaddr_any6().
-
- 723.	[bug]		Referrals whose NS RRs had a 0 TTL caused the resolver
-			to return DNS_R_SERVFAIL. [RT #783]
-
- 722.	[func]		Allow incremental loads to be canceled.
-
- 721.	[cleanup]	Load manager and dns_master_loadfilequota() are no
-			more.
-
- 720.	[bug]		Server could enter infinite loop in
-			dispatch.c:do_cancel(). [RT #733]
-
- 719.	[bug]		Rapid reloads could trigger an assertion failure.
-			[RT #743, #763]
-
- 718.	[cleanup]	"internal" is no longer a reserved word in named.conf.
-			[RT #753, #731]
-
- 717.	[bug]		Certain TKEY processing failure modes could
-			reference an uninitialized variable, causing the
-			server to crash. [RT #750]
-
- 716.	[bug]		The first line of a $INCLUDE master file was lost if
-			an origin was specified. [RT #744]
-
- 715.	[bug]		Resolving some A6 chains could cause an assertion
-			failure in adb.c. [RT #738]
-
- 714.	[bug]		Preserve interval timers across reloads unless changed.
-			[RT# 729]
-
- 713.	[func]		named-checkconf takes '-t directory' similar to named.
-			[RT #726]
-
- 712.	[bug]		Sending a large signed update message caused an
-			assertion failure. [RT #718]
-
- 711.	[bug]		The libisc and liblwres implementations of
-			inet_ntop contained an off by one error.
-
- 710.	[func]		The forwarders statement now takes an optional
-			port. [RT #418]
-
- 709.	[bug]		ANY or SIG queries for data with a TTL of 0
-			would return SERVFAIL. [RT #620]
-
- 708.	[bug]		When building with --with-openssl, the openssl headers
-			included with BIND 9 should not be used. [RT #702]
-
- 707.	[func]		The "filename" argument to named-checkzone is no
-			longer optional, to reduce confusion. [RT #612]
-
- 706.	[bug]		Zones with an explicit "allow-update { none; };"
-			were considered dynamic and therefore not reloaded
-			on SIGHUP or "rndc reload".
-
- 705.	[port]		Work out resource limit type for use where rlim_t is
-			not available. [RT #695]
-
- 704.	[port]		RLIMIT_NOFILE is not available on all platforms.
-			[RT #695]
-
- 703.	[port]		sys/select.h is needed on older platforms. [RT #695]
-
- 702.	[func]		If the address 0.0.0.0 is seen in resolv.conf,
-			use 127.0.0.1 instead. [RT #693]
-
- 701.	[func]		Root hints are now fully optional.  Class IN
-			views use compiled-in hints by default, as
-			before.  Non-IN views with no root hints now
-			provide authoritative service but not recursion.
-			A warning is logged if a view has neither root
-			hints nor authoritative data for the root. [RT #696]
-
- 700.	[bug]		$GENERATE range check was wrong. [RT #688]
-
- 699.	[bug]		The lexer mishandled empty quoted strings. [RT #694]
-
- 698.	[bug]		Aborting nsupdate with ^C would lead to several
-			race conditions.
-
- 697.	[bug]		nsupdate was not compatible with the undocumented
-			BIND 8 behavior of ignoring TTLs in "update delete"
-			commands. [RT #693]
-
- 696.	[bug]		lwresd would die with an assertion failure when passed
-			a zero-length name. [RT #692]
-
- 695.	[bug]		If the resolver attempted to query a blackholed or
-			bogus server, the resolution would fail immediately.
-
- 694.	[bug]		$GENERATE did not produce the last entry.
-			[RT #682, #683]
-
- 693.	[bug]		An empty lwres statement in named.conf caused
-			the server to crash while loading.
-
- 692.	[bug]		Deal with systems that have getaddrinfo() but not
-			gai_strerror(). [RT #679]
-
- 691.	[bug]		Configuring per-view forwarders caused an assertion
-			failure. [RT #675, #734]
-
- 690.	[func]		$GENERATE now supports DNAME. [RT #654]
-
- 689.	[doc]		man pages are now installed. [RT #210]
-
- 688.	[func]		"make tags" now works on systems with the
-			"Exuberant Ctags" etags.
-
- 687.	[bug]		Only say we have IPv6, with sufficient functionality,
-			if it has actually been tested. [RT #586]
-
- 686.	[bug]		dig and nslookup can now be properly aborted during
-			blocking operations. [RT #568]
-
- 685.	[bug]		nslookup should use the search list/domain options
-			from resolv.conf by default. [RT #405, #630]
-
- 684.	[bug]		Memory leak with view forwarders. [RT #656]
-
- 683.	[bug]		File descriptor leak in isc_lex_openfile().
-
- 682.	[bug]		nslookup displayed SOA records incorrectly. [RT #665]
-
- 681.	[bug]		$GENERATE specifying output format was broken. [RT #653]
-
- 680.	[bug]		dns_rdata_fromstruct() mishandled options bigger
-			than 255 octets.
-
- 679.	[bug]		$INCLUDE could leak memory and file descriptors on
-			reload. [RT #639]
-
- 678.	[bug]		"transfer-format one-answer;" could trigger an assertion
-			failure. [RT #646]
-
- 677.	[bug]		dnssec-signzone would occasionally use the wrong ttl
-			for database operations and fail. [RT #643]
-
- 676.	[bug]		Log messages about lame servers to category
-			'lame-servers' rather than 'resolver', so as not
-			to be gratuitously incompatible with BIND 8.
-
- 675.	[bug]		TKEY queries could cause the server to leak
-			memory.
-
- 674.	[func]		Allow messages to be TSIG signed / verified using
-			a offset from the current time.
-
- 673.	[func]		The server can now convert RFC1886-style recursive
-			lookup requests into RFC2874-style lookups, when
-			enabled using the new option "allow-v6-synthesis".
-
- 672.	[bug]		The wrong time was in the "time signed" field when
-			replying with BADTIME error.
-
- 671.	[bug]		The message code was failing to parse a message with
-			no question section and a TSIG record. [RT #628]
-
- 670.	[bug]		The lwres replacements for getaddrinfo and
-			getipnodebyname didn't properly check for the
-			existence of the sockaddr sa_len field.
-
- 669.	[bug]		dnssec-keygen now makes the public key file
-			non-world-readable for symmetric keys. [RT #403]
-
- 668.	[func]		named-checkzone now reports multiple errors in master
-			files.
-
- 667.	[bug]		On Linux, running named with the -u option and a
-			non-world-readable configuration file didn't work.
-			[RT #626]
-
- 666.	[bug]		If a request sent by dig is longer than 512 bytes,
-			use TCP.
-
- 665.	[bug]		Signed responses were not sent when the size of the
-			TSIG + question exceeded the maximum message size.
-			[RT #628]
-
- 664.	[bug]		The t_tasks and t_timers module tests are now skipped
-			when building without threads, since they require
-			threads.
-
- 663.	[func]		Accept a size_spec, not just an integer, in the
-			(unimplemented and ignored) max-ixfr-log-size option
-			for compatibility with recent versions of BIND 8.
-			[RT #613]
-
- 662.	[bug]		dns_rdata_fromtext() failed to log certain errors.
-
- 661.	[bug]		Certain UDP IXFR requests caused an assertion failure
-			(mpctx->allocated == 0). [RT #355, #394, #623]
-
- 660.	[port]		Detect multiple CPUs on HP-UX and IRIX.
-
- 659.	[performance]	Rewrite the name compression code to be much faster.
-
- 658.	[cleanup]	Remove all vestiges of 16 bit global compression.
-
- 657.	[bug]		When a listen-on statement in an lwres block does not
-			specify a port, use 921, not 53.  Also update the
-			listen-on documentation. [RT #616]
-
- 656.	[func]		Treat an unescaped newline in a quoted string as
-			an error.  This means that TXT records with missing
-			close quotes should have meaningful errors printed.
-
- 655.	[bug]		Improve error reporting on unexpected eof when loading
-			zones. [RT #611]
-
- 654.	[bug]		Origin was being forgotten in TCP retries in dig.
-			[RT #574]
-
- 653.	[bug]		+defname option in dig was reversed in sense.
-			[RT #549]
-
- 652.	[bug]		zone_saveunique() did not report the new name.
-
- 651.	[func]		The AD bit in responses now has the meaning
-			specified in <draft-ietf-dnsext-ad-is-secure>.
-
- 650.	[bug]		SIG(0) records were being generated and verified
-			incorrectly. [RT #606]
-
- 649.	[bug]		It was possible to join to an already running fctx
-			after it had "cloned" its events, but before it sent
-			them.  In this case, the event of the newly joined
-			fetch would not contain the answer, and would
-			trigger the INSIST() in fctx_sendevents().  In
-			BIND 9.0, this bug did not trigger an INSIST(), but
-			caused the fetch to fail with a SERVFAIL result.
-			[RT #588, #597, #605, #607]
-
- 648.	[port]		Add support for pre-RFC2133 IPv6 implementations.
-
- 647.	[bug]		Resolver queries sent after following multiple
-			referrals had excessively long retransmission
-			timeouts due to incorrectly counting the referrals
-			as "restarts".
-
- 646.	[bug]		The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
-			didn't _cleanly_ fix the problem it was trying to fix.
-
- 645.	[port]		BSD/OS 3.0 needs pthread_init(). [RT #603]
-
- 644.	[bug]		#622 needed more work. [RT #562]
-
- 643.	[bug]		xfrin error messages made more verbose, added class
-			of the zone. [RT# 599]
-
- 642.	[bug]		Break the exit_check() race in the zone module.
-			[RT #598]
-
-	--- 9.1.0b2 released ---
-
- 641.	[bug]		$GENERATE caused a uninitialized link to be used.
-			[RT #595]
-
- 640.	[bug]		Memory leak in error path could cause
-			"mpctx->allocated == 0" failure. [RT #584]
-
- 639.	[bug]		Reading entropy from the keyboard would sometimes fail.
-			[RT #591]
-
- 638.	[port]		lib/isc/random.c needed to explicitly include time.h
-			to get a prototype for time() when pthreads was not
-			being used. [RT #592]
-
- 637.	[port]		Use isc_u?int64_t instead of (unsigned) long long in
-			lib/isc/print.c.  Also allow lib/isc/print.c to
-			be compiled even if the platform does not need it.
-			[RT #592]
-
- 636.	[port]		Shut up MSVC++ about a possible loss of precision
-			in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
-
- 635.	[bug]		Reloading a server with a configured blackhole list
-			would cause an assertion. [RT #590]
-
- 634.	[bug]		A log file will completely stop being written when
-			it reaches the maximum size in all cases, not just
-			when versioning is also enabled. [RT #570]
-
- 633.	[port]		Cope with rlim_t missing on BSD/OS systems. [RT #575]
-
- 632.	[bug]		The index array of the journal file was
-			corrupted as it was written to disk.
-
- 631.	[port]		Build without thread support on systems without
-			pthreads.
-
- 630.	[bug]		Locking failure in zone code. [RT #582]
-
- 629.	[bug]		9.1.0b1 dereferenced a null pointer and crashed
-			when responding to a UDP IXFR request.
-
- 628.	[bug]		If the root hints contained only AAAA addresses,
-			named would be unable to perform resolution.
-
- 627.	[bug]		The EDNS0 blackhole detection code of change 324
-			waited for three retransmissions to each server,
-			which takes much too long when a domain has many
-			name servers and all of them drop EDNS0 queries.
-			Now we retry without EDNS0 after three consecutive
-			timeouts, even if they are all from different
-			servers. [RT #143]
-
- 626.	[bug]		The lightweight resolver daemon no longer crashes
-			when asked for a SIG rrset. [RT #558]
-
- 625.	[func]		Zones now inherit their class from the enclosing view.
-
- 624.	[bug]		The zone object could get timer events after it had
-			been destroyed, causing a server crash. [RT #571]
-
- 623.	[func]		Added "named-checkconf" and "named-checkzone" program
-			for syntax checking named.conf files and zone files,
-			respectively.
-
- 622.	[bug]		A canceled request could be destroyed before
-			dns_request_destroy() was called. [RT #562]
-
- 621.	[port]		Disable IPv6 at runtime if IPv6 sockets are unusable.
-			This mostly affects Red Hat Linux 7.0, which has
-			conflicts between libc and the kernel.
-
- 620.	[bug]		dns_master_load*inc() now require 'task' and 'load'
-			to be non-null.  Also 'done' will not be called if
-			dns_master_load*inc() fails immediately. [RT #565]
-
- 619.	[placeholder]
-
- 618.	[bug]		Queries to a signed zone could sometimes cause
-			an assertion failure.
-
- 617.	[bug]		When using dynamic update to add a new RR to an
-			existing RRset with a different TTL, the journal
-			entries generated from the update did not include
-			explicit deletions and re-additions of the existing
-			RRs to update their TTL to the new value.
-
- 616.	[func]		dnssec-signzone -t output now includes performance
-			statistics.
-
- 615.	[bug]		dnssec-signzone did not like child keysets signed
-			by multiple keys.
-
- 614.	[bug]		Checks for uninitialized link fields were prone
-			to false positives, causing assertion failures.
-			The checks are now disabled by default and may
-			be re-enabled by defining ISC_LIST_CHECKINIT.
-
- 613.	[bug]		"rndc reload zone" now reloads primary zones.
-			It previously only updated slave and stub zones,
-			if an SOA query indicated an out of date serial.
-
- 612.	[cleanup]	Shutup a ridiculously noisy HP-UX compiler that
-			complains relentlessly about how its treatment
-			of 'const' has changed as well as how casting
-			sometimes tightens alignment constraints.
-
- 611.	[func]		allow-notify can be used to permit processing of
-			notify messages from hosts other than a slave's
-			masters.
-
- 610.	[func]		rndc dumpdb is now supported.
-
- 609.	[bug]		getrrsetbyname() would crash lwresd if the server
-			found more SIGs than answers. [RT #554]
-
- 608.	[func]		dnssec-signzone now adds a comment to the zone
-			with the time the file was signed.
-
- 607.	[bug]		nsupdate would fail if it encountered a CNAME or
-			DNAME in a response to an SOA query. [RT #515]
-
- 606.	[bug]		Compiling with --disable-threads failed due
-			to isc_thread_self() being incorrectly defined
-			as an integer rather than a function.
-
- 605.	[func]		New function isc_lex_getlasttokentext().
-
- 604.	[bug]		The named.conf parser could print incorrect line
-			numbers when long comments were present.
-
- 603.	[bug]		Make dig handle multiple types or classes on the same
-			query more correctly.
-
- 602.	[func]		Cope automatically with UnixWare's broken
-			IN6_IS_ADDR_* macros. [RT #539]
-
- 601.	[func]		Return a non-zero exit code if an update fails
-			in nsupdate.
-
- 600.	[bug]		Reverse lookups sometimes failed in dig, etc...
-
- 599.	[func]		Added four new functions to the libisc log API to
-			support i18n messages.  isc_log_iwrite(),
-			isc_log_ivwrite(), isc_log_iwrite1() and
-			isc_log_ivwrite1() were added.
-
- 598.	[bug]		An update-policy statement would cause the server
-			to assert while loading. [RT #536]
-
- 597.	[func]		dnssec-signzone is now multi-threaded.
-
- 596.	[bug]		DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
-			not mutually exclusive.
-
- 595.	[port]		On Linux 2.2, socket() returns EINVAL when it
-			should return EAFNOSUPPORT.  Work around this.
-			[RT #531]
-
- 594.	[func]		sdb drivers are now assumed to not be thread-safe
-			unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
-
- 593.	[bug]		If a secure zone was missing all its NXTs and
-			a dynamic update was attempted, the server entered
-			an infinite loop.
-
- 592.	[bug]		The sig-validity-interval option now specifies a
-			number of days, not seconds.  This matches the
-			documentation. [RT #529]
-
-	--- 9.1.0b1 released ---
-
- 591.	[bug]		Work around non-reentrancy in openssl by disabling
-			pre-computation in keys.
-
- 590.	[doc]		There are now man pages for the lwres library in
-			doc/man/lwres.
-
- 589.	[bug]		The server could deadlock if a zone was updated
-			while being transferred out.
-
- 588.	[bug]		ctx->in_use was not being correctly initialized when
-			when pushing a file for $INCLUDE. [RT #523]
-
- 587.	[func]		A warning is now printed if the "allow-update"
-			option allows updates based on the source IP
-			address, to alert users to the fact that this
-			is insecure and becoming increasingly so as
-			servers capable of update forwarding are being
-			deployed.
-
- 586.	[bug]		multiple views with the same name were fatal. [RT #516]
-
- 585.	[func]		dns_db_addrdataset() and and dns_rdataslab_merge()
-			now support 'exact' additions in a similar manner to
-			dns_db_subtractrdataset() and dns_rdataslab_subtract().
-
- 584.	[func]		You can now say 'notify explicit'; to suppress
-			notification of the servers listed in NS records
-			and notify only those servers listed in the
-			'also-notify' option.
-
- 583.	[func]		"rndc querylog" will now toggle logging of
-			queries, like "ndc querylog" in BIND 8.
-
- 582.	[bug]		dns_zone_idetach() failed to lock the zone.
-			[RT #199, #463]
-
- 581.	[bug]		log severity was not being correctly processed.
-			[RT #485]
-
- 580.	[func]		Ignore trailing garbage on incoming DNS packets,
-			for interoperability with broken server
-			implementations. [RT #491]
-
- 579.	[bug]		nsupdate did not take a filename to read update from.
-			[RT #492]
-
- 578.	[func]		New config option "notify-source", to specify the
-			source address for notify messages.
-
- 577.	[func]		Log illegal RDATA combinations. e.g. multiple
-			singleton types, cname and other data.
-
- 576.	[doc]		isc_log_create() description did not match reality.
-
- 575.	[bug]		isc_log_create() was not setting internal state
-			correctly to reflect the default channels created.
-
- 574.	[bug]		TSIG signed queries sent by the resolver would fail to
-			have their responses validated and would leak memory.
-
- 573.	[bug]		The journal files of IXFRed slave zones were
-			inadvertently discarded on server reload, causing
-			"journal out of sync with zone" errors on subsequent
-			reloads. [RT #482]
-
- 572.	[bug]		Quoted strings were not accepted as key names in
-			address match lists.
-
- 571.	[bug]		It was possible to create an rdataset of singleton
-			type which had more than one rdata. [RT #154]
-			[RT #279]
-
- 570.	[bug]		rbtdb.c allowed zones containing nodes which had
-			both a CNAME and "other data". [RT #154]
-
- 569.	[func]		The DNSSEC AD bit will not be set on queries which
-			have not requested a DNSSEC response.
-
- 568.	[func]		Add sample simple database drivers in contrib/sdb.
-
- 567.	[bug]		Setting the zone transfer timeout to zero caused an
-			assertion failure. [RT #302]
-
- 566.	[func]		New public function dns_timer_setidle().
-
- 565.	[func]		Log queries more like BIND 8: query logging is now
-			done to category "queries", level "info". [RT #169]
-
- 564.	[func]		Add sortlist support to lwresd.
-
- 563.	[func]		New public functions dns_rdatatype_format() and
-			dns_rdataclass_format(), for convenient formatting
-			of rdata type/class mnemonics in log messages.
-
- 562.	[cleanup]	Moved lib/dns/*conf.c to bin/named where they belong.
-
- 561.	[func]		The 'datasize', 'stacksize', 'coresize' and 'files'
-			clauses of the options{} statement are now implemented.
-
- 560.	[bug]		dns_name_split did not properly the resulting prefix
-			when a maximal length bitstring label was split which
-			was preceded by another bitstring label. [RT #429]
-
- 559.	[bug]		dns_name_split did not properly create the suffix
-			when splitting within a maximal length bitstring label.
-
- 558.	[func]		New functions, isc_resource_getlimit and
-			isc_resource_setlimit.
-
- 557.	[func]		Symbolic constants for libisc integral types.
-
- 556.	[func]		The DNSSEC OK bit in the EDNS extended flags
-			is now implemented.  Responses to queries without
-			this bit set will not contain any DNSSEC records.
-
- 555.	[bug]		A slave server attempting a zone transfer could
-			crash with an assertion failure on certain
-			malformed responses from the master. [RT #457]
-
- 554.	[bug]		In some cases, not all of the dnssec tools were
-			properly installed.
-
- 553.	[bug]		Incoming zone transfers deferred due to quota
-			were not started when quota was increased but
-			only when a transfer in progress finished. [RT #456]
-
- 552.	[bug]		We were not correctly detecting the end of all c-style
-			comments. [RT #455]
-
- 551.	[func]		Implemented the 'sortlist' option.
-
- 550.	[func]		Support unknown rdata types and classes.
-
- 549.	[bug]		"make" did not immediately abort the build when a
-			subdirectory make failed [RT #450].
-
- 548.	[func]		The lexer now ungets tokens more correctly.
-
- 547.	[placeholder]
-
- 546.	[func]		Option 'lame-ttl' is now implemented.
-
- 545.	[func]		Name limit and counting options removed from dig;
-			they didn't work properly, and cannot be correctly
-			implemented without significant changes.
-
- 544.	[func]		Add statistics option, enable statistics-file option,
-			add RNDC option "dump-statistics" to write out a
-			query statistics file.
-
- 543.	[doc]		The 'port' option is now documented.
-
- 542.	[func]		Add support for update forwarding as required for
-			full compliance with RFC2136.  It is turned off
-			by default and can be enabled using the
-			'allow-update-forwarding' option.
-
- 541.	[func]		Add bogus server support.
-
- 540.	[func]		Add dialup support.
-
- 539.	[func]		Support the blackhole option.
-
- 538.	[bug]		fix buffer overruns by 1 in lwres_getnameinfo().
-
- 537.	[placeholder]
-
- 536.	[func]		Use transfer-source{-v6} when sending refresh queries.
-			Transfer-source{-v6} now take a optional port
-			parameter for setting the UDP source port.  The port
-			parameter is ignored for TCP.
-
- 535.	[func]		Use transfer-source{-v6} when forwarding update
-			requests.
-
- 534.	[func]		Ancestors have been removed from RBT chains.  Ancestor
-			information can be discerned via node parent pointers.
-
- 533.	[func]		Incorporated name hashing into the RBT database to
-			improve search speed.
-
- 532.	[func]		Implement DNS UPDATE pseudo records using
-			DNS_RDATA_UPDATE flag.
-
- 531.	[func]		Rdata really should be initialized before being assigned
-			to (dns_rdata_fromwire(), dns_rdata_fromtext(),
-			dns_rdata_clone(), dns_rdata_fromregion()),
-			check that it is.
-
- 530.	[func]		New function dns_rdata_invalidate().
-
- 529.	[bug]		521 contained a bug which caused zones to always
-			reload.  [RT #410]
-
- 528.	[func]		The ISC_LIST_XXXX macros now perform sanity checks
-			on their arguments.  ISC_LIST_XXXXUNSAFE can be use
-			to skip the checks however use with caution.
-
- 527.	[func]		New function dns_rdata_clone().
-
- 526.	[bug]		nsupdate incorrectly refused to add RRs with a TTL
-			of 0.
-
- 525.	[func]		New arguments 'options' for dns_db_subtractrdataset(),
-			and 'flags' for dns_rdataslab_subtract() allowing you
-			to request that the RR's must exist prior to deletion.
-			DNS_R_NOTEXACT is returned if the condition is not met.
-
- 524.	[func]		The 'forward' and 'forwarders' statement in
-			non-forward zones should work now.
-
- 523.	[doc]		The source to the Administrator Reference Manual is
-			now an XML file using the DocBook DTD, and is included
-			in the distribution.  The plain text version of the
-			ARM is temporarily unavailable while we figure out
-			how to generate readable plain text from the XML.
-
- 522.	[func]		The lightweight resolver daemon can now use
-			a real configuration file, and its functionality
-			can be provided by a name server.  Also, the -p and -P
-			options to lwresd have been reversed.
-
- 521.	[bug]		Detect master files which contain $INCLUDE and always
-			reload. [RT #196]
-
- 520.	[bug]		Upgraded libtool to 1.3.5, which makes shared
-			library builds almost work on AIX (and possibly
-			others).
-
- 519.	[bug]		dns_name_split() would improperly split some bitstring
-			labels, zeroing a few of the least significant bits in
-			the prefix part.  When such an improperly created
-			prefix was returned to the RBT database, the bogus
-			label was dutifully stored, corrupting the tree.
-			[RT #369]
-
- 518.	[bug]		The resolver did not realize that a DNAME which was
-			"the answer" to the client's query was "the answer",
-			and such queries would fail. [RT #399]
-
- 517.	[bug]		The resolver's DNAME code would trigger an assertion
-			if there was more than one DNAME in the chain.
-			[RT #399]
-
- 516.	[bug]		Cache lookups which had a NULL node pointer, e.g.
-			those by dns_view_find(), and which would match a
-			DNAME, would trigger an INSIST(!search.need_cleanup)
-			assertion. [RT #399]
-
- 515.	[bug]		The ssu table was not being attached / detached
-			by dns_zone_[sg]etssutable. [RT#397]
-
- 514.	[func]		Retry refresh and notify queries if they timeout.
-			[RT #388]
-
- 513.	[func]		New functionality added to rdnc and server to allow
-			individual zones to be refreshed or reloaded.
-
- 512.	[bug]		The zone transfer code could throw an exception with
-			an invalid IXFR stream.
-
- 511.	[bug]		The message code could throw an assertion on an
-			out of memory failure. [RT #392]
-
- 510.	[bug]		Remove spurious view notify warning. [RT #376]
-
- 509.	[func]		Add support for write of zone files on shutdown.
-
- 508.	[func]		dns_message_parse() can now do a best-effort
-			attempt, which should allow dig to print more invalid
-			messages.
-
- 507.	[func]		New functions dns_zone_flush(), dns_zt_flushanddetach()
-			and dns_view_flushanddetach().
-
- 506.	[func]		Do not fail to start on errors in zone files.
-
- 505.	[bug]		nsupdate was printing "unknown result code". [RT #373]
-
- 504.	[bug]		The zone was not being marked as dirty when updated via
-			IXFR.
-
- 503.	[bug]		dumptime was not being set along with
-			DNS_ZONEFLG_NEEDDUMP.
-
- 502.	[func]		On a SERVFAIL reply, DiG will now try the next server
-			in the list, unless the +fail option is specified.
-
- 501.	[bug]		Incorrect port numbers were being displayed by
-			nslookup. [RT #352]
-
- 500.	[func]		Nearly useless +details option removed from DiG.
-
- 499.	[func]		In DiG, specifying a class with -c or type with -t
-			changes command-line parsing so that classes and
-			types are only recognized if following -c or -t.
-			This allows hosts with the same name as a class or
-			type to be looked up.
-
- 498.	[doc]		There is now a man page for "dig"
-			in doc/man/bin/dig.1.
-
- 497.	[bug]		The error messages printed when an IP match list
-			contained a network address with a nonzero host
-			part where not sufficiently detailed. [RT #365]
-
- 496.	[bug]		named didn't sanity check numeric parameters. [RT #361]
-
- 495.	[bug]		nsupdate was unable to handle large records. [RT #368]
-
- 494.	[func]		Do not cache NXDOMAIN responses for SOA queries.
-
- 493.	[func]		Return non-cachable (ttl = 0) NXDOMAIN responses
-			for SOA queries.  This makes it easier to locate
-			the containing zone without polluting intermediate
-			caches.
-
- 492.	[bug]		attempting to reload a zone caused the server fail
-			to shutdown cleanly. [RT #360]
-
- 491.	[bug]		nsupdate would segfault when sending certain
-			prerequisites with empty RDATA. [RT #356]
-
- 490.	[func]		When a slave/stub zone has not yet successfully
-			obtained an SOA containing the zone's configured
-			retry time, perform the SOA query retries using
-			exponential backoff. [RT #337]
-
- 489.	[func]		The zone manager now has a "i/o" queue.
-
- 488.	[bug]		Locks weren't properly destroyed in some cases.
-
- 487.	[port]		flockfile() is not defined on all systems.
-
- 486.	[bug]		nslookup: "set all" and "server" commands showed
-			the incorrect port number if a port other than 53
-			was specified. [RT #352]
-
- 485.	[func]		When dig had more than one server to query, it would
-			send all of the messages at the same time.  Add
-			rate limiting of the transmitted messages.
-
- 484.	[bug]		When the server was reloaded after removing addresses
-			from the named.conf "listen-on" statement, sockets
-			were still listening on the removed addresses due
-			to reference count loops. [RT #325]
-
- 483.	[bug]		nslookup: "set all" showed a "search" option but it
-			was not settable.
-
- 482.	[bug]		nslookup: a plain "server" or "lserver" should be
-			treated as a lookup.
-
- 481.	[bug]		nslookup:get_next_command() stack size could exceed
-			per thread limit.
-
- 480.	[bug]		strtok() is not thread safe. [RT #349]
-
- 479.	[func]		The test suite can now be run by typing "make check"
-			or "make test" at the top level.
-
- 478.	[bug]		"make install" failed if the directory specified with
-			--prefix did not already exist.
-
- 477.	[bug]		The the isc-config.sh script could be installed before
-			its directory was created. [RT #324]
-
- 476.	[bug]		A zone could expire while a zone transfer was in
-			progress triggering a INSIST failure. [RT #329]
-
- 475.	[bug]		query_getzonedb() sometimes returned a non-null version
-			on failure.  This caused assertion failures when
-			generating query responses where names subject to
-			additional section processing pointed to a zone
-			to which access had been denied by means of the
-			allow-query option. [RT #336]
-
- 474.	[bug]		The mnemonic of the CHAOS class is CH according to
-			RFC1035, but it was printed and read only as CHAOS.
-			We now accept both forms as input, and print it
-			as CH. [RT #305]
-
- 473.	[bug]		nsupdate overran the end of the list of name servers
-			when no servers could be reached, typically causing
-			it to print the error message "dns_request_create:
-			not implemented".
-
- 472.	[bug]		Off-by-one error caused isc_time_add() to sometimes
-			produce invalid time values.
-
- 471.	[bug]		nsupdate didn't compile on HP/UX 10.20
-
- 470.	[func]		$GENERATE is now supported.  See also
-			doc/misc/migration.
-
- 469.	[bug]		"query-source address * port 53;" now works.
-
- 468.	[bug]		dns_master_load*() failed to report file and line
-			number in certain error conditions.
-
- 467.	[bug]		dns_master_load*() failed to log an error if
-			pushfile() failed.
-
- 466.	[bug]		dns_master_load*() could return success when it failed.
-
- 465.	[cleanup]	Allow 0 to be set as an omapi_value_t value by
-			omapi_value_storeint().
-
- 464.	[cleanup]	Build with openssl's RSA code instead of dnssafe.
-
- 463.	[bug]		nsupdate sent malformed SOA queries to the second
-			and subsequent name servers in resolv.conf if the
-			query sent to the first one failed.
-
- 462.	[bug]		--disable-ipv6 should work now.
-
- 461.	[bug]		Specifying an unknown key in the "keys" clause of the
-			"controls" statement caused a NULL pointer dereference.
-			[RT #316]
-
- 460.	[bug]		Much of the DNSSEC code only worked with class IN.
-
- 459.	[bug]		Nslookup processed the "set" command incorrectly.
-
- 458.	[bug]		Nslookup didn't properly check class and type values.
-			[RT #305]
-
- 457.	[bug]		Dig/host/hslookup didn't properly handle connect
-			timeouts in certain situations, causing an
-			unnecessary warning message to be printed.
-
- 456.	[bug]		Stub zones were not resetting the refresh and expire
-			counters, loadtime or clearing the DNS_ZONE_REFRESH
-			(refresh in progress) flag upon successful update.
-			This disabled further refreshing of the stub zone,
-			causing it to eventually expire. [RT #300]
-
- 455.	[doc]		Document IPv4 prefix notation does not require a
-			dotted decimal quad but may be just dotted decimal.
-
- 454.	[bug]		Enforce dotted decimal and dotted decimal quad where
-			documented as such in named.conf. [RT #304, RT #311]
-
- 453.	[bug]		Warn if the obsolete option "maintain-ixfr-base"
-			is specified in named.conf. [RT #306]
-
- 452.	[bug]		Warn if the unimplemented option "statistics-file"
-			is specified in named.conf. [RT #301]
-
- 451.	[func]		Update forwarding implemented.
-
- 450.	[func]		New function ns_client_sendraw().
-
- 449.	[bug]		isc_bitstring_copy() only works correctly if the
-			two bitstrings have the same lsb0 value, but this
-			requirement was not documented, nor was there a
-			REQUIRE for it.
-
- 448.	[bug]		Host output formatting change, to match v8. [RT #255]
-
- 447.	[bug]		Dig didn't properly retry in TCP mode after
-			a truncated reply. [RT #277]
-
- 446.	[bug]		Confusing notify log message. [RT #298]
-
- 445.	[bug]		Doing a 0 bit isc_bitstring_copy() of an lsb0
-			bitstring triggered a REQUIRE statement.  The REQUIRE
-			statement was incorrect. [RT #297]
-
- 444.	[func]		"recursion denied" messages are always logged at
-			debug level 1, now, rather than sometimes at ERROR.
-			This silences these warnings in the usual case, where
-			some clients set the RD bit in all queries.
-
- 443.	[bug]		When loading a master file failed because of an
-			unrecognized RR type name, the error message
-			did not include the file name and line number.
-			[RT #285]
-
- 442.	[bug]		TSIG signed messages that did not match any view
-			crashed the server. [RT #290]
-
- 441.	[bug]		Nodes obscured by a DNAME were inaccessible even
-			when DNS_DBFIND_GLUEOK was set.
-
- 440.	[func]		New function dns_zone_forwardupdate().
-
- 439.	[func]		New function dns_request_createraw().
-
- 438.	[func]		New function dns_message_getrawmessage().
-
- 437.	[func]		Log NOTIFY activity to the notify channel.
-
- 436.	[bug]		If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
-			which sometimes happens on Linux, named would enter
-			a busy loop.  Also, unexpected socket errors were
-			not logged at a high enough logging level to be
-			useful in diagnosing this situation. [RT #275]
-
- 435.	[bug]		dns_zone_dump() overwrote existing zone files
-			rather than writing to a temporary file and
-			renaming.  This could lead to empty or partial
-			zone files being left around in certain error
-			conditions involving the initial transfer of a
-			slave zone, interfering with subsequent server
-			startup. [RT #282]
-
- 434.	[func]		New function isc_file_isabsolute().
-
- 433.	[func]		isc_base64_decodestring() now accepts newlines
-			within the base64 data.  This makes it possible
-			to break up the key data in a "trusted-keys"
-			statement into multiple lines. [RT #284]
-
- 432.	[func]		Added refresh/retry jitter.  The actual refresh/
-			retry time is now a random value between 75% and
-			100% of the configured value.
-
- 431.	[func]		Log at ISC_LOG_INFO when a zone is successfully
-			loaded.
-
- 430.	[bug]		Rewrote the lightweight resolver client management
-			code to handle shutdown correctly and general
-			cleanup.
-
- 429.	[bug]		The space reserved for a TSIG record in a response
-			was 2 bytes too short, leading to message
-			generation failures.
-
- 428.	[bug]		rbtdb.c:find_closest_nxt() erroneously returned
-			DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
-			(e.g. glue).  This could cause SERVFAILs when
-			generating negative responses in a secure zone.
-
- 427.	[bug]		Avoid going into an infinite loop when the validator
-			gets a negative response to a key query where the
-			records are signed by the missing key.
-
- 426.	[bug]		Attempting to generate an oversized RSA key could
-			cause dnssec-keygen to dump core.
-
- 425.	[bug]		Warn about the auth-nxdomain default value change
-			if there is no auth-nxdomain statement in the
-			config file. [RT #287]
-
- 424.	[bug]		notify_createmessage() could trigger an assertion
-			failure when creating the notify message failed,
-			e.g. due to corrupt zones with multiple SOA records.
-			[RT #279]
-
- 423.	[bug]		When responding to a recursive query, errors that occur
-			after following a CNAME should cause the query to fail.
-			[RT #274]
-
- 422.	[func]		get rid of isc_random_t, and make isc_random_get()
-			and isc_random_jitter() use rand() internally
-			instead of local state.  Note that isc_random_*()
-			functions are only for weak, non-critical "randomness"
-			such as timing jitter and such.
-
- 421.	[bug]		nslookup would exit when given a blank line as input.
-
- 420.	[bug]		nslookup failed to implement the "exit" command.
-
- 419.	[bug]		The certificate type PKIX was misspelled as SKIX.
-
- 418.	[bug]		At debug levels >= 10, getting an unexpected
-			socket receive error would crash the server
-			while trying to log the error message.
-
- 417.	[func]		Add isc_app_block() and isc_app_unblock(), which
-			allow an application to handle signals while
-			blocking.
-
- 416.	[bug]		Slave zones with no master file tried to use a
-			NULL pointer for a journal file name when they
-			received an IXFR. [RT #273]
-
- 415.	[bug]		The logging code leaked file descriptors.
-
- 414.	[bug]		Server did not shut down until all incoming zone
-			transfers were finished.
-
- 413.	[bug]		Notify could attempt to use the zone database after
-			it had been unloaded. [RT#267]
-
- 412.	[bug]		named -v didn't print the version.
-
- 411.	[bug]		A typo in the HS A code caused an assertion failure.
-
- 410.	[bug]		lwres_gethostbyname() and company set lwres_h_errno
-			to a random value on success.
-
- 409.	[bug]		If named was shut down early in the startup
-			process, ns_omapi_shutdown() would attempt to lock
-			an uninitialized mutex. [RT #262]
-
- 408.	[bug]		stub zones could leak memory and reference counts if
-			all the masters were unreachable.
-
- 407.	[bug]		isc_rwlock_lock() would needlessly block
-			readers when it reached the read quota even
-			if no writers were waiting.
-
- 406.	[bug]		Log messages were occasionally lost or corrupted
-			due to a race condition in isc_log_doit().
-
- 405.	[func]		Add support for selective forwarding (forward zones)
-
- 404.	[bug]		The request library didn't completely work with IPv6.
-
- 403.	[bug]		"host" did not use the search list.
-
- 402.	[bug]		Treat undefined acls as errors, rather than
-			warning and then later throwing an assertion.
-			[RT #252]
-
- 401.	[func]		Added simple database API.
-
- 400.	[bug]		SIG(0) signing and verifying was done incorrectly.
-			[RT #249]
-
- 399.	[bug]		When reloading the server with a config file
-			containing a syntax error, it could catch an
-			assertion failure trying to perform zone
-			maintenance on, or sending notifies from,
-			tentatively created zones whose views were
-			never fully configured and lacked an address
-			database and request manager.
-
- 398.	[bug]		"dig" sometimes caught an assertion failure when
-			using TSIG, depending on the key length.
-
- 397.	[func]		Added utility functions dns_view_gettsig() and
-			dns_view_getpeertsig().
-
- 396.	[doc]		There is now a man page for "nsupdate"
-			in doc/man/bin/nsupdate.8.
-
- 395.	[bug]		nslookup printed incorrect RR type mnemonics
-			for RRs of type >= 21 [RT #237].
-
- 394.	[bug]		Current name was not propagated via $INCLUDE.
-
- 393.	[func]		Initial answer while loading (awl) support.
-			Entry points: dns_master_loadfileinc(),
-			dns_master_loadstreaminc(), dns_master_loadbufferinc().
-			Note: calls to dns_master_load*inc() should be rate
-			be rate limited so as to not use up all file
-			descriptors.
-
- 392.	[func]		Add ISC_R_FAMILYNOSUPPORT.  Returned when OS does
-			not support the given address family requested.
-
- 391.	[clarity]	ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
-
- 390.	[func]		The function dns_zone_setdbtype() now takes
-			an argc/argv style vector of words and sets
-			both the zone database type and its arguments,
-			making the functions dns_zone_adddbarg()
-			and dns_zone_cleardbargs() unnecessary.
-
- 389.	[bug]		Attempting to send a request over IPv6 using
-			dns_request_create() on a system without IPv6
-			support caused an assertion failure [RT #235].
-
- 388.	[func]		dig and host can now do reverse ipv6 lookups.
-
- 387.	[func]		Add dns_byaddr_createptrname(), which converts
-			an address into the name used by a PTR query.
-
- 386.	[bug]		Missing strdup() of ACL name caused random
-			ACL matching failures [RT #228].
-
- 385.	[cleanup]	Removed functions dns_zone_equal(), dns_zone_print(),
-			and dns_zt_print().
-
- 384.	[bug]		nsupdate was incorrectly limiting TTLs to 65535 instead
-			of 2147483647.
-
- 383.	[func]		When writing a master file, print the SOA and NS
-			records (and their SIGs) before other records.
-
- 382.	[bug]		named -u failed on many Linux systems where the
-			libc provided kernel headers do not match
-			the current kernel.
-
- 381.	[bug]		Check for IPV6_RECVPKTINFO and use it instead of
-			IPV6_PKTINFO if found. [RT #229]
-
- 380.	[bug]		nsupdate didn't work with IPv6.
-
- 379.	[func]		New library function isc_sockaddr_anyofpf().
-
- 378.	[func]		named and lwresd will log the command line arguments
-			they were started with in the "starting ..." message.
-
- 377.	[bug]		When additional data lookups were refused due to
-			"allow-query", the databases were still being
-			attached causing reference leaks.
-
- 376.	[bug]		The server should always use good entropy when
-			performing cryptographic functions needing entropy.
-
- 375.	[bug]		Per-zone "allow-query" did not properly override the
-			view/global one for CNAME targets and additional
-			data [RT #220].
-
- 374.	[bug]		SOA in authoritative negative responses had wrong TTL.
-
- 373.	[func]		nslookup is now installed by "make install".
-
- 372.	[bug]		Deal with Microsoft DNS servers appending two bytes of
-			garbage to zone transfer requests.
-
- 371.	[bug]		At high debug levels, doing an outgoing zone transfer
-			of a very large RRset could cause an assertion failure
-			during logging.
-
- 370.	[bug]		The error messages for roll-forward failures were
-			overly terse.
-
- 369.	[func]		Support new named.conf options, view and zone
-			statements:
-
-				max-retry-time, min-retry-time,
-				max-refresh-time, min-refresh-time.
-
- 368.	[func]		Restructure the internal ".bind" view so that more
-			zones can be added to it.
-
- 367.	[bug]		Allow proper selection of server on nslookup command
-			line.
-
- 366.	[func]		Allow use of '-' batch file in dig for stdin.
-
- 365.	[bug]		nsupdate -k leaked memory.
-
- 364.	[func]		Added additional-from-{cache,auth}
-
- 363.	[placeholder]
-
- 362.	[bug]		rndc no longer aborts if the configuration file is
-			missing an options statement. [RT #209]
-
- 361.	[func]		When the RBT find or chain functions set the name and
-			origin for a node that stores the root label
-			the name is now set to an empty name, instead of ".",
-			to simplify later use of the name and origin by
-			dns_name_concatenate(), dns_name_totext() or
-			dns_name_format().
-
- 360.	[func]		dns_name_totext() and dns_name_format() now allow
-			an empty name to be passed, which is formatted as "@".
-
- 359.	[bug]		dnssec-signzone occasionally signed glue records.
-
- 358.	[cleanup]	Rename the intermediate files used by the dnssec
-			programs.
-
- 357.	[bug]		The zone file parser crashed if the argument
-			to $INCLUDE was a quoted string.
-
- 356.	[cleanup]	isc_task_send no longer requires event->sender to
-			be non-null.
-
- 355.	[func]		Added isc_dir_createunique(), similar to mkdtemp().
-
- 354.	[doc]		Man pages for the dnssec tools are now included in
-			the distribution, in doc/man/dnssec.
-
- 353.	[bug]		double increment in lwres/gethost.c:copytobuf().
-			[RT# 187]
-
- 352.	[bug]		Race condition in dns_client_t startup could cause
-			an assertion failure.
-
- 351.	[bug]		Constructing a response with rcode SERVFAIL to a TSIG
-			signed query could crash the server.
-
- 350.	[bug]		Also-notify lists specified in the global options
-			block were not correctly reference counted, causing
-			a memory leak.
-
- 349.	[bug]		Processing a query with the CD bit set now works
-			as expected.
-
- 348.	[func]		New boolean named.conf options 'additional-from-auth'
-			and 'additional-from-cache' now supported in view and
-			global options statement.
-
- 347.	[bug]		Don't crash if an argument is left off options in dig.
-
- 346.	[placeholder]
-
- 345.	[bug]		Large-scale changes/cleanups to dig:
-			* Significantly improve structure handling
-			* Don't pre-load entire batch files
-			* Add name/rr counting/limiting
-			* Fix SIGINT handling
-			* Shorten timeouts to match v8's behavior
-
- 344.	[bug]		When shutting down, lwresd sometimes tried
-			to shut down its client tasks twice,
-			triggering an assertion.
-
- 343.	[bug]		Although zone maintenance SOA queries and
-			notify requests were signed with TSIG keys
-			when configured for the server in case,
-			the TSIG was not verified on the response.
-
- 342.	[bug]		The wrong name was being passed to
-			dns_name_dup() when generating a TSIG
-			key using TKEY.
-
- 341.	[func]		Support 'key' clause in named.conf zone masters
-			statement to allow authentication via TSIG keys:
-
-				masters {
-					10.0.0.1 port 5353 key "foo";
-					10.0.0.2 ;
-				};
-
- 340.	[bug]		The top-level COPYRIGHT file was missing from
-			the distribution.
-
- 339.	[bug]		DNSSEC validation of the response to an ANY
-			query at a name with a CNAME RR in a secure
-			zone triggered an assertion failure.
-
- 338.	[bug]		lwresd logged to syslog as named, not lwresd.
-
- 337.	[bug]		"dig" did not recognize "nsap-ptr" as an RR type
-			on the command line.
-
- 336.	[bug]		"dig -f" used 64 k of memory for each line in
-			the file.  It now uses much less, though still
-			proportionally to the file size.
-
- 335.	[bug]		named would occasionally attempt recursion when
-			it was disallowed or undesired.
-
- 334.	[func]		Added hmac-md5 to libisc.
-
- 333.	[bug]		The resolver incorrectly accepted referrals to
-			domains that were not parents of the query name,
-			causing assertion failures.
-
- 332.	[func]		New function dns_name_reset().
-
- 331.	[bug]		Only log "recursion denied" if RD is set. [RT #178]
-
- 330.	[bug]		Many debugging messages were partially formatted
-			even when debugging was turned off, causing a
-			significant decrease in query performance.
-
- 329.	[func]		omapi_auth_register() now takes a size_t argument for
-			the length of a key's secret data.  Previously
-			OMAPI only stored secrets up to the first NUL byte.
-
- 328.	[func]		Added isc_base64_decodestring().
-
- 327.	[bug]		rndc.conf parser wasn't correctly recognizing an IP
-			address where a host specification was required.
-
- 326.	[func]		'keys' in an 'inet' control statement is now
-			required and must have at least one item in it.
-			A "not supported" warning is now issued if a 'unix'
-			control channel is defined.
-
- 325.	[bug]		isc_lex_gettoken was processing octal strings when
-			ISC_LEXOPT_CNUMBER was not set.
-
- 324.	[func]		In the resolver, turn EDNS0 off if there is no
-			response after a number of retransmissions.
-			This is to allow queries some chance of succeeding
-			even if all the authoritative servers of a zone
-			silently discard EDNS0 requests instead of
-			sending an error response like they ought to.
-
- 323.	[bug]		dns_rbt_findname() did not ignore empty rbt nodes.
-			Because of this, servers authoritative for a parent
-			and grandchild zone but not authoritative for the
-			intervening child zone did not correctly issue
-			referrals to the servers of the child zone.
-
- 322.	[bug]		Queries for KEY RRs are now sent to the parent
-			server before the authoritative one, making
-			DNSSEC insecurity proofs work in many cases
-			where they previously didn't.
-
- 321.	[bug]		When synthesizing a CNAME RR for a DNAME
-			response, query_addcname() failed to initialize
-			the type and class of the CNAME dns_rdata_t,
-			causing random failures.
-
- 320.	[func]		Multiple rndc changes: parses an rndc.conf file,
-			uses authentication to talk to named, command
-			line syntax changed.  This will all be described
-			in the ARM.
-
- 319.	[func]		The named.conf "controls" statement is now used
-			to configure the OMAPI command channel.
-
- 318.	[func]		dns_c_ndcctx_destroy() could never return anything
-			except ISC_R_SUCCESS; made it have void return instead.
-
- 317.	[func]		Use callbacks from libomapi to determine if a
-			new connection is valid, and if a key requested
-			to be used with that connection is valid.
-
- 316.	[bug]		Generate a warning if we detect an unexpected <eof>
-			but treat as <eol><eof>.
-
- 315.	[bug]		Handle non-empty blanks lines. [RT #163]
-
- 314.	[func]		The named.conf controls statement can now have
-			more than one key specified for the inet clause.
-
- 313.	[bug]		When parsing resolv.conf, don't terminate on an
-			error.  Instead, parse as much as possible, but
-			still return an error if one was found.
-
- 312.	[bug]		Increase the number of allowed elements in the
-			resolv.conf search path from 6 to 8.  If there
-			are more than this, ignore the remainder rather
-			than returning a failure in lwres_conf_parse.
-
- 311.	[bug]		lwres_conf_parse failed when the first line of
-			resolv.conf was empty or a comment.
-
- 310.	[func]		Changes to named.conf "controls" statement (inet
-			subtype only)
-
-			  - support "keys" clause
-
-				controls {
-				   inet * port 1024
-					allow { any; } keys { "foo"; }
-				}
-
-			  - allow "port xxx" to be left out of statement,
-			    in which case it defaults to omapi's default port
-			    of 953.
-
- 309.	[bug]		When sending a referral, the server did not look
-			for name server addresses as glue in the zone
-			holding the NS RRset in the case where this zone
-			was not the same as the one where it looked for
-			name server addresses as authoritative data.
-
- 308.	[bug]		Treat a SOA record not at top of zone as an error
-			when loading a zone. [RT #154]
-
- 307.	[bug]		When canceling a query, the resolver didn't check for
-			isc_socket_sendto() calls that did not yet have their
-			completion events posted, so it could (rarely) end up
-			destroying the query context and then want to use
-			it again when the send event posted, triggering an
-			assertion as it tried to cancel an already-canceled
-			query.  [RT #77]
-
- 306.	[bug]		Reading HMAC-MD5 private key files didn't work.
-
- 305.	[bug]		When reloading the server with a config file
-			containing a syntax error, it could catch an
-			assertion failure trying to perform zone
-			maintenance on tentatively created zones whose
-			views were never fully configured and lacked
-			an address database.
-
- 304.	[bug]		If more than LWRES_CONFMAXNAMESERVERS servers
-			are listed in resolv.conf, silently ignore them
-			instead of returning failure.
-
- 303.	[bug]		Add additional sanity checks to differentiate a AXFR
-			response vs a IXFR response. [RT #157]
-
- 302.	[bug]		In dig, host, and nslookup, MXNAME should be large
-			enough to hold any legal domain name in presentation
-			format + terminating NULL.
-
- 301.	[bug]		Uninitialized pointer in host:printmessage(). [RT #159]
-
- 300.	[bug]		Using both <isc/net.h> and <lwres/net.h> didn't work
-			on platforms lacking IPv6 because each included their
-			own ipv6 header file for the missing definitions.  Now
-			each library's ipv6.h defines the wrapper symbol of
-			the other (ISC_IPV6_H and LWRES_IPV6_H).
-
- 299.	[cleanup]	Get the user and group information before changing the
-			root directory, so the administrator does not need to
-			keep a copy of the user and group databases in the
-			chroot'ed environment.  Suggested by Hakan Olsson.
-
- 298.	[bug]		A mutex deadlock occurred during shutdown of the
-			interface manager under certain conditions.
-			Digital Unix systems were the most affected.
-
- 297.	[bug]		Specifying a key name that wasn't fully qualified
-			in certain parts of the config file could cause
-			an assertion failure.
-
- 296.	[bug]		"make install" from a separate build directory
-			failed unless configure had been run in the source
-			directory, too.
-
- 295.	[bug]		When invoked with type==CNAME and a message
-			not constructed by dns_message_parse(),
-			dns_message_findname() failed to find anything
-			due to checking for attribute bits that are set
-			only in dns_message_parse().  This caused an
-			infinite loop when constructing the response to
-			an ANY query at a CNAME in a secure zone.
-
- 294.	[bug]		If we run out of space in while processing glue
-			when reading a master file and commit "current name"
-			reverts to "name_current" instead of staying as
-			"name_glue".
-
- 293.	[port]		Add support for FreeBSD 4.0 system tests.
-
- 292.	[bug]		Due to problems with the way some operating systems
-			handle simultaneous listening on IPv4 and IPv6
-			addresses, the server no longer listens on IPv6
-			addresses by default.  To revert to the previous
-			behavior, specify "listen-on-v6 { any; };" in
-			the config file.
-
- 291.	[func]		Caching servers no longer send outgoing queries
-			over TCP just because the incoming recursive query
-			was a TCP one.
-
- 290.	[cleanup]	+twiddle option to dig (for testing only) removed.
-
- 289.	[cleanup]	dig is now installed in $bindir instead of $sbindir.
-			host is now installed in $bindir.  (Be sure to remove
-			any $sbindir/dig from a previous release.)
-
- 288.	[func]		rndc is now installed by "make install" into $sbindir.
-
- 287.	[bug]		rndc now works again as "rndc 127.1 reload" (for
-			only that task).  Parsing its configuration file and
-			using digital signatures for authentication has been
-			disabled until named supports the "controls" statement,
-			post-9.0.0.
-
- 286.	[bug]		On Solaris 2, when named inherited a signal state
-			where SIGHUP had the SIG_IGN action, SIGHUP would
-			be ignored rather than causing the server to reload
-			its configuration.
-
- 285.	[bug]		A change made to the dst API for beta4 inadvertently
-			broke OMAPI's creation of a dst key from an incoming
-			message, causing an assertion to be triggered.  Fixed.
-
- 284.	[func]		The DNSSEC key generation and signing tools now
-			generate randomness from keyboard input on systems
-			that lack /dev/random.
-
- 283.	[cleanup]	The 'lwresd' program is now a link to 'named'.
-
- 282.	[bug]		The lexer now returns ISC_R_RANGE if parsed integer is
-			too big for an unsigned long.
-
- 281.	[bug]		Fixed list of recognized config file category names.
-
- 280.	[func]		Add isc-config.sh, which can be used to more
-			easily build applications that link with
-			our libraries.
-
- 279.	[bug]		Private omapi function symbols shared between
-			two or more files in libomapi.a were not namespace
-			protected using the ISC convention of starting with
-			the library name and two underscores ("omapi__"...)
-
- 278.	[bug]		bin/named/logconf.c:category_fromconf() didn't take
-			note of when isc_log_categorybyname() wasn't able
-			to find the category name and would then apply the
-			channel list of the unknown category to all categories.
-
- 277.	[bug]		isc_log_categorybyname() and isc_log_modulebyname()
-			would fail to find the first member of any category
-			or module array apart from the internal defaults.
-			Thus, for example, the "notify" category was improperly
-			configured by named.
-
- 276.	[bug]		dig now supports maximum sized TCP messages.
-
- 275.	[bug]		The definition of lwres_gai_strerror() was missing
-			the lwres_ prefix.
-
- 274.	[bug]		TSIG AXFR verify failed when talking to a BIND 8
-			server.
-
- 273.	[func]		The default for the 'transfer-format' option is
-			now 'many-answers'.  This will break zone transfers
-			to BIND 4.9.5 and older unless there is an explicit
-			'one-answer' configuration.
-
- 272.	[bug]		The sending of large TCP responses was canceled
-			in mid-transmission due to a race condition
-			caused by the failure to set the client object's
-			"newstate" variable correctly when transitioning
-			to the "working" state.
-
- 271.	[func]		Attempt to probe the number of cpus in named
-			if unspecified rather than defaulting to 1.
-
- 270.	[func]		Allow maximum sized TCP answers.
-
- 269.	[bug]		Failed DNSSEC validations could cause an assertion
-			failure by causing clone_results() to be called with
-			with hevent->node == NULL.
-
- 268.	[doc]		A plain text version of the Administrator
-			Reference Manual is now included in the distribution,
-			as doc/arm/Bv9ARM.txt.
-
- 267.	[func]		Nsupdate is now provided in the distribution.
-
- 266.	[bug]		zone.c:save_nsrrset() node was not initialized.
-
- 265.	[bug]		dns_request_create() now works for TCP.
-
- 264.	[func]		Dispatch can not take TCP sockets in connecting
-			state.  Set DNS_DISPATCHATTR_CONNECTED when calling
-			dns_dispatch_createtcp() for connected TCP sockets
-			or call dns_dispatch_starttcp() when the socket is
-			connected.
-
- 263.	[func]		New logging channel type 'stderr'
-
-				channel some-name {
-					stderr;
-					severity error;
-				}
-
- 262.	[bug]		'master' was not initialized in zone.c:stub_callback().
-
- 261.	[func]		Add dns_zone_markdirty().
-
- 260.	[bug]		Running named as a non-root user failed on Linux
-			kernels new enough to support retaining capabilities
-			after setuid().
-
- 259.	[func]		New random-device and random-seed-file statements
-			for global options block of named.conf. Both accept
-			a single string argument.
-
- 258.	[bug]		Fixed printing of lwres_addr_t.address field.
-
- 257.	[bug]		The server detached the last zone manager reference
-			too early, while it could still be in use by queries.
-			This manifested itself as assertion failures during the
-			shutdown process for busy name servers. [RT #133]
-
- 256.	[func]		isc_ratelimiter_t now has attach/detach semantics, and
-			isc_ratelimiter_shutdown guarantees that the rate
-			limiter is detached from its task.
-
- 255.	[func]		New function dns_zonemgr_attach().
-
- 254.	[bug]		Suppress "query denied" messages on additional data
-			lookups.
-
-	--- 9.0.0b4 released ---
-
- 253.	[func]		resolv.conf parser now recognizes ';' and '#' as
-			comments (anywhere in line, not just as the beginning).
-
- 252.	[bug]		resolv.conf parser mishandled masks on sortlists.
-			It also aborted when an unrecognized keyword was seen,
-			now it silently ignores the entire line.
-
- 251.	[bug]		lwresd caught an assertion failure on startup.
-
- 250.	[bug]		fixed handling of size+unit when value would be too
-			large for internal representation.
-
- 249.	[cleanup]	max-cache-size config option now takes a size-spec
-			like 'datasize', except 'default' is not allowed.
-
- 248.	[bug]		global lame-ttl option was not being printed when
-			config structures were written out.
-
- 247.	[cleanup]	Rename cache-size config option to max-cache-size.
-
- 246.	[func]		Rename global option cachesize to cache-size and
-			add corresponding option to view statement.
-
- 245.	[bug]		If an uncompressed name will take more than 255
-			bytes and the buffer is sufficiently long,
-			dns_name_fromwire should return DNS_R_FORMERR,
-			not ISC_R_NOSPACE.  This bug caused cause the
-			server to catch an assertion failure when it
-			received a query for a name longer than 255
-			bytes.
-
- 244.	[bug]		empty named.conf file and empty options statement are
-			now parsed properly.
-
- 243.	[func]		new cachesize option for named.conf
-
- 242.	[cleanup]	fixed incorrect warning about auth-nxdomain usage.
-
- 241.	[cleanup]	nscount and soacount have been removed from the
-			dns_master_*() argument lists.
-
- 240.	[func]		databases now come in three flavours: zone, cache
-			and stub.
-
- 239.	[func]		If ISC_MEM_DEBUG is enabled, the variable
-			isc_mem_debugging controls whether messages
-			are printed or not.
-
- 238.	[cleanup]	A few more compilation warnings have been quieted:
-			+ missing sigwait prototype on BSD/OS 4.0/4.0.1.
-			+ PTHREAD_ONCE_INIT unbraced initializer warnings on
-				Solaris 2.8.
-			+ IN6ADDR_ANY_INIT unbraced initializer warnings on
-				BSD/OS 4.*, Linux and Solaris 2.8.
-
- 237.	[bug]		If connect() returned ENOBUFS when the resolver was
-			initiating a TCP query, the socket didn't get
-			destroyed, and the server did not shut down cleanly.
-
- 236.	[func]		Added new listen-on-v6 config file statement.
-
- 235.	[func]		Consider it a config file error if a listen-on
-			statement has an IPv6 address in it, or a
-			listen-on-v6 statement has an IPv4 address in it.
-
- 234.	[bug]		Allow a trusted-key's first field (domain-name) be
-			either a quoted or an unquoted string, instead of
-			requiring a quoted string.
-
- 233.	[cleanup]	Convert all config structure integer values to unsigned
-			integer (isc_uint32_t) to match grammar.
-
- 232.	[bug]		Allow slave zones to not have a file.
-
- 231.	[func]		Support new 'port' clause in config file options
-			section. Causes 'listen-on', 'masters' and
-			'also-notify' statements to use its value instead of
-			default (53).
-
- 230.	[func]		Replace the dst sign/verify API with a cleaner one.
-
- 229.	[func]		Support config file sig-validity-interval statement
-			in options, views and zone statements (master
-			zones only).
-
- 228.	[cleanup]	Logging messages in config module stripped of
-			trailing period.
-
- 227.	[cleanup]	The enumerated identifiers dns_rdataclass_*,
-			dns_rcode_*, dns_opcode_*, and dns_trust_* are
-			also now cast to their appropriate types, as with
-			dns_rdatatype_* in item number 225 below.
-
- 226.	[func]		dns_name_totext() now always prints the root name as
-			'.', even when omit_final_dot is true.
-
- 225.	[cleanup]	The enumerated dns_rdatatype_* identifiers are now
-			cast to dns_rdatatype_t via macros of their same name
-			so that they are of the proper integral type wherever
-			a dns_rdatatype_t is needed.
-
- 224.	[cleanup]	The entire project builds cleanly with gcc's
-			-Wcast-qual and -Wwrite-strings warnings enabled,
-			which is now the default when using gcc.  (Warnings
-			from confparser.c, because of yacc's code, are
-			unfortunately to be expected.)
-
- 223.	[func]		Several functions were re-prototyped to qualify one
-			or more of their arguments with "const".  Similarly,
-			several functions that return pointers now have
-			those pointers qualified with const.
-
- 222.	[bug]		The global 'also-notify' option was ignored.
-
- 221.	[bug]		An uninitialized variable was sometimes passed to
-			dns_rdata_freestruct() when loading a zone, causing
-			an assertion failure.
-
- 220.	[cleanup]	Set the default outgoing port in the view, and
-			set it in sockaddrs returned from the ADB.
-			[31-May-2000 explorer]
-
- 219.	[bug]		Signed truncated messages more correctly follow
-			the respective specs.
-
- 218.	[func]		When an rdataset is signed, its ttl is normalized
-			based on the signature validity period.
-
- 217.	[func]		Also-notify and trusted-keys can now be used in
-			the 'view' statement.
-
- 216.	[func]		The 'max-cache-ttl' and 'max-ncache-ttl' options
-			now work.
-
- 215.	[bug]		Failures at certain points in request processing
-			could cause the assertion INSIST(client->lockview
-			== NULL) to be triggered.
-
- 214.	[func]		New public function isc_netaddr_format(), for
-			formatting network addresses in log messages.
-
- 213.	[bug]		Don't leak memory when reloading the zone if
-			an update-policy clause was present in the old zone.
-
- 212.	[func]		Added dns_message_get/settsigkey, to make TSIG
-			key management reasonable.
-
- 211.	[func]		The 'key' and 'server' statements can now occur
-			inside 'view' statements.
-
- 210.	[bug]		The 'allow-transfer' option was ignored for slave
-			zones, and the 'transfers-per-ns' option was
-			was ignored for all zones.
-
- 209.	[cleanup]	Upgraded openssl files to new version 0.9.5a
-
- 208.	[func]		Added ISC_OFFSET_MAXIMUM for the maximum value
-			of an isc_offset_t.
-
- 207.	[func]		The dnssec tools properly use the logging subsystem.
-
- 206.	[cleanup]	dst now stores the key name as a dns_name_t, not
-			a char *.
-
- 205.	[cleanup]	On IRIX, turn off the mostly harmless warnings 1692
-			("prototyped function redeclared without prototype")
-			and 1552 ("variable ... set but not used") when
-			compiling in the lib/dns/sec/{dnssafe,openssl}
-			directories, which contain code imported from outside
-			sources.
-
- 204.	[cleanup]	On HP/UX, pass +vnocompatwarnings to the linker
-			to quiet the warnings that "The linked output may not
-			run on a PA 1.x system."
-
- 203.	[func]		notify and zone soa queries are now tsig signed when
-			appropriate.
-
- 202.	[func]		isc_lex_getsourceline() changed from returning int
-			to returning unsigned long, the type of its underlying
-			counter.
-
- 201.	[cleanup]	Removed the test/sdig program, it has been
-			replaced by bin/dig/dig.
-
-	--- 9.0.0b3 released ---
-
- 200.	[bug]		Failures in sending query responses to clients
-			(e.g., running out of network buffers) were
-			not logged.
-
- 199.	[bug]		isc_heap_delete() sometimes violated the heap
-			invariant, causing timer events not to be posted
-			when due.
-
- 198.	[func]		Dispatch managers hold memory pools which
-			any managed dispatcher may use.  This allows
-			us to avoid dipping into the memory context for
-			most allocations. [19-May-2000 explorer]
-
- 197.	[bug]		When an incoming AXFR or IXFR completes, the
-			zone's internal state is refreshed from the
-			SOA data. [19-May-2000 explorer]
-
- 196.	[func]		Dispatchers can be shared easily between views
-			and/or interfaces. [19-May-2000 explorer]
-
- 195.	[bug]		Including the NXT record of the root domain
-			in a negative response caused an assertion
-			failure.
-
- 194.	[doc]		The PDF version of the Administrator's Reference
-			Manual is no longer included in the ISC BIND9
-			distribution.
-
- 193.	[func]		changed dst_key_free() prototype.
-
- 192.	[bug]		Zone configuration validation is now done at end
-			of config file parsing, and before loading
-			callbacks.
-
- 191.	[func]		Patched to compile on UnixWare 7.x.  This platform
-			is not directly supported by the ISC.
-
- 190.	[cleanup]	The DNSSEC tools have been moved to a separate
-			directory dnssec/ and given the following new,
-			more descriptive names:
-
-			      dnssec-keygen
-			      dnssec-signzone
-			      dnssec-signkey
-			      dnssec-makekeyset
-
-			Their command line arguments have also been changed to
-			be more consistent.  dnssec-keygen now prints the
-			name of the generated key files (sans extension)
-			on standard output to simplify its use in automated
-			scripts.
-
- 189.	[func]		isc_time_secondsastimet(), a new function, will ensure
-			that the number of seconds in an isc_time_t does not
-			exceed the range of a time_t, or return ISC_R_RANGE.
-			Similarly, isc_time_now(), isc_time_nowplusinterval(),
-			isc_time_add() and isc_time_subtract() now check the
-			range for overflow/underflow.  In the case of
-			isc_time_subtract, this changed a calling requirement
-			(ie, something that could generate an assertion)
-			into merely a condition that returns an error result.
-			isc_time_add() and isc_time_subtract() were void-
-			valued before but now return isc_result_t.
-
- 188.	[func]		Log a warning message when an incoming zone transfer
-			contains out-of-zone data.
-
- 187.	[func]		isc_ratelimiter_enqueue() has an additional argument
-			'task'.
-
- 186.	[func]		dns_request_getresponse() has an additional argument
-			'preserve_order'.
-
- 185.	[bug]		Fixed up handling of ISC_MEMCLUSTER_LEGACY.  Several
-			public functions did not have an isc__ prefix, and
-			referred to functions that had previously been
-			renamed.
-
- 184.	[cleanup]	Variables/functions which began with two leading
-			underscores were made to conform to the ANSI/ISO
-			standard, which says that such names are reserved.
-
- 183.	[func]		ISC_LOG_PRINTTAG option for log channels.  Useful
-			for logging the program name or other identifier.
-
- 182.	[cleanup]	New command-line parameters for dnssec tools
-
- 181.	[func]		Added dst_key_buildfilename and dst_key_parsefilename
-
- 180.	[func]		New isc_result_t ISC_R_RANGE.  Supersedes DNS_R_RANGE.
-
- 179.	[func]		options named.conf statement *must* now come
-			before any zone or view statements.
-
- 178.	[func]		Post-load of named.conf check verifies a slave zone
-			has non-empty list of masters defined.
-
- 177.	[func]		New per-zone boolean:
-
-				enable-zone yes | no ;
-
-			intended to let a zone be disabled without having
-			to comment out the entire zone statement.
-
- 176.	[func]		New global and per-view option:
-
-				max-cache-ttl number
-
- 175.	[func]		New global and per-view option:
-
-				additional-data internal | minimal | maximal;
-
- 174.	[func]		New public function isc_sockaddr_format(), for
-			formatting socket addresses in log messages.
-
- 173.	[func]		Keep a queue of zones waiting for zone transfer
-			quota so that a new transfer can be dispatched
-			immediately whenever quota becomes available.
-
- 172.	[bug]		$TTL directive was sometimes missing from dumped
-			master files because totext_ctx_init() failed to
-			initialize ctx->current_ttl_valid.
-
- 171.	[cleanup]	On NetBSD systems, the mit-pthreads or
-			unproven-pthreads library is now always used
-			unless --with-ptl2 is explicitly specified on
-			the configure command line.  The
-			--with-mit-pthreads option is no longer needed
-			and has been removed.
-
- 170.	[cleanup]	Remove inter server consistency checks from zone,
-			these should return as a separate module in 9.1.
-			dns_zone_checkservers(), dns_zone_checkparents(),
-			dns_zone_checkchildren(), dns_zone_checkglue().
-
-			Remove dns_zone_setadb(), dns_zone_setresolver(),
-			dns_zone_setrequestmgr() these should now be found
-			via the view.
-
- 169.	[func]		ratelimiter can now process N events per interval.
-
- 168.	[bug]		include statements in named.conf caused syntax errors
-			due to not consuming the semicolon ending the include
-			statement before switching input streams.
-
- 167.	[bug]		Make lack of masters for a slave zone a soft error.
-
- 166.	[bug]		Keygen was overwriting existing keys if key_id
-			conflicted, now it will retry, and non-null keys
-			with key_id == 0 are not generated anymore.  Key
-			was not able to generate NOAUTHCONF DSA key,
-			increased RSA key size to 2048 bits.
-
- 165.	[cleanup]	Silence "end-of-loop condition not reached" warnings
-			from Solaris compiler.
-
- 164.	[func]		Added functions isc_stdio_open(), isc_stdio_close(),
-			isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
-			isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
-			to encapsulate nonportable usage of errno and sync.
-
- 163.	[func]		Added result codes ISC_R_FILENOTFOUND and
-			ISC_R_FILEEXISTS.
-
- 162.	[bug]		Ensure proper range for arguments to ctype.h functions.
-
- 161.	[cleanup]	error in yyparse prototype that only HPUX caught.
-
- 160.	[cleanup]	getnet*() are not going to be implemented at this
-			stage.
-
- 159.	[func]		Redefinition of config file elements is now an
-			error (instead of a warning).
-
- 158.	[bug]		Log channel and category list copy routines
-			weren't assigning properly to output parameter.
-
- 157.	[port]		Fix missing prototype for getopt().
-
- 156.	[func]		Support new 'database' statement in zone.
-
-				database "quoted-string";
-
- 155.	[bug]		ns_notify_start() was not detaching the found zone.
-
- 154.	[func]		The signer now logs libdns warnings to stderr even when
-			not verbose, and in a nicer format.
-
- 153.	[func]		dns_rdata_tostruct() 'mctx' is now optional.  If 'mctx'
-			is NULL then you need to preserve the 'rdata' until
-			you have finished using the structure as there may be
-			references to the associated memory.  If 'mctx' is
-			non-NULL it is guaranteed that there are no references
-			to memory associated with 'rdata'.
-
-			dns_rdata_freestruct() must be called if 'mctx' was
-			non-NULL and may safely be called if 'mctx' was NULL.
-
- 152.	[bug]		keygen dumped core if domain name argument was omitted
-			from command line.
-
- 151.	[func]		Support 'disabled' statement in zone config (causes
-			zone to be parsed and then ignored). Currently must
-			come after the 'type' clause.
-
- 150.	[func]		Support optional ports in masters and also-notify
-			statements:
-
-				masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
-
- 149.	[cleanup]	Removed unused argument 'olist' from
-			dns_c_view_unsetordering().
-
- 148.	[cleanup]	Stop issuing some warnings about some configuration
-			file statements that were not implemented, but now are.
-
- 147.	[bug]		Changed yacc union size to be smaller for yaccs that
-			put yacc-stack on the real stack.
-
- 146.	[cleanup]	More general redundant header file cleanup.  Rather
-			than continuing to itemize every header which changed,
-			this changelog entry just notes that if a header file
-			did not need another header file that it was including
-			in order to provide its advertised functionality, the
-			inclusion of the other header file was removed.  See
-			util/check-includes for how this was tested.
-
- 145.	[cleanup]	Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
-			ISC_LANG_ENDDECLS to header files that had function
-			prototypes, and removed it from those that did not.
-
- 144.	[cleanup]	libdns header files too numerous to name were made
-			to conform to the same style for multiple inclusion
-			protection.
-
- 143.	[func]		Added function dns_rdatatype_isknown().
-
- 142.	[cleanup]	<isc/stdtime.h> does not need <time.h> or
-			<isc/result.h>.
-
- 141.	[bug]		Corrupt requests with multiple questions could
-			cause an assertion failure.
-
- 140.	[cleanup]	<isc/time.h> does not need <time.h> or <isc/result.h>.
-
- 139.	[cleanup]	<isc/net.h> now includes <isc/types.h> instead of
-			<isc/int.h> and <isc/result.h>.
-
- 138.	[cleanup]	isc_strtouq moved from str.[ch] to string.[ch] and
-			renamed isc_string_touint64.  isc_strsep moved from
-			strsep.c to string.c and renamed isc_string_separate.
-
- 137.	[cleanup]	<isc/commandline.h>, <isc/mem.h>, <isc/print.h>
-			<isc/serial.h>, <isc/string.h> and <isc/offset.h>
-			made to conform to the same style for multiple
-			inclusion protection.
-
- 136.	[cleanup]	<isc/commandline.h>, <isc/interfaceiter.h>,
-			<isc/net.h> and Win32's <isc/thread.h> needed
-			ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
-
- 135.	[cleanup]	Win32's <isc/condition.h> did not need <isc/result.h>
-			or <isc/boolean.h>, now uses <isc/types.h> in place
-			of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
-			and ISC_LANG_ENDDECLS.
-
- 134.	[cleanup]	<isc/dir.h> does not need <limits.h>.
-
- 133.	[cleanup]	<isc/ipv6.h> needs <isc/platform.h>.
-
- 132.	[cleanup]	<isc/app.h> does not need <isc/task.h>, but does
-			need <isc/eventclass.h>.
-
- 131.	[cleanup]	<isc/mutex.h> and <isc/util.h> need <isc/result.h>
-			for ISC_R_* codes used in macros.
-
- 130.	[cleanup]	<isc/condition.h> does not need <pthread.h> or
-			<isc/boolean.h>, and now includes <isc/types.h>
-			instead of <isc/time.h>.
-
- 129.	[bug]		The 'default_debug' log channel was not set up when
-			'category default' was present in the config file
-
- 128.	[cleanup]	<isc/dir.h> had ISC_LANG_BEGINDECLS instead of
-			ISC_LANG_ENDDECLS at end of header.
-
- 127.	[cleanup]	The contracts for the comparison routines
-			dns_name_fullcompare(), dns_name_compare(),
-			dns_name_rdatacompare(), and dns_rdata_compare() now
-			specify that the order value returned is < 0, 0, or > 0
-			instead of -1, 0, or 1.
-
- 126.	[cleanup]	<isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
-
- 125.	[cleanup]	<isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
-			<isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
-			<isc/resultclass.h> do not need <isc/lang.h>.
-
- 124.	[func]		signer now imports parent's zone key signature
-			and creates null keys/sets zone status bit for
-			children when necessary
-
- 123.	[cleanup]	<isc/event.h> does not need <stddef.h>.
-
- 122.	[cleanup]	<isc/task.h> does not need <isc/mem.h> or
-			<isc/result.h>.
-
- 121.	[cleanup]	<isc/symtab.h> does not need <isc/mem.h> or
-			<isc/result.h>.  Multiple inclusion protection
-			symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
-			isc_symtab_t moved to <isc/types.h>.
-
- 120.	[cleanup]	<isc/socket.h> does not need <isc/boolean.h>,
-			<isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
-			<isc/net.h>.
-
- 119.	[cleanup]	structure definitions for generic rdata structures do
-			not have _generic_ in their names.
-
- 118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
-			YACC crust (yyparse, etc) [2000-apr-27 explorer]
-
- 117.	[cleanup]	libdns.a changes:
-			dns_zone_clearnotify() and dns_zone_addnotify()
-			are replaced by dns_zone_setnotifyalso().
-			dns_zone_clearmasters() and dns_zone_addmaster()
-			are replaced by dns_zone_setmasters().
-
- 116.	[func]		Added <isc/offset.h> for isc_offset_t (aka off_t
-			on Unix systems).
-
- 115.	[port]		Shut up the -Wmissing-declarations warning about
-			<stdio.h>'s __sputaux on BSD/OS pre-4.1.
-
- 114.	[cleanup]	<isc/sockaddr.h> does not need <isc/buffer.h> or
-			<isc/list.h>.
-
- 113.	[func]		Utility programs dig and host added.
-
- 112.	[cleanup]	<isc/serial.h> does not need <isc/boolean.h>.
-
- 111.	[cleanup]	<isc/rwlock.h> does not need <isc/result.h> or
-			<isc/mutex.h>.
-
- 110.	[cleanup]	<isc/result.h> does not need <isc/boolean.h> or
-			<isc/list.h>.
-
- 109.	[bug]		"make depend" did nothing for
-			bin/tests/{db,mem,sockaddr,tasks,timers}/.
-
- 108.	[cleanup]	DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
-			<dns/types.h> to <dns/bit.h> and renamed to
-			DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
-
- 107.	[func]		Add keysigner and keysettool.
-
- 106.	[func]		Allow dnssec verifications to ignore the validity
-			period.  Used by several of the dnssec tools.
-
- 105.	[doc]		doc/dev/coding.html expanded with other
-			implicit conventions the developers have used.
-
- 104.	[bug]		Made compress_add and compress_find static to
-			lib/dns/compress.c.
-
- 103.	[func]		libisc buffer API changes for <isc/buffer.h>:
-			Added:
-				isc_buffer_base(b)          (pointer)
-				isc_buffer_current(b)       (pointer)
-				isc_buffer_active(b)        (pointer)
-				isc_buffer_used(b)          (pointer)
-				isc_buffer_length(b)            (int)
-				isc_buffer_usedlength(b)        (int)
-				isc_buffer_consumedlength(b)    (int)
-				isc_buffer_remaininglength(b)   (int)
-				isc_buffer_activelength(b)      (int)
-				isc_buffer_availablelength(b)   (int)
-			Removed:
-				ISC_BUFFER_USEDCOUNT(b)
-				ISC_BUFFER_AVAILABLECOUNT(b)
-				isc_buffer_type(b)
-			Changed names:
-				isc_buffer_used(b, r) ->
-					isc_buffer_usedregion(b, r)
-				isc_buffer_available(b, r) ->
-					isc_buffer_available_region(b, r)
-				isc_buffer_consumed(b, r) ->
-					isc_buffer_consumedregion(b, r)
-				isc_buffer_active(b, r) ->
-					isc_buffer_activeregion(b, r)
-				isc_buffer_remaining(b, r) ->
-					isc_buffer_remainingregion(b, r)
-
-			Buffer types were removed, so the ISC_BUFFERTYPE_*
-			macros are no more, and the type argument to
-			isc_buffer_init and isc_buffer_allocate were removed.
-			isc_buffer_putstr is now void (instead of isc_result_t)
-			and requires that the caller ensure that there
-			is enough available buffer space for the string.
-
- 102.	[port]		Correctly detect inet_aton, inet_pton and inet_ptop
-			on BSD/OS 4.1.
-
- 101.	[cleanup]	Quieted EGCS warnings from lib/isc/print.c.
-
- 100.	[cleanup]	<isc/random.h> does not need <isc/int.h> or
-			<isc/mutex.h>.  isc_random_t moved to <isc/types.h>.
-
-  99.	[cleanup]	Rate limiter now has separate shutdown() and
-			destroy() functions, and it guarantees that all
-			queued events are delivered even in the shutdown case.
-
-  98.	[cleanup]	<isc/print.h> does not need <stdarg.h> or <stddef.h>
-			unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
-
-  97.	[cleanup]	<isc/ondestroy.h> does not need <stddef.h> or
-			<isc/event.h>.
-
-  96.	[cleanup]	<isc/mutex.h> does not need <isc/result.h>.
-
-  95.	[cleanup]	<isc/mutexblock.h> does not need <isc/result.h>.
-
-  94.	[cleanup]	Some installed header files did not compile as C++.
-
-  93.	[cleanup]	<isc/msgcat.h> does not need <isc/result.h>.
-
-  92.	[cleanup]	<isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
-			or <isc/result.h>.
-
-  91.	[cleanup]	<isc/log.h> does not need <sys/types.h> or
-			<isc/result.h>.
-
-  90.	[cleanup]	Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
-			from <named/listenlist.h>.
-
-  89.	[cleanup]	<isc/lex.h> does not need <stddef.h>.
-
-  88.	[cleanup]	<isc/interfaceiter.h> does not need <isc/result.h> or
-			<isc/mem.h>.  isc_interface_t and isc_interfaceiter_t
-			moved to <isc/types.h>.
-
-  87.	[cleanup]	<isc/heap.h> does not need <isc/boolean.h>,
-			<isc/mem.h> or <isc/result.h>.
-
-  86.	[cleanup]	isc_bufferlist_t moved from <isc/bufferlist.h> to
-			<isc/types.h>.
-
-  85.	[cleanup]	<isc/bufferlist.h> does not need <isc/buffer.h>,
-			<isc/list.h>, <isc/mem.h>, <isc/region.h> or
-			<isc/int.h>.
-
-  84.	[func]		allow-query ACL checks now apply to all data
-			added to a response.
-
-  83.	[func]		If the server is authoritative for both a
-			delegating zone and its (nonsecure) delegatee, and
-			a query is made for a KEY RR at the top of the
-			delegatee, then the server will look for a KEY
-			in the delegator if it is not found in the delegatee.
-
-  82.	[cleanup]	<isc/buffer.h> does not need <isc/list.h>.
-
-  81.	[cleanup]	<isc/int.h> and <isc/boolean.h> do not need
-			<isc/lang.h>.
-
-  80.	[cleanup]	<isc/print.h> does not need <stdio.h> or <stdlib.h>.
-
-  79.	[cleanup]	<dns/callbacks.h> does not need <stdio.h>.
-
-  78.	[cleanup]	lwres_conftest renamed to lwresconf_test for
-			consistency with other *_test programs.
-
-  77.	[cleanup]	typedef of isc_time_t and isc_interval_t moved from
-			<isc/time.h> to <isc/types.h>.
-
-  76.	[cleanup]	Rewrote keygen.
-
-  75.	[func]		Don't load a zone if its database file is older
-			than the last time the zone was loaded.
-
-  74.	[cleanup]	Removed mktemplate.o and ufile.o from libisc.a,
-			subsumed by file.o.
-
-  73.	[func]		New "file" API in libisc, including new function
-			isc_file_getmodtime, isc_mktemplate renamed to
-			isc_file_mktemplate and isc_ufile renamed to
-			isc_file_openunique.  By no means an exhaustive API,
-			it is just what's needed for now.
-
-  72.	[func]		DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
-			added for dns_rbt_findnode, the former to disable the
-			setting of the chain to the predecessor, and the
-			latter to make clear when no options are set.
-
-  71.	[cleanup]	Made explicit the implicit REQUIREs of
-			isc_time_seconds, isc_time_nanoseconds, and
-			isc_time_subtract.
-
-  70.	[func]		isc_time_set() added.
-
-  69.	[bug]		The zone object's master and also-notify lists grew
-			longer with each server reload.
-
-  68.	[func]		Partial support for SIG(0) on incoming messages.
-
-  67.	[performance]	Allow use of alternate (compile-time supplied)
-			OpenSSL libraries/headers.
-
-  66.	[func]		Data in authoritative zones should have a trust level
-			beyond secure.
-
-  65.	[cleanup]	Removed obsolete typedef of dns_zone_callbackarg_t
-			from <dns/types.h>.
-
-  64.	[func]		The RBT, DB, and zone table APIs now allow the
-			caller find the most-enclosing superdomain of
-			a name.
-
-  63.	[func]		Generate NOTIFY messages.
-
-  62.	[func]		Add UDP refresh support.
-
-  61.	[cleanup]	Use single quotes consistently in log messages.
-
-  60.	[func]		Catch and disallow singleton types on message
-			parse.
-
-  59.	[bug]		Cause net/host unreachable to be a hard error
-			when sending and receiving.
-
-  58.	[bug]		bin/named/query.c could sometimes trigger the
-			(client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
-			== 0 assertion in query_newname().
-
-  57.	[func]		Added dns_nxt_typepresent()
-
-  56.	[bug]		SIG records were not properly returned in cached
-			negative answers.
-
-  55.	[bug]		Responses containing multiple names in the authority
-			section were not negatively cached.
-
-  54.	[bug]		If a fetch with sigrdataset==NULL joined one with
-			sigrdataset!=NULL or vice versa, the resolver
-			could catch an assertion or lose signature data,
-			respectively.
-
-  53.	[port]		freebsd 4.0: lib/isc/unix/socket.c requires
-			<sys/param.h>.
-
-  52.	[bug]		rndc: taskmgr and socketmgr were not initialized
-			to NULL.
-
-  51.	[cleanup]	dns/compress.h and dns/zt.h did not need to include
-			dns/rbt.h; it was needed only by compress.c and zt.c.
-
-  50.	[func]		RBT deletion no longer requires a valid chain to work,
-			and dns_rbt_deletenode was added.
-
-  49.	[func]		Each cache now has its own mctx.
-
-  48.	[func]		isc_task_create() no longer takes an mctx.
-			isc_task_mem() has been eliminated.
-
-  47.	[func]		A number of modules now use memory context reference
-			counting.
-
-  46.	[func]		Memory contexts are now reference counted.
-			Added isc_mem_inuse() and isc_mem_preallocate().
-			Renamed isc_mem_destroy_check() to
-			isc_mem_setdestroycheck().
-
-  45.	[bug]		The trusted-key statement incorrectly loaded keys.
-
-  44.	[bug]		Don't include authority data if it would force us
-			to unset the AD bit in the message.
-
-  43.	[bug]		DNSSEC verification of cached rdatasets was failing.
-
-  42.	[cleanup]	Simplified logging of messages with embedded domain
-			names by introducing a new convenience function
-			dns_name_format().
-
-  41.	[func]		Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
-			to allow 'named' to run as a non-root user while
-			retaining the ability to bind() to privileged
-			ports.
-
-  40.	[func]		Introduced new logging category "dnssec" and
-			logging module "dns/validator".
-
-  39.	[cleanup]	Moved the typedefs for isc_region_t, isc_textregion_t,
-			and isc_lex_t to <isc/types.h>.
-
-  38.	[bug]		TSIG signed incoming zone transfers work now.
-
-  37.	[bug]		If the first RR in an incoming zone transfer was
-			not an SOA, the server died with an assertion failure
-			instead of just reporting an error.
-
-  36.	[cleanup]	Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
-
-  35.	[performance]	Log messages which are of a level too high to be
-			logged by any channel in the logging configuration
-			will not cause the log mutex to be locked.
-
-  34.	[bug]		Recursion was allowed even with 'recursion no'.
-
-  33.	[func]		The RBT now maintains a parent pointer at each node.
-
-  32.	[cleanup]	bin/lwresd/client.c needs <string.h> for memset()
-			prototype.
-
-  31.	[bug]		Use ${LIBTOOL} to compile bin/named/main.@O@.
-
-  30.	[func]		config file grammar change to support optional
-			class type for a view.
-
-  29.	[func]		support new config file view options:
-
-				auth-nxdomain recursion query-source
-				query-source-v6 transfer-source
-				transfer-source-v6 max-transfer-time-out
-				max-transfer-idle-out transfer-format
-				request-ixfr provide-ixfr cleaning-interval
-				fetch-glue notify rfc2308-type1 lame-ttl
-				max-ncache-ttl min-roots
-
-  28.	[func]		support lame-ttl, min-roots and serial-queries
-			config global options.
-
-  27.	[bug]		Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
-			Including it on other platforms (eg, NetBSD) can
-			cause a forced #error from the C preprocessor.
-
-  26.	[func]		new match-clients statement in config file view.
-
-  25.	[bug]		make install failed to install <isc/log.h> and
-			<isc/ondestroy.h>.
-
-  24.	[cleanup]	Eliminate some unnecessary #includes of header
-			files from header files.
-
-  23.	[cleanup]	Provide more context in log messages about client
-			requests, using a new function ns_client_log().
-
-  22.	[bug]		SIGs weren't returned in the answer section when
-			the query resulted in a fetch.
-
-  21.	[port]		Look at STD_CINCLUDES after CINCLUDES during
-			compilation, so additional system include directories
-			can be searched but header files in the bind9 source
-			tree with conflicting names take precedence.  This
-			avoids issues with installed versions of dnssafe and
-			openssl.
-
-  20.	[func]		Configuration file post-load validation of zones
-			failed if there were no zones.
-
-  19.	[bug]		dns_zone_notifyreceive() failed to unlock the zone
-			lock in certain error cases.
-
-  18.	[bug]		Use AC_TRY_LINK rather than AC_TRY_COMPILE in
-			configure.in to check for presence of in6addr_any.
-
-  17.	[func]		Do configuration file post-load validation of zones.
-
-  16.	[bug]		put quotes around key names on config file
-			output to avoid possible keyword clashes.
-
-  15.	[func]		Add dns_name_dupwithoffsets().  This function is
-			improves comparison performance for duped names.
-
-  14.	[bug]		free_rbtdb() could have 'put' unallocated memory in
-			an unlikely error path.
-
-  13.	[bug]		lib/dns/master.c and lib/dns/xfrin.c didn't ignore
-			out-of-zone data.
-
-  12.	[bug]		Fixed possible uninitialized variable error.
-
-  11.	[bug]		axfr_rrstream_first() didn't check the result code of
-			db_rr_iterator_first(), possibly causing an assertion
-			to be triggered later.
-
-  10.	[bug]		A bug in the code which makes EDNS0 OPT records in
-			bin/named/client.c and lib/dns/resolver.c could
-			trigger an assertion.
-
-   9.	[cleanup]	replaced bit-setting code in confctx.c and replaced
-			repeated code with macro calls.
-
-   8.	[bug]		Shutdown of incoming zone transfer accessed
-			freed memory.
-
-   7.	[cleanup]	removed 'listen-on' from view statement.
-
-   6.	[bug]		quote RR names when generating config file to
-			prevent possible clash with config file keywords
-			(such as 'key').
-
-   5.	[func]		syntax change to named.conf file: new ssu grant/deny
-			statements must now be enclosed by an 'update-policy'
-			block.
-
-   4.	[port]		bin/named/unix/os.c didn't compile on systems with
-			linux 2.3 kernel includes due to conflicts between
-			C library includes and the kernel includes.  We now
-			get only what we need from <linux/capability.h>, and
-			avoid pulling in other linux kernel .h files.
-
-   3.	[bug]		TKEYs go in the answer section of responses, not
-			the additional section.
-
-   2.	[bug]		Generating cryptographic randomness failed on
-			systems without /dev/random.
-
-   1.	[bug]		The installdirs rule in
-			lib/isc/unix/include/isc/Makefile.in had a typo which
-			prevented the isc directory from being created if it
-			didn't exist.
-
-	--- 9.0.0b2 released ---
-
-# This tells Emacs to use hard tabs in this file.
-# Local Variables:
-# indent-tabs-mode: t
-# End:
diff --git a/contrib/bind9/COPYRIGHT b/contrib/bind9/COPYRIGHT
deleted file mode 100644
index 525c222..0000000
--- a/contrib/bind9/COPYRIGHT
+++ /dev/null
@@ -1,518 +0,0 @@
-Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 1996-2003  Internet Software Consortium.
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
-$Id: COPYRIGHT,v 1.19 2012/01/03 23:46:59 tbox Exp $
-
-	Portions of this code release fall under one or more of the
-	following Copyright notices.  Please see individual source
-	files for details.
-
-	For binary releases also see: OpenSSL-LICENSE.
-
-Copyright (C) 1996-2001  Nominum, Inc.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) 1995-2000 by Network Associates, Inc.
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
-ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
-FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the
-above copyright notice and this permission notice appear in all
-copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
-DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
-CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
-OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
-USE OR PERFORMANCE OF THIS SOFTWARE.
-
-The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
-conceived and contributed by Rob Butler.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the
-above copyright notice and this permission notice appear in all
-copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
-DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
-CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
-OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
-USE OR PERFORMANCE OF THIS SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1987, 1990, 1993, 1994
-     The Regents of the University of California.  All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-3. All advertising materials mentioning features or use of this software
-   must display the following acknowledgement:
-     This product includes software developed by the University of
-     California, Berkeley and its contributors.
-4. Neither the name of the University nor the names of its contributors
-   may be used to endorse or promote products derived from this software
-   without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) The Internet Society 2005.  This version of
-this module is part of RFC 4178; see the RFC itself for
-full legal notices.
-
-(The above copyright notice is per RFC 3978 5.6 (a), q.v.)
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 2004 Masarykova universita
-(Masaryk University, Brno, Czech Republic)
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-3. Neither the name of the University nor the names of its contributors may
-   be used to endorse or promote products derived from this software
-   without specific prior written permission.
- 
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
-(Royal Institute of Technology, Stockholm, Sweden). 
-All rights reserved. 
-
-Redistribution and use in source and binary forms, with or without 
-modification, are permitted provided that the following conditions 
-are met: 
-
-1. Redistributions of source code must retain the above copyright 
-   notice, this list of conditions and the following disclaimer. 
-
-2. Redistributions in binary form must reproduce the above copyright 
-   notice, this list of conditions and the following disclaimer in the 
-   documentation and/or other materials provided with the distribution. 
-
-3. Neither the name of the Institute nor the names of its contributors 
-   may be used to endorse or promote products derived from this software 
-   without specific prior written permission. 
-
-THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-SUCH DAMAGE. 
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1998 Doug Rabson
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
- -----------------------------------------------------------------------------
-
-Copyright ((c)) 2002, Rice University
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-    * Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above
-    copyright notice, this list of conditions and the following
-    disclaimer in the documentation and/or other materials provided
-    with the distribution.
-
-    * Neither the name of Rice University (RICE) nor the names of its
-    contributors may be used to endorse or promote products derived
-    from this software without specific prior written permission.
-
-
-This software is provided by RICE and the contributors on an "as is"
-basis, without any representations or warranties of any kind, express
-or implied including, but not limited to, representations or
-warranties of non-infringement, merchantability or fitness for a
-particular purpose. In no event shall RICE or contributors be liable
-for any direct, indirect, incidental, special, exemplary, or
-consequential damages (including, but not limited to, procurement of
-substitute goods or services; loss of use, data, or profits; or
-business interruption) however caused and on any theory of liability,
-whether in contract, strict liability, or tort (including negligence
-or otherwise) arising in any way out of the use of this software, even
-if advised of the possibility of such damage.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1993 by Digital Equipment Corporation.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies, and that
-the name of Digital Equipment Corporation not be used in advertising or
-publicity pertaining to distribution of the document or software without
-specific, written prior permission.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
-WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
-CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
-DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
-PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
-ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright 2000 Aaron D. Gifford.  All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-3. Neither the name of the copyright holder nor the names of contributors
-   may be used to endorse or promote products derived from this software
-   without specific prior written permission.
- 
-THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1998 Doug Rabson.
-Copyright (c) 2001 Jake Burkholder.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
-   may be used to endorse or promote products derived from this software
-   without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1999-2000 by Nortel Networks Corporation
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
-ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
-BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
-OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
-WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
-ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 2000-2002 Japan Network Information Center.  All rights reserved.
- 
-By using this file, you agree to the terms and conditions set forth bellow.
-
-                        LICENSE TERMS AND CONDITIONS 
-
-The following License Terms and Conditions apply, unless a different
-license is obtained from Japan Network Information Center ("JPNIC"),
-a Japanese association, Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda,
-Chiyoda-ku, Tokyo 101-0047, Japan.
-
-1. Use, Modification and Redistribution (including distribution of any
-   modified or derived work) in source and/or binary forms is permitted
-   under this License Terms and Conditions.
-
-2. Redistribution of source code must retain the copyright notices as they
-   appear in each source code file, this License Terms and Conditions.
-
-3. Redistribution in binary form must reproduce the Copyright Notice,
-   this License Terms and Conditions, in the documentation and/or other
-   materials provided with the distribution.  For the purposes of binary
-   distribution the "Copyright Notice" refers to the following language:
-   "Copyright (c) 2000-2002 Japan Network Information Center.  All rights
-   reserved."
-
-4. The name of JPNIC may not be used to endorse or promote products
-   derived from this Software without specific prior written approval of
-   JPNIC.
-
-5. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY JPNIC
-   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL JPNIC BE LIABLE
-   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-   BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-   WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-   OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-   ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
- -----------------------------------------------------------------------------
-
-Copyright (C) 2004  Nominet, Ltd.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
- -----------------------------------------------------------------------------
-
-Portions Copyright RSA Security Inc.
-
-License to copy and use this software is granted provided that it is
-identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-(Cryptoki)" in all material mentioning or referencing this software.
-
-License is also granted to make and use derivative works provided that
-such works are identified as "derived from the RSA Security Inc. PKCS #11
-Cryptographic Token Interface (Cryptoki)" in all material mentioning or
-referencing the derived work.
-
-RSA Security Inc. makes no representations concerning either the
-merchantability of this software or the suitability of this software for
-any particular purpose. It is provided "as is" without express or implied
-warranty of any kind.
-
- -----------------------------------------------------------------------------
-
-Copyright (c) 1996, David Mazieres <dm@uun.org>
-Copyright (c) 2008, Damien Miller <djm@openbsd.org>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
------------------------------------------------------------------------------
-
-Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in
-   the documentation and/or other materials provided with the
-   distribution.
-
-3. All advertising materials mentioning features or use of this
-   software must display the following acknowledgment:
-   "This product includes software developed by the OpenSSL Project
-   for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-
-4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-   endorse or promote products derived from this software without
-   prior written permission. For written permission, please contact
-   licensing@OpenSSL.org.
-
-5. Products derived from this software may not be called "OpenSSL"
-   nor may "OpenSSL" appear in their names without prior written
-   permission of the OpenSSL Project.
-
-6. Redistributions of any form whatsoever must retain the following
-   acknowledgment:
-   "This product includes software developed by the OpenSSL Project
-   for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-
-THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-OF THE POSSIBILITY OF SUCH DAMAGE.
-
diff --git a/contrib/bind9/FAQ b/contrib/bind9/FAQ
deleted file mode 100644
index 5e86a08..0000000
--- a/contrib/bind9/FAQ
+++ /dev/null
@@ -1,893 +0,0 @@
-Frequently Asked Questions about BIND 9
-
-Copyright © 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
-
-Copyright © 2000-2003 Internet Software Consortium.
-
------------------------------------------------------------------------
-
-1. Compilation and Installation Questions
-
-Q: I'm trying to compile BIND 9, and "make" is failing due to files not
-   being found. Why?
-
-A: Using a parallel or distributed "make" to build BIND 9 is not
-   supported, and doesn't work. If you are using one of these, use normal
-   make or gmake instead.
-
-Q: Isn't "make install" supposed to generate a default named.conf?
-
-A: Short Answer: No.
-
-   Long Answer: There really isn't a default configuration which fits any
-   site perfectly. There are lots of decisions that need to be made and
-   there is no consensus on what the defaults should be. For example
-   FreeBSD uses /etc/namedb as the location where the configuration files
-   for named are stored. Others use /var/named.
-
-   What addresses to listen on? For a laptop on the move a lot you may
-   only want to listen on the loop back interfaces.
-
-   Who do you offer recursive service to? Is there are firewall to
-   consider? If so is it stateless or stateful. Are you directly on the
-   Internet? Are you on a private network? Are you on a NAT'd network? The
-   answers to all these questions change how you configure even a caching
-   name server.
-
-2. Configuration and Setup Questions
-
-Q: Why does named log the warning message "no TTL specified - using SOA
-   MINTTL instead"?
-
-A: Your zone file is illegal according to RFC1035. It must either have a
-   line like:
-
-   $TTL 86400
-
-   at the beginning, or the first record in it must have a TTL field, like
-   the "84600" in this example:
-
-   example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
-
-Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
-   file bar: ran out of space"?
-
-A: This is often caused by TXT records with missing close quotes. Check
-   that all TXT records containing quoted strings have both open and close
-   quotes.
-
-Q: How do I restrict people from looking up the server version?
-
-A: Put a "version" option containing something other than the real version
-   in the "options" section of named.conf. Note doing this will not
-   prevent attacks and may impede people trying to diagnose problems with
-   your server. Also it is possible to "fingerprint" nameservers to
-   determine their version.
-
-Q: How do I restrict only remote users from looking up the server version?
-
-A: The following view statement will intercept lookups as the internal
-   view that holds the version information will be matched last. The
-   caveats of the previous answer still apply, of course.
-
-   view "chaos" chaos {
-           match-clients { <those to be refused>; };
-           allow-query { none; };
-           zone "." {
-                   type hint;
-                   file "/dev/null";  // or any empty file
-           };
-   };
-
-Q: What do "no source of entropy found" or "could not open entropy source
-   foo" mean?
-
-A: The server requires a source of entropy to perform certain operations,
-   mostly DNSSEC related. These messages indicate that you have no source
-   of entropy. On systems with /dev/random or an equivalent, it is used by
-   default. A source of entropy can also be defined using the
-   random-device option in named.conf.
-
-Q: I'm trying to use TSIG to authenticate dynamic updates or zone
-   transfers. I'm sure I have the keys set up correctly, but the server is
-   rejecting the TSIG. Why?
-
-A: This may be a clock skew problem. Check that the the clocks on the
-   client and server are properly synchronised (e.g., using ntp).
-
-Q: I see a log message like the following. Why?
-
-   couldn't open pid file '/var/run/named.pid': Permission denied
-
-A: You are most likely running named as a non-root user, and that user
-   does not have permission to write in /var/run. The common ways of
-   fixing this are to create a /var/run/named directory owned by the named
-   user and set pid-file to "/var/run/named/named.pid", or set pid-file to
-   "named.pid", which will put the file in the directory specified by the
-   directory option (which, in this case, must be writable by the named
-   user).
-
-Q: I can query the nameserver from the nameserver but not from other
-   machines. Why?
-
-A: This is usually the result of the firewall configuration stopping the
-   queries and / or the replies.
-
-Q: How can I make a server a slave for both an internal and an external
-   view at the same time? When I tried, both views on the slave were
-   transferred from the same view on the master.
-
-A: You will need to give the master and slave multiple IP addresses and
-   use those to make sure you reach the correct view on the other machine.
-
-   Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
-       internal:
-           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-                   notify-source 10.0.1.1;
-                   transfer-source 10.0.1.1;
-                   query-source address 10.0.1.1;
-       external:
-           match-clients { any; };
-           recursion no;   // don't offer recursion to the world
-           notify-source 10.0.1.2;
-           transfer-source 10.0.1.2;
-           query-source address 10.0.1.2;
-
-   Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
-       internal:
-           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-           notify-source 10.0.1.3;
-           transfer-source 10.0.1.3;
-           query-source address 10.0.1.3;
-      external:
-           match-clients { any; };
-           recursion no;   // don't offer recursion to the world
-           notify-source 10.0.1.4;
-           transfer-source 10.0.1.4;
-           query-source address 10.0.1.4;
-
-   You put the external address on the alias so that all the other dns
-   clients on these boxes see the internal view by default.
-
-A: BIND 9.3 and later: Use TSIG to select the appropriate view.
-
-   Master 10.0.1.1:
-           key "external" {
-                   algorithm hmac-sha256;
-                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
-           };
-           view "internal" {
-                   match-clients { !key external; // reject message ment for the
-                                                  // external view.
-                                   10.0.1/24; };  // accept from these addresses.
-                   ...
-           };
-           view "external" {
-                   match-clients { key external; any; };
-                   server 10.0.1.2 { keys external; };  // tag messages from the
-                                                        // external view to the
-                                                        // other servers for the
-                                                        // view.
-                   recursion no;
-                   ...
-           };
-
-   Slave 10.0.1.2:
-           key "external" {
-                   algorithm hmac-sha256;
-                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
-           };
-           view "internal" {
-                   match-clients { !key external; 10.0.1/24; };
-                   ...
-           };
-           view "external" {
-                   match-clients { key external; any; };
-                   server 10.0.1.1 { keys external; };
-                   recursion no;
-                   ...
-           };
-
-Q: I get error messages like "multiple RRs of singleton type" and "CNAME
-   and other data" when transferring a zone. What does this mean?
-
-A: These indicate a malformed master zone. You can identify the exact
-   records involved by transferring the zone using dig then running
-   named-checkzone on it.
-
-   dig axfr example.com @master-server > tmp
-   named-checkzone example.com tmp
-
-   A CNAME record cannot exist with the same name as another record except
-   for the DNSSEC records which prove its existence (NSEC).
-
-   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
-   data should be present; this ensures that the data for a canonical name
-   and its aliases cannot be different. This rule also insures that a
-   cached CNAME can be used without checking with an authoritative server
-   for other RR types."
-
-Q: I get error messages like "named.conf:99: unexpected end of input"
-   where 99 is the last line of named.conf.
-
-A: There are unbalanced quotes in named.conf.
-
-A: Some text editors (notepad and wordpad) fail to put a line title
-   indication (e.g. CR/LF) on the last line of a text file. This can be
-   fixed by "adding" a blank line to the end of the file. Named expects to
-   see EOF immediately after EOL and treats text files where this is not
-   met as truncated.
-
-Q: How do I share a dynamic zone between multiple views?
-
-A: You choose one view to be master and the second a slave and transfer
-   the zone between views.
-
-   Master 10.0.1.1:
-           key "external" {
-                   algorithm hmac-sha256;
-                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
-           };
-
-           key "mykey" {
-                   algorithm hmac-sha256;
-                   secret "yyyyyyyyyyyyyyyyyyyyyyyy";
-           };
-
-           view "internal" {
-                   match-clients { !key external; 10.0.1/24; };
-                   server 10.0.1.1 {
-                           /* Deliver notify messages to external view. */
-                           keys { external; };
-                   };
-                   zone "example.com" {
-                           type master;
-                           file "internal/example.db";
-                           allow-update { key mykey; };
-                           also-notify { 10.0.1.1; };
-                   };
-           };
-
-           view "external" {
-                   match-clients { key external; any; };
-                   zone "example.com" {
-                           type slave;
-                           file "external/example.db";
-                           masters { 10.0.1.1; };
-                           transfer-source 10.0.1.1;
-                           // allow-update-forwarding { any; };
-                           // allow-notify { ... };
-                   };
-           };
-
-Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading
-   master file primaries/wireless.ietf56.ietf.org: no owner".
-
-A: This error is produced when a line in the master file contains leading
-   white space (tab/space) but the is no current record owner name to
-   inherit the name from. Usually this is the result of putting white
-   space before a comment, forgetting the "@" for the SOA record, or
-   indenting the master file.
-
-Q: Why are my logs in GMT (UTC).
-
-A: You are running chrooted (-t) and have not supplied local timezone
-   information in the chroot area.
-
-   FreeBSD: /etc/localtime
-   Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
-   OSF: /etc/zoneinfo/localtime
-
-   See also tzset(3) and zic(8).
-
-Q: I get "rndc: connect failed: connection refused" when I try to run
-   rndc.
-
-A: This is usually a configuration error.
-
-   First ensure that named is running and no errors are being reported at
-   startup (/var/log/messages or equivalent). Running "named -g <usual
-   arguments>" from a title can help at this point.
-
-   Secondly ensure that named is configured to use rndc either by
-   "rndc-confgen -a", rndc-confgen or manually. The Administrators
-   Reference manual has details on how to do this.
-
-   Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /
-   etc/rndc.conf for the default server. Update /etc/rndc.conf if
-   necessary so that the default server listed in /etc/rndc.conf matches
-   the addresses used in named.conf. "localhost" has two address
-   (127.0.0.1 and ::1).
-
-   If you use "rndc-confgen -a" and named is running with -t or -u ensure
-   that /etc/rndc.conf has the correct ownership and that a copy is in the
-   chroot area. You can do this by re-running "rndc-confgen -a" with
-   appropriate -t and -u arguments.
-
-Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
-   receiving responses: permission denied" error messages.
-
-A: These indicate a filesystem permission error preventing named creating
-   / renaming the temporary file. These will usually also have other
-   associated error messages like
-
-   "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
-
-   Named needs write permission on the directory containing the file.
-   Named writes the new cache file to a temporary file then renames it to
-   the name specified in named.conf to ensure that the contents are always
-   complete. This is to prevent named loading a partial zone in the event
-   of power failure or similar interrupting the write of the master file.
-
-   Note file names are relative to the directory specified in options and
-   any chroot directory ([<chroot dir>/][<options dir>]).
-
-   If named is invoked as "named -t /chroot/DNS" with the following
-   named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
-   user named is running as.
-
-   options {
-           directory "/var/named";
-   };
-
-   zone "example.net" {
-           type slave;
-           file "sl/example.net";
-           masters { 192.168.4.12; };
-   };
-
-Q: I want to forward all DNS queries from my caching nameserver to another
-   server. But there are some domains which have to be served locally, via
-   rbldnsd.
-
-   How do I achieve this ?
-
-A: options {
-           forward only;
-           forwarders { <ip.of.primary.nameserver>; };
-   };
-
-   zone "sbl-xbl.spamhaus.org" {
-           type forward; forward only;
-           forwarders { <ip.of.rbldns.server> port 530; };
-   };
-
-   zone "list.dsbl.org" {
-           type forward; forward only;
-           forwarders { <ip.of.rbldns.server> port 530; };
-   };
-
-
-Q: Can you help me understand how BIND 9 uses memory to store DNS zones?
-
-   Some times it seems to take several times the amount of memory it needs
-   to store the zone.
-
-A: When reloading a zone named my have multiple copies of the zone in
-   memory at one time. The zone it is serving and the one it is loading.
-   If reloads are ultra fast it can have more still.
-
-   e.g. Ones that are transferring out, the one that it is serving and the
-   one that is loading.
-
-   BIND 8 destroyed the zone before loading and also killed off outgoing
-   transfers of the zone.
-
-   The new strategy allows slaves to get copies of the new zone regardless
-   of how often the master is loaded compared to the transfer time. The
-   slave might skip some intermediate versions but the transfers will
-   complete and it will keep reasonably in sync with the master.
-
-   The new strategy also allows the master to recover from syntax and
-   other errors in the master file as it still has an in-core copy of the
-   old contents.
-
-Q: I want to use IPv6 locally but I don't have a external IPv6 connection.
-   External lookups are slow.
-
-A: You can use server clauses to stop named making external lookups over
-   IPv6.
-
-   server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
-   server ::/0 { bogus yes; };
-
-3. Operations Questions
-
-Q: How to change the nameservers for a zone?
-
-A: Step 1: Ensure all nameservers, new and old, are serving the same zone
-   content.
-
-   Step 2: Work out the maximum TTL of the NS RRset in the parent and
-   child zones. This is the time it will take caches to be clear of a
-   particular version of the NS RRset. If you are just removing
-   nameservers you can skip to Step 6.
-
-   Step 3: Add new nameservers to the NS RRset for the zone and wait until
-   all the servers for the zone are answering with this new NS RRset.
-
-   Step 4: Inform the parent zone of the new NS RRset then wait for all
-   the parent servers to be answering with the new NS RRset.
-
-   Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for
-   how long. If you are just adding nameservers you are done.
-
-   Step 6: Remove any old nameservers from the zones NS RRset and wait for
-   all the servers for the zone to be serving the new NS RRset.
-
-   Step 7: Inform the parent zone of the new NS RRset then wait for all
-   the parent servers to be answering with the new NS RRset.
-
-   Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for
-   how long.
-
-   Step 9: Turn off the old nameservers or remove the zone entry from the
-   configuration of the old nameservers.
-
-   Step 10: Increment the serial number and wait for the change to be
-   visible in all nameservers for the zone. This ensures that zone
-   transfers are still working after the old servers are decommissioned.
-
-   Note: the above procedure is designed to be transparent to dns clients.
-   Decommissioning the old servers too early will result in some clients
-   not being able to look up answers in the zone.
-
-   Note: while it is possible to run the addition and removal stages
-   together it is not recommended.
-
-4. General Questions
-
-Q: I keep getting log messages like the following. Why?
-
-   Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
-   update failed: 'RRset exists (value dependent)' prerequisite not
-   satisfied (NXRRSET)
-
-A: DNS updates allow the update request to test to see if certain
-   conditions are met prior to proceeding with the update. The message
-   above is saying that conditions were not met and the update is not
-   proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
-
-Q: I keep getting log messages like the following. Why?
-
-   Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
-
-A: Someone is trying to update your DNS data using the RFC2136 Dynamic
-   Update protocol. Windows 2000 machines have a habit of sending dynamic
-   update requests to DNS servers without being specifically configured to
-   do so. If the update requests are coming from a Windows 2000 machine,
-   see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
-   for information about how to turn them off.
-
-Q: When I do a "dig . ns", many of the A records for the root servers are
-   missing. Why?
-
-A: This is normal and harmless. It is a somewhat confusing side effect of
-   the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
-   makes to avoid promoting glue into answers.
-
-   When BIND 9 first starts up and primes its cache, it receives the root
-   server addresses as additional data in an authoritative response from a
-   root server, and these records are eligible for inclusion as additional
-   data in responses. Subsequently it receives a subset of the root server
-   addresses as additional data in a non-authoritative (referral) response
-   from a root server. This causes the addresses to now be considered
-   non-authoritative (glue) data, which is not eligible for inclusion in
-   responses.
-
-   The server does have a complete set of root server addresses cached at
-   all times, it just may not include all of them as additional data,
-   depending on whether they were last received as answers or as glue. You
-   can always look up the addresses with explicit queries like "dig
-   a.root-servers.net A".
-
-Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
-
-A: A zone can be updated either by editing zone files and reloading the
-   server or by dynamic update, but not both. If you have enabled dynamic
-   update for a zone using the "allow-update" option, you are not supposed
-   to edit the zone file by hand, and the server will not attempt to
-   reload it.
-
-Q: Why is named listening on UDP port other than 53?
-
-A: Named uses a system selected port to make queries of other nameservers.
-   This behaviour can be overridden by using query-source to lock down the
-   port and/or address. See also notify-source and transfer-source.
-
-Q: I get warning messages like "zone example.com/IN: refresh: failure
-   trying master 1.2.3.4#53: timed out".
-
-A: Check that you can make UDP queries from the slave to the master
-
-   dig +norec example.com soa @1.2.3.4
-
-   You could be generating queries faster than the slave can cope with.
-   Lower the serial query rate.
-
-   serial-query-rate 5; // default 20
-
-Q: I don't get RRSIG's returned when I use "dig +dnssec".
-
-A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
-
-Q: Can a NS record refer to a CNAME.
-
-A: No. The rules for glue (copies of the *address* records in the parent
-   zones) and additional section processing do not allow it to work.
-
-   You would have to add both the CNAME and address records (A/AAAA) as
-   glue to the parent zone and have CNAMEs be followed when doing
-   additional section processing to make it work. No nameserver
-   implementation supports either of these requirements.
-
-Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
-   mean?
-
-A: If the IN-ADDR.ARPA name covered refers to a internal address space you
-   are using then you have failed to follow RFC 1918 usage rules and are
-   leaking queries to the Internet. You should establish your own zones
-   for these addresses to prevent you querying the Internet's name servers
-   for these addresses. Please see <http://as112.net/> for details of the
-   problems you are causing and the counter measures that have had to be
-   deployed.
-
-   If you are not using these private addresses then a client has queried
-   for them. You can just ignore the messages, get the offending client to
-   stop sending you these messages as they are most probably leaking them
-   or setup your own zones empty zones to serve answers to these queries.
-
-   zone "10.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
-
-   zone "16.172.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
-
-   ...
-
-   zone "31.172.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
-
-   zone "168.192.IN-ADDR.ARPA" {
-           type master;
-           file "empty";
-   };
-
-   empty:
-   @ 10800 IN SOA <name-of-server>. <contact-email>. (
-                  1 3600 1200 604800 10800 )
-   @ 10800 IN NS <name-of-server>.
-
-   Note
-
-   Future versions of named are likely to do this automatically.
-
-Q: Will named be affected by the 2007 changes to daylight savings rules in
-   the US.
-
-A: No, so long as the machines internal clock (as reported by "date -u")
-   remains at UTC. The only visible change if you fail to upgrade your OS,
-   if you are in a affected area, will be that log messages will be a hour
-   out during the period where the old rules do not match the new rules.
-
-   For most OS's this change just means that you need to update the
-   conversion rules from UTC to local time. Normally this involves
-   updating a file in /etc (which sets the default timezone for the
-   machine) and possibly a directory which has all the conversion rules
-   for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
-   forget to update any chroot areas as well. See your OS's documentation
-   for more details.
-
-   The local timezone conversion rules can also be done on a individual
-   basis by setting the TZ environment variable appropriately. See your
-   OS's documentation for more details.
-
-Q: Is there a bugzilla (or other tool) database that mere mortals can have
-   (read-only) access to for bind?
-
-A: No. The BIND 9 bug database is kept closed for a number of reasons.
-   These include, but are not limited to, that the database contains
-   proprietory information from people reporting bugs. The database has in
-   the past and may in future contain unfixed bugs which are capable of
-   bringing down most of the Internet's DNS infrastructure.
-
-   The release pages for each version contain up to date lists of bugs
-   that have been fixed post release. That is as close as we can get to
-   providing a bug database.
-
-Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
-
-A: NSEC3 records are strictly meta data and can only be returned in the
-   authority section. This is done so that signing the zone using NSEC3
-   records does not bring names into existence that do not exist in the
-   unsigned version of the zone.
-
-5. Operating-System Specific Questions
-
-5.1. HPUX
-
-Q: I get the following error trying to configure BIND:
-
-   checking if unistd.h or sys/types.h defines fd_set... no
-   configure: error: need either working unistd.h or sys/select.h
-
-A: You have attempted to configure BIND with the bundled C compiler. This
-   compiler does not meet the minimum compiler requirements to for
-   building BIND. You need to install a ANSI C compiler and / or teach
-   configure how to find the ANSI C compiler. The later can be done by
-   adjusting the PATH environment variable and / or specifying the
-   compiler via CC.
-
-   ./configure CC=<compiler> ...
-
-5.2. Linux
-
-Q: Why do I get the following errors:
-
-   general: errno2result.c:109: unexpected error:
-   general: unable to convert errno to isc_result: 14: Bad address
-   client: UDP client handler shutting down due to fatal receive error: unexpected error
-
-A: This is the result of a Linux kernel bug.
-
-   See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=
-   2>
-
-Q: Why does named lock up when it attempts to connect over IPSEC tunnels?
-
-A: This is due to a kernel bug where the fact that a socket is marked
-   non-blocking is ignored. It is reported that setting xfrm_larval_drop
-   to 1 helps but this may have negative side effects. See: <https://
-   bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/
-   2007/12/4/260>.
-
-   xfrm_larval_drop can be set to 1 by the following procedure:
-
-   echo "1" > proc/sys/net/core/xfrm_larval_drop
-
-Q: Why do I see 5 (or more) copies of named on Linux?
-
-A: Linux threads each show up as a process under ps. The approximate
-   number of threads running is n+4, where n is the number of CPUs. Note
-   that the amount of memory used is not cumulative; if each process is
-   using 10M of memory, only a total of 10M is used.
-
-   Newer versions of Linux's ps command hide the individual threads and
-   require -L to display them.
-
-Q: Why does BIND 9 log "permission denied" errors accessing its
-   configuration files or zones on my Linux system even though it is
-   running as root?
-
-A: On Linux, BIND 9 drops most of its root privileges on startup. This
-   including the privilege to open files owned by other users. Therefore,
-   if the server is running as root, the configuration files and zone
-   files should also be owned by root.
-
-Q: I get the error message "named: capset failed: Operation not permitted"
-   when starting named.
-
-A: The capability module, part of "Linux Security Modules/LSM", has not
-   been loaded into the kernel. See insmod(8), modprobe(8).
-
-   The relevant modules can be loaded by running:
-
-   modprobe commoncap
-   modprobe capability
-
-Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
-
-   Why can't named update slave zone database files?
-
-   Why can't named create DDNS journal files or update the master zones
-   from journals?
-
-   Why can't named create custom log files?
-
-A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
-
-   Red Hat have adopted the National Security Agency's SELinux security
-   policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND
-   security , which are more secure than running named in a chroot and
-   make use of the bind-chroot environment unnecessary .
-
-   By default, named is not allowed by the SELinux policy to write, create
-   or delete any files EXCEPT in these directories:
-
-   $ROOTDIR/var/named/slaves
-   $ROOTDIR/var/named/data
-   $ROOTDIR/var/tmp
-
-
-   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
-   installed.
-
-   The SELinux policy particularly does NOT allow named to modify the
-   $ROOTDIR/var/named directory, the default location for master zone
-   database files.
-
-   SELinux policy overrules file access permissions - so even if all the
-   files under /var/named have ownership named:named and mode rw-rw-r--,
-   named will still not be able to write or create files except in the
-   directories above, with SELinux in Enforcing mode.
-
-   So, to allow named to update slave or DDNS zone files, it is best to
-   locate them in $ROOTDIR/var/named/slaves, with named.conf zone
-   statements such as:
-
-   zone "slave.zone." IN {
-           type slave;
-           file "slaves/slave.zone.db";
-           ...
-   };
-   zone "ddns.zone." IN  {
-           type master;
-           allow-updates {...};
-           file "slaves/ddns.zone.db";
-   };
-
-
-   To allow named to create its cache dump and statistics files, for
-   example, you could use named.conf options statements such as:
-
-   options {
-           ...
-           dump-file "/var/named/data/cache_dump.db";
-           statistics-file "/var/named/data/named_stats.txt";
-           ...
-   };
-
-
-   You can also tell SELinux to allow named to update any zone database
-   files, by setting the SELinux tunable boolean parameter
-   'named_write_master_zones=1', using the system-config-securitylevel
-   GUI, using the 'setsebool' command, or in /etc/selinux/targeted/
-   booleans.
-
-   You can disable SELinux protection for named entirely by setting the
-   'named_disable_trans=1' SELinux tunable boolean parameter.
-
-   The SELinux named policy defines these SELinux contexts for named:
-
-   named_zone_t : for zone database files       - $ROOTDIR/var/named/*
-   named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
-   named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
-
-
-   If you want to retain use of the SELinux policy for named, and put
-   named files in different locations, you can do so by changing the
-   context of the custom file locations .
-
-   To create a custom configuration file location, e.g. '/root/
-   named.conf', to use with the 'named -c' option, do:
-
-   # chcon system_u:object_r:named_conf_t /root/named.conf
-
-
-   To create a custom modifiable named data location, e.g. '/var/log/
-   named' for a log file, do:
-
-   # chcon system_u:object_r:named_cache_t /var/log/named
-
-
-   To create a custom zone file location, e.g. /root/zones/, do:
-
-   # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
-
-
-   See these man-pages for more information : selinux(8), named_selinux
-   (8), chcon(1), setsebool(8)
-
-Q: I'm running BIND on Ubuntu -
-
-   Why can't named update slave zone database files?
-
-   Why can't named create DDNS journal files or update the master zones
-   from journals?
-
-   Why can't named create custom log files?
-
-A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in
-   addition to normal file system permissions to protect the system.
-
-   Adjust the paths to use those specified in /etc/apparmor.d/
-   usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named to allow named
-   to write at the location specified in named.conf.
-
-Q: Listening on individual IPv6 interfaces does not work.
-
-A: This is usually due to "/proc/net/if_inet6" not being available in the
-   chroot file system. Mount another instance of "proc" in the chroot file
-   system.
-
-   This can be be made permanent by adding a second instance to /etc/
-   fstab.
-
-   proc /proc           proc defaults 0 0
-   proc /var/named/proc proc defaults 0 0
-
-5.3. Windows
-
-Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
-   Why?
-
-A: This may be caused by a bug in the Windows 2000 DNS server where DNS
-   messages larger than 16K are not handled properly. This can be worked
-   around by setting the option "transfer-format one-answer;". Also check
-   whether your zone contains domain names with embedded spaces or other
-   special characters, like "John\032Doe\213s\032Computer", since such
-   names have been known to cause Windows 2000 slaves to incorrectly
-   reject the zone.
-
-Q: I get "Error 1067" when starting named under Windows.
-
-A: This is the service manager saying that named exited. You need to
-   examine the Application log in the EventViewer to find out why.
-
-   Common causes are that you failed to create "named.conf" (usually "C:\
-   windows\dns\etc\named.conf") or failed to specify the directory in
-   named.conf.
-
-   options {
-           Directory "C:\windows\dns\etc";
-   };
-
-5.4. FreeBSD
-
-Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
-
-A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
-   use certain interrupts as a source of random events. You can make this
-   permanent by setting rand_irqs in /etc/rc.conf.
-
-   rand_irqs="3 14 15"
-
-   See also <http://people.freebsd.org/~dougb/randomness.html>.
-
-5.5. Solaris
-
-Q: How do I integrate BIND 9 and Solaris SMF
-
-A: Sun has a blog entry describing how to do this.
-
-   <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>
-
-5.6. Apple Mac OS X
-
-Q: How do I run BIND 9 on Apple Mac OS X?
-
-A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
-
-   % sudo rndc-confgen  > /etc/rndc.conf
-
-   Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
-
-   key "rndc-key" {
-           algorithm hmac-sha256;
-           secret "uvceheVuqf17ZwIcTydddw==";
-   };
-
-   Then start the relevant service:
-
-   % sudo service org.isc.named start
-
-   This is persistent upon a reboot, so you will have to do it only once.
-
-A: Alternatively you can just generate /etc/rndc.key by running:
-
-   % sudo rndc-confgen -a
-
-   Then start the relevant service:
-
-   % sudo service org.isc.named start
-
-   Named will look for /etc/rndc.key when it starts if it doesn't have a
-   controls section or the existing controls are missing keys sub-clauses.
-   This is persistent upon a reboot, so you will have to do it only once.
-
diff --git a/contrib/bind9/FAQ.xml b/contrib/bind9/FAQ.xml
deleted file mode 100644
index d0f903b..0000000
--- a/contrib/bind9/FAQ.xml
+++ /dev/null
@@ -1,1613 +0,0 @@
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
-<!--
- - Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: FAQ.xml,v 1.54 2010/01/19 23:48:55 tbox Exp $ -->
-
-<article class="faq">
-  <title>Frequently Asked Questions about BIND 9</title>
-  <articleinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2013</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </articleinfo>
-  <qandaset defaultlabel='qanda'>
-	  
-    <qandadiv><title>Compilation and Installation Questions</title>	  
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I'm trying to compile BIND 9, and "make" is failing due to
-	  files not being found.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Using a parallel or distributed "make" to build BIND 9 is
-	  not supported, and doesn't work.  If you are using one of
-	  these, use normal make or gmake instead.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  Isn't "make install"  supposed to generate a default named.conf?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Short Answer: No. 
-	</para>
-	<para>
-	  Long Answer: There really isn't a default configuration which fits
-	  any site perfectly.  There are lots of decisions that need to
-	  be made and there is no consensus on what the defaults should be.
-	  For example FreeBSD uses /etc/namedb as the location where the
-	  configuration files for named are stored.  Others use /var/named.
-	</para>
-	<para>
-	  What addresses to listen on?  For a laptop on the move a lot
-	  you may only want to listen on the loop back interfaces.
-	</para>
-	<para>
-	  Who do you offer recursive service to?  Is there are firewall
-	  to consider?  If so is it stateless or stateful.  Are you
-	  directly on the Internet?  Are you on a private network? Are
-	  you on a NAT'd network? The answers
-	  to all these questions change how you configure even a
-	  caching name server.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    </qandadiv> <!-- Compilation and Installation Questions -->
-	    
-    <qandadiv><title>Configuration and Setup Questions</title>
-
-    <qandaentry>
-      <!-- configuration, log -->
-      <question>
-	<para>
-	  Why does named log the warning message <quote>no TTL specified -
-	  using SOA MINTTL instead</quote>?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Your zone file is illegal according to RFC1035.  It must either
-	  have a line like:
-	</para>
-	<informalexample>
-	  <programlisting>
-$TTL 86400</programlisting>
-	</informalexample>
-	<para>
-	  at the beginning, or the first record in it must have a TTL field,
-	  like the "84600" in this example:
-	</para>
-	<informalexample>
-	  <programlisting>
-example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <!-- configuration -->
-      <question>
-	<para>
-	  Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
-	  master file bar: ran out of space</quote>?
-	</para>
-      </question>
-      <answer>
-	<para>
-	This is often caused by TXT records with missing close
-	quotes.  Check that all TXT records containing quoted strings
-	have both open and close quotes.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <!-- security -->
-      <question>
-	<para>
-	  How do I restrict people from looking up the server version?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Put a "version" option containing something other than the
-	  real version in the "options" section of named.conf.  Note
-	  doing this will not prevent attacks and may impede people
-	  trying to diagnose problems with your server.  Also it is
-	  possible to "fingerprint" nameservers to determine their
-	  version.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <!-- security -->
-      <question>
-	<para>
-	  How do I restrict only remote users from looking up the
-	  server version?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  The following view statement will intercept lookups as the
-	  internal view that holds the version information will be
-	  matched last.  The caveats of the previous answer still
-	  apply, of course.
-	</para>
-	<informalexample>
-	  <programlisting>
-view "chaos" chaos {
-	match-clients { &lt;those to be refused&gt;; };
-	allow-query { none; };
-	zone "." {
-		type hint;
-		file "/dev/null";  // or any empty file
-	};
-};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <!-- configuration -->
-      <question>
-	<para>
-	  What do <quote>no source of entropy found</quote> or <quote>could not
-	  open entropy source foo</quote> mean?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  The server requires a source of entropy to perform certain
-	  operations, mostly DNSSEC related.  These messages indicate
-	  that you have no source of entropy.  On systems with
-	  /dev/random or an equivalent, it is used by default.  A
-	  source of entropy can also be defined using the random-device
-	  option in named.conf.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <!-- configuration -->
-      <question>
-	<para>
-	  I'm trying to use TSIG to authenticate dynamic updates or
-	  zone transfers.  I'm sure I have the keys set up correctly,
-	  but the server is rejecting the TSIG.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This may be a clock skew problem.  Check that the the clocks
-	  on the client and server are properly synchronised (e.g.,
-	  using ntp).
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I see a log message like the following.  Why?
-	</para>
-	<para>
-	  couldn't open pid file '/var/run/named.pid': Permission denied
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You are most likely running named as a non-root user, and
-	  that user does not have permission to write in /var/run.
-	  The common ways of fixing this are to create a /var/run/named
-	  directory owned by the named user and set pid-file to
-	  "/var/run/named/named.pid", or set pid-file to "named.pid",
-	  which will put the file in the directory specified by the
-	  directory option (which, in this case, must be writable by
-	  the named user).
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I can query the nameserver from the nameserver but not from other
-	  machines.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is usually the result of the firewall configuration stopping
-	  the queries and / or the replies.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  How can I make a server a slave for both an internal and
-	  an external view at the same time?  When I tried, both views
-	  on the slave were transferred from the same view on the master.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You will need to give the master and slave multiple IP
-	  addresses and use those to make sure you reach the correct
-	  view on the other machine.
-	</para>
-	<informalexample>
-	  <programlisting>
-Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
-    internal:
-	match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-		notify-source 10.0.1.1;
-		transfer-source 10.0.1.1;
-		query-source address 10.0.1.1;
-    external:
-	match-clients { any; };
-	recursion no;	// don't offer recursion to the world
-	notify-source 10.0.1.2;
-	transfer-source 10.0.1.2;
-	query-source address 10.0.1.2;
-
-Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
-    internal:
-	match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
-	notify-source 10.0.1.3;
-	transfer-source 10.0.1.3;
-	query-source address 10.0.1.3;
-   external:
-	match-clients { any; };
-	recursion no;	// don't offer recursion to the world
-	notify-source 10.0.1.4;
-	transfer-source 10.0.1.4;
-	query-source address 10.0.1.4;</programlisting>
-	</informalexample>
-	<para>
-	  You put the external address on the alias so that all the other
-	  dns clients on these boxes see the internal view by default.
-	</para>
-      </answer>
-      <answer>
-	<para>
-	  BIND 9.3 and later: Use TSIG to select the appropriate view.
-	</para>
-	<informalexample>
-	  <programlisting>
-Master 10.0.1.1:
-	key "external" {
-		algorithm hmac-sha256;
-		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
-	};
-	view "internal" {
-		match-clients { !key external; // reject message ment for the
-					       // external view.
-				10.0.1/24; };  // accept from these addresses.
-		...
-	};
-	view "external" {
-		match-clients { key external; any; };
-		server 10.0.1.2 { keys external; };  // tag messages from the
-						     // external view to the
-						     // other servers for the
-						     // view.
-		recursion no;
-		...
-	};
-
-Slave 10.0.1.2:
-	key "external" {
-		algorithm hmac-sha256;
-		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
-	};
-	view "internal" {
-		match-clients { !key external; 10.0.1/24; };
-		...
-	};
-	view "external" {
-		match-clients { key external; any; };
-		server 10.0.1.1 { keys external; };
-		recursion no;
-		...
-	};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I get error messages like <quote>multiple RRs of singleton type</quote>
-	  and <quote>CNAME and other data</quote> when transferring a zone.  What
-	  does this mean?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  These indicate a malformed master zone.  You can identify
-	  the exact records involved by transferring the zone using
-	  dig then running named-checkzone on it.
-	</para>
-	<informalexample>
-	  <programlisting>
-dig axfr example.com @master-server &gt; tmp
-named-checkzone example.com tmp</programlisting>
-	</informalexample>
-	<para>
-	  A CNAME record cannot exist with the same name as another record
-	  except for the DNSSEC records which prove its existence (NSEC).
-	</para>
-	<para>
-	  RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
-	  no other data should be present; this ensures that the data for a
-	  canonical name and its aliases cannot be different.  This rule also
-	  insures that a cached CNAME can be used without checking with an
-	  authoritative server for other RR types.</quote>
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I get error messages like <quote>named.conf:99: unexpected end
-	  of input</quote> where 99 is the last line of named.conf.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  There are unbalanced quotes in named.conf.
-	</para>
-      </answer>
-      <answer>
-	<para>
-	  Some text editors (notepad and wordpad) fail to put a line
-	  title indication (e.g. CR/LF) on the last line of a
-	  text file.  This can be fixed by "adding" a blank line to
-	  the end of the file.  Named expects to see EOF immediately
-	  after EOL and treats text files where this is not met as
-	  truncated.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  How do I share a dynamic zone between multiple views?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You choose one view to be master and the second a slave and
-	  transfer the zone between views.
-	</para>
-	<informalexample>
-	  <programlisting>
-Master 10.0.1.1:
-	key "external" {
-		algorithm hmac-sha256;
-		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
-	};
-
-	key "mykey" {
-		algorithm hmac-sha256;
-		secret "yyyyyyyyyyyyyyyyyyyyyyyy";
-	};
-
-	view "internal" {
-		match-clients { !key external; 10.0.1/24; };
-		server 10.0.1.1 {
-			/* Deliver notify messages to external view. */
-			keys { external; };
-		};
-		zone "example.com" {
-			type master;
-			file "internal/example.db";
-			allow-update { key mykey; };
-			also-notify { 10.0.1.1; };
-		};
-	};
-
-	view "external" {
-		match-clients { key external; any; };
-		zone "example.com" {
-			type slave;
-			file "external/example.db";
-			masters { 10.0.1.1; };
-			transfer-source 10.0.1.1;
-			// allow-update-forwarding { any; };
-			// allow-notify { ... };
-		};
-	};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I get a error message like <quote>zone wireless.ietf56.ietf.org/IN:
-	  loading master file primaries/wireless.ietf56.ietf.org: no
-	  owner</quote>.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This error is produced when a line in the master file
-	  contains leading white space (tab/space) but the is no
-	  current record owner name to inherit the name from.  Usually
-	  this is the result of putting white space before a comment,
-	  forgetting the "@" for the SOA record, or indenting the master
-	  file.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why are my logs in GMT (UTC).
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You are running chrooted (-t) and have not supplied local timezone
-	  information in the chroot area.
-	</para>
-	<simplelist>
-	  <member>FreeBSD: /etc/localtime</member>
-	  <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
-	  <member>OSF: /etc/zoneinfo/localtime</member>
-	  </simplelist>
-	<para>
-	  See also tzset(3) and zic(8).
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I get <quote>rndc: connect failed: connection refused</quote> when
-	  I try to run rndc.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is usually a configuration error.
-	</para>
-	<para>
-	  First ensure that named is running and no errors are being
-	  reported at startup (/var/log/messages or equivalent).
-	  Running "named -g &lt;usual arguments&gt;" from a title
-	  can help at this point.
-	</para>
-	<para>
-	  Secondly ensure that named is configured to use rndc either
-	  by "rndc-confgen -a", rndc-confgen or manually.  The
-	  Administrators Reference manual has details on how to do
-	  this.
-	</para>
-	<para>
-	  Old versions of rndc-confgen used localhost rather than
-	  127.0.0.1 in /etc/rndc.conf for the default server.  Update
-	  /etc/rndc.conf if necessary so that the default server
-	  listed in /etc/rndc.conf matches the addresses used in
-	  named.conf.  "localhost" has two address (127.0.0.1 and
-	  ::1).
-	</para>
-	<para>
-	  If you use "rndc-confgen -a" and named is running with -t or -u
-	  ensure that /etc/rndc.conf has the correct ownership and that
-	  a copy is in the chroot area.  You can do this by re-running
-	  "rndc-confgen -a" with appropriate -t and -u arguments.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
-	  failed while receiving responses: permission denied</quote> error
-	  messages.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  These indicate a filesystem permission error preventing
-	  named creating / renaming the temporary file.  These will
-	  usually also have other associated error messages like
-	</para>
-	<informalexample>
-	  <programlisting>
-"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
-	</informalexample>
-	<para>
-	  Named needs write permission on the directory containing
-	  the file.  Named writes the new cache file to a temporary
-	  file then renames it to the name specified in named.conf
-	  to ensure that the contents are always complete.  This is
-	  to prevent named loading a partial zone in the event of
-	  power failure or similar interrupting the write of the
-	  master file.
-	</para>
-	<para>
-	  Note file names are relative to the directory specified in
-	  options and any chroot directory  ([&lt;chroot
-	  dir&gt;/][&lt;options dir&gt;]).
-	</para>
-	<informalexample>
-	  <para>
-	    If named is invoked as "named -t /chroot/DNS" with
-	    the following named.conf then "/chroot/DNS/var/named/sl"
-	    needs to be writable by the user named is running as.
-	  </para>
-	  <programlisting>
-options {
-	directory "/var/named";
-};
-
-zone "example.net" {
-	type slave;
-	file "sl/example.net";
-	masters { 192.168.4.12; };
-};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I want to forward all DNS queries from my caching nameserver to
-	  another server. But there are some domains which have to be
-	  served locally, via rbldnsd.
-	</para>
-	<para>
-	  How do I achieve this ?
-	</para>
-      </question>
-      <answer>
-        <programlisting>
-options {
-	forward only;
-	forwarders { &lt;ip.of.primary.nameserver&gt;; };
-};
-
-zone "sbl-xbl.spamhaus.org" {
-	type forward; forward only;
-	forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
-};
-
-zone "list.dsbl.org" {
-	type forward; forward only;
-	forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
-};
-        </programlisting>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Can you help me understand how BIND 9 uses memory to store
-	  DNS zones?
-	</para>
-	<para>
-	  Some times it seems to take several times the amount of
-	  memory it needs to store the zone.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  When reloading a zone named my have multiple copies of
-	  the zone in memory at one time.  The zone it is serving
-	  and the one it is loading.  If reloads are ultra fast it
-	  can have more still.
-	</para>
-	<para>
-	  e.g.  Ones that are transferring out, the one that it is
-	  serving and the one that is loading.
-	</para>
-	<para>
-	  BIND 8 destroyed the zone before loading and also killed
-	  off outgoing transfers of the zone.
-	</para>
-	<para>
-	  The new strategy allows slaves to get copies of the new
-	  zone regardless of how often the master is loaded compared
-	  to the transfer time.  The slave might skip some intermediate
-	  versions but the transfers will complete and it will keep
-	  reasonably in sync with the master.
-	</para>
-	<para>
-	  The new strategy also allows the master to recover from
-	  syntax and other errors in the master file as it still
-	  has an in-core copy of the old contents.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I want to use IPv6 locally but I don't have a external IPv6
-	  connection.  External lookups are slow.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You can use server clauses to stop named making external lookups
-	  over IPv6.
-	</para>
-        <programlisting>
-server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
-server ::/0 { bogus yes; };
-</programlisting>
-      </answer>
-    </qandaentry>
-    
-    </qandadiv> <!-- Configuration and Setup Questions -->
-    
-    <qandadiv><title>Operations Questions</title>
-
-    <qandaentry>
-      <question>
-	<para>
-	  How to change the nameservers for a zone?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Step 1: Ensure all nameservers, new and old, are serving the
-	  same zone content.
-	</para>
-	<para>
-	  Step 2: Work out the maximum TTL of the NS RRset in the parent and child
-	  zones.  This is the time it will take caches to be clear of a
-	  particular version of the NS RRset.
-	  If you are just removing nameservers you can skip to Step 6.
-	</para>
-	<para>
-	  Step 3: Add new nameservers to the NS RRset for the zone and
-	  wait until all the servers for the zone are answering with this
-	  new NS RRset.
-	</para>
-	<para>
-	  Step 4: Inform the parent zone of the new NS RRset then wait for all the
-	  parent servers to be answering with the new NS RRset.
-	</para>
-	<para>
-	  Step 5: Wait for cache to be clear of the old NS RRset.
-	  See Step 2 for how long.
-	  If you are just adding nameservers you are done.
-	</para>
-	<para>
-	  Step 6: Remove any old nameservers from the zones NS RRset and
-	  wait for all the servers for the zone to be serving the new NS RRset.
-	</para>
-	<para>
-	  Step 7: Inform the parent zone of the new NS RRset then wait for all the
-	  parent servers to be answering with the new NS RRset.
-	</para>
-	<para>
-	  Step 8: Wait for cache to be clear of the old NS RRset.
-	  See Step 2 for how long.
-	</para>
-	<para>
-	  Step 9: Turn off the old nameservers or remove the zone entry from
-	  the configuration of the old nameservers.
-	</para>
-	<para>
-	  Step 10: Increment the serial number and wait for the change to
-	  be visible in all nameservers for the zone.  This ensures that
-	  zone transfers are still working after the old servers are
-	  decommissioned.
-	</para>
-	<para>
-	  Note: the above procedure is designed to be transparent
-	  to dns clients.  Decommissioning the old servers too early
-	  will result in some clients not being able to look up
-	  answers in the zone.
-	</para>
-	<para>
-	  Note: while it is possible to run the addition and removal
-	  stages together it is not recommended.
-	</para>
-      </answer>
-    </qandaentry>
-
-    </qandadiv> <!-- Operations Questions -->
-
-    <qandadiv><title>General Questions</title>
-	    
-    <qandaentry>
-      <question>
-	<para>
-	  I keep getting log messages like the following.  Why?
-	</para>
-	<para>
-	  Dec  4 23:47:59 client 10.0.0.1#1355: updating zone
-	  'example.com/IN': update failed: 'RRset exists (value
-	  dependent)' prerequisite not satisfied (NXRRSET)
-	</para>
-      </question>
-      <answer>
-	<para>
-	  DNS updates allow the update request to test to see if
-	  certain conditions are met prior to proceeding with the
-	  update.  The message above is saying that conditions were
-	  not met and the update is not proceeding.  See doc/rfc/rfc2136.txt
-	  for more details on prerequisites.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  I keep getting log messages like the following.  Why?
-	</para>
-	<para>
-	  Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Someone is trying to update your DNS data using the RFC2136
-	  Dynamic Update protocol.  Windows 2000 machines have a habit
-	  of sending dynamic update requests to DNS servers without
-	  being specifically configured to do so.  If the update
-	  requests are coming from a Windows 2000 machine, see
-	  <ulink
-	   url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
-  &lt;http://support.microsoft.com/support/kb/articles/q246/8/04.asp&gt;</ulink>
-	  for information about how to turn them off.
-	</para>
-      </answer>
-    </qandaentry>
-	    
-    <qandaentry>
-      <question>
-	<para>
-	  When I do a "dig . ns", many of the A records for the root
-	  servers are missing.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is normal and harmless.  It is a somewhat confusing
-	  side effect of the way BIND 9 does RFC2181 trust ranking
-	  and of the efforts BIND 9 makes to avoid promoting glue
-	  into answers.
-	</para>
-	<para>
-	 When BIND 9 first starts up and primes its cache, it receives
-	 the root server addresses as additional data in an authoritative
-	 response from a root server, and these records are eligible
-	 for inclusion as additional data in responses.  Subsequently
-	 it receives a subset of the root server addresses as
-	 additional data in a non-authoritative (referral) response
-	 from a root server.  This causes the addresses to now be
-	 considered non-authoritative (glue) data, which is not
-	 eligible for inclusion in responses.
-	</para>
-	<para>
-	 The server does have a complete set of root server addresses
-	 cached at all times, it just may not include all of them
-	 as additional data, depending on whether they were last
-	 received as answers or as glue.  You can always look up the
-	 addresses with explicit queries like "dig a.root-servers.net A".
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  Why don't my zones reload when I do an "rndc reload" or SIGHUP?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  A zone can be updated either by editing zone files and
-	  reloading the server or by dynamic update, but not both.
-	  If you have enabled dynamic update for a zone using the
-	  "allow-update" option, you are not supposed to edit the
-	  zone file by hand, and the server will not attempt to reload
-	  it.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  Why is named listening on UDP port other than 53?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Named uses a system selected port to make queries of other
-	  nameservers.  This behaviour can be overridden by using
-	  query-source to lock down the port and/or address.  See
-	  also notify-source and transfer-source.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I get warning messages like <quote>zone example.com/IN: refresh:
-	  failure trying master 1.2.3.4#53: timed out</quote>.
-	</para>
-      </question>
-      <answer>
-	<para>
-	Check that you can make UDP queries from the slave to the master
-	</para>
-	<informalexample>
-	  <programlisting>
-dig +norec example.com soa @1.2.3.4</programlisting>
-	</informalexample>
-	<para>
-	  You could be generating queries faster than the slave can
-	  cope with.  Lower the serial query rate.
-	</para>
-	<informalexample>
-	  <programlisting>
-serial-query-rate 5; // default 20</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>	    
-      <question>
-	<para>
-	  I don't get RRSIG's returned when I use "dig +dnssec".
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You need to ensure DNSSEC is enabled (dnssec-enable yes;).
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  Can a NS record refer to a CNAME.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  No.  The rules for glue (copies of the *address* records
-	  in the parent zones) and additional section processing do
-	  not allow it to work.
-	</para>
-	<para>
-	  You would have to add both the CNAME and address records
-	  (A/AAAA) as glue to the parent zone and have CNAMEs be
-	  followed when doing additional section processing to make
-	  it work.  No nameserver implementation supports either of
-	  these requirements.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  What does <quote>RFC 1918 response from Internet for
-	  0.0.0.10.IN-ADDR.ARPA</quote> mean?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  If the IN-ADDR.ARPA name covered refers to a internal address
-	  space you are using then you have failed to follow RFC 1918
-	  usage rules and are leaking queries to the Internet.  You
-	  should establish your own zones for these addresses to prevent
-	  you querying the Internet's name servers for these addresses.
-	  Please see <ulink url="http://as112.net/">&lt;http://as112.net/&gt;</ulink>
-	  for details of the problems you are causing and the counter
-	  measures that have had to be deployed.
-	</para>
-	<para>
-	  If you are not using these private addresses then a client
-	  has queried for them.  You can just ignore the messages,
-	  get the offending client to stop sending you these messages
-	  as they are most probably leaking them or setup your own zones
-	  empty zones to serve answers to these queries.
-	</para>
-	<informalexample>
-	  <programlisting>
-zone "10.IN-ADDR.ARPA" {
-	type master;
-	file "empty";
-};
-
-zone "16.172.IN-ADDR.ARPA" {
-	type master;
-	file "empty";
-};
-
-...
-
-zone "31.172.IN-ADDR.ARPA" {
-	type master;
-	file "empty";
-};
-
-zone "168.192.IN-ADDR.ARPA" {
-	type master;
-	file "empty";
-};
-
-empty:
-@ 10800 IN SOA &lt;name-of-server&gt;. &lt;contact-email&gt;. (
-	       1 3600 1200 604800 10800 )
-@ 10800 IN NS &lt;name-of-server&gt;.</programlisting>
-	</informalexample>
-	<para>
-	<note>
-	  Future versions of named are likely to do this automatically.
-	</note>
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  Will named be affected by the 2007 changes to daylight savings
-	  rules in the US.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  No, so long as the machines internal clock (as reported
-	  by "date -u") remains at UTC.  The only visible change
-	  if you fail to upgrade your OS, if you are in a affected
-	  area, will be that log messages will be a hour out during
-	  the period where the old rules do not match the new rules.
-	</para>
-	<para>
-	  For most OS's this change just means that you need to
-	  update the conversion rules from UTC to local time.
-	  Normally this involves updating a file in /etc (which
-	  sets the default timezone for the machine) and possibly
-	  a directory which has all the conversion rules for the
-	  world (e.g. /usr/share/zoneinfo).  When updating the OS
-	  do not forget to update any chroot areas as well.
-	  See your OS's documentation for more details.
-	</para>
-	<para>
-	  The local timezone conversion rules can also be done on
-	  a individual basis by setting the TZ environment variable
-	  appropriately.  See your OS's documentation for more
-	  details.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Is there a bugzilla (or other tool) database that mere
-	  mortals can have (read-only) access to for bind?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  No.  The BIND 9 bug database is kept closed for a number
-	  of reasons.  These include, but are not limited to, that
-	  the database contains proprietory information from people
-	  reporting bugs.  The database has in the past and may in
-	  future contain unfixed bugs which are capable of bringing
-	  down most of the Internet's DNS infrastructure.
-	</para>
-	<para>
-	  The release pages for each version contain up to date
-	  lists of bugs that have been fixed post release.  That
-	  is as close as we can get to providing a bug database.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why do queries for NSEC3 records fail to return the NSEC3 record?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  NSEC3 records are strictly meta data and can only be
-	  returned in the authority section.  This is done so that
-	  signing the zone using NSEC3 records does not bring names
-	  into existence that do not exist in the unsigned version
-	  of the zone.
-	</para>
-      </answer>
-    </qandaentry>
-
-    </qandadiv> <!-- General Questions -->
-    
-    <qandadiv><title>Operating-System Specific Questions</title>
-	    
-    <qandadiv><title>HPUX</title>
-
-    <qandaentry>
-      <question>
-	<para>I get the following error trying to configure BIND:
-<programlisting>checking if unistd.h or sys/types.h defines fd_set... no
-configure: error: need either working unistd.h or sys/select.h</programlisting>
-	</para>
-      </question>
-      <answer>
-	<para>
-	  You have attempted to configure BIND with the bundled C compiler.
-	  This compiler does not meet the minimum compiler requirements to
-	  for building BIND.  You need to install a ANSI C compiler and / or
-	  teach configure how to find the ANSI C compiler.  The later can
-	  be done by adjusting the PATH environment variable and / or
-	  specifying the compiler via CC.
-	</para>
-	<informalexample>
-	  <programlisting>./configure CC=&lt;compiler&gt; ...</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-
-    </qandadiv> <!-- HPUX -->
-
-    <qandadiv><title>Linux</title>
-	    
-    <qandaentry>
-      <question> 
-	<para>
-	  Why do I get the following errors:
-<programlisting>general: errno2result.c:109: unexpected error:
-general: unable to convert errno to isc_result: 14: Bad address
-client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is the result of a Linux kernel bug.
-	</para>
-	<para>
-	  See:
-	  <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">&lt;http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2&gt;</ulink>
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why does named lock up when it attempts to connect over IPSEC tunnels?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is due to a kernel bug where the fact that a socket is marked
-	  non-blocking is ignored.  It is reported that setting
-	  xfrm_larval_drop to 1 helps but this may have negative side effects.
-	  See:
-<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=427629">&lt;https://bugzilla.redhat.com/show_bug.cgi?id=427629&gt;</ulink>
-	  and
-<ulink url="http://lkml.org/lkml/2007/12/4/260">&lt;http://lkml.org/lkml/2007/12/4/260&gt;</ulink>.
-	</para>
-	<para>
-	xfrm_larval_drop can be set to 1 by the following procedure:
-<programlisting>
-echo "1" &gt; proc/sys/net/core/xfrm_larval_drop</programlisting>
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Why do I see 5 (or more) copies of named on Linux?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Linux threads each show up as a process under ps.  The
-	  approximate number of threads running is n+4, where n is
-	  the number of CPUs.  Note that the amount of memory used
-	  is not cumulative; if each process is using 10M of memory,
-	  only a total of 10M is used.
-	</para>
-	<para>
-	  Newer versions of Linux's ps command hide the individual threads
-	  and require -L to display them.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  Why does BIND 9 log <quote>permission denied</quote> errors accessing
-	  its configuration files or zones on my Linux system even
-	  though it is running as root?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  On Linux, BIND 9 drops most of its root privileges on
-	  startup.  This including the privilege to open files owned
-	  by other users.  Therefore, if the server is running as
-	  root, the configuration files and zone files should also
-	  be owned by root.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I get the error message <quote>named: capset failed: Operation
-	  not permitted</quote> when starting named.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  The capability module, part of "Linux Security Modules/LSM",
-	  has not been loaded into the kernel.  See insmod(8), modprobe(8).
-	</para>
-	<para>
-	  The relevant modules can be loaded by running:
-<programlisting>
-modprobe commoncap
-modprobe capability</programlisting>
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	   I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
-	</para>
-	<para>
-	  Why can't named update slave zone database files?
-	</para>
-	<para>
-	  Why can't named create DDNS journal files or update
-	  the master zones from journals?
-	</para>
-	<para>
-	  Why can't named create custom log files?
-	</para>
-      </question>
-
-      <answer>
-	<para>
-	  Red Hat Security Enhanced Linux (SELinux) policy security
-	  protections :
-	</para>
-
-	<para>
-	   Red Hat have adopted the National Security Agency's
-	   SELinux security policy (see <ulink
-   url="http://www.nsa.gov/selinux">&lt;http://www.nsa.gov/selinux&gt;</ulink>)
-	   and recommendations for BIND security , which are more
-	   secure than running named in a chroot and make use of
-	   the bind-chroot environment unnecessary .
-	</para>
-
-	<para>
-	  By default, named is not allowed by the SELinux policy
-	  to write, create or delete any files EXCEPT in these
-	  directories:
-	  <informalexample>
-	    <programlisting>
-$ROOTDIR/var/named/slaves
-$ROOTDIR/var/named/data
-$ROOTDIR/var/tmp
-	    </programlisting>
-	  </informalexample>
-	  where $ROOTDIR may be set in /etc/sysconfig/named if
-	  bind-chroot is installed.
-	</para>
-
-	<para>
-	  The SELinux policy particularly does NOT allow named to modify
-	  the $ROOTDIR/var/named directory, the default location for master
-	  zone database files.
-	</para>
-
-	<para>
-	  SELinux policy overrules file access permissions - so
-	  even if all the files under /var/named have ownership
-	  named:named and mode rw-rw-r--, named will still not be
-	  able to write or create files except in the directories
-	  above, with SELinux in Enforcing mode.
-	</para>
-  
-	<para>
-	  So, to allow named to update slave or DDNS zone files,
-	  it is best to locate them in $ROOTDIR/var/named/slaves,
-	  with named.conf zone statements such as:
-	  <informalexample>
-	    <programlisting>
-zone "slave.zone." IN {
-	type slave;
-	file "slaves/slave.zone.db";
-	...
-};   
-zone "ddns.zone." IN  {
-	type master;
-	allow-updates {...};
-	file "slaves/ddns.zone.db";
-};
-	    </programlisting>
-	  </informalexample>
-	</para>
-
-	<para>
-	  To allow named to create its cache dump and statistics
-	  files, for example, you could use named.conf options
-	  statements such as:
-	  <informalexample>
-	    <programlisting>
-options {
-	...
-	dump-file "/var/named/data/cache_dump.db";
-	statistics-file "/var/named/data/named_stats.txt";
-	...
-};
-	    </programlisting>
-	  </informalexample>
-	</para>
-
-	<para>
-	  You can also tell SELinux to allow named to update any
-	  zone database files, by setting the SELinux tunable boolean
-	  parameter 'named_write_master_zones=1', using the
-	  system-config-securitylevel GUI, using the 'setsebool'
-	  command, or in /etc/selinux/targeted/booleans.
-	</para>
-  
-	<para>
-	  You can disable SELinux protection for named entirely by
-	  setting the 'named_disable_trans=1' SELinux tunable boolean
-	  parameter.
-	</para>
-    
-	<para>
-	  The SELinux named policy defines these SELinux contexts for named:
-	  <informalexample>
-	    <programlisting>
-named_zone_t : for zone database files       - $ROOTDIR/var/named/*
-named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
-named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
-	    </programlisting>
-	  </informalexample>
-	</para>
-   
-	<para>
-	  If you want to retain use of the SELinux policy for named,
-	  and put named files in different locations, you can do
-	  so by changing the context of the custom file locations
-	  .
-	</para>
-
-	<para>
-	  To create a custom configuration file location, e.g.
-	  '/root/named.conf', to use with the 'named -c' option,
-	  do:
-	  <informalexample>
-	    <programlisting>
-# chcon system_u:object_r:named_conf_t /root/named.conf
-	    </programlisting>
-	  </informalexample>
-	</para>
-  
-	<para>
-	  To create a custom modifiable named data location, e.g.
-	  '/var/log/named' for a log file, do:
-	  <informalexample>
-	    <programlisting>
-# chcon system_u:object_r:named_cache_t /var/log/named
-	    </programlisting>
-	  </informalexample>
-	</para>
-   
-	<para>
-   To create a custom zone file location, e.g. /root/zones/, do:
-	  <informalexample>
-	    <programlisting>
-# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
-	    </programlisting>
-	  </informalexample>
-	</para>
-  
-	<para>
-	  See these man-pages for more information : selinux(8),
-	  named_selinux(8), chcon(1), setsebool(8)
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	   I'm running BIND on Ubuntu -
-	</para>
-	<para>
-	  Why can't named update slave zone database files?
-	</para>
-	<para>
-	  Why can't named create DDNS journal files or update
-	  the master zones from journals?
-	</para>
-	<para>
-	  Why can't named create custom log files?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Ubuntu uses AppArmor <ulink url="http://en.wikipedia.org/wiki/AppArmor">
-          &lt;http://en.wikipedia.org/wiki/AppArmor&gt;</ulink> in
-	  addition to normal file system permissions to protect the system.
-	</para>
-	<para>
-	  Adjust the paths to use those specified in /etc/apparmor.d/usr.sbin.named
-	  or adjust /etc/apparmor.d/usr.sbin.named to allow named to write at the
-	  location specified in named.conf.
-	</para>
-      </answer>
-    </qandaentry>
-
-    <qandaentry>
-      <question>
-	<para>
-	  Listening on individual IPv6 interfaces does not work.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is usually due to "/proc/net/if_inet6" not being available
-	  in the chroot file system.  Mount another instance of "proc"
-	  in the chroot file system.
-	</para>
-	<para>
-	  This can be be made permanent by adding a second instance to
-	  /etc/fstab.
-	  <informalexample>
-	    <programlisting>
-proc /proc           proc defaults 0 0
-proc /var/named/proc proc defaults 0 0</programlisting>
-	  </informalexample>
-	</para>
-      </answer>
-    </qandaentry>
-    
-    </qandadiv> <!-- Linux -->
-    
-    <qandadiv><title>Windows</title>
-	    
-    <qandaentry>
-      <question>
-	<para>
-	  Zone transfers from my BIND 9 master to my Windows 2000
-	  slave fail.  Why?
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This may be caused by a bug in the Windows 2000 DNS server
-	  where DNS messages larger than 16K are not handled properly.
-	  This can be worked around by setting the option "transfer-format
-	  one-answer;".  Also check whether your zone contains domain
-	  names with embedded spaces or other special characters,
-	  like "John\032Doe\213s\032Computer", since such names have
-	  been known to cause Windows 2000 slaves to incorrectly
-	  reject the zone.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    <qandaentry>
-      <question>
-	<para>
-	  I get <quote>Error 1067</quote> when starting named under Windows.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  This is the service manager saying that named exited.   You
-	  need to examine the Application log in the EventViewer to
-	  find out why.
-	</para>
-	<para>
-	  Common causes are that you failed to create "named.conf"
-	  (usually "C:\windows\dns\etc\named.conf") or failed to
-	  specify the directory in named.conf.
-	</para>
-	<informalexample>
-	  <programlisting>
-options {
-	Directory "C:\windows\dns\etc";
-};</programlisting>
-	</informalexample>
-      </answer>
-    </qandaentry>
-	    
-    </qandadiv> <!-- Windows -->
-    
-    <qandadiv><title>FreeBSD</title>
-	    
-    <qandaentry>
-      <question>
-	<para>
-	  I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
-	</para>
-      </question>
-      <answer>
-	<para>
-	  /dev/random is not configured.  Use rndcontrol(8) to tell
-	  the kernel to use certain interrupts as a source of random
-	  events.  You can make this permanent by setting rand_irqs
-	  in /etc/rc.conf.
-	</para>
-	<informalexample>
-	  <programlisting>
-rand_irqs="3 14 15"</programlisting>
-	</informalexample>
-	<para>
-	  See also
-	  <ulink url="http://people.freebsd.org/~dougb/randomness.html">
-	  &lt;http://people.freebsd.org/~dougb/randomness.html&gt;</ulink>.
-	</para>
-      </answer>
-    </qandaentry>
-    
-    </qandadiv> <!-- FreeBSD -->
-    
-    <qandadiv><title>Solaris</title>
-	    
-    <qandaentry>
-      <question>
-	<para>
-	  How do I integrate BIND 9 and Solaris SMF
-	</para>
-      </question>
-      <answer>
-	<para>
-	  Sun has a blog entry describing how to do this.
-	</para>
-	<para>
-	  <ulink
-	  url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
-	 &lt;http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris&gt;
-	  </ulink>
-	</para>
-      </answer>
-    </qandaentry>
-    
-    </qandadiv>
-
-    <qandadiv><title>Apple Mac OS X</title>
-
-    <qandaentry>
-      <question>
-	<para>
-	  How do I run BIND 9 on Apple Mac OS X?
-	</para>
-      </question>
-      <answer>
-	<para>
-	 If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
-	</para>
-	<informalexample>
-	  <programlisting>
-% sudo rndc-confgen  > /etc/rndc.conf</programlisting>
-	</informalexample>
-	<para>
-	  Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
-	</para>
-	<informalexample>
-	  <programlisting>
-key "rndc-key" {
-	algorithm hmac-sha256;
-	secret "uvceheVuqf17ZwIcTydddw==";
-};</programlisting>
-	</informalexample>
-	<para>
-	  Then start the relevant service:
-	</para>
-	<informalexample>
-	  <programlisting>
-% sudo service org.isc.named start</programlisting>
-	</informalexample>
-	<para>
-	  This is persistent upon a reboot, so you will have to do it only once.
-	</para>
-      </answer>
-
-      <answer>
-	<para>
-	 Alternatively you can just generate /etc/rndc.key by running:
-	</para>
-	<informalexample>
-	  <programlisting>
-% sudo rndc-confgen -a</programlisting>
-	</informalexample>
-	<para>
-	  Then start the relevant service:
-	</para>
-	<informalexample>
-	  <programlisting>
-% sudo service org.isc.named start</programlisting>
-	</informalexample>
-	<para>
-	  Named will look for /etc/rndc.key when it starts if it
-	  doesn't have a controls section or the existing controls are
-	  missing keys sub-clauses.  This is persistent upon a
-	  reboot, so you will have to do it only once.
-	</para>
-      </answer>
-    </qandaentry>
-
-    </qandadiv>
-    
-    </qandadiv> <!-- Operating-System Specific Questions -->
-
-  </qandaset>
-</article>
diff --git a/contrib/bind9/HISTORY b/contrib/bind9/HISTORY
deleted file mode 100644
index 9a3b759..0000000
--- a/contrib/bind9/HISTORY
+++ /dev/null
@@ -1,365 +0,0 @@
-Summary of functional enhancements from prior major releases of BIND 9:
-
-BIND 9.8.0
-
-        BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
-        releases.  New features include:
-
-        - Built-in trust anchor for the root zone, which can be
-          switched on via "dnssec-validation auto;"
-        - Support for DNS64.
-        - Support for response policy zones (RPZ).
-        - Support for writable DLZ zones.
-        - Improved ease of configuration of GSS/TSIG for
-          interoperability with Active Directory
-        - Support for GOST signing algorithm for DNSSEC.
-        - Removed RTT Banding from server selection algorithm.
-        - New "static-stub" zone type.
-        - Allow configuration of resolver timeouts via
-          "resolver-query-timeout" option.
-	- The DLZ "dlopen" driver is now built by default.
-	- Added a new include file with function typedefs
-          for the DLZ "dlopen" driver.
-	- Made "--with-gssapi" default.
-	- More verbose error reporting from DLZ LDAP.
-
-BIND 9.7.0
-
-	BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
-	releases.  Most are intended to simplify DNSSEC configuration.
-
-	New features include:
-
-	- Fully automatic signing of zones by "named".
-	- Simplified configuration of DNSSEC Lookaside Validation (DLV).
-	- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
-	  command line tool or the "local" update-policy option.  (As a side
-	  effect, this also makes it easier to configure automatic zone
-	  re-signing.)
-	- New named option "attach-cache" that allows multiple views to
-	  share a single cache.
-	- DNS rebinding attack prevention.
-	- New default values for dnssec-keygen parameters.
-	- Support for RFC 5011 automated trust anchor maintenance
-	- Smart signing: simplified tools for zone signing and key
-	  maintenance.
-	- The "statistics-channels" option is now available on Windows.
-	- A new DNSSEC-aware libdns API for use by non-BIND9 applications
-	- On some platforms, named and other binaries can now print out
-	  a stack backtrace on assertion failure, to aid in debugging.
-	- A "tools only" installation mode on Windows, which only installs
-	  dig, host, nslookup and nsupdate.
-	- Improved PKCS#11 support, including Keyper support and explicit
-	  OpenSSL engine selection.
-
-BIND 9.6.0
-
-        Full NSEC3 support
-
-        Automatic zone re-signing
-
-	New update-policy methods tcp-self and 6to4-self
-
-        The BIND 8 resolver library, libbind, has been removed from the
-        BIND 9 distribution and is now available as a separate download.
-
-	Change the default pid file location from /var/run to
-	/var/run/{named,lwresd} for improved chroot/setuid support.
-
-BIND 9.5.0
-
-	GSS-TSIG support (RFC 3645).
-
-	DHCID support.
-
-	Experimental http server and statistics support for named via xml.
-
-	More detailed statistics counters including those supported in BIND 8.
-
-	Faster ACL processing.
-
-	Use Doxygen to generate internal documentation.
-
-        Efficient LRU cache-cleaning mechanism.
-
-        NSID support.
-
-BIND 9.4.0
-
-	Implemented "additional section caching (or acache)", an
-	internal cache framework for additional section content to
-	improve response performance.  Several configuration options
-	were provided to control the behavior.
-
-	New notify type 'master-only'.  Enable notify for master
-	zones only.
-
-	Accept 'notify-source' style syntax for query-source.
-
-	rndc now allows addresses to be set in the server clauses.
-
-	New option "allow-query-cache".  This lets "allow-query"
-	be used to specify the default zone access level rather
-	than having to have every zone override the global value.
-	"allow-query-cache" can be set at both the options and view
-	levels.  If "allow-query-cache" is not set then "allow-recursion"
-	is used if set, otherwise "allow-query" is used if set
-	unless "recursion no;" is set in which case "none;" is used,
-	otherwise the default (localhost; localnets;) is used.
-
-	rndc: the source address can now be specified.
-
-	ixfr-from-differences now takes master and slave in addition
-	to yes and no at the options and view levels.
-
-	Allow the journal's name to be changed via named.conf.
-
-	'rndc notify zone [class [view]]' resend the NOTIFY messages
-	for the specified zone.
-
-	'dig +trace' now randomly selects the next servers to try.
-	Report if there is a bad delegation.
-
-	Improve check-names error messages.
-
-	Make public the function to read a key file, dst_key_read_public().
-
-	dig now returns the byte count for axfr/ixfr.
-			
-	allow-update is now settable at the options / view level.
-
-	named-checkconf now checks the logging configuration.
-
-	host now can turn on memory debugging flags with '-m'.
-
-	Don't send notify messages to self.
-
-	Perform sanity checks on NS records which refer to 'in zone' names.
-
-	New zone option "notify-delay".  Specify a minimum delay
-	between sets of NOTIFY messages.
-
-	Extend adjusting TTL warning messages.
-
-	Named and named-checkzone can now both check for non-terminal
-	wildcard records.
-
-	"rndc freeze/thaw" now freezes/thaws all zones.
-
-	named-checkconf now check acls to verify that they only
-	refer to existing acls.
-
-	The server syntax has been extended to support a range of
-	servers.
-
-	Report differences between hints and real NS rrset and
-	associated address records.
-
-	Preserve the case of domain names in rdata during zone
-	transfers.
-
-	Restructured the data locking framework using architecture
-	dependent atomic operations (when available), improving
-	response performance on multi-processor machines significantly.
-	x86, x86_64, alpha, powerpc, and mips are currently supported.
-
-	UNIX domain controls are now supported.
-
-	Add support for additional zone file formats for improving
-	loading performance.  The masterfile-format option in
-	named.conf can be used to specify a non-default format.  A
-	separate command named-compilezone was provided to generate
-	zone files in the new format.  Additionally, the -I and -O
-	options for dnssec-signzone specify the input and output
-	formats.
-
-	dnssec-signzone can now randomize signature end times
-	(dnssec-signzone -j jitter).
-
-	Add support for CH A record.
-
-	Add additional zone data constancy checks.  named-checkzone
-	has extended checking of NS, MX and SRV record and the hosts
-	they reference.  named has extended post zone load checks.
-	New zone options: check-mx and integrity-check.
-
-
-	edns-udp-size can now be overridden on a per server basis.
-
-	dig can now specify the EDNS version when making a query.
-
-	Added framework for handling multiple EDNS versions.
-
-	Additional memory debugging support to track size and mctx
-	arguments.
-
-	Detect duplicates of UDP queries we are recursing on and
-	drop them.  New stats category "duplicates".
-
-	"USE INTERNAL MALLOC" is now runtime selectable.
-
-	The lame cache is now done on a <qname,qclass,qtype> basis
-	as some servers only appear to be lame for certain query
-	types.
-
-	Limit the number of recursive clients that can be waiting
-	for a single query (<qname,qtype,qclass>) to resolve.  New
-	options clients-per-query and max-clients-per-query.
-
-	dig: report the number of extra bytes still left in the
-	packet after processing all the records.
-
-	Support for IPSECKEY rdata type.
-
-	Raise the UDP recieve buffer size to 32k if it is less than 32k.
-
-	x86 and x86_64 now have seperate atomic locking implementations.
-
-	named-checkconf now validates update-policy entries.
-
-	Attempt to make the amount of work performed in a iteration
-	self tuning.  The covers nodes clean from the cache per
-	iteration, nodes written to disk when rewriting a master
-	file and nodes destroyed per iteration when destroying a
-	zone or a cache.
-
-	ISC string copy API.
-
-	Automatic empty zone creation for D.F.IP6.ARPA and friends.
-	Note: RFC 1918 zones are not yet covered by this but are
-	likely to be in a future release.
-
-	New options: empty-server, empty-contact, empty-zones-enable
-	and disable-empty-zone.
-
-	dig now has a '-q queryname' and '+showsearch' options.
-
-	host/nslookup now continue (default)/fail on SERVFAIL.
-
-	dig now warns if 'RA' is not set in the answer when 'RD'
-	was set in the query.  host/nslookup skip servers that fail
-	to set 'RA' when 'RD' is set unless a server is explicitly
-	set.
-
-	Integrate contibuted DLZ code into named.
-
-	Integrate contibuted IDN code from JPNIC.
-
-	libbind: corresponds to that from BIND 8.4.7.
-
-BIND 9.3.0
-
-	DNSSEC is now DS based (RFC 3658).
-	See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
-
-	DNSSEC lookaside validation.
-
-	check-names is now implemented.
-	rrset-order in more complete.
-
-	IPv4/IPv6 transition support, dual-stack-servers.
-
-	IXFR deltas can now be generated when loading master files,
-	ixfr-from-differences.
-
-	It is now possible to specify the size of a journal, max-journal-size.
-
-	It is now possible to define a named set of master servers to be
-	used in masters clause, masters.
-
-	The advertised EDNS UDP size can now be set, edns-udp-size.
-
-	allow-v6-synthesis has been obsoleted.
-
-	NOTE:
-	* Zones containing MD and MF will now be rejected.
-	* dig, nslookup name. now report "Not Implemented" as
-	  NOTIMP rather than NOTIMPL.  This will have impact on scripts
-	  that are looking for NOTIMPL.
-
-	libbind: corresponds to that from BIND 8.4.5.
-
-BIND 9.2.0
-
-	The size of the cache can now be limited using the
-        "max-cache-size" option.
-
-	The server can now automatically convert RFC1886-style recursive
-	lookup requests into RFC2874-style lookups, when enabled using the
-	new option "allow-v6-synthesis".  This allows stub resolvers that
-	support AAAA records but not A6 record chains or binary labels to
-	perform lookups in domains that make use of these IPv6 DNS
-	features.
-
-	Performance has been improved.
-
-	The man pages now use the more portable "man" macros rather than
-	the "mandoc" macros, and are installed by "make install".
-
-	The named.conf parser has been completely rewritten.  It now
-	supports "include" directives in more places such as inside "view"
-	statements, and it no longer has any reserved words.
-
-	The "rndc status" command is now implemented.
-
-	rndc can now be configured automatically.
-
-	A BIND 8 compatible stub resolver library is now included in
-	lib/bind.
-
-	OpenSSL has been removed from the distribution.  This means that to
-	use DNSSEC, OpenSSL must be installed and the --with-openssl option
-	must be supplied to configure.  This does not apply to the use of
-	TSIG, which does not require OpenSSL.
-
-	The source distribution now builds on Windows.  See
-	win32utils/readme1.txt and win32utils/win32-build.txt for details.
-
-	This distribution also includes a new lightweight stub
-	resolver library and associated resolver daemon that fully
-	support forward and reverse lookups of both IPv4 and IPv6
-	addresses.  This library is considered experimental and
-	is not a complete replacement for the BIND 8 resolver library.
-	Applications that use the BIND 8 res_* functions to perform
-	DNS lookups or dynamic updates still need to be linked against
-	the BIND 8 libraries.  For DNS lookups, they can also use the
-	new "getrrsetbyname()" API.
-
-	BIND 9.2 is capable of acting as an authoritative server
-	for DNSSEC secured zones.  This functionality is believed to
-	be stable and complete except for lacking support for
-	verifications involving wildcard records in secure zones.
-
-	When acting as a caching server, BIND 9.2 can be configured
-	to perform DNSSEC secure resolution on behalf of its clients.
-	This part of the DNSSEC implementation is still considered
-	experimental.  For detailed information about the state of the
-	DNSSEC implementation, see the file doc/misc/dnssec.
-
-	There are a few known bugs:
-
-	    On some systems, IPv6 and IPv4 sockets interact in
-	    unexpected ways.  For details, see doc/misc/ipv6.
-	    To reduce the impact of these problems, the server
-	    no longer listens for requests on IPv6 addresses
-	    by default.  If you need to accept DNS queries over
-	    IPv6, you must specify "listen-on-v6 { any; };"
-	    in the named.conf options statement.
-
-	    FreeBSD prior to 4.2 (and 4.2 if running as non-root)
-	    and OpenBSD prior to 2.8 log messages like
-	    "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
-	    This is due to a bug in "/dev/random" and impacts the
-	    server's DNSSEC support.
-
-	    OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
-	    OS X 10.2 (Darwin 6.0) reports errors like
-	    "fcntl(3, F_SETFL, 4): Operation not supported by device".
-	    This is due to a bug in "/dev/random" and impacts the
-	    server's DNSSEC support.
-
-	    --with-libtool does not work on AIX.
-
-	A bug in some versions of the Microsoft DNS server can cause zone
-        transfers from a BIND 9 server to a W2K server to fail.  For details,
-	see the "Zone Transfers" section in doc/misc/migration.
diff --git a/contrib/bind9/Makefile.in b/contrib/bind9/Makefile.in
deleted file mode 100644
index 7c1d665..0000000
--- a/contrib/bind9/Makefile.in
+++ /dev/null
@@ -1,90 +0,0 @@
-# Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2002  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.62 2011/09/06 04:06:37 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-SUBDIRS =	make unit lib bin doc @LIBEXPORT@
-TARGETS =
-
-MANPAGES =	isc-config.sh.1
-
-HTMLPAGES =	isc-config.sh.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-distclean::
-	rm -f config.cache config.h config.log config.status TAGS
-	rm -f libtool isc-config.sh configure.lineno
-	rm -f util/conf.sh docutil/docbook2man-wrapper.sh
-
-# XXX we should clean libtool stuff too.  Only do this after we add rules
-# to make it.
-maintainer-clean::
-	rm -f configure
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-doc man:: ${MANOBJS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
-	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-
-install:: isc-config.sh installdirs
-	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
-	${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
-	${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
-
-tags:
-	rm -f TAGS
-	find lib bin -name "*.[ch]" -print | @ETAGS@ -
-
-test check:
-	@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>&- || echo fail`"; then \
-	echo I: NOTE: The tests were not run because they require that; \
-	echo I:	the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
-	echo I:	as alias addresses on the loopback interface.  Please run; \
-	echo I:	\'bin/tests/system/ifconfig.sh up\' as root to configure; \
-	echo I:	them, then rerun the tests. Run make force-test to run the; \
-	echo I:	tests anyway.; \
-	exit 1; \
-	fi
-	${MAKE} test-force
-
-force-test: test-force
-
-test-force:
-	status=0; \
-	(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
-	(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \
-	exit $$status
-
-FAQ: FAQ.xml
-	${XSLTPROC} doc/xsl/isc-docbook-text.xsl FAQ.xml | \
-	LC_ALL=C ${W3M} -T text/html -dump -cols 72 >$@.tmp
-	mv $@.tmp $@
-
-clean::
-	rm -f FAQ.tmp
diff --git a/contrib/bind9/README b/contrib/bind9/README
deleted file mode 100644
index 88d799e..0000000
--- a/contrib/bind9/README
+++ /dev/null
@@ -1,374 +0,0 @@
-BIND 9
-
-	BIND version 9 is a major rewrite of nearly all aspects of the
-	underlying BIND architecture.  Some of the important features of
-	BIND 9 are:
-
-		- DNS Security
-			DNSSEC (signed zones)
-			TSIG (signed DNS requests)
-
-		- IP version 6
-			Answers DNS queries on IPv6 sockets
-			IPv6 resource records (AAAA)
-			Experimental IPv6 Resolver Library
-
-		- DNS Protocol Enhancements
-			IXFR, DDNS, Notify, EDNS0
-			Improved standards conformance
-
-		- Views
-			One server process can provide multiple "views" of
-			the DNS namespace, e.g. an "inside" view to certain
-			clients, and an "outside" view to others.
-
-		- Multiprocessor Support
-
-		- Improved Portability Architecture
-
-
-	BIND version 9 development has been underwritten by the following
-	organizations:
-
-		Sun Microsystems, Inc.
-		Hewlett Packard
-		Compaq Computer Corporation
-		IBM
-		Process Software Corporation
-		Silicon Graphics, Inc.
-		Network Associates, Inc.
-		U.S. Defense Information Systems Agency
-		USENIX Association
-		Stichting NLnet - NLnet Foundation
-		Nominum, Inc.
-
-	For a summary of functional enhancements in previous
-	releases, see the HISTORY file.
-
-	For a detailed list of user-visible changes from
-	previous releases, see the CHANGES file.
-
-        For up-to-date release notes and errata, see
-        http://www.isc.org/software/bind9/releasenotes
-
-BIND 9.9.3
-
-	BIND 9.9.3 is a maintenance release and patches the security
-	flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
-
-BIND 9.9.2
-
-	BIND 9.9.2 is a maintenance release and patches the security
-	flaw described in CVE-2012-4244.
-
-BIND 9.9.1
-
-	BIND 9.9.1 is a maintenance release.
-
-BIND 9.9.0
-
-	BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
-	releases.  New features include:
-
-        - Inline signing, allowing automatic DNSSEC signing of
-          master zones without modification of the zonefile, or 
-          "bump in the wire" signing in slaves.
-        - NXDOMAIN redirection.
-        - New 'rndc flushtree' command clears all data under a given
-          name from the DNS cache.
-        - New 'rndc sync' command dumps pending changes in a dynamic
-          zone to disk without a freeze/thaw cycle.
-        - New 'rndc signing' command displays or clears signing status
-          records in 'auto-dnssec' zones.
-        - NSEC3 parameters for 'auto-dnssec' zones can now be set prior
-          to signing, eliminating the need to initially sign with NSEC.
-        - Startup time improvements on large authoritative servers.
-        - Slave zones are now saved in raw format by default.
-        - Several improvements to response policy zones (RPZ).
-        - Improved hardware scalability by using multiple threads
-          to listen for queries and using finer-grained client locking
-        - The 'also-notify' option now takes the same syntax as
-          'masters', so it can used named masterlists and TSIG keys.
-        - 'dnssec-signzone -D' writes an output file containing only DNSSEC
-          data, which can be included by the primary zone file.
-        - 'dnssec-signzone -R' forces removal of signatures that are
-          not expired but were created by a key which no longer exists.
-        - 'dnssec-signzone -X' allows a separate expiration date to
-          be specified for DNSKEY signatures from other signatures.
-        - New '-L' option to dnssec-keygen, dnssec-settime, and
-          dnssec-keyfromlabel sets the default TTL for the key.
-        - dnssec-dsfromkey now supports reading from standard input,
-          to make it easier to convert DNSKEY to DS.
-        - RFC 1918 reverse zones have been added to the empty-zones
-          table per RFC 6303.
-        - Dynamic updates can now optionally set the zone's SOA serial
-          number to the current UNIX time.
-        - DLZ modules can now retrieve the source IP address of
-          the querying client.
-        - 'request-ixfr' option can now be set at the per-zone level.
-        - 'dig +rrcomments' turns on comments about DNSKEY records,
-          indicating their key ID, algorithm and function
-        - Simplified nsupdate syntax and added readline support
-
-Building
-
-	BIND 9 currently requires a UNIX system with an ANSI C compiler,
-	basic POSIX support, and a 64 bit integer type.
-
-	We've had successful builds and tests on the following systems:
-
-		COMPAQ Tru64 UNIX 5.1B
-		Fedora Core 6
-		FreeBSD 4.10, 5.2.1, 6.2
-		HP-UX 11.11
-		Mac OS X 10.5
-		NetBSD 3.x, 4.0-beta, 5.0-beta
-		OpenBSD 3.3 and up
-		Solaris 8, 9, 9 (x86), 10
-		Ubuntu 7.04, 7.10
-		Windows XP/2003/2008
-
-        NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
-        Windows, including Windows NT and Windows 2000, are no longer
-        supported.
-
-	We have recent reports from the user community that a supported
-	version of BIND will build and run on the following systems:
-
-		AIX 4.3, 5L
-		CentOS 4, 4.5, 5
-		Darwin 9.0.0d1/ARM
-		Debian 4, 5, 6
-		Fedora Core 5, 7, 8
-		FreeBSD 6, 7, 8
-		HP-UX 11.23 PA
-		MacOS X 10.5, 10.6, 10.7
-		Red Hat Enterprise Linux 4, 5, 6
-		SCO OpenServer 5.0.6
-		Slackware 9, 10
-		SuSE 9, 10
-
-	To build, just
-
-		./configure
-		make
-
-	Do not use a parallel "make".
-
-	Several environment variables that can be set before running
-	configure will affect compilation:
-
-	    CC
-		The C compiler to use.	configure tries to figure
-		out the right one for supported systems.
-
-	    CFLAGS
-		C compiler flags.  Defaults to include -g and/or -O2
-		as supported by the compiler.  Please include '-g'
-		if you need to set CFLAGS.
-
-	    STD_CINCLUDES
-		System header file directories.	 Can be used to specify
-		where add-on thread or IPv6 support is, for example.
-		Defaults to empty string.
-
-	    STD_CDEFINES
-		Any additional preprocessor symbols you want defined.
-		Defaults to empty string.
-
-		Possible settings:
-		Change the default syslog facility of named/lwresd.
-		  -DISC_FACILITY=LOG_LOCAL0	
-		Enable DNSSEC signature chasing support in dig.
-		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
-				    -DDIG_SIGCHASE_BU=1)
-		Disable dropping queries from particular well known ports.
-		  -DNS_CLIENT_DROPPORT=0
-	        Sibling glue checking in named-checkzone is enabled by default.
-		To disable the default check set.  -DCHECK_SIBLING=0
-		named-checkzone checks out-of-zone addresses by default.
-		To disable this default set.  -DCHECK_LOCAL=0
-		To create the default pid files in ${localstatedir}/run rather
-		than ${localstatedir}/run/{named,lwresd}/ set.
-		  -DNS_RUN_PID_DIR=0
-		Enable workaround for Solaris kernel bug about /dev/poll
-		  -DISC_SOCKET_USE_POLLWATCH=1
-		  The watch timeout is also configurable, e.g.,
-		  -DISC_SOCKET_POLLWATCH_TIMEOUT=20
-
-	    LDFLAGS
-		Linker flags. Defaults to empty string.
-
-	The following need to be set when cross compiling.
-
-	    BUILD_CC
-		The native C compiler.
-	    BUILD_CFLAGS (optional)
-	    BUILD_CPPFLAGS (optional)
-		Possible Settings:
-		-DNEED_OPTARG=1		(optarg is not declared in <unistd.h>)
-	    BUILD_LDFLAGS (optional)
-	    BUILD_LIBS (optional)
-
-	To build shared libraries, specify "--with-libtool" on the
-	configure command line.
-
-	For the server to support DNSSEC, you need to build it
-	with crypto support.  You must have OpenSSL 0.9.5a
-	or newer installed and specify "--with-openssl" on the
-	configure command line.  If OpenSSL is installed under
-	a nonstandard prefix, you can tell configure where to
-	look for it using "--with-openssl=/prefix".
-
-	On some platforms it is necessary to explictly request large
-	file support to handle files bigger than 2GB.  This can be
-	done by "--enable-largefile" on the configure command line.
-
-	On some platforms, BIND 9 can be built with multithreading
-	support, allowing it to take advantage of multiple CPUs.
-	You can specify whether to build a multithreaded BIND 9 
-	by specifying "--enable-threads" or "--disable-threads"
-	on the configure command line.  The default is operating
-	system dependent.
-
-        Support for the "fixed" rrset-order option can be enabled
-        or disabled by specifying "--enable-fixed-rrset" or
-        "--disable-fixed-rrset" on the configure command line.
-        The default is "disabled", to reduce memory footprint.
-
-	If your operating system has integrated support for IPv6, it
-	will be used automatically.  If you have installed KAME IPv6
-	separately, use "--with-kame[=PATH]" to specify its location.
-
-	"make install" will install "named" and the various BIND 9 libraries.
-	By default, installation is into /usr/local, but this can be changed
-	with the "--prefix" option when running "configure".
-
-	You may specify the option "--sysconfdir" to set the directory 
-	where configuration files like "named.conf" go by default,
-	and "--localstatedir" to set the default parent directory
-	of "run/named.pid".   For backwards compatibility with BIND 8,
-	--sysconfdir defaults to "/etc" and --localstatedir defaults to
-	"/var" if no --prefix option is given.  If there is a --prefix
-	option, sysconfdir defaults to "$prefix/etc" and localstatedir
-	defaults to "$prefix/var".
-
-	To see additional configure options, run "configure --help".
-	Note that the help message does not reflect the BIND 8 
-	compatibility defaults for sysconfdir and localstatedir.
-
-	If you're planning on making changes to the BIND 9 source, you
-	should also "make depend".  If you're using Emacs, you might find
-	"make tags" helpful.
-
-	If you need to re-run configure please run "make distclean" first.
-	This will ensure that all the option changes take.
-
-	Building with gcc is not supported, unless gcc is the vendor's usual
-	compiler (e.g. the various BSD systems, Linux).
-	
-	Known compiler issues:
-	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
-	* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
-	* gcc-3.3.5 powerpc generates incorrect code at -02.
-	* Irix, MipsPRO 7.4.1m is known to cause problems.
-
-	A limited test suite can be run with "make test".  Many of
-	the tests require you to configure a set of virtual IP addresses
-	on your system, and some require Perl; see bin/tests/system/README
-	for details.
-
-	SunOS 4 requires "printf" to be installed to make the shared
-	libraries.  sh-utils-1.16 provides a "printf" which compiles
-	on SunOS 4.
-
-Known limitations
-
-	Linux requires kernel build 2.6.39 or later to get the
-	performance benefits from using multiple sockets.
-
-Documentation
-
-	The BIND 9 Administrator Reference Manual is included with the
-	source distribution in DocBook XML and HTML format, in the
-	doc/arm directory.
-
-	Some of the programs in the BIND 9 distribution have man pages
-	in their directories.  In particular, the command line
-	options of "named" are documented in /bin/named/named.8.
-	There is now also a set of man pages for the lwres library.
-
-	If you are upgrading from BIND 8, please read the migration
-	notes in doc/misc/migration.  If you are upgrading from
-	BIND 4, read doc/misc/migration-4to9.
-
-	Frequently asked questions and their answers can be found in
-	FAQ.
-
-        Additional information on various subjects can be found
-        in the other README files.
-
-
-Change Log
-
-	A detailed list of all changes to BIND 9 is included in the 
-	file CHANGES, with the most recent changes listed first.
-	Change notes include tags indicating the category of the
-	change that was made; these categories are:
-
-	   [func]	  New feature
-
-	   [bug]	  General bug fix
-
-	   [security]	  Fix for a significant security flaw
-
-	   [experimental] Used for new features when the syntax
-	   		  or other aspects of the design are still
-			  in flux and may change
-
-	   [port]	  Portability enhancement
-
-	   [maint]	  Updates to built-in data such as root
-			  server addresses and keys
-
-	   [tuning]	  Changes to built-in configuration defaults
-	   		  and constants to improve performanceo
-
-	   [protocol]	  Updates to the DNS protocol such as new
-			  RR types
-
-           [test]         Changes to the automatic tests, not
-                          affecting server functionality
-
-           [cleanup]      Minor corrections and refactoring
-
-	   [doc]	  Documentation
-
-	In general, [func] and [experimental] tags will only appear
-	in new-feature releases (i.e., those with version numbers
-	ending in zero).  Some new functionality may be backported to
-	older releases on a case-by-case basis.  All other change
-	types may be applied to all currently-supported releases.
-
-
-Bug Reports and Mailing Lists
-
-	Bugs reports should be sent to
-
-		bind9-bugs@isc.org
-
-	To join the BIND Users mailing list, send mail to
-
-		bind-users-request@isc.org
-
-	archives of which can be found via
-
-		http://www.isc.org/ops/lists/
-
-	If you're planning on making changes to the BIND 9 source
-	code, you might want to join the BIND Workers mailing list.
-	Send mail to
-
-		bind-workers-request@isc.org
-
-
diff --git a/contrib/bind9/acconfig.h b/contrib/bind9/acconfig.h
deleted file mode 100644
index 3d412d9..0000000
--- a/contrib/bind9/acconfig.h
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
-
-/*! \file */
-
-/***
- *** This file is not to be included by any public header files, because
- *** it does not get installed.
- ***/
-@TOP@
-
-/** define on DEC OSF to enable 4.4BSD style sa_len support */
-#undef _SOCKADDR_LEN
-
-/** define if your system needs pthread_init() before using pthreads */
-#undef NEED_PTHREAD_INIT
-
-/** define if your system has sigwait() */
-#undef HAVE_SIGWAIT
-
-/** define if sigwait() is the UnixWare flavor */
-#undef HAVE_UNIXWARE_SIGWAIT
-
-/** define on Solaris to get sigwait() to work using pthreads semantics */
-#undef _POSIX_PTHREAD_SEMANTICS
-
-/** define if LinuxThreads is in use */
-#undef HAVE_LINUXTHREADS
-
-/** define if sysconf() is available */
-#undef HAVE_SYSCONF
-
-/** define if sysctlbyname() is available */
-#undef HAVE_SYSCTLBYNAME
-
-/** define if catgets() is available */
-#undef HAVE_CATGETS
-
-/** define if getifaddrs() exists */
-#undef HAVE_GETIFADDRS
-
-/** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
-#undef HAVE_IFLIST_SYSCTL
-
-/** define if tzset() is available */
-#undef HAVE_TZSET
-
-/** define if struct addrinfo exists */
-#undef HAVE_ADDRINFO
-
-/** define if getaddrinfo() exists */
-#undef HAVE_GETADDRINFO
-
-/** define if gai_strerror() exists */
-#undef HAVE_GAISTRERROR
-
-/** define if arc4random() exists */
-#undef HAVE_ARC4RANDOM
-
-/**
- * define if pthread_setconcurrency() should be called to tell the
- * OS how many threads we might want to run.
- */
-#undef CALL_PTHREAD_SETCONCURRENCY
-
-/** define if IPv6 is not disabled */
-#undef WANT_IPV6
-
-/** define if flockfile() is available */
-#undef HAVE_FLOCKFILE
-
-/** define if getc_unlocked() is available */
-#undef HAVE_GETCUNLOCKED
-
-/** Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
-#undef SHUTUP_SPUTAUX
-#ifdef SHUTUP_SPUTAUX
-struct __sFILE;
-extern __inline int __sputaux(int _c, struct __sFILE *_p);
-#endif
-
-/** Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
-#undef SHUTUP_SIGWAIT
-#ifdef SHUTUP_SIGWAIT
-int sigwait(const unsigned int *set, int *sig);
-#endif
-
-/** Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
-#undef SHUTUP_STDARG_CAST
-#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
-#include <stdarg.h>		/** Grr.  Must be included *every time*. */
-/**
- * The silly continuation line is to keep configure from
- * commenting out the #undef.
- */
-
-#undef \
-	va_start
-#define	va_start(ap, last) \
-	do { \
-		union { const void *konst; long *var; } _u; \
-		_u.konst = &(last); \
-		ap = (va_list)(_u.var + __va_words(__typeof(last))); \
-	} while (0)
-#endif /** SHUTUP_STDARG_CAST && __GNUC__ */
-
-/** define if the system has a random number generating device */
-#undef PATH_RANDOMDEV
-
-/** define if pthread_attr_getstacksize() is available */
-#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
-
-/** define if pthread_attr_setstacksize() is available */
-#undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
-
-/** define if you have strerror in the C library. */
-#undef HAVE_STRERROR
-
-/** Define if you are running under Compaq TruCluster. */
-#undef HAVE_TRUCLUSTER
-
-/* Define if OpenSSL includes DSA support */
-#undef HAVE_OPENSSL_DSA
-
-/* Define if OpenSSL includes ECDSA support */
-#undef HAVE_OPENSSL_ECDSA
-
-/* Define to the length type used by the socket API (socklen_t, size_t, int). */
-#undef ISC_SOCKADDR_LEN_T
-
-/* Define if threads need PTHREAD_SCOPE_SYSTEM */
-#undef NEED_PTHREAD_SCOPE_SYSTEM
diff --git a/contrib/bind9/aclocal.m4 b/contrib/bind9/aclocal.m4
deleted file mode 100644
index 3f017c9..0000000
--- a/contrib/bind9/aclocal.m4
+++ /dev/null
@@ -1,5 +0,0 @@
-sinclude(libtool.m4/libtool.m4)dnl
-sinclude(libtool.m4/ltoptions.m4)dnl
-sinclude(libtool.m4/ltsugar.m4)dnl
-sinclude(libtool.m4/ltversion.m4)dnl
-sinclude(libtool.m4/lt~obsolete.m4)dnl
diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in
deleted file mode 100644
index 87ca5b2..0000000
--- a/contrib/bind9/bin/Makefile.in
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.29 2009/10/05 12:07:08 fdupont Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	named rndc dig dnssec tools tests nsupdate \
-		check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in
deleted file mode 100644
index c191605..0000000
--- a/contrib/bind9/bin/check/Makefile.in
+++ /dev/null
@@ -1,100 +0,0 @@
-# Copyright (C) 2004-2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.36 2009/12/05 23:31:40 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
-		${ISC_INCLUDES}
-
-CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
-CWARNINGS =
-
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-BIND9LIBS =	../../lib/bind9/libbind9.@A@
-
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
-
-LIBS =		${ISCLIBS} @LIBS@
-NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
-
-SUBDIRS =
-
-# Alphabetically
-TARGETS =	named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
-
-# Alphabetically
-SRCS =		named-checkconf.c named-checkzone.c check-tool.c
-
-MANPAGES =	named-checkconf.8 named-checkzone.8
-
-HTMLPAGES =	named-checkconf.html named-checkzone.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-named-checkconf.@O@: named-checkconf.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-c ${srcdir}/named-checkconf.c
-
-named-checkzone.@O@: named-checkzone.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-c ${srcdir}/named-checkzone.c
-
-named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
-		${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
-	export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
-	export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
-	${FINALBUILDCMD}
-
-named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
-	export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
-	${FINALBUILDCMD}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
-	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
-	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
-
-clean distclean::
-	rm -f ${TARGETS} r1.htm
diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c
deleted file mode 100644
index 1e53407..0000000
--- a/contrib/bind9/bin/check/check-tool.c
+++ /dev/null
@@ -1,697 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: check-tool.c,v 1.44 2011/12/22 07:32:39 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#ifdef _WIN32
-#include <Winsock2.h>
-#endif
-
-#include "check-tool.h"
-#include <isc/buffer.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/netdb.h>
-#include <isc/net.h>
-#include <isc/region.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/symtab.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/types.h>
-#include <dns/zone.h>
-
-#include <isccfg/log.h>
-
-#ifndef CHECK_SIBLING
-#define CHECK_SIBLING 1
-#endif
-
-#ifndef CHECK_LOCAL
-#define CHECK_LOCAL 1
-#endif
-
-#ifdef HAVE_ADDRINFO
-#ifdef HAVE_GETADDRINFO
-#ifdef HAVE_GAISTRERROR
-#define USE_GETADDRINFO
-#endif
-#endif
-#endif
-
-#define CHECK(r) \
-	do { \
-		result = (r); \
-		if (result != ISC_R_SUCCESS) \
-			goto cleanup; \
-	} while (0)
-
-#define ERR_IS_CNAME 1
-#define ERR_NO_ADDRESSES 2
-#define ERR_LOOKUP_FAILURE 3
-#define ERR_EXTRA_A 4
-#define ERR_EXTRA_AAAA 5
-#define ERR_MISSING_GLUE 5
-#define ERR_IS_MXCNAME 6
-#define ERR_IS_SRVCNAME 7
-
-static const char *dbtype[] = { "rbt" };
-
-int debug = 0;
-isc_boolean_t nomerge = ISC_TRUE;
-#if CHECK_LOCAL
-isc_boolean_t docheckmx = ISC_TRUE;
-isc_boolean_t dochecksrv = ISC_TRUE;
-isc_boolean_t docheckns = ISC_TRUE;
-#else
-isc_boolean_t docheckmx = ISC_FALSE;
-isc_boolean_t dochecksrv = ISC_FALSE;
-isc_boolean_t docheckns = ISC_FALSE;
-#endif
-unsigned int zone_options = DNS_ZONEOPT_CHECKNS |
-			    DNS_ZONEOPT_CHECKMX |
-			    DNS_ZONEOPT_MANYERRORS |
-			    DNS_ZONEOPT_CHECKNAMES |
-			    DNS_ZONEOPT_CHECKINTEGRITY |
-#if CHECK_SIBLING
-			    DNS_ZONEOPT_CHECKSIBLING |
-#endif
-			    DNS_ZONEOPT_CHECKWILDCARD |
-			    DNS_ZONEOPT_WARNMXCNAME |
-			    DNS_ZONEOPT_WARNSRVCNAME;
-
-/*
- * This needs to match the list in bin/named/log.c.
- */
-static isc_logcategory_t categories[] = {
-	{ "",		     0 },
-	{ "client",	     0 },
-	{ "network",	     0 },
-	{ "update",	     0 },
-	{ "queries",	     0 },
-	{ "unmatched", 	     0 },
-	{ "update-security", 0 },
-	{ "query-errors",    0 },
-	{ NULL,		     0 }
-};
-
-static isc_symtab_t *symtab = NULL;
-static isc_mem_t *sym_mctx;
-
-static void
-freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
-	UNUSED(type);
-	UNUSED(value);
-	isc_mem_free(userarg, key);
-}
-
-static void
-add(char *key, int value) {
-	isc_result_t result;
-	isc_symvalue_t symvalue;
-
-	if (sym_mctx == NULL) {
-		result = isc_mem_create(0, 0, &sym_mctx);
-		if (result != ISC_R_SUCCESS)
-			return;
-	}
-
-	if (symtab == NULL) {
-		result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
-					   ISC_FALSE, &symtab);
-		if (result != ISC_R_SUCCESS)
-			return;
-	}
-
-	key = isc_mem_strdup(sym_mctx, key);
-	if (key == NULL)
-		return;
-
-	symvalue.as_pointer = NULL;
-	result = isc_symtab_define(symtab, key, value, symvalue,
-				   isc_symexists_reject);
-	if (result != ISC_R_SUCCESS)
-		isc_mem_free(sym_mctx, key);
-}
-
-static isc_boolean_t
-logged(char *key, int value) {
-	isc_result_t result;
-
-	if (symtab == NULL)
-		return (ISC_FALSE);
-
-	result = isc_symtab_lookup(symtab, key, value, NULL);
-	if (result == ISC_R_SUCCESS)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-static isc_boolean_t
-checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
-	dns_rdataset_t *a, dns_rdataset_t *aaaa)
-{
-#ifdef USE_GETADDRINFO
-	dns_rdataset_t *rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	struct addrinfo hints, *ai, *cur;
-	char namebuf[DNS_NAME_FORMATSIZE + 1];
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
-	isc_boolean_t answer = ISC_TRUE;
-	isc_boolean_t match;
-	const char *type;
-	void *ptr = NULL;
-	int result;
-
-	REQUIRE(a == NULL || !dns_rdataset_isassociated(a) ||
-		a->type == dns_rdatatype_a);
-	REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
-		aaaa->type == dns_rdatatype_aaaa);
-
-	if (a == NULL || aaaa == NULL)
-		return (answer);
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_flags = AI_CANONNAME;
-	hints.ai_family = PF_UNSPEC;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_protocol = IPPROTO_TCP;
-
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	/*
-	 * Turn off search.
-	 */
-	if (dns_name_countlabels(name) > 1U)
-		strcat(namebuf, ".");
-	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
-
-	result = getaddrinfo(namebuf, NULL, &hints, &ai);
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	switch (result) {
-	case 0:
-		/*
-		 * Work around broken getaddrinfo() implementations that
-		 * fail to set ai_canonname on first entry.
-		 */
-		cur = ai;
-		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL)
-			cur = cur->ai_next;
-		if (cur != NULL && cur->ai_canonname != NULL &&
-		    strcasecmp(cur->ai_canonname, namebuf) != 0 &&
-		    !logged(namebuf, ERR_IS_CNAME)) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/NS '%s' (out of zone) "
-				     "is a CNAME '%s' (illegal)",
-				     ownerbuf, namebuf,
-				     cur->ai_canonname);
-			/* XXX950 make fatal for 9.5.0 */
-			/* answer = ISC_FALSE; */
-			add(namebuf, ERR_IS_CNAME);
-		}
-		break;
-	case EAI_NONAME:
-#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
-	case EAI_NODATA:
-#endif
-		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/NS '%s' (out of zone) "
-				     "has no addresses records (A or AAAA)",
-				     ownerbuf, namebuf);
-			add(namebuf, ERR_NO_ADDRESSES);
-		}
-		/* XXX950 make fatal for 9.5.0 */
-		return (ISC_TRUE);
-
-	default:
-		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
-			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "getaddrinfo(%s) failed: %s",
-				     namebuf, gai_strerror(result));
-			add(namebuf, ERR_LOOKUP_FAILURE);
-		}
-		return (ISC_TRUE);
-	}
-
-	/*
-	 * Check that all glue records really exist.
-	 */
-	if (!dns_rdataset_isassociated(a))
-		goto checkaaaa;
-	result = dns_rdataset_first(a);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(a, &rdata);
-		match = ISC_FALSE;
-		for (cur = ai; cur != NULL; cur = cur->ai_next) {
-			if (cur->ai_family != AF_INET)
-				continue;
-			ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
-			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
-				match = ISC_TRUE;
-				break;
-			}
-		}
-		if (!match && !logged(namebuf, ERR_EXTRA_A)) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
-				     "extra GLUE A record (%s)",
-				     ownerbuf, namebuf,
-				     inet_ntop(AF_INET, rdata.data,
-					       addrbuf, sizeof(addrbuf)));
-			add(namebuf, ERR_EXTRA_A);
-			/* XXX950 make fatal for 9.5.0 */
-			/* answer = ISC_FALSE; */
-		}
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(a);
-	}
-
- checkaaaa:
-	if (!dns_rdataset_isassociated(aaaa))
-		goto checkmissing;
-	result = dns_rdataset_first(aaaa);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(aaaa, &rdata);
-		match = ISC_FALSE;
-		for (cur = ai; cur != NULL; cur = cur->ai_next) {
-			if (cur->ai_family != AF_INET6)
-				continue;
-			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
-			if (memcmp(ptr, rdata.data, rdata.length) == 0) {
-				match = ISC_TRUE;
-				break;
-			}
-		}
-		if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
-				     "extra GLUE AAAA record (%s)",
-				     ownerbuf, namebuf,
-				     inet_ntop(AF_INET6, rdata.data,
-					       addrbuf, sizeof(addrbuf)));
-			add(namebuf, ERR_EXTRA_AAAA);
-			/* XXX950 make fatal for 9.5.0. */
-			/* answer = ISC_FALSE; */
-		}
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(aaaa);
-	}
-
- checkmissing:
-	/*
-	 * Check that all addresses appear in the glue.
-	 */
-	if (!logged(namebuf, ERR_MISSING_GLUE)) {
-		isc_boolean_t missing_glue = ISC_FALSE;
-		for (cur = ai; cur != NULL; cur = cur->ai_next) {
-			switch (cur->ai_family) {
-			case AF_INET:
-				rdataset = a;
-				ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
-				type = "A";
-				break;
-			case AF_INET6:
-				rdataset = aaaa;
-				ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
-				type = "AAAA";
-				break;
-			default:
-				 continue;
-			}
-			match = ISC_FALSE;
-			if (dns_rdataset_isassociated(rdataset))
-				result = dns_rdataset_first(rdataset);
-			else
-				result = ISC_R_FAILURE;
-			while (result == ISC_R_SUCCESS && !match) {
-				dns_rdataset_current(rdataset, &rdata);
-				if (memcmp(ptr, rdata.data, rdata.length) == 0)
-					match = ISC_TRUE;
-				dns_rdata_reset(&rdata);
-				result = dns_rdataset_next(rdataset);
-			}
-			if (!match) {
-				dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
-					     "missing GLUE %s record (%s)",
-					     ownerbuf, namebuf, type,
-					     inet_ntop(cur->ai_family, ptr,
-						       addrbuf, sizeof(addrbuf)));
-				/* XXX950 make fatal for 9.5.0. */
-				/* answer = ISC_FALSE; */
-				missing_glue = ISC_TRUE;
-			}
-		}
-		if (missing_glue)
-			add(namebuf, ERR_MISSING_GLUE);
-	}
-	freeaddrinfo(ai);
-	return (answer);
-#else
-	return (ISC_TRUE);
-#endif
-}
-
-static isc_boolean_t
-checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
-#ifdef USE_GETADDRINFO
-	struct addrinfo hints, *ai, *cur;
-	char namebuf[DNS_NAME_FORMATSIZE + 1];
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	int result;
-	int level = ISC_LOG_ERROR;
-	isc_boolean_t answer = ISC_TRUE;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_flags = AI_CANONNAME;
-	hints.ai_family = PF_UNSPEC;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_protocol = IPPROTO_TCP;
-
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	/*
-	 * Turn off search.
-	 */
-	if (dns_name_countlabels(name) > 1U)
-		strcat(namebuf, ".");
-	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
-
-	result = getaddrinfo(namebuf, NULL, &hints, &ai);
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	switch (result) {
-	case 0:
-		/*
-		 * Work around broken getaddrinfo() implementations that
-		 * fail to set ai_canonname on first entry.
-		 */
-		cur = ai;
-		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL)
-			cur = cur->ai_next;
-		if (cur != NULL && cur->ai_canonname != NULL &&
-		    strcasecmp(cur->ai_canonname, namebuf) != 0) {
-			if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
-				level = ISC_LOG_WARNING;
-			if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
-				if (!logged(namebuf, ERR_IS_MXCNAME)) {
-					dns_zone_log(zone, level,
-						     "%s/MX '%s' (out of zone)"
-						     " is a CNAME '%s' "
-						     "(illegal)",
-						     ownerbuf, namebuf,
-						     cur->ai_canonname);
-					add(namebuf, ERR_IS_MXCNAME);
-				}
-				if (level == ISC_LOG_ERROR)
-					answer = ISC_FALSE;
-			}
-		}
-		freeaddrinfo(ai);
-		return (answer);
-
-	case EAI_NONAME:
-#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
-	case EAI_NODATA:
-#endif
-		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/MX '%s' (out of zone) "
-				     "has no addresses records (A or AAAA)",
-				     ownerbuf, namebuf);
-			add(namebuf, ERR_NO_ADDRESSES);
-		}
-		/* XXX950 make fatal for 9.5.0. */
-		return (ISC_TRUE);
-
-	default:
-		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
-			dns_zone_log(zone, ISC_LOG_WARNING,
-			     "getaddrinfo(%s) failed: %s",
-			     namebuf, gai_strerror(result));
-			add(namebuf, ERR_LOOKUP_FAILURE);
-		}
-		return (ISC_TRUE);
-	}
-#else
-	return (ISC_TRUE);
-#endif
-}
-
-static isc_boolean_t
-checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
-#ifdef USE_GETADDRINFO
-	struct addrinfo hints, *ai, *cur;
-	char namebuf[DNS_NAME_FORMATSIZE + 1];
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	int result;
-	int level = ISC_LOG_ERROR;
-	isc_boolean_t answer = ISC_TRUE;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_flags = AI_CANONNAME;
-	hints.ai_family = PF_UNSPEC;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_protocol = IPPROTO_TCP;
-
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	/*
-	 * Turn off search.
-	 */
-	if (dns_name_countlabels(name) > 1U)
-		strcat(namebuf, ".");
-	dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
-
-	result = getaddrinfo(namebuf, NULL, &hints, &ai);
-	dns_name_format(name, namebuf, sizeof(namebuf) - 1);
-	switch (result) {
-	case 0:
-		/*
-		 * Work around broken getaddrinfo() implementations that
-		 * fail to set ai_canonname on first entry.
-		 */
-		cur = ai;
-		while (cur != NULL && cur->ai_canonname == NULL &&
-		       cur->ai_next != NULL)
-			cur = cur->ai_next;
-		if (cur != NULL && cur->ai_canonname != NULL &&
-		    strcasecmp(cur->ai_canonname, namebuf) != 0) {
-			if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
-				level = ISC_LOG_WARNING;
-			if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
-				if (!logged(namebuf, ERR_IS_SRVCNAME)) {
-					dns_zone_log(zone, level, "%s/SRV '%s'"
-						     " (out of zone) is a "
-						     "CNAME '%s' (illegal)",
-						     ownerbuf, namebuf,
-						     cur->ai_canonname);
-					add(namebuf, ERR_IS_SRVCNAME);
-				}
-				if (level == ISC_LOG_ERROR)
-					answer = ISC_FALSE;
-			}
-		}
-		freeaddrinfo(ai);
-		return (answer);
-
-	case EAI_NONAME:
-#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
-	case EAI_NODATA:
-#endif
-		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s/SRV '%s' (out of zone) "
-				     "has no addresses records (A or AAAA)",
-				     ownerbuf, namebuf);
-			add(namebuf, ERR_NO_ADDRESSES);
-		}
-		/* XXX950 make fatal for 9.5.0. */
-		return (ISC_TRUE);
-
-	default:
-		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
-			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "getaddrinfo(%s) failed: %s",
-				     namebuf, gai_strerror(result));
-			add(namebuf, ERR_LOOKUP_FAILURE);
-		}
-		return (ISC_TRUE);
-	}
-#else
-	return (ISC_TRUE);
-#endif
-}
-
-isc_result_t
-setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
-	isc_logdestination_t destination;
-	isc_logconfig_t *logconfig = NULL;
-	isc_log_t *log = NULL;
-
-	RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
-	isc_log_registercategories(log, categories);
-	isc_log_setcontext(log);
-	dns_log_init(log);
-	dns_log_setcontext(log);
-	cfg_log_init(log);
-
-	destination.file.stream = errout;
-	destination.file.name = NULL;
-	destination.file.versions = ISC_LOG_ROLLNEVER;
-	destination.file.maximum_size = 0;
-	RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr",
-				       ISC_LOG_TOFILEDESC,
-				       ISC_LOG_DYNAMIC,
-				       &destination, 0) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
-					 NULL, NULL) == ISC_R_SUCCESS);
-
-	*logp = log;
-	return (ISC_R_SUCCESS);
-}
-
-/*% load the zone */
-isc_result_t
-load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
-	  dns_masterformat_t fileformat, const char *classname,
-	  dns_zone_t **zonep)
-{
-	isc_result_t result;
-	dns_rdataclass_t rdclass;
-	isc_textregion_t region;
-	isc_buffer_t buffer;
-	dns_fixedname_t fixorigin;
-	dns_name_t *origin;
-	dns_zone_t *zone = NULL;
-
-	REQUIRE(zonep == NULL || *zonep == NULL);
-
-	if (debug)
-		fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
-			zonename, filename, classname);
-
-	CHECK(dns_zone_create(&zone, mctx));
-
-	dns_zone_settype(zone, dns_zone_master);
-
-	isc_buffer_constinit(&buffer, zonename, strlen(zonename));
-	isc_buffer_add(&buffer, strlen(zonename));
-	dns_fixedname_init(&fixorigin);
-	origin = dns_fixedname_name(&fixorigin);
-	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
-	CHECK(dns_zone_setorigin(zone, origin));
-	CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
-	CHECK(dns_zone_setfile2(zone, filename, fileformat));
-
-	DE_CONST(classname, region.base);
-	region.length = strlen(classname);
-	CHECK(dns_rdataclass_fromtext(&rdclass, &region));
-
-	dns_zone_setclass(zone, rdclass);
-	dns_zone_setoption(zone, zone_options, ISC_TRUE);
-	dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
-	if (docheckmx)
-		dns_zone_setcheckmx(zone, checkmx);
-	if (docheckns)
-		dns_zone_setcheckns(zone, checkns);
-	if (dochecksrv)
-		dns_zone_setchecksrv(zone, checksrv);
-
-	CHECK(dns_zone_load(zone));
-	if (zonep != NULL) {
-		*zonep = zone;
-		zone = NULL;
-	}
-
- cleanup:
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	return (result);
-}
-
-/*% dump the zone */
-isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
-	  dns_masterformat_t fileformat, const dns_master_style_t *style,
-	  const isc_uint32_t rawversion)
-{
-	isc_result_t result;
-	FILE *output = stdout;
-	const char *flags;
-
-	flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+";
-
-	if (debug) {
-		if (filename != NULL && strcmp(filename, "-") != 0)
-			fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
-				zonename, filename);
-		else
-			fprintf(stderr, "dumping \"%s\"\n", zonename);
-	}
-
-	if (filename != NULL && strcmp(filename, "-") != 0) {
-		result = isc_stdio_open(filename, flags, &output);
-
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "could not open output "
-				"file \"%s\" for writing\n", filename);
-			return (ISC_R_FAILURE);
-		}
-	}
-
-	result = dns_zone_dumptostream3(zone, output, fileformat, style,
-					rawversion);
-	if (output != stdout)
-		(void)isc_stdio_close(output);
-
-	return (result);
-}
-
-#ifdef _WIN32
-void
-InitSockets(void) {
-	WORD wVersionRequested;
-	WSADATA wsaData;
-	int err;
-
-	wVersionRequested = MAKEWORD(2, 0);
-
-	err = WSAStartup( wVersionRequested, &wsaData );
-	if (err != 0) {
-		fprintf(stderr, "WSAStartup() failed: %d\n", err);
-		exit(1);
-	}
-}
-
-void
-DestroySockets(void) {
-	WSACleanup();
-}
-#endif
-
diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h
deleted file mode 100644
index 0794729..0000000
--- a/contrib/bind9/bin/check/check-tool.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: check-tool.h,v 1.18 2011/12/09 23:47:02 tbox Exp $ */
-
-#ifndef CHECK_TOOL_H
-#define CHECK_TOOL_H
-
-/*! \file */
-
-#include <isc/lang.h>
-#include <isc/stdio.h>
-#include <isc/types.h>
-
-#include <dns/masterdump.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
-
-isc_result_t
-load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
-	  dns_masterformat_t fileformat, const char *classname,
-	  dns_zone_t **zonep);
-
-isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
-	  dns_masterformat_t fileformat, const dns_master_style_t *style,
-	  const isc_uint32_t rawversion);
-
-#ifdef _WIN32
-void InitSockets(void);
-void DestroySockets(void);
-#endif
-
-extern int debug;
-extern isc_boolean_t nomerge;
-extern isc_boolean_t docheckmx;
-extern isc_boolean_t docheckns;
-extern isc_boolean_t dochecksrv;
-extern unsigned int zone_options;
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/bin/check/named-checkconf.8 b/contrib/bind9/bin/check/named-checkconf.8
deleted file mode 100644
index 67a8f4a..0000000
--- a/contrib/bind9/bin/check/named-checkconf.8
+++ /dev/null
@@ -1,119 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: named\-checkconf
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 14, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named\-checkconf \- named configuration file syntax checking tool
-.SH "SYNOPSIS"
-.HP 16
-\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-p\fR] [\fB\-z\fR]
-.SH "DESCRIPTION"
-.PP
-\fBnamed\-checkconf\fR
-checks the syntax, but not the semantics, of a
-\fBnamed\fR
-configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified,
-\fI/etc/named.conf\fR
-is read by default.
-.PP
-Note: files that
-\fBnamed\fR
-reads in separate parser contexts, such as
-\fIrndc.key\fR
-and
-\fIbind.keys\fR, are not automatically read by
-\fBnamed\-checkconf\fR. Configuration errors in these files may cause
-\fBnamed\fR
-to fail to run, even if
-\fBnamed\-checkconf\fR
-was successful.
-\fBnamed\-checkconf\fR
-can be run on these files explicitly, however.
-.SH "OPTIONS"
-.PP
-\-h
-.RS 4
-Print the usage summary and exit.
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-\fIdirectory\fR
-so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.RE
-.PP
-\-v
-.RS 4
-Print the version of the
-\fBnamed\-checkconf\fR
-program and exit.
-.RE
-.PP
-\-p
-.RS 4
-Print out the
-\fInamed.conf\fR
-and included files in canonical form if no errors were detected.
-.RE
-.PP
-\-z
-.RS 4
-Perform a test load of all master zones found in
-\fInamed.conf\fR.
-.RE
-.PP
-\-j
-.RS 4
-When loading a zonefile read the journal if it exists.
-.RE
-.PP
-filename
-.RS 4
-The name of the configuration file to be checked. If not specified, it defaults to
-\fI/etc/named.conf\fR.
-.RE
-.SH "RETURN VALUES"
-.PP
-\fBnamed\-checkconf\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBnamed\-checkzone\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2002 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c
deleted file mode 100644
index 0b3c508..0000000
--- a/contrib/bind9/bin/check/named-checkconf.c
+++ /dev/null
@@ -1,556 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: named-checkconf.c,v 1.56 2011/03/12 04:59:46 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#include <isc/commandline.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <bind9/check.h>
-
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/result.h>
-#include <dns/zone.h>
-
-#include "check-tool.h"
-
-static const char *program = "named-checkconf";
-
-isc_log_t *logc = NULL;
-
-#define CHECK(r)\
-	do { \
-		result = (r); \
-		if (result != ISC_R_SUCCESS) \
-			goto cleanup; \
-	} while (0)
-
-/*% usage */
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "usage: %s [-h] [-j] [-p] [-v] [-z] [-t directory] "
-		"[named.conf]\n", program);
-	exit(1);
-}
-
-/*% directory callback */
-static isc_result_t
-directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
-	isc_result_t result;
-	const char *directory;
-
-	REQUIRE(strcasecmp("directory", clausename) == 0);
-
-	UNUSED(arg);
-	UNUSED(clausename);
-
-	/*
-	 * Change directory.
-	 */
-	directory = cfg_obj_asstring(obj);
-	result = isc_dir_chdir(directory);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(obj, logc, ISC_LOG_ERROR,
-			    "change directory to '%s' failed: %s\n",
-			    directory, isc_result_totext(result));
-		return (result);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
-	int i;
-	for (i = 0;; i++) {
-		if (maps[i] == NULL)
-			return (ISC_FALSE);
-		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
-			return (ISC_TRUE);
-	}
-}
-
-static isc_boolean_t
-get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
-	const cfg_listelt_t *element;
-	const cfg_obj_t *checknames;
-	const cfg_obj_t *type;
-	const cfg_obj_t *value;
-	isc_result_t result;
-	int i;
-
-	for (i = 0;; i++) {
-		if (maps[i] == NULL)
-			return (ISC_FALSE);
-		checknames = NULL;
-		result = cfg_map_get(maps[i], "check-names", &checknames);
-		if (result != ISC_R_SUCCESS)
-			continue;
-		if (checknames != NULL && !cfg_obj_islist(checknames)) {
-			*obj = checknames;
-			return (ISC_TRUE);
-		}
-		for (element = cfg_list_first(checknames);
-		     element != NULL;
-		     element = cfg_list_next(element)) {
-			value = cfg_listelt_value(element);
-			type = cfg_tuple_get(value, "type");
-			if (strcasecmp(cfg_obj_asstring(type), "master") != 0)
-				continue;
-			*obj = cfg_tuple_get(value, "mode");
-			return (ISC_TRUE);
-		}
-	}
-}
-
-static isc_result_t
-config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
-	int i;
-
-	for (i = 0;; i++) {
-		if (maps[i] == NULL)
-			return (ISC_R_NOTFOUND);
-		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
-			return (ISC_R_SUCCESS);
-	}
-}
-
-/*% configure the zone */
-static isc_result_t
-configure_zone(const char *vclass, const char *view,
-	       const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
-	       const cfg_obj_t *config, isc_mem_t *mctx)
-{
-	int i = 0;
-	isc_result_t result;
-	const char *zclass;
-	const char *zname;
-	const char *zfile;
-	const cfg_obj_t *maps[4];
-	const cfg_obj_t *zoptions = NULL;
-	const cfg_obj_t *classobj = NULL;
-	const cfg_obj_t *typeobj = NULL;
-	const cfg_obj_t *fileobj = NULL;
-	const cfg_obj_t *dbobj = NULL;
-	const cfg_obj_t *obj = NULL;
-	const cfg_obj_t *fmtobj = NULL;
-	dns_masterformat_t masterformat;
-
-	zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;
-
-	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-	classobj = cfg_tuple_get(zconfig, "class");
-	if (!cfg_obj_isstring(classobj))
-		zclass = vclass;
-	else
-		zclass = cfg_obj_asstring(classobj);
-
-	zoptions = cfg_tuple_get(zconfig, "options");
-	maps[i++] = zoptions;
-	if (vconfig != NULL)
-		maps[i++] = cfg_tuple_get(vconfig, "options");
-	if (config != NULL) {
-		cfg_map_get(config, "options", &obj);
-		if (obj != NULL)
-			maps[i++] = obj;
-	}
-	maps[i] = NULL;
-
-	cfg_map_get(zoptions, "type", &typeobj);
-	if (typeobj == NULL)
-		return (ISC_R_FAILURE);
-	if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)
-		return (ISC_R_SUCCESS);
-	cfg_map_get(zoptions, "database", &dbobj);
-	if (dbobj != NULL)
-		return (ISC_R_SUCCESS);
-	cfg_map_get(zoptions, "file", &fileobj);
-	if (fileobj == NULL)
-		return (ISC_R_FAILURE);
-	zfile = cfg_obj_asstring(fileobj);
-
-	obj = NULL;
-	if (get_maps(maps, "check-dup-records", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKDUPRR;
-			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKDUPRR;
-			zone_options |= DNS_ZONEOPT_CHECKDUPRRFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
-			zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-		} else
-			INSIST(0);
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKDUPRR;
-		zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-mx", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKMX;
-			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKMX;
-			zone_options |= DNS_ZONEOPT_CHECKMXFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options &= ~DNS_ZONEOPT_CHECKMX;
-			zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-		} else
-			INSIST(0);
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKMX;
-		zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-integrity", &obj)) {
-		if (cfg_obj_asboolean(obj))
-			zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-		else
-			zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
-	} else
-		zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-
-	obj = NULL;
-	if (get_maps(maps, "check-mx-cname", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
-			zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-			zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
-		} else
-			INSIST(0);
-	} else {
-		zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-		zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-srv-cname", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
-			zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-			zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
-		} else
-			INSIST(0);
-	} else {
-		zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-		zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-sibling", &obj)) {
-		if (cfg_obj_asboolean(obj))
-			zone_options |= DNS_ZONEOPT_CHECKSIBLING;
-		else
-			zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-	}
-
-	obj = NULL;
-	if (get_maps(maps, "check-spf", &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKSPF;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options &= ~DNS_ZONEOPT_CHECKSPF;
-		} else
-			INSIST(0);
-	} else {
-		zone_options |= DNS_ZONEOPT_CHECKSPF;
-	}
-
-	obj = NULL;
-	if (get_checknames(maps, &obj)) {
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKNAMES;
-			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			zone_options |= DNS_ZONEOPT_CHECKNAMES;
-			zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
-			zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-		} else
-			INSIST(0);
-	} else {
-	       zone_options |= DNS_ZONEOPT_CHECKNAMES;
-	       zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
-	}
-
-	masterformat = dns_masterformat_text;
-	fmtobj = NULL;
-	result = config_get(maps, "masterfile-format", &fmtobj);
-	if (result == ISC_R_SUCCESS) {
-		const char *masterformatstr = cfg_obj_asstring(fmtobj);
-		if (strcasecmp(masterformatstr, "text") == 0)
-			masterformat = dns_masterformat_text;
-		else if (strcasecmp(masterformatstr, "raw") == 0)
-			masterformat = dns_masterformat_raw;
-		else
-			INSIST(0);
-	}
-
-	result = load_zone(mctx, zname, zfile, masterformat, zclass, NULL);
-	if (result != ISC_R_SUCCESS)
-		fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
-			dns_result_totext(result));
-	return(result);
-}
-
-/*% configure a view */
-static isc_result_t
-configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx)
-{
-	const cfg_listelt_t *element;
-	const cfg_obj_t *voptions;
-	const cfg_obj_t *zonelist;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-
-	voptions = NULL;
-	if (vconfig != NULL)
-		voptions = cfg_tuple_get(vconfig, "options");
-
-	zonelist = NULL;
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "zone", &zonelist);
-	else
-		(void)cfg_map_get(config, "zone", &zonelist);
-
-	for (element = cfg_list_first(zonelist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *zconfig = cfg_listelt_value(element);
-		tresult = configure_zone(vclass, view, zconfig, vconfig,
-					 config, mctx);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-	}
-	return (result);
-}
-
-
-/*% load zones from the configuration */
-static isc_result_t
-load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
-	const cfg_listelt_t *element;
-	const cfg_obj_t *classobj;
-	const cfg_obj_t *views;
-	const cfg_obj_t *vconfig;
-	const char *vclass;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-
-	views = NULL;
-
-	(void)cfg_map_get(config, "view", &views);
-	for (element = cfg_list_first(views);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const char *vname;
-
-		vclass = "IN";
-		vconfig = cfg_listelt_value(element);
-		if (vconfig != NULL) {
-			classobj = cfg_tuple_get(vconfig, "class");
-			if (cfg_obj_isstring(classobj))
-				vclass = cfg_obj_asstring(classobj);
-		}
-		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
-		tresult = configure_view(vclass, vname, config, vconfig, mctx);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-	}
-
-	if (views == NULL) {
-		tresult = configure_view("IN", "_default", config, NULL, mctx);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-	}
-	return (result);
-}
-
-static void
-output(void *closure, const char *text, int textlen) {
-	UNUSED(closure);
-	if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
-		perror("fwrite");
-		exit(1);
-	}
-}
-
-/*% The main processing routine */
-int
-main(int argc, char **argv) {
-	int c;
-	cfg_parser_t *parser = NULL;
-	cfg_obj_t *config = NULL;
-	const char *conffile = NULL;
-	isc_mem_t *mctx = NULL;
-	isc_result_t result;
-	int exit_status = 0;
-	isc_entropy_t *ectx = NULL;
-	isc_boolean_t load_zones = ISC_FALSE;
-	isc_boolean_t print = ISC_FALSE;
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((c = isc_commandline_parse(argc, argv, "dhjt:pvz")) != EOF) {
-		switch (c) {
-		case 'd':
-			debug++;
-			break;
-
-		case 'j':
-			nomerge = ISC_FALSE;
-			break;
-
-		case 't':
-			result = isc_dir_chroot(isc_commandline_argument);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "isc_dir_chroot: %s\n",
-					isc_result_totext(result));
-				exit(1);
-			}
-			break;
-
-		case 'p':
-			print = ISC_TRUE;
-			break;
-
-		case 'v':
-			printf(VERSION "\n");
-			exit(0);
-
-		case 'z':
-			load_zones = ISC_TRUE;
-			docheckmx = ISC_FALSE;
-			docheckns = ISC_FALSE;
-			dochecksrv = ISC_FALSE;
-			break;
-
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			/* FALLTHROUGH */
-		case 'h':
-			usage();
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (isc_commandline_index + 1 < argc)
-		usage();
-	if (argv[isc_commandline_index] != NULL)
-		conffile = argv[isc_commandline_index];
-	if (conffile == NULL || conffile[0] == '\0')
-		conffile = NAMED_CONFFILE;
-
-#ifdef _WIN32
-	InitSockets();
-#endif
-
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
-	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
-
-	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
-		      == ISC_R_SUCCESS);
-
-	dns_result_register();
-
-	RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
-
-	cfg_parser_setcallback(parser, directory_callback, NULL);
-
-	if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
-	    ISC_R_SUCCESS)
-		exit(1);
-
-	result = bind9_check_namedconf(config, logc, mctx);
-	if (result != ISC_R_SUCCESS)
-		exit_status = 1;
-
-	if (result == ISC_R_SUCCESS && load_zones) {
-		result = load_zones_fromconfig(config, mctx);
-		if (result != ISC_R_SUCCESS)
-			exit_status = 1;
-	}
-
-	if (print && exit_status == 0)
-		cfg_print(config, output, NULL);
-	cfg_obj_destroy(parser, &config);
-
-	cfg_parser_destroy(&parser);
-
-	dns_name_destroy();
-
-	isc_log_destroy(&logc);
-
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
-
-	isc_mem_destroy(&mctx);
-
-#ifdef _WIN32
-	DestroySockets();
-#endif
-
-	return (exit_status);
-}
diff --git a/contrib/bind9/bin/check/named-checkconf.docbook b/contrib/bind9/bin/check/named-checkconf.docbook
deleted file mode 100644
index 9535e28..0000000
--- a/contrib/bind9/bin/check/named-checkconf.docbook
+++ /dev/null
@@ -1,195 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named-checkconf.docbook,v 1.22 2009/12/28 23:21:16 each Exp $ -->
-<refentry id="man.named-checkconf">
-  <refentryinfo>
-    <date>June 14, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>named-checkconf</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <year>2009</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname><application>named-checkconf</application></refname>
-    <refpurpose>named configuration file syntax checking tool</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>named-checkconf</command>
-      <arg><option>-h</option></arg>
-      <arg><option>-v</option></arg>
-      <arg><option>-j</option></arg>
-      <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg choice="req">filename</arg>
-      <arg><option>-p</option></arg>
-      <arg><option>-z</option></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>named-checkconf</command>
-      checks the syntax, but not the semantics, of a
-      <command>named</command> configuration file.  The file is parsed
-      and checked for syntax errors, along with all files included by it.
-      If no file is specified, <filename>/etc/named.conf</filename> is read
-      by default.
-    </para>
-    <para>
-      Note: files that <command>named</command> reads in separate
-      parser contexts, such as <filename>rndc.key</filename> and
-      <filename>bind.keys</filename>, are not automatically read
-      by <command>named-checkconf</command>.  Configuration
-      errors in these files may cause <command>named</command> to
-      fail to run, even if <command>named-checkconf</command> was
-      successful.  <command>named-checkconf</command> can be run
-      on these files explicitly, however.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-h</term>
-        <listitem>
-          <para>
-            Print the usage summary and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Chroot to <filename>directory</filename> so that include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted named.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v</term>
-        <listitem>
-          <para>
-            Print the version of the <command>named-checkconf</command>
-            program and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p</term>
-        <listitem>
-          <para>
-	    Print out the <filename>named.conf</filename> and included files
-	    in canonical form if no errors were detected.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-z</term>
-        <listitem>
-          <para>
-	    Perform a test load of all master zones found in
-	    <filename>named.conf</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-j</term>
-        <listitem>
-          <para>
-            When loading a zonefile read the journal if it exists.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>filename</term>
-        <listitem>
-          <para>
-            The name of the configuration file to be checked.  If not
-            specified, it defaults to <filename>/etc/named.conf</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para><command>named-checkconf</command>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/check/named-checkconf.html b/contrib/bind9/bin/check/named-checkconf.html
deleted file mode 100644
index aa80c7c..0000000
--- a/contrib/bind9/bin/check/named-checkconf.html
+++ /dev/null
@@ -1,113 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.named-checkconf"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543396"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">named-checkconf</strong></span>
-      checks the syntax, but not the semantics, of a
-      <span><strong class="command">named</strong></span> configuration file.  The file is parsed
-      and checked for syntax errors, along with all files included by it.
-      If no file is specified, <code class="filename">/etc/named.conf</code> is read
-      by default.
-    </p>
-<p>
-      Note: files that <span><strong class="command">named</strong></span> reads in separate
-      parser contexts, such as <code class="filename">rndc.key</code> and
-      <code class="filename">bind.keys</code>, are not automatically read
-      by <span><strong class="command">named-checkconf</strong></span>.  Configuration
-      errors in these files may cause <span><strong class="command">named</strong></span> to
-      fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
-      successful.  <span><strong class="command">named-checkconf</strong></span> can be run
-      on these files explicitly, however.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543445"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Print the usage summary and exit.
-          </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Chroot to <code class="filename">directory</code> so that include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted named.
-          </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-            Print the version of the <span><strong class="command">named-checkconf</strong></span>
-            program and exit.
-          </p></dd>
-<dt><span class="term">-p</span></dt>
-<dd><p>
-	    Print out the <code class="filename">named.conf</code> and included files
-	    in canonical form if no errors were detected.
-          </p></dd>
-<dt><span class="term">-z</span></dt>
-<dd><p>
-	    Perform a test load of all master zones found in
-	    <code class="filename">named.conf</code>.
-          </p></dd>
-<dt><span class="term">-j</span></dt>
-<dd><p>
-            When loading a zonefile read the journal if it exists.
-          </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
-            The name of the configuration file to be checked.  If not
-            specified, it defaults to <code class="filename">/etc/named.conf</code>.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543569"></a><h2>RETURN VALUES</h2>
-<p><span><strong class="command">named-checkconf</strong></span>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543580"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543610"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/check/named-checkzone.8 b/contrib/bind9/bin/check/named-checkzone.8
deleted file mode 100644
index 8538ca8..0000000
--- a/contrib/bind9/bin/check/named-checkzone.8
+++ /dev/null
@@ -1,308 +0,0 @@
-.\" Copyright (C) 2004-2007, 2009-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: named\-checkzone
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 13, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
-.SH "SYNOPSIS"
-.HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
-.HP 18
-\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
-.SH "DESCRIPTION"
-.PP
-\fBnamed\-checkzone\fR
-checks the syntax and integrity of a zone file. It performs the same checks as
-\fBnamed\fR
-does when loading a zone. This makes
-\fBnamed\-checkzone\fR
-useful for checking zone files before configuring them into a name server.
-.PP
-\fBnamed\-compilezone\fR
-is similar to
-\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
-\fBnamed\fR. When manually specified otherwise, the check levels must at least be as strict as those specified in the
-\fBnamed\fR
-configuration file.
-.SH "OPTIONS"
-.PP
-\-d
-.RS 4
-Enable debugging.
-.RE
-.PP
-\-h
-.RS 4
-Print the usage summary and exit.
-.RE
-.PP
-\-q
-.RS 4
-Quiet mode \- exit code only.
-.RE
-.PP
-\-v
-.RS 4
-Print the version of the
-\fBnamed\-checkzone\fR
-program and exit.
-.RE
-.PP
-\-j
-.RS 4
-When loading the zone file read the journal if it exists.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specify the class of the zone. If not specified, "IN" is assumed.
-.RE
-.PP
-\-i \fImode\fR
-.RS 4
-Perform post\-load zone integrity checks. Possible modes are
-\fB"full"\fR
-(default),
-\fB"full\-sibling"\fR,
-\fB"local"\fR,
-\fB"local\-sibling"\fR
-and
-\fB"none"\fR.
-.sp
-Mode
-\fB"full"\fR
-checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
-\fB"local"\fR
-only checks MX records which refer to in\-zone hostnames.
-.sp
-Mode
-\fB"full"\fR
-checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
-\fB"local"\fR
-only checks SRV records which refer to in\-zone hostnames.
-.sp
-Mode
-\fB"full"\fR
-checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode
-\fB"local"\fR
-only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.
-.sp
-Mode
-\fB"full\-sibling"\fR
-and
-\fB"local\-sibling"\fR
-disable sibling glue checks but are otherwise the same as
-\fB"full"\fR
-and
-\fB"local"\fR
-respectively.
-.sp
-Mode
-\fB"none"\fR
-disables the checks.
-.RE
-.PP
-\-f \fIformat\fR
-.RS 4
-Specify the format of the zone file. Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR.
-.RE
-.PP
-\-F \fIformat\fR
-.RS 4
-Specify the format of the output file specified. For
-\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents.
-.sp
-Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR
-or
-\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
-\fBnamed\fR.
-\fB"raw=N"\fR
-specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
-\fBnamed\fR; if N is 1, the file can be read by release 9.9.0 or higher. The default is 1.
-.RE
-.PP
-\-k \fImode\fR
-.RS 4
-Perform
-\fB"check\-names"\fR
-checks with the specified failure mode. Possible modes are
-\fB"fail"\fR
-(default for
-\fBnamed\-compilezone\fR),
-\fB"warn"\fR
-(default for
-\fBnamed\-checkzone\fR) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-L \fIserial\fR
-.RS 4
-When compiling a zone to 'raw' format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.)
-.RE
-.PP
-\-m \fImode\fR
-.RS 4
-Specify whether MX records should be checked to see if they are addresses. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-M \fImode\fR
-.RS 4
-Check if a MX record refers to a CNAME. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-n \fImode\fR
-.RS 4
-Specify whether NS records should be checked to see if they are addresses. Possible modes are
-\fB"fail"\fR
-(default for
-\fBnamed\-compilezone\fR),
-\fB"warn"\fR
-(default for
-\fBnamed\-checkzone\fR) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-o \fIfilename\fR
-.RS 4
-Write zone output to
-\fIfilename\fR. If
-\fIfilename\fR
-is
-\fI\-\fR
-then write to standard out. This is mandatory for
-\fBnamed\-compilezone\fR.
-.RE
-.PP
-\-r \fImode\fR
-.RS 4
-Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-s \fIstyle\fR
-.RS 4
-Specify the style of the dumped zone file. Possible styles are
-\fB"full"\fR
-(default) and
-\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For
-\fBnamed\-checkzone\fR
-this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
-.RE
-.PP
-\-S \fImode\fR
-.RS 4
-Check if a SRV record refers to a CNAME. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-\fIdirectory\fR
-so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.RE
-.PP
-\-T \fImode\fR
-.RS 4
-Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
-\fB"warn"\fR
-(default),
-\fB"ignore"\fR.
-.RE
-.PP
-\-w \fIdirectory\fR
-.RS 4
-chdir to
-\fIdirectory\fR
-so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
-\fInamed.conf\fR.
-.RE
-.PP
-\-D
-.RS 4
-Dump zone file in canonical format. This is always enabled for
-\fBnamed\-compilezone\fR.
-.RE
-.PP
-\-W \fImode\fR
-.RS 4
-Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.RE
-.PP
-zonename
-.RS 4
-The domain name of the zone being checked.
-.RE
-.PP
-filename
-.RS 4
-The name of the zone file.
-.RE
-.SH "RETURN VALUES"
-.PP
-\fBnamed\-checkzone\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBnamed\-checkconf\fR(8),
-RFC 1035,
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2009\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2002 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c
deleted file mode 100644
index 7e779c2..0000000
--- a/contrib/bind9/bin/check/named-checkzone.c
+++ /dev/null
@@ -1,544 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: named-checkzone.c,v 1.65 2011/12/22 17:29:22 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/app.h>
-#include <isc/commandline.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/socket.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-#include <dns/types.h>
-#include <dns/zone.h>
-
-#include "check-tool.h"
-
-static int quiet = 0;
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-dns_zone_t *zone = NULL;
-dns_zonetype_t zonetype = dns_zone_master;
-static int dumpzone = 0;
-static const char *output_filename;
-static char *prog_name = NULL;
-static const dns_master_style_t *outputstyle = NULL;
-static enum { progmode_check, progmode_compile } progmode;
-
-#define ERRRET(result, function) \
-	do { \
-		if (result != ISC_R_SUCCESS) { \
-			if (!quiet) \
-				fprintf(stderr, "%s() returned %s\n", \
-					function, dns_result_totext(result)); \
-			return (result); \
-		} \
-	} while (0)
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr,
-		"usage: %s [-djqvD] [-c class] "
-		"[-f inputformat] [-F outputformat] "
-		"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
-		"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
-		"[-r (ignore|warn|fail)] "
-		"[-i (full|full-sibling|local|local-sibling|none)] "
-		"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
-		"[-W (ignore|warn)] "
-		"%s zonename filename\n",
-		prog_name,
-		progmode == progmode_check ? "[-o filename]" : "-o filename");
-	exit(1);
-}
-
-static void
-destroy(void) {
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	dns_name_destroy();
-}
-
-/*% main processing routine */
-int
-main(int argc, char **argv) {
-	int c;
-	char *origin = NULL;
-	char *filename = NULL;
-	isc_log_t *lctx = NULL;
-	isc_result_t result;
-	char classname_in[] = "IN";
-	char *classname = classname_in;
-	const char *workdir = NULL;
-	const char *inputformatstr = NULL;
-	const char *outputformatstr = NULL;
-	dns_masterformat_t inputformat = dns_masterformat_text;
-	dns_masterformat_t outputformat = dns_masterformat_text;
-	dns_masterrawheader_t header;
-	isc_uint32_t rawversion = 1, serialnum = 0;
-	isc_boolean_t snset = ISC_FALSE;
-	isc_boolean_t logdump = ISC_FALSE;
-	FILE *errout = stdout;
-	char *endp;
-
-	outputstyle = &dns_master_style_full;
-
-	prog_name = strrchr(argv[0], '/');
-	if (prog_name == NULL)
-		prog_name = strrchr(argv[0], '\\');
-	if (prog_name != NULL)
-		prog_name++;
-	else
-		prog_name = argv[0];
-	/*
-	 * Libtool doesn't preserve the program name prior to final
-	 * installation.  Remove the libtool prefix ("lt-").
-	 */
-	if (strncmp(prog_name, "lt-", 3) == 0)
-		prog_name += 3;
-
-#define PROGCMP(X) \
-	(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
-
-	if (PROGCMP("named-checkzone"))
-		progmode = progmode_check;
-	else if (PROGCMP("named-compilezone"))
-		progmode = progmode_compile;
-	else
-		INSIST(0);
-
-	/* Compilation specific defaults */
-	if (progmode == progmode_compile) {
-		zone_options |= (DNS_ZONEOPT_CHECKNS |
-				 DNS_ZONEOPT_FATALNS |
-				 DNS_ZONEOPT_CHECKSPF |
-				 DNS_ZONEOPT_CHECKDUPRR |
-				 DNS_ZONEOPT_CHECKNAMES |
-				 DNS_ZONEOPT_CHECKNAMESFAIL |
-				 DNS_ZONEOPT_CHECKWILDCARD);
-	} else
-		zone_options |= (DNS_ZONEOPT_CHECKDUPRR |
-				 DNS_ZONEOPT_CHECKSPF);
-
-#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((c = isc_commandline_parse(argc, argv,
-			       "c:df:hi:jk:L:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
-	       != EOF) {
-		switch (c) {
-		case 'c':
-			classname = isc_commandline_argument;
-			break;
-
-		case 'd':
-			debug++;
-			break;
-
-		case 'i':
-			if (ARGCMP("full")) {
-				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
-						DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = ISC_TRUE;
-				docheckns = ISC_TRUE;
-				dochecksrv = ISC_TRUE;
-			} else if (ARGCMP("full-sibling")) {
-				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = ISC_TRUE;
-				docheckns = ISC_TRUE;
-				dochecksrv = ISC_TRUE;
-			} else if (ARGCMP("local")) {
-				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-				zone_options |= DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = ISC_FALSE;
-				docheckns = ISC_FALSE;
-				dochecksrv = ISC_FALSE;
-			} else if (ARGCMP("local-sibling")) {
-				zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
-				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = ISC_FALSE;
-				docheckns = ISC_FALSE;
-				dochecksrv = ISC_FALSE;
-			} else if (ARGCMP("none")) {
-				zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
-				zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
-				docheckmx = ISC_FALSE;
-				docheckns = ISC_FALSE;
-				dochecksrv = ISC_FALSE;
-			} else {
-				fprintf(stderr, "invalid argument to -i: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'f':
-			inputformatstr = isc_commandline_argument;
-			break;
-
-		case 'F':
-			outputformatstr = isc_commandline_argument;
-			break;
-
-		case 'j':
-			nomerge = ISC_FALSE;
-			break;
-
-		case 'k':
-			if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKNAMES;
-				zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
-			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKNAMES |
-						DNS_ZONEOPT_CHECKNAMESFAIL;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
-						  DNS_ZONEOPT_CHECKNAMESFAIL);
-			} else {
-				fprintf(stderr, "invalid argument to -k: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'L':
-			snset = ISC_TRUE;
-			endp = NULL;
-			serialnum = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
-				fprintf(stderr, "source serial number "
-						"must be numeric");
-				exit(1);
-			}
-			break;
-
-		case 'n':
-			if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKNS|
-						  DNS_ZONEOPT_FATALNS);
-			} else if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKNS;
-				zone_options &= ~DNS_ZONEOPT_FATALNS;
-			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKNS|
-						DNS_ZONEOPT_FATALNS;
-			} else {
-				fprintf(stderr, "invalid argument to -n: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'm':
-			if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKMX;
-				zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
-			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKMX |
-						DNS_ZONEOPT_CHECKMXFAIL;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKMX |
-						  DNS_ZONEOPT_CHECKMXFAIL);
-			} else {
-				fprintf(stderr, "invalid argument to -m: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'o':
-			output_filename = isc_commandline_argument;
-			break;
-
-		case 'q':
-			quiet++;
-			break;
-
-		case 'r':
-			if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKDUPRR;
-				zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
-			} else if (ARGCMP("fail")) {
-				zone_options |= DNS_ZONEOPT_CHECKDUPRR |
-						DNS_ZONEOPT_CHECKDUPRRFAIL;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~(DNS_ZONEOPT_CHECKDUPRR |
-						  DNS_ZONEOPT_CHECKDUPRRFAIL);
-			} else {
-				fprintf(stderr, "invalid argument to -r: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 's':
-			if (ARGCMP("full"))
-				outputstyle = &dns_master_style_full;
-			else if (ARGCMP("relative")) {
-				outputstyle = &dns_master_style_default;
-			} else {
-				fprintf(stderr,
-					"unknown or unsupported style: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 't':
-			result = isc_dir_chroot(isc_commandline_argument);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "isc_dir_chroot: %s: %s\n",
-					isc_commandline_argument,
-					isc_result_totext(result));
-				exit(1);
-			}
-			break;
-
-		case 'v':
-			printf(VERSION "\n");
-			exit(0);
-
-		case 'w':
-			workdir = isc_commandline_argument;
-			break;
-
-		case 'D':
-			dumpzone++;
-			break;
-
-		case 'M':
-			if (ARGCMP("fail")) {
-				zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
-				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-			} else if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-				zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
-			} else if (ARGCMP("ignore")) {
-				zone_options |= DNS_ZONEOPT_WARNMXCNAME;
-				zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
-			} else {
-				fprintf(stderr, "invalid argument to -M: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'S':
-			if (ARGCMP("fail")) {
-				zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
-				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-			} else if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-				zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
-			} else if (ARGCMP("ignore")) {
-				zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
-				zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
-			} else {
-				fprintf(stderr, "invalid argument to -S: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'T':
-			if (ARGCMP("warn")) {
-				zone_options |= DNS_ZONEOPT_CHECKSPF;
-			} else if (ARGCMP("ignore")) {
-				zone_options &= ~DNS_ZONEOPT_CHECKSPF;
-			} else {
-				fprintf(stderr, "invalid argument to -T: %s\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'W':
-			if (ARGCMP("warn"))
-				zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
-			else if (ARGCMP("ignore"))
-				zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
-			break;
-
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					prog_name, isc_commandline_option);
-			/* FALLTHROUGH */
-		case 'h':
-			usage();
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				prog_name, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (workdir != NULL) {
-		result = isc_dir_chdir(workdir);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "isc_dir_chdir: %s: %s\n",
-				workdir, isc_result_totext(result));
-			exit(1);
-		}
-	}
-
-	if (inputformatstr != NULL) {
-		if (strcasecmp(inputformatstr, "text") == 0)
-			inputformat = dns_masterformat_text;
-		else if (strcasecmp(inputformatstr, "raw") == 0)
-			inputformat = dns_masterformat_raw;
-		else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
-			inputformat = dns_masterformat_raw;
-			fprintf(stderr,
-				"WARNING: input format raw, version ignored\n");
-		} else {
-			fprintf(stderr, "unknown file format: %s\n",
-			    inputformatstr);
-			exit(1);
-		}
-	}
-
-	if (outputformatstr != NULL) {
-		if (strcasecmp(outputformatstr, "text") == 0) {
-			outputformat = dns_masterformat_text;
-		} else if (strcasecmp(outputformatstr, "raw") == 0) {
-			outputformat = dns_masterformat_raw;
-		} else if (strncasecmp(outputformatstr, "raw=", 4) == 0) {
-			char *end;
-
-			outputformat = dns_masterformat_raw;
-			rawversion = strtol(outputformatstr + 4, &end, 10);
-			if (end == outputformatstr + 4 || *end != '\0' ||
-			    rawversion > 1U) {
-				fprintf(stderr,
-					"unknown raw format version\n");
-				exit(1);
-			}
-		} else {
-			fprintf(stderr, "unknown file format: %s\n",
-				outputformatstr);
-			exit(1);
-		}
-	}
-
-	if (progmode == progmode_compile) {
-		dumpzone = 1;	/* always dump */
-		logdump = !quiet;
-		if (output_filename == NULL) {
-			fprintf(stderr,
-				"output file required, but not specified\n");
-			usage();
-		}
-	}
-
-	if (output_filename != NULL)
-		dumpzone = 1;
-
-	/*
-	 * If we are outputing to stdout then send the informational
-	 * output to stderr.
-	 */
-	if (dumpzone &&
-	    (output_filename == NULL ||
-	     strcmp(output_filename, "-") == 0 ||
-	     strcmp(output_filename, "/dev/fd/1") == 0 ||
-	     strcmp(output_filename, "/dev/stdout") == 0)) {
-		errout = stderr;
-		logdump = ISC_FALSE;
-	}
-
-	if (isc_commandline_index + 2 != argc)
-		usage();
-
-#ifdef _WIN32
-	InitSockets();
-#endif
-
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-	if (!quiet)
-		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
-			      == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
-		      == ISC_R_SUCCESS);
-
-	dns_result_register();
-
-	origin = argv[isc_commandline_index++];
-	filename = argv[isc_commandline_index++];
-	result = load_zone(mctx, origin, filename, inputformat, classname,
-			   &zone);
-
-	if (snset) {
-		dns_master_initrawheader(&header);
-		header.flags = DNS_MASTERRAW_SOURCESERIALSET;
-		header.sourceserial = serialnum;
-		dns_zone_setrawdata(zone, &header);
-	}
-
-	if (result == ISC_R_SUCCESS && dumpzone) {
-		if (logdump) {
-			fprintf(errout, "dump zone to %s...", output_filename);
-			fflush(errout);
-		}
-		result = dump_zone(origin, zone, output_filename,
-				   outputformat, outputstyle, rawversion);
-		if (logdump)
-			fprintf(errout, "done\n");
-	}
-
-	if (!quiet && result == ISC_R_SUCCESS)
-		fprintf(errout, "OK\n");
-	destroy();
-	if (lctx != NULL)
-		isc_log_destroy(&lctx);
-	isc_hash_destroy();
-	isc_entropy_detach(&ectx);
-	isc_mem_destroy(&mctx);
-#ifdef _WIN32
-	DestroySockets();
-#endif
-	return ((result == ISC_R_SUCCESS) ? 0 : 1);
-}
diff --git a/contrib/bind9/bin/check/named-checkzone.docbook b/contrib/bind9/bin/check/named-checkzone.docbook
deleted file mode 100644
index ea37fa2..0000000
--- a/contrib/bind9/bin/check/named-checkzone.docbook
+++ /dev/null
@@ -1,509 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2007, 2009-2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named-checkzone.docbook,v 1.44 2011/12/22 07:32:39 each Exp $ -->
-<refentry id="man.named-checkzone">
-  <refentryinfo>
-    <date>June 13, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>named-checkzone</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2013</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname><application>named-checkzone</application></refname>
-    <refname><application>named-compilezone</application></refname>
-    <refpurpose>zone file validity checking or converting tool</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>named-checkzone</command>
-      <arg><option>-d</option></arg>
-      <arg><option>-h</option></arg>
-      <arg><option>-j</option></arg>
-      <arg><option>-q</option></arg>
-      <arg><option>-v</option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
-      <arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
-      <arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
-      <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
-      <arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
-      <arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-D</option></arg>
-      <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="req">zonename</arg>
-      <arg choice="req">filename</arg>
-    </cmdsynopsis>
-    <cmdsynopsis>
-      <command>named-compilezone</command>
-      <arg><option>-d</option></arg>
-      <arg><option>-j</option></arg>
-      <arg><option>-q</option></arg>
-      <arg><option>-v</option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
-      <arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
-      <arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
-      <arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
-      <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-D</option></arg>
-      <arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
-      <arg choice="req"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
-      <arg choice="req">zonename</arg>
-      <arg choice="req">filename</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>named-checkzone</command>
-      checks the syntax and integrity of a zone file.  It performs the
-      same checks as <command>named</command> does when loading a
-      zone.  This makes <command>named-checkzone</command> useful for
-      checking zone files before configuring them into a name server.
-    </para>
-    <para>
-        <command>named-compilezone</command> is similar to
-	<command>named-checkzone</command>, but it always dumps the
-        zone contents to a specified file in a specified format.
-	Additionally, it applies stricter check levels by default,
-        since the dump output will be used as an actual zone file
-	loaded by <command>named</command>.
-	When manually specified otherwise, the check levels must at
-        least be as strict as those specified in the
-	<command>named</command> configuration file.
-     </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-d</term>
-        <listitem>
-          <para>
-            Enable debugging.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-h</term>
-        <listitem>
-          <para>
-            Print the usage summary and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-q</term>
-        <listitem>
-          <para>
-            Quiet mode - exit code only.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v</term>
-        <listitem>
-          <para>
-            Print the version of the <command>named-checkzone</command>
-            program and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-j</term>
-        <listitem>
-          <para>
-            When loading the zone file read the journal if it exists.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">class</replaceable></term>
-        <listitem>
-          <para>
-            Specify the class of the zone.  If not specified, "IN" is assumed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-i <replaceable class="parameter">mode</replaceable></term>
-	<listitem>
-	  <para>
-	      Perform post-load zone integrity checks.  Possible modes are
-	      <command>"full"</command> (default),
-	      <command>"full-sibling"</command>,
-	      <command>"local"</command>,
-	      <command>"local-sibling"</command> and
-	      <command>"none"</command>.
-	  </para>
-	  <para>
-	      Mode <command>"full"</command> checks that MX records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <command>"local"</command> only
-	      checks MX records which refer to in-zone hostnames.
-	  </para>
-	  <para>
-	      Mode <command>"full"</command> checks that SRV records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <command>"local"</command> only
-	      checks SRV records which refer to in-zone hostnames.
-	  </para>
-	  <para>
-	      Mode <command>"full"</command> checks that delegation NS
-	      records refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  It also checks that glue address records
-	      in the zone match those advertised by the child.
-	      Mode <command>"local"</command> only checks NS records which
-	      refer to in-zone hostnames or that some required glue exists,
-	      that is when the nameserver is in a child zone.
-	  </para>
-	  <para>
-	      Mode <command>"full-sibling"</command> and
-	      <command>"local-sibling"</command> disable sibling glue
-	      checks but are otherwise the same as <command>"full"</command>
-	      and <command>"local"</command> respectively.
-	  </para>
-	  <para>
-	      Mode <command>"none"</command> disables the checks.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-f <replaceable class="parameter">format</replaceable></term>
-	<listitem>
-	  <para>
-	    Specify the format of the zone file.
-	    Possible formats are <command>"text"</command> (default)
-	    and <command>"raw"</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-F <replaceable class="parameter">format</replaceable></term>
-	<listitem>
-	  <para>
-	    Specify the format of the output file specified.
-	    For <command>named-checkzone</command>,
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	  </para>
-	  <para>
-	    Possible formats are <command>"text"</command> (default)
-	    and <command>"raw"</command> or <command>"raw=N"</command>,
-            which store the zone in a binary format for rapid loading
-            by <command>named</command>.  <command>"raw=N"</command>
-            specifies the format version of the raw zone file: if N
-            is 0, the raw file can be read by any version of
-            <command>named</command>; if N is 1, the file can be read
-            by release 9.9.0 or higher.  The default is 1.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-k <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-          <para>
-            Perform <command>"check-names"</command> checks with the
-	    specified failure mode.
-            Possible modes are <command>"fail"</command>
-	    (default for <command>named-compilezone</command>),
-            <command>"warn"</command>
-	    (default for <command>named-checkzone</command>) and
-            <command>"ignore"</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-L <replaceable class="parameter">serial</replaceable></term>
-        <listitem>
-          <para>
-            When compiling a zone to 'raw' format, set the "source serial" 
-            value in the header to the specified serial number.  (This is
-            expected to be used primarily for testing purposes.)
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-m <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-          <para>
-            Specify whether MX records should be checked to see if they
-            are addresses.  Possible modes are <command>"fail"</command>,
-            <command>"warn"</command> (default) and
-            <command>"ignore"</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-M <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-	  <para>
-	    Check if a MX record refers to a CNAME.
-            Possible modes are <command>"fail"</command>,
-            <command>"warn"</command> (default) and
-            <command>"ignore"</command>.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-n <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-          <para>
-            Specify whether NS records should be checked to see if they
-            are addresses.
-	    Possible modes are <command>"fail"</command>
-	    (default for <command>named-compilezone</command>),
-            <command>"warn"</command>
-	    (default for <command>named-checkzone</command>) and
-            <command>"ignore"</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-o <replaceable class="parameter">filename</replaceable></term>
-        <listitem>
-          <para>
-            Write zone output to <filename>filename</filename>.
-	    If <filename>filename</filename> is <filename>-</filename> then
-	    write to standard out.
-	    This is mandatory for <command>named-compilezone</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-r <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-	  <para>
-            Check for records that are treated as different by DNSSEC but
-	    are semantically equal in plain DNS.  
-            Possible modes are <command>"fail"</command>,
-            <command>"warn"</command> (default) and
-            <command>"ignore"</command>.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-s <replaceable class="parameter">style</replaceable></term>
-	<listitem>
-	  <para>
-	    Specify the style of the dumped zone file.
-	    Possible styles are <command>"full"</command> (default)
-	    and <command>"relative"</command>.
-	    The full format is most suitable for processing
-	    automatically by a separate script.
-	    On the other hand, the relative format is more
-	    human-readable and is thus suitable for editing by hand.
-	    For <command>named-checkzone</command>
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	    It also does not have any meaning if the output format
-	    is not text.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-S <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-	  <para>
-	    Check if a SRV record refers to a CNAME.
-            Possible modes are <command>"fail"</command>,
-            <command>"warn"</command> (default) and
-            <command>"ignore"</command>.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Chroot to <filename>directory</filename> so that
-            include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted named.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-T <replaceable class="parameter">mode</replaceable></term>
-	<listitem>
-	  <para>
-	    Check if Sender Policy Framework records (TXT and SPF)
-	    both exist or both don't exist.  A warning is issued
-	    if they don't match.  Possible modes are
-	    <command>"warn"</command> (default), <command>"ignore"</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-w <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            chdir to <filename>directory</filename> so that
-            relative
-            filenames in master file $INCLUDE directives work.  This
-            is similar to the directory clause in
-            <filename>named.conf</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-D</term>
-        <listitem>
-          <para>
-            Dump zone file in canonical format.
-	    This is always enabled for <command>named-compilezone</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-W <replaceable class="parameter">mode</replaceable></term>
-        <listitem>
-          <para>
-            Specify whether to check for non-terminal wildcards.
-            Non-terminal wildcards are almost always the result of a
-            failure to understand the wildcard matching algorithm (RFC 1034).
-            Possible modes are <command>"warn"</command> (default)
-            and
-            <command>"ignore"</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>zonename</term>
-        <listitem>
-          <para>
-            The domain name of the zone being checked.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>filename</term>
-        <listitem>
-          <para>
-            The name of the zone file.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para><command>named-checkzone</command>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>  
-      </citerefentry>,
-      <citetitle>RFC 1035</citetitle>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/check/named-checkzone.html b/contrib/bind9/bin/check/named-checkzone.html
deleted file mode 100644
index 6941326..0000000
--- a/contrib/bind9/bin/check/named-checkzone.html
+++ /dev/null
@@ -1,293 +0,0 @@
-<!--
- - Copyright (C) 2004-2007, 2009-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.named-checkzone"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
-<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543736"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">named-checkzone</strong></span>
-      checks the syntax and integrity of a zone file.  It performs the
-      same checks as <span><strong class="command">named</strong></span> does when loading a
-      zone.  This makes <span><strong class="command">named-checkzone</strong></span> useful for
-      checking zone files before configuring them into a name server.
-    </p>
-<p>
-        <span><strong class="command">named-compilezone</strong></span> is similar to
-	<span><strong class="command">named-checkzone</strong></span>, but it always dumps the
-        zone contents to a specified file in a specified format.
-	Additionally, it applies stricter check levels by default,
-        since the dump output will be used as an actual zone file
-	loaded by <span><strong class="command">named</strong></span>.
-	When manually specified otherwise, the check levels must at
-        least be as strict as those specified in the
-	<span><strong class="command">named</strong></span> configuration file.
-     </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543771"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-d</span></dt>
-<dd><p>
-            Enable debugging.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Print the usage summary and exit.
-          </p></dd>
-<dt><span class="term">-q</span></dt>
-<dd><p>
-            Quiet mode - exit code only.
-          </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-            Print the version of the <span><strong class="command">named-checkzone</strong></span>
-            program and exit.
-          </p></dd>
-<dt><span class="term">-j</span></dt>
-<dd><p>
-            When loading the zone file read the journal if it exists.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Specify the class of the zone.  If not specified, "IN" is assumed.
-          </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-<p>
-	      Perform post-load zone integrity checks.  Possible modes are
-	      <span><strong class="command">"full"</strong></span> (default),
-	      <span><strong class="command">"full-sibling"</strong></span>,
-	      <span><strong class="command">"local"</strong></span>,
-	      <span><strong class="command">"local-sibling"</strong></span> and
-	      <span><strong class="command">"none"</strong></span>.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"full"</strong></span> checks that MX records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
-	      checks MX records which refer to in-zone hostnames.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"full"</strong></span> checks that SRV records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
-	      checks SRV records which refer to in-zone hostnames.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
-	      records refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  It also checks that glue address records
-	      in the zone match those advertised by the child.
-	      Mode <span><strong class="command">"local"</strong></span> only checks NS records which
-	      refer to in-zone hostnames or that some required glue exists,
-	      that is when the nameserver is in a child zone.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"full-sibling"</strong></span> and
-	      <span><strong class="command">"local-sibling"</strong></span> disable sibling glue
-	      checks but are otherwise the same as <span><strong class="command">"full"</strong></span>
-	      and <span><strong class="command">"local"</strong></span> respectively.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"none"</strong></span> disables the checks.
-	  </p>
-</dd>
-<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
-<dd><p>
-	    Specify the format of the zone file.
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    and <span><strong class="command">"raw"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
-<dd>
-<p>
-	    Specify the format of the output file specified.
-	    For <span><strong class="command">named-checkzone</strong></span>,
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	  </p>
-<p>
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
-            which store the zone in a binary format for rapid loading
-            by <span><strong class="command">named</strong></span>.  <span><strong class="command">"raw=N"</strong></span>
-            specifies the format version of the raw zone file: if N
-            is 0, the raw file can be read by any version of
-            <span><strong class="command">named</strong></span>; if N is 1, the file can be read
-            by release 9.9.0 or higher.  The default is 1.
-	  </p>
-</dd>
-<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Perform <span><strong class="command">"check-names"</strong></span> checks with the
-	    specified failure mode.
-            Possible modes are <span><strong class="command">"fail"</strong></span>
-	    (default for <span><strong class="command">named-compilezone</strong></span>),
-            <span><strong class="command">"warn"</strong></span>
-	    (default for <span><strong class="command">named-checkzone</strong></span>) and
-            <span><strong class="command">"ignore"</strong></span>.
-          </p></dd>
-<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd><p>
-            When compiling a zone to 'raw' format, set the "source serial" 
-            value in the header to the specified serial number.  (This is
-            expected to be used primarily for testing purposes.)
-          </p></dd>
-<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Specify whether MX records should be checked to see if they
-            are addresses.  Possible modes are <span><strong class="command">"fail"</strong></span>,
-            <span><strong class="command">"warn"</strong></span> (default) and
-            <span><strong class="command">"ignore"</strong></span>.
-          </p></dd>
-<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-	    Check if a MX record refers to a CNAME.
-            Possible modes are <span><strong class="command">"fail"</strong></span>,
-            <span><strong class="command">"warn"</strong></span> (default) and
-            <span><strong class="command">"ignore"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Specify whether NS records should be checked to see if they
-            are addresses.
-	    Possible modes are <span><strong class="command">"fail"</strong></span>
-	    (default for <span><strong class="command">named-compilezone</strong></span>),
-            <span><strong class="command">"warn"</strong></span>
-	    (default for <span><strong class="command">named-checkzone</strong></span>) and
-            <span><strong class="command">"ignore"</strong></span>.
-          </p></dd>
-<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
-<dd><p>
-            Write zone output to <code class="filename">filename</code>.
-	    If <code class="filename">filename</code> is <code class="filename">-</code> then
-	    write to standard out.
-	    This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
-          </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Check for records that are treated as different by DNSSEC but
-	    are semantically equal in plain DNS.  
-            Possible modes are <span><strong class="command">"fail"</strong></span>,
-            <span><strong class="command">"warn"</strong></span> (default) and
-            <span><strong class="command">"ignore"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
-<dd><p>
-	    Specify the style of the dumped zone file.
-	    Possible styles are <span><strong class="command">"full"</strong></span> (default)
-	    and <span><strong class="command">"relative"</strong></span>.
-	    The full format is most suitable for processing
-	    automatically by a separate script.
-	    On the other hand, the relative format is more
-	    human-readable and is thus suitable for editing by hand.
-	    For <span><strong class="command">named-checkzone</strong></span>
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	    It also does not have any meaning if the output format
-	    is not text.
-	  </p></dd>
-<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-	    Check if a SRV record refers to a CNAME.
-            Possible modes are <span><strong class="command">"fail"</strong></span>,
-            <span><strong class="command">"warn"</strong></span> (default) and
-            <span><strong class="command">"ignore"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Chroot to <code class="filename">directory</code> so that
-            include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted named.
-          </p></dd>
-<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-	    Check if Sender Policy Framework records (TXT and SPF)
-	    both exist or both don't exist.  A warning is issued
-	    if they don't match.  Possible modes are
-	    <span><strong class="command">"warn"</strong></span> (default), <span><strong class="command">"ignore"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            chdir to <code class="filename">directory</code> so that
-            relative
-            filenames in master file $INCLUDE directives work.  This
-            is similar to the directory clause in
-            <code class="filename">named.conf</code>.
-          </p></dd>
-<dt><span class="term">-D</span></dt>
-<dd><p>
-            Dump zone file in canonical format.
-	    This is always enabled for <span><strong class="command">named-compilezone</strong></span>.
-          </p></dd>
-<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Specify whether to check for non-terminal wildcards.
-            Non-terminal wildcards are almost always the result of a
-            failure to understand the wildcard matching algorithm (RFC 1034).
-            Possible modes are <span><strong class="command">"warn"</strong></span> (default)
-            and
-            <span><strong class="command">"ignore"</strong></span>.
-          </p></dd>
-<dt><span class="term">zonename</span></dt>
-<dd><p>
-            The domain name of the zone being checked.
-          </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
-            The name of the zone file.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544612"></a><h2>RETURN VALUES</h2>
-<p><span><strong class="command">named-checkzone</strong></span>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544624"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
-      <em class="citetitle">RFC 1035</em>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544657"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/confgen/Makefile.in b/contrib/bind9/bin/confgen/Makefile.in
deleted file mode 100644
index 8b3e5aa..0000000
--- a/contrib/bind9/bin/confgen/Makefile.in
+++ /dev/null
@@ -1,101 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.8 2009/12/05 23:31:40 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
-	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-BIND9LIBS =	../../lib/bind9/libbind9.@A@
-
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
-BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
-
-RNDCLIBS =	${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
-RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
-
-LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
-
-NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
-
-CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
-
-SRCS=		rndc-confgen.c ddns-confgen.c
-
-SUBDIRS =	unix
-
-TARGETS =	rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
-
-MANPAGES =	rndc-confgen.8 ddns-confgen.8
-
-HTMLPAGES =	rndc-confgen.html ddns-confgen.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-UOBJS =		unix/os.@O@
-
-@BIND9_MAKE_RULES@
-
-rndc-confgen.@O@: rndc-confgen.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-		-c ${srcdir}/rndc-confgen.c
-
-ddns-confgen.@O@: ddns-confgen.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
-
-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} 
-	export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
-	${FINALBUILDCMD}
-
-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} 
-	export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
-	${FINALBUILDCMD}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
-	${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
-
-clean distclean maintainer-clean::
-	rm -f ${TARGETS}
diff --git a/contrib/bind9/bin/confgen/ddns-confgen.8 b/contrib/bind9/bin/confgen/ddns-confgen.8
deleted file mode 100644
index fd2670e..0000000
--- a/contrib/bind9/bin/confgen/ddns-confgen.8
+++ /dev/null
@@ -1,143 +0,0 @@
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: ddns\-confgen
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jan 29, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-ddns\-confgen \- ddns key generation tool
-.SH "SYNOPSIS"
-.HP 13
-\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name]
-.SH "DESCRIPTION"
-.PP
-\fBddns\-confgen\fR
-generates a key for use by
-\fBnsupdate\fR
-and
-\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the
-\fBnsupdate\fR
-and
-\fBnamed.conf\fR
-syntax that will be needed to use it, including an example
-\fBupdate\-policy\fR
-statement.
-.PP
-If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample
-\fBnamed.conf\fR
-syntax. For example,
-\fBddns\-confgen example.com\fR
-would generate a key called "ddns\-key.example.com", and sample
-\fBnamed.conf\fR
-command that could be used in the zone definition for "example.com".
-.PP
-Note that
-\fBnamed\fR
-itself can configure a local DDNS key for use with
-\fBnsupdate \-l\fR.
-\fBddns\-confgen\fR
-is only needed when a more elaborate configuration is required: for instance, if
-\fBnsupdate\fR
-is to be used from a remote system.
-.SH "OPTIONS"
-.PP
-\-a \fIalgorithm\fR
-.RS 4
-Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256.
-.RE
-.PP
-\-h
-.RS 4
-Prints a short summary of the options and arguments to
-\fBddns\-confgen\fR.
-.RE
-.PP
-\-k \fIkeyname\fR
-.RS 4
-Specifies the key name of the DDNS authentication key. The default is
-\fBddns\-key\fR
-when neither the
-\fB\-s\fR
-nor
-\fB\-z\fR
-option is specified; otherwise, the default is
-\fBddns\-key\fR
-as a separate label followed by the argument of the option, e.g.,
-\fBddns\-key.example.com.\fR
-The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
-.RE
-.PP
-\-q
-.RS 4
-Quiet mode: Print only the key, with no explanatory text or usage examples.
-.RE
-.PP
-\-r \fIrandomfile\fR
-.RS 4
-Specifies a source of random data for generating the authorization. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-s \fIname\fR
-.RS 4
-Single host mode: The example
-\fBnamed.conf\fR
-text shows how to set an update policy for the specified
-\fIname\fR
-using the "name" nametype. The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the
-\fB\-z\fR
-option.
-.RE
-.PP
-\-z \fIzone\fR
-.RS 4
-zone mode: The example
-\fBnamed.conf\fR
-text shows how to set an update policy for the specified
-\fIzone\fR
-using the "zonesub" nametype, allowing updates to all subdomain names within that
-\fIzone\fR. This option cannot be used with the
-\fB\-s\fR
-option.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBnsupdate\fR(1),
-\fBnamed.conf\fR(5),
-\fBnamed\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/confgen/ddns-confgen.c b/contrib/bind9/bin/confgen/ddns-confgen.c
deleted file mode 100644
index d655145..0000000
--- a/contrib/bind9/bin/confgen/ddns-confgen.c
+++ /dev/null
@@ -1,258 +0,0 @@
-/*
- * Copyright (C) 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ddns-confgen.c,v 1.11 2011/03/12 04:59:46 tbox Exp $ */
-
-/*! \file */
-
-/**
- * ddns-confgen generates configuration files for dynamic DNS. It can
- * be used as a convenient alternative to writing the ddns.key file
- * and the corresponding key and update-policy statements in named.conf.
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <stdarg.h>
-
-#include <isc/assertions.h>
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/keyboard.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-
-#include <dst/dst.h>
-#include <confgen/os.h>
-
-#include "util.h"
-#include "keygen.h"
-
-#define DEFAULT_KEYNAME		"ddns-key"
-
-static char program[256];
-const char *progname;
-
-isc_boolean_t verbose = ISC_FALSE;
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(int status) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(int status) {
-
-	fprintf(stderr, "\
-Usage:\n\
- %s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
-  -a alg:        algorithm (default hmac-sha256)\n\
-  -k keyname:    name of the key as it will be used in named.conf\n\
-  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-  -s name:       domain name to be updated using the created key\n\
-  -z zone:       name of the zone as it will be used in named.conf\n\
-  -q:            quiet mode: print the key, with no explanatory text\n",
-		 progname);
-
-	exit (status);
-}
-
-int
-main(int argc, char **argv) {
-	isc_boolean_t show_final_mem = ISC_FALSE;
-	isc_boolean_t quiet = ISC_FALSE;
-	isc_buffer_t key_txtbuffer;
-	char key_txtsecret[256];
-	isc_mem_t *mctx = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	const char *randomfile = NULL;
-	const char *keyname = NULL;
-	const char *zone = NULL;
-	const char *self_domain = NULL;
-	char *keybuf = NULL;
-	dns_secalg_t alg = DST_ALG_HMACSHA256;
-	const char *algname = alg_totext(alg);
-	int keysize = 256;
-	int len = 0;
-	int ch;
-
-	result = isc_file_progname(*argv, program, sizeof(program));
-	if (result != ISC_R_SUCCESS)
-		memcpy(program, "ddns-confgen", 13);
-	progname = program;
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "a:hk:Mmr:qs:Vy:z:")) != -1) {
-		switch (ch) {
-		case 'a':
-			algname = isc_commandline_argument;
-			alg = alg_fromtext(algname);
-			if (alg == DST_ALG_UNKNOWN)
-				fatal("Unsupported algorithm '%s'", algname);
-			keysize = alg_bits(alg);
-			break;
-		case 'h':
-			usage(0);
-		case 'k':
-		case 'y':
-			keyname = isc_commandline_argument;
-			break;
-		case 'M':
-			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
-			break;
-		case 'm':
-			show_final_mem = ISC_TRUE;
-			break;
-		case 'q':
-			quiet = ISC_TRUE;
-			break;
-		case 'r':
-			randomfile = isc_commandline_argument;
-			break;
-		case 's':
-			self_domain = isc_commandline_argument;
-			break;
-		case 'V':
-			verbose = ISC_TRUE;
-			break;
-		case 'z':
-			zone = isc_commandline_argument;
-			break;
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-				usage(1);
-			} else
-				usage(0);
-			break;
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-	POST(argv);
-
-	if (self_domain != NULL && zone != NULL)
-		usage(1);	/* -s and -z cannot coexist */
-
-	if (argc > 0)
-		usage(1);
-
-	DO("create memory context", isc_mem_create(0, 0, &mctx));
-
-	if (keyname == NULL) {
-		const char *suffix = NULL;
-
-		keyname = DEFAULT_KEYNAME;
-		if (self_domain != NULL)
-			suffix = self_domain;
-		else if (zone != NULL)
-			suffix = zone;
-		if (suffix != NULL) {
-			len = strlen(keyname) + strlen(suffix) + 2;
-			keybuf = isc_mem_get(mctx, len);
-			if (keybuf == NULL)
-				fatal("failed to allocate memory for keyname");
-			snprintf(keybuf, len, "%s.%s", keyname, suffix);
-			keyname = (const char *) keybuf;
-		}
-	}
-
-	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
-
-	generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
-
-
-	if (!quiet)
-		printf("\
-# To activate this key, place the following in named.conf, and\n\
-# in a separate keyfile on the system or systems from which nsupdate\n\
-# will be run:\n");
-
-	printf("\
-key \"%s\" {\n\
-	algorithm %s;\n\
-	secret \"%.*s\";\n\
-};\n",
-	       keyname, algname,
-	       (int)isc_buffer_usedlength(&key_txtbuffer),
-	       (char *)isc_buffer_base(&key_txtbuffer));
-
-	if (!quiet) {
-		if (self_domain != NULL) {
-			printf("\n\
-# Then, in the \"zone\" statement for the zone containing the\n\
-# name \"%s\", place an \"update-policy\" statement\n\
-# like this one, adjusted as needed for your preferred permissions:\n\
-update-policy {\n\
-	  grant %s name %s ANY;\n\
-};\n",
-			       self_domain, keyname, self_domain);
-		} else if (zone != NULL) {
-			printf("\n\
-# Then, in the \"zone\" definition statement for \"%s\",\n\
-# place an \"update-policy\" statement like this one, adjusted as \n\
-# needed for your preferred permissions:\n\
-update-policy {\n\
-	  grant %s zonesub ANY;\n\
-};\n",
-			       zone, keyname);
-		} else {
-			printf("\n\
-# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
-# update, place an \"update-policy\" statement granting update permission\n\
-# to this key.  For example, the following statement grants this key\n\
-# permission to update any name within the zone:\n\
-update-policy {\n\
-	grant %s zonesub ANY;\n\
-};\n",
-			       keyname);
-		}
-
-		printf("\n\
-# After the keyfile has been placed, the following command will\n\
-# execute nsupdate using this key:\n\
-nsupdate -k <keyfile>\n");
-
-	}
-
-	if (keybuf != NULL)
-		isc_mem_put(mctx, keybuf, len);
-
-	if (show_final_mem)
-		isc_mem_stats(mctx, stderr);
-
-	isc_mem_destroy(&mctx);
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/confgen/ddns-confgen.docbook b/contrib/bind9/bin/confgen/ddns-confgen.docbook
deleted file mode 100644
index cedfbf5..0000000
--- a/contrib/bind9/bin/confgen/ddns-confgen.docbook
+++ /dev/null
@@ -1,218 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-	       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: ddns-confgen.docbook,v 1.6 2009/09/18 22:08:55 fdupont Exp $ -->
-<refentry id="man.ddns-confgen">
-  <refentryinfo>
-    <date>Jan 29, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>ddns-confgen</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>ddns-confgen</application></refname>
-    <refpurpose>ddns key generation tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2009</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>ddns-confgen</command>
-      <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
-      <arg><option>-h</option></arg>
-      <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
-      <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
-      <group>
-        <arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg>
-        <arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg>
-      </group>
-      <arg><option>-q</option></arg>
-      <arg choice="opt">name</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>ddns-confgen</command>
-      generates a key for use by <command>nsupdate</command>
-      and <command>named</command>.  It simplifies configuration
-      of dynamic zones by generating a key and providing the
-      <command>nsupdate</command> and <command>named.conf</command>
-      syntax that will be needed to use it, including an example
-      <command>update-policy</command> statement.
-    </para>
-
-    <para>
-      If a domain name is specified on the command line, it will
-      be used in the name of the generated key and in the sample
-      <command>named.conf</command> syntax.  For example,
-      <command>ddns-confgen example.com</command> would
-      generate a key called "ddns-key.example.com", and sample
-      <command>named.conf</command> command that could be used
-      in the zone definition for "example.com".
-    </para>
-
-    <para>
-      Note that <command>named</command> itself can configure a
-      local DDNS key for use with <command>nsupdate -l</command>.
-      <command>ddns-confgen</command> is only needed when a 
-      more elaborate configuration is required: for instance, if
-      <command>nsupdate</command> is to be used from a remote system.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
-	<listitem>
-	  <para>
-            Specifies the algorithm to use for the TSIG key.  Available
-            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-h</term>
-	<listitem>
-	  <para>
-	    Prints a short summary of the options and arguments to
-	    <command>ddns-confgen</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-k <replaceable class="parameter">keyname</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies the key name of the DDNS authentication key.
-	    The default is <constant>ddns-key</constant> when neither
-	    the <option>-s</option> nor <option>-z</option> option is
-	    specified; otherwise, the default
-	    is <constant>ddns-key</constant> as a separate label
-	    followed by the argument of the option, e.g.,
-	    <constant>ddns-key.example.com.</constant>
-	    The key name must have the format of a valid domain name,
-	    consisting of letters, digits, hyphens and periods.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-q</term>
-	<listitem>
-	  <para>
-	    Quiet mode:  Print only the key, with no explanatory text or
-            usage examples.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-r <replaceable class="parameter">randomfile</replaceable></term>
-	<listitem>
-	  <para>
-            Specifies a source of random data for generating the
-            authorization.  If the operating system does not provide a
-            <filename>/dev/random</filename> or equivalent device, the
-            default source of randomness is keyboard input.
-            <filename>randomdev</filename> specifies the name of a
-            character device or file containing random data to be used
-            instead of the default.  The special value
-            <filename>keyboard</filename> indicates that keyboard input
-            should be used.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-s <replaceable class="parameter">name</replaceable></term>
-	<listitem>
-	  <para>
-	    Single host mode: The example <command>named.conf</command> text
-	    shows how to set an update policy for the specified
-	    <replaceable class="parameter">name</replaceable>
-	    using the "name" nametype.
-	    The default key name is
-	    ddns-key.<replaceable class="parameter">name</replaceable>.
-	    Note that the "self" nametype cannot be used, since
-	    the name to be updated may differ from the key name.
-	    This option cannot be used with the <option>-z</option> option.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-z <replaceable class="parameter">zone</replaceable></term>
-	<listitem>
-	  <para>
-	    zone mode:  The example <command>named.conf</command> text
-            shows how to set an update policy for the specified
-	    <replaceable class="parameter">zone</replaceable>
-	    using the "zonesub" nametype, allowing updates to all subdomain
-	    names within
-	    that <replaceable class="parameter">zone</replaceable>.
-	    This option cannot be used with the <option>-s</option> option.
-	  </para>
-	</listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-	<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-	<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/confgen/ddns-confgen.html b/contrib/bind9/bin/confgen/ddns-confgen.html
deleted file mode 100644
index 6b2f7dc..0000000
--- a/contrib/bind9/bin/confgen/ddns-confgen.html
+++ /dev/null
@@ -1,141 +0,0 @@
-<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>ddns-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.ddns-confgen"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543396"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">ddns-confgen</strong></span>
-      generates a key for use by <span><strong class="command">nsupdate</strong></span>
-      and <span><strong class="command">named</strong></span>.  It simplifies configuration
-      of dynamic zones by generating a key and providing the
-      <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
-      syntax that will be needed to use it, including an example
-      <span><strong class="command">update-policy</strong></span> statement.
-    </p>
-<p>
-      If a domain name is specified on the command line, it will
-      be used in the name of the generated key and in the sample
-      <span><strong class="command">named.conf</strong></span> syntax.  For example,
-      <span><strong class="command">ddns-confgen example.com</strong></span> would
-      generate a key called "ddns-key.example.com", and sample
-      <span><strong class="command">named.conf</strong></span> command that could be used
-      in the zone definition for "example.com".
-    </p>
-<p>
-      Note that <span><strong class="command">named</strong></span> itself can configure a
-      local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
-      <span><strong class="command">ddns-confgen</strong></span> is only needed when a 
-      more elaborate configuration is required: for instance, if
-      <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543456"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd><p>
-            Specifies the algorithm to use for the TSIG key.  Available
-            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
-	  </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	    Prints a short summary of the options and arguments to
-	    <span><strong class="command">ddns-confgen</strong></span>.
-	  </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd><p>
-	    Specifies the key name of the DDNS authentication key.
-	    The default is <code class="constant">ddns-key</code> when neither
-	    the <code class="option">-s</code> nor <code class="option">-z</code> option is
-	    specified; otherwise, the default
-	    is <code class="constant">ddns-key</code> as a separate label
-	    followed by the argument of the option, e.g.,
-	    <code class="constant">ddns-key.example.com.</code>
-	    The key name must have the format of a valid domain name,
-	    consisting of letters, digits, hyphens and periods.
-	  </p></dd>
-<dt><span class="term">-q</span></dt>
-<dd><p>
-	    Quiet mode:  Print only the key, with no explanatory text or
-            usage examples.
-	  </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd><p>
-            Specifies a source of random data for generating the
-            authorization.  If the operating system does not provide a
-            <code class="filename">/dev/random</code> or equivalent device, the
-            default source of randomness is keyboard input.
-            <code class="filename">randomdev</code> specifies the name of a
-            character device or file containing random data to be used
-            instead of the default.  The special value
-            <code class="filename">keyboard</code> indicates that keyboard input
-            should be used.
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>
-	    Single host mode: The example <span><strong class="command">named.conf</strong></span> text
-	    shows how to set an update policy for the specified
-	    <em class="replaceable"><code>name</code></em>
-	    using the "name" nametype.
-	    The default key name is
-	    ddns-key.<em class="replaceable"><code>name</code></em>.
-	    Note that the "self" nametype cannot be used, since
-	    the name to be updated may differ from the key name.
-	    This option cannot be used with the <code class="option">-z</code> option.
-	  </p></dd>
-<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
-<dd><p>
-	    zone mode:  The example <span><strong class="command">named.conf</strong></span> text
-            shows how to set an update policy for the specified
-	    <em class="replaceable"><code>zone</code></em>
-	    using the "zonesub" nametype, allowing updates to all subdomain
-	    names within
-	    that <em class="replaceable"><code>zone</code></em>.
-	    This option cannot be used with the <code class="option">-s</code> option.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543643"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543682"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/confgen/include/confgen/os.h b/contrib/bind9/bin/confgen/include/confgen/os.h
deleted file mode 100644
index 2019701..0000000
--- a/contrib/bind9/bin/confgen/include/confgen/os.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
-
-/*! \file */
-
-#ifndef RNDC_OS_H
-#define RNDC_OS_H 1
-
-#include <isc/lang.h>
-#include <stdio.h>
-
-ISC_LANG_BEGINDECLS
-
-int set_user(FILE *fd, const char *user);
-/*%<
- * Set the owner of the file referenced by 'fd' to 'user'.
- * Returns:
- *   0 		success
- *   -1 	insufficient permissions, or 'user' does not exist.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/bin/confgen/keygen.c b/contrib/bind9/bin/confgen/keygen.c
deleted file mode 100644
index d0cdafe..0000000
--- a/contrib/bind9/bin/confgen/keygen.c
+++ /dev/null
@@ -1,222 +0,0 @@
-/*
- * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keygen.c,v 1.4 2009/11/12 14:02:38 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <stdarg.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/keyboard.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/string.h>
-
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-
-#include <dst/dst.h>
-#include <confgen/os.h>
-
-#include "util.h"
-#include "keygen.h"
-
-/*%
- * Convert algorithm type to string.
- */
-const char *
-alg_totext(dns_secalg_t alg) {
-	switch (alg) {
-	    case DST_ALG_HMACMD5:
-		return "hmac-md5";
-	    case DST_ALG_HMACSHA1:
-		return "hmac-sha1";
-	    case DST_ALG_HMACSHA224:
-		return "hmac-sha224";
-	    case DST_ALG_HMACSHA256:
-		return "hmac-sha256";
-	    case DST_ALG_HMACSHA384:
-		return "hmac-sha384";
-	    case DST_ALG_HMACSHA512:
-		return "hmac-sha512";
-	    default:
-		return "(unknown)";
-	}
-}
-
-/*%
- * Convert string to algorithm type.
- */
-dns_secalg_t
-alg_fromtext(const char *name) {
-	if (strcmp(name, "hmac-md5") == 0)
-		return DST_ALG_HMACMD5;
-	if (strcmp(name, "hmac-sha1") == 0)
-		return DST_ALG_HMACSHA1;
-	if (strcmp(name, "hmac-sha224") == 0)
-		return DST_ALG_HMACSHA224;
-	if (strcmp(name, "hmac-sha256") == 0)
-		return DST_ALG_HMACSHA256;
-	if (strcmp(name, "hmac-sha384") == 0)
-		return DST_ALG_HMACSHA384;
-	if (strcmp(name, "hmac-sha512") == 0)
-		return DST_ALG_HMACSHA512;
-	return DST_ALG_UNKNOWN;
-}
-
-/*%
- * Return default keysize for a given algorithm type.
- */
-int
-alg_bits(dns_secalg_t alg) {
-	switch (alg) {
-	    case DST_ALG_HMACMD5:
-		return 128;
-	    case DST_ALG_HMACSHA1:
-		return 160;
-	    case DST_ALG_HMACSHA224:
-		return 224;
-	    case DST_ALG_HMACSHA256:
-		return 256;
-	    case DST_ALG_HMACSHA384:
-		return 384;
-	    case DST_ALG_HMACSHA512:
-		return 512;
-	    default:
-		return 0;
-	}
-}
-
-/*%
- * Generate a key of size 'keysize' using entropy source 'randomfile',
- * and place it in 'key_txtbuffer'
- */
-void
-generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
-	     int keysize, isc_buffer_t *key_txtbuffer) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_entropysource_t *entropy_source = NULL;
-	int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
-	int entropy_flags = 0;
-	isc_entropy_t *ectx = NULL;
-	isc_buffer_t key_rawbuffer;
-	isc_region_t key_rawregion;
-	char key_rawsecret[64];
-	dst_key_t *key = NULL;
-
-	switch (alg) {
-	    case DST_ALG_HMACMD5:
-	    case DST_ALG_HMACSHA1:
-	    case DST_ALG_HMACSHA224:
-	    case DST_ALG_HMACSHA256:
-		if (keysize < 1 || keysize > 512)
-			fatal("keysize %d out of range (must be 1-512)\n",
-			      keysize);
-		break;
-	    case DST_ALG_HMACSHA384:
-	    case DST_ALG_HMACSHA512:
-		if (keysize < 1 || keysize > 1024)
-			fatal("keysize %d out of range (must be 1-1024)\n",
-			      keysize);
-		break;
-	    default:
-		fatal("unsupported algorithm %d\n", alg);
-	}
-
-
-	DO("create entropy context", isc_entropy_create(mctx, &ectx));
-
-	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
-		randomfile = NULL;
-		open_keyboard = ISC_ENTROPY_KEYBOARDYES;
-	}
-	DO("start entropy source", isc_entropy_usebestsource(ectx,
-							     &entropy_source,
-							     randomfile,
-							     open_keyboard));
-
-	entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
-
-	DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
-
-	DO("generate key", dst_key_generate(dns_rootname, alg,
-					    keysize, 0, 0,
-					    DNS_KEYPROTO_ANY,
-					    dns_rdataclass_in, mctx, &key));
-
-	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
-
-	DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
-
-	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
-
-	DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
-						     key_txtbuffer));
-
-	/*
-	 * Shut down the entropy source now so the "stop typing" message
-	 * does not muck with the output.
-	 */
-	if (entropy_source != NULL)
-		isc_entropy_destroysource(&entropy_source);
-
-	if (key != NULL)
-		dst_key_free(&key);
-
-	isc_entropy_detach(&ectx);
-	dst_lib_destroy();
-}
-
-/*%
- * Write a key file to 'keyfile'.  If 'user' is non-NULL,
- * make that user the owner of the file.  The key will have
- * the name 'keyname' and the secret in the buffer 'secret'.
- */
-void
-write_key_file(const char *keyfile, const char *user,
-	       const char *keyname, isc_buffer_t *secret,
-	       dns_secalg_t alg) {
-	isc_result_t result;
-	const char *algname = alg_totext(alg);
-	FILE *fd = NULL;
-
-	DO("create keyfile", isc_file_safecreate(keyfile, &fd));
-
-	if (user != NULL) {
-		if (set_user(fd, user) == -1)
-			fatal("unable to set file owner\n");
-	}
-
-	fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
-		"\tsecret \"%.*s\";\n};\n",
-		keyname, algname,
-		(int)isc_buffer_usedlength(secret),
-		(char *)isc_buffer_base(secret));
-	fflush(fd);
-	if (ferror(fd))
-		fatal("write to %s failed\n", keyfile);
-	if (fclose(fd))
-		fatal("fclose(%s) failed\n", keyfile);
-	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
-}
-
diff --git a/contrib/bind9/bin/confgen/keygen.h b/contrib/bind9/bin/confgen/keygen.h
deleted file mode 100644
index a9ded40..0000000
--- a/contrib/bind9/bin/confgen/keygen.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keygen.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
-
-#ifndef RNDC_KEYGEN_H
-#define RNDC_KEYGEN_H 1
-
-/*! \file */
-
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
-		  int keysize, isc_buffer_t *key_txtbuffer);
-
-void write_key_file(const char *keyfile, const char *user,
-		    const char *keyname, isc_buffer_t *secret,
-		    dns_secalg_t alg);
-
-const char *alg_totext(dns_secalg_t alg);
-dns_secalg_t alg_fromtext(const char *name);
-int alg_bits(dns_secalg_t alg);
-
-ISC_LANG_ENDDECLS
-
-#endif /* RNDC_KEYGEN_H */
diff --git a/contrib/bind9/bin/confgen/rndc-confgen.8 b/contrib/bind9/bin/confgen/rndc-confgen.8
deleted file mode 100644
index faffdac..0000000
--- a/contrib/bind9/bin/confgen/rndc-confgen.8
+++ /dev/null
@@ -1,211 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2001, 2003 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: rndc\-confgen
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Aug 27, 2001
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-rndc\-confgen \- rndc key generation tool
-.SH "SYNOPSIS"
-.HP 13
-\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
-.SH "DESCRIPTION"
-.PP
-\fBrndc\-confgen\fR
-generates configuration files for
-\fBrndc\fR. It can be used as a convenient alternative to writing the
-\fIrndc.conf\fR
-file and the corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements in
-\fInamed.conf\fR
-by hand. Alternatively, it can be run with the
-\fB\-a\fR
-option to set up a
-\fIrndc.key\fR
-file and avoid the need for a
-\fIrndc.conf\fR
-file and a
-\fBcontrols\fR
-statement altogether.
-.SH "OPTIONS"
-.PP
-\-a
-.RS 4
-Do automatic
-\fBrndc\fR
-configuration. This creates a file
-\fIrndc.key\fR
-in
-\fI/etc\fR
-(or whatever
-\fIsysconfdir\fR
-was specified as when
-BIND
-was built) that is read by both
-\fBrndc\fR
-and
-\fBnamed\fR
-on startup. The
-\fIrndc.key\fR
-file defines a default command channel and authentication key allowing
-\fBrndc\fR
-to communicate with
-\fBnamed\fR
-on the local host with no further configuration.
-.sp
-Running
-\fBrndc\-confgen \-a\fR
-allows BIND 9 and
-\fBrndc\fR
-to be used as drop\-in replacements for BIND 8 and
-\fBndc\fR, with no changes to the existing BIND 8
-\fInamed.conf\fR
-file.
-.sp
-If a more elaborate configuration than that generated by
-\fBrndc\-confgen \-a\fR
-is required, for example if rndc is to be used remotely, you should run
-\fBrndc\-confgen\fR
-without the
-\fB\-a\fR
-option and set up a
-\fIrndc.conf\fR
-and
-\fInamed.conf\fR
-as directed.
-.RE
-.PP
-\-b \fIkeysize\fR
-.RS 4
-Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
-.RE
-.PP
-\-c \fIkeyfile\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to specify an alternate location for
-\fIrndc.key\fR.
-.RE
-.PP
-\-h
-.RS 4
-Prints a short summary of the options and arguments to
-\fBrndc\-confgen\fR.
-.RE
-.PP
-\-k \fIkeyname\fR
-.RS 4
-Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
-\fBrndc\-key\fR.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Specifies the command channel port where
-\fBnamed\fR
-listens for connections from
-\fBrndc\fR. The default is 953.
-.RE
-.PP
-\-r \fIrandomfile\fR
-.RS 4
-Specifies a source of random data for generating the authorization. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-s \fIaddress\fR
-.RS 4
-Specifies the IP address where
-\fBnamed\fR
-listens for command channel connections from
-\fBrndc\fR. The default is the loopback address 127.0.0.1.
-.RE
-.PP
-\-t \fIchrootdir\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to specify a directory where
-\fBnamed\fR
-will run chrooted. An additional copy of the
-\fIrndc.key\fR
-will be written relative to this directory so that it will be found by the chrooted
-\fBnamed\fR.
-.RE
-.PP
-\-u \fIuser\fR
-.RS 4
-Used with the
-\fB\-a\fR
-option to set the owner of the
-\fIrndc.key\fR
-file generated. If
-\fB\-t\fR
-is also specified only the file in the chroot area has its owner changed.
-.RE
-.SH "EXAMPLES"
-.PP
-To allow
-\fBrndc\fR
-to be used with no manual configuration, run
-.PP
-\fBrndc\-confgen \-a\fR
-.PP
-To print a sample
-\fIrndc.conf\fR
-file and corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements to be manually inserted into
-\fInamed.conf\fR, run
-.PP
-\fBrndc\-confgen\fR
-.SH "SEE ALSO"
-.PP
-\fBrndc\fR(8),
-\fBrndc.conf\fR(5),
-\fBnamed\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2001, 2003 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/confgen/rndc-confgen.c b/contrib/bind9/bin/confgen/rndc-confgen.c
deleted file mode 100644
index e2ac079..0000000
--- a/contrib/bind9/bin/confgen/rndc-confgen.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rndc-confgen.c,v 1.7 2011/03/12 04:59:46 tbox Exp $ */
-
-/*! \file */
-
-/**
- * rndc-confgen generates configuration files for rndc. It can be used
- * as a convenient alternative to writing the rndc.conf file and the
- * corresponding controls and key statements in named.conf by hand.
- * Alternatively, it can be run with the -a option to set up a
- * rndc.key file and avoid the need for a rndc.conf file and a
- * controls statement altogether.
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <stdarg.h>
-
-#include <isc/assertions.h>
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/keyboard.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-
-#include <dst/dst.h>
-#include <confgen/os.h>
-
-#include "util.h"
-#include "keygen.h"
-
-#define DEFAULT_KEYLENGTH	128		/*% Bits. */
-#define DEFAULT_KEYNAME		"rndc-key"
-#define DEFAULT_SERVER		"127.0.0.1"
-#define DEFAULT_PORT		953
-
-static char program[256];
-const char *progname;
-
-isc_boolean_t verbose = ISC_FALSE;
-
-const char *keyfile, *keydef;
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(int status) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(int status) {
-
-	fprintf(stderr, "\
-Usage:\n\
- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
-[-s addr] [-t chrootdir] [-u user]\n\
-  -a:		 generate just the key clause and write it to keyfile (%s)\n\
-  -b bits:	 from 1 through 512, default %d; total length of the secret\n\
-  -c keyfile:	 specify an alternate key file (requires -a)\n\
-  -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
-  -p port:	 the port named will listen on and rndc will connect to\n\
-  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-  -s addr:	 the address to which rndc should connect\n\
-  -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
-  -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
-		 progname, keydef, DEFAULT_KEYLENGTH);
-
-	exit (status);
-}
-
-int
-main(int argc, char **argv) {
-	isc_boolean_t show_final_mem = ISC_FALSE;
-	isc_buffer_t key_txtbuffer;
-	char key_txtsecret[256];
-	isc_mem_t *mctx = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	const char *keyname = NULL;
-	const char *randomfile = NULL;
-	const char *serveraddr = NULL;
-	dns_secalg_t alg = DST_ALG_HMACMD5;
-	const char *algname = alg_totext(alg);
-	char *p;
-	int ch;
-	int port;
-	int keysize;
-	struct in_addr addr4_dummy;
-	struct in6_addr addr6_dummy;
-	char *chrootdir = NULL;
-	char *user = NULL;
-	isc_boolean_t keyonly = ISC_FALSE;
-	int len;
-
-	keydef = keyfile = RNDC_KEYFILE;
-
-	result = isc_file_progname(*argv, program, sizeof(program));
-	if (result != ISC_R_SUCCESS)
-		memcpy(program, "rndc-confgen", 13);
-	progname = program;
-
-	keyname = DEFAULT_KEYNAME;
-	keysize = DEFAULT_KEYLENGTH;
-	serveraddr = DEFAULT_SERVER;
-	port = DEFAULT_PORT;
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
-		switch (ch) {
-		case 'a':
-			keyonly = ISC_TRUE;
-			break;
-		case 'b':
-			keysize = strtol(isc_commandline_argument, &p, 10);
-			if (*p != '\0' || keysize < 0)
-				fatal("-b requires a non-negative number");
-			break;
-		case 'c':
-			keyfile = isc_commandline_argument;
-			break;
-		case 'h':
-			usage(0);
-		case 'k':
-		case 'y':	/* Compatible with rndc -y. */
-			keyname = isc_commandline_argument;
-			break;
-		case 'M':
-			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
-			break;
-
-		case 'm':
-			show_final_mem = ISC_TRUE;
-			break;
-		case 'p':
-			port = strtol(isc_commandline_argument, &p, 10);
-			if (*p != '\0' || port < 0 || port > 65535)
-				fatal("port '%s' out of range",
-				      isc_commandline_argument);
-			break;
-		case 'r':
-			randomfile = isc_commandline_argument;
-			break;
-		case 's':
-			serveraddr = isc_commandline_argument;
-			if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 &&
-			    inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1)
-				fatal("-s should be an IPv4 or IPv6 address");
-			break;
-		case 't':
-			chrootdir = isc_commandline_argument;
-			break;
-		case 'u':
-			user = isc_commandline_argument;
-			break;
-		case 'V':
-			verbose = ISC_TRUE;
-			break;
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-				usage(1);
-			} else
-				usage(0);
-			break;
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-	POST(argv);
-
-	if (argc > 0)
-		usage(1);
-
-	DO("create memory context", isc_mem_create(0, 0, &mctx));
-	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
-
-	generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
-
-	if (keyonly) {
-		write_key_file(keyfile, chrootdir == NULL ? user : NULL,
-			       keyname, &key_txtbuffer, alg);
-
-		if (chrootdir != NULL) {
-			char *buf;
-			len = strlen(chrootdir) + strlen(keyfile) + 2;
-			buf = isc_mem_get(mctx, len);
-			if (buf == NULL)
-				fatal("isc_mem_get(%d) failed\n", len);
-			snprintf(buf, len, "%s%s%s", chrootdir,
-				 (*keyfile != '/') ? "/" : "", keyfile);
-
-			write_key_file(buf, user, keyname, &key_txtbuffer, alg);
-			isc_mem_put(mctx, buf, len);
-		}
-	} else {
-		printf("\
-# Start of rndc.conf\n\
-key \"%s\" {\n\
-	algorithm %s;\n\
-	secret \"%.*s\";\n\
-};\n\
-\n\
-options {\n\
-	default-key \"%s\";\n\
-	default-server %s;\n\
-	default-port %d;\n\
-};\n\
-# End of rndc.conf\n\
-\n\
-# Use with the following in named.conf, adjusting the allow list as needed:\n\
-# key \"%s\" {\n\
-# 	algorithm %s;\n\
-# 	secret \"%.*s\";\n\
-# };\n\
-# \n\
-# controls {\n\
-# 	inet %s port %d\n\
-# 		allow { %s; } keys { \"%s\"; };\n\
-# };\n\
-# End of named.conf\n",
-		       keyname, algname,
-		       (int)isc_buffer_usedlength(&key_txtbuffer),
-		       (char *)isc_buffer_base(&key_txtbuffer),
-		       keyname, serveraddr, port,
-		       keyname, algname,
-		       (int)isc_buffer_usedlength(&key_txtbuffer),
-		       (char *)isc_buffer_base(&key_txtbuffer),
-		       serveraddr, port, serveraddr, keyname);
-	}
-
-	if (show_final_mem)
-		isc_mem_stats(mctx, stderr);
-
-	isc_mem_destroy(&mctx);
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/confgen/rndc-confgen.docbook b/contrib/bind9/bin/confgen/rndc-confgen.docbook
deleted file mode 100644
index af2cc43..0000000
--- a/contrib/bind9/bin/confgen/rndc-confgen.docbook
+++ /dev/null
@@ -1,287 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: rndc-confgen.docbook,v 1.4 2009/06/15 23:47:59 tbox Exp $ -->
-<refentry id="man.rndc-confgen">
-  <refentryinfo>
-    <date>Aug 27, 2001</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>rndc-confgen</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>rndc-confgen</application></refname>
-    <refpurpose>rndc key generation tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <year>2009</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>rndc-confgen</command>
-      <arg><option>-a</option></arg>
-      <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
-      <arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
-      <arg><option>-h</option></arg>
-      <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
-      <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
-      <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
-      <arg><option>-s <replaceable class="parameter">address</replaceable></option></arg>
-      <arg><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
-      <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>rndc-confgen</command>
-      generates configuration files
-      for <command>rndc</command>.  It can be used as a
-      convenient alternative to writing the
-      <filename>rndc.conf</filename> file
-      and the corresponding <command>controls</command>
-      and <command>key</command>
-      statements in <filename>named.conf</filename> by hand.
-      Alternatively, it can be run with the <command>-a</command>
-      option to set up a <filename>rndc.key</filename> file and
-      avoid the need for a <filename>rndc.conf</filename> file
-      and a <command>controls</command> statement altogether.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-a</term>
-        <listitem>
-          <para>
-            Do automatic <command>rndc</command> configuration.
-            This creates a file <filename>rndc.key</filename>
-            in <filename>/etc</filename> (or whatever
-            <varname>sysconfdir</varname>
-            was specified as when <acronym>BIND</acronym> was
-            built)
-            that is read by both <command>rndc</command>
-            and <command>named</command> on startup.  The
-            <filename>rndc.key</filename> file defines a default
-            command channel and authentication key allowing
-            <command>rndc</command> to communicate with
-            <command>named</command> on the local host
-            with no further configuration.
-          </para>
-          <para>
-            Running <command>rndc-confgen -a</command> allows
-            BIND 9 and <command>rndc</command> to be used as
-            drop-in
-            replacements for BIND 8 and <command>ndc</command>,
-            with no changes to the existing BIND 8
-            <filename>named.conf</filename> file.
-          </para>
-          <para>
-            If a more elaborate configuration than that
-            generated by <command>rndc-confgen -a</command>
-            is required, for example if rndc is to be used remotely,
-            you should run <command>rndc-confgen</command> without
-            the
-            <command>-a</command> option and set up a
-            <filename>rndc.conf</filename> and
-            <filename>named.conf</filename>
-            as directed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-b <replaceable class="parameter">keysize</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the size of the authentication key in bits.
-            Must be between 1 and 512 bits; the default is 128.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">keyfile</replaceable></term>
-        <listitem>
-          <para>
-            Used with the <command>-a</command> option to specify
-            an alternate location for <filename>rndc.key</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-h</term>
-        <listitem>
-          <para>
-            Prints a short summary of the options and arguments to
-            <command>rndc-confgen</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-k <replaceable class="parameter">keyname</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the key name of the rndc authentication key.
-            This must be a valid domain name.
-            The default is <constant>rndc-key</constant>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p <replaceable class="parameter">port</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the command channel port where <command>named</command>
-            listens for connections from <command>rndc</command>.
-            The default is 953.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-r <replaceable class="parameter">randomfile</replaceable></term>
-        <listitem>
-          <para>
-            Specifies a source of random data for generating the
-            authorization.  If the operating
-            system does not provide a <filename>/dev/random</filename>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <filename>randomdev</filename>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <filename>keyboard</filename> indicates that keyboard
-            input should be used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s <replaceable class="parameter">address</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the IP address where <command>named</command>
-            listens for command channel connections from
-            <command>rndc</command>.  The default is the loopback
-            address 127.0.0.1.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">chrootdir</replaceable></term>
-        <listitem>
-          <para>
-            Used with the <command>-a</command> option to specify
-            a directory where <command>named</command> will run
-            chrooted.  An additional copy of the <filename>rndc.key</filename>
-            will be written relative to this directory so that
-            it will be found by the chrooted <command>named</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-u <replaceable class="parameter">user</replaceable></term>
-        <listitem>
-          <para>
-            Used with the <command>-a</command> option to set the
-            owner
-            of the <filename>rndc.key</filename> file generated.
-            If
-            <command>-t</command> is also specified only the file
-            in
-            the chroot area has its owner changed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>EXAMPLES</title>
-    <para>
-      To allow <command>rndc</command> to be used with
-      no manual configuration, run
-    </para>
-    <para><userinput>rndc-confgen -a</userinput>
-    </para>
-    <para>
-      To print a sample <filename>rndc.conf</filename> file and
-      corresponding <command>controls</command> and <command>key</command>
-      statements to be manually inserted into <filename>named.conf</filename>,
-      run
-    </para>
-    <para><userinput>rndc-confgen</userinput>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/confgen/rndc-confgen.html b/contrib/bind9/bin/confgen/rndc-confgen.html
deleted file mode 100644
index 03ee519..0000000
--- a/contrib/bind9/bin/confgen/rndc-confgen.html
+++ /dev/null
@@ -1,188 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.rndc-confgen"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543433"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">rndc-confgen</strong></span>
-      generates configuration files
-      for <span><strong class="command">rndc</strong></span>.  It can be used as a
-      convenient alternative to writing the
-      <code class="filename">rndc.conf</code> file
-      and the corresponding <span><strong class="command">controls</strong></span>
-      and <span><strong class="command">key</strong></span>
-      statements in <code class="filename">named.conf</code> by hand.
-      Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
-      option to set up a <code class="filename">rndc.key</code> file and
-      avoid the need for a <code class="filename">rndc.conf</code> file
-      and a <span><strong class="command">controls</strong></span> statement altogether.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543478"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd>
-<p>
-            Do automatic <span><strong class="command">rndc</strong></span> configuration.
-            This creates a file <code class="filename">rndc.key</code>
-            in <code class="filename">/etc</code> (or whatever
-            <code class="varname">sysconfdir</code>
-            was specified as when <acronym class="acronym">BIND</acronym> was
-            built)
-            that is read by both <span><strong class="command">rndc</strong></span>
-            and <span><strong class="command">named</strong></span> on startup.  The
-            <code class="filename">rndc.key</code> file defines a default
-            command channel and authentication key allowing
-            <span><strong class="command">rndc</strong></span> to communicate with
-            <span><strong class="command">named</strong></span> on the local host
-            with no further configuration.
-          </p>
-<p>
-            Running <span><strong class="command">rndc-confgen -a</strong></span> allows
-            BIND 9 and <span><strong class="command">rndc</strong></span> to be used as
-            drop-in
-            replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
-            with no changes to the existing BIND 8
-            <code class="filename">named.conf</code> file.
-          </p>
-<p>
-            If a more elaborate configuration than that
-            generated by <span><strong class="command">rndc-confgen -a</strong></span>
-            is required, for example if rndc is to be used remotely,
-            you should run <span><strong class="command">rndc-confgen</strong></span> without
-            the
-            <span><strong class="command">-a</strong></span> option and set up a
-            <code class="filename">rndc.conf</code> and
-            <code class="filename">named.conf</code>
-            as directed.
-          </p>
-</dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
-            Specifies the size of the authentication key in bits.
-            Must be between 1 and 512 bits; the default is 128.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd><p>
-            Used with the <span><strong class="command">-a</strong></span> option to specify
-            an alternate location for <code class="filename">rndc.key</code>.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Prints a short summary of the options and arguments to
-            <span><strong class="command">rndc-confgen</strong></span>.
-          </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd><p>
-            Specifies the key name of the rndc authentication key.
-            This must be a valid domain name.
-            The default is <code class="constant">rndc-key</code>.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-            Specifies the command channel port where <span><strong class="command">named</strong></span>
-            listens for connections from <span><strong class="command">rndc</strong></span>.
-            The default is 953.
-          </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd><p>
-            Specifies a source of random data for generating the
-            authorization.  If the operating
-            system does not provide a <code class="filename">/dev/random</code>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <code class="filename">randomdev</code>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <code class="filename">keyboard</code> indicates that keyboard
-            input should be used.
-          </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
-<dd><p>
-            Specifies the IP address where <span><strong class="command">named</strong></span>
-            listens for command channel connections from
-            <span><strong class="command">rndc</strong></span>.  The default is the loopback
-            address 127.0.0.1.
-          </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
-<dd><p>
-            Used with the <span><strong class="command">-a</strong></span> option to specify
-            a directory where <span><strong class="command">named</strong></span> will run
-            chrooted.  An additional copy of the <code class="filename">rndc.key</code>
-            will be written relative to this directory so that
-            it will be found by the chrooted <span><strong class="command">named</strong></span>.
-          </p></dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd><p>
-            Used with the <span><strong class="command">-a</strong></span> option to set the
-            owner
-            of the <code class="filename">rndc.key</code> file generated.
-            If
-            <span><strong class="command">-t</strong></span> is also specified only the file
-            in
-            the chroot area has its owner changed.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543792"></a><h2>EXAMPLES</h2>
-<p>
-      To allow <span><strong class="command">rndc</strong></span> to be used with
-      no manual configuration, run
-    </p>
-<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
-    </p>
-<p>
-      To print a sample <code class="filename">rndc.conf</code> file and
-      corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
-      statements to be manually inserted into <code class="filename">named.conf</code>,
-      run
-    </p>
-<p><strong class="userinput"><code>rndc-confgen</code></strong>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543833"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543872"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/confgen/unix/Makefile.in b/contrib/bind9/bin/confgen/unix/Makefile.in
deleted file mode 100644
index 2ab6d92..0000000
--- a/contrib/bind9/bin/confgen/unix/Makefile.in
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/06/11 23:47:55 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
-		${DNS_INCLUDES} ${ISC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-OBJS =		os.@O@
-
-SRCS =		os.c
-
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/confgen/unix/os.c b/contrib/bind9/bin/confgen/unix/os.c
deleted file mode 100644
index 3901350..0000000
--- a/contrib/bind9/bin/confgen/unix/os.c
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <confgen/os.h>
-
-#include <fcntl.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <pwd.h>
-#include <errno.h>
-#include <stdio.h>
-#include <sys/stat.h>
-
-int
-set_user(FILE *fd, const char *user) {
-	struct passwd *pw;
-
-	pw = getpwnam(user);
-	if (pw == NULL) {
-		errno = EINVAL;
-		return (-1);
-	}
-	return (fchown(fileno(fd), pw->pw_uid, -1));
-}
diff --git a/contrib/bind9/bin/confgen/util.c b/contrib/bind9/bin/confgen/util.c
deleted file mode 100644
index 5f5f817..0000000
--- a/contrib/bind9/bin/confgen/util.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: util.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdarg.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#include <isc/boolean.h>
-
-#include "util.h"
-
-extern isc_boolean_t verbose;
-extern const char *progname;
-
-void
-notify(const char *fmt, ...) {
-	va_list ap;
-
-	if (verbose) {
-		va_start(ap, fmt);
-		vfprintf(stderr, fmt, ap);
-		va_end(ap);
-		fputs("\n", stderr);
-	}
-}
-
-void
-fatal(const char *format, ...) {
-	va_list args;
-
-	fprintf(stderr, "%s: ", progname);
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	exit(1);
-}
diff --git a/contrib/bind9/bin/confgen/util.h b/contrib/bind9/bin/confgen/util.h
deleted file mode 100644
index f3b2ec9..0000000
--- a/contrib/bind9/bin/confgen/util.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: util.h,v 1.4 2009/09/29 15:06:05 fdupont Exp $ */
-
-#ifndef RNDC_UTIL_H
-#define RNDC_UTIL_H 1
-
-/*! \file */
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-#include <isc/formatcheck.h>
-
-#define NS_CONTROL_PORT		953
-
-#undef DO
-#define DO(name, function) \
-	do { \
-		result = function; \
-		if (result != ISC_R_SUCCESS) \
-			fatal("%s: %s", name, isc_result_totext(result)); \
-		else \
-			notify("%s", name); \
-	} while (0)
-
-ISC_LANG_BEGINDECLS
-
-void
-notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
-
-ISC_PLATFORM_NORETURN_PRE void
-fatal(const char *format, ...)
-ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
-
-ISC_LANG_ENDDECLS
-
-#endif /* RNDC_UTIL_H */
diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in
deleted file mode 100644
index 5bc4db0..0000000
--- a/contrib/bind9/bin/dig/Makefile.in
+++ /dev/null
@@ -1,107 +0,0 @@
-# Copyright (C) 2004, 2005, 2007, 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.47 2009/12/05 23:31:40 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-READLINE_LIB = @READLINE_LIB@
-
-CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-		${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
-
-CDEFINES =	-DVERSION=\"${VERSION}\"
-CWARNINGS =
-
-ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-BIND9LIBS =	../../lib/bind9/libbind9.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-LWRESLIBS =	../../lib/lwres/liblwres.@A@
-
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
-BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
-
-DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
-		${LWRESDEPLIBS}
-
-LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
-		${ISCLIBS} @IDNLIBS@ @LIBS@
-
-NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
-		${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
-
-SUBDIRS =
-
-TARGETS =	dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
-
-OBJS =		dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
-
-UOBJS =
-
-SRCS =		dig.c dighost.c host.c nslookup.c
-
-MANPAGES =	dig.1 host.1 nslookup.1
-
-HTMLPAGES =	dig.html host.html nslookup.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
-	export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
-	${FINALBUILDCMD}
-
-host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
-	export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
-	${FINALBUILDCMD}
-
-nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
-	export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \
-	${FINALBUILDCMD}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-clean distclean maintainer-clean::
-	rm -f ${TARGETS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-
-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
-		dig@EXEEXT@ ${DESTDIR}${bindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
-		host@EXEEXT@ ${DESTDIR}${bindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
-		nslookup@EXEEXT@ ${DESTDIR}${bindir}
-	for m in ${MANPAGES}; do \
-		${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
-		done
diff --git a/contrib/bind9/bin/dig/dig.1 b/contrib/bind9/bin/dig/dig.1
deleted file mode 100644
index 818c020..0000000
--- a/contrib/bind9/bin/dig/dig.1
+++ /dev/null
@@ -1,603 +0,0 @@
-.\" Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: dig
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dig \- DNS lookup utility
-.SH "SYNOPSIS"
-.HP 4
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
-.HP 4
-\fBdig\fR [\fB\-h\fR]
-.HP 4
-\fBdig\fR [global\-queryopt...] [query...]
-.SH "DESCRIPTION"
-.PP
-\fBdig\fR
-(domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use
-\fBdig\fR
-to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than
-\fBdig\fR.
-.PP
-Although
-\fBdig\fR
-is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the
-\fB\-h\fR
-option is given. Unlike earlier versions, the BIND 9 implementation of
-\fBdig\fR
-allows multiple lookups to be issued from the command line.
-.PP
-Unless it is told to query a specific name server,
-\fBdig\fR
-will try each of the servers listed in
-\fI/etc/resolv.conf\fR. If no usable server addreses are found,
-\fBdig\fR
-will send the query to the local host.
-.PP
-When no command line arguments or options are given,
-\fBdig\fR
-will perform an NS query for "." (the root).
-.PP
-It is possible to set per\-user defaults for
-\fBdig\fR
-via
-\fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments.
-.PP
-The IN and CH class names overlap with the IN and CH top level domains names. Either use the
-\fB\-t\fR
-and
-\fB\-c\fR
-options to specify the type and class, use the
-\fB\-q\fR
-the specify the domain name, or use "IN." and "CH." when looking up these top level domains.
-.SH "SIMPLE USAGE"
-.PP
-A typical invocation of
-\fBdig\fR
-looks like:
-.sp
-.RS 4
-.nf
- dig @server name type 
-.fi
-.RE
-.sp
-where:
-.PP
-\fBserver\fR
-.RS 4
-is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
-\fIserver\fR
-argument is a hostname,
-\fBdig\fR
-resolves that name before querying that name server.
-.sp
-If no
-\fIserver\fR
-argument is provided,
-\fBdig\fR
-consults
-\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
-\fB\-4\fR
-or
-\fB\-6\fR
-options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
-\fBdig\fR
-will send the query to the local host. The reply from the name server that responds is displayed.
-.RE
-.PP
-\fBname\fR
-.RS 4
-is the name of the resource record that is to be looked up.
-.RE
-.PP
-\fBtype\fR
-.RS 4
-indicates what type of query is required \(em ANY, A, MX, SIG, etc.
-\fItype\fR
-can be any valid query type. If no
-\fItype\fR
-argument is supplied,
-\fBdig\fR
-will perform a lookup for an A record.
-.RE
-.SH "OPTIONS"
-.PP
-The
-\fB\-b\fR
-option sets the source IP address of the query to
-\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
-.PP
-The default query class (IN for internet) is overridden by the
-\fB\-c\fR
-option.
-\fIclass\fR
-is any valid class, such as HS for Hesiod records or CH for Chaosnet records.
-.PP
-The
-\fB\-f\fR
-option makes
-\fBdig \fR
-operate in batch mode by reading a list of lookup requests to process from the file
-\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
-\fBdig\fR
-using the command\-line interface.
-.PP
-The
-\fB\-m\fR
-option enables memory usage debugging.
-.PP
-If a non\-standard port number is to be queried, the
-\fB\-p\fR
-option is used.
-\fIport#\fR
-is the port number that
-\fBdig\fR
-will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
-.PP
-The
-\fB\-4\fR
-option forces
-\fBdig\fR
-to only use IPv4 query transport. The
-\fB\-6\fR
-option forces
-\fBdig\fR
-to only use IPv6 query transport.
-.PP
-The
-\fB\-t\fR
-option sets the query type to
-\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
-\fB\-x\fR
-option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
-\fItype\fR
-is set to
-ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
-\fIN\fR.
-.PP
-The
-\fB\-q\fR
-option sets the query name to
-\fIname\fR. This useful do distinguish the
-\fIname\fR
-from other arguments.
-.PP
-Reverse lookups \(em mapping addresses to names \(em are simplified by the
-\fB\-x\fR
-option.
-\fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the
-\fIname\fR,
-\fIclass\fR
-and
-\fItype\fR
-arguments.
-\fBdig\fR
-automatically performs a lookup for a name like
-11.12.13.10.in\-addr.arpa
-and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the
-\fB\-i\fR
-option. Bit string labels (RFC2874) are now experimental and are not attempted.
-.PP
-To sign the DNS queries sent by
-\fBdig\fR
-and their responses using transaction signatures (TSIG), specify a TSIG key file using the
-\fB\-k\fR
-option. You can also specify the TSIG key itself on the command line using the
-\fB\-y\fR
-option;
-\fIhmac\fR
-is the type of the TSIG, default HMAC\-MD5,
-\fIname\fR
-is the name of the TSIG key and
-\fIkey\fR
-is the actual key. The key is a base\-64 encoded string, typically generated by
-\fBdnssec\-keygen\fR(8). Caution should be taken when using the
-\fB\-y\fR
-option on multi\-user systems as the key can be visible in the output from
-\fBps\fR(1)
-or in the shell's history file. When using TSIG authentication with
-\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
-\fBkey\fR
-and
-\fBserver\fR
-statements in
-\fInamed.conf\fR.
-.SH "QUERY OPTIONS"
-.PP
-\fBdig\fR
-provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.
-.PP
-Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
-no
-to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
-\fB+keyword=value\fR. The query options are:
-.PP
-\fB+[no]tcp\fR
-.RS 4
-Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
-.RE
-.PP
-\fB+[no]vc\fR
-.RS 4
-Use [do not use] TCP when querying name servers. This alternate syntax to
-\fI+[no]tcp\fR
-is provided for backwards compatibility. The "vc" stands for "virtual circuit".
-.RE
-.PP
-\fB+[no]ignore\fR
-.RS 4
-Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
-.RE
-.PP
-\fB+domain=somename\fR
-.RS 4
-Set the search list to contain the single domain
-\fIsomename\fR, as if specified in a
-\fBdomain\fR
-directive in
-\fI/etc/resolv.conf\fR, and enable search list processing as if the
-\fI+search\fR
-option were given.
-.RE
-.PP
-\fB+[no]search\fR
-.RS 4
-Use [do not use] the search list defined by the searchlist or domain directive in
-\fIresolv.conf\fR
-(if any). The search list is not used by default.
-.RE
-.PP
-\fB+[no]showsearch\fR
-.RS 4
-Perform [do not perform] a search showing intermediate results.
-.RE
-.PP
-\fB+[no]defname\fR
-.RS 4
-Deprecated, treated as a synonym for
-\fI+[no]search\fR
-.RE
-.PP
-\fB+[no]aaonly\fR
-.RS 4
-Sets the "aa" flag in the query.
-.RE
-.PP
-\fB+[no]aaflag\fR
-.RS 4
-A synonym for
-\fI+[no]aaonly\fR.
-.RE
-.PP
-\fB+[no]adflag\fR
-.RS 4
-Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range. AD=0 indicate that some part of the answer was insecure or not validated. This bit is set by default.
-.RE
-.PP
-\fB+[no]cdflag\fR
-.RS 4
-Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
-.RE
-.PP
-\fB+[no]cl\fR
-.RS 4
-Display [do not display] the CLASS when printing the record.
-.RE
-.PP
-\fB+[no]ttlid\fR
-.RS 4
-Display [do not display] the TTL when printing the record.
-.RE
-.PP
-\fB+[no]recurse\fR
-.RS 4
-Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
-\fBdig\fR
-normally sends recursive queries. Recursion is automatically disabled when the
-\fI+nssearch\fR
-or
-\fI+trace\fR
-query options are used.
-.RE
-.PP
-\fB+[no]nssearch\fR
-.RS 4
-When this option is set,
-\fBdig\fR
-attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
-.RE
-.PP
-\fB+[no]trace\fR
-.RS 4
-Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
-\fBdig\fR
-makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
-.sp
-\fB+dnssec\fR
-is also set when +trace is set to better emulate the default queries from a nameserver.
-.RE
-.PP
-\fB+[no]cmd\fR
-.RS 4
-Toggles the printing of the initial comment in the output identifying the version of
-\fBdig\fR
-and the query options that have been applied. This comment is printed by default.
-.RE
-.PP
-\fB+[no]short\fR
-.RS 4
-Provide a terse answer. The default is to print the answer in a verbose form.
-.RE
-.PP
-\fB+[no]identify\fR
-.RS 4
-Show [or do not show] the IP address and port number that supplied the answer when the
-\fI+short\fR
-option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
-.RE
-.PP
-\fB+[no]comments\fR
-.RS 4
-Toggle the display of comment lines in the output. The default is to print comments.
-.RE
-.PP
-\fB+[no]rrcomments\fR
-.RS 4
-Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records). The default is not to print record comments unless multiline mode is active.
-.RE
-.PP
-\fB+split=W\fR
-.RS 4
-Split long hex\- or base64\-formatted fields in resource records into chunks of
-\fIW\fR
-characters (where
-\fIW\fR
-is rounded up to the nearest multiple of 4).
-\fI+nosplit\fR
-or
-\fI+split=0\fR
-causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active.
-.RE
-.PP
-\fB+[no]stats\fR
-.RS 4
-This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics.
-.RE
-.PP
-\fB+[no]qr\fR
-.RS 4
-Print [do not print] the query as it is sent. By default, the query is not printed.
-.RE
-.PP
-\fB+[no]question\fR
-.RS 4
-Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
-.RE
-.PP
-\fB+[no]answer\fR
-.RS 4
-Display [do not display] the answer section of a reply. The default is to display it.
-.RE
-.PP
-\fB+[no]authority\fR
-.RS 4
-Display [do not display] the authority section of a reply. The default is to display it.
-.RE
-.PP
-\fB+[no]additional\fR
-.RS 4
-Display [do not display] the additional section of a reply. The default is to display it.
-.RE
-.PP
-\fB+[no]all\fR
-.RS 4
-Set or clear all display flags.
-.RE
-.PP
-\fB+time=T\fR
-.RS 4
-Sets the timeout for a query to
-\fIT\fR
-seconds. The default timeout is 5 seconds. An attempt to set
-\fIT\fR
-to less than 1 will result in a query timeout of 1 second being applied.
-.RE
-.PP
-\fB+tries=T\fR
-.RS 4
-Sets the number of times to try UDP queries to server to
-\fIT\fR
-instead of the default, 3. If
-\fIT\fR
-is less than or equal to zero, the number of tries is silently rounded up to 1.
-.RE
-.PP
-\fB+retry=T\fR
-.RS 4
-Sets the number of times to retry UDP queries to server to
-\fIT\fR
-instead of the default, 2. Unlike
-\fI+tries\fR, this does not include the initial query.
-.RE
-.PP
-\fB+ndots=D\fR
-.RS 4
-Set the number of dots that have to appear in
-\fIname\fR
-to
-\fID\fR
-for it to be considered absolute. The default value is that defined using the ndots statement in
-\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
-\fBsearch\fR
-or
-\fBdomain\fR
-directive in
-\fI/etc/resolv.conf\fR.
-.RE
-.PP
-\fB+bufsize=B\fR
-.RS 4
-Set the UDP message buffer size advertised using EDNS0 to
-\fIB\fR
-bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent.
-.RE
-.PP
-\fB+edns=#\fR
-.RS 4
-Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent.
-\fB+noedns\fR
-clears the remembered EDNS version. EDNS is set to 0 by default.
-.RE
-.PP
-\fB+[no]multiline\fR
-.RS 4
-Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
-\fBdig\fR
-output.
-.RE
-.PP
-\fB+[no]onesoa\fR
-.RS 4
-Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
-.RE
-.PP
-\fB+[no]fail\fR
-.RS 4
-Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
-.RE
-.PP
-\fB+[no]besteffort\fR
-.RS 4
-Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
-.RE
-.PP
-\fB+[no]dnssec\fR
-.RS 4
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
-.RE
-.PP
-\fB+[no]sigchase\fR
-.RS 4
-Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
-.RE
-.PP
-\fB+trusted\-key=####\fR
-.RS 4
-Specifies a file containing trusted keys to be used with
-\fB+sigchase\fR. Each DNSKEY record must be on its own line.
-.sp
-If not specified,
-\fBdig\fR
-will look for
-\fI/etc/trusted\-key.key\fR
-then
-\fItrusted\-key.key\fR
-in the current directory.
-.sp
-Requires dig be compiled with \-DDIG_SIGCHASE.
-.RE
-.PP
-\fB+[no]topdown\fR
-.RS 4
-When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
-.RE
-.PP
-\fB+[no]nsid\fR
-.RS 4
-Include an EDNS name server ID request when sending a query.
-.RE
-.SH "MULTIPLE QUERIES"
-.PP
-The BIND 9 implementation of
-\fBdig \fR
-supports specifying multiple queries on the command line (in addition to supporting the
-\fB\-f\fR
-batch file option). Each of those queries can be supplied with its own set of flags, options and query options.
-.PP
-In this case, each
-\fIquery\fR
-argument represent an individual query in the command\-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query.
-.PP
-A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the
-\fB+[no]cmd\fR
-option) can be overridden by a query\-specific set of query options. For example:
-.sp
-.RS 4
-.nf
-dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
-.fi
-.RE
-.sp
-shows how
-\fBdig\fR
-could be used from the command line to make three lookups: an ANY query for
-www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of
-isc.org. A global query option of
-\fI+qr\fR
-is applied, so that
-\fBdig\fR
-shows the initial query it made for each lookup. The final query has a local query option of
-\fI+noqr\fR
-which means that
-\fBdig\fR
-will not print the initial query when it looks up the NS records for
-isc.org.
-.SH "IDN SUPPORT"
-.PP
-If
-\fBdig\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
-\fBdig\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
-\fBIDN_DISABLE\fR
-environment variable. The IDN support is disabled if the variable is set when
-\fBdig\fR
-runs.
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.PP
-\fI${HOME}/.digrc\fR
-.SH "SEE ALSO"
-.PP
-\fBhost\fR(1),
-\fBnamed\fR(8),
-\fBdnssec\-keygen\fR(8),
-RFC1035.
-.SH "BUGS"
-.PP
-There are probably too many query options.
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2003 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/dig/dig.c b/contrib/bind9/bin/dig/dig.c
deleted file mode 100644
index 7903710..0000000
--- a/contrib/bind9/bin/dig/dig.c
+++ /dev/null
@@ -1,1868 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dig.c,v 1.245 2011/12/07 17:23:28 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-#include <stdlib.h>
-#include <time.h>
-#include <ctype.h>
-
-#include <isc/app.h>
-#include <isc/netaddr.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-#include <isc/task.h>
-
-#include <dns/byaddr.h>
-#include <dns/fixedname.h>
-#include <dns/masterdump.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatatype.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-
-#include <dig/dig.h>
-
-#define ADD_STRING(b, s) { 				\
-	if (strlen(s) >= isc_buffer_availablelength(b)) \
-		return (ISC_R_NOSPACE); 		\
-	else 						\
-		isc_buffer_putstr(b, s); 		\
-}
-
-#define DIG_MAX_ADDRESSES 20
-
-dig_lookup_t *default_lookup = NULL;
-
-static char *batchname = NULL;
-static FILE *batchfp = NULL;
-static char *argv0;
-static int addresscount = 0;
-
-static char domainopt[DNS_NAME_MAXTEXT];
-
-static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
-	ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
-	multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE,
-	onesoa = ISC_FALSE, rrcomments = ISC_FALSE;
-static isc_uint32_t splitwidth = 0xffffffff;
-
-/*% opcode text */
-static const char * const opcodetext[] = {
-	"QUERY",
-	"IQUERY",
-	"STATUS",
-	"RESERVED3",
-	"NOTIFY",
-	"UPDATE",
-	"RESERVED6",
-	"RESERVED7",
-	"RESERVED8",
-	"RESERVED9",
-	"RESERVED10",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15"
-};
-
-/*% return code text */
-static const char * const rcodetext[] = {
-	"NOERROR",
-	"FORMERR",
-	"SERVFAIL",
-	"NXDOMAIN",
-	"NOTIMP",
-	"REFUSED",
-	"YXDOMAIN",
-	"YXRRSET",
-	"NXRRSET",
-	"NOTAUTH",
-	"NOTZONE",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15",
-	"BADVERS"
-};
-
-/*% safe rcodetext[] */
-static char *
-rcode_totext(dns_rcode_t rcode)
-{
-	static char buf[sizeof("?65535")];
-	union {
-		const char *consttext;
-		char *deconsttext;
-	} totext;
-
-	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
-		snprintf(buf, sizeof(buf), "?%u", rcode);
-		totext.deconsttext = buf;
-	} else
-		totext.consttext = rcodetext[rcode];
-	return totext.deconsttext;
-}
-
-/*% print usage */
-static void
-print_usage(FILE *fp) {
-	fputs(
-"Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}\n"
-"            {global-d-opt} host [@local-server] {local-d-opt}\n"
-"            [ host [@local-server] {local-d-opt} [...]]\n", fp);
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	print_usage(stderr);
-	fputs("\nUse \"dig -h\" (or \"dig -h | more\") "
-	      "for complete list of options\n", stderr);
-	exit(1);
-}
-
-/*% version */
-static void
-version(void) {
-	fputs("DiG " VERSION "\n", stderr);
-}
-
-/*% help */
-static void
-help(void) {
-	print_usage(stdout);
-	fputs(
-"Where:  domain	  is in the Domain Name System\n"
-"        q-class  is one of (in,hs,ch,...) [default: in]\n"
-"        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
-"                 (Use ixfr=version for type ixfr)\n"
-"        q-opt    is one of:\n"
-"                 -x dot-notation     (shortcut for reverse lookups)\n"
-"                 -i                  (use IP6.INT for IPv6 reverse lookups)\n"
-"                 -f filename         (batch mode)\n"
-"                 -b address[#port]   (bind to source address/port)\n"
-"                 -p port             (specify port number)\n"
-"                 -q name             (specify query name)\n"
-"                 -t type             (specify query type)\n"
-"                 -c class            (specify query class)\n"
-"                 -k keyfile          (specify tsig key file)\n"
-"                 -y [hmac:]name:key  (specify named base64 tsig key)\n"
-"                 -4                  (use IPv4 query transport only)\n"
-"                 -6                  (use IPv6 query transport only)\n"
-"                 -m                  (enable memory usage debugging)\n"
-"        d-opt    is of the form +keyword[=value], where keyword is:\n"
-"                 +[no]vc             (TCP mode)\n"
-"                 +[no]tcp            (TCP mode, alternate syntax)\n"
-"                 +time=###           (Set query timeout) [5]\n"
-"                 +tries=###          (Set number of UDP attempts) [3]\n"
-"                 +retry=###          (Set number of UDP retries) [2]\n"
-"                 +domain=###         (Set default domainname)\n"
-"                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
-"                 +ndots=###          (Set NDOTS value)\n"
-"                 +[no]edns[=###]     (Set EDNS version) [0]\n"
-"                 +[no]search         (Set whether to use searchlist)\n"
-"                 +[no]showsearch     (Search with intermediate results)\n"
-"                 +[no]defname        (Ditto)\n"
-"                 +[no]recurse        (Recursive mode)\n"
-"                 +[no]ignore         (Don't revert to TCP for TC responses.)"
-"\n"
-"                 +[no]fail           (Don't try next server on SERVFAIL)\n"
-"                 +[no]besteffort     (Try to parse even illegal messages)\n"
-"                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))\n"
-"                 +[no]adflag         (Set AD flag in query)\n"
-"                 +[no]cdflag         (Set CD flag in query)\n"
-"                 +[no]cl             (Control display of class in records)\n"
-"                 +[no]cmd            (Control display of command line)\n"
-"                 +[no]comments       (Control display of comment lines)\n"
-"                 +[no]rrcomments     (Control display of per-record "
-				       "comments)\n"
-"                 +[no]question       (Control display of question)\n"
-"                 +[no]answer         (Control display of answer)\n"
-"                 +[no]authority      (Control display of authority)\n"
-"                 +[no]additional     (Control display of additional)\n"
-"                 +[no]stats          (Control display of statistics)\n"
-"                 +[no]short          (Disable everything except short\n"
-"                                      form of answer)\n"
-"                 +[no]ttlid          (Control display of ttls in records)\n"
-"                 +[no]all            (Set or clear all display flags)\n"
-"                 +[no]qr             (Print question before sending)\n"
-"                 +[no]nssearch       (Search all authoritative nameservers)\n"
-"                 +[no]identify       (ID responders in short answers)\n"
-"                 +[no]trace          (Trace delegation down from root [+dnssec])\n"
-"                 +[no]dnssec         (Request DNSSEC records)\n"
-"                 +[no]nsid           (Request Name Server ID)\n"
-#ifdef DIG_SIGCHASE
-"                 +[no]sigchase       (Chase DNSSEC signatures)\n"
-"                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)\n"
-#if DIG_SIGCHASE_TD
-"                 +[no]topdown        (Do DNSSEC validation top down mode)\n"
-#endif
-#endif
-"                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
-"                 +[no]multiline      (Print records in an expanded format)\n"
-"                 +[no]onesoa         (AXFR prints only one soa record)\n"
-"        global d-opts and servers (before host name) affect all queries.\n"
-"        local d-opts and servers (after host name) affect only that lookup.\n"
-"        -h                           (print help and exit)\n"
-"        -v                           (print version and exit)\n",
-	stdout);
-}
-
-/*%
- * Callback from dighost.c to print the received message.
- */
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
-	isc_uint64_t diff;
-	isc_time_t now;
-	time_t tnow;
-	struct tm tmnow;
-	char time_str[100];
-	char fromtext[ISC_SOCKADDR_FORMATSIZE];
-
-	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
-
-	TIME_NOW(&now);
-
-	if (query->lookup->stats && !short_form) {
-		diff = isc_time_microdiff(&now, &query->time_sent);
-		printf(";; Query time: %ld msec\n", (long int)diff/1000);
-		printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
-		time(&tnow);
-		tmnow  = *localtime(&tnow);
-		if (strftime(time_str, sizeof(time_str),
-			     "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
-			printf(";; WHEN: %s\n", time_str);
-		if (query->lookup->doing_xfr) {
-			printf(";; XFR size: %u records (messages %u, "
-			       "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
-			       query->rr_count, query->msg_count,
-			       query->byte_count);
-		} else {
-			printf(";; MSG SIZE  rcvd: %u\n", bytes);
-		}
-		if (key != NULL) {
-			if (!validated)
-				puts(";; WARNING -- Some TSIG could not "
-				     "be validated");
-		}
-		if ((key == NULL) && (keysecret[0] != 0)) {
-			puts(";; WARNING -- TSIG key was not used.");
-		}
-		puts("");
-	} else if (query->lookup->identify && !short_form) {
-		diff = isc_time_microdiff(&now, &query->time_sent);
-		printf(";; Received %" ISC_PRINT_QUADFORMAT "u bytes "
-		       "from %s(%s) in %d ms\n\n",
-		       query->lookup->doing_xfr ?
-				query->byte_count : (isc_uint64_t)bytes,
-		       fromtext, query->userarg,
-		       (int)diff/1000);
-	}
-}
-
-/*
- * Callback from dighost.c to print that it is trying a server.
- * Not used in dig.
- * XXX print_trying
- */
-void
-trying(char *frm, dig_lookup_t *lookup) {
-	UNUSED(frm);
-	UNUSED(lookup);
-}
-
-/*%
- * Internal print routine used to print short form replies.
- */
-static isc_result_t
-say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
-	isc_result_t result;
-	isc_uint64_t diff;
-	isc_time_t now;
-	char store[sizeof("12345678901234567890")];
-
-	if (query->lookup->trace || query->lookup->ns_search_only) {
-		result = dns_rdatatype_totext(rdata->type, buf);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		ADD_STRING(buf, " ");
-	}
-	result = dns_rdata_totext(rdata, NULL, buf);
-	if (result == ISC_R_NOSPACE)
-		return (result);
-	check_result(result, "dns_rdata_totext");
-	if (query->lookup->identify) {
-		TIME_NOW(&now);
-		diff = isc_time_microdiff(&now, &query->time_sent);
-		ADD_STRING(buf, " from server ");
-		ADD_STRING(buf, query->servname);
-		snprintf(store, 19, " in %d ms.", (int)diff/1000);
-		ADD_STRING(buf, store);
-	}
-	ADD_STRING(buf, "\n");
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * short_form message print handler.  Calls above say_message()
- */
-static isc_result_t
-short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
-	     isc_buffer_t *buf, dig_query_t *query)
-{
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	isc_result_t result, loopresult;
-	dns_name_t empty_name;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	UNUSED(flags);
-
-	dns_name_init(&empty_name, NULL);
-	result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
-	if (result == ISC_R_NOMORE)
-		return (ISC_R_SUCCESS);
-	else if (result != ISC_R_SUCCESS)
-		return (result);
-
-	for (;;) {
-		name = NULL;
-		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
-
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			loopresult = dns_rdataset_first(rdataset);
-			while (loopresult == ISC_R_SUCCESS) {
-				dns_rdataset_current(rdataset, &rdata);
-				result = say_message(&rdata, query,
-						     buf);
-				if (result == ISC_R_NOSPACE)
-					return (result);
-				check_result(result, "say_message");
-				loopresult = dns_rdataset_next(rdataset);
-				dns_rdata_reset(&rdata);
-			}
-		}
-		result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
-		if (result == ISC_R_NOMORE)
-			break;
-		else if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-#ifdef DIG_SIGCHASE
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
-	      isc_buffer_t *target)
-{
-	isc_result_t result;
-	dns_master_style_t *style = NULL;
-	unsigned int styleflags = 0;
-
-	if (rdataset == NULL || owner_name == NULL || target == NULL)
-		return(ISC_FALSE);
-
-	styleflags |= DNS_STYLEFLAG_REL_OWNER;
-	if (nottl)
-		styleflags |= DNS_STYLEFLAG_NO_TTL;
-	if (noclass)
-		styleflags |= DNS_STYLEFLAG_NO_CLASS;
-	if (rrcomments)
-		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-	if (multiline) {
-		styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
-		styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
-		styleflags |= DNS_STYLEFLAG_REL_DATA;
-		styleflags |= DNS_STYLEFLAG_OMIT_TTL;
-		styleflags |= DNS_STYLEFLAG_TTL;
-		styleflags |= DNS_STYLEFLAG_MULTILINE;
-		styleflags |= DNS_STYLEFLAG_COMMENT;
-		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-	}
-
-	if (multiline || (nottl && noclass))
-		result = dns_master_stylecreate2(&style, styleflags,
-						24, 24, 24, 32, 80, 8,
-						splitwidth, mctx);
-	else if (nottl || noclass)
-		result = dns_master_stylecreate2(&style, styleflags,
-						24, 24, 32, 40, 80, 8,
-						splitwidth, mctx);
-	else
-		result = dns_master_stylecreate2(&style, styleflags,
-						24, 32, 40, 48, 80, 8,
-						splitwidth, mctx);
-	check_result(result, "dns_master_stylecreate");
-
-	result = dns_master_rdatasettotext(owner_name, rdataset, style, target);
-
-	if (style != NULL)
-		dns_master_styledestroy(&style, mctx);
-
-	return(result);
-}
-#endif
-
-/*
- * Callback from dighost.c to print the reply from a server
- */
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
-	isc_result_t result;
-	dns_messagetextflag_t flags;
-	isc_buffer_t *buf = NULL;
-	unsigned int len = OUTPUTBUF;
-	dns_master_style_t *style = NULL;
-	unsigned int styleflags = 0;
-
-	styleflags |= DNS_STYLEFLAG_REL_OWNER;
-	if (query->lookup->comments)
-		styleflags |= DNS_STYLEFLAG_COMMENT;
-	if (rrcomments)
-		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-	if (nottl)
-		styleflags |= DNS_STYLEFLAG_NO_TTL;
-	if (noclass)
-		styleflags |= DNS_STYLEFLAG_NO_CLASS;
-	if (multiline) {
-		styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
-		styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
-		styleflags |= DNS_STYLEFLAG_REL_DATA;
-		styleflags |= DNS_STYLEFLAG_OMIT_TTL;
-		styleflags |= DNS_STYLEFLAG_TTL;
-		styleflags |= DNS_STYLEFLAG_MULTILINE;
-		styleflags |= DNS_STYLEFLAG_RRCOMMENT;
-	}
-	if (multiline || (nottl && noclass))
-		result = dns_master_stylecreate2(&style, styleflags,
-						 24, 24, 24, 32, 80, 8,
-						 splitwidth, mctx);
-	else if (nottl || noclass)
-		result = dns_master_stylecreate2(&style, styleflags,
-						 24, 24, 32, 40, 80, 8,
-						 splitwidth, mctx);
-	else
-		result = dns_master_stylecreate2(&style, styleflags,
-						 24, 32, 40, 48, 80, 8,
-						 splitwidth, mctx);
-	check_result(result, "dns_master_stylecreate");
-
-	if (query->lookup->cmdline[0] != 0) {
-		if (!short_form)
-			fputs(query->lookup->cmdline, stdout);
-		query->lookup->cmdline[0]=0;
-	}
-	debug("printmessage(%s %s %s)", headers ? "headers" : "noheaders",
-	      query->lookup->comments ? "comments" : "nocomments",
-	      short_form ? "short_form" : "long_form");
-
-	flags = 0;
-	if (!headers) {
-		flags |= DNS_MESSAGETEXTFLAG_NOHEADERS;
-		flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
-	}
-	if (onesoa && query->lookup->rdtype == dns_rdatatype_axfr)
-		flags |= (query->msg_count == 0) ? DNS_MESSAGETEXTFLAG_ONESOA :
-						   DNS_MESSAGETEXTFLAG_OMITSOA;
-	if (!query->lookup->comments)
-		flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
-
-	result = isc_buffer_allocate(mctx, &buf, len);
-	check_result(result, "isc_buffer_allocate");
-
-	if (query->lookup->comments && !short_form) {
-		if (query->lookup->cmdline[0] != 0)
-			printf("; %s\n", query->lookup->cmdline);
-		if (msg == query->lookup->sendmsg)
-			printf(";; Sending:\n");
-		else
-			printf(";; Got answer:\n");
-
-		if (headers) {
-			printf(";; ->>HEADER<<- opcode: %s, status: %s, "
-			       "id: %u\n",
-			       opcodetext[msg->opcode],
-			       rcode_totext(msg->rcode),
-			       msg->id);
-			printf(";; flags:");
-			if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
-				printf(" qr");
-			if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
-				printf(" aa");
-			if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
-				printf(" tc");
-			if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
-				printf(" rd");
-			if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
-				printf(" ra");
-			if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
-				printf(" ad");
-			if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
-				printf(" cd");
-			if ((msg->flags & 0x0040U) != 0)
-				printf("; MBZ: 0x4");
-
-			printf("; QUERY: %u, ANSWER: %u, "
-			       "AUTHORITY: %u, ADDITIONAL: %u\n",
-			       msg->counts[DNS_SECTION_QUESTION],
-			       msg->counts[DNS_SECTION_ANSWER],
-			       msg->counts[DNS_SECTION_AUTHORITY],
-			       msg->counts[DNS_SECTION_ADDITIONAL]);
-
-			if (msg != query->lookup->sendmsg &&
-			    (msg->flags & DNS_MESSAGEFLAG_RD) != 0 &&
-			    (msg->flags & DNS_MESSAGEFLAG_RA) == 0)
-				printf(";; WARNING: recursion requested "
-				       "but not available\n");
-		}
-		if (msg != query->lookup->sendmsg &&
-		    query->lookup->edns != -1 && msg->opt == NULL &&
-		    (msg->rcode == dns_rcode_formerr ||
-		     msg->rcode == dns_rcode_notimp))
-			printf("\n;; WARNING: EDNS query returned status "
-			       "%s - retry with '+noedns'\n",
-			       rcode_totext(msg->rcode));
-		if (msg != query->lookup->sendmsg && extrabytes != 0U)
-			printf(";; WARNING: Messages has %u extra byte%s at "
-			       "end\n", extrabytes, extrabytes != 0 ? "s" : "");
-	}
-
-repopulate_buffer:
-
-	if (query->lookup->comments && headers && !short_form) {
-		result = dns_message_pseudosectiontotext(msg,
-			 DNS_PSEUDOSECTION_OPT,
-			 style, flags, buf);
-		if (result == ISC_R_NOSPACE) {
-buftoosmall:
-			len += OUTPUTBUF;
-			isc_buffer_free(&buf);
-			result = isc_buffer_allocate(mctx, &buf, len);
-			if (result == ISC_R_SUCCESS)
-				goto repopulate_buffer;
-			else
-				goto cleanup;
-		}
-		check_result(result,
-		     "dns_message_pseudosectiontotext");
-	}
-
-	if (query->lookup->section_question && headers) {
-		if (!short_form) {
-			result = dns_message_sectiontotext(msg,
-						       DNS_SECTION_QUESTION,
-						       style, flags, buf);
-			if (result == ISC_R_NOSPACE)
-				goto buftoosmall;
-			check_result(result, "dns_message_sectiontotext");
-		}
-	}
-	if (query->lookup->section_answer) {
-		if (!short_form) {
-			result = dns_message_sectiontotext(msg,
-						       DNS_SECTION_ANSWER,
-						       style, flags, buf);
-			if (result == ISC_R_NOSPACE)
-				goto buftoosmall;
-			check_result(result, "dns_message_sectiontotext");
-		} else {
-			result = short_answer(msg, flags, buf, query);
-			if (result == ISC_R_NOSPACE)
-				goto buftoosmall;
-			check_result(result, "short_answer");
-		}
-	}
-	if (query->lookup->section_authority) {
-		if (!short_form) {
-			result = dns_message_sectiontotext(msg,
-						       DNS_SECTION_AUTHORITY,
-						       style, flags, buf);
-			if (result == ISC_R_NOSPACE)
-				goto buftoosmall;
-			check_result(result, "dns_message_sectiontotext");
-		}
-	}
-	if (query->lookup->section_additional) {
-		if (!short_form) {
-			result = dns_message_sectiontotext(msg,
-						      DNS_SECTION_ADDITIONAL,
-						      style, flags, buf);
-			if (result == ISC_R_NOSPACE)
-				goto buftoosmall;
-			check_result(result, "dns_message_sectiontotext");
-			/*
-			 * Only print the signature on the first record.
-			 */
-			if (headers) {
-				result = dns_message_pseudosectiontotext(
-						   msg,
-						   DNS_PSEUDOSECTION_TSIG,
-						   style, flags, buf);
-				if (result == ISC_R_NOSPACE)
-					goto buftoosmall;
-				check_result(result,
-					  "dns_message_pseudosectiontotext");
-				result = dns_message_pseudosectiontotext(
-						   msg,
-						   DNS_PSEUDOSECTION_SIG0,
-						   style, flags, buf);
-				if (result == ISC_R_NOSPACE)
-					goto buftoosmall;
-				check_result(result,
-					   "dns_message_pseudosectiontotext");
-			}
-		}
-	}
-
-	if (headers && query->lookup->comments && !short_form)
-		printf("\n");
-
-	printf("%.*s", (int)isc_buffer_usedlength(buf),
-	       (char *)isc_buffer_base(buf));
-	isc_buffer_free(&buf);
-
-cleanup:
-	if (style != NULL)
-		dns_master_styledestroy(&style, mctx);
-	return (result);
-}
-
-/*%
- * print the greeting message when the program first starts up.
- */
-static void
-printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
-	int i;
-	int remaining;
-	static isc_boolean_t first = ISC_TRUE;
-	char append[MXNAME];
-
-	if (printcmd) {
-		lookup->cmdline[sizeof(lookup->cmdline) - 1] = 0;
-		snprintf(lookup->cmdline, sizeof(lookup->cmdline),
-			 "%s; <<>> DiG " VERSION " <<>>",
-			 first?"\n":"");
-		i = 1;
-		while (i < argc) {
-			snprintf(append, sizeof(append), " %s", argv[i++]);
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
-		}
-		remaining = sizeof(lookup->cmdline) -
-			    strlen(lookup->cmdline) - 1;
-		strncat(lookup->cmdline, "\n", remaining);
-		if (first && addresscount != 0) {
-			snprintf(append, sizeof(append),
-				 "; (%d server%s found)\n",
-				 addresscount,
-				 addresscount > 1 ? "s" : "");
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
-		}
-		if (first) {
-			snprintf(append, sizeof(append),
-				 ";; global options:%s%s\n",
-				 short_form ? " +short" : "",
-				 printcmd ? " +cmd" : "");
-			first = ISC_FALSE;
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
-		}
-	}
-}
-
-/*%
- * We're not using isc_commandline_parse() here since the command line
- * syntax of dig is quite a bit different from that which can be described
- * by that routine.
- * XXX doc options
- */
-
-static void
-plus_option(char *option, isc_boolean_t is_batchfile,
-	    dig_lookup_t *lookup)
-{
-	isc_result_t result;
-	char option_store[256];
-	char *cmd, *value, *ptr;
-	isc_uint32_t num;
-	isc_boolean_t state = ISC_TRUE;
-#ifdef DIG_SIGCHASE
-	size_t n;
-#endif
-
-	strncpy(option_store, option, sizeof(option_store));
-	option_store[sizeof(option_store)-1]=0;
-	ptr = option_store;
-	cmd = next_token(&ptr,"=");
-	if (cmd == NULL) {
-		printf(";; Invalid option %s\n", option_store);
-		return;
-	}
-	value = ptr;
-	if (strncasecmp(cmd, "no", 2)==0) {
-		cmd += 2;
-		state = ISC_FALSE;
-	}
-
-#define FULLCHECK(A) \
-	do { \
-		size_t _l = strlen(cmd); \
-		if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
-			goto invalid_option; \
-	} while (0)
-#define FULLCHECK2(A, B) \
-	do { \
-		size_t _l = strlen(cmd); \
-		if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \
-		    (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0)) \
-			goto invalid_option; \
-	} while (0)
-
-	switch (cmd[0]) {
-	case 'a':
-		switch (cmd[1]) {
-		case 'a': /* aaonly / aaflag */
-			FULLCHECK2("aaonly", "aaflag");
-			lookup->aaonly = state;
-			break;
-		case 'd':
-			switch (cmd[2]) {
-			case 'd': /* additional */
-				FULLCHECK("additional");
-				lookup->section_additional = state;
-				break;
-			case 'f': /* adflag */
-			case '\0': /* +ad is a synonym for +adflag */
-				FULLCHECK("adflag");
-				lookup->adflag = state;
-				break;
-			default:
-				goto invalid_option;
-			}
-			break;
-		case 'l': /* all */
-			FULLCHECK("all");
-			lookup->section_question = state;
-			lookup->section_authority = state;
-			lookup->section_answer = state;
-			lookup->section_additional = state;
-			lookup->comments = state;
-			rrcomments = state;
-			lookup->stats = state;
-			printcmd = state;
-			break;
-		case 'n': /* answer */
-			FULLCHECK("answer");
-			lookup->section_answer = state;
-			break;
-		case 'u': /* authority */
-			FULLCHECK("authority");
-			lookup->section_authority = state;
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'b':
-		switch (cmd[1]) {
-		case 'e':/* besteffort */
-			FULLCHECK("besteffort");
-			lookup->besteffort = state;
-			break;
-		case 'u':/* bufsize */
-			FULLCHECK("bufsize");
-			if (value == NULL)
-				goto need_value;
-			if (!state)
-				goto invalid_option;
-			result = parse_uint(&num, value, COMMSIZE,
-					    "buffer size");
-			if (result != ISC_R_SUCCESS)
-				fatal("Couldn't parse buffer size");
-			lookup->udpsize = num;
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'c':
-		switch (cmd[1]) {
-		case 'd':/* cdflag */
-			switch (cmd[2]) {
-			case 'f': /* cdflag */
-			case '\0': /* +cd is a synonym for +cdflag */
-				FULLCHECK("cdflag");
-				lookup->cdflag = state;
-				break;
-			default:
-				goto invalid_option;
-			}
-			break;
-		case 'l': /* cl */
-			FULLCHECK("cl");
-			noclass = ISC_TF(!state);
-			break;
-		case 'm': /* cmd */
-			FULLCHECK("cmd");
-			printcmd = state;
-			break;
-		case 'o': /* comments */
-			FULLCHECK("comments");
-			lookup->comments = state;
-			if (lookup == default_lookup)
-				pluscomm = state;
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'd':
-		switch (cmd[1]) {
-		case 'e': /* defname */
-			FULLCHECK("defname");
-			if (!lookup->trace) {
-				usesearch = state;
-			}
-			break;
-		case 'n': /* dnssec */
-			FULLCHECK("dnssec");
-			if (state && lookup->edns == -1)
-				lookup->edns = 0;
-			lookup->dnssec = state;
-			break;
-		case 'o': /* domain */
-			FULLCHECK("domain");
-			if (value == NULL)
-				goto need_value;
-			if (!state)
-				goto invalid_option;
-			strncpy(domainopt, value, sizeof(domainopt));
-			domainopt[sizeof(domainopt)-1] = '\0';
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'e':
-		FULLCHECK("edns");
-		if (!state) {
-			lookup->edns = -1;
-			break;
-		}
-		if (value == NULL) {
-			lookup->edns = 0;
-			break;
-		}
-		result = parse_uint(&num, value, 255, "edns");
-		if (result != ISC_R_SUCCESS)
-			fatal("Couldn't parse edns");
-		lookup->edns = num;
-		break;
-	case 'f': /* fail */
-		FULLCHECK("fail");
-		lookup->servfail_stops = state;
-		break;
-	case 'i':
-		switch (cmd[1]) {
-		case 'd': /* identify */
-			FULLCHECK("identify");
-			lookup->identify = state;
-			break;
-		case 'g': /* ignore */
-		default: /* Inherits default for compatibility */
-			FULLCHECK("ignore");
-			lookup->ignore = ISC_TRUE;
-		}
-		break;
-	case 'm': /* multiline */
-		FULLCHECK("multiline");
-		multiline = state;
-		break;
-	case 'n':
-		switch (cmd[1]) {
-		case 'd': /* ndots */
-			FULLCHECK("ndots");
-			if (value == NULL)
-				goto need_value;
-			if (!state)
-				goto invalid_option;
-			result = parse_uint(&num, value, MAXNDOTS, "ndots");
-			if (result != ISC_R_SUCCESS)
-				fatal("Couldn't parse ndots");
-			ndots = num;
-			break;
-		case 's':
-			switch (cmd[2]) {
-			case 'i': /* nsid */
-				FULLCHECK("nsid");
-				if (state && lookup->edns == -1)
-					lookup->edns = 0;
-				lookup->nsid = state;
-				break;
-			case 's': /* nssearch */
-				FULLCHECK("nssearch");
-				lookup->ns_search_only = state;
-				if (state) {
-					lookup->trace_root = ISC_TRUE;
-					lookup->recurse = ISC_TRUE;
-					lookup->identify = ISC_TRUE;
-					lookup->stats = ISC_FALSE;
-					lookup->comments = ISC_FALSE;
-					rrcomments = ISC_FALSE;
-					lookup->section_additional = ISC_FALSE;
-					lookup->section_authority = ISC_FALSE;
-					lookup->section_question = ISC_FALSE;
-					lookup->rdtype = dns_rdatatype_ns;
-					lookup->rdtypeset = ISC_TRUE;
-					short_form = ISC_TRUE;
-				}
-				break;
-			default:
-				goto invalid_option;
-			}
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'o':
-		FULLCHECK("onesoa");
-		onesoa = state;
-		break;
-	case 'q':
-		switch (cmd[1]) {
-		case 'r': /* qr */
-			FULLCHECK("qr");
-			qr = state;
-			break;
-		case 'u': /* question */
-			FULLCHECK("question");
-			lookup->section_question = state;
-			if (lookup == default_lookup)
-				plusquest = state;
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'r':
-		switch (cmd[1]) {
-		case 'e':
-			switch (cmd[2]) {
-			case 'c': /* recurse */
-				FULLCHECK("recurse");
-				lookup->recurse = state;
-				break;
-			case 't': /* retry / retries */
-				FULLCHECK2("retry", "retries");
-				if (value == NULL)
-					goto need_value;
-				if (!state)
-					goto invalid_option;
-				result = parse_uint(&lookup->retries, value,
-						    MAXTRIES - 1, "retries");
-				if (result != ISC_R_SUCCESS)
-					fatal("Couldn't parse retries");
-				lookup->retries++;
-				break;
-			default:
-				goto invalid_option;
-			}
-			break;
-		case 'r': /* rrcomments */
-			FULLCHECK("rrcomments");
-			rrcomments = state;
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 's':
-		switch (cmd[1]) {
-		case 'e': /* search */
-			FULLCHECK("search");
-			if (!lookup->trace) {
-				usesearch = state;
-			}
-			break;
-		case 'h':
-			if (cmd[2] != 'o')
-				goto invalid_option;
-			switch (cmd[3]) {
-			case 'r': /* short */
-				FULLCHECK("short");
-				short_form = state;
-				if (state) {
-					printcmd = ISC_FALSE;
-					lookup->section_additional = ISC_FALSE;
-					lookup->section_answer = ISC_TRUE;
-					lookup->section_authority = ISC_FALSE;
-					lookup->section_question = ISC_FALSE;
-					lookup->comments = ISC_FALSE;
-					rrcomments = ISC_FALSE;
-					lookup->stats = ISC_FALSE;
-				}
-				break;
-			case 'w': /* showsearch */
-				FULLCHECK("showsearch");
-				if (!lookup->trace) {
-					showsearch = state;
-					usesearch = state;
-				}
-				break;
-			default:
-				goto invalid_option;
-			}
-			break;
-#ifdef DIG_SIGCHASE
-		case 'i': /* sigchase */
-			FULLCHECK("sigchase");
-			lookup->sigchase = state;
-			if (lookup->sigchase)
-				lookup->dnssec = ISC_TRUE;
-			break;
-#endif
-		case 'p': /* split */
-			FULLCHECK("split");
-			if (value != NULL && !state)
-				goto invalid_option;
-			if (!state) {
-				splitwidth = 0;
-				break;
-			} else if (value == NULL)
-				break;
-
-			result = parse_uint(&splitwidth, value,
-					    1023, "split");
-			if (splitwidth % 4 != 0) {
-				splitwidth = ((splitwidth + 3) / 4) * 4;
-				fprintf(stderr, ";; Warning, split must be "
-						"a multiple of 4; adjusting "
-						"to %d\n", splitwidth);
-			}
-			/*
-			 * There is an adjustment done in the
-			 * totext_<rrtype>() functions which causes
-			 * splitwidth to shrink.  This is okay when we're
-			 * using the default width but incorrect in this
-			 * case, so we correct for it
-			 */
-			if (splitwidth)
-				splitwidth += 3;
-			if (result != ISC_R_SUCCESS)
-				fatal("Couldn't parse retries");
-			break;
-		case 't': /* stats */
-			FULLCHECK("stats");
-			lookup->stats = state;
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 't':
-		switch (cmd[1]) {
-		case 'c': /* tcp */
-			FULLCHECK("tcp");
-			if (!is_batchfile)
-				lookup->tcp_mode = state;
-			break;
-		case 'i': /* timeout */
-			FULLCHECK("timeout");
-			if (value == NULL)
-				goto need_value;
-			if (!state)
-				goto invalid_option;
-			result = parse_uint(&timeout, value, MAXTIMEOUT,
-					    "timeout");
-			if (result != ISC_R_SUCCESS)
-				fatal("Couldn't parse timeout");
-			if (timeout == 0)
-				timeout = 1;
-			break;
-#if DIG_SIGCHASE_TD
-		case 'o': /* topdown */
-			FULLCHECK("topdown");
-			lookup->do_topdown = state;
-			break;
-#endif
-		case 'r':
-			switch (cmd[2]) {
-			case 'a': /* trace */
-				FULLCHECK("trace");
-				lookup->trace = state;
-				lookup->trace_root = state;
-				if (state) {
-					lookup->recurse = ISC_FALSE;
-					lookup->identify = ISC_TRUE;
-					lookup->comments = ISC_FALSE;
-					rrcomments = ISC_FALSE;
-					lookup->stats = ISC_FALSE;
-					lookup->section_additional = ISC_FALSE;
-					lookup->section_authority = ISC_TRUE;
-					lookup->section_question = ISC_FALSE;
-					lookup->dnssec = ISC_TRUE;
-					usesearch = ISC_FALSE;
-				}
-				break;
-			case 'i': /* tries */
-				FULLCHECK("tries");
-				if (value == NULL)
-					goto need_value;
-				if (!state)
-					goto invalid_option;
-				result = parse_uint(&lookup->retries, value,
-						    MAXTRIES, "tries");
-				if (result != ISC_R_SUCCESS)
-					fatal("Couldn't parse tries");
-				if (lookup->retries == 0)
-					lookup->retries = 1;
-				break;
-#ifdef DIG_SIGCHASE
-			case 'u': /* trusted-key */
-				FULLCHECK("trusted-key");
-				if (value == NULL)
-					goto need_value;
-				if (!state)
-					goto invalid_option;
-				n = strlcpy(trustedkey, ptr,
-					    sizeof(trustedkey));
-				if (n >= sizeof(trustedkey))
-					fatal("trusted key too large");
-				break;
-#endif
-			default:
-				goto invalid_option;
-			}
-			break;
-		case 't': /* ttlid */
-			FULLCHECK("ttlid");
-			nottl = ISC_TF(!state);
-			break;
-		default:
-			goto invalid_option;
-		}
-		break;
-	case 'v':
-		FULLCHECK("vc");
-		if (!is_batchfile)
-			lookup->tcp_mode = state;
-		break;
-	default:
-	invalid_option:
-	need_value:
-		fprintf(stderr, "Invalid option: +%s\n",
-			 option);
-		usage();
-	}
-	return;
-}
-
-/*%
- * #ISC_TRUE returned if value was used
- */
-static const char *single_dash_opts = "46dhimnv";
-static const char *dash_opts = "46bcdfhikmnptvyx";
-static isc_boolean_t
-dash_option(char *option, char *next, dig_lookup_t **lookup,
-	    isc_boolean_t *open_type_class, isc_boolean_t *need_clone,
-	    isc_boolean_t config_only, int argc, char **argv,
-	    isc_boolean_t *firstarg)
-{
-	char opt, *value, *ptr, *ptr2, *ptr3;
-	isc_result_t result;
-	isc_boolean_t value_from_next;
-	isc_textregion_t tr;
-	dns_rdatatype_t rdtype;
-	dns_rdataclass_t rdclass;
-	char textname[MXNAME];
-	struct in_addr in4;
-	struct in6_addr in6;
-	in_port_t srcport;
-	char *hash, *cmd;
-	isc_uint32_t num;
-
-	while (strpbrk(option, single_dash_opts) == &option[0]) {
-		/*
-		 * Since the -[46dhimnv] options do not take an argument,
-		 * account for them (in any number and/or combination)
-		 * if they appear as the first character(s) of a q-opt.
-		 */
-		opt = option[0];
-		switch (opt) {
-		case '4':
-			if (have_ipv4) {
-				isc_net_disableipv6();
-				have_ipv6 = ISC_FALSE;
-			} else {
-				fatal("can't find IPv4 networking");
-				/* NOTREACHED */
-				return (ISC_FALSE);
-			}
-			break;
-		case '6':
-			if (have_ipv6) {
-				isc_net_disableipv4();
-				have_ipv4 = ISC_FALSE;
-			} else {
-				fatal("can't find IPv6 networking");
-				/* NOTREACHED */
-				return (ISC_FALSE);
-			}
-			break;
-		case 'd':
-			ptr = strpbrk(&option[1], dash_opts);
-			if (ptr != &option[1]) {
-				cmd = option;
-				FULLCHECK("debug");
-				debugging = ISC_TRUE;
-				return (ISC_FALSE);
-			} else
-				debugging = ISC_TRUE;
-			break;
-		case 'h':
-			help();
-			exit(0);
-			break;
-		case 'i':
-			ip6_int = ISC_TRUE;
-			break;
-		case 'm': /* memdebug */
-			/* memdebug is handled in preparse_args() */
-			break;
-		case 'n':
-			/* deprecated */
-			break;
-		case 'v':
-			version();
-			exit(0);
-			break;
-		}
-		if (strlen(option) > 1U)
-			option = &option[1];
-		else
-			return (ISC_FALSE);
-	}
-	opt = option[0];
-	if (strlen(option) > 1U) {
-		value_from_next = ISC_FALSE;
-		value = &option[1];
-	} else {
-		value_from_next = ISC_TRUE;
-		value = next;
-	}
-	if (value == NULL)
-		goto invalid_option;
-	switch (opt) {
-	case 'b':
-		hash = strchr(value, '#');
-		if (hash != NULL) {
-			result = parse_uint(&num, hash + 1, MAXPORT,
-					    "port number");
-			if (result != ISC_R_SUCCESS)
-				fatal("Couldn't parse port number");
-			srcport = num;
-			*hash = '\0';
-		} else
-			srcport = 0;
-		if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) {
-			isc_sockaddr_fromin6(&bind_address, &in6, srcport);
-			isc_net_disableipv4();
-		} else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) {
-			isc_sockaddr_fromin(&bind_address, &in4, srcport);
-			isc_net_disableipv6();
-		} else {
-			if (hash != NULL)
-				*hash = '#';
-			fatal("invalid address %s", value);
-		}
-		if (hash != NULL)
-			*hash = '#';
-		specified_source = ISC_TRUE;
-		return (value_from_next);
-	case 'c':
-		if ((*lookup)->rdclassset) {
-			fprintf(stderr, ";; Warning, extra class option\n");
-		}
-		*open_type_class = ISC_FALSE;
-		tr.base = value;
-		tr.length = strlen(value);
-		result = dns_rdataclass_fromtext(&rdclass,
-						 (isc_textregion_t *)&tr);
-		if (result == ISC_R_SUCCESS) {
-			(*lookup)->rdclass = rdclass;
-			(*lookup)->rdclassset = ISC_TRUE;
-		} else
-			fprintf(stderr, ";; Warning, ignoring "
-				"invalid class %s\n",
-				value);
-		return (value_from_next);
-	case 'f':
-		batchname = value;
-		return (value_from_next);
-	case 'k':
-		strncpy(keyfile, value, sizeof(keyfile));
-		keyfile[sizeof(keyfile)-1]=0;
-		return (value_from_next);
-	case 'p':
-		result = parse_uint(&num, value, MAXPORT, "port number");
-		if (result != ISC_R_SUCCESS)
-			fatal("Couldn't parse port number");
-		port = num;
-		return (value_from_next);
-	case 'q':
-		if (!config_only) {
-			if (*need_clone)
-				(*lookup) = clone_lookup(default_lookup,
-							 ISC_TRUE);
-			*need_clone = ISC_TRUE;
-			strncpy((*lookup)->textname, value,
-				sizeof((*lookup)->textname));
-			(*lookup)->textname[sizeof((*lookup)->textname)-1]=0;
-			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
-						     (*lookup)->ns_search_only);
-			(*lookup)->new_search = ISC_TRUE;
-			if (*firstarg) {
-				printgreeting(argc, argv, *lookup);
-				*firstarg = ISC_FALSE;
-			}
-			ISC_LIST_APPEND(lookup_list, (*lookup), link);
-			debug("looking up %s", (*lookup)->textname);
-		}
-		return (value_from_next);
-	case 't':
-		*open_type_class = ISC_FALSE;
-		if (strncasecmp(value, "ixfr=", 5) == 0) {
-			rdtype = dns_rdatatype_ixfr;
-			result = ISC_R_SUCCESS;
-		} else {
-			tr.base = value;
-			tr.length = strlen(value);
-			result = dns_rdatatype_fromtext(&rdtype,
-						(isc_textregion_t *)&tr);
-			if (result == ISC_R_SUCCESS &&
-			    rdtype == dns_rdatatype_ixfr) {
-				result = DNS_R_UNKNOWN;
-			}
-		}
-		if (result == ISC_R_SUCCESS) {
-			if ((*lookup)->rdtypeset) {
-				fprintf(stderr, ";; Warning, "
-						"extra type option\n");
-			}
-			if (rdtype == dns_rdatatype_ixfr) {
-				isc_uint32_t serial;
-				(*lookup)->rdtype = dns_rdatatype_ixfr;
-				(*lookup)->rdtypeset = ISC_TRUE;
-				result = parse_uint(&serial, &value[5],
-					   MAXSERIAL, "serial number");
-				if (result != ISC_R_SUCCESS)
-					fatal("Couldn't parse serial number");
-				(*lookup)->ixfr_serial = serial;
-				(*lookup)->section_question = plusquest;
-				(*lookup)->comments = pluscomm;
-				(*lookup)->tcp_mode = ISC_TRUE;
-			} else {
-				(*lookup)->rdtype = rdtype;
-				(*lookup)->rdtypeset = ISC_TRUE;
-				if (rdtype == dns_rdatatype_axfr) {
-					(*lookup)->section_question = plusquest;
-					(*lookup)->comments = pluscomm;
-				}
-				(*lookup)->ixfr_serial = ISC_FALSE;
-			}
-		} else
-			fprintf(stderr, ";; Warning, ignoring "
-				 "invalid type %s\n",
-				 value);
-		return (value_from_next);
-	case 'y':
-		ptr = next_token(&value,":");	/* hmac type or name */
-		if (ptr == NULL) {
-			usage();
-		}
-		ptr2 = next_token(&value, ":");	/* name or secret */
-		if (ptr2 == NULL)
-			usage();
-		ptr3 = next_token(&value,":"); /* secret or NULL */
-		if (ptr3 != NULL) {
-			parse_hmac(ptr);
-			ptr = ptr2;
-			ptr2 = ptr3;
-		} else  {
-			hmacname = DNS_TSIG_HMACMD5_NAME;
-			digestbits = 0;
-		}
-		strncpy(keynametext, ptr, sizeof(keynametext));
-		keynametext[sizeof(keynametext)-1]=0;
-		strncpy(keysecret, ptr2, sizeof(keysecret));
-		keysecret[sizeof(keysecret)-1]=0;
-		return (value_from_next);
-	case 'x':
-		if (*need_clone)
-			*lookup = clone_lookup(default_lookup, ISC_TRUE);
-		*need_clone = ISC_TRUE;
-		if (get_reverse(textname, sizeof(textname), value,
-				ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
-			strncpy((*lookup)->textname, textname,
-				sizeof((*lookup)->textname));
-			debug("looking up %s", (*lookup)->textname);
-			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
-						(*lookup)->ns_search_only);
-			(*lookup)->ip6_int = ip6_int;
-			if (!(*lookup)->rdtypeset)
-				(*lookup)->rdtype = dns_rdatatype_ptr;
-			if (!(*lookup)->rdclassset)
-				(*lookup)->rdclass = dns_rdataclass_in;
-			(*lookup)->new_search = ISC_TRUE;
-			if (*firstarg) {
-				printgreeting(argc, argv, *lookup);
-				*firstarg = ISC_FALSE;
-			}
-			ISC_LIST_APPEND(lookup_list, *lookup, link);
-		} else {
-			fprintf(stderr, "Invalid IP address %s\n", value);
-			exit(1);
-		}
-		return (value_from_next);
-	invalid_option:
-	default:
-		fprintf(stderr, "Invalid option: -%s\n", option);
-		usage();
-	}
-	/* NOTREACHED */
-	return (ISC_FALSE);
-}
-
-/*%
- * Because we may be trying to do memory allocation recording, we're going
- * to need to parse the arguments for the -m *before* we start the main
- * argument parsing routine.
- *
- * I'd prefer not to have to do this, but I am not quite sure how else to
- * fix the problem.  Argument parsing in dig involves memory allocation
- * by its nature, so it can't be done in the main argument parser.
- */
-static void
-preparse_args(int argc, char **argv) {
-	int rc;
-	char **rv;
-	char *option;
-
-	rc = argc;
-	rv = argv;
-	for (rc--, rv++; rc > 0; rc--, rv++) {
-		if (rv[0][0] != '-')
-			continue;
-		option = &rv[0][1];
-		while (strpbrk(option, single_dash_opts) == &option[0]) {
-			if (option[0] == 'm') {
-				memdebugging = ISC_TRUE;
-				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
-					ISC_MEM_DEBUGRECORD;
-				return;
-			}
-			option = &option[1];
-		}
-	}
-}
-
-static void
-parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
-	   int argc, char **argv) {
-	isc_result_t result;
-	isc_textregion_t tr;
-	isc_boolean_t firstarg = ISC_TRUE;
-	dig_lookup_t *lookup = NULL;
-	dns_rdatatype_t rdtype;
-	dns_rdataclass_t rdclass;
-	isc_boolean_t open_type_class = ISC_TRUE;
-	char batchline[MXNAME];
-	int bargc;
-	char *bargv[64];
-	int rc;
-	char **rv;
-#ifndef NOPOSIX
-	char *homedir;
-	char rcfile[256];
-#endif
-	char *input;
-	int i;
-	isc_boolean_t need_clone = ISC_TRUE;
-
-	/*
-	 * The semantics for parsing the args is a bit complex; if
-	 * we don't have a host yet, make the arg apply globally,
-	 * otherwise make it apply to the latest host.  This is
-	 * a bit different than the previous versions, but should
-	 * form a consistent user interface.
-	 *
-	 * First, create a "default lookup" which won't actually be used
-	 * anywhere, except for cloning into new lookups
-	 */
-
-	debug("parse_args()");
-	if (!is_batchfile) {
-		debug("making new lookup");
-		default_lookup = make_empty_lookup();
-		default_lookup->adflag = ISC_TRUE;
-		default_lookup->edns = 0;
-
-#ifndef NOPOSIX
-		/*
-		 * Treat ${HOME}/.digrc as a special batchfile
-		 */
-		INSIST(batchfp == NULL);
-		homedir = getenv("HOME");
-		if (homedir != NULL) {
-			unsigned int n;
-			n = snprintf(rcfile, sizeof(rcfile), "%s/.digrc",
-				     homedir);
-			if (n < sizeof(rcfile))
-				batchfp = fopen(rcfile, "r");
-		}
-		if (batchfp != NULL) {
-			while (fgets(batchline, sizeof(batchline),
-				     batchfp) != 0) {
-				debug("config line %s", batchline);
-				bargc = 1;
-				input = batchline;
-				bargv[bargc] = next_token(&input, " \t\r\n");
-				while ((bargv[bargc] != NULL) &&
-				       (bargc < 62)) {
-					bargc++;
-					bargv[bargc] =
-						next_token(&input, " \t\r\n");
-				}
-
-				bargv[0] = argv[0];
-				argv0 = argv[0];
-
-				for(i = 0; i < bargc; i++)
-					debug(".digrc argv %d: %s",
-					      i, bargv[i]);
-				parse_args(ISC_TRUE, ISC_TRUE, bargc,
-					   (char **)bargv);
-			}
-			fclose(batchfp);
-		}
-#endif
-	}
-
-	if (is_batchfile && !config_only) {
-		/* Processing '-f batchfile'. */
-		lookup = clone_lookup(default_lookup, ISC_TRUE);
-		need_clone = ISC_FALSE;
-	} else
-		lookup = default_lookup;
-
-	rc = argc;
-	rv = argv;
-	for (rc--, rv++; rc > 0; rc--, rv++) {
-		debug("main parsing %s", rv[0]);
-		if (strncmp(rv[0], "%", 1) == 0)
-			break;
-		if (strncmp(rv[0], "@", 1) == 0) {
-			addresscount = getaddresses(lookup, &rv[0][1], NULL);
-		} else if (rv[0][0] == '+') {
-			plus_option(&rv[0][1], is_batchfile,
-				    lookup);
-		} else if (rv[0][0] == '-') {
-			if (rc <= 1) {
-				if (dash_option(&rv[0][1], NULL,
-						&lookup, &open_type_class,
-						&need_clone, config_only,
-						argc, argv, &firstarg)) {
-					rc--;
-					rv++;
-				}
-			} else {
-				if (dash_option(&rv[0][1], rv[1],
-						&lookup, &open_type_class,
-						&need_clone, config_only,
-						argc, argv, &firstarg)) {
-					rc--;
-					rv++;
-				}
-			}
-		} else {
-			/*
-			 * Anything which isn't an option
-			 */
-			if (open_type_class) {
-				if (strncasecmp(rv[0], "ixfr=", 5) == 0) {
-					rdtype = dns_rdatatype_ixfr;
-					result = ISC_R_SUCCESS;
-				} else {
-					tr.base = rv[0];
-					tr.length = strlen(rv[0]);
-					result = dns_rdatatype_fromtext(&rdtype,
-						(isc_textregion_t *)&tr);
-					if (result == ISC_R_SUCCESS &&
-					    rdtype == dns_rdatatype_ixfr) {
-						fprintf(stderr, ";; Warning, "
-							"ixfr requires a "
-							"serial number\n");
-						continue;
-					}
-				}
-				if (result == ISC_R_SUCCESS) {
-					if (lookup->rdtypeset) {
-						fprintf(stderr, ";; Warning, "
-							"extra type option\n");
-					}
-					if (rdtype == dns_rdatatype_ixfr) {
-						isc_uint32_t serial;
-						lookup->rdtype =
-							dns_rdatatype_ixfr;
-						lookup->rdtypeset = ISC_TRUE;
-						result = parse_uint(&serial,
-								    &rv[0][5],
-								    MAXSERIAL,
-							      "serial number");
-						if (result != ISC_R_SUCCESS)
-							fatal("Couldn't parse "
-							      "serial number");
-						lookup->ixfr_serial = serial;
-						lookup->section_question =
-							plusquest;
-						lookup->comments = pluscomm;
-						lookup->tcp_mode = ISC_TRUE;
-					} else {
-						lookup->rdtype = rdtype;
-						lookup->rdtypeset = ISC_TRUE;
-						if (rdtype ==
-						    dns_rdatatype_axfr) {
-						    lookup->section_question =
-								plusquest;
-						    lookup->comments = pluscomm;
-						}
-						lookup->ixfr_serial = ISC_FALSE;
-					}
-					continue;
-				}
-				result = dns_rdataclass_fromtext(&rdclass,
-						     (isc_textregion_t *)&tr);
-				if (result == ISC_R_SUCCESS) {
-					if (lookup->rdclassset) {
-						fprintf(stderr, ";; Warning, "
-							"extra class option\n");
-					}
-					lookup->rdclass = rdclass;
-					lookup->rdclassset = ISC_TRUE;
-					continue;
-				}
-			}
-
-			if (!config_only) {
-				if (need_clone)
-					lookup = clone_lookup(default_lookup,
-								      ISC_TRUE);
-				need_clone = ISC_TRUE;
-				strncpy(lookup->textname, rv[0],
-					sizeof(lookup->textname));
-				lookup->textname[sizeof(lookup->textname)-1]=0;
-				lookup->trace_root = ISC_TF(lookup->trace  ||
-						     lookup->ns_search_only);
-				lookup->new_search = ISC_TRUE;
-				if (firstarg) {
-					printgreeting(argc, argv, lookup);
-					firstarg = ISC_FALSE;
-				}
-				ISC_LIST_APPEND(lookup_list, lookup, link);
-				debug("looking up %s", lookup->textname);
-			}
-			/* XXX Error message */
-		}
-	}
-
-	/*
-	 * If we have a batchfile, seed the lookup list with the
-	 * first entry, then trust the callback in dighost_shutdown
-	 * to get the rest
-	 */
-	if ((batchname != NULL) && !(is_batchfile)) {
-		if (strcmp(batchname, "-") == 0)
-			batchfp = stdin;
-		else
-			batchfp = fopen(batchname, "r");
-		if (batchfp == NULL) {
-			perror(batchname);
-			if (exitcode < 8)
-				exitcode = 8;
-			fatal("couldn't open specified batch file");
-		}
-		/* XXX Remove code dup from shutdown code */
-	next_line:
-		if (fgets(batchline, sizeof(batchline), batchfp) != 0) {
-			bargc = 1;
-			debug("batch line %s", batchline);
-			if (batchline[0] == '\r' || batchline[0] == '\n'
-			    || batchline[0] == '#' || batchline[0] == ';')
-				goto next_line;
-			input = batchline;
-			bargv[bargc] = next_token(&input, " \t\r\n");
-			while ((bargv[bargc] != NULL) && (bargc < 14)) {
-				bargc++;
-				bargv[bargc] = next_token(&input, " \t\r\n");
-			}
-
-			bargv[0] = argv[0];
-			argv0 = argv[0];
-
-			for(i = 0; i < bargc; i++)
-				debug("batch argv %d: %s", i, bargv[i]);
-			parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
-			return;
-		}
-		return;
-	}
-	/*
-	 * If no lookup specified, search for root
-	 */
-	if ((lookup_list.head == NULL) && !config_only) {
-		if (need_clone)
-			lookup = clone_lookup(default_lookup, ISC_TRUE);
-		need_clone = ISC_TRUE;
-		lookup->trace_root = ISC_TF(lookup->trace ||
-					    lookup->ns_search_only);
-		lookup->new_search = ISC_TRUE;
-		strcpy(lookup->textname, ".");
-		lookup->rdtype = dns_rdatatype_ns;
-		lookup->rdtypeset = ISC_TRUE;
-		if (firstarg) {
-			printgreeting(argc, argv, lookup);
-			firstarg = ISC_FALSE;
-		}
-		ISC_LIST_APPEND(lookup_list, lookup, link);
-	}
-	if (!need_clone)
-		destroy_lookup(lookup);
-}
-
-/*
- * Callback from dighost.c to allow program-specific shutdown code.
- * Here, we're possibly reading from a batch file, then shutting down
- * for real if there's nothing in the batch file to read.
- */
-void
-dighost_shutdown(void) {
-	char batchline[MXNAME];
-	int bargc;
-	char *bargv[16];
-	char *input;
-	int i;
-
-	if (batchname == NULL) {
-		isc_app_shutdown();
-		return;
-	}
-
-	fflush(stdout);
-	if (feof(batchfp)) {
-		batchname = NULL;
-		isc_app_shutdown();
-		if (batchfp != stdin)
-			fclose(batchfp);
-		return;
-	}
-
-	if (fgets(batchline, sizeof(batchline), batchfp) != 0) {
-		debug("batch line %s", batchline);
-		bargc = 1;
-		input = batchline;
-		bargv[bargc] = next_token(&input, " \t\r\n");
-		while ((bargv[bargc] != NULL) && (bargc < 14)) {
-			bargc++;
-			bargv[bargc] = next_token(&input, " \t\r\n");
-		}
-
-		bargv[0] = argv0;
-
-		for(i = 0; i < bargc; i++)
-			debug("batch argv %d: %s", i, bargv[i]);
-		parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
-		start_lookup();
-	} else {
-		batchname = NULL;
-		if (batchfp != stdin)
-			fclose(batchfp);
-		isc_app_shutdown();
-		return;
-	}
-}
-
-/*% Main processing routine for dig */
-int
-main(int argc, char **argv) {
-	isc_result_t result;
-
-	ISC_LIST_INIT(lookup_list);
-	ISC_LIST_INIT(server_list);
-	ISC_LIST_INIT(search_list);
-
-	debug("main()");
-	preparse_args(argc, argv);
-	progname = argv[0];
-	result = isc_app_start();
-	check_result(result, "isc_app_start");
-	setup_libs();
-	parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
-	setup_system();
-	if (domainopt[0] != '\0') {
-		set_search_domain(domainopt);
-		usesearch = ISC_TRUE;
-	}
-	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
-	check_result(result, "isc_app_onrun");
-	isc_app_run();
-	destroy_lookup(default_lookup);
-	if (batchname != NULL) {
-		if (batchfp != stdin)
-			fclose(batchfp);
-		batchname = NULL;
-	}
-#ifdef DIG_SIGCHASE
-	clean_trustedkey();
-#endif
-	cancel_all();
-	destroy_libs();
-	isc_app_finish();
-	return (exitcode);
-}
diff --git a/contrib/bind9/bin/dig/dig.docbook b/contrib/bind9/bin/dig/dig.docbook
deleted file mode 100644
index 028f0fc..0000000
--- a/contrib/bind9/bin/dig/dig.docbook
+++ /dev/null
@@ -1,1003 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dig.docbook,v 1.51 2011/11/04 11:02:50 jreed Exp $ -->
-<refentry id="man.dig">
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>dig</refentrytitle>
-    <manvolnum>1</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>dig</refname>
-    <refpurpose>DNS lookup utility</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2013</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dig</command>
-      <arg choice="opt">@server</arg>
-      <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
-      <arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
-      <arg><option>-m</option></arg>
-      <arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
-      <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
-      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-      <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
-      <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
-      <arg><option>-4</option></arg>
-      <arg><option>-6</option></arg>
-      <arg choice="opt">name</arg>
-      <arg choice="opt">type</arg>
-      <arg choice="opt">class</arg>
-      <arg choice="opt" rep="repeat">queryopt</arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>dig</command>
-      <arg><option>-h</option></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>dig</command>
-      <arg choice="opt" rep="repeat">global-queryopt</arg>
-      <arg choice="opt" rep="repeat">query</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>dig</command>
-      (domain information groper) is a flexible tool
-      for interrogating DNS name servers.  It performs DNS lookups and
-      displays the answers that are returned from the name server(s) that
-      were queried.  Most DNS administrators use <command>dig</command> to
-      troubleshoot DNS problems because of its flexibility, ease of use and
-      clarity of output.  Other lookup tools tend to have less functionality
-      than <command>dig</command>.
-    </para>
-
-    <para>
-      Although <command>dig</command> is normally used with
-      command-line
-      arguments, it also has a batch mode of operation for reading lookup
-      requests from a file.  A brief summary of its command-line arguments
-      and options is printed when the <option>-h</option> option is given.
-      Unlike earlier versions, the BIND 9 implementation of
-      <command>dig</command> allows multiple lookups to be issued
-      from the
-      command line.
-    </para>
-
-    <para>
-      Unless it is told to query a specific name server,
-      <command>dig</command> will try each of the servers listed in
-      <filename>/etc/resolv.conf</filename>. If no usable server addreses
-      are found, <command>dig</command> will send the query to the local
-      host.
-    </para>
-
-    <para>
-      When no command line arguments or options are given,
-      <command>dig</command> will perform an NS query for "." (the root).
-    </para>
-
-    <para>
-      It is possible to set per-user defaults for <command>dig</command> via
-      <filename>${HOME}/.digrc</filename>.  This file is read and
-      any options in it
-      are applied before the command line arguments.
-    </para>
-
-    <para>
-      The IN and CH class names overlap with the IN and CH top level
-      domains names.  Either use the <option>-t</option> and
-      <option>-c</option> options to specify the type and class, 
-      use the <option>-q</option> the specify the domain name, or
-      use "IN." and "CH." when looking up these top level domains.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>SIMPLE USAGE</title>
-
-    <para>
-      A typical invocation of <command>dig</command> looks like:
-      <programlisting> dig @server name type </programlisting>
-      where:
-
-      <variablelist>
-
-        <varlistentry>
-          <term><constant>server</constant></term>
-          <listitem>
-            <para>
-              is the name or IP address of the name server to query.  This
-              can be an IPv4 address in dotted-decimal notation or an IPv6
-              address in colon-delimited notation.  When the supplied
-              <parameter>server</parameter> argument is a hostname,
-              <command>dig</command> resolves that name before querying
-              that name server.
-            </para>
-            <para>
-              If no <parameter>server</parameter> argument is
-              provided, <command>dig</command> consults
-              <filename>/etc/resolv.conf</filename>; if an
-              address is found there, it queries the name server at
-              that address. If either of the <option>-4</option> or
-              <option>-6</option> options are in use, then
-              only addresses for the corresponding transport
-              will be tried.  If no usable addresses are found,
-              <command>dig</command> will send the query to the
-              local host.  The reply from the name server that
-              responds is displayed.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><constant>name</constant></term>
-          <listitem>
-            <para>
-              is the name of the resource record that is to be looked up.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><constant>type</constant></term>
-          <listitem>
-            <para>
-              indicates what type of query is required &mdash;
-              ANY, A, MX, SIG, etc.
-              <parameter>type</parameter> can be any valid query
-              type.  If no
-              <parameter>type</parameter> argument is supplied,
-              <command>dig</command> will perform a lookup for an
-              A record.
-            </para>
-          </listitem>
-        </varlistentry>
-
-      </variablelist>
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <para>
-      The <option>-b</option> option sets the source IP address of the query
-      to <parameter>address</parameter>.  This must be a valid
-      address on
-      one of the host's network interfaces or "0.0.0.0" or "::".  An optional
-      port
-      may be specified by appending "#&lt;port&gt;"
-    </para>
-
-    <para>
-      The default query class (IN for internet) is overridden by the
-      <option>-c</option> option.  <parameter>class</parameter> is
-      any valid
-      class, such as HS for Hesiod records or CH for Chaosnet records.
-    </para>
-
-    <para>
-      The <option>-f</option> option makes <command>dig </command>
-      operate
-      in batch mode by reading a list of lookup requests to process from the
-      file <parameter>filename</parameter>.  The file contains a
-      number of
-      queries, one per line.  Each entry in the file should be organized in
-      the same way they would be presented as queries to
-      <command>dig</command> using the command-line interface.
-    </para>
-
-    <para>
-      The <option>-m</option> option enables memory usage debugging.
-      <!-- It enables ISC_MEM_DEBUGTRACE and ISC_MEM_DEBUGRECORD
-           documented in include/isc/mem.h -->
-    </para>
-
-    <para>
-      If a non-standard port number is to be queried, the
-      <option>-p</option> option is used.  <parameter>port#</parameter> is
-      the port number that <command>dig</command> will send its
-      queries
-      instead of the standard DNS port number 53.  This option would be used
-      to test a name server that has been configured to listen for queries
-      on a non-standard port number.
-    </para>
-
-    <para>
-      The <option>-4</option> option forces <command>dig</command>
-      to only
-      use IPv4 query transport.  The <option>-6</option> option forces
-      <command>dig</command> to only use IPv6 query transport.
-    </para>
-
-    <para>
-      The <option>-t</option> option sets the query type to
-      <parameter>type</parameter>.  It can be any valid query type
-      which is
-      supported in BIND 9.  The default query type is "A", unless the
-      <option>-x</option> option is supplied to indicate a reverse lookup.
-      A zone transfer can be requested by specifying a type of AXFR.  When
-      an incremental zone transfer (IXFR) is required,
-      <parameter>type</parameter> is set to <literal>ixfr=N</literal>.
-      The incremental zone transfer will contain the changes made to the zone
-      since the serial number in the zone's SOA record was
-      <parameter>N</parameter>.
-    </para>
-
-    <para>
-      The <option>-q</option> option sets the query name to 
-      <parameter>name</parameter>.  This useful do distinguish the
-      <parameter>name</parameter> from other arguments.
-    </para>
-
-    <para>
-      Reverse lookups &mdash; mapping addresses to names &mdash; are simplified by the
-      <option>-x</option> option.  <parameter>addr</parameter> is
-      an IPv4
-      address in dotted-decimal notation, or a colon-delimited IPv6 address.
-      When this option is used, there is no need to provide the
-      <parameter>name</parameter>, <parameter>class</parameter> and
-      <parameter>type</parameter> arguments.  <command>dig</command>
-      automatically performs a lookup for a name like
-      <literal>11.12.13.10.in-addr.arpa</literal> and sets the
-      query type and
-      class to PTR and IN respectively.  By default, IPv6 addresses are
-      looked up using nibble format under the IP6.ARPA domain.
-      To use the older RFC1886 method using the IP6.INT domain
-      specify the <option>-i</option> option.  Bit string labels (RFC2874)
-      are now experimental and are not attempted.
-    </para>
-
-    <para>
-      To sign the DNS queries sent by <command>dig</command> and
-      their
-      responses using transaction signatures (TSIG), specify a TSIG key file
-      using the <option>-k</option> option.  You can also specify the TSIG
-      key itself on the command line using the <option>-y</option> option;
-      <parameter>hmac</parameter> is the type of the TSIG, default HMAC-MD5,
-      <parameter>name</parameter> is the name of the TSIG key and
-      <parameter>key</parameter> is the actual key.  The key is a
-      base-64
-      encoded string, typically generated by
-      <citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>.
-
-      Caution should be taken when using the <option>-y</option> option on
-      multi-user systems as the key can be visible in the output from
-      <citerefentry>
-        <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>
-      or in the shell's history file.  When
-      using TSIG authentication with <command>dig</command>, the name
-      server that is queried needs to know the key and algorithm that is
-      being used.  In BIND, this is done by providing appropriate
-      <command>key</command> and <command>server</command> statements in
-      <filename>named.conf</filename>.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>QUERY OPTIONS</title>
-
-    <para><command>dig</command>
-      provides a number of query options which affect
-      the way in which lookups are made and the results displayed.  Some of
-      these set or reset flag bits in the query header, some determine which
-      sections of the answer get printed, and others determine the timeout
-      and retry strategies.
-    </para>
-
-    <para>
-      Each query option is identified by a keyword preceded by a plus sign
-      (<literal>+</literal>).  Some keywords set or reset an
-      option.  These may be preceded
-      by the string <literal>no</literal> to negate the meaning of
-      that keyword.  Other
-      keywords assign values to options like the timeout interval.  They
-      have the form <option>+keyword=value</option>.
-      The query options are:
-
-      <variablelist>
-
-        <varlistentry>
-          <term><option>+[no]tcp</option></term>
-          <listitem>
-            <para>
-              Use [do not use] TCP when querying name servers.  The default
-              behavior is to use UDP unless an AXFR or IXFR query is
-              requested, in
-              which case a TCP connection is used.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]vc</option></term>
-          <listitem>
-            <para>
-              Use [do not use] TCP when querying name servers.  This alternate
-              syntax to <parameter>+[no]tcp</parameter> is
-              provided for backwards
-              compatibility.  The "vc" stands for "virtual circuit".
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]ignore</option></term>
-          <listitem>
-            <para>
-              Ignore truncation in UDP responses instead of retrying with TCP.
-               By
-              default, TCP retries are performed.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+domain=somename</option></term>
-          <listitem>
-            <para>
-              Set the search list to contain the single domain
-              <parameter>somename</parameter>, as if specified in
-              a
-              <command>domain</command> directive in
-              <filename>/etc/resolv.conf</filename>, and enable
-              search list
-              processing as if the <parameter>+search</parameter>
-              option were given.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]search</option></term>
-          <listitem>
-            <para>
-              Use [do not use] the search list defined by the searchlist or
-              domain
-              directive in <filename>resolv.conf</filename> (if
-              any).
-              The search list is not used by default.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]showsearch</option></term>
-          <listitem>
-            <para>
-              Perform [do not perform] a search showing intermediate
-	      results.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]defname</option></term>
-          <listitem>
-            <para>
-              Deprecated, treated as a synonym for <parameter>+[no]search</parameter>
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]aaonly</option></term>
-          <listitem>
-            <para>
-              Sets the "aa" flag in the query.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]aaflag</option></term>
-          <listitem>
-            <para>
-              A synonym for <parameter>+[no]aaonly</parameter>.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]adflag</option></term>
-	  <listitem>
-	    <para>
-	      Set [do not set] the AD (authentic data) bit in the
-	      query.  This requests the server to return whether
-	      all of the answer and authority sections have all
-	      been validated as secure according to the security
-	      policy of the server.  AD=1 indicates that all records
-	      have been validated as secure and the answer is not
-	      from a OPT-OUT range.  AD=0 indicate that some part
-	      of the answer was insecure or not validated.  This
-	      bit is set by default.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]cdflag</option></term>
-          <listitem>
-            <para>
-              Set [do not set] the CD (checking disabled) bit in the query.
-              This
-              requests the server to not perform DNSSEC validation of
-              responses.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]cl</option></term>
-          <listitem>
-            <para>
-              Display [do not display] the CLASS when printing the record.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]ttlid</option></term>
-          <listitem>
-            <para>
-              Display [do not display] the TTL when printing the record.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]recurse</option></term>
-	  <listitem>
-	    <para>
-	      Toggle the setting of the RD (recursion desired) bit
-	      in the query.  This bit is set by default, which means
-	      <command>dig</command> normally sends recursive
-	      queries.  Recursion is automatically disabled when
-	      the <parameter>+nssearch</parameter> or
-	      <parameter>+trace</parameter> query options are used.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]nssearch</option></term>
-          <listitem>
-            <para>
-              When this option is set, <command>dig</command>
-              attempts to find the
-              authoritative name servers for the zone containing the name
-              being
-              looked up and display the SOA record that each name server has
-              for the
-              zone.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]trace</option></term>
-          <listitem>
-	    <para>
-	      Toggle tracing of the delegation path from the root
-	      name servers for the name being looked up.  Tracing
-	      is disabled by default.  When tracing is enabled,
-	      <command>dig</command> makes iterative queries to
-	      resolve the name being looked up.  It will follow
-	      referrals from the root servers, showing the answer
-	      from each server that was used to resolve the lookup.
-	    </para>
-	    <para>
-	      <command>+dnssec</command> is also set when +trace is
-	      set to better emulate the default queries from a nameserver.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]cmd</option></term>
-          <listitem>
-            <para>
-              Toggles the printing of the initial comment in the output
-              identifying
-              the version of <command>dig</command> and the query
-              options that have
-              been applied.  This comment is printed by default.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]short</option></term>
-          <listitem>
-            <para>
-              Provide a terse answer.  The default is to print the answer in a
-              verbose form.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]identify</option></term>
-          <listitem>
-            <para>
-              Show [or do not show] the IP address and port number that
-              supplied the
-              answer when the <parameter>+short</parameter> option
-              is enabled.  If
-              short form answers are requested, the default is not to show the
-              source address and port number of the server that provided the
-              answer.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]comments</option></term>
-          <listitem>
-            <para>
-              Toggle the display of comment lines in the output.  The default
-              is to print comments.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]rrcomments</option></term>
-          <listitem>
-            <para>
-              Toggle the display of per-record comments in the output (for
-              example, human-readable key information about DNSKEY records).
-              The default is not to print record comments unless multiline
-              mode is active.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+split=W</option></term>
-          <listitem>
-            <para>
-              Split long hex- or base64-formatted fields in resource
-              records into chunks of <parameter>W</parameter> characters
-              (where <parameter>W</parameter> is rounded up to the nearest
-              multiple of 4).
-              <parameter>+nosplit</parameter> or
-              <parameter>+split=0</parameter> causes fields not to be
-              split at all.  The default is 56 characters, or 44 characters
-              when multiline mode is active.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]stats</option></term>
-          <listitem>
-            <para>
-              This query option toggles the printing of statistics: when the
-              query
-              was made, the size of the reply and so on.  The default
-              behavior is
-              to print the query statistics.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]qr</option></term>
-          <listitem>
-            <para>
-              Print [do not print] the query as it is sent.
-              By default, the query is not printed.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]question</option></term>
-          <listitem>
-            <para>
-              Print [do not print] the question section of a query when an
-              answer is
-              returned.  The default is to print the question section as a
-              comment.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]answer</option></term>
-          <listitem>
-            <para>
-              Display [do not display] the answer section of a reply.  The
-              default
-              is to display it.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]authority</option></term>
-          <listitem>
-            <para>
-              Display [do not display] the authority section of a reply.  The
-              default is to display it.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]additional</option></term>
-          <listitem>
-            <para>
-              Display [do not display] the additional section of a reply.
-              The default is to display it.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]all</option></term>
-          <listitem>
-            <para>
-              Set or clear all display flags.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+time=T</option></term>
-          <listitem>
-            <para>
-
-              Sets the timeout for a query to
-              <parameter>T</parameter> seconds.  The default
-	      timeout is 5 seconds.
-              An attempt to set <parameter>T</parameter> to less
-              than 1 will result
-              in a query timeout of 1 second being applied.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+tries=T</option></term>
-          <listitem>
-            <para>
-              Sets the number of times to try UDP queries to server to
-              <parameter>T</parameter> instead of the default, 3.
-              If
-              <parameter>T</parameter> is less than or equal to
-              zero, the number of
-              tries is silently rounded up to 1.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+retry=T</option></term>
-          <listitem>
-            <para>
-              Sets the number of times to retry UDP queries to server to
-              <parameter>T</parameter> instead of the default, 2.
-              Unlike
-              <parameter>+tries</parameter>, this does not include
-              the initial
-              query.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+ndots=D</option></term>
-          <listitem>
-            <para>
-              Set the number of dots that have to appear in
-              <parameter>name</parameter> to <parameter>D</parameter> for it to be
-              considered absolute.  The default value is that defined using
-              the
-              ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no
-              ndots statement is present.  Names with fewer dots are
-              interpreted as
-              relative names and will be searched for in the domains listed in
-              the
-              <option>search</option> or <option>domain</option> directive in
-              <filename>/etc/resolv.conf</filename>.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+bufsize=B</option></term>
-          <listitem>
-            <para>
-              Set the UDP message buffer size advertised using EDNS0 to
-              <parameter>B</parameter> bytes.  The maximum and minimum sizes
-	      of this buffer are 65535 and 0 respectively.  Values outside
-	      this range are rounded up or down appropriately.  
-	      Values other than zero will cause a EDNS query to be sent.
-            </para>
-          </listitem>
-        </varlistentry>
-
-	<varlistentry>
-	  <term><option>+edns=#</option></term>
-	  <listitem>
-	    <para>
-	       Specify the EDNS version to query with.  Valid values
-	       are 0 to 255.  Setting the EDNS version will cause
-	       a EDNS query to be sent.  <option>+noedns</option>
-	       clears the remembered EDNS version.  EDNS is set to
-	       0 by default.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]multiline</option></term>
-          <listitem>
-            <para>
-              Print records like the SOA records in a verbose multi-line
-              format with human-readable comments.  The default is to print
-              each record on a single line, to facilitate machine parsing
-              of the <command>dig</command> output.
-            </para>
-          </listitem>
-        </varlistentry>
-
-	<varlistentry>
-	  <term><option>+[no]onesoa</option></term>
-	  <listitem>
-	    <para>
-	      Print only one (starting) SOA record when performing
-	      an AXFR. The default is to print both the starting and
-	      ending SOA records.
-	    </para>
-	  </listitem>
-	</varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]fail</option></term>
-          <listitem>
-            <para>
-              Do not try the next server if you receive a SERVFAIL.  The
-              default is
-              to not try the next server which is the reverse of normal stub
-              resolver
-              behavior.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]besteffort</option></term>
-          <listitem>
-            <para>
-              Attempt to display the contents of messages which are malformed.
-              The default is to not display malformed answers.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]dnssec</option></term>
-          <listitem>
-            <para>
-              Requests DNSSEC records be sent by setting the DNSSEC OK bit
-              (DO)
-              in the OPT record in the additional section of the query.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]sigchase</option></term>
-          <listitem>
-            <para>
-              Chase DNSSEC signature chains.  Requires dig be compiled with
-              -DDIG_SIGCHASE.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+trusted-key=####</option></term>
-          <listitem>
-            <para>
-              Specifies a file containing trusted keys to be used with
-	      <option>+sigchase</option>.  Each DNSKEY record must be
-	      on its own line.
-            </para>
-	    <para>
-	      If not specified, <command>dig</command> will look for
-	      <filename>/etc/trusted-key.key</filename> then
-	      <filename>trusted-key.key</filename> in the current directory.
-	    </para>
-	    <para>
-              Requires dig be compiled with -DDIG_SIGCHASE.
-	    </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]topdown</option></term>
-          <listitem>
-            <para>
-              When chasing DNSSEC signature chains perform a top-down
-              validation.
-              Requires dig be compiled with -DDIG_SIGCHASE.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><option>+[no]nsid</option></term>
-          <listitem>
-            <para>
-              Include an EDNS name server ID request when sending a query.
-            </para>
-          </listitem>
-        </varlistentry>
-
-
-      </variablelist>
-
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>MULTIPLE QUERIES</title>
-
-    <para>
-      The BIND 9 implementation of <command>dig </command>
-      supports
-      specifying multiple queries on the command line (in addition to
-      supporting the <option>-f</option> batch file option).  Each of those
-      queries can be supplied with its own set of flags, options and query
-      options.
-    </para>
-
-    <para>
-      In this case, each <parameter>query</parameter> argument
-      represent an
-      individual query in the command-line syntax described above.  Each
-      consists of any of the standard options and flags, the name to be
-      looked up, an optional query type and class and any query options that
-      should be applied to that query.
-    </para>
-
-    <para>
-      A global set of query options, which should be applied to all queries,
-      can also be supplied.  These global query options must precede the
-      first tuple of name, class, type, options, flags, and query options
-      supplied on the command line.  Any global query options (except
-      the <option>+[no]cmd</option> option) can be
-      overridden by a query-specific set of query options.  For example:
-      <programlisting>
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-</programlisting>
-      shows how <command>dig</command> could be used from the
-      command line
-      to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
-      reverse lookup of 127.0.0.1 and a query for the NS records of
-      <literal>isc.org</literal>.
-
-      A global query option of <parameter>+qr</parameter> is
-      applied, so
-      that <command>dig</command> shows the initial query it made
-      for each
-      lookup.  The final query has a local query option of
-      <parameter>+noqr</parameter> which means that <command>dig</command>
-      will not print the initial query when it looks up the NS records for
-      <literal>isc.org</literal>.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>IDN SUPPORT</title>
-    <para>
-      If <command>dig</command> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <command>dig</command> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, defines
-      the <envar>IDN_DISABLE</envar> environment variable.
-      The IDN support is disabled if the variable is set when 
-      <command>dig</command> runs.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-    <para><filename>/etc/resolv.conf</filename>
-    </para>
-    <para><filename>${HOME}/.digrc</filename>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>RFC1035</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>BUGS</title>
-    <para>
-      There are probably too many query options.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dig/dig.html b/contrib/bind9/bin/dig/dig.html
deleted file mode 100644
index 768582e..0000000
--- a/contrib/bind9/bin/dig/dig.html
+++ /dev/null
@@ -1,673 +0,0 @@
-<!--
- - Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.dig"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>dig &#8212; DNS lookup utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [<code class="option">-h</code>]</p></div>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543530"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dig</strong></span>
-      (domain information groper) is a flexible tool
-      for interrogating DNS name servers.  It performs DNS lookups and
-      displays the answers that are returned from the name server(s) that
-      were queried.  Most DNS administrators use <span><strong class="command">dig</strong></span> to
-      troubleshoot DNS problems because of its flexibility, ease of use and
-      clarity of output.  Other lookup tools tend to have less functionality
-      than <span><strong class="command">dig</strong></span>.
-    </p>
-<p>
-      Although <span><strong class="command">dig</strong></span> is normally used with
-      command-line
-      arguments, it also has a batch mode of operation for reading lookup
-      requests from a file.  A brief summary of its command-line arguments
-      and options is printed when the <code class="option">-h</code> option is given.
-      Unlike earlier versions, the BIND 9 implementation of
-      <span><strong class="command">dig</strong></span> allows multiple lookups to be issued
-      from the
-      command line.
-    </p>
-<p>
-      Unless it is told to query a specific name server,
-      <span><strong class="command">dig</strong></span> will try each of the servers listed in
-      <code class="filename">/etc/resolv.conf</code>. If no usable server addreses
-      are found, <span><strong class="command">dig</strong></span> will send the query to the local
-      host.
-    </p>
-<p>
-      When no command line arguments or options are given,
-      <span><strong class="command">dig</strong></span> will perform an NS query for "." (the root).
-    </p>
-<p>
-      It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
-      <code class="filename">${HOME}/.digrc</code>.  This file is read and
-      any options in it
-      are applied before the command line arguments.
-    </p>
-<p>
-      The IN and CH class names overlap with the IN and CH top level
-      domains names.  Either use the <code class="option">-t</code> and
-      <code class="option">-c</code> options to specify the type and class, 
-      use the <code class="option">-q</code> the specify the domain name, or
-      use "IN." and "CH." when looking up these top level domains.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543609"></a><h2>SIMPLE USAGE</h2>
-<p>
-      A typical invocation of <span><strong class="command">dig</strong></span> looks like:
-      </p>
-<pre class="programlisting"> dig @server name type </pre>
-<p>
-      where:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">server</code></span></dt>
-<dd>
-<p>
-              is the name or IP address of the name server to query.  This
-              can be an IPv4 address in dotted-decimal notation or an IPv6
-              address in colon-delimited notation.  When the supplied
-              <em class="parameter"><code>server</code></em> argument is a hostname,
-              <span><strong class="command">dig</strong></span> resolves that name before querying
-              that name server.
-            </p>
-<p>
-              If no <em class="parameter"><code>server</code></em> argument is
-              provided, <span><strong class="command">dig</strong></span> consults
-              <code class="filename">/etc/resolv.conf</code>; if an
-              address is found there, it queries the name server at
-              that address. If either of the <code class="option">-4</code> or
-              <code class="option">-6</code> options are in use, then
-              only addresses for the corresponding transport
-              will be tried.  If no usable addresses are found,
-              <span><strong class="command">dig</strong></span> will send the query to the
-              local host.  The reply from the name server that
-              responds is displayed.
-            </p>
-</dd>
-<dt><span class="term"><code class="constant">name</code></span></dt>
-<dd><p>
-              is the name of the resource record that is to be looked up.
-            </p></dd>
-<dt><span class="term"><code class="constant">type</code></span></dt>
-<dd><p>
-              indicates what type of query is required &#8212;
-              ANY, A, MX, SIG, etc.
-              <em class="parameter"><code>type</code></em> can be any valid query
-              type.  If no
-              <em class="parameter"><code>type</code></em> argument is supplied,
-              <span><strong class="command">dig</strong></span> will perform a lookup for an
-              A record.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543713"></a><h2>OPTIONS</h2>
-<p>
-      The <code class="option">-b</code> option sets the source IP address of the query
-      to <em class="parameter"><code>address</code></em>.  This must be a valid
-      address on
-      one of the host's network interfaces or "0.0.0.0" or "::".  An optional
-      port
-      may be specified by appending "#&lt;port&gt;"
-    </p>
-<p>
-      The default query class (IN for internet) is overridden by the
-      <code class="option">-c</code> option.  <em class="parameter"><code>class</code></em> is
-      any valid
-      class, such as HS for Hesiod records or CH for Chaosnet records.
-    </p>
-<p>
-      The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
-      operate
-      in batch mode by reading a list of lookup requests to process from the
-      file <em class="parameter"><code>filename</code></em>.  The file contains a
-      number of
-      queries, one per line.  Each entry in the file should be organized in
-      the same way they would be presented as queries to
-      <span><strong class="command">dig</strong></span> using the command-line interface.
-    </p>
-<p>
-      The <code class="option">-m</code> option enables memory usage debugging.
-      
-    </p>
-<p>
-      If a non-standard port number is to be queried, the
-      <code class="option">-p</code> option is used.  <em class="parameter"><code>port#</code></em> is
-      the port number that <span><strong class="command">dig</strong></span> will send its
-      queries
-      instead of the standard DNS port number 53.  This option would be used
-      to test a name server that has been configured to listen for queries
-      on a non-standard port number.
-    </p>
-<p>
-      The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>
-      to only
-      use IPv4 query transport.  The <code class="option">-6</code> option forces
-      <span><strong class="command">dig</strong></span> to only use IPv6 query transport.
-    </p>
-<p>
-      The <code class="option">-t</code> option sets the query type to
-      <em class="parameter"><code>type</code></em>.  It can be any valid query type
-      which is
-      supported in BIND 9.  The default query type is "A", unless the
-      <code class="option">-x</code> option is supplied to indicate a reverse lookup.
-      A zone transfer can be requested by specifying a type of AXFR.  When
-      an incremental zone transfer (IXFR) is required,
-      <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
-      The incremental zone transfer will contain the changes made to the zone
-      since the serial number in the zone's SOA record was
-      <em class="parameter"><code>N</code></em>.
-    </p>
-<p>
-      The <code class="option">-q</code> option sets the query name to 
-      <em class="parameter"><code>name</code></em>.  This useful do distinguish the
-      <em class="parameter"><code>name</code></em> from other arguments.
-    </p>
-<p>
-      Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the
-      <code class="option">-x</code> option.  <em class="parameter"><code>addr</code></em> is
-      an IPv4
-      address in dotted-decimal notation, or a colon-delimited IPv6 address.
-      When this option is used, there is no need to provide the
-      <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
-      <em class="parameter"><code>type</code></em> arguments.  <span><strong class="command">dig</strong></span>
-      automatically performs a lookup for a name like
-      <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the
-      query type and
-      class to PTR and IN respectively.  By default, IPv6 addresses are
-      looked up using nibble format under the IP6.ARPA domain.
-      To use the older RFC1886 method using the IP6.INT domain
-      specify the <code class="option">-i</code> option.  Bit string labels (RFC2874)
-      are now experimental and are not attempted.
-    </p>
-<p>
-      To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and
-      their
-      responses using transaction signatures (TSIG), specify a TSIG key file
-      using the <code class="option">-k</code> option.  You can also specify the TSIG
-      key itself on the command line using the <code class="option">-y</code> option;
-      <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,
-      <em class="parameter"><code>name</code></em> is the name of the TSIG key and
-      <em class="parameter"><code>key</code></em> is the actual key.  The key is a
-      base-64
-      encoded string, typically generated by
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-
-      Caution should be taken when using the <code class="option">-y</code> option on
-      multi-user systems as the key can be visible in the output from
-      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
-      or in the shell's history file.  When
-      using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
-      server that is queried needs to know the key and algorithm that is
-      being used.  In BIND, this is done by providing appropriate
-      <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
-      <code class="filename">named.conf</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544061"></a><h2>QUERY OPTIONS</h2>
-<p><span><strong class="command">dig</strong></span>
-      provides a number of query options which affect
-      the way in which lookups are made and the results displayed.  Some of
-      these set or reset flag bits in the query header, some determine which
-      sections of the answer get printed, and others determine the timeout
-      and retry strategies.
-    </p>
-<p>
-      Each query option is identified by a keyword preceded by a plus sign
-      (<code class="literal">+</code>).  Some keywords set or reset an
-      option.  These may be preceded
-      by the string <code class="literal">no</code> to negate the meaning of
-      that keyword.  Other
-      keywords assign values to options like the timeout interval.  They
-      have the form <code class="option">+keyword=value</code>.
-      The query options are:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd><p>
-              Use [do not use] TCP when querying name servers.  The default
-              behavior is to use UDP unless an AXFR or IXFR query is
-              requested, in
-              which case a TCP connection is used.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd><p>
-              Use [do not use] TCP when querying name servers.  This alternate
-              syntax to <em class="parameter"><code>+[no]tcp</code></em> is
-              provided for backwards
-              compatibility.  The "vc" stands for "virtual circuit".
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
-<dd><p>
-              Ignore truncation in UDP responses instead of retrying with TCP.
-               By
-              default, TCP retries are performed.
-            </p></dd>
-<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
-<dd><p>
-              Set the search list to contain the single domain
-              <em class="parameter"><code>somename</code></em>, as if specified in
-              a
-              <span><strong class="command">domain</strong></span> directive in
-              <code class="filename">/etc/resolv.conf</code>, and enable
-              search list
-              processing as if the <em class="parameter"><code>+search</code></em>
-              option were given.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]search</code></span></dt>
-<dd><p>
-              Use [do not use] the search list defined by the searchlist or
-              domain
-              directive in <code class="filename">resolv.conf</code> (if
-              any).
-              The search list is not used by default.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
-<dd><p>
-              Perform [do not perform] a search showing intermediate
-	      results.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
-<dd><p>
-              Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd><p>
-              Sets the "aa" flag in the query.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
-<dd><p>
-              A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd><p>
-	      Set [do not set] the AD (authentic data) bit in the
-	      query.  This requests the server to return whether
-	      all of the answer and authority sections have all
-	      been validated as secure according to the security
-	      policy of the server.  AD=1 indicates that all records
-	      have been validated as secure and the answer is not
-	      from a OPT-OUT range.  AD=0 indicate that some part
-	      of the answer was insecure or not validated.  This
-	      bit is set by default.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd><p>
-              Set [do not set] the CD (checking disabled) bit in the query.
-              This
-              requests the server to not perform DNSSEC validation of
-              responses.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
-<dd><p>
-              Display [do not display] the CLASS when printing the record.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
-<dd><p>
-              Display [do not display] the TTL when printing the record.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd><p>
-	      Toggle the setting of the RD (recursion desired) bit
-	      in the query.  This bit is set by default, which means
-	      <span><strong class="command">dig</strong></span> normally sends recursive
-	      queries.  Recursion is automatically disabled when
-	      the <em class="parameter"><code>+nssearch</code></em> or
-	      <em class="parameter"><code>+trace</code></em> query options are used.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
-<dd><p>
-              When this option is set, <span><strong class="command">dig</strong></span>
-              attempts to find the
-              authoritative name servers for the zone containing the name
-              being
-              looked up and display the SOA record that each name server has
-              for the
-              zone.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
-<dd>
-<p>
-	      Toggle tracing of the delegation path from the root
-	      name servers for the name being looked up.  Tracing
-	      is disabled by default.  When tracing is enabled,
-	      <span><strong class="command">dig</strong></span> makes iterative queries to
-	      resolve the name being looked up.  It will follow
-	      referrals from the root servers, showing the answer
-	      from each server that was used to resolve the lookup.
-	    </p>
-<p>
-	      <span><strong class="command">+dnssec</strong></span> is also set when +trace is
-	      set to better emulate the default queries from a nameserver.
-	    </p>
-</dd>
-<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
-<dd><p>
-              Toggles the printing of the initial comment in the output
-              identifying
-              the version of <span><strong class="command">dig</strong></span> and the query
-              options that have
-              been applied.  This comment is printed by default.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd><p>
-              Provide a terse answer.  The default is to print the answer in a
-              verbose form.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
-<dd><p>
-              Show [or do not show] the IP address and port number that
-              supplied the
-              answer when the <em class="parameter"><code>+short</code></em> option
-              is enabled.  If
-              short form answers are requested, the default is not to show the
-              source address and port number of the server that provided the
-              answer.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd><p>
-              Toggle the display of comment lines in the output.  The default
-              is to print comments.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd><p>
-              Toggle the display of per-record comments in the output (for
-              example, human-readable key information about DNSKEY records).
-              The default is not to print record comments unless multiline
-              mode is active.
-            </p></dd>
-<dt><span class="term"><code class="option">+split=W</code></span></dt>
-<dd><p>
-              Split long hex- or base64-formatted fields in resource
-              records into chunks of <em class="parameter"><code>W</code></em> characters
-              (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
-              multiple of 4).
-              <em class="parameter"><code>+nosplit</code></em> or
-              <em class="parameter"><code>+split=0</code></em> causes fields not to be
-              split at all.  The default is 56 characters, or 44 characters
-              when multiline mode is active.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
-<dd><p>
-              This query option toggles the printing of statistics: when the
-              query
-              was made, the size of the reply and so on.  The default
-              behavior is
-              to print the query statistics.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
-<dd><p>
-              Print [do not print] the query as it is sent.
-              By default, the query is not printed.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd><p>
-              Print [do not print] the question section of a query when an
-              answer is
-              returned.  The default is to print the question section as a
-              comment.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd><p>
-              Display [do not display] the answer section of a reply.  The
-              default
-              is to display it.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd><p>
-              Display [do not display] the authority section of a reply.  The
-              default is to display it.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd><p>
-              Display [do not display] the additional section of a reply.
-              The default is to display it.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd><p>
-              Set or clear all display flags.
-            </p></dd>
-<dt><span class="term"><code class="option">+time=T</code></span></dt>
-<dd><p>
-
-              Sets the timeout for a query to
-              <em class="parameter"><code>T</code></em> seconds.  The default
-	      timeout is 5 seconds.
-              An attempt to set <em class="parameter"><code>T</code></em> to less
-              than 1 will result
-              in a query timeout of 1 second being applied.
-            </p></dd>
-<dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd><p>
-              Sets the number of times to try UDP queries to server to
-              <em class="parameter"><code>T</code></em> instead of the default, 3.
-              If
-              <em class="parameter"><code>T</code></em> is less than or equal to
-              zero, the number of
-              tries is silently rounded up to 1.
-            </p></dd>
-<dt><span class="term"><code class="option">+retry=T</code></span></dt>
-<dd><p>
-              Sets the number of times to retry UDP queries to server to
-              <em class="parameter"><code>T</code></em> instead of the default, 2.
-              Unlike
-              <em class="parameter"><code>+tries</code></em>, this does not include
-              the initial
-              query.
-            </p></dd>
-<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
-<dd><p>
-              Set the number of dots that have to appear in
-              <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
-              considered absolute.  The default value is that defined using
-              the
-              ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
-              ndots statement is present.  Names with fewer dots are
-              interpreted as
-              relative names and will be searched for in the domains listed in
-              the
-              <code class="option">search</code> or <code class="option">domain</code> directive in
-              <code class="filename">/etc/resolv.conf</code>.
-            </p></dd>
-<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd><p>
-              Set the UDP message buffer size advertised using EDNS0 to
-              <em class="parameter"><code>B</code></em> bytes.  The maximum and minimum sizes
-	      of this buffer are 65535 and 0 respectively.  Values outside
-	      this range are rounded up or down appropriately.  
-	      Values other than zero will cause a EDNS query to be sent.
-            </p></dd>
-<dt><span class="term"><code class="option">+edns=#</code></span></dt>
-<dd><p>
-	       Specify the EDNS version to query with.  Valid values
-	       are 0 to 255.  Setting the EDNS version will cause
-	       a EDNS query to be sent.  <code class="option">+noedns</code>
-	       clears the remembered EDNS version.  EDNS is set to
-	       0 by default.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd><p>
-              Print records like the SOA records in a verbose multi-line
-              format with human-readable comments.  The default is to print
-              each record on a single line, to facilitate machine parsing
-              of the <span><strong class="command">dig</strong></span> output.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
-<dd><p>
-	      Print only one (starting) SOA record when performing
-	      an AXFR. The default is to print both the starting and
-	      ending SOA records.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
-<dd><p>
-              Do not try the next server if you receive a SERVFAIL.  The
-              default is
-              to not try the next server which is the reverse of normal stub
-              resolver
-              behavior.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd><p>
-              Attempt to display the contents of messages which are malformed.
-              The default is to not display malformed answers.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd><p>
-              Requests DNSSEC records be sent by setting the DNSSEC OK bit
-              (DO)
-              in the OPT record in the additional section of the query.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
-<dd><p>
-              Chase DNSSEC signature chains.  Requires dig be compiled with
-              -DDIG_SIGCHASE.
-            </p></dd>
-<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
-<dd>
-<p>
-              Specifies a file containing trusted keys to be used with
-	      <code class="option">+sigchase</code>.  Each DNSKEY record must be
-	      on its own line.
-            </p>
-<p>
-	      If not specified, <span><strong class="command">dig</strong></span> will look for
-	      <code class="filename">/etc/trusted-key.key</code> then
-	      <code class="filename">trusted-key.key</code> in the current directory.
-	    </p>
-<p>
-              Requires dig be compiled with -DDIG_SIGCHASE.
-	    </p>
-</dd>
-<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
-<dd><p>
-              When chasing DNSSEC signature chains perform a top-down
-              validation.
-              Requires dig be compiled with -DDIG_SIGCHASE.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
-<dd><p>
-              Include an EDNS name server ID request when sending a query.
-            </p></dd>
-</dl></div>
-<p>
-
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545324"></a><h2>MULTIPLE QUERIES</h2>
-<p>
-      The BIND 9 implementation of <span><strong class="command">dig </strong></span>
-      supports
-      specifying multiple queries on the command line (in addition to
-      supporting the <code class="option">-f</code> batch file option).  Each of those
-      queries can be supplied with its own set of flags, options and query
-      options.
-    </p>
-<p>
-      In this case, each <em class="parameter"><code>query</code></em> argument
-      represent an
-      individual query in the command-line syntax described above.  Each
-      consists of any of the standard options and flags, the name to be
-      looked up, an optional query type and class and any query options that
-      should be applied to that query.
-    </p>
-<p>
-      A global set of query options, which should be applied to all queries,
-      can also be supplied.  These global query options must precede the
-      first tuple of name, class, type, options, flags, and query options
-      supplied on the command line.  Any global query options (except
-      the <code class="option">+[no]cmd</code> option) can be
-      overridden by a query-specific set of query options.  For example:
-      </p>
-<pre class="programlisting">
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-</pre>
-<p>
-      shows how <span><strong class="command">dig</strong></span> could be used from the
-      command line
-      to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
-      reverse lookup of 127.0.0.1 and a query for the NS records of
-      <code class="literal">isc.org</code>.
-
-      A global query option of <em class="parameter"><code>+qr</code></em> is
-      applied, so
-      that <span><strong class="command">dig</strong></span> shows the initial query it made
-      for each
-      lookup.  The final query has a local query option of
-      <em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
-      will not print the initial query when it looks up the NS records for
-      <code class="literal">isc.org</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545386"></a><h2>IDN SUPPORT</h2>
-<p>
-      If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <span><strong class="command">dig</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, defines
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when 
-      <span><strong class="command">dig</strong></span> runs.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545409"></a><h2>FILES</h2>
-<p><code class="filename">/etc/resolv.conf</code>
-    </p>
-<p><code class="filename">${HOME}/.digrc</code>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545426"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <em class="citetitle">RFC1035</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545531"></a><h2>BUGS</h2>
-<p>
-      There are probably too many query options.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dig/dighost.c b/contrib/bind9/bin/dig/dighost.c
deleted file mode 100644
index 3c4b335..0000000
--- a/contrib/bind9/bin/dig/dighost.c
+++ /dev/null
@@ -1,5789 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dighost.c,v 1.345 2011/12/07 17:23:28 each Exp $ */
-
-/*! \file
- *  \note
- * Notice to programmers:  Do not use this code as an example of how to
- * use the ISC library to perform DNS lookups.  Dig and Host both operate
- * on the request level, since they allow fine-tuning of output and are
- * intended as debugging tools.  As a result, they perform many of the
- * functions which could be better handled using the dns_resolver
- * functions in most applications.
- */
-
-#include <config.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <limits.h>
-
-#ifdef HAVE_LOCALE_H
-#include <locale.h>
-#endif
-
-#ifdef WITH_IDN
-#include <idn/result.h>
-#include <idn/log.h>
-#include <idn/resconf.h>
-#include <idn/api.h>
-#endif
-
-#include <dns/byaddr.h>
-#ifdef DIG_SIGCHASE
-#include <dns/dnssec.h>
-#include <dns/ds.h>
-#include <dns/nsec.h>
-#include <isc/random.h>
-#include <ctype.h>
-#endif
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-
-#include <dst/dst.h>
-#include <dst/result.h>
-
-#include <isc/app.h>
-#include <isc/base64.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/lang.h>
-#include <isc/log.h>
-#include <isc/netaddr.h>
-#ifdef DIG_SIGCHASE
-#include <isc/netdb.h>
-#endif
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/result.h>
-#include <isc/serial.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-
-#include <bind9/getaddresses.h>
-
-#include <dig/dig.h>
-
-#if ! defined(NS_INADDRSZ)
-#define NS_INADDRSZ	 4
-#endif
-
-#if ! defined(NS_IN6ADDRSZ)
-#define NS_IN6ADDRSZ	16
-#endif
-
-static lwres_context_t *lwctx = NULL;
-static lwres_conf_t *lwconf;
-
-dig_lookuplist_t lookup_list;
-dig_serverlist_t server_list;
-dig_searchlistlist_t search_list;
-
-isc_boolean_t
-	check_ra = ISC_FALSE,
-	have_ipv4 = ISC_FALSE,
-	have_ipv6 = ISC_FALSE,
-	specified_source = ISC_FALSE,
-	free_now = ISC_FALSE,
-	cancel_now = ISC_FALSE,
-	usesearch = ISC_FALSE,
-	showsearch = ISC_FALSE,
-	qr = ISC_FALSE,
-	is_dst_up = ISC_FALSE;
-in_port_t port = 53;
-unsigned int timeout = 0;
-unsigned int extrabytes;
-isc_mem_t *mctx = NULL;
-isc_log_t *lctx = NULL;
-isc_taskmgr_t *taskmgr = NULL;
-isc_task_t *global_task = NULL;
-isc_timermgr_t *timermgr = NULL;
-isc_socketmgr_t *socketmgr = NULL;
-isc_sockaddr_t bind_address;
-isc_sockaddr_t bind_any;
-int sendcount = 0;
-int recvcount = 0;
-int sockcount = 0;
-int ndots = -1;
-int tries = 3;
-int lookup_counter = 0;
-
-#ifdef WITH_IDN
-static void		initialize_idn(void);
-static isc_result_t	output_filter(isc_buffer_t *buffer,
-				      unsigned int used_org,
-				      isc_boolean_t absolute);
-static idn_result_t	append_textname(char *name, const char *origin,
-					size_t namesize);
-static void		idn_check_result(idn_result_t r, const char *msg);
-
-#define MAXDLEN		256
-int  idnoptions	= 0;
-#endif
-
-/*%
- * Exit Codes:
- *
- *\li	0   Everything went well, including things like NXDOMAIN
- *\li	1   Usage error
- *\li	7   Got too many RR's or Names
- *\li	8   Couldn't open batch file
- *\li	9   No reply from server
- *\li	10  Internal error
- */
-int exitcode = 0;
-int fatalexit = 0;
-char keynametext[MXNAME];
-char keyfile[MXNAME] = "";
-char keysecret[MXNAME] = "";
-dns_name_t *hmacname = NULL;
-unsigned int digestbits = 0;
-isc_buffer_t *namebuf = NULL;
-dns_tsigkey_t *key = NULL;
-isc_boolean_t validated = ISC_TRUE;
-isc_entropy_t *entp = NULL;
-isc_mempool_t *commctx = NULL;
-isc_boolean_t debugging = ISC_FALSE;
-isc_boolean_t memdebugging = ISC_FALSE;
-char *progname = NULL;
-isc_mutex_t lookup_lock;
-dig_lookup_t *current_lookup = NULL;
-
-#ifdef DIG_SIGCHASE
-
-isc_result_t	  get_trusted_key(isc_mem_t *mctx);
-dns_rdataset_t *  sigchase_scanname(dns_rdatatype_t type,
-				    dns_rdatatype_t covers,
-				    isc_boolean_t *lookedup,
-				    dns_name_t *rdata_name);
-dns_rdataset_t *  chase_scanname_section(dns_message_t *msg,
-					 dns_name_t *name,
-					 dns_rdatatype_t type,
-					 dns_rdatatype_t covers,
-					 int section);
-isc_result_t	  advanced_rrsearch(dns_rdataset_t **rdataset,
-				    dns_name_t *name,
-				    dns_rdatatype_t type,
-				    dns_rdatatype_t covers,
-				    isc_boolean_t *lookedup);
-isc_result_t	  sigchase_verify_sig_key(dns_name_t *name,
-					  dns_rdataset_t *rdataset,
-					  dst_key_t* dnsseckey,
-					  dns_rdataset_t *sigrdataset,
-					  isc_mem_t *mctx);
-isc_result_t	  sigchase_verify_sig(dns_name_t *name,
-				      dns_rdataset_t *rdataset,
-				      dns_rdataset_t *keyrdataset,
-				      dns_rdataset_t *sigrdataset,
-				      isc_mem_t *mctx);
-isc_result_t	  sigchase_verify_ds(dns_name_t *name,
-				     dns_rdataset_t *keyrdataset,
-				     dns_rdataset_t *dsrdataset,
-				     isc_mem_t *mctx);
-void		  sigchase(dns_message_t *msg);
-void		  print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx);
-void		  print_rdataset(dns_name_t *name,
-				 dns_rdataset_t *rdataset, isc_mem_t *mctx);
-void		  dup_name(dns_name_t *source, dns_name_t* target,
-			   isc_mem_t *mctx);
-void		  free_name(dns_name_t *name, isc_mem_t *mctx);
-void		  dump_database(void);
-void		  dump_database_section(dns_message_t *msg, int section);
-dns_rdataset_t *  search_type(dns_name_t *name, dns_rdatatype_t type,
-			      dns_rdatatype_t covers);
-isc_result_t	  contains_trusted_key(dns_name_t *name,
-				       dns_rdataset_t *rdataset,
-				       dns_rdataset_t *sigrdataset,
-				       isc_mem_t *mctx);
-void		  print_type(dns_rdatatype_t type);
-isc_result_t	  prove_nx_domain(dns_message_t * msg,
-				  dns_name_t * name,
-				  dns_name_t * rdata_name,
-				  dns_rdataset_t ** rdataset,
-				  dns_rdataset_t ** sigrdataset);
-isc_result_t	  prove_nx_type(dns_message_t * msg, dns_name_t *name,
-				dns_rdataset_t *nsec,
-				dns_rdataclass_t class,
-				dns_rdatatype_t type,
-				dns_name_t * rdata_name,
-				dns_rdataset_t ** rdataset,
-				dns_rdataset_t ** sigrdataset);
-isc_result_t	  prove_nx(dns_message_t * msg, dns_name_t * name,
-			   dns_rdataclass_t class,
-			   dns_rdatatype_t type,
-			   dns_name_t * rdata_name,
-			   dns_rdataset_t ** rdataset,
-			   dns_rdataset_t ** sigrdataset);
-static void	  nameFromString(const char *str, dns_name_t *p_ret);
-int		  inf_name(dns_name_t * name1, dns_name_t * name2);
-isc_result_t	  opentmpkey(isc_mem_t *mctx, const char *file,
-			     char **tempp, FILE **fp);
-isc_result_t	  removetmpkey(isc_mem_t *mctx, const char *file);
-void		  clean_trustedkey(void);
-void		  insert_trustedkey(dst_key_t **key);
-#if DIG_SIGCHASE_BU
-isc_result_t	  getneededrr(dns_message_t *msg);
-void		  sigchase_bottom_up(dns_message_t *msg);
-void		  sigchase_bu(dns_message_t *msg);
-#endif
-#if DIG_SIGCHASE_TD
-isc_result_t	  initialization(dns_name_t *name);
-isc_result_t	  prepare_lookup(dns_name_t *name);
-isc_result_t	  grandfather_pb_test(dns_name_t * zone_name,
-				      dns_rdataset_t *sigrdataset);
-isc_result_t	  child_of_zone(dns_name_t *name,
-				dns_name_t *zone_name,
-				dns_name_t *child_name);
-void		  sigchase_td(dns_message_t *msg);
-#endif
-char trustedkey[MXNAME] = "";
-
-dns_rdataset_t *chase_rdataset = NULL;
-dns_rdataset_t *chase_sigrdataset = NULL;
-dns_rdataset_t *chase_dsrdataset = NULL;
-dns_rdataset_t *chase_sigdsrdataset = NULL;
-dns_rdataset_t *chase_keyrdataset = NULL;
-dns_rdataset_t *chase_sigkeyrdataset = NULL;
-dns_rdataset_t *chase_nsrdataset = NULL;
-
-dns_name_t chase_name; /* the query name */
-#if DIG_SIGCHASE_TD
-/*
- * the current name is the parent name when we follow delegation
- */
-dns_name_t chase_current_name;
-/*
- * the child name is used for delegation (NS DS responses in AUTHORITY section)
- */
-dns_name_t chase_authority_name;
-#endif
-#if DIG_SIGCHASE_BU
-dns_name_t chase_signame;
-#endif
-
-
-isc_boolean_t chase_siglookedup = ISC_FALSE;
-isc_boolean_t chase_keylookedup = ISC_FALSE;
-isc_boolean_t chase_sigkeylookedup = ISC_FALSE;
-isc_boolean_t chase_dslookedup = ISC_FALSE;
-isc_boolean_t chase_sigdslookedup = ISC_FALSE;
-#if DIG_SIGCHASE_TD
-isc_boolean_t chase_nslookedup = ISC_FALSE;
-isc_boolean_t chase_lookedup = ISC_FALSE;
-
-
-isc_boolean_t delegation_follow = ISC_FALSE;
-isc_boolean_t grandfather_pb = ISC_FALSE;
-isc_boolean_t have_response = ISC_FALSE;
-isc_boolean_t have_delegation_ns = ISC_FALSE;
-dns_message_t * error_message = NULL;
-#endif
-
-isc_boolean_t dsvalidating = ISC_FALSE;
-isc_boolean_t chase_name_dup = ISC_FALSE;
-
-ISC_LIST(dig_message_t) chase_message_list;
-ISC_LIST(dig_message_t) chase_message_list2;
-
-
-#define MAX_TRUSTED_KEY 5
-typedef struct struct_trusted_key_list {
-	dst_key_t * key[MAX_TRUSTED_KEY];
-	int nb_tk;
-} struct_tk_list;
-
-struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
-
-#endif
-
-#define DIG_MAX_ADDRESSES 20
-
-/*%
- * Apply and clear locks at the event level in global task.
- * Can I get rid of these using shutdown events?  XXX
- */
-#define LOCK_LOOKUP {\
-	debug("lock_lookup %s:%d", __FILE__, __LINE__);\
-	check_result(isc_mutex_lock((&lookup_lock)), "isc_mutex_lock");\
-	debug("success");\
-}
-#define UNLOCK_LOOKUP {\
-	debug("unlock_lookup %s:%d", __FILE__, __LINE__);\
-	check_result(isc_mutex_unlock((&lookup_lock)),\
-		     "isc_mutex_unlock");\
-}
-
-static void
-cancel_lookup(dig_lookup_t *lookup);
-
-static void
-recv_done(isc_task_t *task, isc_event_t *event);
-
-static void
-send_udp(dig_query_t *query);
-
-static void
-connect_timeout(isc_task_t *task, isc_event_t *event);
-
-static void
-launch_next_query(dig_query_t *query, isc_boolean_t include_question);
-
-
-static void *
-mem_alloc(void *arg, size_t size) {
-	return (isc_mem_get(arg, size));
-}
-
-static void
-mem_free(void *arg, void *mem, size_t size) {
-	isc_mem_put(arg, mem, size);
-}
-
-char *
-next_token(char **stringp, const char *delim) {
-	char *res;
-
-	do {
-		res = strsep(stringp, delim);
-		if (res == NULL)
-			break;
-	} while (*res == '\0');
-	return (res);
-}
-
-static int
-count_dots(char *string) {
-	char *s;
-	int i = 0;
-
-	s = string;
-	while (*s != '\0') {
-		if (*s == '.')
-			i++;
-		s++;
-	}
-	return (i);
-}
-
-static void
-hex_dump(isc_buffer_t *b) {
-	unsigned int len, i;
-	isc_region_t r;
-
-	isc_buffer_usedregion(b, &r);
-
-	printf("%d bytes\n", r.length);
-	for (len = 0; len < r.length; len++) {
-		printf("%02x ", r.base[len]);
-		if (len % 16 == 15) {
-			fputs("         ", stdout);
-			for (i = len - 15; i <= len; i++) {
-				if (r.base[i] >= '!' && r.base[i] <= '}')
-					putchar(r.base[i]);
-				else
-					putchar('.');
-			}
-			printf("\n");
-		}
-	}
-	if (len % 16 != 0) {
-		for (i = len; (i % 16) != 0; i++)
-			fputs("   ", stdout);
-		fputs("         ", stdout);
-		for (i = ((len>>4)<<4); i < len; i++) {
-			if (r.base[i] >= '!' && r.base[i] <= '}')
-				putchar(r.base[i]);
-			else
-				putchar('.');
-		}
-		printf("\n");
-	}
-}
-
-/*%
- * Append 'len' bytes of 'text' at '*p', failing with
- * ISC_R_NOSPACE if that would advance p past 'end'.
- */
-static isc_result_t
-append(const char *text, int len, char **p, char *end) {
-	if (len > end - *p)
-		return (ISC_R_NOSPACE);
-	memcpy(*p, text, len);
-	*p += len;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-reverse_octets(const char *in, char **p, char *end) {
-	char *dot = strchr(in, '.');
-	int len;
-	if (dot != NULL) {
-		isc_result_t result;
-		result = reverse_octets(dot + 1, p, end);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = append(".", 1, p, end);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		len = dot - in;
-	} else {
-		len = strlen(in);
-	}
-	return (append(in, len, p, end));
-}
-
-isc_result_t
-get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
-	    isc_boolean_t strict)
-{
-	int r;
-	isc_result_t result;
-	isc_netaddr_t addr;
-
-	addr.family = AF_INET6;
-	r = inet_pton(AF_INET6, value, &addr.type.in6);
-	if (r > 0) {
-		/* This is a valid IPv6 address. */
-		dns_fixedname_t fname;
-		dns_name_t *name;
-		unsigned int options = 0;
-
-		if (ip6_int)
-			options |= DNS_BYADDROPT_IPV6INT;
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		result = dns_byaddr_createptrname2(&addr, options, name);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		dns_name_format(name, reverse, len);
-		return (ISC_R_SUCCESS);
-	} else {
-		/*
-		 * Not a valid IPv6 address.  Assume IPv4.
-		 * If 'strict' is not set, construct the
-		 * in-addr.arpa name by blindly reversing
-		 * octets whether or not they look like integers,
-		 * so that this can be used for RFC2317 names
-		 * and such.
-		 */
-		char *p = reverse;
-		char *end = reverse + len;
-		if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1)
-			return (DNS_R_BADDOTTEDQUAD);
-		result = reverse_octets(value, &p, end);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		/* Append .in-addr.arpa. and a terminating NUL. */
-		result = append(".in-addr.arpa.", 15, &p, end);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		return (ISC_R_SUCCESS);
-	}
-}
-
-void
-fatal(const char *format, ...) {
-	va_list args;
-
-	fflush(stdout);
-	fprintf(stderr, "%s: ", progname);
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	if (exitcode < 10)
-		exitcode = 10;
-	if (fatalexit != 0)
-		exitcode = fatalexit;
-	exit(exitcode);
-}
-
-void
-debug(const char *format, ...) {
-	va_list args;
-
-	if (debugging) {
-		fflush(stdout);
-		va_start(args, format);
-		vfprintf(stderr, format, args);
-		va_end(args);
-		fprintf(stderr, "\n");
-	}
-}
-
-void
-check_result(isc_result_t result, const char *msg) {
-	if (result != ISC_R_SUCCESS) {
-		fatal("%s: %s", msg, isc_result_totext(result));
-	}
-}
-
-/*%
- * Create a server structure, which is part of the lookup structure.
- * This is little more than a linked list of servers to query in hopes
- * of finding the answer the user is looking for
- */
-dig_server_t *
-make_server(const char *servname, const char *userarg) {
-	dig_server_t *srv;
-
-	REQUIRE(servname != NULL);
-
-	debug("make_server(%s)", servname);
-	srv = isc_mem_allocate(mctx, sizeof(struct dig_server));
-	if (srv == NULL)
-		fatal("memory allocation failure in %s:%d",
-		      __FILE__, __LINE__);
-	strlcpy(srv->servername, servname, MXNAME);
-	strlcpy(srv->userarg, userarg, MXNAME);
-	ISC_LINK_INIT(srv, link);
-	return (srv);
-}
-
-static int
-addr2af(int lwresaddrtype)
-{
-	int af = 0;
-
-	switch (lwresaddrtype) {
-	case LWRES_ADDRTYPE_V4:
-		af = AF_INET;
-		break;
-
-	case LWRES_ADDRTYPE_V6:
-		af = AF_INET6;
-		break;
-	}
-
-	return (af);
-}
-
-/*%
- * Create a copy of the server list from the lwres configuration structure.
- * The dest list must have already had ISC_LIST_INIT applied.
- */
-static void
-copy_server_list(lwres_conf_t *confdata, dig_serverlist_t *dest) {
-	dig_server_t *newsrv;
-	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
-	int af;
-	int i;
-
-	debug("copy_server_list()");
-	for (i = 0; i < confdata->nsnext; i++) {
-		af = addr2af(confdata->nameservers[i].family);
-
-		if (af == AF_INET && !have_ipv4)
-			continue;
-		if (af == AF_INET6 && !have_ipv6)
-			continue;
-
-		lwres_net_ntop(af, confdata->nameservers[i].address,
-				   tmp, sizeof(tmp));
-		newsrv = make_server(tmp, tmp);
-		ISC_LINK_INIT(newsrv, link);
-		ISC_LIST_ENQUEUE(*dest, newsrv, link);
-	}
-}
-
-void
-flush_server_list(void) {
-	dig_server_t *s, *ps;
-
-	debug("flush_server_list()");
-	s = ISC_LIST_HEAD(server_list);
-	while (s != NULL) {
-		ps = s;
-		s = ISC_LIST_NEXT(s, link);
-		ISC_LIST_DEQUEUE(server_list, ps, link);
-		isc_mem_free(mctx, ps);
-	}
-}
-
-void
-set_nameserver(char *opt) {
-	isc_result_t result;
-	isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
-	isc_netaddr_t netaddr;
-	int count, i;
-	dig_server_t *srv;
-	char tmp[ISC_NETADDR_FORMATSIZE];
-
-	if (opt == NULL)
-		return;
-
-	result = bind9_getaddresses(opt, 0, sockaddrs,
-				    DIG_MAX_ADDRESSES, &count);
-	if (result != ISC_R_SUCCESS)
-		fatal("couldn't get address for '%s': %s",
-		      opt, isc_result_totext(result));
-
-	flush_server_list();
-
-	for (i = 0; i < count; i++) {
-		isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
-		isc_netaddr_format(&netaddr, tmp, sizeof(tmp));
-		srv = make_server(tmp, opt);
-		if (srv == NULL)
-			fatal("memory allocation failure");
-		ISC_LIST_APPEND(server_list, srv, link);
-	}
-}
-
-static isc_result_t
-add_nameserver(lwres_conf_t *confdata, const char *addr, int af) {
-
-	int i = confdata->nsnext;
-
-	if (confdata->nsnext >= LWRES_CONFMAXNAMESERVERS)
-		return (ISC_R_FAILURE);
-
-	switch (af) {
-	case AF_INET:
-		confdata->nameservers[i].family = LWRES_ADDRTYPE_V4;
-		confdata->nameservers[i].length = NS_INADDRSZ;
-		break;
-	case AF_INET6:
-		confdata->nameservers[i].family = LWRES_ADDRTYPE_V6;
-		confdata->nameservers[i].length = NS_IN6ADDRSZ;
-		break;
-	default:
-		return (ISC_R_FAILURE);
-	}
-
-	if (lwres_net_pton(af, addr, &confdata->nameservers[i].address) == 1) {
-		confdata->nsnext++;
-		return (ISC_R_SUCCESS);
-	}
-	return (ISC_R_FAILURE);
-}
-
-/*%
- * Produce a cloned server list.  The dest list must have already had
- * ISC_LIST_INIT applied.
- */
-void
-clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) {
-	dig_server_t *srv, *newsrv;
-
-	debug("clone_server_list()");
-	srv = ISC_LIST_HEAD(src);
-	while (srv != NULL) {
-		newsrv = make_server(srv->servername, srv->userarg);
-		ISC_LINK_INIT(newsrv, link);
-		ISC_LIST_ENQUEUE(*dest, newsrv, link);
-		srv = ISC_LIST_NEXT(srv, link);
-	}
-}
-
-/*%
- * Create an empty lookup structure, which holds all the information needed
- * to get an answer to a user's question.  This structure contains two
- * linked lists: the server list (servers to query) and the query list
- * (outstanding queries which have been made to the listed servers).
- */
-dig_lookup_t *
-make_empty_lookup(void) {
-	dig_lookup_t *looknew;
-
-	debug("make_empty_lookup()");
-
-	INSIST(!free_now);
-
-	looknew = isc_mem_allocate(mctx, sizeof(struct dig_lookup));
-	if (looknew == NULL)
-		fatal("memory allocation failure in %s:%d",
-		       __FILE__, __LINE__);
-	looknew->pending = ISC_TRUE;
-	looknew->textname[0] = 0;
-	looknew->cmdline[0] = 0;
-	looknew->rdtype = dns_rdatatype_a;
-	looknew->qrdtype = dns_rdatatype_a;
-	looknew->rdclass = dns_rdataclass_in;
-	looknew->rdtypeset = ISC_FALSE;
-	looknew->rdclassset = ISC_FALSE;
-	looknew->sendspace = NULL;
-	looknew->sendmsg = NULL;
-	looknew->name = NULL;
-	looknew->oname = NULL;
-	looknew->timer = NULL;
-	looknew->xfr_q = NULL;
-	looknew->current_query = NULL;
-	looknew->doing_xfr = ISC_FALSE;
-	looknew->ixfr_serial = 0;
-	looknew->trace = ISC_FALSE;
-	looknew->trace_root = ISC_FALSE;
-	looknew->identify = ISC_FALSE;
-	looknew->identify_previous_line = ISC_FALSE;
-	looknew->ignore = ISC_FALSE;
-	looknew->servfail_stops = ISC_TRUE;
-	looknew->besteffort = ISC_TRUE;
-	looknew->dnssec = ISC_FALSE;
-	looknew->nsid = ISC_FALSE;
-#ifdef DIG_SIGCHASE
-	looknew->sigchase = ISC_FALSE;
-#if DIG_SIGCHASE_TD
-	looknew->do_topdown = ISC_FALSE;
-	looknew->trace_root_sigchase = ISC_FALSE;
-	looknew->rdtype_sigchaseset = ISC_FALSE;
-	looknew->rdtype_sigchase = dns_rdatatype_any;
-	looknew->qrdtype_sigchase = dns_rdatatype_any;
-	looknew->rdclass_sigchase = dns_rdataclass_in;
-	looknew->rdclass_sigchaseset = ISC_FALSE;
-#endif
-#endif
-	looknew->udpsize = 0;
-	looknew->edns = -1;
-	looknew->recurse = ISC_TRUE;
-	looknew->aaonly = ISC_FALSE;
-	looknew->adflag = ISC_FALSE;
-	looknew->cdflag = ISC_FALSE;
-	looknew->ns_search_only = ISC_FALSE;
-	looknew->origin = NULL;
-	looknew->tsigctx = NULL;
-	looknew->querysig = NULL;
-	looknew->retries = tries;
-	looknew->nsfound = 0;
-	looknew->tcp_mode = ISC_FALSE;
-	looknew->ip6_int = ISC_FALSE;
-	looknew->comments = ISC_TRUE;
-	looknew->stats = ISC_TRUE;
-	looknew->section_question = ISC_TRUE;
-	looknew->section_answer = ISC_TRUE;
-	looknew->section_authority = ISC_TRUE;
-	looknew->section_additional = ISC_TRUE;
-	looknew->new_search = ISC_FALSE;
-	looknew->done_as_is = ISC_FALSE;
-	looknew->need_search = ISC_FALSE;
-	ISC_LINK_INIT(looknew, link);
-	ISC_LIST_INIT(looknew->q);
-	ISC_LIST_INIT(looknew->connecting);
-	ISC_LIST_INIT(looknew->my_server_list);
-	return (looknew);
-}
-
-/*%
- * Clone a lookup, perhaps copying the server list.  This does not clone
- * the query list, since it will be regenerated by the setup_lookup()
- * function, nor does it queue up the new lookup for processing.
- * Caution: If you don't clone the servers, you MUST clone the server
- * list separately from somewhere else, or construct it by hand.
- */
-dig_lookup_t *
-clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
-	dig_lookup_t *looknew;
-
-	debug("clone_lookup()");
-
-	INSIST(!free_now);
-
-	looknew = make_empty_lookup();
-	INSIST(looknew != NULL);
-	strlcpy(looknew->textname, lookold->textname, MXNAME);
-#if DIG_SIGCHASE_TD
-	strlcpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
-#endif
-	strlcpy(looknew->cmdline, lookold->cmdline, MXNAME);
-	looknew->textname[MXNAME-1] = 0;
-	looknew->rdtype = lookold->rdtype;
-	looknew->qrdtype = lookold->qrdtype;
-	looknew->rdclass = lookold->rdclass;
-	looknew->rdtypeset = lookold->rdtypeset;
-	looknew->rdclassset = lookold->rdclassset;
-	looknew->doing_xfr = lookold->doing_xfr;
-	looknew->ixfr_serial = lookold->ixfr_serial;
-	looknew->trace = lookold->trace;
-	looknew->trace_root = lookold->trace_root;
-	looknew->identify = lookold->identify;
-	looknew->identify_previous_line = lookold->identify_previous_line;
-	looknew->ignore = lookold->ignore;
-	looknew->servfail_stops = lookold->servfail_stops;
-	looknew->besteffort = lookold->besteffort;
-	looknew->dnssec = lookold->dnssec;
-	looknew->nsid = lookold->nsid;
-#ifdef DIG_SIGCHASE
-	looknew->sigchase = lookold->sigchase;
-#if DIG_SIGCHASE_TD
-	looknew->do_topdown = lookold->do_topdown;
-	looknew->trace_root_sigchase = lookold->trace_root_sigchase;
-	looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset;
-	looknew->rdtype_sigchase = lookold->rdtype_sigchase;
-	looknew->qrdtype_sigchase = lookold->qrdtype_sigchase;
-	looknew->rdclass_sigchase = lookold->rdclass_sigchase;
-	looknew->rdclass_sigchaseset = lookold->rdclass_sigchaseset;
-#endif
-#endif
-	looknew->udpsize = lookold->udpsize;
-	looknew->edns = lookold->edns;
-	looknew->recurse = lookold->recurse;
-	looknew->aaonly = lookold->aaonly;
-	looknew->adflag = lookold->adflag;
-	looknew->cdflag = lookold->cdflag;
-	looknew->ns_search_only = lookold->ns_search_only;
-	looknew->tcp_mode = lookold->tcp_mode;
-	looknew->comments = lookold->comments;
-	looknew->stats = lookold->stats;
-	looknew->section_question = lookold->section_question;
-	looknew->section_answer = lookold->section_answer;
-	looknew->section_authority = lookold->section_authority;
-	looknew->section_additional = lookold->section_additional;
-	looknew->retries = lookold->retries;
-	looknew->tsigctx = NULL;
-	looknew->need_search = lookold->need_search;
-	looknew->done_as_is = lookold->done_as_is;
-
-	if (servers)
-		clone_server_list(lookold->my_server_list,
-				  &looknew->my_server_list);
-	return (looknew);
-}
-
-/*%
- * Requeue a lookup for further processing, perhaps copying the server
- * list.  The new lookup structure is returned to the caller, and is
- * queued for processing.  If servers are not cloned in the requeue, they
- * must be added before allowing the current event to complete, since the
- * completion of the event may result in the next entry on the lookup
- * queue getting run.
- */
-dig_lookup_t *
-requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
-	dig_lookup_t *looknew;
-
-	debug("requeue_lookup()");
-
-	lookup_counter++;
-	if (lookup_counter > LOOKUP_LIMIT)
-		fatal("too many lookups");
-
-	looknew = clone_lookup(lookold, servers);
-	INSIST(looknew != NULL);
-
-	debug("before insertion, init@%p -> %p, new@%p -> %p",
-	      lookold, lookold->link.next, looknew, looknew->link.next);
-	ISC_LIST_PREPEND(lookup_list, looknew, link);
-	debug("after insertion, init -> %p, new = %p, new -> %p",
-	      lookold, looknew, looknew->link.next);
-	return (looknew);
-}
-
-
-static void
-setup_text_key(void) {
-	isc_result_t result;
-	dns_name_t keyname;
-	isc_buffer_t secretbuf;
-	int secretsize;
-	unsigned char *secretstore;
-
-	debug("setup_text_key()");
-	result = isc_buffer_allocate(mctx, &namebuf, MXNAME);
-	check_result(result, "isc_buffer_allocate");
-	dns_name_init(&keyname, NULL);
-	check_result(result, "dns_name_init");
-	isc_buffer_putstr(namebuf, keynametext);
-	secretsize = strlen(keysecret) * 3 / 4;
-	secretstore = isc_mem_allocate(mctx, secretsize);
-	if (secretstore == NULL)
-		fatal("memory allocation failure in %s:%d",
-		      __FILE__, __LINE__);
-	isc_buffer_init(&secretbuf, secretstore, secretsize);
-	result = isc_base64_decodestring(keysecret, &secretbuf);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	secretsize = isc_buffer_usedlength(&secretbuf);
-
-	if (hmacname == NULL) {
-		result = DST_R_UNSUPPORTEDALG;
-		goto failure;
-	}
-
-	result = dns_name_fromtext(&keyname, namebuf, dns_rootname, 0, namebuf);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	result = dns_tsigkey_create(&keyname, hmacname, secretstore,
-				    secretsize, ISC_FALSE, NULL, 0, 0, mctx,
-				    NULL, &key);
- failure:
-	if (result != ISC_R_SUCCESS)
-		printf(";; Couldn't create key %s: %s\n",
-		       keynametext, isc_result_totext(result));
-	else
-		dst_key_setbits(key->key, digestbits);
-
-	isc_mem_free(mctx, secretstore);
-	dns_name_invalidate(&keyname);
-	isc_buffer_free(&namebuf);
-}
-
-isc_result_t
-parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
-	   const char *desc) {
-	isc_uint32_t n;
-	isc_result_t result = isc_parse_uint32(&n, value, 10);
-	if (result == ISC_R_SUCCESS && n > max)
-		result = ISC_R_RANGE;
-	if (result != ISC_R_SUCCESS) {
-		printf("invalid %s '%s': %s\n", desc,
-		       value, isc_result_totext(result));
-		return (result);
-	}
-	*uip = n;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_uint32_t
-parse_bits(char *arg, const char *desc, isc_uint32_t max) {
-	isc_result_t result;
-	isc_uint32_t tmp;
-
-	result = parse_uint(&tmp, arg, max, desc);
-	if (result != ISC_R_SUCCESS)
-		fatal("couldn't parse digest bits");
-	tmp = (tmp + 7) & ~0x7U;
-	return (tmp);
-}
-
-
-/*
- * Parse HMAC algorithm specification
- */
-void
-parse_hmac(const char *hmac) {
-	char buf[20];
-	int len;
-
-	REQUIRE(hmac != NULL);
-
-	len = strlen(hmac);
-	if (len >= (int) sizeof(buf))
-		fatal("unknown key type '%.*s'", len, hmac);
-	strlcpy(buf, hmac, sizeof(buf));
-
-	digestbits = 0;
-
-	if (strcasecmp(buf, "hmac-md5") == 0) {
-		hmacname = DNS_TSIG_HMACMD5_NAME;
-	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
-		hmacname = DNS_TSIG_HMACMD5_NAME;
-		digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
-	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
-		hmacname = DNS_TSIG_HMACSHA1_NAME;
-		digestbits = 0;
-	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
-		hmacname = DNS_TSIG_HMACSHA1_NAME;
-		digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160);
-	} else if (strcasecmp(buf, "hmac-sha224") == 0) {
-		hmacname = DNS_TSIG_HMACSHA224_NAME;
-	} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
-		hmacname = DNS_TSIG_HMACSHA224_NAME;
-		digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224);
-	} else if (strcasecmp(buf, "hmac-sha256") == 0) {
-		hmacname = DNS_TSIG_HMACSHA256_NAME;
-	} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
-		hmacname = DNS_TSIG_HMACSHA256_NAME;
-		digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256);
-	} else if (strcasecmp(buf, "hmac-sha384") == 0) {
-		hmacname = DNS_TSIG_HMACSHA384_NAME;
-	} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
-		hmacname = DNS_TSIG_HMACSHA384_NAME;
-		digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384);
-	} else if (strcasecmp(buf, "hmac-sha512") == 0) {
-		hmacname = DNS_TSIG_HMACSHA512_NAME;
-	} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
-		hmacname = DNS_TSIG_HMACSHA512_NAME;
-		digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512);
-	} else {
-		fprintf(stderr, ";; Warning, ignoring "
-			"invalid TSIG algorithm %s\n", buf);
-	}
-}
-
-/*
- * Get a key from a named.conf format keyfile
- */
-static isc_result_t
-read_confkey(void) {
-	isc_log_t *lctx = NULL;
-	cfg_parser_t *pctx = NULL;
-	cfg_obj_t *file = NULL;
-	const cfg_obj_t *key = NULL;
-	const cfg_obj_t *secretobj = NULL;
-	const cfg_obj_t *algorithmobj = NULL;
-	const char *keyname;
-	const char *secretstr;
-	const char *algorithm;
-	isc_result_t result;
-
-	if (! isc_file_exists(keyfile))
-		return (ISC_R_FILENOTFOUND);
-
-	result = cfg_parser_create(mctx, lctx, &pctx);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey,
-				&file);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = cfg_map_get(file, "key", &key);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	(void) cfg_map_get(key, "secret", &secretobj);
-	(void) cfg_map_get(key, "algorithm", &algorithmobj);
-	if (secretobj == NULL || algorithmobj == NULL)
-		fatal("key must have algorithm and secret");
-
-	keyname = cfg_obj_asstring(cfg_map_getname(key));
-	secretstr = cfg_obj_asstring(secretobj);
-	algorithm = cfg_obj_asstring(algorithmobj);
-
-	strlcpy(keynametext, keyname, sizeof(keynametext));
-	strlcpy(keysecret, secretstr, sizeof(keysecret));
-	parse_hmac(algorithm);
-	setup_text_key();
-
- cleanup:
-	if (pctx != NULL) {
-		if (file != NULL)
-			cfg_obj_destroy(pctx, &file);
-		cfg_parser_destroy(&pctx);
-	}
-
-	return (result);
-}
-
-static void
-setup_file_key(void) {
-	isc_result_t result;
-	dst_key_t *dstkey = NULL;
-
-	debug("setup_file_key()");
-
-	/* Try reading the key from a K* pair */
-	result = dst_key_fromnamedfile(keyfile, NULL,
-				       DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
-				       &dstkey);
-
-	/* If that didn't work, try reading it as a session.key keyfile */
-	if (result != ISC_R_SUCCESS) {
-		result = read_confkey();
-		if (result == ISC_R_SUCCESS)
-			return;
-	}
-
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "Couldn't read key from %s: %s\n",
-			keyfile, isc_result_totext(result));
-		goto failure;
-	}
-
-	switch (dst_key_alg(dstkey)) {
-	case DST_ALG_HMACMD5:
-		hmacname = DNS_TSIG_HMACMD5_NAME;
-		break;
-	case DST_ALG_HMACSHA1:
-		hmacname = DNS_TSIG_HMACSHA1_NAME;
-		break;
-	case DST_ALG_HMACSHA224:
-		hmacname = DNS_TSIG_HMACSHA224_NAME;
-		break;
-	case DST_ALG_HMACSHA256:
-		hmacname = DNS_TSIG_HMACSHA256_NAME;
-		break;
-	case DST_ALG_HMACSHA384:
-		hmacname = DNS_TSIG_HMACSHA384_NAME;
-		break;
-	case DST_ALG_HMACSHA512:
-		hmacname = DNS_TSIG_HMACSHA512_NAME;
-		break;
-	default:
-		printf(";; Couldn't create key %s: bad algorithm\n",
-		       keynametext);
-		goto failure;
-	}
-	result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
-					   dstkey, ISC_FALSE, NULL, 0, 0,
-					   mctx, NULL, &key);
-	if (result != ISC_R_SUCCESS) {
-		printf(";; Couldn't create key %s: %s\n",
-		       keynametext, isc_result_totext(result));
-		goto failure;
-	}
- failure:
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-}
-
-static dig_searchlist_t *
-make_searchlist_entry(char *domain) {
-	dig_searchlist_t *search;
-	search = isc_mem_allocate(mctx, sizeof(*search));
-	if (search == NULL)
-		fatal("memory allocation failure in %s:%d",
-		      __FILE__, __LINE__);
-	strlcpy(search->origin, domain, MXNAME);
-	search->origin[MXNAME-1] = 0;
-	ISC_LINK_INIT(search, link);
-	return (search);
-}
-
-static void
-clear_searchlist(void) {
-	dig_searchlist_t *search;
-	while ((search = ISC_LIST_HEAD(search_list)) != NULL) {
-		ISC_LIST_UNLINK(search_list, search, link);
-		isc_mem_free(mctx, search);
-	}
-}
-
-static void
-create_search_list(lwres_conf_t *confdata) {
-	int i;
-	dig_searchlist_t *search;
-
-	debug("create_search_list()");
-	clear_searchlist();
-
-	for (i = 0; i < confdata->searchnxt; i++) {
-		search = make_searchlist_entry(confdata->search[i]);
-		ISC_LIST_APPEND(search_list, search, link);
-	}
-}
-
-/*%
- * Setup the system as a whole, reading key information and resolv.conf
- * settings.
- */
-void
-setup_system(void) {
-	dig_searchlist_t *domain = NULL;
-	lwres_result_t lwresult;
-	unsigned int lwresflags;
-
-	debug("setup_system()");
-
-	lwresflags = LWRES_CONTEXT_SERVERMODE;
-	if (have_ipv4)
-		lwresflags |= LWRES_CONTEXT_USEIPV4;
-	if (have_ipv6)
-		lwresflags |= LWRES_CONTEXT_USEIPV6;
-
-	lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free,
-					lwresflags);
-	if (lwresult != LWRES_R_SUCCESS)
-		fatal("lwres_context_create failed");
-
-	lwresult = lwres_conf_parse(lwctx, RESOLV_CONF);
-	if (lwresult != LWRES_R_SUCCESS && lwresult != LWRES_R_NOTFOUND)
-		fatal("parse of %s failed", RESOLV_CONF);
-
-	lwconf = lwres_conf_get(lwctx);
-
-	/* Make the search list */
-	if (lwconf->searchnxt > 0)
-		create_search_list(lwconf);
-	else { /* No search list. Use the domain name if any */
-		if (lwconf->domainname != NULL) {
-			domain = make_searchlist_entry(lwconf->domainname);
-			ISC_LIST_APPEND(search_list, domain, link);
-			domain  = NULL;
-		}
-	}
-
-	if (ndots == -1) {
-		ndots = lwconf->ndots;
-		debug("ndots is %d.", ndots);
-	}
-
-	/* If user doesn't specify server use nameservers from resolv.conf. */
-	if (ISC_LIST_EMPTY(server_list))
-		copy_server_list(lwconf, &server_list);
-
-	/* If we don't find a nameserver fall back to localhost */
-	if (ISC_LIST_EMPTY(server_list)) {
-		if (have_ipv4) {
-			lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET);
-			if (lwresult != ISC_R_SUCCESS)
-				fatal("add_nameserver failed");
-		}
-		if (have_ipv6) {
-			lwresult = add_nameserver(lwconf, "::1", AF_INET6);
-			if (lwresult != ISC_R_SUCCESS)
-				fatal("add_nameserver failed");
-		}
-
-		copy_server_list(lwconf, &server_list);
-	}
-
-#ifdef WITH_IDN
-	initialize_idn();
-#endif
-
-	if (keyfile[0] != 0)
-		setup_file_key();
-	else if (keysecret[0] != 0)
-		setup_text_key();
-#ifdef DIG_SIGCHASE
-	/* Setup the list of messages for +sigchase */
-	ISC_LIST_INIT(chase_message_list);
-	ISC_LIST_INIT(chase_message_list2);
-	dns_name_init(&chase_name, NULL);
-#if DIG_SIGCHASE_TD
-	dns_name_init(&chase_current_name, NULL);
-	dns_name_init(&chase_authority_name, NULL);
-#endif
-#if DIG_SIGCHASE_BU
-	dns_name_init(&chase_signame, NULL);
-#endif
-
-#endif
-
-}
-
-/*%
- * Override the search list derived from resolv.conf by 'domain'.
- */
-void
-set_search_domain(char *domain) {
-	dig_searchlist_t *search;
-
-	clear_searchlist();
-	search = make_searchlist_entry(domain);
-	ISC_LIST_APPEND(search_list, search, link);
-}
-
-/*%
- * Setup the ISC and DNS libraries for use by the system.
- */
-void
-setup_libs(void) {
-	isc_result_t result;
-	isc_logconfig_t *logconfig = NULL;
-
-	debug("setup_libs()");
-
-	result = isc_net_probeipv4();
-	if (result == ISC_R_SUCCESS)
-		have_ipv4 = ISC_TRUE;
-
-	result = isc_net_probeipv6();
-	if (result == ISC_R_SUCCESS)
-		have_ipv6 = ISC_TRUE;
-	if (!have_ipv6 && !have_ipv4)
-		fatal("can't find either v4 or v6 networking");
-
-	result = isc_mem_create(0, 0, &mctx);
-	check_result(result, "isc_mem_create");
-
-	result = isc_log_create(mctx, &lctx, &logconfig);
-	check_result(result, "isc_log_create");
-
-	isc_log_setcontext(lctx);
-	dns_log_init(lctx);
-	dns_log_setcontext(lctx);
-
-	result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
-	check_result(result, "isc_log_usechannel");
-
-	isc_log_setdebuglevel(lctx, 0);
-
-	result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
-	check_result(result, "isc_taskmgr_create");
-
-	result = isc_task_create(taskmgr, 0, &global_task);
-	check_result(result, "isc_task_create");
-
-	result = isc_timermgr_create(mctx, &timermgr);
-	check_result(result, "isc_timermgr_create");
-
-	result = isc_socketmgr_create(mctx, &socketmgr);
-	check_result(result, "isc_socketmgr_create");
-
-	result = isc_entropy_create(mctx, &entp);
-	check_result(result, "isc_entropy_create");
-
-	result = dst_lib_init(mctx, entp, 0);
-	check_result(result, "dst_lib_init");
-	is_dst_up = ISC_TRUE;
-
-	result = isc_mempool_create(mctx, COMMSIZE, &commctx);
-	check_result(result, "isc_mempool_create");
-	isc_mempool_setname(commctx, "COMMPOOL");
-	/*
-	 * 6 and 2 set as reasonable parameters for 3 or 4 nameserver
-	 * systems.
-	 */
-	isc_mempool_setfreemax(commctx, 6);
-	isc_mempool_setfillcount(commctx, 2);
-
-	result = isc_mutex_init(&lookup_lock);
-	check_result(result, "isc_mutex_init");
-
-	dns_result_register();
-}
-
-/*%
- * Add EDNS0 option record to a message.  Currently, the only supported
- * options are UDP buffer size, the DO bit, and NSID request.
- */
-static void
-add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
-	isc_boolean_t dnssec, isc_boolean_t nsid)
-{
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdatalist_t *rdatalist = NULL;
-	dns_rdata_t *rdata = NULL;
-	isc_result_t result;
-
-	debug("add_opt()");
-	result = dns_message_gettemprdataset(msg, &rdataset);
-	check_result(result, "dns_message_gettemprdataset");
-	dns_rdataset_init(rdataset);
-	result = dns_message_gettemprdatalist(msg, &rdatalist);
-	check_result(result, "dns_message_gettemprdatalist");
-	result = dns_message_gettemprdata(msg, &rdata);
-	check_result(result, "dns_message_gettemprdata");
-
-	debug("setting udp size of %d", udpsize);
-	rdatalist->type = dns_rdatatype_opt;
-	rdatalist->covers = 0;
-	rdatalist->rdclass = udpsize;
-	rdatalist->ttl = edns << 16;
-	if (dnssec)
-		rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
-	if (nsid) {
-		isc_buffer_t *b = NULL;
-
-		result = isc_buffer_allocate(mctx, &b, 4);
-		check_result(result, "isc_buffer_allocate");
-		isc_buffer_putuint16(b, DNS_OPT_NSID);
-		isc_buffer_putuint16(b, 0);
-		rdata->data = isc_buffer_base(b);
-		rdata->length = isc_buffer_usedlength(b);
-		dns_message_takebuffer(msg, &b);
-	} else {
-		rdata->data = NULL;
-		rdata->length = 0;
-	}
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
-	result = dns_message_setopt(msg, rdataset);
-	check_result(result, "dns_message_setopt");
-}
-
-/*%
- * Add a question section to a message, asking for the specified name,
- * type, and class.
- */
-static void
-add_question(dns_message_t *message, dns_name_t *name,
-	     dns_rdataclass_t rdclass, dns_rdatatype_t rdtype)
-{
-	dns_rdataset_t *rdataset;
-	isc_result_t result;
-
-	debug("add_question()");
-	rdataset = NULL;
-	result = dns_message_gettemprdataset(message, &rdataset);
-	check_result(result, "dns_message_gettemprdataset()");
-	dns_rdataset_init(rdataset);
-	dns_rdataset_makequestion(rdataset, rdclass, rdtype);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-}
-
-/*%
- * Check if we're done with all the queued lookups, which is true iff
- * all sockets, sends, and recvs are accounted for (counters == 0),
- * and the lookup list is empty.
- * If we are done, pass control back out to dighost_shutdown() (which is
- * part of dig.c, host.c, or nslookup.c) to either shutdown the system as
- * a whole or reseed the lookup list.
- */
-static void
-check_if_done(void) {
-	debug("check_if_done()");
-	debug("list %s", ISC_LIST_EMPTY(lookup_list) ? "empty" : "full");
-	if (ISC_LIST_EMPTY(lookup_list) && current_lookup == NULL &&
-	    sendcount == 0) {
-		INSIST(sockcount == 0);
-		INSIST(recvcount == 0);
-		debug("shutting down");
-		dighost_shutdown();
-	}
-}
-
-/*%
- * Clear out a query when we're done with it.  WARNING: This routine
- * WILL invalidate the query pointer.
- */
-static void
-clear_query(dig_query_t *query) {
-	dig_lookup_t *lookup;
-
-	REQUIRE(query != NULL);
-
-	debug("clear_query(%p)", query);
-
-	lookup = query->lookup;
-
-	if (lookup->current_query == query)
-		lookup->current_query = NULL;
-
-	if (ISC_LINK_LINKED(query, link))
-		ISC_LIST_UNLINK(lookup->q, query, link);
-	if (ISC_LINK_LINKED(query, clink))
-		ISC_LIST_UNLINK(lookup->connecting, query, clink);
-	if (ISC_LINK_LINKED(&query->recvbuf, link))
-		ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
-				 link);
-	if (ISC_LINK_LINKED(&query->lengthbuf, link))
-		ISC_LIST_DEQUEUE(query->lengthlist, &query->lengthbuf,
-				 link);
-	INSIST(query->recvspace != NULL);
-
-	if (query->sock != NULL) {
-		isc_socket_detach(&query->sock);
-		sockcount--;
-		debug("sockcount=%d", sockcount);
-	}
-	isc_mempool_put(commctx, query->recvspace);
-	isc_buffer_invalidate(&query->recvbuf);
-	isc_buffer_invalidate(&query->lengthbuf);
-	if (query->waiting_senddone)
-		query->pending_free = ISC_TRUE;
-	else
-		isc_mem_free(mctx, query);
-}
-
-/*%
- * Try and clear out a lookup if we're done with it.  Return ISC_TRUE if
- * the lookup was successfully cleared.  If ISC_TRUE is returned, the
- * lookup pointer has been invalidated.
- */
-static isc_boolean_t
-try_clear_lookup(dig_lookup_t *lookup) {
-	dig_query_t *q;
-
-	REQUIRE(lookup != NULL);
-
-	debug("try_clear_lookup(%p)", lookup);
-
-	if (ISC_LIST_HEAD(lookup->q) != NULL ||
-	    ISC_LIST_HEAD(lookup->connecting) != NULL)
-	{
-		if (debugging) {
-			q = ISC_LIST_HEAD(lookup->q);
-			while (q != NULL) {
-				debug("query to %s still pending", q->servname);
-				q = ISC_LIST_NEXT(q, link);
-			}
-
-			q = ISC_LIST_HEAD(lookup->connecting);
-			while (q != NULL) {
-				debug("query to %s still connecting",
-				      q->servname);
-				q = ISC_LIST_NEXT(q, clink);
-			}
-		}
-		return (ISC_FALSE);
-	}
-
-	/*
-	 * At this point, we know there are no queries on the lookup,
-	 * so can make it go away also.
-	 */
-	destroy_lookup(lookup);
-	return (ISC_TRUE);
-}
-
-void
-destroy_lookup(dig_lookup_t *lookup) {
-	dig_server_t *s;
-	void *ptr;
-
-	debug("destroy");
-	s = ISC_LIST_HEAD(lookup->my_server_list);
-	while (s != NULL) {
-		debug("freeing server %p belonging to %p", s, lookup);
-		ptr = s;
-		s = ISC_LIST_NEXT(s, link);
-		ISC_LIST_DEQUEUE(lookup->my_server_list,
-				 (dig_server_t *)ptr, link);
-		isc_mem_free(mctx, ptr);
-	}
-	if (lookup->sendmsg != NULL)
-		dns_message_destroy(&lookup->sendmsg);
-	if (lookup->querysig != NULL) {
-		debug("freeing buffer %p", lookup->querysig);
-		isc_buffer_free(&lookup->querysig);
-	}
-	if (lookup->timer != NULL)
-		isc_timer_detach(&lookup->timer);
-	if (lookup->sendspace != NULL)
-		isc_mempool_put(commctx, lookup->sendspace);
-
-	if (lookup->tsigctx != NULL)
-		dst_context_destroy(&lookup->tsigctx);
-
-	isc_mem_free(mctx, lookup);
-}
-
-/*%
- * If we can, start the next lookup in the queue running.
- * This assumes that the lookup on the head of the queue hasn't been
- * started yet.  It also removes the lookup from the head of the queue,
- * setting the current_lookup pointer pointing to it.
- */
-void
-start_lookup(void) {
-	debug("start_lookup()");
-	if (cancel_now)
-		return;
-
-	/*
-	 * If there's a current lookup running, we really shouldn't get
-	 * here.
-	 */
-	INSIST(current_lookup == NULL);
-
-	current_lookup = ISC_LIST_HEAD(lookup_list);
-	/*
-	 * Put the current lookup somewhere so cancel_all can find it
-	 */
-	if (current_lookup != NULL) {
-		ISC_LIST_DEQUEUE(lookup_list, current_lookup, link);
-#if DIG_SIGCHASE_TD
-		if (current_lookup->do_topdown &&
-		    !current_lookup->rdtype_sigchaseset) {
-			dst_key_t *trustedkey = NULL;
-			isc_buffer_t *b = NULL;
-			isc_region_t r;
-			isc_result_t result;
-			dns_name_t query_name;
-			dns_name_t *key_name;
-			int i;
-
-			result = get_trusted_key(mctx);
-			if (result != ISC_R_SUCCESS) {
-				printf("\n;; No trusted key, "
-				       "+sigchase option is disabled\n");
-				current_lookup->sigchase = ISC_FALSE;
-				goto novalidation;
-			}
-			dns_name_init(&query_name, NULL);
-			nameFromString(current_lookup->textname, &query_name);
-
-			for (i = 0; i < tk_list.nb_tk; i++) {
-				key_name = dst_key_name(tk_list.key[i]);
-
-				if (dns_name_issubdomain(&query_name,
-							 key_name) == ISC_TRUE)
-					trustedkey = tk_list.key[i];
-				/*
-				 * Verify temp is really the lowest
-				 * WARNING
-				 */
-			}
-			if (trustedkey == NULL) {
-				printf("\n;; The queried zone: ");
-				dns_name_print(&query_name, stdout);
-				printf(" isn't a subdomain of any Trusted Keys"
-				       ": +sigchase option is disable\n");
-				current_lookup->sigchase = ISC_FALSE;
-				free_name(&query_name, mctx);
-				goto novalidation;
-			}
-			free_name(&query_name, mctx);
-
-			current_lookup->rdtype_sigchase
-				= current_lookup->rdtype;
-			current_lookup->rdtype_sigchaseset
-				= current_lookup->rdtypeset;
-			current_lookup->rdtype = dns_rdatatype_ns;
-
-			current_lookup->qrdtype_sigchase
-				= current_lookup->qrdtype;
-			current_lookup->qrdtype = dns_rdatatype_ns;
-
-			current_lookup->rdclass_sigchase
-				= current_lookup->rdclass;
-			current_lookup->rdclass_sigchaseset
-				= current_lookup->rdclassset;
-			current_lookup->rdclass = dns_rdataclass_in;
-
-			strlcpy(current_lookup->textnamesigchase,
-				current_lookup->textname, MXNAME);
-
-			current_lookup->trace_root_sigchase = ISC_TRUE;
-
-			result = isc_buffer_allocate(mctx, &b, BUFSIZE);
-			check_result(result, "isc_buffer_allocate");
-			result = dns_name_totext(dst_key_name(trustedkey),
-						 ISC_FALSE, b);
-			check_result(result, "dns_name_totext");
-			isc_buffer_usedregion(b, &r);
-			r.base[r.length] = '\0';
-			strlcpy(current_lookup->textname, (char*)r.base,
-				MXNAME);
-			isc_buffer_free(&b);
-
-			nameFromString(current_lookup->textnamesigchase,
-				       &chase_name);
-
-			dns_name_init(&chase_authority_name, NULL);
-		}
-	novalidation:
-#endif
-		setup_lookup(current_lookup);
-		do_lookup(current_lookup);
-	} else {
-		check_if_done();
-	}
-}
-
-/*%
- * If we can, clear the current lookup and start the next one running.
- * This calls try_clear_lookup, so may invalidate the lookup pointer.
- */
-static void
-check_next_lookup(dig_lookup_t *lookup) {
-
-	INSIST(!free_now);
-
-	debug("check_next_lookup(%p)", lookup);
-
-	if (ISC_LIST_HEAD(lookup->q) != NULL) {
-		debug("still have a worker");
-		return;
-	}
-	if (try_clear_lookup(lookup)) {
-		current_lookup = NULL;
-		start_lookup();
-	}
-}
-
-/*%
- * Create and queue a new lookup as a followup to the current lookup,
- * based on the supplied message and section.  This is used in trace and
- * name server search modes to start a new lookup using servers from
- * NS records in a reply. Returns the number of followup lookups made.
- */
-static int
-followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
-{
-	dig_lookup_t *lookup = NULL;
-	dig_server_t *srv = NULL;
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_name_t *name = NULL;
-	isc_result_t result;
-	isc_boolean_t success = ISC_FALSE;
-	int numLookups = 0;
-	int num;
-	isc_result_t lresult, addresses_result;
-	char bad_namestr[DNS_NAME_FORMATSIZE];
-	dns_name_t *domain;
-	isc_boolean_t horizontal = ISC_FALSE, bad = ISC_FALSE;
-
-	INSIST(!free_now);
-
-	debug("following up %s", query->lookup->textname);
-
-	addresses_result = ISC_R_SUCCESS;
-	bad_namestr[0] = '\0';
-	for (result = dns_message_firstname(msg, section);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(msg, section)) {
-		name = NULL;
-		dns_message_currentname(msg, section, &name);
-
-		if (section == DNS_SECTION_AUTHORITY) {
-			rdataset = NULL;
-			result = dns_message_findtype(name, dns_rdatatype_soa,
-						      0, &rdataset);
-			if (result == ISC_R_SUCCESS)
-				return (0);
-		}
-		rdataset = NULL;
-		result = dns_message_findtype(name, dns_rdatatype_ns, 0,
-					      &rdataset);
-		if (result != ISC_R_SUCCESS)
-			continue;
-
-		debug("found NS set");
-
-		if (query->lookup->trace && !query->lookup->trace_root) {
-			dns_namereln_t namereln;
-			unsigned int nlabels;
-			int order;
-
-			domain = dns_fixedname_name(&query->lookup->fdomain);
-			namereln = dns_name_fullcompare(name, domain,
-							&order, &nlabels);
-			if (namereln == dns_namereln_equal) {
-				if (!horizontal)
-					printf(";; BAD (HORIZONTAL) REFERRAL\n");
-				horizontal = ISC_TRUE;
-			} else if (namereln != dns_namereln_subdomain) {
-				if (!bad)
-					printf(";; BAD REFERRAL\n");
-				bad = ISC_TRUE;
-				continue;
-			}
-		}
-
-		for (result = dns_rdataset_first(rdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(rdataset)) {
-			char namestr[DNS_NAME_FORMATSIZE];
-			dns_rdata_ns_t ns;
-
-			if (query->lookup->trace_root &&
-			    query->lookup->nsfound >= MXSERV)
-				break;
-
-			dns_rdataset_current(rdataset, &rdata);
-
-			query->lookup->nsfound++;
-			result = dns_rdata_tostruct(&rdata, &ns, NULL);
-			check_result(result, "dns_rdata_tostruct");
-			dns_name_format(&ns.name, namestr, sizeof(namestr));
-			dns_rdata_freestruct(&ns);
-
-			/* Initialize lookup if we've not yet */
-			debug("found NS %s", namestr);
-			if (!success) {
-				success = ISC_TRUE;
-				lookup_counter++;
-				lookup = requeue_lookup(query->lookup,
-							ISC_FALSE);
-				cancel_lookup(query->lookup);
-				lookup->doing_xfr = ISC_FALSE;
-				if (!lookup->trace_root &&
-				    section == DNS_SECTION_ANSWER)
-					lookup->trace = ISC_FALSE;
-				else
-					lookup->trace = query->lookup->trace;
-				lookup->ns_search_only =
-					query->lookup->ns_search_only;
-				lookup->trace_root = ISC_FALSE;
-				if (lookup->ns_search_only)
-					lookup->recurse = ISC_FALSE;
-				dns_fixedname_init(&lookup->fdomain);
-				domain = dns_fixedname_name(&lookup->fdomain);
-				dns_name_copy(name, domain, NULL);
-			}
-			debug("adding server %s", namestr);
-			num = getaddresses(lookup, namestr, &lresult);
-			if (lresult != ISC_R_SUCCESS) {
-				debug("couldn't get address for '%s': %s",
-				      namestr, isc_result_totext(lresult));
-				if (addresses_result == ISC_R_SUCCESS) {
-					addresses_result = lresult;
-					strcpy(bad_namestr, namestr);
-				}
-			}
-			numLookups += num;
-			dns_rdata_reset(&rdata);
-		}
-	}
-	if (numLookups == 0 && addresses_result != ISC_R_SUCCESS) {
-		fatal("couldn't get address for '%s': %s",
-		      bad_namestr, isc_result_totext(result));
-	}
-
-	if (lookup == NULL &&
-	    section == DNS_SECTION_ANSWER &&
-	    (query->lookup->trace || query->lookup->ns_search_only))
-		return (followup_lookup(msg, query, DNS_SECTION_AUTHORITY));
-
-	/*
-	 * Randomize the order the nameserver will be tried.
-	 */
-	if (numLookups > 1) {
-		isc_uint32_t i, j;
-		dig_serverlist_t my_server_list;
-		dig_server_t *next;
-
-		ISC_LIST_INIT(my_server_list);
-
-		i = numLookups;
-		for (srv = ISC_LIST_HEAD(lookup->my_server_list);
-		     srv != NULL;
-		     srv = ISC_LIST_HEAD(lookup->my_server_list)) {
-			INSIST(i > 0);
-			isc_random_get(&j);
-			j %= i;
-			next = ISC_LIST_NEXT(srv, link);
-			while (j-- > 0 && next != NULL) {
-				srv = next;
-				next = ISC_LIST_NEXT(srv, link);
-			}
-			ISC_LIST_DEQUEUE(lookup->my_server_list, srv, link);
-			ISC_LIST_APPEND(my_server_list, srv, link);
-			i--;
-		}
-		ISC_LIST_APPENDLIST(lookup->my_server_list,
-				    my_server_list, link);
-	}
-
-	return (numLookups);
-}
-
-/*%
- * Create and queue a new lookup using the next origin from the search
- * list, read in setup_system().
- *
- * Return ISC_TRUE iff there was another searchlist entry.
- */
-static isc_boolean_t
-next_origin(dig_query_t *query) {
-	dig_lookup_t *lookup;
-	dig_searchlist_t *search;
-
-	INSIST(!free_now);
-
-	debug("next_origin()");
-	debug("following up %s", query->lookup->textname);
-
-	if (!usesearch)
-		/*
-		 * We're not using a search list, so don't even think
-		 * about finding the next entry.
-		 */
-		return (ISC_FALSE);
-	if (query->lookup->origin == NULL && !query->lookup->need_search)
-		/*
-		 * Then we just did rootorg; there's nothing left.
-		 */
-		return (ISC_FALSE);
-	if (query->lookup->origin == NULL && query->lookup->need_search) {
-		lookup = requeue_lookup(query->lookup, ISC_TRUE);
-		lookup->origin = ISC_LIST_HEAD(search_list);
-		lookup->need_search = ISC_FALSE;
-	} else {
-		search = ISC_LIST_NEXT(query->lookup->origin, link);
-		if (search == NULL && query->lookup->done_as_is)
-			return (ISC_FALSE);
-		lookup = requeue_lookup(query->lookup, ISC_TRUE);
-		lookup->origin = search;
-	}
-	cancel_lookup(query->lookup);
-	return (ISC_TRUE);
-}
-
-/*%
- * Insert an SOA record into the sendmessage in a lookup.  Used for
- * creating IXFR queries.
- */
-static void
-insert_soa(dig_lookup_t *lookup) {
-	isc_result_t result;
-	dns_rdata_soa_t soa;
-	dns_rdata_t *rdata = NULL;
-	dns_rdatalist_t *rdatalist = NULL;
-	dns_rdataset_t *rdataset = NULL;
-	dns_name_t *soaname = NULL;
-
-	debug("insert_soa()");
-	soa.mctx = mctx;
-	soa.serial = lookup->ixfr_serial;
-	soa.refresh = 0;
-	soa.retry = 0;
-	soa.expire = 0;
-	soa.minimum = 0;
-	soa.common.rdclass = lookup->rdclass;
-	soa.common.rdtype = dns_rdatatype_soa;
-
-	dns_name_init(&soa.origin, NULL);
-	dns_name_init(&soa.contact, NULL);
-
-	dns_name_clone(dns_rootname, &soa.origin);
-	dns_name_clone(dns_rootname, &soa.contact);
-
-	isc_buffer_init(&lookup->rdatabuf, lookup->rdatastore,
-			sizeof(lookup->rdatastore));
-
-	result = dns_message_gettemprdata(lookup->sendmsg, &rdata);
-	check_result(result, "dns_message_gettemprdata");
-
-	result = dns_rdata_fromstruct(rdata, lookup->rdclass,
-				      dns_rdatatype_soa, &soa,
-				      &lookup->rdatabuf);
-	check_result(result, "isc_rdata_fromstruct");
-
-	result = dns_message_gettemprdatalist(lookup->sendmsg, &rdatalist);
-	check_result(result, "dns_message_gettemprdatalist");
-
-	result = dns_message_gettemprdataset(lookup->sendmsg, &rdataset);
-	check_result(result, "dns_message_gettemprdataset");
-
-	dns_rdatalist_init(rdatalist);
-	rdatalist->type = dns_rdatatype_soa;
-	rdatalist->rdclass = lookup->rdclass;
-	rdatalist->covers = 0;
-	rdatalist->ttl = 0;
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-
-	dns_rdataset_init(rdataset);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
-
-	result = dns_message_gettempname(lookup->sendmsg, &soaname);
-	check_result(result, "dns_message_gettempname");
-	dns_name_init(soaname, NULL);
-	dns_name_clone(lookup->name, soaname);
-	ISC_LIST_INIT(soaname->list);
-	ISC_LIST_APPEND(soaname->list, rdataset, link);
-	dns_message_addname(lookup->sendmsg, soaname, DNS_SECTION_AUTHORITY);
-}
-
-/*%
- * Setup the supplied lookup structure, making it ready to start sending
- * queries to servers.  Create and initialize the message to be sent as
- * well as the query structures and buffer space for the replies.  If the
- * server list is empty, clone it from the system default list.
- */
-void
-setup_lookup(dig_lookup_t *lookup) {
-	isc_result_t result;
-	isc_uint32_t id;
-	int len;
-	dig_server_t *serv;
-	dig_query_t *query;
-	isc_buffer_t b;
-	dns_compress_t cctx;
-	char store[MXNAME];
-#ifdef WITH_IDN
-	idn_result_t mr;
-	char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
-#endif
-
-#ifdef WITH_IDN
-	result = dns_name_settotextfilter(output_filter);
-	check_result(result, "dns_name_settotextfilter");
-#endif
-
-	REQUIRE(lookup != NULL);
-	INSIST(!free_now);
-
-	debug("setup_lookup(%p)", lookup);
-
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
-				    &lookup->sendmsg);
-	check_result(result, "dns_message_create");
-
-	if (lookup->new_search) {
-		debug("resetting lookup counter.");
-		lookup_counter = 0;
-	}
-
-	if (ISC_LIST_EMPTY(lookup->my_server_list)) {
-		debug("cloning server list");
-		clone_server_list(server_list, &lookup->my_server_list);
-	}
-	result = dns_message_gettempname(lookup->sendmsg, &lookup->name);
-	check_result(result, "dns_message_gettempname");
-	dns_name_init(lookup->name, NULL);
-
-	isc_buffer_init(&lookup->namebuf, lookup->namespace,
-			sizeof(lookup->namespace));
-	isc_buffer_init(&lookup->onamebuf, lookup->onamespace,
-			sizeof(lookup->onamespace));
-
-#ifdef WITH_IDN
-	/*
-	 * We cannot convert `textname' and `origin' separately.
-	 * `textname' doesn't contain TLD, but local mapping needs
-	 * TLD.
-	 */
-	mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
-			    utf8_textname, sizeof(utf8_textname));
-	idn_check_result(mr, "convert textname to UTF-8");
-#endif
-
-	/*
-	 * If the name has too many dots, force the origin to be NULL
-	 * (which produces an absolute lookup).  Otherwise, take the origin
-	 * we have if there's one in the struct already.  If it's NULL,
-	 * take the first entry in the searchlist iff either usesearch
-	 * is TRUE or we got a domain line in the resolv.conf file.
-	 */
-	if (lookup->new_search) {
-#ifdef WITH_IDN
-		if ((count_dots(utf8_textname) >= ndots) || !usesearch) {
-			lookup->origin = NULL; /* Force abs lookup */
-			lookup->done_as_is = ISC_TRUE;
-			lookup->need_search = usesearch;
-		} else if (lookup->origin == NULL && usesearch) {
-			lookup->origin = ISC_LIST_HEAD(search_list);
-			lookup->need_search = ISC_FALSE;
-		}
-#else
-		if ((count_dots(lookup->textname) >= ndots) || !usesearch) {
-			lookup->origin = NULL; /* Force abs lookup */
-			lookup->done_as_is = ISC_TRUE;
-			lookup->need_search = usesearch;
-		} else if (lookup->origin == NULL && usesearch) {
-			lookup->origin = ISC_LIST_HEAD(search_list);
-			lookup->need_search = ISC_FALSE;
-		}
-#endif
-	}
-
-#ifdef WITH_IDN
-	if (lookup->origin != NULL) {
-		mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
-				    lookup->origin->origin, utf8_origin,
-				    sizeof(utf8_origin));
-		idn_check_result(mr, "convert origin to UTF-8");
-		mr = append_textname(utf8_textname, utf8_origin,
-				     sizeof(utf8_textname));
-		idn_check_result(mr, "append origin to textname");
-	}
-	mr = idn_encodename(idnoptions | IDN_LOCALMAP | IDN_NAMEPREP |
-			    IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
-			    idn_textname, sizeof(idn_textname));
-	idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
-#else
-	if (lookup->origin != NULL) {
-		debug("trying origin %s", lookup->origin->origin);
-		result = dns_message_gettempname(lookup->sendmsg,
-						 &lookup->oname);
-		check_result(result, "dns_message_gettempname");
-		dns_name_init(lookup->oname, NULL);
-		/* XXX Helper funct to conv char* to name? */
-		len = strlen(lookup->origin->origin);
-		isc_buffer_init(&b, lookup->origin->origin, len);
-		isc_buffer_add(&b, len);
-		result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
-					   0, &lookup->onamebuf);
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(lookup->sendmsg,
-						&lookup->name);
-			dns_message_puttempname(lookup->sendmsg,
-						&lookup->oname);
-			fatal("'%s' is not in legal name syntax (%s)",
-			      lookup->origin->origin,
-			      isc_result_totext(result));
-		}
-		if (lookup->trace && lookup->trace_root) {
-			dns_name_clone(dns_rootname, lookup->name);
-		} else {
-			len = strlen(lookup->textname);
-			isc_buffer_init(&b, lookup->textname, len);
-			isc_buffer_add(&b, len);
-			result = dns_name_fromtext(lookup->name, &b,
-						   lookup->oname, 0,
-						   &lookup->namebuf);
-		}
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(lookup->sendmsg,
-						&lookup->name);
-			dns_message_puttempname(lookup->sendmsg,
-						&lookup->oname);
-			fatal("'%s' is not in legal name syntax (%s)",
-			      lookup->textname, isc_result_totext(result));
-		}
-		dns_message_puttempname(lookup->sendmsg, &lookup->oname);
-	} else
-#endif
-	{
-		debug("using root origin");
-		if (lookup->trace && lookup->trace_root)
-			dns_name_clone(dns_rootname, lookup->name);
-		else {
-#ifdef WITH_IDN
-			len = strlen(idn_textname);
-			isc_buffer_init(&b, idn_textname, len);
-			isc_buffer_add(&b, len);
-			result = dns_name_fromtext(lookup->name, &b,
-						   dns_rootname, 0,
-						   &lookup->namebuf);
-#else
-			len = strlen(lookup->textname);
-			isc_buffer_init(&b, lookup->textname, len);
-			isc_buffer_add(&b, len);
-			result = dns_name_fromtext(lookup->name, &b,
-						   dns_rootname, 0,
-						   &lookup->namebuf);
-#endif
-		}
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(lookup->sendmsg,
-						&lookup->name);
-			isc_buffer_init(&b, store, MXNAME);
-			fatal("'%s' is not a legal name "
-			      "(%s)", lookup->textname,
-			      isc_result_totext(result));
-		}
-	}
-	dns_name_format(lookup->name, store, sizeof(store));
-	trying(store, lookup);
-	INSIST(dns_name_isabsolute(lookup->name));
-
-	isc_random_get(&id);
-	lookup->sendmsg->id = (unsigned short)id & 0xFFFF;
-	lookup->sendmsg->opcode = dns_opcode_query;
-	lookup->msgcounter = 0;
-	/*
-	 * If this is a trace request, completely disallow recursion, since
-	 * it's meaningless for traces.
-	 */
-	if (lookup->trace || (lookup->ns_search_only && !lookup->trace_root))
-		lookup->recurse = ISC_FALSE;
-
-	if (lookup->recurse &&
-	    lookup->rdtype != dns_rdatatype_axfr &&
-	    lookup->rdtype != dns_rdatatype_ixfr) {
-		debug("recursive query");
-		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_RD;
-	}
-
-	/* XXX aaflag */
-	if (lookup->aaonly) {
-		debug("AA query");
-		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AA;
-	}
-
-	if (lookup->adflag) {
-		debug("AD query");
-		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AD;
-	}
-
-	if (lookup->cdflag) {
-		debug("CD query");
-		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_CD;
-	}
-
-	dns_message_addname(lookup->sendmsg, lookup->name,
-			    DNS_SECTION_QUESTION);
-
-	if (lookup->trace && lookup->trace_root) {
-		lookup->qrdtype = lookup->rdtype;
-		lookup->rdtype = dns_rdatatype_ns;
-	}
-
-	if ((lookup->rdtype == dns_rdatatype_axfr) ||
-	    (lookup->rdtype == dns_rdatatype_ixfr)) {
-		/*
-		 * Force TCP mode if we're doing an axfr.
-		 */
-		if (lookup->rdtype == dns_rdatatype_axfr) {
-			lookup->doing_xfr = ISC_TRUE;
-			lookup->tcp_mode = ISC_TRUE;
-		} else if (lookup->tcp_mode) {
-			lookup->doing_xfr = ISC_TRUE;
-		}
-	}
-
-	add_question(lookup->sendmsg, lookup->name, lookup->rdclass,
-		     lookup->rdtype);
-
-	/* add_soa */
-	if (lookup->rdtype == dns_rdatatype_ixfr)
-		insert_soa(lookup);
-
-	/* XXX Insist this? */
-	lookup->tsigctx = NULL;
-	lookup->querysig = NULL;
-	if (key != NULL) {
-		debug("initializing keys");
-		result = dns_message_settsigkey(lookup->sendmsg, key);
-		check_result(result, "dns_message_settsigkey");
-	}
-
-	lookup->sendspace = isc_mempool_get(commctx);
-	if (lookup->sendspace == NULL)
-		fatal("memory allocation failure");
-
-	result = dns_compress_init(&cctx, -1, mctx);
-	check_result(result, "dns_compress_init");
-
-	debug("starting to render the message");
-	isc_buffer_init(&lookup->renderbuf, lookup->sendspace, COMMSIZE);
-	result = dns_message_renderbegin(lookup->sendmsg, &cctx,
-					 &lookup->renderbuf);
-	check_result(result, "dns_message_renderbegin");
-	if (lookup->udpsize > 0 || lookup->dnssec || lookup->edns > -1) {
-		if (lookup->udpsize == 0)
-			lookup->udpsize = 4096;
-		if (lookup->edns < 0)
-			lookup->edns = 0;
-		add_opt(lookup->sendmsg, lookup->udpsize,
-			lookup->edns, lookup->dnssec, lookup->nsid);
-	}
-
-	result = dns_message_rendersection(lookup->sendmsg,
-					   DNS_SECTION_QUESTION, 0);
-	check_result(result, "dns_message_rendersection");
-	result = dns_message_rendersection(lookup->sendmsg,
-					   DNS_SECTION_AUTHORITY, 0);
-	check_result(result, "dns_message_rendersection");
-	result = dns_message_renderend(lookup->sendmsg);
-	check_result(result, "dns_message_renderend");
-	debug("done rendering");
-
-	dns_compress_invalidate(&cctx);
-
-	/*
-	 * Force TCP mode if the request is larger than 512 bytes.
-	 */
-	if (isc_buffer_usedlength(&lookup->renderbuf) > 512)
-		lookup->tcp_mode = ISC_TRUE;
-
-	lookup->pending = ISC_FALSE;
-
-	for (serv = ISC_LIST_HEAD(lookup->my_server_list);
-	     serv != NULL;
-	     serv = ISC_LIST_NEXT(serv, link)) {
-		query = isc_mem_allocate(mctx, sizeof(dig_query_t));
-		if (query == NULL)
-			fatal("memory allocation failure in %s:%d",
-			      __FILE__, __LINE__);
-		debug("create query %p linked to lookup %p",
-		       query, lookup);
-		query->lookup = lookup;
-		query->waiting_connect = ISC_FALSE;
-		query->waiting_senddone = ISC_FALSE;
-		query->pending_free = ISC_FALSE;
-		query->recv_made = ISC_FALSE;
-		query->first_pass = ISC_TRUE;
-		query->first_soa_rcvd = ISC_FALSE;
-		query->second_rr_rcvd = ISC_FALSE;
-		query->first_repeat_rcvd = ISC_FALSE;
-		query->warn_id = ISC_TRUE;
-		query->first_rr_serial = 0;
-		query->second_rr_serial = 0;
-		query->servname = serv->servername;
-		query->userarg = serv->userarg;
-		query->rr_count = 0;
-		query->msg_count = 0;
-		query->byte_count = 0;
-		ISC_LIST_INIT(query->recvlist);
-		ISC_LIST_INIT(query->lengthlist);
-		query->sock = NULL;
-		query->recvspace = isc_mempool_get(commctx);
-		if (query->recvspace == NULL)
-			fatal("memory allocation failure");
-
-		isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
-		isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
-		isc_buffer_init(&query->slbuf, query->slspace, 2);
-		query->sendbuf = lookup->renderbuf;
-
-		ISC_LINK_INIT(query, clink);
-		ISC_LINK_INIT(query, link);
-		ISC_LIST_ENQUEUE(lookup->q, query, link);
-	}
-	/* XXX qrflag, print_query, etc... */
-	if (!ISC_LIST_EMPTY(lookup->q) && qr) {
-		extrabytes = 0;
-		printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
-			     ISC_TRUE);
-	}
-}
-
-/*%
- * Event handler for send completion.  Track send counter, and clear out
- * the query if the send was canceled.
- */
-static void
-send_done(isc_task_t *_task, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	isc_buffer_t *b = NULL;
-	dig_query_t *query, *next;
-	dig_lookup_t *l;
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-
-	UNUSED(_task);
-
-	LOCK_LOOKUP;
-
-	debug("send_done()");
-	sendcount--;
-	debug("sendcount=%d", sendcount);
-	INSIST(sendcount >= 0);
-
-	for  (b = ISC_LIST_HEAD(sevent->bufferlist);
-	      b != NULL;
-	      b = ISC_LIST_HEAD(sevent->bufferlist))
-		ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
-
-	query = event->ev_arg;
-	query->waiting_senddone = ISC_FALSE;
-	l = query->lookup;
-
-	if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
-		debug("sending next, since searching");
-		next = ISC_LIST_NEXT(query, link);
-		if (next != NULL)
-			send_udp(next);
-	}
-
-	isc_event_free(&event);
-
-	if (query->pending_free)
-		isc_mem_free(mctx, query);
-
-	check_if_done();
-	UNLOCK_LOOKUP;
-}
-
-/*%
- * Cancel a lookup, sending isc_socket_cancel() requests to all outstanding
- * IO sockets.  The cancel handlers should take care of cleaning up the
- * query and lookup structures
- */
-static void
-cancel_lookup(dig_lookup_t *lookup) {
-	dig_query_t *query, *next;
-
-	debug("cancel_lookup()");
-	query = ISC_LIST_HEAD(lookup->q);
-	while (query != NULL) {
-		next = ISC_LIST_NEXT(query, link);
-		if (query->sock != NULL) {
-			isc_socket_cancel(query->sock, global_task,
-					  ISC_SOCKCANCEL_ALL);
-			check_if_done();
-		} else {
-			clear_query(query);
-		}
-		query = next;
-	}
-	if (lookup->timer != NULL)
-		isc_timer_detach(&lookup->timer);
-	lookup->pending = ISC_FALSE;
-	lookup->retries = 0;
-}
-
-static void
-bringup_timer(dig_query_t *query, unsigned int default_timeout) {
-	dig_lookup_t *l;
-	unsigned int local_timeout;
-	isc_result_t result;
-
-	debug("bringup_timer()");
-	/*
-	 * If the timer already exists, that means we're calling this
-	 * a second time (for a retry).  Don't need to recreate it,
-	 * just reset it.
-	 */
-	l = query->lookup;
-	if (ISC_LIST_NEXT(query, link) != NULL)
-		local_timeout = SERVER_TIMEOUT;
-	else {
-		if (timeout == 0)
-			local_timeout = default_timeout;
-		else
-			local_timeout = timeout;
-	}
-	debug("have local timeout of %d", local_timeout);
-	isc_interval_set(&l->interval, local_timeout, 0);
-	if (l->timer != NULL)
-		isc_timer_detach(&l->timer);
-	result = isc_timer_create(timermgr, isc_timertype_once, NULL,
-				  &l->interval, global_task, connect_timeout,
-				  l, &l->timer);
-	check_result(result, "isc_timer_create");
-}
-
-static void
-force_timeout(dig_lookup_t *l, dig_query_t *query) {
-	isc_event_t *event;
-
-	debug("force_timeout ()");
-	event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
-				   connect_timeout, l,
-				   sizeof(isc_event_t));
-	if (event == NULL) {
-		fatal("isc_event_allocate: %s",
-		      isc_result_totext(ISC_R_NOMEMORY));
-	}
-	isc_task_send(global_task, &event);
-
-	/*
-	 * The timer may have expired if, for example, get_address() takes
-	 * long time and the timer was running on a different thread.
-	 * We need to cancel the possible timeout event not to confuse
-	 * ourselves due to the duplicate events.
-	 */
-	if (l->timer != NULL)
-		isc_timer_detach(&l->timer);
-}
-
-
-static void
-connect_done(isc_task_t *task, isc_event_t *event);
-
-/*%
- * Unlike send_udp, this can't be called multiple times with the same
- * query.  When we retry TCP, we requeue the whole lookup, which should
- * start anew.
- */
-static void
-send_tcp_connect(dig_query_t *query) {
-	isc_result_t result;
-	dig_query_t *next;
-	dig_lookup_t *l;
-
-	debug("send_tcp_connect(%p)", query);
-
-	l = query->lookup;
-	query->waiting_connect = ISC_TRUE;
-	query->lookup->current_query = query;
-	result = get_address(query->servname, port, &query->sockaddr);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * This servname doesn't have an address.  Try the next server
-		 * by triggering an immediate 'timeout' (we lie, but the effect
-		 * is the same).
-		 */
-		force_timeout(l, query);
-		return;
-	}
-
-	if (specified_source &&
-	    (isc_sockaddr_pf(&query->sockaddr) !=
-	     isc_sockaddr_pf(&bind_address))) {
-		printf(";; Skipping server %s, incompatible "
-		       "address family\n", query->servname);
-		query->waiting_connect = ISC_FALSE;
-		next = ISC_LIST_NEXT(query, link);
-		l = query->lookup;
-		clear_query(query);
-		if (next == NULL) {
-			printf(";; No acceptable nameservers\n");
-			check_next_lookup(l);
-			return;
-		}
-		send_tcp_connect(next);
-		return;
-	}
-
-	INSIST(query->sock == NULL);
-	result = isc_socket_create(socketmgr,
-				   isc_sockaddr_pf(&query->sockaddr),
-				   isc_sockettype_tcp, &query->sock);
-	check_result(result, "isc_socket_create");
-	sockcount++;
-	debug("sockcount=%d", sockcount);
-	if (specified_source)
-		result = isc_socket_bind(query->sock, &bind_address,
-					 ISC_SOCKET_REUSEADDRESS);
-	else {
-		if ((isc_sockaddr_pf(&query->sockaddr) == AF_INET) &&
-		    have_ipv4)
-			isc_sockaddr_any(&bind_any);
-		else
-			isc_sockaddr_any6(&bind_any);
-		result = isc_socket_bind(query->sock, &bind_any, 0);
-	}
-	check_result(result, "isc_socket_bind");
-	bringup_timer(query, TCP_TIMEOUT);
-	result = isc_socket_connect(query->sock, &query->sockaddr,
-				    global_task, connect_done, query);
-	check_result(result, "isc_socket_connect");
-	/*
-	 * If we're at the endgame of a nameserver search, we need to
-	 * immediately bring up all the queries.  Do it here.
-	 */
-	if (l->ns_search_only && !l->trace_root) {
-		debug("sending next, since searching");
-		next = ISC_LIST_NEXT(query, link);
-		if (ISC_LINK_LINKED(query, link))
-			ISC_LIST_DEQUEUE(l->q, query, link);
-		ISC_LIST_ENQUEUE(l->connecting, query, clink);
-		if (next != NULL)
-			send_tcp_connect(next);
-	}
-}
-
-/*%
- * Send a UDP packet to the remote nameserver, possible starting the
- * recv action as well.  Also make sure that the timer is running and
- * is properly reset.
- */
-static void
-send_udp(dig_query_t *query) {
-	dig_lookup_t *l = NULL;
-	isc_result_t result;
-
-	debug("send_udp(%p)", query);
-
-	l = query->lookup;
-	bringup_timer(query, UDP_TIMEOUT);
-	l->current_query = query;
-	debug("working on lookup %p, query %p", query->lookup, query);
-	if (!query->recv_made) {
-		/* XXX Check the sense of this, need assertion? */
-		query->waiting_connect = ISC_FALSE;
-		result = get_address(query->servname, port, &query->sockaddr);
-		if (result != ISC_R_SUCCESS) {
-			/* This servname doesn't have an address. */
-			force_timeout(l, query);
-			return;
-		}
-
-		result = isc_socket_create(socketmgr,
-					   isc_sockaddr_pf(&query->sockaddr),
-					   isc_sockettype_udp, &query->sock);
-		check_result(result, "isc_socket_create");
-		sockcount++;
-		debug("sockcount=%d", sockcount);
-		if (specified_source) {
-			result = isc_socket_bind(query->sock, &bind_address,
-						 ISC_SOCKET_REUSEADDRESS);
-		} else {
-			isc_sockaddr_anyofpf(&bind_any,
-					isc_sockaddr_pf(&query->sockaddr));
-			result = isc_socket_bind(query->sock, &bind_any, 0);
-		}
-		check_result(result, "isc_socket_bind");
-
-		query->recv_made = ISC_TRUE;
-		ISC_LINK_INIT(&query->recvbuf, link);
-		ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf,
-				 link);
-		debug("recving with lookup=%p, query=%p, sock=%p",
-		      query->lookup, query, query->sock);
-		result = isc_socket_recvv(query->sock, &query->recvlist, 1,
-					  global_task, recv_done, query);
-		check_result(result, "isc_socket_recvv");
-		recvcount++;
-		debug("recvcount=%d", recvcount);
-	}
-	ISC_LIST_INIT(query->sendlist);
-	ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
-	debug("sending a request");
-	TIME_NOW(&query->time_sent);
-	INSIST(query->sock != NULL);
-	query->waiting_senddone = ISC_TRUE;
-	result = isc_socket_sendtov(query->sock, &query->sendlist,
-				    global_task, send_done, query,
-				    &query->sockaddr, NULL);
-	check_result(result, "isc_socket_sendtov");
-	sendcount++;
-}
-
-/*%
- * IO timeout handler, used for both connect and recv timeouts.  If
- * retries are still allowed, either resend the UDP packet or queue a
- * new TCP lookup.  Otherwise, cancel the lookup.
- */
-static void
-connect_timeout(isc_task_t *task, isc_event_t *event) {
-	dig_lookup_t *l = NULL;
-	dig_query_t *query = NULL, *next, *cq;
-
-	UNUSED(task);
-	REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
-
-	debug("connect_timeout()");
-
-	LOCK_LOOKUP;
-	l = event->ev_arg;
-	query = l->current_query;
-	isc_event_free(&event);
-
-	INSIST(!free_now);
-
-	if ((query != NULL) && (query->lookup->current_query != NULL) &&
-	    (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
-		debug("trying next server...");
-		cq = query->lookup->current_query;
-		if (!l->tcp_mode)
-			send_udp(ISC_LIST_NEXT(cq, link));
-		else {
-			if (query->sock != NULL)
-				isc_socket_cancel(query->sock, NULL,
-						  ISC_SOCKCANCEL_ALL);
-			next = ISC_LIST_NEXT(cq, link);
-			if (next != NULL)
-				send_tcp_connect(next);
-		}
-		UNLOCK_LOOKUP;
-		return;
-	}
-
-	if (l->retries > 1) {
-		if (!l->tcp_mode) {
-			l->retries--;
-			debug("resending UDP request to first server");
-			send_udp(ISC_LIST_HEAD(l->q));
-		} else {
-			debug("making new TCP request, %d tries left",
-			      l->retries);
-			l->retries--;
-			requeue_lookup(l, ISC_TRUE);
-			cancel_lookup(l);
-			check_next_lookup(l);
-		}
-	} else {
-		fputs(l->cmdline, stdout);
-		printf(";; connection timed out; no servers could be "
-		       "reached\n");
-		cancel_lookup(l);
-		check_next_lookup(l);
-		if (exitcode < 9)
-			exitcode = 9;
-	}
-	UNLOCK_LOOKUP;
-}
-
-/*%
- * Event handler for the TCP recv which gets the length header of TCP
- * packets.  Start the next recv of length bytes.
- */
-static void
-tcp_length_done(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent;
-	isc_buffer_t *b = NULL;
-	isc_result_t result;
-	dig_query_t *query = NULL;
-	dig_lookup_t *l;
-	isc_uint16_t length;
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
-	INSIST(!free_now);
-
-	UNUSED(task);
-
-	debug("tcp_length_done()");
-
-	LOCK_LOOKUP;
-	sevent = (isc_socketevent_t *)event;
-	query = event->ev_arg;
-
-	recvcount--;
-	INSIST(recvcount >= 0);
-
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	INSIST(b ==  &query->lengthbuf);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
-
-	if (sevent->result == ISC_R_CANCELED) {
-		isc_event_free(&event);
-		l = query->lookup;
-		clear_query(query);
-		check_next_lookup(l);
-		UNLOCK_LOOKUP;
-		return;
-	}
-	if (sevent->result != ISC_R_SUCCESS) {
-		char sockstr[ISC_SOCKADDR_FORMATSIZE];
-		isc_sockaddr_format(&query->sockaddr, sockstr,
-				    sizeof(sockstr));
-		printf(";; communications error to %s: %s\n",
-		       sockstr, isc_result_totext(sevent->result));
-		l = query->lookup;
-		isc_socket_detach(&query->sock);
-		sockcount--;
-		debug("sockcount=%d", sockcount);
-		INSIST(sockcount >= 0);
-		isc_event_free(&event);
-		clear_query(query);
-		check_next_lookup(l);
-		UNLOCK_LOOKUP;
-		return;
-	}
-	length = isc_buffer_getuint16(b);
-	if (length == 0) {
-		isc_event_free(&event);
-		launch_next_query(query, ISC_FALSE);
-		UNLOCK_LOOKUP;
-		return;
-	}
-
-	/*
-	 * Even though the buffer was already init'ed, we need
-	 * to redo it now, to force the length we want.
-	 */
-	isc_buffer_invalidate(&query->recvbuf);
-	isc_buffer_init(&query->recvbuf, query->recvspace, length);
-	ENSURE(ISC_LIST_EMPTY(query->recvlist));
-	ISC_LINK_INIT(&query->recvbuf, link);
-	ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
-	debug("recving with lookup=%p, query=%p", query->lookup, query);
-	result = isc_socket_recvv(query->sock, &query->recvlist, length, task,
-				  recv_done, query);
-	check_result(result, "isc_socket_recvv");
-	recvcount++;
-	debug("resubmitted recv request with length %d, recvcount=%d",
-	      length, recvcount);
-	isc_event_free(&event);
-	UNLOCK_LOOKUP;
-}
-
-/*%
- * For transfers that involve multiple recvs (XFR's in particular),
- * launch the next recv.
- */
-static void
-launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
-	isc_result_t result;
-	dig_lookup_t *l;
-
-	INSIST(!free_now);
-
-	debug("launch_next_query()");
-
-	if (!query->lookup->pending) {
-		debug("ignoring launch_next_query because !pending");
-		isc_socket_detach(&query->sock);
-		sockcount--;
-		debug("sockcount=%d", sockcount);
-		INSIST(sockcount >= 0);
-		query->waiting_connect = ISC_FALSE;
-		l = query->lookup;
-		clear_query(query);
-		check_next_lookup(l);
-		return;
-	}
-
-	isc_buffer_clear(&query->slbuf);
-	isc_buffer_clear(&query->lengthbuf);
-	isc_buffer_putuint16(&query->slbuf, (isc_uint16_t) query->sendbuf.used);
-	ISC_LIST_INIT(query->sendlist);
-	ISC_LINK_INIT(&query->slbuf, link);
-	ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link);
-	if (include_question)
-		ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
-	ISC_LINK_INIT(&query->lengthbuf, link);
-	ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link);
-
-	result = isc_socket_recvv(query->sock, &query->lengthlist, 0,
-				  global_task, tcp_length_done, query);
-	check_result(result, "isc_socket_recvv");
-	recvcount++;
-	debug("recvcount=%d", recvcount);
-	if (!query->first_soa_rcvd) {
-		debug("sending a request in launch_next_query");
-		TIME_NOW(&query->time_sent);
-		query->waiting_senddone = ISC_TRUE;
-		result = isc_socket_sendv(query->sock, &query->sendlist,
-					  global_task, send_done, query);
-		check_result(result, "isc_socket_sendv");
-		sendcount++;
-		debug("sendcount=%d", sendcount);
-	}
-	query->waiting_connect = ISC_FALSE;
-#if 0
-	check_next_lookup(query->lookup);
-#endif
-	return;
-}
-
-/*%
- * Event handler for TCP connect complete.  Make sure the connection was
- * successful, then pass into launch_next_query to actually send the
- * question.
- */
-static void
-connect_done(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent = NULL;
-	dig_query_t *query = NULL, *next;
-	dig_lookup_t *l;
-
-	UNUSED(task);
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
-	INSIST(!free_now);
-
-	debug("connect_done()");
-
-	LOCK_LOOKUP;
-	sevent = (isc_socketevent_t *)event;
-	query = sevent->ev_arg;
-
-	INSIST(query->waiting_connect);
-
-	query->waiting_connect = ISC_FALSE;
-
-	if (sevent->result == ISC_R_CANCELED) {
-		debug("in cancel handler");
-		isc_socket_detach(&query->sock);
-		INSIST(sockcount > 0);
-		sockcount--;
-		debug("sockcount=%d", sockcount);
-		query->waiting_connect = ISC_FALSE;
-		isc_event_free(&event);
-		l = query->lookup;
-		clear_query(query);
-		check_next_lookup(l);
-		UNLOCK_LOOKUP;
-		return;
-	}
-	if (sevent->result != ISC_R_SUCCESS) {
-		char sockstr[ISC_SOCKADDR_FORMATSIZE];
-
-		debug("unsuccessful connection: %s",
-		      isc_result_totext(sevent->result));
-		isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
-		if (sevent->result != ISC_R_CANCELED)
-			printf(";; Connection to %s(%s) for %s failed: "
-			       "%s.\n", sockstr,
-			       query->servname, query->lookup->textname,
-			       isc_result_totext(sevent->result));
-		isc_socket_detach(&query->sock);
-		sockcount--;
-		INSIST(sockcount >= 0);
-		/* XXX Clean up exitcodes */
-		if (exitcode < 9)
-			exitcode = 9;
-		debug("sockcount=%d", sockcount);
-		query->waiting_connect = ISC_FALSE;
-		isc_event_free(&event);
-		l = query->lookup;
-		if (l->current_query != NULL)
-			next = ISC_LIST_NEXT(l->current_query, link);
-		else
-			next = NULL;
-		clear_query(query);
-		if (next != NULL) {
-			bringup_timer(next, TCP_TIMEOUT);
-			send_tcp_connect(next);
-		} else
-			check_next_lookup(l);
-		UNLOCK_LOOKUP;
-		return;
-	}
-	launch_next_query(query, ISC_TRUE);
-	isc_event_free(&event);
-	UNLOCK_LOOKUP;
-}
-
-/*%
- * Check if the ongoing XFR needs more data before it's complete, using
- * the semantics of IXFR and AXFR protocols.  Much of the complexity of
- * this routine comes from determining when an IXFR is complete.
- * ISC_FALSE means more data is on the way, and the recv has been issued.
- */
-static isc_boolean_t
-check_for_more_data(dig_query_t *query, dns_message_t *msg,
-		    isc_socketevent_t *sevent)
-{
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_soa_t soa;
-	isc_uint32_t ixfr_serial = query->lookup->ixfr_serial, serial;
-	isc_result_t result;
-	isc_boolean_t ixfr = query->lookup->rdtype == dns_rdatatype_ixfr;
-	isc_boolean_t axfr = query->lookup->rdtype == dns_rdatatype_axfr;
-
-	debug("check_for_more_data()");
-
-	/*
-	 * By the time we're in this routine, we know we're doing
-	 * either an AXFR or IXFR.  If there's no second_rr_type,
-	 * then we don't yet know which kind of answer we got back
-	 * from the server.  Here, we're going to walk through the
-	 * rr's in the message, acting as necessary whenever we hit
-	 * an SOA rr.
-	 */
-
-	query->msg_count++;
-	query->byte_count += sevent->n;
-	result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
-	if (result != ISC_R_SUCCESS) {
-		puts("; Transfer failed.");
-		return (ISC_TRUE);
-	}
-	do {
-		dns_name_t *name;
-		name = NULL;
-		dns_message_currentname(msg, DNS_SECTION_ANSWER,
-					&name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			result = dns_rdataset_first(rdataset);
-			if (result != ISC_R_SUCCESS)
-				continue;
-			do {
-				query->rr_count++;
-				dns_rdata_reset(&rdata);
-				dns_rdataset_current(rdataset, &rdata);
-				/*
-				 * If this is the first rr, make sure
-				 * it's an SOA
-				 */
-				if ((!query->first_soa_rcvd) &&
-				    (rdata.type != dns_rdatatype_soa)) {
-					puts("; Transfer failed.  "
-					     "Didn't start with SOA answer.");
-					return (ISC_TRUE);
-				}
-				if ((!query->second_rr_rcvd) &&
-				    (rdata.type != dns_rdatatype_soa)) {
-					query->second_rr_rcvd = ISC_TRUE;
-					query->second_rr_serial = 0;
-					debug("got the second rr as nonsoa");
-					axfr = ISC_TRUE;
-					goto next_rdata;
-				}
-
-				/*
-				 * If the record is anything except an SOA
-				 * now, just continue on...
-				 */
-				if (rdata.type != dns_rdatatype_soa)
-					goto next_rdata;
-
-				/* Now we have an SOA.  Work with it. */
-				debug("got an SOA");
-				result = dns_rdata_tostruct(&rdata, &soa, NULL);
-				check_result(result, "dns_rdata_tostruct");
-				serial = soa.serial;
-				dns_rdata_freestruct(&soa);
-				if (!query->first_soa_rcvd) {
-					query->first_soa_rcvd = ISC_TRUE;
-					query->first_rr_serial = serial;
-					debug("this is the first serial %u",
-					      serial);
-					if (ixfr && isc_serial_ge(ixfr_serial,
-								  serial)) {
-						debug("got up to date "
-						      "response");
-						goto doexit;
-					}
-					goto next_rdata;
-				}
-				if (axfr) {
-					debug("doing axfr, got second SOA");
-					goto doexit;
-				}
-				if (!query->second_rr_rcvd) {
-					if (query->first_rr_serial == serial) {
-						debug("doing ixfr, got "
-						      "empty zone");
-						goto doexit;
-					}
-					debug("this is the second serial %u",
-					      serial);
-					query->second_rr_rcvd = ISC_TRUE;
-					query->second_rr_serial = serial;
-					goto next_rdata;
-				}
-				/*
-				 * If we get to this point, we're doing an
-				 * IXFR and have to start really looking
-				 * at serial numbers.
-				 */
-				if (query->first_rr_serial == serial) {
-					debug("got a match for ixfr");
-					if (!query->first_repeat_rcvd) {
-						query->first_repeat_rcvd =
-							ISC_TRUE;
-						goto next_rdata;
-					}
-					debug("done with ixfr");
-					goto doexit;
-				}
-				debug("meaningless soa %u", serial);
-			next_rdata:
-				result = dns_rdataset_next(rdataset);
-			} while (result == ISC_R_SUCCESS);
-		}
-		result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
-	} while (result == ISC_R_SUCCESS);
-	launch_next_query(query, ISC_FALSE);
-	return (ISC_FALSE);
- doexit:
-	received(sevent->n, &sevent->address, query);
-	return (ISC_TRUE);
-}
-
-/*%
- * Event handler for recv complete.  Perform whatever actions are necessary,
- * based on the specifics of the user's request.
- */
-static void
-recv_done(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent = NULL;
-	dig_query_t *query = NULL;
-	isc_buffer_t *b = NULL;
-	dns_message_t *msg = NULL;
-#ifdef DIG_SIGCHASE
-	dig_message_t *chase_msg = NULL;
-	dig_message_t *chase_msg2 = NULL;
-#endif
-	isc_result_t result;
-	dig_lookup_t *n, *l;
-	isc_boolean_t docancel = ISC_FALSE;
-	isc_boolean_t match = ISC_TRUE;
-	unsigned int parseflags;
-	dns_messageid_t id;
-	unsigned int msgflags;
-#ifdef DIG_SIGCHASE
-	isc_result_t do_sigchase = ISC_FALSE;
-
-	dns_message_t *msg_temp = NULL;
-	isc_region_t r;
-	isc_buffer_t *buf = NULL;
-#endif
-
-	UNUSED(task);
-	INSIST(!free_now);
-
-	debug("recv_done()");
-
-	LOCK_LOOKUP;
-	recvcount--;
-	debug("recvcount=%d", recvcount);
-	INSIST(recvcount >= 0);
-
-	query = event->ev_arg;
-	debug("lookup=%p, query=%p", query->lookup, query);
-
-	l = query->lookup;
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
-	sevent = (isc_socketevent_t *)event;
-
-	b = ISC_LIST_HEAD(sevent->bufferlist);
-	INSIST(b == &query->recvbuf);
-	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
-
-	if ((l->tcp_mode) && (l->timer != NULL))
-		isc_timer_touch(l->timer);
-	if ((!l->pending && !l->ns_search_only) || cancel_now) {
-		debug("no longer pending.  Got %s",
-			isc_result_totext(sevent->result));
-		query->waiting_connect = ISC_FALSE;
-
-		isc_event_free(&event);
-		clear_query(query);
-		check_next_lookup(l);
-		UNLOCK_LOOKUP;
-		return;
-	}
-
-	if (sevent->result != ISC_R_SUCCESS) {
-		if (sevent->result == ISC_R_CANCELED) {
-			debug("in recv cancel handler");
-			query->waiting_connect = ISC_FALSE;
-		} else {
-			printf(";; communications error: %s\n",
-			       isc_result_totext(sevent->result));
-			isc_socket_detach(&query->sock);
-			sockcount--;
-			debug("sockcount=%d", sockcount);
-			INSIST(sockcount >= 0);
-		}
-		isc_event_free(&event);
-		clear_query(query);
-		check_next_lookup(l);
-		UNLOCK_LOOKUP;
-		return;
-	}
-
-	if (!l->tcp_mode &&
-	    !isc_sockaddr_compare(&sevent->address, &query->sockaddr,
-				  ISC_SOCKADDR_CMPADDR|
-				  ISC_SOCKADDR_CMPPORT|
-				  ISC_SOCKADDR_CMPSCOPE|
-				  ISC_SOCKADDR_CMPSCOPEZERO)) {
-		char buf1[ISC_SOCKADDR_FORMATSIZE];
-		char buf2[ISC_SOCKADDR_FORMATSIZE];
-		isc_sockaddr_t any;
-
-		if (isc_sockaddr_pf(&query->sockaddr) == AF_INET)
-			isc_sockaddr_any(&any);
-		else
-			isc_sockaddr_any6(&any);
-
-		/*
-		* We don't expect a match when the packet is
-		* sent to 0.0.0.0, :: or to a multicast addresses.
-		* XXXMPA broadcast needs to be handled here as well.
-		*/
-		if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) &&
-		     !isc_sockaddr_ismulticast(&query->sockaddr)) ||
-		    isc_sockaddr_getport(&query->sockaddr) !=
-		    isc_sockaddr_getport(&sevent->address)) {
-			isc_sockaddr_format(&sevent->address, buf1,
-			sizeof(buf1));
-			isc_sockaddr_format(&query->sockaddr, buf2,
-			sizeof(buf2));
-			printf(";; reply from unexpected source: %s,"
-			" expected %s\n", buf1, buf2);
-			match = ISC_FALSE;
-		}
-	}
-
-	result = dns_message_peekheader(b, &id, &msgflags);
-	if (result != ISC_R_SUCCESS || l->sendmsg->id != id) {
-		match = ISC_FALSE;
-		if (l->tcp_mode) {
-			isc_boolean_t fail = ISC_TRUE;
-			if (result == ISC_R_SUCCESS) {
-				if (!query->first_soa_rcvd ||
-				     query->warn_id)
-					printf(";; %s: ID mismatch: "
-					       "expected ID %u, got %u\n",
-					       query->first_soa_rcvd ?
-					       "WARNING" : "ERROR",
-					       l->sendmsg->id, id);
-				if (query->first_soa_rcvd)
-					fail = ISC_FALSE;
-				query->warn_id = ISC_FALSE;
-			} else
-				printf(";; ERROR: short "
-				       "(< header size) message\n");
-			if (fail) {
-				isc_event_free(&event);
-				clear_query(query);
-				check_next_lookup(l);
-				UNLOCK_LOOKUP;
-				return;
-			}
-			match = ISC_TRUE;
-		} else if (result == ISC_R_SUCCESS)
-			printf(";; Warning: ID mismatch: "
-			       "expected ID %u, got %u\n", l->sendmsg->id, id);
-		else
-			printf(";; Warning: short "
-			       "(< header size) message received\n");
-	}
-
-	if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0)
-		printf(";; Warning: query response not set\n");
-
-	if (!match)
-		goto udp_mismatch;
-
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
-	check_result(result, "dns_message_create");
-
-	if (key != NULL) {
-		if (l->querysig == NULL) {
-			debug("getting initial querysig");
-			result = dns_message_getquerytsig(l->sendmsg, mctx,
-							  &l->querysig);
-			check_result(result, "dns_message_getquerytsig");
-		}
-		result = dns_message_setquerytsig(msg, l->querysig);
-		check_result(result, "dns_message_setquerytsig");
-		result = dns_message_settsigkey(msg, key);
-		check_result(result, "dns_message_settsigkey");
-		msg->tsigctx = l->tsigctx;
-		l->tsigctx = NULL;
-		if (l->msgcounter != 0)
-			msg->tcp_continuation = 1;
-		l->msgcounter++;
-	}
-
-	debug("before parse starts");
-	parseflags = DNS_MESSAGEPARSE_PRESERVEORDER;
-#ifdef DIG_SIGCHASE
-	if (!l->sigchase) {
-		do_sigchase = ISC_FALSE;
-	} else {
-		parseflags = 0;
-		do_sigchase = ISC_TRUE;
-	}
-#endif
-	if (l->besteffort) {
-		parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
-		parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION;
-	}
-	result = dns_message_parse(msg, b, parseflags);
-	if (result == DNS_R_RECOVERABLE) {
-		printf(";; Warning: Message parser reports malformed "
-		       "message packet.\n");
-		result = ISC_R_SUCCESS;
-	}
-	if (result != ISC_R_SUCCESS) {
-		printf(";; Got bad packet: %s\n", isc_result_totext(result));
-		hex_dump(b);
-		query->waiting_connect = ISC_FALSE;
-		dns_message_destroy(&msg);
-		isc_event_free(&event);
-		clear_query(query);
-		cancel_lookup(l);
-		check_next_lookup(l);
-		UNLOCK_LOOKUP;
-		return;
-	}
-	if (msg->counts[DNS_SECTION_QUESTION] != 0) {
-		match = ISC_TRUE;
-		for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
-		     result == ISC_R_SUCCESS && match;
-		     result = dns_message_nextname(msg, DNS_SECTION_QUESTION)) {
-			dns_name_t *name = NULL;
-			dns_rdataset_t *rdataset;
-
-			dns_message_currentname(msg, DNS_SECTION_QUESTION,
-						&name);
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				if (l->rdtype != rdataset->type ||
-				    l->rdclass != rdataset->rdclass ||
-				    !dns_name_equal(l->name, name)) {
-					char namestr[DNS_NAME_FORMATSIZE];
-					char typebuf[DNS_RDATATYPE_FORMATSIZE];
-					char classbuf[DNS_RDATACLASS_FORMATSIZE];
-					dns_name_format(name, namestr,
-							sizeof(namestr));
-					dns_rdatatype_format(rdataset->type,
-							     typebuf,
-							     sizeof(typebuf));
-					dns_rdataclass_format(rdataset->rdclass,
-							      classbuf,
-							      sizeof(classbuf));
-					printf(";; Question section mismatch: "
-					       "got %s/%s/%s\n",
-					       namestr, typebuf, classbuf);
-					match = ISC_FALSE;
-				}
-			}
-		}
-		if (!match) {
-			dns_message_destroy(&msg);
-			if (l->tcp_mode) {
-				isc_event_free(&event);
-				clear_query(query);
-				check_next_lookup(l);
-				UNLOCK_LOOKUP;
-				return;
-			} else
-				goto udp_mismatch;
-		}
-	}
-	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 &&
-	    !l->ignore && !l->tcp_mode) {
-		printf(";; Truncated, retrying in TCP mode.\n");
-		n = requeue_lookup(l, ISC_TRUE);
-		n->tcp_mode = ISC_TRUE;
-		n->origin = query->lookup->origin;
-		dns_message_destroy(&msg);
-		isc_event_free(&event);
-		clear_query(query);
-		cancel_lookup(l);
-		check_next_lookup(l);
-		UNLOCK_LOOKUP;
-		return;
-	}
-	if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
-	    (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
-	{
-		dig_query_t *next = ISC_LIST_NEXT(query, link);
-		if (l->current_query == query)
-			l->current_query = NULL;
-		if (next != NULL) {
-			debug("sending query %p\n", next);
-			if (l->tcp_mode)
-				send_tcp_connect(next);
-			else
-				send_udp(next);
-		}
-		/*
-		 * If our query is at the head of the list and there
-		 * is no next, we're the only one left, so fall
-		 * through to print the message.
-		 */
-		if ((ISC_LIST_HEAD(l->q) != query) ||
-		    (ISC_LIST_NEXT(query, link) != NULL)) {
-			if( l->comments == ISC_TRUE )
-				printf(";; Got %s from %s, "
-				       "trying next server\n",
-				       msg->rcode == dns_rcode_servfail ?
-				       "SERVFAIL reply" :
-				       "recursion not available",
-				       query->servname);
-			clear_query(query);
-			check_next_lookup(l);
-			dns_message_destroy(&msg);
-			isc_event_free(&event);
-			UNLOCK_LOOKUP;
-			return;
-		}
-	}
-
-	if (key != NULL) {
-		result = dns_tsig_verify(&query->recvbuf, msg, NULL, NULL);
-		if (result != ISC_R_SUCCESS) {
-			printf(";; Couldn't verify signature: %s\n",
-			       isc_result_totext(result));
-			validated = ISC_FALSE;
-		}
-		l->tsigctx = msg->tsigctx;
-		msg->tsigctx = NULL;
-		if (l->querysig != NULL) {
-			debug("freeing querysig buffer %p", l->querysig);
-			isc_buffer_free(&l->querysig);
-		}
-		result = dns_message_getquerytsig(msg, mctx, &l->querysig);
-		check_result(result,"dns_message_getquerytsig");
-	}
-
-	extrabytes = isc_buffer_remaininglength(b);
-
-	debug("after parse");
-	if (l->doing_xfr && l->xfr_q == NULL) {
-		l->xfr_q = query;
-		/*
-		 * Once we are in the XFR message, increase
-		 * the timeout to much longer, so brief network
-		 * outages won't cause the XFR to abort
-		 */
-		if (timeout != INT_MAX && l->timer != NULL) {
-			unsigned int local_timeout;
-
-			if (timeout == 0) {
-				if (l->tcp_mode)
-					local_timeout = TCP_TIMEOUT * 4;
-				else
-					local_timeout = UDP_TIMEOUT * 4;
-			} else {
-				if (timeout < (INT_MAX / 4))
-					local_timeout = timeout * 4;
-				else
-					local_timeout = INT_MAX;
-			}
-			debug("have local timeout of %d", local_timeout);
-			isc_interval_set(&l->interval, local_timeout, 0);
-			result = isc_timer_reset(l->timer,
-						 isc_timertype_once,
-						 NULL,
-						 &l->interval,
-						 ISC_FALSE);
-			check_result(result, "isc_timer_reset");
-		}
-	}
-
-	if (!l->doing_xfr || l->xfr_q == query) {
-		if (msg->rcode != dns_rcode_noerror &&
-		    (l->origin != NULL || l->need_search)) {
-			if (!next_origin(query) || showsearch) {
-				printmessage(query, msg, ISC_TRUE);
-				received(b->used, &sevent->address, query);
-			}
-		} else if (!l->trace && !l->ns_search_only) {
-#ifdef DIG_SIGCHASE
-			if (!do_sigchase)
-#endif
-				printmessage(query, msg, ISC_TRUE);
-		} else if (l->trace) {
-			int n = 0;
-			int count = msg->counts[DNS_SECTION_ANSWER];
-
-			debug("in TRACE code");
-			if (!l->ns_search_only)
-				printmessage(query, msg, ISC_TRUE);
-
-			l->rdtype = l->qrdtype;
-			if (l->trace_root || (l->ns_search_only && count > 0)) {
-				if (!l->trace_root)
-					l->rdtype = dns_rdatatype_soa;
-				n = followup_lookup(msg, query,
-						    DNS_SECTION_ANSWER);
-				l->trace_root = ISC_FALSE;
-			} else if (count == 0)
-				n = followup_lookup(msg, query,
-						    DNS_SECTION_AUTHORITY);
-			if (n == 0)
-				docancel = ISC_TRUE;
-		} else {
-			debug("in NSSEARCH code");
-
-			if (l->trace_root) {
-				/*
-				 * This is the initial NS query.
-				 */
-				int n;
-
-				l->rdtype = dns_rdatatype_soa;
-				n = followup_lookup(msg, query,
-						    DNS_SECTION_ANSWER);
-				if (n == 0)
-					docancel = ISC_TRUE;
-				l->trace_root = ISC_FALSE;
-				usesearch = ISC_FALSE;
-			} else
-#ifdef DIG_SIGCHASE
-				if (!do_sigchase)
-#endif
-				printmessage(query, msg, ISC_TRUE);
-		}
-#ifdef DIG_SIGCHASE
-		if (do_sigchase) {
-			chase_msg = isc_mem_allocate(mctx,
-						     sizeof(dig_message_t));
-			if (chase_msg == NULL) {
-				fatal("Memory allocation failure in %s:%d",
-				      __FILE__, __LINE__);
-			}
-			ISC_LIST_INITANDAPPEND(chase_message_list, chase_msg,
-					       link);
-			if (dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
-					       &msg_temp) != ISC_R_SUCCESS) {
-				fatal("dns_message_create in %s:%d",
-				      __FILE__, __LINE__);
-			}
-
-			isc_buffer_usedregion(b, &r);
-			result = isc_buffer_allocate(mctx, &buf, r.length);
-
-			check_result(result, "isc_buffer_allocate");
-			result =  isc_buffer_copyregion(buf, &r);
-			check_result(result, "isc_buffer_copyregion");
-
-			result =  dns_message_parse(msg_temp, buf, 0);
-
-			isc_buffer_free(&buf);
-			chase_msg->msg = msg_temp;
-
-			chase_msg2 = isc_mem_allocate(mctx,
-						      sizeof(dig_message_t));
-			if (chase_msg2 == NULL) {
-				fatal("Memory allocation failure in %s:%d",
-				      __FILE__, __LINE__);
-			}
-			ISC_LIST_INITANDAPPEND(chase_message_list2, chase_msg2,
-					       link);
-			chase_msg2->msg = msg;
-		}
-#endif
-	}
-
-#ifdef DIG_SIGCHASE
-	if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) {
-		sigchase(msg_temp);
-	}
-#endif
-
-	if (l->pending)
-		debug("still pending.");
-	if (l->doing_xfr) {
-		if (query != l->xfr_q) {
-			dns_message_destroy(&msg);
-			isc_event_free(&event);
-			query->waiting_connect = ISC_FALSE;
-			UNLOCK_LOOKUP;
-			return;
-		}
-		if (!docancel)
-			docancel = check_for_more_data(query, msg, sevent);
-		if (docancel) {
-			dns_message_destroy(&msg);
-			clear_query(query);
-			cancel_lookup(l);
-			check_next_lookup(l);
-		}
-	} else {
-
-		if (msg->rcode == dns_rcode_noerror || l->origin == NULL) {
-
-#ifdef DIG_SIGCHASE
-			if (!l->sigchase)
-#endif
-				received(b->used, &sevent->address, query);
-		}
-
-		if (!query->lookup->ns_search_only)
-			query->lookup->pending = ISC_FALSE;
-		if (!query->lookup->ns_search_only ||
-		    query->lookup->trace_root || docancel) {
-#ifdef DIG_SIGCHASE
-			if (!do_sigchase)
-#endif
-				dns_message_destroy(&msg);
-
-			cancel_lookup(l);
-		}
-		clear_query(query);
-		check_next_lookup(l);
-	}
-	if (msg != NULL) {
-#ifdef DIG_SIGCHASE
-		if (do_sigchase)
-			msg = NULL;
-		else
-#endif
-			dns_message_destroy(&msg);
-	}
-	isc_event_free(&event);
-	UNLOCK_LOOKUP;
-	return;
-
- udp_mismatch:
-	isc_buffer_invalidate(&query->recvbuf);
-	isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
-	ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
-	result = isc_socket_recvv(query->sock, &query->recvlist, 1,
-				  global_task, recv_done, query);
-	check_result(result, "isc_socket_recvv");
-	recvcount++;
-	isc_event_free(&event);
-	UNLOCK_LOOKUP;
-	return;
-}
-
-/*%
- * Turn a name into an address, using system-supplied routines.  This is
- * used in looking up server names, etc... and needs to use system-supplied
- * routines, since they may be using a non-DNS system for these lookups.
- */
-isc_result_t
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
-	int count;
-	isc_result_t result;
-
-	isc_app_block();
-	result = bind9_getaddresses(host, port, sockaddr, 1, &count);
-	isc_app_unblock();
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	INSIST(count == 1);
-
-	return (ISC_R_SUCCESS);
-}
-
-int
-getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) {
-	isc_result_t result;
-	isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
-	isc_netaddr_t netaddr;
-	int count, i;
-	dig_server_t *srv;
-	char tmp[ISC_NETADDR_FORMATSIZE];
-
-	result = bind9_getaddresses(host, 0, sockaddrs,
-				    DIG_MAX_ADDRESSES, &count);
-	if (resultp != NULL)
-		*resultp = result;
-	if (result != ISC_R_SUCCESS) {
-		if (resultp == NULL)
-			fatal("couldn't get address for '%s': %s",
-			      host, isc_result_totext(result));
-		return 0;
-	}
-
-	for (i = 0; i < count; i++) {
-		isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
-		isc_netaddr_format(&netaddr, tmp, sizeof(tmp));
-		srv = make_server(tmp, host);
-		ISC_LIST_APPEND(lookup->my_server_list, srv, link);
-	}
-
-	return count;
-}
-
-/*%
- * Initiate either a TCP or UDP lookup
- */
-void
-do_lookup(dig_lookup_t *lookup) {
-	dig_query_t *query;
-
-	REQUIRE(lookup != NULL);
-
-	debug("do_lookup()");
-	lookup->pending = ISC_TRUE;
-	query = ISC_LIST_HEAD(lookup->q);
-	if (query != NULL) {
-		if (lookup->tcp_mode)
-			send_tcp_connect(query);
-		else
-			send_udp(query);
-	}
-}
-
-/*%
- * Start everything in action upon task startup.
- */
-void
-onrun_callback(isc_task_t *task, isc_event_t *event) {
-	UNUSED(task);
-
-	isc_event_free(&event);
-	LOCK_LOOKUP;
-	start_lookup();
-	UNLOCK_LOOKUP;
-}
-
-/*%
- * Make everything on the lookup queue go away.  Mainly used by the
- * SIGINT handler.
- */
-void
-cancel_all(void) {
-	dig_lookup_t *l, *n;
-	dig_query_t *q, *nq;
-
-	debug("cancel_all()");
-
-	LOCK_LOOKUP;
-	if (free_now) {
-		UNLOCK_LOOKUP;
-		return;
-	}
-	cancel_now = ISC_TRUE;
-	if (current_lookup != NULL) {
-		if (current_lookup->timer != NULL)
-			isc_timer_detach(&current_lookup->timer);
-		q = ISC_LIST_HEAD(current_lookup->q);
-		while (q != NULL) {
-			debug("canceling query %p, belonging to %p",
-			      q, current_lookup);
-			nq = ISC_LIST_NEXT(q, link);
-			if (q->sock != NULL) {
-				isc_socket_cancel(q->sock, NULL,
-						  ISC_SOCKCANCEL_ALL);
-			} else {
-				clear_query(q);
-			}
-			q = nq;
-		}
-	}
-	l = ISC_LIST_HEAD(lookup_list);
-	while (l != NULL) {
-		n = ISC_LIST_NEXT(l, link);
-		ISC_LIST_DEQUEUE(lookup_list, l, link);
-		try_clear_lookup(l);
-		l = n;
-	}
-	UNLOCK_LOOKUP;
-}
-
-/*%
- * Destroy all of the libs we are using, and get everything ready for a
- * clean shutdown.
- */
-void
-destroy_libs(void) {
-#ifdef DIG_SIGCHASE
-	void * ptr;
-	dig_message_t *chase_msg;
-#endif
-#ifdef WITH_IDN
-	isc_result_t result;
-#endif
-
-	debug("destroy_libs()");
-	if (global_task != NULL) {
-		debug("freeing task");
-		isc_task_detach(&global_task);
-	}
-	/*
-	 * The taskmgr_destroy() call blocks until all events are cleared
-	 * from the task.
-	 */
-	if (taskmgr != NULL) {
-		debug("freeing taskmgr");
-		isc_taskmgr_destroy(&taskmgr);
-	}
-	LOCK_LOOKUP;
-	REQUIRE(sockcount == 0);
-	REQUIRE(recvcount == 0);
-	REQUIRE(sendcount == 0);
-
-	INSIST(ISC_LIST_HEAD(lookup_list) == NULL);
-	INSIST(current_lookup == NULL);
-	INSIST(!free_now);
-
-	free_now = ISC_TRUE;
-
-	lwres_conf_clear(lwctx);
-	lwres_context_destroy(&lwctx);
-
-	flush_server_list();
-
-	clear_searchlist();
-
-#ifdef WITH_IDN
-	result = dns_name_settotextfilter(NULL);
-	check_result(result, "dns_name_settotextfilter");
-#endif
-	dns_name_destroy();
-
-	if (commctx != NULL) {
-		debug("freeing commctx");
-		isc_mempool_destroy(&commctx);
-	}
-	if (socketmgr != NULL) {
-		debug("freeing socketmgr");
-		isc_socketmgr_destroy(&socketmgr);
-	}
-	if (timermgr != NULL) {
-		debug("freeing timermgr");
-		isc_timermgr_destroy(&timermgr);
-	}
-	if (key != NULL) {
-		debug("freeing key %p", key);
-		dns_tsigkey_detach(&key);
-	}
-	if (namebuf != NULL)
-		isc_buffer_free(&namebuf);
-
-	if (is_dst_up) {
-		debug("destroy DST lib");
-		dst_lib_destroy();
-		is_dst_up = ISC_FALSE;
-	}
-	if (entp != NULL) {
-		debug("detach from entropy");
-		isc_entropy_detach(&entp);
-	}
-
-	UNLOCK_LOOKUP;
-	DESTROYLOCK(&lookup_lock);
-#ifdef DIG_SIGCHASE
-
-	debug("Destroy the messages kept for sigchase");
-	/* Destroy the messages kept for sigchase */
-	chase_msg = ISC_LIST_HEAD(chase_message_list);
-
-	while (chase_msg != NULL) {
-		INSIST(chase_msg->msg != NULL);
-		dns_message_destroy(&(chase_msg->msg));
-		ptr = chase_msg;
-		chase_msg = ISC_LIST_NEXT(chase_msg, link);
-		isc_mem_free(mctx, ptr);
-	}
-
-	chase_msg = ISC_LIST_HEAD(chase_message_list2);
-
-	while (chase_msg != NULL) {
-		INSIST(chase_msg->msg != NULL);
-		dns_message_destroy(&(chase_msg->msg));
-		ptr = chase_msg;
-		chase_msg = ISC_LIST_NEXT(chase_msg, link);
-		isc_mem_free(mctx, ptr);
-	}
-	if (dns_name_dynamic(&chase_name))
-		free_name(&chase_name, mctx);
-#if DIG_SIGCHASE_TD
-	if (dns_name_dynamic(&chase_current_name))
-		free_name(&chase_current_name, mctx);
-	if (dns_name_dynamic(&chase_authority_name))
-		free_name(&chase_authority_name, mctx);
-#endif
-#if DIG_SIGCHASE_BU
-	if (dns_name_dynamic(&chase_signame))
-		free_name(&chase_signame, mctx);
-#endif
-
-#endif
-	debug("Removing log context");
-	isc_log_destroy(&lctx);
-
-	debug("Destroy memory");
-	if (memdebugging != 0)
-		isc_mem_stats(mctx, stderr);
-	if (mctx != NULL)
-		isc_mem_destroy(&mctx);
-}
-
-#ifdef WITH_IDN
-static void
-initialize_idn(void) {
-	idn_result_t r;
-	isc_result_t result;
-
-#ifdef HAVE_SETLOCALE
-	/* Set locale */
-	(void)setlocale(LC_ALL, "");
-#endif
-	/* Create configuration context. */
-	r = idn_nameinit(1);
-	if (r != idn_success)
-		fatal("idn api initialization failed: %s",
-		      idn_result_tostring(r));
-
-	/* Set domain name -> text post-conversion filter. */
-	result = dns_name_settotextfilter(output_filter);
-	check_result(result, "dns_name_settotextfilter");
-}
-
-static isc_result_t
-output_filter(isc_buffer_t *buffer, unsigned int used_org,
-	      isc_boolean_t absolute)
-{
-	char tmp1[MAXDLEN], tmp2[MAXDLEN];
-	size_t fromlen, tolen;
-	isc_boolean_t end_with_dot;
-
-	/*
-	 * Copy contents of 'buffer' to 'tmp1', supply trailing dot
-	 * if 'absolute' is true, and terminate with NUL.
-	 */
-	fromlen = isc_buffer_usedlength(buffer) - used_org;
-	if (fromlen >= MAXDLEN)
-		return (ISC_R_SUCCESS);
-	memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
-	end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
-	if (absolute && !end_with_dot) {
-		fromlen++;
-		if (fromlen >= MAXDLEN)
-			return (ISC_R_SUCCESS);
-		tmp1[fromlen - 1] = '.';
-	}
-	tmp1[fromlen] = '\0';
-
-	/*
-	 * Convert contents of 'tmp1' to local encoding.
-	 */
-	if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
-		return (ISC_R_SUCCESS);
-	strcpy(tmp1, tmp2);
-
-	/*
-	 * Copy the converted contents in 'tmp1' back to 'buffer'.
-	 * If we have appended trailing dot, remove it.
-	 */
-	tolen = strlen(tmp1);
-	if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
-		tolen--;
-
-	if (isc_buffer_length(buffer) < used_org + tolen)
-		return (ISC_R_NOSPACE);
-
-	isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
-	memcpy(isc_buffer_used(buffer), tmp1, tolen);
-	isc_buffer_add(buffer, tolen);
-
-	return (ISC_R_SUCCESS);
-}
-
-static idn_result_t
-append_textname(char *name, const char *origin, size_t namesize) {
-	size_t namelen = strlen(name);
-	size_t originlen = strlen(origin);
-
-	/* Already absolute? */
-	if (namelen > 0 && name[namelen - 1] == '.')
-		return idn_success;
-
-	/* Append dot and origin */
-
-	if (namelen + 1 + originlen >= namesize)
-		return idn_buffer_overflow;
-
-	name[namelen++] = '.';
-	(void)strcpy(name + namelen, origin);
-	return idn_success;
-}
-
-static void
-idn_check_result(idn_result_t r, const char *msg) {
-	if (r != idn_success) {
-		exitcode = 1;
-		fatal("%s: %s", msg, idn_result_tostring(r));
-	}
-}
-#endif /* WITH_IDN */
-
-#ifdef DIG_SIGCHASE
-void
-print_type(dns_rdatatype_t type)
-{
-	isc_buffer_t * b = NULL;
-	isc_result_t result;
-	isc_region_t r;
-
-	result = isc_buffer_allocate(mctx, &b, 4000);
-	check_result(result, "isc_buffer_allocate");
-
-	result = dns_rdatatype_totext(type, b);
-	check_result(result, "print_type");
-
-	isc_buffer_usedregion(b, &r);
-	r.base[r.length] = '\0';
-
-	printf("%s", r.base);
-
-	isc_buffer_free(&b);
-}
-
-void
-dump_database_section(dns_message_t *msg, int section)
-{
-	dns_name_t *msg_name=NULL;
-
-	dns_rdataset_t *rdataset;
-
-	do {
-		dns_message_currentname(msg, section, &msg_name);
-
-		for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			dns_name_print(msg_name, stdout);
-			printf("\n");
-			print_rdataset(msg_name, rdataset, mctx);
-			printf("end\n");
-		}
-		msg_name = NULL;
-	} while (dns_message_nextname(msg, section) == ISC_R_SUCCESS);
-}
-
-void
-dump_database(void) {
-	dig_message_t * msg;
-
-	for (msg = ISC_LIST_HEAD(chase_message_list);  msg != NULL;
-	     msg = ISC_LIST_NEXT(msg, link)) {
-		if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
-		    == ISC_R_SUCCESS)
-			dump_database_section(msg->msg, DNS_SECTION_ANSWER);
-
-		if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
-		    == ISC_R_SUCCESS)
-			dump_database_section(msg->msg, DNS_SECTION_AUTHORITY);
-
-		if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
-		    == ISC_R_SUCCESS)
-			dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL);
-	}
-}
-
-
-dns_rdataset_t *
-search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) {
-	dns_rdataset_t *rdataset;
-	dns_rdata_sig_t siginfo;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	isc_result_t result;
-
-	for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
-	     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-		if (type == dns_rdatatype_any) {
-			if (rdataset->type != dns_rdatatype_rrsig)
-				return (rdataset);
-		} else if ((type == dns_rdatatype_rrsig) &&
-			   (rdataset->type == dns_rdatatype_rrsig)) {
-			result = dns_rdataset_first(rdataset);
-			check_result(result, "empty rdataset");
-			dns_rdataset_current(rdataset, &sigrdata);
-			result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
-			check_result(result, "sigrdata tostruct siginfo");
-
-			if ((siginfo.covered == covers) ||
-			    (covers == dns_rdatatype_any)) {
-				dns_rdata_reset(&sigrdata);
-				dns_rdata_freestruct(&siginfo);
-				return (rdataset);
-			}
-			dns_rdata_reset(&sigrdata);
-			dns_rdata_freestruct(&siginfo);
-		} else if (rdataset->type == type)
-			return (rdataset);
-	}
-	return (NULL);
-}
-
-dns_rdataset_t *
-chase_scanname_section(dns_message_t *msg, dns_name_t *name,
-		       dns_rdatatype_t type, dns_rdatatype_t covers,
-		       int section)
-{
-	dns_rdataset_t *rdataset;
-	dns_name_t *msg_name = NULL;
-
-	do {
-		dns_message_currentname(msg, section, &msg_name);
-		if (dns_name_compare(msg_name, name) == 0) {
-			rdataset = search_type(msg_name, type, covers);
-			if (rdataset != NULL)
-				return (rdataset);
-		}
-		msg_name = NULL;
-	} while (dns_message_nextname(msg, section) == ISC_R_SUCCESS);
-
-	return (NULL);
-}
-
-
-dns_rdataset_t *
-chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers)
-{
-	dns_rdataset_t *rdataset = NULL;
-	dig_message_t * msg;
-
-	for (msg = ISC_LIST_HEAD(chase_message_list2);  msg != NULL;
-	     msg = ISC_LIST_NEXT(msg, link)) {
-		if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
-		    == ISC_R_SUCCESS)
-			rdataset = chase_scanname_section(msg->msg, name,
-							  type, covers,
-							  DNS_SECTION_ANSWER);
-			if (rdataset != NULL)
-				return (rdataset);
-		if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
-		    == ISC_R_SUCCESS)
-			rdataset =
-				chase_scanname_section(msg->msg, name,
-						       type, covers,
-						       DNS_SECTION_AUTHORITY);
-			if (rdataset != NULL)
-				return (rdataset);
-		if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
-		    == ISC_R_SUCCESS)
-			rdataset =
-				chase_scanname_section(msg->msg, name, type,
-						       covers,
-						       DNS_SECTION_ADDITIONAL);
-			if (rdataset != NULL)
-				return (rdataset);
-	}
-
-	return (NULL);
-}
-
-dns_rdataset_t *
-sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers,
-		  isc_boolean_t * lookedup, dns_name_t *rdata_name)
-{
-	dig_lookup_t *lookup;
-	isc_buffer_t *b = NULL;
-	isc_region_t r;
-	isc_result_t result;
-	dns_rdataset_t * temp;
-	dns_rdatatype_t querytype;
-
-	temp = chase_scanname(rdata_name, type, covers);
-	if (temp != NULL)
-		return (temp);
-
-	if (*lookedup == ISC_TRUE)
-		return (NULL);
-
-	lookup = clone_lookup(current_lookup, ISC_TRUE);
-	lookup->trace_root = ISC_FALSE;
-	lookup->new_search = ISC_TRUE;
-
-	result = isc_buffer_allocate(mctx, &b, BUFSIZE);
-	check_result(result, "isc_buffer_allocate");
-	result = dns_name_totext(rdata_name, ISC_FALSE, b);
-	check_result(result, "dns_name_totext");
-	isc_buffer_usedregion(b, &r);
-	r.base[r.length] = '\0';
-	strlcpy(lookup->textname, (char*)r.base, sizeof(lookup->textname));
-	isc_buffer_free(&b);
-
-	if (type ==  dns_rdatatype_rrsig)
-		querytype = covers;
-	else
-		querytype = type;
-
-	if (querytype == 0 || querytype == 255) {
-		printf("Error in the queried type: %d\n", querytype);
-		return (NULL);
-	}
-
-	lookup->rdtype = querytype;
-	lookup->rdtypeset = ISC_TRUE;
-	lookup->qrdtype = querytype;
-	*lookedup = ISC_TRUE;
-
-	ISC_LIST_APPEND(lookup_list, lookup, link);
-	printf("\n\nLaunch a query to find a RRset of type ");
-	print_type(type);
-	printf(" for zone: %s\n", lookup->textname);
-	return (NULL);
-}
-
-void
-insert_trustedkey(dst_key_t **keyp)
-{
-	if (*keyp == NULL)
-		return;
-	if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
-		return;
-
-	tk_list.key[tk_list.nb_tk++] = *keyp;
-	*keyp = NULL;
-	return;
-}
-
-void
-clean_trustedkey()
-{
-	int i = 0;
-
-	for (i= 0; i < MAX_TRUSTED_KEY; i++) {
-		if (tk_list.key[i] != NULL) {
-			dst_key_free(&tk_list.key[i]);
-			tk_list.key[i] = NULL;
-		} else
-			break;
-	}
-	tk_list.nb_tk = 0;
-	return;
-}
-
-char alphnum[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-
-isc_result_t
-removetmpkey(isc_mem_t *mctx, const char *file)
-{
-	char *tempnamekey = NULL;
-	int tempnamekeylen;
-	isc_result_t result;
-
-	tempnamekeylen = strlen(file)+10;
-
-	tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
-	if (tempnamekey == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memset(tempnamekey, 0, tempnamekeylen);
-
-	strcat(tempnamekey, file);
-	strcat(tempnamekey,".key");
-	isc_file_remove(tempnamekey);
-
-	result = isc_file_remove(tempnamekey);
-	isc_mem_free(mctx, tempnamekey);
-	return (result);
-}
-
-isc_result_t
-opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
-	FILE *f = NULL;
-	isc_result_t result;
-	char *tempname = NULL;
-	char *tempnamekey = NULL;
-	int tempnamelen;
-	int tempnamekeylen;
-	char *x;
-	char *cp;
-	isc_uint32_t which;
-
-	while (1) {
-		tempnamelen = strlen(file) + 20;
-		tempname = isc_mem_allocate(mctx, tempnamelen);
-		if (tempname == NULL)
-			return (ISC_R_NOMEMORY);
-		memset(tempname, 0, tempnamelen);
-
-		result = isc_file_mktemplate(file, tempname, tempnamelen);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		cp = tempname;
-		while (*cp != '\0')
-			cp++;
-		if (cp == tempname) {
-			isc_mem_free(mctx, tempname);
-			return (ISC_R_FAILURE);
-		}
-
-		x = cp--;
-		while (cp >= tempname && *cp == 'X') {
-			isc_random_get(&which);
-			*cp = alphnum[which % (sizeof(alphnum) - 1)];
-			x = cp--;
-		}
-
-		tempnamekeylen = tempnamelen+5;
-		tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
-		if (tempnamekey == NULL)
-			return (ISC_R_NOMEMORY);
-
-		memset(tempnamekey, 0, tempnamekeylen);
-		strlcpy(tempnamekey, tempname, tempnamelen);
-		strcat(tempnamekey ,".key");
-
-
-		if (isc_file_exists(tempnamekey)) {
-			isc_mem_free(mctx, tempnamekey);
-			isc_mem_free(mctx, tempname);
-			continue;
-		}
-
-		if ((f = fopen(tempnamekey, "w")) == NULL) {
-			printf("get_trusted_key(): trusted key not found %s\n",
-			       tempnamekey);
-			return (ISC_R_FAILURE);
-		}
-		break;
-	}
-	isc_mem_free(mctx, tempnamekey);
-	*tempp = tempname;
-	*fp = f;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	isc_mem_free(mctx, tempname);
-
-	return (result);
-}
-
-isc_result_t
-get_trusted_key(isc_mem_t *mctx)
-{
-	isc_result_t result;
-	const char *filename = NULL;
-	char *filetemp = NULL;
-	char buf[1500];
-	FILE *fp, *fptemp;
-	dst_key_t *key = NULL;
-
-	result = isc_file_exists(trustedkey);
-	if (result !=  ISC_TRUE) {
-		result = isc_file_exists("/etc/trusted-key.key");
-		if (result !=  ISC_TRUE) {
-			result = isc_file_exists("./trusted-key.key");
-			if (result !=  ISC_TRUE)
-				return (ISC_R_FAILURE);
-			else
-				filename = "./trusted-key.key";
-		} else
-			filename = "/etc/trusted-key.key";
-	} else
-		filename = trustedkey;
-
-	if (filename == NULL) {
-		printf("No trusted key\n");
-		return (ISC_R_FAILURE);
-	}
-
-	if ((fp = fopen(filename, "r")) == NULL) {
-		printf("get_trusted_key(): trusted key not found %s\n",
-		       filename);
-		return (ISC_R_FAILURE);
-	}
-	while (fgets(buf, sizeof(buf), fp) != NULL) {
-		result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp);
-		if (result != ISC_R_SUCCESS) {
-			fclose(fp);
-			return (ISC_R_FAILURE);
-		}
-		if (fputs(buf, fptemp) < 0) {
-			fclose(fp);
-			fclose(fptemp);
-			return (ISC_R_FAILURE);
-		}
-		fclose(fptemp);
-		result = dst_key_fromnamedfile(filetemp, NULL, DST_TYPE_PUBLIC,
-					       mctx, &key);
-		removetmpkey(mctx, filetemp);
-		isc_mem_free(mctx, filetemp);
-		if (result !=  ISC_R_SUCCESS) {
-			fclose(fp);
-			return (ISC_R_FAILURE);
-		}
-#if 0
-		dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp");
-#endif
-		insert_trustedkey(&key);
-		if (key != NULL)
-			dst_key_free(&key);
-	}
-	fclose(fp);
-	return (ISC_R_SUCCESS);
-}
-
-
-static void
-nameFromString(const char *str, dns_name_t *p_ret) {
-	size_t len = strlen(str);
-	isc_result_t result;
-	isc_buffer_t buffer;
-	dns_fixedname_t fixedname;
-
-	REQUIRE(p_ret != NULL);
-	REQUIRE(str != NULL);
-
-	isc_buffer_init(&buffer, str, len);
-	isc_buffer_add(&buffer, len);
-
-	dns_fixedname_init(&fixedname);
-	result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer,
-				   dns_rootname, DNS_NAME_DOWNCASE, NULL);
-	check_result(result, "nameFromString");
-
-	if (dns_name_dynamic(p_ret))
-		free_name(p_ret, mctx);
-
-	result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
-	check_result(result, "nameFromString");
-}
-
-
-#if DIG_SIGCHASE_TD
-isc_result_t
-prepare_lookup(dns_name_t *name)
-{
-	isc_result_t result;
-	dig_lookup_t *lookup = NULL;
-	dig_server_t *s;
-	void *ptr;
-
-	lookup = clone_lookup(current_lookup, ISC_TRUE);
-	lookup->trace_root = ISC_FALSE;
-	lookup->new_search = ISC_TRUE;
-	lookup->trace_root_sigchase = ISC_FALSE;
-
-	strlcpy(lookup->textname, lookup->textnamesigchase, MXNAME);
-
-	lookup->rdtype = lookup->rdtype_sigchase;
-	lookup->rdtypeset = ISC_TRUE;
-	lookup->qrdtype = lookup->qrdtype_sigchase;
-
-	s = ISC_LIST_HEAD(lookup->my_server_list);
-	while (s != NULL) {
-		debug("freeing server %p belonging to %p",
-		      s, lookup);
-		ptr = s;
-		s = ISC_LIST_NEXT(s, link);
-		ISC_LIST_DEQUEUE(lookup->my_server_list,
-				 (dig_server_t *)ptr, link);
-		isc_mem_free(mctx, ptr);
-	}
-
-
-	for (result = dns_rdataset_first(chase_nsrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(chase_nsrdataset)) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_rdata_ns_t ns;
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dig_server_t * srv = NULL;
-#define __FOLLOW_GLUE__
-#ifdef __FOLLOW_GLUE__
-		isc_buffer_t *b = NULL;
-		isc_result_t result;
-		isc_region_t r;
-		dns_rdataset_t *rdataset = NULL;
-		isc_boolean_t true = ISC_TRUE;
-#endif
-
-		memset(namestr, 0, DNS_NAME_FORMATSIZE);
-
-		dns_rdataset_current(chase_nsrdataset, &rdata);
-
-		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		check_result(result, "dns_rdata_tostruct");
-
-#ifdef __FOLLOW_GLUE__
-
-		result = advanced_rrsearch(&rdataset, &ns.name,
-					   dns_rdatatype_aaaa,
-					   dns_rdatatype_any, &true);
-		if (result == ISC_R_SUCCESS) {
-			for (result = dns_rdataset_first(rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rdataset)) {
-				dns_rdata_t aaaa = DNS_RDATA_INIT;
-				dns_rdataset_current(rdataset, &aaaa);
-
-				result = isc_buffer_allocate(mctx, &b, 80);
-				check_result(result, "isc_buffer_allocate");
-
-				dns_rdata_totext(&aaaa, &ns.name, b);
-				isc_buffer_usedregion(b, &r);
-				r.base[r.length] = '\0';
-				strlcpy(namestr, (char*)r.base,
-					DNS_NAME_FORMATSIZE);
-				isc_buffer_free(&b);
-				dns_rdata_reset(&aaaa);
-
-
-				srv = make_server(namestr, namestr);
-
-				ISC_LIST_APPEND(lookup->my_server_list,
-						srv, link);
-			}
-		}
-
-		rdataset = NULL;
-		result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a,
-					   dns_rdatatype_any, &true);
-		if (result == ISC_R_SUCCESS) {
-			for (result = dns_rdataset_first(rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rdataset)) {
-				dns_rdata_t a = DNS_RDATA_INIT;
-				dns_rdataset_current(rdataset, &a);
-
-				result = isc_buffer_allocate(mctx, &b, 80);
-				check_result(result, "isc_buffer_allocate");
-
-				dns_rdata_totext(&a, &ns.name, b);
-				isc_buffer_usedregion(b, &r);
-				r.base[r.length] = '\0';
-				strlcpy(namestr, (char*)r.base,
-					DNS_NAME_FORMATSIZE);
-				isc_buffer_free(&b);
-				dns_rdata_reset(&a);
-				printf("ns name: %s\n", namestr);
-
-
-				srv = make_server(namestr, namestr);
-
-				ISC_LIST_APPEND(lookup->my_server_list,
-						srv, link);
-			}
-		}
-#else
-
-		dns_name_format(&ns.name, namestr, sizeof(namestr));
-		printf("ns name: ");
-		dns_name_print(&ns.name, stdout);
-		printf("\n");
-		srv = make_server(namestr, namestr);
-
-		ISC_LIST_APPEND(lookup->my_server_list, srv, link);
-
-#endif
-		dns_rdata_freestruct(&ns);
-		dns_rdata_reset(&rdata);
-
-	}
-
-	ISC_LIST_APPEND(lookup_list, lookup, link);
-	printf("\nLaunch a query to find a RRset of type ");
-	print_type(lookup->rdtype);
-	printf(" for zone: %s", lookup->textname);
-	printf(" with nameservers:");
-	printf("\n");
-	print_rdataset(name, chase_nsrdataset, mctx);
-	return (ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-child_of_zone(dns_name_t * name, dns_name_t * zone_name,
-	      dns_name_t * child_name)
-{
-	dns_namereln_t name_reln;
-	int orderp;
-	unsigned int nlabelsp;
-
-	name_reln = dns_name_fullcompare(name, zone_name, &orderp, &nlabelsp);
-	if (name_reln != dns_namereln_subdomain ||
-	    dns_name_countlabels(name) <= dns_name_countlabels(zone_name) + 1) {
-		printf("\n;; ERROR : ");
-		dns_name_print(name, stdout);
-		printf(" is not a subdomain of: ");
-		dns_name_print(zone_name, stdout);
-		printf(" FAILED\n\n");
-		return (ISC_R_FAILURE);
-	}
-
-	dns_name_getlabelsequence(name,
-				  dns_name_countlabels(name) -
-				  dns_name_countlabels(zone_name) -1,
-				  dns_name_countlabels(zone_name) +1,
-				  child_name);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t  *sigrdataset)
-{
-	isc_result_t result;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdata_sig_t siginfo;
-
-	result = dns_rdataset_first(sigrdataset);
-	check_result(result, "empty RRSIG dataset");
-	dns_rdata_init(&sigrdata);
-
-	do {
-		dns_rdataset_current(sigrdataset, &sigrdata);
-
-		result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
-		check_result(result, "sigrdata tostruct siginfo");
-
-		if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
-			dns_rdata_freestruct(&siginfo);
-			dns_rdata_reset(&sigrdata);
-			return (ISC_R_SUCCESS);
-		}
-
-		dns_rdata_freestruct(&siginfo);
-		dns_rdata_reset(&sigrdata);
-
-	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
-
-	dns_rdata_reset(&sigrdata);
-
-	return (ISC_R_FAILURE);
-}
-
-
-isc_result_t
-initialization(dns_name_t *name)
-{
-	isc_result_t   result;
-	isc_boolean_t  true = ISC_TRUE;
-
-	chase_nsrdataset = NULL;
-	result = advanced_rrsearch(&chase_nsrdataset, name, dns_rdatatype_ns,
-				   dns_rdatatype_any, &true);
-	if (result != ISC_R_SUCCESS) {
-		printf("\n;; NS RRset is missing to continue validation:"
-		       " FAILED\n\n");
-		return (ISC_R_FAILURE);
-	}
-	INSIST(chase_nsrdataset != NULL);
-	prepare_lookup(name);
-
-	dup_name(name, &chase_current_name, mctx);
-
-	return (ISC_R_SUCCESS);
-}
-#endif
-
-void
-print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
-{
-	isc_buffer_t *b = NULL;
-	isc_result_t result;
-	isc_region_t r;
-
-	result = isc_buffer_allocate(mctx, &b, 9000);
-	check_result(result, "isc_buffer_allocate");
-
-	printrdataset(name, rdataset, b);
-
-	isc_buffer_usedregion(b, &r);
-	r.base[r.length] = '\0';
-
-
-	printf("%s\n", r.base);
-
-	isc_buffer_free(&b);
-}
-
-
-void
-dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) {
-	isc_result_t result;
-
-	if (dns_name_dynamic(target))
-		free_name(target, mctx);
-	result = dns_name_dup(source, mctx, target);
-	check_result(result, "dns_name_dup");
-}
-
-void
-free_name(dns_name_t *name, isc_mem_t *mctx) {
-	dns_name_free(name, mctx);
-	dns_name_init(name, NULL);
-}
-
-/*
- *
- * take a DNSKEY RRset and the RRSIG RRset corresponding in parameter
- * return ISC_R_SUCCESS if the DNSKEY RRset contains a trusted_key
- * 			and the RRset is valid
- * return ISC_R_NOTFOUND if not contains trusted key
-			or if the RRset isn't valid
- * return ISC_R_FAILURE if problem
- *
- */
-isc_result_t
-contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
-		     dns_rdataset_t *sigrdataset,
-		     isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dst_key_t *dnsseckey = NULL;
-	int i;
-
-	if (name == NULL || rdataset == NULL)
-		return (ISC_R_FAILURE);
-
-	result = dns_rdataset_first(rdataset);
-	check_result(result, "empty rdataset");
-
-	do {
-		dns_rdataset_current(rdataset, &rdata);
-		INSIST(rdata.type == dns_rdatatype_dnskey);
-
-		result = dns_dnssec_keyfromrdata(name, &rdata,
-						 mctx, &dnsseckey);
-		check_result(result, "dns_dnssec_keyfromrdata");
-
-
-		for (i = 0; i < tk_list.nb_tk; i++) {
-			if (dst_key_compare(tk_list.key[i], dnsseckey)
-			    == ISC_TRUE) {
-				dns_rdata_reset(&rdata);
-
-				printf(";; Ok, find a Trusted Key in the "
-				       "DNSKEY RRset: %d\n",
-				       dst_key_id(dnsseckey));
-				if (sigchase_verify_sig_key(name, rdataset,
-							    dnsseckey,
-							    sigrdataset,
-							    mctx)
-				    == ISC_R_SUCCESS) {
-					dst_key_free(&dnsseckey);
-					dnsseckey = NULL;
-					return (ISC_R_SUCCESS);
-				}
-			}
-		}
-
-		dns_rdata_reset(&rdata);
-		if (dnsseckey != NULL)
-			dst_key_free(&dnsseckey);
-	} while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
-
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
-		    dns_rdataset_t *keyrdataset,
-		    dns_rdataset_t *sigrdataset,
-		    isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_rdata_t keyrdata = DNS_RDATA_INIT;
-	dst_key_t *dnsseckey = NULL;
-
-	result = dns_rdataset_first(keyrdataset);
-	check_result(result, "empty DNSKEY dataset");
-	dns_rdata_init(&keyrdata);
-
-	do {
-		dns_rdataset_current(keyrdataset, &keyrdata);
-		INSIST(keyrdata.type == dns_rdatatype_dnskey);
-
-		result = dns_dnssec_keyfromrdata(name, &keyrdata,
-						 mctx, &dnsseckey);
-		check_result(result, "dns_dnssec_keyfromrdata");
-
-		result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
-						 sigrdataset, mctx);
-		if (result == ISC_R_SUCCESS) {
-			dns_rdata_reset(&keyrdata);
-			dst_key_free(&dnsseckey);
-			return (ISC_R_SUCCESS);
-		}
-		dst_key_free(&dnsseckey);
-		dns_rdata_reset(&keyrdata);
-	} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
-
-	dns_rdata_reset(&keyrdata);
-
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
-			dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
-			isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdata_sig_t siginfo;
-
-	result = dns_rdataset_first(sigrdataset);
-	check_result(result, "empty RRSIG dataset");
-	dns_rdata_init(&sigrdata);
-
-	do {
-		dns_rdataset_current(sigrdataset, &sigrdata);
-
-		result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
-		check_result(result, "sigrdata tostruct siginfo");
-
-		/*
-		 * Test if the id of the DNSKEY is
-		 * the id of the DNSKEY signer's
-		 */
-		if (siginfo.keyid == dst_key_id(dnsseckey)) {
-
-			result = dns_rdataset_first(rdataset);
-			check_result(result, "empty DS dataset");
-
-			result = dns_dnssec_verify(name, rdataset, dnsseckey,
-						   ISC_FALSE, mctx, &sigrdata);
-
-			printf(";; VERIFYING ");
-			print_type(rdataset->type);
-			printf(" RRset for ");
-			dns_name_print(name, stdout);
-			printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
-			       isc_result_totext(result));
-
-			if (result == ISC_R_SUCCESS) {
-				dns_rdata_reset(&sigrdata);
-				return (result);
-			}
-		}
-		dns_rdata_freestruct(&siginfo);
-		dns_rdata_reset(&sigrdata);
-
-	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
-
-	dns_rdata_reset(&sigrdata);
-
-	return (ISC_R_NOTFOUND);
-}
-
-
-isc_result_t
-sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
-		   dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_rdata_t keyrdata = DNS_RDATA_INIT;
-	dns_rdata_t newdsrdata = DNS_RDATA_INIT;
-	dns_rdata_t dsrdata = DNS_RDATA_INIT;
-	dns_rdata_ds_t dsinfo;
-	dst_key_t *dnsseckey = NULL;
-	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
-
-	result = dns_rdataset_first(dsrdataset);
-	check_result(result, "empty DSset dataset");
-	do {
-		dns_rdataset_current(dsrdataset, &dsrdata);
-
-		result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
-		check_result(result, "dns_rdata_tostruct for DS");
-
-		result = dns_rdataset_first(keyrdataset);
-		check_result(result, "empty KEY dataset");
-
-		do {
-			dns_rdataset_current(keyrdataset, &keyrdata);
-			INSIST(keyrdata.type == dns_rdatatype_dnskey);
-
-			result = dns_dnssec_keyfromrdata(name, &keyrdata,
-							 mctx, &dnsseckey);
-			check_result(result, "dns_dnssec_keyfromrdata");
-
-			/*
-			 * Test if the id of the DNSKEY is the
-			 * id of DNSKEY referenced by the DS
-			 */
-			if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
-
-				result = dns_ds_buildrdata(name, &keyrdata,
-							   dsinfo.digest_type,
-							   dsbuf, &newdsrdata);
-				dns_rdata_freestruct(&dsinfo);
-
-				if (result != ISC_R_SUCCESS) {
-					dns_rdata_reset(&keyrdata);
-					dns_rdata_reset(&newdsrdata);
-					dns_rdata_reset(&dsrdata);
-					dst_key_free(&dnsseckey);
-					dns_rdata_freestruct(&dsinfo);
-					printf("Oops: impossible to build"
-					       " new DS rdata\n");
-					return (result);
-				}
-
-
-				if (dns_rdata_compare(&dsrdata,
-						      &newdsrdata) == 0) {
-					printf(";; OK a DS valids a DNSKEY"
-					       " in the RRset\n");
-					printf(";; Now verify that this"
-					       " DNSKEY validates the "
-					       "DNSKEY RRset\n");
-
-					result = sigchase_verify_sig_key(name,
-							 keyrdataset,
-							 dnsseckey,
-							 chase_sigkeyrdataset,
-							 mctx);
-					if (result ==  ISC_R_SUCCESS) {
-						dns_rdata_reset(&keyrdata);
-						dns_rdata_reset(&newdsrdata);
-						dns_rdata_reset(&dsrdata);
-						dst_key_free(&dnsseckey);
-
-						return (result);
-					}
-				} else {
-					printf(";; This DS is NOT the DS for"
-					       " the chasing KEY: FAILED\n");
-				}
-
-				dns_rdata_reset(&newdsrdata);
-			}
-			dst_key_free(&dnsseckey);
-			dns_rdata_reset(&keyrdata);
-			dnsseckey = NULL;
-		} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
-		dns_rdata_reset(&dsrdata);
-
-	} while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
-
-	dns_rdata_reset(&keyrdata);
-	dns_rdata_reset(&newdsrdata);
-	dns_rdata_reset(&dsrdata);
-
-	return (ISC_R_NOTFOUND);
-}
-
-/*
- *
- * take a pointer on a rdataset in parameter and try to resolv it.
- * the searched rrset is a rrset on 'name' with type 'type'
- * (and if the type is a rrsig the signature cover 'covers').
- * the lookedup is to known if you have already done the query on the net.
- * ISC_R_SUCCESS: if we found the rrset
- * ISC_R_NOTFOUND: we do not found the rrset in cache
- * and we do a query on the net
- * ISC_R_FAILURE: rrset not found
- */
-isc_result_t
-advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name,
-		  dns_rdatatype_t type, dns_rdatatype_t covers,
-		  isc_boolean_t *lookedup)
-{
-	isc_boolean_t  tmplookedup;
-
-	INSIST(rdataset != NULL);
-
-	if (*rdataset != NULL)
-		return (ISC_R_SUCCESS);
-
-	tmplookedup = *lookedup;
-	if ((*rdataset = sigchase_scanname(type, covers,
-					   lookedup, name)) == NULL) {
-		if (tmplookedup)
-			return (ISC_R_FAILURE);
-		return (ISC_R_NOTFOUND);
-	}
-	*lookedup = ISC_FALSE;
-	return (ISC_R_SUCCESS);
-}
-
-
-
-#if DIG_SIGCHASE_TD
-void
-sigchase_td(dns_message_t *msg)
-{
-	isc_result_t result;
-	dns_name_t *name = NULL;
-	isc_boolean_t have_answer = ISC_FALSE;
-	isc_boolean_t true = ISC_TRUE;
-
-	if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
-	    == ISC_R_SUCCESS) {
-		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
-		if (current_lookup->trace_root_sigchase) {
-			initialization(name);
-			return;
-		}
-		have_answer = true;
-	} else {
-		if (!current_lookup->trace_root_sigchase) {
-			result = dns_message_firstname(msg,
-						       DNS_SECTION_AUTHORITY);
-			if (result == ISC_R_SUCCESS)
-				dns_message_currentname(msg,
-							DNS_SECTION_AUTHORITY,
-							&name);
-			chase_nsrdataset
-				= chase_scanname_section(msg, name,
-							 dns_rdatatype_ns,
-							 dns_rdatatype_any,
-							 DNS_SECTION_AUTHORITY);
-			dup_name(name, &chase_authority_name, mctx);
-			if (chase_nsrdataset != NULL) {
-				have_delegation_ns = ISC_TRUE;
-				printf("no response but there is a delegation"
-				       " in authority section:");
-				dns_name_print(name, stdout);
-				printf("\n");
-			} else {
-				printf("no response and no delegation in "
-				       "authority section but a reference"
-				       " to: ");
-				dns_name_print(name, stdout);
-				printf("\n");
-				error_message = msg;
-			}
-		} else {
-			printf(";; NO ANSWERS: %s\n",
-			       isc_result_totext(result));
-			free_name(&chase_name, mctx);
-			clean_trustedkey();
-			return;
-		}
-	}
-
-
-	if (have_answer) {
-		chase_rdataset
-			= chase_scanname_section(msg, &chase_name,
-						 current_lookup
-						 ->rdtype_sigchase,
-						 dns_rdatatype_any,
-						 DNS_SECTION_ANSWER);
-		if (chase_rdataset != NULL)
-			have_response = ISC_TRUE;
-	}
-
-	result = advanced_rrsearch(&chase_keyrdataset,
-				   &chase_current_name,
-				   dns_rdatatype_dnskey,
-				   dns_rdatatype_any,
-				   &chase_keylookedup);
-	if (result == ISC_R_FAILURE) {
-		printf("\n;; DNSKEY is missing to continue validation:"
-		       " FAILED\n\n");
-		goto cleanandgo;
-	}
-	if (result == ISC_R_NOTFOUND)
-		return;
-	INSIST(chase_keyrdataset != NULL);
-	printf("\n;; DNSKEYset:\n");
-	print_rdataset(&chase_current_name , chase_keyrdataset, mctx);
-
-
-	result = advanced_rrsearch(&chase_sigkeyrdataset,
-				   &chase_current_name,
-				   dns_rdatatype_rrsig,
-				   dns_rdatatype_dnskey,
-				   &chase_sigkeylookedup);
-	if (result == ISC_R_FAILURE) {
-		printf("\n;; RRSIG of DNSKEY is missing to continue validation:"
-		       " FAILED\n\n");
-		goto cleanandgo;
-	}
-	if (result == ISC_R_NOTFOUND)
-		return;
-	INSIST(chase_sigkeyrdataset != NULL);
-	printf("\n;; RRSIG of the DNSKEYset:\n");
-	print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx);
-
-
-	if (!chase_dslookedup && !chase_nslookedup) {
-		if (!delegation_follow) {
-			result = contains_trusted_key(&chase_current_name,
-						      chase_keyrdataset,
-						      chase_sigkeyrdataset,
-						      mctx);
-		} else {
-			INSIST(chase_dsrdataset != NULL);
-			INSIST(chase_sigdsrdataset != NULL);
-			result = sigchase_verify_ds(&chase_current_name,
-						    chase_keyrdataset,
-						    chase_dsrdataset,
-						    mctx);
-		}
-
-		if (result != ISC_R_SUCCESS) {
-			printf("\n;; chain of trust can't be validated:"
-			       " FAILED\n\n");
-			goto cleanandgo;
-		} else {
-			chase_dsrdataset = NULL;
-			chase_sigdsrdataset = NULL;
-		}
-	}
-
-	if (have_response || (!have_delegation_ns && !have_response)) {
-		/* test if it's a grand father case */
-
-		if (have_response) {
-			result = advanced_rrsearch(&chase_sigrdataset,
-						   &chase_name,
-						   dns_rdatatype_rrsig,
-						   current_lookup
-						   ->rdtype_sigchase,
-						   &true);
-			if (result == ISC_R_FAILURE) {
-				printf("\n;; RRset is missing to continue"
-				       " validation SHOULD NOT APPEND:"
-				       " FAILED\n\n");
-				goto cleanandgo;
-			}
-
-		} else {
-			result = advanced_rrsearch(&chase_sigrdataset,
-						   &chase_authority_name,
-						   dns_rdatatype_rrsig,
-						   dns_rdatatype_any,
-						   &true);
-			if (result == ISC_R_FAILURE) {
-				printf("\n;; RRSIG is missing  to continue"
-				       " validation SHOULD NOT APPEND:"
-				       " FAILED\n\n");
-				goto cleanandgo;
-			}
-		}
-		result =  grandfather_pb_test(&chase_current_name,
-					      chase_sigrdataset);
-		if (result != ISC_R_SUCCESS) {
-			dns_name_t tmp_name;
-
-			printf("\n;; We are in a Grand Father Problem:"
-			       " See 2.2.1 in RFC 3568\n");
-			chase_rdataset = NULL;
-			chase_sigrdataset = NULL;
-			have_response = ISC_FALSE;
-			have_delegation_ns = ISC_FALSE;
-
-			dns_name_init(&tmp_name, NULL);
-			result = child_of_zone(&chase_name, &chase_current_name,
-					       &tmp_name);
-			if (dns_name_dynamic(&chase_authority_name))
-				free_name(&chase_authority_name, mctx);
-			dup_name(&tmp_name, &chase_authority_name, mctx);
-			printf(";; and we try to continue chain of trust"
-			       " validation of the zone: ");
-			dns_name_print(&chase_authority_name, stdout);
-			printf("\n");
-			have_delegation_ns = ISC_TRUE;
-		} else {
-			if (have_response)
-				goto finalstep;
-			else
-				chase_sigrdataset = NULL;
-		}
-	}
-
-	if (have_delegation_ns) {
-		chase_nsrdataset = NULL;
-		result = advanced_rrsearch(&chase_nsrdataset,
-					   &chase_authority_name,
-					   dns_rdatatype_ns,
-					   dns_rdatatype_any,
-					   &chase_nslookedup);
-		if (result == ISC_R_FAILURE) {
-			printf("\n;;NSset is missing to continue validation:"
-			       " FAILED\n\n");
-			goto cleanandgo;
-		}
-		if (result == ISC_R_NOTFOUND) {
-			return;
-		}
-		INSIST(chase_nsrdataset != NULL);
-
-		result = advanced_rrsearch(&chase_dsrdataset,
-					   &chase_authority_name,
-					   dns_rdatatype_ds,
-					   dns_rdatatype_any,
-					   &chase_dslookedup);
-		if (result == ISC_R_FAILURE) {
-			printf("\n;; DSset is missing to continue validation:"
-			       " FAILED\n\n");
-			goto cleanandgo;
-		}
-		if (result == ISC_R_NOTFOUND)
-			return;
-		INSIST(chase_dsrdataset != NULL);
-		printf("\n;; DSset:\n");
-		print_rdataset(&chase_authority_name , chase_dsrdataset, mctx);
-
-		result = advanced_rrsearch(&chase_sigdsrdataset,
-					   &chase_authority_name,
-					   dns_rdatatype_rrsig,
-					   dns_rdatatype_ds,
-					   &true);
-		if (result != ISC_R_SUCCESS) {
-			printf("\n;; DSset is missing to continue validation:"
-			       " FAILED\n\n");
-			goto cleanandgo;
-		}
-		printf("\n;; RRSIGset of DSset\n");
-		print_rdataset(&chase_authority_name,
-			       chase_sigdsrdataset, mctx);
-		INSIST(chase_sigdsrdataset != NULL);
-
-		result = sigchase_verify_sig(&chase_authority_name,
-					     chase_dsrdataset,
-					     chase_keyrdataset,
-					     chase_sigdsrdataset, mctx);
-		if (result != ISC_R_SUCCESS) {
-			printf("\n;; Impossible to verify the DSset:"
-			       " FAILED\n\n");
-			goto cleanandgo;
-		}
-		chase_keyrdataset = NULL;
-		chase_sigkeyrdataset = NULL;
-
-
-		prepare_lookup(&chase_authority_name);
-
-		have_response = ISC_FALSE;
-		have_delegation_ns = ISC_FALSE;
-		delegation_follow = ISC_TRUE;
-		error_message = NULL;
-		dup_name(&chase_authority_name, &chase_current_name, mctx);
-		free_name(&chase_authority_name, mctx);
-		return;
-	}
-
-
-	if (error_message != NULL) {
-		dns_rdataset_t *rdataset;
-		dns_rdataset_t *sigrdataset;
-		dns_name_t rdata_name;
-		isc_result_t ret = ISC_R_FAILURE;
-
-		dns_name_init(&rdata_name, NULL);
-		result = prove_nx(error_message, &chase_name,
-				  current_lookup->rdclass_sigchase,
-				  current_lookup->rdtype_sigchase, &rdata_name,
-				  &rdataset, &sigrdataset);
-		if (rdataset == NULL || sigrdataset == NULL ||
-		    dns_name_countlabels(&rdata_name) == 0) {
-			printf("\n;; Impossible to verify the non-existence,"
-			       " the NSEC RRset can't be validated:"
-			       " FAILED\n\n");
-			goto cleanandgo;
-		}
-		ret = sigchase_verify_sig(&rdata_name, rdataset,
-					  chase_keyrdataset,
-					  sigrdataset, mctx);
-		if (ret != ISC_R_SUCCESS) {
-			free_name(&rdata_name, mctx);
-			printf("\n;; Impossible to verify the NSEC RR to prove"
-			       " the non-existence : FAILED\n\n");
-			goto cleanandgo;
-		}
-		free_name(&rdata_name, mctx);
-		if (result != ISC_R_SUCCESS) {
-			printf("\n;; Impossible to verify the non-existence:"
-			       " FAILED\n\n");
-			goto cleanandgo;
-		} else {
-			printf("\n;; OK the query doesn't have response but"
-			       " we have validate this fact : SUCCESS\n\n");
-			goto cleanandgo;
-		}
-	}
-
- cleanandgo:
-	printf(";; cleanandgo \n");
-	if (dns_name_dynamic(&chase_current_name))
-		free_name(&chase_current_name, mctx);
-	if (dns_name_dynamic(&chase_authority_name))
-		free_name(&chase_authority_name, mctx);
-	clean_trustedkey();
-	return;
-
-	finalstep :
-		result = advanced_rrsearch(&chase_rdataset, &chase_name,
-					   current_lookup->rdtype_sigchase,
-					   dns_rdatatype_any ,
-					   &true);
-	if (result == ISC_R_FAILURE) {
-		printf("\n;; RRsig of RRset is missing to continue validation"
-		       " SHOULD NOT APPEND: FAILED\n\n");
-		goto cleanandgo;
-	}
-	result = sigchase_verify_sig(&chase_name, chase_rdataset,
-				     chase_keyrdataset,
-				     chase_sigrdataset, mctx);
-	if (result != ISC_R_SUCCESS) {
-		printf("\n;; Impossible to verify the RRset : FAILED\n\n");
-		/*
-		  printf("RRset:\n");
-		  print_rdataset(&chase_name , chase_rdataset, mctx);
-		  printf("DNSKEYset:\n");
-		  print_rdataset(&chase_name , chase_keyrdataset, mctx);
-		  printf("RRSIG of RRset:\n");
-		  print_rdataset(&chase_name , chase_sigrdataset, mctx);
-		  printf("\n");
-		*/
-		goto cleanandgo;
-	} else {
-		printf("\n;; The Answer:\n");
-		print_rdataset(&chase_name , chase_rdataset, mctx);
-
-		printf("\n;; FINISH : we have validate the DNSSEC chain"
-		       " of trust: SUCCESS\n\n");
-		goto cleanandgo;
-	}
-}
-
-#endif
-
-
-#if DIG_SIGCHASE_BU
-
-isc_result_t
-getneededrr(dns_message_t *msg)
-{
-	isc_result_t result;
-	dns_name_t *name = NULL;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdata_sig_t siginfo;
-	isc_boolean_t   true = ISC_TRUE;
-
-	if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
-	    != ISC_R_SUCCESS) {
-		printf(";; NO ANSWERS: %s\n", isc_result_totext(result));
-
-		if (chase_name.ndata == NULL)
-			return (ISC_R_ADDRNOTAVAIL);
-	} else {
-		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
-	}
-
-	/* What do we chase? */
-	if (chase_rdataset == NULL) {
-		result = advanced_rrsearch(&chase_rdataset, name,
-					   dns_rdatatype_any,
-					   dns_rdatatype_any, &true);
-		if (result != ISC_R_SUCCESS) {
-			printf("\n;; No Answers: Validation FAILED\n\n");
-			return (ISC_R_NOTFOUND);
-		}
-		dup_name(name, &chase_name, mctx);
-		printf(";; RRset to chase:\n");
-		print_rdataset(&chase_name, chase_rdataset, mctx);
-	}
-	INSIST(chase_rdataset != NULL);
-
-
-	if (chase_sigrdataset == NULL) {
-		result = advanced_rrsearch(&chase_sigrdataset, name,
-					   dns_rdatatype_rrsig,
-					   chase_rdataset->type,
-					   &chase_siglookedup);
-		if (result == ISC_R_FAILURE) {
-			printf("\n;; RRSIG is missing for continue validation:"
-			       " FAILED\n\n");
-			if (dns_name_dynamic(&chase_name))
-				free_name(&chase_name, mctx);
-			return (ISC_R_NOTFOUND);
-		}
-		if (result == ISC_R_NOTFOUND) {
-			return (ISC_R_NOTFOUND);
-		}
-		printf("\n;; RRSIG of the RRset to chase:\n");
-		print_rdataset(&chase_name, chase_sigrdataset, mctx);
-	}
-	INSIST(chase_sigrdataset != NULL);
-
-
-	/* first find the DNSKEY name */
-	result = dns_rdataset_first(chase_sigrdataset);
-	check_result(result, "empty RRSIG dataset");
-	dns_rdataset_current(chase_sigrdataset, &sigrdata);
-	result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
-	check_result(result, "sigrdata tostruct siginfo");
-	dup_name(&siginfo.signer, &chase_signame, mctx);
-	dns_rdata_freestruct(&siginfo);
-	dns_rdata_reset(&sigrdata);
-
-	/* Do we have a key?  */
-	if (chase_keyrdataset == NULL) {
-		result = advanced_rrsearch(&chase_keyrdataset,
-					   &chase_signame,
-					   dns_rdatatype_dnskey,
-					   dns_rdatatype_any,
-					   &chase_keylookedup);
-		if (result == ISC_R_FAILURE) {
-			printf("\n;; DNSKEY is missing to continue validation:"
-			       " FAILED\n\n");
-			free_name(&chase_signame, mctx);
-			if (dns_name_dynamic(&chase_name))
-				free_name(&chase_name, mctx);
-			return (ISC_R_NOTFOUND);
-		}
-		if (result == ISC_R_NOTFOUND) {
-			free_name(&chase_signame, mctx);
-			return (ISC_R_NOTFOUND);
-		}
-		printf("\n;; DNSKEYset that signs the RRset to chase:\n");
-		print_rdataset(&chase_signame, chase_keyrdataset, mctx);
-	}
-	INSIST(chase_keyrdataset != NULL);
-
-	if (chase_sigkeyrdataset == NULL) {
-		result = advanced_rrsearch(&chase_sigkeyrdataset,
-					   &chase_signame,
-					   dns_rdatatype_rrsig,
-					   dns_rdatatype_dnskey,
-					   &chase_sigkeylookedup);
-		if (result == ISC_R_FAILURE) {
-			printf("\n;; RRSIG for DNSKEY  is missing  to continue"
-			       " validation : FAILED\n\n");
-			free_name(&chase_signame, mctx);
-			if (dns_name_dynamic(&chase_name))
-				free_name(&chase_name, mctx);
-			return (ISC_R_NOTFOUND);
-		}
-		if (result == ISC_R_NOTFOUND) {
-			free_name(&chase_signame, mctx);
-			return (ISC_R_NOTFOUND);
-		}
-		printf("\n;; RRSIG of the DNSKEYset that signs the "
-		       "RRset to chase:\n");
-		print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx);
-	}
-	INSIST(chase_sigkeyrdataset != NULL);
-
-
-	if (chase_dsrdataset == NULL) {
-		result = advanced_rrsearch(&chase_dsrdataset, &chase_signame,
-					   dns_rdatatype_ds,
-					   dns_rdatatype_any,
-		&chase_dslookedup);
-		if (result == ISC_R_FAILURE) {
-			printf("\n;; WARNING There is no DS for the zone: ");
-			dns_name_print(&chase_signame, stdout);
-			printf("\n");
-		}
-		if (result == ISC_R_NOTFOUND) {
-			free_name(&chase_signame, mctx);
-			return (ISC_R_NOTFOUND);
-		}
-		if (chase_dsrdataset != NULL) {
-			printf("\n;; DSset of the DNSKEYset\n");
-			print_rdataset(&chase_signame, chase_dsrdataset, mctx);
-		}
-	}
-
-	if (chase_dsrdataset != NULL) {
-		/*
-		 * if there is no RRSIG of DS,
-		 * we don't want to search on the network
-		 */
-		result = advanced_rrsearch(&chase_sigdsrdataset,
-					   &chase_signame,
-					   dns_rdatatype_rrsig,
-					   dns_rdatatype_ds, &true);
-		if (result == ISC_R_FAILURE) {
-			printf(";; WARNING : NO RRSIG DS : RRSIG DS"
-			       " should come with DS\n");
-			/*
-			 * We continue even the DS couldn't be validated,
-			 * because the DNSKEY could be a Trusted Key.
-			 */
-			chase_dsrdataset = NULL;
-		} else {
-			printf("\n;; RRSIG of the DSset of the DNSKEYset\n");
-			print_rdataset(&chase_signame, chase_sigdsrdataset,
-				       mctx);
-		}
-	}
-	return (1);
-}
-
-
-
-void
-sigchase_bu(dns_message_t *msg)
-{
-	isc_result_t result;
-	int ret;
-
-	if (tk_list.nb_tk == 0) {
-		result = get_trusted_key(mctx);
-		if (result != ISC_R_SUCCESS) {
-			printf("No trusted keys present\n");
-			return;
-		}
-	}
-
-
-	ret = getneededrr(msg);
-	if (ret == ISC_R_NOTFOUND)
-		return;
-
-	if (ret == ISC_R_ADDRNOTAVAIL) {
-		/* We have no response */
-		dns_rdataset_t *rdataset;
-		dns_rdataset_t *sigrdataset;
-		dns_name_t rdata_name;
-		dns_name_t query_name;
-
-
-		dns_name_init(&query_name, NULL);
-		dns_name_init(&rdata_name, NULL);
-		nameFromString(current_lookup->textname, &query_name);
-
-		result = prove_nx(msg, &query_name, current_lookup->rdclass,
-				  current_lookup->rdtype, &rdata_name,
-				  &rdataset, &sigrdataset);
-		free_name(&query_name, mctx);
-		if (rdataset == NULL || sigrdataset == NULL ||
-		    dns_name_countlabels(&rdata_name) == 0) {
-			printf("\n;; Impossible to verify the Non-existence,"
-			       " the NSEC RRset can't be validated: "
-			       "FAILED\n\n");
-			clean_trustedkey();
-			return;
-		}
-
-		if (result != ISC_R_SUCCESS) {
-			printf("\n No Answers and impossible to prove the"
-			       " unsecurity : Validation FAILED\n\n");
-			clean_trustedkey();
-			return;
-		}
-		printf(";; An NSEC prove the non-existence of a answers,"
-		       " Now we want validate this NSEC\n");
-
-		dup_name(&rdata_name, &chase_name, mctx);
-		free_name(&rdata_name, mctx);
-		chase_rdataset =  rdataset;
-		chase_sigrdataset = sigrdataset;
-		chase_keyrdataset = NULL;
-		chase_sigkeyrdataset = NULL;
-		chase_dsrdataset = NULL;
-		chase_sigdsrdataset = NULL;
-		chase_siglookedup = ISC_FALSE;
-		chase_keylookedup = ISC_FALSE;
-		chase_dslookedup = ISC_FALSE;
-		chase_sigdslookedup = ISC_FALSE;
-		sigchase(msg);
-		clean_trustedkey();
-		return;
-	}
-
-
-	printf("\n\n\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\n");
-
-	result = sigchase_verify_sig(&chase_name, chase_rdataset,
-				     chase_keyrdataset,
-				     chase_sigrdataset, mctx);
-	if (result != ISC_R_SUCCESS) {
-		free_name(&chase_name, mctx);
-		free_name(&chase_signame, mctx);
-		printf(";; No DNSKEY is valid to check the RRSIG"
-		       " of the RRset: FAILED\n");
-		clean_trustedkey();
-		return;
-	}
-	printf(";; OK We found DNSKEY (or more) to validate the RRset\n");
-
-	result = contains_trusted_key(&chase_signame, chase_keyrdataset,
-				      chase_sigkeyrdataset, mctx);
-	if (result ==  ISC_R_SUCCESS) {
-		free_name(&chase_name, mctx);
-		free_name(&chase_signame, mctx);
-		printf("\n;; Ok this DNSKEY is a Trusted Key,"
-		       " DNSSEC validation is ok: SUCCESS\n\n");
-		clean_trustedkey();
-		return;
-	}
-
-	printf(";; Now, we are going to validate this DNSKEY by the DS\n");
-
-	if (chase_dsrdataset == NULL) {
-		free_name(&chase_name, mctx);
-		free_name(&chase_signame, mctx);
-		printf(";; the DNSKEY isn't trusted-key and there isn't"
-		       " DS to validate the DNSKEY: FAILED\n");
-		clean_trustedkey();
-		return;
-	}
-
-	result =  sigchase_verify_ds(&chase_signame, chase_keyrdataset,
-				     chase_dsrdataset, mctx);
-	if (result !=  ISC_R_SUCCESS) {
-		free_name(&chase_signame, mctx);
-		free_name(&chase_name, mctx);
-		printf(";; ERROR no DS validates a DNSKEY in the"
-		       " DNSKEY RRset: FAILED\n");
-		clean_trustedkey();
-		return;
-	} else
-		printf(";; OK this DNSKEY (validated by the DS) validates"
-		       " the RRset of the DNSKEYs, thus the DNSKEY validates"
-		       " the RRset\n");
-	INSIST(chase_sigdsrdataset != NULL);
-
-	dup_name(&chase_signame, &chase_name, mctx);
-	free_name(&chase_signame, mctx);
-	chase_rdataset = chase_dsrdataset;
-	chase_sigrdataset = chase_sigdsrdataset;
-	chase_keyrdataset = NULL;
-	chase_sigkeyrdataset = NULL;
-	chase_dsrdataset = NULL;
-	chase_sigdsrdataset = NULL;
-	chase_siglookedup = chase_keylookedup = ISC_FALSE;
-	chase_dslookedup = chase_sigdslookedup = ISC_FALSE;
-
-	printf(";; Now, we want to validate the DS :  recursive call\n");
-	sigchase(msg);
-	return;
-}
-#endif
-
-void
-sigchase(dns_message_t *msg) {
-#if DIG_SIGCHASE_TD
-	if (current_lookup->do_topdown) {
-		sigchase_td(msg);
-		return;
-	}
-#endif
-#if DIG_SIGCHASE_BU
-	sigchase_bu(msg);
-	return;
-#endif
-}
-
-
-/*
- * return 1  if name1  <  name2
- *	  0  if name1  == name2
- *	  -1 if name1  >  name2
- *    and -2 if problem
- */
-int
-inf_name(dns_name_t *name1, dns_name_t *name2)
-{
-	dns_label_t  label1;
-	dns_label_t  label2;
-	unsigned int nblabel1;
-	unsigned int nblabel2;
-	int min_lum_label;
-	int i;
-	int ret = -2;
-
-	nblabel1 = dns_name_countlabels(name1);
-	nblabel2 = dns_name_countlabels(name2);
-
-	if (nblabel1 >= nblabel2)
-		min_lum_label = nblabel2;
-	else
-		min_lum_label = nblabel1;
-
-
-	for (i=1 ; i < min_lum_label; i++) {
-		dns_name_getlabel(name1, nblabel1 -1  - i, &label1);
-		dns_name_getlabel(name2, nblabel2 -1  - i, &label2);
-		if ((ret = isc_region_compare(&label1, &label2)) != 0) {
-			if (ret < 0)
-				return (-1);
-			else if (ret > 0)
-				return (1);
-		}
-	}
-	if (nblabel1 == nblabel2)
-		return (0);
-
-	if (nblabel1 < nblabel2)
-		return (-1);
-	else
-		return (1);
-}
-
-/**
- *
- *
- *
- */
-isc_result_t
-prove_nx_domain(dns_message_t *msg,
-		dns_name_t *name,
-		dns_name_t *rdata_name,
-		dns_rdataset_t **rdataset,
-		dns_rdataset_t **sigrdataset)
-{
-	isc_result_t ret = ISC_R_FAILURE;
-	isc_result_t result = ISC_R_NOTFOUND;
-	dns_rdataset_t *nsecset = NULL;
-	dns_rdataset_t *signsecset = NULL ;
-	dns_rdata_t nsec = DNS_RDATA_INIT;
-	dns_name_t *nsecname;
-	dns_rdata_nsec_t nsecstruct;
-
-	if ((result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
-	    != ISC_R_SUCCESS) {
-		printf(";; nothing in authority section : impossible to"
-		       " validate the non-existence : FAILED\n");
-		return (ISC_R_FAILURE);
-	}
-
-	do {
-		nsecname = NULL;
-		dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname);
-		nsecset = search_type(nsecname, dns_rdatatype_nsec,
-				      dns_rdatatype_any);
-		if (nsecset == NULL)
-			continue;
-
-		printf("There is a NSEC for this zone in the"
-		       " AUTHORITY section:\n");
-		print_rdataset(nsecname, nsecset, mctx);
-
-		for (result = dns_rdataset_first(nsecset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(nsecset)) {
-			dns_rdataset_current(nsecset, &nsec);
-
-
-			signsecset
-				= chase_scanname_section(msg, nsecname,
-						 dns_rdatatype_rrsig,
-						 dns_rdatatype_nsec,
-						 DNS_SECTION_AUTHORITY);
-			if (signsecset == NULL) {
-				printf(";; no RRSIG NSEC in authority section:"
-				       " impossible to validate the "
-				       "non-existence: FAILED\n");
-				return (ISC_R_FAILURE);
-			}
-
-			ret = dns_rdata_tostruct(&nsec, &nsecstruct, NULL);
-			check_result(ret,"dns_rdata_tostruct");
-
-			if ((inf_name(nsecname, &nsecstruct.next) == 1 &&
-			     inf_name(name, &nsecstruct.next) == 1) ||
-			    (inf_name(name, nsecname) == 1 &&
-			     inf_name(&nsecstruct.next, name) == 1)) {
-				dns_rdata_freestruct(&nsecstruct);
-				*rdataset = nsecset;
-				*sigrdataset = signsecset;
-				dup_name(nsecname, rdata_name, mctx);
-
-				return (ISC_R_SUCCESS);
-			}
-
-			dns_rdata_freestruct(&nsecstruct);
-			dns_rdata_reset(&nsec);
-		}
-	} while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY)
-		 == ISC_R_SUCCESS);
-
-	*rdataset = NULL;
-	*sigrdataset =  NULL;
-	rdata_name = NULL;
-	return (ISC_R_FAILURE);
-}
-
-/**
- *
- *
- *
- *
- *
- */
-isc_result_t
-prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
-	      dns_rdataclass_t class, dns_rdatatype_t type,
-	      dns_name_t *rdata_name, dns_rdataset_t **rdataset,
-	      dns_rdataset_t **sigrdataset)
-{
-	isc_result_t ret;
-	dns_rdataset_t *signsecset;
-	dns_rdata_t nsec = DNS_RDATA_INIT;
-
-	UNUSED(class);
-
-	ret = dns_rdataset_first(nsecset);
-	check_result(ret,"dns_rdataset_first");
-
-	dns_rdataset_current(nsecset, &nsec);
-
-	ret = dns_nsec_typepresent(&nsec, type);
-	if (ret == ISC_R_SUCCESS)
-		printf("OK the NSEC said that the type doesn't exist \n");
-
-	signsecset = chase_scanname_section(msg, name,
-					    dns_rdatatype_rrsig,
-					    dns_rdatatype_nsec,
-					    DNS_SECTION_AUTHORITY);
-	if (signsecset == NULL) {
-		printf("There isn't RRSIG NSEC for the zone \n");
-		return (ISC_R_FAILURE);
-	}
-	dup_name(name, rdata_name, mctx);
-	*rdataset = nsecset;
-	*sigrdataset = signsecset;
-
-	return (ret);
-}
-
-/**
- *
- *
- *
- *
- */
-isc_result_t
-prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
-	 dns_rdatatype_t type, dns_name_t *rdata_name,
-	 dns_rdataset_t **rdataset, dns_rdataset_t **sigrdataset)
-{
-	isc_result_t ret;
-	dns_rdataset_t *nsecset = NULL;
-
-	printf("We want to prove the non-existence of a type of rdata %d"
-	       " or of the zone: \n", type);
-
-	if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
-	    != ISC_R_SUCCESS) {
-		printf(";; nothing in authority section : impossible to"
-		       " validate the non-existence : FAILED\n");
-		return (ISC_R_FAILURE);
-	}
-
-	nsecset = chase_scanname_section(msg, name, dns_rdatatype_nsec,
-					 dns_rdatatype_any,
-					 DNS_SECTION_AUTHORITY);
-	if (nsecset != NULL) {
-		printf("We have a NSEC for this zone :OK\n");
-		ret = prove_nx_type(msg, name, nsecset, class,
-				    type, rdata_name, rdataset,
-				    sigrdataset);
-		if (ret != ISC_R_SUCCESS) {
-			printf("prove_nx: ERROR type exist\n");
-			return (ret);
-		} else {
-			printf("prove_nx: OK type does not exist\n");
-			return (ISC_R_SUCCESS);
-		}
-	} else {
-		printf("there is no NSEC for this zone: validating "
-		       "that the zone doesn't exist\n");
-		ret = prove_nx_domain(msg, name, rdata_name,
-				      rdataset, sigrdataset);
-		return (ret);
-	}
-	/* Never get here */
-}
-#endif
diff --git a/contrib/bind9/bin/dig/host.1 b/contrib/bind9/bin/dig/host.1
deleted file mode 100644
index b6eb81b..0000000
--- a/contrib/bind9/bin/dig/host.1
+++ /dev/null
@@ -1,219 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: host
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-host \- DNS lookup utility
-.SH "SYNOPSIS"
-.HP 5
-\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server]
-.SH "DESCRIPTION"
-.PP
-\fBhost\fR
-is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given,
-\fBhost\fR
-prints a short summary of its command line arguments and options.
-.PP
-\fIname\fR
-is the domain name that is to be looked up. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
-\fBhost\fR
-will by default perform a reverse lookup for that address.
-\fIserver\fR
-is an optional argument which is either the name or IP address of the name server that
-\fBhost\fR
-should query instead of the server or servers listed in
-\fI/etc/resolv.conf\fR.
-.PP
-The
-\fB\-a\fR
-(all) option is equivalent to setting the
-\fB\-v\fR
-option and asking
-\fBhost\fR
-to make a query of type ANY.
-.PP
-When the
-\fB\-C\fR
-option is used,
-\fBhost\fR
-will attempt to display the SOA records for zone
-\fIname\fR
-from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.
-.PP
-The
-\fB\-c\fR
-option instructs to make a DNS query of class
-\fIclass\fR. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet).
-.PP
-Verbose output is generated by
-\fBhost\fR
-when the
-\fB\-d\fR
-or
-\fB\-v\fR
-option is used. The two options are equivalent. They have been provided for backwards compatibility. In previous versions, the
-\fB\-d\fR
-option switched on debugging traces and
-\fB\-v\fR
-enabled verbose output.
-.PP
-List mode is selected by the
-\fB\-l\fR
-option. This makes
-\fBhost\fR
-perform a zone transfer for zone
-\fIname\fR. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with
-\fB\-a\fR
-all records will be printed.
-.PP
-The
-\fB\-i\fR
-option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. The default is to use IP6.ARPA.
-.PP
-The
-\fB\-N\fR
-option sets the number of dots that have to be in
-\fIname\fR
-for it to be considered absolute. The default value is that defined using the ndots statement in
-\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
-\fBsearch\fR
-or
-\fBdomain\fR
-directive in
-\fI/etc/resolv.conf\fR.
-.PP
-The number of UDP retries for a lookup can be changed with the
-\fB\-R\fR
-option.
-\fInumber\fR
-indicates how many times
-\fBhost\fR
-will repeat a query that does not get answered. The default number of retries is 1. If
-\fInumber\fR
-is negative or zero, the number of retries will default to 1.
-.PP
-Non\-recursive queries can be made via the
-\fB\-r\fR
-option. Setting this option clears the
-\fBRD\fR
-\(em recursion desired \(em bit in the query which
-\fBhost\fR
-makes. This should mean that the name server receiving the query will not attempt to resolve
-\fIname\fR. The
-\fB\-r\fR
-option enables
-\fBhost\fR
-to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
-.PP
-By default,
-\fBhost\fR
-uses UDP when making queries. The
-\fB\-T\fR
-option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests.
-.PP
-The
-\fB\-4\fR
-option forces
-\fBhost\fR
-to only use IPv4 query transport. The
-\fB\-6\fR
-option forces
-\fBhost\fR
-to only use IPv6 query transport.
-.PP
-The
-\fB\-t\fR
-option is used to select the query type.
-\fItype\fR
-can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
-\fBhost\fR
-automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the
-\fB\-C\fR
-option was given, queries will be made for SOA records, and if
-\fIname\fR
-is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
-\fBhost\fR
-will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. \-t IXFR=12345678).
-.PP
-The time to wait for a reply can be controlled through the
-\fB\-W\fR
-and
-\fB\-w\fR
-options. The
-\fB\-W\fR
-option makes
-\fBhost\fR
-wait for
-\fIwait\fR
-seconds. If
-\fIwait\fR
-is less than one, the wait interval is set to one second. When the
-\fB\-w\fR
-option is used,
-\fBhost\fR
-will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
-.PP
-The
-\fB\-s\fR
-option tells
-\fBhost\fR
-\fInot\fR
-to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior.
-.PP
-The
-\fB\-m\fR
-can be used to set the memory usage debugging flags
-\fIrecord\fR,
-\fIusage\fR
-and
-\fItrace\fR.
-.SH "IDN SUPPORT"
-.PP
-If
-\fBhost\fR
-has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
-\fBhost\fR
-appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
-\fBIDN_DISABLE\fR
-environment variable. The IDN support is disabled if the variable is set when
-\fBhost\fR
-runs.
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBnamed\fR(8).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2002 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c
deleted file mode 100644
index 49fe991..0000000
--- a/contrib/bind9/bin/dig/host.c
+++ /dev/null
@@ -1,892 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: host.c,v 1.127 2011/03/11 06:11:20 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-#include <stdlib.h>
-#include <limits.h>
-
-#ifdef HAVE_LOCALE_H
-#include <locale.h>
-#endif
-
-#ifdef WITH_IDN
-#include <idn/result.h>
-#include <idn/log.h>
-#include <idn/resconf.h>
-#include <idn/api.h>
-#endif
-
-#include <isc/app.h>
-#include <isc/commandline.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-#include <isc/task.h>
-#include <isc/stdlib.h>
-
-#include <dns/byaddr.h>
-#include <dns/fixedname.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatatype.h>
-#include <dns/rdatastruct.h>
-
-#include <dig/dig.h>
-
-static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE;
-static isc_boolean_t default_lookups = ISC_TRUE;
-static int seen_error = -1;
-static isc_boolean_t list_addresses = ISC_TRUE;
-static dns_rdatatype_t list_type = dns_rdatatype_a;
-static isc_boolean_t printed_server = ISC_FALSE;
-
-static const char *opcodetext[] = {
-	"QUERY",
-	"IQUERY",
-	"STATUS",
-	"RESERVED3",
-	"NOTIFY",
-	"UPDATE",
-	"RESERVED6",
-	"RESERVED7",
-	"RESERVED8",
-	"RESERVED9",
-	"RESERVED10",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15"
-};
-
-static const char *rcodetext[] = {
-	"NOERROR",
-	"FORMERR",
-	"SERVFAIL",
-	"NXDOMAIN",
-	"NOTIMP",
-	"REFUSED",
-	"YXDOMAIN",
-	"YXRRSET",
-	"NXRRSET",
-	"NOTAUTH",
-	"NOTZONE",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15",
-	"BADVERS"
-};
-
-struct rtype {
-	unsigned int type;
-	const char *text;
-};
-
-struct rtype rtypes[] = {
-	{ 1, 	"has address" },
-	{ 2, 	"name server" },
-	{ 5, 	"is an alias for" },
-	{ 11,	"has well known services" },
-	{ 12,	"domain name pointer" },
-	{ 13,	"host information" },
-	{ 15,	"mail is handled by" },
-	{ 16,	"descriptive text" },
-	{ 19,	"x25 address" },
-	{ 20,	"ISDN address" },
-	{ 24,	"has signature" },
-	{ 25,	"has key" },
-	{ 28,	"has IPv6 address" },
-	{ 29,	"location" },
-	{ 0, NULL }
-};
-
-static char *
-rcode_totext(dns_rcode_t rcode)
-{
-	static char buf[sizeof("?65535")];
-	union {
-		const char *consttext;
-		char *deconsttext;
-	} totext;
-
-	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
-		snprintf(buf, sizeof(buf), "?%u", rcode);
-		totext.deconsttext = buf;
-	} else
-		totext.consttext = rcodetext[rcode];
-	return totext.deconsttext;
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-show_usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-show_usage(void) {
-	fputs(
-"Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
-"            [-R number] [-m flag] hostname [server]\n"
-"       -a is equivalent to -v -t ANY\n"
-"       -c specifies query class for non-IN data\n"
-"       -C compares SOA records on authoritative nameservers\n"
-"       -d is equivalent to -v\n"
-"       -l lists all hosts in a domain, using AXFR\n"
-"       -i IP6.INT reverse lookups\n"
-"       -N changes the number of dots allowed before root lookup is done\n"
-"       -r disables recursive processing\n"
-"       -R specifies number of retries for UDP packets\n"
-"       -s a SERVFAIL response should stop query\n"
-"       -t specifies the query type\n"
-"       -T enables TCP/IP mode\n"
-"       -v enables verbose output\n"
-"       -w specifies to wait forever for a reply\n"
-"       -W specifies how long to wait for a reply\n"
-"       -4 use IPv4 query transport only\n"
-"       -6 use IPv6 query transport only\n"
-"       -m set memory debugging flag (trace|record|usage)\n", stderr);
-	exit(1);
-}
-
-void
-dighost_shutdown(void) {
-	isc_app_shutdown();
-}
-
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
-	isc_time_t now;
-	int diff;
-
-	if (!short_form) {
-		char fromtext[ISC_SOCKADDR_FORMATSIZE];
-		isc_sockaddr_format(from, fromtext, sizeof(fromtext));
-		TIME_NOW(&now);
-		diff = (int) isc_time_microdiff(&now, &query->time_sent);
-		printf("Received %u bytes from %s in %d ms\n",
-		       bytes, fromtext, diff/1000);
-	}
-}
-
-void
-trying(char *frm, dig_lookup_t *lookup) {
-	UNUSED(lookup);
-
-	if (!short_form)
-		printf("Trying \"%s\"\n", frm);
-}
-
-static void
-say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
-	    dig_query_t *query)
-{
-	isc_buffer_t *b = NULL;
-	char namestr[DNS_NAME_FORMATSIZE];
-	isc_region_t r;
-	isc_result_t result;
-	unsigned int bufsize = BUFSIZ;
-
-	dns_name_format(name, namestr, sizeof(namestr));
- retry:
-	result = isc_buffer_allocate(mctx, &b, bufsize);
-	check_result(result, "isc_buffer_allocate");
-	result = dns_rdata_totext(rdata, NULL, b);
-	if (result == ISC_R_NOSPACE) {
-		isc_buffer_free(&b);
-		bufsize *= 2;
-		goto retry;
-	}
-	check_result(result, "dns_rdata_totext");
-	isc_buffer_usedregion(b, &r);
-	if (query->lookup->identify_previous_line) {
-		printf("Nameserver %s:\n\t",
-			query->servname);
-	}
-	printf("%s %s %.*s", namestr,
-	       msg, (int)r.length, (char *)r.base);
-	if (query->lookup->identify) {
-		printf(" on server %s", query->servname);
-	}
-	printf("\n");
-	isc_buffer_free(&b);
-}
-#ifdef DIG_SIGCHASE
-/* Just for compatibility : not use in host program */
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
-	      isc_buffer_t *target)
-{
-  UNUSED(owner_name);
-  UNUSED(rdataset);
-  UNUSED(target);
-  return(ISC_FALSE);
-}
-#endif
-static isc_result_t
-printsection(dns_message_t *msg, dns_section_t sectionid,
-	     const char *section_name, isc_boolean_t headers,
-	     dig_query_t *query)
-{
-	dns_name_t *name, *print_name;
-	dns_rdataset_t *rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_buffer_t target;
-	isc_result_t result, loopresult;
-	isc_region_t r;
-	dns_name_t empty_name;
-	char t[4096];
-	isc_boolean_t first;
-	isc_boolean_t no_rdata;
-
-	if (sectionid == DNS_SECTION_QUESTION)
-		no_rdata = ISC_TRUE;
-	else
-		no_rdata = ISC_FALSE;
-
-	if (headers)
-		printf(";; %s SECTION:\n", section_name);
-
-	dns_name_init(&empty_name, NULL);
-
-	result = dns_message_firstname(msg, sectionid);
-	if (result == ISC_R_NOMORE)
-		return (ISC_R_SUCCESS);
-	else if (result != ISC_R_SUCCESS)
-		return (result);
-
-	for (;;) {
-		name = NULL;
-		dns_message_currentname(msg, sectionid, &name);
-
-		isc_buffer_init(&target, t, sizeof(t));
-		first = ISC_TRUE;
-		print_name = name;
-
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if (query->lookup->rdtype == dns_rdatatype_axfr &&
-			    !((!list_addresses &&
-			       (list_type == dns_rdatatype_any ||
-				rdataset->type == list_type)) ||
-			      (list_addresses &&
-			       (rdataset->type == dns_rdatatype_a ||
-				rdataset->type == dns_rdatatype_aaaa ||
-				rdataset->type == dns_rdatatype_ns ||
-				rdataset->type == dns_rdatatype_ptr))))
-				continue;
-			if (!short_form) {
-				result = dns_rdataset_totext(rdataset,
-							     print_name,
-							     ISC_FALSE,
-							     no_rdata,
-							     &target);
-				if (result != ISC_R_SUCCESS)
-					return (result);
-#ifdef USEINITALWS
-				if (first) {
-					print_name = &empty_name;
-					first = ISC_FALSE;
-				}
-#else
-				UNUSED(first); /* Shut up compiler. */
-#endif
-			} else {
-				loopresult = dns_rdataset_first(rdataset);
-				while (loopresult == ISC_R_SUCCESS) {
-					struct rtype *t;
-					const char *rtt;
-					char typebuf[DNS_RDATATYPE_FORMATSIZE];
-					char typebuf2[DNS_RDATATYPE_FORMATSIZE
-						     + 20];
-					dns_rdataset_current(rdataset, &rdata);
-
-					for (t = rtypes; t->text != NULL; t++) {
-						if (t->type == rdata.type) {
-							rtt = t->text;
-							goto found;
-						}
-					}
-
-					dns_rdatatype_format(rdata.type,
-							     typebuf,
-							     sizeof(typebuf));
-					snprintf(typebuf2, sizeof(typebuf2),
-						 "has %s record", typebuf);
-					rtt = typebuf2;
-				found:
-					say_message(print_name, rtt,
-						    &rdata, query);
-					dns_rdata_reset(&rdata);
-					loopresult =
-						dns_rdataset_next(rdataset);
-				}
-			}
-		}
-		if (!short_form) {
-			isc_buffer_usedregion(&target, &r);
-			if (no_rdata)
-				printf(";%.*s", (int)r.length,
-				       (char *)r.base);
-			else
-				printf("%.*s", (int)r.length, (char *)r.base);
-		}
-
-		result = dns_message_nextname(msg, sectionid);
-		if (result == ISC_R_NOMORE)
-			break;
-		else if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
-	   const char *set_name, isc_boolean_t headers)
-{
-	isc_buffer_t target;
-	isc_result_t result;
-	isc_region_t r;
-	char t[4096];
-
-	UNUSED(msg);
-	if (headers)
-		printf(";; %s SECTION:\n", set_name);
-
-	isc_buffer_init(&target, t, sizeof(t));
-
-	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
-				     &target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_usedregion(&target, &r);
-	printf("%.*s", (int)r.length, (char *)r.base);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
-	isc_result_t result;
-	dns_rdataset_t *rdataset;
-	dns_rdata_cname_t cname;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned int i = msg->counts[DNS_SECTION_ANSWER];
-
-	while (i-- > 0) {
-		rdataset = NULL;
-		result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
-					      dns_rdatatype_cname, 0, NULL,
-					      &rdataset);
-		if (result != ISC_R_SUCCESS)
-			return;
-		result = dns_rdataset_first(rdataset);
-		check_result(result, "dns_rdataset_first");
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &cname, NULL);
-		check_result(result, "dns_rdata_tostruct");
-		dns_name_copy(&cname.cname, qname, NULL);
-		dns_rdata_freestruct(&cname);
-	}
-}
-
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
-	isc_boolean_t did_flag = ISC_FALSE;
-	dns_rdataset_t *opt, *tsig = NULL;
-	dns_name_t *tsigname;
-	isc_result_t result = ISC_R_SUCCESS;
-	int force_error;
-
-	UNUSED(headers);
-
-	/*
-	 * We get called multiple times.
-	 * Preserve any existing error status.
-	 */
-	force_error = (seen_error == 1) ? 1 : 0;
-	seen_error = 1;
-	if (listed_server && !printed_server) {
-		char sockstr[ISC_SOCKADDR_FORMATSIZE];
-
-		printf("Using domain server:\n");
-		printf("Name: %s\n", query->userarg);
-		isc_sockaddr_format(&query->sockaddr, sockstr,
-				    sizeof(sockstr));
-		printf("Address: %s\n", sockstr);
-		printf("Aliases: \n\n");
-		printed_server = ISC_TRUE;
-	}
-
-	if (msg->rcode != 0) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
-
-		if (query->lookup->identify_previous_line)
-			printf("Nameserver %s:\n\t%s not found: %d(%s)\n",
-			       query->servname,
-			       (msg->rcode != dns_rcode_nxdomain) ? namestr :
-			       query->lookup->textname, msg->rcode,
-			       rcode_totext(msg->rcode));
-		else
-			printf("Host %s not found: %d(%s)\n",
-			       (msg->rcode != dns_rcode_nxdomain) ? namestr :
-			       query->lookup->textname, msg->rcode,
-			       rcode_totext(msg->rcode));
-		return (ISC_R_SUCCESS);
-	}
-
-	if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dig_lookup_t *lookup;
-		dns_fixedname_t fixed;
-		dns_name_t *name;
-
-		/* Add AAAA and MX lookups. */
-		dns_fixedname_init(&fixed);
-		name = dns_fixedname_name(&fixed);
-		dns_name_copy(query->lookup->name, name, NULL);
-		chase_cnamechain(msg, name);
-		dns_name_format(name, namestr, sizeof(namestr));
-		lookup = clone_lookup(query->lookup, ISC_FALSE);
-		if (lookup != NULL) {
-			strncpy(lookup->textname, namestr,
-				sizeof(lookup->textname));
-			lookup->textname[sizeof(lookup->textname)-1] = 0;
-			lookup->rdtype = dns_rdatatype_aaaa;
-			lookup->rdtypeset = ISC_TRUE;
-			lookup->origin = NULL;
-			lookup->retries = tries;
-			ISC_LIST_APPEND(lookup_list, lookup, link);
-		}
-		lookup = clone_lookup(query->lookup, ISC_FALSE);
-		if (lookup != NULL) {
-			strncpy(lookup->textname, namestr,
-				sizeof(lookup->textname));
-			lookup->textname[sizeof(lookup->textname)-1] = 0;
-			lookup->rdtype = dns_rdatatype_mx;
-			lookup->rdtypeset = ISC_TRUE;
-			lookup->origin = NULL;
-			lookup->retries = tries;
-			ISC_LIST_APPEND(lookup_list, lookup, link);
-		}
-	}
-
-	if (!short_form) {
-		printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
-		       opcodetext[msg->opcode], rcode_totext(msg->rcode),
-		       msg->id);
-		printf(";; flags: ");
-		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
-			printf("qr");
-			did_flag = ISC_TRUE;
-		}
-		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
-			printf("%saa", did_flag ? " " : "");
-			did_flag = ISC_TRUE;
-		}
-		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
-			printf("%stc", did_flag ? " " : "");
-			did_flag = ISC_TRUE;
-		}
-		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
-			printf("%srd", did_flag ? " " : "");
-			did_flag = ISC_TRUE;
-		}
-		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
-			printf("%sra", did_flag ? " " : "");
-			did_flag = ISC_TRUE;
-		}
-		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
-			printf("%sad", did_flag ? " " : "");
-			did_flag = ISC_TRUE;
-		}
-		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
-			printf("%scd", did_flag ? " " : "");
-			did_flag = ISC_TRUE;
-			POST(did_flag);
-		}
-		printf("; QUERY: %u, ANSWER: %u, "
-		       "AUTHORITY: %u, ADDITIONAL: %u\n",
-		       msg->counts[DNS_SECTION_QUESTION],
-		       msg->counts[DNS_SECTION_ANSWER],
-		       msg->counts[DNS_SECTION_AUTHORITY],
-		       msg->counts[DNS_SECTION_ADDITIONAL]);
-		opt = dns_message_getopt(msg);
-		if (opt != NULL)
-			printf(";; EDNS: version: %u, udp=%u\n",
-			       (unsigned int)((opt->ttl & 0x00ff0000) >> 16),
-			       (unsigned int)opt->rdclass);
-		tsigname = NULL;
-		tsig = dns_message_gettsig(msg, &tsigname);
-		if (tsig != NULL)
-			printf(";; PSEUDOSECTIONS: TSIG\n");
-	}
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) &&
-	    !short_form) {
-		printf("\n");
-		result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
-				      ISC_TRUE, query);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
-		if (!short_form)
-			printf("\n");
-		result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
-				      ISC_TF(!short_form), query);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
-	    !short_form) {
-		printf("\n");
-		result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
-				      ISC_TRUE, query);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
-	    !short_form) {
-		printf("\n");
-		result = printsection(msg, DNS_SECTION_ADDITIONAL,
-				      "ADDITIONAL", ISC_TRUE, query);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	if ((tsig != NULL) && !short_form) {
-		printf("\n");
-		result = printrdata(msg, tsig, tsigname,
-				    "PSEUDOSECTION TSIG", ISC_TRUE);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	if (!short_form)
-		printf("\n");
-
-	if (short_form && !default_lookups &&
-	    ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		char typestr[DNS_RDATATYPE_FORMATSIZE];
-		dns_name_format(query->lookup->name, namestr, sizeof(namestr));
-		dns_rdatatype_format(query->lookup->rdtype, typestr,
-				     sizeof(typestr));
-		printf("%s has no %s record\n", namestr, typestr);
-	}
-	seen_error = force_error;
-	return (result);
-}
-
-static const char * optstring = "46ac:dilnm:rst:vwCDN:R:TW:";
-
-static void
-pre_parse_args(int argc, char **argv) {
-	int c;
-
-	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
-		switch (c) {
-		case 'm':
-			memdebugging = ISC_TRUE;
-			if (strcasecmp("trace", isc_commandline_argument) == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
-			else if (!strcasecmp("record",
-					     isc_commandline_argument) == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
-			else if (strcasecmp("usage",
-					    isc_commandline_argument) == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
-			break;
-
-		case '4': break;
-		case '6': break;
-		case 'a': break;
-		case 'c': break;
-		case 'd': break;
-		case 'i': break;
-		case 'l': break;
-		case 'n': break;
-		case 'r': break;
-		case 's': break;
-		case 't': break;
-		case 'v': break;
-		case 'w': break;
-		case 'C': break;
-		case 'D':
-			debugging = ISC_TRUE;
-			break;
-		case 'N': break;
-		case 'R': break;
-		case 'T': break;
-		case 'W': break;
-		default:
-			show_usage();
-		}
-	}
-	isc_commandline_reset = ISC_TRUE;
-	isc_commandline_index = 1;
-}
-
-static void
-parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
-	char hostname[MXNAME];
-	dig_lookup_t *lookup;
-	int c;
-	char store[MXNAME];
-	isc_textregion_t tr;
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_rdatatype_t rdtype;
-	dns_rdataclass_t rdclass;
-	isc_uint32_t serial = 0;
-
-	UNUSED(is_batchfile);
-
-	lookup = make_empty_lookup();
-
-	lookup->servfail_stops = ISC_FALSE;
-	lookup->comments = ISC_FALSE;
-
-	while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
-		switch (c) {
-		case 'l':
-			lookup->tcp_mode = ISC_TRUE;
-			lookup->rdtype = dns_rdatatype_axfr;
-			lookup->rdtypeset = ISC_TRUE;
-			fatalexit = 3;
-			break;
-		case 'v':
-		case 'd':
-			short_form = ISC_FALSE;
-			break;
-		case 'r':
-			lookup->recurse = ISC_FALSE;
-			break;
-		case 't':
-			if (strncasecmp(isc_commandline_argument,
-					"ixfr=", 5) == 0) {
-				rdtype = dns_rdatatype_ixfr;
-				/* XXXMPA add error checking */
-				serial = strtoul(isc_commandline_argument + 5,
-						 NULL, 10);
-				result = ISC_R_SUCCESS;
-			} else {
-				tr.base = isc_commandline_argument;
-				tr.length = strlen(isc_commandline_argument);
-				result = dns_rdatatype_fromtext(&rdtype,
-						   (isc_textregion_t *)&tr);
-			}
-
-			if (result != ISC_R_SUCCESS) {
-				fatalexit = 2;
-				fatal("invalid type: %s\n",
-				      isc_commandline_argument);
-			}
-			if (!lookup->rdtypeset ||
-			    lookup->rdtype != dns_rdatatype_axfr)
-				lookup->rdtype = rdtype;
-			lookup->rdtypeset = ISC_TRUE;
-#ifdef WITH_IDN
-			idnoptions = 0;
-#endif
-			if (rdtype == dns_rdatatype_axfr) {
-				/* -l -t any -v */
-				list_type = dns_rdatatype_any;
-				short_form = ISC_FALSE;
-				lookup->tcp_mode = ISC_TRUE;
-			} else if (rdtype == dns_rdatatype_ixfr) {
-				lookup->ixfr_serial = serial;
-				lookup->tcp_mode = ISC_TRUE;
-				list_type = rdtype;
-#ifdef WITH_IDN
-			} else if (rdtype == dns_rdatatype_a ||
-				   rdtype == dns_rdatatype_aaaa ||
-				   rdtype == dns_rdatatype_mx) {
-				idnoptions = IDN_ASCCHECK;
-				list_type = rdtype;
-#endif
-			} else
-				list_type = rdtype;
-			list_addresses = ISC_FALSE;
-			default_lookups = ISC_FALSE;
-			break;
-		case 'c':
-			tr.base = isc_commandline_argument;
-			tr.length = strlen(isc_commandline_argument);
-			result = dns_rdataclass_fromtext(&rdclass,
-						   (isc_textregion_t *)&tr);
-
-			if (result != ISC_R_SUCCESS) {
-				fatalexit = 2;
-				fatal("invalid class: %s\n",
-				      isc_commandline_argument);
-			} else {
-				lookup->rdclass = rdclass;
-				lookup->rdclassset = ISC_TRUE;
-			}
-			default_lookups = ISC_FALSE;
-			break;
-		case 'a':
-			if (!lookup->rdtypeset ||
-			    lookup->rdtype != dns_rdatatype_axfr)
-				lookup->rdtype = dns_rdatatype_any;
-			list_type = dns_rdatatype_any;
-			list_addresses = ISC_FALSE;
-			lookup->rdtypeset = ISC_TRUE;
-			short_form = ISC_FALSE;
-			default_lookups = ISC_FALSE;
-			break;
-		case 'i':
-			lookup->ip6_int = ISC_TRUE;
-			break;
-		case 'n':
-			/* deprecated */
-			break;
-		case 'm':
-			/* Handled by pre_parse_args(). */
-			break;
-		case 'w':
-			/*
-			 * The timer routines are coded such that
-			 * timeout==MAXINT doesn't enable the timer
-			 */
-			timeout = INT_MAX;
-			break;
-		case 'W':
-			timeout = atoi(isc_commandline_argument);
-			if (timeout < 1)
-				timeout = 1;
-			break;
-		case 'R':
-			tries = atoi(isc_commandline_argument) + 1;
-			if (tries < 2)
-				tries = 2;
-			break;
-		case 'T':
-			lookup->tcp_mode = ISC_TRUE;
-			break;
-		case 'C':
-			debug("showing all SOAs");
-			lookup->rdtype = dns_rdatatype_ns;
-			lookup->rdtypeset = ISC_TRUE;
-			lookup->rdclass = dns_rdataclass_in;
-			lookup->rdclassset = ISC_TRUE;
-			lookup->ns_search_only = ISC_TRUE;
-			lookup->trace_root = ISC_TRUE;
-			lookup->identify_previous_line = ISC_TRUE;
-			default_lookups = ISC_FALSE;
-			break;
-		case 'N':
-			debug("setting NDOTS to %s",
-			      isc_commandline_argument);
-			ndots = atoi(isc_commandline_argument);
-			break;
-		case 'D':
-			/* Handled by pre_parse_args(). */
-			break;
-		case '4':
-			if (have_ipv4) {
-				isc_net_disableipv6();
-				have_ipv6 = ISC_FALSE;
-			} else
-				fatal("can't find IPv4 networking");
-			break;
-		case '6':
-			if (have_ipv6) {
-				isc_net_disableipv4();
-				have_ipv4 = ISC_FALSE;
-			} else
-				fatal("can't find IPv6 networking");
-			break;
-		case 's':
-			lookup->servfail_stops = ISC_TRUE;
-			break;
-		}
-	}
-
-	lookup->retries = tries;
-
-	if (isc_commandline_index >= argc)
-		show_usage();
-
-	strlcpy(hostname, argv[isc_commandline_index], sizeof(hostname));
-
-	if (argc > isc_commandline_index + 1) {
-		set_nameserver(argv[isc_commandline_index+1]);
-		debug("server is %s", argv[isc_commandline_index+1]);
-		listed_server = ISC_TRUE;
-	} else
-		check_ra = ISC_TRUE;
-
-	lookup->pending = ISC_FALSE;
-	if (get_reverse(store, sizeof(store), hostname,
-			lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) {
-		strncpy(lookup->textname, store, sizeof(lookup->textname));
-		lookup->textname[sizeof(lookup->textname)-1] = 0;
-		lookup->rdtype = dns_rdatatype_ptr;
-		lookup->rdtypeset = ISC_TRUE;
-		default_lookups = ISC_FALSE;
-	} else {
-		strncpy(lookup->textname, hostname, sizeof(lookup->textname));
-		lookup->textname[sizeof(lookup->textname)-1]=0;
-		usesearch = ISC_TRUE;
-	}
-	lookup->new_search = ISC_TRUE;
-	ISC_LIST_APPEND(lookup_list, lookup, link);
-}
-
-int
-main(int argc, char **argv) {
-	isc_result_t result;
-
-	tries = 2;
-
-	ISC_LIST_INIT(lookup_list);
-	ISC_LIST_INIT(server_list);
-	ISC_LIST_INIT(search_list);
-
-	fatalexit = 1;
-#ifdef WITH_IDN
-	idnoptions = IDN_ASCCHECK;
-#endif
-
-	debug("main()");
-	progname = argv[0];
-	pre_parse_args(argc, argv);
-	result = isc_app_start();
-	check_result(result, "isc_app_start");
-	setup_libs();
-	parse_args(ISC_FALSE, argc, argv);
-	setup_system();
-	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
-	check_result(result, "isc_app_onrun");
-	isc_app_run();
-	cancel_all();
-	destroy_libs();
-	isc_app_finish();
-	return ((seen_error == 0) ? 0 : 1);
-}
diff --git a/contrib/bind9/bin/dig/host.docbook b/contrib/bind9/bin/dig/host.docbook
deleted file mode 100644
index bc435f9..0000000
--- a/contrib/bind9/bin/dig/host.docbook
+++ /dev/null
@@ -1,279 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: host.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
-<refentry id="man.host">
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>host</refentrytitle>
-    <manvolnum>1</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>host</refname>
-    <refpurpose>DNS lookup utility</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>host</command>
-      <arg><option>-aCdlnrsTwv</option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
-      <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
-      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-      <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
-      <arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
-      <arg><option>-4</option></arg>
-      <arg><option>-6</option></arg>
-      <arg choice="req">name</arg>
-      <arg choice="opt">server</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para><command>host</command>
-      is a simple utility for performing DNS lookups.
-      It is normally used to convert names to IP addresses and vice versa.
-      When no arguments or options are given,
-      <command>host</command>
-      prints a short summary of its command line arguments and options.
-    </para>
-
-    <para><parameter>name</parameter> is the domain name that is to be
-      looked
-      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-      IPv6 address, in which case <command>host</command> will by
-      default
-      perform a reverse lookup for that address.
-      <parameter>server</parameter> is an optional argument which
-      is either
-      the name or IP address of the name server that <command>host</command>
-      should query instead of the server or servers listed in
-      <filename>/etc/resolv.conf</filename>.
-    </para>
-
-    <para>
-      The <option>-a</option> (all) option is equivalent to setting the
-      <option>-v</option> option and asking <command>host</command> to make
-      a query of type ANY.
-    </para>
-
-    <para>
-      When the <option>-C</option> option is used, <command>host</command>
-      will attempt to display the SOA records for zone
-      <parameter>name</parameter> from all the listed
-      authoritative name
-      servers for that zone.  The list of name servers is defined by the NS
-      records that are found for the zone.
-    </para>
-
-    <para>
-      The <option>-c</option> option instructs to make a DNS query of class
-      <parameter>class</parameter>.  This can be used to lookup
-      Hesiod or
-      Chaosnet class resource records.  The default class is IN (Internet).
-    </para>
-
-    <para>
-      Verbose output is generated by <command>host</command> when
-      the
-      <option>-d</option> or <option>-v</option> option is used.  The two
-      options are equivalent.  They have been provided for backwards
-      compatibility.  In previous versions, the <option>-d</option> option
-      switched on debugging traces and <option>-v</option> enabled verbose
-      output.
-    </para>
-
-    <para>
-      List mode is selected by the <option>-l</option> option.  This makes
-      <command>host</command> perform a zone transfer for zone
-      <parameter>name</parameter>.  Transfer the zone printing out
-      the NS, PTR
-      and address records (A/AAAA).  If combined with <option>-a</option>
-      all records will be printed.
-    </para>
-
-    <para>
-      The <option>-i</option>
-      option specifies that reverse lookups of IPv6 addresses should
-      use the IP6.INT domain as defined in RFC1886.
-      The default is to use IP6.ARPA.
-    </para>
-
-    <para>
-      The <option>-N</option> option sets the number of dots that have to be
-      in <parameter>name</parameter> for it to be considered
-      absolute.  The
-      default value is that defined using the ndots statement in
-      <filename>/etc/resolv.conf</filename>, or 1 if no ndots
-      statement is
-      present.  Names with fewer dots are interpreted as relative names and
-      will be searched for in the domains listed in the <type>search</type>
-      or <type>domain</type> directive in
-      <filename>/etc/resolv.conf</filename>.
-    </para>
-
-    <para>
-      The number of UDP retries for a lookup can be changed with the
-      <option>-R</option> option.  <parameter>number</parameter>
-      indicates
-      how many times <command>host</command> will repeat a query
-      that does
-      not get answered.  The default number of retries is 1.  If
-      <parameter>number</parameter> is negative or zero, the
-      number of
-      retries will default to 1.
-    </para>
-
-    <para>
-      Non-recursive queries can be made via the <option>-r</option> option.
-      Setting this option clears the <type>RD</type> &mdash; recursion
-      desired &mdash; bit in the query which <command>host</command> makes.
-      This should mean that the name server receiving the query will not
-      attempt to resolve <parameter>name</parameter>.  The
-      <option>-r</option> option enables <command>host</command>
-      to mimic
-      the behavior of a name server by making non-recursive queries and
-      expecting to receive answers to those queries that are usually
-      referrals to other name servers.
-    </para>
-
-    <para>
-      By default, <command>host</command> uses UDP when making
-      queries.  The
-      <option>-T</option> option makes it use a TCP connection when querying
-      the name server.  TCP will be automatically selected for queries that
-      require it, such as zone transfer (AXFR) requests.
-    </para>
-
-    <para>
-      The <option>-4</option> option forces <command>host</command> to only
-      use IPv4 query transport.  The <option>-6</option> option forces
-      <command>host</command> to only use IPv6 query transport.
-    </para>
-
-    <para>
-      The <option>-t</option> option is used to select the query type.
-      <parameter>type</parameter> can be any recognized query
-      type: CNAME,
-      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-      <command>host</command> automatically selects an appropriate
-      query
-      type.  By default, it looks for A, AAAA, and MX records, but if the
-      <option>-C</option> option was given, queries will be made for SOA
-      records, and if <parameter>name</parameter> is a
-      dotted-decimal IPv4
-      address or colon-delimited IPv6 address, <command>host</command> will
-      query for PTR records.  If a query type of IXFR is chosen the starting
-      serial number can be specified by appending an equal followed by the
-      starting serial number (e.g. -t IXFR=12345678).
-    </para>
-
-    <para>
-      The time to wait for a reply can be controlled through the
-      <option>-W</option> and <option>-w</option> options.  The
-      <option>-W</option> option makes <command>host</command>
-      wait for
-      <parameter>wait</parameter> seconds.  If <parameter>wait</parameter>
-      is less than one, the wait interval is set to one second.  When the
-      <option>-w</option> option is used, <command>host</command>
-      will
-      effectively wait forever for a reply.  The time to wait for a response
-      will be set to the number of seconds given by the hardware's maximum
-      value for an integer quantity.
-    </para>
-
-    <para>
-      The <option>-s</option> option tells <command>host</command> 
-      <emphasis>not</emphasis> to send the query to the next nameserver
-      if any server responds with a SERVFAIL response, which is the
-      reverse of normal stub resolver behavior.
-    </para>
-
-    <para>
-      The <option>-m</option> can be used to set the memory usage debugging
-      flags
-      <parameter>record</parameter>, <parameter>usage</parameter> and
-      <parameter>trace</parameter>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>IDN SUPPORT</title>
-    <para>
-      If <command>host</command> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names. 
-      <command>host</command> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, defines
-      the <envar>IDN_DISABLE</envar> environment variable.
-      The IDN support is disabled if the variable is set when
-      <command>host</command> runs.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-    <para><filename>/etc/resolv.conf</filename>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>.
-    </para>
-
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dig/host.html b/contrib/bind9/bin/dig/host.html
deleted file mode 100644
index d5fb6e7..0000000
--- a/contrib/bind9/bin/dig/host.html
+++ /dev/null
@@ -1,212 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.host"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>host &#8212; DNS lookup utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543436"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">host</strong></span>
-      is a simple utility for performing DNS lookups.
-      It is normally used to convert names to IP addresses and vice versa.
-      When no arguments or options are given,
-      <span><strong class="command">host</strong></span>
-      prints a short summary of its command line arguments and options.
-    </p>
-<p><em class="parameter"><code>name</code></em> is the domain name that is to be
-      looked
-      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-      IPv6 address, in which case <span><strong class="command">host</strong></span> will by
-      default
-      perform a reverse lookup for that address.
-      <em class="parameter"><code>server</code></em> is an optional argument which
-      is either
-      the name or IP address of the name server that <span><strong class="command">host</strong></span>
-      should query instead of the server or servers listed in
-      <code class="filename">/etc/resolv.conf</code>.
-    </p>
-<p>
-      The <code class="option">-a</code> (all) option is equivalent to setting the
-      <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
-      a query of type ANY.
-    </p>
-<p>
-      When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
-      will attempt to display the SOA records for zone
-      <em class="parameter"><code>name</code></em> from all the listed
-      authoritative name
-      servers for that zone.  The list of name servers is defined by the NS
-      records that are found for the zone.
-    </p>
-<p>
-      The <code class="option">-c</code> option instructs to make a DNS query of class
-      <em class="parameter"><code>class</code></em>.  This can be used to lookup
-      Hesiod or
-      Chaosnet class resource records.  The default class is IN (Internet).
-    </p>
-<p>
-      Verbose output is generated by <span><strong class="command">host</strong></span> when
-      the
-      <code class="option">-d</code> or <code class="option">-v</code> option is used.  The two
-      options are equivalent.  They have been provided for backwards
-      compatibility.  In previous versions, the <code class="option">-d</code> option
-      switched on debugging traces and <code class="option">-v</code> enabled verbose
-      output.
-    </p>
-<p>
-      List mode is selected by the <code class="option">-l</code> option.  This makes
-      <span><strong class="command">host</strong></span> perform a zone transfer for zone
-      <em class="parameter"><code>name</code></em>.  Transfer the zone printing out
-      the NS, PTR
-      and address records (A/AAAA).  If combined with <code class="option">-a</code>
-      all records will be printed.
-    </p>
-<p>
-      The <code class="option">-i</code>
-      option specifies that reverse lookups of IPv6 addresses should
-      use the IP6.INT domain as defined in RFC1886.
-      The default is to use IP6.ARPA.
-    </p>
-<p>
-      The <code class="option">-N</code> option sets the number of dots that have to be
-      in <em class="parameter"><code>name</code></em> for it to be considered
-      absolute.  The
-      default value is that defined using the ndots statement in
-      <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
-      statement is
-      present.  Names with fewer dots are interpreted as relative names and
-      will be searched for in the domains listed in the <span class="type">search</span>
-      or <span class="type">domain</span> directive in
-      <code class="filename">/etc/resolv.conf</code>.
-    </p>
-<p>
-      The number of UDP retries for a lookup can be changed with the
-      <code class="option">-R</code> option.  <em class="parameter"><code>number</code></em>
-      indicates
-      how many times <span><strong class="command">host</strong></span> will repeat a query
-      that does
-      not get answered.  The default number of retries is 1.  If
-      <em class="parameter"><code>number</code></em> is negative or zero, the
-      number of
-      retries will default to 1.
-    </p>
-<p>
-      Non-recursive queries can be made via the <code class="option">-r</code> option.
-      Setting this option clears the <span class="type">RD</span> &#8212; recursion
-      desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
-      This should mean that the name server receiving the query will not
-      attempt to resolve <em class="parameter"><code>name</code></em>.  The
-      <code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
-      to mimic
-      the behavior of a name server by making non-recursive queries and
-      expecting to receive answers to those queries that are usually
-      referrals to other name servers.
-    </p>
-<p>
-      By default, <span><strong class="command">host</strong></span> uses UDP when making
-      queries.  The
-      <code class="option">-T</code> option makes it use a TCP connection when querying
-      the name server.  TCP will be automatically selected for queries that
-      require it, such as zone transfer (AXFR) requests.
-    </p>
-<p>
-      The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
-      use IPv4 query transport.  The <code class="option">-6</code> option forces
-      <span><strong class="command">host</strong></span> to only use IPv6 query transport.
-    </p>
-<p>
-      The <code class="option">-t</code> option is used to select the query type.
-      <em class="parameter"><code>type</code></em> can be any recognized query
-      type: CNAME,
-      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-      <span><strong class="command">host</strong></span> automatically selects an appropriate
-      query
-      type.  By default, it looks for A, AAAA, and MX records, but if the
-      <code class="option">-C</code> option was given, queries will be made for SOA
-      records, and if <em class="parameter"><code>name</code></em> is a
-      dotted-decimal IPv4
-      address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
-      query for PTR records.  If a query type of IXFR is chosen the starting
-      serial number can be specified by appending an equal followed by the
-      starting serial number (e.g. -t IXFR=12345678).
-    </p>
-<p>
-      The time to wait for a reply can be controlled through the
-      <code class="option">-W</code> and <code class="option">-w</code> options.  The
-      <code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
-      wait for
-      <em class="parameter"><code>wait</code></em> seconds.  If <em class="parameter"><code>wait</code></em>
-      is less than one, the wait interval is set to one second.  When the
-      <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
-      will
-      effectively wait forever for a reply.  The time to wait for a response
-      will be set to the number of seconds given by the hardware's maximum
-      value for an integer quantity.
-    </p>
-<p>
-      The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span> 
-      <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
-      if any server responds with a SERVFAIL response, which is the
-      reverse of normal stub resolver behavior.
-    </p>
-<p>
-      The <code class="option">-m</code> can be used to set the memory usage debugging
-      flags
-      <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
-      <em class="parameter"><code>trace</code></em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543802"></a><h2>IDN SUPPORT</h2>
-<p>
-      If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names. 
-      <span><strong class="command">host</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, defines
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when
-      <span><strong class="command">host</strong></span> runs.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543825"></a><h2>FILES</h2>
-<p><code class="filename">/etc/resolv.conf</code>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543836"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dig/include/dig/dig.h b/contrib/bind9/bin/dig/include/dig/dig.h
deleted file mode 100644
index f04440c..0000000
--- a/contrib/bind9/bin/dig/include/dig/dig.h
+++ /dev/null
@@ -1,419 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dig.h,v 1.114 2011/12/07 17:23:28 each Exp $ */
-
-#ifndef DIG_H
-#define DIG_H
-
-/*! \file */
-
-#include <dns/rdatalist.h>
-
-#include <dst/dst.h>
-
-#include <isc/boolean.h>
-#include <isc/buffer.h>
-#include <isc/bufferlist.h>
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/list.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
-
-#define MXSERV 20
-#define MXNAME (DNS_NAME_MAXTEXT+1)
-#define MXRD 32
-/*% Buffer Size */
-#define BUFSIZE 512
-#define COMMSIZE 0xffff
-#ifndef RESOLV_CONF
-/*% location of resolve.conf */
-#define RESOLV_CONF "/etc/resolv.conf"
-#endif
-/*% output buffer */
-#define OUTPUTBUF 32767
-/*% Max RR Limit */
-#define MAXRRLIMIT 0xffffffff
-#define MAXTIMEOUT 0xffff
-/*% Max number of tries */
-#define MAXTRIES 0xffffffff
-/*% Max number of dots */
-#define MAXNDOTS 0xffff
-/*% Max number of ports */
-#define MAXPORT 0xffff
-/*% Max serial number */
-#define MAXSERIAL 0xffffffff
-
-/*% Default TCP Timeout */
-#define TCP_TIMEOUT 10
-/*% Default UDP Timeout */
-#define UDP_TIMEOUT 5
-
-#define SERVER_TIMEOUT 1
-
-#define LOOKUP_LIMIT 64
-/*%
- * Lookup_limit is just a limiter, keeping too many lookups from being
- * created.  It's job is mainly to prevent the program from running away
- * in a tight loop of constant lookups.  It's value is arbitrary.
- */
-
-/*
- * Defaults for the sigchase suboptions.  Consolidated here because
- * these control the layout of dig_lookup_t (among other things).
- */
-#ifdef DIG_SIGCHASE
-#ifndef DIG_SIGCHASE_BU
-#define DIG_SIGCHASE_BU 1
-#endif
-#ifndef DIG_SIGCHASE_TD
-#define DIG_SIGCHASE_TD 1
-#endif
-#endif
-
-ISC_LANG_BEGINDECLS
-
-typedef struct dig_lookup dig_lookup_t;
-typedef struct dig_query dig_query_t;
-typedef struct dig_server dig_server_t;
-#ifdef DIG_SIGCHASE
-typedef struct dig_message dig_message_t;
-#endif
-typedef ISC_LIST(dig_server_t) dig_serverlist_t;
-typedef struct dig_searchlist dig_searchlist_t;
-
-/*% The dig_lookup structure */
-struct dig_lookup {
-	isc_boolean_t
-		pending, /*%< Pending a successful answer */
-		waiting_connect,
-		doing_xfr,
-		ns_search_only, /*%< dig +nssearch, host -C */
-		identify, /*%< Append an "on server <foo>" message */
-		identify_previous_line, /*% Prepend a "Nameserver <foo>:"
-					   message, with newline and tab */
-		ignore,
-		recurse,
-		aaonly,
-		adflag,
-		cdflag,
-		trace, /*% dig +trace */
-		trace_root, /*% initial query for either +trace or +nssearch */
-		tcp_mode,
-		ip6_int,
-		comments,
-		stats,
-		section_question,
-		section_answer,
-		section_authority,
-		section_additional,
-		servfail_stops,
-		new_search,
-		need_search,
-		done_as_is,
-		besteffort,
-		dnssec,
-		nsid;   /*% Name Server ID (RFC 5001) */
-#ifdef DIG_SIGCHASE
-isc_boolean_t	sigchase;
-#if DIG_SIGCHASE_TD
-	isc_boolean_t do_topdown,
-		trace_root_sigchase,
-		rdtype_sigchaseset,
-		rdclass_sigchaseset;
-	/* Name we are going to validate RRset */
-	char textnamesigchase[MXNAME];
-#endif
-#endif
-
-	char textname[MXNAME]; /*% Name we're going to be looking up */
-	char cmdline[MXNAME];
-	dns_rdatatype_t rdtype;
-	dns_rdatatype_t qrdtype;
-#if DIG_SIGCHASE_TD
-	dns_rdatatype_t rdtype_sigchase;
-	dns_rdatatype_t qrdtype_sigchase;
-	dns_rdataclass_t rdclass_sigchase;
-#endif
-	dns_rdataclass_t rdclass;
-	isc_boolean_t rdtypeset;
-	isc_boolean_t rdclassset;
-	char namespace[BUFSIZE];
-	char onamespace[BUFSIZE];
-	isc_buffer_t namebuf;
-	isc_buffer_t onamebuf;
-	isc_buffer_t renderbuf;
-	char *sendspace;
-	dns_name_t *name;
-	isc_timer_t *timer;
-	isc_interval_t interval;
-	dns_message_t *sendmsg;
-	dns_name_t *oname;
-	ISC_LINK(dig_lookup_t) link;
-	ISC_LIST(dig_query_t) q;
-	ISC_LIST(dig_query_t) connecting;
-	dig_query_t *current_query;
-	dig_serverlist_t my_server_list;
-	dig_searchlist_t *origin;
-	dig_query_t *xfr_q;
-	isc_uint32_t retries;
-	int nsfound;
-	isc_uint16_t udpsize;
-	isc_int16_t edns;
-	isc_uint32_t ixfr_serial;
-	isc_buffer_t rdatabuf;
-	char rdatastore[MXNAME];
-	dst_context_t *tsigctx;
-	isc_buffer_t *querysig;
-	isc_uint32_t msgcounter;
-	dns_fixedname_t fdomain;
-};
-
-/*% The dig_query structure */
-struct dig_query {
-	dig_lookup_t *lookup;
-	isc_boolean_t waiting_connect,
-		pending_free,
-		waiting_senddone,
-		first_pass,
-		first_soa_rcvd,
-		second_rr_rcvd,
-		first_repeat_rcvd,
-		recv_made,
-		warn_id;
-	isc_uint32_t first_rr_serial;
-	isc_uint32_t second_rr_serial;
-	isc_uint32_t msg_count;
-	isc_uint32_t rr_count;
-	char *servname;
-	char *userarg;
-	isc_bufferlist_t sendlist,
-		recvlist,
-		lengthlist;
-	isc_buffer_t recvbuf,
-		lengthbuf,
-		slbuf;
-	char *recvspace,
-		lengthspace[4],
-		slspace[4];
-	isc_socket_t *sock;
-	ISC_LINK(dig_query_t) link;
-	ISC_LINK(dig_query_t) clink;
-	isc_sockaddr_t sockaddr;
-	isc_time_t time_sent;
-	isc_uint64_t byte_count;
-	isc_buffer_t sendbuf;
-};
-
-struct dig_server {
-	char servername[MXNAME];
-	char userarg[MXNAME];
-	ISC_LINK(dig_server_t) link;
-};
-
-struct dig_searchlist {
-	char origin[MXNAME];
-	ISC_LINK(dig_searchlist_t) link;
-};
-#ifdef DIG_SIGCHASE
-struct dig_message {
-		dns_message_t *msg;
-		ISC_LINK(dig_message_t) link;
-};
-#endif
-
-typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t;
-typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
-
-/*
- * Externals from dighost.c
- */
-
-extern dig_lookuplist_t lookup_list;
-extern dig_serverlist_t server_list;
-extern dig_searchlistlist_t search_list;
-extern unsigned int extrabytes;
-
-extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
-	usesearch, showsearch, qr;
-extern in_port_t port;
-extern unsigned int timeout;
-extern isc_mem_t *mctx;
-extern dns_messageid_t id;
-extern int sendcount;
-extern int ndots;
-extern int lookup_counter;
-extern int exitcode;
-extern isc_sockaddr_t bind_address;
-extern char keynametext[MXNAME];
-extern char keyfile[MXNAME];
-extern char keysecret[MXNAME];
-extern dns_name_t *hmacname;
-extern unsigned int digestbits;
-#ifdef DIG_SIGCHASE
-extern char trustedkey[MXNAME];
-#endif
-extern dns_tsigkey_t *key;
-extern isc_boolean_t validated;
-extern isc_taskmgr_t *taskmgr;
-extern isc_task_t *global_task;
-extern isc_boolean_t free_now;
-extern isc_boolean_t debugging, memdebugging;
-
-extern char *progname;
-extern int tries;
-extern int fatalexit;
-#ifdef WITH_IDN
-extern int idnoptions;
-#endif
-
-/*
- * Routines in dighost.c.
- */
-isc_result_t
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
-
-int
-getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
-
-isc_result_t
-get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
-	    isc_boolean_t strict);
-
-ISC_PLATFORM_NORETURN_PRE void
-fatal(const char *format, ...)
-ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
-
-void
-debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-check_result(isc_result_t result, const char *msg);
-
-void
-setup_lookup(dig_lookup_t *lookup);
-
-void
-destroy_lookup(dig_lookup_t *lookup);
-
-void
-do_lookup(dig_lookup_t *lookup);
-
-void
-start_lookup(void);
-
-void
-onrun_callback(isc_task_t *task, isc_event_t *event);
-
-int
-dhmain(int argc, char **argv);
-
-void
-setup_libs(void);
-
-void
-setup_system(void);
-
-isc_result_t
-parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
-	   const char *desc);
-
-void
-parse_hmac(const char *hmacstr);
-
-dig_lookup_t *
-requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
-
-dig_lookup_t *
-make_empty_lookup(void);
-
-dig_lookup_t *
-clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
-
-dig_server_t *
-make_server(const char *servname, const char *userarg);
-
-void
-flush_server_list(void);
-
-void
-set_nameserver(char *opt);
-
-void
-clone_server_list(dig_serverlist_t src,
-		  dig_serverlist_t *dest);
-
-void
-cancel_all(void);
-
-void
-destroy_libs(void);
-
-void
-set_search_domain(char *domain);
-
-#ifdef DIG_SIGCHASE
-void
-clean_trustedkey(void);
-#endif
-
-/*
- * Routines to be defined in dig.c, host.c, and nslookup.c.
- */
-#ifdef DIG_SIGCHASE
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
-	      isc_buffer_t *target);
-#endif
-
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
-/*%<
- * Print the final result of the lookup.
- */
-
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
-/*%<
- * Print a message about where and when the response
- * was received from, like the final comment in the
- * output of "dig".
- */
-
-void
-trying(char *frm, dig_lookup_t *lookup);
-
-void
-dighost_shutdown(void);
-
-char *
-next_token(char **stringp, const char *delim);
-
-#ifdef DIG_SIGCHASE
-/* Chasing functions */
-dns_rdataset_t *
-chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers);
-void
-chase_sig(dns_message_t *msg);
-#endif
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/bin/dig/nslookup.1 b/contrib/bind9/bin/dig/nslookup.1
deleted file mode 100644
index f988995..0000000
--- a/contrib/bind9/bin/dig/nslookup.1
+++ /dev/null
@@ -1,258 +0,0 @@
-.\" Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: nslookup
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-nslookup \- query Internet name servers interactively
-.SH "SYNOPSIS"
-.HP 9
-\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
-.SH "DESCRIPTION"
-.PP
-\fBNslookup\fR
-is a program to query Internet domain name servers.
-\fBNslookup\fR
-has two modes: interactive and non\-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non\-interactive mode is used to print just the name and requested information for a host or domain.
-.SH "ARGUMENTS"
-.PP
-Interactive mode is entered in the following cases:
-.TP 4
-1.
-when no arguments are given (the default name server will be used)
-.TP 4
-2.
-when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
-.sp
-.RE
-.PP
-Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
-.PP
-Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.sp
-.RS 4
-.nf
-nslookup \-query=hinfo  \-timeout=10
-.fi
-.RE
-.sp
-.SH "INTERACTIVE COMMANDS"
-.PP
-\fBhost\fR [server]
-.RS 4
-Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
-.sp
-To look up a host not in the current domain, append a period to the name.
-.RE
-.PP
-\fBserver\fR \fIdomain\fR
-.RS 4
-.RE
-.PP
-\fBlserver\fR \fIdomain\fR
-.RS 4
-Change the default server to
-\fIdomain\fR;
-\fBlserver\fR
-uses the initial server to look up information about
-\fIdomain\fR, while
-\fBserver\fR
-uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
-.RE
-.PP
-\fBroot\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBfinger\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBls\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBview\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBhelp\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fB?\fR
-.RS 4
-not implemented
-.RE
-.PP
-\fBexit\fR
-.RS 4
-Exits the program.
-.RE
-.PP
-\fBset\fR \fIkeyword\fR\fI[=value]\fR
-.RS 4
-This command is used to change state information that affects the lookups. Valid keywords are:
-.RS 4
-.PP
-\fBall\fR
-.RS 4
-Prints the current values of the frequently used options to
-\fBset\fR. Information about the current default server and host is also printed.
-.RE
-.PP
-\fBclass=\fR\fIvalue\fR
-.RS 4
-Change the query class to one of:
-.RS 4
-.PP
-\fBIN\fR
-.RS 4
-the Internet class
-.RE
-.PP
-\fBCH\fR
-.RS 4
-the Chaos class
-.RE
-.PP
-\fBHS\fR
-.RS 4
-the Hesiod class
-.RE
-.PP
-\fBANY\fR
-.RS 4
-wildcard
-.RE
-.RE
-.IP "" 4
-The class specifies the protocol group of the information.
-.sp
-(Default = IN; abbreviation = cl)
-.RE
-.PP
-\fB \fR\fB\fI[no]\fR\fR\fBdebug\fR
-.RS 4
-Turn on or off the display of the full response packet and any intermediate response packets when searching.
-.sp
-(Default = nodebug; abbreviation =
-[no]deb)
-.RE
-.PP
-\fB \fR\fB\fI[no]\fR\fR\fBd2\fR
-.RS 4
-Turn debugging mode on or off. This displays more about what nslookup is doing.
-.sp
-(Default = nod2)
-.RE
-.PP
-\fBdomain=\fR\fIname\fR
-.RS 4
-Sets the search list to
-\fIname\fR.
-.RE
-.PP
-\fB \fR\fB\fI[no]\fR\fR\fBsearch\fR
-.RS 4
-If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
-.sp
-(Default = search)
-.RE
-.PP
-\fBport=\fR\fIvalue\fR
-.RS 4
-Change the default TCP/UDP name server port to
-\fIvalue\fR.
-.sp
-(Default = 53; abbreviation = po)
-.RE
-.PP
-\fBquerytype=\fR\fIvalue\fR
-.RS 4
-.RE
-.PP
-\fBtype=\fR\fIvalue\fR
-.RS 4
-Change the type of the information query.
-.sp
-(Default = A; abbreviations = q, ty)
-.RE
-.PP
-\fB \fR\fB\fI[no]\fR\fR\fBrecurse\fR
-.RS 4
-Tell the name server to query other servers if it does not have the information.
-.sp
-(Default = recurse; abbreviation = [no]rec)
-.RE
-.PP
-\fBretry=\fR\fInumber\fR
-.RS 4
-Set the number of retries to number.
-.RE
-.PP
-\fBtimeout=\fR\fInumber\fR
-.RS 4
-Change the initial timeout interval for waiting for a reply to number seconds.
-.RE
-.PP
-\fB \fR\fB\fI[no]\fR\fR\fBvc\fR
-.RS 4
-Always use a virtual circuit when sending requests to the server.
-.sp
-(Default = novc)
-.RE
-.PP
-\fB \fR\fB\fI[no]\fR\fR\fBfail\fR
-.RS 4
-Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.
-.sp
-(Default = nofail)
-.RE
-.RE
-.IP "" 4
-.RE
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBhost\fR(1),
-\fBnamed\fR(8).
-.SH "AUTHOR"
-.PP
-Andrew Cherenson
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/dig/nslookup.c b/contrib/bind9/bin/dig/nslookup.c
deleted file mode 100644
index 6864716..0000000
--- a/contrib/bind9/bin/dig/nslookup.c
+++ /dev/null
@@ -1,921 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nslookup.c,v 1.130 2011/12/16 23:01:16 each Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/app.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/event.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-#include <isc/task.h>
-#include <isc/netaddr.h>
-
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/byaddr.h>
-
-#include <dig/dig.h>
-
-#if defined(HAVE_READLINE)
-#include <readline/readline.h>
-#include <readline/history.h>
-#endif
-
-static isc_boolean_t short_form = ISC_TRUE,
-	tcpmode = ISC_FALSE,
-	identify = ISC_FALSE, stats = ISC_TRUE,
-	comments = ISC_TRUE, section_question = ISC_TRUE,
-	section_answer = ISC_TRUE, section_authority = ISC_TRUE,
-	section_additional = ISC_TRUE, recurse = ISC_TRUE,
-	aaonly = ISC_FALSE, nofail = ISC_TRUE;
-
-static isc_boolean_t interactive;
-
-static isc_boolean_t in_use = ISC_FALSE;
-static char defclass[MXRD] = "IN";
-static char deftype[MXRD] = "A";
-static isc_event_t *global_event = NULL;
-static int query_error = 1, print_error = 0;
-
-static char domainopt[DNS_NAME_MAXTEXT];
-
-static const char *rcodetext[] = {
-	"NOERROR",
-	"FORMERR",
-	"SERVFAIL",
-	"NXDOMAIN",
-	"NOTIMP",
-	"REFUSED",
-	"YXDOMAIN",
-	"YXRRSET",
-	"NXRRSET",
-	"NOTAUTH",
-	"NOTZONE",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15",
-	"BADVERS"
-};
-
-static const char *rtypetext[] = {
-	"rtype_0 = ",			/* 0 */
-	"internet address = ",		/* 1 */
-	"nameserver = ",		/* 2 */
-	"md = ",			/* 3 */
-	"mf = ",			/* 4 */
-	"canonical name = ",		/* 5 */
-	"soa = ",			/* 6 */
-	"mb = ",			/* 7 */
-	"mg = ",			/* 8 */
-	"mr = ",			/* 9 */
-	"rtype_10 = ",			/* 10 */
-	"protocol = ",			/* 11 */
-	"name = ",			/* 12 */
-	"hinfo = ",			/* 13 */
-	"minfo = ",			/* 14 */
-	"mail exchanger = ",		/* 15 */
-	"text = ",			/* 16 */
-	"rp = ",       			/* 17 */
-	"afsdb = ",			/* 18 */
-	"x25 address = ",		/* 19 */
-	"isdn address = ",		/* 20 */
-	"rt = ",			/* 21 */
-	"nsap = ",			/* 22 */
-	"nsap_ptr = ",			/* 23 */
-	"signature = ",			/* 24 */
-	"key = ",			/* 25 */
-	"px = ",			/* 26 */
-	"gpos = ",			/* 27 */
-	"has AAAA address ",		/* 28 */
-	"loc = ",			/* 29 */
-	"next = ",			/* 30 */
-	"rtype_31 = ",			/* 31 */
-	"rtype_32 = ",			/* 32 */
-	"service = ",			/* 33 */
-	"rtype_34 = ",			/* 34 */
-	"naptr = ",			/* 35 */
-	"kx = ",			/* 36 */
-	"cert = ",			/* 37 */
-	"v6 address = ",		/* 38 */
-	"dname = ",			/* 39 */
-	"rtype_40 = ",			/* 40 */
-	"optional = "			/* 41 */
-};
-
-#define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
-
-static void flush_lookup_list(void);
-static void getinput(isc_task_t *task, isc_event_t *event);
-
-static char *
-rcode_totext(dns_rcode_t rcode)
-{
-	static char buf[sizeof("?65535")];
-	union {
-		const char *consttext;
-		char *deconsttext;
-	} totext;
-
-	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
-		snprintf(buf, sizeof(buf), "?%u", rcode);
-		totext.deconsttext = buf;
-	} else
-		totext.consttext = rcodetext[rcode];
-	return totext.deconsttext;
-}
-
-void
-dighost_shutdown(void) {
-	isc_event_t *event = global_event;
-
-	flush_lookup_list();
-	debug("dighost_shutdown()");
-
-	if (!in_use) {
-		isc_app_shutdown();
-		return;
-	}
-
-	isc_task_send(global_task, &event);
-}
-
-static void
-printsoa(dns_rdata_t *rdata) {
-	dns_rdata_soa_t soa;
-	isc_result_t result;
-	char namebuf[DNS_NAME_FORMATSIZE];
-
-	result = dns_rdata_tostruct(rdata, &soa, NULL);
-	check_result(result, "dns_rdata_tostruct");
-
-	dns_name_format(&soa.origin, namebuf, sizeof(namebuf));
-	printf("\torigin = %s\n", namebuf);
-	dns_name_format(&soa.contact, namebuf, sizeof(namebuf));
-	printf("\tmail addr = %s\n", namebuf);
-	printf("\tserial = %u\n", soa.serial);
-	printf("\trefresh = %u\n", soa.refresh);
-	printf("\tretry = %u\n", soa.retry);
-	printf("\texpire = %u\n", soa.expire);
-	printf("\tminimum = %u\n", soa.minimum);
-	dns_rdata_freestruct(&soa);
-}
-
-static void
-printa(dns_rdata_t *rdata) {
-	isc_result_t result;
-	char text[sizeof("255.255.255.255")];
-	isc_buffer_t b;
-
-	isc_buffer_init(&b, text, sizeof(text));
-	result = dns_rdata_totext(rdata, NULL, &b);
-	check_result(result, "dns_rdata_totext");
-	printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b),
-	       (char *)isc_buffer_base(&b));
-}
-#ifdef DIG_SIGCHASE
-/* Just for compatibility : not use in host program */
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
-	      isc_buffer_t *target)
-{
-	UNUSED(owner_name);
-	UNUSED(rdataset);
-	UNUSED(target);
-	return(ISC_FALSE);
-}
-#endif
-static void
-printrdata(dns_rdata_t *rdata) {
-	isc_result_t result;
-	isc_buffer_t *b = NULL;
-	unsigned int size = 1024;
-	isc_boolean_t done = ISC_FALSE;
-
-	if (rdata->type < N_KNOWN_RRTYPES)
-		printf("%s", rtypetext[rdata->type]);
-	else
-		printf("rdata_%d = ", rdata->type);
-
-	while (!done) {
-		result = isc_buffer_allocate(mctx, &b, size);
-		if (result != ISC_R_SUCCESS)
-			check_result(result, "isc_buffer_allocate");
-		result = dns_rdata_totext(rdata, NULL, b);
-		if (result == ISC_R_SUCCESS) {
-			printf("%.*s\n", (int)isc_buffer_usedlength(b),
-			       (char *)isc_buffer_base(b));
-			done = ISC_TRUE;
-		} else if (result != ISC_R_NOSPACE)
-			check_result(result, "dns_rdata_totext");
-		isc_buffer_free(&b);
-		size *= 2;
-	}
-}
-
-static isc_result_t
-printsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
-	     dns_section_t section) {
-	isc_result_t result, loopresult;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	char namebuf[DNS_NAME_FORMATSIZE];
-
-	UNUSED(query);
-	UNUSED(headers);
-
-	debug("printsection()");
-
-	result = dns_message_firstname(msg, section);
-	if (result == ISC_R_NOMORE)
-		return (ISC_R_SUCCESS);
-	else if (result != ISC_R_SUCCESS)
-		return (result);
-	for (;;) {
-		name = NULL;
-		dns_message_currentname(msg, section,
-					&name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			loopresult = dns_rdataset_first(rdataset);
-			while (loopresult == ISC_R_SUCCESS) {
-				dns_rdataset_current(rdataset, &rdata);
-				switch (rdata.type) {
-				case dns_rdatatype_a:
-					if (section != DNS_SECTION_ANSWER)
-						goto def_short_section;
-					dns_name_format(name, namebuf,
-							sizeof(namebuf));
-					printf("Name:\t%s\n", namebuf);
-					printa(&rdata);
-					break;
-				case dns_rdatatype_soa:
-					dns_name_format(name, namebuf,
-							sizeof(namebuf));
-					printf("%s\n", namebuf);
-					printsoa(&rdata);
-					break;
-				default:
-				def_short_section:
-					dns_name_format(name, namebuf,
-							sizeof(namebuf));
-					printf("%s\t", namebuf);
-					printrdata(&rdata);
-					break;
-				}
-				dns_rdata_reset(&rdata);
-				loopresult = dns_rdataset_next(rdataset);
-			}
-		}
-		result = dns_message_nextname(msg, section);
-		if (result == ISC_R_NOMORE)
-			break;
-		else if (result != ISC_R_SUCCESS) {
-			return (result);
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
-	     dns_section_t section) {
-	isc_result_t result, loopresult;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	char namebuf[DNS_NAME_FORMATSIZE];
-
-	UNUSED(query);
-
-	debug("detailsection()");
-
-	if (headers) {
-		switch (section) {
-		case DNS_SECTION_QUESTION:
-			puts("    QUESTIONS:");
-			break;
-		case DNS_SECTION_ANSWER:
-			puts("    ANSWERS:");
-			break;
-		case DNS_SECTION_AUTHORITY:
-			puts("    AUTHORITY RECORDS:");
-			break;
-		case DNS_SECTION_ADDITIONAL:
-			puts("    ADDITIONAL RECORDS:");
-			break;
-		}
-	}
-
-	result = dns_message_firstname(msg, section);
-	if (result == ISC_R_NOMORE)
-		return (ISC_R_SUCCESS);
-	else if (result != ISC_R_SUCCESS)
-		return (result);
-	for (;;) {
-		name = NULL;
-		dns_message_currentname(msg, section,
-					&name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if (section == DNS_SECTION_QUESTION) {
-				dns_name_format(name, namebuf,
-						sizeof(namebuf));
-				printf("\t%s, ", namebuf);
-				dns_rdatatype_format(rdataset->type,
-						     namebuf,
-						     sizeof(namebuf));
-				printf("type = %s, ", namebuf);
-				dns_rdataclass_format(rdataset->rdclass,
-						      namebuf,
-						      sizeof(namebuf));
-				printf("class = %s\n", namebuf);
-			}
-			loopresult = dns_rdataset_first(rdataset);
-			while (loopresult == ISC_R_SUCCESS) {
-				dns_rdataset_current(rdataset, &rdata);
-
-				dns_name_format(name, namebuf,
-						sizeof(namebuf));
-				printf("    ->  %s\n", namebuf);
-
-				switch (rdata.type) {
-				case dns_rdatatype_soa:
-					printsoa(&rdata);
-					break;
-				default:
-					printf("\t");
-					printrdata(&rdata);
-				}
-				dns_rdata_reset(&rdata);
-				printf("\tttl = %u\n", rdataset->ttl);
-				loopresult = dns_rdataset_next(rdataset);
-			}
-		}
-		result = dns_message_nextname(msg, section);
-		if (result == ISC_R_NOMORE)
-			break;
-		else if (result != ISC_R_SUCCESS) {
-			return (result);
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query)
-{
-	UNUSED(bytes);
-	UNUSED(from);
-	UNUSED(query);
-}
-
-void
-trying(char *frm, dig_lookup_t *lookup) {
-	UNUSED(frm);
-	UNUSED(lookup);
-
-}
-
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
-	char servtext[ISC_SOCKADDR_FORMATSIZE];
-
-	/* I've we've gotten this far, we've reached a server. */
-	query_error = 0;
-
-	debug("printmessage()");
-
-	isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
-	printf("Server:\t\t%s\n", query->userarg);
-	printf("Address:\t%s\n", servtext);
-
-	puts("");
-
-	if (!short_form) {
-		isc_boolean_t headers = ISC_TRUE;
-		puts("------------");
-		/*		detailheader(query, msg);*/
-		detailsection(query, msg, headers, DNS_SECTION_QUESTION);
-		detailsection(query, msg, headers, DNS_SECTION_ANSWER);
-		detailsection(query, msg, headers, DNS_SECTION_AUTHORITY);
-		detailsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
-		puts("------------");
-	}
-
-	if (msg->rcode != 0) {
-		char nametext[DNS_NAME_FORMATSIZE];
-		dns_name_format(query->lookup->name,
-				nametext, sizeof(nametext));
-		printf("** server can't find %s: %s\n",
-		       (msg->rcode != dns_rcode_nxdomain) ? nametext :
-		       query->lookup->textname, rcode_totext(msg->rcode));
-		debug("returning with rcode == 0");
-
-		/* the lookup failed */
-		print_error |= 1;
-		return (ISC_R_SUCCESS);
-	}
-
-	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0)
-		puts("Non-authoritative answer:");
-	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]))
-		printsection(query, msg, headers, DNS_SECTION_ANSWER);
-	else
-		printf("*** Can't find %s: No answer\n",
-		       query->lookup->textname);
-
-	if (((msg->flags & DNS_MESSAGEFLAG_AA) == 0) &&
-	    (query->lookup->rdtype != dns_rdatatype_a)) {
-		puts("\nAuthoritative answers can be found from:");
-		printsection(query, msg, headers,
-			     DNS_SECTION_AUTHORITY);
-		printsection(query, msg, headers,
-			     DNS_SECTION_ADDITIONAL);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static void
-show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
-	dig_server_t *srv;
-	isc_sockaddr_t sockaddr;
-	dig_searchlist_t *listent;
-	isc_result_t result;
-
-	srv = ISC_LIST_HEAD(server_list);
-
-	while (srv != NULL) {
-		char sockstr[ISC_SOCKADDR_FORMATSIZE];
-
-		result = get_address(srv->servername, port, &sockaddr);
-		check_result(result, "get_address");
-
-		isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
-		printf("Default server: %s\nAddress: %s\n",
-			srv->userarg, sockstr);
-		if (!full)
-			return;
-		srv = ISC_LIST_NEXT(srv, link);
-	}
-	if (serv_only)
-		return;
-	printf("\nSet options:\n");
-	printf("  %s\t\t\t%s\t\t%s\n",
-	       tcpmode ? "vc" : "novc",
-	       short_form ? "nodebug" : "debug",
-	       debugging ? "d2" : "nod2");
-	printf("  %s\t\t%s\n",
-	       usesearch ? "search" : "nosearch",
-	       recurse ? "recurse" : "norecurse");
-	printf("  timeout = %d\t\tretry = %d\tport = %d\n",
-	       timeout, tries, port);
-	printf("  querytype = %-8s\tclass = %s\n", deftype, defclass);
-	printf("  srchlist = ");
-	for (listent = ISC_LIST_HEAD(search_list);
-	     listent != NULL;
-	     listent = ISC_LIST_NEXT(listent, link)) {
-		     printf("%s", listent->origin);
-		     if (ISC_LIST_NEXT(listent, link) != NULL)
-			     printf("/");
-	}
-	printf("\n");
-}
-
-static isc_boolean_t
-testtype(char *typetext) {
-	isc_result_t result;
-	isc_textregion_t tr;
-	dns_rdatatype_t rdtype;
-
-	tr.base = typetext;
-	tr.length = strlen(typetext);
-	result = dns_rdatatype_fromtext(&rdtype, &tr);
-	if (result == ISC_R_SUCCESS)
-		return (ISC_TRUE);
-	else {
-		printf("unknown query type: %s\n", typetext);
-		return (ISC_FALSE);
-	}
-}
-
-static isc_boolean_t
-testclass(char *typetext) {
-	isc_result_t result;
-	isc_textregion_t tr;
-	dns_rdataclass_t rdclass;
-
-	tr.base = typetext;
-	tr.length = strlen(typetext);
-	result = dns_rdataclass_fromtext(&rdclass, &tr);
-	if (result == ISC_R_SUCCESS)
-		return (ISC_TRUE);
-	else {
-		printf("unknown query class: %s\n", typetext);
-		return (ISC_FALSE);
-	}
-}
-
-static void
-set_port(const char *value) {
-	isc_uint32_t n;
-	isc_result_t result = parse_uint(&n, value, 65535, "port");
-	if (result == ISC_R_SUCCESS)
-		port = (isc_uint16_t) n;
-}
-
-static void
-set_timeout(const char *value) {
-	isc_uint32_t n;
-	isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout");
-	if (result == ISC_R_SUCCESS)
-		timeout = n;
-}
-
-static void
-set_tries(const char *value) {
-	isc_uint32_t n;
-	isc_result_t result = parse_uint(&n, value, INT_MAX, "tries");
-	if (result == ISC_R_SUCCESS)
-		tries = n;
-}
-
-static void
-setoption(char *opt) {
-	if (strncasecmp(opt, "all", 4) == 0) {
-		show_settings(ISC_TRUE, ISC_FALSE);
-	} else if (strncasecmp(opt, "class=", 6) == 0) {
-		if (testclass(&opt[6]))
-			strlcpy(defclass, &opt[6], sizeof(defclass));
-	} else if (strncasecmp(opt, "cl=", 3) == 0) {
-		if (testclass(&opt[3]))
-			strlcpy(defclass, &opt[3], sizeof(defclass));
-	} else if (strncasecmp(opt, "type=", 5) == 0) {
-		if (testtype(&opt[5]))
-			strlcpy(deftype, &opt[5], sizeof(deftype));
-	} else if (strncasecmp(opt, "ty=", 3) == 0) {
-		if (testtype(&opt[3]))
-			strlcpy(deftype, &opt[3], sizeof(deftype));
-	} else if (strncasecmp(opt, "querytype=", 10) == 0) {
-		if (testtype(&opt[10]))
-			strlcpy(deftype, &opt[10], sizeof(deftype));
-	} else if (strncasecmp(opt, "query=", 6) == 0) {
-		if (testtype(&opt[6]))
-			strlcpy(deftype, &opt[6], sizeof(deftype));
-	} else if (strncasecmp(opt, "qu=", 3) == 0) {
-		if (testtype(&opt[3]))
-			strlcpy(deftype, &opt[3], sizeof(deftype));
-	} else if (strncasecmp(opt, "q=", 2) == 0) {
-		if (testtype(&opt[2]))
-			strlcpy(deftype, &opt[2], sizeof(deftype));
-	} else if (strncasecmp(opt, "domain=", 7) == 0) {
-		strlcpy(domainopt, &opt[7], sizeof(domainopt));
-		set_search_domain(domainopt);
-		usesearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "do=", 3) == 0) {
-		strlcpy(domainopt, &opt[3], sizeof(domainopt));
-		set_search_domain(domainopt);
-		usesearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "port=", 5) == 0) {
-		set_port(&opt[5]);
-	} else if (strncasecmp(opt, "po=", 3) == 0) {
-		set_port(&opt[3]);
-	} else if (strncasecmp(opt, "timeout=", 8) == 0) {
-		set_timeout(&opt[8]);
-	} else if (strncasecmp(opt, "t=", 2) == 0) {
-		set_timeout(&opt[2]);
-	} else if (strncasecmp(opt, "rec", 3) == 0) {
-		recurse = ISC_TRUE;
-	} else if (strncasecmp(opt, "norec", 5) == 0) {
-		recurse = ISC_FALSE;
-	} else if (strncasecmp(opt, "retry=", 6) == 0) {
-		set_tries(&opt[6]);
-	} else if (strncasecmp(opt, "ret=", 4) == 0) {
-		set_tries(&opt[4]);
-	} else if (strncasecmp(opt, "def", 3) == 0) {
-		usesearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nodef", 5) == 0) {
-		usesearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "vc", 3) == 0) {
-		tcpmode = ISC_TRUE;
-	} else if (strncasecmp(opt, "novc", 5) == 0) {
-		tcpmode = ISC_FALSE;
-	} else if (strncasecmp(opt, "deb", 3) == 0) {
-		short_form = ISC_FALSE;
-		showsearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nodeb", 5) == 0) {
-		short_form = ISC_TRUE;
-		showsearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "d2", 2) == 0) {
-		debugging = ISC_TRUE;
-	} else if (strncasecmp(opt, "nod2", 4) == 0) {
-		debugging = ISC_FALSE;
-	} else if (strncasecmp(opt, "search", 3) == 0) {
-		usesearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nosearch", 5) == 0) {
-		usesearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "sil", 3) == 0) {
-		/* deprecation_msg = ISC_FALSE; */
-	} else if (strncasecmp(opt, "fail", 3) == 0) {
-		nofail=ISC_FALSE;
-	} else if (strncasecmp(opt, "nofail", 3) == 0) {
-		nofail=ISC_TRUE;
-	} else {
-		printf("*** Invalid option: %s\n", opt);
-	}
-}
-
-static void
-addlookup(char *opt) {
-	dig_lookup_t *lookup;
-	isc_result_t result;
-	isc_textregion_t tr;
-	dns_rdatatype_t rdtype;
-	dns_rdataclass_t rdclass;
-	char store[MXNAME];
-
-	debug("addlookup()");
-	tr.base = deftype;
-	tr.length = strlen(deftype);
-	result = dns_rdatatype_fromtext(&rdtype, &tr);
-	if (result != ISC_R_SUCCESS) {
-		printf("unknown query type: %s\n", deftype);
-		rdclass = dns_rdatatype_a;
-	}
-	tr.base = defclass;
-	tr.length = strlen(defclass);
-	result = dns_rdataclass_fromtext(&rdclass, &tr);
-	if (result != ISC_R_SUCCESS) {
-		printf("unknown query class: %s\n", defclass);
-		rdclass = dns_rdataclass_in;
-	}
-	lookup = make_empty_lookup();
-	if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, ISC_TRUE)
-	    == ISC_R_SUCCESS) {
-		strlcpy(lookup->textname, store, sizeof(lookup->textname));
-		lookup->rdtype = dns_rdatatype_ptr;
-		lookup->rdtypeset = ISC_TRUE;
-	} else {
-		strlcpy(lookup->textname, opt, sizeof(lookup->textname));
-		lookup->rdtype = rdtype;
-		lookup->rdtypeset = ISC_TRUE;
-	}
-	lookup->rdclass = rdclass;
-	lookup->rdclassset = ISC_TRUE;
-	lookup->trace = ISC_FALSE;
-	lookup->trace_root = lookup->trace;
-	lookup->ns_search_only = ISC_FALSE;
-	lookup->identify = identify;
-	lookup->recurse = recurse;
-	lookup->aaonly = aaonly;
-	lookup->retries = tries;
-	lookup->udpsize = 0;
-	lookup->comments = comments;
-	lookup->tcp_mode = tcpmode;
-	lookup->stats = stats;
-	lookup->section_question = section_question;
-	lookup->section_answer = section_answer;
-	lookup->section_authority = section_authority;
-	lookup->section_additional = section_additional;
-	lookup->new_search = ISC_TRUE;
-	if (nofail)
-		lookup->servfail_stops = ISC_FALSE;
-	ISC_LIST_INIT(lookup->q);
-	ISC_LINK_INIT(lookup, link);
-	ISC_LIST_APPEND(lookup_list, lookup, link);
-	lookup->origin = NULL;
-	ISC_LIST_INIT(lookup->my_server_list);
-	debug("looking up %s", lookup->textname);
-}
-
-static void
-do_next_command(char *input) {
-	char *ptr, *arg;
-
-	ptr = next_token(&input, " \t\r\n");
-	if (ptr == NULL)
-		return;
-	arg = next_token(&input, " \t\r\n");
-	if ((strcasecmp(ptr, "set") == 0) &&
-	    (arg != NULL))
-		setoption(arg);
-	else if ((strcasecmp(ptr, "server") == 0) ||
-		 (strcasecmp(ptr, "lserver") == 0)) {
-		isc_app_block();
-		set_nameserver(arg);
-		check_ra = ISC_FALSE;
-		isc_app_unblock();
-		show_settings(ISC_TRUE, ISC_TRUE);
-	} else if (strcasecmp(ptr, "exit") == 0) {
-		in_use = ISC_FALSE;
-	} else if (strcasecmp(ptr, "help") == 0 ||
-		   strcasecmp(ptr, "?") == 0) {
-		printf("The '%s' command is not yet implemented.\n", ptr);
-	} else if (strcasecmp(ptr, "finger") == 0 ||
-		   strcasecmp(ptr, "root") == 0 ||
-		   strcasecmp(ptr, "ls") == 0 ||
-		   strcasecmp(ptr, "view") == 0) {
-		printf("The '%s' command is not implemented.\n", ptr);
-	} else
-		addlookup(ptr);
-}
-
-static void
-get_next_command(void) {
-	char *buf;
-	char *ptr;
-
-	fflush(stdout);
-	buf = isc_mem_allocate(mctx, COMMSIZE);
-	if (buf == NULL)
-		fatal("memory allocation failure");
-	isc_app_block();
-	if (interactive) {
-#ifdef HAVE_READLINE
-		ptr = readline("> ");
-		if (ptr != NULL && *ptr != '\0')
-			add_history(ptr);
-#else
-		fputs("> ", stderr);
-		fflush(stderr);
-		ptr = fgets(buf, COMMSIZE, stdin);
-#endif
-	} else
-		ptr = fgets(buf, COMMSIZE, stdin);
-	isc_app_unblock();
-	if (ptr == NULL) {
-		in_use = ISC_FALSE;
-	} else
-		do_next_command(ptr);
-#ifdef HAVE_READLINE
-	if (interactive)
-		free(ptr);
-#endif
-	isc_mem_free(mctx, buf);
-}
-
-static void
-parse_args(int argc, char **argv) {
-	isc_boolean_t have_lookup = ISC_FALSE;
-
-	usesearch = ISC_TRUE;
-	for (argc--, argv++; argc > 0; argc--, argv++) {
-		debug("main parsing %s", argv[0]);
-		if (argv[0][0] == '-') {
-			if (argv[0][1] != 0)
-				setoption(&argv[0][1]);
-			else
-				have_lookup = ISC_TRUE;
-		} else {
-			if (!have_lookup) {
-				have_lookup = ISC_TRUE;
-				in_use = ISC_TRUE;
-				addlookup(argv[0]);
-			} else {
-				set_nameserver(argv[0]);
-				check_ra = ISC_FALSE;
-			}
-		}
-	}
-}
-
-static void
-flush_lookup_list(void) {
-	dig_lookup_t *l, *lp;
-	dig_query_t *q, *qp;
-	dig_server_t *s, *sp;
-
-	lookup_counter = 0;
-	l = ISC_LIST_HEAD(lookup_list);
-	while (l != NULL) {
-		q = ISC_LIST_HEAD(l->q);
-		while (q != NULL) {
-			if (q->sock != NULL) {
-				isc_socket_cancel(q->sock, NULL,
-						  ISC_SOCKCANCEL_ALL);
-				isc_socket_detach(&q->sock);
-			}
-			if (ISC_LINK_LINKED(&q->recvbuf, link))
-				ISC_LIST_DEQUEUE(q->recvlist, &q->recvbuf,
-						 link);
-			if (ISC_LINK_LINKED(&q->lengthbuf, link))
-				ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf,
-						 link);
-			isc_buffer_invalidate(&q->recvbuf);
-			isc_buffer_invalidate(&q->lengthbuf);
-			qp = q;
-			q = ISC_LIST_NEXT(q, link);
-			ISC_LIST_DEQUEUE(l->q, qp, link);
-			isc_mem_free(mctx, qp);
-		}
-		s = ISC_LIST_HEAD(l->my_server_list);
-		while (s != NULL) {
-			sp = s;
-			s = ISC_LIST_NEXT(s, link);
-			ISC_LIST_DEQUEUE(l->my_server_list, sp, link);
-			isc_mem_free(mctx, sp);
-
-		}
-		if (l->sendmsg != NULL)
-			dns_message_destroy(&l->sendmsg);
-		if (l->timer != NULL)
-			isc_timer_detach(&l->timer);
-		lp = l;
-		l = ISC_LIST_NEXT(l, link);
-		ISC_LIST_DEQUEUE(lookup_list, lp, link);
-		isc_mem_free(mctx, lp);
-	}
-}
-
-static void
-getinput(isc_task_t *task, isc_event_t *event) {
-	UNUSED(task);
-	if (global_event == NULL)
-		global_event = event;
-	while (in_use) {
-		get_next_command();
-		if (ISC_LIST_HEAD(lookup_list) != NULL) {
-			start_lookup();
-			return;
-		}
-	}
-	isc_app_shutdown();
-}
-
-int
-main(int argc, char **argv) {
-	isc_result_t result;
-
-	interactive = ISC_TF(isatty(0));
-
-	ISC_LIST_INIT(lookup_list);
-	ISC_LIST_INIT(server_list);
-	ISC_LIST_INIT(search_list);
-
-	check_ra = ISC_TRUE;
-
-	result = isc_app_start();
-	check_result(result, "isc_app_start");
-
-	setup_libs();
-	progname = argv[0];
-
-	parse_args(argc, argv);
-
-	setup_system();
-	if (domainopt[0] != '\0')
-		set_search_domain(domainopt);
-	if (in_use)
-		result = isc_app_onrun(mctx, global_task, onrun_callback,
-				       NULL);
-	else
-		result = isc_app_onrun(mctx, global_task, getinput, NULL);
-	check_result(result, "isc_app_onrun");
-	in_use = ISC_TF(!in_use);
-
-	(void)isc_app_run();
-
-	puts("");
-	debug("done, and starting to shut down");
-	if (global_event != NULL)
-		isc_event_free(&global_event);
-	cancel_all();
-	destroy_libs();
-	isc_app_finish();
-
-	return (query_error | print_error);
-}
diff --git a/contrib/bind9/bin/dig/nslookup.docbook b/contrib/bind9/bin/dig/nslookup.docbook
deleted file mode 100644
index f4d497b..0000000
--- a/contrib/bind9/bin/dig/nslookup.docbook
+++ /dev/null
@@ -1,497 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2007, 2010  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: nslookup.docbook,v 1.18 2010/02/22 23:49:11 tbox Exp $ -->
-<!--
- - Copyright (c) 1985, 1989
- -    The Regents of the University of California.  All rights reserved.
- -
- - Redistribution and use in source and binary forms, with or without
- - modification, are permitted provided that the following conditions
- - are met:
- - 1. Redistributions of source code must retain the above copyright
- -    notice, this list of conditions and the following disclaimer.
- - 2. Redistributions in binary form must reproduce the above copyright
- -    notice, this list of conditions and the following disclaimer in the
- -    documentation and/or other materials provided with the distribution.
- - 3. All advertising materials mentioning features or use of this software
- -    must display the following acknowledgement:
- -     This product includes software developed by the University of
- -     California, Berkeley and its contributors.
- - 4. Neither the name of the University nor the names of its contributors
- -    may be used to endorse or promote products derived from this software
- -    without specific prior written permission.
- -
- - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- - ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- - SUCH DAMAGE.
--->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>nslookup</refentrytitle>
-    <manvolnum>1</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>nslookup</refname>
-    <refpurpose>query Internet name servers interactively</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2010</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>nslookup</command>
-      <arg><option>-option</option></arg>
-      <arg choice="opt">name | -</arg>
-      <arg choice="opt">server</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>Nslookup</command>
-      is a program to query Internet domain name servers.  <command>Nslookup</command>
-      has two modes: interactive and non-interactive.  Interactive mode allows
-      the user to query name servers for information about various hosts and
-      domains or to print a list of hosts in a domain.  Non-interactive mode
-      is
-      used to print just the name and requested information for a host or
-      domain.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>ARGUMENTS</title>
-    <para>
-      Interactive mode is entered in the following cases:
-      <orderedlist numeration="loweralpha">
-        <listitem>
-          <para>
-            when no arguments are given (the default name server will be used)
-          </para>
-        </listitem>
-        <listitem>
-          <para>
-            when the first argument is a hyphen (-) and the second argument is
-            the host name or Internet address of a name server.
-          </para>
-        </listitem>
-      </orderedlist>
-    </para>
-
-    <para>
-      Non-interactive mode is used when the name or Internet address of the
-      host to be looked up is given as the first argument. The optional second
-      argument specifies the host name or address of a name server.
-    </para>
-
-    <para>
-      Options can also be specified on the command line if they precede the
-      arguments and are prefixed with a hyphen.  For example, to
-      change the default query type to host information, and the initial
-      timeout to 10 seconds, type:
-      <!-- <informalexample> produces bad nroff. -->
-        <programlisting>
-nslookup -query=hinfo  -timeout=10
-</programlisting>
-      <!-- </informalexample> -->
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>INTERACTIVE COMMANDS</title>
-    <variablelist>
-      <varlistentry>
-        <term><constant>host</constant> <optional>server</optional></term>
-        <listitem>
-          <para>
-            Look up information for host using the current default server or
-            using server, if specified.  If host is an Internet address and
-            the query type is A or PTR, the name of the host is returned.
-            If host is a name and does not have a trailing period, the
-            search list is used to qualify the name.
-          </para>
-
-          <para>
-            To look up a host not in the current domain, append a period to
-            the name.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
-        <listitem>
-          <para/>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
-        <listitem>
-          <para>
-            Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
-            server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
-            the current default server.  If an authoritative answer can't be
-            found, the names of servers that might have the answer are
-            returned.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>root</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>finger</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>ls</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>view</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>help</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>?</constant></term>
-        <listitem>
-          <para>
-            not implemented
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>exit</constant></term>
-        <listitem>
-          <para>
-            Exits the program.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>set</constant>
-          <replaceable>keyword<optional>=value</optional></replaceable></term>
-        <listitem>
-          <para>
-            This command is used to change state information that affects
-            the lookups.  Valid keywords are:
-            <variablelist>
-              <varlistentry>
-                <term><constant>all</constant></term>
-                <listitem>
-                  <para>
-                    Prints the current values of the frequently used
-                    options to <command>set</command>.
-                    Information about the  current default
-                    server and host is also printed.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>class=</constant><replaceable>value</replaceable></term>
-                <listitem>
-                  <para>
-                    Change the query class to one of:
-                    <variablelist>
-                      <varlistentry>
-                        <term><constant>IN</constant></term>
-                        <listitem>
-                          <para>
-                            the Internet class
-                          </para>
-                        </listitem>
-                      </varlistentry>
-                      <varlistentry>
-                        <term><constant>CH</constant></term>
-                        <listitem>
-                          <para>
-                            the Chaos class
-                          </para>
-                        </listitem>
-                      </varlistentry>
-                      <varlistentry>
-                        <term><constant>HS</constant></term>
-                        <listitem>
-                          <para>
-                            the Hesiod class
-                          </para>
-                        </listitem>
-                      </varlistentry>
-                      <varlistentry>
-                        <term><constant>ANY</constant></term>
-                        <listitem>
-                          <para>
-                            wildcard
-                          </para>
-                        </listitem>
-                      </varlistentry>
-                    </variablelist>
-                    The class specifies the protocol group of the information.
-
-                  </para>
-		  <para>
-                    (Default = IN; abbreviation = cl)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>
-                    <replaceable><optional>no</optional></replaceable>debug</constant></term>
-                <listitem>
-                  <para>
-		    Turn on or off the display of the full response packet and
-		    any intermediate response packets when searching.
-                  </para>
-		  <para>
-                    (Default = nodebug; abbreviation = <optional>no</optional>deb)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>
-                    <replaceable><optional>no</optional></replaceable>d2</constant></term>
-                <listitem>
-                  <para>
-                    Turn debugging mode on or off.  This displays more about
-	            what nslookup is doing.
-                  </para>
-		  <para>
-                    (Default = nod2)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>domain=</constant><replaceable>name</replaceable></term>
-                <listitem>
-                  <para>
-                    Sets the search list to <replaceable>name</replaceable>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>
-                    <replaceable><optional>no</optional></replaceable>search</constant></term>
-                <listitem>
-                  <para>
-                    If the lookup request contains at least one period but
-                    doesn't end with a trailing period, append the domain
-                    names in the domain search list to the request until an
-                    answer is received.
-                  </para>
-		  <para>
-                    (Default = search)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>port=</constant><replaceable>value</replaceable></term>
-                <listitem>
-                  <para>
-                    Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
-                  </para>
-		  <para>
-                    (Default = 53; abbreviation = po)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>querytype=</constant><replaceable>value</replaceable></term>
-                <listitem>
-                  <para/>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>type=</constant><replaceable>value</replaceable></term>
-                <listitem>
-                  <para>
-                    Change the type of the information query.
-                  </para>
-		  <para>
-                    (Default = A; abbreviations = q, ty)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>
-                    <replaceable><optional>no</optional></replaceable>recurse</constant></term>
-                <listitem>
-                  <para>
-                    Tell the name server to query other servers if it does not
-                    have the
-                    information.
-                  </para>
-		  <para>
-                    (Default = recurse; abbreviation = [no]rec)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>retry=</constant><replaceable>number</replaceable></term>
-                <listitem>
-                  <para>
-                    Set the number of retries to number.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>timeout=</constant><replaceable>number</replaceable></term>
-                <listitem>
-                  <para>
-                    Change the initial timeout interval for waiting for a
-                    reply to number seconds.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>
-                    <replaceable><optional>no</optional></replaceable>vc</constant></term>
-                <listitem>
-                  <para>
-                    Always use a virtual circuit when sending requests to the
-                    server.
-                  </para>
-		  <para>
-                    (Default = novc)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><constant>
-                    <replaceable><optional>no</optional></replaceable>fail</constant></term>
-                <listitem>
-                  <para>
-		    Try the next nameserver if a nameserver responds with
-		    SERVFAIL or a referral (nofail) or terminate query
-		    (fail) on such a response.
-		  </para>
-		  <para>
-                    (Default = nofail)
-                  </para>
-	        </listitem>
-	      </varlistentry>
-
-            </variablelist>
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-    <para><filename>/etc/resolv.conf</filename>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>Author</title>
-    <para>
-      Andrew Cherenson
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dig/nslookup.html b/contrib/bind9/bin/dig/nslookup.html
deleted file mode 100644
index 4bf6aab..0000000
--- a/contrib/bind9/bin/dig/nslookup.html
+++ /dev/null
@@ -1,309 +0,0 @@
-<!--
- - Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nslookup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476277"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>nslookup &#8212; query Internet name servers interactively</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [<code class="option">-option</code>] [name | -] [server]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543361"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">Nslookup</strong></span>
-      is a program to query Internet domain name servers.  <span><strong class="command">Nslookup</strong></span>
-      has two modes: interactive and non-interactive.  Interactive mode allows
-      the user to query name servers for information about various hosts and
-      domains or to print a list of hosts in a domain.  Non-interactive mode
-      is
-      used to print just the name and requested information for a host or
-      domain.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543377"></a><h2>ARGUMENTS</h2>
-<p>
-      Interactive mode is entered in the following cases:
-      </p>
-<div class="orderedlist"><ol type="a">
-<li><p>
-            when no arguments are given (the default name server will be used)
-          </p></li>
-<li><p>
-            when the first argument is a hyphen (-) and the second argument is
-            the host name or Internet address of a name server.
-          </p></li>
-</ol></div>
-<p>
-    </p>
-<p>
-      Non-interactive mode is used when the name or Internet address of the
-      host to be looked up is given as the first argument. The optional second
-      argument specifies the host name or address of a name server.
-    </p>
-<p>
-      Options can also be specified on the command line if they precede the
-      arguments and are prefixed with a hyphen.  For example, to
-      change the default query type to host information, and the initial
-      timeout to 10 seconds, type:
-      
-        </p>
-<pre class="programlisting">
-nslookup -query=hinfo  -timeout=10
-</pre>
-<p>
-      
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543420"></a><h2>INTERACTIVE COMMANDS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
-<dd>
-<p>
-            Look up information for host using the current default server or
-            using server, if specified.  If host is an Internet address and
-            the query type is A or PTR, the name of the host is returned.
-            If host is a name and does not have a trailing period, the
-            search list is used to qualify the name.
-          </p>
-<p>
-            To look up a host not in the current domain, append a period to
-            the name.
-          </p>
-</dd>
-<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p></p></dd>
-<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
-            Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
-            server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
-            the current default server.  If an authoritative answer can't be
-            found, the names of servers that might have the answer are
-            returned.
-          </p></dd>
-<dt><span class="term"><code class="constant">root</code></span></dt>
-<dd><p>
-            not implemented
-          </p></dd>
-<dt><span class="term"><code class="constant">finger</code></span></dt>
-<dd><p>
-            not implemented
-          </p></dd>
-<dt><span class="term"><code class="constant">ls</code></span></dt>
-<dd><p>
-            not implemented
-          </p></dd>
-<dt><span class="term"><code class="constant">view</code></span></dt>
-<dd><p>
-            not implemented
-          </p></dd>
-<dt><span class="term"><code class="constant">help</code></span></dt>
-<dd><p>
-            not implemented
-          </p></dd>
-<dt><span class="term"><code class="constant">?</code></span></dt>
-<dd><p>
-            not implemented
-          </p></dd>
-<dt><span class="term"><code class="constant">exit</code></span></dt>
-<dd><p>
-            Exits the program.
-          </p></dd>
-<dt><span class="term"><code class="constant">set</code>
-          <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
-<dd>
-<p>
-            This command is used to change state information that affects
-            the lookups.  Valid keywords are:
-            </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">all</code></span></dt>
-<dd><p>
-                    Prints the current values of the frequently used
-                    options to <span><strong class="command">set</strong></span>.
-                    Information about the  current default
-                    server and host is also printed.
-                  </p></dd>
-<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-<p>
-                    Change the query class to one of:
-                    </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">IN</code></span></dt>
-<dd><p>
-                            the Internet class
-                          </p></dd>
-<dt><span class="term"><code class="constant">CH</code></span></dt>
-<dd><p>
-                            the Chaos class
-                          </p></dd>
-<dt><span class="term"><code class="constant">HS</code></span></dt>
-<dd><p>
-                            the Hesiod class
-                          </p></dd>
-<dt><span class="term"><code class="constant">ANY</code></span></dt>
-<dd><p>
-                            wildcard
-                          </p></dd>
-</dl></div>
-<p>
-                    The class specifies the protocol group of the information.
-
-                  </p>
-<p>
-                    (Default = IN; abbreviation = cl)
-                  </p>
-</dd>
-<dt><span class="term"><code class="constant">
-                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
-<dd>
-<p>
-		    Turn on or off the display of the full response packet and
-		    any intermediate response packets when searching.
-                  </p>
-<p>
-                    (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
-                  </p>
-</dd>
-<dt><span class="term"><code class="constant">
-                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
-<dd>
-<p>
-                    Turn debugging mode on or off.  This displays more about
-	            what nslookup is doing.
-                  </p>
-<p>
-                    (Default = nod2)
-                  </p>
-</dd>
-<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>
-                    Sets the search list to <em class="replaceable"><code>name</code></em>.
-                  </p></dd>
-<dt><span class="term"><code class="constant">
-                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
-<dd>
-<p>
-                    If the lookup request contains at least one period but
-                    doesn't end with a trailing period, append the domain
-                    names in the domain search list to the request until an
-                    answer is received.
-                  </p>
-<p>
-                    (Default = search)
-                  </p>
-</dd>
-<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-<p>
-                    Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
-                  </p>
-<p>
-                    (Default = 53; abbreviation = po)
-                  </p>
-</dd>
-<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd><p></p></dd>
-<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-<p>
-                    Change the type of the information query.
-                  </p>
-<p>
-                    (Default = A; abbreviations = q, ty)
-                  </p>
-</dd>
-<dt><span class="term"><code class="constant">
-                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
-<dd>
-<p>
-                    Tell the name server to query other servers if it does not
-                    have the
-                    information.
-                  </p>
-<p>
-                    (Default = recurse; abbreviation = [no]rec)
-                  </p>
-</dd>
-<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
-                    Set the number of retries to number.
-                  </p></dd>
-<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
-                    Change the initial timeout interval for waiting for a
-                    reply to number seconds.
-                  </p></dd>
-<dt><span class="term"><code class="constant">
-                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
-<dd>
-<p>
-                    Always use a virtual circuit when sending requests to the
-                    server.
-                  </p>
-<p>
-                    (Default = novc)
-                  </p>
-</dd>
-<dt><span class="term"><code class="constant">
-                    <em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
-<dd>
-<p>
-		    Try the next nameserver if a nameserver responds with
-		    SERVFAIL or a referral (nofail) or terminate query
-		    (fail) on such a response.
-		  </p>
-<p>
-                    (Default = nofail)
-                  </p>
-</dd>
-</dl></div>
-<p>
-          </p>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2546286"></a><h2>FILES</h2>
-<p><code class="filename">/etc/resolv.conf</code>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2546298"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2546332"></a><h2>Author</h2>
-<p>
-      Andrew Cherenson
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in
deleted file mode 100644
index 4f8bceb..0000000
--- a/contrib/bind9/bin/dnssec/Makefile.in
+++ /dev/null
@@ -1,120 +0,0 @@
-# Copyright (C) 2004, 2005, 2007-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.42.332.1 2011/03/16 06:37:51 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
-
-CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@
-CWARNINGS =
-
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-
-DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
-
-LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
-
-NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
-
-# Alphabetically
-TARGETS =	dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
-		dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
-		dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
-		dnssec-verify@EXEEXT@
-
-OBJS =		dnssectool.@O@
-
-SRCS =		dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
-		dnssec-revoke.c dnssec-settime.c dnssec-signzone.c \
-		dnssec-verify.c dnssectool.c
-
-MANPAGES =	dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
-		dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \
-		dnssec-verify.8
-
-HTMLPAGES =	dnssec-dsfromkey.html dnssec-keyfromlabel.html \
-		dnssec-keygen.html dnssec-revoke.html \
-		dnssec-settime.html dnssec-signzone.html \
-		dnssec-verify.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
-	export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
-	${FINALBUILDCMD}
-
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
-	export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
-	${FINALBUILDCMD}
-
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
-	export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
-	${FINALBUILDCMD}
-
-dnssec-signzone.@O@: dnssec-signzone.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-		-c ${srcdir}/dnssec-signzone.c
-
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
-	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
-	${FINALBUILDCMD}
-
-dnssec-verify.@O@: dnssec-verify.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-		-c ${srcdir}/dnssec-verify.c
-
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
-	export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
-	${FINALBUILDCMD}
-
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	dnssec-revoke.@O@ ${OBJS} ${LIBS}
-
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	dnssec-settime.@O@ ${OBJS} ${LIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: ${TARGETS} installdirs
-	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
-
-clean distclean::
-	rm -f ${TARGETS}
-
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
deleted file mode 100644
index 89d4228..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
+++ /dev/null
@@ -1,157 +0,0 @@
-.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-dsfromkey
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: August 26, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DNSSEC\-DSFROMKEY" "8" "August 26, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-dsfromkey \- DNSSEC DS RR generation tool
-.SH "SYNOPSIS"
-.HP 17
-\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
-.HP 17
-\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-dsfromkey\fR
-outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-.SH "OPTIONS"
-.PP
-\-1
-.RS 4
-Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256).
-.RE
-.PP
-\-2
-.RS 4
-Use SHA\-256 as the digest algorithm.
-.RE
-.PP
-\-a \fIalgorithm\fR
-.RS 4
-Select the digest algorithm. The value of
-\fBalgorithm\fR
-must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.
-.RE
-.PP
-\-T \fITTL\fR
-.RS 4
-Specifies the TTL of the DS records.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Look for key files (or, in keyset mode,
-\fIkeyset\-\fR
-files) in
-\fBdirectory\fR.
-.RE
-.PP
-\-f \fIfile\fR
-.RS 4
-Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
-\fBfile\fR. If the zone name is the same as
-\fBfile\fR, then it may be omitted.
-.sp
-If
-\fBfile\fR
-is set to
-"\-", then the zone data is read from the standard input. This makes it possible to use the output of the
-\fBdig\fR
-command as input, as in:
-.sp
-\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fR
-.RE
-.PP
-\-A
-.RS 4
-Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
-.RE
-.PP
-\-l \fIdomain\fR
-.RS 4
-Generate a DLV set instead of a DS set. The specified
-\fBdomain\fR
-is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
-.RE
-.PP
-\-s
-.RS 4
-Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level.
-.RE
-.SH "EXAMPLE"
-.PP
-To build the SHA\-256 DS RR from the
-\fBKexample.com.+003+26160\fR
-keyfile name, the following command would be issued:
-.PP
-\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fR
-.PP
-The command would print something like:
-.PP
-\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
-.SH "FILES"
-.PP
-The keyfile can be designed by the key identification
-\fIKnnnn.+aaa+iiiii\fR
-or the full file name
-\fIKnnnn.+aaa+iiiii.key\fR
-as generated by
-dnssec\-keygen(8).
-.PP
-The keyset file name is built from the
-\fBdirectory\fR, the string
-\fIkeyset\-\fR
-and the
-\fBdnsname\fR.
-.SH "CAVEAT"
-.PP
-A keyfile error can give a "file not found" even if the file exists.
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signzone\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 3658,
-RFC 4431.
-RFC 4509.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
deleted file mode 100644
index bfedae8..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
+++ /dev/null
@@ -1,559 +0,0 @@
-/*
- * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-dsfromkey.c,v 1.24 2011/10/25 01:54:18 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/ds.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-#ifndef PATH_MAX
-#define PATH_MAX 1024   /* AIX, WIN32, and others don't define this. */
-#endif
-
-const char *program = "dnssec-dsfromkey";
-int verbose;
-
-static dns_rdataclass_t rdclass;
-static dns_fixedname_t	fixed;
-static dns_name_t	*name = NULL;
-static isc_mem_t	*mctx = NULL;
-static isc_uint32_t	ttl;
-
-static isc_result_t
-initname(char *setname) {
-	isc_result_t result;
-	isc_buffer_t buf;
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-
-	isc_buffer_init(&buf, setname, strlen(setname));
-	isc_buffer_add(&buf, strlen(setname));
-	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
-	return (result);
-}
-
-static void
-db_load_from_stream(dns_db_t *db, FILE *fp) {
-	isc_result_t result;
-	dns_rdatacallbacks_t callbacks;
-
-	dns_rdatacallbacks_init(&callbacks);
-	result = dns_db_beginload(db, &callbacks.add, &callbacks.add_private);
-	if (result != ISC_R_SUCCESS)
-		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
-
-	result = dns_master_loadstream(fp, name, name, rdclass, 0,
-				       &callbacks, mctx);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't load from input: %s", isc_result_totext(result));
-
-	result = dns_db_endload(db, &callbacks.add_private);
-	if (result != ISC_R_SUCCESS)
-		fatal("dns_db_endload failed: %s", isc_result_totext(result));
-}
-
-static isc_result_t
-loadset(const char *filename, dns_rdataset_t *rdataset) {
-	isc_result_t	 result;
-	dns_db_t	 *db = NULL;
-	dns_dbnode_t	 *node = NULL;
-	char setname[DNS_NAME_FORMATSIZE];
-
-	dns_name_format(name, setname, sizeof(setname));
-
-	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
-			       rdclass, 0, NULL, &db);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't create database");
-
-	if (strcmp(filename, "-") == 0) {
-		db_load_from_stream(db, stdin);
-		filename = "input";
-	} else {
-		result = dns_db_load(db, filename);
-		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
-			fatal("can't load %s: %s", filename,
-			      isc_result_totext(result));
-	}
-
-	result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't find %s node in %s", setname, filename);
-
-	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
-				     0, 0, rdataset, NULL);
-
-	if (result == ISC_R_NOTFOUND)
-		fatal("no DNSKEY RR for %s in %s", setname, filename);
-	else if (result != ISC_R_SUCCESS)
-		fatal("dns_db_findrdataset");
-
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (db != NULL)
-		dns_db_detach(&db);
-	return (result);
-}
-
-static isc_result_t
-loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
-	isc_result_t	 result;
-	char		 filename[PATH_MAX + 1];
-	isc_buffer_t	 buf;
-
-	dns_rdataset_init(rdataset);
-
-	isc_buffer_init(&buf, filename, sizeof(filename));
-	if (dirname != NULL) {
-		/* allow room for a trailing slash */
-		if (strlen(dirname) >= isc_buffer_availablelength(&buf))
-			return (ISC_R_NOSPACE);
-		isc_buffer_putstr(&buf, dirname);
-		if (dirname[strlen(dirname) - 1] != '/')
-			isc_buffer_putstr(&buf, "/");
-	}
-
-	if (isc_buffer_availablelength(&buf) < 7)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putstr(&buf, "keyset-");
-
-	result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
-	check_result(result, "dns_name_tofilenametext()");
-	if (isc_buffer_availablelength(&buf) == 0)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putuint8(&buf, 0);
-
-	return (loadset(filename, rdataset));
-}
-
-static void
-loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
-	dns_rdata_t *rdata)
-{
-	isc_result_t  result;
-	dst_key_t     *key = NULL;
-	isc_buffer_t  keyb;
-	isc_region_t  r;
-
-	dns_rdata_init(rdata);
-
-	isc_buffer_init(&keyb, key_buf, key_buf_size);
-
-	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
-				       mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		fatal("invalid keyfile name %s: %s",
-		      filename, isc_result_totext(result));
-
-	if (verbose > 2) {
-		char keystr[DST_KEY_FORMATSIZE];
-
-		dst_key_format(key, keystr, sizeof(keystr));
-		fprintf(stderr, "%s: %s\n", program, keystr);
-	}
-
-	result = dst_key_todns(key, &keyb);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't decode key");
-
-	isc_buffer_usedregion(&keyb, &r);
-	dns_rdata_fromregion(rdata, dst_key_class(key),
-			     dns_rdatatype_dnskey, &r);
-
-	rdclass = dst_key_class(key);
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	result = dns_name_copy(dst_key_name(key), name, NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't copy name");
-
-	dst_key_free(&key);
-}
-
-static void
-logkey(dns_rdata_t *rdata)
-{
-	isc_result_t result;
-	dst_key_t    *key = NULL;
-	isc_buffer_t buf;
-	char	     keystr[DST_KEY_FORMATSIZE];
-
-	isc_buffer_init(&buf, rdata->data, rdata->length);
-	isc_buffer_add(&buf, rdata->length);
-	result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	dst_key_format(key, keystr, sizeof(keystr));
-	fprintf(stderr, "%s: %s\n", program, keystr);
-
-	dst_key_free(&key);
-}
-
-static void
-emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
-     dns_rdata_t *rdata)
-{
-	isc_result_t result;
-	unsigned char buf[DNS_DS_BUFFERSIZE];
-	char text_buf[DST_KEY_MAXTEXTSIZE];
-	char name_buf[DNS_NAME_MAXWIRE];
-	char class_buf[10];
-	isc_buffer_t textb, nameb, classb;
-	isc_region_t r;
-	dns_rdata_t ds;
-	dns_rdata_dnskey_t dnskey;
-
-	isc_buffer_init(&textb, text_buf, sizeof(text_buf));
-	isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
-	isc_buffer_init(&classb, class_buf, sizeof(class_buf));
-
-	dns_rdata_init(&ds);
-
-	result = dns_rdata_tostruct(rdata, &dnskey, NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't convert DNSKEY");
-
-	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
-		return;
-
-	result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't build record");
-
-	result = dns_name_totext(name, ISC_FALSE, &nameb);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't print name");
-
-	/* Add lookaside origin, if set */
-	if (lookaside != NULL) {
-		if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
-			fatal("DLV origin '%s' is too long", lookaside);
-		isc_buffer_putstr(&nameb, lookaside);
-		if (lookaside[strlen(lookaside) - 1] != '.') {
-			if (isc_buffer_availablelength(&nameb) < 1)
-				fatal("DLV origin '%s' is too long", lookaside);
-			isc_buffer_putstr(&nameb, ".");
-		}
-	}
-
-	result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
-				     &textb);
-
-	if (result != ISC_R_SUCCESS)
-		fatal("can't print rdata");
-
-	result = dns_rdataclass_totext(rdclass, &classb);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't print class");
-
-	isc_buffer_usedregion(&nameb, &r);
-	printf("%.*s ", (int)r.length, r.base);
-
-	if (ttl != 0U)
-		printf("%u ", ttl);
-
-	isc_buffer_usedregion(&classb, &r);
-	printf("%.*s", (int)r.length, r.base);
-
-	if (lookaside == NULL)
-		printf(" DS ");
-	else
-		printf(" DLV ");
-
-	isc_buffer_usedregion(&textb, &r);
-	printf("%.*s\n", (int)r.length, r.base);
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr,	"    %s options [-K dir] keyfile\n\n", program);
-	fprintf(stderr, "    %s options [-K dir] [-c class] -s dnsname\n\n",
-		program);
-	fprintf(stderr, "    %s options -f zonefile (as zone name)\n\n", program);
-	fprintf(stderr, "    %s options -f zonefile zonename\n\n", program);
-	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "Options:\n");
-	fprintf(stderr, "    -v <verbose level>\n");
-	fprintf(stderr, "    -K <directory>: directory in which to find "
-			"key file or keyset file\n");
-	fprintf(stderr, "    -a algorithm: digest algorithm "
-			"(SHA-1, SHA-256, GOST or SHA-384)\n");
-	fprintf(stderr, "    -1: use SHA-1\n");
-	fprintf(stderr, "    -2: use SHA-256\n");
-	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
-	fprintf(stderr, "    -s: read keyset from keyset-<dnsname> file\n");
-	fprintf(stderr, "    -c class: rdata class for DS set (default: IN)\n");
-	fprintf(stderr, "    -T TTL\n");
-	fprintf(stderr, "    -f file: read keyset from zone file\n");
-	fprintf(stderr, "    -A: when used with -f, "
-			"include all keys in DS set, not just KSKs\n");
-	fprintf(stderr, "Output: DS or DLV RRs\n");
-
-	exit (-1);
-}
-
-int
-main(int argc, char **argv) {
-	char		*algname = NULL, *classname = NULL;
-	char		*filename = NULL, *dir = NULL, *namestr;
-	char		*lookaside = NULL;
-	char		*endp;
-	int		ch;
-	unsigned int	dtype = DNS_DSDIGEST_SHA1;
-	isc_boolean_t	both = ISC_TRUE;
-	isc_boolean_t	usekeyset = ISC_FALSE;
-	isc_boolean_t	showall = ISC_FALSE;
-	isc_result_t	result;
-	isc_log_t	*log = NULL;
-	isc_entropy_t	*ectx = NULL;
-	dns_rdataset_t	rdataset;
-	dns_rdata_t	rdata;
-
-	dns_rdata_init(&rdata);
-
-	if (argc == 1)
-		usage();
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		fatal("out of memory");
-
-	dns_result_register();
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "12Aa:c:d:Ff:K:l:sT:v:h")) != -1) {
-		switch (ch) {
-		case '1':
-			dtype = DNS_DSDIGEST_SHA1;
-			both = ISC_FALSE;
-			break;
-		case '2':
-			dtype = DNS_DSDIGEST_SHA256;
-			both = ISC_FALSE;
-			break;
-		case 'A':
-			showall = ISC_TRUE;
-			break;
-		case 'a':
-			algname = isc_commandline_argument;
-			both = ISC_FALSE;
-			break;
-		case 'c':
-			classname = isc_commandline_argument;
-			break;
-		case 'd':
-			fprintf(stderr, "%s: the -d option is deprecated; "
-					"use -K\n", program);
-			/* fall through */
-		case 'K':
-			dir = isc_commandline_argument;
-			if (strlen(dir) == 0U)
-				fatal("directory must be non-empty string");
-			break;
-		case 'f':
-			filename = isc_commandline_argument;
-			break;
-		case 'l':
-			lookaside = isc_commandline_argument;
-			if (strlen(lookaside) == 0U)
-				fatal("lookaside must be a non-empty string");
-			break;
-		case 's':
-			usekeyset = ISC_TRUE;
-			break;
-		case 'T':
-			ttl = atol(isc_commandline_argument);
-			break;
-		case 'v':
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("-v must be followed by a number");
-			break;
-		case 'F':
-			/* Reserved for FIPS mode */
-			/* FALLTHROUGH */
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			/* FALLTHROUGH */
-		case 'h':
-			usage();
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (algname != NULL) {
-		if (strcasecmp(algname, "SHA1") == 0 ||
-		    strcasecmp(algname, "SHA-1") == 0)
-			dtype = DNS_DSDIGEST_SHA1;
-		else if (strcasecmp(algname, "SHA256") == 0 ||
-			 strcasecmp(algname, "SHA-256") == 0)
-			dtype = DNS_DSDIGEST_SHA256;
-#ifdef HAVE_OPENSSL_GOST
-		else if (strcasecmp(algname, "GOST") == 0)
-			dtype = DNS_DSDIGEST_GOST;
-#endif
-		else if (strcasecmp(algname, "SHA384") == 0 ||
-			 strcasecmp(algname, "SHA-384") == 0)
-			dtype = DNS_DSDIGEST_SHA384;
-		else
-			fatal("unknown algorithm %s", algname);
-	}
-
-	rdclass = strtoclass(classname);
-
-	if (usekeyset && filename != NULL)
-		fatal("cannot use both -s and -f");
-
-	/* When not using -f, -A is implicit */
-	if (filename == NULL)
-		showall = ISC_TRUE;
-
-	if (argc < isc_commandline_index + 1 && filename == NULL)
-		fatal("the key file name was not specified");
-	if (argc > isc_commandline_index + 1)
-		fatal("extraneous arguments");
-
-	if (ectx == NULL)
-		setup_entropy(mctx, NULL, &ectx);
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize hash");
-	result = dst_lib_init(mctx, ectx,
-			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst: %s",
-		      isc_result_totext(result));
-	isc_entropy_stopcallbacksources(ectx);
-
-	setup_logging(verbose, mctx, &log);
-
-	dns_rdataset_init(&rdataset);
-
-	if (usekeyset || filename != NULL) {
-		if (argc < isc_commandline_index + 1 && filename != NULL) {
-			/* using zone name as the zone file name */
-			namestr = filename;
-		} else
-			namestr = argv[isc_commandline_index];
-
-		result = initname(namestr);
-		if (result != ISC_R_SUCCESS)
-			fatal("could not initialize name %s", namestr);
-
-		if (usekeyset)
-			result = loadkeyset(dir, &rdataset);
-		else
-			result = loadset(filename, &rdataset);
-
-		if (result != ISC_R_SUCCESS)
-			fatal("could not load DNSKEY set: %s\n",
-			      isc_result_totext(result));
-
-		for (result = dns_rdataset_first(&rdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset)) {
-			dns_rdata_init(&rdata);
-			dns_rdataset_current(&rdataset, &rdata);
-
-			if (verbose > 2)
-				logkey(&rdata);
-
-			if (both) {
-				emit(DNS_DSDIGEST_SHA1, showall, lookaside,
-				     &rdata);
-				emit(DNS_DSDIGEST_SHA256, showall, lookaside,
-				     &rdata);
-			} else
-				emit(dtype, showall, lookaside, &rdata);
-		}
-	} else {
-		unsigned char key_buf[DST_KEY_MAXSIZE];
-
-		loadkey(argv[isc_commandline_index], key_buf,
-			DST_KEY_MAXSIZE, &rdata);
-
-		if (both) {
-			emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
-			emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
-		} else
-			emit(dtype, showall, lookaside, &rdata);
-	}
-
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	cleanup_logging(&log);
-	dst_lib_destroy();
-	isc_hash_destroy();
-	cleanup_entropy(&ectx);
-	dns_name_destroy();
-	if (verbose > 10)
-		isc_mem_stats(mctx, stdout);
-	isc_mem_destroy(&mctx);
-
-	fflush(stdout);
-	if (ferror(stdout)) {
-		fprintf(stderr, "write error\n");
-		return (1);
-	} else
-		return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
deleted file mode 100644
index 77c0994..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
+++ /dev/null
@@ -1,279 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-               [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-dsfromkey.docbook,v 1.17 2011/10/25 01:54:18 marka Exp $ -->
-<refentry id="man.dnssec-dsfromkey">
-  <refentryinfo>
-    <date>August 26, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-dsfromkey</application></refname>
-    <refpurpose>DNSSEC DS RR generation tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2012</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dnssec-dsfromkey</command>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg><option>-1</option></arg>
-      <arg><option>-2</option></arg>
-      <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg choice="req">keyfile</arg>
-    </cmdsynopsis>
-    <cmdsynopsis>
-      <command>dnssec-dsfromkey</command>
-      <arg choice="req">-s</arg>
-      <arg><option>-1</option></arg>
-      <arg><option>-2</option></arg>
-      <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
-      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      <arg><option>-s</option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
-      <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
-      <arg><option>-A</option></arg>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg choice="req">dnsname</arg>
-   </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>dnssec-dsfromkey</command>
-      outputs the Delegation Signer (DS) resource record (RR), as defined in
-      RFC 3658 and RFC 4509, for the given key(s).
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-1</term>
-        <listitem>
-          <para>
-            Use SHA-1 as the digest algorithm (the default is to use
-            both SHA-1 and SHA-256).
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-2</term>
-        <listitem>
-          <para>
-            Use SHA-256 as the digest algorithm.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
-        <listitem>
-          <para>
-            Select the digest algorithm. The value of
-            <option>algorithm</option> must be one of SHA-1 (SHA1),
-            SHA-256 (SHA256), GOST or SHA-384 (SHA384).
-            These values are case insensitive.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-T <replaceable class="parameter">TTL</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the TTL of the DS records.
-          </para>
-	  </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-K <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Look for key files (or, in keyset mode,
-            <filename>keyset-</filename> files) in
-            <option>directory</option>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-f <replaceable class="parameter">file</replaceable></term>
-        <listitem>
-          <para>
-            Zone file mode: in place of the keyfile name, the argument is
-            the DNS domain name of a zone master file, which can be read
-            from <option>file</option>.  If the zone name is the same as
-            <option>file</option>, then it may be omitted.
-          </para>
-          <para>
-            If <option>file</option> is set to <literal>"-"</literal>, then
-            the zone data is read from the standard input.  This makes it
-            possible to use the output of the <command>dig</command>
-            command as input, as in:
-          </para>
-          <para>
-            <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-A</term>
-        <listitem>
-          <para>
-            Include ZSK's when generating DS records.  Without this option,
-            only keys which have the KSK flag set will be converted to DS
-            records and printed.  Useful only in zone file mode. 
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-l <replaceable class="parameter">domain</replaceable></term>
-        <listitem>
-          <para>
-            Generate a DLV set instead of a DS set.  The specified
-            <option>domain</option> is appended to the name for each
-            record in the set.
-            The DNSSEC Lookaside Validation (DLV) RR is described
-            in RFC 4431.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s</term>
-        <listitem>
-          <para>
-            Keyset mode: in place of the keyfile name, the argument is
-            the DNS domain name of a keyset file.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">class</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the DNS class (default is IN).  Useful only
-            in keyset or zone file mode.
-          </para>
-	  </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-        <listitem>
-          <para>
-            Sets the debugging level.
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>EXAMPLE</title>
-    <para>
-      To build the SHA-256 DS RR from the
-      <userinput>Kexample.com.+003+26160</userinput>
-      keyfile name, the following command would be issued:
-    </para>
-    <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
-    </para>
-    <para>
-      The command would print something like:
-    </para>
-    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-    <para>
-      The keyfile can be designed by the key identification
-      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
-      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
-      <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
-    </para>
-    <para>
-      The keyset file name is built from the <option>directory</option>,
-      the string <filename>keyset-</filename> and the
-      <option>dnsname</option>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>CAVEAT</title>
-    <para>
-      A keyfile error can give a "file not found" even if the file exists.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 3658</citetitle>,
-      <citetitle>RFC 4431</citetitle>.
-      <citetitle>RFC 4509</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
deleted file mode 100644
index 50d4d78..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
+++ /dev/null
@@ -1,169 +0,0 @@
-<!--
- - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-dsfromkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543489"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-dsfromkey</strong></span>
-      outputs the Delegation Signer (DS) resource record (RR), as defined in
-      RFC 3658 and RFC 4509, for the given key(s).
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543500"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-1</span></dt>
-<dd><p>
-            Use SHA-1 as the digest algorithm (the default is to use
-            both SHA-1 and SHA-256).
-          </p></dd>
-<dt><span class="term">-2</span></dt>
-<dd><p>
-            Use SHA-256 as the digest algorithm.
-          </p></dd>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd><p>
-            Select the digest algorithm. The value of
-            <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
-            SHA-256 (SHA256), GOST or SHA-384 (SHA384).
-            These values are case insensitive.
-          </p></dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
-<dd><p>
-            Specifies the TTL of the DS records.
-          </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Look for key files (or, in keyset mode,
-            <code class="filename">keyset-</code> files) in
-            <code class="option">directory</code>.
-          </p></dd>
-<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-<p>
-            Zone file mode: in place of the keyfile name, the argument is
-            the DNS domain name of a zone master file, which can be read
-            from <code class="option">file</code>.  If the zone name is the same as
-            <code class="option">file</code>, then it may be omitted.
-          </p>
-<p>
-            If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
-            the zone data is read from the standard input.  This makes it
-            possible to use the output of the <span><strong class="command">dig</strong></span>
-            command as input, as in:
-          </p>
-<p>
-            <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
-          </p>
-</dd>
-<dt><span class="term">-A</span></dt>
-<dd><p>
-            Include ZSK's when generating DS records.  Without this option,
-            only keys which have the KSK flag set will be converted to DS
-            records and printed.  Useful only in zone file mode. 
-          </p></dd>
-<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
-            Generate a DLV set instead of a DS set.  The specified
-            <code class="option">domain</code> is appended to the name for each
-            record in the set.
-            The DNSSEC Lookaside Validation (DLV) RR is described
-            in RFC 4431.
-          </p></dd>
-<dt><span class="term">-s</span></dt>
-<dd><p>
-            Keyset mode: in place of the keyfile name, the argument is
-            the DNS domain name of a keyset file.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Specifies the DNS class (default is IN).  Useful only
-            in keyset or zone file mode.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543726"></a><h2>EXAMPLE</h2>
-<p>
-      To build the SHA-256 DS RR from the
-      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-      keyfile name, the following command would be issued:
-    </p>
-<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
-    </p>
-<p>
-      The command would print something like:
-    </p>
-<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543756"></a><h2>FILES</h2>
-<p>
-      The keyfile can be designed by the key identification
-      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
-      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
-      <span class="refentrytitle">dnssec-keygen</span>(8).
-    </p>
-<p>
-      The keyset file name is built from the <code class="option">directory</code>,
-      the string <code class="filename">keyset-</code> and the
-      <code class="option">dnsname</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543792"></a><h2>CAVEAT</h2>
-<p>
-      A keyfile error can give a "file not found" even if the file exists.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543801"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 3658</em>,
-      <em class="citetitle">RFC 4431</em>.
-      <em class="citetitle">RFC 4509</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543841"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
deleted file mode 100644
index 0e1ea16..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
+++ /dev/null
@@ -1,228 +0,0 @@
-.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-keyfromlabel
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: February 8, 2008
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DNSSEC\-KEYFROMLABEL" "8" "February 8, 2008" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-keyfromlabel \- DNSSEC key generation tool
-.SH "SYNOPSIS"
-.HP 20
-\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-y\fR] {name}
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-keyfromlabel\fR
-gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
-.PP
-The
-\fBname\fR
-of the key is specified on the command line. This must match the name of the zone for which the key is being generated.
-.SH "OPTIONS"
-.PP
-\-a \fIalgorithm\fR
-.RS 4
-Selects the cryptographic algorithm. The value of
-\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.
-.sp
-If no algorithm is specified, then RSASHA1 will be used by default, unless the
-\fB\-3\fR
-option is specified, in which case NSEC3RSASHA1 will be used instead. (If
-\fB\-3\fR
-is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
-.sp
-Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
-.sp
-Note 2: DH automatically sets the \-k flag.
-.RE
-.PP
-\-3
-.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
-.RE
-.PP
-\-E \fIengine\fR
-.RS 4
-Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to "pkcs11".
-.RE
-.PP
-\-l \fIlabel\fR
-.RS 4
-Specifies the label of the key pair in the crypto hardware. The label may be preceded by an optional OpenSSL engine name, separated by a colon, as in "pkcs11:keylabel".
-.RE
-.PP
-\-n \fInametype\fR
-.RS 4
-Specifies the owner type of the key. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
-.RE
-.PP
-\-C
-.RS 4
-Compatibility mode: generates an old\-style key, without any metadata. By default,
-\fBdnssec\-keyfromlabel\fR
-will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
-\fB\-C\fR
-option suppresses them.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
-.RE
-.PP
-\-f \fIflag\fR
-.RS 4
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
-.RE
-.PP
-\-G
-.RS 4
-Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
-.RE
-.PP
-\-h
-.RS 4
-Prints a short summary of the options and arguments to
-\fBdnssec\-keyfromlabel\fR.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Sets the directory in which the key files are to be written.
-.RE
-.PP
-\-k
-.RS 4
-Generate KEY records rather than DNSKEY records.
-.RE
-.PP
-\-L \fIttl\fR
-.RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
-0
-or
-none
-removes it.
-.RE
-.PP
-\-p \fIprotocol\fR
-.RS 4
-Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
-.RE
-.PP
-\-t \fItype\fR
-.RS 4
-Indicates the use of the key.
-\fBtype\fR
-must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level.
-.RE
-.PP
-\-y
-.RS 4
-Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you are sure you won't be using RFC 5011 trust anchor maintenance with either of the keys involved.)
-.RE
-.SH "TIMING OPTIONS"
-.PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
-.PP
-\-P \fIdate/offset\fR
-.RS 4
-Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
-.RE
-.PP
-\-A \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
-.RE
-.PP
-\-R \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
-.RE
-.PP
-\-I \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
-.RE
-.PP
-\-D \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
-.RE
-.SH "GENERATED KEY FILES"
-.PP
-When
-\fBdnssec\-keyfromlabel\fR
-completes successfully, it prints a string of the form
-\fIKnnnn.+aaa+iiiii\fR
-to the standard output. This is an identification string for the key files it has generated.
-.TP 4
-\(bu
-\fInnnn\fR
-is the key name.
-.TP 4
-\(bu
-\fIaaa\fR
-is the numeric representation of the algorithm.
-.TP 4
-\(bu
-\fIiiiii\fR
-is the key identifier (or footprint).
-.PP
-\fBdnssec\-keyfromlabel\fR
-creates two files, with names based on the printed string.
-\fIKnnnn.+aaa+iiiii.key\fR
-contains the public key, and
-\fIKnnnn.+aaa+iiiii.private\fR
-contains the private key.
-.PP
-The
-\fI.key\fR
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
-.PP
-The
-\fI.private\fR
-file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signzone\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 4034.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
deleted file mode 100644
index 3ad00d7..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
+++ /dev/null
@@ -1,587 +0,0 @@
-/*
- * Copyright (C) 2007-2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-keyfromlabel.c,v 1.38 2011/11/30 00:48:51 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-#define MAX_RSA 4096 /* should be long enough... */
-
-const char *program = "dnssec-keyfromlabel";
-int verbose;
-
-#define DEFAULT_ALGORITHM "RSASHA1"
-#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
-
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
-			  " NSEC3DSA | NSEC3RSASHA1 |"
-			  " RSASHA256 | RSASHA512 | ECCGOST |"
-			  " ECDSAP256SHA256 | ECDSAP384SHA384";
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s -l label [options] name\n\n",
-		program);
-	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "Required options:\n");
-	fprintf(stderr, "    -l label: label of the key pair\n");
-	fprintf(stderr, "    name: owner of the key\n");
-	fprintf(stderr, "Other options:\n");
-	fprintf(stderr, "    -a algorithm: %s\n", algs);
-	fprintf(stderr, "       (default: RSASHA1, or "
-			       "NSEC3RSASHA1 if using -3)\n");
-	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
-	fprintf(stderr, "    -c class (default: IN)\n");
-#ifdef USE_PKCS11
-	fprintf(stderr, "    -E enginename (default: pkcs11)\n");
-#else
-	fprintf(stderr, "    -E enginename\n");
-#endif
-	fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
-	fprintf(stderr, "    -K directory: directory in which to place "
-			"key files\n");
-	fprintf(stderr, "    -k: generate a TYPE=KEY key\n");
-	fprintf(stderr, "    -L ttl: default key TTL\n");
-	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
-	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
-	fprintf(stderr, "    -p protocol: default: 3 [dnssec]\n");
-	fprintf(stderr, "    -t type: "
-		"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
-		"(default: AUTHCONF)\n");
-	fprintf(stderr, "    -y: permit keys that might collide\n");
-	fprintf(stderr, "    -v verbose level\n");
-	fprintf(stderr, "Date options:\n");
-	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
-	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
-	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
-	fprintf(stderr, "    -I date/[+-]offset: set key inactivation date\n");
-	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
-	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
-	fprintf(stderr, "    -C: generate a backward-compatible key, omitting"
-			" all dates\n");
-	fprintf(stderr, "Output:\n");
-	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
-			"K<name>+<alg>+<id>.private\n");
-
-	exit (-1);
-}
-
-int
-main(int argc, char **argv) {
-	char		*algname = NULL, *freeit = NULL;
-	char		*nametype = NULL, *type = NULL;
-	const char	*directory = NULL;
-#ifdef USE_PKCS11
-	const char	*engine = "pkcs11";
-#else
-	const char	*engine = NULL;
-#endif
-	char		*classname = NULL;
-	char		*endp;
-	dst_key_t	*key = NULL;
-	dns_fixedname_t	fname;
-	dns_name_t	*name;
-	isc_uint16_t	flags = 0, kskflag = 0, revflag = 0;
-	dns_secalg_t	alg;
-	isc_boolean_t	oldstyle = ISC_FALSE;
-	isc_mem_t	*mctx = NULL;
-	int		ch;
-	int		protocol = -1, signatory = 0;
-	isc_result_t	ret;
-	isc_textregion_t r;
-	char		filename[255];
-	isc_buffer_t	buf;
-	isc_log_t	*log = NULL;
-	isc_entropy_t	*ectx = NULL;
-	dns_rdataclass_t rdclass;
-	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
-	char		*label = NULL;
-	dns_ttl_t	ttl = 0;
-	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
-	isc_stdtime_t	inactive = 0, delete = 0;
-	isc_stdtime_t	now;
-	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
-	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
-	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
-	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
-	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
-	isc_boolean_t	unsetdel = ISC_FALSE;
-	isc_boolean_t	genonly = ISC_FALSE;
-	isc_boolean_t	use_nsec3 = ISC_FALSE;
-	isc_boolean_t   avoid_collisions = ISC_TRUE;
-	isc_boolean_t	exact;
-	unsigned char	c;
-
-	if (argc == 1)
-		usage();
-
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
-	dns_result_register();
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	isc_stdtime_get(&now);
-
-	while ((ch = isc_commandline_parse(argc, argv,
-			"3a:Cc:E:f:K:kl:L:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
-	{
-	    switch (ch) {
-		case '3':
-			use_nsec3 = ISC_TRUE;
-			break;
-		case 'a':
-			algname = isc_commandline_argument;
-			break;
-		case 'C':
-			oldstyle = ISC_TRUE;
-			break;
-		case 'c':
-			classname = isc_commandline_argument;
-			break;
-		case 'E':
-			engine = isc_commandline_argument;
-			break;
-		case 'f':
-			c = (unsigned char)(isc_commandline_argument[0]);
-			if (toupper(c) == 'K')
-				kskflag = DNS_KEYFLAG_KSK;
-			else if (toupper(c) == 'R')
-				revflag = DNS_KEYFLAG_REVOKE;
-			else
-				fatal("unknown flag '%s'",
-				      isc_commandline_argument);
-			break;
-		case 'K':
-			directory = isc_commandline_argument;
-			ret = try_dir(directory);
-			if (ret != ISC_R_SUCCESS)
-				fatal("cannot open directory %s: %s",
-				      directory, isc_result_totext(ret));
-			break;
-		case 'k':
-			options |= DST_TYPE_KEY;
-			break;
-		case 'L':
-			if (strcmp(isc_commandline_argument, "none") == 0)
-				ttl = 0;
-			else
-				ttl = strtottl(isc_commandline_argument);
-			setttl = ISC_TRUE;
-			break;
-		case 'l':
-			label = isc_mem_strdup(mctx, isc_commandline_argument);
-			break;
-		case 'n':
-			nametype = isc_commandline_argument;
-			break;
-		case 'p':
-			protocol = strtol(isc_commandline_argument, &endp, 10);
-			if (*endp != '\0' || protocol < 0 || protocol > 255)
-				fatal("-p must be followed by a number "
-				      "[0..255]");
-			break;
-		case 't':
-			type = isc_commandline_argument;
-			break;
-		case 'v':
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("-v must be followed by a number");
-			break;
-		case 'y':
-			avoid_collisions = ISC_FALSE;
-			break;
-		case 'G':
-			genonly = ISC_TRUE;
-			break;
-		case 'P':
-			if (setpub || unsetpub)
-				fatal("-P specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setpub = ISC_TRUE;
-				publish = strtotime(isc_commandline_argument,
-						    now, now);
-			} else {
-				unsetpub = ISC_TRUE;
-			}
-			break;
-		case 'A':
-			if (setact || unsetact)
-				fatal("-A specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setact = ISC_TRUE;
-				activate = strtotime(isc_commandline_argument,
-						     now, now);
-			} else {
-				unsetact = ISC_TRUE;
-			}
-			break;
-		case 'R':
-			if (setrev || unsetrev)
-				fatal("-R specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setrev = ISC_TRUE;
-				revoke = strtotime(isc_commandline_argument,
-						   now, now);
-			} else {
-				unsetrev = ISC_TRUE;
-			}
-			break;
-		case 'I':
-			if (setinact || unsetinact)
-				fatal("-I specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setinact = ISC_TRUE;
-				inactive = strtotime(isc_commandline_argument,
-						     now, now);
-			} else {
-				unsetinact = ISC_TRUE;
-			}
-			break;
-		case 'D':
-			if (setdel || unsetdel)
-				fatal("-D specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setdel = ISC_TRUE;
-				delete = strtotime(isc_commandline_argument,
-						   now, now);
-			} else {
-				unsetdel = ISC_TRUE;
-			}
-			break;
-		case 'F':
-			/* Reserved for FIPS mode */
-			/* FALLTHROUGH */
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			/* FALLTHROUGH */
-		case 'h':
-			usage();
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (ectx == NULL)
-		setup_entropy(mctx, NULL, &ectx);
-	ret = dst_lib_init2(mctx, ectx, engine,
-			    ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
-	if (ret != ISC_R_SUCCESS)
-		fatal("could not initialize dst: %s",
-		      isc_result_totext(ret));
-
-	setup_logging(verbose, mctx, &log);
-
-	if (label == NULL)
-		fatal("the key label was not specified");
-	if (argc < isc_commandline_index + 1)
-		fatal("the key name was not specified");
-	if (argc > isc_commandline_index + 1)
-		fatal("extraneous arguments");
-
-	if (strchr(label, ':') == NULL &&
-	    engine != NULL && strlen(engine) != 0U) {
-		char *l;
-		int len;
-
-		len = strlen(label) + strlen(engine) + 2;
-		l = isc_mem_allocate(mctx, len);
-		if (l == NULL)
-			fatal("cannot allocate memory");
-		snprintf(l, len, "%s:%s", engine, label);
-		isc_mem_free(mctx, label);
-		label = l;
-	}
-
-	if (algname == NULL) {
-		if (use_nsec3)
-			algname = strdup(DEFAULT_NSEC3_ALGORITHM);
-		else
-			algname = strdup(DEFAULT_ALGORITHM);
-		if (algname == NULL)
-			fatal("strdup failed");
-		freeit = algname;
-		if (verbose > 0)
-			fprintf(stderr, "no algorithm specified; "
-				"defaulting to %s\n", algname);
-	}
-
-	if (strcasecmp(algname, "RSA") == 0) {
-		fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
-				"If you still wish to use RSA (RSAMD5) please "
-				"specify \"-a RSAMD5\"\n");
-		if (freeit != NULL)
-			free(freeit);
-		return (1);
-	} else {
-		r.base = algname;
-		r.length = strlen(algname);
-		ret = dns_secalg_fromtext(&alg, &r);
-		if (ret != ISC_R_SUCCESS)
-			fatal("unknown algorithm %s", algname);
-		if (alg == DST_ALG_DH)
-			options |= DST_TYPE_KEY;
-	}
-
-	if (use_nsec3 &&
-	    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
-	    alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
-	    alg != DST_ALG_ECCGOST &&
-	    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
-		fatal("%s is incompatible with NSEC3; "
-		      "do not use the -3 option", algname);
-	}
-
-	if (type != NULL && (options & DST_TYPE_KEY) != 0) {
-		if (strcasecmp(type, "NOAUTH") == 0)
-			flags |= DNS_KEYTYPE_NOAUTH;
-		else if (strcasecmp(type, "NOCONF") == 0)
-			flags |= DNS_KEYTYPE_NOCONF;
-		else if (strcasecmp(type, "NOAUTHCONF") == 0) {
-			flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
-		}
-		else if (strcasecmp(type, "AUTHCONF") == 0)
-			/* nothing */;
-		else
-			fatal("invalid type %s", type);
-	}
-
-	if (nametype == NULL) {
-		if ((options & DST_TYPE_KEY) != 0) /* KEY */
-			fatal("no nametype specified");
-		flags |= DNS_KEYOWNER_ZONE;	/* DNSKEY */
-	} else if (strcasecmp(nametype, "zone") == 0)
-		flags |= DNS_KEYOWNER_ZONE;
-	else if ((options & DST_TYPE_KEY) != 0)	{ /* KEY */
-		if (strcasecmp(nametype, "host") == 0 ||
-			 strcasecmp(nametype, "entity") == 0)
-			flags |= DNS_KEYOWNER_ENTITY;
-		else if (strcasecmp(nametype, "user") == 0)
-			flags |= DNS_KEYOWNER_USER;
-		else
-			fatal("invalid KEY nametype %s", nametype);
-	} else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
-		fatal("invalid DNSKEY nametype %s", nametype);
-
-	rdclass = strtoclass(classname);
-
-	if (directory == NULL)
-		directory = ".";
-
-	if ((options & DST_TYPE_KEY) != 0)  /* KEY */
-		flags |= signatory;
-	else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
-		flags |= kskflag;
-		flags |= revflag;
-	}
-
-	if (protocol == -1)
-		protocol = DNS_KEYPROTO_DNSSEC;
-	else if ((options & DST_TYPE_KEY) == 0 &&
-		 protocol != DNS_KEYPROTO_DNSSEC)
-		fatal("invalid DNSKEY protocol: %d", protocol);
-
-	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
-		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
-			fatal("specified null key with signing authority");
-	}
-
-	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
-	    alg == DNS_KEYALG_DH)
-		fatal("a key with algorithm '%s' cannot be a zone key",
-		      algname);
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	isc_buffer_init(&buf, argv[isc_commandline_index],
-			strlen(argv[isc_commandline_index]));
-	isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
-	ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
-	if (ret != ISC_R_SUCCESS)
-		fatal("invalid key name %s: %s", argv[isc_commandline_index],
-		      isc_result_totext(ret));
-
-	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
-
-	/* associate the key */
-	ret = dst_key_fromlabel(name, alg, flags, protocol,
-				rdclass, engine, label, NULL, mctx, &key);
-	isc_entropy_stopcallbacksources(ectx);
-
-	if (ret != ISC_R_SUCCESS) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		char algstr[DNS_SECALG_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof(namestr));
-		dns_secalg_format(alg, algstr, sizeof(algstr));
-		fatal("failed to get key %s/%s: %s\n",
-		      namestr, algstr, isc_result_totext(ret));
-		/* NOTREACHED */
-		exit(-1);
-	}
-
-	/*
-	 * Set key timing metadata (unless using -C)
-	 *
-	 * Publish and activation dates are set to "now" by default, but
-	 * can be overridden.  Creation date is always set to "now".
-	 */
-	if (!oldstyle) {
-		dst_key_settime(key, DST_TIME_CREATED, now);
-
-		if (genonly && (setpub || setact))
-			fatal("cannot use -G together with -P or -A options");
-
-		if (setpub)
-			dst_key_settime(key, DST_TIME_PUBLISH, publish);
-		else if (setact)
-			dst_key_settime(key, DST_TIME_PUBLISH, activate);
-		else if (!genonly && !unsetpub)
-			dst_key_settime(key, DST_TIME_PUBLISH, now);
-
-		if (setact)
-			dst_key_settime(key, DST_TIME_ACTIVATE, activate);
-		else if (!genonly && !unsetact)
-			dst_key_settime(key, DST_TIME_ACTIVATE, now);
-
-		if (setrev) {
-			if (kskflag == 0)
-				fprintf(stderr, "%s: warning: Key is "
-					"not flagged as a KSK, but -R "
-					"was used. Revoking a ZSK is "
-					"legal, but undefined.\n",
-					program);
-			dst_key_settime(key, DST_TIME_REVOKE, revoke);
-		}
-
-		if (setinact)
-			dst_key_settime(key, DST_TIME_INACTIVE, inactive);
-
-		if (setdel)
-			dst_key_settime(key, DST_TIME_DELETE, delete);
-	} else {
-		if (setpub || setact || setrev || setinact ||
-		    setdel || unsetpub || unsetact ||
-		    unsetrev || unsetinact || unsetdel || genonly)
-			fatal("cannot use -C together with "
-			      "-P, -A, -R, -I, -D, or -G options");
-		/*
-		 * Compatibility mode: Private-key-format
-		 * should be set to 1.2.
-		 */
-		dst_key_setprivateformat(key, 1, 2);
-	}
-
-	/* Set default key TTL */
-	if (setttl)
-		dst_key_setttl(key, ttl);
-
-	/*
-	 * Do not overwrite an existing key.  Warn LOUDLY if there
-	 * is a risk of ID collision due to this key or another key
-	 * being revoked.
-	 */
-	if (key_collision(key, name, directory, mctx, &exact)) {
-		isc_buffer_clear(&buf);
-		ret = dst_key_buildfilename(key, 0, directory, &buf);
-		if (ret != ISC_R_SUCCESS)
-			fatal("dst_key_buildfilename returned: %s\n",
-			      isc_result_totext(ret));
-		if (exact)
-			fatal("%s: %s already exists\n", program, filename);
-
-		if (avoid_collisions)
-			fatal("%s: %s could collide with another key upon "
-			      "revokation\n", program, filename);
-
-		fprintf(stderr, "%s: WARNING: Key %s could collide with "
-				"another key upon revokation.  If you plan "
-				"to revoke keys, destroy this key and "
-				"generate a different one.\n",
-				program, filename);
-	}
-
-	ret = dst_key_tofile(key, options, directory);
-	if (ret != ISC_R_SUCCESS) {
-		char keystr[DST_KEY_FORMATSIZE];
-		dst_key_format(key, keystr, sizeof(keystr));
-		fatal("failed to write key %s: %s\n", keystr,
-		      isc_result_totext(ret));
-	}
-
-	isc_buffer_clear(&buf);
-	ret = dst_key_buildfilename(key, 0, NULL, &buf);
-	if (ret != ISC_R_SUCCESS)
-		fatal("dst_key_buildfilename returned: %s\n",
-		      isc_result_totext(ret));
-	printf("%s\n", filename);
-	dst_key_free(&key);
-
-	cleanup_logging(&log);
-	cleanup_entropy(&ectx);
-	dst_lib_destroy();
-	dns_name_destroy();
-	if (verbose > 10)
-		isc_mem_stats(mctx, stdout);
-	isc_mem_free(mctx, label);
-	isc_mem_destroy(&mctx);
-
-	if (freeit != NULL)
-		free(freeit);
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
deleted file mode 100644
index 0dd3c0e..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
+++ /dev/null
@@ -1,446 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.21 2011/03/17 01:40:34 each Exp $ -->
-<refentry id="man.dnssec-keyfromlabel">
-  <refentryinfo>
-    <date>February 8, 2008</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-keyfromlabel</application></refname>
-    <refpurpose>DNSSEC key generation tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2012</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dnssec-keyfromlabel</command>
-      <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
-      <arg><option>-3</option></arg>
-      <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
-      <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
-      <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
-      <arg><option>-G</option></arg>
-      <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-k</option></arg>
-      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
-      <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
-      <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg><option>-y</option></arg>
-      <arg choice="req">name</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>dnssec-keyfromlabel</command>
-      gets keys with the given label from a crypto hardware and builds
-      key files for DNSSEC (Secure DNS), as defined in RFC 2535
-      and RFC 4034.  
-    </para>
-    <para>
-      The <option>name</option> of the key is specified on the command
-      line.  This must match the name of the zone for which the key is
-      being generated.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
-        <listitem>
-	  <para>
-	    Selects the cryptographic algorithm.  The value of
-            <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
-	    These values are case insensitive.
-	  </para>
-          <para>
-            If no algorithm is specified, then RSASHA1 will be used by
-            default, unless the <option>-3</option> option is specified,
-            in which case NSEC3RSASHA1 will be used instead.  (If
-            <option>-3</option> is used and an algorithm is specified,
-            that algorithm will be checked for compatibility with NSEC3.)
-          </para>
-          <para>
-            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
-            algorithm, and DSA is recommended.
-          </para>
-          <para>
-            Note 2: DH automatically sets the -k flag.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-3</term>
-        <listitem>
-          <para>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-            If this option is used and no algorithm is explicitly
-            set on the command line, NSEC3RSASHA1 will be used by
-            default.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-E <replaceable class="parameter">engine</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the name of the crypto hardware (OpenSSL engine).
-            When compiled with PKCS#11 support it defaults to "pkcs11".
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-l <replaceable class="parameter">label</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the label of the key pair in the crypto hardware.
-            The label may be preceded by an optional OpenSSL engine name,
-            separated by a colon, as in "pkcs11:keylabel".
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-n <replaceable class="parameter">nametype</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the owner type of the key.  The value of
-            <option>nametype</option> must either be ZONE (for a DNSSEC
-            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
-            a host (KEY)),
-            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are case insensitive.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-C</term>
-        <listitem>
-          <para>
-	    Compatibility mode:  generates an old-style key, without
-	    any metadata.  By default, <command>dnssec-keyfromlabel</command>
-	    will include the key's creation date in the metadata stored
-	    with the private key, and other dates may be set there as well
-	    (publication date, activation date, etc).  Keys that include
-	    this data may be incompatible with older versions of BIND; the
-	    <option>-C</option> option suppresses them.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">class</replaceable></term>
-        <listitem>
-          <para>
-            Indicates that the DNS record containing the key should have
-            the specified class.  If not specified, class IN is used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-f <replaceable class="parameter">flag</replaceable></term>
-        <listitem>
-          <para>
-            Set the specified flag in the flag field of the KEY/DNSKEY record.
-            The only recognized flags are KSK (Key Signing Key) and REVOKE.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-G</term>
-        <listitem>
-          <para>
-            Generate a key, but do not publish it or sign with it.  This
-            option is incompatible with -P and -A.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-h</term>
-        <listitem>
-          <para>
-            Prints a short summary of the options and arguments to
-            <command>dnssec-keyfromlabel</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-K <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Sets the directory in which the key files are to be written.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-k</term>
-        <listitem>
-          <para>
-            Generate KEY records rather than DNSKEY records.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-L <replaceable class="parameter">ttl</replaceable></term>
-        <listitem>
-          <para>
-            Sets the default TTL to use for this key when it is converted
-            into a DNSKEY RR.  If the key is imported into a zone,
-            this is the TTL that will be used for it, unless there was
-            already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <literal>0</literal> or <literal>none</literal> removes it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p <replaceable class="parameter">protocol</replaceable></term>
-        <listitem>
-          <para>
-            Sets the protocol value for the key.  The protocol
-            is a number between 0 and 255.  The default is 3 (DNSSEC).
-            Other possible values for this argument are listed in
-            RFC 2535 and its successors.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">type</replaceable></term>
-        <listitem>
-          <para>
-            Indicates the use of the key.  <option>type</option> must be
-            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-            is AUTHCONF.  AUTH refers to the ability to authenticate
-            data, and CONF the ability to encrypt data.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-        <listitem>
-          <para>
-            Sets the debugging level.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-y</term>
-        <listitem>
-          <para>
-            Allows DNSSEC key files to be generated even if the key ID
-	    would collide with that of an existing key, in the event of
-	    either key being revoked.  (This is only safe to use if you
-            are sure you won't be using RFC 5011 trust anchor maintenance
-            with either of the keys involved.)
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>TIMING OPTIONS</title>
-
-    <para>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.
-    </para>
-
-    <variablelist>
-      <varlistentry>
-        <term>-P <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which a key is to be published to the zone.
-            After that date, the key will be included in the zone but will
-            not be used to sign it.  If not set, and if the -G option has
-            not been used, the default is "now".
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-A <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be activated.  After that
-            date, the key will be included in the zone and used to sign
-            it.  If not set, and if the -G option has not been used, the
-            default is "now".
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-R <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be revoked.  After that
-            date, the key will be flagged as revoked.  It will be included
-            in the zone and will be used to sign it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-I <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be retired.  After that
-            date, the key will still be included in the zone, but it
-            will not be used to sign it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-D <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be deleted.  After that
-            date, the key will no longer be included in the zone.  (It
-            may remain in the key repository, however.)
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>GENERATED KEY FILES</title>
-    <para>
-      When <command>dnssec-keyfromlabel</command> completes
-      successfully,
-      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
-      to the standard output.  This is an identification string for
-      the key files it has generated.
-    </para>
-    <itemizedlist>
-      <listitem>
-        <para><filename>nnnn</filename> is the key name.
-        </para>
-      </listitem>
-      <listitem>
-        <para><filename>aaa</filename> is the numeric representation
-          of the algorithm.
-        </para>
-      </listitem>
-      <listitem>
-        <para><filename>iiiii</filename> is the key identifier (or
-          footprint).
-        </para>
-      </listitem>
-    </itemizedlist>
-    <para><command>dnssec-keyfromlabel</command> 
-      creates two files, with names based
-      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
-      contains the public key, and
-      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
-      private key.
-    </para>
-    <para>
-      The <filename>.key</filename> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
-    </para>
-    <para>
-      The <filename>.private</filename> file contains
-      algorithm-specific
-      fields.  For obvious security reasons, this file does not have
-      general read permission.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 4034</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
deleted file mode 100644
index f0e2c5c..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
+++ /dev/null
@@ -1,275 +0,0 @@
-<!--
- - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-keyfromlabel</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543507"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
-      gets keys with the given label from a crypto hardware and builds
-      key files for DNSSEC (Secure DNS), as defined in RFC 2535
-      and RFC 4034.  
-    </p>
-<p>
-      The <code class="option">name</code> of the key is specified on the command
-      line.  This must match the name of the zone for which the key is
-      being generated.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543525"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-<p>
-	    Selects the cryptographic algorithm.  The value of
-            <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
-	    These values are case insensitive.
-	  </p>
-<p>
-            If no algorithm is specified, then RSASHA1 will be used by
-            default, unless the <code class="option">-3</code> option is specified,
-            in which case NSEC3RSASHA1 will be used instead.  (If
-            <code class="option">-3</code> is used and an algorithm is specified,
-            that algorithm will be checked for compatibility with NSEC3.)
-          </p>
-<p>
-            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
-            algorithm, and DSA is recommended.
-          </p>
-<p>
-            Note 2: DH automatically sets the -k flag.
-          </p>
-</dd>
-<dt><span class="term">-3</span></dt>
-<dd><p>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-            If this option is used and no algorithm is explicitly
-            set on the command line, NSEC3RSASHA1 will be used by
-            default.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Specifies the name of the crypto hardware (OpenSSL engine).
-            When compiled with PKCS#11 support it defaults to "pkcs11".
-          </p></dd>
-<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
-<dd><p>
-            Specifies the label of the key pair in the crypto hardware.
-            The label may be preceded by an optional OpenSSL engine name,
-            separated by a colon, as in "pkcs11:keylabel".
-          </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd><p>
-            Specifies the owner type of the key.  The value of
-            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
-            a host (KEY)),
-            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are case insensitive.
-          </p></dd>
-<dt><span class="term">-C</span></dt>
-<dd><p>
-	    Compatibility mode:  generates an old-style key, without
-	    any metadata.  By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
-	    will include the key's creation date in the metadata stored
-	    with the private key, and other dates may be set there as well
-	    (publication date, activation date, etc).  Keys that include
-	    this data may be incompatible with older versions of BIND; the
-	    <code class="option">-C</code> option suppresses them.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Indicates that the DNS record containing the key should have
-            the specified class.  If not specified, class IN is used.
-          </p></dd>
-<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
-            Set the specified flag in the flag field of the KEY/DNSKEY record.
-            The only recognized flags are KSK (Key Signing Key) and REVOKE.
-          </p></dd>
-<dt><span class="term">-G</span></dt>
-<dd><p>
-            Generate a key, but do not publish it or sign with it.  This
-            option is incompatible with -P and -A.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Prints a short summary of the options and arguments to
-            <span><strong class="command">dnssec-keyfromlabel</strong></span>.
-          </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Sets the directory in which the key files are to be written.
-          </p></dd>
-<dt><span class="term">-k</span></dt>
-<dd><p>
-            Generate KEY records rather than DNSKEY records.
-          </p></dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
-            Sets the default TTL to use for this key when it is converted
-            into a DNSKEY RR.  If the key is imported into a zone,
-            this is the TTL that will be used for it, unless there was
-            already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <code class="literal">0</code> or <code class="literal">none</code> removes it.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd><p>
-            Sets the protocol value for the key.  The protocol
-            is a number between 0 and 255.  The default is 3 (DNSSEC).
-            Other possible values for this argument are listed in
-            RFC 2535 and its successors.
-          </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd><p>
-            Indicates the use of the key.  <code class="option">type</code> must be
-            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-            is AUTHCONF.  AUTH refers to the ability to authenticate
-            data, and CONF the ability to encrypt data.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-y</span></dt>
-<dd><p>
-            Allows DNSSEC key files to be generated even if the key ID
-	    would collide with that of an existing key, in the event of
-	    either key being revoked.  (This is only safe to use if you
-            are sure you won't be using RFC 5011 trust anchor maintenance
-            with either of the keys involved.)
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543980"></a><h2>TIMING OPTIONS</h2>
-<p>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which a key is to be published to the zone.
-            After that date, the key will be included in the zone but will
-            not be used to sign it.  If not set, and if the -G option has
-            not been used, the default is "now".
-          </p></dd>
-<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be activated.  After that
-            date, the key will be included in the zone and used to sign
-            it.  If not set, and if the -G option has not been used, the
-            default is "now".
-          </p></dd>
-<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be revoked.  After that
-            date, the key will be flagged as revoked.  It will be included
-            in the zone and will be used to sign it.
-          </p></dd>
-<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be retired.  After that
-            date, the key will still be included in the zone, but it
-            will not be used to sign it.
-          </p></dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be deleted.  After that
-            date, the key will no longer be included in the zone.  (It
-            may remain in the key repository, however.)
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543054"></a><h2>GENERATED KEY FILES</h2>
-<p>
-      When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
-      successfully,
-      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
-      to the standard output.  This is an identification string for
-      the key files it has generated.
-    </p>
-<div class="itemizedlist"><ul type="disc">
-<li><p><code class="filename">nnnn</code> is the key name.
-        </p></li>
-<li><p><code class="filename">aaa</code> is the numeric representation
-          of the algorithm.
-        </p></li>
-<li><p><code class="filename">iiiii</code> is the key identifier (or
-          footprint).
-        </p></li>
-</ul></div>
-<p><span><strong class="command">dnssec-keyfromlabel</strong></span> 
-      creates two files, with names based
-      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
-      contains the public key, and
-      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
-      private key.
-    </p>
-<p>
-      The <code class="filename">.key</code> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
-    </p>
-<p>
-      The <code class="filename">.private</code> file contains
-      algorithm-specific
-      fields.  For obvious security reasons, this file does not have
-      general read permission.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543127"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 4034</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543160"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8
deleted file mode 100644
index 90daddd..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.8
+++ /dev/null
@@ -1,308 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007-2012 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-keygen
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-keygen \- DNSSEC key generation tool
-.SH "SYNOPSIS"
-.HP 14
-\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-keygen\fR
-generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
-.PP
-The
-\fBname\fR
-of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated.
-.SH "OPTIONS"
-.PP
-\-a \fIalgorithm\fR
-.RS 4
-Selects the cryptographic algorithm. For DNSSEC keys, the value of
-\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
-.sp
-If no algorithm is specified, then RSASHA1 will be used by default, unless the
-\fB\-3\fR
-option is specified, in which case NSEC3RSASHA1 will be used instead. (If
-\fB\-3\fR
-is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
-.sp
-Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
-.sp
-Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option.
-.RE
-.PP
-\-b \fIkeysize\fR
-.RS 4
-Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.
-.sp
-The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
-\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
-\fB\-a\fR, then there is no default key size, and the
-\fB\-b\fR
-must be used.
-.RE
-.PP
-\-n \fInametype\fR
-.RS 4
-Specifies the owner type of the key. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
-.RE
-.PP
-\-3
-.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable.
-.RE
-.PP
-\-C
-.RS 4
-Compatibility mode: generates an old\-style key, without any metadata. By default,
-\fBdnssec\-keygen\fR
-will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
-\fB\-C\fR
-option suppresses them.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
-.RE
-.PP
-\-E \fIengine\fR
-.RS 4
-Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
-.RE
-.PP
-\-f \fIflag\fR
-.RS 4
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
-.RE
-.PP
-\-G
-.RS 4
-Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
-.RE
-.PP
-\-g \fIgenerator\fR
-.RS 4
-If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
-.RE
-.PP
-\-h
-.RS 4
-Prints a short summary of the options and arguments to
-\fBdnssec\-keygen\fR.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Sets the directory in which the key files are to be written.
-.RE
-.PP
-\-k
-.RS 4
-Deprecated in favor of \-T KEY.
-.RE
-.PP
-\-L \fIttl\fR
-.RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
-0
-or
-none
-removes it.
-.RE
-.PP
-\-p \fIprotocol\fR
-.RS 4
-Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
-.RE
-.PP
-\-q
-.RS 4
-Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when
-\fBdnssec\-keygen\fR
-is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
-\fIstderr\fR
-indicating the progress of the key generation. A '.' indicates that a random number has been found which passed an initial sieve test; '+' means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key.
-.RE
-.PP
-\-r \fIrandomdev\fR
-.RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-S \fIkey\fR
-.RS 4
-Create a new key which is an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the existing key. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
-.RE
-.PP
-\-s \fIstrength\fR
-.RS 4
-Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
-.RE
-.PP
-\-T \fIrrtype\fR
-.RS 4
-Specifies the resource record type to use for the key.
-\fBrrtype\fR
-must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).
-Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY.
-.RE
-.PP
-\-t \fItype\fR
-.RS 4
-Indicates the use of the key.
-\fBtype\fR
-must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level.
-.RE
-.SH "TIMING OPTIONS"
-.PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
-.PP
-\-P \fIdate/offset\fR
-.RS 4
-Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
-.RE
-.PP
-\-A \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
-.RE
-.PP
-\-R \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
-.RE
-.PP
-\-I \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
-.RE
-.PP
-\-D \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
-.RE
-.PP
-\-i \fIinterval\fR
-.RS 4
-Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
-.sp
-If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
-.sp
-As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
-.RE
-.SH "GENERATED KEYS"
-.PP
-When
-\fBdnssec\-keygen\fR
-completes successfully, it prints a string of the form
-\fIKnnnn.+aaa+iiiii\fR
-to the standard output. This is an identification string for the key it has generated.
-.TP 4
-\(bu
-\fInnnn\fR
-is the key name.
-.TP 4
-\(bu
-\fIaaa\fR
-is the numeric representation of the algorithm.
-.TP 4
-\(bu
-\fIiiiii\fR
-is the key identifier (or footprint).
-.PP
-\fBdnssec\-keygen\fR
-creates two files, with names based on the printed string.
-\fIKnnnn.+aaa+iiiii.key\fR
-contains the public key, and
-\fIKnnnn.+aaa+iiiii.private\fR
-contains the private key.
-.PP
-The
-\fI.key\fR
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
-.PP
-The
-\fI.private\fR
-file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
-.PP
-Both
-\fI.key\fR
-and
-\fI.private\fR
-files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent.
-.SH "EXAMPLE"
-.PP
-To generate a 768\-bit DSA key for the domain
-\fBexample.com\fR, the following command would be issued:
-.PP
-\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example.com\fR
-.PP
-The command would print a string of the form:
-.PP
-\fBKexample.com.+003+26160\fR
-.PP
-In this example,
-\fBdnssec\-keygen\fR
-creates the files
-\fIKexample.com.+003+26160.key\fR
-and
-\fIKexample.com.+003+26160.private\fR.
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-signzone\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 2539,
-RFC 2845,
-RFC 4034.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2012 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2003 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c
deleted file mode 100644
index 1e61ca3..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.c
+++ /dev/null
@@ -1,1054 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-keygen.c,v 1.120 2011/11/30 00:48:51 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-#define MAX_RSA 4096 /* should be long enough... */
-
-const char *program = "dnssec-keygen";
-int verbose;
-
-#define DEFAULT_ALGORITHM "RSASHA1"
-#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void progress(int p);
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s [options] name\n\n", program);
-	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "    name: owner of the key\n");
-	fprintf(stderr, "Options:\n");
-	fprintf(stderr, "    -K <directory>: write keys into directory\n");
-	fprintf(stderr, "    -a <algorithm>:\n");
-	fprintf(stderr, "        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
-				" | NSEC3DSA |\n");
-	fprintf(stderr, "        RSASHA256 | RSASHA512 | ECCGOST |\n");
-	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
-	fprintf(stderr, "        DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
-				"HMAC-SHA256 | \n");
-	fprintf(stderr, "        HMAC-SHA384 | HMAC-SHA512\n");
-	fprintf(stderr, "       (default: RSASHA1, or "
-			       "NSEC3RSASHA1 if using -3)\n");
-	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
-	fprintf(stderr, "    -b <key size in bits>:\n");
-	fprintf(stderr, "        RSAMD5:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        RSASHA1:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        RSASHA256:\t[512..%d]\n", MAX_RSA);
-	fprintf(stderr, "        RSASHA512:\t[1024..%d]\n", MAX_RSA);
-	fprintf(stderr, "        DH:\t\t[128..4096]\n");
-	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
-	fprintf(stderr, "        NSEC3DSA:\t[512..1024] and divisible "
-				"by 64\n");
-	fprintf(stderr, "        ECCGOST:\tignored\n");
-	fprintf(stderr, "        ECDSAP256SHA256:\tignored\n");
-	fprintf(stderr, "        ECDSAP384SHA384:\tignored\n");
-	fprintf(stderr, "        HMAC-MD5:\t[1..512]\n");
-	fprintf(stderr, "        HMAC-SHA1:\t[1..160]\n");
-	fprintf(stderr, "        HMAC-SHA224:\t[1..224]\n");
-	fprintf(stderr, "        HMAC-SHA256:\t[1..256]\n");
-	fprintf(stderr, "        HMAC-SHA384:\t[1..384]\n");
-	fprintf(stderr, "        HMAC-SHA512:\t[1..512]\n");
-	fprintf(stderr, "        (if using the default algorithm, key size\n"
-			"        defaults to 2048 for KSK, or 1024 for all "
-			"others)\n");
-	fprintf(stderr, "    -n <nametype>: ZONE | HOST | ENTITY | "
-					    "USER | OTHER\n");
-	fprintf(stderr, "        (DNSKEY generation defaults to ZONE)\n");
-	fprintf(stderr, "    -c <class>: (default: IN)\n");
-	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
-#ifdef USE_PKCS11
-	fprintf(stderr, "    -E <engine name> (default \"pkcs11\")\n");
-#else
-	fprintf(stderr, "    -E <engine name>\n");
-#endif
-	fprintf(stderr, "    -f <keyflag>: KSK | REVOKE\n");
-	fprintf(stderr, "    -g <generator>: use specified generator "
-			"(DH only)\n");
-	fprintf(stderr, "    -L <ttl>: default key TTL\n");
-	fprintf(stderr, "    -p <protocol>: (default: 3 [dnssec])\n");
-	fprintf(stderr, "    -r <randomdev>: a file containing random data\n");
-	fprintf(stderr, "    -s <strength>: strength value this key signs DNS "
-			"records with (default: 0)\n");
-	fprintf(stderr, "    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
-			"use KEY for SIG(0))\n");
-	fprintf(stderr, "        ECCGOST:\tignored\n");
-	fprintf(stderr, "    -t <type>: "
-			"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
-			"(default: AUTHCONF)\n");
-	fprintf(stderr, "    -h: print usage and exit\n");
-	fprintf(stderr, "    -m <memory debugging mode>:\n");
-	fprintf(stderr, "       usage | trace | record | size | mctx\n");
-	fprintf(stderr, "    -v <level>: set verbosity level (0 - 10)\n");
-	fprintf(stderr, "Timing options:\n");
-	fprintf(stderr, "    -P date/[+-]offset/none: set key publication date "
-						"(default: now)\n");
-	fprintf(stderr, "    -A date/[+-]offset/none: set key activation date "
-						"(default: now)\n");
-	fprintf(stderr, "    -R date/[+-]offset/none: set key "
-						     "revocation date\n");
-	fprintf(stderr, "    -I date/[+-]offset/none: set key "
-						     "inactivation date\n");
-	fprintf(stderr, "    -D date/[+-]offset/none: set key deletion date\n");
-	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
-	fprintf(stderr, "    -C: generate a backward-compatible key, omitting "
-			"all dates\n");
-	fprintf(stderr, "    -S <key>: generate a successor to an existing "
-				      "key\n");
-	fprintf(stderr, "    -i <interval>: prepublication interval for "
-					   "successor key "
-					   "(default: 30 days)\n");
-	fprintf(stderr, "Output:\n");
-	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
-			"K<name>+<alg>+<id>.private\n");
-
-	exit (-1);
-}
-
-static isc_boolean_t
-dsa_size_ok(int size) {
-	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
-}
-
-static void
-progress(int p)
-{
-	char c = '*';
-
-	switch (p) {
-	case 0:
-		c = '.';
-		break;
-	case 1:
-		c = '+';
-		break;
-	case 2:
-		c = '*';
-		break;
-	case 3:
-		c = ' ';
-		break;
-	default:
-		break;
-	}
-	(void) putc(c, stderr);
-	(void) fflush(stderr);
-}
-
-int
-main(int argc, char **argv) {
-	char		*algname = NULL, *freeit = NULL;
-	char		*nametype = NULL, *type = NULL;
-	char		*classname = NULL;
-	char		*endp;
-	dst_key_t	*key = NULL;
-	dns_fixedname_t	fname;
-	dns_name_t	*name;
-	isc_uint16_t	flags = 0, kskflag = 0, revflag = 0;
-	dns_secalg_t	alg;
-	isc_boolean_t	conflict = ISC_FALSE, null_key = ISC_FALSE;
-	isc_boolean_t	oldstyle = ISC_FALSE;
-	isc_mem_t	*mctx = NULL;
-	int		ch, generator = 0, param = 0;
-	int		protocol = -1, size = -1, signatory = 0;
-	isc_result_t	ret;
-	isc_textregion_t r;
-	char		filename[255];
-	const char	*directory = NULL;
-	const char	*predecessor = NULL;
-	dst_key_t	*prevkey = NULL;
-	isc_buffer_t	buf;
-	isc_log_t	*log = NULL;
-	isc_entropy_t	*ectx = NULL;
-#ifdef USE_PKCS11
-	const char	*engine = "pkcs11";
-#else
-	const char	*engine = NULL;
-#endif
-	dns_rdataclass_t rdclass;
-	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
-	int		dbits = 0;
-	dns_ttl_t	ttl = 0;
-	isc_boolean_t	use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
-	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
-	isc_stdtime_t	inactive = 0, delete = 0;
-	isc_stdtime_t	now;
-	int		prepub = -1;
-	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
-	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
-	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
-	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
-	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
-	isc_boolean_t	unsetdel = ISC_FALSE;
-	isc_boolean_t	genonly = ISC_FALSE;
-	isc_boolean_t	quiet = ISC_FALSE;
-	isc_boolean_t	show_progress = ISC_FALSE;
-	unsigned char	c;
-
-	if (argc == 1)
-		usage();
-
-	dns_result_register();
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	/*
-	 * Process memory debugging argument first.
-	 */
-#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:v:"
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (ch) {
-		case 'm':
-			if (strcasecmp(isc_commandline_argument, "record") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
-			if (strcasecmp(isc_commandline_argument, "trace") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
-			if (strcasecmp(isc_commandline_argument, "usage") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
-			if (strcasecmp(isc_commandline_argument, "size") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
-			if (strcasecmp(isc_commandline_argument, "mctx") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
-			break;
-		default:
-			break;
-		}
-	}
-	isc_commandline_reset = ISC_TRUE;
-
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
-	isc_stdtime_get(&now);
-
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-	    switch (ch) {
-		case '3':
-			use_nsec3 = ISC_TRUE;
-			break;
-		case 'a':
-			algname = isc_commandline_argument;
-			break;
-		case 'b':
-			size = strtol(isc_commandline_argument, &endp, 10);
-			if (*endp != '\0' || size < 0)
-				fatal("-b requires a non-negative number");
-			break;
-		case 'C':
-			oldstyle = ISC_TRUE;
-			break;
-		case 'c':
-			classname = isc_commandline_argument;
-			break;
-		case 'd':
-			dbits = strtol(isc_commandline_argument, &endp, 10);
-			if (*endp != '\0' || dbits < 0)
-				fatal("-d requires a non-negative number");
-			break;
-		case 'E':
-			engine = isc_commandline_argument;
-			break;
-		case 'e':
-			fprintf(stderr,
-				"phased-out option -e "
-				"(was 'use (RSA) large exponent)\n");
-			break;
-		case 'f':
-			c = (unsigned char)(isc_commandline_argument[0]);
-			if (toupper(c) == 'K')
-				kskflag = DNS_KEYFLAG_KSK;
-			else if (toupper(c) == 'R')
-				revflag = DNS_KEYFLAG_REVOKE;
-			else
-				fatal("unknown flag '%s'",
-				      isc_commandline_argument);
-			break;
-		case 'g':
-			generator = strtol(isc_commandline_argument,
-					   &endp, 10);
-			if (*endp != '\0' || generator <= 0)
-				fatal("-g requires a positive number");
-			break;
-		case 'K':
-			directory = isc_commandline_argument;
-			ret = try_dir(directory);
-			if (ret != ISC_R_SUCCESS)
-				fatal("cannot open directory %s: %s",
-				      directory, isc_result_totext(ret));
-			break;
-		case 'k':
-			fatal("The -k option has been deprecated.\n"
-			      "To generate a key-signing key, use -f KSK.\n"
-			      "To generate a key with TYPE=KEY, use -T KEY.\n");
-			break;
-		case 'L':
-			if (strcmp(isc_commandline_argument, "none") == 0)
-				ttl = 0;
-			else
-				ttl = strtottl(isc_commandline_argument);
-			setttl = ISC_TRUE;
-			break;
-		case 'n':
-			nametype = isc_commandline_argument;
-			break;
-		case 'm':
-			break;
-		case 'p':
-			protocol = strtol(isc_commandline_argument, &endp, 10);
-			if (*endp != '\0' || protocol < 0 || protocol > 255)
-				fatal("-p must be followed by a number "
-				      "[0..255]");
-			break;
-		case 'q':
-			quiet = ISC_TRUE;
-			break;
-		case 'r':
-			setup_entropy(mctx, isc_commandline_argument, &ectx);
-			break;
-		case 's':
-			signatory = strtol(isc_commandline_argument,
-					   &endp, 10);
-			if (*endp != '\0' || signatory < 0 || signatory > 15)
-				fatal("-s must be followed by a number "
-				      "[0..15]");
-			break;
-		case 'T':
-			if (strcasecmp(isc_commandline_argument, "KEY") == 0)
-				options |= DST_TYPE_KEY;
-			else if (strcasecmp(isc_commandline_argument,
-				 "DNSKEY") == 0)
-				/* default behavior */
-				;
-			else
-				fatal("unknown type '%s'",
-				      isc_commandline_argument);
-			break;
-		case 't':
-			type = isc_commandline_argument;
-			break;
-		case 'v':
-			endp = NULL;
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("-v must be followed by a number");
-			break;
-		case 'z':
-			/* already the default */
-			break;
-		case 'G':
-			genonly = ISC_TRUE;
-			break;
-		case 'P':
-			if (setpub || unsetpub)
-				fatal("-P specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setpub = ISC_TRUE;
-				publish = strtotime(isc_commandline_argument,
-						    now, now);
-			} else {
-				unsetpub = ISC_TRUE;
-			}
-			break;
-		case 'A':
-			if (setact || unsetact)
-				fatal("-A specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setact = ISC_TRUE;
-				activate = strtotime(isc_commandline_argument,
-						     now, now);
-			} else {
-				unsetact = ISC_TRUE;
-			}
-			break;
-		case 'R':
-			if (setrev || unsetrev)
-				fatal("-R specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setrev = ISC_TRUE;
-				revoke = strtotime(isc_commandline_argument,
-						   now, now);
-			} else {
-				unsetrev = ISC_TRUE;
-			}
-			break;
-		case 'I':
-			if (setinact || unsetinact)
-				fatal("-I specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setinact = ISC_TRUE;
-				inactive = strtotime(isc_commandline_argument,
-						     now, now);
-			} else {
-				unsetinact = ISC_TRUE;
-			}
-			break;
-		case 'D':
-			if (setdel || unsetdel)
-				fatal("-D specified more than once");
-
-			if (strcasecmp(isc_commandline_argument, "none")) {
-				setdel = ISC_TRUE;
-				delete = strtotime(isc_commandline_argument,
-						   now, now);
-			} else {
-				unsetdel = ISC_TRUE;
-			}
-			break;
-		case 'S':
-			predecessor = isc_commandline_argument;
-			break;
-		case 'i':
-			prepub = strtottl(isc_commandline_argument);
-			break;
-		case 'F':
-			/* Reserved for FIPS mode */
-			/* FALLTHROUGH */
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			/* FALLTHROUGH */
-		case 'h':
-			usage();
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (!isatty(0))
-		quiet = ISC_TRUE;
-
-	if (ectx == NULL)
-		setup_entropy(mctx, NULL, &ectx);
-	ret = dst_lib_init2(mctx, ectx, engine,
-			    ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
-	if (ret != ISC_R_SUCCESS)
-		fatal("could not initialize dst: %s",
-		      isc_result_totext(ret));
-
-	setup_logging(verbose, mctx, &log);
-
-	if (predecessor == NULL) {
-		if (prepub == -1)
-			prepub = 0;
-
-		if (argc < isc_commandline_index + 1)
-			fatal("the key name was not specified");
-		if (argc > isc_commandline_index + 1)
-			fatal("extraneous arguments");
-
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		isc_buffer_init(&buf, argv[isc_commandline_index],
-				strlen(argv[isc_commandline_index]));
-		isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
-		ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
-		if (ret != ISC_R_SUCCESS)
-			fatal("invalid key name %s: %s",
-			      argv[isc_commandline_index],
-			      isc_result_totext(ret));
-
-		if (algname == NULL) {
-			use_default = ISC_TRUE;
-			if (use_nsec3)
-				algname = strdup(DEFAULT_NSEC3_ALGORITHM);
-			else
-				algname = strdup(DEFAULT_ALGORITHM);
-			if (algname == NULL)
-				fatal("strdup failed");
-			freeit = algname;
-			if (verbose > 0)
-				fprintf(stderr, "no algorithm specified; "
-						"defaulting to %s\n", algname);
-		}
-
-		if (strcasecmp(algname, "RSA") == 0) {
-			fprintf(stderr, "The use of RSA (RSAMD5) is not "
-					"recommended.\nIf you still wish to "
-					"use RSA (RSAMD5) please specify "
-					"\"-a RSAMD5\"\n");
-			INSIST(freeit == NULL);
-			return (1);
-		} else if (strcasecmp(algname, "HMAC-MD5") == 0)
-			alg = DST_ALG_HMACMD5;
-		else if (strcasecmp(algname, "HMAC-SHA1") == 0)
-			alg = DST_ALG_HMACSHA1;
-		else if (strcasecmp(algname, "HMAC-SHA224") == 0)
-			alg = DST_ALG_HMACSHA224;
-		else if (strcasecmp(algname, "HMAC-SHA256") == 0)
-			alg = DST_ALG_HMACSHA256;
-		else if (strcasecmp(algname, "HMAC-SHA384") == 0)
-			alg = DST_ALG_HMACSHA384;
-		else if (strcasecmp(algname, "HMAC-SHA512") == 0)
-			alg = DST_ALG_HMACSHA512;
-		else {
-			r.base = algname;
-			r.length = strlen(algname);
-			ret = dns_secalg_fromtext(&alg, &r);
-			if (ret != ISC_R_SUCCESS)
-				fatal("unknown algorithm %s", algname);
-			if (alg == DST_ALG_DH)
-				options |= DST_TYPE_KEY;
-		}
-
-		if (use_nsec3 &&
-		    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
-		    alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
-		    alg != DST_ALG_ECCGOST &&
-		    alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
-			fatal("%s is incompatible with NSEC3; "
-			      "do not use the -3 option", algname);
-		}
-
-		if (type != NULL && (options & DST_TYPE_KEY) != 0) {
-			if (strcasecmp(type, "NOAUTH") == 0)
-				flags |= DNS_KEYTYPE_NOAUTH;
-			else if (strcasecmp(type, "NOCONF") == 0)
-				flags |= DNS_KEYTYPE_NOCONF;
-			else if (strcasecmp(type, "NOAUTHCONF") == 0) {
-				flags |= (DNS_KEYTYPE_NOAUTH |
-					  DNS_KEYTYPE_NOCONF);
-				if (size < 0)
-					size = 0;
-			}
-			else if (strcasecmp(type, "AUTHCONF") == 0)
-				/* nothing */;
-			else
-				fatal("invalid type %s", type);
-		}
-
-		if (size < 0) {
-			if (use_default) {
-				if ((kskflag & DNS_KEYFLAG_KSK) != 0)
-					size = 2048;
-				else
-					size = 1024;
-				if (verbose > 0)
-					fprintf(stderr, "key size not "
-							"specified; defaulting"
-							" to %d\n", size);
-			} else if (alg != DST_ALG_ECCGOST &&
-				   alg != DST_ALG_ECDSA256 &&
-				   alg != DST_ALG_ECDSA384)
-				fatal("key size not specified (-b option)");
-		}
-
-		if (!oldstyle && prepub > 0) {
-			if (setpub && setact && (activate - prepub) < publish)
-				fatal("Activation and publication dates "
-				      "are closer together than the\n\t"
-				      "prepublication interval.");
-
-			if (!setpub && !setact) {
-				setpub = setact = ISC_TRUE;
-				publish = now;
-				activate = now + prepub;
-			} else if (setpub && !setact) {
-				setact = ISC_TRUE;
-				activate = publish + prepub;
-			} else if (setact && !setpub) {
-				setpub = ISC_TRUE;
-				publish = activate - prepub;
-			}
-
-			if ((activate - prepub) < now)
-				fatal("Time until activation is shorter "
-				      "than the\n\tprepublication interval.");
-		}
-	} else {
-		char keystr[DST_KEY_FORMATSIZE];
-		isc_stdtime_t when;
-		int major, minor;
-
-		if (prepub == -1)
-			prepub = (30 * 86400);
-
-		if (algname != NULL)
-			fatal("-S and -a cannot be used together");
-		if (size >= 0)
-			fatal("-S and -b cannot be used together");
-		if (nametype != NULL)
-			fatal("-S and -n cannot be used together");
-		if (type != NULL)
-			fatal("-S and -t cannot be used together");
-		if (setpub || unsetpub)
-			fatal("-S and -P cannot be used together");
-		if (setact || unsetact)
-			fatal("-S and -A cannot be used together");
-		if (use_nsec3)
-			fatal("-S and -3 cannot be used together");
-		if (oldstyle)
-			fatal("-S and -C cannot be used together");
-		if (genonly)
-			fatal("-S and -G cannot be used together");
-
-		ret = dst_key_fromnamedfile(predecessor, directory,
-					    DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
-					    mctx, &prevkey);
-		if (ret != ISC_R_SUCCESS)
-			fatal("Invalid keyfile %s: %s",
-			      filename, isc_result_totext(ret));
-		if (!dst_key_isprivate(prevkey))
-			fatal("%s is not a private key", filename);
-
-		name = dst_key_name(prevkey);
-		alg = dst_key_alg(prevkey);
-		size = dst_key_size(prevkey);
-		flags = dst_key_flags(prevkey);
-
-		dst_key_format(prevkey, keystr, sizeof(keystr));
-		dst_key_getprivateformat(prevkey, &major, &minor);
-		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
-			fatal("Key %s has incompatible format version %d.%d\n\t"
-			      "It is not possible to generate a successor key.",
-			      keystr, major, minor);
-
-		ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
-		if (ret != ISC_R_SUCCESS)
-			fatal("Key %s has no activation date.\n\t"
-			      "You must use dnssec-settime -A to set one "
-			      "before generating a successor.", keystr);
-
-		ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
-		if (ret != ISC_R_SUCCESS)
-			fatal("Key %s has no inactivation date.\n\t"
-			      "You must use dnssec-settime -I to set one "
-			      "before generating a successor.", keystr);
-
-		publish = activate - prepub;
-		if (publish < now)
-			fatal("Key %s becomes inactive\n\t"
-			      "sooner than the prepublication period "
-			      "for the new key ends.\n\t"
-			      "Either change the inactivation date with "
-			      "dnssec-settime -I,\n\t"
-			      "or use the -i option to set a shorter "
-			      "prepublication interval.", keystr);
-
-		ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
-		if (ret != ISC_R_SUCCESS)
-			fprintf(stderr, "%s: WARNING: Key %s has no removal "
-					"date;\n\t it will remain in the zone "
-					"indefinitely after rollover.\n\t "
-					"You can use dnssec-settime -D to "
-					"change this.\n", program, keystr);
-
-		setpub = setact = ISC_TRUE;
-	}
-
-	switch (alg) {
-	case DNS_KEYALG_RSAMD5:
-	case DNS_KEYALG_RSASHA1:
-	case DNS_KEYALG_NSEC3RSASHA1:
-	case DNS_KEYALG_RSASHA256:
-		if (size != 0 && (size < 512 || size > MAX_RSA))
-			fatal("RSA key size %d out of range", size);
-		break;
-	case DNS_KEYALG_RSASHA512:
-		if (size != 0 && (size < 1024 || size > MAX_RSA))
-			fatal("RSA key size %d out of range", size);
-		break;
-	case DNS_KEYALG_DH:
-		if (size != 0 && (size < 128 || size > 4096))
-			fatal("DH key size %d out of range", size);
-		break;
-	case DNS_KEYALG_DSA:
-	case DNS_KEYALG_NSEC3DSA:
-		if (size != 0 && !dsa_size_ok(size))
-			fatal("invalid DSS key size: %d", size);
-		break;
-	case DST_ALG_ECCGOST:
-	case DST_ALG_ECDSA256:
-	case DST_ALG_ECDSA384:
-		break;
-	case DST_ALG_HMACMD5:
-		options |= DST_TYPE_KEY;
-		if (size < 1 || size > 512)
-			fatal("HMAC-MD5 key size %d out of range", size);
-		if (dbits != 0 && (dbits < 80 || dbits > 128))
-			fatal("HMAC-MD5 digest bits %d out of range", dbits);
-		if ((dbits % 8) != 0)
-			fatal("HMAC-MD5 digest bits %d not divisible by 8",
-			      dbits);
-		break;
-	case DST_ALG_HMACSHA1:
-		options |= DST_TYPE_KEY;
-		if (size < 1 || size > 160)
-			fatal("HMAC-SHA1 key size %d out of range", size);
-		if (dbits != 0 && (dbits < 80 || dbits > 160))
-			fatal("HMAC-SHA1 digest bits %d out of range", dbits);
-		if ((dbits % 8) != 0)
-			fatal("HMAC-SHA1 digest bits %d not divisible by 8",
-			      dbits);
-		break;
-	case DST_ALG_HMACSHA224:
-		options |= DST_TYPE_KEY;
-		if (size < 1 || size > 224)
-			fatal("HMAC-SHA224 key size %d out of range", size);
-		if (dbits != 0 && (dbits < 112 || dbits > 224))
-			fatal("HMAC-SHA224 digest bits %d out of range", dbits);
-		if ((dbits % 8) != 0)
-			fatal("HMAC-SHA224 digest bits %d not divisible by 8",
-			      dbits);
-		break;
-	case DST_ALG_HMACSHA256:
-		options |= DST_TYPE_KEY;
-		if (size < 1 || size > 256)
-			fatal("HMAC-SHA256 key size %d out of range", size);
-		if (dbits != 0 && (dbits < 128 || dbits > 256))
-			fatal("HMAC-SHA256 digest bits %d out of range", dbits);
-		if ((dbits % 8) != 0)
-			fatal("HMAC-SHA256 digest bits %d not divisible by 8",
-			      dbits);
-		break;
-	case DST_ALG_HMACSHA384:
-		options |= DST_TYPE_KEY;
-		if (size < 1 || size > 384)
-			fatal("HMAC-384 key size %d out of range", size);
-		if (dbits != 0 && (dbits < 192 || dbits > 384))
-			fatal("HMAC-SHA384 digest bits %d out of range", dbits);
-		if ((dbits % 8) != 0)
-			fatal("HMAC-SHA384 digest bits %d not divisible by 8",
-			      dbits);
-		break;
-	case DST_ALG_HMACSHA512:
-		options |= DST_TYPE_KEY;
-		if (size < 1 || size > 512)
-			fatal("HMAC-SHA512 key size %d out of range", size);
-		if (dbits != 0 && (dbits < 256 || dbits > 512))
-			fatal("HMAC-SHA512 digest bits %d out of range", dbits);
-		if ((dbits % 8) != 0)
-			fatal("HMAC-SHA512 digest bits %d not divisible by 8",
-			      dbits);
-		break;
-	}
-
-	if (alg != DNS_KEYALG_DH && generator != 0)
-		fatal("specified DH generator for a non-DH key");
-
-	if (nametype == NULL) {
-		if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
-			fatal("no nametype specified");
-		flags |= DNS_KEYOWNER_ZONE;	/* DNSKEY */
-	} else if (strcasecmp(nametype, "zone") == 0)
-		flags |= DNS_KEYOWNER_ZONE;
-	else if ((options & DST_TYPE_KEY) != 0)	{ /* KEY / HMAC */
-		if (strcasecmp(nametype, "host") == 0 ||
-			 strcasecmp(nametype, "entity") == 0)
-			flags |= DNS_KEYOWNER_ENTITY;
-		else if (strcasecmp(nametype, "user") == 0)
-			flags |= DNS_KEYOWNER_USER;
-		else
-			fatal("invalid KEY nametype %s", nametype);
-	} else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
-		fatal("invalid DNSKEY nametype %s", nametype);
-
-	rdclass = strtoclass(classname);
-
-	if (directory == NULL)
-		directory = ".";
-
-	if ((options & DST_TYPE_KEY) != 0)  /* KEY / HMAC */
-		flags |= signatory;
-	else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
-		flags |= kskflag;
-		flags |= revflag;
-	}
-
-	if (protocol == -1)
-		protocol = DNS_KEYPROTO_DNSSEC;
-	else if ((options & DST_TYPE_KEY) == 0 &&
-		 protocol != DNS_KEYPROTO_DNSSEC)
-		fatal("invalid DNSKEY protocol: %d", protocol);
-
-	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
-		if (size > 0)
-			fatal("specified null key with non-zero size");
-		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
-			fatal("specified null key with signing authority");
-	}
-
-	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
-	    (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5 ||
-	     alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 ||
-	     alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 ||
-	     alg == DST_ALG_HMACSHA512))
-		fatal("a key with algorithm '%s' cannot be a zone key",
-		      algname);
-
-	switch(alg) {
-	case DNS_KEYALG_RSAMD5:
-	case DNS_KEYALG_RSASHA1:
-	case DNS_KEYALG_NSEC3RSASHA1:
-	case DNS_KEYALG_RSASHA256:
-	case DNS_KEYALG_RSASHA512:
-		show_progress = ISC_TRUE;
-		break;
-
-	case DNS_KEYALG_DH:
-		param = generator;
-		break;
-
-	case DNS_KEYALG_DSA:
-	case DNS_KEYALG_NSEC3DSA:
-	case DST_ALG_ECCGOST:
-	case DST_ALG_ECDSA256:
-	case DST_ALG_ECDSA384:
-		show_progress = ISC_TRUE;
-		/* fall through */
-
-	case DST_ALG_HMACMD5:
-	case DST_ALG_HMACSHA1:
-	case DST_ALG_HMACSHA224:
-	case DST_ALG_HMACSHA256:
-	case DST_ALG_HMACSHA384:
-	case DST_ALG_HMACSHA512:
-		param = 0;
-		break;
-	}
-
-	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
-		null_key = ISC_TRUE;
-
-	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
-
-	do {
-		conflict = ISC_FALSE;
-
-		if (!quiet && show_progress) {
-			fprintf(stderr, "Generating key pair.");
-			ret = dst_key_generate2(name, alg, size, param, flags,
-						protocol, rdclass, mctx, &key,
-						&progress);
-			putc('\n', stderr);
-			fflush(stderr);
-		} else {
-			ret = dst_key_generate2(name, alg, size, param, flags,
-						protocol, rdclass, mctx, &key,
-						NULL);
-		}
-
-		isc_entropy_stopcallbacksources(ectx);
-
-		if (ret != ISC_R_SUCCESS) {
-			char namestr[DNS_NAME_FORMATSIZE];
-			char algstr[DNS_SECALG_FORMATSIZE];
-			dns_name_format(name, namestr, sizeof(namestr));
-			dns_secalg_format(alg, algstr, sizeof(algstr));
-			fatal("failed to generate key %s/%s: %s\n",
-			      namestr, algstr, isc_result_totext(ret));
-			/* NOTREACHED */
-			exit(-1);
-		}
-
-		dst_key_setbits(key, dbits);
-
-		/*
-		 * Set key timing metadata (unless using -C)
-		 *
-		 * Creation date is always set to "now".
-		 *
-		 * For a new key without an explicit predecessor, publish
-		 * and activation dates are set to "now" by default, but
-		 * can both be overridden.
-		 *
-		 * For a successor key, activation is set to match the
-		 * predecessor's inactivation date.  Publish is set to 30
-		 * days earlier than that (XXX: this should be configurable).
-		 * If either of the resulting dates are in the past, that's
-		 * an error; the inactivation date of the predecessor key
-		 * must be updated before a successor key can be created.
-		 */
-		if (!oldstyle) {
-			dst_key_settime(key, DST_TIME_CREATED, now);
-
-			if (genonly && (setpub || setact))
-				fatal("cannot use -G together with "
-				      "-P or -A options");
-
-			if (setpub)
-				dst_key_settime(key, DST_TIME_PUBLISH, publish);
-			else if (setact)
-				dst_key_settime(key, DST_TIME_PUBLISH,
-						activate);
-			else if (!genonly && !unsetpub)
-				dst_key_settime(key, DST_TIME_PUBLISH, now);
-
-			if (setact)
-				dst_key_settime(key, DST_TIME_ACTIVATE,
-						activate);
-			else if (!genonly && !unsetact)
-				dst_key_settime(key, DST_TIME_ACTIVATE, now);
-
-			if (setrev) {
-				if (kskflag == 0)
-					fprintf(stderr, "%s: warning: Key is "
-						"not flagged as a KSK, but -R "
-						"was used. Revoking a ZSK is "
-						"legal, but undefined.\n",
-						program);
-				dst_key_settime(key, DST_TIME_REVOKE, revoke);
-			}
-
-			if (setinact)
-				dst_key_settime(key, DST_TIME_INACTIVE,
-						inactive);
-
-			if (setdel) {
-				if (setinact && delete < inactive)
-					fprintf(stderr, "%s: warning: Key is "
-						"scheduled to be deleted "
-						"before it is scheduled to be "
-						"made inactive.\n",
-						program);
-				dst_key_settime(key, DST_TIME_DELETE, delete);
-			}
-		} else {
-			if (setpub || setact || setrev || setinact ||
-			    setdel || unsetpub || unsetact ||
-			    unsetrev || unsetinact || unsetdel || genonly)
-				fatal("cannot use -C together with "
-				      "-P, -A, -R, -I, -D, or -G options");
-			/*
-			 * Compatibility mode: Private-key-format
-			 * should be set to 1.2.
-			 */
-			dst_key_setprivateformat(key, 1, 2);
-		}
-
-		/* Set the default key TTL */
-		if (setttl)
-			dst_key_setttl(key, ttl);
-
-		/*
-		 * Do not overwrite an existing key, or create a key
-		 * if there is a risk of ID collision due to this key
-		 * or another key being revoked.
-		 */
-		if (key_collision(key, name, directory, mctx, NULL)) {
-			conflict = ISC_TRUE;
-			if (null_key) {
-				dst_key_free(&key);
-				break;
-			}
-
-			if (verbose > 0) {
-				isc_buffer_clear(&buf);
-				ret = dst_key_buildfilename(key, 0,
-							    directory, &buf);
-				if (ret == ISC_R_SUCCESS)
-					fprintf(stderr,
-						"%s: %s already exists, or "
-						"might collide with another "
-						"key upon revokation.  "
-						"Generating a new key\n",
-						program, filename);
-			}
-
-			dst_key_free(&key);
-		}
-	} while (conflict == ISC_TRUE);
-
-	if (conflict)
-		fatal("cannot generate a null key due to possible key ID "
-		      "collision");
-
-	ret = dst_key_tofile(key, options, directory);
-	if (ret != ISC_R_SUCCESS) {
-		char keystr[DST_KEY_FORMATSIZE];
-		dst_key_format(key, keystr, sizeof(keystr));
-		fatal("failed to write key %s: %s\n", keystr,
-		      isc_result_totext(ret));
-	}
-
-	isc_buffer_clear(&buf);
-	ret = dst_key_buildfilename(key, 0, NULL, &buf);
-	if (ret != ISC_R_SUCCESS)
-		fatal("dst_key_buildfilename returned: %s\n",
-		      isc_result_totext(ret));
-	printf("%s\n", filename);
-	dst_key_free(&key);
-	if (prevkey != NULL)
-		dst_key_free(&prevkey);
-
-	cleanup_logging(&log);
-	cleanup_entropy(&ectx);
-	dst_lib_destroy();
-	dns_name_destroy();
-	if (verbose > 10)
-		isc_mem_stats(mctx, stdout);
-	isc_mem_destroy(&mctx);
-
-	if (freeit != NULL)
-		free(freeit);
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
deleted file mode 100644
index bc50c02..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
+++ /dev/null
@@ -1,623 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007-2012  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-keygen.docbook,v 1.38 2011/03/17 23:47:29 tbox Exp $ -->
-<refentry id="man.dnssec-keygen">
-  <refentryinfo>
-    <date>June 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-keygen</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-keygen</application></refname>
-    <refpurpose>DNSSEC key generation tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2012</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dnssec-keygen</command>
-      <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
-      <arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
-      <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
-      <arg><option>-3</option></arg>
-      <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-C</option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
-      <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
-      <arg><option>-G</option></arg>
-      <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
-      <arg><option>-h</option></arg>
-      <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
-      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg><option>-k</option></arg>
-      <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
-      <arg><option>-q</option></arg>
-      <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
-      <arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
-      <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
-      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg><option>-z</option></arg>
-      <arg choice="req">name</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>dnssec-keygen</command>
-      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
-      and RFC 4034.  It can also generate keys for use with
-      TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
-      (Transaction Key) as defined in RFC 2930.
-    </para>
-    <para>
-      The <option>name</option> of the key is specified on the command
-      line.  For DNSSEC keys, this must match the name of the zone for
-      which the key is being generated.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
-        <listitem>
-          <para>
-            Selects the cryptographic algorithm.  For DNSSEC keys, the value
-            of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
-	    For TSIG/TKEY, the value must
-            be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
-            HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
-            case insensitive.
-          </para>
-          <para>
-            If no algorithm is specified, then RSASHA1 will be used by
-            default, unless the <option>-3</option> option is specified,
-            in which case NSEC3RSASHA1 will be used instead.  (If
-            <option>-3</option> is used and an algorithm is specified,
-            that algorithm will be checked for compatibility with NSEC3.)
-          </para>
-          <para>
-            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
-            algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
-	    mandatory.
-          </para>
-          <para>
-            Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
-            automatically set the -T KEY option.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-b <replaceable class="parameter">keysize</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the number of bits in the key.  The choice of key
-            size depends on the algorithm used.  RSA keys must be
-            between 512 and 2048 bits.  Diffie Hellman keys must be between
-            128 and 4096 bits.  DSA keys must be between 512 and 1024
-            bits and an exact multiple of 64.  HMAC keys must be
-            between 1 and 512 bits. Elliptic curve algorithms don't need
-            this parameter.
-          </para>
-          <para>
-            The key size does not need to be specified if using a default
-            algorithm.  The default key size is 1024 bits for zone signing
-            keys (ZSK's) and 2048 bits for key signing keys (KSK's,
-            generated with <option>-f KSK</option>).  However, if an
-            algorithm is explicitly specified with the <option>-a</option>,
-            then there is no default key size, and the <option>-b</option>
-            must be used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-n <replaceable class="parameter">nametype</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the owner type of the key.  The value of
-            <option>nametype</option> must either be ZONE (for a DNSSEC
-            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
-            a host (KEY)),
-            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are case insensitive.  Defaults to ZONE for DNSKEY
-	    generation.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-3</term>
-        <listitem>
-          <para>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-            If this option is used and no algorithm is explicitly
-            set on the command line, NSEC3RSASHA1 will be used by
-            default. Note that RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
-	    are NSEC3-capable.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-C</term>
-        <listitem>
-          <para>
-	    Compatibility mode:  generates an old-style key, without
-	    any metadata.  By default, <command>dnssec-keygen</command>
-	    will include the key's creation date in the metadata stored
-	    with the private key, and other dates may be set there as well
-	    (publication date, activation date, etc).  Keys that include
-	    this data may be incompatible with older versions of BIND; the
-	    <option>-C</option> option suppresses them.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">class</replaceable></term>
-        <listitem>
-          <para>
-            Indicates that the DNS record containing the key should have
-            the specified class.  If not specified, class IN is used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-E <replaceable class="parameter">engine</replaceable></term>
-        <listitem>
-          <para>
-            Uses a crypto hardware (OpenSSL engine) for random number
-            and, when supported, key generation. When compiled with PKCS#11
-            support it defaults to pkcs11; the empty name resets it to
-            no engine.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-f <replaceable class="parameter">flag</replaceable></term>
-        <listitem>
-          <para>
-            Set the specified flag in the flag field of the KEY/DNSKEY record.
-            The only recognized flags are KSK (Key Signing Key) and REVOKE.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-G</term>
-        <listitem>
-          <para>
-            Generate a key, but do not publish it or sign with it.  This
-            option is incompatible with -P and -A.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-g <replaceable class="parameter">generator</replaceable></term>
-        <listitem>
-          <para>
-            If generating a Diffie Hellman key, use this generator.
-            Allowed values are 2 and 5.  If no generator
-            is specified, a known prime from RFC 2539 will be used
-            if possible; otherwise the default is 2.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-h</term>
-        <listitem>
-          <para>
-            Prints a short summary of the options and arguments to
-            <command>dnssec-keygen</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-K <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Sets the directory in which the key files are to be written.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-k</term>
-        <listitem>
-          <para>
-            Deprecated in favor of -T KEY.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-L <replaceable class="parameter">ttl</replaceable></term>
-        <listitem>
-          <para>
-            Sets the default TTL to use for this key when it is converted
-            into a DNSKEY RR.  If the key is imported into a zone,
-            this is the TTL that will be used for it, unless there was
-            already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <literal>0</literal> or <literal>none</literal> removes it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p <replaceable class="parameter">protocol</replaceable></term>
-        <listitem>
-          <para>
-            Sets the protocol value for the generated key.  The protocol
-            is a number between 0 and 255.  The default is 3 (DNSSEC).
-            Other possible values for this argument are listed in
-            RFC 2535 and its successors.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-q</term>
-        <listitem>
-          <para>
-            Quiet mode: Suppresses unnecessary output, including
-            progress indication.  Without this option, when
-            <command>dnssec-keygen</command> is run interactively
-            to generate an RSA or DSA key pair, it will print a string
-            of symbols to <filename>stderr</filename> indicating the
-            progress of the key generation.  A '.' indicates that a
-            random number has been found which passed an initial
-            sieve test; '+' means a number has passed a single
-            round of the Miller-Rabin primality test; a space
-            means that the number has passed all the tests and is
-            a satisfactory key.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the source of randomness.  If the operating
-            system does not provide a <filename>/dev/random</filename>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <filename>randomdev</filename>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <filename>keyboard</filename> indicates that keyboard
-            input should be used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-S <replaceable class="parameter">key</replaceable></term>
-        <listitem>
-          <para>
-            Create a new key which is an explicit successor to an
-            existing key.  The name, algorithm, size, and type of the
-            key will be set to match the existing key.  The activation
-            date of the new key will be set to the inactivation date of
-            the existing one.  The publication date will be set to the
-            activation date minus the prepublication interval, which
-            defaults to 30 days.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s <replaceable class="parameter">strength</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the strength value of the key.  The strength is
-            a number between 0 and 15, and currently has no defined
-            purpose in DNSSEC.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-T <replaceable class="parameter">rrtype</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the resource record type to use for the key.
-            <option>rrtype</option> must be either DNSKEY or KEY.  The
-            default is DNSKEY when using a DNSSEC algorithm, but it can be
-            overridden to KEY for use with SIG(0).
-          <para>
-          </para>
-            Using any TSIG algorithm (HMAC-* or DH) forces this option
-            to KEY.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">type</replaceable></term>
-        <listitem>
-          <para>
-            Indicates the use of the key.  <option>type</option> must be
-            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-            is AUTHCONF.  AUTH refers to the ability to authenticate
-            data, and CONF the ability to encrypt data.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-        <listitem>
-          <para>
-            Sets the debugging level.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>TIMING OPTIONS</title>
-
-    <para>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.
-    </para>
-
-    <variablelist>
-      <varlistentry>
-        <term>-P <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which a key is to be published to the zone.
-            After that date, the key will be included in the zone but will
-            not be used to sign it.  If not set, and if the -G option has
-            not been used, the default is "now".
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-A <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be activated.  After that
-            date, the key will be included in the zone and used to sign
-            it.  If not set, and if the -G option has not been used, the
-            default is "now".
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-R <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be revoked.  After that
-            date, the key will be flagged as revoked.  It will be included
-            in the zone and will be used to sign it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-I <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be retired.  After that
-            date, the key will still be included in the zone, but it
-            will not be used to sign it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-D <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be deleted.  After that
-            date, the key will no longer be included in the zone.  (It
-            may remain in the key repository, however.)
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-i <replaceable class="parameter">interval</replaceable></term>
-        <listitem>
-          <para>
-            Sets the prepublication interval for a key.  If set, then
-            the publication and activation dates must be separated by at least
-            this much time.  If the activation date is specified but the
-            publication date isn't, then the publication date will default
-            to this much time before the activation date; conversely, if
-            the publication date is specified but activation date isn't,
-            then activation will be set to this much time after publication.
-          </para>
-          <para>
-            If the key is being created as an explicit successor to another
-            key, then the default prepublication interval is 30 days; 
-            otherwise it is zero.
-          </para>
-          <para>
-            As with date offsets, if the argument is followed by one of
-            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
-            interval is measured in years, months, weeks, days, hours,
-            or minutes, respectively.  Without a suffix, the interval is
-            measured in seconds.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-
-  <refsect1>
-    <title>GENERATED KEYS</title>
-    <para>
-      When <command>dnssec-keygen</command> completes
-      successfully,
-      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
-      to the standard output.  This is an identification string for
-      the key it has generated.
-    </para>
-    <itemizedlist>
-      <listitem>
-        <para><filename>nnnn</filename> is the key name.
-        </para>
-      </listitem>
-      <listitem>
-        <para><filename>aaa</filename> is the numeric representation
-          of the
-          algorithm.
-        </para>
-      </listitem>
-      <listitem>
-        <para><filename>iiiii</filename> is the key identifier (or
-          footprint).
-        </para>
-      </listitem>
-    </itemizedlist>
-    <para><command>dnssec-keygen</command> 
-      creates two files, with names based
-      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
-      contains the public key, and
-      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
-      private
-      key.
-    </para>
-    <para>
-      The <filename>.key</filename> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
-    </para>
-    <para>
-      The <filename>.private</filename> file contains
-      algorithm-specific
-      fields.  For obvious security reasons, this file does not have
-      general read permission.
-    </para>
-    <para>
-      Both <filename>.key</filename> and <filename>.private</filename>
-      files are generated for symmetric encryption algorithms such as
-      HMAC-MD5, even though the public and private key are equivalent.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>EXAMPLE</title>
-    <para>
-      To generate a 768-bit DSA key for the domain
-      <userinput>example.com</userinput>, the following command would be
-      issued:
-    </para>
-    <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
-    </para>
-    <para>
-      The command would print a string of the form:
-    </para>
-    <para><userinput>Kexample.com.+003+26160</userinput>
-    </para>
-    <para>
-      In this example, <command>dnssec-keygen</command> creates
-      the files <filename>Kexample.com.+003+26160.key</filename>
-      and
-      <filename>Kexample.com.+003+26160.private</filename>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 2539</citetitle>,
-      <citetitle>RFC 2845</citetitle>,
-      <citetitle>RFC 4034</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html
deleted file mode 100644
index ecf512b..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.html
+++ /dev/null
@@ -1,411 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007-2012 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543590"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-keygen</strong></span>
-      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
-      and RFC 4034.  It can also generate keys for use with
-      TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
-      (Transaction Key) as defined in RFC 2930.
-    </p>
-<p>
-      The <code class="option">name</code> of the key is specified on the command
-      line.  For DNSSEC keys, this must match the name of the zone for
-      which the key is being generated.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543608"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-<p>
-            Selects the cryptographic algorithm.  For DNSSEC keys, the value
-            of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
-	    For TSIG/TKEY, the value must
-            be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
-            HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
-            case insensitive.
-          </p>
-<p>
-            If no algorithm is specified, then RSASHA1 will be used by
-            default, unless the <code class="option">-3</code> option is specified,
-            in which case NSEC3RSASHA1 will be used instead.  (If
-            <code class="option">-3</code> is used and an algorithm is specified,
-            that algorithm will be checked for compatibility with NSEC3.)
-          </p>
-<p>
-            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
-            algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
-	    mandatory.
-          </p>
-<p>
-            Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
-            automatically set the -T KEY option.
-          </p>
-</dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
-<p>
-            Specifies the number of bits in the key.  The choice of key
-            size depends on the algorithm used.  RSA keys must be
-            between 512 and 2048 bits.  Diffie Hellman keys must be between
-            128 and 4096 bits.  DSA keys must be between 512 and 1024
-            bits and an exact multiple of 64.  HMAC keys must be
-            between 1 and 512 bits. Elliptic curve algorithms don't need
-            this parameter.
-          </p>
-<p>
-            The key size does not need to be specified if using a default
-            algorithm.  The default key size is 1024 bits for zone signing
-            keys (ZSK's) and 2048 bits for key signing keys (KSK's,
-            generated with <code class="option">-f KSK</code>).  However, if an
-            algorithm is explicitly specified with the <code class="option">-a</code>,
-            then there is no default key size, and the <code class="option">-b</code>
-            must be used.
-          </p>
-</dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd><p>
-            Specifies the owner type of the key.  The value of
-            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
-            a host (KEY)),
-            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are case insensitive.  Defaults to ZONE for DNSKEY
-	    generation.
-          </p></dd>
-<dt><span class="term">-3</span></dt>
-<dd><p>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-            If this option is used and no algorithm is explicitly
-            set on the command line, NSEC3RSASHA1 will be used by
-            default. Note that RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
-	    are NSEC3-capable.
-          </p></dd>
-<dt><span class="term">-C</span></dt>
-<dd><p>
-	    Compatibility mode:  generates an old-style key, without
-	    any metadata.  By default, <span><strong class="command">dnssec-keygen</strong></span>
-	    will include the key's creation date in the metadata stored
-	    with the private key, and other dates may be set there as well
-	    (publication date, activation date, etc).  Keys that include
-	    this data may be incompatible with older versions of BIND; the
-	    <code class="option">-C</code> option suppresses them.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Indicates that the DNS record containing the key should have
-            the specified class.  If not specified, class IN is used.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Uses a crypto hardware (OpenSSL engine) for random number
-            and, when supported, key generation. When compiled with PKCS#11
-            support it defaults to pkcs11; the empty name resets it to
-            no engine.
-          </p></dd>
-<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
-            Set the specified flag in the flag field of the KEY/DNSKEY record.
-            The only recognized flags are KSK (Key Signing Key) and REVOKE.
-          </p></dd>
-<dt><span class="term">-G</span></dt>
-<dd><p>
-            Generate a key, but do not publish it or sign with it.  This
-            option is incompatible with -P and -A.
-          </p></dd>
-<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
-<dd><p>
-            If generating a Diffie Hellman key, use this generator.
-            Allowed values are 2 and 5.  If no generator
-            is specified, a known prime from RFC 2539 will be used
-            if possible; otherwise the default is 2.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Prints a short summary of the options and arguments to
-            <span><strong class="command">dnssec-keygen</strong></span>.
-          </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Sets the directory in which the key files are to be written.
-          </p></dd>
-<dt><span class="term">-k</span></dt>
-<dd><p>
-            Deprecated in favor of -T KEY.
-          </p></dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
-            Sets the default TTL to use for this key when it is converted
-            into a DNSKEY RR.  If the key is imported into a zone,
-            this is the TTL that will be used for it, unless there was
-            already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <code class="literal">0</code> or <code class="literal">none</code> removes it.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd><p>
-            Sets the protocol value for the generated key.  The protocol
-            is a number between 0 and 255.  The default is 3 (DNSSEC).
-            Other possible values for this argument are listed in
-            RFC 2535 and its successors.
-          </p></dd>
-<dt><span class="term">-q</span></dt>
-<dd><p>
-            Quiet mode: Suppresses unnecessary output, including
-            progress indication.  Without this option, when
-            <span><strong class="command">dnssec-keygen</strong></span> is run interactively
-            to generate an RSA or DSA key pair, it will print a string
-            of symbols to <code class="filename">stderr</code> indicating the
-            progress of the key generation.  A '.' indicates that a
-            random number has been found which passed an initial
-            sieve test; '+' means a number has passed a single
-            round of the Miller-Rabin primality test; a space
-            means that the number has passed all the tests and is
-            a satisfactory key.
-          </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
-            Specifies the source of randomness.  If the operating
-            system does not provide a <code class="filename">/dev/random</code>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <code class="filename">randomdev</code>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <code class="filename">keyboard</code> indicates that keyboard
-            input should be used.
-          </p></dd>
-<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd><p>
-            Create a new key which is an explicit successor to an
-            existing key.  The name, algorithm, size, and type of the
-            key will be set to match the existing key.  The activation
-            date of the new key will be set to the inactivation date of
-            the existing one.  The publication date will be set to the
-            activation date minus the prepublication interval, which
-            defaults to 30 days.
-          </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
-<dd><p>
-            Specifies the strength value of the key.  The strength is
-            a number between 0 and 15, and currently has no defined
-            purpose in DNSSEC.
-          </p></dd>
-<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
-<dd>
-<p>
-            Specifies the resource record type to use for the key.
-            <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
-            default is DNSKEY when using a DNSSEC algorithm, but it can be
-            overridden to KEY for use with SIG(0).
-          </p>
-<p>
-          </p>
-<p>
-            Using any TSIG algorithm (HMAC-* or DH) forces this option
-            to KEY.
-          </p>
-</dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd><p>
-            Indicates the use of the key.  <code class="option">type</code> must be
-            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-            is AUTHCONF.  AUTH refers to the ability to authenticate
-            data, and CONF the ability to encrypt data.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544187"></a><h2>TIMING OPTIONS</h2>
-<p>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which a key is to be published to the zone.
-            After that date, the key will be included in the zone but will
-            not be used to sign it.  If not set, and if the -G option has
-            not been used, the default is "now".
-          </p></dd>
-<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be activated.  After that
-            date, the key will be included in the zone and used to sign
-            it.  If not set, and if the -G option has not been used, the
-            default is "now".
-          </p></dd>
-<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be revoked.  After that
-            date, the key will be flagged as revoked.  It will be included
-            in the zone and will be used to sign it.
-          </p></dd>
-<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be retired.  After that
-            date, the key will still be included in the zone, but it
-            will not be used to sign it.
-          </p></dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be deleted.  After that
-            date, the key will no longer be included in the zone.  (It
-            may remain in the key repository, however.)
-          </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
-<p>
-            Sets the prepublication interval for a key.  If set, then
-            the publication and activation dates must be separated by at least
-            this much time.  If the activation date is specified but the
-            publication date isn't, then the publication date will default
-            to this much time before the activation date; conversely, if
-            the publication date is specified but activation date isn't,
-            then activation will be set to this much time after publication.
-          </p>
-<p>
-            If the key is being created as an explicit successor to another
-            key, then the default prepublication interval is 30 days; 
-            otherwise it is zero.
-          </p>
-<p>
-            As with date offsets, if the argument is followed by one of
-            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
-            interval is measured in years, months, weeks, days, hours,
-            or minutes, respectively.  Without a suffix, the interval is
-            measured in seconds.
-          </p>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544377"></a><h2>GENERATED KEYS</h2>
-<p>
-      When <span><strong class="command">dnssec-keygen</strong></span> completes
-      successfully,
-      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
-      to the standard output.  This is an identification string for
-      the key it has generated.
-    </p>
-<div class="itemizedlist"><ul type="disc">
-<li><p><code class="filename">nnnn</code> is the key name.
-        </p></li>
-<li><p><code class="filename">aaa</code> is the numeric representation
-          of the
-          algorithm.
-        </p></li>
-<li><p><code class="filename">iiiii</code> is the key identifier (or
-          footprint).
-        </p></li>
-</ul></div>
-<p><span><strong class="command">dnssec-keygen</strong></span> 
-      creates two files, with names based
-      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
-      contains the public key, and
-      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
-      private
-      key.
-    </p>
-<p>
-      The <code class="filename">.key</code> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
-    </p>
-<p>
-      The <code class="filename">.private</code> file contains
-      algorithm-specific
-      fields.  For obvious security reasons, this file does not have
-      general read permission.
-    </p>
-<p>
-      Both <code class="filename">.key</code> and <code class="filename">.private</code>
-      files are generated for symmetric encryption algorithms such as
-      HMAC-MD5, even though the public and private key are equivalent.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544459"></a><h2>EXAMPLE</h2>
-<p>
-      To generate a 768-bit DSA key for the domain
-      <strong class="userinput"><code>example.com</code></strong>, the following command would be
-      issued:
-    </p>
-<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
-    </p>
-<p>
-      The command would print a string of the form:
-    </p>
-<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-    </p>
-<p>
-      In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
-      the files <code class="filename">Kexample.com.+003+26160.key</code>
-      and
-      <code class="filename">Kexample.com.+003+26160.private</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544571"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 2539</em>,
-      <em class="citetitle">RFC 2845</em>,
-      <em class="citetitle">RFC 4034</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544602"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-revoke.8 b/contrib/bind9/bin/dnssec/dnssec-revoke.8
deleted file mode 100644
index 2af719e..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-revoke.8
+++ /dev/null
@@ -1,88 +0,0 @@
-.\" Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-revoke
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 1, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DNSSEC\-REVOKE" "8" "June 1, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
-.SH "SYNOPSIS"
-.HP 14
-\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] [\fB\-R\fR] {keyfile}
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-revoke\fR
-reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key.
-.SH "OPTIONS"
-.PP
-\-h
-.RS 4
-Emit usage message and exit.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Sets the directory in which the key files are to reside.
-.RE
-.PP
-\-r
-.RS 4
-After writing the new keyset files remove the original keyset files.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level.
-.RE
-.PP
-\-E \fIengine\fR
-.RS 4
-Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
-.RE
-.PP
-\-f
-.RS 4
-Force overwrite: Causes
-\fBdnssec\-revoke\fR
-to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
-.RE
-.PP
-\-R
-.RS 4
-Print the key tag of the key with the REVOKE bit set but do not revoke the key.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-keygen\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 5011.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-revoke.c b/contrib/bind9/bin/dnssec/dnssec-revoke.c
deleted file mode 100644
index 7b11581..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-revoke.c
+++ /dev/null
@@ -1,276 +0,0 @@
-/*
- * Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-revoke.c,v 1.24 2011/10/20 23:46:51 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/result.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-revoke";
-int verbose;
-
-static isc_mem_t	*mctx = NULL;
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
-	fprintf(stderr, "Version: %s\n", VERSION);
-#ifdef USE_PKCS11
-	fprintf(stderr, "    -E engine:    specify OpenSSL engine "
-					   "(default \"pkcs11\")\n");
-#else
-	fprintf(stderr, "    -E engine:    specify OpenSSL engine\n");
-#endif
-	fprintf(stderr, "    -f:	   force overwrite\n");
-	fprintf(stderr, "    -K directory: use directory for key files\n");
-	fprintf(stderr, "    -h:	   help\n");
-	fprintf(stderr, "    -r:	   remove old keyfiles after "
-					   "creating revoked version\n");
-	fprintf(stderr, "    -v level:	   set level of verbosity\n");
-	fprintf(stderr, "Output:\n");
-	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
-			     "K<name>+<alg>+<new id>.private\n");
-
-	exit (-1);
-}
-
-int
-main(int argc, char **argv) {
-	isc_result_t result;
-#ifdef USE_PKCS11
-	const char *engine = "pkcs11";
-#else
-	const char *engine = NULL;
-#endif
-	char *filename = NULL, *dir = NULL;
-	char newname[1024], oldname[1024];
-	char keystr[DST_KEY_FORMATSIZE];
-	char *endp;
-	int ch;
-	isc_entropy_t *ectx = NULL;
-	dst_key_t *key = NULL;
-	isc_uint32_t flags;
-	isc_buffer_t buf;
-	isc_boolean_t force = ISC_FALSE;
-	isc_boolean_t remove = ISC_FALSE;
-	isc_boolean_t id = ISC_FALSE;
-
-	if (argc == 1)
-		usage();
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		fatal("Out of memory");
-
-	dns_result_register();
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:")) != -1) {
-		switch (ch) {
-		    case 'E':
-			engine = isc_commandline_argument;
-			break;
-		    case 'f':
-			force = ISC_TRUE;
-			break;
-		    case 'K':
-			/*
-			 * We don't have to copy it here, but do it to
-			 * simplify cleanup later
-			 */
-			dir = isc_mem_strdup(mctx, isc_commandline_argument);
-			if (dir == NULL) {
-				fatal("Failed to allocate memory for "
-				      "directory");
-			}
-			break;
-		    case 'r':
-			remove = ISC_TRUE;
-			break;
-		    case 'R':
-			id = ISC_TRUE;
-			break;
-		    case 'v':
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("-v must be followed by a number");
-			break;
-		    case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			/* Falls into */
-		    case 'h':
-			usage();
-
-		    default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (argc < isc_commandline_index + 1 ||
-	    argv[isc_commandline_index] == NULL)
-		fatal("The key file name was not specified");
-	if (argc > isc_commandline_index + 1)
-		fatal("Extraneous arguments");
-
-	if (dir != NULL) {
-		filename = argv[isc_commandline_index];
-	} else {
-		result = isc_file_splitpath(mctx, argv[isc_commandline_index],
-					    &dir, &filename);
-		if (result != ISC_R_SUCCESS)
-			fatal("cannot process filename %s: %s",
-			      argv[isc_commandline_index],
-			      isc_result_totext(result));
-		if (strcmp(dir, ".") == 0) {
-			isc_mem_free(mctx, dir);
-			dir = NULL;
-		}
-	}
-
-	if (ectx == NULL)
-		setup_entropy(mctx, NULL, &ectx);
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		fatal("Could not initialize hash");
-	result = dst_lib_init2(mctx, ectx, engine,
-			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
-	if (result != ISC_R_SUCCESS)
-		fatal("Could not initialize dst: %s",
-		      isc_result_totext(result));
-	isc_entropy_stopcallbacksources(ectx);
-
-	result = dst_key_fromnamedfile(filename, dir,
-				       DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
-				       mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		fatal("Invalid keyfile name %s: %s",
-		      filename, isc_result_totext(result));
-
-	if (id) {
-		fprintf(stdout, "%u\n", dst_key_rid(key));
-		goto cleanup;
-	}
-	dst_key_format(key, keystr, sizeof(keystr));
-
-	if (verbose > 2)
-		fprintf(stderr, "%s: %s\n", program, keystr);
-
-	if (force)
-		set_keyversion(key);
-	else
-		check_keyversion(key, keystr);
-
-
-	flags = dst_key_flags(key);
-	if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
-		isc_stdtime_t now;
-
-		if ((flags & DNS_KEYFLAG_KSK) == 0)
-			fprintf(stderr, "%s: warning: Key is not flagged "
-					"as a KSK. Revoking a ZSK is "
-					"legal, but undefined.\n",
-					program);
-
-		isc_stdtime_get(&now);
-		dst_key_settime(key, DST_TIME_REVOKE, now);
-
-		dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
-
-		isc_buffer_init(&buf, newname, sizeof(newname));
-		dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
-
-		if (access(newname, F_OK) == 0 && !force) {
-			fatal("Key file %s already exists; "
-			      "use -f to force overwrite", newname);
-		}
-
-		result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
-					dir);
-		if (result != ISC_R_SUCCESS) {
-			dst_key_format(key, keystr, sizeof(keystr));
-			fatal("Failed to write key %s: %s", keystr,
-			      isc_result_totext(result));
-		}
-
-		isc_buffer_clear(&buf);
-		dst_key_buildfilename(key, 0, dir, &buf);
-		printf("%s\n", newname);
-
-		/*
-		 * Remove old key file, if told to (and if
-		 * it isn't the same as the new file)
-		 */
-		if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
-			isc_buffer_init(&buf, oldname, sizeof(oldname));
-			dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
-			dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
-			if (strcmp(oldname, newname) == 0)
-				goto cleanup;
-			if (access(oldname, F_OK) == 0)
-				unlink(oldname);
-			isc_buffer_clear(&buf);
-			dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
-			if (access(oldname, F_OK) == 0)
-				unlink(oldname);
-		}
-	} else {
-		dst_key_format(key, keystr, sizeof(keystr));
-		fatal("Key %s is already revoked", keystr);
-	}
-
-cleanup:
-	dst_key_free(&key);
-	dst_lib_destroy();
-	isc_hash_destroy();
-	cleanup_entropy(&ectx);
-	if (verbose > 10)
-		isc_mem_stats(mctx, stdout);
-	if (dir != NULL)
-		isc_mem_free(mctx, dir);
-	isc_mem_destroy(&mctx);
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-revoke.docbook b/contrib/bind9/bin/dnssec/dnssec-revoke.docbook
deleted file mode 100644
index 4062f5e..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-revoke.docbook
+++ /dev/null
@@ -1,161 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-               [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-revoke.docbook,v 1.9 2011/10/20 23:46:51 tbox Exp $ -->
-<refentry id="man.dnssec-revoke">
-  <refentryinfo>
-    <date>June 1, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-revoke</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-revoke</application></refname>
-    <refpurpose>Set the REVOKED bit on a DNSSEC key</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2009</year>
-      <year>2011</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dnssec-revoke</command>
-      <arg><option>-hr</option></arg>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
-      <arg><option>-f</option></arg>
-      <arg><option>-R</option></arg>
-      <arg choice="req">keyfile</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>dnssec-revoke</command>
-      reads a DNSSEC key file, sets the REVOKED bit on the key as defined
-      in RFC 5011, and creates a new pair of key files containing the
-      now-revoked key.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-	<term>-h</term>
-        <listitem>
-	  <para>
-	    Emit usage message and exit.
-	  </para>
-        </listitem>
-      </varlistentry>
-  
-      <varlistentry>
-        <term>-K <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Sets the directory in which the key files are to reside.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-r</term>
-        <listitem>
-	  <para>
-	    After writing the new keyset files remove the original keyset
-	    files.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-        <listitem>
-          <para>
-            Sets the debugging level.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-E <replaceable class="parameter">engine</replaceable></term>
-        <listitem>
-          <para>
-            Use the given OpenSSL engine. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-f</term>
-        <listitem>
-          <para>
-            Force overwrite: Causes <command>dnssec-revoke</command> to
-            write the new key pair even if a file already exists matching
-            the algorithm and key ID of the revoked key.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-R</term>
-        <listitem>
-          <para>
-	    Print the key tag of the key with the REVOKE bit set but do
-	    not revoke the key.
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 5011</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-revoke.html b/contrib/bind9/bin/dnssec/dnssec-revoke.html
deleted file mode 100644
index b3b71b9..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-revoke.html
+++ /dev/null
@@ -1,92 +0,0 @@
-<!--
- - Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-revoke</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-revoke</span> &#8212; Set the REVOKED bit on a DNSSEC key</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code>  [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543382"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-revoke</strong></span>
-      reads a DNSSEC key file, sets the REVOKED bit on the key as defined
-      in RFC 5011, and creates a new pair of key files containing the
-      now-revoked key.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543394"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	    Emit usage message and exit.
-	  </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Sets the directory in which the key files are to reside.
-          </p></dd>
-<dt><span class="term">-r</span></dt>
-<dd><p>
-	    After writing the new keyset files remove the original keyset
-	    files.
-	  </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Use the given OpenSSL engine. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
-          </p></dd>
-<dt><span class="term">-f</span></dt>
-<dd><p>
-            Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
-            write the new key pair even if a file already exists matching
-            the algorithm and key ID of the revoked key.
-          </p></dd>
-<dt><span class="term">-R</span></dt>
-<dd><p>
-	    Print the key tag of the key with the REVOKE bit set but do
-	    not revoke the key.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543512"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 5011</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543537"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.8 b/contrib/bind9/bin/dnssec/dnssec-settime.8
deleted file mode 100644
index 7c0c3b2..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-settime.8
+++ /dev/null
@@ -1,175 +0,0 @@
-.\" Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-settime
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: July 15, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DNSSEC\-SETTIME" "8" "July 15, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-settime \- Set the key timing metadata for a DNSSEC key
-.SH "SYNOPSIS"
-.HP 15
-\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-settime\fR
-reads a DNSSEC private key file and sets the key timing metadata as specified by the
-\fB\-P\fR,
-\fB\-A\fR,
-\fB\-R\fR,
-\fB\-I\fR, and
-\fB\-D\fR
-options. The metadata can then be used by
-\fBdnssec\-signzone\fR
-or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc.
-.PP
-If none of these options is set on the command line, then
-\fBdnssec\-settime\fR
-simply prints the key timing metadata already stored in the key.
-.PP
-When key metadata fields are changed, both files of a key pair (\fIKnnnn.+aaa+iiiii.key\fR
-and
-\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).
-.SH "OPTIONS"
-.PP
-\-f
-.RS 4
-Force an update of an old\-format key with no metadata fields. Without this option,
-\fBdnssec\-settime\fR
-will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Sets the directory in which the key files are to reside.
-.RE
-.PP
-\-L \fIttl\fR
-.RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
-0
-or
-none
-removes it.
-.RE
-.PP
-\-h
-.RS 4
-Emit usage message and exit.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level.
-.RE
-.PP
-\-E \fIengine\fR
-.RS 4
-Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
-.RE
-.SH "TIMING OPTIONS"
-.PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.
-.PP
-\-P \fIdate/offset\fR
-.RS 4
-Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
-.RE
-.PP
-\-A \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it.
-.RE
-.PP
-\-R \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
-.RE
-.PP
-\-I \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
-.RE
-.PP
-\-D \fIdate/offset\fR
-.RS 4
-Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
-.RE
-.PP
-\-S \fIpredecessor key\fR
-.RS 4
-Select a key for which the key being modified will be an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified. The activation date of the successor key will be set to the inactivation date of the predecessor. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
-.RE
-.PP
-\-i \fIinterval\fR
-.RS 4
-Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
-.sp
-If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
-.sp
-As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
-.RE
-.SH "PRINTING OPTIONS"
-.PP
-\fBdnssec\-settime\fR
-can also be used to print the timing metadata associated with a key.
-.PP
-\-u
-.RS 4
-Print times in UNIX epoch format.
-.RE
-.PP
-\-p \fIC/P/A/R/I/D/all\fR
-.RS 4
-Print a specific metadata value or set of metadata values. The
-\fB\-p\fR
-option may be followed by one or more of the following letters to indicate which value or values to print:
-\fBC\fR
-for the creation date,
-\fBP\fR
-for the publication date,
-\fBA\fR
-for the activation date,
-\fBR\fR
-for the revocation date,
-\fBI\fR
-for the inactivation date, or
-\fBD\fR
-for the deletion date. To print all of the metadata, use
-\fB\-p all\fR.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-keygen\fR(8),
-\fBdnssec\-signzone\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 5011.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2009\-2011 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.c b/contrib/bind9/bin/dnssec/dnssec-settime.c
deleted file mode 100644
index 4c88a07..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-settime.c
+++ /dev/null
@@ -1,624 +0,0 @@
-/*
- * Copyright (C) 2009-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-settime.c,v 1.32 2011/06/02 20:24:45 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <unistd.h>
-#include <errno.h>
-#include <time.h>
-
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/result.h>
-#include <dns/log.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-settime";
-int verbose;
-
-static isc_mem_t	*mctx = NULL;
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
-	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "General options:\n");
-#ifdef USE_PKCS11
-	fprintf(stderr, "    -E engine:          specify OpenSSL engine "
-						 "(default \"pkcs11\")\n");
-#else
-	fprintf(stderr, "    -E engine:          specify OpenSSL engine\n");
-#endif
-	fprintf(stderr, "    -f:                 force update of old-style "
-						 "keys\n");
-	fprintf(stderr, "    -K directory:       set key file location\n");
-	fprintf(stderr, "    -L ttl:             set default key TTL\n");
-	fprintf(stderr, "    -v level:           set level of verbosity\n");
-	fprintf(stderr, "    -h:                 help\n");
-	fprintf(stderr, "Timing options:\n");
-	fprintf(stderr, "    -P date/[+-]offset/none: set/unset key "
-						     "publication date\n");
-	fprintf(stderr, "    -A date/[+-]offset/none: set/unset key "
-						     "activation date\n");
-	fprintf(stderr, "    -R date/[+-]offset/none: set/unset key "
-						     "revocation date\n");
-	fprintf(stderr, "    -I date/[+-]offset/none: set/unset key "
-						     "inactivation date\n");
-	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
-						     "deletion date\n");
-	fprintf(stderr, "Printing options:\n");
-	fprintf(stderr, "    -p C/P/A/R/I/D/all: print a particular time "
-						"value or values\n");
-	fprintf(stderr, "    -u:                 print times in unix epoch "
-						"format\n");
-	fprintf(stderr, "Output:\n");
-	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
-			     "K<name>+<alg>+<new id>.private\n");
-
-	exit (-1);
-}
-
-static void
-printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
-	  FILE *stream)
-{
-	isc_result_t result;
-	const char *output = NULL;
-	isc_stdtime_t when;
-
-	if (tag != NULL)
-		fprintf(stream, "%s: ", tag);
-
-	result = dst_key_gettime(key, type, &when);
-	if (result == ISC_R_NOTFOUND) {
-		fprintf(stream, "UNSET\n");
-	} else if (epoch) {
-		fprintf(stream, "%d\n", (int) when);
-	} else {
-		time_t time = when;
-		output = ctime(&time);
-		fprintf(stream, "%s", output);
-	}
-}
-
-int
-main(int argc, char **argv) {
-	isc_result_t	result;
-#ifdef USE_PKCS11
-	const char	*engine = "pkcs11";
-#else
-	const char	*engine = NULL;
-#endif
-	char		*filename = NULL, *directory = NULL;
-	char		newname[1024];
-	char		keystr[DST_KEY_FORMATSIZE];
-	char		*endp, *p;
-	int		ch;
-	isc_entropy_t	*ectx = NULL;
-	const char	*predecessor = NULL;
-	dst_key_t	*prevkey = NULL;
-	dst_key_t	*key = NULL;
-	isc_buffer_t	buf;
-	dns_name_t	*name = NULL;
-	dns_secalg_t 	alg = 0;
-	unsigned int 	size = 0;
-	isc_uint16_t	flags = 0;
-	int		prepub = -1;
-	dns_ttl_t	ttl = 0;
-	isc_stdtime_t	now;
-	isc_stdtime_t	pub = 0, act = 0, rev = 0, inact = 0, del = 0;
-	isc_stdtime_t	prevact = 0, previnact = 0, prevdel = 0;
-	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
-	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
-	isc_boolean_t	setdel = ISC_FALSE, setttl = ISC_FALSE;
-	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
-	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
-	isc_boolean_t	unsetdel = ISC_FALSE;
-	isc_boolean_t	printcreate = ISC_FALSE, printpub = ISC_FALSE;
-	isc_boolean_t	printact = ISC_FALSE,  printrev = ISC_FALSE;
-	isc_boolean_t	printinact = ISC_FALSE, printdel = ISC_FALSE;
-	isc_boolean_t	force = ISC_FALSE;
-	isc_boolean_t   epoch = ISC_FALSE;
-	isc_boolean_t   changed = ISC_FALSE;
-	isc_log_t       *log = NULL;
-
-	if (argc == 1)
-		usage();
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		fatal("Out of memory");
-
-	setup_logging(verbose, mctx, &log);
-
-	dns_result_register();
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	isc_stdtime_get(&now);
-
-#define CMDLINE_FLAGS "A:D:E:fhI:i:K:L:P:p:R:S:uv:"
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (ch) {
-		case 'E':
-			engine = isc_commandline_argument;
-			break;
-		case 'f':
-			force = ISC_TRUE;
-			break;
-		case 'p':
-			p = isc_commandline_argument;
-			if (!strcasecmp(p, "all")) {
-				printcreate = ISC_TRUE;
-				printpub = ISC_TRUE;
-				printact = ISC_TRUE;
-				printrev = ISC_TRUE;
-				printinact = ISC_TRUE;
-				printdel = ISC_TRUE;
-				break;
-			}
-
-			do {
-				switch (*p++) {
-				case 'C':
-					printcreate = ISC_TRUE;
-					break;
-				case 'P':
-					printpub = ISC_TRUE;
-					break;
-				case 'A':
-					printact = ISC_TRUE;
-					break;
-				case 'R':
-					printrev = ISC_TRUE;
-					break;
-				case 'I':
-					printinact = ISC_TRUE;
-					break;
-				case 'D':
-					printdel = ISC_TRUE;
-					break;
-				case ' ':
-					break;
-				default:
-					usage();
-					break;
-				}
-			} while (*p != '\0');
-			break;
-		case 'u':
-			epoch = ISC_TRUE;
-			break;
-		case 'K':
-			/*
-			 * We don't have to copy it here, but do it to
-			 * simplify cleanup later
-			 */
-			directory = isc_mem_strdup(mctx,
-						   isc_commandline_argument);
-			if (directory == NULL) {
-				fatal("Failed to allocate memory for "
-				      "directory");
-			}
-			break;
-		case 'L':
-			if (strcmp(isc_commandline_argument, "none") == 0)
-				ttl = 0;
-			else
-				ttl = strtottl(isc_commandline_argument);
-			setttl = ISC_TRUE;
-			break;
-		case 'v':
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("-v must be followed by a number");
-			break;
-		case 'P':
-			if (setpub || unsetpub)
-				fatal("-P specified more than once");
-
-			changed = ISC_TRUE;
-			if (!strcasecmp(isc_commandline_argument, "none")) {
-				unsetpub = ISC_TRUE;
-			} else {
-				setpub = ISC_TRUE;
-				pub = strtotime(isc_commandline_argument,
-						now, now);
-			}
-			break;
-		case 'A':
-			if (setact || unsetact)
-				fatal("-A specified more than once");
-
-			changed = ISC_TRUE;
-			if (!strcasecmp(isc_commandline_argument, "none")) {
-				unsetact = ISC_TRUE;
-			} else {
-				setact = ISC_TRUE;
-				act = strtotime(isc_commandline_argument,
-						now, now);
-			}
-			break;
-		case 'R':
-			if (setrev || unsetrev)
-				fatal("-R specified more than once");
-
-			changed = ISC_TRUE;
-			if (!strcasecmp(isc_commandline_argument, "none")) {
-				unsetrev = ISC_TRUE;
-			} else {
-				setrev = ISC_TRUE;
-				rev = strtotime(isc_commandline_argument,
-						now, now);
-			}
-			break;
-		case 'I':
-			if (setinact || unsetinact)
-				fatal("-I specified more than once");
-
-			changed = ISC_TRUE;
-			if (!strcasecmp(isc_commandline_argument, "none")) {
-				unsetinact = ISC_TRUE;
-			} else {
-				setinact = ISC_TRUE;
-				inact = strtotime(isc_commandline_argument,
-						now, now);
-			}
-			break;
-		case 'D':
-			if (setdel || unsetdel)
-				fatal("-D specified more than once");
-
-			changed = ISC_TRUE;
-			if (!strcasecmp(isc_commandline_argument, "none")) {
-				unsetdel = ISC_TRUE;
-			} else {
-				setdel = ISC_TRUE;
-				del = strtotime(isc_commandline_argument,
-						now, now);
-			}
-			break;
-		case 'S':
-			predecessor = isc_commandline_argument;
-			break;
-		case 'i':
-			prepub = strtottl(isc_commandline_argument);
-			break;
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			/* Falls into */
-		case 'h':
-			usage();
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (argc < isc_commandline_index + 1 ||
-	    argv[isc_commandline_index] == NULL)
-		fatal("The key file name was not specified");
-	if (argc > isc_commandline_index + 1)
-		fatal("Extraneous arguments");
-
-	if (ectx == NULL)
-		setup_entropy(mctx, NULL, &ectx);
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		fatal("Could not initialize hash");
-	result = dst_lib_init2(mctx, ectx, engine,
-			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
-	if (result != ISC_R_SUCCESS)
-		fatal("Could not initialize dst: %s",
-		      isc_result_totext(result));
-	isc_entropy_stopcallbacksources(ectx);
-
-	if (predecessor != NULL) {
-		char keystr[DST_KEY_FORMATSIZE];
-		int major, minor;
-
-		if (prepub == -1)
-			prepub = (30 * 86400);
-
-		if (setpub || unsetpub)
-			fatal("-S and -P cannot be used together");
-		if (setact || unsetact)
-			fatal("-S and -A cannot be used together");
-
-		result = dst_key_fromnamedfile(predecessor, directory,
-					       DST_TYPE_PUBLIC |
-					       DST_TYPE_PRIVATE,
-					       mctx, &prevkey);
-		if (result != ISC_R_SUCCESS)
-			fatal("Invalid keyfile %s: %s",
-			      filename, isc_result_totext(result));
-		if (!dst_key_isprivate(prevkey))
-			fatal("%s is not a private key", filename);
-
-		name = dst_key_name(prevkey);
-		alg = dst_key_alg(prevkey);
-		size = dst_key_size(prevkey);
-		flags = dst_key_flags(prevkey);
-
-		dst_key_format(prevkey, keystr, sizeof(keystr));
-		dst_key_getprivateformat(prevkey, &major, &minor);
-		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
-			fatal("Predecessor has incompatible format "
-			      "version %d.%d\n\t", major, minor);
-
-		result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
-		if (result != ISC_R_SUCCESS)
-			fatal("Predecessor has no activation date. "
-			      "You must set one before\n\t"
-			      "generating a successor.");
-
-		result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
-					 &previnact);
-		if (result != ISC_R_SUCCESS)
-			fatal("Predecessor has no inactivation date. "
-			      "You must set one before\n\t"
-			      "generating a successor.");
-
-		pub = prevact - prepub;
-		if (pub < now && prepub != 0)
-			fatal("Predecessor will become inactive before the\n\t"
-			      "prepublication period ends.  Either change "
-			      "its inactivation date,\n\t"
-			      "or use the -i option to set a shorter "
-			      "prepublication interval.");
-
-		result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
-		if (result != ISC_R_SUCCESS)
-			fprintf(stderr, "%s: warning: Predecessor has no "
-					"removal date;\n\t"
-					"it will remain in the zone "
-					"indefinitely after rollover.\n",
-					program);
-		else if (prevdel < previnact)
-			fprintf(stderr, "%s: warning: Predecessor is "
-					"scheduled to be deleted\n\t"
-					"before it is scheduled to be "
-					"inactive.\n", program);
-
-		changed = setpub = setact = ISC_TRUE;
-		dst_key_free(&prevkey);
-	} else {
-		if (prepub < 0)
-			prepub = 0;
-
-		if (prepub > 0) {
-			if (setpub && setact && (act - prepub) < pub)
-				fatal("Activation and publication dates "
-				      "are closer together than the\n\t"
-				      "prepublication interval.");
-
-			if (setpub && !setact) {
-				setact = ISC_TRUE;
-				act = pub + prepub;
-			} else if (setact && !setpub) {
-				setpub = ISC_TRUE;
-				pub = act - prepub;
-			}
-
-			if ((act - prepub) < now)
-				fatal("Time until activation is shorter "
-				      "than the\n\tprepublication interval.");
-		}
-	}
-
-	if (directory != NULL) {
-		filename = argv[isc_commandline_index];
-	} else {
-		result = isc_file_splitpath(mctx, argv[isc_commandline_index],
-					    &directory, &filename);
-		if (result != ISC_R_SUCCESS)
-			fatal("cannot process filename %s: %s",
-			      argv[isc_commandline_index],
-			      isc_result_totext(result));
-	}
-
-	result = dst_key_fromnamedfile(filename, directory,
-				       DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
-				       mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		fatal("Invalid keyfile %s: %s",
-		      filename, isc_result_totext(result));
-
-	if (!dst_key_isprivate(key))
-		fatal("%s is not a private key", filename);
-
-	dst_key_format(key, keystr, sizeof(keystr));
-
-	if (predecessor != NULL) {
-		if (!dns_name_equal(name, dst_key_name(key)))
-			fatal("Key name mismatch");
-		if (alg != dst_key_alg(key))
-			fatal("Key algorithm mismatch");
-		if (size != dst_key_size(key))
-			fatal("Key size mismatch");
-		if (flags != dst_key_flags(key))
-			fatal("Key flags mismatch");
-	}
-
-	prevdel = previnact = 0;
-	if ((setdel && setinact && del < inact) ||
-	    (dst_key_gettime(key, DST_TIME_INACTIVE,
-			     &previnact) == ISC_R_SUCCESS &&
-	     setdel && !setinact && del < previnact) ||
-	    (dst_key_gettime(key, DST_TIME_DELETE,
-			     &prevdel) == ISC_R_SUCCESS &&
-	     setinact && !setdel && prevdel < inact) ||
-	    (!setdel && !setinact && prevdel < previnact))
-		fprintf(stderr, "%s: warning: Key is scheduled to "
-				"be deleted before it is\n\t"
-				"scheduled to be inactive.\n",
-			program);
-
-	if (force)
-		set_keyversion(key);
-	else
-		check_keyversion(key, keystr);
-
-	if (verbose > 2)
-		fprintf(stderr, "%s: %s\n", program, keystr);
-
-	/*
-	 * Set time values.
-	 */
-	if (setpub)
-		dst_key_settime(key, DST_TIME_PUBLISH, pub);
-	else if (unsetpub)
-		dst_key_unsettime(key, DST_TIME_PUBLISH);
-
-	if (setact)
-		dst_key_settime(key, DST_TIME_ACTIVATE, act);
-	else if (unsetact)
-		dst_key_unsettime(key, DST_TIME_ACTIVATE);
-
-	if (setrev) {
-		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
-			fprintf(stderr, "%s: warning: Key %s is already "
-					"revoked; changing the revocation date "
-					"will not affect this.\n",
-					program, keystr);
-		if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0)
-			fprintf(stderr, "%s: warning: Key %s is not flagged as "
-					"a KSK, but -R was used.  Revoking a "
-					"ZSK is legal, but undefined.\n",
-					program, keystr);
-		dst_key_settime(key, DST_TIME_REVOKE, rev);
-	} else if (unsetrev) {
-		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
-			fprintf(stderr, "%s: warning: Key %s is already "
-					"revoked; removing the revocation date "
-					"will not affect this.\n",
-					program, keystr);
-		dst_key_unsettime(key, DST_TIME_REVOKE);
-	}
-
-	if (setinact)
-		dst_key_settime(key, DST_TIME_INACTIVE, inact);
-	else if (unsetinact)
-		dst_key_unsettime(key, DST_TIME_INACTIVE);
-
-	if (setdel)
-		dst_key_settime(key, DST_TIME_DELETE, del);
-	else if (unsetdel)
-		dst_key_unsettime(key, DST_TIME_DELETE);
-
-	if (setttl)
-		dst_key_setttl(key, ttl);
-
-	/*
-	 * No metadata changes were made but we're forcing an upgrade
-	 * to the new format anyway: use "-P now -A now" as the default
-	 */
-	if (force && !changed) {
-		dst_key_settime(key, DST_TIME_PUBLISH, now);
-		dst_key_settime(key, DST_TIME_ACTIVATE, now);
-		changed = ISC_TRUE;
-	}
-
-	if (!changed && setttl)
-		changed = ISC_TRUE;
-
-	/*
-	 * Print out time values, if -p was used.
-	 */
-	if (printcreate)
-		printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
-
-	if (printpub)
-		printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
-
-	if (printact)
-		printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
-
-	if (printrev)
-		printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
-
-	if (printinact)
-		printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
-
-	if (printdel)
-		printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
-
-	if (changed) {
-		isc_buffer_init(&buf, newname, sizeof(newname));
-		result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
-					       &buf);
-		if (result != ISC_R_SUCCESS) {
-			fatal("Failed to build public key filename: %s",
-			      isc_result_totext(result));
-		}
-
-		result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
-					directory);
-		if (result != ISC_R_SUCCESS) {
-			dst_key_format(key, keystr, sizeof(keystr));
-			fatal("Failed to write key %s: %s", keystr,
-			      isc_result_totext(result));
-		}
-
-		printf("%s\n", newname);
-
-		isc_buffer_clear(&buf);
-		result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory,
-					       &buf);
-		if (result != ISC_R_SUCCESS) {
-			fatal("Failed to build private key filename: %s",
-			      isc_result_totext(result));
-		}
-		printf("%s\n", newname);
-	}
-
-	dst_key_free(&key);
-	dst_lib_destroy();
-	isc_hash_destroy();
-	cleanup_entropy(&ectx);
-	if (verbose > 10)
-		isc_mem_stats(mctx, stdout);
-	cleanup_logging(&log);
-	isc_mem_free(mctx, directory);
-	isc_mem_destroy(&mctx);
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.docbook b/contrib/bind9/bin/dnssec/dnssec-settime.docbook
deleted file mode 100644
index bc6870b..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-settime.docbook
+++ /dev/null
@@ -1,338 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-               [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2009-2011  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-settime.docbook,v 1.15 2011/11/03 20:21:37 each Exp $ -->
-<refentry id="man.dnssec-settime">
-  <refentryinfo>
-    <date>July 15, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-settime</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-settime</application></refname>
-    <refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dnssec-settime</command>
-      <arg><option>-f</option></arg>
-      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-h</option></arg>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
-      <arg choice="req">keyfile</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>dnssec-settime</command>
-      reads a DNSSEC private key file and sets the key timing metadata
-      as specified by the <option>-P</option>, <option>-A</option>,
-      <option>-R</option>, <option>-I</option>, and <option>-D</option>
-      options.  The metadata can then be used by
-      <command>dnssec-signzone</command> or other signing software to
-      determine when a key is to be published, whether it should be
-      used for signing a zone, etc.
-    </para>
-    <para>
-      If none of these options is set on the command line,
-      then <command>dnssec-settime</command> simply prints the key timing
-      metadata already stored in the key.
-    </para>
-    <para>
-      When key metadata fields are changed, both files of a key
-      pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
-      <filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
-      Metadata fields are stored in the private file.  A human-readable
-      description of the metadata is also placed in comments in the key
-      file.  The private file's permissions are always set to be
-      inaccessible to anyone other than the owner (mode 0600).
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-	<term>-f</term>
-        <listitem>
-	  <para>
-	    Force an update of an old-format key with no metadata fields.
-            Without this option, <command>dnssec-settime</command> will
-            fail when attempting to update a legacy key.  With this option,
-            the key will be recreated in the new format, but with the
-            original key data retained.  The key's creation date will be
-            set to the present time.  If no other values are specified, 
-            then the key's publication and activation dates will also 
-            be set to the present time.
-	  </para>
-        </listitem>
-      </varlistentry>
-  
-      <varlistentry>
-        <term>-K <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Sets the directory in which the key files are to reside.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-L <replaceable class="parameter">ttl</replaceable></term>
-        <listitem>
-          <para>
-            Sets the default TTL to use for this key when it is converted
-            into a DNSKEY RR.  If the key is imported into a zone,
-            this is the TTL that will be used for it, unless there was
-            already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <literal>0</literal> or <literal>none</literal> removes it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-h</term>
-        <listitem>
-	  <para>
-	    Emit usage message and exit.
-	  </para>
-        </listitem>
-      </varlistentry>
-  
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-        <listitem>
-          <para>
-            Sets the debugging level.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-E <replaceable class="parameter">engine</replaceable></term>
-        <listitem>
-          <para>
-            Use the given OpenSSL engine. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>TIMING OPTIONS</title>
-    <para>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.  To unset a date, use 'none'.
-    </para>
-
-    <variablelist>
-      <varlistentry>
-        <term>-P <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which a key is to be published to the zone.
-            After that date, the key will be included in the zone but will
-            not be used to sign it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-A <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be activated.  After that
-            date, the key will be included in the zone and used to sign
-            it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-R <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be revoked.  After that
-            date, the key will be flagged as revoked.  It will be included
-            in the zone and will be used to sign it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-I <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be retired.  After that
-            date, the key will still be included in the zone, but it
-            will not be used to sign it.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-D <replaceable class="parameter">date/offset</replaceable></term>
-        <listitem>
-          <para>
-            Sets the date on which the key is to be deleted.  After that
-            date, the key will no longer be included in the zone.  (It
-            may remain in the key repository, however.)
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-S <replaceable class="parameter">predecessor key</replaceable></term>
-        <listitem>
-          <para>
-            Select a key for which the key being modified will be an
-            explicit successor.  The name, algorithm, size, and type of the
-            predecessor key must exactly match those of the key being
-            modified.  The activation date of the successor key will be set
-            to the inactivation date of the predecessor.  The publication
-            date will be set to the activation date minus the prepublication
-            interval, which defaults to 30 days.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-i <replaceable class="parameter">interval</replaceable></term>
-        <listitem>
-          <para>
-            Sets the prepublication interval for a key.  If set, then
-            the publication and activation dates must be separated by at least
-            this much time.  If the activation date is specified but the
-            publication date isn't, then the publication date will default
-            to this much time before the activation date; conversely, if
-            the publication date is specified but activation date isn't,
-            then activation will be set to this much time after publication.
-          </para>
-          <para>
-            If the key is being set to be an explicit successor to another
-            key, then the default prepublication interval is 30 days; 
-            otherwise it is zero.
-          </para>
-          <para>
-            As with date offsets, if the argument is followed by one of
-            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
-            interval is measured in years, months, weeks, days, hours,
-            or minutes, respectively.  Without a suffix, the interval is
-            measured in seconds.
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>PRINTING OPTIONS</title>
-    <para>
-      <command>dnssec-settime</command> can also be used to print the
-      timing metadata associated with a key.
-    </para>
-
-    <variablelist>
-      <varlistentry>
-	<term>-u</term>
-        <listitem>
-	  <para>
-	    Print times in UNIX epoch format.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p <replaceable class="parameter">C/P/A/R/I/D/all</replaceable></term>
-        <listitem>
-	  <para>
-	    Print a specific metadata value or set of metadata values.
-            The <option>-p</option> option may be followed by one or more
-            of the following letters to indicate which value or values to print:
-            <option>C</option> for the creation date,
-            <option>P</option> for the publication date,
-            <option>A</option> for the activation date,
-            <option>R</option> for the revocation date,
-            <option>I</option> for the inactivation date, or
-            <option>D</option> for the deletion date.
-            To print all of the metadata, use <option>-p all</option>.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 5011</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.html b/contrib/bind9/bin/dnssec/dnssec-settime.html
deleted file mode 100644
index 7b02265..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-settime.html
+++ /dev/null
@@ -1,220 +0,0 @@
-<!--
- - Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-settime</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.dnssec-settime"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543432"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-settime</strong></span>
-      reads a DNSSEC private key file and sets the key timing metadata
-      as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
-      <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
-      options.  The metadata can then be used by
-      <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
-      determine when a key is to be published, whether it should be
-      used for signing a zone, etc.
-    </p>
-<p>
-      If none of these options is set on the command line,
-      then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
-      metadata already stored in the key.
-    </p>
-<p>
-      When key metadata fields are changed, both files of a key
-      pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
-      <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
-      Metadata fields are stored in the private file.  A human-readable
-      description of the metadata is also placed in comments in the key
-      file.  The private file's permissions are always set to be
-      inaccessible to anyone other than the owner (mode 0600).
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543480"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-f</span></dt>
-<dd><p>
-	    Force an update of an old-format key with no metadata fields.
-            Without this option, <span><strong class="command">dnssec-settime</strong></span> will
-            fail when attempting to update a legacy key.  With this option,
-            the key will be recreated in the new format, but with the
-            original key data retained.  The key's creation date will be
-            set to the present time.  If no other values are specified, 
-            then the key's publication and activation dates will also 
-            be set to the present time.
-	  </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Sets the directory in which the key files are to reside.
-          </p></dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
-            Sets the default TTL to use for this key when it is converted
-            into a DNSKEY RR.  If the key is imported into a zone,
-            this is the TTL that will be used for it, unless there was
-            already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <code class="literal">0</code> or <code class="literal">none</code> removes it.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	    Emit usage message and exit.
-	  </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Use the given OpenSSL engine. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543664"></a><h2>TIMING OPTIONS</h2>
-<p>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.  To unset a date, use 'none'.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which a key is to be published to the zone.
-            After that date, the key will be included in the zone but will
-            not be used to sign it.
-          </p></dd>
-<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be activated.  After that
-            date, the key will be included in the zone and used to sign
-            it.
-          </p></dd>
-<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be revoked.  After that
-            date, the key will be flagged as revoked.  It will be included
-            in the zone and will be used to sign it.
-          </p></dd>
-<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be retired.  After that
-            date, the key will still be included in the zone, but it
-            will not be used to sign it.
-          </p></dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be deleted.  After that
-            date, the key will no longer be included in the zone.  (It
-            may remain in the key repository, however.)
-          </p></dd>
-<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
-<dd><p>
-            Select a key for which the key being modified will be an
-            explicit successor.  The name, algorithm, size, and type of the
-            predecessor key must exactly match those of the key being
-            modified.  The activation date of the successor key will be set
-            to the inactivation date of the predecessor.  The publication
-            date will be set to the activation date minus the prepublication
-            interval, which defaults to 30 days.
-          </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
-<p>
-            Sets the prepublication interval for a key.  If set, then
-            the publication and activation dates must be separated by at least
-            this much time.  If the activation date is specified but the
-            publication date isn't, then the publication date will default
-            to this much time before the activation date; conversely, if
-            the publication date is specified but activation date isn't,
-            then activation will be set to this much time after publication.
-          </p>
-<p>
-            If the key is being set to be an explicit successor to another
-            key, then the default prepublication interval is 30 days; 
-            otherwise it is zero.
-          </p>
-<p>
-            As with date offsets, if the argument is followed by one of
-            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
-            interval is measured in years, months, weeks, days, hours,
-            or minutes, respectively.  Without a suffix, the interval is
-            measured in seconds.
-          </p>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543802"></a><h2>PRINTING OPTIONS</h2>
-<p>
-      <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
-      timing metadata associated with a key.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">-u</span></dt>
-<dd><p>
-	    Print times in UNIX epoch format.
-	  </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
-<dd><p>
-	    Print a specific metadata value or set of metadata values.
-            The <code class="option">-p</code> option may be followed by one or more
-            of the following letters to indicate which value or values to print:
-            <code class="option">C</code> for the creation date,
-            <code class="option">P</code> for the publication date,
-            <code class="option">A</code> for the activation date,
-            <code class="option">R</code> for the revocation date,
-            <code class="option">I</code> for the inactivation date, or
-            <code class="option">D</code> for the deletion date.
-            To print all of the metadata, use <code class="option">-p all</code>.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543880"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 5011</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2542138"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.8 b/contrib/bind9/bin/dnssec/dnssec-signzone.8
deleted file mode 100644
index c917495..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.8
+++ /dev/null
@@ -1,434 +0,0 @@
-.\" Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-signzone
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 05, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DNSSEC\-SIGNZONE" "8" "June 05, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-signzone \- DNSSEC zone signing tool
-.SH "SYNOPSIS"
-.HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-p\fR] [\fB\-R\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-signzone\fR
-signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
-\fIkeyset\fR
-file for each child zone.
-.SH "OPTIONS"
-.PP
-\-a
-.RS 4
-Verify all generated signatures.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class of the zone.
-.RE
-.PP
-\-C
-.RS 4
-Compatibility mode: Generate a
-\fIkeyset\-\fR\fI\fIzonename\fR\fR
-file in addition to
-\fIdsset\-\fR\fI\fIzonename\fR\fR
-when signing a zone, for use by older versions of
-\fBdnssec\-signzone\fR.
-.RE
-.PP
-\-d \fIdirectory\fR
-.RS 4
-Look for
-\fIdsset\-\fR
-or
-\fIkeyset\-\fR
-files in
-\fBdirectory\fR.
-.RE
-.PP
-\-D
-.RS 4
-Output only those record types automatically managed by
-\fBdnssec\-signzone\fR, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records. If smart signing (\fB\-S\fR) is used, DNSKEY records are also included. The resulting file can be included in the original zone file with
-\fB$INCLUDE\fR. This option cannot be combined with
-\fB\-O raw\fR
-or serial number updating.
-.RE
-.PP
-\-E \fIengine\fR
-.RS 4
-Uses a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance signing with private keys from a secure key store. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
-.RE
-.PP
-\-g
-.RS 4
-Generate DS records for child zones from
-\fIdsset\-\fR
-or
-\fIkeyset\-\fR
-file. Existing DS records will be removed.
-.RE
-.PP
-\-K \fIdirectory\fR
-.RS 4
-Key repository: Specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory.
-.RE
-.PP
-\-k \fIkey\fR
-.RS 4
-Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
-.RE
-.PP
-\-l \fIdomain\fR
-.RS 4
-Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
-.RE
-.PP
-\-s \fIstart\-time\fR
-.RS 4
-Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
-\fBstart\-time\fR
-is specified, the current time minus 1 hour (to allow for clock skew) is used.
-.RE
-.PP
-\-e \fIend\-time\fR
-.RS 4
-Specify the date and time when the generated RRSIG records expire. As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
-\fBend\-time\fR
-is specified, 30 days from the start time is used as a default.
-\fBend\-time\fR
-must be later than
-\fBstart\-time\fR.
-.RE
-.PP
-\-X \fIextended end\-time\fR
-.RS 4
-Specify the date and time when the generated RRSIG records for the DNSKEY RRset will expire. This is to be used in cases when the DNSKEY signatures need to persist longer than signatures on other records; e.g., when the private component of the KSK is kept offline and the KSK signature is to be refreshed manually.
-.sp
-As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
-\fBextended end\-time\fR
-is specified, the value of
-\fBend\-time\fR
-is used as the default. (\fBend\-time\fR, in turn, defaults to 30 days from the start time.)
-\fBextended end\-time\fR
-must be later than
-\fBstart\-time\fR.
-.RE
-.PP
-\-f \fIoutput\-file\fR
-.RS 4
-The name of the output file containing the signed zone. The default is to append
-\fI.signed\fR
-to the input filename. If
-\fBoutput\-file\fR
-is set to
-"\-", then the signed zone is written to the standard output, with a default output format of "full".
-.RE
-.PP
-\-h
-.RS 4
-Prints a short summary of the options and arguments to
-\fBdnssec\-signzone\fR.
-.RE
-.PP
-\-i \fIinterval\fR
-.RS 4
-When a previously\-signed zone is passed as input, records may be resigned. The
-\fBinterval\fR
-option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
-.sp
-The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
-\fBend\-time\fR
-or
-\fBstart\-time\fR
-are specified,
-\fBdnssec\-signzone\fR
-generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
-.RE
-.PP
-\-I \fIinput\-format\fR
-.RS 4
-The format of the input zone file. Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
-.RE
-.PP
-\-j \fIjitter\fR
-.RS 4
-When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
-\fBjitter\fR
-option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
-.sp
-Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
-.RE
-.PP
-\-L \fIserial\fR
-.RS 4
-When writing a signed zone to 'raw' format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.)
-.RE
-.PP
-\-n \fIncpus\fR
-.RS 4
-Specifies the number of threads to use. By default, one thread is started for each detected CPU.
-.RE
-.PP
-\-N \fIsoa\-serial\-format\fR
-.RS 4
-The SOA serial number format of the signed zone. Possible formats are
-\fB"keep"\fR
-(default),
-\fB"increment"\fR
-and
-\fB"unixtime"\fR.
-.RS 4
-.PP
-\fB"keep"\fR
-.RS 4
-Do not modify the SOA serial number.
-.RE
-.PP
-\fB"increment"\fR
-.RS 4
-Increment the SOA serial number using RFC 1982 arithmetics.
-.RE
-.PP
-\fB"unixtime"\fR
-.RS 4
-Set the SOA serial number to the number of seconds since epoch.
-.RE
-.RE
-.RE
-.PP
-\-o \fIorigin\fR
-.RS 4
-The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.RE
-.PP
-\-O \fIoutput\-format\fR
-.RS 4
-The format of the output file containing the signed zone. Possible formats are
-\fB"text"\fR
-(default)
-\fB"full"\fR, which is text output in a format suitable for processing by external scripts, and
-\fB"raw"\fR
-or
-\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
-\fBnamed\fR.
-\fB"raw=N"\fR
-specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
-\fBnamed\fR; if N is 1, the file can be read by release 9.9.0 or higher. The default is 1.
-.RE
-.PP
-\-p
-.RS 4
-Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.RE
-.PP
-\-P
-.RS 4
-Disable post sign verification tests.
-.sp
-The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests.
-.RE
-.PP
-\-R
-.RS 4
-Remove signatures from keys that no longer exist.
-.sp
-Normally, when a previously\-signed zone is passed as input to the signer, and a DNSKEY record has been removed and replaced with a new one, signatures from the old key that are still within their validity period are retained. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset. The
-\fB\-R\fR
-forces
-\fBdnssec\-signzone\fR
-to remove all orphaned signatures.
-.RE
-.PP
-\-r \fIrandomdev\fR
-.RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-S
-.RS 4
-Smart signing: Instructs
-\fBdnssec\-signzone\fR
-to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.
-.sp
-When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior ones:
-.RS 4
-.PP
-.RS 4
-If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone.
-.RE
-.PP
-.RS 4
-If the key's publication date is set and is in the past, the key is published in the zone.
-.RE
-.PP
-.RS 4
-If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone.
-.RE
-.PP
-.RS 4
-If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone.
-.RE
-.PP
-.RS 4
-If either of the key's unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata.
-.RE
-.RE
-.RE
-.PP
-\-T \fIttl\fR
-.RS 4
-Specifies a TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the TTL value from the zone's SOA record. This option is ignored when signing without
-\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match them, or if any of the imported DNSKEY records had a default TTL value. In the event of a a conflict between TTL values in imported keys, the shortest one is used.
-.RE
-.PP
-\-t
-.RS 4
-Print statistics at completion.
-.RE
-.PP
-\-u
-.RS 4
-Update NSEC/NSEC3 chain when re\-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. Without this option,
-\fBdnssec\-signzone\fR
-will retain the existing chain when re\-signing.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level.
-.RE
-.PP
-\-x
-.RS 4
-Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys. (This is similar to the
-\fBdnssec\-dnskey\-kskonly yes;\fR
-zone option in
-\fBnamed\fR.)
-.RE
-.PP
-\-z
-.RS 4
-Ignore KSK flag on key when determining what to sign. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the
-\fBupdate\-check\-ksk no;\fR
-zone option in
-\fBnamed\fR.)
-.RE
-.PP
-\-3 \fIsalt\fR
-.RS 4
-Generate an NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
-.RE
-.PP
-\-H \fIiterations\fR
-.RS 4
-When generating an NSEC3 chain, use this many interations. The default is 10.
-.RE
-.PP
-\-A
-.RS 4
-When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
-.sp
-Using this option twice (i.e.,
-\fB\-AA\fR) turns the OPTOUT flag off for all records. This is useful when using the
-\fB\-u\fR
-option to modify an NSEC3 chain which previously had OPTOUT set.
-.RE
-.PP
-zonefile
-.RS 4
-The file containing the zone to be signed.
-.RE
-.PP
-key
-.RS 4
-Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
-.RE
-.SH "EXAMPLE"
-.PP
-The following command signs the
-\fBexample.com\fR
-zone with the DSA key generated by
-\fBdnssec\-keygen\fR
-(Kexample.com.+003+17247). Because the
-\fB\-S\fR
-option is not being used, the zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
-\fIdsset\fR
-files, in the current directory, so that DS records can be imported from them (\fB\-g\fR).
-.sp
-.RS 4
-.nf
-% dnssec\-signzone \-g \-o example.com db.example.com \\
-Kexample.com.+003+17247
-db.example.com.signed
-%
-.fi
-.RE
-.PP
-In the above example,
-\fBdnssec\-signzone\fR
-creates the file
-\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
-\fInamed.conf\fR
-file.
-.PP
-This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.
-.sp
-.RS 4
-.nf
-% cp db.example.com.signed db.example.com
-% dnssec\-signzone \-o example.com db.example.com
-db.example.com.signed
-%
-.fi
-.RE
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-keygen\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 4033.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2003 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c
deleted file mode 100644
index 83456a7..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.c
+++ /dev/null
@@ -1,3746 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-signzone.c,v 1.285 2011/12/22 07:32:39 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <isc/app.h>
-#include <isc/base32.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/event.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/hex.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/os.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/rwlock.h>
-#include <isc/serial.h>
-#include <isc/stdio.h>
-#include <isc/stdlib.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/ds.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-#include <dns/time.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-#ifndef PATH_MAX
-#define PATH_MAX 1024   /* AIX, WIN32, and others don't define this. */
-#endif
-
-const char *program = "dnssec-signzone";
-int verbose;
-
-typedef struct hashlist hashlist_t;
-
-static int nsec_datatype = dns_rdatatype_nsec;
-
-#define IS_NSEC3	(nsec_datatype == dns_rdatatype_nsec3)
-#define OPTOUT(x)	(((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
-
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
-
-#define BUFSIZE 2048
-#define MAXDSKEYS 8
-
-#define SIGNER_EVENTCLASS	ISC_EVENTCLASS(0x4453)
-#define SIGNER_EVENT_WRITE	(SIGNER_EVENTCLASS + 0)
-#define SIGNER_EVENT_WORK	(SIGNER_EVENTCLASS + 1)
-
-#define SOA_SERIAL_KEEP		0
-#define SOA_SERIAL_INCREMENT	1
-#define SOA_SERIAL_UNIXTIME	2
-
-typedef struct signer_event sevent_t;
-struct signer_event {
-	ISC_EVENT_COMMON(sevent_t);
-	dns_fixedname_t *fname;
-	dns_dbnode_t *node;
-};
-
-static dns_dnsseckeylist_t keylist;
-static unsigned int keycount = 0;
-isc_rwlock_t keylist_lock;
-static isc_stdtime_t starttime = 0, endtime = 0, dnskey_endtime = 0, now;
-static int cycle = -1;
-static int jitter = 0;
-static isc_boolean_t tryverify = ISC_FALSE;
-static isc_boolean_t printstats = ISC_FALSE;
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-static dns_ttl_t zone_soa_min_ttl;
-static dns_ttl_t soa_ttl;
-static FILE *fp = NULL;
-static char *tempfile = NULL;
-static const dns_master_style_t *masterstyle;
-static dns_masterformat_t inputformat = dns_masterformat_text;
-static dns_masterformat_t outputformat = dns_masterformat_text;
-static isc_uint32_t rawversion = 1, serialnum = 0;
-static isc_boolean_t snset = ISC_FALSE;
-static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
-static unsigned int nverified = 0, nverifyfailed = 0;
-static const char *directory = NULL, *dsdir = NULL;
-static isc_mutex_t namelock, statslock;
-static isc_taskmgr_t *taskmgr = NULL;
-static dns_db_t *gdb;			/* The database */
-static dns_dbversion_t *gversion;	/* The database version */
-static dns_dbiterator_t *gdbiter;	/* The database iterator */
-static dns_rdataclass_t gclass;		/* The class */
-static dns_name_t *gorigin;		/* The database origin */
-static int nsec3flags = 0;
-static dns_iterations_t nsec3iter = 10U;
-static unsigned char saltbuf[255];
-static unsigned char *salt = saltbuf;
-static size_t salt_length = 0;
-static isc_task_t *master = NULL;
-static unsigned int ntasks = 0;
-static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
-static isc_boolean_t nokeys = ISC_FALSE;
-static isc_boolean_t removefile = ISC_FALSE;
-static isc_boolean_t generateds = ISC_FALSE;
-static isc_boolean_t ignore_kskflag = ISC_FALSE;
-static isc_boolean_t keyset_kskonly = ISC_FALSE;
-static dns_name_t *dlv = NULL;
-static dns_fixedname_t dlv_fixed;
-static dns_master_style_t *dsstyle = NULL;
-static unsigned int serialformat = SOA_SERIAL_KEEP;
-static unsigned int hash_length = 0;
-static isc_boolean_t unknownalg = ISC_FALSE;
-static isc_boolean_t disable_zone_check = ISC_FALSE;
-static isc_boolean_t update_chain = ISC_FALSE;
-static isc_boolean_t set_keyttl = ISC_FALSE;
-static dns_ttl_t keyttl;
-static isc_boolean_t smartsign = ISC_FALSE;
-static isc_boolean_t remove_orphans = ISC_FALSE;
-static isc_boolean_t output_dnssec_only = ISC_FALSE;
-static isc_boolean_t output_stdout = ISC_FALSE;
-
-#define INCSTAT(counter)		\
-	if (printstats) {		\
-		LOCK(&statslock);	\
-		counter++;		\
-		UNLOCK(&statslock);	\
-	}
-
-static void
-sign(isc_task_t *task, isc_event_t *event);
-
-static void
-dumpnode(dns_name_t *name, dns_dbnode_t *node) {
-	dns_rdataset_t rds;
-	dns_rdatasetiter_t *iter = NULL;
-	isc_buffer_t *buffer = NULL;
-	isc_region_t r;
-	isc_result_t result;
-	unsigned bufsize = 4096;
-
-	if (outputformat != dns_masterformat_text)
-		return;
-
-	if (!output_dnssec_only) {
-		result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
-						     name, masterstyle, fp);
-		check_result(result, "dns_master_dumpnodetostream");
-		return;
-	}
-
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &iter);
-	check_result(result, "dns_db_allrdatasets");
-
-	dns_rdataset_init(&rds);
-
-	result = isc_buffer_allocate(mctx, &buffer, bufsize);
-	check_result(result, "isc_buffer_allocate");
-
-	for (result = dns_rdatasetiter_first(iter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(iter)) {
-
-		dns_rdatasetiter_current(iter, &rds);
-
-		if (rds.type != dns_rdatatype_rrsig &&
-		    rds.type != dns_rdatatype_nsec &&
-		    rds.type != dns_rdatatype_nsec3 &&
-		    rds.type != dns_rdatatype_nsec3param &&
-		    (!smartsign || rds.type != dns_rdatatype_dnskey)) {
-			dns_rdataset_disassociate(&rds);
-			continue;
-		}
-
-		for (;;) {
-			result = dns_master_rdatasettotext(name, &rds,
-							   masterstyle, buffer);
-			if (result != ISC_R_NOSPACE)
-				break;
-
-			bufsize <<= 1;
-			isc_buffer_free(&buffer);
-			result = isc_buffer_allocate(mctx, &buffer, bufsize);
-			check_result(result, "isc_buffer_allocate");
-		}
-		check_result(result, "dns_master_rdatasettotext");
-
-		isc_buffer_usedregion(buffer, &r);
-		result = isc_stdio_write(r.base, 1, r.length, fp, NULL);
-		check_result(result, "isc_stdio_write");
-		isc_buffer_clear(buffer);
-
-		dns_rdataset_disassociate(&rds);
-	}
-
-	isc_buffer_free(&buffer);
-	dns_rdatasetiter_destroy(&iter);
-}
-
-/*%
- * Sign the given RRset with given key, and add the signature record to the
- * given tuple.
- */
-static void
-signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
-	    dns_ttl_t ttl, dns_diff_t *add, const char *logmsg)
-{
-	isc_result_t result;
-	isc_stdtime_t jendtime, expiry;
-	char keystr[DST_KEY_FORMATSIZE];
-	dns_rdata_t trdata = DNS_RDATA_INIT;
-	unsigned char array[BUFSIZE];
-	isc_buffer_t b;
-	dns_difftuple_t *tuple;
-
-	dst_key_format(key, keystr, sizeof(keystr));
-	vbprintf(1, "\t%s %s\n", logmsg, keystr);
-
-	if (rdataset->type == dns_rdatatype_dnskey)
-		expiry = dnskey_endtime;
-	else
-		expiry = endtime;
-
-	jendtime = (jitter != 0) ? isc_random_jitter(expiry, jitter) : expiry;
-	isc_buffer_init(&b, array, sizeof(array));
-	result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
-				 mctx, &b, &trdata);
-	isc_entropy_stopcallbacksources(ectx);
-	if (result != ISC_R_SUCCESS) {
-		char keystr[DST_KEY_FORMATSIZE];
-		dst_key_format(key, keystr, sizeof(keystr));
-		fatal("dnskey '%s' failed to sign data: %s",
-		      keystr, isc_result_totext(result));
-	}
-	INCSTAT(nsigned);
-
-	if (tryverify) {
-		result = dns_dnssec_verify(name, rdataset, key,
-					   ISC_TRUE, mctx, &trdata);
-		if (result == ISC_R_SUCCESS) {
-			vbprintf(3, "\tsignature verified\n");
-			INCSTAT(nverified);
-		} else {
-			vbprintf(3, "\tsignature failed to verify\n");
-			INCSTAT(nverifyfailed);
-		}
-	}
-
-	tuple = NULL;
-	result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, ttl, &trdata,
-				      &tuple);
-	check_result(result, "dns_difftuple_create");
-	dns_diff_append(add, &tuple);
-}
-
-static inline isc_boolean_t
-issigningkey(dns_dnsseckey_t *key) {
-	return (key->force_sign || key->hint_sign);
-}
-
-static inline isc_boolean_t
-ispublishedkey(dns_dnsseckey_t *key) {
-	return ((key->force_publish || key->hint_publish) &&
-		!key->hint_remove);
-}
-
-static inline isc_boolean_t
-iszonekey(dns_dnsseckey_t *key) {
-	return (ISC_TF(dns_name_equal(dst_key_name(key->key), gorigin) &&
-		       dst_key_iszonekey(key->key)));
-}
-
-static inline isc_boolean_t
-isksk(dns_dnsseckey_t *key) {
-	return (key->ksk);
-}
-
-static inline isc_boolean_t
-iszsk(dns_dnsseckey_t *key) {
-	return (ignore_kskflag || !key->ksk);
-}
-
-/*%
- * Find the key that generated an RRSIG, if it is in the key list.  If
- * so, return a pointer to it, otherwise return NULL.
- *
- * No locking is performed here, this must be done by the caller.
- */
-static dns_dnsseckey_t *
-keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
-	dns_dnsseckey_t *key;
-
-	for (key = ISC_LIST_HEAD(keylist);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link)) {
-		if (rrsig->keyid == dst_key_id(key->key) &&
-		    rrsig->algorithm == dst_key_alg(key->key) &&
-		    dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
-			return (key);
-	}
-	return (NULL);
-}
-
-/*%
- * Finds the key that generated a RRSIG, if possible.  First look at the keys
- * that we've loaded already, and then see if there's a key on disk.
- */
-static dns_dnsseckey_t *
-keythatsigned(dns_rdata_rrsig_t *rrsig) {
-	isc_result_t result;
-	dst_key_t *pubkey = NULL, *privkey = NULL;
-	dns_dnsseckey_t *key = NULL;
-
-	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_read);
-	key = keythatsigned_unlocked(rrsig);
-	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_read);
-	if (key != NULL)
-		return (key);
-
-	/*
-	 * We did not find the key in our list.  Get a write lock now, since
-	 * we may be modifying the bits.  We could do the tryupgrade() dance,
-	 * but instead just get a write lock and check once again to see if
-	 * it is on our list.  It's possible someone else may have added it
-	 * after all.
-	 */
-	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_write);
-	key = keythatsigned_unlocked(rrsig);
-	if (key != NULL) {
-		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
-		return (key);
-	}
-
-	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
-				  rrsig->algorithm, DST_TYPE_PUBLIC,
-				  directory, mctx, &pubkey);
-	if (result != ISC_R_SUCCESS) {
-		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
-		return (NULL);
-	}
-
-	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
-				  rrsig->algorithm,
-				  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
-				  directory, mctx, &privkey);
-	if (result == ISC_R_SUCCESS) {
-		dst_key_free(&pubkey);
-		result = dns_dnsseckey_create(mctx, &privkey, &key);
-	} else
-		result = dns_dnsseckey_create(mctx, &pubkey, &key);
-
-	if (result == ISC_R_SUCCESS) {
-		key->force_publish = ISC_FALSE;
-		key->force_sign = ISC_FALSE;
-		key->index = keycount++;
-		ISC_LIST_APPEND(keylist, key, link);
-	}
-
-	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
-	return (key);
-}
-
-/*%
- * Check to see if we expect to find a key at this name.  If we see a RRSIG
- * and can't find the signing key that we expect to find, we drop the rrsig.
- * I'm not sure if this is completely correct, but it seems to work.
- */
-static isc_boolean_t
-expecttofindkey(dns_name_t *name) {
-	unsigned int options = DNS_DBFIND_NOWILD;
-	dns_fixedname_t fname;
-	isc_result_t result;
-	char namestr[DNS_NAME_FORMATSIZE];
-
-	dns_fixedname_init(&fname);
-	result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey, options,
-			     0, NULL, dns_fixedname_name(&fname), NULL, NULL);
-	switch (result) {
-	case ISC_R_SUCCESS:
-	case DNS_R_NXDOMAIN:
-	case DNS_R_NXRRSET:
-		return (ISC_TRUE);
-	case DNS_R_DELEGATION:
-	case DNS_R_CNAME:
-	case DNS_R_DNAME:
-		return (ISC_FALSE);
-	}
-	dns_name_format(name, namestr, sizeof(namestr));
-	fatal("failure looking for '%s DNSKEY' in database: %s",
-	      namestr, isc_result_totext(result));
-	/* NOTREACHED */
-	return (ISC_FALSE); /* removes a warning */
-}
-
-static inline isc_boolean_t
-setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-	    dns_rdata_t *rrsig)
-{
-	isc_result_t result;
-	result = dns_dnssec_verify(name, set, key, ISC_FALSE, mctx, rrsig);
-	if (result == ISC_R_SUCCESS) {
-		INCSTAT(nverified);
-		return (ISC_TRUE);
-	} else {
-		INCSTAT(nverifyfailed);
-		return (ISC_FALSE);
-	}
-}
-
-/*%
- * Signs a set.  Goes through contortions to decide if each RRSIG should
- * be dropped or retained, and then determines if any new SIGs need to
- * be generated.
- */
-static void
-signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
-	dns_rdataset_t *set)
-{
-	dns_rdataset_t sigset;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdata_rrsig_t rrsig;
-	dns_dnsseckey_t *key;
-	isc_result_t result;
-	isc_boolean_t nosigs = ISC_FALSE;
-	isc_boolean_t *wassignedby, *nowsignedby;
-	int arraysize;
-	dns_difftuple_t *tuple;
-	dns_ttl_t ttl;
-	int i;
-	char namestr[DNS_NAME_FORMATSIZE];
-	char typestr[TYPE_FORMATSIZE];
-	char sigstr[SIG_FORMATSIZE];
-
-	dns_name_format(name, namestr, sizeof(namestr));
-	type_format(set->type, typestr, sizeof(typestr));
-
-	ttl = ISC_MIN(set->ttl, endtime - starttime);
-
-	dns_rdataset_init(&sigset);
-	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig,
-				     set->type, 0, &sigset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		result = ISC_R_SUCCESS;
-		nosigs = ISC_TRUE;
-	}
-	if (result != ISC_R_SUCCESS)
-		fatal("failed while looking for '%s RRSIG %s': %s",
-		      namestr, typestr, isc_result_totext(result));
-
-	vbprintf(1, "%s/%s:\n", namestr, typestr);
-
-	arraysize = keycount;
-	if (!nosigs)
-		arraysize += dns_rdataset_count(&sigset);
-	wassignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
-	nowsignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
-	if (wassignedby == NULL || nowsignedby == NULL)
-		fatal("out of memory");
-
-	for (i = 0; i < arraysize; i++)
-		wassignedby[i] = nowsignedby[i] = ISC_FALSE;
-
-	if (nosigs)
-		result = ISC_R_NOMORE;
-	else
-		result = dns_rdataset_first(&sigset);
-
-	while (result == ISC_R_SUCCESS) {
-		isc_boolean_t expired, future;
-		isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;
-
-		dns_rdataset_current(&sigset, &sigrdata);
-
-		result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
-		check_result(result, "dns_rdata_tostruct");
-
-		future = isc_serial_lt(now, rrsig.timesigned);
-
-		key = keythatsigned(&rrsig);
-		sig_format(&rrsig, sigstr, sizeof(sigstr));
-		if (key != NULL && issigningkey(key))
-			expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
-		else
-			expired = isc_serial_gt(now, rrsig.timeexpire);
-
-		if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
-			/* rrsig is dropped and not replaced */
-			vbprintf(2, "\trrsig by %s dropped - "
-				 "invalid validity period\n",
-				 sigstr);
-		} else if (key == NULL && !future &&
-			   expecttofindkey(&rrsig.signer)) {
-			/* rrsig is dropped and not replaced */
-			vbprintf(2, "\trrsig by %s dropped - "
-				 "private dnskey not found\n",
-				 sigstr);
-		} else if (key == NULL || future) {
-			keep = (!expired && !remove_orphans);
-			vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
-				 keep ? "retained" : "dropped", sigstr);
-		} else if (issigningkey(key)) {
-			wassignedby[key->index] = ISC_TRUE;
-
-			if (!expired && rrsig.originalttl == set->ttl &&
-			    setverifies(name, set, key->key, &sigrdata)) {
-				vbprintf(2, "\trrsig by %s retained\n", sigstr);
-				keep = ISC_TRUE;
-			} else {
-				vbprintf(2, "\trrsig by %s dropped - %s\n",
-					 sigstr, expired ? "expired" :
-					 rrsig.originalttl != set->ttl ?
-					 "ttl change" : "failed to verify");
-				resign = ISC_TRUE;
-			}
-		} else if (!ispublishedkey(key) && remove_orphans) {
-			vbprintf(2, "\trrsig by %s dropped - dnskey removed\n",
-				 sigstr);
-		} else if (iszonekey(key)) {
-			wassignedby[key->index] = ISC_TRUE;
-
-			if (!expired && rrsig.originalttl == set->ttl &&
-			    setverifies(name, set, key->key, &sigrdata)) {
-				vbprintf(2, "\trrsig by %s retained\n", sigstr);
-				keep = ISC_TRUE;
-			} else {
-				vbprintf(2, "\trrsig by %s dropped - %s\n",
-					 sigstr, expired ? "expired" :
-					 rrsig.originalttl != set->ttl ?
-					 "ttl change" : "failed to verify");
-			}
-		} else if (!expired) {
-			vbprintf(2, "\trrsig by %s retained\n", sigstr);
-			keep = ISC_TRUE;
-		} else {
-			vbprintf(2, "\trrsig by %s expired\n", sigstr);
-		}
-
-		if (keep) {
-			if (key != NULL)
-				nowsignedby[key->index] = ISC_TRUE;
-			INCSTAT(nretained);
-			if (sigset.ttl != ttl) {
-				vbprintf(2, "\tfixing ttl %s\n", sigstr);
-				tuple = NULL;
-				result = dns_difftuple_create(mctx,
-							      DNS_DIFFOP_DEL,
-							      name, sigset.ttl,
-							      &sigrdata,
-							      &tuple);
-				check_result(result, "dns_difftuple_create");
-				dns_diff_append(del, &tuple);
-				result = dns_difftuple_create(mctx,
-							      DNS_DIFFOP_ADD,
-							      name, ttl,
-							      &sigrdata,
-							      &tuple);
-				check_result(result, "dns_difftuple_create");
-				dns_diff_append(add, &tuple);
-			}
-		} else {
-			tuple = NULL;
-			vbprintf(2, "removing signature by %s\n", sigstr);
-			result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
-						      name, sigset.ttl,
-						      &sigrdata, &tuple);
-			check_result(result, "dns_difftuple_create");
-			dns_diff_append(del, &tuple);
-			INCSTAT(ndropped);
-		}
-
-		if (resign) {
-			INSIST(!keep);
-
-			signwithkey(name, set, key->key, ttl, add,
-				    "resigning with dnskey");
-			nowsignedby[key->index] = ISC_TRUE;
-		}
-
-		dns_rdata_reset(&sigrdata);
-		dns_rdata_freestruct(&rrsig);
-		result = dns_rdataset_next(&sigset);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	check_result(result, "dns_rdataset_first/next");
-	if (dns_rdataset_isassociated(&sigset))
-		dns_rdataset_disassociate(&sigset);
-
-	for (key = ISC_LIST_HEAD(keylist);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link))
-	{
-		if (nowsignedby[key->index])
-			continue;
-
-		if (!issigningkey(key))
-			continue;
-
-		if (set->type == dns_rdatatype_dnskey &&
-		     dns_name_equal(name, gorigin)) {
-			isc_boolean_t have_ksk;
-			dns_dnsseckey_t *tmpkey;
-
-			have_ksk = isksk(key);
-			for (tmpkey = ISC_LIST_HEAD(keylist);
-			     tmpkey != NULL;
-			     tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
-				if (dst_key_alg(key->key) !=
-				    dst_key_alg(tmpkey->key))
-					continue;
-				if (REVOKE(tmpkey->key))
-					continue;
-				if (isksk(tmpkey))
-					have_ksk = ISC_TRUE;
-			}
-			if (isksk(key) || !have_ksk ||
-			    (iszsk(key) && !keyset_kskonly))
-				signwithkey(name, set, key->key, ttl, add,
-					    "signing with dnskey");
-		} else if (iszsk(key)) {
-			signwithkey(name, set, key->key, ttl, add,
-				    "signing with dnskey");
-		}
-	}
-
-	isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
-	isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
-}
-
-struct hashlist {
-	unsigned char *hashbuf;
-	size_t entries;
-	size_t size;
-	size_t length;
-};
-
-static void
-hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) {
-
-	l->entries = 0;
-	l->length = length + 1;
-
-	if (nodes != 0) {
-		l->size = nodes;
-		l->hashbuf = malloc(l->size * l->length);
-		if (l->hashbuf == NULL)
-			l->size = 0;
-	} else {
-		l->size = 0;
-		l->hashbuf = NULL;
-	}
-}
-
-static void
-hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
-{
-
-	REQUIRE(len <= l->length);
-
-	if (l->entries == l->size) {
-		l->size = l->size * 2 + 100;
-		l->hashbuf = realloc(l->hashbuf, l->size * l->length);
-		if (l->hashbuf == NULL)
-			fatal("unable to grow hashlist: out of memory");
-	}
-	memset(l->hashbuf + l->entries * l->length, 0, l->length);
-	memcpy(l->hashbuf + l->entries * l->length, hash, len);
-	l->entries++;
-}
-
-static void
-hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
-		      unsigned int hashalg, unsigned int iterations,
-		      const unsigned char *salt, size_t salt_length,
-		      isc_boolean_t speculative)
-{
-	char nametext[DNS_NAME_FORMATSIZE];
-	unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
-	unsigned int len;
-	size_t i;
-
-	len = isc_iterated_hash(hash, hashalg, iterations, salt, salt_length,
-				name->ndata, name->length);
-	if (verbose) {
-		dns_name_format(name, nametext, sizeof nametext);
-		for (i = 0 ; i < len; i++)
-			fprintf(stderr, "%02x", hash[i]);
-		fprintf(stderr, " %s\n", nametext);
-	}
-	hash[len++] = speculative ? 1 : 0;
-	hashlist_add(l, hash, len);
-}
-
-static int
-hashlist_comp(const void *a, const void *b) {
-	return (memcmp(a, b, hash_length + 1));
-}
-
-static void
-hashlist_sort(hashlist_t *l) {
-	qsort(l->hashbuf, l->entries, l->length, hashlist_comp);
-}
-
-static isc_boolean_t
-hashlist_hasdup(hashlist_t *l) {
-	unsigned char *current;
-	unsigned char *next = l->hashbuf;
-	size_t entries = l->entries;
-
-	/*
-	 * Skip initial speculative wild card hashs.
-	 */
-	while (entries > 0U && next[l->length-1] != 0U) {
-		next += l->length;
-		entries--;
-	}
-
-	current = next;
-	while (entries-- > 1U) {
-		next += l->length;
-		if (next[l->length-1] != 0)
-			continue;
-		if (memcmp(current, next, l->length - 1) == 0)
-			return (ISC_TRUE);
-		current = next;
-	}
-	return (ISC_FALSE);
-}
-
-static const unsigned char *
-hashlist_findnext(const hashlist_t *l,
-		  const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
-{
-	unsigned int entries = l->entries;
-	const unsigned char *next = bsearch(hash, l->hashbuf, l->entries,
-					    l->length, hashlist_comp);
-	INSIST(next != NULL);
-
-	do {
-		if (next < l->hashbuf + (l->entries - 1) * l->length)
-			next += l->length;
-		else
-			next = l->hashbuf;
-		if (next[l->length - 1] == 0)
-			break;
-	} while (entries-- > 1);
-	INSIST(entries != 0);
-	return (next);
-}
-
-static isc_boolean_t
-hashlist_exists(const hashlist_t *l,
-		const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
-{
-	if (bsearch(hash, l->hashbuf, l->entries, l->length, hashlist_comp))
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-}
-
-static void
-addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name,
-		  unsigned int hashalg, unsigned int iterations,
-		  const unsigned char *salt, size_t salt_length)
-{
-	dns_fixedname_t fixed;
-	dns_name_t *wild;
-	dns_dbnode_t *node = NULL;
-	isc_result_t result;
-	char namestr[DNS_NAME_FORMATSIZE];
-
-	dns_fixedname_init(&fixed);
-	wild = dns_fixedname_name(&fixed);
-
-	result = dns_name_concatenate(dns_wildcardname, name, wild, NULL);
-	if (result == ISC_R_NOSPACE)
-		return;
-	check_result(result,"addnowildcardhash: dns_name_concatenate()");
-
-	result = dns_db_findnode(gdb, wild, ISC_FALSE, &node);
-	if (result == ISC_R_SUCCESS) {
-		dns_db_detachnode(gdb, &node);
-		return;
-	}
-
-	if (verbose) {
-		dns_name_format(wild, namestr, sizeof(namestr));
-		fprintf(stderr, "adding no-wildcardhash for %s\n", namestr);
-	}
-
-	hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_length,
-			      ISC_TRUE);
-}
-
-static void
-opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
-       dns_db_t **dbp)
-{
-	char filename[PATH_MAX];
-	isc_buffer_t b;
-	isc_result_t result;
-
-	isc_buffer_init(&b, filename, sizeof(filename));
-	if (dsdir != NULL) {
-		/* allow room for a trailing slash */
-		if (strlen(dsdir) >= isc_buffer_availablelength(&b))
-			fatal("path '%s' is too long", dsdir);
-		isc_buffer_putstr(&b, dsdir);
-		if (dsdir[strlen(dsdir) - 1] != '/')
-			isc_buffer_putstr(&b, "/");
-	}
-	if (strlen(prefix) > isc_buffer_availablelength(&b))
-		fatal("path '%s' is too long", dsdir);
-	isc_buffer_putstr(&b, prefix);
-	result = dns_name_tofilenametext(name, ISC_FALSE, &b);
-	check_result(result, "dns_name_tofilenametext()");
-	if (isc_buffer_availablelength(&b) == 0) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof(namestr));
-		fatal("name '%s' is too long", namestr);
-	}
-	isc_buffer_putuint8(&b, 0);
-
-	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
-			       rdclass, 0, NULL, dbp);
-	check_result(result, "dns_db_create()");
-
-	result = dns_db_load3(*dbp, filename, inputformat, DNS_MASTER_HINT);
-	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
-		dns_db_detach(dbp);
-}
-
-/*%
- * Load the DS set for a child zone, if a dsset-* file can be found.
- * If not, try to find a keyset-* file from an earlier version of
- * dnssec-signzone, and build DS records from that.
- */
-static isc_result_t
-loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
-	dns_db_t *db = NULL;
-	dns_dbversion_t *ver = NULL;
-	dns_dbnode_t *node = NULL;
-	isc_result_t result;
-	dns_rdataset_t keyset;
-	dns_rdata_t key, ds;
-	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
-	dns_diff_t diff;
-	dns_difftuple_t *tuple = NULL;
-
-	opendb("dsset-", name, gclass, &db);
-	if (db != NULL) {
-		result = dns_db_findnode(db, name, ISC_FALSE, &node);
-		if (result == ISC_R_SUCCESS) {
-			dns_rdataset_init(dsset);
-			result = dns_db_findrdataset(db, node, NULL,
-						     dns_rdatatype_ds, 0, 0,
-						     dsset, NULL);
-			dns_db_detachnode(db, &node);
-			if (result == ISC_R_SUCCESS) {
-				vbprintf(2, "found DS records\n");
-				dsset->ttl = ttl;
-				dns_db_detach(&db);
-				return (result);
-			}
-		}
-		dns_db_detach(&db);
-	}
-
-	/* No DS records found; try again, looking for DNSKEY records */
-	opendb("keyset-", name, gclass, &db);
-	if (db == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-
-	result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS) {
-		dns_db_detach(&db);
-		return (result);
-	}
-
-	dns_rdataset_init(&keyset);
-	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
-				     &keyset, NULL);
-	if (result != ISC_R_SUCCESS) {
-		dns_db_detachnode(db, &node);
-		dns_db_detach(&db);
-		return (result);
-	}
-	vbprintf(2, "found DNSKEY records\n");
-
-	result = dns_db_newversion(db, &ver);
-	check_result(result, "dns_db_newversion");
-	dns_diff_init(mctx, &diff);
-
-	for (result = dns_rdataset_first(&keyset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&keyset))
-	{
-		dns_rdata_init(&key);
-		dns_rdata_init(&ds);
-		dns_rdataset_current(&keyset, &key);
-		result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA1,
-					   dsbuf, &ds);
-		check_result(result, "dns_ds_buildrdata");
-
-		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
-					      ttl, &ds, &tuple);
-		check_result(result, "dns_difftuple_create");
-		dns_diff_append(&diff, &tuple);
-
-		dns_rdata_reset(&ds);
-		result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256,
-					   dsbuf, &ds);
-		check_result(result, "dns_ds_buildrdata");
-
-		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
-					      ttl, &ds, &tuple);
-		check_result(result, "dns_difftuple_create");
-		dns_diff_append(&diff, &tuple);
-	}
-
-	result = dns_diff_apply(&diff, db, ver);
-	check_result(result, "dns_diff_apply");
-	dns_diff_clear(&diff);
-
-	dns_db_closeversion(db, &ver, ISC_TRUE);
-
-	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0, 0,
-				     dsset, NULL);
-	check_result(result, "dns_db_findrdataset");
-
-	dns_rdataset_disassociate(&keyset);
-	dns_db_detachnode(db, &node);
-	dns_db_detach(&db);
-	return (result);
-}
-
-static isc_boolean_t
-secure(dns_name_t *name, dns_dbnode_t *node) {
-	dns_rdataset_t dsset;
-	isc_result_t result;
-
-	if (dns_name_equal(name, gorigin))
-		return (ISC_FALSE);
-
-	dns_rdataset_init(&dsset);
-	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ds,
-				     0, 0, &dsset, NULL);
-	if (dns_rdataset_isassociated(&dsset))
-		dns_rdataset_disassociate(&dsset);
-
-	return (ISC_TF(result == ISC_R_SUCCESS));
-}
-
-/*%
- * Signs all records at a name.
- */
-static void
-signname(dns_dbnode_t *node, dns_name_t *name) {
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	dns_rdatasetiter_t *rdsiter;
-	isc_boolean_t isdelegation = ISC_FALSE;
-	dns_diff_t del, add;
-	char namestr[DNS_NAME_FORMATSIZE];
-
-	dns_rdataset_init(&rdataset);
-	dns_name_format(name, namestr, sizeof(namestr));
-
-	/*
-	 * Determine if this is a delegation point.
-	 */
-	if (is_delegation(gdb, gversion, gorigin, name, node, NULL))
-		isdelegation = ISC_TRUE;
-
-	/*
-	 * Now iterate through the rdatasets.
-	 */
-	dns_diff_init(mctx, &del);
-	dns_diff_init(mctx, &add);
-	rdsiter = NULL;
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	result = dns_rdatasetiter_first(rdsiter);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-
-		/* If this is a RRSIG set, skip it. */
-		if (rdataset.type == dns_rdatatype_rrsig)
-			goto skip;
-
-		/*
-		 * If this name is a delegation point, skip all records
-		 * except NSEC and DS sets.  Otherwise check that there
-		 * isn't a DS record.
-		 */
-		if (isdelegation) {
-			if (rdataset.type != nsec_datatype &&
-			    rdataset.type != dns_rdatatype_ds)
-				goto skip;
-		} else if (rdataset.type == dns_rdatatype_ds) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-			dns_name_format(name, namebuf, sizeof(namebuf));
-			fatal("'%s': found DS RRset without NS RRset\n",
-			      namebuf);
-		}
-
-		signset(&del, &add, node, name, &rdataset);
-
- skip:
-		dns_rdataset_disassociate(&rdataset);
-		result = dns_rdatasetiter_next(rdsiter);
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration for name '%s' failed: %s",
-		      namestr, isc_result_totext(result));
-
-	dns_rdatasetiter_destroy(&rdsiter);
-
-	result = dns_diff_applysilently(&del, gdb, gversion);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to delete SIGs at node '%s': %s",
-		      namestr, isc_result_totext(result));
-
-	result = dns_diff_applysilently(&add, gdb, gversion);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to add SIGs at node '%s': %s",
-		      namestr, isc_result_totext(result));
-
-	dns_diff_clear(&del);
-	dns_diff_clear(&add);
-}
-
-static inline isc_boolean_t
-active_node(dns_dbnode_t *node) {
-	dns_rdatasetiter_t *rdsiter = NULL;
-	dns_rdatasetiter_t *rdsiter2 = NULL;
-	isc_boolean_t active = ISC_FALSE;
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	dns_rdatatype_t type;
-	dns_rdatatype_t covers;
-	isc_boolean_t found;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	result = dns_rdatasetiter_first(rdsiter);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type != dns_rdatatype_nsec &&
-		    rdataset.type != dns_rdatatype_nsec3 &&
-		    rdataset.type != dns_rdatatype_rrsig)
-			active = ISC_TRUE;
-		dns_rdataset_disassociate(&rdataset);
-		if (!active)
-			result = dns_rdatasetiter_next(rdsiter);
-		else
-			result = ISC_R_NOMORE;
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration failed: %s",
-		      isc_result_totext(result));
-
-	if (!active && nsec_datatype == dns_rdatatype_nsec) {
-		/*%
-		 * The node is empty of everything but NSEC / RRSIG records.
-		 */
-		for (result = dns_rdatasetiter_first(rdsiter);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(rdsiter)) {
-			dns_rdatasetiter_current(rdsiter, &rdataset);
-			result = dns_db_deleterdataset(gdb, node, gversion,
-						       rdataset.type,
-						       rdataset.covers);
-			check_result(result, "dns_db_deleterdataset()");
-			dns_rdataset_disassociate(&rdataset);
-		}
-		if (result != ISC_R_NOMORE)
-			fatal("rdataset iteration failed: %s",
-			      isc_result_totext(result));
-	} else {
-		/*
-		 * Delete RRSIGs for types that no longer exist.
-		 */
-		result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2);
-		check_result(result, "dns_db_allrdatasets()");
-		for (result = dns_rdatasetiter_first(rdsiter);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(rdsiter)) {
-			dns_rdatasetiter_current(rdsiter, &rdataset);
-			type = rdataset.type;
-			covers = rdataset.covers;
-			dns_rdataset_disassociate(&rdataset);
-			/*
-			 * Delete the NSEC chain if we are signing with
-			 * NSEC3.
-			 */
-			if (nsec_datatype == dns_rdatatype_nsec3 &&
-			    (type == dns_rdatatype_nsec ||
-			     covers == dns_rdatatype_nsec)) {
-				result = dns_db_deleterdataset(gdb, node,
-							       gversion, type,
-							       covers);
-				check_result(result,
-					   "dns_db_deleterdataset(nsec/rrsig)");
-				continue;
-			}
-			if (type != dns_rdatatype_rrsig)
-				continue;
-			found = ISC_FALSE;
-			for (result = dns_rdatasetiter_first(rdsiter2);
-			     !found && result == ISC_R_SUCCESS;
-			     result = dns_rdatasetiter_next(rdsiter2)) {
-				dns_rdatasetiter_current(rdsiter2, &rdataset);
-				if (rdataset.type == covers)
-					found = ISC_TRUE;
-				dns_rdataset_disassociate(&rdataset);
-			}
-			if (!found) {
-				if (result != ISC_R_NOMORE)
-					fatal("rdataset iteration failed: %s",
-					      isc_result_totext(result));
-				result = dns_db_deleterdataset(gdb, node,
-							       gversion, type,
-							       covers);
-				check_result(result,
-					     "dns_db_deleterdataset(rrsig)");
-			} else if (result != ISC_R_NOMORE &&
-				   result != ISC_R_SUCCESS)
-				fatal("rdataset iteration failed: %s",
-				      isc_result_totext(result));
-		}
-		if (result != ISC_R_NOMORE)
-			fatal("rdataset iteration failed: %s",
-			      isc_result_totext(result));
-		dns_rdatasetiter_destroy(&rdsiter2);
-	}
-	dns_rdatasetiter_destroy(&rdsiter);
-
-	return (active);
-}
-
-/*%
- * Extracts the minimum TTL from the SOA record, and the SOA record's TTL.
- */
-static void
-get_soa_ttls(void) {
-	dns_rdataset_t soaset;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	dns_rdataset_init(&soaset);
-	result = dns_db_find(gdb, gorigin, gversion, dns_rdatatype_soa,
-			     0, 0, NULL, name, &soaset, NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to find an SOA at the zone apex: %s",
-		      isc_result_totext(result));
-
-	result = dns_rdataset_first(&soaset);
-	check_result(result, "dns_rdataset_first");
-	dns_rdataset_current(&soaset, &rdata);
-	zone_soa_min_ttl = dns_soa_getminimum(&rdata);
-	soa_ttl = soaset.ttl;
-	dns_rdataset_disassociate(&soaset);
-}
-
-/*%
- * Increment (or set if nonzero) the SOA serial
- */
-static isc_result_t
-setsoaserial(isc_uint32_t serial) {
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_uint32_t old_serial, new_serial;
-
-	result = dns_db_getoriginnode(gdb, &node);
-	if (result != ISC_R_SUCCESS)
-		return result;
-
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_findrdataset(gdb, node, gversion,
-				     dns_rdatatype_soa, 0,
-				     0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_rdataset_first(&rdataset);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	dns_rdataset_current(&rdataset, &rdata);
-
-	old_serial = dns_soa_getserial(&rdata);
-
-	if (serial) {
-		/* Set SOA serial to the value provided. */
-		new_serial = serial;
-	} else {
-		/* Increment SOA serial using RFC 1982 arithmetics */
-		new_serial = (old_serial + 1) & 0xFFFFFFFF;
-		if (new_serial == 0)
-			new_serial = 1;
-	}
-
-	/* If the new serial is not likely to cause a zone transfer
-	 * (a/ixfr) from servers having the old serial, warn the user.
-	 *
-	 * RFC1982 section 7 defines the maximum increment to be
-	 * (2^(32-1))-1.  Using u_int32_t arithmetic, we can do a single
-	 * comparison.  (5 - 6 == (2^32)-1, not negative-one)
-	 */
-	if (new_serial == old_serial ||
-	    (new_serial - old_serial) > 0x7fffffffU)
-		fprintf(stderr, "%s: warning: Serial number not advanced, "
-			"zone may not transfer\n", program);
-
-	dns_soa_setserial(new_serial, &rdata);
-
-	result = dns_db_deleterdataset(gdb, node, gversion,
-				       dns_rdatatype_soa, 0);
-	check_result(result, "dns_db_deleterdataset");
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_db_addrdataset(gdb, node, gversion,
-				    0, &rdataset, 0, NULL);
-	check_result(result, "dns_db_addrdataset");
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-cleanup:
-	dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(gdb, &node);
-	dns_rdata_reset(&rdata);
-
-	return (result);
-}
-
-/*%
- * Delete any RRSIG records at a node.
- */
-static void
-cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
-	dns_rdatasetiter_t *rdsiter = NULL;
-	dns_rdataset_t set;
-	isc_result_t result, dresult;
-
-	if (outputformat != dns_masterformat_text || !disable_zone_check)
-		return;
-
-	dns_rdataset_init(&set);
-	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets");
-	result = dns_rdatasetiter_first(rdsiter);
-	while (result == ISC_R_SUCCESS) {
-		isc_boolean_t destroy = ISC_FALSE;
-		dns_rdatatype_t covers = 0;
-		dns_rdatasetiter_current(rdsiter, &set);
-		if (set.type == dns_rdatatype_rrsig) {
-			covers = set.covers;
-			destroy = ISC_TRUE;
-		}
-		dns_rdataset_disassociate(&set);
-		result = dns_rdatasetiter_next(rdsiter);
-		if (destroy) {
-			dresult = dns_db_deleterdataset(db, node, version,
-							dns_rdatatype_rrsig,
-							covers);
-			check_result(dresult, "dns_db_deleterdataset");
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration failed: %s",
-		      isc_result_totext(result));
-	dns_rdatasetiter_destroy(&rdsiter);
-}
-
-/*%
- * Set up the iterator and global state before starting the tasks.
- */
-static void
-presign(void) {
-	isc_result_t result;
-
-	gdbiter = NULL;
-	result = dns_db_createiterator(gdb, 0, &gdbiter);
-	check_result(result, "dns_db_createiterator()");
-}
-
-/*%
- * Clean up the iterator and global state after the tasks complete.
- */
-static void
-postsign(void) {
-	dns_dbiterator_destroy(&gdbiter);
-}
-
-/*%
- * Sign the apex of the zone.
- * Note the origin may not be the first node if there are out of zone
- * records.
- */
-static void
-signapex(void) {
-	dns_dbnode_t *node = NULL;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	isc_result_t result;
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	result = dns_dbiterator_seek(gdbiter, gorigin);
-	check_result(result, "dns_dbiterator_seek()");
-	result = dns_dbiterator_current(gdbiter, &node, name);
-	check_dns_dbiterator_current(result);
-	signname(node, name);
-	dumpnode(name, node);
-	cleannode(gdb, gversion, node);
-	dns_db_detachnode(gdb, &node);
-	result = dns_dbiterator_first(gdbiter);
-	if (result == ISC_R_NOMORE)
-		finished = ISC_TRUE;
-	else if (result != ISC_R_SUCCESS)
-		fatal("failure iterating database: %s",
-		      isc_result_totext(result));
-}
-
-/*%
- * Assigns a node to a worker thread.  This is protected by the master task's
- * lock.
- */
-static void
-assignwork(isc_task_t *task, isc_task_t *worker) {
-	dns_fixedname_t *fname;
-	dns_name_t *name;
-	dns_dbnode_t *node;
-	sevent_t *sevent;
-	dns_rdataset_t nsec;
-	isc_boolean_t found;
-	isc_result_t result;
-	static dns_name_t *zonecut = NULL;	/* Protected by namelock. */
-	static dns_fixedname_t fzonecut;	/* Protected by namelock. */
-	static unsigned int ended = 0;		/* Protected by namelock. */
-
-	if (shuttingdown)
-		return;
-
-	LOCK(&namelock);
-	if (finished) {
-		ended++;
-		if (ended == ntasks) {
-			isc_task_detach(&task);
-			isc_app_shutdown();
-		}
-		goto unlock;
-	}
-
-	fname = isc_mem_get(mctx, sizeof(dns_fixedname_t));
-	if (fname == NULL)
-		fatal("out of memory");
-	dns_fixedname_init(fname);
-	name = dns_fixedname_name(fname);
-	node = NULL;
-	found = ISC_FALSE;
-	while (!found) {
-		result = dns_dbiterator_current(gdbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		/*
-		 * The origin was handled by signapex().
-		 */
-		if (dns_name_equal(name, gorigin)) {
-			dns_db_detachnode(gdb, &node);
-			goto next;
-		}
-		/*
-		 * Sort the zone data from the glue and out-of-zone data.
-		 * For NSEC zones nodes with zone data have NSEC records.
-		 * For NSEC3 zones the NSEC3 nodes are zone data but
-		 * outside of the zone name space.  For the rest we need
-		 * to track the bottom of zone cuts.
-		 * Nodes which don't need to be signed are dumped here.
-		 */
-		dns_rdataset_init(&nsec);
-		result = dns_db_findrdataset(gdb, node, gversion,
-					     nsec_datatype, 0, 0,
-					     &nsec, NULL);
-		if (dns_rdataset_isassociated(&nsec))
-			dns_rdataset_disassociate(&nsec);
-		if (result == ISC_R_SUCCESS) {
-			found = ISC_TRUE;
-		} else if (nsec_datatype == dns_rdatatype_nsec3) {
-			if (dns_name_issubdomain(name, gorigin) &&
-			    (zonecut == NULL ||
-			     !dns_name_issubdomain(name, zonecut))) {
-				if (is_delegation(gdb, gversion, gorigin, name, node, NULL)) {
-					dns_fixedname_init(&fzonecut);
-					zonecut = dns_fixedname_name(&fzonecut);
-					dns_name_copy(name, zonecut, NULL);
-					if (!OPTOUT(nsec3flags) ||
-					    secure(name, node))
-						found = ISC_TRUE;
-				} else
-					found = ISC_TRUE;
-			}
-		}
-
-		if (!found) {
-			dumpnode(name, node);
-			dns_db_detachnode(gdb, &node);
-		}
-
- next:
-		result = dns_dbiterator_next(gdbiter);
-		if (result == ISC_R_NOMORE) {
-			finished = ISC_TRUE;
-			break;
-		} else if (result != ISC_R_SUCCESS)
-			fatal("failure iterating database: %s",
-			      isc_result_totext(result));
-	}
-	if (!found) {
-		ended++;
-		if (ended == ntasks) {
-			isc_task_detach(&task);
-			isc_app_shutdown();
-		}
-		isc_mem_put(mctx, fname, sizeof(dns_fixedname_t));
-		goto unlock;
-	}
-	sevent = (sevent_t *)
-		 isc_event_allocate(mctx, task, SIGNER_EVENT_WORK,
-				    sign, NULL, sizeof(sevent_t));
-	if (sevent == NULL)
-		fatal("failed to allocate event\n");
-
-	sevent->node = node;
-	sevent->fname = fname;
-	isc_task_send(worker, ISC_EVENT_PTR(&sevent));
- unlock:
-	UNLOCK(&namelock);
-}
-
-/*%
- * Start a worker task
- */
-static void
-startworker(isc_task_t *task, isc_event_t *event) {
-	isc_task_t *worker;
-
-	worker = (isc_task_t *)event->ev_arg;
-	assignwork(task, worker);
-	isc_event_free(&event);
-}
-
-/*%
- * Write a node to the output file, and restart the worker task.
- */
-static void
-writenode(isc_task_t *task, isc_event_t *event) {
-	isc_task_t *worker;
-	sevent_t *sevent = (sevent_t *)event;
-
-	worker = (isc_task_t *)event->ev_sender;
-	dumpnode(dns_fixedname_name(sevent->fname), sevent->node);
-	cleannode(gdb, gversion, sevent->node);
-	dns_db_detachnode(gdb, &sevent->node);
-	isc_mem_put(mctx, sevent->fname, sizeof(dns_fixedname_t));
-	assignwork(task, worker);
-	isc_event_free(&event);
-}
-
-/*%
- *  Sign a database node.
- */
-static void
-sign(isc_task_t *task, isc_event_t *event) {
-	dns_fixedname_t *fname;
-	dns_dbnode_t *node;
-	sevent_t *sevent, *wevent;
-
-	sevent = (sevent_t *)event;
-	node = sevent->node;
-	fname = sevent->fname;
-	isc_event_free(&event);
-
-	signname(node, dns_fixedname_name(fname));
-	wevent = (sevent_t *)
-		 isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE,
-				    writenode, NULL, sizeof(sevent_t));
-	if (wevent == NULL)
-		fatal("failed to allocate event\n");
-	wevent->node = node;
-	wevent->fname = fname;
-	isc_task_send(master, ISC_EVENT_PTR(&wevent));
-}
-
-/*%
- * Update / remove the DS RRset.  Preserve RRSIG(DS) if possible.
- */
-static void
-add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
-	dns_rdataset_t dsset;
-	dns_rdataset_t sigdsset;
-	isc_result_t result;
-
-	dns_rdataset_init(&dsset);
-	dns_rdataset_init(&sigdsset);
-	result = dns_db_findrdataset(gdb, node, gversion,
-				     dns_rdatatype_ds,
-				     0, 0, &dsset, &sigdsset);
-	if (result == ISC_R_SUCCESS) {
-		dns_rdataset_disassociate(&dsset);
-		result = dns_db_deleterdataset(gdb, node, gversion,
-					       dns_rdatatype_ds, 0);
-		check_result(result, "dns_db_deleterdataset");
-	}
-
-	result = loadds(name, nsttl, &dsset);
-	if (result == ISC_R_SUCCESS) {
-		result = dns_db_addrdataset(gdb, node, gversion, 0,
-					    &dsset, 0, NULL);
-		check_result(result, "dns_db_addrdataset");
-		dns_rdataset_disassociate(&dsset);
-		if (dns_rdataset_isassociated(&sigdsset))
-			dns_rdataset_disassociate(&sigdsset);
-	} else if (dns_rdataset_isassociated(&sigdsset)) {
-		result = dns_db_deleterdataset(gdb, node, gversion,
-					       dns_rdatatype_rrsig,
-					       dns_rdatatype_ds);
-		check_result(result, "dns_db_deleterdataset");
-		dns_rdataset_disassociate(&sigdsset);
-	}
-}
-
-/*
- * Remove records of the given type and their signatures.
- */
-static void
-remove_records(dns_dbnode_t *node, dns_rdatatype_t which,
-	       isc_boolean_t checknsec)
-{
-	isc_result_t result;
-	dns_rdatatype_t type, covers;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	dns_rdataset_t rdataset;
-
-	dns_rdataset_init(&rdataset);
-
-	/*
-	 * Delete any records of the given type at the apex.
-	 */
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter)) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		type = rdataset.type;
-		covers = rdataset.covers;
-		dns_rdataset_disassociate(&rdataset);
-		if (type == which || covers == which) {
-			if (which == dns_rdatatype_nsec &&
-			    checknsec && !update_chain)
-				fatal("Zone contains NSEC records.  Use -u "
-				      "to update to NSEC3.");
-			if (which == dns_rdatatype_nsec3param &&
-			    checknsec && !update_chain)
-				fatal("Zone contains NSEC3 chains.  Use -u "
-				      "to update to NSEC.");
-			result = dns_db_deleterdataset(gdb, node, gversion,
-						       type, covers);
-			check_result(result, "dns_db_deleterdataset()");
-			continue;
-		}
-	}
-	dns_rdatasetiter_destroy(&rdsiter);
-}
-
-/*
- * Remove signatures covering the given type (0 == all signatures).
- */
-static void
-remove_sigs(dns_dbnode_t *node, dns_rdatatype_t which) {
-	isc_result_t result;
-	dns_rdatatype_t type, covers;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	dns_rdataset_t rdataset;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter)) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		type = rdataset.type;
-		covers = rdataset.covers;
-		dns_rdataset_disassociate(&rdataset);
-
-		if (type == dns_rdatatype_rrsig &&
-		    (covers == which || which == 0))
-		{
-			result = dns_db_deleterdataset(gdb, node, gversion,
-						       type, covers);
-			check_result(result, "dns_db_deleterdataset()");
-			continue;
-		}
-	}
-	dns_rdatasetiter_destroy(&rdsiter);
-}
-
-/*%
- * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
- */
-static void
-nsecify(void) {
-	dns_dbiterator_t *dbiter = NULL;
-	dns_dbnode_t *node = NULL, *nextnode = NULL;
-	dns_fixedname_t fname, fnextname, fzonecut;
-	dns_name_t *name, *nextname, *zonecut;
-	dns_rdataset_t rdataset;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	dns_rdatatype_t type, covers;
-	isc_boolean_t done = ISC_FALSE;
-	isc_result_t result;
-	isc_uint32_t nsttl = 0;
-
-	dns_rdataset_init(&rdataset);
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	dns_fixedname_init(&fnextname);
-	nextname = dns_fixedname_name(&fnextname);
-	dns_fixedname_init(&fzonecut);
-	zonecut = NULL;
-
-	/*
-	 * Remove any NSEC3 chains.
-	 */
-	result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-	for (result = dns_dbiterator_first(dbiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiter)) {
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-		check_result(result, "dns_db_allrdatasets()");
-		for (result = dns_rdatasetiter_first(rdsiter);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(rdsiter)) {
-			dns_rdatasetiter_current(rdsiter, &rdataset);
-			type = rdataset.type;
-			covers = rdataset.covers;
-			dns_rdataset_disassociate(&rdataset);
-			result = dns_db_deleterdataset(gdb, node, gversion,
-						       type, covers);
-			check_result(result,
-				     "dns_db_deleterdataset(nsec3param/rrsig)");
-		}
-		dns_rdatasetiter_destroy(&rdsiter);
-		dns_db_detachnode(gdb, &node);
-	}
-	dns_dbiterator_destroy(&dbiter);
-
-	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	result = dns_dbiterator_first(dbiter);
-	check_result(result, "dns_dbiterator_first()");
-
-	while (!done) {
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		/*
-		 * Skip out-of-zone records.
-		 */
-		if (!dns_name_issubdomain(name, gorigin)) {
-			result = dns_dbiterator_next(dbiter);
-			if (result == ISC_R_NOMORE)
-				done = ISC_TRUE;
-			else
-				check_result(result, "dns_dbiterator_next()");
-			dns_db_detachnode(gdb, &node);
-			continue;
-		}
-
-		if (dns_name_equal(name, gorigin))
-			remove_records(node, dns_rdatatype_nsec3param,
-				       ISC_TRUE);
-
-		if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) {
-			zonecut = dns_fixedname_name(&fzonecut);
-			dns_name_copy(name, zonecut, NULL);
-			remove_sigs(node, 0);
-			if (generateds)
-				add_ds(name, node, nsttl);
-		}
-
-		result = dns_dbiterator_next(dbiter);
-		nextnode = NULL;
-		while (result == ISC_R_SUCCESS) {
-			isc_boolean_t active = ISC_FALSE;
-			result = dns_dbiterator_current(dbiter, &nextnode,
-							nextname);
-			check_dns_dbiterator_current(result);
-			active = active_node(nextnode);
-			if (!active) {
-				dns_db_detachnode(gdb, &nextnode);
-				result = dns_dbiterator_next(dbiter);
-				continue;
-			}
-			if (!dns_name_issubdomain(nextname, gorigin) ||
-			    (zonecut != NULL &&
-			     dns_name_issubdomain(nextname, zonecut)))
-			{
-				remove_sigs(nextnode, 0);
-				remove_records(nextnode, dns_rdatatype_nsec,
-					       ISC_FALSE);
-				dns_db_detachnode(gdb, &nextnode);
-				result = dns_dbiterator_next(dbiter);
-				continue;
-			}
-			dns_db_detachnode(gdb, &nextnode);
-			break;
-		}
-		if (result == ISC_R_NOMORE) {
-			dns_name_clone(gorigin, nextname);
-			done = ISC_TRUE;
-		} else if (result != ISC_R_SUCCESS)
-			fatal("iterating through the database failed: %s",
-			      isc_result_totext(result));
-		dns_dbiterator_pause(dbiter);
-		result = dns_nsec_build(gdb, gversion, node, nextname,
-					zone_soa_min_ttl);
-		check_result(result, "dns_nsec_build()");
-		dns_db_detachnode(gdb, &node);
-	}
-
-	dns_dbiterator_destroy(&dbiter);
-}
-
-static void
-addnsec3param(const unsigned char *salt, size_t salt_length,
-	      unsigned int iterations)
-{
-	dns_dbnode_t *node = NULL;
-	dns_rdata_nsec3param_t nsec3param;
-	unsigned char nsec3parambuf[5 + 255];
-	dns_rdatalist_t rdatalist;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_buffer_t b;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-
-	nsec3param.common.rdclass = gclass;
-	nsec3param.common.rdtype = dns_rdatatype_nsec3param;
-	ISC_LINK_INIT(&nsec3param.common, link);
-	nsec3param.mctx = NULL;
-	nsec3param.flags = 0;
-	nsec3param.hash = unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1;
-	nsec3param.iterations = iterations;
-	nsec3param.salt_length = salt_length;
-	DE_CONST(salt, nsec3param.salt);
-
-	isc_buffer_init(&b, nsec3parambuf, sizeof(nsec3parambuf));
-	result = dns_rdata_fromstruct(&rdata, gclass,
-				      dns_rdatatype_nsec3param,
-				      &nsec3param, &b);
-	check_result(result, "dns_rdata_fromstruct()");
-	rdatalist.rdclass = rdata.rdclass;
-	rdatalist.type = rdata.type;
-	rdatalist.covers = 0;
-	rdatalist.ttl = 0;
-	ISC_LIST_INIT(rdatalist.rdata);
-	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
-	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
-	check_result(result, "dns_rdatalist_tordataset()");
-
-	result = dns_db_findnode(gdb, gorigin, ISC_TRUE, &node);
-	check_result(result, "dns_db_find(gorigin)");
-
-	/*
-	 * Delete any current NSEC3PARAM records.
-	 */
-	result = dns_db_deleterdataset(gdb, node, gversion,
-				       dns_rdatatype_nsec3param, 0);
-	if (result == DNS_R_UNCHANGED)
-		result = ISC_R_SUCCESS;
-	check_result(result, "dddnsec3param: dns_db_deleterdataset()");
-
-	result = dns_db_addrdataset(gdb, node, gversion, 0, &rdataset,
-				    DNS_DBADD_MERGE, NULL);
-	if (result == DNS_R_UNCHANGED)
-		result = ISC_R_SUCCESS;
-	check_result(result, "addnsec3param: dns_db_addrdataset()");
-	dns_db_detachnode(gdb, &node);
-}
-
-static void
-addnsec3(dns_name_t *name, dns_dbnode_t *node,
-	 const unsigned char *salt, size_t salt_length,
-	 unsigned int iterations, hashlist_t *hashlist,
-	 dns_ttl_t ttl)
-{
-	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
-	const unsigned char *nexthash;
-	unsigned char nsec3buffer[DNS_NSEC3_BUFFERSIZE];
-	dns_fixedname_t hashname;
-	dns_rdatalist_t rdatalist;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	dns_dbnode_t *nsec3node = NULL;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	size_t hash_length;
-
-	dns_name_format(name, namebuf, sizeof(namebuf));
-
-	dns_fixedname_init(&hashname);
-	dns_rdataset_init(&rdataset);
-
-	dns_name_downcase(name, name, NULL);
-	result = dns_nsec3_hashname(&hashname, hash, &hash_length,
-				    name, gorigin, dns_hash_sha1, iterations,
-				    salt, salt_length);
-	check_result(result, "addnsec3: dns_nsec3_hashname()");
-	nexthash = hashlist_findnext(hashlist, hash);
-	result = dns_nsec3_buildrdata(gdb, gversion, node,
-				      unknownalg ?
-					  DNS_NSEC3_UNKNOWNALG : dns_hash_sha1,
-				      nsec3flags, iterations,
-				      salt, salt_length,
-				      nexthash, ISC_SHA1_DIGESTLENGTH,
-				      nsec3buffer, &rdata);
-	check_result(result, "addnsec3: dns_nsec3_buildrdata()");
-	rdatalist.rdclass = rdata.rdclass;
-	rdatalist.type = rdata.type;
-	rdatalist.covers = 0;
-	rdatalist.ttl = ttl;
-	ISC_LIST_INIT(rdatalist.rdata);
-	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
-	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
-	check_result(result, "dns_rdatalist_tordataset()");
-	result = dns_db_findnsec3node(gdb, dns_fixedname_name(&hashname),
-				      ISC_TRUE, &nsec3node);
-	check_result(result, "addnsec3: dns_db_findnode()");
-	result = dns_db_addrdataset(gdb, nsec3node, gversion, 0, &rdataset,
-				    0, NULL);
-	if (result == DNS_R_UNCHANGED)
-		result = ISC_R_SUCCESS;
-	check_result(result, "addnsec3: dns_db_addrdataset()");
-	dns_db_detachnode(gdb, &nsec3node);
-}
-
-/*%
- * Clean out NSEC3 record and RRSIG(NSEC3) that are not in the hash list.
- *
- * Extract the hash from the first label of 'name' then see if it
- * is in hashlist.  If 'name' is not in the hashlist then delete the
- * any NSEC3 records which have the same parameters as the chain we
- * are building.
- *
- * XXXMPA Should we also check that it of the form <hash>.<origin>?
- */
-static void
-nsec3clean(dns_name_t *name, dns_dbnode_t *node,
-	   unsigned int hashalg, unsigned int iterations,
-	   const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
-{
-	dns_label_t label;
-	dns_rdata_nsec3_t nsec3;
-	dns_rdata_t rdata, delrdata;
-	dns_rdatalist_t rdatalist;
-	dns_rdataset_t rdataset, delrdataset;
-	isc_boolean_t delete_rrsigs = ISC_FALSE;
-	isc_buffer_t target;
-	isc_result_t result;
-	unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
-	isc_boolean_t exists;
-
-	/*
-	 * Get the first label.
-	 */
-	dns_name_getlabel(name, 0, &label);
-
-	/*
-	 * We want just the label contents.
-	 */
-	isc_region_consume(&label, 1);
-
-	/*
-	 * Decode base32hex string.
-	 */
-	isc_buffer_init(&target, hash, sizeof(hash) - 1);
-	result = isc_base32hex_decoderegion(&label, &target);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	hash[isc_buffer_usedlength(&target)] = 0;
-
-	exists = hashlist_exists(hashlist, hash);
-
-	/*
-	 * Verify that the NSEC3 parameters match the current ones
-	 * otherwise we are dealing with a different NSEC3 chain.
-	 */
-	dns_rdataset_init(&rdataset);
-	dns_rdataset_init(&delrdataset);
-
-	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_nsec3,
-				     0, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	/*
-	 * Delete any NSEC3 records which are not part of the current
-	 * NSEC3 chain.
-	 */
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_init(&rdata);
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
-		check_result(result, "dns_rdata_tostruct");
-		if (exists && nsec3.hash == hashalg &&
-		    nsec3.iterations == iterations &&
-		    nsec3.salt_length == salt_length &&
-		    !memcmp(nsec3.salt, salt, salt_length))
-			continue;
-		rdatalist.rdclass = rdata.rdclass;
-		rdatalist.type = rdata.type;
-		rdatalist.covers = 0;
-		rdatalist.ttl = rdataset.ttl;
-		ISC_LIST_INIT(rdatalist.rdata);
-		dns_rdata_init(&delrdata);
-		dns_rdata_clone(&rdata, &delrdata);
-		ISC_LIST_APPEND(rdatalist.rdata, &delrdata, link);
-		result = dns_rdatalist_tordataset(&rdatalist, &delrdataset);
-		check_result(result, "dns_rdatalist_tordataset()");
-		result = dns_db_subtractrdataset(gdb, node, gversion,
-						 &delrdataset, 0, NULL);
-		dns_rdataset_disassociate(&delrdataset);
-		if (result != ISC_R_SUCCESS && result != DNS_R_NXRRSET)
-			check_result(result, "dns_db_subtractrdataset(NSEC3)");
-		delete_rrsigs = ISC_TRUE;
-	}
-	dns_rdataset_disassociate(&rdataset);
-	if (result != ISC_R_NOMORE)
-		check_result(result, "dns_rdataset_first/next");
-
-	if (!delete_rrsigs)
-		return;
-	/*
-	 * Delete the NSEC3 RRSIGs
-	 */
-	result = dns_db_deleterdataset(gdb, node, gversion,
-				       dns_rdatatype_rrsig,
-				       dns_rdatatype_nsec3);
-	if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
-		check_result(result, "dns_db_deleterdataset(RRSIG(NSEC3))");
-}
-
-static void
-rrset_remove_duplicates(dns_name_t *name, dns_rdataset_t *rdataset,
-			dns_diff_t *diff)
-{
-	dns_difftuple_t *tuple = NULL;
-	isc_result_t result;
-	unsigned int count1 = 0;
-	dns_rdataset_t tmprdataset;
-
-	dns_rdataset_init(&tmprdataset);
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdata_t rdata1 = DNS_RDATA_INIT;
-		unsigned int count2 = 0;
-
-		count1++;
-		dns_rdataset_current(rdataset, &rdata1);
-		dns_rdataset_clone(rdataset, &tmprdataset);
-		for (result = dns_rdataset_first(&tmprdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&tmprdataset)) {
-			dns_rdata_t rdata2 = DNS_RDATA_INIT;
-			count2++;
-			if (count1 >= count2)
-				continue;
-			dns_rdataset_current(&tmprdataset, &rdata2);
-			if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
-				result = dns_difftuple_create(mctx,
-							      DNS_DIFFOP_DEL,
-							      name,
-							      rdataset->ttl,
-							      &rdata2, &tuple);
-				check_result(result, "dns_difftuple_create");
-				dns_diff_append(diff, &tuple);
-			}
-		}
-		dns_rdataset_disassociate(&tmprdataset);
-	}
-}
-
-static void
-remove_duplicates(void) {
-	isc_result_t result;
-	dns_dbiterator_t *dbiter = NULL;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	dns_diff_t diff;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-
-	dns_diff_init(mctx, &diff);
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_createiterator(gdb, 0, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	for (result = dns_dbiterator_first(dbiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiter)) {
-
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-		check_result(result, "dns_db_allrdatasets()");
-		for (result = dns_rdatasetiter_first(rdsiter);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(rdsiter)) {
-			dns_rdatasetiter_current(rdsiter, &rdataset);
-			rrset_remove_duplicates(name, &rdataset, &diff);
-			dns_rdataset_disassociate(&rdataset);
-		}
-		if (result != ISC_R_NOMORE)
-			fatal("rdatasets iteration failed.");
-		dns_rdatasetiter_destroy(&rdsiter);
-		dns_db_detachnode(gdb, &node);
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("zone iteration failed.");
-
-	if (!ISC_LIST_EMPTY(diff.tuples)) {
-		result = dns_diff_applysilently(&diff, gdb, gversion);
-		check_result(result, "dns_diff_applysilently");
-	}
-	dns_diff_clear(&diff);
-	dns_dbiterator_destroy(&dbiter);
-}
-
-/*
- * Generate NSEC3 records for the zone.
- */
-static void
-nsec3ify(unsigned int hashalg, unsigned int iterations,
-	 const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
-{
-	dns_dbiterator_t *dbiter = NULL;
-	dns_dbnode_t *node = NULL, *nextnode = NULL;
-	dns_fixedname_t fname, fnextname, fzonecut;
-	dns_name_t *name, *nextname, *zonecut;
-	dns_rdataset_t rdataset;
-	int order;
-	isc_boolean_t active;
-	isc_boolean_t done = ISC_FALSE;
-	isc_result_t result;
-	isc_uint32_t nsttl = 0;
-	unsigned int count, nlabels;
-
-	dns_rdataset_init(&rdataset);
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	dns_fixedname_init(&fnextname);
-	nextname = dns_fixedname_name(&fnextname);
-	dns_fixedname_init(&fzonecut);
-	zonecut = NULL;
-
-	/*
-	 * Walk the zone generating the hash names.
-	 */
-	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	result = dns_dbiterator_first(dbiter);
-	check_result(result, "dns_dbiterator_first()");
-
-	while (!done) {
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		/*
-		 * Skip out-of-zone records.
-		 */
-		if (!dns_name_issubdomain(name, gorigin)) {
-			result = dns_dbiterator_next(dbiter);
-			if (result == ISC_R_NOMORE)
-				done = ISC_TRUE;
-			else
-				check_result(result, "dns_dbiterator_next()");
-			dns_db_detachnode(gdb, &node);
-			continue;
-		}
-
-		if (dns_name_equal(name, gorigin))
-			remove_records(node, dns_rdatatype_nsec, ISC_TRUE);
-
-		result = dns_dbiterator_next(dbiter);
-		nextnode = NULL;
-		while (result == ISC_R_SUCCESS) {
-			result = dns_dbiterator_current(dbiter, &nextnode,
-							nextname);
-			check_dns_dbiterator_current(result);
-			active = active_node(nextnode);
-			if (!active) {
-				dns_db_detachnode(gdb, &nextnode);
-				result = dns_dbiterator_next(dbiter);
-				continue;
-			}
-			if (!dns_name_issubdomain(nextname, gorigin) ||
-			    (zonecut != NULL &&
-			     dns_name_issubdomain(nextname, zonecut))) {
-				remove_sigs(nextnode, 0);
-				dns_db_detachnode(gdb, &nextnode);
-				result = dns_dbiterator_next(dbiter);
-				continue;
-			}
-			if (is_delegation(gdb, gversion, gorigin,
-					  nextname, nextnode, &nsttl))
-			{
-				zonecut = dns_fixedname_name(&fzonecut);
-				dns_name_copy(nextname, zonecut, NULL);
-				remove_sigs(nextnode, 0);
-				if (generateds)
-					add_ds(nextname, nextnode, nsttl);
-				if (OPTOUT(nsec3flags) &&
-				    !secure(nextname, nextnode)) {
-					dns_db_detachnode(gdb, &nextnode);
-					result = dns_dbiterator_next(dbiter);
-					continue;
-				}
-			}
-			dns_db_detachnode(gdb, &nextnode);
-			break;
-		}
-		if (result == ISC_R_NOMORE) {
-			dns_name_copy(gorigin, nextname, NULL);
-			done = ISC_TRUE;
-		} else if (result != ISC_R_SUCCESS)
-			fatal("iterating through the database failed: %s",
-			      isc_result_totext(result));
-		dns_name_downcase(name, name, NULL);
-		hashlist_add_dns_name(hashlist, name, hashalg, iterations,
-				      salt, salt_length, ISC_FALSE);
-		dns_db_detachnode(gdb, &node);
-		/*
-		 * Add hashs for empty nodes.  Use closest encloser logic.
-		 * The closest encloser either has data or is a empty
-		 * node for another <name,nextname> span so we don't add
-		 * it here.  Empty labels on nextname are within the span.
-		 */
-		dns_name_downcase(nextname, nextname, NULL);
-		dns_name_fullcompare(name, nextname, &order, &nlabels);
-		addnowildcardhash(hashlist, name, hashalg, iterations,
-				  salt, salt_length);
-		count = dns_name_countlabels(nextname);
-		while (count > nlabels + 1) {
-			count--;
-			dns_name_split(nextname, count, NULL, nextname);
-			hashlist_add_dns_name(hashlist, nextname, hashalg,
-					      iterations, salt, salt_length,
-					      ISC_FALSE);
-			addnowildcardhash(hashlist, nextname, hashalg,
-					  iterations, salt, salt_length);
-		}
-	}
-	dns_dbiterator_destroy(&dbiter);
-
-	/*
-	 * We have all the hashes now so we can sort them.
-	 */
-	hashlist_sort(hashlist);
-
-	/*
-	 * Check for duplicate hashes.  If found the salt needs to
-	 * be changed.
-	 */
-	if (hashlist_hasdup(hashlist))
-		fatal("Duplicate hash detected. Pick a different salt.");
-
-	/*
-	 * Generate the nsec3 records.
-	 */
-	zonecut = NULL;
-	done = ISC_FALSE;
-
-	addnsec3param(salt, salt_length, iterations);
-
-	/*
-	 * Clean out NSEC3 records which don't match this chain.
-	 */
-	result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	for (result = dns_dbiterator_first(dbiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiter)) {
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		nsec3clean(name, node, hashalg, iterations, salt, salt_length,
-			   hashlist);
-		dns_db_detachnode(gdb, &node);
-	}
-	dns_dbiterator_destroy(&dbiter);
-
-	/*
-	 * Generate / complete the new chain.
-	 */
-	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	result = dns_dbiterator_first(dbiter);
-	check_result(result, "dns_dbiterator_first()");
-
-	while (!done) {
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		/*
-		 * Skip out-of-zone records.
-		 */
-		if (!dns_name_issubdomain(name, gorigin)) {
-			result = dns_dbiterator_next(dbiter);
-			if (result == ISC_R_NOMORE)
-				done = ISC_TRUE;
-			else
-				check_result(result, "dns_dbiterator_next()");
-			dns_db_detachnode(gdb, &node);
-			continue;
-		}
-		result = dns_dbiterator_next(dbiter);
-		nextnode = NULL;
-		while (result == ISC_R_SUCCESS) {
-			result = dns_dbiterator_current(dbiter, &nextnode,
-							nextname);
-			check_dns_dbiterator_current(result);
-			active = active_node(nextnode);
-			if (!active) {
-				dns_db_detachnode(gdb, &nextnode);
-				result = dns_dbiterator_next(dbiter);
-				continue;
-			}
-			if (!dns_name_issubdomain(nextname, gorigin) ||
-			    (zonecut != NULL &&
-			     dns_name_issubdomain(nextname, zonecut))) {
-				dns_db_detachnode(gdb, &nextnode);
-				result = dns_dbiterator_next(dbiter);
-				continue;
-			}
-			if (is_delegation(gdb, gversion, gorigin,
-					  nextname, nextnode, NULL))
-			{
-				zonecut = dns_fixedname_name(&fzonecut);
-				dns_name_copy(nextname, zonecut, NULL);
-				if (OPTOUT(nsec3flags) &&
-				    !secure(nextname, nextnode)) {
-					dns_db_detachnode(gdb, &nextnode);
-					result = dns_dbiterator_next(dbiter);
-					continue;
-				}
-			}
-			dns_db_detachnode(gdb, &nextnode);
-			break;
-		}
-		if (result == ISC_R_NOMORE) {
-			dns_name_copy(gorigin, nextname, NULL);
-			done = ISC_TRUE;
-		} else if (result != ISC_R_SUCCESS)
-			fatal("iterating through the database failed: %s",
-			      isc_result_totext(result));
-		/*
-		 * We need to pause here to release the lock on the database.
-		 */
-		dns_dbiterator_pause(dbiter);
-		addnsec3(name, node, salt, salt_length, iterations,
-			 hashlist, zone_soa_min_ttl);
-		dns_db_detachnode(gdb, &node);
-		/*
-		 * Add NSEC3's for empty nodes.  Use closest encloser logic.
-		 */
-		dns_name_fullcompare(name, nextname, &order, &nlabels);
-		count = dns_name_countlabels(nextname);
-		while (count > nlabels + 1) {
-			count--;
-			dns_name_split(nextname, count, NULL, nextname);
-			addnsec3(nextname, NULL, salt, salt_length,
-				 iterations, hashlist, zone_soa_min_ttl);
-		}
-	}
-	dns_dbiterator_destroy(&dbiter);
-}
-
-/*%
- * Load the zone file from disk
- */
-static void
-loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
-	isc_buffer_t b;
-	int len;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	isc_result_t result;
-
-	len = strlen(origin);
-	isc_buffer_init(&b, origin, len);
-	isc_buffer_add(&b, len);
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed converting name '%s' to dns format: %s",
-		      origin, isc_result_totext(result));
-
-	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
-			       rdclass, 0, NULL, db);
-	check_result(result, "dns_db_create()");
-
-	result = dns_db_load2(*db, file, inputformat);
-	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
-		fatal("failed loading zone from '%s': %s",
-		      file, isc_result_totext(result));
-}
-
-/*%
- * Finds all public zone keys in the zone, and attempts to load the
- * private keys from disk.
- */
-static void
-loadzonekeys(isc_boolean_t preserve_keys, isc_boolean_t load_public) {
-	dns_dbnode_t *node;
-	dns_dbversion_t *currentversion = NULL;
-	isc_result_t result;
-	dns_rdataset_t rdataset, keysigs, soasigs;
-
-	node = NULL;
-	result = dns_db_findnode(gdb, gorigin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to find the zone's origin: %s",
-		      isc_result_totext(result));
-
-	dns_db_currentversion(gdb, &currentversion);
-
-	dns_rdataset_init(&rdataset);
-	dns_rdataset_init(&soasigs);
-	dns_rdataset_init(&keysigs);
-
-	/* Make note of the keys which signed the SOA, if any */
-	result = dns_db_findrdataset(gdb, node, currentversion,
-				     dns_rdatatype_soa, 0, 0,
-				     &rdataset, &soasigs);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/* Preserve the TTL of the DNSKEY RRset, if any */
-	dns_rdataset_disassociate(&rdataset);
-	result = dns_db_findrdataset(gdb, node, currentversion,
-				     dns_rdatatype_dnskey, 0, 0,
-				     &rdataset, &keysigs);
-
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	if (set_keyttl && keyttl != rdataset.ttl) {
-		fprintf(stderr, "User-specified TTL (%d) conflicts "
-				"with existing DNSKEY RRset TTL.\n",
-				keyttl);
-		fprintf(stderr, "Imported keys will use the RRSet "
-				"TTL (%d) instead.\n",
-				rdataset.ttl);
-	}
-	keyttl = rdataset.ttl;
-
-	/* Load keys corresponding to the existing DNSKEY RRset. */
-	result = dns_dnssec_keylistfromrdataset(gorigin, directory, mctx,
-						&rdataset, &keysigs, &soasigs,
-						preserve_keys, load_public,
-						&keylist);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to load the zone keys: %s",
-		      isc_result_totext(result));
-
- cleanup:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (dns_rdataset_isassociated(&keysigs))
-		dns_rdataset_disassociate(&keysigs);
-	if (dns_rdataset_isassociated(&soasigs))
-		dns_rdataset_disassociate(&soasigs);
-	dns_db_detachnode(gdb, &node);
-	dns_db_closeversion(gdb, &currentversion, ISC_FALSE);
-}
-
-static void
-loadexplicitkeys(char *keyfiles[], int n, isc_boolean_t setksk) {
-	isc_result_t result;
-	int i;
-
-	for (i = 0; i < n; i++) {
-		dns_dnsseckey_t *key = NULL;
-		dst_key_t *newkey = NULL;
-
-		result = dst_key_fromnamedfile(keyfiles[i], directory,
-					       DST_TYPE_PUBLIC |
-					       DST_TYPE_PRIVATE,
-					       mctx, &newkey);
-		if (result != ISC_R_SUCCESS)
-			fatal("cannot load dnskey %s: %s", keyfiles[i],
-			      isc_result_totext(result));
-
-		if (!dns_name_equal(gorigin, dst_key_name(newkey)))
-			fatal("key %s not at origin\n", keyfiles[i]);
-
-		if (!dst_key_isprivate(newkey))
-			fatal("cannot sign zone with non-private dnskey %s",
-			      keyfiles[i]);
-
-		/* Skip any duplicates */
-		for (key = ISC_LIST_HEAD(keylist);
-		     key != NULL;
-		     key = ISC_LIST_NEXT(key, link)) {
-			if (dst_key_id(key->key) == dst_key_id(newkey) &&
-			    dst_key_alg(key->key) == dst_key_alg(newkey))
-				break;
-		}
-
-		if (key == NULL) {
-			/* We haven't seen this key before */
-			dns_dnsseckey_create(mctx, &newkey, &key);
-			ISC_LIST_APPEND(keylist, key, link);
-			key->source = dns_keysource_user;
-		} else {
-			dst_key_free(&key->key);
-			key->key = newkey;
-		}
-
-		key->force_publish = ISC_TRUE;
-		key->force_sign = ISC_TRUE;
-
-		if (setksk)
-			key->ksk = ISC_TRUE;
-	}
-}
-
-static void
-report(const char *format, ...) {
-	va_list args;
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	putc('\n', stderr);
-}
-
-static void
-build_final_keylist() {
-	isc_result_t result;
-	dns_dbversion_t *ver = NULL;
-	dns_diff_t diff;
-	dns_dnsseckeylist_t matchkeys;
-	char name[DNS_NAME_FORMATSIZE];
-
-	/*
-	 * Find keys that match this zone in the key repository.
-	 */
-	ISC_LIST_INIT(matchkeys);
-	result = dns_dnssec_findmatchingkeys(gorigin, directory,
-					     mctx, &matchkeys);
-	if (result == ISC_R_NOTFOUND)
-		result = ISC_R_SUCCESS;
-	check_result(result, "dns_dnssec_findmatchingkeys");
-
-	result = dns_db_newversion(gdb, &ver);
-	check_result(result, "dns_db_newversion");
-
-	dns_diff_init(mctx, &diff);
-
-	/*
-	 * Update keylist with information from from the key repository.
-	 */
-	dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
-			      &diff, ignore_kskflag, mctx, report);
-
-	dns_name_format(gorigin, name, sizeof(name));
-
-	result = dns_diff_applysilently(&diff, gdb, ver);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to update DNSKEY RRset at node '%s': %s",
-		      name, isc_result_totext(result));
-
-	dns_db_closeversion(gdb, &ver, ISC_TRUE);
-
-	dns_diff_clear(&diff);
-}
-
-static void
-warnifallksk(dns_db_t *db) {
-	dns_dbversion_t *currentversion = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	dns_rdata_dnskey_t dnskey;
-	isc_boolean_t have_non_ksk = ISC_FALSE;
-
-	dns_db_currentversion(db, &currentversion);
-
-	result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to find the zone's origin: %s",
-		      isc_result_totext(result));
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, currentversion,
-				     dns_rdatatype_dnskey, 0, 0, &rdataset,
-				     NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to find keys at the zone apex: %s",
-		      isc_result_totext(result));
-	result = dns_rdataset_first(&rdataset);
-	check_result(result, "dns_rdataset_first");
-	while (result == ISC_R_SUCCESS) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
-		check_result(result, "dns_rdata_tostruct");
-		if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0) {
-			have_non_ksk = ISC_TRUE;
-			result = ISC_R_NOMORE;
-		} else
-			result = dns_rdataset_next(&rdataset);
-		dns_rdata_freestruct(&dnskey);
-	}
-	dns_rdataset_disassociate(&rdataset);
-	dns_db_detachnode(db, &node);
-	dns_db_closeversion(db, &currentversion, ISC_FALSE);
-	if (!have_non_ksk && !ignore_kskflag) {
-		if (disable_zone_check)
-			fprintf(stderr, "%s: warning: No non-KSK DNSKEY found; "
-				"supply a ZSK or use '-z'.\n",
-				program);
-		else
-			fatal("No non-KSK DNSKEY found; "
-			      "supply a ZSK or use '-z'.");
-	}
-}
-
-static void
-set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
-		isc_boolean_t set_optout, isc_boolean_t set_iter)
-{
-	isc_result_t result;
-	dns_dbversion_t *ver = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_nsec3_t nsec3;
-	dns_fixedname_t fname;
-	dns_name_t *hashname;
-	unsigned char orig_salt[255];
-	size_t orig_saltlen;
-	dns_hash_t orig_hash;
-	isc_uint16_t orig_iter;
-
-	dns_db_currentversion(gdb, &ver);
-	dns_rdataset_init(&rdataset);
-
-	orig_saltlen = sizeof(orig_salt);
-	result = dns_db_getnsec3parameters(gdb, ver, &orig_hash, NULL,
-					   &orig_iter, orig_salt,
-					   &orig_saltlen);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	nsec_datatype = dns_rdatatype_nsec3;
-
-	if (!update_chain && set_salt) {
-		if (salt_length != orig_saltlen ||
-		    memcmp(saltbuf, orig_salt, salt_length) != 0)
-			fatal("An NSEC3 chain exists with a different salt. "
-			      "Use -u to update it.");
-	} else if (!set_salt) {
-		salt_length = orig_saltlen;
-		memcpy(saltbuf, orig_salt, orig_saltlen);
-		salt = saltbuf;
-	}
-
-	if (!update_chain && set_iter) {
-		if (nsec3iter != orig_iter)
-			fatal("An NSEC3 chain exists with different "
-			      "iterations. Use -u to update it.");
-	} else if (!set_iter)
-		nsec3iter = orig_iter;
-
-	/*
-	 * Find an NSEC3 record to get the current OPTOUT value.
-	 * (This assumes all NSEC3 records agree.)
-	 */
-
-	dns_fixedname_init(&fname);
-	hashname = dns_fixedname_name(&fname);
-	result = dns_nsec3_hashname(&fname, NULL, NULL,
-				    gorigin, gorigin, dns_hash_sha1,
-				    orig_iter, orig_salt, orig_saltlen);
-	check_result(result, "dns_nsec3_hashname");
-
-	result = dns_db_findnsec3node(gdb, hashname, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_db_findrdataset(gdb, node, ver, dns_rdatatype_nsec3,
-				     0, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_rdataset_first(&rdataset);
-	check_result(result, "dns_rdataset_first");
-	dns_rdataset_current(&rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
-	check_result(result, "dns_rdata_tostruct");
-
-	if (!update_chain && set_optout) {
-		if (nsec3flags != nsec3.flags)
-			fatal("An NSEC3 chain exists with%s OPTOUT. "
-			      "Use -u -%s to %s it.",
-			      OPTOUT(nsec3.flags) ? "" : "out",
-			      OPTOUT(nsec3.flags) ? "AA" : "A",
-			      OPTOUT(nsec3.flags) ? "clear" : "set");
-	} else if (!set_optout)
-		nsec3flags = nsec3.flags;
-
-	dns_rdata_freestruct(&nsec3);
-
- cleanup:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(gdb, &node);
-	dns_db_closeversion(gdb, &ver, ISC_FALSE);
-}
-
-static void
-writeset(const char *prefix, dns_rdatatype_t type) {
-	char *filename;
-	char namestr[DNS_NAME_FORMATSIZE];
-	dns_db_t *db = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_diff_t diff;
-	dns_difftuple_t *tuple = NULL;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	dns_rdata_t rdata, ds;
-	isc_boolean_t have_ksk = ISC_FALSE;
-	isc_boolean_t have_non_ksk = ISC_FALSE;
-	isc_buffer_t b;
-	isc_buffer_t namebuf;
-	isc_region_t r;
-	isc_result_t result;
-	dns_dnsseckey_t *key, *tmpkey;
-	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
-	unsigned char keybuf[DST_KEY_MAXSIZE];
-	unsigned int filenamelen;
-	const dns_master_style_t *style =
-		(type == dns_rdatatype_dnskey) ? masterstyle : dsstyle;
-
-	isc_buffer_init(&namebuf, namestr, sizeof(namestr));
-	result = dns_name_tofilenametext(gorigin, ISC_FALSE, &namebuf);
-	check_result(result, "dns_name_tofilenametext");
-	isc_buffer_putuint8(&namebuf, 0);
-	filenamelen = strlen(prefix) + strlen(namestr);
-	if (dsdir != NULL)
-		filenamelen += strlen(dsdir) + 1;
-	filename = isc_mem_get(mctx, filenamelen + 1);
-	if (filename == NULL)
-		fatal("out of memory");
-	if (dsdir != NULL)
-		sprintf(filename, "%s/", dsdir);
-	else
-		filename[0] = 0;
-	strcat(filename, prefix);
-	strcat(filename, namestr);
-
-	dns_diff_init(mctx, &diff);
-
-	if (type == dns_rdatatype_dlv) {
-		dns_name_t tname;
-		unsigned int labels;
-
-		dns_name_init(&tname, NULL);
-		dns_fixedname_init(&fixed);
-		name = dns_fixedname_name(&fixed);
-		labels = dns_name_countlabels(gorigin);
-		dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname);
-		result = dns_name_concatenate(&tname, dlv, name, NULL);
-		check_result(result, "dns_name_concatenate");
-	} else
-		name = gorigin;
-
-	for (key = ISC_LIST_HEAD(keylist);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link))
-	{
-		if (REVOKE(key->key))
-			continue;
-		if (isksk(key)) {
-			have_ksk = ISC_TRUE;
-			have_non_ksk = ISC_FALSE;
-		} else {
-			have_ksk = ISC_FALSE;
-			have_non_ksk = ISC_TRUE;
-		}
-		for (tmpkey = ISC_LIST_HEAD(keylist);
-		     tmpkey != NULL;
-		     tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
-			if (dst_key_alg(key->key) != dst_key_alg(tmpkey->key))
-				continue;
-			if (REVOKE(tmpkey->key))
-				continue;
-			if (isksk(tmpkey))
-				have_ksk = ISC_TRUE;
-			else
-				have_non_ksk = ISC_TRUE;
-		}
-		if (have_ksk && have_non_ksk && !isksk(key))
-			continue;
-		dns_rdata_init(&rdata);
-		dns_rdata_init(&ds);
-		isc_buffer_init(&b, keybuf, sizeof(keybuf));
-		result = dst_key_todns(key->key, &b);
-		check_result(result, "dst_key_todns");
-		isc_buffer_usedregion(&b, &r);
-		dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
-		if (type != dns_rdatatype_dnskey) {
-			result = dns_ds_buildrdata(gorigin, &rdata,
-						   DNS_DSDIGEST_SHA1,
-						   dsbuf, &ds);
-			check_result(result, "dns_ds_buildrdata");
-			if (type == dns_rdatatype_dlv)
-				ds.type = dns_rdatatype_dlv;
-			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
-						      name, 0, &ds, &tuple);
-			check_result(result, "dns_difftuple_create");
-			dns_diff_append(&diff, &tuple);
-
-			dns_rdata_reset(&ds);
-			result = dns_ds_buildrdata(gorigin, &rdata,
-						   DNS_DSDIGEST_SHA256,
-						   dsbuf, &ds);
-			check_result(result, "dns_ds_buildrdata");
-			if (type == dns_rdatatype_dlv)
-				ds.type = dns_rdatatype_dlv;
-			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
-						      name, 0, &ds, &tuple);
-
-		} else
-			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
-						      gorigin, zone_soa_min_ttl,
-						      &rdata, &tuple);
-		check_result(result, "dns_difftuple_create");
-		dns_diff_append(&diff, &tuple);
-	}
-
-	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
-			       gclass, 0, NULL, &db);
-	check_result(result, "dns_db_create");
-
-	result = dns_db_newversion(db, &version);
-	check_result(result, "dns_db_newversion");
-
-	result = dns_diff_apply(&diff, db, version);
-	check_result(result, "dns_diff_apply");
-	dns_diff_clear(&diff);
-
-	result = dns_master_dump(mctx, db, version, style, filename);
-	check_result(result, "dns_master_dump");
-
-	isc_mem_put(mctx, filename, filenamelen + 1);
-
-	dns_db_closeversion(db, &version, ISC_FALSE);
-	dns_db_detach(&db);
-}
-
-static void
-print_time(FILE *fp) {
-	time_t currenttime;
-
-	if (outputformat != dns_masterformat_text)
-		return;
-
-	currenttime = time(NULL);
-	fprintf(fp, "; File written on %s", ctime(&currenttime));
-}
-
-static void
-print_version(FILE *fp) {
-	if (outputformat != dns_masterformat_text)
-		return;
-
-	fprintf(fp, "; dnssec_signzone version " VERSION "\n");
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
-
-	fprintf(stderr, "\n");
-
-	fprintf(stderr, "Version: %s\n", VERSION);
-
-	fprintf(stderr, "Options: (default value in parenthesis) \n");
-	fprintf(stderr, "\t-S:\tsmart signing: automatically finds key files\n"
-			"\t\tfor the zone and determines how they are to "
-			"be used\n");
-	fprintf(stderr, "\t-K directory:\n");
-	fprintf(stderr, "\t\tdirectory to find key files (.)\n");
-	fprintf(stderr, "\t-d directory:\n");
-	fprintf(stderr, "\t\tdirectory to find dsset-* files (.)\n");
-	fprintf(stderr, "\t-g:\t");
-	fprintf(stderr, "update DS records based on child zones' "
-			"dsset-* files\n");
-	fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n");
-	fprintf(stderr, "\t\tRRSIG start time "
-				"- absolute|offset (now - 1 hour)\n");
-	fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
-	fprintf(stderr, "\t\tRRSIG end time "
-				"- absolute|from start|from now "
-				"(now + 30 days)\n");
-	fprintf(stderr, "\t-X [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
-	fprintf(stderr, "\t\tDNSKEY RRSIG end "
-				"- absolute|from start|from now "
-				"(matches -e)\n");
-	fprintf(stderr, "\t-i interval:\n");
-	fprintf(stderr, "\t\tcycle interval - resign "
-				"if < interval from end ( (end-start)/4 )\n");
-	fprintf(stderr, "\t-j jitter:\n");
-	fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n");
-	fprintf(stderr, "\t-v debuglevel (0)\n");
-	fprintf(stderr, "\t-o origin:\n");
-	fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
-	fprintf(stderr, "\t-f outfile:\n");
-	fprintf(stderr, "\t\tfile the signed zone is written in "
-				"(zonefile + .signed)\n");
-	fprintf(stderr, "\t-I format:\n");
-	fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
-	fprintf(stderr, "\t-O format:\n");
-	fprintf(stderr, "\t\tfile format of signed zone file (text)\n");
-	fprintf(stderr, "\t-N format:\n");
-	fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n");
-	fprintf(stderr, "\t-D:\n");
-	fprintf(stderr, "\t\toutput only DNSSEC-related records\n");
-	fprintf(stderr, "\t-r randomdev:\n");
-	fprintf(stderr,	"\t\ta file containing random data\n");
-	fprintf(stderr, "\t-a:\t");
-	fprintf(stderr, "verify generated signatures\n");
-	fprintf(stderr, "\t-c class (IN)\n");
-	fprintf(stderr, "\t-E engine:\n");
-#ifdef USE_PKCS11
-	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
-				"(default is \"pkcs11\")\n");
-#else
-	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
-#endif
-	fprintf(stderr, "\t-p:\t");
-	fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
-	fprintf(stderr, "\t-P:\t");
-	fprintf(stderr, "disable post-sign verification\n");
-	fprintf(stderr, "\t-R:\t");
-	fprintf(stderr, "remove signatures from keys that no longer exist\n");
-	fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n");
-	fprintf(stderr, "\t-t:\t");
-	fprintf(stderr, "print statistics\n");
-	fprintf(stderr, "\t-u:\t");
-	fprintf(stderr, "update or replace an existing NSEC/NSEC3 chain\n");
-	fprintf(stderr, "\t-x:\tsign DNSKEY record with KSKs only, not ZSKs\n");
-	fprintf(stderr, "\t-z:\tsign all records with KSKs\n");
-	fprintf(stderr, "\t-C:\tgenerate a keyset file, for compatibility\n"
-			"\t\twith older versions of dnssec-signzone -g\n");
-	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
-	fprintf(stderr, "\t-k key_signing_key\n");
-	fprintf(stderr, "\t-l lookasidezone\n");
-	fprintf(stderr, "\t-3 NSEC3 salt\n");
-	fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
-	fprintf(stderr, "\t-A NSEC3 optout\n");
-
-	fprintf(stderr, "\n");
-
-	fprintf(stderr, "Signing Keys: ");
-	fprintf(stderr, "(default: all zone keys that have private keys)\n");
-	fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
-	exit(0);
-}
-
-static void
-removetempfile(void) {
-	if (removefile)
-		isc_file_remove(tempfile);
-}
-
-static void
-print_stats(isc_time_t *timer_start, isc_time_t *timer_finish,
-	    isc_time_t *sign_start, isc_time_t *sign_finish)
-{
-	isc_uint64_t time_us;      /* Time in microseconds */
-	isc_uint64_t time_ms;      /* Time in milliseconds */
-	isc_uint64_t sig_ms;	   /* Signatures per millisecond */
-	FILE *out = output_stdout ? stderr : stdout;
-
-	fprintf(out, "Signatures generated:               %10d\n", nsigned);
-	fprintf(out, "Signatures retained:                %10d\n", nretained);
-	fprintf(out, "Signatures dropped:                 %10d\n", ndropped);
-	fprintf(out, "Signatures successfully verified:   %10d\n", nverified);
-	fprintf(out, "Signatures unsuccessfully "
-		     "verified: %10d\n", nverifyfailed);
-
-	time_us = isc_time_microdiff(sign_finish, sign_start);
-	time_ms = time_us / 1000;
-	fprintf(out, "Signing time in seconds:           %7u.%03u\n",
-		(unsigned int) (time_ms / 1000),
-		(unsigned int) (time_ms % 1000));
-	if (time_us > 0) {
-		sig_ms = ((isc_uint64_t)nsigned * 1000000000) / time_us;
-		fprintf(out, "Signatures per second:             %7u.%03u\n",
-			(unsigned int) sig_ms / 1000,
-			(unsigned int) sig_ms % 1000);
-	}
-
-	time_us = isc_time_microdiff(timer_finish, timer_start);
-	time_ms = time_us / 1000;
-	fprintf(out, "Runtime in seconds:                %7u.%03u\n",
-		(unsigned int) (time_ms / 1000),
-		(unsigned int) (time_ms % 1000));
-}
-
-int
-main(int argc, char *argv[]) {
-	int i, ch;
-	char *startstr = NULL, *endstr = NULL, *classname = NULL;
-	char *dnskey_endstr = NULL;
-	char *origin = NULL, *file = NULL, *output = NULL;
-	char *inputformatstr = NULL, *outputformatstr = NULL;
-	char *serialformatstr = NULL;
-	char *dskeyfile[MAXDSKEYS];
-	int ndskeys = 0;
-	char *endp;
-	isc_time_t timer_start, timer_finish;
-	isc_time_t sign_start, sign_finish;
-	dns_dnsseckey_t *key;
-	isc_result_t result;
-	isc_log_t *log = NULL;
-	isc_boolean_t pseudorandom = ISC_FALSE;
-#ifdef USE_PKCS11
-	const char *engine = "pkcs11";
-#else
-	const char *engine = NULL;
-#endif
-	unsigned int eflags;
-	isc_boolean_t free_output = ISC_FALSE;
-	int tempfilelen = 0;
-	dns_rdataclass_t rdclass;
-	isc_task_t **tasks = NULL;
-	isc_buffer_t b;
-	int len;
-	hashlist_t hashlist;
-	isc_boolean_t make_keyset = ISC_FALSE;
-	isc_boolean_t set_salt = ISC_FALSE;
-	isc_boolean_t set_optout = ISC_FALSE;
-	isc_boolean_t set_iter = ISC_FALSE;
-	isc_boolean_t nonsecify = ISC_FALSE;
-
-#define CMDLINE_FLAGS \
-	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:L:l:m:n:N:o:O:PpRr:s:ST:tuUv:X:xzZ:"
-
-	/*
-	 * Process memory debugging argument first.
-	 */
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (ch) {
-		case 'm':
-			if (strcasecmp(isc_commandline_argument, "record") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
-			if (strcasecmp(isc_commandline_argument, "trace") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
-			if (strcasecmp(isc_commandline_argument, "usage") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
-			if (strcasecmp(isc_commandline_argument, "size") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
-			if (strcasecmp(isc_commandline_argument, "mctx") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
-			break;
-		default:
-			break;
-		}
-	}
-	isc_commandline_reset = ISC_TRUE;
-
-	masterstyle = &dns_master_style_explicitttl;
-
-	check_result(isc_app_start(), "isc_app_start");
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		fatal("out of memory");
-
-	dns_result_register();
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (ch) {
-		case '3':
-			set_salt = ISC_TRUE;
-			nsec_datatype = dns_rdatatype_nsec3;
-			if (strcmp(isc_commandline_argument, "-") != 0) {
-				isc_buffer_t target;
-				char *sarg;
-
-				sarg = isc_commandline_argument;
-				isc_buffer_init(&target, saltbuf,
-						sizeof(saltbuf));
-				result = isc_hex_decodestring(sarg, &target);
-				check_result(result,
-					     "isc_hex_decodestring(salt)");
-				salt_length = isc_buffer_usedlength(&target);
-			}
-			break;
-
-		case 'A':
-			set_optout = ISC_TRUE;
-			if (OPTOUT(nsec3flags))
-				nsec3flags &= ~DNS_NSEC3FLAG_OPTOUT;
-			else
-				nsec3flags |= DNS_NSEC3FLAG_OPTOUT;
-			break;
-
-		case 'a':
-			tryverify = ISC_TRUE;
-			break;
-
-		case 'C':
-			make_keyset = ISC_TRUE;
-			break;
-
-		case 'c':
-			classname = isc_commandline_argument;
-			break;
-
-		case 'd':
-			dsdir = isc_commandline_argument;
-			if (strlen(dsdir) == 0U)
-				fatal("DS directory must be non-empty string");
-			result = try_dir(dsdir);
-			if (result != ISC_R_SUCCESS)
-				fatal("cannot open directory %s: %s",
-				      dsdir, isc_result_totext(result));
-			break;
-
-		case 'D':
-			output_dnssec_only = ISC_TRUE;
-			break;
-
-		case 'E':
-			engine = isc_commandline_argument;
-			break;
-
-		case 'e':
-			endstr = isc_commandline_argument;
-			break;
-
-		case 'f':
-			output = isc_commandline_argument;
-			if (strcmp(output, "-") == 0)
-				output_stdout = ISC_TRUE;
-			break;
-
-		case 'g':
-			generateds = ISC_TRUE;
-			break;
-
-		case 'H':
-			set_iter = ISC_TRUE;
-			nsec3iter = strtoul(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("iterations must be numeric");
-			if (nsec3iter  > 0xffffU)
-				fatal("iterations too big");
-			break;
-
-		case 'h':
-			usage();
-			break;
-
-		case 'I':
-			inputformatstr = isc_commandline_argument;
-			break;
-
-		case 'i':
-			endp = NULL;
-			cycle = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0' || cycle < 0)
-				fatal("cycle period must be numeric and "
-				      "positive");
-			break;
-
-		case 'j':
-			endp = NULL;
-			jitter = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0' || jitter < 0)
-				fatal("jitter must be numeric and positive");
-			break;
-
-		case 'K':
-			directory = isc_commandline_argument;
-			break;
-
-		case 'k':
-			if (ndskeys == MAXDSKEYS)
-				fatal("too many key-signing keys specified");
-			dskeyfile[ndskeys++] = isc_commandline_argument;
-			break;
-
-		case 'L':
-			snset = ISC_TRUE;
-			endp = NULL;
-			serialnum = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0') {
-				fprintf(stderr, "source serial number "
-						"must be numeric");
-				exit(1);
-			}
-			break;
-
-		case 'l':
-			len = strlen(isc_commandline_argument);
-			isc_buffer_init(&b, isc_commandline_argument, len);
-			isc_buffer_add(&b, len);
-
-			dns_fixedname_init(&dlv_fixed);
-			dlv = dns_fixedname_name(&dlv_fixed);
-			result = dns_name_fromtext(dlv, &b, dns_rootname, 0,
-						   NULL);
-			check_result(result, "dns_name_fromtext(dlv)");
-			break;
-
-		case 'm':
-			break;
-
-		case 'N':
-			serialformatstr = isc_commandline_argument;
-			break;
-
-		case 'n':
-			endp = NULL;
-			ntasks = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0' || ntasks > ISC_INT32_MAX)
-				fatal("number of cpus must be numeric");
-			break;
-
-		case 'O':
-			outputformatstr = isc_commandline_argument;
-			break;
-
-		case 'o':
-			origin = isc_commandline_argument;
-			break;
-
-		case 'P':
-			disable_zone_check = ISC_TRUE;
-			break;
-
-		case 'p':
-			pseudorandom = ISC_TRUE;
-			break;
-
-		case 'R':
-			remove_orphans = ISC_TRUE;
-			break;
-
-		case 'r':
-			setup_entropy(mctx, isc_commandline_argument, &ectx);
-			break;
-
-		case 'S':
-			smartsign = ISC_TRUE;
-			break;
-
-		case 's':
-			startstr = isc_commandline_argument;
-			break;
-
-		case 'T':
-			endp = NULL;
-			set_keyttl = ISC_TRUE;
-			keyttl = strtottl(isc_commandline_argument);
-			break;
-
-		case 't':
-			printstats = ISC_TRUE;
-			break;
-
-		case 'U':	/* Undocumented for testing only. */
-			unknownalg = ISC_TRUE;
-			break;
-
-		case 'u':
-			update_chain = ISC_TRUE;
-			break;
-
-		case 'v':
-			endp = NULL;
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("verbose level must be numeric");
-			break;
-
-		case 'X':
-			dnskey_endstr = isc_commandline_argument;
-			break;
-
-		case 'x':
-			keyset_kskonly = ISC_TRUE;
-			break;
-
-		case 'z':
-			ignore_kskflag = ISC_TRUE;
-			break;
-
-		case 'F':
-			/* Reserved for FIPS mode */
-			/* FALLTHROUGH */
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			usage();
-			break;
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		case 'Z':	/* Undocumented test options */
-			if (!strcmp(isc_commandline_argument, "nonsecify"))
-				nonsecify = ISC_TRUE;
-			break;
-		}
-	}
-
-	if (ectx == NULL)
-		setup_entropy(mctx, NULL, &ectx);
-	eflags = ISC_ENTROPY_BLOCKING;
-	if (!pseudorandom)
-		eflags |= ISC_ENTROPY_GOODONLY;
-
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not create hash context");
-
-	result = dst_lib_init2(mctx, ectx, engine, eflags);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst: %s",
-		      isc_result_totext(result));
-
-	isc_stdtime_get(&now);
-
-	if (startstr != NULL) {
-		starttime = strtotime(startstr, now, now);
-	} else
-		starttime = now - 3600;  /* Allow for some clock skew. */
-
-	if (endstr != NULL)
-		endtime = strtotime(endstr, now, starttime);
-	else
-		endtime = starttime + (30 * 24 * 60 * 60);
-
-	if (dnskey_endstr != NULL) {
-		dnskey_endtime = strtotime(dnskey_endstr, now, starttime);
-		if (endstr != NULL && dnskey_endtime == endtime)
-			fprintf(stderr, "WARNING: -e and -X were both set, "
-					"but have identical values.\n");
-	} else
-		dnskey_endtime = endtime;
-
-	if (cycle == -1)
-		cycle = (endtime - starttime) / 4;
-
-	if (ntasks == 0)
-		ntasks = isc_os_ncpus() * 2;
-	vbprintf(4, "using %d cpus\n", ntasks);
-
-	rdclass = strtoclass(classname);
-
-	if (directory == NULL)
-		directory = ".";
-
-	setup_logging(verbose, mctx, &log);
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-
-	if (argc < 1)
-		usage();
-
-	file = argv[0];
-
-	argc -= 1;
-	argv += 1;
-
-	if (origin == NULL)
-		origin = file;
-
-	if (output == NULL) {
-		free_output = ISC_TRUE;
-		output = isc_mem_allocate(mctx,
-					  strlen(file) + strlen(".signed") + 1);
-		if (output == NULL)
-			fatal("out of memory");
-		sprintf(output, "%s.signed", file);
-	}
-
-	if (inputformatstr != NULL) {
-		if (strcasecmp(inputformatstr, "text") == 0)
-			inputformat = dns_masterformat_text;
-		else if (strcasecmp(inputformatstr, "raw") == 0)
-			inputformat = dns_masterformat_raw;
-		else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
-			inputformat = dns_masterformat_raw;
-			fprintf(stderr,
-				"WARNING: input format version ignored\n");
-		} else
-			fatal("unknown file format: %s", inputformatstr);
-
-	}
-
-	if (outputformatstr != NULL) {
-		if (strcasecmp(outputformatstr, "text") == 0) {
-			outputformat = dns_masterformat_text;
-		} else if (strcasecmp(outputformatstr, "full") == 0) {
-			outputformat = dns_masterformat_text;
-			masterstyle = &dns_master_style_full;
-		} else if (strcasecmp(outputformatstr, "raw") == 0) {
-			outputformat = dns_masterformat_raw;
-		} else if (strncasecmp(outputformatstr, "raw=", 4) == 0) {
-			char *end;
-			outputformat = dns_masterformat_raw;
-
-			outputformat = dns_masterformat_raw;
-			rawversion = strtol(outputformatstr + 4, &end, 10);
-			if (end == outputformatstr + 4 || *end != '\0' ||
-			    rawversion > 1U) {
-				fprintf(stderr,
-					"unknown raw format version\n");
-				exit(1);
-			}
-		} else
-			fatal("unknown file format: %s\n", outputformatstr);
-	}
-
-	if (serialformatstr != NULL) {
-		if (strcasecmp(serialformatstr, "keep") == 0)
-			serialformat = SOA_SERIAL_KEEP;
-		else if (strcasecmp(serialformatstr, "increment") == 0 ||
-			 strcasecmp(serialformatstr, "incr") == 0)
-			serialformat = SOA_SERIAL_INCREMENT;
-		else if (strcasecmp(serialformatstr, "unixtime") == 0)
-			serialformat = SOA_SERIAL_UNIXTIME;
-		else
-			fatal("unknown soa serial format: %s\n",
-			      serialformatstr);
-	}
-
-	if (output_dnssec_only && outputformat != dns_masterformat_text)
-		fatal("option -D can only be used with \"-O text\"\n");
-
-	if (output_dnssec_only && serialformat != SOA_SERIAL_KEEP)
-		fatal("option -D can only be used with \"-N keep\"\n");
-
-	result = dns_master_stylecreate(&dsstyle,  DNS_STYLEFLAG_NO_TTL,
-					0, 24, 0, 0, 0, 8, mctx);
-	check_result(result, "dns_master_stylecreate");
-
-	gdb = NULL;
-	TIME_NOW(&timer_start);
-	loadzone(file, origin, rdclass, &gdb);
-	gorigin = dns_db_origin(gdb);
-	gclass = dns_db_class(gdb);
-	get_soa_ttls();
-
-	if (!set_keyttl)
-		keyttl = soa_ttl;
-
-	/*
-	 * Check for any existing NSEC3 parameters in the zone,
-	 * and use them as defaults if -u was not specified.
-	 */
-	if (update_chain && !set_optout && !set_iter && !set_salt)
-		nsec_datatype = dns_rdatatype_nsec;
-	else
-		set_nsec3params(update_chain, set_salt, set_optout, set_iter);
-
-	/*
-	 * We need to do this early on, as we start messing with the list
-	 * of keys rather early.
-	 */
-	ISC_LIST_INIT(keylist);
-	isc_rwlock_init(&keylist_lock, 0, 0);
-
-	/*
-	 * Fill keylist with:
-	 * 1) Keys listed in the DNSKEY set that have
-	 *    private keys associated, *if* no keys were
-	 *    set on the command line.
-	 * 2) ZSKs set on the command line
-	 * 3) KSKs set on the command line
-	 * 4) Any keys remaining in the DNSKEY set which
-	 *    do not have private keys associated and were
-	 *    not specified on the command line.
-	 */
-	if (argc == 0 || smartsign)
-		loadzonekeys(!smartsign, ISC_FALSE);
-	loadexplicitkeys(argv, argc, ISC_FALSE);
-	loadexplicitkeys(dskeyfile, ndskeys, ISC_TRUE);
-	loadzonekeys(!smartsign, ISC_TRUE);
-
-	/*
-	 * If we're doing smart signing, look in the key repository for
-	 * key files with metadata, and merge them with the keylist
-	 * we have now.
-	 */
-	if (smartsign)
-		build_final_keylist();
-
-	/* Now enumerate the key list */
-	for (key = ISC_LIST_HEAD(keylist);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link)) {
-		key->index = keycount++;
-	}
-
-	if (keycount == 0) {
-		if (disable_zone_check)
-			fprintf(stderr, "%s: warning: No keys specified "
-					"or found\n", program);
-		else
-			fatal("No signing keys specified or found.");
-		nokeys = ISC_TRUE;
-	}
-
-	warnifallksk(gdb);
-
-	if (IS_NSEC3) {
-		unsigned int max;
-		isc_boolean_t answer;
-
-		hash_length = dns_nsec3_hashlength(dns_hash_sha1);
-		hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
-			      hash_length);
-		result = dns_nsec_nseconly(gdb, gversion, &answer);
-		if (result == ISC_R_NOTFOUND)
-			fprintf(stderr, "%s: warning: NSEC3 generation "
-				"requested with no DNSKEY; ignoring\n",
-				program);
-		else if (result != ISC_R_SUCCESS)
-			check_result(result, "dns_nsec_nseconly");
-		else if (answer)
-			fatal("NSEC3 generation requested with "
-			      "NSEC-only DNSKEY");
-
-		result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
-		check_result(result, "dns_nsec3_maxiterations()");
-		if (nsec3iter > max)
-			fatal("NSEC3 iterations too big for weakest DNSKEY "
-			      "strength. Maximum iterations allowed %u.", max);
-	}
-
-	gversion = NULL;
-	result = dns_db_newversion(gdb, &gversion);
-	check_result(result, "dns_db_newversion()");
-
-	switch (serialformat) {
-		case SOA_SERIAL_INCREMENT:
-			setsoaserial(0);
-			break;
-		case SOA_SERIAL_UNIXTIME:
-			setsoaserial(now);
-			break;
-		case SOA_SERIAL_KEEP:
-		default:
-			/* do nothing */
-			break;
-	}
-
-	remove_duplicates();
-
-	if (!nonsecify) {
-		if (IS_NSEC3)
-			nsec3ify(dns_hash_sha1, nsec3iter, salt, salt_length,
-				 &hashlist);
-		else
-			nsecify();
-	}
-
-	if (!nokeys) {
-		writeset("dsset-", dns_rdatatype_ds);
-		if (make_keyset)
-			writeset("keyset-", dns_rdatatype_dnskey);
-		if (dlv != NULL) {
-			writeset("dlvset-", dns_rdatatype_dlv);
-		}
-	}
-
-	if (output_stdout) {
-		fp = stdout;
-		if (outputformatstr == NULL)
-			masterstyle = &dns_master_style_full;
-	} else {
-		tempfilelen = strlen(output) + 20;
-		tempfile = isc_mem_get(mctx, tempfilelen);
-		if (tempfile == NULL)
-			fatal("out of memory");
-
-		result = isc_file_mktemplate(output, tempfile, tempfilelen);
-		check_result(result, "isc_file_mktemplate");
-
-		if (outputformat == dns_masterformat_text)
-			result = isc_file_openunique(tempfile, &fp);
-		else
-			result = isc_file_bopenunique(tempfile, &fp);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to open temporary output file: %s",
-			      isc_result_totext(result));
-		removefile = ISC_TRUE;
-		setfatalcallback(&removetempfile);
-	}
-
-	print_time(fp);
-	print_version(fp);
-
-	result = isc_taskmgr_create(mctx, ntasks, 0, &taskmgr);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to create task manager: %s",
-		      isc_result_totext(result));
-
-	master = NULL;
-	result = isc_task_create(taskmgr, 0, &master);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to create task: %s", isc_result_totext(result));
-
-	tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
-	if (tasks == NULL)
-		fatal("out of memory");
-	for (i = 0; i < (int)ntasks; i++) {
-		tasks[i] = NULL;
-		result = isc_task_create(taskmgr, 0, &tasks[i]);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to create task: %s",
-			      isc_result_totext(result));
-	}
-
-	RUNTIME_CHECK(isc_mutex_init(&namelock) == ISC_R_SUCCESS);
-	if (printstats)
-		RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS);
-
-	presign();
-	TIME_NOW(&sign_start);
-	signapex();
-	if (!finished) {
-		/*
-		 * There is more work to do.  Spread it out over multiple
-		 * processors if possible.
-		 */
-		for (i = 0; i < (int)ntasks; i++) {
-			result = isc_app_onrun(mctx, master, startworker,
-					       tasks[i]);
-			if (result != ISC_R_SUCCESS)
-				fatal("failed to start task: %s",
-				      isc_result_totext(result));
-		}
-		(void)isc_app_run();
-		if (!finished)
-			fatal("process aborted by user");
-	} else
-		isc_task_detach(&master);
-	shuttingdown = ISC_TRUE;
-	for (i = 0; i < (int)ntasks; i++)
-		isc_task_detach(&tasks[i]);
-	isc_taskmgr_destroy(&taskmgr);
-	isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *));
-	postsign();
-	TIME_NOW(&sign_finish);
-
-	if (!disable_zone_check)
-		verifyzone(gdb, gversion, gorigin, mctx,
-			   ignore_kskflag, keyset_kskonly);
-
-	if (outputformat != dns_masterformat_text) {
-		dns_masterrawheader_t header;
-		dns_master_initrawheader(&header);
-		if (rawversion == 0U)
-			header.flags = DNS_MASTERRAW_COMPAT;
-		else if (snset) {
-			header.flags = DNS_MASTERRAW_SOURCESERIALSET;
-			header.sourceserial = serialnum;
-		}
-		result = dns_master_dumptostream3(mctx, gdb, gversion,
-						  masterstyle, outputformat,
-						  &header, fp);
-		check_result(result, "dns_master_dumptostream3");
-	}
-
-	DESTROYLOCK(&namelock);
-	if (printstats)
-		DESTROYLOCK(&statslock);
-
-	if (!output_stdout) {
-		result = isc_stdio_close(fp);
-		check_result(result, "isc_stdio_close");
-		removefile = ISC_FALSE;
-
-		result = isc_file_rename(tempfile, output);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to rename temp file to %s: %s\n",
-			      output, isc_result_totext(result));
-
-		printf("%s\n", output);
-	}
-
-	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
-	dns_db_detach(&gdb);
-
-	while (!ISC_LIST_EMPTY(keylist)) {
-		key = ISC_LIST_HEAD(keylist);
-		ISC_LIST_UNLINK(keylist, key, link);
-		dns_dnsseckey_destroy(mctx, &key);
-	}
-
-	if (tempfilelen != 0)
-		isc_mem_put(mctx, tempfile, tempfilelen);
-
-	if (free_output)
-		isc_mem_free(mctx, output);
-
-	dns_master_styledestroy(&dsstyle, mctx);
-
-	cleanup_logging(&log);
-	dst_lib_destroy();
-	isc_hash_destroy();
-	cleanup_entropy(&ectx);
-	dns_name_destroy();
-	if (verbose > 10)
-		isc_mem_stats(mctx, stdout);
-	isc_mem_destroy(&mctx);
-
-	(void) isc_app_finish();
-
-	if (printstats) {
-		TIME_NOW(&timer_finish);
-		print_stats(&timer_start, &timer_finish,
-			    &sign_start, &sign_finish);
-	}
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
deleted file mode 100644
index e427fc1..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
+++ /dev/null
@@ -1,782 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-signzone.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
-<refentry id="man.dnssec-signzone">
-  <refentryinfo>
-    <date>June 05, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-signzone</application></refentrytitle>
-   <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-signzone</application></refname>
-    <refpurpose>DNSSEC zone signing tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2011</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dnssec-signzone</command>
-      <arg><option>-a</option></arg>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-D</option></arg>
-      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
-      <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
-      <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
-      <arg><option>-g</option></arg>
-      <arg><option>-h</option></arg>
-      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
-      <arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
-      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
-      <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
-      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
-      <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
-      <arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
-      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
-      <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
-      <arg><option>-P</option></arg>
-      <arg><option>-p</option></arg>
-      <arg><option>-R</option></arg>
-      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
-      <arg><option>-S</option></arg>
-      <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
-      <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
-      <arg><option>-t</option></arg>
-      <arg><option>-u</option></arg>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
-      <arg><option>-x</option></arg>
-      <arg><option>-z</option></arg>
-      <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
-      <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
-      <arg><option>-A</option></arg>
-      <arg choice="req">zonefile</arg>
-      <arg rep="repeat">key</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>dnssec-signzone</command>
-      signs a zone.  It generates
-      NSEC and RRSIG records and produces a signed version of the
-      zone. The security status of delegations from the signed zone
-      (that is, whether the child zones are secure or not) is
-      determined by the presence or absence of a
-      <filename>keyset</filename> file for each child zone.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-a</term>
-        <listitem>
-          <para>
-            Verify all generated signatures.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">class</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the DNS class of the zone.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-C</term>
-        <listitem>
-          <para>
-            Compatibility mode: Generate a
-            <filename>keyset-<replaceable>zonename</replaceable></filename>
-            file in addition to
-            <filename>dsset-<replaceable>zonename</replaceable></filename>
-            when signing a zone, for use by older versions of
-            <command>dnssec-signzone</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-d <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Look for <filename>dsset-</filename> or
-            <filename>keyset-</filename> files in <option>directory</option>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-D</term>
-        <listitem>
-          <para>
-	    Output only those record types automatically managed by
-	    <command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
-	    NSEC3 and NSEC3PARAM records. If smart signing
-	    (<option>-S</option>) is used, DNSKEY records are also
-	    included. The resulting file can be included in the original
-	    zone file with <command>$INCLUDE</command>. This option
-	    cannot be combined with <option>-O raw</option> or serial
-	    number updating.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-E <replaceable class="parameter">engine</replaceable></term>
-        <listitem>
-          <para>
-            Uses a crypto hardware (OpenSSL engine) for the crypto operations
-            it supports, for instance signing with private keys from
-            a secure key store. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-g</term>
-        <listitem>
-          <para>
-            Generate DS records for child zones from
-            <filename>dsset-</filename> or <filename>keyset-</filename>
-            file.  Existing DS records will be removed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-K <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>
-            Key repository: Specify a directory to search for DNSSEC keys.
-            If not specified, defaults to the current directory.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-k <replaceable class="parameter">key</replaceable></term>
-        <listitem>
-          <para>
-            Treat specified key as a key signing key ignoring any
-            key flags.  This option may be specified multiple times.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-l <replaceable class="parameter">domain</replaceable></term>
-        <listitem>
-          <para>
-            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
-            The domain is appended to the name of the records.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s <replaceable class="parameter">start-time</replaceable></term>
-        <listitem>
-          <para>
-            Specify the date and time when the generated RRSIG records
-            become valid.  This can be either an absolute or relative
-            time.  An absolute start time is indicated by a number
-            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-            14:45:00 UTC on May 30th, 2000.  A relative start time is
-            indicated by +N, which is N seconds from the current time.
-            If no <option>start-time</option> is specified, the current
-            time minus 1 hour (to allow for clock skew) is used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-e <replaceable class="parameter">end-time</replaceable></term>
-        <listitem>
-          <para>
-            Specify the date and time when the generated RRSIG records
-            expire.  As with <option>start-time</option>, an absolute
-            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-            to the start time is indicated with +N, which is N seconds from
-            the start time.  A time relative to the current time is
-            indicated with now+N.  If no <option>end-time</option> is
-            specified, 30 days from the start time is used as a default.
-            <option>end-time</option> must be later than
-            <option>start-time</option>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
-        <listitem>
-          <para>
-            Specify the date and time when the generated RRSIG records
-            for the DNSKEY RRset will expire.  This is to be used in cases
-            when the DNSKEY signatures need to persist longer than
-            signatures on other records; e.g., when the private component
-            of the KSK is kept offline and the KSK signature is to be
-            refreshed manually.
-          </para>
-          <para>
-            As with <option>start-time</option>, an absolute
-            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-            to the start time is indicated with +N, which is N seconds from
-            the start time.  A time relative to the current time is
-            indicated with now+N.  If no <option>extended end-time</option> is
-            specified, the value of <option>end-time</option> is used as
-            the default.  (<option>end-time</option>, in turn, defaults to
-            30 days from the start time.) <option>extended end-time</option>
-            must be later than <option>start-time</option>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-f <replaceable class="parameter">output-file</replaceable></term>
-        <listitem>
-          <para>
-            The name of the output file containing the signed zone.  The
-            default is to append <filename>.signed</filename> to
-            the input filename.  If <option>output-file</option> is
-            set to <literal>"-"</literal>, then the signed zone is
-            written to the standard output, with a default output
-            format of "full".
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-h</term>
-        <listitem>
-          <para>
-            Prints a short summary of the options and arguments to
-            <command>dnssec-signzone</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-i <replaceable class="parameter">interval</replaceable></term>
-        <listitem>
-          <para>
-            When a previously-signed zone is passed as input, records
-            may be resigned.  The <option>interval</option> option
-            specifies the cycle interval as an offset from the current
-            time (in seconds).  If a RRSIG record expires after the
-            cycle interval, it is retained.  Otherwise, it is considered
-            to be expiring soon, and it will be replaced.
-          </para>
-          <para>
-            The default cycle interval is one quarter of the difference
-            between the signature end and start times.  So if neither
-            <option>end-time</option> or <option>start-time</option>
-            are specified, <command>dnssec-signzone</command>
-            generates
-            signatures that are valid for 30 days, with a cycle
-            interval of 7.5 days.  Therefore, if any existing RRSIG records
-            are due to expire in less than 7.5 days, they would be
-            replaced.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-I <replaceable class="parameter">input-format</replaceable></term>
-        <listitem>
-          <para>
-            The format of the input zone file.
-	    Possible formats are <command>"text"</command> (default)
-	    and <command>"raw"</command>.
-	    This option is primarily intended to be used for dynamic
-            signed zones so that the dumped zone file in a non-text
-            format containing updates can be signed directly.
-	    The use of this option does not make much sense for
-	    non-dynamic zones.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-j <replaceable class="parameter">jitter</replaceable></term>
-        <listitem>
-          <para>
-            When signing a zone with a fixed signature lifetime, all
-            RRSIG records issued at the time of signing expires
-            simultaneously.  If the zone is incrementally signed, i.e.
-            a previously-signed zone is passed as input to the signer,
-            all expired signatures have to be regenerated at about the
-            same time.  The <option>jitter</option> option specifies a
-            jitter window that will be used to randomize the signature
-            expire time, thus spreading incremental signature
-            regeneration over time.
-          </para>
-          <para>
-            Signature lifetime jitter also to some extent benefits
-            validators and servers by spreading out cache expiration,
-            i.e. if large numbers of RRSIGs don't expire at the same time
-            from all caches there will be less congestion than if all
-            validators need to refetch at mostly the same time.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-L <replaceable class="parameter">serial</replaceable></term>
-        <listitem>
-          <para>
-            When writing a signed zone to 'raw' format, set the "source serial" 
-            value in the header to the specified serial number.  (This is
-            expected to be used primarily for testing purposes.)
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-n <replaceable class="parameter">ncpus</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the number of threads to use.  By default, one
-            thread is started for each detected CPU.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
-        <listitem>
-          <para>
-            The SOA serial number format of the signed zone.
-	    Possible formats are <command>"keep"</command> (default),
-            <command>"increment"</command> and
-	    <command>"unixtime"</command>.
-          </para>
-
-          <variablelist>
-	    <varlistentry>
-	      <term><command>"keep"</command></term>
-              <listitem>
-                <para>Do not modify the SOA serial number.</para>
-	      </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-	      <term><command>"increment"</command></term>
-              <listitem>
-                <para>Increment the SOA serial number using RFC 1982
-                      arithmetics.</para>
-	      </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-	      <term><command>"unixtime"</command></term>
-              <listitem>
-                <para>Set the SOA serial number to the number of seconds
-	        since epoch.</para>
-	      </listitem>
-            </varlistentry>
-	 </variablelist>
-
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-o <replaceable class="parameter">origin</replaceable></term>
-        <listitem>
-          <para>
-            The zone origin.  If not specified, the name of the zone file
-            is assumed to be the origin.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-O <replaceable class="parameter">output-format</replaceable></term>
-        <listitem>
-          <para>
-            The format of the output file containing the signed zone.
-	    Possible formats are <command>"text"</command> (default)
-	    <command>"full"</command>, which is text output in a
-            format suitable for processing by external scripts,
-            and <command>"raw"</command> or <command>"raw=N"</command>,
-            which store the zone in a binary format for rapid loading
-            by <command>named</command>.  <command>"raw=N"</command>
-            specifies the format version of the raw zone file: if N
-            is 0, the raw file can be read by any version of
-            <command>named</command>; if N is 1, the file can be
-            read by release 9.9.0 or higher.  The default is 1.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p</term>
-        <listitem>
-          <para>
-            Use pseudo-random data when signing the zone.  This is faster,
-            but less secure, than using real random data.  This option
-            may be useful when signing large zones or when the entropy
-            source is limited.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-P</term>
-        <listitem>
-          <para>
-	    Disable post sign verification tests.
-          </para>
-          <para>
-	    The post sign verification test ensures that for each algorithm
-	    in use there is at least one non revoked self signed KSK key,
-	    that all revoked KSK keys are self signed, and that all records
-	    in the zone are signed by the algorithm.
-	    This option skips these tests.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-R</term>
-        <listitem>
-          <para>
-	    Remove signatures from keys that no longer exist.
-          </para>
-          <para>
-            Normally, when a previously-signed zone is passed as input
-            to the signer, and a DNSKEY record has been removed and
-            replaced with a new one, signatures from the old key 
-            that are still within their validity period are retained.
-	    This allows the zone to continue to validate with cached
-	    copies of the old DNSKEY RRset.  The <option>-R</option> forces
-            <command>dnssec-signzone</command> to remove all orphaned
-            signatures.
-          </para>
-        </listitem>
-      </varlistentry>
-      <varlistentry>
-        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the source of randomness.  If the operating
-            system does not provide a <filename>/dev/random</filename>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <filename>randomdev</filename>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <filename>keyboard</filename> indicates that keyboard
-            input should be used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-S</term>
-        <listitem>
-          <para>
-            Smart signing: Instructs <command>dnssec-signzone</command> to
-            search the key repository for keys that match the zone being
-            signed, and to include them in the zone if appropriate.
-          </para>
-          <para>
-            When a key is found, its timing metadata is examined to
-            determine how it should be used, according to the following
-            rules.  Each successive rule takes priority over the prior
-            ones:
-          </para>
-          <variablelist>
-	    <varlistentry>
-              <listitem>
-                <para>
-                  If no timing metadata has been set for the key, the key is
-                  published in the zone and used to sign the zone.
-                </para>
-	      </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-              <listitem>
-                <para>
-                  If the key's publication date is set and is in the past, the
-                  key is published in the zone.
-                </para>
-	      </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-              <listitem>
-                <para>
-                  If the key's activation date is set and in the past, the
-                  key is published (regardless of publication date) and
-                  used to sign the zone.  
-                </para>
-	      </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-              <listitem>
-                <para>
-                  If the key's revocation date is set and in the past, and the
-                  key is published, then the key is revoked, and the revoked key
-                  is used to sign the zone.
-                </para>
-	      </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-              <listitem>
-                <para>
-                  If either of the key's unpublication or deletion dates are set
-                  and in the past, the key is NOT published or used to sign the
-                  zone, regardless of any other metadata.
-                </para>
-	      </listitem>
-            </varlistentry>
-	 </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-T <replaceable class="parameter">ttl</replaceable></term>
-        <listitem>
-          <para>
-            Specifies a TTL to be used for new DNSKEY records imported
-            into the zone from the key repository.  If not
-            specified, the default is the TTL value from the zone's SOA
-            record.  This option is ignored when signing without
-            <option>-S</option>, since DNSKEY records are not imported
-            from the key repository in that case.  It is also ignored if
-            there are any pre-existing DNSKEY records at the zone apex,
-            in which case new records' TTL values will be set to match
-            them, or if any of the imported DNSKEY records had a default
-            TTL value.  In the event of a a conflict between TTL values in
-            imported keys, the shortest one is used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t</term>
-        <listitem>
-          <para>
-            Print statistics at completion.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-u</term>
-        <listitem>
-          <para>
-            Update NSEC/NSEC3 chain when re-signing a previously signed
-            zone.  With this option, a zone signed with NSEC can be
-            switched to NSEC3, or a zone signed with NSEC3 can
-            be switch to NSEC or to NSEC3 with different parameters.
-            Without this option, <command>dnssec-signzone</command> will
-            retain the existing chain when re-signing.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-        <listitem>
-          <para>
-            Sets the debugging level.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-x</term>
-        <listitem>
-          <para>
-            Only sign the DNSKEY RRset with key-signing keys, and omit
-            signatures from zone-signing keys.  (This is similar to the
-            <command>dnssec-dnskey-kskonly yes;</command> zone option in
-            <command>named</command>.)
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-z</term>
-        <listitem>
-          <para>
-            Ignore KSK flag on key when determining what to sign.  This
-            causes KSK-flagged keys to sign all records, not just the
-            DNSKEY RRset.  (This is similar to the
-            <command>update-check-ksk no;</command> zone option in
-            <command>named</command>.)
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-3 <replaceable class="parameter">salt</replaceable></term>
-        <listitem>
-          <para>
-            Generate an NSEC3 chain with the given hex encoded salt.
-	    A dash (<replaceable class="parameter">salt</replaceable>) can
-	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-H <replaceable class="parameter">iterations</replaceable></term>
-        <listitem>
-          <para>
-	    When generating an NSEC3 chain, use this many interations.  The
-	    default is 10.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-A</term>
-        <listitem>
-          <para>
-	    When generating an NSEC3 chain set the OPTOUT flag on all
-	    NSEC3 records and do not generate NSEC3 records for insecure
-	    delegations.
-          </para>
-          <para>
-	    Using this option twice (i.e., <option>-AA</option>)
-	    turns the OPTOUT flag off for all records.  This is useful
-	    when using the <option>-u</option> option to modify an NSEC3
-	    chain which previously had OPTOUT set.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>zonefile</term>
-        <listitem>
-          <para>
-            The file containing the zone to be signed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>key</term>
-        <listitem>
-          <para>
-	    Specify which keys should be used to sign the zone.  If
-	    no keys are specified, then the zone will be examined
-	    for DNSKEY records at the zone apex.  If these are found and
-	    there are matching private keys, in the current directory,
-	    then these will be used for signing.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>EXAMPLE</title>
-    <para>
-      The following command signs the <userinput>example.com</userinput>
-      zone with the DSA key generated by <command>dnssec-keygen</command>
-      (Kexample.com.+003+17247).  Because the <command>-S</command> option
-      is not being used, the zone's keys must be in the master file
-      (<filename>db.example.com</filename>).  This invocation looks
-      for <filename>dsset</filename> files, in the current directory,
-      so that DS records can be imported from them (<command>-g</command>).
-    </para>
-<programlisting>% dnssec-signzone -g -o example.com db.example.com \
-Kexample.com.+003+17247
-db.example.com.signed
-%</programlisting>
-    <para>
-      In the above example, <command>dnssec-signzone</command> creates
-      the file <filename>db.example.com.signed</filename>.  This
-      file should be referenced in a zone statement in a
-      <filename>named.conf</filename> file.
-    </para>
-    <para>
-      This example re-signs a previously signed zone with default parameters.
-      The private keys are assumed to be in the current directory.
-    </para>
-<programlisting>% cp db.example.com.signed db.example.com
-% dnssec-signzone -o example.com db.example.com
-db.example.com.signed
-%</programlisting>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 4033</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.html b/contrib/bind9/bin/dnssec/dnssec-signzone.html
deleted file mode 100644
index 3799453..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.html
+++ /dev/null
@@ -1,491 +0,0 @@
-<!--
- - Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543626"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-signzone</strong></span>
-      signs a zone.  It generates
-      NSEC and RRSIG records and produces a signed version of the
-      zone. The security status of delegations from the signed zone
-      (that is, whether the child zones are secure or not) is
-      determined by the presence or absence of a
-      <code class="filename">keyset</code> file for each child zone.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543641"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd><p>
-            Verify all generated signatures.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Specifies the DNS class of the zone.
-          </p></dd>
-<dt><span class="term">-C</span></dt>
-<dd><p>
-            Compatibility mode: Generate a
-            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
-            file in addition to
-            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
-            when signing a zone, for use by older versions of
-            <span><strong class="command">dnssec-signzone</strong></span>.
-          </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Look for <code class="filename">dsset-</code> or
-            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
-          </p></dd>
-<dt><span class="term">-D</span></dt>
-<dd><p>
-	    Output only those record types automatically managed by
-	    <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
-	    NSEC3 and NSEC3PARAM records. If smart signing
-	    (<code class="option">-S</code>) is used, DNSKEY records are also
-	    included. The resulting file can be included in the original
-	    zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
-	    cannot be combined with <code class="option">-O raw</code> or serial
-	    number updating.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Uses a crypto hardware (OpenSSL engine) for the crypto operations
-            it supports, for instance signing with private keys from
-            a secure key store. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
-          </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
-            Generate DS records for child zones from
-            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
-            file.  Existing DS records will be removed.
-          </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Key repository: Specify a directory to search for DNSSEC keys.
-            If not specified, defaults to the current directory.
-          </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
-<dd><p>
-            Treat specified key as a key signing key ignoring any
-            key flags.  This option may be specified multiple times.
-          </p></dd>
-<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
-            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
-            The domain is appended to the name of the records.
-          </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd><p>
-            Specify the date and time when the generated RRSIG records
-            become valid.  This can be either an absolute or relative
-            time.  An absolute start time is indicated by a number
-            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-            14:45:00 UTC on May 30th, 2000.  A relative start time is
-            indicated by +N, which is N seconds from the current time.
-            If no <code class="option">start-time</code> is specified, the current
-            time minus 1 hour (to allow for clock skew) is used.
-          </p></dd>
-<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd><p>
-            Specify the date and time when the generated RRSIG records
-            expire.  As with <code class="option">start-time</code>, an absolute
-            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-            to the start time is indicated with +N, which is N seconds from
-            the start time.  A time relative to the current time is
-            indicated with now+N.  If no <code class="option">end-time</code> is
-            specified, 30 days from the start time is used as a default.
-            <code class="option">end-time</code> must be later than
-            <code class="option">start-time</code>.
-          </p></dd>
-<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
-<dd>
-<p>
-            Specify the date and time when the generated RRSIG records
-            for the DNSKEY RRset will expire.  This is to be used in cases
-            when the DNSKEY signatures need to persist longer than
-            signatures on other records; e.g., when the private component
-            of the KSK is kept offline and the KSK signature is to be
-            refreshed manually.
-          </p>
-<p>
-            As with <code class="option">start-time</code>, an absolute
-            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-            to the start time is indicated with +N, which is N seconds from
-            the start time.  A time relative to the current time is
-            indicated with now+N.  If no <code class="option">extended end-time</code> is
-            specified, the value of <code class="option">end-time</code> is used as
-            the default.  (<code class="option">end-time</code>, in turn, defaults to
-            30 days from the start time.) <code class="option">extended end-time</code>
-            must be later than <code class="option">start-time</code>.
-          </p>
-</dd>
-<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
-<dd><p>
-            The name of the output file containing the signed zone.  The
-            default is to append <code class="filename">.signed</code> to
-            the input filename.  If <code class="option">output-file</code> is
-            set to <code class="literal">"-"</code>, then the signed zone is
-            written to the standard output, with a default output
-            format of "full".
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Prints a short summary of the options and arguments to
-            <span><strong class="command">dnssec-signzone</strong></span>.
-          </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
-<p>
-            When a previously-signed zone is passed as input, records
-            may be resigned.  The <code class="option">interval</code> option
-            specifies the cycle interval as an offset from the current
-            time (in seconds).  If a RRSIG record expires after the
-            cycle interval, it is retained.  Otherwise, it is considered
-            to be expiring soon, and it will be replaced.
-          </p>
-<p>
-            The default cycle interval is one quarter of the difference
-            between the signature end and start times.  So if neither
-            <code class="option">end-time</code> or <code class="option">start-time</code>
-            are specified, <span><strong class="command">dnssec-signzone</strong></span>
-            generates
-            signatures that are valid for 30 days, with a cycle
-            interval of 7.5 days.  Therefore, if any existing RRSIG records
-            are due to expire in less than 7.5 days, they would be
-            replaced.
-          </p>
-</dd>
-<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd><p>
-            The format of the input zone file.
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    and <span><strong class="command">"raw"</strong></span>.
-	    This option is primarily intended to be used for dynamic
-            signed zones so that the dumped zone file in a non-text
-            format containing updates can be signed directly.
-	    The use of this option does not make much sense for
-	    non-dynamic zones.
-          </p></dd>
-<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
-<dd>
-<p>
-            When signing a zone with a fixed signature lifetime, all
-            RRSIG records issued at the time of signing expires
-            simultaneously.  If the zone is incrementally signed, i.e.
-            a previously-signed zone is passed as input to the signer,
-            all expired signatures have to be regenerated at about the
-            same time.  The <code class="option">jitter</code> option specifies a
-            jitter window that will be used to randomize the signature
-            expire time, thus spreading incremental signature
-            regeneration over time.
-          </p>
-<p>
-            Signature lifetime jitter also to some extent benefits
-            validators and servers by spreading out cache expiration,
-            i.e. if large numbers of RRSIGs don't expire at the same time
-            from all caches there will be less congestion than if all
-            validators need to refetch at mostly the same time.
-          </p>
-</dd>
-<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd><p>
-            When writing a signed zone to 'raw' format, set the "source serial" 
-            value in the header to the specified serial number.  (This is
-            expected to be used primarily for testing purposes.)
-          </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
-<dd><p>
-            Specifies the number of threads to use.  By default, one
-            thread is started for each detected CPU.
-          </p></dd>
-<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
-<dd>
-<p>
-            The SOA serial number format of the signed zone.
-	    Possible formats are <span><strong class="command">"keep"</strong></span> (default),
-            <span><strong class="command">"increment"</strong></span> and
-	    <span><strong class="command">"unixtime"</strong></span>.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
-<dd><p>Do not modify the SOA serial number.</p></dd>
-<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
-<dd><p>Increment the SOA serial number using RFC 1982
-                      arithmetics.</p></dd>
-<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
-<dd><p>Set the SOA serial number to the number of seconds
-	        since epoch.</p></dd>
-</dl></div>
-</dd>
-<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd><p>
-            The zone origin.  If not specified, the name of the zone file
-            is assumed to be the origin.
-          </p></dd>
-<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
-<dd><p>
-            The format of the output file containing the signed zone.
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    <span><strong class="command">"full"</strong></span>, which is text output in a
-            format suitable for processing by external scripts,
-            and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
-            which store the zone in a binary format for rapid loading
-            by <span><strong class="command">named</strong></span>.  <span><strong class="command">"raw=N"</strong></span>
-            specifies the format version of the raw zone file: if N
-            is 0, the raw file can be read by any version of
-            <span><strong class="command">named</strong></span>; if N is 1, the file can be
-            read by release 9.9.0 or higher.  The default is 1.
-          </p></dd>
-<dt><span class="term">-p</span></dt>
-<dd><p>
-            Use pseudo-random data when signing the zone.  This is faster,
-            but less secure, than using real random data.  This option
-            may be useful when signing large zones or when the entropy
-            source is limited.
-          </p></dd>
-<dt><span class="term">-P</span></dt>
-<dd>
-<p>
-	    Disable post sign verification tests.
-          </p>
-<p>
-	    The post sign verification test ensures that for each algorithm
-	    in use there is at least one non revoked self signed KSK key,
-	    that all revoked KSK keys are self signed, and that all records
-	    in the zone are signed by the algorithm.
-	    This option skips these tests.
-          </p>
-</dd>
-<dt><span class="term">-R</span></dt>
-<dd>
-<p>
-	    Remove signatures from keys that no longer exist.
-          </p>
-<p>
-            Normally, when a previously-signed zone is passed as input
-            to the signer, and a DNSKEY record has been removed and
-            replaced with a new one, signatures from the old key 
-            that are still within their validity period are retained.
-	    This allows the zone to continue to validate with cached
-	    copies of the old DNSKEY RRset.  The <code class="option">-R</code> forces
-            <span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned
-            signatures.
-          </p>
-</dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
-            Specifies the source of randomness.  If the operating
-            system does not provide a <code class="filename">/dev/random</code>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <code class="filename">randomdev</code>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <code class="filename">keyboard</code> indicates that keyboard
-            input should be used.
-          </p></dd>
-<dt><span class="term">-S</span></dt>
-<dd>
-<p>
-            Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
-            search the key repository for keys that match the zone being
-            signed, and to include them in the zone if appropriate.
-          </p>
-<p>
-            When a key is found, its timing metadata is examined to
-            determine how it should be used, according to the following
-            rules.  Each successive rule takes priority over the prior
-            ones:
-          </p>
-<div class="variablelist"><dl>
-<dt></dt>
-<dd><p>
-                  If no timing metadata has been set for the key, the key is
-                  published in the zone and used to sign the zone.
-                </p></dd>
-<dt></dt>
-<dd><p>
-                  If the key's publication date is set and is in the past, the
-                  key is published in the zone.
-                </p></dd>
-<dt></dt>
-<dd><p>
-                  If the key's activation date is set and in the past, the
-                  key is published (regardless of publication date) and
-                  used to sign the zone.  
-                </p></dd>
-<dt></dt>
-<dd><p>
-                  If the key's revocation date is set and in the past, and the
-                  key is published, then the key is revoked, and the revoked key
-                  is used to sign the zone.
-                </p></dd>
-<dt></dt>
-<dd><p>
-                  If either of the key's unpublication or deletion dates are set
-                  and in the past, the key is NOT published or used to sign the
-                  zone, regardless of any other metadata.
-                </p></dd>
-</dl></div>
-</dd>
-<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
-            Specifies a TTL to be used for new DNSKEY records imported
-            into the zone from the key repository.  If not
-            specified, the default is the TTL value from the zone's SOA
-            record.  This option is ignored when signing without
-            <code class="option">-S</code>, since DNSKEY records are not imported
-            from the key repository in that case.  It is also ignored if
-            there are any pre-existing DNSKEY records at the zone apex,
-            in which case new records' TTL values will be set to match
-            them, or if any of the imported DNSKEY records had a default
-            TTL value.  In the event of a a conflict between TTL values in
-            imported keys, the shortest one is used.
-          </p></dd>
-<dt><span class="term">-t</span></dt>
-<dd><p>
-            Print statistics at completion.
-          </p></dd>
-<dt><span class="term">-u</span></dt>
-<dd><p>
-            Update NSEC/NSEC3 chain when re-signing a previously signed
-            zone.  With this option, a zone signed with NSEC can be
-            switched to NSEC3, or a zone signed with NSEC3 can
-            be switch to NSEC or to NSEC3 with different parameters.
-            Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
-            retain the existing chain when re-signing.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-x</span></dt>
-<dd><p>
-            Only sign the DNSKEY RRset with key-signing keys, and omit
-            signatures from zone-signing keys.  (This is similar to the
-            <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
-            <span><strong class="command">named</strong></span>.)
-          </p></dd>
-<dt><span class="term">-z</span></dt>
-<dd><p>
-            Ignore KSK flag on key when determining what to sign.  This
-            causes KSK-flagged keys to sign all records, not just the
-            DNSKEY RRset.  (This is similar to the
-            <span><strong class="command">update-check-ksk no;</strong></span> zone option in
-            <span><strong class="command">named</strong></span>.)
-          </p></dd>
-<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
-<dd><p>
-            Generate an NSEC3 chain with the given hex encoded salt.
-	    A dash (<em class="replaceable"><code>salt</code></em>) can
-	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
-          </p></dd>
-<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
-<dd><p>
-	    When generating an NSEC3 chain, use this many interations.  The
-	    default is 10.
-          </p></dd>
-<dt><span class="term">-A</span></dt>
-<dd>
-<p>
-	    When generating an NSEC3 chain set the OPTOUT flag on all
-	    NSEC3 records and do not generate NSEC3 records for insecure
-	    delegations.
-          </p>
-<p>
-	    Using this option twice (i.e., <code class="option">-AA</code>)
-	    turns the OPTOUT flag off for all records.  This is useful
-	    when using the <code class="option">-u</code> option to modify an NSEC3
-	    chain which previously had OPTOUT set.
-          </p>
-</dd>
-<dt><span class="term">zonefile</span></dt>
-<dd><p>
-            The file containing the zone to be signed.
-          </p></dd>
-<dt><span class="term">key</span></dt>
-<dd><p>
-	    Specify which keys should be used to sign the zone.  If
-	    no keys are specified, then the zone will be examined
-	    for DNSKEY records at the zone apex.  If these are found and
-	    there are matching private keys, in the current directory,
-	    then these will be used for signing.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545127"></a><h2>EXAMPLE</h2>
-<p>
-      The following command signs the <strong class="userinput"><code>example.com</code></strong>
-      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
-      (Kexample.com.+003+17247).  Because the <span><strong class="command">-S</strong></span> option
-      is not being used, the zone's keys must be in the master file
-      (<code class="filename">db.example.com</code>).  This invocation looks
-      for <code class="filename">dsset</code> files, in the current directory,
-      so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
-    </p>
-<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
-Kexample.com.+003+17247
-db.example.com.signed
-%</pre>
-<p>
-      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
-      the file <code class="filename">db.example.com.signed</code>.  This
-      file should be referenced in a zone statement in a
-      <code class="filename">named.conf</code> file.
-    </p>
-<p>
-      This example re-signs a previously signed zone with default parameters.
-      The private keys are assumed to be in the current directory.
-    </p>
-<pre class="programlisting">% cp db.example.com.signed db.example.com
-% dnssec-signzone -o example.com db.example.com
-db.example.com.signed
-%</pre>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545182"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 4033</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545207"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-verify.8 b/contrib/bind9/bin/dnssec/dnssec-verify.8
deleted file mode 100644
index 1de88fa..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-verify.8
+++ /dev/null
@@ -1,97 +0,0 @@
-.\" Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
-.\"
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: dnssec\-verify
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: April 12, 2012
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "DNSSEC\-VERIFY" "8" "April 12, 2012" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-verify \- DNSSEC zone verification tool
-.SH "SYNOPSIS"
-.HP 14
-\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-verify\fR
-verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
-.SH "OPTIONS"
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class of the zone.
-.RE
-.PP
-\-I \fIinput\-format\fR
-.RS 4
-The format of the input zone file. Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be verified independently. The use of this option does not make much sense for non\-dynamic zones.
-.RE
-.PP
-\-o \fIorigin\fR
-.RS 4
-The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level.
-.RE
-.PP
-\-x
-.RS 4
-Only verify that the DNSKEY RRset is signed with key\-signing keys. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys. This corresponds to the
-\fB\-x\fR
-option in
-\fBdnssec\-signzone\fR.
-.RE
-.PP
-\-z
-.RS 4
-Ignore the KSK flag on the keys when determining whether the zone if correctly signed. Without this flag it is assumed that there will be a non\-revoked, self\-signed DNSKEY with the KSK flag set for each algorithm and that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set.
-.sp
-With this flag set, we only require that for each algorithm, there will be at least one non\-revoked, self\-signed DNSKEY, regardless of the KSK flag state, and that other RRsets will be signed by a non\-revoked key for the same algorithm that includes the self\-signed key; the same key may be used for both purposes. This corresponds to the
-\fB\-z\fR
-option in
-\fBdnssec\-signzone\fR.
-.RE
-.PP
-zonefile
-.RS 4
-The file containing the zone to be signed.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-signzone\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 4033.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-verify.c b/contrib/bind9/bin/dnssec/dnssec-verify.c
deleted file mode 100644
index 682896c..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-verify.c
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-verify.c,v 1.1.2.1 2011/03/16 06:37:51 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <time.h>
-
-#include <isc/app.h>
-#include <isc/base32.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/event.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/hex.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/os.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/rwlock.h>
-#include <isc/serial.h>
-#include <isc/stdio.h>
-#include <isc/stdlib.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/ds.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-#include <dns/time.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-verify";
-int verbose;
-
-static isc_stdtime_t now;
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-static dns_masterformat_t inputformat = dns_masterformat_text;
-static dns_db_t *gdb;			/* The database */
-static dns_dbversion_t *gversion;	/* The database version */
-static dns_rdataclass_t gclass;		/* The class */
-static dns_name_t *gorigin;		/* The database origin */
-static isc_boolean_t ignore_kskflag = ISC_FALSE;
-static isc_boolean_t keyset_kskonly = ISC_FALSE;
-
-/*%
- * Load the zone file from disk
- */
-static void
-loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
-	isc_buffer_t b;
-	int len;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	isc_result_t result;
-
-	len = strlen(origin);
-	isc_buffer_init(&b, origin, len);
-	isc_buffer_add(&b, len);
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed converting name '%s' to dns format: %s",
-		      origin, isc_result_totext(result));
-
-	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
-			       rdclass, 0, NULL, db);
-	check_result(result, "dns_db_create()");
-
-	result = dns_db_load2(*db, file, inputformat);
-	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
-		fatal("failed loading zone from '%s': %s",
-		      file, isc_result_totext(result));
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
-
-	fprintf(stderr, "\n");
-
-	fprintf(stderr, "Version: %s\n", VERSION);
-
-	fprintf(stderr, "Options: (default value in parenthesis) \n");
-	fprintf(stderr, "\t-v debuglevel (0)\n");
-	fprintf(stderr, "\t-o origin:\n");
-	fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
-	fprintf(stderr, "\t-I format:\n");
-	fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
-	fprintf(stderr, "\t-c class (IN)\n");
-	fprintf(stderr, "\t-E engine:\n");
-#ifdef USE_PKCS11
-	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
-				"(default is \"pkcs11\")\n");
-#else
-	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
-#endif
-	fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
-			"not ZSKs\n");
-	fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
-	exit(0);
-}
-
-int
-main(int argc, char *argv[]) {
-	char *origin = NULL, *file = NULL;
-	char *inputformatstr = NULL;
-	isc_result_t result;
-	isc_log_t *log = NULL;
-#ifdef USE_PKCS11
-	const char *engine = "pkcs11";
-#else
-	const char *engine = NULL;
-#endif
-	char *classname = NULL;
-	dns_rdataclass_t rdclass;
-	char ch, *endp;
-
-#define CMDLINE_FLAGS \
-	"m:o:I:c:E:v:xz"
-
-	/*
-	 * Process memory debugging argument first.
-	 */
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (ch) {
-		case 'm':
-			if (strcasecmp(isc_commandline_argument, "record") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
-			if (strcasecmp(isc_commandline_argument, "trace") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
-			if (strcasecmp(isc_commandline_argument, "usage") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
-			if (strcasecmp(isc_commandline_argument, "size") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
-			if (strcasecmp(isc_commandline_argument, "mctx") == 0)
-				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
-			break;
-		default:
-			break;
-		}
-	}
-	isc_commandline_reset = ISC_TRUE;
-	check_result(isc_app_start(), "isc_app_start");
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		fatal("out of memory");
-
-	dns_result_register();
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
-		switch (ch) {
-		case 'c':
-			classname = isc_commandline_argument;
-			break;
-
-		case 'E':
-			engine = isc_commandline_argument;
-			break;
-
-		case 'h':
-			usage();
-			break;
-
-		case 'I':
-			inputformatstr = isc_commandline_argument;
-			break;
-
-		case 'm':
-			break;
-
-		case 'o':
-			origin = isc_commandline_argument;
-			break;
-
-		case 'v':
-			endp = NULL;
-			verbose = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("verbose level must be numeric");
-			break;
-
-		case 'x':
-			keyset_kskonly = ISC_TRUE;
-			break;
-
-		case 'z':
-			ignore_kskflag = ISC_TRUE;
-			break;
-
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			usage();
-			break;
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (ectx == NULL)
-		setup_entropy(mctx, NULL, &ectx);
-
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not create hash context");
-
-	result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst: %s",
-		      isc_result_totext(result));
-
-	isc_stdtime_get(&now);
-
-	rdclass = strtoclass(classname);
-
-	setup_logging(verbose, mctx, &log);
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-
-	if (argc < 1)
-		usage();
-
-	file = argv[0];
-
-	argc -= 1;
-	argv += 1;
-
-	POST(argc);
-	POST(argv);
-
-	if (origin == NULL)
-		origin = file;
-
-	if (inputformatstr != NULL) {
-		if (strcasecmp(inputformatstr, "text") == 0)
-			inputformat = dns_masterformat_text;
-		else if (strcasecmp(inputformatstr, "raw") == 0)
-			inputformat = dns_masterformat_raw;
-		else
-			fatal("unknown file format: %s\n", inputformatstr);
-	}
-
-	gdb = NULL;
-	fprintf(stderr, "Loading zone '%s' from file '%s'\n", origin, file);
-	loadzone(file, origin, rdclass, &gdb);
-	gorigin = dns_db_origin(gdb);
-	gclass = dns_db_class(gdb);
-
-	gversion = NULL;
-	result = dns_db_newversion(gdb, &gversion);
-	check_result(result, "dns_db_newversion()");
-
-	verifyzone(gdb, gversion, gorigin, mctx,
-		   ignore_kskflag, keyset_kskonly);
-
-	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
-	dns_db_detach(&gdb);
-
-	cleanup_logging(&log);
-	dst_lib_destroy();
-	isc_hash_destroy();
-	cleanup_entropy(&ectx);
-	dns_name_destroy();
-	if (verbose > 10)
-		isc_mem_stats(mctx, stdout);
-	isc_mem_destroy(&mctx);
-
-	(void) isc_app_finish();
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-verify.docbook b/contrib/bind9/bin/dnssec/dnssec-verify.docbook
deleted file mode 100644
index 0835df1..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-verify.docbook
+++ /dev/null
@@ -1,185 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-verify.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
-<refentry id="man.dnssec-verify">
-  <refentryinfo>
-    <date>April 12, 2012</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>dnssec-verify</application></refentrytitle>
-   <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>dnssec-verify</application></refname>
-    <refpurpose>DNSSEC zone verification tool</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2012</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>dnssec-verify</command>
-      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
-      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
-      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
-      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
-      <arg><option>-x</option></arg>
-      <arg><option>-z</option></arg>
-      <arg choice="req">zonefile</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>dnssec-verify</command>
-      verifies that a zone is fully signed for each algorithm found
-      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
-      chains are complete.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-c <replaceable class="parameter">class</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the DNS class of the zone.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-I <replaceable class="parameter">input-format</replaceable></term>
-        <listitem>
-          <para>
-            The format of the input zone file.
-	    Possible formats are <command>"text"</command> (default)
-	    and <command>"raw"</command>.
-	    This option is primarily intended to be used for dynamic
-            signed zones so that the dumped zone file in a non-text
-            format containing updates can be verified independently.
-	    The use of this option does not make much sense for
-	    non-dynamic zones.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-o <replaceable class="parameter">origin</replaceable></term>
-        <listitem>
-          <para>
-            The zone origin.  If not specified, the name of the zone file
-            is assumed to be the origin.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v <replaceable class="parameter">level</replaceable></term>
-        <listitem>
-          <para>
-            Sets the debugging level.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-x</term>
-        <listitem>
-          <para>
-            Only verify that the DNSKEY RRset is signed with key-signing
-            keys.  Without this flag, it is assumed that the DNSKEY RRset
-            will be signed by all active keys.  When this flag is set,
-            it will not be an error if the DNSKEY RRset is not signed
-            by zone-signing keys.  This corresponds to the <option>-x</option>
-            option in <command>dnssec-signzone</command>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>-z</term>
-	<listitem>
-	  <para>
-	    Ignore the KSK flag on the keys when determining whether
-            the zone if correctly signed.  Without this flag it is
-	    assumed that there will be a non-revoked, self-signed
-	    DNSKEY with the KSK flag set for each algorithm and
-	    that RRsets other than DNSKEY RRset will be signed with
-            a different DNSKEY without the KSK flag set.
-	  </para>
-	  <para>
-	    With this flag set, we only require that for each algorithm,
-            there will be at least one non-revoked, self-signed DNSKEY,
-            regardless of the KSK flag state, and that other RRsets
-	    will be signed by a non-revoked key for the same algorithm
-            that includes the self-signed key; the same key may be used
-            for both purposes.  This corresponds to the <option>-z</option>
-            option in <command>dnssec-signzone</command>.
-	  </para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>zonefile</term>
-        <listitem>
-          <para>
-            The file containing the zone to be signed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 4033</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-verify.html b/contrib/bind9/bin/dnssec/dnssec-verify.html
deleted file mode 100644
index 135556f..0000000
--- a/contrib/bind9/bin/dnssec/dnssec-verify.html
+++ /dev/null
@@ -1,117 +0,0 @@
-<!--
- - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-verify</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.dnssec-verify"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543390"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-verify</strong></span>
-      verifies that a zone is fully signed for each algorithm found
-      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
-      chains are complete.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543402"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Specifies the DNS class of the zone.
-          </p></dd>
-<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd><p>
-            The format of the input zone file.
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    and <span><strong class="command">"raw"</strong></span>.
-	    This option is primarily intended to be used for dynamic
-            signed zones so that the dumped zone file in a non-text
-            format containing updates can be verified independently.
-	    The use of this option does not make much sense for
-	    non-dynamic zones.
-          </p></dd>
-<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd><p>
-            The zone origin.  If not specified, the name of the zone file
-            is assumed to be the origin.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-x</span></dt>
-<dd><p>
-            Only verify that the DNSKEY RRset is signed with key-signing
-            keys.  Without this flag, it is assumed that the DNSKEY RRset
-            will be signed by all active keys.  When this flag is set,
-            it will not be an error if the DNSKEY RRset is not signed
-            by zone-signing keys.  This corresponds to the <code class="option">-x</code>
-            option in <span><strong class="command">dnssec-signzone</strong></span>.
-          </p></dd>
-<dt><span class="term">-z</span></dt>
-<dd>
-<p>
-	    Ignore the KSK flag on the keys when determining whether
-            the zone if correctly signed.  Without this flag it is
-	    assumed that there will be a non-revoked, self-signed
-	    DNSKEY with the KSK flag set for each algorithm and
-	    that RRsets other than DNSKEY RRset will be signed with
-            a different DNSKEY without the KSK flag set.
-	  </p>
-<p>
-	    With this flag set, we only require that for each algorithm,
-            there will be at least one non-revoked, self-signed DNSKEY,
-            regardless of the KSK flag state, and that other RRsets
-	    will be signed by a non-revoked key for the same algorithm
-            that includes the self-signed key; the same key may be used
-            for both purposes.  This corresponds to the <code class="option">-z</code>
-            option in <span><strong class="command">dnssec-signzone</strong></span>.
-	  </p>
-</dd>
-<dt><span class="term">zonefile</span></dt>
-<dd><p>
-            The file containing the zone to be signed.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543543"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 4033</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543637"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/dnssectool.c b/contrib/bind9/bin/dnssec/dnssectool.c
deleted file mode 100644
index 7c8c6ce..0000000
--- a/contrib/bind9/bin/dnssec/dnssectool.c
+++ /dev/null
@@ -1,1801 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssectool.c,v 1.63 2011/10/21 03:55:33 marka Exp $ */
-
-/*! \file */
-
-/*%
- * DNSSEC Support Routines.
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/base32.h>
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/heap.h>
-#include <isc/list.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-#include <isc/print.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/time.h>
-
-#include "dnssectool.h"
-
-static isc_heap_t *expected_chains, *found_chains;
-
-struct nsec3_chain_fixed {
-	isc_uint8_t	hash;
-	isc_uint8_t	salt_length;
-	isc_uint8_t	next_length;
-	isc_uint16_t	iterations;
-	/* unsigned char salt[0]; */
-	/* unsigned char owner[0]; */
-	/* unsigned char next[0]; */
-};
-
-extern int verbose;
-extern const char *program;
-
-typedef struct entropysource entropysource_t;
-
-struct entropysource {
-	isc_entropysource_t *source;
-	isc_mem_t *mctx;
-	ISC_LINK(entropysource_t) link;
-};
-
-static ISC_LIST(entropysource_t) sources;
-static fatalcallback_t *fatalcallback = NULL;
-
-void
-fatal(const char *format, ...) {
-	va_list args;
-
-	fprintf(stderr, "%s: fatal: ", program);
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	if (fatalcallback != NULL)
-		(*fatalcallback)();
-	exit(1);
-}
-
-void
-setfatalcallback(fatalcallback_t *callback) {
-	fatalcallback = callback;
-}
-
-void
-check_result(isc_result_t result, const char *message) {
-	if (result != ISC_R_SUCCESS)
-		fatal("%s: %s", message, isc_result_totext(result));
-}
-
-void
-vbprintf(int level, const char *fmt, ...) {
-	va_list ap;
-	if (level > verbose)
-		return;
-	va_start(ap, fmt);
-	fprintf(stderr, "%s: ", program);
-	vfprintf(stderr, fmt, ap);
-	va_end(ap);
-}
-
-void
-type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
-	isc_buffer_t b;
-	isc_region_t r;
-	isc_result_t result;
-
-	isc_buffer_init(&b, cp, size - 1);
-	result = dns_rdatatype_totext(type, &b);
-	check_result(result, "dns_rdatatype_totext()");
-	isc_buffer_usedregion(&b, &r);
-	r.base[r.length] = 0;
-}
-
-void
-sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
-	char namestr[DNS_NAME_FORMATSIZE];
-	char algstr[DNS_NAME_FORMATSIZE];
-
-	dns_name_format(&sig->signer, namestr, sizeof(namestr));
-	dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
-	snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
-}
-
-void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
-	isc_result_t result;
-	isc_logdestination_t destination;
-	isc_logconfig_t *logconfig = NULL;
-	isc_log_t *log = NULL;
-	int level;
-
-	if (verbose < 0)
-		verbose = 0;
-	switch (verbose) {
-	case 0:
-		/*
-		 * We want to see warnings about things like out-of-zone
-		 * data in the master file even when not verbose.
-		 */
-		level = ISC_LOG_WARNING;
-		break;
-	case 1:
-		level = ISC_LOG_INFO;
-		break;
-	default:
-		level = ISC_LOG_DEBUG(verbose - 2 + 1);
-		break;
-	}
-
-	RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
-	isc_log_setcontext(log);
-	dns_log_init(log);
-	dns_log_setcontext(log);
-
-	RUNTIME_CHECK(isc_log_settag(logconfig, program) == ISC_R_SUCCESS);
-
-	/*
-	 * Set up a channel similar to default_stderr except:
-	 *  - the logging level is passed in
-	 *  - the program name and logging level are printed
-	 *  - no time stamp is printed
-	 */
-	destination.file.stream = stderr;
-	destination.file.name = NULL;
-	destination.file.versions = ISC_LOG_ROLLNEVER;
-	destination.file.maximum_size = 0;
-	result = isc_log_createchannel(logconfig, "stderr",
-				       ISC_LOG_TOFILEDESC,
-				       level,
-				       &destination,
-				       ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL);
-	check_result(result, "isc_log_createchannel()");
-
-	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
-					 NULL, NULL) == ISC_R_SUCCESS);
-
-	*logp = log;
-}
-
-void
-cleanup_logging(isc_log_t **logp) {
-	isc_log_t *log;
-
-	REQUIRE(logp != NULL);
-
-	log = *logp;
-	if (log == NULL)
-		return;
-	isc_log_destroy(&log);
-	isc_log_setcontext(NULL);
-	dns_log_setcontext(NULL);
-	logp = NULL;
-}
-
-void
-setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
-	isc_result_t result;
-	isc_entropysource_t *source = NULL;
-	entropysource_t *elt;
-	int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
-
-	REQUIRE(ectx != NULL);
-
-	if (*ectx == NULL) {
-		result = isc_entropy_create(mctx, ectx);
-		if (result != ISC_R_SUCCESS)
-			fatal("could not create entropy object");
-		ISC_LIST_INIT(sources);
-	}
-
-	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
-		usekeyboard = ISC_ENTROPY_KEYBOARDYES;
-		randomfile = NULL;
-	}
-
-	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
-					   usekeyboard);
-
-	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize entropy source: %s",
-		      isc_result_totext(result));
-
-	if (source != NULL) {
-		elt = isc_mem_get(mctx, sizeof(*elt));
-		if (elt == NULL)
-			fatal("out of memory");
-		elt->source = source;
-		elt->mctx = mctx;
-		ISC_LINK_INIT(elt, link);
-		ISC_LIST_APPEND(sources, elt, link);
-	}
-}
-
-void
-cleanup_entropy(isc_entropy_t **ectx) {
-	entropysource_t *source;
-	while (!ISC_LIST_EMPTY(sources)) {
-		source = ISC_LIST_HEAD(sources);
-		ISC_LIST_UNLINK(sources, source, link);
-		isc_entropy_destroysource(&source->source);
-		isc_mem_put(source->mctx, source, sizeof(*source));
-	}
-	isc_entropy_detach(ectx);
-}
-
-static isc_stdtime_t
-time_units(isc_stdtime_t offset, char *suffix, const char *str) {
-	switch (suffix[0]) {
-	    case 'Y': case 'y':
-		return (offset * (365 * 24 * 3600));
-	    case 'M': case 'm':
-		switch (suffix[1]) {
-		    case 'O': case 'o':
-			return (offset * (30 * 24 * 3600));
-		    case 'I': case 'i':
-			return (offset * 60);
-		    case '\0':
-			fatal("'%s' ambiguous: use 'mi' for minutes "
-			      "or 'mo' for months", str);
-		    default:
-			fatal("time value %s is invalid", str);
-		}
-		/* NOTREACHED */
-		break;
-	    case 'W': case 'w':
-		return (offset * (7 * 24 * 3600));
-	    case 'D': case 'd':
-		return (offset * (24 * 3600));
-	    case 'H': case 'h':
-		return (offset * 3600);
-	    case 'S': case 's': case '\0':
-		return (offset);
-	    default:
-		fatal("time value %s is invalid", str);
-	}
-	/* NOTREACHED */
-	return(0); /* silence compiler warning */
-}
-
-dns_ttl_t
-strtottl(const char *str) {
-	const char *orig = str;
-	dns_ttl_t ttl;
-	char *endp;
-
-	ttl = strtol(str, &endp, 0);
-	if (ttl == 0 && endp == str)
-		fatal("TTL must be numeric");
-	ttl = time_units(ttl, endp, orig);
-	return (ttl);
-}
-
-isc_stdtime_t
-strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
-	isc_int64_t val, offset;
-	isc_result_t result;
-	const char *orig = str;
-	char *endp;
-
-	if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
-		return ((isc_stdtime_t) 0);
-
-	if (strncmp(str, "now", 3) == 0) {
-		base = now;
-		str += 3;
-	}
-
-	if (str[0] == '\0')
-		return ((isc_stdtime_t) base);
-	else if (str[0] == '+') {
-		offset = strtol(str + 1, &endp, 0);
-		offset = time_units((isc_stdtime_t) offset, endp, orig);
-		val = base + offset;
-	} else if (str[0] == '-') {
-		offset = strtol(str + 1, &endp, 0);
-		offset = time_units((isc_stdtime_t) offset, endp, orig);
-		val = base - offset;
-	} else if (strlen(str) == 8U) {
-		char timestr[15];
-		sprintf(timestr, "%s000000", str);
-		result = dns_time64_fromtext(timestr, &val);
-		if (result != ISC_R_SUCCESS)
-			fatal("time value %s is invalid: %s", orig,
-			      isc_result_totext(result));
-	} else if (strlen(str) > 14U) {
-		fatal("time value %s is invalid", orig);
-	} else {
-		result = dns_time64_fromtext(str, &val);
-		if (result != ISC_R_SUCCESS)
-			fatal("time value %s is invalid: %s", orig,
-			      isc_result_totext(result));
-	}
-
-	return ((isc_stdtime_t) val);
-}
-
-dns_rdataclass_t
-strtoclass(const char *str) {
-	isc_textregion_t r;
-	dns_rdataclass_t rdclass;
-	isc_result_t ret;
-
-	if (str == NULL)
-		return dns_rdataclass_in;
-	DE_CONST(str, r.base);
-	r.length = strlen(str);
-	ret = dns_rdataclass_fromtext(&rdclass, &r);
-	if (ret != ISC_R_SUCCESS)
-		fatal("unknown class %s", str);
-	return (rdclass);
-}
-
-isc_result_t
-try_dir(const char *dirname) {
-	isc_result_t result;
-	isc_dir_t d;
-
-	isc_dir_init(&d);
-	result = isc_dir_open(&d, dirname);
-	if (result == ISC_R_SUCCESS) {
-		isc_dir_close(&d);
-	}
-	return (result);
-}
-
-/*
- * Check private key version compatibility.
- */
-void
-check_keyversion(dst_key_t *key, char *keystr) {
-	int major, minor;
-	dst_key_getprivateformat(key, &major, &minor);
-	INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
-
-	if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
-		fatal("Key %s has incompatible format version %d.%d, "
-		      "use -f to force upgrade to new version.",
-		      keystr, major, minor);
-	if (minor > DST_MINOR_VERSION)
-		fatal("Key %s has incompatible format version %d.%d, "
-		      "use -f to force downgrade to current version.",
-		      keystr, major, minor);
-}
-
-void
-set_keyversion(dst_key_t *key) {
-	int major, minor;
-	dst_key_getprivateformat(key, &major, &minor);
-	INSIST(major <= DST_MAJOR_VERSION);
-
-	if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION)
-		dst_key_setprivateformat(key, DST_MAJOR_VERSION,
-					 DST_MINOR_VERSION);
-
-	/*
-	 * If the key is from a version older than 1.3, set
-	 * set the creation date
-	 */
-	if (major < 1 || (major == 1 && minor <= 2)) {
-		isc_stdtime_t now;
-		isc_stdtime_get(&now);
-		dst_key_settime(key, DST_TIME_CREATED, now);
-	}
-}
-
-isc_boolean_t
-key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
-	      isc_mem_t *mctx, isc_boolean_t *exact)
-{
-	isc_result_t result;
-	isc_boolean_t conflict = ISC_FALSE;
-	dns_dnsseckeylist_t matchkeys;
-	dns_dnsseckey_t *key = NULL;
-	isc_uint16_t id, oldid;
-	isc_uint32_t rid, roldid;
-	dns_secalg_t alg;
-
-	if (exact != NULL)
-		*exact = ISC_FALSE;
-
-	id = dst_key_id(dstkey);
-	rid = dst_key_rid(dstkey);
-	alg = dst_key_alg(dstkey);
-
-	ISC_LIST_INIT(matchkeys);
-	result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_FALSE);
-
-	while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
-		key = ISC_LIST_HEAD(matchkeys);
-		if (dst_key_alg(key->key) != alg)
-			goto next;
-
-		oldid = dst_key_id(key->key);
-		roldid = dst_key_rid(key->key);
-
-		if (oldid == rid || roldid == id || id == oldid) {
-			conflict = ISC_TRUE;
-			if (id != oldid) {
-				if (verbose > 1)
-					fprintf(stderr, "Key ID %d could "
-						"collide with %d\n",
-						id, oldid);
-			} else {
-				if (exact != NULL)
-					*exact = ISC_TRUE;
-				if (verbose > 1)
-					fprintf(stderr, "Key ID %d exists\n",
-						id);
-			}
-		}
-
- next:
-		ISC_LIST_UNLINK(matchkeys, key, link);
-		dns_dnsseckey_destroy(mctx, &key);
-	}
-
-	/* Finish freeing the list */
-	while (!ISC_LIST_EMPTY(matchkeys)) {
-		key = ISC_LIST_HEAD(matchkeys);
-		ISC_LIST_UNLINK(matchkeys, key, link);
-		dns_dnsseckey_destroy(mctx, &key);
-	}
-
-	return (conflict);
-}
-
-isc_boolean_t
-is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-	      dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp)
-{
-	dns_rdataset_t nsset;
-	isc_result_t result;
-
-	if (dns_name_equal(name, origin))
-		return (ISC_FALSE);
-
-	dns_rdataset_init(&nsset);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_ns,
-				     0, 0, &nsset, NULL);
-	if (dns_rdataset_isassociated(&nsset)) {
-		if (ttlp != NULL)
-			*ttlp = nsset.ttl;
-		dns_rdataset_disassociate(&nsset);
-	}
-
-	return (ISC_TF(result == ISC_R_SUCCESS));
-}
-
-static isc_boolean_t
-goodsig(dns_name_t *origin, dns_rdata_t *sigrdata, dns_name_t *name,
-	dns_rdataset_t *keyrdataset, dns_rdataset_t *rdataset, isc_mem_t *mctx)
-{
-	dns_rdata_dnskey_t key;
-	dns_rdata_rrsig_t sig;
-	dst_key_t *dstkey = NULL;
-	isc_result_t result;
-
-	result = dns_rdata_tostruct(sigrdata, &sig, NULL);
-	check_result(result, "dns_rdata_tostruct()");
-
-	for (result = dns_rdataset_first(keyrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(keyrdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(keyrdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &key, NULL);
-		check_result(result, "dns_rdata_tostruct()");
-		result = dns_dnssec_keyfromrdata(origin, &rdata, mctx,
-						 &dstkey);
-		if (result != ISC_R_SUCCESS)
-			return (ISC_FALSE);
-		if (sig.algorithm != key.algorithm ||
-		    sig.keyid != dst_key_id(dstkey) ||
-		    !dns_name_equal(&sig.signer, origin)) {
-			dst_key_free(&dstkey);
-			continue;
-		}
-		result = dns_dnssec_verify(name, rdataset, dstkey, ISC_FALSE,
-					   mctx, sigrdata);
-		dst_key_free(&dstkey);
-		if (result == ISC_R_SUCCESS)
-			return(ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-verifynsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	   dns_dbnode_t *node, dns_name_t *nextname)
-{
-	unsigned char buffer[DNS_NSEC_BUFFERSIZE];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char nextbuf[DNS_NAME_FORMATSIZE];
-	char found[DNS_NAME_FORMATSIZE];
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_t tmprdata = DNS_RDATA_INIT;
-	dns_rdata_nsec_t nsec;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
-				     0, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Missing NSEC record for %s\n", namebuf);
-		goto failure;
-	}
-
-	result = dns_rdataset_first(&rdataset);
-	check_result(result, "dns_rdataset_first()");
-
-	dns_rdataset_current(&rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
-	check_result(result, "dns_rdata_tostruct()");
-	/* Check bit next name is consistent */
-	if (!dns_name_equal(&nsec.next, nextname)) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		dns_name_format(nextname, nextbuf, sizeof(nextbuf));
-		dns_name_format(&nsec.next, found, sizeof(found));
-		fprintf(stderr, "Bad NSEC record for %s, next name "
-				"mismatch (expected:%s, found:%s)\n", namebuf,
-				nextbuf, found);
-		goto failure;
-	}
-	/* Check bit map is consistent */
-	result = dns_nsec_buildrdata(db, ver, node, nextname, buffer,
-				     &tmprdata);
-	check_result(result, "dns_nsec_buildrdata()");
-	if (dns_rdata_compare(&rdata, &tmprdata) != 0) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Bad NSEC record for %s, bit map "
-				"mismatch\n", namebuf);
-		goto failure;
-	}
-	result = dns_rdataset_next(&rdataset);
-	if (result != ISC_R_NOMORE) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Multipe NSEC records for %s\n", namebuf);
-		goto failure;
-
-	}
-	dns_rdataset_disassociate(&rdataset);
-	return (ISC_R_SUCCESS);
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	return (ISC_R_FAILURE);
-}
-
-static void
-check_no_rrsig(dns_db_t *db, dns_dbversion_t *ver, dns_rdataset_t *rdataset,
-	       dns_name_t *name, dns_dbnode_t *node)
-{
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char typebuf[80];
-	dns_rdataset_t sigrdataset;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	isc_result_t result;
-
-	dns_rdataset_init(&sigrdataset);
-	result = dns_db_allrdatasets(db, node, ver, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter)) {
-		dns_rdatasetiter_current(rdsiter, &sigrdataset);
-		if (sigrdataset.type == dns_rdatatype_rrsig &&
-		    sigrdataset.covers == rdataset->type)
-			break;
-		dns_rdataset_disassociate(&sigrdataset);
-	}
-	if (result == ISC_R_SUCCESS) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		type_format(rdataset->type, typebuf, sizeof(typebuf));
-		fprintf(stderr, "Warning: Found unexpected signatures for "
-			"%s/%s\n", namebuf, typebuf);
-	}
-	if (dns_rdataset_isassociated(&sigrdataset))
-		dns_rdataset_disassociate(&sigrdataset);
-	dns_rdatasetiter_destroy(&rdsiter);
-}
-
-static isc_boolean_t
-chain_compare(void *arg1, void *arg2) {
-	struct nsec3_chain_fixed *e1 = arg1, *e2 = arg2;
-	size_t len;
-
-	/*
-	 * Do each element in turn to get a stable sort.
-	 */
-	if (e1->hash < e2->hash)
-		return (ISC_TRUE);
-	if (e1->hash > e2->hash)
-		return (ISC_FALSE);
-	if (e1->iterations < e2->iterations)
-		return (ISC_TRUE);
-	if (e1->iterations > e2->iterations)
-		return (ISC_FALSE);
-	if (e1->salt_length < e2->salt_length)
-		return (ISC_TRUE);
-	if (e1->salt_length > e2->salt_length)
-		return (ISC_FALSE);
-	if (e1->next_length < e2->next_length)
-		return (ISC_TRUE);
-	if (e1->next_length > e2->next_length)
-		return (ISC_FALSE);
-	len = e1->salt_length + 2 * e1->next_length;
-	if (memcmp(e1 + 1, e2 + 1, len) < 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-static isc_boolean_t
-chain_equal(struct nsec3_chain_fixed *e1, struct nsec3_chain_fixed *e2) {
-	size_t len;
-
-	if (e1->hash != e2->hash)
-		return (ISC_FALSE);
-	if (e1->iterations != e2->iterations)
-		return (ISC_FALSE);
-	if (e1->salt_length != e2->salt_length)
-		return (ISC_FALSE);
-	if (e1->next_length != e2->next_length)
-		return (ISC_FALSE);
-	len = e1->salt_length + 2 * e1->next_length;
-	if (memcmp(e1 + 1, e2 + 1, len) != 0)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-static isc_result_t
-record_nsec3(const unsigned char *rawhash, const dns_rdata_nsec3_t *nsec3,
-	     isc_mem_t *mctx, isc_heap_t *chains)
-{
-	struct nsec3_chain_fixed *element;
-	size_t len;
-	unsigned char *cp;
-	isc_result_t result;
-
-	len = sizeof(*element) + nsec3->next_length * 2 + nsec3->salt_length;
-
-	element = isc_mem_get(mctx, len);
-	if (element == NULL)
-		return (ISC_R_NOMEMORY);
-	memset(element, 0, len);
-	element->hash = nsec3->hash;
-	element->salt_length = nsec3->salt_length;
-	element->next_length = nsec3->next_length;
-	element->iterations = nsec3->iterations;
-	cp = (unsigned char *)(element + 1);
-	memcpy(cp, nsec3->salt, nsec3->salt_length);
-	cp += nsec3->salt_length;
-	memcpy(cp, rawhash, nsec3->next_length);
-	cp += nsec3->next_length;
-	memcpy(cp, nsec3->next, nsec3->next_length);
-	result = isc_heap_insert(chains, element);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "isc_heap_insert failed: %s\n",
-			isc_result_totext(result));
-		isc_mem_put(mctx, element, len);
-	}
-	return (result);
-}
-
-static isc_result_t
-match_nsec3(dns_name_t *name, isc_mem_t *mctx,
-	    dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset,
-	    unsigned char types[8192], unsigned int maxtype,
-	    unsigned char *rawhash, size_t rhsize)
-{
-	unsigned char cbm[8244];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	dns_rdata_nsec3_t nsec3;
-	isc_result_t result;
-	unsigned int len;
-
-	/*
-	 * Find matching NSEC3 record.
-	 */
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
-		check_result(result, "dns_rdata_tostruct()");
-		if (nsec3.hash == nsec3param->hash &&
-		    nsec3.next_length == rhsize &&
-		    nsec3.iterations == nsec3param->iterations &&
-		    nsec3.salt_length == nsec3param->salt_length &&
-		    memcmp(nsec3.salt, nsec3param->salt,
-			   nsec3param->salt_length) == 0)
-			break;
-	}
-	if (result != ISC_R_SUCCESS) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Missing NSEC3 record for %s\n", namebuf);
-		return (result);
-	}
-
-	/*
-	 * Check the type list.
-	 */
-	len = dns_nsec_compressbitmap(cbm, types, maxtype);
-	if (nsec3.len != len || memcmp(cbm, nsec3.typebits, len) != 0) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		fprintf(stderr, "Bad NSEC3 record for %s, bit map "
-				"mismatch\n", namebuf);
-		return (ISC_R_FAILURE);
-	}
-
-	/*
-	 * Record chain.
-	 */
-	result = record_nsec3(rawhash, &nsec3, mctx, expected_chains);
-	check_result(result, "record_nsec3()");
-
-	/*
-	 * Make sure there is only one NSEC3 record with this set of
-	 * parameters.
-	 */
-	for (result = dns_rdataset_next(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
-		check_result(result, "dns_rdata_tostruct()");
-		if (nsec3.hash == nsec3param->hash &&
-		    nsec3.iterations == nsec3param->iterations &&
-		    nsec3.salt_length == nsec3param->salt_length &&
-		    memcmp(nsec3.salt, nsec3param->salt,
-			   nsec3.salt_length) == 0) {
-			dns_name_format(name, namebuf, sizeof(namebuf));
-			fprintf(stderr, "Multiple NSEC3 records with the "
-				"same parameter set for %s", namebuf);
-			result = DNS_R_DUPLICATE;
-			break;
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		return (result);
-
-	result = ISC_R_SUCCESS;
-	return (result);
-}
-
-static isc_boolean_t
-innsec3params(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *nsec3paramset) {
-	dns_rdata_nsec3param_t nsec3param;
-	isc_result_t result;
-
-	for (result = dns_rdataset_first(nsec3paramset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(nsec3paramset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(nsec3paramset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
-		check_result(result, "dns_rdata_tostruct()");
-		if (nsec3param.flags == 0 &&
-		    nsec3param.hash == nsec3->hash &&
-		    nsec3param.iterations == nsec3->iterations &&
-		    nsec3param.salt_length == nsec3->salt_length &&
-		    memcmp(nsec3param.salt, nsec3->salt,
-			   nsec3->salt_length) == 0)
-			return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-record_found(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
-	     dns_name_t *name, dns_dbnode_t *node,
-	     dns_rdataset_t *nsec3paramset)
-{
-	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
-	dns_rdata_nsec3_t nsec3;
-	dns_rdataset_t rdataset;
-	dns_label_t hashlabel;
-	isc_buffer_t b;
-	isc_result_t result;
-
-	if (nsec3paramset == NULL || !dns_rdataset_isassociated(nsec3paramset))
-		return (ISC_R_SUCCESS);
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
-				     0, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_R_SUCCESS);
-
-	dns_name_getlabel(name, 0, &hashlabel);
-	isc_region_consume(&hashlabel, 1);
-	isc_buffer_init(&b, owner, sizeof(owner));
-	result = isc_base32hex_decoderegion(&hashlabel, &b);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
-		check_result(result, "dns_rdata_tostruct()");
-		if (nsec3.next_length != isc_buffer_usedlength(&b))
-			continue;
-		/*
-		 * We only care about NSEC3 records that match a NSEC3PARAM
-		 * record.
-		 */
-		if (!innsec3params(&nsec3, nsec3paramset))
-			continue;
-
-		/*
-		 * Record chain.
-		 */
-		result = record_nsec3(owner, &nsec3, mctx, found_chains);
-		check_result(result, "record_nsec3()");
-	}
-
- cleanup:
-	dns_rdataset_disassociate(&rdataset);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-isoptout(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-	 dns_rdata_t *nsec3rdata)
-{
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_nsec3_t nsec3;
-	dns_rdata_nsec3param_t nsec3param;
-	dns_fixedname_t fixed;
-	dns_name_t *hashname;
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
-	size_t rhsize = sizeof(rawhash);
-	isc_boolean_t ret;
-
-	result = dns_rdata_tostruct(nsec3rdata, &nsec3param, NULL);
-	check_result(result, "dns_rdata_tostruct()");
-
-	dns_fixedname_init(&fixed);
-	result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, origin, origin,
-				    nsec3param.hash, nsec3param.iterations,
-				    nsec3param.salt, nsec3param.salt_length);
-	check_result(result, "dns_nsec3_hashname()");
-
-	dns_rdataset_init(&rdataset);
-	hashname = dns_fixedname_name(&fixed);
-	result = dns_db_findnsec3node(db, hashname, ISC_FALSE, &node);
-	if (result == ISC_R_SUCCESS)
-		result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
-					     0, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-
-	result = dns_rdataset_first(&rdataset);
-	check_result(result, "dns_rdataset_first()");
-
-	dns_rdataset_current(&rdataset, &rdata);
-
-	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
-	if (result != ISC_R_SUCCESS)
-		ret = ISC_FALSE;
-	else
-		ret = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
-
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-
-	return (ret);
-}
-
-static isc_result_t
-verifynsec3(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-	    isc_mem_t *mctx, dns_name_t *name, dns_rdata_t *rdata,
-	    isc_boolean_t delegation, isc_boolean_t empty,
-	    unsigned char types[8192], unsigned int maxtype)
-{
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char hashbuf[DNS_NAME_FORMATSIZE];
-	dns_rdataset_t rdataset;
-	dns_rdata_nsec3param_t nsec3param;
-	dns_fixedname_t fixed;
-	dns_name_t *hashname;
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	unsigned char rawhash[NSEC3_MAX_HASH_LENGTH];
-	size_t rhsize = sizeof(rawhash);
-	isc_boolean_t optout;
-
-	result = dns_rdata_tostruct(rdata, &nsec3param, NULL);
-	check_result(result, "dns_rdata_tostruct()");
-
-	if (nsec3param.flags != 0)
-		return (ISC_R_SUCCESS);
-
-	if (!dns_nsec3_supportedhash(nsec3param.hash))
-		return (ISC_R_SUCCESS);
-
-	optout = isoptout(db, ver, origin, rdata);
-
-	dns_fixedname_init(&fixed);
-	result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, name, origin,
-				    nsec3param.hash, nsec3param.iterations,
-				    nsec3param.salt, nsec3param.salt_length);
-	check_result(result, "dns_nsec3_hashname()");
-
-	/*
-	 * We don't use dns_db_find() here as it works with the choosen
-	 * nsec3 chain and we may also be called with uncommitted data
-	 * from dnssec-signzone so the secure status of the zone may not
-	 * be up to date.
-	 */
-	dns_rdataset_init(&rdataset);
-	hashname = dns_fixedname_name(&fixed);
-	result = dns_db_findnsec3node(db, hashname, ISC_FALSE, &node);
-	if (result == ISC_R_SUCCESS)
-		result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
-					     0, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS &&
-	    (!delegation || (empty && !optout) ||
-	     (!empty && dns_nsec_isset(types, dns_rdatatype_ds))))
-	{
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		dns_name_format(hashname, hashbuf, sizeof(hashbuf));
-		fprintf(stderr, "Missing NSEC3 record for %s (%s)\n",
-			namebuf, hashbuf);
-	} else if (result == ISC_R_NOTFOUND &&
-		   delegation && (!empty || optout))
-	{
-		result = ISC_R_SUCCESS;
-	} else if (result == ISC_R_SUCCESS) {
-		result = match_nsec3(name, mctx, &nsec3param, &rdataset,
-				     types, maxtype, rawhash, rhsize);
-	}
-
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-static isc_result_t
-verifynsec3s(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-	     isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *nsec3paramset,
-	     isc_boolean_t delegation, isc_boolean_t empty,
-	     unsigned char types[8192], unsigned int maxtype)
-{
-	isc_result_t result;
-
-	for (result = dns_rdataset_first(nsec3paramset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(nsec3paramset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(nsec3paramset, &rdata);
-		result = verifynsec3(db, ver, origin, mctx, name, &rdata,
-				     delegation, empty, types, maxtype);
-		if (result != ISC_R_SUCCESS)
-			break;
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-static void
-verifyset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-	  isc_mem_t *mctx, dns_rdataset_t *rdataset, dns_name_t *name,
-	  dns_dbnode_t *node, dns_rdataset_t *keyrdataset,
-	  unsigned char *act_algorithms, unsigned char *bad_algorithms)
-{
-	unsigned char set_algorithms[256];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char algbuf[80];
-	char typebuf[80];
-	dns_rdataset_t sigrdataset;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	isc_result_t result;
-	int i;
-
-	dns_rdataset_init(&sigrdataset);
-	result = dns_db_allrdatasets(db, node, ver, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter)) {
-		dns_rdatasetiter_current(rdsiter, &sigrdataset);
-		if (sigrdataset.type == dns_rdatatype_rrsig &&
-		    sigrdataset.covers == rdataset->type)
-			break;
-		dns_rdataset_disassociate(&sigrdataset);
-	}
-	if (result != ISC_R_SUCCESS) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		type_format(rdataset->type, typebuf, sizeof(typebuf));
-		fprintf(stderr, "No signatures for %s/%s\n", namebuf, typebuf);
-		for (i = 0; i < 256; i++)
-			if (act_algorithms[i] != 0)
-				bad_algorithms[i] = 1;
-		dns_rdatasetiter_destroy(&rdsiter);
-		return;
-	}
-
-	memset(set_algorithms, 0, sizeof(set_algorithms));
-	for (result = dns_rdataset_first(&sigrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&sigrdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdata_rrsig_t sig;
-
-		dns_rdataset_current(&sigrdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &sig, NULL);
-		check_result(result, "dns_rdata_tostruct()");
-		if (rdataset->ttl != sig.originalttl) {
-			dns_name_format(name, namebuf, sizeof(namebuf));
-			type_format(rdataset->type, typebuf, sizeof(typebuf));
-			fprintf(stderr, "TTL mismatch for %s %s keytag %u\n",
-				namebuf, typebuf, sig.keyid);
-			continue;
-		}
-		if ((set_algorithms[sig.algorithm] != 0) ||
-		    (act_algorithms[sig.algorithm] == 0))
-			continue;
-		if (goodsig(origin, &rdata, name, keyrdataset, rdataset, mctx))
-			set_algorithms[sig.algorithm] = 1;
-	}
-	dns_rdatasetiter_destroy(&rdsiter);
-	if (memcmp(set_algorithms, act_algorithms, sizeof(set_algorithms))) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		type_format(rdataset->type, typebuf, sizeof(typebuf));
-		for (i = 0; i < 256; i++)
-			if ((act_algorithms[i] != 0) &&
-			    (set_algorithms[i] == 0)) {
-				dns_secalg_format(i, algbuf, sizeof(algbuf));
-				fprintf(stderr, "No correct %s signature for "
-					"%s %s\n", algbuf, namebuf, typebuf);
-				bad_algorithms[i] = 1;
-			}
-	}
-	dns_rdataset_disassociate(&sigrdataset);
-}
-
-static isc_result_t
-verifynode(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-	   isc_mem_t *mctx, dns_name_t *name, dns_dbnode_t *node,
-	   isc_boolean_t delegation, dns_rdataset_t *keyrdataset,
-	   unsigned char *act_algorithms, unsigned char *bad_algorithms,
-	   dns_rdataset_t *nsecset, dns_rdataset_t *nsec3paramset,
-	   dns_name_t *nextname)
-{
-	unsigned char types[8192];
-	unsigned int maxtype = 0;
-	dns_rdataset_t rdataset; dns_rdatasetiter_t *rdsiter = NULL;
-	isc_result_t result, tresult;
-
-	memset(types, 0, sizeof(types));
-	result = dns_db_allrdatasets(db, node, ver, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	result = dns_rdatasetiter_first(rdsiter);
-	dns_rdataset_init(&rdataset);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		/*
-		 * If we are not at a delegation then everything should be
-		 * signed.  If we are at a delegation then only the DS set
-		 * is signed.  The NS set is not signed at a delegation but
-		 * its existance is recorded in the bit map.  Anything else
-		 * other than NSEC and DS is not signed at a delegation.
-		 */
-		if (rdataset.type != dns_rdatatype_rrsig &&
-		    rdataset.type != dns_rdatatype_dnskey &&
-		    (!delegation || rdataset.type == dns_rdatatype_ds ||
-		     rdataset.type == dns_rdatatype_nsec)) {
-			verifyset(db, ver, origin, mctx, &rdataset,
-				  name, node, keyrdataset,
-				  act_algorithms, bad_algorithms);
-			dns_nsec_setbit(types, rdataset.type, 1);
-			if (rdataset.type > maxtype)
-				maxtype = rdataset.type;
-		} else if (rdataset.type != dns_rdatatype_rrsig &&
-			   rdataset.type != dns_rdatatype_dnskey) {
-			if (rdataset.type == dns_rdatatype_ns)
-				dns_nsec_setbit(types, rdataset.type, 1);
-			check_no_rrsig(db, ver, &rdataset, name, node);
-		} else
-			dns_nsec_setbit(types, rdataset.type, 1);
-		dns_rdataset_disassociate(&rdataset);
-		result = dns_rdatasetiter_next(rdsiter);
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration failed: %s",
-		      isc_result_totext(result));
-	dns_rdatasetiter_destroy(&rdsiter);
-
-	result = ISC_R_SUCCESS;
-
-	if (nsecset != NULL && dns_rdataset_isassociated(nsecset))
-		result = verifynsec(db, ver, name, node, nextname);
-
-	if (nsec3paramset != NULL && dns_rdataset_isassociated(nsec3paramset)) {
-		tresult = verifynsec3s(db, ver, origin, mctx, name,
-				       nsec3paramset, delegation, ISC_FALSE,
-				       types, maxtype);
-		if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS)
-			result = tresult;
-	}
-	return (result);
-}
-
-static isc_boolean_t
-is_empty(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
-	dns_rdatasetiter_t *rdsiter = NULL;
-	isc_result_t result;
-
-	result = dns_db_allrdatasets(db, node, ver, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	result = dns_rdatasetiter_first(rdsiter);
-	dns_rdatasetiter_destroy(&rdsiter);
-	if (result == ISC_R_NOMORE)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-static void
-check_no_nsec(dns_name_t *name, dns_dbnode_t *node, dns_db_t *db,
-	      dns_dbversion_t *ver)
-{
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
-				     0, 0, &rdataset, NULL);
-	if (result != ISC_R_NOTFOUND) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		fatal("unexpected NSEC RRset at %s\n", namebuf);
-	}
-
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-}
-
-static isc_boolean_t
-newchain(const struct nsec3_chain_fixed *first,
-	 const struct nsec3_chain_fixed *e)
-{
-	if (first->hash != e->hash ||
-	    first->iterations != e->iterations ||
-	    first->salt_length != e->salt_length ||
-	    first->next_length != e->next_length ||
-	    memcmp(first + 1, e + 1, first->salt_length) != 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-static void
-free_element(isc_mem_t *mctx, struct nsec3_chain_fixed *e) {
-	size_t len;
-
-	len = sizeof(*e) + e->salt_length + 2 * e->next_length;
-	isc_mem_put(mctx, e, len);
-}
-
-static isc_boolean_t
-checknext(const struct nsec3_chain_fixed *first,
-	  const struct nsec3_chain_fixed *e)
-{
-	char buf[512];
-	const unsigned char *d1 = (const unsigned char *)(first + 1);
-	const unsigned char *d2 = (const unsigned char *)(e + 1);
-	isc_buffer_t b;
-	isc_region_t sr;
-
-	d1 += first->salt_length + first->next_length;
-	d2 += e->salt_length;
-
-	if (memcmp(d1, d2, first->next_length) == 0)
-		return (ISC_TRUE);
-
-	DE_CONST(d1 - first->next_length, sr.base);
-	sr.length = first->next_length;
-	isc_buffer_init(&b, buf, sizeof(buf));
-	isc_base32hex_totext(&sr, 1, "", &b);
-	fprintf(stderr, "Break in NSEC3 chain at: %.*s\n",
-		(int) isc_buffer_usedlength(&b), buf);
-
-	DE_CONST(d1, sr.base);
-	sr.length = first->next_length;
-	isc_buffer_init(&b, buf, sizeof(buf));
-	isc_base32hex_totext(&sr, 1, "", &b);
-	fprintf(stderr, "Expected: %.*s\n", (int) isc_buffer_usedlength(&b),
-		buf);
-
-	DE_CONST(d2, sr.base);
-	sr.length = first->next_length;
-	isc_buffer_init(&b, buf, sizeof(buf));
-	isc_base32hex_totext(&sr, 1, "", &b);
-	fprintf(stderr, "Found: %.*s\n", (int) isc_buffer_usedlength(&b), buf);
-
-	return (ISC_FALSE);
-}
-
-#define EXPECTEDANDFOUND "Expected and found NSEC3 chains not equal\n"
-
-static isc_result_t
-verify_nsec3_chains(isc_mem_t *mctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	struct nsec3_chain_fixed *e, *f = NULL;
-	struct nsec3_chain_fixed *first = NULL, *prev = NULL;
-
-	while ((e = isc_heap_element(expected_chains, 1)) != NULL) {
-		isc_heap_delete(expected_chains, 1);
-		if (f == NULL)
-			f = isc_heap_element(found_chains, 1);
-		if (f != NULL) {
-			isc_heap_delete(found_chains, 1);
-
-			/*
-			 * Check that they match.
-			 */
-			if (chain_equal(e, f)) {
-				free_element(mctx, f);
-				f = NULL;
-			} else {
-				if (result == ISC_R_SUCCESS)
-					fprintf(stderr, EXPECTEDANDFOUND);
-				result = ISC_R_FAILURE;
-				/*
-				 * Attempt to resync found_chain.
-				 */
-				while (f != NULL && !chain_compare(e, f)) {
-					free_element(mctx, f);
-					f = isc_heap_element(found_chains, 1);
-					if (f != NULL)
-						isc_heap_delete(found_chains, 1);
-					if (f != NULL && chain_equal(e, f)) {
-						free_element(mctx, f);
-						f = NULL;
-						break;
-					}
-				}
-			}
-		} else if (result == ISC_R_SUCCESS) {
-			fprintf(stderr, EXPECTEDANDFOUND);
-			result = ISC_R_FAILURE;
-		}
-		if (first == NULL || newchain(first, e)) {
-			if (prev != NULL) {
-				if (!checknext(prev, first))
-					result = ISC_R_FAILURE;
-				if (prev != first)
-					free_element(mctx, prev);
-			}
-			if (first != NULL)
-				free_element(mctx, first);
-			prev = first = e;
-			continue;
-		}
-		if (!checknext(prev, e))
-			result = ISC_R_FAILURE;
-		if (prev != first)
-			free_element(mctx, prev);
-		prev = e;
-	}
-	if (prev != NULL) {
-		if (!checknext(prev, first))
-			result = ISC_R_FAILURE;
-		if (prev != first)
-			free_element(mctx, prev);
-	}
-	if (first != NULL)
-		free_element(mctx, first);
-	do {
-		if (f != NULL) {
-			if (result == ISC_R_SUCCESS) {
-				fprintf(stderr, EXPECTEDANDFOUND);
-				result = ISC_R_FAILURE;
-			}
-			free_element(mctx, f);
-		}
-		f = isc_heap_element(found_chains, 1);
-		if (f != NULL)
-			isc_heap_delete(found_chains, 1);
-	} while (f != NULL);
-
-	return (result);
-}
-
-static isc_result_t
-verifyemptynodes(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-		 isc_mem_t *mctx, dns_name_t *name, dns_name_t *prevname,
-		 isc_boolean_t isdelegation, dns_rdataset_t *nsec3paramset)
-{
-	dns_namereln_t reln;
-	int order;
-	unsigned int labels, nlabels, i;
-	dns_name_t suffix;
-	isc_result_t result = ISC_R_SUCCESS, tresult;
-
-	reln = dns_name_fullcompare(prevname, name, &order, &labels);
-	if (order >= 0)
-		return (result);
-
-	nlabels = dns_name_countlabels(name);
-
-	if (reln == dns_namereln_commonancestor ||
-	    reln == dns_namereln_contains) {
-		dns_name_init(&suffix, NULL);
-		for (i = labels + 1; i < nlabels; i++) {
-			dns_name_getlabelsequence(name, nlabels - i, i,
-						  &suffix);
-			if (nsec3paramset != NULL &&
-			     dns_rdataset_isassociated(nsec3paramset)) {
-				tresult = verifynsec3s(db, ver, origin, mctx,
-						       &suffix, nsec3paramset,
-						       isdelegation, ISC_TRUE,
-						       NULL, 0);
-				if (result == ISC_R_SUCCESS &&
-				    tresult != ISC_R_SUCCESS)
-					result = tresult;
-			}
-		}
-	}
-	return (result);
-}
-
-/*%
- * Verify that certain things are sane:
- *
- *   The apex has a DNSKEY record with at least one KSK, and at least
- *   one ZSK if the -x flag was not used.
- *
- *   The DNSKEY record was signed with at least one of the KSKs in this
- *   set.
- *
- *   The rest of the zone was signed with at least one of the ZSKs
- *   present in the DNSKEY RRSET.
- */
-void
-verifyzone(dns_db_t *db, dns_dbversion_t *ver,
-	   dns_name_t *origin, isc_mem_t *mctx,
-	   isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly)
-{
-	char algbuf[80];
-	dns_dbiterator_t *dbiter = NULL;
-	dns_dbnode_t *node = NULL, *nextnode = NULL;
-	dns_fixedname_t fname, fnextname, fprevname, fzonecut;
-	dns_name_t *name, *nextname, *prevname, *zonecut;
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t keyset, soaset;
-	dns_rdataset_t keysigs, soasigs;
-	dns_rdataset_t nsecset, nsecsigs;
-	dns_rdataset_t nsec3paramset, nsec3paramsigs;
-	int i;
-	isc_boolean_t done = ISC_FALSE;
-	isc_boolean_t first = ISC_TRUE;
-	isc_boolean_t goodksk = ISC_FALSE;
-	isc_boolean_t goodzsk = ISC_FALSE;
-	isc_result_t result, vresult = ISC_R_UNSET;
-	unsigned char revoked_ksk[256];
-	unsigned char revoked_zsk[256];
-	unsigned char standby_ksk[256];
-	unsigned char standby_zsk[256];
-	unsigned char ksk_algorithms[256];
-	unsigned char zsk_algorithms[256];
-	unsigned char bad_algorithms[256];
-	unsigned char act_algorithms[256];
-
-	result = isc_heap_create(mctx, chain_compare, NULL, 1024,
-				 &expected_chains);
-	check_result(result, "isc_heap_create()");
-	result = isc_heap_create(mctx, chain_compare, NULL, 1024,
-				 &found_chains);
-	check_result(result, "isc_heap_create()");
-
-	result = dns_db_findnode(db, origin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to find the zone's origin: %s",
-		      isc_result_totext(result));
-
-	dns_rdataset_init(&keyset);
-	dns_rdataset_init(&keysigs);
-	dns_rdataset_init(&soaset);
-	dns_rdataset_init(&soasigs);
-	dns_rdataset_init(&nsecset);
-	dns_rdataset_init(&nsecsigs);
-	dns_rdataset_init(&nsec3paramset);
-	dns_rdataset_init(&nsec3paramsigs);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
-				     0, 0, &keyset, &keysigs);
-	if (result != ISC_R_SUCCESS)
-		fatal("Zone contains no DNSSEC keys\n");
-
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
-				     0, 0, &soaset, &soasigs);
-	if (result != ISC_R_SUCCESS)
-		fatal("Zone contains no SOA record\n");
-
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
-				     0, 0, &nsecset, &nsecsigs);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-		fatal("NSEC lookup failed\n");
-
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
-				     0, 0, &nsec3paramset, &nsec3paramsigs);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-		fatal("NSEC3PARAM lookup failed\n");
-
-	if (!dns_rdataset_isassociated(&keysigs))
-		fatal("DNSKEY is not signed (keys offline or inactive?)\n");
-
-	if (!dns_rdataset_isassociated(&soasigs))
-		fatal("SOA is not signed (keys offline or inactive?)\n");
-
-	if (dns_rdataset_isassociated(&nsecset) &&
-	    !dns_rdataset_isassociated(&nsecsigs))
-		fatal("NSEC is not signed (keys offline or inactive?)\n");
-
-	if (dns_rdataset_isassociated(&nsec3paramset) &&
-	    !dns_rdataset_isassociated(&nsec3paramsigs))
-		fatal("NSEC3PARAM is not signed (keys offline or inactive?)\n");
-
-	if (!dns_rdataset_isassociated(&nsecset) &&
-	    !dns_rdataset_isassociated(&nsec3paramset))
-		fatal("No valid NSEC/NSEC3 chain for testing\n");
-
-	dns_db_detachnode(db, &node);
-
-	memset(revoked_ksk, 0, sizeof(revoked_ksk));
-	memset(revoked_zsk, 0, sizeof(revoked_zsk));
-	memset(standby_ksk, 0, sizeof(standby_ksk));
-	memset(standby_zsk, 0, sizeof(standby_zsk));
-	memset(ksk_algorithms, 0, sizeof(ksk_algorithms));
-	memset(zsk_algorithms, 0, sizeof(zsk_algorithms));
-	memset(bad_algorithms, 0, sizeof(bad_algorithms));
-	memset(act_algorithms, 0, sizeof(act_algorithms));
-
-	/*
-	 * Check that the DNSKEY RR has at least one self signing KSK
-	 * and one ZSK per algorithm in it (or, if -x was used, one
-	 * self-signing KSK).
-	 */
-	for (result = dns_rdataset_first(&keyset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&keyset)) {
-		dns_rdataset_current(&keyset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
-		check_result(result, "dns_rdata_tostruct");
-
-		if ((dnskey.flags & DNS_KEYOWNER_ZONE) == 0)
-			;
-		else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
-			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
-			    !dns_dnssec_selfsigns(&rdata, origin, &keyset,
-						  &keysigs, ISC_FALSE,
-						  mctx)) {
-				char namebuf[DNS_NAME_FORMATSIZE];
-				char buffer[1024];
-				isc_buffer_t buf;
-
-				dns_name_format(origin, namebuf,
-						sizeof(namebuf));
-				isc_buffer_init(&buf, buffer, sizeof(buffer));
-				result = dns_rdata_totext(&rdata, NULL, &buf);
-				check_result(result, "dns_rdata_totext");
-				fatal("revoked KSK is not self signed:\n"
-				      "%s DNSKEY %.*s", namebuf,
-				      (int)isc_buffer_usedlength(&buf), buffer);
-			}
-			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
-			     revoked_ksk[dnskey.algorithm] != 255)
-				revoked_ksk[dnskey.algorithm]++;
-			else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
-				 revoked_zsk[dnskey.algorithm] != 255)
-				revoked_zsk[dnskey.algorithm]++;
-		} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
-			if (dns_dnssec_selfsigns(&rdata, origin, &keyset,
-						 &keysigs, ISC_FALSE, mctx)) {
-				if (ksk_algorithms[dnskey.algorithm] != 255)
-					ksk_algorithms[dnskey.algorithm]++;
-				goodksk = ISC_TRUE;
-			} else {
-				if (standby_ksk[dnskey.algorithm] != 255)
-					standby_ksk[dnskey.algorithm]++;
-			}
-		} else if (dns_dnssec_selfsigns(&rdata, origin, &keyset,
-						&keysigs, ISC_FALSE, mctx)) {
-			if (zsk_algorithms[dnskey.algorithm] != 255)
-				zsk_algorithms[dnskey.algorithm]++;
-			goodzsk = ISC_TRUE;
-		} else if (dns_dnssec_signs(&rdata, origin, &soaset,
-					    &soasigs, ISC_FALSE, mctx)) {
-			if (zsk_algorithms[dnskey.algorithm] != 255)
-				zsk_algorithms[dnskey.algorithm]++;
-		} else {
-			if (standby_zsk[dnskey.algorithm] != 255)
-				standby_zsk[dnskey.algorithm]++;
-		}
-		dns_rdata_freestruct(&dnskey);
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&keysigs);
-	dns_rdataset_disassociate(&soaset);
-	dns_rdataset_disassociate(&soasigs);
-	if (dns_rdataset_isassociated(&nsecsigs))
-		dns_rdataset_disassociate(&nsecsigs);
-	if (dns_rdataset_isassociated(&nsec3paramsigs))
-		dns_rdataset_disassociate(&nsec3paramsigs);
-
-	if (ignore_kskflag ) {
-		if (!goodksk && !goodzsk)
-			fatal("No self-signed DNSKEY found.");
-	} else if (!goodksk)
-		fatal("No self-signed KSK DNSKEY found.  Supply an active\n"
-		      "key with the KSK flag set, or use '-P'.");
-
-	fprintf(stderr, "Verifying the zone using the following algorithms:");
-	for (i = 0; i < 256; i++) {
-		if (ignore_kskflag)
-			act_algorithms[i] = (ksk_algorithms[i] != 0 ||
-					     zsk_algorithms[i] != 0) ? 1 : 0;
-		else
-			act_algorithms[i] = ksk_algorithms[i] != 0 ? 1 : 0;
-		if (act_algorithms[i] != 0) {
-			dns_secalg_format(i, algbuf, sizeof(algbuf));
-			fprintf(stderr, " %s", algbuf);
-		}
-	}
-	fprintf(stderr, ".\n");
-
-	if (!ignore_kskflag && !keyset_kskonly) {
-		for (i = 0; i < 256; i++) {
-			/*
-			 * The counts should both be zero or both be non-zero.
-			 * Mark the algorithm as bad if this is not met.
-			 */
-			if ((ksk_algorithms[i] != 0) ==
-			    (zsk_algorithms[i] != 0))
-				continue;
-			dns_secalg_format(i, algbuf, sizeof(algbuf));
-			fprintf(stderr, "Missing %s for algorithm %s\n",
-				(ksk_algorithms[i] != 0)
-				   ? "ZSK"
-				   : "self-signed KSK",
-				algbuf);
-			bad_algorithms[i] = 1;
-		}
-	}
-
-	/*
-	 * Check that all the other records were signed by keys that are
-	 * present in the DNSKEY RRSET.
-	 */
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	dns_fixedname_init(&fnextname);
-	nextname = dns_fixedname_name(&fnextname);
-	dns_fixedname_init(&fprevname);
-	prevname = NULL;
-	dns_fixedname_init(&fzonecut);
-	zonecut = NULL;
-
-	result = dns_db_createiterator(db, DNS_DB_NONSEC3, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	result = dns_dbiterator_first(dbiter);
-	check_result(result, "dns_dbiterator_first()");
-
-	while (!done) {
-		isc_boolean_t isdelegation = ISC_FALSE;
-
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		if (!dns_name_issubdomain(name, origin)) {
-			check_no_nsec(name, node, db, ver);
-			dns_db_detachnode(db, &node);
-			result = dns_dbiterator_next(dbiter);
-			if (result == ISC_R_NOMORE)
-				done = ISC_TRUE;
-			else
-				check_result(result, "dns_dbiterator_next()");
-			continue;
-		}
-		if (is_delegation(db, ver, origin, name, node, NULL)) {
-			zonecut = dns_fixedname_name(&fzonecut);
-			dns_name_copy(name, zonecut, NULL);
-			isdelegation = ISC_TRUE;
-		}
-		nextnode = NULL;
-		result = dns_dbiterator_next(dbiter);
-		while (result == ISC_R_SUCCESS) {
-			result = dns_dbiterator_current(dbiter, &nextnode,
-							nextname);
-			check_dns_dbiterator_current(result);
-			if (!dns_name_issubdomain(nextname, origin) ||
-			    (zonecut != NULL &&
-			     dns_name_issubdomain(nextname, zonecut)))
-			{
-				check_no_nsec(nextname, nextnode, db, ver);
-				dns_db_detachnode(db, &nextnode);
-				result = dns_dbiterator_next(dbiter);
-				continue;
-			}
-			if (is_empty(db, ver, nextnode)) {
-				dns_db_detachnode(db, &nextnode);
-				result = dns_dbiterator_next(dbiter);
-				continue;
-			}
-			dns_db_detachnode(db, &nextnode);
-			break;
-		}
-		if (result == ISC_R_NOMORE) {
-			done = ISC_TRUE;
-			nextname = origin;
-		} else if (result != ISC_R_SUCCESS)
-			fatal("iterating through the database failed: %s",
-			      isc_result_totext(result));
-		result = verifynode(db, ver, origin, mctx, name, node,
-				    isdelegation, &keyset, act_algorithms,
-				    bad_algorithms, &nsecset, &nsec3paramset,
-				    nextname);
-		if (vresult == ISC_R_UNSET)
-			vresult = ISC_R_SUCCESS;
-		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
-			vresult = result;
-		if (prevname != NULL) {
-			result = verifyemptynodes(db, ver, origin, mctx, name,
-						  prevname, isdelegation,
-						  &nsec3paramset);
-		} else
-			prevname = dns_fixedname_name(&fprevname);
-		dns_name_copy(name, prevname, NULL);
-		if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
-			vresult = result;
-		dns_db_detachnode(db, &node);
-	}
-
-	dns_dbiterator_destroy(&dbiter);
-
-	result = dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbiter);
-	check_result(result, "dns_db_createiterator()");
-
-	for (result = dns_dbiterator_first(dbiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiter) ) {
-		result = dns_dbiterator_current(dbiter, &node, name);
-		check_dns_dbiterator_current(result);
-		result = verifynode(db, ver, origin, mctx, name, node,
-				    ISC_FALSE, &keyset, act_algorithms,
-				    bad_algorithms, NULL, NULL, NULL);
-		check_result(result, "verifynode");
-		record_found(db, ver, mctx, name, node, &nsec3paramset);
-		dns_db_detachnode(db, &node);
-	}
-	dns_dbiterator_destroy(&dbiter);
-
-	dns_rdataset_disassociate(&keyset);
-	if (dns_rdataset_isassociated(&nsecset))
-		dns_rdataset_disassociate(&nsecset);
-	if (dns_rdataset_isassociated(&nsec3paramset))
-		dns_rdataset_disassociate(&nsec3paramset);
-
-	result = verify_nsec3_chains(mctx);
-	if (vresult == ISC_R_UNSET)
-		vresult = ISC_R_SUCCESS;
-	if (result != ISC_R_SUCCESS && vresult == ISC_R_SUCCESS)
-		vresult = result;
-	isc_heap_destroy(&expected_chains);
-	isc_heap_destroy(&found_chains);
-
-	/*
-	 * If we made it this far, we have what we consider a properly signed
-	 * zone.  Set the good flag.
-	 */
-	for (i = 0; i < 256; i++) {
-		if (bad_algorithms[i] != 0) {
-			if (first)
-				fprintf(stderr, "The zone is not fully signed "
-					"for the following algorithms:");
-			dns_secalg_format(i, algbuf, sizeof(algbuf));
-			fprintf(stderr, " %s", algbuf);
-			first = ISC_FALSE;
-		}
-	}
-	if (!first) {
-		fprintf(stderr, ".\n");
-		fatal("DNSSEC completeness test failed.");
-	}
-
-	if (vresult != ISC_R_SUCCESS)
-		fatal("DNSSEC completeness test failed (%s).",
-		      dns_result_totext(vresult));
-
-	if (goodksk || ignore_kskflag) {
-		/*
-		 * Print the success summary.
-		 */
-		fprintf(stderr, "Zone fully signed:\n");
-		for (i = 0; i < 256; i++) {
-			if ((ksk_algorithms[i] != 0) ||
-			    (standby_ksk[i] != 0) ||
-			    (revoked_zsk[i] != 0) ||
-			    (zsk_algorithms[i] != 0) ||
-			    (standby_zsk[i] != 0) ||
-			    (revoked_zsk[i] != 0)) {
-				dns_secalg_format(i, algbuf, sizeof(algbuf));
-				fprintf(stderr, "Algorithm: %s: KSKs: "
-					"%u active, %u stand-by, %u revoked\n",
-					algbuf, ksk_algorithms[i],
-					standby_ksk[i], revoked_ksk[i]);
-				fprintf(stderr, "%*sZSKs: "
-					"%u active, %u %s, %u revoked\n",
-					(int) strlen(algbuf) + 13, "",
-					zsk_algorithms[i],
-					standby_zsk[i],
-					keyset_kskonly ? "present" : "stand-by",
-					revoked_zsk[i]);
-			}
-		}
-	}
-}
diff --git a/contrib/bind9/bin/dnssec/dnssectool.h b/contrib/bind9/bin/dnssec/dnssectool.h
deleted file mode 100644
index 09b4fb1..0000000
--- a/contrib/bind9/bin/dnssec/dnssectool.h
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2004, 2007-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssectool.h,v 1.33 2011/10/20 23:46:51 tbox Exp $ */
-
-#ifndef DNSSECTOOL_H
-#define DNSSECTOOL_H 1
-
-#include <isc/log.h>
-#include <isc/stdtime.h>
-#include <dns/rdatastruct.h>
-#include <dst/dst.h>
-
-#define check_dns_dbiterator_current(result) \
-	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
-		     "dns_dbiterator_current()")
-
-
-typedef void (fatalcallback_t)(void);
-
-ISC_PLATFORM_NORETURN_PRE void
-fatal(const char *format, ...)
-ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
-
-void
-setfatalcallback(fatalcallback_t *callback);
-
-void
-check_result(isc_result_t result, const char *message);
-
-void
-vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
-
-void
-type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
-#define TYPE_FORMATSIZE 20
-
-void
-sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
-#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
-
-void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
-
-void
-cleanup_logging(isc_log_t **logp);
-
-void
-setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
-
-void
-cleanup_entropy(isc_entropy_t **ectx);
-
-dns_ttl_t strtottl(const char *str);
-
-isc_stdtime_t
-strtotime(const char *str, isc_int64_t now, isc_int64_t base);
-
-dns_rdataclass_t
-strtoclass(const char *str);
-
-isc_result_t
-try_dir(const char *dirname);
-
-void
-check_keyversion(dst_key_t *key, char *keystr);
-
-void
-set_keyversion(dst_key_t *key);
-
-isc_boolean_t
-key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
-	      isc_mem_t *mctx, isc_boolean_t *exact);
-
-isc_boolean_t
-is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-		      dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);
-
-void
-verifyzone(dns_db_t *db, dns_dbversion_t *ver,
-		   dns_name_t *origin, isc_mem_t *mctx,
-		   isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
-#endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/contrib/bind9/bin/named/Makefile.in b/contrib/bind9/bin/named/Makefile.in
deleted file mode 100644
index 6894135..0000000
--- a/contrib/bind9/bin/named/Makefile.in
+++ /dev/null
@@ -1,185 +0,0 @@
-# Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2002  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.116 2011/03/10 23:47:49 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_PRODUCT@
-
-@BIND9_DESCRIPTION@
-
-@BIND9_SRCID@
-
-@BIND9_CONFIGARGS@
-
-@BIND9_MAKE_INCLUDES@
-
-#
-# Add database drivers here.
-#
-DBDRIVER_OBJS =
-DBDRIVER_SRCS =
-DBDRIVER_INCLUDES =
-DBDRIVER_LIBS =
-
-DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
-
-DLZDRIVER_OBJS =	@DLZ_DRIVER_OBJS@
-DLZDRIVER_SRCS =	@DLZ_DRIVER_SRCS@
-DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
-DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
-
-CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
-		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
-		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-
-CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @USE_OPENSSL@
-
-CWARNINGS =
-
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-LWRESLIBS =	../../lib/lwres/liblwres.@A@
-BIND9LIBS =	../../lib/bind9/libbind9.@A@
-
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
-BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
-
-DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
-		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
-
-LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
-		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
-
-NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
-		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
-
-SUBDIRS =	unix
-
-TARGETS =	named@EXEEXT@ lwresd@EXEEXT@
-
-OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
-		controlconf.@O@ interfacemgr.@O@ \
-		listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
-		query.@O@ server.@O@ sortlist.@O@ statschannel.@O@ \
-		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
-		zoneconf.@O@ \
-		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
-		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
-		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
-
-UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
-
-SYMOBJS =	symtbl.@O@
-
-SRCS =		builtin.c client.c config.c control.c \
-		controlconf.c interfacemgr.c \
-		listenlist.c log.c logconf.c main.c notify.c \
-		query.c server.c sortlist.c statschannel.c symtbl.c symtbl-empty.c \
-		tkeyconf.c tsigconf.c update.c xfrout.c \
-		zoneconf.c \
-		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
-		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
-		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
-
-MANPAGES =	named.8 lwresd.8 named.conf.5
-
-HTMLPAGES =	named.html lwresd.html named.conf.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-main.@O@: main.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DPRODUCT=\"${PRODUCT}\" \
-		-DDESCRIPTION=\"${DESCRIPTION}\" \
-		-DSRCID=\"${SRCID}\" \
-		-DCONFIGARGS="\"${CONFIGARGS}\"" \
-		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-		-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
-
-bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/bindkeys.pl
-	${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@
-
-config.@O@: config.c bind.keys.h
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DSRCID=\"${SRCID}\" \
-		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-		-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-		-c ${srcdir}/config.c
-
-named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
-	export MAKE_SYMTABLE="yes"; \
-	export BASEOBJS="${OBJS} ${UOBJS}"; \
-	${FINALBUILDCMD}
-
-lwresd@EXEEXT@: named@EXEEXT@
-	rm -f lwresd@EXEEXT@
-	@LN@ named@EXEEXT@ lwresd@EXEEXT@
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-clean distclean maintainer-clean::
-	rm -f ${TARGETS} ${OBJS}
-
-maintainer-clean::
-	rm -f bind.keys.h
-
-bind9.xsl.h: bind9.xsl ${srcdir}/convertxsl.pl
-	${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
-
-bind9.ver3.xsl.h: bind9.ver3.xsl ${srcdir}/convertxsl.pl
-	${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.ver3.xsl > bind9.ver3.xsl.h
-
-depend: bind9.xsl.h bind9.ver3.xsl.h
-statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
-	(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
-	${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
-
-@DLZ_DRIVER_RULES@
-
-named-symtbl.@O@: named-symtbl.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/contrib/bind9/bin/named/bind.keys.h b/contrib/bind9/bin/named/bind.keys.h
deleted file mode 100644
index 61e3f70..0000000
--- a/contrib/bind9/bin/named/bind.keys.h
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp  
- * From bind.keys 1.7 2011/01/03 23:45:07 each Exp  
- */
-#define TRUSTED_KEYS "\
-# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
-# which are included as part of BIND 9.  As of the current release, the only\n\
-# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
-# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\").  Trust anchors\n\
-# for any other zones MUST be configured elsewhere; if they are configured\n\
-# here, they will not be recognized or used by named.\n\
-#\n\
-# The built-in trust anchors are provided for convenience of configuration.\n\
-# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
-# named.conf options.  To use the built-in DLV key, set\n\
-# \"dnssec-lookaside auto;\".  Without these options being set,\n\
-# the keys in this file are ignored.\n\
-#\n\
-# This file is NOT expected to be user-configured.\n\
-#\n\
-# These keys are current as of January 2011.  If any key fails to\n\
-# initialize correctly, it may have expired.  In that event you should\n\
-# replace this file with a current version.  The latest version of\n\
-# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
-\n\
-trusted-keys {\n\
-	# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
-        # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
-        # in named.conf.\n\
-	dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
-		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
-		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
-		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
-		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
-		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
-		TDN0YUuWrBNh\";\n\
-\n\
-	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
-	# for current trust anchor information.\n\
-        # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
-        # in named.conf.\n\
-	. 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
-		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
-		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
-		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
-		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
-		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
-		QxA+Uk1ihz0=\";\n\
-};\n\
-"
-
-#define MANAGED_KEYS "\
-# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
-# which are included as part of BIND 9.  As of the current release, the only\n\
-# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
-# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\").  Trust anchors\n\
-# for any other zones MUST be configured elsewhere; if they are configured\n\
-# here, they will not be recognized or used by named.\n\
-#\n\
-# The built-in trust anchors are provided for convenience of configuration.\n\
-# They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
-# named.conf options.  To use the built-in DLV key, set\n\
-# \"dnssec-lookaside auto;\".  Without these options being set,\n\
-# the keys in this file are ignored.\n\
-#\n\
-# This file is NOT expected to be user-configured.\n\
-#\n\
-# These keys are current as of January 2011.  If any key fails to\n\
-# initialize correctly, it may have expired.  In that event you should\n\
-# replace this file with a current version.  The latest version of\n\
-# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
-\n\
-managed-keys {\n\
-	# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
-        # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
-        # in named.conf.\n\
-	dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
-		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
-		1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
-		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
-		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
-		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
-		TDN0YUuWrBNh\";\n\
-\n\
-	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
-	# for current trust anchor information.\n\
-        # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
-        # in named.conf.\n\
-	. initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
-		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
-		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
-		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
-		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
-		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
-		QxA+Uk1ihz0=\";\n\
-};\n\
-"
diff --git a/contrib/bind9/bin/named/bind9.ver3.xsl b/contrib/bind9/bin/named/bind9.ver3.xsl
deleted file mode 100644
index 22e5c45..0000000
--- a/contrib/bind9/bin/named/bind9.ver3.xsl
+++ /dev/null
@@ -1,738 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- - Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id$ -->
-
-<!-- %Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp % -->
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
-  <xsl:output method="html" indent="yes" version="4.0"/>
-  <xsl:template match="statistics[@version=&quot;3.0&quot;]">
-    <html>
-      <head>
-        <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
-          <!-- Non Mozilla specific markup -->
-          <script type="text/javascript" src="https://www.google.com/jsapi"/>
-          <script type="text/javascript">
-        
-        google.load("visualization", "1", {packages:["corechart"]});
-        google.setOnLoadCallback(loadGraphs);
-
-        var graphs=[];
-        
-        function drawChart(chart_title,target,data) {
-          var data = google.visualization.arrayToDataTable(data);
-
-          var options = {
-            title: chart_title
-          };
-          
-          var chart = new google.visualization.BarChart(document.getElementById(target));
-          chart.draw(data, options);
-        }
-        
-        function loadGraphs(){
-          //alert("here we are!");
-          var g;
-            
-          // Server Incoming query Types
-          while(g = graphs.shift()){
-            // alert("going for: " + g.target);
-            if(g.data.length > 1){
-              drawChart(g.title,g.target,g.data);
-            }
-          }
-        }
-        
-            // Server Incoming Queries Types         
-           graphs.push({
-                        'title' : "Server Incoming Query Types",
-                        'target': 'chart_incoming_qtypes',
-                        'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type=&quot;qtype&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
-                        });
-
-
-           // Server Incoming Requests         
-           graphs.push({
-                        'title' : "Server Incoming Requests",
-                        'target': 'chart_incoming_requests',
-                        'data': [['Requests','Counter'],<xsl:for-each select="server/counters[@type=&quot;opcode&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]});
-        
-        
-        
-        
-      </script>
-        </xsl:if>
-        <style type="text/css">
-     body {
-      font-family: sans-serif;
-      background-color: #ffffff;
-      color: #000000;
-      font-size: 10pt;
-     }
-     
-     .odd{
-      background-color: #f0f0f0;
-     }
-     
-     .even{
-      background-color: #ffffff;
-     }
-     
-     p.footer{
-      font-style:italic;
-      color: grey;
-     }
-
-     table {
-      border-collapse: collapse;
-      border: 1px solid grey;
-     }
-
-     table.counters{
-      border: 1px solid grey;
-      width: 500px;
-     }
-     
-     table.counters th {
-      text-align: center;
-      border: 1px solid grey;
-      width: 120px;
-     }
-    table.counters td{
-      text-align:center;
-      
-    }
-    
-    table.counters tr:hover{
-      background-color: #99ddff;
-    }
- 
-     .totals {
-      background-color: rgb(1,169,206);
-      color: #ffffff;
-     }
-
-     td, th {
-      padding-right: 5px;
-      padding-left: 5px;
-      border: 1px solid grey;
-     }
-
-     .header h1 {
-      color: rgb(1,169,206);
-      padding: 0px;
-     }
-
-     .content {
-      background-color: #ffffff;
-      color: #000000;
-      padding: 4px;
-     }
-
-     .item {
-      padding: 4px;
-      text-align: right;
-     }
-
-     .value {
-      padding: 4px;
-      font-weight: bold;
-     }
-
-
-     h2 {
-       color: grey;
-       font-size: 14pt;
-       width:500px;
-       text-align:center;
-     }
-     
-     h3 {
-       color: #444444;
-       font-size: 12pt;
-       width:500px;
-       text-align:center;
-       
-     }
-     h4 {
-        color:  rgb(1,169,206);
-        font-size: 10pt;
-       width:500px;
-       text-align:center;
-        
-     }
-
-     .pie {
-      width:500px;
-      height: 500px;
-     }
-
-      </style>
-        <title>ISC BIND 9 Statistics</title>
-      </head>
-      <body>
-        <div class="header">
-          <h1>ISC Bind 9 Configuration and Statistics</h1>
-        </div>
-        <hr/>
-        <h2>Server Times</h2>
-        <table class="counters">
-          <tr>
-            <th>Boot time:</th>
-            <td>
-              <xsl:value-of select="server/boot-time"/>
-            </td>
-          </tr>
-          <tr>
-            <th>Sample time:</th>
-            <td>
-              <xsl:value-of select="server/current-time"/>
-            </td>
-          </tr>
-        </table>
-        <br/>
-        <h2>Incoming Requests</h2>
-        <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
-          <!-- Non Mozilla specific markup -->
-          <div class="pie" id="chart_incoming_requests">[no incoming requests]</div>
-        </xsl:if>
-        <table class="counters">
-          <xsl:for-each select="server/counters[@type=&quot;opcode&quot;]/counter">
-            <xsl:sort select="." data-type="number" order="descending"/>
-            <tr>
-              <th>
-                <xsl:value-of select="@name"/>
-              </th>
-              <td>
-                <xsl:value-of select="."/>
-              </td>
-            </tr>
-          </xsl:for-each>
-          <tr>
-            <th class="totals">Total:</th>
-            <td class="totals">
-              <xsl:value-of select="sum(server/counters[@type=&quot;opcode&quot;]/counter)"/>
-            </td>
-          </tr>
-        </table>
-        <br/>
-        <h3>Incoming Queries by Type</h3>
-        <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
-          <!-- Non Mozilla specific markup -->
-          <div class="pie" id="chart_incoming_qtypes">[no incoming queries]</div>
-        </xsl:if>
-        <table class="counters">
-          <xsl:for-each select="server/counters[@type=&quot;qtype&quot;]/counter">
-            <xsl:sort select="." data-type="number" order="descending"/>
-            <xsl:variable name="css-class">
-              <xsl:choose>
-                <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                <xsl:otherwise>odd</xsl:otherwise>
-              </xsl:choose>
-            </xsl:variable>
-            <tr class="{$css-class}">
-              <th>
-                <xsl:value-of select="@name"/>
-              </th>
-              <td>
-                <xsl:value-of select="."/>
-              </td>
-            </tr>
-          </xsl:for-each>
-          <tr>
-            <th class="totals">Total:</th>
-            <td class="totals">
-              <xsl:value-of select="sum(server/counters[@type=&quot;qtype&quot;]/counter)"/>
-            </td>
-          </tr>
-        </table>
-        <br/>
-        <h2>Outgoing Queries per view</h2>
-        <xsl:for-each select="views/view[count(counters[@type=&quot;resqtype&quot;]/counter) &gt; 0]">
-          <h3>View <xsl:value-of select="@name"/></h3>
-          <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
-            <!-- Non Mozilla specific markup -->
-          <script type="text/javascript">
-                graphs.push({
-                              'title': "Outgoing queries for view: <xsl:value-of select="@name"/>",
-                              'target': 'chart_outgoing_queries_view_<xsl:value-of select="@name"/>',
-                              'data': [['Type','Counter'],<xsl:for-each select="counters[@type=&quot;resqtype&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
-                              });
-                              
-            </script>
-          <xsl:variable name="target">
-            <xsl:value-of select="@name"/>
-          </xsl:variable>
-            <div class="pie" id="chart_outgoing_queries_view_{$target}"/>
-          </xsl:if>
-          <table class="counters">
-            <xsl:for-each select="counters[@type=&quot;resqtype&quot;]/counter">
-              <xsl:sort select="." data-type="number" order="descending"/>
-              <xsl:variable name="css-class1">
-                <xsl:choose>
-                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                  <xsl:otherwise>odd</xsl:otherwise>
-                </xsl:choose>
-              </xsl:variable>
-              <tr class="{$css-class1}">
-                <th>
-                  <xsl:value-of select="@name"/>
-                </th>
-                <td>
-                  <xsl:value-of select="."/>
-                </td>
-              </tr>
-            </xsl:for-each>
-          </table>
-          <br/>
-        </xsl:for-each>
-        <h2>Server Statistics</h2>
-        <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
-          <!-- Non Mozilla specific markup -->
-        <script type="text/javascript">
-                graphs.push({
-                              'title' : "Server Counters",
-                              'target': 'chart_server_nsstat_restype',
-                              'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
-                              });
-                              
-            </script>
-          <div class="pie" id="chart_server_nsstat_restype"/>
-        </xsl:if>
-        <table class="counters">
-          <xsl:for-each select="server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]">
-            <xsl:sort select="." data-type="number" order="descending"/>
-            <xsl:variable name="css-class2">
-              <xsl:choose>
-                <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                <xsl:otherwise>odd</xsl:otherwise>
-              </xsl:choose>
-            </xsl:variable>
-            <tr class="{$css-class2}">
-              <th>
-                <xsl:value-of select="@name"/>
-              </th>
-              <td>
-                <xsl:value-of select="."/>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-        <br/>
-        <h2>Zone Maintenance Statistics</h2>
-        <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
-        <script type="text/javascript">
-                      graphs.push({
-                                    'title' : "Zone Maintenance Stats",
-                                    'target': 'chart_server_zone_maint',
-                                    'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type=&quot;zonestat&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
-                                    });
-
-                  </script>
-          <!-- Non Mozilla specific markup -->
-          <div class="pie" id="chart_server_zone_maint"/>
-        </xsl:if>
-        <table class="counters">
-          <xsl:for-each select="server/counters[@type=&quot;zonestat&quot;]/counter">
-            <xsl:sort select="." data-type="number" order="descending"/>
-            <xsl:variable name="css-class3">
-              <xsl:choose>
-                <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                <xsl:otherwise>odd</xsl:otherwise>
-              </xsl:choose>
-            </xsl:variable>
-            <tr class="{$css-class3}">
-              <th>
-                <xsl:value-of select="@name"/>
-              </th>
-              <td>
-                <xsl:value-of select="."/>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-        <h2>Resolver Statistics (Common)</h2>
-        <table class="counters">
-          <xsl:for-each select="server/counters[@type=&quot;restat&quot;]/counter">
-            <xsl:sort select="." data-type="number" order="descending"/>
-            <xsl:variable name="css-class4">
-              <xsl:choose>
-                <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                <xsl:otherwise>odd</xsl:otherwise>
-              </xsl:choose>
-            </xsl:variable>
-            <tr class="{$css-class4}">
-              <th>
-                <xsl:value-of select="@name"/>
-              </th>
-              <td>
-                <xsl:value-of select="."/>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-        <xsl:for-each select="views/view">
-          <h3>Resolver Statistics for View <xsl:value-of select="@name"/></h3>
-          <table class="counters">
-            <xsl:for-each select="counters[@type=&quot;resstats&quot;]/counter[.&gt;0]">
-              <xsl:sort select="." data-type="number" order="descending"/>
-              <xsl:variable name="css-class5">
-                <xsl:choose>
-                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                  <xsl:otherwise>odd</xsl:otherwise>
-                </xsl:choose>
-              </xsl:variable>
-              <tr class="{$css-class5}">
-                <th>
-                  <xsl:value-of select="@name"/>
-                </th>
-                <td>
-                  <xsl:value-of select="."/>
-                </td>
-              </tr>
-            </xsl:for-each>
-          </table>
-        </xsl:for-each>
-        <h3>Cache DB RRsets for View <xsl:value-of select="@name"/></h3>
-        <xsl:for-each select="views/view">
-          <table class="counters">
-            <xsl:for-each select="cache/rrset">
-              <xsl:variable name="css-class6">
-                <xsl:choose>
-                  <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                  <xsl:otherwise>odd</xsl:otherwise>
-                </xsl:choose>
-              </xsl:variable>
-              <tr class="{$css-class6}">
-                <th>
-                  <xsl:value-of select="name"/>
-                </th>
-                <td>
-                  <xsl:value-of select="counter"/>
-                </td>
-              </tr>
-            </xsl:for-each>
-          </table>
-          <br/>
-        </xsl:for-each>
-        <h2>Socket I/O Statistics</h2>
-        <table class="counters">
-          <xsl:for-each select="server/counters[@type=&quot;sockstat&quot;]/counter[.&gt;0]">
-            <xsl:variable name="css-class7">
-              <xsl:choose>
-                <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                <xsl:otherwise>odd</xsl:otherwise>
-              </xsl:choose>
-            </xsl:variable>
-            <tr class="{$css-class7}">
-              <th>
-                <xsl:value-of select="@name"/>
-              </th>
-              <td>
-                <xsl:value-of select="."/>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-        <br/>
-        <br/>
-        <h2>Response Codes per view/zone</h2>
-        <xsl:for-each select="views/view[zones/zone/counters[@type=&quot;rcode&quot;]/counter &gt;0]">
-          <h3>View <xsl:value-of select="@name"/></h3>
-          <xsl:variable name="thisview">
-            <xsl:value-of select="@name"/>
-          </xsl:variable>
-          <xsl:for-each select="zones/zone">
-            <xsl:if test="counters[@type=&quot;rcode&quot;]/counter[. &gt; 0]">
-              <h4>Zone <xsl:value-of select="@name"/></h4>
-              <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
-                <!-- Non Mozilla specific markup -->
-              <script type="text/javascript">
-                      graphs.push({
-                                    'title': "Response Codes for zone <xsl:value-of select="@name"/>",
-                                    'target': 'chart_rescode_<xsl:value-of select="../../@name"/>_<xsl:value-of select="@name"/>',
-                                    'data': [['Type','Counter'],<xsl:for-each select="counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
-                                    });
-
-                  </script>
-              <xsl:variable name="target">
-                <xsl:value-of select="@name"/>
-              </xsl:variable>
-                <div class="pie" id="chart_rescode_{$thisview}_{$target}"/>
-              </xsl:if>
-              <table class="counters">
-                <xsl:for-each select="counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]">
-                  <xsl:sort select="."/>
-                  <xsl:variable name="css-class10">
-                    <xsl:choose>
-                      <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                      <xsl:otherwise>odd</xsl:otherwise>
-                    </xsl:choose>
-                  </xsl:variable>
-                  <tr class="{$css-class10}">
-                    <th>
-                      <xsl:value-of select="@name"/>
-                    </th>
-                    <td>
-                      <xsl:value-of select="."/>
-                    </td>
-                  </tr>
-                </xsl:for-each>
-              </table>
-            </xsl:if>
-          </xsl:for-each>
-        </xsl:for-each>
-        <h2>Received QTYPES per view/zone</h2>
-        <xsl:for-each select="views/view[zones/zone/counters[@type=&quot;qtype&quot;]/counter &gt;0]">
-          <h3>View <xsl:value-of select="@name"/></h3>
-          <xsl:variable name="thisview2">
-            <xsl:value-of select="@name"/>
-          </xsl:variable>
-          <xsl:for-each select="zones/zone">
-            <xsl:if test="counters[@type=&quot;qtype&quot;]/counter[count(.) &gt; 0]">
-              <h4>Zone <xsl:value-of select="@name"/></h4>
-              <xsl:if test="system-property('xsl:vendor')!='Transformiix'">
-                <!-- Non Mozilla specific markup -->
-              <script type="text/javascript">
-                      graphs.push({
-                                    'title': "Query Types for zone <xsl:value-of select="@name"/>",
-                                    'target': 'chart_qtype_<xsl:value-of select="../../@name"/>_<xsl:value-of select="@name"/>',
-                                    'data': [['Type','Counter'],<xsl:for-each select="counters[@type=&quot;qtype&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
-                                    });
-
-                  </script>
-              <xsl:variable name="target">
-                <xsl:value-of select="@name"/>
-              </xsl:variable>
-                <div class="pie" id="chart_qtype_{$thisview2}_{$target}"/>
-              </xsl:if>
-              <table class="counters">
-                <xsl:for-each select="counters[@type=&quot;qtype&quot;]/counter">
-                  <xsl:sort select="."/>
-                  <xsl:variable name="css-class11">
-                    <xsl:choose>
-                      <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                      <xsl:otherwise>odd</xsl:otherwise>
-                    </xsl:choose>
-                  </xsl:variable>
-                  <tr class="{$css-class11}">
-                    <th>
-                      <xsl:value-of select="@name"/>
-                    </th>
-                    <td>
-                      <xsl:value-of select="."/>
-                    </td>
-                  </tr>
-                </xsl:for-each>
-              </table>
-            </xsl:if>
-          </xsl:for-each>
-        </xsl:for-each>
-        <h2>Network Status</h2>
-        <table class="counters">
-          <tr>
-            <th>ID</th>
-            <th>Name</th>
-            <th>Type</th>
-            <th>References</th>
-            <th>LocalAddress</th>
-            <th>PeerAddress</th>
-            <th>State</th>
-          </tr>
-          <xsl:for-each select="socketmgr/sockets/socket">
-            <xsl:sort select="id"/>
-            <xsl:variable name="css-class12">
-              <xsl:choose>
-                <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                <xsl:otherwise>odd</xsl:otherwise>
-              </xsl:choose>
-            </xsl:variable>
-            <tr class="{$css-class12}">
-              <td>
-                <xsl:value-of select="id"/>
-              </td>
-              <td>
-                <xsl:value-of select="name"/>
-              </td>
-              <td>
-                <xsl:value-of select="type"/>
-              </td>
-              <td>
-                <xsl:value-of select="references"/>
-              </td>
-              <td>
-                <xsl:value-of select="local-address"/>
-              </td>
-              <td>
-                <xsl:value-of select="peer-address"/>
-              </td>
-              <td>
-                <xsl:for-each select="states">
-                  <xsl:value-of select="."/>
-                </xsl:for-each>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-        <br/>
-        <h2>Task Manager Configuration</h2>
-        <table class="counters">
-          <tr>
-            <th class="even">Thread-Model</th>
-            <td>
-              <xsl:value-of select="taskmgr/thread-model/type"/>
-            </td>
-          </tr>
-          <tr class="odd">
-            <th>Worker Threads</th>
-            <td>
-              <xsl:value-of select="taskmgr/thread-model/worker-threads"/>
-            </td>
-          </tr>
-          <tr class="even">
-            <th>Default Quantum</th>
-            <td>
-              <xsl:value-of select="taskmgr/thread-model/default-quantum"/>
-            </td>
-          </tr>
-          <tr class="odd">
-            <th>Tasks Running</th>
-            <td>
-              <xsl:value-of select="taskmgr/thread-model/tasks-running"/>
-            </td>
-          </tr>
-        </table>
-        <br/>
-        <h2>Tasks</h2>
-        <table class="counters">
-          <tr>
-            <th>ID</th>
-            <th>Name</th>
-            <th>References</th>
-            <th>State</th>
-            <th>Quantum</th>
-          </tr>
-          <xsl:for-each select="taskmgr/tasks/task">
-            <xsl:sort select="name"/>
-            <xsl:variable name="css-class14">
-              <xsl:choose>
-                <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                <xsl:otherwise>odd</xsl:otherwise>
-              </xsl:choose>
-            </xsl:variable>
-            <tr class="{$css-class14}">
-              <td>
-                <xsl:value-of select="id"/>
-              </td>
-              <td>
-                <xsl:value-of select="name"/>
-              </td>
-              <td>
-                <xsl:value-of select="references"/>
-              </td>
-              <td>
-                <xsl:value-of select="state"/>
-              </td>
-              <td>
-                <xsl:value-of select="quantum"/>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-        <br/>
-        <h2>Memory Usage Summary</h2>
-        <table class="counters">
-          <xsl:for-each select="memory/summary/*">
-            <xsl:variable name="css-class13">
-              <xsl:choose>
-                <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                <xsl:otherwise>odd</xsl:otherwise>
-              </xsl:choose>
-            </xsl:variable>
-            <tr class="{$css-class13}">
-              <th>
-                <xsl:value-of select="name()"/>
-              </th>
-              <td>
-                <xsl:value-of select="."/>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-        <br/>
-        <h2>Memory Contexts</h2>
-        <table class="counters">
-          <tr>
-            <th>ID</th>
-            <th>Name</th>
-            <th>References</th>
-            <th>TotalUse</th>
-            <th>InUse</th>
-            <th>MaxUse</th>
-            <th>BlockSize</th>
-            <th>Pools</th>
-            <th>HiWater</th>
-            <th>LoWater</th>
-          </tr>
-          <xsl:for-each select="memory/contexts/context">
-            <xsl:sort select="total" data-type="number" order="descending"/>
-            <xsl:variable name="css-class14">
-              <xsl:choose>
-                <xsl:when test="position() mod 2 = 0">even</xsl:when>
-                <xsl:otherwise>odd</xsl:otherwise>
-              </xsl:choose>
-            </xsl:variable>
-            <tr class="{$css-class14}">
-              <td>
-                <xsl:value-of select="id"/>
-              </td>
-              <td>
-                <xsl:value-of select="name"/>
-              </td>
-              <td>
-                <xsl:value-of select="references"/>
-              </td>
-              <td>
-                <xsl:value-of select="total"/>
-              </td>
-              <td>
-                <xsl:value-of select="inuse"/>
-              </td>
-              <td>
-                <xsl:value-of select="maxinuse"/>
-              </td>
-              <td>
-                <xsl:value-of select="blocksize"/>
-              </td>
-              <td>
-                <xsl:value-of select="pools"/>
-              </td>
-              <td>
-                <xsl:value-of select="hiwater"/>
-              </td>
-              <td>
-                <xsl:value-of select="lowater"/>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-        <hr/>
-        <p class="footer">Internet Systems Consortium Inc.<br/><a href="http://www.isc.org">http://www.isc.org</a></p>
-      </body>
-    </html>
-  </xsl:template>
-</xsl:stylesheet>
diff --git a/contrib/bind9/bin/named/bind9.ver3.xsl.h b/contrib/bind9/bin/named/bind9.ver3.xsl.h
deleted file mode 100644
index c55714a..0000000
--- a/contrib/bind9/bin/named/bind9.ver3.xsl.h
+++ /dev/null
@@ -1,740 +0,0 @@
-/*
- * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp  
- * From <!-- %Id: bind9.xsl 1.21 2009/01/27 23:47:54 tbox Exp %
- */
-static char xslmsg[] =
-	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
-	"<!--\n"
-	" - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. (\"ISC\")\n"
-	" -\n"
-	" - Permission to use, copy, modify, and/or distribute this software for any\n"
-	" - purpose with or without fee is hereby granted, provided that the above\n"
-	" - copyright notice and this permission notice appear in all copies.\n"
-	" -\n"
-	" - THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
-	" - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
-	" - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
-	" - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
-	" - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
-	" - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
-	" - PERFORMANCE OF THIS SOFTWARE.\n"
-	"-->\n"
-	"<!-- \045Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp \045 -->\n"
-	"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
-	" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
-	" <xsl:template match=\"statistics[@version=&quot;3.0&quot;]\">\n"
-	" <html>\n"
-	" <head>\n"
-	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
-	" <!-- Non Mozilla specific markup -->\n"
-	" <script type=\"text/javascript\" src=\"https://www.google.com/jsapi\"/>\n"
-	" <script type=\"text/javascript\">\n"
-	" \n"
-	" google.load(\"visualization\", \"1\", {packages:[\"corechart\"]});\n"
-	" google.setOnLoadCallback(loadGraphs);\n"
-	"\n"
-	" var graphs=[];\n"
-	" \n"
-	" function drawChart(chart_title,target,data) {\n"
-	" var data = google.visualization.arrayToDataTable(data);\n"
-	"\n"
-	" var options = {\n"
-	" title: chart_title\n"
-	" };\n"
-	" \n"
-	" var chart = new google.visualization.BarChart(document.getElementById(target));\n"
-	" chart.draw(data, options);\n"
-	" }\n"
-	" \n"
-	" function loadGraphs(){\n"
-	" //alert(\"here we are!\");\n"
-	" var g;\n"
-	" \n"
-	" // Server Incoming query Types\n"
-	" while(g = graphs.shift()){\n"
-	" // alert(\"going for: \" + g.target);\n"
-	" if(g.data.length > 1){\n"
-	" drawChart(g.title,g.target,g.data);\n"
-	" }\n"
-	" }\n"
-	" }\n"
-	" \n"
-	" // Server Incoming Queries Types \n"
-	" graphs.push({\n"
-	" 'title' : \"Server Incoming Query Types\",\n"
-	" 'target': 'chart_incoming_qtypes',\n"
-	" 'data': [['Type','Counter'],<xsl:for-each select=\"server/counters[@type=&quot;qtype&quot;]/counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
-	" });\n"
-	"\n"
-	"\n"
-	" // Server Incoming Requests \n"
-	" graphs.push({\n"
-	" 'title' : \"Server Incoming Requests\",\n"
-	" 'target': 'chart_incoming_requests',\n"
-	" 'data': [['Requests','Counter'],<xsl:for-each select=\"server/counters[@type=&quot;opcode&quot;]/counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]});\n"
-	" \n"
-	" \n"
-	" \n"
-	" \n"
-	" </script>\n"
-	" </xsl:if>\n"
-	" <style type=\"text/css\">\n"
-	" body {\n"
-	" font-family: sans-serif;\n"
-	" background-color: #ffffff;\n"
-	" color: #000000;\n"
-	" font-size: 10pt;\n"
-	" }\n"
-	" \n"
-	" .odd{\n"
-	" background-color: #f0f0f0;\n"
-	" }\n"
-	" \n"
-	" .even{\n"
-	" background-color: #ffffff;\n"
-	" }\n"
-	" \n"
-	" p.footer{\n"
-	" font-style:italic;\n"
-	" color: grey;\n"
-	" }\n"
-	"\n"
-	" table {\n"
-	" border-collapse: collapse;\n"
-	" border: 1px solid grey;\n"
-	" }\n"
-	"\n"
-	" table.counters{\n"
-	" border: 1px solid grey;\n"
-	" width: 500px;\n"
-	" }\n"
-	" \n"
-	" table.counters th {\n"
-	" text-align: center;\n"
-	" border: 1px solid grey;\n"
-	" width: 120px;\n"
-	" }\n"
-	" table.counters td{\n"
-	" text-align:center;\n"
-	" \n"
-	" }\n"
-	" \n"
-	" table.counters tr:hover{\n"
-	" background-color: #99ddff;\n"
-	" }\n"
-	" \n"
-	" .totals {\n"
-	" background-color: rgb(1,169,206);\n"
-	" color: #ffffff;\n"
-	" }\n"
-	"\n"
-	" td, th {\n"
-	" padding-right: 5px;\n"
-	" padding-left: 5px;\n"
-	" border: 1px solid grey;\n"
-	" }\n"
-	"\n"
-	" .header h1 {\n"
-	" color: rgb(1,169,206);\n"
-	" padding: 0px;\n"
-	" }\n"
-	"\n"
-	" .content {\n"
-	" background-color: #ffffff;\n"
-	" color: #000000;\n"
-	" padding: 4px;\n"
-	" }\n"
-	"\n"
-	" .item {\n"
-	" padding: 4px;\n"
-	" text-align: right;\n"
-	" }\n"
-	"\n"
-	" .value {\n"
-	" padding: 4px;\n"
-	" font-weight: bold;\n"
-	" }\n"
-	"\n"
-	"\n"
-	" h2 {\n"
-	" color: grey;\n"
-	" font-size: 14pt;\n"
-	" width:500px;\n"
-	" text-align:center;\n"
-	" }\n"
-	" \n"
-	" h3 {\n"
-	" color: #444444;\n"
-	" font-size: 12pt;\n"
-	" width:500px;\n"
-	" text-align:center;\n"
-	" \n"
-	" }\n"
-	" h4 {\n"
-	" color: rgb(1,169,206);\n"
-	" font-size: 10pt;\n"
-	" width:500px;\n"
-	" text-align:center;\n"
-	" \n"
-	" }\n"
-	"\n"
-	" .pie {\n"
-	" width:500px;\n"
-	" height: 500px;\n"
-	" }\n"
-	"\n"
-	" </style>\n"
-	" <title>ISC BIND 9 Statistics</title>\n"
-	" </head>\n"
-	" <body>\n"
-	" <div class=\"header\">\n"
-	" <h1>ISC Bind 9 Configuration and Statistics</h1>\n"
-	" </div>\n"
-	" <hr/>\n"
-	" <h2>Server Times</h2>\n"
-	" <table class=\"counters\">\n"
-	" <tr>\n"
-	" <th>Boot time:</th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"server/boot-time\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" <tr>\n"
-	" <th>Sample time:</th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"server/current-time\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <h2>Incoming Requests</h2>\n"
-	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
-	" <!-- Non Mozilla specific markup -->\n"
-	" <div class=\"pie\" id=\"chart_incoming_requests\">[graph incoming requests]</div>\n"
-	" </xsl:if>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"server/counters[@type=&quot;opcode&quot;]/counter\">\n"
-	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
-	" <tr>\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" <tr>\n"
-	" <th class=\"totals\">Total:</th>\n"
-	" <td class=\"totals\">\n"
-	" <xsl:value-of select=\"sum(server/counters[@type=&quot;opcode&quot;]/counter)\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <h3>Incoming Queries by Type</h3>\n"
-	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
-	" <!-- Non Mozilla specific markup -->\n"
-	" <div class=\"pie\" id=\"chart_incoming_qtypes\">[graph incoming qtypes]</div>\n"
-	" </xsl:if>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"server/counters[@type=&quot;qtype&quot;]/counter\">\n"
-	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
-	" <xsl:variable name=\"css-class\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" <tr>\n"
-	" <th class=\"totals\">Total:</th>\n"
-	" <td class=\"totals\">\n"
-	" <xsl:value-of select=\"sum(server/counters[@type=&quot;qtype&quot;]/counter)\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <h2>Outgoing Queries per view</h2>\n"
-	" <xsl:for-each select=\"views/view[count(counters[@type=&quot;resqtype&quot;]/counter) &gt; 0]\">\n"
-	" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
-	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
-	" <!-- Non Mozilla specific markup -->\n"
-	" <script type=\"text/javascript\">\n"
-	" graphs.push({\n"
-	" 'title': \"Outgoing queries for view: <xsl:value-of select=\"@name\"/>\",\n"
-	" 'target': 'chart_outgoing_queries_view_<xsl:value-of select=\"@name\"/>',\n"
-	" 'data': [['Type','Counter'],<xsl:for-each select=\"counters[@type=&quot;resqtype&quot;]/counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
-	" });\n"
-	" \n"
-	" </script>\n"
-	" <xsl:variable name=\"target\">\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </xsl:variable>\n"
-	" <div class=\"pie\" id=\"chart_outgoing_queries_view_{$target}\"/>\n"
-	" </xsl:if>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"counters[@type=&quot;resqtype&quot;]/counter\">\n"
-	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
-	" <xsl:variable name=\"css-class1\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class1}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" </xsl:for-each>\n"
-	" <h2>Server Statistics</h2>\n"
-	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
-	" <!-- Non Mozilla specific markup -->\n"
-	" <script type=\"text/javascript\">\n"
-	" graphs.push({\n"
-	" 'title' : \"Server Response Types\",\n"
-	" 'target': 'chart_server_nsstat_restype',\n"
-	" 'data': [['Type','Counter'],<xsl:for-each select=\"server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
-	" });\n"
-	" \n"
-	" </script>\n"
-	" <div class=\"pie\" id=\"chart_server_nsstat_restype\"/>\n"
-	" </xsl:if>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]\">\n"
-	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
-	" <xsl:variable name=\"css-class2\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class2}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <h2>Zone Maintenance Statistics</h2>\n"
-	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
-	" <script type=\"text/javascript\">\n"
-	" graphs.push({\n"
-	" 'title' : \"Zone Maintenance Stats\",\n"
-	" 'target': 'chart_server_zone_maint',\n"
-	" 'data': [['Type','Counter'],<xsl:for-each select=\"server/counters[@type=&quot;zonestat&quot;]/counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
-	" });\n"
-	"\n"
-	" </script>\n"
-	" <!-- Non Mozilla specific markup -->\n"
-	" <div class=\"pie\" id=\"chart_server_zone_maint\"/>\n"
-	" </xsl:if>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"server/counters[@type=&quot;zonestat&quot;]/counter\">\n"
-	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
-	" <xsl:variable name=\"css-class3\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class3}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <h2>Resolver Statistics (Common)</h2>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"server/counters[@type=&quot;restat&quot;]/counter\">\n"
-	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
-	" <xsl:variable name=\"css-class4\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class4}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <xsl:for-each select=\"views/view\">\n"
-	" <h3>Resolver Statistics for View <xsl:value-of select=\"@name\"/></h3>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"counters[@type=&quot;resstats&quot;]/counter[.&gt;0]\">\n"
-	" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
-	" <xsl:variable name=\"css-class5\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class5}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" </xsl:for-each>\n"
-	" <h3>Cache DB RRsets for View <xsl:value-of select=\"@name\"/></h3>\n"
-	" <xsl:for-each select=\"views/view\">\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"cache/rrset\">\n"
-	" <xsl:variable name=\"css-class6\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class6}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"counter\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" </xsl:for-each>\n"
-	" <h2>Socket I/O Statistics</h2>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"server/counters[@type=&quot;sockstat&quot;]/counter[.&gt;0]\">\n"
-	" <xsl:variable name=\"css-class7\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class7}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <br/>\n"
-	" <h2>Response Codes per view/zone</h2>\n"
-	" <xsl:for-each select=\"views/view[zones/zone/counters[@type=&quot;rcode&quot;]/counter &gt;0]\">\n"
-	" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
-	" <xsl:variable name=\"thisview\">\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </xsl:variable>\n"
-	" <xsl:for-each select=\"zones/zone\">\n"
-	" <xsl:if test=\"counters[@type=&quot;rcode&quot;]/counter[. &gt; 0]\">\n"
-	" <h4>Zone <xsl:value-of select=\"@name\"/></h4>\n"
-	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
-	" <!-- Non Mozilla specific markup -->\n"
-	" <script type=\"text/javascript\">\n"
-	" graphs.push({\n"
-	" 'title': \"Response Codes for zone <xsl:value-of select=\"@name\"/>\",\n"
-	" 'target': 'chart_rescode_<xsl:value-of select=\"../../@name\"/>_<xsl:value-of select=\"@name\"/>',\n"
-	" 'data': [['Type','Counter'],<xsl:for-each select=\"counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
-	" });\n"
-	"\n"
-	" </script>\n"
-	" <xsl:variable name=\"target\">\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </xsl:variable>\n"
-	" <div class=\"pie\" id=\"chart_rescode_{$thisview}_{$target}\"/>\n"
-	" </xsl:if>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]\">\n"
-	" <xsl:sort select=\".\"/>\n"
-	" <xsl:variable name=\"css-class10\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class10}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" </xsl:if>\n"
-	" </xsl:for-each>\n"
-	" </xsl:for-each>\n"
-	" <h2>Received QTYPES per view/zone</h2>\n"
-	" <xsl:for-each select=\"views/view[zones/zone/counters[@type=&quot;qtype&quot;]/counter &gt;0]\">\n"
-	" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
-	" <xsl:variable name=\"thisview2\">\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </xsl:variable>\n"
-	" <xsl:for-each select=\"zones/zone\">\n"
-	" <xsl:if test=\"counters[@type=&quot;qtype&quot;]/counter[count(.) &gt; 0]\">\n"
-	" <h4>Zone <xsl:value-of select=\"@name\"/></h4>\n"
-	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
-	" <!-- Non Mozilla specific markup -->\n"
-	" <script type=\"text/javascript\">\n"
-	" graphs.push({\n"
-	" 'title': \"Query Types for zone <xsl:value-of select=\"@name\"/>\",\n"
-	" 'target': 'chart_qtype_<xsl:value-of select=\"../../@name\"/>_<xsl:value-of select=\"@name\"/>',\n"
-	" 'data': [['Type','Counter'],<xsl:for-each select=\"counters[@type=&quot;qtype&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
-	" });\n"
-	"\n"
-	" </script>\n"
-	" <xsl:variable name=\"target\">\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </xsl:variable>\n"
-	" <div class=\"pie\" id=\"chart_qtype_{$thisview2}_{$target}\"/>\n"
-	" </xsl:if>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"counters[@type=&quot;qtype&quot;]/counter\">\n"
-	" <xsl:sort select=\".\"/>\n"
-	" <xsl:variable name=\"css-class11\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class11}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"@name\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" </xsl:if>\n"
-	" </xsl:for-each>\n"
-	" </xsl:for-each>\n"
-	" <h2>Network Status</h2>\n"
-	" <table class=\"counters\">\n"
-	" <tr>\n"
-	" <th>ID</th>\n"
-	" <th>Name</th>\n"
-	" <th>Type</th>\n"
-	" <th>References</th>\n"
-	" <th>LocalAddress</th>\n"
-	" <th>PeerAddress</th>\n"
-	" <th>State</th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"socketmgr/sockets/socket\">\n"
-	" <xsl:sort select=\"id\"/>\n"
-	" <xsl:variable name=\"css-class12\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class12}\">\n"
-	" <td>\n"
-	" <xsl:value-of select=\"id\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"name\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"type\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"references\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"local-address\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"peer-address\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:for-each select=\"states\">\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </xsl:for-each>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <h2>Task Manager Configuration</h2>\n"
-	" <table class=\"counters\">\n"
-	" <tr>\n"
-	" <th class=\"even\">Thread-Model</th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"taskmgr/thread-model/type\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" <tr class=\"odd\">\n"
-	" <th>Worker Threads</th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"taskmgr/thread-model/worker-threads\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" <tr class=\"even\">\n"
-	" <th>Default Quantum</th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"taskmgr/thread-model/default-quantum\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" <tr class=\"odd\">\n"
-	" <th>Tasks Running</th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"taskmgr/thread-model/tasks-running\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <h2>Tasks</h2>\n"
-	" <table class=\"counters\">\n"
-	" <tr>\n"
-	" <th>ID</th>\n"
-	" <th>Name</th>\n"
-	" <th>References</th>\n"
-	" <th>State</th>\n"
-	" <th>Quantum</th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"taskmgr/tasks/task\">\n"
-	" <xsl:sort select=\"name\"/>\n"
-	" <xsl:variable name=\"css-class14\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class14}\">\n"
-	" <td>\n"
-	" <xsl:value-of select=\"id\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"name\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"references\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"state\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"quantum\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <h2>Memory Usage Summary</h2>\n"
-	" <table class=\"counters\">\n"
-	" <xsl:for-each select=\"memory/summary/*\">\n"
-	" <xsl:variable name=\"css-class13\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class13}\">\n"
-	" <th>\n"
-	" <xsl:value-of select=\"name()\"/>\n"
-	" </th>\n"
-	" <td>\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <h2>Memory Contexts</h2>\n"
-	" <table class=\"counters\">\n"
-	" <tr>\n"
-	" <th>ID</th>\n"
-	" <th>Name</th>\n"
-	" <th>References</th>\n"
-	" <th>TotalUse</th>\n"
-	" <th>InUse</th>\n"
-	" <th>MaxUse</th>\n"
-	" <th>BlockSize</th>\n"
-	" <th>Pools</th>\n"
-	" <th>HiWater</th>\n"
-	" <th>LoWater</th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"memory/contexts/context\">\n"
-	" <xsl:sort select=\"total\" data-type=\"number\" order=\"descending\"/>\n"
-	" <xsl:variable name=\"css-class14\">\n"
-	" <xsl:choose>\n"
-	" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
-	" <xsl:otherwise>odd</xsl:otherwise>\n"
-	" </xsl:choose>\n"
-	" </xsl:variable>\n"
-	" <tr class=\"{$css-class14}\">\n"
-	" <td>\n"
-	" <xsl:value-of select=\"id\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"name\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"references\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"total\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"inuse\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"maxinuse\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"blocksize\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"pools\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"hiwater\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"lowater\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <hr/>\n"
-	" <p class=\"footer\">Internet Systems Consortium Inc.<br/><a href=\"http://www.isc.org\">http://www.isc.org</a></p>\n"
-	" </body>\n"
-	" </html>\n"
-	" </xsl:template>\n"
-	"</xsl:stylesheet>\n";
diff --git a/contrib/bind9/bin/named/bind9.xsl b/contrib/bind9/bin/named/bind9.xsl
deleted file mode 100644
index 8063cc6..0000000
--- a/contrib/bind9/bin/named/bind9.xsl
+++ /dev/null
@@ -1,492 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- - Copyright (C) 2006-2009  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp $ -->
-
-<xsl:stylesheet version="1.0"
-   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
-   xmlns="http://www.w3.org/1999/xhtml">
-  <xsl:template match="isc/bind/statistics">
-    <html>
-      <head>
-        <style type="text/css">
-body {
-	font-family: sans-serif;
-	background-color: #ffffff;
-	color: #000000;
-}
-
-table {
-	border-collapse: collapse;
-}
-
-tr.rowh {
-	text-align: center;
-	border: 1px solid #000000;
-	background-color: #8080ff;
-	color: #ffffff;
-}
-
-tr.row {
-	text-align: right;
-	border: 1px solid #000000;
-	background-color: teal;
-	color: #ffffff;
-}
-
-tr.lrow {
-	text-align: left;
-	border: 1px solid #000000;
-	background-color: teal;
-	color: #ffffff;
-}
-
-td, th {
-	padding-right: 5px;
-	padding-left: 5px;
-}
-
-.header h1 {
-	background-color: teal;
-	color: #ffffff;
-	padding: 4px;
-}
-
-.content {
-	background-color: #ffffff;
-	color: #000000;
-	padding: 4px;
-}
-
-.item {
-	padding: 4px;
-	align: right;
-}
-
-.value {
-	padding: 4px;
-	font-weight: bold;
-}
-
-div.statcounter h2 {
-	text-align: center;
-	font-size: large;
-	border: 1px solid #000000;
-	background-color: #8080ff;
-	color: #ffffff;
-}
-
-div.statcounter dl {
-	float: left;
-	margin-top: 0;
-	margin-bottom: 0;
-	margin-left: 0;
-	margin-right: 0;
-}
-
-div.statcounter dt {
-	width: 200px;
-	text-align: center;
-	font-weight: bold;
-	border: 0.5px solid #000000;
-	background-color: #8080ff;
-	color: #ffffff;
-}
-
-div.statcounter dd {
-	width: 200px;
-	text-align: right;
-	border: 0.5px solid #000000;
-	background-color: teal;
-	color: #ffffff;
-	margin-left: 0;
-	margin-right: 0;
-}
-
-div.statcounter br {
-	clear: left;
-}
-        </style>
-        <title>BIND 9 Statistics</title>
-      </head>
-      <body>
-	<div class="header">
-	  <h1>Bind 9 Configuration and Statistics</h1>
-	</div>
-
-	<br/>
-
-	<table>
-	  <tr class="rowh"><th colspan="2">Times</th></tr>
-	  <tr class="lrow">
-	    <td>boot-time</td>
-	    <td><xsl:value-of select="server/boot-time"/></td>
-	  </tr>
-	  <tr class="lrow">
-	    <td>current-time</td>
-	    <td><xsl:value-of select="server/current-time"/></td>
-	  </tr>
-	</table>
-
-	<br/>
-
-	<table>
-	  <tr class="rowh"><th colspan="2">Incoming Requests</th></tr>
-	  <xsl:for-each select="server/requests/opcode">
-	    <tr class="lrow">
-	      <td><xsl:value-of select="name"/></td>
-	      <td><xsl:value-of select="counter"/></td>
-	    </tr>
-	  </xsl:for-each>
-	</table>
-
-	<br/>
-
-	<table>
-	  <tr class="rowh"><th colspan="2">Incoming Queries</th></tr>
-	  <xsl:for-each select="server/queries-in/rdtype">
-	    <tr class="lrow">
-	      <td><xsl:value-of select="name"/></td>
-	      <td><xsl:value-of select="counter"/></td>
-	    </tr>
-	  </xsl:for-each>
-	</table>
-
-	<br/>
-
-	<xsl:for-each select="views/view">
-	  <table>
-	    <tr class="rowh">
-	      <th colspan="2">Outgoing Queries from View <xsl:value-of select="name"/></th>
-	    </tr>
-	    <xsl:for-each select="rdtype">
-	      <tr class="lrow">
-		<td><xsl:value-of select="name"/></td>
-		<td><xsl:value-of select="counter"/></td>
-	      </tr>
-	    </xsl:for-each>
-	  </table>
-	  <br/>
-	</xsl:for-each>
-
-	<br/>
-
-	<div class="statcounter">
-	  <h2>Server Statistics</h2>
-	  <xsl:for-each select="server/nsstat">
-	    <dl>
-	      <dt><xsl:value-of select="name"/></dt>
-	      <dd><xsl:value-of select="counter"/></dd>
-	    </dl>
-	  </xsl:for-each>
-	  <br/>
-	</div>
-
-	<div class="statcounter">
-	  <h2>Zone Maintenance Statistics</h2>
-	  <xsl:for-each select="server/zonestat">
-	    <dl>
-	      <dt><xsl:value-of select="name"/></dt>
-	      <dd><xsl:value-of select="counter"/></dd>
-	    </dl>
-	  </xsl:for-each>
-	  <br />
-	</div>
-
-	<div class="statcounter">
-	  <h2>Resolver Statistics (Common)</h2>
-	  <xsl:for-each select="server/resstat">
-	    <dl>
-	      <dt><xsl:value-of select="name"/></dt>
-	      <dd><xsl:value-of select="counter"/></dd>
-	    </dl>
-	  </xsl:for-each>
-	  <br />
-	</div>
-
-	<xsl:for-each select="views/view">
-	  <div class="statcounter">
-	    <h2>Resolver Statistics for View <xsl:value-of select="name"/></h2>
-	    <xsl:for-each select="resstat">
-	      <dl>
-		<dt><xsl:value-of select="name"/></dt>
-		<dd><xsl:value-of select="counter"/></dd>
-	      </dl>
-	    </xsl:for-each>
-	    <br />
-	  </div>
-	</xsl:for-each>
-
-	<br />
-
-	<xsl:for-each select="views/view">
-	  <table>
-	    <tr class="rowh">
-	      <th colspan="2">Cache DB RRsets for View <xsl:value-of select="name"/></th>
-	    </tr>
-	    <xsl:for-each select="cache/rrset">
-	      <tr class="lrow">
-		<td><xsl:value-of select="name"/></td>
-		<td><xsl:value-of select="counter"/></td>
-	      </tr>
-	    </xsl:for-each>
-	  </table>
-	  <br/>
-	</xsl:for-each>
-
-	<div class="statcounter">
-	  <h2>Socket I/O Statistics</h2>
-	  <xsl:for-each select="server/sockstat">
-	    <dl>
-	      <dt><xsl:value-of select="name"/></dt>
-	      <dd><xsl:value-of select="counter"/></dd>
-	    </dl>
-	  </xsl:for-each>
-	  <br/>
-	</div>
-
-	<br/>
-
-        <xsl:for-each select="views/view">
-          <table>
-            <tr class="rowh">
-              <th colspan="10">Zones for View <xsl:value-of select="name"/></th>
-            </tr>
-            <tr class="rowh">
-              <th>Name</th>
-              <th>Class</th>
-              <th>Serial</th>
-              <th>Success</th>
-              <th>Referral</th>
-              <th>NXRRSET</th>
-              <th>NXDOMAIN</th>
-              <th>Failure</th>
-	      <th>XfrReqDone</th>
-	      <th>XfrRej</th>
-            </tr>
-            <xsl:for-each select="zones/zone">
-              <tr class="lrow">
-                <td>
-                  <xsl:value-of select="name"/>
-                </td>
-                <td>
-                  <xsl:value-of select="rdataclass"/>
-                </td>
-                <td>
-                  <xsl:value-of select="serial"/>
-                </td>
-                <td>
-                  <xsl:value-of select="counters/QrySuccess"/>
-                </td>
-                <td>
-                  <xsl:value-of select="counters/QryReferral"/>
-                </td>
-                <td>
-                  <xsl:value-of select="counters/QryNxrrset"/>
-                </td>
-                <td>
-                  <xsl:value-of select="counters/QryNXDOMAIN"/>
-                </td>
-                <td>
-                  <xsl:value-of select="counters/QryFailure"/>
-                </td>
-                <td>
-                  <xsl:value-of select="counters/XfrReqDone"/>
-                </td>
-                <td>
-                  <xsl:value-of select="counters/XfrRej"/>
-                </td>
-              </tr>
-            </xsl:for-each>
-          </table>
-          <br/>
-        </xsl:for-each>
-
-        <br/>
-
-        <table>
-          <tr class="rowh">
-            <th colspan="7">Network Status</th>
-          </tr>
-          <tr class="rowh">
-            <th>ID</th>
-	    <th>Name</th>
-            <th>Type</th>
-            <th>References</th>
-            <th>LocalAddress</th>
-            <th>PeerAddress</th>
-            <th>State</th>
-          </tr>
-          <xsl:for-each select="socketmgr/sockets/socket">
-            <tr class="lrow">
-              <td>
-                <xsl:value-of select="id"/>
-              </td>
-              <td>
-                <xsl:value-of select="name"/>
-              </td>
-              <td>
-                <xsl:value-of select="type"/>
-              </td>
-              <td>
-                <xsl:value-of select="references"/>
-              </td>
-              <td>
-                <xsl:value-of select="local-address"/>
-              </td>
-              <td>
-                <xsl:value-of select="peer-address"/>
-              </td>
-              <td>
-                <xsl:for-each select="states">
-                  <xsl:value-of select="."/>
-                </xsl:for-each>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-        <br/>
-        <table>
-          <tr class="rowh">
-            <th colspan="2">Task Manager Configuration</th>
-          </tr>
-          <tr class="lrow">
-            <td>Thread-Model</td>
-            <td>
-              <xsl:value-of select="taskmgr/thread-model/type"/>
-            </td>
-          </tr>
-          <tr class="lrow">
-            <td>Worker Threads</td>
-            <td>
-              <xsl:value-of select="taskmgr/thread-model/worker-threads"/>
-            </td>
-          </tr>
-          <tr class="lrow">
-            <td>Default Quantum</td>
-            <td>
-              <xsl:value-of select="taskmgr/thread-model/default-quantum"/>
-            </td>
-          </tr>
-          <tr class="lrow">
-            <td>Tasks Running</td>
-            <td>
-              <xsl:value-of select="taskmgr/thread-model/tasks-running"/>
-            </td>
-          </tr>
-        </table>
-        <br/>
-        <table>
-          <tr class="rowh">
-            <th colspan="5">Tasks</th>
-          </tr>
-          <tr class="rowh">
-            <th>ID</th>
-            <th>Name</th>
-            <th>References</th>
-            <th>State</th>
-            <th>Quantum</th>
-          </tr>
-          <xsl:for-each select="taskmgr/tasks/task">
-            <tr class="lrow">
-              <td>
-                <xsl:value-of select="id"/>
-              </td>
-              <td>
-                <xsl:value-of select="name"/>
-              </td>
-              <td>
-                <xsl:value-of select="references"/>
-              </td>
-              <td>
-                <xsl:value-of select="state"/>
-              </td>
-              <td>
-                <xsl:value-of select="quantum"/>
-              </td>
-            </tr>
-          </xsl:for-each>
-        </table>
-	<br />
-	<table>
-          <tr class="rowh">
-            <th colspan="4">Memory Usage Summary</th>
-          </tr>
-	  <xsl:for-each select="memory/summary/*">
-	    <tr class="lrow">
-	      <td><xsl:value-of select="name()"/></td>
-	      <td><xsl:value-of select="."/></td>
-	    </tr>
-	  </xsl:for-each>
-	</table>
-	<br />
-	<table>
-          <tr class="rowh">
-            <th colspan="10">Memory Contexts</th>
-          </tr>
-	  <tr class="rowh">
-	    <th>ID</th>
-	    <th>Name</th>
-	    <th>References</th>
-	    <th>TotalUse</th>
-	    <th>InUse</th>
-	    <th>MaxUse</th>
-	    <th>BlockSize</th>
-	    <th>Pools</th>
-	    <th>HiWater</th>
-	    <th>LoWater</th>
-	  </tr>
-	  <xsl:for-each select="memory/contexts/context">
-	    <tr class="lrow">
-	      <td>
-		<xsl:value-of select="id"/>
-	      </td>
-              <td>
-                <xsl:value-of select="name"/>
-              </td>
-	      <td>
-		<xsl:value-of select="references"/>
-	      </td>
-	      <td>
-		<xsl:value-of select="total"/>
-	      </td>
-	      <td>
-		<xsl:value-of select="inuse"/>
-	      </td>
-	      <td>
-		<xsl:value-of select="maxinuse"/>
-	      </td>
-	      <td>
-		<xsl:value-of select="blocksize"/>
-	      </td>
-	      <td>
-		<xsl:value-of select="pools"/>
-	      </td>
-	      <td>
-		<xsl:value-of select="hiwater"/>
-	      </td>
-	      <td>
-		<xsl:value-of select="lowater"/>
-	      </td>
-	    </tr>
-	  </xsl:for-each>
-	</table>
-
-      </body>
-    </html>
-  </xsl:template>
-</xsl:stylesheet>
diff --git a/contrib/bind9/bin/named/bind9.xsl.h b/contrib/bind9/bin/named/bind9.xsl.h
deleted file mode 100644
index 19a58ff..0000000
--- a/contrib/bind9/bin/named/bind9.xsl.h
+++ /dev/null
@@ -1,497 +0,0 @@
-/*
- * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp  
- * From bind9.xsl 1.21 2009/01/27 23:47:54 tbox Exp 
- */
-static char xslmsg[] =
-	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
-	"<!--\n"
-	" - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. (\"ISC\")\n"
-	" -\n"
-	" - Permission to use, copy, modify, and/or distribute this software for any\n"
-	" - purpose with or without fee is hereby granted, provided that the above\n"
-	" - copyright notice and this permission notice appear in all copies.\n"
-	" -\n"
-	" - THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
-	" - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
-	" - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
-	" - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
-	" - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
-	" - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
-	" - PERFORMANCE OF THIS SOFTWARE.\n"
-	"-->\n"
-	"\n"
-	"<!-- \045Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp \045 -->\n"
-	"\n"
-	"<xsl:stylesheet version=\"1.0\"\n"
-	" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
-	" xmlns=\"http://www.w3.org/1999/xhtml\">\n"
-	" <xsl:template match=\"isc/bind/statistics\">\n"
-	" <html>\n"
-	" <head>\n"
-	" <style type=\"text/css\">\n"
-	"body {\n"
-	" font-family: sans-serif;\n"
-	" background-color: #ffffff;\n"
-	" color: #000000;\n"
-	"}\n"
-	"\n"
-	"table {\n"
-	" border-collapse: collapse;\n"
-	"}\n"
-	"\n"
-	"tr.rowh {\n"
-	" text-align: center;\n"
-	" border: 1px solid #000000;\n"
-	" background-color: #8080ff;\n"
-	" color: #ffffff;\n"
-	"}\n"
-	"\n"
-	"tr.row {\n"
-	" text-align: right;\n"
-	" border: 1px solid #000000;\n"
-	" background-color: teal;\n"
-	" color: #ffffff;\n"
-	"}\n"
-	"\n"
-	"tr.lrow {\n"
-	" text-align: left;\n"
-	" border: 1px solid #000000;\n"
-	" background-color: teal;\n"
-	" color: #ffffff;\n"
-	"}\n"
-	"\n"
-	"td, th {\n"
-	" padding-right: 5px;\n"
-	" padding-left: 5px;\n"
-	"}\n"
-	"\n"
-	".header h1 {\n"
-	" background-color: teal;\n"
-	" color: #ffffff;\n"
-	" padding: 4px;\n"
-	"}\n"
-	"\n"
-	".content {\n"
-	" background-color: #ffffff;\n"
-	" color: #000000;\n"
-	" padding: 4px;\n"
-	"}\n"
-	"\n"
-	".item {\n"
-	" padding: 4px;\n"
-	" align: right;\n"
-	"}\n"
-	"\n"
-	".value {\n"
-	" padding: 4px;\n"
-	" font-weight: bold;\n"
-	"}\n"
-	"\n"
-	"div.statcounter h2 {\n"
-	" text-align: center;\n"
-	" font-size: large;\n"
-	" border: 1px solid #000000;\n"
-	" background-color: #8080ff;\n"
-	" color: #ffffff;\n"
-	"}\n"
-	"\n"
-	"div.statcounter dl {\n"
-	" float: left;\n"
-	" margin-top: 0;\n"
-	" margin-bottom: 0;\n"
-	" margin-left: 0;\n"
-	" margin-right: 0;\n"
-	"}\n"
-	"\n"
-	"div.statcounter dt {\n"
-	" width: 200px;\n"
-	" text-align: center;\n"
-	" font-weight: bold;\n"
-	" border: 0.5px solid #000000;\n"
-	" background-color: #8080ff;\n"
-	" color: #ffffff;\n"
-	"}\n"
-	"\n"
-	"div.statcounter dd {\n"
-	" width: 200px;\n"
-	" text-align: right;\n"
-	" border: 0.5px solid #000000;\n"
-	" background-color: teal;\n"
-	" color: #ffffff;\n"
-	" margin-left: 0;\n"
-	" margin-right: 0;\n"
-	"}\n"
-	"\n"
-	"div.statcounter br {\n"
-	" clear: left;\n"
-	"}\n"
-	" </style>\n"
-	" <title>BIND 9 Statistics</title>\n"
-	" </head>\n"
-	" <body>\n"
-	" <div class=\"header\">\n"
-	" <h1>Bind 9 Configuration and Statistics</h1>\n"
-	" </div>\n"
-	"\n"
-	" <br/>\n"
-	"\n"
-	" <table>\n"
-	" <tr class=\"rowh\"><th colspan=\"2\">Times</th></tr>\n"
-	" <tr class=\"lrow\">\n"
-	" <td>boot-time</td>\n"
-	" <td><xsl:value-of select=\"server/boot-time\"/></td>\n"
-	" </tr>\n"
-	" <tr class=\"lrow\">\n"
-	" <td>current-time</td>\n"
-	" <td><xsl:value-of select=\"server/current-time\"/></td>\n"
-	" </tr>\n"
-	" </table>\n"
-	"\n"
-	" <br/>\n"
-	"\n"
-	" <table>\n"
-	" <tr class=\"rowh\"><th colspan=\"2\">Incoming Requests</th></tr>\n"
-	" <xsl:for-each select=\"server/requests/opcode\">\n"
-	" <tr class=\"lrow\">\n"
-	" <td><xsl:value-of select=\"name\"/></td>\n"
-	" <td><xsl:value-of select=\"counter\"/></td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	"\n"
-	" <br/>\n"
-	"\n"
-	" <table>\n"
-	" <tr class=\"rowh\"><th colspan=\"2\">Incoming Queries</th></tr>\n"
-	" <xsl:for-each select=\"server/queries-in/rdtype\">\n"
-	" <tr class=\"lrow\">\n"
-	" <td><xsl:value-of select=\"name\"/></td>\n"
-	" <td><xsl:value-of select=\"counter\"/></td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	"\n"
-	" <br/>\n"
-	"\n"
-	" <xsl:for-each select=\"views/view\">\n"
-	" <table>\n"
-	" <tr class=\"rowh\">\n"
-	" <th colspan=\"2\">Outgoing Queries from View <xsl:value-of select=\"name\"/></th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"rdtype\">\n"
-	" <tr class=\"lrow\">\n"
-	" <td><xsl:value-of select=\"name\"/></td>\n"
-	" <td><xsl:value-of select=\"counter\"/></td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" </xsl:for-each>\n"
-	"\n"
-	" <br/>\n"
-	"\n"
-	" <div class=\"statcounter\">\n"
-	" <h2>Server Statistics</h2>\n"
-	" <xsl:for-each select=\"server/nsstat\">\n"
-	" <dl>\n"
-	" <dt><xsl:value-of select=\"name\"/></dt>\n"
-	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
-	" </dl>\n"
-	" </xsl:for-each>\n"
-	" <br/>\n"
-	" </div>\n"
-	"\n"
-	" <div class=\"statcounter\">\n"
-	" <h2>Zone Maintenance Statistics</h2>\n"
-	" <xsl:for-each select=\"server/zonestat\">\n"
-	" <dl>\n"
-	" <dt><xsl:value-of select=\"name\"/></dt>\n"
-	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
-	" </dl>\n"
-	" </xsl:for-each>\n"
-	" <br />\n"
-	" </div>\n"
-	"\n"
-	" <div class=\"statcounter\">\n"
-	" <h2>Resolver Statistics (Common)</h2>\n"
-	" <xsl:for-each select=\"server/resstat\">\n"
-	" <dl>\n"
-	" <dt><xsl:value-of select=\"name\"/></dt>\n"
-	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
-	" </dl>\n"
-	" </xsl:for-each>\n"
-	" <br />\n"
-	" </div>\n"
-	"\n"
-	" <xsl:for-each select=\"views/view\">\n"
-	" <div class=\"statcounter\">\n"
-	" <h2>Resolver Statistics for View <xsl:value-of select=\"name\"/></h2>\n"
-	" <xsl:for-each select=\"resstat\">\n"
-	" <dl>\n"
-	" <dt><xsl:value-of select=\"name\"/></dt>\n"
-	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
-	" </dl>\n"
-	" </xsl:for-each>\n"
-	" <br />\n"
-	" </div>\n"
-	" </xsl:for-each>\n"
-	"\n"
-	" <br />\n"
-	"\n"
-	" <xsl:for-each select=\"views/view\">\n"
-	" <table>\n"
-	" <tr class=\"rowh\">\n"
-	" <th colspan=\"2\">Cache DB RRsets for View <xsl:value-of select=\"name\"/></th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"cache/rrset\">\n"
-	" <tr class=\"lrow\">\n"
-	" <td><xsl:value-of select=\"name\"/></td>\n"
-	" <td><xsl:value-of select=\"counter\"/></td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" </xsl:for-each>\n"
-	"\n"
-	" <div class=\"statcounter\">\n"
-	" <h2>Socket I/O Statistics</h2>\n"
-	" <xsl:for-each select=\"server/sockstat\">\n"
-	" <dl>\n"
-	" <dt><xsl:value-of select=\"name\"/></dt>\n"
-	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
-	" </dl>\n"
-	" </xsl:for-each>\n"
-	" <br/>\n"
-	" </div>\n"
-	"\n"
-	" <br/>\n"
-	"\n"
-	" <xsl:for-each select=\"views/view\">\n"
-	" <table>\n"
-	" <tr class=\"rowh\">\n"
-	" <th colspan=\"10\">Zones for View <xsl:value-of select=\"name\"/></th>\n"
-	" </tr>\n"
-	" <tr class=\"rowh\">\n"
-	" <th>Name</th>\n"
-	" <th>Class</th>\n"
-	" <th>Serial</th>\n"
-	" <th>Success</th>\n"
-	" <th>Referral</th>\n"
-	" <th>NXRRSET</th>\n"
-	" <th>NXDOMAIN</th>\n"
-	" <th>Failure</th>\n"
-	" <th>XfrReqDone</th>\n"
-	" <th>XfrRej</th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"zones/zone\">\n"
-	" <tr class=\"lrow\">\n"
-	" <td>\n"
-	" <xsl:value-of select=\"name\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"rdataclass\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"serial\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"counters/QrySuccess\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"counters/QryReferral\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"counters/QryNxrrset\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"counters/QryNXDOMAIN\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"counters/QryFailure\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"counters/XfrReqDone\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"counters/XfrRej\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" </xsl:for-each>\n"
-	"\n"
-	" <br/>\n"
-	"\n"
-	" <table>\n"
-	" <tr class=\"rowh\">\n"
-	" <th colspan=\"7\">Network Status</th>\n"
-	" </tr>\n"
-	" <tr class=\"rowh\">\n"
-	" <th>ID</th>\n"
-	" <th>Name</th>\n"
-	" <th>Type</th>\n"
-	" <th>References</th>\n"
-	" <th>LocalAddress</th>\n"
-	" <th>PeerAddress</th>\n"
-	" <th>State</th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"socketmgr/sockets/socket\">\n"
-	" <tr class=\"lrow\">\n"
-	" <td>\n"
-	" <xsl:value-of select=\"id\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"name\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"type\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"references\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"local-address\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"peer-address\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:for-each select=\"states\">\n"
-	" <xsl:value-of select=\".\"/>\n"
-	" </xsl:for-each>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <table>\n"
-	" <tr class=\"rowh\">\n"
-	" <th colspan=\"2\">Task Manager Configuration</th>\n"
-	" </tr>\n"
-	" <tr class=\"lrow\">\n"
-	" <td>Thread-Model</td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"taskmgr/thread-model/type\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" <tr class=\"lrow\">\n"
-	" <td>Worker Threads</td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"taskmgr/thread-model/worker-threads\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" <tr class=\"lrow\">\n"
-	" <td>Default Quantum</td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"taskmgr/thread-model/default-quantum\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" <tr class=\"lrow\">\n"
-	" <td>Tasks Running</td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"taskmgr/thread-model/tasks-running\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </table>\n"
-	" <br/>\n"
-	" <table>\n"
-	" <tr class=\"rowh\">\n"
-	" <th colspan=\"5\">Tasks</th>\n"
-	" </tr>\n"
-	" <tr class=\"rowh\">\n"
-	" <th>ID</th>\n"
-	" <th>Name</th>\n"
-	" <th>References</th>\n"
-	" <th>State</th>\n"
-	" <th>Quantum</th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"taskmgr/tasks/task\">\n"
-	" <tr class=\"lrow\">\n"
-	" <td>\n"
-	" <xsl:value-of select=\"id\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"name\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"references\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"state\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"quantum\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br />\n"
-	" <table>\n"
-	" <tr class=\"rowh\">\n"
-	" <th colspan=\"4\">Memory Usage Summary</th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"memory/summary/*\">\n"
-	" <tr class=\"lrow\">\n"
-	" <td><xsl:value-of select=\"name()\"/></td>\n"
-	" <td><xsl:value-of select=\".\"/></td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	" <br />\n"
-	" <table>\n"
-	" <tr class=\"rowh\">\n"
-	" <th colspan=\"10\">Memory Contexts</th>\n"
-	" </tr>\n"
-	" <tr class=\"rowh\">\n"
-	" <th>ID</th>\n"
-	" <th>Name</th>\n"
-	" <th>References</th>\n"
-	" <th>TotalUse</th>\n"
-	" <th>InUse</th>\n"
-	" <th>MaxUse</th>\n"
-	" <th>BlockSize</th>\n"
-	" <th>Pools</th>\n"
-	" <th>HiWater</th>\n"
-	" <th>LoWater</th>\n"
-	" </tr>\n"
-	" <xsl:for-each select=\"memory/contexts/context\">\n"
-	" <tr class=\"lrow\">\n"
-	" <td>\n"
-	" <xsl:value-of select=\"id\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"name\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"references\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"total\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"inuse\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"maxinuse\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"blocksize\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"pools\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"hiwater\"/>\n"
-	" </td>\n"
-	" <td>\n"
-	" <xsl:value-of select=\"lowater\"/>\n"
-	" </td>\n"
-	" </tr>\n"
-	" </xsl:for-each>\n"
-	" </table>\n"
-	"\n"
-	" </body>\n"
-	" </html>\n"
-	" </xsl:template>\n"
-	"</xsl:stylesheet>\n";
diff --git a/contrib/bind9/bin/named/builtin.c b/contrib/bind9/bin/named/builtin.c
deleted file mode 100644
index 4604cb3..0000000
--- a/contrib/bind9/bin/named/builtin.c
+++ /dev/null
@@ -1,576 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: builtin.c,v 1.26 2012/01/21 19:44:18 each Exp $ */
-
-/*! \file
- * \brief
- * The built-in "version", "hostname", "id", "authors" and "empty" databases.
- */
-
-#include <config.h>
-
-#include <string.h>
-#include <stdio.h>
-
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/util.h>
-
-#include <dns/result.h>
-#include <dns/sdb.h>
-
-#include <named/builtin.h>
-#include <named/globals.h>
-#include <named/server.h>
-#include <named/os.h>
-
-typedef struct builtin builtin_t;
-
-static isc_result_t do_version_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_empty_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_dns64_lookup(dns_sdblookup_t *lookup);
-
-/*
- * We can't use function pointers as the db_data directly
- * because ANSI C does not guarantee that function pointers
- * can safely be cast to void pointers and back.
- */
-
-struct builtin {
-	isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
-	char *server;
-	char *contact;
-};
-
-static builtin_t version_builtin = { do_version_lookup,  NULL, NULL };
-static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL };
-static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL };
-static builtin_t id_builtin = { do_id_lookup, NULL, NULL };
-static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL };
-static builtin_t dns64_builtin = { do_dns64_lookup, NULL, NULL };
-
-static dns_sdbimplementation_t *builtin_impl;
-static dns_sdbimplementation_t *dns64_impl;
-
-/*
- * Pre computed HEX * 16 or 1 table.
- */
-static const unsigned char hex16[256] = {
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*00*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,	/*10*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*20*/
-	 0, 16, 32, 48, 64, 80, 96,112,128,144,  1,  1,  1,  1,  1,  1,	/*30*/
-	 1,160,176,192,208,224,240,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*40*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*50*/
-	 1,160,176,192,208,224,240,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*60*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*70*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*80*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*90*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*A0*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*B0*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*C0*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*D0*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1, /*E0*/
-	 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1  /*F0*/
-};
-
-const unsigned char decimal[] = "0123456789";
-
-static size_t
-dns64_rdata(unsigned char *v, size_t start, unsigned char *rdata) {
-	size_t i, j = 0;
-
-	for (i = 0; i < 4U; i++) {
-		unsigned char c = v[start++];
-		if (start == 7U)
-			start++;
-		if (c > 99) {
-			rdata[j++] = 3;
-			rdata[j++] = decimal[c/100]; c = c % 100;
-			rdata[j++] = decimal[c/10]; c = c % 10;
-			rdata[j++] = decimal[c];
-		} else if (c > 9) {
-			rdata[j++] = 2;
-			rdata[j++] = decimal[c/10]; c = c % 10;
-			rdata[j++] = decimal[c];
-		} else {
-			rdata[j++] = 1;
-			rdata[j++] = decimal[c];
-		}
-	}
-	memcpy(&rdata[j], "\07in-addr\04arpa", 14);
-	return (j + 14);
-}
-
-static isc_result_t
-dns64_cname(const dns_name_t *zone, const dns_name_t *name,
-	    dns_sdblookup_t *lookup)
-{
-	size_t zlen, nlen, j, len;
-	unsigned char v[16], n;
-	unsigned int i;
-	unsigned char rdata[sizeof("123.123.123.123.in-addr.arpa.")];
-	unsigned char *ndata;
-
-	/*
-	 * The combined length of the zone and name is 74.
-	 *
-	 * The minimum zone length is 10 ((3)ip6(4)arpa(0)).
-	 *
-	 * The length of name should always be even as we are expecting
-	 * a series of nibbles.
-	 */
-	zlen = zone->length;
-	nlen = name->length;
-	if ((zlen + nlen) > 74U || zlen < 10U || (nlen % 2) != 0U)
-		return (ISC_R_NOTFOUND);
-
-	/*
-	 * We assume the zone name is well formed.
-	 */
-
-	/*
-	 * XXXMPA We could check the dns64 suffix here if we need to.
-	 */
-	/*
-	 * Check that name is a series of nibbles.
-	 * Compute the byte values that correspond to the nibbles as we go.
-	 *
-	 * Shift the final result 4 bits, by setting 'i' to 1, if we if we
-	 * have a odd number of nibbles so that "must be zero" tests below
-	 * are byte aligned and we correctly return ISC_R_NOTFOUND or
-	 * ISC_R_SUCCESS.  We will not generate a CNAME in this case.
-	 */
-	ndata = name->ndata;
-	i = (nlen % 4) == 2U ? 1 : 0;
-	j = nlen;
-	memset(v, 0, sizeof(v));
-	while (j != 0U) {
-		INSIST((i/2) < sizeof(v));
-		if (ndata[0] != 1)
-			return (ISC_R_NOTFOUND);
-		n = hex16[ndata[1]&0xff];
-		if (n == 1)
-			return (ISC_R_NOTFOUND);
-		v[i/2] = n | (v[i/2]>>4);
-		j -= 2;
-		ndata += 2;
-		i++;
-	}
-
-	/*
-	 * If we get here then we know name only consisted of nibbles.
-	 * Now we need to determine if the name exists or not and whether
-	 * it corresponds to a empty node in the zone or there should be
-	 * a CNAME.
-	 */
-#define ZLEN(x) (10 + (x)/2)
-	switch (zlen) {
-	case ZLEN(32):	/* prefix len 32 */
-		/*
-		 * The nibbles that map to this byte must be zero for 'name'
-		 * to exist in the zone.
-		 */
-		if (nlen > 16U && v[(nlen-1)/4 - 4] != 0)
-			return (ISC_R_NOTFOUND);
-		/*
-		 * If the total length is not 74 then this is a empty node
-		 * so return success.
-		 */
-		if (nlen + zlen != 74U)
-			return (ISC_R_SUCCESS);
-		len = dns64_rdata(v, 8, rdata);
-		break;
-	case ZLEN(40):	/* prefix len 40 */
-		/*
-		 * The nibbles that map to this byte must be zero for 'name'
-		 * to exist in the zone.
-		 */
-		if (nlen > 12U && v[(nlen-1)/4 - 3] != 0)
-			return (ISC_R_NOTFOUND);
-		/*
-		 * If the total length is not 74 then this is a empty node
-		 * so return success.
-		 */
-		if (nlen + zlen != 74U)
-			return (ISC_R_SUCCESS);
-		len = dns64_rdata(v, 6, rdata);
-		break;
-	case ZLEN(48):	/* prefix len 48 */
-		/*
-		 * The nibbles that map to this byte must be zero for 'name'
-		 * to exist in the zone.
-		 */
-		if (nlen > 8U && v[(nlen-1)/4 - 2] != 0)
-			return (ISC_R_NOTFOUND);
-		/*
-		 * If the total length is not 74 then this is a empty node
-		 * so return success.
-		 */
-		if (nlen + zlen != 74U)
-			return (ISC_R_SUCCESS);
-		len = dns64_rdata(v, 5, rdata);
-		break;
-	case ZLEN(56):	/* prefix len 56 */
-		/*
-		 * The nibbles that map to this byte must be zero for 'name'
-		 * to exist in the zone.
-		 */
-		if (nlen > 4U && v[(nlen-1)/4 - 1] != 0)
-			return (ISC_R_NOTFOUND);
-		/*
-		 * If the total length is not 74 then this is a empty node
-		 * so return success.
-		 */
-		if (nlen + zlen != 74U)
-			return (ISC_R_SUCCESS);
-		len = dns64_rdata(v, 4, rdata);
-		break;
-	case ZLEN(64):	/* prefix len 64 */
-		/*
-		 * The nibbles that map to this byte must be zero for 'name'
-		 * to exist in the zone.
-		 */
-		if (v[(nlen-1)/4] != 0)
-			return (ISC_R_NOTFOUND);
-		/*
-		 * If the total length is not 74 then this is a empty node
-		 * so return success.
-		 */
-		if (nlen + zlen != 74U)
-			return (ISC_R_SUCCESS);
-		len = dns64_rdata(v, 3, rdata);
-		break;
-	case ZLEN(96):	/* prefix len 96 */
-		/*
-		 * If the total length is not 74 then this is a empty node
-		 * so return success.
-		 */
-		if (nlen + zlen != 74U)
-			return (ISC_R_SUCCESS);
-		len = dns64_rdata(v, 0, rdata);
-		break;
-	default:
-		/*
-		 * This should never be reached unless someone adds a
-		 * zone declaration with this internal type to named.conf.
-		 */
-		return (ISC_R_NOTFOUND);
-	}
-	return (dns_sdb_putrdata(lookup, dns_rdatatype_cname, 600, rdata, len));
-}
-
-static isc_result_t
-builtin_lookup(const char *zone, const char *name, void *dbdata,
-	       dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods,
-	       dns_clientinfo_t *clientinfo)
-{
-	builtin_t *b = (builtin_t *) dbdata;
-
-	UNUSED(zone);
-	UNUSED(methods);
-	UNUSED(clientinfo);
-
-	if (strcmp(name, "@") == 0)
-		return (b->do_lookup(lookup));
-	else
-		return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-dns64_lookup(const dns_name_t *zone, const dns_name_t *name, void *dbdata,
-	     dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods,
-	     dns_clientinfo_t *clientinfo)
-{
-	builtin_t *b = (builtin_t *) dbdata;
-
-	UNUSED(methods);
-	UNUSED(clientinfo);
-
-	if (name->labels == 0 && name->length == 0)
-		return (b->do_lookup(lookup));
-	else
-		return (dns64_cname(zone, name, lookup));
-}
-
-static isc_result_t
-put_txt(dns_sdblookup_t *lookup, const char *text) {
-	unsigned char buf[256];
-	unsigned int len = strlen(text);
-	if (len > 255)
-		len = 255; /* Silently truncate */
-	buf[0] = len;
-	memcpy(&buf[1], text, len);
-	return (dns_sdb_putrdata(lookup, dns_rdatatype_txt, 0, buf, len + 1));
-}
-
-static isc_result_t
-do_version_lookup(dns_sdblookup_t *lookup) {
-	if (ns_g_server->version_set) {
-		if (ns_g_server->version == NULL)
-			return (ISC_R_SUCCESS);
-		else
-			return (put_txt(lookup, ns_g_server->version));
-	} else {
-		return (put_txt(lookup, ns_g_version));
-	}
-}
-
-static isc_result_t
-do_hostname_lookup(dns_sdblookup_t *lookup) {
-	if (ns_g_server->hostname_set) {
-		if (ns_g_server->hostname == NULL)
-			return (ISC_R_SUCCESS);
-		else
-			return (put_txt(lookup, ns_g_server->hostname));
-	} else {
-		char buf[256];
-		isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		return (put_txt(lookup, buf));
-	}
-}
-
-static isc_result_t
-do_authors_lookup(dns_sdblookup_t *lookup) {
-	isc_result_t result;
-	const char **p;
-	static const char *authors[] = {
-		"Mark Andrews",
-		"Curtis Blackburn",
-		"James Brister",
-		"Ben Cottrell",
-		"John H. DuBois III",
-		"Francis Dupont",
-		"Michael Graff",
-		"Andreas Gustafsson",
-		"Bob Halley",
-		"Evan Hunt",
-		"JINMEI Tatuya",
-		"David Lawrence",
-		"Scott Mann",
-		"Danny Mayer",
-		"Damien Neil",
-		"Matt Nelson",
-		"Jeremy C. Reed",
-		"Michael Sawyer",
-		"Brian Wellington",
-		NULL
-	};
-
-	/*
-	 * If a version string is specified, disable the authors.bind zone.
-	 */
-	if (ns_g_server->version_set)
-		return (ISC_R_SUCCESS);
-
-	for (p = authors; *p != NULL; p++) {
-		result = put_txt(lookup, *p);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-do_id_lookup(dns_sdblookup_t *lookup) {
-
-	if (ns_g_server->server_usehostname) {
-		char buf[256];
-		isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		return (put_txt(lookup, buf));
-	}
-
-	if (ns_g_server->server_id == NULL)
-		return (ISC_R_SUCCESS);
-	else
-		return (put_txt(lookup, ns_g_server->server_id));
-}
-
-static isc_result_t
-do_dns64_lookup(dns_sdblookup_t *lookup) {
-	UNUSED(lookup);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-do_empty_lookup(dns_sdblookup_t *lookup) {
-
-	UNUSED(lookup);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
-	isc_result_t result;
-	const char *contact = "hostmaster";
-	const char *server = "@";
-	builtin_t *b = (builtin_t *) dbdata;
-
-	UNUSED(zone);
-	UNUSED(dbdata);
-
-	if (b == &empty_builtin) {
-		server = ".";
-		contact = ".";
-	} else {
-		if (b->server != NULL)
-			server = b->server;
-		if (b->contact != NULL)
-			contact = b->contact;
-	}
-
-	result = dns_sdb_putsoa(lookup, server, contact, 0);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_R_FAILURE);
-
-	result = dns_sdb_putrr(lookup, "ns", 0, server);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_R_FAILURE);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-builtin_create(const char *zone, int argc, char **argv,
-	       void *driverdata, void **dbdata)
-{
-	REQUIRE(argc >= 1);
-
-	UNUSED(zone);
-	UNUSED(driverdata);
-
-	if (strcmp(argv[0], "empty") == 0 || strcmp(argv[0], "dns64") == 0) {
-		if (argc != 3)
-			return (DNS_R_SYNTAX);
-	} else if (argc != 1)
-		return (DNS_R_SYNTAX);
-
-	if (strcmp(argv[0], "version") == 0)
-		*dbdata = &version_builtin;
-	else if (strcmp(argv[0], "hostname") == 0)
-		*dbdata = &hostname_builtin;
-	else if (strcmp(argv[0], "authors") == 0)
-		*dbdata = &authors_builtin;
-	else if (strcmp(argv[0], "id") == 0)
-		*dbdata = &id_builtin;
-	else if (strcmp(argv[0], "empty") == 0 ||
-		 strcmp(argv[0], "dns64") == 0) {
-		builtin_t *empty;
-		char *server;
-		char *contact;
-		/*
-		 * We don't want built-in zones to fail.  Fallback to
-		 * the static configuration if memory allocation fails.
-		 */
-		empty = isc_mem_get(ns_g_mctx, sizeof(*empty));
-		server = isc_mem_strdup(ns_g_mctx, argv[1]);
-		contact = isc_mem_strdup(ns_g_mctx, argv[2]);
-		if (empty == NULL || server == NULL || contact == NULL) {
-			if (strcmp(argv[0], "empty") == 0)
-				*dbdata = &empty_builtin;
-			else
-				*dbdata = &dns64_builtin;
-			if (server != NULL)
-				isc_mem_free(ns_g_mctx, server);
-			if (contact != NULL)
-				isc_mem_free(ns_g_mctx, contact);
-			if (empty != NULL)
-				isc_mem_put(ns_g_mctx, empty, sizeof (*empty));
-		} else {
-			if (strcmp(argv[0], "empty") == 0)
-				memcpy(empty, &empty_builtin,
-				       sizeof (empty_builtin));
-			else
-				memcpy(empty, &dns64_builtin,
-				       sizeof (empty_builtin));
-			empty->server = server;
-			empty->contact = contact;
-			*dbdata = empty;
-		}
-	} else
-		return (ISC_R_NOTIMPLEMENTED);
-	return (ISC_R_SUCCESS);
-}
-
-static void
-builtin_destroy(const char *zone, void *driverdata, void **dbdata) {
-	builtin_t *b = (builtin_t *) *dbdata;
-
-	UNUSED(zone);
-	UNUSED(driverdata);
-
-	/*
-	 * Don't free the static versions.
-	 */
-	if (*dbdata == &version_builtin || *dbdata == &hostname_builtin ||
-	    *dbdata == &authors_builtin || *dbdata == &id_builtin ||
-	    *dbdata == &empty_builtin || *dbdata == &dns64_builtin)
-		return;
-
-	isc_mem_free(ns_g_mctx, b->server);
-	isc_mem_free(ns_g_mctx, b->contact);
-	isc_mem_put(ns_g_mctx, b, sizeof (*b));
-}
-
-static dns_sdbmethods_t builtin_methods = {
-	builtin_lookup,
-	builtin_authority,
-	NULL,		/* allnodes */
-	builtin_create,
-	builtin_destroy,
-	NULL
-};
-
-static dns_sdbmethods_t dns64_methods = {
-	NULL,
-	builtin_authority,
-	NULL,		/* allnodes */
-	builtin_create,
-	builtin_destroy,
-	dns64_lookup,
-};
-
-isc_result_t
-ns_builtin_init(void) {
-	RUNTIME_CHECK(dns_sdb_register("_builtin", &builtin_methods, NULL,
-				       DNS_SDBFLAG_RELATIVEOWNER |
-				       DNS_SDBFLAG_RELATIVERDATA,
-				       ns_g_mctx, &builtin_impl)
-		      == ISC_R_SUCCESS);
-	RUNTIME_CHECK(dns_sdb_register("_dns64", &dns64_methods, NULL,
-				       DNS_SDBFLAG_RELATIVEOWNER |
-				       DNS_SDBFLAG_RELATIVERDATA |
-				       DNS_SDBFLAG_DNS64,
-				       ns_g_mctx, &dns64_impl)
-		      == ISC_R_SUCCESS);
-	return (ISC_R_SUCCESS);
-}
-
-void
-ns_builtin_deinit(void) {
-	dns_sdb_unregister(&builtin_impl);
-	dns_sdb_unregister(&dns64_impl);
-}
diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c
deleted file mode 100644
index 933abc7..0000000
--- a/contrib/bind9/bin/named/client.c
+++ /dev/null
@@ -1,2918 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <isc/formatcheck.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/queue.h>
-#include <isc/stats.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dispatch.h>
-#include <dns/events.h>
-#include <dns/message.h>
-#include <dns/peer.h>
-#include <dns/rcode.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/resolver.h>
-#include <dns/stats.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-
-#include <named/interfacemgr.h>
-#include <named/log.h>
-#include <named/notify.h>
-#include <named/os.h>
-#include <named/server.h>
-#include <named/update.h>
-
-/***
- *** Client
- ***/
-
-/*! \file
- * Client Routines
- *
- * Important note!
- *
- * All client state changes, other than that from idle to listening, occur
- * as a result of events.  This guarantees serialization and avoids the
- * need for locking.
- *
- * If a routine is ever created that allows someone other than the client's
- * task to change the client, then the client will have to be locked.
- */
-
-#define NS_CLIENT_TRACE
-#ifdef NS_CLIENT_TRACE
-#define CTRACE(m)	ns_client_log(client, \
-				      NS_LOGCATEGORY_CLIENT, \
-				      NS_LOGMODULE_CLIENT, \
-				      ISC_LOG_DEBUG(3), \
-				      "%s", (m))
-#define MTRACE(m)	isc_log_write(ns_g_lctx, \
-				      NS_LOGCATEGORY_GENERAL, \
-				      NS_LOGMODULE_CLIENT, \
-				      ISC_LOG_DEBUG(3), \
-				      "clientmgr @%p: %s", manager, (m))
-#else
-#define CTRACE(m)	((void)(m))
-#define MTRACE(m)	((void)(m))
-#endif
-
-#define TCP_CLIENT(c)	(((c)->attributes & NS_CLIENTATTR_TCP) != 0)
-
-#define TCP_BUFFER_SIZE			(65535 + 2)
-#define SEND_BUFFER_SIZE		4096
-#define RECV_BUFFER_SIZE		4096
-
-#ifdef ISC_PLATFORM_USETHREADS
-#define NMCTXS				100
-/*%<
- * Number of 'mctx pools' for clients. (Should this be configurable?)
- * When enabling threads, we use a pool of memory contexts shared by
- * client objects, since concurrent access to a shared context would cause
- * heavy contentions.  The above constant is expected to be enough for
- * completely avoiding contentions among threads for an authoritative-only
- * server.
- */
-#else
-#define NMCTXS				0
-/*%<
- * If named with built without thread, simply share manager's context.  Using
- * a separate context in this case would simply waste memory.
- */
-#endif
-
-/*% nameserver client manager structure */
-struct ns_clientmgr {
-	/* Unlocked. */
-	unsigned int			magic;
-
-	/* The queue object has its own locks */
-	client_queue_t			inactive;     /*%< To be recycled */
-
-	isc_mem_t *			mctx;
-	isc_taskmgr_t *			taskmgr;
-	isc_timermgr_t *		timermgr;
-
-	/* Lock covers manager state. */
-	isc_mutex_t			lock;
-	isc_boolean_t			exiting;
-
-	/* Lock covers the clients list */
-	isc_mutex_t			listlock;
-	client_list_t			clients;      /*%< All active clients */
-
-	/* Lock covers the recursing list */
-	isc_mutex_t			reclock;
-	client_list_t			recursing;    /*%< Recursing clients */
-
-#if NMCTXS > 0
-	/*%< mctx pool for clients. */
-	unsigned int			nextmctx;
-	isc_mem_t *			mctxpool[NMCTXS];
-#endif
-};
-
-#define MANAGER_MAGIC			ISC_MAGIC('N', 'S', 'C', 'm')
-#define VALID_MANAGER(m)		ISC_MAGIC_VALID(m, MANAGER_MAGIC)
-
-/*!
- * Client object states.  Ordering is significant: higher-numbered
- * states are generally "more active", meaning that the client can
- * have more dynamically allocated data, outstanding events, etc.
- * In the list below, any such properties listed for state N
- * also apply to any state > N.
- *
- * To force the client into a less active state, set client->newstate
- * to that state and call exit_check().  This will cause any
- * activities defined for higher-numbered states to be aborted.
- */
-
-#define NS_CLIENTSTATE_FREED    0
-/*%<
- * The client object no longer exists.
- */
-
-#define NS_CLIENTSTATE_INACTIVE 1
-/*%<
- * The client object exists and has a task and timer.
- * Its "query" struct and sendbuf are initialized.
- * It is on the client manager's list of inactive clients.
- * It has a message and OPT, both in the reset state.
- */
-
-#define NS_CLIENTSTATE_READY    2
-/*%<
- * The client object is either a TCP or a UDP one, and
- * it is associated with a network interface.  It is on the
- * client manager's list of active clients.
- *
- * If it is a TCP client object, it has a TCP listener socket
- * and an outstanding TCP listen request.
- *
- * If it is a UDP client object, it has a UDP listener socket
- * and an outstanding UDP receive request.
- */
-
-#define NS_CLIENTSTATE_READING  3
-/*%<
- * The client object is a TCP client object that has received
- * a connection.  It has a tcpsocket, tcpmsg, TCP quota, and an
- * outstanding TCP read request.  This state is not used for
- * UDP client objects.
- */
-
-#define NS_CLIENTSTATE_WORKING  4
-/*%<
- * The client object has received a request and is working
- * on it.  It has a view, and it may have any of a non-reset OPT,
- * recursion quota, and an outstanding write request.
- */
-
-#define NS_CLIENTSTATE_RECURSING  5
-/*%<
- * The client object is recursing.  It will be on the 'recursing'
- * list.
- */
-
-#define NS_CLIENTSTATE_MAX      9
-/*%<
- * Sentinel value used to indicate "no state".  When client->newstate
- * has this value, we are not attempting to exit the current state.
- * Must be greater than any valid state.
- */
-
-/*
- * Enable ns_client_dropport() by default.
- */
-#ifndef NS_CLIENT_DROPPORT
-#define NS_CLIENT_DROPPORT 1
-#endif
-
-unsigned int ns_client_requests;
-
-static void client_read(ns_client_t *client);
-static void client_accept(ns_client_t *client);
-static void client_udprecv(ns_client_t *client);
-static void clientmgr_destroy(ns_clientmgr_t *manager);
-static isc_boolean_t exit_check(ns_client_t *client);
-static void ns_client_endrequest(ns_client_t *client);
-static void client_start(isc_task_t *task, isc_event_t *event);
-static void client_request(isc_task_t *task, isc_event_t *event);
-static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
-static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
-			       dns_dispatch_t *disp, isc_boolean_t tcp);
-
-void
-ns_client_recursing(ns_client_t *client) {
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(client->state == NS_CLIENTSTATE_WORKING);
-
-	LOCK(&client->manager->reclock);
-	client->newstate = client->state = NS_CLIENTSTATE_RECURSING;
-	ISC_LIST_APPEND(client->manager->recursing, client, rlink);
-	UNLOCK(&client->manager->reclock);
-}
-
-void
-ns_client_killoldestquery(ns_client_t *client) {
-	ns_client_t *oldest;
-	REQUIRE(NS_CLIENT_VALID(client));
-
-	LOCK(&client->manager->reclock);
-	oldest = ISC_LIST_HEAD(client->manager->recursing);
-	if (oldest != NULL) {
-		ISC_LIST_UNLINK(client->manager->recursing, oldest, rlink);
-		UNLOCK(&client->manager->reclock);
-		ns_query_cancel(oldest);
-	} else
-		UNLOCK(&client->manager->reclock);
-}
-
-void
-ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
-	isc_result_t result;
-	isc_interval_t interval;
-
-	isc_interval_set(&interval, seconds, 0);
-	result = isc_timer_reset(client->timer, isc_timertype_once, NULL,
-				 &interval, ISC_FALSE);
-	client->timerset = ISC_TRUE;
-	if (result != ISC_R_SUCCESS) {
-		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
-			      "setting timeout: %s",
-			      isc_result_totext(result));
-		/* Continue anyway. */
-	}
-}
-
-/*%
- * Check for a deactivation or shutdown request and take appropriate
- * action.  Returns ISC_TRUE if either is in progress; in this case
- * the caller must no longer use the client object as it may have been
- * freed.
- */
-static isc_boolean_t
-exit_check(ns_client_t *client) {
-	isc_boolean_t destroy_manager = ISC_FALSE;
-	ns_clientmgr_t *manager = NULL;
-
-	REQUIRE(NS_CLIENT_VALID(client));
-	manager = client->manager;
-
-	if (client->state <= client->newstate)
-		return (ISC_FALSE); /* Business as usual. */
-
-	INSIST(client->newstate < NS_CLIENTSTATE_RECURSING);
-
-	/*
-	 * We need to detach from the view early when shutting down
-	 * the server to break the following vicious circle:
-	 *
-	 *  - The resolver will not shut down until the view refcount is zero
-	 *  - The view refcount does not go to zero until all clients detach
-	 *  - The client does not detach from the view until references is zero
-	 *  - references does not go to zero until the resolver has shut down
-	 *
-	 * Keep the view attached until any outstanding updates complete.
-	 */
-	if (client->nupdates == 0 &&
-	    client->newstate == NS_CLIENTSTATE_FREED && client->view != NULL)
-		dns_view_detach(&client->view);
-
-	if (client->state == NS_CLIENTSTATE_WORKING ||
-	    client->state == NS_CLIENTSTATE_RECURSING)
-	{
-		INSIST(client->newstate <= NS_CLIENTSTATE_READING);
-		/*
-		 * Let the update processing complete.
-		 */
-		if (client->nupdates > 0)
-			return (ISC_TRUE);
-
-		/*
-		 * We are trying to abort request processing.
-		 */
-		if (client->nsends > 0) {
-			isc_socket_t *socket;
-			if (TCP_CLIENT(client))
-				socket = client->tcpsocket;
-			else
-				socket = client->udpsocket;
-			isc_socket_cancel(socket, client->task,
-					  ISC_SOCKCANCEL_SEND);
-		}
-
-		if (! (client->nsends == 0 && client->nrecvs == 0 &&
-		       client->references == 0))
-		{
-			/*
-			 * Still waiting for I/O cancel completion.
-			 * or lingering references.
-			 */
-			return (ISC_TRUE);
-		}
-
-		/*
-		 * I/O cancel is complete.  Burn down all state
-		 * related to the current request.  Ensure that
-		 * the client is no longer on the recursing list.
-		 *
-		 * We need to check whether the client is still linked,
-		 * because it may already have been removed from the
-		 * recursing list by ns_client_killoldestquery()
-		 */
-		if (client->state == NS_CLIENTSTATE_RECURSING) {
-			LOCK(&manager->reclock);
-			if (ISC_LINK_LINKED(client, rlink))
-				ISC_LIST_UNLINK(manager->recursing,
-						client, rlink);
-			UNLOCK(&manager->reclock);
-		}
-		ns_client_endrequest(client);
-
-		client->state = NS_CLIENTSTATE_READING;
-		INSIST(client->recursionquota == NULL);
-
-		if (NS_CLIENTSTATE_READING == client->newstate) {
-			client_read(client);
-			client->newstate = NS_CLIENTSTATE_MAX;
-			return (ISC_TRUE); /* We're done. */
-		}
-	}
-
-	if (client->state == NS_CLIENTSTATE_READING) {
-		/*
-		 * We are trying to abort the current TCP connection,
-		 * if any.
-		 */
-		INSIST(client->recursionquota == NULL);
-		INSIST(client->newstate <= NS_CLIENTSTATE_READY);
-		if (client->nreads > 0)
-			dns_tcpmsg_cancelread(&client->tcpmsg);
-		if (! client->nreads == 0) {
-			/* Still waiting for read cancel completion. */
-			return (ISC_TRUE);
-		}
-
-		if (client->tcpmsg_valid) {
-			dns_tcpmsg_invalidate(&client->tcpmsg);
-			client->tcpmsg_valid = ISC_FALSE;
-		}
-		if (client->tcpsocket != NULL) {
-			CTRACE("closetcp");
-			isc_socket_detach(&client->tcpsocket);
-		}
-
-		if (client->tcpquota != NULL)
-			isc_quota_detach(&client->tcpquota);
-
-		if (client->timerset) {
-			(void)isc_timer_reset(client->timer,
-					      isc_timertype_inactive,
-					      NULL, NULL, ISC_TRUE);
-			client->timerset = ISC_FALSE;
-		}
-
-		client->peeraddr_valid = ISC_FALSE;
-
-		client->state = NS_CLIENTSTATE_READY;
-		INSIST(client->recursionquota == NULL);
-
-		/*
-		 * Now the client is ready to accept a new TCP connection
-		 * or UDP request, but we may have enough clients doing
-		 * that already.  Check whether this client needs to remain
-		 * active and force it to go inactive if not.
-		 *
-		 * UDP clients go inactive at this point, but TCP clients
-		 * may remain active if we have fewer active TCP client
-		 * objects than desired due to an earlier quota exhaustion.
-		 */
-		if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
-			LOCK(&client->interface->lock);
-			if (client->interface->ntcpcurrent <
-				    client->interface->ntcptarget)
-				client->mortal = ISC_FALSE;
-			UNLOCK(&client->interface->lock);
-		}
-
-		/*
-		 * We don't need the client; send it to the inactive
-		 * queue for recycling.
-		 */
-		if (client->mortal) {
-			if (client->newstate > NS_CLIENTSTATE_INACTIVE)
-				client->newstate = NS_CLIENTSTATE_INACTIVE;
-		}
-
-		if (NS_CLIENTSTATE_READY == client->newstate) {
-			if (TCP_CLIENT(client)) {
-				client_accept(client);
-			} else
-				client_udprecv(client);
-			client->newstate = NS_CLIENTSTATE_MAX;
-			return (ISC_TRUE);
-		}
-	}
-
-	if (client->state == NS_CLIENTSTATE_READY) {
-		INSIST(client->newstate <= NS_CLIENTSTATE_INACTIVE);
-
-		/*
-		 * We are trying to enter the inactive state.
-		 */
-		if (client->naccepts > 0)
-			isc_socket_cancel(client->tcplistener, client->task,
-					  ISC_SOCKCANCEL_ACCEPT);
-
-		/* Still waiting for accept cancel completion. */
-		if (! (client->naccepts == 0))
-			return (ISC_TRUE);
-
-		/* Accept cancel is complete. */
-		if (client->nrecvs > 0)
-			isc_socket_cancel(client->udpsocket, client->task,
-					  ISC_SOCKCANCEL_RECV);
-
-		/* Still waiting for recv cancel completion. */
-		if (! (client->nrecvs == 0))
-			return (ISC_TRUE);
-
-		/* Still waiting for control event to be delivered */
-		if (client->nctls > 0)
-			return (ISC_TRUE);
-
-		/* Deactivate the client. */
-		if (client->interface)
-			ns_interface_detach(&client->interface);
-
-		INSIST(client->naccepts == 0);
-		INSIST(client->recursionquota == NULL);
-		if (client->tcplistener != NULL)
-			isc_socket_detach(&client->tcplistener);
-
-		if (client->udpsocket != NULL)
-			isc_socket_detach(&client->udpsocket);
-
-		if (client->dispatch != NULL)
-			dns_dispatch_detach(&client->dispatch);
-
-		client->attributes = 0;
-		client->mortal = ISC_FALSE;
-
-		/*
-		 * Put the client on the inactive list.  If we are aiming for
-		 * the "freed" state, it will be removed from the inactive
-		 * list shortly, and we need to keep the manager locked until
-		 * that has been done, lest the manager decide to reactivate
-		 * the dying client inbetween.
-		 */
-		client->state = NS_CLIENTSTATE_INACTIVE;
-		INSIST(client->recursionquota == NULL);
-
-		if (client->state == client->newstate) {
-			client->newstate = NS_CLIENTSTATE_MAX;
-			if (!ns_g_clienttest && manager != NULL &&
-			    !manager->exiting)
-				ISC_QUEUE_PUSH(manager->inactive, client,
-					       ilink);
-			if (client->needshutdown)
-				isc_task_shutdown(client->task);
-			return (ISC_TRUE);
-		}
-	}
-
-	if (client->state == NS_CLIENTSTATE_INACTIVE) {
-		INSIST(client->newstate == NS_CLIENTSTATE_FREED);
-		/*
-		 * We are trying to free the client.
-		 *
-		 * When "shuttingdown" is true, either the task has received
-		 * its shutdown event or no shutdown event has ever been
-		 * set up.  Thus, we have no outstanding shutdown
-		 * event at this point.
-		 */
-		REQUIRE(client->state == NS_CLIENTSTATE_INACTIVE);
-
-		INSIST(client->recursionquota == NULL);
-		INSIST(!ISC_QLINK_LINKED(client, ilink));
-
-		ns_query_free(client);
-		isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
-		isc_event_free((isc_event_t **)&client->sendevent);
-		isc_event_free((isc_event_t **)&client->recvevent);
-		isc_timer_detach(&client->timer);
-
-		if (client->tcpbuf != NULL)
-			isc_mem_put(client->mctx, client->tcpbuf,
-				    TCP_BUFFER_SIZE);
-		if (client->opt != NULL) {
-			INSIST(dns_rdataset_isassociated(client->opt));
-			dns_rdataset_disassociate(client->opt);
-			dns_message_puttemprdataset(client->message,
-						    &client->opt);
-		}
-
-		dns_message_destroy(&client->message);
-		if (manager != NULL) {
-			LOCK(&manager->listlock);
-			ISC_LIST_UNLINK(manager->clients, client, link);
-			LOCK(&manager->lock);
-			if (manager->exiting &&
-			    ISC_LIST_EMPTY(manager->clients))
-				destroy_manager = ISC_TRUE;
-			UNLOCK(&manager->lock);
-			UNLOCK(&manager->listlock);
-		}
-
-		/*
-		 * Detaching the task must be done after unlinking from
-		 * the manager's lists because the manager accesses
-		 * client->task.
-		 */
-		if (client->task != NULL)
-			isc_task_detach(&client->task);
-
-		CTRACE("free");
-		client->magic = 0;
-
-		/*
-		 * Check that there are no other external references to
-		 * the memory context.
-		 */
-		if (ns_g_clienttest && isc_mem_references(client->mctx) != 1) {
-			isc_mem_stats(client->mctx, stderr);
-			INSIST(0);
-		}
-		isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
-	}
-
-	if (destroy_manager && manager != NULL)
-		clientmgr_destroy(manager);
-
-	return (ISC_TRUE);
-}
-
-/*%
- * The client's task has received the client's control event
- * as part of the startup process.
- */
-static void
-client_start(isc_task_t *task, isc_event_t *event) {
-	ns_client_t *client = (ns_client_t *) event->ev_arg;
-
-	INSIST(task == client->task);
-
-	UNUSED(task);
-
-	INSIST(client->nctls == 1);
-	client->nctls--;
-
-	if (exit_check(client))
-		return;
-
-	if (TCP_CLIENT(client)) {
-		client_accept(client);
-	} else {
-		client_udprecv(client);
-	}
-}
-
-
-/*%
- * The client's task has received a shutdown event.
- */
-static void
-client_shutdown(isc_task_t *task, isc_event_t *event) {
-	ns_client_t *client;
-
-	REQUIRE(event != NULL);
-	REQUIRE(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
-	client = event->ev_arg;
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(task == client->task);
-
-	UNUSED(task);
-
-	CTRACE("shutdown");
-
-	isc_event_free(&event);
-
-	if (client->shutdown != NULL) {
-		(client->shutdown)(client->shutdown_arg, ISC_R_SHUTTINGDOWN);
-		client->shutdown = NULL;
-		client->shutdown_arg = NULL;
-	}
-
-	if (ISC_QLINK_LINKED(client, ilink))
-		ISC_QUEUE_UNLINK(client->manager->inactive, client, ilink);
-
-	client->newstate = NS_CLIENTSTATE_FREED;
-	client->needshutdown = ISC_FALSE;
-	(void)exit_check(client);
-}
-
-static void
-ns_client_endrequest(ns_client_t *client) {
-	INSIST(client->naccepts == 0);
-	INSIST(client->nreads == 0);
-	INSIST(client->nsends == 0);
-	INSIST(client->nrecvs == 0);
-	INSIST(client->nupdates == 0);
-	INSIST(client->state == NS_CLIENTSTATE_WORKING ||
-	       client->state == NS_CLIENTSTATE_RECURSING);
-
-	CTRACE("endrequest");
-
-	if (client->next != NULL) {
-		(client->next)(client);
-		client->next = NULL;
-	}
-
-	if (client->view != NULL)
-		dns_view_detach(&client->view);
-	if (client->opt != NULL) {
-		INSIST(dns_rdataset_isassociated(client->opt));
-		dns_rdataset_disassociate(client->opt);
-		dns_message_puttemprdataset(client->message, &client->opt);
-	}
-
-	client->signer = NULL;
-	client->udpsize = 512;
-	client->extflags = 0;
-	client->ednsversion = -1;
-	dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE);
-
-	if (client->recursionquota != NULL)
-		isc_quota_detach(&client->recursionquota);
-
-	/*
-	 * Clear all client attributes that are specific to
-	 * the request; that's all except the TCP flag.
-	 */
-	client->attributes &= NS_CLIENTATTR_TCP;
-}
-
-void
-ns_client_next(ns_client_t *client, isc_result_t result) {
-	int newstate;
-
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(client->state == NS_CLIENTSTATE_WORKING ||
-		client->state == NS_CLIENTSTATE_RECURSING ||
-		client->state == NS_CLIENTSTATE_READING);
-
-	CTRACE("next");
-
-	if (result != ISC_R_SUCCESS)
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-			      "request failed: %s", isc_result_totext(result));
-
-	/*
-	 * An error processing a TCP request may have left
-	 * the connection out of sync.  To be safe, we always
-	 * sever the connection when result != ISC_R_SUCCESS.
-	 */
-	if (result == ISC_R_SUCCESS && TCP_CLIENT(client))
-		newstate = NS_CLIENTSTATE_READING;
-	else
-		newstate = NS_CLIENTSTATE_READY;
-
-	if (client->newstate > newstate)
-		client->newstate = newstate;
-	(void)exit_check(client);
-}
-
-
-static void
-client_senddone(isc_task_t *task, isc_event_t *event) {
-	ns_client_t *client;
-	isc_socketevent_t *sevent = (isc_socketevent_t *) event;
-
-	REQUIRE(sevent != NULL);
-	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE);
-	client = sevent->ev_arg;
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(task == client->task);
-	REQUIRE(sevent == client->sendevent);
-
-	UNUSED(task);
-
-	CTRACE("senddone");
-
-	if (sevent->result != ISC_R_SUCCESS)
-		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
-			      "error sending response: %s",
-			      isc_result_totext(sevent->result));
-
-	INSIST(client->nsends > 0);
-	client->nsends--;
-
-	if (client->tcpbuf != NULL) {
-		INSIST(TCP_CLIENT(client));
-		isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
-		client->tcpbuf = NULL;
-	}
-
-	ns_client_next(client, ISC_R_SUCCESS);
-}
-
-/*%
- * We only want to fail with ISC_R_NOSPACE when called from
- * ns_client_sendraw() and not when called from ns_client_send(),
- * tcpbuffer is NULL when called from ns_client_sendraw() and
- * length != 0.  tcpbuffer != NULL when called from ns_client_send()
- * and length == 0.
- */
-
-static isc_result_t
-client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer,
-		    isc_buffer_t *tcpbuffer, isc_uint32_t length,
-		    unsigned char *sendbuf, unsigned char **datap)
-{
-	unsigned char *data;
-	isc_uint32_t bufsize;
-	isc_result_t result;
-
-	INSIST(datap != NULL);
-	INSIST((tcpbuffer == NULL && length != 0) ||
-	       (tcpbuffer != NULL && length == 0));
-
-	if (TCP_CLIENT(client)) {
-		INSIST(client->tcpbuf == NULL);
-		if (length + 2 > TCP_BUFFER_SIZE) {
-			result = ISC_R_NOSPACE;
-			goto done;
-		}
-		client->tcpbuf = isc_mem_get(client->mctx, TCP_BUFFER_SIZE);
-		if (client->tcpbuf == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto done;
-		}
-		data = client->tcpbuf;
-		if (tcpbuffer != NULL) {
-			isc_buffer_init(tcpbuffer, data, TCP_BUFFER_SIZE);
-			isc_buffer_init(buffer, data + 2, TCP_BUFFER_SIZE - 2);
-		} else {
-			isc_buffer_init(buffer, data, TCP_BUFFER_SIZE);
-			INSIST(length <= 0xffff);
-			isc_buffer_putuint16(buffer, (isc_uint16_t)length);
-		}
-	} else {
-		data = sendbuf;
-		if (client->udpsize < SEND_BUFFER_SIZE)
-			bufsize = client->udpsize;
-		else
-			bufsize = SEND_BUFFER_SIZE;
-		if (length > bufsize) {
-			result = ISC_R_NOSPACE;
-			goto done;
-		}
-		isc_buffer_init(buffer, data, bufsize);
-	}
-	*datap = data;
-	result = ISC_R_SUCCESS;
-
- done:
-	return (result);
-}
-
-static isc_result_t
-client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
-	struct in6_pktinfo *pktinfo;
-	isc_result_t result;
-	isc_region_t r;
-	isc_sockaddr_t *address;
-	isc_socket_t *socket;
-	isc_netaddr_t netaddr;
-	int match;
-	unsigned int sockflags = ISC_SOCKFLAG_IMMEDIATE;
-
-	if (TCP_CLIENT(client)) {
-		socket = client->tcpsocket;
-		address = NULL;
-	} else {
-		socket = client->udpsocket;
-		address = &client->peeraddr;
-
-		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-		if (ns_g_server->blackholeacl != NULL &&
-		    dns_acl_match(&netaddr, NULL,
-				  ns_g_server->blackholeacl,
-				  &ns_g_server->aclenv,
-				  &match, NULL) == ISC_R_SUCCESS &&
-		    match > 0)
-			return (DNS_R_BLACKHOLED);
-		sockflags |= ISC_SOCKFLAG_NORETRY;
-	}
-
-	if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0 &&
-	    (client->attributes & NS_CLIENTATTR_MULTICAST) == 0)
-		pktinfo = &client->pktinfo;
-	else
-		pktinfo = NULL;
-
-	isc_buffer_usedregion(buffer, &r);
-
-	CTRACE("sendto");
-
-	result = isc_socket_sendto2(socket, &r, client->task,
-				    address, pktinfo,
-				    client->sendevent, sockflags);
-	if (result == ISC_R_SUCCESS || result == ISC_R_INPROGRESS) {
-		client->nsends++;
-		if (result == ISC_R_SUCCESS)
-			client_senddone(client->task,
-					(isc_event_t *)client->sendevent);
-		result = ISC_R_SUCCESS;
-	}
-	return (result);
-}
-
-void
-ns_client_sendraw(ns_client_t *client, dns_message_t *message) {
-	isc_result_t result;
-	unsigned char *data;
-	isc_buffer_t buffer;
-	isc_region_t r;
-	isc_region_t *mr;
-	unsigned char sendbuf[SEND_BUFFER_SIZE];
-
-	REQUIRE(NS_CLIENT_VALID(client));
-
-	CTRACE("sendraw");
-
-	mr = dns_message_getrawmessage(message);
-	if (mr == NULL) {
-		result = ISC_R_UNEXPECTEDEND;
-		goto done;
-	}
-
-	result = client_allocsendbuf(client, &buffer, NULL, mr->length,
-				     sendbuf, &data);
-	if (result != ISC_R_SUCCESS)
-		goto done;
-
-	/*
-	 * Copy message to buffer and fixup id.
-	 */
-	isc_buffer_availableregion(&buffer, &r);
-	result = isc_buffer_copyregion(&buffer, mr);
-	if (result != ISC_R_SUCCESS)
-		goto done;
-	r.base[0] = (client->message->id >> 8) & 0xff;
-	r.base[1] = client->message->id & 0xff;
-
-	result = client_sendpkg(client, &buffer);
-	if (result == ISC_R_SUCCESS)
-		return;
-
- done:
-	if (client->tcpbuf != NULL) {
-		isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
-		client->tcpbuf = NULL;
-	}
-	ns_client_next(client, result);
-}
-
-void
-ns_client_send(ns_client_t *client) {
-	isc_result_t result;
-	unsigned char *data;
-	isc_buffer_t buffer;
-	isc_buffer_t tcpbuffer;
-	isc_region_t r;
-	dns_compress_t cctx;
-	isc_boolean_t cleanup_cctx = ISC_FALSE;
-	unsigned char sendbuf[SEND_BUFFER_SIZE];
-	unsigned int render_opts;
-	unsigned int preferred_glue;
-	isc_boolean_t opt_included = ISC_FALSE;
-
-	REQUIRE(NS_CLIENT_VALID(client));
-
-	CTRACE("send");
-
-	if ((client->attributes & NS_CLIENTATTR_RA) != 0)
-		client->message->flags |= DNS_MESSAGEFLAG_RA;
-
-	if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
-		render_opts = 0;
-	else
-		render_opts = DNS_MESSAGERENDER_OMITDNSSEC;
-
-	preferred_glue = 0;
-	if (client->view != NULL) {
-		if (client->view->preferred_glue == dns_rdatatype_a)
-			preferred_glue = DNS_MESSAGERENDER_PREFER_A;
-		else if (client->view->preferred_glue == dns_rdatatype_aaaa)
-			preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
-	}
-
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-	/*
-	 * filter-aaaa-on-v4 yes or break-dnssec option to suppress
-	 * AAAA records
-	 * We already know that request came via IPv4,
-	 * that we have both AAAA and A records,
-	 * and that we either have no signatures that the client wants
-	 * or we are supposed to break DNSSEC.
-	 *
-	 * Override preferred glue if necessary.
-	 */
-	if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0) {
-		render_opts |= DNS_MESSAGERENDER_FILTER_AAAA;
-		if (preferred_glue == DNS_MESSAGERENDER_PREFER_AAAA)
-			preferred_glue = DNS_MESSAGERENDER_PREFER_A;
-	}
-#endif
-
-	/*
-	 * XXXRTH  The following doesn't deal with TCP buffer resizing.
-	 */
-	result = client_allocsendbuf(client, &buffer, &tcpbuffer, 0,
-				     sendbuf, &data);
-	if (result != ISC_R_SUCCESS)
-		goto done;
-
-	result = dns_compress_init(&cctx, -1, client->mctx);
-	if (result != ISC_R_SUCCESS)
-		goto done;
-	cleanup_cctx = ISC_TRUE;
-
-	result = dns_message_renderbegin(client->message, &cctx, &buffer);
-	if (result != ISC_R_SUCCESS)
-		goto done;
-
-	if (client->opt != NULL) {
-		result = dns_message_setopt(client->message, client->opt);
-		opt_included = ISC_TRUE;
-		client->opt = NULL;
-		if (result != ISC_R_SUCCESS)
-			goto done;
-	}
-	result = dns_message_rendersection(client->message,
-					   DNS_SECTION_QUESTION, 0);
-	if (result == ISC_R_NOSPACE) {
-		client->message->flags |= DNS_MESSAGEFLAG_TC;
-		goto renderend;
-	}
-	if (result != ISC_R_SUCCESS)
-		goto done;
-	result = dns_message_rendersection(client->message,
-					   DNS_SECTION_ANSWER,
-					   DNS_MESSAGERENDER_PARTIAL |
-					   render_opts);
-	if (result == ISC_R_NOSPACE) {
-		client->message->flags |= DNS_MESSAGEFLAG_TC;
-		goto renderend;
-	}
-	if (result != ISC_R_SUCCESS)
-		goto done;
-	result = dns_message_rendersection(client->message,
-					   DNS_SECTION_AUTHORITY,
-					   DNS_MESSAGERENDER_PARTIAL |
-					   render_opts);
-	if (result == ISC_R_NOSPACE) {
-		client->message->flags |= DNS_MESSAGEFLAG_TC;
-		goto renderend;
-	}
-	if (result != ISC_R_SUCCESS)
-		goto done;
-	result = dns_message_rendersection(client->message,
-					   DNS_SECTION_ADDITIONAL,
-					   preferred_glue | render_opts);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
-		goto done;
- renderend:
-	result = dns_message_renderend(client->message);
-
-	if (result != ISC_R_SUCCESS)
-		goto done;
-
-	if (cleanup_cctx) {
-		dns_compress_invalidate(&cctx);
-		cleanup_cctx = ISC_FALSE;
-	}
-
-	if (TCP_CLIENT(client)) {
-		isc_buffer_usedregion(&buffer, &r);
-		isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t) r.length);
-		isc_buffer_add(&tcpbuffer, r.length);
-		result = client_sendpkg(client, &tcpbuffer);
-	} else
-		result = client_sendpkg(client, &buffer);
-
-	/* update statistics (XXXJT: is it okay to access message->xxxkey?) */
-	isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_response);
-	if (opt_included) {
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_edns0out);
-	}
-	if (client->message->tsigkey != NULL) {
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_tsigout);
-	}
-	if (client->message->sig0key != NULL) {
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_sig0out);
-	}
-	if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0)
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_truncatedresp);
-
-	if (result == ISC_R_SUCCESS)
-		return;
-
- done:
-	if (client->tcpbuf != NULL) {
-		isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
-		client->tcpbuf = NULL;
-	}
-
-	if (cleanup_cctx)
-		dns_compress_invalidate(&cctx);
-
-	ns_client_next(client, result);
-}
-
-#if NS_CLIENT_DROPPORT
-#define DROPPORT_NO		0
-#define DROPPORT_REQUEST	1
-#define DROPPORT_RESPONSE	2
-/*%
- * ns_client_dropport determines if certain requests / responses
- * should be dropped based on the port number.
- *
- * Returns:
- * \li	0:	Don't drop.
- * \li	1:	Drop request.
- * \li	2:	Drop (error) response.
- */
-static int
-ns_client_dropport(in_port_t port) {
-	switch (port) {
-	case 7: /* echo */
-	case 13: /* daytime */
-	case 19: /* chargen */
-	case 37: /* time */
-		return (DROPPORT_REQUEST);
-	case 464: /* kpasswd */
-		return (DROPPORT_RESPONSE);
-	}
-	return (DROPPORT_NO);
-}
-#endif
-
-void
-ns_client_error(ns_client_t *client, isc_result_t result) {
-	dns_rcode_t rcode;
-	dns_message_t *message;
-
-	REQUIRE(NS_CLIENT_VALID(client));
-
-	CTRACE("error");
-
-	message = client->message;
-	rcode = dns_result_torcode(result);
-
-#if NS_CLIENT_DROPPORT
-	/*
-	 * Don't send FORMERR to ports on the drop port list.
-	 */
-	if (rcode == dns_rcode_formerr &&
-	    ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) !=
-	    DROPPORT_NO) {
-		char buf[64];
-		isc_buffer_t b;
-
-		isc_buffer_init(&b, buf, sizeof(buf) - 1);
-		if (dns_rcode_totext(rcode, &b) != ISC_R_SUCCESS)
-			isc_buffer_putstr(&b, "UNKNOWN RCODE");
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
-			      "dropped error (%.*s) response: suspicious port",
-			      (int)isc_buffer_usedlength(&b), buf);
-		ns_client_next(client, ISC_R_SUCCESS);
-		return;
-	}
-#endif
-
-	/*
-	 * Message may be an in-progress reply that we had trouble
-	 * with, in which case QR will be set.  We need to clear QR before
-	 * calling dns_message_reply() to avoid triggering an assertion.
-	 */
-	message->flags &= ~DNS_MESSAGEFLAG_QR;
-	/*
-	 * AA and AD shouldn't be set.
-	 */
-	message->flags &= ~(DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_AD);
-	result = dns_message_reply(message, ISC_TRUE);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * It could be that we've got a query with a good header,
-		 * but a bad question section, so we try again with
-		 * want_question_section set to ISC_FALSE.
-		 */
-		result = dns_message_reply(message, ISC_FALSE);
-		if (result != ISC_R_SUCCESS) {
-			ns_client_next(client, result);
-			return;
-		}
-	}
-	message->rcode = rcode;
-
-	/*
-	 * FORMERR loop avoidance:  If we sent a FORMERR message
-	 * with the same ID to the same client less than two
-	 * seconds ago, assume that we are in an infinite error
-	 * packet dialog with a server for some protocol whose
-	 * error responses look enough like DNS queries to
-	 * elicit a FORMERR response.  Drop a packet to break
-	 * the loop.
-	 */
-	if (rcode == dns_rcode_formerr) {
-		if (isc_sockaddr_equal(&client->peeraddr,
-				       &client->formerrcache.addr) &&
-		    message->id == client->formerrcache.id &&
-		    client->requesttime - client->formerrcache.time < 2) {
-			/* Drop packet. */
-			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
-				      "possible error packet loop, "
-				      "FORMERR dropped");
-			ns_client_next(client, result);
-			return;
-		}
-		client->formerrcache.addr = client->peeraddr;
-		client->formerrcache.time = client->requesttime;
-		client->formerrcache.id = message->id;
-	}
-	ns_client_send(client);
-}
-
-static inline isc_result_t
-client_addopt(ns_client_t *client) {
-	dns_rdataset_t *rdataset;
-	dns_rdatalist_t *rdatalist;
-	dns_rdata_t *rdata;
-	isc_result_t result;
-	dns_view_t *view;
-	dns_resolver_t *resolver;
-	isc_uint16_t udpsize;
-
-	REQUIRE(client->opt == NULL);	/* XXXRTH free old. */
-
-	rdatalist = NULL;
-	result = dns_message_gettemprdatalist(client->message, &rdatalist);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	rdata = NULL;
-	result = dns_message_gettemprdata(client->message, &rdata);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	rdataset = NULL;
-	result = dns_message_gettemprdataset(client->message, &rdataset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdataset_init(rdataset);
-
-	rdatalist->type = dns_rdatatype_opt;
-	rdatalist->covers = 0;
-
-	/*
-	 * Set the maximum UDP buffer size.
-	 */
-	view = client->view;
-	resolver = (view != NULL) ? view->resolver : NULL;
-	if (resolver != NULL)
-		udpsize = dns_resolver_getudpsize(resolver);
-	else
-		udpsize = ns_g_udpsize;
-	rdatalist->rdclass = udpsize;
-
-	/*
-	 * Set EXTENDED-RCODE, VERSION and Z to 0.
-	 */
-	rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
-
-	/* Set EDNS options if applicable */
-	if (client->attributes & NS_CLIENTATTR_WANTNSID &&
-	    (ns_g_server->server_id != NULL ||
-	     ns_g_server->server_usehostname)) {
-		/*
-		 * Space required for NSID data:
-		 *   2 bytes for opt code
-		 * + 2 bytes for NSID length
-		 * + NSID itself
-		 */
-		char nsid[BUFSIZ], *nsidp;
-		isc_buffer_t *buffer = NULL;
-
-		if (ns_g_server->server_usehostname) {
-			isc_result_t result;
-			result = ns_os_gethostname(nsid, sizeof(nsid));
-			if (result != ISC_R_SUCCESS) {
-				goto no_nsid;
-			}
-			nsidp = nsid;
-		} else
-			nsidp = ns_g_server->server_id;
-
-		rdata->length = strlen(nsidp) + 4;
-		result = isc_buffer_allocate(client->mctx, &buffer,
-					     rdata->length);
-		if (result != ISC_R_SUCCESS)
-			goto no_nsid;
-
-		isc_buffer_putuint16(buffer, DNS_OPT_NSID);
-		isc_buffer_putuint16(buffer, strlen(nsidp));
-		isc_buffer_putstr(buffer, nsidp);
-		rdata->data = buffer->base;
-		dns_message_takebuffer(client->message, &buffer);
-	} else {
-no_nsid:
-		rdata->data = NULL;
-		rdata->length = 0;
-	}
-
-	rdata->rdclass = rdatalist->rdclass;
-	rdata->type = rdatalist->type;
-	rdata->flags = 0;
-
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
-		      == ISC_R_SUCCESS);
-
-	client->opt = rdataset;
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_boolean_t
-allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
-	int match;
-	isc_result_t result;
-
-	if (acl == NULL)
-		return (ISC_TRUE);
-	result = dns_acl_match(addr, signer, acl, &ns_g_server->aclenv,
-			       &match, NULL);
-	if (result == ISC_R_SUCCESS && match > 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-/*
- * Callback to see if a non-recursive query coming from 'srcaddr' to
- * 'destaddr', with optional key 'mykey' for class 'rdclass' would be
- * delivered to 'myview'.
- *
- * We run this unlocked as both the view list and the interface list
- * are updated when the appropriate task has exclusivity.
- */
-isc_boolean_t
-ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
-		 isc_sockaddr_t *srcaddr, isc_sockaddr_t *dstaddr,
-		 dns_rdataclass_t rdclass, void *arg)
-{
-	dns_view_t *view;
-	dns_tsigkey_t *key = NULL;
-	dns_name_t *tsig = NULL;
-	isc_netaddr_t netsrc;
-	isc_netaddr_t netdst;
-
-	UNUSED(arg);
-
-	/*
-	 * ns_g_server->interfacemgr is task exclusive locked.
-	 */
-	if (ns_g_server->interfacemgr == NULL)
-		return (ISC_TRUE);
-
-	if (!ns_interfacemgr_listeningon(ns_g_server->interfacemgr, dstaddr))
-		return (ISC_FALSE);
-
-	isc_netaddr_fromsockaddr(&netsrc, srcaddr);
-	isc_netaddr_fromsockaddr(&netdst, dstaddr);
-
-	for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-
-		if (view->matchrecursiveonly)
-			continue;
-
-		if (rdclass != view->rdclass)
-			continue;
-
-		if (mykey != NULL) {
-			isc_boolean_t match;
-			isc_result_t result;
-
-			result = dns_view_gettsig(view, &mykey->name, &key);
-			if (result != ISC_R_SUCCESS)
-				continue;
-			match = dst_key_compare(mykey->key, key->key);
-			dns_tsigkey_detach(&key);
-			if (!match)
-				continue;
-			tsig = dns_tsigkey_identity(mykey);
-		}
-
-		if (allowed(&netsrc, tsig, view->matchclients) &&
-		    allowed(&netdst, tsig, view->matchdestinations))
-			break;
-	}
-	return (ISC_TF(view == myview));
-}
-
-/*
- * Handle an incoming request event from the socket (UDP case)
- * or tcpmsg (TCP case).
- */
-static void
-client_request(isc_task_t *task, isc_event_t *event) {
-	ns_client_t *client;
-	isc_socketevent_t *sevent;
-	isc_result_t result;
-	isc_result_t sigresult = ISC_R_SUCCESS;
-	isc_buffer_t *buffer;
-	isc_buffer_t tbuffer;
-	dns_view_t *view;
-	dns_rdataset_t *opt;
-	dns_name_t *signame;
-	isc_boolean_t ra;	/* Recursion available. */
-	isc_netaddr_t netaddr;
-	int match;
-	dns_messageid_t id;
-	unsigned int flags;
-	isc_boolean_t notimp;
-	dns_rdata_t rdata;
-	isc_uint16_t optcode;
-
-	REQUIRE(event != NULL);
-	client = event->ev_arg;
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(task == client->task);
-
-	INSIST(client->recursionquota == NULL);
-
-	INSIST(client->state == (TCP_CLIENT(client) ?
-				       NS_CLIENTSTATE_READING :
-				       NS_CLIENTSTATE_READY));
-
-	ns_client_requests++;
-
-	if (event->ev_type == ISC_SOCKEVENT_RECVDONE) {
-		INSIST(!TCP_CLIENT(client));
-		sevent = (isc_socketevent_t *)event;
-		REQUIRE(sevent == client->recvevent);
-		isc_buffer_init(&tbuffer, sevent->region.base, sevent->n);
-		isc_buffer_add(&tbuffer, sevent->n);
-		buffer = &tbuffer;
-		result = sevent->result;
-		if (result == ISC_R_SUCCESS) {
-			client->peeraddr = sevent->address;
-			client->peeraddr_valid = ISC_TRUE;
-		}
-		if ((sevent->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
-			client->attributes |= NS_CLIENTATTR_PKTINFO;
-			client->pktinfo = sevent->pktinfo;
-		}
-		if ((sevent->attributes & ISC_SOCKEVENTATTR_MULTICAST) != 0)
-			client->attributes |= NS_CLIENTATTR_MULTICAST;
-		client->nrecvs--;
-	} else {
-		INSIST(TCP_CLIENT(client));
-		REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
-		REQUIRE(event->ev_sender == &client->tcpmsg);
-		buffer = &client->tcpmsg.buffer;
-		result = client->tcpmsg.result;
-		INSIST(client->nreads == 1);
-		/*
-		 * client->peeraddr was set when the connection was accepted.
-		 */
-		client->nreads--;
-	}
-
-	if (exit_check(client))
-		goto cleanup;
-	client->state = client->newstate = NS_CLIENTSTATE_WORKING;
-
-	isc_task_getcurrenttime(task, &client->requesttime);
-	client->now = client->requesttime;
-
-	if (result != ISC_R_SUCCESS) {
-		if (TCP_CLIENT(client)) {
-			ns_client_next(client, result);
-		} else {
-			if  (result != ISC_R_CANCELED)
-				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT,
-					      NS_LOGMODULE_CLIENT,
-					      ISC_LOG_ERROR,
-					      "UDP client handler shutting "
-					      "down due to fatal receive "
-					      "error: %s",
-					      isc_result_totext(result));
-			isc_task_shutdown(client->task);
-		}
-		goto cleanup;
-	}
-
-	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
-#if NS_CLIENT_DROPPORT
-	if (ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) ==
-	    DROPPORT_REQUEST) {
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
-			      "dropped request: suspicious port");
-		ns_client_next(client, ISC_R_SUCCESS);
-		goto cleanup;
-	}
-#endif
-
-	ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-		      "%s request",
-		      TCP_CLIENT(client) ? "TCP" : "UDP");
-
-	/*
-	 * Check the blackhole ACL for UDP only, since TCP is done in
-	 * client_newconn.
-	 */
-	if (!TCP_CLIENT(client)) {
-
-		if (ns_g_server->blackholeacl != NULL &&
-		    dns_acl_match(&netaddr, NULL, ns_g_server->blackholeacl,
-				  &ns_g_server->aclenv,
-				  &match, NULL) == ISC_R_SUCCESS &&
-		    match > 0)
-		{
-			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
-				      "blackholed UDP datagram");
-			ns_client_next(client, ISC_R_SUCCESS);
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * Silently drop multicast requests for the present.
-	 * XXXMPA revisit this as mDNS spec was published.
-	 */
-	if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) {
-		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
-			      "dropping multicast request");
-		ns_client_next(client, DNS_R_REFUSED);
-		goto cleanup;
-	}
-
-	result = dns_message_peekheader(buffer, &id, &flags);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * There isn't enough header to determine whether
-		 * this was a request or a response.  Drop it.
-		 */
-		ns_client_next(client, result);
-		goto cleanup;
-	}
-
-	/*
-	 * The client object handles requests, not responses.
-	 * If this is a UDP response, forward it to the dispatcher.
-	 * If it's a TCP response, discard it here.
-	 */
-	if ((flags & DNS_MESSAGEFLAG_QR) != 0) {
-		if (TCP_CLIENT(client)) {
-			CTRACE("unexpected response");
-			ns_client_next(client, DNS_R_FORMERR);
-			goto cleanup;
-		} else {
-			dns_dispatch_importrecv(client->dispatch, event);
-			ns_client_next(client, ISC_R_SUCCESS);
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * Update some statistics counters.  Don't count responses.
-	 */
-	if (isc_sockaddr_pf(&client->peeraddr) == PF_INET) {
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_requestv4);
-	} else {
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_requestv6);
-	}
-	if (TCP_CLIENT(client))
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_tcp);
-
-	/*
-	 * It's a request.  Parse it.
-	 */
-	result = dns_message_parse(client->message, buffer, 0);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * Parsing the request failed.  Send a response
-		 * (typically FORMERR or SERVFAIL).
-		 */
-		ns_client_error(client, result);
-		goto cleanup;
-	}
-
-	dns_opcodestats_increment(ns_g_server->opcodestats,
-				  client->message->opcode);
-	switch (client->message->opcode) {
-	case dns_opcode_query:
-	case dns_opcode_update:
-	case dns_opcode_notify:
-		notimp = ISC_FALSE;
-		break;
-	case dns_opcode_iquery:
-	default:
-		notimp = ISC_TRUE;
-		break;
-	}
-
-	client->message->rcode = dns_rcode_noerror;
-
-	/* RFC1123 section 6.1.3.2 */
-	if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0)
-		client->message->flags &= ~DNS_MESSAGEFLAG_RD;
-
-	/*
-	 * Deal with EDNS.
-	 */
-	opt = dns_message_getopt(client->message);
-	if (opt != NULL) {
-		/*
-		 * Set the client's UDP buffer size.
-		 */
-		client->udpsize = opt->rdclass;
-
-		/*
-		 * If the requested UDP buffer size is less than 512,
-		 * ignore it and use 512.
-		 */
-		if (client->udpsize < 512)
-			client->udpsize = 512;
-
-		/*
-		 * Get the flags out of the OPT record.
-		 */
-		client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF);
-
-		/*
-		 * Do we understand this version of EDNS?
-		 *
-		 * XXXRTH need library support for this!
-		 */
-		client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
-		if (client->ednsversion > 0) {
-			isc_stats_increment(ns_g_server->nsstats,
-					    dns_nsstatscounter_badednsver);
-			result = client_addopt(client);
-			if (result == ISC_R_SUCCESS)
-				result = DNS_R_BADVERS;
-			ns_client_error(client, result);
-			goto cleanup;
-		}
-
-		/* Check for NSID request */
-		result = dns_rdataset_first(opt);
-		if (result == ISC_R_SUCCESS) {
-			dns_rdata_init(&rdata);
-			dns_rdataset_current(opt, &rdata);
-			if (rdata.length >= 2) {
-				isc_buffer_t nsidbuf;
-				isc_buffer_init(&nsidbuf,
-						rdata.data, rdata.length);
-				isc_buffer_add(&nsidbuf, rdata.length);
-				optcode = isc_buffer_getuint16(&nsidbuf);
-				if (optcode == DNS_OPT_NSID)
-					client->attributes |=
-						NS_CLIENTATTR_WANTNSID;
-			}
-		}
-
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_edns0in);
-
-		/*
-		 * Create an OPT for our reply.
-		 */
-		result = client_addopt(client);
-		if (result != ISC_R_SUCCESS) {
-			ns_client_error(client, result);
-			goto cleanup;
-		}
-	}
-
-	if (client->message->rdclass == 0) {
-		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
-			      "message class could not be determined");
-		ns_client_dumpmessage(client,
-				      "message class could not be determined");
-		ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_FORMERR);
-		goto cleanup;
-	}
-
-	/*
-	 * Determine the destination address.  If the receiving interface is
-	 * bound to a specific address, we simply use it regardless of the
-	 * address family.  All IPv4 queries should fall into this case.
-	 * Otherwise, if this is a TCP query, get the address from the
-	 * receiving socket (this needs a system call and can be heavy).
-	 * For IPv6 UDP queries, we get this from the pktinfo structure (if
-	 * supported).
-	 * If all the attempts fail (this can happen due to memory shortage,
-	 * etc), we regard this as an error for safety.
-	 */
-	if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0)
-		isc_netaddr_fromsockaddr(&client->destaddr,
-					 &client->interface->addr);
-	else {
-		isc_sockaddr_t sockaddr;
-		result = ISC_R_FAILURE;
-
-		if (TCP_CLIENT(client))
-			result = isc_socket_getsockname(client->tcpsocket,
-							&sockaddr);
-		if (result == ISC_R_SUCCESS)
-			isc_netaddr_fromsockaddr(&client->destaddr, &sockaddr);
-		if (result != ISC_R_SUCCESS &&
-		    client->interface->addr.type.sa.sa_family == AF_INET6 &&
-		    (client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {
-			/*
-			 * XXXJT technically, we should convert the receiving
-			 * interface ID to a proper scope zone ID.  However,
-			 * due to the fact there is no standard API for this,
-			 * we only handle link-local addresses and use the
-			 * interface index as link ID.  Despite the assumption,
-			 * it should cover most typical cases.
-			 */
-			isc_netaddr_fromin6(&client->destaddr,
-					    &client->pktinfo.ipi6_addr);
-			if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
-				isc_netaddr_setzone(&client->destaddr,
-						client->pktinfo.ipi6_ifindex);
-			result = ISC_R_SUCCESS;
-		}
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "failed to get request's "
-					 "destination: %s",
-					 isc_result_totext(result));
-			ns_client_next(client, ISC_R_SUCCESS);
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * Find a view that matches the client's source address.
-	 */
-	for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-		if (client->message->rdclass == view->rdclass ||
-		    client->message->rdclass == dns_rdataclass_any)
-		{
-			dns_name_t *tsig = NULL;
-
-			sigresult = dns_message_rechecksig(client->message,
-							   view);
-			if (sigresult == ISC_R_SUCCESS)
-				tsig = dns_tsigkey_identity(client->message->tsigkey);
-
-			if (allowed(&netaddr, tsig, view->matchclients) &&
-			    allowed(&client->destaddr, tsig,
-				    view->matchdestinations) &&
-			    !((client->message->flags & DNS_MESSAGEFLAG_RD)
-			      == 0 && view->matchrecursiveonly))
-			{
-				dns_view_attach(view, &client->view);
-				break;
-			}
-		}
-	}
-
-	if (view == NULL) {
-		char classname[DNS_RDATACLASS_FORMATSIZE];
-
-		/*
-		 * Do a dummy TSIG verification attempt so that the
-		 * response will have a TSIG if the query did, as
-		 * required by RFC2845.
-		 */
-		isc_buffer_t b;
-		isc_region_t *r;
-
-		dns_message_resetsig(client->message);
-
-		r = dns_message_getrawmessage(client->message);
-		isc_buffer_init(&b, r->base, r->length);
-		isc_buffer_add(&b, r->length);
-		(void)dns_tsig_verify(&b, client->message, NULL, NULL);
-
-		dns_rdataclass_format(client->message->rdclass, classname,
-				      sizeof(classname));
-		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
-			      "no matching view in class '%s'", classname);
-		ns_client_dumpmessage(client, "no matching view in class");
-		ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_REFUSED);
-		goto cleanup;
-	}
-
-	ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(5),
-		      "using view '%s'", view->name);
-
-	/*
-	 * Check for a signature.  We log bad signatures regardless of
-	 * whether they ultimately cause the request to be rejected or
-	 * not.  We do not log the lack of a signature unless we are
-	 * debugging.
-	 */
-	client->signer = NULL;
-	dns_name_init(&client->signername, NULL);
-	result = dns_message_signer(client->message, &client->signername);
-	if (result != ISC_R_NOTFOUND) {
-		signame = NULL;
-		if (dns_message_gettsig(client->message, &signame) != NULL) {
-			isc_stats_increment(ns_g_server->nsstats,
-					    dns_nsstatscounter_tsigin);
-		} else {
-			isc_stats_increment(ns_g_server->nsstats,
-					    dns_nsstatscounter_sig0in);
-		}
-
-	}
-	if (result == ISC_R_SUCCESS) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		dns_name_format(&client->signername, namebuf, sizeof(namebuf));
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-			      "request has valid signature: %s", namebuf);
-		client->signer = &client->signername;
-	} else if (result == ISC_R_NOTFOUND) {
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-			      "request is not signed");
-	} else if (result == DNS_R_NOIDENTITY) {
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-			      "request is signed by a nonauthoritative key");
-	} else {
-		char tsigrcode[64];
-		isc_buffer_t b;
-		dns_rcode_t status;
-		isc_result_t tresult;
-
-		/* There is a signature, but it is bad. */
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_invalidsig);
-		signame = NULL;
-		if (dns_message_gettsig(client->message, &signame) != NULL) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-			char cnamebuf[DNS_NAME_FORMATSIZE];
-			dns_name_format(signame, namebuf, sizeof(namebuf));
-			status = client->message->tsigstatus;
-			isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
-			tresult = dns_tsigrcode_totext(status, &b);
-			INSIST(tresult == ISC_R_SUCCESS);
-			tsigrcode[isc_buffer_usedlength(&b)] = '\0';
-			if (client->message->tsigkey->generated) {
-				dns_name_format(client->message->tsigkey->creator,
-						cnamebuf, sizeof(cnamebuf));
-				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-					      NS_LOGMODULE_CLIENT,
-					      ISC_LOG_ERROR,
-					      "request has invalid signature: "
-					      "TSIG %s (%s): %s (%s)", namebuf,
-					      cnamebuf,
-					      isc_result_totext(result),
-					      tsigrcode);
-			} else {
-				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-					      NS_LOGMODULE_CLIENT,
-					      ISC_LOG_ERROR,
-					      "request has invalid signature: "
-					      "TSIG %s: %s (%s)", namebuf,
-					      isc_result_totext(result),
-					      tsigrcode);
-			}
-		} else {
-			status = client->message->sig0status;
-			isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
-			tresult = dns_tsigrcode_totext(status, &b);
-			INSIST(tresult == ISC_R_SUCCESS);
-			tsigrcode[isc_buffer_usedlength(&b)] = '\0';
-			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
-				      "request has invalid signature: %s (%s)",
-				      isc_result_totext(result), tsigrcode);
-		}
-		/*
-		 * Accept update messages signed by unknown keys so that
-		 * update forwarding works transparently through slaves
-		 * that don't have all the same keys as the master.
-		 */
-		if (!(client->message->tsigstatus == dns_tsigerror_badkey &&
-		      client->message->opcode == dns_opcode_update)) {
-			ns_client_error(client, sigresult);
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * Decide whether recursive service is available to this client.
-	 * We do this here rather than in the query code so that we can
-	 * set the RA bit correctly on all kinds of responses, not just
-	 * responses to ordinary queries.  Note if you can't query the
-	 * cache there is no point in setting RA.
-	 */
-	ra = ISC_FALSE;
-	if (client->view->resolver != NULL &&
-	    client->view->recursion == ISC_TRUE &&
-	    ns_client_checkaclsilent(client, NULL,
-				     client->view->recursionacl,
-				     ISC_TRUE) == ISC_R_SUCCESS &&
-	    ns_client_checkaclsilent(client, NULL,
-				     client->view->cacheacl,
-				     ISC_TRUE) == ISC_R_SUCCESS &&
-	    ns_client_checkaclsilent(client, &client->destaddr,
-				     client->view->recursiononacl,
-				     ISC_TRUE) == ISC_R_SUCCESS &&
-	    ns_client_checkaclsilent(client, &client->destaddr,
-				     client->view->cacheonacl,
-				     ISC_TRUE) == ISC_R_SUCCESS)
-		ra = ISC_TRUE;
-
-	if (ra == ISC_TRUE)
-		client->attributes |= NS_CLIENTATTR_RA;
-
-	ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
-		      ISC_LOG_DEBUG(3), ra ? "recursion available" :
-					     "recursion not available");
-
-	/*
-	 * Adjust maximum UDP response size for this client.
-	 */
-	if (client->udpsize > 512) {
-		dns_peer_t *peer = NULL;
-		isc_uint16_t udpsize = view->maxudp;
-		(void) dns_peerlist_peerbyaddr(view->peers, &netaddr, &peer);
-		if (peer != NULL)
-			dns_peer_getmaxudp(peer, &udpsize);
-		if (client->udpsize > udpsize)
-			client->udpsize = udpsize;
-	}
-
-	/*
-	 * Dispatch the request.
-	 */
-	switch (client->message->opcode) {
-	case dns_opcode_query:
-		CTRACE("query");
-		ns_query_start(client);
-		break;
-	case dns_opcode_update:
-		CTRACE("update");
-		ns_client_settimeout(client, 60);
-		ns_update_start(client, sigresult);
-		break;
-	case dns_opcode_notify:
-		CTRACE("notify");
-		ns_client_settimeout(client, 60);
-		ns_notify_start(client);
-		break;
-	case dns_opcode_iquery:
-		CTRACE("iquery");
-		ns_client_error(client, DNS_R_NOTIMP);
-		break;
-	default:
-		CTRACE("unknown opcode");
-		ns_client_error(client, DNS_R_NOTIMP);
-	}
-
- cleanup:
-	return;
-}
-
-static void
-client_timeout(isc_task_t *task, isc_event_t *event) {
-	ns_client_t *client;
-
-	REQUIRE(event != NULL);
-	REQUIRE(event->ev_type == ISC_TIMEREVENT_LIFE ||
-		event->ev_type == ISC_TIMEREVENT_IDLE);
-	client = event->ev_arg;
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(task == client->task);
-	REQUIRE(client->timer != NULL);
-
-	UNUSED(task);
-
-	CTRACE("timeout");
-
-	isc_event_free(&event);
-
-	if (client->shutdown != NULL) {
-		(client->shutdown)(client->shutdown_arg, ISC_R_TIMEDOUT);
-		client->shutdown = NULL;
-		client->shutdown_arg = NULL;
-	}
-
-	if (client->newstate > NS_CLIENTSTATE_READY)
-		client->newstate = NS_CLIENTSTATE_READY;
-	(void)exit_check(client);
-}
-
-static isc_result_t
-get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
-	isc_mem_t *clientmctx;
-	isc_result_t result;
-#if NMCTXS > 0
-	unsigned int nextmctx;
-#endif
-
-	MTRACE("clientmctx");
-
-	/*
-	 * Caller must be holding the manager lock.
-	 */
-	if (ns_g_clienttest) {
-		result = isc_mem_create(0, 0, mctxp);
-		if (result == ISC_R_SUCCESS)
-			isc_mem_setname(*mctxp, "client", NULL);
-		return (result);
-	}
-#if NMCTXS > 0
-	nextmctx = manager->nextmctx++;
-	if (manager->nextmctx == NMCTXS)
-		manager->nextmctx = 0;
-
-	INSIST(nextmctx < NMCTXS);
-
-	clientmctx = manager->mctxpool[nextmctx];
-	if (clientmctx == NULL) {
-		result = isc_mem_create(0, 0, &clientmctx);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		isc_mem_setname(clientmctx, "client", NULL);
-
-		manager->mctxpool[nextmctx] = clientmctx;
-	}
-#else
-	clientmctx = manager->mctx;
-#endif
-
-	isc_mem_attach(clientmctx, mctxp);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
-	ns_client_t *client;
-	isc_result_t result;
-	isc_mem_t *mctx = NULL;
-
-	/*
-	 * Caller must be holding the manager lock.
-	 *
-	 * Note: creating a client does not add the client to the
-	 * manager's client list or set the client's manager pointer.
-	 * The caller is responsible for that.
-	 */
-
-	REQUIRE(clientp != NULL && *clientp == NULL);
-
-	result = get_clientmctx(manager, &mctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	client = isc_mem_get(mctx, sizeof(*client));
-	if (client == NULL) {
-		isc_mem_detach(&mctx);
-		return (ISC_R_NOMEMORY);
-	}
-	client->mctx = mctx;
-
-	client->task = NULL;
-	result = isc_task_create(manager->taskmgr, 0, &client->task);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_client;
-	isc_task_setname(client->task, "client", client);
-
-	client->timer = NULL;
-	result = isc_timer_create(manager->timermgr, isc_timertype_inactive,
-				  NULL, NULL, client->task, client_timeout,
-				  client, &client->timer);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_task;
-	client->timerset = ISC_FALSE;
-
-	client->message = NULL;
-	result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
-				    &client->message);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_timer;
-
-	/* XXXRTH  Hardwired constants */
-
-	client->sendevent = (isc_socketevent_t *)
-			    isc_event_allocate(client->mctx, client,
-					       ISC_SOCKEVENT_SENDDONE,
-					       client_senddone, client,
-					       sizeof(isc_socketevent_t));
-	if (client->sendevent == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_message;
-	}
-
-	client->recvbuf = isc_mem_get(client->mctx, RECV_BUFFER_SIZE);
-	if  (client->recvbuf == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_sendevent;
-	}
-
-	client->recvevent = (isc_socketevent_t *)
-			    isc_event_allocate(client->mctx, client,
-					       ISC_SOCKEVENT_RECVDONE,
-					       client_request, client,
-					       sizeof(isc_socketevent_t));
-	if (client->recvevent == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_recvbuf;
-	}
-
-	client->magic = NS_CLIENT_MAGIC;
-	client->manager = NULL;
-	client->state = NS_CLIENTSTATE_INACTIVE;
-	client->newstate = NS_CLIENTSTATE_MAX;
-	client->naccepts = 0;
-	client->nreads = 0;
-	client->nsends = 0;
-	client->nrecvs = 0;
-	client->nupdates = 0;
-	client->nctls = 0;
-	client->references = 0;
-	client->attributes = 0;
-	client->view = NULL;
-	client->dispatch = NULL;
-	client->udpsocket = NULL;
-	client->tcplistener = NULL;
-	client->tcpsocket = NULL;
-	client->tcpmsg_valid = ISC_FALSE;
-	client->tcpbuf = NULL;
-	client->opt = NULL;
-	client->udpsize = 512;
-	client->extflags = 0;
-	client->ednsversion = -1;
-	client->next = NULL;
-	client->shutdown = NULL;
-	client->shutdown_arg = NULL;
-	client->signer = NULL;
-	dns_name_init(&client->signername, NULL);
-	client->mortal = ISC_FALSE;
-	client->tcpquota = NULL;
-	client->recursionquota = NULL;
-	client->interface = NULL;
-	client->peeraddr_valid = ISC_FALSE;
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-	client->filter_aaaa = dns_v4_aaaa_ok;
-#endif
-	client->needshutdown = ns_g_clienttest;
-
-	ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
-		       NS_EVENT_CLIENTCONTROL, client_start, client, client,
-		       NULL, NULL);
-	/*
-	 * Initialize FORMERR cache to sentinel value that will not match
-	 * any actual FORMERR response.
-	 */
-	isc_sockaddr_any(&client->formerrcache.addr);
-	client->formerrcache.time = 0;
-	client->formerrcache.id = 0;
-	ISC_LINK_INIT(client, link);
-	ISC_LINK_INIT(client, rlink);
-	ISC_QLINK_INIT(client, ilink);
-
-	/*
-	 * We call the init routines for the various kinds of client here,
-	 * after we have created an otherwise valid client, because some
-	 * of them call routines that REQUIRE(NS_CLIENT_VALID(client)).
-	 */
-	result = ns_query_init(client);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_recvevent;
-
-	result = isc_task_onshutdown(client->task, client_shutdown, client);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_query;
-
-	CTRACE("create");
-
-	*clientp = client;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_query:
-	ns_query_free(client);
-
- cleanup_recvevent:
-	isc_event_free((isc_event_t **)&client->recvevent);
-
- cleanup_recvbuf:
-	isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
-
- cleanup_sendevent:
-	isc_event_free((isc_event_t **)&client->sendevent);
-
-	client->magic = 0;
-
- cleanup_message:
-	dns_message_destroy(&client->message);
-
- cleanup_timer:
-	isc_timer_detach(&client->timer);
-
- cleanup_task:
-	isc_task_detach(&client->task);
-
- cleanup_client:
-	isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
-
-	return (result);
-}
-
-static void
-client_read(ns_client_t *client) {
-	isc_result_t result;
-
-	CTRACE("read");
-
-	result = dns_tcpmsg_readmessage(&client->tcpmsg, client->task,
-					client_request, client);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	/*
-	 * Set a timeout to limit the amount of time we will wait
-	 * for a request on this TCP connection.
-	 */
-	ns_client_settimeout(client, 30);
-
-	client->state = client->newstate = NS_CLIENTSTATE_READING;
-	INSIST(client->nreads == 0);
-	INSIST(client->recursionquota == NULL);
-	client->nreads++;
-
-	return;
- fail:
-	ns_client_next(client, result);
-}
-
-static void
-client_newconn(isc_task_t *task, isc_event_t *event) {
-	ns_client_t *client = event->ev_arg;
-	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
-	isc_result_t result;
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(client->task == task);
-
-	UNUSED(task);
-
-	INSIST(client->state == NS_CLIENTSTATE_READY);
-
-	INSIST(client->naccepts == 1);
-	client->naccepts--;
-
-	LOCK(&client->interface->lock);
-	INSIST(client->interface->ntcpcurrent > 0);
-	client->interface->ntcpcurrent--;
-	UNLOCK(&client->interface->lock);
-
-	/*
-	 * We must take ownership of the new socket before the exit
-	 * check to make sure it gets destroyed if we decide to exit.
-	 */
-	if (nevent->result == ISC_R_SUCCESS) {
-		client->tcpsocket = nevent->newsocket;
-		isc_socket_setname(client->tcpsocket, "client-tcp", NULL);
-		client->state = NS_CLIENTSTATE_READING;
-		INSIST(client->recursionquota == NULL);
-
-		(void)isc_socket_getpeername(client->tcpsocket,
-					     &client->peeraddr);
-		client->peeraddr_valid = ISC_TRUE;
-		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-			   NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-			   "new TCP connection");
-	} else {
-		/*
-		 * XXXRTH  What should we do?  We're trying to accept but
-		 *	   it didn't work.  If we just give up, then TCP
-		 *	   service may eventually stop.
-		 *
-		 *	   For now, we just go idle.
-		 *
-		 *	   Going idle is probably the right thing if the
-		 *	   I/O was canceled.
-		 */
-		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-			      "accept failed: %s",
-			      isc_result_totext(nevent->result));
-	}
-
-	if (exit_check(client))
-		goto freeevent;
-
-	if (nevent->result == ISC_R_SUCCESS) {
-		int match;
-		isc_netaddr_t netaddr;
-
-		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
-		if (ns_g_server->blackholeacl != NULL &&
-		    dns_acl_match(&netaddr, NULL,
-				  ns_g_server->blackholeacl,
-				  &ns_g_server->aclenv,
-				  &match, NULL) == ISC_R_SUCCESS &&
-		    match > 0)
-		{
-			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
-				      "blackholed connection attempt");
-			client->newstate = NS_CLIENTSTATE_READY;
-			(void)exit_check(client);
-			goto freeevent;
-		}
-
-		INSIST(client->tcpmsg_valid == ISC_FALSE);
-		dns_tcpmsg_init(client->mctx, client->tcpsocket,
-				&client->tcpmsg);
-		client->tcpmsg_valid = ISC_TRUE;
-
-		/*
-		 * Let a new client take our place immediately, before
-		 * we wait for a request packet.  If we don't,
-		 * telnetting to port 53 (once per CPU) will
-		 * deny service to legitimate TCP clients.
-		 */
-		result = isc_quota_attach(&ns_g_server->tcpquota,
-					  &client->tcpquota);
-		if (result == ISC_R_SUCCESS)
-			result = ns_client_replace(client);
-		if (result != ISC_R_SUCCESS) {
-			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
-				      "no more TCP clients: %s",
-				      isc_result_totext(result));
-		}
-
-		client_read(client);
-	}
-
- freeevent:
-	isc_event_free(&event);
-}
-
-static void
-client_accept(ns_client_t *client) {
-	isc_result_t result;
-
-	CTRACE("accept");
-
-	result = isc_socket_accept(client->tcplistener, client->task,
-				   client_newconn, client);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_socket_accept() failed: %s",
-				 isc_result_totext(result));
-		/*
-		 * XXXRTH  What should we do?  We're trying to accept but
-		 *	   it didn't work.  If we just give up, then TCP
-		 *	   service may eventually stop.
-		 *
-		 *	   For now, we just go idle.
-		 */
-		return;
-	}
-	INSIST(client->naccepts == 0);
-	client->naccepts++;
-	LOCK(&client->interface->lock);
-	client->interface->ntcpcurrent++;
-	UNLOCK(&client->interface->lock);
-}
-
-static void
-client_udprecv(ns_client_t *client) {
-	isc_result_t result;
-	isc_region_t r;
-
-	CTRACE("udprecv");
-
-	r.base = client->recvbuf;
-	r.length = RECV_BUFFER_SIZE;
-	result = isc_socket_recv2(client->udpsocket, &r, 1,
-				  client->task, client->recvevent, 0);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_socket_recv2() failed: %s",
-				 isc_result_totext(result));
-		/*
-		 * This cannot happen in the current implementation, since
-		 * isc_socket_recv2() cannot fail if flags == 0.
-		 *
-		 * If this does fail, we just go idle.
-		 */
-		return;
-	}
-	INSIST(client->nrecvs == 0);
-	client->nrecvs++;
-}
-
-void
-ns_client_attach(ns_client_t *source, ns_client_t **targetp) {
-	REQUIRE(NS_CLIENT_VALID(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	source->references++;
-	ns_client_log(source, NS_LOGCATEGORY_CLIENT,
-		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
-		      "ns_client_attach: ref = %d", source->references);
-	*targetp = source;
-}
-
-void
-ns_client_detach(ns_client_t **clientp) {
-	ns_client_t *client = *clientp;
-
-	client->references--;
-	INSIST(client->references >= 0);
-	*clientp = NULL;
-	ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
-		      "ns_client_detach: ref = %d", client->references);
-	(void)exit_check(client);
-}
-
-isc_boolean_t
-ns_client_shuttingdown(ns_client_t *client) {
-	return (ISC_TF(client->newstate == NS_CLIENTSTATE_FREED));
-}
-
-isc_result_t
-ns_client_replace(ns_client_t *client) {
-	isc_result_t result;
-
-	CTRACE("replace");
-
-	REQUIRE(client != NULL);
-	REQUIRE(client->manager != NULL);
-
-	result = get_client(client->manager, client->interface,
-			    client->dispatch, TCP_CLIENT(client));
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * The responsibility for listening for new requests is hereby
-	 * transferred to the new client.  Therefore, the old client
-	 * should refrain from listening for any more requests.
-	 */
-	client->mortal = ISC_TRUE;
-
-	return (ISC_R_SUCCESS);
-}
-
-/***
- *** Client Manager
- ***/
-
-static void
-clientmgr_destroy(ns_clientmgr_t *manager) {
-#if NMCTXS > 0
-	int i;
-#endif
-
-	REQUIRE(ISC_LIST_EMPTY(manager->clients));
-
-	MTRACE("clientmgr_destroy");
-
-#if NMCTXS > 0
-	for (i = 0; i < NMCTXS; i++) {
-		if (manager->mctxpool[i] != NULL)
-			isc_mem_detach(&manager->mctxpool[i]);
-	}
-#endif
-
-	ISC_QUEUE_DESTROY(manager->inactive);
-	DESTROYLOCK(&manager->lock);
-	DESTROYLOCK(&manager->listlock);
-	DESTROYLOCK(&manager->reclock);
-	manager->magic = 0;
-	isc_mem_put(manager->mctx, manager, sizeof(*manager));
-}
-
-isc_result_t
-ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
-		    isc_timermgr_t *timermgr, ns_clientmgr_t **managerp)
-{
-	ns_clientmgr_t *manager;
-	isc_result_t result;
-#if NMCTXS > 0
-	int i;
-#endif
-
-	manager = isc_mem_get(mctx, sizeof(*manager));
-	if (manager == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&manager->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_manager;
-
-	result = isc_mutex_init(&manager->listlock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-
-	result = isc_mutex_init(&manager->reclock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_listlock;
-
-	manager->mctx = mctx;
-	manager->taskmgr = taskmgr;
-	manager->timermgr = timermgr;
-	manager->exiting = ISC_FALSE;
-	ISC_LIST_INIT(manager->clients);
-	ISC_LIST_INIT(manager->recursing);
-	ISC_QUEUE_INIT(manager->inactive, ilink);
-#if NMCTXS > 0
-	manager->nextmctx = 0;
-	for (i = 0; i < NMCTXS; i++)
-		manager->mctxpool[i] = NULL; /* will be created on-demand */
-#endif
-	manager->magic = MANAGER_MAGIC;
-
-	MTRACE("create");
-
-	*managerp = manager;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_listlock:
-	(void) isc_mutex_destroy(&manager->listlock);
-
- cleanup_lock:
-	(void) isc_mutex_destroy(&manager->lock);
-
- cleanup_manager:
-	isc_mem_put(manager->mctx, manager, sizeof(*manager));
-
-	return (result);
-}
-
-void
-ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
-	isc_result_t result;
-	ns_clientmgr_t *manager;
-	ns_client_t *client;
-	isc_boolean_t need_destroy = ISC_FALSE, unlock = ISC_FALSE;
-
-	REQUIRE(managerp != NULL);
-	manager = *managerp;
-	REQUIRE(VALID_MANAGER(manager));
-
-	MTRACE("destroy");
-
-	/*
-	 * Check for success because we may already be task-exclusive
-	 * at this point.  Only if we succeed at obtaining an exclusive
-	 * lock now will we need to relinquish it later.
-	 */
-	result = isc_task_beginexclusive(ns_g_server->task);
-	if (result == ISC_R_SUCCESS)
-		unlock = ISC_TRUE;
-
-	manager->exiting = ISC_TRUE;
-
-	for (client = ISC_LIST_HEAD(manager->clients);
-	     client != NULL;
-	     client = ISC_LIST_NEXT(client, link))
-		isc_task_shutdown(client->task);
-
-	if (ISC_LIST_EMPTY(manager->clients))
-		need_destroy = ISC_TRUE;
-
-	if (unlock)
-		isc_task_endexclusive(ns_g_server->task);
-
-	if (need_destroy)
-		clientmgr_destroy(manager);
-
-	*managerp = NULL;
-}
-
-static isc_result_t
-get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
-	   dns_dispatch_t *disp, isc_boolean_t tcp)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_event_t *ev;
-	ns_client_t *client;
-	MTRACE("get client");
-
-	REQUIRE(manager != NULL);
-
-	if (manager->exiting)
-		return (ISC_R_SHUTTINGDOWN);
-
-	/*
-	 * Allocate a client.  First try to get a recycled one;
-	 * if that fails, make a new one.
-	 */
-	client = NULL;
-	if (!ns_g_clienttest)
-		ISC_QUEUE_POP(manager->inactive, ilink, client);
-
-	if (client != NULL)
-		MTRACE("recycle");
-	else {
-		MTRACE("create new");
-
-		LOCK(&manager->lock);
-		result = client_create(manager, &client);
-		UNLOCK(&manager->lock);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		LOCK(&manager->listlock);
-		ISC_LIST_APPEND(manager->clients, client, link);
-		UNLOCK(&manager->listlock);
-	}
-
-	client->manager = manager;
-	ns_interface_attach(ifp, &client->interface);
-	client->state = NS_CLIENTSTATE_READY;
-	INSIST(client->recursionquota == NULL);
-
-	if (tcp) {
-		client->attributes |= NS_CLIENTATTR_TCP;
-		isc_socket_attach(ifp->tcpsocket,
-				  &client->tcplistener);
-	} else {
-		isc_socket_t *sock;
-
-		dns_dispatch_attach(disp, &client->dispatch);
-		sock = dns_dispatch_getsocket(client->dispatch);
-		isc_socket_attach(sock, &client->udpsocket);
-	}
-
-	INSIST(client->nctls == 0);
-	client->nctls++;
-	ev = &client->ctlevent;
-	isc_task_send(client->task, &ev);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
-			   ns_interface_t *ifp, isc_boolean_t tcp)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	unsigned int disp;
-
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(n > 0);
-
-	MTRACE("createclients");
-
-	for (disp = 0; disp < n; disp++) {
-		result = get_client(manager, ifp, ifp->udpdispatch[disp], tcp);
-		if (result != ISC_R_SUCCESS)
-			break;
-	}
-
-	return (result);
-}
-
-isc_sockaddr_t *
-ns_client_getsockaddr(ns_client_t *client) {
-	return (&client->peeraddr);
-}
-
-isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
-			 dns_acl_t *acl, isc_boolean_t default_allow)
-{
-	isc_result_t result;
-	isc_netaddr_t tmpnetaddr;
-	int match;
-
-	if (acl == NULL) {
-		if (default_allow)
-			goto allow;
-		else
-			goto deny;
-	}
-
-	if (netaddr == NULL) {
-		isc_netaddr_fromsockaddr(&tmpnetaddr, &client->peeraddr);
-		netaddr = &tmpnetaddr;
-	}
-
-	result = dns_acl_match(netaddr, client->signer, acl,
-			       &ns_g_server->aclenv, &match, NULL);
-
-	if (result != ISC_R_SUCCESS)
-		goto deny; /* Internal error, already logged. */
-	if (match > 0)
-		goto allow;
-	goto deny; /* Negative match or no match. */
-
- allow:
-	return (ISC_R_SUCCESS);
-
- deny:
-	return (DNS_R_REFUSED);
-}
-
-isc_result_t
-ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
-		   const char *opname, dns_acl_t *acl,
-		   isc_boolean_t default_allow, int log_level)
-{
-	isc_result_t result;
-	isc_netaddr_t netaddr;
-
-	if (sockaddr != NULL)
-		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-
-	result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
-					  acl, default_allow);
-
-	if (result == ISC_R_SUCCESS)
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-			      "%s approved", opname);
-	else
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_CLIENT,
-			      log_level, "%s denied", opname);
-	return (result);
-}
-
-static void
-ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
-	if (client->peeraddr_valid)
-		isc_sockaddr_format(&client->peeraddr, peerbuf, len);
-	else
-		snprintf(peerbuf, len, "@%p", client);
-}
-
-void
-ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
-{
-	char msgbuf[2048];
-	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
-	char signerbuf[DNS_NAME_FORMATSIZE], qnamebuf[DNS_NAME_FORMATSIZE];
-	const char *viewname = "";
-	const char *sep1 = "", *sep2 = "", *sep3 = "", *sep4 = "";
-	const char *signer = "", *qname = "";
-	dns_name_t *q = NULL;
-
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-
-	ns_client_name(client, peerbuf, sizeof(peerbuf));
-
-	if (client->signer != NULL) {
-		dns_name_format(client->signer, signerbuf, sizeof(signerbuf));
-		sep1 = "/key ";
-		signer = signerbuf;
-	}
-
-	q = client->query.origqname != NULL
-		? client->query.origqname : client->query.qname;
-	if (q != NULL) {
-		dns_name_format(q, qnamebuf, sizeof(qnamebuf));
-		sep2 = " (";
-		sep3 = ")";
-		qname = qnamebuf;
-	}
-
-	if (client->view != NULL && strcmp(client->view->name, "_bind") != 0 &&
-	    strcmp(client->view->name, "_default") != 0) {
-		sep4 = ": view ";
-		viewname = client->view->name;
-	}
-
-	isc_log_write(ns_g_lctx, category, module, level,
-		      "client %s%s%s%s%s%s%s%s: %s",
-		      peerbuf, sep1, signer, sep2, qname, sep3,
-		      sep4, viewname, msgbuf);
-}
-
-void
-ns_client_log(ns_client_t *client, isc_logcategory_t *category,
-	   isc_logmodule_t *module, int level, const char *fmt, ...)
-{
-	va_list ap;
-
-	if (! isc_log_wouldlog(ns_g_lctx, level))
-		return;
-
-	va_start(ap, fmt);
-	ns_client_logv(client, category, module, level, fmt, ap);
-	va_end(ap);
-}
-
-void
-ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
-		 dns_rdataclass_t rdclass, char *buf, size_t len)
-{
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
-	dns_name_format(name, namebuf, sizeof(namebuf));
-	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
-	dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
-	(void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
-		       classbuf);
-}
-
-static void
-ns_client_dumpmessage(ns_client_t *client, const char *reason) {
-	isc_buffer_t buffer;
-	char *buf = NULL;
-	int len = 1024;
-	isc_result_t result;
-
-	/*
-	 * Note that these are multiline debug messages.  We want a newline
-	 * to appear in the log after each message.
-	 */
-
-	do {
-		buf = isc_mem_get(client->mctx, len);
-		if (buf == NULL)
-			break;
-		isc_buffer_init(&buffer, buf, len);
-		result = dns_message_totext(client->message,
-					    &dns_master_style_debug,
-					    0, &buffer);
-		if (result == ISC_R_NOSPACE) {
-			isc_mem_put(client->mctx, buf, len);
-			len += 1024;
-		} else if (result == ISC_R_SUCCESS)
-			ns_client_log(client, NS_LOGCATEGORY_UNMATCHED,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
-				      "%s\n%.*s", reason,
-				       (int)isc_buffer_usedlength(&buffer),
-				       buf);
-	} while (result == ISC_R_NOSPACE);
-
-	if (buf != NULL)
-		isc_mem_put(client->mctx, buf, len);
-}
-
-void
-ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
-	ns_client_t *client;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char original[DNS_NAME_FORMATSIZE];
-	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	char classbuf[DNS_RDATACLASS_FORMATSIZE];
-	const char *name;
-	const char *sep;
-	const char *origfor;
-	dns_rdataset_t *rdataset;
-
-	REQUIRE(VALID_MANAGER(manager));
-
-	LOCK(&manager->reclock);
-	client = ISC_LIST_HEAD(manager->recursing);
-	while (client != NULL) {
-		INSIST(client->state == NS_CLIENTSTATE_RECURSING);
-
-		ns_client_name(client, peerbuf, sizeof(peerbuf));
-		if (client->view != NULL &&
-		    strcmp(client->view->name, "_bind") != 0 &&
-		    strcmp(client->view->name, "_default") != 0) {
-			name = client->view->name;
-			sep = ": view ";
-		} else {
-			name = "";
-			sep = "";
-		}
-
-		LOCK(&client->query.fetchlock);
-		INSIST(client->query.qname != NULL);
-		dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
-		if (client->query.qname != client->query.origqname &&
-		    client->query.origqname != NULL) {
-			origfor = " for ";
-			dns_name_format(client->query.origqname, original,
-					sizeof(original));
-		} else {
-			origfor = "";
-			original[0] = '\0';
-		}
-		rdataset = ISC_LIST_HEAD(client->query.qname->list);
-		if (rdataset == NULL && client->query.origqname != NULL)
-			rdataset = ISC_LIST_HEAD(client->query.origqname->list);
-		if (rdataset != NULL) {
-			dns_rdatatype_format(rdataset->type, typebuf,
-					     sizeof(typebuf));
-			dns_rdataclass_format(rdataset->rdclass, classbuf,
-					      sizeof(classbuf));
-		} else {
-			strcpy(typebuf, "-");
-			strcpy(classbuf, "-");
-		}
-		UNLOCK(&client->query.fetchlock);
-		fprintf(f, "; client %s%s%s: id %u '%s/%s/%s'%s%s "
-			"requesttime %d\n", peerbuf, sep, name,
-			client->message->id, namebuf, typebuf, classbuf,
-			origfor, original, client->requesttime);
-		client = ISC_LIST_NEXT(client, rlink);
-	}
-	UNLOCK(&manager->reclock);
-}
-
-void
-ns_client_qnamereplace(ns_client_t *client, dns_name_t *name) {
-	LOCK(&client->query.fetchlock);
-	if (client->query.restarts > 0) {
-		/*
-		 * client->query.qname was dynamically allocated.
-		 */
-		dns_message_puttempname(client->message,
-					&client->query.qname);
-	}
-	client->query.qname = name;
-	UNLOCK(&client->query.fetchlock);
-}
-
-isc_result_t
-ns_client_sourceip(dns_clientinfo_t *ci, isc_sockaddr_t **addrp) {
-	ns_client_t *client = (ns_client_t *) ci->data;
-
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(addrp != NULL);
-
-	*addrp = &client->peeraddr;
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/bin/named/config.c b/contrib/bind9/bin/named/config.c
deleted file mode 100644
index fa349ee..0000000
--- a/contrib/bind9/bin/named/config.c
+++ /dev/null
@@ -1,863 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: config.c,v 1.123 2012/01/06 23:46:41 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/parseint.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/tsig.h>
-#include <dns/zone.h>
-
-#include <dst/dst.h>
-
-#include <named/config.h>
-#include <named/globals.h>
-
-#include "bind.keys.h"
-
-/*% default configuration */
-static char defaultconf[] = "\
-options {\n\
-#	blackhole {none;};\n"
-#ifndef WIN32
-"	coresize default;\n\
-	datasize default;\n\
-	files unlimited;\n\
-	stacksize default;\n"
-#endif
-"#	session-keyfile \"" NS_LOCALSTATEDIR "/run/named/session.key\";\n\
-	session-keyname local-ddns;\n\
-	session-keyalg hmac-sha256;\n\
-	deallocate-on-exit true;\n\
-#	directory <none>\n\
-	dump-file \"named_dump.db\";\n\
-	fake-iquery no;\n\
-	has-old-clients false;\n\
-	heartbeat-interval 60;\n\
-	host-statistics no;\n\
-	interface-interval 60;\n\
-	listen-on {any;};\n\
-	listen-on-v6 {none;};\n\
-	match-mapped-addresses no;\n\
-	max-rsa-exponent-size 0; /* no limit */\n\
-	memstatistics-file \"named.memstats\";\n\
-	multiple-cnames no;\n\
-#	named-xfer <obsolete>;\n\
-#	pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
-	bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
-	port 53;\n\
-	recursing-file \"named.recursing\";\n\
-	secroots-file \"named.secroots\";\n\
-"
-#ifdef PATH_RANDOMDEV
-"\
-	random-device \"" PATH_RANDOMDEV "\";\n\
-"
-#endif
-"\
-	recursive-clients 1000;\n\
-	resolver-query-timeout 10;\n\
-	rrset-order { order random; };\n\
-	serial-queries 20;\n\
-	serial-query-rate 20;\n\
-	server-id none;\n\
-	statistics-file \"named.stats\";\n\
-	statistics-interval 60;\n\
-	tcp-clients 100;\n\
-	tcp-listen-queue 3;\n\
-#	tkey-dhkey <none>\n\
-#	tkey-gssapi-credential <none>\n\
-#	tkey-domain <none>\n\
-	transfers-per-ns 2;\n\
-	transfers-in 10;\n\
-	transfers-out 10;\n\
-	treat-cr-as-space true;\n\
-	use-id-pool true;\n\
-	use-ixfr true;\n\
-	edns-udp-size 4096;\n\
-	max-udp-size 4096;\n\
-	request-nsid false;\n\
-	reserved-sockets 512;\n\
-\n\
-	/* DLV */\n\
-	dnssec-lookaside . trust-anchor dlv.isc.org;\n\
-\n\
-	/* view */\n\
-	allow-notify {none;};\n\
-	allow-update-forwarding {none;};\n\
-	allow-query-cache { localnets; localhost; };\n\
-	allow-query-cache-on { any; };\n\
-	allow-recursion { localnets; localhost; };\n\
-	allow-recursion-on { any; };\n\
-#	allow-v6-synthesis <obsolete>;\n\
-#	sortlist <none>\n\
-#	topology <none>\n\
-	auth-nxdomain false;\n\
-	minimal-responses false;\n\
-	recursion true;\n\
-	provide-ixfr true;\n\
-	request-ixfr true;\n\
-	fetch-glue no;\n\
-	rfc2308-type1 no;\n\
-	additional-from-auth true;\n\
-	additional-from-cache true;\n\
-	query-source address *;\n\
-	query-source-v6 address *;\n\
-	notify-source *;\n\
-	notify-source-v6 *;\n\
-	cleaning-interval 0;  /* now meaningless */\n\
-	min-roots 2;\n\
-	lame-ttl 600;\n\
-	max-ncache-ttl 10800; /* 3 hours */\n\
-	max-cache-ttl 604800; /* 1 week */\n\
-	transfer-format many-answers;\n\
-	max-cache-size 0;\n\
-	check-names master fail;\n\
-	check-names slave warn;\n\
-	check-names response ignore;\n\
-	check-dup-records warn;\n\
-	check-mx warn;\n\
-	check-spf warn;\n\
-	acache-enable no;\n\
-	acache-cleaning-interval 60;\n\
-	max-acache-size 16M;\n\
-	dnssec-enable yes;\n\
-	dnssec-validation yes; \n\
-	dnssec-accept-expired no;\n\
-	clients-per-query 10;\n\
-	max-clients-per-query 100;\n\
-	zero-no-soa-ttl-cache no;\n\
-	nsec3-test-zone no;\n\
-	allow-new-zones no;\n\
-"
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-"	filter-aaaa-on-v4 no;\n\
-	filter-aaaa { any; };\n\
-"
-#endif
-
-"	/* zone */\n\
-	allow-query {any;};\n\
-	allow-query-on {any;};\n\
-	allow-transfer {any;};\n\
-	notify yes;\n\
-#	also-notify <none>\n\
-	notify-delay 5;\n\
-	notify-to-soa no;\n\
-	dialup no;\n\
-#	forward <none>\n\
-#	forwarders <none>\n\
-	maintain-ixfr-base no;\n\
-#	max-ixfr-log-size <obsolete>\n\
-	transfer-source *;\n\
-	transfer-source-v6 *;\n\
-	alt-transfer-source *;\n\
-	alt-transfer-source-v6 *;\n\
-	max-transfer-time-in 120;\n\
-	max-transfer-time-out 120;\n\
-	max-transfer-idle-in 60;\n\
-	max-transfer-idle-out 60;\n\
-	max-retry-time 1209600; /* 2 weeks */\n\
-	min-retry-time 500;\n\
-	max-refresh-time 2419200; /* 4 weeks */\n\
-	min-refresh-time 300;\n\
-	multi-master no;\n\
-	dnssec-secure-to-insecure no;\n\
-	sig-validity-interval 30; /* days */\n\
-	sig-signing-nodes 100;\n\
-	sig-signing-signatures 10;\n\
-	sig-signing-type 65534;\n\
-	inline-signing no;\n\
-	zone-statistics terse;\n\
-	max-journal-size unlimited;\n\
-	ixfr-from-differences false;\n\
-	check-wildcard yes;\n\
-	check-sibling yes;\n\
-	check-integrity yes;\n\
-	check-mx-cname warn;\n\
-	check-srv-cname warn;\n\
-	zero-no-soa-ttl yes;\n\
-	update-check-ksk yes;\n\
-	serial-update-method increment;\n\
-	dnssec-update-mode maintain;\n\
-	dnssec-dnskey-kskonly no;\n\
-	dnssec-loadkeys-interval 60;\n\
-	try-tcp-refresh yes; /* BIND 8 compat */\n\
-};\n\
-"
-
-"#\n\
-#  Zones in the \"_bind\" view are NOT counted in the count of zones.\n\
-#\n\
-view \"_bind\" chaos {\n\
-	recursion no;\n\
-	notify no;\n\
-	allow-new-zones no;\n\
-\n\
-	zone \"version.bind\" chaos {\n\
-		type master;\n\
-		database \"_builtin version\";\n\
-	};\n\
-\n\
-	zone \"hostname.bind\" chaos {\n\
-		type master;\n\
-		database \"_builtin hostname\";\n\
-	};\n\
-\n\
-	zone \"authors.bind\" chaos {\n\
-		type master;\n\
-		database \"_builtin authors\";\n\
-	};\n\
-\n\
-	zone \"id.server\" chaos {\n\
-		type master;\n\
-		database \"_builtin id\";\n\
-	};\n\
-};\n\
-"
-"#\n\
-#  Default trusted key(s) for builtin DLV support\n\
-#  (used if \"dnssec-lookaside auto;\" is set and\n\
-#  sysconfdir/bind.keys doesn't exist).\n\
-#\n\
-# BEGIN MANAGED KEYS\n"
-
-/* Imported from bind.keys.h: */
-MANAGED_KEYS
-
-"# END MANAGED KEYS\n\
-";
-
-isc_result_t
-ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
-	isc_buffer_t b;
-
-	isc_buffer_init(&b, defaultconf, sizeof(defaultconf) - 1);
-	isc_buffer_add(&b, sizeof(defaultconf) - 1);
-	return (cfg_parse_buffer(parser, &b, &cfg_type_namedconf, conf));
-}
-
-isc_result_t
-ns_config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
-	int i;
-
-	for (i = 0;; i++) {
-		if (maps[i] == NULL)
-			return (ISC_R_NOTFOUND);
-		if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
-			return (ISC_R_SUCCESS);
-	}
-}
-
-isc_result_t
-ns_checknames_get(const cfg_obj_t **maps, const char *which,
-		  const cfg_obj_t **obj)
-{
-	const cfg_listelt_t *element;
-	const cfg_obj_t *checknames;
-	const cfg_obj_t *type;
-	const cfg_obj_t *value;
-	int i;
-
-	for (i = 0;; i++) {
-		if (maps[i] == NULL)
-			return (ISC_R_NOTFOUND);
-		checknames = NULL;
-		if (cfg_map_get(maps[i], "check-names",
-				&checknames) == ISC_R_SUCCESS) {
-			/*
-			 * Zone map entry is not a list.
-			 */
-			if (checknames != NULL && !cfg_obj_islist(checknames)) {
-				*obj = checknames;
-				return (ISC_R_SUCCESS);
-			}
-			for (element = cfg_list_first(checknames);
-			     element != NULL;
-			     element = cfg_list_next(element)) {
-				value = cfg_listelt_value(element);
-				type = cfg_tuple_get(value, "type");
-				if (strcasecmp(cfg_obj_asstring(type),
-					       which) == 0) {
-					*obj = cfg_tuple_get(value, "mode");
-					return (ISC_R_SUCCESS);
-				}
-			}
-
-		}
-	}
-}
-
-int
-ns_config_listcount(const cfg_obj_t *list) {
-	const cfg_listelt_t *e;
-	int i = 0;
-
-	for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e))
-		i++;
-
-	return (i);
-}
-
-isc_result_t
-ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
-		   dns_rdataclass_t *classp) {
-	isc_textregion_t r;
-	isc_result_t result;
-
-	if (!cfg_obj_isstring(classobj)) {
-		*classp = defclass;
-		return (ISC_R_SUCCESS);
-	}
-	DE_CONST(cfg_obj_asstring(classobj), r.base);
-	r.length = strlen(r.base);
-	result = dns_rdataclass_fromtext(classp, &r);
-	if (result != ISC_R_SUCCESS)
-		cfg_obj_log(classobj, ns_g_lctx, ISC_LOG_ERROR,
-			    "unknown class '%s'", r.base);
-	return (result);
-}
-
-isc_result_t
-ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
-		   dns_rdatatype_t *typep) {
-	isc_textregion_t r;
-	isc_result_t result;
-
-	if (!cfg_obj_isstring(typeobj)) {
-		*typep = deftype;
-		return (ISC_R_SUCCESS);
-	}
-	DE_CONST(cfg_obj_asstring(typeobj), r.base);
-	r.length = strlen(r.base);
-	result = dns_rdatatype_fromtext(typep, &r);
-	if (result != ISC_R_SUCCESS)
-		cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR,
-			    "unknown type '%s'", r.base);
-	return (result);
-}
-
-dns_zonetype_t
-ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
-	dns_zonetype_t ztype = dns_zone_none;
-	const char *str;
-
-	str = cfg_obj_asstring(zonetypeobj);
-	if (strcasecmp(str, "master") == 0)
-		ztype = dns_zone_master;
-	else if (strcasecmp(str, "slave") == 0)
-		ztype = dns_zone_slave;
-	else if (strcasecmp(str, "stub") == 0)
-		ztype = dns_zone_stub;
-	else if (strcasecmp(str, "static-stub") == 0)
-		ztype = dns_zone_staticstub;
-	else if (strcasecmp(str, "redirect") == 0)
-		ztype = dns_zone_redirect;
-	else
-		INSIST(0);
-	return (ztype);
-}
-
-isc_result_t
-ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
-		    in_port_t defport, isc_mem_t *mctx,
-		    isc_sockaddr_t **addrsp, isc_uint32_t *countp)
-{
-	int count, i = 0;
-	const cfg_obj_t *addrlist;
-	const cfg_obj_t *portobj;
-	const cfg_listelt_t *element;
-	isc_sockaddr_t *addrs;
-	in_port_t port;
-	isc_result_t result;
-
-	INSIST(addrsp != NULL && *addrsp == NULL);
-	INSIST(countp != NULL);
-
-	addrlist = cfg_tuple_get(list, "addresses");
-	count = ns_config_listcount(addrlist);
-
-	portobj = cfg_tuple_get(list, "port");
-	if (cfg_obj_isuint32(portobj)) {
-		isc_uint32_t val = cfg_obj_asuint32(portobj);
-		if (val > ISC_UINT16_MAX) {
-			cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
-				    "port '%u' out of range", val);
-			return (ISC_R_RANGE);
-		}
-		port = (in_port_t) val;
-	} else if (defport != 0)
-		port = defport;
-	else {
-		result = ns_config_getport(config, &port);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t));
-	if (addrs == NULL)
-		return (ISC_R_NOMEMORY);
-
-	for (element = cfg_list_first(addrlist);
-	     element != NULL;
-	     element = cfg_list_next(element), i++)
-	{
-		INSIST(i < count);
-		addrs[i] = *cfg_obj_assockaddr(cfg_listelt_value(element));
-		if (isc_sockaddr_getport(&addrs[i]) == 0)
-			isc_sockaddr_setport(&addrs[i], port);
-	}
-	INSIST(i == count);
-
-	*addrsp = addrs;
-	*countp = count;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
-		    isc_uint32_t count)
-{
-	INSIST(addrsp != NULL && *addrsp != NULL);
-
-	isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t));
-	*addrsp = NULL;
-}
-
-static isc_result_t
-get_masters_def(const cfg_obj_t *cctx, const char *name,
-		const cfg_obj_t **ret)
-{
-	isc_result_t result;
-	const cfg_obj_t *masters = NULL;
-	const cfg_listelt_t *elt;
-
-	result = cfg_map_get(cctx, "masters", &masters);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	for (elt = cfg_list_first(masters);
-	     elt != NULL;
-	     elt = cfg_list_next(elt)) {
-		const cfg_obj_t *list;
-		const char *listname;
-
-		list = cfg_listelt_value(elt);
-		listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
-
-		if (strcasecmp(listname, name) == 0) {
-			*ret = list;
-			return (ISC_R_SUCCESS);
-		}
-	}
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
-			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
-			  dns_name_t ***keysp, isc_uint32_t *countp)
-{
-	isc_uint32_t addrcount = 0, keycount = 0, i = 0;
-	isc_uint32_t listcount = 0, l = 0, j;
-	isc_uint32_t stackcount = 0, pushed = 0;
-	isc_result_t result;
-	const cfg_listelt_t *element;
-	const cfg_obj_t *addrlist;
-	const cfg_obj_t *portobj;
-	in_port_t port;
-	dns_fixedname_t fname;
-	isc_sockaddr_t *addrs = NULL;
-	dns_name_t **keys = NULL;
-	struct { const char *name; } *lists = NULL;
-	struct {
-		const cfg_listelt_t *element;
-		in_port_t port;
-	} *stack = NULL;
-
-	REQUIRE(addrsp != NULL && *addrsp == NULL);
-	REQUIRE(keysp != NULL && *keysp == NULL);
-	REQUIRE(countp != NULL);
-
- newlist:
-	addrlist = cfg_tuple_get(list, "addresses");
-	portobj = cfg_tuple_get(list, "port");
-	if (cfg_obj_isuint32(portobj)) {
-		isc_uint32_t val = cfg_obj_asuint32(portobj);
-		if (val > ISC_UINT16_MAX) {
-			cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
-				    "port '%u' out of range", val);
-			result = ISC_R_RANGE;
-			goto cleanup;
-		}
-		port = (in_port_t) val;
-	} else {
-		result = ns_config_getport(config, &port);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	result = ISC_R_NOMEMORY;
-
-	element = cfg_list_first(addrlist);
- resume:
-	for ( ;
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *addr;
-		const cfg_obj_t *key;
-		const char *keystr;
-		isc_buffer_t b;
-
-		addr = cfg_tuple_get(cfg_listelt_value(element),
-				     "masterselement");
-		key = cfg_tuple_get(cfg_listelt_value(element), "key");
-
-		if (!cfg_obj_issockaddr(addr)) {
-			const char *listname = cfg_obj_asstring(addr);
-			isc_result_t tresult;
-
-			/* Grow lists? */
-			if (listcount == l) {
-				void * new;
-				isc_uint32_t newlen = listcount + 16;
-				size_t newsize, oldsize;
-
-				newsize = newlen * sizeof(*lists);
-				oldsize = listcount * sizeof(*lists);
-				new = isc_mem_get(mctx, newsize);
-				if (new == NULL)
-					goto cleanup;
-				if (listcount != 0) {
-					memcpy(new, lists, oldsize);
-					isc_mem_put(mctx, lists, oldsize);
-				}
-				lists = new;
-				listcount = newlen;
-			}
-			/* Seen? */
-			for (j = 0; j < l; j++)
-				if (strcasecmp(lists[j].name, listname) == 0)
-					break;
-			if (j < l)
-				continue;
-			tresult = get_masters_def(config, listname, &list);
-			if (tresult == ISC_R_NOTFOUND) {
-				cfg_obj_log(addr, ns_g_lctx, ISC_LOG_ERROR,
-				    "masters \"%s\" not found", listname);
-
-				result = tresult;
-				goto cleanup;
-			}
-			if (tresult != ISC_R_SUCCESS)
-				goto cleanup;
-			lists[l++].name = listname;
-			/* Grow stack? */
-			if (stackcount == pushed) {
-				void * new;
-				isc_uint32_t newlen = stackcount + 16;
-				size_t newsize, oldsize;
-
-				newsize = newlen * sizeof(*stack);
-				oldsize = stackcount * sizeof(*stack);
-				new = isc_mem_get(mctx, newsize);
-				if (new == NULL)
-					goto cleanup;
-				if (stackcount != 0) {
-					memcpy(new, stack, oldsize);
-					isc_mem_put(mctx, stack, oldsize);
-				}
-				stack = new;
-				stackcount = newlen;
-			}
-			/*
-			 * We want to resume processing this list on the
-			 * next element.
-			 */
-			stack[pushed].element = cfg_list_next(element);
-			stack[pushed].port = port;
-			pushed++;
-			goto newlist;
-		}
-
-		if (i == addrcount) {
-			void * new;
-			isc_uint32_t newlen = addrcount + 16;
-			size_t newsize, oldsize;
-
-			newsize = newlen * sizeof(isc_sockaddr_t);
-			oldsize = addrcount * sizeof(isc_sockaddr_t);
-			new = isc_mem_get(mctx, newsize);
-			if (new == NULL)
-				goto cleanup;
-			if (addrcount != 0) {
-				memcpy(new, addrs, oldsize);
-				isc_mem_put(mctx, addrs, oldsize);
-			}
-			addrs = new;
-			addrcount = newlen;
-
-			newsize = newlen * sizeof(dns_name_t *);
-			oldsize = keycount * sizeof(dns_name_t *);
-			new = isc_mem_get(mctx, newsize);
-			if (new == NULL)
-				goto cleanup;
-			if (keycount != 0) {
-				memcpy(new, keys, oldsize);
-				isc_mem_put(mctx, keys, oldsize);
-			}
-			keys = new;
-			keycount = newlen;
-		}
-
-		addrs[i] = *cfg_obj_assockaddr(addr);
-		if (isc_sockaddr_getport(&addrs[i]) == 0)
-			isc_sockaddr_setport(&addrs[i], port);
-		keys[i] = NULL;
-		i++;	/* Increment here so that cleanup on error works. */
-		if (!cfg_obj_isstring(key))
-			continue;
-		keys[i - 1] = isc_mem_get(mctx, sizeof(dns_name_t));
-		if (keys[i - 1] == NULL)
-			goto cleanup;
-		dns_name_init(keys[i - 1], NULL);
-
-		keystr = cfg_obj_asstring(key);
-		isc_buffer_constinit(&b, keystr, strlen(keystr));
-		isc_buffer_add(&b, strlen(keystr));
-		dns_fixedname_init(&fname);
-		result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
-					   dns_rootname, 0, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		result = dns_name_dup(dns_fixedname_name(&fname), mctx,
-				      keys[i - 1]);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-	if (pushed != 0) {
-		pushed--;
-		element = stack[pushed].element;
-		port = stack[pushed].port;
-		goto resume;
-	}
-	if (i < addrcount) {
-		void * new;
-		size_t newsize, oldsize;
-
-		newsize = i * sizeof(isc_sockaddr_t);
-		oldsize = addrcount * sizeof(isc_sockaddr_t);
-		if (i != 0) {
-			new = isc_mem_get(mctx, newsize);
-			if (new == NULL)
-				goto cleanup;
-			memcpy(new, addrs, newsize);
-		} else
-			new = NULL;
-		isc_mem_put(mctx, addrs, oldsize);
-		addrs = new;
-		addrcount = i;
-
-		newsize = i * sizeof(dns_name_t *);
-		oldsize = keycount * sizeof(dns_name_t *);
-		if (i != 0) {
-			new = isc_mem_get(mctx, newsize);
-			if (new == NULL)
-				goto cleanup;
-			memcpy(new, keys,  newsize);
-		} else
-			new = NULL;
-		isc_mem_put(mctx, keys, oldsize);
-		keys = new;
-		keycount = i;
-	}
-
-	if (lists != NULL)
-		isc_mem_put(mctx, lists, listcount * sizeof(*lists));
-	if (stack != NULL)
-		isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
-
-	INSIST(keycount == addrcount);
-
-	*addrsp = addrs;
-	*keysp = keys;
-	*countp = addrcount;
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (addrs != NULL)
-		isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t));
-	if (keys != NULL) {
-		for (j = 0; j < i; j++) {
-			if (keys[j] == NULL)
-				continue;
-			if (dns_name_dynamic(keys[j]))
-				dns_name_free(keys[j], mctx);
-			isc_mem_put(mctx, keys[j], sizeof(dns_name_t));
-		}
-		isc_mem_put(mctx, keys, keycount * sizeof(dns_name_t *));
-	}
-	if (lists != NULL)
-		isc_mem_put(mctx, lists, listcount * sizeof(*lists));
-	if (stack != NULL)
-		isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
-	return (result);
-}
-
-void
-ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
-			  dns_name_t ***keysp, isc_uint32_t count)
-{
-	unsigned int i;
-	dns_name_t **keys = *keysp;
-
-	INSIST(addrsp != NULL && *addrsp != NULL);
-
-	isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t));
-	for (i = 0; i < count; i++) {
-		if (keys[i] == NULL)
-			continue;
-		if (dns_name_dynamic(keys[i]))
-			dns_name_free(keys[i], mctx);
-		isc_mem_put(mctx, keys[i], sizeof(dns_name_t));
-	}
-	isc_mem_put(mctx, *keysp, count * sizeof(dns_name_t *));
-	*addrsp = NULL;
-	*keysp = NULL;
-}
-
-isc_result_t
-ns_config_getport(const cfg_obj_t *config, in_port_t *portp) {
-	const cfg_obj_t *maps[3];
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *portobj = NULL;
-	isc_result_t result;
-	int i;
-
-	(void)cfg_map_get(config, "options", &options);
-	i = 0;
-	if (options != NULL)
-		maps[i++] = options;
-	maps[i++] = ns_g_defaults;
-	maps[i] = NULL;
-
-	result = ns_config_get(maps, "port", &portobj);
-	INSIST(result == ISC_R_SUCCESS);
-	if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
-		cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
-			    "port '%u' out of range",
-			    cfg_obj_asuint32(portobj));
-		return (ISC_R_RANGE);
-	}
-	*portp = (in_port_t)cfg_obj_asuint32(portobj);
-	return (ISC_R_SUCCESS);
-}
-
-struct keyalgorithms {
-	const char *str;
-	enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
-	       hmacsha256, hmacsha384, hmacsha512 } hmac;
-	unsigned int type;
-	isc_uint16_t size;
-} algorithms[] = {
-	{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
-	{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
-	{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
-	{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
-	{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
-	{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
-	{ "hmac-sha384", hmacsha384, DST_ALG_HMACSHA384, 384 },
-	{ "hmac-sha512", hmacsha512, DST_ALG_HMACSHA512, 512 },
-	{  NULL, hmacnone, DST_ALG_UNKNOWN, 0 }
-};
-
-isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
-			  isc_uint16_t *digestbits)
-{
-	return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
-}
-
-isc_result_t
-ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
-			   unsigned int *typep, isc_uint16_t *digestbits)
-{
-	int i;
-	size_t len = 0;
-	isc_uint16_t bits;
-	isc_result_t result;
-
-	for (i = 0; algorithms[i].str != NULL; i++) {
-		len = strlen(algorithms[i].str);
-		if (strncasecmp(algorithms[i].str, str, len) == 0 &&
-		    (str[len] == '\0' ||
-		     (algorithms[i].size != 0 && str[len] == '-')))
-			break;
-	}
-	if (algorithms[i].str == NULL)
-		return (ISC_R_NOTFOUND);
-	if (str[len] == '-') {
-		result = isc_parse_uint16(&bits, str + len + 1, 10);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		if (bits > algorithms[i].size)
-			return (ISC_R_RANGE);
-	} else if (algorithms[i].size == 0)
-		bits = 128;
-	else
-		bits = algorithms[i].size;
-
-	if (name != NULL) {
-		switch (algorithms[i].hmac) {
-		case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
-		case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
-		case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
-		case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
-		case hmacsha384: *name = dns_tsig_hmacsha384_name; break;
-		case hmacsha512: *name = dns_tsig_hmacsha512_name; break;
-		default:
-			INSIST(0);
-		}
-	}
-	if (typep != NULL)
-		*typep = algorithms[i].type;
-	if (digestbits != NULL)
-		*digestbits = bits;
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/bin/named/control.c b/contrib/bind9/bin/named/control.c
deleted file mode 100644
index fabe442..0000000
--- a/contrib/bind9/bin/named/control.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-
-#include <isc/app.h>
-#include <isc/event.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/result.h>
-
-#include <isccc/alist.h>
-#include <isccc/cc.h>
-#include <isccc/result.h>
-
-#include <named/control.h>
-#include <named/log.h>
-#include <named/os.h>
-#include <named/server.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#endif
-
-static isc_boolean_t
-command_compare(const char *text, const char *command) {
-	unsigned int commandlen = strlen(command);
-	if (strncasecmp(text, command, commandlen) == 0 &&
-	    (text[commandlen] == '\0' ||
-	     text[commandlen] == ' ' ||
-	     text[commandlen] == '\t'))
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-/*%
- * This function is called to process the incoming command
- * when a control channel message is received.
- */
-isc_result_t
-ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
-	isccc_sexpr_t *data;
-	char *command = NULL;
-	isc_result_t result;
-	int log_level;
-#ifdef HAVE_LIBSCF
-	ns_smf_want_disable = 0;
-#endif
-
-	data = isccc_alist_lookup(message, "_data");
-	if (data == NULL) {
-		/*
-		 * No data section.
-		 */
-		return (ISC_R_FAILURE);
-	}
-
-	result = isccc_cc_lookupstring(data, "type", &command);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * We have no idea what this is.
-		 */
-		return (result);
-	}
-
-	/*
-	 * Compare the 'command' parameter against all known control commands.
-	 */
-	if (command_compare(command, NS_COMMAND_NULL) ||
-	    command_compare(command, NS_COMMAND_STATUS)) {
-		log_level = ISC_LOG_DEBUG(1);
-	} else {
-		log_level = ISC_LOG_INFO;
-	}
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_CONTROL, log_level,
-		      "received control channel command '%s'",
-		      command);
-
-	if (command_compare(command, NS_COMMAND_RELOAD)) {
-		result = ns_server_reloadcommand(ns_g_server, command, text);
-	} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
-		result = ns_server_reconfigcommand(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_REFRESH)) {
-		result = ns_server_refreshcommand(ns_g_server, command, text);
-	} else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
-		result = ns_server_retransfercommand(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_HALT)) {
-#ifdef HAVE_LIBSCF
-		/*
-		 * If we are managed by smf(5), AND in chroot, then
-		 * we cannot connect to the smf repository, so just
-		 * return with an appropriate message back to rndc.
-		 */
-		if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
-			result = ns_smf_add_message(text);
-			return (result);
-		}
-		/*
-		 * If we are managed by smf(5) but not in chroot,
-		 * try to disable ourselves the smf way.
-		 */
-		if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
-			ns_smf_want_disable = 1;
-		/*
-		 * If ns_smf_got_instance = 0, ns_smf_chroot
-		 * is not relevant and we fall through to
-		 * isc_app_shutdown below.
-		 */
-#endif
-		/* Do not flush master files */
-		ns_server_flushonshutdown(ns_g_server, ISC_FALSE);
-		ns_os_shutdownmsg(command, text);
-		isc_app_shutdown();
-		result = ISC_R_SUCCESS;
-	} else if (command_compare(command, NS_COMMAND_STOP)) {
-		/*
-		 * "stop" is the same as "halt" except it does
-		 * flush master files.
-		 */
-#ifdef HAVE_LIBSCF
-		if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
-			result = ns_smf_add_message(text);
-			return (result);
-		}
-		if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
-			ns_smf_want_disable = 1;
-#endif
-		ns_server_flushonshutdown(ns_g_server, ISC_TRUE);
-		ns_os_shutdownmsg(command, text);
-		isc_app_shutdown();
-		result = ISC_R_SUCCESS;
-	} else if (command_compare(command, NS_COMMAND_DUMPSTATS)) {
-		result = ns_server_dumpstats(ns_g_server);
-	} else if (command_compare(command, NS_COMMAND_QUERYLOG)) {
-		result = ns_server_togglequerylog(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
-		ns_server_dumpdb(ns_g_server, command);
-		result = ISC_R_SUCCESS;
-	} else if (command_compare(command, NS_COMMAND_SECROOTS)) {
-		result = ns_server_dumpsecroots(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_TRACE)) {
-		result = ns_server_setdebuglevel(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_NOTRACE)) {
-		ns_g_debuglevel = 0;
-		isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
-		result = ISC_R_SUCCESS;
-	} else if (command_compare(command, NS_COMMAND_FLUSH)) {
-		result = ns_server_flushcache(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_FLUSHNAME)) {
-		result = ns_server_flushnode(ns_g_server, command, ISC_FALSE);
-	} else if (command_compare(command, NS_COMMAND_FLUSHTREE)) {
-		result = ns_server_flushnode(ns_g_server, command, ISC_TRUE);
-	} else if (command_compare(command, NS_COMMAND_STATUS)) {
-		result = ns_server_status(ns_g_server, text);
-	} else if (command_compare(command, NS_COMMAND_TSIGLIST)) {
-		result = ns_server_tsiglist(ns_g_server, text);
-	} else if (command_compare(command, NS_COMMAND_TSIGDELETE)) {
-		result = ns_server_tsigdelete(ns_g_server, command, text);
-	} else if (command_compare(command, NS_COMMAND_FREEZE)) {
-		result = ns_server_freeze(ns_g_server, ISC_TRUE, command,
-					  text);
-	} else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
-		   command_compare(command, NS_COMMAND_THAW)) {
-		result = ns_server_freeze(ns_g_server, ISC_FALSE, command,
-					  text);
-	} else if (command_compare(command, NS_COMMAND_SYNC)) {
-		result = ns_server_sync(ns_g_server, command, text);
-	} else if (command_compare(command, NS_COMMAND_RECURSING)) {
-		result = ns_server_dumprecursing(ns_g_server);
-	} else if (command_compare(command, NS_COMMAND_TIMERPOKE)) {
-		result = ISC_R_SUCCESS;
-		isc_timermgr_poke(ns_g_timermgr);
-	} else if (command_compare(command, NS_COMMAND_NULL)) {
-		result = ISC_R_SUCCESS;
-	} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
-		result = ns_server_notifycommand(ns_g_server, command, text);
-	} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
-		result = ns_server_validation(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_SIGN) ||
-		   command_compare(command, NS_COMMAND_LOADKEYS)) {
-		result = ns_server_rekey(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_ADDZONE)) {
-		result = ns_server_add_zone(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_DELZONE)) {
-		result = ns_server_del_zone(ns_g_server, command);
-	} else if (command_compare(command, NS_COMMAND_SIGNING)) {
-		result = ns_server_signing(ns_g_server, command, text);
-	} else {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
-			      "unknown control channel command '%s'",
-			      command);
-		result = DNS_R_UNKNOWNCOMMAND;
-	}
-
-	return (result);
-}
diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c
deleted file mode 100644
index c46a6e1..0000000
--- a/contrib/bind9/bin/named/controlconf.c
+++ /dev/null
@@ -1,1458 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: controlconf.c,v 1.63 2011/12/22 08:07:48 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/event.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/netaddr.h>
-#include <isc/random.h>
-#include <isc/result.h>
-#include <isc/stdtime.h>
-#include <isc/string.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <bind9/check.h>
-
-#include <isccc/alist.h>
-#include <isccc/cc.h>
-#include <isccc/ccmsg.h>
-#include <isccc/events.h>
-#include <isccc/result.h>
-#include <isccc/sexpr.h>
-#include <isccc/symtab.h>
-#include <isccc/util.h>
-
-#include <dns/result.h>
-
-#include <named/config.h>
-#include <named/control.h>
-#include <named/log.h>
-#include <named/server.h>
-
-/*
- * Note: Listeners and connections are not locked.  All event handlers are
- * executed by the server task, and all callers of exported routines must
- * be running under the server task.
- */
-
-typedef struct controlkey controlkey_t;
-typedef ISC_LIST(controlkey_t) controlkeylist_t;
-
-typedef struct controlconnection controlconnection_t;
-typedef ISC_LIST(controlconnection_t) controlconnectionlist_t;
-
-typedef struct controllistener controllistener_t;
-typedef ISC_LIST(controllistener_t) controllistenerlist_t;
-
-struct controlkey {
-	char *				keyname;
-	isc_region_t			secret;
-	ISC_LINK(controlkey_t)		link;
-};
-
-struct controlconnection {
-	isc_socket_t *			sock;
-	isccc_ccmsg_t			ccmsg;
-	isc_boolean_t			ccmsg_valid;
-	isc_boolean_t			sending;
-	isc_timer_t *			timer;
-	unsigned char			buffer[2048];
-	controllistener_t *		listener;
-	isc_uint32_t			nonce;
-	ISC_LINK(controlconnection_t)	link;
-};
-
-struct controllistener {
-	ns_controls_t *			controls;
-	isc_mem_t *			mctx;
-	isc_task_t *			task;
-	isc_sockaddr_t			address;
-	isc_socket_t *			sock;
-	dns_acl_t *			acl;
-	isc_boolean_t			listening;
-	isc_boolean_t			exiting;
-	controlkeylist_t		keys;
-	controlconnectionlist_t		connections;
-	isc_sockettype_t		type;
-	isc_uint32_t			perm;
-	isc_uint32_t			owner;
-	isc_uint32_t			group;
-	ISC_LINK(controllistener_t)	link;
-};
-
-struct ns_controls {
-	ns_server_t			*server;
-	controllistenerlist_t 		listeners;
-	isc_boolean_t			shuttingdown;
-	isccc_symtab_t			*symtab;
-};
-
-static void control_newconn(isc_task_t *task, isc_event_t *event);
-static void control_recvmessage(isc_task_t *task, isc_event_t *event);
-
-#define CLOCKSKEW 300
-
-static void
-free_controlkey(controlkey_t *key, isc_mem_t *mctx) {
-	if (key->keyname != NULL)
-		isc_mem_free(mctx, key->keyname);
-	if (key->secret.base != NULL)
-		isc_mem_put(mctx, key->secret.base, key->secret.length);
-	isc_mem_put(mctx, key, sizeof(*key));
-}
-
-static void
-free_controlkeylist(controlkeylist_t *keylist, isc_mem_t *mctx) {
-	while (!ISC_LIST_EMPTY(*keylist)) {
-		controlkey_t *key = ISC_LIST_HEAD(*keylist);
-		ISC_LIST_UNLINK(*keylist, key, link);
-		free_controlkey(key, mctx);
-	}
-}
-
-static void
-free_listener(controllistener_t *listener) {
-	INSIST(listener->exiting);
-	INSIST(!listener->listening);
-	INSIST(ISC_LIST_EMPTY(listener->connections));
-
-	if (listener->sock != NULL)
-		isc_socket_detach(&listener->sock);
-
-	free_controlkeylist(&listener->keys, listener->mctx);
-
-	if (listener->acl != NULL)
-		dns_acl_detach(&listener->acl);
-
-	isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
-}
-
-static void
-maybe_free_listener(controllistener_t *listener) {
-	if (listener->exiting &&
-	    !listener->listening &&
-	    ISC_LIST_EMPTY(listener->connections))
-		free_listener(listener);
-}
-
-static void
-maybe_free_connection(controlconnection_t *conn) {
-	controllistener_t *listener = conn->listener;
-
-	if (conn->timer != NULL)
-		isc_timer_detach(&conn->timer);
-
-	if (conn->ccmsg_valid) {
-		isccc_ccmsg_cancelread(&conn->ccmsg);
-		return;
-	}
-
-	if (conn->sending) {
-		isc_socket_cancel(conn->sock, listener->task,
-				  ISC_SOCKCANCEL_SEND);
-		return;
-	}
-
-	ISC_LIST_UNLINK(listener->connections, conn, link);
-	isc_mem_put(listener->mctx, conn, sizeof(*conn));
-}
-
-static void
-shutdown_listener(controllistener_t *listener) {
-	controlconnection_t *conn;
-	controlconnection_t *next;
-
-	if (!listener->exiting) {
-		char socktext[ISC_SOCKADDR_FORMATSIZE];
-
-		ISC_LIST_UNLINK(listener->controls->listeners, listener, link);
-
-		isc_sockaddr_format(&listener->address, socktext,
-				    sizeof(socktext));
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
-			      "stopping command channel on %s", socktext);
-		if (listener->type == isc_sockettype_unix)
-			isc_socket_cleanunix(&listener->address, ISC_TRUE);
-		listener->exiting = ISC_TRUE;
-	}
-
-	for (conn = ISC_LIST_HEAD(listener->connections);
-	     conn != NULL;
-	     conn = next)
-	{
-		next = ISC_LIST_NEXT(conn, link);
-		maybe_free_connection(conn);
-	}
-
-	if (listener->listening)
-		isc_socket_cancel(listener->sock, listener->task,
-				  ISC_SOCKCANCEL_ACCEPT);
-
-	maybe_free_listener(listener);
-}
-
-static isc_boolean_t
-address_ok(isc_sockaddr_t *sockaddr, dns_acl_t *acl) {
-	isc_netaddr_t netaddr;
-	isc_result_t result;
-	int match;
-
-	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-
-	result = dns_acl_match(&netaddr, NULL, acl,
-			       &ns_g_server->aclenv, &match, NULL);
-
-	if (result != ISC_R_SUCCESS || match <= 0)
-		return (ISC_FALSE);
-	else
-		return (ISC_TRUE);
-}
-
-static isc_result_t
-control_accept(controllistener_t *listener) {
-	isc_result_t result;
-	result = isc_socket_accept(listener->sock,
-				   listener->task,
-				   control_newconn, listener);
-	if (result != ISC_R_SUCCESS)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_socket_accept() failed: %s",
-				 isc_result_totext(result));
-	else
-		listener->listening = ISC_TRUE;
-	return (result);
-}
-
-static isc_result_t
-control_listen(controllistener_t *listener) {
-	isc_result_t result;
-
-	result = isc_socket_listen(listener->sock, 0);
-	if (result != ISC_R_SUCCESS)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_socket_listen() failed: %s",
-				 isc_result_totext(result));
-	return (result);
-}
-
-static void
-control_next(controllistener_t *listener) {
-	(void)control_accept(listener);
-}
-
-static void
-control_senddone(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *) event;
-	controlconnection_t *conn = event->ev_arg;
-	controllistener_t *listener = conn->listener;
-	isc_socket_t *sock = (isc_socket_t *)sevent->ev_sender;
-	isc_result_t result;
-
-	REQUIRE(conn->sending);
-
-	UNUSED(task);
-
-	conn->sending = ISC_FALSE;
-
-	if (sevent->result != ISC_R_SUCCESS &&
-	    sevent->result != ISC_R_CANCELED)
-	{
-		char socktext[ISC_SOCKADDR_FORMATSIZE];
-		isc_sockaddr_t peeraddr;
-
-		(void)isc_socket_getpeername(sock, &peeraddr);
-		isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
-			      "error sending command response to %s: %s",
-			      socktext, isc_result_totext(sevent->result));
-	}
-	isc_event_free(&event);
-
-	result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
-					 control_recvmessage, conn);
-	if (result != ISC_R_SUCCESS) {
-		isc_socket_detach(&conn->sock);
-		maybe_free_connection(conn);
-		maybe_free_listener(listener);
-	}
-}
-
-static inline void
-log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-	isc_sockaddr_t peeraddr;
-
-	(void)isc_socket_getpeername(ccmsg->sock, &peeraddr);
-	isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_CONTROL, ISC_LOG_ERROR,
-		      "invalid command from %s: %s",
-		      socktext, isc_result_totext(result));
-}
-
-static void
-control_recvmessage(isc_task_t *task, isc_event_t *event) {
-	controlconnection_t *conn;
-	controllistener_t *listener;
-	controlkey_t *key;
-	isccc_sexpr_t *request = NULL;
-	isccc_sexpr_t *response = NULL;
-	isccc_region_t ccregion;
-	isccc_region_t secret;
-	isc_stdtime_t now;
-	isc_buffer_t b;
-	isc_region_t r;
-	isc_uint32_t len;
-	isc_buffer_t text;
-	char textarray[1024];
-	isc_result_t result;
-	isc_result_t eresult;
-	isccc_sexpr_t *_ctrl;
-	isccc_time_t sent;
-	isccc_time_t exp;
-	isc_uint32_t nonce;
-
-	REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
-
-	conn = event->ev_arg;
-	listener = conn->listener;
-	secret.rstart = NULL;
-
-	/* Is the server shutting down? */
-	if (listener->controls->shuttingdown)
-		goto cleanup;
-
-	if (conn->ccmsg.result != ISC_R_SUCCESS) {
-		if (conn->ccmsg.result != ISC_R_CANCELED &&
-		    conn->ccmsg.result != ISC_R_EOF)
-			log_invalid(&conn->ccmsg, conn->ccmsg.result);
-		goto cleanup;
-	}
-
-	request = NULL;
-
-	for (key = ISC_LIST_HEAD(listener->keys);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link))
-	{
-		ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
-		ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
-		secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
-		if (secret.rstart == NULL)
-			goto cleanup;
-		memcpy(secret.rstart, key->secret.base, key->secret.length);
-		secret.rend = secret.rstart + key->secret.length;
-		result = isccc_cc_fromwire(&ccregion, &request, &secret);
-		if (result == ISC_R_SUCCESS)
-			break;
-		isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
-		if (result != ISCCC_R_BADAUTH) {
-			log_invalid(&conn->ccmsg, result);
-			goto cleanup;
-		}
-	}
-
-	if (key == NULL) {
-		log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
-		goto cleanup;
-	}
-
-	/* We shouldn't be getting a reply. */
-	if (isccc_cc_isreply(request)) {
-		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
-		goto cleanup_request;
-	}
-
-	isc_stdtime_get(&now);
-
-	/*
-	 * Limit exposure to replay attacks.
-	 */
-	_ctrl = isccc_alist_lookup(request, "_ctrl");
-	if (_ctrl == NULL) {
-		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
-		goto cleanup_request;
-	}
-
-	if (isccc_cc_lookupuint32(_ctrl, "_tim", &sent) == ISC_R_SUCCESS) {
-		if ((sent + CLOCKSKEW) < now || (sent - CLOCKSKEW) > now) {
-			log_invalid(&conn->ccmsg, ISCCC_R_CLOCKSKEW);
-			goto cleanup_request;
-		}
-	} else {
-		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
-		goto cleanup_request;
-	}
-
-	/*
-	 * Expire messages that are too old.
-	 */
-	if (isccc_cc_lookupuint32(_ctrl, "_exp", &exp) == ISC_R_SUCCESS &&
-	    now > exp) {
-		log_invalid(&conn->ccmsg, ISCCC_R_EXPIRED);
-		goto cleanup_request;
-	}
-
-	/*
-	 * Duplicate suppression (required for UDP).
-	 */
-	isccc_cc_cleansymtab(listener->controls->symtab, now);
-	result = isccc_cc_checkdup(listener->controls->symtab, request, now);
-	if (result != ISC_R_SUCCESS) {
-		if (result == ISC_R_EXISTS)
-			result = ISCCC_R_DUPLICATE;
-		log_invalid(&conn->ccmsg, result);
-		goto cleanup_request;
-	}
-
-	if (conn->nonce != 0 &&
-	    (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS ||
-	     conn->nonce != nonce)) {
-		log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
-		goto cleanup_request;
-	}
-
-	/*
-	 * Establish nonce.
-	 */
-	while (conn->nonce == 0)
-		isc_random_get(&conn->nonce);
-
-	isc_buffer_init(&text, textarray, sizeof(textarray));
-	eresult = ns_control_docommand(request, &text);
-
-	result = isccc_cc_createresponse(request, now, now + 60, &response);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_request;
-	if (eresult != ISC_R_SUCCESS) {
-		isccc_sexpr_t *data;
-
-		data = isccc_alist_lookup(response, "_data");
-		if (data != NULL) {
-			const char *estr = isc_result_totext(eresult);
-			if (isccc_cc_definestring(data, "err", estr) == NULL)
-				goto cleanup_response;
-		}
-	}
-
-	if (isc_buffer_usedlength(&text) > 0) {
-		isccc_sexpr_t *data;
-
-		data = isccc_alist_lookup(response, "_data");
-		if (data != NULL) {
-			char *str = (char *)isc_buffer_base(&text);
-			if (isccc_cc_definestring(data, "text", str) == NULL)
-				goto cleanup_response;
-		}
-	}
-
-	_ctrl = isccc_alist_lookup(response, "_ctrl");
-	if (_ctrl == NULL ||
-	    isccc_cc_defineuint32(_ctrl, "_nonce", conn->nonce) == NULL)
-		goto cleanup_response;
-
-	ccregion.rstart = conn->buffer + 4;
-	ccregion.rend = conn->buffer + sizeof(conn->buffer);
-	result = isccc_cc_towire(response, &ccregion, &secret);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_response;
-	isc_buffer_init(&b, conn->buffer, 4);
-	len = sizeof(conn->buffer) - REGION_SIZE(ccregion);
-	isc_buffer_putuint32(&b, len - 4);
-	r.base = conn->buffer;
-	r.length = len;
-
-	result = isc_socket_send(conn->sock, &r, task, control_senddone, conn);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_response;
-	conn->sending = ISC_TRUE;
-
-	isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
-	isccc_sexpr_free(&request);
-	isccc_sexpr_free(&response);
-	return;
-
- cleanup_response:
-	isccc_sexpr_free(&response);
-
- cleanup_request:
-	isccc_sexpr_free(&request);
-	isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
-
- cleanup:
-	isc_socket_detach(&conn->sock);
-	isccc_ccmsg_invalidate(&conn->ccmsg);
-	conn->ccmsg_valid = ISC_FALSE;
-	maybe_free_connection(conn);
-	maybe_free_listener(listener);
-}
-
-static void
-control_timeout(isc_task_t *task, isc_event_t *event) {
-	controlconnection_t *conn = event->ev_arg;
-
-	UNUSED(task);
-
-	isc_timer_detach(&conn->timer);
-	maybe_free_connection(conn);
-
-	isc_event_free(&event);
-}
-
-static isc_result_t
-newconnection(controllistener_t *listener, isc_socket_t *sock) {
-	controlconnection_t *conn;
-	isc_interval_t interval;
-	isc_result_t result;
-
-	conn = isc_mem_get(listener->mctx, sizeof(*conn));
-	if (conn == NULL)
-		return (ISC_R_NOMEMORY);
-
-	conn->sock = sock;
-	isccc_ccmsg_init(listener->mctx, sock, &conn->ccmsg);
-	conn->ccmsg_valid = ISC_TRUE;
-	conn->sending = ISC_FALSE;
-	conn->timer = NULL;
-	isc_interval_set(&interval, 60, 0);
-	result = isc_timer_create(ns_g_timermgr, isc_timertype_once,
-				  NULL, &interval, listener->task,
-				  control_timeout, conn, &conn->timer);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	conn->listener = listener;
-	conn->nonce = 0;
-	ISC_LINK_INIT(conn, link);
-
-	result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
-					 control_recvmessage, conn);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	isccc_ccmsg_setmaxsize(&conn->ccmsg, 2048);
-
-	ISC_LIST_APPEND(listener->connections, conn, link);
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	isccc_ccmsg_invalidate(&conn->ccmsg);
-	if (conn->timer != NULL)
-		isc_timer_detach(&conn->timer);
-	isc_mem_put(listener->mctx, conn, sizeof(*conn));
-	return (result);
-}
-
-static void
-control_newconn(isc_task_t *task, isc_event_t *event) {
-	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
-	controllistener_t *listener = event->ev_arg;
-	isc_socket_t *sock;
-	isc_sockaddr_t peeraddr;
-	isc_result_t result;
-
-	UNUSED(task);
-
-	listener->listening = ISC_FALSE;
-
-	if (nevent->result != ISC_R_SUCCESS) {
-		if (nevent->result == ISC_R_CANCELED) {
-			shutdown_listener(listener);
-			goto cleanup;
-		}
-		goto restart;
-	}
-
-	sock = nevent->newsocket;
-	isc_socket_setname(sock, "control", NULL);
-	(void)isc_socket_getpeername(sock, &peeraddr);
-	if (listener->type == isc_sockettype_tcp &&
-	    !address_ok(&peeraddr, listener->acl)) {
-		char socktext[ISC_SOCKADDR_FORMATSIZE];
-		isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
-			      "rejected command channel message from %s",
-			      socktext);
-		isc_socket_detach(&sock);
-		goto restart;
-	}
-
-	result = newconnection(listener, sock);
-	if (result != ISC_R_SUCCESS) {
-		char socktext[ISC_SOCKADDR_FORMATSIZE];
-		isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
-			      "dropped command channel from %s: %s",
-			      socktext, isc_result_totext(result));
-		isc_socket_detach(&sock);
-		goto restart;
-	}
-
- restart:
-	control_next(listener);
- cleanup:
-	isc_event_free(&event);
-}
-
-static void
-controls_shutdown(ns_controls_t *controls) {
-	controllistener_t *listener;
-	controllistener_t *next;
-
-	for (listener = ISC_LIST_HEAD(controls->listeners);
-	     listener != NULL;
-	     listener = next)
-	{
-		/*
-		 * This is asynchronous.  As listeners shut down, they will
-		 * call their callbacks.
-		 */
-		next = ISC_LIST_NEXT(listener, link);
-		shutdown_listener(listener);
-	}
-}
-
-void
-ns_controls_shutdown(ns_controls_t *controls) {
-	controls_shutdown(controls);
-	controls->shuttingdown = ISC_TRUE;
-}
-
-static isc_result_t
-cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
-		const cfg_obj_t **objp)
-{
-	const cfg_listelt_t *element;
-	const char *str;
-	const cfg_obj_t *obj;
-
-	for (element = cfg_list_first(keylist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		obj = cfg_listelt_value(element);
-		str = cfg_obj_asstring(cfg_map_getname(obj));
-		if (strcasecmp(str, keyname) == 0)
-			break;
-	}
-	if (element == NULL)
-		return (ISC_R_NOTFOUND);
-	obj = cfg_listelt_value(element);
-	*objp = obj;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
-		       controlkeylist_t *keyids)
-{
-	const cfg_listelt_t *element;
-	char *newstr = NULL;
-	const char *str;
-	const cfg_obj_t *obj;
-	controlkey_t *key;
-
-	for (element = cfg_list_first(keylist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		obj = cfg_listelt_value(element);
-		str = cfg_obj_asstring(obj);
-		newstr = isc_mem_strdup(mctx, str);
-		if (newstr == NULL)
-			goto cleanup;
-		key = isc_mem_get(mctx, sizeof(*key));
-		if (key == NULL)
-			goto cleanup;
-		key->keyname = newstr;
-		key->secret.base = NULL;
-		key->secret.length = 0;
-		ISC_LINK_INIT(key, link);
-		ISC_LIST_APPEND(*keyids, key, link);
-		newstr = NULL;
-	}
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (newstr != NULL)
-		isc_mem_free(mctx, newstr);
-	free_controlkeylist(keyids, mctx);
-	return (ISC_R_NOMEMORY);
-}
-
-static void
-register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
-	      controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
-{
-	controlkey_t *keyid, *next;
-	const cfg_obj_t *keydef;
-	char secret[1024];
-	isc_buffer_t b;
-	isc_result_t result;
-
-	/*
-	 * Find the keys corresponding to the keyids used by this listener.
-	 */
-	for (keyid = ISC_LIST_HEAD(*keyids); keyid != NULL; keyid = next) {
-		next = ISC_LIST_NEXT(keyid, link);
-
-		result = cfgkeylist_find(keylist, keyid->keyname, &keydef);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
-				    "couldn't find key '%s' for use with "
-				    "command channel %s",
-				    keyid->keyname, socktext);
-			ISC_LIST_UNLINK(*keyids, keyid, link);
-			free_controlkey(keyid, mctx);
-		} else {
-			const cfg_obj_t *algobj = NULL;
-			const cfg_obj_t *secretobj = NULL;
-			const char *algstr = NULL;
-			const char *secretstr = NULL;
-
-			(void)cfg_map_get(keydef, "algorithm", &algobj);
-			(void)cfg_map_get(keydef, "secret", &secretobj);
-			INSIST(algobj != NULL && secretobj != NULL);
-
-			algstr = cfg_obj_asstring(algobj);
-			secretstr = cfg_obj_asstring(secretobj);
-
-			if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
-			    ISC_R_SUCCESS)
-			{
-				cfg_obj_log(control, ns_g_lctx,
-					    ISC_LOG_WARNING,
-					    "unsupported algorithm '%s' in "
-					    "key '%s' for use with command "
-					    "channel %s",
-					    algstr, keyid->keyname, socktext);
-				ISC_LIST_UNLINK(*keyids, keyid, link);
-				free_controlkey(keyid, mctx);
-				continue;
-			}
-
-			isc_buffer_init(&b, secret, sizeof(secret));
-			result = isc_base64_decodestring(secretstr, &b);
-
-			if (result != ISC_R_SUCCESS) {
-				cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
-					    "secret for key '%s' on "
-					    "command channel %s: %s",
-					    keyid->keyname, socktext,
-					    isc_result_totext(result));
-				ISC_LIST_UNLINK(*keyids, keyid, link);
-				free_controlkey(keyid, mctx);
-				continue;
-			}
-
-			keyid->secret.length = isc_buffer_usedlength(&b);
-			keyid->secret.base = isc_mem_get(mctx,
-							 keyid->secret.length);
-			if (keyid->secret.base == NULL) {
-				cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
-					   "couldn't register key '%s': "
-					   "out of memory", keyid->keyname);
-				ISC_LIST_UNLINK(*keyids, keyid, link);
-				free_controlkey(keyid, mctx);
-				break;
-			}
-			memcpy(keyid->secret.base, isc_buffer_base(&b),
-			       keyid->secret.length);
-		}
-	}
-}
-
-#define CHECK(x) \
-	do { \
-		 result = (x); \
-		 if (result != ISC_R_SUCCESS) \
-			goto cleanup; \
-	} while (0)
-
-static isc_result_t
-get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
-	isc_result_t result;
-	cfg_parser_t *pctx = NULL;
-	cfg_obj_t *config = NULL;
-	const cfg_obj_t *key = NULL;
-	const cfg_obj_t *algobj = NULL;
-	const cfg_obj_t *secretobj = NULL;
-	const char *algstr = NULL;
-	const char *secretstr = NULL;
-	controlkey_t *keyid = NULL;
-	char secret[1024];
-	isc_buffer_t b;
-
-	CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
-	CHECK(cfg_parse_file(pctx, ns_g_keyfile, &cfg_type_rndckey, &config));
-	CHECK(cfg_map_get(config, "key", &key));
-
-	keyid = isc_mem_get(mctx, sizeof(*keyid));
-	if (keyid == NULL)
-		CHECK(ISC_R_NOMEMORY);
-	keyid->keyname = isc_mem_strdup(mctx,
-					cfg_obj_asstring(cfg_map_getname(key)));
-	keyid->secret.base = NULL;
-	keyid->secret.length = 0;
-	ISC_LINK_INIT(keyid, link);
-	if (keyid->keyname == NULL)
-		CHECK(ISC_R_NOMEMORY);
-
-	CHECK(bind9_check_key(key, ns_g_lctx));
-
-	(void)cfg_map_get(key, "algorithm", &algobj);
-	(void)cfg_map_get(key, "secret", &secretobj);
-	INSIST(algobj != NULL && secretobj != NULL);
-
-	algstr = cfg_obj_asstring(algobj);
-	secretstr = cfg_obj_asstring(secretobj);
-
-	if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
-		cfg_obj_log(key, ns_g_lctx,
-			    ISC_LOG_WARNING,
-			    "unsupported algorithm '%s' in "
-			    "key '%s' for use with command "
-			    "channel",
-			    algstr, keyid->keyname);
-		goto cleanup;
-	}
-
-	isc_buffer_init(&b, secret, sizeof(secret));
-	result = isc_base64_decodestring(secretstr, &b);
-
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
-			    "secret for key '%s' on command channel: %s",
-			    keyid->keyname, isc_result_totext(result));
-		goto cleanup;
-	}
-
-	keyid->secret.length = isc_buffer_usedlength(&b);
-	keyid->secret.base = isc_mem_get(mctx,
-					 keyid->secret.length);
-	if (keyid->secret.base == NULL) {
-		cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
-			   "couldn't register key '%s': "
-			   "out of memory", keyid->keyname);
-		CHECK(ISC_R_NOMEMORY);
-	}
-	memcpy(keyid->secret.base, isc_buffer_base(&b),
-	       keyid->secret.length);
-	ISC_LIST_APPEND(*keyids, keyid, link);
-	keyid = NULL;
-	result = ISC_R_SUCCESS;
-
-  cleanup:
-	if (keyid != NULL)
-		free_controlkey(keyid, mctx);
-	if (config != NULL)
-		cfg_obj_destroy(pctx, &config);
-	if (pctx != NULL)
-		cfg_parser_destroy(&pctx);
-	return (result);
-}
-
-/*
- * Ensures that both '*global_keylistp' and '*control_keylistp' are
- * valid or both are NULL.
- */
-static void
-get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
-	     const cfg_obj_t **global_keylistp,
-	     const cfg_obj_t **control_keylistp)
-{
-	isc_result_t result;
-	const cfg_obj_t *control_keylist = NULL;
-	const cfg_obj_t *global_keylist = NULL;
-
-	REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
-	REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
-
-	control_keylist = cfg_tuple_get(control, "keys");
-
-	if (!cfg_obj_isvoid(control_keylist) &&
-	    cfg_list_first(control_keylist) != NULL) {
-		result = cfg_map_get(config, "key", &global_keylist);
-
-		if (result == ISC_R_SUCCESS) {
-			*global_keylistp = global_keylist;
-			*control_keylistp = control_keylist;
-		}
-	}
-}
-
-static void
-update_listener(ns_controls_t *cp, controllistener_t **listenerp,
-		const cfg_obj_t *control, const cfg_obj_t *config,
-		isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
-		const char *socktext, isc_sockettype_t type)
-{
-	controllistener_t *listener;
-	const cfg_obj_t *allow;
-	const cfg_obj_t *global_keylist = NULL;
-	const cfg_obj_t *control_keylist = NULL;
-	dns_acl_t *new_acl = NULL;
-	controlkeylist_t keys;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	for (listener = ISC_LIST_HEAD(cp->listeners);
-	     listener != NULL;
-	     listener = ISC_LIST_NEXT(listener, link))
-		if (isc_sockaddr_equal(addr, &listener->address))
-			break;
-
-	if (listener == NULL) {
-		*listenerp = NULL;
-		return;
-	}
-
-	/*
-	 * There is already a listener for this sockaddr.
-	 * Update the access list and key information.
-	 *
-	 * First try to deal with the key situation.  There are a few
-	 * possibilities:
-	 *  (a)	It had an explicit keylist and still has an explicit keylist.
-	 *  (b)	It had an automagic key and now has an explicit keylist.
-	 *  (c)	It had an explicit keylist and now needs an automagic key.
-	 *  (d) It has an automagic key and still needs the automagic key.
-	 *
-	 * (c) and (d) are the annoying ones.  The caller needs to know
-	 * that it should use the automagic configuration for key information
-	 * in place of the named.conf configuration.
-	 *
-	 * XXXDCL There is one other hazard that has not been dealt with,
-	 * the problem that if a key change is being caused by a control
-	 * channel reload, then the response will be with the new key
-	 * and not able to be decrypted by the client.
-	 */
-	if (control != NULL)
-		get_key_info(config, control, &global_keylist,
-			     &control_keylist);
-
-	if (control_keylist != NULL) {
-		INSIST(global_keylist != NULL);
-
-		ISC_LIST_INIT(keys);
-		result = controlkeylist_fromcfg(control_keylist,
-						listener->mctx, &keys);
-		if (result == ISC_R_SUCCESS) {
-			free_controlkeylist(&listener->keys, listener->mctx);
-			listener->keys = keys;
-			register_keys(control, global_keylist, &listener->keys,
-				      listener->mctx, socktext);
-		}
-	} else {
-		free_controlkeylist(&listener->keys, listener->mctx);
-		result = get_rndckey(listener->mctx, &listener->keys);
-	}
-
-	if (result != ISC_R_SUCCESS && global_keylist != NULL) {
-		/*
-		 * This message might be a little misleading since the
-		 * "new keys" might in fact be identical to the old ones,
-		 * but tracking whether they are identical just for the
-		 * sake of avoiding this message would be too much trouble.
-		 */
-		if (control != NULL)
-			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
-				    "couldn't install new keys for "
-				    "command channel %s: %s",
-				    socktext, isc_result_totext(result));
-		else
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
-				      "couldn't install new keys for "
-				      "command channel %s: %s",
-				      socktext, isc_result_totext(result));
-	}
-
-	/*
-	 * Now, keep the old access list unless a new one can be made.
-	 */
-	if (control != NULL && type == isc_sockettype_tcp) {
-		allow = cfg_tuple_get(control, "allow");
-		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
-					    aclconfctx, listener->mctx, 0,
-					    &new_acl);
-	} else {
-		result = dns_acl_any(listener->mctx, &new_acl);
-	}
-
-	if (result == ISC_R_SUCCESS) {
-		dns_acl_detach(&listener->acl);
-		dns_acl_attach(new_acl, &listener->acl);
-		dns_acl_detach(&new_acl);
-		/* XXXDCL say the old acl is still used? */
-	} else if (control != NULL)
-		cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
-			    "couldn't install new acl for "
-			    "command channel %s: %s",
-			    socktext, isc_result_totext(result));
-	else
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
-			      "couldn't install new acl for "
-			      "command channel %s: %s",
-			      socktext, isc_result_totext(result));
-
-	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
-		isc_uint32_t perm, owner, group;
-		perm  = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
-		owner = cfg_obj_asuint32(cfg_tuple_get(control, "owner"));
-		group = cfg_obj_asuint32(cfg_tuple_get(control, "group"));
-		result = ISC_R_SUCCESS;
-		if (listener->perm != perm || listener->owner != owner ||
-		    listener->group != group)
-			result = isc_socket_permunix(&listener->address, perm,
-						     owner, group);
-		if (result == ISC_R_SUCCESS) {
-			listener->perm = perm;
-			listener->owner = owner;
-			listener->group = group;
-		} else if (control != NULL)
-			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
-				    "couldn't update ownership/permission for "
-				    "command channel %s", socktext);
-	}
-
-	*listenerp = listener;
-}
-
-static void
-add_listener(ns_controls_t *cp, controllistener_t **listenerp,
-	     const cfg_obj_t *control, const cfg_obj_t *config,
-	     isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
-	     const char *socktext, isc_sockettype_t type)
-{
-	isc_mem_t *mctx = cp->server->mctx;
-	controllistener_t *listener;
-	const cfg_obj_t *allow;
-	const cfg_obj_t *global_keylist = NULL;
-	const cfg_obj_t *control_keylist = NULL;
-	dns_acl_t *new_acl = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	listener = isc_mem_get(mctx, sizeof(*listener));
-	if (listener == NULL)
-		result = ISC_R_NOMEMORY;
-
-	if (result == ISC_R_SUCCESS) {
-		listener->mctx = NULL;
-		isc_mem_attach(mctx, &listener->mctx);
-		listener->controls = cp;
-		listener->task = cp->server->task;
-		listener->address = *addr;
-		listener->sock = NULL;
-		listener->listening = ISC_FALSE;
-		listener->exiting = ISC_FALSE;
-		listener->acl = NULL;
-		listener->type = type;
-		listener->perm = 0;
-		listener->owner = 0;
-		listener->group = 0;
-		ISC_LINK_INIT(listener, link);
-		ISC_LIST_INIT(listener->keys);
-		ISC_LIST_INIT(listener->connections);
-
-		/*
-		 * Make the acl.
-		 */
-		if (control != NULL && type == isc_sockettype_tcp) {
-			allow = cfg_tuple_get(control, "allow");
-			result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
-						    aclconfctx, mctx, 0,
-						    &new_acl);
-		} else {
-			result = dns_acl_any(mctx, &new_acl);
-		}
-	}
-
-	if (result == ISC_R_SUCCESS) {
-		dns_acl_attach(new_acl, &listener->acl);
-		dns_acl_detach(&new_acl);
-
-		if (config != NULL)
-			get_key_info(config, control, &global_keylist,
-				     &control_keylist);
-
-		if (control_keylist != NULL) {
-			result = controlkeylist_fromcfg(control_keylist,
-							listener->mctx,
-							&listener->keys);
-			if (result == ISC_R_SUCCESS)
-				register_keys(control, global_keylist,
-					      &listener->keys,
-					      listener->mctx, socktext);
-		} else
-			result = get_rndckey(mctx, &listener->keys);
-
-		if (result != ISC_R_SUCCESS && control != NULL)
-			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
-				    "couldn't install keys for "
-				    "command channel %s: %s",
-				    socktext, isc_result_totext(result));
-	}
-
-	if (result == ISC_R_SUCCESS) {
-		int pf = isc_sockaddr_pf(&listener->address);
-		if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
-#ifdef ISC_PLATFORM_HAVESYSUNH
-		    (pf == AF_UNIX && isc_net_probeunix() != ISC_R_SUCCESS) ||
-#endif
-		    (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
-			result = ISC_R_FAMILYNOSUPPORT;
-	}
-
-	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix)
-		isc_socket_cleanunix(&listener->address, ISC_FALSE);
-
-	if (result == ISC_R_SUCCESS)
-		result = isc_socket_create(ns_g_socketmgr,
-					   isc_sockaddr_pf(&listener->address),
-					   type, &listener->sock);
-	if (result == ISC_R_SUCCESS)
-		isc_socket_setname(listener->sock, "control", NULL);
-
-#ifndef ISC_ALLOW_MAPPED
-	if (result == ISC_R_SUCCESS)
-		isc_socket_ipv6only(listener->sock, ISC_TRUE);
-#endif
-
-	if (result == ISC_R_SUCCESS)
-		result = isc_socket_bind(listener->sock, &listener->address,
-					 ISC_SOCKET_REUSEADDRESS);
-
-	if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
-		listener->perm = cfg_obj_asuint32(cfg_tuple_get(control,
-								"perm"));
-		listener->owner = cfg_obj_asuint32(cfg_tuple_get(control,
-								 "owner"));
-		listener->group = cfg_obj_asuint32(cfg_tuple_get(control,
-								 "group"));
-		result = isc_socket_permunix(&listener->address, listener->perm,
-					     listener->owner, listener->group);
-	}
-	if (result == ISC_R_SUCCESS)
-		result = control_listen(listener);
-
-	if (result == ISC_R_SUCCESS)
-		result = control_accept(listener);
-
-	if (result == ISC_R_SUCCESS) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
-			      "command channel listening on %s", socktext);
-		*listenerp = listener;
-
-	} else {
-		if (listener != NULL) {
-			listener->exiting = ISC_TRUE;
-			free_listener(listener);
-		}
-
-		if (control != NULL)
-			cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
-				    "couldn't add command channel %s: %s",
-				    socktext, isc_result_totext(result));
-		else
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
-				      "couldn't add command channel %s: %s",
-				      socktext, isc_result_totext(result));
-
-		*listenerp = NULL;
-	}
-
-	/* XXXDCL return error results? fail hard? */
-}
-
-isc_result_t
-ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
-		      cfg_aclconfctx_t *aclconfctx)
-{
-	controllistener_t *listener;
-	controllistenerlist_t new_listeners;
-	const cfg_obj_t *controlslist = NULL;
-	const cfg_listelt_t *element, *element2;
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-
-	ISC_LIST_INIT(new_listeners);
-
-	/*
-	 * Get the list of named.conf 'controls' statements.
-	 */
-	(void)cfg_map_get(config, "controls", &controlslist);
-
-	/*
-	 * Run through the new control channel list, noting sockets that
-	 * are already being listened on and moving them to the new list.
-	 *
-	 * Identifying duplicate addr/port combinations is left to either
-	 * the underlying config code, or to the bind attempt getting an
-	 * address-in-use error.
-	 */
-	if (controlslist != NULL) {
-		for (element = cfg_list_first(controlslist);
-		     element != NULL;
-		     element = cfg_list_next(element)) {
-			const cfg_obj_t *controls;
-			const cfg_obj_t *inetcontrols = NULL;
-
-			controls = cfg_listelt_value(element);
-			(void)cfg_map_get(controls, "inet", &inetcontrols);
-			if (inetcontrols == NULL)
-				continue;
-
-			for (element2 = cfg_list_first(inetcontrols);
-			     element2 != NULL;
-			     element2 = cfg_list_next(element2)) {
-				const cfg_obj_t *control;
-				const cfg_obj_t *obj;
-				isc_sockaddr_t addr;
-
-				/*
-				 * The parser handles BIND 8 configuration file
-				 * syntax, so it allows unix phrases as well
-				 * inet phrases with no keys{} clause.
-				 */
-				control = cfg_listelt_value(element2);
-
-				obj = cfg_tuple_get(control, "address");
-				addr = *cfg_obj_assockaddr(obj);
-				if (isc_sockaddr_getport(&addr) == 0)
-					isc_sockaddr_setport(&addr,
-							     NS_CONTROL_PORT);
-
-				isc_sockaddr_format(&addr, socktext,
-						    sizeof(socktext));
-
-				isc_log_write(ns_g_lctx,
-					      NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_CONTROL,
-					      ISC_LOG_DEBUG(9),
-					      "processing control channel %s",
-					      socktext);
-
-				update_listener(cp, &listener, control, config,
-						&addr, aclconfctx, socktext,
-						isc_sockettype_tcp);
-
-				if (listener != NULL)
-					/*
-					 * Remove the listener from the old
-					 * list, so it won't be shut down.
-					 */
-					ISC_LIST_UNLINK(cp->listeners,
-							listener, link);
-				else
-					/*
-					 * This is a new listener.
-					 */
-					add_listener(cp, &listener, control,
-						     config, &addr, aclconfctx,
-						     socktext,
-						     isc_sockettype_tcp);
-
-				if (listener != NULL)
-					ISC_LIST_APPEND(new_listeners,
-							listener, link);
-			}
-		}
-		for (element = cfg_list_first(controlslist);
-		     element != NULL;
-		     element = cfg_list_next(element)) {
-			const cfg_obj_t *controls;
-			const cfg_obj_t *unixcontrols = NULL;
-
-			controls = cfg_listelt_value(element);
-			(void)cfg_map_get(controls, "unix", &unixcontrols);
-			if (unixcontrols == NULL)
-				continue;
-
-			for (element2 = cfg_list_first(unixcontrols);
-			     element2 != NULL;
-			     element2 = cfg_list_next(element2)) {
-				const cfg_obj_t *control;
-				const cfg_obj_t *path;
-				isc_sockaddr_t addr;
-				isc_result_t result;
-
-				/*
-				 * The parser handles BIND 8 configuration file
-				 * syntax, so it allows unix phrases as well
-				 * inet phrases with no keys{} clause.
-				 */
-				control = cfg_listelt_value(element2);
-
-				path = cfg_tuple_get(control, "path");
-				result = isc_sockaddr_frompath(&addr,
-						      cfg_obj_asstring(path));
-				if (result != ISC_R_SUCCESS) {
-					isc_log_write(ns_g_lctx,
-					      NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_CONTROL,
-					      ISC_LOG_DEBUG(9),
-					      "control channel '%s': %s",
-					      cfg_obj_asstring(path),
-					      isc_result_totext(result));
-					continue;
-				}
-
-				isc_log_write(ns_g_lctx,
-					      NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_CONTROL,
-					      ISC_LOG_DEBUG(9),
-					      "processing control channel '%s'",
-					      cfg_obj_asstring(path));
-
-				update_listener(cp, &listener, control, config,
-						&addr, aclconfctx,
-						cfg_obj_asstring(path),
-						isc_sockettype_unix);
-
-				if (listener != NULL)
-					/*
-					 * Remove the listener from the old
-					 * list, so it won't be shut down.
-					 */
-					ISC_LIST_UNLINK(cp->listeners,
-							listener, link);
-				else
-					/*
-					 * This is a new listener.
-					 */
-					add_listener(cp, &listener, control,
-						     config, &addr, aclconfctx,
-						     cfg_obj_asstring(path),
-						     isc_sockettype_unix);
-
-				if (listener != NULL)
-					ISC_LIST_APPEND(new_listeners,
-							listener, link);
-			}
-		}
-	} else {
-		int i;
-
-		for (i = 0; i < 2; i++) {
-			isc_sockaddr_t addr;
-
-			if (i == 0) {
-				struct in_addr localhost;
-
-				if (isc_net_probeipv4() != ISC_R_SUCCESS)
-					continue;
-				localhost.s_addr = htonl(INADDR_LOOPBACK);
-				isc_sockaddr_fromin(&addr, &localhost, 0);
-			} else {
-				if (isc_net_probeipv6() != ISC_R_SUCCESS)
-					continue;
-				isc_sockaddr_fromin6(&addr,
-						     &in6addr_loopback, 0);
-			}
-			isc_sockaddr_setport(&addr, NS_CONTROL_PORT);
-
-			isc_sockaddr_format(&addr, socktext, sizeof(socktext));
-
-			update_listener(cp, &listener, NULL, NULL,
-					&addr, NULL, socktext,
-					isc_sockettype_tcp);
-
-			if (listener != NULL)
-				/*
-				 * Remove the listener from the old
-				 * list, so it won't be shut down.
-				 */
-				ISC_LIST_UNLINK(cp->listeners,
-						listener, link);
-			else
-				/*
-				 * This is a new listener.
-				 */
-				add_listener(cp, &listener, NULL, NULL,
-					     &addr, NULL, socktext,
-					     isc_sockettype_tcp);
-
-			if (listener != NULL)
-				ISC_LIST_APPEND(new_listeners,
-						listener, link);
-		}
-	}
-
-	/*
-	 * ns_control_shutdown() will stop whatever is on the global
-	 * listeners list, which currently only has whatever sockaddrs
-	 * were in the previous configuration (if any) that do not
-	 * remain in the current configuration.
-	 */
-	controls_shutdown(cp);
-
-	/*
-	 * Put all of the valid listeners on the listeners list.
-	 * Anything already on listeners in the process of shutting
-	 * down will be taken care of by listen_done().
-	 */
-	ISC_LIST_APPENDLIST(cp->listeners, new_listeners, link);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp) {
-	isc_mem_t *mctx = server->mctx;
-	isc_result_t result;
-	ns_controls_t *controls = isc_mem_get(mctx, sizeof(*controls));
-
-	if (controls == NULL)
-		return (ISC_R_NOMEMORY);
-	controls->server = server;
-	ISC_LIST_INIT(controls->listeners);
-	controls->shuttingdown = ISC_FALSE;
-	controls->symtab = NULL;
-	result = isccc_cc_createsymtab(&controls->symtab);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(server->mctx, controls, sizeof(*controls));
-		return (result);
-	}
-	*ctrlsp = controls;
-	return (ISC_R_SUCCESS);
-}
-
-void
-ns_controls_destroy(ns_controls_t **ctrlsp) {
-	ns_controls_t *controls = *ctrlsp;
-
-	REQUIRE(ISC_LIST_EMPTY(controls->listeners));
-
-	isccc_symtab_destroy(&controls->symtab);
-	isc_mem_put(controls->server->mctx, controls, sizeof(*controls));
-	*ctrlsp = NULL;
-}
diff --git a/contrib/bind9/bin/named/convertxsl.pl b/contrib/bind9/bin/named/convertxsl.pl
deleted file mode 100755
index f355368..0000000
--- a/contrib/bind9/bin/named/convertxsl.pl
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/usr/bin/env perl
-#
-# Copyright (C) 2006-2008, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $
-
-use strict;
-use warnings;
-
-my $rev = '$Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $';
-$rev =~ s/\$//g;
-$rev =~ s/,v//g;
-$rev =~ s/Id: //;
-
-my $xsl = "unknown";
-my $lines = '';
-
-while (<>) {
-    chomp;
-    # pickout the id for comment.
-    $xsl = $_ if (/<!-- .Id:.* -->/);
-    # convert Id string to a form not recognisable by cvs.
-    $_ =~ s/<!-- .Id:(.*). -->/<!-- \\045Id: $1\\045 -->/;
-    s/[\ \t]+/ /g;
-    s/\>\ \</\>\</g;
-    s/\"/\\\"/g;
-    s/^/\t\"/;
-    s/$/\\n\"/;
-    if ($lines eq "") {
-	    $lines .= $_;
-    } else {
-	    $lines .= "\n" . $_;
-    }
-}
-
-$xsl =~ s/\$//g;
-$xsl =~ s/<!-- Id: //;
-$xsl =~ s/ -->.*//;
-$xsl =~ s/,v//;
-
-print "/*\n * Generated by $rev \n * From $xsl\n */\n";
-print 'static char xslmsg[] =',"\n";
-print $lines;
-
-print ';', "\n";
diff --git a/contrib/bind9/bin/named/include/dlz/dlz_dlopen_driver.h b/contrib/bind9/bin/named/include/dlz/dlz_dlopen_driver.h
deleted file mode 100644
index 602b3c0..0000000
--- a/contrib/bind9/bin/named/include/dlz/dlz_dlopen_driver.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dlz_dlopen_driver.h,v 1.4 2011/03/17 09:25:53 fdupont Exp $ */
-
-#ifndef DLZ_DLOPEN_DRIVER_H
-#define DLZ_DLOPEN_DRIVER_H
-
-isc_result_t
-dlz_dlopen_init(isc_mem_t *mctx);
-
-void
-dlz_dlopen_clear(void);
-#endif
diff --git a/contrib/bind9/bin/named/include/named/builtin.h b/contrib/bind9/bin/named/include/named/builtin.h
deleted file mode 100644
index a5185ba..0000000
--- a/contrib/bind9/bin/named/include/named/builtin.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: builtin.h,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NAMED_BUILTIN_H
-#define NAMED_BUILTIN_H 1
-
-/*! \file */
-
-#include <isc/types.h>
-
-isc_result_t ns_builtin_init(void);
-
-void ns_builtin_deinit(void);
-
-#endif /* NAMED_BUILTIN_H */
diff --git a/contrib/bind9/bin/named/include/named/client.h b/contrib/bind9/bin/named/include/named/client.h
deleted file mode 100644
index 98e79df..0000000
--- a/contrib/bind9/bin/named/include/named/client.h
+++ /dev/null
@@ -1,387 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef NAMED_CLIENT_H
-#define NAMED_CLIENT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * This module defines two objects, ns_client_t and ns_clientmgr_t.
- *
- * An ns_client_t object handles incoming DNS requests from clients
- * on a given network interface.
- *
- * Each ns_client_t object can handle only one TCP connection or UDP
- * request at a time.  Therefore, several ns_client_t objects are
- * typically created to serve each network interface, e.g., one
- * for handling TCP requests and a few (one per CPU) for handling
- * UDP requests.
- *
- * Incoming requests are classified as queries, zone transfer
- * requests, update requests, notify requests, etc, and handed off
- * to the appropriate request handler.  When the request has been
- * fully handled (which can be much later), the ns_client_t must be
- * notified of this by calling one of the following functions
- * exactly once in the context of its task:
- * \code
- *   ns_client_send()	(sending a non-error response)
- *   ns_client_sendraw() (sending a raw response)
- *   ns_client_error()	(sending an error response)
- *   ns_client_next()	(sending no response)
- *\endcode
- * This will release any resources used by the request and
- * and allow the ns_client_t to listen for the next request.
- *
- * A ns_clientmgr_t manages a number of ns_client_t objects.
- * New ns_client_t objects are created by calling
- * ns_clientmgr_createclients(). They are destroyed by
- * destroying their manager.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/buffer.h>
-#include <isc/magic.h>
-#include <isc/stdtime.h>
-#include <isc/quota.h>
-#include <isc/queue.h>
-
-#include <dns/db.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/tcpmsg.h>
-#include <dns/types.h>
-
-#include <named/types.h>
-#include <named/query.h>
-
-/***
- *** Types
- ***/
-
-/*% nameserver client structure */
-struct ns_client {
-	unsigned int		magic;
-	isc_mem_t *		mctx;
-	ns_clientmgr_t *	manager;
-	int			state;
-	int			newstate;
-	int			naccepts;
-	int			nreads;
-	int			nsends;
-	int			nrecvs;
-	int			nupdates;
-	int			nctls;
-	int			references;
-	isc_boolean_t		needshutdown; 	/*
-						 * Used by clienttest to get
-						 * the client to go from
-						 * inactive to free state
-						 * by shutting down the
-						 * client's task.
-						 */
-	unsigned int		attributes;
-	isc_task_t *		task;
-	dns_view_t *		view;
-	dns_dispatch_t *	dispatch;
-	isc_socket_t *		udpsocket;
-	isc_socket_t *		tcplistener;
-	isc_socket_t *		tcpsocket;
-	unsigned char *		tcpbuf;
-	dns_tcpmsg_t		tcpmsg;
-	isc_boolean_t		tcpmsg_valid;
-	isc_timer_t *		timer;
-	isc_boolean_t 		timerset;
-	dns_message_t *		message;
-	isc_socketevent_t *	sendevent;
-	isc_socketevent_t *	recvevent;
-	unsigned char *		recvbuf;
-	dns_rdataset_t *	opt;
-	isc_uint16_t		udpsize;
-	isc_uint16_t		extflags;
-	isc_int16_t		ednsversion;	/* -1 noedns */
-	void			(*next)(ns_client_t *);
-	void			(*shutdown)(void *arg, isc_result_t result);
-	void 			*shutdown_arg;
-	ns_query_t		query;
-	isc_stdtime_t		requesttime;
-	isc_stdtime_t		now;
-	dns_name_t		signername;   /*%< [T]SIG key name */
-	dns_name_t *		signer;	      /*%< NULL if not valid sig */
-	isc_boolean_t		mortal;	      /*%< Die after handling request */
-	isc_quota_t		*tcpquota;
-	isc_quota_t		*recursionquota;
-	ns_interface_t		*interface;
-	isc_sockaddr_t		peeraddr;
-	isc_boolean_t		peeraddr_valid;
-	isc_netaddr_t		destaddr;
-	struct in6_pktinfo	pktinfo;
-	isc_event_t		ctlevent;
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-	dns_v4_aaaa_t		filter_aaaa;
-#endif
-	/*%
-	 * Information about recent FORMERR response(s), for
-	 * FORMERR loop avoidance.  This is separate for each
-	 * client object rather than global only to avoid
-	 * the need for locking.
-	 */
-	struct {
-		isc_sockaddr_t		addr;
-		isc_stdtime_t		time;
-		dns_messageid_t		id;
-	} formerrcache;
-
-	ISC_LINK(ns_client_t)	link;
-	ISC_LINK(ns_client_t)	rlink;
-	ISC_QLINK(ns_client_t)	ilink;
-};
-
-typedef ISC_QUEUE(ns_client_t) client_queue_t;
-typedef ISC_LIST(ns_client_t) client_list_t;
-
-#define NS_CLIENT_MAGIC			ISC_MAGIC('N','S','C','c')
-#define NS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
-
-#define NS_CLIENTATTR_TCP		0x001
-#define NS_CLIENTATTR_RA		0x002 /*%< Client gets recursive service */
-#define NS_CLIENTATTR_PKTINFO		0x004 /*%< pktinfo is valid */
-#define NS_CLIENTATTR_MULTICAST		0x008 /*%< recv'd from multicast */
-#define NS_CLIENTATTR_WANTDNSSEC	0x010 /*%< include dnssec records */
-#define NS_CLIENTATTR_WANTNSID          0x020 /*%< include nameserver ID */
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-#define NS_CLIENTATTR_FILTER_AAAA	0x040 /*%< suppress AAAAs */
-#define NS_CLIENTATTR_FILTER_AAAA_RC	0x080 /*%< recursing for A against AAAA */
-#endif
-#define NS_CLIENTATTR_WANTAD		0x100 /*%< want AD in response if possible */
-
-extern unsigned int ns_client_requests;
-
-/***
- *** Functions
- ***/
-
-/*%
- * Note!  These ns_client_ routines MUST be called ONLY from the client's
- * task in order to ensure synchronization.
- */
-
-void
-ns_client_send(ns_client_t *client);
-/*%
- * Finish processing the current client request and
- * send client->message as a response.
- * \brief
- * Note!  These ns_client_ routines MUST be called ONLY from the client's
- * task in order to ensure synchronization.
- */
-
-void
-ns_client_sendraw(ns_client_t *client, dns_message_t *msg);
-/*%
- * Finish processing the current client request and
- * send msg as a response using client->message->id for the id.
- */
-
-void
-ns_client_error(ns_client_t *client, isc_result_t result);
-/*%
- * Finish processing the current client request and return
- * an error response to the client.  The error response
- * will have an RCODE determined by 'result'.
- */
-
-void
-ns_client_next(ns_client_t *client, isc_result_t result);
-/*%
- * Finish processing the current client request,
- * return no response to the client.
- */
-
-isc_boolean_t
-ns_client_shuttingdown(ns_client_t *client);
-/*%
- * Return ISC_TRUE iff the client is currently shutting down.
- */
-
-void
-ns_client_attach(ns_client_t *source, ns_client_t **target);
-/*%
- * Attach '*targetp' to 'source'.
- */
-
-void
-ns_client_detach(ns_client_t **clientp);
-/*%
- * Detach '*clientp' from its client.
- */
-
-isc_result_t
-ns_client_replace(ns_client_t *client);
-/*%
- * Try to replace the current client with a new one, so that the
- * current one can go off and do some lengthy work without
- * leaving the dispatch/socket without service.
- */
-
-void
-ns_client_settimeout(ns_client_t *client, unsigned int seconds);
-/*%
- * Set a timer in the client to go off in the specified amount of time.
- */
-
-isc_result_t
-ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
-		    isc_timermgr_t *timermgr, ns_clientmgr_t **managerp);
-/*%
- * Create a client manager.
- */
-
-void
-ns_clientmgr_destroy(ns_clientmgr_t **managerp);
-/*%
- * Destroy a client manager and all ns_client_t objects
- * managed by it.
- */
-
-isc_result_t
-ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
-			   ns_interface_t *ifp, isc_boolean_t tcp);
-/*%
- * Create up to 'n' clients listening on interface 'ifp'.
- * If 'tcp' is ISC_TRUE, the clients will listen for TCP connections,
- * otherwise for UDP requests.
- */
-
-isc_sockaddr_t *
-ns_client_getsockaddr(ns_client_t *client);
-/*%
- * Get the socket address of the client whose request is
- * currently being processed.
- */
-
-isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
-			 dns_acl_t *acl, isc_boolean_t default_allow);
-
-/*%
- * Convenience function for client request ACL checking.
- *
- * Check the current client request against 'acl'.  If 'acl'
- * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
- * If netaddr is NULL, check the ACL against client->peeraddr;
- * otherwise check it against netaddr.
- *
- * Notes:
- *\li	This is appropriate for checking allow-update,
- * 	allow-query, allow-transfer, etc.  It is not appropriate
- * 	for checking the blackhole list because we treat positive
- * 	matches as "allow" and negative matches as "deny"; in
- *	the case of the blackhole list this would be backwards.
- *
- * Requires:
- *\li	'client' points to a valid client.
- *\li	'netaddr' points to a valid address, or is NULL.
- *\li	'acl' points to a valid ACL, or is NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS	if the request should be allowed
- * \li	DNS_R_REFUSED	if the request should be denied
- *\li	No other return values are possible.
- */
-
-isc_result_t
-ns_client_checkacl(ns_client_t  *client,
-		   isc_sockaddr_t *sockaddr,
-		   const char *opname, dns_acl_t *acl,
-		   isc_boolean_t default_allow,
-		   int log_level);
-/*%
- * Like ns_client_checkaclsilent, except the outcome of the check is
- * logged at log level 'log_level' if denied, and at debug 3 if approved.
- * Log messages will refer to the request as an 'opname' request.
- *
- * Requires:
- *\li	'client' points to a valid client.
- *\li	'sockaddr' points to a valid address, or is NULL.
- *\li	'acl' points to a valid ACL, or is NULL.
- *\li	'opname' points to a null-terminated string.
- */
-
-void
-ns_client_log(ns_client_t *client, isc_logcategory_t *category,
-	      isc_logmodule_t *module, int level,
-	      const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
-
-void
-ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0);
-
-void
-ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
-		 dns_rdataclass_t rdclass, char *buf, size_t len);
-
-#define NS_CLIENT_ACLMSGSIZE(x) \
-	(DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + \
-	 DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'"))
-
-void
-ns_client_recursing(ns_client_t *client);
-/*%
- * Add client to end of th recursing list.
- */
-
-void
-ns_client_killoldestquery(ns_client_t *client);
-/*%
- * Kill the oldest recursive query (recursing list head).
- */
-
-void
-ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
-/*%
- * Dump the outstanding recursive queries to 'f'.
- */
-
-void
-ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
-/*%
- * Replace the qname.
- */
-
-isc_boolean_t
-ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
-		 isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		 dns_rdataclass_t rdclass, void *arg);
-/*%
- * Isself callback.
- */
-
-isc_result_t
-ns_client_sourceip(dns_clientinfo_t *ci, isc_sockaddr_t **addrp);
-
-#endif /* NAMED_CLIENT_H */
diff --git a/contrib/bind9/bin/named/include/named/config.h b/contrib/bind9/bin/named/include/named/config.h
deleted file mode 100644
index c16c800..0000000
--- a/contrib/bind9/bin/named/include/named/config.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: config.h,v 1.16 2009/06/11 23:47:55 tbox Exp $ */
-
-#ifndef NAMED_CONFIG_H
-#define NAMED_CONFIG_H 1
-
-/*! \file */
-
-#include <isccfg/cfg.h>
-
-#include <dns/types.h>
-#include <dns/zone.h>
-
-isc_result_t
-ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
-
-isc_result_t
-ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj);
-
-isc_result_t
-ns_checknames_get(const cfg_obj_t **maps, const char* name,
-		  const cfg_obj_t **obj);
-
-int
-ns_config_listcount(const cfg_obj_t *list);
-
-isc_result_t
-ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
-		   dns_rdataclass_t *classp);
-
-isc_result_t
-ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
-		  dns_rdatatype_t *typep);
-
-dns_zonetype_t
-ns_config_getzonetype(const cfg_obj_t *zonetypeobj);
-
-isc_result_t
-ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
-		    in_port_t defport, isc_mem_t *mctx,
-		    isc_sockaddr_t **addrsp, isc_uint32_t *countp);
-
-void
-ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
-		    isc_uint32_t count);
-
-isc_result_t
-ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
-			  isc_mem_t *mctx, isc_sockaddr_t **addrsp,
-			  dns_name_t ***keys, isc_uint32_t *countp);
-
-void
-ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
-			  dns_name_t ***keys, isc_uint32_t count);
-
-isc_result_t
-ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
-
-isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
-			  isc_uint16_t *digestbits);
-isc_result_t
-ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
-			   unsigned int *typep, isc_uint16_t *digestbits);
-
-#endif /* NAMED_CONFIG_H */
diff --git a/contrib/bind9/bin/named/include/named/control.h b/contrib/bind9/bin/named/include/named/control.h
deleted file mode 100644
index d730a83..0000000
--- a/contrib/bind9/bin/named/include/named/control.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef NAMED_CONTROL_H
-#define NAMED_CONTROL_H 1
-
-/*! \file
- * \brief
- * The name server command channel.
- */
-
-#include <isccc/types.h>
-
-#include <isccfg/aclconf.h>
-
-#include <named/types.h>
-
-#define NS_CONTROL_PORT			953
-
-#define NS_COMMAND_STOP		"stop"
-#define NS_COMMAND_HALT		"halt"
-#define NS_COMMAND_RELOAD	"reload"
-#define NS_COMMAND_RECONFIG	"reconfig"
-#define NS_COMMAND_REFRESH	"refresh"
-#define NS_COMMAND_RETRANSFER	"retransfer"
-#define NS_COMMAND_DUMPSTATS	"stats"
-#define NS_COMMAND_QUERYLOG	"querylog"
-#define NS_COMMAND_DUMPDB	"dumpdb"
-#define NS_COMMAND_SECROOTS	"secroots"
-#define NS_COMMAND_TRACE	"trace"
-#define NS_COMMAND_NOTRACE	"notrace"
-#define NS_COMMAND_FLUSH	"flush"
-#define NS_COMMAND_FLUSHNAME	"flushname"
-#define NS_COMMAND_FLUSHTREE	"flushtree"
-#define NS_COMMAND_STATUS	"status"
-#define NS_COMMAND_TSIGLIST	"tsig-list"
-#define NS_COMMAND_TSIGDELETE	"tsig-delete"
-#define NS_COMMAND_FREEZE	"freeze"
-#define NS_COMMAND_UNFREEZE	"unfreeze"
-#define NS_COMMAND_THAW		"thaw"
-#define NS_COMMAND_TIMERPOKE	"timerpoke"
-#define NS_COMMAND_RECURSING	"recursing"
-#define NS_COMMAND_NULL		"null"
-#define NS_COMMAND_NOTIFY	"notify"
-#define NS_COMMAND_VALIDATION	"validation"
-#define NS_COMMAND_SIGN 	"sign"
-#define NS_COMMAND_LOADKEYS 	"loadkeys"
-#define NS_COMMAND_ADDZONE	"addzone"
-#define NS_COMMAND_DELZONE	"delzone"
-#define NS_COMMAND_SYNC		"sync"
-#define NS_COMMAND_SIGNING	"signing"
-
-isc_result_t
-ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
-/*%<
- * Create an initial, empty set of command channels for 'server'.
- */
-
-void
-ns_controls_destroy(ns_controls_t **ctrlsp);
-/*%<
- * Destroy a set of command channels.
- *
- * Requires:
- *	Shutdown of the channels has completed.
- */
-
-isc_result_t
-ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config,
-		      cfg_aclconfctx_t *aclconfctx);
-/*%<
- * Configure zero or more command channels into 'controls'
- * as defined in the configuration parse tree 'config'.
- * The channels will evaluate ACLs in the context of
- * 'aclconfctx'.
- */
-
-void
-ns_controls_shutdown(ns_controls_t *controls);
-/*%<
- * Initiate shutdown of all the command channels in 'controls'.
- */
-
-isc_result_t
-ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text);
-
-#endif /* NAMED_CONTROL_H */
diff --git a/contrib/bind9/bin/named/include/named/globals.h b/contrib/bind9/bin/named/include/named/globals.h
deleted file mode 100644
index cbc14d8..0000000
--- a/contrib/bind9/bin/named/include/named/globals.h
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: globals.h,v 1.92 2011/11/09 18:44:04 each Exp $ */
-
-#ifndef NAMED_GLOBALS_H
-#define NAMED_GLOBALS_H 1
-
-/*! \file */
-
-#include <isc/rwlock.h>
-#include <isc/log.h>
-#include <isc/net.h>
-
-#include <isccfg/aclconf.h>
-#include <isccfg/cfg.h>
-
-#include <dns/zone.h>
-
-#include <dst/dst.h>
-
-#include <named/types.h>
-
-#undef EXTERN
-#undef INIT
-#ifdef NS_MAIN
-#define EXTERN
-#define INIT(v)	= (v)
-#else
-#define EXTERN extern
-#define INIT(v)
-#endif
-
-#ifndef NS_RUN_PID_DIR
-#define NS_RUN_PID_DIR 1
-#endif
-
-EXTERN isc_mem_t *		ns_g_mctx		INIT(NULL);
-EXTERN unsigned int		ns_g_cpus		INIT(0);
-EXTERN unsigned int		ns_g_udpdisp		INIT(0);
-EXTERN isc_taskmgr_t *		ns_g_taskmgr		INIT(NULL);
-EXTERN dns_dispatchmgr_t *	ns_g_dispatchmgr	INIT(NULL);
-EXTERN isc_entropy_t *		ns_g_entropy		INIT(NULL);
-EXTERN isc_entropy_t *		ns_g_fallbackentropy	INIT(NULL);
-EXTERN unsigned int		ns_g_cpus_detected	INIT(1);
-
-/*
- * XXXRTH  We're going to want multiple timer managers eventually.  One
- *         for really short timers, another for client timers, and one
- *         for zone timers.
- */
-EXTERN isc_timermgr_t *		ns_g_timermgr		INIT(NULL);
-EXTERN isc_socketmgr_t *	ns_g_socketmgr		INIT(NULL);
-EXTERN cfg_parser_t *		ns_g_parser		INIT(NULL);
-EXTERN const char *		ns_g_version		INIT(VERSION);
-EXTERN const char *		ns_g_product		INIT(PRODUCT);
-EXTERN const char *		ns_g_description	INIT(DESCRIPTION);
-EXTERN const char *		ns_g_srcid		INIT(SRCID);
-EXTERN const char *		ns_g_configargs		INIT(CONFIGARGS);
-EXTERN in_port_t		ns_g_port		INIT(0);
-EXTERN in_port_t		lwresd_g_listenport	INIT(0);
-
-EXTERN ns_server_t *		ns_g_server		INIT(NULL);
-
-EXTERN isc_boolean_t		ns_g_lwresdonly		INIT(ISC_FALSE);
-
-/*
- * Logging.
- */
-EXTERN isc_log_t *		ns_g_lctx		INIT(NULL);
-EXTERN isc_logcategory_t *	ns_g_categories		INIT(NULL);
-EXTERN isc_logmodule_t *	ns_g_modules		INIT(NULL);
-EXTERN unsigned int		ns_g_debuglevel		INIT(0);
-
-/*
- * Current configuration information.
- */
-EXTERN cfg_obj_t *		ns_g_config		INIT(NULL);
-EXTERN const cfg_obj_t *	ns_g_defaults		INIT(NULL);
-EXTERN const char *		ns_g_conffile		INIT(NS_SYSCONFDIR
-							     "/named.conf");
-EXTERN cfg_obj_t *		ns_g_bindkeys		INIT(NULL);
-EXTERN const char *		ns_g_keyfile		INIT(NS_SYSCONFDIR
-							     "/rndc.key");
-
-EXTERN dns_tsigkey_t *		ns_g_sessionkey		INIT(NULL);
-EXTERN dns_name_t		ns_g_sessionkeyname;
-
-EXTERN const char *		lwresd_g_conffile	INIT(NS_SYSCONFDIR
-							     "/lwresd.conf");
-EXTERN const char *		lwresd_g_resolvconffile	INIT("/etc"
-							     "/resolv.conf");
-EXTERN isc_boolean_t		ns_g_conffileset	INIT(ISC_FALSE);
-EXTERN isc_boolean_t		lwresd_g_useresolvconf	INIT(ISC_FALSE);
-EXTERN isc_uint16_t		ns_g_udpsize		INIT(4096);
-EXTERN cfg_aclconfctx_t *	ns_g_aclconfctx		INIT(NULL);
-
-/*
- * Initial resource limits.
- */
-EXTERN isc_resourcevalue_t	ns_g_initstacksize	INIT(0);
-EXTERN isc_resourcevalue_t	ns_g_initdatasize	INIT(0);
-EXTERN isc_resourcevalue_t	ns_g_initcoresize	INIT(0);
-EXTERN isc_resourcevalue_t	ns_g_initopenfiles	INIT(0);
-
-/*
- * Misc.
- */
-EXTERN isc_boolean_t		ns_g_coreok		INIT(ISC_TRUE);
-EXTERN const char *		ns_g_chrootdir		INIT(NULL);
-EXTERN isc_boolean_t		ns_g_foreground		INIT(ISC_FALSE);
-EXTERN isc_boolean_t		ns_g_logstderr		INIT(ISC_FALSE);
-EXTERN isc_boolean_t		ns_g_nosyslog		INIT(ISC_FALSE);
-
-EXTERN const char *		ns_g_defaultsessionkeyfile
-					INIT(NS_LOCALSTATEDIR "/run/named/"
-							      "session.key");
-
-#if NS_RUN_PID_DIR
-EXTERN const char *		ns_g_defaultpidfile 	INIT(NS_LOCALSTATEDIR
-							     "/run/named/"
-							     "named.pid");
-EXTERN const char *		lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
-							     "/run/lwresd/"
-							     "lwresd.pid");
-#else
-EXTERN const char *		ns_g_defaultpidfile 	INIT(NS_LOCALSTATEDIR
-							     "/run/named.pid");
-EXTERN const char *		lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
-							     "/run/lwresd.pid");
-#endif
-
-EXTERN const char *		ns_g_username		INIT(NULL);
-
-#ifdef USE_PKCS11
-EXTERN const char *		ns_g_engine		INIT("pkcs11");
-#else
-EXTERN const char *		ns_g_engine		INIT(NULL);
-#endif
-
-EXTERN int			ns_g_listen		INIT(3);
-EXTERN isc_time_t		ns_g_boottime;
-EXTERN isc_boolean_t		ns_g_memstatistics	INIT(ISC_FALSE);
-EXTERN isc_boolean_t		ns_g_clienttest		INIT(ISC_FALSE);
-EXTERN isc_boolean_t		ns_g_nosoa		INIT(ISC_FALSE);
-EXTERN isc_boolean_t		ns_g_noaa		INIT(ISC_FALSE);
-EXTERN isc_boolean_t		ns_g_nonearest		INIT(ISC_FALSE);
-
-#undef EXTERN
-#undef INIT
-
-#endif /* NAMED_GLOBALS_H */
diff --git a/contrib/bind9/bin/named/include/named/interfacemgr.h b/contrib/bind9/bin/named/include/named/interfacemgr.h
deleted file mode 100644
index 380dbed..0000000
--- a/contrib/bind9/bin/named/include/named/interfacemgr.h
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
-
-#ifndef NAMED_INTERFACEMGR_H
-#define NAMED_INTERFACEMGR_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * The interface manager monitors the operating system's list
- * of network interfaces, creating and destroying listeners
- * as needed.
- *
- * Reliability:
- *\li	No impact expected.
- *
- * Resources:
- *
- * Security:
- * \li	The server will only be able to bind to the DNS port on
- *	newly discovered interfaces if it is running as root.
- *
- * Standards:
- *\li	The API for scanning varies greatly among operating systems.
- *	This module attempts to hide the differences.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/socket.h>
-
-#include <dns/result.h>
-
-#include <named/listenlist.h>
-#include <named/types.h>
-
-/***
- *** Types
- ***/
-
-#define IFACE_MAGIC		ISC_MAGIC('I',':','-',')')
-#define NS_INTERFACE_VALID(t)	ISC_MAGIC_VALID(t, IFACE_MAGIC)
-
-#define NS_INTERFACEFLAG_ANYADDR	0x01U	/*%< bound to "any" address */
-#define MAX_UDP_DISPATCH 128		/*%< Maximum number of UDP dispatchers
-						     to start per interface */
-/*% The nameserver interface structure */
-struct ns_interface {
-	unsigned int		magic;		/*%< Magic number. */
-	ns_interfacemgr_t *	mgr;		/*%< Interface manager. */
-	isc_mutex_t		lock;
-	int			references;	/*%< Locked */
-	unsigned int		generation;     /*%< Generation number. */
-	isc_sockaddr_t		addr;           /*%< Address and port. */
-	unsigned int		flags;		/*%< Interface characteristics */
-	char 			name[32];	/*%< Null terminated. */
-	dns_dispatch_t *	udpdispatch[MAX_UDP_DISPATCH];
-						/*%< UDP dispatchers. */
-	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
-	int			ntcptarget;	/*%< Desired number of concurrent
-						     TCP accepts */
-	int			ntcpcurrent;	/*%< Current ditto, locked */
-	int			nudpdispatch;	/*%< Number of UDP dispatches */
-	ns_clientmgr_t *	clientmgr;	/*%< Client manager. */
-	ISC_LINK(ns_interface_t) link;
-};
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
-		       isc_socketmgr_t *socketmgr,
-		       dns_dispatchmgr_t *dispatchmgr,
-		       ns_interfacemgr_t **mgrp);
-/*%
- * Create a new interface manager.
- *
- * Initially, the new manager will not listen on any interfaces.
- * Call ns_interfacemgr_setlistenon() and/or ns_interfacemgr_setlistenon6()
- * to set nonempty listen-on lists.
- */
-
-void
-ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target);
-
-void
-ns_interfacemgr_detach(ns_interfacemgr_t **targetp);
-
-void
-ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr);
-
-void
-ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose);
-/*%
- * Scan the operatings system's list of network interfaces
- * and create listeners when new interfaces are discovered.
- * Shut down the sockets for interfaces that go away.
- *
- * This should be called once on server startup and then
- * periodically according to the 'interface-interval' option
- * in named.conf.
- */
-
-void
-ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
-		       isc_boolean_t verbose);
-/*%
- * Similar to ns_interfacemgr_scan(), but this function also tries to see the
- * need for an explicit listen-on when a list element in 'list' is going to
- * override an already-listening a wildcard interface.
- *
- * This function does not update localhost and localnets ACLs.
- *
- * This should be called once on server startup, after configuring views and
- * zones.
- */
-
-void
-ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
-/*%
- * Set the IPv4 "listen-on" list of 'mgr' to 'value'.
- * The previous IPv4 listen-on list is freed.
- */
-
-void
-ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
-/*%
- * Set the IPv6 "listen-on" list of 'mgr' to 'value'.
- * The previous IPv6 listen-on list is freed.
- */
-
-dns_aclenv_t *
-ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr);
-
-void
-ns_interface_attach(ns_interface_t *source, ns_interface_t **target);
-
-void
-ns_interface_detach(ns_interface_t **targetp);
-
-void
-ns_interface_shutdown(ns_interface_t *ifp);
-/*%
- * Stop listening for queries on interface 'ifp'.
- * May safely be called multiple times.
- */
-
-void
-ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr);
-
-isc_boolean_t
-ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr);
-
-#endif /* NAMED_INTERFACEMGR_H */
diff --git a/contrib/bind9/bin/named/include/named/listenlist.h b/contrib/bind9/bin/named/include/named/listenlist.h
deleted file mode 100644
index 9e65d5d..0000000
--- a/contrib/bind9/bin/named/include/named/listenlist.h
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: listenlist.h,v 1.15 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NAMED_LISTENLIST_H
-#define NAMED_LISTENLIST_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * "Listen lists", as in the "listen-on" configuration statement.
- */
-
-/***
- *** Imports
- ***/
-#include <isc/net.h>
-
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-typedef struct ns_listenelt ns_listenelt_t;
-typedef struct ns_listenlist ns_listenlist_t;
-
-struct ns_listenelt {
-	isc_mem_t *	       		mctx;
-	in_port_t			port;
-	dns_acl_t *	       		acl;
-	ISC_LINK(ns_listenelt_t)	link;
-};
-
-struct ns_listenlist {
-	isc_mem_t *			mctx;
-	int				refcount;
-	ISC_LIST(ns_listenelt_t)	elts;
-};
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
-		    dns_acl_t *acl, ns_listenelt_t **target);
-/*%
- * Create a listen-on list element.
- */
-
-void
-ns_listenelt_destroy(ns_listenelt_t *elt);
-/*%
- * Destroy a listen-on list element.
- */
-
-isc_result_t
-ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target);
-/*%
- * Create a new, empty listen-on list.
- */
-
-void
-ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target);
-/*%
- * Attach '*target' to '*source'.
- */
-
-void
-ns_listenlist_detach(ns_listenlist_t **listp);
-/*%
- * Detach 'listp'.
- */
-
-isc_result_t
-ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
-		      isc_boolean_t enabled, ns_listenlist_t **target);
-/*%
- * Create a listen-on list with default contents, matching
- * all addresses with port 'port' (if 'enabled' is ISC_TRUE),
- * or no addresses (if 'enabled' is ISC_FALSE).
- */
-
-#endif /* NAMED_LISTENLIST_H */
-
-
diff --git a/contrib/bind9/bin/named/include/named/log.h b/contrib/bind9/bin/named/include/named/log.h
deleted file mode 100644
index 032743ac..0000000
--- a/contrib/bind9/bin/named/include/named/log.h
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.h,v 1.27 2009/01/07 23:47:46 tbox Exp $ */
-
-#ifndef NAMED_LOG_H
-#define NAMED_LOG_H 1
-
-/*! \file */
-
-#include <isc/log.h>
-#include <isc/types.h>
-
-#include <dns/log.h>
-
-#include <named/globals.h>	/* Required for ns_g_(categories|modules). */
-
-/* Unused slot 0. */
-#define NS_LOGCATEGORY_CLIENT		(&ns_g_categories[1])
-#define NS_LOGCATEGORY_NETWORK		(&ns_g_categories[2])
-#define NS_LOGCATEGORY_UPDATE		(&ns_g_categories[3])
-#define NS_LOGCATEGORY_QUERIES		(&ns_g_categories[4])
-#define NS_LOGCATEGORY_UNMATCHED	(&ns_g_categories[5])
-#define NS_LOGCATEGORY_UPDATE_SECURITY	(&ns_g_categories[6])
-#define NS_LOGCATEGORY_QUERY_EERRORS	(&ns_g_categories[7])
-
-/*
- * Backwards compatibility.
- */
-#define NS_LOGCATEGORY_GENERAL		ISC_LOGCATEGORY_GENERAL
-
-#define NS_LOGMODULE_MAIN		(&ns_g_modules[0])
-#define NS_LOGMODULE_CLIENT		(&ns_g_modules[1])
-#define NS_LOGMODULE_SERVER		(&ns_g_modules[2])
-#define NS_LOGMODULE_QUERY		(&ns_g_modules[3])
-#define NS_LOGMODULE_INTERFACEMGR	(&ns_g_modules[4])
-#define NS_LOGMODULE_UPDATE		(&ns_g_modules[5])
-#define NS_LOGMODULE_XFER_IN		(&ns_g_modules[6])
-#define NS_LOGMODULE_XFER_OUT		(&ns_g_modules[7])
-#define NS_LOGMODULE_NOTIFY		(&ns_g_modules[8])
-#define NS_LOGMODULE_CONTROL		(&ns_g_modules[9])
-#define NS_LOGMODULE_LWRESD		(&ns_g_modules[10])
-
-isc_result_t
-ns_log_init(isc_boolean_t safe);
-/*%
- * Initialize the logging system and set up an initial default
- * logging default configuration that will be used until the
- * config file has been read.
- *
- * If 'safe' is true, use a default configuration that refrains
- * from opening files.  This is to avoid creating log files
- * as root.
- */
-
-isc_result_t
-ns_log_setdefaultchannels(isc_logconfig_t *lcfg);
-/*%
- * Set up logging channels according to the named defaults, which
- * may differ from the logging library defaults.  Currently,
- * this just means setting up default_debug.
- */
-
-isc_result_t
-ns_log_setsafechannels(isc_logconfig_t *lcfg);
-/*%
- * Like ns_log_setdefaultchannels(), but omits any logging to files.
- */
-
-isc_result_t
-ns_log_setdefaultcategory(isc_logconfig_t *lcfg);
-/*%
- * Set up "category default" to go to the right places.
- */
-
-isc_result_t
-ns_log_setunmatchedcategory(isc_logconfig_t *lcfg);
-/*%
- * Set up "category unmatched" to go to the right places.
- */
-
-void
-ns_log_shutdown(void);
-
-#endif /* NAMED_LOG_H */
diff --git a/contrib/bind9/bin/named/include/named/logconf.h b/contrib/bind9/bin/named/include/named/logconf.h
deleted file mode 100644
index 0354345..0000000
--- a/contrib/bind9/bin/named/include/named/logconf.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: logconf.h,v 1.17 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NAMED_LOGCONF_H
-#define NAMED_LOGCONF_H 1
-
-/*! \file */
-
-#include <isc/log.h>
-
-isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt);
-/*%<
- * Set up the logging configuration in '*logconf' according to
- * the named.conf data in 'logstmt'.
- */
-
-#endif /* NAMED_LOGCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/lwaddr.h b/contrib/bind9/bin/named/include/named/lwaddr.h
deleted file mode 100644
index 962aa91..0000000
--- a/contrib/bind9/bin/named/include/named/lwaddr.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwaddr.h,v 1.8 2007/06/19 23:46:59 tbox Exp $ */
-
-/*! \file */
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-
-isc_result_t
-lwaddr_netaddr_fromlwresaddr(isc_netaddr_t *na, lwres_addr_t *la);
-
-isc_result_t
-lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la,
-			      in_port_t port);
-
-isc_result_t
-lwaddr_lwresaddr_fromnetaddr(lwres_addr_t *la, isc_netaddr_t *na);
-
-isc_result_t
-lwaddr_lwresaddr_fromsockaddr(lwres_addr_t *la, isc_sockaddr_t *sa);
diff --git a/contrib/bind9/bin/named/include/named/lwdclient.h b/contrib/bind9/bin/named/include/named/lwdclient.h
deleted file mode 100644
index c345176..0000000
--- a/contrib/bind9/bin/named/include/named/lwdclient.h
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdclient.h,v 1.20 2009/01/17 23:47:42 tbox Exp $ */
-
-#ifndef NAMED_LWDCLIENT_H
-#define NAMED_LWDCLIENT_H 1
-
-/*! \file */
-
-#include <isc/event.h>
-#include <isc/eventclass.h>
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-#include <isc/types.h>
-
-#include <dns/fixedname.h>
-#include <dns/types.h>
-
-#include <lwres/lwres.h>
-
-#include <named/lwsearch.h>
-
-#define LWRD_EVENTCLASS		ISC_EVENTCLASS(4242)
-
-#define LWRD_SHUTDOWN		(LWRD_EVENTCLASS + 0x0001)
-
-/*% Lightweight Resolver Daemon Client */
-struct ns_lwdclient {
-	isc_sockaddr_t		address;	/*%< where to reply */
-	struct in6_pktinfo	pktinfo;
-	isc_boolean_t		pktinfo_valid;
-	ns_lwdclientmgr_t	*clientmgr;	/*%< our parent */
-	ISC_LINK(ns_lwdclient_t) link;
-	unsigned int		state;
-	void			*arg;		/*%< packet processing state */
-
-	/*
-	 * Received data info.
-	 */
-	unsigned char		buffer[LWRES_RECVLENGTH]; /*%< receive buffer */
-	isc_uint32_t		recvlength;	/*%< length recv'd */
-	lwres_lwpacket_t	pkt;
-
-	/*%
-	 * Send data state.  If sendbuf != buffer (that is, the send buffer
-	 * isn't our receive buffer) it will be freed to the lwres_context_t.
-	 */
-	unsigned char	       *sendbuf;
-	isc_uint32_t		sendlength;
-	isc_buffer_t		recv_buffer;
-
-	/*%
-	 * gabn (get address by name) state info.
-	 */
-	dns_adbfind_t		*find;
-	dns_adbfind_t		*v4find;
-	dns_adbfind_t		*v6find;
-	unsigned int		find_wanted;	/*%< Addresses we want */
-	dns_fixedname_t		query_name;
-	dns_fixedname_t		target_name;
-	ns_lwsearchctx_t	searchctx;
-	lwres_gabnresponse_t	gabn;
-
-	/*%
-	 * gnba (get name by address) state info.
-	 */
-	lwres_gnbaresponse_t	gnba;
-	dns_byaddr_t	       *byaddr;
-	unsigned int		options;
-	isc_netaddr_t		na;
-
-	/*%
-	 * grbn (get rrset by name) state info.
-	 *
-	 * Note: this also uses target_name and searchctx.
-	 */
-	lwres_grbnresponse_t	grbn;
-	dns_lookup_t	       *lookup;
-	dns_rdatatype_t		rdtype;
-
-	/*%
-	 * Alias and address info.  This is copied up to the gabn/gnba
-	 * structures eventually.
-	 *
-	 * XXXMLG We can keep all of this in a client since we only service
-	 * three packet types right now.  If we started handling more,
-	 * we'd need to use "arg" above and allocate/destroy things.
-	 */
-	char		       *aliases[LWRES_MAX_ALIASES];
-	isc_uint16_t		aliaslen[LWRES_MAX_ALIASES];
-	lwres_addr_t		addrs[LWRES_MAX_ADDRS];
-};
-
-/*%
- * Client states.
- *
- * _IDLE	The client is not doing anything at all.
- *
- * _RECV	The client is waiting for data after issuing a socket recv().
- *
- * _RECVDONE	Data has been received, and is being processed.
- *
- * _FINDWAIT	An adb (or other) request was made that cannot be satisfied
- *		immediately.  An event will wake the client up.
- *
- * _SEND	All data for a response has completed, and a reply was
- *		sent via a socket send() call.
- *
- * Badly formatted state table:
- *
- *	IDLE -> RECV when client has a recv() queued.
- *
- *	RECV -> RECVDONE when recvdone event received.
- *
- *	RECVDONE -> SEND if the data for a reply is at hand.
- *	RECVDONE -> FINDWAIT if more searching is needed, and events will
- *		eventually wake us up again.
- *
- *	FINDWAIT -> SEND when enough data was received to reply.
- *
- *	SEND -> IDLE when a senddone event was received.
- *
- *	At any time -> IDLE on error.  Sometimes this will be -> SEND
- *	instead, if enough data is on hand to reply with a meaningful
- *	error.
- *
- *	Packets which are badly formatted may or may not get error returns.
- */
-#define NS_LWDCLIENT_STATEIDLE		1
-#define NS_LWDCLIENT_STATERECV		2
-#define NS_LWDCLIENT_STATERECVDONE	3
-#define NS_LWDCLIENT_STATEFINDWAIT	4
-#define NS_LWDCLIENT_STATESEND		5
-#define NS_LWDCLIENT_STATESENDDONE	6
-
-#define NS_LWDCLIENT_ISIDLE(c)		\
-			((c)->state == NS_LWDCLIENT_STATEIDLE)
-#define NS_LWDCLIENT_ISRECV(c)		\
-			((c)->state == NS_LWDCLIENT_STATERECV)
-#define NS_LWDCLIENT_ISRECVDONE(c)	\
-			((c)->state == NS_LWDCLIENT_STATERECVDONE)
-#define NS_LWDCLIENT_ISFINDWAIT(c)	\
-			((c)->state == NS_LWDCLIENT_STATEFINDWAIT)
-#define NS_LWDCLIENT_ISSEND(c)		\
-			((c)->state == NS_LWDCLIENT_STATESEND)
-
-/*%
- * Overall magic test that means we're not idle.
- */
-#define NS_LWDCLIENT_ISRUNNING(c)	(!NS_LWDCLIENT_ISIDLE(c))
-
-#define NS_LWDCLIENT_SETIDLE(c)		\
-			((c)->state = NS_LWDCLIENT_STATEIDLE)
-#define NS_LWDCLIENT_SETRECV(c)		\
-			((c)->state = NS_LWDCLIENT_STATERECV)
-#define NS_LWDCLIENT_SETRECVDONE(c)	\
-			((c)->state = NS_LWDCLIENT_STATERECVDONE)
-#define NS_LWDCLIENT_SETFINDWAIT(c)	\
-			((c)->state = NS_LWDCLIENT_STATEFINDWAIT)
-#define NS_LWDCLIENT_SETSEND(c)		\
-			((c)->state = NS_LWDCLIENT_STATESEND)
-#define NS_LWDCLIENT_SETSENDDONE(c)	\
-			((c)->state = NS_LWDCLIENT_STATESENDDONE)
-
-/*% lightweight daemon client manager */
-struct ns_lwdclientmgr {
-	ns_lwreslistener_t     *listener;
-	isc_mem_t	       *mctx;
-	isc_socket_t	       *sock;		/*%< socket to use */
-	dns_view_t	       *view;
-	lwres_context_t	       *lwctx;		/*%< lightweight proto context */
-	isc_task_t	       *task;		/*%< owning task */
-	unsigned int		flags;
-	ISC_LINK(ns_lwdclientmgr_t)	link;
-	ISC_LIST(ns_lwdclient_t)	idle;		/*%< idle client slots */
-	ISC_LIST(ns_lwdclient_t)	running;	/*%< running clients */
-};
-
-#define NS_LWDCLIENTMGR_FLAGRECVPENDING		0x00000001
-#define NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN	0x00000002
-
-isc_result_t
-ns_lwdclientmgr_create(ns_lwreslistener_t *, unsigned int, isc_taskmgr_t *);
-
-void
-ns_lwdclient_initialize(ns_lwdclient_t *, ns_lwdclientmgr_t *);
-
-isc_result_t
-ns_lwdclient_startrecv(ns_lwdclientmgr_t *);
-
-void
-ns_lwdclient_stateidle(ns_lwdclient_t *);
-
-void
-ns_lwdclient_recv(isc_task_t *, isc_event_t *);
-
-void
-ns_lwdclient_shutdown(isc_task_t *, isc_event_t *);
-
-void
-ns_lwdclient_send(isc_task_t *, isc_event_t *);
-
-isc_result_t
-ns_lwdclient_sendreply(ns_lwdclient_t *client, isc_region_t *r);
-
-/*
- * Processing functions of various types.
- */
-void ns_lwdclient_processgabn(ns_lwdclient_t *, lwres_buffer_t *);
-void ns_lwdclient_processgnba(ns_lwdclient_t *, lwres_buffer_t *);
-void ns_lwdclient_processgrbn(ns_lwdclient_t *, lwres_buffer_t *);
-void ns_lwdclient_processnoop(ns_lwdclient_t *, lwres_buffer_t *);
-
-void ns_lwdclient_errorpktsend(ns_lwdclient_t *, isc_uint32_t);
-
-void ns_lwdclient_log(int level, const char *format, ...)
-     ISC_FORMAT_PRINTF(2, 3);
-
-#endif /* NAMED_LWDCLIENT_H */
diff --git a/contrib/bind9/bin/named/include/named/lwresd.h b/contrib/bind9/bin/named/include/named/lwresd.h
deleted file mode 100644
index 565e58d..0000000
--- a/contrib/bind9/bin/named/include/named/lwresd.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwresd.h,v 1.19 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NAMED_LWRESD_H
-#define NAMED_LWRESD_H 1
-
-/*! \file */
-
-#include <isc/types.h>
-#include <isc/sockaddr.h>
-
-#include <isccfg/cfg.h>
-
-#include <dns/types.h>
-
-struct ns_lwresd {
-	unsigned int magic;
-
-	isc_mutex_t lock;
-	dns_view_t *view;
-	ns_lwsearchlist_t *search;
-	unsigned int ndots;
-	isc_mem_t *mctx;
-	isc_boolean_t shutting_down;
-	unsigned int refs;
-};
-
-struct ns_lwreslistener {
-	unsigned int magic;
-
-	isc_mutex_t lock;
-	isc_mem_t *mctx;
-	isc_sockaddr_t address;
-	ns_lwresd_t *manager;
-	isc_socket_t *sock;
-	unsigned int refs;
-	ISC_LIST(ns_lwdclientmgr_t) cmgrs;
-	ISC_LINK(ns_lwreslistener_t) link;
-};
-
-/*%
- * Configure lwresd.
- */
-isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config);
-
-isc_result_t
-ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
-			   cfg_obj_t **configp);
-
-/*%
- * Trigger shutdown.
- */
-void
-ns_lwresd_shutdown(void);
-
-/*
- * Manager functions
- */
-/*% create manager */
-isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
-		      ns_lwresd_t **lwresdp);
-
-/*% attach to manager */
-void
-ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp);
-
-/*% detach from manager */
-void
-ns_lwdmanager_detach(ns_lwresd_t **lwresdp);
-
-/*
- * Listener functions
- */
-/*% attach to listener */
-void
-ns_lwreslistener_attach(ns_lwreslistener_t *source,
-			ns_lwreslistener_t **targetp);
-
-/*% detach from lister */
-void
-ns_lwreslistener_detach(ns_lwreslistener_t **listenerp);
-
-/*% link client manager */
-void
-ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
-
-/*% unlink client manager */
-void
-ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
-
-
-
-
-/*
- * INTERNAL FUNCTIONS.
- */
-void *
-ns__lwresd_memalloc(void *arg, size_t size);
-
-void
-ns__lwresd_memfree(void *arg, void *mem, size_t size);
-
-#endif /* NAMED_LWRESD_H */
diff --git a/contrib/bind9/bin/named/include/named/lwsearch.h b/contrib/bind9/bin/named/include/named/lwsearch.h
deleted file mode 100644
index c1b4f48..0000000
--- a/contrib/bind9/bin/named/include/named/lwsearch.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwsearch.h,v 1.9 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NAMED_LWSEARCH_H
-#define NAMED_LWSEARCH_H 1
-
-#include <isc/mutex.h>
-#include <isc/result.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-#include <named/types.h>
-
-/*! \file
- * \brief
- * Lightweight resolver search list types and routines.
- *
- * An ns_lwsearchlist_t holds a list of search path elements.
- *
- * An ns_lwsearchctx stores the state of search list during a lookup
- * operation.
- */
-
-/*% An ns_lwsearchlist_t holds a list of search path elements. */
-struct ns_lwsearchlist {
-	unsigned int magic;
-
-	isc_mutex_t lock;
-	isc_mem_t *mctx;
-	unsigned int refs;
-	dns_namelist_t names;
-};
-/*% An ns_lwsearchctx stores the state of search list during a lookup operation. */
-struct ns_lwsearchctx {
-	dns_name_t *relname;
-	dns_name_t *searchname;
-	unsigned int ndots;
-	ns_lwsearchlist_t *list;
-	isc_boolean_t doneexact;
-	isc_boolean_t exactfirst;
-};
-
-isc_result_t
-ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp);
-/*%<
- * Create an empty search list object.
- */
-
-void
-ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target);
-/*%<
- * Attach to a search list object.
- */
-
-void
-ns_lwsearchlist_detach(ns_lwsearchlist_t **listp);
-/*%<
- * Detach from a search list object.
- */
-
-isc_result_t
-ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name);
-/*%<
- * Append an element to a search list.  This creates a copy of the name.
- */
-
-void
-ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list,
-		    dns_name_t *name, unsigned int ndots);
-/*%<
- * Creates a search list context structure.
- */
-
-void
-ns_lwsearchctx_first(ns_lwsearchctx_t *sctx);
-/*%<
- * Moves the search list context iterator to the first element, which
- * is usually the exact name.
- */
-
-isc_result_t
-ns_lwsearchctx_next(ns_lwsearchctx_t *sctx);
-/*%<
- * Moves the search list context iterator to the next element.
- */
-
-isc_result_t
-ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname);
-/*%<
- * Obtains the current name to be looked up.  This involves either
- * concatenating the name with a search path element, making an
- * exact name absolute, or doing nothing.
- */
-
-#endif /* NAMED_LWSEARCH_H */
diff --git a/contrib/bind9/bin/named/include/named/main.h b/contrib/bind9/bin/named/include/named/main.h
deleted file mode 100644
index 44251fa..0000000
--- a/contrib/bind9/bin/named/include/named/main.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: main.h,v 1.17 2009/09/29 23:48:03 tbox Exp $ */
-
-#ifndef NAMED_MAIN_H
-#define NAMED_MAIN_H 1
-
-/*! \file */
-
-ISC_PLATFORM_NORETURN_PRE void
-ns_main_earlyfatal(const char *format, ...)
-ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
-
-void
-ns_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-ns_main_setmemstats(const char *);
-
-#endif /* NAMED_MAIN_H */
diff --git a/contrib/bind9/bin/named/include/named/notify.h b/contrib/bind9/bin/named/include/named/notify.h
deleted file mode 100644
index 4e0a57e..0000000
--- a/contrib/bind9/bin/named/include/named/notify.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: notify.h,v 1.16 2009/01/17 23:47:42 tbox Exp $ */
-
-#ifndef NAMED_NOTIFY_H
-#define NAMED_NOTIFY_H 1
-
-#include <named/types.h>
-#include <named/client.h>
-
-/***
- ***	Module Info
- ***/
-
-/*! \file
- * \brief
- *	RFC1996
- *	A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
- */
-
-/***
- ***	Functions.
- ***/
-
-void
-ns_notify_start(ns_client_t *client);
-
-/*%<
- *	Examines the incoming message to determine appropriate zone.
- *	Returns FORMERR if there is not exactly one question.
- *	Returns REFUSED if we do not serve the listed zone.
- *	Pass the message to the zone module for processing
- *	and returns the return status.
- *
- * Requires
- *\li	client to be valid.
- */
-
-#endif /* NAMED_NOTIFY_H */
-
diff --git a/contrib/bind9/bin/named/include/named/ns_smf_globals.h b/contrib/bind9/bin/named/include/named/ns_smf_globals.h
deleted file mode 100644
index 3a35743..0000000
--- a/contrib/bind9/bin/named/include/named/ns_smf_globals.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ns_smf_globals.h,v 1.7 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NS_SMF_GLOBALS_H
-#define NS_SMF_GLOBALS_H 1
- 
-#include <libscf.h>
- 
-#undef EXTERN
-#undef INIT
-#ifdef NS_MAIN
-#define EXTERN
-#define INIT(v) = (v)
-#else
-#define EXTERN extern
-#define INIT(v)
-#endif
-                
-EXTERN unsigned int	ns_smf_got_instance	INIT(0);
-EXTERN unsigned int	ns_smf_chroot		INIT(0);
-EXTERN unsigned int	ns_smf_want_disable	INIT(0);
-
-isc_result_t ns_smf_add_message(isc_buffer_t *text);
-isc_result_t ns_smf_get_instance(char **name, int debug, isc_mem_t *mctx);
-
-#undef EXTERN
-#undef INIT
- 
-#endif /* NS_SMF_GLOBALS_H */
diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h
deleted file mode 100644
index 6dfe96b..0000000
--- a/contrib/bind9/bin/named/include/named/query.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: query.h,v 1.45 2011/01/13 04:59:24 tbox Exp $ */
-
-#ifndef NAMED_QUERY_H
-#define NAMED_QUERY_H 1
-
-/*! \file */
-
-#include <isc/types.h>
-#include <isc/buffer.h>
-#include <isc/netaddr.h>
-
-#include <dns/rdataset.h>
-#include <dns/rpz.h>
-#include <dns/types.h>
-
-#include <named/types.h>
-
-/*% nameserver database version structure */
-typedef struct ns_dbversion {
-	dns_db_t			*db;
-	dns_dbversion_t			*version;
-	isc_boolean_t			acl_checked;
-	isc_boolean_t			queryok;
-	ISC_LINK(struct ns_dbversion)	link;
-} ns_dbversion_t;
-
-/*% nameserver query structure */
-struct ns_query {
-	unsigned int			attributes;
-	unsigned int			restarts;
-	isc_boolean_t			timerset;
-	dns_name_t *			qname;
-	dns_name_t *			origqname;
-	unsigned int			dboptions;
-	unsigned int			fetchoptions;
-	dns_db_t *			gluedb;
-	dns_db_t *			authdb;
-	dns_zone_t *			authzone;
-	isc_boolean_t			authdbset;
-	isc_boolean_t			isreferral;
-	isc_mutex_t			fetchlock;
-	dns_fetch_t *			fetch;
-	dns_rpz_st_t *			rpz_st;
-	isc_bufferlist_t		namebufs;
-	ISC_LIST(ns_dbversion_t)	activeversions;
-	ISC_LIST(ns_dbversion_t)	freeversions;
-	dns_rdataset_t *		dns64_aaaa;
-	dns_rdataset_t *		dns64_sigaaaa;
-	isc_boolean_t *			dns64_aaaaok;
-	unsigned int			dns64_aaaaoklen;
-	unsigned int			dns64_options;
-	unsigned int			dns64_ttl;
-};
-
-#define NS_QUERYATTR_RECURSIONOK	0x0001
-#define NS_QUERYATTR_CACHEOK		0x0002
-#define NS_QUERYATTR_PARTIALANSWER	0x0004
-#define NS_QUERYATTR_NAMEBUFUSED	0x0008
-#define NS_QUERYATTR_RECURSING		0x0010
-#define NS_QUERYATTR_CACHEGLUEOK	0x0020
-#define NS_QUERYATTR_QUERYOKVALID	0x0040
-#define NS_QUERYATTR_QUERYOK		0x0080
-#define NS_QUERYATTR_WANTRECURSION	0x0100
-#define NS_QUERYATTR_SECURE		0x0200
-#define NS_QUERYATTR_NOAUTHORITY	0x0400
-#define NS_QUERYATTR_NOADDITIONAL	0x0800
-#define NS_QUERYATTR_CACHEACLOKVALID	0x1000
-#define NS_QUERYATTR_CACHEACLOK		0x2000
-#define NS_QUERYATTR_DNS64		0x4000
-#define NS_QUERYATTR_DNS64EXCLUDE	0x8000
-
-
-isc_result_t
-ns_query_init(ns_client_t *client);
-
-void
-ns_query_free(ns_client_t *client);
-
-void
-ns_query_start(ns_client_t *client);
-
-void
-ns_query_cancel(ns_client_t *client);
-
-#endif /* NAMED_QUERY_H */
diff --git a/contrib/bind9/bin/named/include/named/server.h b/contrib/bind9/bin/named/include/named/server.h
deleted file mode 100644
index 3ba0c64..0000000
--- a/contrib/bind9/bin/named/include/named/server.h
+++ /dev/null
@@ -1,353 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef NAMED_SERVER_H
-#define NAMED_SERVER_H 1
-
-/*! \file */
-
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/quota.h>
-#include <isc/sockaddr.h>
-#include <isc/types.h>
-#include <isc/xml.h>
-
-#include <dns/acl.h>
-#include <dns/types.h>
-
-#include <named/types.h>
-
-#define NS_EVENTCLASS		ISC_EVENTCLASS(0x4E43)
-#define NS_EVENT_RELOAD		(NS_EVENTCLASS + 0)
-#define NS_EVENT_CLIENTCONTROL	(NS_EVENTCLASS + 1)
-
-/*%
- * Name server state.  Better here than in lots of separate global variables.
- */
-struct ns_server {
-	unsigned int		magic;
-	isc_mem_t *		mctx;
-
-	isc_task_t *		task;
-
-	/* Configurable data. */
-	isc_quota_t		xfroutquota;
-	isc_quota_t		tcpquota;
-	isc_quota_t		recursionquota;
-	dns_acl_t		*blackholeacl;
-	char *			statsfile;	/*%< Statistics file name */
-	char *			dumpfile;	/*%< Dump file name */
-	char *			secrootsfile;	/*%< Secroots file name */
-	char *			bindkeysfile;	/*%< bind.keys file name */
-	char *			recfile;	/*%< Recursive file name */
-	isc_boolean_t		version_set;	/*%< User has set version */
-	char *			version;	/*%< User-specified version */
-	isc_boolean_t		hostname_set;	/*%< User has set hostname */
-	char *			hostname;	/*%< User-specified hostname */
-	/*% Use hostname for server id */
-	isc_boolean_t		server_usehostname;
-	char *			server_id;	/*%< User-specified server id */
-
-	/*%
-	 * Current ACL environment.  This defines the
-	 * current values of the localhost and localnets
-	 * ACLs.
-	 */
-	dns_aclenv_t		aclenv;
-
-	/* Server data structures. */
-	dns_loadmgr_t *		loadmgr;
-	dns_zonemgr_t *		zonemgr;
-	dns_viewlist_t		viewlist;
-	ns_interfacemgr_t *	interfacemgr;
-	dns_db_t *		in_roothints;
-	dns_tkeyctx_t *		tkeyctx;
-
-	isc_timer_t *		interface_timer;
-	isc_timer_t *		heartbeat_timer;
-	isc_timer_t *		pps_timer;
-
-	isc_uint32_t		interface_interval;
-	isc_uint32_t		heartbeat_interval;
-
-	isc_mutex_t		reload_event_lock;
-	isc_event_t *		reload_event;
-
-	isc_boolean_t		flushonshutdown;
-	isc_boolean_t		log_queries;	/*%< For BIND 8 compatibility */
-
-	ns_cachelist_t		cachelist;	/*%< Possibly shared caches */
-	isc_stats_t *		nsstats;	/*%< Server stats */
-	dns_stats_t *		rcvquerystats;	/*% Incoming query stats */
-	dns_stats_t *		opcodestats;	/*%< Incoming message stats */
-	isc_stats_t *		zonestats;	/*% Zone management stats */
-	isc_stats_t  *		resolverstats;	/*% Resolver stats */
-	isc_stats_t *		sockstats;	/*%< Socket stats */
-
-	ns_controls_t *		controls;	/*%< Control channels */
-	unsigned int		dispatchgen;
-	ns_dispatchlist_t	dispatches;
-
-	dns_acache_t		*acache;
-
-	ns_statschannellist_t	statschannels;
-
-	dns_tsigkey_t		*sessionkey;
-	char			*session_keyfile;
-	dns_name_t		*session_keyname;
-	unsigned int		session_keyalg;
-	isc_uint16_t		session_keybits;
-};
-
-#define NS_SERVER_MAGIC			ISC_MAGIC('S','V','E','R')
-#define NS_SERVER_VALID(s)		ISC_MAGIC_VALID(s, NS_SERVER_MAGIC)
-
-/*%
- * Server statistics counters.  Used as isc_statscounter_t values.
- */
-enum {
-	dns_nsstatscounter_requestv4 = 0,
-	dns_nsstatscounter_requestv6 = 1,
-	dns_nsstatscounter_edns0in = 2,
-	dns_nsstatscounter_badednsver = 3,
-	dns_nsstatscounter_tsigin = 4,
-	dns_nsstatscounter_sig0in = 5,
-	dns_nsstatscounter_invalidsig = 6,
-	dns_nsstatscounter_tcp = 7,
-
-	dns_nsstatscounter_authrej = 8,
-	dns_nsstatscounter_recurserej = 9,
-	dns_nsstatscounter_xfrrej = 10,
-	dns_nsstatscounter_updaterej = 11,
-
-	dns_nsstatscounter_response = 12,
-	dns_nsstatscounter_truncatedresp = 13,
-	dns_nsstatscounter_edns0out = 14,
-	dns_nsstatscounter_tsigout = 15,
-	dns_nsstatscounter_sig0out = 16,
-
-	dns_nsstatscounter_success = 17,
-	dns_nsstatscounter_authans = 18,
-	dns_nsstatscounter_nonauthans = 19,
-	dns_nsstatscounter_referral = 20,
-	dns_nsstatscounter_nxrrset = 21,
-	dns_nsstatscounter_servfail = 22,
-	dns_nsstatscounter_formerr = 23,
-	dns_nsstatscounter_nxdomain = 24,
-	dns_nsstatscounter_recursion = 25,
-	dns_nsstatscounter_duplicate = 26,
-	dns_nsstatscounter_dropped = 27,
-	dns_nsstatscounter_failure = 28,
-
-	dns_nsstatscounter_xfrdone = 29,
-
-	dns_nsstatscounter_updatereqfwd = 30,
-	dns_nsstatscounter_updaterespfwd = 31,
-	dns_nsstatscounter_updatefwdfail = 32,
-	dns_nsstatscounter_updatedone = 33,
-	dns_nsstatscounter_updatefail = 34,
-	dns_nsstatscounter_updatebadprereq = 35,
-
-	dns_nsstatscounter_rpz_rewrites = 36,
-
-	dns_nsstatscounter_max = 37
-};
-
-void
-ns_server_create(isc_mem_t *mctx, ns_server_t **serverp);
-/*%<
- * Create a server object with default settings.
- * This function either succeeds or causes the program to exit
- * with a fatal error.
- */
-
-void
-ns_server_destroy(ns_server_t **serverp);
-/*%<
- * Destroy a server object, freeing its memory.
- */
-
-void
-ns_server_reloadwanted(ns_server_t *server);
-/*%<
- * Inform a server that a reload is wanted.  This function
- * may be called asynchronously, from outside the server's task.
- * If a reload is already scheduled or in progress, the call
- * is ignored.
- */
-
-void
-ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush);
-/*%<
- * Inform the server that the zones should be flushed to disk on shutdown.
- */
-
-isc_result_t
-ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*%<
- * Act on a "reload" command from the command channel.
- */
-
-isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args);
-/*%<
- * Act on a "reconfig" command from the command channel.
- */
-
-isc_result_t
-ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*%<
- * Act on a "notify" command from the command channel.
- */
-
-isc_result_t
-ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*%<
- * Act on a "refresh" command from the command channel.
- */
-
-isc_result_t
-ns_server_retransfercommand(ns_server_t *server, char *args);
-/*%<
- * Act on a "retransfer" command from the command channel.
- */
-
-isc_result_t
-ns_server_togglequerylog(ns_server_t *server, char *args);
-/*%<
- * Enable/disable logging of queries.  (Takes "yes" or "no" argument,
- * but can also be used as a toggle for backward comptibility.)
- */
-
-/*%
- * Dump the current statistics to the statistics file.
- */
-isc_result_t
-ns_server_dumpstats(ns_server_t *server);
-
-/*%
- * Dump the current cache to the dump file.
- */
-isc_result_t
-ns_server_dumpdb(ns_server_t *server, char *args);
-
-/*%
- * Dump the current security roots to the secroots file.
- */
-isc_result_t
-ns_server_dumpsecroots(ns_server_t *server, char *args);
-
-/*%
- * Change or increment the server debug level.
- */
-isc_result_t
-ns_server_setdebuglevel(ns_server_t *server, char *args);
-
-/*%
- * Flush the server's cache(s)
- */
-isc_result_t
-ns_server_flushcache(ns_server_t *server, char *args);
-
-/*%
- * Flush a particular name from the server's cache.  If 'tree' is false,
- * also flush the name from the ADB and badcache.  If 'tree' is true, also
- * flush all the names under the specified name.
- */
-isc_result_t
-ns_server_flushnode(ns_server_t *server, char *args, isc_boolean_t tree);
-
-/*%
- * Report the server's status.
- */
-isc_result_t
-ns_server_status(ns_server_t *server, isc_buffer_t *text);
-
-/*%
- * Report a list of dynamic and static tsig keys, per view.
- */
-isc_result_t
-ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text);
-
-/*%
- * Delete a specific key (with optional view).
- */
-isc_result_t
-ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text);
-
-/*%
- * Enable or disable updates for a zone.
- */
-isc_result_t
-ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
-		 isc_buffer_t *text);
-
-/*%
- * Dump zone updates to disk, optionally removing the journal file
- */
-isc_result_t
-ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text);
-
-/*%
- * Update a zone's DNSKEY set from the key repository.  If
- * the command that triggered the call to this function was "sign",
- * then force a full signing of the zone.  If it was "loadkeys",
- * then don't sign the zone; any needed changes to signatures can
- * take place incrementally.
- */
-isc_result_t
-ns_server_rekey(ns_server_t *server, char *args);
-
-/*%
- * Dump the current recursive queries.
- */
-isc_result_t
-ns_server_dumprecursing(ns_server_t *server);
-
-/*%
- * Maintain a list of dispatches that require reserved ports.
- */
-void
-ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
-
-/*%
- * Enable or disable dnssec validation.
- */
-isc_result_t
-ns_server_validation(ns_server_t *server, char *args);
-
-/*%
- * Add a zone to a running process
- */
-isc_result_t
-ns_server_add_zone(ns_server_t *server, char *args);
-
-/*%
- * Deletes a zone from a running process
- */
-isc_result_t
-ns_server_del_zone(ns_server_t *server, char *args);
-
-/*%
- * Lists the status of the signing records for a given zone.
- */
-isc_result_t
-ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text);
-#endif /* NAMED_SERVER_H */
diff --git a/contrib/bind9/bin/named/include/named/sortlist.h b/contrib/bind9/bin/named/include/named/sortlist.h
deleted file mode 100644
index b9f6076..0000000
--- a/contrib/bind9/bin/named/include/named/sortlist.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sortlist.h,v 1.11 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NAMED_SORTLIST_H
-#define NAMED_SORTLIST_H 1
-
-/*! \file */
-
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-/*%
- * Type for callback functions that rank addresses.
- */
-typedef int 
-(*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg);
-
-/*%
- * Return value type for setup_sortlist.
- */
-typedef enum {
-	NS_SORTLISTTYPE_NONE,
-	NS_SORTLISTTYPE_1ELEMENT,
-	NS_SORTLISTTYPE_2ELEMENT
-} ns_sortlisttype_t;
-
-ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
-		  const void **argp);
-/*%<
- * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
- *
- * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and
- * make '*argp' point to the matching subelement.
- *
- * If a 2-element sortlist item applies, return NS_SORTLISTTYPE_2ELEMENT and
- * make '*argp' point to ACL that forms the second element.
- *
- * If no sortlist item applies, return NS_SORTLISTTYPE_NONE and set '*argp'
- * to NULL.
- */
-
-int
-ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
-/*%<
- * Find the sort order of 'addr' in 'arg', the matching element
- * of a 1-element top-level sortlist statement.
- */
-
-int
-ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
-/*%<
- * Find the sort order of 'addr' in 'arg', a topology-like
- * ACL forming the second element in a 2-element top-level
- * sortlist statement.
- */
-
-void
-ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
-			dns_addressorderfunc_t *orderp,
-			const void **argp);
-/*%<
- * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
- * If a sortlist statement applies, return in '*orderp' a pointer to a function
- * for ranking network addresses based on that sortlist statement, and in
- * '*argp' an argument to pass to said function.  If no sortlist statement
- * applies, set '*orderp' and '*argp' to NULL.
- */
-
-#endif /* NAMED_SORTLIST_H */
diff --git a/contrib/bind9/bin/named/include/named/statschannel.h b/contrib/bind9/bin/named/include/named/statschannel.h
deleted file mode 100644
index 0c36d8c..0000000
--- a/contrib/bind9/bin/named/include/named/statschannel.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: statschannel.h,v 1.3 2008/04/03 05:55:51 marka Exp $ */
-
-#ifndef NAMED_STATSCHANNEL_H
-#define NAMED_STATSCHANNEL_H 1
-
-/*! \file
- * \brief
- * The statistics channels built-in the name server.
- */
-
-#include <isccc/types.h>
-
-#include <isccfg/aclconf.h>
-
-#include <named/types.h>
-
-#define NS_STATSCHANNEL_HTTPPORT		80
-
-isc_result_t
-ns_statschannels_configure(ns_server_t *server, const cfg_obj_t *config,
-			   cfg_aclconfctx_t *aclconfctx);
-/*%<
- * [Re]configure the statistics channels.
- *
- * If it is no longer there but was previously configured, destroy
- * it here.
- *
- * If the IP address or port has changed, destroy the old server
- * and create a new one.
- */
-
-
-void
-ns_statschannels_shutdown(ns_server_t *server);
-/*%<
- * Initiate shutdown of all the statistics channel listeners.
- */
-
-isc_result_t
-ns_stats_dump(ns_server_t *server, FILE *fp);
-/*%<
- * Dump statistics counters managed by the server to the file fp.
- */
-
-#endif	/* NAMED_STATSCHANNEL_H */
diff --git a/contrib/bind9/bin/named/include/named/tkeyconf.h b/contrib/bind9/bin/named/include/named/tkeyconf.h
deleted file mode 100644
index 02bd718..0000000
--- a/contrib/bind9/bin/named/include/named/tkeyconf.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tkeyconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NS_TKEYCONF_H
-#define NS_TKEYCONF_H 1
-
-/*! \file */
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-#include <isccfg/cfg.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
-		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
-/*%<
- * 	Create a TKEY context and configure it, including the default DH key
- *	and default domain, according to 'options'.
- *
- *	Requires:
- *\li		'cfg' is a valid configuration options object.
- *\li		'mctx' is not NULL
- *\li		'ectx' is not NULL
- *\li		'tctx' is not NULL
- *\li		'*tctx' is NULL
- *
- *	Returns:
- *\li		ISC_R_SUCCESS
- *\li		ISC_R_NOMEMORY
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_TKEYCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/tsigconf.h b/contrib/bind9/bin/named/include/named/tsigconf.h
deleted file mode 100644
index 30bdf31..0000000
--- a/contrib/bind9/bin/named/include/named/tsigconf.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsigconf.h,v 1.18 2009/06/11 23:47:55 tbox Exp $ */
-
-#ifndef NS_TSIGCONF_H
-#define NS_TSIGCONF_H 1
-
-/*! \file */
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
-/*%<
- * Create a TSIG key ring and configure it according to the 'key'
- * statements in the global and view configuration objects.
- *
- *	Requires:
- *	\li	'config' is not NULL.
- *	\li	'vconfig' is not NULL.
- *	\li	'mctx' is not NULL
- *	\li	'ringp' is not NULL, and '*ringp' is NULL
- *
- *	Returns:
- *	\li	ISC_R_SUCCESS
- *	\li	ISC_R_NOMEMORY
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_TSIGCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/types.h b/contrib/bind9/bin/named/include/named/types.h
deleted file mode 100644
index 7a7886e..0000000
--- a/contrib/bind9/bin/named/include/named/types.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: types.h,v 1.31 2009/01/09 23:47:45 tbox Exp $ */
-
-#ifndef NAMED_TYPES_H
-#define NAMED_TYPES_H 1
-
-/*! \file */
-
-#include <dns/types.h>
-
-typedef struct ns_cache			ns_cache_t;
-typedef ISC_LIST(ns_cache_t)		ns_cachelist_t;
-typedef struct ns_client		ns_client_t;
-typedef struct ns_clientmgr		ns_clientmgr_t;
-typedef struct ns_query			ns_query_t;
-typedef struct ns_server 		ns_server_t;
-typedef struct ns_xmld			ns_xmld_t;
-typedef struct ns_xmldmgr		ns_xmldmgr_t;
-typedef struct ns_interface 		ns_interface_t;
-typedef struct ns_interfacemgr		ns_interfacemgr_t;
-typedef struct ns_lwresd		ns_lwresd_t;
-typedef struct ns_lwreslistener		ns_lwreslistener_t;
-typedef struct ns_lwdclient		ns_lwdclient_t;
-typedef struct ns_lwdclientmgr		ns_lwdclientmgr_t;
-typedef struct ns_lwsearchlist		ns_lwsearchlist_t;
-typedef struct ns_lwsearchctx		ns_lwsearchctx_t;
-typedef struct ns_controls		ns_controls_t;
-typedef struct ns_dispatch		ns_dispatch_t;
-typedef ISC_LIST(ns_dispatch_t)		ns_dispatchlist_t;
-typedef struct ns_statschannel		ns_statschannel_t;
-typedef ISC_LIST(ns_statschannel_t)	ns_statschannellist_t;
-#endif /* NAMED_TYPES_H */
diff --git a/contrib/bind9/bin/named/include/named/update.h b/contrib/bind9/bin/named/include/named/update.h
deleted file mode 100644
index a34570c..0000000
--- a/contrib/bind9/bin/named/include/named/update.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: update.h,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NAMED_UPDATE_H
-#define NAMED_UPDATE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * RFC2136 Dynamic Update
- */
-
-/***
- *** Imports
- ***/
-
-#include <dns/types.h>
-#include <dns/result.h>
-
-/***
- *** Types.
- ***/
-
-/***
- *** Functions
- ***/
-
-void
-ns_update_start(ns_client_t *client, isc_result_t sigresult);
-
-#endif /* NAMED_UPDATE_H */
diff --git a/contrib/bind9/bin/named/include/named/xfrout.h b/contrib/bind9/bin/named/include/named/xfrout.h
deleted file mode 100644
index 4bb79a3..0000000
--- a/contrib/bind9/bin/named/include/named/xfrout.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: xfrout.h,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
-
-#ifndef NAMED_XFROUT_H
-#define NAMED_XFROUT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file 
- * \brief
- * Outgoing zone transfers (AXFR + IXFR).
- */
-
-/***
- *** Functions
- ***/
-
-void
-ns_xfr_start(ns_client_t *client, dns_rdatatype_t xfrtype);
-
-#endif /* NAMED_XFROUT_H */
diff --git a/contrib/bind9/bin/named/include/named/zoneconf.h b/contrib/bind9/bin/named/include/named/zoneconf.h
deleted file mode 100644
index 0e684d2..0000000
--- a/contrib/bind9/bin/named/include/named/zoneconf.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zoneconf.h,v 1.30 2011/08/30 23:46:51 tbox Exp $ */
-
-#ifndef NS_ZONECONF_H
-#define NS_ZONECONF_H 1
-
-/*! \file */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <isccfg/aclconf.h>
-#include <isccfg/cfg.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-		  const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
-		  dns_zone_t *zone, dns_zone_t *raw);
-/*%<
- * Configure or reconfigure a zone according to the named.conf
- * data in 'cctx' and 'czone'.
- *
- * The zone origin is not configured, it is assumed to have been set
- * at zone creation time.
- *
- * Require:
- * \li	'lctx' to be initialized or NULL.
- * \li	'cctx' to be initialized or NULL.
- * \li	'ac' to point to an initialized ns_aclconfctx_t.
- * \li	'czone' to be initialized.
- * \li	'zone' to be initialized.
- */
-
-isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
-/*%<
- * If 'zone' can be safely reconfigured according to the configuration
- * data in 'zconfig', return ISC_TRUE.  If the configuration data is so
- * different from the current zone state that the zone needs to be destroyed
- * and recreated, return ISC_FALSE.
- */
-
-
-isc_result_t
-ns_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
-				dns_rdataclass_t rdclass, dns_name_t *name);
-/*%>
- * configure a DLZ zone, setting up the database methods and calling
- * postload to load the origin values
- *
- * Require:
- * \li	'dlzdatabase' to be a valid dlz database
- * \li	'zone' to be initialized.
- * \li	'rdclass' to be a valid rdataclass
- * \li	'name' to be a valid zone origin name
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_ZONECONF_H */
diff --git a/contrib/bind9/bin/named/interfacemgr.c b/contrib/bind9/bin/named/interfacemgr.c
deleted file mode 100644
index 84bf21d..0000000
--- a/contrib/bind9/bin/named/interfacemgr.c
+++ /dev/null
@@ -1,1003 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: interfacemgr.c,v 1.101 2011/11/09 18:44:03 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/interfaceiter.h>
-#include <isc/os.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/dispatch.h>
-
-#include <named/client.h>
-#include <named/log.h>
-#include <named/interfacemgr.h>
-
-#define IFMGR_MAGIC			ISC_MAGIC('I', 'F', 'M', 'G')
-#define NS_INTERFACEMGR_VALID(t)	ISC_MAGIC_VALID(t, IFMGR_MAGIC)
-
-#define IFMGR_COMMON_LOGARGS \
-	ns_g_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR
-
-/*% nameserver interface manager structure */
-struct ns_interfacemgr {
-	unsigned int		magic;		/*%< Magic number. */
-	int			references;
-	isc_mutex_t		lock;
-	isc_mem_t *		mctx;		/*%< Memory context. */
-	isc_taskmgr_t *		taskmgr;	/*%< Task manager. */
-	isc_socketmgr_t *	socketmgr;	/*%< Socket manager. */
-	dns_dispatchmgr_t *	dispatchmgr;
-	unsigned int		generation;	/*%< Current generation no. */
-	ns_listenlist_t *	listenon4;
-	ns_listenlist_t *	listenon6;
-	dns_aclenv_t		aclenv;		/*%< Localhost/localnets ACLs */
-	ISC_LIST(ns_interface_t) interfaces;	/*%< List of interfaces. */
-	ISC_LIST(isc_sockaddr_t) listenon;
-};
-
-static void
-purge_old_interfaces(ns_interfacemgr_t *mgr);
-
-static void
-clearlistenon(ns_interfacemgr_t *mgr);
-
-isc_result_t
-ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
-		       isc_socketmgr_t *socketmgr,
-		       dns_dispatchmgr_t *dispatchmgr,
-		       ns_interfacemgr_t **mgrp)
-{
-	isc_result_t result;
-	ns_interfacemgr_t *mgr;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(mgrp != NULL);
-	REQUIRE(*mgrp == NULL);
-
-	mgr = isc_mem_get(mctx, sizeof(*mgr));
-	if (mgr == NULL)
-		return (ISC_R_NOMEMORY);
-
-	mgr->mctx = NULL;
-	isc_mem_attach(mctx, &mgr->mctx);
-
-	result = isc_mutex_init(&mgr->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mem;
-
-	mgr->taskmgr = taskmgr;
-	mgr->socketmgr = socketmgr;
-	mgr->dispatchmgr = dispatchmgr;
-	mgr->generation = 1;
-	mgr->listenon4 = NULL;
-	mgr->listenon6 = NULL;
-
-	ISC_LIST_INIT(mgr->interfaces);
-	ISC_LIST_INIT(mgr->listenon);
-
-	/*
-	 * The listen-on lists are initially empty.
-	 */
-	result = ns_listenlist_create(mctx, &mgr->listenon4);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mem;
-	ns_listenlist_attach(mgr->listenon4, &mgr->listenon6);
-
-	result = dns_aclenv_init(mctx, &mgr->aclenv);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_listenon;
-
-	mgr->references = 1;
-	mgr->magic = IFMGR_MAGIC;
-	*mgrp = mgr;
-	return (ISC_R_SUCCESS);
-
- cleanup_listenon:
-	ns_listenlist_detach(&mgr->listenon4);
-	ns_listenlist_detach(&mgr->listenon6);
- cleanup_mem:
-	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
-	return (result);
-}
-
-static void
-ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
-	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
-	dns_aclenv_destroy(&mgr->aclenv);
-	ns_listenlist_detach(&mgr->listenon4);
-	ns_listenlist_detach(&mgr->listenon6);
-	clearlistenon(mgr);
-	DESTROYLOCK(&mgr->lock);
-	mgr->magic = 0;
-	isc_mem_putanddetach(&mgr->mctx, mgr, sizeof(*mgr));
-}
-
-dns_aclenv_t *
-ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr) {
-	return (&mgr->aclenv);
-}
-
-void
-ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target) {
-	REQUIRE(NS_INTERFACEMGR_VALID(source));
-	LOCK(&source->lock);
-	INSIST(source->references > 0);
-	source->references++;
-	UNLOCK(&source->lock);
-	*target = source;
-}
-
-void
-ns_interfacemgr_detach(ns_interfacemgr_t **targetp) {
-	isc_result_t need_destroy = ISC_FALSE;
-	ns_interfacemgr_t *target = *targetp;
-	REQUIRE(target != NULL);
-	REQUIRE(NS_INTERFACEMGR_VALID(target));
-	LOCK(&target->lock);
-	REQUIRE(target->references > 0);
-	target->references--;
-	if (target->references == 0)
-		need_destroy = ISC_TRUE;
-	UNLOCK(&target->lock);
-	if (need_destroy)
-		ns_interfacemgr_destroy(target);
-	*targetp = NULL;
-}
-
-void
-ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) {
-	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
-
-	/*%
-	 * Shut down and detach all interfaces.
-	 * By incrementing the generation count, we make purge_old_interfaces()
-	 * consider all interfaces "old".
-	 */
-	mgr->generation++;
-	purge_old_interfaces(mgr);
-}
-
-
-static isc_result_t
-ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
-		    const char *name, ns_interface_t **ifpret)
-{
-	ns_interface_t *ifp;
-	isc_result_t result;
-	int disp;
-
-	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
-
-	ifp = isc_mem_get(mgr->mctx, sizeof(*ifp));
-	if (ifp == NULL)
-		return (ISC_R_NOMEMORY);
-
-	ifp->mgr = NULL;
-	ifp->generation = mgr->generation;
-	ifp->addr = *addr;
-	ifp->flags = 0;
-	strncpy(ifp->name, name, sizeof(ifp->name));
-	ifp->name[sizeof(ifp->name)-1] = '\0';
-	ifp->clientmgr = NULL;
-
-	result = isc_mutex_init(&ifp->lock);
-	if (result != ISC_R_SUCCESS)
-		goto lock_create_failure;
-
-	result = ns_clientmgr_create(mgr->mctx, mgr->taskmgr,
-				     ns_g_timermgr,
-				     &ifp->clientmgr);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "ns_clientmgr_create() failed: %s",
-			      isc_result_totext(result));
-		goto clientmgr_create_failure;
-	}
-
-	for (disp = 0; disp < MAX_UDP_DISPATCH; disp++)
-		ifp->udpdispatch[disp] = NULL;
-
-	ifp->tcpsocket = NULL;
-
-	/*
-	 * Create a single TCP client object.  It will replace itself
-	 * with a new one as soon as it gets a connection, so the actual
-	 * connections will be handled in parallel even though there is
-	 * only one client initially.
-	 */
-	ifp->ntcptarget = 1;
-	ifp->ntcpcurrent = 0;
-	ifp->nudpdispatch = 0;
-
-	ISC_LINK_INIT(ifp, link);
-
-	ns_interfacemgr_attach(mgr, &ifp->mgr);
-	ISC_LIST_APPEND(mgr->interfaces, ifp, link);
-
-	ifp->references = 1;
-	ifp->magic = IFACE_MAGIC;
-	*ifpret = ifp;
-
-	return (ISC_R_SUCCESS);
-
- clientmgr_create_failure:
-	DESTROYLOCK(&ifp->lock);
-
- lock_create_failure:
-	ifp->magic = 0;
-	isc_mem_put(mgr->mctx, ifp, sizeof(*ifp));
-
-	return (ISC_R_UNEXPECTED);
-}
-
-static isc_result_t
-ns_interface_listenudp(ns_interface_t *ifp) {
-	isc_result_t result;
-	unsigned int attrs;
-	unsigned int attrmask;
-	int disp, i;
-
-	attrs = 0;
-	attrs |= DNS_DISPATCHATTR_UDP;
-	if (isc_sockaddr_pf(&ifp->addr) == AF_INET)
-		attrs |= DNS_DISPATCHATTR_IPV4;
-	else
-		attrs |= DNS_DISPATCHATTR_IPV6;
-	attrs |= DNS_DISPATCHATTR_NOLISTEN;
-	attrmask = 0;
-	attrmask |= DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
-	attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
-
-	ifp->nudpdispatch = ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
-	for (disp = 0; disp < ifp->nudpdispatch; disp++) {
-		result = dns_dispatch_getudp_dup(ifp->mgr->dispatchmgr,
-						 ns_g_socketmgr,
-						 ns_g_taskmgr, &ifp->addr,
-						 4096, 1000, 32768, 8219, 8237,
-						 attrs, attrmask,
-						 &ifp->udpdispatch[disp],
-						 disp == 0
-						    ? NULL
-						    : ifp->udpdispatch[0]);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
-				      "could not listen on UDP socket: %s",
-				      isc_result_totext(result));
-			goto udp_dispatch_failure;
-		}
-
-	}
-
-	result = ns_clientmgr_createclients(ifp->clientmgr, ifp->nudpdispatch,
-					    ifp, ISC_FALSE);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "UDP ns_clientmgr_createclients(): %s",
-				 isc_result_totext(result));
-		goto addtodispatch_failure;
-	}
-
-	return (ISC_R_SUCCESS);
-
- addtodispatch_failure:
-	for (i = disp - 1; i <= 0; i--) {
-		dns_dispatch_changeattributes(ifp->udpdispatch[i], 0,
-					      DNS_DISPATCHATTR_NOLISTEN);
-		dns_dispatch_detach(&(ifp->udpdispatch[i]));
-	}
-	ifp->nudpdispatch = 0;
-
- udp_dispatch_failure:
-	return (result);
-}
-
-static isc_result_t
-ns_interface_accepttcp(ns_interface_t *ifp) {
-	isc_result_t result;
-
-	/*
-	 * Open a TCP socket.
-	 */
-	result = isc_socket_create(ifp->mgr->socketmgr,
-				   isc_sockaddr_pf(&ifp->addr),
-				   isc_sockettype_tcp,
-				   &ifp->tcpsocket);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "creating TCP socket: %s",
-				 isc_result_totext(result));
-		goto tcp_socket_failure;
-	}
-	isc_socket_setname(ifp->tcpsocket, "dispatcher", NULL);
-#ifndef ISC_ALLOW_MAPPED
-	isc_socket_ipv6only(ifp->tcpsocket, ISC_TRUE);
-#endif
-	result = isc_socket_bind(ifp->tcpsocket, &ifp->addr,
-				 ISC_SOCKET_REUSEADDRESS);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "binding TCP socket: %s",
-				 isc_result_totext(result));
-		goto tcp_bind_failure;
-	}
-	result = isc_socket_listen(ifp->tcpsocket, ns_g_listen);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "listening on TCP socket: %s",
-				 isc_result_totext(result));
-		goto tcp_listen_failure;
-	}
-
-	/*
-	 * If/when there a multiple filters listen to the
-	 * result.
-	 */
-	(void)isc_socket_filter(ifp->tcpsocket, "dataready");
-
-	result = ns_clientmgr_createclients(ifp->clientmgr,
-					    ifp->ntcptarget, ifp,
-					    ISC_TRUE);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "TCP ns_clientmgr_createclients(): %s",
-				 isc_result_totext(result));
-		goto accepttcp_failure;
-	}
-	return (ISC_R_SUCCESS);
-
- accepttcp_failure:
- tcp_listen_failure:
- tcp_bind_failure:
-	isc_socket_detach(&ifp->tcpsocket);
- tcp_socket_failure:
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
-		   const char *name, ns_interface_t **ifpret,
-		   isc_boolean_t accept_tcp)
-{
-	isc_result_t result;
-	ns_interface_t *ifp = NULL;
-	REQUIRE(ifpret != NULL && *ifpret == NULL);
-
-	result = ns_interface_create(mgr, addr, name, &ifp);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = ns_interface_listenudp(ifp);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_interface;
-
-	if (accept_tcp == ISC_TRUE) {
-		result = ns_interface_accepttcp(ifp);
-		if (result != ISC_R_SUCCESS) {
-			/*
-			 * XXXRTH We don't currently have a way to easily stop
-			 * dispatch service, so we currently return
-			 * ISC_R_SUCCESS (the UDP stuff will work even if TCP
-			 * creation failed).  This will be fixed later.
-			 */
-			result = ISC_R_SUCCESS;
-		}
-	}
-	*ifpret = ifp;
-	return (result);
-
- cleanup_interface:
-	ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
-	ns_interface_detach(&ifp);
-	return (result);
-}
-
-void
-ns_interface_shutdown(ns_interface_t *ifp) {
-	if (ifp->clientmgr != NULL)
-		ns_clientmgr_destroy(&ifp->clientmgr);
-}
-
-static void
-ns_interface_destroy(ns_interface_t *ifp) {
-	isc_mem_t *mctx = ifp->mgr->mctx;
-	int disp;
-
-	REQUIRE(NS_INTERFACE_VALID(ifp));
-
-	ns_interface_shutdown(ifp);
-
-	for (disp = 0; disp < ifp->nudpdispatch; disp++)
-		if (ifp->udpdispatch[disp] != NULL) {
-			dns_dispatch_changeattributes(ifp->udpdispatch[disp], 0,
-						    DNS_DISPATCHATTR_NOLISTEN);
-			dns_dispatch_detach(&(ifp->udpdispatch[disp]));
-		}
-
-	if (ifp->tcpsocket != NULL)
-		isc_socket_detach(&ifp->tcpsocket);
-
-	DESTROYLOCK(&ifp->lock);
-
-	ns_interfacemgr_detach(&ifp->mgr);
-
-	ifp->magic = 0;
-	isc_mem_put(mctx, ifp, sizeof(*ifp));
-}
-
-void
-ns_interface_attach(ns_interface_t *source, ns_interface_t **target) {
-	REQUIRE(NS_INTERFACE_VALID(source));
-	LOCK(&source->lock);
-	INSIST(source->references > 0);
-	source->references++;
-	UNLOCK(&source->lock);
-	*target = source;
-}
-
-void
-ns_interface_detach(ns_interface_t **targetp) {
-	isc_result_t need_destroy = ISC_FALSE;
-	ns_interface_t *target = *targetp;
-	REQUIRE(target != NULL);
-	REQUIRE(NS_INTERFACE_VALID(target));
-	LOCK(&target->lock);
-	REQUIRE(target->references > 0);
-	target->references--;
-	if (target->references == 0)
-		need_destroy = ISC_TRUE;
-	UNLOCK(&target->lock);
-	if (need_destroy)
-		ns_interface_destroy(target);
-	*targetp = NULL;
-}
-
-/*%
- * Search the interface list for an interface whose address and port
- * both match those of 'addr'.  Return a pointer to it, or NULL if not found.
- */
-static ns_interface_t *
-find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) {
-	ns_interface_t *ifp;
-	for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL;
-	     ifp = ISC_LIST_NEXT(ifp, link)) {
-		if (isc_sockaddr_equal(&ifp->addr, addr))
-			break;
-	}
-	return (ifp);
-}
-
-/*%
- * Remove any interfaces whose generation number is not the current one.
- */
-static void
-purge_old_interfaces(ns_interfacemgr_t *mgr) {
-	ns_interface_t *ifp, *next;
-	for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL; ifp = next) {
-		INSIST(NS_INTERFACE_VALID(ifp));
-		next = ISC_LIST_NEXT(ifp, link);
-		if (ifp->generation != mgr->generation) {
-			char sabuf[256];
-			ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
-			isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
-			isc_log_write(IFMGR_COMMON_LOGARGS,
-				      ISC_LOG_INFO,
-				      "no longer listening on %s", sabuf);
-			ns_interface_shutdown(ifp);
-			ns_interface_detach(&ifp);
-		}
-	}
-}
-
-static isc_result_t
-clearacl(isc_mem_t *mctx, dns_acl_t **aclp) {
-	dns_acl_t *newacl = NULL;
-	isc_result_t result;
-	result = dns_acl_create(mctx, 0, &newacl);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_acl_detach(aclp);
-	dns_acl_attach(newacl, aclp);
-	dns_acl_detach(&newacl);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-listenon_is_ip6_any(ns_listenelt_t *elt) {
-	REQUIRE(elt && elt->acl);
-	return dns_acl_isany(elt->acl);
-}
-
-static isc_result_t
-setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
-	isc_result_t result;
-	unsigned int prefixlen;
-	isc_netaddr_t *netaddr;
-
-	netaddr = &interface->address;
-
-	/* First add localhost address */
-	prefixlen = (netaddr->family == AF_INET) ? 32 : 128;
-	result = dns_iptable_addprefix(mgr->aclenv.localhost->iptable,
-				       netaddr, prefixlen, ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/* Then add localnets prefix */
-	result = isc_netaddr_masktoprefixlen(&interface->netmask,
-					     &prefixlen);
-
-	/* Non contiguous netmasks not allowed by IPv6 arch. */
-	if (result != ISC_R_SUCCESS && netaddr->family == AF_INET6)
-		return (result);
-
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(IFMGR_COMMON_LOGARGS,
-			      ISC_LOG_WARNING,
-			      "omitting IPv4 interface %s from "
-			      "localnets ACL: %s",
-			      interface->name,
-			      isc_result_totext(result));
-		return (ISC_R_SUCCESS);
-	}
-
-	result = dns_iptable_addprefix(mgr->aclenv.localnets->iptable,
-				       netaddr, prefixlen, ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-setup_listenon(ns_interfacemgr_t *mgr, isc_interface_t *interface,
-	       in_port_t port)
-{
-	isc_sockaddr_t *addr;
-	isc_sockaddr_t *old;
-
-	addr = isc_mem_get(mgr->mctx, sizeof(*addr));
-	if (addr == NULL)
-		return;
-
-	isc_sockaddr_fromnetaddr(addr, &interface->address, port);
-
-	for (old = ISC_LIST_HEAD(mgr->listenon);
-	     old != NULL;
-	     old = ISC_LIST_NEXT(old, link))
-		if (isc_sockaddr_equal(addr, old))
-			break;
-
-	if (old != NULL)
-		isc_mem_put(mgr->mctx, addr, sizeof(*addr));
-	else
-		ISC_LIST_APPEND(mgr->listenon, addr, link);
-}
-
-static void
-clearlistenon(ns_interfacemgr_t *mgr) {
-	isc_sockaddr_t *old;
-
-	old = ISC_LIST_HEAD(mgr->listenon);
-	while (old != NULL) {
-		ISC_LIST_UNLINK(mgr->listenon, old, link);
-		isc_mem_put(mgr->mctx, old, sizeof(*old));
-		old = ISC_LIST_HEAD(mgr->listenon);
-	}
-}
-
-static isc_result_t
-do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
-	isc_boolean_t verbose)
-{
-	isc_interfaceiter_t *iter = NULL;
-	isc_boolean_t scan_ipv4 = ISC_FALSE;
-	isc_boolean_t scan_ipv6 = ISC_FALSE;
-	isc_boolean_t adjusting = ISC_FALSE;
-	isc_boolean_t ipv6only = ISC_TRUE;
-	isc_boolean_t ipv6pktinfo = ISC_TRUE;
-	isc_result_t result;
-	isc_netaddr_t zero_address, zero_address6;
-	ns_listenelt_t *le;
-	isc_sockaddr_t listen_addr;
-	ns_interface_t *ifp;
-	isc_boolean_t log_explicit = ISC_FALSE;
-	isc_boolean_t dolistenon;
-
-	if (ext_listen != NULL)
-		adjusting = ISC_TRUE;
-
-	if (isc_net_probeipv6() == ISC_R_SUCCESS)
-		scan_ipv6 = ISC_TRUE;
-#ifdef WANT_IPV6
-	else
-		isc_log_write(IFMGR_COMMON_LOGARGS,
-			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
-			      "no IPv6 interfaces found");
-#endif
-
-	if (isc_net_probeipv4() == ISC_R_SUCCESS)
-		scan_ipv4 = ISC_TRUE;
-	else
-		isc_log_write(IFMGR_COMMON_LOGARGS,
-			      verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
-			      "no IPv4 interfaces found");
-
-	/*
-	 * A special, but typical case; listen-on-v6 { any; }.
-	 * When we can make the socket IPv6-only, open a single wildcard
-	 * socket for IPv6 communication.  Otherwise, make separate socket
-	 * for each IPv6 address in order to avoid accepting IPv4 packets
-	 * as the form of mapped addresses unintentionally unless explicitly
-	 * allowed.
-	 */
-#ifndef ISC_ALLOW_MAPPED
-	if (scan_ipv6 == ISC_TRUE &&
-	    isc_net_probe_ipv6only() != ISC_R_SUCCESS) {
-		ipv6only = ISC_FALSE;
-		log_explicit = ISC_TRUE;
-	}
-#endif
-	if (scan_ipv6 == ISC_TRUE &&
-	    isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) {
-		ipv6pktinfo = ISC_FALSE;
-		log_explicit = ISC_TRUE;
-	}
-	if (scan_ipv6 == ISC_TRUE && ipv6only && ipv6pktinfo) {
-		for (le = ISC_LIST_HEAD(mgr->listenon6->elts);
-		     le != NULL;
-		     le = ISC_LIST_NEXT(le, link)) {
-			struct in6_addr in6a;
-
-			if (!listenon_is_ip6_any(le))
-				continue;
-
-			in6a = in6addr_any;
-			isc_sockaddr_fromin6(&listen_addr, &in6a, le->port);
-
-			ifp = find_matching_interface(mgr, &listen_addr);
-			if (ifp != NULL) {
-				ifp->generation = mgr->generation;
-			} else {
-				isc_log_write(IFMGR_COMMON_LOGARGS,
-					      ISC_LOG_INFO,
-					      "listening on IPv6 "
-					      "interfaces, port %u",
-					      le->port);
-				result = ns_interface_setup(mgr, &listen_addr,
-							    "<any>", &ifp,
-							    ISC_TRUE);
-				if (result == ISC_R_SUCCESS)
-					ifp->flags |= NS_INTERFACEFLAG_ANYADDR;
-				else
-					isc_log_write(IFMGR_COMMON_LOGARGS,
-						      ISC_LOG_ERROR,
-						      "listening on all IPv6 "
-						      "interfaces failed");
-				/* Continue. */
-			}
-		}
-	}
-
-	isc_netaddr_any(&zero_address);
-	isc_netaddr_any6(&zero_address6);
-
-	result = isc_interfaceiter_create(mgr->mctx, &iter);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (adjusting == ISC_FALSE) {
-		result = clearacl(mgr->mctx, &mgr->aclenv.localhost);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_iter;
-		result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_iter;
-		clearlistenon(mgr);
-	}
-
-	for (result = isc_interfaceiter_first(iter);
-	     result == ISC_R_SUCCESS;
-	     result = isc_interfaceiter_next(iter))
-	{
-		isc_interface_t interface;
-		ns_listenlist_t *ll;
-		unsigned int family;
-
-		result = isc_interfaceiter_current(iter, &interface);
-		if (result != ISC_R_SUCCESS)
-			break;
-
-		family = interface.address.family;
-		if (family != AF_INET && family != AF_INET6)
-			continue;
-		if (scan_ipv4 == ISC_FALSE && family == AF_INET)
-			continue;
-		if (scan_ipv6 == ISC_FALSE && family == AF_INET6)
-			continue;
-
-		/*
-		 * Test for the address being nonzero rather than testing
-		 * INTERFACE_F_UP, because on some systems the latter
-		 * follows the media state and we could end up ignoring
-		 * the interface for an entire rescan interval due to
-		 * a temporary media glitch at rescan time.
-		 */
-		if (family == AF_INET &&
-		    isc_netaddr_equal(&interface.address, &zero_address)) {
-			continue;
-		}
-		if (family == AF_INET6 &&
-		    isc_netaddr_equal(&interface.address, &zero_address6)) {
-			continue;
-		}
-
-		if (adjusting == ISC_FALSE) {
-			result = setup_locals(mgr, &interface);
-			if (result != ISC_R_SUCCESS)
-				goto ignore_interface;
-		}
-
-		ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6;
-		dolistenon = ISC_TRUE;
-		for (le = ISC_LIST_HEAD(ll->elts);
-		     le != NULL;
-		     le = ISC_LIST_NEXT(le, link))
-		{
-			int match;
-			isc_boolean_t ipv6_wildcard = ISC_FALSE;
-			isc_netaddr_t listen_netaddr;
-			isc_sockaddr_t listen_sockaddr;
-
-			/*
-			 * Construct a socket address for this IP/port
-			 * combination.
-			 */
-			if (family == AF_INET) {
-				isc_netaddr_fromin(&listen_netaddr,
-						   &interface.address.type.in);
-			} else {
-				isc_netaddr_fromin6(&listen_netaddr,
-						    &interface.address.type.in6);
-				isc_netaddr_setzone(&listen_netaddr,
-						    interface.address.zone);
-			}
-			isc_sockaddr_fromnetaddr(&listen_sockaddr,
-						 &listen_netaddr,
-						 le->port);
-
-			/*
-			 * See if the address matches the listen-on statement;
-			 * if not, ignore the interface.
-			 */
-			(void)dns_acl_match(&listen_netaddr, NULL, le->acl,
-					    &mgr->aclenv, &match, NULL);
-			if (match <= 0)
-				continue;
-
-			if (adjusting == ISC_FALSE && dolistenon == ISC_TRUE) {
-				setup_listenon(mgr, &interface, le->port);
-				dolistenon = ISC_FALSE;
-			}
-
-			/*
-			 * The case of "any" IPv6 address will require
-			 * special considerations later, so remember it.
-			 */
-			if (family == AF_INET6 && ipv6only && ipv6pktinfo &&
-			    listenon_is_ip6_any(le))
-				ipv6_wildcard = ISC_TRUE;
-
-			/*
-			 * When adjusting interfaces with extra a listening
-			 * list, see if the address matches the extra list.
-			 * If it does, and is also covered by a wildcard
-			 * interface, we need to listen on the address
-			 * explicitly.
-			 */
-			if (adjusting == ISC_TRUE) {
-				ns_listenelt_t *ele;
-
-				match = 0;
-				for (ele = ISC_LIST_HEAD(ext_listen->elts);
-				     ele != NULL;
-				     ele = ISC_LIST_NEXT(ele, link)) {
-					(void)dns_acl_match(&listen_netaddr,
-							    NULL, ele->acl,
-							    NULL, &match, NULL);
-					if (match > 0 &&
-					    (ele->port == le->port ||
-					    ele->port == 0))
-						break;
-					else
-						match = 0;
-				}
-				if (ipv6_wildcard == ISC_TRUE && match == 0)
-					continue;
-			}
-
-			ifp = find_matching_interface(mgr, &listen_sockaddr);
-			if (ifp != NULL) {
-				ifp->generation = mgr->generation;
-			} else {
-				char sabuf[ISC_SOCKADDR_FORMATSIZE];
-
-				if (adjusting == ISC_FALSE &&
-				    ipv6_wildcard == ISC_TRUE)
-					continue;
-
-				if (log_explicit && family == AF_INET6 &&
-				    !adjusting && listenon_is_ip6_any(le)) {
-					isc_log_write(IFMGR_COMMON_LOGARGS,
-						      verbose ? ISC_LOG_INFO :
-							      ISC_LOG_DEBUG(1),
-						      "IPv6 socket API is "
-						      "incomplete; explicitly "
-						      "binding to each IPv6 "
-						      "address separately");
-					log_explicit = ISC_FALSE;
-				}
-				isc_sockaddr_format(&listen_sockaddr,
-						    sabuf, sizeof(sabuf));
-				isc_log_write(IFMGR_COMMON_LOGARGS,
-					      ISC_LOG_INFO,
-					      "%s"
-					      "listening on %s interface "
-					      "%s, %s",
-					      (adjusting == ISC_TRUE) ?
-					      "additionally " : "",
-					      (family == AF_INET) ?
-					      "IPv4" : "IPv6",
-					      interface.name, sabuf);
-
-				result = ns_interface_setup(mgr,
-							    &listen_sockaddr,
-							    interface.name,
-							    &ifp,
-							    (adjusting == ISC_TRUE) ?
-							    ISC_FALSE :
-							    ISC_TRUE);
-
-				if (result != ISC_R_SUCCESS) {
-					isc_log_write(IFMGR_COMMON_LOGARGS,
-						      ISC_LOG_ERROR,
-						      "creating %s interface "
-						      "%s failed; interface "
-						      "ignored",
-						      (family == AF_INET) ?
-						      "IPv4" : "IPv6",
-						      interface.name);
-				}
-				/* Continue. */
-			}
-
-		}
-		continue;
-
-	ignore_interface:
-		isc_log_write(IFMGR_COMMON_LOGARGS,
-			      ISC_LOG_ERROR,
-			      "ignoring %s interface %s: %s",
-			      (family == AF_INET) ? "IPv4" : "IPv6",
-			      interface.name, isc_result_totext(result));
-		continue;
-	}
-	if (result != ISC_R_NOMORE)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "interface iteration failed: %s",
-				 isc_result_totext(result));
-	else
-		result = ISC_R_SUCCESS;
- cleanup_iter:
-	isc_interfaceiter_destroy(&iter);
-	return (result);
-}
-
-static void
-ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
-		      isc_boolean_t verbose)
-{
-	isc_boolean_t purge = ISC_TRUE;
-
-	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
-
-	mgr->generation++;	/* Increment the generation count. */
-
-	if (do_scan(mgr, ext_listen, verbose) != ISC_R_SUCCESS)
-		purge = ISC_FALSE;
-
-	/*
-	 * Now go through the interface list and delete anything that
-	 * does not have the current generation number.  This is
-	 * how we catch interfaces that go away or change their
-	 * addresses.
-	 */
-	if (purge)
-		purge_old_interfaces(mgr);
-
-	/*
-	 * Warn if we are not listening on any interface, unless
-	 * we're in lwresd-only mode, in which case that is to
-	 * be expected.
-	 */
-	if (ext_listen == NULL &&
-	    ISC_LIST_EMPTY(mgr->interfaces) && ! ns_g_lwresdonly) {
-		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
-			      "not listening on any interfaces");
-	}
-}
-
-void
-ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) {
-	ns_interfacemgr_scan0(mgr, NULL, verbose);
-}
-
-void
-ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
-		       isc_boolean_t verbose)
-{
-	ns_interfacemgr_scan0(mgr, list, verbose);
-}
-
-void
-ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
-	LOCK(&mgr->lock);
-	ns_listenlist_detach(&mgr->listenon4);
-	ns_listenlist_attach(value, &mgr->listenon4);
-	UNLOCK(&mgr->lock);
-}
-
-void
-ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
-	LOCK(&mgr->lock);
-	ns_listenlist_detach(&mgr->listenon6);
-	ns_listenlist_attach(value, &mgr->listenon6);
-	UNLOCK(&mgr->lock);
-}
-
-void
-ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) {
-	ns_interface_t *interface;
-
-	LOCK(&mgr->lock);
-	interface = ISC_LIST_HEAD(mgr->interfaces);
-	while (interface != NULL) {
-		if (interface->clientmgr != NULL)
-			ns_client_dumprecursing(f, interface->clientmgr);
-		interface = ISC_LIST_NEXT(interface, link);
-	}
-	UNLOCK(&mgr->lock);
-}
-
-isc_boolean_t
-ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) {
-	isc_sockaddr_t *old;
-
-	for (old = ISC_LIST_HEAD(mgr->listenon);
-	     old != NULL;
-	     old = ISC_LIST_NEXT(old, link))
-		if (isc_sockaddr_equal(old, addr))
-			return (ISC_TRUE);
-	return (ISC_FALSE);
-}
diff --git a/contrib/bind9/bin/named/listenlist.c b/contrib/bind9/bin/named/listenlist.c
deleted file mode 100644
index 513fe9c..0000000
--- a/contrib/bind9/bin/named/listenlist.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: listenlist.c,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-
-#include <named/listenlist.h>
-
-static void
-destroy(ns_listenlist_t *list);
-
-isc_result_t
-ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
-		    dns_acl_t *acl, ns_listenelt_t **target)
-{
-	ns_listenelt_t *elt = NULL;
-	REQUIRE(target != NULL && *target == NULL);
-	elt = isc_mem_get(mctx, sizeof(*elt));
-	if (elt == NULL)
-		return (ISC_R_NOMEMORY);
-	elt->mctx = mctx;
-	ISC_LINK_INIT(elt, link);
-	elt->port = port;
-	elt->acl = acl;
-	*target = elt;
-	return (ISC_R_SUCCESS);
-}
-
-void
-ns_listenelt_destroy(ns_listenelt_t *elt) {
-	if (elt->acl != NULL)
-		dns_acl_detach(&elt->acl);
-	isc_mem_put(elt->mctx, elt, sizeof(*elt));
-}
-
-isc_result_t
-ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target) {
-	ns_listenlist_t *list = NULL;
-	REQUIRE(target != NULL && *target == NULL);
-	list = isc_mem_get(mctx, sizeof(*list));
-	if (list == NULL)
-		return (ISC_R_NOMEMORY);
-	list->mctx = mctx;
-	list->refcount = 1;
-	ISC_LIST_INIT(list->elts);
-	*target = list;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-destroy(ns_listenlist_t *list) {
-	ns_listenelt_t *elt, *next;
-	for (elt = ISC_LIST_HEAD(list->elts);
-	     elt != NULL;
-	     elt = next)
-	{
-		next = ISC_LIST_NEXT(elt, link);
-		ns_listenelt_destroy(elt);
-	}
-	isc_mem_put(list->mctx, list, sizeof(*list));
-}
-
-void
-ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target) {
-	INSIST(source->refcount > 0);
-	source->refcount++;
-	*target = source;
-}
-
-void
-ns_listenlist_detach(ns_listenlist_t **listp) {
-	ns_listenlist_t *list = *listp;
-	INSIST(list->refcount > 0);
-	list->refcount--;
-	if (list->refcount == 0)
-		destroy(list);
-	*listp = NULL;
-}
-
-isc_result_t
-ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
-		      isc_boolean_t enabled, ns_listenlist_t **target)
-{
-	isc_result_t result;
-	dns_acl_t *acl = NULL;
-	ns_listenelt_t *elt = NULL;
-	ns_listenlist_t *list = NULL;
-
-	REQUIRE(target != NULL && *target == NULL);
-	if (enabled)
-		result = dns_acl_any(mctx, &acl);
-	else
-		result = dns_acl_none(mctx, &acl);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = ns_listenelt_create(mctx, port, acl, &elt);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_acl;
-
-	result = ns_listenlist_create(mctx, &list);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_listenelt;
-
-	ISC_LIST_APPEND(list->elts, elt, link);
-
-	*target = list;
-	return (ISC_R_SUCCESS);
-
- cleanup_listenelt:
-	ns_listenelt_destroy(elt);
- cleanup_acl:
-	dns_acl_detach(&acl);
- cleanup:
-	return (result);
-}
diff --git a/contrib/bind9/bin/named/log.c b/contrib/bind9/bin/named/log.c
deleted file mode 100644
index a34dea4..0000000
--- a/contrib/bind9/bin/named/log.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.c,v 1.49 2009/01/07 01:46:40 jinmei Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/result.h>
-
-#include <isccfg/log.h>
-
-#include <named/log.h>
-
-#ifndef ISC_FACILITY
-#define ISC_FACILITY LOG_DAEMON
-#endif
-
-/*%
- * When adding a new category, be sure to add the appropriate
- * \#define to <named/log.h> and to update the list in
- * bin/check/check-tool.c.
- */
-static isc_logcategory_t categories[] = {
-	{ "",		 		0 },
-	{ "client",	 		0 },
-	{ "network",	 		0 },
-	{ "update",	 		0 },
-	{ "queries",	 		0 },
-	{ "unmatched",	 		0 },
-	{ "update-security",		0 },
-	{ "query-errors",		0 },
-	{ NULL, 			0 }
-};
-
-/*%
- * When adding a new module, be sure to add the appropriate
- * \#define to <dns/log.h>.
- */
-static isc_logmodule_t modules[] = {
-	{ "main",	 		0 },
-	{ "client",	 		0 },
-	{ "server",		 	0 },
-	{ "query",		 	0 },
-	{ "interfacemgr",	 	0 },
-	{ "update",	 		0 },
-	{ "xfer-in",	 		0 },
-	{ "xfer-out",	 		0 },
-	{ "notify",	 		0 },
-	{ "control",	 		0 },
-	{ "lwresd",	 		0 },
-	{ NULL, 			0 }
-};
-
-isc_result_t
-ns_log_init(isc_boolean_t safe) {
-	isc_result_t result;
-	isc_logconfig_t *lcfg = NULL;
-
-	ns_g_categories = categories;
-	ns_g_modules = modules;
-
-	/*
-	 * Setup a logging context.
-	 */
-	result = isc_log_create(ns_g_mctx, &ns_g_lctx, &lcfg);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * named-checktool.c:setup_logging() needs to be kept in sync.
-	 */
-	isc_log_registercategories(ns_g_lctx, ns_g_categories);
-	isc_log_registermodules(ns_g_lctx, ns_g_modules);
-	isc_log_setcontext(ns_g_lctx);
-	dns_log_init(ns_g_lctx);
-	dns_log_setcontext(ns_g_lctx);
-	cfg_log_init(ns_g_lctx);
-
-	if (safe)
-		result = ns_log_setsafechannels(lcfg);
-	else
-		result = ns_log_setdefaultchannels(lcfg);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = ns_log_setdefaultcategory(lcfg);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	isc_log_destroy(&ns_g_lctx);
-	isc_log_setcontext(NULL);
-	dns_log_setcontext(NULL);
-
-	return (result);
-}
-
-isc_result_t
-ns_log_setdefaultchannels(isc_logconfig_t *lcfg) {
-	isc_result_t result;
-	isc_logdestination_t destination;
-
-	/*
-	 * By default, the logging library makes "default_debug" log to
-	 * stderr.  In BIND, we want to override this and log to named.run
-	 * instead, unless the -g option was given.
-	 */
-	if (! ns_g_logstderr) {
-		destination.file.stream = NULL;
-		destination.file.name = "named.run";
-		destination.file.versions = ISC_LOG_ROLLNEVER;
-		destination.file.maximum_size = 0;
-		result = isc_log_createchannel(lcfg, "default_debug",
-					       ISC_LOG_TOFILE,
-					       ISC_LOG_DYNAMIC,
-					       &destination,
-					       ISC_LOG_PRINTTIME|
-					       ISC_LOG_DEBUGONLY);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-#if ISC_FACILITY != LOG_DAEMON
-	destination.facility = ISC_FACILITY;
-	result = isc_log_createchannel(lcfg, "default_syslog",
-				       ISC_LOG_TOSYSLOG, ISC_LOG_INFO,
-				       &destination, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-#endif
-
-	/*
-	 * Set the initial debug level.
-	 */
-	isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	return (result);
-}
-
-isc_result_t
-ns_log_setsafechannels(isc_logconfig_t *lcfg) {
-	isc_result_t result;
-#if ISC_FACILITY != LOG_DAEMON
-	isc_logdestination_t destination;
-#endif
-
-	if (! ns_g_logstderr) {
-		result = isc_log_createchannel(lcfg, "default_debug",
-					       ISC_LOG_TONULL,
-					       ISC_LOG_DYNAMIC,
-					       NULL, 0);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		/*
-		 * Setting the debug level to zero should get the output
-		 * discarded a bit faster.
-		 */
-		isc_log_setdebuglevel(ns_g_lctx, 0);
-	} else {
-		isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
-	}
-
-#if ISC_FACILITY != LOG_DAEMON
-	destination.facility = ISC_FACILITY;
-	result = isc_log_createchannel(lcfg, "default_syslog",
-				       ISC_LOG_TOSYSLOG, ISC_LOG_INFO,
-				       &destination, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-#endif
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	return (result);
-}
-
-isc_result_t
-ns_log_setdefaultcategory(isc_logconfig_t *lcfg) {
-	isc_result_t result;
-
-	if (! ns_g_logstderr && ! ns_g_nosyslog) {
-		result = isc_log_usechannel(lcfg, "default_syslog",
-					    ISC_LOGCATEGORY_DEFAULT, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	result = isc_log_usechannel(lcfg, "default_debug",
-				    ISC_LOGCATEGORY_DEFAULT, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	return (result);
-}
-
-isc_result_t
-ns_log_setunmatchedcategory(isc_logconfig_t *lcfg) {
-	isc_result_t result;
-
-	result = isc_log_usechannel(lcfg, "null",
-				    NS_LOGCATEGORY_UNMATCHED, NULL);
-	return (result);
-}
-
-void
-ns_log_shutdown(void) {
-	isc_log_destroy(&ns_g_lctx);
-	isc_log_setcontext(NULL);
-	dns_log_setcontext(NULL);
-}
diff --git a/contrib/bind9/bin/named/logconf.c b/contrib/bind9/bin/named/logconf.c
deleted file mode 100644
index b99a167..0000000
--- a/contrib/bind9/bin/named/logconf.c
+++ /dev/null
@@ -1,314 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: logconf.c,v 1.45 2011/03/05 23:52:29 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/file.h>
-#include <isc/offset.h>
-#include <isc/result.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/syslog.h>
-
-#include <isccfg/cfg.h>
-#include <isccfg/log.h>
-
-#include <named/log.h>
-#include <named/logconf.h>
-
-#define CHECK(op) \
-	do { result = (op); 				  	 \
-	       if (result != ISC_R_SUCCESS) goto cleanup; 	 \
-	} while (0)
-
-/*%
- * Set up a logging category according to the named.conf data
- * in 'ccat' and add it to 'lctx'.
- */
-static isc_result_t
-category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) {
-	isc_result_t result;
-	const char *catname;
-	isc_logcategory_t *category;
-	isc_logmodule_t *module;
-	const cfg_obj_t *destinations = NULL;
-	const cfg_listelt_t *element = NULL;
-
-	catname = cfg_obj_asstring(cfg_tuple_get(ccat, "name"));
-	category = isc_log_categorybyname(ns_g_lctx, catname);
-	if (category == NULL) {
-		cfg_obj_log(ccat, ns_g_lctx, ISC_LOG_ERROR,
-			    "unknown logging category '%s' ignored",
-			    catname);
-		/*
-		 * Allow further processing by returning success.
-		 */
-		return (ISC_R_SUCCESS);
-	}
-
-	module = NULL;
-
-	destinations = cfg_tuple_get(ccat, "destinations");
-	for (element = cfg_list_first(destinations);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *channel = cfg_listelt_value(element);
-		const char *channelname = cfg_obj_asstring(channel);
-
-		result = isc_log_usechannel(lctx, channelname, category,
-					    module);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(ns_g_lctx, CFG_LOGCATEGORY_CONFIG,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "logging channel '%s': %s", channelname,
-				      isc_result_totext(result));
-			return (result);
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Set up a logging channel according to the named.conf data
- * in 'cchan' and add it to 'lctx'.
- */
-static isc_result_t
-channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
-	isc_result_t result;
-	isc_logdestination_t dest;
-	unsigned int type;
-	unsigned int flags = 0;
-	int level;
-	const char *channelname;
-	const cfg_obj_t *fileobj = NULL;
-	const cfg_obj_t *syslogobj = NULL;
-	const cfg_obj_t *nullobj = NULL;
-	const cfg_obj_t *stderrobj = NULL;
-	const cfg_obj_t *severity = NULL;
-	int i;
-
-	channelname = cfg_obj_asstring(cfg_map_getname(channel));
-
-	(void)cfg_map_get(channel, "file", &fileobj);
-	(void)cfg_map_get(channel, "syslog", &syslogobj);
-	(void)cfg_map_get(channel, "null", &nullobj);
-	(void)cfg_map_get(channel, "stderr", &stderrobj);
-
-	i = 0;
-	if (fileobj != NULL)
-		i++;
-	if (syslogobj != NULL)
-		i++;
-	if (nullobj != NULL)
-		i++;
-	if (stderrobj != NULL)
-		i++;
-
-	if (i != 1) {
-		cfg_obj_log(channel, ns_g_lctx, ISC_LOG_ERROR,
-			      "channel '%s': exactly one of file, syslog, "
-			      "null, and stderr must be present", channelname);
-		return (ISC_R_FAILURE);
-	}
-
-	type = ISC_LOG_TONULL;
-
-	if (fileobj != NULL) {
-		const cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
-		const cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
-		const cfg_obj_t *versionsobj =
-				 cfg_tuple_get(fileobj, "versions");
-		isc_int32_t versions = ISC_LOG_ROLLNEVER;
-		isc_offset_t size = 0;
-
-		type = ISC_LOG_TOFILE;
-
-		if (versionsobj != NULL && cfg_obj_isuint32(versionsobj))
-			versions = cfg_obj_asuint32(versionsobj);
-		if (versionsobj != NULL && cfg_obj_isstring(versionsobj) &&
-		    strcasecmp(cfg_obj_asstring(versionsobj), "unlimited") == 0)
-			versions = ISC_LOG_ROLLINFINITE;
-		if (sizeobj != NULL &&
-		    cfg_obj_isuint64(sizeobj) &&
-		    cfg_obj_asuint64(sizeobj) < ISC_OFFSET_MAXIMUM)
-			size = (isc_offset_t)cfg_obj_asuint64(sizeobj);
-		dest.file.stream = NULL;
-		dest.file.name = cfg_obj_asstring(pathobj);
-		dest.file.versions = versions;
-		dest.file.maximum_size = size;
-	} else if (syslogobj != NULL) {
-		int facility = LOG_DAEMON;
-
-		type = ISC_LOG_TOSYSLOG;
-
-		if (cfg_obj_isstring(syslogobj)) {
-			const char *facilitystr = cfg_obj_asstring(syslogobj);
-			(void)isc_syslog_facilityfromstring(facilitystr,
-							    &facility);
-		}
-		dest.facility = facility;
-	} else if (stderrobj != NULL) {
-		type = ISC_LOG_TOFILEDESC;
-		dest.file.stream = stderr;
-		dest.file.name = NULL;
-		dest.file.versions = ISC_LOG_ROLLNEVER;
-		dest.file.maximum_size = 0;
-	}
-
-	/*
-	 * Munge flags.
-	 */
-	{
-		const cfg_obj_t *printcat = NULL;
-		const cfg_obj_t *printsev = NULL;
-		const cfg_obj_t *printtime = NULL;
-
-		(void)cfg_map_get(channel, "print-category", &printcat);
-		(void)cfg_map_get(channel, "print-severity", &printsev);
-		(void)cfg_map_get(channel, "print-time", &printtime);
-
-		if (printcat != NULL && cfg_obj_asboolean(printcat))
-			flags |= ISC_LOG_PRINTCATEGORY;
-		if (printtime != NULL && cfg_obj_asboolean(printtime))
-			flags |= ISC_LOG_PRINTTIME;
-		if (printsev != NULL && cfg_obj_asboolean(printsev))
-			flags |= ISC_LOG_PRINTLEVEL;
-	}
-
-	level = ISC_LOG_INFO;
-	if (cfg_map_get(channel, "severity", &severity) == ISC_R_SUCCESS) {
-		if (cfg_obj_isstring(severity)) {
-			const char *str = cfg_obj_asstring(severity);
-			if (strcasecmp(str, "critical") == 0)
-				level = ISC_LOG_CRITICAL;
-			else if (strcasecmp(str, "error") == 0)
-				level = ISC_LOG_ERROR;
-			else if (strcasecmp(str, "warning") == 0)
-				level = ISC_LOG_WARNING;
-			else if (strcasecmp(str, "notice") == 0)
-				level = ISC_LOG_NOTICE;
-			else if (strcasecmp(str, "info") == 0)
-				level = ISC_LOG_INFO;
-			else if (strcasecmp(str, "dynamic") == 0)
-				level = ISC_LOG_DYNAMIC;
-		} else
-			/* debug */
-			level = cfg_obj_asuint32(severity);
-	}
-
-	result = isc_log_createchannel(lctx, channelname,
-				       type, level, &dest, flags);
-
-	if (result == ISC_R_SUCCESS && type == ISC_LOG_TOFILE) {
-		FILE *fp;
-
-		/*
-		 * Test to make sure that file is a plain file.
-		 * Fix defect #22771
-		*/
-		result = isc_file_isplainfile(dest.file.name);
-		if (result == ISC_R_SUCCESS ||
-		    result == ISC_R_FILENOTFOUND) {
-			/*
-			 * Test that the file can be opened, since
-			 * isc_log_open() can't effectively report
-			 * failures when called in
-			 * isc_log_doit().
-			 */
-			result = isc_stdio_open(dest.file.name, "a", &fp);
-			if (result != ISC_R_SUCCESS) {
-				syslog(LOG_ERR,
-					"isc_stdio_open '%s' failed: %s",
-					dest.file.name,
-					isc_result_totext(result));
-				fprintf(stderr,
-					"isc_stdio_open '%s' failed: %s",
-					dest.file.name,
-					isc_result_totext(result));
-			} else
-				(void)isc_stdio_close(fp);
-			goto done;
-		}
-		if (!ns_g_nosyslog)
-			syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s",
-			       dest.file.name, isc_result_totext(result));
-		fprintf(stderr, "isc_file_isplainfile '%s' failed: %s",
-			dest.file.name, isc_result_totext(result));
-	}
-
- done:
-	return (result);
-}
-
-isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt) {
-	isc_result_t result;
-	const cfg_obj_t *channels = NULL;
-	const cfg_obj_t *categories = NULL;
-	const cfg_listelt_t *element;
-	isc_boolean_t default_set = ISC_FALSE;
-	isc_boolean_t unmatched_set = ISC_FALSE;
-	const cfg_obj_t *catname;
-
-	CHECK(ns_log_setdefaultchannels(logconf));
-
-	(void)cfg_map_get(logstmt, "channel", &channels);
-	for (element = cfg_list_first(channels);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *channel = cfg_listelt_value(element);
-		CHECK(channel_fromconf(channel, logconf));
-	}
-
-	(void)cfg_map_get(logstmt, "category", &categories);
-	for (element = cfg_list_first(categories);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *category = cfg_listelt_value(element);
-		CHECK(category_fromconf(category, logconf));
-		if (!default_set) {
-			catname = cfg_tuple_get(category, "name");
-			if (strcmp(cfg_obj_asstring(catname), "default") == 0)
-				default_set = ISC_TRUE;
-		}
-		if (!unmatched_set) {
-			catname = cfg_tuple_get(category, "name");
-			if (strcmp(cfg_obj_asstring(catname), "unmatched") == 0)
-				unmatched_set = ISC_TRUE;
-		}
-	}
-
-	if (!default_set)
-		CHECK(ns_log_setdefaultcategory(logconf));
-
-	if (!unmatched_set)
-		CHECK(ns_log_setunmatchedcategory(logconf));
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (logconf != NULL)
-		isc_logconfig_destroy(&logconf);
-	return (result);
-}
diff --git a/contrib/bind9/bin/named/lwaddr.c b/contrib/bind9/bin/named/lwaddr.c
deleted file mode 100644
index ed7880a..0000000
--- a/contrib/bind9/bin/named/lwaddr.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwaddr.c,v 1.10 2008/01/11 23:46:56 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/result.h>
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-
-#include <lwres/lwres.h>
-
-#include <named/lwaddr.h>
-
-/*%
- * Convert addresses from lwres to isc format.
- */
-isc_result_t
-lwaddr_netaddr_fromlwresaddr(isc_netaddr_t *na, lwres_addr_t *la) {
-	if (la->family != LWRES_ADDRTYPE_V4 && la->family != LWRES_ADDRTYPE_V6)
-		return (ISC_R_FAMILYNOSUPPORT);
-
-	if (la->family == LWRES_ADDRTYPE_V4) {
-		struct in_addr ina;
-		memcpy(&ina.s_addr, la->address, 4);
-		isc_netaddr_fromin(na, &ina);
-	} else {
-		struct in6_addr ina6;
-		memcpy(&ina6.s6_addr, la->address, 16);
-		isc_netaddr_fromin6(na, &ina6);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la,
-			      in_port_t port)
-{
-	isc_netaddr_t na;
-	isc_result_t result;
-
-	result = lwaddr_netaddr_fromlwresaddr(&na, la);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_sockaddr_fromnetaddr(sa, &na, port);
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Convert addresses from isc to lwres format.
- */
-
-isc_result_t
-lwaddr_lwresaddr_fromnetaddr(lwres_addr_t *la, isc_netaddr_t *na) {
-	if (na->family != AF_INET && na->family != AF_INET6)
-		return (ISC_R_FAMILYNOSUPPORT);
-
-	if (na->family == AF_INET) {
-		la->family = LWRES_ADDRTYPE_V4;
-		la->length = 4;
-		memcpy(la->address, &na->type.in, 4);
-	} else {
-		la->family = LWRES_ADDRTYPE_V6;
-		la->length = 16;
-		memcpy(la->address, &na->type.in6, 16);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-lwaddr_lwresaddr_fromsockaddr(lwres_addr_t *la, isc_sockaddr_t *sa) {
-	isc_netaddr_t na;
-	isc_netaddr_fromsockaddr(&na, sa);
-	return (lwaddr_lwresaddr_fromnetaddr(la, &na));
-}
diff --git a/contrib/bind9/bin/named/lwdclient.c b/contrib/bind9/bin/named/lwdclient.c
deleted file mode 100644
index a843134..0000000
--- a/contrib/bind9/bin/named/lwdclient.c
+++ /dev/null
@@ -1,468 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdclient.c,v 1.22 2007/06/18 23:47:18 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/socket.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/view.h>
-#include <dns/log.h>
-
-#include <named/types.h>
-#include <named/log.h>
-#include <named/lwresd.h>
-#include <named/lwdclient.h>
-
-#define SHUTTINGDOWN(cm) ((cm->flags & NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN) != 0)
-
-static void
-lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev);
-
-void
-ns_lwdclient_log(int level, const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	isc_log_vwrite(dns_lctx,
-		       DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
-		       ISC_LOG_DEBUG(level), format, args);
-	va_end(args);
-}
-
-isc_result_t
-ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
-		    isc_taskmgr_t *taskmgr)
-{
-	ns_lwresd_t *lwresd = listener->manager;
-	ns_lwdclientmgr_t *cm;
-	ns_lwdclient_t *client;
-	unsigned int i;
-	isc_result_t result = ISC_R_FAILURE;
-
-	cm = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclientmgr_t));
-	if (cm == NULL)
-		return (ISC_R_NOMEMORY);
-
-	cm->listener = NULL;
-	ns_lwreslistener_attach(listener, &cm->listener);
-	cm->mctx = lwresd->mctx;
-	cm->sock = NULL;
-	isc_socket_attach(listener->sock, &cm->sock);
-	cm->view = lwresd->view;
-	cm->lwctx = NULL;
-	cm->task = NULL;
-	cm->flags = 0;
-	ISC_LINK_INIT(cm, link);
-	ISC_LIST_INIT(cm->idle);
-	ISC_LIST_INIT(cm->running);
-
-	if (lwres_context_create(&cm->lwctx, cm->mctx,
-				 ns__lwresd_memalloc, ns__lwresd_memfree,
-				 LWRES_CONTEXT_SERVERMODE)
-	    != ISC_R_SUCCESS)
-		goto errout;
-
-	for (i = 0; i < nclients; i++) {
-		client = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclient_t));
-		if (client != NULL) {
-			ns_lwdclient_log(50, "created client %p, manager %p",
-					 client, cm);
-			ns_lwdclient_initialize(client, cm);
-		}
-	}
-
-	/*
-	 * If we could create no clients, clean up and return.
-	 */
-	if (ISC_LIST_EMPTY(cm->idle))
-		goto errout;
-
-	result = isc_task_create(taskmgr, 0, &cm->task);
-	if (result != ISC_R_SUCCESS)
-		goto errout;
-	isc_task_setname(cm->task, "lwdclient", NULL);
-
-	/*
-	 * This MUST be last, since there is no way to cancel an onshutdown...
-	 */
-	result = isc_task_onshutdown(cm->task, lwdclientmgr_shutdown_callback,
-				     cm);
-	if (result != ISC_R_SUCCESS)
-		goto errout;
-
-	ns_lwreslistener_linkcm(listener, cm);
-
-	return (ISC_R_SUCCESS);
-
- errout:
-	client = ISC_LIST_HEAD(cm->idle);
-	while (client != NULL) {
-		ISC_LIST_UNLINK(cm->idle, client, link);
-		isc_mem_put(lwresd->mctx, client, sizeof(*client));
-		client = ISC_LIST_HEAD(cm->idle);
-	}
-
-	if (cm->task != NULL)
-		isc_task_detach(&cm->task);
-
-	if (cm->lwctx != NULL)
-		lwres_context_destroy(&cm->lwctx);
-
-	isc_mem_put(lwresd->mctx, cm, sizeof(*cm));
-	return (result);
-}
-
-static void
-lwdclientmgr_destroy(ns_lwdclientmgr_t *cm) {
-	ns_lwdclient_t *client;
-	ns_lwreslistener_t *listener;
-
-	if (!SHUTTINGDOWN(cm))
-		return;
-
-	/*
-	 * run through the idle list and free the clients there.  Idle
-	 * clients do not have a recv running nor do they have any finds
-	 * or similar running.
-	 */
-	client = ISC_LIST_HEAD(cm->idle);
-	while (client != NULL) {
-		ns_lwdclient_log(50, "destroying client %p, manager %p",
-				 client, cm);
-		ISC_LIST_UNLINK(cm->idle, client, link);
-		isc_mem_put(cm->mctx, client, sizeof(*client));
-		client = ISC_LIST_HEAD(cm->idle);
-	}
-
-	if (!ISC_LIST_EMPTY(cm->running))
-		return;
-
-	lwres_context_destroy(&cm->lwctx);
-	cm->view = NULL;
-	isc_socket_detach(&cm->sock);
-	isc_task_detach(&cm->task);
-
-	listener = cm->listener;
-	ns_lwreslistener_unlinkcm(listener, cm);
-	ns_lwdclient_log(50, "destroying manager %p", cm);
-	isc_mem_put(cm->mctx, cm, sizeof(*cm));
-	ns_lwreslistener_detach(&listener);
-}
-
-static void
-process_request(ns_lwdclient_t *client) {
-	lwres_buffer_t b;
-	isc_result_t result;
-
-	lwres_buffer_init(&b, client->buffer, client->recvlength);
-	lwres_buffer_add(&b, client->recvlength);
-
-	result = lwres_lwpacket_parseheader(&b, &client->pkt);
-	if (result != ISC_R_SUCCESS) {
-		ns_lwdclient_log(50, "invalid packet header received");
-		goto restart;
-	}
-
-	ns_lwdclient_log(50, "opcode %08x", client->pkt.opcode);
-
-	switch (client->pkt.opcode) {
-	case LWRES_OPCODE_GETADDRSBYNAME:
-		ns_lwdclient_processgabn(client, &b);
-		return;
-	case LWRES_OPCODE_GETNAMEBYADDR:
-		ns_lwdclient_processgnba(client, &b);
-		return;
-	case LWRES_OPCODE_GETRDATABYNAME:
-		ns_lwdclient_processgrbn(client, &b);
-		return;
-	case LWRES_OPCODE_NOOP:
-		ns_lwdclient_processnoop(client, &b);
-		return;
-	default:
-		ns_lwdclient_log(50, "unknown opcode %08x", client->pkt.opcode);
-		goto restart;
-	}
-
-	/*
-	 * Drop the packet.
-	 */
- restart:
-	ns_lwdclient_log(50, "restarting client %p...", client);
-	ns_lwdclient_stateidle(client);
-}
-
-void
-ns_lwdclient_recv(isc_task_t *task, isc_event_t *ev) {
-	isc_result_t result;
-	ns_lwdclient_t *client = ev->ev_arg;
-	ns_lwdclientmgr_t *cm = client->clientmgr;
-	isc_socketevent_t *dev = (isc_socketevent_t *)ev;
-
-	INSIST(dev->region.base == client->buffer);
-	INSIST(NS_LWDCLIENT_ISRECV(client));
-
-	NS_LWDCLIENT_SETRECVDONE(client);
-
-	INSIST((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0);
-	cm->flags &= ~NS_LWDCLIENTMGR_FLAGRECVPENDING;
-
-	ns_lwdclient_log(50,
-			 "event received: task %p, length %u, result %u (%s)",
-			 task, dev->n, dev->result,
-			 isc_result_totext(dev->result));
-
-	if (dev->result != ISC_R_SUCCESS) {
-		isc_event_free(&ev);
-		dev = NULL;
-
-		/*
-		 * Go idle.
-		 */
-		ns_lwdclient_stateidle(client);
-
-		return;
-	}
-
-	client->recvlength = dev->n;
-	client->address = dev->address;
-	if ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
-		client->pktinfo = dev->pktinfo;
-		client->pktinfo_valid = ISC_TRUE;
-	} else
-		client->pktinfo_valid = ISC_FALSE;
-	isc_event_free(&ev);
-	dev = NULL;
-
-	result = ns_lwdclient_startrecv(cm);
-	if (result != ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
-			      "could not start lwres "
-			      "client handler: %s",
-			      isc_result_totext(result));
-
-	process_request(client);
-}
-
-/*
- * This function will start a new recv() on a socket for this client manager.
- */
-isc_result_t
-ns_lwdclient_startrecv(ns_lwdclientmgr_t *cm) {
-	ns_lwdclient_t *client;
-	isc_result_t result;
-	isc_region_t r;
-
-	if (SHUTTINGDOWN(cm)) {
-		lwdclientmgr_destroy(cm);
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * If a recv is already running, don't bother.
-	 */
-	if ((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0)
-		return (ISC_R_SUCCESS);
-
-	/*
-	 * If we have no idle slots, just return success.
-	 */
-	client = ISC_LIST_HEAD(cm->idle);
-	if (client == NULL)
-		return (ISC_R_SUCCESS);
-	INSIST(NS_LWDCLIENT_ISIDLE(client));
-
-	/*
-	 * Issue the recv.  If it fails, return that it did.
-	 */
-	r.base = client->buffer;
-	r.length = LWRES_RECVLENGTH;
-	result = isc_socket_recv(cm->sock, &r, 0, cm->task, ns_lwdclient_recv,
-				 client);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Set the flag to say we've issued a recv() call.
-	 */
-	cm->flags |= NS_LWDCLIENTMGR_FLAGRECVPENDING;
-
-	/*
-	 * Remove the client from the idle list, and put it on the running
-	 * list.
-	 */
-	NS_LWDCLIENT_SETRECV(client);
-	ISC_LIST_UNLINK(cm->idle, client, link);
-	ISC_LIST_APPEND(cm->running, client, link);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
-	ns_lwdclientmgr_t *cm = ev->ev_arg;
-	ns_lwdclient_t *client;
-
-	REQUIRE(!SHUTTINGDOWN(cm));
-
-	ns_lwdclient_log(50, "got shutdown event, task %p, lwdclientmgr %p",
-			 task, cm);
-
-	/*
-	 * run through the idle list and free the clients there.  Idle
-	 * clients do not have a recv running nor do they have any finds
-	 * or similar running.
-	 */
-	client = ISC_LIST_HEAD(cm->idle);
-	while (client != NULL) {
-		ns_lwdclient_log(50, "destroying client %p, manager %p",
-				 client, cm);
-		ISC_LIST_UNLINK(cm->idle, client, link);
-		isc_mem_put(cm->mctx, client, sizeof(*client));
-		client = ISC_LIST_HEAD(cm->idle);
-	}
-
-	/*
-	 * Cancel any pending I/O.
-	 */
-	isc_socket_cancel(cm->sock, task, ISC_SOCKCANCEL_ALL);
-
-	/*
-	 * Run through the running client list and kill off any finds
-	 * in progress.
-	 */
-	client = ISC_LIST_HEAD(cm->running);
-	while (client != NULL) {
-		if (client->find != client->v4find
-		    && client->find != client->v6find)
-			dns_adb_cancelfind(client->find);
-		if (client->v4find != NULL)
-			dns_adb_cancelfind(client->v4find);
-		if (client->v6find != NULL)
-			dns_adb_cancelfind(client->v6find);
-		client = ISC_LIST_NEXT(client, link);
-	}
-
-	cm->flags |= NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN;
-
-	isc_event_free(&ev);
-}
-
-/*
- * Do all the crap needed to move a client from the run queue to the idle
- * queue.
- */
-void
-ns_lwdclient_stateidle(ns_lwdclient_t *client) {
-	ns_lwdclientmgr_t *cm;
-	isc_result_t result;
-
-	cm = client->clientmgr;
-
-	INSIST(client->sendbuf == NULL);
-	INSIST(client->sendlength == 0);
-	INSIST(client->arg == NULL);
-	INSIST(client->v4find == NULL);
-	INSIST(client->v6find == NULL);
-
-	ISC_LIST_UNLINK(cm->running, client, link);
-	ISC_LIST_PREPEND(cm->idle, client, link);
-
-	NS_LWDCLIENT_SETIDLE(client);
-
-	result = ns_lwdclient_startrecv(cm);
-	if (result != ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
-			      "could not start lwres "
-			      "client handler: %s",
-			      isc_result_totext(result));
-}
-
-void
-ns_lwdclient_send(isc_task_t *task, isc_event_t *ev) {
-	ns_lwdclient_t *client = ev->ev_arg;
-	ns_lwdclientmgr_t *cm = client->clientmgr;
-	isc_socketevent_t *dev = (isc_socketevent_t *)ev;
-
-	UNUSED(task);
-	UNUSED(dev);
-
-	INSIST(NS_LWDCLIENT_ISSEND(client));
-	INSIST(client->sendbuf == dev->region.base);
-
-	ns_lwdclient_log(50, "task %p for client %p got send-done event",
-			 task, client);
-
-	if (client->sendbuf != client->buffer)
-		lwres_context_freemem(cm->lwctx, client->sendbuf,
-				      client->sendlength);
-	client->sendbuf = NULL;
-	client->sendlength = 0;
-
-	ns_lwdclient_stateidle(client);
-
-	isc_event_free(&ev);
-}
-
-isc_result_t
-ns_lwdclient_sendreply(ns_lwdclient_t *client, isc_region_t *r) {
-	struct in6_pktinfo *pktinfo;
-	ns_lwdclientmgr_t *cm = client->clientmgr;
-
-	if (client->pktinfo_valid)
-		pktinfo = &client->pktinfo;
-	else
-		pktinfo = NULL;
-	return (isc_socket_sendto(cm->sock, r, cm->task, ns_lwdclient_send,
-				  client, &client->address, pktinfo));
-}
-
-void
-ns_lwdclient_initialize(ns_lwdclient_t *client, ns_lwdclientmgr_t *cmgr) {
-	client->clientmgr = cmgr;
-	ISC_LINK_INIT(client, link);
-	NS_LWDCLIENT_SETIDLE(client);
-	client->arg = NULL;
-
-	client->recvlength = 0;
-
-	client->sendbuf = NULL;
-	client->sendlength = 0;
-
-	client->find = NULL;
-	client->v4find = NULL;
-	client->v6find = NULL;
-	client->find_wanted = 0;
-
-	client->options = 0;
-	client->byaddr = NULL;
-
-	client->lookup = NULL;
-
-	client->pktinfo_valid = ISC_FALSE;
-
-	ISC_LIST_APPEND(cmgr->idle, client, link);
-}
diff --git a/contrib/bind9/bin/named/lwderror.c b/contrib/bind9/bin/named/lwderror.c
deleted file mode 100644
index 33f247a..0000000
--- a/contrib/bind9/bin/named/lwderror.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwderror.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/socket.h>
-#include <isc/util.h>
-
-#include <named/types.h>
-#include <named/lwdclient.h>
-
-/*%
- * Generate an error packet for the client, schedule a send, and put us in
- * the SEND state.
- *
- * The client->pkt structure will be modified to form an error return.
- * The receiver needs to verify that it is in fact an error, and do the
- * right thing with it.  The opcode will be unchanged.  The result needs
- * to be set before calling this function.
- *
- * The only change this code makes is to set the receive buffer size to the
- * size we use, set the reply bit, and recompute any security information.
- */
-void
-ns_lwdclient_errorpktsend(ns_lwdclient_t *client, isc_uint32_t _result) {
-	isc_result_t result;
-	int lwres;
-	isc_region_t r;
-	lwres_buffer_t b;
-
-	REQUIRE(NS_LWDCLIENT_ISRUNNING(client));
-
-	/*
-	 * Since we are only sending the packet header, we can safely toss
-	 * the receive buffer.  This means we won't need to allocate space
-	 * for sending an error reply.  This is a Good Thing.
-	 */
-	client->pkt.length = LWRES_LWPACKET_LENGTH;
-	client->pkt.pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
-	client->pkt.recvlength = LWRES_RECVLENGTH;
-	client->pkt.authtype = 0; /* XXXMLG */
-	client->pkt.authlength = 0;
-	client->pkt.result = _result;
-
-	lwres_buffer_init(&b, client->buffer, LWRES_RECVLENGTH);
-	lwres = lwres_lwpacket_renderheader(&b, &client->pkt);
-	if (lwres != LWRES_R_SUCCESS) {
-		ns_lwdclient_stateidle(client);
-		return;
-	}
-
-	r.base = client->buffer;
-	r.length = b.used;
-	client->sendbuf = client->buffer;
-	result = ns_lwdclient_sendreply(client, &r);
-	if (result != ISC_R_SUCCESS) {
-		ns_lwdclient_stateidle(client);
-		return;
-	}
-
-	NS_LWDCLIENT_SETSEND(client);
-}
diff --git a/contrib/bind9/bin/named/lwdgabn.c b/contrib/bind9/bin/named/lwdgabn.c
deleted file mode 100644
index c4b598b..0000000
--- a/contrib/bind9/bin/named/lwdgabn.c
+++ /dev/null
@@ -1,657 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdgabn.c,v 1.24 2009/09/02 23:48:01 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/events.h>
-#include <dns/result.h>
-
-#include <named/types.h>
-#include <named/lwaddr.h>
-#include <named/lwdclient.h>
-#include <named/lwresd.h>
-#include <named/lwsearch.h>
-#include <named/sortlist.h>
-
-#define NEED_V4(c)	((((c)->find_wanted & LWRES_ADDRTYPE_V4) != 0) \
-			 && ((c)->v4find == NULL))
-#define NEED_V6(c)	((((c)->find_wanted & LWRES_ADDRTYPE_V6) != 0) \
-			 && ((c)->v6find == NULL))
-
-static isc_result_t start_find(ns_lwdclient_t *);
-static void restart_find(ns_lwdclient_t *);
-static void init_gabn(ns_lwdclient_t *);
-
-/*%
- * Destroy any finds.  This can be used to "start over from scratch" and
- * should only be called when events are _not_ being generated by the finds.
- */
-static void
-cleanup_gabn(ns_lwdclient_t *client) {
-	ns_lwdclient_log(50, "cleaning up client %p", client);
-
-	if (client->v6find != NULL) {
-		if (client->v6find == client->v4find)
-			client->v6find = NULL;
-		else
-			dns_adb_destroyfind(&client->v6find);
-	}
-	if (client->v4find != NULL)
-		dns_adb_destroyfind(&client->v4find);
-}
-
-static void
-setup_addresses(ns_lwdclient_t *client, dns_adbfind_t *find, unsigned int at) {
-	dns_adbaddrinfo_t *ai;
-	lwres_addr_t *addr;
-	int af;
-	const struct sockaddr *sa;
-	isc_result_t result;
-
-	if (at == DNS_ADBFIND_INET)
-		af = AF_INET;
-	else
-		af = AF_INET6;
-
-	ai = ISC_LIST_HEAD(find->list);
-	while (ai != NULL && client->gabn.naddrs < LWRES_MAX_ADDRS) {
-		sa = &ai->sockaddr.type.sa;
-		if (sa->sa_family != af)
-			goto next;
-
-		addr = &client->addrs[client->gabn.naddrs];
-
-		result = lwaddr_lwresaddr_fromsockaddr(addr, &ai->sockaddr);
-		if (result != ISC_R_SUCCESS)
-			goto next;
-
-		ns_lwdclient_log(50, "adding address %p, family %d, length %d",
-				 addr->address, addr->family, addr->length);
-
-		client->gabn.naddrs++;
-		REQUIRE(!LWRES_LINK_LINKED(addr, link));
-		LWRES_LIST_APPEND(client->gabn.addrs, addr, link);
-
-	next:
-		ai = ISC_LIST_NEXT(ai, publink);
-	}
-}
-
-typedef struct {
-	isc_netaddr_t address;
-	int rank;
-} rankedaddress;
-
-static int
-addr_compare(const void *av, const void *bv) {
-	const rankedaddress *a = (const rankedaddress *) av;
-	const rankedaddress *b = (const rankedaddress *) bv;
-	return (a->rank - b->rank);
-}
-
-static void
-sort_addresses(ns_lwdclient_t *client) {
-	unsigned int naddrs;
-	rankedaddress *addrs;
-	isc_netaddr_t remote;
-	dns_addressorderfunc_t order;
-	const void *arg;
-	ns_lwresd_t *lwresd = client->clientmgr->listener->manager;
-	unsigned int i;
-	isc_result_t result;
-
-	naddrs = client->gabn.naddrs;
-
-	if (naddrs <= 1 || lwresd->view->sortlist == NULL)
-		return;
-
-	addrs = isc_mem_get(lwresd->mctx, sizeof(rankedaddress) * naddrs);
-	if (addrs == NULL)
-		return;
-
-	isc_netaddr_fromsockaddr(&remote, &client->address);
-	ns_sortlist_byaddrsetup(lwresd->view->sortlist,
-				&remote, &order, &arg);
-	if (order == NULL) {
-		isc_mem_put(lwresd->mctx, addrs,
-			    sizeof(rankedaddress) * naddrs);
-		return;
-	}
-	for (i = 0; i < naddrs; i++) {
-		result = lwaddr_netaddr_fromlwresaddr(&addrs[i].address,
-						      &client->addrs[i]);
-		INSIST(result == ISC_R_SUCCESS);
-		addrs[i].rank = (*order)(&addrs[i].address, arg);
-	}
-	qsort(addrs, naddrs, sizeof(rankedaddress), addr_compare);
-	for (i = 0; i < naddrs; i++) {
-		result = lwaddr_lwresaddr_fromnetaddr(&client->addrs[i],
-						      &addrs[i].address);
-		INSIST(result == ISC_R_SUCCESS);
-	}
-
-	isc_mem_put(lwresd->mctx, addrs, sizeof(rankedaddress) * naddrs);
-}
-
-static void
-generate_reply(ns_lwdclient_t *client) {
-	isc_result_t result;
-	int lwres;
-	isc_region_t r;
-	lwres_buffer_t lwb;
-	ns_lwdclientmgr_t *cm;
-
-	cm = client->clientmgr;
-	lwb.base = NULL;
-
-	ns_lwdclient_log(50, "generating gabn reply for client %p", client);
-
-	/*
-	 * We must make certain the client->find is not still active.
-	 * If it is either the v4 or v6 answer, just set it to NULL and
-	 * let the cleanup code destroy it.  Otherwise, destroy it now.
-	 */
-	if (client->find == client->v4find || client->find == client->v6find)
-		client->find = NULL;
-	else
-		if (client->find != NULL)
-			dns_adb_destroyfind(&client->find);
-
-	/*
-	 * perhaps there are some here?
-	 */
-	if (NEED_V6(client) && client->v4find != NULL)
-		client->v6find = client->v4find;
-
-	/*
-	 * Run through the finds we have and wire them up to the gabn
-	 * structure.
-	 */
-	LWRES_LIST_INIT(client->gabn.addrs);
-	if (client->v4find != NULL)
-		setup_addresses(client, client->v4find, DNS_ADBFIND_INET);
-	if (client->v6find != NULL)
-		setup_addresses(client, client->v6find, DNS_ADBFIND_INET6);
-
-	/*
-	 * If there are no addresses, try the next element in the search
-	 * path, if there are any more.  Otherwise, fall through into
-	 * the error handling code below.
-	 */
-	if (client->gabn.naddrs == 0) {
-		do {
-			result = ns_lwsearchctx_next(&client->searchctx);
-			if (result == ISC_R_SUCCESS) {
-				cleanup_gabn(client);
-				result = start_find(client);
-				if (result == ISC_R_SUCCESS)
-					return;
-			}
-		} while (result == ISC_R_SUCCESS);
-	}
-
-	/*
-	 * Render the packet.
-	 */
-	client->pkt.recvlength = LWRES_RECVLENGTH;
-	client->pkt.authtype = 0; /* XXXMLG */
-	client->pkt.authlength = 0;
-
-	/*
-	 * If there are no addresses, return failure.
-	 */
-	if (client->gabn.naddrs != 0)
-		client->pkt.result = LWRES_R_SUCCESS;
-	else
-		client->pkt.result = LWRES_R_NOTFOUND;
-
-	sort_addresses(client);
-
-	lwres = lwres_gabnresponse_render(cm->lwctx, &client->gabn,
-					  &client->pkt, &lwb);
-	if (lwres != LWRES_R_SUCCESS)
-		goto out;
-
-	r.base = lwb.base;
-	r.length = lwb.used;
-	client->sendbuf = r.base;
-	client->sendlength = r.length;
-	result = ns_lwdclient_sendreply(client, &r);
-	if (result != ISC_R_SUCCESS)
-		goto out;
-
-	NS_LWDCLIENT_SETSEND(client);
-
-	/*
-	 * All done!
-	 */
-	cleanup_gabn(client);
-
-	return;
-
- out:
-	cleanup_gabn(client);
-
-	if (lwb.base != NULL)
-		lwres_context_freemem(client->clientmgr->lwctx,
-				      lwb.base, lwb.length);
-
-	ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
-
-/*
- * Take the current real name, move it to an alias slot (if any are
- * open) then put this new name in as the real name for the target.
- *
- * Return success if it can be rendered, otherwise failure.  Note that
- * not having enough alias slots open is NOT a failure.
- */
-static isc_result_t
-add_alias(ns_lwdclient_t *client) {
-	isc_buffer_t b;
-	isc_result_t result;
-	isc_uint16_t naliases;
-
-	b = client->recv_buffer;
-
-	/*
-	 * Render the new name to the buffer.
-	 */
-	result = dns_name_totext(dns_fixedname_name(&client->target_name),
-				 ISC_TRUE, &client->recv_buffer);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Are there any open slots?
-	 */
-	naliases = client->gabn.naliases;
-	if (naliases < LWRES_MAX_ALIASES) {
-		client->gabn.aliases[naliases] = client->gabn.realname;
-		client->gabn.aliaslen[naliases] = client->gabn.realnamelen;
-		client->gabn.naliases++;
-	}
-
-	/*
-	 * Save this name away as the current real name.
-	 */
-	client->gabn.realname = (char *)(b.base) + b.used;
-	client->gabn.realnamelen = client->recv_buffer.used - b.used;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-store_realname(ns_lwdclient_t *client) {
-	isc_buffer_t b;
-	isc_result_t result;
-	dns_name_t *tname;
-
-	b = client->recv_buffer;
-
-	tname = dns_fixedname_name(&client->target_name);
-	result = ns_lwsearchctx_current(&client->searchctx, tname);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Render the new name to the buffer.
-	 */
-	result = dns_name_totext(tname, ISC_TRUE, &client->recv_buffer);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Save this name away as the current real name.
-	 */
-	client->gabn.realname = (char *) b.base + b.used;
-	client->gabn.realnamelen = client->recv_buffer.used - b.used;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-process_gabn_finddone(isc_task_t *task, isc_event_t *ev) {
-	ns_lwdclient_t *client = ev->ev_arg;
-	isc_eventtype_t evtype;
-	isc_boolean_t claimed;
-
-	ns_lwdclient_log(50, "find done for task %p, client %p", task, client);
-
-	evtype = ev->ev_type;
-	isc_event_free(&ev);
-
-	/*
-	 * No more info to be had?  If so, we have all the good stuff
-	 * right now, so we can render things.
-	 */
-	claimed = ISC_FALSE;
-	if (evtype == DNS_EVENT_ADBNOMOREADDRESSES) {
-		if (NEED_V4(client)) {
-			client->v4find = client->find;
-			claimed = ISC_TRUE;
-		}
-		if (NEED_V6(client)) {
-			client->v6find = client->find;
-			claimed = ISC_TRUE;
-		}
-		if (client->find != NULL) {
-			if (claimed)
-				client->find = NULL;
-			else
-				dns_adb_destroyfind(&client->find);
-
-		}
-		generate_reply(client);
-		return;
-	}
-
-	/*
-	 * We probably don't need this find anymore.  We're either going to
-	 * reissue it, or an error occurred.  Either way, we're done with
-	 * it.
-	 */
-	if ((client->find != client->v4find)
-	    && (client->find != client->v6find)) {
-		dns_adb_destroyfind(&client->find);
-	} else {
-		client->find = NULL;
-	}
-
-	/*
-	 * We have some new information we can gather.  Run off and fetch
-	 * it.
-	 */
-	if (evtype == DNS_EVENT_ADBMOREADDRESSES) {
-		restart_find(client);
-		return;
-	}
-
-	/*
-	 * An error or other strangeness happened.  Drop this query.
-	 */
-	cleanup_gabn(client);
-	ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
-
-static void
-restart_find(ns_lwdclient_t *client) {
-	unsigned int options;
-	isc_result_t result;
-	isc_boolean_t claimed;
-
-	ns_lwdclient_log(50, "starting find for client %p", client);
-
-	/*
-	 * Issue a find for the name contained in the request.  We won't
-	 * set the bit that says "anything is good enough" -- we want it
-	 * all.
-	 */
-	options = 0;
-	options |= DNS_ADBFIND_WANTEVENT;
-	options |= DNS_ADBFIND_RETURNLAME;
-
-	/*
-	 * Set the bits up here to mark that we want this address family
-	 * and that we do not currently have a find pending.  We will
-	 * set that bit again below if it turns out we will get an event.
-	 */
-	if (NEED_V4(client))
-		options |= DNS_ADBFIND_INET;
-	if (NEED_V6(client))
-		options |= DNS_ADBFIND_INET6;
-
- find_again:
-	INSIST(client->find == NULL);
-	result = dns_adb_createfind(client->clientmgr->view->adb,
-				    client->clientmgr->task,
-				    process_gabn_finddone, client,
-				    dns_fixedname_name(&client->target_name),
-				    dns_rootname, 0, options, 0,
-				    dns_fixedname_name(&client->target_name),
-				    client->clientmgr->view->dstport,
-				    &client->find);
-
-	/*
-	 * Did we get an alias?  If so, save it and re-issue the query.
-	 */
-	if (result == DNS_R_ALIAS) {
-		ns_lwdclient_log(50, "found alias, restarting query");
-		dns_adb_destroyfind(&client->find);
-		cleanup_gabn(client);
-		result = add_alias(client);
-		if (result != ISC_R_SUCCESS) {
-			ns_lwdclient_log(50,
-					 "out of buffer space adding alias");
-			ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-			return;
-		}
-		goto find_again;
-	}
-
-	ns_lwdclient_log(50, "find returned %d (%s)", result,
-			 isc_result_totext(result));
-
-	/*
-	 * Did we get an error?
-	 */
-	if (result != ISC_R_SUCCESS) {
-		if (client->find != NULL)
-			dns_adb_destroyfind(&client->find);
-		cleanup_gabn(client);
-		ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-		return;
-	}
-
-	claimed = ISC_FALSE;
-
-	/*
-	 * Did we get our answer to V4 addresses?
-	 */
-	if (NEED_V4(client)
-	    && ((client->find->query_pending & DNS_ADBFIND_INET) == 0)) {
-		ns_lwdclient_log(50, "client %p ipv4 satisfied by find %p",
-				 client, client->find);
-		claimed = ISC_TRUE;
-		client->v4find = client->find;
-	}
-
-	/*
-	 * Did we get our answer to V6 addresses?
-	 */
-	if (NEED_V6(client)
-	    && ((client->find->query_pending & DNS_ADBFIND_INET6) == 0)) {
-		ns_lwdclient_log(50, "client %p ipv6 satisfied by find %p",
-				 client, client->find);
-		claimed = ISC_TRUE;
-		client->v6find = client->find;
-	}
-
-	/*
-	 * If we're going to get an event, set our internal pending flag
-	 * and return.  When we get an event back we'll do the right
-	 * thing, basically by calling this function again, perhaps with a
-	 * new target name.
-	 *
-	 * If we have both v4 and v6, and we are still getting an event,
-	 * we have a programming error, so die hard.
-	 */
-	if ((client->find->options & DNS_ADBFIND_WANTEVENT) != 0) {
-		ns_lwdclient_log(50, "event will be sent");
-		INSIST(client->v4find == NULL || client->v6find == NULL);
-		return;
-	}
-	ns_lwdclient_log(50, "no event will be sent");
-	if (claimed)
-		client->find = NULL;
-	else
-		dns_adb_destroyfind(&client->find);
-
-	/*
-	 * We seem to have everything we asked for, or at least we are
-	 * able to respond with things we've learned.
-	 */
-
-	generate_reply(client);
-}
-
-static isc_result_t
-start_find(ns_lwdclient_t *client) {
-	isc_result_t result;
-
-	/*
-	 * Initialize the real name and alias arrays in the reply we're
-	 * going to build up.
-	 */
-	init_gabn(client);
-
-	result = store_realname(client);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	restart_find(client);
-	return (ISC_R_SUCCESS);
-
-}
-
-static void
-init_gabn(ns_lwdclient_t *client) {
-	int i;
-
-	/*
-	 * Initialize the real name and alias arrays in the reply we're
-	 * going to build up.
-	 */
-	for (i = 0; i < LWRES_MAX_ALIASES; i++) {
-		client->aliases[i] = NULL;
-		client->aliaslen[i] = 0;
-	}
-	for (i = 0; i < LWRES_MAX_ADDRS; i++) {
-		client->addrs[i].family = 0;
-		client->addrs[i].length = 0;
-		memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN);
-		LWRES_LINK_INIT(&client->addrs[i], link);
-	}
-
-	client->gabn.naliases = 0;
-	client->gabn.naddrs = 0;
-	client->gabn.realname = NULL;
-	client->gabn.aliases = client->aliases;
-	client->gabn.realnamelen = 0;
-	client->gabn.aliaslen = client->aliaslen;
-	LWRES_LIST_INIT(client->gabn.addrs);
-	client->gabn.base = NULL;
-	client->gabn.baselen = 0;
-
-	/*
-	 * Set up the internal buffer to point to the receive region.
-	 */
-	isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH);
-}
-
-/*
- * When we are called, we can be assured that:
- *
- *	client->sockaddr contains the address we need to reply to,
- *
- *	client->pkt contains the packet header data,
- *
- *	the packet "checks out" overall -- any MD5 hashes or crypto
- *	bits have been verified,
- *
- *	"b" points to the remaining data after the packet header
- *	was parsed off.
- *
- *	We are in a the RECVDONE state.
- *
- * From this state we will enter the SEND state if we happen to have
- * everything we need or we need to return an error packet, or to the
- * FINDWAIT state if we need to look things up.
- */
-void
-ns_lwdclient_processgabn(ns_lwdclient_t *client, lwres_buffer_t *b) {
-	isc_result_t result;
-	lwres_gabnrequest_t *req;
-	ns_lwdclientmgr_t *cm;
-	isc_buffer_t namebuf;
-
-	REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
-
-	cm = client->clientmgr;
-	req = NULL;
-
-	result = lwres_gabnrequest_parse(client->clientmgr->lwctx,
-					 b, &client->pkt, &req);
-	if (result != LWRES_R_SUCCESS)
-		goto out;
-	if (req->name == NULL)
-		goto out;
-
-	isc_buffer_init(&namebuf, req->name, req->namelen);
-	isc_buffer_add(&namebuf, req->namelen);
-
-	dns_fixedname_init(&client->target_name);
-	dns_fixedname_init(&client->query_name);
-	result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
-				   &namebuf, NULL, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto out;
-	ns_lwsearchctx_init(&client->searchctx,
-			    cm->listener->manager->search,
-			    dns_fixedname_name(&client->query_name),
-			    cm->listener->manager->ndots);
-	ns_lwsearchctx_first(&client->searchctx);
-
-	client->find_wanted = req->addrtypes;
-	ns_lwdclient_log(50, "client %p looking for addrtypes %08x",
-			 client, client->find_wanted);
-
-	/*
-	 * We no longer need to keep this around.
-	 */
-	lwres_gabnrequest_free(client->clientmgr->lwctx, &req);
-
-	/*
-	 * Start the find.
-	 */
-	result = start_find(client);
-	if (result != ISC_R_SUCCESS)
-		goto out;
-
-	return;
-
-	/*
-	 * We're screwed.  Return an error packet to our caller.
-	 */
- out:
-	if (req != NULL)
-		lwres_gabnrequest_free(client->clientmgr->lwctx, &req);
-
-	ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/contrib/bind9/bin/named/lwdgnba.c b/contrib/bind9/bin/named/lwdgnba.c
deleted file mode 100644
index dfc2ad6..0000000
--- a/contrib/bind9/bin/named/lwdgnba.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdgnba.c,v 1.22 2008/01/14 23:46:56 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/socket.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/byaddr.h>
-#include <dns/result.h>
-
-#include <named/types.h>
-#include <named/lwdclient.h>
-
-static void start_byaddr(ns_lwdclient_t *);
-
-static void
-byaddr_done(isc_task_t *task, isc_event_t *event) {
-	ns_lwdclient_t *client;
-	ns_lwdclientmgr_t *cm;
-	dns_byaddrevent_t *bevent;
-	int lwres;
-	lwres_buffer_t lwb;
-	dns_name_t *name;
-	isc_result_t result;
-	lwres_result_t lwresult;
-	isc_region_t r;
-	isc_buffer_t b;
-	lwres_gnbaresponse_t *gnba;
-	isc_uint16_t naliases;
-
-	UNUSED(task);
-
-	lwb.base = NULL;
-	client = event->ev_arg;
-	cm = client->clientmgr;
-	INSIST(client->byaddr == (dns_byaddr_t *)event->ev_sender);
-
-	bevent = (dns_byaddrevent_t *)event;
-	gnba = &client->gnba;
-
-	ns_lwdclient_log(50, "byaddr event result = %s",
-			 isc_result_totext(bevent->result));
-
-	result = bevent->result;
-	if (result != ISC_R_SUCCESS) {
-		dns_byaddr_destroy(&client->byaddr);
-		isc_event_free(&event);
-		bevent = NULL;
-
-		if (client->na.family != AF_INET6 ||
-		    (client->options & DNS_BYADDROPT_IPV6INT) != 0) {
-			if (result == DNS_R_NCACHENXDOMAIN ||
-			    result == DNS_R_NCACHENXRRSET ||
-			    result == DNS_R_NXDOMAIN ||
-			    result == DNS_R_NXRRSET)
-				lwresult = LWRES_R_NOTFOUND;
-			else
-				lwresult = LWRES_R_FAILURE;
-			ns_lwdclient_errorpktsend(client, lwresult);
-			return;
-		}
-
-		/*
-		 * Fall back to ip6.int reverse if the default ip6.arpa
-		 * fails.
-		 */
-		client->options |= DNS_BYADDROPT_IPV6INT;
-
-		start_byaddr(client);
-		return;
-	}
-
-	for (name = ISC_LIST_HEAD(bevent->names);
-	     name != NULL;
-	     name = ISC_LIST_NEXT(name, link))
-	{
-		b = client->recv_buffer;
-
-		result = dns_name_totext(name, ISC_TRUE, &client->recv_buffer);
-		if (result != ISC_R_SUCCESS)
-			goto out;
-		ns_lwdclient_log(50, "found name '%.*s'",
-				 (int)(client->recv_buffer.used - b.used),
-				 (char *)(b.base) + b.used);
-		if (gnba->realname == NULL) {
-			gnba->realname = (char *)(b.base) + b.used;
-			gnba->realnamelen = client->recv_buffer.used - b.used;
-		} else {
-			naliases = gnba->naliases;
-			if (naliases >= LWRES_MAX_ALIASES)
-				break;
-			gnba->aliases[naliases] = (char *)(b.base) + b.used;
-			gnba->aliaslen[naliases] =
-				client->recv_buffer.used - b.used;
-			gnba->naliases++;
-		}
-	}
-
-	dns_byaddr_destroy(&client->byaddr);
-	isc_event_free(&event);
-
-	/*
-	 * Render the packet.
-	 */
-	client->pkt.recvlength = LWRES_RECVLENGTH;
-	client->pkt.authtype = 0; /* XXXMLG */
-	client->pkt.authlength = 0;
-	client->pkt.result = LWRES_R_SUCCESS;
-
-	lwres = lwres_gnbaresponse_render(cm->lwctx,
-					  gnba, &client->pkt, &lwb);
-	if (lwres != LWRES_R_SUCCESS)
-		goto out;
-
-	r.base = lwb.base;
-	r.length = lwb.used;
-	client->sendbuf = r.base;
-	client->sendlength = r.length;
-	result = ns_lwdclient_sendreply(client, &r);
-	if (result != ISC_R_SUCCESS)
-		goto out;
-
-	NS_LWDCLIENT_SETSEND(client);
-
-	return;
-
- out:
-	if (client->byaddr != NULL)
-		dns_byaddr_destroy(&client->byaddr);
-	if (lwb.base != NULL)
-		lwres_context_freemem(cm->lwctx,
-				      lwb.base, lwb.length);
-
-	if (event != NULL)
-		isc_event_free(&event);
-}
-
-static void
-start_byaddr(ns_lwdclient_t *client) {
-	isc_result_t result;
-	ns_lwdclientmgr_t *cm;
-
-	cm = client->clientmgr;
-
-	INSIST(client->byaddr == NULL);
-
-	result = dns_byaddr_create(cm->mctx, &client->na, cm->view,
-				   client->options, cm->task, byaddr_done,
-				   client, &client->byaddr);
-	if (result != ISC_R_SUCCESS) {
-		ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-		return;
-	}
-}
-
-static void
-init_gnba(ns_lwdclient_t *client) {
-	int i;
-
-	/*
-	 * Initialize the real name and alias arrays in the reply we're
-	 * going to build up.
-	 */
-	for (i = 0; i < LWRES_MAX_ALIASES; i++) {
-		client->aliases[i] = NULL;
-		client->aliaslen[i] = 0;
-	}
-	for (i = 0; i < LWRES_MAX_ADDRS; i++) {
-		client->addrs[i].family = 0;
-		client->addrs[i].length = 0;
-		memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN);
-		LWRES_LINK_INIT(&client->addrs[i], link);
-	}
-
-	client->gnba.naliases = 0;
-	client->gnba.realname = NULL;
-	client->gnba.aliases = client->aliases;
-	client->gnba.realnamelen = 0;
-	client->gnba.aliaslen = client->aliaslen;
-	client->gnba.base = NULL;
-	client->gnba.baselen = 0;
-	isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH);
-}
-
-void
-ns_lwdclient_processgnba(ns_lwdclient_t *client, lwres_buffer_t *b) {
-	lwres_gnbarequest_t *req;
-	isc_result_t result;
-	isc_sockaddr_t sa;
-	ns_lwdclientmgr_t *cm;
-
-	REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
-	INSIST(client->byaddr == NULL);
-
-	cm = client->clientmgr;
-	req = NULL;
-
-	result = lwres_gnbarequest_parse(cm->lwctx,
-					 b, &client->pkt, &req);
-	if (result != LWRES_R_SUCCESS)
-		goto out;
-
-	client->options = 0;
-	if (req->addr.family == LWRES_ADDRTYPE_V4) {
-		client->na.family = AF_INET;
-		if (req->addr.length != 4)
-			goto out;
-		memcpy(&client->na.type.in, req->addr.address, 4);
-	} else if (req->addr.family == LWRES_ADDRTYPE_V6) {
-		client->na.family = AF_INET6;
-		if (req->addr.length != 16)
-			goto out;
-		memcpy(&client->na.type.in6, req->addr.address, 16);
-	} else {
-		goto out;
-	}
-	isc_sockaddr_fromnetaddr(&sa, &client->na, 53);
-
-	ns_lwdclient_log(50, "client %p looking for addrtype %08x",
-			 client, req->addr.family);
-
-	/*
-	 * We no longer need to keep this around.
-	 */
-	lwres_gnbarequest_free(cm->lwctx, &req);
-
-	/*
-	 * Initialize the real name and alias arrays in the reply we're
-	 * going to build up.
-	 */
-	init_gnba(client);
-	client->options = 0;
-
-	/*
-	 * Start the find.
-	 */
-	start_byaddr(client);
-
-	return;
-
-	/*
-	 * We're screwed.  Return an error packet to our caller.
-	 */
- out:
-	if (req != NULL)
-		lwres_gnbarequest_free(cm->lwctx, &req);
-
-	ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/contrib/bind9/bin/named/lwdgrbn.c b/contrib/bind9/bin/named/lwdgrbn.c
deleted file mode 100644
index 5c858cb..0000000
--- a/contrib/bind9/bin/named/lwdgrbn.c
+++ /dev/null
@@ -1,513 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdgrbn.c,v 1.22 2009/09/02 23:48:01 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/socket.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/lookup.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-#include <named/types.h>
-#include <named/lwdclient.h>
-#include <named/lwresd.h>
-#include <named/lwsearch.h>
-
-static void start_lookup(ns_lwdclient_t *);
-
-static isc_result_t
-fill_array(int *pos, dns_rdataset_t *rdataset,
-	   int size, unsigned char **rdatas, lwres_uint16_t *rdatalen)
-{
-	dns_rdata_t rdata;
-	isc_result_t result;
-	isc_region_t r;
-
-	UNUSED(size);
-
-	dns_rdata_init(&rdata);
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset))
-	{
-		INSIST(*pos < size);
-		dns_rdataset_current(rdataset, &rdata);
-		dns_rdata_toregion(&rdata, &r);
-		rdatas[*pos] = r.base;
-		rdatalen[*pos] = r.length;
-		dns_rdata_reset(&rdata);
-		(*pos)++;
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-static isc_result_t
-iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node,
-	     isc_mem_t *mctx)
-{
-	int used = 0, count;
-	int size = 8, oldsize = 0;
-	unsigned char **rdatas = NULL, **oldrdatas = NULL, **newrdatas = NULL;
-	lwres_uint16_t *lens = NULL, *oldlens = NULL, *newlens = NULL;
-	dns_rdatasetiter_t *iter = NULL;
-	dns_rdataset_t set;
-	dns_ttl_t ttl = ISC_INT32_MAX;
-	lwres_uint32_t flags = LWRDATA_VALIDATED;
-	isc_result_t result = ISC_R_NOMEMORY;
-
-	result = dns_db_allrdatasets(db, node, NULL, 0, &iter);
-	if (result != ISC_R_SUCCESS)
-		goto out;
-
-	rdatas = isc_mem_get(mctx, size * sizeof(*rdatas));
-	if (rdatas == NULL)
-		goto out;
-	lens = isc_mem_get(mctx, size * sizeof(*lens));
-	if (lens == NULL)
-		goto out;
-
-	for (result = dns_rdatasetiter_first(iter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(iter))
-	{
-		result = ISC_R_NOMEMORY;
-		dns_rdataset_init(&set);
-		dns_rdatasetiter_current(iter, &set);
-
-		if (set.type != dns_rdatatype_rrsig) {
-			dns_rdataset_disassociate(&set);
-			continue;
-		}
-
-		count = dns_rdataset_count(&set);
-		if (used + count > size) {
-			/* copy & reallocate */
-			oldsize = size;
-			oldrdatas = rdatas;
-			oldlens = lens;
-			rdatas = NULL;
-			lens = NULL;
-
-			size *= 2;
-
-			rdatas = isc_mem_get(mctx, size * sizeof(*rdatas));
-			if (rdatas == NULL)
-				goto out;
-			lens = isc_mem_get(mctx, size * sizeof(*lens));
-			if (lens == NULL)
-				goto out;
-			memcpy(rdatas, oldrdatas, used * sizeof(*rdatas));
-			memcpy(lens, oldlens, used * sizeof(*lens));
-			isc_mem_put(mctx, oldrdatas,
-				    oldsize * sizeof(*oldrdatas));
-			isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens));
-			oldrdatas = NULL;
-			oldlens = NULL;
-		}
-		if (set.ttl < ttl)
-			ttl = set.ttl;
-		if (set.trust != dns_trust_secure)
-			flags &= (~LWRDATA_VALIDATED);
-		result = fill_array(&used, &set, size, rdatas, lens);
-		dns_rdataset_disassociate(&set);
-		if (result != ISC_R_SUCCESS)
-			goto out;
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	if (result != ISC_R_SUCCESS)
-		goto out;
-	dns_rdatasetiter_destroy(&iter);
-
-	/*
-	 * If necessary, shrink and copy the arrays.
-	 */
-	if (size != used) {
-		result = ISC_R_NOMEMORY;
-		newrdatas = isc_mem_get(mctx, used * sizeof(*rdatas));
-		if (newrdatas == NULL)
-			goto out;
-		newlens = isc_mem_get(mctx, used * sizeof(*lens));
-		if (newlens == NULL)
-			goto out;
-		memcpy(newrdatas, rdatas, used * sizeof(*rdatas));
-		memcpy(newlens, lens, used * sizeof(*lens));
-		isc_mem_put(mctx, rdatas, size * sizeof(*rdatas));
-		isc_mem_put(mctx, lens, size * sizeof(*lens));
-		grbn->rdatas = newrdatas;
-		grbn->rdatalen = newlens;
-	} else {
-		grbn->rdatas = rdatas;
-		grbn->rdatalen = lens;
-	}
-	grbn->nrdatas = used;
-	grbn->ttl = ttl;
-	grbn->flags = flags;
-	return (ISC_R_SUCCESS);
-
- out:
-	dns_rdatasetiter_destroy(&iter);
-	if (rdatas != NULL)
-		isc_mem_put(mctx, rdatas, size * sizeof(*rdatas));
-	if (lens != NULL)
-		isc_mem_put(mctx, lens, size * sizeof(*lens));
-	if (oldrdatas != NULL)
-		isc_mem_put(mctx, oldrdatas, oldsize * sizeof(*oldrdatas));
-	if (oldlens != NULL)
-		isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens));
-	if (newrdatas != NULL)
-		isc_mem_put(mctx, newrdatas, used * sizeof(*oldrdatas));
-	return (result);
-}
-
-static void
-lookup_done(isc_task_t *task, isc_event_t *event) {
-	ns_lwdclient_t *client;
-	ns_lwdclientmgr_t *cm;
-	dns_lookupevent_t *levent;
-	lwres_buffer_t lwb;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	dns_rdataset_t *sigrdataset;
-	isc_result_t result;
-	lwres_result_t lwresult;
-	isc_region_t r;
-	isc_buffer_t b;
-	lwres_grbnresponse_t *grbn;
-	int i;
-
-	UNUSED(task);
-
-	lwb.base = NULL;
-	client = event->ev_arg;
-	cm = client->clientmgr;
-	INSIST(client->lookup == (dns_lookup_t *)event->ev_sender);
-
-	levent = (dns_lookupevent_t *)event;
-	grbn = &client->grbn;
-
-	ns_lwdclient_log(50, "lookup event result = %s",
-			 isc_result_totext(levent->result));
-
-	result = levent->result;
-	if (result != ISC_R_SUCCESS) {
-		dns_lookup_destroy(&client->lookup);
-		isc_event_free(&event);
-		levent = NULL;
-
-		switch (result) {
-		case DNS_R_NXDOMAIN:
-		case DNS_R_NCACHENXDOMAIN:
-			result = ns_lwsearchctx_next(&client->searchctx);
-			if (result != ISC_R_SUCCESS)
-				lwresult = LWRES_R_NOTFOUND;
-			else {
-				start_lookup(client);
-				return;
-			}
-			break;
-		case DNS_R_NXRRSET:
-		case DNS_R_NCACHENXRRSET:
-			lwresult = LWRES_R_TYPENOTFOUND;
-			break;
-		default:
-			lwresult = LWRES_R_FAILURE;
-		}
-		ns_lwdclient_errorpktsend(client, lwresult);
-		return;
-	}
-
-	name = levent->name;
-	b = client->recv_buffer;
-
-	grbn->flags = 0;
-
-	grbn->nrdatas = 0;
-	grbn->rdatas = NULL;
-	grbn->rdatalen = NULL;
-
-	grbn->nsigs = 0;
-	grbn->sigs = NULL;
-	grbn->siglen = NULL;
-
-	result = dns_name_totext(name, ISC_TRUE, &client->recv_buffer);
-	if (result != ISC_R_SUCCESS)
-		goto out;
-	grbn->realname = (char *)isc_buffer_used(&b);
-	grbn->realnamelen = isc_buffer_usedlength(&client->recv_buffer) -
-			    isc_buffer_usedlength(&b);
-	ns_lwdclient_log(50, "found name '%.*s'", grbn->realnamelen,
-			 grbn->realname);
-
-	grbn->rdclass = cm->view->rdclass;
-	grbn->rdtype = client->rdtype;
-
-	rdataset = levent->rdataset;
-	if (rdataset != NULL) {
-		/* The normal case */
-		grbn->nrdatas = dns_rdataset_count(rdataset);
-		grbn->rdatas = isc_mem_get(cm->mctx, grbn->nrdatas *
-					   sizeof(unsigned char *));
-		if (grbn->rdatas == NULL)
-			goto out;
-		grbn->rdatalen = isc_mem_get(cm->mctx, grbn->nrdatas *
-					     sizeof(lwres_uint16_t));
-		if (grbn->rdatalen == NULL)
-			goto out;
-
-		i = 0;
-		result = fill_array(&i, rdataset, grbn->nrdatas, grbn->rdatas,
-				    grbn->rdatalen);
-		if (result != ISC_R_SUCCESS)
-			goto out;
-		INSIST(i == grbn->nrdatas);
-		grbn->ttl = rdataset->ttl;
-		if (rdataset->trust == dns_trust_secure)
-			grbn->flags |= LWRDATA_VALIDATED;
-	} else {
-		/* The SIG query case */
-		result = iterate_node(grbn, levent->db, levent->node,
-				      cm->mctx);
-		if (result != ISC_R_SUCCESS)
-			goto out;
-	}
-	ns_lwdclient_log(50, "filled in %d rdata%s", grbn->nrdatas,
-			 (grbn->nrdatas == 1) ? "" : "s");
-
-	sigrdataset = levent->sigrdataset;
-	if (sigrdataset != NULL) {
-		grbn->nsigs = dns_rdataset_count(sigrdataset);
-		grbn->sigs = isc_mem_get(cm->mctx, grbn->nsigs *
-					 sizeof(unsigned char *));
-		if (grbn->sigs == NULL)
-			goto out;
-		grbn->siglen = isc_mem_get(cm->mctx, grbn->nsigs *
-					   sizeof(lwres_uint16_t));
-		if (grbn->siglen == NULL)
-			goto out;
-
-		i = 0;
-		result = fill_array(&i, sigrdataset, grbn->nsigs, grbn->sigs,
-				    grbn->siglen);
-		if (result != ISC_R_SUCCESS)
-			goto out;
-		INSIST(i == grbn->nsigs);
-		ns_lwdclient_log(50, "filled in %d signature%s", grbn->nsigs,
-				 (grbn->nsigs == 1) ? "" : "s");
-	}
-
-	dns_lookup_destroy(&client->lookup);
-	isc_event_free(&event);
-
-	/*
-	 * Render the packet.
-	 */
-	client->pkt.recvlength = LWRES_RECVLENGTH;
-	client->pkt.authtype = 0; /* XXXMLG */
-	client->pkt.authlength = 0;
-	client->pkt.result = LWRES_R_SUCCESS;
-
-	lwresult = lwres_grbnresponse_render(cm->lwctx,
-					     grbn, &client->pkt, &lwb);
-	if (lwresult != LWRES_R_SUCCESS)
-		goto out;
-
-	isc_mem_put(cm->mctx, grbn->rdatas,
-		    grbn->nrdatas * sizeof(unsigned char *));
-	isc_mem_put(cm->mctx, grbn->rdatalen,
-		    grbn->nrdatas * sizeof(lwres_uint16_t));
-
-	if (grbn->sigs != NULL)
-		isc_mem_put(cm->mctx, grbn->sigs,
-			    grbn->nsigs * sizeof(unsigned char *));
-	if (grbn->siglen != NULL)
-		isc_mem_put(cm->mctx, grbn->siglen,
-			    grbn->nsigs * sizeof(lwres_uint16_t));
-
-	r.base = lwb.base;
-	r.length = lwb.used;
-	client->sendbuf = r.base;
-	client->sendlength = r.length;
-	result = ns_lwdclient_sendreply(client, &r);
-	if (result != ISC_R_SUCCESS)
-		goto out2;
-
-	NS_LWDCLIENT_SETSEND(client);
-
-	return;
-
- out:
-	if (grbn->rdatas != NULL)
-		isc_mem_put(cm->mctx, grbn->rdatas,
-			    grbn->nrdatas * sizeof(unsigned char *));
-	if (grbn->rdatalen != NULL)
-		isc_mem_put(cm->mctx, grbn->rdatalen,
-			    grbn->nrdatas * sizeof(lwres_uint16_t));
-
-	if (grbn->sigs != NULL)
-		isc_mem_put(cm->mctx, grbn->sigs,
-			    grbn->nsigs * sizeof(unsigned char *));
-	if (grbn->siglen != NULL)
-		isc_mem_put(cm->mctx, grbn->siglen,
-			    grbn->nsigs * sizeof(lwres_uint16_t));
- out2:
-	if (client->lookup != NULL)
-		dns_lookup_destroy(&client->lookup);
-	if (lwb.base != NULL)
-		lwres_context_freemem(cm->lwctx, lwb.base, lwb.length);
-
-	if (event != NULL)
-		isc_event_free(&event);
-
-	ns_lwdclient_log(50, "error constructing getrrsetbyname response");
-	ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
-
-static void
-start_lookup(ns_lwdclient_t *client) {
-	isc_result_t result;
-	ns_lwdclientmgr_t *cm;
-	dns_fixedname_t absname;
-
-	cm = client->clientmgr;
-
-	INSIST(client->lookup == NULL);
-
-	dns_fixedname_init(&absname);
-	result = ns_lwsearchctx_current(&client->searchctx,
-					dns_fixedname_name(&absname));
-	/*
-	 * This will return failure if relative name + suffix is too long.
-	 * In this case, just go on to the next entry in the search path.
-	 */
-	if (result != ISC_R_SUCCESS)
-		start_lookup(client);
-
-	result = dns_lookup_create(cm->mctx,
-				   dns_fixedname_name(&absname),
-				   client->rdtype, cm->view,
-				   client->options, cm->task, lookup_done,
-				   client, &client->lookup);
-	if (result != ISC_R_SUCCESS) {
-		ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-		return;
-	}
-}
-
-static void
-init_grbn(ns_lwdclient_t *client) {
-	client->grbn.rdclass = 0;
-	client->grbn.rdtype = 0;
-	client->grbn.ttl = 0;
-	client->grbn.nrdatas = 0;
-	client->grbn.realname = NULL;
-	client->grbn.realnamelen = 0;
-	client->grbn.rdatas = 0;
-	client->grbn.rdatalen = 0;
-	client->grbn.base = NULL;
-	client->grbn.baselen = 0;
-	isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH);
-}
-
-void
-ns_lwdclient_processgrbn(ns_lwdclient_t *client, lwres_buffer_t *b) {
-	lwres_grbnrequest_t *req;
-	isc_result_t result;
-	ns_lwdclientmgr_t *cm;
-	isc_buffer_t namebuf;
-
-	REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
-	INSIST(client->byaddr == NULL);
-
-	cm = client->clientmgr;
-	req = NULL;
-
-	result = lwres_grbnrequest_parse(cm->lwctx,
-					 b, &client->pkt, &req);
-	if (result != LWRES_R_SUCCESS)
-		goto out;
-	if (req->name == NULL)
-		goto out;
-
-	client->options = 0;
-	if (req->rdclass != cm->view->rdclass)
-		goto out;
-
-	if (req->rdclass == dns_rdataclass_any ||
-	    req->rdtype == dns_rdatatype_any)
-		goto out;
-
-	client->rdtype = req->rdtype;
-
-	isc_buffer_init(&namebuf, req->name, req->namelen);
-	isc_buffer_add(&namebuf, req->namelen);
-
-	dns_fixedname_init(&client->query_name);
-	result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
-				   &namebuf, NULL, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto out;
-	ns_lwsearchctx_init(&client->searchctx,
-			    cm->listener->manager->search,
-			    dns_fixedname_name(&client->query_name),
-			    cm->listener->manager->ndots);
-	ns_lwsearchctx_first(&client->searchctx);
-
-	ns_lwdclient_log(50, "client %p looking for type %d",
-			 client, client->rdtype);
-
-	/*
-	 * We no longer need to keep this around.
-	 */
-	lwres_grbnrequest_free(cm->lwctx, &req);
-
-	/*
-	 * Initialize the real name and alias arrays in the reply we're
-	 * going to build up.
-	 */
-	init_grbn(client);
-
-	/*
-	 * Start the find.
-	 */
-	start_lookup(client);
-
-	return;
-
-	/*
-	 * We're screwed.  Return an error packet to our caller.
-	 */
- out:
-	if (req != NULL)
-		lwres_grbnrequest_free(cm->lwctx, &req);
-
-	ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/contrib/bind9/bin/named/lwdnoop.c b/contrib/bind9/bin/named/lwdnoop.c
deleted file mode 100644
index 14d8e0c..0000000
--- a/contrib/bind9/bin/named/lwdnoop.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdnoop.c,v 1.13 2008/01/22 23:28:04 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/socket.h>
-#include <isc/util.h>
-
-#include <named/types.h>
-#include <named/lwdclient.h>
-
-void
-ns_lwdclient_processnoop(ns_lwdclient_t *client, lwres_buffer_t *b) {
-	lwres_nooprequest_t *req;
-	lwres_noopresponse_t resp;
-	isc_result_t result;
-	lwres_result_t lwres;
-	isc_region_t r;
-	lwres_buffer_t lwb;
-
-	REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
-	INSIST(client->byaddr == NULL);
-
-	req = NULL;
-
-	result = lwres_nooprequest_parse(client->clientmgr->lwctx,
-					 b, &client->pkt, &req);
-	if (result != LWRES_R_SUCCESS)
-		goto send_error;
-
-	client->pkt.recvlength = LWRES_RECVLENGTH;
-	client->pkt.authtype = 0; /* XXXMLG */
-	client->pkt.authlength = 0;
-	client->pkt.result = LWRES_R_SUCCESS;
-
-	resp.datalength = req->datalength;
-	resp.data = req->data;
-
-	lwres = lwres_noopresponse_render(client->clientmgr->lwctx, &resp,
-					  &client->pkt, &lwb);
-	if (lwres != LWRES_R_SUCCESS)
-		goto cleanup_req;
-
-	r.base = lwb.base;
-	r.length = lwb.used;
-	client->sendbuf = r.base;
-	client->sendlength = r.length;
-	result = ns_lwdclient_sendreply(client, &r);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lwb;
-
-	/*
-	 * We can now destroy request.
-	 */
-	lwres_nooprequest_free(client->clientmgr->lwctx, &req);
-
-	NS_LWDCLIENT_SETSEND(client);
-
-	return;
-
- cleanup_lwb:
-	lwres_context_freemem(client->clientmgr->lwctx, lwb.base, lwb.length);
-
- cleanup_req:
-	lwres_nooprequest_free(client->clientmgr->lwctx, &req);
-
- send_error:
-	ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/contrib/bind9/bin/named/lwresd.8 b/contrib/bind9/bin/named/lwresd.8
deleted file mode 100644
index 47a6b78..0000000
--- a/contrib/bind9/bin/named/lwresd.8
+++ /dev/null
@@ -1,223 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwresd
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRESD" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwresd \- lightweight resolver daemon
-.SH "SYNOPSIS"
-.HP 7
-\fBlwresd\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-C\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fR\fB\fIpid\-file\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-P\ \fR\fB\fIport\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-4\fR] [\fB\-6\fR]
-.SH "DESCRIPTION"
-.PP
-\fBlwresd\fR
-is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver library. It is essentially a stripped\-down, caching\-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol.
-.PP
-\fBlwresd\fR
-listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that
-\fBlwresd\fR
-can only be used by processes running on the local machine. By default, UDP port number 921 is used for lightweight resolver requests and responses.
-.PP
-Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When the DNS lookup completes,
-\fBlwresd\fR
-encodes the answers in the lightweight resolver format and returns them to the client that made the request.
-.PP
-If
-\fI/etc/resolv.conf\fR
-contains any
-\fBnameserver\fR
-entries,
-\fBlwresd\fR
-sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no
-\fBnameserver\fR
-entries are present, or if forwarding fails,
-\fBlwresd\fR
-resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
-.SH "OPTIONS"
-.PP
-\-4
-.RS 4
-Use IPv4 only even if the host machine is capable of IPv6.
-\fB\-4\fR
-and
-\fB\-6\fR
-are mutually exclusive.
-.RE
-.PP
-\-6
-.RS 4
-Use IPv6 only even if the host machine is capable of IPv4.
-\fB\-4\fR
-and
-\fB\-6\fR
-are mutually exclusive.
-.RE
-.PP
-\-c \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/lwresd.conf\fR.
-\fB\-c\fR
-can not be used with
-\fB\-C\fR.
-.RE
-.PP
-\-C \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/resolv.conf\fR.
-\fB\-C\fR
-can not be used with
-\fB\-c\fR.
-.RE
-.PP
-\-d \fIdebug\-level\fR
-.RS 4
-Set the daemon's debug level to
-\fIdebug\-level\fR. Debugging traces from
-\fBlwresd\fR
-become more verbose as the debug level increases.
-.RE
-.PP
-\-f
-.RS 4
-Run the server in the foreground (i.e. do not daemonize).
-.RE
-.PP
-\-g
-.RS 4
-Run the server in the foreground and force all logging to
-\fIstderr\fR.
-.RE
-.PP
-\-i \fIpid\-file\fR
-.RS 4
-Use
-\fIpid\-file\fR
-as the PID file instead of the default,
-\fI/var/run/lwresd/lwresd.pid\fR.
-.RE
-.PP
-\-m \fIflag\fR
-.RS 4
-Turn on memory usage debugging flags. Possible flags are
-\fIusage\fR,
-\fItrace\fR,
-\fIrecord\fR,
-\fIsize\fR, and
-\fImctx\fR. These correspond to the ISC_MEM_DEBUGXXXX flags described in
-\fI<isc/mem.h>\fR.
-.RE
-.PP
-\-n \fI#cpus\fR
-.RS 4
-Create
-\fI#cpus\fR
-worker threads to take advantage of multiple CPUs. If not specified,
-\fBlwresd\fR
-will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.RE
-.PP
-\-P \fIport\fR
-.RS 4
-Listen for lightweight resolver queries on port
-\fIport\fR. If not specified, the default is port 921.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Send DNS lookups to port
-\fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
-.RE
-.PP
-\-s
-.RS 4
-Write memory usage statistics to
-\fIstdout\fR
-on exit.
-.RS
-.B "Note:"
-This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-\fIdirectory\fR
-after processing the command line arguments, but before reading the configuration file.
-.RS
-.B "Warning:"
-This option should be used in conjunction with the
-\fB\-u\fR
-option, as chrooting a process running as root doesn't enhance security on most systems; the way
-\fBchroot(2)\fR
-is defined allows a process with root privileges to escape a chroot jail.
-.RE
-.RE
-.PP
-\-u \fIuser\fR
-.RS 4
-Setuid to
-\fIuser\fR
-after completing privileged operations, such as creating sockets that listen on privileged ports.
-.RE
-.PP
-\-v
-.RS 4
-Report the version number and exit.
-.RE
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.RS 4
-The default configuration file.
-.RE
-.PP
-\fI/var/run/lwresd.pid\fR
-.RS 4
-The default process\-id file.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBlwres\fR(3),
-\fBresolver\fR(5).
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/named/lwresd.c b/contrib/bind9/bin/named/lwresd.c
deleted file mode 100644
index 7ee2196..0000000
--- a/contrib/bind9/bin/named/lwresd.c
+++ /dev/null
@@ -1,869 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwresd.c,v 1.60 2009/09/02 23:48:01 tbox Exp $ */
-
-/*! \file
- * \brief
- * Main program for the Lightweight Resolver Daemon.
- *
- * To paraphrase the old saying about X11, "It's not a lightweight deamon
- * for resolvers, it's a deamon for lightweight resolvers".
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/list.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/socket.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <dns/log.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-#include <named/config.h>
-#include <named/globals.h>
-#include <named/log.h>
-#include <named/lwaddr.h>
-#include <named/lwresd.h>
-#include <named/lwdclient.h>
-#include <named/lwsearch.h>
-#include <named/server.h>
-
-#define LWRESD_MAGIC		ISC_MAGIC('L', 'W', 'R', 'D')
-#define VALID_LWRESD(l)		ISC_MAGIC_VALID(l, LWRESD_MAGIC)
-
-#define LWRESLISTENER_MAGIC	ISC_MAGIC('L', 'W', 'R', 'L')
-#define VALID_LWRESLISTENER(l)	ISC_MAGIC_VALID(l, LWRESLISTENER_MAGIC)
-
-/*!
- * The total number of clients we can handle will be NTASKS * NRECVS.
- */
-#define NTASKS		2	/*%< tasks to create to handle lwres queries */
-#define NRECVS		2	/*%< max clients per task */
-
-typedef ISC_LIST(ns_lwreslistener_t) ns_lwreslistenerlist_t;
-
-static ns_lwreslistenerlist_t listeners;
-static isc_mutex_t listeners_lock;
-static isc_once_t once = ISC_ONCE_INIT;
-
-
-static void
-initialize_mutex(void) {
-	RUNTIME_CHECK(isc_mutex_init(&listeners_lock) == ISC_R_SUCCESS);
-}
-
-
-/*%
- * Wrappers around our memory management stuff, for the lwres functions.
- */
-void *
-ns__lwresd_memalloc(void *arg, size_t size) {
-	return (isc_mem_get(arg, size));
-}
-
-void
-ns__lwresd_memfree(void *arg, void *mem, size_t size) {
-	isc_mem_put(arg, mem, size);
-}
-
-
-#define CHECK(op)						\
-	do { result = (op);					\
-		if (result != ISC_R_SUCCESS) goto cleanup;	\
-	} while (0)
-
-static isc_result_t
-buffer_putstr(isc_buffer_t *b, const char *s) {
-	unsigned int len = strlen(s);
-	if (isc_buffer_availablelength(b) <= len)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putmem(b, (const unsigned char *)s, len);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Convert a resolv.conf file into a config structure.
- */
-isc_result_t
-ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
-			   cfg_obj_t **configp)
-{
-	char text[4096];
-	char str[16];
-	isc_buffer_t b;
-	lwres_context_t *lwctx = NULL;
-	lwres_conf_t *lwc = NULL;
-	isc_sockaddr_t sa;
-	isc_netaddr_t na;
-	int i;
-	isc_result_t result;
-	lwres_result_t lwresult;
-
-	lwctx = NULL;
-	lwresult = lwres_context_create(&lwctx, mctx, ns__lwresd_memalloc,
-					ns__lwresd_memfree,
-					LWRES_CONTEXT_SERVERMODE);
-	if (lwresult != LWRES_R_SUCCESS) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-
-	lwresult = lwres_conf_parse(lwctx, lwresd_g_resolvconffile);
-	if (lwresult != LWRES_R_SUCCESS) {
-		result = DNS_R_SYNTAX;
-		goto cleanup;
-	}
-
-	lwc = lwres_conf_get(lwctx);
-	INSIST(lwc != NULL);
-
-	isc_buffer_init(&b, text, sizeof(text));
-
-	CHECK(buffer_putstr(&b, "options {\n"));
-
-	/*
-	 * Build the list of forwarders.
-	 */
-	if (lwc->nsnext > 0) {
-		CHECK(buffer_putstr(&b, "\tforwarders {\n"));
-
-		for (i = 0; i < lwc->nsnext; i++) {
-			CHECK(lwaddr_sockaddr_fromlwresaddr(
-							&sa,
-							&lwc->nameservers[i],
-							ns_g_port));
-			isc_netaddr_fromsockaddr(&na, &sa);
-			CHECK(buffer_putstr(&b, "\t\t"));
-			CHECK(isc_netaddr_totext(&na, &b));
-			CHECK(buffer_putstr(&b, ";\n"));
-		}
-		CHECK(buffer_putstr(&b, "\t};\n"));
-	}
-
-	/*
-	 * Build the sortlist
-	 */
-	if (lwc->sortlistnxt > 0) {
-		CHECK(buffer_putstr(&b, "\tsortlist {\n"));
-		CHECK(buffer_putstr(&b, "\t\t{\n"));
-		CHECK(buffer_putstr(&b, "\t\t\tany;\n"));
-		CHECK(buffer_putstr(&b, "\t\t\t{\n"));
-		for (i = 0; i < lwc->sortlistnxt; i++) {
-			lwres_addr_t *lwaddr = &lwc->sortlist[i].addr;
-			lwres_addr_t *lwmask = &lwc->sortlist[i].mask;
-			unsigned int mask;
-
-			CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, lwmask, 0));
-			isc_netaddr_fromsockaddr(&na, &sa);
-			result = isc_netaddr_masktoprefixlen(&na, &mask);
-			if (result != ISC_R_SUCCESS) {
-				char addrtext[ISC_NETADDR_FORMATSIZE];
-				isc_netaddr_format(&na, addrtext,
-						   sizeof(addrtext));
-				isc_log_write(ns_g_lctx,
-					      NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_LWRESD,
-					      ISC_LOG_ERROR,
-					      "processing sortlist: '%s' is "
-					      "not a valid netmask",
-					      addrtext);
-				goto cleanup;
-			}
-
-			CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, lwaddr, 0));
-			isc_netaddr_fromsockaddr(&na, &sa);
-
-			CHECK(buffer_putstr(&b, "\t\t\t\t"));
-			CHECK(isc_netaddr_totext(&na, &b));
-			snprintf(str, sizeof(str), "%u", mask);
-			CHECK(buffer_putstr(&b, "/"));
-			CHECK(buffer_putstr(&b, str));
-			CHECK(buffer_putstr(&b, ";\n"));
-		}
-		CHECK(buffer_putstr(&b, "\t\t\t};\n"));
-		CHECK(buffer_putstr(&b, "\t\t};\n"));
-		CHECK(buffer_putstr(&b, "\t};\n"));
-	}
-
-	CHECK(buffer_putstr(&b, "};\n\n"));
-
-	CHECK(buffer_putstr(&b, "lwres {\n"));
-
-	/*
-	 * Build the search path
-	 */
-	if (lwc->searchnxt > 0) {
-		if (lwc->searchnxt > 0) {
-			CHECK(buffer_putstr(&b, "\tsearch {\n"));
-			for (i = 0; i < lwc->searchnxt; i++) {
-				CHECK(buffer_putstr(&b, "\t\t\""));
-				CHECK(buffer_putstr(&b, lwc->search[i]));
-				CHECK(buffer_putstr(&b, "\";\n"));
-			}
-			CHECK(buffer_putstr(&b, "\t};\n"));
-		}
-	}
-
-	/*
-	 * Build the ndots line
-	 */
-	if (lwc->ndots != 1) {
-		CHECK(buffer_putstr(&b, "\tndots "));
-		snprintf(str, sizeof(str), "%u", lwc->ndots);
-		CHECK(buffer_putstr(&b, str));
-		CHECK(buffer_putstr(&b, ";\n"));
-	}
-
-	/*
-	 * Build the listen-on line
-	 */
-	if (lwc->lwnext > 0) {
-		CHECK(buffer_putstr(&b, "\tlisten-on {\n"));
-
-		for (i = 0; i < lwc->lwnext; i++) {
-			CHECK(lwaddr_sockaddr_fromlwresaddr(&sa,
-							    &lwc->lwservers[i],
-							    0));
-			isc_netaddr_fromsockaddr(&na, &sa);
-			CHECK(buffer_putstr(&b, "\t\t"));
-			CHECK(isc_netaddr_totext(&na, &b));
-			CHECK(buffer_putstr(&b, ";\n"));
-		}
-		CHECK(buffer_putstr(&b, "\t};\n"));
-	}
-
-	CHECK(buffer_putstr(&b, "};\n"));
-
-#if 0
-	printf("%.*s\n",
-	       (int)isc_buffer_usedlength(&b),
-	       (char *)isc_buffer_base(&b));
-#endif
-
-	lwres_conf_clear(lwctx);
-	lwres_context_destroy(&lwctx);
-
-	return (cfg_parse_buffer(pctx, &b, &cfg_type_namedconf, configp));
-
- cleanup:
-
-	if (lwctx != NULL) {
-		lwres_conf_clear(lwctx);
-		lwres_context_destroy(&lwctx);
-	}
-
-	return (result);
-}
-
-
-/*
- * Handle lwresd manager objects
- */
-isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
-		     ns_lwresd_t **lwresdp)
-{
-	ns_lwresd_t *lwresd;
-	const char *vname;
-	dns_rdataclass_t vclass;
-	const cfg_obj_t *obj, *viewobj, *searchobj;
-	const cfg_listelt_t *element;
-	isc_result_t result;
-
-	INSIST(lwresdp != NULL && *lwresdp == NULL);
-
-	lwresd = isc_mem_get(mctx, sizeof(ns_lwresd_t));
-	if (lwresd == NULL)
-		return (ISC_R_NOMEMORY);
-
-	lwresd->mctx = NULL;
-	isc_mem_attach(mctx, &lwresd->mctx);
-	lwresd->view = NULL;
-	lwresd->search = NULL;
-	lwresd->refs = 1;
-
-	obj = NULL;
-	(void)cfg_map_get(lwres, "ndots", &obj);
-	if (obj != NULL)
-		lwresd->ndots = cfg_obj_asuint32(obj);
-	else
-		lwresd->ndots = 1;
-
-	RUNTIME_CHECK(isc_mutex_init(&lwresd->lock) == ISC_R_SUCCESS);
-
-	lwresd->shutting_down = ISC_FALSE;
-
-	viewobj = NULL;
-	(void)cfg_map_get(lwres, "view", &viewobj);
-	if (viewobj != NULL) {
-		vname = cfg_obj_asstring(cfg_tuple_get(viewobj, "name"));
-		obj = cfg_tuple_get(viewobj, "class");
-		result = ns_config_getclass(obj, dns_rdataclass_in, &vclass);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	} else {
-		vname = "_default";
-		vclass = dns_rdataclass_in;
-	}
-
-	result = dns_viewlist_find(&ns_g_server->viewlist, vname, vclass,
-				   &lwresd->view);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
-			      "couldn't find view %s", vname);
-		goto fail;
-	}
-
-	searchobj = NULL;
-	(void)cfg_map_get(lwres, "search", &searchobj);
-	if (searchobj != NULL) {
-		lwresd->search = NULL;
-		result = ns_lwsearchlist_create(lwresd->mctx,
-						&lwresd->search);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
-				      "couldn't create searchlist");
-			goto fail;
-		}
-		for (element = cfg_list_first(searchobj);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			const cfg_obj_t *search;
-			const char *searchstr;
-			isc_buffer_t namebuf;
-			dns_fixedname_t fname;
-			dns_name_t *name;
-
-			search = cfg_listelt_value(element);
-			searchstr = cfg_obj_asstring(search);
-
-			dns_fixedname_init(&fname);
-			name = dns_fixedname_name(&fname);
-			isc_buffer_constinit(&namebuf, searchstr,
-					strlen(searchstr));
-			isc_buffer_add(&namebuf, strlen(searchstr));
-			result = dns_name_fromtext(name, &namebuf,
-						   dns_rootname, 0, NULL);
-			if (result != ISC_R_SUCCESS) {
-				isc_log_write(ns_g_lctx,
-					      NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_LWRESD,
-					      ISC_LOG_WARNING,
-					      "invalid name %s in searchlist",
-					      searchstr);
-				continue;
-			}
-
-			result = ns_lwsearchlist_append(lwresd->search, name);
-			if (result != ISC_R_SUCCESS) {
-				isc_log_write(ns_g_lctx,
-					      NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_LWRESD,
-					      ISC_LOG_WARNING,
-					      "couldn't update searchlist");
-				goto fail;
-			}
-		}
-	}
-
-	lwresd->magic = LWRESD_MAGIC;
-
-	*lwresdp = lwresd;
-	return (ISC_R_SUCCESS);
-
- fail:
-	if (lwresd->view != NULL)
-		dns_view_detach(&lwresd->view);
-	if (lwresd->search != NULL)
-		ns_lwsearchlist_detach(&lwresd->search);
-	if (lwresd->mctx != NULL)
-		isc_mem_detach(&lwresd->mctx);
-	isc_mem_put(mctx, lwresd, sizeof(ns_lwresd_t));
-	return (result);
-}
-
-void
-ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp) {
-	INSIST(VALID_LWRESD(source));
-	INSIST(targetp != NULL && *targetp == NULL);
-
-	LOCK(&source->lock);
-	source->refs++;
-	UNLOCK(&source->lock);
-
-	*targetp = source;
-}
-
-void
-ns_lwdmanager_detach(ns_lwresd_t **lwresdp) {
-	ns_lwresd_t *lwresd;
-	isc_mem_t *mctx;
-	isc_boolean_t done = ISC_FALSE;
-
-	INSIST(lwresdp != NULL && *lwresdp != NULL);
-	INSIST(VALID_LWRESD(*lwresdp));
-
-	lwresd = *lwresdp;
-	*lwresdp = NULL;
-
-	LOCK(&lwresd->lock);
-	INSIST(lwresd->refs > 0);
-	lwresd->refs--;
-	if (lwresd->refs == 0)
-		done = ISC_TRUE;
-	UNLOCK(&lwresd->lock);
-
-	if (!done)
-		return;
-
-	dns_view_detach(&lwresd->view);
-	if (lwresd->search != NULL)
-		ns_lwsearchlist_detach(&lwresd->search);
-	mctx = lwresd->mctx;
-	lwresd->magic = 0;
-	isc_mem_put(mctx, lwresd, sizeof(*lwresd));
-	isc_mem_detach(&mctx);
-}
-
-
-/*
- * Handle listener objects
- */
-void
-ns_lwreslistener_attach(ns_lwreslistener_t *source,
-			ns_lwreslistener_t **targetp)
-{
-	INSIST(VALID_LWRESLISTENER(source));
-	INSIST(targetp != NULL && *targetp == NULL);
-
-	LOCK(&source->lock);
-	source->refs++;
-	UNLOCK(&source->lock);
-
-	*targetp = source;
-}
-
-void
-ns_lwreslistener_detach(ns_lwreslistener_t **listenerp) {
-	ns_lwreslistener_t *listener;
-	isc_mem_t *mctx;
-	isc_boolean_t done = ISC_FALSE;
-
-	INSIST(listenerp != NULL && *listenerp != NULL);
-	INSIST(VALID_LWRESLISTENER(*listenerp));
-
-	listener = *listenerp;
-
-	LOCK(&listener->lock);
-	INSIST(listener->refs > 0);
-	listener->refs--;
-	if (listener->refs == 0)
-		done = ISC_TRUE;
-	UNLOCK(&listener->lock);
-
-	if (!done)
-		return;
-
-	if (listener->manager != NULL)
-		ns_lwdmanager_detach(&listener->manager);
-
-	if (listener->sock != NULL)
-		isc_socket_detach(&listener->sock);
-
-	listener->magic = 0;
-	mctx = listener->mctx;
-	isc_mem_put(mctx, listener, sizeof(*listener));
-	isc_mem_detach(&mctx);
-	listenerp = NULL;
-}
-
-static isc_result_t
-listener_create(isc_mem_t *mctx, ns_lwresd_t *lwresd,
-		ns_lwreslistener_t **listenerp)
-{
-	ns_lwreslistener_t *listener;
-	isc_result_t result;
-
-	REQUIRE(listenerp != NULL && *listenerp == NULL);
-
-	listener = isc_mem_get(mctx, sizeof(ns_lwreslistener_t));
-	if (listener == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&listener->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, listener, sizeof(ns_lwreslistener_t));
-		return (result);
-	}
-
-	listener->magic = LWRESLISTENER_MAGIC;
-	listener->refs = 1;
-
-	listener->sock = NULL;
-
-	listener->manager = NULL;
-	ns_lwdmanager_attach(lwresd, &listener->manager);
-
-	listener->mctx = NULL;
-	isc_mem_attach(mctx, &listener->mctx);
-
-	ISC_LINK_INIT(listener, link);
-	ISC_LIST_INIT(listener->cmgrs);
-
-	*listenerp = listener;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-listener_bind(ns_lwreslistener_t *listener, isc_sockaddr_t *address) {
-	isc_socket_t *sock = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	int pf;
-
-	pf = isc_sockaddr_pf(address);
-	if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
-	    (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
-		return (ISC_R_FAMILYNOSUPPORT);
-
-	listener->address = *address;
-
-	if (isc_sockaddr_getport(&listener->address) == 0) {
-		in_port_t port;
-		port = lwresd_g_listenport;
-		if (port == 0)
-			port = LWRES_UDP_PORT;
-		isc_sockaddr_setport(&listener->address, port);
-	}
-
-	sock = NULL;
-	result = isc_socket_create(ns_g_socketmgr, pf,
-				   isc_sockettype_udp, &sock);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
-			      "failed to create lwres socket: %s",
-			      isc_result_totext(result));
-		return (result);
-	}
-
-	result = isc_socket_bind(sock, &listener->address,
-				 ISC_SOCKET_REUSEADDRESS);
-	if (result != ISC_R_SUCCESS) {
-		char socktext[ISC_SOCKADDR_FORMATSIZE];
-		isc_sockaddr_format(&listener->address, socktext,
-				    sizeof(socktext));
-		isc_socket_detach(&sock);
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
-			      "failed to add lwres socket: %s: %s",
-			      socktext, isc_result_totext(result));
-		return (result);
-	}
-	listener->sock = sock;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-listener_copysock(ns_lwreslistener_t *oldlistener,
-		  ns_lwreslistener_t *newlistener)
-{
-	newlistener->address = oldlistener->address;
-	isc_socket_attach(oldlistener->sock, &newlistener->sock);
-}
-
-static isc_result_t
-listener_startclients(ns_lwreslistener_t *listener) {
-	ns_lwdclientmgr_t *cm;
-	unsigned int i;
-	isc_result_t result;
-
-	/*
-	 * Create the client managers.
-	 */
-	result = ISC_R_SUCCESS;
-	for (i = 0; i < NTASKS && result == ISC_R_SUCCESS; i++)
-		result = ns_lwdclientmgr_create(listener, NRECVS,
-						ns_g_taskmgr);
-
-	/*
-	 * Ensure that we have created at least one.
-	 */
-	if (ISC_LIST_EMPTY(listener->cmgrs))
-		return (result);
-
-	/*
-	 * Walk the list of clients and start each one up.
-	 */
-	LOCK(&listener->lock);
-	cm = ISC_LIST_HEAD(listener->cmgrs);
-	while (cm != NULL) {
-		result = ns_lwdclient_startrecv(cm);
-		if (result != ISC_R_SUCCESS)
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
-				      "could not start lwres "
-				      "client handler: %s",
-				      isc_result_totext(result));
-		cm = ISC_LIST_NEXT(cm, link);
-	}
-	UNLOCK(&listener->lock);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-listener_shutdown(ns_lwreslistener_t *listener) {
-	ns_lwdclientmgr_t *cm;
-
-	cm = ISC_LIST_HEAD(listener->cmgrs);
-	while (cm != NULL) {
-		isc_task_shutdown(cm->task);
-		cm = ISC_LIST_NEXT(cm, link);
-	}
-}
-
-static isc_result_t
-find_listener(isc_sockaddr_t *address, ns_lwreslistener_t **listenerp) {
-	ns_lwreslistener_t *listener;
-
-	INSIST(listenerp != NULL && *listenerp == NULL);
-
-	for (listener = ISC_LIST_HEAD(listeners);
-	     listener != NULL;
-	     listener = ISC_LIST_NEXT(listener, link))
-	{
-		if (!isc_sockaddr_equal(address, &listener->address))
-			continue;
-		*listenerp = listener;
-		return (ISC_R_SUCCESS);
-	}
-	return (ISC_R_NOTFOUND);
-}
-
-void
-ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm)
-{
-	REQUIRE(VALID_LWRESLISTENER(listener));
-
-	LOCK(&listener->lock);
-	ISC_LIST_UNLINK(listener->cmgrs, cm, link);
-	UNLOCK(&listener->lock);
-}
-
-void
-ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm) {
-	REQUIRE(VALID_LWRESLISTENER(listener));
-
-	/*
-	 * This does no locking, since it's called early enough that locking
-	 * isn't needed.
-	 */
-	ISC_LIST_APPEND(listener->cmgrs, cm, link);
-}
-
-static isc_result_t
-configure_listener(isc_sockaddr_t *address, ns_lwresd_t *lwresd,
-		   isc_mem_t *mctx, ns_lwreslistenerlist_t *newlisteners)
-{
-	ns_lwreslistener_t *listener, *oldlistener = NULL;
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-	isc_result_t result;
-
-	(void)find_listener(address, &oldlistener);
-	listener = NULL;
-	result = listener_create(mctx, lwresd, &listener);
-	if (result != ISC_R_SUCCESS) {
-		isc_sockaddr_format(address, socktext, sizeof(socktext));
-		isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
-			      "lwres failed to configure %s: %s",
-			      socktext, isc_result_totext(result));
-		return (result);
-	}
-
-	/*
-	 * If there's already a listener, don't rebind the socket.
-	 */
-	if (oldlistener == NULL) {
-		result = listener_bind(listener, address);
-		if (result != ISC_R_SUCCESS) {
-			ns_lwreslistener_detach(&listener);
-			return (ISC_R_SUCCESS);
-		}
-	} else
-		listener_copysock(oldlistener, listener);
-
-	result = listener_startclients(listener);
-	if (result != ISC_R_SUCCESS) {
-		isc_sockaddr_format(address, socktext, sizeof(socktext));
-		isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
-			      "lwres: failed to start %s: %s", socktext,
-			      isc_result_totext(result));
-		ns_lwreslistener_detach(&listener);
-		return (ISC_R_SUCCESS);
-	}
-
-	if (oldlistener != NULL) {
-		/*
-		 * Remove the old listener from the old list and shut it down.
-		 */
-		ISC_LIST_UNLINK(listeners, oldlistener, link);
-		listener_shutdown(oldlistener);
-		ns_lwreslistener_detach(&oldlistener);
-	} else {
-		isc_sockaddr_format(address, socktext, sizeof(socktext));
-		isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_LWRESD, ISC_LOG_NOTICE,
-			      "lwres listening on %s", socktext);
-	}
-
-	ISC_LIST_APPEND(*newlisteners, listener, link);
-	return (result);
-}
-
-isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config) {
-	const cfg_obj_t *lwreslist = NULL;
-	const cfg_obj_t *lwres = NULL;
-	const cfg_obj_t *listenerslist = NULL;
-	const cfg_listelt_t *element = NULL;
-	ns_lwreslistener_t *listener;
-	ns_lwreslistenerlist_t newlisteners;
-	isc_result_t result;
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-	isc_sockaddr_t *addrs = NULL;
-	ns_lwresd_t *lwresd = NULL;
-	isc_uint32_t count = 0;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(config != NULL);
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize_mutex) == ISC_R_SUCCESS);
-
-	ISC_LIST_INIT(newlisteners);
-
-	result = cfg_map_get(config, "lwres", &lwreslist);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_R_SUCCESS);
-
-	LOCK(&listeners_lock);
-	/*
-	 * Run through the new lwres address list, noting sockets that
-	 * are already being listened on and moving them to the new list.
-	 *
-	 * Identifying duplicates addr/port combinations is left to either
-	 * the underlying config code, or to the bind attempt getting an
-	 * address-in-use error.
-	 */
-	for (element = cfg_list_first(lwreslist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		in_port_t port;
-
-		lwres = cfg_listelt_value(element);
-		CHECK(ns_lwdmanager_create(mctx, lwres, &lwresd));
-
-		port = lwresd_g_listenport;
-		if (port == 0)
-			port = LWRES_UDP_PORT;
-
-		listenerslist = NULL;
-		(void)cfg_map_get(lwres, "listen-on", &listenerslist);
-		if (listenerslist == NULL) {
-			struct in_addr localhost;
-			isc_sockaddr_t address;
-
-			localhost.s_addr = htonl(INADDR_LOOPBACK);
-			isc_sockaddr_fromin(&address, &localhost, port);
-			CHECK(configure_listener(&address, lwresd, mctx,
-						 &newlisteners));
-		} else {
-			isc_uint32_t i;
-
-			CHECK(ns_config_getiplist(config, listenerslist,
-						  port, mctx, &addrs, &count));
-			for (i = 0; i < count; i++)
-				CHECK(configure_listener(&addrs[i], lwresd,
-							 mctx, &newlisteners));
-			ns_config_putiplist(mctx, &addrs, count);
-		}
-		ns_lwdmanager_detach(&lwresd);
-	}
-
-	/*
-	 * Shutdown everything on the listeners list, and remove them from
-	 * the list.  Then put all of the new listeners on it.
-	 */
-
-	while (!ISC_LIST_EMPTY(listeners)) {
-		listener = ISC_LIST_HEAD(listeners);
-		ISC_LIST_UNLINK(listeners, listener, link);
-
-		isc_sockaddr_format(&listener->address,
-				    socktext, sizeof(socktext));
-
-		listener_shutdown(listener);
-		ns_lwreslistener_detach(&listener);
-
-		isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_LWRESD, ISC_LOG_NOTICE,
-			      "lwres no longer listening on %s", socktext);
-	}
-
- cleanup:
-	ISC_LIST_APPENDLIST(listeners, newlisteners, link);
-
-	if (addrs != NULL)
-		ns_config_putiplist(mctx, &addrs, count);
-
-	if (lwresd != NULL)
-		ns_lwdmanager_detach(&lwresd);
-
-	UNLOCK(&listeners_lock);
-
-	return (result);
-}
-
-void
-ns_lwresd_shutdown(void) {
-	ns_lwreslistener_t *listener;
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize_mutex) == ISC_R_SUCCESS);
-
-	while (!ISC_LIST_EMPTY(listeners)) {
-		listener = ISC_LIST_HEAD(listeners);
-		ISC_LIST_UNLINK(listeners, listener, link);
-		ns_lwreslistener_detach(&listener);
-	}
-}
diff --git a/contrib/bind9/bin/named/lwresd.docbook b/contrib/bind9/bin/named/lwresd.docbook
deleted file mode 100644
index dddfe5e..0000000
--- a/contrib/bind9/bin/named/lwresd.docbook
+++ /dev/null
@@ -1,374 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwresd.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
-<refentry>
-  <refentryinfo>
-    <date>June 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>lwresd</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>lwresd</application></refname>
-    <refpurpose>lightweight resolver daemon</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>lwresd</command>
-      <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
-      <arg><option>-C <replaceable class="parameter">config-file</replaceable></option></arg>
-      <arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
-      <arg><option>-f</option></arg>
-      <arg><option>-g</option></arg>
-      <arg><option>-i <replaceable class="parameter">pid-file</replaceable></option></arg>
-      <arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
-      <arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
-      <arg><option>-P <replaceable class="parameter">port</replaceable></option></arg>
-      <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
-      <arg><option>-s</option></arg>
-      <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
-      <arg><option>-v</option></arg>
-      <arg><option>-4</option></arg>
-      <arg><option>-6</option></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para><command>lwresd</command>
-      is the daemon providing name lookup
-      services to clients that use the BIND 9 lightweight resolver
-      library.  It is essentially a stripped-down, caching-only name
-      server that answers queries using the BIND 9 lightweight
-      resolver protocol rather than the DNS protocol.
-    </para>
-
-    <para><command>lwresd</command> 
-      listens for resolver queries on a
-      UDP port on the IPv4 loopback interface, 127.0.0.1.  This
-      means that <command>lwresd</command> can only be used by
-      processes running on the local machine.  By default, UDP port
-      number 921 is used for lightweight resolver requests and
-      responses.
-    </para>
-    <para>
-      Incoming lightweight resolver requests are decoded by the
-      server which then resolves them using the DNS protocol.  When
-      the DNS lookup completes, <command>lwresd</command> encodes
-      the answers in the lightweight resolver format and returns
-      them to the client that made the request.
-    </para>
-    <para>
-      If <filename>/etc/resolv.conf</filename> contains any
-      <option>nameserver</option> entries, <command>lwresd</command>
-      sends recursive DNS queries to those servers.  This is similar
-      to the use of forwarders in a caching name server.  If no
-      <option>nameserver</option> entries are present, or if
-      forwarding fails, <command>lwresd</command> resolves the
-      queries autonomously starting at the root name servers, using
-      a built-in list of root server hints.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-
-      <varlistentry>
-        <term>-4</term>
-        <listitem>
-          <para>
-            Use IPv4 only even if the host machine is capable of IPv6.
-            <option>-4</option> and <option>-6</option> are mutually
-            exclusive.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-6</term>
-        <listitem>
-          <para>
-            Use IPv6 only even if the host machine is capable of IPv4.
-            <option>-4</option> and <option>-6</option> are mutually
-            exclusive.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <!-- this is in source but not mentioned? does this matter? -->
-      <varlistentry>
-        <term>-c <replaceable class="parameter">config-file</replaceable></term>
-        <listitem>
-          <para>
-            Use <replaceable class="parameter">config-file</replaceable> as the
-            configuration file instead of the default,
-            <filename>/etc/lwresd.conf</filename>.
-	    <!-- Should this be an absolute path name? -->
-	    <option>-c</option> can not be used with <option>-C</option>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-C <replaceable class="parameter">config-file</replaceable></term>
-        <listitem>
-          <para>
-            Use <replaceable class="parameter">config-file</replaceable> as the
-            configuration file instead of the default,
-            <filename>/etc/resolv.conf</filename>.
-	    <option>-C</option> can not be used with <option>-c</option>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-d <replaceable class="parameter">debug-level</replaceable></term>
-        <listitem>
-          <para>
-            Set the daemon's debug level to <replaceable class="parameter">debug-level</replaceable>.
-            Debugging traces from <command>lwresd</command> become
-            		more verbose as the debug level increases.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-f</term>
-        <listitem>
-          <para>
-            Run the server in the foreground (i.e. do not daemonize).
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-g</term>
-        <listitem>
-          <para>
-            Run the server in the foreground and force all logging
-            to <filename>stderr</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-i <replaceable class="parameter">pid-file</replaceable></term>
-        <listitem>
-          <para>
-            Use <replaceable class="parameter">pid-file</replaceable> as the
-            PID file instead of the default,
-            <filename>/var/run/lwresd/lwresd.pid</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-m <replaceable class="parameter">flag</replaceable></term>
-        <listitem>
-          <para>
-            Turn on memory usage debugging flags.  Possible flags are
-            <replaceable class="parameter">usage</replaceable>,
-            <replaceable class="parameter">trace</replaceable>,
-            <replaceable class="parameter">record</replaceable>,
-            <replaceable class="parameter">size</replaceable>, and
-            <replaceable class="parameter">mctx</replaceable>.  
-            These correspond to the ISC_MEM_DEBUGXXXX flags described in
-            <filename>&lt;isc/mem.h&gt;</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-n <replaceable class="parameter">#cpus</replaceable></term>
-        <listitem>
-          <para>
-            Create <replaceable class="parameter">#cpus</replaceable> worker threads
-            to take advantage of multiple CPUs.  If not specified,
-            <command>lwresd</command> will try to determine the
-            number of CPUs present and create one thread per CPU.
-            If it is unable to determine the number of CPUs, a
-            single worker thread will be created.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-P <replaceable class="parameter">port</replaceable></term>
-        <listitem>
-          <para>
-            Listen for lightweight resolver queries on port
-            <replaceable class="parameter">port</replaceable>.  If
-            		not specified, the default is port 921.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p <replaceable class="parameter">port</replaceable></term>
-        <listitem>
-          <para>
-            Send DNS lookups to port <replaceable class="parameter">port</replaceable>.  If not
-            specified, the default is port 53.  This provides a
-            way of testing the lightweight resolver daemon with a
-            name server that listens for queries on a non-standard
-            port number.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s</term>
-        <listitem>
-          <para>
-            Write memory usage statistics to <filename>stdout</filename>
-            on exit.
-          </para>
-          <note>
-            <para>
-              This option is mainly of interest to BIND 9 developers
-              and may be removed or changed in a future release.
-            </para>
-          </note>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>Chroot
-	    to <replaceable class="parameter">directory</replaceable> after
-            processing the command line arguments, but before
-            reading the configuration file.
-          </para>
-          <warning>
-            <para>
-              This option should be used in conjunction with the
-              <option>-u</option> option, as chrooting a process
-              running as root doesn't enhance security on most
-              systems; the way <function>chroot(2)</function> is
-              defined allows a process with root privileges to
-              escape a chroot jail.
-            </para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-u <replaceable class="parameter">user</replaceable></term>
-        <listitem>
-          <para>Setuid
-	    to <replaceable class="parameter">user</replaceable> after completing
-            privileged operations, such as creating sockets that
-            listen on privileged ports.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v</term>
-        <listitem>
-          <para>
-            Report the version number and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <variablelist>
-
-      <varlistentry>
-        <term><filename>/etc/resolv.conf</filename></term>
-        <listitem>
-          <para>
-            The default configuration file.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><filename>/var/run/lwresd.pid</filename></term>
-        <listitem>
-          <para>
-            The default process-id file.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/named/lwresd.html b/contrib/bind9/bin/named/lwresd.html
deleted file mode 100644
index 5dc01be..0000000
--- a/contrib/bind9/bin/named/lwresd.html
+++ /dev/null
@@ -1,225 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwresd</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476274"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">lwresd</code>  [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-4</code>] [<code class="option">-6</code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543469"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">lwresd</strong></span>
-      is the daemon providing name lookup
-      services to clients that use the BIND 9 lightweight resolver
-      library.  It is essentially a stripped-down, caching-only name
-      server that answers queries using the BIND 9 lightweight
-      resolver protocol rather than the DNS protocol.
-    </p>
-<p><span><strong class="command">lwresd</strong></span> 
-      listens for resolver queries on a
-      UDP port on the IPv4 loopback interface, 127.0.0.1.  This
-      means that <span><strong class="command">lwresd</strong></span> can only be used by
-      processes running on the local machine.  By default, UDP port
-      number 921 is used for lightweight resolver requests and
-      responses.
-    </p>
-<p>
-      Incoming lightweight resolver requests are decoded by the
-      server which then resolves them using the DNS protocol.  When
-      the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes
-      the answers in the lightweight resolver format and returns
-      them to the client that made the request.
-    </p>
-<p>
-      If <code class="filename">/etc/resolv.conf</code> contains any
-      <code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span>
-      sends recursive DNS queries to those servers.  This is similar
-      to the use of forwarders in a caching name server.  If no
-      <code class="option">nameserver</code> entries are present, or if
-      forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the
-      queries autonomously starting at the root name servers, using
-      a built-in list of root server hints.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543516"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-4</span></dt>
-<dd><p>
-            Use IPv4 only even if the host machine is capable of IPv6.
-            <code class="option">-4</code> and <code class="option">-6</code> are mutually
-            exclusive.
-          </p></dd>
-<dt><span class="term">-6</span></dt>
-<dd><p>
-            Use IPv6 only even if the host machine is capable of IPv4.
-            <code class="option">-4</code> and <code class="option">-6</code> are mutually
-            exclusive.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>config-file</code></em> as the
-            configuration file instead of the default,
-            <code class="filename">/etc/lwresd.conf</code>.
-	    
-	    <code class="option">-c</code> can not be used with <code class="option">-C</code>.
-          </p></dd>
-<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>config-file</code></em> as the
-            configuration file instead of the default,
-            <code class="filename">/etc/resolv.conf</code>.
-	    <code class="option">-C</code> can not be used with <code class="option">-c</code>.
-          </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd><p>
-            Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
-            Debugging traces from <span><strong class="command">lwresd</strong></span> become
-            		more verbose as the debug level increases.
-          </p></dd>
-<dt><span class="term">-f</span></dt>
-<dd><p>
-            Run the server in the foreground (i.e. do not daemonize).
-          </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
-            Run the server in the foreground and force all logging
-            to <code class="filename">stderr</code>.
-          </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>pid-file</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>pid-file</code></em> as the
-            PID file instead of the default,
-            <code class="filename">/var/run/lwresd/lwresd.pid</code>.
-          </p></dd>
-<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
-            Turn on memory usage debugging flags.  Possible flags are
-            <em class="replaceable"><code>usage</code></em>,
-            <em class="replaceable"><code>trace</code></em>,
-            <em class="replaceable"><code>record</code></em>,
-            <em class="replaceable"><code>size</code></em>, and
-            <em class="replaceable"><code>mctx</code></em>.  
-            These correspond to the ISC_MEM_DEBUGXXXX flags described in
-            <code class="filename">&lt;isc/mem.h&gt;</code>.
-          </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd><p>
-            Create <em class="replaceable"><code>#cpus</code></em> worker threads
-            to take advantage of multiple CPUs.  If not specified,
-            <span><strong class="command">lwresd</strong></span> will try to determine the
-            number of CPUs present and create one thread per CPU.
-            If it is unable to determine the number of CPUs, a
-            single worker thread will be created.
-          </p></dd>
-<dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-            Listen for lightweight resolver queries on port
-            <em class="replaceable"><code>port</code></em>.  If
-            		not specified, the default is port 921.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-            Send DNS lookups to port <em class="replaceable"><code>port</code></em>.  If not
-            specified, the default is port 53.  This provides a
-            way of testing the lightweight resolver daemon with a
-            name server that listens for queries on a non-standard
-            port number.
-          </p></dd>
-<dt><span class="term">-s</span></dt>
-<dd>
-<p>
-            Write memory usage statistics to <code class="filename">stdout</code>
-            on exit.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              This option is mainly of interest to BIND 9 developers
-              and may be removed or changed in a future release.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-<p>Chroot
-	    to <em class="replaceable"><code>directory</code></em> after
-            processing the command line arguments, but before
-            reading the configuration file.
-          </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-              This option should be used in conjunction with the
-              <code class="option">-u</code> option, as chrooting a process
-              running as root doesn't enhance security on most
-              systems; the way <code class="function">chroot(2)</code> is
-              defined allows a process with root privileges to
-              escape a chroot jail.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd><p>Setuid
-	    to <em class="replaceable"><code>user</code></em> after completing
-            privileged operations, such as creating sockets that
-            listen on privileged ports.
-          </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-            Report the version number and exit.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543933"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
-<dd><p>
-            The default configuration file.
-          </p></dd>
-<dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt>
-<dd><p>
-            The default process-id file.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543973"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544007"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/named/lwsearch.c b/contrib/bind9/bin/named/lwsearch.c
deleted file mode 100644
index 6754c98..0000000
--- a/contrib/bind9/bin/named/lwsearch.c
+++ /dev/null
@@ -1,206 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwsearch.c,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/name.h>
-#include <dns/types.h>
-
-#include <named/lwsearch.h>
-#include <named/types.h>
-
-#define LWSEARCHLIST_MAGIC		ISC_MAGIC('L', 'W', 'S', 'L')
-#define VALID_LWSEARCHLIST(l)		ISC_MAGIC_VALID(l, LWSEARCHLIST_MAGIC)
-
-isc_result_t
-ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) {
-	ns_lwsearchlist_t *list;
-	isc_result_t result;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(listp != NULL && *listp == NULL);
-
-	list = isc_mem_get(mctx, sizeof(ns_lwsearchlist_t));
-	if (list == NULL)
-		return (ISC_R_NOMEMORY);
-	
-	result = isc_mutex_init(&list->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, list, sizeof(ns_lwsearchlist_t));
-		return (result);
-	}
-	list->mctx = NULL;
-	isc_mem_attach(mctx, &list->mctx);
-	list->refs = 1;
-	ISC_LIST_INIT(list->names);
-	list->magic = LWSEARCHLIST_MAGIC;
-
-	*listp = list;
-	return (ISC_R_SUCCESS);
-}
-
-void
-ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target) {
-	REQUIRE(VALID_LWSEARCHLIST(source));
-	REQUIRE(target != NULL && *target == NULL);
-
-	LOCK(&source->lock);
-	INSIST(source->refs > 0);
-	source->refs++;
-	INSIST(source->refs != 0);
-	UNLOCK(&source->lock);
-
-	*target = source;
-}
-
-void
-ns_lwsearchlist_detach(ns_lwsearchlist_t **listp) {
-	ns_lwsearchlist_t *list;
-	isc_mem_t *mctx;
-
-	REQUIRE(listp != NULL);
-	list = *listp;
-	REQUIRE(VALID_LWSEARCHLIST(list));
-
-	LOCK(&list->lock);
-	INSIST(list->refs > 0);
-	list->refs--;
-	UNLOCK(&list->lock);
-
-	*listp = NULL;
-	if (list->refs != 0)
-		return;
-
-	mctx = list->mctx;
-	while (!ISC_LIST_EMPTY(list->names)) {
-		dns_name_t *name = ISC_LIST_HEAD(list->names);
-		ISC_LIST_UNLINK(list->names, name, link);
-		dns_name_free(name, list->mctx);
-		isc_mem_put(list->mctx, name, sizeof(dns_name_t));
-	}
-	list->magic = 0;
-	isc_mem_put(mctx, list, sizeof(ns_lwsearchlist_t));
-	isc_mem_detach(&mctx);
-}
-
-isc_result_t
-ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name) {
-	dns_name_t *newname;
-	isc_result_t result;
-
-	REQUIRE(VALID_LWSEARCHLIST(list));
-	REQUIRE(name != NULL);
-
-	newname = isc_mem_get(list->mctx, sizeof(dns_name_t));
-	if (newname == NULL)
-		return (ISC_R_NOMEMORY);
-	dns_name_init(newname, NULL);
-	result = dns_name_dup(name, list->mctx, newname);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(list->mctx, newname, sizeof(dns_name_t));
-		return (result);
-	}
-	ISC_LINK_INIT(newname, link);
-	ISC_LIST_APPEND(list->names, newname, link);
-	return (ISC_R_SUCCESS);
-}
-
-void
-ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list,
-		    dns_name_t *name, unsigned int ndots)
-{
-	INSIST(sctx != NULL);
-	sctx->relname = name;
-	sctx->searchname = NULL;
-	sctx->doneexact = ISC_FALSE;
-	sctx->exactfirst = ISC_FALSE;
-	sctx->ndots = ndots;
-	if (dns_name_isabsolute(name) || list == NULL) {
-		sctx->list = NULL;
-		return;
-	}
-	sctx->list = list;
-	sctx->searchname = ISC_LIST_HEAD(sctx->list->names);
-	if (dns_name_countlabels(name) > ndots)
-		sctx->exactfirst = ISC_TRUE;
-}
-
-void
-ns_lwsearchctx_first(ns_lwsearchctx_t *sctx) {
-	REQUIRE(sctx != NULL);
-	UNUSED(sctx);
-}
-
-isc_result_t
-ns_lwsearchctx_next(ns_lwsearchctx_t *sctx) {
-	REQUIRE(sctx != NULL);
-
-	if (sctx->list == NULL)
-		return (ISC_R_NOMORE);
-
-	if (sctx->searchname == NULL) {
-		INSIST (!sctx->exactfirst || sctx->doneexact);
-		if (sctx->exactfirst || sctx->doneexact)
-			return (ISC_R_NOMORE);
-		sctx->doneexact = ISC_TRUE;
-	} else {
-		if (sctx->exactfirst && !sctx->doneexact)
-			sctx->doneexact = ISC_TRUE;
-		else {
-			sctx->searchname = ISC_LIST_NEXT(sctx->searchname,
-							 link);
-			if (sctx->searchname == NULL && sctx->doneexact)
-				return (ISC_R_NOMORE);
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname) {
-	dns_name_t *tname;
-	isc_boolean_t useexact = ISC_FALSE;
-
-	REQUIRE(sctx != NULL);
-
-	if (sctx->list == NULL ||
-	    sctx->searchname == NULL ||
-	    (sctx->exactfirst && !sctx->doneexact))
-		useexact = ISC_TRUE;
-
-	if (useexact) {
-		if (dns_name_isabsolute(sctx->relname))
-			tname = NULL;
-		else
-			tname = dns_rootname;
-	} else
-		tname = sctx->searchname;
-
-	return (dns_name_concatenate(sctx->relname, tname, absname, NULL));
-}
diff --git a/contrib/bind9/bin/named/main.c b/contrib/bind9/bin/named/main.c
deleted file mode 100644
index a546724..0000000
--- a/contrib/bind9/bin/named/main.c
+++ /dev/null
@@ -1,1170 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/app.h>
-#include <isc/backtrace.h>
-#include <isc/commandline.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/os.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/resource.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <isccc/result.h>
-
-#include <dns/dispatch.h>
-#include <dns/name.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-#include <dst/result.h>
-
-#include <dlz/dlz_dlopen_driver.h>
-
-/*
- * Defining NS_MAIN provides storage declarations (rather than extern)
- * for variables in named/globals.h.
- */
-#define NS_MAIN 1
-
-#include <named/builtin.h>
-#include <named/control.h>
-#include <named/globals.h>	/* Explicit, though named/log.h includes it. */
-#include <named/interfacemgr.h>
-#include <named/log.h>
-#include <named/os.h>
-#include <named/server.h>
-#include <named/lwresd.h>
-#include <named/main.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#endif
-
-#ifdef OPENSSL
-#include <openssl/opensslv.h>
-#endif
-#ifdef HAVE_LIBXML2
-#include <libxml/xmlversion.h>
-#endif
-/*
- * Include header files for database drivers here.
- */
-/* #include "xxdb.h" */
-
-#ifdef CONTRIB_DLZ
-/*
- * Include contributed DLZ drivers if appropriate.
- */
-#include <dlz/dlz_drivers.h>
-#endif
-
-/*
- * The maximum number of stack frames to dump on assertion failure.
- */
-#ifndef BACKTRACE_MAXFRAME
-#define BACKTRACE_MAXFRAME 128
-#endif
-
-static isc_boolean_t	want_stats = ISC_FALSE;
-static char		program_name[ISC_DIR_NAMEMAX] = "named";
-static char		absolute_conffile[ISC_DIR_PATHMAX];
-static char		saved_command_line[512];
-static char		version[512];
-static unsigned int	maxsocks = 0;
-static int		maxudp = 0;
-
-void
-ns_main_earlywarning(const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	if (ns_g_lctx != NULL) {
-		isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			       NS_LOGMODULE_MAIN, ISC_LOG_WARNING,
-			       format, args);
-	} else {
-		fprintf(stderr, "%s: ", program_name);
-		vfprintf(stderr, format, args);
-		fprintf(stderr, "\n");
-		fflush(stderr);
-	}
-	va_end(args);
-}
-
-void
-ns_main_earlyfatal(const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	if (ns_g_lctx != NULL) {
-		isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			       NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
-			       format, args);
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			       NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
-			       "exiting (due to early fatal error)");
-	} else {
-		fprintf(stderr, "%s: ", program_name);
-		vfprintf(stderr, format, args);
-		fprintf(stderr, "\n");
-		fflush(stderr);
-	}
-	va_end(args);
-
-	exit(1);
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-assertion_failed(const char *file, int line, isc_assertiontype_t type,
-		 const char *cond) ISC_PLATFORM_NORETURN_POST;
-
-static void
-assertion_failed(const char *file, int line, isc_assertiontype_t type,
-		 const char *cond)
-{
-	void *tracebuf[BACKTRACE_MAXFRAME];
-	int i, nframes;
-	isc_result_t result;
-	const char *logsuffix = "";
-	const char *fname;
-
-	/*
-	 * Handle assertion failures.
-	 */
-
-	if (ns_g_lctx != NULL) {
-		/*
-		 * Reset the assertion callback in case it is the log
-		 * routines causing the assertion.
-		 */
-		isc_assertion_setcallback(NULL);
-
-		result = isc_backtrace_gettrace(tracebuf, BACKTRACE_MAXFRAME,
-						&nframes);
-		if (result == ISC_R_SUCCESS && nframes > 0)
-			logsuffix = ", back trace";
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
-			      "%s:%d: %s(%s) failed%s", file, line,
-			      isc_assertion_typetotext(type), cond, logsuffix);
-		if (result == ISC_R_SUCCESS) {
-			for (i = 0; i < nframes; i++) {
-				unsigned long offset;
-
-				fname = NULL;
-				result = isc_backtrace_getsymbol(tracebuf[i],
-								 &fname,
-								 &offset);
-				if (result == ISC_R_SUCCESS) {
-					isc_log_write(ns_g_lctx,
-						      NS_LOGCATEGORY_GENERAL,
-						      NS_LOGMODULE_MAIN,
-						      ISC_LOG_CRITICAL,
-						      "#%d %p in %s()+0x%lx", i,
-						      tracebuf[i], fname,
-						      offset);
-				} else {
-					isc_log_write(ns_g_lctx,
-						      NS_LOGCATEGORY_GENERAL,
-						      NS_LOGMODULE_MAIN,
-						      ISC_LOG_CRITICAL,
-						      "#%d %p in ??", i,
-						      tracebuf[i]);
-				}
-			}
-		}
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
-			      "exiting (due to assertion failure)");
-	} else {
-		fprintf(stderr, "%s:%d: %s(%s) failed\n",
-			file, line, isc_assertion_typetotext(type), cond);
-		fflush(stderr);
-	}
-
-	if (ns_g_coreok)
-		abort();
-	exit(1);
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-library_fatal_error(const char *file, int line, const char *format,
-		    va_list args)
-ISC_FORMAT_PRINTF(3, 0) ISC_PLATFORM_NORETURN_POST;
-
-static void
-library_fatal_error(const char *file, int line, const char *format,
-		    va_list args)
-{
-	/*
-	 * Handle isc_error_fatal() calls from our libraries.
-	 */
-
-	if (ns_g_lctx != NULL) {
-		/*
-		 * Reset the error callback in case it is the log
-		 * routines causing the assertion.
-		 */
-		isc_error_setfatal(NULL);
-
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
-			      "%s:%d: fatal error:", file, line);
-		isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			       NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
-			       format, args);
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
-			      "exiting (due to fatal error in library)");
-	} else {
-		fprintf(stderr, "%s:%d: fatal error: ", file, line);
-		vfprintf(stderr, format, args);
-		fprintf(stderr, "\n");
-		fflush(stderr);
-	}
-
-	if (ns_g_coreok)
-		abort();
-	exit(1);
-}
-
-static void
-library_unexpected_error(const char *file, int line, const char *format,
-			 va_list args) ISC_FORMAT_PRINTF(3, 0);
-
-static void
-library_unexpected_error(const char *file, int line, const char *format,
-			 va_list args)
-{
-	/*
-	 * Handle isc_error_unexpected() calls from our libraries.
-	 */
-
-	if (ns_g_lctx != NULL) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
-			      "%s:%d: unexpected error:", file, line);
-		isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			       NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
-			       format, args);
-	} else {
-		fprintf(stderr, "%s:%d: fatal error: ", file, line);
-		vfprintf(stderr, format, args);
-		fprintf(stderr, "\n");
-		fflush(stderr);
-	}
-}
-
-static void
-lwresd_usage(void) {
-	fprintf(stderr,
-		"usage: lwresd [-4|-6] [-c conffile | -C resolvconffile] "
-		"[-d debuglevel]\n"
-		"              [-f|-g] [-n number_of_cpus] [-p port] "
-		"[-P listen-port] [-s]\n"
-		"              [-t chrootdir] [-u username] [-i pidfile]\n"
-		"              [-m {usage|trace|record|size|mctx}]\n");
-}
-
-static void
-usage(void) {
-	if (ns_g_lwresdonly) {
-		lwresd_usage();
-		return;
-	}
-	fprintf(stderr,
-		"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
-		"[-E engine] [-f|-g]\n"
-		"             [-n number_of_cpus] [-p port] [-s] "
-		"[-t chrootdir] [-u username]\n"
-		"             [-m {usage|trace|record|size|mctx}]\n");
-}
-
-static void
-save_command_line(int argc, char *argv[]) {
-	int i;
-	char *src;
-	char *dst;
-	char *eob;
-	const char truncated[] = "...";
-	isc_boolean_t quoted = ISC_FALSE;
-
-	dst = saved_command_line;
-	eob = saved_command_line + sizeof(saved_command_line);
-
-	for (i = 1; i < argc && dst < eob; i++) {
-		*dst++ = ' ';
-
-		src = argv[i];
-		while (*src != '\0' && dst < eob) {
-			/*
-			 * This won't perfectly produce a shell-independent
-			 * pastable command line in all circumstances, but
-			 * comes close, and for practical purposes will
-			 * nearly always be fine.
-			 */
-			if (quoted || isalnum(*src & 0xff) ||
-			    *src == '-' || *src == '_' ||
-			    *src == '.' || *src == '/') {
-				*dst++ = *src++;
-				quoted = ISC_FALSE;
-			} else {
-				*dst++ = '\\';
-				quoted = ISC_TRUE;
-			}
-		}
-	}
-
-	INSIST(sizeof(saved_command_line) >= sizeof(truncated));
-
-	if (dst == eob)
-		strcpy(eob - sizeof(truncated), truncated);
-	else
-		*dst = '\0';
-}
-
-static int
-parse_int(char *arg, const char *desc) {
-	char *endp;
-	int tmp;
-	long int ltmp;
-
-	ltmp = strtol(arg, &endp, 10);
-	tmp = (int) ltmp;
-	if (*endp != '\0')
-		ns_main_earlyfatal("%s '%s' must be numeric", desc, arg);
-	if (tmp < 0 || tmp != ltmp)
-		ns_main_earlyfatal("%s '%s' out of range", desc, arg);
-	return (tmp);
-}
-
-static struct flag_def {
-	const char *name;
-	unsigned int value;
-} mem_debug_flags[] = {
-	{ "trace",  ISC_MEM_DEBUGTRACE },
-	{ "record", ISC_MEM_DEBUGRECORD },
-	{ "usage", ISC_MEM_DEBUGUSAGE },
-	{ "size", ISC_MEM_DEBUGSIZE },
-	{ "mctx", ISC_MEM_DEBUGCTX },
-	{ NULL, 0 }
-};
-
-static void
-set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
-	for (;;) {
-		const struct flag_def *def;
-		const char *end = strchr(arg, ',');
-		int arglen;
-		if (end == NULL)
-			end = arg + strlen(arg);
-		arglen = end - arg;
-		for (def = defs; def->name != NULL; def++) {
-			if (arglen == (int)strlen(def->name) &&
-			    memcmp(arg, def->name, arglen) == 0) {
-				*ret |= def->value;
-				goto found;
-			}
-		}
-		ns_main_earlyfatal("unrecognized flag '%.*s'", arglen, arg);
-	 found:
-		if (*end == '\0')
-			break;
-		arg = end + 1;
-	}
-}
-
-static void
-parse_command_line(int argc, char *argv[]) {
-	int ch;
-	int port;
-	isc_boolean_t disable6 = ISC_FALSE;
-	isc_boolean_t disable4 = ISC_FALSE;
-
-	save_command_line(argc, argv);
-
-	isc_commandline_errprint = ISC_FALSE;
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "46c:C:d:E:fFgi:lm:n:N:p:P:"
-					   "sS:t:T:U:u:vVx:")) != -1) {
-		switch (ch) {
-		case '4':
-			if (disable4)
-				ns_main_earlyfatal("cannot specify -4 and -6");
-			if (isc_net_probeipv4() != ISC_R_SUCCESS)
-				ns_main_earlyfatal("IPv4 not supported by OS");
-			isc_net_disableipv6();
-			disable6 = ISC_TRUE;
-			break;
-		case '6':
-			if (disable6)
-				ns_main_earlyfatal("cannot specify -4 and -6");
-			if (isc_net_probeipv6() != ISC_R_SUCCESS)
-				ns_main_earlyfatal("IPv6 not supported by OS");
-			isc_net_disableipv4();
-			disable4 = ISC_TRUE;
-			break;
-		case 'c':
-			ns_g_conffile = isc_commandline_argument;
-			lwresd_g_conffile = isc_commandline_argument;
-			if (lwresd_g_useresolvconf)
-				ns_main_earlyfatal("cannot specify -c and -C");
-			ns_g_conffileset = ISC_TRUE;
-			break;
-		case 'C':
-			lwresd_g_resolvconffile = isc_commandline_argument;
-			if (ns_g_conffileset)
-				ns_main_earlyfatal("cannot specify -c and -C");
-			lwresd_g_useresolvconf = ISC_TRUE;
-			break;
-		case 'd':
-			ns_g_debuglevel = parse_int(isc_commandline_argument,
-						    "debug level");
-			break;
-		case 'E':
-			ns_g_engine = isc_commandline_argument;
-			break;
-		case 'f':
-			ns_g_foreground = ISC_TRUE;
-			break;
-		case 'g':
-			ns_g_foreground = ISC_TRUE;
-			ns_g_logstderr = ISC_TRUE;
-			break;
-		/* XXXBEW -i should be removed */
-		case 'i':
-			lwresd_g_defaultpidfile = isc_commandline_argument;
-			break;
-		case 'l':
-			ns_g_lwresdonly = ISC_TRUE;
-			break;
-		case 'm':
-			set_flags(isc_commandline_argument, mem_debug_flags,
-				  &isc_mem_debugging);
-			break;
-		case 'N': /* Deprecated. */
-		case 'n':
-			ns_g_cpus = parse_int(isc_commandline_argument,
-					      "number of cpus");
-			if (ns_g_cpus == 0)
-				ns_g_cpus = 1;
-			break;
-		case 'p':
-			port = parse_int(isc_commandline_argument, "port");
-			if (port < 1 || port > 65535)
-				ns_main_earlyfatal("port '%s' out of range",
-						   isc_commandline_argument);
-			ns_g_port = port;
-			break;
-		/* XXXBEW Should -P be removed? */
-		case 'P':
-			port = parse_int(isc_commandline_argument, "port");
-			if (port < 1 || port > 65535)
-				ns_main_earlyfatal("port '%s' out of range",
-						   isc_commandline_argument);
-			lwresd_g_listenport = port;
-			break;
-		case 's':
-			/* XXXRTH temporary syntax */
-			want_stats = ISC_TRUE;
-			break;
-		case 'S':
-			maxsocks = parse_int(isc_commandline_argument,
-					     "max number of sockets");
-			break;
-		case 't':
-			/* XXXJAB should we make a copy? */
-			ns_g_chrootdir = isc_commandline_argument;
-			break;
-		case 'T':	/* NOT DOCUMENTED */
-			/*
-			 * clienttest: make clients single shot with their
-			 * 	       own memory context.
-			 */
-			if (!strcmp(isc_commandline_argument, "clienttest"))
-				ns_g_clienttest = ISC_TRUE;
-			else if (!strcmp(isc_commandline_argument, "nosoa"))
-				ns_g_nosoa = ISC_TRUE;
-			else if (!strcmp(isc_commandline_argument, "noaa"))
-				ns_g_noaa = ISC_TRUE;
-			else if (!strcmp(isc_commandline_argument, "maxudp512"))
-				maxudp = 512;
-			else if (!strcmp(isc_commandline_argument, "maxudp1460"))
-				maxudp = 1460;
-			else if (!strcmp(isc_commandline_argument, "nosyslog"))
-				ns_g_nosyslog = ISC_TRUE;
-			else if (!strcmp(isc_commandline_argument, "nonearest"))
-				ns_g_nonearest = ISC_TRUE;
-			else
-				fprintf(stderr, "unknown -T flag '%s\n",
-					isc_commandline_argument);
-			break;
-		case 'U':
-			ns_g_udpdisp = parse_int(isc_commandline_argument,
-						 "number of UDP listeners "
-						 "per interface");
-			break;
-		case 'u':
-			ns_g_username = isc_commandline_argument;
-			break;
-		case 'v':
-			printf("%s %s", ns_g_product, ns_g_version);
-			if (*ns_g_description != 0)
-				printf(" %s", ns_g_description);
-			printf("\n");
-			exit(0);
-		case 'V':
-			printf("%s %s", ns_g_product, ns_g_version);
-			if (*ns_g_description != 0)
-				printf(" %s", ns_g_description);
-			printf(" <id:%s> built with %s\n", ns_g_srcid,
-				ns_g_configargs);
-#ifdef OPENSSL
-			printf("using OpenSSL version: %s\n",
-			       OPENSSL_VERSION_TEXT);
-#endif
-#ifdef HAVE_LIBXML2
-			printf("using libxml2 version: %s\n",
-			       LIBXML_DOTTED_VERSION);
-#endif
-			exit(0);
-		case 'F':
-			/* Reserved for FIPS mode */
-			/* FALLTHROUGH */
-		case '?':
-			usage();
-			if (isc_commandline_option == '?')
-				exit(0);
-			ns_main_earlyfatal("unknown option '-%c'",
-					   isc_commandline_option);
-			/* FALLTHROUGH */
-		default:
-			ns_main_earlyfatal("parsing options returned %d", ch);
-		}
-	}
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-	POST(argv);
-
-	if (argc > 0) {
-		usage();
-		ns_main_earlyfatal("extra command line arguments");
-	}
-}
-
-static isc_result_t
-create_managers(void) {
-	isc_result_t result;
-	unsigned int socks;
-
-#ifdef ISC_PLATFORM_USETHREADS
-	if (ns_g_cpus == 0)
-		ns_g_cpus = ns_g_cpus_detected;
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s",
-		      ns_g_cpus_detected, ns_g_cpus_detected == 1 ? "" : "s",
-		      ns_g_cpus, ns_g_cpus == 1 ? "" : "s");
-#else
-	ns_g_cpus = 1;
-#endif
-#ifdef WIN32
-	ns_g_udpdisp = 1;
-#else
-	if (ns_g_udpdisp == 0)
-		ns_g_udpdisp = ns_g_cpus_detected;
-	if (ns_g_udpdisp > ns_g_cpus)
-		ns_g_udpdisp = ns_g_cpus;
-#endif
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_INFO, "using %u UDP listener%s per interface",
-		      ns_g_udpdisp, ns_g_udpdisp == 1 ? "" : "s");
-
-	result = isc_taskmgr_create(ns_g_mctx, ns_g_cpus, 0, &ns_g_taskmgr);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_taskmgr_create() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	result = isc_timermgr_create(ns_g_mctx, &ns_g_timermgr);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_timermgr_create() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	result = isc_socketmgr_create2(ns_g_mctx, &ns_g_socketmgr, maxsocks);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_socketmgr_create() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-	isc__socketmgr_maxudp(ns_g_socketmgr, maxudp);
-	result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &socks);
-	if (result == ISC_R_SUCCESS) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER,
-			      ISC_LOG_INFO, "using up to %u sockets", socks);
-	}
-
-	result = isc_entropy_create(ns_g_mctx, &ns_g_entropy);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_entropy_create() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	result = isc_hash_create(ns_g_mctx, ns_g_entropy, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_hash_create() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-destroy_managers(void) {
-	ns_lwresd_shutdown();
-
-	isc_entropy_detach(&ns_g_entropy);
-	if (ns_g_fallbackentropy != NULL)
-		isc_entropy_detach(&ns_g_fallbackentropy);
-
-	/*
-	 * isc_taskmgr_destroy() will block until all tasks have exited,
-	 */
-	isc_taskmgr_destroy(&ns_g_taskmgr);
-	isc_timermgr_destroy(&ns_g_timermgr);
-	isc_socketmgr_destroy(&ns_g_socketmgr);
-
-	/*
-	 * isc_hash_destroy() cannot be called as long as a resolver may be
-	 * running.  Calling this after isc_taskmgr_destroy() ensures the
-	 * call is safe.
-	 */
-	isc_hash_destroy();
-}
-
-static void
-dump_symboltable() {
-	int i;
-	isc_result_t result;
-	const char *fname;
-	const void *addr;
-
-	if (isc__backtrace_nsymbols == 0)
-		return;
-
-	if (!isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(99)))
-		return;
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_DEBUG(99), "Symbol table:");
-
-	for (i = 0, result = ISC_R_SUCCESS; result == ISC_R_SUCCESS; i++) {
-		addr = NULL;
-		fname = NULL;
-		result = isc_backtrace_getsymbolfromindex(i, &addr, &fname);
-		if (result == ISC_R_SUCCESS) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_MAIN, ISC_LOG_DEBUG(99),
-				      "[%d] %p %s", i, addr, fname);
-		}
-	}
-}
-
-static void
-setup(void) {
-	isc_result_t result;
-	isc_resourcevalue_t old_openfiles;
-#ifdef HAVE_LIBSCF
-	char *instance = NULL;
-#endif
-
-	/*
-	 * Get the user and group information before changing the root
-	 * directory, so the administrator does not need to keep a copy
-	 * of the user and group databases in the chroot'ed environment.
-	 */
-	ns_os_inituserinfo(ns_g_username);
-
-	/*
-	 * Initialize time conversion information
-	 */
-	ns_os_tzset();
-
-	ns_os_opendevnull();
-
-#ifdef HAVE_LIBSCF
-	/* Check if named is under smf control, before chroot. */
-	result = ns_smf_get_instance(&instance, 0, ns_g_mctx);
-	/* We don't care about instance, just check if we got one. */
-	if (result == ISC_R_SUCCESS)
-		ns_smf_got_instance = 1;
-	else
-		ns_smf_got_instance = 0;
-	if (instance != NULL)
-		isc_mem_free(ns_g_mctx, instance);
-#endif /* HAVE_LIBSCF */
-
-#ifdef PATH_RANDOMDEV
-	/*
-	 * Initialize system's random device as fallback entropy source
-	 * if running chroot'ed.
-	 */
-	if (ns_g_chrootdir != NULL) {
-		result = isc_entropy_create(ns_g_mctx, &ns_g_fallbackentropy);
-		if (result != ISC_R_SUCCESS)
-			ns_main_earlyfatal("isc_entropy_create() failed: %s",
-					   isc_result_totext(result));
-
-		result = isc_entropy_createfilesource(ns_g_fallbackentropy,
-						      PATH_RANDOMDEV);
-		if (result != ISC_R_SUCCESS) {
-			ns_main_earlywarning("could not open pre-chroot "
-					     "entropy source %s: %s",
-					     PATH_RANDOMDEV,
-					     isc_result_totext(result));
-			isc_entropy_detach(&ns_g_fallbackentropy);
-		}
-	}
-#endif
-
-#ifdef ISC_PLATFORM_USETHREADS
-	/*
-	 * Check for the number of cpu's before ns_os_chroot().
-	 */
-	ns_g_cpus_detected = isc_os_ncpus();
-#endif
-
-	ns_os_chroot(ns_g_chrootdir);
-
-	/*
-	 * For operating systems which have a capability mechanism, now
-	 * is the time to switch to minimal privs and change our user id.
-	 * On traditional UNIX systems, this call will be a no-op, and we
-	 * will change the user ID after reading the config file the first
-	 * time.  (We need to read the config file to know which possibly
-	 * privileged ports to bind() to.)
-	 */
-	ns_os_minprivs();
-
-	result = ns_log_init(ISC_TF(ns_g_username != NULL));
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("ns_log_init() failed: %s",
-				   isc_result_totext(result));
-
-	/*
-	 * Now is the time to daemonize (if we're not running in the
-	 * foreground).  We waited until now because we wanted to get
-	 * a valid logging context setup.  We cannot daemonize any later,
-	 * because calling create_managers() will create threads, which
-	 * would be lost after fork().
-	 */
-	if (!ns_g_foreground)
-		ns_os_daemonize();
-
-	/*
-	 * We call isc_app_start() here as some versions of FreeBSD's fork()
-	 * destroys all the signal handling it sets up.
-	 */
-	result = isc_app_start();
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("isc_app_start() failed: %s",
-				   isc_result_totext(result));
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product,
-		      ns_g_version, saved_command_line);
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE,
-		      "----------------------------------------------------");
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE,
-		      "BIND 9 is maintained by Internet Systems Consortium,");
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE,
-		      "Inc. (ISC), a non-profit 501(c)(3) public-benefit ");
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE,
-		      "corporation.  Support and training for BIND 9 are ");
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE,
-		      "available at https://www.isc.org/support");
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE,
-		      "----------------------------------------------------");
-
-	dump_symboltable();
-
-	/*
-	 * Get the initial resource limits.
-	 */
-	(void)isc_resource_getlimit(isc_resource_stacksize,
-				    &ns_g_initstacksize);
-	(void)isc_resource_getlimit(isc_resource_datasize,
-				    &ns_g_initdatasize);
-	(void)isc_resource_getlimit(isc_resource_coresize,
-				    &ns_g_initcoresize);
-	(void)isc_resource_getlimit(isc_resource_openfiles,
-				    &ns_g_initopenfiles);
-
-	/*
-	 * System resources cannot effectively be tuned on some systems.
-	 * Raise the limit in such cases for safety.
-	 */
-	old_openfiles = ns_g_initopenfiles;
-	ns_os_adjustnofile();
-	(void)isc_resource_getlimit(isc_resource_openfiles,
-				    &ns_g_initopenfiles);
-	if (old_openfiles != ns_g_initopenfiles) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_MAIN, ISC_LOG_NOTICE,
-			      "adjusted limit on open files from "
-			      "%" ISC_PRINT_QUADFORMAT "u to "
-			      "%" ISC_PRINT_QUADFORMAT "u",
-			      old_openfiles, ns_g_initopenfiles);
-	}
-
-	/*
-	 * If the named configuration filename is relative, prepend the current
-	 * directory's name before possibly changing to another directory.
-	 */
-	if (! isc_file_isabsolute(ns_g_conffile)) {
-		result = isc_file_absolutepath(ns_g_conffile,
-					       absolute_conffile,
-					       sizeof(absolute_conffile));
-		if (result != ISC_R_SUCCESS)
-			ns_main_earlyfatal("could not construct absolute path "
-					   "of configuration file: %s",
-					   isc_result_totext(result));
-		ns_g_conffile = absolute_conffile;
-	}
-
-	/*
-	 * Record the server's startup time.
-	 */
-	result = isc_time_now(&ns_g_boottime);
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("isc_time_now() failed: %s",
-				   isc_result_totext(result));
-
-	result = create_managers();
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("create_managers() failed: %s",
-				   isc_result_totext(result));
-
-	ns_builtin_init();
-
-	/*
-	 * Add calls to register sdb drivers here.
-	 */
-	/* xxdb_init(); */
-
-#ifdef ISC_DLZ_DLOPEN
-	/*
-	 * Register the DLZ "dlopen" driver.
-	 */
-	result = dlz_dlopen_init(ns_g_mctx);
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("dlz_dlopen_init() failed: %s",
-				   isc_result_totext(result));
-#endif
-
-#if CONTRIB_DLZ
-	/*
-	 * Register any other contributed DLZ drivers.
-	 */
-	result = dlz_drivers_init();
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("dlz_drivers_init() failed: %s",
-				   isc_result_totext(result));
-#endif
-
-	ns_server_create(ns_g_mctx, &ns_g_server);
-}
-
-static void
-cleanup(void) {
-	destroy_managers();
-
-	ns_server_destroy(&ns_g_server);
-
-	ns_builtin_deinit();
-
-	/*
-	 * Add calls to unregister sdb drivers here.
-	 */
-	/* xxdb_clear(); */
-
-#ifdef CONTRIB_DLZ
-	/*
-	 * Unregister contributed DLZ drivers.
-	 */
-	dlz_drivers_clear();
-#endif
-#ifdef ISC_DLZ_DLOPEN
-	/*
-	 * Unregister "dlopen" DLZ driver.
-	 */
-	dlz_dlopen_clear();
-#endif
-
-	dns_name_destroy();
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
-		      ISC_LOG_NOTICE, "exiting");
-	ns_log_shutdown();
-}
-
-static char *memstats = NULL;
-
-void
-ns_main_setmemstats(const char *filename) {
-	/*
-	 * Caller has to ensure locking.
-	 */
-
-	if (memstats != NULL) {
-		free(memstats);
-		memstats = NULL;
-	}
-	if (filename == NULL)
-		return;
-	memstats = malloc(strlen(filename) + 1);
-	if (memstats)
-		strcpy(memstats, filename);
-}
-
-#ifdef HAVE_LIBSCF
-/*
- * Get FMRI for the named process.
- */
-isc_result_t
-ns_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) {
-	scf_handle_t *h = NULL;
-	int namelen;
-	char *instance;
-
-	REQUIRE(ins_name != NULL && *ins_name == NULL);
-
-	if ((h = scf_handle_create(SCF_VERSION)) == NULL) {
-		if (debug)
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "scf_handle_create() failed: %s",
-					 scf_strerror(scf_error()));
-		return (ISC_R_FAILURE);
-	}
-
-	if (scf_handle_bind(h) == -1) {
-		if (debug)
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "scf_handle_bind() failed: %s",
-					 scf_strerror(scf_error()));
-		scf_handle_destroy(h);
-		return (ISC_R_FAILURE);
-	}
-
-	if ((namelen = scf_myname(h, NULL, 0)) == -1) {
-		if (debug)
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "scf_myname() failed: %s",
-					 scf_strerror(scf_error()));
-		scf_handle_destroy(h);
-		return (ISC_R_FAILURE);
-	}
-
-	if ((instance = isc_mem_allocate(mctx, namelen + 1)) == NULL) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "ns_smf_get_instance memory "
-				 "allocation failed: %s",
-				 isc_result_totext(ISC_R_NOMEMORY));
-		scf_handle_destroy(h);
-		return (ISC_R_FAILURE);
-	}
-
-	if (scf_myname(h, instance, namelen + 1) == -1) {
-		if (debug)
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "scf_myname() failed: %s",
-					 scf_strerror(scf_error()));
-		scf_handle_destroy(h);
-		isc_mem_free(mctx, instance);
-		return (ISC_R_FAILURE);
-	}
-
-	scf_handle_destroy(h);
-	*ins_name = instance;
-	return (ISC_R_SUCCESS);
-}
-#endif /* HAVE_LIBSCF */
-
-int
-main(int argc, char *argv[]) {
-	isc_result_t result;
-#ifdef HAVE_LIBSCF
-	char *instance = NULL;
-#endif
-
-	/*
-	 * Record version in core image.
-	 * strings named.core | grep "named version:"
-	 */
-	strlcat(version,
-#if defined(NO_VERSION_DATE) || !defined(__DATE__)
-		"named version: BIND " VERSION " <" SRCID ">",
-#else
-		"named version: BIND " VERSION " <" SRCID "> (" __DATE__ ")",
-#endif
-		sizeof(version));
-	result = isc_file_progname(*argv, program_name, sizeof(program_name));
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("program name too long");
-
-	if (strcmp(program_name, "lwresd") == 0)
-		ns_g_lwresdonly = ISC_TRUE;
-
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("failed to build internal symbol table");
-
-	isc_assertion_setcallback(assertion_failed);
-	isc_error_setfatal(library_fatal_error);
-	isc_error_setunexpected(library_unexpected_error);
-
-	ns_os_init(program_name);
-
-	dns_result_register();
-	dst_result_register();
-	isccc_result_register();
-
-	parse_command_line(argc, argv);
-
-	/*
-	 * Warn about common configuration error.
-	 */
-	if (ns_g_chrootdir != NULL) {
-		int len = strlen(ns_g_chrootdir);
-		if (strncmp(ns_g_chrootdir, ns_g_conffile, len) == 0 &&
-		    (ns_g_conffile[len] == '/' || ns_g_conffile[len] == '\\'))
-			ns_main_earlywarning("config filename (-c %s) contains "
-					     "chroot path (-t %s)",
-					     ns_g_conffile, ns_g_chrootdir);
-	}
-
-	result = isc_mem_create(0, 0, &ns_g_mctx);
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlyfatal("isc_mem_create() failed: %s",
-				   isc_result_totext(result));
-	isc_mem_setname(ns_g_mctx, "main", NULL);
-
-	setup();
-
-	/*
-	 * Start things running and then wait for a shutdown request
-	 * or reload.
-	 */
-	do {
-		result = isc_app_run();
-
-		if (result == ISC_R_RELOAD) {
-			ns_server_reloadwanted(ns_g_server);
-		} else if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_app_run(): %s",
-					 isc_result_totext(result));
-			/*
-			 * Force exit.
-			 */
-			result = ISC_R_SUCCESS;
-		}
-	} while (result != ISC_R_SUCCESS);
-
-#ifdef HAVE_LIBSCF
-	if (ns_smf_want_disable == 1) {
-		result = ns_smf_get_instance(&instance, 1, ns_g_mctx);
-		if (result == ISC_R_SUCCESS && instance != NULL) {
-			if (smf_disable_instance(instance, 0) != 0)
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 "smf_disable_instance() "
-						 "failed for %s : %s",
-						 instance,
-						 scf_strerror(scf_error()));
-		}
-		if (instance != NULL)
-			isc_mem_free(ns_g_mctx, instance);
-	}
-#endif /* HAVE_LIBSCF */
-
-	cleanup();
-
-	if (want_stats) {
-		isc_mem_stats(ns_g_mctx, stdout);
-		isc_mutex_stats(stdout);
-	}
-
-	if (ns_g_memstatistics && memstats != NULL) {
-		FILE *fp = NULL;
-		result = isc_stdio_open(memstats, "w", &fp);
-		if (result == ISC_R_SUCCESS) {
-			isc_mem_stats(ns_g_mctx, fp);
-			isc_mutex_stats(fp);
-			isc_stdio_close(fp);
-		}
-	}
-	isc_mem_destroy(&ns_g_mctx);
-	isc_mem_checkdestroyed(stderr);
-
-	ns_main_setmemstats(NULL);
-
-	isc_app_finish();
-
-	ns_os_closedevnull();
-
-	ns_os_shutdown();
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/named/named.8 b/contrib/bind9/bin/named/named.8
deleted file mode 100644
index b27be31..0000000
--- a/contrib/bind9/bin/named/named.8
+++ /dev/null
@@ -1,286 +0,0 @@
-.\" Copyright (C) 2004-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: named
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: May 21, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "NAMED" "8" "May 21, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named \- Internet domain name server
-.SH "SYNOPSIS"
-.HP 6
-\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-U\ \fR\fB\fI#listeners\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
-.SH "DESCRIPTION"
-.PP
-\fBnamed\fR
-is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035.
-.PP
-When invoked without arguments,
-\fBnamed\fR
-will read the default configuration file
-\fI/etc/named.conf\fR, read any initial data, and listen for queries.
-.SH "OPTIONS"
-.PP
-\-4
-.RS 4
-Use IPv4 only even if the host machine is capable of IPv6.
-\fB\-4\fR
-and
-\fB\-6\fR
-are mutually exclusive.
-.RE
-.PP
-\-6
-.RS 4
-Use IPv6 only even if the host machine is capable of IPv4.
-\fB\-4\fR
-and
-\fB\-6\fR
-are mutually exclusive.
-.RE
-.PP
-\-c \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/named.conf\fR. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible
-\fBdirectory\fR
-option in the configuration file,
-\fIconfig\-file\fR
-should be an absolute pathname.
-.RE
-.PP
-\-d \fIdebug\-level\fR
-.RS 4
-Set the daemon's debug level to
-\fIdebug\-level\fR. Debugging traces from
-\fBnamed\fR
-become more verbose as the debug level increases.
-.RE
-.PP
-\-E \fIengine\-name\fR
-.RS 4
-Use a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance re\-signing with private keys from a secure key store. When compiled with PKCS#11 support
-\fIengine\-name\fR
-defaults to pkcs11, the empty name resets it to no engine.
-.RE
-.PP
-\-f
-.RS 4
-Run the server in the foreground (i.e. do not daemonize).
-.RE
-.PP
-\-g
-.RS 4
-Run the server in the foreground and force all logging to
-\fIstderr\fR.
-.RE
-.PP
-\-m \fIflag\fR
-.RS 4
-Turn on memory usage debugging flags. Possible flags are
-\fIusage\fR,
-\fItrace\fR,
-\fIrecord\fR,
-\fIsize\fR, and
-\fImctx\fR. These correspond to the ISC_MEM_DEBUGXXXX flags described in
-\fI<isc/mem.h>\fR.
-.RE
-.PP
-\-n \fI#cpus\fR
-.RS 4
-Create
-\fI#cpus\fR
-worker threads to take advantage of multiple CPUs. If not specified,
-\fBnamed\fR
-will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Listen for queries on port
-\fIport\fR. If not specified, the default is port 53.
-.RE
-.PP
-\-s
-.RS 4
-Write memory usage statistics to
-\fIstdout\fR
-on exit.
-.RS
-.B "Note:"
-This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
-.RE
-.PP
-\-S \fI#max\-socks\fR
-.RS 4
-Allow
-\fBnamed\fR
-to use up to
-\fI#max\-socks\fR
-sockets.
-.RS
-.B "Warning:"
-This option should be unnecessary for the vast majority of users. The use of this option could even be harmful because the specified value may exceed the limitation of the underlying system API. It is therefore set only when the default configuration causes exhaustion of file descriptors and the operational environment is known to support the specified number of sockets. Note also that the actual maximum number is normally a little fewer than the specified value because
-\fBnamed\fR
-reserves some file descriptors for its internal use.
-.RE
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-\fIdirectory\fR
-after processing the command line arguments, but before reading the configuration file.
-.RS
-.B "Warning:"
-This option should be used in conjunction with the
-\fB\-u\fR
-option, as chrooting a process running as root doesn't enhance security on most systems; the way
-\fBchroot(2)\fR
-is defined allows a process with root privileges to escape a chroot jail.
-.RE
-.RE
-.PP
-\-U \fI#listeners\fR
-.RS 4
-Use
-\fI#listeners\fR
-worker threads to listen for incoming UDP packets on each address. If not specified,
-\fBnamed\fR
-will use the number of detected CPUs. If
-\fB\-n\fR
-has been set to a higher value than the number of CPUs, then
-\fB\-U\fR
-may be increased as high as that value, but no higher.
-.RE
-.PP
-\-u \fIuser\fR
-.RS 4
-Setuid to
-\fIuser\fR
-after completing privileged operations, such as creating sockets that listen on privileged ports.
-.RS
-.B "Note:"
-On Linux,
-\fBnamed\fR
-uses the kernel's capability mechanism to drop all root privileges except the ability to
-\fBbind(2)\fR
-to a privileged port and set process resource limits. Unfortunately, this means that the
-\fB\-u\fR
-option only works when
-\fBnamed\fR
-is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
-\fBsetuid(2)\fR.
-.RE
-.RE
-.PP
-\-v
-.RS 4
-Report the version number and exit.
-.RE
-.PP
-\-V
-.RS 4
-Report the version number and build options, and exit.
-.RE
-.PP
-\-x \fIcache\-file\fR
-.RS 4
-Load data from
-\fIcache\-file\fR
-into the cache of the default view.
-.RS
-.B "Warning:"
-This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
-.RE
-.SH "SIGNALS"
-.PP
-In routine operation, signals should not be used to control the nameserver;
-\fBrndc\fR
-should be used instead.
-.PP
-SIGHUP
-.RS 4
-Force a reload of the server.
-.RE
-.PP
-SIGINT, SIGTERM
-.RS 4
-Shut down the server.
-.RE
-.PP
-The result of sending any other signals to the server is undefined.
-.SH "CONFIGURATION"
-.PP
-The
-\fBnamed\fR
-configuration file is too complex to describe in detail here. A complete description is provided in the
-BIND 9 Administrator Reference Manual.
-.PP
-\fBnamed\fR
-inherits the
-\fBumask\fR
-(file creation mode mask) from the parent process. If files created by
-\fBnamed\fR, such as journal files, need to have custom permissions, the
-\fBumask\fR
-should be set explicitly in the script used to start the
-\fBnamed\fR
-process.
-.SH "FILES"
-.PP
-\fI/etc/named.conf\fR
-.RS 4
-The default configuration file.
-.RE
-.PP
-\fI/var/run/named/named.pid\fR
-.RS 4
-The default process\-id file.
-.RE
-.SH "SEE ALSO"
-.PP
-RFC 1033,
-RFC 1034,
-RFC 1035,
-\fBnamed\-checkconf\fR(8),
-\fBnamed\-checkzone\fR(8),
-\fBrndc\fR(8),
-\fBlwresd\fR(8),
-\fBnamed.conf\fR(5),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/named/named.conf.5 b/contrib/bind9/bin/named/named.conf.5
deleted file mode 100644
index 8d01222..0000000
--- a/contrib/bind9/bin/named/named.conf.5
+++ /dev/null
@@ -1,600 +0,0 @@
-.\" Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: \fInamed.conf\fR
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Aug 13, 2004
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "\fINAMED.CONF\fR" "5" "Aug 13, 2004" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named.conf \- configuration file for named
-.SH "SYNOPSIS"
-.HP 11
-\fBnamed.conf\fR
-.SH "DESCRIPTION"
-.PP
-\fInamed.conf\fR
-is the configuration file for
-\fBnamed\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
-.PP
-C style: /* */
-.PP
-C++ style: // to end of line
-.PP
-Unix style: # to end of line
-.SH "ACL"
-.sp
-.RS 4
-.nf
-acl \fIstring\fR { \fIaddress_match_element\fR; ... };
-.fi
-.RE
-.SH "KEY"
-.sp
-.RS 4
-.nf
-key \fIdomain_name\fR {
-	algorithm \fIstring\fR;
-	secret \fIstring\fR;
-};
-.fi
-.RE
-.SH "MASTERS"
-.sp
-.RS 4
-.nf
-masters \fIstring\fR [ port \fIinteger\fR ] {
-	( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] |
-	\fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; ...
-};
-.fi
-.RE
-.SH "SERVER"
-.sp
-.RS 4
-.nf
-server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) {
-	bogus \fIboolean\fR;
-	edns \fIboolean\fR;
-	edns\-udp\-size \fIinteger\fR;
-	max\-udp\-size \fIinteger\fR;
-	provide\-ixfr \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	keys \fIserver_key\fR;
-	transfers \fIinteger\fR;
-	transfer\-format ( many\-answers | one\-answer );
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	support\-ixfr \fIboolean\fR; // obsolete
-};
-.fi
-.RE
-.SH "TRUSTED\-KEYS"
-.sp
-.RS 4
-.nf
-trusted\-keys {
-	\fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
-};
-.fi
-.RE
-.SH "MANAGED\-KEYS"
-.sp
-.RS 4
-.nf
-managed\-keys {
-	\fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
-};
-.fi
-.RE
-.SH "CONTROLS"
-.sp
-.RS 4
-.nf
-controls {
-	inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ]
-		allow { \fIaddress_match_element\fR; ... }
-		[ keys { \fIstring\fR; ... } ];
-	unix \fIunsupported\fR; // not implemented
-};
-.fi
-.RE
-.SH "LOGGING"
-.sp
-.RS 4
-.nf
-logging {
-	channel \fIstring\fR {
-		file \fIlog_file\fR;
-		syslog \fIoptional_facility\fR;
-		null;
-		stderr;
-		severity \fIlog_severity\fR;
-		print\-time \fIboolean\fR;
-		print\-severity \fIboolean\fR;
-		print\-category \fIboolean\fR;
-	};
-	category \fIstring\fR { \fIstring\fR; ... };
-};
-.fi
-.RE
-.SH "LWRES"
-.sp
-.RS 4
-.nf
-lwres {
-	listen\-on [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
-	};
-	view \fIstring\fR \fIoptional_class\fR;
-	search { \fIstring\fR; ... };
-	ndots \fIinteger\fR;
-};
-.fi
-.RE
-.SH "OPTIONS"
-.sp
-.RS 4
-.nf
-options {
-	avoid\-v4\-udp\-ports { \fIport\fR; ... };
-	avoid\-v6\-udp\-ports { \fIport\fR; ... };
-	blackhole { \fIaddress_match_element\fR; ... };
-	coresize \fIsize\fR;
-	datasize \fIsize\fR;
-	directory \fIquoted_string\fR;
-	dump\-file \fIquoted_string\fR;
-	files \fIsize\fR;
-	heartbeat\-interval \fIinteger\fR;
-	host\-statistics \fIboolean\fR; // not implemented
-	host\-statistics\-max \fInumber\fR; // not implemented
-	hostname ( \fIquoted_string\fR | none );
-	interface\-interval \fIinteger\fR;
-	listen\-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
-	listen\-on\-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
-	match\-mapped\-addresses \fIboolean\fR;
-	memstatistics\-file \fIquoted_string\fR;
-	pid\-file ( \fIquoted_string\fR | none );
-	port \fIinteger\fR;
-	querylog \fIboolean\fR;
-	recursing\-file \fIquoted_string\fR;
-	reserved\-sockets \fIinteger\fR;
-	random\-device \fIquoted_string\fR;
-	recursive\-clients \fIinteger\fR;
-	serial\-query\-rate \fIinteger\fR;
-	server\-id ( \fIquoted_string\fR | none );
-	stacksize \fIsize\fR;
-	statistics\-file \fIquoted_string\fR;
-	statistics\-interval \fIinteger\fR; // not yet implemented
-	tcp\-clients \fIinteger\fR;
-	tcp\-listen\-queue \fIinteger\fR;
-	tkey\-dhkey \fIquoted_string\fR \fIinteger\fR;
-	tkey\-gssapi\-credential \fIquoted_string\fR;
-	tkey\-gssapi\-keytab \fIquoted_string\fR;
-	tkey\-domain \fIquoted_string\fR;
-	transfers\-per\-ns \fIinteger\fR;
-	transfers\-in \fIinteger\fR;
-	transfers\-out \fIinteger\fR;
-	use\-ixfr \fIboolean\fR;
-	version ( \fIquoted_string\fR | none );
-	allow\-recursion { \fIaddress_match_element\fR; ... };
-	allow\-recursion\-on { \fIaddress_match_element\fR; ... };
-	sortlist { \fIaddress_match_element\fR; ... };
-	topology { \fIaddress_match_element\fR; ... }; // not implemented
-	auth\-nxdomain \fIboolean\fR; // default changed
-	minimal\-responses \fIboolean\fR;
-	recursion \fIboolean\fR;
-	rrset\-order {
-		[ class \fIstring\fR ] [ type \fIstring\fR ]
-		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
-	};
-	provide\-ixfr \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	rfc2308\-type1 \fIboolean\fR; // not yet implemented
-	additional\-from\-auth \fIboolean\fR;
-	additional\-from\-cache \fIboolean\fR;
-	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
-	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
-	use\-queryport\-pool \fIboolean\fR;
-	queryport\-pool\-ports \fIinteger\fR;
-	queryport\-pool\-updateinterval \fIinteger\fR;
-	cleaning\-interval \fIinteger\fR;
-	resolver\-query\-timeout \fIinteger\fR;
-	min\-roots \fIinteger\fR; // not implemented
-	lame\-ttl \fIinteger\fR;
-	max\-ncache\-ttl \fIinteger\fR;
-	max\-cache\-ttl \fIinteger\fR;
-	transfer\-format ( many\-answers | one\-answer );
-	max\-cache\-size \fIsize\fR;
-	max\-acache\-size \fIsize\fR;
-	clients\-per\-query \fInumber\fR;
-	max\-clients\-per\-query \fInumber\fR;
-	check\-names ( master | slave | response )
-		( fail | warn | ignore );
-	check\-mx ( fail | warn | ignore );
-	check\-integrity \fIboolean\fR;
-	check\-mx\-cname ( fail | warn | ignore );
-	check\-srv\-cname ( fail | warn | ignore );
-	cache\-file \fIquoted_string\fR; // test option
-	suppress\-initial\-notify \fIboolean\fR; // not yet implemented
-	preferred\-glue \fIstring\fR;
-	dual\-stack\-servers [ port \fIinteger\fR ] {
-		( \fIquoted_string\fR [port \fIinteger\fR] |
-		\fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [port \fIinteger\fR] ); ...
-	};
-	edns\-udp\-size \fIinteger\fR;
-	max\-udp\-size \fIinteger\fR;
-	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
-	disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
-	dnssec\-enable \fIboolean\fR;
-	dnssec\-validation \fIboolean\fR;
-	dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
-	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
-	dnssec\-accept\-expired \fIboolean\fR;
-	dns64\-server \fIstring\fR;
-	dns64\-contact \fIstring\fR;
-	dns64 \fIprefix\fR {
-		clients { <replacable>acl</replacable>; };
-		exclude { <replacable>acl</replacable>; };
-		mapped { <replacable>acl</replacable>; };
-		break\-dnssec \fIboolean\fR;
-		recursive\-only \fIboolean\fR;
-		suffix \fIipv6_address\fR;
-	};
-	empty\-server \fIstring\fR;
-	empty\-contact \fIstring\fR;
-	empty\-zones\-enable \fIboolean\fR;
-	disable\-empty\-zone \fIstring\fR;
-	dialup \fIdialuptype\fR;
-	ixfr\-from\-differences \fIixfrdiff\fR;
-	allow\-query { \fIaddress_match_element\fR; ... };
-	allow\-query\-on { \fIaddress_match_element\fR; ... };
-	allow\-query\-cache { \fIaddress_match_element\fR; ... };
-	allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
-	allow\-transfer { \fIaddress_match_element\fR; ... };
-	allow\-update { \fIaddress_match_element\fR; ... };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
-	update\-check\-ksk \fIboolean\fR;
-	dnssec\-dnskey\-kskonly \fIboolean\fR;
-	masterfile\-format ( text | raw );
-	notify \fInotifytype\fR;
-	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-delay \fIseconds\fR;
-	notify\-to\-soa \fIboolean\fR;
-	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; ...
-		[ key \fIkeyname\fR ] ... };
-	allow\-notify { \fIaddress_match_element\fR; ... };
-	forward ( first | only );
-	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
-	};
-	max\-journal\-size \fIsize_no_default\fR;
-	max\-transfer\-time\-in \fIinteger\fR;
-	max\-transfer\-time\-out \fIinteger\fR;
-	max\-transfer\-idle\-in \fIinteger\fR;
-	max\-transfer\-idle\-out \fIinteger\fR;
-	max\-retry\-time \fIinteger\fR;
-	min\-retry\-time \fIinteger\fR;
-	max\-refresh\-time \fIinteger\fR;
-	min\-refresh\-time \fIinteger\fR;
-	multi\-master \fIboolean\fR;
-	sig\-validity\-interval \fIinteger\fR;
-	sig\-re\-signing\-interval \fIinteger\fR;
-	sig\-signing\-nodes \fIinteger\fR;
-	sig\-signing\-signatures \fIinteger\fR;
-	sig\-signing\-type \fIinteger\fR;
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	use\-alt\-transfer\-source \fIboolean\fR;
-	zone\-statistics \fIboolean\fR;
-	key\-directory \fIquoted_string\fR;
-	managed\-keys\-directory \fIquoted_string\fR;
-	auto\-dnssec \fBallow\fR|\fBmaintain\fR|\fBcreate\fR|\fBoff\fR;
-	try\-tcp\-refresh \fIboolean\fR;
-	zero\-no\-soa\-ttl \fIboolean\fR;
-	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
-	dnssec\-secure\-to\-insecure \fIboolean\fR;
-	deny\-answer\-addresses {
-		\fIaddress_match_list\fR
-	} [ except\-from { \fInamelist\fR } ];
-	deny\-answer\-aliases {
-		\fInamelist\fR
-	} [ except\-from { \fInamelist\fR } ];
-	nsec3\-test\-zone \fIboolean\fR;  // testing only
-	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
-	deallocate\-on\-exit \fIboolean\fR; // obsolete
-	fake\-iquery \fIboolean\fR; // obsolete
-	fetch\-glue \fIboolean\fR; // obsolete
-	has\-old\-clients \fIboolean\fR; // obsolete
-	maintain\-ixfr\-base \fIboolean\fR; // obsolete
-	max\-ixfr\-log\-size \fIsize\fR; // obsolete
-	multiple\-cnames \fIboolean\fR; // obsolete
-	named\-xfer \fIquoted_string\fR; // obsolete
-	serial\-queries \fIinteger\fR; // obsolete
-	treat\-cr\-as\-space \fIboolean\fR; // obsolete
-	use\-id\-pool \fIboolean\fR; // obsolete
-};
-.fi
-.RE
-.SH "VIEW"
-.sp
-.RS 4
-.nf
-view \fIstring\fR \fIoptional_class\fR {
-	match\-clients { \fIaddress_match_element\fR; ... };
-	match\-destinations { \fIaddress_match_element\fR; ... };
-	match\-recursive\-only \fIboolean\fR;
-	key \fIstring\fR {
-		algorithm \fIstring\fR;
-		secret \fIstring\fR;
-	};
-	zone \fIstring\fR \fIoptional_class\fR {
-		...
-	};
-	server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) {
-		...
-	};
-	trusted\-keys {
-		\fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
-		[...]
-	};
-	allow\-recursion { \fIaddress_match_element\fR; ... };
-	allow\-recursion\-on { \fIaddress_match_element\fR; ... };
-	sortlist { \fIaddress_match_element\fR; ... };
-	topology { \fIaddress_match_element\fR; ... }; // not implemented
-	auth\-nxdomain \fIboolean\fR; // default changed
-	minimal\-responses \fIboolean\fR;
-	recursion \fIboolean\fR;
-	rrset\-order {
-		[ class \fIstring\fR ] [ type \fIstring\fR ]
-		[ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
-	};
-	provide\-ixfr \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	rfc2308\-type1 \fIboolean\fR; // not yet implemented
-	additional\-from\-auth \fIboolean\fR;
-	additional\-from\-cache \fIboolean\fR;
-	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
-	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
-	use\-queryport\-pool \fIboolean\fR;
-	queryport\-pool\-ports \fIinteger\fR;
-	queryport\-pool\-updateinterval \fIinteger\fR;
-	cleaning\-interval \fIinteger\fR;
-	resolver\-query\-timeout \fIinteger\fR;
-	min\-roots \fIinteger\fR; // not implemented
-	lame\-ttl \fIinteger\fR;
-	max\-ncache\-ttl \fIinteger\fR;
-	max\-cache\-ttl \fIinteger\fR;
-	transfer\-format ( many\-answers | one\-answer );
-	max\-cache\-size \fIsize\fR;
-	max\-acache\-size \fIsize\fR;
-	clients\-per\-query \fInumber\fR;
-	max\-clients\-per\-query \fInumber\fR;
-	check\-names ( master | slave | response )
-		( fail | warn | ignore );
-	check\-mx ( fail | warn | ignore );
-	check\-integrity \fIboolean\fR;
-	check\-mx\-cname ( fail | warn | ignore );
-	check\-srv\-cname ( fail | warn | ignore );
-	cache\-file \fIquoted_string\fR; // test option
-	suppress\-initial\-notify \fIboolean\fR; // not yet implemented
-	preferred\-glue \fIstring\fR;
-	dual\-stack\-servers [ port \fIinteger\fR ] {
-		( \fIquoted_string\fR [port \fIinteger\fR] |
-		\fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [port \fIinteger\fR] ); ...
-	};
-	edns\-udp\-size \fIinteger\fR;
-	max\-udp\-size \fIinteger\fR;
-	root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
-	disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
-	dnssec\-enable \fIboolean\fR;
-	dnssec\-validation \fIboolean\fR;
-	dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
-	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
-	dnssec\-accept\-expired \fIboolean\fR;
-	dns64\-server \fIstring\fR;
-	dns64\-contact \fIstring\fR;
-	dns64 \fIprefix\fR {
-		clients { <replacable>acl</replacable>; };
-		exclude { <replacable>acl</replacable>; };
-		mapped { <replacable>acl</replacable>; };
-		break\-dnssec \fIboolean\fR;
-		recursive\-only \fIboolean\fR;
-		suffix \fIipv6_address\fR;
-	};
-	empty\-server \fIstring\fR;
-	empty\-contact \fIstring\fR;
-	empty\-zones\-enable \fIboolean\fR;
-	disable\-empty\-zone \fIstring\fR;
-	dialup \fIdialuptype\fR;
-	ixfr\-from\-differences \fIixfrdiff\fR;
-	allow\-query { \fIaddress_match_element\fR; ... };
-	allow\-query\-on { \fIaddress_match_element\fR; ... };
-	allow\-query\-cache { \fIaddress_match_element\fR; ... };
-	allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
-	allow\-transfer { \fIaddress_match_element\fR; ... };
-	allow\-update { \fIaddress_match_element\fR; ... };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
-	update\-check\-ksk \fIboolean\fR;
-	dnssec\-dnskey\-kskonly \fIboolean\fR;
-	masterfile\-format ( text | raw );
-	notify \fInotifytype\fR;
-	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-delay \fIseconds\fR;
-	notify\-to\-soa \fIboolean\fR;
-	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; ...
-		[ key \fIkeyname\fR ] ... };
-	allow\-notify { \fIaddress_match_element\fR; ... };
-	forward ( first | only );
-	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
-	};
-	max\-journal\-size \fIsize_no_default\fR;
-	max\-transfer\-time\-in \fIinteger\fR;
-	max\-transfer\-time\-out \fIinteger\fR;
-	max\-transfer\-idle\-in \fIinteger\fR;
-	max\-transfer\-idle\-out \fIinteger\fR;
-	max\-retry\-time \fIinteger\fR;
-	min\-retry\-time \fIinteger\fR;
-	max\-refresh\-time \fIinteger\fR;
-	min\-refresh\-time \fIinteger\fR;
-	multi\-master \fIboolean\fR;
-	sig\-validity\-interval \fIinteger\fR;
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	use\-alt\-transfer\-source \fIboolean\fR;
-	zone\-statistics \fIboolean\fR;
-	try\-tcp\-refresh \fIboolean\fR;
-	key\-directory \fIquoted_string\fR;
-	zero\-no\-soa\-ttl \fIboolean\fR;
-	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
-	dnssec\-secure\-to\-insecure \fIboolean\fR;
-	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
-	fetch\-glue \fIboolean\fR; // obsolete
-	maintain\-ixfr\-base \fIboolean\fR; // obsolete
-	max\-ixfr\-log\-size \fIsize\fR; // obsolete
-};
-.fi
-.RE
-.SH "ZONE"
-.sp
-.RS 4
-.nf
-zone \fIstring\fR \fIoptional_class\fR {
-	type ( master | slave | stub | hint | redirect |
-		forward | delegation\-only );
-	file \fIquoted_string\fR;
-	masters [ port \fIinteger\fR ] {
-		( \fImasters\fR |
-		\fIipv4_address\fR [port \fIinteger\fR] |
-		\fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; ...
-	};
-	database \fIstring\fR;
-	delegation\-only \fIboolean\fR;
-	check\-names ( fail | warn | ignore );
-	check\-mx ( fail | warn | ignore );
-	check\-integrity \fIboolean\fR;
-	check\-mx\-cname ( fail | warn | ignore );
-	check\-srv\-cname ( fail | warn | ignore );
-	dialup \fIdialuptype\fR;
-	ixfr\-from\-differences \fIboolean\fR;
-	journal \fIquoted_string\fR;
-	zero\-no\-soa\-ttl \fIboolean\fR;
-	dnssec\-secure\-to\-insecure \fIboolean\fR;
-	allow\-query { \fIaddress_match_element\fR; ... };
-	allow\-query\-on { \fIaddress_match_element\fR; ... };
-	allow\-transfer { \fIaddress_match_element\fR; ... };
-	allow\-update { \fIaddress_match_element\fR; ... };
-	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
-	update\-policy \fIlocal\fR | \fI {
-		( grant | deny ) \fR\fI\fIstring\fR\fR\fI
-		( name | subdomain | wildcard | self | selfsub | selfwild |
-                  krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain |
-		  tcp\-self | zonesub | 6to4\-self ) \fR\fI\fIstring\fR\fR\fI
-		\fR\fI\fIrrtypelist\fR\fR\fI;
-		\fR\fI[...]\fR\fI
-	}\fR;
-	update\-check\-ksk \fIboolean\fR;
-	dnssec\-dnskey\-kskonly \fIboolean\fR;
-	masterfile\-format ( text | raw );
-	notify \fInotifytype\fR;
-	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
-	notify\-delay \fIseconds\fR;
-	notify\-to\-soa \fIboolean\fR;
-	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
-		[ port \fIinteger\fR ]; ...
-		[ key \fIkeyname\fR ] ... };
-	allow\-notify { \fIaddress_match_element\fR; ... };
-	forward ( first | only );
-	forwarders [ port \fIinteger\fR ] {
-		( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
-	};
-	max\-journal\-size \fIsize_no_default\fR;
-	max\-transfer\-time\-in \fIinteger\fR;
-	max\-transfer\-time\-out \fIinteger\fR;
-	max\-transfer\-idle\-in \fIinteger\fR;
-	max\-transfer\-idle\-out \fIinteger\fR;
-	max\-retry\-time \fIinteger\fR;
-	min\-retry\-time \fIinteger\fR;
-	max\-refresh\-time \fIinteger\fR;
-	min\-refresh\-time \fIinteger\fR;
-	multi\-master \fIboolean\fR;
-	request\-ixfr \fIboolean\fR;
-	sig\-validity\-interval \fIinteger\fR;
-	transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source ( \fIipv4_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
-		[ port ( \fIinteger\fR | * ) ];
-	use\-alt\-transfer\-source \fIboolean\fR;
-	zone\-statistics \fIboolean\fR;
-	try\-tcp\-refresh \fIboolean\fR;
-	key\-directory \fIquoted_string\fR;
-	nsec3\-test\-zone \fIboolean\fR;  // testing only
-	ixfr\-base \fIquoted_string\fR; // obsolete
-	ixfr\-tmp\-file \fIquoted_string\fR; // obsolete
-	maintain\-ixfr\-base \fIboolean\fR; // obsolete
-	max\-ixfr\-log\-size \fIsize\fR; // obsolete
-	pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete
-};
-.fi
-.RE
-.SH "FILES"
-.PP
-\fI/etc/named.conf\fR
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBnamed\-checkconf\fR(8),
-\fBrndc\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/named/named.conf.docbook b/contrib/bind9/bin/named/named.conf.docbook
deleted file mode 100644
index d778706..0000000
--- a/contrib/bind9/bin/named/named.conf.docbook
+++ /dev/null
@@ -1,687 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named.conf.docbook,v 1.55 2011/11/07 00:25:53 each Exp $ -->
-<refentry>
-  <refentryinfo>
-    <date>Aug 13, 2004</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><filename>named.conf</filename></refentrytitle>
-    <manvolnum>5</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><filename>named.conf</filename></refname>
-    <refpurpose>configuration file for named</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2013</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>named.conf</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><filename>named.conf</filename> is the configuration file
-      for
-      <command>named</command>.  Statements are enclosed
-      in braces and terminated with a semi-colon.  Clauses in
-      the statements are also semi-colon terminated.  The usual
-      comment styles are supported:
-    </para>
-    <para>
-      C style: /* */
-    </para>
-    <para>
-      C++ style: // to end of line
-    </para>
-    <para>
-      Unix style: # to end of line
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>ACL</title>
-    <literallayout>
-acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
-
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>KEY</title>
-    <literallayout>
-key <replaceable>domain_name</replaceable> {
-	algorithm <replaceable>string</replaceable>;
-	secret <replaceable>string</replaceable>;
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>MASTERS</title>
-    <literallayout>
-masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> {
-	( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
-	<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>SERVER</title>
-    <literallayout>
-server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
-	bogus <replaceable>boolean</replaceable>;
-	edns <replaceable>boolean</replaceable>;
-	edns-udp-size <replaceable>integer</replaceable>;
-	max-udp-size <replaceable>integer</replaceable>;
-	provide-ixfr <replaceable>boolean</replaceable>;
-	request-ixfr <replaceable>boolean</replaceable>;
-	keys <replaceable>server_key</replaceable>;
-	transfers <replaceable>integer</replaceable>;
-	transfer-format ( many-answers | one-answer );
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
-	support-ixfr <replaceable>boolean</replaceable>; // obsolete
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>TRUSTED-KEYS</title>
-    <literallayout>
-trusted-keys {
-	<replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... 
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>MANAGED-KEYS</title>
-    <literallayout>
-managed-keys {
-	<replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... 
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>CONTROLS</title>
-    <literallayout>
-controls {
-	inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>
-		allow { <replaceable>address_match_element</replaceable>; ... }
-		<optional> keys { <replaceable>string</replaceable>; ... } </optional>;
-	unix <replaceable>unsupported</replaceable>; // not implemented
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>LOGGING</title>
-    <literallayout>
-logging {
-	channel <replaceable>string</replaceable> {
-		file <replaceable>log_file</replaceable>;
-		syslog <replaceable>optional_facility</replaceable>;
-		null;
-		stderr;
-		severity <replaceable>log_severity</replaceable>;
-		print-time <replaceable>boolean</replaceable>;
-		print-severity <replaceable>boolean</replaceable>;
-		print-category <replaceable>boolean</replaceable>;
-	};
-	category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>LWRES</title>
-    <literallayout>
-lwres {
-	listen-on <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
-	};
-	view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>;
-	search { <replaceable>string</replaceable>; ... };
-	ndots <replaceable>integer</replaceable>;
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-    <literallayout>
-options {
-	avoid-v4-udp-ports { <replaceable>port</replaceable>; ... };
-	avoid-v6-udp-ports { <replaceable>port</replaceable>; ... };
-	blackhole { <replaceable>address_match_element</replaceable>; ... };
-	coresize <replaceable>size</replaceable>;
-	datasize <replaceable>size</replaceable>;
-	directory <replaceable>quoted_string</replaceable>;
-	dump-file <replaceable>quoted_string</replaceable>;
-	files <replaceable>size</replaceable>;
-	heartbeat-interval <replaceable>integer</replaceable>;
-	host-statistics <replaceable>boolean</replaceable>; // not implemented
-	host-statistics-max <replaceable>number</replaceable>; // not implemented
-	hostname ( <replaceable>quoted_string</replaceable> | none );
-	interface-interval <replaceable>integer</replaceable>;
-	listen-on <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
-	listen-on-v6 <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
-	match-mapped-addresses <replaceable>boolean</replaceable>;
-	memstatistics-file <replaceable>quoted_string</replaceable>;
-	pid-file ( <replaceable>quoted_string</replaceable> | none );
-	port <replaceable>integer</replaceable>;
-	querylog <replaceable>boolean</replaceable>;
-	recursing-file <replaceable>quoted_string</replaceable>;
-	reserved-sockets <replaceable>integer</replaceable>;
-	random-device <replaceable>quoted_string</replaceable>;
-	recursive-clients <replaceable>integer</replaceable>;
-	serial-query-rate <replaceable>integer</replaceable>;
-	server-id ( <replaceable>quoted_string</replaceable> | none );
-	stacksize <replaceable>size</replaceable>;
-	statistics-file <replaceable>quoted_string</replaceable>;
-	statistics-interval <replaceable>integer</replaceable>; // not yet implemented
-	tcp-clients <replaceable>integer</replaceable>;
-	tcp-listen-queue <replaceable>integer</replaceable>;
-	tkey-dhkey <replaceable>quoted_string</replaceable> <replaceable>integer</replaceable>;
-	tkey-gssapi-credential <replaceable>quoted_string</replaceable>;
-	tkey-gssapi-keytab <replaceable>quoted_string</replaceable>;
-	tkey-domain <replaceable>quoted_string</replaceable>;
-	transfers-per-ns <replaceable>integer</replaceable>;
-	transfers-in <replaceable>integer</replaceable>;
-	transfers-out <replaceable>integer</replaceable>;
-	use-ixfr <replaceable>boolean</replaceable>;
-	version ( <replaceable>quoted_string</replaceable> | none );
-	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
-	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
-	sortlist { <replaceable>address_match_element</replaceable>; ... };
-	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
-	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
-	minimal-responses <replaceable>boolean</replaceable>;
-	recursion <replaceable>boolean</replaceable>;
-	rrset-order {
-		<optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
-		<optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
-	};
-	provide-ixfr <replaceable>boolean</replaceable>;
-	request-ixfr <replaceable>boolean</replaceable>;
-	rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
-	additional-from-auth <replaceable>boolean</replaceable>;
-	additional-from-cache <replaceable>boolean</replaceable>;
-	query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	use-queryport-pool <replaceable>boolean</replaceable>;
-	queryport-pool-ports <replaceable>integer</replaceable>;
-	queryport-pool-updateinterval <replaceable>integer</replaceable>;
-	cleaning-interval <replaceable>integer</replaceable>;
-	resolver-query-timeout <replaceable>integer</replaceable>;
-	min-roots <replaceable>integer</replaceable>; // not implemented
-	lame-ttl <replaceable>integer</replaceable>;
-	max-ncache-ttl <replaceable>integer</replaceable>;
-	max-cache-ttl <replaceable>integer</replaceable>;
-	transfer-format ( many-answers | one-answer );
-	max-cache-size <replaceable>size</replaceable>;
-	max-acache-size <replaceable>size</replaceable>;
-	clients-per-query <replaceable>number</replaceable>;
-	max-clients-per-query <replaceable>number</replaceable>;
-	check-names ( master | slave | response )
-		( fail | warn | ignore );
-	check-mx ( fail | warn | ignore );
-	check-integrity <replaceable>boolean</replaceable>;
-	check-mx-cname ( fail | warn | ignore );
-	check-srv-cname ( fail | warn | ignore );
-	cache-file <replaceable>quoted_string</replaceable>; // test option
-	suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
-	preferred-glue <replaceable>string</replaceable>;
-	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
-		<replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
-		<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
-	};
-	edns-udp-size <replaceable>integer</replaceable>;
-	max-udp-size <replaceable>integer</replaceable>;
-	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
-	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
-	dnssec-enable <replaceable>boolean</replaceable>;
-	dnssec-validation <replaceable>boolean</replaceable>;
-	dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
-	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
-	dnssec-accept-expired <replaceable>boolean</replaceable>;
-
-	dns64-server <replaceable>string</replaceable>;
-	dns64-contact <replaceable>string</replaceable>;
-	dns64 <replaceable>prefix</replaceable> {
-		clients { <replacable>acl</replacable>; };
-		exclude { <replacable>acl</replacable>; };
-		mapped { <replacable>acl</replacable>; };
-		break-dnssec <replaceable>boolean</replaceable>;
-		recursive-only <replaceable>boolean</replaceable>;
-		suffix <replaceable>ipv6_address</replaceable>;
-	};
-
-	empty-server <replaceable>string</replaceable>;
-	empty-contact <replaceable>string</replaceable>;
-	empty-zones-enable <replaceable>boolean</replaceable>;
-	disable-empty-zone <replaceable>string</replaceable>;
-
-	dialup <replaceable>dialuptype</replaceable>;
-	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
-
-	allow-query { <replaceable>address_match_element</replaceable>; ... };
-	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
-	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
-	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
-	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
-	allow-update { <replaceable>address_match_element</replaceable>; ... };
-	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-	update-check-ksk <replaceable>boolean</replaceable>;
-	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
-
-	masterfile-format ( text | raw );
-	notify <replaceable>notifytype</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	notify-delay <replaceable>seconds</replaceable>;
-	notify-to-soa <replaceable>boolean</replaceable>;
-	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
-		<optional> port <replaceable>integer</replaceable> </optional>; ...
-		<optional> key <replaceable>keyname</replaceable> </optional> ... };
-	allow-notify { <replaceable>address_match_element</replaceable>; ... };
-
-	forward ( first | only );
-	forwarders <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
-	};
-
-	max-journal-size <replaceable>size_no_default</replaceable>;
-	max-transfer-time-in <replaceable>integer</replaceable>;
-	max-transfer-time-out <replaceable>integer</replaceable>;
-	max-transfer-idle-in <replaceable>integer</replaceable>;
-	max-transfer-idle-out <replaceable>integer</replaceable>;
-	max-retry-time <replaceable>integer</replaceable>;
-	min-retry-time <replaceable>integer</replaceable>;
-	max-refresh-time <replaceable>integer</replaceable>;
-	min-refresh-time <replaceable>integer</replaceable>;
-	multi-master <replaceable>boolean</replaceable>;
-
-	sig-validity-interval <replaceable>integer</replaceable>;
-	sig-re-signing-interval <replaceable>integer</replaceable>;
-	sig-signing-nodes <replaceable>integer</replaceable>;
-	sig-signing-signatures <replaceable>integer</replaceable>;
-	sig-signing-type <replaceable>integer</replaceable>;
-
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
-	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	use-alt-transfer-source <replaceable>boolean</replaceable>;
-
-	zone-statistics <replaceable>boolean</replaceable>;
-	key-directory <replaceable>quoted_string</replaceable>;
-	managed-keys-directory <replaceable>quoted_string</replaceable>;
-	auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>;
-	try-tcp-refresh <replaceable>boolean</replaceable>;
-	zero-no-soa-ttl <replaceable>boolean</replaceable>;
-	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
-	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
-	deny-answer-addresses {
-		<replaceable>address_match_list</replaceable>
-	} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
-	deny-answer-aliases {
-		<replaceable>namelist</replaceable>
-	} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
-
-	nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only
-
-	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
-	deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
-	fake-iquery <replaceable>boolean</replaceable>; // obsolete
-	fetch-glue <replaceable>boolean</replaceable>; // obsolete
-	has-old-clients <replaceable>boolean</replaceable>; // obsolete
-	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
-	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
-	multiple-cnames <replaceable>boolean</replaceable>; // obsolete
-	named-xfer <replaceable>quoted_string</replaceable>; // obsolete
-	serial-queries <replaceable>integer</replaceable>; // obsolete
-	treat-cr-as-space <replaceable>boolean</replaceable>; // obsolete
-	use-id-pool <replaceable>boolean</replaceable>; // obsolete
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>VIEW</title>
-    <literallayout>
-view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
-	match-clients { <replaceable>address_match_element</replaceable>; ... };
-	match-destinations { <replaceable>address_match_element</replaceable>; ... };
-	match-recursive-only <replaceable>boolean</replaceable>;
-
-	key <replaceable>string</replaceable> {
-		algorithm <replaceable>string</replaceable>;
-		secret <replaceable>string</replaceable>;
-	};
-
-	zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
-		...
-	};
-
-	server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
-		...
-	};
-
-	trusted-keys {
-		<replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
-		<optional>...</optional>
-	};
-
-	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
-	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
-	sortlist { <replaceable>address_match_element</replaceable>; ... };
-	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
-	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
-	minimal-responses <replaceable>boolean</replaceable>;
-	recursion <replaceable>boolean</replaceable>;
-	rrset-order {
-		<optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
-		<optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
-	};
-	provide-ixfr <replaceable>boolean</replaceable>;
-	request-ixfr <replaceable>boolean</replaceable>;
-	rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
-	additional-from-auth <replaceable>boolean</replaceable>;
-	additional-from-cache <replaceable>boolean</replaceable>;
-	query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	use-queryport-pool <replaceable>boolean</replaceable>;
-	queryport-pool-ports <replaceable>integer</replaceable>;
-	queryport-pool-updateinterval <replaceable>integer</replaceable>;
-	cleaning-interval <replaceable>integer</replaceable>;
-	resolver-query-timeout <replaceable>integer</replaceable>;
-	min-roots <replaceable>integer</replaceable>; // not implemented
-	lame-ttl <replaceable>integer</replaceable>;
-	max-ncache-ttl <replaceable>integer</replaceable>;
-	max-cache-ttl <replaceable>integer</replaceable>;
-	transfer-format ( many-answers | one-answer );
-	max-cache-size <replaceable>size</replaceable>;
-	max-acache-size <replaceable>size</replaceable>;
-	clients-per-query <replaceable>number</replaceable>;
-	max-clients-per-query <replaceable>number</replaceable>;
-	check-names ( master | slave | response )
-		( fail | warn | ignore );
-	check-mx ( fail | warn | ignore );
-	check-integrity <replaceable>boolean</replaceable>;
-	check-mx-cname ( fail | warn | ignore );
-	check-srv-cname ( fail | warn | ignore );
-	cache-file <replaceable>quoted_string</replaceable>; // test option
-	suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
-	preferred-glue <replaceable>string</replaceable>;
-	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
-		<replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
-		<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
-	};
-	edns-udp-size <replaceable>integer</replaceable>;
-	max-udp-size <replaceable>integer</replaceable>;
-	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
-	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
-	dnssec-enable <replaceable>boolean</replaceable>;
-	dnssec-validation <replaceable>boolean</replaceable>;
-	dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
-	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
-	dnssec-accept-expired <replaceable>boolean</replaceable>;
-
-	dns64-server <replaceable>string</replaceable>;
-	dns64-contact <replaceable>string</replaceable>;
-	dns64 <replaceable>prefix</replaceable> {
-		clients { <replacable>acl</replacable>; };
-		exclude { <replacable>acl</replacable>; };
-		mapped { <replacable>acl</replacable>; };
-		break-dnssec <replaceable>boolean</replaceable>;
-		recursive-only <replaceable>boolean</replaceable>;
-		suffix <replaceable>ipv6_address</replaceable>;
-	};
-
-	empty-server <replaceable>string</replaceable>;
-	empty-contact <replaceable>string</replaceable>;
-	empty-zones-enable <replaceable>boolean</replaceable>;
-	disable-empty-zone <replaceable>string</replaceable>;
-
-	dialup <replaceable>dialuptype</replaceable>;
-	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
-
-	allow-query { <replaceable>address_match_element</replaceable>; ... };
-	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
-	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
-	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
-	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
-	allow-update { <replaceable>address_match_element</replaceable>; ... };
-	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-	update-check-ksk <replaceable>boolean</replaceable>;
-	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
-
-	masterfile-format ( text | raw );
-	notify <replaceable>notifytype</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	notify-delay <replaceable>seconds</replaceable>;
-	notify-to-soa <replaceable>boolean</replaceable>;
-	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
-		<optional> port <replaceable>integer</replaceable> </optional>; ...
-		<optional> key <replaceable>keyname</replaceable> </optional> ... };
-	allow-notify { <replaceable>address_match_element</replaceable>; ... };
-
-	forward ( first | only );
-	forwarders <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
-	};
-
-	max-journal-size <replaceable>size_no_default</replaceable>;
-	max-transfer-time-in <replaceable>integer</replaceable>;
-	max-transfer-time-out <replaceable>integer</replaceable>;
-	max-transfer-idle-in <replaceable>integer</replaceable>;
-	max-transfer-idle-out <replaceable>integer</replaceable>;
-	max-retry-time <replaceable>integer</replaceable>;
-	min-retry-time <replaceable>integer</replaceable>;
-	max-refresh-time <replaceable>integer</replaceable>;
-	min-refresh-time <replaceable>integer</replaceable>;
-	multi-master <replaceable>boolean</replaceable>;
-	sig-validity-interval <replaceable>integer</replaceable>;
-
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
-	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	use-alt-transfer-source <replaceable>boolean</replaceable>;
-
-	zone-statistics <replaceable>boolean</replaceable>;
-	try-tcp-refresh <replaceable>boolean</replaceable>;
-	key-directory <replaceable>quoted_string</replaceable>;
-	zero-no-soa-ttl <replaceable>boolean</replaceable>;
-	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
-	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
-
-	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
-	fetch-glue <replaceable>boolean</replaceable>; // obsolete
-	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
-	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>ZONE</title>
-    <literallayout>
-zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
-	type ( master | slave | stub | hint | redirect |
-		forward | delegation-only );
-	file <replaceable>quoted_string</replaceable>;
-
-	masters <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>masters</replaceable> |
-		<replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
-		<replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
-	};
-
-	database <replaceable>string</replaceable>;
-	delegation-only <replaceable>boolean</replaceable>;
-	check-names ( fail | warn | ignore );
-	check-mx ( fail | warn | ignore );
-	check-integrity <replaceable>boolean</replaceable>;
-	check-mx-cname ( fail | warn | ignore );
-	check-srv-cname ( fail | warn | ignore );
-	dialup <replaceable>dialuptype</replaceable>;
-	ixfr-from-differences <replaceable>boolean</replaceable>;
-	journal <replaceable>quoted_string</replaceable>;
-	zero-no-soa-ttl <replaceable>boolean</replaceable>;
-	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
-
-	allow-query { <replaceable>address_match_element</replaceable>; ... };
-	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
-	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
-	allow-update { <replaceable>address_match_element</replaceable>; ... };
-	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-	update-policy <replaceable>local</replaceable> | <replaceable> {
-		( grant | deny ) <replaceable>string</replaceable>
-		( name | subdomain | wildcard | self | selfsub | selfwild |
-                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |
-		  tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
-		<replaceable>rrtypelist</replaceable>;
-		<optional>...</optional>
-	}</replaceable>;
-	update-check-ksk <replaceable>boolean</replaceable>;
-	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
-
-	masterfile-format ( text | raw );
-	notify <replaceable>notifytype</replaceable>;
-	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	notify-delay <replaceable>seconds</replaceable>;
-	notify-to-soa <replaceable>boolean</replaceable>;
-	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
-		<optional> port <replaceable>integer</replaceable> </optional>; ...
-		<optional> key <replaceable>keyname</replaceable> </optional> ... };
-	allow-notify { <replaceable>address_match_element</replaceable>; ... };
-
-	forward ( first | only );
-	forwarders <optional> port <replaceable>integer</replaceable> </optional> {
-		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
-	};
-
-	max-journal-size <replaceable>size_no_default</replaceable>;
-	max-transfer-time-in <replaceable>integer</replaceable>;
-	max-transfer-time-out <replaceable>integer</replaceable>;
-	max-transfer-idle-in <replaceable>integer</replaceable>;
-	max-transfer-idle-out <replaceable>integer</replaceable>;
-	max-retry-time <replaceable>integer</replaceable>;
-	min-retry-time <replaceable>integer</replaceable>;
-	max-refresh-time <replaceable>integer</replaceable>;
-	min-refresh-time <replaceable>integer</replaceable>;
-	multi-master <replaceable>boolean</replaceable>;
-	request-ixfr <replaceable>boolean</replaceable>;
-	sig-validity-interval <replaceable>integer</replaceable>;
-
-	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
-	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
-		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-	use-alt-transfer-source <replaceable>boolean</replaceable>;
-
-	zone-statistics <replaceable>boolean</replaceable>;
-	try-tcp-refresh <replaceable>boolean</replaceable>;
-	key-directory <replaceable>quoted_string</replaceable>;
-
-	nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only
-
-	ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
-	ixfr-tmp-file <replaceable>quoted_string</replaceable>; // obsolete
-	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
-	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
-	pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete
-};
-</literallayout>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-    <para><filename>/etc/named.conf</filename>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/named/named.conf.html b/contrib/bind9/bin/named/named.conf.html
deleted file mode 100644
index 23d9391..0000000
--- a/contrib/bind9/bin/named/named.conf.html
+++ /dev/null
@@ -1,638 +0,0 @@
-<!--
- - Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476274"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><code class="filename">named.conf</code> &#8212; configuration file for named</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543357"></a><h2>DESCRIPTION</h2>
-<p><code class="filename">named.conf</code> is the configuration file
-      for
-      <span><strong class="command">named</strong></span>.  Statements are enclosed
-      in braces and terminated with a semi-colon.  Clauses in
-      the statements are also semi-colon terminated.  The usual
-      comment styles are supported:
-    </p>
-<p>
-      C style: /* */
-    </p>
-<p>
-      C++ style: // to end of line
-    </p>
-<p>
-      Unix style: # to end of line
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543385"></a><h2>ACL</h2>
-<div class="literallayout"><p><br>
-acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543401"></a><h2>KEY</h2>
-<div class="literallayout"><p><br>
-key <em class="replaceable"><code>domain_name</code></em> {<br>
-	algorithm <em class="replaceable"><code>string</code></em>;<br>
-	secret <em class="replaceable"><code>string</code></em>;<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543420"></a><h2>MASTERS</h2>
-<div class="literallayout"><p><br>
-masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-	( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-	<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543466"></a><h2>SERVER</h2>
-<div class="literallayout"><p><br>
-server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
-	bogus <em class="replaceable"><code>boolean</code></em>;<br>
-	edns <em class="replaceable"><code>boolean</code></em>;<br>
-	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	keys <em class="replaceable"><code>server_key</code></em>;<br>
-	transfers <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	support-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543534"></a><h2>TRUSTED-KEYS</h2>
-<div class="literallayout"><p><br>
-trusted-keys {<br>
-	<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543560"></a><h2>MANAGED-KEYS</h2>
-<div class="literallayout"><p><br>
-managed-keys {<br>
-	<em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543589"></a><h2>CONTROLS</h2>
-<div class="literallayout"><p><br>
-controls {<br>
-	inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
-		allow { <em class="replaceable"><code>address_match_element</code></em>; ... }<br>
-		[<span class="optional"> keys { <em class="replaceable"><code>string</code></em>; ... } </span>];<br>
-	unix <em class="replaceable"><code>unsupported</code></em>; // not implemented<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543624"></a><h2>LOGGING</h2>
-<div class="literallayout"><p><br>
-logging {<br>
-	channel <em class="replaceable"><code>string</code></em> {<br>
-		file <em class="replaceable"><code>log_file</code></em>;<br>
-		syslog <em class="replaceable"><code>optional_facility</code></em>;<br>
-		null;<br>
-		stderr;<br>
-		severity <em class="replaceable"><code>log_severity</code></em>;<br>
-		print-time <em class="replaceable"><code>boolean</code></em>;<br>
-		print-severity <em class="replaceable"><code>boolean</code></em>;<br>
-		print-category <em class="replaceable"><code>boolean</code></em>;<br>
-	};<br>
-	category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543662"></a><h2>LWRES</h2>
-<div class="literallayout"><p><br>
-lwres {<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-	view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em>;<br>
-	search { <em class="replaceable"><code>string</code></em>; ... };<br>
-	ndots <em class="replaceable"><code>integer</code></em>;<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543704"></a><h2>OPTIONS</h2>
-<div class="literallayout"><p><br>
-options {<br>
-	avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
-	avoid-v6-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
-	blackhole { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	coresize <em class="replaceable"><code>size</code></em>;<br>
-	datasize <em class="replaceable"><code>size</code></em>;<br>
-	directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	files <em class="replaceable"><code>size</code></em>;<br>
-	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
-	host-statistics <em class="replaceable"><code>boolean</code></em>; // not implemented<br>
-	host-statistics-max <em class="replaceable"><code>number</code></em>; // not implemented<br>
-	hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	interface-interval <em class="replaceable"><code>integer</code></em>;<br>
-	listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
-	memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	port <em class="replaceable"><code>integer</code></em>;<br>
-	querylog <em class="replaceable"><code>boolean</code></em>;<br>
-	recursing-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	reserved-sockets <em class="replaceable"><code>integer</code></em>;<br>
-	random-device <em class="replaceable"><code>quoted_string</code></em>;<br>
-	recursive-clients <em class="replaceable"><code>integer</code></em>;<br>
-	serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
-	server-id ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	stacksize <em class="replaceable"><code>size</code></em>;<br>
-	statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
-	statistics-interval <em class="replaceable"><code>integer</code></em>; // not yet implemented<br>
-	tcp-clients <em class="replaceable"><code>integer</code></em>;<br>
-	tcp-listen-queue <em class="replaceable"><code>integer</code></em>;<br>
-	tkey-dhkey <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;<br>
-	tkey-gssapi-credential <em class="replaceable"><code>quoted_string</code></em>;<br>
-	tkey-gssapi-keytab <em class="replaceable"><code>quoted_string</code></em>;<br>
-	tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br>
-	transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
-	transfers-in <em class="replaceable"><code>integer</code></em>;<br>
-	transfers-out <em class="replaceable"><code>integer</code></em>;<br>
-	use-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
-	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
-	minimal-responses <em class="replaceable"><code>boolean</code></em>;<br>
-	recursion <em class="replaceable"><code>boolean</code></em>;<br>
-	rrset-order {<br>
-		[<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
-		[<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
-	};<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
-	queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
-	queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
-	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
-	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
-	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size</code></em>;<br>
-	max-acache-size <em class="replaceable"><code>size</code></em>;<br>
-	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	check-names ( master | slave | response )<br>
-		( fail | warn | ignore );<br>
-	check-mx ( fail | warn | ignore );<br>
-	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
-	check-mx-cname ( fail | warn | ignore );<br>
-	check-srv-cname ( fail | warn | ignore );<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
-	suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
-	};<br>
-	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
-	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	dns64-server <em class="replaceable"><code>string</code></em>;<br>
-	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
-	dns64 <em class="replaceable"><code>prefix</code></em> {<br>
-		clients { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
-		exclude { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
-		mapped { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
-		break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
-		recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-		suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
-	};<br>
-<br>
-	empty-server <em class="replaceable"><code>string</code></em>;<br>
-	empty-contact <em class="replaceable"><code>string</code></em>;<br>
-	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
-<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	masterfile-format ( text | raw );<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
-	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-		[<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-	sig-re-signing-interval <em class="replaceable"><code>integer</code></em>;<br>
-	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
-	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
-	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
-	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	managed-keys-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">create</code>|<code class="constant">off</code>;<br>
-	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
-	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
-	deny-answer-addresses {<br>
-		<em class="replaceable"><code>address_match_list</code></em><br>
-	} [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br>
-	deny-answer-aliases {<br>
-		<em class="replaceable"><code>namelist</code></em><br>
-	} [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br>
-<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
-<br>
-	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
-	deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	fake-iquery <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	has-old-clients <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-	multiple-cnames <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	named-xfer <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	serial-queries <em class="replaceable"><code>integer</code></em>; // obsolete<br>
-	treat-cr-as-space <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	use-id-pool <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544585"></a><h2>VIEW</h2>
-<div class="literallayout"><p><br>
-view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	key <em class="replaceable"><code>string</code></em> {<br>
-		algorithm <em class="replaceable"><code>string</code></em>;<br>
-		secret <em class="replaceable"><code>string</code></em>;<br>
-	};<br>
-<br>
-	zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-		...<br>
-	};<br>
-<br>
-	server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
-		...<br>
-	};<br>
-<br>
-	trusted-keys {<br>
-		<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
-		[<span class="optional">...</span>]<br>
-	};<br>
-<br>
-	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
-	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
-	minimal-responses <em class="replaceable"><code>boolean</code></em>;<br>
-	recursion <em class="replaceable"><code>boolean</code></em>;<br>
-	rrset-order {<br>
-		[<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
-		[<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
-	};<br>
-	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
-	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
-	queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
-	queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
-	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
-	resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
-	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
-	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
-	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size</code></em>;<br>
-	max-acache-size <em class="replaceable"><code>size</code></em>;<br>
-	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
-	check-names ( master | slave | response )<br>
-		( fail | warn | ignore );<br>
-	check-mx ( fail | warn | ignore );<br>
-	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
-	check-mx-cname ( fail | warn | ignore );<br>
-	check-srv-cname ( fail | warn | ignore );<br>
-	cache-file <em class="replaceable"><code>quoted_string</code></em>; // test option<br>
-	suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
-	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
-	dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
-	};<br>
-	edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	max-udp-size <em class="replaceable"><code>integer</code></em>;<br>
-	root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
-	disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-	dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
-	dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	dns64-server <em class="replaceable"><code>string</code></em>;<br>
-	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
-	dns64 <em class="replaceable"><code>prefix</code></em> {<br>
-		clients { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
-		exclude { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
-		mapped { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
-		break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
-		recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-		suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
-	};<br>
-<br>
-	empty-server <em class="replaceable"><code>string</code></em>;<br>
-	empty-contact <em class="replaceable"><code>string</code></em>;<br>
-	empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
-	disable-empty-zone <em class="replaceable"><code>string</code></em>;<br>
-<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	masterfile-format ( text | raw );<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
-	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-		[<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
-	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
-	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
-	fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545301"></a><h2>ZONE</h2>
-<div class="literallayout"><p><br>
-zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
-	type ( master | slave | stub | hint | redirect |<br>
-		forward | delegation-only );<br>
-	file <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
-	masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>masters</code></em> |<br>
-		<em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
-		<em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	database <em class="replaceable"><code>string</code></em>;<br>
-	delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
-	check-names ( fail | warn | ignore );<br>
-	check-mx ( fail | warn | ignore );<br>
-	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
-	check-mx-cname ( fail | warn | ignore );<br>
-	check-srv-cname ( fail | warn | ignore );<br>
-	dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
-	ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
-	journal <em class="replaceable"><code>quoted_string</code></em>;<br>
-	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-	update-policy <em class="replaceable"><code>local</code></em> | <em class="replaceable"><code> {<br>
-		( grant | deny ) <em class="replaceable"><code>string</code></em><br>
-		( name | subdomain | wildcard | self | selfsub | selfwild |<br>
-                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |<br>
-		  tcp-self | zonesub | 6to4-self ) <em class="replaceable"><code>string</code></em><br>
-		<em class="replaceable"><code>rrtypelist</code></em>;<br>
-		[<span class="optional">...</span>]<br>
-	}</code></em>;<br>
-	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
-	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	masterfile-format ( text | raw );<br>
-	notify <em class="replaceable"><code>notifytype</code></em>;<br>
-	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
-	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
-	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
-		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-		[<span class="optional"> key <em class="replaceable"><code>keyname</code></em> </span>] ... };<br>
-	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-	forward ( first | only );<br>
-	forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
-		( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
-	};<br>
-<br>
-	max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
-	max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
-	max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
-	max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
-	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
-	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
-	request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
-	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
-	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
-	alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
-		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
-	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
-	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
-	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
-	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
-<br>
-	ixfr-base <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	ixfr-tmp-file <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-	max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-	pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545690"></a><h2>FILES</h2>
-<p><code class="filename">/etc/named.conf</code>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2545702"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/named/named.docbook b/contrib/bind9/bin/named/named.docbook
deleted file mode 100644
index 1f08e19..0000000
--- a/contrib/bind9/bin/named/named.docbook
+++ /dev/null
@@ -1,489 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named.docbook,v 1.28 2011/11/09 23:46:23 tbox Exp $ -->
-<refentry id="man.named">
-  <refentryinfo>
-    <date>May 21, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>named</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>named</application></refname>
-    <refpurpose>Internet domain name server</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2011</year>
-      <year>2013</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>named</command>
-      <arg><option>-4</option></arg>
-      <arg><option>-6</option></arg>
-      <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
-      <arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
-      <arg><option>-E <replaceable class="parameter">engine-name</replaceable></option></arg>
-      <arg><option>-f</option></arg>
-      <arg><option>-g</option></arg>
-      <arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
-      <arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
-      <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
-      <arg><option>-s</option></arg>
-      <arg><option>-S <replaceable class="parameter">#max-socks</replaceable></option></arg>
-      <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
-      <arg><option>-U <replaceable class="parameter">#listeners</replaceable></option></arg>
-      <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
-      <arg><option>-v</option></arg>
-      <arg><option>-V</option></arg>
-      <arg><option>-x <replaceable class="parameter">cache-file</replaceable></option></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>named</command>
-      is a Domain Name System (DNS) server,
-      part of the BIND 9 distribution from ISC.  For more
-      information on the DNS, see RFCs 1033, 1034, and 1035.
-    </para>
-    <para>
-      When invoked without arguments, <command>named</command>
-      will
-      read the default configuration file
-      <filename>/etc/named.conf</filename>, read any initial
-      data, and listen for queries.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-4</term>
-        <listitem>
-          <para>
-            Use IPv4 only even if the host machine is capable of IPv6.
-            <option>-4</option> and <option>-6</option> are mutually
-            exclusive.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-6</term>
-        <listitem>
-          <para>
-            Use IPv6 only even if the host machine is capable of IPv4.
-            <option>-4</option> and <option>-6</option> are mutually
-            exclusive.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">config-file</replaceable></term>
-        <listitem>
-          <para>
-            Use <replaceable class="parameter">config-file</replaceable> as the
-            configuration file instead of the default,
-            <filename>/etc/named.conf</filename>.  To
-            ensure that reloading the configuration file continues
-            to work after the server has changed its working
-            directory due to to a possible
-            <option>directory</option> option in the configuration
-            file, <replaceable class="parameter">config-file</replaceable> should be
-            an absolute pathname.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-d <replaceable class="parameter">debug-level</replaceable></term>
-        <listitem>
-          <para>
-            Set the daemon's debug level to <replaceable class="parameter">debug-level</replaceable>.
-            Debugging traces from <command>named</command> become
-            more verbose as the debug level increases.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-E <replaceable class="parameter">engine-name</replaceable></term>
-        <listitem>
-          <para>
-            Use a crypto hardware (OpenSSL engine) for the crypto operations
-            it supports, for instance re-signing with private keys from
-            a secure key store. When compiled with PKCS#11 support
-            <replaceable class="parameter">engine-name</replaceable>
-            defaults to pkcs11, the empty name resets it to no engine.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-f</term>
-        <listitem>
-          <para>
-            Run the server in the foreground (i.e. do not daemonize).
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-g</term>
-        <listitem>
-          <para>
-            Run the server in the foreground and force all logging
-            to <filename>stderr</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-m <replaceable class="parameter">flag</replaceable></term>
-        <listitem>
-          <para>
-	    Turn on memory usage debugging flags.  Possible flags are
-	    <replaceable class="parameter">usage</replaceable>,
-	    <replaceable class="parameter">trace</replaceable>,
-	    <replaceable class="parameter">record</replaceable>,
-	    <replaceable class="parameter">size</replaceable>, and
-	    <replaceable class="parameter">mctx</replaceable>.
-	    These correspond to the ISC_MEM_DEBUGXXXX flags described in
-	    <filename>&lt;isc/mem.h&gt;</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-n <replaceable class="parameter">#cpus</replaceable></term>
-        <listitem>
-          <para>
-            Create <replaceable class="parameter">#cpus</replaceable> worker threads
-            to take advantage of multiple CPUs.  If not specified,
-            <command>named</command> will try to determine the
-            number of CPUs present and create one thread per CPU.
-            If it is unable to determine the number of CPUs, a
-            single worker thread will be created.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p <replaceable class="parameter">port</replaceable></term>
-        <listitem>
-          <para>
-            Listen for queries on port <replaceable class="parameter">port</replaceable>.  If not
-            specified, the default is port 53.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s</term>
-        <listitem>
-          <para>
-            Write memory usage statistics to <filename>stdout</filename> on exit.
-          </para>
-          <note>
-            <para>
-              This option is mainly of interest to BIND 9 developers
-              and may be removed or changed in a future release.
-            </para>
-          </note>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-S <replaceable class="parameter">#max-socks</replaceable></term>
-        <listitem>
-	  <para>
-	    Allow <command>named</command> to use up to
-	    <replaceable class="parameter">#max-socks</replaceable> sockets.
-	  </para>
-          <warning>
-            <para>
-              This option should be unnecessary for the vast majority
-              of users.
-	      The use of this option could even be harmful because the
-              specified value may exceed the limitation of the
-              underlying system API.
-	      It is therefore set only when the default configuration
-              causes exhaustion of file descriptors and the
-              operational environment is known to support the
-              specified number of sockets.
-	      Note also that the actual maximum number is normally a little
-              fewer than the specified value because
-	      <command>named</command> reserves some file descriptors
-	      for its internal use.
-            </para>
-          </warning>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-t <replaceable class="parameter">directory</replaceable></term>
-        <listitem>
-          <para>Chroot
-	    to <replaceable class="parameter">directory</replaceable> after
-            processing the command line arguments, but before
-            reading the configuration file.
-          </para>
-          <warning>
-            <para>
-              This option should be used in conjunction with the
-              <option>-u</option> option, as chrooting a process
-              running as root doesn't enhance security on most
-              systems; the way <function>chroot(2)</function> is
-              defined allows a process with root privileges to
-              escape a chroot jail.
-            </para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-U <replaceable class="parameter">#listeners</replaceable></term>
-        <listitem>
-          <para>
-            Use <replaceable class="parameter">#listeners</replaceable>
-            worker threads to listen for incoming UDP packets on each
-            address.  If not specified, <command>named</command> will
-            use the number of detected CPUs.  If <option>-n</option>
-            has been set to a higher value than the number of CPUs,
-            then <option>-U</option> may be increased as high as that
-            value, but no higher.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-u <replaceable class="parameter">user</replaceable></term>
-        <listitem>
-          <para>Setuid
-	    to <replaceable class="parameter">user</replaceable> after completing
-            privileged operations, such as creating sockets that
-            listen on privileged ports.
-          </para>
-          <note>
-            <para>
-              On Linux, <command>named</command> uses the kernel's
-              		capability mechanism to drop all root privileges
-              except the ability to <function>bind(2)</function> to
-              a
-              privileged port and set process resource limits.
-              Unfortunately, this means that the <option>-u</option>
-              option only works when <command>named</command> is
-              run
-              on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
-              later, since previous kernels did not allow privileges
-              to be retained after <function>setuid(2)</function>.
-            </para>
-          </note>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-v</term>
-        <listitem>
-          <para>
-            Report the version number and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-V</term>
-        <listitem>
-          <para>
-            Report the version number and build options, and exit.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-x <replaceable class="parameter">cache-file</replaceable></term>
-        <listitem>
-          <para>
-            Load data from <replaceable class="parameter">cache-file</replaceable> into the
-            cache of the default view.
-          </para>
-          <warning>
-            <para>
-              This option must not be used.  It is only of interest
-              to BIND 9 developers and may be removed or changed in a
-              future release.
-            </para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </refsect1>
-
-  <refsect1>
-    <title>SIGNALS</title>
-    <para>
-      In routine operation, signals should not be used to control
-      the nameserver; <command>rndc</command> should be used
-      instead.
-    </para>
-
-    <variablelist>
-
-      <varlistentry>
-        <term>SIGHUP</term>
-        <listitem>
-          <para>
-            Force a reload of the server.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>SIGINT, SIGTERM</term>
-        <listitem>
-          <para>
-            Shut down the server.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-    <para>
-      The result of sending any other signals to the server is undefined.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>CONFIGURATION</title>
-    <para>
-      The <command>named</command> configuration file is too complex
-      to describe in detail here.  A complete description is provided
-      in the
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-
-    <para>
-      <command>named</command> inherits the <function>umask</function>
-      (file creation mode mask) from the parent process. If files
-      created by <command>named</command>, such as journal files,
-      need to have custom permissions, the <function>umask</function>
-      should be set explicitly in the script used to start the
-      <command>named</command> process.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <variablelist>
-
-      <varlistentry>
-        <term><filename>/etc/named.conf</filename></term>
-        <listitem>
-          <para>
-            The default configuration file.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><filename>/var/run/named/named.pid</filename></term>
-        <listitem>
-          <para>
-            The default process-id file.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citetitle>RFC 1033</citetitle>,
-      <citetitle>RFC 1034</citetitle>,
-      <citetitle>RFC 1035</citetitle>,
-      <citerefentry>
-        <refentrytitle>named-checkconf</refentrytitle>
-	<manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named-checkzone</refentrytitle>
-	<manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>rndc</refentrytitle>
-	<manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>lwresd</refentrytitle>
-	<manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-	<refentrytitle>named.conf</refentrytitle>
-	<manvolnum>5</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/named/named.html b/contrib/bind9/bin/named/named.html
deleted file mode 100644
index fc8de51..0000000
--- a/contrib/bind9/bin/named/named.html
+++ /dev/null
@@ -1,310 +0,0 @@
-<!--
- - Copyright (C) 2004-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.named"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named</span> &#8212; Internet domain name server</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543497"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">named</strong></span>
-      is a Domain Name System (DNS) server,
-      part of the BIND 9 distribution from ISC.  For more
-      information on the DNS, see RFCs 1033, 1034, and 1035.
-    </p>
-<p>
-      When invoked without arguments, <span><strong class="command">named</strong></span>
-      will
-      read the default configuration file
-      <code class="filename">/etc/named.conf</code>, read any initial
-      data, and listen for queries.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543522"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-4</span></dt>
-<dd><p>
-            Use IPv4 only even if the host machine is capable of IPv6.
-            <code class="option">-4</code> and <code class="option">-6</code> are mutually
-            exclusive.
-          </p></dd>
-<dt><span class="term">-6</span></dt>
-<dd><p>
-            Use IPv6 only even if the host machine is capable of IPv4.
-            <code class="option">-4</code> and <code class="option">-6</code> are mutually
-            exclusive.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>config-file</code></em> as the
-            configuration file instead of the default,
-            <code class="filename">/etc/named.conf</code>.  To
-            ensure that reloading the configuration file continues
-            to work after the server has changed its working
-            directory due to to a possible
-            <code class="option">directory</code> option in the configuration
-            file, <em class="replaceable"><code>config-file</code></em> should be
-            an absolute pathname.
-          </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd><p>
-            Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
-            Debugging traces from <span><strong class="command">named</strong></span> become
-            more verbose as the debug level increases.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
-<dd><p>
-            Use a crypto hardware (OpenSSL engine) for the crypto operations
-            it supports, for instance re-signing with private keys from
-            a secure key store. When compiled with PKCS#11 support
-            <em class="replaceable"><code>engine-name</code></em>
-            defaults to pkcs11, the empty name resets it to no engine.
-          </p></dd>
-<dt><span class="term">-f</span></dt>
-<dd><p>
-            Run the server in the foreground (i.e. do not daemonize).
-          </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
-            Run the server in the foreground and force all logging
-            to <code class="filename">stderr</code>.
-          </p></dd>
-<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
-	    Turn on memory usage debugging flags.  Possible flags are
-	    <em class="replaceable"><code>usage</code></em>,
-	    <em class="replaceable"><code>trace</code></em>,
-	    <em class="replaceable"><code>record</code></em>,
-	    <em class="replaceable"><code>size</code></em>, and
-	    <em class="replaceable"><code>mctx</code></em>.
-	    These correspond to the ISC_MEM_DEBUGXXXX flags described in
-	    <code class="filename">&lt;isc/mem.h&gt;</code>.
-          </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd><p>
-            Create <em class="replaceable"><code>#cpus</code></em> worker threads
-            to take advantage of multiple CPUs.  If not specified,
-            <span><strong class="command">named</strong></span> will try to determine the
-            number of CPUs present and create one thread per CPU.
-            If it is unable to determine the number of CPUs, a
-            single worker thread will be created.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-            Listen for queries on port <em class="replaceable"><code>port</code></em>.  If not
-            specified, the default is port 53.
-          </p></dd>
-<dt><span class="term">-s</span></dt>
-<dd>
-<p>
-            Write memory usage statistics to <code class="filename">stdout</code> on exit.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              This option is mainly of interest to BIND 9 developers
-              and may be removed or changed in a future release.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt>
-<dd>
-<p>
-	    Allow <span><strong class="command">named</strong></span> to use up to
-	    <em class="replaceable"><code>#max-socks</code></em> sockets.
-	  </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-              This option should be unnecessary for the vast majority
-              of users.
-	      The use of this option could even be harmful because the
-              specified value may exceed the limitation of the
-              underlying system API.
-	      It is therefore set only when the default configuration
-              causes exhaustion of file descriptors and the
-              operational environment is known to support the
-              specified number of sockets.
-	      Note also that the actual maximum number is normally a little
-              fewer than the specified value because
-	      <span><strong class="command">named</strong></span> reserves some file descriptors
-	      for its internal use.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-<p>Chroot
-	    to <em class="replaceable"><code>directory</code></em> after
-            processing the command line arguments, but before
-            reading the configuration file.
-          </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-              This option should be used in conjunction with the
-              <code class="option">-u</code> option, as chrooting a process
-              running as root doesn't enhance security on most
-              systems; the way <code class="function">chroot(2)</code> is
-              defined allows a process with root privileges to
-              escape a chroot jail.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-U <em class="replaceable"><code>#listeners</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>#listeners</code></em>
-            worker threads to listen for incoming UDP packets on each
-            address.  If not specified, <span><strong class="command">named</strong></span> will
-            use the number of detected CPUs.  If <code class="option">-n</code>
-            has been set to a higher value than the number of CPUs,
-            then <code class="option">-U</code> may be increased as high as that
-            value, but no higher.
-          </p></dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
-<p>Setuid
-	    to <em class="replaceable"><code>user</code></em> after completing
-            privileged operations, such as creating sockets that
-            listen on privileged ports.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              On Linux, <span><strong class="command">named</strong></span> uses the kernel's
-              		capability mechanism to drop all root privileges
-              except the ability to <code class="function">bind(2)</code> to
-              a
-              privileged port and set process resource limits.
-              Unfortunately, this means that the <code class="option">-u</code>
-              option only works when <span><strong class="command">named</strong></span> is
-              run
-              on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
-              later, since previous kernels did not allow privileges
-              to be retained after <code class="function">setuid(2)</code>.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-            Report the version number and exit.
-          </p></dd>
-<dt><span class="term">-V</span></dt>
-<dd><p>
-            Report the version number and build options, and exit.
-          </p></dd>
-<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
-<dd>
-<p>
-            Load data from <em class="replaceable"><code>cache-file</code></em> into the
-            cache of the default view.
-          </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-              This option must not be used.  It is only of interest
-              to BIND 9 developers and may be removed or changed in a
-              future release.
-            </p>
-</div>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544012"></a><h2>SIGNALS</h2>
-<p>
-      In routine operation, signals should not be used to control
-      the nameserver; <span><strong class="command">rndc</strong></span> should be used
-      instead.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">SIGHUP</span></dt>
-<dd><p>
-            Force a reload of the server.
-          </p></dd>
-<dt><span class="term">SIGINT, SIGTERM</span></dt>
-<dd><p>
-            Shut down the server.
-          </p></dd>
-</dl></div>
-<p>
-      The result of sending any other signals to the server is undefined.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544060"></a><h2>CONFIGURATION</h2>
-<p>
-      The <span><strong class="command">named</strong></span> configuration file is too complex
-      to describe in detail here.  A complete description is provided
-      in the
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-<p>
-      <span><strong class="command">named</strong></span> inherits the <code class="function">umask</code>
-      (file creation mode mask) from the parent process. If files
-      created by <span><strong class="command">named</strong></span>, such as journal files,
-      need to have custom permissions, the <code class="function">umask</code>
-      should be set explicitly in the script used to start the
-      <span><strong class="command">named</strong></span> process.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544233"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
-<dd><p>
-            The default configuration file.
-          </p></dd>
-<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
-<dd><p>
-            The default process-id file.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544273"></a><h2>SEE ALSO</h2>
-<p><em class="citetitle">RFC 1033</em>,
-      <em class="citetitle">RFC 1034</em>,
-      <em class="citetitle">RFC 1035</em>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544343"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/named/notify.c b/contrib/bind9/bin/named/notify.c
deleted file mode 100644
index de52b8c..0000000
--- a/contrib/bind9/bin/named/notify.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: notify.c,v 1.37 2007/06/19 23:46:59 tbox Exp $ */
-
-#include <config.h>
-
-#include <isc/log.h>
-#include <isc/print.h>
-
-#include <dns/message.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <named/log.h>
-#include <named/notify.h>
-
-/*! \file
- * \brief
- * This module implements notify as in RFC1996.
- */
-
-static void
-notify_log(ns_client_t *client, int level, const char *fmt, ...) {
-	va_list ap;
-
-	va_start(ap, fmt);
-	ns_client_logv(client, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY,
-		       level, fmt, ap);
-	va_end(ap);
-}
-
-static void
-respond(ns_client_t *client, isc_result_t result) {
-	dns_rcode_t rcode;
-	dns_message_t *message;
-	isc_result_t msg_result;
-
-	message = client->message;
-	rcode = dns_result_torcode(result);
-
-	msg_result = dns_message_reply(message, ISC_TRUE);
-	if (msg_result != ISC_R_SUCCESS)
-		msg_result = dns_message_reply(message, ISC_FALSE);
-	if (msg_result != ISC_R_SUCCESS) {
-		ns_client_next(client, msg_result);
-		return;
-	}
-	message->rcode = rcode;
-	if (rcode == dns_rcode_noerror)
-		message->flags |= DNS_MESSAGEFLAG_AA;
-	else
-		message->flags &= ~DNS_MESSAGEFLAG_AA;
-	ns_client_send(client);
-}
-
-void
-ns_notify_start(ns_client_t *client) {
-	dns_message_t *request = client->message;
-	isc_result_t result;
-	dns_name_t *zonename;
-	dns_rdataset_t *zone_rdataset;
-	dns_zone_t *zone = NULL;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
-	dns_tsigkey_t *tsigkey;
-
-	/*
-	 * Interpret the question section.
-	 */
-	result = dns_message_firstname(request, DNS_SECTION_QUESTION);
-	if (result != ISC_R_SUCCESS) {
-		notify_log(client, ISC_LOG_NOTICE,
-			   "notify question section empty");
-		goto formerr;
-	}
-
-	/*
-	 * The question section must contain exactly one question.
-	 */
-	zonename = NULL;
-	dns_message_currentname(request, DNS_SECTION_QUESTION, &zonename);
-	zone_rdataset = ISC_LIST_HEAD(zonename->list);
-	if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) {
-		notify_log(client, ISC_LOG_NOTICE,
-			   "notify question section contains multiple RRs");
-		goto formerr;
-	}
-
-	/* The zone section must have exactly one name. */
-	result = dns_message_nextname(request, DNS_SECTION_ZONE);
-	if (result != ISC_R_NOMORE) {
-		notify_log(client, ISC_LOG_NOTICE,
-			   "notify question section contains multiple RRs");
-		goto formerr;
-	}
-
-	/* The one rdataset must be an SOA. */
-	if (zone_rdataset->type != dns_rdatatype_soa) {
-		notify_log(client, ISC_LOG_NOTICE,
-			   "notify question section contains no SOA");
-		goto formerr;
-	}
-
-	tsigkey = dns_message_gettsigkey(request);
-	if (tsigkey != NULL) {
-		dns_name_format(&tsigkey->name, namebuf, sizeof(namebuf));
-
-		if (tsigkey->generated) {
-			char cnamebuf[DNS_NAME_FORMATSIZE];
-			dns_name_format(tsigkey->creator, cnamebuf,
-					sizeof(cnamebuf));
-			snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s' (%s)",
-				 namebuf, cnamebuf);
-		} else {
-			snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'",
-				 namebuf);
-		}
-	} else
-		tsigbuf[0] = '\0';
-	dns_name_format(zonename, namebuf, sizeof(namebuf));
-	result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
-			     &zone);
-	if (result != ISC_R_SUCCESS)
-		goto notauth;
-
-	switch (dns_zone_gettype(zone)) {
-	case dns_zone_master:
-	case dns_zone_slave:
-	case dns_zone_stub:	/* Allow dialup passive to work. */
-		notify_log(client, ISC_LOG_INFO,
-			   "received notify for zone '%s'%s", namebuf, tsigbuf);
-		respond(client, dns_zone_notifyreceive(zone,
-			ns_client_getsockaddr(client), request));
-		break;
-	default:
-		goto notauth;
-	}
-	dns_zone_detach(&zone);
-	return;
-
- notauth:
-	notify_log(client, ISC_LOG_NOTICE,
-		   "received notify for zone '%s'%s: not authoritative",
-		   namebuf, tsigbuf);
-	result = DNS_R_NOTAUTH;
-	goto failure;
-
- formerr:
-	result = DNS_R_FORMERR;
-
- failure:
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	respond(client, result);
-}
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
deleted file mode 100644
index 5093cb2..0000000
--- a/contrib/bind9/bin/named/query.c
+++ /dev/null
@@ -1,7659 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/hex.h>
-#include <isc/mem.h>
-#include <isc/serial.h>
-#include <isc/stats.h>
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/byaddr.h>
-#include <dns/db.h>
-#include <dns/dlz.h>
-#include <dns/dns64.h>
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/message.h>
-#include <dns/ncache.h>
-#include <dns/nsec3.h>
-#include <dns/order.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/stats.h>
-#include <dns/tkey.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <named/client.h>
-#include <named/globals.h>
-#include <named/log.h>
-#include <named/server.h>
-#include <named/sortlist.h>
-#include <named/xfrout.h>
-
-#if 0
-/*
- * It has been recommended that DNS64 be changed to return excluded
- * AAAA addresses if DNS64 synthesis does not occur.  This minimises
- * the impact on the lookup results.  While most DNS AAAA lookups are
- * done to send IP packets to a host, not all of them are and filtering
- * excluded addresses has a negative impact on those uses.
- */
-#define dns64_bis_return_excluded_addresses 1
-#endif
-
-/*% Partial answer? */
-#define PARTIALANSWER(c)	(((c)->query.attributes & \
-				  NS_QUERYATTR_PARTIALANSWER) != 0)
-/*% Use Cache? */
-#define USECACHE(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_CACHEOK) != 0)
-/*% Recursion OK? */
-#define RECURSIONOK(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_RECURSIONOK) != 0)
-/*% Recursing? */
-#define RECURSING(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_RECURSING) != 0)
-/*% Cache glue ok? */
-#define CACHEGLUEOK(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_CACHEGLUEOK) != 0)
-/*% Want Recursion? */
-#define WANTRECURSION(c)	(((c)->query.attributes & \
-				  NS_QUERYATTR_WANTRECURSION) != 0)
-/*% Want DNSSEC? */
-#define WANTDNSSEC(c)		(((c)->attributes & \
-				  NS_CLIENTATTR_WANTDNSSEC) != 0)
-/*% Want WANTAD? */
-#define WANTAD(c)		(((c)->attributes & \
-				  NS_CLIENTATTR_WANTAD) != 0)
-
-/*% No authority? */
-#define NOAUTHORITY(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_NOAUTHORITY) != 0)
-/*% No additional? */
-#define NOADDITIONAL(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_NOADDITIONAL) != 0)
-/*% Secure? */
-#define SECURE(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_SECURE) != 0)
-/*% DNS64 A lookup? */
-#define DNS64(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_DNS64) != 0)
-
-#define DNS64EXCLUDE(c)		(((c)->query.attributes & \
-				  NS_QUERYATTR_DNS64EXCLUDE) != 0)
-
-/*% No QNAME Proof? */
-#define NOQNAME(r)		(((r)->attributes & \
-				  DNS_RDATASETATTR_NOQNAME) != 0)
-
-#if 0
-#define CTRACE(m)       isc_log_write(ns_g_lctx, \
-				      NS_LOGCATEGORY_CLIENT, \
-				      NS_LOGMODULE_QUERY, \
-				      ISC_LOG_DEBUG(3), \
-				      "client %p: %s", client, (m))
-#define QTRACE(m)       isc_log_write(ns_g_lctx, \
-				      NS_LOGCATEGORY_GENERAL, \
-				      NS_LOGMODULE_QUERY, \
-				      ISC_LOG_DEBUG(3), \
-				      "query %p: %s", query, (m))
-#else
-#define CTRACE(m) ((void)m)
-#define QTRACE(m) ((void)m)
-#endif
-
-#define DNS_GETDB_NOEXACT 0x01U
-#define DNS_GETDB_NOLOG 0x02U
-#define DNS_GETDB_PARTIAL 0x04U
-#define DNS_GETDB_IGNOREACL 0x08U
-
-#define PENDINGOK(x)	(((x) & DNS_DBFIND_PENDINGOK) != 0)
-
-typedef struct client_additionalctx {
-	ns_client_t *client;
-	dns_rdataset_t *rdataset;
-} client_additionalctx_t;
-
-static isc_result_t
-query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
-
-static isc_boolean_t
-validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
-	 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-
-static void
-query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
-		       dns_dbversion_t *version, ns_client_t *client,
-		       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		       dns_name_t *fname, isc_boolean_t exact,
-		       dns_name_t *found);
-
-static inline void
-log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
-
-static void
-rpz_st_clear(ns_client_t *client);
-
-/*%
- * Increment query statistics counters.
- */
-static inline void
-inc_stats(ns_client_t *client, isc_statscounter_t counter) {
-	dns_zone_t *zone = client->query.authzone;
-	isc_stats_t *zonestats;
-#ifdef NEWSTATS
-	dns_rdatatype_t qtype;
-	dns_rdataset_t *rdataset;
-	dns_stats_t *querystats = NULL;
-#endif
-
-	isc_stats_increment(ns_g_server->nsstats, counter);
-
-	if (zone == NULL)
-		return;
-
-	/* Do regular response type stats */
-	zonestats = dns_zone_getrequeststats(zone);
-
-	if (zonestats != NULL)
-		isc_stats_increment(zonestats, counter);
-
-#ifdef NEWSTATS
-	/* Do query type statistics
-	 *
-	 * We only increment per-type if we're using the authoriative
-	 * answer counter, preventing double-counting.
-	 */
-	if (counter == dns_nsstatscounter_authans) {
-		querystats = dns_zone_getrcvquerystats(zone);
-		if (querystats != NULL) {
-			rdataset = ISC_LIST_HEAD(client->query.qname->list);
-			if (rdataset != NULL) {
-				qtype = rdataset->type;
-				dns_rdatatypestats_increment(querystats, qtype);
-			}
-		}
-	}
-#endif
-}
-
-static void
-query_send(ns_client_t *client) {
-	isc_statscounter_t counter;
-
-	if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
-		inc_stats(client, dns_nsstatscounter_nonauthans);
-	else
-		inc_stats(client, dns_nsstatscounter_authans);
-
-	if (client->message->rcode == dns_rcode_noerror) {
-		dns_section_t answer = DNS_SECTION_ANSWER;
-		if (ISC_LIST_EMPTY(client->message->sections[answer])) {
-			if (client->query.isreferral)
-				counter = dns_nsstatscounter_referral;
-			else
-				counter = dns_nsstatscounter_nxrrset;
-		} else
-			counter = dns_nsstatscounter_success;
-	} else if (client->message->rcode == dns_rcode_nxdomain)
-		counter = dns_nsstatscounter_nxdomain;
-	else /* We end up here in case of YXDOMAIN, and maybe others */
-		counter = dns_nsstatscounter_failure;
-
-	inc_stats(client, counter);
-	ns_client_send(client);
-}
-
-static void
-query_error(ns_client_t *client, isc_result_t result, int line) {
-	int loglevel = ISC_LOG_DEBUG(3);
-
-	switch (result) {
-	case DNS_R_SERVFAIL:
-		loglevel = ISC_LOG_DEBUG(1);
-		inc_stats(client, dns_nsstatscounter_servfail);
-		break;
-	case DNS_R_FORMERR:
-		inc_stats(client, dns_nsstatscounter_formerr);
-		break;
-	default:
-		inc_stats(client, dns_nsstatscounter_failure);
-		break;
-	}
-
-	log_queryerror(client, result, line, loglevel);
-
-	ns_client_error(client, result);
-}
-
-static void
-query_next(ns_client_t *client, isc_result_t result) {
-	if (result == DNS_R_DUPLICATE)
-		inc_stats(client, dns_nsstatscounter_duplicate);
-	else if (result == DNS_R_DROP)
-		inc_stats(client, dns_nsstatscounter_dropped);
-	else
-		inc_stats(client, dns_nsstatscounter_failure);
-	ns_client_next(client, result);
-}
-
-static inline void
-query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
-	ns_dbversion_t *dbversion, *dbversion_next;
-	unsigned int i;
-
-	for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
-	     dbversion != NULL;
-	     dbversion = dbversion_next, i++)
-	{
-		dbversion_next = ISC_LIST_NEXT(dbversion, link);
-		/*
-		 * If we're not freeing everything, we keep the first three
-		 * dbversions structures around.
-		 */
-		if (i > 3 || everything) {
-			ISC_LIST_UNLINK(client->query.freeversions, dbversion,
-					link);
-			isc_mem_put(client->mctx, dbversion,
-				    sizeof(*dbversion));
-		}
-	}
-}
-
-void
-ns_query_cancel(ns_client_t *client) {
-	LOCK(&client->query.fetchlock);
-	if (client->query.fetch != NULL) {
-		dns_resolver_cancelfetch(client->query.fetch);
-
-		client->query.fetch = NULL;
-	}
-	UNLOCK(&client->query.fetchlock);
-}
-
-static inline void
-query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
-	dns_rdataset_t *rdataset = *rdatasetp;
-
-	CTRACE("query_putrdataset");
-	if (rdataset != NULL) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		dns_message_puttemprdataset(client->message, rdatasetp);
-	}
-	CTRACE("query_putrdataset: done");
-}
-
-static inline void
-query_reset(ns_client_t *client, isc_boolean_t everything) {
-	isc_buffer_t *dbuf, *dbuf_next;
-	ns_dbversion_t *dbversion, *dbversion_next;
-
-	/*%
-	 * Reset the query state of a client to its default state.
-	 */
-
-	/*
-	 * Cancel the fetch if it's running.
-	 */
-	ns_query_cancel(client);
-
-	/*
-	 * Cleanup any active versions.
-	 */
-	for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
-	     dbversion != NULL;
-	     dbversion = dbversion_next) {
-		dbversion_next = ISC_LIST_NEXT(dbversion, link);
-		dns_db_closeversion(dbversion->db, &dbversion->version,
-				    ISC_FALSE);
-		dns_db_detach(&dbversion->db);
-		ISC_LIST_INITANDAPPEND(client->query.freeversions,
-				      dbversion, link);
-	}
-	ISC_LIST_INIT(client->query.activeversions);
-
-	if (client->query.authdb != NULL)
-		dns_db_detach(&client->query.authdb);
-	if (client->query.authzone != NULL)
-		dns_zone_detach(&client->query.authzone);
-
-	if (client->query.dns64_aaaa != NULL)
-		query_putrdataset(client, &client->query.dns64_aaaa);
-	if (client->query.dns64_sigaaaa != NULL)
-		query_putrdataset(client, &client->query.dns64_sigaaaa);
-	if (client->query.dns64_aaaaok != NULL) {
-		isc_mem_put(client->mctx, client->query.dns64_aaaaok,
-			    client->query.dns64_aaaaoklen *
-			    sizeof(isc_boolean_t));
-		client->query.dns64_aaaaok =  NULL;
-		client->query.dns64_aaaaoklen =  0;
-	}
-
-	query_freefreeversions(client, everything);
-
-	for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
-	     dbuf != NULL;
-	     dbuf = dbuf_next) {
-		dbuf_next = ISC_LIST_NEXT(dbuf, link);
-		if (dbuf_next != NULL || everything) {
-			ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
-			isc_buffer_free(&dbuf);
-		}
-	}
-
-	if (client->query.restarts > 0) {
-		/*
-		 * client->query.qname was dynamically allocated.
-		 */
-		dns_message_puttempname(client->message,
-					&client->query.qname);
-	}
-	client->query.qname = NULL;
-	client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
-				    NS_QUERYATTR_CACHEOK |
-				    NS_QUERYATTR_SECURE);
-	client->query.restarts = 0;
-	client->query.timerset = ISC_FALSE;
-	if (client->query.rpz_st != NULL) {
-		rpz_st_clear(client);
-		if (everything) {
-			isc_mem_put(client->mctx, client->query.rpz_st,
-				    sizeof(*client->query.rpz_st));
-			client->query.rpz_st = NULL;
-		}
-	}
-	client->query.origqname = NULL;
-	client->query.dboptions = 0;
-	client->query.fetchoptions = 0;
-	client->query.gluedb = NULL;
-	client->query.authdbset = ISC_FALSE;
-	client->query.isreferral = ISC_FALSE;
-	client->query.dns64_options = 0;
-	client->query.dns64_ttl = ISC_UINT32_MAX;
-}
-
-static void
-query_next_callback(ns_client_t *client) {
-	query_reset(client, ISC_FALSE);
-}
-
-void
-ns_query_free(ns_client_t *client) {
-	query_reset(client, ISC_TRUE);
-}
-
-static inline isc_result_t
-query_newnamebuf(ns_client_t *client) {
-	isc_buffer_t *dbuf;
-	isc_result_t result;
-
-	CTRACE("query_newnamebuf");
-	/*%
-	 * Allocate a name buffer.
-	 */
-
-	dbuf = NULL;
-	result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
-	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
-		return (result);
-	}
-	ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
-
-	CTRACE("query_newnamebuf: done");
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_buffer_t *
-query_getnamebuf(ns_client_t *client) {
-	isc_buffer_t *dbuf;
-	isc_result_t result;
-	isc_region_t r;
-
-	CTRACE("query_getnamebuf");
-	/*%
-	 * Return a name buffer with space for a maximal name, allocating
-	 * a new one if necessary.
-	 */
-
-	if (ISC_LIST_EMPTY(client->query.namebufs)) {
-		result = query_newnamebuf(client);
-		if (result != ISC_R_SUCCESS) {
-		    CTRACE("query_getnamebuf: query_newnamebuf failed: done");
-			return (NULL);
-		}
-	}
-
-	dbuf = ISC_LIST_TAIL(client->query.namebufs);
-	INSIST(dbuf != NULL);
-	isc_buffer_availableregion(dbuf, &r);
-	if (r.length < 255) {
-		result = query_newnamebuf(client);
-		if (result != ISC_R_SUCCESS) {
-		    CTRACE("query_getnamebuf: query_newnamebuf failed: done");
-			return (NULL);
-
-		}
-		dbuf = ISC_LIST_TAIL(client->query.namebufs);
-		isc_buffer_availableregion(dbuf, &r);
-		INSIST(r.length >= 255);
-	}
-	CTRACE("query_getnamebuf: done");
-	return (dbuf);
-}
-
-static inline void
-query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
-	isc_region_t r;
-
-	CTRACE("query_keepname");
-	/*%
-	 * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
-	 * adjusted to take account of that.  We do the adjustment.
-	 */
-
-	REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
-
-	dns_name_toregion(name, &r);
-	isc_buffer_add(dbuf, r.length);
-	dns_name_setbuffer(name, NULL);
-	client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
-}
-
-static inline void
-query_releasename(ns_client_t *client, dns_name_t **namep) {
-	dns_name_t *name = *namep;
-
-	/*%
-	 * 'name' is no longer needed.  Return it to our pool of temporary
-	 * names.  If it is using a name buffer, relinquish its exclusive
-	 * rights on the buffer.
-	 */
-
-	CTRACE("query_releasename");
-	if (dns_name_hasbuffer(name)) {
-		INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
-		       != 0);
-		client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
-	}
-	dns_message_puttempname(client->message, namep);
-	CTRACE("query_releasename: done");
-}
-
-static inline dns_name_t *
-query_newname(ns_client_t *client, isc_buffer_t *dbuf,
-	      isc_buffer_t *nbuf)
-{
-	dns_name_t *name;
-	isc_region_t r;
-	isc_result_t result;
-
-	REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
-
-	CTRACE("query_newname");
-	name = NULL;
-	result = dns_message_gettempname(client->message, &name);
-	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_newname: dns_message_gettempname failed: done");
-		return (NULL);
-	}
-	isc_buffer_availableregion(dbuf, &r);
-	isc_buffer_init(nbuf, r.base, r.length);
-	dns_name_init(name, NULL);
-	dns_name_setbuffer(name, nbuf);
-	client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
-
-	CTRACE("query_newname: done");
-	return (name);
-}
-
-static inline dns_rdataset_t *
-query_newrdataset(ns_client_t *client) {
-	dns_rdataset_t *rdataset;
-	isc_result_t result;
-
-	CTRACE("query_newrdataset");
-	rdataset = NULL;
-	result = dns_message_gettemprdataset(client->message, &rdataset);
-	if (result != ISC_R_SUCCESS) {
-	  CTRACE("query_newrdataset: "
-		 "dns_message_gettemprdataset failed: done");
-		return (NULL);
-	}
-	dns_rdataset_init(rdataset);
-
-	CTRACE("query_newrdataset: done");
-	return (rdataset);
-}
-
-static inline isc_result_t
-query_newdbversion(ns_client_t *client, unsigned int n) {
-	unsigned int i;
-	ns_dbversion_t *dbversion;
-
-	for (i = 0; i < n; i++) {
-		dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
-		if (dbversion != NULL) {
-			dbversion->db = NULL;
-			dbversion->version = NULL;
-			ISC_LIST_INITANDAPPEND(client->query.freeversions,
-					      dbversion, link);
-		} else {
-			/*
-			 * We only return ISC_R_NOMEMORY if we couldn't
-			 * allocate anything.
-			 */
-			if (i == 0)
-				return (ISC_R_NOMEMORY);
-			else
-				return (ISC_R_SUCCESS);
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline ns_dbversion_t *
-query_getdbversion(ns_client_t *client) {
-	isc_result_t result;
-	ns_dbversion_t *dbversion;
-
-	if (ISC_LIST_EMPTY(client->query.freeversions)) {
-		result = query_newdbversion(client, 1);
-		if (result != ISC_R_SUCCESS)
-			return (NULL);
-	}
-	dbversion = ISC_LIST_HEAD(client->query.freeversions);
-	INSIST(dbversion != NULL);
-	ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
-
-	return (dbversion);
-}
-
-isc_result_t
-ns_query_init(ns_client_t *client) {
-	isc_result_t result;
-
-	ISC_LIST_INIT(client->query.namebufs);
-	ISC_LIST_INIT(client->query.activeversions);
-	ISC_LIST_INIT(client->query.freeversions);
-	client->query.restarts = 0;
-	client->query.timerset = ISC_FALSE;
-	client->query.rpz_st = NULL;
-	client->query.qname = NULL;
-	result = isc_mutex_init(&client->query.fetchlock);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	client->query.fetch = NULL;
-	client->query.authdb = NULL;
-	client->query.authzone = NULL;
-	client->query.authdbset = ISC_FALSE;
-	client->query.isreferral = ISC_FALSE;
-	client->query.dns64_aaaa = NULL;
-	client->query.dns64_sigaaaa = NULL;
-	client->query.dns64_aaaaok = NULL;
-	client->query.dns64_aaaaoklen = 0;
-	query_reset(client, ISC_FALSE);
-	result = query_newdbversion(client, 3);
-	if (result != ISC_R_SUCCESS) {
-		DESTROYLOCK(&client->query.fetchlock);
-		return (result);
-	}
-	result = query_newnamebuf(client);
-	if (result != ISC_R_SUCCESS)
-		query_freefreeversions(client, ISC_TRUE);
-
-	return (result);
-}
-
-static inline ns_dbversion_t *
-query_findversion(ns_client_t *client, dns_db_t *db)
-{
-	ns_dbversion_t *dbversion;
-
-	/*%
-	 * We may already have done a query related to this
-	 * database.  If so, we must be sure to make subsequent
-	 * queries from the same version.
-	 */
-	for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
-	     dbversion != NULL;
-	     dbversion = ISC_LIST_NEXT(dbversion, link)) {
-		if (dbversion->db == db)
-			break;
-	}
-
-	if (dbversion == NULL) {
-		/*
-		 * This is a new zone for this query.  Add it to
-		 * the active list.
-		 */
-		dbversion = query_getdbversion(client);
-		if (dbversion == NULL)
-			return (NULL);
-		dns_db_attach(db, &dbversion->db);
-		dns_db_currentversion(db, &dbversion->version);
-		dbversion->acl_checked = ISC_FALSE;
-		dbversion->queryok = ISC_FALSE;
-		ISC_LIST_APPEND(client->query.activeversions,
-				dbversion, link);
-	}
-
-	return (dbversion);
-}
-
-static inline isc_result_t
-query_validatezonedb(ns_client_t *client, dns_name_t *name,
-		     dns_rdatatype_t qtype, unsigned int options,
-		     dns_zone_t *zone, dns_db_t *db,
-		     dns_dbversion_t **versionp)
-{
-	isc_result_t result;
-	dns_acl_t *queryacl, *queryonacl;
-	ns_dbversion_t *dbversion;
-
-	REQUIRE(zone != NULL);
-	REQUIRE(db != NULL);
-
-	/*
-	 * This limits our searching to the zone where the first name
-	 * (the query target) was looked for.  This prevents following
-	 * CNAMES or DNAMES into other zones and prevents returning
-	 * additional data from other zones.
-	 */
-	if (!client->view->additionalfromauth &&
-	    client->query.authdbset &&
-	    db != client->query.authdb)
-		return (DNS_R_REFUSED);
-
-	/*
-	 * Non recursive query to a static-stub zone is prohibited; its
-	 * zone content is not public data, but a part of local configuration
-	 * and should not be disclosed.
-	 */
-	if (dns_zone_gettype(zone) == dns_zone_staticstub &&
-	    !RECURSIONOK(client)) {
-		return (DNS_R_REFUSED);
-	}
-
-	/*
-	 * If the zone has an ACL, we'll check it, otherwise
-	 * we use the view's "allow-query" ACL.  Each ACL is only checked
-	 * once per query.
-	 *
-	 * Also, get the database version to use.
-	 */
-
-	/*
-	 * Get the current version of this database.
-	 */
-	dbversion = query_findversion(client, db);
-	if (dbversion == NULL)
-		return (DNS_R_SERVFAIL);
-
-	if ((options & DNS_GETDB_IGNOREACL) != 0)
-		goto approved;
-	if (dbversion->acl_checked) {
-		if (!dbversion->queryok)
-			return (DNS_R_REFUSED);
-		goto approved;
-	}
-
-	queryacl = dns_zone_getqueryacl(zone);
-	if (queryacl == NULL) {
-		queryacl = client->view->queryacl;
-		if ((client->query.attributes &
-		     NS_QUERYATTR_QUERYOKVALID) != 0) {
-			/*
-			 * We've evaluated the view's queryacl already.  If
-			 * NS_QUERYATTR_QUERYOK is set, then the client is
-			 * allowed to make queries, otherwise the query should
-			 * be refused.
-			 */
-			dbversion->acl_checked = ISC_TRUE;
-			if ((client->query.attributes &
-			     NS_QUERYATTR_QUERYOK) == 0) {
-				dbversion->queryok = ISC_FALSE;
-				return (DNS_R_REFUSED);
-			}
-			dbversion->queryok = ISC_TRUE;
-			goto approved;
-		}
-	}
-
-	result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
-	if ((options & DNS_GETDB_NOLOG) == 0) {
-		char msg[NS_CLIENT_ACLMSGSIZE("query")];
-		if (result == ISC_R_SUCCESS) {
-			if (isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(3))) {
-				ns_client_aclmsg("query", name, qtype,
-						 client->view->rdclass,
-						 msg, sizeof(msg));
-				ns_client_log(client,
-					      DNS_LOGCATEGORY_SECURITY,
-					      NS_LOGMODULE_QUERY,
-					      ISC_LOG_DEBUG(3),
-					      "%s approved", msg);
-			}
-		} else {
-			ns_client_aclmsg("query", name, qtype,
-					 client->view->rdclass,
-					 msg, sizeof(msg));
-			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
-				      "%s denied", msg);
-		}
-	}
-
-	if (queryacl == client->view->queryacl) {
-		if (result == ISC_R_SUCCESS) {
-			/*
-			 * We were allowed by the default
-			 * "allow-query" ACL.  Remember this so we
-			 * don't have to check again.
-			 */
-			client->query.attributes |= NS_QUERYATTR_QUERYOK;
-		}
-		/*
-		 * We've now evaluated the view's query ACL, and
-		 * the NS_QUERYATTR_QUERYOK attribute is now valid.
-		 */
-		client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
-	}
-
-	/* If and only if we've gotten this far, check allow-query-on too */
-	if (result == ISC_R_SUCCESS) {
-		queryonacl = dns_zone_getqueryonacl(zone);
-		if (queryonacl == NULL)
-			queryonacl = client->view->queryonacl;
-
-		result = ns_client_checkaclsilent(client, NULL,
-						  queryonacl, ISC_TRUE);
-		if ((options & DNS_GETDB_NOLOG) == 0 &&
-		    result != ISC_R_SUCCESS)
-			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
-				      "query-on denied");
-	}
-
-	dbversion->acl_checked = ISC_TRUE;
-	if (result != ISC_R_SUCCESS) {
-		dbversion->queryok = ISC_FALSE;
-		return (DNS_R_REFUSED);
-	}
-	dbversion->queryok = ISC_TRUE;
-
- approved:
-	/* Transfer ownership, if necessary. */
-	if (versionp != NULL)
-		*versionp = dbversion->version;
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
-		unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
-		dns_dbversion_t **versionp)
-{
-	isc_result_t result;
-	unsigned int ztoptions;
-	dns_zone_t *zone = NULL;
-	dns_db_t *db = NULL;
-	isc_boolean_t partial = ISC_FALSE;
-
-	REQUIRE(zonep != NULL && *zonep == NULL);
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	/*%
-	 * Find a zone database to answer the query.
-	 */
-	ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
-		DNS_ZTFIND_NOEXACT : 0;
-
-	result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
-			     &zone);
-	if (result == DNS_R_PARTIALMATCH)
-		partial = ISC_TRUE;
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-		result = dns_zone_getdb(zone, &db);
-
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = query_validatezonedb(client, name, qtype, options, zone, db,
-				      versionp);
-
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	/* Transfer ownership. */
-	*zonep = zone;
-	*dbp = db;
-
-	if (partial && (options & DNS_GETDB_PARTIAL) != 0)
-		return (DNS_R_PARTIALMATCH);
-	return (ISC_R_SUCCESS);
-
- fail:
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	if (db != NULL)
-		dns_db_detach(&db);
-
-	return (result);
-}
-
-static void
-rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
-		dns_rpz_policy_t policy, dns_rpz_type_t type,
-		dns_zone_t *zone, dns_name_t *rpz_qname)
-{
-	isc_stats_t *zonestats;
-	char qname_buf[DNS_NAME_FORMATSIZE];
-	char rpz_qname_buf[DNS_NAME_FORMATSIZE];
-
-	/*
-	 * Count enabled rewrites in the global counter.
-	 * Count both enabled and disabled rewrites for each zone.
-	 */
-	if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) {
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_rpz_rewrites);
-	}
-	if (zone != NULL) {
-		zonestats = dns_zone_getrequeststats(zone);
-		if (zonestats != NULL)
-			isc_stats_increment(zonestats,
-					    dns_nsstatscounter_rpz_rewrites);
-	}
-
-	if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
-		return;
-
-	dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
-	dns_name_format(rpz_qname, rpz_qname_buf, sizeof(rpz_qname_buf));
-
-	ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
-		      DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
-		      disabled ? "disabled " : "",
-		      dns_rpz_type2str(type), dns_rpz_policy2str(policy),
-		      qname_buf, rpz_qname_buf);
-}
-
-static void
-rpz_log_fail(ns_client_t *client, int level,
-	     dns_rpz_type_t rpz_type, dns_name_t *name,
-	     const char *str, isc_result_t result)
-{
-	char namebuf1[DNS_NAME_FORMATSIZE];
-	char namebuf2[DNS_NAME_FORMATSIZE];
-
-	if (!isc_log_wouldlog(ns_g_lctx, level))
-		return;
-
-	/*
-	 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
-	 */
-	dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
-	dns_name_format(name, namebuf2, sizeof(namebuf2));
-	ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
-		      NS_LOGMODULE_QUERY, level,
-		      "rpz %s rewrite %s via %s %sfailed: %s",
-		      dns_rpz_type2str(rpz_type),
-		      namebuf1, namebuf2, str, isc_result_totext(result));
-}
-
-/*
- * Get a policy rewrite zone database.
- */
-static isc_result_t
-rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type, dns_name_t *rpz_qname,
-	  dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp)
-{
-	char namebuf1[DNS_NAME_FORMATSIZE];
-	char namebuf2[DNS_NAME_FORMATSIZE];
-	dns_dbversion_t *rpz_version = NULL;
-	isc_result_t result;
-
-	result = query_getzonedb(client, rpz_qname, dns_rdatatype_any,
-				 DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version);
-	if (result == ISC_R_SUCCESS) {
-		if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
-			dns_name_format(client->query.qname, namebuf1,
-					sizeof(namebuf1));
-			dns_name_format(rpz_qname, namebuf2, sizeof(namebuf2));
-			ns_client_log(client, DNS_LOGCATEGORY_RPZ,
-				      NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2,
-				      "try rpz %s rewrite %s via %s",
-				      dns_rpz_type2str(rpz_type),
-				      namebuf1, namebuf2);
-		}
-		*versionp = rpz_version;
-		return (ISC_R_SUCCESS);
-	}
-	rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname,
-		     "query_getzonedb() ", result);
-	return (result);
-}
-
-static inline isc_result_t
-query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
-		 dns_db_t **dbp, unsigned int options)
-{
-	isc_result_t result;
-	isc_boolean_t check_acl;
-	dns_db_t *db = NULL;
-
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	/*%
-	 * Find a cache database to answer the query.
-	 * This may fail with DNS_R_REFUSED if the client
-	 * is not allowed to use the cache.
-	 */
-
-	if (!USECACHE(client))
-		return (DNS_R_REFUSED);
-	dns_db_attach(client->view->cachedb, &db);
-
-	if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) {
-		/*
-		 * We've evaluated the view's cacheacl already.  If
-		 * NS_QUERYATTR_CACHEACLOK is set, then the client is
-		 * allowed to make queries, otherwise the query should
-		 * be refused.
-		 */
-		check_acl = ISC_FALSE;
-		if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0)
-			goto refuse;
-	} else {
-		/*
-		 * We haven't evaluated the view's queryacl yet.
-		 */
-		check_acl = ISC_TRUE;
-	}
-
-	if (check_acl) {
-		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
-		char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
-
-		result = ns_client_checkaclsilent(client, NULL,
-						  client->view->cacheacl,
-						  ISC_TRUE);
-		if (result == ISC_R_SUCCESS) {
-			/*
-			 * We were allowed by the "allow-query-cache" ACL.
-			 * Remember this so we don't have to check again.
-			 */
-			client->query.attributes |=
-				NS_QUERYATTR_CACHEACLOK;
-			if (log && isc_log_wouldlog(ns_g_lctx,
-						     ISC_LOG_DEBUG(3)))
-			{
-				ns_client_aclmsg("query (cache)", name, qtype,
-						 client->view->rdclass,
-						 msg, sizeof(msg));
-				ns_client_log(client,
-					      DNS_LOGCATEGORY_SECURITY,
-					      NS_LOGMODULE_QUERY,
-					      ISC_LOG_DEBUG(3),
-					      "%s approved", msg);
-			}
-		} else if (log) {
-			ns_client_aclmsg("query (cache)", name, qtype,
-					 client->view->rdclass, msg,
-					 sizeof(msg));
-			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
-				      "%s denied", msg);
-		}
-		/*
-		 * We've now evaluated the view's query ACL, and
-		 * the NS_QUERYATTR_CACHEACLOKVALID attribute is now valid.
-		 */
-		client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID;
-
-		if (result != ISC_R_SUCCESS)
-			goto refuse;
-	}
-
-	/* Approved. */
-
-	/* Transfer ownership. */
-	*dbp = db;
-
-	return (ISC_R_SUCCESS);
-
- refuse:
-	result = DNS_R_REFUSED;
-
-	if (db != NULL)
-		dns_db_detach(&db);
-
-	return (result);
-}
-
-
-static inline isc_result_t
-query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
-	    unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
-	    dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
-{
-	isc_result_t result;
-
-	isc_result_t tresult;
-	unsigned int namelabels;
-	unsigned int zonelabels;
-	dns_zone_t *zone = NULL;
-	dns_db_t *tdbp;
-
-	REQUIRE(zonep != NULL && *zonep == NULL);
-
-	tdbp = NULL;
-
-	/* Calculate how many labels are in name. */
-	namelabels = dns_name_countlabels(name);
-	zonelabels = 0;
-
-	/* Try to find name in bind's standard database. */
-	result = query_getzonedb(client, name, qtype, options, &zone,
-				 dbp, versionp);
-
-	/* See how many labels are in the zone's name.	  */
-	if (result == ISC_R_SUCCESS && zone != NULL)
-		zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
-	/*
-	 * If # zone labels < # name labels, try to find an even better match
-	 * Only try if a DLZ driver is loaded for this view
-	 */
-	if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
-		tresult = dns_dlzfindzone(client->view, name,
-					  zonelabels, &tdbp);
-		 /* If we successful, we found a better match. */
-		if (tresult == ISC_R_SUCCESS) {
-			/*
-			 * If the previous search returned a zone, detach it.
-			 */
-			if (zone != NULL)
-				dns_zone_detach(&zone);
-
-			/*
-			 * If the previous search returned a database,
-			 * detach it.
-			 */
-			if (*dbp != NULL)
-				dns_db_detach(dbp);
-
-			/*
-			 * If the previous search returned a version, clear it.
-			 */
-			*versionp = NULL;
-
-			/*
-			 * Get our database version.
-			 */
-			dns_db_currentversion(tdbp, versionp);
-
-			/*
-			 * Be sure to return our database.
-			 */
-			*dbp = tdbp;
-
-			/*
-			 * We return a null zone, No stats for DLZ zones.
-			 */
-			zone = NULL;
-			result = tresult;
-		}
-	}
-
-	/* If successful, Transfer ownership of zone. */
-	if (result == ISC_R_SUCCESS) {
-		*zonep = zone;
-		/*
-		 * If neither attempt above succeeded, return the cache instead
-		 */
-		*is_zonep = ISC_TRUE;
-	} else if (result == ISC_R_NOTFOUND) {
-		result = query_getcachedb(client, name, qtype, dbp, options);
-		*is_zonep = ISC_FALSE;
-	}
-	return (result);
-}
-
-static inline isc_boolean_t
-query_isduplicate(ns_client_t *client, dns_name_t *name,
-		  dns_rdatatype_t type, dns_name_t **mnamep)
-{
-	dns_section_t section;
-	dns_name_t *mname = NULL;
-	isc_result_t result;
-
-	CTRACE("query_isduplicate");
-
-	for (section = DNS_SECTION_ANSWER;
-	     section <= DNS_SECTION_ADDITIONAL;
-	     section++) {
-		result = dns_message_findname(client->message, section,
-					      name, type, 0, &mname, NULL);
-		if (result == ISC_R_SUCCESS) {
-			/*
-			 * We've already got this RRset in the response.
-			 */
-			CTRACE("query_isduplicate: true: done");
-			return (ISC_TRUE);
-		} else if (result == DNS_R_NXRRSET) {
-			/*
-			 * The name exists, but the rdataset does not.
-			 */
-			if (section == DNS_SECTION_ADDITIONAL)
-				break;
-		} else
-			RUNTIME_CHECK(result == DNS_R_NXDOMAIN);
-		mname = NULL;
-	}
-
-	if (mnamep != NULL)
-		*mnamep = mname;
-
-	CTRACE("query_isduplicate: false: done");
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
-	ns_client_t *client = arg;
-	isc_result_t result, eresult;
-	dns_dbnode_t *node;
-	dns_db_t *db;
-	dns_name_t *fname, *mname;
-	dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
-	isc_buffer_t *dbuf;
-	isc_buffer_t b;
-	dns_dbversion_t *version;
-	isc_boolean_t added_something, need_addname;
-	dns_zone_t *zone;
-	dns_rdatatype_t type;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(qtype != dns_rdatatype_any);
-
-	if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
-		return (ISC_R_SUCCESS);
-
-	CTRACE("query_addadditional");
-
-	/*
-	 * Initialization.
-	 */
-	eresult = ISC_R_SUCCESS;
-	fname = NULL;
-	rdataset = NULL;
-	sigrdataset = NULL;
-	trdataset = NULL;
-	db = NULL;
-	version = NULL;
-	node = NULL;
-	added_something = ISC_FALSE;
-	need_addname = ISC_FALSE;
-	zone = NULL;
-
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	/*
-	 * We treat type A additional section processing as if it
-	 * were "any address type" additional section processing.
-	 * To avoid multiple lookups, we do an 'any' database
-	 * lookup and iterate over the node.
-	 */
-	if (qtype == dns_rdatatype_a)
-		type = dns_rdatatype_any;
-	else
-		type = qtype;
-
-	/*
-	 * Get some resources.
-	 */
-	dbuf = query_getnamebuf(client);
-	if (dbuf == NULL)
-		goto cleanup;
-	fname = query_newname(client, dbuf, &b);
-	rdataset = query_newrdataset(client);
-	if (fname == NULL || rdataset == NULL)
-		goto cleanup;
-	if (WANTDNSSEC(client)) {
-		sigrdataset = query_newrdataset(client);
-		if (sigrdataset == NULL)
-			goto cleanup;
-	}
-
-	/*
-	 * Look for a zone database that might contain authoritative
-	 * additional data.
-	 */
-	result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
-				 &zone, &db, &version);
-	if (result != ISC_R_SUCCESS)
-		goto try_cache;
-
-	CTRACE("query_addadditional: db_find");
-
-	/*
-	 * Since we are looking for authoritative data, we do not set
-	 * the GLUEOK flag.  Glue will be looked for later, but not
-	 * necessarily in the same database.
-	 */
-	node = NULL;
-	result = dns_db_findext(db, name, version, type,
-				client->query.dboptions,
-				client->now, &node, fname, &cm, &ci,
-				rdataset, sigrdataset);
-	if (result == ISC_R_SUCCESS) {
-		if (sigrdataset != NULL && !dns_db_issecure(db) &&
-		    dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-		goto found;
-	}
-
-	if (dns_rdataset_isassociated(rdataset))
-		dns_rdataset_disassociate(rdataset);
-	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
-		dns_rdataset_disassociate(sigrdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	version = NULL;
-	dns_db_detach(&db);
-
-	/*
-	 * No authoritative data was found.  The cache is our next best bet.
-	 */
-
- try_cache:
-	result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
-	if (result != ISC_R_SUCCESS)
-		/*
-		 * Most likely the client isn't allowed to query the cache.
-		 */
-		goto try_glue;
-	/*
-	 * Attempt to validate glue.
-	 */
-	if (sigrdataset == NULL) {
-		sigrdataset = query_newrdataset(client);
-		if (sigrdataset == NULL)
-			goto cleanup;
-	}
-	result = dns_db_findext(db, name, version, type,
-				client->query.dboptions |
-				 DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
-				client->now, &node, fname, &cm, &ci,
-				rdataset, sigrdataset);
-	if (result == DNS_R_GLUE &&
-	    validate(client, db, fname, rdataset, sigrdataset))
-		result = ISC_R_SUCCESS;
-	if (!WANTDNSSEC(client))
-		query_putrdataset(client, &sigrdataset);
-	if (result == ISC_R_SUCCESS)
-		goto found;
-
-	if (dns_rdataset_isassociated(rdataset))
-		dns_rdataset_disassociate(rdataset);
-	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
-		dns_rdataset_disassociate(sigrdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	dns_db_detach(&db);
-
- try_glue:
-	/*
-	 * No cached data was found.  Glue is our last chance.
-	 * RFC1035 sayeth:
-	 *
-	 *	NS records cause both the usual additional section
-	 *	processing to locate a type A record, and, when used
-	 *	in a referral, a special search of the zone in which
-	 *	they reside for glue information.
-	 *
-	 * This is the "special search".  Note that we must search
-	 * the zone where the NS record resides, not the zone it
-	 * points to, and that we only do the search in the delegation
-	 * case (identified by client->query.gluedb being set).
-	 */
-
-	if (client->query.gluedb == NULL)
-		goto cleanup;
-
-	/*
-	 * Don't poison caches using the bailiwick protection model.
-	 */
-	if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
-		goto cleanup;
-
-	dns_db_attach(client->query.gluedb, &db);
-	result = dns_db_findext(db, name, version, type,
-				client->query.dboptions | DNS_DBFIND_GLUEOK,
-				client->now, &node, fname, &cm, &ci,
-				rdataset, sigrdataset);
-	if (!(result == ISC_R_SUCCESS ||
-	      result == DNS_R_ZONECUT ||
-	      result == DNS_R_GLUE))
-		goto cleanup;
-
- found:
-	/*
-	 * We have found a potential additional data rdataset, or
-	 * at least a node to iterate over.
-	 */
-	query_keepname(client, fname, dbuf);
-
-	/*
-	 * If we have an rdataset, add it to the additional data
-	 * section.
-	 */
-	mname = NULL;
-	if (dns_rdataset_isassociated(rdataset) &&
-	    !query_isduplicate(client, fname, type, &mname)) {
-		if (mname != NULL) {
-			INSIST(mname != fname);
-			query_releasename(client, &fname);
-			fname = mname;
-		} else
-			need_addname = ISC_TRUE;
-		ISC_LIST_APPEND(fname->list, rdataset, link);
-		trdataset = rdataset;
-		rdataset = NULL;
-		added_something = ISC_TRUE;
-		/*
-		 * Note: we only add SIGs if we've added the type they cover,
-		 * so we do not need to check if the SIG rdataset is already
-		 * in the response.
-		 */
-		if (sigrdataset != NULL &&
-		    dns_rdataset_isassociated(sigrdataset))
-		{
-			ISC_LIST_APPEND(fname->list, sigrdataset, link);
-			sigrdataset = NULL;
-		}
-	}
-
-	if (qtype == dns_rdatatype_a) {
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-		isc_boolean_t have_a = ISC_FALSE;
-#endif
-
-		/*
-		 * We now go looking for A and AAAA records, along with
-		 * their signatures.
-		 *
-		 * XXXRTH  This code could be more efficient.
-		 */
-		if (rdataset != NULL) {
-			if (dns_rdataset_isassociated(rdataset))
-				dns_rdataset_disassociate(rdataset);
-		} else {
-			rdataset = query_newrdataset(client);
-			if (rdataset == NULL)
-				goto addname;
-		}
-		if (sigrdataset != NULL) {
-			if (dns_rdataset_isassociated(sigrdataset))
-				dns_rdataset_disassociate(sigrdataset);
-		} else if (WANTDNSSEC(client)) {
-			sigrdataset = query_newrdataset(client);
-			if (sigrdataset == NULL)
-				goto addname;
-		}
-		if (query_isduplicate(client, fname, dns_rdatatype_a, NULL))
-			goto aaaa_lookup;
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_a, 0,
-					     client->now,
-					     rdataset, sigrdataset);
-		if (result == DNS_R_NCACHENXDOMAIN)
-			goto addname;
-		if (result == DNS_R_NCACHENXRRSET) {
-			dns_rdataset_disassociate(rdataset);
-			if (sigrdataset != NULL &&
-			    dns_rdataset_isassociated(sigrdataset))
-				dns_rdataset_disassociate(sigrdataset);
-		}
-		if (result == ISC_R_SUCCESS) {
-			mname = NULL;
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-			have_a = ISC_TRUE;
-#endif
-			if (!query_isduplicate(client, fname,
-					       dns_rdatatype_a, &mname)) {
-				if (mname != fname) {
-					if (mname != NULL) {
-						query_releasename(client, &fname);
-						fname = mname;
-					} else
-						need_addname = ISC_TRUE;
-				}
-				ISC_LIST_APPEND(fname->list, rdataset, link);
-				added_something = ISC_TRUE;
-				if (sigrdataset != NULL &&
-				    dns_rdataset_isassociated(sigrdataset))
-				{
-					ISC_LIST_APPEND(fname->list,
-							sigrdataset, link);
-					sigrdataset =
-						query_newrdataset(client);
-				}
-				rdataset = query_newrdataset(client);
-				if (rdataset == NULL)
-					goto addname;
-				if (WANTDNSSEC(client) && sigrdataset == NULL)
-					goto addname;
-			} else {
-				dns_rdataset_disassociate(rdataset);
-				if (sigrdataset != NULL &&
-				    dns_rdataset_isassociated(sigrdataset))
-					dns_rdataset_disassociate(sigrdataset);
-			}
-		}
-  aaaa_lookup:
-		if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
-			goto addname;
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_aaaa, 0,
-					     client->now,
-					     rdataset, sigrdataset);
-		if (result == DNS_R_NCACHENXDOMAIN)
-			goto addname;
-		if (result == DNS_R_NCACHENXRRSET) {
-			dns_rdataset_disassociate(rdataset);
-			if (sigrdataset != NULL &&
-			    dns_rdataset_isassociated(sigrdataset))
-				dns_rdataset_disassociate(sigrdataset);
-		}
-		if (result == ISC_R_SUCCESS) {
-			mname = NULL;
-			/*
-			 * There's an A; check whether we're filtering AAAA
-			 */
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-			if (have_a &&
-			    (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
-			    (client->filter_aaaa == dns_v4_aaaa_filter &&
-			     (!WANTDNSSEC(client) || sigrdataset == NULL ||
-			      !dns_rdataset_isassociated(sigrdataset)))))
-				goto addname;
-#endif
-			if (!query_isduplicate(client, fname,
-					       dns_rdatatype_aaaa, &mname)) {
-				if (mname != fname) {
-					if (mname != NULL) {
-						query_releasename(client, &fname);
-						fname = mname;
-					} else
-						need_addname = ISC_TRUE;
-				}
-				ISC_LIST_APPEND(fname->list, rdataset, link);
-				added_something = ISC_TRUE;
-				if (sigrdataset != NULL &&
-				    dns_rdataset_isassociated(sigrdataset))
-				{
-					ISC_LIST_APPEND(fname->list,
-							sigrdataset, link);
-					sigrdataset = NULL;
-				}
-				rdataset = NULL;
-			}
-		}
-	}
-
- addname:
-	CTRACE("query_addadditional: addname");
-	/*
-	 * If we haven't added anything, then we're done.
-	 */
-	if (!added_something)
-		goto cleanup;
-
-	/*
-	 * We may have added our rdatasets to an existing name, if so, then
-	 * need_addname will be ISC_FALSE.  Whether we used an existing name
-	 * or a new one, we must set fname to NULL to prevent cleanup.
-	 */
-	if (need_addname)
-		dns_message_addname(client->message, fname,
-				    DNS_SECTION_ADDITIONAL);
-	fname = NULL;
-
-	/*
-	 * In a few cases, we want to add additional data for additional
-	 * data.  It's simpler to just deal with special cases here than
-	 * to try to create a general purpose mechanism and allow the
-	 * rdata implementations to do it themselves.
-	 *
-	 * This involves recursion, but the depth is limited.  The
-	 * most complex case is adding a SRV rdataset, which involves
-	 * recursing to add address records, which in turn can cause
-	 * recursion to add KEYs.
-	 */
-	if (type == dns_rdatatype_srv && trdataset != NULL) {
-		/*
-		 * If we're adding SRV records to the additional data
-		 * section, it's helpful if we add the SRV additional data
-		 * as well.
-		 */
-		eresult = dns_rdataset_additionaldata(trdataset,
-						      query_addadditional,
-						      client);
-	}
-
- cleanup:
-	CTRACE("query_addadditional: cleanup");
-	query_putrdataset(client, &rdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &sigrdataset);
-	if (fname != NULL)
-		query_releasename(client, &fname);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-
-	CTRACE("query_addadditional: done");
-	return (eresult);
-}
-
-static inline void
-query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
-		   dns_rdatasetadditional_t additionaltype,
-		   dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp,
-		   dns_dbversion_t **versionp, dns_dbnode_t **nodep,
-		   dns_name_t *fname)
-{
-	dns_rdataset_t *rdataset;
-
-	while  ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
-		ISC_LIST_UNLINK(fname->list, rdataset, link);
-		query_putrdataset(client, &rdataset);
-	}
-	if (*versionp != NULL)
-		dns_db_closeversion(*dbp, versionp, ISC_FALSE);
-	if (*nodep != NULL)
-		dns_db_detachnode(*dbp, nodep);
-	if (*dbp != NULL)
-		dns_db_detach(dbp);
-	if (*zonep != NULL)
-		dns_zone_detach(zonep);
-	(void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
-					 additionaltype, type);
-}
-
-static inline isc_result_t
-query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
-		   dns_dbversion_t *version)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_dbversion_t *version_current = NULL;
-	dns_db_t *db_current = db0;
-
-	if (db_current == NULL) {
-		result = dns_zone_getdb(zone, &db_current);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	dns_db_currentversion(db_current, &version_current);
-	if (db_current != db || version_current != version) {
-		result = ISC_R_FAILURE;
-		goto cleanup;
-	}
-
- cleanup:
-	dns_db_closeversion(db_current, &version_current, ISC_FALSE);
-	if (db0 == NULL && db_current != NULL)
-		dns_db_detach(&db_current);
-
-	return (result);
-}
-
-static isc_result_t
-query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
-	client_additionalctx_t *additionalctx = arg;
-	dns_rdataset_t *rdataset_base;
-	ns_client_t *client;
-	isc_result_t result, eresult;
-	dns_dbnode_t *node, *cnode;
-	dns_db_t *db, *cdb;
-	dns_name_t *fname, *mname0, cfname;
-	dns_rdataset_t *rdataset, *sigrdataset;
-	dns_rdataset_t *crdataset, *crdataset_next;
-	isc_buffer_t *dbuf;
-	isc_buffer_t b;
-	dns_dbversion_t *version, *cversion;
-	isc_boolean_t added_something, need_addname, needadditionalcache;
-	isc_boolean_t need_sigrrset;
-	dns_zone_t *zone;
-	dns_rdatatype_t type;
-	dns_rdatasetadditional_t additionaltype;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	/*
-	 * If we don't have an additional cache call query_addadditional.
-	 */
-	client = additionalctx->client;
-	REQUIRE(NS_CLIENT_VALID(client));
-
-	if (qtype != dns_rdatatype_a || client->view->acache == NULL) {
-		/*
-		 * This function is optimized for "address" types.  For other
-		 * types, use a generic routine.
-		 * XXX: ideally, this function should be generic enough.
-		 */
-		return (query_addadditional(additionalctx->client,
-					    name, qtype));
-	}
-
-	/*
-	 * Initialization.
-	 */
-	rdataset_base = additionalctx->rdataset;
-	eresult = ISC_R_SUCCESS;
-	fname = NULL;
-	rdataset = NULL;
-	sigrdataset = NULL;
-	db = NULL;
-	cdb = NULL;
-	version = NULL;
-	cversion = NULL;
-	node = NULL;
-	cnode = NULL;
-	added_something = ISC_FALSE;
-	need_addname = ISC_FALSE;
-	zone = NULL;
-	needadditionalcache = ISC_FALSE;
-	POST(needadditionalcache);
-	additionaltype = dns_rdatasetadditional_fromauth;
-	dns_name_init(&cfname, NULL);
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	CTRACE("query_addadditional2");
-
-	/*
-	 * We treat type A additional section processing as if it
-	 * were "any address type" additional section processing.
-	 * To avoid multiple lookups, we do an 'any' database
-	 * lookup and iterate over the node.
-	 * XXXJT: this approach can cause a suboptimal result when the cache
-	 * DB only has partial address types and the glue DB has remaining
-	 * ones.
-	 */
-	type = dns_rdatatype_any;
-
-	/*
-	 * Get some resources.
-	 */
-	dbuf = query_getnamebuf(client);
-	if (dbuf == NULL)
-		goto cleanup;
-	fname = query_newname(client, dbuf, &b);
-	if (fname == NULL)
-		goto cleanup;
-	dns_name_setbuffer(&cfname, &b); /* share the buffer */
-
-	/* Check additional cache */
-	result = dns_rdataset_getadditional(rdataset_base, additionaltype,
-					    type, client->view->acache, &zone,
-					    &cdb, &cversion, &cnode, &cfname,
-					    client->message, client->now);
-	if (result != ISC_R_SUCCESS)
-		goto findauthdb;
-	if (zone == NULL) {
-		CTRACE("query_addadditional2: auth zone not found");
-		goto try_cache;
-	}
-
-	/* Is the cached DB up-to-date? */
-	result = query_iscachevalid(zone, cdb, NULL, cversion);
-	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_addadditional2: old auth additional cache");
-		query_discardcache(client, rdataset_base, additionaltype,
-				   type, &zone, &cdb, &cversion, &cnode,
-				   &cfname);
-		goto findauthdb;
-	}
-
-	if (cnode == NULL) {
-		/*
-		 * We have a negative cache.  We don't have to check the zone
-		 * ACL, since the result (not using this zone) would be same
-		 * regardless of the result.
-		 */
-		CTRACE("query_addadditional2: negative auth additional cache");
-		dns_db_closeversion(cdb, &cversion, ISC_FALSE);
-		dns_db_detach(&cdb);
-		dns_zone_detach(&zone);
-		goto try_cache;
-	}
-
-	result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
-				      zone, cdb, NULL);
-	if (result != ISC_R_SUCCESS) {
-		query_discardcache(client, rdataset_base, additionaltype,
-				   type, &zone, &cdb, &cversion, &cnode,
-				   &cfname);
-		goto try_cache;
-	}
-
-	/* We've got an active cache. */
-	CTRACE("query_addadditional2: auth additional cache");
-	dns_db_closeversion(cdb, &cversion, ISC_FALSE);
-	db = cdb;
-	node = cnode;
-	dns_name_clone(&cfname, fname);
-	query_keepname(client, fname, dbuf);
-	goto foundcache;
-
-	/*
-	 * Look for a zone database that might contain authoritative
-	 * additional data.
-	 */
- findauthdb:
-	result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
-				 &zone, &db, &version);
-	if (result != ISC_R_SUCCESS) {
-		/* Cache the negative result */
-		(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
-						 type, client->view->acache,
-						 NULL, NULL, NULL, NULL,
-						 NULL);
-		goto try_cache;
-	}
-
-	CTRACE("query_addadditional2: db_find");
-
-	/*
-	 * Since we are looking for authoritative data, we do not set
-	 * the GLUEOK flag.  Glue will be looked for later, but not
-	 * necessarily in the same database.
-	 */
-	node = NULL;
-	result = dns_db_findext(db, name, version, type,
-				client->query.dboptions,
-				client->now, &node, fname, &cm, &ci,
-				NULL, NULL);
-	if (result == ISC_R_SUCCESS)
-		goto found;
-
-	/* Cache the negative result */
-	(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
-					 type, client->view->acache, zone, db,
-					 version, NULL, fname);
-
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	version = NULL;
-	dns_db_detach(&db);
-
-	/*
-	 * No authoritative data was found.  The cache is our next best bet.
-	 */
-
- try_cache:
-	additionaltype = dns_rdatasetadditional_fromcache;
-	result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
-	if (result != ISC_R_SUCCESS)
-		/*
-		 * Most likely the client isn't allowed to query the cache.
-		 */
-		goto try_glue;
-
-	result = dns_db_findext(db, name, version, type,
-				client->query.dboptions |
-				 DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
-				client->now, &node, fname, &cm, &ci,
-				NULL, NULL);
-	if (result == ISC_R_SUCCESS)
-		goto found;
-
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	dns_db_detach(&db);
-
- try_glue:
-	/*
-	 * No cached data was found.  Glue is our last chance.
-	 * RFC1035 sayeth:
-	 *
-	 *	NS records cause both the usual additional section
-	 *	processing to locate a type A record, and, when used
-	 *	in a referral, a special search of the zone in which
-	 *	they reside for glue information.
-	 *
-	 * This is the "special search".  Note that we must search
-	 * the zone where the NS record resides, not the zone it
-	 * points to, and that we only do the search in the delegation
-	 * case (identified by client->query.gluedb being set).
-	 */
-	if (client->query.gluedb == NULL)
-		goto cleanup;
-
-	/*
-	 * Don't poison caches using the bailiwick protection model.
-	 */
-	if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
-		goto cleanup;
-
-	/* Check additional cache */
-	additionaltype = dns_rdatasetadditional_fromglue;
-	result = dns_rdataset_getadditional(rdataset_base, additionaltype,
-					    type, client->view->acache, NULL,
-					    &cdb, &cversion, &cnode, &cfname,
-					    client->message, client->now);
-	if (result != ISC_R_SUCCESS)
-		goto findglue;
-
-	result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
-	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_addadditional2: old glue additional cache");
-		query_discardcache(client, rdataset_base, additionaltype,
-				   type, &zone, &cdb, &cversion, &cnode,
-				   &cfname);
-		goto findglue;
-	}
-
-	if (cnode == NULL) {
-		/* We have a negative cache. */
-		CTRACE("query_addadditional2: negative glue additional cache");
-		dns_db_closeversion(cdb, &cversion, ISC_FALSE);
-		dns_db_detach(&cdb);
-		goto cleanup;
-	}
-
-	/* Cache hit. */
-	CTRACE("query_addadditional2: glue additional cache");
-	dns_db_closeversion(cdb, &cversion, ISC_FALSE);
-	db = cdb;
-	node = cnode;
-	dns_name_clone(&cfname, fname);
-	query_keepname(client, fname, dbuf);
-	goto foundcache;
-
- findglue:
-	dns_db_attach(client->query.gluedb, &db);
-	result = dns_db_findext(db, name, version, type,
-				client->query.dboptions | DNS_DBFIND_GLUEOK,
-				client->now, &node, fname, &cm, &ci,
-				NULL, NULL);
-	if (!(result == ISC_R_SUCCESS ||
-	      result == DNS_R_ZONECUT ||
-	      result == DNS_R_GLUE)) {
-		/* cache the negative result */
-		(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
-						 type, client->view->acache,
-						 NULL, db, version, NULL,
-						 fname);
-		goto cleanup;
-	}
-
- found:
-	/*
-	 * We have found a DB node to iterate over from a DB.
-	 * We are going to look for address RRsets (i.e., A and AAAA) in the DB
-	 * node we've just found.  We'll then store the complete information
-	 * in the additional data cache.
-	 */
-	dns_name_clone(fname, &cfname);
-	query_keepname(client, fname, dbuf);
-	needadditionalcache = ISC_TRUE;
-
-	rdataset = query_newrdataset(client);
-	if (rdataset == NULL)
-		goto cleanup;
-
-	sigrdataset = query_newrdataset(client);
-	if (sigrdataset == NULL)
-		goto cleanup;
-
-	if (additionaltype == dns_rdatasetadditional_fromcache &&
-	    query_isduplicate(client, fname, dns_rdatatype_a, NULL))
-		goto aaaa_lookup;
-	/*
-	 * Find A RRset with sig RRset.  Even if we don't find a sig RRset
-	 * for a client using DNSSEC, we'll continue the process to make a
-	 * complete list to be cached.  However, we need to cancel the
-	 * caching when something unexpected happens, in order to avoid
-	 * caching incomplete information.
-	 */
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
-				     client->now, rdataset, sigrdataset);
-	/*
-	 * If we can't promote glue/pending from the cache to secure
-	 * then drop it.
-	 */
-	if (result == ISC_R_SUCCESS &&
-	    additionaltype == dns_rdatasetadditional_fromcache &&
-	    (DNS_TRUST_PENDING(rdataset->trust) ||
-	     DNS_TRUST_GLUE(rdataset->trust)) &&
-	    !validate(client, db, fname, rdataset, sigrdataset)) {
-		dns_rdataset_disassociate(rdataset);
-		if (dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-		result = ISC_R_NOTFOUND;
-	}
-	if (result == DNS_R_NCACHENXDOMAIN)
-		goto setcache;
-	if (result == DNS_R_NCACHENXRRSET) {
-		dns_rdataset_disassociate(rdataset);
-		if (dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-	}
-	if (result == ISC_R_SUCCESS) {
-		/* Remember the result as a cache */
-		ISC_LIST_APPEND(cfname.list, rdataset, link);
-		if (dns_rdataset_isassociated(sigrdataset)) {
-			ISC_LIST_APPEND(cfname.list, sigrdataset, link);
-			sigrdataset = query_newrdataset(client);
-		}
-		rdataset = query_newrdataset(client);
-		if (sigrdataset == NULL || rdataset == NULL) {
-			/* do not cache incomplete information */
-			goto foundcache;
-		}
-	}
-
- aaaa_lookup:
-	if (additionaltype == dns_rdatasetadditional_fromcache &&
-	    query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
-		goto foundcache;
-	/* Find AAAA RRset with sig RRset */
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
-				     0, client->now, rdataset, sigrdataset);
-	/*
-	 * If we can't promote glue/pending from the cache to secure
-	 * then drop it.
-	 */
-	if (result == ISC_R_SUCCESS &&
-	    additionaltype == dns_rdatasetadditional_fromcache &&
-	    (DNS_TRUST_PENDING(rdataset->trust) ||
-	     DNS_TRUST_GLUE(rdataset->trust)) &&
-	    !validate(client, db, fname, rdataset, sigrdataset)) {
-		dns_rdataset_disassociate(rdataset);
-		if (dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-		result = ISC_R_NOTFOUND;
-	}
-	if (result == ISC_R_SUCCESS) {
-		ISC_LIST_APPEND(cfname.list, rdataset, link);
-		rdataset = NULL;
-		if (dns_rdataset_isassociated(sigrdataset)) {
-			ISC_LIST_APPEND(cfname.list, sigrdataset, link);
-			sigrdataset = NULL;
-		}
-	}
-
- setcache:
-	/*
-	 * Set the new result in the cache if required.  We do not support
-	 * caching additional data from a cache DB.
-	 */
-	if (needadditionalcache == ISC_TRUE &&
-	    (additionaltype == dns_rdatasetadditional_fromauth ||
-	     additionaltype == dns_rdatasetadditional_fromglue)) {
-		(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
-						 type, client->view->acache,
-						 zone, db, version, node,
-						 &cfname);
-	}
-
- foundcache:
-	need_sigrrset = ISC_FALSE;
-	mname0 = NULL;
-	for (crdataset = ISC_LIST_HEAD(cfname.list);
-	     crdataset != NULL;
-	     crdataset = crdataset_next) {
-		dns_name_t *mname;
-
-		crdataset_next = ISC_LIST_NEXT(crdataset, link);
-
-		mname = NULL;
-		if (crdataset->type == dns_rdatatype_a ||
-		    crdataset->type == dns_rdatatype_aaaa) {
-			if (!query_isduplicate(client, fname, crdataset->type,
-					       &mname)) {
-				if (mname != fname) {
-					if (mname != NULL) {
-						/*
-						 * A different type of this name is
-						 * already stored in the additional
-						 * section.  We'll reuse the name.
-						 * Note that this should happen at most
-						 * once.  Otherwise, fname->link could
-						 * leak below.
-						 */
-						INSIST(mname0 == NULL);
-
-						query_releasename(client, &fname);
-						fname = mname;
-						mname0 = mname;
-					} else
-						need_addname = ISC_TRUE;
-				}
-				ISC_LIST_UNLINK(cfname.list, crdataset, link);
-				ISC_LIST_APPEND(fname->list, crdataset, link);
-				added_something = ISC_TRUE;
-				need_sigrrset = ISC_TRUE;
-			} else
-				need_sigrrset = ISC_FALSE;
-		} else if (crdataset->type == dns_rdatatype_rrsig &&
-			   need_sigrrset && WANTDNSSEC(client)) {
-			ISC_LIST_UNLINK(cfname.list, crdataset, link);
-			ISC_LIST_APPEND(fname->list, crdataset, link);
-			added_something = ISC_TRUE; /* just in case */
-			need_sigrrset = ISC_FALSE;
-		}
-	}
-
-	CTRACE("query_addadditional2: addname");
-
-	/*
-	 * If we haven't added anything, then we're done.
-	 */
-	if (!added_something)
-		goto cleanup;
-
-	/*
-	 * We may have added our rdatasets to an existing name, if so, then
-	 * need_addname will be ISC_FALSE.  Whether we used an existing name
-	 * or a new one, we must set fname to NULL to prevent cleanup.
-	 */
-	if (need_addname)
-		dns_message_addname(client->message, fname,
-				    DNS_SECTION_ADDITIONAL);
-	fname = NULL;
-
- cleanup:
-	CTRACE("query_addadditional2: cleanup");
-
-	if (rdataset != NULL)
-		query_putrdataset(client, &rdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &sigrdataset);
-	while  ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) {
-		ISC_LIST_UNLINK(cfname.list, crdataset, link);
-		query_putrdataset(client, &crdataset);
-	}
-	if (fname != NULL)
-		query_releasename(client, &fname);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-
-	CTRACE("query_addadditional2: done");
-	return (eresult);
-}
-
-static inline void
-query_addrdataset(ns_client_t *client, dns_name_t *fname,
-		  dns_rdataset_t *rdataset)
-{
-	client_additionalctx_t additionalctx;
-
-	/*
-	 * Add 'rdataset' and any pertinent additional data to
-	 * 'fname', a name in the response message for 'client'.
-	 */
-
-	CTRACE("query_addrdataset");
-
-	ISC_LIST_APPEND(fname->list, rdataset, link);
-
-	if (client->view->order != NULL)
-		rdataset->attributes |= dns_order_find(client->view->order,
-						       fname, rdataset->type,
-						       rdataset->rdclass);
-	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
-
-	if (NOADDITIONAL(client))
-		return;
-
-	/*
-	 * Add additional data.
-	 *
-	 * We don't care if dns_rdataset_additionaldata() fails.
-	 */
-	additionalctx.client = client;
-	additionalctx.rdataset = rdataset;
-	(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
-					  &additionalctx);
-	CTRACE("query_addrdataset: done");
-}
-
-static isc_result_t
-query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
-	    dns_rdataset_t *sigrdataset, isc_buffer_t *dbuf,
-	    dns_section_t section)
-{
-	dns_name_t *name, *mname;
-	dns_rdata_t *dns64_rdata;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdatalist_t *dns64_rdatalist;
-	dns_rdataset_t *dns64_rdataset;
-	dns_rdataset_t *mrdataset;
-	isc_buffer_t *buffer;
-	isc_region_t r;
-	isc_result_t result;
-	dns_view_t *view = client->view;
-	isc_netaddr_t netaddr;
-	dns_dns64_t *dns64;
-	unsigned int flags = 0;
-
-	/*%
-	 * To the current response for 'client', add the answer RRset
-	 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
-	 * owner name '*namep', to section 'section', unless they are
-	 * already there.  Also add any pertinent additional data.
-	 *
-	 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
-	 * stored in 'dbuf'.  In this case, query_addrrset() guarantees that
-	 * when it returns the name will either have been kept or released.
-	 */
-	CTRACE("query_dns64");
-	name = *namep;
-	mname = NULL;
-	mrdataset = NULL;
-	buffer = NULL;
-	dns64_rdata = NULL;
-	dns64_rdataset = NULL;
-	dns64_rdatalist = NULL;
-	result = dns_message_findname(client->message, section,
-				      name, dns_rdatatype_aaaa,
-				      rdataset->covers,
-				      &mname, &mrdataset);
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * We've already got an RRset of the given name and type.
-		 * There's nothing else to do;
-		 */
-		CTRACE("query_dns64: dns_message_findname succeeded: done");
-		if (dbuf != NULL)
-			query_releasename(client, namep);
-		return (ISC_R_SUCCESS);
-	} else if (result == DNS_R_NXDOMAIN) {
-		/*
-		 * The name doesn't exist.
-		 */
-		if (dbuf != NULL)
-			query_keepname(client, name, dbuf);
-		dns_message_addname(client->message, name, section);
-		*namep = NULL;
-		mname = name;
-	} else {
-		RUNTIME_CHECK(result == DNS_R_NXRRSET);
-		if (dbuf != NULL)
-			query_releasename(client, namep);
-	}
-
-	if (rdataset->trust != dns_trust_secure &&
-	    (section == DNS_SECTION_ANSWER ||
-	     section == DNS_SECTION_AUTHORITY))
-		client->query.attributes &= ~NS_QUERYATTR_SECURE;
-
-	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
-	result = isc_buffer_allocate(client->mctx, &buffer, view->dns64cnt *
-				     16 * dns_rdataset_count(rdataset));
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_gettemprdataset(client->message, &dns64_rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_gettemprdatalist(client->message,
-					      &dns64_rdatalist);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_rdataset_init(dns64_rdataset);
-	dns_rdatalist_init(dns64_rdatalist);
-	dns64_rdatalist->rdclass = dns_rdataclass_in;
-	dns64_rdatalist->type = dns_rdatatype_aaaa;
-	if (client->query.dns64_ttl != ISC_UINT32_MAX)
-		dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl,
-					       client->query.dns64_ttl);
-	else
-		dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl, 600);
-
-	if (RECURSIONOK(client))
-		flags |= DNS_DNS64_RECURSIVE;
-
-	/*
-	 * We use the signatures from the A lookup to set DNS_DNS64_DNSSEC
-	 * as this provides a easy way to see if the answer was signed.
-	 */
-	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
-		flags |= DNS_DNS64_DNSSEC;
-
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		for (dns64 = ISC_LIST_HEAD(client->view->dns64);
-		     dns64 != NULL; dns64 = dns_dns64_next(dns64)) {
-
-			dns_rdataset_current(rdataset, &rdata);
-			isc__buffer_availableregion(buffer, &r);
-			INSIST(r.length >= 16);
-			result = dns_dns64_aaaafroma(dns64, &netaddr,
-						     client->signer,
-						     &ns_g_server->aclenv,
-						     flags, rdata.data, r.base);
-			if (result != ISC_R_SUCCESS) {
-				dns_rdata_reset(&rdata);
-				continue;
-			}
-			isc_buffer_add(buffer, 16);
-			isc_buffer_remainingregion(buffer, &r);
-			isc_buffer_forward(buffer, 16);
-			result = dns_message_gettemprdata(client->message,
-							  &dns64_rdata);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			dns_rdata_init(dns64_rdata);
-			dns_rdata_fromregion(dns64_rdata, dns_rdataclass_in,
-					     dns_rdatatype_aaaa, &r);
-			ISC_LIST_APPEND(dns64_rdatalist->rdata, dns64_rdata,
-					link);
-			dns64_rdata = NULL;
-			dns_rdata_reset(&rdata);
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		goto cleanup;
-
-	if (ISC_LIST_EMPTY(dns64_rdatalist->rdata))
-		goto cleanup;
-
-	result = dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
-	dns64_rdataset->trust = rdataset->trust;
-	query_addrdataset(client, mname, dns64_rdataset);
-	dns64_rdataset = NULL;
-	dns64_rdatalist = NULL;
-	dns_message_takebuffer(client->message, &buffer);
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	if (buffer != NULL)
-		isc_buffer_free(&buffer);
-
-	if (dns64_rdata != NULL)
-		dns_message_puttemprdata(client->message, &dns64_rdata);
-
-	if (dns64_rdataset != NULL)
-		dns_message_puttemprdataset(client->message, &dns64_rdataset);
-
-	if (dns64_rdatalist != NULL) {
-		for (dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata);
-		     dns64_rdata != NULL;
-		     dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata))
-		{
-			ISC_LIST_UNLINK(dns64_rdatalist->rdata,
-					dns64_rdata, link);
-			dns_message_puttemprdata(client->message, &dns64_rdata);
-		}
-		dns_message_puttemprdatalist(client->message, &dns64_rdatalist);
-	}
-
-	CTRACE("query_dns64: done");
-	return (result);
-}
-
-static void
-query_filter64(ns_client_t *client, dns_name_t **namep,
-	       dns_rdataset_t *rdataset, isc_buffer_t *dbuf,
-	       dns_section_t section)
-{
-	dns_name_t *name, *mname;
-	dns_rdata_t *myrdata;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdatalist_t *myrdatalist;
-	dns_rdataset_t *myrdataset;
-	isc_buffer_t *buffer;
-	isc_region_t r;
-	isc_result_t result;
-	unsigned int i;
-
-	CTRACE("query_filter64");
-
-	INSIST(client->query.dns64_aaaaok != NULL);
-	INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset));
-
-	name = *namep;
-	mname = NULL;
-	buffer = NULL;
-	myrdata = NULL;
-	myrdataset = NULL;
-	myrdatalist = NULL;
-	result = dns_message_findname(client->message, section,
-				      name, dns_rdatatype_aaaa,
-				      rdataset->covers,
-				      &mname, &myrdataset);
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * We've already got an RRset of the given name and type.
-		 * There's nothing else to do;
-		 */
-		CTRACE("query_filter64: dns_message_findname succeeded: done");
-		if (dbuf != NULL)
-			query_releasename(client, namep);
-		return;
-	} else if (result == DNS_R_NXDOMAIN) {
-		mname = name;
-		*namep = NULL;
-	} else {
-		RUNTIME_CHECK(result == DNS_R_NXRRSET);
-		if (dbuf != NULL)
-			query_releasename(client, namep);
-		dbuf = NULL;
-	}
-
-	if (rdataset->trust != dns_trust_secure &&
-	    (section == DNS_SECTION_ANSWER ||
-	     section == DNS_SECTION_AUTHORITY))
-		client->query.attributes &= ~NS_QUERYATTR_SECURE;
-
-	result = isc_buffer_allocate(client->mctx, &buffer,
-				     16 * dns_rdataset_count(rdataset));
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_gettemprdataset(client->message, &myrdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_gettemprdatalist(client->message, &myrdatalist);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_rdataset_init(myrdataset);
-	dns_rdatalist_init(myrdatalist);
-	myrdatalist->rdclass = dns_rdataclass_in;
-	myrdatalist->type = dns_rdatatype_aaaa;
-	myrdatalist->ttl = rdataset->ttl;
-
-	i = 0;
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		if (!client->query.dns64_aaaaok[i++])
-			continue;
-		dns_rdataset_current(rdataset, &rdata);
-		INSIST(rdata.length == 16);
-		isc_buffer_putmem(buffer, rdata.data, rdata.length);
-		isc_buffer_remainingregion(buffer, &r);
-		isc_buffer_forward(buffer, rdata.length);
-		result = dns_message_gettemprdata(client->message, &myrdata);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		dns_rdata_init(myrdata);
-		dns_rdata_fromregion(myrdata, dns_rdataclass_in,
-				     dns_rdatatype_aaaa, &r);
-		ISC_LIST_APPEND(myrdatalist->rdata, myrdata, link);
-		myrdata = NULL;
-		dns_rdata_reset(&rdata);
-	}
-	if (result != ISC_R_NOMORE)
-		goto cleanup;
-
-	result = dns_rdatalist_tordataset(myrdatalist, myrdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
-	if (mname == name) {
-		if (dbuf != NULL)
-			query_keepname(client, name, dbuf);
-		dns_message_addname(client->message, name, section);
-		dbuf = NULL;
-	}
-	myrdataset->trust = rdataset->trust;
-	query_addrdataset(client, mname, myrdataset);
-	myrdataset = NULL;
-	myrdatalist = NULL;
-	dns_message_takebuffer(client->message, &buffer);
-
- cleanup:
-	if (buffer != NULL)
-		isc_buffer_free(&buffer);
-
-	if (myrdata != NULL)
-		dns_message_puttemprdata(client->message, &myrdata);
-
-	if (myrdataset != NULL)
-		dns_message_puttemprdataset(client->message, &myrdataset);
-
-	if (myrdatalist != NULL) {
-		for (myrdata = ISC_LIST_HEAD(myrdatalist->rdata);
-		     myrdata != NULL;
-		     myrdata = ISC_LIST_HEAD(myrdatalist->rdata))
-		{
-			ISC_LIST_UNLINK(myrdatalist->rdata, myrdata, link);
-			dns_message_puttemprdata(client->message, &myrdata);
-		}
-		dns_message_puttemprdatalist(client->message, &myrdatalist);
-	}
-	if (dbuf != NULL)
-		query_releasename(client, &name);
-
-	CTRACE("query_filter64: done");
-}
-
-static void
-query_addrrset(ns_client_t *client, dns_name_t **namep,
-	       dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
-	       isc_buffer_t *dbuf, dns_section_t section)
-{
-	dns_name_t *name, *mname;
-	dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
-	isc_result_t result;
-
-	/*%
-	 * To the current response for 'client', add the answer RRset
-	 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
-	 * owner name '*namep', to section 'section', unless they are
-	 * already there.  Also add any pertinent additional data.
-	 *
-	 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
-	 * stored in 'dbuf'.  In this case, query_addrrset() guarantees that
-	 * when it returns the name will either have been kept or released.
-	 */
-	CTRACE("query_addrrset");
-	name = *namep;
-	rdataset = *rdatasetp;
-	if (sigrdatasetp != NULL)
-		sigrdataset = *sigrdatasetp;
-	else
-		sigrdataset = NULL;
-	mname = NULL;
-	mrdataset = NULL;
-	result = dns_message_findname(client->message, section,
-				      name, rdataset->type, rdataset->covers,
-				      &mname, &mrdataset);
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * We've already got an RRset of the given name and type.
-		 * There's nothing else to do;
-		 */
-		CTRACE("query_addrrset: dns_message_findname succeeded: done");
-		if (dbuf != NULL)
-			query_releasename(client, namep);
-		return;
-	} else if (result == DNS_R_NXDOMAIN) {
-		/*
-		 * The name doesn't exist.
-		 */
-		if (dbuf != NULL)
-			query_keepname(client, name, dbuf);
-		dns_message_addname(client->message, name, section);
-		*namep = NULL;
-		mname = name;
-	} else {
-		RUNTIME_CHECK(result == DNS_R_NXRRSET);
-		if (dbuf != NULL)
-			query_releasename(client, namep);
-	}
-
-	if (rdataset->trust != dns_trust_secure &&
-	    (section == DNS_SECTION_ANSWER ||
-	     section == DNS_SECTION_AUTHORITY))
-		client->query.attributes &= ~NS_QUERYATTR_SECURE;
-	/*
-	 * Note: we only add SIGs if we've added the type they cover, so
-	 * we do not need to check if the SIG rdataset is already in the
-	 * response.
-	 */
-	query_addrdataset(client, mname, rdataset);
-	*rdatasetp = NULL;
-	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
-		/*
-		 * We have a signature.  Add it to the response.
-		 */
-		ISC_LIST_APPEND(mname->list, sigrdataset, link);
-		*sigrdatasetp = NULL;
-	}
-	CTRACE("query_addrrset: done");
-}
-
-static inline isc_result_t
-query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
-	     unsigned int override_ttl, isc_boolean_t isassociated)
-{
-	dns_name_t *name;
-	dns_dbnode_t *node;
-	isc_result_t result, eresult;
-	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
-	dns_rdataset_t **sigrdatasetp = NULL;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	CTRACE("query_addsoa");
-	/*
-	 * Initialization.
-	 */
-	eresult = ISC_R_SUCCESS;
-	name = NULL;
-	rdataset = NULL;
-	node = NULL;
-
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	/*
-	 * Don't add the SOA record for test which set "-T nosoa".
-	 */
-	if (ns_g_nosoa && (!WANTDNSSEC(client) || !isassociated))
-		return (ISC_R_SUCCESS);
-
-	/*
-	 * Get resources and make 'name' be the database origin.
-	 */
-	result = dns_message_gettempname(client->message, &name);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_name_init(name, NULL);
-	dns_name_clone(dns_db_origin(db), name);
-	rdataset = query_newrdataset(client);
-	if (rdataset == NULL) {
-		eresult = DNS_R_SERVFAIL;
-		goto cleanup;
-	}
-	if (WANTDNSSEC(client) && dns_db_issecure(db)) {
-		sigrdataset = query_newrdataset(client);
-		if (sigrdataset == NULL) {
-			eresult = DNS_R_SERVFAIL;
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * Find the SOA.
-	 */
-	result = dns_db_getoriginnode(db, &node);
-	if (result == ISC_R_SUCCESS) {
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_soa, 0, client->now,
-					     rdataset, sigrdataset);
-	} else {
-		dns_fixedname_t foundname;
-		dns_name_t *fname;
-
-		dns_fixedname_init(&foundname);
-		fname = dns_fixedname_name(&foundname);
-
-		result = dns_db_findext(db, name, version, dns_rdatatype_soa,
-					client->query.dboptions, 0, &node,
-					fname, &cm, &ci, rdataset, sigrdataset);
-	}
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * This is bad.  We tried to get the SOA RR at the zone top
-		 * and it didn't work!
-		 */
-		eresult = DNS_R_SERVFAIL;
-	} else {
-		/*
-		 * Extract the SOA MINIMUM.
-		 */
-		dns_rdata_soa_t soa;
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		result = dns_rdataset_first(rdataset);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &soa, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		if (override_ttl != ISC_UINT32_MAX &&
-		    override_ttl < rdataset->ttl) {
-			rdataset->ttl = override_ttl;
-			if (sigrdataset != NULL)
-				sigrdataset->ttl = override_ttl;
-		}
-
-		/*
-		 * Add the SOA and its SIG to the response, with the
-		 * TTLs adjusted per RFC2308 section 3.
-		 */
-		if (rdataset->ttl > soa.minimum)
-			rdataset->ttl = soa.minimum;
-		if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum)
-			sigrdataset->ttl = soa.minimum;
-
-		if (sigrdataset != NULL)
-			sigrdatasetp = &sigrdataset;
-		else
-			sigrdatasetp = NULL;
-		query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
-			       DNS_SECTION_AUTHORITY);
-	}
-
- cleanup:
-	query_putrdataset(client, &rdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &sigrdataset);
-	if (name != NULL)
-		query_releasename(client, &name);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-
-	return (eresult);
-}
-
-static inline isc_result_t
-query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
-	dns_name_t *name, *fname;
-	dns_dbnode_t *node;
-	isc_result_t result, eresult;
-	dns_fixedname_t foundname;
-	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
-	dns_rdataset_t **sigrdatasetp = NULL;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	CTRACE("query_addns");
-	/*
-	 * Initialization.
-	 */
-	eresult = ISC_R_SUCCESS;
-	name = NULL;
-	rdataset = NULL;
-	node = NULL;
-	dns_fixedname_init(&foundname);
-	fname = dns_fixedname_name(&foundname);
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	/*
-	 * Get resources and make 'name' be the database origin.
-	 */
-	result = dns_message_gettempname(client->message, &name);
-	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_addns: dns_message_gettempname failed: done");
-		return (result);
-	}
-	dns_name_init(name, NULL);
-	dns_name_clone(dns_db_origin(db), name);
-	rdataset = query_newrdataset(client);
-	if (rdataset == NULL) {
-		CTRACE("query_addns: query_newrdataset failed");
-		eresult = DNS_R_SERVFAIL;
-		goto cleanup;
-	}
-	if (WANTDNSSEC(client) && dns_db_issecure(db)) {
-		sigrdataset = query_newrdataset(client);
-		if (sigrdataset == NULL) {
-			CTRACE("query_addns: query_newrdataset failed");
-			eresult = DNS_R_SERVFAIL;
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * Find the NS rdataset.
-	 */
-	result = dns_db_getoriginnode(db, &node);
-	if (result == ISC_R_SUCCESS) {
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_ns, 0, client->now,
-					     rdataset, sigrdataset);
-	} else {
-		CTRACE("query_addns: calling dns_db_find");
-		result = dns_db_findext(db, name, NULL, dns_rdatatype_ns,
-					client->query.dboptions, 0, &node,
-					fname, &cm, &ci, rdataset, sigrdataset);
-		CTRACE("query_addns: dns_db_find complete");
-	}
-	if (result != ISC_R_SUCCESS) {
-		CTRACE("query_addns: "
-		       "dns_db_findrdataset or dns_db_find failed");
-		/*
-		 * This is bad.  We tried to get the NS rdataset at the zone
-		 * top and it didn't work!
-		 */
-		eresult = DNS_R_SERVFAIL;
-	} else {
-		if (sigrdataset != NULL)
-			sigrdatasetp = &sigrdataset;
-		else
-			sigrdatasetp = NULL;
-		query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
-			       DNS_SECTION_AUTHORITY);
-	}
-
- cleanup:
-	CTRACE("query_addns: cleanup");
-	query_putrdataset(client, &rdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &sigrdataset);
-	if (name != NULL)
-		query_releasename(client, &name);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-
-	CTRACE("query_addns: done");
-	return (eresult);
-}
-
-static isc_result_t
-query_add_cname(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
-		dns_trust_t trust, dns_ttl_t ttl)
-{
-	dns_rdataset_t *rdataset;
-	dns_rdatalist_t *rdatalist;
-	dns_rdata_t *rdata;
-	isc_region_t r;
-	dns_name_t *aname;
-	isc_result_t result;
-
-	/*
-	 * We assume the name data referred to by tname won't go away.
-	 */
-
-	aname = NULL;
-	result = dns_message_gettempname(client->message, &aname);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_name_dup(qname, client->mctx, aname);
-	if (result != ISC_R_SUCCESS) {
-		dns_message_puttempname(client->message, &aname);
-		return (result);
-	}
-
-	rdatalist = NULL;
-	result = dns_message_gettemprdatalist(client->message, &rdatalist);
-	if (result != ISC_R_SUCCESS) {
-		dns_message_puttempname(client->message, &aname);
-		return (result);
-	}
-	rdata = NULL;
-	result = dns_message_gettemprdata(client->message, &rdata);
-	if (result != ISC_R_SUCCESS) {
-		dns_message_puttempname(client->message, &aname);
-		dns_message_puttemprdatalist(client->message, &rdatalist);
-		return (result);
-	}
-	rdataset = NULL;
-	result = dns_message_gettemprdataset(client->message, &rdataset);
-	if (result != ISC_R_SUCCESS) {
-		dns_message_puttempname(client->message, &aname);
-		dns_message_puttemprdatalist(client->message, &rdatalist);
-		dns_message_puttemprdata(client->message, &rdata);
-		return (result);
-	}
-	dns_rdataset_init(rdataset);
-	rdatalist->type = dns_rdatatype_cname;
-	rdatalist->covers = 0;
-	rdatalist->rdclass = client->message->rdclass;
-	rdatalist->ttl = ttl;
-
-	dns_name_toregion(tname, &r);
-	rdata->data = r.base;
-	rdata->length = r.length;
-	rdata->rdclass = client->message->rdclass;
-	rdata->type = dns_rdatatype_cname;
-
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
-		      == ISC_R_SUCCESS);
-	rdataset->trust = trust;
-
-	query_addrrset(client, &aname, &rdataset, NULL, NULL,
-		       DNS_SECTION_ANSWER);
-	if (rdataset != NULL) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		dns_message_puttemprdataset(client->message, &rdataset);
-	}
-	if (aname != NULL)
-		dns_message_puttempname(client->message, &aname);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Mark the RRsets as secure.  Update the cache (db) to reflect the
- * change in trust level.
- */
-static void
-mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
-	    dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset,
-	    dns_rdataset_t *sigrdataset)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-	isc_stdtime_t now;
-
-	rdataset->trust = dns_trust_secure;
-	sigrdataset->trust = dns_trust_secure;
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	/*
-	 * Save the updated secure state.  Ignore failures.
-	 */
-	result = dns_db_findnodeext(db, name, ISC_TRUE, &cm, &ci, &node);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	isc_stdtime_get(&now);
-	dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now,
-			     client->view->acceptexpired);
-
-	(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
-				 0, NULL);
-	(void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
-				 0, NULL);
-	dns_db_detachnode(db, &node);
-}
-
-/*
- * Find the secure key that corresponds to rrsig.
- * Note: 'keyrdataset' maintains state between successive calls,
- * there may be multiple keys with the same keyid.
- * Return ISC_FALSE if we have exhausted all the possible keys.
- */
-static isc_boolean_t
-get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
-	dns_rdataset_t *keyrdataset, dst_key_t **keyp)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	isc_boolean_t secure = ISC_FALSE;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	if (!dns_rdataset_isassociated(keyrdataset)) {
-		result = dns_db_findnodeext(db, &rrsig->signer, ISC_FALSE,
-					    &cm, &ci, &node);
-		if (result != ISC_R_SUCCESS)
-			return (ISC_FALSE);
-
-		result = dns_db_findrdataset(db, node, NULL,
-					     dns_rdatatype_dnskey, 0,
-					     client->now, keyrdataset, NULL);
-		dns_db_detachnode(db, &node);
-		if (result != ISC_R_SUCCESS)
-			return (ISC_FALSE);
-
-		if (keyrdataset->trust != dns_trust_secure)
-			return (ISC_FALSE);
-
-		result = dns_rdataset_first(keyrdataset);
-	} else
-		result = dns_rdataset_next(keyrdataset);
-
-	for ( ; result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(keyrdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		isc_buffer_t b;
-
-		dns_rdataset_current(keyrdataset, &rdata);
-		isc_buffer_init(&b, rdata.data, rdata.length);
-		isc_buffer_add(&b, rdata.length);
-		result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b,
-					 client->mctx, keyp);
-		if (result != ISC_R_SUCCESS)
-			continue;
-		if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) &&
-		    rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) &&
-		    dst_key_iszonekey(*keyp)) {
-			secure = ISC_TRUE;
-			break;
-		}
-		dst_key_free(keyp);
-	}
-	return (secure);
-}
-
-static isc_boolean_t
-verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
-       dns_rdata_t *rdata, ns_client_t *client)
-{
-	isc_result_t result;
-	dns_fixedname_t fixed;
-	isc_boolean_t ignore = ISC_FALSE;
-
-	dns_fixedname_init(&fixed);
-
-again:
-	result = dns_dnssec_verify3(name, rdataset, key, ignore,
-				    client->view->maxbits, client->mctx,
-				    rdata, NULL);
-	if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) {
-		ignore = ISC_TRUE;
-		goto again;
-	}
-	if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-/*
- * Validate the rdataset if possible with available records.
- */
-static isc_boolean_t
-validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
-	 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_rrsig_t rrsig;
-	dst_key_t *key = NULL;
-	dns_rdataset_t keyrdataset;
-
-	if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
-		return (ISC_FALSE);
-
-	for (result = dns_rdataset_first(sigrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(sigrdataset)) {
-
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(sigrdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (ISC_FALSE);
-		if (!dns_resolver_algorithm_supported(client->view->resolver,
-						      name, rrsig.algorithm))
-			continue;
-		if (!dns_name_issubdomain(name, &rrsig.signer))
-			continue;
-		dns_rdataset_init(&keyrdataset);
-		do {
-			if (!get_key(client, db, &rrsig, &keyrdataset, &key))
-				break;
-			if (verify(key, name, rdataset, &rdata, client)) {
-				dst_key_free(&key);
-				dns_rdataset_disassociate(&keyrdataset);
-				mark_secure(client, db, name, &rrsig,
-					    rdataset, sigrdataset);
-				return (ISC_TRUE);
-			}
-			dst_key_free(&key);
-		} while (1);
-		if (dns_rdataset_isassociated(&keyrdataset))
-			dns_rdataset_disassociate(&keyrdataset);
-	}
-	return (ISC_FALSE);
-}
-
-static void
-query_addbestns(ns_client_t *client) {
-	dns_db_t *db, *zdb;
-	dns_dbnode_t *node;
-	dns_name_t *fname, *zfname;
-	dns_rdataset_t *rdataset, *sigrdataset, *zrdataset, *zsigrdataset;
-	isc_boolean_t is_zone, use_zone;
-	isc_buffer_t *dbuf;
-	isc_result_t result;
-	dns_dbversion_t *version;
-	dns_zone_t *zone;
-	isc_buffer_t b;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	CTRACE("query_addbestns");
-	fname = NULL;
-	zfname = NULL;
-	rdataset = NULL;
-	zrdataset = NULL;
-	sigrdataset = NULL;
-	zsigrdataset = NULL;
-	node = NULL;
-	db = NULL;
-	zdb = NULL;
-	version = NULL;
-	zone = NULL;
-	is_zone = ISC_FALSE;
-	use_zone = ISC_FALSE;
-
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	/*
-	 * Find the right database.
-	 */
-	result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
-			     &zone, &db, &version, &is_zone);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
- db_find:
-	/*
-	 * We'll need some resources...
-	 */
-	dbuf = query_getnamebuf(client);
-	if (dbuf == NULL)
-		goto cleanup;
-	fname = query_newname(client, dbuf, &b);
-	rdataset = query_newrdataset(client);
-	if (fname == NULL || rdataset == NULL)
-		goto cleanup;
-	/*
-	 * Get the RRSIGs if the client requested them or if we may
-	 * need to validate answers from the cache.
-	 */
-	if (WANTDNSSEC(client) || !is_zone) {
-		sigrdataset = query_newrdataset(client);
-		if (sigrdataset == NULL)
-			goto cleanup;
-	}
-
-	/*
-	 * Now look for the zonecut.
-	 */
-	if (is_zone) {
-		result = dns_db_findext(db, client->query.qname, version,
-					dns_rdatatype_ns,
-					client->query.dboptions,
-					client->now, &node, fname,
-					&cm, &ci, rdataset, sigrdataset);
-		if (result != DNS_R_DELEGATION)
-			goto cleanup;
-		if (USECACHE(client)) {
-			query_keepname(client, fname, dbuf);
-			zdb = db;
-			zfname = fname;
-			fname = NULL;
-			zrdataset = rdataset;
-			rdataset = NULL;
-			zsigrdataset = sigrdataset;
-			sigrdataset = NULL;
-			dns_db_detachnode(db, &node);
-			version = NULL;
-			db = NULL;
-			dns_db_attach(client->view->cachedb, &db);
-			is_zone = ISC_FALSE;
-			goto db_find;
-		}
-	} else {
-		result = dns_db_findzonecut(db, client->query.qname,
-					    client->query.dboptions,
-					    client->now, &node, fname,
-					    rdataset, sigrdataset);
-		if (result == ISC_R_SUCCESS) {
-			if (zfname != NULL &&
-			    !dns_name_issubdomain(fname, zfname)) {
-				/*
-				 * We found a zonecut in the cache, but our
-				 * zone delegation is better.
-				 */
-				use_zone = ISC_TRUE;
-			}
-		} else if (result == ISC_R_NOTFOUND && zfname != NULL) {
-			/*
-			 * We didn't find anything in the cache, but we
-			 * have a zone delegation, so use it.
-			 */
-			use_zone = ISC_TRUE;
-		} else
-			goto cleanup;
-	}
-
-	if (use_zone) {
-		query_releasename(client, &fname);
-		fname = zfname;
-		zfname = NULL;
-		/*
-		 * We've already done query_keepname() on
-		 * zfname, so we must set dbuf to NULL to
-		 * prevent query_addrrset() from trying to
-		 * call query_keepname() again.
-		 */
-		dbuf = NULL;
-		query_putrdataset(client, &rdataset);
-		if (sigrdataset != NULL)
-			query_putrdataset(client, &sigrdataset);
-		rdataset = zrdataset;
-		zrdataset = NULL;
-		sigrdataset = zsigrdataset;
-		zsigrdataset = NULL;
-	}
-
-	/*
-	 * Attempt to validate RRsets that are pending or that are glue.
-	 */
-	if ((DNS_TRUST_PENDING(rdataset->trust) ||
-	     (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust)))
-	    && !validate(client, db, fname, rdataset, sigrdataset) &&
-	    !PENDINGOK(client->query.dboptions))
-		goto cleanup;
-
-	if ((DNS_TRUST_GLUE(rdataset->trust) ||
-	     (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
-	    !validate(client, db, fname, rdataset, sigrdataset) &&
-	    SECURE(client) && WANTDNSSEC(client))
-		goto cleanup;
-
-	/*
-	 * If the answer is secure only add NS records if they are secure		 * when the client may be looking for AD in the response.
-	 */
-	if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) &&
-	    ((rdataset->trust != dns_trust_secure) ||
-	    (sigrdataset != NULL && sigrdataset->trust != dns_trust_secure)))
-		goto cleanup;
-
-	/*
-	 * If the client doesn't want DNSSEC we can discard the sigrdataset
-	 * now.
-	 */
-	if (!WANTDNSSEC(client))
-		query_putrdataset(client, &sigrdataset);
-	query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
-		       DNS_SECTION_AUTHORITY);
-
- cleanup:
-	if (rdataset != NULL)
-		query_putrdataset(client, &rdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &sigrdataset);
-	if (fname != NULL)
-		query_releasename(client, &fname);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	if (zdb != NULL) {
-		query_putrdataset(client, &zrdataset);
-		if (zsigrdataset != NULL)
-			query_putrdataset(client, &zsigrdataset);
-		if (zfname != NULL)
-			query_releasename(client, &zfname);
-		dns_db_detach(&zdb);
-	}
-}
-
-static void
-fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) {
-	if (*rdataset == NULL)
-		*rdataset = query_newrdataset(client);
-	else  if (dns_rdataset_isassociated(*rdataset))
-		dns_rdataset_disassociate(*rdataset);
-}
-
-static void
-fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf,
-	 isc_buffer_t *nbuf)
-{
-	if (*fname == NULL) {
-		*dbuf = query_getnamebuf(client);
-		if (*dbuf == NULL)
-			return;
-		*fname = query_newname(client, *dbuf, nbuf);
-	}
-}
-
-static void
-query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
-	    dns_dbversion_t *version, dns_name_t *name)
-{
-	dns_fixedname_t fixed;
-	dns_name_t *fname = NULL;
-	dns_name_t *rname;
-	dns_rdataset_t *rdataset, *sigrdataset;
-	isc_buffer_t *dbuf, b;
-	isc_result_t result;
-	unsigned int count;
-
-	CTRACE("query_addds");
-	rname = NULL;
-	rdataset = NULL;
-	sigrdataset = NULL;
-
-	/*
-	 * We'll need some resources...
-	 */
-	rdataset = query_newrdataset(client);
-	sigrdataset = query_newrdataset(client);
-	if (rdataset == NULL || sigrdataset == NULL)
-		goto cleanup;
-
-	/*
-	 * Look for the DS record, which may or may not be present.
-	 */
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ds, 0,
-				     client->now, rdataset, sigrdataset);
-	/*
-	 * If we didn't find it, look for an NSEC.
-	 */
-	if (result == ISC_R_NOTFOUND)
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_nsec, 0, client->now,
-					     rdataset, sigrdataset);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-		goto addnsec3;
-	if (!dns_rdataset_isassociated(rdataset) ||
-	    !dns_rdataset_isassociated(sigrdataset))
-		goto addnsec3;
-
-	/*
-	 * We've already added the NS record, so if the name's not there,
-	 * we have other problems.  Use this name rather than calling
-	 * query_addrrset().
-	 */
-	result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	rname = NULL;
-	dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
-				&rname);
-	result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	ISC_LIST_APPEND(rname->list, rdataset, link);
-	ISC_LIST_APPEND(rname->list, sigrdataset, link);
-	rdataset = NULL;
-	sigrdataset = NULL;
-	return;
-
-   addnsec3:
-	if (!dns_db_iszone(db))
-		goto cleanup;
-	/*
-	 * Add the NSEC3 which proves the DS does not exist.
-	 */
-	dbuf = query_getnamebuf(client);
-	if (dbuf == NULL)
-		goto cleanup;
-	fname = query_newname(client, dbuf, &b);
-	dns_fixedname_init(&fixed);
-	if (dns_rdataset_isassociated(rdataset))
-		dns_rdataset_disassociate(rdataset);
-	if (dns_rdataset_isassociated(sigrdataset))
-		dns_rdataset_disassociate(sigrdataset);
-	query_findclosestnsec3(name, db, version, client, rdataset,
-			       sigrdataset, fname, ISC_TRUE,
-			       dns_fixedname_name(&fixed));
-	if (!dns_rdataset_isassociated(rdataset))
-		goto cleanup;
-	query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
-		       DNS_SECTION_AUTHORITY);
-	/*
-	 * Did we find the closest provable encloser instead?
-	 * If so add the nearest to the closest provable encloser.
-	 */
-	if (!dns_name_equal(name, dns_fixedname_name(&fixed))) {
-		count = dns_name_countlabels(dns_fixedname_name(&fixed)) + 1;
-		dns_name_getlabelsequence(name,
-					  dns_name_countlabels(name) - count,
-					  count, dns_fixedname_name(&fixed));
-		fixfname(client, &fname, &dbuf, &b);
-		fixrdataset(client, &rdataset);
-		fixrdataset(client, &sigrdataset);
-		if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
-				goto cleanup;
-		query_findclosestnsec3(dns_fixedname_name(&fixed), db, version,
-				       client, rdataset, sigrdataset, fname,
-				       ISC_FALSE, NULL);
-		if (!dns_rdataset_isassociated(rdataset))
-			goto cleanup;
-		query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
-			       DNS_SECTION_AUTHORITY);
-	}
-
- cleanup:
-	if (rdataset != NULL)
-		query_putrdataset(client, &rdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &sigrdataset);
-	if (fname != NULL)
-		query_releasename(client, &fname);
-}
-
-static void
-query_addwildcardproof(ns_client_t *client, dns_db_t *db,
-		       dns_dbversion_t *version, dns_name_t *name,
-		       isc_boolean_t ispositive, isc_boolean_t nodata)
-{
-	isc_buffer_t *dbuf, b;
-	dns_name_t *fname;
-	dns_rdataset_t *rdataset, *sigrdataset;
-	dns_fixedname_t wfixed;
-	dns_name_t *wname;
-	dns_dbnode_t *node;
-	unsigned int options;
-	unsigned int olabels, nlabels, labels;
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_nsec_t nsec;
-	isc_boolean_t have_wname;
-	int order;
-	dns_fixedname_t cfixed;
-	dns_name_t *cname;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	CTRACE("query_addwildcardproof");
-	fname = NULL;
-	rdataset = NULL;
-	sigrdataset = NULL;
-	node = NULL;
-
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	/*
-	 * Get the NOQNAME proof then if !ispositive
-	 * get the NOWILDCARD proof.
-	 *
-	 * DNS_DBFIND_NOWILD finds the NSEC records that covers the
-	 * name ignoring any wildcard.  From the owner and next names
-	 * of this record you can compute which wildcard (if it exists)
-	 * will match by finding the longest common suffix of the
-	 * owner name and next names with the qname and prefixing that
-	 * with the wildcard label.
-	 *
-	 * e.g.
-	 *   Given:
-	 *	example SOA
-	 *	example NSEC b.example
-	 *	b.example A
-	 *	b.example NSEC a.d.example
-	 *	a.d.example A
-	 *	a.d.example NSEC g.f.example
-	 *	g.f.example A
-	 *	g.f.example NSEC z.i.example
-	 *	z.i.example A
-	 *	z.i.example NSEC example
-	 *
-	 *   QNAME:
-	 *   a.example -> example NSEC b.example
-	 *	owner common example
-	 *	next common example
-	 *	wild *.example
-	 *   d.b.example -> b.example NSEC a.d.example
-	 *	owner common b.example
-	 *	next common example
-	 *	wild *.b.example
-	 *   a.f.example -> a.d.example NSEC g.f.example
-	 *	owner common example
-	 *	next common f.example
-	 *	wild *.f.example
-	 *  j.example -> z.i.example NSEC example
-	 *	owner common example
-	 *	next common example
-	 *	wild *.example
-	 */
-	options = client->query.dboptions | DNS_DBFIND_NOWILD;
-	dns_fixedname_init(&wfixed);
-	wname = dns_fixedname_name(&wfixed);
- again:
-	have_wname = ISC_FALSE;
-	/*
-	 * We'll need some resources...
-	 */
-	dbuf = query_getnamebuf(client);
-	if (dbuf == NULL)
-		goto cleanup;
-	fname = query_newname(client, dbuf, &b);
-	rdataset = query_newrdataset(client);
-	sigrdataset = query_newrdataset(client);
-	if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
-		goto cleanup;
-
-	result = dns_db_findext(db, name, version, dns_rdatatype_nsec,
-				options, 0, &node, fname, &cm, &ci,
-				rdataset, sigrdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-
-	if (!dns_rdataset_isassociated(rdataset)) {
-		/*
-		 * No NSEC proof available, return NSEC3 proofs instead.
-		 */
-		dns_fixedname_init(&cfixed);
-		cname = dns_fixedname_name(&cfixed);
-		/*
-		 * Find the closest encloser.
-		 */
-		dns_name_copy(name, cname, NULL);
-		while (result == DNS_R_NXDOMAIN) {
-			labels = dns_name_countlabels(cname) - 1;
-			/*
-			 * Sanity check.
-			 */
-			if (labels == 0U)
-				goto cleanup;
-			dns_name_split(cname, labels, NULL, cname);
-			result = dns_db_findext(db, cname, version,
-						dns_rdatatype_nsec,
-						options, 0, NULL, fname,
-						&cm, &ci, NULL, NULL);
-		}
-		/*
-		 * Add closest (provable) encloser NSEC3.
-		 */
-		query_findclosestnsec3(cname, db, NULL, client, rdataset,
-				       sigrdataset, fname, ISC_TRUE, cname);
-		if (!dns_rdataset_isassociated(rdataset))
-			goto cleanup;
-		if (!ispositive)
-			query_addrrset(client, &fname, &rdataset, &sigrdataset,
-				       dbuf, DNS_SECTION_AUTHORITY);
-
-		/*
-		 * Replace resources which were consumed by query_addrrset.
-		 */
-		if (fname == NULL) {
-			dbuf = query_getnamebuf(client);
-			if (dbuf == NULL)
-				goto cleanup;
-			fname = query_newname(client, dbuf, &b);
-		}
-
-		if (rdataset == NULL)
-			rdataset = query_newrdataset(client);
-		else if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-
-		if (sigrdataset == NULL)
-			sigrdataset = query_newrdataset(client);
-		else if (dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-
-		if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
-			goto cleanup;
-		/*
-		 * Add no qname proof.
-		 */
-		labels = dns_name_countlabels(cname) + 1;
-		if (dns_name_countlabels(name) == labels)
-			dns_name_copy(name, wname, NULL);
-		else
-			dns_name_split(name, labels, NULL, wname);
-
-		query_findclosestnsec3(wname, db, NULL, client, rdataset,
-				       sigrdataset, fname, ISC_FALSE, NULL);
-		if (!dns_rdataset_isassociated(rdataset))
-			goto cleanup;
-		query_addrrset(client, &fname, &rdataset, &sigrdataset,
-			       dbuf, DNS_SECTION_AUTHORITY);
-
-		if (ispositive)
-			goto cleanup;
-
-		/*
-		 * Replace resources which were consumed by query_addrrset.
-		 */
-		if (fname == NULL) {
-			dbuf = query_getnamebuf(client);
-			if (dbuf == NULL)
-				goto cleanup;
-			fname = query_newname(client, dbuf, &b);
-		}
-
-		if (rdataset == NULL)
-			rdataset = query_newrdataset(client);
-		else if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-
-		if (sigrdataset == NULL)
-			sigrdataset = query_newrdataset(client);
-		else if (dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-
-		if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
-			goto cleanup;
-		/*
-		 * Add the no wildcard proof.
-		 */
-		result = dns_name_concatenate(dns_wildcardname,
-					      cname, wname, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		query_findclosestnsec3(wname, db, NULL, client, rdataset,
-				       sigrdataset, fname, nodata, NULL);
-		if (!dns_rdataset_isassociated(rdataset))
-			goto cleanup;
-		query_addrrset(client, &fname, &rdataset, &sigrdataset,
-			       dbuf, DNS_SECTION_AUTHORITY);
-
-		goto cleanup;
-	} else if (result == DNS_R_NXDOMAIN) {
-		if (!ispositive)
-			result = dns_rdataset_first(rdataset);
-		if (result == ISC_R_SUCCESS) {
-			dns_rdataset_current(rdataset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &nsec, NULL);
-		}
-		if (result == ISC_R_SUCCESS) {
-			(void)dns_name_fullcompare(name, fname, &order,
-						   &olabels);
-			(void)dns_name_fullcompare(name, &nsec.next, &order,
-						   &nlabels);
-			/*
-			 * Check for a pathological condition created when
-			 * serving some malformed signed zones and bail out.
-			 */
-			if (dns_name_countlabels(name) == nlabels)
-				goto cleanup;
-
-			if (olabels > nlabels)
-				dns_name_split(name, olabels, NULL, wname);
-			else
-				dns_name_split(name, nlabels, NULL, wname);
-			result = dns_name_concatenate(dns_wildcardname,
-						      wname, wname, NULL);
-			if (result == ISC_R_SUCCESS)
-				have_wname = ISC_TRUE;
-			dns_rdata_freestruct(&nsec);
-		}
-		query_addrrset(client, &fname, &rdataset, &sigrdataset,
-			       dbuf, DNS_SECTION_AUTHORITY);
-	}
-	if (rdataset != NULL)
-		query_putrdataset(client, &rdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &sigrdataset);
-	if (fname != NULL)
-		query_releasename(client, &fname);
-	if (have_wname) {
-		ispositive = ISC_TRUE;	/* prevent loop */
-		if (!dns_name_equal(name, wname)) {
-			name = wname;
-			goto again;
-		}
-	}
- cleanup:
-	if (rdataset != NULL)
-		query_putrdataset(client, &rdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &sigrdataset);
-	if (fname != NULL)
-		query_releasename(client, &fname);
-}
-
-static void
-query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
-		     dns_dbversion_t *version, dns_name_t **namep,
-		     dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
-{
-	dns_name_t *name;
-	dns_rdataset_t *sigrdataset;
-	dns_rdata_t sigrdata;
-	dns_rdata_rrsig_t sig;
-	unsigned int labels;
-	isc_buffer_t *dbuf, b;
-	dns_name_t *fname;
-	isc_result_t result;
-
-	name = *namep;
-	if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
-		query_addrrset(client, namep, rdatasetp, sigrdatasetp,
-			       NULL, DNS_SECTION_AUTHORITY);
-		return;
-	}
-
-	if (sigrdatasetp == NULL)
-		return;
-
-	sigrdataset = *sigrdatasetp;
-	if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
-		return;
-	result = dns_rdataset_first(sigrdataset);
-	if (result != ISC_R_SUCCESS)
-		return;
-	dns_rdata_init(&sigrdata);
-	dns_rdataset_current(sigrdataset, &sigrdata);
-	result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	labels = dns_name_countlabels(name);
-	if ((unsigned int)sig.labels + 1 >= labels)
-		return;
-
-	/* XXX */
-	query_addwildcardproof(client, db, version, client->query.qname,
-			       ISC_TRUE, ISC_FALSE);
-
-	/*
-	 * We'll need some resources...
-	 */
-	dbuf = query_getnamebuf(client);
-	if (dbuf == NULL)
-		return;
-	fname = query_newname(client, dbuf, &b);
-	if (fname == NULL)
-		return;
-	dns_name_split(name, sig.labels + 1, NULL, fname);
-	/* This will succeed, since we've stripped labels. */
-	RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
-					   NULL) == ISC_R_SUCCESS);
-	query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
-		       dbuf, DNS_SECTION_AUTHORITY);
-}
-
-static void
-query_resume(isc_task_t *task, isc_event_t *event) {
-	dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
-	dns_fetch_t *fetch;
-	ns_client_t *client;
-	isc_boolean_t fetch_canceled, client_shuttingdown;
-	isc_result_t result;
-	isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_EERRORS;
-	int errorloglevel;
-
-	/*
-	 * Resume a query after recursion.
-	 */
-
-	UNUSED(task);
-
-	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
-	client = devent->ev_arg;
-	REQUIRE(NS_CLIENT_VALID(client));
-	REQUIRE(task == client->task);
-	REQUIRE(RECURSING(client));
-
-	LOCK(&client->query.fetchlock);
-	if (client->query.fetch != NULL) {
-		/*
-		 * This is the fetch we've been waiting for.
-		 */
-		INSIST(devent->fetch == client->query.fetch);
-		client->query.fetch = NULL;
-		fetch_canceled = ISC_FALSE;
-		/*
-		 * Update client->now.
-		 */
-		isc_stdtime_get(&client->now);
-	} else {
-		/*
-		 * This is a fetch completion event for a canceled fetch.
-		 * Clean up and don't resume the find.
-		 */
-		fetch_canceled = ISC_TRUE;
-	}
-	UNLOCK(&client->query.fetchlock);
-	INSIST(client->query.fetch == NULL);
-
-	client->query.attributes &= ~NS_QUERYATTR_RECURSING;
-	fetch = devent->fetch;
-	devent->fetch = NULL;
-
-	/*
-	 * If this client is shutting down, or this transaction
-	 * has timed out, do not resume the find.
-	 */
-	client_shuttingdown = ns_client_shuttingdown(client);
-	if (fetch_canceled || client_shuttingdown) {
-		if (devent->node != NULL)
-			dns_db_detachnode(devent->db, &devent->node);
-		if (devent->db != NULL)
-			dns_db_detach(&devent->db);
-		query_putrdataset(client, &devent->rdataset);
-		if (devent->sigrdataset != NULL)
-			query_putrdataset(client, &devent->sigrdataset);
-		isc_event_free(&event);
-		if (fetch_canceled)
-			query_error(client, DNS_R_SERVFAIL, __LINE__);
-		else
-			query_next(client, ISC_R_CANCELED);
-		/*
-		 * This may destroy the client.
-		 */
-		ns_client_detach(&client);
-	} else {
-		result = query_find(client, devent, 0);
-		if (result != ISC_R_SUCCESS) {
-			if (result == DNS_R_SERVFAIL)
-				errorloglevel = ISC_LOG_DEBUG(2);
-			else
-				errorloglevel = ISC_LOG_DEBUG(4);
-			if (isc_log_wouldlog(ns_g_lctx, errorloglevel)) {
-				dns_resolver_logfetch(fetch, ns_g_lctx,
-						      logcategory,
-						      NS_LOGMODULE_QUERY,
-						      errorloglevel, ISC_FALSE);
-			}
-		}
-	}
-
-	dns_resolver_destroyfetch(&fetch);
-}
-
-static isc_result_t
-query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
-	      dns_name_t *qdomain, dns_rdataset_t *nameservers,
-	      isc_boolean_t resuming)
-{
-	isc_result_t result;
-	dns_rdataset_t *rdataset, *sigrdataset;
-	isc_sockaddr_t *peeraddr;
-
-	if (!resuming)
-		inc_stats(client, dns_nsstatscounter_recursion);
-
-	/*
-	 * We are about to recurse, which means that this client will
-	 * be unavailable for serving new requests for an indeterminate
-	 * amount of time.  If this client is currently responsible
-	 * for handling incoming queries, set up a new client
-	 * object to handle them while we are waiting for a
-	 * response.  There is no need to replace TCP clients
-	 * because those have already been replaced when the
-	 * connection was accepted (if allowed by the TCP quota).
-	 */
-	if (client->recursionquota == NULL) {
-		result = isc_quota_attach(&ns_g_server->recursionquota,
-					  &client->recursionquota);
-		if  (result == ISC_R_SOFTQUOTA) {
-			static isc_stdtime_t last = 0;
-			isc_stdtime_t now;
-			isc_stdtime_get(&now);
-			if (now != last) {
-				last = now;
-				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-					      NS_LOGMODULE_QUERY,
-					      ISC_LOG_WARNING,
-					      "recursive-clients soft limit "
-					      "exceeded (%d/%d/%d), "
-					      "aborting oldest query",
-					      client->recursionquota->used,
-					      client->recursionquota->soft,
-					      client->recursionquota->max);
-			}
-			ns_client_killoldestquery(client);
-			result = ISC_R_SUCCESS;
-		} else if (result == ISC_R_QUOTA) {
-			static isc_stdtime_t last = 0;
-			isc_stdtime_t now;
-			isc_stdtime_get(&now);
-			if (now != last) {
-				last = now;
-				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-					      NS_LOGMODULE_QUERY,
-					      ISC_LOG_WARNING,
-					      "no more recursive clients "
-					      "(%d/%d/%d): %s",
-					      ns_g_server->recursionquota.used,
-					      ns_g_server->recursionquota.soft,
-					      ns_g_server->recursionquota.max,
-					      isc_result_totext(result));
-			}
-			ns_client_killoldestquery(client);
-		}
-		if (result == ISC_R_SUCCESS && !client->mortal &&
-		    (client->attributes & NS_CLIENTATTR_TCP) == 0) {
-			result = ns_client_replace(client);
-			if (result != ISC_R_SUCCESS) {
-				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-					      NS_LOGMODULE_QUERY,
-					      ISC_LOG_WARNING,
-					      "ns_client_replace() failed: %s",
-					      isc_result_totext(result));
-				isc_quota_detach(&client->recursionquota);
-			}
-		}
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		ns_client_recursing(client);
-	}
-
-	/*
-	 * Invoke the resolver.
-	 */
-	REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns);
-	REQUIRE(client->query.fetch == NULL);
-
-	rdataset = query_newrdataset(client);
-	if (rdataset == NULL)
-		return (ISC_R_NOMEMORY);
-	if (WANTDNSSEC(client)) {
-		sigrdataset = query_newrdataset(client);
-		if (sigrdataset == NULL) {
-			query_putrdataset(client, &rdataset);
-			return (ISC_R_NOMEMORY);
-		}
-	} else
-		sigrdataset = NULL;
-
-	if (client->query.timerset == ISC_FALSE)
-		ns_client_settimeout(client, 60);
-	if ((client->attributes & NS_CLIENTATTR_TCP) == 0)
-		peeraddr = &client->peeraddr;
-	else
-		peeraddr = NULL;
-	result = dns_resolver_createfetch2(client->view->resolver,
-					   qname, qtype, qdomain, nameservers,
-					   NULL, peeraddr, client->message->id,
-					   client->query.fetchoptions,
-					   client->task,
-					   query_resume, client,
-					   rdataset, sigrdataset,
-					   &client->query.fetch);
-
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * Record that we're waiting for an event.  A client which
-		 * is shutting down will not be destroyed until all the
-		 * events have been received.
-		 */
-	} else {
-		query_putrdataset(client, &rdataset);
-		if (sigrdataset != NULL)
-			query_putrdataset(client, &sigrdataset);
-	}
-
-	return (result);
-}
-
-static inline void
-rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep,
-	  dns_rdataset_t **rdatasetp)
-{
-	if (nodep != NULL && *nodep != NULL) {
-		REQUIRE(dbp != NULL && *dbp != NULL);
-		dns_db_detachnode(*dbp, nodep);
-	}
-	if (dbp != NULL && *dbp != NULL)
-		dns_db_detach(dbp);
-	if (zonep != NULL && *zonep != NULL)
-		dns_zone_detach(zonep);
-	if (rdatasetp != NULL && *rdatasetp != NULL &&
-	    dns_rdataset_isassociated(*rdatasetp))
-		dns_rdataset_disassociate(*rdatasetp);
-}
-
-static void
-rpz_match_clear(dns_rpz_st_t *st)
-{
-	rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
-	st->m.version = NULL;
-}
-
-static inline isc_result_t
-rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp,
-	  dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp)
-{
-	REQUIRE(rdatasetp != NULL);
-
-	rpz_clean(zonep, dbp, nodep, rdatasetp);
-	if (*rdatasetp == NULL) {
-		*rdatasetp = query_newrdataset(client);
-		if (*rdatasetp == NULL)
-			return (DNS_R_SERVFAIL);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static void
-rpz_st_clear(ns_client_t *client) {
-	dns_rpz_st_t *st = client->query.rpz_st;
-
-	if (st->m.rdataset != NULL)
-		query_putrdataset(client, &st->m.rdataset);
-	rpz_match_clear(st);
-
-	rpz_clean(NULL, &st->r.db, NULL, NULL);
-	if (st->r.ns_rdataset != NULL)
-		query_putrdataset(client, &st->r.ns_rdataset);
-	if (st->r.r_rdataset != NULL)
-		query_putrdataset(client, &st->r.r_rdataset);
-
-	rpz_clean(&st->q.zone, &st->q.db, &st->q.node, NULL);
-	if (st->q.rdataset != NULL)
-		query_putrdataset(client, &st->q.rdataset);
-	if (st->q.sigrdataset != NULL)
-		query_putrdataset(client, &st->q.sigrdataset);
-	st->state = 0;
-	st->m.type = DNS_RPZ_TYPE_BAD;
-	st->m.policy = DNS_RPZ_POLICY_MISS;
-}
-
-/*
- * Get NS, A, or AAAA rrset for response policy zone checks.
- */
-static isc_result_t
-rpz_rrset_find(ns_client_t *client, dns_rpz_type_t rpz_type,
-	       dns_name_t *name, dns_rdatatype_t type,
-	       dns_db_t **dbp, dns_dbversion_t *version,
-	       dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
-{
-	dns_rpz_st_t *st;
-	isc_boolean_t is_zone;
-	dns_dbnode_t *node;
-	dns_fixedname_t fixed;
-	dns_name_t *found;
-	isc_result_t result;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	st = client->query.rpz_st;
-	if ((st->state & DNS_RPZ_RECURSING) != 0) {
-		INSIST(st->r.r_type == type);
-		INSIST(dns_name_equal(name, st->r_name));
-		INSIST(*rdatasetp == NULL ||
-		       !dns_rdataset_isassociated(*rdatasetp));
-		st->state &= ~DNS_RPZ_RECURSING;
-		*dbp = st->r.db;
-		st->r.db = NULL;
-		if (*rdatasetp != NULL)
-			query_putrdataset(client, rdatasetp);
-		*rdatasetp = st->r.r_rdataset;
-		st->r.r_rdataset = NULL;
-		result = st->r.r_result;
-		if (result == DNS_R_DELEGATION) {
-			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
-				     rpz_type, name,
-				     "rpz_rrset_find(1) ", result);
-			st->m.policy = DNS_RPZ_POLICY_ERROR;
-			result = DNS_R_SERVFAIL;
-		}
-		return (result);
-	}
-
-	result = rpz_ready(client, NULL, NULL, NULL, rdatasetp);
-	if (result != ISC_R_SUCCESS) {
-		st->m.policy = DNS_RPZ_POLICY_ERROR;
-		return (result);
-	}
-	if (*dbp != NULL) {
-		is_zone = ISC_FALSE;
-	} else {
-		dns_zone_t *zone;
-
-		version = NULL;
-		zone = NULL;
-		result = query_getdb(client, name, type, 0, &zone, dbp,
-				     &version, &is_zone);
-		if (result != ISC_R_SUCCESS) {
-			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
-				     rpz_type, name,
-				     "rpz_rrset_find(2) ", result);
-			st->m.policy = DNS_RPZ_POLICY_ERROR;
-			if (zone != NULL)
-				dns_zone_detach(&zone);
-			return (result);
-		}
-		if (zone != NULL)
-			dns_zone_detach(&zone);
-	}
-
-	node = NULL;
-	dns_fixedname_init(&fixed);
-	found = dns_fixedname_name(&fixed);
-	result = dns_db_findext(*dbp, name, version, type, DNS_DBFIND_GLUEOK,
-				client->now, &node, found,
-				&cm, &ci, *rdatasetp, NULL);
-	if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) {
-		/*
-		 * Try the cache if we're authoritative for an
-		 * ancestor but not the domain itself.
-		 */
-		rpz_clean(NULL, dbp, &node, rdatasetp);
-		version = NULL;
-		dns_db_attach(client->view->cachedb, dbp);
-		result = dns_db_findext(*dbp, name, version, dns_rdatatype_ns,
-					0, client->now, &node, found,
-					&cm, &ci, *rdatasetp, NULL);
-	}
-	rpz_clean(NULL, dbp, &node, NULL);
-	if (result == DNS_R_DELEGATION) {
-		rpz_clean(NULL, NULL, NULL, rdatasetp);
-		/*
-		 * Recurse for NS rrset or A or AAAA rrset for an NS.
-		 * Do not recurse for addresses for the query name.
-		 */
-		if (rpz_type == DNS_RPZ_TYPE_IP) {
-			result = DNS_R_NXRRSET;
-		} else {
-			dns_name_copy(name, st->r_name, NULL);
-			result = query_recurse(client, type, st->r_name,
-					       NULL, NULL, resuming);
-			if (result == ISC_R_SUCCESS) {
-				st->state |= DNS_RPZ_RECURSING;
-				result = DNS_R_DELEGATION;
-			}
-		}
-	}
-	return (result);
-}
-
-/*
- * Check the IP address in an A or AAAA rdataset against
- * the IP or NSIP response policy rules of a view.
- */
-static isc_result_t
-rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset,
-	       dns_rpz_type_t rpz_type)
-{
-	dns_rpz_st_t *st;
-	dns_dbversion_t *version;
-	dns_zone_t *zone;
-	dns_db_t *db;
-	dns_rpz_zone_t *rpz;
-	isc_result_t result;
-
-	st = client->query.rpz_st;
-	if (st->m.rdataset == NULL) {
-		st->m.rdataset = query_newrdataset(client);
-		if (st->m.rdataset == NULL)
-			return (DNS_R_SERVFAIL);
-	}
-	zone = NULL;
-	db = NULL;
-	for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
-	     rpz != NULL;
-	     rpz = ISC_LIST_NEXT(rpz, link)) {
-		if (!RECURSIONOK(client) && rpz->recursive_only)
-			continue;
-
-		/*
-		 * Do not check policy zones that cannot replace a policy
-		 * already known to match.
-		 */
-		if (st->m.policy != DNS_RPZ_POLICY_MISS) {
-			if (st->m.rpz->num < rpz->num)
-				break;
-			if (st->m.rpz->num == rpz->num &&
-			    st->m.type < rpz_type)
-				continue;
-		}
-
-		/*
-		 * Find the database for this policy zone to get its radix tree.
-		 */
-		version = NULL;
-		result = rpz_getdb(client, rpz_type, &rpz->origin,
-				   &zone, &db, &version);
-		if (result != ISC_R_SUCCESS) {
-			rpz_clean(&zone, &db, NULL, NULL);
-			continue;
-		}
-		/*
-		 * Look for a better (e.g. longer prefix) hit for an IP address
-		 * in this rdataset in this radix tree than than the previous
-		 * hit, if any.  Note the domain name and quality of the
-		 * best hit.
-		 */
-		dns_db_rpz_findips(rpz, rpz_type, zone, db, version,
-				   rdataset, st, client->query.rpz_st->qname);
-		rpz_clean(&zone, &db, NULL, NULL);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Look for an A or AAAA rdataset
- * and check for IP or NSIP rewrite policy rules.
- */
-static isc_result_t
-rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type,
-		  dns_rdatatype_t type, dns_name_t *name,
-		  dns_db_t **dbp, dns_dbversion_t *version,
-		  dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
-{
-	isc_result_t result;
-
-	result = rpz_rrset_find(client, rpz_type, name, type, dbp, version,
-				rdatasetp, resuming);
-	switch (result) {
-	case ISC_R_SUCCESS:
-	case DNS_R_GLUE:
-	case DNS_R_ZONECUT:
-		result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
-		break;
-	case DNS_R_EMPTYNAME:
-	case DNS_R_EMPTYWILD:
-	case DNS_R_NXDOMAIN:
-	case DNS_R_NCACHENXDOMAIN:
-	case DNS_R_NXRRSET:
-	case DNS_R_NCACHENXRRSET:
-	case ISC_R_NOTFOUND:
-		result = ISC_R_SUCCESS;
-		break;
-	case DNS_R_DELEGATION:
-	case DNS_R_DUPLICATE:
-	case DNS_R_DROP:
-		break;
-	case DNS_R_CNAME:
-	case DNS_R_DNAME:
-		rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, rpz_type,
-			     name, "NS address rewrite rrset ", result);
-		result = ISC_R_SUCCESS;
-		break;
-	default:
-		if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
-			client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR;
-			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
-				     name, "NS address rewrite rrset ", result);
-		}
-		break;
-	}
-	return (result);
-}
-
-/*
- * Look for both A and AAAA rdatasets
- * and check for IP or NSIP rewrite policy rules.
- * Look only for addresses that will be in the ANSWER section
- * when checking for IP rules.
- */
-static isc_result_t
-rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type,
-		   dns_name_t *name, dns_rdatatype_t type,
-		   dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
-{
-	dns_rpz_st_t *st;
-	dns_dbversion_t *version;
-	dns_db_t *ipdb;
-	isc_result_t result;
-
-	st = client->query.rpz_st;
-	version = NULL;
-	ipdb = NULL;
-	if ((st->state & DNS_RPZ_DONE_IPv4) == 0 &&
-	    ((rpz_type == DNS_RPZ_TYPE_NSIP) ?
-	     (st->state & DNS_RPZ_HAVE_NSIPv4) :
-	     (st->state & DNS_RPZ_HAVE_IP)) != 0 &&
-	    (type == dns_rdatatype_any || type == dns_rdatatype_a)) {
-		result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_a,
-					   name, &ipdb, version, rdatasetp,
-					   resuming);
-		if (result == ISC_R_SUCCESS)
-			st->state |= DNS_RPZ_DONE_IPv4;
-	} else {
-		result = ISC_R_SUCCESS;
-	}
-	if (result == ISC_R_SUCCESS &&
-	    ((rpz_type == DNS_RPZ_TYPE_NSIP) ?
-	     (st->state & DNS_RPZ_HAVE_NSIPv6) :
-	     (st->state & DNS_RPZ_HAVE_IP)) != 0 &&
-	    (type == dns_rdatatype_any || type == dns_rdatatype_aaaa)) {
-		result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_aaaa,
-					   name, &ipdb, version, rdatasetp,
-					   resuming);
-	}
-	if (ipdb != NULL)
-		dns_db_detach(&ipdb);
-	return (result);
-}
-
-/*
- * Get the rrset from a response policy zone.
- */
-static isc_result_t
-rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
-	 dns_name_t *sname, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
-	 dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp,
-	 dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
-	 dns_rpz_policy_t *policyp)
-{
-	dns_rpz_policy_t policy;
-	dns_fixedname_t fixed;
-	dns_name_t *found;
-	isc_result_t result;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	REQUIRE(nodep != NULL);
-
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	result = rpz_ready(client, zonep, dbp, nodep, rdatasetp);
-	if (result != ISC_R_SUCCESS) {
-		*policyp = DNS_RPZ_POLICY_ERROR;
-		return (result);
-	}
-
-	/*
-	 * Try to get either a CNAME or the type of record demanded by the
-	 * request from the policy zone.
-	 */
-	*versionp = NULL;
-	result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, versionp);
-	if (result != ISC_R_SUCCESS) {
-		*policyp = DNS_RPZ_POLICY_MISS;
-		return (DNS_R_NXDOMAIN);
-	}
-
-	dns_fixedname_init(&fixed);
-	found = dns_fixedname_name(&fixed);
-	result = dns_db_findext(*dbp, qnamef, *versionp, dns_rdatatype_any, 0,
-				client->now, nodep, found, &cm, &ci,
-				*rdatasetp, NULL);
-	if (result == ISC_R_SUCCESS) {
-		dns_rdatasetiter_t *rdsiter;
-
-		rdsiter = NULL;
-		result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0,
-					     &rdsiter);
-		if (result != ISC_R_SUCCESS) {
-			dns_db_detachnode(*dbp, nodep);
-			rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
-				     qnamef, "allrdatasets() ", result);
-			*policyp = DNS_RPZ_POLICY_ERROR;
-			return (DNS_R_SERVFAIL);
-		}
-		for (result = dns_rdatasetiter_first(rdsiter);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(rdsiter)) {
-			dns_rdatasetiter_current(rdsiter, *rdatasetp);
-			if ((*rdatasetp)->type == dns_rdatatype_cname ||
-			    (*rdatasetp)->type == qtype)
-				break;
-			dns_rdataset_disassociate(*rdatasetp);
-		}
-		dns_rdatasetiter_destroy(&rdsiter);
-		if (result != ISC_R_SUCCESS) {
-			if (result != ISC_R_NOMORE) {
-				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
-					     rpz_type, qnamef, "rdatasetiter ",
-					     result);
-				*policyp = DNS_RPZ_POLICY_ERROR;
-				return (DNS_R_SERVFAIL);
-			}
-			/*
-			 * Ask again to get the right DNS_R_DNAME/NXRRSET/...
-			 * result if there is neither a CNAME nor target type.
-			 */
-			if (dns_rdataset_isassociated(*rdatasetp))
-				dns_rdataset_disassociate(*rdatasetp);
-			dns_db_detachnode(*dbp, nodep);
-
-			if (qtype == dns_rdatatype_rrsig ||
-			    qtype == dns_rdatatype_sig)
-				result = DNS_R_NXRRSET;
-			else
-				result = dns_db_findext(*dbp, qnamef, *versionp,
-							qtype, 0, client->now,
-							nodep, found, &cm, &ci,
-							*rdatasetp, NULL);
-		}
-	}
-	switch (result) {
-	case ISC_R_SUCCESS:
-		if ((*rdatasetp)->type != dns_rdatatype_cname) {
-			policy = DNS_RPZ_POLICY_RECORD;
-		} else {
-			policy = dns_rpz_decode_cname(rpz, *rdatasetp, sname);
-			if ((policy == DNS_RPZ_POLICY_RECORD ||
-			     policy == DNS_RPZ_POLICY_WILDCNAME) &&
-			    qtype != dns_rdatatype_cname &&
-			    qtype != dns_rdatatype_any)
-				result = DNS_R_CNAME;
-		}
-		break;
-	case DNS_R_NXRRSET:
-		policy = DNS_RPZ_POLICY_NODATA;
-		break;
-	case DNS_R_DNAME:
-		/*
-		 * DNAME policy RRs have very few if any uses that are not
-		 * better served with simple wildcards.  Making the work would
-		 * require complications to get the number of labels matched
-		 * in the name or the found name to the main DNS_R_DNAME case
-		 * in query_find().
-		 */
-		dns_rdataset_disassociate(*rdatasetp);
-		dns_db_detachnode(*dbp, nodep);
-		/*
-		 * Fall through to treat it as a miss.
-		 */
-	case DNS_R_NXDOMAIN:
-	case DNS_R_EMPTYNAME:
-		/*
-		 * If we don't get a qname hit,
-		 * see if it is worth looking for other types.
-		 */
-		(void)dns_db_rpz_enabled(*dbp, client->query.rpz_st);
-		dns_db_detach(dbp);
-		dns_zone_detach(zonep);
-		result = DNS_R_NXDOMAIN;
-		policy = DNS_RPZ_POLICY_MISS;
-		break;
-	default:
-		dns_db_detach(dbp);
-		dns_zone_detach(zonep);
-		rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
-			     "", result);
-		return (DNS_R_SERVFAIL);
-	}
-
-	*policyp = policy;
-	return (result);
-}
-
-/*
- * Build and look for a QNAME or NSDNAME owner name in a response policy zone.
- */
-static isc_result_t
-rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
-		 dns_rpz_type_t rpz_type, dns_rdataset_t **rdatasetp)
-{
-	dns_rpz_st_t *st;
-	dns_rpz_zone_t *rpz;
-	dns_fixedname_t prefixf, rpz_qnamef;
-	dns_name_t *prefix, *suffix, *rpz_qname;
-	dns_zone_t *zone;
-	dns_db_t *db;
-	dns_dbversion_t *version;
-	dns_dbnode_t *node;
-	dns_rpz_policy_t policy;
-	unsigned int labels;
-	isc_result_t result;
-
-	st = client->query.rpz_st;
-	zone = NULL;
-	db = NULL;
-	node = NULL;
-
-	for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
-	     rpz != NULL;
-	     rpz = ISC_LIST_NEXT(rpz, link)) {
-		if (!RECURSIONOK(client) && rpz->recursive_only)
-			continue;
-
-		/*
-		 * Do not check policy zones that cannot replace a policy
-		 * already known to match.
-		 */
-		if (st->m.policy != DNS_RPZ_POLICY_MISS) {
-			if (st->m.rpz->num < rpz->num)
-				break;
-			if (st->m.rpz->num == rpz->num &&
-			    st->m.type < rpz_type)
-				continue;
-		}
-		/*
-		 * Construct the policy's owner name.
-		 */
-		dns_fixedname_init(&prefixf);
-		prefix = dns_fixedname_name(&prefixf);
-		dns_name_split(qname, 1, prefix, NULL);
-		if (rpz_type == DNS_RPZ_TYPE_NSDNAME)
-			suffix = &rpz->nsdname;
-		else
-			suffix = &rpz->origin;
-		dns_fixedname_init(&rpz_qnamef);
-		rpz_qname = dns_fixedname_name(&rpz_qnamef);
-		for (;;) {
-			result = dns_name_concatenate(prefix, suffix,
-						      rpz_qname, NULL);
-			if (result == ISC_R_SUCCESS)
-				break;
-			INSIST(result == DNS_R_NAMETOOLONG);
-			/*
-			 * Trim the name until it is not too long.
-			 */
-			labels = dns_name_countlabels(prefix);
-			if (labels < 2) {
-				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
-					     rpz_type, suffix,
-					     "concatentate() ", result);
-				return (ISC_R_SUCCESS);
-			}
-			if (labels+1 == dns_name_countlabels(qname)) {
-				rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1,
-					     rpz_type, suffix,
-					     "concatentate() ", result);
-			}
-			dns_name_split(prefix, labels - 1, NULL, prefix);
-		}
-
-		/*
-		 * See if the policy record exists and get its policy.
-		 */
-		result = rpz_find(client, qtype, rpz_qname, qname, rpz,
-				  rpz_type, &zone, &db, &version, &node,
-				  rdatasetp, &policy);
-		switch (result) {
-		case DNS_R_NXDOMAIN:
-			break;
-		case DNS_R_SERVFAIL:
-			rpz_clean(&zone, &db, &node, rdatasetp);
-			st->m.policy = DNS_RPZ_POLICY_ERROR;
-			return (DNS_R_SERVFAIL);
-		default:
-			/*
-			 * We are dealing with names here.
-			 * With more than one applicable policy, prefer
-			 * the earliest configured policy,
-			 * QNAME over IP over NSDNAME over NSIP,
-			 * and the smallest name.
-			 * Because of the testing above,
-			 * we known st->m.rpz->num >= rpz->num  and either
-			 * st->m.rpz->num > rpz->num or st->m.type >= rpz_type
-			 */
-			if (st->m.policy != DNS_RPZ_POLICY_MISS &&
-			    rpz->num == st->m.rpz->num &&
-			    (st->m.type < rpz_type ||
-			     (st->m.type == rpz_type &&
-			      0 >= dns_name_compare(rpz_qname, st->qname))))
-				continue;
-#if 0
-			/*
-			 * This code would block a customer reported information
-			 * leak of rpz rules by rewriting requests in the
-			 * rpz-ip, rpz-nsip, rpz-nsdname,and rpz-passthru TLDs.
-			 * Without this code, a bad guy could request
-			 * 24.0.3.2.10.rpz-ip. to find the policy rule for
-			 * 10.2.3.0/14.  It is an insignificant leak and this
-			 * code is not worth its cost, because the bad guy
-			 * could publish "evil.com A 10.2.3.4" and request
-			 * evil.com to get the same information.
-			 * Keep code with "#if 0" in case customer demand
-			 * is irresistible.
-			 *
-			 * We have the less frequent case of a triggered
-			 * policy.  Check that we have not trigger on one
-			 * of the pretend RPZ TLDs.
-			 * This test would make it impossible to rewrite
-			 * names in TLDs that start with "rpz-" should
-			 * ICANN ever allow such TLDs.
-			 */
-			labels = dns_name_countlabels(qname);
-			if (labels >= 2) {
-				dns_label_t label;
-
-				dns_name_getlabel(qname, labels-2, &label);
-				if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 &&
-				    strncasecmp((const char *)label.base+1,
-						DNS_RPZ_PREFIX,
-						sizeof(DNS_RPZ_PREFIX)-1) == 0)
-					continue;
-			}
-#endif
-			/*
-			 * Merely log DNS_RPZ_POLICY_DISABLED hits.
-			 */
-			if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
-				rpz_log_rewrite(client, ISC_TRUE, policy,
-						rpz_type, zone, rpz_qname);
-				continue;
-			}
-
-			rpz_match_clear(st);
-			st->m.rpz = rpz;
-			st->m.type = rpz_type;
-			st->m.prefix = 0;
-			st->m.policy = policy;
-			st->m.result = result;
-			dns_name_copy(rpz_qname, st->qname, NULL);
-			if (*rdatasetp != NULL &&
-			    dns_rdataset_isassociated(*rdatasetp)) {
-				dns_rdataset_t *trdataset;
-
-				trdataset = st->m.rdataset;
-				st->m.rdataset = *rdatasetp;
-				*rdatasetp = trdataset;
-				st->m.ttl = ISC_MIN(st->m.rdataset->ttl,
-						    rpz->max_policy_ttl);
-			} else {
-				st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT,
-						    rpz->max_policy_ttl);
-			}
-			st->m.node = node;
-			node = NULL;
-			st->m.db = db;
-			db = NULL;
-			st->m.version = version;
-			st->m.zone = zone;
-			zone = NULL;
-		}
-	}
-
-	rpz_clean(&zone, &db, &node, rdatasetp);
-	return (ISC_R_SUCCESS);
-}
-
-static void
-rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname,
-		    isc_result_t result, int level, const char *str)
-{
-	dns_rpz_st_t *st;
-
-	st = client->query.rpz_st;
-
-	if (str != NULL)
-		rpz_log_fail(client, level, DNS_RPZ_TYPE_NSIP, nsname,
-			     str, result);
-	if (st->r.ns_rdataset != NULL &&
-	    dns_rdataset_isassociated(st->r.ns_rdataset))
-		dns_rdataset_disassociate(st->r.ns_rdataset);
-
-	st->r.label--;
-}
-
-/*
- * Look for response policy zone QNAME, NSIP, and NSDNAME rewriting.
- */
-static isc_result_t
-rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
-	    isc_boolean_t resuming)
-{
-	dns_rpz_st_t *st;
-	dns_rdataset_t *rdataset;
-	dns_fixedname_t nsnamef;
-	dns_name_t *nsname;
-	isc_boolean_t ck_ip;
-	isc_result_t result;
-
-	st = client->query.rpz_st;
-	if (st == NULL) {
-		st = isc_mem_get(client->mctx, sizeof(*st));
-		if (st == NULL)
-			return (ISC_R_NOMEMORY);
-		st->state = 0;
-		memset(&st->m, 0, sizeof(st->m));
-		st->m.type = DNS_RPZ_TYPE_BAD;
-		st->m.policy = DNS_RPZ_POLICY_MISS;
-		memset(&st->r, 0, sizeof(st->r));
-		memset(&st->q, 0, sizeof(st->q));
-		dns_fixedname_init(&st->_qnamef);
-		dns_fixedname_init(&st->_r_namef);
-		dns_fixedname_init(&st->_fnamef);
-		st->qname = dns_fixedname_name(&st->_qnamef);
-		st->r_name = dns_fixedname_name(&st->_r_namef);
-		st->fname = dns_fixedname_name(&st->_fnamef);
-		client->query.rpz_st = st;
-	}
-
-	/*
-	 * There is nothing to rewrite if the main query failed.
-	 */
-	switch (qresult) {
-	case ISC_R_SUCCESS:
-	case DNS_R_GLUE:
-	case DNS_R_ZONECUT:
-		ck_ip = ISC_TRUE;
-		break;
-	case DNS_R_EMPTYNAME:
-	case DNS_R_NXRRSET:
-	case DNS_R_NXDOMAIN:
-	case DNS_R_EMPTYWILD:
-	case DNS_R_NCACHENXDOMAIN:
-	case DNS_R_NCACHENXRRSET:
-	case DNS_R_CNAME:
-	case DNS_R_DNAME:
-		ck_ip = ISC_FALSE;
-		break;
-	case DNS_R_DELEGATION:
-	case ISC_R_NOTFOUND:
-		return (ISC_R_SUCCESS);
-	case ISC_R_FAILURE:
-	case ISC_R_TIMEDOUT:
-	case DNS_R_BROKENCHAIN:
-		rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME,
-			     client->query.qname,
-			     "stop on qresult in rpz_rewrite() ",
-			     qresult);
-		return (ISC_R_SUCCESS);
-	default:
-		rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME,
-			     client->query.qname,
-			     "stop on unrecognized qresult in rpz_rewrite() ",
-			     qresult);
-		return (ISC_R_SUCCESS);
-	}
-
-	rdataset = NULL;
-	if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
-		/*
-		 * Check rules for the query name if this is the first time
-		 * for the current qname, i.e. we've not been recursing.
-		 * There is a first time for each name in a CNAME chain.
-		 */
-		result = rpz_rewrite_name(client, qtype, client->query.qname,
-					  DNS_RPZ_TYPE_QNAME, &rdataset);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		st->r.label = dns_name_countlabels(client->query.qname);
-
-		st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4);
-		st->state |= DNS_RPZ_DONE_QNAME;
-	}
-
-	/*
-	 * Check known IP addresses for the query name.
-	 * Any recursion required for the query has already happened.
-	 * Do not check addresses that will not be in the ANSWER section.
-	 */
-	if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 &&
-	    (st->state & DNS_RPZ_HAVE_IP) != 0 && ck_ip) {
-		result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_IP,
-					    client->query.qname, qtype,
-					    &rdataset, resuming);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		st->state &= ~DNS_RPZ_DONE_IPv4;
-		st->state |= DNS_RPZ_DONE_QNAME_IP;
-	}
-
-	/*
-	 * Stop looking for rules if there are none of the other kinds.
-	 */
-	if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 |
-			  DNS_RPZ_HAVE_NSDNAME)) == 0) {
-		result = ISC_R_SUCCESS;
-		goto cleanup;
-	}
-
-	dns_fixedname_init(&nsnamef);
-	dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
-	while (st->r.label > client->view->rpz_min_ns_labels) {
-		/*
-		 * Get NS rrset for each domain in the current qname.
-		 */
-		if (st->r.label == dns_name_countlabels(client->query.qname)) {
-			nsname = client->query.qname;
-		} else {
-			nsname = dns_fixedname_name(&nsnamef);
-			dns_name_split(client->query.qname, st->r.label,
-				       NULL, nsname);
-		}
-		if (st->r.ns_rdataset == NULL ||
-		    !dns_rdataset_isassociated(st->r.ns_rdataset)) {
-			dns_db_t *db = NULL;
-			result = rpz_rrset_find(client, DNS_RPZ_TYPE_NSDNAME,
-						nsname, dns_rdatatype_ns,
-						&db, NULL, &st->r.ns_rdataset,
-						resuming);
-			if (db != NULL)
-				dns_db_detach(&db);
-			if (st->m.policy == DNS_RPZ_POLICY_ERROR)
-				goto cleanup;
-			switch (result) {
-			case ISC_R_SUCCESS:
-				result = dns_rdataset_first(st->r.ns_rdataset);
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-				st->state &= ~(DNS_RPZ_DONE_NSDNAME |
-					       DNS_RPZ_DONE_IPv4);
-				break;
-			case DNS_R_DELEGATION:
-				goto cleanup;
-			case DNS_R_EMPTYNAME:
-			case DNS_R_NXRRSET:
-			case DNS_R_EMPTYWILD:
-			case DNS_R_NXDOMAIN:
-			case DNS_R_NCACHENXDOMAIN:
-			case DNS_R_NCACHENXRRSET:
-			case ISC_R_NOTFOUND:
-			case DNS_R_CNAME:
-			case DNS_R_DNAME:
-				rpz_rewrite_ns_skip(client, nsname, result,
-						    0, NULL);
-				continue;
-			case ISC_R_TIMEDOUT:
-			case DNS_R_BROKENCHAIN:
-			case ISC_R_FAILURE:
-				rpz_rewrite_ns_skip(client, nsname, result,
-						DNS_RPZ_DEBUG_LEVEL3,
-						"NS db_find() ");
-				continue;
-			default:
-				rpz_rewrite_ns_skip(client, nsname, result,
-						DNS_RPZ_INFO_LEVEL,
-						"unrecognized NS db_find() ");
-				continue;
-			}
-		}
-		/*
-		 * Check all NS names.
-		 */
-		do {
-			dns_rdata_ns_t ns;
-			dns_rdata_t nsrdata = DNS_RDATA_INIT;
-
-			dns_rdataset_current(st->r.ns_rdataset, &nsrdata);
-			result = dns_rdata_tostruct(&nsrdata, &ns, NULL);
-			dns_rdata_reset(&nsrdata);
-			if (result != ISC_R_SUCCESS) {
-				rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
-					     DNS_RPZ_TYPE_NSIP, nsname,
-					     "rdata_tostruct() ", result);
-				st->m.policy = DNS_RPZ_POLICY_ERROR;
-				goto cleanup;
-			}
-			/*
-			 * Do nothing about "NS ."
-			 */
-			if (dns_name_equal(&ns.name, dns_rootname)) {
-				dns_rdata_freestruct(&ns);
-				result = dns_rdataset_next(st->r.ns_rdataset);
-				continue;
-			}
-			/*
-			 * Check this NS name if we did not handle it
-			 * during a previous recursion.
-			 */
-			if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0 &&
-			    (st->state & DNS_RPZ_HAVE_NSDNAME) != 0) {
-				result = rpz_rewrite_name(client, qtype,
-							&ns.name,
-							DNS_RPZ_TYPE_NSDNAME,
-							&rdataset);
-				if (result != ISC_R_SUCCESS) {
-					dns_rdata_freestruct(&ns);
-					goto cleanup;
-				}
-				st->state |= DNS_RPZ_DONE_NSDNAME;
-			}
-			/*
-			 * Check all IP addresses for this NS name.
-			 */
-			result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_NSIP,
-						    &ns.name, dns_rdatatype_any,
-						    &rdataset, resuming);
-			dns_rdata_freestruct(&ns);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			st->state &= ~(DNS_RPZ_DONE_NSDNAME |
-				       DNS_RPZ_DONE_IPv4);
-			result = dns_rdataset_next(st->r.ns_rdataset);
-		} while (result == ISC_R_SUCCESS);
-		dns_rdataset_disassociate(st->r.ns_rdataset);
-		st->r.label--;
-	}
-
-	/*
-	 * Use the best, if any, hit.
-	 */
-	result = ISC_R_SUCCESS;
-
-cleanup:
-	if (st->m.policy != DNS_RPZ_POLICY_MISS &&
-	    st->m.policy != DNS_RPZ_POLICY_ERROR &&
-	    st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN)
-		st->m.policy = st->m.rpz->policy;
-	if (st->m.policy == DNS_RPZ_POLICY_MISS ||
-	    st->m.policy == DNS_RPZ_POLICY_PASSTHRU ||
-	    st->m.policy == DNS_RPZ_POLICY_ERROR) {
-		if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
-		    result != DNS_R_DELEGATION)
-			rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
-					st->m.type, st->m.zone, st->qname);
-		rpz_match_clear(st);
-	}
-	if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
-		st->m.type = DNS_RPZ_TYPE_BAD;
-		result = DNS_R_SERVFAIL;
-	}
-	query_putrdataset(client, &rdataset);
-	if ((st->state & DNS_RPZ_RECURSING) == 0)
-		rpz_clean(NULL, &st->r.db, NULL, &st->r.ns_rdataset);
-
-	return (result);
-}
-
-/*
- * See if response policy zone rewriting is allowed by a lack of interest
- * by the client in DNSSEC or a lack of signatures.
- */
-static isc_boolean_t
-rpz_ck_dnssec(ns_client_t *client, isc_result_t result,
-	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_fixedname_t fixed;
-	dns_name_t *found;
-	dns_rdataset_t trdataset;
-	dns_rdatatype_t type;
-
-	if (client->view->rpz_break_dnssec)
-		return (ISC_TRUE);
-	/*
-	 * sigrdataset == NULL if and only !WANTDNSSEC(client)
-	 */
-	if (sigrdataset == NULL)
-		return (ISC_TRUE);
-	if (dns_rdataset_isassociated(sigrdataset))
-		return (ISC_FALSE);
-
-	/*
-	 * We are happy to rewrite nothing.
-	 */
-	if (rdataset == NULL || !dns_rdataset_isassociated(rdataset))
-		return (ISC_TRUE);
-	/*
-	 * Do not rewrite if there is any sign of signatures.
-	 */
-	if (rdataset->type == dns_rdatatype_nsec ||
-	    rdataset->type == dns_rdatatype_nsec3 ||
-	    rdataset->type == dns_rdatatype_rrsig)
-		return (ISC_FALSE);
-
-	/*
-	 * Look for a signature in a negative cache rdataset.
-	 */
-	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0)
-		return (ISC_TRUE);
-	dns_fixedname_init(&fixed);
-	found = dns_fixedname_name(&fixed);
-	dns_rdataset_init(&trdataset);
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_ncache_current(rdataset, found, &trdataset);
-		type = trdataset.type;
-		dns_rdataset_disassociate(&trdataset);
-		if (type == dns_rdatatype_nsec ||
-		    type == dns_rdatatype_nsec3 ||
-		    type == dns_rdatatype_rrsig)
-			return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-/*
- * Add a CNAME to the query response, including translating foo.evil.com and
- *	*.evil.com CNAME *.example.com
- * to
- *	foo.evil.com CNAME foo.evil.com.example.com
- */
-static isc_result_t
-rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
-	      dns_name_t *cname, dns_name_t *fname, isc_buffer_t *dbuf)
-{
-	dns_fixedname_t prefix, suffix;
-	unsigned int labels;
-	isc_result_t result;
-
-	labels = dns_name_countlabels(cname);
-	if (labels > 2 && dns_name_iswildcard(cname)) {
-		dns_fixedname_init(&prefix);
-		dns_name_split(client->query.qname, 1,
-			       dns_fixedname_name(&prefix), NULL);
-		dns_fixedname_init(&suffix);
-		dns_name_split(cname, labels-1,
-			       NULL, dns_fixedname_name(&suffix));
-		result = dns_name_concatenate(dns_fixedname_name(&prefix),
-					      dns_fixedname_name(&suffix),
-					      fname, NULL);
-		if (result == DNS_R_NAMETOOLONG)
-			client->message->rcode = dns_rcode_yxdomain;
-	} else {
-		result = dns_name_copy(cname, fname, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	query_keepname(client, fname, dbuf);
-	result = query_add_cname(client, client->query.qname,
-				 fname, dns_trust_authanswer, st->m.ttl);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
-			st->m.type, st->m.zone, st->qname);
-	ns_client_qnamereplace(client, fname);
-	/*
-	 * Turn off DNSSEC because the results of a
-	 * response policy zone cannot verify.
-	 */
-	client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
-				DNS_MESSAGEFLAG_AD);
-	return (ISC_R_SUCCESS);
-}
-
-#define MAX_RESTARTS 16
-
-#define QUERY_ERROR(r) \
-do { \
-	eresult = r; \
-	want_restart = ISC_FALSE; \
-	line = __LINE__; \
-} while (0)
-
-#define RECURSE_ERROR(r) \
-do { \
-	if ((r) == DNS_R_DUPLICATE || (r) == DNS_R_DROP) \
-		QUERY_ERROR(r); \
-	else \
-		QUERY_ERROR(DNS_R_SERVFAIL); \
-} while (0)
-
-/*
- * Extract a network address from the RDATA of an A or AAAA
- * record.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOTIMPLEMENTED	The rdata is not a known address type.
- */
-static isc_result_t
-rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
-	struct in_addr ina;
-	struct in6_addr in6a;
-
-	switch (rdata->type) {
-	case dns_rdatatype_a:
-		INSIST(rdata->length == 4);
-		memcpy(&ina.s_addr, rdata->data, 4);
-		isc_netaddr_fromin(netaddr, &ina);
-		return (ISC_R_SUCCESS);
-	case dns_rdatatype_aaaa:
-		INSIST(rdata->length == 16);
-		memcpy(in6a.s6_addr, rdata->data, 16);
-		isc_netaddr_fromin6(netaddr, &in6a);
-		return (ISC_R_SUCCESS);
-	default:
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-}
-
-/*
- * Find the sort order of 'rdata' in the topology-like
- * ACL forming the second element in a 2-element top-level
- * sortlist statement.
- */
-static int
-query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
-	isc_netaddr_t netaddr;
-
-	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
-		return (INT_MAX);
-	return (ns_sortlist_addrorder2(&netaddr, arg));
-}
-
-/*
- * Find the sort order of 'rdata' in the matching element
- * of a 1-element top-level sortlist statement.
- */
-static int
-query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
-	isc_netaddr_t netaddr;
-
-	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
-		return (INT_MAX);
-	return (ns_sortlist_addrorder1(&netaddr, arg));
-}
-
-/*
- * Find the sortlist statement that applies to 'client' and set up
- * the sortlist info in in client->message appropriately.
- */
-static void
-setup_query_sortlist(ns_client_t *client) {
-	isc_netaddr_t netaddr;
-	dns_rdatasetorderfunc_t order = NULL;
-	const void *order_arg = NULL;
-
-	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-	switch (ns_sortlist_setup(client->view->sortlist,
-			       &netaddr, &order_arg)) {
-	case NS_SORTLISTTYPE_1ELEMENT:
-		order = query_sortlist_order_1element;
-		break;
-	case NS_SORTLISTTYPE_2ELEMENT:
-		order = query_sortlist_order_2element;
-		break;
-	case NS_SORTLISTTYPE_NONE:
-		order = NULL;
-		break;
-	default:
-		INSIST(0);
-		break;
-	}
-	dns_message_setsortorder(client->message, order, order_arg);
-}
-
-static void
-query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
-	isc_buffer_t *dbuf, b;
-	dns_name_t *fname;
-	dns_rdataset_t *neg, *negsig;
-	isc_result_t result = ISC_R_NOMEMORY;
-
-	CTRACE("query_addnoqnameproof");
-
-	fname = NULL;
-	neg = NULL;
-	negsig = NULL;
-
-	dbuf = query_getnamebuf(client);
-	if (dbuf == NULL)
-		goto cleanup;
-	fname = query_newname(client, dbuf, &b);
-	neg = query_newrdataset(client);
-	negsig = query_newrdataset(client);
-	if (fname == NULL || neg == NULL || negsig == NULL)
-		goto cleanup;
-
-	result = dns_rdataset_getnoqname(rdataset, fname, neg, negsig);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	query_addrrset(client, &fname, &neg, &negsig, dbuf,
-		       DNS_SECTION_AUTHORITY);
-
-	if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) == 0)
-		goto cleanup;
-
-	if (fname == NULL) {
-		dbuf = query_getnamebuf(client);
-		if (dbuf == NULL)
-			goto cleanup;
-		fname = query_newname(client, dbuf, &b);
-	}
-	if (neg == NULL)
-		neg = query_newrdataset(client);
-	else if (dns_rdataset_isassociated(neg))
-		dns_rdataset_disassociate(neg);
-	if (negsig == NULL)
-		negsig = query_newrdataset(client);
-	else if (dns_rdataset_isassociated(negsig))
-		dns_rdataset_disassociate(negsig);
-	if (fname == NULL || neg == NULL || negsig == NULL)
-		goto cleanup;
-	result = dns_rdataset_getclosest(rdataset, fname, neg, negsig);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	query_addrrset(client, &fname, &neg, &negsig, dbuf,
-		       DNS_SECTION_AUTHORITY);
-
- cleanup:
-	if (neg != NULL)
-		query_putrdataset(client, &neg);
-	if (negsig != NULL)
-		query_putrdataset(client, &negsig);
-	if (fname != NULL)
-		query_releasename(client, &fname);
-}
-
-static inline void
-answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
-	dns_name_t *name;
-	dns_message_t *msg;
-	dns_section_t section = DNS_SECTION_ADDITIONAL;
-	dns_rdataset_t *rdataset = NULL;
-
-	msg = client->message;
-	for (name = ISC_LIST_HEAD(msg->sections[section]);
-	     name != NULL;
-	     name = ISC_LIST_NEXT(name, link))
-		if (dns_name_equal(name, client->query.qname)) {
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link))
-				if (rdataset->type == qtype)
-					break;
-			break;
-		}
-	if (rdataset != NULL) {
-		ISC_LIST_UNLINK(msg->sections[section], name, link);
-		ISC_LIST_PREPEND(msg->sections[section], name, link);
-		ISC_LIST_UNLINK(name->list, rdataset, link);
-		ISC_LIST_PREPEND(name->list, rdataset, link);
-		rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE;
-	}
-}
-
-#define NS_NAME_INIT(A,B) \
-	 { \
-		DNS_NAME_MAGIC, \
-		A, sizeof(A), sizeof(B), \
-		DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
-		B, NULL, { (void *)-1, (void *)-1}, \
-		{NULL, NULL} \
-	}
-
-static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
-static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
-static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
-
-static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
-
-static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
-
-static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
-
-static dns_name_t rfc1918names[] = {
-	NS_NAME_INIT(inaddr10, inaddr10_offsets),
-	NS_NAME_INIT(inaddr16172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr17172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr18172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr19172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr20172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr21172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr22172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr23172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr24172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr25172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr26172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr27172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr28172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr29172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr30172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr31172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr168192, inaddr192_offsets)
-};
-
-
-static unsigned char prisoner_data[] = "\010prisoner\004iana\003org";
-static unsigned char hostmaster_data[] = "\012hostmaster\014root-servers\003org";
-
-static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 };
-static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 };
-
-static dns_name_t prisoner = NS_NAME_INIT(prisoner_data, prisoner_offsets);
-static dns_name_t hostmaster = NS_NAME_INIT(hostmaster_data, hostmaster_offsets);
-
-static void
-warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
-	unsigned int i;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_soa_t soa;
-	dns_rdataset_t found;
-	isc_result_t result;
-
-	for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++) {
-		if (dns_name_issubdomain(fname, &rfc1918names[i])) {
-			dns_rdataset_init(&found);
-			result = dns_ncache_getrdataset(rdataset,
-							&rfc1918names[i],
-							dns_rdatatype_soa,
-							&found);
-			if (result != ISC_R_SUCCESS)
-				return;
-
-			result = dns_rdataset_first(&found);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			dns_rdataset_current(&found, &rdata);
-			result = dns_rdata_tostruct(&rdata, &soa, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if (dns_name_equal(&soa.origin, &prisoner) &&
-			    dns_name_equal(&soa.contact, &hostmaster)) {
-				char buf[DNS_NAME_FORMATSIZE];
-				dns_name_format(fname, buf, sizeof(buf));
-				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-					      NS_LOGMODULE_QUERY,
-					      ISC_LOG_WARNING,
-					      "RFC 1918 response from "
-					      "Internet for %s", buf);
-			}
-			dns_rdataset_disassociate(&found);
-			return;
-		}
-	}
-}
-
-static void
-query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
-		       dns_dbversion_t *version, ns_client_t *client,
-		       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		       dns_name_t *fname, isc_boolean_t exact,
-		       dns_name_t *found)
-{
-	unsigned char salt[256];
-	size_t salt_length;
-	isc_uint16_t iterations;
-	isc_result_t result;
-	unsigned int dboptions;
-	dns_fixedname_t fixed;
-	dns_hash_t hash;
-	dns_name_t name;
-	int order;
-	unsigned int count;
-	dns_rdata_nsec3_t nsec3;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_boolean_t optout;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	salt_length = sizeof(salt);
-	result = dns_db_getnsec3parameters(db, version, &hash, NULL,
-					   &iterations, salt, &salt_length);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	dns_name_init(&name, NULL);
-	dns_name_clone(qname, &name);
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	/*
-	 * Map unknown algorithm to known value.
-	 */
-	if (hash == DNS_NSEC3_UNKNOWNALG)
-		hash = 1;
-
- again:
-	dns_fixedname_init(&fixed);
-	result = dns_nsec3_hashname(&fixed, NULL, NULL, &name,
-				    dns_db_origin(db), hash,
-				    iterations, salt, salt_length);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3;
-	result = dns_db_findext(db, dns_fixedname_name(&fixed), version,
-				dns_rdatatype_nsec3, dboptions, client->now,
-				NULL, fname, &cm, &ci, rdataset, sigrdataset);
-
-	if (result == DNS_R_NXDOMAIN) {
-		if (!dns_rdataset_isassociated(rdataset)) {
-			return;
-		}
-		result = dns_rdataset_first(rdataset);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_rdataset_current(rdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &nsec3, NULL);
-		dns_rdata_reset(&rdata);
-		optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
-		if (found != NULL && optout &&
-		    dns_name_fullcompare(&name, dns_db_origin(db), &order,
-					 &count) == dns_namereln_subdomain) {
-			dns_rdataset_disassociate(rdataset);
-			if (dns_rdataset_isassociated(sigrdataset))
-				dns_rdataset_disassociate(sigrdataset);
-			count = dns_name_countlabels(&name) - 1;
-			dns_name_getlabelsequence(&name, 1, count, &name);
-			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
-				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
-				      "looking for closest provable encloser");
-			goto again;
-		}
-		if (exact)
-			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
-				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
-				      "expected a exact match NSEC3, got "
-				      "a covering record");
-
-	} else if (result != ISC_R_SUCCESS) {
-		return;
-	} else if (!exact)
-		ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
-			      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
-			      "expected covering NSEC3, got an exact match");
-	if (found != NULL)
-		dns_name_copy(&name, found, NULL);
-	return;
-}
-
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-static isc_boolean_t
-is_v4_client(ns_client_t *client) {
-	if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
-		return (ISC_TRUE);
-	if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
-	    IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-#endif
-
-static isc_uint32_t
-dns64_ttl(dns_db_t *db, dns_dbversion_t *version) {
-	dns_dbnode_t *node = NULL;
-	dns_rdata_soa_t soa;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-	isc_uint32_t ttl = ISC_UINT32_MAX;
-
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
-				     0, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_rdataset_first(&rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_rdataset_current(&rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &soa, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	ttl = ISC_MIN(rdataset.ttl, soa.minimum);
-
-cleanup:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (ttl);
-}
-
-static isc_boolean_t
-dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset,
-	     dns_rdataset_t *sigrdataset)
-{
-	isc_netaddr_t netaddr;
-	dns_dns64_t *dns64 = ISC_LIST_HEAD(client->view->dns64);
-	unsigned int flags = 0;
-	unsigned int i, count;
-	isc_boolean_t *aaaaok;
-
-	INSIST(client->query.dns64_aaaaok == NULL);
-	INSIST(client->query.dns64_aaaaoklen == 0);
-	INSIST(client->query.dns64_aaaa == NULL);
-	INSIST(client->query.dns64_sigaaaa == NULL);
-
-	if (dns64 == NULL)
-		return (ISC_TRUE);
-
-	if (RECURSIONOK(client))
-		flags |= DNS_DNS64_RECURSIVE;
-
-	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
-		flags |= DNS_DNS64_DNSSEC;
-
-	count = dns_rdataset_count(rdataset);
-	aaaaok = isc_mem_get(client->mctx, sizeof(isc_boolean_t) * count);
-
-	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-	if (dns_dns64_aaaaok(dns64, &netaddr, client->signer,
-			     &ns_g_server->aclenv, flags, rdataset,
-			     aaaaok, count)) {
-		for (i = 0; i < count; i++) {
-			if (aaaaok != NULL && !aaaaok[i]) {
-				client->query.dns64_aaaaok = aaaaok;
-				client->query.dns64_aaaaoklen = count;
-				break;
-			}
-		}
-		if (i == count && aaaaok != NULL)
-			isc_mem_put(client->mctx, aaaaok,
-				    sizeof(isc_boolean_t) * count);
-		return (ISC_TRUE);
-	}
-	if (aaaaok != NULL)
-		isc_mem_put(client->mctx, aaaaok,
-			    sizeof(isc_boolean_t) * count);
-	return (ISC_FALSE);
-}
-
-/*
- * Look for the name and type in the redirection zone.  If found update
- * the arguments as appropriate.  Return ISC_TRUE if a update was
- * performed.
- *
- * Only perform the update if the client is in the allow query acl and
- * returning the update would not cause a DNSSEC validation failure.
- */
-static isc_boolean_t
-redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
-	 dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp,
-	 dns_rdatatype_t qtype)
-{
-	dns_db_t *db = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_fixedname_t fixed;
-	dns_name_t *found;
-	dns_rdataset_t trdataset;
-	isc_result_t result;
-	dns_rdatatype_t type;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-	ns_dbversion_t *dbversion;
-
-	CTRACE("redirect");
-
-	if (client->view->redirect == NULL)
-		return (ISC_FALSE);
-
-	dns_fixedname_init(&fixed);
-	found = dns_fixedname_name(&fixed);
-	dns_rdataset_init(&trdataset);
-
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
-		return (ISC_FALSE);
-
-	if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
-		if (rdataset->trust == dns_trust_secure)
-			return (ISC_FALSE);
-		if (rdataset->trust == dns_trust_ultimate &&
-		    (rdataset->type == dns_rdatatype_nsec ||
-		     rdataset->type == dns_rdatatype_nsec3))
-			return (ISC_FALSE);
-		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
-			for (result = dns_rdataset_first(rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rdataset)) {
-				dns_ncache_current(rdataset, found, &trdataset);
-				type = trdataset.type;
-				dns_rdataset_disassociate(&trdataset);
-				if (type == dns_rdatatype_nsec ||
-				    type == dns_rdatatype_nsec3 ||
-				    type == dns_rdatatype_rrsig)
-					return (ISC_FALSE);
-			}
-		}
-	}
-
-	result = ns_client_checkaclsilent(client, NULL,
-				 dns_zone_getqueryacl(client->view->redirect),
-					  ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-
-	result = dns_zone_getdb(client->view->redirect, &db);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-
-	dbversion = query_findversion(client, db);
-	if (dbversion == NULL) {
-		dns_db_detach(&db);
-		return (ISC_FALSE);
-	}
-
-	/*
-	 * Lookup the requested data in the redirect zone.
-	 */
-	result = dns_db_findext(db, client->query.qname, dbversion->version,
-				qtype, 0, client->now, &node, found, &cm, &ci,
-				&trdataset, NULL);
-	if (result != ISC_R_SUCCESS) {
-		if (dns_rdataset_isassociated(&trdataset))
-			dns_rdataset_disassociate(&trdataset);
-		if (node != NULL)
-			dns_db_detachnode(db, &node);
-		dns_db_detach(&db);
-		return (ISC_FALSE);
-	}
-	CTRACE("redirect: found data: done");
-
-	dns_name_copy(found, name, NULL);
-	if (dns_rdataset_isassociated(rdataset))
-		dns_rdataset_disassociate(rdataset);
-	if (dns_rdataset_isassociated(&trdataset)) {
-		dns_rdataset_clone(&trdataset, rdataset);
-		dns_rdataset_disassociate(&trdataset);
-	}
-	if (*nodep != NULL)
-		dns_db_detachnode(*dbp, nodep);
-	dns_db_detach(dbp);
-	dns_db_attachnode(db, node, nodep);
-	dns_db_attach(db, dbp);
-	dns_db_detachnode(db, &node);
-	dns_db_detach(&db);
-	*versionp = dbversion->version;
-
-	client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
-				     NS_QUERYATTR_NOADDITIONAL);
-
-	return (ISC_TRUE);
-}
-
-/*
- * Do the bulk of query processing for the current query of 'client'.
- * If 'event' is non-NULL, we are returning from recursion and 'qtype'
- * is ignored.  Otherwise, 'qtype' is the query type.
- */
-static isc_result_t
-query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
-{
-	dns_db_t *db, *zdb;
-	dns_dbnode_t *node;
-	dns_rdatatype_t type;
-	dns_name_t *fname, *zfname, *tname, *prefix;
-	dns_rdataset_t *rdataset, *trdataset;
-	dns_rdataset_t *sigrdataset, *zrdataset, *zsigrdataset;
-	dns_rdataset_t **sigrdatasetp;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdatasetiter_t *rdsiter;
-	isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof;
-	isc_boolean_t is_staticstub_zone;
-	unsigned int n, nlabels;
-	dns_namereln_t namereln;
-	int order;
-	isc_buffer_t *dbuf;
-	isc_buffer_t b;
-	isc_result_t result, eresult;
-	dns_fixedname_t fixed;
-	dns_fixedname_t wildcardname;
-	dns_dbversion_t *version, *zversion;
-	dns_zone_t *zone;
-	dns_rdata_cname_t cname;
-	dns_rdata_dname_t dname;
-	unsigned int options;
-	isc_boolean_t empty_wild;
-	dns_rdataset_t *noqname;
-	dns_rpz_st_t *rpz_st;
-	isc_boolean_t resuming;
-	int line = -1;
-	isc_boolean_t dns64_exclude, dns64;
-	dns_clientinfomethods_t cm;
-	dns_clientinfo_t ci;
-
-	CTRACE("query_find");
-
-	/*
-	 * One-time initialization.
-	 *
-	 * It's especially important to initialize anything that the cleanup
-	 * code might cleanup.
-	 */
-
-	eresult = ISC_R_SUCCESS;
-	fname = NULL;
-	zfname = NULL;
-	rdataset = NULL;
-	zrdataset = NULL;
-	sigrdataset = NULL;
-	zsigrdataset = NULL;
-	zversion = NULL;
-	node = NULL;
-	db = NULL;
-	zdb = NULL;
-	version = NULL;
-	zone = NULL;
-	need_wildcardproof = ISC_FALSE;
-	empty_wild = ISC_FALSE;
-	dns64_exclude = dns64 = ISC_FALSE;
-	options = 0;
-	resuming = ISC_FALSE;
-	is_zone = ISC_FALSE;
-	is_staticstub_zone = ISC_FALSE;
-
-	dns_clientinfomethods_init(&cm, ns_client_sourceip);
-	dns_clientinfo_init(&ci, client);
-
-	if (event != NULL) {
-		/*
-		 * We're returning from recursion.  Restore the query context
-		 * and resume.
-		 */
-		want_restart = ISC_FALSE;
-
-		rpz_st = client->query.rpz_st;
-		if (rpz_st != NULL &&
-		    (rpz_st->state & DNS_RPZ_RECURSING) != 0) {
-			is_zone = rpz_st->q.is_zone;
-			authoritative = rpz_st->q.authoritative;
-			zone = rpz_st->q.zone;
-			rpz_st->q.zone = NULL;
-			node = rpz_st->q.node;
-			rpz_st->q.node = NULL;
-			db = rpz_st->q.db;
-			rpz_st->q.db = NULL;
-			rdataset = rpz_st->q.rdataset;
-			rpz_st->q.rdataset = NULL;
-			sigrdataset = rpz_st->q.sigrdataset;
-			rpz_st->q.sigrdataset = NULL;
-			qtype = rpz_st->q.qtype;
-
-			rpz_st->r.db = event->db;
-			if (event->node != NULL)
-				dns_db_detachnode(event->db, &event->node);
-			rpz_st->r.r_type = event->qtype;
-			rpz_st->r.r_rdataset = event->rdataset;
-			query_putrdataset(client, &event->sigrdataset);
-		} else {
-			authoritative = ISC_FALSE;
-
-			qtype = event->qtype;
-			db = event->db;
-			node = event->node;
-			rdataset = event->rdataset;
-			sigrdataset = event->sigrdataset;
-		}
-
-		if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
-			type = dns_rdatatype_any;
-		else
-			type = qtype;
-
-		if (DNS64(client)) {
-			client->query.attributes &= ~NS_QUERYATTR_DNS64;
-			dns64 = ISC_TRUE;
-		}
-		if (DNS64EXCLUDE(client)) {
-			client->query.attributes &= ~NS_QUERYATTR_DNS64EXCLUDE;
-			dns64_exclude = ISC_TRUE;
-		}
-
-		/*
-		 * We'll need some resources...
-		 */
-		dbuf = query_getnamebuf(client);
-		if (dbuf == NULL) {
-			QUERY_ERROR(DNS_R_SERVFAIL);
-			goto cleanup;
-		}
-		fname = query_newname(client, dbuf, &b);
-		if (fname == NULL) {
-			QUERY_ERROR(DNS_R_SERVFAIL);
-			goto cleanup;
-		}
-		if (rpz_st != NULL &&
-		    (rpz_st->state & DNS_RPZ_RECURSING) != 0) {
-			tname = rpz_st->fname;
-		} else {
-			tname = dns_fixedname_name(&event->foundname);
-		}
-		result = dns_name_copy(tname, fname, NULL);
-		if (result != ISC_R_SUCCESS) {
-			QUERY_ERROR(DNS_R_SERVFAIL);
-			goto cleanup;
-		}
-		if (rpz_st != NULL &&
-		    (rpz_st->state & DNS_RPZ_RECURSING) != 0) {
-			rpz_st->r.r_result = event->result;
-			result = rpz_st->q.result;
-			isc_event_free(ISC_EVENT_PTR(&event));
-		} else {
-			result = event->result;
-		}
-		resuming = ISC_TRUE;
-		goto resume;
-	}
-
-	/*
-	 * Not returning from recursion.
-	 */
-
-	/*
-	 * If it's a SIG query, we'll iterate the node.
-	 */
-	if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
-		type = dns_rdatatype_any;
-	else
-		type = qtype;
-
- restart:
-	CTRACE("query_find: restart");
-	want_restart = ISC_FALSE;
-	authoritative = ISC_FALSE;
-	version = NULL;
-	need_wildcardproof = ISC_FALSE;
-
-	if (client->view->checknames &&
-	    !dns_rdata_checkowner(client->query.qname,
-				  client->message->rdclass,
-				  qtype, ISC_FALSE)) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		char typename[DNS_RDATATYPE_FORMATSIZE];
-		char classname[DNS_RDATACLASS_FORMATSIZE];
-
-		dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
-		dns_rdatatype_format(qtype, typename, sizeof(typename));
-		dns_rdataclass_format(client->message->rdclass, classname,
-				      sizeof(classname));
-		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_QUERY, ISC_LOG_ERROR,
-			      "check-names failure %s/%s/%s", namebuf,
-			      typename, classname);
-		QUERY_ERROR(DNS_R_REFUSED);
-		goto cleanup;
-	}
-
-	/*
-	 * First we must find the right database.
-	 */
-	options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */
-	if (dns_rdatatype_atparent(qtype) &&
-	    !dns_name_equal(client->query.qname, dns_rootname))
-		options |= DNS_GETDB_NOEXACT;
-	result = query_getdb(client, client->query.qname, qtype, options,
-			     &zone, &db, &version, &is_zone);
-	if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) &&
-	    (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) {
-		/*
-		 * Look to see if we are authoritative for the
-		 * child zone if the query type is DS.
-		 */
-		dns_db_t *tdb = NULL;
-		dns_zone_t *tzone = NULL;
-		dns_dbversion_t *tversion = NULL;
-		isc_result_t tresult;
-
-		tresult = query_getzonedb(client, client->query.qname, qtype,
-					 DNS_GETDB_PARTIAL, &tzone, &tdb,
-					 &tversion);
-		if (tresult == ISC_R_SUCCESS) {
-			options &= ~DNS_GETDB_NOEXACT;
-			query_putrdataset(client, &rdataset);
-			if (db != NULL)
-				dns_db_detach(&db);
-			if (zone != NULL)
-				dns_zone_detach(&zone);
-			version = tversion;
-			db = tdb;
-			zone = tzone;
-			is_zone = ISC_TRUE;
-			result = ISC_R_SUCCESS;
-		} else {
-			if (tdb != NULL)
-				dns_db_detach(&tdb);
-			if (tzone != NULL)
-				dns_zone_detach(&tzone);
-		}
-	}
-	if (result != ISC_R_SUCCESS) {
-		if (result == DNS_R_REFUSED) {
-			if (WANTRECURSION(client)) {
-				inc_stats(client,
-					  dns_nsstatscounter_recurserej);
-			} else
-				inc_stats(client, dns_nsstatscounter_authrej);
-			if (!PARTIALANSWER(client))
-				QUERY_ERROR(DNS_R_REFUSED);
-		} else
-			QUERY_ERROR(DNS_R_SERVFAIL);
-		goto cleanup;
-	}
-
-	is_staticstub_zone = ISC_FALSE;
-	if (is_zone) {
-		authoritative = ISC_TRUE;
-		if (zone != NULL &&
-		    dns_zone_gettype(zone) == dns_zone_staticstub)
-			is_staticstub_zone = ISC_TRUE;
-	}
-
-	if (event == NULL && client->query.restarts == 0) {
-		if (is_zone) {
-			if (zone != NULL) {
-				/*
-				 * if is_zone = true, zone = NULL then this is
-				 * a DLZ zone.  Don't attempt to attach zone.
-				 */
-				dns_zone_attach(zone, &client->query.authzone);
-			}
-			dns_db_attach(db, &client->query.authdb);
-		}
-		client->query.authdbset = ISC_TRUE;
-	}
-
- db_find:
-	CTRACE("query_find: db_find");
-	/*
-	 * We'll need some resources...
-	 */
-	dbuf = query_getnamebuf(client);
-	if (dbuf == NULL) {
-		QUERY_ERROR(DNS_R_SERVFAIL);
-		goto cleanup;
-	}
-	fname = query_newname(client, dbuf, &b);
-	rdataset = query_newrdataset(client);
-	if (fname == NULL || rdataset == NULL) {
-		QUERY_ERROR(DNS_R_SERVFAIL);
-		goto cleanup;
-	}
-	if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) {
-		sigrdataset = query_newrdataset(client);
-		if (sigrdataset == NULL) {
-			QUERY_ERROR(DNS_R_SERVFAIL);
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * Now look for an answer in the database.
-	 */
-	result = dns_db_findext(db, client->query.qname, version, type,
-				client->query.dboptions, client->now,
-				&node, fname, &cm, &ci, rdataset, sigrdataset);
-
- resume:
-	CTRACE("query_find: resume");
-
-	if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
-	    (RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
-	    rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
-	    !RECURSING(client) &&
-	    (client->query.rpz_st == NULL ||
-	     (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) &&
-	    !dns_name_equal(client->query.qname, dns_rootname)) {
-		isc_result_t rresult;
-
-		rresult = rpz_rewrite(client, qtype, result, resuming);
-		rpz_st = client->query.rpz_st;
-		switch (rresult) {
-		case ISC_R_SUCCESS:
-			break;
-		case DNS_R_DELEGATION:
-			/*
-			 * recursing for NS names or addresses,
-			 * so save the main query state
-			 */
-			rpz_st->q.qtype = qtype;
-			rpz_st->q.is_zone = is_zone;
-			rpz_st->q.authoritative = authoritative;
-			rpz_st->q.zone = zone;
-			zone = NULL;
-			rpz_st->q.db = db;
-			db = NULL;
-			rpz_st->q.node = node;
-			node = NULL;
-			rpz_st->q.rdataset = rdataset;
-			rdataset = NULL;
-			rpz_st->q.sigrdataset = sigrdataset;
-			sigrdataset = NULL;
-			dns_name_copy(fname, rpz_st->fname, NULL);
-			rpz_st->q.result = result;
-			client->query.attributes |= NS_QUERYATTR_RECURSING;
-			goto cleanup;
-		default:
-			RECURSE_ERROR(rresult);
-			goto cleanup;
-		}
-		if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS)
-			rpz_st->state |= DNS_RPZ_REWRITTEN;
-		if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
-		    rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU &&
-		    rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
-			if (rpz_st->m.type == DNS_RPZ_TYPE_QNAME) {
-				result = dns_name_copy(client->query.qname,
-						       fname, NULL);
-				RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			}
-			rpz_clean(&zone, &db, &node, NULL);
-			if (rpz_st->m.rdataset != NULL) {
-				query_putrdataset(client, &rdataset);
-				rdataset = rpz_st->m.rdataset;
-				rpz_st->m.rdataset = NULL;
-			} else if (rdataset != NULL &&
-				   dns_rdataset_isassociated(rdataset)) {
-				dns_rdataset_disassociate(rdataset);
-			}
-			node = rpz_st->m.node;
-			rpz_st->m.node = NULL;
-			db = rpz_st->m.db;
-			rpz_st->m.db = NULL;
-			version = rpz_st->m.version;
-			rpz_st->m.version = NULL;
-			zone = rpz_st->m.zone;
-			rpz_st->m.zone = NULL;
-
-			switch (rpz_st->m.policy) {
-			case DNS_RPZ_POLICY_NXDOMAIN:
-				result = DNS_R_NXDOMAIN;
-				break;
-			case DNS_RPZ_POLICY_NODATA:
-				result = DNS_R_NXRRSET;
-				break;
-			case DNS_RPZ_POLICY_RECORD:
-				result = rpz_st->m.result;
-				if (qtype == dns_rdatatype_any &&
-				    result != DNS_R_CNAME) {
-					/*
-					 * We will add all of the rdatasets of
-					 * the node by iterating, setting the
-					 * TTL then.
-					 */
-					if (dns_rdataset_isassociated(rdataset))
-					    dns_rdataset_disassociate(rdataset);
-				} else {
-					/*
-					 * We will add this rdataset.
-					 */
-					rdataset->ttl = ISC_MIN(rdataset->ttl,
-							    rpz_st->m.ttl);
-				}
-				break;
-			case DNS_RPZ_POLICY_WILDCNAME:
-				result = dns_rdataset_first(rdataset);
-				RUNTIME_CHECK(result == ISC_R_SUCCESS);
-				dns_rdataset_current(rdataset, &rdata);
-				result = dns_rdata_tostruct(&rdata, &cname,
-							    NULL);
-				RUNTIME_CHECK(result == ISC_R_SUCCESS);
-				dns_rdata_reset(&rdata);
-				result = rpz_add_cname(client, rpz_st,
-						       &cname.cname,
-						       fname, dbuf);
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-				fname = NULL;
-				want_restart = ISC_TRUE;
-				goto cleanup;
-			case DNS_RPZ_POLICY_CNAME:
-				/*
-				 * Add overridding CNAME from a named.conf
-				 * response-policy statement
-				 */
-				result = rpz_add_cname(client, rpz_st,
-						       &rpz_st->m.rpz->cname,
-						       fname, dbuf);
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-				fname = NULL;
-				want_restart = ISC_TRUE;
-				goto cleanup;
-			default:
-				INSIST(0);
-			}
-
-			/*
-			 * Turn off DNSSEC because the results of a
-			 * response policy zone cannot verify.
-			 */
-			client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
-						DNS_MESSAGEFLAG_AD);
-			query_putrdataset(client, &sigrdataset);
-			rpz_st->q.is_zone = is_zone;
-			is_zone = ISC_TRUE;
-			rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
-					rpz_st->m.type, zone, rpz_st->qname);
-		}
-	}
-
-	switch (result) {
-	case ISC_R_SUCCESS:
-		/*
-		 * This case is handled in the main line below.
-		 */
-		break;
-	case DNS_R_GLUE:
-	case DNS_R_ZONECUT:
-		/*
-		 * These cases are handled in the main line below.
-		 */
-		INSIST(is_zone);
-		authoritative = ISC_FALSE;
-		break;
-	case ISC_R_NOTFOUND:
-		/*
-		 * The cache doesn't even have the root NS.  Get them from
-		 * the hints DB.
-		 */
-		INSIST(!is_zone);
-		if (db != NULL)
-			dns_db_detach(&db);
-
-		if (client->view->hints == NULL) {
-			/* We have no hints. */
-			result = ISC_R_FAILURE;
-		} else {
-			dns_db_attach(client->view->hints, &db);
-			result = dns_db_findext(db, dns_rootname,
-						NULL, dns_rdatatype_ns,
-						0, client->now, &node,
-						fname, &cm, &ci,
-						rdataset, sigrdataset);
-		}
-		if (result != ISC_R_SUCCESS) {
-			/*
-			 * Nonsensical root hints may require cleanup.
-			 */
-			if (dns_rdataset_isassociated(rdataset))
-				dns_rdataset_disassociate(rdataset);
-			if (sigrdataset != NULL &&
-			    dns_rdataset_isassociated(sigrdataset))
-				dns_rdataset_disassociate(sigrdataset);
-			if (node != NULL)
-				dns_db_detachnode(db, &node);
-
-			/*
-			 * We don't have any root server hints, but
-			 * we may have working forwarders, so try to
-			 * recurse anyway.
-			 */
-			if (RECURSIONOK(client)) {
-				result = query_recurse(client, qtype,
-						       client->query.qname,
-						       NULL, NULL, resuming);
-				if (result == ISC_R_SUCCESS) {
-					client->query.attributes |=
-						NS_QUERYATTR_RECURSING;
-					if (dns64)
-						client->query.attributes |=
-							NS_QUERYATTR_DNS64;
-					if (dns64_exclude)
-						client->query.attributes |=
-						      NS_QUERYATTR_DNS64EXCLUDE;
-				} else
-					RECURSE_ERROR(result);
-				goto cleanup;
-			} else {
-				/* Unable to give root server referral. */
-				QUERY_ERROR(DNS_R_SERVFAIL);
-				goto cleanup;
-			}
-		}
-		/*
-		 * XXXRTH  We should trigger root server priming here.
-		 */
-		/* FALLTHROUGH */
-	case DNS_R_DELEGATION:
-		authoritative = ISC_FALSE;
-		if (is_zone) {
-			/*
-			 * Look to see if we are authoritative for the
-			 * child zone if the query type is DS.
-			 */
-			if (!RECURSIONOK(client) &&
-			    (options & DNS_GETDB_NOEXACT) != 0 &&
-			    qtype == dns_rdatatype_ds) {
-				dns_db_t *tdb = NULL;
-				dns_zone_t *tzone = NULL;
-				dns_dbversion_t *tversion = NULL;
-				result = query_getzonedb(client,
-							 client->query.qname,
-							 qtype,
-							 DNS_GETDB_PARTIAL,
-							 &tzone, &tdb,
-							 &tversion);
-				if (result == ISC_R_SUCCESS) {
-					options &= ~DNS_GETDB_NOEXACT;
-					query_putrdataset(client, &rdataset);
-					if (sigrdataset != NULL)
-						query_putrdataset(client,
-								  &sigrdataset);
-					if (fname != NULL)
-						query_releasename(client,
-								  &fname);
-					if (node != NULL)
-						dns_db_detachnode(db, &node);
-					if (db != NULL)
-						dns_db_detach(&db);
-					if (zone != NULL)
-						dns_zone_detach(&zone);
-					version = tversion;
-					db = tdb;
-					zone = tzone;
-					authoritative = ISC_TRUE;
-					goto db_find;
-				}
-				if (tdb != NULL)
-					dns_db_detach(&tdb);
-				if (tzone != NULL)
-					dns_zone_detach(&tzone);
-			}
-			/*
-			 * We're authoritative for an ancestor of QNAME.
-			 */
-			if (!USECACHE(client) || !RECURSIONOK(client)) {
-				dns_fixedname_t fixed;
-
-				dns_fixedname_init(&fixed);
-				dns_name_copy(fname,
-					      dns_fixedname_name(&fixed), NULL);
-
-				/*
-				 * If we don't have a cache, this is the best
-				 * answer.
-				 *
-				 * If the client is making a nonrecursive
-				 * query we always give out the authoritative
-				 * delegation.  This way even if we get
-				 * junk in our cache, we won't fail in our
-				 * role as the delegating authority if another
-				 * nameserver asks us about a delegated
-				 * subzone.
-				 *
-				 * We enable the retrieval of glue for this
-				 * database by setting client->query.gluedb.
-				 */
-				client->query.gluedb = db;
-				client->query.isreferral = ISC_TRUE;
-				/*
-				 * We must ensure NOADDITIONAL is off,
-				 * because the generation of
-				 * additional data is required in
-				 * delegations.
-				 */
-				client->query.attributes &=
-					~NS_QUERYATTR_NOADDITIONAL;
-				if (sigrdataset != NULL)
-					sigrdatasetp = &sigrdataset;
-				else
-					sigrdatasetp = NULL;
-				query_addrrset(client, &fname,
-					       &rdataset, sigrdatasetp,
-					       dbuf, DNS_SECTION_AUTHORITY);
-				client->query.gluedb = NULL;
-				if (WANTDNSSEC(client))
-					query_addds(client, db, node, version,
-						   dns_fixedname_name(&fixed));
-			} else {
-				/*
-				 * We might have a better answer or delegation
-				 * in the cache.  We'll remember the current
-				 * values of fname, rdataset, and sigrdataset.
-				 * We'll then go looking for QNAME in the
-				 * cache.  If we find something better, we'll
-				 * use it instead.
-				 */
-				query_keepname(client, fname, dbuf);
-				zdb = db;
-				zfname = fname;
-				fname = NULL;
-				zrdataset = rdataset;
-				rdataset = NULL;
-				zsigrdataset = sigrdataset;
-				sigrdataset = NULL;
-				dns_db_detachnode(db, &node);
-				zversion = version;
-				version = NULL;
-				db = NULL;
-				dns_db_attach(client->view->cachedb, &db);
-				is_zone = ISC_FALSE;
-				goto db_find;
-			}
-		} else {
-			if (zfname != NULL &&
-			    (!dns_name_issubdomain(fname, zfname) ||
-			     (is_staticstub_zone &&
-			      dns_name_equal(fname, zfname)))) {
-				/*
-				 * In the following cases use "authoritative"
-				 * data instead of the cache delegation:
-				 * 1. We've already got a delegation from
-				 *    authoritative data, and it is better
-				 *    than what we found in the cache.
-				 * 2. The query name matches the origin name
-				 *    of a static-stub zone.  This needs to be
-				 *    considered for the case where the NS of
-				 *    the static-stub zone and the cached NS
-				 *    are different.  We still need to contact
-				 *    the nameservers configured in the
-				 *    static-stub zone.
-				 */
-				query_releasename(client, &fname);
-				fname = zfname;
-				zfname = NULL;
-				/*
-				 * We've already done query_keepname() on
-				 * zfname, so we must set dbuf to NULL to
-				 * prevent query_addrrset() from trying to
-				 * call query_keepname() again.
-				 */
-				dbuf = NULL;
-				query_putrdataset(client, &rdataset);
-				if (sigrdataset != NULL)
-					query_putrdataset(client,
-							  &sigrdataset);
-				rdataset = zrdataset;
-				zrdataset = NULL;
-				sigrdataset = zsigrdataset;
-				zsigrdataset = NULL;
-				version = zversion;
-				zversion = NULL;
-				/*
-				 * We don't clean up zdb here because we
-				 * may still need it.  It will get cleaned
-				 * up by the main cleanup code.
-				 */
-			}
-
-			if (RECURSIONOK(client)) {
-				/*
-				 * Recurse!
-				 */
-				if (dns_rdatatype_atparent(type))
-					result = query_recurse(client, qtype,
-							 client->query.qname,
-							 NULL, NULL, resuming);
-				else if (dns64)
-					result = query_recurse(client,
-							 dns_rdatatype_a,
-							 client->query.qname,
-							 NULL, NULL, resuming);
-				else
-					result = query_recurse(client, qtype,
-							 client->query.qname,
-							 fname, rdataset,
-							 resuming);
-
-				if (result == ISC_R_SUCCESS) {
-					client->query.attributes |=
-						NS_QUERYATTR_RECURSING;
-					if (dns64)
-						client->query.attributes |=
-							NS_QUERYATTR_DNS64;
-					if (dns64_exclude)
-						client->query.attributes |=
-						      NS_QUERYATTR_DNS64EXCLUDE;
-				} else if (result == DNS_R_DUPLICATE ||
-					 result == DNS_R_DROP)
-					QUERY_ERROR(result);
-				else
-					RECURSE_ERROR(result);
-			} else {
-				dns_fixedname_t fixed;
-
-				dns_fixedname_init(&fixed);
-				dns_name_copy(fname,
-					      dns_fixedname_name(&fixed), NULL);
-				/*
-				 * This is the best answer.
-				 */
-				client->query.attributes |=
-					NS_QUERYATTR_CACHEGLUEOK;
-				client->query.gluedb = zdb;
-				client->query.isreferral = ISC_TRUE;
-				/*
-				 * We must ensure NOADDITIONAL is off,
-				 * because the generation of
-				 * additional data is required in
-				 * delegations.
-				 */
-				client->query.attributes &=
-					~NS_QUERYATTR_NOADDITIONAL;
-				if (sigrdataset != NULL)
-					sigrdatasetp = &sigrdataset;
-				else
-					sigrdatasetp = NULL;
-				query_addrrset(client, &fname,
-					       &rdataset, sigrdatasetp,
-					       dbuf, DNS_SECTION_AUTHORITY);
-				client->query.gluedb = NULL;
-				client->query.attributes &=
-					~NS_QUERYATTR_CACHEGLUEOK;
-				if (WANTDNSSEC(client))
-					query_addds(client, db, node, version,
-						   dns_fixedname_name(&fixed));
-			}
-		}
-		goto cleanup;
-
-	case DNS_R_EMPTYNAME:
-	case DNS_R_NXRRSET:
-	iszone_nxrrset:
-		INSIST(is_zone);
-
-#ifdef dns64_bis_return_excluded_addresses
-		if (dns64)
-#else
-		if (dns64 && !dns64_exclude)
-#endif
-		{
-			/*
-			 * Restore the answers from the previous AAAA lookup.
-			 */
-			if (rdataset != NULL)
-				query_putrdataset(client, &rdataset);
-			if (sigrdataset != NULL)
-				query_putrdataset(client, &sigrdataset);
-			rdataset = client->query.dns64_aaaa;
-			sigrdataset = client->query.dns64_sigaaaa;
-			client->query.dns64_aaaa = NULL;
-			client->query.dns64_sigaaaa = NULL;
-			if (fname == NULL) {
-				dbuf = query_getnamebuf(client);
-				if (dbuf == NULL) {
-					QUERY_ERROR(DNS_R_SERVFAIL);
-					goto cleanup;
-				}
-				fname = query_newname(client, dbuf, &b);
-				if (fname == NULL) {
-					QUERY_ERROR(DNS_R_SERVFAIL);
-					goto cleanup;
-				}
-			}
-			dns_name_copy(client->query.qname, fname, NULL);
-			dns64 = ISC_FALSE;
-#ifdef dns64_bis_return_excluded_addresses
-			/*
-			 * Resume the diverted processing of the AAAA response?
-			 */
-			if (dns64_excluded)
-				break;
-#endif
-		} else if (result == DNS_R_NXRRSET &&
-			   !ISC_LIST_EMPTY(client->view->dns64) &&
-			   client->message->rdclass == dns_rdataclass_in &&
-			   qtype == dns_rdatatype_aaaa)
-		{
-			/*
-			 * Look to see if there are A records for this
-			 * name.
-			 */
-			INSIST(client->query.dns64_aaaa == NULL);
-			INSIST(client->query.dns64_sigaaaa == NULL);
-			client->query.dns64_aaaa = rdataset;
-			client->query.dns64_sigaaaa = sigrdataset;
-			client->query.dns64_ttl = dns64_ttl(db, version);
-			query_releasename(client, &fname);
-			dns_db_detachnode(db, &node);
-			rdataset = NULL;
-			sigrdataset = NULL;
-			type = qtype = dns_rdatatype_a;
-			rpz_st = client->query.rpz_st;
-			if (rpz_st != NULL) {
-				/*
-				 * Arrange for RPZ rewriting of any A records.
-				 */
-				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
-					is_zone = rpz_st->q.is_zone;
-				rpz_st_clear(client);
-			}
-			dns64 = ISC_TRUE;
-			goto db_find;
-		}
-
-		/*
-		 * Look for a NSEC3 record if we don't have a NSEC record.
-		 */
- nxrrset_rrsig:
-		if (!dns_rdataset_isassociated(rdataset) &&
-		     WANTDNSSEC(client)) {
-			if ((fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
-				dns_name_t *found;
-				dns_name_t *qname;
-
-				dns_fixedname_init(&fixed);
-				found = dns_fixedname_name(&fixed);
-				qname = client->query.qname;
-
-				query_findclosestnsec3(qname, db, version,
-						       client, rdataset,
-						       sigrdataset, fname,
-						       ISC_TRUE, found);
-				/*
-				 * Did we find the closest provable encloser
-				 * instead? If so add the nearest to the
-				 * closest provable encloser.
-				 */
-				if (dns_rdataset_isassociated(rdataset) &&
-				    !dns_name_equal(qname, found) &&
-				    !(ns_g_nonearest &&
-				      qtype != dns_rdatatype_ds))
-				{
-					unsigned int count;
-					unsigned int skip;
-
-					/*
-					 * Add the closest provable encloser.
-					 */
-					query_addrrset(client, &fname,
-						       &rdataset, &sigrdataset,
-						       dbuf,
-						       DNS_SECTION_AUTHORITY);
-
-					count = dns_name_countlabels(found)
-							 + 1;
-					skip = dns_name_countlabels(qname) -
-							 count;
-					dns_name_getlabelsequence(qname, skip,
-								  count,
-								  found);
-
-					fixfname(client, &fname, &dbuf, &b);
-					fixrdataset(client, &rdataset);
-					fixrdataset(client, &sigrdataset);
-					if (fname == NULL ||
-					    rdataset == NULL ||
-					    sigrdataset == NULL) {
-						QUERY_ERROR(DNS_R_SERVFAIL);
-						goto cleanup;
-					}
-					/*
-					 * 'nearest' doesn't exist so
-					 * 'exist' is set to ISC_FALSE.
-					 */
-					query_findclosestnsec3(found, db,
-							       version,
-							       client,
-							       rdataset,
-							       sigrdataset,
-							       fname,
-							       ISC_FALSE,
-							       NULL);
-				}
-			} else {
-				query_releasename(client, &fname);
-				query_addwildcardproof(client, db, version,
-						       client->query.qname,
-						       ISC_FALSE, ISC_TRUE);
-			}
-		}
-		if (dns_rdataset_isassociated(rdataset)) {
-			/*
-			 * If we've got a NSEC record, we need to save the
-			 * name now because we're going call query_addsoa()
-			 * below, and it needs to use the name buffer.
-			 */
-			query_keepname(client, fname, dbuf);
-		} else if (fname != NULL) {
-			/*
-			 * We're not going to use fname, and need to release
-			 * our hold on the name buffer so query_addsoa()
-			 * may use it.
-			 */
-			query_releasename(client, &fname);
-		}
-		/*
-		 * Add SOA.
-		 */
-		result = query_addsoa(client, db, version, ISC_UINT32_MAX,
-				      dns_rdataset_isassociated(rdataset));
-		if (result != ISC_R_SUCCESS) {
-			QUERY_ERROR(result);
-			goto cleanup;
-		}
-		/*
-		 * Add NSEC record if we found one.
-		 */
-		if (WANTDNSSEC(client)) {
-			if (dns_rdataset_isassociated(rdataset))
-				query_addnxrrsetnsec(client, db, version,
-						     &fname, &rdataset,
-						     &sigrdataset);
-		}
-		goto cleanup;
-
-	case DNS_R_EMPTYWILD:
-		empty_wild = ISC_TRUE;
-		/* FALLTHROUGH */
-
-	case DNS_R_NXDOMAIN:
-		INSIST(is_zone);
-		if (!empty_wild &&
-		    redirect(client, fname, rdataset, &node, &db, &version,
-			     type))
-			break;
-		if (dns_rdataset_isassociated(rdataset)) {
-			/*
-			 * If we've got a NSEC record, we need to save the
-			 * name now because we're going call query_addsoa()
-			 * below, and it needs to use the name buffer.
-			 */
-			query_keepname(client, fname, dbuf);
-		} else if (fname != NULL) {
-			/*
-			 * We're not going to use fname, and need to release
-			 * our hold on the name buffer so query_addsoa()
-			 * may use it.
-			 */
-			query_releasename(client, &fname);
-		}
-
-		/*
-		 * Add SOA.  If the query was for a SOA record force the
-		 * ttl to zero so that it is possible for clients to find
-		 * the containing zone of an arbitrary name with a stub
-		 * resolver and not have it cached.
-		 */
-		if (qtype == dns_rdatatype_soa &&
-		    zone != NULL &&
-		    dns_zone_getzeronosoattl(zone))
-			result = query_addsoa(client, db, version, 0,
-					  dns_rdataset_isassociated(rdataset));
-		else
-			result = query_addsoa(client, db, version,
-					      ISC_UINT32_MAX,
-					  dns_rdataset_isassociated(rdataset));
-		if (result != ISC_R_SUCCESS) {
-			QUERY_ERROR(result);
-			goto cleanup;
-		}
-
-		if (WANTDNSSEC(client)) {
-			/*
-			 * Add NSEC record if we found one.
-			 */
-			if (dns_rdataset_isassociated(rdataset))
-				query_addrrset(client, &fname, &rdataset,
-					       &sigrdataset,
-					       NULL, DNS_SECTION_AUTHORITY);
-			query_addwildcardproof(client, db, version,
-					       client->query.qname, ISC_FALSE,
-					       ISC_FALSE);
-		}
-
-		/*
-		 * Set message rcode.
-		 */
-		if (empty_wild)
-			client->message->rcode = dns_rcode_noerror;
-		else
-			client->message->rcode = dns_rcode_nxdomain;
-		goto cleanup;
-
-	case DNS_R_NCACHENXDOMAIN:
-		if (redirect(client, fname, rdataset, &node, &db, &version,
-			     type))
-			break;
-	case DNS_R_NCACHENXRRSET:
-	ncache_nxrrset:
-		INSIST(!is_zone);
-		authoritative = ISC_FALSE;
-		/*
-		 * Set message rcode, if required.
-		 */
-		if (result == DNS_R_NCACHENXDOMAIN)
-			client->message->rcode = dns_rcode_nxdomain;
-		/*
-		 * Look for RFC 1918 leakage from Internet.
-		 */
-		if (result == DNS_R_NCACHENXDOMAIN &&
-		    qtype == dns_rdatatype_ptr &&
-		    client->message->rdclass == dns_rdataclass_in &&
-		    dns_name_countlabels(fname) == 7)
-			warn_rfc1918(client, fname, rdataset);
-
-#ifdef dns64_bis_return_excluded_addresses
-		if (dns64)
-#else
-		if (dns64 && !dns64_exclude)
-#endif
-		{
-			/*
-			 * Restore the answers from the previous AAAA lookup.
-			 */
-			if (rdataset != NULL)
-				query_putrdataset(client, &rdataset);
-			if (sigrdataset != NULL)
-				query_putrdataset(client, &sigrdataset);
-			rdataset = client->query.dns64_aaaa;
-			sigrdataset = client->query.dns64_sigaaaa;
-			client->query.dns64_aaaa = NULL;
-			client->query.dns64_sigaaaa = NULL;
-			if (fname == NULL) {
-				dbuf = query_getnamebuf(client);
-				if (dbuf == NULL) {
-					QUERY_ERROR(DNS_R_SERVFAIL);
-					goto cleanup;
-				}
-				fname = query_newname(client, dbuf, &b);
-				if (fname == NULL) {
-					QUERY_ERROR(DNS_R_SERVFAIL);
-					goto cleanup;
-				}
-			}
-			dns_name_copy(client->query.qname, fname, NULL);
-			dns64 = ISC_FALSE;
-#ifdef dns64_bis_return_excluded_addresses
-			if (dns64_excluded)
-				break;
-#endif
-		} else if (result == DNS_R_NCACHENXRRSET &&
-			   !ISC_LIST_EMPTY(client->view->dns64) &&
-			   client->message->rdclass == dns_rdataclass_in &&
-			   qtype == dns_rdatatype_aaaa)
-		{
-			/*
-			 * Look to see if there are A records for this
-			 * name.
-			 */
-			INSIST(client->query.dns64_aaaa == NULL);
-			INSIST(client->query.dns64_sigaaaa == NULL);
-			client->query.dns64_aaaa = rdataset;
-			client->query.dns64_sigaaaa = sigrdataset;
-			/*
-			 * If the ttl is zero we need to workout if we have just
-			 * decremented to zero or if there was no negative cache
-			 * ttl in the answer.
-			 */
-			if (rdataset->ttl != 0)
-				client->query.dns64_ttl = rdataset->ttl;
-			else if (dns_rdataset_first(rdataset) == ISC_R_SUCCESS)
-				client->query.dns64_ttl = 0;
-			query_releasename(client, &fname);
-			dns_db_detachnode(db, &node);
-			rdataset = NULL;
-			sigrdataset = NULL;
-			fname = NULL;
-			type = qtype = dns_rdatatype_a;
-			rpz_st = client->query.rpz_st;
-			if (rpz_st != NULL) {
-				/*
-				 * Arrange for RPZ rewriting of any A records.
-				 */
-				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
-					is_zone = rpz_st->q.is_zone;
-				rpz_st_clear(client);
-			}
-			dns64 = ISC_TRUE;
-			goto db_find;
-		}
-
-		/*
-		 * We don't call query_addrrset() because we don't need any
-		 * of its extra features (and things would probably break!).
-		 */
-		query_keepname(client, fname, dbuf);
-		dns_message_addname(client->message, fname,
-				    DNS_SECTION_AUTHORITY);
-		ISC_LIST_APPEND(fname->list, rdataset, link);
-		fname = NULL;
-		rdataset = NULL;
-		goto cleanup;
-
-	case DNS_R_CNAME:
-		/*
-		 * Keep a copy of the rdataset.  We have to do this because
-		 * query_addrrset may clear 'rdataset' (to prevent the
-		 * cleanup code from cleaning it up).
-		 */
-		trdataset = rdataset;
-		/*
-		 * Add the CNAME to the answer section.
-		 */
-		if (sigrdataset != NULL)
-			sigrdatasetp = &sigrdataset;
-		else
-			sigrdatasetp = NULL;
-		if (WANTDNSSEC(client) &&
-		    (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
-		{
-			dns_fixedname_init(&wildcardname);
-			dns_name_copy(fname, dns_fixedname_name(&wildcardname),
-				      NULL);
-			need_wildcardproof = ISC_TRUE;
-		}
-		if (NOQNAME(rdataset) && WANTDNSSEC(client))
-			noqname = rdataset;
-		else
-			noqname = NULL;
-		query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
-			       DNS_SECTION_ANSWER);
-		if (noqname != NULL)
-			query_addnoqnameproof(client, noqname);
-		/*
-		 * We set the PARTIALANSWER attribute so that if anything goes
-		 * wrong later on, we'll return what we've got so far.
-		 */
-		client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
-		/*
-		 * Reset qname to be the target name of the CNAME and restart
-		 * the query.
-		 */
-		tname = NULL;
-		result = dns_message_gettempname(client->message, &tname);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		result = dns_rdataset_first(trdataset);
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(client->message, &tname);
-			goto cleanup;
-		}
-		dns_rdataset_current(trdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &cname, NULL);
-		dns_rdata_reset(&rdata);
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(client->message, &tname);
-			goto cleanup;
-		}
-		dns_name_init(tname, NULL);
-		result = dns_name_dup(&cname.cname, client->mctx, tname);
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(client->message, &tname);
-			dns_rdata_freestruct(&cname);
-			goto cleanup;
-		}
-		dns_rdata_freestruct(&cname);
-		ns_client_qnamereplace(client, tname);
-		want_restart = ISC_TRUE;
-		if (!WANTRECURSION(client))
-			options |= DNS_GETDB_NOLOG;
-		goto addauth;
-	case DNS_R_DNAME:
-		/*
-		 * Compare the current qname to the found name.  We need
-		 * to know how many labels and bits are in common because
-		 * we're going to have to split qname later on.
-		 */
-		namereln = dns_name_fullcompare(client->query.qname, fname,
-						&order, &nlabels);
-		INSIST(namereln == dns_namereln_subdomain);
-		/*
-		 * Keep a copy of the rdataset.  We have to do this because
-		 * query_addrrset may clear 'rdataset' (to prevent the
-		 * cleanup code from cleaning it up).
-		 */
-		trdataset = rdataset;
-		/*
-		 * Add the DNAME to the answer section.
-		 */
-		if (sigrdataset != NULL)
-			sigrdatasetp = &sigrdataset;
-		else
-			sigrdatasetp = NULL;
-		if (WANTDNSSEC(client) &&
-		    (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
-		{
-			dns_fixedname_init(&wildcardname);
-			dns_name_copy(fname, dns_fixedname_name(&wildcardname),
-				      NULL);
-			need_wildcardproof = ISC_TRUE;
-		}
-		query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
-			       DNS_SECTION_ANSWER);
-		/*
-		 * We set the PARTIALANSWER attribute so that if anything goes
-		 * wrong later on, we'll return what we've got so far.
-		 */
-		client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
-		/*
-		 * Get the target name of the DNAME.
-		 */
-		tname = NULL;
-		result = dns_message_gettempname(client->message, &tname);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		result = dns_rdataset_first(trdataset);
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(client->message, &tname);
-			goto cleanup;
-		}
-		dns_rdataset_current(trdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &dname, NULL);
-		dns_rdata_reset(&rdata);
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(client->message, &tname);
-			goto cleanup;
-		}
-		dns_name_clone(&dname.dname, tname);
-		dns_rdata_freestruct(&dname);
-		/*
-		 * Construct the new qname consisting of
-		 * <found name prefix>.<dname target>
-		 */
-		dns_fixedname_init(&fixed);
-		prefix = dns_fixedname_name(&fixed);
-		dns_name_split(client->query.qname, nlabels, prefix, NULL);
-		INSIST(fname == NULL);
-		dbuf = query_getnamebuf(client);
-		if (dbuf == NULL) {
-			dns_message_puttempname(client->message, &tname);
-			goto cleanup;
-		}
-		fname = query_newname(client, dbuf, &b);
-		if (fname == NULL) {
-			dns_message_puttempname(client->message, &tname);
-			goto cleanup;
-		}
-		result = dns_name_concatenate(prefix, tname, fname, NULL);
-		dns_message_puttempname(client->message, &tname);
-
-		/*
-		 * RFC2672, section 4.1, subsection 3c says
-		 * we should return YXDOMAIN if the constructed
-		 * name would be too long.
-		 */
-		if (result == DNS_R_NAMETOOLONG)
-			client->message->rcode = dns_rcode_yxdomain;
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		query_keepname(client, fname, dbuf);
-		/*
-		 * Synthesize a CNAME consisting of
-		 *   <old qname> <dname ttl> CNAME <new qname>
-		 *	    with <dname trust value>
-		 *
-		 * Synthesize a CNAME so old old clients that don't understand
-		 * DNAME can chain.
-		 *
-		 * We do not try to synthesize a signature because we hope
-		 * that security aware servers will understand DNAME.  Also,
-		 * even if we had an online key, making a signature
-		 * on-the-fly is costly, and not really legitimate anyway
-		 * since the synthesized CNAME is NOT in the zone.
-		 */
-		result = query_add_cname(client, client->query.qname, fname,
-					 trdataset->trust, trdataset->ttl);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		/*
-		 * Switch to the new qname and restart.
-		 */
-		ns_client_qnamereplace(client, fname);
-		fname = NULL;
-		want_restart = ISC_TRUE;
-		if (!WANTRECURSION(client))
-			options |= DNS_GETDB_NOLOG;
-		goto addauth;
-	default:
-		/*
-		 * Something has gone wrong.
-		 */
-		QUERY_ERROR(DNS_R_SERVFAIL);
-		goto cleanup;
-	}
-
-	if (WANTDNSSEC(client) &&
-	    (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
-	{
-		dns_fixedname_init(&wildcardname);
-		dns_name_copy(fname, dns_fixedname_name(&wildcardname), NULL);
-		need_wildcardproof = ISC_TRUE;
-	}
-
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-	if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
-	    is_v4_client(client) &&
-	    ns_client_checkaclsilent(client, NULL,
-				     client->view->v4_aaaa_acl,
-				     ISC_TRUE) == ISC_R_SUCCESS)
-		client->filter_aaaa = client->view->v4_aaaa;
-	else
-		client->filter_aaaa = dns_v4_aaaa_ok;
-
-#endif
-
-	if (type == dns_rdatatype_any) {
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-		isc_boolean_t have_aaaa, have_a, have_sig;
-
-		/*
-		 * The filter-aaaa-on-v4 option should
-		 * suppress AAAAs for IPv4 clients if there is an A.
-		 * If we are not authoritative, assume there is a A
-		 * even in if it is not in our cache.  This assumption could
-		 * be wrong but it is a good bet.
-		 */
-		have_aaaa = ISC_FALSE;
-		have_a = !authoritative;
-		have_sig = ISC_FALSE;
-#endif
-		/*
-		 * XXXRTH  Need to handle zonecuts with special case
-		 * code.
-		 */
-		n = 0;
-		rdsiter = NULL;
-		result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
-		if (result != ISC_R_SUCCESS) {
-			QUERY_ERROR(DNS_R_SERVFAIL);
-			goto cleanup;
-		}
-
-		/*
-		 * Calling query_addrrset() with a non-NULL dbuf is going
-		 * to either keep or release the name.  We don't want it to
-		 * release fname, since we may have to call query_addrrset()
-		 * more than once.  That means we have to call query_keepname()
-		 * now, and pass a NULL dbuf to query_addrrset().
-		 *
-		 * If we do a query_addrrset() below, we must set fname to
-		 * NULL before leaving this block, otherwise we might try to
-		 * cleanup fname even though we're using it!
-		 */
-		query_keepname(client, fname, dbuf);
-		tname = fname;
-		result = dns_rdatasetiter_first(rdsiter);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdatasetiter_current(rdsiter, rdataset);
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-			/*
-			 * Notice the presence of A and AAAAs so
-			 * that AAAAs can be hidden from IPv4 clients.
-			 */
-			if (client->filter_aaaa != dns_v4_aaaa_ok) {
-				if (rdataset->type == dns_rdatatype_aaaa)
-					have_aaaa = ISC_TRUE;
-				else if (rdataset->type == dns_rdatatype_a)
-					have_a = ISC_TRUE;
-			}
-#endif
-			if (is_zone && qtype == dns_rdatatype_any &&
-			    !dns_db_issecure(db) &&
-			    dns_rdatatype_isdnssec(rdataset->type)) {
-				/*
-				 * The zone is transitioning from insecure
-				 * to secure. Hide the dnssec records from
-				 * ANY queries.
-				 */
-				dns_rdataset_disassociate(rdataset);
-			} else if ((qtype == dns_rdatatype_any ||
-			     rdataset->type == qtype) && rdataset->type != 0) {
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-				if (dns_rdatatype_isdnssec(rdataset->type))
-					have_sig = ISC_TRUE;
-#endif
-				if (NOQNAME(rdataset) && WANTDNSSEC(client))
-					noqname = rdataset;
-				else
-					noqname = NULL;
-				rpz_st = client->query.rpz_st;
-				if (rpz_st != NULL)
-					rdataset->ttl = ISC_MIN(rdataset->ttl,
-							    rpz_st->m.ttl);
-				query_addrrset(client,
-					       fname != NULL ? &fname : &tname,
-					       &rdataset, NULL,
-					       NULL, DNS_SECTION_ANSWER);
-				if (noqname != NULL)
-					query_addnoqnameproof(client, noqname);
-				n++;
-				INSIST(tname != NULL);
-				/*
-				 * rdataset is non-NULL only in certain
-				 * pathological cases involving DNAMEs.
-				 */
-				if (rdataset != NULL)
-					query_putrdataset(client, &rdataset);
-				rdataset = query_newrdataset(client);
-				if (rdataset == NULL)
-					break;
-			} else {
-				/*
-				 * We're not interested in this rdataset.
-				 */
-				dns_rdataset_disassociate(rdataset);
-			}
-			result = dns_rdatasetiter_next(rdsiter);
-		}
-
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-		/*
-		 * Filter AAAAs if there is an A and there is no signature
-		 * or we are supposed to break DNSSEC.
-		 */
-		if (client->filter_aaaa == dns_v4_aaaa_break_dnssec)
-			client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
-		else if (client->filter_aaaa != dns_v4_aaaa_ok &&
-			 have_aaaa && have_a &&
-			 (!have_sig || !WANTDNSSEC(client)))
-			  client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
-#endif
-		if (fname != NULL)
-			dns_message_puttempname(client->message, &fname);
-
-		if (n == 0) {
-			/*
-			 * No matching rdatasets found in cache. If we were
-			 * searching for RRSIG/SIG, that's probably okay;
-			 * otherwise this is an error condition.
-			 */
-			if ((qtype == dns_rdatatype_rrsig ||
-			     qtype == dns_rdatatype_sig) &&
-			    result == ISC_R_NOMORE) {
-				if (!is_zone) {
-					authoritative = ISC_FALSE;
-					dns_rdatasetiter_destroy(&rdsiter);
-					client->attributes &= ~NS_CLIENTATTR_RA;
-					goto addauth;
-				}
-
-				if (dns_db_issecure(db)) {
-					char namebuf[DNS_NAME_FORMATSIZE];
-					dns_name_format(client->query.qname,
-							namebuf,
-							sizeof(namebuf));
-					ns_client_log(client,
-						      DNS_LOGCATEGORY_DNSSEC,
-						      NS_LOGMODULE_QUERY,
-						      ISC_LOG_WARNING,
-						      "missing signature "
-						      "for %s", namebuf);
-				}
-
-				dns_rdatasetiter_destroy(&rdsiter);
-				fname = query_newname(client, dbuf, &b);
-				goto nxrrset_rrsig;
-			} else
-				result = DNS_R_SERVFAIL;
-		}
-
-		dns_rdatasetiter_destroy(&rdsiter);
-		if (result != ISC_R_NOMORE) {
-			QUERY_ERROR(DNS_R_SERVFAIL);
-			goto cleanup;
-		}
-	} else {
-		/*
-		 * This is the "normal" case -- an ordinary question to which
-		 * we know the answer.
-		 */
-
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-		/*
-		 * Optionally hide AAAAs from IPv4 clients if there is an A.
-		 * We add the AAAAs now, but might refuse to render them later
-		 * after DNSSEC is figured out.
-		 * This could be more efficient, but the whole idea is
-		 * so fundamentally wrong, unavoidably inaccurate, and
-		 * unneeded that it is best to keep it as short as possible.
-		 */
-		if (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
-		    (client->filter_aaaa == dns_v4_aaaa_filter &&
-		     (!WANTDNSSEC(client) || sigrdataset == NULL ||
-		     !dns_rdataset_isassociated(sigrdataset))))
-		{
-			if (qtype == dns_rdatatype_aaaa) {
-				trdataset = query_newrdataset(client);
-				result = dns_db_findrdataset(db, node, version,
-							     dns_rdatatype_a, 0,
-							     client->now,
-							     trdataset, NULL);
-				if (dns_rdataset_isassociated(trdataset))
-					dns_rdataset_disassociate(trdataset);
-				query_putrdataset(client, &trdataset);
-
-				/*
-				 * We have an AAAA but the A is not in our cache.
-				 * Assume any result other than DNS_R_DELEGATION
-				 * or ISC_R_NOTFOUND means there is no A and
-				 * so AAAAs are ok.
-				 * Assume there is no A if we can't recurse
-				 * for this client, although that could be
-				 * the wrong answer. What else can we do?
-				 * Besides, that we have the AAAA and are using
-				 * this mechanism suggests that we care more
-				 * about As than AAAAs and would have cached
-				 * the A if it existed.
-				 */
-				if (result == ISC_R_SUCCESS) {
-					client->attributes |=
-						    NS_CLIENTATTR_FILTER_AAAA;
-
-				} else if (authoritative ||
-					   !RECURSIONOK(client) ||
-					   (result != DNS_R_DELEGATION &&
-					    result != ISC_R_NOTFOUND)) {
-					client->attributes &=
-						    ~NS_CLIENTATTR_FILTER_AAAA;
-				} else {
-					/*
-					 * This is an ugly kludge to recurse
-					 * for the A and discard the result.
-					 *
-					 * Continue to add the AAAA now.
-					 * We'll make a note to not render it
-					 * if the recursion for the A succeeds.
-					 */
-					result = query_recurse(client,
-							dns_rdatatype_a,
-							client->query.qname,
-							NULL, NULL, resuming);
-					if (result == ISC_R_SUCCESS) {
-					    client->attributes |=
-						    NS_CLIENTATTR_FILTER_AAAA_RC;
-					    client->query.attributes |=
-							NS_QUERYATTR_RECURSING;
-					}
-				}
-
-			} else if (qtype == dns_rdatatype_a &&
-				   (client->attributes &
-					    NS_CLIENTATTR_FILTER_AAAA_RC) != 0) {
-				client->attributes &=
-					    ~NS_CLIENTATTR_FILTER_AAAA_RC;
-				client->attributes |=
-					    NS_CLIENTATTR_FILTER_AAAA;
-				dns_rdataset_disassociate(rdataset);
-				if (sigrdataset != NULL &&
-				    dns_rdataset_isassociated(sigrdataset))
-					dns_rdataset_disassociate(sigrdataset);
-				goto cleanup;
-			}
-		}
-#endif
-		/*
-		 * Check to see if the AAAA RRset has non-excluded addresses
-		 * in it.  If not look for a A RRset.
-		 */
-		INSIST(client->query.dns64_aaaaok == NULL);
-
-		if (qtype == dns_rdatatype_aaaa && !dns64_exclude &&
-		    !ISC_LIST_EMPTY(client->view->dns64) &&
-		    client->message->rdclass == dns_rdataclass_in &&
-		    !dns64_aaaaok(client, rdataset, sigrdataset)) {
-			/*
-			 * Look to see if there are A records for this
-			 * name.
-			 */
-			client->query.dns64_aaaa = rdataset;
-			client->query.dns64_sigaaaa = sigrdataset;
-			client->query.dns64_ttl = rdataset->ttl;
-			query_releasename(client, &fname);
-			dns_db_detachnode(db, &node);
-			rdataset = NULL;
-			sigrdataset = NULL;
-			type = qtype = dns_rdatatype_a;
-			rpz_st = client->query.rpz_st;
-			if (rpz_st != NULL) {
-				/*
-				 * Arrange for RPZ rewriting of any A records.
-				 */
-				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
-					is_zone = rpz_st->q.is_zone;
-				rpz_st_clear(client);
-			}
-			dns64_exclude = dns64 = ISC_TRUE;
-			goto db_find;
-		}
-
-		if (sigrdataset != NULL)
-			sigrdatasetp = &sigrdataset;
-		else
-			sigrdatasetp = NULL;
-		if (NOQNAME(rdataset) && WANTDNSSEC(client))
-			noqname = rdataset;
-		else
-			noqname = NULL;
-		/*
-		 * BIND 8 priming queries need the additional section.
-		 */
-		if (is_zone && qtype == dns_rdatatype_ns &&
-		    dns_name_equal(client->query.qname, dns_rootname))
-			client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL;
-
-		if (dns64) {
-			qtype = type = dns_rdatatype_aaaa;
-			result = query_dns64(client, &fname, rdataset,
-					     sigrdataset, dbuf,
-					     DNS_SECTION_ANSWER);
-			dns_rdataset_disassociate(rdataset);
-			dns_message_puttemprdataset(client->message, &rdataset);
-			if (result == ISC_R_NOMORE) {
-#ifndef dns64_bis_return_excluded_addresses
-				if (dns64_exclude) {
-					if (!is_zone)
-						goto cleanup;
-					/*
-					 * Add a fake SOA record.
-					 */
-					(void)query_addsoa(client, db, version,
-							   600, ISC_FALSE);
-					goto cleanup;
-				}
-#endif
-				if (is_zone)
-					goto iszone_nxrrset;
-				else
-					goto ncache_nxrrset;
-			} else if (result != ISC_R_SUCCESS) {
-				eresult = result;
-				goto cleanup;
-			}
-		} else if (client->query.dns64_aaaaok != NULL) {
-			query_filter64(client, &fname, rdataset, dbuf,
-				       DNS_SECTION_ANSWER);
-			query_putrdataset(client, &rdataset);
-		} else
-			query_addrrset(client, &fname, &rdataset,
-				       sigrdatasetp, dbuf, DNS_SECTION_ANSWER);
-
-		if (noqname != NULL)
-			query_addnoqnameproof(client, noqname);
-		/*
-		 * We shouldn't ever fail to add 'rdataset'
-		 * because it's already in the answer.
-		 */
-		INSIST(rdataset == NULL);
-	}
-
- addauth:
-	CTRACE("query_find: addauth");
-	/*
-	 * Add NS records to the authority section (if we haven't already
-	 * added them to the answer section).
-	 */
-	if (!want_restart && !NOAUTHORITY(client)) {
-		if (is_zone) {
-			if (!((qtype == dns_rdatatype_ns ||
-			       qtype == dns_rdatatype_any) &&
-			      dns_name_equal(client->query.qname,
-					     dns_db_origin(db))))
-				(void)query_addns(client, db, version);
-		} else if (qtype != dns_rdatatype_ns) {
-			if (fname != NULL)
-				query_releasename(client, &fname);
-			query_addbestns(client);
-		}
-	}
-
-	/*
-	 * Add NSEC records to the authority section if they're needed for
-	 * DNSSEC wildcard proofs.
-	 */
-	if (need_wildcardproof && dns_db_issecure(db))
-		query_addwildcardproof(client, db, version,
-				       dns_fixedname_name(&wildcardname),
-				       ISC_TRUE, ISC_FALSE);
- cleanup:
-	CTRACE("query_find: cleanup");
-	/*
-	 * General cleanup.
-	 */
-	rpz_st = client->query.rpz_st;
-	if (rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) == 0) {
-		rpz_match_clear(rpz_st);
-		rpz_st->state &= ~DNS_RPZ_DONE_QNAME;
-	}
-	if (rdataset != NULL)
-		query_putrdataset(client, &rdataset);
-	if (sigrdataset != NULL)
-		query_putrdataset(client, &sigrdataset);
-	if (fname != NULL)
-		query_releasename(client, &fname);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	if (zdb != NULL) {
-		query_putrdataset(client, &zrdataset);
-		if (zsigrdataset != NULL)
-			query_putrdataset(client, &zsigrdataset);
-		if (zfname != NULL)
-			query_releasename(client, &zfname);
-		dns_db_detach(&zdb);
-	}
-	if (event != NULL)
-		isc_event_free(ISC_EVENT_PTR(&event));
-
-	/*
-	 * AA bit.
-	 */
-	if (client->query.restarts == 0 && !authoritative) {
-		/*
-		 * We're not authoritative, so we must ensure the AA bit
-		 * isn't set.
-		 */
-		client->message->flags &= ~DNS_MESSAGEFLAG_AA;
-	}
-
-	/*
-	 * Restart the query?
-	 */
-	if (want_restart && client->query.restarts < MAX_RESTARTS) {
-		client->query.restarts++;
-		goto restart;
-	}
-
-	if (eresult != ISC_R_SUCCESS &&
-	    (!PARTIALANSWER(client) || WANTRECURSION(client))) {
-		if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) {
-			/*
-			 * This was a duplicate query that we are
-			 * recursing on.  Don't send a response now.
-			 * The original query will still cause a response.
-			 */
-			query_next(client, eresult);
-		} else {
-			/*
-			 * If we don't have any answer to give the client,
-			 * or if the client requested recursion and thus wanted
-			 * the complete answer, send an error response.
-			 */
-			INSIST(line >= 0);
-			query_error(client, eresult, line);
-		}
-		ns_client_detach(&client);
-	} else if (!RECURSING(client)) {
-		/*
-		 * We are done.  Set up sortlist data for the message
-		 * rendering code, make a final tweak to the AA bit if the
-		 * auth-nxdomain config option says so, then render and
-		 * send the response.
-		 */
-		setup_query_sortlist(client);
-
-		/*
-		 * If this is a referral and the answer to the question
-		 * is in the glue sort it to the start of the additional
-		 * section.
-		 */
-		if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) &&
-		    client->message->rcode == dns_rcode_noerror &&
-		    (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa))
-			answer_in_glue(client, qtype);
-
-		if (client->message->rcode == dns_rcode_nxdomain &&
-		    client->view->auth_nxdomain == ISC_TRUE)
-			client->message->flags |= DNS_MESSAGEFLAG_AA;
-
-		/*
-		 * If the response is somehow unexpected for the client and this
-		 * is a result of recursion, return an error to the caller
-		 * to indicate it may need to be logged.
-		 */
-		if (resuming &&
-		    (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) ||
-		     client->message->rcode != dns_rcode_noerror))
-			eresult = ISC_R_FAILURE;
-
-		query_send(client);
-		ns_client_detach(&client);
-	}
-	CTRACE("query_find: done");
-
-	return (eresult);
-}
-
-static inline void
-log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char typename[DNS_RDATATYPE_FORMATSIZE];
-	char classname[DNS_RDATACLASS_FORMATSIZE];
-	char onbuf[ISC_NETADDR_FORMATSIZE];
-	dns_rdataset_t *rdataset;
-	int level = ISC_LOG_INFO;
-
-	if (! isc_log_wouldlog(ns_g_lctx, level))
-		return;
-
-	rdataset = ISC_LIST_HEAD(client->query.qname->list);
-	INSIST(rdataset != NULL);
-	dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
-	dns_rdataclass_format(rdataset->rdclass, classname, sizeof(classname));
-	dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
-	isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf));
-
-	ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
-		      level, "query: %s %s %s %s%s%s%s%s%s (%s)", namebuf,
-		      classname, typename, WANTRECURSION(client) ? "+" : "-",
-		      (client->signer != NULL) ? "S": "",
-		      (client->opt != NULL) ? "E" : "",
-		      ((client->attributes & NS_CLIENTATTR_TCP) != 0) ?
-				 "T" : "",
-		      ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
-		      ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "",
-		      onbuf);
-}
-
-static inline void
-log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) {
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char typename[DNS_RDATATYPE_FORMATSIZE];
-	char classname[DNS_RDATACLASS_FORMATSIZE];
-	const char *namep, *typep, *classp, *sep1, *sep2;
-	dns_rdataset_t *rdataset;
-
-	if (!isc_log_wouldlog(ns_g_lctx, level))
-		return;
-
-	namep = typep = classp = sep1 = sep2 = "";
-
-	/*
-	 * Query errors can happen for various reasons.  In some cases we cannot
-	 * even assume the query contains a valid question section, so we should
-	 * expect exceptional cases.
-	 */
-	if (client->query.origqname != NULL) {
-		dns_name_format(client->query.origqname, namebuf,
-				sizeof(namebuf));
-		namep = namebuf;
-		sep1 = " for ";
-
-		rdataset = ISC_LIST_HEAD(client->query.origqname->list);
-		if (rdataset != NULL) {
-			dns_rdataclass_format(rdataset->rdclass, classname,
-					      sizeof(classname));
-			classp = classname;
-			dns_rdatatype_format(rdataset->type, typename,
-					     sizeof(typename));
-			typep = typename;
-			sep2 = "/";
-		}
-	}
-
-	ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY,
-		      level, "query failed (%s)%s%s%s%s%s%s at %s:%d",
-		      isc_result_totext(result), sep1, namep, sep2,
-		      classp, sep2, typep, __FILE__, line);
-}
-
-void
-ns_query_start(ns_client_t *client) {
-	isc_result_t result;
-	dns_message_t *message = client->message;
-	dns_rdataset_t *rdataset;
-	ns_client_t *qclient;
-	dns_rdatatype_t qtype;
-	unsigned int saved_extflags = client->extflags;
-	unsigned int saved_flags = client->message->flags;
-
-	CTRACE("ns_query_start");
-
-	/*
-	 * Test only.
-	 */
-	if (ns_g_clienttest && (client->attributes & NS_CLIENTATTR_TCP) == 0)
-		RUNTIME_CHECK(ns_client_replace(client) == ISC_R_SUCCESS);
-
-	/*
-	 * Ensure that appropriate cleanups occur.
-	 */
-	client->next = query_next_callback;
-
-	/*
-	 * Behave as if we don't support DNSSEC if not enabled.
-	 */
-	if (!client->view->enablednssec) {
-		message->flags &= ~DNS_MESSAGEFLAG_CD;
-		client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
-		if (client->opt != NULL)
-			client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
-	}
-
-	if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
-		client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
-
-	if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
-		client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
-
-	if (client->view->minimalresponses)
-		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
-					     NS_QUERYATTR_NOADDITIONAL);
-
-	if ((client->view->cachedb == NULL)
-	    || (!client->view->additionalfromcache)) {
-		/*
-		 * We don't have a cache.  Turn off cache support and
-		 * recursion.
-		 */
-		client->query.attributes &=
-			~(NS_QUERYATTR_RECURSIONOK|NS_QUERYATTR_CACHEOK);
-	} else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
-		   (message->flags & DNS_MESSAGEFLAG_RD) == 0) {
-		/*
-		 * If the client isn't allowed to recurse (due to
-		 * "recursion no", the allow-recursion ACL, or the
-		 * lack of a resolver in this view), or if it
-		 * doesn't want recursion, turn recursion off.
-		 */
-		client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
-	}
-
-	/*
-	 * Get the question name.
-	 */
-	result = dns_message_firstname(message, DNS_SECTION_QUESTION);
-	if (result != ISC_R_SUCCESS) {
-		query_error(client, result, __LINE__);
-		return;
-	}
-	dns_message_currentname(message, DNS_SECTION_QUESTION,
-				&client->query.qname);
-	client->query.origqname = client->query.qname;
-	result = dns_message_nextname(message, DNS_SECTION_QUESTION);
-	if (result != ISC_R_NOMORE) {
-		if (result == ISC_R_SUCCESS) {
-			/*
-			 * There's more than one QNAME in the question
-			 * section.
-			 */
-			query_error(client, DNS_R_FORMERR, __LINE__);
-		} else
-			query_error(client, result, __LINE__);
-		return;
-	}
-
-	if (ns_g_server->log_queries)
-		log_query(client, saved_flags, saved_extflags);
-
-	/*
-	 * Check for multiple question queries, since edns1 is dead.
-	 */
-	if (message->counts[DNS_SECTION_QUESTION] > 1) {
-		query_error(client, DNS_R_FORMERR, __LINE__);
-		return;
-	}
-
-	/*
-	 * Check for meta-queries like IXFR and AXFR.
-	 */
-	rdataset = ISC_LIST_HEAD(client->query.qname->list);
-	INSIST(rdataset != NULL);
-	qtype = rdataset->type;
-	dns_rdatatypestats_increment(ns_g_server->rcvquerystats, qtype);
-
-	if (dns_rdatatype_ismeta(qtype)) {
-		switch (qtype) {
-		case dns_rdatatype_any:
-			break; /* Let query_find handle it. */
-		case dns_rdatatype_ixfr:
-		case dns_rdatatype_axfr:
-			ns_xfr_start(client, rdataset->type);
-			return;
-		case dns_rdatatype_maila:
-		case dns_rdatatype_mailb:
-			query_error(client, DNS_R_NOTIMP, __LINE__);
-			return;
-		case dns_rdatatype_tkey:
-			result = dns_tkey_processquery(client->message,
-						ns_g_server->tkeyctx,
-						client->view->dynamickeys);
-			if (result == ISC_R_SUCCESS)
-				query_send(client);
-			else
-				query_error(client, result, __LINE__);
-			return;
-		default: /* TSIG, etc. */
-			query_error(client, DNS_R_FORMERR, __LINE__);
-			return;
-		}
-	}
-
-	/*
-	 * Turn on minimal response for DNSKEY and DS queries.
-	 */
-	if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds)
-		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
-					     NS_QUERYATTR_NOADDITIONAL);
-
-	/*
-	 * Turn on minimal responses for EDNS/UDP bufsize 512 queries.
-	 */
-	if (client->opt != NULL && client->udpsize <= 512U &&
-	    (client->attributes & NS_CLIENTATTR_TCP) == 0)
-		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
-					     NS_QUERYATTR_NOADDITIONAL);
-
-	/*
-	 * If the client has requested that DNSSEC checking be disabled,
-	 * allow lookups to return pending data and instruct the resolver
-	 * to return data before validation has completed.
-	 *
-	 * We don't need to set DNS_DBFIND_PENDINGOK when validation is
-	 * disabled as there will be no pending data.
-	 */
-	if (message->flags & DNS_MESSAGEFLAG_CD ||
-	    qtype == dns_rdatatype_rrsig)
-	{
-		client->query.dboptions |= DNS_DBFIND_PENDINGOK;
-		client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
-	} else if (!client->view->enablevalidation)
-		client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
-
-	/*
-	 * Allow glue NS records to be added to the authority section
-	 * if the answer is secure.
-	 */
-	if (message->flags & DNS_MESSAGEFLAG_CD)
-		client->query.attributes &= ~NS_QUERYATTR_SECURE;
-
-	/*
-	 * Set NS_CLIENTATTR_WANTDNSSEC if the client has set AD in the query.
-	 * This allows AD to be returned on queries without DO set.
-	 */
-	if ((message->flags & DNS_MESSAGEFLAG_AD) != 0)
-		client->attributes |= NS_CLIENTATTR_WANTAD;
-
-	/*
-	 * This is an ordinary query.
-	 */
-	result = dns_message_reply(message, ISC_TRUE);
-	if (result != ISC_R_SUCCESS) {
-		query_next(client, result);
-		return;
-	}
-
-	/*
-	 * Assume authoritative response until it is known to be
-	 * otherwise.
-	 *
-	 * If "-T noaa" has been set on the command line don't set
-	 * AA on authoritative answers.
-	 */
-	if (!ns_g_noaa)
-		message->flags |= DNS_MESSAGEFLAG_AA;
-
-	/*
-	 * Set AD.  We must clear it if we add non-validated data to a
-	 * response.
-	 */
-	if (WANTDNSSEC(client) || WANTAD(client))
-		message->flags |= DNS_MESSAGEFLAG_AD;
-
-	qclient = NULL;
-	ns_client_attach(client, &qclient);
-	(void)query_find(qclient, NULL, qtype);
-}
diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c
deleted file mode 100644
index aef922b..0000000
--- a/contrib/bind9/bin/named/server.c
+++ /dev/null
@@ -1,8267 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <unistd.h>
-#include <limits.h>
-#include <ctype.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <isc/app.h>
-#include <isc/base64.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/hex.h>
-#include <isc/httpd.h>
-#include <isc/lex.h>
-#include <isc/parseint.h>
-#include <isc/portset.h>
-#include <isc/print.h>
-#include <isc/refcount.h>
-#include <isc/resource.h>
-#include <isc/sha2.h>
-#include <isc/socket.h>
-#include <isc/stat.h>
-#include <isc/stats.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-#include <isc/xml.h>
-
-#include <isccfg/namedconf.h>
-
-#include <bind9/check.h>
-
-#include <dns/acache.h>
-#include <dns/adb.h>
-#include <dns/cache.h>
-#include <dns/db.h>
-#include <dns/dispatch.h>
-#include <dns/dlz.h>
-#include <dns/dns64.h>
-#include <dns/forward.h>
-#include <dns/journal.h>
-#include <dns/keytable.h>
-#include <dns/keyvalues.h>
-#include <dns/lib.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/order.h>
-#include <dns/peer.h>
-#include <dns/portlist.h>
-#include <dns/private.h>
-#include <dns/rbt.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/resolver.h>
-#include <dns/rootns.h>
-#include <dns/secalg.h>
-#include <dns/stats.h>
-#include <dns/tkey.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <dst/dst.h>
-#include <dst/result.h>
-
-#include <named/client.h>
-#include <named/config.h>
-#include <named/control.h>
-#include <named/interfacemgr.h>
-#include <named/log.h>
-#include <named/logconf.h>
-#include <named/lwresd.h>
-#include <named/main.h>
-#include <named/os.h>
-#include <named/server.h>
-#include <named/statschannel.h>
-#include <named/tkeyconf.h>
-#include <named/tsigconf.h>
-#include <named/zoneconf.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#include <stdlib.h>
-#endif
-
-#ifndef PATH_MAX
-#define PATH_MAX 1024
-#endif
-
-#ifndef SIZE_MAX
-#define SIZE_MAX ((size_t)-1)
-#endif
-
-/*%
- * Check an operation for failure.  Assumes that the function
- * using it has a 'result' variable and a 'cleanup' label.
- */
-#define CHECK(op) \
-	do { result = (op);					 \
-	       if (result != ISC_R_SUCCESS) goto cleanup;	 \
-	} while (0)
-
-#define CHECKM(op, msg) \
-	do { result = (op);					  \
-	       if (result != ISC_R_SUCCESS) {			  \
-			isc_log_write(ns_g_lctx,		  \
-				      NS_LOGCATEGORY_GENERAL,	  \
-				      NS_LOGMODULE_SERVER,	  \
-				      ISC_LOG_ERROR,		  \
-				      "%s: %s", msg,		  \
-				      isc_result_totext(result)); \
-			goto cleanup;				  \
-		}						  \
-	} while (0)						  \
-
-#define CHECKMF(op, msg, file) \
-	do { result = (op);					  \
-	       if (result != ISC_R_SUCCESS) {			  \
-			isc_log_write(ns_g_lctx,		  \
-				      NS_LOGCATEGORY_GENERAL,	  \
-				      NS_LOGMODULE_SERVER,	  \
-				      ISC_LOG_ERROR,		  \
-				      "%s '%s': %s", msg, file,	  \
-				      isc_result_totext(result)); \
-			goto cleanup;				  \
-		}						  \
-	} while (0)						  \
-
-#define CHECKFATAL(op, msg) \
-	do { result = (op);					  \
-	       if (result != ISC_R_SUCCESS)			  \
-			fatal(msg, result);			  \
-	} while (0)						  \
-
-/*%
- * Maximum ADB size for views that share a cache.  Use this limit to suppress
- * the total of memory footprint, which should be the main reason for sharing
- * a cache.  Only effective when a finite max-cache-size is specified.
- * This is currently defined to be 8MB.
- */
-#define MAX_ADB_SIZE_FOR_CACHESHARE	8388608U
-
-struct ns_dispatch {
-	isc_sockaddr_t			addr;
-	unsigned int			dispatchgen;
-	dns_dispatch_t			*dispatch;
-	ISC_LINK(struct ns_dispatch)	link;
-};
-
-struct ns_cache {
-	dns_cache_t			*cache;
-	dns_view_t			*primaryview;
-	isc_boolean_t			needflush;
-	isc_boolean_t			adbsizeadjusted;
-	ISC_LINK(ns_cache_t)		link;
-};
-
-struct dumpcontext {
-	isc_mem_t			*mctx;
-	isc_boolean_t			dumpcache;
-	isc_boolean_t			dumpzones;
-	FILE				*fp;
-	ISC_LIST(struct viewlistentry)	viewlist;
-	struct viewlistentry		*view;
-	struct zonelistentry		*zone;
-	dns_dumpctx_t			*mdctx;
-	dns_db_t			*db;
-	dns_db_t			*cache;
-	isc_task_t			*task;
-	dns_dbversion_t			*version;
-};
-
-struct viewlistentry {
-	dns_view_t			*view;
-	ISC_LINK(struct viewlistentry)	link;
-	ISC_LIST(struct zonelistentry)	zonelist;
-};
-
-struct zonelistentry {
-	dns_zone_t			*zone;
-	ISC_LINK(struct zonelistentry)	link;
-};
-
-/*%
- * Configuration context to retain for each view that allows
- * new zones to be added at runtime.
- */
-struct cfg_context {
-	isc_mem_t *			mctx;
-	cfg_parser_t *			parser;
-	cfg_obj_t *			config;
-	cfg_parser_t *			nzparser;
-	cfg_obj_t *			nzconfig;
-	cfg_aclconfctx_t *		actx;
-};
-
-/*%
- * Holds state information for the initial zone loading process.
- * Uses the isc_refcount structure to count the number of views
- * with pending zone loads, dereferencing as each view finishes.
- */
-typedef struct {
-		ns_server_t *server;
-		isc_refcount_t refs;
-} ns_zoneload_t;
-
-/*
- * These zones should not leak onto the Internet.
- */
-const char *empty_zones[] = {
-	/* RFC 1918 */
-	"10.IN-ADDR.ARPA",
-	"16.172.IN-ADDR.ARPA",
-	"17.172.IN-ADDR.ARPA",
-	"18.172.IN-ADDR.ARPA",
-	"19.172.IN-ADDR.ARPA",
-	"20.172.IN-ADDR.ARPA",
-	"21.172.IN-ADDR.ARPA",
-	"22.172.IN-ADDR.ARPA",
-	"23.172.IN-ADDR.ARPA",
-	"24.172.IN-ADDR.ARPA",
-	"25.172.IN-ADDR.ARPA",
-	"26.172.IN-ADDR.ARPA",
-	"27.172.IN-ADDR.ARPA",
-	"28.172.IN-ADDR.ARPA",
-	"29.172.IN-ADDR.ARPA",
-	"30.172.IN-ADDR.ARPA",
-	"31.172.IN-ADDR.ARPA",
-	"168.192.IN-ADDR.ARPA",
-
-	/* RFC 6598 */
-	"64.100.IN-ADDR.ARPA",
-	"65.100.IN-ADDR.ARPA",
-	"66.100.IN-ADDR.ARPA",
-	"67.100.IN-ADDR.ARPA",
-	"68.100.IN-ADDR.ARPA",
-	"69.100.IN-ADDR.ARPA",
-	"70.100.IN-ADDR.ARPA",
-	"71.100.IN-ADDR.ARPA",
-	"72.100.IN-ADDR.ARPA",
-	"73.100.IN-ADDR.ARPA",
-	"74.100.IN-ADDR.ARPA",
-	"75.100.IN-ADDR.ARPA",
-	"76.100.IN-ADDR.ARPA",
-	"77.100.IN-ADDR.ARPA",
-	"78.100.IN-ADDR.ARPA",
-	"79.100.IN-ADDR.ARPA",
-	"80.100.IN-ADDR.ARPA",
-	"81.100.IN-ADDR.ARPA",
-	"82.100.IN-ADDR.ARPA",
-	"83.100.IN-ADDR.ARPA",
-	"84.100.IN-ADDR.ARPA",
-	"85.100.IN-ADDR.ARPA",
-	"86.100.IN-ADDR.ARPA",
-	"87.100.IN-ADDR.ARPA",
-	"88.100.IN-ADDR.ARPA",
-	"89.100.IN-ADDR.ARPA",
-	"90.100.IN-ADDR.ARPA",
-	"91.100.IN-ADDR.ARPA",
-	"92.100.IN-ADDR.ARPA",
-	"93.100.IN-ADDR.ARPA",
-	"94.100.IN-ADDR.ARPA",
-	"95.100.IN-ADDR.ARPA",
-	"96.100.IN-ADDR.ARPA",
-	"97.100.IN-ADDR.ARPA",
-	"98.100.IN-ADDR.ARPA",
-	"99.100.IN-ADDR.ARPA",
-	"100.100.IN-ADDR.ARPA",
-	"101.100.IN-ADDR.ARPA",
-	"102.100.IN-ADDR.ARPA",
-	"103.100.IN-ADDR.ARPA",
-	"104.100.IN-ADDR.ARPA",
-	"105.100.IN-ADDR.ARPA",
-	"106.100.IN-ADDR.ARPA",
-	"107.100.IN-ADDR.ARPA",
-	"108.100.IN-ADDR.ARPA",
-	"109.100.IN-ADDR.ARPA",
-	"110.100.IN-ADDR.ARPA",
-	"111.100.IN-ADDR.ARPA",
-	"112.100.IN-ADDR.ARPA",
-	"113.100.IN-ADDR.ARPA",
-	"114.100.IN-ADDR.ARPA",
-	"115.100.IN-ADDR.ARPA",
-	"116.100.IN-ADDR.ARPA",
-	"117.100.IN-ADDR.ARPA",
-	"118.100.IN-ADDR.ARPA",
-	"119.100.IN-ADDR.ARPA",
-	"120.100.IN-ADDR.ARPA",
-	"121.100.IN-ADDR.ARPA",
-	"122.100.IN-ADDR.ARPA",
-	"123.100.IN-ADDR.ARPA",
-	"124.100.IN-ADDR.ARPA",
-	"125.100.IN-ADDR.ARPA",
-	"126.100.IN-ADDR.ARPA",
-	"127.100.IN-ADDR.ARPA",
-
-	/* RFC 5735 and RFC 5737 */
-	"0.IN-ADDR.ARPA",	/* THIS NETWORK */
-	"127.IN-ADDR.ARPA",	/* LOOPBACK */
-	"254.169.IN-ADDR.ARPA",	/* LINK LOCAL */
-	"2.0.192.IN-ADDR.ARPA",	/* TEST NET */
-	"100.51.198.IN-ADDR.ARPA",	/* TEST NET 2 */
-	"113.0.203.IN-ADDR.ARPA",	/* TEST NET 3 */
-	"255.255.255.255.IN-ADDR.ARPA",	/* BROADCAST */
-
-	/* Local IPv6 Unicast Addresses */
-	"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA",
-	"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA",
-	/* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
-	"D.F.IP6.ARPA",
-	"8.E.F.IP6.ARPA",	/* LINK LOCAL */
-	"9.E.F.IP6.ARPA",	/* LINK LOCAL */
-	"A.E.F.IP6.ARPA",	/* LINK LOCAL */
-	"B.E.F.IP6.ARPA",	/* LINK LOCAL */
-
-	/* Example Prefix, RFC 3849. */
-	"8.B.D.0.1.0.0.2.IP6.ARPA",
-
-	NULL
-};
-
-ISC_PLATFORM_NORETURN_PRE static void
-fatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST;
-
-static void
-ns_server_reload(isc_task_t *task, isc_event_t *event);
-
-static isc_result_t
-ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
-			cfg_aclconfctx_t *actx,
-			isc_mem_t *mctx, ns_listenelt_t **target);
-static isc_result_t
-ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
-			 cfg_aclconfctx_t *actx,
-			 isc_mem_t *mctx, ns_listenlist_t **target);
-
-static isc_result_t
-configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
-
-static isc_result_t
-configure_alternates(const cfg_obj_t *config, dns_view_t *view,
-		     const cfg_obj_t *alternates);
-
-static isc_result_t
-configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
-	       cfg_aclconfctx_t *aclconf, isc_boolean_t added);
-
-static isc_result_t
-add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
-
-static void
-end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
-
-static void
-newzone_cfgctx_destroy(void **cfgp);
-
-/*%
- * Configure a single view ACL at '*aclp'.  Get its configuration from
- * 'vconfig' (for per-view configuration) and maybe from 'config'
- */
-static isc_result_t
-configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
-		   const char *aclname, const char *acltuplename,
-		   cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
-{
-	isc_result_t result;
-	const cfg_obj_t *maps[3];
-	const cfg_obj_t *aclobj = NULL;
-	int i = 0;
-
-	if (*aclp != NULL)
-		dns_acl_detach(aclp);
-	if (vconfig != NULL)
-		maps[i++] = cfg_tuple_get(vconfig, "options");
-	if (config != NULL) {
-		const cfg_obj_t *options = NULL;
-		(void)cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			maps[i++] = options;
-	}
-	maps[i] = NULL;
-
-	(void)ns_config_get(maps, aclname, &aclobj);
-	if (aclobj == NULL)
-		/*
-		 * No value available.	*aclp == NULL.
-		 */
-		return (ISC_R_SUCCESS);
-
-	if (acltuplename != NULL) {
-		/*
-		 * If the ACL is given in an optional tuple, retrieve it.
-		 * The parser should have ensured that a valid object be
-		 * returned.
-		 */
-		aclobj = cfg_tuple_get(aclobj, acltuplename);
-	}
-
-	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
-				    actx, mctx, 0, aclp);
-
-	return (result);
-}
-
-/*%
- * Configure a sortlist at '*aclp'.  Essentially the same as
- * configure_view_acl() except it calls cfg_acl_fromconfig with a
- * nest_level value of 2.
- */
-static isc_result_t
-configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
-			cfg_aclconfctx_t *actx, isc_mem_t *mctx,
-			dns_acl_t **aclp)
-{
-	isc_result_t result;
-	const cfg_obj_t *maps[3];
-	const cfg_obj_t *aclobj = NULL;
-	int i = 0;
-
-	if (*aclp != NULL)
-		dns_acl_detach(aclp);
-	if (vconfig != NULL)
-		maps[i++] = cfg_tuple_get(vconfig, "options");
-	if (config != NULL) {
-		const cfg_obj_t *options = NULL;
-		(void)cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			maps[i++] = options;
-	}
-	maps[i] = NULL;
-
-	(void)ns_config_get(maps, "sortlist", &aclobj);
-	if (aclobj == NULL)
-		return (ISC_R_SUCCESS);
-
-	/*
-	 * Use a nest level of 3 for the "top level" of the sortlist;
-	 * this means each entry in the top three levels will be stored
-	 * as lists of separate, nested ACLs, rather than merged together
-	 * into IP tables as is usually done with ACLs.
-	 */
-	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
-				    actx, mctx, 3, aclp);
-
-	return (result);
-}
-
-static isc_result_t
-configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
-			 const char *confname, const char *conftuplename,
-			 isc_mem_t *mctx, dns_rbt_t **rbtp)
-{
-	isc_result_t result;
-	const cfg_obj_t *maps[3];
-	const cfg_obj_t *obj = NULL;
-	const cfg_listelt_t *element;
-	int i = 0;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	isc_buffer_t b;
-	const char *str;
-	const cfg_obj_t *nameobj;
-
-	if (*rbtp != NULL)
-		dns_rbt_destroy(rbtp);
-	if (vconfig != NULL)
-		maps[i++] = cfg_tuple_get(vconfig, "options");
-	if (config != NULL) {
-		const cfg_obj_t *options = NULL;
-		(void)cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			maps[i++] = options;
-	}
-	maps[i] = NULL;
-
-	(void)ns_config_get(maps, confname, &obj);
-	if (obj == NULL)
-		/*
-		 * No value available.	*rbtp == NULL.
-		 */
-		return (ISC_R_SUCCESS);
-
-	if (conftuplename != NULL) {
-		obj = cfg_tuple_get(obj, conftuplename);
-		if (cfg_obj_isvoid(obj))
-			return (ISC_R_SUCCESS);
-	}
-
-	result = dns_rbt_create(mctx, NULL, NULL, rbtp);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	for (element = cfg_list_first(obj);
-	     element != NULL;
-	     element = cfg_list_next(element)) {
-		nameobj = cfg_listelt_value(element);
-		str = cfg_obj_asstring(nameobj);
-		isc_buffer_constinit(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
-		/*
-		 * We don't need the node data, but need to set dummy data to
-		 * avoid a partial match with an empty node.  For example, if
-		 * we have foo.example.com and bar.example.com, we'd get a match
-		 * for baz.example.com, which is not the expected result.
-		 * We simply use (void *)1 as the dummy data.
-		 */
-		result = dns_rbt_addname(*rbtp, name, (void *)1);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
-				    "failed to add %s for %s: %s",
-				    str, confname, isc_result_totext(result));
-			goto cleanup;
-		}
-
-	}
-
-	return (result);
-
-  cleanup:
-	dns_rbt_destroy(rbtp);
-	return (result);
-
-}
-
-static isc_result_t
-dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
-		  isc_boolean_t managed, dst_key_t **target, isc_mem_t *mctx)
-{
-	dns_rdataclass_t viewclass;
-	dns_rdata_dnskey_t keystruct;
-	isc_uint32_t flags, proto, alg;
-	const char *keystr, *keynamestr;
-	unsigned char keydata[4096];
-	isc_buffer_t keydatabuf;
-	unsigned char rrdata[4096];
-	isc_buffer_t rrdatabuf;
-	isc_region_t r;
-	dns_fixedname_t fkeyname;
-	dns_name_t *keyname;
-	isc_buffer_t namebuf;
-	isc_result_t result;
-	dst_key_t *dstkey = NULL;
-
-	INSIST(target != NULL && *target == NULL);
-
-	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
-	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
-	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
-	keyname = dns_fixedname_name(&fkeyname);
-	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
-
-	if (managed) {
-		const char *initmethod;
-		initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
-
-		if (strcasecmp(initmethod, "initial-key") != 0) {
-			cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
-				    "managed key '%s': "
-				    "invalid initialization method '%s'",
-				    keynamestr, initmethod);
-			result = ISC_R_FAILURE;
-			goto cleanup;
-		}
-	}
-
-	if (vconfig == NULL)
-		viewclass = dns_rdataclass_in;
-	else {
-		const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
-		CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
-					 &viewclass));
-	}
-	keystruct.common.rdclass = viewclass;
-	keystruct.common.rdtype = dns_rdatatype_dnskey;
-	/*
-	 * The key data in keystruct is not dynamically allocated.
-	 */
-	keystruct.mctx = NULL;
-
-	ISC_LINK_INIT(&keystruct.common, link);
-
-	if (flags > 0xffff)
-		CHECKM(ISC_R_RANGE, "key flags");
-	if (proto > 0xff)
-		CHECKM(ISC_R_RANGE, "key protocol");
-	if (alg > 0xff)
-		CHECKM(ISC_R_RANGE, "key algorithm");
-	keystruct.flags = (isc_uint16_t)flags;
-	keystruct.protocol = (isc_uint8_t)proto;
-	keystruct.algorithm = (isc_uint8_t)alg;
-
-	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
-	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
-
-	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
-	CHECK(isc_base64_decodestring(keystr, &keydatabuf));
-	isc_buffer_usedregion(&keydatabuf, &r);
-	keystruct.datalen = r.length;
-	keystruct.data = r.base;
-
-	if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
-	     keystruct.algorithm == DST_ALG_RSAMD5) &&
-	    r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
-		cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
-			    "%s key '%s' has a weak exponent",
-			    managed ? "managed" : "trusted",
-			    keynamestr);
-
-	CHECK(dns_rdata_fromstruct(NULL,
-				   keystruct.common.rdclass,
-				   keystruct.common.rdtype,
-				   &keystruct, &rrdatabuf));
-	dns_fixedname_init(&fkeyname);
-	isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
-	isc_buffer_add(&namebuf, strlen(keynamestr));
-	CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
-	CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
-			      mctx, &dstkey));
-
-	*target = dstkey;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (result == DST_R_NOCRYPTO) {
-		cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
-			    "ignoring %s key for '%s': no crypto support",
-			    managed ? "managed" : "trusted",
-			    keynamestr);
-	} else if (result == DST_R_UNSUPPORTEDALG) {
-		cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
-			    "skipping %s key for '%s': %s",
-			    managed ? "managed" : "trusted",
-			    keynamestr, isc_result_totext(result));
-	} else {
-		cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
-			    "configuring %s key for '%s': %s",
-			    managed ? "managed" : "trusted",
-			    keynamestr, isc_result_totext(result));
-		result = ISC_R_FAILURE;
-	}
-
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-
-	return (result);
-}
-
-static isc_result_t
-load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
-	       dns_view_t *view, isc_boolean_t managed,
-	       dns_name_t *keyname, isc_mem_t *mctx)
-{
-	const cfg_listelt_t *elt, *elt2;
-	const cfg_obj_t *key, *keylist;
-	dst_key_t *dstkey = NULL;
-	isc_result_t result;
-	dns_keytable_t *secroots = NULL;
-
-	CHECK(dns_view_getsecroots(view, &secroots));
-
-	for (elt = cfg_list_first(keys);
-	     elt != NULL;
-	     elt = cfg_list_next(elt)) {
-		keylist = cfg_listelt_value(elt);
-
-		for (elt2 = cfg_list_first(keylist);
-		     elt2 != NULL;
-		     elt2 = cfg_list_next(elt2)) {
-			key = cfg_listelt_value(elt2);
-			result = dstkey_fromconfig(vconfig, key, managed,
-						   &dstkey, mctx);
-			if (result ==  DST_R_UNSUPPORTEDALG) {
-				result = ISC_R_SUCCESS;
-				continue;
-			}
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-
-			/*
-			 * If keyname was specified, we only add that key.
-			 */
-			if (keyname != NULL &&
-			    !dns_name_equal(keyname, dst_key_name(dstkey)))
-			{
-				dst_key_free(&dstkey);
-				continue;
-			}
-
-			CHECK(dns_keytable_add(secroots, managed, &dstkey));
-		}
-	}
-
- cleanup:
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-	if (secroots != NULL)
-		dns_keytable_detach(&secroots);
-	if (result == DST_R_NOCRYPTO)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-/*%
- * Configure DNSSEC keys for a view.
- *
- * The per-view configuration values and the server-global defaults are read
- * from 'vconfig' and 'config'.
- */
-static isc_result_t
-configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
-			  const cfg_obj_t *config, const cfg_obj_t *bindkeys,
-			  isc_boolean_t auto_dlv, isc_boolean_t auto_root,
-			  isc_mem_t *mctx)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	const cfg_obj_t *view_keys = NULL;
-	const cfg_obj_t *global_keys = NULL;
-	const cfg_obj_t *view_managed_keys = NULL;
-	const cfg_obj_t *global_managed_keys = NULL;
-	const cfg_obj_t *maps[4];
-	const cfg_obj_t *voptions = NULL;
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *obj = NULL;
-	const char *directory;
-	int i = 0;
-
-	/* We don't need trust anchors for the _bind view */
-	if (strcmp(view->name, "_bind") == 0 &&
-	    view->rdclass == dns_rdataclass_chaos) {
-		return (ISC_R_SUCCESS);
-	}
-
-	if (vconfig != NULL) {
-		voptions = cfg_tuple_get(vconfig, "options");
-		if (voptions != NULL) {
-			(void) cfg_map_get(voptions, "trusted-keys",
-					   &view_keys);
-			(void) cfg_map_get(voptions, "managed-keys",
-					   &view_managed_keys);
-			maps[i++] = voptions;
-		}
-	}
-
-	if (config != NULL) {
-		(void)cfg_map_get(config, "trusted-keys", &global_keys);
-		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
-		(void)cfg_map_get(config, "options", &options);
-		if (options != NULL) {
-			maps[i++] = options;
-		}
-	}
-
-	maps[i++] = ns_g_defaults;
-	maps[i] = NULL;
-
-	result = dns_view_initsecroots(view, mctx);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "couldn't create keytable");
-		return (ISC_R_UNEXPECTED);
-	}
-
-	if (auto_dlv && view->rdclass == dns_rdataclass_in) {
-		const cfg_obj_t *builtin_keys = NULL;
-		const cfg_obj_t *builtin_managed_keys = NULL;
-
-		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-			      "using built-in DLV key for view %s",
-			      view->name);
-
-		/*
-		 * If bind.keys exists, it overrides the managed-keys
-		 * clause hard-coded in ns_g_config.
-		 */
-		if (bindkeys != NULL) {
-			(void)cfg_map_get(bindkeys, "trusted-keys",
-					  &builtin_keys);
-			(void)cfg_map_get(bindkeys, "managed-keys",
-					  &builtin_managed_keys);
-		} else {
-			(void)cfg_map_get(ns_g_config, "trusted-keys",
-					  &builtin_keys);
-			(void)cfg_map_get(ns_g_config, "managed-keys",
-					  &builtin_managed_keys);
-		}
-
-		if (builtin_keys != NULL)
-			CHECK(load_view_keys(builtin_keys, vconfig, view,
-					     ISC_FALSE, view->dlv, mctx));
-		if (builtin_managed_keys != NULL)
-			CHECK(load_view_keys(builtin_managed_keys, vconfig,
-					     view, ISC_TRUE, view->dlv, mctx));
-	}
-
-	if (auto_root && view->rdclass == dns_rdataclass_in) {
-		const cfg_obj_t *builtin_keys = NULL;
-		const cfg_obj_t *builtin_managed_keys = NULL;
-
-		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-			      "using built-in root key for view %s",
-			      view->name);
-
-		/*
-		 * If bind.keys exists, it overrides the managed-keys
-		 * clause hard-coded in ns_g_config.
-		 */
-		if (bindkeys != NULL) {
-			(void)cfg_map_get(bindkeys, "trusted-keys",
-					  &builtin_keys);
-			(void)cfg_map_get(bindkeys, "managed-keys",
-					  &builtin_managed_keys);
-		} else {
-			(void)cfg_map_get(ns_g_config, "trusted-keys",
-					  &builtin_keys);
-			(void)cfg_map_get(ns_g_config, "managed-keys",
-					  &builtin_managed_keys);
-		}
-
-		if (builtin_keys != NULL)
-			CHECK(load_view_keys(builtin_keys, vconfig, view,
-					     ISC_FALSE, dns_rootname, mctx));
-		if (builtin_managed_keys != NULL)
-			CHECK(load_view_keys(builtin_managed_keys, vconfig,
-					     view, ISC_TRUE, dns_rootname,
-					     mctx));
-	}
-
-	CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
-			     NULL, mctx));
-	CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE,
-			     NULL, mctx));
-
-	if (view->rdclass == dns_rdataclass_in) {
-		CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
-				     NULL, mctx));
-		CHECK(load_view_keys(global_managed_keys, vconfig, view,
-				     ISC_TRUE, NULL, mctx));
-	}
-
-	/*
-	 * Add key zone for managed-keys.
-	 */
-	obj = NULL;
-	(void)ns_config_get(maps, "managed-keys-directory", &obj);
-	directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
-	if (directory != NULL)
-		result = isc_file_isdirectory(directory);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "invalid managed-keys-directory %s: %s",
-			      directory, isc_result_totext(result));
-		goto cleanup;
-
-	}
-	CHECK(add_keydata_zone(view, directory, ns_g_mctx));
-
-  cleanup:
-	return (result);
-}
-
-static isc_result_t
-mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
-	const cfg_listelt_t *element;
-	const cfg_obj_t *obj;
-	const char *str;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	isc_boolean_t value;
-	isc_result_t result;
-	isc_buffer_t b;
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	for (element = cfg_list_first(mbs);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		obj = cfg_listelt_value(element);
-		str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
-		isc_buffer_constinit(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
-		value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
-		CHECK(dns_resolver_setmustbesecure(resolver, name, value));
-	}
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	return (result);
-}
-
-/*%
- * Get a dispatch appropriate for the resolver of a given view.
- */
-static isc_result_t
-get_view_querysource_dispatch(const cfg_obj_t **maps,
-			      int af, dns_dispatch_t **dispatchp,
-			      isc_boolean_t is_firstview)
-{
-	isc_result_t result = ISC_R_FAILURE;
-	dns_dispatch_t *disp;
-	isc_sockaddr_t sa;
-	unsigned int attrs, attrmask;
-	const cfg_obj_t *obj = NULL;
-	unsigned int maxdispatchbuffers;
-
-	switch (af) {
-	case AF_INET:
-		result = ns_config_get(maps, "query-source", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		break;
-	case AF_INET6:
-		result = ns_config_get(maps, "query-source-v6", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		break;
-	default:
-		INSIST(0);
-	}
-
-	sa = *(cfg_obj_assockaddr(obj));
-	INSIST(isc_sockaddr_pf(&sa) == af);
-
-	/*
-	 * If we don't support this address family, we're done!
-	 */
-	switch (af) {
-	case AF_INET:
-		result = isc_net_probeipv4();
-		break;
-	case AF_INET6:
-		result = isc_net_probeipv6();
-		break;
-	default:
-		INSIST(0);
-	}
-	if (result != ISC_R_SUCCESS)
-		return (ISC_R_SUCCESS);
-
-	/*
-	 * Try to find a dispatcher that we can share.
-	 */
-	attrs = 0;
-	attrs |= DNS_DISPATCHATTR_UDP;
-	switch (af) {
-	case AF_INET:
-		attrs |= DNS_DISPATCHATTR_IPV4;
-		break;
-	case AF_INET6:
-		attrs |= DNS_DISPATCHATTR_IPV6;
-		break;
-	}
-	if (isc_sockaddr_getport(&sa) == 0) {
-		attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
-		maxdispatchbuffers = 4096;
-	} else {
-		INSIST(obj != NULL);
-		if (is_firstview) {
-			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
-				    "using specific query-source port "
-				    "suppresses port randomization and can be "
-				    "insecure.");
-		}
-		maxdispatchbuffers = 1000;
-	}
-
-	attrmask = 0;
-	attrmask |= DNS_DISPATCHATTR_UDP;
-	attrmask |= DNS_DISPATCHATTR_TCP;
-	attrmask |= DNS_DISPATCHATTR_IPV4;
-	attrmask |= DNS_DISPATCHATTR_IPV6;
-
-	disp = NULL;
-	result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
-				     ns_g_taskmgr, &sa, 4096,
-				     maxdispatchbuffers, 32768, 16411, 16433,
-				     attrs, attrmask, &disp);
-	if (result != ISC_R_SUCCESS) {
-		isc_sockaddr_t any;
-		char buf[ISC_SOCKADDR_FORMATSIZE];
-
-		switch (af) {
-		case AF_INET:
-			isc_sockaddr_any(&any);
-			break;
-		case AF_INET6:
-			isc_sockaddr_any6(&any);
-			break;
-		}
-		if (isc_sockaddr_equal(&sa, &any))
-			return (ISC_R_SUCCESS);
-		isc_sockaddr_format(&sa, buf, sizeof(buf));
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "could not get query source dispatcher (%s)",
-			      buf);
-		return (result);
-	}
-
-	*dispatchp = disp;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-configure_order(dns_order_t *order, const cfg_obj_t *ent) {
-	dns_rdataclass_t rdclass;
-	dns_rdatatype_t rdtype;
-	const cfg_obj_t *obj;
-	dns_fixedname_t fixed;
-	unsigned int mode = 0;
-	const char *str;
-	isc_buffer_t b;
-	isc_result_t result;
-	isc_boolean_t addroot;
-
-	result = ns_config_getclass(cfg_tuple_get(ent, "class"),
-				    dns_rdataclass_any, &rdclass);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = ns_config_gettype(cfg_tuple_get(ent, "type"),
-				   dns_rdatatype_any, &rdtype);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	obj = cfg_tuple_get(ent, "name");
-	if (cfg_obj_isstring(obj))
-		str = cfg_obj_asstring(obj);
-	else
-		str = "*";
-	addroot = ISC_TF(strcmp(str, "*") == 0);
-	isc_buffer_constinit(&b, str, strlen(str));
-	isc_buffer_add(&b, strlen(str));
-	dns_fixedname_init(&fixed);
-	result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-				   dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	obj = cfg_tuple_get(ent, "ordering");
-	INSIST(cfg_obj_isstring(obj));
-	str = cfg_obj_asstring(obj);
-	if (!strcasecmp(str, "fixed"))
-		mode = DNS_RDATASETATTR_FIXEDORDER;
-	else if (!strcasecmp(str, "random"))
-		mode = DNS_RDATASETATTR_RANDOMIZE;
-	else if (!strcasecmp(str, "cyclic"))
-		mode = 0;
-	else
-		INSIST(0);
-
-	/*
-	 * "*" should match everything including the root (BIND 8 compat).
-	 * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
-	 * explicit entry for "." when the name is "*".
-	 */
-	if (addroot) {
-		result = dns_order_add(order, dns_rootname,
-				       rdtype, rdclass, mode);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	return (dns_order_add(order, dns_fixedname_name(&fixed),
-			      rdtype, rdclass, mode));
-}
-
-static isc_result_t
-configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
-	isc_netaddr_t na;
-	dns_peer_t *peer;
-	const cfg_obj_t *obj;
-	const char *str;
-	isc_result_t result;
-	unsigned int prefixlen;
-
-	cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
-
-	peer = NULL;
-	result = dns_peer_newprefix(mctx, &na, prefixlen, &peer);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "bogus", &obj);
-	if (obj != NULL)
-		CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "provide-ixfr", &obj);
-	if (obj != NULL)
-		CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "request-ixfr", &obj);
-	if (obj != NULL)
-		CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "request-nsid", &obj);
-	if (obj != NULL)
-		CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "edns", &obj);
-	if (obj != NULL)
-		CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "edns-udp-size", &obj);
-	if (obj != NULL) {
-		isc_uint32_t udpsize = cfg_obj_asuint32(obj);
-		if (udpsize < 512)
-			udpsize = 512;
-		if (udpsize > 4096)
-			udpsize = 4096;
-		CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
-	}
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "max-udp-size", &obj);
-	if (obj != NULL) {
-		isc_uint32_t udpsize = cfg_obj_asuint32(obj);
-		if (udpsize < 512)
-			udpsize = 512;
-		if (udpsize > 4096)
-			udpsize = 4096;
-		CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize));
-	}
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "transfers", &obj);
-	if (obj != NULL)
-		CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "transfer-format", &obj);
-	if (obj != NULL) {
-		str = cfg_obj_asstring(obj);
-		if (strcasecmp(str, "many-answers") == 0)
-			CHECK(dns_peer_settransferformat(peer,
-							 dns_many_answers));
-		else if (strcasecmp(str, "one-answer") == 0)
-			CHECK(dns_peer_settransferformat(peer,
-							 dns_one_answer));
-		else
-			INSIST(0);
-	}
-
-	obj = NULL;
-	(void)cfg_map_get(cpeer, "keys", &obj);
-	if (obj != NULL) {
-		result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	obj = NULL;
-	if (na.family == AF_INET)
-		(void)cfg_map_get(cpeer, "transfer-source", &obj);
-	else
-		(void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
-	if (obj != NULL) {
-		result = dns_peer_settransfersource(peer,
-						    cfg_obj_assockaddr(obj));
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-	}
-
-	obj = NULL;
-	if (na.family == AF_INET)
-		(void)cfg_map_get(cpeer, "notify-source", &obj);
-	else
-		(void)cfg_map_get(cpeer, "notify-source-v6", &obj);
-	if (obj != NULL) {
-		result = dns_peer_setnotifysource(peer,
-						  cfg_obj_assockaddr(obj));
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-	}
-
-	obj = NULL;
-	if (na.family == AF_INET)
-		(void)cfg_map_get(cpeer, "query-source", &obj);
-	else
-		(void)cfg_map_get(cpeer, "query-source-v6", &obj);
-	if (obj != NULL) {
-		result = dns_peer_setquerysource(peer,
-						 cfg_obj_assockaddr(obj));
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-	}
-
-	*peerp = peer;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_peer_detach(&peer);
-	return (result);
-}
-
-static isc_result_t
-disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
-	isc_result_t result;
-	const cfg_obj_t *algorithms;
-	const cfg_listelt_t *element;
-	const char *str;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	isc_buffer_t b;
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
-	isc_buffer_constinit(&b, str, strlen(str));
-	isc_buffer_add(&b, strlen(str));
-	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
-
-	algorithms = cfg_tuple_get(disabled, "algorithms");
-	for (element = cfg_list_first(algorithms);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		isc_textregion_t r;
-		dns_secalg_t alg;
-
-		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
-		r.length = strlen(r.base);
-
-		result = dns_secalg_fromtext(&alg, &r);
-		if (result != ISC_R_SUCCESS) {
-			isc_uint8_t ui;
-			result = isc_parse_uint8(&ui, r.base, 10);
-			alg = ui;
-		}
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(cfg_listelt_value(element),
-				    ns_g_lctx, ISC_LOG_ERROR,
-				    "invalid algorithm");
-			CHECK(result);
-		}
-		CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
-	}
- cleanup:
-	return (result);
-}
-
-static isc_boolean_t
-on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
-	const cfg_listelt_t *element;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	isc_result_t result;
-	const cfg_obj_t *value;
-	const char *str;
-	isc_buffer_t b;
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-
-	for (element = cfg_list_first(disablelist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		value = cfg_listelt_value(element);
-		str = cfg_obj_asstring(value);
-		isc_buffer_constinit(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		result = dns_name_fromtext(name, &b, dns_rootname,
-					   0, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		if (dns_name_equal(name, zonename))
-			return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-static void
-check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
-	     isc_mem_t *mctx)
-{
-	char **argv = NULL;
-	unsigned int i;
-	isc_result_t result;
-
-	result = dns_zone_getdbtype(*zonep, &argv, mctx);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_detach(zonep);
-		return;
-	}
-
-	/*
-	 * Check that all the arguments match.
-	 */
-	for (i = 0; i < dbtypec; i++)
-		if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
-			dns_zone_detach(zonep);
-			break;
-		}
-
-	/*
-	 * Check that there are not extra arguments.
-	 */
-	if (i == dbtypec && argv[i] != NULL)
-		dns_zone_detach(zonep);
-	isc_mem_free(mctx, argv);
-}
-
-static isc_result_t
-setquerystats(dns_zone_t *zone, isc_mem_t *mctx, dns_zonestat_level_t level) {
-	isc_result_t result;
-	isc_stats_t *zoneqrystats;
-
-	dns_zone_setstatlevel(zone, level);
-
-	zoneqrystats = NULL;
-	if (level == dns_zonestat_full) {
-		result = isc_stats_create(mctx, &zoneqrystats,
-					  dns_nsstatscounter_max);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	dns_zone_setrequeststats(zone, zoneqrystats);
-	if (zoneqrystats != NULL)
-		isc_stats_detach(&zoneqrystats);
-
-	return (ISC_R_SUCCESS);
-}
-
-static ns_cache_t *
-cachelist_find(ns_cachelist_t *cachelist, const char *cachename) {
-	ns_cache_t *nsc;
-
-	for (nsc = ISC_LIST_HEAD(*cachelist);
-	     nsc != NULL;
-	     nsc = ISC_LIST_NEXT(nsc, link)) {
-		if (strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
-			return (nsc);
-	}
-
-	return (NULL);
-}
-
-static isc_boolean_t
-cache_reusable(dns_view_t *originview, dns_view_t *view,
-	       isc_boolean_t new_zero_no_soattl)
-{
-	if (originview->checknames != view->checknames ||
-	    dns_resolver_getzeronosoattl(originview->resolver) !=
-	    new_zero_no_soattl ||
-	    originview->acceptexpired != view->acceptexpired ||
-	    originview->enablevalidation != view->enablevalidation ||
-	    originview->maxcachettl != view->maxcachettl ||
-	    originview->maxncachettl != view->maxncachettl) {
-		return (ISC_FALSE);
-	}
-
-	return (ISC_TRUE);
-}
-
-static isc_boolean_t
-cache_sharable(dns_view_t *originview, dns_view_t *view,
-	       isc_boolean_t new_zero_no_soattl,
-	       unsigned int new_cleaning_interval,
-	       isc_uint64_t new_max_cache_size)
-{
-	/*
-	 * If the cache cannot even reused for the same view, it cannot be
-	 * shared with other views.
-	 */
-	if (!cache_reusable(originview, view, new_zero_no_soattl))
-		return (ISC_FALSE);
-
-	/*
-	 * Check other cache related parameters that must be consistent among
-	 * the sharing views.
-	 */
-	if (dns_cache_getcleaninginterval(originview->cache) !=
-	    new_cleaning_interval ||
-	    dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
-		return (ISC_FALSE);
-	}
-
-	return (ISC_TRUE);
-}
-
-/*
- * Callback from DLZ configure when the driver sets up a writeable zone
- */
-static isc_result_t
-dlzconfigure_callback(dns_view_t *view, dns_zone_t *zone) {
-	dns_name_t *origin = dns_zone_getorigin(zone);
-	dns_rdataclass_t zclass = view->rdclass;
-	isc_result_t result;
-
-	result = dns_zonemgr_managezone(ns_g_server->zonemgr, zone);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_zone_setstats(zone, ns_g_server->zonestats);
-
-	return (ns_zone_configure_writeable_dlz(view->dlzdatabase,
-						zone, zclass, origin));
-}
-
-static isc_result_t
-dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
-	      unsigned int prefixlen, const char *server,
-	      const char *contact)
-{
-	char *cp;
-	char reverse[48+sizeof("ip6.arpa.")];
-	const char *dns64_dbtype[4] = { "_dns64", "dns64", ".", "." };
-	const char *sep = ": view ";
-	const char *viewname = view->name;
-	const unsigned char *s6;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	dns_zone_t *zone = NULL;
-	int dns64_dbtypec = 4;
-	isc_buffer_t b;
-	isc_result_t result;
-
-	REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
-		prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
-
-	if (!strcmp(viewname, "_default")) {
-		sep = "";
-		viewname = "";
-	}
-
-	/*
-	 * Construct the reverse name of the zone.
-	 */
-	cp = reverse;
-	s6 = na->type.in6.s6_addr;
-	while (prefixlen > 0) {
-		prefixlen -= 8;
-		sprintf(cp, "%x.%x.", s6[prefixlen/8] & 0xf,
-			(s6[prefixlen/8] >> 4) & 0xf);
-		cp += 4;
-	}
-	strcat(cp, "ip6.arpa.");
-
-	/*
-	 * Create the actual zone.
-	 */
-	if (server != NULL)
-		dns64_dbtype[2] = server;
-	if (contact != NULL)
-		dns64_dbtype[3] = contact;
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	isc_buffer_constinit(&b, reverse, strlen(reverse));
-	isc_buffer_add(&b, strlen(reverse));
-	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
-	CHECK(dns_zone_create(&zone, mctx));
-	CHECK(dns_zone_setorigin(zone, name));
-	dns_zone_setview(zone, view);
-	CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
-	dns_zone_setclass(zone, view->rdclass);
-	dns_zone_settype(zone, dns_zone_master);
-	dns_zone_setstats(zone, ns_g_server->zonestats);
-	CHECK(dns_zone_setdbtype(zone, dns64_dbtypec, dns64_dbtype));
-	if (view->queryacl != NULL)
-		dns_zone_setqueryacl(zone, view->queryacl);
-	if (view->queryonacl != NULL)
-		dns_zone_setqueryonacl(zone, view->queryonacl);
-	dns_zone_setdialup(zone, dns_dialuptype_no);
-	dns_zone_setnotifytype(zone, dns_notifytype_no);
-	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
-	CHECK(setquerystats(zone, mctx, dns_zonestat_none));	/* XXXMPA */
-	CHECK(dns_view_addzone(view, zone));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_INFO, "dns64 reverse zone%s%s: %s", sep,
-		      viewname, reverse);
-
-cleanup:
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	return (result);
-}
-
-static isc_result_t
-configure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
-		   const char *str, const char *msg)
-{
-	isc_result_t result;
-
-	result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
-	if (result != ISC_R_SUCCESS)
-		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid %s '%s'", msg, str);
-	return (result);
-}
-
-static isc_result_t
-configure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
-		    const char *str, const dns_name_t *origin)
-{
-	isc_result_t result;
-
-	result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
-				      view->mctx);
-	if (result != ISC_R_SUCCESS)
-		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone '%s'", str);
-	return (result);
-}
-
-static isc_result_t
-configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
-	      isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
-{
-	const cfg_obj_t *rpz_obj, *obj;
-	const char *str;
-	dns_rpz_zone_t *old, *new;
-	isc_result_t result;
-
-	rpz_obj = cfg_listelt_value(element);
-
-	new = isc_mem_get(view->mctx, sizeof(*new));
-	if (new == NULL) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "no memory for response policy zones");
-		return (ISC_R_NOMEMORY);
-	}
-
-	memset(new, 0, sizeof(*new));
-	dns_name_init(&new->origin, NULL);
-	dns_name_init(&new->nsdname, NULL);
-	dns_name_init(&new->passthru, NULL);
-	dns_name_init(&new->cname, NULL);
-	ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
-
-	obj = cfg_tuple_get(rpz_obj, "recursive-only");
-	if (cfg_obj_isvoid(obj)) {
-		new->recursive_only = recursive_only_def;
-	} else {
-		new->recursive_only = cfg_obj_asboolean(obj);
-	}
-	if (!new->recursive_only)
-		view->rpz_recursive_only = ISC_FALSE;
-
-	obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
-	if (cfg_obj_isuint32(obj)) {
-		new->max_policy_ttl = cfg_obj_asuint32(obj);
-	} else {
-		new->max_policy_ttl = ttl_def;
-	}
-
-	str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
-	result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (dns_name_equal(&new->origin, dns_rootname)) {
-		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-			    "invalid zone name '%s'", str);
-		return (DNS_R_EMPTYLABEL);
-	}
-	for (old = ISC_LIST_HEAD(view->rpz_zones);
-	     old != new;
-	     old = ISC_LIST_NEXT(old, link)) {
-		++new->num;
-		if (dns_name_equal(&old->origin, &new->origin)) {
-			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-				    "duplicate '%s'", str);
-			result = DNS_R_DUPLICATE;
-			return (result);
-		}
-	}
-
-	result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
-				     DNS_RPZ_NSDNAME_ZONE, &new->origin);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = configure_rpz_name(view, rpz_obj, &new->passthru,
-				    DNS_RPZ_PASSTHRU_ZONE, "zone");
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	obj = cfg_tuple_get(rpz_obj, "policy");
-	if (cfg_obj_isvoid(obj)) {
-		new->policy = DNS_RPZ_POLICY_GIVEN;
-	} else {
-		str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
-		new->policy = dns_rpz_str2policy(str);
-		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
-		if (new->policy == DNS_RPZ_POLICY_CNAME) {
-			str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
-			result = configure_rpz_name(view, rpz_obj, &new->cname,
-						    str, "cname");
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Configure 'view' according to 'vconfig', taking defaults from 'config'
- * where values are missing in 'vconfig'.
- *
- * When configuring the default view, 'vconfig' will be NULL and the
- * global defaults in 'config' used exclusively.
- */
-static isc_result_t
-configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
-	       ns_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
-	       isc_mem_t *mctx, cfg_aclconfctx_t *actx,
-	       isc_boolean_t need_hints)
-{
-	const cfg_obj_t *maps[4];
-	const cfg_obj_t *cfgmaps[3];
-	const cfg_obj_t *optionmaps[3];
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *voptions = NULL;
-	const cfg_obj_t *forwardtype;
-	const cfg_obj_t *forwarders;
-	const cfg_obj_t *alternates;
-	const cfg_obj_t *zonelist;
-	const cfg_obj_t *dlz;
-	unsigned int dlzargc;
-	char **dlzargv;
-	const cfg_obj_t *disabled;
-	const cfg_obj_t *obj;
-	const cfg_listelt_t *element;
-	in_port_t port;
-	dns_cache_t *cache = NULL;
-	isc_result_t result;
-	unsigned int cleaning_interval;
-	size_t max_cache_size;
-	size_t max_acache_size;
-	size_t max_adb_size;
-	isc_uint32_t lame_ttl;
-	dns_tsig_keyring_t *ring = NULL;
-	dns_view_t *pview = NULL;	/* Production view */
-	isc_mem_t *cmctx = NULL, *hmctx = NULL;
-	dns_dispatch_t *dispatch4 = NULL;
-	dns_dispatch_t *dispatch6 = NULL;
-	isc_boolean_t reused_cache = ISC_FALSE;
-	isc_boolean_t shared_cache = ISC_FALSE;
-	int i = 0, j = 0, k = 0;
-	const char *str;
-	const char *cachename = NULL;
-	dns_order_t *order = NULL;
-	isc_uint32_t udpsize;
-	isc_uint32_t maxbits;
-	unsigned int resopts = 0;
-	dns_zone_t *zone = NULL;
-	isc_uint32_t max_clients_per_query;
-	const char *sep = ": view ";
-	const char *viewname = view->name;
-	const char *forview = " for view ";
-	isc_boolean_t empty_zones_enable;
-	const cfg_obj_t *disablelist = NULL;
-	isc_stats_t *resstats = NULL;
-	dns_stats_t *resquerystats = NULL;
-	isc_boolean_t auto_dlv = ISC_FALSE;
-	isc_boolean_t auto_root = ISC_FALSE;
-	ns_cache_t *nsc;
-	isc_boolean_t zero_no_soattl;
-	dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
-	unsigned int query_timeout, ndisp;
-	struct cfg_context *nzctx;
-	dns_rpz_zone_t *rpz;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (config != NULL)
-		(void)cfg_map_get(config, "options", &options);
-
-	/*
-	 * maps: view options, options, defaults
-	 * cfgmaps: view options, config
-	 * optionmaps: view options, options
-	 */
-	if (vconfig != NULL) {
-		voptions = cfg_tuple_get(vconfig, "options");
-		maps[i++] = voptions;
-		optionmaps[j++] = voptions;
-		cfgmaps[k++] = voptions;
-	}
-	if (options != NULL) {
-		maps[i++] = options;
-		optionmaps[j++] = options;
-	}
-
-	maps[i++] = ns_g_defaults;
-	maps[i] = NULL;
-	optionmaps[j] = NULL;
-	if (config != NULL)
-		cfgmaps[k++] = config;
-	cfgmaps[k] = NULL;
-
-	if (!strcmp(viewname, "_default")) {
-		sep = "";
-		viewname = "";
-		forview = "";
-		POST(forview);
-	}
-
-	/*
-	 * Set the view's port number for outgoing queries.
-	 */
-	CHECKM(ns_config_getport(config, &port), "port");
-	dns_view_setdstport(view, port);
-
-	/*
-	 * Create additional cache for this view and zones under the view
-	 * if explicitly enabled.
-	 * XXX950 default to on.
-	 */
-	obj = NULL;
-	(void)ns_config_get(maps, "acache-enable", &obj);
-	if (obj != NULL && cfg_obj_asboolean(obj)) {
-		cmctx = NULL;
-		CHECK(isc_mem_create(0, 0, &cmctx));
-		CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
-					ns_g_timermgr));
-		isc_mem_setname(cmctx, "acache", NULL);
-		isc_mem_detach(&cmctx);
-	}
-	if (view->acache != NULL) {
-		obj = NULL;
-		result = ns_config_get(maps, "acache-cleaning-interval", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_acache_setcleaninginterval(view->acache,
-					       cfg_obj_asuint32(obj) * 60);
-
-		obj = NULL;
-		result = ns_config_get(maps, "max-acache-size", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		if (cfg_obj_isstring(obj)) {
-			str = cfg_obj_asstring(obj);
-			INSIST(strcasecmp(str, "unlimited") == 0);
-			max_acache_size = ISC_UINT32_MAX;
-		} else {
-			isc_resourcevalue_t value;
-			value = cfg_obj_asuint64(obj);
-			if (value > SIZE_MAX) {
-				cfg_obj_log(obj, ns_g_lctx,
-					    ISC_LOG_WARNING,
-					    "'max-acache-size "
-					    "%" ISC_PRINT_QUADFORMAT "u' "
-					    "is too large for this "
-					    "system; reducing to %lu",
-					    value, (unsigned long)SIZE_MAX);
-				value = SIZE_MAX;
-			}
-			max_acache_size = (size_t) value;
-		}
-		dns_acache_setcachesize(view->acache, max_acache_size);
-	}
-
-	CHECK(configure_view_acl(vconfig, config, "allow-query", NULL, actx,
-				 ns_g_mctx, &view->queryacl));
-	if (view->queryacl == NULL) {
-		CHECK(configure_view_acl(NULL, ns_g_config, "allow-query",
-					 NULL, actx, ns_g_mctx,
-					 &view->queryacl));
-	}
-
-	/*
-	 * Make the list of response policy zone names for a view that
-	 * is used for real lookups and so cares about hints.
-	 */
-	obj = NULL;
-	if (view->rdclass == dns_rdataclass_in && need_hints &&
-	    ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
-		const cfg_obj_t *rpz_obj;
-		isc_boolean_t recursive_only_def;
-		dns_ttl_t ttl_def;
-
-		rpz_obj = cfg_tuple_get(obj, "recursive-only");
-		if (!cfg_obj_isvoid(rpz_obj) &&
-		    !cfg_obj_asboolean(rpz_obj))
-			recursive_only_def = ISC_FALSE;
-		else
-			recursive_only_def = ISC_TRUE;
-
-		rpz_obj = cfg_tuple_get(obj, "break-dnssec");
-		if (!cfg_obj_isvoid(rpz_obj) &&
-		    cfg_obj_asboolean(rpz_obj))
-			view->rpz_break_dnssec = ISC_TRUE;
-		else
-			view->rpz_break_dnssec = ISC_FALSE;
-
-		rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
-		if (cfg_obj_isuint32(rpz_obj))
-			ttl_def = cfg_obj_asuint32(rpz_obj);
-		else
-			ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
-
-		rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
-		if (cfg_obj_isuint32(rpz_obj))
-			view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
-		else
-			view->rpz_min_ns_labels = 2;
-
-		element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
-		while (element != NULL) {
-			result = configure_rpz(view, element,
-					       recursive_only_def, ttl_def);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			element = cfg_list_next(element);
-		}
-	}
-
-	/*
-	 * Configure the zones.
-	 */
-	zonelist = NULL;
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "zone", &zonelist);
-	else
-		(void)cfg_map_get(config, "zone", &zonelist);
-
-	/*
-	 * Load zone configuration
-	 */
-	for (element = cfg_list_first(zonelist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *zconfig = cfg_listelt_value(element);
-		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
-				     actx, ISC_FALSE));
-	}
-
-	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
-	     rpz != NULL;
-	     rpz = ISC_LIST_NEXT(rpz, link))
-	{
-		if (!rpz->defined) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-
-			dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
-			cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
-				    "'%s' is not a master or slave zone",
-				    namebuf);
-			result = ISC_R_NOTFOUND;
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * If we're allowing added zones, then load zone configuration
-	 * from the newzone file for zones that were added during previous
-	 * runs.
-	 */
-	nzctx = view->new_zone_config;
-	if (nzctx != NULL && nzctx->nzconfig != NULL) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "loading additional zones for view '%s'",
-			      view->name);
-
-		zonelist = NULL;
-		cfg_map_get(nzctx->nzconfig, "zone", &zonelist);
-
-		for (element = cfg_list_first(zonelist);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			const cfg_obj_t *zconfig = cfg_listelt_value(element);
-			CHECK(configure_zone(config, zconfig, vconfig,
-					     mctx, view, actx,
-					     ISC_TRUE));
-		}
-	}
-
-	/*
-	 * Create Dynamically Loadable Zone driver.
-	 */
-	dlz = NULL;
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "dlz", &dlz);
-	else
-		(void)cfg_map_get(config, "dlz", &dlz);
-
-	obj = NULL;
-	if (dlz != NULL) {
-		(void)cfg_map_get(cfg_tuple_get(dlz, "options"),
-				  "database", &obj);
-		if (obj != NULL) {
-			char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
-			if (s == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-
-			result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
-			if (result != ISC_R_SUCCESS) {
-				isc_mem_free(mctx, s);
-				goto cleanup;
-			}
-
-			obj = cfg_tuple_get(dlz, "name");
-			result = dns_dlzcreate(mctx, cfg_obj_asstring(obj),
-					       dlzargv[0], dlzargc, dlzargv,
-					       &view->dlzdatabase);
-			isc_mem_free(mctx, s);
-			isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-
-			/*
-			 * If the dlz backend supports configuration,
-			 * then call its configure method now.
-			 */
-			result = dns_dlzconfigure(view, dlzconfigure_callback);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-		}
-	}
-
-	/*
-	 * Obtain configuration parameters that affect the decision of whether
-	 * we can reuse/share an existing cache.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "cleaning-interval", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	cleaning_interval = cfg_obj_asuint32(obj) * 60;
-
-	obj = NULL;
-	result = ns_config_get(maps, "max-cache-size", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	if (cfg_obj_isstring(obj)) {
-		str = cfg_obj_asstring(obj);
-		INSIST(strcasecmp(str, "unlimited") == 0);
-		max_cache_size = ISC_UINT32_MAX;
-	} else {
-		isc_resourcevalue_t value;
-		value = cfg_obj_asuint64(obj);
-		if (value > SIZE_MAX) {
-			cfg_obj_log(obj, ns_g_lctx,
-				    ISC_LOG_WARNING,
-				    "'max-cache-size "
-				    "%" ISC_PRINT_QUADFORMAT "u' "
-				    "is too large for this "
-				    "system; reducing to %lu",
-				    value, (unsigned long)SIZE_MAX);
-			value = SIZE_MAX;
-		}
-		max_cache_size = (size_t) value;
-	}
-
-	/* Check-names. */
-	obj = NULL;
-	result = ns_checknames_get(maps, "response", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-
-	str = cfg_obj_asstring(obj);
-	if (strcasecmp(str, "fail") == 0) {
-		resopts |= DNS_RESOLVER_CHECKNAMES |
-			DNS_RESOLVER_CHECKNAMESFAIL;
-		view->checknames = ISC_TRUE;
-	} else if (strcasecmp(str, "warn") == 0) {
-		resopts |= DNS_RESOLVER_CHECKNAMES;
-		view->checknames = ISC_FALSE;
-	} else if (strcasecmp(str, "ignore") == 0) {
-		view->checknames = ISC_FALSE;
-	} else
-		INSIST(0);
-
-	obj = NULL;
-	result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	zero_no_soattl = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "dns64", &obj);
-	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
-	    strcmp(view->name, "_meta")) {
-		const cfg_listelt_t *element;
-		isc_netaddr_t na, suffix, *sp;
-		unsigned int prefixlen;
-		const char *server, *contact;
-		const cfg_obj_t *myobj;
-
-		myobj = NULL;
-		result = ns_config_get(maps, "dns64-server", &myobj);
-		if (result == ISC_R_SUCCESS)
-			server = cfg_obj_asstring(myobj);
-		else
-			server = NULL;
-
-		myobj = NULL;
-		result = ns_config_get(maps, "dns64-contact", &myobj);
-		if (result == ISC_R_SUCCESS)
-			contact = cfg_obj_asstring(myobj);
-		else
-			contact = NULL;
-
-		for (element = cfg_list_first(obj);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			const cfg_obj_t *map = cfg_listelt_value(element);
-			dns_dns64_t *dns64 = NULL;
-			unsigned int dns64options = 0;
-
-			cfg_obj_asnetprefix(cfg_map_getname(map), &na,
-					    &prefixlen);
-
-			obj = NULL;
-			(void)cfg_map_get(map, "suffix", &obj);
-			if (obj != NULL) {
-				sp = &suffix;
-				isc_netaddr_fromsockaddr(sp,
-						      cfg_obj_assockaddr(obj));
-			} else
-				sp = NULL;
-
-			clients = mapped = excluded = NULL;
-			obj = NULL;
-			(void)cfg_map_get(map, "clients", &obj);
-			if (obj != NULL) {
-				result = cfg_acl_fromconfig(obj, config,
-							    ns_g_lctx, actx,
-							    mctx, 0, &clients);
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-			}
-			obj = NULL;
-			(void)cfg_map_get(map, "mapped", &obj);
-			if (obj != NULL) {
-				result = cfg_acl_fromconfig(obj, config,
-							    ns_g_lctx, actx,
-							    mctx, 0, &mapped);
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-			}
-			obj = NULL;
-			(void)cfg_map_get(map, "exclude", &obj);
-			if (obj != NULL) {
-				result = cfg_acl_fromconfig(obj, config,
-							    ns_g_lctx, actx,
-							    mctx, 0, &excluded);
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-			}
-
-			obj = NULL;
-			(void)cfg_map_get(map, "recursive-only", &obj);
-			if (obj != NULL && cfg_obj_asboolean(obj))
-				dns64options |= DNS_DNS64_RECURSIVE_ONLY;
-
-			obj = NULL;
-			(void)cfg_map_get(map, "break-dnssec", &obj);
-			if (obj != NULL && cfg_obj_asboolean(obj))
-				dns64options |= DNS_DNS64_BREAK_DNSSEC;
-
-			result = dns_dns64_create(mctx, &na, prefixlen, sp,
-						  clients, mapped, excluded,
-						  dns64options, &dns64);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			dns_dns64_append(&view->dns64, dns64);
-			view->dns64cnt++;
-			result = dns64_reverse(view, mctx, &na, prefixlen,
-					       server, contact);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			if (clients != NULL)
-				dns_acl_detach(&clients);
-			if (mapped != NULL)
-				dns_acl_detach(&mapped);
-			if (excluded != NULL)
-				dns_acl_detach(&excluded);
-		}
-	}
-
-	obj = NULL;
-	result = ns_config_get(maps, "dnssec-accept-expired", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->acceptexpired = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "dnssec-validation", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	if (cfg_obj_isboolean(obj)) {
-		view->enablevalidation = cfg_obj_asboolean(obj);
-	} else {
-		/* If dnssec-validation is not boolean, it must be "auto" */
-		view->enablevalidation = ISC_TRUE;
-		auto_root = ISC_TRUE;
-	}
-
-	obj = NULL;
-	result = ns_config_get(maps, "max-cache-ttl", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->maxcachettl = cfg_obj_asuint32(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "max-ncache-ttl", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->maxncachettl = cfg_obj_asuint32(obj);
-	if (view->maxncachettl > 7 * 24 * 3600)
-		view->maxncachettl = 7 * 24 * 3600;
-
-	/*
-	 * Configure the view's cache.
-	 *
-	 * First, check to see if there are any attach-cache options.  If yes,
-	 * attempt to lookup an existing cache at attach it to the view.  If
-	 * there is not one, then try to reuse an existing cache if possible;
-	 * otherwise create a new cache.
-	 *
-	 * Note that the ADB is not preserved or shared in either case.
-	 *
-	 * When a matching view is found, the associated statistics are also
-	 * retrieved and reused.
-	 *
-	 * XXX Determining when it is safe to reuse or share a cache is tricky.
-	 * When the view's configuration changes, the cached data may become
-	 * invalid because it reflects our old view of the world.  We check
-	 * some of the configuration parameters that could invalidate the cache
-	 * or otherwise make it unsharable, but there are other configuration
-	 * options that should be checked.  For example, if a view uses a
-	 * forwarder, changes in the forwarder configuration may invalidate
-	 * the cache.  At the moment, it's the administrator's responsibility to
-	 * ensure these configuration options don't invalidate reusing/sharing.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "attach-cache", &obj);
-	if (result == ISC_R_SUCCESS)
-		cachename = cfg_obj_asstring(obj);
-	else
-		cachename = view->name;
-	cache = NULL;
-	nsc = cachelist_find(cachelist, cachename);
-	if (nsc != NULL) {
-		if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
-				    cleaning_interval, max_cache_size)) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "views %s and %s can't share the cache "
-				      "due to configuration parameter mismatch",
-				      nsc->primaryview->name, view->name);
-			result = ISC_R_FAILURE;
-			goto cleanup;
-		}
-		dns_cache_attach(nsc->cache, &cache);
-		shared_cache = ISC_TRUE;
-	} else {
-		if (strcmp(cachename, view->name) == 0) {
-			result = dns_viewlist_find(&ns_g_server->viewlist,
-						   cachename, view->rdclass,
-						   &pview);
-			if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
-				goto cleanup;
-			if (pview != NULL) {
-				if (!cache_reusable(pview, view,
-						    zero_no_soattl)) {
-					isc_log_write(ns_g_lctx,
-						      NS_LOGCATEGORY_GENERAL,
-						      NS_LOGMODULE_SERVER,
-						      ISC_LOG_DEBUG(1),
-						      "cache cannot be reused "
-						      "for view %s due to "
-						      "configuration parameter "
-						      "mismatch", view->name);
-				} else {
-					INSIST(pview->cache != NULL);
-					isc_log_write(ns_g_lctx,
-						      NS_LOGCATEGORY_GENERAL,
-						      NS_LOGMODULE_SERVER,
-						      ISC_LOG_DEBUG(3),
-						      "reusing existing cache");
-					reused_cache = ISC_TRUE;
-					dns_cache_attach(pview->cache, &cache);
-				}
-				dns_view_getresstats(pview, &resstats);
-				dns_view_getresquerystats(pview,
-							  &resquerystats);
-				dns_view_detach(&pview);
-			}
-		}
-		if (cache == NULL) {
-			/*
-			 * Create a cache with the desired name.  This normally
-			 * equals the view name, but may also be a forward
-			 * reference to a view that share the cache with this
-			 * view but is not yet configured.  If it is not the
-			 * view name but not a forward reference either, then it
-			 * is simply a named cache that is not shared.
-			 *
-			 * We use two separate memory contexts for the
-			 * cache, for the main cache memory and the heap
-			 * memory.
-			 */
-			CHECK(isc_mem_create(0, 0, &cmctx));
-			isc_mem_setname(cmctx, "cache", NULL);
-			CHECK(isc_mem_create(0, 0, &hmctx));
-			isc_mem_setname(hmctx, "cache_heap", NULL);
-			CHECK(dns_cache_create3(cmctx, hmctx, ns_g_taskmgr,
-						ns_g_timermgr, view->rdclass,
-						cachename, "rbt", 0, NULL,
-						&cache));
-			isc_mem_detach(&cmctx);
-			isc_mem_detach(&hmctx);
-		}
-		nsc = isc_mem_get(mctx, sizeof(*nsc));
-		if (nsc == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-		nsc->cache = NULL;
-		dns_cache_attach(cache, &nsc->cache);
-		nsc->primaryview = view;
-		nsc->needflush = ISC_FALSE;
-		nsc->adbsizeadjusted = ISC_FALSE;
-		ISC_LINK_INIT(nsc, link);
-		ISC_LIST_APPEND(*cachelist, nsc, link);
-	}
-	dns_view_setcache2(view, cache, shared_cache);
-
-	/*
-	 * cache-file cannot be inherited if views are present, but this
-	 * should be caught by the configuration checking stage.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "cache-file", &obj);
-	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
-		CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
-		if (!reused_cache && !shared_cache)
-			CHECK(dns_cache_load(cache));
-	}
-
-	dns_cache_setcleaninginterval(cache, cleaning_interval);
-	dns_cache_setcachesize(cache, max_cache_size);
-
-	dns_cache_detach(&cache);
-
-	/*
-	 * Resolver.
-	 *
-	 * XXXRTH  Hardwired number of tasks.
-	 */
-	CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4,
-					    ISC_TF(ISC_LIST_PREV(view, link)
-						   == NULL)));
-	CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6,
-					    ISC_TF(ISC_LIST_PREV(view, link)
-						   == NULL)));
-	if (dispatch4 == NULL && dispatch6 == NULL) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "unable to obtain neither an IPv4 nor"
-				 " an IPv6 dispatch");
-		result = ISC_R_UNEXPECTED;
-		goto cleanup;
-	}
-
-	ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
-	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ndisp,
-				      ns_g_socketmgr, ns_g_timermgr,
-				      resopts, ns_g_dispatchmgr,
-				      dispatch4, dispatch6));
-
-	if (resstats == NULL) {
-		CHECK(isc_stats_create(mctx, &resstats,
-				       dns_resstatscounter_max));
-	}
-	dns_view_setresstats(view, resstats);
-	if (resquerystats == NULL)
-		CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
-	dns_view_setresquerystats(view, resquerystats);
-
-	/*
-	 * Set the ADB cache size to 1/8th of the max-cache-size or
-	 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
-	 */
-	max_adb_size = 0;
-	if (max_cache_size != 0U) {
-		max_adb_size = max_cache_size / 8;
-		if (max_adb_size == 0U)
-			max_adb_size = 1;	/* Force minimum. */
-		if (view != nsc->primaryview &&
-		    max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
-			max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
-			if (!nsc->adbsizeadjusted) {
-				dns_adb_setadbsize(nsc->primaryview->adb,
-						   MAX_ADB_SIZE_FOR_CACHESHARE);
-				nsc->adbsizeadjusted = ISC_TRUE;
-			}
-		}
-	}
-	dns_adb_setadbsize(view->adb, max_adb_size);
-
-	/*
-	 * Set resolver's lame-ttl.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "lame-ttl", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	lame_ttl = cfg_obj_asuint32(obj);
-	if (lame_ttl > 1800)
-		lame_ttl = 1800;
-	dns_resolver_setlamettl(view->resolver, lame_ttl);
-
-	/*
-	 * Set the resolver's query timeout.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "resolver-query-timeout", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	query_timeout = cfg_obj_asuint32(obj);
-	dns_resolver_settimeout(view->resolver, query_timeout);
-
-	/* Specify whether to use 0-TTL for negative response for SOA query */
-	dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
-
-	/*
-	 * Set the resolver's EDNS UDP size.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "edns-udp-size", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	udpsize = cfg_obj_asuint32(obj);
-	if (udpsize < 512)
-		udpsize = 512;
-	if (udpsize > 4096)
-		udpsize = 4096;
-	dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
-
-	/*
-	 * Set the maximum UDP response size.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "max-udp-size", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	udpsize = cfg_obj_asuint32(obj);
-	if (udpsize < 512)
-		udpsize = 512;
-	if (udpsize > 4096)
-		udpsize = 4096;
-	view->maxudp = udpsize;
-
-	/*
-	 * Set the maximum rsa exponent bits.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "max-rsa-exponent-size", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	maxbits = cfg_obj_asuint32(obj);
-	if (maxbits != 0 && maxbits < 35)
-		maxbits = 35;
-	if (maxbits > 4096)
-		maxbits = 4096;
-	view->maxbits = maxbits;
-
-	/*
-	 * Set supported DNSSEC algorithms.
-	 */
-	dns_resolver_reset_algorithms(view->resolver);
-	disabled = NULL;
-	(void)ns_config_get(maps, "disable-algorithms", &disabled);
-	if (disabled != NULL) {
-		for (element = cfg_list_first(disabled);
-		     element != NULL;
-		     element = cfg_list_next(element))
-			CHECK(disable_algorithms(cfg_listelt_value(element),
-						 view->resolver));
-	}
-
-	/*
-	 * A global or view "forwarders" option, if present,
-	 * creates an entry for "." in the forwarding table.
-	 */
-	forwardtype = NULL;
-	forwarders = NULL;
-	(void)ns_config_get(maps, "forward", &forwardtype);
-	(void)ns_config_get(maps, "forwarders", &forwarders);
-	if (forwarders != NULL)
-		CHECK(configure_forward(config, view, dns_rootname,
-					forwarders, forwardtype));
-
-	/*
-	 * Dual Stack Servers.
-	 */
-	alternates = NULL;
-	(void)ns_config_get(maps, "dual-stack-servers", &alternates);
-	if (alternates != NULL)
-		CHECK(configure_alternates(config, view, alternates));
-
-	/*
-	 * We have default hints for class IN if we need them.
-	 */
-	if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
-		dns_view_sethints(view, ns_g_server->in_roothints);
-
-	/*
-	 * If we still have no hints, this is a non-IN view with no
-	 * "hints zone" configured.  Issue a warning, except if this
-	 * is a root server.  Root servers never need to consult
-	 * their hints, so it's no point requiring users to configure
-	 * them.
-	 */
-	if (view->hints == NULL) {
-		dns_zone_t *rootzone = NULL;
-		(void)dns_view_findzone(view, dns_rootname, &rootzone);
-		if (rootzone != NULL) {
-			dns_zone_detach(&rootzone);
-			need_hints = ISC_FALSE;
-		}
-		if (need_hints)
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-				      "no root hints for view '%s'",
-				      view->name);
-	}
-
-	/*
-	 * Configure the view's TSIG keys.
-	 */
-	CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
-	if (ns_g_server->sessionkey != NULL) {
-		CHECK(dns_tsigkeyring_add(ring, ns_g_server->session_keyname,
-					  ns_g_server->sessionkey));
-	}
-	dns_view_setkeyring(view, ring);
-	dns_tsigkeyring_detach(&ring);
-
-	/*
-	 * See if we can re-use a dynamic key ring.
-	 */
-	result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
-				   view->rdclass, &pview);
-	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
-		goto cleanup;
-	if (pview != NULL) {
-		dns_view_getdynamickeyring(pview, &ring);
-		if (ring != NULL)
-			dns_view_setdynamickeyring(view, ring);
-		dns_tsigkeyring_detach(&ring);
-		dns_view_detach(&pview);
-	} else
-		dns_view_restorekeyring(view);
-
-	/*
-	 * Configure the view's peer list.
-	 */
-	{
-		const cfg_obj_t *peers = NULL;
-		const cfg_listelt_t *element;
-		dns_peerlist_t *newpeers = NULL;
-
-		(void)ns_config_get(cfgmaps, "server", &peers);
-		CHECK(dns_peerlist_new(mctx, &newpeers));
-		for (element = cfg_list_first(peers);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			const cfg_obj_t *cpeer = cfg_listelt_value(element);
-			dns_peer_t *peer;
-
-			CHECK(configure_peer(cpeer, mctx, &peer));
-			dns_peerlist_addpeer(newpeers, peer);
-			dns_peer_detach(&peer);
-		}
-		dns_peerlist_detach(&view->peers);
-		view->peers = newpeers; /* Transfer ownership. */
-	}
-
-	/*
-	 *	Configure the views rrset-order.
-	 */
-	{
-		const cfg_obj_t *rrsetorder = NULL;
-		const cfg_listelt_t *element;
-
-		(void)ns_config_get(maps, "rrset-order", &rrsetorder);
-		CHECK(dns_order_create(mctx, &order));
-		for (element = cfg_list_first(rrsetorder);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			const cfg_obj_t *ent = cfg_listelt_value(element);
-
-			CHECK(configure_order(order, ent));
-		}
-		if (view->order != NULL)
-			dns_order_detach(&view->order);
-		dns_order_attach(order, &view->order);
-		dns_order_detach(&order);
-	}
-	/*
-	 * Copy the aclenv object.
-	 */
-	dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
-
-	/*
-	 * Configure the "match-clients" and "match-destinations" ACL.
-	 */
-	CHECK(configure_view_acl(vconfig, config, "match-clients", NULL, actx,
-				 ns_g_mctx, &view->matchclients));
-	CHECK(configure_view_acl(vconfig, config, "match-destinations", NULL,
-				 actx, ns_g_mctx, &view->matchdestinations));
-
-	/*
-	 * Configure the "match-recursive-only" option.
-	 */
-	obj = NULL;
-	(void)ns_config_get(maps, "match-recursive-only", &obj);
-	if (obj != NULL && cfg_obj_asboolean(obj))
-		view->matchrecursiveonly = ISC_TRUE;
-	else
-		view->matchrecursiveonly = ISC_FALSE;
-
-	/*
-	 * Configure other configurable data.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "recursion", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->recursion = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "auth-nxdomain", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->auth_nxdomain = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "minimal-responses", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->minimalresponses = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "transfer-format", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	str = cfg_obj_asstring(obj);
-	if (strcasecmp(str, "many-answers") == 0)
-		view->transfer_format = dns_many_answers;
-	else if (strcasecmp(str, "one-answer") == 0)
-		view->transfer_format = dns_one_answer;
-	else
-		INSIST(0);
-
-	/*
-	 * Set sources where additional data and CNAME/DNAME
-	 * targets for authoritative answers may be found.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "additional-from-auth", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->additionalfromauth = cfg_obj_asboolean(obj);
-	if (view->recursion && ! view->additionalfromauth) {
-		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
-			    "'additional-from-auth no' is only supported "
-			    "with 'recursion no'");
-		view->additionalfromauth = ISC_TRUE;
-	}
-
-	obj = NULL;
-	result = ns_config_get(maps, "additional-from-cache", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->additionalfromcache = cfg_obj_asboolean(obj);
-	if (view->recursion && ! view->additionalfromcache) {
-		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
-			    "'additional-from-cache no' is only supported "
-			    "with 'recursion no'");
-		view->additionalfromcache = ISC_TRUE;
-	}
-
-	/*
-	 * Set "allow-query-cache", "allow-query-cache-on",
-	 * "allow-recursion", and "allow-recursion-on" acls if
-	 * configured in named.conf.
-	 */
-	CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
-				 actx, ns_g_mctx, &view->cacheacl));
-	CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
-				 actx, ns_g_mctx, &view->cacheonacl));
-	if (view->cacheonacl == NULL)
-		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-query-cache-on", NULL, actx,
-					 ns_g_mctx, &view->cacheonacl));
-	if (strcmp(view->name, "_bind") != 0) {
-		CHECK(configure_view_acl(vconfig, config, "allow-recursion",
-					 NULL, actx, ns_g_mctx,
-					 &view->recursionacl));
-		CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
-					 NULL, actx, ns_g_mctx,
-					 &view->recursiononacl));
-	}
-
-	/*
-	 * "allow-query-cache" inherits from "allow-recursion" if set,
-	 * otherwise from "allow-query" if set.
-	 * "allow-recursion" inherits from "allow-query-cache" if set,
-	 * otherwise from "allow-query" if set.
-	 */
-	if (view->cacheacl == NULL && view->recursionacl != NULL)
-		dns_acl_attach(view->recursionacl, &view->cacheacl);
-	/*
-	 * XXXEACH: This call to configure_view_acl() is redundant.  We
-	 * are leaving it as it is because we are making a minimal change
-	 * for a patch release.  In the future this should be changed to
-	 * dns_acl_attach(view->queryacl, &view->cacheacl).
-	 */
-	if (view->cacheacl == NULL && view->recursion)
-		CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
-					 actx, ns_g_mctx, &view->cacheacl));
-	if (view->recursion &&
-	    view->recursionacl == NULL && view->cacheacl != NULL)
-		dns_acl_attach(view->cacheacl, &view->recursionacl);
-
-	/*
-	 * Set default "allow-recursion", "allow-recursion-on" and
-	 * "allow-query-cache" acls.
-	 */
-	if (view->recursionacl == NULL && view->recursion)
-		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-recursion", NULL,
-					 actx, ns_g_mctx,
-					 &view->recursionacl));
-	if (view->recursiononacl == NULL && view->recursion)
-		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-recursion-on", NULL,
-					 actx, ns_g_mctx,
-					 &view->recursiononacl));
-	if (view->cacheacl == NULL) {
-		if (view->recursion)
-			CHECK(configure_view_acl(NULL, ns_g_config,
-						 "allow-query-cache", NULL,
-						 actx, ns_g_mctx,
-						 &view->cacheacl));
-		else
-			CHECK(dns_acl_none(mctx, &view->cacheacl));
-	}
-
-	/*
-	 * Filter setting on addresses in the answer section.
-	 */
-	CHECK(configure_view_acl(vconfig, config, "deny-answer-addresses",
-				 "acl", actx, ns_g_mctx, &view->denyansweracl));
-	CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
-				       "except-from", ns_g_mctx,
-				       &view->answeracl_exclude));
-
-	/*
-	 * Filter setting on names (CNAME/DNAME targets) in the answer section.
-	 */
-	CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
-				       "name", ns_g_mctx,
-				       &view->denyanswernames));
-	CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
-				       "except-from", ns_g_mctx,
-				       &view->answernames_exclude));
-
-	/*
-	 * Configure sortlist, if set
-	 */
-	CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
-				      &view->sortlist));
-
-	/*
-	 * Configure default allow-transfer, allow-notify, allow-update
-	 * and allow-update-forwarding ACLs, if set, so they can be
-	 * inherited by zones.
-	 */
-	if (view->notifyacl == NULL)
-		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-notify", NULL, actx,
-					 ns_g_mctx, &view->notifyacl));
-	if (view->transferacl == NULL)
-		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-transfer", NULL, actx,
-					 ns_g_mctx, &view->transferacl));
-	if (view->updateacl == NULL)
-		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-update", NULL, actx,
-					 ns_g_mctx, &view->updateacl));
-	if (view->upfwdacl == NULL)
-		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-update-forwarding", NULL, actx,
-					 ns_g_mctx, &view->upfwdacl));
-
-	obj = NULL;
-	result = ns_config_get(maps, "provide-ixfr", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->provideixfr = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "request-nsid", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->requestnsid = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "max-clients-per-query", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	max_clients_per_query = cfg_obj_asuint32(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "clients-per-query", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	dns_resolver_setclientsperquery(view->resolver,
-					cfg_obj_asuint32(obj),
-					max_clients_per_query);
-
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-	obj = NULL;
-	result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	if (cfg_obj_isboolean(obj)) {
-		if (cfg_obj_asboolean(obj))
-			view->v4_aaaa = dns_v4_aaaa_filter;
-		else
-			view->v4_aaaa = dns_v4_aaaa_ok;
-	} else {
-		const char *v4_aaaastr = cfg_obj_asstring(obj);
-		if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
-			view->v4_aaaa = dns_v4_aaaa_break_dnssec;
-		else
-			INSIST(0);
-	}
-	CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
-				 actx, ns_g_mctx, &view->v4_aaaa_acl));
-#endif
-
-	obj = NULL;
-	result = ns_config_get(maps, "dnssec-enable", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->enablednssec = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
-	if (result == ISC_R_SUCCESS) {
-		/* If set to "auto", use the version from the defaults */
-		const cfg_obj_t *dlvobj;
-		const char *dom;
-		dlvobj = cfg_listelt_value(cfg_list_first(obj));
-		dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
-		if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
-			/* If "no", skip; if "auto", use global default */
-			if (!strcasecmp(dom, "no"))
-				result = ISC_R_NOTFOUND;
-			else if (!strcasecmp(dom, "auto")) {
-				auto_dlv = ISC_TRUE;
-				obj = NULL;
-				result = cfg_map_get(ns_g_defaults,
-						     "dnssec-lookaside", &obj);
-			}
-		}
-	}
-
-	if (result == ISC_R_SUCCESS) {
-		for (element = cfg_list_first(obj);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			const char *str;
-			isc_buffer_t b;
-			dns_name_t *dlv;
-
-			obj = cfg_listelt_value(element);
-			str = cfg_obj_asstring(cfg_tuple_get(obj,
-							     "trust-anchor"));
-			isc_buffer_constinit(&b, str, strlen(str));
-			isc_buffer_add(&b, strlen(str));
-			dlv = dns_fixedname_name(&view->dlv_fixed);
-			CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
-						DNS_NAME_DOWNCASE, NULL));
-			view->dlv = dns_fixedname_name(&view->dlv_fixed);
-		}
-	} else
-		view->dlv = NULL;
-
-	/*
-	 * For now, there is only one kind of trusted keys, the
-	 * "security roots".
-	 */
-	CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
-					auto_dlv, auto_root, mctx));
-	dns_resolver_resetmustbesecure(view->resolver);
-	obj = NULL;
-	result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
-	if (result == ISC_R_SUCCESS)
-		CHECK(mustbesecure(obj, view->resolver));
-
-	obj = NULL;
-	result = ns_config_get(maps, "preferred-glue", &obj);
-	if (result == ISC_R_SUCCESS) {
-		str = cfg_obj_asstring(obj);
-		if (strcasecmp(str, "a") == 0)
-			view->preferred_glue = dns_rdatatype_a;
-		else if (strcasecmp(str, "aaaa") == 0)
-			view->preferred_glue = dns_rdatatype_aaaa;
-		else
-			view->preferred_glue = 0;
-	} else
-		view->preferred_glue = 0;
-
-	obj = NULL;
-	result = ns_config_get(maps, "root-delegation-only", &obj);
-	if (result == ISC_R_SUCCESS) {
-		dns_view_setrootdelonly(view, ISC_TRUE);
-		if (!cfg_obj_isvoid(obj)) {
-			dns_fixedname_t fixed;
-			dns_name_t *name;
-			isc_buffer_t b;
-			const char *str;
-			const cfg_obj_t *exclude;
-
-			dns_fixedname_init(&fixed);
-			name = dns_fixedname_name(&fixed);
-			for (element = cfg_list_first(obj);
-			     element != NULL;
-			     element = cfg_list_next(element)) {
-				exclude = cfg_listelt_value(element);
-				str = cfg_obj_asstring(exclude);
-				isc_buffer_constinit(&b, str, strlen(str));
-				isc_buffer_add(&b, strlen(str));
-				CHECK(dns_name_fromtext(name, &b, dns_rootname,
-							0, NULL));
-				CHECK(dns_view_excludedelegationonly(view,
-								     name));
-			}
-		}
-	} else
-		dns_view_setrootdelonly(view, ISC_FALSE);
-
-	/*
-	 * Setup automatic empty zones.  If recursion is off then
-	 * they are disabled by default.
-	 */
-	obj = NULL;
-	(void)ns_config_get(maps, "empty-zones-enable", &obj);
-	(void)ns_config_get(maps, "disable-empty-zone", &disablelist);
-	if (obj == NULL && disablelist == NULL &&
-	    view->rdclass == dns_rdataclass_in) {
-		empty_zones_enable = view->recursion;
-	} else if (view->rdclass == dns_rdataclass_in) {
-		if (obj != NULL)
-			empty_zones_enable = cfg_obj_asboolean(obj);
-		else
-			empty_zones_enable = view->recursion;
-	} else {
-		empty_zones_enable = ISC_FALSE;
-	}
-	if (empty_zones_enable && !lwresd_g_useresolvconf) {
-		const char *empty;
-		int empty_zone = 0;
-		dns_fixedname_t fixed;
-		dns_name_t *name;
-		isc_buffer_t buffer;
-		const char *str;
-		char server[DNS_NAME_FORMATSIZE + 1];
-		char contact[DNS_NAME_FORMATSIZE + 1];
-		const char *empty_dbtype[4] =
-				    { "_builtin", "empty", NULL, NULL };
-		int empty_dbtypec = 4;
-		dns_zonestat_level_t statlevel;
-
-		dns_fixedname_init(&fixed);
-		name = dns_fixedname_name(&fixed);
-
-		obj = NULL;
-		result = ns_config_get(maps, "empty-server", &obj);
-		if (result == ISC_R_SUCCESS) {
-			str = cfg_obj_asstring(obj);
-			isc_buffer_constinit(&buffer, str, strlen(str));
-			isc_buffer_add(&buffer, strlen(str));
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
-						NULL));
-			isc_buffer_init(&buffer, server, sizeof(server) - 1);
-			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
-			server[isc_buffer_usedlength(&buffer)] = 0;
-			empty_dbtype[2] = server;
-		} else
-			empty_dbtype[2] = "@";
-
-		obj = NULL;
-		result = ns_config_get(maps, "empty-contact", &obj);
-		if (result == ISC_R_SUCCESS) {
-			str = cfg_obj_asstring(obj);
-			isc_buffer_constinit(&buffer, str, strlen(str));
-			isc_buffer_add(&buffer, strlen(str));
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
-						NULL));
-			isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
-			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
-			contact[isc_buffer_usedlength(&buffer)] = 0;
-			empty_dbtype[3] = contact;
-		} else
-			empty_dbtype[3] = ".";
-
-		obj = NULL;
-		result = ns_config_get(maps, "zone-statistics", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		if (cfg_obj_isboolean(obj)) {
-			if (cfg_obj_asboolean(obj))
-				statlevel = dns_zonestat_full;
-			else
-				statlevel = dns_zonestat_terse; /* XXX */
-		} else {
-			const char *levelstr = cfg_obj_asstring(obj);
-			if (strcasecmp(levelstr, "full") == 0)
-				statlevel = dns_zonestat_full;
-			else if (strcasecmp(levelstr, "terse") == 0)
-				statlevel = dns_zonestat_terse;
-			else if (strcasecmp(levelstr, "none") == 0)
-				statlevel = dns_zonestat_none;
-			else
-				INSIST(0);
-		}
-
-		for (empty = empty_zones[empty_zone];
-		     empty != NULL;
-		     empty = empty_zones[++empty_zone])
-		{
-			dns_forwarders_t *forwarders = NULL;
-			dns_view_t *pview = NULL;
-
-			isc_buffer_constinit(&buffer, empty, strlen(empty));
-			isc_buffer_add(&buffer, strlen(empty));
-			/*
-			 * Look for zone on drop list.
-			 */
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
-						NULL));
-			if (disablelist != NULL &&
-			    on_disable_list(disablelist, name))
-				continue;
-
-			/*
-			 * This zone already exists.
-			 */
-			(void)dns_view_findzone(view, name, &zone);
-			if (zone != NULL) {
-				dns_zone_detach(&zone);
-				continue;
-			}
-
-			/*
-			 * If we would forward this name don't add a
-			 * empty zone for it.
-			 */
-			result = dns_fwdtable_find(view->fwdtable, name,
-						   &forwarders);
-			if (result == ISC_R_SUCCESS &&
-			    forwarders->fwdpolicy == dns_fwdpolicy_only)
-				continue;
-
-			/*
-			 * See if we can re-use a existing zone.
-			 */
-			result = dns_viewlist_find(&ns_g_server->viewlist,
-						   view->name, view->rdclass,
-						   &pview);
-			if (result != ISC_R_NOTFOUND &&
-			    result != ISC_R_SUCCESS)
-				goto cleanup;
-
-			if (pview != NULL) {
-				(void)dns_view_findzone(pview, name, &zone);
-				dns_view_detach(&pview);
-				if (zone != NULL)
-					check_dbtype(&zone, empty_dbtypec,
-						     empty_dbtype, mctx);
-				if (zone != NULL) {
-					dns_zone_setview(zone, view);
-					CHECK(dns_view_addzone(view, zone));
-					CHECK(setquerystats(zone, mctx,
-							    statlevel));
-					dns_zone_detach(&zone);
-					continue;
-				}
-			}
-
-			CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr,
-						     &zone));
-			CHECK(dns_zone_setorigin(zone, name));
-			dns_zone_setview(zone, view);
-			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
-						     zone));
-			dns_zone_setclass(zone, view->rdclass);
-			dns_zone_settype(zone, dns_zone_master);
-			dns_zone_setstats(zone, ns_g_server->zonestats);
-			CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
-						 empty_dbtype));
-			if (view->queryacl != NULL)
-				dns_zone_setqueryacl(zone, view->queryacl);
-			if (view->queryonacl != NULL)
-				dns_zone_setqueryonacl(zone, view->queryonacl);
-			dns_zone_setdialup(zone, dns_dialuptype_no);
-			dns_zone_setnotifytype(zone, dns_notifytype_no);
-			dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
-					   ISC_TRUE);
-			CHECK(setquerystats(zone, mctx, statlevel));
-			CHECK(dns_view_addzone(view, zone));
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "automatic empty zone%s%s: %s",
-				      sep, viewname,  empty);
-			dns_zone_detach(&zone);
-		}
-	}
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	if (clients != NULL)
-		dns_acl_detach(&clients);
-	if (mapped != NULL)
-		dns_acl_detach(&mapped);
-	if (excluded != NULL)
-		dns_acl_detach(&excluded);
-	if (ring != NULL)
-		dns_tsigkeyring_detach(&ring);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	if (dispatch4 != NULL)
-		dns_dispatch_detach(&dispatch4);
-	if (dispatch6 != NULL)
-		dns_dispatch_detach(&dispatch6);
-	if (resstats != NULL)
-		isc_stats_detach(&resstats);
-	if (resquerystats != NULL)
-		dns_stats_detach(&resquerystats);
-	if (order != NULL)
-		dns_order_detach(&order);
-	if (cmctx != NULL)
-		isc_mem_detach(&cmctx);
-	if (hmctx != NULL)
-		isc_mem_detach(&hmctx);
-
-	if (cache != NULL)
-		dns_cache_detach(&cache);
-
-	return (result);
-}
-
-static isc_result_t
-configure_hints(dns_view_t *view, const char *filename) {
-	isc_result_t result;
-	dns_db_t *db;
-
-	db = NULL;
-	result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
-	if (result == ISC_R_SUCCESS) {
-		dns_view_sethints(view, db);
-		dns_db_detach(&db);
-	}
-
-	return (result);
-}
-
-static isc_result_t
-configure_alternates(const cfg_obj_t *config, dns_view_t *view,
-		     const cfg_obj_t *alternates)
-{
-	const cfg_obj_t *portobj;
-	const cfg_obj_t *addresses;
-	const cfg_listelt_t *element;
-	isc_result_t result = ISC_R_SUCCESS;
-	in_port_t port;
-
-	/*
-	 * Determine which port to send requests to.
-	 */
-	if (ns_g_lwresdonly && ns_g_port != 0)
-		port = ns_g_port;
-	else
-		CHECKM(ns_config_getport(config, &port), "port");
-
-	if (alternates != NULL) {
-		portobj = cfg_tuple_get(alternates, "port");
-		if (cfg_obj_isuint32(portobj)) {
-			isc_uint32_t val = cfg_obj_asuint32(portobj);
-			if (val > ISC_UINT16_MAX) {
-				cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
-					    "port '%u' out of range", val);
-				return (ISC_R_RANGE);
-			}
-			port = (in_port_t) val;
-		}
-	}
-
-	addresses = NULL;
-	if (alternates != NULL)
-		addresses = cfg_tuple_get(alternates, "addresses");
-
-	for (element = cfg_list_first(addresses);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *alternate = cfg_listelt_value(element);
-		isc_sockaddr_t sa;
-
-		if (!cfg_obj_issockaddr(alternate)) {
-			dns_fixedname_t fixed;
-			dns_name_t *name;
-			const char *str = cfg_obj_asstring(cfg_tuple_get(
-							   alternate, "name"));
-			isc_buffer_t buffer;
-			in_port_t myport = port;
-
-			isc_buffer_constinit(&buffer, str, strlen(str));
-			isc_buffer_add(&buffer, strlen(str));
-			dns_fixedname_init(&fixed);
-			name = dns_fixedname_name(&fixed);
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
-						NULL));
-
-			portobj = cfg_tuple_get(alternate, "port");
-			if (cfg_obj_isuint32(portobj)) {
-				isc_uint32_t val = cfg_obj_asuint32(portobj);
-				if (val > ISC_UINT16_MAX) {
-					cfg_obj_log(portobj, ns_g_lctx,
-						    ISC_LOG_ERROR,
-						    "port '%u' out of range",
-						     val);
-					return (ISC_R_RANGE);
-				}
-				myport = (in_port_t) val;
-			}
-			CHECK(dns_resolver_addalternate(view->resolver, NULL,
-							name, myport));
-			continue;
-		}
-
-		sa = *cfg_obj_assockaddr(alternate);
-		if (isc_sockaddr_getport(&sa) == 0)
-			isc_sockaddr_setport(&sa, port);
-		CHECK(dns_resolver_addalternate(view->resolver, &sa,
-						NULL, 0));
-	}
-
- cleanup:
-	return (result);
-}
-
-static isc_result_t
-configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
-		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
-{
-	const cfg_obj_t *portobj;
-	const cfg_obj_t *faddresses;
-	const cfg_listelt_t *element;
-	dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
-	isc_sockaddrlist_t addresses;
-	isc_sockaddr_t *sa;
-	isc_result_t result;
-	in_port_t port;
-
-	ISC_LIST_INIT(addresses);
-
-	/*
-	 * Determine which port to send forwarded requests to.
-	 */
-	if (ns_g_lwresdonly && ns_g_port != 0)
-		port = ns_g_port;
-	else
-		CHECKM(ns_config_getport(config, &port), "port");
-
-	if (forwarders != NULL) {
-		portobj = cfg_tuple_get(forwarders, "port");
-		if (cfg_obj_isuint32(portobj)) {
-			isc_uint32_t val = cfg_obj_asuint32(portobj);
-			if (val > ISC_UINT16_MAX) {
-				cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
-					    "port '%u' out of range", val);
-				return (ISC_R_RANGE);
-			}
-			port = (in_port_t) val;
-		}
-	}
-
-	faddresses = NULL;
-	if (forwarders != NULL)
-		faddresses = cfg_tuple_get(forwarders, "addresses");
-
-	for (element = cfg_list_first(faddresses);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *forwarder = cfg_listelt_value(element);
-		sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
-		if (sa == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-		*sa = *cfg_obj_assockaddr(forwarder);
-		if (isc_sockaddr_getport(sa) == 0)
-			isc_sockaddr_setport(sa, port);
-		ISC_LINK_INIT(sa, link);
-		ISC_LIST_APPEND(addresses, sa, link);
-	}
-
-	if (ISC_LIST_EMPTY(addresses)) {
-		if (forwardtype != NULL)
-			cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
-				    "no forwarders seen; disabling "
-				    "forwarding");
-		fwdpolicy = dns_fwdpolicy_none;
-	} else {
-		if (forwardtype == NULL)
-			fwdpolicy = dns_fwdpolicy_first;
-		else {
-			const char *forwardstr = cfg_obj_asstring(forwardtype);
-			if (strcasecmp(forwardstr, "first") == 0)
-				fwdpolicy = dns_fwdpolicy_first;
-			else if (strcasecmp(forwardstr, "only") == 0)
-				fwdpolicy = dns_fwdpolicy_only;
-			else
-				INSIST(0);
-		}
-	}
-
-	result = dns_fwdtable_add(view->fwdtable, origin, &addresses,
-				  fwdpolicy);
-	if (result != ISC_R_SUCCESS) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		dns_name_format(origin, namebuf, sizeof(namebuf));
-		cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
-			    "could not set up forwarding for domain '%s': %s",
-			    namebuf, isc_result_totext(result));
-		goto cleanup;
-	}
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-
-	while (!ISC_LIST_EMPTY(addresses)) {
-		sa = ISC_LIST_HEAD(addresses);
-		ISC_LIST_UNLINK(addresses, sa, link);
-		isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t));
-	}
-
-	return (result);
-}
-
-static isc_result_t
-get_viewinfo(const cfg_obj_t *vconfig, const char **namep,
-	     dns_rdataclass_t *classp)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	const char *viewname;
-	dns_rdataclass_t viewclass;
-
-	REQUIRE(namep != NULL && *namep == NULL);
-	REQUIRE(classp != NULL);
-
-	if (vconfig != NULL) {
-		const cfg_obj_t *classobj = NULL;
-
-		viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
-		classobj = cfg_tuple_get(vconfig, "class");
-		result = ns_config_getclass(classobj, dns_rdataclass_in,
-					    &viewclass);
-	} else {
-		viewname = "_default";
-		viewclass = dns_rdataclass_in;
-	}
-
-	*namep = viewname;
-	*classp = viewclass;
-
-	return (result);
-}
-
-/*
- * Find a view based on its configuration info and attach to it.
- *
- * If 'vconfig' is NULL, attach to the default view.
- */
-static isc_result_t
-find_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
-	  dns_view_t **viewp)
-{
-	isc_result_t result;
-	const char *viewname = NULL;
-	dns_rdataclass_t viewclass;
-	dns_view_t *view = NULL;
-
-	result = get_viewinfo(vconfig, &viewname, &viewclass);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	*viewp = view;
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Create a new view and add it to the list.
- *
- * If 'vconfig' is NULL, create the default view.
- *
- * The view created is attached to '*viewp'.
- */
-static isc_result_t
-create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
-	    dns_view_t **viewp)
-{
-	isc_result_t result;
-	const char *viewname = NULL;
-	dns_rdataclass_t viewclass;
-	dns_view_t *view = NULL;
-
-	result = get_viewinfo(vconfig, &viewname, &viewclass);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
-	if (result == ISC_R_SUCCESS)
-		return (ISC_R_EXISTS);
-	if (result != ISC_R_NOTFOUND)
-		return (result);
-	INSIST(view == NULL);
-
-	result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	ISC_LIST_APPEND(*viewlist, view, link);
-	dns_view_attach(view, viewp);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Configure or reconfigure a zone.
- */
-static isc_result_t
-configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
-	       cfg_aclconfctx_t *aclconf, isc_boolean_t added)
-{
-	dns_view_t *pview = NULL;	/* Production view */
-	dns_zone_t *zone = NULL;	/* New or reused zone */
-	dns_zone_t *raw = NULL;		/* New or reused raw zone */
-	dns_zone_t *dupzone = NULL;
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *zoptions = NULL;
-	const cfg_obj_t *typeobj = NULL;
-	const cfg_obj_t *forwarders = NULL;
-	const cfg_obj_t *forwardtype = NULL;
-	const cfg_obj_t *only = NULL;
-	const cfg_obj_t *signing = NULL;
-	isc_result_t result;
-	isc_result_t tresult;
-	isc_buffer_t buffer;
-	dns_fixedname_t fixorigin;
-	dns_name_t *origin;
-	const char *zname;
-	dns_rdataclass_t zclass;
-	const char *ztypestr;
-	isc_boolean_t is_rpz;
-	dns_rpz_zone_t *rpz;
-
-	options = NULL;
-	(void)cfg_map_get(config, "options", &options);
-
-	zoptions = cfg_tuple_get(zconfig, "options");
-
-	/*
-	 * Get the zone origin as a dns_name_t.
-	 */
-	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-	isc_buffer_constinit(&buffer, zname, strlen(zname));
-	isc_buffer_add(&buffer, strlen(zname));
-	dns_fixedname_init(&fixorigin);
-	CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
-				&buffer, dns_rootname, 0, NULL));
-	origin = dns_fixedname_name(&fixorigin);
-
-	CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
-				 view->rdclass, &zclass));
-	if (zclass != view->rdclass) {
-		const char *vname = NULL;
-		if (vconfig != NULL)
-			vname = cfg_obj_asstring(cfg_tuple_get(vconfig,
-							       "name"));
-		else
-			vname = "<default view>";
-
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "zone '%s': wrong class for view '%s'",
-			      zname, vname);
-		result = ISC_R_FAILURE;
-		goto cleanup;
-	}
-
-	(void)cfg_map_get(zoptions, "type", &typeobj);
-	if (typeobj == NULL) {
-		cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
-			    "zone '%s' 'type' not specified", zname);
-		return (ISC_R_FAILURE);
-	}
-	ztypestr = cfg_obj_asstring(typeobj);
-
-	/*
-	 * "hints zones" aren't zones.	If we've got one,
-	 * configure it and return.
-	 */
-	if (strcasecmp(ztypestr, "hint") == 0) {
-		const cfg_obj_t *fileobj = NULL;
-		if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "zone '%s': 'file' not specified",
-				      zname);
-			result = ISC_R_FAILURE;
-			goto cleanup;
-		}
-		if (dns_name_equal(origin, dns_rootname)) {
-			const char *hintsfile = cfg_obj_asstring(fileobj);
-
-			result = configure_hints(view, hintsfile);
-			if (result != ISC_R_SUCCESS) {
-				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_SERVER,
-					      ISC_LOG_ERROR,
-					      "could not configure root hints "
-					      "from '%s': %s", hintsfile,
-					      isc_result_totext(result));
-				goto cleanup;
-			}
-			/*
-			 * Hint zones may also refer to delegation only points.
-			 */
-			only = NULL;
-			tresult = cfg_map_get(zoptions, "delegation-only",
-					      &only);
-			if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
-				CHECK(dns_view_adddelegationonly(view, origin));
-		} else {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-				      "ignoring non-root hint zone '%s'",
-				      zname);
-			result = ISC_R_SUCCESS;
-		}
-		/* Skip ordinary zone processing. */
-		goto cleanup;
-	}
-
-	/*
-	 * "forward zones" aren't zones either.  Translate this syntax into
-	 * the appropriate selective forwarding configuration and return.
-	 */
-	if (strcasecmp(ztypestr, "forward") == 0) {
-		forwardtype = NULL;
-		forwarders = NULL;
-
-		(void)cfg_map_get(zoptions, "forward", &forwardtype);
-		(void)cfg_map_get(zoptions, "forwarders", &forwarders);
-		result = configure_forward(config, view, origin, forwarders,
-					   forwardtype);
-		goto cleanup;
-	}
-
-	/*
-	 * "delegation-only zones" aren't zones either.
-	 */
-	if (strcasecmp(ztypestr, "delegation-only") == 0) {
-		result = dns_view_adddelegationonly(view, origin);
-		goto cleanup;
-	}
-
-	/*
-	 * Redirect zones only require minimal configuration.
-	 */
-	if (strcasecmp(ztypestr, "redirect") == 0) {
-		if (view->redirect != NULL) {
-			cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
-				    "redirect zone already exists");
-			result = ISC_R_EXISTS;
-			goto cleanup;
-		}
-		result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
-					   view->rdclass, &pview);
-		if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
-			goto cleanup;
-		if (pview != NULL && pview->redirect != NULL) {
-			dns_zone_attach(pview->redirect, &zone);
-			dns_zone_setview(zone, view);
-		} else {
-			CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr,
-						     &zone));
-			CHECK(dns_zone_setorigin(zone, origin));
-			dns_zone_setview(zone, view);
-			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
-						     zone));
-			dns_zone_setstats(zone, ns_g_server->zonestats);
-		}
-		CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf,
-					zone, NULL));
-		dns_zone_attach(zone, &view->redirect);
-		goto cleanup;
-	}
-
-	/*
-	 * Check for duplicates in the new zone table.
-	 */
-	result = dns_view_findzone(view, origin, &dupzone);
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * We already have this zone!
-		 */
-		cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
-			    "zone '%s' already exists", zname);
-		dns_zone_detach(&dupzone);
-		result = ISC_R_EXISTS;
-		goto cleanup;
-	}
-	INSIST(dupzone == NULL);
-
-	/*
-	 * Note whether this is a response policy zone.
-	 */
-	is_rpz = ISC_FALSE;
-	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
-	     rpz != NULL;
-	     rpz = ISC_LIST_NEXT(rpz, link))
-	{
-		if (dns_name_equal(&rpz->origin, origin)) {
-			is_rpz = ISC_TRUE;
-			rpz->defined = ISC_TRUE;
-			break;
-		}
-	}
-
-	/*
-	 * See if we can reuse an existing zone.  This is
-	 * only possible if all of these are true:
-	 *   - The zone's view exists
-	 *   - A zone with the right name exists in the view
-	 *   - The zone is compatible with the config
-	 *     options (e.g., an existing master zone cannot
-	 *     be reused if the options specify a slave zone)
-	 *   - The zone was and is or was not and is not a policy zone
-	 */
-	result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
-				   view->rdclass, &pview);
-	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
-		goto cleanup;
-	if (pview != NULL)
-		result = dns_view_findzone(pview, origin, &zone);
-	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	if (zone != NULL && !ns_zone_reusable(zone, zconfig))
-		dns_zone_detach(&zone);
-
-	if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
-		dns_zone_detach(&zone);
-
-	if (zone != NULL) {
-		/*
-		 * We found a reusable zone.  Make it use the
-		 * new view.
-		 */
-		dns_zone_setview(zone, view);
-		if (view->acache != NULL)
-			dns_zone_setacache(zone, view->acache);
-	} else {
-		/*
-		 * We cannot reuse an existing zone, we have
-		 * to create a new one.
-		 */
-		CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
-		CHECK(dns_zone_setorigin(zone, origin));
-		dns_zone_setview(zone, view);
-		if (view->acache != NULL)
-			dns_zone_setacache(zone, view->acache);
-		CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
-		dns_zone_setstats(zone, ns_g_server->zonestats);
-	}
-
-	if (is_rpz) {
-		result = dns_zone_rpz_enable(zone);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "zone '%s': incompatible"
-				      " masterfile-format or database"
-				      " for a response policy zone",
-				      zname);
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * If the zone contains a 'forwarders' statement, configure
-	 * selective forwarding.
-	 */
-	forwarders = NULL;
-	if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
-	{
-		forwardtype = NULL;
-		(void)cfg_map_get(zoptions, "forward", &forwardtype);
-		CHECK(configure_forward(config, view, origin, forwarders,
-					forwardtype));
-	}
-
-	/*
-	 * Stub and forward zones may also refer to delegation only points.
-	 */
-	only = NULL;
-	if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
-	{
-		if (cfg_obj_asboolean(only))
-			CHECK(dns_view_adddelegationonly(view, origin));
-	}
-
-	/*
-	 * Mark whether the zone was originally added at runtime or not
-	 */
-	dns_zone_setadded(zone, added);
-
-	signing = NULL;
-	if ((strcasecmp(ztypestr, "master") == 0 ||
-	     strcasecmp(ztypestr, "slave") == 0) &&
-	    cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS &&
-	    cfg_obj_asboolean(signing))
-	{
-		dns_zone_getraw(zone, &raw);
-		if (raw == NULL) {
-			CHECK(dns_zone_create(&raw, mctx));
-			CHECK(dns_zone_setorigin(raw, origin));
-			dns_zone_setview(raw, view);
-			if (view->acache != NULL)
-				dns_zone_setacache(raw, view->acache);
-			dns_zone_setstats(raw, ns_g_server->zonestats);
-			CHECK(dns_zone_link(zone, raw));
-		}
-	}
-
-	/*
-	 * Configure the zone.
-	 */
-	CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone, raw));
-
-	/*
-	 * Add the zone to its view in the new view list.
-	 */
-	CHECK(dns_view_addzone(view, zone));
-
-	/*
-	 * Ensure that zone keys are reloaded on reconfig
-	 */
-	if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0)
-		dns_zone_rekey(zone, ISC_FALSE);
-
- cleanup:
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	if (raw != NULL)
-		dns_zone_detach(&raw);
-	if (pview != NULL)
-		dns_view_detach(&pview);
-
-	return (result);
-}
-
-/*
- * Configure built-in zone for storing managed-key data.
- */
-
-#define KEYZONE "managed-keys.bind"
-#define MKEYS ".mkeys"
-
-static isc_result_t
-add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
-	isc_result_t result;
-	dns_view_t *pview = NULL;
-	dns_zone_t *zone = NULL;
-	dns_acl_t *none = NULL;
-	char filename[PATH_MAX];
-	char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
-	int n;
-
-	REQUIRE(view != NULL);
-
-	/* See if we can re-use an existing keydata zone. */
-	result = dns_viewlist_find(&ns_g_server->viewlist,
-				   view->name, view->rdclass,
-				   &pview);
-	if (result != ISC_R_NOTFOUND &&
-	    result != ISC_R_SUCCESS)
-		return (result);
-
-	if (pview != NULL && pview->managed_keys != NULL) {
-		dns_zone_attach(pview->managed_keys, &view->managed_keys);
-		dns_zone_setview(pview->managed_keys, view);
-		dns_view_detach(&pview);
-		dns_zone_synckeyzone(view->managed_keys);
-		return (ISC_R_SUCCESS);
-	}
-
-	/* No existing keydata zone was found; create one */
-	CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
-	CHECK(dns_zone_setorigin(zone, dns_rootname));
-
-	isc_sha256_data((void *)view->name, strlen(view->name), buffer);
-	strcat(buffer, MKEYS);
-	n = snprintf(filename, sizeof(filename), "%s%s%s",
-		     directory ? directory : "", directory ? "/" : "",
-		     strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
-	if (n < 0 || (size_t)n >= sizeof(filename)) {
-		result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
-		goto cleanup;
-	}
-	CHECK(dns_zone_setfile(zone, filename));
-
-	dns_zone_setview(zone, view);
-	dns_zone_settype(zone, dns_zone_key);
-	dns_zone_setclass(zone, view->rdclass);
-
-	CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
-
-	if (view->acache != NULL)
-		dns_zone_setacache(zone, view->acache);
-
-	CHECK(dns_acl_none(mctx, &none));
-	dns_zone_setqueryacl(zone, none);
-	dns_zone_setqueryonacl(zone, none);
-	dns_acl_detach(&none);
-
-	dns_zone_setdialup(zone, dns_dialuptype_no);
-	dns_zone_setnotifytype(zone, dns_notifytype_no);
-	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
-	dns_zone_setjournalsize(zone, 0);
-
-	dns_zone_setstats(zone, ns_g_server->zonestats);
-	CHECK(setquerystats(zone, mctx, dns_zonestat_none));
-
-	if (view->managed_keys != NULL)
-		dns_zone_detach(&view->managed_keys);
-	dns_zone_attach(zone, &view->managed_keys);
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "set up managed keys zone for view %s, file '%s'",
-		      view->name, filename);
-
-cleanup:
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	if (none != NULL)
-		dns_acl_detach(&none);
-
-	return (result);
-}
-
-/*
- * Configure a single server quota.
- */
-static void
-configure_server_quota(const cfg_obj_t **maps, const char *name,
-		       isc_quota_t *quota)
-{
-	const cfg_obj_t *obj = NULL;
-	isc_result_t result;
-
-	result = ns_config_get(maps, name, &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	isc_quota_max(quota, cfg_obj_asuint32(obj));
-}
-
-/*
- * This function is called as soon as the 'directory' statement has been
- * parsed.  This can be extended to support other options if necessary.
- */
-static isc_result_t
-directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
-	isc_result_t result;
-	const char *directory;
-
-	REQUIRE(strcasecmp("directory", clausename) == 0);
-
-	UNUSED(arg);
-	UNUSED(clausename);
-
-	/*
-	 * Change directory.
-	 */
-	directory = cfg_obj_asstring(obj);
-
-	if (! isc_file_ischdiridempotent(directory))
-		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
-			    "option 'directory' contains relative path '%s'",
-			    directory);
-
-	result = isc_dir_chdir(directory);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
-			    "change directory to '%s' failed: %s",
-			    directory, isc_result_totext(result));
-		return (result);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
-	isc_boolean_t match_mapped = server->aclenv.match_mapped;
-
-	ns_interfacemgr_scan(server->interfacemgr, verbose);
-	/*
-	 * Update the "localhost" and "localnets" ACLs to match the
-	 * current set of network interfaces.
-	 */
-	dns_aclenv_copy(&server->aclenv,
-			ns_interfacemgr_getaclenv(server->interfacemgr));
-
-	server->aclenv.match_mapped = match_mapped;
-}
-
-static isc_result_t
-add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
-	      isc_boolean_t wcardport_ok)
-{
-	ns_listenelt_t *lelt = NULL;
-	dns_acl_t *src_acl = NULL;
-	isc_result_t result;
-	isc_sockaddr_t any_sa6;
-	isc_netaddr_t netaddr;
-
-	REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
-
-	isc_sockaddr_any6(&any_sa6);
-	if (!isc_sockaddr_equal(&any_sa6, addr) &&
-	    (wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
-		isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
-
-		result = dns_acl_create(mctx, 0, &src_acl);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		result = dns_iptable_addprefix(src_acl->iptable,
-					       &netaddr, 128, ISC_TRUE);
-		if (result != ISC_R_SUCCESS)
-			goto clean;
-
-		result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
-					     src_acl, &lelt);
-		if (result != ISC_R_SUCCESS)
-			goto clean;
-		ISC_LIST_APPEND(list->elts, lelt, link);
-	}
-
-	return (ISC_R_SUCCESS);
-
- clean:
-	INSIST(lelt == NULL);
-	dns_acl_detach(&src_acl);
-
-	return (result);
-}
-
-/*
- * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
- * to update the listening interfaces accordingly.
- * We currently only consider IPv6, because this only affects IPv6 wildcard
- * sockets.
- */
-static void
-adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
-	isc_result_t result;
-	ns_listenlist_t *list = NULL;
-	dns_view_t *view;
-	dns_zone_t *zone, *next;
-	isc_sockaddr_t addr, *addrp;
-
-	result = ns_listenlist_create(mctx, &list);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-		dns_dispatch_t *dispatch6;
-
-		dispatch6 = dns_resolver_dispatchv6(view->resolver);
-		if (dispatch6 == NULL)
-			continue;
-		result = dns_dispatch_getlocaladdress(dispatch6, &addr);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-
-		/*
-		 * We always add non-wildcard address regardless of whether
-		 * the port is 'any' (the fourth arg is TRUE): if the port is
-		 * specific, we need to add it since it may conflict with a
-		 * listening interface; if it's zero, we'll dynamically open
-		 * query ports, and some of them may override an existing
-		 * wildcard IPv6 port.
-		 */
-		result = add_listenelt(mctx, list, &addr, ISC_TRUE);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	}
-
-	zone = NULL;
-	for (result = dns_zone_first(server->zonemgr, &zone);
-	     result == ISC_R_SUCCESS;
-	     next = NULL, result = dns_zone_next(zone, &next), zone = next) {
-		dns_view_t *zoneview;
-
-		/*
-		 * At this point the zone list may contain a stale zone
-		 * just removed from the configuration.  To see the validity,
-		 * check if the corresponding view is in our current view list.
-		 * There may also be old zones that are still in the process
-		 * of shutting down and have detached from their old view
-		 * (zoneview == NULL).
-		 */
-		zoneview = dns_zone_getview(zone);
-		if (zoneview == NULL)
-			continue;
-		for (view = ISC_LIST_HEAD(server->viewlist);
-		     view != NULL && view != zoneview;
-		     view = ISC_LIST_NEXT(view, link))
-			;
-		if (view == NULL)
-			continue;
-
-		addrp = dns_zone_getnotifysrc6(zone);
-		result = add_listenelt(mctx, list, addrp, ISC_FALSE);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-
-		addrp = dns_zone_getxfrsource6(zone);
-		result = add_listenelt(mctx, list, addrp, ISC_FALSE);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	}
-
-	ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
-
- clean:
-	ns_listenlist_detach(&list);
-	return;
-
- fail:
-	/*
-	 * Even when we failed the procedure, most of other interfaces
-	 * should work correctly.  We therefore just warn it.
-	 */
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-		      "could not adjust the listen-on list; "
-		      "some interfaces may not work");
-	goto clean;
-}
-
-/*
- * This event callback is invoked to do periodic network
- * interface scanning.
- */
-static void
-interface_timer_tick(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	ns_server_t *server = (ns_server_t *) event->ev_arg;
-	INSIST(task == server->task);
-	UNUSED(task);
-	isc_event_free(&event);
-	/*
-	 * XXX should scan interfaces unlocked and get exclusive access
-	 * only to replace ACLs.
-	 */
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	scan_interfaces(server, ISC_FALSE);
-	isc_task_endexclusive(server->task);
-}
-
-static void
-heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
-	ns_server_t *server = (ns_server_t *) event->ev_arg;
-	dns_view_t *view;
-
-	UNUSED(task);
-	isc_event_free(&event);
-	view = ISC_LIST_HEAD(server->viewlist);
-	while (view != NULL) {
-		dns_view_dialup(view);
-		view = ISC_LIST_NEXT(view, link);
-	}
-}
-
-static void
-pps_timer_tick(isc_task_t *task, isc_event_t *event) {
-	static unsigned int oldrequests = 0;
-	unsigned int requests = ns_client_requests;
-
-	UNUSED(task);
-	isc_event_free(&event);
-
-	/*
-	 * Don't worry about wrapping as the overflow result will be right.
-	 */
-	dns_pps = (requests - oldrequests) / 1200;
-	oldrequests = requests;
-}
-
-/*
- * Replace the current value of '*field', a dynamically allocated
- * string or NULL, with a dynamically allocated copy of the
- * null-terminated string pointed to by 'value', or NULL.
- */
-static isc_result_t
-setstring(ns_server_t *server, char **field, const char *value) {
-	char *copy;
-
-	if (value != NULL) {
-		copy = isc_mem_strdup(server->mctx, value);
-		if (copy == NULL)
-			return (ISC_R_NOMEMORY);
-	} else {
-		copy = NULL;
-	}
-
-	if (*field != NULL)
-		isc_mem_free(server->mctx, *field);
-
-	*field = copy;
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Replace the current value of '*field', a dynamically allocated
- * string or NULL, with another dynamically allocated string
- * or NULL if whether 'obj' is a string or void value, respectively.
- */
-static isc_result_t
-setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
-	if (cfg_obj_isvoid(obj))
-		return (setstring(server, field, NULL));
-	else
-		return (setstring(server, field, cfg_obj_asstring(obj)));
-}
-
-static void
-set_limit(const cfg_obj_t **maps, const char *configname,
-	  const char *description, isc_resource_t resourceid,
-	  isc_resourcevalue_t defaultvalue)
-{
-	const cfg_obj_t *obj = NULL;
-	const char *resource;
-	isc_resourcevalue_t value;
-	isc_result_t result;
-
-	if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
-		return;
-
-	if (cfg_obj_isstring(obj)) {
-		resource = cfg_obj_asstring(obj);
-		if (strcasecmp(resource, "unlimited") == 0)
-			value = ISC_RESOURCE_UNLIMITED;
-		else {
-			INSIST(strcasecmp(resource, "default") == 0);
-			value = defaultvalue;
-		}
-	} else
-		value = cfg_obj_asuint64(obj);
-
-	result = isc_resource_setlimit(resourceid, value);
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      result == ISC_R_SUCCESS ?
-			ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
-		      "set maximum %s to %" ISC_PRINT_QUADFORMAT "u: %s",
-		      description, value, isc_result_totext(result));
-}
-
-#define SETLIMIT(cfgvar, resource, description) \
-	set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
-		  ns_g_init ## resource)
-
-static void
-set_limits(const cfg_obj_t **maps) {
-	SETLIMIT("stacksize", stacksize, "stack size");
-	SETLIMIT("datasize", datasize, "data size");
-	SETLIMIT("coresize", coresize, "core size");
-	SETLIMIT("files", openfiles, "open files");
-}
-
-static void
-portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
-		 isc_boolean_t positive)
-{
-	const cfg_listelt_t *element;
-
-	for (element = cfg_list_first(ports);
-	     element != NULL;
-	     element = cfg_list_next(element)) {
-		const cfg_obj_t *obj = cfg_listelt_value(element);
-
-		if (cfg_obj_isuint32(obj)) {
-			in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
-
-			if (positive)
-				isc_portset_add(portset, port);
-			else
-				isc_portset_remove(portset, port);
-		} else {
-			const cfg_obj_t *obj_loport, *obj_hiport;
-			in_port_t loport, hiport;
-
-			obj_loport = cfg_tuple_get(obj, "loport");
-			loport = (in_port_t)cfg_obj_asuint32(obj_loport);
-			obj_hiport = cfg_tuple_get(obj, "hiport");
-			hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
-
-			if (positive)
-				isc_portset_addrange(portset, loport, hiport);
-			else {
-				isc_portset_removerange(portset, loport,
-							hiport);
-			}
-		}
-	}
-}
-
-static isc_result_t
-removed(dns_zone_t *zone, void *uap) {
-	const char *type;
-
-	if (dns_zone_getview(zone) != uap)
-		return (ISC_R_SUCCESS);
-
-	switch (dns_zone_gettype(zone)) {
-	case dns_zone_master:
-		type = "master";
-		break;
-	case dns_zone_slave:
-		type = "slave";
-		break;
-	case dns_zone_stub:
-		type = "stub";
-		break;
-	case dns_zone_redirect:
-		type = "redirect";
-		break;
-	default:
-		type = "other";
-		break;
-	}
-	dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
-	return (ISC_R_SUCCESS);
-}
-
-static void
-cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
-	if (server->session_keyfile != NULL) {
-		isc_file_remove(server->session_keyfile);
-		isc_mem_free(mctx, server->session_keyfile);
-		server->session_keyfile = NULL;
-	}
-
-	if (server->session_keyname != NULL) {
-		if (dns_name_dynamic(server->session_keyname))
-			dns_name_free(server->session_keyname, mctx);
-		isc_mem_put(mctx, server->session_keyname, sizeof(dns_name_t));
-		server->session_keyname = NULL;
-	}
-
-	if (server->sessionkey != NULL)
-		dns_tsigkey_detach(&server->sessionkey);
-
-	server->session_keyalg = DST_ALG_UNKNOWN;
-	server->session_keybits = 0;
-}
-
-static isc_result_t
-generate_session_key(const char *filename, const char *keynamestr,
-		     dns_name_t *keyname, const char *algstr,
-		     dns_name_t *algname, unsigned int algtype,
-		     isc_uint16_t bits, isc_mem_t *mctx,
-		     dns_tsigkey_t **tsigkeyp)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dst_key_t *key = NULL;
-	isc_buffer_t key_txtbuffer;
-	isc_buffer_t key_rawbuffer;
-	char key_txtsecret[256];
-	char key_rawsecret[64];
-	isc_region_t key_rawregion;
-	isc_stdtime_t now;
-	dns_tsigkey_t *tsigkey = NULL;
-	FILE *fp = NULL;
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "generating session key for dynamic DNS");
-
-	/* generate key */
-	result = dst_key_generate(keyname, algtype, bits, 1, 0,
-				  DNS_KEYPROTO_ANY, dns_rdataclass_in,
-				  mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Dump the key to the buffer for later use.  Should be done before
-	 * we transfer the ownership of key to tsigkey.
-	 */
-	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
-	CHECK(dst_key_tobuffer(key, &key_rawbuffer));
-
-	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
-	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
-	CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
-
-	/* Store the key in tsigkey. */
-	isc_stdtime_get(&now);
-	CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
-					ISC_FALSE, NULL, now, now, mctx, NULL,
-					&tsigkey));
-
-	/* Dump the key to the key file. */
-	fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
-	if (fp == NULL) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "could not create %s", filename);
-		result = ISC_R_NOPERM;
-		goto cleanup;
-	}
-
-	fprintf(fp, "key \"%s\" {\n"
-		"\talgorithm %s;\n"
-		"\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
-		(int) isc_buffer_usedlength(&key_txtbuffer),
-		(char*) isc_buffer_base(&key_txtbuffer));
-
-	RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
-
-	dst_key_free(&key);
-
-	*tsigkeyp = tsigkey;
-
-	return (ISC_R_SUCCESS);
-
-  cleanup:
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-		      "failed to generate session key "
-		      "for dynamic DNS: %s", isc_result_totext(result));
-	if (tsigkey != NULL)
-		dns_tsigkey_detach(&tsigkey);
-	if (key != NULL)
-		dst_key_free(&key);
-
-	return (result);
-}
-
-static isc_result_t
-configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
-		      isc_mem_t *mctx)
-{
-	const char *keyfile, *keynamestr, *algstr;
-	unsigned int algtype;
-	dns_fixedname_t fname;
-	dns_name_t *keyname, *algname;
-	isc_buffer_t buffer;
-	isc_uint16_t bits;
-	const cfg_obj_t *obj;
-	isc_boolean_t need_deleteold = ISC_FALSE;
-	isc_boolean_t need_createnew = ISC_FALSE;
-	isc_result_t result;
-
-	obj = NULL;
-	result = ns_config_get(maps, "session-keyfile", &obj);
-	if (result == ISC_R_SUCCESS) {
-		if (cfg_obj_isvoid(obj))
-			keyfile = NULL; /* disable it */
-		else
-			keyfile = cfg_obj_asstring(obj);
-	} else
-		keyfile = ns_g_defaultsessionkeyfile;
-
-	obj = NULL;
-	result = ns_config_get(maps, "session-keyname", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	keynamestr = cfg_obj_asstring(obj);
-	dns_fixedname_init(&fname);
-	isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
-	isc_buffer_add(&buffer, strlen(keynamestr));
-	keyname = dns_fixedname_name(&fname);
-	result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	obj = NULL;
-	result = ns_config_get(maps, "session-keyalg", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	algstr = cfg_obj_asstring(obj);
-	algname = NULL;
-	result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
-	if (result != ISC_R_SUCCESS) {
-		const char *s = " (keeping current key)";
-
-		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "session-keyalg: "
-			    "unsupported or unknown algorithm '%s'%s",
-			    algstr,
-			    server->session_keyfile != NULL ? s : "");
-		return (result);
-	}
-
-	/* See if we need to (re)generate a new key. */
-	if (keyfile == NULL) {
-		if (server->session_keyfile != NULL)
-			need_deleteold = ISC_TRUE;
-	} else if (server->session_keyfile == NULL)
-		need_createnew = ISC_TRUE;
-	else if (strcmp(keyfile, server->session_keyfile) != 0 ||
-		 !dns_name_equal(server->session_keyname, keyname) ||
-		 server->session_keyalg != algtype ||
-		 server->session_keybits != bits) {
-		need_deleteold = ISC_TRUE;
-		need_createnew = ISC_TRUE;
-	}
-
-	if (need_deleteold) {
-		INSIST(server->session_keyfile != NULL);
-		INSIST(server->session_keyname != NULL);
-		INSIST(server->sessionkey != NULL);
-
-		cleanup_session_key(server, mctx);
-	}
-
-	if (need_createnew) {
-		INSIST(server->sessionkey == NULL);
-		INSIST(server->session_keyfile == NULL);
-		INSIST(server->session_keyname == NULL);
-		INSIST(server->session_keyalg == DST_ALG_UNKNOWN);
-		INSIST(server->session_keybits == 0);
-
-		server->session_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
-		if (server->session_keyname == NULL)
-			goto cleanup;
-		dns_name_init(server->session_keyname, NULL);
-		CHECK(dns_name_dup(keyname, mctx, server->session_keyname));
-
-		server->session_keyfile = isc_mem_strdup(mctx, keyfile);
-		if (server->session_keyfile == NULL)
-			goto cleanup;
-
-		server->session_keyalg = algtype;
-		server->session_keybits = bits;
-
-		CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
-					   algname, algtype, bits, mctx,
-					   &server->sessionkey));
-	}
-
-	return (result);
-
-  cleanup:
-	cleanup_session_key(server, mctx);
-	return (result);
-}
-
-static isc_result_t
-setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
-	       cfg_parser_t *parser, cfg_aclconfctx_t *actx)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t allow = ISC_FALSE;
-	struct cfg_context *nzcfg = NULL;
-	cfg_parser_t *nzparser = NULL;
-	cfg_obj_t *nzconfig = NULL;
-	const cfg_obj_t *maps[4];
-	const cfg_obj_t *options = NULL, *voptions = NULL;
-	const cfg_obj_t *nz = NULL;
-	int i = 0;
-
-	REQUIRE (config != NULL);
-
-	if (vconfig != NULL)
-		voptions = cfg_tuple_get(vconfig, "options");
-	if (voptions != NULL)
-		maps[i++] = voptions;
-	result = cfg_map_get(config, "options", &options);
-	if (result == ISC_R_SUCCESS)
-		maps[i++] = options;
-	maps[i++] = ns_g_defaults;
-	maps[i] = NULL;
-
-	result = ns_config_get(maps, "allow-new-zones", &nz);
-	if (result == ISC_R_SUCCESS)
-		allow = cfg_obj_asboolean(nz);
-
-	if (!allow) {
-		dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
-		return (ISC_R_SUCCESS);
-	}
-
-	nzcfg = isc_mem_get(view->mctx, sizeof(*nzcfg));
-	if (nzcfg == NULL) {
-		dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
-		return (ISC_R_NOMEMORY);
-	}
-
-	dns_view_setnewzones(view, allow, nzcfg, newzone_cfgctx_destroy);
-
-	memset(nzcfg, 0, sizeof(*nzcfg));
-	isc_mem_attach(view->mctx, &nzcfg->mctx);
-	cfg_obj_attach(config, &nzcfg->config);
-	cfg_parser_attach(parser, &nzcfg->parser);
-	cfg_aclconfctx_attach(actx, &nzcfg->actx);
-
-	/*
-	 * Attempt to create a parser and parse the newzones
-	 * file.  If successful, preserve both; otherwise leave
-	 * them NULL.
-	 */
-	result = cfg_parser_create(view->mctx, ns_g_lctx, &nzparser);
-	if (result == ISC_R_SUCCESS)
-		result = cfg_parse_file(nzparser, view->new_zone_file,
-					&cfg_type_newzones, &nzconfig);
-	if (result == ISC_R_SUCCESS) {
-		cfg_parser_attach(nzparser, &nzcfg->nzparser);
-		cfg_obj_attach(nzconfig, &nzcfg->nzconfig);
-	}
-
-	if (nzparser != NULL) {
-		if (nzconfig != NULL)
-			cfg_obj_destroy(nzparser, &nzconfig);
-		cfg_parser_destroy(&nzparser);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static int
-count_zones(const cfg_obj_t *conf) {
-	const cfg_obj_t *zonelist = NULL;
-	const cfg_listelt_t *element;
-	int n = 0;
-
-	REQUIRE(conf != NULL);
-
-	cfg_map_get(conf, "zone", &zonelist);
-	for (element = cfg_list_first(zonelist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-		n++;
-
-	return (n);
-}
-
-static isc_result_t
-load_configuration(const char *filename, ns_server_t *server,
-		   isc_boolean_t first_time)
-{
-	cfg_obj_t *config = NULL, *bindkeys = NULL;
-	cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
-	const cfg_listelt_t *element;
-	const cfg_obj_t *builtin_views;
-	const cfg_obj_t *maps[3];
-	const cfg_obj_t *obj;
-	const cfg_obj_t *options;
-	const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
-	const cfg_obj_t *views;
-	dns_view_t *view = NULL;
-	dns_view_t *view_next;
-	dns_viewlist_t tmpviewlist;
-	dns_viewlist_t viewlist, builtin_viewlist;
-	in_port_t listen_port, udpport_low, udpport_high;
-	int i;
-	isc_interval_t interval;
-	isc_portset_t *v4portset = NULL;
-	isc_portset_t *v6portset = NULL;
-	isc_resourcevalue_t nfiles;
-	isc_result_t result;
-	isc_uint32_t heartbeat_interval;
-	isc_uint32_t interface_interval;
-	isc_uint32_t reserved;
-	isc_uint32_t udpsize;
-	ns_cachelist_t cachelist, tmpcachelist;
-	unsigned int maxsocks;
-	ns_cache_t *nsc;
-	struct cfg_context *nzctx;
-	int num_zones = 0;
-	isc_boolean_t exclusive = ISC_FALSE;
-
-	ISC_LIST_INIT(viewlist);
-	ISC_LIST_INIT(builtin_viewlist);
-	ISC_LIST_INIT(cachelist);
-
-	/* Create the ACL configuration context */
-	if (ns_g_aclconfctx != NULL)
-		cfg_aclconfctx_detach(&ns_g_aclconfctx);
-	CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx));
-
-	/*
-	 * Parse the global default pseudo-config file.
-	 */
-	if (first_time) {
-		CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
-		RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
-					  &ns_g_defaults) == ISC_R_SUCCESS);
-	}
-
-	/*
-	 * Parse the configuration file using the new config code.
-	 */
-	result = ISC_R_FAILURE;
-	config = NULL;
-
-	/*
-	 * Unless this is lwresd with the -C option, parse the config file.
-	 */
-	if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
-		isc_log_write(ns_g_lctx,
-			      NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-			      ISC_LOG_INFO, "loading configuration from '%s'",
-			      filename);
-		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
-		cfg_parser_setcallback(conf_parser, directory_callback, NULL);
-		result = cfg_parse_file(conf_parser, filename,
-					&cfg_type_namedconf, &config);
-	}
-
-	/*
-	 * If this is lwresd with the -C option, or lwresd with no -C or -c
-	 * option where the above parsing failed, parse resolv.conf.
-	 */
-	if (ns_g_lwresdonly &&
-	    (lwresd_g_useresolvconf ||
-	     (!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
-	{
-		isc_log_write(ns_g_lctx,
-			      NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-			      ISC_LOG_INFO, "loading configuration from '%s'",
-			      lwresd_g_resolvconffile);
-		if (conf_parser != NULL)
-			cfg_parser_destroy(&conf_parser);
-		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
-		result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
-						    &config);
-	}
-	CHECK(result);
-
-	/*
-	 * Check the validity of the configuration.
-	 */
-	CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
-
-	/*
-	 * Fill in the maps array, used for resolving defaults.
-	 */
-	i = 0;
-	options = NULL;
-	result = cfg_map_get(config, "options", &options);
-	if (result == ISC_R_SUCCESS)
-		maps[i++] = options;
-	maps[i++] = ns_g_defaults;
-	maps[i] = NULL;
-
-	/*
-	 * If bind.keys exists, load it.  If "dnssec-lookaside auto"
-	 * is turned on, the keys found there will be used as default
-	 * trust anchors.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "bindkeys-file", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	CHECKM(setstring(server, &server->bindkeysfile,
-	       cfg_obj_asstring(obj)), "strdup");
-
-	if (access(server->bindkeysfile, R_OK) == 0) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "reading built-in trusted "
-			      "keys from file '%s'", server->bindkeysfile);
-
-		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
-					&bindkeys_parser));
-
-		result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
-					&cfg_type_bindkeys, &bindkeys);
-		CHECK(result);
-	}
-
-	/* Ensure exclusive access to configuration data. */
-	if (!exclusive) {
-		result = isc_task_beginexclusive(server->task);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		exclusive = ISC_TRUE;
-	}
-
-	/*
-	 * Set process limits, which (usually) needs to be done as root.
-	 */
-	set_limits(maps);
-
-	/*
-	 * Check if max number of open sockets that the system allows is
-	 * sufficiently large.	Failing this condition is not necessarily fatal,
-	 * but may cause subsequent runtime failures for a busy recursive
-	 * server.
-	 */
-	result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &maxsocks);
-	if (result != ISC_R_SUCCESS)
-		maxsocks = 0;
-	result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles);
-	if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-			      "max open files (%" ISC_PRINT_QUADFORMAT "u)"
-			      " is smaller than max sockets (%u)",
-			      nfiles, maxsocks);
-	}
-
-	/*
-	 * Set the number of socket reserved for TCP, stdio etc.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "reserved-sockets", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	reserved = cfg_obj_asuint32(obj);
-	if (maxsocks != 0) {
-		if (maxsocks < 128U)			/* Prevent underflow. */
-			reserved = 0;
-		else if (reserved > maxsocks - 128U)	/* Minimum UDP space. */
-			reserved = maxsocks - 128;
-	}
-	/* Minimum TCP/stdio space. */
-	if (reserved < 128U)
-		reserved = 128;
-	if (reserved + 128U > maxsocks && maxsocks != 0) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-			      "less than 128 UDP sockets available after "
-			      "applying 'reserved-sockets' and 'maxsockets'");
-	}
-	isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
-
-	/*
-	 * Configure various server options.
-	 */
-	configure_server_quota(maps, "transfers-out", &server->xfroutquota);
-	configure_server_quota(maps, "tcp-clients", &server->tcpquota);
-	configure_server_quota(maps, "recursive-clients",
-			       &server->recursionquota);
-	if (server->recursionquota.max > 1000)
-		isc_quota_soft(&server->recursionquota,
-			       server->recursionquota.max - 100);
-	else
-		isc_quota_soft(&server->recursionquota, 0);
-
-	CHECK(configure_view_acl(NULL, config, "blackhole", NULL,
-				 ns_g_aclconfctx, ns_g_mctx,
-				 &server->blackholeacl));
-	if (server->blackholeacl != NULL)
-		dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
-					     server->blackholeacl);
-
-	obj = NULL;
-	result = ns_config_get(maps, "match-mapped-addresses", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	server->aclenv.match_mapped = cfg_obj_asboolean(obj);
-
-	CHECKM(ns_statschannels_configure(ns_g_server, config, ns_g_aclconfctx),
-	       "configuring statistics server(s)");
-
-	/*
-	 * Configure sets of UDP query source ports.
-	 */
-	CHECKM(isc_portset_create(ns_g_mctx, &v4portset),
-	       "creating UDP port set");
-	CHECKM(isc_portset_create(ns_g_mctx, &v6portset),
-	       "creating UDP port set");
-
-	usev4ports = NULL;
-	usev6ports = NULL;
-	avoidv4ports = NULL;
-	avoidv6ports = NULL;
-
-	(void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports);
-	if (usev4ports != NULL)
-		portset_fromconf(v4portset, usev4ports, ISC_TRUE);
-	else {
-		CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
-					       &udpport_high),
-		       "get the default UDP/IPv4 port range");
-		if (udpport_low == udpport_high)
-			isc_portset_add(v4portset, udpport_low);
-		else {
-			isc_portset_addrange(v4portset, udpport_low,
-					     udpport_high);
-		}
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "using default UDP/IPv4 port range: [%d, %d]",
-			      udpport_low, udpport_high);
-	}
-	(void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
-	if (avoidv4ports != NULL)
-		portset_fromconf(v4portset, avoidv4ports, ISC_FALSE);
-
-	(void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports);
-	if (usev6ports != NULL)
-		portset_fromconf(v6portset, usev6ports, ISC_TRUE);
-	else {
-		CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
-					       &udpport_high),
-		       "get the default UDP/IPv6 port range");
-		if (udpport_low == udpport_high)
-			isc_portset_add(v6portset, udpport_low);
-		else {
-			isc_portset_addrange(v6portset, udpport_low,
-					     udpport_high);
-		}
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "using default UDP/IPv6 port range: [%d, %d]",
-			      udpport_low, udpport_high);
-	}
-	(void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
-	if (avoidv6ports != NULL)
-		portset_fromconf(v6portset, avoidv6ports, ISC_FALSE);
-
-	dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset);
-
-	/*
-	 * Set the EDNS UDP size when we don't match a view.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "edns-udp-size", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	udpsize = cfg_obj_asuint32(obj);
-	if (udpsize < 512)
-		udpsize = 512;
-	if (udpsize > 4096)
-		udpsize = 4096;
-	ns_g_udpsize = (isc_uint16_t)udpsize;
-
-	/*
-	 * Configure the zone manager.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "transfers-in", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
-
-	obj = NULL;
-	result = ns_config_get(maps, "transfers-per-ns", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
-
-	obj = NULL;
-	result = ns_config_get(maps, "serial-query-rate", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
-
-	/*
-	 * Determine which port to use for listening for incoming connections.
-	 */
-	if (ns_g_port != 0)
-		listen_port = ns_g_port;
-	else
-		CHECKM(ns_config_getport(config, &listen_port), "port");
-
-	/*
-	 * Find the listen queue depth.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "tcp-listen-queue", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	ns_g_listen = cfg_obj_asuint32(obj);
-	if (ns_g_listen < 3)
-		ns_g_listen = 3;
-
-	/*
-	 * Configure the interface manager according to the "listen-on"
-	 * statement.
-	 */
-	{
-		const cfg_obj_t *clistenon = NULL;
-		ns_listenlist_t *listenon = NULL;
-
-		clistenon = NULL;
-		/*
-		 * Even though listen-on is present in the default
-		 * configuration, we can't use it here, since it isn't
-		 * used if we're in lwresd mode.  This way is easier.
-		 */
-		if (options != NULL)
-			(void)cfg_map_get(options, "listen-on", &clistenon);
-		if (clistenon != NULL) {
-			/* check return code? */
-			(void)ns_listenlist_fromconfig(clistenon, config,
-						       ns_g_aclconfctx,
-						       ns_g_mctx, &listenon);
-		} else if (!ns_g_lwresdonly) {
-			/*
-			 * Not specified, use default.
-			 */
-			CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
-						    ISC_TRUE, &listenon));
-		}
-		if (listenon != NULL) {
-			ns_interfacemgr_setlistenon4(server->interfacemgr,
-						     listenon);
-			ns_listenlist_detach(&listenon);
-		}
-	}
-	/*
-	 * Ditto for IPv6.
-	 */
-	{
-		const cfg_obj_t *clistenon = NULL;
-		ns_listenlist_t *listenon = NULL;
-
-		if (options != NULL)
-			(void)cfg_map_get(options, "listen-on-v6", &clistenon);
-		if (clistenon != NULL) {
-			/* check return code? */
-			(void)ns_listenlist_fromconfig(clistenon, config,
-						       ns_g_aclconfctx,
-						       ns_g_mctx, &listenon);
-		} else if (!ns_g_lwresdonly) {
-			isc_boolean_t enable;
-			/*
-			 * Not specified, use default.
-			 */
-			enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
-			CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
-						    enable, &listenon));
-		}
-		if (listenon != NULL) {
-			ns_interfacemgr_setlistenon6(server->interfacemgr,
-						     listenon);
-			ns_listenlist_detach(&listenon);
-		}
-	}
-
-	/*
-	 * Rescan the interface list to pick up changes in the
-	 * listen-on option.  It's important that we do this before we try
-	 * to configure the query source, since the dispatcher we use might
-	 * be shared with an interface.
-	 */
-	scan_interfaces(server, ISC_TRUE);
-
-	/*
-	 * Arrange for further interface scanning to occur periodically
-	 * as specified by the "interface-interval" option.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "interface-interval", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	interface_interval = cfg_obj_asuint32(obj) * 60;
-	if (interface_interval == 0) {
-		CHECK(isc_timer_reset(server->interface_timer,
-				      isc_timertype_inactive,
-				      NULL, NULL, ISC_TRUE));
-	} else if (server->interface_interval != interface_interval) {
-		isc_interval_set(&interval, interface_interval, 0);
-		CHECK(isc_timer_reset(server->interface_timer,
-				      isc_timertype_ticker,
-				      NULL, &interval, ISC_FALSE));
-	}
-	server->interface_interval = interface_interval;
-
-	/*
-	 * Configure the dialup heartbeat timer.
-	 */
-	obj = NULL;
-	result = ns_config_get(maps, "heartbeat-interval", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	heartbeat_interval = cfg_obj_asuint32(obj) * 60;
-	if (heartbeat_interval == 0) {
-		CHECK(isc_timer_reset(server->heartbeat_timer,
-				      isc_timertype_inactive,
-				      NULL, NULL, ISC_TRUE));
-	} else if (server->heartbeat_interval != heartbeat_interval) {
-		isc_interval_set(&interval, heartbeat_interval, 0);
-		CHECK(isc_timer_reset(server->heartbeat_timer,
-				      isc_timertype_ticker,
-				      NULL, &interval, ISC_FALSE));
-	}
-	server->heartbeat_interval = heartbeat_interval;
-
-	isc_interval_set(&interval, 1200, 0);
-	CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
-			      &interval, ISC_FALSE));
-
-	/*
-	 * Write the PID file.
-	 */
-	obj = NULL;
-	if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
-		if (cfg_obj_isvoid(obj))
-			ns_os_writepidfile(NULL, first_time);
-		else
-			ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
-	else if (ns_g_lwresdonly)
-		ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
-	else
-		ns_os_writepidfile(ns_g_defaultpidfile, first_time);
-
-	/*
-	 * Configure the server-wide session key.  This must be done before
-	 * configure views because zone configuration may need to know
-	 * session-keyname.
-	 *
-	 * Failure of session key generation isn't fatal at this time; if it
-	 * turns out that a session key is really needed but doesn't exist,
-	 * we'll treat it as a fatal error then.
-	 */
-	(void)configure_session_key(maps, server, ns_g_mctx);
-
-	views = NULL;
-	(void)cfg_map_get(config, "view", &views);
-
-	/*
-	 * Create the views and count all the configured zones in
-	 * order to correctly size the zone manager's task table.
-	 * (We only count zones for configured views; the built-in
-	 * "bind" view can be ignored as it only adds a negligible
-	 * number of zones.)
-	 *
-	 * If we're allowing new zones, we need to be able to find the
-	 * new zone file and count those as well.  So we setup the new
-	 * zone configuration context, but otherwise view configuration
-	 * waits until after the zone manager's task list has been sized.
-	 */
-	for (element = cfg_list_first(views);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		cfg_obj_t *vconfig = cfg_listelt_value(element);
-		const cfg_obj_t *voptions = cfg_tuple_get(vconfig, "options");
-		view = NULL;
-
-		CHECK(create_view(vconfig, &viewlist, &view));
-		INSIST(view != NULL);
-
-		num_zones += count_zones(voptions);
-		CHECK(setup_newzones(view, config, vconfig, conf_parser,
-				     ns_g_aclconfctx));
-
-		nzctx = view->new_zone_config;
-		if (nzctx != NULL && nzctx->nzconfig != NULL)
-			num_zones += count_zones(nzctx->nzconfig);
-
-		dns_view_detach(&view);
-	}
-
-	/*
-	 * If there were no explicit views then we do the default
-	 * view here.
-	 */
-	if (views == NULL) {
-		CHECK(create_view(NULL, &viewlist, &view));
-		INSIST(view != NULL);
-
-		num_zones = count_zones(config);
-
-		CHECK(setup_newzones(view, config, NULL,  conf_parser,
-				     ns_g_aclconfctx));
-
-		nzctx = view->new_zone_config;
-		if (nzctx != NULL && nzctx->nzconfig != NULL)
-			num_zones += count_zones(nzctx->nzconfig);
-
-		dns_view_detach(&view);
-	}
-
-	/*
-	 * Zones have been counted; set the zone manager task pool size.
-	 */
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "sizing zone task pool based on %d zones", num_zones);
-	CHECK(dns_zonemgr_setsize(ns_g_server->zonemgr, num_zones));
-
-	/*
-	 * Configure and freeze all explicit views.  Explicit
-	 * views that have zones were already created at parsing
-	 * time, but views with no zones must be created here.
-	 */
-	for (element = cfg_list_first(views);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		cfg_obj_t *vconfig = cfg_listelt_value(element);
-
-		view = NULL;
-		CHECK(find_view(vconfig, &viewlist, &view));
-		CHECK(configure_view(view, config, vconfig,
-				     &cachelist, bindkeys, ns_g_mctx,
-				     ns_g_aclconfctx, ISC_TRUE));
-		dns_view_freeze(view);
-		dns_view_detach(&view);
-	}
-
-	/*
-	 * Make sure we have a default view if and only if there
-	 * were no explicit views.
-	 */
-	if (views == NULL) {
-		view = NULL;
-		CHECK(find_view(NULL, &viewlist, &view));
-		CHECK(configure_view(view, config, NULL,
-				     &cachelist, bindkeys,
-				     ns_g_mctx, ns_g_aclconfctx, ISC_TRUE));
-		dns_view_freeze(view);
-		dns_view_detach(&view);
-	}
-
-	/*
-	 * Create (or recreate) the built-in views.
-	 */
-	builtin_views = NULL;
-	RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
-				  &builtin_views) == ISC_R_SUCCESS);
-	for (element = cfg_list_first(builtin_views);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		cfg_obj_t *vconfig = cfg_listelt_value(element);
-
-		CHECK(create_view(vconfig, &builtin_viewlist, &view));
-		CHECK(configure_view(view, config, vconfig,
-				     &cachelist, bindkeys,
-				     ns_g_mctx, ns_g_aclconfctx, ISC_FALSE));
-		dns_view_freeze(view);
-		dns_view_detach(&view);
-		view = NULL;
-	}
-
-	/* Now combine the two viewlists into one */
-	ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
-
-	/* Swap our new view list with the production one. */
-	tmpviewlist = server->viewlist;
-	server->viewlist = viewlist;
-	viewlist = tmpviewlist;
-
-	/* Make the view list available to each of the views */
-	view = ISC_LIST_HEAD(server->viewlist);
-	while (view != NULL) {
-		view->viewlist = &server->viewlist;
-		view = ISC_LIST_NEXT(view, link);
-	}
-
-	/* Swap our new cache list with the production one. */
-	tmpcachelist = server->cachelist;
-	server->cachelist = cachelist;
-	cachelist = tmpcachelist;
-
-	/* Load the TKEY information from the configuration. */
-	if (options != NULL) {
-		dns_tkeyctx_t *t = NULL;
-		CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
-					     &t),
-		       "configuring TKEY");
-		if (server->tkeyctx != NULL)
-			dns_tkeyctx_destroy(&server->tkeyctx);
-		server->tkeyctx = t;
-	}
-
-	/*
-	 * Bind the control port(s).
-	 */
-	CHECKM(ns_controls_configure(ns_g_server->controls, config,
-				     ns_g_aclconfctx),
-	       "binding control channel(s)");
-
-	/*
-	 * Bind the lwresd port(s).
-	 */
-	CHECKM(ns_lwresd_configure(ns_g_mctx, config),
-	       "binding lightweight resolver ports");
-
-	/*
-	 * Open the source of entropy.
-	 */
-	if (first_time) {
-		obj = NULL;
-		result = ns_config_get(maps, "random-device", &obj);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "no source of entropy found");
-		} else {
-			const char *randomdev = cfg_obj_asstring(obj);
-			result = isc_entropy_createfilesource(ns_g_entropy,
-							      randomdev);
-			if (result != ISC_R_SUCCESS)
-				isc_log_write(ns_g_lctx,
-					      NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_SERVER,
-					      ISC_LOG_INFO,
-					      "could not open entropy source "
-					      "%s: %s",
-					      randomdev,
-					      isc_result_totext(result));
-#ifdef PATH_RANDOMDEV
-			if (ns_g_fallbackentropy != NULL) {
-				if (result != ISC_R_SUCCESS) {
-					isc_log_write(ns_g_lctx,
-						      NS_LOGCATEGORY_GENERAL,
-						      NS_LOGMODULE_SERVER,
-						      ISC_LOG_INFO,
-						      "using pre-chroot entropy source "
-						      "%s",
-						      PATH_RANDOMDEV);
-					isc_entropy_detach(&ns_g_entropy);
-					isc_entropy_attach(ns_g_fallbackentropy,
-							   &ns_g_entropy);
-				}
-				isc_entropy_detach(&ns_g_fallbackentropy);
-			}
-#endif
-		}
-	}
-
-	/*
-	 * Relinquish root privileges.
-	 */
-	if (first_time)
-		ns_os_changeuser();
-
-	/*
-	 * Check that the working directory is writable.
-	 */
-	if (access(".", W_OK) != 0) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "the working directory is not writable");
-	}
-
-	/*
-	 * Configure the logging system.
-	 *
-	 * Do this after changing UID to make sure that any log
-	 * files specified in named.conf get created by the
-	 * unprivileged user, not root.
-	 */
-	if (ns_g_logstderr) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "ignoring config file logging "
-			      "statement due to -g option");
-	} else {
-		const cfg_obj_t *logobj = NULL;
-		isc_logconfig_t *logc = NULL;
-
-		CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
-		       "creating new logging configuration");
-
-		logobj = NULL;
-		(void)cfg_map_get(config, "logging", &logobj);
-		if (logobj != NULL) {
-			CHECKM(ns_log_configure(logc, logobj),
-			       "configuring logging");
-		} else {
-			CHECKM(ns_log_setdefaultchannels(logc),
-			       "setting up default logging channels");
-			CHECKM(ns_log_setunmatchedcategory(logc),
-			       "setting up default 'category unmatched'");
-			CHECKM(ns_log_setdefaultcategory(logc),
-			       "setting up default 'category default'");
-		}
-
-		result = isc_logconfig_use(ns_g_lctx, logc);
-		if (result != ISC_R_SUCCESS) {
-			isc_logconfig_destroy(&logc);
-			CHECKM(result, "installing logging configuration");
-		}
-
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
-			      "now using logging configuration from "
-			      "config file");
-	}
-
-	/*
-	 * Set the default value of the query logging flag depending
-	 * whether a "queries" category has been defined.  This is
-	 * a disgusting hack, but we need to do this for BIND 8
-	 * compatibility.
-	 */
-	if (first_time) {
-		const cfg_obj_t *logobj = NULL;
-		const cfg_obj_t *categories = NULL;
-
-		obj = NULL;
-		if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
-			server->log_queries = cfg_obj_asboolean(obj);
-		} else {
-
-			(void)cfg_map_get(config, "logging", &logobj);
-			if (logobj != NULL)
-				(void)cfg_map_get(logobj, "category",
-						  &categories);
-			if (categories != NULL) {
-				const cfg_listelt_t *element;
-				for (element = cfg_list_first(categories);
-				     element != NULL;
-				     element = cfg_list_next(element))
-				{
-					const cfg_obj_t *catobj;
-					const char *str;
-
-					obj = cfg_listelt_value(element);
-					catobj = cfg_tuple_get(obj, "name");
-					str = cfg_obj_asstring(catobj);
-					if (strcasecmp(str, "queries") == 0)
-						server->log_queries = ISC_TRUE;
-				}
-			}
-		}
-	}
-
-
-	obj = NULL;
-	if (options != NULL &&
-	    cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
-		ns_g_memstatistics = cfg_obj_asboolean(obj);
-	else
-		ns_g_memstatistics =
-			ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
-
-	obj = NULL;
-	if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
-		ns_main_setmemstats(cfg_obj_asstring(obj));
-	else if (ns_g_memstatistics)
-		ns_main_setmemstats("named.memstats");
-	else
-		ns_main_setmemstats(NULL);
-
-	obj = NULL;
-	result = ns_config_get(maps, "statistics-file", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
-	       "strdup");
-
-	obj = NULL;
-	result = ns_config_get(maps, "dump-file", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
-	       "strdup");
-
-	obj = NULL;
-	result = ns_config_get(maps, "secroots-file", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
-	       "strdup");
-
-	obj = NULL;
-	result = ns_config_get(maps, "recursing-file", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
-	       "strdup");
-
-	obj = NULL;
-	result = ns_config_get(maps, "version", &obj);
-	if (result == ISC_R_SUCCESS) {
-		CHECKM(setoptstring(server, &server->version, obj), "strdup");
-		server->version_set = ISC_TRUE;
-	} else {
-		server->version_set = ISC_FALSE;
-	}
-
-	obj = NULL;
-	result = ns_config_get(maps, "hostname", &obj);
-	if (result == ISC_R_SUCCESS) {
-		CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
-		server->hostname_set = ISC_TRUE;
-	} else {
-		server->hostname_set = ISC_FALSE;
-	}
-
-	obj = NULL;
-	result = ns_config_get(maps, "server-id", &obj);
-	server->server_usehostname = ISC_FALSE;
-	if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
-		/* The parser translates "hostname" to ISC_TRUE */
-		server->server_usehostname = cfg_obj_asboolean(obj);
-		result = setstring(server, &server->server_id, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	} else if (result == ISC_R_SUCCESS) {
-		/* Found a quoted string */
-		CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
-	} else {
-		result = setstring(server, &server->server_id, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	}
-
-	obj = NULL;
-	result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
-	if (result == ISC_R_SUCCESS) {
-		server->flushonshutdown = cfg_obj_asboolean(obj);
-	} else {
-		server->flushonshutdown = ISC_FALSE;
-	}
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	if (v4portset != NULL)
-		isc_portset_destroy(ns_g_mctx, &v4portset);
-
-	if (v6portset != NULL)
-		isc_portset_destroy(ns_g_mctx, &v6portset);
-
-	if (conf_parser != NULL) {
-		if (config != NULL)
-			cfg_obj_destroy(conf_parser, &config);
-		cfg_parser_destroy(&conf_parser);
-	}
-
-	if (bindkeys_parser != NULL) {
-		if (bindkeys  != NULL)
-			cfg_obj_destroy(bindkeys_parser, &bindkeys);
-		cfg_parser_destroy(&bindkeys_parser);
-	}
-
-	if (view != NULL)
-		dns_view_detach(&view);
-
-	/*
-	 * This cleans up either the old production view list
-	 * or our temporary list depending on whether they
-	 * were swapped above or not.
-	 */
-	for (view = ISC_LIST_HEAD(viewlist);
-	     view != NULL;
-	     view = view_next) {
-		view_next = ISC_LIST_NEXT(view, link);
-		ISC_LIST_UNLINK(viewlist, view, link);
-		if (result == ISC_R_SUCCESS &&
-		    strcmp(view->name, "_bind") != 0)
-			(void)dns_zt_apply(view->zonetable, ISC_FALSE,
-					   removed, view);
-		dns_view_detach(&view);
-	}
-
-	/* Same cleanup for cache list. */
-	while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
-		ISC_LIST_UNLINK(cachelist, nsc, link);
-		dns_cache_detach(&nsc->cache);
-		isc_mem_put(server->mctx, nsc, sizeof(*nsc));
-	}
-
-	/*
-	 * Adjust the listening interfaces in accordance with the source
-	 * addresses specified in views and zones.
-	 */
-	if (isc_net_probeipv6() == ISC_R_SUCCESS)
-		adjust_interfaces(server, ns_g_mctx);
-
-	/* Relinquish exclusive access to configuration data. */
-	if (exclusive)
-		isc_task_endexclusive(server->task);
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_DEBUG(1), "load_configuration: %s",
-		      isc_result_totext(result));
-
-	return (result);
-}
-
-static isc_result_t
-view_loaded(void *arg) {
-	isc_result_t result;
-	ns_zoneload_t *zl = (ns_zoneload_t *) arg;
-	ns_server_t *server = zl->server;
-	unsigned int refs;
-
-
-	/*
-	 * Force zone maintenance.  Do this after loading
-	 * so that we know when we need to force AXFR of
-	 * slave zones whose master files are missing.
-	 *
-	 * We use the zoneload reference counter to let us
-	 * know when all views are finished.
-	 */
-	isc_refcount_decrement(&zl->refs, &refs);
-	if (refs != 0)
-		return (ISC_R_SUCCESS);
-
-	isc_refcount_destroy(&zl->refs);
-	isc_mem_put(server->mctx, zl, sizeof (*zl));
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_NOTICE, "all zones loaded");
-	CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr),
-		   "forcing zone maintenance");
-
-	ns_os_started();
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_NOTICE, "running");
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-load_zones(ns_server_t *server) {
-	isc_result_t result;
-	dns_view_t *view;
-	ns_zoneload_t *zl;
-	unsigned int refs = 0;
-
-	zl = isc_mem_get(server->mctx, sizeof (*zl));
-	if (zl == NULL)
-		return (ISC_R_NOMEMORY);
-	zl->server = server;
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	isc_refcount_init(&zl->refs, 1);
-
-	/*
-	 * Schedule zones to be loaded from disk.
-	 */
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link))
-	{
-		if (view->managed_keys != NULL) {
-			result = dns_zone_load(view->managed_keys);
-			if (result != ISC_R_SUCCESS &&
-			    result != DNS_R_UPTODATE &&
-			    result != DNS_R_CONTINUE)
-				goto cleanup;
-		}
-		if (view->redirect != NULL) {
-			result = dns_zone_load(view->redirect);
-			if (result != ISC_R_SUCCESS &&
-			    result != DNS_R_UPTODATE &&
-			    result != DNS_R_CONTINUE)
-				goto cleanup;
-		}
-
-		/*
-		 * 'dns_view_asyncload' calls view_loaded if there are no
-		 * zones.
-		 */
-		isc_refcount_increment(&zl->refs, NULL);
-		CHECK(dns_view_asyncload(view, view_loaded, zl));
-	}
-
- cleanup:
-	isc_refcount_decrement(&zl->refs, &refs);
-	if (refs == 0) {
-		isc_refcount_destroy(&zl->refs);
-		isc_mem_put(server->mctx, zl, sizeof (*zl));
-	} else {
-		/*
-		 * Place the task manager into privileged mode.  This
-		 * ensures that after we leave task-exclusive mode, no
-		 * other tasks will be able to run except for the ones
-		 * that are loading zones.
-		 */
-		isc_taskmgr_setmode(ns_g_taskmgr, isc_taskmgrmode_privileged);
-	}
-
-	isc_task_endexclusive(server->task);
-	return (result);
-}
-
-static isc_result_t
-load_new_zones(ns_server_t *server, isc_boolean_t stop) {
-	isc_result_t result;
-	dns_view_t *view;
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	/*
-	 * Load zone data from disk.
-	 */
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link))
-	{
-		CHECK(dns_view_loadnew(view, stop));
-
-		/* Load managed-keys data */
-		if (view->managed_keys != NULL)
-			CHECK(dns_zone_loadnew(view->managed_keys));
-		if (view->redirect != NULL)
-			CHECK(dns_zone_loadnew(view->redirect));
-	}
-
-	/*
-	 * Resume zone XFRs.
-	 */
-	dns_zonemgr_resumexfrs(server->zonemgr);
- cleanup:
-	isc_task_endexclusive(server->task);
-	return (result);
-}
-
-static void
-run_server(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	ns_server_t *server = (ns_server_t *)event->ev_arg;
-
-	INSIST(task == server->task);
-
-	isc_event_free(&event);
-
-	CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
-					  &ns_g_dispatchmgr),
-		   "creating dispatch manager");
-
-	dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats);
-
-	CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
-					  ns_g_socketmgr, ns_g_dispatchmgr,
-					  &server->interfacemgr),
-		   "creating interface manager");
-
-	CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
-				    NULL, NULL, server->task,
-				    interface_timer_tick,
-				    server, &server->interface_timer),
-		   "creating interface timer");
-
-	CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
-				    NULL, NULL, server->task,
-				    heartbeat_timer_tick,
-				    server, &server->heartbeat_timer),
-		   "creating heartbeat timer");
-
-	CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
-				    NULL, NULL, server->task, pps_timer_tick,
-				    server, &server->pps_timer),
-		   "creating pps timer");
-
-	CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
-		   "creating default configuration parser");
-
-	if (ns_g_lwresdonly)
-		CHECKFATAL(load_configuration(lwresd_g_conffile, server,
-					      ISC_TRUE),
-			   "loading configuration");
-	else
-		CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
-			   "loading configuration");
-
-	isc_hash_init();
-
-	CHECKFATAL(load_zones(server), "loading zones");
-}
-
-void
-ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
-
-	REQUIRE(NS_SERVER_VALID(server));
-
-	server->flushonshutdown = flush;
-}
-
-static void
-shutdown_server(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	dns_view_t *view, *view_next;
-	ns_server_t *server = (ns_server_t *)event->ev_arg;
-	isc_boolean_t flush = server->flushonshutdown;
-	ns_cache_t *nsc;
-
-	UNUSED(task);
-	INSIST(task == server->task);
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_INFO, "shutting down%s",
-		      flush ? ": flushing changes" : "");
-
-	ns_statschannels_shutdown(server);
-	ns_controls_shutdown(server->controls);
-	end_reserved_dispatches(server, ISC_TRUE);
-	cleanup_session_key(server, server->mctx);
-
-	if (ns_g_aclconfctx != NULL)
-		cfg_aclconfctx_detach(&ns_g_aclconfctx);
-
-	cfg_obj_destroy(ns_g_parser, &ns_g_config);
-	cfg_parser_destroy(&ns_g_parser);
-
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = view_next) {
-		view_next = ISC_LIST_NEXT(view, link);
-		ISC_LIST_UNLINK(server->viewlist, view, link);
-		if (flush)
-			dns_view_flushanddetach(&view);
-		else
-			dns_view_detach(&view);
-	}
-
-	while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
-		ISC_LIST_UNLINK(server->cachelist, nsc, link);
-		dns_cache_detach(&nsc->cache);
-		isc_mem_put(server->mctx, nsc, sizeof(*nsc));
-	}
-
-	isc_timer_detach(&server->interface_timer);
-	isc_timer_detach(&server->heartbeat_timer);
-	isc_timer_detach(&server->pps_timer);
-
-	ns_interfacemgr_shutdown(server->interfacemgr);
-	ns_interfacemgr_detach(&server->interfacemgr);
-
-	dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
-
-	dns_zonemgr_shutdown(server->zonemgr);
-
-	if (ns_g_sessionkey != NULL) {
-		dns_tsigkey_detach(&ns_g_sessionkey);
-		dns_name_free(&ns_g_sessionkeyname, server->mctx);
-	}
-
-	if (server->blackholeacl != NULL)
-		dns_acl_detach(&server->blackholeacl);
-
-	dns_db_detach(&server->in_roothints);
-
-	isc_task_endexclusive(server->task);
-
-	isc_task_detach(&server->task);
-
-	isc_event_free(&event);
-}
-
-void
-ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
-	isc_result_t result;
-	ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
-
-	if (server == NULL)
-		fatal("allocating server object", ISC_R_NOMEMORY);
-
-	server->mctx = mctx;
-	server->task = NULL;
-
-	/* Initialize configuration data with default values. */
-
-	result = isc_quota_init(&server->xfroutquota, 10);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	result = isc_quota_init(&server->tcpquota, 10);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	result = isc_quota_init(&server->recursionquota, 100);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	result = dns_aclenv_init(mctx, &server->aclenv);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	/* Initialize server data structures. */
-	server->zonemgr = NULL;
-	server->interfacemgr = NULL;
-	ISC_LIST_INIT(server->viewlist);
-	server->in_roothints = NULL;
-	server->blackholeacl = NULL;
-
-	CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
-				     &server->in_roothints),
-		   "setting up root hints");
-
-	CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
-		   "initializing reload event lock");
-	server->reload_event =
-		isc_event_allocate(ns_g_mctx, server,
-				   NS_EVENT_RELOAD,
-				   ns_server_reload,
-				   server,
-				   sizeof(isc_event_t));
-	CHECKFATAL(server->reload_event == NULL ?
-		   ISC_R_NOMEMORY : ISC_R_SUCCESS,
-		   "allocating reload event");
-
-	CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
-				 ns_g_engine, ISC_ENTROPY_GOODONLY),
-		   "initializing DST");
-
-	server->tkeyctx = NULL;
-	CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
-				      &server->tkeyctx),
-		   "creating TKEY context");
-
-	/*
-	 * Setup the server task, which is responsible for coordinating
-	 * startup and shutdown of the server, as well as all exclusive
-	 * tasks.
-	 */
-	CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
-		   "creating server task");
-	isc_task_setname(server->task, "server", server);
-	isc_taskmgr_setexcltask(ns_g_taskmgr, server->task);
-	CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
-		   "isc_task_onshutdown");
-	CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
-		   "isc_app_onrun");
-
-	server->interface_timer = NULL;
-	server->heartbeat_timer = NULL;
-	server->pps_timer = NULL;
-
-	server->interface_interval = 0;
-	server->heartbeat_interval = 0;
-
-	CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
-				      ns_g_socketmgr, &server->zonemgr),
-		   "dns_zonemgr_create");
-	CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000),
-		   "dns_zonemgr_setsize");
-
-	server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
-	CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
-		   "isc_mem_strdup");
-	server->nsstats = NULL;
-	server->rcvquerystats = NULL;
-	server->opcodestats = NULL;
-	server->zonestats = NULL;
-	server->resolverstats = NULL;
-	server->sockstats = NULL;
-	CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
-				    isc_sockstatscounter_max),
-		   "isc_stats_create");
-	isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
-
-	server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
-	CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
-						  ISC_R_SUCCESS,
-		   "isc_mem_strdup");
-
-	server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
-	CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
-		   "isc_mem_strdup");
-
-	server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
-	CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
-						  ISC_R_SUCCESS,
-		   "isc_mem_strdup");
-
-	server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
-	CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
-		   "isc_mem_strdup");
-
-	server->hostname_set = ISC_FALSE;
-	server->hostname = NULL;
-	server->version_set = ISC_FALSE;
-	server->version = NULL;
-	server->server_usehostname = ISC_FALSE;
-	server->server_id = NULL;
-
-	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
-				    dns_nsstatscounter_max),
-		   "dns_stats_create (server)");
-
-	CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx,
-					     &server->rcvquerystats),
-		   "dns_stats_create (rcvquery)");
-
-	CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats),
-		   "dns_stats_create (opcode)");
-
-	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats,
-				    dns_zonestatscounter_max),
-		   "dns_stats_create (zone)");
-
-	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats,
-				    dns_resstatscounter_max),
-		   "dns_stats_create (resolver)");
-
-	server->flushonshutdown = ISC_FALSE;
-	server->log_queries = ISC_FALSE;
-
-	server->controls = NULL;
-	CHECKFATAL(ns_controls_create(server, &server->controls),
-		   "ns_controls_create");
-	server->dispatchgen = 0;
-	ISC_LIST_INIT(server->dispatches);
-
-	ISC_LIST_INIT(server->statschannels);
-
-	ISC_LIST_INIT(server->cachelist);
-
-	server->sessionkey = NULL;
-	server->session_keyfile = NULL;
-	server->session_keyname = NULL;
-	server->session_keyalg = DST_ALG_UNKNOWN;
-	server->session_keybits = 0;
-
-	server->magic = NS_SERVER_MAGIC;
-	*serverp = server;
-}
-
-void
-ns_server_destroy(ns_server_t **serverp) {
-	ns_server_t *server = *serverp;
-	REQUIRE(NS_SERVER_VALID(server));
-
-	ns_controls_destroy(&server->controls);
-
-	isc_stats_detach(&server->nsstats);
-	dns_stats_detach(&server->rcvquerystats);
-	dns_stats_detach(&server->opcodestats);
-	isc_stats_detach(&server->zonestats);
-	isc_stats_detach(&server->resolverstats);
-	isc_stats_detach(&server->sockstats);
-
-	isc_mem_free(server->mctx, server->statsfile);
-	isc_mem_free(server->mctx, server->bindkeysfile);
-	isc_mem_free(server->mctx, server->dumpfile);
-	isc_mem_free(server->mctx, server->secrootsfile);
-	isc_mem_free(server->mctx, server->recfile);
-
-	if (server->version != NULL)
-		isc_mem_free(server->mctx, server->version);
-	if (server->hostname != NULL)
-		isc_mem_free(server->mctx, server->hostname);
-	if (server->server_id != NULL)
-		isc_mem_free(server->mctx, server->server_id);
-
-	if (server->zonemgr != NULL)
-		dns_zonemgr_detach(&server->zonemgr);
-
-	if (server->tkeyctx != NULL)
-		dns_tkeyctx_destroy(&server->tkeyctx);
-
-	dst_lib_destroy();
-
-	isc_event_free(&server->reload_event);
-
-	INSIST(ISC_LIST_EMPTY(server->viewlist));
-	INSIST(ISC_LIST_EMPTY(server->cachelist));
-
-	dns_aclenv_destroy(&server->aclenv);
-
-	isc_quota_destroy(&server->recursionquota);
-	isc_quota_destroy(&server->tcpquota);
-	isc_quota_destroy(&server->xfroutquota);
-
-	server->magic = 0;
-	isc_mem_put(server->mctx, server, sizeof(*server));
-	*serverp = NULL;
-}
-
-static void
-fatal(const char *msg, isc_result_t result) {
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_CRITICAL, "%s: %s", msg,
-		      isc_result_totext(result));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_CRITICAL, "exiting (due to fatal error)");
-	exit(1);
-}
-
-static void
-start_reserved_dispatches(ns_server_t *server) {
-
-	REQUIRE(NS_SERVER_VALID(server));
-
-	server->dispatchgen++;
-}
-
-static void
-end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
-	ns_dispatch_t *dispatch, *nextdispatch;
-
-	REQUIRE(NS_SERVER_VALID(server));
-
-	for (dispatch = ISC_LIST_HEAD(server->dispatches);
-	     dispatch != NULL;
-	     dispatch = nextdispatch) {
-		nextdispatch = ISC_LIST_NEXT(dispatch, link);
-		if (!all && server->dispatchgen == dispatch-> dispatchgen)
-			continue;
-		ISC_LIST_UNLINK(server->dispatches, dispatch, link);
-		dns_dispatch_detach(&dispatch->dispatch);
-		isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
-	}
-}
-
-void
-ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
-	ns_dispatch_t *dispatch;
-	in_port_t port;
-	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-	isc_result_t result;
-	unsigned int attrs, attrmask;
-
-	REQUIRE(NS_SERVER_VALID(server));
-
-	port = isc_sockaddr_getport(addr);
-	if (port == 0 || port >= 1024)
-		return;
-
-	for (dispatch = ISC_LIST_HEAD(server->dispatches);
-	     dispatch != NULL;
-	     dispatch = ISC_LIST_NEXT(dispatch, link)) {
-		if (isc_sockaddr_equal(&dispatch->addr, addr))
-			break;
-	}
-	if (dispatch != NULL) {
-		dispatch->dispatchgen = server->dispatchgen;
-		return;
-	}
-
-	dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
-	if (dispatch == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-
-	dispatch->addr = *addr;
-	dispatch->dispatchgen = server->dispatchgen;
-	dispatch->dispatch = NULL;
-
-	attrs = 0;
-	attrs |= DNS_DISPATCHATTR_UDP;
-	switch (isc_sockaddr_pf(addr)) {
-	case AF_INET:
-		attrs |= DNS_DISPATCHATTR_IPV4;
-		break;
-	case AF_INET6:
-		attrs |= DNS_DISPATCHATTR_IPV6;
-		break;
-	default:
-		result = ISC_R_NOTIMPLEMENTED;
-		goto cleanup;
-	}
-	attrmask = 0;
-	attrmask |= DNS_DISPATCHATTR_UDP;
-	attrmask |= DNS_DISPATCHATTR_TCP;
-	attrmask |= DNS_DISPATCHATTR_IPV4;
-	attrmask |= DNS_DISPATCHATTR_IPV6;
-
-	result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
-				     ns_g_taskmgr, &dispatch->addr, 4096,
-				     1000, 32768, 16411, 16433,
-				     attrs, attrmask, &dispatch->dispatch);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
-
-	return;
-
- cleanup:
-	if (dispatch != NULL)
-		isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
-	isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-		      "unable to create dispatch for reserved port %s: %s",
-		      addrbuf, isc_result_totext(result));
-}
-
-
-static isc_result_t
-loadconfig(ns_server_t *server) {
-	isc_result_t result;
-	start_reserved_dispatches(server);
-	result = load_configuration(ns_g_lwresdonly ?
-				    lwresd_g_conffile : ns_g_conffile,
-				    server, ISC_FALSE);
-	if (result == ISC_R_SUCCESS) {
-		end_reserved_dispatches(server, ISC_FALSE);
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "reloading configuration succeeded");
-	} else {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "reloading configuration failed: %s",
-			      isc_result_totext(result));
-	}
-	return (result);
-}
-
-static isc_result_t
-reload(ns_server_t *server) {
-	isc_result_t result;
-	CHECK(loadconfig(server));
-
-	result = load_zones(server);
-	if (result == ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "reloading zones succeeded");
-	else
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "reloading zones failed: %s",
-			      isc_result_totext(result));
-
- cleanup:
-	return (result);
-}
-
-static void
-reconfig(ns_server_t *server) {
-	isc_result_t result;
-	CHECK(loadconfig(server));
-
-	result = load_new_zones(server, ISC_FALSE);
-	if (result == ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "any newly configured zones are now loaded");
-	else
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "loading new zones failed: %s",
-			      isc_result_totext(result));
-
- cleanup: ;
-}
-
-/*
- * Handle a reload event (from SIGHUP).
- */
-static void
-ns_server_reload(isc_task_t *task, isc_event_t *event) {
-	ns_server_t *server = (ns_server_t *)event->ev_arg;
-
-	INSIST(task = server->task);
-	UNUSED(task);
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "received SIGHUP signal to reload zones");
-	(void)reload(server);
-
-	LOCK(&server->reload_event_lock);
-	INSIST(server->reload_event == NULL);
-	server->reload_event = event;
-	UNLOCK(&server->reload_event_lock);
-}
-
-void
-ns_server_reloadwanted(ns_server_t *server) {
-	LOCK(&server->reload_event_lock);
-	if (server->reload_event != NULL)
-		isc_task_send(server->task, &server->reload_event);
-	UNLOCK(&server->reload_event_lock);
-}
-
-static char *
-next_token(char **stringp, const char *delim) {
-	char *res;
-
-	do {
-		res = strsep(stringp, delim);
-		if (res == NULL)
-			break;
-	} while (*res == '\0');
-	return (res);
-}
-
-/*
- * Find the zone specified in the control channel command 'args',
- * if any.  If a zone is specified, point '*zonep' at it, otherwise
- * set '*zonep' to NULL.
- */
-static isc_result_t
-zone_from_args(ns_server_t *server, char *args, const char *zonetxt,
-	       dns_zone_t **zonep, const char **zonename, isc_boolean_t skip)
-{
-	char *input, *ptr;
-	char *classtxt;
-	const char *viewtxt = NULL;
-	dns_fixedname_t name;
-	isc_result_t result;
-	isc_buffer_t buf;
-	dns_view_t *view = NULL;
-	dns_rdataclass_t rdclass;
-
-	REQUIRE(zonep != NULL && *zonep == NULL);
-	REQUIRE(zonename == NULL || *zonename == NULL);
-
-	input = args;
-
-	if (skip) {
-		/* Skip the command name. */
-		ptr = next_token(&input, " \t");
-		if (ptr == NULL)
-			return (ISC_R_UNEXPECTEDEND);
-	}
-
-	/* Look for the zone name. */
-	if (zonetxt == NULL)
-		zonetxt = next_token(&input, " \t");
-	if (zonetxt == NULL)
-		return (ISC_R_SUCCESS);
-	if (zonename != NULL)
-		*zonename = zonetxt;
-
-	/* Look for the optional class name. */
-	classtxt = next_token(&input, " \t");
-	if (classtxt != NULL) {
-		/* Look for the optional view name. */
-		viewtxt = next_token(&input, " \t");
-	}
-
-	isc_buffer_constinit(&buf, zonetxt, strlen(zonetxt));
-	isc_buffer_add(&buf, strlen(zonetxt));
-	dns_fixedname_init(&name);
-	result = dns_name_fromtext(dns_fixedname_name(&name),
-				   &buf, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto fail1;
-
-	if (classtxt != NULL) {
-		isc_textregion_t r;
-		r.base = classtxt;
-		r.length = strlen(classtxt);
-		result = dns_rdataclass_fromtext(&rdclass, &r);
-		if (result != ISC_R_SUCCESS)
-			goto fail1;
-	} else
-		rdclass = dns_rdataclass_in;
-
-	if (viewtxt == NULL) {
-		result = dns_viewlist_findzone(&server->viewlist,
-					       dns_fixedname_name(&name),
-					       ISC_TF(classtxt == NULL),
-					       rdclass, zonep);
-	} else {
-		result = dns_viewlist_find(&server->viewlist, viewtxt,
-					   rdclass, &view);
-		if (result != ISC_R_SUCCESS)
-			goto fail1;
-
-		result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
-				     0, NULL, zonep);
-		dns_view_detach(&view);
-	}
-
-	/* Partial match? */
-	if (result != ISC_R_SUCCESS && *zonep != NULL)
-		dns_zone_detach(zonep);
-	if (result == DNS_R_PARTIALMATCH)
-		result = ISC_R_NOTFOUND;
- fail1:
-	return (result);
-}
-
-/*
- * Act on a "retransfer" command from the command channel.
- */
-isc_result_t
-ns_server_retransfercommand(ns_server_t *server, char *args) {
-	isc_result_t result;
-	dns_zone_t *zone = NULL;
-	dns_zone_t *raw = NULL;
-	dns_zonetype_t type;
-
-	result = zone_from_args(server, args, NULL, &zone, NULL, ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (zone == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-	dns_zone_getraw(zone, &raw);
-	if (raw != NULL) {
-		dns_zone_detach(&zone);
-		dns_zone_attach(raw, &zone);
-		dns_zone_detach(&raw);
-	}
-	type = dns_zone_gettype(zone);
-	if (type == dns_zone_slave || type == dns_zone_stub)
-		dns_zone_forcereload(zone);
-	else
-		result = ISC_R_NOTFOUND;
-	dns_zone_detach(&zone);
-	return (result);
-}
-
-/*
- * Act on a "reload" command from the command channel.
- */
-isc_result_t
-ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
-	isc_result_t result;
-	dns_zone_t *zone = NULL;
-	dns_zonetype_t type;
-	const char *msg = NULL;
-
-	result = zone_from_args(server, args, NULL, &zone, NULL, ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (zone == NULL) {
-		result = reload(server);
-		if (result == ISC_R_SUCCESS)
-			msg = "server reload successful";
-	} else {
-		type = dns_zone_gettype(zone);
-		if (type == dns_zone_slave || type == dns_zone_stub) {
-			dns_zone_refresh(zone);
-			dns_zone_detach(&zone);
-			msg = "zone refresh queued";
-		} else {
-			result = dns_zone_load(zone);
-			dns_zone_detach(&zone);
-			switch (result) {
-			case ISC_R_SUCCESS:
-				 msg = "zone reload successful";
-				 break;
-			case DNS_R_CONTINUE:
-				msg = "zone reload queued";
-				result = ISC_R_SUCCESS;
-				break;
-			case DNS_R_UPTODATE:
-				msg = "zone reload up-to-date";
-				result = ISC_R_SUCCESS;
-				break;
-			default:
-				/* failure message will be generated by rndc */
-				break;
-			}
-		}
-	}
-	if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
-		isc_buffer_putmem(text, (const unsigned char *)msg,
-				  strlen(msg) + 1);
-	return (result);
-}
-
-/*
- * Act on a "reconfig" command from the command channel.
- */
-isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args) {
-	UNUSED(args);
-
-	reconfig(server);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Act on a "notify" command from the command channel.
- */
-isc_result_t
-ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
-	isc_result_t result;
-	dns_zone_t *zone = NULL;
-	const unsigned char msg[] = "zone notify queued";
-
-	result = zone_from_args(server, args, NULL, &zone, NULL, ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (zone == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	dns_zone_notify(zone);
-	dns_zone_detach(&zone);
-	if (sizeof(msg) <= isc_buffer_availablelength(text))
-		isc_buffer_putmem(text, msg, sizeof(msg));
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Act on a "refresh" command from the command channel.
- */
-isc_result_t
-ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
-	isc_result_t result;
-	dns_zone_t *zone = NULL;
-	const unsigned char msg1[] = "zone refresh queued";
-	const unsigned char msg2[] = "not a slave or stub zone";
-	dns_zonetype_t type;
-
-	result = zone_from_args(server, args, NULL, &zone, NULL, ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (zone == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	type = dns_zone_gettype(zone);
-	if (type == dns_zone_slave || type == dns_zone_stub) {
-		dns_zone_refresh(zone);
-		dns_zone_detach(&zone);
-		if (sizeof(msg1) <= isc_buffer_availablelength(text))
-			isc_buffer_putmem(text, msg1, sizeof(msg1));
-		return (ISC_R_SUCCESS);
-	}
-
-	dns_zone_detach(&zone);
-	if (sizeof(msg2) <= isc_buffer_availablelength(text))
-		isc_buffer_putmem(text, msg2, sizeof(msg2));
-	return (ISC_R_FAILURE);
-}
-
-isc_result_t
-ns_server_togglequerylog(ns_server_t *server, char *args) {
-	isc_boolean_t value;
-	char *ptr;
-
-	/* Skip the command name. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		value = server->log_queries ? ISC_FALSE : ISC_TRUE;
-	else if (strcasecmp(ptr, "yes") == 0 || strcasecmp(ptr, "on") == 0)
-		value = ISC_TRUE;
-	else if (strcasecmp(ptr, "no") == 0 || strcasecmp(ptr, "off") == 0)
-		value = ISC_FALSE;
-	else
-		return (ISC_R_NOTFOUND);
-
-	if (server->log_queries == value)
-		return (ISC_R_SUCCESS);
-
-	server->log_queries = value;
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "query logging is now %s",
-		      server->log_queries ? "on" : "off");
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
-			 cfg_aclconfctx_t *actx,
-			 isc_mem_t *mctx, ns_listenlist_t **target)
-{
-	isc_result_t result;
-	const cfg_listelt_t *element;
-	ns_listenlist_t *dlist = NULL;
-
-	REQUIRE(target != NULL && *target == NULL);
-
-	result = ns_listenlist_create(mctx, &dlist);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	for (element = cfg_list_first(listenlist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		ns_listenelt_t *delt = NULL;
-		const cfg_obj_t *listener = cfg_listelt_value(element);
-		result = ns_listenelt_fromconfig(listener, config, actx,
-						 mctx, &delt);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		ISC_LIST_APPEND(dlist->elts, delt, link);
-	}
-	*target = dlist;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	ns_listenlist_detach(&dlist);
-	return (result);
-}
-
-/*
- * Create a listen list from the corresponding configuration
- * data structure.
- */
-static isc_result_t
-ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
-			cfg_aclconfctx_t *actx,
-			isc_mem_t *mctx, ns_listenelt_t **target)
-{
-	isc_result_t result;
-	const cfg_obj_t *portobj;
-	in_port_t port;
-	ns_listenelt_t *delt = NULL;
-	REQUIRE(target != NULL && *target == NULL);
-
-	portobj = cfg_tuple_get(listener, "port");
-	if (!cfg_obj_isuint32(portobj)) {
-		if (ns_g_port != 0) {
-			port = ns_g_port;
-		} else {
-			result = ns_config_getport(config, &port);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		}
-	} else {
-		if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
-			cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
-				    "port value '%u' is out of range",
-				    cfg_obj_asuint32(portobj));
-			return (ISC_R_RANGE);
-		}
-		port = (in_port_t)cfg_obj_asuint32(portobj);
-	}
-
-	result = ns_listenelt_create(mctx, port, NULL, &delt);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
-				   config, ns_g_lctx, actx, mctx, 0,
-				   &delt->acl);
-	if (result != ISC_R_SUCCESS) {
-		ns_listenelt_destroy(delt);
-		return (result);
-	}
-	*target = delt;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_server_dumpstats(ns_server_t *server) {
-	isc_result_t result;
-	FILE *fp = NULL;
-
-	CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
-		"could not open statistics dump file", server->statsfile);
-
-	result = ns_stats_dump(server, fp);
-
- cleanup:
-	if (fp != NULL)
-		(void)isc_stdio_close(fp);
-	if (result == ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "dumpstats complete");
-	else
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "dumpstats failed: %s",
-			      dns_result_totext(result));
-	return (result);
-}
-
-static isc_result_t
-add_zone_tolist(dns_zone_t *zone, void *uap) {
-	struct dumpcontext *dctx = uap;
-	struct zonelistentry *zle;
-
-	zle = isc_mem_get(dctx->mctx, sizeof *zle);
-	if (zle ==  NULL)
-		return (ISC_R_NOMEMORY);
-	zle->zone = NULL;
-	dns_zone_attach(zone, &zle->zone);
-	ISC_LINK_INIT(zle, link);
-	ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
-	struct viewlistentry *vle;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	/*
-	 * Prevent duplicate views.
-	 */
-	for (vle = ISC_LIST_HEAD(dctx->viewlist);
-	     vle != NULL;
-	     vle = ISC_LIST_NEXT(vle, link))
-		if (vle->view == view)
-			return (ISC_R_SUCCESS);
-
-	vle = isc_mem_get(dctx->mctx, sizeof *vle);
-	if (vle == NULL)
-		return (ISC_R_NOMEMORY);
-	vle->view = NULL;
-	dns_view_attach(view, &vle->view);
-	ISC_LINK_INIT(vle, link);
-	ISC_LIST_INIT(vle->zonelist);
-	ISC_LIST_APPEND(dctx->viewlist, vle, link);
-	if (dctx->dumpzones)
-		result = dns_zt_apply(view->zonetable, ISC_TRUE,
-				      add_zone_tolist, dctx);
-	return (result);
-}
-
-static void
-dumpcontext_destroy(struct dumpcontext *dctx) {
-	struct viewlistentry *vle;
-	struct zonelistentry *zle;
-
-	vle = ISC_LIST_HEAD(dctx->viewlist);
-	while (vle != NULL) {
-		ISC_LIST_UNLINK(dctx->viewlist, vle, link);
-		zle = ISC_LIST_HEAD(vle->zonelist);
-		while (zle != NULL) {
-			ISC_LIST_UNLINK(vle->zonelist, zle, link);
-			dns_zone_detach(&zle->zone);
-			isc_mem_put(dctx->mctx, zle, sizeof *zle);
-			zle = ISC_LIST_HEAD(vle->zonelist);
-		}
-		dns_view_detach(&vle->view);
-		isc_mem_put(dctx->mctx, vle, sizeof *vle);
-		vle = ISC_LIST_HEAD(dctx->viewlist);
-	}
-	if (dctx->version != NULL)
-		dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
-	if (dctx->db != NULL)
-		dns_db_detach(&dctx->db);
-	if (dctx->cache != NULL)
-		dns_db_detach(&dctx->cache);
-	if (dctx->task != NULL)
-		isc_task_detach(&dctx->task);
-	if (dctx->fp != NULL)
-		(void)isc_stdio_close(dctx->fp);
-	if (dctx->mdctx != NULL)
-		dns_dumpctx_detach(&dctx->mdctx);
-	isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
-}
-
-static void
-dumpdone(void *arg, isc_result_t result) {
-	struct dumpcontext *dctx = arg;
-	char buf[1024+32];
-	const dns_master_style_t *style;
-
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	if (dctx->mdctx != NULL)
-		dns_dumpctx_detach(&dctx->mdctx);
-	if (dctx->view == NULL) {
-		dctx->view = ISC_LIST_HEAD(dctx->viewlist);
-		if (dctx->view == NULL)
-			goto done;
-		INSIST(dctx->zone == NULL);
-	} else
-		goto resume;
- nextview:
-	fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
- resume:
-	if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
-		fprintf(dctx->fp,
-			";\n; Cache of view '%s' is shared as '%s'\n",
-			dctx->view->view->name,
-			dns_cache_getname(dctx->view->view->cache));
-	} else if (dctx->zone == NULL && dctx->cache == NULL &&
-		   dctx->dumpcache)
-	{
-		style = &dns_master_style_cache;
-		/* start cache dump */
-		if (dctx->view->view->cachedb != NULL)
-			dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
-		if (dctx->cache != NULL) {
-			fprintf(dctx->fp,
-				";\n; Cache dump of view '%s' (cache %s)\n;\n",
-				dctx->view->view->name,
-				dns_cache_getname(dctx->view->view->cache));
-			result = dns_master_dumptostreaminc(dctx->mctx,
-							    dctx->cache, NULL,
-							    style, dctx->fp,
-							    dctx->task,
-							    dumpdone, dctx,
-							    &dctx->mdctx);
-			if (result == DNS_R_CONTINUE)
-				return;
-			if (result == ISC_R_NOTIMPLEMENTED)
-				fprintf(dctx->fp, "; %s\n",
-					dns_result_totext(result));
-			else if (result != ISC_R_SUCCESS)
-				goto cleanup;
-		}
-	}
-	if (dctx->cache != NULL) {
-		dns_adb_dump(dctx->view->view->adb, dctx->fp);
-		dns_resolver_printbadcache(dctx->view->view->resolver,
-					   dctx->fp);
-		dns_db_detach(&dctx->cache);
-	}
-	if (dctx->dumpzones) {
-		style = &dns_master_style_full;
- nextzone:
-		if (dctx->version != NULL)
-			dns_db_closeversion(dctx->db, &dctx->version,
-					    ISC_FALSE);
-		if (dctx->db != NULL)
-			dns_db_detach(&dctx->db);
-		if (dctx->zone == NULL)
-			dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
-		else
-			dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
-		if (dctx->zone != NULL) {
-			/* start zone dump */
-			dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
-			fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
-			result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(dctx->fp, "; %s\n",
-					dns_result_totext(result));
-				goto nextzone;
-			}
-			dns_db_currentversion(dctx->db, &dctx->version);
-			result = dns_master_dumptostreaminc(dctx->mctx,
-							    dctx->db,
-							    dctx->version,
-							    style, dctx->fp,
-							    dctx->task,
-							    dumpdone, dctx,
-							    &dctx->mdctx);
-			if (result == DNS_R_CONTINUE)
-				return;
-			if (result == ISC_R_NOTIMPLEMENTED) {
-				fprintf(dctx->fp, "; %s\n",
-					dns_result_totext(result));
-				result = ISC_R_SUCCESS;
-				POST(result);
-				goto nextzone;
-			}
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-		}
-	}
-	if (dctx->view != NULL)
-		dctx->view = ISC_LIST_NEXT(dctx->view, link);
-	if (dctx->view != NULL)
-		goto nextview;
- done:
-	fprintf(dctx->fp, "; Dump complete\n");
-	result = isc_stdio_flush(dctx->fp);
-	if (result == ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "dumpdb complete");
- cleanup:
-	if (result != ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "dumpdb failed: %s", dns_result_totext(result));
-	dumpcontext_destroy(dctx);
-}
-
-isc_result_t
-ns_server_dumpdb(ns_server_t *server, char *args) {
-	struct dumpcontext *dctx = NULL;
-	dns_view_t *view;
-	isc_result_t result;
-	char *ptr;
-	const char *sep;
-
-	/* Skip the command name. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	dctx = isc_mem_get(server->mctx, sizeof(*dctx));
-	if (dctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dctx->mctx = server->mctx;
-	dctx->dumpcache = ISC_TRUE;
-	dctx->dumpzones = ISC_FALSE;
-	dctx->fp = NULL;
-	ISC_LIST_INIT(dctx->viewlist);
-	dctx->view = NULL;
-	dctx->zone = NULL;
-	dctx->cache = NULL;
-	dctx->mdctx = NULL;
-	dctx->db = NULL;
-	dctx->cache = NULL;
-	dctx->task = NULL;
-	dctx->version = NULL;
-	isc_task_attach(server->task, &dctx->task);
-
-	CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
-		"could not open dump file", server->dumpfile);
-
-	sep = (args == NULL) ? "" : ": ";
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "dumpdb started%s%s", sep, (args != NULL) ? args : "");
-
-	ptr = next_token(&args, " \t");
-	if (ptr != NULL && strcmp(ptr, "-all") == 0) {
-		dctx->dumpzones = ISC_TRUE;
-		dctx->dumpcache = ISC_TRUE;
-		ptr = next_token(&args, " \t");
-	} else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
-		dctx->dumpzones = ISC_FALSE;
-		dctx->dumpcache = ISC_TRUE;
-		ptr = next_token(&args, " \t");
-	} else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
-		dctx->dumpzones = ISC_TRUE;
-		dctx->dumpcache = ISC_FALSE;
-		ptr = next_token(&args, " \t");
-	}
-
- nextview:
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link))
-	{
-		if (ptr != NULL && strcmp(view->name, ptr) != 0)
-			continue;
-		CHECK(add_view_tolist(dctx, view));
-	}
-	if (ptr != NULL) {
-		ptr = next_token(&args, " \t");
-		if (ptr != NULL)
-			goto nextview;
-	}
-	dumpdone(dctx, ISC_R_SUCCESS);
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (dctx != NULL)
-		dumpcontext_destroy(dctx);
-	return (result);
-}
-
-isc_result_t
-ns_server_dumpsecroots(ns_server_t *server, char *args) {
-	dns_view_t *view;
-	dns_keytable_t *secroots = NULL;
-	isc_result_t result;
-	char *ptr;
-	FILE *fp = NULL;
-	isc_time_t now;
-	char tbuf[64];
-
-	/* Skip the command name. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	ptr = next_token(&args, " \t");
-
-	CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
-		"could not open secroots dump file", server->secrootsfile);
-	TIME_NOW(&now);
-	isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
-	fprintf(fp, "%s\n", tbuf);
-
-	do {
-		for (view = ISC_LIST_HEAD(server->viewlist);
-		     view != NULL;
-		     view = ISC_LIST_NEXT(view, link))
-		{
-			if (ptr != NULL && strcmp(view->name, ptr) != 0)
-				continue;
-			if (secroots != NULL)
-				dns_keytable_detach(&secroots);
-			result = dns_view_getsecroots(view, &secroots);
-			if (result == ISC_R_NOTFOUND) {
-				result = ISC_R_SUCCESS;
-				continue;
-			}
-			fprintf(fp, "\n Start view %s\n\n", view->name);
-			result = dns_keytable_dump(secroots, fp);
-			if (result != ISC_R_SUCCESS)
-				fprintf(fp, " dumpsecroots failed: %s\n",
-					isc_result_totext(result));
-		}
-		if (ptr != NULL)
-			ptr = next_token(&args, " \t");
-	} while (ptr != NULL);
-
- cleanup:
-	if (secroots != NULL)
-		dns_keytable_detach(&secroots);
-	if (fp != NULL)
-		(void)isc_stdio_close(fp);
-	if (result == ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "dumpsecroots complete");
-	else
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "dumpsecroots failed: %s",
-			      dns_result_totext(result));
-	return (result);
-}
-
-isc_result_t
-ns_server_dumprecursing(ns_server_t *server) {
-	FILE *fp = NULL;
-	isc_result_t result;
-
-	CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
-		"could not open dump file", server->recfile);
-	fprintf(fp,";\n; Recursing Queries\n;\n");
-	ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
-	fprintf(fp, "; Dump complete\n");
-
- cleanup:
-	if (fp != NULL)
-		result = isc_stdio_close(fp);
-	if (result == ISC_R_SUCCESS)
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "dumprecursing complete");
-	else
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "dumprecursing failed: %s",
-			      dns_result_totext(result));
-	return (result);
-}
-
-isc_result_t
-ns_server_setdebuglevel(ns_server_t *server, char *args) {
-	char *ptr;
-	char *levelstr;
-	char *endp;
-	long newlevel;
-
-	UNUSED(server);
-
-	/* Skip the command name. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	/* Look for the new level name. */
-	levelstr = next_token(&args, " \t");
-	if (levelstr == NULL) {
-		if (ns_g_debuglevel < 99)
-			ns_g_debuglevel++;
-	} else {
-		newlevel = strtol(levelstr, &endp, 10);
-		if (*endp != '\0' || newlevel < 0 || newlevel > 99)
-			return (ISC_R_RANGE);
-		ns_g_debuglevel = (unsigned int)newlevel;
-	}
-	isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "debug level is now %d", ns_g_debuglevel);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_server_validation(ns_server_t *server, char *args) {
-	char *ptr, *viewname;
-	dns_view_t *view;
-	isc_boolean_t changed = ISC_FALSE;
-	isc_result_t result;
-	isc_boolean_t enable;
-
-	/* Skip the command name. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	/* Find out what we are to do. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
-	    !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
-		enable = ISC_TRUE;
-	else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
-		 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
-		enable = ISC_FALSE;
-	else
-		return (DNS_R_SYNTAX);
-
-	/* Look for the view name. */
-	viewname = next_token(&args, " \t");
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link))
-	{
-		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
-			continue;
-		result = dns_view_flushcache(view);
-		if (result != ISC_R_SUCCESS)
-			goto out;
-		view->enablevalidation = enable;
-		changed = ISC_TRUE;
-	}
-	if (changed)
-		result = ISC_R_SUCCESS;
-	else
-		result = ISC_R_FAILURE;
- out:
-	isc_task_endexclusive(server->task);
-	return (result);
-}
-
-isc_result_t
-ns_server_flushcache(ns_server_t *server, char *args) {
-	char *ptr, *viewname;
-	dns_view_t *view;
-	isc_boolean_t flushed;
-	isc_boolean_t found;
-	isc_result_t result;
-	ns_cache_t *nsc;
-
-	/* Skip the command name. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	/* Look for the view name. */
-	viewname = next_token(&args, " \t");
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	flushed = ISC_TRUE;
-	found = ISC_FALSE;
-
-	/*
-	 * Flushing a cache is tricky when caches are shared by multiple views.
-	 * We first identify which caches should be flushed in the local cache
-	 * list, flush these caches, and then update other views that refer to
-	 * the flushed cache DB.
-	 */
-	if (viewname != NULL) {
-		/*
-		 * Mark caches that need to be flushed.  This is an O(#view^2)
-		 * operation in the very worst case, but should be normally
-		 * much more lightweight because only a few (most typically just
-		 * one) views will match.
-		 */
-		for (view = ISC_LIST_HEAD(server->viewlist);
-		     view != NULL;
-		     view = ISC_LIST_NEXT(view, link))
-		{
-			if (strcasecmp(viewname, view->name) != 0)
-				continue;
-			found = ISC_TRUE;
-			for (nsc = ISC_LIST_HEAD(server->cachelist);
-			     nsc != NULL;
-			     nsc = ISC_LIST_NEXT(nsc, link)) {
-				if (nsc->cache == view->cache)
-					break;
-			}
-			INSIST(nsc != NULL);
-			nsc->needflush = ISC_TRUE;
-		}
-	} else
-		found = ISC_TRUE;
-
-	/* Perform flush */
-	for (nsc = ISC_LIST_HEAD(server->cachelist);
-	     nsc != NULL;
-	     nsc = ISC_LIST_NEXT(nsc, link)) {
-		if (viewname != NULL && !nsc->needflush)
-			continue;
-		nsc->needflush = ISC_TRUE;
-		result = dns_view_flushcache2(nsc->primaryview, ISC_FALSE);
-		if (result != ISC_R_SUCCESS) {
-			flushed = ISC_FALSE;
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "flushing cache in view '%s' failed: %s",
-				      nsc->primaryview->name,
-				      isc_result_totext(result));
-		}
-	}
-
-	/*
-	 * Fix up views that share a flushed cache: let the views update the
-	 * cache DB they're referring to.  This could also be an expensive
-	 * operation, but should typically be marginal: the inner loop is only
-	 * necessary for views that share a cache, and if there are many such
-	 * views the number of shared cache should normally be small.
-	 * A worst case is that we have n views and n/2 caches, each shared by
-	 * two views.  Then this will be a O(n^2/4) operation.
-	 */
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link))
-	{
-		if (!dns_view_iscacheshared(view))
-			continue;
-		for (nsc = ISC_LIST_HEAD(server->cachelist);
-		     nsc != NULL;
-		     nsc = ISC_LIST_NEXT(nsc, link)) {
-			if (!nsc->needflush || nsc->cache != view->cache)
-				continue;
-			result = dns_view_flushcache2(view, ISC_TRUE);
-			if (result != ISC_R_SUCCESS) {
-				flushed = ISC_FALSE;
-				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-					      "fixing cache in view '%s' "
-					      "failed: %s", view->name,
-					      isc_result_totext(result));
-			}
-		}
-	}
-
-	/* Cleanup the cache list. */
-	for (nsc = ISC_LIST_HEAD(server->cachelist);
-	     nsc != NULL;
-	     nsc = ISC_LIST_NEXT(nsc, link)) {
-		nsc->needflush = ISC_FALSE;
-	}
-
-	if (flushed && found) {
-		if (viewname != NULL)
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "flushing cache in view '%s' succeeded",
-				      viewname);
-		else
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "flushing caches in all views succeeded");
-		result = ISC_R_SUCCESS;
-	} else {
-		if (!found) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "flushing cache in view '%s' failed: "
-				      "view not found", viewname);
-			result = ISC_R_NOTFOUND;
-		} else
-			result = ISC_R_FAILURE;
-	}
-	isc_task_endexclusive(server->task);
-	return (result);
-}
-
-isc_result_t
-ns_server_flushnode(ns_server_t *server, char *args, isc_boolean_t tree) {
-	char *ptr, *target, *viewname;
-	dns_view_t *view;
-	isc_boolean_t flushed;
-	isc_boolean_t found;
-	isc_result_t result;
-	isc_buffer_t b;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-
-	/* Skip the command name. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	/* Find the domain name to flush. */
-	target = next_token(&args, " \t");
-	if (target == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	isc_buffer_constinit(&b, target, strlen(target));
-	isc_buffer_add(&b, strlen(target));
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/* Look for the view name. */
-	viewname = next_token(&args, " \t");
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	flushed = ISC_TRUE;
-	found = ISC_FALSE;
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link))
-	{
-		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
-			continue;
-		found = ISC_TRUE;
-		/*
-		 * It's a little inefficient to try flushing name for all views
-		 * if some of the views share a single cache.  But since the
-		 * operation is lightweight we prefer simplicity here.
-		 */
-		result = dns_view_flushnode(view, name, tree);
-		if (result != ISC_R_SUCCESS) {
-			flushed = ISC_FALSE;
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "flushing %s '%s' in cache view '%s' "
-				      "failed: %s",
-				      tree ? "tree" : "name",
-				      target, view->name,
-				      isc_result_totext(result));
-		}
-	}
-	if (flushed && found) {
-		if (viewname != NULL)
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "flushing %s '%s' in cache view '%s' "
-				      "succeeded",
-				      tree ? "tree" : "name",
-				      target, viewname);
-		else
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "flushing %s '%s' in all cache views "
-				      "succeeded",
-				      tree ? "tree" : "name",
-				      target);
-		result = ISC_R_SUCCESS;
-	} else {
-		if (!found)
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "flushing %s '%s' in cache view '%s' "
-				      "failed: view not found",
-				      tree ? "tree" : "name",
-				      target, viewname);
-		result = ISC_R_FAILURE;
-	}
-	isc_task_endexclusive(server->task);
-	return (result);
-}
-
-isc_result_t
-ns_server_status(ns_server_t *server, isc_buffer_t *text) {
-	int zonecount, xferrunning, xferdeferred, soaqueries;
-	unsigned int n;
-	const char *ob = "", *cb = "", *alt = "";
-
-	if (ns_g_server->version_set) {
-		ob = " (";
-		cb = ")";
-		if (ns_g_server->version == NULL)
-			alt = "version.bind/txt/ch disabled";
-		else
-			alt = ns_g_server->version;
-	}
-	zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
-	xferrunning = dns_zonemgr_getcount(server->zonemgr,
-					   DNS_ZONESTATE_XFERRUNNING);
-	xferdeferred = dns_zonemgr_getcount(server->zonemgr,
-					    DNS_ZONESTATE_XFERDEFERRED);
-	soaqueries = dns_zonemgr_getcount(server->zonemgr,
-					  DNS_ZONESTATE_SOAQUERY);
-
-	n = snprintf((char *)isc_buffer_used(text),
-		     isc_buffer_availablelength(text),
-		     "version: %s%s%s%s\n"
-#ifdef ISC_PLATFORM_USETHREADS
-		     "CPUs found: %u\n"
-		     "worker threads: %u\n"
-		     "UDP listeners per interface: %u\n"
-#endif
-		     "number of zones: %u\n"
-		     "debug level: %d\n"
-		     "xfers running: %u\n"
-		     "xfers deferred: %u\n"
-		     "soa queries in progress: %u\n"
-		     "query logging is %s\n"
-		     "recursive clients: %d/%d/%d\n"
-		     "tcp clients: %d/%d\n"
-		     "server is up and running",
-		     ns_g_version, ob, alt, cb,
-#ifdef ISC_PLATFORM_USETHREADS
-		     ns_g_cpus_detected, ns_g_cpus, ns_g_udpdisp,
-#endif
-		     zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
-		     soaqueries, server->log_queries ? "ON" : "OFF",
-		     server->recursionquota.used, server->recursionquota.soft,
-		     server->recursionquota.max,
-		     server->tcpquota.used, server->tcpquota.max);
-	if (n >= isc_buffer_availablelength(text))
-		return (ISC_R_NOSPACE);
-	isc_buffer_add(text, n);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-delete_keynames(dns_tsig_keyring_t *ring, char *target,
-		unsigned int *foundkeys)
-{
-	char namestr[DNS_NAME_FORMATSIZE];
-	isc_result_t result;
-	dns_rbtnodechain_t chain;
-	dns_name_t foundname;
-	dns_fixedname_t fixedorigin;
-	dns_name_t *origin;
-	dns_rbtnode_t *node;
-	dns_tsigkey_t *tkey;
-
-	dns_name_init(&foundname, NULL);
-	dns_fixedname_init(&fixedorigin);
-	origin = dns_fixedname_name(&fixedorigin);
-
- again:
-	dns_rbtnodechain_init(&chain, ring->mctx);
-	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
-					origin);
-	if (result == ISC_R_NOTFOUND) {
-		dns_rbtnodechain_invalidate(&chain);
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-		dns_rbtnodechain_invalidate(&chain);
-		return (result);
-	}
-
-	for (;;) {
-		node = NULL;
-		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
-		tkey = node->data;
-
-		if (tkey != NULL) {
-			if (!tkey->generated)
-				goto nextkey;
-
-			dns_name_format(&tkey->name, namestr, sizeof(namestr));
-			if (strcmp(namestr, target) == 0) {
-				(*foundkeys)++;
-				dns_rbtnodechain_invalidate(&chain);
-				(void)dns_rbt_deletename(ring->keys,
-							 &tkey->name,
-							 ISC_FALSE);
-				goto again;
-			}
-		}
-
-	nextkey:
-		result = dns_rbtnodechain_next(&chain, &foundname, origin);
-		if (result == ISC_R_NOMORE)
-			break;
-		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-			dns_rbtnodechain_invalidate(&chain);
-			return (result);
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
-	isc_result_t result;
-	unsigned int n;
-	dns_view_t *view;
-	unsigned int foundkeys = 0;
-	char *target;
-	char *viewname;
-
-	(void)next_token(&command, " \t");  /* skip command name */
-	target = next_token(&command, " \t");
-	if (target == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-	viewname = next_token(&command, " \t");
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-		if (viewname == NULL || strcmp(view->name, viewname) == 0) {
-			RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
-			result = delete_keynames(view->dynamickeys, target,
-						 &foundkeys);
-			RWUNLOCK(&view->dynamickeys->lock,
-				 isc_rwlocktype_write);
-			if (result != ISC_R_SUCCESS) {
-				isc_task_endexclusive(server->task);
-				return (result);
-			}
-		}
-	}
-	isc_task_endexclusive(server->task);
-
-	n = snprintf((char *)isc_buffer_used(text),
-		     isc_buffer_availablelength(text),
-		     "%d tsig keys deleted.\n", foundkeys);
-	if (n >= isc_buffer_availablelength(text))
-		return (ISC_R_NOSPACE);
-	isc_buffer_add(text, n);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
-	     unsigned int *foundkeys)
-{
-	char namestr[DNS_NAME_FORMATSIZE];
-	char creatorstr[DNS_NAME_FORMATSIZE];
-	isc_result_t result;
-	dns_rbtnodechain_t chain;
-	dns_name_t foundname;
-	dns_fixedname_t fixedorigin;
-	dns_name_t *origin;
-	dns_rbtnode_t *node;
-	dns_tsigkey_t *tkey;
-	unsigned int n;
-	const char *viewname;
-
-	if (view != NULL)
-		viewname = view->name;
-	else
-		viewname = "(global)";
-
-	dns_name_init(&foundname, NULL);
-	dns_fixedname_init(&fixedorigin);
-	origin = dns_fixedname_name(&fixedorigin);
-	dns_rbtnodechain_init(&chain, ring->mctx);
-	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
-					origin);
-	if (result == ISC_R_NOTFOUND) {
-		dns_rbtnodechain_invalidate(&chain);
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-		dns_rbtnodechain_invalidate(&chain);
-		return (result);
-	}
-
-	for (;;) {
-		node = NULL;
-		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
-		tkey = node->data;
-
-		if (tkey != NULL) {
-			(*foundkeys)++;
-			dns_name_format(&tkey->name, namestr, sizeof(namestr));
-			if (tkey->generated) {
-				dns_name_format(tkey->creator, creatorstr,
-						sizeof(creatorstr));
-				n = snprintf((char *)isc_buffer_used(text),
-					     isc_buffer_availablelength(text),
-					     "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
-					     viewname, namestr, creatorstr);
-			} else {
-				n = snprintf((char *)isc_buffer_used(text),
-					     isc_buffer_availablelength(text),
-					     "view \"%s\"; type \"static\"; key \"%s\";\n",
-					     viewname, namestr);
-			}
-			if (n >= isc_buffer_availablelength(text)) {
-				dns_rbtnodechain_invalidate(&chain);
-				return (ISC_R_NOSPACE);
-			}
-			isc_buffer_add(text, n);
-		}
-		result = dns_rbtnodechain_next(&chain, &foundname, origin);
-		if (result == ISC_R_NOMORE)
-			break;
-		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-			dns_rbtnodechain_invalidate(&chain);
-			return (result);
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
-	isc_result_t result;
-	unsigned int n;
-	dns_view_t *view;
-	unsigned int foundkeys = 0;
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-		RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
-		result = list_keynames(view, view->statickeys, text,
-				       &foundkeys);
-		RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
-		if (result != ISC_R_SUCCESS) {
-			isc_task_endexclusive(server->task);
-			return (result);
-		}
-		RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
-		result = list_keynames(view, view->dynamickeys, text,
-				       &foundkeys);
-		RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
-		if (result != ISC_R_SUCCESS) {
-			isc_task_endexclusive(server->task);
-			return (result);
-		}
-	}
-	isc_task_endexclusive(server->task);
-
-	if (foundkeys == 0) {
-		n = snprintf((char *)isc_buffer_used(text),
-			     isc_buffer_availablelength(text),
-			     "no tsig keys found.\n");
-		if (n >= isc_buffer_availablelength(text))
-			return (ISC_R_NOSPACE);
-		isc_buffer_add(text, n);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Act on a "sign" or "loadkeys" command from the command channel.
- */
-isc_result_t
-ns_server_rekey(ns_server_t *server, char *args) {
-	isc_result_t result;
-	dns_zone_t *zone = NULL;
-	dns_zonetype_t type;
-	isc_uint16_t keyopts;
-	isc_boolean_t fullsign = ISC_FALSE;
-
-	if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
-	    fullsign = ISC_TRUE;
-
-	result = zone_from_args(server, args, NULL, &zone, NULL, ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (zone == NULL)
-		return (ISC_R_UNEXPECTEDEND);   /* XXX: or do all zones? */
-
-	type = dns_zone_gettype(zone);
-	if (type != dns_zone_master) {
-		dns_zone_detach(&zone);
-		return (DNS_R_NOTMASTER);
-	}
-
-	keyopts = dns_zone_getkeyopts(zone);
-
-	/* "rndc loadkeys" requires "auto-dnssec maintain". */
-	if ((keyopts & DNS_ZONEKEY_ALLOW) == 0)
-		result = ISC_R_NOPERM;
-	else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign)
-		result = ISC_R_NOPERM;
-	else
-		dns_zone_rekey(zone, fullsign);
-
-	dns_zone_detach(&zone);
-	return (result);
-}
-
-/*
- * Act on a "sync" command from the command channel.
-*/
-static isc_result_t
-synczone(dns_zone_t *zone, void *uap) {
-	isc_boolean_t cleanup = *(isc_boolean_t *)uap;
-	isc_result_t result;
-	dns_zone_t *raw = NULL;
-	char *journal;
-
-	dns_zone_getraw(zone, &raw);
-	if (raw != NULL) {
-		synczone(raw, uap);
-		dns_zone_detach(&raw);
-	}
-
-	result = dns_zone_flush(zone);
-	if (result != ISC_R_SUCCESS)
-		cleanup = ISC_FALSE;
-	if (cleanup) {
-		journal = dns_zone_getjournal(zone);
-		if (journal != NULL)
-			(void)isc_file_remove(journal);
-	}
-
-	return (result);
-}
-
-isc_result_t
-ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) {
-	isc_result_t result, tresult;
-	dns_view_t *view;
-	dns_zone_t *zone = NULL;
-	char classstr[DNS_RDATACLASS_FORMATSIZE];
-	char zonename[DNS_NAME_FORMATSIZE];
-	const char *vname, *sep, *msg = NULL, *arg;
-	isc_boolean_t cleanup = ISC_FALSE;
-
-	(void) next_token(&args, " \t");
-
-	arg = next_token(&args, " \t");
-	if (arg != NULL &&
-	    (strcmp(arg, "-clean") == 0 || strcmp(arg, "-clear") == 0)) {
-		cleanup = ISC_TRUE;
-		arg = next_token(&args, " \t");
-	}
-
-	result = zone_from_args(server, args, arg, &zone, NULL, ISC_FALSE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (zone == NULL) {
-		result = isc_task_beginexclusive(server->task);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		tresult = ISC_R_SUCCESS;
-		for (view = ISC_LIST_HEAD(server->viewlist);
-		     view != NULL;
-		     view = ISC_LIST_NEXT(view, link)) {
-			result = dns_zt_apply(view->zonetable, ISC_FALSE,
-					      synczone, &cleanup);
-			if (result != ISC_R_SUCCESS &&
-			    tresult == ISC_R_SUCCESS)
-				tresult = result;
-		}
-		isc_task_endexclusive(server->task);
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "dumping all zones%s: %s",
-			      cleanup ? ", removing journal files" : "",
-			      isc_result_totext(result));
-		return (tresult);
-	}
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	result = synczone(zone, &cleanup);
-	isc_task_endexclusive(server->task);
-
-	if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
-		isc_buffer_putmem(text, (const unsigned char *)msg,
-				  strlen(msg) + 1);
-
-	view = dns_zone_getview(zone);
-	if (strcmp(view->name, "_default") == 0 ||
-	    strcmp(view->name, "_bind") == 0)
-	{
-		vname = "";
-		sep = "";
-	} else {
-		vname = view->name;
-		sep = " ";
-	}
-	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
-			      sizeof(classstr));
-	dns_name_format(dns_zone_getorigin(zone),
-			zonename, sizeof(zonename));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "sync: dumping zone '%s/%s'%s%s%s: %s",
-		      zonename, classstr, sep, vname,
-		      cleanup ? ", removing journal file" : "",
-		      isc_result_totext(result));
-	dns_zone_detach(&zone);
-	return (result);
-}
-
-/*
- * Act on a "freeze" or "thaw" command from the command channel.
- */
-isc_result_t
-ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
-		 isc_buffer_t *text)
-{
-	isc_result_t result, tresult;
-	dns_zone_t *zone = NULL, *raw = NULL;
-	dns_zonetype_t type;
-	char classstr[DNS_RDATACLASS_FORMATSIZE];
-	char zonename[DNS_NAME_FORMATSIZE];
-	dns_view_t *view;
-	const char *vname, *sep;
-	isc_boolean_t frozen;
-	const char *msg = NULL;
-
-	result = zone_from_args(server, args, NULL, &zone, NULL, ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (zone == NULL) {
-		result = isc_task_beginexclusive(server->task);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		tresult = ISC_R_SUCCESS;
-		for (view = ISC_LIST_HEAD(server->viewlist);
-		     view != NULL;
-		     view = ISC_LIST_NEXT(view, link)) {
-			result = dns_view_freezezones(view, freeze);
-			if (result != ISC_R_SUCCESS &&
-			    tresult == ISC_R_SUCCESS)
-				tresult = result;
-		}
-		isc_task_endexclusive(server->task);
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "%s all zones: %s",
-			      freeze ? "freezing" : "thawing",
-			      isc_result_totext(tresult));
-		return (tresult);
-	}
-	dns_zone_getraw(zone, &raw);
-	if (raw != NULL) {
-		dns_zone_detach(&zone);
-		dns_zone_attach(raw, &zone);
-		dns_zone_detach(&raw);
-	}
-	type = dns_zone_gettype(zone);
-	if (type != dns_zone_master) {
-		dns_zone_detach(&zone);
-		return (DNS_R_NOTMASTER);
-	}
-
-	if (freeze && !dns_zone_isdynamic(zone, ISC_TRUE)) {
-		dns_zone_detach(&zone);
-		return (DNS_R_NOTDYNAMIC);
-	}
-
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	frozen = dns_zone_getupdatedisabled(zone);
-	if (freeze) {
-		if (frozen) {
-			msg = "WARNING: The zone was already frozen.\n"
-			      "Someone else may be editing it or "
-			      "it may still be re-loading.";
-			result = DNS_R_FROZEN;
-		}
-		if (result == ISC_R_SUCCESS) {
-			result = dns_zone_flush(zone);
-			if (result != ISC_R_SUCCESS)
-				msg = "Flushing the zone updates to "
-				      "disk failed.";
-		}
-		if (result == ISC_R_SUCCESS)
-			dns_zone_setupdatedisabled(zone, freeze);
-	} else {
-		if (frozen) {
-			result = dns_zone_loadandthaw(zone);
-			switch (result) {
-			case ISC_R_SUCCESS:
-			case DNS_R_UPTODATE:
-				msg = "The zone reload and thaw was "
-				      "successful.";
-				result = ISC_R_SUCCESS;
-				break;
-			case DNS_R_CONTINUE:
-				msg = "A zone reload and thaw was started.\n"
-				      "Check the logs to see the result.";
-				result = ISC_R_SUCCESS;
-				break;
-			}
-		}
-	}
-	isc_task_endexclusive(server->task);
-
-	if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
-		isc_buffer_putmem(text, (const unsigned char *)msg,
-				  strlen(msg) + 1);
-
-	view = dns_zone_getview(zone);
-	if (strcmp(view->name, "_default") == 0 ||
-	    strcmp(view->name, "_bind") == 0)
-	{
-		vname = "";
-		sep = "";
-	} else {
-		vname = view->name;
-		sep = " ";
-	}
-	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
-			      sizeof(classstr));
-	dns_name_format(dns_zone_getorigin(zone),
-			zonename, sizeof(zonename));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "%s zone '%s/%s'%s%s: %s",
-		      freeze ? "freezing" : "thawing",
-		      zonename, classstr, sep, vname,
-		      isc_result_totext(result));
-	dns_zone_detach(&zone);
-	return (result);
-}
-
-#ifdef HAVE_LIBSCF
-/*
- * This function adds a message for rndc to echo if named
- * is managed by smf and is also running chroot.
- */
-isc_result_t
-ns_smf_add_message(isc_buffer_t *text) {
-	unsigned int n;
-
-	n = snprintf((char *)isc_buffer_used(text),
-		isc_buffer_availablelength(text),
-		"use svcadm(1M) to manage named");
-	if (n >= isc_buffer_availablelength(text))
-		return (ISC_R_NOSPACE);
-	isc_buffer_add(text, n);
-	return (ISC_R_SUCCESS);
-}
-#endif /* HAVE_LIBSCF */
-
-/*
- * Act on an "addzone" command from the command channel.
- */
-isc_result_t
-ns_server_add_zone(ns_server_t *server, char *args) {
-	isc_result_t	     result;
-	isc_buffer_t	     argbuf;
-	size_t		     arglen;
-	cfg_parser_t	    *parser = NULL;
-	cfg_obj_t	    *config = NULL;
-	const cfg_obj_t	    *vconfig = NULL;
-	const cfg_obj_t	    *views = NULL;
-	const cfg_obj_t     *parms = NULL;
-	const cfg_obj_t     *obj = NULL;
-	const cfg_listelt_t *element;
-	const char	    *zonename;
-	const char	    *classname = NULL;
-	const char	    *argp;
-	const char	    *viewname = NULL;
-	dns_rdataclass_t     rdclass;
-	dns_view_t	    *view = 0;
-	isc_buffer_t	     buf, *nbuf = NULL;
-	dns_name_t	     dnsname;
-	dns_zone_t	    *zone = NULL;
-	FILE		    *fp = NULL;
-	struct cfg_context  *cfg = NULL;
-
-	/* Try to parse the argument string */
-	arglen = strlen(args);
-	isc_buffer_init(&argbuf, args, arglen);
-	isc_buffer_add(&argbuf, strlen(args));
-	CHECK(cfg_parser_create(server->mctx, ns_g_lctx, &parser));
-	CHECK(cfg_parse_buffer(parser, &argbuf, &cfg_type_addzoneconf,
-			       &config));
-	CHECK(cfg_map_get(config, "addzone", &parms));
-
-	zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
-	isc_buffer_constinit(&buf, zonename, strlen(zonename));
-	isc_buffer_add(&buf, strlen(zonename));
-	dns_name_init(&dnsname, NULL);
-	isc_buffer_allocate(server->mctx, &nbuf, 256);
-	dns_name_setbuffer(&dnsname, nbuf);
-	CHECK(dns_name_fromtext(&dnsname, &buf, dns_rootname, ISC_FALSE, NULL));
-
-	/* Make sense of optional class argument */
-	obj = cfg_tuple_get(parms, "class");
-	CHECK(ns_config_getclass(obj, dns_rdataclass_in, &rdclass));
-	if (rdclass != dns_rdataclass_in && obj)
-		classname = cfg_obj_asstring(obj);
-
-	/* Make sense of optional view argument */
-	obj = cfg_tuple_get(parms, "view");
-	if (obj && cfg_obj_isstring(obj))
-		viewname = cfg_obj_asstring(obj);
-	if (viewname == NULL || *viewname == '\0')
-		viewname = "_default";
-	CHECK(dns_viewlist_find(&server->viewlist, viewname, rdclass, &view));
-
-	/* Are we accepting new zones? */
-	if (view->new_zone_file == NULL) {
-		result = ISC_R_NOPERM;
-		goto cleanup;
-	}
-
-	cfg = (struct cfg_context *) view->new_zone_config;
-	if (cfg == NULL) {
-		result = ISC_R_FAILURE;
-		goto cleanup;
-	}
-
-	/* Zone shouldn't already exist */
-	result = dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone);
-	if (result == ISC_R_SUCCESS) {
-		result = ISC_R_EXISTS;
-		goto cleanup;
-	} else if (result == DNS_R_PARTIALMATCH) {
-		/* Create our sub-zone anyway */
-		dns_zone_detach(&zone);
-		zone = NULL;
-	}
-	else if (result != ISC_R_NOTFOUND)
-		goto cleanup;
-
-	/* Find the view statement */
-	cfg_map_get(cfg->config, "view", &views);
-	for (element = cfg_list_first(views);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const char *vname;
-		vconfig = cfg_listelt_value(element);
-		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
-		if (vname && !strcasecmp(vname, viewname))
-			break;
-		vconfig = NULL;
-	}
-
-	/* Open save file for write configuration */
-	CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
-
-	/* Mark view unfrozen so that zone can be added */
-	result = isc_task_beginexclusive(server->task);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	dns_view_thaw(view);
-	result = configure_zone(cfg->config, parms, vconfig,
-				server->mctx, view, cfg->actx, ISC_FALSE);
-	dns_view_freeze(view);
-	isc_task_endexclusive(server->task);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/* Is it there yet? */
-	CHECK(dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone));
-
-	/*
-	 * Load the zone from the master file.  If this fails, we'll
-	 * need to undo the configuration we've done already.
-	 */
-	result = dns_zone_loadnew(zone);
-	if (result != ISC_R_SUCCESS) {
-		dns_db_t *dbp = NULL;
-
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "addzone failed; reverting.");
-
-		/* If the zone loaded partially, unload it */
-		if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
-			dns_db_detach(&dbp);
-			dns_zone_unload(zone);
-		}
-
-		/* Remove the zone from the zone table */
-		dns_zt_unmount(view->zonetable, zone);
-		goto cleanup;
-	}
-
-	/* Flag the zone as having been added at runtime */
-	dns_zone_setadded(zone, ISC_TRUE);
-
-	/* Emit just the zone name from args */
-	CHECK(isc_stdio_write("zone ", 5, 1, fp, NULL));
-	CHECK(isc_stdio_write(zonename, strlen(zonename), 1, fp, NULL));
-	CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
-
-	/* Classname, if not default */
-	if (classname != NULL && *classname != '\0') {
-		CHECK(isc_stdio_write(classname, strlen(classname), 1, fp,
-				      NULL));
-		CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
-	}
-
-	/* Find beginning of option block from args */
-	for (argp = args; *argp; argp++, arglen--) {
-		if (*argp == '{') {	/* Assume matching '}' */
-			/* Add that to our file */
-			CHECK(isc_stdio_write(argp, arglen, 1, fp, NULL));
-
-			/* Make sure we end with a LF */
-			if (argp[arglen-1] != '\n') {
-				CHECK(isc_stdio_write("\n", 1, 1, fp, NULL));
-			}
-			break;
-		}
-	}
-
-	CHECK(isc_stdio_close(fp));
-	fp = NULL;
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				  NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-				  "zone %s added to view %s via addzone",
-				  zonename, viewname);
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	if (fp != NULL)
-		isc_stdio_close(fp);
-	if (parser != NULL) {
-		if (config != NULL)
-			cfg_obj_destroy(parser, &config);
-		cfg_parser_destroy(&parser);
-	}
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	if (view != NULL)
-		dns_view_detach(&view);
-	if (nbuf != NULL)
-		isc_buffer_free(&nbuf);
-
-	return (result);
-}
-
-/*
- * Act on a "delzone" command from the command channel.
- */
-isc_result_t
-ns_server_del_zone(ns_server_t *server, char *args) {
-	isc_result_t	       result;
-	dns_zone_t	      *zone = NULL;
-	dns_view_t	      *view = NULL;
-	dns_db_t	      *dbp = NULL;
-	const char	      *filename = NULL;
-	char		      *tmpname = NULL;
-	char		       buf[1024];
-	const char	      *zonename = NULL;
-	size_t		       znamelen = 0;
-	FILE		      *ifp = NULL, *ofp = NULL;
-
-	/* Parse parameters */
-	CHECK(zone_from_args(server, args, NULL, &zone, &zonename, ISC_TRUE));
-
-	if (zone == NULL) {
-		result = ISC_R_UNEXPECTEDEND;
-		goto cleanup;
-	}
-
-	/*
-	 * Was this zone originally added at runtime?
-	 * If not, we can't delete it now.
-	 */
-	if (!dns_zone_getadded(zone)) {
-		result = ISC_R_NOPERM;
-		goto cleanup;
-	}
-
-	INSIST(zonename != NULL);
-	znamelen = strlen(zonename);
-
-	/* Dig out configuration for this zone */
-	view = dns_zone_getview(zone);
-	filename = view->new_zone_file;
-	if (filename == NULL) {
-		/* No adding zones in this view */
-		result = ISC_R_FAILURE;
-		goto cleanup;
-	}
-
-	/* Rewrite zone list */
-	result = isc_stdio_open(filename, "r", &ifp);
-	if (ifp != NULL && result == ISC_R_SUCCESS) {
-		char *found = NULL, *p = NULL;
-		size_t n;
-
-		/* Create a temporary file */
-		CHECK(isc_string_printf(buf, 1023, "%s.%ld", filename,
-					(long)getpid()));
-		if (!(tmpname = isc_mem_strdup(server->mctx, buf))) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-		CHECK(isc_stdio_open(tmpname, "w", &ofp));
-
-		/* Look for the entry for that zone */
-		while (fgets(buf, 1024, ifp)) {
-			/* A 'zone' line */
-			if (strncasecmp(buf, "zone", 4)) {
-				fputs(buf, ofp);
-				continue;
-			}
-			p = buf+4;
-
-			/* Locate a name */
-			while (*p &&
-			       ((*p == '"') || isspace((unsigned char)*p)))
-				p++;
-
-			/* Is that the zone we're looking for */
-			if (strncasecmp(p, zonename, znamelen)) {
-				fputs(buf, ofp);
-				continue;
-			}
-
-			/* And nothing else? */
-			p += znamelen;
-			if (isspace((unsigned char)*p) ||
-			    *p == '"' || *p == '{') {
-				/* This must be the entry */
-				found = p;
-				break;
-			}
-
-			/* Spit it out, keep looking */
-			fputs(buf, ofp);
-		}
-
-		/* Skip over an option block (matching # of braces) */
-		if (found) {
-			int obrace = 0, cbrace = 0;
-			for (;;) {
-				while (*p) {
-					if (*p == '{') obrace++;
-					if (*p == '}') cbrace++;
-					p++;
-				}
-				if (obrace && (obrace == cbrace))
-					break;
-				if (!fgets(buf, 1024, ifp))
-					break;
-				p = buf;
-			}
-
-			/* Just spool the remainder of the file out */
-			result = isc_stdio_read(buf, 1, 1024, ifp, &n);
-			while (n > 0U) {
-				if (result == ISC_R_EOF)
-					result = ISC_R_SUCCESS;
-				CHECK(result);
-				isc_stdio_write(buf, 1, n, ofp, NULL);
-				result = isc_stdio_read(buf, 1, 1024, ifp, &n);
-			}
-
-			/* Move temporary into place */
-			CHECK(isc_file_rename(tmpname, view->new_zone_file));
-		} else {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-				      "deleted zone %s was missing from "
-				      "new zone file", zonename);
-			goto cleanup;
-		}
-	}
-
-	/* Stop answering for this zone */
-	if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
-		dns_db_detach(&dbp);
-		dns_zone_unload(zone);
-	}
-
-	CHECK(dns_zt_unmount(view->zonetable, zone));
-
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				  NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-				  "zone %s removed via delzone", zonename);
-
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	if (ifp != NULL)
-		isc_stdio_close(ifp);
-	if (ofp != NULL) {
-		isc_stdio_close(ofp);
-		isc_file_remove(tmpname);
-	}
-	if (tmpname != NULL)
-		isc_mem_free(server->mctx, tmpname);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-
-	return (result);
-}
-
-static void
-newzone_cfgctx_destroy(void **cfgp) {
-	struct cfg_context *cfg;
-
-	REQUIRE(cfgp != NULL && *cfgp != NULL);
-
-	cfg = *cfgp;
-
-	if (cfg->actx != NULL)
-		cfg_aclconfctx_detach(&cfg->actx);
-
-	if (cfg->parser != NULL) {
-		if (cfg->config != NULL)
-			cfg_obj_destroy(cfg->parser, &cfg->config);
-		cfg_parser_destroy(&cfg->parser);
-	}
-	if (cfg->nzparser != NULL) {
-		if (cfg->nzconfig != NULL)
-			cfg_obj_destroy(cfg->nzparser, &cfg->nzconfig);
-		cfg_parser_destroy(&cfg->nzparser);
-	}
-
-	isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
-	*cfgp = NULL;
-}
-
-isc_result_t
-ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_zone_t *zone = NULL;
-	dns_name_t *origin;
-	dns_db_t *db = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_rdatatype_t privatetype;
-	dns_rdataset_t privset;
-	isc_boolean_t first = ISC_TRUE;
-	isc_boolean_t list = ISC_FALSE, clear = ISC_FALSE;
-	isc_boolean_t chain = ISC_FALSE;
-	char keystr[DNS_SECALG_FORMATSIZE + 7];
-	unsigned short hash = 0, flags = 0, iter = 0, saltlen = 0;
-	unsigned char salt[255];
-	const char *ptr;
-	size_t n;
-
-	dns_rdataset_init(&privset);
-
-	/* Skip the command name. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	/* Find out what we are to do. */
-	ptr = next_token(&args, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
-
-	if (strcasecmp(ptr, "-list") == 0)
-		list = ISC_TRUE;
-	else if ((strcasecmp(ptr, "-clear") == 0)  ||
-		 (strcasecmp(ptr, "-clean") == 0)) {
-		clear = ISC_TRUE;
-		ptr = next_token(&args, " \t");
-		if (ptr == NULL)
-			return (ISC_R_UNEXPECTEDEND);
-		memcpy(keystr, ptr, sizeof(keystr));
-	} else if(strcasecmp(ptr, "-nsec3param") == 0) {
-		const char *hashstr, *flagstr, *iterstr;
-		char nbuf[512];
-
-		chain = ISC_TRUE;
-		hashstr = next_token(&args, " \t");
-		if (hashstr == NULL)
-			return (ISC_R_UNEXPECTEDEND);
-
-		if (strcasecmp(hashstr, "none") == 0)
-			hash = 0;
-		else {
-			flagstr = next_token(&args, " \t");
-			iterstr = next_token(&args, " \t");
-			if (flagstr == NULL || iterstr == NULL)
-				return (ISC_R_UNEXPECTEDEND);
-
-			n = snprintf(nbuf, sizeof(nbuf), "%s %s %s",
-				     hashstr, flagstr, iterstr);
-			if (n == sizeof(nbuf))
-				return (ISC_R_NOSPACE);
-			n = sscanf(nbuf, "%hu %hu %hu", &hash, &flags, &iter);
-			if (n != 3U)
-				return (ISC_R_BADNUMBER);
-
-			if (hash > 0xffU || flags > 0xffU)
-				return (ISC_R_RANGE);
-
-			ptr = next_token(&args, " \t");
-			if (ptr == NULL)
-				return (ISC_R_UNEXPECTEDEND);
-			if (strcmp(ptr, "-") != 0) {
-				isc_buffer_t buf;
-
-				isc_buffer_init(&buf, salt, sizeof(salt));
-				CHECK(isc_hex_decodestring(ptr, &buf));
-				saltlen = isc_buffer_usedlength(&buf);
-			}
-		}
-	} else
-		CHECK(DNS_R_SYNTAX);
-
-	CHECK(zone_from_args(server, args, NULL, &zone, NULL, ISC_FALSE));
-	if (zone == NULL)
-		CHECK(ISC_R_UNEXPECTEDEND);
-
-	if (clear) {
-		CHECK(dns_zone_keydone(zone, keystr));
-		isc_buffer_putstr(text, "request queued");
-		isc_buffer_putuint8(text, 0);
-	} else if (chain) {
-		CHECK(dns_zone_setnsec3param(zone, (isc_uint8_t)hash,
-					     (isc_uint8_t)flags, iter,
-					     (isc_uint8_t)saltlen, salt,
-					     ISC_TRUE));
-		isc_buffer_putstr(text, "request queued");
-		isc_buffer_putuint8(text, 0);
-	} else if (list) {
-		privatetype = dns_zone_getprivatetype(zone);
-		origin = dns_zone_getorigin(zone);
-		CHECK(dns_zone_getdb(zone, &db));
-		CHECK(dns_db_findnode(db, origin, ISC_FALSE, &node));
-		dns_db_currentversion(db, &version);
-
-		result = dns_db_findrdataset(db, node, version, privatetype,
-					     dns_rdatatype_none, 0,
-					     &privset, NULL);
-		if (result == ISC_R_NOTFOUND) {
-			isc_buffer_putstr(text, "No signing records found");
-			isc_buffer_putuint8(text, 0);
-			result = ISC_R_SUCCESS;
-			goto cleanup;
-		}
-
-		for (result = dns_rdataset_first(&privset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&privset))
-		{
-			dns_rdata_t priv = DNS_RDATA_INIT;
-			char output[BUFSIZ];
-			isc_buffer_t buf;
-
-			dns_rdataset_current(&privset, &priv);
-
-			isc_buffer_init(&buf, output, sizeof(output));
-			CHECK(dns_private_totext(&priv, &buf));
-
-			if (!first)
-				isc_buffer_putstr(text, "\n");
-			first = ISC_FALSE;
-
-			n = snprintf((char *)isc_buffer_used(text),
-				     isc_buffer_availablelength(text),
-				     "%s", output);
-			if (n >= isc_buffer_availablelength(text))
-				CHECK(ISC_R_NOSPACE);
-
-			isc_buffer_add(text, n);
-		}
-
-		if (result == ISC_R_NOMORE)
-			result = ISC_R_SUCCESS;
-	}
-
- cleanup:
-	if (dns_rdataset_isassociated(&privset))
-		dns_rdataset_disassociate(&privset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (version != NULL)
-		dns_db_closeversion(db, &version, ISC_FALSE);
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-
-	return (result);
-}
diff --git a/contrib/bind9/bin/named/sortlist.c b/contrib/bind9/bin/named/sortlist.c
deleted file mode 100644
index daefa07..0000000
--- a/contrib/bind9/bin/named/sortlist.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sortlist.c,v 1.17 2007/09/14 01:46:05 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/result.h>
-
-#include <named/globals.h>
-#include <named/server.h>
-#include <named/sortlist.h>
-
-ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
-		  const void **argp)
-{
-	unsigned int i;
-
-	if (acl == NULL)
-		goto dont_sort;
-
-	for (i = 0; i < acl->length; i++) {
-		/*
-		 * 'e' refers to the current 'top level statement'
-		 * in the sortlist (see ARM).
-		 */
-		dns_aclelement_t *e = &acl->elements[i];
-		dns_aclelement_t *try_elt;
-		dns_aclelement_t *order_elt = NULL;
-		const dns_aclelement_t *matched_elt = NULL;
-
-		if (e->type == dns_aclelementtype_nestedacl) {
-			dns_acl_t *inner = e->nestedacl;
-
-			if (inner->length == 0)
-				try_elt = e;
-			else if (inner->length > 2)
-				goto dont_sort;
-			else if (inner->elements[0].negative)
-				goto dont_sort;
-			else {
-				try_elt = &inner->elements[0];
-				if (inner->length == 2)
-					order_elt = &inner->elements[1];
-			}
-		} else {
-			/*
-			 * BIND 8 allows bare elements at the top level
-			 * as an undocumented feature.
-			 */
-			try_elt = e;
-		}
-
-		if (dns_aclelement_match(clientaddr, NULL, try_elt,
-					 &ns_g_server->aclenv,
-					 &matched_elt)) {
-			if (order_elt != NULL) {
-				if (order_elt->type ==
-				    dns_aclelementtype_nestedacl) {
-					*argp = order_elt->nestedacl;
-					return (NS_SORTLISTTYPE_2ELEMENT);
-				} else if (order_elt->type ==
-					   dns_aclelementtype_localhost &&
-					   ns_g_server->aclenv.localhost != NULL) {
-					*argp = ns_g_server->aclenv.localhost;
-					return (NS_SORTLISTTYPE_2ELEMENT);
-				} else if (order_elt->type ==
-					   dns_aclelementtype_localnets &&
-					   ns_g_server->aclenv.localnets != NULL) {
-					*argp = ns_g_server->aclenv.localnets;
-					return (NS_SORTLISTTYPE_2ELEMENT);
-				} else {
-					/*
-					 * BIND 8 allows a bare IP prefix as
-					 * the 2nd element of a 2-element
-					 * sortlist statement.
-					 */
-					*argp = order_elt;
-					return (NS_SORTLISTTYPE_1ELEMENT);
-				}
-			} else {
-				INSIST(matched_elt != NULL);
-				*argp = matched_elt;
-				return (NS_SORTLISTTYPE_1ELEMENT);
-			}
-		}
-	}
-
-	/* No match; don't sort. */
- dont_sort:
-	*argp = NULL;
-	return (NS_SORTLISTTYPE_NONE);
-}
-
-int
-ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
-	const dns_acl_t *sortacl = (const dns_acl_t *) arg;
-	int match;
-
-	(void)dns_acl_match(addr, NULL, sortacl,
-			    &ns_g_server->aclenv,
-			    &match, NULL);
-	if (match > 0)
-		return (match);
-	else if (match < 0)
-		return (INT_MAX - (-match));
-	else
-		return (INT_MAX / 2);
-}
-
-int
-ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
-	const dns_aclelement_t *matchelt = (const dns_aclelement_t *) arg;
-	if (dns_aclelement_match(addr, NULL, matchelt,
-				 &ns_g_server->aclenv,
-				 NULL)) {
-		return (0);
-	} else {
-		return (INT_MAX);
-	}
-}
-
-void
-ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
-		       dns_addressorderfunc_t *orderp,
-		       const void **argp)
-{
-	ns_sortlisttype_t sortlisttype;
-
-	sortlisttype = ns_sortlist_setup(sortlist_acl, client_addr, argp);
-
-	switch (sortlisttype) {
-	case NS_SORTLISTTYPE_1ELEMENT:
-		*orderp = ns_sortlist_addrorder1;
-		break;
-	case NS_SORTLISTTYPE_2ELEMENT:
-		*orderp = ns_sortlist_addrorder2;
-		break;
-	case NS_SORTLISTTYPE_NONE:
-		*orderp = NULL;
-		break;
-	default:
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "unexpected return from ns_sortlist_setup(): "
-				 "%d", sortlisttype);
-		break;
-	}
-}
-
diff --git a/contrib/bind9/bin/named/statschannel.c b/contrib/bind9/bin/named/statschannel.c
deleted file mode 100644
index bb642cc..0000000
--- a/contrib/bind9/bin/named/statschannel.c
+++ /dev/null
@@ -1,1978 +0,0 @@
-/*
- * Copyright (C) 2008-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: statschannel.c,v 1.28 2011/03/12 04:59:46 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/httpd.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/socket.h>
-#include <isc/stats.h>
-#include <isc/task.h>
-
-#include <dns/cache.h>
-#include <dns/db.h>
-#include <dns/opcode.h>
-#include <dns/resolver.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/stats.h>
-#include <dns/view.h>
-#include <dns/zt.h>
-
-#include <named/log.h>
-#include <named/server.h>
-#include <named/statschannel.h>
-
-#ifdef NEWSTATS
-	#include "bind9.ver3.xsl.h"
-#else /* OLDSTATS */
-	#include "bind9.xsl.h"
-#endif /* NEWSTATS */
-
-struct ns_statschannel {
-	/* Unlocked */
-	isc_httpdmgr_t				*httpdmgr;
-	isc_sockaddr_t				address;
-	isc_mem_t				*mctx;
-
-	/*
-	 * Locked by channel lock: can be referenced and modified by both
-	 * the server task and the channel task.
-	 */
-	isc_mutex_t				lock;
-	dns_acl_t				*acl;
-
-	/* Locked by server task */
-	ISC_LINK(struct ns_statschannel)	link;
-};
-
-typedef enum { statsformat_file, statsformat_xml } statsformat_t;
-
-typedef struct
-stats_dumparg {
-	statsformat_t	type;
-	void		*arg;		/* type dependent argument */
-	int		ncounters;	/* used for general statistics */
-	int		*counterindices; /* used for general statistics */
-	isc_uint64_t	*countervalues;	 /* used for general statistics */
-	isc_result_t	result;
-} stats_dumparg_t;
-
-static isc_once_t once = ISC_ONCE_INIT;
-
-/*%
- * Statistics descriptions.  These could be statistically initialized at
- * compile time, but we configure them run time in the init_desc() function
- * below so that they'll be less susceptible to counter name changes.
- */
-static const char *nsstats_desc[dns_nsstatscounter_max];
-static const char *resstats_desc[dns_resstatscounter_max];
-static const char *zonestats_desc[dns_zonestatscounter_max];
-static const char *sockstats_desc[isc_sockstatscounter_max];
-static const char *dnssecstats_desc[dns_dnssecstats_max];
-#ifdef HAVE_LIBXML2
-static const char *nsstats_xmldesc[dns_nsstatscounter_max];
-static const char *resstats_xmldesc[dns_resstatscounter_max];
-static const char *zonestats_xmldesc[dns_zonestatscounter_max];
-static const char *sockstats_xmldesc[isc_sockstatscounter_max];
-static const char *dnssecstats_xmldesc[dns_dnssecstats_max];
-#else
-#define nsstats_xmldesc NULL
-#define resstats_xmldesc NULL
-#define zonestats_xmldesc NULL
-#define sockstats_xmldesc NULL
-#define dnssecstats_xmldesc NULL
-#endif	/* HAVE_LIBXML2 */
-
-#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
-
-/*%
- * Mapping arrays to represent statistics counters in the order of our
- * preference, regardless of the order of counter indices.  For example,
- * nsstats_desc[nsstats_index[0]] will be the description that is shown first.
- */
-static int nsstats_index[dns_nsstatscounter_max];
-static int resstats_index[dns_resstatscounter_max];
-static int zonestats_index[dns_zonestatscounter_max];
-static int sockstats_index[isc_sockstatscounter_max];
-static int dnssecstats_index[dns_dnssecstats_max];
-
-static inline void
-set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs,
-	 const char *xdesc, const char **xdescs)
-{
-	REQUIRE(counter < maxcounter);
-	REQUIRE(fdescs[counter] == NULL);
-#ifdef HAVE_LIBXML2
-	REQUIRE(xdescs[counter] == NULL);
-#endif
-
-	fdescs[counter] = fdesc;
-#ifdef HAVE_LIBXML2
-	xdescs[counter] = xdesc;
-#else
-	UNUSED(xdesc);
-	UNUSED(xdescs);
-#endif
-}
-
-static void
-init_desc(void) {
-	int i;
-
-	/* Initialize name server statistics */
-	for (i = 0; i < dns_nsstatscounter_max; i++)
-		nsstats_desc[i] = NULL;
-#ifdef HAVE_LIBXML2
-	for (i = 0; i < dns_nsstatscounter_max; i++)
-		nsstats_xmldesc[i] = NULL;
-#endif
-
-#define SET_NSSTATDESC(counterid, desc, xmldesc) \
-	do { \
-		set_desc(dns_nsstatscounter_ ## counterid, \
-			 dns_nsstatscounter_max, \
-			 desc, nsstats_desc, xmldesc, nsstats_xmldesc); \
-		nsstats_index[i++] = dns_nsstatscounter_ ## counterid; \
-	} while (0)
-
-	i = 0;
-	SET_NSSTATDESC(requestv4, "IPv4 requests received", "Requestv4");
-	SET_NSSTATDESC(requestv6, "IPv6 requests received", "Requestv6");
-	SET_NSSTATDESC(edns0in, "requests with EDNS(0) received", "ReqEdns0");
-	SET_NSSTATDESC(badednsver,
-		       "requests with unsupported EDNS version received",
-		       "ReqBadEDNSVer");
-	SET_NSSTATDESC(tsigin, "requests with TSIG received", "ReqTSIG");
-	SET_NSSTATDESC(sig0in, "requests with SIG(0) received", "ReqSIG0");
-	SET_NSSTATDESC(invalidsig, "requests with invalid signature",
-		       "ReqBadSIG");
-	SET_NSSTATDESC(tcp, "TCP requests received", "ReqTCP");
-	SET_NSSTATDESC(authrej, "auth queries rejected", "AuthQryRej");
-	SET_NSSTATDESC(recurserej, "recursive queries rejected", "RecQryRej");
-	SET_NSSTATDESC(xfrrej, "transfer requests rejected", "XfrRej");
-	SET_NSSTATDESC(updaterej, "update requests rejected", "UpdateRej");
-	SET_NSSTATDESC(response, "responses sent", "Response");
-	SET_NSSTATDESC(truncatedresp, "truncated responses sent",
-		       "TruncatedResp");
-	SET_NSSTATDESC(edns0out, "responses with EDNS(0) sent", "RespEDNS0");
-	SET_NSSTATDESC(tsigout, "responses with TSIG sent", "RespTSIG");
-	SET_NSSTATDESC(sig0out, "responses with SIG(0) sent", "RespSIG0");
-	SET_NSSTATDESC(success, "queries resulted in successful answer",
-		       "QrySuccess");
-	SET_NSSTATDESC(authans, "queries resulted in authoritative answer",
-		       "QryAuthAns");
-	SET_NSSTATDESC(nonauthans,
-		       "queries resulted in non authoritative answer",
-		       "QryNoauthAns");
-	SET_NSSTATDESC(referral, "queries resulted in referral answer",
-		       "QryReferral");
-	SET_NSSTATDESC(nxrrset, "queries resulted in nxrrset", "QryNxrrset");
-	SET_NSSTATDESC(servfail, "queries resulted in SERVFAIL", "QrySERVFAIL");
-	SET_NSSTATDESC(formerr, "queries resulted in FORMERR", "QryFORMERR");
-	SET_NSSTATDESC(nxdomain, "queries resulted in NXDOMAIN", "QryNXDOMAIN");
-	SET_NSSTATDESC(recursion, "queries caused recursion", "QryRecursion");
-	SET_NSSTATDESC(duplicate, "duplicate queries received", "QryDuplicate");
-	SET_NSSTATDESC(dropped, "queries dropped", "QryDropped");
-	SET_NSSTATDESC(failure, "other query failures", "QryFailure");
-	SET_NSSTATDESC(xfrdone, "requested transfers completed", "XfrReqDone");
-	SET_NSSTATDESC(updatereqfwd, "update requests forwarded",
-		       "UpdateReqFwd");
-	SET_NSSTATDESC(updaterespfwd, "update responses forwarded",
-		       "UpdateRespFwd");
-	SET_NSSTATDESC(updatefwdfail, "update forward failed", "UpdateFwdFail");
-	SET_NSSTATDESC(updatedone, "updates completed", "UpdateDone");
-	SET_NSSTATDESC(updatefail, "updates failed", "UpdateFail");
-	SET_NSSTATDESC(updatebadprereq,
-		       "updates rejected due to prerequisite failure",
-		       "UpdateBadPrereq");
-	SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
-		       "RPZRewrites");
-	INSIST(i == dns_nsstatscounter_max);
-
-	/* Initialize resolver statistics */
-	for (i = 0; i < dns_resstatscounter_max; i++)
-		resstats_desc[i] = NULL;
-#ifdef  HAVE_LIBXML2
-	for (i = 0; i < dns_resstatscounter_max; i++)
-		resstats_xmldesc[i] = NULL;
-#endif
-
-#define SET_RESSTATDESC(counterid, desc, xmldesc) \
-	do { \
-		set_desc(dns_resstatscounter_ ## counterid, \
-			 dns_resstatscounter_max, \
-			 desc, resstats_desc, xmldesc, resstats_xmldesc); \
-		resstats_index[i++] = dns_resstatscounter_ ## counterid; \
-	} while (0)
-
-	i = 0;
-	SET_RESSTATDESC(queryv4, "IPv4 queries sent", "Queryv4");
-	SET_RESSTATDESC(queryv6, "IPv6 queries sent", "Queryv6");
-	SET_RESSTATDESC(responsev4, "IPv4 responses received", "Responsev4");
-	SET_RESSTATDESC(responsev6, "IPv6 responses received", "Responsev6");
-	SET_RESSTATDESC(nxdomain, "NXDOMAIN received", "NXDOMAIN");
-	SET_RESSTATDESC(servfail, "SERVFAIL received", "SERVFAIL");
-	SET_RESSTATDESC(formerr, "FORMERR received", "FORMERR");
-	SET_RESSTATDESC(othererror, "other errors received", "OtherError");
-	SET_RESSTATDESC(edns0fail, "EDNS(0) query failures", "EDNS0Fail");
-	SET_RESSTATDESC(mismatch, "mismatch responses received", "Mismatch");
-	SET_RESSTATDESC(truncated, "truncated responses received", "Truncated");
-	SET_RESSTATDESC(lame, "lame delegations received", "Lame");
-	SET_RESSTATDESC(retry, "query retries", "Retry");
-	SET_RESSTATDESC(dispabort, "queries aborted due to quota",
-			"QueryAbort");
-	SET_RESSTATDESC(dispsockfail, "failures in opening query sockets",
-			"QuerySockFail");
-	SET_RESSTATDESC(querytimeout, "query timeouts", "QueryTimeout");
-	SET_RESSTATDESC(gluefetchv4, "IPv4 NS address fetches", "GlueFetchv4");
-	SET_RESSTATDESC(gluefetchv6, "IPv6 NS address fetches", "GlueFetchv6");
-	SET_RESSTATDESC(gluefetchv4fail, "IPv4 NS address fetch failed",
-			"GlueFetchv4Fail");
-	SET_RESSTATDESC(gluefetchv6fail, "IPv6 NS address fetch failed",
-			"GlueFetchv6Fail");
-	SET_RESSTATDESC(val, "DNSSEC validation attempted", "ValAttempt");
-	SET_RESSTATDESC(valsuccess, "DNSSEC validation succeeded", "ValOk");
-	SET_RESSTATDESC(valnegsuccess, "DNSSEC NX validation succeeded",
-			"ValNegOk");
-	SET_RESSTATDESC(valfail, "DNSSEC validation failed", "ValFail");
-	SET_RESSTATDESC(queryrtt0, "queries with RTT < "
-			DNS_RESOLVER_QRYRTTCLASS0STR "ms",
-			"QryRTT" DNS_RESOLVER_QRYRTTCLASS0STR);
-	SET_RESSTATDESC(queryrtt1, "queries with RTT "
-			DNS_RESOLVER_QRYRTTCLASS0STR "-"
-			DNS_RESOLVER_QRYRTTCLASS1STR "ms",
-			"QryRTT" DNS_RESOLVER_QRYRTTCLASS1STR);
-	SET_RESSTATDESC(queryrtt2, "queries with RTT "
-			DNS_RESOLVER_QRYRTTCLASS1STR "-"
-			DNS_RESOLVER_QRYRTTCLASS2STR "ms",
-			"QryRTT" DNS_RESOLVER_QRYRTTCLASS2STR);
-	SET_RESSTATDESC(queryrtt3, "queries with RTT "
-			DNS_RESOLVER_QRYRTTCLASS2STR "-"
-			DNS_RESOLVER_QRYRTTCLASS3STR "ms",
-			"QryRTT" DNS_RESOLVER_QRYRTTCLASS3STR);
-	SET_RESSTATDESC(queryrtt4, "queries with RTT "
-			DNS_RESOLVER_QRYRTTCLASS3STR "-"
-			DNS_RESOLVER_QRYRTTCLASS4STR "ms",
-			"QryRTT" DNS_RESOLVER_QRYRTTCLASS4STR);
-	SET_RESSTATDESC(queryrtt5, "queries with RTT > "
-			DNS_RESOLVER_QRYRTTCLASS4STR "ms",
-			"QryRTT" DNS_RESOLVER_QRYRTTCLASS4STR "+");
-	INSIST(i == dns_resstatscounter_max);
-
-	/* Initialize zone statistics */
-	for (i = 0; i < dns_zonestatscounter_max; i++)
-		zonestats_desc[i] = NULL;
-#ifdef  HAVE_LIBXML2
-	for (i = 0; i < dns_zonestatscounter_max; i++)
-		zonestats_xmldesc[i] = NULL;
-#endif
-
-#define SET_ZONESTATDESC(counterid, desc, xmldesc) \
-	do { \
-		set_desc(dns_zonestatscounter_ ## counterid, \
-			 dns_zonestatscounter_max, \
-			 desc, zonestats_desc, xmldesc, zonestats_xmldesc); \
-		zonestats_index[i++] = dns_zonestatscounter_ ## counterid; \
-	} while (0)
-
-	i = 0;
-	SET_ZONESTATDESC(notifyoutv4, "IPv4 notifies sent", "NotifyOutv4");
-	SET_ZONESTATDESC(notifyoutv6, "IPv6 notifies sent", "NotifyOutv6");
-	SET_ZONESTATDESC(notifyinv4, "IPv4 notifies received", "NotifyInv4");
-	SET_ZONESTATDESC(notifyinv6, "IPv6 notifies received", "NotifyInv6");
-	SET_ZONESTATDESC(notifyrej, "notifies rejected", "NotifyRej");
-	SET_ZONESTATDESC(soaoutv4, "IPv4 SOA queries sent", "SOAOutv4");
-	SET_ZONESTATDESC(soaoutv6, "IPv6 SOA queries sent", "SOAOutv6");
-	SET_ZONESTATDESC(axfrreqv4, "IPv4 AXFR requested", "AXFRReqv4");
-	SET_ZONESTATDESC(axfrreqv6, "IPv6 AXFR requested", "AXFRReqv6");
-	SET_ZONESTATDESC(ixfrreqv4, "IPv4 IXFR requested", "IXFRReqv4");
-	SET_ZONESTATDESC(ixfrreqv6, "IPv6 IXFR requested", "IXFRReqv6");
-	SET_ZONESTATDESC(xfrsuccess, "transfer requests succeeded",
-			 "XfrSuccess");
-	SET_ZONESTATDESC(xfrfail, "transfer requests failed", "XfrFail");
-	INSIST(i == dns_zonestatscounter_max);
-
-	/* Initialize socket statistics */
-	for (i = 0; i < isc_sockstatscounter_max; i++)
-		sockstats_desc[i] = NULL;
-#ifdef  HAVE_LIBXML2
-	for (i = 0; i < isc_sockstatscounter_max; i++)
-		sockstats_xmldesc[i] = NULL;
-#endif
-
-#define SET_SOCKSTATDESC(counterid, desc, xmldesc) \
-	do { \
-		set_desc(isc_sockstatscounter_ ## counterid, \
-			 isc_sockstatscounter_max, \
-			 desc, sockstats_desc, xmldesc, sockstats_xmldesc); \
-		sockstats_index[i++] = isc_sockstatscounter_ ## counterid; \
-	} while (0)
-
-	i = 0;
-	SET_SOCKSTATDESC(udp4open, "UDP/IPv4 sockets opened", "UDP4Open");
-	SET_SOCKSTATDESC(udp6open, "UDP/IPv6 sockets opened", "UDP6Open");
-	SET_SOCKSTATDESC(tcp4open, "TCP/IPv4 sockets opened", "TCP4Open");
-	SET_SOCKSTATDESC(tcp6open, "TCP/IPv6 sockets opened", "TCP6Open");
-	SET_SOCKSTATDESC(unixopen, "Unix domain sockets opened", "UnixOpen");
-	SET_SOCKSTATDESC(udp4openfail, "UDP/IPv4 socket open failures",
-			 "UDP4OpenFail");
-	SET_SOCKSTATDESC(udp6openfail, "UDP/IPv6 socket open failures",
-			 "UDP6OpenFail");
-	SET_SOCKSTATDESC(tcp4openfail, "TCP/IPv4 socket open failures",
-			 "TCP4OpenFail");
-	SET_SOCKSTATDESC(tcp6openfail, "TCP/IPv6 socket open failures",
-			 "TCP6OpenFail");
-	SET_SOCKSTATDESC(unixopenfail, "Unix domain socket open failures",
-			 "UnixOpenFail");
-	SET_SOCKSTATDESC(udp4close, "UDP/IPv4 sockets closed", "UDP4Close");
-	SET_SOCKSTATDESC(udp6close, "UDP/IPv6 sockets closed", "UDP6Close");
-	SET_SOCKSTATDESC(tcp4close, "TCP/IPv4 sockets closed", "TCP4Close");
-	SET_SOCKSTATDESC(tcp6close, "TCP/IPv6 sockets closed", "TCP6Close");
-	SET_SOCKSTATDESC(unixclose, "Unix domain sockets closed", "UnixClose");
-	SET_SOCKSTATDESC(fdwatchclose, "FDwatch sockets closed",
-			 "FDWatchClose");
-	SET_SOCKSTATDESC(udp4bindfail, "UDP/IPv4 socket bind failures",
-			 "UDP4BindFail");
-	SET_SOCKSTATDESC(udp6bindfail, "UDP/IPv6 socket bind failures",
-			 "UDP6BindFail");
-	SET_SOCKSTATDESC(tcp4bindfail, "TCP/IPv4 socket bind failures",
-			 "TCP4BindFail");
-	SET_SOCKSTATDESC(tcp6bindfail, "TCP/IPv6 socket bind failures",
-			 "TCP6BindFail");
-	SET_SOCKSTATDESC(unixbindfail, "Unix domain socket bind failures",
-			 "UnixBindFail");
-	SET_SOCKSTATDESC(fdwatchbindfail, "FDwatch socket bind failures",
-			 "FdwatchBindFail");
-	SET_SOCKSTATDESC(udp4connectfail, "UDP/IPv4 socket connect failures",
-			 "UDP4ConnFail");
-	SET_SOCKSTATDESC(udp6connectfail, "UDP/IPv6 socket connect failures",
-			 "UDP6ConnFail");
-	SET_SOCKSTATDESC(tcp4connectfail, "TCP/IPv4 socket connect failures",
-			 "TCP4ConnFail");
-	SET_SOCKSTATDESC(tcp6connectfail, "TCP/IPv6 socket connect failures",
-			 "TCP6ConnFail");
-	SET_SOCKSTATDESC(unixconnectfail, "Unix domain socket connect failures",
-			 "UnixConnFail");
-	SET_SOCKSTATDESC(fdwatchconnectfail, "FDwatch socket connect failures",
-			 "FDwatchConnFail");
-	SET_SOCKSTATDESC(udp4connect, "UDP/IPv4 connections established",
-			 "UDP4Conn");
-	SET_SOCKSTATDESC(udp6connect, "UDP/IPv6 connections established",
-			 "UDP6Conn");
-	SET_SOCKSTATDESC(tcp4connect, "TCP/IPv4 connections established",
-			 "TCP4Conn");
-	SET_SOCKSTATDESC(tcp6connect, "TCP/IPv6 connections established",
-			 "TCP6Conn");
-	SET_SOCKSTATDESC(unixconnect, "Unix domain connections established",
-			 "UnixConn");
-	SET_SOCKSTATDESC(fdwatchconnect,
-			 "FDwatch domain connections established",
-			 "FDwatchConn");
-	SET_SOCKSTATDESC(tcp4acceptfail, "TCP/IPv4 connection accept failures",
-			 "TCP4AcceptFail");
-	SET_SOCKSTATDESC(tcp6acceptfail, "TCP/IPv6 connection accept failures",
-			 "TCP6AcceptFail");
-	SET_SOCKSTATDESC(unixacceptfail,
-			 "Unix domain connection accept failures",
-			 "UnixAcceptFail");
-	SET_SOCKSTATDESC(tcp4accept, "TCP/IPv4 connections accepted",
-			 "TCP4Accept");
-	SET_SOCKSTATDESC(tcp6accept, "TCP/IPv6 connections accepted",
-			 "TCP6Accept");
-	SET_SOCKSTATDESC(unixaccept, "Unix domain connections accepted",
-			 "UnixAccept");
-	SET_SOCKSTATDESC(udp4sendfail, "UDP/IPv4 send errors", "UDP4SendErr");
-	SET_SOCKSTATDESC(udp6sendfail, "UDP/IPv6 send errors", "UDP6SendErr");
-	SET_SOCKSTATDESC(tcp4sendfail, "TCP/IPv4 send errors", "TCP4SendErr");
-	SET_SOCKSTATDESC(tcp6sendfail, "TCP/IPv6 send errors", "TCP6SendErr");
-	SET_SOCKSTATDESC(unixsendfail, "Unix domain send errors",
-			 "UnixSendErr");
-	SET_SOCKSTATDESC(fdwatchsendfail, "FDwatch send errors",
-			 "FDwatchSendErr");
-	SET_SOCKSTATDESC(udp4recvfail, "UDP/IPv4 recv errors", "UDP4RecvErr");
-	SET_SOCKSTATDESC(udp6recvfail, "UDP/IPv6 recv errors", "UDP6RecvErr");
-	SET_SOCKSTATDESC(tcp4recvfail, "TCP/IPv4 recv errors", "TCP4RecvErr");
-	SET_SOCKSTATDESC(tcp6recvfail, "TCP/IPv6 recv errors", "TCP6RecvErr");
-	SET_SOCKSTATDESC(unixrecvfail, "Unix domain recv errors",
-			 "UnixRecvErr");
-	SET_SOCKSTATDESC(fdwatchrecvfail, "FDwatch recv errors",
-			 "FDwatchRecvErr");
-	INSIST(i == isc_sockstatscounter_max);
-
-	/* Initialize DNSSEC statistics */
-	for (i = 0; i < dns_dnssecstats_max; i++)
-		dnssecstats_desc[i] = NULL;
-#ifdef  HAVE_LIBXML2
-	for (i = 0; i < dns_dnssecstats_max; i++)
-		dnssecstats_xmldesc[i] = NULL;
-#endif
-
-#define SET_DNSSECSTATDESC(counterid, desc, xmldesc) \
-	do { \
-		set_desc(dns_dnssecstats_ ## counterid, \
-			 dns_dnssecstats_max, \
-			 desc, dnssecstats_desc, \
-			 xmldesc, dnssecstats_xmldesc); \
-		dnssecstats_index[i++] = dns_dnssecstats_ ## counterid; \
-	} while (0)
-
-	i = 0;
-	SET_DNSSECSTATDESC(asis, "dnssec validation success with signer "
-			   "\"as is\"", "DNSSECasis");
-	SET_DNSSECSTATDESC(downcase, "dnssec validation success with signer "
-			   "lower cased", "DNSSECdowncase");
-	SET_DNSSECSTATDESC(wildcard, "dnssec validation of wildcard signature",
-			   "DNSSECwild");
-	SET_DNSSECSTATDESC(fail, "dnssec validation failures", "DNSSECfail");
-	INSIST(i == dns_dnssecstats_max);
-
-	/* Sanity check */
-	for (i = 0; i < dns_nsstatscounter_max; i++)
-		INSIST(nsstats_desc[i] != NULL);
-	for (i = 0; i < dns_resstatscounter_max; i++)
-		INSIST(resstats_desc[i] != NULL);
-	for (i = 0; i < dns_zonestatscounter_max; i++)
-		INSIST(zonestats_desc[i] != NULL);
-	for (i = 0; i < isc_sockstatscounter_max; i++)
-		INSIST(sockstats_desc[i] != NULL);
-	for (i = 0; i < dns_dnssecstats_max; i++)
-		INSIST(dnssecstats_desc[i] != NULL);
-#ifdef  HAVE_LIBXML2
-	for (i = 0; i < dns_nsstatscounter_max; i++)
-		INSIST(nsstats_xmldesc[i] != NULL);
-	for (i = 0; i < dns_resstatscounter_max; i++)
-		INSIST(resstats_xmldesc[i] != NULL);
-	for (i = 0; i < dns_zonestatscounter_max; i++)
-		INSIST(zonestats_xmldesc[i] != NULL);
-	for (i = 0; i < isc_sockstatscounter_max; i++)
-		INSIST(sockstats_xmldesc[i] != NULL);
-	for (i = 0; i < dns_dnssecstats_max; i++)
-		INSIST(dnssecstats_xmldesc[i] != NULL);
-#endif
-}
-
-/*%
- * Dump callback functions.
- */
-static void
-generalstat_dump(isc_statscounter_t counter, isc_uint64_t val, void *arg) {
-	stats_dumparg_t *dumparg = arg;
-
-	REQUIRE(counter < dumparg->ncounters);
-	dumparg->countervalues[counter] = val;
-}
-
-static isc_result_t
-dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
-	      const char *category, const char **desc, int ncounters,
-	      int *indices, isc_uint64_t *values, int options)
-{
-	int i, index;
-	isc_uint64_t value;
-	stats_dumparg_t dumparg;
-	FILE *fp;
-#ifdef HAVE_LIBXML2
-	xmlTextWriterPtr writer;
-	int xmlrc;
-#endif
-
-#ifndef HAVE_LIBXML2
-	UNUSED(category);
-#endif
-
-	dumparg.type = type;
-	dumparg.ncounters = ncounters;
-	dumparg.counterindices = indices;
-	dumparg.countervalues = values;
-
-	memset(values, 0, sizeof(values[0]) * ncounters);
-	isc_stats_dump(stats, generalstat_dump, &dumparg, options);
-
-	for (i = 0; i < ncounters; i++) {
-		index = indices[i];
-		value = values[index];
-
-		if (value == 0 && (options & ISC_STATSDUMP_VERBOSE) == 0)
-			continue;
-
-		switch (dumparg.type) {
-		case statsformat_file:
-			fp = arg;
-			fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n",
-				value, desc[index]);
-			break;
-		case statsformat_xml:
-#ifdef HAVE_LIBXML2
-#ifdef NEWSTATS
-		writer = arg;
-
-		if (category != NULL) {
-			/* <NameOfCategory> */
-			TRY0(xmlTextWriterStartElement(writer,
-						       ISC_XMLCHAR
-						       category));
-			/* <name> inside category */
-			TRY0(xmlTextWriterStartElement(writer,
-						       ISC_XMLCHAR
-						       "name"));
-			TRY0(xmlTextWriterWriteString(writer,
-						      ISC_XMLCHAR
-						      desc[index]));
-			TRY0(xmlTextWriterEndElement(writer));
-			/* </name> */
-
-			/* <counter> */
-			TRY0(xmlTextWriterStartElement(writer,
-						       ISC_XMLCHAR
-						       "counter"));
-			TRY0(xmlTextWriterWriteFormatString(writer,
-				"%" ISC_PRINT_QUADFORMAT "u", value));
-
-			TRY0(xmlTextWriterEndElement(writer));
-			/* </counter> */
-			TRY0(xmlTextWriterEndElement(writer));
-			/* </NameOfCategory> */
-
-		} else {
-			TRY0(xmlTextWriterStartElement(writer,
-						       ISC_XMLCHAR
-						       "counter"));
-			TRY0(xmlTextWriterWriteAttribute(writer,
-							 ISC_XMLCHAR
-							 "name",
-							 ISC_XMLCHAR
-							 desc[index]));
-			TRY0(xmlTextWriterWriteFormatString(writer,
-				"%" ISC_PRINT_QUADFORMAT "u", value));
-			TRY0(xmlTextWriterEndElement(writer));
-			/* counter */
-		}
-#else /* !NEWSTATS */
-			writer = arg;
-
-			if (category != NULL) {
-				TRY0(xmlTextWriterStartElement(writer,
-							       ISC_XMLCHAR
-							       category));
-				TRY0(xmlTextWriterStartElement(writer,
-							       ISC_XMLCHAR
-							       "name"));
-				TRY0(xmlTextWriterWriteString(writer,
-							      ISC_XMLCHAR
-							      desc[index]));
-				TRY0(xmlTextWriterEndElement(writer)); /* name */
-
-				TRY0(xmlTextWriterStartElement(writer,
-							       ISC_XMLCHAR
-							       "counter"));
-			} else {
-				TRY0(xmlTextWriterStartElement(writer,
-							       ISC_XMLCHAR
-							       desc[index]));
-			}
-			TRY0(xmlTextWriterWriteFormatString(writer,
-							    "%"
-							    ISC_PRINT_QUADFORMAT
-							    "u", value));
-			TRY0(xmlTextWriterEndElement(writer)); /* counter */
-			if (category != NULL)
-				TRY0(xmlTextWriterEndElement(writer)); /* category */
-#endif /* NEWSTATS */
-#endif /* LIBXML2 */
-			break;
-		}
-	}
-	return (ISC_R_SUCCESS);
-#ifdef HAVE_LIBXML2
- error:
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_ERROR, "failed at dump_counters()");
-	return (ISC_R_FAILURE);
-#endif
-}
-
-#ifdef NEWSTATS
-static void
-rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
-	char typebuf[64];
-	const char *typestr;
-	stats_dumparg_t *dumparg = arg;
-	FILE *fp;
-#ifdef HAVE_LIBXML2
-	xmlTextWriterPtr writer;
-	int xmlrc;
-#endif
-
-	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_OTHERTYPE)
-	    == 0) {
-		dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
-				     sizeof(typebuf));
-		typestr = typebuf;
-	} else
-		typestr = "Others";
-
-	switch (dumparg->type) {
-	case statsformat_file:
-		fp = dumparg->arg;
-		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, typestr);
-		break;
-	case statsformat_xml:
-#ifdef HAVE_LIBXML2
-
-		writer = dumparg->arg;
-
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
-		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
-						 ISC_XMLCHAR typestr));
-
-		TRY0(xmlTextWriterWriteFormatString(writer,
-					       "%" ISC_PRINT_QUADFORMAT "u",
-					       val));
-
-		TRY0(xmlTextWriterEndElement(writer)); /* type */
-#endif
-		break;
-	}
-	return;
-#ifdef HAVE_LIBXML2
- error:
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_ERROR, "failed at rdtypestat_dump()");
-	dumparg->result = ISC_R_FAILURE;
-	return;
-#endif
-}
-#else  /* NEWSTATS */
-static void
-rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
-	char typebuf[64];
-	const char *typestr;
-	stats_dumparg_t *dumparg = arg;
-	FILE *fp;
-#ifdef HAVE_LIBXML2
-	xmlTextWriterPtr writer;
-	int xmlrc;
-#endif
-
-	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_OTHERTYPE)
-	    == 0) {
-		dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
-				     sizeof(typebuf));
-		typestr = typebuf;
-	} else
-		typestr = "Others";
-
-	switch (dumparg->type) {
-	case statsformat_file:
-		fp = dumparg->arg;
-		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, typestr);
-		break;
-	case statsformat_xml:
-#ifdef HAVE_LIBXML2
-		writer = dumparg->arg;
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdtype"));
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
-		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR typestr));
-		TRY0(xmlTextWriterEndElement(writer)); /* name */
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
-		TRY0(xmlTextWriterWriteFormatString(writer,
-					       "%" ISC_PRINT_QUADFORMAT "u",
-					       val));
-		TRY0(xmlTextWriterEndElement(writer)); /* counter */
-
-		TRY0(xmlTextWriterEndElement(writer)); /* rdtype */
-#endif
-		break;
-	}
-	return;
-#ifdef HAVE_LIBXML2
- error:
-	dumparg->result = ISC_R_FAILURE;
-	return;
-#endif
-}
-#endif  /* NEWSTATS */
-
-static void
-rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
-	stats_dumparg_t *dumparg = arg;
-	FILE *fp;
-	char typebuf[64];
-	const char *typestr;
-	isc_boolean_t nxrrset = ISC_FALSE;
-#ifdef HAVE_LIBXML2
-	xmlTextWriterPtr writer;
-	int xmlrc;
-#endif
-
-	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_NXDOMAIN)
-	    != 0) {
-		typestr = "NXDOMAIN";
-	} else if ((DNS_RDATASTATSTYPE_ATTR(type) &
-		    DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) != 0) {
-		typestr = "Others";
-	} else {
-		dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
-				     sizeof(typebuf));
-		typestr = typebuf;
-	}
-
-	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_NXRRSET)
-	    != 0)
-		nxrrset = ISC_TRUE;
-
-	switch (dumparg->type) {
-	case statsformat_file:
-		fp = dumparg->arg;
-		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s%s\n", val,
-			nxrrset ? "!" : "", typestr);
-		break;
-	case statsformat_xml:
-#ifdef HAVE_LIBXML2
-		writer = dumparg->arg;
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rrset"));
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
-		TRY0(xmlTextWriterWriteFormatString(writer, "%s%s",
-					       nxrrset ? "!" : "", typestr));
-		TRY0(xmlTextWriterEndElement(writer)); /* name */
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
-		TRY0(xmlTextWriterWriteFormatString(writer,
-					       "%" ISC_PRINT_QUADFORMAT "u",
-					       val));
-		TRY0(xmlTextWriterEndElement(writer)); /* counter */
-
-		TRY0(xmlTextWriterEndElement(writer)); /* rrset */
-#endif
-		break;
-	}
-	return;
-#ifdef HAVE_LIBXML2
- error:
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_ERROR, "failed at rdatasetstats_dump()");
-	dumparg->result = ISC_R_FAILURE;
-#endif
-
-}
-
-#ifdef NEWSTATS
-static void
-opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
-	FILE *fp;
-	isc_buffer_t b;
-	char codebuf[64];
-	stats_dumparg_t *dumparg = arg;
-#ifdef HAVE_LIBXML2
-	xmlTextWriterPtr writer;
-	int xmlrc;
-#endif
-
-	isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1);
-	dns_opcode_totext(code, &b);
-	codebuf[isc_buffer_usedlength(&b)] = '\0';
-
-	switch (dumparg->type) {
-	case statsformat_file:
-		fp = dumparg->arg;
-		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, codebuf);
-		break;
-	case statsformat_xml:
-#ifdef HAVE_LIBXML2
-		writer = dumparg->arg;
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
-		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
-						 ISC_XMLCHAR codebuf ));
-		TRY0(xmlTextWriterWriteFormatString(writer,
-						       "%" ISC_PRINT_QUADFORMAT "u",
-						       val));
-		TRY0(xmlTextWriterEndElement(writer)); /* counter */
-#endif
-		break;
-	}
-	return;
-
-#ifdef HAVE_LIBXML2
- error:
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_ERROR, "failed at opcodestat_dump()");
-	dumparg->result = ISC_R_FAILURE;
-	return;
-#endif
-}
-#else  /* NEWSTATS */
-static void
-opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
-	FILE *fp;
-	isc_buffer_t b;
-	char codebuf[64];
-	stats_dumparg_t *dumparg = arg;
-#ifdef HAVE_LIBXML2
-	xmlTextWriterPtr writer;
-	int xmlrc;
-#endif
-
-	isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1);
-	dns_opcode_totext(code, &b);
-	codebuf[isc_buffer_usedlength(&b)] = '\0';
-
-	switch (dumparg->type) {
-	case statsformat_file:
-		fp = dumparg->arg;
-		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, codebuf);
-		break;
-	case statsformat_xml:
-#ifdef HAVE_LIBXML2
-		writer = dumparg->arg;
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "opcode"));
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
-		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR codebuf));
-		TRY0(xmlTextWriterEndElement(writer)); /* name */
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
-		TRY0(xmlTextWriterWriteFormatString(writer,
-					       "%" ISC_PRINT_QUADFORMAT "u",
-					       val));
-		TRY0(xmlTextWriterEndElement(writer)); /* counter */
-
-		TRY0(xmlTextWriterEndElement(writer)); /* opcode */
-#endif
-		break;
-	}
-	return;
-
-#ifdef HAVE_LIBXML2
- error:
-	dumparg->result = ISC_R_FAILURE;
-	return;
-#endif
-}
-#endif  /* NEWSTATS */
-
-#ifdef HAVE_LIBXML2
-
-/* XXXMLG below here sucks. (not so much) */
-
-#ifdef NEWSTATS
-static isc_result_t
-zone_xmlrender(dns_zone_t *zone, void *arg) {
-	isc_result_t result;
-	char buf[1024 + 32];	/* sufficiently large for zone name and class */
-	char *zone_name_only = NULL;
-	dns_rdataclass_t rdclass;
-	isc_uint32_t serial;
-	xmlTextWriterPtr writer = arg;
-	isc_stats_t *zonestats;
-	dns_stats_t *rcvquerystats;
-	dns_zonestat_level_t statlevel;
-	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
-	int xmlrc;
-	stats_dumparg_t dumparg;
-
-	statlevel = dns_zone_getstatlevel(zone);
-	if (statlevel == dns_zonestat_none)
-		return (ISC_R_SUCCESS);
-
-	dumparg.type = statsformat_xml;
-	dumparg.arg = writer;
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"));
-	dns_zone_name(zone, buf, sizeof(buf));
-	zone_name_only = strtok(buf, "/");
-	if(zone_name_only == NULL)
-		zone_name_only = buf;
-
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
-					 ISC_XMLCHAR zone_name_only));
-	rdclass = dns_zone_getclass(zone);
-	dns_rdataclass_format(rdclass, buf, sizeof(buf));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "rdataclass",
-					 ISC_XMLCHAR buf));
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial"));
-	if (dns_zone_getserial2(zone, &serial) == ISC_R_SUCCESS)
-		TRY0(xmlTextWriterWriteFormatString(writer, "%u", serial));
-	else
-		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "-"));
-	TRY0(xmlTextWriterEndElement(writer)); /* serial */
-
-	zonestats = dns_zone_getrequeststats(zone);
-	rcvquerystats = dns_zone_getrcvquerystats(zone);
-	if (statlevel == dns_zonestat_full && zonestats != NULL) {
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-						 ISC_XMLCHAR "rcode"));
-
-		result = dump_counters(zonestats, statsformat_xml, writer,
-				       NULL, nsstats_xmldesc,
-				       dns_nsstatscounter_max, nsstats_index,
-				       nsstat_values, ISC_STATSDUMP_VERBOSE);
-		if (result != ISC_R_SUCCESS)
-			goto error;
-		/* counters type="rcode"*/
-		TRY0(xmlTextWriterEndElement(writer));
-	}
-
-	if (statlevel == dns_zonestat_full && rcvquerystats != NULL) {
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-						 ISC_XMLCHAR "qtype"));
-
-		dumparg.result = ISC_R_SUCCESS;
-		dns_rdatatypestats_dump(rcvquerystats, rdtypestat_dump,
-					&dumparg, 0);
-		if(dumparg.result != ISC_R_SUCCESS)
-			goto error;
-
-		/* counters type="qtype"*/
-		TRY0(xmlTextWriterEndElement(writer));
-	}
-
-	TRY0(xmlTextWriterEndElement(writer)); /* zone */
-
-	return (ISC_R_SUCCESS);
- error:
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_ERROR, "Failed at zone_xmlrender()");
-	return (ISC_R_FAILURE);
-}
-#else  /* NEWSTATS */
-static isc_result_t
-zone_xmlrender(dns_zone_t *zone, void *arg) {
-	char buf[1024 + 32];	/* sufficiently large for zone name and class */
-	dns_rdataclass_t rdclass;
-	isc_uint32_t serial;
-	xmlTextWriterPtr writer = arg;
-	isc_stats_t *zonestats;
-	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
-	int xmlrc;
-	isc_result_t result;
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone"));
-
-	dns_zone_name(zone, buf, sizeof(buf));
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
-	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf));
-	TRY0(xmlTextWriterEndElement(writer));
-
-	rdclass = dns_zone_getclass(zone);
-	dns_rdataclass_format(rdclass, buf, sizeof(buf));
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdataclass"));
-	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR buf));
-	TRY0(xmlTextWriterEndElement(writer));
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial"));
-	if (dns_zone_getserial2(zone, &serial) == ISC_R_SUCCESS)
-		TRY0(xmlTextWriterWriteFormatString(writer, "%u", serial));
-	else
-		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "-"));
-	TRY0(xmlTextWriterEndElement(writer));
-
-	zonestats = dns_zone_getrequeststats(zone);
-	if (zonestats != NULL) {
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-		result = dump_counters(zonestats, statsformat_xml, writer, NULL,
-				      nsstats_xmldesc, dns_nsstatscounter_max,
-				      nsstats_index, nsstat_values,
-				      ISC_STATSDUMP_VERBOSE);
-		if (result != ISC_R_SUCCESS)
-			goto error;
-		TRY0(xmlTextWriterEndElement(writer)); /* counters */
-	}
-
-	TRY0(xmlTextWriterEndElement(writer)); /* zone */
-
-	return (ISC_R_SUCCESS);
- error:
-	return (ISC_R_FAILURE);
-}
-#endif  /* NEWSTATS */
-
-#ifdef NEWSTATS
-static isc_result_t
-generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
-	char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
-	char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"];
-	isc_time_t now;
-	xmlTextWriterPtr writer = NULL;
-	xmlDocPtr doc = NULL;
-	int xmlrc;
-	dns_view_t *view;
-	stats_dumparg_t dumparg;
-	dns_stats_t *cacherrstats;
-	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
-	isc_uint64_t resstat_values[dns_resstatscounter_max];
-	isc_uint64_t zonestat_values[dns_zonestatscounter_max];
-	isc_uint64_t sockstat_values[isc_sockstatscounter_max];
-	isc_result_t result;
-
-	isc_time_now(&now);
-	isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime);
-	isc_time_formatISO8601(&now, nowstr, sizeof nowstr);
-
-	writer = xmlNewTextWriterDoc(&doc, 0);
-	if (writer == NULL)
-		goto error;
-	TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
-	TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
-			ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.ver3.xsl\""));
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
-					 ISC_XMLCHAR "3.0"));
-
-	/* Set common fields for statistics dump */
-	dumparg.type = statsformat_xml;
-	dumparg.arg = writer;
-
-	/*
-	 * Start by rendering the views we know of here.  For each view we
-	 * know of, call its rendering function.
-	 */
-	view = ISC_LIST_HEAD(server->viewlist);
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
-	while (view != NULL) {
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "view"));
-		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "name",
-						 ISC_XMLCHAR view->name));
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones"));
-		result = dns_zt_apply(view->zonetable, ISC_TRUE, zone_xmlrender,
-				      writer);
-		if (result != ISC_R_SUCCESS)
-			goto error;
-		TRY0(xmlTextWriterEndElement(writer)); /* zones */
-
-		TRY0(xmlTextWriterStartElement(writer,
-					       ISC_XMLCHAR "counters"));
-		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-						 ISC_XMLCHAR "resqtype"));
-
-		if (view->resquerystats != NULL) {
-			dumparg.result = ISC_R_SUCCESS;
-			dns_rdatatypestats_dump(view->resquerystats,
-						rdtypestat_dump, &dumparg, 0);
-			if (dumparg.result != ISC_R_SUCCESS)
-				goto error;
-		}
-		TRY0(xmlTextWriterEndElement(writer));
-
-		/* <resstats> */
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-		TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-						 ISC_XMLCHAR "resstats"));
-		if (view->resstats != NULL) {
-			result = dump_counters(view->resstats,
-					       statsformat_xml, writer,
-					       NULL, resstats_xmldesc,
-					       dns_resstatscounter_max,
-					       resstats_index, resstat_values,
-					       ISC_STATSDUMP_VERBOSE);
-			if (result != ISC_R_SUCCESS)
-				goto error;
-		}
-		TRY0(xmlTextWriterEndElement(writer)); /* </resstats> */
-
-		cacherrstats = dns_db_getrrsetstats(view->cachedb);
-		if (cacherrstats != NULL) {
-			TRY0(xmlTextWriterStartElement(writer,
-						       ISC_XMLCHAR "cache"));
-			TRY0(xmlTextWriterWriteAttribute(writer,
-					 ISC_XMLCHAR "name",
-					 ISC_XMLCHAR
-					 dns_cache_getname(view->cache)));
-			dumparg.result = ISC_R_SUCCESS;
-			dns_rdatasetstats_dump(cacherrstats, rdatasetstats_dump,
-					       &dumparg, 0);
-			if (dumparg.result != ISC_R_SUCCESS)
-				goto error;
-			TRY0(xmlTextWriterEndElement(writer)); /* cache */
-		}
-
-		TRY0(xmlTextWriterEndElement(writer)); /* view */
-
-		view = ISC_LIST_NEXT(view, link);
-	}
-	TRY0(xmlTextWriterEndElement(writer)); /* views */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
-	isc_socketmgr_renderxml(ns_g_socketmgr, writer);
-	TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
-	isc_taskmgr_renderxml(ns_g_taskmgr, writer);
-	TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time"));
-	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime));
-	TRY0(xmlTextWriterEndElement(writer)); /* boot-time */
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time"));
-	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr));
-	TRY0(xmlTextWriterEndElement(writer));  /* current-time */
-
-	dumparg.result = ISC_R_SUCCESS;
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-					 ISC_XMLCHAR "opcode"));
-
-	dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg,
-			     0);
-	if (dumparg.result != ISC_R_SUCCESS)
-		goto error;
-
-	TRY0(xmlTextWriterEndElement(writer)); /* counters type=opcode */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-					 ISC_XMLCHAR "qtype"));
-
-	dumparg.result = ISC_R_SUCCESS;
-	dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
-				&dumparg, 0);
-	if (dumparg.result != ISC_R_SUCCESS)
-		goto error;
-	TRY0(xmlTextWriterEndElement(writer)); /* counters */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-					 ISC_XMLCHAR "nsstat"));
-
-	result = dump_counters(server->nsstats, statsformat_xml,
-			       writer, NULL, nsstats_xmldesc,
-			       dns_nsstatscounter_max,
-			       nsstats_index, nsstat_values,
-			       ISC_STATSDUMP_VERBOSE);
-	if (result != ISC_R_SUCCESS)
-		goto error;
-
-	TRY0(xmlTextWriterEndElement(writer)); /* counters type=nsstat */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-					 ISC_XMLCHAR "zonestat"));
-
-	result = dump_counters(server->zonestats, statsformat_xml, writer,
-			       NULL, zonestats_xmldesc,
-			       dns_zonestatscounter_max, zonestats_index,
-			       zonestat_values, ISC_STATSDUMP_VERBOSE);
-	if (result != ISC_R_SUCCESS)
-		goto error;
-
-	TRY0(xmlTextWriterEndElement(writer)); /* counters type=zonestat */
-
-	/*
-	 * Most of the common resolver statistics entries are 0, so we don't
-	 * use the verbose dump here.
-	 */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-					 ISC_XMLCHAR "resstat"));
-	result = dump_counters(server->resolverstats, statsformat_xml,
-			       writer, NULL, resstats_xmldesc,
-			       dns_resstatscounter_max, resstats_index,
-			       resstat_values, 0);
-	if (result != ISC_R_SUCCESS)
-		goto error;
-
-	TRY0(xmlTextWriterEndElement(writer)); /* counters type=resstat */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "type",
-					 ISC_XMLCHAR "sockstat"));
-
-	result = dump_counters(server->sockstats, statsformat_xml,
-			       writer, NULL, sockstats_xmldesc,
-			       isc_sockstatscounter_max, sockstats_index,
-			       sockstat_values, ISC_STATSDUMP_VERBOSE);
-	if (result != ISC_R_SUCCESS)
-		goto error;
-
-	TRY0(xmlTextWriterEndElement(writer)); /* counters type=sockstat */
-
-	TRY0(xmlTextWriterEndElement(writer)); /* server */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
-	isc_mem_renderxml(writer);
-	TRY0(xmlTextWriterEndElement(writer)); /* memory */
-
-	TRY0(xmlTextWriterEndElement(writer)); /* statistics */
-
-	TRY0(xmlTextWriterEndDocument(writer));
-
-	xmlFreeTextWriter(writer);
-
-	xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 0);
-	xmlFreeDoc(doc);
-	return (ISC_R_SUCCESS);
-
- error:
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_ERROR, "failed generating XML response");
-	if (writer != NULL)
-		xmlFreeTextWriter(writer);
-	if (doc != NULL)
-		xmlFreeDoc(doc);
-	return (ISC_R_FAILURE);
-}
-#else /* OLDSTATS */
-static isc_result_t
-generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
-	char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
-	char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"];
-	isc_time_t now;
-	xmlTextWriterPtr writer = NULL;
-	xmlDocPtr doc = NULL;
-	int xmlrc;
-	dns_view_t *view;
-	stats_dumparg_t dumparg;
-	dns_stats_t *cachestats;
-	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
-	isc_uint64_t resstat_values[dns_resstatscounter_max];
-	isc_uint64_t zonestat_values[dns_zonestatscounter_max];
-	isc_uint64_t sockstat_values[isc_sockstatscounter_max];
-	isc_result_t result;
-
-	isc_time_now(&now);
-	isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime);
-	isc_time_formatISO8601(&now, nowstr, sizeof nowstr);
-
-	writer = xmlNewTextWriterDoc(&doc, 0);
-	if (writer == NULL)
-		goto error;
-	TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
-	TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
-			ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "isc"));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
-					 ISC_XMLCHAR "1.0"));
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "bind"));
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
-	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
-					 ISC_XMLCHAR "2.2"));
-
-	/* Set common fields for statistics dump */
-	dumparg.type = statsformat_xml;
-	dumparg.arg = writer;
-
-	/*
-	 * Start by rendering the views we know of here.  For each view we
-	 * know of, call its rendering function.
-	 */
-	view = ISC_LIST_HEAD(server->viewlist);
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
-	while (view != NULL) {
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "view"));
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
-		TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR view->name));
-		TRY0(xmlTextWriterEndElement(writer));
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones"));
-		result = dns_zt_apply(view->zonetable, ISC_TRUE, zone_xmlrender,
-				      writer);
-		if (result != ISC_R_SUCCESS)
-			goto error;
-		TRY0(xmlTextWriterEndElement(writer));
-
-		if (view->resquerystats != NULL) {
-			dumparg.result = ISC_R_SUCCESS;
-			dns_rdatatypestats_dump(view->resquerystats,
-						rdtypestat_dump, &dumparg, 0);
-			if (dumparg.result != ISC_R_SUCCESS)
-				goto error;
-		}
-
-		if (view->resstats != NULL) {
-			result = dump_counters(view->resstats, statsformat_xml,
-					       writer, "resstat",
-					       resstats_xmldesc,
-					       dns_resstatscounter_max,
-					       resstats_index, resstat_values,
-					       ISC_STATSDUMP_VERBOSE);
-			if (result != ISC_R_SUCCESS)
-				goto error;
-		}
-
-		cachestats = dns_db_getrrsetstats(view->cachedb);
-		if (cachestats != NULL) {
-			TRY0(xmlTextWriterStartElement(writer,
-						       ISC_XMLCHAR "cache"));
-			TRY0(xmlTextWriterWriteAttribute(writer,
-					 ISC_XMLCHAR "name",
-					 ISC_XMLCHAR
-					 dns_cache_getname(view->cache)));
-			dumparg.result = ISC_R_SUCCESS;
-			dns_rdatasetstats_dump(cachestats, rdatasetstats_dump,
-					       &dumparg, 0);
-			if (dumparg.result != ISC_R_SUCCESS)
-				goto error;
-			TRY0(xmlTextWriterEndElement(writer)); /* cache */
-		}
-
-		TRY0(xmlTextWriterEndElement(writer)); /* view */
-
-		view = ISC_LIST_NEXT(view, link);
-	}
-	TRY0(xmlTextWriterEndElement(writer)); /* views */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
-	TRY0(isc_socketmgr_renderxml(ns_g_socketmgr, writer));
-	TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
-	TRY0(isc_taskmgr_renderxml(ns_g_taskmgr, writer));
-	TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time"));
-	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime));
-	TRY0(xmlTextWriterEndElement(writer));
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time"));
-	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr));
-	TRY0(xmlTextWriterEndElement(writer));
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "requests"));
-	dumparg.result = ISC_R_SUCCESS;
-	dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg,
-			     0);
-	if (dumparg.result != ISC_R_SUCCESS)
-		goto error;
-	TRY0(xmlTextWriterEndElement(writer)); /* requests */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "queries-in"));
-	dumparg.result = ISC_R_SUCCESS;
-	dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
-				&dumparg, 0);
-	if (dumparg.result != ISC_R_SUCCESS)
-		goto error;
-	TRY0(xmlTextWriterEndElement(writer)); /* queries-in */
-
-	result = dump_counters(server->nsstats, statsformat_xml, writer,
-			       "nsstat", nsstats_xmldesc,
-				dns_nsstatscounter_max,
-				nsstats_index, nsstat_values,
-				ISC_STATSDUMP_VERBOSE);
-	if (result != ISC_R_SUCCESS)
-		goto error;
-
-	result = dump_counters(server->zonestats, statsformat_xml, writer,
-			       "zonestat", zonestats_xmldesc,
-			       dns_zonestatscounter_max, zonestats_index,
-			       zonestat_values, ISC_STATSDUMP_VERBOSE);
-	if (result != ISC_R_SUCCESS)
-		goto error;
-
-	/*
-	 * Most of the common resolver statistics entries are 0, so we don't
-	 * use the verbose dump here.
-	 */
-	result = dump_counters(server->resolverstats, statsformat_xml, writer,
-			       "resstat", resstats_xmldesc,
-			       dns_resstatscounter_max, resstats_index,
-			       resstat_values, 0);
-	if (result != ISC_R_SUCCESS)
-		goto error;
-
-	result = dump_counters(server->sockstats, statsformat_xml, writer,
-			       "sockstat", sockstats_xmldesc,
-			       isc_sockstatscounter_max, sockstats_index,
-			       sockstat_values, ISC_STATSDUMP_VERBOSE);
-	if (result != ISC_R_SUCCESS)
-		goto error;
-
-	TRY0(xmlTextWriterEndElement(writer)); /* server */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
-	TRY0(isc_mem_renderxml(writer));
-	TRY0(xmlTextWriterEndElement(writer)); /* memory */
-
-	TRY0(xmlTextWriterEndElement(writer)); /* statistics */
-	TRY0(xmlTextWriterEndElement(writer)); /* bind */
-	TRY0(xmlTextWriterEndElement(writer)); /* isc */
-
-	TRY0(xmlTextWriterEndDocument(writer));
-
-	xmlFreeTextWriter(writer);
-
-	xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 1);
-	xmlFreeDoc(doc);
-	return (ISC_R_SUCCESS);
-
- error:
-	if (writer != NULL)
-		xmlFreeTextWriter(writer);
-	if (doc != NULL)
-		xmlFreeDoc(doc);
-	return (ISC_R_FAILURE);
-}
-#endif /* NEWSTATS */
-
-static void
-wrap_xmlfree(isc_buffer_t *buffer, void *arg) {
-	UNUSED(arg);
-
-	xmlFree(isc_buffer_base(buffer));
-}
-
-static isc_result_t
-render_index(const char *url, const char *querystring, void *arg,
-	     unsigned int *retcode, const char **retmsg, const char **mimetype,
-	     isc_buffer_t *b, isc_httpdfree_t **freecb,
-	     void **freecb_args)
-{
-	unsigned char *msg;
-	int msglen;
-	ns_server_t *server = arg;
-	isc_result_t result;
-
-	UNUSED(url);
-	UNUSED(querystring);
-
-	result = generatexml(server, &msglen, &msg);
-
-	if (result == ISC_R_SUCCESS) {
-		*retcode = 200;
-		*retmsg = "OK";
-		*mimetype = "text/xml";
-		isc_buffer_reinit(b, msg, msglen);
-		isc_buffer_add(b, msglen);
-		*freecb = wrap_xmlfree;
-		*freecb_args = NULL;
-	} else
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "failed at rendering XML()");
-
-	return (result);
-}
-
-#endif	/* HAVE_LIBXML2 */
-
-static isc_result_t
-render_xsl(const char *url, const char *querystring, void *args,
-	   unsigned int *retcode, const char **retmsg, const char **mimetype,
-	   isc_buffer_t *b, isc_httpdfree_t **freecb,
-	   void **freecb_args)
-{
-	UNUSED(url);
-	UNUSED(querystring);
-	UNUSED(args);
-
-	*retcode = 200;
-	*retmsg = "OK";
-	*mimetype = "text/xslt+xml";
-	isc_buffer_reinit(b, xslmsg, strlen(xslmsg));
-	isc_buffer_add(b, strlen(xslmsg));
-	*freecb = NULL;
-	*freecb_args = NULL;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-shutdown_listener(ns_statschannel_t *listener) {
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-	isc_sockaddr_format(&listener->address, socktext, sizeof(socktext));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
-		      ISC_LOG_NOTICE, "stopping statistics channel on %s",
-		      socktext);
-
-	isc_httpdmgr_shutdown(&listener->httpdmgr);
-}
-
-static isc_boolean_t
-client_ok(const isc_sockaddr_t *fromaddr, void *arg) {
-	ns_statschannel_t *listener = arg;
-	isc_netaddr_t netaddr;
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-	int match;
-
-	REQUIRE(listener != NULL);
-
-	isc_netaddr_fromsockaddr(&netaddr, fromaddr);
-
-	LOCK(&listener->lock);
-	if (dns_acl_match(&netaddr, NULL, listener->acl, &ns_g_server->aclenv,
-			  &match, NULL) == ISC_R_SUCCESS && match > 0) {
-		UNLOCK(&listener->lock);
-		return (ISC_TRUE);
-	}
-	UNLOCK(&listener->lock);
-
-	isc_sockaddr_format(fromaddr, socktext, sizeof(socktext));
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-		      "rejected statistics connection from %s", socktext);
-
-	return (ISC_FALSE);
-}
-
-static void
-destroy_listener(void *arg) {
-	ns_statschannel_t *listener = arg;
-
-	REQUIRE(listener != NULL);
-	REQUIRE(!ISC_LINK_LINKED(listener, link));
-
-	/* We don't have to acquire the lock here since it's already unlinked */
-	dns_acl_detach(&listener->acl);
-
-	DESTROYLOCK(&listener->lock);
-	isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
-}
-
-static isc_result_t
-add_listener(ns_server_t *server, ns_statschannel_t **listenerp,
-	     const cfg_obj_t *listen_params, const cfg_obj_t *config,
-	     isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
-	     const char *socktext)
-{
-	isc_result_t result;
-	ns_statschannel_t *listener;
-	isc_task_t *task = NULL;
-	isc_socket_t *sock = NULL;
-	const cfg_obj_t *allow;
-	dns_acl_t *new_acl = NULL;
-
-	listener = isc_mem_get(server->mctx, sizeof(*listener));
-	if (listener == NULL)
-		return (ISC_R_NOMEMORY);
-
-	listener->httpdmgr = NULL;
-	listener->address = *addr;
-	listener->acl = NULL;
-	listener->mctx = NULL;
-	ISC_LINK_INIT(listener, link);
-
-	result = isc_mutex_init(&listener->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(server->mctx, listener, sizeof(*listener));
-		return (ISC_R_FAILURE);
-	}
-
-	isc_mem_attach(server->mctx, &listener->mctx);
-
-	allow = cfg_tuple_get(listen_params, "allow");
-	if (allow != NULL && cfg_obj_islist(allow)) {
-		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
-					    aclconfctx, listener->mctx, 0,
-					    &new_acl);
-	} else
-		result = dns_acl_any(listener->mctx, &new_acl);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	dns_acl_attach(new_acl, &listener->acl);
-	dns_acl_detach(&new_acl);
-
-	result = isc_task_create(ns_g_taskmgr, 0, &task);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	isc_task_setname(task, "statchannel", NULL);
-
-	result = isc_socket_create(ns_g_socketmgr, isc_sockaddr_pf(addr),
-				   isc_sockettype_tcp, &sock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	isc_socket_setname(sock, "statchannel", NULL);
-
-#ifndef ISC_ALLOW_MAPPED
-	isc_socket_ipv6only(sock, ISC_TRUE);
-#endif
-
-	result = isc_socket_bind(sock, addr, ISC_SOCKET_REUSEADDRESS);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = isc_httpdmgr_create(server->mctx, sock, task, client_ok,
-				     destroy_listener, listener, ns_g_timermgr,
-				     &listener->httpdmgr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-#ifdef HAVE_LIBXML2
-	isc_httpdmgr_addurl(listener->httpdmgr, "/", render_index, server);
-	isc_httpdmgr_addurl(listener->httpdmgr, "/xml", render_index, server);
-#ifdef NEWSTATS
-	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v3", render_index,
-			    server);
-#else /* OLDSTATS */
-	isc_httpdmgr_addurl(listener->httpdmgr, "/xml/v2", render_index,
-			    server);
-#endif /* NEWSTATS */
-#endif
-#ifdef NEWSTATS
-	isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.ver3.xsl", render_xsl,
-			    server);
-#else /* OLDSTATS */
-	isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.xsl", render_xsl,
-			    server);
-#endif /* NEWSTATS */
-	*listenerp = listener;
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_SERVER, ISC_LOG_NOTICE,
-		      "statistics channel listening on %s", socktext);
-
-cleanup:
-	if (result != ISC_R_SUCCESS) {
-		if (listener->acl != NULL)
-			dns_acl_detach(&listener->acl);
-		DESTROYLOCK(&listener->lock);
-		isc_mem_putanddetach(&listener->mctx, listener,
-				     sizeof(*listener));
-	}
-	if (task != NULL)
-		isc_task_detach(&task);
-	if (sock != NULL)
-		isc_socket_detach(&sock);
-
-	return (result);
-}
-
-static void
-update_listener(ns_server_t *server, ns_statschannel_t **listenerp,
-		const cfg_obj_t *listen_params, const cfg_obj_t *config,
-		isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
-		const char *socktext)
-{
-	ns_statschannel_t *listener;
-	const cfg_obj_t *allow = NULL;
-	dns_acl_t *new_acl = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	for (listener = ISC_LIST_HEAD(server->statschannels);
-	     listener != NULL;
-	     listener = ISC_LIST_NEXT(listener, link))
-		if (isc_sockaddr_equal(addr, &listener->address))
-			break;
-
-	if (listener == NULL) {
-		*listenerp = NULL;
-		return;
-	}
-
-	/*
-	 * Now, keep the old access list unless a new one can be made.
-	 */
-	allow = cfg_tuple_get(listen_params, "allow");
-	if (allow != NULL && cfg_obj_islist(allow)) {
-		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
-					    aclconfctx, listener->mctx, 0,
-					    &new_acl);
-	} else
-		result = dns_acl_any(listener->mctx, &new_acl);
-
-	if (result == ISC_R_SUCCESS) {
-		LOCK(&listener->lock);
-
-		dns_acl_detach(&listener->acl);
-		dns_acl_attach(new_acl, &listener->acl);
-		dns_acl_detach(&new_acl);
-
-		UNLOCK(&listener->lock);
-	} else {
-		cfg_obj_log(listen_params, ns_g_lctx, ISC_LOG_WARNING,
-			    "couldn't install new acl for "
-			    "statistics channel %s: %s",
-			    socktext, isc_result_totext(result));
-	}
-
-	*listenerp = listener;
-}
-
-isc_result_t
-ns_statschannels_configure(ns_server_t *server, const cfg_obj_t *config,
-			 cfg_aclconfctx_t *aclconfctx)
-{
-	ns_statschannel_t *listener, *listener_next;
-	ns_statschannellist_t new_listeners;
-	const cfg_obj_t *statschannellist = NULL;
-	const cfg_listelt_t *element, *element2;
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-
-	RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
-
-	ISC_LIST_INIT(new_listeners);
-
-	/*
-	 * Get the list of named.conf 'statistics-channels' statements.
-	 */
-	(void)cfg_map_get(config, "statistics-channels", &statschannellist);
-
-	/*
-	 * Run through the new address/port list, noting sockets that are
-	 * already being listened on and moving them to the new list.
-	 *
-	 * Identifying duplicate addr/port combinations is left to either
-	 * the underlying config code, or to the bind attempt getting an
-	 * address-in-use error.
-	 */
-	if (statschannellist != NULL) {
-#ifndef HAVE_LIBXML2
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-			      "statistics-channels specified but not effective "
-			      "due to missing XML library");
-#endif
-
-		for (element = cfg_list_first(statschannellist);
-		     element != NULL;
-		     element = cfg_list_next(element)) {
-			const cfg_obj_t *statschannel;
-			const cfg_obj_t *listenercfg = NULL;
-
-			statschannel = cfg_listelt_value(element);
-			(void)cfg_map_get(statschannel, "inet",
-					  &listenercfg);
-			if (listenercfg == NULL)
-				continue;
-
-			for (element2 = cfg_list_first(listenercfg);
-			     element2 != NULL;
-			     element2 = cfg_list_next(element2)) {
-				const cfg_obj_t *listen_params;
-				const cfg_obj_t *obj;
-				isc_sockaddr_t addr;
-
-				listen_params = cfg_listelt_value(element2);
-
-				obj = cfg_tuple_get(listen_params, "address");
-				addr = *cfg_obj_assockaddr(obj);
-				if (isc_sockaddr_getport(&addr) == 0)
-					isc_sockaddr_setport(&addr,
-						     NS_STATSCHANNEL_HTTPPORT);
-
-				isc_sockaddr_format(&addr, socktext,
-						    sizeof(socktext));
-
-				isc_log_write(ns_g_lctx,
-					      NS_LOGCATEGORY_GENERAL,
-					      NS_LOGMODULE_SERVER,
-					      ISC_LOG_DEBUG(9),
-					      "processing statistics "
-					      "channel %s",
-					      socktext);
-
-				update_listener(server, &listener,
-						listen_params, config, &addr,
-						aclconfctx, socktext);
-
-				if (listener != NULL) {
-					/*
-					 * Remove the listener from the old
-					 * list, so it won't be shut down.
-					 */
-					ISC_LIST_UNLINK(server->statschannels,
-							listener, link);
-				} else {
-					/*
-					 * This is a new listener.
-					 */
-					isc_result_t r;
-
-					r = add_listener(server, &listener,
-							 listen_params, config,
-							 &addr, aclconfctx,
-							 socktext);
-					if (r != ISC_R_SUCCESS) {
-						cfg_obj_log(listen_params,
-							    ns_g_lctx,
-							    ISC_LOG_WARNING,
-							    "couldn't allocate "
-							    "statistics channel"
-							    " %s: %s",
-							    socktext,
-							    isc_result_totext(r));
-					}
-				}
-
-				if (listener != NULL)
-					ISC_LIST_APPEND(new_listeners, listener,
-							link);
-			}
-		}
-	}
-
-	for (listener = ISC_LIST_HEAD(server->statschannels);
-	     listener != NULL;
-	     listener = listener_next) {
-		listener_next = ISC_LIST_NEXT(listener, link);
-		ISC_LIST_UNLINK(server->statschannels, listener, link);
-		shutdown_listener(listener);
-	}
-
-	ISC_LIST_APPENDLIST(server->statschannels, new_listeners, link);
-	return (ISC_R_SUCCESS);
-}
-
-void
-ns_statschannels_shutdown(ns_server_t *server) {
-	ns_statschannel_t *listener;
-
-	while ((listener = ISC_LIST_HEAD(server->statschannels)) != NULL) {
-		ISC_LIST_UNLINK(server->statschannels, listener, link);
-		shutdown_listener(listener);
-	}
-}
-
-isc_result_t
-ns_stats_dump(ns_server_t *server, FILE *fp) {
-	isc_stdtime_t now;
-	isc_result_t result;
-	dns_view_t *view;
-	dns_zone_t *zone, *next;
-	stats_dumparg_t dumparg;
-	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
-	isc_uint64_t resstat_values[dns_resstatscounter_max];
-	isc_uint64_t zonestat_values[dns_zonestatscounter_max];
-	isc_uint64_t sockstat_values[isc_sockstatscounter_max];
-
-	RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
-
-	/* Set common fields */
-	dumparg.type = statsformat_file;
-	dumparg.arg = fp;
-
-	isc_stdtime_get(&now);
-	fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
-
-	fprintf(fp, "++ Incoming Requests ++\n");
-	dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg, 0);
-
-	fprintf(fp, "++ Incoming Queries ++\n");
-	dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
-				&dumparg, 0);
-
-	fprintf(fp, "++ Outgoing Queries ++\n");
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->resquerystats == NULL)
-			continue;
-		if (strcmp(view->name, "_default") == 0)
-			fprintf(fp, "[View: default]\n");
-		else
-			fprintf(fp, "[View: %s]\n", view->name);
-		dns_rdatatypestats_dump(view->resquerystats, rdtypestat_dump,
-					&dumparg, 0);
-	}
-
-	fprintf(fp, "++ Name Server Statistics ++\n");
-	(void) dump_counters(server->nsstats, statsformat_file, fp, NULL,
-			     nsstats_desc, dns_nsstatscounter_max,
-			     nsstats_index, nsstat_values, 0);
-
-	fprintf(fp, "++ Zone Maintenance Statistics ++\n");
-	(void) dump_counters(server->zonestats, statsformat_file, fp, NULL,
-			     zonestats_desc, dns_zonestatscounter_max,
-			     zonestats_index, zonestat_values, 0);
-
-	fprintf(fp, "++ Resolver Statistics ++\n");
-	fprintf(fp, "[Common]\n");
-	(void) dump_counters(server->resolverstats, statsformat_file, fp, NULL,
-			     resstats_desc, dns_resstatscounter_max,
-			     resstats_index, resstat_values, 0);
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->resstats == NULL)
-			continue;
-		if (strcmp(view->name, "_default") == 0)
-			fprintf(fp, "[View: default]\n");
-		else
-			fprintf(fp, "[View: %s]\n", view->name);
-		(void) dump_counters(view->resstats, statsformat_file, fp, NULL,
-				     resstats_desc, dns_resstatscounter_max,
-				     resstats_index, resstat_values, 0);
-	}
-
-	fprintf(fp, "++ Cache DB RRsets ++\n");
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-		dns_stats_t *cachestats;
-
-		cachestats = dns_db_getrrsetstats(view->cachedb);
-		if (cachestats == NULL)
-			continue;
-		if (strcmp(view->name, "_default") == 0)
-			fprintf(fp, "[View: default]\n");
-		else
-			fprintf(fp, "[View: %s (Cache: %s)]\n", view->name,
-				dns_cache_getname(view->cache));
-		if (dns_view_iscacheshared(view)) {
-			/*
-			 * Avoid dumping redundant statistics when the cache is
-			 * shared.
-			 */
-			continue;
-		}
-		dns_rdatasetstats_dump(cachestats, rdatasetstats_dump, &dumparg,
-				       0);
-	}
-
-	fprintf(fp, "++ Socket I/O Statistics ++\n");
-	(void) dump_counters(server->sockstats, statsformat_file, fp, NULL,
-			     sockstats_desc, isc_sockstatscounter_max,
-			     sockstats_index, sockstat_values, 0);
-
-	fprintf(fp, "++ Per Zone Query Statistics ++\n");
-	zone = NULL;
-	for (result = dns_zone_first(server->zonemgr, &zone);
-	     result == ISC_R_SUCCESS;
-	     next = NULL, result = dns_zone_next(zone, &next), zone = next)
-	{
-		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
-		if (zonestats != NULL) {
-			char zonename[DNS_NAME_FORMATSIZE];
-
-			dns_name_format(dns_zone_getorigin(zone),
-					zonename, sizeof(zonename));
-			view = dns_zone_getview(zone);
-
-			fprintf(fp, "[%s", zonename);
-			if (strcmp(view->name, "_default") != 0)
-				fprintf(fp, " (view: %s)", view->name);
-			fprintf(fp, "]\n");
-
-			(void) dump_counters(zonestats, statsformat_file, fp,
-					     NULL, nsstats_desc,
-					     dns_nsstatscounter_max,
-					     nsstats_index, nsstat_values, 0);
-		}
-	}
-
-	fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
-
-	return (ISC_R_SUCCESS);	/* this function currently always succeeds */
-}
diff --git a/contrib/bind9/bin/named/tkeyconf.c b/contrib/bind9/bin/named/tkeyconf.c
deleted file mode 100644
index e952059..0000000
--- a/contrib/bind9/bin/named/tkeyconf.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tkeyconf.c,v 1.33 2010/12/20 23:47:20 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/mem.h>
-
-#include <isccfg/cfg.h>
-
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-#include <dns/tkey.h>
-
-#include <dst/gssapi.h>
-
-#include <named/tkeyconf.h>
-
-#define RETERR(x) do { \
-	result = (x); \
-	if (result != ISC_R_SUCCESS) \
-		goto failure; \
-	} while (0)
-
-#include<named/log.h>
-#define LOG(msg) \
-	isc_log_write(ns_g_lctx, \
-	NS_LOGCATEGORY_GENERAL, \
-	NS_LOGMODULE_SERVER, \
-	ISC_LOG_ERROR, \
-	"%s", msg)
-
-isc_result_t
-ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
-		      isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
-{
-	isc_result_t result;
-	dns_tkeyctx_t *tctx = NULL;
-	const char *s;
-	isc_uint32_t n;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	isc_buffer_t b;
-	const cfg_obj_t *obj;
-	int type;
-
-	result = dns_tkeyctx_create(mctx, ectx, &tctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	obj = NULL;
-	result = cfg_map_get(options, "tkey-dhkey", &obj);
-	if (result == ISC_R_SUCCESS) {
-		s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
-		n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
-		isc_buffer_constinit(&b, s, strlen(s));
-		isc_buffer_add(&b, strlen(s));
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
-		type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY;
-		RETERR(dst_key_fromfile(name, (dns_keytag_t) n, DNS_KEYALG_DH,
-					type, NULL, mctx, &tctx->dhkey));
-	}
-
-	obj = NULL;
-	result = cfg_map_get(options, "tkey-domain", &obj);
-	if (result == ISC_R_SUCCESS) {
-		s = cfg_obj_asstring(obj);
-		isc_buffer_constinit(&b, s, strlen(s));
-		isc_buffer_add(&b, strlen(s));
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
-		tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
-		if (tctx->domain == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto failure;
-		}
-		dns_name_init(tctx->domain, NULL);
-		RETERR(dns_name_dup(name, mctx, tctx->domain));
-	}
-
-	obj = NULL;
-	result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
-	if (result == ISC_R_SUCCESS) {
-		s = cfg_obj_asstring(obj);
-
-		isc_buffer_constinit(&b, s, strlen(s));
-		isc_buffer_add(&b, strlen(s));
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
-		RETERR(dst_gssapi_acquirecred(name, ISC_FALSE, &tctx->gsscred));
-	}
-
-	obj = NULL;
-	result = cfg_map_get(options, "tkey-gssapi-keytab", &obj);
-	if (result == ISC_R_SUCCESS) {
-		s = cfg_obj_asstring(obj);
-		tctx->gssapi_keytab = isc_mem_strdup(mctx, s);
-		if (tctx->gssapi_keytab == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto failure;
-		}
-	}
-
-
-	*tctxp = tctx;
-	return (ISC_R_SUCCESS);
-
- failure:
-	dns_tkeyctx_destroy(&tctx);
-	return (result);
-}
-
diff --git a/contrib/bind9/bin/named/tsigconf.c b/contrib/bind9/bin/named/tsigconf.c
deleted file mode 100644
index eef87e9..0000000
--- a/contrib/bind9/bin/named/tsigconf.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsigconf.c,v 1.35 2011/01/11 23:47:12 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-
-#include <isccfg/cfg.h>
-
-#include <dns/tsig.h>
-#include <dns/result.h>
-
-#include <named/log.h>
-
-#include <named/config.h>
-#include <named/tsigconf.h>
-
-static isc_result_t
-add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
-		 isc_mem_t *mctx)
-{
-	dns_tsigkey_t *tsigkey = NULL;
-	const cfg_listelt_t *element;
-	const cfg_obj_t *key = NULL;
-	const char *keyid = NULL;
-	unsigned char *secret = NULL;
-	int secretalloc = 0;
-	int secretlen = 0;
-	isc_result_t ret;
-	isc_stdtime_t now;
-	isc_uint16_t bits;
-
-	for (element = cfg_list_first(list);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *algobj = NULL;
-		const cfg_obj_t *secretobj = NULL;
-		dns_name_t keyname;
-		dns_name_t *alg;
-		const char *algstr;
-		char keynamedata[1024];
-		isc_buffer_t keynamesrc, keynamebuf;
-		const char *secretstr;
-		isc_buffer_t secretbuf;
-
-		key = cfg_listelt_value(element);
-		keyid = cfg_obj_asstring(cfg_map_getname(key));
-
-		algobj = NULL;
-		secretobj = NULL;
-		(void)cfg_map_get(key, "algorithm", &algobj);
-		(void)cfg_map_get(key, "secret", &secretobj);
-		INSIST(algobj != NULL && secretobj != NULL);
-
-		/*
-		 * Create the key name.
-		 */
-		dns_name_init(&keyname, NULL);
-		isc_buffer_constinit(&keynamesrc, keyid, strlen(keyid));
-		isc_buffer_add(&keynamesrc, strlen(keyid));
-		isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
-		ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
-					DNS_NAME_DOWNCASE, &keynamebuf);
-		if (ret != ISC_R_SUCCESS)
-			goto failure;
-
-		/*
-		 * Create the algorithm.
-		 */
-		algstr = cfg_obj_asstring(algobj);
-		if (ns_config_getkeyalgorithm(algstr, &alg, &bits)
-		    != ISC_R_SUCCESS) {
-			cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR,
-				    "key '%s': has a unsupported algorithm '%s'",
-				    keyid, algstr);
-			ret = DNS_R_BADALG;
-			goto failure;
-		}
-
-		secretstr = cfg_obj_asstring(secretobj);
-		secretalloc = secretlen = strlen(secretstr) * 3 / 4;
-		secret = isc_mem_get(mctx, secretlen);
-		if (secret == NULL) {
-			ret = ISC_R_NOMEMORY;
-			goto failure;
-		}
-		isc_buffer_init(&secretbuf, secret, secretlen);
-		ret = isc_base64_decodestring(secretstr, &secretbuf);
-		if (ret != ISC_R_SUCCESS)
-			goto failure;
-		secretlen = isc_buffer_usedlength(&secretbuf);
-
-		isc_stdtime_get(&now);
-		ret = dns_tsigkey_create(&keyname, alg, secret, secretlen,
-					 ISC_FALSE, NULL, now, now,
-					 mctx, ring, &tsigkey);
-		isc_mem_put(mctx, secret, secretalloc);
-		secret = NULL;
-		if (ret != ISC_R_SUCCESS)
-			goto failure;
-		/*
-		 * Set digest bits.
-		 */
-		dst_key_setbits(tsigkey->key, bits);
-		dns_tsigkey_detach(&tsigkey);
-	}
-
-	return (ISC_R_SUCCESS);
-
- failure:
-	cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
-		    "configuring key '%s': %s", keyid,
-		    isc_result_totext(ret));
-
-	if (secret != NULL)
-		isc_mem_put(mctx, secret, secretalloc);
-	return (ret);
-}
-
-isc_result_t
-ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-			  isc_mem_t *mctx, dns_tsig_keyring_t **ringp)
-{
-	const cfg_obj_t *maps[3];
-	const cfg_obj_t *keylist;
-	dns_tsig_keyring_t *ring = NULL;
-	isc_result_t result;
-	int i;
-
-	REQUIRE(ringp != NULL && *ringp == NULL);
-
-	i = 0;
-	if (config != NULL)
-		maps[i++] = config;
-	if (vconfig != NULL)
-		maps[i++] = cfg_tuple_get(vconfig, "options");
-	maps[i] = NULL;
-
-	result = dns_tsigkeyring_create(mctx, &ring);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	for (i = 0; ; i++) {
-		if (maps[i] == NULL)
-			break;
-		keylist = NULL;
-		result = cfg_map_get(maps[i], "key", &keylist);
-		if (result != ISC_R_SUCCESS)
-			continue;
-		result = add_initial_keys(keylist, ring, mctx);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-	}
-
-	*ringp = ring;
-	return (ISC_R_SUCCESS);
-
- failure:
-	dns_tsigkeyring_detach(&ring);
-	return (result);
-}
diff --git a/contrib/bind9/bin/named/unix/Makefile.in b/contrib/bind9/bin/named/unix/Makefile.in
deleted file mode 100644
index 17bb43e..0000000
--- a/contrib/bind9/bin/named/unix/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.15 2011/03/10 23:47:49 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
-		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
-		${DNS_INCLUDES} ${ISC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-OBJS =		os.@O@ dlz_dlopen_driver.@O@
-
-SRCS =		os.c dlz_dlopen_driver.c
-
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/named/unix/dlz_dlopen_driver.c b/contrib/bind9/bin/named/unix/dlz_dlopen_driver.c
deleted file mode 100644
index 2ba8a02..0000000
--- a/contrib/bind9/bin/named/unix/dlz_dlopen_driver.c
+++ /dev/null
@@ -1,625 +0,0 @@
-/*
- * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <dlfcn.h>
-
-#include <dns/log.h>
-#include <dns/result.h>
-#include <dns/dlz_dlopen.h>
-
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/util.h>
-
-#include <named/globals.h>
-
-#include <dlz/dlz_dlopen_driver.h>
-
-#ifdef ISC_DLZ_DLOPEN
-static dns_sdlzimplementation_t *dlz_dlopen = NULL;
-
-
-typedef struct dlopen_data {
-	isc_mem_t *mctx;
-	char *dl_path;
-	char *dlzname;
-	void *dl_handle;
-	void *dbdata;
-	unsigned int flags;
-	isc_mutex_t lock;
-	int version;
-	isc_boolean_t in_configure;
-
-	dlz_dlopen_version_t *dlz_version;
-	dlz_dlopen_create_t *dlz_create;
-	dlz_dlopen_findzonedb_t *dlz_findzonedb;
-	dlz_dlopen_lookup_t *dlz_lookup;
-	dlz_dlopen_authority_t *dlz_authority;
-	dlz_dlopen_allnodes_t *dlz_allnodes;
-	dlz_dlopen_allowzonexfr_t *dlz_allowzonexfr;
-	dlz_dlopen_newversion_t *dlz_newversion;
-	dlz_dlopen_closeversion_t *dlz_closeversion;
-	dlz_dlopen_configure_t *dlz_configure;
-	dlz_dlopen_ssumatch_t *dlz_ssumatch;
-	dlz_dlopen_addrdataset_t *dlz_addrdataset;
-	dlz_dlopen_subrdataset_t *dlz_subrdataset;
-	dlz_dlopen_delrdataset_t *dlz_delrdataset;
-	dlz_dlopen_destroy_t *dlz_destroy;
-} dlopen_data_t;
-
-/* Modules can choose whether they are lock-safe or not. */
-#define MAYBE_LOCK(cd) \
-	do { \
-		if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
-		    cd->in_configure == ISC_FALSE) \
-			LOCK(&cd->lock); \
-	} while (0)
-
-#define MAYBE_UNLOCK(cd) \
-	do { \
-		if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
-		    cd->in_configure == ISC_FALSE) \
-			UNLOCK(&cd->lock); \
-	} while (0)
-
-/*
- * Log a message at the given level.
- */
-static void dlopen_log(int level, const char *fmt, ...)
-{
-	va_list ap;
-	va_start(ap, fmt);
-	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-		       DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(level),
-		       fmt, ap);
-	va_end(ap);
-}
-
-/*
- * SDLZ methods
- */
-
-static isc_result_t
-dlopen_dlz_allnodes(const char *zone, void *driverarg, void *dbdata,
-		    dns_sdlzallnodes_t *allnodes)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_allnodes == NULL) {
-		return (ISC_R_NOPERM);
-	}
-
-	MAYBE_LOCK(cd);
-	result = cd->dlz_allnodes(zone, cd->dbdata, allnodes);
-	MAYBE_UNLOCK(cd);
-	return (result);
-}
-
-
-static isc_result_t
-dlopen_dlz_allowzonexfr(void *driverarg, void *dbdata, const char *name,
-			const char *client)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-	UNUSED(driverarg);
-
-
-	if (cd->dlz_allowzonexfr == NULL) {
-		return (ISC_R_NOPERM);
-	}
-
-	MAYBE_LOCK(cd);
-	result = cd->dlz_allowzonexfr(cd->dbdata, name, client);
-	MAYBE_UNLOCK(cd);
-	return (result);
-}
-
-static isc_result_t
-dlopen_dlz_authority(const char *zone, void *driverarg, void *dbdata,
-		     dns_sdlzlookup_t *lookup)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_authority == NULL) {
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-
-	MAYBE_LOCK(cd);
-	result = cd->dlz_authority(zone, cd->dbdata, lookup);
-	MAYBE_UNLOCK(cd);
-	return (result);
-}
-
-static isc_result_t
-dlopen_dlz_findzonedb(void *driverarg, void *dbdata, const char *name)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-	UNUSED(driverarg);
-
-	MAYBE_LOCK(cd);
-	result = cd->dlz_findzonedb(cd->dbdata, name);
-	MAYBE_UNLOCK(cd);
-	return (result);
-}
-
-
-static isc_result_t
-dlopen_dlz_lookup(const char *zone, const char *name, void *driverarg,
-		  void *dbdata, dns_sdlzlookup_t *lookup,
-		  dns_clientinfomethods_t *methods,
-		  dns_clientinfo_t *clientinfo)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-	UNUSED(driverarg);
-
-	MAYBE_LOCK(cd);
-	result = cd->dlz_lookup(zone, name, cd->dbdata, lookup,
-				methods, clientinfo);
-	MAYBE_UNLOCK(cd);
-	return (result);
-}
-
-/*
- * Load a symbol from the library
- */
-static void *
-dl_load_symbol(dlopen_data_t *cd, const char *symbol, isc_boolean_t mandatory) {
-	void *ptr = dlsym(cd->dl_handle, symbol);
-	if (ptr == NULL && mandatory) {
-		dlopen_log(ISC_LOG_ERROR,
-			   "dlz_dlopen: library '%s' is missing "
-			   "required symbol '%s'", cd->dl_path, symbol);
-	}
-	return (ptr);
-}
-
-/*
- * Called at startup for each dlopen zone in named.conf
- */
-static isc_result_t
-dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
-		  void *driverarg, void **dbdata)
-{
-	dlopen_data_t *cd;
-	isc_mem_t *mctx = NULL;
-	isc_result_t result = ISC_R_FAILURE;
-	int dlopen_flags = 0;
-
-	UNUSED(driverarg);
-
-	if (argc < 2) {
-		dlopen_log(ISC_LOG_ERROR,
-			   "dlz_dlopen driver for '%s' needs a path to "
-			   "the shared library", dlzname);
-		return (ISC_R_FAILURE);
-	}
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	cd = isc_mem_get(mctx, sizeof(*cd));
-	if (cd == NULL) {
-		isc_mem_destroy(&mctx);
-		return (ISC_R_NOMEMORY);
-	}
-	memset(cd, 0, sizeof(*cd));
-
-	cd->mctx = mctx;
-
-	cd->dl_path = isc_mem_strdup(cd->mctx, argv[1]);
-	if (cd->dl_path == NULL) {
-		goto failed;
-	}
-
-	cd->dlzname = isc_mem_strdup(cd->mctx, dlzname);
-	if (cd->dlzname == NULL) {
-		goto failed;
-	}
-
-	/* Initialize the lock */
-	result = isc_mutex_init(&cd->lock);
-	if (result != ISC_R_SUCCESS)
-		goto failed;
-
-	/* Open the library */
-	dlopen_flags = RTLD_NOW|RTLD_GLOBAL;
-
-#ifdef RTLD_DEEPBIND
-	/*
-	 * If RTLD_DEEPBIND is available then use it. This can avoid
-	 * issues with a module using a different version of a system
-	 * library than one that bind9 uses. For example, bind9 may link
-	 * to MIT kerberos, but the module may use Heimdal. If we don't
-	 * use RTLD_DEEPBIND then we could end up with Heimdal functions
-	 * calling MIT functions, which leads to bizarre results (usually
-	 * a segfault).
-	 */
-	dlopen_flags |= RTLD_DEEPBIND;
-#endif
-
-	cd->dl_handle = dlopen(cd->dl_path, dlopen_flags);
-	if (cd->dl_handle == NULL) {
-		dlopen_log(ISC_LOG_ERROR,
-			   "dlz_dlopen failed to open library '%s' - %s",
-			   cd->dl_path, dlerror());
-		goto failed;
-	}
-
-	/* Find the symbols */
-	cd->dlz_version = (dlz_dlopen_version_t *)
-		dl_load_symbol(cd, "dlz_version", ISC_TRUE);
-	cd->dlz_create = (dlz_dlopen_create_t *)
-		dl_load_symbol(cd, "dlz_create", ISC_TRUE);
-	cd->dlz_lookup = (dlz_dlopen_lookup_t *)
-		dl_load_symbol(cd, "dlz_lookup", ISC_TRUE);
-	cd->dlz_findzonedb = (dlz_dlopen_findzonedb_t *)
-		dl_load_symbol(cd, "dlz_findzonedb", ISC_TRUE);
-
-	if (cd->dlz_create == NULL ||
-	    cd->dlz_lookup == NULL ||
-	    cd->dlz_findzonedb == NULL)
-	{
-		/* We're missing a required symbol */
-		goto failed;
-	}
-
-	cd->dlz_allowzonexfr = (dlz_dlopen_allowzonexfr_t *)
-		dl_load_symbol(cd, "dlz_allowzonexfr", ISC_FALSE);
-	cd->dlz_allnodes = (dlz_dlopen_allnodes_t *)
-		dl_load_symbol(cd, "dlz_allnodes",
-			       ISC_TF(cd->dlz_allowzonexfr != NULL));
-	cd->dlz_authority = (dlz_dlopen_authority_t *)
-		dl_load_symbol(cd, "dlz_authority", ISC_FALSE);
-	cd->dlz_newversion = (dlz_dlopen_newversion_t *)
-		dl_load_symbol(cd, "dlz_newversion", ISC_FALSE);
-	cd->dlz_closeversion = (dlz_dlopen_closeversion_t *)
-		dl_load_symbol(cd, "dlz_closeversion",
-			       ISC_TF(cd->dlz_newversion != NULL));
-	cd->dlz_configure = (dlz_dlopen_configure_t *)
-		dl_load_symbol(cd, "dlz_configure", ISC_FALSE);
-	cd->dlz_ssumatch = (dlz_dlopen_ssumatch_t *)
-		dl_load_symbol(cd, "dlz_ssumatch", ISC_FALSE);
-	cd->dlz_addrdataset = (dlz_dlopen_addrdataset_t *)
-		dl_load_symbol(cd, "dlz_addrdataset", ISC_FALSE);
-	cd->dlz_subrdataset = (dlz_dlopen_subrdataset_t *)
-		dl_load_symbol(cd, "dlz_subrdataset", ISC_FALSE);
-	cd->dlz_delrdataset = (dlz_dlopen_delrdataset_t *)
-		dl_load_symbol(cd, "dlz_delrdataset", ISC_FALSE);
-	cd->dlz_destroy = (dlz_dlopen_destroy_t *)
-		dl_load_symbol(cd, "dlz_destroy", ISC_FALSE);
-
-	/* Check the version of the API is the same */
-	cd->version = cd->dlz_version(&cd->flags);
-	if (cd->version != DLZ_DLOPEN_VERSION) {
-		dlopen_log(ISC_LOG_ERROR,
-			   "dlz_dlopen: incorrect version %d "
-			   "should be %d in '%s'",
-			   cd->version, DLZ_DLOPEN_VERSION, cd->dl_path);
-		goto failed;
-	}
-
-	/*
-	 * Call the library's create function. Note that this is an
-	 * extended version of dlz create, with the addition of
-	 * named function pointers for helper functions that the
-	 * driver will need. This avoids the need for the backend to
-	 * link the BIND9 libraries
-	 */
-	MAYBE_LOCK(cd);
-	result = cd->dlz_create(dlzname, argc-1, argv+1,
-				&cd->dbdata,
-				"log", dlopen_log,
-				"putrr", dns_sdlz_putrr,
-				"putnamedrr", dns_sdlz_putnamedrr,
-				"writeable_zone", dns_dlz_writeablezone,
-				NULL);
-	MAYBE_UNLOCK(cd);
-	if (result != ISC_R_SUCCESS)
-		goto failed;
-
-	*dbdata = cd;
-
-	return (ISC_R_SUCCESS);
-
-failed:
-	dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
-	if (cd->dl_path != NULL)
-		isc_mem_free(mctx, cd->dl_path);
-	if (cd->dlzname != NULL)
-		isc_mem_free(mctx, cd->dlzname);
-	if (dlopen_flags != 0)
-		(void) isc_mutex_destroy(&cd->lock);
-#ifdef HAVE_DLCLOSE
-	if (cd->dl_handle)
-		dlclose(cd->dl_handle);
-#endif
-	isc_mem_put(mctx, cd, sizeof(*cd));
-	isc_mem_destroy(&mctx);
-	return (result);
-}
-
-
-/*
- * Called when bind is shutting down
- */
-static void
-dlopen_dlz_destroy(void *driverarg, void *dbdata) {
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_mem_t *mctx;
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_destroy) {
-		MAYBE_LOCK(cd);
-		cd->dlz_destroy(cd->dbdata);
-		MAYBE_UNLOCK(cd);
-	}
-
-	if (cd->dl_path)
-		isc_mem_free(cd->mctx, cd->dl_path);
-	if (cd->dlzname)
-		isc_mem_free(cd->mctx, cd->dlzname);
-
-#ifdef HAVE_DLCLOSE
-	if (cd->dl_handle)
-		dlclose(cd->dl_handle);
-#endif
-
-	(void) isc_mutex_destroy(&cd->lock);
-
-	mctx = cd->mctx;
-	isc_mem_put(mctx, cd, sizeof(*cd));
-	isc_mem_destroy(&mctx);
-}
-
-/*
- * Called to start a transaction
- */
-static isc_result_t
-dlopen_dlz_newversion(const char *zone, void *driverarg, void *dbdata,
-		      void **versionp)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_newversion == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	MAYBE_LOCK(cd);
-	result = cd->dlz_newversion(zone, cd->dbdata, versionp);
-	MAYBE_UNLOCK(cd);
-	return (result);
-}
-
-/*
- * Called to end a transaction
- */
-static void
-dlopen_dlz_closeversion(const char *zone, isc_boolean_t commit,
-			void *driverarg, void *dbdata, void **versionp)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_newversion == NULL) {
-		*versionp = NULL;
-		return;
-	}
-
-	MAYBE_LOCK(cd);
-	cd->dlz_closeversion(zone, commit, cd->dbdata, versionp);
-	MAYBE_UNLOCK(cd);
-}
-
-/*
- * Called on startup to configure any writeable zones
- */
-static isc_result_t
-dlopen_dlz_configure(dns_view_t *view, void *driverarg, void *dbdata) {
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_configure == NULL)
-		return (ISC_R_SUCCESS);
-
-	MAYBE_LOCK(cd);
-	cd->in_configure = ISC_TRUE;
-	result = cd->dlz_configure(view, cd->dbdata);
-	cd->in_configure = ISC_FALSE;
-	MAYBE_UNLOCK(cd);
-
-	return (result);
-}
-
-
-/*
- * Check for authority to change a name
- */
-static isc_boolean_t
-dlopen_dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
-		    const char *type, const char *key, isc_uint32_t keydatalen,
-		    unsigned char *keydata, void *driverarg, void *dbdata)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_boolean_t ret;
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_ssumatch == NULL)
-		return (ISC_FALSE);
-
-	MAYBE_LOCK(cd);
-	ret = cd->dlz_ssumatch(signer, name, tcpaddr, type, key, keydatalen,
-			       keydata, cd->dbdata);
-	MAYBE_UNLOCK(cd);
-
-	return (ret);
-}
-
-
-/*
- * Add an rdataset
- */
-static isc_result_t
-dlopen_dlz_addrdataset(const char *name, const char *rdatastr,
-		       void *driverarg, void *dbdata, void *version)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_addrdataset == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	MAYBE_LOCK(cd);
-	result = cd->dlz_addrdataset(name, rdatastr, cd->dbdata, version);
-	MAYBE_UNLOCK(cd);
-
-	return (result);
-}
-
-/*
- * Subtract an rdataset
- */
-static isc_result_t
-dlopen_dlz_subrdataset(const char *name, const char *rdatastr,
-		       void *driverarg, void *dbdata, void *version)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_subrdataset == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	MAYBE_LOCK(cd);
-	result = cd->dlz_subrdataset(name, rdatastr, cd->dbdata, version);
-	MAYBE_UNLOCK(cd);
-
-	return (result);
-}
-
-/*
-  delete a rdataset
- */
-static isc_result_t
-dlopen_dlz_delrdataset(const char *name, const char *type,
-		       void *driverarg, void *dbdata, void *version)
-{
-	dlopen_data_t *cd = (dlopen_data_t *) dbdata;
-	isc_result_t result;
-
-	UNUSED(driverarg);
-
-	if (cd->dlz_delrdataset == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	MAYBE_LOCK(cd);
-	result = cd->dlz_delrdataset(name, type, cd->dbdata, version);
-	MAYBE_UNLOCK(cd);
-
-	return (result);
-}
-
-
-static dns_sdlzmethods_t dlz_dlopen_methods = {
-	dlopen_dlz_create,
-	dlopen_dlz_destroy,
-	dlopen_dlz_findzonedb,
-	dlopen_dlz_lookup,
-	dlopen_dlz_authority,
-	dlopen_dlz_allnodes,
-	dlopen_dlz_allowzonexfr,
-	dlopen_dlz_newversion,
-	dlopen_dlz_closeversion,
-	dlopen_dlz_configure,
-	dlopen_dlz_ssumatch,
-	dlopen_dlz_addrdataset,
-	dlopen_dlz_subrdataset,
-	dlopen_dlz_delrdataset
-};
-#endif
-
-/*
- * Register driver with BIND
- */
-isc_result_t
-dlz_dlopen_init(isc_mem_t *mctx) {
-#ifndef ISC_DLZ_DLOPEN
-	UNUSED(mctx);
-	return (ISC_R_NOTIMPLEMENTED);
-#else
-	isc_result_t result;
-
-	dlopen_log(2, "Registering DLZ_dlopen driver");
-
-	result = dns_sdlzregister("dlopen", &dlz_dlopen_methods, NULL,
-				  DNS_SDLZFLAG_RELATIVEOWNER |
-				  DNS_SDLZFLAG_THREADSAFE,
-				  mctx, &dlz_dlopen);
-
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "dns_sdlzregister() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
-	}
-
-	return (result);
-#endif
-}
-
-
-/*
- * Unregister the driver
- */
-void
-dlz_dlopen_clear(void) {
-#ifdef ISC_DLZ_DLOPEN
-	dlopen_log(2, "Unregistering DLZ_dlopen driver");
-	if (dlz_dlopen != NULL)
-		dns_sdlzunregister(&dlz_dlopen);
-#endif
-}
diff --git a/contrib/bind9/bin/named/unix/include/named/os.h b/contrib/bind9/bin/named/unix/include/named/os.h
deleted file mode 100644
index c979e538..0000000
--- a/contrib/bind9/bin/named/unix/include/named/os.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.h,v 1.31 2009/08/05 23:47:43 tbox Exp $ */
-
-#ifndef NS_OS_H
-#define NS_OS_H 1
-
-/*! \file */
-
-#include <isc/types.h>
-
-void
-ns_os_init(const char *progname);
-
-void
-ns_os_daemonize(void);
-
-void
-ns_os_opendevnull(void);
-
-void
-ns_os_closedevnull(void);
-
-void
-ns_os_chroot(const char *root);
-
-void
-ns_os_inituserinfo(const char *username);
-
-void
-ns_os_changeuser(void);
-
-void
-ns_os_adjustnofile(void);
-
-void
-ns_os_minprivs(void);
-
-FILE *
-ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user);
-
-void
-ns_os_writepidfile(const char *filename, isc_boolean_t first_time);
-
-void
-ns_os_shutdown(void);
-
-isc_result_t
-ns_os_gethostname(char *buf, size_t len);
-
-void
-ns_os_shutdownmsg(char *command, isc_buffer_t *text);
-
-void
-ns_os_tzset(void);
-
-void
-ns_os_started(void);
-
-#endif /* NS_OS_H */
diff --git a/contrib/bind9/bin/named/unix/os.c b/contrib/bind9/bin/named/unix/os.c
deleted file mode 100644
index 4f5f55c..0000000
--- a/contrib/bind9/bin/named/unix/os.c
+++ /dev/null
@@ -1,965 +0,0 @@
-/*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.c,v 1.107 2011/03/02 00:02:54 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-#include <stdarg.h>
-
-#include <sys/types.h>	/* dev_t FreeBSD 2.1 */
-#include <sys/stat.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <grp.h>		/* Required for initgroups() on IRIX. */
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <signal.h>
-#include <syslog.h>
-#ifdef HAVE_TZSET
-#include <time.h>
-#endif
-#include <unistd.h>
-
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/print.h>
-#include <isc/resource.h>
-#include <isc/result.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-
-#include <named/main.h>
-#include <named/os.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#endif
-
-static char *pidfile = NULL;
-static int devnullfd = -1;
-
-#ifndef ISC_FACILITY
-#define ISC_FACILITY LOG_DAEMON
-#endif
-
-/*
- * If there's no <linux/capability.h>, we don't care about <sys/prctl.h>
- */
-#ifndef HAVE_LINUX_CAPABILITY_H
-#undef HAVE_SYS_PRCTL_H
-#endif
-
-/*
- * Linux defines:
- *	(T) HAVE_LINUXTHREADS
- *	(C) HAVE_SYS_CAPABILITY_H (or HAVE_LINUX_CAPABILITY_H)
- *	(P) HAVE_SYS_PRCTL_H
- * The possible cases are:
- *	none:	setuid() normally
- *	T:	no setuid()
- *	C:	setuid() normally, drop caps (keep CAP_SETUID)
- *	T+C:	no setuid(), drop caps (don't keep CAP_SETUID)
- *	T+C+P:	setuid() early, drop caps (keep CAP_SETUID)
- *	C+P:	setuid() normally, drop caps (keep CAP_SETUID)
- *	P:	not possible
- *	T+P:	not possible
- *
- * if (C)
- *	caps = BIND_SERVICE + CHROOT + SETGID
- *	if ((T && C && P) || !T)
- *		caps += SETUID
- *	endif
- *	capset(caps)
- * endif
- * if (T && C && P && -u)
- *	setuid()
- * else if (T && -u)
- *	fail
- * --> start threads
- * if (!T && -u)
- *	setuid()
- * if (C && (P || !-u))
- *	caps = BIND_SERVICE
- *	capset(caps)
- * endif
- *
- * It will be nice when Linux threads work properly with setuid().
- */
-
-#ifdef HAVE_LINUXTHREADS
-static pid_t mainpid = 0;
-#endif
-
-static struct passwd *runas_pw = NULL;
-static isc_boolean_t done_setuid = ISC_FALSE;
-static int dfd[2] = { -1, -1 };
-
-#ifdef HAVE_LINUX_CAPABILITY_H
-
-static isc_boolean_t non_root = ISC_FALSE;
-static isc_boolean_t non_root_caps = ISC_FALSE;
-
-#ifdef HAVE_SYS_CAPABILITY_H
-#include <sys/capability.h>
-#else
-/*%
- * We define _LINUX_FS_H to prevent it from being included.  We don't need
- * anything from it, and the files it includes cause warnings with 2.2
- * kernels, and compilation failures (due to conflicts between <linux/string.h>
- * and <string.h>) on 2.3 kernels.
- */
-#define _LINUX_FS_H
-#include <linux/capability.h>
-#include <syscall.h>
-#ifndef SYS_capset
-#ifndef __NR_capset
-#include <asm/unistd.h> /* Slackware 4.0 needs this. */
-#endif /* __NR_capset */
-#define SYS_capset __NR_capset
-#endif /* SYS_capset */
-#endif /* HAVE_SYS_CAPABILITY_H */
-
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h>		/* Required for prctl(). */
-
-/*
- * If the value of PR_SET_KEEPCAPS is not in <sys/prctl.h>, define it
- * here.  This allows setuid() to work on systems running a new enough
- * kernel but with /usr/include/linux pointing to "standard" kernel
- * headers.
- */
-#ifndef PR_SET_KEEPCAPS
-#define PR_SET_KEEPCAPS 8
-#endif
-
-#endif /* HAVE_SYS_PRCTL_H */
-
-#ifdef HAVE_LIBCAP
-#define SETCAPS_FUNC "cap_set_proc "
-#else
-typedef unsigned int cap_t;
-#define SETCAPS_FUNC "syscall(capset) "
-#endif /* HAVE_LIBCAP */
-
-static void
-linux_setcaps(cap_t caps) {
-#ifndef HAVE_LIBCAP
-	struct __user_cap_header_struct caphead;
-	struct __user_cap_data_struct cap;
-#endif
-	char strbuf[ISC_STRERRORSIZE];
-
-	if ((getuid() != 0 && !non_root_caps) || non_root)
-		return;
-#ifndef HAVE_LIBCAP
-	memset(&caphead, 0, sizeof(caphead));
-	caphead.version = _LINUX_CAPABILITY_VERSION;
-	caphead.pid = 0;
-	memset(&cap, 0, sizeof(cap));
-	cap.effective = caps;
-	cap.permitted = caps;
-	cap.inheritable = 0;
-#endif
-#ifdef HAVE_LIBCAP
-	if (cap_set_proc(caps) < 0) {
-#else
-	if (syscall(SYS_capset, &caphead, &cap) < 0) {
-#endif
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal(SETCAPS_FUNC "failed: %s:"
-				   " please ensure that the capset kernel"
-				   " module is loaded.  see insmod(8)",
-				   strbuf);
-	}
-}
-
-#ifdef HAVE_LIBCAP
-#define SET_CAP(flag) \
-	do { \
-		capval = (flag); \
-		cap_flag_value_t curval; \
-		err = cap_get_flag(curcaps, capval, CAP_PERMITTED, &curval); \
-		if (err != -1 && curval) { \
-			err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \
-			if (err == -1) { \
-				isc__strerror(errno, strbuf, sizeof(strbuf)); \
-				ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
-			} \
-			\
-			err = cap_set_flag(caps, CAP_PERMITTED, 1, &capval, CAP_SET); \
-			if (err == -1) { \
-				isc__strerror(errno, strbuf, sizeof(strbuf)); \
-				ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
-			} \
-		} \
-	} while (0)
-#define INIT_CAP \
-	do { \
-		caps = cap_init(); \
-		if (caps == NULL) { \
-			isc__strerror(errno, strbuf, sizeof(strbuf)); \
-			ns_main_earlyfatal("cap_init failed: %s", strbuf); \
-		} \
-		curcaps = cap_get_proc(); \
-		if (curcaps == NULL) { \
-			isc__strerror(errno, strbuf, sizeof(strbuf)); \
-			ns_main_earlyfatal("cap_get_proc failed: %s", strbuf); \
-		} \
-	} while (0)
-#define FREE_CAP \
-	{ \
-		cap_free(caps); \
-		cap_free(curcaps); \
-	} while (0)
-#else
-#define SET_CAP(flag) do { caps |= (1 << (flag)); } while (0)
-#define INIT_CAP do { caps = 0; } while (0)
-#endif /* HAVE_LIBCAP */
-
-static void
-linux_initialprivs(void) {
-	cap_t caps;
-#ifdef HAVE_LIBCAP
-	cap_t curcaps;
-	cap_value_t capval;
-	char strbuf[ISC_STRERRORSIZE];
-	int err;
-#endif
-
-	/*%
-	 * We don't need most privileges, so we drop them right away.
-	 * Later on linux_minprivs() will be called, which will drop our
-	 * capabilities to the minimum needed to run the server.
-	 */
-	INIT_CAP;
-
-	/*
-	 * We need to be able to bind() to privileged ports, notably port 53!
-	 */
-	SET_CAP(CAP_NET_BIND_SERVICE);
-
-	/*
-	 * We need chroot() initially too.
-	 */
-	SET_CAP(CAP_SYS_CHROOT);
-
-#if defined(HAVE_SYS_PRCTL_H) || !defined(HAVE_LINUXTHREADS)
-	/*
-	 * We can setuid() only if either the kernel supports keeping
-	 * capabilities after setuid() (which we don't know until we've
-	 * tried) or we're not using threads.  If either of these is
-	 * true, we want the setuid capability.
-	 */
-	SET_CAP(CAP_SETUID);
-#endif
-
-	/*
-	 * Since we call initgroups, we need this.
-	 */
-	SET_CAP(CAP_SETGID);
-
-	/*
-	 * Without this, we run into problems reading a configuration file
-	 * owned by a non-root user and non-world-readable on startup.
-	 */
-	SET_CAP(CAP_DAC_READ_SEARCH);
-
-	/*
-	 * XXX  We might want to add CAP_SYS_RESOURCE, though it's not
-	 *      clear it would work right given the way linuxthreads work.
-	 * XXXDCL But since we need to be able to set the maximum number
-	 * of files, the stack size, data size, and core dump size to
-	 * support named.conf options, this is now being added to test.
-	 */
-	SET_CAP(CAP_SYS_RESOURCE);
-
-	/*
-	 * We need to be able to set the ownership of the containing
-	 * directory of the pid file when we create it.
-	 */
-	SET_CAP(CAP_CHOWN);
-
-	linux_setcaps(caps);
-
-#ifdef HAVE_LIBCAP
-	FREE_CAP;
-#endif
-}
-
-static void
-linux_minprivs(void) {
-	cap_t caps;
-#ifdef HAVE_LIBCAP
-	cap_t curcaps;
-	cap_value_t capval;
-	char strbuf[ISC_STRERRORSIZE];
-	int err;
-#endif
-
-	INIT_CAP;
-	/*%
-	 * Drop all privileges except the ability to bind() to privileged
-	 * ports.
-	 *
-	 * It's important that we drop CAP_SYS_CHROOT.  If we didn't, it
-	 * chroot() could be used to escape from the chrooted area.
-	 */
-
-	SET_CAP(CAP_NET_BIND_SERVICE);
-
-	/*
-	 * XXX  We might want to add CAP_SYS_RESOURCE, though it's not
-	 *      clear it would work right given the way linuxthreads work.
-	 * XXXDCL But since we need to be able to set the maximum number
-	 * of files, the stack size, data size, and core dump size to
-	 * support named.conf options, this is now being added to test.
-	 */
-	SET_CAP(CAP_SYS_RESOURCE);
-
-	linux_setcaps(caps);
-
-#ifdef HAVE_LIBCAP
-	FREE_CAP;
-#endif
-}
-
-#ifdef HAVE_SYS_PRCTL_H
-static void
-linux_keepcaps(void) {
-	char strbuf[ISC_STRERRORSIZE];
-	/*%
-	 * Ask the kernel to allow us to keep our capabilities after we
-	 * setuid().
-	 */
-
-	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
-		if (errno != EINVAL) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			ns_main_earlyfatal("prctl() failed: %s", strbuf);
-		}
-	} else {
-		non_root_caps = ISC_TRUE;
-		if (getuid() != 0)
-			non_root = ISC_TRUE;
-	}
-}
-#endif
-
-#endif	/* HAVE_LINUX_CAPABILITY_H */
-
-
-static void
-setup_syslog(const char *progname) {
-	int options;
-
-	options = LOG_PID;
-#ifdef LOG_NDELAY
-	options |= LOG_NDELAY;
-#endif
-	openlog(isc_file_basename(progname), options, ISC_FACILITY);
-}
-
-void
-ns_os_init(const char *progname) {
-	setup_syslog(progname);
-#ifdef HAVE_LINUX_CAPABILITY_H
-	linux_initialprivs();
-#endif
-#ifdef HAVE_LINUXTHREADS
-	mainpid = getpid();
-#endif
-#ifdef SIGXFSZ
-	signal(SIGXFSZ, SIG_IGN);
-#endif
-}
-
-void
-ns_os_daemonize(void) {
-	pid_t pid;
-	char strbuf[ISC_STRERRORSIZE];
-
-	if (pipe(dfd) == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal("pipe(): %s", strbuf);
-	}
-
-	pid = fork();
-	if (pid == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal("fork(): %s", strbuf);
-	}
-	if (pid != 0) {
-		int n;
-		/*
-		 * Wait for the child to finish loading for the first time.
-		 * This would be so much simpler if fork() worked once we
-		 * were multi-threaded.
-		 */
-		(void)close(dfd[1]);
-		do {
-			char buf;
-			n = read(dfd[0], &buf, 1);
-			if (n == 1)
-				_exit(0);
-		} while (n == -1 && errno == EINTR);
-		_exit(1);
-	}
-	(void)close(dfd[0]);
-
-	/*
-	 * We're the child.
-	 */
-
-#ifdef HAVE_LINUXTHREADS
-	mainpid = getpid();
-#endif
-
-	if (setsid() == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal("setsid(): %s", strbuf);
-	}
-
-	/*
-	 * Try to set stdin, stdout, and stderr to /dev/null, but press
-	 * on even if it fails.
-	 *
-	 * XXXMLG The close() calls here are unneeded on all but NetBSD, but
-	 * are harmless to include everywhere.  dup2() is supposed to close
-	 * the FD if it is in use, but unproven-pthreads-0.16 is broken
-	 * and will end up closing the wrong FD.  This will be fixed eventually,
-	 * and these calls will be removed.
-	 */
-	if (devnullfd != -1) {
-		if (devnullfd != STDIN_FILENO) {
-			(void)close(STDIN_FILENO);
-			(void)dup2(devnullfd, STDIN_FILENO);
-		}
-		if (devnullfd != STDOUT_FILENO) {
-			(void)close(STDOUT_FILENO);
-			(void)dup2(devnullfd, STDOUT_FILENO);
-		}
-		if (devnullfd != STDERR_FILENO) {
-			(void)close(STDERR_FILENO);
-			(void)dup2(devnullfd, STDERR_FILENO);
-		}
-	}
-}
-
-void
-ns_os_started(void) {
-	char buf = 0;
-
-	/*
-	 * Signal to the parent that we started successfully.
-	 */
-	if (dfd[0] != -1 && dfd[1] != -1) {
-		if (write(dfd[1], &buf, 1) != 1)
-			ns_main_earlyfatal("unable to signal parent that we "
-					   "otherwise started successfully.");
-		close(dfd[1]);
-		dfd[0] = dfd[1] = -1;
-	}
-}
-
-void
-ns_os_opendevnull(void) {
-	devnullfd = open("/dev/null", O_RDWR, 0);
-}
-
-void
-ns_os_closedevnull(void) {
-	if (devnullfd != STDIN_FILENO &&
-	    devnullfd != STDOUT_FILENO &&
-	    devnullfd != STDERR_FILENO) {
-		close(devnullfd);
-		devnullfd = -1;
-	}
-}
-
-static isc_boolean_t
-all_digits(const char *s) {
-	if (*s == '\0')
-		return (ISC_FALSE);
-	while (*s != '\0') {
-		if (!isdigit((*s)&0xff))
-			return (ISC_FALSE);
-		s++;
-	}
-	return (ISC_TRUE);
-}
-
-void
-ns_os_chroot(const char *root) {
-	char strbuf[ISC_STRERRORSIZE];
-#ifdef HAVE_LIBSCF
-	ns_smf_chroot = 0;
-#endif
-	if (root != NULL) {
-#ifdef HAVE_CHROOT
-		if (chroot(root) < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			ns_main_earlyfatal("chroot(): %s", strbuf);
-		}
-#else
-		ns_main_earlyfatal("chroot(): disabled");
-#endif
-		if (chdir("/") < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			ns_main_earlyfatal("chdir(/): %s", strbuf);
-		}
-#ifdef HAVE_LIBSCF
-		/* Set ns_smf_chroot flag on successful chroot. */
-		ns_smf_chroot = 1;
-#endif
-	}
-}
-
-void
-ns_os_inituserinfo(const char *username) {
-	char strbuf[ISC_STRERRORSIZE];
-	if (username == NULL)
-		return;
-
-	if (all_digits(username))
-		runas_pw = getpwuid((uid_t)atoi(username));
-	else
-		runas_pw = getpwnam(username);
-	endpwent();
-
-	if (runas_pw == NULL)
-		ns_main_earlyfatal("user '%s' unknown", username);
-
-	if (getuid() == 0) {
-		if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			ns_main_earlyfatal("initgroups(): %s", strbuf);
-		}
-	}
-
-}
-
-void
-ns_os_changeuser(void) {
-	char strbuf[ISC_STRERRORSIZE];
-	if (runas_pw == NULL || done_setuid)
-		return;
-
-	done_setuid = ISC_TRUE;
-
-#ifdef HAVE_LINUXTHREADS
-#ifdef HAVE_LINUX_CAPABILITY_H
-	if (!non_root_caps)
-		ns_main_earlyfatal("-u with Linux threads not supported: "
-				   "requires kernel support for "
-				   "prctl(PR_SET_KEEPCAPS)");
-#else
-	ns_main_earlyfatal("-u with Linux threads not supported: "
-			   "no capabilities support or capabilities "
-			   "disabled at build time");
-#endif
-#endif
-
-	if (setgid(runas_pw->pw_gid) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal("setgid(): %s", strbuf);
-	}
-
-	if (setuid(runas_pw->pw_uid) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal("setuid(): %s", strbuf);
-	}
-
-#if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
-	/*
-	 * Restore the ability of named to drop core after the setuid()
-	 * call has disabled it.
-	 */
-	if (prctl(PR_SET_DUMPABLE,1,0,0,0) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlywarning("prctl(PR_SET_DUMPABLE) failed: %s",
-				     strbuf);
-	}
-#endif
-#if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS)
-	linux_minprivs();
-#endif
-}
-
-void
-ns_os_adjustnofile() {
-#ifdef HAVE_LINUXTHREADS
-	isc_result_t result;
-	isc_resourcevalue_t newvalue;
-
-	/*
-	 * Linux: max number of open files specified by one thread doesn't seem
-	 * to apply to other threads on Linux.
-	 */
-	newvalue = ISC_RESOURCE_UNLIMITED;
-
-	result = isc_resource_setlimit(isc_resource_openfiles, newvalue);
-	if (result != ISC_R_SUCCESS)
-		ns_main_earlywarning("couldn't adjust limit on open files");
-#endif
-}
-
-void
-ns_os_minprivs(void) {
-#ifdef HAVE_SYS_PRCTL_H
-	linux_keepcaps();
-#endif
-
-#ifdef HAVE_LINUXTHREADS
-	ns_os_changeuser(); /* Call setuid() before threads are started */
-#endif
-
-#if defined(HAVE_LINUX_CAPABILITY_H) && defined(HAVE_LINUXTHREADS)
-	linux_minprivs();
-#endif
-}
-
-static int
-safe_open(const char *filename, mode_t mode, isc_boolean_t append) {
-	int fd;
-	struct stat sb;
-
-	if (stat(filename, &sb) == -1) {
-		if (errno != ENOENT)
-			return (-1);
-	} else if ((sb.st_mode & S_IFREG) == 0) {
-		errno = EOPNOTSUPP;
-		return (-1);
-	}
-
-	if (append)
-		fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, mode);
-	else {
-		if (unlink(filename) < 0 && errno != ENOENT)
-			return (-1);
-		fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
-	}
-	return (fd);
-}
-
-static void
-cleanup_pidfile(void) {
-	int n;
-	if (pidfile != NULL) {
-		n = unlink(pidfile);
-		if (n == -1 && errno != ENOENT)
-			ns_main_earlywarning("unlink '%s': failed", pidfile);
-		free(pidfile);
-	}
-	pidfile = NULL;
-}
-
-static int
-mkdirpath(char *filename, void (*report)(const char *, ...)) {
-	char *slash = strrchr(filename, '/');
-	char strbuf[ISC_STRERRORSIZE];
-	unsigned int mode;
-
-	if (slash != NULL && slash != filename) {
-		struct stat sb;
-		*slash = '\0';
-
-		if (stat(filename, &sb) == -1) {
-			if (errno != ENOENT) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				(*report)("couldn't stat '%s': %s", filename,
-					  strbuf);
-				goto error;
-			}
-			if (mkdirpath(filename, report) == -1)
-				goto error;
-			/*
-			 * Handle "//", "/./" and "/../" in path.
-			 */
-			if (!strcmp(slash + 1, "") ||
-			    !strcmp(slash + 1, ".") ||
-			    !strcmp(slash + 1, "..")) {
-				*slash = '/';
-				return (0);
-			}
-			mode = S_IRUSR | S_IWUSR | S_IXUSR;	/* u=rwx */
-			mode |= S_IRGRP | S_IXGRP;		/* g=rx */
-			mode |= S_IROTH | S_IXOTH;		/* o=rx */
-			if (mkdir(filename, mode) == -1) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				(*report)("couldn't mkdir '%s': %s", filename,
-					  strbuf);
-				goto error;
-			}
-			if (runas_pw != NULL &&
-			    chown(filename, runas_pw->pw_uid,
-				  runas_pw->pw_gid) == -1) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				(*report)("couldn't chown '%s': %s", filename,
-					  strbuf);
-			}
-		}
-		*slash = '/';
-	}
-	return (0);
-
- error:
-	*slash = '/';
-	return (-1);
-}
-
-static void
-setperms(uid_t uid, gid_t gid) {
-	char strbuf[ISC_STRERRORSIZE];
-#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
-	gid_t oldgid, tmpg;
-#endif
-#if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID)
-	uid_t olduid, tmpu;
-#endif
-#if defined(HAVE_SETEGID)
-	if (getegid() != gid && setegid(gid) == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlywarning("unable to set effective gid to %ld: %s",
-				     (long)gid, strbuf);
-	}
-#elif defined(HAVE_SETRESGID)
-	if (getresgid(&tmpg, &oldgid, &tmpg) == -1 || oldgid != gid) {
-		if (setresgid(-1, gid, -1) == -1) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			ns_main_earlywarning("unable to set effective "
-					     "gid to %d: %s", gid, strbuf);
-		}
-	}
-#endif
-
-#if defined(HAVE_SETEUID)
-	if (geteuid() != uid && seteuid(uid) == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlywarning("unable to set effective uid to %ld: %s",
-				     (long)uid, strbuf);
-	}
-#elif defined(HAVE_SETRESUID)
-	if (getresuid(&tmpu, &olduid, &tmpu) == -1 || olduid != uid) {
-		if (setresuid(-1, uid, -1) == -1) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			ns_main_earlywarning("unable to set effective "
-					     "uid to %d: %s", uid, strbuf);
-		}
-	}
-#endif
-}
-
-FILE *
-ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user) {
-	char strbuf[ISC_STRERRORSIZE], *f;
-	FILE *fp;
-	int fd;
-
-	/*
-	 * Make the containing directory if it doesn't exist.
-	 */
-	f = strdup(filename);
-	if (f == NULL) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlywarning("couldn't strdup() '%s': %s",
-				     filename, strbuf);
-		return (NULL);
-	}
-	if (mkdirpath(f, ns_main_earlywarning) == -1) {
-		free(f);
-		return (NULL);
-	}
-	free(f);
-
-	if (switch_user && runas_pw != NULL) {
-#ifndef HAVE_LINUXTHREADS
-		gid_t oldgid = getgid();
-#endif
-		/* Set UID/GID to the one we'll be running with eventually */
-		setperms(runas_pw->pw_uid, runas_pw->pw_gid);
-
-		fd = safe_open(filename, mode, ISC_FALSE);
-
-#ifndef HAVE_LINUXTHREADS
-		/* Restore UID/GID to root */
-		setperms(0, oldgid);
-#endif /* HAVE_LINUXTHREADS */
-
-		if (fd == -1) {
-#ifndef HAVE_LINUXTHREADS
-			fd = safe_open(filename, mode, ISC_FALSE);
-			if (fd != -1) {
-				ns_main_earlywarning("Required root "
-						     "permissions to open "
-						     "'%s'.", filename);
-			} else {
-				ns_main_earlywarning("Could not open "
-						     "'%s'.", filename);
-			}
-			ns_main_earlywarning("Please check file and "
-					     "directory permissions "
-					     "or reconfigure the filename.");
-#else /* HAVE_LINUXTHREADS */
-			ns_main_earlywarning("Could not open "
-					     "'%s'.", filename);
-			ns_main_earlywarning("Please check file and "
-					     "directory permissions "
-					     "or reconfigure the filename.");
-#endif /* HAVE_LINUXTHREADS */
-		}
-	} else {
-		fd = safe_open(filename, mode, ISC_FALSE);
-	}
-
-	if (fd < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlywarning("could not open file '%s': %s",
-				     filename, strbuf);
-		return (NULL);
-	}
-
-	fp = fdopen(fd, "w");
-	if (fp == NULL) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlywarning("could not fdopen() file '%s': %s",
-				     filename, strbuf);
-	}
-
-	return (fp);
-}
-
-void
-ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
-	FILE *lockfile;
-	pid_t pid;
-	char strbuf[ISC_STRERRORSIZE];
-	void (*report)(const char *, ...);
-
-	/*
-	 * The caller must ensure any required synchronization.
-	 */
-
-	report = first_time ? ns_main_earlyfatal : ns_main_earlywarning;
-
-	cleanup_pidfile();
-
-	if (filename == NULL)
-		return;
-
-	pidfile = strdup(filename);
-	if (pidfile == NULL) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		(*report)("couldn't strdup() '%s': %s", filename, strbuf);
-		return;
-	}
-
-	lockfile = ns_os_openfile(filename, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH,
-				  first_time);
-	if (lockfile == NULL) {
-		cleanup_pidfile();
-		return;
-	}
-#ifdef HAVE_LINUXTHREADS
-	pid = mainpid;
-#else
-	pid = getpid();
-#endif
-	if (fprintf(lockfile, "%ld\n", (long)pid) < 0) {
-		(*report)("fprintf() to pid file '%s' failed", filename);
-		(void)fclose(lockfile);
-		cleanup_pidfile();
-		return;
-	}
-	if (fflush(lockfile) == EOF) {
-		(*report)("fflush() to pid file '%s' failed", filename);
-		(void)fclose(lockfile);
-		cleanup_pidfile();
-		return;
-	}
-	(void)fclose(lockfile);
-}
-
-void
-ns_os_shutdown(void) {
-	closelog();
-	cleanup_pidfile();
-}
-
-isc_result_t
-ns_os_gethostname(char *buf, size_t len) {
-	int n;
-
-	n = gethostname(buf, len);
-	return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE);
-}
-
-static char *
-next_token(char **stringp, const char *delim) {
-	char *res;
-
-	do {
-		res = strsep(stringp, delim);
-		if (res == NULL)
-			break;
-	} while (*res == '\0');
-	return (res);
-}
-
-void
-ns_os_shutdownmsg(char *command, isc_buffer_t *text) {
-	char *input, *ptr;
-	unsigned int n;
-	pid_t pid;
-
-	input = command;
-
-	/* Skip the command name. */
-	ptr = next_token(&input, " \t");
-	if (ptr == NULL)
-		return;
-
-	ptr = next_token(&input, " \t");
-	if (ptr == NULL)
-		return;
-
-	if (strcmp(ptr, "-p") != 0)
-		return;
-
-#ifdef HAVE_LINUXTHREADS
-	pid = mainpid;
-#else
-	pid = getpid();
-#endif
-
-	n = snprintf((char *)isc_buffer_used(text),
-		     isc_buffer_availablelength(text),
-		     "pid: %ld", (long)pid);
-	/* Only send a message if it is complete. */
-	if (n > 0 && n < isc_buffer_availablelength(text))
-		isc_buffer_add(text, n);
-}
-
-void
-ns_os_tzset(void) {
-#ifdef HAVE_TZSET
-	tzset();
-#endif
-}
diff --git a/contrib/bind9/bin/named/update.c b/contrib/bind9/bin/named/update.c
deleted file mode 100644
index 0df00c0..0000000
--- a/contrib/bind9/bin/named/update.c
+++ /dev/null
@@ -1,3377 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: update.c,v 1.199 2011/12/22 07:32:40 each Exp $ */
-
-#include <config.h>
-
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/serial.h>
-#include <isc/stats.h>
-#include <isc/string.h>
-#include <isc/taskpool.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/journal.h>
-#include <dns/keyvalues.h>
-#include <dns/message.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/private.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/soa.h>
-#include <dns/ssu.h>
-#include <dns/tsig.h>
-#include <dns/update.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <named/client.h>
-#include <named/log.h>
-#include <named/server.h>
-#include <named/update.h>
-
-/*! \file
- * \brief
- * This module implements dynamic update as in RFC2136.
- */
-
-/*
- *  XXX TODO:
- * - document strict minimality
- */
-
-/**************************************************************************/
-
-/*%
- * Log level for tracing dynamic update protocol requests.
- */
-#define LOGLEVEL_PROTOCOL	ISC_LOG_INFO
-
-/*%
- * Log level for low-level debug tracing.
- */
-#define LOGLEVEL_DEBUG		ISC_LOG_DEBUG(8)
-
-/*%
- * Check an operation for failure.  These macros all assume that
- * the function using them has a 'result' variable and a 'failure'
- * label.
- */
-#define CHECK(op) \
-	do { result = (op); \
-		if (result != ISC_R_SUCCESS) goto failure; \
-	} while (0)
-
-/*%
- * Fail unconditionally with result 'code', which must not
- * be ISC_R_SUCCESS.  The reason for failure presumably has
- * been logged already.
- *
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-
-#define FAIL(code) \
-	do {							\
-		result = (code);				\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-/*%
- * Fail unconditionally and log as a client error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILC(code, msg) \
-	do {							\
-		const char *_what = "failed";			\
-		result = (code);				\
-		switch (result) {				\
-		case DNS_R_NXDOMAIN:				\
-		case DNS_R_YXDOMAIN:				\
-		case DNS_R_YXRRSET:				\
-		case DNS_R_NXRRSET:				\
-			_what = "unsuccessful";			\
-		}						\
-		update_log(client, zone, LOGLEVEL_PROTOCOL,	\
-			   "update %s: %s (%s)", _what,		\
-			   msg, isc_result_totext(result));	\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-#define PREREQFAILC(code, msg) \
-	do {							\
-		inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
-		FAILC(code, msg);				\
-	} while (0)
-
-#define FAILN(code, name, msg) \
-	do {								\
-		const char *_what = "failed";				\
-		result = (code);					\
-		switch (result) {					\
-		case DNS_R_NXDOMAIN:					\
-		case DNS_R_YXDOMAIN:					\
-		case DNS_R_YXRRSET:					\
-		case DNS_R_NXRRSET:					\
-			_what = "unsuccessful";				\
-		}							\
-		if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {	\
-			char _nbuf[DNS_NAME_FORMATSIZE];		\
-			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
-			update_log(client, zone, LOGLEVEL_PROTOCOL,	\
-				   "update %s: %s: %s (%s)", _what, _nbuf, \
-				   msg, isc_result_totext(result));	\
-		}							\
-		if (result != ISC_R_SUCCESS) goto failure;		\
-	} while (0)
-#define PREREQFAILN(code, name, msg) \
-	do {								\
-		inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
-		FAILN(code, name, msg);					\
-	} while (0)
-
-#define FAILNT(code, name, type, msg) \
-	do {								\
-		const char *_what = "failed";				\
-		result = (code);					\
-		switch (result) {					\
-		case DNS_R_NXDOMAIN:					\
-		case DNS_R_YXDOMAIN:					\
-		case DNS_R_YXRRSET:					\
-		case DNS_R_NXRRSET:					\
-			_what = "unsuccessful";				\
-		}							\
-		if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {	\
-			char _nbuf[DNS_NAME_FORMATSIZE];		\
-			char _tbuf[DNS_RDATATYPE_FORMATSIZE];		\
-			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
-			dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
-			update_log(client, zone, LOGLEVEL_PROTOCOL,	\
-				   "update %s: %s/%s: %s (%s)",		\
-				   _what, _nbuf, _tbuf, msg,		\
-				   isc_result_totext(result));		\
-		}							\
-		if (result != ISC_R_SUCCESS) goto failure;		\
-	} while (0)
-#define PREREQFAILNT(code, name, type, msg)				\
-	do {								\
-		inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
-		FAILNT(code, name, type, msg);				\
-	} while (0)
-
-/*%
- * Fail unconditionally and log as a server error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILS(code, msg) \
-	do {							\
-		result = (code);				\
-		update_log(client, zone, LOGLEVEL_PROTOCOL,	\
-			   "error: %s: %s",			\
-			   msg, isc_result_totext(result));	\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-/*
- * Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE.
- */
-#define TCPCLIENT(client) (((client)->attributes & NS_CLIENTATTR_TCP) != 0)
-
-/**************************************************************************/
-
-typedef struct rr rr_t;
-
-struct rr {
-	/* dns_name_t name; */
-	isc_uint32_t		ttl;
-	dns_rdata_t		rdata;
-};
-
-typedef struct update_event update_event_t;
-
-struct update_event {
-	ISC_EVENT_COMMON(update_event_t);
-	dns_zone_t		*zone;
-	isc_result_t		result;
-	dns_message_t		*answer;
-};
-
-/**************************************************************************/
-/*
- * Forward declarations.
- */
-
-static void update_action(isc_task_t *task, isc_event_t *event);
-static void updatedone_action(isc_task_t *task, isc_event_t *event);
-static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
-static void forward_done(isc_task_t *task, isc_event_t *event);
-
-/**************************************************************************/
-
-static void
-update_log(ns_client_t *client, dns_zone_t *zone,
-	   int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
-
-static void
-update_log(ns_client_t *client, dns_zone_t *zone,
-	   int level, const char *fmt, ...)
-{
-	va_list ap;
-	char message[4096];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
-	if (client == NULL || zone == NULL)
-		return;
-
-	if (isc_log_wouldlog(ns_g_lctx, level) == ISC_FALSE)
-		return;
-
-	dns_name_format(dns_zone_getorigin(zone), namebuf,
-			sizeof(namebuf));
-	dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
-			      sizeof(classbuf));
-
-	va_start(ap, fmt);
-	vsnprintf(message, sizeof(message), fmt, ap);
-	va_end(ap);
-
-	ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
-		      level, "updating zone '%s/%s': %s",
-		      namebuf, classbuf, message);
-}
-
-static void
-update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) {
-	update_log(arg, zone, level, "%s", message);
-}
-
-/*%
- * Increment updated-related statistics counters.
- */
-static inline void
-inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
-	isc_stats_increment(ns_g_server->nsstats, counter);
-
-	if (zone != NULL) {
-		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
-		if (zonestats != NULL)
-			isc_stats_increment(zonestats, counter);
-	}
-}
-
-/*%
- * Check if we could have queried for the contents of this zone or
- * if the zone is potentially updateable.
- * If the zone can potentially be updated and the check failed then
- * log a error otherwise we log a informational message.
- */
-static isc_result_t
-checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
-	      dns_acl_t *updateacl, dns_ssutable_t *ssutable)
-{
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char classbuf[DNS_RDATACLASS_FORMATSIZE];
-	int level;
-	isc_result_t result;
-
-	result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
-	if (result != ISC_R_SUCCESS) {
-		dns_name_format(zonename, namebuf, sizeof(namebuf));
-		dns_rdataclass_format(client->view->rdclass, classbuf,
-				      sizeof(classbuf));
-
-		level = (updateacl == NULL && ssutable == NULL) ?
-				ISC_LOG_INFO : ISC_LOG_ERROR;
-
-		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
-			      NS_LOGMODULE_UPDATE, level,
-			      "update '%s/%s' denied due to allow-query",
-			      namebuf, classbuf);
-	} else if (updateacl == NULL && ssutable == NULL) {
-		dns_name_format(zonename, namebuf, sizeof(namebuf));
-		dns_rdataclass_format(client->view->rdclass, classbuf,
-				      sizeof(classbuf));
-
-		result = DNS_R_REFUSED;
-		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
-			      NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
-			      "update '%s/%s' denied", namebuf, classbuf);
-	}
-	return (result);
-}
-
-/*%
- * Override the default acl logging when checking whether a client
- * can update the zone or whether we can forward the request to the
- * master based on IP address.
- *
- * 'message' contains the type of operation that is being attempted.
- * 'slave' indicates if this is a slave zone.  If 'acl' is NULL then
- * log at debug=3.
- * If the zone has no access controls configured ('acl' == NULL &&
- * 'has_ssutable == ISC_FALS) log the attempt at info, otherwise
- * at error.
- *
- * If the request was signed log that we received it.
- */
-static isc_result_t
-checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
-	       dns_name_t *zonename, isc_boolean_t slave,
-	       isc_boolean_t has_ssutable)
-{
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char classbuf[DNS_RDATACLASS_FORMATSIZE];
-	int level = ISC_LOG_ERROR;
-	const char *msg = "denied";
-	isc_result_t result;
-
-	if (slave && acl == NULL) {
-		result = DNS_R_NOTIMP;
-		level = ISC_LOG_DEBUG(3);
-		msg = "disabled";
-	} else {
-		result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
-		if (result == ISC_R_SUCCESS) {
-			level = ISC_LOG_DEBUG(3);
-			msg = "approved";
-		} else if (acl == NULL && !has_ssutable) {
-			level = ISC_LOG_INFO;
-		}
-	}
-
-	if (client->signer != NULL) {
-		dns_name_format(client->signer, namebuf, sizeof(namebuf));
-		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
-			      NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
-			      "signer \"%s\" %s", namebuf, msg);
-	}
-
-	dns_name_format(zonename, namebuf, sizeof(namebuf));
-	dns_rdataclass_format(client->view->rdclass, classbuf,
-			      sizeof(classbuf));
-
-	ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
-		      NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
-		      message, namebuf, classbuf, msg);
-	return (result);
-}
-
-/*%
- * Update a single RR in version 'ver' of 'db' and log the
- * update in 'diff'.
- *
- * Ensures:
- * \li	'*tuple' == NULL.  Either the tuple is freed, or its
- *	ownership has been transferred to the diff.
- */
-static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
-	     dns_diff_t *diff)
-{
-	dns_diff_t temp_diff;
-	isc_result_t result;
-
-	/*
-	 * Create a singleton diff.
-	 */
-	dns_diff_init(diff->mctx, &temp_diff);
-	temp_diff.resign = diff->resign;
-	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
-
-	/*
-	 * Apply it to the database.
-	 */
-	result = dns_diff_apply(&temp_diff, db, ver);
-	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
-	if (result != ISC_R_SUCCESS) {
-		dns_difftuple_free(tuple);
-		return (result);
-	}
-
-	/*
-	 * Merge it into the current pending journal entry.
-	 */
-	dns_diff_appendminimal(diff, tuple);
-
-	/*
-	 * Do not clear temp_diff.
-	 */
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Perform the updates in 'updates' in version 'ver' of 'db' and log the
- * update in 'diff'.
- *
- * Ensures:
- * \li	'updates' is empty.
- */
-static isc_result_t
-do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
-	dns_diff_t *diff)
-{
-	isc_result_t result;
-	while (! ISC_LIST_EMPTY(updates->tuples)) {
-		dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples);
-		ISC_LIST_UNLINK(updates->tuples, t, link);
-		CHECK(do_one_tuple(&t, db, ver, diff));
-	}
-	return (ISC_R_SUCCESS);
-
- failure:
-	dns_diff_clear(diff);
-	return (result);
-}
-
-static isc_result_t
-update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
-	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
-	      dns_rdata_t *rdata)
-{
-	dns_difftuple_t *tuple = NULL;
-	isc_result_t result;
-	result = dns_difftuple_create(diff->mctx, op,
-				      name, ttl, rdata, &tuple);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	return (do_one_tuple(&tuple, db, ver, diff));
-}
-
-/**************************************************************************/
-/*
- * Callback-style iteration over rdatasets and rdatas.
- *
- * foreach_rrset() can be used to iterate over the RRsets
- * of a name and call a callback function with each
- * one.  Similarly, foreach_rr() can be used to iterate
- * over the individual RRs at name, optionally restricted
- * to RRs of a given type.
- *
- * The callback functions are called "actions" and take
- * two arguments: a void pointer for passing arbitrary
- * context information, and a pointer to the current RRset
- * or RR.  By convention, their names end in "_action".
- */
-
-/*
- * XXXRTH  We might want to make this public somewhere in libdns.
- */
-
-/*%
- * Function type for foreach_rrset() iterator actions.
- */
-typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset);
-
-/*%
- * Function type for foreach_rr() iterator actions.
- */
-typedef isc_result_t rr_func(void *data, rr_t *rr);
-
-/*%
- * Internal context struct for foreach_node_rr().
- */
-typedef struct {
-	rr_func *	rr_action;
-	void *		rr_action_data;
-} foreach_node_rr_ctx_t;
-
-/*%
- * Internal helper function for foreach_node_rr().
- */
-static isc_result_t
-foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
-	isc_result_t result;
-	foreach_node_rr_ctx_t *ctx = data;
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset))
-	{
-		rr_t rr = { 0, DNS_RDATA_INIT };
-
-		dns_rdataset_current(rdataset, &rr.rdata);
-		rr.ttl = rdataset->ttl;
-		result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	if (result != ISC_R_NOMORE)
-		return (result);
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * For each rdataset of 'name' in 'ver' of 'db', call 'action'
- * with the rdataset and 'action_data' as arguments.  If the name
- * does not exist, do nothing.
- *
- * If 'action' returns an error, abort iteration and return the error.
- */
-static isc_result_t
-foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	      rrset_func *action, void *action_data)
-{
-	isc_result_t result;
-	dns_dbnode_t *node;
-	dns_rdatasetiter_t *iter;
-
-	node = NULL;
-	result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	iter = NULL;
-	result = dns_db_allrdatasets(db, node, ver,
-				     (isc_stdtime_t) 0, &iter);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_node;
-
-	for (result = dns_rdatasetiter_first(iter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(iter))
-	{
-		dns_rdataset_t rdataset;
-
-		dns_rdataset_init(&rdataset);
-		dns_rdatasetiter_current(iter, &rdataset);
-
-		result = (*action)(action_data, &rdataset);
-
-		dns_rdataset_disassociate(&rdataset);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_iterator;
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
- cleanup_iterator:
-	dns_rdatasetiter_destroy(&iter);
-
- cleanup_node:
-	dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-/*%
- * For each RR of 'name' in 'ver' of 'db', call 'action'
- * with the RR and 'action_data' as arguments.  If the name
- * does not exist, do nothing.
- *
- * If 'action' returns an error, abort iteration
- * and return the error.
- */
-static isc_result_t
-foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-		rr_func *rr_action, void *rr_action_data)
-{
-	foreach_node_rr_ctx_t ctx;
-	ctx.rr_action = rr_action;
-	ctx.rr_action_data = rr_action_data;
-	return (foreach_rrset(db, ver, name,
-			      foreach_node_rr_action, &ctx));
-}
-
-
-/*%
- * For each of the RRs specified by 'db', 'ver', 'name', 'type',
- * (which can be dns_rdatatype_any to match any type), and 'covers', call
- * 'action' with the RR and 'action_data' as arguments. If the name
- * does not exist, or if no RRset of the given type exists at the name,
- * do nothing.
- *
- * If 'action' returns an error, abort iteration and return the error.
- */
-static isc_result_t
-foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	   dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
-	   void *rr_action_data)
-{
-
-	isc_result_t result;
-	dns_dbnode_t *node;
-	dns_rdataset_t rdataset;
-
-	if (type == dns_rdatatype_any)
-		return (foreach_node_rr(db, ver, name,
-					rr_action, rr_action_data));
-
-	node = NULL;
-	if (type == dns_rdatatype_nsec3 ||
-	    (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
-		result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
-	else
-		result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, type, covers,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		result = ISC_R_SUCCESS;
-		goto cleanup_node;
-	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_node;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset))
-	{
-		rr_t rr = { 0, DNS_RDATA_INIT };
-		dns_rdataset_current(&rdataset, &rr.rdata);
-		rr.ttl = rdataset.ttl;
-		result = (*rr_action)(rr_action_data, &rr);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_rdataset;
-	}
-	if (result != ISC_R_NOMORE)
-		goto cleanup_rdataset;
-	result = ISC_R_SUCCESS;
-
- cleanup_rdataset:
-	dns_rdataset_disassociate(&rdataset);
- cleanup_node:
-	dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-/**************************************************************************/
-/*
- * Various tests on the database contents (for prerequisites, etc).
- */
-
-/*%
- * Function type for predicate functions that compare a database RR 'db_rr'
- * against an update RR 'update_rr'.
- */
-typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
-
-/*%
- * Helper function for rrset_exists().
- */
-static isc_result_t
-rrset_exists_action(void *data, rr_t *rr) {
-	UNUSED(data);
-	UNUSED(rr);
-	return (ISC_R_EXISTS);
-}
-
-/*%
- * Utility macro for RR existence checking functions.
- *
- * If the variable 'result' has the value ISC_R_EXISTS or
- * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
- * respectively, and return success.
- *
- * If 'result' has any other value, there was a failure.
- * Return the failure result code and do not set *exists.
- *
- * This would be more readable as "do { if ... } while(0)",
- * but that form generates tons of warnings on Solaris 2.6.
- */
-#define RETURN_EXISTENCE_FLAG				\
-	return ((result == ISC_R_EXISTS) ?		\
-		(*exists = ISC_TRUE, ISC_R_SUCCESS) :	\
-		((result == ISC_R_SUCCESS) ?		\
-		 (*exists = ISC_FALSE, ISC_R_SUCCESS) :	\
-		 result))
-
-/*%
- * Set '*exists' to true iff an rrset of the given type exists,
- * to false otherwise.
- */
-static isc_result_t
-rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	     dns_rdatatype_t type, dns_rdatatype_t covers,
-	     isc_boolean_t *exists)
-{
-	isc_result_t result;
-	result = foreach_rr(db, ver, name, type, covers,
-			    rrset_exists_action, NULL);
-	RETURN_EXISTENCE_FLAG;
-}
-
-/*%
- * Helper function for cname_incompatible_rrset_exists.
- */
-static isc_result_t
-cname_compatibility_action(void *data, dns_rdataset_t *rrset) {
-	UNUSED(data);
-	if (rrset->type != dns_rdatatype_cname &&
-	    ! dns_rdatatype_isdnssec(rrset->type))
-		return (ISC_R_EXISTS);
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Check whether there is an rrset incompatible with adding a CNAME RR,
- * i.e., anything but another CNAME (which can be replaced) or a
- * DNSSEC RR (which can coexist).
- *
- * If such an incompatible rrset exists, set '*exists' to ISC_TRUE.
- * Otherwise, set it to ISC_FALSE.
- */
-static isc_result_t
-cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
-				dns_name_t *name, isc_boolean_t *exists) {
-	isc_result_t result;
-	result = foreach_rrset(db, ver, name,
-			       cname_compatibility_action, NULL);
-	RETURN_EXISTENCE_FLAG;
-}
-
-/*%
- * Helper function for rr_count().
- */
-static isc_result_t
-count_rr_action(void *data, rr_t *rr) {
-	int *countp = data;
-	UNUSED(rr);
-	(*countp)++;
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
- */
-static isc_result_t
-rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	 dns_rdatatype_t type, dns_rdatatype_t covers, int *countp)
-{
-	*countp = 0;
-	return (foreach_rr(db, ver, name, type, covers,
-			   count_rr_action, countp));
-}
-
-/*%
- * Context struct and helper function for name_exists().
- */
-
-static isc_result_t
-name_exists_action(void *data, dns_rdataset_t *rrset) {
-	UNUSED(data);
-	UNUSED(rrset);
-	return (ISC_R_EXISTS);
-}
-
-/*%
- * Set '*exists' to true iff the given name exists, to false otherwise.
- */
-static isc_result_t
-name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	    isc_boolean_t *exists)
-{
-	isc_result_t result;
-	result = foreach_rrset(db, ver, name,
-			       name_exists_action, NULL);
-	RETURN_EXISTENCE_FLAG;
-}
-
-/*
- *	'ssu_check_t' is used to pass the arguments to
- *	dns_ssutable_checkrules() to the callback function
- *	ssu_checkrule().
- */
-typedef struct {
-	/* The ownername of the record to be updated. */
-	dns_name_t *name;
-
-	/* The signature's name if the request was signed. */
-	dns_name_t *signer;
-
-	/* The address of the client if the request was received via TCP. */
-	isc_netaddr_t *tcpaddr;
-
-	/* The ssu table to check against. */
-	dns_ssutable_t *table;
-
-	/* the key used for TKEY requests */
-	dst_key_t *key;
-} ssu_check_t;
-
-static isc_result_t
-ssu_checkrule(void *data, dns_rdataset_t *rrset) {
-	ssu_check_t *ssuinfo = data;
-	isc_boolean_t result;
-
-	/*
-	 * If we're deleting all records, it's ok to delete RRSIG and NSEC even
-	 * if we're normally not allowed to.
-	 */
-	if (rrset->type == dns_rdatatype_rrsig ||
-	    rrset->type == dns_rdatatype_nsec)
-		return (ISC_R_SUCCESS);
-	result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
-					 ssuinfo->name, ssuinfo->tcpaddr,
-					 rrset->type, ssuinfo->key);
-	return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
-}
-
-static isc_boolean_t
-ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	     dns_ssutable_t *ssutable, dns_name_t *signer,
-	     isc_netaddr_t *tcpaddr, dst_key_t *key)
-{
-	isc_result_t result;
-	ssu_check_t ssuinfo;
-
-	ssuinfo.name = name;
-	ssuinfo.table = ssutable;
-	ssuinfo.signer = signer;
-	ssuinfo.tcpaddr = tcpaddr;
-	ssuinfo.key = key;
-	result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
-	return (ISC_TF(result == ISC_R_SUCCESS));
-}
-
-/**************************************************************************/
-/*
- * Checking of "RRset exists (value dependent)" prerequisites.
- *
- * In the RFC2136 section 3.2.5, this is the pseudocode involving
- * a variable called "temp", a mapping of <name, type> tuples to rrsets.
- *
- * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
- * where each tuple has op==DNS_DIFFOP_EXISTS.
- */
-
-
-/*%
- * Append a tuple asserting the existence of the RR with
- * 'name' and 'rdata' to 'diff'.
- */
-static isc_result_t
-temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
-	isc_result_t result;
-	dns_difftuple_t *tuple = NULL;
-
-	REQUIRE(DNS_DIFF_VALID(diff));
-	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS,
-				   name, 0, rdata, &tuple));
-	ISC_LIST_APPEND(diff->tuples, tuple, link);
- failure:
-	return (result);
-}
-
-/*%
- * Compare two rdatasets represented as sorted lists of tuples.
- * All list elements must have the same owner name and type.
- * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
- * if not.
- */
-static isc_result_t
-temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
-	for (;;) {
-		if (a == NULL || b == NULL)
-			break;
-		INSIST(a->op == DNS_DIFFOP_EXISTS &&
-		       b->op == DNS_DIFFOP_EXISTS);
-		INSIST(a->rdata.type == b->rdata.type);
-		INSIST(dns_name_equal(&a->name, &b->name));
-		if (dns_rdata_casecompare(&a->rdata, &b->rdata) != 0)
-			return (DNS_R_NXRRSET);
-		a = ISC_LIST_NEXT(a, link);
-		b = ISC_LIST_NEXT(b, link);
-	}
-	if (a != NULL || b != NULL)
-		return (DNS_R_NXRRSET);
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * A comparison function defining the sorting order for the entries
- * in the "temp" data structure.  The major sort key is the owner name,
- * followed by the type and rdata.
- */
-static int
-temp_order(const void *av, const void *bv) {
-	dns_difftuple_t const * const *ap = av;
-	dns_difftuple_t const * const *bp = bv;
-	dns_difftuple_t const *a = *ap;
-	dns_difftuple_t const *b = *bp;
-	int r;
-	r = dns_name_compare(&a->name, &b->name);
-	if (r != 0)
-		return (r);
-	r = (b->rdata.type - a->rdata.type);
-	if (r != 0)
-		return (r);
-	r = dns_rdata_casecompare(&a->rdata, &b->rdata);
-	return (r);
-}
-
-/*%
- * Check the "RRset exists (value dependent)" prerequisite information
- * in 'temp' against the contents of the database 'db'.
- *
- * Return ISC_R_SUCCESS if the prerequisites are satisfied,
- * rcode(dns_rcode_nxrrset) if not.
- *
- * 'temp' must be pre-sorted.
- */
-
-static isc_result_t
-temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
-	   dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep)
-{
-	isc_result_t result;
-	dns_name_t *name;
-	dns_dbnode_t *node;
-	dns_difftuple_t *t;
-	dns_diff_t trash;
-
-	dns_diff_init(mctx, &trash);
-
-	/*
-	 * For each name and type in the prerequisites,
-	 * construct a sorted rdata list of the corresponding
-	 * database contents, and compare the lists.
-	 */
-	t = ISC_LIST_HEAD(temp->tuples);
-	while (t != NULL) {
-		name = &t->name;
-		(void)dns_name_copy(name, tmpname, NULL);
-		*typep = t->rdata.type;
-
-		/* A new unique name begins here. */
-		node = NULL;
-		result = dns_db_findnode(db, name, ISC_FALSE, &node);
-		if (result == ISC_R_NOTFOUND) {
-			dns_diff_clear(&trash);
-			return (DNS_R_NXRRSET);
-		}
-		if (result != ISC_R_SUCCESS) {
-			dns_diff_clear(&trash);
-			return (result);
-		}
-
-		/* A new unique type begins here. */
-		while (t != NULL && dns_name_equal(&t->name, name)) {
-			dns_rdatatype_t type, covers;
-			dns_rdataset_t rdataset;
-			dns_diff_t d_rrs; /* Database RRs with
-						this name and type */
-			dns_diff_t u_rrs; /* Update RRs with
-						this name and type */
-
-			*typep = type = t->rdata.type;
-			if (type == dns_rdatatype_rrsig ||
-			    type == dns_rdatatype_sig)
-				covers = dns_rdata_covers(&t->rdata);
-			else if (type == dns_rdatatype_any) {
-				dns_db_detachnode(db, &node);
-				dns_diff_clear(&trash);
-				return (DNS_R_NXRRSET);
-			} else
-				covers = 0;
-
-			/*
-			 * Collect all database RRs for this name and type
-			 * onto d_rrs and sort them.
-			 */
-			dns_rdataset_init(&rdataset);
-			result = dns_db_findrdataset(db, node, ver, type,
-						     covers, (isc_stdtime_t) 0,
-						     &rdataset, NULL);
-			if (result != ISC_R_SUCCESS) {
-				dns_db_detachnode(db, &node);
-				dns_diff_clear(&trash);
-				return (DNS_R_NXRRSET);
-			}
-
-			dns_diff_init(mctx, &d_rrs);
-			dns_diff_init(mctx, &u_rrs);
-
-			for (result = dns_rdataset_first(&rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(&rdataset))
-			{
-				dns_rdata_t rdata = DNS_RDATA_INIT;
-				dns_rdataset_current(&rdataset, &rdata);
-				result = temp_append(&d_rrs, name, &rdata);
-				if (result != ISC_R_SUCCESS)
-					goto failure;
-			}
-			if (result != ISC_R_NOMORE)
-				goto failure;
-			result = dns_diff_sort(&d_rrs, temp_order);
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-
-			/*
-			 * Collect all update RRs for this name and type
-			 * onto u_rrs.  No need to sort them here -
-			 * they are already sorted.
-			 */
-			while (t != NULL &&
-			       dns_name_equal(&t->name, name) &&
-			       t->rdata.type == type)
-			{
-				dns_difftuple_t *next =
-					ISC_LIST_NEXT(t, link);
-				ISC_LIST_UNLINK(temp->tuples, t, link);
-				ISC_LIST_APPEND(u_rrs.tuples, t, link);
-				t = next;
-			}
-
-			/* Compare the two sorted lists. */
-			result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples),
-						  ISC_LIST_HEAD(d_rrs.tuples));
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-
-			/*
-			 * We are done with the tuples, but we can't free
-			 * them yet because "name" still points into one
-			 * of them.  Move them on a temporary list.
-			 */
-			ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link);
-			ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link);
-			dns_rdataset_disassociate(&rdataset);
-
-			continue;
-
-		    failure:
-			dns_diff_clear(&d_rrs);
-			dns_diff_clear(&u_rrs);
-			dns_diff_clear(&trash);
-			dns_rdataset_disassociate(&rdataset);
-			dns_db_detachnode(db, &node);
-			return (result);
-		}
-
-		dns_db_detachnode(db, &node);
-	}
-
-	dns_diff_clear(&trash);
-	return (ISC_R_SUCCESS);
-}
-
-/**************************************************************************/
-/*
- * Conditional deletion of RRs.
- */
-
-/*%
- * Context structure for delete_if().
- */
-
-typedef struct {
-	rr_predicate *predicate;
-	dns_db_t *db;
-	dns_dbversion_t *ver;
-	dns_diff_t *diff;
-	dns_name_t *name;
-	dns_rdata_t *update_rr;
-} conditional_delete_ctx_t;
-
-/*%
- * Predicate functions for delete_if().
- */
-
-/*%
- * Return true iff 'db_rr' is neither a SOA nor an NS RR nor
- * an RRSIG nor an NSEC3PARAM nor a NSEC.
- */
-static isc_boolean_t
-type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
-	UNUSED(update_rr);
-	return ((db_rr->type != dns_rdatatype_soa &&
-		 db_rr->type != dns_rdatatype_ns &&
-		 db_rr->type != dns_rdatatype_nsec3param &&
-		 db_rr->type != dns_rdatatype_rrsig &&
-		 db_rr->type != dns_rdatatype_nsec) ?
-		ISC_TRUE : ISC_FALSE);
-}
-
-/*%
- * Return true iff 'db_rr' is neither a RRSIG nor a NSEC.
- */
-static isc_boolean_t
-type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
-	UNUSED(update_rr);
-	return ((db_rr->type != dns_rdatatype_rrsig &&
-		 db_rr->type != dns_rdatatype_nsec) ?
-		ISC_TRUE : ISC_FALSE);
-}
-
-/*%
- * Return true always.
- */
-static isc_boolean_t
-true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
-	UNUSED(update_rr);
-	UNUSED(db_rr);
-	return (ISC_TRUE);
-}
-
-/*%
- * Return true iff the two RRs have identical rdata.
- */
-static isc_boolean_t
-rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
-	/*
-	 * XXXRTH  This is not a problem, but we should consider creating
-	 *         dns_rdata_equal() (that used dns_name_equal()), since it
-	 *         would be faster.  Not a priority.
-	 */
-	return (dns_rdata_casecompare(update_rr, db_rr) == 0 ?
-		ISC_TRUE : ISC_FALSE);
-}
-
-/*%
- * Return true iff 'update_rr' should replace 'db_rr' according
- * to the special RFC2136 rules for CNAME, SOA, and WKS records.
- *
- * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
- * make little sense, so we replace those, too.
- *
- * Additionally replace RRSIG that have been generated by the same key
- * for the same type.  This simplifies refreshing a offline KSK by not
- * requiring that the old RRSIG be deleted.  It also simplifies key
- * rollover by only requiring that the new RRSIG be added.
- */
-static isc_boolean_t
-replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
-	dns_rdata_rrsig_t updatesig, dbsig;
-	isc_result_t result;
-
-	if (db_rr->type != update_rr->type)
-		return (ISC_FALSE);
-	if (db_rr->type == dns_rdatatype_cname)
-		return (ISC_TRUE);
-	if (db_rr->type == dns_rdatatype_dname)
-		return (ISC_TRUE);
-	if (db_rr->type == dns_rdatatype_soa)
-		return (ISC_TRUE);
-	if (db_rr->type == dns_rdatatype_nsec)
-		return (ISC_TRUE);
-	if (db_rr->type == dns_rdatatype_rrsig) {
-		/*
-		 * Replace existing RRSIG with the same keyid,
-		 * covered and algorithm.
-		 */
-		result = dns_rdata_tostruct(db_rr, &dbsig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		result = dns_rdata_tostruct(update_rr, &updatesig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		if (dbsig.keyid == updatesig.keyid &&
-		    dbsig.covered == updatesig.covered &&
-		    dbsig.algorithm == updatesig.algorithm)
-			return (ISC_TRUE);
-	}
-	if (db_rr->type == dns_rdatatype_wks) {
-		/*
-		 * Compare the address and protocol fields only.  These
-		 * form the first five bytes of the RR data.  Do a
-		 * raw binary comparison; unpacking the WKS RRs using
-		 * dns_rdata_tostruct() might be cleaner in some ways.
-		 */
-		INSIST(db_rr->length >= 5 && update_rr->length >= 5);
-		return (memcmp(db_rr->data, update_rr->data, 5) == 0 ?
-			ISC_TRUE : ISC_FALSE);
-	}
-
-	if (db_rr->type == dns_rdatatype_nsec3param) {
-		if (db_rr->length != update_rr->length)
-			return (ISC_FALSE);
-		INSIST(db_rr->length >= 4 && update_rr->length >= 4);
-		/*
-		 * Replace NSEC3PARAM records that only differ by the
-		 * flags field.
-		 */
-		if (db_rr->data[0] == update_rr->data[0] &&
-		    memcmp(db_rr->data+2, update_rr->data+2,
-			   update_rr->length - 2) == 0)
-			return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-/*%
- * Internal helper function for delete_if().
- */
-static isc_result_t
-delete_if_action(void *data, rr_t *rr) {
-	conditional_delete_ctx_t *ctx = data;
-	if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
-		isc_result_t result;
-		result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
-				       DNS_DIFFOP_DEL, ctx->name,
-				       rr->ttl, &rr->rdata);
-		return (result);
-	} else {
-		return (ISC_R_SUCCESS);
-	}
-}
-
-/*%
- * Conditionally delete RRs.  Apply 'predicate' to the RRs
- * specified by 'db', 'ver', 'name', and 'type' (which can
- * be dns_rdatatype_any to match any type).  Delete those
- * RRs for which the predicate returns true, and log the
- * deletions in 'diff'.
- */
-static isc_result_t
-delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
-	  dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
-	  dns_rdata_t *update_rr, dns_diff_t *diff)
-{
-	conditional_delete_ctx_t ctx;
-	ctx.predicate = predicate;
-	ctx.db = db;
-	ctx.ver = ver;
-	ctx.diff = diff;
-	ctx.name = name;
-	ctx.update_rr = update_rr;
-	return (foreach_rr(db, ver, name, type, covers,
-			   delete_if_action, &ctx));
-}
-
-/**************************************************************************/
-/*%
- * Prepare an RR for the addition of the new RR 'ctx->update_rr',
- * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting
- * the RRs if it is replaced by the new RR or has a conflicting TTL.
- * The necessary changes are appended to ctx->del_diff and ctx->add_diff;
- * we need to do all deletions before any additions so that we don't run
- * into transient states with conflicting TTLs.
- */
-
-typedef struct {
-	dns_db_t *db;
-	dns_dbversion_t *ver;
-	dns_diff_t *diff;
-	dns_name_t *name;
-	dns_rdata_t *update_rr;
-	dns_ttl_t update_rr_ttl;
-	isc_boolean_t ignore_add;
-	dns_diff_t del_diff;
-	dns_diff_t add_diff;
-} add_rr_prepare_ctx_t;
-
-static isc_result_t
-add_rr_prepare_action(void *data, rr_t *rr) {
-	isc_result_t result = ISC_R_SUCCESS;
-	add_rr_prepare_ctx_t *ctx = data;
-	dns_difftuple_t *tuple = NULL;
-	isc_boolean_t equal;
-
-	/*
-	 * If the update RR is a "duplicate" of the update RR,
-	 * the update should be silently ignored.
-	 */
-	equal = ISC_TF(dns_rdata_casecompare(&rr->rdata, ctx->update_rr) == 0);
-	if (equal && rr->ttl == ctx->update_rr_ttl) {
-		ctx->ignore_add = ISC_TRUE;
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * If this RR is "equal" to the update RR, it should
-	 * be deleted before the update RR is added.
-	 */
-	if (replaces_p(ctx->update_rr, &rr->rdata)) {
-		CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
-					   ctx->name, rr->ttl, &rr->rdata,
-					   &tuple));
-		dns_diff_append(&ctx->del_diff, &tuple);
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * If this RR differs in TTL from the update RR,
-	 * its TTL must be adjusted.
-	 */
-	if (rr->ttl != ctx->update_rr_ttl) {
-		CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
-					   ctx->name, rr->ttl, &rr->rdata,
-					   &tuple));
-		dns_diff_append(&ctx->del_diff, &tuple);
-		if (!equal) {
-			CHECK(dns_difftuple_create(ctx->add_diff.mctx,
-						   DNS_DIFFOP_ADD, ctx->name,
-						   ctx->update_rr_ttl,
-						   &rr->rdata, &tuple));
-			dns_diff_append(&ctx->add_diff, &tuple);
-		}
-	}
- failure:
-	return (result);
-}
-
-/**************************************************************************/
-/*
- * Miscellaneous subroutines.
- */
-
-/*%
- * Extract a single update RR from 'section' of dynamic update message
- * 'msg', with consistency checking.
- *
- * Stores the owner name, rdata, and TTL of the update RR at 'name',
- * 'rdata', and 'ttl', respectively.
- */
-static void
-get_current_rr(dns_message_t *msg, dns_section_t section,
-	       dns_rdataclass_t zoneclass, dns_name_t **name,
-	       dns_rdata_t *rdata, dns_rdatatype_t *covers,
-	       dns_ttl_t *ttl, dns_rdataclass_t *update_class)
-{
-	dns_rdataset_t *rdataset;
-	isc_result_t result;
-	dns_message_currentname(msg, section, name);
-	rdataset = ISC_LIST_HEAD((*name)->list);
-	INSIST(rdataset != NULL);
-	INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
-	*covers = rdataset->covers;
-	*ttl = rdataset->ttl;
-	result = dns_rdataset_first(rdataset);
-	INSIST(result == ISC_R_SUCCESS);
-	dns_rdataset_current(rdataset, rdata);
-	INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
-	*update_class = rdata->rdclass;
-	rdata->rdclass = zoneclass;
-}
-
-/*%
- * Increment the SOA serial number of database 'db', version 'ver'.
- * Replace the SOA record in the database, and log the
- * change in 'diff'.
- */
-
-	/*
-	 * XXXRTH  Failures in this routine will be worth logging, when
-	 *         we have a logging system.  Failure to find the zonename
-	 *	   or the SOA rdataset warrant at least an UNEXPECTED_ERROR().
-	 */
-
-static isc_result_t
-update_soa_serial(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
-		  isc_mem_t *mctx, dns_updatemethod_t method)
-{
-	dns_difftuple_t *deltuple = NULL;
-	dns_difftuple_t *addtuple = NULL;
-	isc_uint32_t serial;
-	isc_result_t result;
-
-	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
-	CHECK(dns_difftuple_copy(deltuple, &addtuple));
-	addtuple->op = DNS_DIFFOP_ADD;
-
-	serial = dns_soa_getserial(&addtuple->rdata);
-	serial = dns_update_soaserial(serial, method);
-	dns_soa_setserial(serial, &addtuple->rdata);
-	CHECK(do_one_tuple(&deltuple, db, ver, diff));
-	CHECK(do_one_tuple(&addtuple, db, ver, diff));
-	result = ISC_R_SUCCESS;
-
- failure:
-	if (addtuple != NULL)
-		dns_difftuple_free(&addtuple);
-	if (deltuple != NULL)
-		dns_difftuple_free(&deltuple);
-	return (result);
-}
-
-/*%
- * Check that the new SOA record at 'update_rdata' does not
- * illegally cause the SOA serial number to decrease or stay
- * unchanged relative to the existing SOA in 'db'.
- *
- * Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not.
- *
- * William King points out that RFC2136 is inconsistent about
- * the case where the serial number stays unchanged:
- *
- *   section 3.4.2.2 requires a server to ignore a SOA update request
- *   if the serial number on the update SOA is less_than_or_equal to
- *   the zone SOA serial.
- *
- *   section 3.6 requires a server to ignore a SOA update request if
- *   the serial is less_than the zone SOA serial.
- *
- * Paul says 3.4.2.2 is correct.
- *
- */
-static isc_result_t
-check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
-		    dns_rdata_t *update_rdata, isc_boolean_t *ok)
-{
-	isc_uint32_t db_serial;
-	isc_uint32_t update_serial;
-	isc_result_t result;
-
-	update_serial = dns_soa_getserial(update_rdata);
-
-	result = dns_db_getsoaserial(db, ver, &db_serial);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (DNS_SERIAL_GE(db_serial, update_serial)) {
-		*ok = ISC_FALSE;
-	} else {
-		*ok = ISC_TRUE;
-	}
-
-	return (ISC_R_SUCCESS);
-
-}
-
-/**************************************************************************/
-/*%
- * The actual update code in all its glory.  We try to follow
- * the RFC2136 pseudocode as closely as possible.
- */
-
-static isc_result_t
-send_update_event(ns_client_t *client, dns_zone_t *zone) {
-	isc_result_t result = ISC_R_SUCCESS;
-	update_event_t *event = NULL;
-	isc_task_t *zonetask = NULL;
-	ns_client_t *evclient;
-
-	event = (update_event_t *)
-		isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
-				   update_action, NULL, sizeof(*event));
-	if (event == NULL)
-		FAIL(ISC_R_NOMEMORY);
-	event->zone = zone;
-	event->result = ISC_R_SUCCESS;
-
-	evclient = NULL;
-	ns_client_attach(client, &evclient);
-	INSIST(client->nupdates == 0);
-	client->nupdates++;
-	event->ev_arg = evclient;
-
-	dns_zone_gettask(zone, &zonetask);
-	isc_task_send(zonetask, ISC_EVENT_PTR(&event));
-
- failure:
-	if (event != NULL)
-		isc_event_free(ISC_EVENT_PTR(&event));
-	return (result);
-}
-
-static void
-respond(ns_client_t *client, isc_result_t result) {
-	isc_result_t msg_result;
-
-	msg_result = dns_message_reply(client->message, ISC_TRUE);
-	if (msg_result != ISC_R_SUCCESS)
-		goto msg_failure;
-	client->message->rcode = dns_result_torcode(result);
-
-	ns_client_send(client);
-	return;
-
- msg_failure:
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
-		      ISC_LOG_ERROR,
-		      "could not create update response message: %s",
-		      isc_result_totext(msg_result));
-	ns_client_next(client, msg_result);
-}
-
-void
-ns_update_start(ns_client_t *client, isc_result_t sigresult) {
-	dns_message_t *request = client->message;
-	isc_result_t result;
-	dns_name_t *zonename;
-	dns_rdataset_t *zone_rdataset;
-	dns_zone_t *zone = NULL, *raw = NULL;
-
-	/*
-	 * Interpret the zone section.
-	 */
-	result = dns_message_firstname(request, DNS_SECTION_ZONE);
-	if (result != ISC_R_SUCCESS)
-		FAILC(DNS_R_FORMERR, "update zone section empty");
-
-	/*
-	 * The zone section must contain exactly one "question", and
-	 * it must be of type SOA.
-	 */
-	zonename = NULL;
-	dns_message_currentname(request, DNS_SECTION_ZONE, &zonename);
-	zone_rdataset = ISC_LIST_HEAD(zonename->list);
-	if (zone_rdataset->type != dns_rdatatype_soa)
-		FAILC(DNS_R_FORMERR,
-		      "update zone section contains non-SOA");
-	if (ISC_LIST_NEXT(zone_rdataset, link) != NULL)
-		FAILC(DNS_R_FORMERR,
-		      "update zone section contains multiple RRs");
-
-	/* The zone section must have exactly one name. */
-	result = dns_message_nextname(request, DNS_SECTION_ZONE);
-	if (result != ISC_R_NOMORE)
-		FAILC(DNS_R_FORMERR,
-		      "update zone section contains multiple RRs");
-
-	result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
-			     &zone);
-	if (result != ISC_R_SUCCESS)
-		FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
-
-	/*
-	 * If there is a raw (unsigned) zone associated with this
-	 * zone then it processes the UPDATE request.
-	 */
-	dns_zone_getraw(zone, &raw);
-	if (raw != NULL) {
-		dns_zone_detach(&zone);
-		dns_zone_attach(raw, &zone);
-		dns_zone_detach(&raw);
-	}
-
-	switch(dns_zone_gettype(zone)) {
-	case dns_zone_master:
-	case dns_zone_dlz:
-		/*
-		 * We can now fail due to a bad signature as we now know
-		 * that we are the master.
-		 */
-		if (sigresult != ISC_R_SUCCESS)
-			FAIL(sigresult);
-		CHECK(send_update_event(client, zone));
-		break;
-	case dns_zone_slave:
-		CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
-				     "update forwarding", zonename, ISC_TRUE,
-				     ISC_FALSE));
-		CHECK(send_forward_event(client, zone));
-		break;
-	default:
-		FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
-	}
-	return;
-
- failure:
-	if (result == DNS_R_REFUSED) {
-		INSIST(dns_zone_gettype(zone) == dns_zone_slave);
-		inc_stats(zone, dns_nsstatscounter_updaterej);
-	}
-	/*
-	 * We failed without having sent an update event to the zone.
-	 * We are still in the client task context, so we can
-	 * simply give an error response without switching tasks.
-	 */
-	respond(client, result);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-}
-
-/*%
- * DS records are not allowed to exist without corresponding NS records,
- * RFC 3658, 2.2 Protocol Change,
- * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
- */
-
-static isc_result_t
-remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
-	isc_result_t result;
-	isc_boolean_t ns_exists;
-	dns_difftuple_t *tupple;
-	dns_diff_t temp_diff;
-
-	dns_diff_init(diff->mctx, &temp_diff);
-
-	for (tupple = ISC_LIST_HEAD(diff->tuples);
-	     tupple != NULL;
-	     tupple = ISC_LIST_NEXT(tupple, link)) {
-		if (!((tupple->op == DNS_DIFFOP_DEL &&
-		       tupple->rdata.type == dns_rdatatype_ns) ||
-		      (tupple->op == DNS_DIFFOP_ADD &&
-		       tupple->rdata.type == dns_rdatatype_ds)))
-			continue;
-		CHECK(rrset_exists(db, newver, &tupple->name,
-				   dns_rdatatype_ns, 0, &ns_exists));
-		if (ns_exists &&
-		    !dns_name_equal(&tupple->name, dns_db_origin(db)))
-			continue;
-		CHECK(delete_if(true_p, db, newver, &tupple->name,
-				dns_rdatatype_ds, 0, NULL, &temp_diff));
-	}
-	result = ISC_R_SUCCESS;
-
- failure:
-	for (tupple = ISC_LIST_HEAD(temp_diff.tuples);
-	     tupple != NULL;
-	     tupple = ISC_LIST_HEAD(temp_diff.tuples)) {
-		ISC_LIST_UNLINK(temp_diff.tuples, tupple, link);
-		dns_diff_appendminimal(diff, &tupple);
-	}
-	return (result);
-}
-
-/*
- * This implements the post load integrity checks for mx records.
- */
-static isc_result_t
-check_mx(ns_client_t *client, dns_zone_t *zone,
-	 dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff)
-{
-	char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char altbuf[DNS_NAME_FORMATSIZE];
-	dns_difftuple_t *t;
-	dns_fixedname_t fixed;
-	dns_name_t *foundname;
-	dns_rdata_mx_t mx;
-	dns_rdata_t rdata;
-	isc_boolean_t ok = ISC_TRUE;
-	isc_boolean_t isaddress;
-	isc_result_t result;
-	struct in6_addr addr6;
-	struct in_addr addr;
-	unsigned int options;
-
-	dns_fixedname_init(&fixed);
-	foundname = dns_fixedname_name(&fixed);
-	dns_rdata_init(&rdata);
-	options = dns_zone_getoptions(zone);
-
-	for (t = ISC_LIST_HEAD(diff->tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link)) {
-		if (t->op != DNS_DIFFOP_ADD ||
-		    t->rdata.type != dns_rdatatype_mx)
-			continue;
-
-		result = dns_rdata_tostruct(&t->rdata, &mx, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		/*
-		 * Check if we will error out if we attempt to reload the
-		 * zone.
-		 */
-		dns_name_format(&mx.mx, namebuf, sizeof(namebuf));
-		dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf));
-		isaddress = ISC_FALSE;
-		if ((options & DNS_RDATA_CHECKMX) != 0 &&
-		    strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) {
-			if (tmp[strlen(tmp) - 1] == '.')
-				tmp[strlen(tmp) - 1] = '\0';
-			if (inet_aton(tmp, &addr) == 1 ||
-			    inet_pton(AF_INET6, tmp, &addr6) == 1)
-				isaddress = ISC_TRUE;
-		}
-
-		if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) {
-			update_log(client, zone, ISC_LOG_ERROR,
-				   "%s/MX: '%s': %s",
-				   ownerbuf, namebuf,
-				   dns_result_totext(DNS_R_MXISADDRESS));
-			ok = ISC_FALSE;
-		} else if (isaddress) {
-			update_log(client, zone, ISC_LOG_WARNING,
-				   "%s/MX: warning: '%s': %s",
-				   ownerbuf, namebuf,
-				   dns_result_totext(DNS_R_MXISADDRESS));
-		}
-
-		/*
-		 * Check zone integrity checks.
-		 */
-		if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0)
-			continue;
-		result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a,
-				     0, 0, NULL, foundname, NULL, NULL);
-		if (result == ISC_R_SUCCESS)
-			continue;
-
-		if (result == DNS_R_NXRRSET) {
-			result = dns_db_find(db, &mx.mx, newver,
-					     dns_rdatatype_aaaa,
-					     0, 0, NULL, foundname,
-					     NULL, NULL);
-			if (result == ISC_R_SUCCESS)
-				continue;
-		}
-
-		if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) {
-			update_log(client, zone, ISC_LOG_ERROR,
-				   "%s/MX '%s' has no address records "
-				   "(A or AAAA)", ownerbuf, namebuf);
-			ok = ISC_FALSE;
-		} else if (result == DNS_R_CNAME) {
-			update_log(client, zone, ISC_LOG_ERROR,
-				   "%s/MX '%s' is a CNAME (illegal)",
-				   ownerbuf, namebuf);
-			ok = ISC_FALSE;
-		} else if (result == DNS_R_DNAME) {
-			dns_name_format(foundname, altbuf, sizeof altbuf);
-			update_log(client, zone, ISC_LOG_ERROR,
-				   "%s/MX '%s' is below a DNAME '%s' (illegal)",
-				   ownerbuf, namebuf, altbuf);
-			ok = ISC_FALSE;
-		}
-	}
-	return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED);
-}
-
-static isc_result_t
-rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	  const dns_rdata_t *rdata, isc_boolean_t *flag)
-{
-	dns_rdataset_t rdataset;
-	dns_dbnode_t *node = NULL;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-	if (rdata->type == dns_rdatatype_nsec3)
-		CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
-	else
-		CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
-	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		*flag = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-		goto failure;
-	}
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t myrdata = DNS_RDATA_INIT;
-		dns_rdataset_current(&rdataset, &myrdata);
-		if (!dns_rdata_casecompare(&myrdata, rdata))
-			break;
-	}
-	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_SUCCESS) {
-		*flag = ISC_TRUE;
-	} else if (result == ISC_R_NOMORE) {
-		*flag = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-	}
-
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-static isc_result_t
-get_iterations(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype,
-	       unsigned int *iterationsp)
-{
-	dns_dbnode_t *node = NULL;
-	dns_rdata_nsec3param_t nsec3param;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-	unsigned int iterations = 0;
-
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
-				     0, (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto try_private;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
-			continue;
-		if (nsec3param.iterations > iterations)
-			iterations = nsec3param.iterations;
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-
-	dns_rdataset_disassociate(&rdataset);
-
- try_private:
-	if (privatetype == 0)
-		goto success;
-
-	result = dns_db_findrdataset(db, node, ver, privatetype,
-				     0, (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto success;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-		dns_rdata_t private = DNS_RDATA_INIT;
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		if (!dns_nsec3param_fromprivate(&private, &rdata,
-						buf, sizeof(buf)))
-			continue;
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
-			continue;
-		if (nsec3param.iterations > iterations)
-			iterations = nsec3param.iterations;
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-
- success:
-	*iterationsp = iterations;
-	result = ISC_R_SUCCESS;
-
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	return (result);
-}
-
-/*
- * Prevent the zone entering a inconsistent state where
- * NSEC only DNSKEYs are present with NSEC3 chains.
- */
-static isc_result_t
-check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
-	     dns_dbversion_t *ver, dns_diff_t *diff)
-{
-	dns_difftuple_t *tuple;
-	isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE;
-	isc_result_t result;
-	unsigned int iterations = 0, max;
-	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
-
-	/* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
-	for (tuple = ISC_LIST_HEAD(diff->tuples);
-	     tuple != NULL;
-	     tuple = ISC_LIST_NEXT(tuple, link)) {
-		if (tuple->op != DNS_DIFFOP_ADD)
-			continue;
-
-		if (tuple->rdata.type == dns_rdatatype_dnskey) {
-			isc_uint8_t alg;
-			alg = tuple->rdata.data[3];
-			if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
-			    alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
-				nseconly = ISC_TRUE;
-				break;
-			}
-		} else if (tuple->rdata.type == dns_rdatatype_nsec3param) {
-			nsec3 = ISC_TRUE;
-			break;
-		}
-	}
-
-	/* Check existing DB for NSEC-only DNSKEY */
-	if (!nseconly) {
-		result = dns_nsec_nseconly(db, ver, &nseconly);
-
-		/*
-		 * An NSEC3PARAM update can proceed without a DNSKEY (it
-		 * will trigger a delayed change), so we can ignore
-		 * ISC_R_NOTFOUND here.
-		 */
-		if (result == ISC_R_NOTFOUND)
-			result = ISC_R_SUCCESS;
-
-		CHECK(result);
-	}
-
-	/* Check existing DB for NSEC3 */
-	if (!nsec3)
-		CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
-					privatetype, &nsec3));
-
-	/* Refuse to allow NSEC3 with NSEC-only keys */
-	if (nseconly && nsec3) {
-		update_log(client, zone, ISC_LOG_ERROR,
-			   "NSEC only DNSKEYs and NSEC3 chains not allowed");
-		result = DNS_R_REFUSED;
-		goto failure;
-	}
-
-	/* Verify NSEC3 params */
-	CHECK(get_iterations(db, ver, privatetype, &iterations));
-	CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
-	if (max != 0 && iterations > max) {
-		update_log(client, zone, ISC_LOG_ERROR,
-			   "too many NSEC3 iterations (%u) for "
-			   "weakest DNSKEY (%u)", iterations, max);
-		result = DNS_R_REFUSED;
-		goto failure;
-	}
-
- failure:
-	return (result);
-}
-
-/*
- * Delay NSEC3PARAM changes as they need to be applied to the whole zone.
- */
-static isc_result_t
-add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
-		       dns_dbversion_t *ver, dns_diff_t *diff)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_difftuple_t *tuple, *newtuple = NULL, *next;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
-	dns_diff_t temp_diff;
-	dns_diffop_t op;
-	isc_boolean_t flag;
-	dns_name_t *name = dns_zone_getorigin(zone);
-	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
-	isc_uint32_t ttl = 0;
-	isc_boolean_t ttl_good = ISC_FALSE;
-
-	update_log(client, zone, ISC_LOG_DEBUG(3),
-		    "checking for NSEC3PARAM changes");
-
-	dns_diff_init(diff->mctx, &temp_diff);
-
-	/*
-	 * Extract NSEC3PARAM tuples from list.
-	 */
-	for (tuple = ISC_LIST_HEAD(diff->tuples);
-	     tuple != NULL;
-	     tuple = next) {
-
-		next = ISC_LIST_NEXT(tuple, link);
-
-		if (tuple->rdata.type != dns_rdatatype_nsec3param ||
-		    !dns_name_equal(name, &tuple->name))
-			continue;
-		ISC_LIST_UNLINK(diff->tuples, tuple, link);
-		ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
-	}
-
-	/*
-	 * Extract TTL changes pairs, we don't need to convert these to
-	 * delayed changes.
-	 */
-	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
-	     tuple != NULL; tuple = next) {
-		if (tuple->op == DNS_DIFFOP_ADD) {
-			if (!ttl_good) {
-				/*
-				 * Any adds here will contain the final
-				 * NSEC3PARAM RRset TTL.
-				 */
-				ttl = tuple->ttl;
-				ttl_good = ISC_TRUE;
-			}
-			/*
-			 * Walk the temp_diff list looking for the
-			 * corresponding delete.
-			 */
-			next = ISC_LIST_HEAD(temp_diff.tuples);
-			while (next != NULL) {
-				unsigned char *next_data = next->rdata.data;
-				unsigned char *tuple_data = tuple->rdata.data;
-				if (next->op == DNS_DIFFOP_DEL &&
-				    next->rdata.length == tuple->rdata.length &&
-				    !memcmp(next_data, tuple_data,
-					    next->rdata.length)) {
-					ISC_LIST_UNLINK(temp_diff.tuples, next,
-							link);
-					ISC_LIST_APPEND(diff->tuples, next,
-							link);
-					break;
-				}
-				next = ISC_LIST_NEXT(next, link);
-			}
-			/*
-			 * If we have not found a pair move onto the next
-			 * tuple.
-			 */
-			if (next == NULL) {
-				next = ISC_LIST_NEXT(tuple, link);
-				continue;
-			}
-			/*
-			 * Find the next tuple to be processed before
-			 * unlinking then complete moving the pair to 'diff'.
-			 */
-			next = ISC_LIST_NEXT(tuple, link);
-			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
-			ISC_LIST_APPEND(diff->tuples, tuple, link);
-		} else
-			next = ISC_LIST_NEXT(tuple, link);
-	}
-
-	/*
-	 * Preserve any ongoing changes from a BIND 9.6.x upgrade.
-	 *
-	 * Any NSEC3PARAM records with flags other than OPTOUT named
-	 * in managing and should not be touched so revert such changes
-	 * taking into account any TTL change of the NSEC3PARAM RRset.
-	 */
-	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
-	     tuple != NULL; tuple = next) {
-		next = ISC_LIST_NEXT(tuple, link);
-		if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
-			/*
-			 * If we havn't had any adds then the tuple->ttl must
-			 * be the original ttl and should be used for any
-			 * future changes.
-			 */
-			if (!ttl_good) {
-				ttl = tuple->ttl;
-				ttl_good = ISC_TRUE;
-			}
-			op = (tuple->op == DNS_DIFFOP_DEL) ?
-			     DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
-			CHECK(dns_difftuple_create(diff->mctx, op, name,
-						   ttl, &tuple->rdata,
-						   &newtuple));
-			CHECK(do_one_tuple(&newtuple, db, ver, diff));
-			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
-			dns_diff_appendminimal(diff, &tuple);
-		}
-	}
-
-	/*
-	 * We now have just the actual changes to the NSEC3PARAM RRset.
-	 * Convert the adds to delayed adds and the deletions into delayed
-	 * deletions.
-	 */
-	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
-	     tuple != NULL; tuple = next) {
-		/*
-		 * If we havn't had any adds then the tuple->ttl must be the
-		 * original ttl and should be used for any future changes.
-		 */
-		if (!ttl_good) {
-			ttl = tuple->ttl;
-			ttl_good = ISC_TRUE;
-		}
-		if (tuple->op == DNS_DIFFOP_ADD) {
-			isc_boolean_t nseconly = ISC_FALSE;
-
-			/*
-			 * Look for any deletes which match this ADD ignoring
-			 * flags.  We don't need to explictly remove them as
-			 * they will be removed a side effect of processing
-			 * the add.
-			 */
-			next = ISC_LIST_HEAD(temp_diff.tuples);
-			while (next != NULL) {
-				unsigned char *next_data = next->rdata.data;
-				unsigned char *tuple_data = tuple->rdata.data;
-				if (next->op != DNS_DIFFOP_DEL ||
-				    next->rdata.length != tuple->rdata.length ||
-				    next_data[0] != tuple_data[0] ||
-				    next_data[2] != tuple_data[2] ||
-				    next_data[3] != tuple_data[3] ||
-				    memcmp(next_data + 4, tuple_data + 4,
-					   tuple->rdata.length - 4)) {
-					next = ISC_LIST_NEXT(next, link);
-					continue;
-				}
-				ISC_LIST_UNLINK(temp_diff.tuples, next, link);
-				ISC_LIST_APPEND(diff->tuples, next, link);
-				next = ISC_LIST_HEAD(temp_diff.tuples);
-			}
-
-			/*
-			 * Create a private-type record to signal that
-			 * we want a delayed NSEC3 chain add/delete
-			 */
-			dns_nsec3param_toprivate(&tuple->rdata, &rdata,
-						 privatetype, buf, sizeof(buf));
-			buf[2] |= DNS_NSEC3FLAG_CREATE;
-
-			/*
-			 * If the zone is not currently capable of
-			 * supporting an NSEC3 chain, then we set the
-			 * INITIAL flag to indicate that these parameters
-			 * are to be used later.
-			 */
-			result = dns_nsec_nseconly(db, ver, &nseconly);
-			if (result == ISC_R_NOTFOUND || nseconly)
-				buf[2] |= DNS_NSEC3FLAG_INITIAL;
-
-			/*
-			 * See if this CREATE request already exists.
-			 */
-			CHECK(rr_exists(db, ver, name, &rdata, &flag));
-
-			if (!flag) {
-				CHECK(dns_difftuple_create(diff->mctx,
-							   DNS_DIFFOP_ADD,
-							   name, 0, &rdata,
-							   &newtuple));
-				CHECK(do_one_tuple(&newtuple, db, ver, diff));
-			}
-
-			/*
-			 * Remove any existing CREATE request to add an
-			 * otherwise indentical chain with a reversed
-			 * OPTOUT state.
-			 */
-			buf[2] ^= DNS_NSEC3FLAG_OPTOUT;
-			CHECK(rr_exists(db, ver, name, &rdata, &flag));
-
-			if (flag) {
-				CHECK(dns_difftuple_create(diff->mctx,
-							   DNS_DIFFOP_DEL,
-							   name, 0, &rdata,
-							   &newtuple));
-				CHECK(do_one_tuple(&newtuple, db, ver, diff));
-			}
-
-			/*
-			 * Find the next tuple to be processed and remove the
-			 * temporary add record.
-			 */
-			next = ISC_LIST_NEXT(tuple, link);
-			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
-						   name, ttl, &tuple->rdata,
-						   &newtuple));
-			CHECK(do_one_tuple(&newtuple, db, ver, diff));
-			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
-			dns_diff_appendminimal(diff, &tuple);
-			dns_rdata_reset(&rdata);
-		} else
-			next = ISC_LIST_NEXT(tuple, link);
-	}
-
-	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
-	     tuple != NULL; tuple = next) {
-
-		INSIST(ttl_good);
-
-		next = ISC_LIST_NEXT(tuple, link);
-		/*
-		 * See if we already have a REMOVE request in progress.
-		 */
-		dns_nsec3param_toprivate(&tuple->rdata, &rdata, privatetype,
-					 buf, sizeof(buf));
-
-		buf[2] |= DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
-
-		CHECK(rr_exists(db, ver, name, &rdata, &flag));
-		if (!flag) {
-			buf[2] &= ~DNS_NSEC3FLAG_NONSEC;
-			CHECK(rr_exists(db, ver, name, &rdata, &flag));
-		}
-
-		if (!flag) {
-			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
-						   name, 0, &rdata, &newtuple));
-			CHECK(do_one_tuple(&newtuple, db, ver, diff));
-		}
-		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
-					   ttl, &tuple->rdata, &newtuple));
-		CHECK(do_one_tuple(&newtuple, db, ver, diff));
-		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
-		dns_diff_appendminimal(diff, &tuple);
-		dns_rdata_reset(&rdata);
-	}
-
-	result = ISC_R_SUCCESS;
- failure:
-	dns_diff_clear(&temp_diff);
-	return (result);
-}
-
-static isc_result_t
-rollback_private(dns_db_t *db, dns_rdatatype_t privatetype,
-		 dns_dbversion_t *ver, dns_diff_t *diff)
-{
-	dns_diff_t temp_diff;
-	dns_diffop_t op;
-	dns_difftuple_t *tuple, *newtuple = NULL, *next;
-	dns_name_t *name = dns_db_origin(db);
-	isc_mem_t *mctx = diff->mctx;
-	isc_result_t result;
-
-	if (privatetype == 0)
-		return (ISC_R_SUCCESS);
-
-	dns_diff_init(mctx, &temp_diff);
-
-	/*
-	 * Extract the changes to be rolled back.
-	 */
-	for (tuple = ISC_LIST_HEAD(diff->tuples);
-	     tuple != NULL; tuple = next) {
-
-		next = ISC_LIST_NEXT(tuple, link);
-
-		if (tuple->rdata.type != privatetype ||
-		    !dns_name_equal(name, &tuple->name))
-			continue;
-
-		/*
-		 * Allow records which indicate that a zone has been
-		 * signed with a DNSKEY to be removed.
-		 */
-		if (tuple->op == DNS_DIFFOP_DEL &&
-		    tuple->rdata.length == 5 &&
-		    tuple->rdata.data[0] != 0 &&
-		    tuple->rdata.data[4] != 0)
-			continue;
-
-		ISC_LIST_UNLINK(diff->tuples, tuple, link);
-		ISC_LIST_PREPEND(temp_diff.tuples, tuple, link);
-	}
-
-	/*
-	 * Rollback the changes.
-	 */
-	while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL) {
-		op = (tuple->op == DNS_DIFFOP_DEL) ?
-		      DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
-		CHECK(dns_difftuple_create(mctx, op, name, tuple->ttl,
-					   &tuple->rdata, &newtuple));
-		CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
-	}
-	result = ISC_R_SUCCESS;
-
- failure:
-	dns_diff_clear(&temp_diff);
-	return (result);
-}
-
-/*
- * Add records to cause the delayed signing of the zone by added DNSKEY
- * to remove the RRSIG records generated by a deleted DNSKEY.
- */
-static isc_result_t
-add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
-		    dns_dbversion_t *ver, dns_diff_t *diff)
-{
-	dns_difftuple_t *tuple, *newtuple = NULL, *next;
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_boolean_t flag;
-	isc_region_t r;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_uint16_t keyid;
-	unsigned char buf[5];
-	dns_name_t *name = dns_db_origin(db);
-	dns_diff_t temp_diff;
-
-	dns_diff_init(diff->mctx, &temp_diff);
-
-	/*
-	 * Extract the DNSKEY tuples from the list.
-	 */
-	for (tuple = ISC_LIST_HEAD(diff->tuples);
-	     tuple != NULL; tuple = next) {
-
-		next = ISC_LIST_NEXT(tuple, link);
-
-		if (tuple->rdata.type != dns_rdatatype_dnskey)
-			continue;
-
-		ISC_LIST_UNLINK(diff->tuples, tuple, link);
-		ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
-	}
-
-	/*
-	 * Extract TTL changes pairs, we don't need signing records for these.
-	 */
-	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
-	     tuple != NULL; tuple = next) {
-		if (tuple->op == DNS_DIFFOP_ADD) {
-			/*
-			 * Walk the temp_diff list looking for the
-			 * corresponding delete.
-			 */
-			next = ISC_LIST_HEAD(temp_diff.tuples);
-			while (next != NULL) {
-				unsigned char *next_data = next->rdata.data;
-				unsigned char *tuple_data = tuple->rdata.data;
-				if (next->op == DNS_DIFFOP_DEL &&
-				    dns_name_equal(&tuple->name, &next->name) &&
-				    next->rdata.length == tuple->rdata.length &&
-				    !memcmp(next_data, tuple_data,
-					    next->rdata.length)) {
-					ISC_LIST_UNLINK(temp_diff.tuples, next,
-							link);
-					ISC_LIST_APPEND(diff->tuples, next,
-							link);
-					break;
-				}
-				next = ISC_LIST_NEXT(next, link);
-			}
-			/*
-			 * If we have not found a pair move onto the next
-			 * tuple.
-			 */
-			if (next == NULL) {
-				next = ISC_LIST_NEXT(tuple, link);
-				continue;
-			}
-			/*
-			 * Find the next tuple to be processed before
-			 * unlinking then complete moving the pair to 'diff'.
-			 */
-			next = ISC_LIST_NEXT(tuple, link);
-			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
-			ISC_LIST_APPEND(diff->tuples, tuple, link);
-		} else
-			next = ISC_LIST_NEXT(tuple, link);
-	}
-
-	/*
-	 * Process the remaining DNSKEY entries.
-	 */
-	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
-	     tuple != NULL;
-	     tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
-
-		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
-		ISC_LIST_APPEND(diff->tuples, tuple, link);
-
-		result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		if ((dnskey.flags &
-		     (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
-			 != DNS_KEYOWNER_ZONE)
-			continue;
-
-		dns_rdata_toregion(&tuple->rdata, &r);
-
-		keyid = dst_region_computeid(&r, dnskey.algorithm);
-
-		buf[0] = dnskey.algorithm;
-		buf[1] = (keyid & 0xff00) >> 8;
-		buf[2] = (keyid & 0xff);
-		buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
-		buf[4] = 0;
-		rdata.data = buf;
-		rdata.length = sizeof(buf);
-		rdata.type = privatetype;
-		rdata.rdclass = tuple->rdata.rdclass;
-
-		CHECK(rr_exists(db, ver, name, &rdata, &flag));
-		if (flag)
-			continue;
-		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
-					   name, 0, &rdata, &newtuple));
-		CHECK(do_one_tuple(&newtuple, db, ver, diff));
-		INSIST(newtuple == NULL);
-		/*
-		 * Remove any record which says this operation has already
-		 * completed.
-		 */
-		buf[4] = 1;
-		CHECK(rr_exists(db, ver, name, &rdata, &flag));
-		if (flag) {
-			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
-						   name, 0, &rdata, &newtuple));
-			CHECK(do_one_tuple(&newtuple, db, ver, diff));
-			INSIST(newtuple == NULL);
-		}
-	}
-
- failure:
-	dns_diff_clear(&temp_diff);
-	return (result);
-}
-
-static isc_boolean_t
-isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
-	isc_result_t result;
-	isc_boolean_t build_nsec, build_nsec3;
-
-	if (dns_db_issecure(db))
-		return (ISC_TRUE);
-
-	result = dns_private_chains(db, ver, privatetype,
-				    &build_nsec, &build_nsec3);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	return (build_nsec || build_nsec3);
-}
-
-static void
-update_action(isc_task_t *task, isc_event_t *event) {
-	update_event_t *uev = (update_event_t *) event;
-	dns_zone_t *zone = uev->zone;
-	ns_client_t *client = (ns_client_t *)event->ev_arg;
-
-	isc_result_t result;
-	dns_db_t *db = NULL;
-	dns_dbversion_t *oldver = NULL;
-	dns_dbversion_t *ver = NULL;
-	dns_diff_t diff;	/* Pending updates. */
-	dns_diff_t temp;	/* Pending RR existence assertions. */
-	isc_boolean_t soa_serial_changed = ISC_FALSE;
-	isc_mem_t *mctx = client->mctx;
-	dns_rdatatype_t covers;
-	dns_message_t *request = client->message;
-	dns_rdataclass_t zoneclass;
-	dns_name_t *zonename;
-	dns_ssutable_t *ssutable = NULL;
-	dns_fixedname_t tmpnamefixed;
-	dns_name_t *tmpname = NULL;
-	unsigned int options;
-	dns_difftuple_t *tuple;
-	dns_rdata_dnskey_t dnskey;
-	isc_boolean_t had_dnskey;
-	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
-
-	INSIST(event->ev_type == DNS_EVENT_UPDATE);
-
-	dns_diff_init(mctx, &diff);
-	dns_diff_init(mctx, &temp);
-
-	CHECK(dns_zone_getdb(zone, &db));
-	zonename = dns_db_origin(db);
-	zoneclass = dns_db_class(db);
-	dns_zone_getssutable(zone, &ssutable);
-
-	/*
-	 * Update message processing can leak record existance information
-	 * so check that we are allowed to query this zone.  Additionally
-	 * if we would refuse all updates for this zone we bail out here.
-	 */
-	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
-			    dns_zone_getupdateacl(zone), ssutable));
-
-	/*
-	 * Get old and new versions now that queryacl has been checked.
-	 */
-	dns_db_currentversion(db, &oldver);
-	CHECK(dns_db_newversion(db, &ver));
-
-	/*
-	 * Check prerequisites.
-	 */
-
-	for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE))
-	{
-		dns_name_t *name = NULL;
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_ttl_t ttl;
-		dns_rdataclass_t update_class;
-		isc_boolean_t flag;
-
-		get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass,
-			       &name, &rdata, &covers, &ttl, &update_class);
-
-		if (ttl != 0)
-			PREREQFAILC(DNS_R_FORMERR,
-				    "prerequisite TTL is not zero");
-
-		if (! dns_name_issubdomain(name, zonename))
-			PREREQFAILN(DNS_R_NOTZONE, name,
-				    "prerequisite name is out of zone");
-
-		if (update_class == dns_rdataclass_any) {
-			if (rdata.length != 0)
-				PREREQFAILC(DNS_R_FORMERR,
-				      "class ANY prerequisite "
-				      "RDATA is not empty");
-			if (rdata.type == dns_rdatatype_any) {
-				CHECK(name_exists(db, ver, name, &flag));
-				if (! flag) {
-					PREREQFAILN(DNS_R_NXDOMAIN, name,
-						    "'name in use' "
-						    "prerequisite not "
-						    "satisfied");
-				}
-			} else {
-				CHECK(rrset_exists(db, ver, name,
-						   rdata.type, covers, &flag));
-				if (! flag) {
-					/* RRset does not exist. */
-					PREREQFAILNT(DNS_R_NXRRSET, name, rdata.type,
-					"'rrset exists (value independent)' "
-					"prerequisite not satisfied");
-				}
-			}
-		} else if (update_class == dns_rdataclass_none) {
-			if (rdata.length != 0)
-				PREREQFAILC(DNS_R_FORMERR,
-					    "class NONE prerequisite "
-					    "RDATA is not empty");
-			if (rdata.type == dns_rdatatype_any) {
-				CHECK(name_exists(db, ver, name, &flag));
-				if (flag) {
-					PREREQFAILN(DNS_R_YXDOMAIN, name,
-						    "'name not in use' "
-						    "prerequisite not "
-						    "satisfied");
-				}
-			} else {
-				CHECK(rrset_exists(db, ver, name,
-						   rdata.type, covers, &flag));
-				if (flag) {
-					/* RRset exists. */
-					PREREQFAILNT(DNS_R_YXRRSET, name,
-						     rdata.type,
-						     "'rrset does not exist' "
-						     "prerequisite not "
-						     "satisfied");
-				}
-			}
-		} else if (update_class == zoneclass) {
-			/* "temp<rr.name, rr.type> += rr;" */
-			result = temp_append(&temp, name, &rdata);
-			if (result != ISC_R_SUCCESS) {
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "temp entry creation failed: %s",
-						 dns_result_totext(result));
-				FAIL(ISC_R_UNEXPECTED);
-			}
-		} else {
-			PREREQFAILC(DNS_R_FORMERR, "malformed prerequisite");
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		FAIL(result);
-
-	/*
-	 * Perform the final check of the "rrset exists (value dependent)"
-	 * prerequisites.
-	 */
-	if (ISC_LIST_HEAD(temp.tuples) != NULL) {
-		dns_rdatatype_t type;
-
-		/*
-		 * Sort the prerequisite records by owner name,
-		 * type, and rdata.
-		 */
-		result = dns_diff_sort(&temp, temp_order);
-		if (result != ISC_R_SUCCESS)
-			FAILC(result, "'RRset exists (value dependent)' "
-			      "prerequisite not satisfied");
-
-		dns_fixedname_init(&tmpnamefixed);
-		tmpname = dns_fixedname_name(&tmpnamefixed);
-		result = temp_check(mctx, &temp, db, ver, tmpname, &type);
-		if (result != ISC_R_SUCCESS)
-			FAILNT(result, tmpname, type,
-			       "'RRset exists (value dependent)' "
-			       "prerequisite not satisfied");
-	}
-
-	update_log(client, zone, LOGLEVEL_DEBUG,
-		   "prerequisites are OK");
-
-	/*
-	 * Check Requestor's Permissions.  It seems a bit silly to do this
-	 * only after prerequisite testing, but that is what RFC2136 says.
-	 */
-	if (ssutable == NULL)
-		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
-				     "update", zonename, ISC_FALSE, ISC_FALSE));
-	else if (client->signer == NULL && !TCPCLIENT(client))
-		CHECK(checkupdateacl(client, NULL, "update", zonename,
-				     ISC_FALSE, ISC_TRUE));
-
-	if (dns_zone_getupdatedisabled(zone))
-		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
-				     "because the zone is frozen.  Use "
-				     "'rndc thaw' to re-enable updates.");
-
-	/*
-	 * Perform the Update Section Prescan.
-	 */
-
-	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
-	{
-		dns_name_t *name = NULL;
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_ttl_t ttl;
-		dns_rdataclass_t update_class;
-		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
-			       &name, &rdata, &covers, &ttl, &update_class);
-
-		if (! dns_name_issubdomain(name, zonename))
-			FAILC(DNS_R_NOTZONE,
-			      "update RR is outside zone");
-		if (update_class == zoneclass) {
-			/*
-			 * Check for meta-RRs.  The RFC2136 pseudocode says
-			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
-			 * "or any other QUERY metatype"
-			 */
-			if (dns_rdatatype_ismeta(rdata.type)) {
-				FAILC(DNS_R_FORMERR,
-				      "meta-RR in update");
-			}
-			result = dns_zone_checknames(zone, name, &rdata);
-			if (result != ISC_R_SUCCESS)
-				FAIL(DNS_R_REFUSED);
-		} else if (update_class == dns_rdataclass_any) {
-			if (ttl != 0 || rdata.length != 0 ||
-			    (dns_rdatatype_ismeta(rdata.type) &&
-			     rdata.type != dns_rdatatype_any))
-				FAILC(DNS_R_FORMERR,
-				      "meta-RR in update");
-		} else if (update_class == dns_rdataclass_none) {
-			if (ttl != 0 ||
-			    dns_rdatatype_ismeta(rdata.type))
-				FAILC(DNS_R_FORMERR,
-				      "meta-RR in update");
-		} else {
-			update_log(client, zone, ISC_LOG_WARNING,
-				   "update RR has incorrect class %d",
-				   update_class);
-			FAIL(DNS_R_FORMERR);
-		}
-
-		/*
-		 * draft-ietf-dnsind-simple-secure-update-01 says
-		 * "Unlike traditional dynamic update, the client
-		 * is forbidden from updating NSEC records."
-		 */
-		if (rdata.type == dns_rdatatype_nsec3) {
-			FAILC(DNS_R_REFUSED,
-			      "explicit NSEC3 updates are not allowed "
-			      "in secure zones");
-		} else if (rdata.type == dns_rdatatype_nsec) {
-			FAILC(DNS_R_REFUSED,
-			      "explicit NSEC updates are not allowed "
-			      "in secure zones");
-		} else if (rdata.type == dns_rdatatype_rrsig &&
-			   !dns_name_equal(name, zonename)) {
-			FAILC(DNS_R_REFUSED,
-			      "explicit RRSIG updates are currently "
-			      "not supported in secure zones except "
-			      "at the apex");
-		}
-
-		if (ssutable != NULL) {
-			isc_netaddr_t *tcpaddr, netaddr;
-			dst_key_t *tsigkey = NULL;
-			/*
-			 * If this is a TCP connection then pass the
-			 * address of the client through for tcp-self
-			 * and 6to4-self otherwise pass NULL.  This
-			 * provides weak address based authentication.
-			 */
-			if (TCPCLIENT(client)) {
-				isc_netaddr_fromsockaddr(&netaddr,
-							 &client->peeraddr);
-				tcpaddr = &netaddr;
-			} else
-				tcpaddr = NULL;
-
-			if (client->message->tsigkey != NULL)
-				tsigkey = client->message->tsigkey->key;
-
-			if (rdata.type != dns_rdatatype_any) {
-				if (!dns_ssutable_checkrules(ssutable,
-							     client->signer,
-							     name, tcpaddr,
-							     rdata.type,
-							     tsigkey))
-					FAILC(DNS_R_REFUSED,
-					      "rejected by secure update");
-			} else {
-				if (!ssu_checkall(db, ver, name, ssutable,
-						  client->signer, tcpaddr,
-						  tsigkey))
-					FAILC(DNS_R_REFUSED,
-					      "rejected by secure update");
-			}
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		FAIL(result);
-
-	update_log(client, zone, LOGLEVEL_DEBUG,
-		   "update section prescan OK");
-
-	/*
-	 * Process the Update Section.
-	 */
-
-	options = dns_zone_getoptions(zone);
-	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
-	{
-		dns_name_t *name = NULL;
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_ttl_t ttl;
-		dns_rdataclass_t update_class;
-		isc_boolean_t flag;
-
-		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
-			       &name, &rdata, &covers, &ttl, &update_class);
-
-		if (update_class == zoneclass) {
-
-			/*
-			 * RFC1123 doesn't allow MF and MD in master zones.				 */
-			if (rdata.type == dns_rdatatype_md ||
-			    rdata.type == dns_rdatatype_mf) {
-				char typebuf[DNS_RDATATYPE_FORMATSIZE];
-
-				dns_rdatatype_format(rdata.type, typebuf,
-						     sizeof(typebuf));
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "attempt to add %s ignored",
-					   typebuf);
-				continue;
-			}
-			if ((rdata.type == dns_rdatatype_ns ||
-			     rdata.type == dns_rdatatype_dname) &&
-			    dns_name_iswildcard(name)) {
-				char typebuf[DNS_RDATATYPE_FORMATSIZE];
-
-				dns_rdatatype_format(rdata.type, typebuf,
-						     sizeof(typebuf));
-				update_log(client, zone,
-					   LOGLEVEL_PROTOCOL,
-					   "attempt to add wildcard %s record "
-					   "ignored", typebuf);
-				continue;
-			}
-			if (rdata.type == dns_rdatatype_cname) {
-				CHECK(cname_incompatible_rrset_exists(db, ver,
-								      name,
-								      &flag));
-				if (flag) {
-					update_log(client, zone,
-						   LOGLEVEL_PROTOCOL,
-						   "attempt to add CNAME "
-						   "alongside non-CNAME "
-						   "ignored");
-					continue;
-				}
-			} else {
-				CHECK(rrset_exists(db, ver, name,
-						   dns_rdatatype_cname, 0,
-						   &flag));
-				if (flag &&
-				    ! dns_rdatatype_isdnssec(rdata.type))
-				{
-					update_log(client, zone,
-						   LOGLEVEL_PROTOCOL,
-						   "attempt to add non-CNAME "
-						   "alongside CNAME ignored");
-					continue;
-				}
-			}
-			if (rdata.type == dns_rdatatype_soa) {
-				isc_boolean_t ok;
-				CHECK(rrset_exists(db, ver, name,
-						   dns_rdatatype_soa, 0,
-						   &flag));
-				if (! flag) {
-					update_log(client, zone,
-						   LOGLEVEL_PROTOCOL,
-						   "attempt to create 2nd "
-						   "SOA ignored");
-					continue;
-				}
-				CHECK(check_soa_increment(db, ver, &rdata,
-							  &ok));
-				if (! ok) {
-					update_log(client, zone,
-						   LOGLEVEL_PROTOCOL,
-						   "SOA update failed to "
-						   "increment serial, "
-						   "ignoring it");
-					continue;
-				}
-				soa_serial_changed = ISC_TRUE;
-			}
-
-			if (rdata.type == privatetype) {
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "attempt to add a private type "
-					   "(%u) record rejected internal "
-					   "use only", privatetype);
-				continue;
-			}
-
-			if (rdata.type == dns_rdatatype_nsec3param) {
-				/*
-				 * Ignore attempts to add NSEC3PARAM records
-				 * with any flags other than OPTOUT.
-				 */
-				if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
-					update_log(client, zone,
-						   LOGLEVEL_PROTOCOL,
-						   "attempt to add NSEC3PARAM "
-						   "record with non OPTOUT "
-						   "flag");
-					continue;
-				}
-			}
-
-			if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
-			    dns_name_internalwildcard(name)) {
-				char namestr[DNS_NAME_FORMATSIZE];
-				dns_name_format(name, namestr,
-						sizeof(namestr));
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "warning: ownername '%s' contains "
-					   "a non-terminal wildcard", namestr);
-			}
-
-			if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {
-				char namestr[DNS_NAME_FORMATSIZE];
-				char typestr[DNS_RDATATYPE_FORMATSIZE];
-				dns_name_format(name, namestr,
-						sizeof(namestr));
-				dns_rdatatype_format(rdata.type, typestr,
-						     sizeof(typestr));
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "adding an RR at '%s' %s",
-					   namestr, typestr);
-			}
-
-			/* Prepare the affected RRset for the addition. */
-			{
-				add_rr_prepare_ctx_t ctx;
-				ctx.db = db;
-				ctx.ver = ver;
-				ctx.diff = &diff;
-				ctx.name = name;
-				ctx.update_rr = &rdata;
-				ctx.update_rr_ttl = ttl;
-				ctx.ignore_add = ISC_FALSE;
-				dns_diff_init(mctx, &ctx.del_diff);
-				dns_diff_init(mctx, &ctx.add_diff);
-				CHECK(foreach_rr(db, ver, name, rdata.type,
-						 covers, add_rr_prepare_action,
-						 &ctx));
-
-				if (ctx.ignore_add) {
-					dns_diff_clear(&ctx.del_diff);
-					dns_diff_clear(&ctx.add_diff);
-				} else {
-					CHECK(do_diff(&ctx.del_diff, db, ver,
-						      &diff));
-					CHECK(do_diff(&ctx.add_diff, db, ver,
-						      &diff));
-					CHECK(update_one_rr(db, ver, &diff,
-							    DNS_DIFFOP_ADD,
-							    name, ttl, &rdata));
-				}
-			}
-		} else if (update_class == dns_rdataclass_any) {
-			if (rdata.type == dns_rdatatype_any) {
-				if (isc_log_wouldlog(ns_g_lctx,
-						     LOGLEVEL_PROTOCOL))
-				{
-					char namestr[DNS_NAME_FORMATSIZE];
-					dns_name_format(name, namestr,
-							sizeof(namestr));
-					update_log(client, zone,
-						   LOGLEVEL_PROTOCOL,
-						   "delete all rrsets from "
-						   "name '%s'", namestr);
-				}
-				if (dns_name_equal(name, zonename)) {
-					CHECK(delete_if(type_not_soa_nor_ns_p,
-							db, ver, name,
-							dns_rdatatype_any, 0,
-							&rdata, &diff));
-				} else {
-					CHECK(delete_if(type_not_dnssec,
-							db, ver, name,
-							dns_rdatatype_any, 0,
-							&rdata, &diff));
-				}
-			} else if (dns_name_equal(name, zonename) &&
-				   (rdata.type == dns_rdatatype_soa ||
-				    rdata.type == dns_rdatatype_ns)) {
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "attempt to delete all SOA "
-					   "or NS records ignored");
-				continue;
-			} else {
-				if (isc_log_wouldlog(ns_g_lctx,
-						     LOGLEVEL_PROTOCOL))
-				{
-					char namestr[DNS_NAME_FORMATSIZE];
-					char typestr[DNS_RDATATYPE_FORMATSIZE];
-					dns_name_format(name, namestr,
-							sizeof(namestr));
-					dns_rdatatype_format(rdata.type,
-							     typestr,
-							     sizeof(typestr));
-					update_log(client, zone,
-						   LOGLEVEL_PROTOCOL,
-						   "deleting rrset at '%s' %s",
-						   namestr, typestr);
-				}
-				CHECK(delete_if(true_p, db, ver, name,
-						rdata.type, covers, &rdata,
-						&diff));
-			}
-		} else if (update_class == dns_rdataclass_none) {
-			char namestr[DNS_NAME_FORMATSIZE];
-			char typestr[DNS_RDATATYPE_FORMATSIZE];
-
-			/*
-			 * The (name == zonename) condition appears in
-			 * RFC2136 3.4.2.4 but is missing from the pseudocode.
-			 */
-			if (dns_name_equal(name, zonename)) {
-				if (rdata.type == dns_rdatatype_soa) {
-					update_log(client, zone,
-						   LOGLEVEL_PROTOCOL,
-						   "attempt to delete SOA "
-						   "ignored");
-					continue;
-				}
-				if (rdata.type == dns_rdatatype_ns) {
-					int count;
-					CHECK(rr_count(db, ver, name,
-						       dns_rdatatype_ns,
-						       0, &count));
-					if (count == 1) {
-						update_log(client, zone,
-							   LOGLEVEL_PROTOCOL,
-							   "attempt to "
-							   "delete last "
-							   "NS ignored");
-						continue;
-					}
-				}
-			}
-			dns_name_format(name, namestr, sizeof(namestr));
-			dns_rdatatype_format(rdata.type, typestr,
-					     sizeof(typestr));
-			update_log(client, zone, LOGLEVEL_PROTOCOL,
-				   "deleting an RR at %s %s", namestr, typestr);
-			CHECK(delete_if(rr_equal_p, db, ver, name, rdata.type,
-					covers, &rdata, &diff));
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		FAIL(result);
-
-	/*
-	 * Check that any changes to DNSKEY/NSEC3PARAM records make sense.
-	 * If they don't then back out all changes to DNSKEY/NSEC3PARAM
-	 * records.
-	 */
-	if (! ISC_LIST_EMPTY(diff.tuples))
-		CHECK(check_dnssec(client, zone, db, ver, &diff));
-
-	if (! ISC_LIST_EMPTY(diff.tuples)) {
-		unsigned int errors = 0;
-		CHECK(dns_zone_nscheck(zone, db, ver, &errors));
-		if (errors != 0) {
-			update_log(client, zone, LOGLEVEL_PROTOCOL,
-				   "update rejected: post update name server "
-				   "sanity check failed");
-			result = DNS_R_REFUSED;
-			goto failure;
-		}
-	}
-
-	/*
-	 * If any changes were made, increment the SOA serial number,
-	 * update RRSIGs and NSECs (if zone is secure), and write the update
-	 * to the journal.
-	 */
-	if (! ISC_LIST_EMPTY(diff.tuples)) {
-		char *journalfile;
-		dns_journal_t *journal;
-		isc_boolean_t has_dnskey;
-
-		/*
-		 * Increment the SOA serial, but only if it was not
-		 * changed as a result of an update operation.
-		 */
-		if (! soa_serial_changed) {
-			CHECK(update_soa_serial(db, ver, &diff, mctx,
-				       dns_zone_getserialupdatemethod(zone)));
-		}
-
-		CHECK(check_mx(client, zone, db, ver, &diff));
-
-		CHECK(remove_orphaned_ds(db, ver, &diff));
-
-		CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
-				   0, &has_dnskey));
-
-#define ALLOW_SECURE_TO_INSECURE(zone) \
-	((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0)
-
-		if (!ALLOW_SECURE_TO_INSECURE(zone)) {
-			CHECK(rrset_exists(db, oldver, zonename,
-					   dns_rdatatype_dnskey, 0,
-					   &had_dnskey));
-			if (had_dnskey && !has_dnskey) {
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "update rejected: all DNSKEY "
-					   "records removed and "
-					   "'dnssec-secure-to-insecure' "
-					   "not set");
-				result = DNS_R_REFUSED;
-				goto failure;
-			}
-		}
-
-		CHECK(rollback_private(db, privatetype, ver, &diff));
-
-		CHECK(add_signing_records(db, privatetype, ver, &diff));
-
-		CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
-
-		if (had_dnskey && !has_dnskey) {
-			/*
-			 * We are transitioning from secure to insecure.
-			 * Cause all NSEC3 chains to be deleted.  When the
-			 * the last signature for the DNSKEY records are
-			 * remove any NSEC chain present will also be removed.
-			 */
-			 CHECK(dns_nsec3param_deletechains(db, ver, zone,
-							   ISC_TRUE, &diff));
-		} else if (has_dnskey && isdnssec(db, ver, privatetype)) {
-			isc_uint32_t interval;
-			dns_update_log_t log;
-
-			interval = dns_zone_getsigvalidityinterval(zone);
-			log.func = update_log_cb;
-			log.arg = client;
-			result = dns_update_signatures(&log, zone, db, oldver,
-						       ver, &diff, interval);
-
-			if (result != ISC_R_SUCCESS) {
-				update_log(client, zone,
-					   ISC_LOG_ERROR,
-					   "RRSIG/NSEC/NSEC3 update failed: %s",
-					   isc_result_totext(result));
-				goto failure;
-			}
-		}
-
-		journalfile = dns_zone_getjournal(zone);
-		if (journalfile != NULL) {
-			update_log(client, zone, LOGLEVEL_DEBUG,
-				   "writing journal %s", journalfile);
-
-			journal = NULL;
-			result = dns_journal_open(mctx, journalfile,
-						  DNS_JOURNAL_CREATE, &journal);
-			if (result != ISC_R_SUCCESS)
-				FAILS(result, "journal open failed");
-
-			result = dns_journal_write_transaction(journal, &diff);
-			if (result != ISC_R_SUCCESS) {
-				dns_journal_destroy(&journal);
-				FAILS(result, "journal write failed");
-			}
-
-			dns_journal_destroy(&journal);
-		}
-
-		/*
-		 * XXXRTH  Just a note that this committing code will have
-		 *	   to change to handle databases that need two-phase
-		 *	   commit, but this isn't a priority.
-		 */
-		update_log(client, zone, LOGLEVEL_DEBUG,
-			   "committing update transaction");
-
-		dns_db_closeversion(db, &ver, ISC_TRUE);
-
-		/*
-		 * Mark the zone as dirty so that it will be written to disk.
-		 */
-		dns_zone_markdirty(zone);
-
-		/*
-		 * Notify slaves of the change we just made.
-		 */
-		dns_zone_notify(zone);
-
-		/*
-		 * Cause the zone to be signed with the key that we
-		 * have just added or have the corresponding signatures
-		 * deleted.
-		 *
-		 * Note: we are already committed to this course of action.
-		 */
-		for (tuple = ISC_LIST_HEAD(diff.tuples);
-		     tuple != NULL;
-		     tuple = ISC_LIST_NEXT(tuple, link)) {
-			isc_region_t r;
-			dns_secalg_t algorithm;
-			isc_uint16_t keyid;
-
-			if (tuple->rdata.type != dns_rdatatype_dnskey)
-				continue;
-
-			dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
-			if ((dnskey.flags &
-			     (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
-				 != DNS_KEYOWNER_ZONE)
-				continue;
-
-			dns_rdata_toregion(&tuple->rdata, &r);
-			algorithm = dnskey.algorithm;
-			keyid = dst_region_computeid(&r, algorithm);
-
-			result = dns_zone_signwithkey(zone, algorithm, keyid,
-					ISC_TF(tuple->op == DNS_DIFFOP_DEL));
-			if (result != ISC_R_SUCCESS) {
-				update_log(client, zone, ISC_LOG_ERROR,
-					   "dns_zone_signwithkey failed: %s",
-					   dns_result_totext(result));
-			}
-		}
-
-		/*
-		 * Cause the zone to add/delete NSEC3 chains for the
-		 * deferred NSEC3PARAM changes.
-		 *
-		 * Note: we are already committed to this course of action.
-		 */
-		for (tuple = ISC_LIST_HEAD(diff.tuples);
-		     tuple != NULL;
-		     tuple = ISC_LIST_NEXT(tuple, link)) {
-			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-			dns_rdata_nsec3param_t nsec3param;
-
-			if (tuple->rdata.type != privatetype ||
-			    tuple->op != DNS_DIFFOP_ADD)
-				continue;
-
-			if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
-						   buf, sizeof(buf)))
-				continue;
-			dns_rdata_tostruct(&rdata, &nsec3param, NULL);
-			if (nsec3param.flags == 0)
-				continue;
-
-			result = dns_zone_addnsec3chain(zone, &nsec3param);
-			if (result != ISC_R_SUCCESS) {
-				update_log(client, zone, ISC_LOG_ERROR,
-					   "dns_zone_addnsec3chain failed: %s",
-					   dns_result_totext(result));
-			}
-		}
-	} else {
-		update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
-		dns_db_closeversion(db, &ver, ISC_TRUE);
-	}
-	result = ISC_R_SUCCESS;
-	goto common;
-
- failure:
-	/*
-	 * The reason for failure should have been logged at this point.
-	 */
-	if (ver != NULL) {
-		update_log(client, zone, LOGLEVEL_DEBUG,
-			   "rolling back");
-		dns_db_closeversion(db, &ver, ISC_FALSE);
-	}
-
- common:
-	dns_diff_clear(&temp);
-	dns_diff_clear(&diff);
-
-	if (oldver != NULL)
-		dns_db_closeversion(db, &oldver, ISC_FALSE);
-
-	if (db != NULL)
-		dns_db_detach(&db);
-
-	if (ssutable != NULL)
-		dns_ssutable_detach(&ssutable);
-
-	isc_task_detach(&task);
-	uev->result = result;
-	if (zone != NULL)
-		INSIST(uev->zone == zone); /* we use this later */
-	uev->ev_type = DNS_EVENT_UPDATEDONE;
-	uev->ev_action = updatedone_action;
-	isc_task_send(client->task, &event);
-	INSIST(event == NULL);
-}
-
-static void
-updatedone_action(isc_task_t *task, isc_event_t *event) {
-	update_event_t *uev = (update_event_t *) event;
-	ns_client_t *client = (ns_client_t *) event->ev_arg;
-
-	UNUSED(task);
-
-	INSIST(event->ev_type == DNS_EVENT_UPDATEDONE);
-	INSIST(task == client->task);
-
-	INSIST(client->nupdates > 0);
-	switch (uev->result) {
-	case ISC_R_SUCCESS:
-		inc_stats(uev->zone, dns_nsstatscounter_updatedone);
-		break;
-	case DNS_R_REFUSED:
-		inc_stats(uev->zone, dns_nsstatscounter_updaterej);
-		break;
-	default:
-		inc_stats(uev->zone, dns_nsstatscounter_updatefail);
-		break;
-	}
-	if (uev->zone != NULL)
-		dns_zone_detach(&uev->zone);
-	client->nupdates--;
-	respond(client, uev->result);
-	isc_event_free(&event);
-	ns_client_detach(&client);
-}
-
-/*%
- * Update forwarding support.
- */
-
-static void
-forward_fail(isc_task_t *task, isc_event_t *event) {
-	ns_client_t *client = (ns_client_t *)event->ev_arg;
-
-	UNUSED(task);
-
-	INSIST(client->nupdates > 0);
-	client->nupdates--;
-	respond(client, DNS_R_SERVFAIL);
-	isc_event_free(&event);
-	ns_client_detach(&client);
-}
-
-
-static void
-forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
-	update_event_t *uev = arg;
-	ns_client_t *client = uev->ev_arg;
-	dns_zone_t *zone = uev->zone;
-
-	if (result != ISC_R_SUCCESS) {
-		INSIST(answer == NULL);
-		uev->ev_type = DNS_EVENT_UPDATEDONE;
-		uev->ev_action = forward_fail;
-		inc_stats(zone, dns_nsstatscounter_updatefwdfail);
-	} else {
-		uev->ev_type = DNS_EVENT_UPDATEDONE;
-		uev->ev_action = forward_done;
-		uev->answer = answer;
-		inc_stats(zone, dns_nsstatscounter_updaterespfwd);
-	}
-	isc_task_send(client->task, ISC_EVENT_PTR(&uev));
-	dns_zone_detach(&zone);
-}
-
-static void
-forward_done(isc_task_t *task, isc_event_t *event) {
-	update_event_t *uev = (update_event_t *) event;
-	ns_client_t *client = (ns_client_t *)event->ev_arg;
-
-	UNUSED(task);
-
-	INSIST(client->nupdates > 0);
-	client->nupdates--;
-	ns_client_sendraw(client, uev->answer);
-	dns_message_destroy(&uev->answer);
-	isc_event_free(&event);
-	ns_client_detach(&client);
-}
-
-static void
-forward_action(isc_task_t *task, isc_event_t *event) {
-	update_event_t *uev = (update_event_t *) event;
-	dns_zone_t *zone = uev->zone;
-	ns_client_t *client = (ns_client_t *)event->ev_arg;
-	isc_result_t result;
-
-	result = dns_zone_forwardupdate(zone, client->message,
-					forward_callback, event);
-	if (result != ISC_R_SUCCESS) {
-		uev->ev_type = DNS_EVENT_UPDATEDONE;
-		uev->ev_action = forward_fail;
-		isc_task_send(client->task, &event);
-		inc_stats(zone, dns_nsstatscounter_updatefwdfail);
-		dns_zone_detach(&zone);
-	} else
-		inc_stats(zone, dns_nsstatscounter_updatereqfwd);
-	isc_task_detach(&task);
-}
-
-static isc_result_t
-send_forward_event(ns_client_t *client, dns_zone_t *zone) {
-	isc_result_t result = ISC_R_SUCCESS;
-	update_event_t *event = NULL;
-	isc_task_t *zonetask = NULL;
-	ns_client_t *evclient;
-
-	/*
-	 * This may take some time so replace this client.
-	 */
-	if (!client->mortal && (client->attributes & NS_CLIENTATTR_TCP) == 0)
-		CHECK(ns_client_replace(client));
-
-	event = (update_event_t *)
-		isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
-				   forward_action, NULL, sizeof(*event));
-	if (event == NULL)
-		FAIL(ISC_R_NOMEMORY);
-	event->zone = zone;
-	event->result = ISC_R_SUCCESS;
-
-	evclient = NULL;
-	ns_client_attach(client, &evclient);
-	INSIST(client->nupdates == 0);
-	client->nupdates++;
-	event->ev_arg = evclient;
-
-	dns_zone_gettask(zone, &zonetask);
-	isc_task_send(zonetask, ISC_EVENT_PTR(&event));
-
- failure:
-	if (event != NULL)
-		isc_event_free(ISC_EVENT_PTR(&event));
-	return (result);
-}
diff --git a/contrib/bind9/bin/named/xfrout.c b/contrib/bind9/bin/named/xfrout.c
deleted file mode 100644
index a0a617d..0000000
--- a/contrib/bind9/bin/named/xfrout.c
+++ /dev/null
@@ -1,1666 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <isc/formatcheck.h>
-#include <isc/mem.h>
-#include <isc/timer.h>
-#include <isc/print.h>
-#include <isc/stats.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/dlz.h>
-#include <dns/fixedname.h>
-#include <dns/journal.h>
-#include <dns/message.h>
-#include <dns/peer.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-#include <dns/rriterator.h>
-#include <dns/soa.h>
-#include <dns/stats.h>
-#include <dns/timer.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <named/client.h>
-#include <named/log.h>
-#include <named/server.h>
-#include <named/xfrout.h>
-
-/*! \file
- * \brief
- * Outgoing AXFR and IXFR.
- */
-
-/*
- * TODO:
- *  - IXFR over UDP
- */
-
-#define XFROUT_COMMON_LOGARGS \
-	ns_g_lctx, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT
-
-#define XFROUT_PROTOCOL_LOGARGS \
-	XFROUT_COMMON_LOGARGS, ISC_LOG_INFO
-
-#define XFROUT_DEBUG_LOGARGS(n) \
-	XFROUT_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
-
-#define XFROUT_RR_LOGARGS \
-	XFROUT_COMMON_LOGARGS, XFROUT_RR_LOGLEVEL
-
-#define XFROUT_RR_LOGLEVEL	ISC_LOG_DEBUG(8)
-
-/*%
- * Fail unconditionally and log as a client error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILC(code, msg) \
-	do {							\
-		result = (code);				\
-		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
-			   NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
-			   "bad zone transfer request: %s (%s)", \
-			   msg, isc_result_totext(code));	\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-#define FAILQ(code, msg, question, rdclass) \
-	do {							\
-		char _buf1[DNS_NAME_FORMATSIZE];		\
-		char _buf2[DNS_RDATACLASS_FORMATSIZE]; 		\
-		result = (code);				\
-		dns_name_format(question, _buf1, sizeof(_buf1));  \
-		dns_rdataclass_format(rdclass, _buf2, sizeof(_buf2)); \
-		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
-			   NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
-			   "bad zone transfer request: '%s/%s': %s (%s)", \
-			   _buf1, _buf2, msg, isc_result_totext(code));	\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-#define CHECK(op) \
-	do { result = (op); 					\
-		if (result != ISC_R_SUCCESS) goto failure; 	\
-	} while (0)
-
-/**************************************************************************/
-
-static inline void
-inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
-	isc_stats_increment(ns_g_server->nsstats, counter);
-	if (zone != NULL) {
-		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
-		if (zonestats != NULL)
-			isc_stats_increment(zonestats, counter);
-	}
-}
-
-/**************************************************************************/
-
-/*% Log an RR (for debugging) */
-
-static void
-log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
-	isc_result_t result;
-	isc_buffer_t buf;
-	char mem[2000];
-	dns_rdatalist_t rdl;
-	dns_rdataset_t rds;
-	dns_rdata_t rd = DNS_RDATA_INIT;
-
-	rdl.type = rdata->type;
-	rdl.rdclass = rdata->rdclass;
-	rdl.ttl = ttl;
-	if (rdata->type == dns_rdatatype_sig ||
-	    rdata->type == dns_rdatatype_rrsig)
-		rdl.covers = dns_rdata_covers(rdata);
-	else
-		rdl.covers = dns_rdatatype_none;
-	ISC_LIST_INIT(rdl.rdata);
-	ISC_LINK_INIT(&rdl, link);
-	dns_rdataset_init(&rds);
-	dns_rdata_init(&rd);
-	dns_rdata_clone(rdata, &rd);
-	ISC_LIST_APPEND(rdl.rdata, &rd, link);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(&rdl, &rds) == ISC_R_SUCCESS);
-
-	isc_buffer_init(&buf, mem, sizeof(mem));
-	result = dns_rdataset_totext(&rds, name,
-				     ISC_FALSE, ISC_FALSE, &buf);
-
-	/*
-	 * We could use xfrout_log(), but that would produce
-	 * very long lines with a repetitive prefix.
-	 */
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * Get rid of final newline.
-		 */
-		INSIST(buf.used >= 1 &&
-		       ((char *) buf.base)[buf.used - 1] == '\n');
-		buf.used--;
-
-		isc_log_write(XFROUT_RR_LOGARGS, "%.*s",
-			      (int)isc_buffer_usedlength(&buf),
-			      (char *)isc_buffer_base(&buf));
-	} else {
-		isc_log_write(XFROUT_RR_LOGARGS, "<RR too large to print>");
-	}
-}
-
-/**************************************************************************/
-/*
- * An 'rrstream_t' is a polymorphic iterator that returns
- * a stream of resource records.  There are multiple implementations,
- * e.g. for generating AXFR and IXFR records streams.
- */
-
-typedef struct rrstream_methods rrstream_methods_t;
-
-typedef struct rrstream {
-	isc_mem_t 		*mctx;
-	rrstream_methods_t	*methods;
-} rrstream_t;
-
-struct rrstream_methods {
-	isc_result_t 		(*first)(rrstream_t *);
-	isc_result_t 		(*next)(rrstream_t *);
-	void			(*current)(rrstream_t *,
-					   dns_name_t **,
-					   isc_uint32_t *,
-					   dns_rdata_t **);
-	void	 		(*pause)(rrstream_t *);
-	void 			(*destroy)(rrstream_t **);
-};
-
-static void
-rrstream_noop_pause(rrstream_t *rs) {
-	UNUSED(rs);
-}
-
-/**************************************************************************/
-/*
- * An 'ixfr_rrstream_t' is an 'rrstream_t' that returns
- * an IXFR-like RR stream from a journal file.
- *
- * The SOA at the beginning of each sequence of additions
- * or deletions are included in the stream, but the extra
- * SOAs at the beginning and end of the entire transfer are
- * not included.
- */
-
-typedef struct ixfr_rrstream {
-	rrstream_t		common;
-	dns_journal_t 		*journal;
-} ixfr_rrstream_t;
-
-/* Forward declarations. */
-static void
-ixfr_rrstream_destroy(rrstream_t **sp);
-
-static rrstream_methods_t ixfr_rrstream_methods;
-
-/*
- * Returns: anything dns_journal_open() or dns_journal_iter_init()
- * may return.
- */
-
-static isc_result_t
-ixfr_rrstream_create(isc_mem_t *mctx,
-		     const char *journal_filename,
-		     isc_uint32_t begin_serial,
-		     isc_uint32_t end_serial,
-		     rrstream_t **sp)
-{
-	ixfr_rrstream_t *s;
-	isc_result_t result;
-
-	INSIST(sp != NULL && *sp == NULL);
-
-	s = isc_mem_get(mctx, sizeof(*s));
-	if (s == NULL)
-		return (ISC_R_NOMEMORY);
-	s->common.mctx = NULL;
-	isc_mem_attach(mctx, &s->common.mctx);
-	s->common.methods = &ixfr_rrstream_methods;
-	s->journal = NULL;
-
-	CHECK(dns_journal_open(mctx, journal_filename,
-			       DNS_JOURNAL_READ, &s->journal));
-	CHECK(dns_journal_iter_init(s->journal, begin_serial, end_serial));
-
-	*sp = (rrstream_t *) s;
-	return (ISC_R_SUCCESS);
-
- failure:
-	ixfr_rrstream_destroy((rrstream_t **) (void *)&s);
-	return (result);
-}
-
-static isc_result_t
-ixfr_rrstream_first(rrstream_t *rs) {
-	ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
-	return (dns_journal_first_rr(s->journal));
-}
-
-static isc_result_t
-ixfr_rrstream_next(rrstream_t *rs) {
-	ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
-	return (dns_journal_next_rr(s->journal));
-}
-
-static void
-ixfr_rrstream_current(rrstream_t *rs,
-		       dns_name_t **name, isc_uint32_t *ttl,
-		       dns_rdata_t **rdata)
-{
-	ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
-	dns_journal_current_rr(s->journal, name, ttl, rdata);
-}
-
-static void
-ixfr_rrstream_destroy(rrstream_t **rsp) {
-	ixfr_rrstream_t *s = (ixfr_rrstream_t *) *rsp;
-	if (s->journal != 0)
-		dns_journal_destroy(&s->journal);
-	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t ixfr_rrstream_methods = {
-	ixfr_rrstream_first,
-	ixfr_rrstream_next,
-	ixfr_rrstream_current,
-	rrstream_noop_pause,
-	ixfr_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * An 'axfr_rrstream_t' is an 'rrstream_t' that returns
- * an AXFR-like RR stream from a database.
- *
- * The SOAs at the beginning and end of the transfer are
- * not included in the stream.
- */
-
-typedef struct axfr_rrstream {
-	rrstream_t		common;
-	dns_rriterator_t	it;
-	isc_boolean_t		it_valid;
-} axfr_rrstream_t;
-
-/*
- * Forward declarations.
- */
-static void
-axfr_rrstream_destroy(rrstream_t **rsp);
-
-static rrstream_methods_t axfr_rrstream_methods;
-
-static isc_result_t
-axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
-		     rrstream_t **sp)
-{
-	axfr_rrstream_t *s;
-	isc_result_t result;
-
-	INSIST(sp != NULL && *sp == NULL);
-
-	s = isc_mem_get(mctx, sizeof(*s));
-	if (s == NULL)
-		return (ISC_R_NOMEMORY);
-	s->common.mctx = NULL;
-	isc_mem_attach(mctx, &s->common.mctx);
-	s->common.methods = &axfr_rrstream_methods;
-	s->it_valid = ISC_FALSE;
-
-	CHECK(dns_rriterator_init(&s->it, db, ver, 0));
-	s->it_valid = ISC_TRUE;
-
-	*sp = (rrstream_t *) s;
-	return (ISC_R_SUCCESS);
-
- failure:
-	axfr_rrstream_destroy((rrstream_t **) (void *)&s);
-	return (result);
-}
-
-static isc_result_t
-axfr_rrstream_first(rrstream_t *rs) {
-	axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
-	isc_result_t result;
-	result = dns_rriterator_first(&s->it);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	/* Skip SOA records. */
-	for (;;) {
-		dns_name_t *name_dummy = NULL;
-		isc_uint32_t ttl_dummy;
-		dns_rdata_t *rdata = NULL;
-		dns_rriterator_current(&s->it, &name_dummy,
-				       &ttl_dummy, NULL, &rdata);
-		if (rdata->type != dns_rdatatype_soa)
-			break;
-		result = dns_rriterator_next(&s->it);
-		if (result != ISC_R_SUCCESS)
-			break;
-	}
-	return (result);
-}
-
-static isc_result_t
-axfr_rrstream_next(rrstream_t *rs) {
-	axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
-	isc_result_t result;
-
-	/* Skip SOA records. */
-	for (;;) {
-		dns_name_t *name_dummy = NULL;
-		isc_uint32_t ttl_dummy;
-		dns_rdata_t *rdata = NULL;
-		result = dns_rriterator_next(&s->it);
-		if (result != ISC_R_SUCCESS)
-			break;
-		dns_rriterator_current(&s->it, &name_dummy,
-				       &ttl_dummy, NULL, &rdata);
-		if (rdata->type != dns_rdatatype_soa)
-			break;
-	}
-	return (result);
-}
-
-static void
-axfr_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
-		      dns_rdata_t **rdata)
-{
-	axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
-	dns_rriterator_current(&s->it, name, ttl, NULL, rdata);
-}
-
-static void
-axfr_rrstream_pause(rrstream_t *rs) {
-	axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
-	dns_rriterator_pause(&s->it);
-}
-
-static void
-axfr_rrstream_destroy(rrstream_t **rsp) {
-	axfr_rrstream_t *s = (axfr_rrstream_t *) *rsp;
-	if (s->it_valid)
-		dns_rriterator_destroy(&s->it);
-	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t axfr_rrstream_methods = {
-	axfr_rrstream_first,
-	axfr_rrstream_next,
-	axfr_rrstream_current,
-	axfr_rrstream_pause,
-	axfr_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * An 'soa_rrstream_t' is a degenerate 'rrstream_t' that returns
- * a single SOA record.
- */
-
-typedef struct soa_rrstream {
-	rrstream_t		common;
-	dns_difftuple_t 	*soa_tuple;
-} soa_rrstream_t;
-
-/*
- * Forward declarations.
- */
-static void
-soa_rrstream_destroy(rrstream_t **rsp);
-
-static rrstream_methods_t soa_rrstream_methods;
-
-static isc_result_t
-soa_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
-		    rrstream_t **sp)
-{
-	soa_rrstream_t *s;
-	isc_result_t result;
-
-	INSIST(sp != NULL && *sp == NULL);
-
-	s = isc_mem_get(mctx, sizeof(*s));
-	if (s == NULL)
-		return (ISC_R_NOMEMORY);
-	s->common.mctx = NULL;
-	isc_mem_attach(mctx, &s->common.mctx);
-	s->common.methods = &soa_rrstream_methods;
-	s->soa_tuple = NULL;
-
-	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
-				    &s->soa_tuple));
-
-	*sp = (rrstream_t *) s;
-	return (ISC_R_SUCCESS);
-
- failure:
-	soa_rrstream_destroy((rrstream_t **) (void *)&s);
-	return (result);
-}
-
-static isc_result_t
-soa_rrstream_first(rrstream_t *rs) {
-	UNUSED(rs);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-soa_rrstream_next(rrstream_t *rs) {
-	UNUSED(rs);
-	return (ISC_R_NOMORE);
-}
-
-static void
-soa_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
-		     dns_rdata_t **rdata)
-{
-	soa_rrstream_t *s = (soa_rrstream_t *) rs;
-	*name = &s->soa_tuple->name;
-	*ttl = s->soa_tuple->ttl;
-	*rdata = &s->soa_tuple->rdata;
-}
-
-static void
-soa_rrstream_destroy(rrstream_t **rsp) {
-	soa_rrstream_t *s = (soa_rrstream_t *) *rsp;
-	if (s->soa_tuple != NULL)
-		dns_difftuple_free(&s->soa_tuple);
-	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t soa_rrstream_methods = {
-	soa_rrstream_first,
-	soa_rrstream_next,
-	soa_rrstream_current,
-	rrstream_noop_pause,
-	soa_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * A 'compound_rrstream_t' objects owns a soa_rrstream
- * and another rrstream, the "data stream".  It returns
- * a concatenated stream consisting of the soa_rrstream, then
- * the data stream, then the soa_rrstream again.
- *
- * The component streams are owned by the compound_rrstream_t
- * and are destroyed with it.
- */
-
-typedef struct compound_rrstream {
-	rrstream_t		common;
-	rrstream_t		*components[3];
-	int			state;
-	isc_result_t		result;
-} compound_rrstream_t;
-
-/*
- * Forward declarations.
- */
-static void
-compound_rrstream_destroy(rrstream_t **rsp);
-
-static isc_result_t
-compound_rrstream_next(rrstream_t *rs);
-
-static rrstream_methods_t compound_rrstream_methods;
-
-/*
- * Requires:
- *	soa_stream != NULL && *soa_stream != NULL
- *	data_stream != NULL && *data_stream != NULL
- *	sp != NULL && *sp == NULL
- *
- * Ensures:
- *	*soa_stream == NULL
- *	*data_stream == NULL
- *	*sp points to a valid compound_rrstream_t
- *	The soa and data streams will be destroyed
- *	when the compound_rrstream_t is destroyed.
- */
-static isc_result_t
-compound_rrstream_create(isc_mem_t *mctx, rrstream_t **soa_stream,
-			 rrstream_t **data_stream, rrstream_t **sp)
-{
-	compound_rrstream_t *s;
-
-	INSIST(sp != NULL && *sp == NULL);
-
-	s = isc_mem_get(mctx, sizeof(*s));
-	if (s == NULL)
-		return (ISC_R_NOMEMORY);
-	s->common.mctx = NULL;
-	isc_mem_attach(mctx, &s->common.mctx);
-	s->common.methods = &compound_rrstream_methods;
-	s->components[0] = *soa_stream;
-	s->components[1] = *data_stream;
-	s->components[2] = *soa_stream;
-	s->state = -1;
-	s->result = ISC_R_FAILURE;
-
-	*soa_stream = NULL;
-	*data_stream = NULL;
-	*sp = (rrstream_t *) s;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-compound_rrstream_first(rrstream_t *rs) {
-	compound_rrstream_t *s = (compound_rrstream_t *) rs;
-	s->state = 0;
-	do {
-		rrstream_t *curstream = s->components[s->state];
-		s->result = curstream->methods->first(curstream);
-	} while (s->result == ISC_R_NOMORE && s->state < 2);
-	return (s->result);
-}
-
-static isc_result_t
-compound_rrstream_next(rrstream_t *rs) {
-	compound_rrstream_t *s = (compound_rrstream_t *) rs;
-	rrstream_t *curstream = s->components[s->state];
-	s->result = curstream->methods->next(curstream);
-	while (s->result == ISC_R_NOMORE) {
-		/*
-		 * Make sure locks held by the current stream
-		 * are released before we switch streams.
-		 */
-		curstream->methods->pause(curstream);
-		if (s->state == 2)
-			return (ISC_R_NOMORE);
-		s->state++;
-		curstream = s->components[s->state];
-		s->result = curstream->methods->first(curstream);
-	}
-	return (s->result);
-}
-
-static void
-compound_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
-			  dns_rdata_t **rdata)
-{
-	compound_rrstream_t *s = (compound_rrstream_t *) rs;
-	rrstream_t *curstream;
-	INSIST(0 <= s->state && s->state < 3);
-	INSIST(s->result == ISC_R_SUCCESS);
-	curstream = s->components[s->state];
-	curstream->methods->current(curstream, name, ttl, rdata);
-}
-
-static void
-compound_rrstream_pause(rrstream_t *rs)
-{
-	compound_rrstream_t *s = (compound_rrstream_t *) rs;
-	rrstream_t *curstream;
-	INSIST(0 <= s->state && s->state < 3);
-	curstream = s->components[s->state];
-	curstream->methods->pause(curstream);
-}
-
-static void
-compound_rrstream_destroy(rrstream_t **rsp) {
-	compound_rrstream_t *s = (compound_rrstream_t *) *rsp;
-	s->components[0]->methods->destroy(&s->components[0]);
-	s->components[1]->methods->destroy(&s->components[1]);
-	s->components[2] = NULL; /* Copy of components[0]. */
-	isc_mem_putanddetach(&s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t compound_rrstream_methods = {
-	compound_rrstream_first,
-	compound_rrstream_next,
-	compound_rrstream_current,
-	compound_rrstream_pause,
-	compound_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * An 'xfrout_ctx_t' contains the state of an outgoing AXFR or IXFR
- * in progress.
- */
-
-typedef struct {
-	isc_mem_t 		*mctx;
-	ns_client_t		*client;
-	unsigned int 		id;		/* ID of request */
-	dns_name_t		*qname;		/* Question name of request */
-	dns_rdatatype_t		qtype;		/* dns_rdatatype_{a,i}xfr */
-	dns_rdataclass_t	qclass;
-	dns_zone_t 		*zone;		/* (necessary for stats) */
-	dns_db_t 		*db;
-	dns_dbversion_t 	*ver;
-	isc_quota_t		*quota;
-	rrstream_t 		*stream;	/* The XFR RR stream */
-	isc_boolean_t		end_of_stream;	/* EOS has been reached */
-	isc_buffer_t 		buf;		/* Buffer for message owner
-						   names and rdatas */
-	isc_buffer_t 		txlenbuf;	/* Transmit length buffer */
-	isc_buffer_t		txbuf;		/* Transmit message buffer */
-	void 			*txmem;
-	unsigned int 		txmemlen;
-	unsigned int		nmsg;		/* Number of messages sent */
-	dns_tsigkey_t		*tsigkey;	/* Key used to create TSIG */
-	isc_buffer_t		*lasttsig;	/* the last TSIG */
-	isc_boolean_t		many_answers;
-	int			sends;		/* Send in progress */
-	isc_boolean_t		shuttingdown;
-	const char		*mnemonic;	/* Style of transfer */
-} xfrout_ctx_t;
-
-static isc_result_t
-xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client,
-		  unsigned int id, dns_name_t *qname, dns_rdatatype_t qtype,
-		  dns_rdataclass_t qclass, dns_zone_t *zone,
-		  dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
-		  rrstream_t *stream, dns_tsigkey_t *tsigkey,
-		  isc_buffer_t *lasttsig,
-		  unsigned int maxtime,
-		  unsigned int idletime,
-		  isc_boolean_t many_answers,
-		  xfrout_ctx_t **xfrp);
-
-static void
-sendstream(xfrout_ctx_t *xfr);
-
-static void
-xfrout_senddone(isc_task_t *task, isc_event_t *event);
-
-static void
-xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg);
-
-static void
-xfrout_maybe_destroy(xfrout_ctx_t *xfr);
-
-static void
-xfrout_ctx_destroy(xfrout_ctx_t **xfrp);
-
-static void
-xfrout_client_shutdown(void *arg, isc_result_t result);
-
-static void
-xfrout_log1(ns_client_t *client, dns_name_t *zonename,
-	    dns_rdataclass_t rdclass, int level,
-	    const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
-
-static void
-xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...)
-	   ISC_FORMAT_PRINTF(3, 4);
-
-/**************************************************************************/
-
-void
-ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
-	isc_result_t result;
-	dns_name_t *question_name;
-	dns_rdataset_t *question_rdataset;
-	dns_zone_t *zone = NULL;
-	dns_db_t *db = NULL;
-	dns_dbversion_t *ver = NULL;
-	dns_rdataclass_t question_class;
-	rrstream_t *soa_stream = NULL;
-	rrstream_t *data_stream = NULL;
-	rrstream_t *stream = NULL;
-	dns_difftuple_t *current_soa_tuple = NULL;
-	dns_name_t *soa_name;
-	dns_rdataset_t *soa_rdataset;
-	dns_rdata_t soa_rdata = DNS_RDATA_INIT;
-	isc_boolean_t have_soa = ISC_FALSE;
-	const char *mnemonic = NULL;
-	isc_mem_t *mctx = client->mctx;
-	dns_message_t *request = client->message;
-	xfrout_ctx_t *xfr = NULL;
-	isc_quota_t *quota = NULL;
-	dns_transfer_format_t format = client->view->transfer_format;
-	isc_netaddr_t na;
-	dns_peer_t *peer = NULL;
-	isc_buffer_t *tsigbuf = NULL;
-	char *journalfile;
-	char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
-	char keyname[DNS_NAME_FORMATSIZE];
-	isc_boolean_t is_poll = ISC_FALSE;
-	isc_boolean_t is_dlz = ISC_FALSE;
-
-	switch (reqtype) {
-	case dns_rdatatype_axfr:
-		mnemonic = "AXFR";
-		break;
-	case dns_rdatatype_ixfr:
-		mnemonic = "IXFR";
-		break;
-	default:
-		INSIST(0);
-		break;
-	}
-
-	ns_client_log(client,
-		      DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT,
-		      ISC_LOG_DEBUG(6), "%s request", mnemonic);
-	/*
-	 * Apply quota.
-	 */
-	result = isc_quota_attach(&ns_g_server->xfroutquota, &quota);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING,
-			      "%s request denied: %s", mnemonic,
-			      isc_result_totext(result));
-		goto failure;
-	}
-
-	/*
-	 * Interpret the question section.
-	 */
-	result = dns_message_firstname(request, DNS_SECTION_QUESTION);
-	INSIST(result == ISC_R_SUCCESS);
-
-	/*
-	 * The question section must contain exactly one question, and
-	 * it must be for AXFR/IXFR as appropriate.
-	 */
-	question_name = NULL;
-	dns_message_currentname(request, DNS_SECTION_QUESTION, &question_name);
-	question_rdataset = ISC_LIST_HEAD(question_name->list);
-	question_class = question_rdataset->rdclass;
-	INSIST(question_rdataset->type == reqtype);
-	if (ISC_LIST_NEXT(question_rdataset, link) != NULL)
-		FAILC(DNS_R_FORMERR, "multiple questions");
-	result = dns_message_nextname(request, DNS_SECTION_QUESTION);
-	if (result != ISC_R_NOMORE)
-		FAILC(DNS_R_FORMERR, "multiple questions");
-
-	result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
-			     &zone);
-
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * Normal zone table does not have a match.
-		 * Try the DLZ database
-		 */
-		if (client->view->dlzdatabase != NULL) {
-			result = dns_dlzallowzonexfr(client->view,
-						     question_name,
-						     &client->peeraddr,
-						     &db);
-
-			if (result == ISC_R_NOPERM) {
-				char _buf1[DNS_NAME_FORMATSIZE];
-				char _buf2[DNS_RDATACLASS_FORMATSIZE];
-
-				result = DNS_R_REFUSED;
-				dns_name_format(question_name, _buf1,
-						sizeof(_buf1));
-				dns_rdataclass_format(question_class,
-						      _buf2, sizeof(_buf2));
-				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-					      NS_LOGMODULE_XFER_OUT,
-					      ISC_LOG_ERROR,
-					      "zone transfer '%s/%s' denied",
-					      _buf1, _buf2);
-				goto failure;
-			}
-			if (result != ISC_R_SUCCESS)
-				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
-				      question_name, question_class);
-			is_dlz = ISC_TRUE;
-		} else {
-			/*
-			 * not DLZ and not in normal zone table, we are
-			 * not authoritative
-			 */
-			FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
-			      question_name, question_class);
-		}
-	} else {
-		/* zone table has a match */
-		switch(dns_zone_gettype(zone)) {
-			/* Master and slave zones are OK for transfer. */
-			case dns_zone_master:
-			case dns_zone_slave:
-			case dns_zone_dlz:
-				break;
-			default:
-				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
-				      question_name, question_class);
-			}
-		CHECK(dns_zone_getdb(zone, &db));
-		dns_db_currentversion(db, &ver);
-	}
-
-	xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
-		    "%s question section OK", mnemonic);
-
-	/*
-	 * Check the authority section.  Look for a SOA record with
-	 * the same name and class as the question.
-	 */
-	for (result = dns_message_firstname(request, DNS_SECTION_AUTHORITY);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(request, DNS_SECTION_AUTHORITY))
-	{
-		soa_name = NULL;
-		dns_message_currentname(request, DNS_SECTION_AUTHORITY,
-					&soa_name);
-
-		/*
-		 * Ignore data whose owner name is not the zone apex.
-		 */
-		if (! dns_name_equal(soa_name, question_name))
-			continue;
-
-		for (soa_rdataset = ISC_LIST_HEAD(soa_name->list);
-		     soa_rdataset != NULL;
-		     soa_rdataset = ISC_LIST_NEXT(soa_rdataset, link))
-		{
-			/*
-			 * Ignore non-SOA data.
-			 */
-			if (soa_rdataset->type != dns_rdatatype_soa)
-				continue;
-			if (soa_rdataset->rdclass != question_class)
-				continue;
-
-			CHECK(dns_rdataset_first(soa_rdataset));
-			dns_rdataset_current(soa_rdataset, &soa_rdata);
-			result = dns_rdataset_next(soa_rdataset);
-			if (result == ISC_R_SUCCESS)
-				FAILC(DNS_R_FORMERR,
-				      "IXFR authority section "
-				      "has multiple SOAs");
-			have_soa = ISC_TRUE;
-			goto got_soa;
-		}
-	}
- got_soa:
-	if (result != ISC_R_NOMORE)
-		CHECK(result);
-
-	xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
-		    "%s authority section OK", mnemonic);
-
-	/*
-	 * If not a DLZ zone, decide whether to allow this transfer.
-	 */
-	if (!is_dlz) {
-		ns_client_aclmsg("zone transfer", question_name, reqtype,
-				 client->view->rdclass, msg, sizeof(msg));
-		CHECK(ns_client_checkacl(client, NULL, msg,
-					 dns_zone_getxfracl(zone),
-					 ISC_TRUE, ISC_LOG_ERROR));
-	}
-
-	/*
-	 * AXFR over UDP is not possible.
-	 */
-	if (reqtype == dns_rdatatype_axfr &&
-	    (client->attributes & NS_CLIENTATTR_TCP) == 0)
-		FAILC(DNS_R_FORMERR, "attempted AXFR over UDP");
-
-	/*
-	 * Look up the requesting server in the peer table.
-	 */
-	isc_netaddr_fromsockaddr(&na, &client->peeraddr);
-	(void)dns_peerlist_peerbyaddr(client->view->peers, &na, &peer);
-
-	/*
-	 * Decide on the transfer format (one-answer or many-answers).
-	 */
-	if (peer != NULL)
-		(void)dns_peer_gettransferformat(peer, &format);
-
-	/*
-	 * Get a dynamically allocated copy of the current SOA.
-	 */
-	if (is_dlz)
-		dns_db_currentversion(db, &ver);
-
-	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
-				    &current_soa_tuple));
-
-	if (reqtype == dns_rdatatype_ixfr) {
-		isc_uint32_t begin_serial, current_serial;
-		isc_boolean_t provide_ixfr;
-
-		/*
-		 * Outgoing IXFR may have been disabled for this peer
-		 * or globally.
-		 */
-		provide_ixfr = client->view->provideixfr;
-		if (peer != NULL)
-			(void) dns_peer_getprovideixfr(peer, &provide_ixfr);
-		if (provide_ixfr == ISC_FALSE)
-			goto axfr_fallback;
-
-		if (! have_soa)
-			FAILC(DNS_R_FORMERR,
-			      "IXFR request missing SOA");
-
-		begin_serial = dns_soa_getserial(&soa_rdata);
-		current_serial = dns_soa_getserial(&current_soa_tuple->rdata);
-
-		/*
-		 * RFC1995 says "If an IXFR query with the same or
-		 * newer version number than that of the server
-		 * is received, it is replied to with a single SOA
-		 * record of the server's current version, just as
-		 * in AXFR".  The claim about AXFR is incorrect,
-		 * but other than that, we do as the RFC says.
-		 *
-		 * Sending a single SOA record is also how we refuse
-		 * IXFR over UDP (currently, we always do).
-		 */
-		if (DNS_SERIAL_GE(begin_serial, current_serial) ||
-		    (client->attributes & NS_CLIENTATTR_TCP) == 0)
-		{
-			CHECK(soa_rrstream_create(mctx, db, ver, &stream));
-			is_poll = ISC_TRUE;
-			goto have_stream;
-		}
-		journalfile = is_dlz ? NULL : dns_zone_getjournal(zone);
-		if (journalfile != NULL)
-			result = ixfr_rrstream_create(mctx,
-						      journalfile,
-						      begin_serial,
-						      current_serial,
-						      &data_stream);
-		else
-			result = ISC_R_NOTFOUND;
-		if (result == ISC_R_NOTFOUND ||
-		    result == ISC_R_RANGE) {
-			xfrout_log1(client, question_name, question_class,
-				    ISC_LOG_DEBUG(4),
-				    "IXFR version not in journal, "
-				    "falling back to AXFR");
-			mnemonic = "AXFR-style IXFR";
-			goto axfr_fallback;
-		}
-		CHECK(result);
-	} else {
-	axfr_fallback:
-		CHECK(axfr_rrstream_create(mctx, db, ver,
-					   &data_stream));
-	}
-
-	/*
-	 * Bracket the data stream with SOAs.
-	 */
-	CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream));
-	CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream,
-				       &stream));
-	soa_stream = NULL;
-	data_stream = NULL;
-
- have_stream:
-	CHECK(dns_message_getquerytsig(request, mctx, &tsigbuf));
-	/*
-	 * Create the xfrout context object.  This transfers the ownership
-	 * of "stream", "db", "ver", and "quota" to the xfrout context object.
-	 */
-
-
-
-	if (is_dlz)
-		CHECK(xfrout_ctx_create(mctx, client, request->id,
-					question_name, reqtype, question_class,
-					zone, db, ver, quota, stream,
-					dns_message_gettsigkey(request),
-					tsigbuf,
-					3600,
-					3600,
-					(format == dns_many_answers) ?
-					ISC_TRUE : ISC_FALSE,
-					&xfr));
-	else
-		CHECK(xfrout_ctx_create(mctx, client, request->id,
-					question_name, reqtype, question_class,
-					zone, db, ver, quota, stream,
-					dns_message_gettsigkey(request),
-					tsigbuf,
-					dns_zone_getmaxxfrout(zone),
-					dns_zone_getidleout(zone),
-					(format == dns_many_answers) ?
-					ISC_TRUE : ISC_FALSE,
-					&xfr));
-
-	xfr->mnemonic = mnemonic;
-	stream = NULL;
-	quota = NULL;
-
-	CHECK(xfr->stream->methods->first(xfr->stream));
-
-	if (xfr->tsigkey != NULL)
-		dns_name_format(&xfr->tsigkey->name, keyname, sizeof(keyname));
-	else
-		keyname[0] = '\0';
-	if (is_poll)
-		xfrout_log1(client, question_name, question_class,
-			    ISC_LOG_DEBUG(1), "IXFR poll up to date%s%s",
-			    (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
-	else
-		xfrout_log1(client, question_name, question_class,
-			    ISC_LOG_INFO, "%s started%s%s", mnemonic,
-			    (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
-
-	/*
-	 * Hand the context over to sendstream().  Set xfr to NULL;
-	 * sendstream() is responsible for either passing the
-	 * context on to a later event handler or destroying it.
-	 */
-	sendstream(xfr);
-	xfr = NULL;
-
-	result = ISC_R_SUCCESS;
-
- failure:
-	if (result == DNS_R_REFUSED)
-		inc_stats(zone, dns_nsstatscounter_xfrrej);
-	if (quota != NULL)
-		isc_quota_detach(&quota);
-	if (current_soa_tuple != NULL)
-		dns_difftuple_free(&current_soa_tuple);
-	if (stream != NULL)
-		stream->methods->destroy(&stream);
-	if (soa_stream != NULL)
-		soa_stream->methods->destroy(&soa_stream);
-	if (data_stream != NULL)
-		data_stream->methods->destroy(&data_stream);
-	if (ver != NULL)
-		dns_db_closeversion(db, &ver, ISC_FALSE);
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-	/* XXX kludge */
-	if (xfr != NULL) {
-		xfrout_fail(xfr, result, "setting up zone transfer");
-	} else if (result != ISC_R_SUCCESS) {
-		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
-			      NS_LOGMODULE_XFER_OUT,
-			      ISC_LOG_DEBUG(3), "zone transfer setup failed");
-		ns_client_error(client, result);
-	}
-}
-
-static isc_result_t
-xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
-		  dns_name_t *qname, dns_rdatatype_t qtype,
-		  dns_rdataclass_t qclass, dns_zone_t *zone,
-		  dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
-		  rrstream_t *stream, dns_tsigkey_t *tsigkey,
-		  isc_buffer_t *lasttsig, unsigned int maxtime,
-		  unsigned int idletime, isc_boolean_t many_answers,
-		  xfrout_ctx_t **xfrp)
-{
-	xfrout_ctx_t *xfr;
-	isc_result_t result;
-	unsigned int len;
-	void *mem;
-
-	INSIST(xfrp != NULL && *xfrp == NULL);
-	xfr = isc_mem_get(mctx, sizeof(*xfr));
-	if (xfr == NULL)
-		return (ISC_R_NOMEMORY);
-	xfr->mctx = NULL;
-	isc_mem_attach(mctx, &xfr->mctx);
-	xfr->client = NULL;
-	ns_client_attach(client, &xfr->client);
-	xfr->id = id;
-	xfr->qname = qname;
-	xfr->qtype = qtype;
-	xfr->qclass = qclass;
-	xfr->zone = NULL;
-	xfr->db = NULL;
-	xfr->ver = NULL;
-	if (zone != NULL)	/* zone will be NULL if it's DLZ */
-		dns_zone_attach(zone, &xfr->zone);
-	dns_db_attach(db, &xfr->db);
-	dns_db_attachversion(db, ver, &xfr->ver);
-	xfr->end_of_stream = ISC_FALSE;
-	xfr->tsigkey = tsigkey;
-	xfr->lasttsig = lasttsig;
-	xfr->txmem = NULL;
-	xfr->txmemlen = 0;
-	xfr->nmsg = 0;
-	xfr->many_answers = many_answers,
-	xfr->sends = 0;
-	xfr->shuttingdown = ISC_FALSE;
-	xfr->mnemonic = NULL;
-	xfr->buf.base = NULL;
-	xfr->buf.length = 0;
-	xfr->txmem = NULL;
-	xfr->txmemlen = 0;
-	xfr->stream = NULL;
-	xfr->quota = NULL;
-
-	/*
-	 * Allocate a temporary buffer for the uncompressed response
-	 * message data.  The size should be no more than 65535 bytes
-	 * so that the compressed data will fit in a TCP message,
-	 * and no less than 65535 bytes so that an almost maximum-sized
-	 * RR will fit.  Note that although 65535-byte RRs are allowed
-	 * in principle, they cannot be zone-transferred (at least not
-	 * if uncompressible), because the message and RR headers would
-	 * push the size of the TCP message over the 65536 byte limit.
-	 */
-	len = 65535;
-	mem = isc_mem_get(mctx, len);
-	if (mem == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto failure;
-	}
-	isc_buffer_init(&xfr->buf, mem, len);
-
-	/*
-	 * Allocate another temporary buffer for the compressed
-	 * response message and its TCP length prefix.
-	 */
-	len = 2 + 65535;
-	mem = isc_mem_get(mctx, len);
-	if (mem == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto failure;
-	}
-	isc_buffer_init(&xfr->txlenbuf, mem, 2);
-	isc_buffer_init(&xfr->txbuf, (char *) mem + 2, len - 2);
-	xfr->txmem = mem;
-	xfr->txmemlen = len;
-
-	CHECK(dns_timer_setidle(xfr->client->timer,
-				maxtime, idletime, ISC_FALSE));
-
-	/*
-	 * Register a shutdown callback with the client, so that we
-	 * can stop the transfer immediately when the client task
-	 * gets a shutdown event.
-	 */
-	xfr->client->shutdown = xfrout_client_shutdown;
-	xfr->client->shutdown_arg = xfr;
-	/*
-	 * These MUST be after the last "goto failure;" / CHECK to
-	 * prevent a double free by the caller.
-	 */
-	xfr->quota = quota;
-	xfr->stream = stream;
-
-	*xfrp = xfr;
-	return (ISC_R_SUCCESS);
-
-failure:
-	xfrout_ctx_destroy(&xfr);
-	return (result);
-}
-
-
-/*
- * Arrange to send as much as we can of "stream" without blocking.
- *
- * Requires:
- *	The stream iterator is initialized and points at an RR,
- *      or possibly at the end of the stream (that is, the
- *      _first method of the iterator has been called).
- */
-static void
-sendstream(xfrout_ctx_t *xfr) {
-	dns_message_t *tcpmsg = NULL;
-	dns_message_t *msg = NULL; /* Client message if UDP, tcpmsg if TCP */
-	isc_result_t result;
-	isc_region_t used;
-	isc_region_t region;
-	dns_rdataset_t *qrdataset;
-	dns_name_t *msgname = NULL;
-	dns_rdata_t *msgrdata = NULL;
-	dns_rdatalist_t *msgrdl = NULL;
-	dns_rdataset_t *msgrds = NULL;
-	dns_compress_t cctx;
-	isc_boolean_t cleanup_cctx = ISC_FALSE;
-
-	int n_rrs;
-
-	isc_buffer_clear(&xfr->buf);
-	isc_buffer_clear(&xfr->txlenbuf);
-	isc_buffer_clear(&xfr->txbuf);
-
-	if ((xfr->client->attributes & NS_CLIENTATTR_TCP) == 0) {
-		/*
-		 * In the UDP case, we put the response data directly into
-		 * the client message.
-		 */
-		msg = xfr->client->message;
-		CHECK(dns_message_reply(msg, ISC_TRUE));
-	} else {
-		/*
-		 * TCP. Build a response dns_message_t, temporarily storing
-		 * the raw, uncompressed owner names and RR data contiguously
-		 * in xfr->buf.  We know that if the uncompressed data fits
-		 * in xfr->buf, the compressed data will surely fit in a TCP
-		 * message.
-		 */
-
-		CHECK(dns_message_create(xfr->mctx,
-					 DNS_MESSAGE_INTENTRENDER, &tcpmsg));
-		msg = tcpmsg;
-
-		msg->id = xfr->id;
-		msg->rcode = dns_rcode_noerror;
-		msg->flags = DNS_MESSAGEFLAG_QR | DNS_MESSAGEFLAG_AA;
-		if ((xfr->client->attributes & NS_CLIENTATTR_RA) != 0)
-			msg->flags |= DNS_MESSAGEFLAG_RA;
-		CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
-		CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
-		if (xfr->lasttsig != NULL)
-			isc_buffer_free(&xfr->lasttsig);
-
-		/*
-		 * Account for reserved space.
-		 */
-		if (xfr->tsigkey != NULL)
-			INSIST(msg->reserved != 0U);
-		isc_buffer_add(&xfr->buf, msg->reserved);
-
-		/*
-		 * Include a question section in the first message only.
-		 * BIND 8.2.1 will not recognize an IXFR if it does not
-		 * have a question section.
-		 */
-		if (xfr->nmsg == 0) {
-			dns_name_t *qname = NULL;
-			isc_region_t r;
-
-			/*
-			 * Reserve space for the 12-byte message header
-			 * and 4 bytes of question.
-			 */
-			isc_buffer_add(&xfr->buf, 12 + 4);
-
-			qrdataset = NULL;
-			result = dns_message_gettemprdataset(msg, &qrdataset);
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-			dns_rdataset_init(qrdataset);
-			dns_rdataset_makequestion(qrdataset,
-					xfr->client->message->rdclass,
-					xfr->qtype);
-
-			result = dns_message_gettempname(msg, &qname);
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-			dns_name_init(qname, NULL);
-			isc_buffer_availableregion(&xfr->buf, &r);
-			INSIST(r.length >= xfr->qname->length);
-			r.length = xfr->qname->length;
-			isc_buffer_putmem(&xfr->buf, xfr->qname->ndata,
-					  xfr->qname->length);
-			dns_name_fromregion(qname, &r);
-			ISC_LIST_INIT(qname->list);
-			ISC_LIST_APPEND(qname->list, qrdataset, link);
-
-			dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
-		} else {
-			/*
-			 * Reserve space for the 12-byte message header
-			 */
-			isc_buffer_add(&xfr->buf, 12);
-			msg->tcp_continuation = 1;
-		}
-	}
-
-	/*
-	 * Try to fit in as many RRs as possible, unless "one-answer"
-	 * format has been requested.
-	 */
-	for (n_rrs = 0; ; n_rrs++) {
-		dns_name_t *name = NULL;
-		isc_uint32_t ttl;
-		dns_rdata_t *rdata = NULL;
-
-		unsigned int size;
-		isc_region_t r;
-
-		msgname = NULL;
-		msgrdata = NULL;
-		msgrdl = NULL;
-		msgrds = NULL;
-
-		xfr->stream->methods->current(xfr->stream,
-					      &name, &ttl, &rdata);
-		size = name->length + 10 + rdata->length;
-		isc_buffer_availableregion(&xfr->buf, &r);
-		if (size >= r.length) {
-			/*
-			 * RR would not fit.  If there are other RRs in the
-			 * buffer, send them now and leave this RR to the
-			 * next message.  If this RR overflows the buffer
-			 * all by itself, fail.
-			 *
-			 * In theory some RRs might fit in a TCP message
-			 * when compressed even if they do not fit when
-			 * uncompressed, but surely we don't want
-			 * to send such monstrosities to an unsuspecting
-			 * slave.
-			 */
-			if (n_rrs == 0) {
-				xfrout_log(xfr, ISC_LOG_WARNING,
-					   "RR too large for zone transfer "
-					   "(%d bytes)", size);
-				/* XXX DNS_R_RRTOOLARGE? */
-				result = ISC_R_NOSPACE;
-				goto failure;
-			}
-			break;
-		}
-
-		if (isc_log_wouldlog(ns_g_lctx, XFROUT_RR_LOGLEVEL))
-			log_rr(name, rdata, ttl); /* XXX */
-
-		result = dns_message_gettempname(msg, &msgname);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-		dns_name_init(msgname, NULL);
-		isc_buffer_availableregion(&xfr->buf, &r);
-		INSIST(r.length >= name->length);
-		r.length = name->length;
-		isc_buffer_putmem(&xfr->buf, name->ndata, name->length);
-		dns_name_fromregion(msgname, &r);
-
-		/* Reserve space for RR header. */
-		isc_buffer_add(&xfr->buf, 10);
-
-		result = dns_message_gettemprdata(msg, &msgrdata);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-		isc_buffer_availableregion(&xfr->buf, &r);
-		r.length = rdata->length;
-		isc_buffer_putmem(&xfr->buf, rdata->data, rdata->length);
-		dns_rdata_init(msgrdata);
-		dns_rdata_fromregion(msgrdata,
-				     rdata->rdclass, rdata->type, &r);
-
-		result = dns_message_gettemprdatalist(msg, &msgrdl);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-		msgrdl->type = rdata->type;
-		msgrdl->rdclass = rdata->rdclass;
-		msgrdl->ttl = ttl;
-		if (rdata->type == dns_rdatatype_sig ||
-		    rdata->type == dns_rdatatype_rrsig)
-			msgrdl->covers = dns_rdata_covers(rdata);
-		else
-			msgrdl->covers = dns_rdatatype_none;
-		ISC_LINK_INIT(msgrdl, link);
-		ISC_LIST_INIT(msgrdl->rdata);
-		ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
-
-		result = dns_message_gettemprdataset(msg, &msgrds);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-		dns_rdataset_init(msgrds);
-		result = dns_rdatalist_tordataset(msgrdl, msgrds);
-		INSIST(result == ISC_R_SUCCESS);
-
-		ISC_LIST_APPEND(msgname->list, msgrds, link);
-
-		dns_message_addname(msg, msgname, DNS_SECTION_ANSWER);
-		msgname = NULL;
-
-		result = xfr->stream->methods->next(xfr->stream);
-		if (result == ISC_R_NOMORE) {
-			xfr->end_of_stream = ISC_TRUE;
-			break;
-		}
-		CHECK(result);
-
-		if (! xfr->many_answers)
-			break;
-	}
-
-	if ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0) {
-		CHECK(dns_compress_init(&cctx, -1, xfr->mctx));
-		dns_compress_setsensitive(&cctx, ISC_TRUE);
-		cleanup_cctx = ISC_TRUE;
-		CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf));
-		CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
-		CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
-		CHECK(dns_message_renderend(msg));
-		dns_compress_invalidate(&cctx);
-		cleanup_cctx = ISC_FALSE;
-
-		isc_buffer_usedregion(&xfr->txbuf, &used);
-		isc_buffer_putuint16(&xfr->txlenbuf,
-				     (isc_uint16_t)used.length);
-		region.base = xfr->txlenbuf.base;
-		region.length = 2 + used.length;
-		xfrout_log(xfr, ISC_LOG_DEBUG(8),
-			   "sending TCP message of %d bytes",
-			   used.length);
-		CHECK(isc_socket_send(xfr->client->tcpsocket, /* XXX */
-				      &region, xfr->client->task,
-				      xfrout_senddone,
-				      xfr));
-		xfr->sends++;
-	} else {
-		xfrout_log(xfr, ISC_LOG_DEBUG(8), "sending IXFR UDP response");
-		ns_client_send(xfr->client);
-		xfr->stream->methods->pause(xfr->stream);
-		xfrout_ctx_destroy(&xfr);
-		return;
-	}
-
-	/* Advance lasttsig to be the last TSIG generated */
-	CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
-
-	xfr->nmsg++;
-
- failure:
-	if (msgname != NULL) {
-		if (msgrds != NULL) {
-			if (dns_rdataset_isassociated(msgrds))
-				dns_rdataset_disassociate(msgrds);
-			dns_message_puttemprdataset(msg, &msgrds);
-		}
-		if (msgrdl != NULL) {
-			ISC_LIST_UNLINK(msgrdl->rdata, msgrdata, link);
-			dns_message_puttemprdatalist(msg, &msgrdl);
-		}
-		if (msgrdata != NULL)
-			dns_message_puttemprdata(msg, &msgrdata);
-		dns_message_puttempname(msg, &msgname);
-	}
-
-	if (tcpmsg != NULL)
-		dns_message_destroy(&tcpmsg);
-
-	if (cleanup_cctx)
-		dns_compress_invalidate(&cctx);
-	/*
-	 * Make sure to release any locks held by database
-	 * iterators before returning from the event handler.
-	 */
-	xfr->stream->methods->pause(xfr->stream);
-
-	if (result == ISC_R_SUCCESS)
-		return;
-
-	xfrout_fail(xfr, result, "sending zone data");
-}
-
-static void
-xfrout_ctx_destroy(xfrout_ctx_t **xfrp) {
-	xfrout_ctx_t *xfr = *xfrp;
-	ns_client_t *client = NULL;
-
-	INSIST(xfr->sends == 0);
-
-	xfr->client->shutdown = NULL;
-	xfr->client->shutdown_arg = NULL;
-
-	if (xfr->stream != NULL)
-		xfr->stream->methods->destroy(&xfr->stream);
-	if (xfr->buf.base != NULL)
-		isc_mem_put(xfr->mctx, xfr->buf.base, xfr->buf.length);
-	if (xfr->txmem != NULL)
-		isc_mem_put(xfr->mctx, xfr->txmem, xfr->txmemlen);
-	if (xfr->lasttsig != NULL)
-		isc_buffer_free(&xfr->lasttsig);
-	if (xfr->quota != NULL)
-		isc_quota_detach(&xfr->quota);
-	if (xfr->ver != NULL)
-		dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
-	if (xfr->zone != NULL)
-		dns_zone_detach(&xfr->zone);
-	if (xfr->db != NULL)
-		dns_db_detach(&xfr->db);
-
-	/*
-	 * We want to detch the client after we have released the memory
-	 * context as ns_client_detach checks the memory reference count.
-	 */
-	ns_client_attach(xfr->client, &client);
-	ns_client_detach(&xfr->client);
-	isc_mem_putanddetach(&xfr->mctx, xfr, sizeof(*xfr));
-	ns_client_detach(&client);
-
-	*xfrp = NULL;
-}
-
-static void
-xfrout_senddone(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sev = (isc_socketevent_t *)event;
-	xfrout_ctx_t *xfr = (xfrout_ctx_t *)event->ev_arg;
-	isc_result_t evresult = sev->result;
-
-	UNUSED(task);
-
-	INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-
-	isc_event_free(&event);
-	xfr->sends--;
-	INSIST(xfr->sends == 0);
-
-	(void)isc_timer_touch(xfr->client->timer);
-	if (xfr->shuttingdown == ISC_TRUE) {
-		xfrout_maybe_destroy(xfr);
-	} else if (evresult != ISC_R_SUCCESS) {
-		xfrout_fail(xfr, evresult, "send");
-	} else if (xfr->end_of_stream == ISC_FALSE) {
-		sendstream(xfr);
-	} else {
-		/* End of zone transfer stream. */
-		inc_stats(xfr->zone, dns_nsstatscounter_xfrdone);
-		xfrout_log(xfr, ISC_LOG_INFO, "%s ended", xfr->mnemonic);
-		ns_client_next(xfr->client, ISC_R_SUCCESS);
-		xfrout_ctx_destroy(&xfr);
-	}
-}
-
-static void
-xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg) {
-	xfr->shuttingdown = ISC_TRUE;
-	xfrout_log(xfr, ISC_LOG_ERROR, "%s: %s",
-		   msg, isc_result_totext(result));
-	xfrout_maybe_destroy(xfr);
-}
-
-static void
-xfrout_maybe_destroy(xfrout_ctx_t *xfr) {
-	INSIST(xfr->shuttingdown == ISC_TRUE);
-	if (xfr->sends > 0) {
-		/*
-		 * If we are currently sending, cancel it and wait for
-		 * cancel event before destroying the context.
-		 */
-		isc_socket_cancel(xfr->client->tcpsocket, xfr->client->task,
-				  ISC_SOCKCANCEL_SEND);
-	} else {
-		ns_client_next(xfr->client, ISC_R_CANCELED);
-		xfrout_ctx_destroy(&xfr);
-	}
-}
-
-static void
-xfrout_client_shutdown(void *arg, isc_result_t result) {
-	xfrout_ctx_t *xfr = (xfrout_ctx_t *) arg;
-	xfrout_fail(xfr, result, "aborted");
-}
-
-/*
- * Log outgoing zone transfer messages in a format like
- * <client>: transfer of <zone>: <message>
- */
-
-static void
-xfrout_logv(ns_client_t *client, dns_name_t *zonename,
-	    dns_rdataclass_t rdclass, int level, const char *fmt, va_list ap)
-     ISC_FORMAT_PRINTF(5, 0);
-
-static void
-xfrout_logv(ns_client_t *client, dns_name_t *zonename,
-	    dns_rdataclass_t rdclass, int level, const char *fmt, va_list ap)
-{
-	char msgbuf[2048];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
-	dns_name_format(zonename, namebuf, sizeof(namebuf));
-	dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-	ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
-		      NS_LOGMODULE_XFER_OUT, level,
-		      "transfer of '%s/%s': %s", namebuf, classbuf, msgbuf);
-}
-
-/*
- * Logging function for use when a xfrout_ctx_t has not yet been created.
- */
-static void
-xfrout_log1(ns_client_t *client, dns_name_t *zonename,
-	    dns_rdataclass_t rdclass, int level, const char *fmt, ...) {
-	va_list ap;
-	va_start(ap, fmt);
-	xfrout_logv(client, zonename, rdclass, level, fmt, ap);
-	va_end(ap);
-}
-
-/*
- * Logging function for use when there is a xfrout_ctx_t.
- */
-static void
-xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) {
-	va_list ap;
-	va_start(ap, fmt);
-	xfrout_logv(xfr->client, xfr->qname, xfr->qclass, level, fmt, ap);
-	va_end(ap);
-}
diff --git a/contrib/bind9/bin/named/zoneconf.c b/contrib/bind9/bin/named/zoneconf.c
deleted file mode 100644
index 7f36b14..0000000
--- a/contrib/bind9/bin/named/zoneconf.c
+++ /dev/null
@@ -1,1722 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*% */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/stats.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/db.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatatype.h>
-#include <dns/rdataset.h>
-#include <dns/rdatalist.h>
-#include <dns/result.h>
-#include <dns/sdlz.h>
-#include <dns/ssu.h>
-#include <dns/stats.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-
-#include <named/client.h>
-#include <named/config.h>
-#include <named/globals.h>
-#include <named/log.h>
-#include <named/server.h>
-#include <named/zoneconf.h>
-
-/* ACLs associated with zone */
-typedef enum {
-	allow_notify,
-	allow_query,
-	allow_query_on,
-	allow_transfer,
-	allow_update,
-	allow_update_forwarding
-} acl_type_t;
-
-#define RETERR(x) do { \
-	isc_result_t _r = (x); \
-	if (_r != ISC_R_SUCCESS) \
-		return (_r); \
-	} while (0)
-
-#define CHECK(x) do { \
-	result = (x); \
-	if (result != ISC_R_SUCCESS) \
-		goto cleanup; \
-	} while (0)
-
-/*%
- * Convenience function for configuring a single zone ACL.
- */
-static isc_result_t
-configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
-		   const cfg_obj_t *config, acl_type_t acltype,
-		   cfg_aclconfctx_t *actx, dns_zone_t *zone,
-		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
-		   void (*clearzacl)(dns_zone_t *))
-{
-	isc_result_t result;
-	const cfg_obj_t *maps[5] = {NULL, NULL, NULL, NULL, NULL};
-	const cfg_obj_t *aclobj = NULL;
-	int i = 0;
-	dns_acl_t **aclp = NULL, *acl = NULL;
-	const char *aclname;
-	dns_view_t *view;
-
-	view = dns_zone_getview(zone);
-
-	switch (acltype) {
-	    case allow_notify:
-		if (view != NULL)
-			aclp = &view->notifyacl;
-		aclname = "allow-notify";
-		break;
-	    case allow_query:
-		if (view != NULL)
-			aclp = &view->queryacl;
-		aclname = "allow-query";
-		break;
-	    case allow_query_on:
-		if (view != NULL)
-			aclp = &view->queryonacl;
-		aclname = "allow-query-on";
-		break;
-	    case allow_transfer:
-		if (view != NULL)
-			aclp = &view->transferacl;
-		aclname = "allow-transfer";
-		break;
-	    case allow_update:
-		if (view != NULL)
-			aclp = &view->updateacl;
-		aclname = "allow-update";
-		break;
-	    case allow_update_forwarding:
-		if (view != NULL)
-			aclp = &view->upfwdacl;
-		aclname = "allow-update-forwarding";
-		break;
-	    default:
-		INSIST(0);
-		return (ISC_R_FAILURE);
-	}
-
-	/* First check to see if ACL is defined within the zone */
-	if (zconfig != NULL) {
-		maps[0] = cfg_tuple_get(zconfig, "options");
-		(void)ns_config_get(maps, aclname, &aclobj);
-		if (aclobj != NULL) {
-			aclp = NULL;
-			goto parse_acl;
-		}
-	}
-
-	/* Failing that, see if there's a default ACL already in the view */
-	if (aclp != NULL && *aclp != NULL) {
-		(*setzacl)(zone, *aclp);
-		return (ISC_R_SUCCESS);
-	}
-
-	/* Check for default ACLs that haven't been parsed yet */
-	if (vconfig != NULL) {
-		const cfg_obj_t *options = cfg_tuple_get(vconfig, "options");
-		if (options != NULL)
-			maps[i++] = options;
-	}
-	if (config != NULL) {
-		const cfg_obj_t *options = NULL;
-		(void)cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			maps[i++] = options;
-	}
-	maps[i++] = ns_g_defaults;
-	maps[i] = NULL;
-
-	(void)ns_config_get(maps, aclname, &aclobj);
-	if (aclobj == NULL) {
-		(*clearzacl)(zone);
-		return (ISC_R_SUCCESS);
-	}
-
-parse_acl:
-	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx,
-				    dns_zone_getmctx(zone), 0, &acl);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	(*setzacl)(zone, acl);
-
-	/* Set the view default now */
-	if (aclp != NULL)
-		dns_acl_attach(acl, aclp);
-
-	dns_acl_detach(&acl);
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Parse the zone update-policy statement.
- */
-static isc_result_t
-configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
-			const char *zname)
-{
-	const cfg_obj_t *updatepolicy = NULL;
-	const cfg_listelt_t *element, *element2;
-	dns_ssutable_t *table = NULL;
-	isc_mem_t *mctx = dns_zone_getmctx(zone);
-	isc_boolean_t autoddns = ISC_FALSE;
-	isc_result_t result;
-
-	(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
-
-	if (updatepolicy == NULL) {
-		dns_zone_setssutable(zone, NULL);
-		return (ISC_R_SUCCESS);
-	}
-
-	if (cfg_obj_isstring(updatepolicy) &&
-	    strcmp("local", cfg_obj_asstring(updatepolicy)) == 0) {
-		autoddns = ISC_TRUE;
-		updatepolicy = NULL;
-	}
-
-	result = dns_ssutable_create(mctx, &table);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	for (element = cfg_list_first(updatepolicy);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *stmt = cfg_listelt_value(element);
-		const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
-		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
-		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
-		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
-		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
-		const char *str;
-		isc_boolean_t grant = ISC_FALSE;
-		isc_boolean_t usezone = ISC_FALSE;
-		unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
-		dns_fixedname_t fname, fident;
-		isc_buffer_t b;
-		dns_rdatatype_t *types;
-		unsigned int i, n;
-
-		str = cfg_obj_asstring(mode);
-		if (strcasecmp(str, "grant") == 0)
-			grant = ISC_TRUE;
-		else if (strcasecmp(str, "deny") == 0)
-			grant = ISC_FALSE;
-		else
-			INSIST(0);
-
-		str = cfg_obj_asstring(matchtype);
-		if (strcasecmp(str, "name") == 0)
-			mtype = DNS_SSUMATCHTYPE_NAME;
-		else if (strcasecmp(str, "subdomain") == 0)
-			mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
-		else if (strcasecmp(str, "wildcard") == 0)
-			mtype = DNS_SSUMATCHTYPE_WILDCARD;
-		else if (strcasecmp(str, "self") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELF;
-		else if (strcasecmp(str, "selfsub") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELFSUB;
-		else if (strcasecmp(str, "selfwild") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELFWILD;
-		else if (strcasecmp(str, "ms-self") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELFMS;
-		else if (strcasecmp(str, "krb5-self") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELFKRB5;
-		else if (strcasecmp(str, "ms-subdomain") == 0)
-			mtype = DNS_SSUMATCHTYPE_SUBDOMAINMS;
-		else if (strcasecmp(str, "krb5-subdomain") == 0)
-			mtype = DNS_SSUMATCHTYPE_SUBDOMAINKRB5;
-		else if (strcasecmp(str, "tcp-self") == 0)
-			mtype = DNS_SSUMATCHTYPE_TCPSELF;
-		else if (strcasecmp(str, "6to4-self") == 0)
-			mtype = DNS_SSUMATCHTYPE_6TO4SELF;
-		else if (strcasecmp(str, "zonesub") == 0) {
-			mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
-			usezone = ISC_TRUE;
-		} else if (strcasecmp(str, "external") == 0)
-			mtype = DNS_SSUMATCHTYPE_EXTERNAL;
-		else
-			INSIST(0);
-
-		dns_fixedname_init(&fident);
-		str = cfg_obj_asstring(identity);
-		isc_buffer_constinit(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
-					   dns_rootname, 0, NULL);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
-				    "'%s' is not a valid name", str);
-			goto cleanup;
-		}
-
-		dns_fixedname_init(&fname);
-		if (usezone) {
-			result = dns_name_copy(dns_zone_getorigin(zone),
-					       dns_fixedname_name(&fname),
-					       NULL);
-			if (result != ISC_R_SUCCESS) {
-				cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
-					    "error copying origin: %s",
-					    isc_result_totext(result));
-				goto cleanup;
-			}
-		} else {
-			str = cfg_obj_asstring(dname);
-			isc_buffer_constinit(&b, str, strlen(str));
-			isc_buffer_add(&b, strlen(str));
-			result = dns_name_fromtext(dns_fixedname_name(&fname),
-						   &b, dns_rootname, 0, NULL);
-			if (result != ISC_R_SUCCESS) {
-				cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
-					    "'%s' is not a valid name", str);
-				goto cleanup;
-			}
-		}
-
-		n = ns_config_listcount(typelist);
-		if (n == 0)
-			types = NULL;
-		else {
-			types = isc_mem_get(mctx, n * sizeof(dns_rdatatype_t));
-			if (types == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-		}
-
-		i = 0;
-		for (element2 = cfg_list_first(typelist);
-		     element2 != NULL;
-		     element2 = cfg_list_next(element2))
-		{
-			const cfg_obj_t *typeobj;
-			isc_textregion_t r;
-
-			INSIST(i < n);
-
-			typeobj = cfg_listelt_value(element2);
-			str = cfg_obj_asstring(typeobj);
-			DE_CONST(str, r.base);
-			r.length = strlen(str);
-
-			result = dns_rdatatype_fromtext(&types[i++], &r);
-			if (result != ISC_R_SUCCESS) {
-				cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
-					    "'%s' is not a valid type", str);
-				isc_mem_put(mctx, types,
-					    n * sizeof(dns_rdatatype_t));
-				goto cleanup;
-			}
-		}
-		INSIST(i == n);
-
-		result = dns_ssutable_addrule(table, grant,
-					      dns_fixedname_name(&fident),
-					      mtype,
-					      dns_fixedname_name(&fname),
-					      n, types);
-		if (types != NULL)
-			isc_mem_put(mctx, types, n * sizeof(dns_rdatatype_t));
-		if (result != ISC_R_SUCCESS) {
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * If "update-policy local;" and a session key exists,
-	 * then use the default policy, which is equivalent to:
-	 * update-policy { grant <session-keyname> zonesub any; };
-	 */
-	if (autoddns) {
-		dns_rdatatype_t any = dns_rdatatype_any;
-
-		if (ns_g_server->session_keyname == NULL) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "failed to enable auto DDNS policy "
-				      "for zone %s: session key not found",
-				      zname);
-			result = ISC_R_NOTFOUND;
-			goto cleanup;
-		}
-
-		result = dns_ssutable_addrule(table, ISC_TRUE,
-					      ns_g_server->session_keyname,
-					      DNS_SSUMATCHTYPE_SUBDOMAIN,
-					      dns_zone_getorigin(zone),
-					      1, &any);
-
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	result = ISC_R_SUCCESS;
-	dns_zone_setssutable(zone, table);
-
- cleanup:
-	dns_ssutable_detach(&table);
-	return (result);
-}
-
-/*
- * This is the TTL used for internally generated RRsets for static-stub zones.
- * The value doesn't matter because the mapping is static, but needs to be
- * defined for the sake of implementation.
- */
-#define STATICSTUB_SERVER_TTL 86400
-
-/*%
- * Configure an apex NS with glues for a static-stub zone.
- * For example, for the zone named "example.com", the following RRs will be
- * added to the zone DB:
- * example.com. NS example.com.
- * example.com. A 192.0.2.1
- * example.com. AAAA 2001:db8::1
- */
-static isc_result_t
-configure_staticstub_serveraddrs(const cfg_obj_t *zconfig, dns_zone_t *zone,
-				 dns_rdatalist_t *rdatalist_ns,
-				 dns_rdatalist_t *rdatalist_a,
-				 dns_rdatalist_t *rdatalist_aaaa)
-{
-	const cfg_listelt_t *element;
-	isc_mem_t *mctx = dns_zone_getmctx(zone);
-	isc_region_t region, sregion;
-	dns_rdata_t *rdata;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	for (element = cfg_list_first(zconfig);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const isc_sockaddr_t* sa;
-		isc_netaddr_t na;
-		const cfg_obj_t *address = cfg_listelt_value(element);
-		dns_rdatalist_t *rdatalist;
-
-		sa = cfg_obj_assockaddr(address);
-		if (isc_sockaddr_getport(sa) != 0) {
-			cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
-				    "port is not configurable for "
-				    "static stub server-addresses");
-			return (ISC_R_FAILURE);
-		}
-		isc_netaddr_fromsockaddr(&na, sa);
-		if (isc_netaddr_getzone(&na) != 0) {
-			cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
-					    "scoped address is not allowed "
-					    "for static stub "
-					    "server-addresses");
-			return (ISC_R_FAILURE);
-		}
-
-		switch (na.family) {
-		case AF_INET:
-			region.length = sizeof(na.type.in);
-			rdatalist = rdatalist_a;
-			break;
-		default:
-			INSIST(na.family == AF_INET6);
-			region.length = sizeof(na.type.in6);
-			rdatalist = rdatalist_aaaa;
-			break;
-		}
-
-		rdata = isc_mem_get(mctx, sizeof(*rdata) + region.length);
-		if (rdata == NULL)
-			return (ISC_R_NOMEMORY);
-		region.base = (unsigned char *)(rdata + 1);
-		memcpy(region.base, &na.type, region.length);
-		dns_rdata_init(rdata);
-		dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
-				     rdatalist->type, &region);
-		ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	}
-
-	/*
-	 * If no address is specified (unlikely in this context, but possible),
-	 * there's nothing to do anymore.
-	 */
-	if (ISC_LIST_EMPTY(rdatalist_a->rdata) &&
-	    ISC_LIST_EMPTY(rdatalist_aaaa->rdata)) {
-		return (ISC_R_SUCCESS);
-	}
-
-	/* Add to the list an apex NS with the ns name being the origin name */
-	dns_name_toregion(dns_zone_getorigin(zone), &sregion);
-	rdata = isc_mem_get(mctx, sizeof(*rdata) + sregion.length);
-	if (rdata == NULL) {
-		/*
-		 * Already allocated data will be freed in the caller, so
-		 * we can simply return here.
-		 */
-		return (ISC_R_NOMEMORY);
-	}
-	region.length = sregion.length;
-	region.base = (unsigned char *)(rdata + 1);
-	memcpy(region.base, sregion.base, region.length);
-	dns_rdata_init(rdata);
-	dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
-			     dns_rdatatype_ns, &region);
-	ISC_LIST_APPEND(rdatalist_ns->rdata, rdata, link);
-
-	return (result);
-}
-
-/*%
- * Configure an apex NS with an out-of-zone NS names for a static-stub zone.
- * For example, for the zone named "example.com", something like the following
- * RRs will be added to the zone DB:
- * example.com. NS ns.example.net.
- */
-static isc_result_t
-configure_staticstub_servernames(const cfg_obj_t *zconfig, dns_zone_t *zone,
-				 dns_rdatalist_t *rdatalist, const char *zname)
-{
-	const cfg_listelt_t *element;
-	isc_mem_t *mctx = dns_zone_getmctx(zone);
-	dns_rdata_t *rdata;
-	isc_region_t sregion, region;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	for (element = cfg_list_first(zconfig);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *obj;
-		const char *str;
-		dns_fixedname_t fixed_name;
-		dns_name_t *nsname;
-		isc_buffer_t b;
-
-		obj = cfg_listelt_value(element);
-		str = cfg_obj_asstring(obj);
-
-		dns_fixedname_init(&fixed_name);
-		nsname = dns_fixedname_name(&fixed_name);
-
-		isc_buffer_constinit(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		result = dns_name_fromtext(nsname, &b, dns_rootname, 0, NULL);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
-					    "server-name '%s' is not a valid "
-					    "name", str);
-			return (result);
-		}
-		if (dns_name_issubdomain(nsname, dns_zone_getorigin(zone))) {
-			cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
-				    "server-name '%s' must not be a "
-				    "subdomain of zone name '%s'",
-				    str, zname);
-			return (ISC_R_FAILURE);
-		}
-
-		dns_name_toregion(nsname, &sregion);
-		rdata = isc_mem_get(mctx, sizeof(*rdata) + sregion.length);
-		if (rdata == NULL)
-			return (ISC_R_NOMEMORY);
-		region.length = sregion.length;
-		region.base = (unsigned char *)(rdata + 1);
-		memcpy(region.base, sregion.base, region.length);
-		dns_rdata_init(rdata);
-		dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
-				     dns_rdatatype_ns, &region);
-		ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	}
-
-	return (result);
-}
-
-/*%
- * Configure static-stub zone.
- */
-static isc_result_t
-configure_staticstub(const cfg_obj_t *zconfig, dns_zone_t *zone,
-		     const char *zname, const char *dbtype)
-{
-	int i = 0;
-	const cfg_obj_t *obj;
-	isc_mem_t *mctx = dns_zone_getmctx(zone);
-	dns_db_t *db = NULL;
-	dns_dbversion_t *dbversion = NULL;
-	dns_dbnode_t *apexnode = NULL;
-	dns_name_t apexname;
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	dns_rdatalist_t rdatalist_ns, rdatalist_a, rdatalist_aaaa;
-	dns_rdatalist_t* rdatalists[] = {
-		&rdatalist_ns, &rdatalist_a, &rdatalist_aaaa, NULL
-	};
-	dns_rdata_t *rdata;
-	isc_region_t region;
-
-	/* Create the DB beforehand */
-	RETERR(dns_db_create(mctx, dbtype, dns_zone_getorigin(zone),
-			     dns_dbtype_stub, dns_zone_getclass(zone),
-			     0, NULL, &db));
-	dns_zone_setdb(zone, db);
-
-	dns_rdatalist_init(&rdatalist_ns);
-	rdatalist_ns.rdclass = dns_zone_getclass(zone);
-	rdatalist_ns.type = dns_rdatatype_ns;
-	rdatalist_ns.ttl = STATICSTUB_SERVER_TTL;
-
-	dns_rdatalist_init(&rdatalist_a);
-	rdatalist_a.rdclass = dns_zone_getclass(zone);
-	rdatalist_a.type = dns_rdatatype_a;
-	rdatalist_a.ttl = STATICSTUB_SERVER_TTL;
-
-	dns_rdatalist_init(&rdatalist_aaaa);
-	rdatalist_aaaa.rdclass = dns_zone_getclass(zone);
-	rdatalist_aaaa.type = dns_rdatatype_aaaa;
-	rdatalist_aaaa.ttl = STATICSTUB_SERVER_TTL;
-
-	/* Prepare zone RRs from the configuration */
-	obj = NULL;
-	result = cfg_map_get(zconfig, "server-addresses", &obj);
-	if (result == ISC_R_SUCCESS) {
-		INSIST(obj != NULL);
-		result = configure_staticstub_serveraddrs(obj, zone,
-							  &rdatalist_ns,
-							  &rdatalist_a,
-							  &rdatalist_aaaa);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	obj = NULL;
-	result = cfg_map_get(zconfig, "server-names", &obj);
-	if (result == ISC_R_SUCCESS) {
-		INSIST(obj != NULL);
-		result = configure_staticstub_servernames(obj, zone,
-							  &rdatalist_ns,
-							  zname);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	/*
-	 * Sanity check: there should be at least one NS RR at the zone apex
-	 * to trigger delegation.
-	 */
-	if (ISC_LIST_EMPTY(rdatalist_ns.rdata)) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "No NS record is configured for a "
-			      "static-stub zone '%s'", zname);
-		result = ISC_R_FAILURE;
-		goto cleanup;
-	}
-
-	/*
-	 * Now add NS and glue A/AAAA RRsets to the zone DB.
-	 * First open a new version for the add operation and get a pointer
-	 * to the apex node (all RRs are of the apex name).
-	 */
-	result = dns_db_newversion(db, &dbversion);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	dns_name_init(&apexname, NULL);
-	dns_name_clone(dns_zone_getorigin(zone), &apexname);
-	result = dns_db_findnode(db, &apexname, ISC_FALSE, &apexnode);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/* Add NS RRset */
-	dns_rdataset_init(&rdataset);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(&rdatalist_ns, &rdataset)
-		      == ISC_R_SUCCESS);
-	result = dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset,
-				    0, NULL);
-	dns_rdataset_disassociate(&rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/* Add glue A RRset, if any */
-	if (!ISC_LIST_EMPTY(rdatalist_a.rdata)) {
-		RUNTIME_CHECK(dns_rdatalist_tordataset(&rdatalist_a, &rdataset)
-			      == ISC_R_SUCCESS);
-		result = dns_db_addrdataset(db, apexnode, dbversion, 0,
-					    &rdataset, 0, NULL);
-		dns_rdataset_disassociate(&rdataset);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	/* Add glue AAAA RRset, if any */
-	if (!ISC_LIST_EMPTY(rdatalist_aaaa.rdata)) {
-		RUNTIME_CHECK(dns_rdatalist_tordataset(&rdatalist_aaaa,
-						       &rdataset)
-			      == ISC_R_SUCCESS);
-		result = dns_db_addrdataset(db, apexnode, dbversion, 0,
-					    &rdataset, 0, NULL);
-		dns_rdataset_disassociate(&rdataset);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	result = ISC_R_SUCCESS;
-
-  cleanup:
-	if (apexnode != NULL)
-		dns_db_detachnode(db, &apexnode);
-	if (dbversion != NULL)
-		dns_db_closeversion(db, &dbversion, ISC_TRUE);
-	if (db != NULL)
-		dns_db_detach(&db);
-	for (i = 0; rdatalists[i] != NULL; i++) {
-		while ((rdata = ISC_LIST_HEAD(rdatalists[i]->rdata)) != NULL) {
-			ISC_LIST_UNLINK(rdatalists[i]->rdata, rdata, link);
-			dns_rdata_toregion(rdata, &region);
-			isc_mem_put(mctx, rdata,
-				    sizeof(*rdata) + region.length);
-		}
-	}
-
-	return (result);
-}
-
-/*%
- * Convert a config file zone type into a server zone type.
- */
-static inline dns_zonetype_t
-zonetype_fromconfig(const cfg_obj_t *map) {
-	const cfg_obj_t *obj = NULL;
-	isc_result_t result;
-
-	result = cfg_map_get(map, "type", &obj);
-	INSIST(result == ISC_R_SUCCESS && obj != NULL);
-	return (ns_config_getzonetype(obj));
-}
-
-/*%
- * Helper function for strtoargv().  Pardon the gratuitous recursion.
- */
-static isc_result_t
-strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
-	     char ***argvp, unsigned int n)
-{
-	isc_result_t result;
-
-	/* Discard leading whitespace. */
-	while (*s == ' ' || *s == '\t')
-		s++;
-
-	if (*s == '\0') {
-		/* We have reached the end of the string. */
-		*argcp = n;
-		*argvp = isc_mem_get(mctx, n * sizeof(char *));
-		if (*argvp == NULL)
-			return (ISC_R_NOMEMORY);
-	} else {
-		char *p = s;
-		while (*p != ' ' && *p != '\t' && *p != '\0')
-			p++;
-		if (*p != '\0')
-			*p++ = '\0';
-
-		result = strtoargvsub(mctx, p, argcp, argvp, n + 1);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		(*argvp)[n] = s;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Tokenize the string "s" into whitespace-separated words,
- * return the number of words in '*argcp' and an array
- * of pointers to the words in '*argvp'.  The caller
- * must free the array using isc_mem_put().  The string
- * is modified in-place.
- */
-static isc_result_t
-strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
-	return (strtoargvsub(mctx, s, argcp, argvp, 0));
-}
-
-static void
-checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
-	   const cfg_obj_t **objp)
-{
-	const char *zone = NULL;
-	isc_result_t result;
-
-	switch (ztype) {
-	case dns_zone_slave: zone = "slave"; break;
-	case dns_zone_master: zone = "master"; break;
-	default:
-		INSIST(0);
-	}
-	result = ns_checknames_get(maps, zone, objp);
-	INSIST(result == ISC_R_SUCCESS && objp != NULL && *objp != NULL);
-}
-
-isc_result_t
-ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-		  const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
-		  dns_zone_t *zone, dns_zone_t *raw)
-{
-	isc_result_t result;
-	const char *zname;
-	dns_rdataclass_t zclass;
-	dns_rdataclass_t vclass;
-	const cfg_obj_t *maps[5];
-	const cfg_obj_t *zoptions = NULL;
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *obj;
-	const char *filename = NULL;
-	dns_notifytype_t notifytype = dns_notifytype_yes;
-	isc_sockaddr_t *addrs;
-	dns_name_t **keynames;
-	isc_uint32_t count;
-	char *cpval;
-	unsigned int dbargc;
-	char **dbargv;
-	static char default_dbtype[] = "rbt";
-	isc_mem_t *mctx = dns_zone_getmctx(zone);
-	dns_dialuptype_t dialup = dns_dialuptype_no;
-	dns_zonetype_t ztype;
-	int i;
-	isc_int32_t journal_size;
-	isc_boolean_t multi;
-	isc_boolean_t alt;
-	dns_view_t *view;
-	isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
-	isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
-	isc_boolean_t ixfrdiff;
-	dns_masterformat_t masterformat;
-	isc_stats_t *zoneqrystats;
-#ifdef NEWSTATS
-	dns_stats_t *rcvquerystats;
-#endif
-	dns_zonestat_level_t statlevel;
-	int seconds;
-	dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
-
-	i = 0;
-	if (zconfig != NULL) {
-		zoptions = cfg_tuple_get(zconfig, "options");
-		maps[i++] = zoptions;
-	}
-	if (vconfig != NULL)
-		maps[i++] = cfg_tuple_get(vconfig, "options");
-	if (config != NULL) {
-		(void)cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			maps[i++] = options;
-	}
-	maps[i++] = ns_g_defaults;
-	maps[i] = NULL;
-
-	if (vconfig != NULL)
-		RETERR(ns_config_getclass(cfg_tuple_get(vconfig, "class"),
-					  dns_rdataclass_in, &vclass));
-	else
-		vclass = dns_rdataclass_in;
-
-	/*
-	 * Configure values common to all zone types.
-	 */
-
-	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-
-	RETERR(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
-				  vclass, &zclass));
-	dns_zone_setclass(zone, zclass);
-	if (raw != NULL)
-		dns_zone_setclass(raw, zclass);
-
-	ztype = zonetype_fromconfig(zoptions);
-	if (raw != NULL) {
-		dns_zone_settype(raw, ztype);
-		dns_zone_settype(zone, dns_zone_master);
-	} else
-		dns_zone_settype(zone, ztype);
-
-
-	obj = NULL;
-	result = cfg_map_get(zoptions, "database", &obj);
-	if (result == ISC_R_SUCCESS)
-		cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
-	else
-		cpval = default_dbtype;
-
-	if (cpval == NULL)
-		return(ISC_R_NOMEMORY);
-
-	result = strtoargv(mctx, cpval, &dbargc, &dbargv);
-	if (result != ISC_R_SUCCESS && cpval != default_dbtype) {
-		isc_mem_free(mctx, cpval);
-		return (result);
-	}
-
-	/*
-	 * ANSI C is strange here.  There is no logical reason why (char **)
-	 * cannot be promoted automatically to (const char * const *) by the
-	 * compiler w/o generating a warning.
-	 */
-	result = dns_zone_setdbtype(zone, dbargc, (const char * const *)dbargv);
-	isc_mem_put(mctx, dbargv, dbargc * sizeof(*dbargv));
-	if (cpval != default_dbtype)
-		isc_mem_free(mctx, cpval);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	obj = NULL;
-	result = cfg_map_get(zoptions, "file", &obj);
-	if (result == ISC_R_SUCCESS)
-		filename = cfg_obj_asstring(obj);
-
-	/*
-	 * Unless we're using some alternative database, a master zone
-	 * will be needing a master file.
-	 */
-	if (ztype == dns_zone_master && cpval == default_dbtype &&
-	    filename == NULL) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "zone '%s': 'file' not specified",
-			      zname);
-		return (ISC_R_FAILURE);
-	}
-
-	if (ztype == dns_zone_slave)
-		masterformat = dns_masterformat_raw;
-	else
-		masterformat = dns_masterformat_text;
-	obj = NULL;
-	result= ns_config_get(maps, "masterfile-format", &obj);
-	if (result == ISC_R_SUCCESS) {
-		const char *masterformatstr = cfg_obj_asstring(obj);
-
-		if (strcasecmp(masterformatstr, "text") == 0)
-			masterformat = dns_masterformat_text;
-		else if (strcasecmp(masterformatstr, "raw") == 0)
-			masterformat = dns_masterformat_raw;
-		else
-			INSIST(0);
-	}
-
-	if (raw != NULL && filename != NULL) {
-#define SIGNED ".signed"
-		size_t signedlen = strlen(filename) + sizeof(SIGNED);
-		char *signedname;
-
-		RETERR(dns_zone_setfile2(raw, filename, masterformat));
-		signedname = isc_mem_get(mctx, signedlen);
-		if (signedname == NULL)
-			return (ISC_R_NOMEMORY);
-
-		(void)snprintf(signedname, signedlen, "%s" SIGNED, filename);
-		result = dns_zone_setfile2(zone, signedname,
-					   dns_masterformat_raw);
-		isc_mem_put(mctx, signedname, signedlen);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} else
-		RETERR(dns_zone_setfile2(zone, filename, masterformat));
-
-	obj = NULL;
-	result = cfg_map_get(zoptions, "journal", &obj);
-	if (result == ISC_R_SUCCESS)
-		RETERR(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj)));
-
-	/*
-	 * Notify messages are processed by the raw zone if it exists.
-	 */
-	if (ztype == dns_zone_slave)
-		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  allow_notify, ac, mayberaw,
-					  dns_zone_setnotifyacl,
-					  dns_zone_clearnotifyacl));
-
-	/*
-	 * XXXAG This probably does not make sense for stubs.
-	 */
-	RETERR(configure_zone_acl(zconfig, vconfig, config,
-				  allow_query, ac, zone,
-				  dns_zone_setqueryacl,
-				  dns_zone_clearqueryacl));
-
-	RETERR(configure_zone_acl(zconfig, vconfig, config,
-				  allow_query_on, ac, zone,
-				  dns_zone_setqueryonacl,
-				  dns_zone_clearqueryonacl));
-
-	obj = NULL;
-	result = ns_config_get(maps, "dialup", &obj);
-	INSIST(result == ISC_R_SUCCESS && obj != NULL);
-	if (cfg_obj_isboolean(obj)) {
-		if (cfg_obj_asboolean(obj))
-			dialup = dns_dialuptype_yes;
-		else
-			dialup = dns_dialuptype_no;
-	} else {
-		const char *dialupstr = cfg_obj_asstring(obj);
-		if (strcasecmp(dialupstr, "notify") == 0)
-			dialup = dns_dialuptype_notify;
-		else if (strcasecmp(dialupstr, "notify-passive") == 0)
-			dialup = dns_dialuptype_notifypassive;
-		else if (strcasecmp(dialupstr, "refresh") == 0)
-			dialup = dns_dialuptype_refresh;
-		else if (strcasecmp(dialupstr, "passive") == 0)
-			dialup = dns_dialuptype_passive;
-		else
-			INSIST(0);
-	}
-	if (raw != NULL)
-		dns_zone_setdialup(raw, dialup);
-	dns_zone_setdialup(zone, dialup);
-
-	obj = NULL;
-	result = ns_config_get(maps, "zone-statistics", &obj);
-	INSIST(result == ISC_R_SUCCESS && obj != NULL);
-	if (cfg_obj_isboolean(obj)) {
-		if (cfg_obj_asboolean(obj))
-			statlevel = dns_zonestat_full;
-		else
-			statlevel = dns_zonestat_terse; /* XXX */
-	} else {
-		const char *levelstr = cfg_obj_asstring(obj);
-		if (strcasecmp(levelstr, "full") == 0)
-			statlevel = dns_zonestat_full;
-		else if (strcasecmp(levelstr, "terse") == 0)
-			statlevel = dns_zonestat_terse;
-		else if (strcasecmp(levelstr, "none") == 0)
-			statlevel = dns_zonestat_none;
-		else
-			INSIST(0);
-	}
-	dns_zone_setstatlevel(zone, statlevel);
-
-	zoneqrystats  = NULL;
-#ifdef NEWSTATS
-	rcvquerystats = NULL;
-#endif
-	if (statlevel == dns_zonestat_full) {
-		RETERR(isc_stats_create(mctx, &zoneqrystats,
-					dns_nsstatscounter_max));
-#ifdef NEWSTATS
-		RETERR(dns_rdatatypestats_create(mctx,
-					&rcvquerystats));
-#endif
-	}
-	dns_zone_setrequeststats(zone,  zoneqrystats );
-#ifdef NEWSTATS
-	dns_zone_setrcvquerystats(zone, rcvquerystats);
-#endif
-
-	if (zoneqrystats != NULL)
-		isc_stats_detach(&zoneqrystats);
-
-#ifdef NEWSTATS
-	if(rcvquerystats != NULL)
-		dns_stats_detach(&rcvquerystats);
-#endif
-
-	/*
-	 * Configure master functionality.  This applies
-	 * to primary masters (type "master") and slaves
-	 * acting as masters (type "slave"), but not to stubs.
-	 */
-	if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
-	    ztype != dns_zone_redirect) {
-		obj = NULL;
-		result = ns_config_get(maps, "notify", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		if (cfg_obj_isboolean(obj)) {
-			if (cfg_obj_asboolean(obj))
-				notifytype = dns_notifytype_yes;
-			else
-				notifytype = dns_notifytype_no;
-		} else {
-			const char *notifystr = cfg_obj_asstring(obj);
-			if (strcasecmp(notifystr, "explicit") == 0)
-				notifytype = dns_notifytype_explicit;
-			else if (strcasecmp(notifystr, "master-only") == 0)
-				notifytype = dns_notifytype_masteronly;
-			else
-				INSIST(0);
-		}
-		if (raw != NULL)
-			dns_zone_setnotifytype(raw, dns_notifytype_no);
-		dns_zone_setnotifytype(zone, notifytype);
-
-		obj = NULL;
-		result = ns_config_get(maps, "also-notify", &obj);
-		if (result == ISC_R_SUCCESS) {
-			isc_uint32_t addrcount;
-			addrs = NULL;
-			keynames = NULL;
-			RETERR(ns_config_getipandkeylist(config, obj, mctx,
-							 &addrs, &keynames,
-							 &addrcount));
-			result = dns_zone_setalsonotifywithkeys(zone, addrs,
-								keynames,
-								addrcount);
-			if (addrcount != 0)
-				ns_config_putipandkeylist(mctx, &addrs,
-							  &keynames, addrcount);
-			else
-				INSIST(addrs == NULL && keynames == NULL);
-			RETERR(result);
-		} else
-			RETERR(dns_zone_setalsonotify(zone, NULL, 0));
-
-		obj = NULL;
-		result = ns_config_get(maps, "notify-source", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
-		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "notify-source-v6", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
-		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "notify-to-soa", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setoption(zone, DNS_ZONEOPT_NOTIFYTOSOA,
-				   cfg_obj_asboolean(obj));
-
-		dns_zone_setisself(zone, ns_client_isself, NULL);
-
-		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  allow_transfer, ac, zone,
-					  dns_zone_setxfracl,
-					  dns_zone_clearxfracl));
-
-		obj = NULL;
-		result = ns_config_get(maps, "max-transfer-time-out", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setmaxxfrout(zone, cfg_obj_asuint32(obj) * 60);
-
-		obj = NULL;
-		result = ns_config_get(maps, "max-transfer-idle-out", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60);
-
-		obj = NULL;
-		result = ns_config_get(maps, "max-journal-size", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		if (raw != NULL)
-			dns_zone_setjournalsize(raw, -1);
-		dns_zone_setjournalsize(zone, -1);
-		if (cfg_obj_isstring(obj)) {
-			const char *str = cfg_obj_asstring(obj);
-			INSIST(strcasecmp(str, "unlimited") == 0);
-			journal_size = ISC_UINT32_MAX / 2;
-		} else {
-			isc_resourcevalue_t value;
-			value = cfg_obj_asuint64(obj);
-			if (value > ISC_UINT32_MAX / 2) {
-				cfg_obj_log(obj, ns_g_lctx,
-					    ISC_LOG_ERROR,
-					    "'max-journal-size "
-					    "%" ISC_PRINT_QUADFORMAT "d' "
-					    "is too large",
-					    value);
-				RETERR(ISC_R_RANGE);
-			}
-			journal_size = (isc_uint32_t)value;
-		}
-		if (raw != NULL)
-			dns_zone_setjournalsize(raw, journal_size);
-		dns_zone_setjournalsize(zone, journal_size);
-
-		obj = NULL;
-		result = ns_config_get(maps, "ixfr-from-differences", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		if (cfg_obj_isboolean(obj))
-			ixfrdiff = cfg_obj_asboolean(obj);
-		else if (!strcasecmp(cfg_obj_asstring(obj), "master") &&
-			 ztype == dns_zone_master)
-			ixfrdiff = ISC_TRUE;
-		else if (!strcasecmp(cfg_obj_asstring(obj), "slave") &&
-			ztype == dns_zone_slave)
-			ixfrdiff = ISC_TRUE;
-		else
-			ixfrdiff = ISC_FALSE;
-		if (raw != NULL) {
-			dns_zone_setoption(raw, DNS_ZONEOPT_IXFRFROMDIFFS,
-					   ISC_TRUE);
-			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
-					   ISC_TRUE);
-		} else
-			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
-					   ixfrdiff);
-
-		obj = NULL;
-		result = ns_config_get(maps, "request-ixfr", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setrequestixfr(zone, cfg_obj_asboolean(obj));
-
-		checknames(ztype, maps, &obj);
-		INSIST(obj != NULL);
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			fail = ISC_FALSE;
-			check = ISC_TRUE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			fail = check = ISC_TRUE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			fail = check = ISC_FALSE;
-		} else
-			INSIST(0);
-		if (raw != NULL) {
-			dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMES,
-					   check);
-			dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMESFAIL,
-					   fail);
-			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES,
-					   ISC_FALSE);
-			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
-					   ISC_FALSE);
-		} else {
-			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES,
-					   check);
-			dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL,
-					   fail);
-		}
-
-		obj = NULL;
-		result = ns_config_get(maps, "notify-delay", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setnotifydelay(zone, cfg_obj_asuint32(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "check-sibling", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
-				   cfg_obj_asboolean(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "check-spf", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			check = ISC_TRUE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			check = ISC_FALSE;
-		} else
-			INSIST(0);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check);
-
-		obj = NULL;
-		result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "nsec3-test-zone", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
-				   cfg_obj_asboolean(obj));
-	} else if (ztype == dns_zone_redirect) {
-		dns_zone_setnotifytype(zone, dns_notifytype_no);
-
-		obj = NULL;
-		result = ns_config_get(maps, "max-journal-size", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setjournalsize(zone, -1);
-		if (cfg_obj_isstring(obj)) {
-			const char *str = cfg_obj_asstring(obj);
-			INSIST(strcasecmp(str, "unlimited") == 0);
-			journal_size = ISC_UINT32_MAX / 2;
-		} else {
-			isc_resourcevalue_t value;
-			value = cfg_obj_asuint64(obj);
-			if (value > ISC_UINT32_MAX / 2) {
-				cfg_obj_log(obj, ns_g_lctx,
-					    ISC_LOG_ERROR,
-					    "'max-journal-size "
-					    "%" ISC_PRINT_QUADFORMAT "d' "
-					    "is too large",
-					    value);
-				RETERR(ISC_R_RANGE);
-			}
-			journal_size = (isc_uint32_t)value;
-		}
-		dns_zone_setjournalsize(zone, journal_size);
-	}
-
-	/*
-	 * Configure update-related options.  These apply to
-	 * primary masters only.
-	 */
-	if (ztype == dns_zone_master) {
-		dns_acl_t *updateacl;
-
-		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  allow_update, ac, mayberaw,
-					  dns_zone_setupdateacl,
-					  dns_zone_clearupdateacl));
-
-		updateacl = dns_zone_getupdateacl(mayberaw);
-		if (updateacl != NULL  && dns_acl_isinsecure(updateacl))
-			isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-				      "zone '%s' allows updates by IP "
-				      "address, which is insecure",
-				      zname);
-
-		RETERR(configure_zone_ssutable(zoptions, mayberaw, zname));
-	}
-
-	if (ztype == dns_zone_master || raw != NULL) {
-		isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
-
-		obj = NULL;
-		result = ns_config_get(maps, "sig-validity-interval", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		{
-			const cfg_obj_t *validity, *resign;
-
-			validity = cfg_tuple_get(obj, "validity");
-			seconds = cfg_obj_asuint32(validity) * 86400;
-			dns_zone_setsigvalidityinterval(zone, seconds);
-
-			resign = cfg_tuple_get(obj, "re-sign");
-			if (cfg_obj_isvoid(resign)) {
-				seconds /= 4;
-			} else {
-				if (seconds > 7 * 86400)
-					seconds = cfg_obj_asuint32(resign) *
-							86400;
-				else
-					seconds = cfg_obj_asuint32(resign) *
-							3600;
-			}
-			dns_zone_setsigresigninginterval(zone, seconds);
-		}
-
-		obj = NULL;
-		result = ns_config_get(maps, "key-directory", &obj);
-		if (result == ISC_R_SUCCESS) {
-			filename = cfg_obj_asstring(obj);
-			RETERR(dns_zone_setkeydirectory(zone, filename));
-		}
-
-		obj = NULL;
-		result = ns_config_get(maps, "sig-signing-signatures", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "sig-signing-nodes", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "sig-signing-type", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "update-check-ksk", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
-				   cfg_obj_asboolean(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "dnssec-dnskey-kskonly", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
-				   cfg_obj_asboolean(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "dnssec-loadkeys-interval", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setrefreshkeyinterval(zone,
-						      cfg_obj_asuint32(obj)));
-
-		obj = NULL;
-		result = cfg_map_get(zoptions, "auto-dnssec", &obj);
-		if (result == ISC_R_SUCCESS) {
-			const char *arg = cfg_obj_asstring(obj);
-			if (strcasecmp(arg, "allow") == 0)
-				allow = ISC_TRUE;
-			else if (strcasecmp(arg, "maintain") == 0)
-				allow = maint = ISC_TRUE;
-			else if (strcasecmp(arg, "off") == 0)
-				;
-			else
-				INSIST(0);
-			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
-			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
-		}
-	}
-
-	if (ztype == dns_zone_slave) {
-		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  allow_update_forwarding, ac,
-					  mayberaw, dns_zone_setforwardacl,
-					  dns_zone_clearforwardacl));
-	}
-
-	/*%
-	 * Primary master functionality.
-	 */
-	if (ztype == dns_zone_master) {
-		obj = NULL;
-		result = ns_config_get(maps, "check-wildcard", &obj);
-		if (result == ISC_R_SUCCESS)
-			check = cfg_obj_asboolean(obj);
-		else
-			check = ISC_FALSE;
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKWILDCARD, check);
-
-		obj = NULL;
-		result = ns_config_get(maps, "check-dup-records", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			fail = ISC_FALSE;
-			check = ISC_TRUE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			fail = check = ISC_TRUE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			fail = check = ISC_FALSE;
-		} else
-			INSIST(0);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRR, check);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRRFAIL, fail);
-
-		obj = NULL;
-		result = ns_config_get(maps, "check-mx", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			fail = ISC_FALSE;
-			check = ISC_TRUE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			fail = check = ISC_TRUE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			fail = check = ISC_FALSE;
-		} else
-			INSIST(0);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMX, check);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMXFAIL, fail);
-
-		obj = NULL;
-		result = ns_config_get(maps, "check-integrity", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKINTEGRITY,
-				   cfg_obj_asboolean(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "check-mx-cname", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			warn = ISC_TRUE;
-			ignore = ISC_FALSE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			warn = ignore = ISC_FALSE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			warn = ignore = ISC_TRUE;
-		} else
-			INSIST(0);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNMXCNAME, warn);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNOREMXCNAME, ignore);
-
-		obj = NULL;
-		result = ns_config_get(maps, "check-srv-cname", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
-			warn = ISC_TRUE;
-			ignore = ISC_FALSE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
-			warn = ignore = ISC_FALSE;
-		} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
-			warn = ignore = ISC_TRUE;
-		} else
-			INSIST(0);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNSRVCNAME, warn);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME,
-				   ignore);
-
-		obj = NULL;
-		result = ns_config_get(maps, "dnssec-secure-to-insecure", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_SECURETOINSECURE,
-				   cfg_obj_asboolean(obj));
-
-		obj = NULL;
-		result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
-		if (result == ISC_R_SUCCESS) {
-			const char *arg = cfg_obj_asstring(obj);
-			if (strcasecmp(arg, "no-resign") == 0)
-				dns_zone_setkeyopt(zone, DNS_ZONEKEY_NORESIGN,
-						   ISC_TRUE);
-			else if (strcasecmp(arg, "maintain") == 0)
-				;
-			else
-				INSIST(0);
-		}
-
-		obj = NULL;
-		result = ns_config_get(maps, "serial-update-method", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		if (strcasecmp(cfg_obj_asstring(obj), "unixtime") == 0)
-			dns_zone_setserialupdatemethod(zone,
-						    dns_updatemethod_unixtime);
-		else
-			dns_zone_setserialupdatemethod(zone,
-						  dns_updatemethod_increment);
-	}
-
-	/*
-	 * Configure slave functionality.
-	 */
-	switch (ztype) {
-	case dns_zone_slave:
-	case dns_zone_stub:
-	case dns_zone_redirect:
-		count = 0;
-		obj = NULL;
-		(void)cfg_map_get(zoptions, "masters", &obj);
-		if (obj != NULL) {
-			addrs = NULL;
-			keynames = NULL;
-			RETERR(ns_config_getipandkeylist(config, obj, mctx,
-							 &addrs, &keynames,
-							 &count));
-			result = dns_zone_setmasterswithkeys(mayberaw, addrs,
-							     keynames, count);
-			if (count != 0)
-				ns_config_putipandkeylist(mctx, &addrs,
-							  &keynames, count);
-			else
-				INSIST(addrs == NULL && keynames == NULL);
-		} else
-			result = dns_zone_setmasters(mayberaw, NULL, 0);
-		RETERR(result);
-
-		multi = ISC_FALSE;
-		if (count > 1) {
-			obj = NULL;
-			result = ns_config_get(maps, "multi-master", &obj);
-			INSIST(result == ISC_R_SUCCESS && obj != NULL);
-			multi = cfg_obj_asboolean(obj);
-		}
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_MULTIMASTER, multi);
-
-		obj = NULL;
-		result = ns_config_get(maps, "max-transfer-time-in", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setmaxxfrin(mayberaw, cfg_obj_asuint32(obj) * 60);
-
-		obj = NULL;
-		result = ns_config_get(maps, "max-transfer-idle-in", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setidlein(mayberaw, cfg_obj_asuint32(obj) * 60);
-
-		obj = NULL;
-		result = ns_config_get(maps, "max-refresh-time", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setmaxrefreshtime(mayberaw, cfg_obj_asuint32(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "min-refresh-time", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setminrefreshtime(mayberaw, cfg_obj_asuint32(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "max-retry-time", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setmaxretrytime(mayberaw, cfg_obj_asuint32(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "min-retry-time", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		dns_zone_setminretrytime(mayberaw, cfg_obj_asuint32(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "transfer-source", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setxfrsource4(mayberaw,
-					      cfg_obj_assockaddr(obj)));
-		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "transfer-source-v6", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setxfrsource6(mayberaw,
-					      cfg_obj_assockaddr(obj)));
-		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
-		obj = NULL;
-		result = ns_config_get(maps, "alt-transfer-source", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setaltxfrsource4(mayberaw,
-						 cfg_obj_assockaddr(obj)));
-
-		obj = NULL;
-		result = ns_config_get(maps, "alt-transfer-source-v6", &obj);
-		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		RETERR(dns_zone_setaltxfrsource6(mayberaw,
-						 cfg_obj_assockaddr(obj)));
-
-		obj = NULL;
-		(void)ns_config_get(maps, "use-alt-transfer-source", &obj);
-		if (obj == NULL) {
-			/*
-			 * Default off when views are in use otherwise
-			 * on for BIND 8 compatibility.
-			 */
-			view = dns_zone_getview(zone);
-			if (view != NULL && strcmp(view->name, "_default") == 0)
-				alt = ISC_TRUE;
-			else
-				alt = ISC_FALSE;
-		} else
-			alt = cfg_obj_asboolean(obj);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_USEALTXFRSRC, alt);
-
-		obj = NULL;
-		(void)ns_config_get(maps, "try-tcp-refresh", &obj);
-		dns_zone_setoption(mayberaw, DNS_ZONEOPT_TRYTCPREFRESH,
-				   cfg_obj_asboolean(obj));
-		break;
-
-	case dns_zone_staticstub:
-		RETERR(configure_staticstub(zoptions, zone, zname,
-					    default_dbtype));
-		break;
-
-	default:
-		break;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-
-/*
- * Set up a DLZ zone as writeable
- */
-isc_result_t
-ns_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
-				dns_rdataclass_t rdclass, dns_name_t *name)
-{
-	dns_db_t *db = NULL;
-	isc_time_t now;
-	isc_result_t result;
-
-	TIME_NOW(&now);
-
-	dns_zone_settype(zone, dns_zone_dlz);
-	result = dns_sdlz_setdb(dlzdatabase, rdclass, name, &db);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_zone_dlzpostload(zone, db);
-	dns_db_detach(&db);
-	return (result);
-}
-
-isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
-	const cfg_obj_t *zoptions = NULL;
-	const cfg_obj_t *obj = NULL;
-	const char *cfilename;
-	const char *zfilename;
-	dns_zone_t *raw = NULL;
-	isc_boolean_t has_raw;
-	dns_zonetype_t ztype;
-
-	zoptions = cfg_tuple_get(zconfig, "options");
-
-	/*
-	 * We always reconfigure a static-stub zone for simplicity, assuming
-	 * the amount of data to be loaded is small.
-	 */
-	if (zonetype_fromconfig(zoptions) == dns_zone_staticstub) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "not reusable: staticstub");
-		return (ISC_FALSE);
-	}
-
-	/* If there's a raw zone, use that for filename and type comparison */
-	dns_zone_getraw(zone, &raw);
-	if (raw != NULL) {
-		zfilename = dns_zone_getfile(raw);
-		ztype = dns_zone_gettype(raw);
-		dns_zone_detach(&raw);
-		has_raw = ISC_TRUE;
-	} else {
-		zfilename = dns_zone_getfile(zone);
-		ztype = dns_zone_gettype(zone);
-		has_raw = ISC_FALSE;
-	}
-
-	obj = NULL;
-	(void)cfg_map_get(zoptions, "inline-signing", &obj);
-	if ((obj == NULL || !cfg_obj_asboolean(obj)) && has_raw) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "not reusable: old zone was inline-signing");
-		return (ISC_FALSE);
-	} else if ((obj != NULL && cfg_obj_asboolean(obj)) && !has_raw) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "not reusable: old zone was not inline-signing");
-		return (ISC_FALSE);
-	}
-
-	if (zonetype_fromconfig(zoptions) != ztype) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "not reusable: type mismatch");
-		return (ISC_FALSE);
-	}
-
-	obj = NULL;
-	(void)cfg_map_get(zoptions, "file", &obj);
-	if (obj != NULL)
-		cfilename = cfg_obj_asstring(obj);
-	else
-		cfilename = NULL;
-	if (!((cfilename == NULL && zfilename == NULL) ||
-	      (cfilename != NULL && zfilename != NULL &&
-	       strcmp(cfilename, zfilename) == 0)))
-	{
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "not reusable: filename mismatch");
-		return (ISC_FALSE);
-	}
-
-	return (ISC_TRUE);
-}
diff --git a/contrib/bind9/bin/nsupdate/Makefile.in b/contrib/bind9/bin/nsupdate/Makefile.in
deleted file mode 100644
index 09e6c14..0000000
--- a/contrib/bind9/bin/nsupdate/Makefile.in
+++ /dev/null
@@ -1,94 +0,0 @@
-# Copyright (C) 2004, 2006-2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.36 2009/12/05 23:31:40 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-READLINE_LIB = @READLINE_LIB@
-
-CINCLUDES =	${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-		${ISC_INCLUDES} ${ISCCFG_INCLUDES} @DST_GSSAPI_INC@
-
-CDEFINES =	@USE_GSSAPI@
-CWARNINGS =
-
-LWRESLIBS =	../../lib/lwres/liblwres.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-BIND9LIBS =	../../lib/bind9/libbind9.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-
-LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
-BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
-
-DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
-
-LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
-
-NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
-
-SUBDIRS =
-
-TARGETS =	nsupdate@EXEEXT@
-
-OBJS =		nsupdate.@O@
-
-UOBJS =
-
-SRCS =		nsupdate.c
-
-MANPAGES =	nsupdate.1
-
-HTMLPAGES =	nsupdate.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-nsupdate.@O@: nsupdate.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \
-		-c ${srcdir}/nsupdate.c
-
-nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
-	export BASEOBJS="nsupdate.@O@ ${READLINE_LIB} ${UOBJS}"; \
-	${FINALBUILDCMD}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-clean distclean::
-	rm -f ${TARGETS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-
-install:: nsupdate@EXEEXT@ installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsupdate@EXEEXT@ ${DESTDIR}${bindir}
-	${INSTALL_DATA} ${srcdir}/nsupdate.1 ${DESTDIR}${mandir}/man1
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.1 b/contrib/bind9/bin/nsupdate/nsupdate.1
deleted file mode 100644
index 1e2dcaf..0000000
--- a/contrib/bind9/bin/nsupdate/nsupdate.1
+++ /dev/null
@@ -1,441 +0,0 @@
-.\" Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: nsupdate
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Aug 25, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "NSUPDATE" "1" "Aug 25, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-nsupdate \- Dynamic DNS update utility
-.SH "SYNOPSIS"
-.HP 9
-\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
-.SH "DESCRIPTION"
-.PP
-\fBnsupdate\fR
-is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.
-.PP
-Zones that are under dynamic control via
-\fBnsupdate\fR
-or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost.
-.PP
-The resource records that are dynamically added or removed with
-\fBnsupdate\fR
-have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.
-.PP
-The
-\fB\-d\fR
-option makes
-\fBnsupdate\fR
-operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
-.PP
-The
-\fB\-D\fR
-option makes
-\fBnsupdate\fR
-report additional debugging information to
-\fB\-d\fR.
-.PP
-The
-\fB\-L\fR
-option with an integer argument of zero or higher sets the logging debug level. If zero, logging is disabled.
-.PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS\-TSIG as described in RFC 3645. TSIG relies on a shared secret that should only be known to
-\fBnsupdate\fR
-and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
-\fBkey\fR
-and
-\fBserver\fR
-statements would be added to
-\fI/etc/named.conf\fR
-so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
-\fBnsupdate\fR
-does not read
-\fI/etc/named.conf\fR.
-.PP
-GSS\-TSIG uses Kerberos credentials. Standard GSS\-TSIG mode is switched on with the
-\fB\-g\fR
-flag. A non\-standards\-compliant variant of GSS\-TSIG used by Windows 2000 can be switched on with the
-\fB\-o\fR
-flag.
-.PP
-\fBnsupdate\fR
-uses the
-\fB\-y\fR
-or
-\fB\-k\fR
-option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive.
-.PP
-When the
-\fB\-y\fR
-option is used, a signature is generated from
-[\fIhmac:\fR]\fIkeyname:secret.\fR
-\fIkeyname\fR
-is the name of the key, and
-\fIsecret\fR
-is the base64 encoded shared secret. Use of the
-\fB\-y\fR
-option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
-\fBps\fR(1)
-or in a history file maintained by the user's shell.
-.PP
-With the
-\fB\-k\fR
-option,
-\fBnsupdate\fR
-reads the shared secret from the file
-\fIkeyfile\fR. Keyfiles may be in two formats: a single file containing a
-\fInamed.conf\fR\-format
-\fBkey\fR
-statement, which may be generated automatically by
-\fBddns\-confgen\fR, or a pair of files whose names are of the format
-\fIK{name}.+157.+{random}.key\fR
-and
-\fIK{name}.+157.+{random}.private\fR, which can be generated by
-\fBdnssec\-keygen\fR. The
-\fB\-k\fR
-may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
-.PP
-\fBnsupdate\fR
-can be run in a local\-host only mode using the
-\fB\-l\fR
-flag. This sets the server address to localhost (disabling the
-\fBserver\fR
-so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in
-\fI/var/run/named/session.key\fR, which is automatically generated by
-\fBnamed\fR
-if any local master zone has set
-\fBupdate\-policy\fR
-to
-\fBlocal\fR. The location of this key file can be overridden with the
-\fB\-k\fR
-option.
-.PP
-By default,
-\fBnsupdate\fR
-uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The
-\fB\-v\fR
-option makes
-\fBnsupdate\fR
-use a TCP connection. This may be preferable when a batch of update requests is made.
-.PP
-The
-\fB\-p\fR
-sets the default port number to use for connections to a name server. The default is 53.
-.PP
-The
-\fB\-t\fR
-option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
-.PP
-The
-\fB\-u\fR
-option sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.
-.PP
-The
-\fB\-r\fR
-option sets the number of UDP retries. The default is 3. If zero, only one update request will be made.
-.PP
-The
-\fB\-R \fR\fB\fIrandomdev\fR\fR
-option specifies a source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used. This option may be specified multiple times.
-.SH "INPUT FORMAT"
-.PP
-\fBnsupdate\fR
-reads input from
-\fIfilename\fR
-or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail.
-.PP
-Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the
-\fBsend\fR
-command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.
-.PP
-The command formats and their meaning are as follows:
-.PP
-\fBserver\fR {servername} [port]
-.RS 4
-Sends all dynamic update requests to the name server
-\fIservername\fR. When no server statement is provided,
-\fBnsupdate\fR
-will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone.
-\fIport\fR
-is the port number on
-\fIservername\fR
-where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
-.RE
-.PP
-\fBlocal\fR {address} [port]
-.RS 4
-Sends all dynamic update requests using the local
-\fIaddress\fR. When no local statement is provided,
-\fBnsupdate\fR
-will send updates using an address and port chosen by the system.
-\fIport\fR
-can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.
-.RE
-.PP
-\fBzone\fR {zonename}
-.RS 4
-Specifies that all updates are to be made to the zone
-\fIzonename\fR. If no
-\fIzone\fR
-statement is provided,
-\fBnsupdate\fR
-will attempt determine the correct zone to update based on the rest of the input.
-.RE
-.PP
-\fBclass\fR {classname}
-.RS 4
-Specify the default class. If no
-\fIclass\fR
-is specified, the default class is
-\fIIN\fR.
-.RE
-.PP
-\fBttl\fR {seconds}
-.RS 4
-Specify the default time to live for records to be added. The value
-\fInone\fR
-will clear the default ttl.
-.RE
-.PP
-\fBkey\fR {name} {secret}
-.RS 4
-Specifies that all updates are to be TSIG\-signed using the
-\fIkeyname\fR
-\fIkeysecret\fR
-pair. The
-\fBkey\fR
-command overrides any key specified on the command line via
-\fB\-y\fR
-or
-\fB\-k\fR.
-.RE
-.PP
-\fBgsstsig\fR
-.RS 4
-Use GSS\-TSIG to sign the updated. This is equivalent to specifying
-\fB\-g\fR
-on the commandline.
-.RE
-.PP
-\fBoldgsstsig\fR
-.RS 4
-Use the Windows 2000 version of GSS\-TSIG to sign the updated. This is equivalent to specifying
-\fB\-o\fR
-on the commandline.
-.RE
-.PP
-\fBrealm\fR {[realm_name]}
-.RS 4
-When using GSS\-TSIG use
-\fIrealm_name\fR
-rather than the default realm in
-\fIkrb5.conf\fR. If no realm is specified the saved realm is cleared.
-.RE
-.PP
-\fB[prereq]\fR\fB nxdomain\fR {domain\-name}
-.RS 4
-Requires that no resource record of any type exists with name
-\fIdomain\-name\fR.
-.RE
-.PP
-\fB[prereq]\fR\fB yxdomain\fR {domain\-name}
-.RS 4
-Requires that
-\fIdomain\-name\fR
-exists (has as at least one resource record, of any type).
-.RE
-.PP
-\fB[prereq]\fR\fB nxrrset\fR {domain\-name} [class] {type}
-.RS 4
-Requires that no resource record exists of the specified
-\fItype\fR,
-\fIclass\fR
-and
-\fIdomain\-name\fR. If
-\fIclass\fR
-is omitted, IN (internet) is assumed.
-.RE
-.PP
-\fB[prereq]\fR\fB yxrrset\fR {domain\-name} [class] {type}
-.RS 4
-This requires that a resource record of the specified
-\fItype\fR,
-\fIclass\fR
-and
-\fIdomain\-name\fR
-must exist. If
-\fIclass\fR
-is omitted, IN (internet) is assumed.
-.RE
-.PP
-\fB[prereq]\fR\fB yxrrset\fR {domain\-name} [class] {type} {data...}
-.RS 4
-The
-\fIdata\fR
-from each set of prerequisites of this form sharing a common
-\fItype\fR,
-\fIclass\fR, and
-\fIdomain\-name\fR
-are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given
-\fItype\fR,
-\fIclass\fR, and
-\fIdomain\-name\fR. The
-\fIdata\fR
-are written in the standard text representation of the resource record's RDATA.
-.RE
-.PP
-\fB[update]\fR\fB del\fR\fB[ete]\fR {domain\-name} [ttl] [class] [type\ [data...]]
-.RS 4
-Deletes any resource records named
-\fIdomain\-name\fR. If
-\fItype\fR
-and
-\fIdata\fR
-is provided, only matching resource records will be removed. The internet class is assumed if
-\fIclass\fR
-is not supplied. The
-\fIttl\fR
-is ignored, and is only allowed for compatibility.
-.RE
-.PP
-\fB[update]\fR\fB add\fR {domain\-name} {ttl} [class] {type} {data...}
-.RS 4
-Adds a new resource record with the specified
-\fIttl\fR,
-\fIclass\fR
-and
-\fIdata\fR.
-.RE
-.PP
-\fBshow\fR
-.RS 4
-Displays the current message, containing all of the prerequisites and updates specified since the last send.
-.RE
-.PP
-\fBsend\fR
-.RS 4
-Sends the current message. This is equivalent to entering a blank line.
-.RE
-.PP
-\fBanswer\fR
-.RS 4
-Displays the answer.
-.RE
-.PP
-\fBdebug\fR
-.RS 4
-Turn on debugging.
-.RE
-.PP
-Lines beginning with a semicolon are comments and are ignored.
-.SH "EXAMPLES"
-.PP
-The examples below show how
-\fBnsupdate\fR
-could be used to insert and delete resource records from the
-\fBexample.com\fR
-zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
-\fBexample.com\fR.
-.sp
-.RS 4
-.nf
-# nsupdate
-> update delete oldhost.example.com A
-> update add newhost.example.com 86400 A 172.16.1.1
-> send
-.fi
-.RE
-.sp
-.PP
-Any A records for
-\fBoldhost.example.com\fR
-are deleted. And an A record for
-\fBnewhost.example.com\fR
-with IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds).
-.sp
-.RS 4
-.nf
-# nsupdate
-> prereq nxdomain nickname.example.com
-> update add nickname.example.com 86400 CNAME somehost.example.com
-> send
-.fi
-.RE
-.sp
-.PP
-The prerequisite condition gets the name server to check that there are no resource records of any type for
-\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC 1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
-.SH "FILES"
-.PP
-\fB/etc/resolv.conf\fR
-.RS 4
-used to identify default name server
-.RE
-.PP
-\fB/var/run/named/session.key\fR
-.RS 4
-sets the default TSIG key for use in local\-only mode
-.RE
-.PP
-\fBK{name}.+157.+{random}.key\fR
-.RS 4
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.RE
-.PP
-\fBK{name}.+157.+{random}.private\fR
-.RS 4
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.RE
-.SH "SEE ALSO"
-.PP
-RFC 2136,
-RFC 3007,
-RFC 2104,
-RFC 2845,
-RFC 1034,
-RFC 2535,
-RFC 2931,
-\fBnamed\fR(8),
-\fBddns\-confgen\fR(8),
-\fBdnssec\-keygen\fR(8).
-.SH "BUGS"
-.PP
-The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2012 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2003 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.c b/contrib/bind9/bin/nsupdate/nsupdate.c
deleted file mode 100644
index 06e5fc1..0000000
--- a/contrib/bind9/bin/nsupdate/nsupdate.c
+++ /dev/null
@@ -1,3022 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/app.h>
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/event.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/lex.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/region.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <dns/callbacks.h>
-#include <dns/dispatch.h>
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/masterdump.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rcode.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/request.h>
-#include <dns/result.h>
-#include <dns/tkey.h>
-#include <dns/tsig.h>
-
-#include <dst/dst.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-
-#ifdef GSSAPI
-#include <dst/gssapi.h>
-#include ISC_PLATFORM_KRB5HEADER
-#endif
-#include <bind9/getaddresses.h>
-
-#if defined(HAVE_READLINE)
-#include <readline/readline.h>
-#include <readline/history.h>
-#endif
-
-#ifdef HAVE_ADDRINFO
-#ifdef HAVE_GETADDRINFO
-#ifdef HAVE_GAISTRERROR
-#define USE_GETADDRINFO
-#endif
-#endif
-#endif
-
-#ifndef USE_GETADDRINFO
-#ifndef ISC_PLATFORM_NONSTDHERRNO
-extern int h_errno;
-#endif
-#endif
-
-#define MAXCMD (4 * 1024)
-#define MAXWIRE (64 * 1024)
-#define PACKETSIZE ((64 * 1024) - 1)
-#define INITTEXT (2 * 1024)
-#define MAXTEXT (128 * 1024)
-#define FIND_TIMEOUT 5
-#define TTL_MAX 2147483647U	/* Maximum signed 32 bit integer. */
-
-#define DNSDEFAULTPORT 53
-
-static isc_uint16_t dnsport = DNSDEFAULTPORT;
-
-#ifndef RESOLV_CONF
-#define RESOLV_CONF "/etc/resolv.conf"
-#endif
-
-static isc_boolean_t debugging = ISC_FALSE, ddebugging = ISC_FALSE;
-static isc_boolean_t memdebugging = ISC_FALSE;
-static isc_boolean_t have_ipv4 = ISC_FALSE;
-static isc_boolean_t have_ipv6 = ISC_FALSE;
-static isc_boolean_t is_dst_up = ISC_FALSE;
-static isc_boolean_t usevc = ISC_FALSE;
-static isc_boolean_t usegsstsig = ISC_FALSE;
-static isc_boolean_t use_win2k_gsstsig = ISC_FALSE;
-static isc_boolean_t tried_other_gsstsig = ISC_FALSE;
-static isc_boolean_t local_only = ISC_FALSE;
-static isc_taskmgr_t *taskmgr = NULL;
-static isc_task_t *global_task = NULL;
-static isc_event_t *global_event = NULL;
-static isc_log_t *lctx = NULL;
-static isc_mem_t *mctx = NULL;
-static dns_dispatchmgr_t *dispatchmgr = NULL;
-static dns_requestmgr_t *requestmgr = NULL;
-static isc_socketmgr_t *socketmgr = NULL;
-static isc_timermgr_t *timermgr = NULL;
-static dns_dispatch_t *dispatchv4 = NULL;
-static dns_dispatch_t *dispatchv6 = NULL;
-static dns_message_t *updatemsg = NULL;
-static dns_fixedname_t fuserzone;
-static dns_name_t *userzone = NULL;
-static dns_name_t *zonename = NULL;
-static dns_name_t tmpzonename;
-static dns_name_t restart_master;
-static dns_tsig_keyring_t *gssring = NULL;
-static dns_tsigkey_t *tsigkey = NULL;
-static dst_key_t *sig0key = NULL;
-static lwres_context_t *lwctx = NULL;
-static lwres_conf_t *lwconf;
-static isc_sockaddr_t *servers;
-static int ns_inuse = 0;
-static int ns_total = 0;
-static isc_sockaddr_t *userserver = NULL;
-static isc_sockaddr_t *localaddr = NULL;
-static isc_sockaddr_t *serveraddr = NULL;
-static isc_sockaddr_t tempaddr;
-static const char *keyfile = NULL;
-static char *keystr = NULL;
-static isc_entropy_t *entropy = NULL;
-static isc_boolean_t shuttingdown = ISC_FALSE;
-static FILE *input;
-static isc_boolean_t interactive = ISC_TRUE;
-static isc_boolean_t seenerror = ISC_FALSE;
-static const dns_master_style_t *style;
-static int requests = 0;
-static unsigned int logdebuglevel = 0;
-static unsigned int timeout = 300;
-static unsigned int udp_timeout = 3;
-static unsigned int udp_retries = 3;
-static dns_rdataclass_t defaultclass = dns_rdataclass_in;
-static dns_rdataclass_t zoneclass = dns_rdataclass_none;
-static dns_message_t *answer = NULL;
-static isc_uint32_t default_ttl = 0;
-static isc_boolean_t default_ttl_set = ISC_FALSE;
-
-typedef struct nsu_requestinfo {
-	dns_message_t *msg;
-	isc_sockaddr_t *addr;
-} nsu_requestinfo_t;
-
-static void
-sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-	    dns_message_t *msg, dns_request_t **request);
-
-ISC_PLATFORM_NORETURN_PRE static void
-fatal(const char *format, ...)
-ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
-
-static void
-debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-static void
-ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-#ifdef GSSAPI
-static dns_fixedname_t fkname;
-static isc_sockaddr_t *kserver = NULL;
-static char *realm = NULL;
-static char servicename[DNS_NAME_FORMATSIZE];
-static dns_name_t *keyname;
-typedef struct nsu_gssinfo {
-	dns_message_t *msg;
-	isc_sockaddr_t *addr;
-	gss_ctx_id_t context;
-} nsu_gssinfo_t;
-
-static void
-start_gssrequest(dns_name_t *master);
-static void
-send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		dns_message_t *msg, dns_request_t **request,
-		gss_ctx_id_t context);
-static void
-recvgss(isc_task_t *task, isc_event_t *event);
-#endif /* GSSAPI */
-
-static void
-error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-#define STATUS_MORE	(isc_uint16_t)0
-#define STATUS_SEND	(isc_uint16_t)1
-#define STATUS_QUIT	(isc_uint16_t)2
-#define STATUS_SYNTAX	(isc_uint16_t)3
-
-typedef struct entropysource entropysource_t;
-
-struct entropysource {
-	isc_entropysource_t *source;
-	isc_mem_t *mctx;
-	ISC_LINK(entropysource_t) link;
-};
-
-static ISC_LIST(entropysource_t) sources;
-
-static void
-setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx)
-{
-	isc_result_t result;
-	isc_entropysource_t *source = NULL;
-	entropysource_t *elt;
-	int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
-
-	REQUIRE(ectx != NULL);
-
-	if (*ectx == NULL) {
-		result = isc_entropy_create(mctx, ectx);
-		if (result != ISC_R_SUCCESS)
-			fatal("could not create entropy object");
-		ISC_LIST_INIT(sources);
-	}
-
-	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
-		usekeyboard = ISC_ENTROPY_KEYBOARDYES;
-		randomfile = NULL;
-	}
-
-	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
-					   usekeyboard);
-
-	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize entropy source: %s",
-		      isc_result_totext(result));
-
-	if (source != NULL) {
-		elt = isc_mem_get(mctx, sizeof(*elt));
-		if (elt == NULL)
-			fatal("out of memory");
-		elt->source = source;
-		elt->mctx = mctx;
-		ISC_LINK_INIT(elt, link);
-		ISC_LIST_APPEND(sources, elt, link);
-	}
-}
-
-static void
-cleanup_entropy(isc_entropy_t **ectx) {
-	entropysource_t *source;
-	while (!ISC_LIST_EMPTY(sources)) {
-		source = ISC_LIST_HEAD(sources);
-		ISC_LIST_UNLINK(sources, source, link);
-		isc_entropy_destroysource(&source->source);
-		isc_mem_put(source->mctx, source, sizeof(*source));
-	}
-	isc_entropy_detach(ectx);
-}
-
-
-static dns_rdataclass_t
-getzoneclass(void) {
-	if (zoneclass == dns_rdataclass_none)
-		zoneclass = defaultclass;
-	return (zoneclass);
-}
-
-static isc_boolean_t
-setzoneclass(dns_rdataclass_t rdclass) {
-	if (zoneclass == dns_rdataclass_none ||
-	    rdclass == dns_rdataclass_none)
-		zoneclass = rdclass;
-	if (zoneclass != rdclass)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-static void
-fatal(const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	exit(1);
-}
-
-static void
-error(const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-}
-
-static void
-debug(const char *format, ...) {
-	va_list args;
-
-	if (debugging) {
-		va_start(args, format);
-		vfprintf(stderr, format, args);
-		va_end(args);
-		fprintf(stderr, "\n");
-	}
-}
-
-static void
-ddebug(const char *format, ...) {
-	va_list args;
-
-	if (ddebugging) {
-		va_start(args, format);
-		vfprintf(stderr, format, args);
-		va_end(args);
-		fprintf(stderr, "\n");
-	}
-}
-
-static inline void
-check_result(isc_result_t result, const char *msg) {
-	if (result != ISC_R_SUCCESS)
-		fatal("%s: %s", msg, isc_result_totext(result));
-}
-
-static void *
-mem_alloc(void *arg, size_t size) {
-	return (isc_mem_get(arg, size));
-}
-
-static void
-mem_free(void *arg, void *mem, size_t size) {
-	isc_mem_put(arg, mem, size);
-}
-
-static char *
-nsu_strsep(char **stringp, const char *delim) {
-	char *string = *stringp;
-	char *s;
-	const char *d;
-	char sc, dc;
-
-	if (string == NULL)
-		return (NULL);
-
-	for (; *string != '\0'; string++) {
-		sc = *string;
-		for (d = delim; (dc = *d) != '\0'; d++) {
-			if (sc == dc)
-				break;
-		}
-		if (dc == 0)
-			break;
-	}
-
-	for (s = string; *s != '\0'; s++) {
-		sc = *s;
-		for (d = delim; (dc = *d) != '\0'; d++) {
-			if (sc == dc) {
-				*s++ = '\0';
-				*stringp = s;
-				return (string);
-			}
-		}
-	}
-	*stringp = NULL;
-	return (string);
-}
-
-static void
-reset_system(void) {
-	isc_result_t result;
-
-	ddebug("reset_system()");
-	/* If the update message is still around, destroy it */
-	if (updatemsg != NULL)
-		dns_message_reset(updatemsg, DNS_MESSAGE_INTENTRENDER);
-	else {
-		result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
-					    &updatemsg);
-		check_result(result, "dns_message_create");
-	}
-	updatemsg->opcode = dns_opcode_update;
-	if (usegsstsig) {
-		if (tsigkey != NULL)
-			dns_tsigkey_detach(&tsigkey);
-		if (gssring != NULL)
-			dns_tsigkeyring_detach(&gssring);
-		tried_other_gsstsig = ISC_FALSE;
-	}
-}
-
-static isc_uint16_t
-parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
-	isc_uint16_t digestbits = 0;
-	isc_result_t result;
-	char buf[20];
-
-	REQUIRE(hmac != NULL && *hmac == NULL);
-	REQUIRE(hmacstr != NULL);
-
-	if (len >= sizeof(buf))
-		fatal("unknown key type '%.*s'", (int)(len), hmacstr);
-
-	strncpy(buf, hmacstr, len);
-	buf[len] = 0;
-
-	if (strcasecmp(buf, "hmac-md5") == 0) {
-		*hmac = DNS_TSIG_HMACMD5_NAME;
-	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
-		*hmac = DNS_TSIG_HMACMD5_NAME;
-		result = isc_parse_uint16(&digestbits, &buf[9], 10);
-		if (result != ISC_R_SUCCESS || digestbits > 128)
-			fatal("digest-bits out of range [0..128]");
-		digestbits = (digestbits +7) & ~0x7U;
-	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
-		*hmac = DNS_TSIG_HMACSHA1_NAME;
-	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
-		*hmac = DNS_TSIG_HMACSHA1_NAME;
-		result = isc_parse_uint16(&digestbits, &buf[10], 10);
-		if (result != ISC_R_SUCCESS || digestbits > 160)
-			fatal("digest-bits out of range [0..160]");
-		digestbits = (digestbits +7) & ~0x7U;
-	} else if (strcasecmp(buf, "hmac-sha224") == 0) {
-		*hmac = DNS_TSIG_HMACSHA224_NAME;
-	} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
-		*hmac = DNS_TSIG_HMACSHA224_NAME;
-		result = isc_parse_uint16(&digestbits, &buf[12], 10);
-		if (result != ISC_R_SUCCESS || digestbits > 224)
-			fatal("digest-bits out of range [0..224]");
-		digestbits = (digestbits +7) & ~0x7U;
-	} else if (strcasecmp(buf, "hmac-sha256") == 0) {
-		*hmac = DNS_TSIG_HMACSHA256_NAME;
-	} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
-		*hmac = DNS_TSIG_HMACSHA256_NAME;
-		result = isc_parse_uint16(&digestbits, &buf[12], 10);
-		if (result != ISC_R_SUCCESS || digestbits > 256)
-			fatal("digest-bits out of range [0..256]");
-		digestbits = (digestbits +7) & ~0x7U;
-	} else if (strcasecmp(buf, "hmac-sha384") == 0) {
-		*hmac = DNS_TSIG_HMACSHA384_NAME;
-	} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
-		*hmac = DNS_TSIG_HMACSHA384_NAME;
-		result = isc_parse_uint16(&digestbits, &buf[12], 10);
-		if (result != ISC_R_SUCCESS || digestbits > 384)
-			fatal("digest-bits out of range [0..384]");
-		digestbits = (digestbits +7) & ~0x7U;
-	} else if (strcasecmp(buf, "hmac-sha512") == 0) {
-		*hmac = DNS_TSIG_HMACSHA512_NAME;
-	} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
-		*hmac = DNS_TSIG_HMACSHA512_NAME;
-		result = isc_parse_uint16(&digestbits, &buf[12], 10);
-		if (result != ISC_R_SUCCESS || digestbits > 512)
-			fatal("digest-bits out of range [0..512]");
-		digestbits = (digestbits +7) & ~0x7U;
-	} else
-		fatal("unknown key type '%s'", buf);
-	return (digestbits);
-}
-
-static int
-basenamelen(const char *file) {
-	int len = strlen(file);
-
-	if (len > 1 && file[len - 1] == '.')
-		len -= 1;
-	else if (len > 8 && strcmp(file + len - 8, ".private") == 0)
-		len -= 8;
-	else if (len > 4 && strcmp(file + len - 4, ".key") == 0)
-		len -= 4;
-	return (len);
-}
-
-static void
-setup_keystr(void) {
-	unsigned char *secret = NULL;
-	int secretlen;
-	isc_buffer_t secretbuf;
-	isc_result_t result;
-	isc_buffer_t keynamesrc;
-	char *secretstr;
-	char *s, *n;
-	dns_fixedname_t fkeyname;
-	dns_name_t *keyname;
-	char *name;
-	dns_name_t *hmacname = NULL;
-	isc_uint16_t digestbits = 0;
-
-	dns_fixedname_init(&fkeyname);
-	keyname = dns_fixedname_name(&fkeyname);
-
-	debug("Creating key...");
-
-	s = strchr(keystr, ':');
-	if (s == NULL || s == keystr || s[1] == 0)
-		fatal("key option must specify [hmac:]keyname:secret");
-	secretstr = s + 1;
-	n = strchr(secretstr, ':');
-	if (n != NULL) {
-		if (n == secretstr || n[1] == 0)
-			fatal("key option must specify [hmac:]keyname:secret");
-		name = secretstr;
-		secretstr = n + 1;
-		digestbits = parse_hmac(&hmacname, keystr, s - keystr);
-	} else {
-		hmacname = DNS_TSIG_HMACMD5_NAME;
-		name = keystr;
-		n = s;
-	}
-
-	isc_buffer_init(&keynamesrc, name, n - name);
-	isc_buffer_add(&keynamesrc, n - name);
-
-	debug("namefromtext");
-	result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname, 0, NULL);
-	check_result(result, "dns_name_fromtext");
-
-	secretlen = strlen(secretstr) * 3 / 4;
-	secret = isc_mem_allocate(mctx, secretlen);
-	if (secret == NULL)
-		fatal("out of memory");
-
-	isc_buffer_init(&secretbuf, secret, secretlen);
-	result = isc_base64_decodestring(secretstr, &secretbuf);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not create key from %s: %s\n",
-			keystr, isc_result_totext(result));
-		goto failure;
-	}
-
-	secretlen = isc_buffer_usedlength(&secretbuf);
-
-	debug("keycreate");
-	result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
-				    ISC_FALSE, NULL, 0, 0, mctx, NULL,
-				    &tsigkey);
-	if (result != ISC_R_SUCCESS)
-		fprintf(stderr, "could not create key from %s: %s\n",
-			keystr, dns_result_totext(result));
-	else
-		dst_key_setbits(tsigkey->key, digestbits);
- failure:
-	if (secret != NULL)
-		isc_mem_free(mctx, secret);
-}
-
-/*
- * Get a key from a named.conf format keyfile
- */
-static isc_result_t
-read_sessionkey(isc_mem_t *mctx, isc_log_t *lctx) {
-	cfg_parser_t *pctx = NULL;
-	cfg_obj_t *sessionkey = NULL;
-	const cfg_obj_t *key = NULL;
-	const cfg_obj_t *secretobj = NULL;
-	const cfg_obj_t *algorithmobj = NULL;
-	const char *keyname;
-	const char *secretstr;
-	const char *algorithm;
-	isc_result_t result;
-	int len;
-
-	if (! isc_file_exists(keyfile))
-		return (ISC_R_FILENOTFOUND);
-
-	result = cfg_parser_create(mctx, lctx, &pctx);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey,
-				&sessionkey);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = cfg_map_get(sessionkey, "key", &key);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	(void) cfg_map_get(key, "secret", &secretobj);
-	(void) cfg_map_get(key, "algorithm", &algorithmobj);
-	if (secretobj == NULL || algorithmobj == NULL)
-		fatal("key must have algorithm and secret");
-
-	keyname = cfg_obj_asstring(cfg_map_getname(key));
-	secretstr = cfg_obj_asstring(secretobj);
-	algorithm = cfg_obj_asstring(algorithmobj);
-
-	len = strlen(algorithm) + strlen(keyname) + strlen(secretstr) + 3;
-	keystr = isc_mem_allocate(mctx, len);
-	snprintf(keystr, len, "%s:%s:%s", algorithm, keyname, secretstr);
-	setup_keystr();
-
- cleanup:
-	if (pctx != NULL) {
-		if (sessionkey != NULL)
-			cfg_obj_destroy(pctx, &sessionkey);
-		cfg_parser_destroy(&pctx);
-	}
-
-	if (keystr != NULL)
-		isc_mem_free(mctx, keystr);
-
-	return (result);
-}
-
-static void
-setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
-	dst_key_t *dstkey = NULL;
-	isc_result_t result;
-	dns_name_t *hmacname = NULL;
-
-	debug("Creating key...");
-
-	if (sig0key != NULL)
-		dst_key_free(&sig0key);
-
-	/* Try reading the key from a K* pair */
-	result = dst_key_fromnamedfile(keyfile, NULL,
-				       DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
-				       &dstkey);
-
-	/* If that didn't work, try reading it as a session.key keyfile */
-	if (result != ISC_R_SUCCESS) {
-		result = read_sessionkey(mctx, lctx);
-		if (result == ISC_R_SUCCESS)
-			return;
-	}
-
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not read key from %.*s.{private,key}: "
-				"%s\n", basenamelen(keyfile), keyfile,
-				isc_result_totext(result));
-		return;
-	}
-
-	switch (dst_key_alg(dstkey)) {
-	case DST_ALG_HMACMD5:
-		hmacname = DNS_TSIG_HMACMD5_NAME;
-		break;
-	case DST_ALG_HMACSHA1:
-		hmacname = DNS_TSIG_HMACSHA1_NAME;
-		break;
-	case DST_ALG_HMACSHA224:
-		hmacname = DNS_TSIG_HMACSHA224_NAME;
-		break;
-	case DST_ALG_HMACSHA256:
-		hmacname = DNS_TSIG_HMACSHA256_NAME;
-		break;
-	case DST_ALG_HMACSHA384:
-		hmacname = DNS_TSIG_HMACSHA384_NAME;
-		break;
-	case DST_ALG_HMACSHA512:
-		hmacname = DNS_TSIG_HMACSHA512_NAME;
-		break;
-	}
-	if (hmacname != NULL) {
-		result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
-						   hmacname, dstkey, ISC_FALSE,
-						   NULL, 0, 0, mctx, NULL,
-						   &tsigkey);
-		dst_key_free(&dstkey);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "could not create key from %s: %s\n",
-				keyfile, isc_result_totext(result));
-			return;
-		}
-	} else {
-		dst_key_attach(dstkey, &sig0key);
-		dst_key_free(&dstkey);
-	}
-}
-
-static void
-doshutdown(void) {
-	isc_task_detach(&global_task);
-
-	if (userserver != NULL)
-		isc_mem_put(mctx, userserver, sizeof(isc_sockaddr_t));
-
-	if (localaddr != NULL)
-		isc_mem_put(mctx, localaddr, sizeof(isc_sockaddr_t));
-
-	if (tsigkey != NULL) {
-		ddebug("Freeing TSIG key");
-		dns_tsigkey_detach(&tsigkey);
-	}
-
-	if (sig0key != NULL) {
-		ddebug("Freeing SIG(0) key");
-		dst_key_free(&sig0key);
-	}
-
-	if (updatemsg != NULL)
-		dns_message_destroy(&updatemsg);
-
-	if (is_dst_up) {
-		ddebug("Destroy DST lib");
-		dst_lib_destroy();
-		is_dst_up = ISC_FALSE;
-	}
-
-	cleanup_entropy(&entropy);
-
-	lwres_conf_clear(lwctx);
-	lwres_context_destroy(&lwctx);
-
-	isc_mem_put(mctx, servers, ns_total * sizeof(isc_sockaddr_t));
-
-	ddebug("Destroying request manager");
-	dns_requestmgr_detach(&requestmgr);
-
-	ddebug("Freeing the dispatchers");
-	if (have_ipv4)
-		dns_dispatch_detach(&dispatchv4);
-	if (have_ipv6)
-		dns_dispatch_detach(&dispatchv6);
-
-	ddebug("Shutting down dispatch manager");
-	dns_dispatchmgr_destroy(&dispatchmgr);
-
-}
-
-static void
-maybeshutdown(void) {
-	ddebug("Shutting down request manager");
-	dns_requestmgr_shutdown(requestmgr);
-
-	if (requests != 0)
-		return;
-
-	doshutdown();
-}
-
-static void
-shutdown_program(isc_task_t *task, isc_event_t *event) {
-	REQUIRE(task == global_task);
-	UNUSED(task);
-
-	ddebug("shutdown_program()");
-	isc_event_free(&event);
-
-	shuttingdown = ISC_TRUE;
-	maybeshutdown();
-}
-
-static void
-setup_system(void) {
-	isc_result_t result;
-	isc_sockaddr_t bind_any, bind_any6;
-	lwres_result_t lwresult;
-	unsigned int attrs, attrmask;
-	int i;
-	isc_logconfig_t *logconfig = NULL;
-
-	ddebug("setup_system()");
-
-	dns_result_register();
-
-	result = isc_net_probeipv4();
-	if (result == ISC_R_SUCCESS)
-		have_ipv4 = ISC_TRUE;
-
-	result = isc_net_probeipv6();
-	if (result == ISC_R_SUCCESS)
-		have_ipv6 = ISC_TRUE;
-
-	if (!have_ipv4 && !have_ipv6)
-		fatal("could not find either IPv4 or IPv6");
-
-	result = isc_log_create(mctx, &lctx, &logconfig);
-	check_result(result, "isc_log_create");
-
-	isc_log_setcontext(lctx);
-	dns_log_init(lctx);
-	dns_log_setcontext(lctx);
-
-	result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
-	check_result(result, "isc_log_usechannel");
-
-	isc_log_setdebuglevel(lctx, logdebuglevel);
-
-	lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
-	if (lwresult != LWRES_R_SUCCESS)
-		fatal("lwres_context_create failed");
-
-	(void)lwres_conf_parse(lwctx, RESOLV_CONF);
-	lwconf = lwres_conf_get(lwctx);
-
-	ns_total = lwconf->nsnext;
-	if (ns_total <= 0) {
-		/* No name servers in resolv.conf; default to loopback. */
-		struct in_addr localhost;
-		ns_total = 1;
-		servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
-		if (servers == NULL)
-			fatal("out of memory");
-		localhost.s_addr = htonl(INADDR_LOOPBACK);
-		isc_sockaddr_fromin(&servers[0], &localhost, dnsport);
-	} else {
-		servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
-		if (servers == NULL)
-			fatal("out of memory");
-		for (i = 0; i < ns_total; i++) {
-			if (lwconf->nameservers[i].family == LWRES_ADDRTYPE_V4) {
-				struct in_addr in4;
-				memcpy(&in4, lwconf->nameservers[i].address, 4);
-				isc_sockaddr_fromin(&servers[i], &in4, dnsport);
-			} else {
-				struct in6_addr in6;
-				memcpy(&in6, lwconf->nameservers[i].address, 16);
-				isc_sockaddr_fromin6(&servers[i], &in6,
-						     dnsport);
-			}
-		}
-	}
-
-	setup_entropy(mctx, NULL, &entropy);
-
-	result = isc_hash_create(mctx, entropy, DNS_NAME_MAXWIRE);
-	check_result(result, "isc_hash_create");
-	isc_hash_init();
-
-	result = dns_dispatchmgr_create(mctx, entropy, &dispatchmgr);
-	check_result(result, "dns_dispatchmgr_create");
-
-	result = isc_socketmgr_create(mctx, &socketmgr);
-	check_result(result, "dns_socketmgr_create");
-
-	result = isc_timermgr_create(mctx, &timermgr);
-	check_result(result, "dns_timermgr_create");
-
-	result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
-	check_result(result, "isc_taskmgr_create");
-
-	result = isc_task_create(taskmgr, 0, &global_task);
-	check_result(result, "isc_task_create");
-
-	result = isc_task_onshutdown(global_task, shutdown_program, NULL);
-	check_result(result, "isc_task_onshutdown");
-
-	result = dst_lib_init(mctx, entropy, 0);
-	check_result(result, "dst_lib_init");
-	is_dst_up = ISC_TRUE;
-
-	attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
-	attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
-
-	if (have_ipv6) {
-		attrs = DNS_DISPATCHATTR_UDP;
-		attrs |= DNS_DISPATCHATTR_MAKEQUERY;
-		attrs |= DNS_DISPATCHATTR_IPV6;
-		isc_sockaddr_any6(&bind_any6);
-		result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
-					     &bind_any6, PACKETSIZE,
-					     4, 2, 3, 5,
-					     attrs, attrmask, &dispatchv6);
-		check_result(result, "dns_dispatch_getudp (v6)");
-	}
-
-	if (have_ipv4) {
-		attrs = DNS_DISPATCHATTR_UDP;
-		attrs |= DNS_DISPATCHATTR_MAKEQUERY;
-		attrs |= DNS_DISPATCHATTR_IPV4;
-		isc_sockaddr_any(&bind_any);
-		result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
-					     &bind_any, PACKETSIZE,
-					     4, 2, 3, 5,
-					     attrs, attrmask, &dispatchv4);
-		check_result(result, "dns_dispatch_getudp (v4)");
-	}
-
-	result = dns_requestmgr_create(mctx, timermgr,
-				       socketmgr, taskmgr, dispatchmgr,
-				       dispatchv4, dispatchv6, &requestmgr);
-	check_result(result, "dns_requestmgr_create");
-
-	if (keystr != NULL)
-		setup_keystr();
-	else if (local_only) {
-		result = read_sessionkey(mctx, lctx);
-		if (result != ISC_R_SUCCESS)
-			fatal("can't read key from %s: %s\n",
-			      keyfile, isc_result_totext(result));
-	} else if (keyfile != NULL)
-		setup_keyfile(mctx, lctx);
-}
-
-static void
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
-	int count;
-	isc_result_t result;
-
-	isc_app_block();
-	result = bind9_getaddresses(host, port, sockaddr, 1, &count);
-	isc_app_unblock();
-	if (result != ISC_R_SUCCESS)
-		fatal("couldn't get address for '%s': %s",
-		      host, isc_result_totext(result));
-	INSIST(count == 1);
-}
-
-#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:r:R::t:u:"
-
-static void
-pre_parse_args(int argc, char **argv) {
-	int ch;
-
-	while ((ch = isc_commandline_parse(argc, argv, PARSE_ARGS_FMT)) != -1) {
-		switch (ch) {
-		case 'M': /* was -dm */
-			debugging = ISC_TRUE;
-			ddebugging = ISC_TRUE;
-			memdebugging = ISC_TRUE;
-			isc_mem_debugging = ISC_MEM_DEBUGTRACE |
-					    ISC_MEM_DEBUGRECORD;
-			break;
-
-		case '?':
-		case 'h':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					argv[0], isc_commandline_option);
-			fprintf(stderr, "usage: nsupdate [-dD] [-L level] [-l]"
-				"[-g | -o | -y keyname:secret | -k keyfile] "
-				"[-v] [filename]\n");
-			exit(1);
-
-		default:
-			break;
-		}
-	}
-	isc_commandline_reset = ISC_TRUE;
-	isc_commandline_index = 1;
-}
-
-static void
-parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
-	int ch;
-	isc_uint32_t i;
-	isc_result_t result;
-
-	debug("parse_args");
-	while ((ch = isc_commandline_parse(argc, argv, PARSE_ARGS_FMT)) != -1) {
-		switch (ch) {
-		case 'd':
-			debugging = ISC_TRUE;
-			break;
-		case 'D': /* was -dd */
-			debugging = ISC_TRUE;
-			ddebugging = ISC_TRUE;
-			break;
-		case 'M':
-			break;
-		case 'l':
-			local_only = ISC_TRUE;
-			break;
-		case 'L':
-			result = isc_parse_uint32(&i, isc_commandline_argument,
-						  10);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "bad library debug value "
-					"'%s'\n", isc_commandline_argument);
-				exit(1);
-			}
-			logdebuglevel = i;
-			break;
-		case 'y':
-			keystr = isc_commandline_argument;
-			break;
-		case 'v':
-			usevc = ISC_TRUE;
-			break;
-		case 'k':
-			keyfile = isc_commandline_argument;
-			break;
-		case 'g':
-			usegsstsig = ISC_TRUE;
-			use_win2k_gsstsig = ISC_FALSE;
-			break;
-		case 'o':
-			usegsstsig = ISC_TRUE;
-			use_win2k_gsstsig = ISC_TRUE;
-			break;
-		case 'p':
-			result = isc_parse_uint16(&dnsport,
-						  isc_commandline_argument, 10);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "bad port number "
-					"'%s'\n", isc_commandline_argument);
-				exit(1);
-			}
-			break;
-		case 't':
-			result = isc_parse_uint32(&timeout,
-						  isc_commandline_argument, 10);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "bad timeout '%s'\n",						isc_commandline_argument);
-				exit(1);
-			}
-			if (timeout == 0)
-				timeout = UINT_MAX;
-			break;
-		case 'u':
-			result = isc_parse_uint32(&udp_timeout,
-						  isc_commandline_argument, 10);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "bad udp timeout '%s'\n",						isc_commandline_argument);
-				exit(1);
-			}
-			if (udp_timeout == 0)
-				udp_timeout = UINT_MAX;
-			break;
-		case 'r':
-			result = isc_parse_uint32(&udp_retries,
-						  isc_commandline_argument, 10);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "bad udp retries '%s'\n",						isc_commandline_argument);
-				exit(1);
-			}
-			break;
-
-		case 'R':
-			setup_entropy(mctx, isc_commandline_argument, ectx);
-			break;
-
-		default:
-			fprintf(stderr, "%s: unhandled option: %c\n",
-				argv[0], isc_commandline_option);
-			exit(1);
-		}
-	}
-	if (keyfile != NULL && keystr != NULL) {
-		fprintf(stderr, "%s: cannot specify both -k and -y\n",
-			argv[0]);
-		exit(1);
-	}
-
-	if (local_only) {
-		struct in_addr localhost;
-
-		if (keyfile == NULL)
-			keyfile = SESSION_KEYFILE;
-
-		if (userserver == NULL) {
-			userserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
-			if (userserver == NULL)
-				fatal("out of memory");
-		}
-
-		localhost.s_addr = htonl(INADDR_LOOPBACK);
-		isc_sockaddr_fromin(userserver, &localhost, dnsport);
-	}
-
-#ifdef GSSAPI
-	if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
-		fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
-			argv[0]);
-		exit(1);
-	}
-#else
-	if (usegsstsig) {
-		fprintf(stderr, "%s: cannot specify -g	or -o, " \
-			"program not linked with GSS API Library\n",
-			argv[0]);
-		exit(1);
-	}
-#endif
-
-	if (argv[isc_commandline_index] != NULL) {
-		if (strcmp(argv[isc_commandline_index], "-") == 0) {
-			input = stdin;
-		} else {
-			result = isc_stdio_open(argv[isc_commandline_index],
-						"r", &input);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "could not open '%s': %s\n",
-					argv[isc_commandline_index],
-					isc_result_totext(result));
-				exit(1);
-			}
-		}
-		interactive = ISC_FALSE;
-	}
-}
-
-static isc_uint16_t
-parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) {
-	isc_result_t result;
-	char *word;
-	isc_buffer_t *namebuf = NULL;
-	isc_buffer_t source;
-
-	word = nsu_strsep(cmdlinep, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not read owner name\n");
-		return (STATUS_SYNTAX);
-	}
-
-	result = dns_message_gettempname(msg, namep);
-	check_result(result, "dns_message_gettempname");
-	result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
-	check_result(result, "isc_buffer_allocate");
-	dns_name_init(*namep, NULL);
-	dns_name_setbuffer(*namep, namebuf);
-	dns_message_takebuffer(msg, &namebuf);
-	isc_buffer_init(&source, word, strlen(word));
-	isc_buffer_add(&source, strlen(word));
-	result = dns_name_fromtext(*namep, &source, dns_rootname, 0, NULL);
-	check_result(result, "dns_name_fromtext");
-	isc_buffer_invalidate(&source);
-	return (STATUS_MORE);
-}
-
-static isc_uint16_t
-parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass,
-	    dns_rdatatype_t rdatatype, dns_message_t *msg,
-	    dns_rdata_t *rdata)
-{
-	char *cmdline = *cmdlinep;
-	isc_buffer_t source, *buf = NULL, *newbuf = NULL;
-	isc_region_t r;
-	isc_lex_t *lex = NULL;
-	dns_rdatacallbacks_t callbacks;
-	isc_result_t result;
-
-	if (cmdline == NULL) {
-		rdata->flags = DNS_RDATA_UPDATE;
-		return (STATUS_MORE);
-	}
-
-	while (*cmdline != 0 && isspace((unsigned char)*cmdline))
-		cmdline++;
-
-	if (*cmdline != 0) {
-		dns_rdatacallbacks_init(&callbacks);
-		result = isc_lex_create(mctx, strlen(cmdline), &lex);
-		check_result(result, "isc_lex_create");
-		isc_buffer_init(&source, cmdline, strlen(cmdline));
-		isc_buffer_add(&source, strlen(cmdline));
-		result = isc_lex_openbuffer(lex, &source);
-		check_result(result, "isc_lex_openbuffer");
-		result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
-		check_result(result, "isc_buffer_allocate");
-		result = dns_rdata_fromtext(NULL, rdataclass, rdatatype, lex,
-					    dns_rootname, 0, mctx, buf,
-					    &callbacks);
-		isc_lex_destroy(&lex);
-		if (result == ISC_R_SUCCESS) {
-			isc_buffer_usedregion(buf, &r);
-			result = isc_buffer_allocate(mctx, &newbuf, r.length);
-			check_result(result, "isc_buffer_allocate");
-			isc_buffer_putmem(newbuf, r.base, r.length);
-			isc_buffer_usedregion(newbuf, &r);
-			dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r);
-			isc_buffer_free(&buf);
-			dns_message_takebuffer(msg, &newbuf);
-		} else {
-			fprintf(stderr, "invalid rdata format: %s\n",
-				isc_result_totext(result));
-			isc_buffer_free(&buf);
-			return (STATUS_SYNTAX);
-		}
-	} else {
-		rdata->flags = DNS_RDATA_UPDATE;
-	}
-	*cmdlinep = cmdline;
-	return (STATUS_MORE);
-}
-
-static isc_uint16_t
-make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
-	isc_result_t result;
-	char *word;
-	dns_name_t *name = NULL;
-	isc_textregion_t region;
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdatalist_t *rdatalist = NULL;
-	dns_rdataclass_t rdataclass;
-	dns_rdatatype_t rdatatype;
-	dns_rdata_t *rdata = NULL;
-	isc_uint16_t retval;
-
-	ddebug("make_prereq()");
-
-	/*
-	 * Read the owner name
-	 */
-	retval = parse_name(&cmdline, updatemsg, &name);
-	if (retval != STATUS_MORE)
-		return (retval);
-
-	/*
-	 * If this is an rrset prereq, read the class or type.
-	 */
-	if (isrrset) {
-		word = nsu_strsep(&cmdline, " \t\r\n");
-		if (word == NULL || *word == 0) {
-			fprintf(stderr, "could not read class or type\n");
-			goto failure;
-		}
-		region.base = word;
-		region.length = strlen(word);
-		result = dns_rdataclass_fromtext(&rdataclass, &region);
-		if (result == ISC_R_SUCCESS) {
-			if (!setzoneclass(rdataclass)) {
-				fprintf(stderr, "class mismatch: %s\n", word);
-				goto failure;
-			}
-			/*
-			 * Now read the type.
-			 */
-			word = nsu_strsep(&cmdline, " \t\r\n");
-			if (word == NULL || *word == 0) {
-				fprintf(stderr, "could not read type\n");
-				goto failure;
-			}
-			region.base = word;
-			region.length = strlen(word);
-			result = dns_rdatatype_fromtext(&rdatatype, &region);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "invalid type: %s\n", word);
-				goto failure;
-			}
-		} else {
-			rdataclass = getzoneclass();
-			result = dns_rdatatype_fromtext(&rdatatype, &region);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "invalid type: %s\n", word);
-				goto failure;
-			}
-		}
-	} else
-		rdatatype = dns_rdatatype_any;
-
-	result = dns_message_gettemprdata(updatemsg, &rdata);
-	check_result(result, "dns_message_gettemprdata");
-
-	dns_rdata_init(rdata);
-
-	if (isrrset && ispositive) {
-		retval = parse_rdata(&cmdline, rdataclass, rdatatype,
-				     updatemsg, rdata);
-		if (retval != STATUS_MORE)
-			goto failure;
-	} else
-		rdata->flags = DNS_RDATA_UPDATE;
-
-	result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
-	check_result(result, "dns_message_gettemprdatalist");
-	result = dns_message_gettemprdataset(updatemsg, &rdataset);
-	check_result(result, "dns_message_gettemprdataset");
-	dns_rdatalist_init(rdatalist);
-	rdatalist->type = rdatatype;
-	if (ispositive) {
-		if (isrrset && rdata->data != NULL)
-			rdatalist->rdclass = rdataclass;
-		else
-			rdatalist->rdclass = dns_rdataclass_any;
-	} else
-		rdatalist->rdclass = dns_rdataclass_none;
-	rdatalist->covers = 0;
-	rdatalist->ttl = 0;
-	rdata->rdclass = rdatalist->rdclass;
-	rdata->type = rdatatype;
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	dns_rdataset_init(rdataset);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
-	ISC_LIST_INIT(name->list);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-	dns_message_addname(updatemsg, name, DNS_SECTION_PREREQUISITE);
-	return (STATUS_MORE);
-
- failure:
-	if (name != NULL)
-		dns_message_puttempname(updatemsg, &name);
-	return (STATUS_SYNTAX);
-}
-
-static isc_uint16_t
-evaluate_prereq(char *cmdline) {
-	char *word;
-	isc_boolean_t ispositive, isrrset;
-
-	ddebug("evaluate_prereq()");
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not read operation code\n");
-		return (STATUS_SYNTAX);
-	}
-	if (strcasecmp(word, "nxdomain") == 0) {
-		ispositive = ISC_FALSE;
-		isrrset = ISC_FALSE;
-	} else if (strcasecmp(word, "yxdomain") == 0) {
-		ispositive = ISC_TRUE;
-		isrrset = ISC_FALSE;
-	} else if (strcasecmp(word, "nxrrset") == 0) {
-		ispositive = ISC_FALSE;
-		isrrset = ISC_TRUE;
-	} else if (strcasecmp(word, "yxrrset") == 0) {
-		ispositive = ISC_TRUE;
-		isrrset = ISC_TRUE;
-	} else {
-		fprintf(stderr, "incorrect operation code: %s\n", word);
-		return (STATUS_SYNTAX);
-	}
-	return (make_prereq(cmdline, ispositive, isrrset));
-}
-
-static isc_uint16_t
-evaluate_server(char *cmdline) {
-	char *word, *server;
-	long port;
-
-	if (local_only) {
-		fprintf(stderr, "cannot reset server in localhost-only mode\n");
-		return (STATUS_SYNTAX);
-	}
-
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not read server name\n");
-		return (STATUS_SYNTAX);
-	}
-	server = word;
-
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0)
-		port = dnsport;
-	else {
-		char *endp;
-		port = strtol(word, &endp, 10);
-		if (*endp != 0) {
-			fprintf(stderr, "port '%s' is not numeric\n", word);
-			return (STATUS_SYNTAX);
-		} else if (port < 1 || port > 65535) {
-			fprintf(stderr, "port '%s' is out of range "
-				"(1 to 65535)\n", word);
-			return (STATUS_SYNTAX);
-		}
-	}
-
-	if (userserver == NULL) {
-		userserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
-		if (userserver == NULL)
-			fatal("out of memory");
-	}
-
-	get_address(server, (in_port_t)port, userserver);
-
-	return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_local(char *cmdline) {
-	char *word, *local;
-	long port;
-	struct in_addr in4;
-	struct in6_addr in6;
-
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not read server name\n");
-		return (STATUS_SYNTAX);
-	}
-	local = word;
-
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0)
-		port = 0;
-	else {
-		char *endp;
-		port = strtol(word, &endp, 10);
-		if (*endp != 0) {
-			fprintf(stderr, "port '%s' is not numeric\n", word);
-			return (STATUS_SYNTAX);
-		} else if (port < 1 || port > 65535) {
-			fprintf(stderr, "port '%s' is out of range "
-				"(1 to 65535)\n", word);
-			return (STATUS_SYNTAX);
-		}
-	}
-
-	if (localaddr == NULL) {
-		localaddr = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
-		if (localaddr == NULL)
-			fatal("out of memory");
-	}
-
-	if (have_ipv6 && inet_pton(AF_INET6, local, &in6) == 1)
-		isc_sockaddr_fromin6(localaddr, &in6, (in_port_t)port);
-	else if (have_ipv4 && inet_pton(AF_INET, local, &in4) == 1)
-		isc_sockaddr_fromin(localaddr, &in4, (in_port_t)port);
-	else {
-		fprintf(stderr, "invalid address %s", local);
-		return (STATUS_SYNTAX);
-	}
-
-	return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_key(char *cmdline) {
-	char *namestr;
-	char *secretstr;
-	isc_buffer_t b;
-	isc_result_t result;
-	dns_fixedname_t fkeyname;
-	dns_name_t *keyname;
-	int secretlen;
-	unsigned char *secret = NULL;
-	isc_buffer_t secretbuf;
-	dns_name_t *hmacname = NULL;
-	isc_uint16_t digestbits = 0;
-	char *n;
-
-	namestr = nsu_strsep(&cmdline, " \t\r\n");
-	if (namestr == NULL || *namestr == 0) {
-		fprintf(stderr, "could not read key name\n");
-		return (STATUS_SYNTAX);
-	}
-
-	dns_fixedname_init(&fkeyname);
-	keyname = dns_fixedname_name(&fkeyname);
-
-	n = strchr(namestr, ':');
-	if (n != NULL) {
-		digestbits = parse_hmac(&hmacname, namestr, n - namestr);
-		namestr = n + 1;
-	} else
-		hmacname = DNS_TSIG_HMACMD5_NAME;
-
-	isc_buffer_init(&b, namestr, strlen(namestr));
-	isc_buffer_add(&b, strlen(namestr));
-	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not parse key name\n");
-		return (STATUS_SYNTAX);
-	}
-
-	secretstr = nsu_strsep(&cmdline, "\r\n");
-	if (secretstr == NULL || *secretstr == 0) {
-		fprintf(stderr, "could not read key secret\n");
-		return (STATUS_SYNTAX);
-	}
-	secretlen = strlen(secretstr) * 3 / 4;
-	secret = isc_mem_allocate(mctx, secretlen);
-	if (secret == NULL)
-		fatal("out of memory");
-
-	isc_buffer_init(&secretbuf, secret, secretlen);
-	result = isc_base64_decodestring(secretstr, &secretbuf);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not create key from %s: %s\n",
-			secretstr, isc_result_totext(result));
-		isc_mem_free(mctx, secret);
-		return (STATUS_SYNTAX);
-	}
-	secretlen = isc_buffer_usedlength(&secretbuf);
-
-	if (tsigkey != NULL)
-		dns_tsigkey_detach(&tsigkey);
-	result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
-				    ISC_FALSE, NULL, 0, 0, mctx, NULL,
-				    &tsigkey);
-	isc_mem_free(mctx, secret);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not create key from %s %s: %s\n",
-			namestr, secretstr, dns_result_totext(result));
-		return (STATUS_SYNTAX);
-	}
-	dst_key_setbits(tsigkey->key, digestbits);
-	return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_zone(char *cmdline) {
-	char *word;
-	isc_buffer_t b;
-	isc_result_t result;
-
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not read zone name\n");
-		return (STATUS_SYNTAX);
-	}
-
-	dns_fixedname_init(&fuserzone);
-	userzone = dns_fixedname_name(&fuserzone);
-	isc_buffer_init(&b, word, strlen(word));
-	isc_buffer_add(&b, strlen(word));
-	result = dns_name_fromtext(userzone, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		userzone = NULL; /* Lest it point to an invalid name */
-		fprintf(stderr, "could not parse zone name\n");
-		return (STATUS_SYNTAX);
-	}
-
-	return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_realm(char *cmdline) {
-#ifdef GSSAPI
-	char *word;
-	char buf[1024];
-
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		if (realm != NULL)
-			isc_mem_free(mctx, realm);
-		realm = NULL;
-		return (STATUS_MORE);
-	}
-
-	snprintf(buf, sizeof(buf), "@%s", word);
-	realm = isc_mem_strdup(mctx, buf);
-	if (realm == NULL)
-		fatal("out of memory");
-	return (STATUS_MORE);
-#else
-	UNUSED(cmdline);
-	return (STATUS_SYNTAX);
-#endif
-}
-
-static isc_uint16_t
-evaluate_ttl(char *cmdline) {
-	char *word;
-	isc_result_t result;
-	isc_uint32_t ttl;
-
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not ttl\n");
-		return (STATUS_SYNTAX);
-	}
-
-	if (!strcasecmp(word, "none")) {
-		default_ttl = 0;
-		default_ttl_set = ISC_FALSE;
-		return (STATUS_MORE);
-	}
-
-	result = isc_parse_uint32(&ttl, word, 10);
-	if (result != ISC_R_SUCCESS)
-		return (STATUS_SYNTAX);
-
-	if (ttl > TTL_MAX) {
-		fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
-			word, TTL_MAX);
-		return (STATUS_SYNTAX);
-	}
-	default_ttl = ttl;
-	default_ttl_set = ISC_TRUE;
-
-	return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_class(char *cmdline) {
-	char *word;
-	isc_textregion_t r;
-	isc_result_t result;
-	dns_rdataclass_t rdclass;
-
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not read class name\n");
-		return (STATUS_SYNTAX);
-	}
-
-	r.base = word;
-	r.length = strlen(word);
-	result = dns_rdataclass_fromtext(&rdclass, &r);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not parse class name: %s\n", word);
-		return (STATUS_SYNTAX);
-	}
-	switch (rdclass) {
-	case dns_rdataclass_none:
-	case dns_rdataclass_any:
-	case dns_rdataclass_reserved0:
-		fprintf(stderr, "bad default class: %s\n", word);
-		return (STATUS_SYNTAX);
-	default:
-		defaultclass = rdclass;
-	}
-
-	return (STATUS_MORE);
-}
-
-static isc_uint16_t
-update_addordelete(char *cmdline, isc_boolean_t isdelete) {
-	isc_result_t result;
-	dns_name_t *name = NULL;
-	isc_uint32_t ttl;
-	char *word;
-	dns_rdataclass_t rdataclass;
-	dns_rdatatype_t rdatatype;
-	dns_rdata_t *rdata = NULL;
-	dns_rdatalist_t *rdatalist = NULL;
-	dns_rdataset_t *rdataset = NULL;
-	isc_textregion_t region;
-	isc_uint16_t retval;
-
-	ddebug("update_addordelete()");
-
-	/*
-	 * Read the owner name.
-	 */
-	retval = parse_name(&cmdline, updatemsg, &name);
-	if (retval != STATUS_MORE)
-		return (retval);
-
-	result = dns_message_gettemprdata(updatemsg, &rdata);
-	check_result(result, "dns_message_gettemprdata");
-
-	dns_rdata_init(rdata);
-
-	/*
-	 * If this is an add, read the TTL and verify that it's in range.
-	 * If it's a delete, ignore a TTL if present (for compatibility).
-	 */
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		if (!isdelete) {
-			fprintf(stderr, "could not read owner ttl\n");
-			goto failure;
-		}
-		else {
-			ttl = 0;
-			rdataclass = dns_rdataclass_any;
-			rdatatype = dns_rdatatype_any;
-			rdata->flags = DNS_RDATA_UPDATE;
-			goto doneparsing;
-		}
-	}
-	result = isc_parse_uint32(&ttl, word, 10);
-	if (result != ISC_R_SUCCESS) {
-		if (isdelete) {
-			ttl = 0;
-			goto parseclass;
-		} else if (default_ttl_set) {
-			ttl = default_ttl;
-			goto parseclass;
-		} else {
-			fprintf(stderr, "ttl '%s': %s\n", word,
-				isc_result_totext(result));
-			goto failure;
-		}
-	}
-
-	if (isdelete)
-		ttl = 0;
-	else if (ttl > TTL_MAX) {
-		fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
-			word, TTL_MAX);
-		goto failure;
-	}
-
-	/*
-	 * Read the class or type.
-	 */
-	word = nsu_strsep(&cmdline, " \t\r\n");
- parseclass:
-	if (word == NULL || *word == 0) {
-		if (isdelete) {
-			rdataclass = dns_rdataclass_any;
-			rdatatype = dns_rdatatype_any;
-			rdata->flags = DNS_RDATA_UPDATE;
-			goto doneparsing;
-		} else {
-			fprintf(stderr, "could not read class or type\n");
-			goto failure;
-		}
-	}
-	region.base = word;
-	region.length = strlen(word);
-	rdataclass = dns_rdataclass_any;
-	result = dns_rdataclass_fromtext(&rdataclass, &region);
-	if (result == ISC_R_SUCCESS && rdataclass != dns_rdataclass_any) {
-		if (!setzoneclass(rdataclass)) {
-			fprintf(stderr, "class mismatch: %s\n", word);
-			goto failure;
-		}
-		/*
-		 * Now read the type.
-		 */
-		word = nsu_strsep(&cmdline, " \t\r\n");
-		if (word == NULL || *word == 0) {
-			if (isdelete) {
-				rdataclass = dns_rdataclass_any;
-				rdatatype = dns_rdatatype_any;
-				rdata->flags = DNS_RDATA_UPDATE;
-				goto doneparsing;
-			} else {
-				fprintf(stderr, "could not read type\n");
-				goto failure;
-			}
-		}
-		region.base = word;
-		region.length = strlen(word);
-		result = dns_rdatatype_fromtext(&rdatatype, &region);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "'%s' is not a valid type: %s\n",
-				word, isc_result_totext(result));
-			goto failure;
-		}
-	} else {
-		rdataclass = getzoneclass();
-		result = dns_rdatatype_fromtext(&rdatatype, &region);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "'%s' is not a valid class or type: "
-				"%s\n", word, isc_result_totext(result));
-			goto failure;
-		}
-	}
-
-	retval = parse_rdata(&cmdline, rdataclass, rdatatype, updatemsg,
-			     rdata);
-	if (retval != STATUS_MORE)
-		goto failure;
-
-	if (isdelete) {
-		if ((rdata->flags & DNS_RDATA_UPDATE) != 0)
-			rdataclass = dns_rdataclass_any;
-		else
-			rdataclass = dns_rdataclass_none;
-	} else {
-		if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
-			fprintf(stderr, "could not read rdata\n");
-			goto failure;
-		}
-	}
-
- doneparsing:
-
-	result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
-	check_result(result, "dns_message_gettemprdatalist");
-	result = dns_message_gettemprdataset(updatemsg, &rdataset);
-	check_result(result, "dns_message_gettemprdataset");
-	dns_rdatalist_init(rdatalist);
-	rdatalist->type = rdatatype;
-	rdatalist->rdclass = rdataclass;
-	rdatalist->covers = rdatatype;
-	rdatalist->ttl = (dns_ttl_t)ttl;
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	dns_rdataset_init(rdataset);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
-	ISC_LIST_INIT(name->list);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-	dns_message_addname(updatemsg, name, DNS_SECTION_UPDATE);
-	return (STATUS_MORE);
-
- failure:
-	if (name != NULL)
-		dns_message_puttempname(updatemsg, &name);
-	dns_message_puttemprdata(updatemsg, &rdata);
-	return (STATUS_SYNTAX);
-}
-
-static isc_uint16_t
-evaluate_update(char *cmdline) {
-	char *word;
-	isc_boolean_t isdelete;
-
-	ddebug("evaluate_update()");
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not read operation code\n");
-		return (STATUS_SYNTAX);
-	}
-	if (strcasecmp(word, "delete") == 0)
-		isdelete = ISC_TRUE;
-	else if (strcasecmp(word, "del") == 0)
-		isdelete = ISC_TRUE;
-	else if (strcasecmp(word, "add") == 0)
-		isdelete = ISC_FALSE;
-	else {
-		fprintf(stderr, "incorrect operation code: %s\n", word);
-		return (STATUS_SYNTAX);
-	}
-	return (update_addordelete(cmdline, isdelete));
-}
-
-static void
-setzone(dns_name_t *zonename) {
-	isc_result_t result;
-	dns_name_t *name = NULL;
-	dns_rdataset_t *rdataset = NULL;
-
-	result = dns_message_firstname(updatemsg, DNS_SECTION_ZONE);
-	if (result == ISC_R_SUCCESS) {
-		dns_message_currentname(updatemsg, DNS_SECTION_ZONE, &name);
-		dns_message_removename(updatemsg, name, DNS_SECTION_ZONE);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_HEAD(name->list)) {
-			ISC_LIST_UNLINK(name->list, rdataset, link);
-			dns_rdataset_disassociate(rdataset);
-			dns_message_puttemprdataset(updatemsg, &rdataset);
-		}
-		dns_message_puttempname(updatemsg, &name);
-	}
-
-	if (zonename != NULL) {
-		result = dns_message_gettempname(updatemsg, &name);
-		check_result(result, "dns_message_gettempname");
-		dns_name_init(name, NULL);
-		dns_name_clone(zonename, name);
-		result = dns_message_gettemprdataset(updatemsg, &rdataset);
-		check_result(result, "dns_message_gettemprdataset");
-		dns_rdataset_makequestion(rdataset, getzoneclass(),
-					  dns_rdatatype_soa);
-		ISC_LIST_INIT(name->list);
-		ISC_LIST_APPEND(name->list, rdataset, link);
-		dns_message_addname(updatemsg, name, DNS_SECTION_ZONE);
-	}
-}
-
-static void
-show_message(FILE *stream, dns_message_t *msg, const char *description) {
-	isc_result_t result;
-	isc_buffer_t *buf = NULL;
-	int bufsz;
-
-	ddebug("show_message()");
-
-	setzone(userzone);
-
-	bufsz = INITTEXT;
-	do {
-		if (bufsz > MAXTEXT) {
-			fprintf(stderr, "could not allocate large enough "
-				"buffer to display message\n");
-			exit(1);
-		}
-		if (buf != NULL)
-			isc_buffer_free(&buf);
-		result = isc_buffer_allocate(mctx, &buf, bufsz);
-		check_result(result, "isc_buffer_allocate");
-		result = dns_message_totext(msg, style, 0, buf);
-		bufsz *= 2;
-	} while (result == ISC_R_NOSPACE);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not convert message to text format.\n");
-		isc_buffer_free(&buf);
-		return;
-	}
-	fprintf(stream, "%s\n%.*s", description,
-	       (int)isc_buffer_usedlength(buf), (char*)isc_buffer_base(buf));
-	isc_buffer_free(&buf);
-}
-
-static isc_uint16_t
-do_next_command(char *cmdline) {
-	char *word;
-
-	ddebug("do_next_command()");
-	word = nsu_strsep(&cmdline, " \t\r\n");
-
-	if (word == NULL || *word == 0)
-		return (STATUS_SEND);
-	if (word[0] == ';')
-		return (STATUS_MORE);
-	if (strcasecmp(word, "quit") == 0)
-		return (STATUS_QUIT);
-	if (strcasecmp(word, "prereq") == 0)
-		return (evaluate_prereq(cmdline));
-	if (strcasecmp(word, "nxdomain") == 0)
-		return (make_prereq(cmdline, ISC_FALSE, ISC_FALSE));
-	if (strcasecmp(word, "yxdomain") == 0)
-		return (make_prereq(cmdline, ISC_TRUE, ISC_FALSE));
-	if (strcasecmp(word, "nxrrset") == 0)
-		return (make_prereq(cmdline, ISC_FALSE, ISC_TRUE));
-	if (strcasecmp(word, "yxrrset") == 0)
-		return (make_prereq(cmdline, ISC_TRUE, ISC_TRUE));
-	if (strcasecmp(word, "update") == 0)
-		return (evaluate_update(cmdline));
-	if (strcasecmp(word, "delete") == 0)
-		return (update_addordelete(cmdline, ISC_TRUE));
-	if (strcasecmp(word, "del") == 0)
-		return (update_addordelete(cmdline, ISC_TRUE));
-	if (strcasecmp(word, "add") == 0)
-		return (update_addordelete(cmdline, ISC_FALSE));
-	if (strcasecmp(word, "server") == 0)
-		return (evaluate_server(cmdline));
-	if (strcasecmp(word, "local") == 0)
-		return (evaluate_local(cmdline));
-	if (strcasecmp(word, "zone") == 0)
-		return (evaluate_zone(cmdline));
-	if (strcasecmp(word, "class") == 0)
-		return (evaluate_class(cmdline));
-	if (strcasecmp(word, "send") == 0)
-		return (STATUS_SEND);
-	if (strcasecmp(word, "debug") == 0) {
-		if (debugging)
-			ddebugging = ISC_TRUE;
-		else
-			debugging = ISC_TRUE;
-		return (STATUS_MORE);
-	}
-	if (strcasecmp(word, "ttl") == 0)
-		return (evaluate_ttl(cmdline));
-	if (strcasecmp(word, "show") == 0) {
-		show_message(stdout, updatemsg, "Outgoing update query:");
-		return (STATUS_MORE);
-	}
-	if (strcasecmp(word, "answer") == 0) {
-		if (answer != NULL)
-			show_message(stdout, answer, "Answer:");
-		return (STATUS_MORE);
-	}
-	if (strcasecmp(word, "key") == 0) {
-		usegsstsig = ISC_FALSE;
-		return (evaluate_key(cmdline));
-	}
-	if (strcasecmp(word, "realm") == 0)
-		return (evaluate_realm(cmdline));
-	if (strcasecmp(word, "gsstsig") == 0) {
-#ifdef GSSAPI
-		usegsstsig = ISC_TRUE;
-		use_win2k_gsstsig = ISC_FALSE;
-#else
-		fprintf(stderr, "gsstsig not supported\n");
-#endif
-		return (STATUS_MORE);
-	}
-	if (strcasecmp(word, "oldgsstsig") == 0) {
-#ifdef GSSAPI
-		usegsstsig = ISC_TRUE;
-		use_win2k_gsstsig = ISC_TRUE;
-#else
-		fprintf(stderr, "gsstsig not supported\n");
-#endif
-		return (STATUS_MORE);
-	}
-	if (strcasecmp(word, "help") == 0) {
-		fprintf(stdout,
-"local address [port]      (set local resolver)\n"
-"server address [port]     (set master server for zone)\n"
-"send                      (send the update request)\n"
-"show                      (show the update request)\n"
-"answer                    (show the answer to the last request)\n"
-"quit                      (quit, any pending update is not sent\n"
-"help                      (display this message_\n"
-"key [hmac:]keyname secret (use TSIG to sign the request)\n"
-"gsstsig                   (use GSS_TSIG to sign the request)\n"
-"oldgsstsig                (use Microsoft's GSS_TSIG to sign the request)\n"
-"zone name                 (set the zone to be updated)\n"
-"class CLASS               (set the zone's DNS class, e.g. IN (default), CH)\n"
-"[prereq] nxdomain name    (does this name not exist)\n"
-"[prereq] yxdomain name    (does this name exist)\n"
-"[prereq] nxrrset ....     (does this RRset exist)\n"
-"[prereq] yxrrset ....     (does this RRset not exist)\n"
-"[update] add ....         (add the given record to the zone)\n"
-"[update] del[ete] ....    (remove the given record(s) from the zone)\n");
-		return (STATUS_MORE);
-	}
-	fprintf(stderr, "incorrect section name: %s\n", word);
-	return (STATUS_SYNTAX);
-}
-
-static isc_uint16_t
-get_next_command(void) {
-	isc_uint16_t result = STATUS_QUIT;
-	char cmdlinebuf[MAXCMD];
-	char *cmdline;
-
-	isc_app_block();
-	if (interactive) {
-#ifdef HAVE_READLINE
-		cmdline = readline("> ");
-		if (cmdline != NULL && *cmdline != '\0')
-			add_history(cmdline);
-#else
-		fprintf(stdout, "> ");
-		fflush(stdout);
-		cmdline = fgets(cmdlinebuf, MAXCMD, input);
-#endif
-	} else
-		cmdline = fgets(cmdlinebuf, MAXCMD, input);
-	isc_app_unblock();
-
-	if (cmdline != NULL) {
-		char *tmp = cmdline;
-
-		/*
-		 * Normalize input by removing any eol as readline()
-		 * removes eol but fgets doesn't.
-		 */
-		(void)nsu_strsep(&tmp, "\r\n");
-		result = do_next_command(cmdline);
-	}
-#ifdef HAVE_READLINE
-	if (interactive)
-		free(cmdline);
-#endif
-	return (result);
-}
-
-static isc_boolean_t
-user_interaction(void) {
-	isc_uint16_t result = STATUS_MORE;
-
-	ddebug("user_interaction()");
-	while ((result == STATUS_MORE) || (result == STATUS_SYNTAX)) {
-		result = get_next_command();
-		if (!interactive && result == STATUS_SYNTAX)
-			fatal("syntax error");
-	}
-	if (result == STATUS_SEND)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-
-}
-
-static void
-done_update(void) {
-	isc_event_t *event = global_event;
-	ddebug("done_update()");
-	isc_task_send(global_task, &event);
-}
-
-static void
-check_tsig_error(dns_rdataset_t *rdataset, isc_buffer_t *b) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_any_tsig_t tsig;
-
-	result = dns_rdataset_first(rdataset);
-	check_result(result, "dns_rdataset_first");
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &tsig, NULL);
-	check_result(result, "dns_rdata_tostruct");
-	if (tsig.error != 0) {
-		if (isc_buffer_remaininglength(b) < 1)
-		      check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
-		isc__buffer_putstr(b, "(" /*)*/);
-		result = dns_tsigrcode_totext(tsig.error, b);
-		check_result(result, "dns_tsigrcode_totext");
-		if (isc_buffer_remaininglength(b) < 1)
-		      check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
-		isc__buffer_putstr(b,  /*(*/ ")");
-	}
-}
-
-static void
-update_completed(isc_task_t *task, isc_event_t *event) {
-	dns_requestevent_t *reqev = NULL;
-	isc_result_t result;
-	dns_request_t *request;
-
-	UNUSED(task);
-
-	ddebug("update_completed()");
-
-	requests--;
-
-	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
-	reqev = (dns_requestevent_t *)event;
-	request = reqev->request;
-
-	if (shuttingdown) {
-		dns_request_destroy(&request);
-		isc_event_free(&event);
-		maybeshutdown();
-		return;
-	}
-
-	if (reqev->result != ISC_R_SUCCESS) {
-		fprintf(stderr, "; Communication with server failed: %s\n",
-			isc_result_totext(reqev->result));
-		seenerror = ISC_TRUE;
-		goto done;
-	}
-
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &answer);
-	check_result(result, "dns_message_create");
-	result = dns_request_getresponse(request, answer,
-					 DNS_MESSAGEPARSE_PRESERVEORDER);
-	switch (result) {
-	case ISC_R_SUCCESS:
-		if (answer->verify_attempted)
-			ddebug("tsig verification successful");
-		break;
-	case DNS_R_CLOCKSKEW:
-	case DNS_R_EXPECTEDTSIG:
-	case DNS_R_TSIGERRORSET:
-	case DNS_R_TSIGVERIFYFAILURE:
-	case DNS_R_UNEXPECTEDTSIG:
-	case ISC_R_FAILURE:
-#if 0
-		if (usegsstsig && answer->rcode == dns_rcode_noerror) {
-			/*
-			 * For MS DNS that violates RFC 2845, section 4.2
-			 */
-			break;
-		}
-#endif
-		fprintf(stderr, "; TSIG error with server: %s\n",
-			isc_result_totext(result));
-		seenerror = ISC_TRUE;
-		break;
-	default:
-		check_result(result, "dns_request_getresponse");
-	}
-
-	if (answer->rcode != dns_rcode_noerror) {
-		seenerror = ISC_TRUE;
-		if (!debugging) {
-			char buf[64];
-			isc_buffer_t b;
-			dns_rdataset_t *rds;
-
-			isc_buffer_init(&b, buf, sizeof(buf) - 1);
-			result = dns_rcode_totext(answer->rcode, &b);
-			check_result(result, "dns_rcode_totext");
-			rds = dns_message_gettsig(answer, NULL);
-			if (rds != NULL)
-				check_tsig_error(rds, &b);
-			fprintf(stderr, "update failed: %.*s\n",
-				(int)isc_buffer_usedlength(&b), buf);
-		}
-	}
-	if (debugging)
-		show_message(stderr, answer, "\nReply from update query:");
-
- done:
-	dns_request_destroy(&request);
-	if (usegsstsig) {
-		dns_name_free(&tmpzonename, mctx);
-		dns_name_free(&restart_master, mctx);
-	}
-	isc_event_free(&event);
-	done_update();
-}
-
-static void
-send_update(dns_name_t *zonename, isc_sockaddr_t *master,
-	    isc_sockaddr_t *srcaddr)
-{
-	isc_result_t result;
-	dns_request_t *request = NULL;
-	unsigned int options = DNS_REQUESTOPT_CASE;
-
-	ddebug("send_update()");
-
-	setzone(zonename);
-
-	if (usevc)
-		options |= DNS_REQUESTOPT_TCP;
-	if (tsigkey == NULL && sig0key != NULL) {
-		result = dns_message_setsig0key(updatemsg, sig0key);
-		check_result(result, "dns_message_setsig0key");
-	}
-	if (debugging) {
-		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
-		isc_sockaddr_format(master, addrbuf, sizeof(addrbuf));
-		fprintf(stderr, "Sending update to %s\n", addrbuf);
-	}
-
-	/* Windows doesn't like the tsig name to be compressed. */
-	if (updatemsg->tsigname)
-		updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
-
-	result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
-					master, options, tsigkey, timeout,
-					udp_timeout, udp_retries, global_task,
-					update_completed, NULL, &request);
-	check_result(result, "dns_request_createvia3");
-
-	if (debugging)
-		show_message(stdout, updatemsg, "Outgoing update query:");
-
-	requests++;
-}
-
-static void
-recvsoa(isc_task_t *task, isc_event_t *event) {
-	dns_requestevent_t *reqev = NULL;
-	dns_request_t *request = NULL;
-	isc_result_t result, eresult;
-	dns_message_t *rcvmsg = NULL;
-	dns_section_t section;
-	dns_name_t *name = NULL;
-	dns_rdataset_t *soaset = NULL;
-	dns_rdata_soa_t soa;
-	dns_rdata_t soarr = DNS_RDATA_INIT;
-	int pass = 0;
-	dns_name_t master;
-	nsu_requestinfo_t *reqinfo;
-	dns_message_t *soaquery = NULL;
-	isc_sockaddr_t *addr;
-	isc_boolean_t seencname = ISC_FALSE;
-	dns_name_t tname;
-	unsigned int nlabels;
-
-	UNUSED(task);
-
-	ddebug("recvsoa()");
-
-	requests--;
-
-	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
-	reqev = (dns_requestevent_t *)event;
-	request = reqev->request;
-	eresult = reqev->result;
-	reqinfo = reqev->ev_arg;
-	soaquery = reqinfo->msg;
-	addr = reqinfo->addr;
-
-	if (shuttingdown) {
-		dns_request_destroy(&request);
-		dns_message_destroy(&soaquery);
-		isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
-		isc_event_free(&event);
-		maybeshutdown();
-		return;
-	}
-
-	if (eresult != ISC_R_SUCCESS) {
-		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
-		isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
-		fprintf(stderr, "; Communication with %s failed: %s\n",
-			addrbuf, isc_result_totext(eresult));
-		if (userserver != NULL)
-			fatal("could not talk to specified name server");
-		else if (++ns_inuse >= lwconf->nsnext)
-			fatal("could not talk to any default name server");
-		ddebug("Destroying request [%p]", request);
-		dns_request_destroy(&request);
-		dns_message_renderreset(soaquery);
-		dns_message_settsigkey(soaquery, NULL);
-		sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
-		isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
-		isc_event_free(&event);
-		setzoneclass(dns_rdataclass_none);
-		return;
-	}
-
-	isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
-	reqinfo = NULL;
-	isc_event_free(&event);
-	reqev = NULL;
-
-	ddebug("About to create rcvmsg");
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
-	check_result(result, "dns_message_create");
-	result = dns_request_getresponse(request, rcvmsg,
-					 DNS_MESSAGEPARSE_PRESERVEORDER);
-	if (result == DNS_R_TSIGERRORSET && userserver != NULL) {
-		dns_message_destroy(&rcvmsg);
-		ddebug("Destroying request [%p]", request);
-		dns_request_destroy(&request);
-		reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
-		if (reqinfo == NULL)
-			fatal("out of memory");
-		reqinfo->msg = soaquery;
-		reqinfo->addr = addr;
-		dns_message_renderreset(soaquery);
-		ddebug("retrying soa request without TSIG");
-		result = dns_request_createvia3(requestmgr, soaquery,
-						localaddr, addr, 0, NULL,
-						FIND_TIMEOUT * 20,
-						FIND_TIMEOUT, 3,
-						global_task, recvsoa, reqinfo,
-						&request);
-		check_result(result, "dns_request_createvia");
-		requests++;
-		return;
-	}
-	check_result(result, "dns_request_getresponse");
-	section = DNS_SECTION_ANSWER;
-	POST(section);
-	if (debugging)
-		show_message(stderr, rcvmsg, "Reply from SOA query:");
-
-	if (rcvmsg->rcode != dns_rcode_noerror &&
-	    rcvmsg->rcode != dns_rcode_nxdomain)
-		fatal("response to SOA query was unsuccessful");
-
-	if (userzone != NULL && rcvmsg->rcode == dns_rcode_nxdomain) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		dns_name_format(userzone, namebuf, sizeof(namebuf));
-		error("specified zone '%s' does not exist (NXDOMAIN)",
-		      namebuf);
-		dns_message_destroy(&rcvmsg);
-		dns_request_destroy(&request);
-		dns_message_destroy(&soaquery);
-		ddebug("Out of recvsoa");
-		done_update();
-		seenerror = ISC_TRUE;
-		return;
-	}
-
- lookforsoa:
-	if (pass == 0)
-		section = DNS_SECTION_ANSWER;
-	else if (pass == 1)
-		section = DNS_SECTION_AUTHORITY;
-	else
-		goto droplabel;
-
-	result = dns_message_firstname(rcvmsg, section);
-	if (result != ISC_R_SUCCESS) {
-		pass++;
-		goto lookforsoa;
-	}
-	while (result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(rcvmsg, section, &name);
-		soaset = NULL;
-		result = dns_message_findtype(name, dns_rdatatype_soa, 0,
-					      &soaset);
-		if (result == ISC_R_SUCCESS)
-			break;
-		if (section == DNS_SECTION_ANSWER) {
-			dns_rdataset_t *tset = NULL;
-			if (dns_message_findtype(name, dns_rdatatype_cname, 0,
-						 &tset) == ISC_R_SUCCESS ||
-			    dns_message_findtype(name, dns_rdatatype_dname, 0,
-						 &tset) == ISC_R_SUCCESS ) {
-				seencname = ISC_TRUE;
-				break;
-			}
-		}
-
-		result = dns_message_nextname(rcvmsg, section);
-	}
-
-	if (soaset == NULL && !seencname) {
-		pass++;
-		goto lookforsoa;
-	}
-
-	if (seencname)
-		goto droplabel;
-
-	if (debugging) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof(namestr));
-		fprintf(stderr, "Found zone name: %s\n", namestr);
-	}
-
-	result = dns_rdataset_first(soaset);
-	check_result(result, "dns_rdataset_first");
-
-	dns_rdata_init(&soarr);
-	dns_rdataset_current(soaset, &soarr);
-	result = dns_rdata_tostruct(&soarr, &soa, NULL);
-	check_result(result, "dns_rdata_tostruct");
-
-	dns_name_init(&master, NULL);
-	dns_name_clone(&soa.origin, &master);
-
-	if (userzone != NULL)
-		zonename = userzone;
-	else
-		zonename = name;
-
-	if (debugging) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(&master, namestr, sizeof(namestr));
-		fprintf(stderr, "The master is: %s\n", namestr);
-	}
-
-	if (userserver != NULL)
-		serveraddr = userserver;
-	else {
-		char serverstr[DNS_NAME_MAXTEXT+1];
-		isc_buffer_t buf;
-
-		isc_buffer_init(&buf, serverstr, sizeof(serverstr));
-		result = dns_name_totext(&master, ISC_TRUE, &buf);
-		check_result(result, "dns_name_totext");
-		serverstr[isc_buffer_usedlength(&buf)] = 0;
-		get_address(serverstr, dnsport, &tempaddr);
-		serveraddr = &tempaddr;
-	}
-	dns_rdata_freestruct(&soa);
-
-#ifdef GSSAPI
-	if (usegsstsig) {
-		dns_name_init(&tmpzonename, NULL);
-		dns_name_dup(zonename, mctx, &tmpzonename);
-		dns_name_init(&restart_master, NULL);
-		dns_name_dup(&master, mctx, &restart_master);
-		start_gssrequest(&master);
-	} else {
-		send_update(zonename, serveraddr, localaddr);
-		setzoneclass(dns_rdataclass_none);
-	}
-#else
-	send_update(zonename, serveraddr, localaddr);
-	setzoneclass(dns_rdataclass_none);
-#endif
-
-	dns_message_destroy(&soaquery);
-	dns_request_destroy(&request);
-
- out:
-	dns_message_destroy(&rcvmsg);
-	ddebug("Out of recvsoa");
-	return;
-
- droplabel:
-	result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
-	INSIST(result == ISC_R_SUCCESS);
-	name = NULL;
-	dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
-	nlabels = dns_name_countlabels(name);
-	if (nlabels == 1)
-		fatal("could not find enclosing zone");
-	dns_name_init(&tname, NULL);
-	dns_name_getlabelsequence(name, 1, nlabels - 1, &tname);
-	dns_name_clone(&tname, name);
-	dns_request_destroy(&request);
-	dns_message_renderreset(soaquery);
-	dns_message_settsigkey(soaquery, NULL);
-	if (userserver != NULL)
-		sendrequest(localaddr, userserver, soaquery, &request);
-	else
-		sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
-	goto out;
-}
-
-static void
-sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-	    dns_message_t *msg, dns_request_t **request)
-{
-	isc_result_t result;
-	nsu_requestinfo_t *reqinfo;
-
-	reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
-	if (reqinfo == NULL)
-		fatal("out of memory");
-	reqinfo->msg = msg;
-	reqinfo->addr = destaddr;
-	result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr, 0,
-					(userserver != NULL) ? tsigkey : NULL,
-					FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
-					global_task, recvsoa, reqinfo, request);
-	check_result(result, "dns_request_createvia");
-	requests++;
-}
-
-#ifdef GSSAPI
-
-/*
- * Get the realm from the users kerberos ticket if possible
- */
-static void
-get_ticket_realm(isc_mem_t *mctx)
-{
-	krb5_context ctx;
-	krb5_error_code rc;
-	krb5_ccache ccache;
-	krb5_principal princ;
-	char *name, *ticket_realm;
-
-	rc = krb5_init_context(&ctx);
-	if (rc != 0)
-		return;
-
-	rc = krb5_cc_default(ctx, &ccache);
-	if (rc != 0) {
-		krb5_free_context(ctx);
-		return;
-	}
-
-	rc = krb5_cc_get_principal(ctx, ccache, &princ);
-	if (rc != 0) {
-		krb5_cc_close(ctx, ccache);
-		krb5_free_context(ctx);
-		return;
-	}
-
-	rc = krb5_unparse_name(ctx, princ, &name);
-	if (rc != 0) {
-		krb5_free_principal(ctx, princ);
-		krb5_cc_close(ctx, ccache);
-		krb5_free_context(ctx);
-		return;
-	}
-
-	ticket_realm = strrchr(name, '@');
-	if (ticket_realm != NULL) {
-		realm = isc_mem_strdup(mctx, ticket_realm);
-	}
-
-	free(name);
-	krb5_free_principal(ctx, princ);
-	krb5_cc_close(ctx, ccache);
-	krb5_free_context(ctx);
-	if (realm != NULL && debugging)
-		fprintf(stderr, "Found realm from ticket: %s\n", realm+1);
-}
-
-
-static void
-start_gssrequest(dns_name_t *master) {
-	gss_ctx_id_t context;
-	isc_buffer_t buf;
-	isc_result_t result;
-	isc_uint32_t val = 0;
-	dns_message_t *rmsg;
-	dns_request_t *request = NULL;
-	dns_name_t *servname;
-	dns_fixedname_t fname;
-	char namestr[DNS_NAME_FORMATSIZE];
-	char keystr[DNS_NAME_FORMATSIZE];
-	char *err_message = NULL;
-
-	debug("start_gssrequest");
-	usevc = ISC_TRUE;
-
-	if (gssring != NULL)
-		dns_tsigkeyring_detach(&gssring);
-	gssring = NULL;
-	result = dns_tsigkeyring_create(mctx, &gssring);
-
-	if (result != ISC_R_SUCCESS)
-		fatal("dns_tsigkeyring_create failed: %s",
-		      isc_result_totext(result));
-
-	dns_name_format(master, namestr, sizeof(namestr));
-	if (kserver == NULL) {
-		kserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
-		if (kserver == NULL)
-			fatal("out of memory");
-	}
-	if (userserver == NULL)
-		get_address(namestr, dnsport, kserver);
-	else
-		(void)memcpy(kserver, userserver, sizeof(isc_sockaddr_t));
-
-	dns_fixedname_init(&fname);
-	servname = dns_fixedname_name(&fname);
-
-	if (realm == NULL)
-		get_ticket_realm(mctx);
-
-	result = isc_string_printf(servicename, sizeof(servicename),
-				   "DNS/%s%s", namestr, realm ? realm : "");
-	if (result != ISC_R_SUCCESS)
-		fatal("isc_string_printf(servicename) failed: %s",
-		      isc_result_totext(result));
-	isc_buffer_init(&buf, servicename, strlen(servicename));
-	isc_buffer_add(&buf, strlen(servicename));
-	result = dns_name_fromtext(servname, &buf, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("dns_name_fromtext(servname) failed: %s",
-		      isc_result_totext(result));
-
-	dns_fixedname_init(&fkname);
-	keyname = dns_fixedname_name(&fkname);
-
-	isc_random_get(&val);
-	result = isc_string_printf(keystr, sizeof(keystr), "%u.sig-%s",
-				   val, namestr);
-	if (result != ISC_R_SUCCESS)
-		fatal("isc_string_printf(keystr) failed: %s",
-		      isc_result_totext(result));
-	isc_buffer_init(&buf, keystr, strlen(keystr));
-	isc_buffer_add(&buf, strlen(keystr));
-
-	result = dns_name_fromtext(keyname, &buf, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("dns_name_fromtext(keyname) failed: %s",
-		      isc_result_totext(result));
-
-	/* Windows doesn't recognize name compression in the key name. */
-	keyname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
-
-	rmsg = NULL;
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &rmsg);
-	if (result != ISC_R_SUCCESS)
-		fatal("dns_message_create failed: %s",
-		      isc_result_totext(result));
-
-	/* Build first request. */
-	context = GSS_C_NO_CONTEXT;
-	result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
-					&context, use_win2k_gsstsig,
-					mctx, &err_message);
-	if (result == ISC_R_FAILURE)
-		fatal("tkey query failed: %s",
-		      err_message != NULL ? err_message : "unknown error");
-	if (result != ISC_R_SUCCESS)
-		fatal("dns_tkey_buildgssquery failed: %s",
-		      isc_result_totext(result));
-
-	send_gssrequest(localaddr, kserver, rmsg, &request, context);
-}
-
-static void
-send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		dns_message_t *msg, dns_request_t **request,
-		gss_ctx_id_t context)
-{
-	isc_result_t result;
-	nsu_gssinfo_t *reqinfo;
-	unsigned int options = 0;
-
-	debug("send_gssrequest");
-	reqinfo = isc_mem_get(mctx, sizeof(nsu_gssinfo_t));
-	if (reqinfo == NULL)
-		fatal("out of memory");
-	reqinfo->msg = msg;
-	reqinfo->addr = destaddr;
-	reqinfo->context = context;
-
-	options |= DNS_REQUESTOPT_TCP;
-	result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr,
-					options, tsigkey, FIND_TIMEOUT * 20,
-					FIND_TIMEOUT, 3, global_task, recvgss,
-					reqinfo, request);
-	check_result(result, "dns_request_createvia3");
-	if (debugging)
-		show_message(stdout, msg, "Outgoing update query:");
-	requests++;
-}
-
-static void
-recvgss(isc_task_t *task, isc_event_t *event) {
-	dns_requestevent_t *reqev = NULL;
-	dns_request_t *request = NULL;
-	isc_result_t result, eresult;
-	dns_message_t *rcvmsg = NULL;
-	nsu_gssinfo_t *reqinfo;
-	dns_message_t *tsigquery = NULL;
-	isc_sockaddr_t *addr;
-	gss_ctx_id_t context;
-	isc_buffer_t buf;
-	dns_name_t *servname;
-	dns_fixedname_t fname;
-	char *err_message = NULL;
-
-	UNUSED(task);
-
-	ddebug("recvgss()");
-
-	requests--;
-
-	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
-	reqev = (dns_requestevent_t *)event;
-	request = reqev->request;
-	eresult = reqev->result;
-	reqinfo = reqev->ev_arg;
-	tsigquery = reqinfo->msg;
-	context = reqinfo->context;
-	addr = reqinfo->addr;
-
-	if (shuttingdown) {
-		dns_request_destroy(&request);
-		dns_message_destroy(&tsigquery);
-		isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
-		isc_event_free(&event);
-		maybeshutdown();
-		return;
-	}
-
-	if (eresult != ISC_R_SUCCESS) {
-		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
-		isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
-		fprintf(stderr, "; Communication with %s failed: %s\n",
-			addrbuf, isc_result_totext(eresult));
-		if (userserver != NULL)
-			fatal("could not talk to specified name server");
-		else if (++ns_inuse >= lwconf->nsnext)
-			fatal("could not talk to any default name server");
-		ddebug("Destroying request [%p]", request);
-		dns_request_destroy(&request);
-		dns_message_renderreset(tsigquery);
-		sendrequest(localaddr, &servers[ns_inuse], tsigquery,
-			    &request);
-		isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
-		isc_event_free(&event);
-		return;
-	}
-	isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
-
-	isc_event_free(&event);
-	reqev = NULL;
-
-	ddebug("recvgss creating rcvmsg");
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
-	check_result(result, "dns_message_create");
-
-	result = dns_request_getresponse(request, rcvmsg,
-					 DNS_MESSAGEPARSE_PRESERVEORDER);
-	check_result(result, "dns_request_getresponse");
-
-	if (debugging)
-		show_message(stderr, rcvmsg,
-			     "recvmsg reply from GSS-TSIG query");
-
-	if (rcvmsg->rcode == dns_rcode_formerr && !tried_other_gsstsig) {
-		ddebug("recvgss trying %s GSS-TSIG",
-		       use_win2k_gsstsig ? "Standard" : "Win2k");
-		if (use_win2k_gsstsig)
-			use_win2k_gsstsig = ISC_FALSE;
-		else
-			use_win2k_gsstsig = ISC_TRUE;
-		tried_other_gsstsig = ISC_TRUE;
-		start_gssrequest(&restart_master);
-		goto done;
-	}
-
-	if (rcvmsg->rcode != dns_rcode_noerror &&
-	    rcvmsg->rcode != dns_rcode_nxdomain)
-		fatal("response to GSS-TSIG query was unsuccessful");
-
-
-	dns_fixedname_init(&fname);
-	servname = dns_fixedname_name(&fname);
-	isc_buffer_init(&buf, servicename, strlen(servicename));
-	isc_buffer_add(&buf, strlen(servicename));
-	result = dns_name_fromtext(servname, &buf, dns_rootname, 0, NULL);
-	check_result(result, "dns_name_fromtext");
-
-	tsigkey = NULL;
-	result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname,
-				       &context, &tsigkey, gssring,
-				       use_win2k_gsstsig,
-				       &err_message);
-	switch (result) {
-
-	case DNS_R_CONTINUE:
-		send_gssrequest(localaddr, kserver, tsigquery, &request,
-				context);
-		break;
-
-	case ISC_R_SUCCESS:
-		/*
-		 * XXXSRA Waaay too much fun here.  There's no good
-		 * reason why we need a TSIG here (the people who put
-		 * it into the spec admitted at the time that it was
-		 * not a security issue), and Windows clients don't
-		 * seem to work if named complies with the spec and
-		 * includes the gratuitous TSIG.  So we're in the
-		 * bizarre situation of having to choose between
-		 * complying with a useless requirement in the spec
-		 * and interoperating.  This is nuts.  If we can
-		 * confirm this behavior, we should ask the WG to
-		 * consider removing the requirement for the
-		 * gratuitous TSIG here.  For the moment, we ignore
-		 * the TSIG -- this too is a spec violation, but it's
-		 * the least insane thing to do.
-		 */
-#if 0
-		/*
-		 * Verify the signature.
-		 */
-		rcvmsg->state = DNS_SECTION_ANY;
-		dns_message_setquerytsig(rcvmsg, NULL);
-		result = dns_message_settsigkey(rcvmsg, tsigkey);
-		check_result(result, "dns_message_settsigkey");
-		result = dns_message_checksig(rcvmsg, NULL);
-		ddebug("tsig verification: %s", dns_result_totext(result));
-		check_result(result, "dns_message_checksig");
-#endif /* 0 */
-
-		send_update(&tmpzonename, serveraddr, localaddr);
-		setzoneclass(dns_rdataclass_none);
-		break;
-
-	default:
-		fatal("dns_tkey_negotiategss: %s %s",
-		      isc_result_totext(result),
-		      err_message != NULL ? err_message : "");
-	}
-
- done:
-	dns_request_destroy(&request);
-	dns_message_destroy(&tsigquery);
-
-	dns_message_destroy(&rcvmsg);
-	ddebug("Out of recvgss");
-}
-#endif
-
-static void
-start_update(void) {
-	isc_result_t result;
-	dns_rdataset_t *rdataset = NULL;
-	dns_name_t *name = NULL;
-	dns_request_t *request = NULL;
-	dns_message_t *soaquery = NULL;
-	dns_name_t *firstname;
-	dns_section_t section = DNS_SECTION_UPDATE;
-
-	ddebug("start_update()");
-
-	if (answer != NULL)
-		dns_message_destroy(&answer);
-
-	if (userzone != NULL && userserver != NULL && ! usegsstsig) {
-		send_update(userzone, userserver, localaddr);
-		setzoneclass(dns_rdataclass_none);
-		return;
-	}
-
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
-				    &soaquery);
-	check_result(result, "dns_message_create");
-
-	if (userserver == NULL)
-		soaquery->flags |= DNS_MESSAGEFLAG_RD;
-
-	result = dns_message_gettempname(soaquery, &name);
-	check_result(result, "dns_message_gettempname");
-
-	result = dns_message_gettemprdataset(soaquery, &rdataset);
-	check_result(result, "dns_message_gettemprdataset");
-
-	dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
-
-	if (userzone != NULL) {
-		dns_name_init(name, NULL);
-		dns_name_clone(userzone, name);
-	} else {
-		dns_rdataset_t *tmprdataset;
-		result = dns_message_firstname(updatemsg, section);
-		if (result == ISC_R_NOMORE) {
-			section = DNS_SECTION_PREREQUISITE;
-			result = dns_message_firstname(updatemsg, section);
-		}
-		if (result != ISC_R_SUCCESS) {
-			dns_message_puttempname(soaquery, &name);
-			dns_rdataset_disassociate(rdataset);
-			dns_message_puttemprdataset(soaquery, &rdataset);
-			dns_message_destroy(&soaquery);
-			done_update();
-			return;
-		}
-		firstname = NULL;
-		dns_message_currentname(updatemsg, section, &firstname);
-		dns_name_init(name, NULL);
-		dns_name_clone(firstname, name);
-		/*
-		 * Looks to see if the first name references a DS record
-		 * and if that name is not the root remove a label as DS
-		 * records live in the parent zone so we need to start our
-		 * search one label up.
-		 */
-		tmprdataset = ISC_LIST_HEAD(firstname->list);
-		if (section == DNS_SECTION_UPDATE &&
-		    !dns_name_equal(firstname, dns_rootname) &&
-		    tmprdataset->type == dns_rdatatype_ds) {
-		    unsigned int labels = dns_name_countlabels(name);
-		    dns_name_getlabelsequence(name, 1, labels - 1, name);
-		}
-	}
-
-	ISC_LIST_INIT(name->list);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-	dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
-
-	if (userserver != NULL)
-		sendrequest(localaddr, userserver, soaquery, &request);
-	else {
-		ns_inuse = 0;
-		sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
-	}
-}
-
-static void
-cleanup(void) {
-	ddebug("cleanup()");
-
-	if (answer != NULL)
-		dns_message_destroy(&answer);
-
-#ifdef GSSAPI
-	if (tsigkey != NULL) {
-		ddebug("detach tsigkey x%p", tsigkey);
-		dns_tsigkey_detach(&tsigkey);
-	}
-	if (gssring != NULL) {
-		ddebug("Detaching GSS-TSIG keyring");
-		dns_tsigkeyring_detach(&gssring);
-	}
-	if (kserver != NULL) {
-		isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t));
-		kserver = NULL;
-	}
-	if (realm != NULL) {
-		isc_mem_free(mctx, realm);
-		realm = NULL;
-	}
-#endif
-
-	if (sig0key != NULL)
-		dst_key_free(&sig0key);
-
-	ddebug("Shutting down task manager");
-	isc_taskmgr_destroy(&taskmgr);
-
-	ddebug("Destroying event");
-	isc_event_free(&global_event);
-
-	ddebug("Shutting down socket manager");
-	isc_socketmgr_destroy(&socketmgr);
-
-	ddebug("Shutting down timer manager");
-	isc_timermgr_destroy(&timermgr);
-
-	ddebug("Destroying hash context");
-	isc_hash_destroy();
-
-	ddebug("Destroying name state");
-	dns_name_destroy();
-
-	ddebug("Removing log context");
-	isc_log_destroy(&lctx);
-
-	ddebug("Destroying memory context");
-	if (memdebugging)
-		isc_mem_stats(mctx, stderr);
-	isc_mem_destroy(&mctx);
-}
-
-static void
-getinput(isc_task_t *task, isc_event_t *event) {
-	isc_boolean_t more;
-
-	UNUSED(task);
-
-	if (shuttingdown) {
-		maybeshutdown();
-		return;
-	}
-
-	if (global_event == NULL)
-		global_event = event;
-
-	reset_system();
-	more = user_interaction();
-	if (!more) {
-		isc_app_shutdown();
-		return;
-	}
-	start_update();
-	return;
-}
-
-int
-main(int argc, char **argv) {
-	isc_result_t result;
-	style = &dns_master_style_debug;
-
-	input = stdin;
-
-	interactive = ISC_TF(isatty(0));
-
-	isc_app_start();
-
-	pre_parse_args(argc, argv);
-
-	result = isc_mem_create(0, 0, &mctx);
-	check_result(result, "isc_mem_create");
-
-	parse_args(argc, argv, mctx, &entropy);
-
-	setup_system();
-
-	result = isc_app_onrun(mctx, global_task, getinput, NULL);
-	check_result(result, "isc_app_onrun");
-
-	(void)isc_app_run();
-
-	cleanup();
-
-	isc_app_finish();
-
-	if (seenerror)
-		return (2);
-	else
-		return (0);
-}
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.docbook b/contrib/bind9/bin/nsupdate/nsupdate.docbook
deleted file mode 100644
index c54211c..0000000
--- a/contrib/bind9/bin/nsupdate/nsupdate.docbook
+++ /dev/null
@@ -1,770 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id$ -->
-<refentry id="man.nsupdate">
-  <refentryinfo>
-    <date>Aug 25, 2009</date>
-  </refentryinfo>
-  <refmeta>
-    <refentrytitle><application>nsupdate</application></refentrytitle>
-    <manvolnum>1</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-  <refnamediv>
-    <refname><application>nsupdate</application></refname>
-    <refpurpose>Dynamic DNS update utility</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2012</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>nsupdate</command>
-      <arg><option>-d</option></arg>
-      <arg><option>-D</option></arg>
-      <group>
-	<arg><option>-g</option></arg>
-	<arg><option>-o</option></arg>
-	<arg><option>-l</option></arg>
-        <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
-        <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
-      </group>
-      <arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
-      <arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
-      <arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
-      <arg><option>-R <replaceable class="parameter">randomdev</replaceable></option></arg>
-      <arg><option>-v</option></arg>
-      <arg>filename</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>nsupdate</command>
-      is used to submit Dynamic DNS Update requests as defined in RFC 2136
-      to a name server.
-      This allows resource records to be added or removed from a zone
-      without manually editing the zone file.
-      A single update request can contain requests to add or remove more than
-      one
-      resource record.
-    </para>
-    <para>
-      Zones that are under dynamic control via
-      <command>nsupdate</command>
-      or a DHCP server should not be edited by hand.
-      Manual edits could
-      conflict with dynamic updates and cause data to be lost.
-    </para>
-    <para>
-      The resource records that are dynamically added or removed with
-      <command>nsupdate</command>
-      have to be in the same zone.
-      Requests are sent to the zone's master server.
-      This is identified by the MNAME field of the zone's SOA record.
-    </para>
-    <para>
-      The
-      <option>-d</option>
-      option makes
-      <command>nsupdate</command>
-      operate in debug mode.
-      This provides tracing information about the update requests that are
-      made and the replies received from the name server.
-    </para>
-    <para>
-      The <option>-D</option> option makes <command>nsupdate</command>
-      report additional debugging information to <option>-d</option>.
-    </para>
-    <para>
-      The <option>-L</option> option with an integer argument of zero or
-      higher sets the logging debug level.  If zero, logging is disabled.
-    </para>
-    <para>
-      Transaction signatures can be used to authenticate the Dynamic
-      DNS updates.  These use the TSIG resource record type described
-      in RFC 2845 or the SIG(0) record described in RFC 2535 and
-      RFC 2931 or GSS-TSIG as described in RFC 3645.  TSIG relies on
-      a shared secret that should only be known to
-      <command>nsupdate</command> and the name server.  Currently,
-      the only supported encryption algorithm for TSIG is HMAC-MD5,
-      which is defined in RFC 2104.  Once other algorithms are
-      defined for TSIG, applications will need to ensure they select
-      the appropriate algorithm as well as the key when authenticating
-      each other.  For instance, suitable <type>key</type> and
-      <type>server</type> statements would be added to
-      <filename>/etc/named.conf</filename> so that the name server
-      can associate the appropriate secret key and algorithm with
-      the IP address of the client application that will be using
-      TSIG authentication.  SIG(0) uses public key cryptography.
-      To use a SIG(0) key, the public key must be stored in a KEY
-      record in a zone served by the name server.
-      <command>nsupdate</command> does not read
-      <filename>/etc/named.conf</filename>.
-    </para>
-    <para>
-      GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
-      is switched on with the <option>-g</option> flag.  A
-      non-standards-compliant variant of GSS-TSIG used by Windows
-      2000 can be switched on with the <option>-o</option> flag.
-    </para>
-    <para><command>nsupdate</command>
-      uses the <option>-y</option> or <option>-k</option> option
-      to provide the shared secret needed to generate a TSIG record
-      for authenticating Dynamic DNS update requests, default type
-      HMAC-MD5.  These options are mutually exclusive. 
-    </para>
-    <para>
-      When the <option>-y</option> option is used, a signature is
-      generated from
-      <optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter>
-      <parameter>keyname</parameter> is the name of the key, and
-      <parameter>secret</parameter> is the base64 encoded shared secret.
-      Use of the <option>-y</option> option is discouraged because the
-      shared secret is supplied as a command line argument in clear text.
-      This may be visible in the output from
-      <citerefentry>
-        <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>
-      or in a history file maintained by the user's shell.
-    </para>
-    <para>
-      With the
-      <option>-k</option> option, <command>nsupdate</command> reads
-      the shared secret from the file <parameter>keyfile</parameter>.
-      Keyfiles may be in two formats: a single file containing
-      a <filename>named.conf</filename>-format <command>key</command>
-      statement, which may be generated automatically by
-      <command>ddns-confgen</command>, or a pair of files whose names are
-      of the format <filename>K{name}.+157.+{random}.key</filename> and
-      <filename>K{name}.+157.+{random}.private</filename>, which can be
-      generated by <command>dnssec-keygen</command>.
-      The <option>-k</option> may also be used to specify a SIG(0) key used
-      to authenticate Dynamic DNS update requests.  In this case, the key
-      specified is not an HMAC-MD5 key.
-    </para>
-    <para>
-      <command>nsupdate</command> can be run in a local-host only mode
-      using the <option>-l</option> flag.  This sets the server address to
-      localhost (disabling the <command>server</command> so that the server
-      address cannot be overridden).  Connections to the local server will
-      use a TSIG key found in <filename>/var/run/named/session.key</filename>,
-      which is automatically generated by <command>named</command> if any
-      local master zone has set <command>update-policy</command> to
-      <command>local</command>.  The location of this key file can be
-      overridden with the <option>-k</option> option.
-    </para>
-    <para>
-      By default, <command>nsupdate</command>
-      uses UDP to send update requests to the name server unless they are too
-      large to fit in a UDP request in which case TCP will be used.
-      The
-      <option>-v</option>
-      option makes
-      <command>nsupdate</command>
-      use a TCP connection.
-      This may be preferable when a batch of update requests is made.
-    </para>
-    <para>
-      The <option>-p</option> sets the default port number to use for
-      connections to a name server.  The default is 53.
-    </para>
-    <para>
-      The <option>-t</option> option sets the maximum time an update request
-      can
-      take before it is aborted.  The default is 300 seconds.  Zero can be
-      used
-      to disable the timeout.
-    </para>
-    <para>
-      The <option>-u</option> option sets the UDP retry interval.  The default
-      is
-      3 seconds.  If zero, the interval will be computed from the timeout
-      interval
-      and number of UDP retries.
-    </para>
-    <para>
-      The <option>-r</option> option sets the number of UDP retries. The
-      default is
-      3.  If zero, only one update request will be made.
-    </para>
-    <para>
-      The <option>-R <replaceable
-      class="parameter">randomdev</replaceable></option> option
-      specifies a source of randomness.  If the operating system
-      does not provide a <filename>/dev/random</filename> or
-      equivalent device, the default source of randomness is keyboard
-      input.  <filename>randomdev</filename> specifies the name of
-      a character device or file containing random data to be used
-      instead of the default.  The special value
-      <filename>keyboard</filename> indicates that keyboard input
-      should be used.  This option may be specified multiple times.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>INPUT FORMAT</title>
-    <para><command>nsupdate</command>
-      reads input from
-      <parameter>filename</parameter>
-      or standard input.
-      Each command is supplied on exactly one line of input.
-      Some commands are for administrative purposes.
-      The others are either update instructions or prerequisite checks on the
-      contents of the zone.
-      These checks set conditions that some name or set of
-      resource records (RRset) either exists or is absent from the zone.
-      These conditions must be met if the entire update request is to succeed.
-      Updates will be rejected if the tests for the prerequisite conditions
-      fail.
-    </para>
-    <para>
-      Every update request consists of zero or more prerequisites
-      and zero or more updates.
-      This allows a suitably authenticated update request to proceed if some
-      specified resource records are present or missing from the zone.
-      A blank input line (or the <command>send</command> command)
-      causes the
-      accumulated commands to be sent as one Dynamic DNS update request to the
-      name server.
-    </para>
-    <para>
-      The command formats and their meaning are as follows:
-      <variablelist>
-
-        <varlistentry>
-          <term>
-              <command>server</command>
-              <arg choice="req">servername</arg>
-              <arg choice="opt">port</arg>
-            </term>
-          <listitem>
-            <para>
-              Sends all dynamic update requests to the name server
-              <parameter>servername</parameter>.
-              When no server statement is provided,
-              <command>nsupdate</command>
-              will send updates to the master server of the correct zone.
-              The MNAME field of that zone's SOA record will identify the
-              master
-              server for that zone.
-              <parameter>port</parameter>
-              is the port number on
-              <parameter>servername</parameter>
-              where the dynamic update requests get sent.
-              If no port number is specified, the default DNS port number of
-              53 is
-              used.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command>local</command>
-              <arg choice="req">address</arg>
-              <arg choice="opt">port</arg>
-            </term>
-          <listitem>
-            <para>
-              Sends all dynamic update requests using the local
-              <parameter>address</parameter>.
-
-              When no local statement is provided,
-              <command>nsupdate</command>
-              will send updates using an address and port chosen by the
-              system.
-              <parameter>port</parameter>
-              can additionally be used to make requests come from a specific
-              port.
-              If no port number is specified, the system will assign one.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command>zone</command>
-              <arg choice="req">zonename</arg>
-            </term>
-          <listitem>
-            <para>
-              Specifies that all updates are to be made to the zone
-              <parameter>zonename</parameter>.
-              If no
-              <parameter>zone</parameter>
-              statement is provided,
-              <command>nsupdate</command>
-              will attempt determine the correct zone to update based on the
-              rest of the input.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command>class</command>
-              <arg choice="req">classname</arg>
-            </term>
-          <listitem>
-            <para>
-              Specify the default class.
-              If no <parameter>class</parameter> is specified, the
-              default class is
-              <parameter>IN</parameter>.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command>ttl</command>
-              <arg choice="req">seconds</arg>
-            </term>
-          <listitem>
-            <para>
-              Specify the default time to live for records to be added.
-	      The value <parameter>none</parameter> will clear the default
-	      ttl.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command>key</command>
-              <arg choice="req">name</arg>
-              <arg choice="req">secret</arg>
-            </term>
-          <listitem>
-            <para>
-              Specifies that all updates are to be TSIG-signed using the
-              <parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
-              The <command>key</command> command
-              overrides any key specified on the command line via
-              <option>-y</option> or <option>-k</option>.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-            <command>gsstsig</command>
-          </term>
-          <listitem>
-            <para>
-	      Use GSS-TSIG to sign the updated.  This is equivalent to
-	      specifying <option>-g</option> on the commandline.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-            <command>oldgsstsig</command>
-          </term>
-          <listitem>
-            <para>
-	      Use the Windows 2000 version of GSS-TSIG to sign the updated.
-	      This is equivalent to specifying <option>-o</option> on the
-	      commandline.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-            <command>realm</command>
-            <arg choice="req"><optional>realm_name</optional></arg>
-          </term>
-          <listitem>
-            <para>
-	      When using GSS-TSIG use <parameter>realm_name</parameter> rather
-	      than the default realm in <filename>krb5.conf</filename>.  If no
-	      realm is specified the saved realm is cleared.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command><optional>prereq</optional> nxdomain</command>
-              <arg choice="req">domain-name</arg>
-            </term>
-          <listitem>
-            <para>
-              Requires that no resource record of any type exists with name
-              <parameter>domain-name</parameter>.
-            </para>
-          </listitem>
-        </varlistentry>
-
-
-        <varlistentry>
-          <term>
-              <command><optional>prereq</optional> yxdomain</command>
-              <arg choice="req">domain-name</arg>
-            </term>
-          <listitem>
-            <para>
-              Requires that
-              <parameter>domain-name</parameter>
-              exists (has as at least one resource record, of any type).
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command><optional>prereq</optional> nxrrset</command>
-              <arg choice="req">domain-name</arg>
-              <arg choice="opt">class</arg>
-              <arg choice="req">type</arg>
-            </term>
-          <listitem>
-            <para>
-              Requires that no resource record exists of the specified
-              <parameter>type</parameter>,
-              <parameter>class</parameter>
-              and
-              <parameter>domain-name</parameter>.
-              If
-              <parameter>class</parameter>
-              is omitted, IN (internet) is assumed.
-            </para>
-          </listitem>
-        </varlistentry>
-
-
-        <varlistentry>
-          <term>
-              <command><optional>prereq</optional> yxrrset</command>
-              <arg choice="req">domain-name</arg>
-              <arg choice="opt">class</arg>
-              <arg choice="req">type</arg>
-            </term>
-          <listitem>
-            <para>
-              This requires that a resource record of the specified
-              <parameter>type</parameter>,
-              <parameter>class</parameter>
-              and
-              <parameter>domain-name</parameter>
-              must exist.
-              If
-              <parameter>class</parameter>
-              is omitted, IN (internet) is assumed.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command><optional>prereq</optional> yxrrset</command>
-              <arg choice="req">domain-name</arg>
-              <arg choice="opt">class</arg>
-              <arg choice="req">type</arg>
-              <arg choice="req" rep="repeat">data</arg>
-            </term>
-          <listitem>
-            <para>
-              The
-              <parameter>data</parameter>
-              from each set of prerequisites of this form
-              sharing a common
-              <parameter>type</parameter>,
-              <parameter>class</parameter>,
-              and
-              <parameter>domain-name</parameter>
-              are combined to form a set of RRs.  This set of RRs must
-              exactly match the set of RRs existing in the zone at the
-              given
-              <parameter>type</parameter>,
-              <parameter>class</parameter>,
-              and
-              <parameter>domain-name</parameter>.
-              The
-              <parameter>data</parameter>
-              are written in the standard text representation of the resource
-              record's
-              RDATA.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command><optional>update</optional> del<optional>ete</optional></command>
-              <arg choice="req">domain-name</arg>
-              <arg choice="opt">ttl</arg>
-              <arg choice="opt">class</arg>
-              <arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
-            </term>
-          <listitem>
-            <para>
-              Deletes any resource records named
-              <parameter>domain-name</parameter>.
-              If
-              <parameter>type</parameter>
-              and
-              <parameter>data</parameter>
-              is provided, only matching resource records will be removed.
-              The internet class is assumed if
-              <parameter>class</parameter>
-              is not supplied.  The
-              <parameter>ttl</parameter>
-              is ignored, and is only allowed for compatibility.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command><optional>update</optional> add</command>
-              <arg choice="req">domain-name</arg>
-              <arg choice="req">ttl</arg>
-              <arg choice="opt">class</arg>
-              <arg choice="req">type</arg>
-              <arg choice="req" rep="repeat">data</arg>
-            </term>
-          <listitem>
-            <para>
-              Adds a new resource record with the specified
-              <parameter>ttl</parameter>,
-              <parameter>class</parameter>
-              and
-              <parameter>data</parameter>.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command>show</command>
-            </term>
-          <listitem>
-            <para>
-              Displays the current message, containing all of the
-              prerequisites and
-              updates specified since the last send.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command>send</command>
-            </term>
-          <listitem>
-            <para>
-              Sends the current message.  This is equivalent to entering a
-              blank line.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command>answer</command>
-            </term>
-          <listitem>
-            <para>
-              Displays the answer.
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>
-              <command>debug</command>
-            </term>
-          <listitem>
-            <para>
-              Turn on debugging.
-            </para>
-          </listitem>
-        </varlistentry>
-
-      </variablelist>
-    </para>
-
-    <para>
-      Lines beginning with a semicolon are comments and are ignored.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>EXAMPLES</title>
-    <para>
-      The examples below show how
-      <command>nsupdate</command>
-      could be used to insert and delete resource records from the
-      <type>example.com</type>
-      zone.
-      Notice that the input in each example contains a trailing blank line so
-      that
-      a group of commands are sent as one dynamic update request to the
-      master name server for
-      <type>example.com</type>.
-
-      <programlisting>
-# nsupdate
-&gt; update delete oldhost.example.com A
-&gt; update add newhost.example.com 86400 A 172.16.1.1
-&gt; send
-</programlisting>
-    </para>
-    <para>
-      Any A records for
-      <type>oldhost.example.com</type>
-      are deleted.
-      And an A record for
-      <type>newhost.example.com</type>
-      with IP address 172.16.1.1 is added.
-      The newly-added record has a 1 day TTL (86400 seconds).
-      <programlisting>
-# nsupdate
-&gt; prereq nxdomain nickname.example.com
-&gt; update add nickname.example.com 86400 CNAME somehost.example.com
-&gt; send
-</programlisting>
-    </para>
-    <para>
-      The prerequisite condition gets the name server to check that there
-      are no resource records of any type for
-      <type>nickname.example.com</type>.
-
-      If there are, the update request fails.
-      If this name does not exist, a CNAME for it is added.
-      This ensures that when the CNAME is added, it cannot conflict with the
-      long-standing rule in RFC 1034 that a name must not exist as any other
-      record type if it exists as a CNAME.
-      (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
-      RRSIG, DNSKEY and NSEC records.)
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <variablelist>
-      <varlistentry>
-        <term><constant>/etc/resolv.conf</constant></term>
-        <listitem>
-          <para>
-            used to identify default name server
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>/var/run/named/session.key</constant></term>
-        <listitem>
-          <para>
-            sets the default TSIG key for use in local-only mode
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>K{name}.+157.+{random}.key</constant></term>
-        <listitem>
-          <para>
-            base-64 encoding of HMAC-MD5 key created by
-            <citerefentry>
-              <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-            </citerefentry>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><constant>K{name}.+157.+{random}.private</constant></term>
-        <listitem>
-          <para>
-            base-64 encoding of HMAC-MD5 key created by
-            <citerefentry>
-              <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-            </citerefentry>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para>
-      <citetitle>RFC 2136</citetitle>,
-      <citetitle>RFC 3007</citetitle>,
-      <citetitle>RFC 2104</citetitle>,
-      <citetitle>RFC 2845</citetitle>,
-      <citetitle>RFC 1034</citetitle>,
-      <citetitle>RFC 2535</citetitle>,
-      <citetitle>RFC 2931</citetitle>,
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>BUGS</title>
-    <para>
-      The TSIG key is redundantly stored in two separate files.
-      This is a consequence of nsupdate using the DST library
-      for its cryptographic operations, and may change in future
-      releases.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.html b/contrib/bind9/bin/nsupdate/nsupdate.html
deleted file mode 100644
index 276d4af..0000000
--- a/contrib/bind9/bin/nsupdate/nsupdate.html
+++ /dev/null
@@ -1,584 +0,0 @@
-<!--
- - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.nsupdate"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-l</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543464"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">nsupdate</strong></span>
-      is used to submit Dynamic DNS Update requests as defined in RFC 2136
-      to a name server.
-      This allows resource records to be added or removed from a zone
-      without manually editing the zone file.
-      A single update request can contain requests to add or remove more than
-      one
-      resource record.
-    </p>
-<p>
-      Zones that are under dynamic control via
-      <span><strong class="command">nsupdate</strong></span>
-      or a DHCP server should not be edited by hand.
-      Manual edits could
-      conflict with dynamic updates and cause data to be lost.
-    </p>
-<p>
-      The resource records that are dynamically added or removed with
-      <span><strong class="command">nsupdate</strong></span>
-      have to be in the same zone.
-      Requests are sent to the zone's master server.
-      This is identified by the MNAME field of the zone's SOA record.
-    </p>
-<p>
-      The
-      <code class="option">-d</code>
-      option makes
-      <span><strong class="command">nsupdate</strong></span>
-      operate in debug mode.
-      This provides tracing information about the update requests that are
-      made and the replies received from the name server.
-    </p>
-<p>
-      The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
-      report additional debugging information to <code class="option">-d</code>.
-    </p>
-<p>
-      The <code class="option">-L</code> option with an integer argument of zero or
-      higher sets the logging debug level.  If zero, logging is disabled.
-    </p>
-<p>
-      Transaction signatures can be used to authenticate the Dynamic
-      DNS updates.  These use the TSIG resource record type described
-      in RFC 2845 or the SIG(0) record described in RFC 2535 and
-      RFC 2931 or GSS-TSIG as described in RFC 3645.  TSIG relies on
-      a shared secret that should only be known to
-      <span><strong class="command">nsupdate</strong></span> and the name server.  Currently,
-      the only supported encryption algorithm for TSIG is HMAC-MD5,
-      which is defined in RFC 2104.  Once other algorithms are
-      defined for TSIG, applications will need to ensure they select
-      the appropriate algorithm as well as the key when authenticating
-      each other.  For instance, suitable <span class="type">key</span> and
-      <span class="type">server</span> statements would be added to
-      <code class="filename">/etc/named.conf</code> so that the name server
-      can associate the appropriate secret key and algorithm with
-      the IP address of the client application that will be using
-      TSIG authentication.  SIG(0) uses public key cryptography.
-      To use a SIG(0) key, the public key must be stored in a KEY
-      record in a zone served by the name server.
-      <span><strong class="command">nsupdate</strong></span> does not read
-      <code class="filename">/etc/named.conf</code>.
-    </p>
-<p>
-      GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
-      is switched on with the <code class="option">-g</code> flag.  A
-      non-standards-compliant variant of GSS-TSIG used by Windows
-      2000 can be switched on with the <code class="option">-o</code> flag.
-    </p>
-<p><span><strong class="command">nsupdate</strong></span>
-      uses the <code class="option">-y</code> or <code class="option">-k</code> option
-      to provide the shared secret needed to generate a TSIG record
-      for authenticating Dynamic DNS update requests, default type
-      HMAC-MD5.  These options are mutually exclusive. 
-    </p>
-<p>
-      When the <code class="option">-y</code> option is used, a signature is
-      generated from
-      [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
-      <em class="parameter"><code>keyname</code></em> is the name of the key, and
-      <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
-      Use of the <code class="option">-y</code> option is discouraged because the
-      shared secret is supplied as a command line argument in clear text.
-      This may be visible in the output from
-      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
-      or in a history file maintained by the user's shell.
-    </p>
-<p>
-      With the
-      <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
-      the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
-      Keyfiles may be in two formats: a single file containing
-      a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
-      statement, which may be generated automatically by
-      <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
-      of the format <code class="filename">K{name}.+157.+{random}.key</code> and
-      <code class="filename">K{name}.+157.+{random}.private</code>, which can be
-      generated by <span><strong class="command">dnssec-keygen</strong></span>.
-      The <code class="option">-k</code> may also be used to specify a SIG(0) key used
-      to authenticate Dynamic DNS update requests.  In this case, the key
-      specified is not an HMAC-MD5 key.
-    </p>
-<p>
-      <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
-      using the <code class="option">-l</code> flag.  This sets the server address to
-      localhost (disabling the <span><strong class="command">server</strong></span> so that the server
-      address cannot be overridden).  Connections to the local server will
-      use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
-      which is automatically generated by <span><strong class="command">named</strong></span> if any
-      local master zone has set <span><strong class="command">update-policy</strong></span> to
-      <span><strong class="command">local</strong></span>.  The location of this key file can be
-      overridden with the <code class="option">-k</code> option.
-    </p>
-<p>
-      By default, <span><strong class="command">nsupdate</strong></span>
-      uses UDP to send update requests to the name server unless they are too
-      large to fit in a UDP request in which case TCP will be used.
-      The
-      <code class="option">-v</code>
-      option makes
-      <span><strong class="command">nsupdate</strong></span>
-      use a TCP connection.
-      This may be preferable when a batch of update requests is made.
-    </p>
-<p>
-      The <code class="option">-p</code> sets the default port number to use for
-      connections to a name server.  The default is 53.
-    </p>
-<p>
-      The <code class="option">-t</code> option sets the maximum time an update request
-      can
-      take before it is aborted.  The default is 300 seconds.  Zero can be
-      used
-      to disable the timeout.
-    </p>
-<p>
-      The <code class="option">-u</code> option sets the UDP retry interval.  The default
-      is
-      3 seconds.  If zero, the interval will be computed from the timeout
-      interval
-      and number of UDP retries.
-    </p>
-<p>
-      The <code class="option">-r</code> option sets the number of UDP retries. The
-      default is
-      3.  If zero, only one update request will be made.
-    </p>
-<p>
-      The <code class="option">-R <em class="replaceable"><code>randomdev</code></em></code> option
-      specifies a source of randomness.  If the operating system
-      does not provide a <code class="filename">/dev/random</code> or
-      equivalent device, the default source of randomness is keyboard
-      input.  <code class="filename">randomdev</code> specifies the name of
-      a character device or file containing random data to be used
-      instead of the default.  The special value
-      <code class="filename">keyboard</code> indicates that keyboard input
-      should be used.  This option may be specified multiple times.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543796"></a><h2>INPUT FORMAT</h2>
-<p><span><strong class="command">nsupdate</strong></span>
-      reads input from
-      <em class="parameter"><code>filename</code></em>
-      or standard input.
-      Each command is supplied on exactly one line of input.
-      Some commands are for administrative purposes.
-      The others are either update instructions or prerequisite checks on the
-      contents of the zone.
-      These checks set conditions that some name or set of
-      resource records (RRset) either exists or is absent from the zone.
-      These conditions must be met if the entire update request is to succeed.
-      Updates will be rejected if the tests for the prerequisite conditions
-      fail.
-    </p>
-<p>
-      Every update request consists of zero or more prerequisites
-      and zero or more updates.
-      This allows a suitably authenticated update request to proceed if some
-      specified resource records are present or missing from the zone.
-      A blank input line (or the <span><strong class="command">send</strong></span> command)
-      causes the
-      accumulated commands to be sent as one Dynamic DNS update request to the
-      name server.
-    </p>
-<p>
-      The command formats and their meaning are as follows:
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term">
-              <span><strong class="command">server</strong></span>
-               {servername}
-               [port]
-            </span></dt>
-<dd><p>
-              Sends all dynamic update requests to the name server
-              <em class="parameter"><code>servername</code></em>.
-              When no server statement is provided,
-              <span><strong class="command">nsupdate</strong></span>
-              will send updates to the master server of the correct zone.
-              The MNAME field of that zone's SOA record will identify the
-              master
-              server for that zone.
-              <em class="parameter"><code>port</code></em>
-              is the port number on
-              <em class="parameter"><code>servername</code></em>
-              where the dynamic update requests get sent.
-              If no port number is specified, the default DNS port number of
-              53 is
-              used.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">local</strong></span>
-               {address}
-               [port]
-            </span></dt>
-<dd><p>
-              Sends all dynamic update requests using the local
-              <em class="parameter"><code>address</code></em>.
-
-              When no local statement is provided,
-              <span><strong class="command">nsupdate</strong></span>
-              will send updates using an address and port chosen by the
-              system.
-              <em class="parameter"><code>port</code></em>
-              can additionally be used to make requests come from a specific
-              port.
-              If no port number is specified, the system will assign one.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">zone</strong></span>
-               {zonename}
-            </span></dt>
-<dd><p>
-              Specifies that all updates are to be made to the zone
-              <em class="parameter"><code>zonename</code></em>.
-              If no
-              <em class="parameter"><code>zone</code></em>
-              statement is provided,
-              <span><strong class="command">nsupdate</strong></span>
-              will attempt determine the correct zone to update based on the
-              rest of the input.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">class</strong></span>
-               {classname}
-            </span></dt>
-<dd><p>
-              Specify the default class.
-              If no <em class="parameter"><code>class</code></em> is specified, the
-              default class is
-              <em class="parameter"><code>IN</code></em>.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">ttl</strong></span>
-               {seconds}
-            </span></dt>
-<dd><p>
-              Specify the default time to live for records to be added.
-	      The value <em class="parameter"><code>none</code></em> will clear the default
-	      ttl.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">key</strong></span>
-               {name}
-               {secret}
-            </span></dt>
-<dd><p>
-              Specifies that all updates are to be TSIG-signed using the
-              <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.
-              The <span><strong class="command">key</strong></span> command
-              overrides any key specified on the command line via
-              <code class="option">-y</code> or <code class="option">-k</code>.
-            </p></dd>
-<dt><span class="term">
-            <span><strong class="command">gsstsig</strong></span>
-          </span></dt>
-<dd><p>
-	      Use GSS-TSIG to sign the updated.  This is equivalent to
-	      specifying <code class="option">-g</code> on the commandline.
-            </p></dd>
-<dt><span class="term">
-            <span><strong class="command">oldgsstsig</strong></span>
-          </span></dt>
-<dd><p>
-	      Use the Windows 2000 version of GSS-TSIG to sign the updated.
-	      This is equivalent to specifying <code class="option">-o</code> on the
-	      commandline.
-            </p></dd>
-<dt><span class="term">
-            <span><strong class="command">realm</strong></span>
-             {[<span class="optional">realm_name</span>]}
-          </span></dt>
-<dd><p>
-	      When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
-	      than the default realm in <code class="filename">krb5.conf</code>.  If no
-	      realm is specified the saved realm is cleared.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] nxdomain</strong></span>
-               {domain-name}
-            </span></dt>
-<dd><p>
-              Requires that no resource record of any type exists with name
-              <em class="parameter"><code>domain-name</code></em>.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] yxdomain</strong></span>
-               {domain-name}
-            </span></dt>
-<dd><p>
-              Requires that
-              <em class="parameter"><code>domain-name</code></em>
-              exists (has as at least one resource record, of any type).
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] nxrrset</strong></span>
-               {domain-name}
-               [class]
-               {type}
-            </span></dt>
-<dd><p>
-              Requires that no resource record exists of the specified
-              <em class="parameter"><code>type</code></em>,
-              <em class="parameter"><code>class</code></em>
-              and
-              <em class="parameter"><code>domain-name</code></em>.
-              If
-              <em class="parameter"><code>class</code></em>
-              is omitted, IN (internet) is assumed.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
-               {domain-name}
-               [class]
-               {type}
-            </span></dt>
-<dd><p>
-              This requires that a resource record of the specified
-              <em class="parameter"><code>type</code></em>,
-              <em class="parameter"><code>class</code></em>
-              and
-              <em class="parameter"><code>domain-name</code></em>
-              must exist.
-              If
-              <em class="parameter"><code>class</code></em>
-              is omitted, IN (internet) is assumed.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
-               {domain-name}
-               [class]
-               {type}
-               {data...}
-            </span></dt>
-<dd><p>
-              The
-              <em class="parameter"><code>data</code></em>
-              from each set of prerequisites of this form
-              sharing a common
-              <em class="parameter"><code>type</code></em>,
-              <em class="parameter"><code>class</code></em>,
-              and
-              <em class="parameter"><code>domain-name</code></em>
-              are combined to form a set of RRs.  This set of RRs must
-              exactly match the set of RRs existing in the zone at the
-              given
-              <em class="parameter"><code>type</code></em>,
-              <em class="parameter"><code>class</code></em>,
-              and
-              <em class="parameter"><code>domain-name</code></em>.
-              The
-              <em class="parameter"><code>data</code></em>
-              are written in the standard text representation of the resource
-              record's
-              RDATA.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
-               {domain-name}
-               [ttl]
-               [class]
-               [type [data...]]
-            </span></dt>
-<dd><p>
-              Deletes any resource records named
-              <em class="parameter"><code>domain-name</code></em>.
-              If
-              <em class="parameter"><code>type</code></em>
-              and
-              <em class="parameter"><code>data</code></em>
-              is provided, only matching resource records will be removed.
-              The internet class is assumed if
-              <em class="parameter"><code>class</code></em>
-              is not supplied.  The
-              <em class="parameter"><code>ttl</code></em>
-              is ignored, and is only allowed for compatibility.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">update</span>] add</strong></span>
-               {domain-name}
-               {ttl}
-               [class]
-               {type}
-               {data...}
-            </span></dt>
-<dd><p>
-              Adds a new resource record with the specified
-              <em class="parameter"><code>ttl</code></em>,
-              <em class="parameter"><code>class</code></em>
-              and
-              <em class="parameter"><code>data</code></em>.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">show</strong></span>
-            </span></dt>
-<dd><p>
-              Displays the current message, containing all of the
-              prerequisites and
-              updates specified since the last send.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">send</strong></span>
-            </span></dt>
-<dd><p>
-              Sends the current message.  This is equivalent to entering a
-              blank line.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">answer</strong></span>
-            </span></dt>
-<dd><p>
-              Displays the answer.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">debug</strong></span>
-            </span></dt>
-<dd><p>
-              Turn on debugging.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-<p>
-      Lines beginning with a semicolon are comments and are ignored.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544725"></a><h2>EXAMPLES</h2>
-<p>
-      The examples below show how
-      <span><strong class="command">nsupdate</strong></span>
-      could be used to insert and delete resource records from the
-      <span class="type">example.com</span>
-      zone.
-      Notice that the input in each example contains a trailing blank line so
-      that
-      a group of commands are sent as one dynamic update request to the
-      master name server for
-      <span class="type">example.com</span>.
-
-      </p>
-<pre class="programlisting">
-# nsupdate
-&gt; update delete oldhost.example.com A
-&gt; update add newhost.example.com 86400 A 172.16.1.1
-&gt; send
-</pre>
-<p>
-    </p>
-<p>
-      Any A records for
-      <span class="type">oldhost.example.com</span>
-      are deleted.
-      And an A record for
-      <span class="type">newhost.example.com</span>
-      with IP address 172.16.1.1 is added.
-      The newly-added record has a 1 day TTL (86400 seconds).
-      </p>
-<pre class="programlisting">
-# nsupdate
-&gt; prereq nxdomain nickname.example.com
-&gt; update add nickname.example.com 86400 CNAME somehost.example.com
-&gt; send
-</pre>
-<p>
-    </p>
-<p>
-      The prerequisite condition gets the name server to check that there
-      are no resource records of any type for
-      <span class="type">nickname.example.com</span>.
-
-      If there are, the update request fails.
-      If this name does not exist, a CNAME for it is added.
-      This ensures that when the CNAME is added, it cannot conflict with the
-      long-standing rule in RFC 1034 that a name must not exist as any other
-      record type if it exists as a CNAME.
-      (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
-      RRSIG, DNSKEY and NSEC records.)
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544769"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
-<dd><p>
-            used to identify default name server
-          </p></dd>
-<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
-<dd><p>
-            sets the default TSIG key for use in local-only mode
-          </p></dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
-<dd><p>
-            base-64 encoding of HMAC-MD5 key created by
-            <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-          </p></dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
-<dd><p>
-            base-64 encoding of HMAC-MD5 key created by
-            <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2542121"></a><h2>SEE ALSO</h2>
-<p>
-      <em class="citetitle">RFC 2136</em>,
-      <em class="citetitle">RFC 3007</em>,
-      <em class="citetitle">RFC 2104</em>,
-      <em class="citetitle">RFC 2845</em>,
-      <em class="citetitle">RFC 1034</em>,
-      <em class="citetitle">RFC 2535</em>,
-      <em class="citetitle">RFC 2931</em>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2542179"></a><h2>BUGS</h2>
-<p>
-      The TSIG key is redundantly stored in two separate files.
-      This is a consequence of nsupdate using the DST library
-      for its cryptographic operations, and may change in future
-      releases.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/rndc/Makefile.in b/contrib/bind9/bin/rndc/Makefile.in
deleted file mode 100644
index f6100df..0000000
--- a/contrib/bind9/bin/rndc/Makefile.in
+++ /dev/null
@@ -1,92 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.49 2009/12/05 23:31:40 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
-	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-BIND9LIBS =	../../lib/bind9/libbind9.@A@
-
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
-BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
-
-LIBS =		${ISCLIBS} @LIBS@
-NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
-
-RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
-
-CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
-
-SRCS=		rndc.c
-
-TARGETS =	rndc@EXEEXT@
-
-MANPAGES =	rndc.8 rndc.conf.5
-
-HTMLPAGES =	rndc.html rndc.conf.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-rndc.@O@: rndc.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DRNDC_CONFFILE=\"${sysconfdir}/rndc.conf\" \
-		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-		-c ${srcdir}/rndc.c
-
-rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
-	export BASEOBJS="rndc.@O@ util.@O@"; \
-	export LIBS0="${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS}"; \
-	${FINALBUILDCMD}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
-
-install:: rndc@EXEEXT@ installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
-	${INSTALL_DATA} ${srcdir}/rndc.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/rndc.conf.5 ${DESTDIR}${mandir}/man5
-
-clean distclean maintainer-clean::
-	rm -f ${TARGETS}
diff --git a/contrib/bind9/bin/rndc/include/rndc/os.h b/contrib/bind9/bin/rndc/include/rndc/os.h
deleted file mode 100644
index 3f2c776..0000000
--- a/contrib/bind9/bin/rndc/include/rndc/os.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.h,v 1.12 2009/06/10 00:27:21 each Exp $ */
-
-/*! \file */
-
-#ifndef RNDC_OS_H
-#define RNDC_OS_H 1
-
-#include <isc/lang.h>
-#include <stdio.h>
-
-ISC_LANG_BEGINDECLS
-
-int set_user(FILE *fd, const char *user);
-/*%<
- * Set the owner of the file referenced by 'fd' to 'user'.
- * Returns:
- *   0 		success
- *   -1 	insufficient permissions, or 'user' does not exist.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/bin/rndc/rndc.8 b/contrib/bind9/bin/rndc/rndc.8
deleted file mode 100644
index 7197ed0..0000000
--- a/contrib/bind9/bin/rndc/rndc.8
+++ /dev/null
@@ -1,148 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: rndc
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "RNDC" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-rndc \- name server control utility
-.SH "SYNOPSIS"
-.HP 5
-\fBrndc\fR [\fB\-b\ \fR\fB\fIsource\-address\fR\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-k\ \fR\fB\fIkey\-file\fR\fR] [\fB\-s\ \fR\fB\fIserver\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-V\fR] [\fB\-y\ \fR\fB\fIkey_id\fR\fR] {command}
-.SH "DESCRIPTION"
-.PP
-\fBrndc\fR
-controls the operation of a name server. It supersedes the
-\fBndc\fR
-utility that was provided in old BIND releases. If
-\fBrndc\fR
-is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.
-.PP
-\fBrndc\fR
-communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of
-\fBrndc\fR
-and
-\fBnamed\fR, the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
-.PP
-\fBrndc\fR
-reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
-.SH "OPTIONS"
-.PP
-\-b \fIsource\-address\fR
-.RS 4
-Use
-\fIsource\-address\fR
-as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses.
-.RE
-.PP
-\-c \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/rndc.conf\fR.
-.RE
-.PP
-\-k \fIkey\-file\fR
-.RS 4
-Use
-\fIkey\-file\fR
-as the key file instead of the default,
-\fI/etc/rndc.key\fR. The key in
-\fI/etc/rndc.key\fR
-will be used to authenticate commands sent to the server if the
-\fIconfig\-file\fR
-does not exist.
-.RE
-.PP
-\-s \fIserver\fR
-.RS 4
-\fIserver\fR
-is the name or address of the server which matches a server statement in the configuration file for
-\fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the options statement of the
-\fBrndc\fR
-configuration file will be used.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Send commands to TCP port
-\fIport\fR
-instead of BIND 9's default control channel port, 953.
-.RE
-.PP
-\-V
-.RS 4
-Enable verbose logging.
-.RE
-.PP
-\-y \fIkey_id\fR
-.RS 4
-Use the key
-\fIkey_id\fR
-from the configuration file.
-\fIkey_id\fR
-must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no
-\fIkey_id\fR
-is specified,
-\fBrndc\fR
-will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default\-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access.
-.RE
-.PP
-For the complete set of commands supported by
-\fBrndc\fR, see the BIND 9 Administrator Reference Manual or run
-\fBrndc\fR
-without arguments to see its help message.
-.SH "LIMITATIONS"
-.PP
-\fBrndc\fR
-does not yet support all the commands of the BIND 8
-\fBndc\fR
-utility.
-.PP
-There is currently no way to provide the shared secret for a
-\fBkey_id\fR
-without using the configuration file.
-.PP
-Several error messages could be clearer.
-.SH "SEE ALSO"
-.PP
-\fBrndc.conf\fR(5),
-\fBrndc\-confgen\fR(8),
-\fBnamed\fR(8),
-\fBnamed.conf\fR(5),
-\fBndc\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/rndc/rndc.c b/contrib/bind9/bin/rndc/rndc.c
deleted file mode 100644
index e3e6525..0000000
--- a/contrib/bind9/bin/rndc/rndc.c
+++ /dev/null
@@ -1,905 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-/*
- * Principal Author: DCL
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/app.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/file.h>
-#include <isc/log.h>
-#include <isc/net.h>
-#include <isc/mem.h>
-#include <isc/random.h>
-#include <isc/socket.h>
-#include <isc/stdtime.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <isccc/alist.h>
-#include <isccc/base64.h>
-#include <isccc/cc.h>
-#include <isccc/ccmsg.h>
-#include <isccc/result.h>
-#include <isccc/sexpr.h>
-#include <isccc/types.h>
-#include <isccc/util.h>
-
-#include <dns/name.h>
-
-#include <bind9/getaddresses.h>
-
-#include "util.h"
-
-#define SERVERADDRS 10
-
-const char *progname;
-isc_boolean_t verbose;
-
-static const char *admin_conffile;
-static const char *admin_keyfile;
-static const char *version = VERSION;
-static const char *servername = NULL;
-static isc_sockaddr_t serveraddrs[SERVERADDRS];
-static isc_sockaddr_t local4, local6;
-static isc_boolean_t local4set = ISC_FALSE, local6set = ISC_FALSE;
-static int nserveraddrs;
-static int currentaddr = 0;
-static unsigned int remoteport = 0;
-static isc_socketmgr_t *socketmgr = NULL;
-static unsigned char databuf[2048];
-static isccc_ccmsg_t ccmsg;
-static isccc_region_t secret;
-static isc_boolean_t failed = ISC_FALSE;
-static isc_boolean_t c_flag = ISC_FALSE;
-static isc_mem_t *mctx;
-static int sends, recvs, connects;
-static char *command;
-static char *args;
-static char program[256];
-static isc_socket_t *sock = NULL;
-static isc_uint32_t serial;
-
-static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task);
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(int status) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(int status) {
-	fprintf(stderr, "\
-Usage: %s [-b address] [-c config] [-s server] [-p port]\n\
-	[-k key-file ] [-y key] [-V] command\n\
-\n\
-command is one of the following:\n\
-\n\
-  reload	Reload configuration file and zones.\n\
-  reload zone [class [view]]\n\
-		Reload a single zone.\n\
-  refresh zone [class [view]]\n\
-		Schedule immediate maintenance for a zone.\n\
-  retransfer zone [class [view]]\n\
-		Retransfer a single zone without checking serial number.\n\
-  freeze	Suspend updates to all dynamic zones.\n\
-  freeze zone [class [view]]\n\
-		Suspend updates to a dynamic zone.\n\
-  thaw		Enable updates to all dynamic zones and reload them.\n\
-  thaw zone [class [view]]\n\
-		Enable updates to a frozen dynamic zone and reload it.\n\
-  sync [-clean]	Dump changes to all dynamic zones to disk, and optionally\n\
-		remove their journal files.\n\
-  sync [-clean] zone [class [view]]\n\
-		Dump a single zone's changes to disk, and optionally\n\
-		remove its journal file.\n\
-  notify zone [class [view]]\n\
-		Resend NOTIFY messages for the zone.\n\
-  reconfig	Reload configuration file and new zones only.\n\
-  sign zone [class [view]]\n\
-		Update zone keys, and sign as needed.\n\
-  loadkeys zone [class [view]]\n\
-		Update keys without signing immediately.\n\
-  stats		Write server statistics to the statistics file.\n\
-  querylog newstate\n\
-		Enable / disable query logging.\n\
-  dumpdb [-all|-cache|-zones] [view ...]\n\
-		Dump cache(s) to the dump file (named_dump.db).\n\
-  secroots [view ...]\n\
-		Write security roots to the secroots file.\n\
-  stop		Save pending updates to master files and stop the server.\n\
-  stop -p	Save pending updates to master files and stop the server\n\
-		reporting process id.\n\
-  halt		Stop the server without saving pending updates.\n\
-  halt -p	Stop the server without saving pending updates reporting\n\
-		process id.\n\
-  trace		Increment debugging level by one.\n\
-  trace level	Change the debugging level.\n\
-  notrace	Set debugging level to 0.\n\
-  flush 	Flushes all of the server's caches.\n\
-  flush [view]	Flushes the server's cache for a view.\n\
-  flushname name [view]\n\
-		Flush the given name from the server's cache(s)\n\
-  flushtree name [view]\n\
-		Flush all names under the given name from the server's cache(s)\n\
-  status	Display status of the server.\n\
-  recursing	Dump the queries that are currently recursing (named.recursing)\n\
-  tsig-list	List all currently active TSIG keys, including both statically\n\
-		configured and TKEY-negotiated keys.\n\
-  tsig-delete keyname [view]	\n\
-		Delete a TKEY-negotiated TSIG key.\n\
-  validation newstate [view]\n\
-		Enable / disable DNSSEC validation.\n\
-  addzone [\"file\"] zone [class [view]] { zone-options }\n\
-		Add zone to given view. Requires new-zone-file option.\n\
-  delzone [\"file\"] zone [class [view]]\n\
-		Removes zone from given view. Requires new-zone-file option.\n\
-  signing -list zone [class [view]]\n\
-		List the private records showing the state of DNSSEC\n\
-		signing in the given zone.\n\
-  signing -clear <keyid>/<algorithm> zone [class [view]]\n\
-		Remove the private record that indicating the given key\n\
-		has finished signing the given zone.\n\
-  signing -clear all zone [class [view]]\n\
-		Remove the private records for all keys that have\n\
-		finished signing the given zone.\n\
-  signing -nsec3param none zone [class [view]]\n\
-		Remove NSEC3 chains from zone.\n\
-  signing -nsec3param hash flags iterations salt zone [class [view]]\n\
-		Add NSEC3 chain to zone if already signed.\n\
-		Prime zone with NSEC3 chain if not yet signed.\n\
-  *restart	Restart the server.\n\
-\n\
-* == not yet implemented\n\
-Version: %s\n",
-		progname, version);
-
-	exit(status);
-}
-
-static void
-get_addresses(const char *host, in_port_t port) {
-	isc_result_t result;
-	int found = 0, count;
-
-	if (*host == '/') {
-		result = isc_sockaddr_frompath(&serveraddrs[nserveraddrs],
-					       host);
-		if (result == ISC_R_SUCCESS)
-			nserveraddrs++;
-	} else {
-		count = SERVERADDRS - nserveraddrs;
-		result = bind9_getaddresses(host, port,
-					    &serveraddrs[nserveraddrs],
-					    count, &found);
-		nserveraddrs += found;
-	}
-	if (result != ISC_R_SUCCESS)
-		fatal("couldn't get address for '%s': %s",
-		      host, isc_result_totext(result));
-	INSIST(nserveraddrs > 0);
-}
-
-static void
-rndc_senddone(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-
-	UNUSED(task);
-
-	sends--;
-	if (sevent->result != ISC_R_SUCCESS)
-		fatal("send failed: %s", isc_result_totext(sevent->result));
-	isc_event_free(&event);
-	if (sends == 0 && recvs == 0) {
-		isc_socket_detach(&sock);
-		isc_task_shutdown(task);
-		RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
-	}
-}
-
-static void
-rndc_recvdone(isc_task_t *task, isc_event_t *event) {
-	isccc_sexpr_t *response = NULL;
-	isccc_sexpr_t *data;
-	isccc_region_t source;
-	char *errormsg = NULL;
-	char *textmsg = NULL;
-	isc_result_t result;
-
-	recvs--;
-
-	if (ccmsg.result == ISC_R_EOF)
-		fatal("connection to remote host closed\n"
-		      "This may indicate that\n"
-		      "* the remote server is using an older version of"
-		      " the command protocol,\n"
-		      "* this host is not authorized to connect,\n"
-		      "* the clocks are not synchronized, or\n"
-		      "* the key is invalid.");
-
-	if (ccmsg.result != ISC_R_SUCCESS)
-		fatal("recv failed: %s", isc_result_totext(ccmsg.result));
-
-	source.rstart = isc_buffer_base(&ccmsg.buffer);
-	source.rend = isc_buffer_used(&ccmsg.buffer);
-
-	DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
-
-	data = isccc_alist_lookup(response, "_data");
-	if (data == NULL)
-		fatal("no data section in response");
-	result = isccc_cc_lookupstring(data, "err", &errormsg);
-	if (result == ISC_R_SUCCESS) {
-		failed = ISC_TRUE;
-		fprintf(stderr, "%s: '%s' failed: %s\n",
-			progname, command, errormsg);
-	}
-	else if (result != ISC_R_NOTFOUND)
-		fprintf(stderr, "%s: parsing response failed: %s\n",
-			progname, isc_result_totext(result));
-
-	result = isccc_cc_lookupstring(data, "text", &textmsg);
-	if (result == ISC_R_SUCCESS)
-		printf("%s\n", textmsg);
-	else if (result != ISC_R_NOTFOUND)
-		fprintf(stderr, "%s: parsing response failed: %s\n",
-			progname, isc_result_totext(result));
-
-	isc_event_free(&event);
-	isccc_sexpr_free(&response);
-	if (sends == 0 && recvs == 0) {
-		isc_socket_detach(&sock);
-		isc_task_shutdown(task);
-		RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
-	}
-}
-
-static void
-rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
-	isccc_sexpr_t *response = NULL;
-	isccc_sexpr_t *_ctrl;
-	isccc_region_t source;
-	isc_result_t result;
-	isc_uint32_t nonce;
-	isccc_sexpr_t *request = NULL;
-	isccc_time_t now;
-	isc_region_t r;
-	isccc_sexpr_t *data;
-	isccc_region_t message;
-	isc_uint32_t len;
-	isc_buffer_t b;
-
-	recvs--;
-
-	if (ccmsg.result == ISC_R_EOF)
-		fatal("connection to remote host closed\n"
-		      "This may indicate that\n"
-		      "* the remote server is using an older version of"
-		      " the command protocol,\n"
-		      "* this host is not authorized to connect,\n"
-		      "* the clocks are not synchronized, or\n"
-		      "* the key is invalid.");
-
-	if (ccmsg.result != ISC_R_SUCCESS)
-		fatal("recv failed: %s", isc_result_totext(ccmsg.result));
-
-	source.rstart = isc_buffer_base(&ccmsg.buffer);
-	source.rend = isc_buffer_used(&ccmsg.buffer);
-
-	DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
-
-	_ctrl = isccc_alist_lookup(response, "_ctrl");
-	if (_ctrl == NULL)
-		fatal("_ctrl section missing");
-	nonce = 0;
-	if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
-		nonce = 0;
-
-	isc_stdtime_get(&now);
-
-	DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
-						    now, now + 60, &request));
-	data = isccc_alist_lookup(request, "_data");
-	if (data == NULL)
-		fatal("_data section missing");
-	if (isccc_cc_definestring(data, "type", args) == NULL)
-		fatal("out of memory");
-	if (nonce != 0) {
-		_ctrl = isccc_alist_lookup(request, "_ctrl");
-		if (_ctrl == NULL)
-			fatal("_ctrl section missing");
-		if (isccc_cc_defineuint32(_ctrl, "_nonce", nonce) == NULL)
-			fatal("out of memory");
-	}
-	message.rstart = databuf + 4;
-	message.rend = databuf + sizeof(databuf);
-	DO("render message", isccc_cc_towire(request, &message, &secret));
-	len = sizeof(databuf) - REGION_SIZE(message);
-	isc_buffer_init(&b, databuf, 4);
-	isc_buffer_putuint32(&b, len - 4);
-	r.length = len;
-	r.base = databuf;
-
-	isccc_ccmsg_cancelread(&ccmsg);
-	DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
-						    rndc_recvdone, NULL));
-	recvs++;
-	DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
-					   NULL));
-	sends++;
-
-	isc_event_free(&event);
-	isccc_sexpr_free(&response);
-	return;
-}
-
-static void
-rndc_connected(isc_task_t *task, isc_event_t *event) {
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	isccc_sexpr_t *request = NULL;
-	isccc_sexpr_t *data;
-	isccc_time_t now;
-	isccc_region_t message;
-	isc_region_t r;
-	isc_uint32_t len;
-	isc_buffer_t b;
-	isc_result_t result;
-
-	connects--;
-
-	if (sevent->result != ISC_R_SUCCESS) {
-		isc_sockaddr_format(&serveraddrs[currentaddr], socktext,
-				    sizeof(socktext));
-		if (sevent->result != ISC_R_CANCELED &&
-		    ++currentaddr < nserveraddrs)
-		{
-			notify("connection failed: %s: %s", socktext,
-			       isc_result_totext(sevent->result));
-			isc_socket_detach(&sock);
-			isc_event_free(&event);
-			rndc_startconnect(&serveraddrs[currentaddr], task);
-			return;
-		} else
-			fatal("connect failed: %s: %s", socktext,
-			      isc_result_totext(sevent->result));
-	}
-
-	isc_stdtime_get(&now);
-	DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
-						    now, now + 60, &request));
-	data = isccc_alist_lookup(request, "_data");
-	if (data == NULL)
-		fatal("_data section missing");
-	if (isccc_cc_definestring(data, "type", "null") == NULL)
-		fatal("out of memory");
-	message.rstart = databuf + 4;
-	message.rend = databuf + sizeof(databuf);
-	DO("render message", isccc_cc_towire(request, &message, &secret));
-	len = sizeof(databuf) - REGION_SIZE(message);
-	isc_buffer_init(&b, databuf, 4);
-	isc_buffer_putuint32(&b, len - 4);
-	r.length = len;
-	r.base = databuf;
-
-	isccc_ccmsg_init(mctx, sock, &ccmsg);
-	isccc_ccmsg_setmaxsize(&ccmsg, 1024 * 1024);
-
-	DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
-						    rndc_recvnonce, NULL));
-	recvs++;
-	DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
-					   NULL));
-	sends++;
-	isc_event_free(&event);
-}
-
-static void
-rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) {
-	isc_result_t result;
-	int pf;
-	isc_sockettype_t type;
-
-	char socktext[ISC_SOCKADDR_FORMATSIZE];
-
-	isc_sockaddr_format(addr, socktext, sizeof(socktext));
-
-	notify("using server %s (%s)", servername, socktext);
-
-	pf = isc_sockaddr_pf(addr);
-	if (pf == AF_INET || pf == AF_INET6)
-		type = isc_sockettype_tcp;
-	else
-		type = isc_sockettype_unix;
-	DO("create socket", isc_socket_create(socketmgr, pf, type, &sock));
-	switch (isc_sockaddr_pf(addr)) {
-	case AF_INET:
-		DO("bind socket", isc_socket_bind(sock, &local4, 0));
-		break;
-	case AF_INET6:
-		DO("bind socket", isc_socket_bind(sock, &local6, 0));
-		break;
-	default:
-		break;
-	}
-	DO("connect", isc_socket_connect(sock, addr, task, rndc_connected,
-					 NULL));
-	connects++;
-}
-
-static void
-rndc_start(isc_task_t *task, isc_event_t *event) {
-	isc_event_free(&event);
-
-	currentaddr = 0;
-	rndc_startconnect(&serveraddrs[currentaddr], task);
-}
-
-static void
-parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
-	     cfg_parser_t **pctxp, cfg_obj_t **configp)
-{
-	isc_result_t result;
-	const char *conffile = admin_conffile;
-	const cfg_obj_t *addresses = NULL;
-	const cfg_obj_t *defkey = NULL;
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *servers = NULL;
-	const cfg_obj_t *server = NULL;
-	const cfg_obj_t *keys = NULL;
-	const cfg_obj_t *key = NULL;
-	const cfg_obj_t *defport = NULL;
-	const cfg_obj_t *secretobj = NULL;
-	const cfg_obj_t *algorithmobj = NULL;
-	cfg_obj_t *config = NULL;
-	const cfg_obj_t *address = NULL;
-	const cfg_listelt_t *elt;
-	const char *secretstr;
-	const char *algorithm;
-	static char secretarray[1024];
-	const cfg_type_t *conftype = &cfg_type_rndcconf;
-	isc_boolean_t key_only = ISC_FALSE;
-	const cfg_listelt_t *element;
-
-	if (! isc_file_exists(conffile)) {
-		conffile = admin_keyfile;
-		conftype = &cfg_type_rndckey;
-
-		if (! isc_file_exists(conffile))
-			fatal("neither %s nor %s was found",
-			      admin_conffile, admin_keyfile);
-		key_only = ISC_TRUE;
-	} else if (! c_flag && isc_file_exists(admin_keyfile)) {
-		fprintf(stderr, "WARNING: key file (%s) exists, but using "
-			"default configuration file (%s)\n",
-			admin_keyfile, admin_conffile);
-	}
-
-	DO("create parser", cfg_parser_create(mctx, log, pctxp));
-
-	/*
-	 * The parser will output its own errors, so DO() is not used.
-	 */
-	result = cfg_parse_file(*pctxp, conffile, conftype, &config);
-	if (result != ISC_R_SUCCESS)
-		fatal("could not load rndc configuration");
-
-	if (!key_only)
-		(void)cfg_map_get(config, "options", &options);
-
-	if (key_only && servername == NULL)
-		servername = "127.0.0.1";
-	else if (servername == NULL && options != NULL) {
-		const cfg_obj_t *defserverobj = NULL;
-		(void)cfg_map_get(options, "default-server", &defserverobj);
-		if (defserverobj != NULL)
-			servername = cfg_obj_asstring(defserverobj);
-	}
-
-	if (servername == NULL)
-		fatal("no server specified and no default");
-
-	if (!key_only) {
-		(void)cfg_map_get(config, "server", &servers);
-		if (servers != NULL) {
-			for (elt = cfg_list_first(servers);
-			     elt != NULL;
-			     elt = cfg_list_next(elt))
-			{
-				const char *name;
-				server = cfg_listelt_value(elt);
-				name = cfg_obj_asstring(cfg_map_getname(server));
-				if (strcasecmp(name, servername) == 0)
-					break;
-				server = NULL;
-			}
-		}
-	}
-
-	/*
-	 * Look for the name of the key to use.
-	 */
-	if (keyname != NULL)
-		;		/* Was set on command line, do nothing. */
-	else if (server != NULL) {
-		DO("get key for server", cfg_map_get(server, "key", &defkey));
-		keyname = cfg_obj_asstring(defkey);
-	} else if (options != NULL) {
-		DO("get default key", cfg_map_get(options, "default-key",
-						  &defkey));
-		keyname = cfg_obj_asstring(defkey);
-	} else if (!key_only)
-		fatal("no key for server and no default");
-
-	/*
-	 * Get the key's definition.
-	 */
-	if (key_only)
-		DO("get key", cfg_map_get(config, "key", &key));
-	else {
-		DO("get config key list", cfg_map_get(config, "key", &keys));
-		for (elt = cfg_list_first(keys);
-		     elt != NULL;
-		     elt = cfg_list_next(elt))
-		{
-			key = cfg_listelt_value(elt);
-			if (strcasecmp(cfg_obj_asstring(cfg_map_getname(key)),
-				       keyname) == 0)
-				break;
-		}
-		if (elt == NULL)
-			fatal("no key definition for name %s", keyname);
-	}
-	(void)cfg_map_get(key, "secret", &secretobj);
-	(void)cfg_map_get(key, "algorithm", &algorithmobj);
-	if (secretobj == NULL || algorithmobj == NULL)
-		fatal("key must have algorithm and secret");
-
-	secretstr = cfg_obj_asstring(secretobj);
-	algorithm = cfg_obj_asstring(algorithmobj);
-
-	if (strcasecmp(algorithm, "hmac-md5") != 0)
-		fatal("unsupported algorithm: %s", algorithm);
-
-	secret.rstart = (unsigned char *)secretarray;
-	secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
-	DO("decode base64 secret", isccc_base64_decode(secretstr, &secret));
-	secret.rend = secret.rstart;
-	secret.rstart = (unsigned char *)secretarray;
-
-	/*
-	 * Find the port to connect to.
-	 */
-	if (remoteport != 0)
-		;		/* Was set on command line, do nothing. */
-	else {
-		if (server != NULL)
-			(void)cfg_map_get(server, "port", &defport);
-		if (defport == NULL && options != NULL)
-			(void)cfg_map_get(options, "default-port", &defport);
-	}
-	if (defport != NULL) {
-		remoteport = cfg_obj_asuint32(defport);
-		if (remoteport > 65535 || remoteport == 0)
-			fatal("port %u out of range", remoteport);
-	} else if (remoteport == 0)
-		remoteport = NS_CONTROL_PORT;
-
-	if (server != NULL)
-		result = cfg_map_get(server, "addresses", &addresses);
-	else
-		result = ISC_R_NOTFOUND;
-	if (result == ISC_R_SUCCESS) {
-		for (element = cfg_list_first(addresses);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			isc_sockaddr_t sa;
-
-			address = cfg_listelt_value(element);
-			if (!cfg_obj_issockaddr(address)) {
-				unsigned int myport;
-				const char *name;
-				const cfg_obj_t *obj;
-
-				obj = cfg_tuple_get(address, "name");
-				name = cfg_obj_asstring(obj);
-				obj = cfg_tuple_get(address, "port");
-				if (cfg_obj_isuint32(obj)) {
-					myport = cfg_obj_asuint32(obj);
-					if (myport > ISC_UINT16_MAX ||
-					    myport == 0)
-						fatal("port %u out of range",
-						      myport);
-				} else
-					myport = remoteport;
-				if (nserveraddrs < SERVERADDRS)
-					get_addresses(name, (in_port_t) myport);
-				else
-					fprintf(stderr, "too many address: "
-						"%s: dropped\n", name);
-				continue;
-			}
-			sa = *cfg_obj_assockaddr(address);
-			if (isc_sockaddr_getport(&sa) == 0)
-				isc_sockaddr_setport(&sa, remoteport);
-			if (nserveraddrs < SERVERADDRS)
-				serveraddrs[nserveraddrs++] = sa;
-			else {
-				char socktext[ISC_SOCKADDR_FORMATSIZE];
-
-				isc_sockaddr_format(&sa, socktext,
-						    sizeof(socktext));
-				fprintf(stderr,
-					"too many address: %s: dropped\n",
-					socktext);
-			}
-		}
-	}
-
-	if (!local4set && server != NULL) {
-		address = NULL;
-		cfg_map_get(server, "source-address", &address);
-		if (address != NULL) {
-			local4 = *cfg_obj_assockaddr(address);
-			local4set = ISC_TRUE;
-		}
-	}
-	if (!local4set && options != NULL) {
-		address = NULL;
-		cfg_map_get(options, "default-source-address", &address);
-		if (address != NULL) {
-			local4 = *cfg_obj_assockaddr(address);
-			local4set = ISC_TRUE;
-		}
-	}
-
-	if (!local6set && server != NULL) {
-		address = NULL;
-		cfg_map_get(server, "source-address-v6", &address);
-		if (address != NULL) {
-			local6 = *cfg_obj_assockaddr(address);
-			local6set = ISC_TRUE;
-		}
-	}
-	if (!local6set && options != NULL) {
-		address = NULL;
-		cfg_map_get(options, "default-source-address-v6", &address);
-		if (address != NULL) {
-			local6 = *cfg_obj_assockaddr(address);
-			local6set = ISC_TRUE;
-		}
-	}
-
-	*configp = config;
-}
-
-int
-main(int argc, char **argv) {
-	isc_boolean_t show_final_mem = ISC_FALSE;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_taskmgr_t *taskmgr = NULL;
-	isc_task_t *task = NULL;
-	isc_log_t *log = NULL;
-	isc_logconfig_t *logconfig = NULL;
-	isc_logdestination_t logdest;
-	cfg_parser_t *pctx = NULL;
-	cfg_obj_t *config = NULL;
-	const char *keyname = NULL;
-	struct in_addr in;
-	struct in6_addr in6;
-	char *p;
-	size_t argslen;
-	int ch;
-	int i;
-
-	result = isc_file_progname(*argv, program, sizeof(program));
-	if (result != ISC_R_SUCCESS)
-		memcpy(program, "rndc", 5);
-	progname = program;
-
-	admin_conffile = RNDC_CONFFILE;
-	admin_keyfile = RNDC_KEYFILE;
-
-	isc_sockaddr_any(&local4);
-	isc_sockaddr_any6(&local6);
-
-	result = isc_app_start();
-	if (result != ISC_R_SUCCESS)
-		fatal("isc_app_start() failed: %s", isc_result_totext(result));
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((ch = isc_commandline_parse(argc, argv, "b:c:hk:Mmp:s:Vy:"))
-	       != -1) {
-		switch (ch) {
-		case 'b':
-			if (inet_pton(AF_INET, isc_commandline_argument,
-				      &in) == 1) {
-				isc_sockaddr_fromin(&local4, &in, 0);
-				local4set = ISC_TRUE;
-			} else if (inet_pton(AF_INET6, isc_commandline_argument,
-					     &in6) == 1) {
-				isc_sockaddr_fromin6(&local6, &in6, 0);
-				local6set = ISC_TRUE;
-			}
-			break;
-
-		case 'c':
-			admin_conffile = isc_commandline_argument;
-			c_flag = ISC_TRUE;
-			break;
-
-		case 'k':
-			admin_keyfile = isc_commandline_argument;
-			break;
-
-		case 'M':
-			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
-			break;
-
-		case 'm':
-			show_final_mem = ISC_TRUE;
-			break;
-
-		case 'p':
-			remoteport = atoi(isc_commandline_argument);
-			if (remoteport > 65535 || remoteport == 0)
-				fatal("port '%s' out of range",
-				      isc_commandline_argument);
-			break;
-
-		case 's':
-			servername = isc_commandline_argument;
-			break;
-
-		case 'V':
-			verbose = ISC_TRUE;
-			break;
-
-		case 'y':
-			keyname = isc_commandline_argument;
-			break;
-
-		case '?':
-			if (isc_commandline_option != '?') {
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-				usage(1);
-			}
-			/* FALLTHROUGH */
-		case 'h':
-			usage(0);
-			break;
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-
-	if (argc < 1)
-		usage(1);
-
-	isc_random_get(&serial);
-
-	DO("create memory context", isc_mem_create(0, 0, &mctx));
-	DO("create socket manager", isc_socketmgr_create(mctx, &socketmgr));
-	DO("create task manager", isc_taskmgr_create(mctx, 1, 0, &taskmgr));
-	DO("create task", isc_task_create(taskmgr, 0, &task));
-
-	DO("create logging context", isc_log_create(mctx, &log, &logconfig));
-	isc_log_setcontext(log);
-	DO("setting log tag", isc_log_settag(logconfig, progname));
-	logdest.file.stream = stderr;
-	logdest.file.name = NULL;
-	logdest.file.versions = ISC_LOG_ROLLNEVER;
-	logdest.file.maximum_size = 0;
-	DO("creating log channel",
-	   isc_log_createchannel(logconfig, "stderr",
-				 ISC_LOG_TOFILEDESC, ISC_LOG_INFO, &logdest,
-				 ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL));
-	DO("enabling log channel", isc_log_usechannel(logconfig, "stderr",
-						      NULL, NULL));
-
-	parse_config(mctx, log, keyname, &pctx, &config);
-
-	isccc_result_register();
-
-	command = *argv;
-
-	/*
-	 * Convert argc/argv into a space-delimited command string
-	 * similar to what the user might enter in interactive mode
-	 * (if that were implemented).
-	 */
-	argslen = 0;
-	for (i = 0; i < argc; i++)
-		argslen += strlen(argv[i]) + 1;
-
-	args = isc_mem_get(mctx, argslen);
-	if (args == NULL)
-		DO("isc_mem_get", ISC_R_NOMEMORY);
-
-	p = args;
-	for (i = 0; i < argc; i++) {
-		size_t len = strlen(argv[i]);
-		memcpy(p, argv[i], len);
-		p += len;
-		*p++ = ' ';
-	}
-
-	p--;
-	*p++ = '\0';
-	INSIST(p == args + argslen);
-
-	notify("%s", command);
-
-	if (strcmp(command, "restart") == 0)
-		fatal("'%s' is not implemented", command);
-
-	if (nserveraddrs == 0)
-		get_addresses(servername, (in_port_t) remoteport);
-
-	DO("post event", isc_app_onrun(mctx, task, rndc_start, NULL));
-
-	result = isc_app_run();
-	if (result != ISC_R_SUCCESS)
-		fatal("isc_app_run() failed: %s", isc_result_totext(result));
-
-	if (connects > 0 || sends > 0 || recvs > 0)
-		isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
-
-	isc_task_detach(&task);
-	isc_taskmgr_destroy(&taskmgr);
-	isc_socketmgr_destroy(&socketmgr);
-	isc_log_destroy(&log);
-	isc_log_setcontext(NULL);
-
-	cfg_obj_destroy(pctx, &config);
-	cfg_parser_destroy(&pctx);
-
-	isc_mem_put(mctx, args, argslen);
-	isccc_ccmsg_invalidate(&ccmsg);
-
-	dns_name_destroy();
-
-	if (show_final_mem)
-		isc_mem_stats(mctx, stderr);
-
-	isc_mem_destroy(&mctx);
-
-	if (failed)
-		return (1);
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/rndc/rndc.conf b/contrib/bind9/bin/rndc/rndc.conf
deleted file mode 100644
index 67542b9..0000000
--- a/contrib/bind9/bin/rndc/rndc.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rndc.conf,v 1.11 2007/06/19 23:46:59 tbox Exp $ */
-
-/*
- * Sample rndc configuration file.
- */
-
-options {
-        default-server  localhost;
-        default-key     "key";
-};
-
-server localhost {
-        key     "key";
-};
-
-key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
-	algorithm hmac-md5;
-	secret "34f88008d07deabbe65bd01f1d233d47";
-};
-
-server "test1" {
-        key "cc64b3d1db63fc88d7cb5d2f9f57d258";
-	port 5353;
-        addresses { 10.53.0.1; };
-};
-
-key "key" {
-        algorithm       hmac-md5;
-        secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
diff --git a/contrib/bind9/bin/rndc/rndc.conf.5 b/contrib/bind9/bin/rndc/rndc.conf.5
deleted file mode 100644
index 694a481..0000000
--- a/contrib/bind9/bin/rndc/rndc.conf.5
+++ /dev/null
@@ -1,214 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: \fIrndc.conf\fR
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "\fIRNDC.CONF\fR" "5" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-rndc.conf \- rndc configuration file
-.SH "SYNOPSIS"
-.HP 10
-\fBrndc.conf\fR
-.SH "DESCRIPTION"
-.PP
-\fIrndc.conf\fR
-is the configuration file for
-\fBrndc\fR, the BIND 9 name server control utility. This file has a similar structure and syntax to
-\fInamed.conf\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
-.PP
-C style: /* */
-.PP
-C++ style: // to end of line
-.PP
-Unix style: # to end of line
-.PP
-\fIrndc.conf\fR
-is much simpler than
-\fInamed.conf\fR. The file uses three statements: an options statement, a server statement and a key statement.
-.PP
-The
-\fBoptions\fR
-statement contains five clauses. The
-\fBdefault\-server\fR
-clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to
-\fBrndc\fR. The
-\fBdefault\-key\fR
-clause is followed by the name of a key which is identified by a
-\fBkey\fR
-statement. If no
-\fBkeyid\fR
-is provided on the rndc command line, and no
-\fBkey\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default key will be used to authenticate the server's commands and responses. The
-\fBdefault\-port\fR
-clause is followed by the port to connect to on the remote name server. If no
-\fBport\fR
-option is provided on the rndc command line, and no
-\fBport\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default port will be used to connect. The
-\fBdefault\-source\-address\fR
-and
-\fBdefault\-source\-address\-v6\fR
-clauses which can be used to set the IPv4 and IPv6 source addresses respectively.
-.PP
-After the
-\fBserver\fR
-keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses:
-\fBkey\fR,
-\fBport\fR
-and
-\fBaddresses\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an
-\fBaddresses\fR
-clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If an
-\fBsource\-address\fR
-or
-\fBsource\-address\-v6\fR
-of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.
-.PP
-The
-\fBkey\fR
-statement begins with an identifying string, the name of the key. The statement has two clauses.
-\fBalgorithm\fR
-identifies the encryption algorithm for
-\fBrndc\fR
-to use; currently only HMAC\-MD5 is supported. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's encryption key. The base\-64 string is enclosed in double quotes.
-.PP
-There are two common ways to generate the base\-64 string for the secret. The BIND 9 program
-\fBrndc\-confgen\fR
-can be used to generate a random key, or the
-\fBmmencode\fR
-program, also known as
-\fBmimencode\fR, can be used to generate a base\-64 string from known input.
-\fBmmencode\fR
-does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
-.SH "EXAMPLE"
-.PP
-.RS 4
-.nf
-      options {
-        default\-server  localhost;
-        default\-key     samplekey;
-      };
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-      server localhost {
-        key             samplekey;
-      };
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-      server testserver {
-        key		testkey;
-        addresses	{ localhost port 5353; };
-      };
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-      key samplekey {
-        algorithm       hmac\-md5;
-        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
-      };
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-      key testkey {
-        algorithm	hmac\-md5;
-        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
-      };
-.fi
-.RE
-.sp
-.PP
-In the above example,
-\fBrndc\fR
-will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes.
-.PP
-If
-\fBrndc \-s testserver\fR
-is used then
-\fBrndc\fR
-will connect to server on localhost port 5353 using the key testkey.
-.PP
-To generate a random secret with
-\fBrndc\-confgen\fR:
-.PP
-\fBrndc\-confgen\fR
-.PP
-A complete
-\fIrndc.conf\fR
-file, including the randomly generated key, will be written to the standard output. Commented\-out
-\fBkey\fR
-and
-\fBcontrols\fR
-statements for
-\fInamed.conf\fR
-are also printed.
-.PP
-To generate a base\-64 secret with
-\fBmmencode\fR:
-.PP
-\fBecho "known plaintext for a secret" | mmencode\fR
-.SH "NAME SERVER CONFIGURATION"
-.PP
-The name server must be configured to accept rndc connections and to recognize the key specified in the
-\fIrndc.conf\fR
-file, using the controls statement in
-\fInamed.conf\fR. See the sections on the
-\fBcontrols\fR
-statement in the BIND 9 Administrator Reference Manual for details.
-.SH "SEE ALSO"
-.PP
-\fBrndc\fR(8),
-\fBrndc\-confgen\fR(8),
-\fBmmencode\fR(1),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/bin/rndc/rndc.conf.docbook b/contrib/bind9/bin/rndc/rndc.conf.docbook
deleted file mode 100644
index 9de19954..0000000
--- a/contrib/bind9/bin/rndc/rndc.conf.docbook
+++ /dev/null
@@ -1,252 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: rndc.conf.docbook,v 1.17 2007/06/18 23:47:25 tbox Exp $ -->
-<refentry id="man.rndc.conf">
-  <refentryinfo>
-    <date>June 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><filename>rndc.conf</filename></refentrytitle>
-    <manvolnum>5</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><filename>rndc.conf</filename></refname>
-    <refpurpose>rndc configuration file</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>rndc.conf</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><filename>rndc.conf</filename> is the configuration file
-      for <command>rndc</command>, the BIND 9 name server control
-      utility.  This file has a similar structure and syntax to
-      <filename>named.conf</filename>.  Statements are enclosed
-      in braces and terminated with a semi-colon.  Clauses in
-      the statements are also semi-colon terminated.  The usual
-      comment styles are supported:
-    </para>
-    <para>
-      C style: /* */
-    </para>
-    <para>
-      C++ style: // to end of line
-    </para>
-    <para>
-      Unix style: # to end of line
-    </para>
-    <para><filename>rndc.conf</filename> is much simpler than
-      <filename>named.conf</filename>.  The file uses three
-      statements: an options statement, a server statement
-      and a key statement.
-    </para>
-    <para>
-      The <option>options</option> statement contains five clauses.
-      The <option>default-server</option> clause is followed by the
-      name or address of a name server.  This host will be used when
-      no name server is given as an argument to
-      <command>rndc</command>.  The <option>default-key</option>
-      clause is followed by the name of a key which is identified by
-      a <option>key</option> statement.  If no
-      <option>keyid</option> is provided on the rndc command line,
-      and no <option>key</option> clause is found in a matching
-      <option>server</option> statement, this default key will be
-      used to authenticate the server's commands and responses.  The
-      <option>default-port</option> clause is followed by the port
-      to connect to on the remote name server.  If no
-      <option>port</option> option is provided on the rndc command
-      line, and no <option>port</option> clause is found in a
-      matching <option>server</option> statement, this default port
-      will be used to connect.
-      The <option>default-source-address</option> and
-      <option>default-source-address-v6</option> clauses which
-      can be used to set the IPv4 and IPv6 source addresses
-      respectively.
-    </para>
-    <para>
-      After the <option>server</option> keyword, the server
-      statement includes a string which is the hostname or address
-      for a name server.  The statement has three possible clauses:
-      <option>key</option>, <option>port</option> and
-      <option>addresses</option>. The key name must match the
-      name of a key statement in the file.  The port number
-      specifies the port to connect to.  If an <option>addresses</option>
-      clause is supplied these addresses will be used instead of
-      the server name.  Each address can take an optional port.
-      If an <option>source-address</option> or <option>source-address-v6</option>
-      of supplied then these will be used to specify the IPv4 and IPv6
-      source addresses respectively.
-    </para>
-    <para>
-      The <option>key</option> statement begins with an identifying
-      string, the name of the key.  The statement has two clauses.
-      <option>algorithm</option> identifies the encryption algorithm
-      for <command>rndc</command> to use; currently only HMAC-MD5
-      is
-      supported.  This is followed by a secret clause which contains
-      the base-64 encoding of the algorithm's encryption key.  The
-      base-64 string is enclosed in double quotes.
-    </para>
-    <para>
-      There are two common ways to generate the base-64 string for the
-      secret.  The BIND 9 program <command>rndc-confgen</command>
-      can
-      be used to generate a random key, or the
-      <command>mmencode</command> program, also known as
-      <command>mimencode</command>, can be used to generate a
-      base-64
-      string from known input.  <command>mmencode</command> does
-      not
-      ship with BIND 9 but is available on many systems.  See the
-      EXAMPLE section for sample command lines for each.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>EXAMPLE</title>
-
-    <para><programlisting>
-      options {
-        default-server  localhost;
-        default-key     samplekey;
-      };
-</programlisting>
-    </para>
-    <para><programlisting>
-      server localhost {
-        key             samplekey;
-      };
-</programlisting>
-    </para>
-    <para><programlisting>
-      server testserver {
-        key		testkey;
-        addresses	{ localhost port 5353; };
-      };
-</programlisting>
-    </para>
-    <para><programlisting>
-      key samplekey {
-        algorithm       hmac-md5;
-        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
-      };
-</programlisting>
-    </para>
-    <para><programlisting>
-      key testkey {
-        algorithm	hmac-md5;
-        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
-      };
-    </programlisting>
-    </para>
-
-    <para>
-      In the above example, <command>rndc</command> will by
-      default use
-      the server at localhost (127.0.0.1) and the key called samplekey.
-      Commands to the localhost server will use the samplekey key, which
-      must also be defined in the server's configuration file with the
-      same name and secret.  The key statement indicates that samplekey
-      uses the HMAC-MD5 algorithm and its secret clause contains the
-      base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
-    </para>
-    <para>
-      If <command>rndc -s testserver</command> is used then <command>rndc</command> will
-      connect to server on localhost port 5353 using the key testkey.
-    </para>
-    <para>
-      To generate a random secret with <command>rndc-confgen</command>:
-    </para>
-    <para><userinput>rndc-confgen</userinput>
-    </para>
-    <para>
-      A complete <filename>rndc.conf</filename> file, including
-      the
-      randomly generated key, will be written to the standard
-      output.  Commented-out <option>key</option> and
-      <option>controls</option> statements for
-      <filename>named.conf</filename> are also printed.
-    </para>
-    <para>
-      To generate a base-64 secret with <command>mmencode</command>:
-    </para>
-    <para><userinput>echo "known plaintext for a secret" | mmencode</userinput>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>NAME SERVER CONFIGURATION</title>
-    <para>
-      The name server must be configured to accept rndc connections and
-      to recognize the key specified in the <filename>rndc.conf</filename>
-      file, using the controls statement in <filename>named.conf</filename>.
-      See the sections on the <option>controls</option> statement in the
-      BIND 9 Administrator Reference Manual for details.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>mmencode</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/rndc/rndc.conf.html b/contrib/bind9/bin/rndc/rndc.conf.html
deleted file mode 100644
index b0f904b..0000000
--- a/contrib/bind9/bin/rndc/rndc.conf.html
+++ /dev/null
@@ -1,217 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.rndc.conf"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543354"></a><h2>DESCRIPTION</h2>
-<p><code class="filename">rndc.conf</code> is the configuration file
-      for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
-      utility.  This file has a similar structure and syntax to
-      <code class="filename">named.conf</code>.  Statements are enclosed
-      in braces and terminated with a semi-colon.  Clauses in
-      the statements are also semi-colon terminated.  The usual
-      comment styles are supported:
-    </p>
-<p>
-      C style: /* */
-    </p>
-<p>
-      C++ style: // to end of line
-    </p>
-<p>
-      Unix style: # to end of line
-    </p>
-<p><code class="filename">rndc.conf</code> is much simpler than
-      <code class="filename">named.conf</code>.  The file uses three
-      statements: an options statement, a server statement
-      and a key statement.
-    </p>
-<p>
-      The <code class="option">options</code> statement contains five clauses.
-      The <code class="option">default-server</code> clause is followed by the
-      name or address of a name server.  This host will be used when
-      no name server is given as an argument to
-      <span><strong class="command">rndc</strong></span>.  The <code class="option">default-key</code>
-      clause is followed by the name of a key which is identified by
-      a <code class="option">key</code> statement.  If no
-      <code class="option">keyid</code> is provided on the rndc command line,
-      and no <code class="option">key</code> clause is found in a matching
-      <code class="option">server</code> statement, this default key will be
-      used to authenticate the server's commands and responses.  The
-      <code class="option">default-port</code> clause is followed by the port
-      to connect to on the remote name server.  If no
-      <code class="option">port</code> option is provided on the rndc command
-      line, and no <code class="option">port</code> clause is found in a
-      matching <code class="option">server</code> statement, this default port
-      will be used to connect.
-      The <code class="option">default-source-address</code> and
-      <code class="option">default-source-address-v6</code> clauses which
-      can be used to set the IPv4 and IPv6 source addresses
-      respectively.
-    </p>
-<p>
-      After the <code class="option">server</code> keyword, the server
-      statement includes a string which is the hostname or address
-      for a name server.  The statement has three possible clauses:
-      <code class="option">key</code>, <code class="option">port</code> and
-      <code class="option">addresses</code>. The key name must match the
-      name of a key statement in the file.  The port number
-      specifies the port to connect to.  If an <code class="option">addresses</code>
-      clause is supplied these addresses will be used instead of
-      the server name.  Each address can take an optional port.
-      If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
-      of supplied then these will be used to specify the IPv4 and IPv6
-      source addresses respectively.
-    </p>
-<p>
-      The <code class="option">key</code> statement begins with an identifying
-      string, the name of the key.  The statement has two clauses.
-      <code class="option">algorithm</code> identifies the encryption algorithm
-      for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5
-      is
-      supported.  This is followed by a secret clause which contains
-      the base-64 encoding of the algorithm's encryption key.  The
-      base-64 string is enclosed in double quotes.
-    </p>
-<p>
-      There are two common ways to generate the base-64 string for the
-      secret.  The BIND 9 program <span><strong class="command">rndc-confgen</strong></span>
-      can
-      be used to generate a random key, or the
-      <span><strong class="command">mmencode</strong></span> program, also known as
-      <span><strong class="command">mimencode</strong></span>, can be used to generate a
-      base-64
-      string from known input.  <span><strong class="command">mmencode</strong></span> does
-      not
-      ship with BIND 9 but is available on many systems.  See the
-      EXAMPLE section for sample command lines for each.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543502"></a><h2>EXAMPLE</h2>
-<pre class="programlisting">
-      options {
-        default-server  localhost;
-        default-key     samplekey;
-      };
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-      server localhost {
-        key             samplekey;
-      };
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-      server testserver {
-        key		testkey;
-        addresses	{ localhost port 5353; };
-      };
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-      key samplekey {
-        algorithm       hmac-md5;
-        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
-      };
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-      key testkey {
-        algorithm	hmac-md5;
-        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
-      };
-    </pre>
-<p>
-    </p>
-<p>
-      In the above example, <span><strong class="command">rndc</strong></span> will by
-      default use
-      the server at localhost (127.0.0.1) and the key called samplekey.
-      Commands to the localhost server will use the samplekey key, which
-      must also be defined in the server's configuration file with the
-      same name and secret.  The key statement indicates that samplekey
-      uses the HMAC-MD5 algorithm and its secret clause contains the
-      base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
-    </p>
-<p>
-      If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will
-      connect to server on localhost port 5353 using the key testkey.
-    </p>
-<p>
-      To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
-    </p>
-<p><strong class="userinput"><code>rndc-confgen</code></strong>
-    </p>
-<p>
-      A complete <code class="filename">rndc.conf</code> file, including
-      the
-      randomly generated key, will be written to the standard
-      output.  Commented-out <code class="option">key</code> and
-      <code class="option">controls</code> statements for
-      <code class="filename">named.conf</code> are also printed.
-    </p>
-<p>
-      To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
-    </p>
-<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543594"></a><h2>NAME SERVER CONFIGURATION</h2>
-<p>
-      The name server must be configured to accept rndc connections and
-      to recognize the key specified in the <code class="filename">rndc.conf</code>
-      file, using the controls statement in <code class="filename">named.conf</code>.
-      See the sections on the <code class="option">controls</code> statement in the
-      BIND 9 Administrator Reference Manual for details.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543616"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543654"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/rndc/rndc.docbook b/contrib/bind9/bin/rndc/rndc.docbook
deleted file mode 100644
index d407f2b..0000000
--- a/contrib/bind9/bin/rndc/rndc.docbook
+++ /dev/null
@@ -1,253 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: rndc.docbook,v 1.21 2007/12/14 20:39:14 marka Exp $ -->
-<refentry id="man.rndc">
-  <refentryinfo>
-    <date>June 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>rndc</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>rndc</application></refname>
-    <refpurpose>name server control utility</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>rndc</command>
-      <arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
-      <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
-      <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
-      <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
-      <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
-      <arg><option>-V</option></arg>
-      <arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
-      <arg choice="req">command</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><command>rndc</command>
-      controls the operation of a name
-      server.  It supersedes the <command>ndc</command> utility
-      that was provided in old BIND releases.  If
-      <command>rndc</command> is invoked with no command line
-      options or arguments, it prints a short summary of the
-      supported commands and the available options and their
-      arguments.
-    </para>
-    <para><command>rndc</command>
-      communicates with the name server
-      over a TCP connection, sending commands authenticated with
-      digital signatures.  In the current versions of
-      <command>rndc</command> and <command>named</command>,
-      the only supported authentication algorithm is HMAC-MD5,
-      which uses a shared secret on each end of the connection.
-      This provides TSIG-style authentication for the command
-      request and the name server's response.  All commands sent
-      over the channel must be signed by a key_id known to the
-      server.
-    </para>
-    <para><command>rndc</command>
-      reads a configuration file to
-      determine how to contact the name server and decide what
-      algorithm and key it should use.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OPTIONS</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>-b <replaceable class="parameter">source-address</replaceable></term>
-        <listitem>
-          <para>
-            Use <replaceable class="parameter">source-address</replaceable>
-            as the source address for the connection to the server.
-            Multiple instances are permitted to allow setting of both
-            the IPv4 and IPv6 source addresses.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-c <replaceable class="parameter">config-file</replaceable></term>
-        <listitem>
-          <para>
-            Use <replaceable class="parameter">config-file</replaceable>
-            as the configuration file instead of the default,
-            <filename>/etc/rndc.conf</filename>.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-k <replaceable class="parameter">key-file</replaceable></term>
-        <listitem>
-          <para>
-            Use <replaceable class="parameter">key-file</replaceable>
-            as the key file instead of the default,
-            <filename>/etc/rndc.key</filename>.  The key in
-            <filename>/etc/rndc.key</filename> will be used to
-            authenticate
-            commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
-            does not exist.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-s <replaceable class="parameter">server</replaceable></term>
-        <listitem>
-          <para><replaceable class="parameter">server</replaceable> is
-            the name or address of the server which matches a
-            server statement in the configuration file for
-            <command>rndc</command>.  If no server is supplied on the
-            command line, the host named by the default-server clause
-            in the options statement of the <command>rndc</command>
-	    configuration file will be used.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-p <replaceable class="parameter">port</replaceable></term>
-        <listitem>
-          <para>
-            Send commands to TCP port
-            <replaceable class="parameter">port</replaceable>
-            instead
-            of BIND 9's default control channel port, 953.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-V</term>
-        <listitem>
-          <para>
-            Enable verbose logging.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>-y <replaceable class="parameter">key_id</replaceable></term>
-        <listitem>
-          <para>
-            Use the key <replaceable class="parameter">key_id</replaceable>
-            from the configuration file.
-            <replaceable class="parameter">key_id</replaceable>
-            must be
-            known by named with the same algorithm and secret string
-            in order for control message validation to succeed.
-            If no <replaceable class="parameter">key_id</replaceable>
-            is specified, <command>rndc</command> will first look
-            for a key clause in the server statement of the server
-            being used, or if no server statement is present for that
-            host, then the default-key clause of the options statement.
-            Note that the configuration file contains shared secrets
-            which are used to send authenticated control commands
-            to name servers.  It should therefore not have general read
-            or write access.
-          </para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-    <para>
-      For the complete set of commands supported by <command>rndc</command>,
-      see the BIND 9 Administrator Reference Manual or run
-      <command>rndc</command> without arguments to see its help
-      message.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>LIMITATIONS</title>
-    <para><command>rndc</command>
-      does not yet support all the commands of
-      the BIND 8 <command>ndc</command> utility.
-    </para>
-    <para>
-      There is currently no way to provide the shared secret for a
-      <option>key_id</option> without using the configuration file.
-    </para>
-    <para>
-      Several error messages could be clearer.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/rndc/rndc.html b/contrib/bind9/bin/rndc/rndc.html
deleted file mode 100644
index 4195c4e..0000000
--- a/contrib/bind9/bin/rndc/rndc.html
+++ /dev/null
@@ -1,165 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.rndc"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">rndc</span> &#8212; name server control utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543415"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">rndc</strong></span>
-      controls the operation of a name
-      server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
-      that was provided in old BIND releases.  If
-      <span><strong class="command">rndc</strong></span> is invoked with no command line
-      options or arguments, it prints a short summary of the
-      supported commands and the available options and their
-      arguments.
-    </p>
-<p><span><strong class="command">rndc</strong></span>
-      communicates with the name server
-      over a TCP connection, sending commands authenticated with
-      digital signatures.  In the current versions of
-      <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
-      the only supported authentication algorithm is HMAC-MD5,
-      which uses a shared secret on each end of the connection.
-      This provides TSIG-style authentication for the command
-      request and the name server's response.  All commands sent
-      over the channel must be signed by a key_id known to the
-      server.
-    </p>
-<p><span><strong class="command">rndc</strong></span>
-      reads a configuration file to
-      determine how to contact the name server and decide what
-      algorithm and key it should use.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543450"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>source-address</code></em>
-            as the source address for the connection to the server.
-            Multiple instances are permitted to allow setting of both
-            the IPv4 and IPv6 source addresses.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>config-file</code></em>
-            as the configuration file instead of the default,
-            <code class="filename">/etc/rndc.conf</code>.
-          </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>key-file</code></em>
-            as the key file instead of the default,
-            <code class="filename">/etc/rndc.key</code>.  The key in
-            <code class="filename">/etc/rndc.key</code> will be used to
-            authenticate
-            commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
-            does not exist.
-          </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
-<dd><p><em class="replaceable"><code>server</code></em> is
-            the name or address of the server which matches a
-            server statement in the configuration file for
-            <span><strong class="command">rndc</strong></span>.  If no server is supplied on the
-            command line, the host named by the default-server clause
-            in the options statement of the <span><strong class="command">rndc</strong></span>
-	    configuration file will be used.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-            Send commands to TCP port
-            <em class="replaceable"><code>port</code></em>
-            instead
-            of BIND 9's default control channel port, 953.
-          </p></dd>
-<dt><span class="term">-V</span></dt>
-<dd><p>
-            Enable verbose logging.
-          </p></dd>
-<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
-<dd><p>
-            Use the key <em class="replaceable"><code>key_id</code></em>
-            from the configuration file.
-            <em class="replaceable"><code>key_id</code></em>
-            must be
-            known by named with the same algorithm and secret string
-            in order for control message validation to succeed.
-            If no <em class="replaceable"><code>key_id</code></em>
-            is specified, <span><strong class="command">rndc</strong></span> will first look
-            for a key clause in the server statement of the server
-            being used, or if no server statement is present for that
-            host, then the default-key clause of the options statement.
-            Note that the configuration file contains shared secrets
-            which are used to send authenticated control commands
-            to name servers.  It should therefore not have general read
-            or write access.
-          </p></dd>
-</dl></div>
-<p>
-      For the complete set of commands supported by <span><strong class="command">rndc</strong></span>,
-      see the BIND 9 Administrator Reference Manual or run
-      <span><strong class="command">rndc</strong></span> without arguments to see its help
-      message.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543658"></a><h2>LIMITATIONS</h2>
-<p><span><strong class="command">rndc</strong></span>
-      does not yet support all the commands of
-      the BIND 8 <span><strong class="command">ndc</strong></span> utility.
-    </p>
-<p>
-      There is currently no way to provide the shared secret for a
-      <code class="option">key_id</code> without using the configuration file.
-    </p>
-<p>
-      Several error messages could be clearer.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543685"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543740"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/rndc/util.c b/contrib/bind9/bin/rndc/util.c
deleted file mode 100644
index c654462..0000000
--- a/contrib/bind9/bin/rndc/util.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: util.c,v 1.7 2007/06/19 23:46:59 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdarg.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#include <isc/boolean.h>
-
-#include "util.h"
-
-extern isc_boolean_t verbose;
-extern const char *progname;
-
-void
-notify(const char *fmt, ...) {
-	va_list ap;
-
-	if (verbose) {
-		va_start(ap, fmt);
-		vfprintf(stderr, fmt, ap);
-		va_end(ap);
-		fputs("\n", stderr);
-	}
-}
-
-void            
-fatal(const char *format, ...) {
-	va_list args;
-
-	fprintf(stderr, "%s: ", progname);
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	exit(1);
-}               
diff --git a/contrib/bind9/bin/rndc/util.h b/contrib/bind9/bin/rndc/util.h
deleted file mode 100644
index d727714..0000000
--- a/contrib/bind9/bin/rndc/util.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: util.h,v 1.12 2009/09/29 23:48:03 tbox Exp $ */
-
-#ifndef RNDC_UTIL_H
-#define RNDC_UTIL_H 1
-
-/*! \file */
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-#include <isc/formatcheck.h>
-
-#define NS_CONTROL_PORT		953
-
-#undef DO
-#define DO(name, function) \
-	do { \
-		result = function; \
-		if (result != ISC_R_SUCCESS) \
-			fatal("%s: %s", name, isc_result_totext(result)); \
-		else \
-			notify("%s", name); \
-	} while (0)
-
-ISC_LANG_BEGINDECLS
-
-void
-notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
-
-ISC_PLATFORM_NORETURN_PRE void
-fatal(const char *format, ...)
-ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
-
-ISC_LANG_ENDDECLS
-
-#endif /* RNDC_UTIL_H */
diff --git a/contrib/bind9/bin/tools/Makefile.in b/contrib/bind9/bin/tools/Makefile.in
deleted file mode 100644
index a396005..0000000
--- a/contrib/bind9/bin/tools/Makefile.in
+++ /dev/null
@@ -1,103 +0,0 @@
-# Copyright (C) 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.13 2010/01/07 23:48:53 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
-		${LWRES_INCLUDES} ${OMAPI_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS =	../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-ISCCFGLIBS = 	../../lib/isccfg/libisccfg.@A@
-LWRESLIBS =	../../lib/lwres/liblwres.@A@
-
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
-LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
-
-LIBS =		${ISCLIBS} @LIBS@
-NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
-
-SUBDIRS = 
-
-TARGETS =	arpaname@EXEEXT@ named-journalprint@EXEEXT@ nsec3hash@EXEEXT@ \
-		genrandom@EXEEXT@ isc-hmac-fixup@EXEEXT@
-SRCS =		arpaname.c named-journalprint.c nsec3hash.c genrandom.c \
-		isc-hmac-fixup.c
-
-MANPAGES =	arpaname.1 named-journalprint.8 nsec3hash.8 genrandom.8 \
-		isc-hmac-fixup.8
-HTMLPAGES =	arpaname.html named-journalprint.html nsec3hash.html \
-		genrandom.html isc-hmac-fixup.html
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ arpaname.@O@ \
-		${ISCLIBS} ${LIBS}
-
-named-journalprint@EXEEXT@: named-journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	export BASEOBJS="named-journalprint.@O@"; \
-	export LIBS0="${DNSLIBS}"; \
-	${FINALBUILDCMD}
-
-nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	export BASEOBJS="nsec3hash.@O@"; \
-	export LIBS0="${DNSLIBS}"; \
-	${FINALBUILDCMD}
-
-isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS}
-	export BASEOBJS="isc-hmac-fixup.@O@"; \
-	export LIBS0="${ISCLIBS}"; \
-	${FINALBUILDCMD}
-
-genrandom@EXEEXT@: genrandom.@O@
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: ${TARGETS} installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ ${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ ${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ ${DESTDIR}${sbindir}
-	${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
-	${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
-
-clean distclean::
-	rm -f ${TARGETS}
diff --git a/contrib/bind9/bin/tools/arpaname.1 b/contrib/bind9/bin/tools/arpaname.1
deleted file mode 100644
index 5b58251..0000000
--- a/contrib/bind9/bin/tools/arpaname.1
+++ /dev/null
@@ -1,48 +0,0 @@
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: arpaname
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: March 4, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "ARPANAME" "1" "March 4, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-arpaname \- translate IP addresses to the corresponding ARPA names
-.SH "SYNOPSIS"
-.HP 9
-\fBarpaname\fR {\fIipaddress\ \fR...}
-.SH "DESCRIPTION"
-.PP
-\fBarpaname\fR
-translates IP addresses (IPv4 and IPv6) to the corresponding IN\-ADDR.ARPA or IP6.ARPA names.
-.SH "SEE ALSO"
-.PP
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/tools/arpaname.c b/contrib/bind9/bin/tools/arpaname.c
deleted file mode 100644
index 356a883..0000000
--- a/contrib/bind9/bin/tools/arpaname.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: arpaname.c,v 1.4 2009/10/27 03:05:33 marka Exp $ */
-
-#include "config.h"
-
-#include <isc/net.h>
-
-#include <stdio.h>
-
-#define UNUSED(x) (void)(x)
-
-int
-main(int argc, char *argv[]) {
-	unsigned char buf[16];
-	int i;
-
-	UNUSED(argc);
-
-	while (argv[1]) {
-		if (inet_pton(AF_INET6, argv[1], buf) == 1) {
-			for (i = 15; i >= 0; i--)
-				fprintf(stdout, "%X.%X.", buf[i] & 0xf,
-					(buf[i] >> 4) & 0xf);
-			fprintf(stdout, "IP6.ARPA\n");
-			argv++;
-			continue;
-		}
-		if (inet_pton(AF_INET, argv[1], buf) == 1) {
-			fprintf(stdout, "%u.%u.%u.%u.IN-ADDR.ARPA\n",
-				buf[3], buf[2], buf[1], buf[0]);
-			argv++;
-			continue;
-		}
-		return (1);
-	}
-	fflush(stdout);
-	return(ferror(stdout));
-}
diff --git a/contrib/bind9/bin/tools/arpaname.docbook b/contrib/bind9/bin/tools/arpaname.docbook
deleted file mode 100644
index 6fb3ca2..0000000
--- a/contrib/bind9/bin/tools/arpaname.docbook
+++ /dev/null
@@ -1,76 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: arpaname.docbook,v 1.1 2009/03/04 01:30:27 marka Exp $ -->
-<refentry id="man.arpaname">
-  <refentryinfo>
-    <date>March 4, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>arpaname</application></refentrytitle>
-    <manvolnum>1</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>arpaname</application></refname>
-    <refpurpose>translate IP addresses to the corresponding ARPA names</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2009</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>arpaname</command>
-      <arg choice="req" rep="repeat"><replaceable class="parameter">ipaddress </replaceable></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      <command>arpaname</command> translates IP addresses (IPv4 and
-      IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para>
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/tools/arpaname.html b/contrib/bind9/bin/tools/arpaname.html
deleted file mode 100644
index 92f46b4..0000000
--- a/contrib/bind9/bin/tools/arpaname.html
+++ /dev/null
@@ -1,52 +0,0 @@
-<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>arpaname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.arpaname"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">arpaname</span> &#8212; translate IP addresses to the corresponding ARPA names</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543347"></a><h2>DESCRIPTION</h2>
-<p>
-      <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
-      IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543360"></a><h2>SEE ALSO</h2>
-<p>
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543373"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/tools/genrandom.8 b/contrib/bind9/bin/tools/genrandom.8
deleted file mode 100644
index fd9ebf4..0000000
--- a/contrib/bind9/bin/tools/genrandom.8
+++ /dev/null
@@ -1,69 +0,0 @@
-.\" Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: genrandom
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Feb 19, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "GENRANDOM" "8" "Feb 19, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-genrandom \- generate a file containing random data
-.SH "SYNOPSIS"
-.HP 10
-\fBgenrandom\fR [\fB\-n\ \fR\fB\fInumber\fR\fR] {\fIsize\fR} {\fIfilename\fR}
-.SH "DESCRIPTION"
-.PP
-\fBgenrandom\fR
-generates a file or a set of files containing a specified quantity of pseudo\-random data, which can be used as a source of entropy for other commands on systems with no random device.
-.SH "ARGUMENTS"
-.PP
-\-n \fInumber\fR
-.RS 4
-In place of generating one file, generates
-\fBnumber\fR
-(from 2 to 9) files, appending
-\fBnumber\fR
-to the name.
-.RE
-.PP
-size
-.RS 4
-The size of the file, in kilobytes, to generate.
-.RE
-.PP
-filename
-.RS 4
-The file name into which random data should be written.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBrand\fR(3),
-\fBarc4random\fR(3)
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2009\-2011 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/tools/genrandom.c b/contrib/bind9/bin/tools/genrandom.c
deleted file mode 100644
index 0d7eb72..0000000
--- a/contrib/bind9/bin/tools/genrandom.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: genrandom.c,v 1.7 2010/05/17 23:51:04 tbox Exp $ */
-
-/*! \file */
-#include <config.h>
-
-#include <isc/commandline.h>
-#include <isc/print.h>
-#include <isc/stdlib.h>
-#include <isc/util.h>
-
-#include <stdio.h>
-#include <string.h>
-
-const char *program = "genrandom";
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "usage: %s [-n 2..9] k file\n", program);
-	exit(1);
-}
-
-static void
-generate(char *filename, unsigned int bytes) {
-	FILE *fp;
-
-	fp = fopen(filename, "w");
-	if (fp == NULL) {
-		printf("failed to open %s\n", filename);
-		exit(1);
-	}
-
-	while (bytes > 0) {
-#ifndef HAVE_ARC4RANDOM
-		unsigned short int x = (rand() & 0xFFFF);
-#else
-		unsigned short int x = (arc4random() & 0xFFFF);
-#endif
-		unsigned char c = x & 0xFF;
-		if (putc(c, fp) == EOF) {
-			printf("error writing to %s\n", filename);
-			exit(1);
-		}
-		c = x >> 8;
-		if (putc(c, fp) == EOF) {
-			printf("error writing to %s\n", filename);
-			exit(1);
-		}
-		bytes -= 2;
-	}
-	fclose(fp);
-}
-
-int
-main(int argc, char **argv) {
-	unsigned int bytes;
-	unsigned int k;
-	char *endp;
-	int c, i, n = 1;
-	size_t len;
-	char *name;
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((c = isc_commandline_parse(argc, argv, "hn:")) != EOF) {
-		switch (c) {
-		case 'n':
-			n = strtol(isc_commandline_argument, &endp, 10);
-			if ((*endp != 0) || (n <= 1) || (n > 9))
-				usage();
-			break;
-
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			/* FALLTHROUGH */
-		case 'h':
-			usage();
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (isc_commandline_index + 2 != argc)
-		usage();
-
-	k = strtoul(argv[isc_commandline_index++], &endp, 10);
-	if (*endp != 0)
-		usage();
-	bytes = k << 10;
-
-#ifndef HAVE_ARC4RANDOM
-	srand(0x12345678);
-#endif
-	if (n == 1) {
-		generate(argv[isc_commandline_index], bytes);
-		return (0);
-	}
-
-	len = strlen(argv[isc_commandline_index]) + 2;
-	name = (char *) malloc(len);
-	if (name == NULL) {
-		perror("malloc");
-		exit(1);
-	}
-
-	for (i = 1; i <= n; i++) {
-		snprintf(name, len, "%s%d", argv[isc_commandline_index], i);
-		generate(name, bytes);
-	}
-	free(name);
-
-	return (0);
-}
diff --git a/contrib/bind9/bin/tools/genrandom.docbook b/contrib/bind9/bin/tools/genrandom.docbook
deleted file mode 100644
index 33d5cf7..0000000
--- a/contrib/bind9/bin/tools/genrandom.docbook
+++ /dev/null
@@ -1,120 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2009-2011  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: genrandom.docbook,v 1.8 2011/08/08 23:46:41 tbox Exp $ -->
-<refentry id="man.genrandom">
-  <refentryinfo>
-    <date>Feb 19, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>genrandom</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>genrandom</application></refname>
-    <refpurpose>generate a file containing random data</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>genrandom</command>
-      <arg><option>-n <replaceable class="parameter">number</replaceable></option></arg>
-      <arg choice="req"><replaceable class="parameter">size</replaceable></arg>
-      <arg choice="req"><replaceable class="parameter">filename</replaceable></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      <command>genrandom</command>
-      generates a file or a set of files containing a specified quantity
-      of pseudo-random data, which can be used as a source of entropy for
-      other commands on systems with no random device.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>ARGUMENTS</title>
-    <variablelist>
-      <varlistentry>
-        <term>-n <replaceable class="parameter">number</replaceable></term>
-        <listitem>
-          <para>
-            In place of generating one file, generates <option>number</option>
-            (from 2 to 9) files, appending <option>number</option> to the name.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>size</term>
-        <listitem>
-          <para>
-            The size of the file, in kilobytes, to generate.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>filename</term>
-        <listitem>
-          <para>
-            The file name into which random data should be written.
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>rand</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>arc4random</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/tools/genrandom.html b/contrib/bind9/bin/tools/genrandom.html
deleted file mode 100644
index 6b70434..0000000
--- a/contrib/bind9/bin/tools/genrandom.html
+++ /dev/null
@@ -1,73 +0,0 @@
-<!--
- - Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>genrandom</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.genrandom"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">genrandom</span> &#8212; generate a file containing random data</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">genrandom</code>  [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543368"></a><h2>DESCRIPTION</h2>
-<p>
-      <span><strong class="command">genrandom</strong></span>
-      generates a file or a set of files containing a specified quantity
-      of pseudo-random data, which can be used as a source of entropy for
-      other commands on systems with no random device.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543381"></a><h2>ARGUMENTS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
-            In place of generating one file, generates <code class="option">number</code>
-            (from 2 to 9) files, appending <code class="option">number</code> to the name.
-          </p></dd>
-<dt><span class="term">size</span></dt>
-<dd><p>
-            The size of the file, in kilobytes, to generate.
-          </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
-            The file name into which random data should be written.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543442"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
-      <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543468"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/tools/isc-hmac-fixup.8 b/contrib/bind9/bin/tools/isc-hmac-fixup.8
deleted file mode 100644
index 6364e54..0000000
--- a/contrib/bind9/bin/tools/isc-hmac-fixup.8
+++ /dev/null
@@ -1,61 +0,0 @@
-.\" Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: isc\-hmac\-fixup
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: January 5, 2010
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "ISC\-HMAC\-FIXUP" "8" "January 5, 2010" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-isc\-hmac\-fixup \- fixes HMAC keys generated by older versions of BIND
-.SH "SYNOPSIS"
-.HP 15
-\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR}
-.SH "DESCRIPTION"
-.PP
-Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations.
-.PP
-This bug has been fixed in BIND 9.7. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys.
-\fBisc\-hmac\-fixup\fR
-modifies those keys to restore compatibility.
-.PP
-To modify a key, run
-\fBisc\-hmac\-fixup\fR
-and specify the key's algorithm and secret on the command line. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret. (If the secret did not require conversion, then it will be printed without modification.)
-.SH "SECURITY CONSIDERATIONS"
-.PP
-Secrets that have been converted by
-\fBisc\-hmac\-fixup\fR
-are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength."
-.SH "SEE ALSO"
-.PP
-BIND 9 Administrator Reference Manual,
-RFC 2104.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/tools/isc-hmac-fixup.c b/contrib/bind9/bin/tools/isc-hmac-fixup.c
deleted file mode 100644
index daf391a..0000000
--- a/contrib/bind9/bin/tools/isc-hmac-fixup.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: isc-hmac-fixup.c,v 1.4 2010/03/10 02:17:52 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/md5.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/sha1.h>
-#include <isc/sha2.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-
-#define HMAC_LEN	64
-
-int
-main(int argc, char **argv)  {
-	isc_buffer_t buf;
-	unsigned char key[1024];
-	char secret[1024];
-	char base64[(1024*4)/3];
-	isc_region_t r;
-	isc_result_t result;
-
-	if (argc != 3) {
-		fprintf(stderr, "Usage:\t%s algorithm secret\n", argv[0]);
-		fprintf(stderr, "\talgorithm: (MD5 | SHA1 | SHA224 | "
-				"SHA256 | SHA384 | SHA512)\n");
-		return (1);
-	}
-
-	isc_buffer_init(&buf, secret, sizeof(secret));
-	result = isc_base64_decodestring(argv[2], &buf);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "error: %s\n", isc_result_totext(result));
-		return (1);
-	}
-	isc__buffer_usedregion(&buf, &r);
-
-	if (!strcasecmp(argv[1], "md5") ||
-	    !strcasecmp(argv[1], "hmac-md5")) {
-		if (r.length > HMAC_LEN) {
-			isc_md5_t md5ctx;
-			isc_md5_init(&md5ctx);
-			isc_md5_update(&md5ctx, r.base, r.length);
-			isc_md5_final(&md5ctx, key);
-
-			r.base = key;
-			r.length = ISC_MD5_DIGESTLENGTH;
-		}
-	} else if (!strcasecmp(argv[1], "sha1") ||
-		   !strcasecmp(argv[1], "hmac-sha1")) {
-		if (r.length > ISC_SHA1_DIGESTLENGTH) {
-			isc_sha1_t sha1ctx;
-			isc_sha1_init(&sha1ctx);
-			isc_sha1_update(&sha1ctx, r.base, r.length);
-			isc_sha1_final(&sha1ctx, key);
-
-			r.base = key;
-			r.length = ISC_SHA1_DIGESTLENGTH;
-		}
-	} else if (!strcasecmp(argv[1], "sha224") ||
-		   !strcasecmp(argv[1], "hmac-sha224")) {
-		if (r.length > ISC_SHA224_DIGESTLENGTH) {
-			isc_sha224_t sha224ctx;
-			isc_sha224_init(&sha224ctx);
-			isc_sha224_update(&sha224ctx, r.base, r.length);
-			isc_sha224_final(key, &sha224ctx);
-
-			r.base = key;
-			r.length = ISC_SHA224_DIGESTLENGTH;
-		}
-	} else if (!strcasecmp(argv[1], "sha256") ||
-		   !strcasecmp(argv[1], "hmac-sha256")) {
-		if (r.length > ISC_SHA256_DIGESTLENGTH) {
-			isc_sha256_t sha256ctx;
-			isc_sha256_init(&sha256ctx);
-			isc_sha256_update(&sha256ctx, r.base, r.length);
-			isc_sha256_final(key, &sha256ctx);
-
-			r.base = key;
-			r.length = ISC_SHA256_DIGESTLENGTH;
-		}
-	} else if (!strcasecmp(argv[1], "sha384") ||
-		   !strcasecmp(argv[1], "hmac-sha384")) {
-		if (r.length > ISC_SHA384_DIGESTLENGTH) {
-			isc_sha384_t sha384ctx;
-			isc_sha384_init(&sha384ctx);
-			isc_sha384_update(&sha384ctx, r.base, r.length);
-			isc_sha384_final(key, &sha384ctx);
-
-			r.base = key;
-			r.length = ISC_SHA384_DIGESTLENGTH;
-		}
-	} else if (!strcasecmp(argv[1], "sha512") ||
-		   !strcasecmp(argv[1], "hmac-sha512")) {
-		if (r.length > ISC_SHA512_DIGESTLENGTH) {
-			isc_sha512_t sha512ctx;
-			isc_sha512_init(&sha512ctx);
-			isc_sha512_update(&sha512ctx, r.base, r.length);
-			isc_sha512_final(key, &sha512ctx);
-
-			r.base = key;
-			r.length = ISC_SHA512_DIGESTLENGTH;
-		}
-	} else {
-		fprintf(stderr, "unknown hmac/digest algorithm: %s\n", argv[1]);
-		return (1);
-	}
-
-	isc_buffer_init(&buf, base64, sizeof(base64));
-	result = isc_base64_totext(&r, 0, "", &buf);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "error: %s\n", isc_result_totext(result));
-		return (1);
-	}
-	fprintf(stdout, "%.*s\n", (int)isc_buffer_usedlength(&buf), base64);
-	return (0);
-}
diff --git a/contrib/bind9/bin/tools/isc-hmac-fixup.docbook b/contrib/bind9/bin/tools/isc-hmac-fixup.docbook
deleted file mode 100644
index cc72373..0000000
--- a/contrib/bind9/bin/tools/isc-hmac-fixup.docbook
+++ /dev/null
@@ -1,110 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2010, 2013  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: isc-hmac-fixup.docbook,v 1.2 2010/01/07 21:52:11 each Exp $ -->
-<refentry id="man.isc-hmac-fixup">
-  <refentryinfo>
-    <date>January 5, 2010</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>isc-hmac-fixup</application></refname>
-    <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2010</year>
-      <year>2013</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>isc-hmac-fixup</command>
-      <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
-      <arg choice="req"><replaceable class="parameter">secret</replaceable></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
-      HMAC-SHA* TSIG keys which were longer than the digest length of the
-      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
-      longer than 256 bits, etc) to be used incorrectly, generating a
-      message authentication code that was incompatible with other DNS
-      implementations.
-    </para>
-    <para>
-      This bug has been fixed in BIND 9.7.  However, the fix may
-      cause incompatibility between older and newer versions of
-      BIND, when using long keys.  <command>isc-hmac-fixup</command>
-      modifies those keys to restore compatibility.
-    </para>
-    <para>
-      To modify a key, run <command>isc-hmac-fixup</command> and
-      specify the key's algorithm and secret on the command line.  If the
-      secret is longer than the digest length of the algorithm (64 bytes
-      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
-      new secret will be generated consisting of a hash digest of the old
-      secret.  (If the secret did not require conversion, then it will be
-      printed without modification.)
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SECURITY CONSIDERATIONS</title>
-    <para>
-      Secrets that have been converted by <command>isc-hmac-fixup</command>
-      are shortened, but as this is how the HMAC protocol works in
-      operation anyway, it does not affect security.  RFC 2104 notes,
-      "Keys longer than [the digest length] are acceptable but the
-      extra length would not significantly increase the function
-      strength."
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para>
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 2104</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/tools/isc-hmac-fixup.html b/contrib/bind9/bin/tools/isc-hmac-fixup.html
deleted file mode 100644
index f5ab4b5..0000000
--- a/contrib/bind9/bin/tools/isc-hmac-fixup.html
+++ /dev/null
@@ -1,83 +0,0 @@
-<!--
- - Copyright (C) 2010, 2013 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>isc-hmac-fixup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543355"></a><h2>DESCRIPTION</h2>
-<p>
-      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
-      HMAC-SHA* TSIG keys which were longer than the digest length of the
-      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
-      longer than 256 bits, etc) to be used incorrectly, generating a
-      message authentication code that was incompatible with other DNS
-      implementations.
-    </p>
-<p>
-      This bug has been fixed in BIND 9.7.  However, the fix may
-      cause incompatibility between older and newer versions of
-      BIND, when using long keys.  <span><strong class="command">isc-hmac-fixup</strong></span>
-      modifies those keys to restore compatibility.
-    </p>
-<p>
-      To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
-      specify the key's algorithm and secret on the command line.  If the
-      secret is longer than the digest length of the algorithm (64 bytes
-      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
-      new secret will be generated consisting of a hash digest of the old
-      secret.  (If the secret did not require conversion, then it will be
-      printed without modification.)
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543379"></a><h2>SECURITY CONSIDERATIONS</h2>
-<p>
-      Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
-      are shortened, but as this is how the HMAC protocol works in
-      operation anyway, it does not affect security.  RFC 2104 notes,
-      "Keys longer than [the digest length] are acceptable but the
-      extra length would not significantly increase the function
-      strength."
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543393"></a><h2>SEE ALSO</h2>
-<p>
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 2104</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543410"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/tools/named-journalprint.8 b/contrib/bind9/bin/tools/named-journalprint.8
deleted file mode 100644
index 670cd5d..0000000
--- a/contrib/bind9/bin/tools/named-journalprint.8
+++ /dev/null
@@ -1,60 +0,0 @@
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: named\-journalprint
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Feb 18, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "NAMED\-JOURNALPRINT" "8" "Feb 18, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named\-journalprint \- print zone journal in human\-readable form
-.SH "SYNOPSIS"
-.HP 19
-\fBnamed\-journalprint\fR {\fIjournal\fR}
-.SH "DESCRIPTION"
-.PP
-\fBnamed\-journalprint\fR
-prints the contents of a zone journal file in a human\-readable form.
-.PP
-Journal files are automatically created by
-\fBnamed\fR
-when changes are made to dynamic zones (e.g., by
-\fBnsupdate\fR). They record each addition or deletion of a resource record, in binary format, allowing the changes to be re\-applied to the zone when the server is restarted after a shutdown or crash. By default, the name of the journal file is formed by appending the extension
-\fI.jnl\fR
-to the name of the corresponding zone file.
-.PP
-\fBnamed\-journalprint\fR
-converts the contents of a given journal file into a human\-readable text format. Each line begins with "add" or "del", to indicate whether the record was added or deleted, and continues with the resource record in master\-file format.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBnsupdate\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/tools/named-journalprint.c b/contrib/bind9/bin/tools/named-journalprint.c
deleted file mode 100644
index 36d1acd..0000000
--- a/contrib/bind9/bin/tools/named-journalprint.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: named-journalprint.c,v 1.2 2009/12/04 21:59:23 marka Exp $ */
-
-/*! \file */
-#include <config.h>
-
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/util.h>
-
-#include <dns/journal.h>
-#include <dns/log.h>
-#include <dns/result.h>
-#include <dns/types.h>
-
-#include <stdlib.h>
-
-/*
- * Setup logging to use stderr.
- */
-static isc_result_t
-setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
-	isc_logdestination_t destination;
-	isc_logconfig_t *logconfig = NULL;
-	isc_log_t *log = NULL;
-
-	RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
-	isc_log_setcontext(log);
-	dns_log_init(log);
-	dns_log_setcontext(log);
-
-	destination.file.stream = errout;
-	destination.file.name = NULL;
-	destination.file.versions = ISC_LOG_ROLLNEVER;
-	destination.file.maximum_size = 0;
-	RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr",
-					    ISC_LOG_TOFILEDESC,
-					    ISC_LOG_DYNAMIC,
-					    &destination, 0) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
-					 NULL, NULL) == ISC_R_SUCCESS);
-
-	*logp = log;
-	return (ISC_R_SUCCESS);
-}
-
-int
-main(int argc, char **argv) {
-	char *file;
-	isc_mem_t *mctx = NULL;
-	isc_result_t result;
-	isc_log_t *lctx = NULL;
-
-	if (argc != 2) {
-		printf("usage: %s journal\n", argv[0]);
-		return(1);
-	}
-
-	file = argv[1];
-
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(setup_logging(mctx, stderr, &lctx) == ISC_R_SUCCESS);
-
-	result = dns_journal_print(mctx, file, stdout);
-	if (result == DNS_R_NOJOURNAL)
-		fprintf(stderr, "%s\n", dns_result_totext(result));
-	isc_log_destroy(&lctx);
-	isc_mem_detach(&mctx);
-	return(result != ISC_R_SUCCESS ? 1 : 0);
-}
diff --git a/contrib/bind9/bin/tools/named-journalprint.docbook b/contrib/bind9/bin/tools/named-journalprint.docbook
deleted file mode 100644
index d0bea2c..0000000
--- a/contrib/bind9/bin/tools/named-journalprint.docbook
+++ /dev/null
@@ -1,101 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named-journalprint.docbook,v 1.2 2009/12/04 21:59:23 marka Exp $ -->
-<refentry id="man.named-journalprint">
-  <refentryinfo>
-    <date>Feb 18, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>named-journalprint</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>named-journalprint</application></refname>
-    <refpurpose>print zone journal in human-readable form</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2009</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>named-journalprint</command>
-      <arg choice="req"><replaceable class="parameter">journal</replaceable></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      <command>named-journalprint</command>
-      prints the contents of a zone journal file in a human-readable
-      form. 
-    </para>
-    <para>
-      Journal files are automatically created by <command>named</command> 
-      when changes are made to dynamic zones (e.g., by
-      <command>nsupdate</command>).  They record each addition
-      or deletion of a resource record, in binary format, allowing the
-      changes to be re-applied to the zone when the server is
-      restarted after a shutdown or crash.  By default, the name of
-      the journal file is formed by appending the extension
-      <filename>.jnl</filename> to the name of the corresponding
-      zone file.
-    </para>
-    <para>
-      <command>named-journalprint</command> converts the contents of a given
-      journal file into a human-readable text format.  Each line begins
-      with "add" or "del", to indicate whether the record was added or
-      deleted, and continues with the resource record in master-file
-      format.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para>
-      <citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>nsupdate</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>,
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/tools/named-journalprint.html b/contrib/bind9/bin/tools/named-journalprint.html
deleted file mode 100644
index 8639ee8..0000000
--- a/contrib/bind9/bin/tools/named-journalprint.html
+++ /dev/null
@@ -1,73 +0,0 @@
-<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-journalprint</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.named-journalprint"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-journalprint</span> &#8212; print zone journal in human-readable form</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-journalprint</code>  {<em class="replaceable"><code>journal</code></em>}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543344"></a><h2>DESCRIPTION</h2>
-<p>
-      <span><strong class="command">named-journalprint</strong></span>
-      prints the contents of a zone journal file in a human-readable
-      form. 
-    </p>
-<p>
-      Journal files are automatically created by <span><strong class="command">named</strong></span> 
-      when changes are made to dynamic zones (e.g., by
-      <span><strong class="command">nsupdate</strong></span>).  They record each addition
-      or deletion of a resource record, in binary format, allowing the
-      changes to be re-applied to the zone when the server is
-      restarted after a shutdown or crash.  By default, the name of
-      the journal file is formed by appending the extension
-      <code class="filename">.jnl</code> to the name of the corresponding
-      zone file.
-    </p>
-<p>
-      <span><strong class="command">named-journalprint</strong></span> converts the contents of a given
-      journal file into a human-readable text format.  Each line begins
-      with "add" or "del", to indicate whether the record was added or
-      deleted, and continues with the resource record in master-file
-      format.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543379"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543410"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/tools/nsec3hash.8 b/contrib/bind9/bin/tools/nsec3hash.8
deleted file mode 100644
index 3243910..0000000
--- a/contrib/bind9/bin/tools/nsec3hash.8
+++ /dev/null
@@ -1,70 +0,0 @@
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: nsec3hash
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Feb 18, 2009
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "NSEC3HASH" "8" "Feb 18, 2009" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-nsec3hash \- generate NSEC3 hash
-.SH "SYNOPSIS"
-.HP 10
-\fBnsec3hash\fR {\fIsalt\fR} {\fIalgorithm\fR} {\fIiterations\fR} {\fIdomain\fR}
-.SH "DESCRIPTION"
-.PP
-\fBnsec3hash\fR
-generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity of NSEC3 records in a signed zone.
-.SH "ARGUMENTS"
-.PP
-salt
-.RS 4
-The salt provided to the hash algorithm.
-.RE
-.PP
-algorithm
-.RS 4
-A number indicating the hash algorithm. Currently the only supported hash algorithm for NSEC3 is SHA\-1, which is indicated by the number 1; consequently "1" is the only useful value for this argument.
-.RE
-.PP
-iterations
-.RS 4
-The number of additional times the hash should be performed.
-.RE
-.PP
-domain
-.RS 4
-The domain name to be hashed.
-.RE
-.SH "SEE ALSO"
-.PP
-BIND 9 Administrator Reference Manual,
-RFC 5155.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/contrib/bind9/bin/tools/nsec3hash.c b/contrib/bind9/bin/tools/nsec3hash.c
deleted file mode 100644
index 57f24c2..0000000
--- a/contrib/bind9/bin/tools/nsec3hash.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (C) 2006, 2008, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsec3hash.c,v 1.8 2011/11/02 23:46:24 tbox Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <stdarg.h>
-
-#include <isc/base32.h>
-#include <isc/buffer.h>
-#include <isc/hex.h>
-#include <isc/iterated_hash.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/types.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/nsec3.h>
-#include <dns/types.h>
-
-const char *program = "nsec3hash";
-
-ISC_PLATFORM_NORETURN_PRE static void
-fatal(const char *format, ...) ISC_PLATFORM_NORETURN_POST;
-
-static void
-fatal(const char *format, ...) {
-	va_list args;
-
-	fprintf(stderr, "%s: ", program);
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	exit(1);
-}
-
-static void
-check_result(isc_result_t result, const char *message) {
-	if (result != ISC_R_SUCCESS)
-		fatal("%s: %s", message, isc_result_totext(result));
-}
-
-static void
-usage() {
-	printf("Usage: %s salt algorithm iterations domain\n", program);
-	exit(1);
-}
-
-int
-main(int argc, char **argv) {
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	isc_buffer_t buffer;
-	isc_region_t region;
-	isc_result_t result;
-	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
-	unsigned char salt[DNS_NSEC3_SALTSIZE];
-	unsigned char text[1024];
-	unsigned int hash_alg;
-	unsigned int length;
-	unsigned int iterations;
-	unsigned int salt_length;
-
-	if (argc != 5)
-		usage();
-
-	if (strcmp(argv[1], "-") == 0) {
-		salt_length = 0;
-		salt[0] = 0;
-	} else {
-		isc_buffer_init(&buffer, salt, sizeof(salt));
-		result = isc_hex_decodestring(argv[1], &buffer);
-		check_result(result, "isc_hex_decodestring(salt)");
-		salt_length = isc_buffer_usedlength(&buffer);
-		if (salt_length > DNS_NSEC3_SALTSIZE)
-			fatal("salt too long");
-	}
-	hash_alg = atoi(argv[2]);
-	if (hash_alg > 255U)
-		fatal("hash algorithm too large");
-	iterations = atoi(argv[3]);
-	if (iterations > 0xffffU)
-		fatal("iterations to large");
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	isc_buffer_init(&buffer, argv[4], strlen(argv[4]));
-	isc_buffer_add(&buffer, strlen(argv[4]));
-	result = dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL);
-	check_result(result, "dns_name_fromtext() failed");
-
-	dns_name_downcase(name, name, NULL);
-	length = isc_iterated_hash(hash, hash_alg, iterations,  salt,
-				   salt_length, name->ndata, name->length);
-	if (length == 0)
-		fatal("isc_iterated_hash failed");
-	region.base = hash;
-	region.length = length;
-	isc_buffer_init(&buffer, text, sizeof(text));
-	isc_base32hex_totext(&region, 1, "", &buffer);
-	fprintf(stdout, "%.*s (salt=%s, hash=%u, iterations=%u)\n",
-		(int)isc_buffer_usedlength(&buffer), text, argv[1], hash_alg, iterations);
-	return(0);
-}
diff --git a/contrib/bind9/bin/tools/nsec3hash.docbook b/contrib/bind9/bin/tools/nsec3hash.docbook
deleted file mode 100644
index d20eb83..0000000
--- a/contrib/bind9/bin/tools/nsec3hash.docbook
+++ /dev/null
@@ -1,125 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: nsec3hash.docbook,v 1.3 2009/03/02 23:47:43 tbox Exp $ -->
-<refentry id="man.nsec3hash">
-  <refentryinfo>
-    <date>Feb 18, 2009</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>nsec3hash</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>nsec3hash</application></refname>
-    <refpurpose>generate NSEC3 hash</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2009</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>nsec3hash</command>
-      <arg choice="req"><replaceable class="parameter">salt</replaceable></arg>
-      <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
-      <arg choice="req"><replaceable class="parameter">iterations</replaceable></arg>
-      <arg choice="req"><replaceable class="parameter">domain</replaceable></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      <command>nsec3hash</command> generates an NSEC3 hash based on
-      a set of NSEC3 parameters.  This can be used to check the validity
-      of NSEC3 records in a signed zone.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>ARGUMENTS</title>
-    <variablelist>
-      <varlistentry>
-        <term>salt</term>
-        <listitem>
-          <para>
-            The salt provided to the hash algorithm.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>algorithm</term>
-        <listitem>
-          <para>
-            A number indicating the hash algorithm.  Currently the
-            only supported hash algorithm for NSEC3 is SHA-1, which is
-            indicated by the number 1; consequently "1" is the only
-            useful value for this argument.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>iterations</term>
-        <listitem>
-          <para>
-            The number of additional times the hash should be performed.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>domain</term>
-        <listitem>
-          <para>
-            The domain name to be hashed.
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para>
-      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
-      <citetitle>RFC 5155</citetitle>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>AUTHOR</title>
-    <para><corpauthor>Internet Systems Consortium</corpauthor>
-    </para>
-  </refsect1>
-
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/tools/nsec3hash.html b/contrib/bind9/bin/tools/nsec3hash.html
deleted file mode 100644
index e5b5a14..0000000
--- a/contrib/bind9/bin/tools/nsec3hash.html
+++ /dev/null
@@ -1,78 +0,0 @@
-<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nsec3hash</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.nsec3hash"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">nsec3hash</span> &#8212; generate NSEC3 hash</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsec3hash</code>  {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543369"></a><h2>DESCRIPTION</h2>
-<p>
-      <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
-      a set of NSEC3 parameters.  This can be used to check the validity
-      of NSEC3 records in a signed zone.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543382"></a><h2>ARGUMENTS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">salt</span></dt>
-<dd><p>
-            The salt provided to the hash algorithm.
-          </p></dd>
-<dt><span class="term">algorithm</span></dt>
-<dd><p>
-            A number indicating the hash algorithm.  Currently the
-            only supported hash algorithm for NSEC3 is SHA-1, which is
-            indicated by the number 1; consequently "1" is the only
-            useful value for this argument.
-          </p></dd>
-<dt><span class="term">iterations</span></dt>
-<dd><p>
-            The number of additional times the hash should be performed.
-          </p></dd>
-<dt><span class="term">domain</span></dt>
-<dd><p>
-            The domain name to be hashed.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543444"></a><h2>SEE ALSO</h2>
-<p>
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 5155</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543461"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/config.guess b/contrib/bind9/config.guess
deleted file mode 100644
index f8d6eac..0000000
--- a/contrib/bind9/config.guess
+++ /dev/null
@@ -1,1447 +0,0 @@
-#! /bin/sh
-# Attempt to guess a canonical system name.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
-
-timestamp='2009-01-17'
-
-# This file is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Originally written by Per Bothner <per@bothner.com>.
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# This script attempts to guess a canonical system name similar to
-# config.sub.  If it succeeds, it prints the system name on stdout, and
-# exits with 0.  Otherwise, it exits with 1.
-#
-# The plan is that this can be called by configure scripts if you
-# don't specify an explicit build system type.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION]
-
-Output the configuration name of the system \`$me' is run on.
-
-Operation modes:
-  -h, --help         print this help, then exit
-  -t, --time-stamp   print date of last modification, then exit
-  -v, --version      print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.guess ($timestamp)
-
-Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
-  case $1 in
-    --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit 0 ;;
-    --version | -v )
-       echo "$version" ; exit 0 ;;
-    --help | --h* | -h )
-       echo "$usage"; exit 0 ;;
-    -- )     # Stop option processing
-       shift; break ;;
-    - )	# Use stdin as input.
-       break ;;
-    -* )
-       echo "$me: invalid option $1$help" >&2
-       exit 1 ;;
-    * )
-       break ;;
-  esac
-done
-
-if test $# != 0; then
-  echo "$me: too many arguments$help" >&2
-  exit 1
-fi
-
-trap 'exit 1' 1 2 15
-
-# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
-# compiler to aid in system detection is discouraged as it requires
-# temporary files to be created and, as you can see below, it is a
-# headache to deal with in a portable fashion.
-
-# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
-# use `HOST_CC' if defined, but it is deprecated.
-
-# Portable tmp directory creation inspired by the Autoconf team.
-
-set_cc_for_build='
-trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
-trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
-: ${TMPDIR=/tmp} ;
- { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
- { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
- { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
- { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
-dummy=$tmp/dummy ;
-tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
-case $CC_FOR_BUILD,$HOST_CC,$CC in
- ,,)    echo "int x;" > $dummy.c ;
-	for c in cc gcc c89 c99 ; do
-	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
-	     CC_FOR_BUILD="$c"; break ;
-	  fi ;
-	done ;
-	if test x"$CC_FOR_BUILD" = x ; then
-	  CC_FOR_BUILD=no_compiler_found ;
-	fi
-	;;
- ,,*)   CC_FOR_BUILD=$CC ;;
- ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
-esac ;'
-
-# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
-# (ghazi@noc.rutgers.edu 1994-08-24)
-if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
-	PATH=$PATH:/.attbin ; export PATH
-fi
-
-UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
-UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
-UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
-UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
-
-# Note: order is significant - the case branches are not exclusive.
-
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
-    *:NetBSD:*:*)
-	# NetBSD (nbsd) targets should (where applicable) match one or
-	# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
-	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
-	# switched to ELF, *-*-netbsd* would select the old
-	# object file format.  This provides both forward
-	# compatibility and a consistent mechanism for selecting the
-	# object file format.
-	#
-	# Note: NetBSD doesn't particularly care about the vendor
-	# portion of the name.  We always set it to "unknown".
-	sysctl="sysctl -n hw.machine_arch"
-	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
-	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
-	case "${UNAME_MACHINE_ARCH}" in
-	    armeb) machine=armeb-unknown ;;
-	    arm*) machine=arm-unknown ;;
-	    sh3el) machine=shl-unknown ;;
-	    sh3eb) machine=sh-unknown ;;
-	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
-	esac
-	# The Operating System including object format, if it has switched
-	# to ELF recently, or will in the future.
-	case "${UNAME_MACHINE_ARCH}" in
-	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
-		eval $set_cc_for_build
-		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
-			| grep __ELF__ >/dev/null
-		then
-		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
-		    # Return netbsd for either.  FIX?
-		    os=netbsd
-		else
-		    os=netbsdelf
-		fi
-		;;
-	    *)
-	        os=netbsd
-		;;
-	esac
-	# The OS release
-	# Debian GNU/NetBSD machines have a different userland, and
-	# thus, need a distinct triplet. However, they do not need
-	# kernel version information, so it can be replaced with a
-	# suitable tag, in the style of linux-gnu.
-	case "${UNAME_VERSION}" in
-	    Debian*)
-		release='-gnu'
-		;;
-	    *)
-		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
-		;;
-	esac
-	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
-	# contains redundant information, the shorter form:
-	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
-	echo "${machine}-${os}${release}"
-	exit 0 ;;
-    amd64:OpenBSD:*:*)
-	echo x86_64-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    amiga:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    cats:OpenBSD:*:*)
-	echo arm-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    hp300:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    luna88k:OpenBSD:*:*)
-    	echo m88k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mac68k:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    macppc:OpenBSD:*:*)
-	echo powerpc-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mvme68k:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mvme88k:OpenBSD:*:*)
-	echo m88k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    mvmeppc:OpenBSD:*:*)
-	echo powerpc-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    sgi:OpenBSD:*:*)
-	echo mips64-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    sun3:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    *:OpenBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
-	exit 0 ;;
-    *:ekkoBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
-	exit 0 ;;
-    macppc:MirBSD:*:*)
-	echo powerppc-unknown-mirbsd${UNAME_RELEASE}
-	exit 0 ;;
-    *:MirBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
-	exit 0 ;;
-    alpha:OSF1:*:*)
-	case $UNAME_RELEASE in
-	*4.0)
-		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
-		;;
-	*5.*)
-	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
-		;;
-	esac
-	# According to Compaq, /usr/sbin/psrinfo has been available on
-	# OSF/1 and Tru64 systems produced since 1995.  I hope that
-	# covers most systems running today.  This code pipes the CPU
-	# types through head -n 1, so we only detect the type of CPU 0.
-	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
-	case "$ALPHA_CPU_TYPE" in
-	    "EV4 (21064)")
-		UNAME_MACHINE="alpha" ;;
-	    "EV4.5 (21064)")
-		UNAME_MACHINE="alpha" ;;
-	    "LCA4 (21066/21068)")
-		UNAME_MACHINE="alpha" ;;
-	    "EV5 (21164)")
-		UNAME_MACHINE="alphaev5" ;;
-	    "EV5.6 (21164A)")
-		UNAME_MACHINE="alphaev56" ;;
-	    "EV5.6 (21164PC)")
-		UNAME_MACHINE="alphapca56" ;;
-	    "EV5.7 (21164PC)")
-		UNAME_MACHINE="alphapca57" ;;
-	    "EV6 (21264)")
-		UNAME_MACHINE="alphaev6" ;;
-	    "EV6.7 (21264A)")
-		UNAME_MACHINE="alphaev67" ;;
-	    "EV6.8CB (21264C)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.8AL (21264B)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.8CX (21264D)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.9A (21264/EV69A)")
-		UNAME_MACHINE="alphaev69" ;;
-	    "EV7 (21364)")
-		UNAME_MACHINE="alphaev7" ;;
-	    "EV7.9 (21364A)")
-		UNAME_MACHINE="alphaev79" ;;
-	esac
-	# A Pn.n version is a patched version.
-	# A Vn.n version is a released version.
-	# A Tn.n version is a released field test version.
-	# A Xn.n version is an unreleased experimental baselevel.
-	# 1.2 uses "1.2" for uname -r.
-	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	exit 0 ;;
-    Alpha\ *:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# Should we change UNAME_MACHINE based on the output of uname instead
-	# of the specific Alpha model?
-	echo alpha-pc-interix
-	exit 0 ;;
-    21064:Windows_NT:50:3)
-	echo alpha-dec-winnt3.5
-	exit 0 ;;
-    Amiga*:UNIX_System_V:4.0:*)
-	echo m68k-unknown-sysv4
-	exit 0;;
-    *:[Aa]miga[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-amigaos
-	exit 0 ;;
-    *:[Mm]orph[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-morphos
-	exit 0 ;;
-    *:OS/390:*:*)
-	echo i370-ibm-openedition
-	exit 0 ;;
-    *:OS400:*:*)
-        echo powerpc-ibm-os400
-	exit 0 ;;
-    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
-	echo arm-acorn-riscix${UNAME_RELEASE}
-	exit 0;;
-    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
-	echo hppa1.1-hitachi-hiuxmpp
-	exit 0;;
-    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
-	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
-	if test "`(/bin/universe) 2>/dev/null`" = att ; then
-		echo pyramid-pyramid-sysv3
-	else
-		echo pyramid-pyramid-bsd
-	fi
-	exit 0 ;;
-    NILE*:*:*:dcosx)
-	echo pyramid-pyramid-svr4
-	exit 0 ;;
-    DRS?6000:unix:4.0:6*)
-	echo sparc-icl-nx6
-	exit 0 ;;
-    DRS?6000:UNIX_SV:4.2*:7*)
-	case `/usr/bin/uname -p` in
-	    sparc) echo sparc-icl-nx7 && exit 0 ;;
-	esac ;;
-    sun4H:SunOS:5.*:*)
-	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
-	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    i86pc:SunOS:5.*:*)
-	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    sun4*:SunOS:6*:*)
-	# According to config.sub, this is the proper way to canonicalize
-	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
-	# it's likely to be more like Solaris than SunOS4.
-	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    sun4*:SunOS:*:*)
-	case "`/usr/bin/arch -k`" in
-	    Series*|S4*)
-		UNAME_RELEASE=`uname -v`
-		;;
-	esac
-	# Japanese Language versions have a version number like `4.1.3-JL'.
-	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
-	exit 0 ;;
-    sun3*:SunOS:*:*)
-	echo m68k-sun-sunos${UNAME_RELEASE}
-	exit 0 ;;
-    sun*:*:4.2BSD:*)
-	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
-	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
-	case "`/bin/arch`" in
-	    sun3)
-		echo m68k-sun-sunos${UNAME_RELEASE}
-		;;
-	    sun4)
-		echo sparc-sun-sunos${UNAME_RELEASE}
-		;;
-	esac
-	exit 0 ;;
-    aushp:SunOS:*:*)
-	echo sparc-auspex-sunos${UNAME_RELEASE}
-	exit 0 ;;
-    # The situation for MiNT is a little confusing.  The machine name
-    # can be virtually everything (everything which is not
-    # "atarist" or "atariste" at least should have a processor
-    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
-    # to the lowercase version "mint" (or "freemint").  Finally
-    # the system name "TOS" denotes a system which is actually not
-    # MiNT.  But MiNT is downward compatible to TOS, so this should
-    # be no problem.
-    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
-	exit 0 ;;
-    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
-	echo m68k-atari-mint${UNAME_RELEASE}
-        exit 0 ;;
-    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
-	exit 0 ;;
-    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
-        echo m68k-milan-mint${UNAME_RELEASE}
-        exit 0 ;;
-    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
-        echo m68k-hades-mint${UNAME_RELEASE}
-        exit 0 ;;
-    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
-        echo m68k-unknown-mint${UNAME_RELEASE}
-        exit 0 ;;
-    m68k:machten:*:*)
-	echo m68k-apple-machten${UNAME_RELEASE}
-	exit 0 ;;
-    powerpc:machten:*:*)
-	echo powerpc-apple-machten${UNAME_RELEASE}
-	exit 0 ;;
-    RISC*:Mach:*:*)
-	echo mips-dec-mach_bsd4.3
-	exit 0 ;;
-    RISC*:ULTRIX:*:*)
-	echo mips-dec-ultrix${UNAME_RELEASE}
-	exit 0 ;;
-    VAX*:ULTRIX*:*:*)
-	echo vax-dec-ultrix${UNAME_RELEASE}
-	exit 0 ;;
-    2020:CLIX:*:* | 2430:CLIX:*:*)
-	echo clipper-intergraph-clix${UNAME_RELEASE}
-	exit 0 ;;
-    mips:*:*:UMIPS | mips:*:*:RISCos)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-#ifdef __cplusplus
-#include <stdio.h>  /* for printf() prototype */
-	int main (int argc, char *argv[]) {
-#else
-	int main (argc, argv) int argc; char *argv[]; {
-#endif
-	#if defined (host_mips) && defined (MIPSEB)
-	#if defined (SYSTYPE_SYSV)
-	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
-	#endif
-	#if defined (SYSTYPE_SVR4)
-	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
-	#endif
-	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
-	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
-	#endif
-	#endif
-	  exit (-1);
-	}
-EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c \
-	  && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
-	  && exit 0
-	echo mips-mips-riscos${UNAME_RELEASE}
-	exit 0 ;;
-    Motorola:PowerMAX_OS:*:*)
-	echo powerpc-motorola-powermax
-	exit 0 ;;
-    Motorola:*:4.3:PL8-*)
-	echo powerpc-harris-powermax
-	exit 0 ;;
-    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
-	echo powerpc-harris-powermax
-	exit 0 ;;
-    Night_Hawk:Power_UNIX:*:*)
-	echo powerpc-harris-powerunix
-	exit 0 ;;
-    m88k:CX/UX:7*:*)
-	echo m88k-harris-cxux7
-	exit 0 ;;
-    m88k:*:4*:R4*)
-	echo m88k-motorola-sysv4
-	exit 0 ;;
-    m88k:*:3*:R3*)
-	echo m88k-motorola-sysv3
-	exit 0 ;;
-    AViiON:dgux:*:*)
-        # DG/UX returns AViiON for all architectures
-        UNAME_PROCESSOR=`/usr/bin/uname -p`
-	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
-	then
-	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
-	       [ ${TARGET_BINARY_INTERFACE}x = x ]
-	    then
-		echo m88k-dg-dgux${UNAME_RELEASE}
-	    else
-		echo m88k-dg-dguxbcs${UNAME_RELEASE}
-	    fi
-	else
-	    echo i586-dg-dgux${UNAME_RELEASE}
-	fi
- 	exit 0 ;;
-    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
-	echo m88k-dolphin-sysv3
-	exit 0 ;;
-    M88*:*:R3*:*)
-	# Delta 88k system running SVR3
-	echo m88k-motorola-sysv3
-	exit 0 ;;
-    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
-	echo m88k-tektronix-sysv3
-	exit 0 ;;
-    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
-	echo m68k-tektronix-bsd
-	exit 0 ;;
-    *:IRIX*:*:*)
-	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
-	exit 0 ;;
-    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
-	echo romp-ibm-aix      # uname -m gives an 8 hex-code CPU id
-	exit 0 ;;              # Note that: echo "'`uname -s`'" gives 'AIX '
-    i*86:AIX:*:*)
-	echo i386-ibm-aix
-	exit 0 ;;
-    ia64:AIX:*:*)
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
-	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
-	fi
-	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
-	exit 0 ;;
-    *:AIX:2:3)
-	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
-		eval $set_cc_for_build
-		sed 's/^		//' << EOF >$dummy.c
-		#include <sys/systemcfg.h>
-
-		main()
-			{
-			if (!__power_pc())
-				exit(1);
-			puts("powerpc-ibm-aix3.2.5");
-			exit(0);
-			}
-EOF
-		$CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
-		echo rs6000-ibm-aix3.2.5
-	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
-		echo rs6000-ibm-aix3.2.4
-	else
-		echo rs6000-ibm-aix3.2
-	fi
-	exit 0 ;;
-    *:AIX:*:[45])
-	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
-	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
-		IBM_ARCH=rs6000
-	else
-		IBM_ARCH=powerpc
-	fi
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
-	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
-	fi
-	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
-	exit 0 ;;
-    *:AIX:*:*)
-	echo rs6000-ibm-aix
-	exit 0 ;;
-    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
-	echo romp-ibm-bsd4.4
-	exit 0 ;;
-    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
-	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
-	exit 0 ;;                           # report: romp-ibm BSD 4.3
-    *:BOSX:*:*)
-	echo rs6000-bull-bosx
-	exit 0 ;;
-    DPX/2?00:B.O.S.:*:*)
-	echo m68k-bull-sysv3
-	exit 0 ;;
-    9000/[34]??:4.3bsd:1.*:*)
-	echo m68k-hp-bsd
-	exit 0 ;;
-    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
-	echo m68k-hp-bsd4.4
-	exit 0 ;;
-    9000/[34678]??:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	case "${UNAME_MACHINE}" in
-	    9000/31? )            HP_ARCH=m68000 ;;
-	    9000/[34]?? )         HP_ARCH=m68k ;;
-	    9000/[678][0-9][0-9])
-		if [ -x /usr/bin/getconf ]; then
-		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
-                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
-                    case "${sc_cpu_version}" in
-                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
-                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
-                      532)                      # CPU_PA_RISC2_0
-                        case "${sc_kernel_bits}" in
-                          32) HP_ARCH="hppa2.0n" ;;
-                          64) HP_ARCH="hppa2.0w" ;;
-			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
-                        esac ;;
-                    esac
-		fi
-		if [ "${HP_ARCH}" = "" ]; then
-		    eval $set_cc_for_build
-		    sed 's/^              //' << EOF >$dummy.c
-
-              #define _HPUX_SOURCE
-              #include <stdlib.h>
-              #include <unistd.h>
-
-              int main ()
-              {
-              #if defined(_SC_KERNEL_BITS)
-                  long bits = sysconf(_SC_KERNEL_BITS);
-              #endif
-                  long cpu  = sysconf (_SC_CPU_VERSION);
-
-                  switch (cpu)
-              	{
-              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
-              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
-              	case CPU_PA_RISC2_0:
-              #if defined(_SC_KERNEL_BITS)
-              	    switch (bits)
-              		{
-              		case 64: puts ("hppa2.0w"); break;
-              		case 32: puts ("hppa2.0n"); break;
-              		default: puts ("hppa2.0"); break;
-              		} break;
-              #else  /* !defined(_SC_KERNEL_BITS) */
-              	    puts ("hppa2.0"); break;
-              #endif
-              	default: puts ("hppa1.0"); break;
-              	}
-                  exit (0);
-              }
-EOF
-		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
-		    test -z "$HP_ARCH" && HP_ARCH=hppa
-		fi ;;
-	esac
-	if [ ${HP_ARCH} = "hppa2.0w" ]
-	then
-	    # avoid double evaluation of $set_cc_for_build
-	    test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
-	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null
-	    then
-		HP_ARCH="hppa2.0w"
-	    else
-		HP_ARCH="hppa64"
-	    fi
-	fi
-	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
-	exit 0 ;;
-    ia64:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	echo ia64-hp-hpux${HPUX_REV}
-	exit 0 ;;
-    3050*:HI-UX:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <unistd.h>
-	int
-	main ()
-	{
-	  long cpu = sysconf (_SC_CPU_VERSION);
-	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
-	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
-	     results, however.  */
-	  if (CPU_IS_PA_RISC (cpu))
-	    {
-	      switch (cpu)
-		{
-		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
-		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
-		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
-		  default: puts ("hppa-hitachi-hiuxwe2"); break;
-		}
-	    }
-	  else if (CPU_IS_HP_MC68K (cpu))
-	    puts ("m68k-hitachi-hiuxwe2");
-	  else puts ("unknown-hitachi-hiuxwe2");
-	  exit (0);
-	}
-EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
-	echo unknown-hitachi-hiuxwe2
-	exit 0 ;;
-    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
-	echo hppa1.1-hp-bsd
-	exit 0 ;;
-    9000/8??:4.3bsd:*:*)
-	echo hppa1.0-hp-bsd
-	exit 0 ;;
-    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
-	echo hppa1.0-hp-mpeix
-	exit 0 ;;
-    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
-	echo hppa1.1-hp-osf
-	exit 0 ;;
-    hp8??:OSF1:*:*)
-	echo hppa1.0-hp-osf
-	exit 0 ;;
-    i*86:OSF1:*:*)
-	if [ -x /usr/sbin/sysversion ] ; then
-	    echo ${UNAME_MACHINE}-unknown-osf1mk
-	else
-	    echo ${UNAME_MACHINE}-unknown-osf1
-	fi
-	exit 0 ;;
-    parisc*:Lites*:*:*)
-	echo hppa1.1-hp-lites
-	exit 0 ;;
-    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
-	echo c1-convex-bsd
-        exit 0 ;;
-    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
-	if getsysinfo -f scalar_acc
-	then echo c32-convex-bsd
-	else echo c2-convex-bsd
-	fi
-        exit 0 ;;
-    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
-	echo c34-convex-bsd
-        exit 0 ;;
-    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
-	echo c38-convex-bsd
-        exit 0 ;;
-    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
-	echo c4-convex-bsd
-        exit 0 ;;
-    CRAY*Y-MP:*:*:*)
-	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    CRAY*[A-Z]90:*:*:*)
-	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
-	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
-	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
-	      -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    CRAY*TS:*:*:*)
-	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    CRAY*T3E:*:*:*)
-	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    CRAY*SV1:*:*:*)
-	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    *:UNICOS/mp:*:*)
-	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit 0 ;;
-    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
-	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
-        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-        exit 0 ;;
-    5000:UNIX_System_V:4.*:*)
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
-        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-	exit 0 ;;
-    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
-	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
-	exit 0 ;;
-    sparc*:BSD/OS:*:*)
-	echo sparc-unknown-bsdi${UNAME_RELEASE}
-	exit 0 ;;
-    *:BSD/OS:*:*)
-	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
-	exit 0 ;;
-    *:FreeBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
-	exit 0 ;;
-    i*:CYGWIN*:*)
-	echo ${UNAME_MACHINE}-pc-cygwin
-	exit 0 ;;
-    i*:MINGW*:*)
-	echo ${UNAME_MACHINE}-pc-mingw32
-	exit 0 ;;
-    i*:PW*:*)
-	echo ${UNAME_MACHINE}-pc-pw32
-	exit 0 ;;
-    x86:Interix*:[34]*)
-	echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
-	exit 0 ;;
-    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
-	echo i${UNAME_MACHINE}-pc-mks
-	exit 0 ;;
-    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
-	# UNAME_MACHINE based on the output of uname instead of i386?
-	echo i586-pc-interix
-	exit 0 ;;
-    i*:UWIN*:*)
-	echo ${UNAME_MACHINE}-pc-uwin
-	exit 0 ;;
-    p*:CYGWIN*:*)
-	echo powerpcle-unknown-cygwin
-	exit 0 ;;
-    prep*:SunOS:5.*:*)
-	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit 0 ;;
-    *:GNU:*:*)
-	# the GNU system
-	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
-	exit 0 ;;
-    *:GNU/*:*:*)
-	# other systems with GNU libc and userland
-	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
-	exit 0 ;;
-    i*86:Minix:*:*)
-	echo ${UNAME_MACHINE}-pc-minix
-	exit 0 ;;
-    arm*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    cris:Linux:*:*)
-	echo cris-axis-linux-gnu
-	exit 0 ;;
-    crisv32:Linux:*:*)
-	echo crisv32-axis-linux-gnu
-	exit 0 ;;
-    frv:Linux:*:*)
-    	echo frv-unknown-linux-gnu
-	exit 0 ;;
-    ia64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    m32r*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    m68*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    mips:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#undef CPU
-	#undef mips
-	#undef mipsel
-	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mipsel
-	#else
-	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips
-	#else
-	CPU=
-	#endif
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
-	test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
-	;;
-    mips64:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#undef CPU
-	#undef mips64
-	#undef mips64el
-	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mips64el
-	#else
-	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips64
-	#else
-	CPU=
-	#endif
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
-	test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
-	;;
-    ppc:Linux:*:*)
-	echo powerpc-unknown-linux-gnu
-	exit 0 ;;
-    ppc64:Linux:*:*)
-	echo powerpc64-unknown-linux-gnu
-	exit 0 ;;
-    alpha:Linux:*:*)
-	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
-	  EV5)   UNAME_MACHINE=alphaev5 ;;
-	  EV56)  UNAME_MACHINE=alphaev56 ;;
-	  PCA56) UNAME_MACHINE=alphapca56 ;;
-	  PCA57) UNAME_MACHINE=alphapca56 ;;
-	  EV6)   UNAME_MACHINE=alphaev6 ;;
-	  EV67)  UNAME_MACHINE=alphaev67 ;;
-	  EV68*) UNAME_MACHINE=alphaev68 ;;
-        esac
-	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
-	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
-	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
-	exit 0 ;;
-    parisc:Linux:*:* | hppa:Linux:*:*)
-	# Look for CPU level
-	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
-	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
-	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
-	  *)    echo hppa-unknown-linux-gnu ;;
-	esac
-	exit 0 ;;
-    parisc64:Linux:*:* | hppa64:Linux:*:*)
-	echo hppa64-unknown-linux-gnu
-	exit 0 ;;
-    s390:Linux:*:* | s390x:Linux:*:*)
-	echo ${UNAME_MACHINE}-ibm-linux
-	exit 0 ;;
-    sh64*:Linux:*:*)
-    	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    sh*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    sparc:Linux:*:* | sparc64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit 0 ;;
-    x86_64:Linux:*:*)
-	echo x86_64-unknown-linux-gnu
-	exit 0 ;;
-    i*86:Linux:*:*)
-	# The BFD linker knows what the default object file format is, so
-	# first see if it will tell us. cd to the root directory to prevent
-	# problems with other programs or directories called `ld' in the path.
-	# Set LC_ALL=C to ensure ld outputs messages in English.
-	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
-			 | sed -ne '/supported targets:/!d
-				    s/[ 	][ 	]*/ /g
-				    s/.*supported targets: *//
-				    s/ .*//
-				    p'`
-        case "$ld_supported_targets" in
-	  elf32-i386)
-		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
-		;;
-	  a.out-i386-linux)
-		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
-		exit 0 ;;
-	  coff-i386)
-		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
-		exit 0 ;;
-	  "")
-		# Either a pre-BFD a.out linker (linux-gnuoldld) or
-		# one that does not give us useful --help.
-		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
-		exit 0 ;;
-	esac
-	# Determine whether the default compiler is a.out or elf
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <features.h>
-	#ifdef __ELF__
-	# ifdef __GLIBC__
-	#  if __GLIBC__ >= 2
-	LIBC=gnu
-	#  else
-	LIBC=gnulibc1
-	#  endif
-	# else
-	LIBC=gnulibc1
-	# endif
-	#else
-	#ifdef __INTEL_COMPILER
-	LIBC=gnu
-	#else
-	LIBC=gnuaout
-	#endif
-	#endif
-	#ifdef __dietlibc__
-	LIBC=dietlibc
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
-	test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
-	test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
-	;;
-    i*86:DYNIX/ptx:4*:*)
-	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
-	# earlier versions are messed up and put the nodename in both
-	# sysname and nodename.
-	echo i386-sequent-sysv4
-	exit 0 ;;
-    i*86:UNIX_SV:4.2MP:2.*)
-        # Unixware is an offshoot of SVR4, but it has its own version
-        # number series starting with 2...
-        # I am not positive that other SVR4 systems won't match this,
-	# I just have to hope.  -- rms.
-        # Use sysv4.2uw... so that sysv4* matches it.
-	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
-	exit 0 ;;
-    i*86:OS/2:*:*)
-	# If we were able to find `uname', then EMX Unix compatibility
-	# is probably installed.
-	echo ${UNAME_MACHINE}-pc-os2-emx
-	exit 0 ;;
-    i*86:XTS-300:*:STOP)
-	echo ${UNAME_MACHINE}-unknown-stop
-	exit 0 ;;
-    i*86:atheos:*:*)
-	echo ${UNAME_MACHINE}-unknown-atheos
-	exit 0 ;;
-	i*86:syllable:*:*)
-	echo ${UNAME_MACHINE}-pc-syllable
-	exit 0 ;;
-    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
-	echo i386-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    i*86:*DOS:*:*)
-	echo ${UNAME_MACHINE}-pc-msdosdjgpp
-	exit 0 ;;
-    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
-	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
-	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
-		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
-	else
-		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
-	fi
-	exit 0 ;;
-    i*86:*:5:[78]*)
-	case `/bin/uname -X | grep "^Machine"` in
-	    *486*)	     UNAME_MACHINE=i486 ;;
-	    *Pentium)	     UNAME_MACHINE=i586 ;;
-	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
-	esac
-	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
-	exit 0 ;;
-    i*86:*:3.2:*)
-	if test -f /usr/options/cb.name; then
-		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
-		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
-	elif /bin/uname -X 2>/dev/null >/dev/null ; then
-		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
-		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
-		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
-			&& UNAME_MACHINE=i586
-		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
-			&& UNAME_MACHINE=i686
-		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
-			&& UNAME_MACHINE=i686
-		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
-	else
-		echo ${UNAME_MACHINE}-pc-sysv32
-	fi
-	exit 0 ;;
-    pc:*:*:*)
-	# Left here for compatibility:
-        # uname -m prints for DJGPP always 'pc', but it prints nothing about
-        # the processor, so we play safe by assuming i386.
-	echo i386-pc-msdosdjgpp
-        exit 0 ;;
-    Intel:Mach:3*:*)
-	echo i386-pc-mach3
-	exit 0 ;;
-    paragon:*:*:*)
-	echo i860-intel-osf1
-	exit 0 ;;
-    i860:*:4.*:*) # i860-SVR4
-	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
-	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
-	else # Add other i860-SVR4 vendors below as they are discovered.
-	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
-	fi
-	exit 0 ;;
-    mini*:CTIX:SYS*5:*)
-	# "miniframe"
-	echo m68010-convergent-sysv
-	exit 0 ;;
-    mc68k:UNIX:SYSTEM5:3.51m)
-	echo m68k-convergent-sysv
-	exit 0 ;;
-    M680?0:D-NIX:5.3:*)
-	echo m68k-diab-dnix
-	exit 0 ;;
-    M68*:*:R3V[5678]*:*)
-	test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
-    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
-	OS_REL=''
-	test -r /etc/.relid \
-	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
-	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-	  && echo i486-ncr-sysv4.3${OS_REL} && exit 0
-	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-	  && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
-    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
-        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-          && echo i486-ncr-sysv4 && exit 0 ;;
-    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
-	echo m68k-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    mc68030:UNIX_System_V:4.*:*)
-	echo m68k-atari-sysv4
-	exit 0 ;;
-    TSUNAMI:LynxOS:2.*:*)
-	echo sparc-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    rs6000:LynxOS:2.*:*)
-	echo rs6000-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
-	echo powerpc-unknown-lynxos${UNAME_RELEASE}
-	exit 0 ;;
-    SM[BE]S:UNIX_SV:*:*)
-	echo mips-dde-sysv${UNAME_RELEASE}
-	exit 0 ;;
-    RM*:ReliantUNIX-*:*:*)
-	echo mips-sni-sysv4
-	exit 0 ;;
-    RM*:SINIX-*:*:*)
-	echo mips-sni-sysv4
-	exit 0 ;;
-    *:SINIX-*:*:*)
-	if uname -p 2>/dev/null >/dev/null ; then
-		UNAME_MACHINE=`(uname -p) 2>/dev/null`
-		echo ${UNAME_MACHINE}-sni-sysv4
-	else
-		echo ns32k-sni-sysv
-	fi
-	exit 0 ;;
-    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
-                      # says <Richard.M.Bartel@ccMail.Census.GOV>
-        echo i586-unisys-sysv4
-        exit 0 ;;
-    *:UNIX_System_V:4*:FTX*)
-	# From Gerald Hewes <hewes@openmarket.com>.
-	# How about differentiating between stratus architectures? -djm
-	echo hppa1.1-stratus-sysv4
-	exit 0 ;;
-    *:*:*:FTX*)
-	# From seanf@swdc.stratus.com.
-	echo i860-stratus-sysv4
-	exit 0 ;;
-    *:VOS:*:*)
-	# From Paul.Green@stratus.com.
-	echo hppa1.1-stratus-vos
-	exit 0 ;;
-    mc68*:A/UX:*:*)
-	echo m68k-apple-aux${UNAME_RELEASE}
-	exit 0 ;;
-    news*:NEWS-OS:6*:*)
-	echo mips-sony-newsos6
-	exit 0 ;;
-    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
-	if [ -d /usr/nec ]; then
-	        echo mips-nec-sysv${UNAME_RELEASE}
-	else
-	        echo mips-unknown-sysv${UNAME_RELEASE}
-	fi
-        exit 0 ;;
-    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
-	echo powerpc-be-beos
-	exit 0 ;;
-    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
-	echo powerpc-apple-beos
-	exit 0 ;;
-    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
-	echo i586-pc-beos
-	exit 0 ;;
-    SX-4:SUPER-UX:*:*)
-	echo sx4-nec-superux${UNAME_RELEASE}
-	exit 0 ;;
-    SX-5:SUPER-UX:*:*)
-	echo sx5-nec-superux${UNAME_RELEASE}
-	exit 0 ;;
-    SX-6:SUPER-UX:*:*)
-	echo sx6-nec-superux${UNAME_RELEASE}
-	exit 0 ;;
-    Power*:Rhapsody:*:*)
-	echo powerpc-apple-rhapsody${UNAME_RELEASE}
-	exit 0 ;;
-    *:Rhapsody:*:*)
-	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
-	exit 0 ;;
-    *:Darwin:*:*)
-	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
-	case $UNAME_PROCESSOR in
-	    *86) UNAME_PROCESSOR=i686 ;;
-	    unknown) UNAME_PROCESSOR=powerpc ;;
-	esac
-	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
-	exit 0 ;;
-    *:procnto*:*:* | *:QNX:[0123456789]*:*)
-	UNAME_PROCESSOR=`uname -p`
-	if test "$UNAME_PROCESSOR" = "x86"; then
-		UNAME_PROCESSOR=i386
-		UNAME_MACHINE=pc
-	fi
-	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
-	exit 0 ;;
-    *:QNX:*:4*)
-	echo i386-pc-qnx
-	exit 0 ;;
-    NSR-?:NONSTOP_KERNEL:*:*)
-	echo nsr-tandem-nsk${UNAME_RELEASE}
-	exit 0 ;;
-    *:NonStop-UX:*:*)
-	echo mips-compaq-nonstopux
-	exit 0 ;;
-    BS2000:POSIX*:*:*)
-	echo bs2000-siemens-sysv
-	exit 0 ;;
-    DS/*:UNIX_System_V:*:*)
-	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
-	exit 0 ;;
-    *:Plan9:*:*)
-	# "uname -m" is not consistent, so use $cputype instead. 386
-	# is converted to i386 for consistency with other x86
-	# operating systems.
-	if test "$cputype" = "386"; then
-	    UNAME_MACHINE=i386
-	else
-	    UNAME_MACHINE="$cputype"
-	fi
-	echo ${UNAME_MACHINE}-unknown-plan9
-	exit 0 ;;
-    *:TOPS-10:*:*)
-	echo pdp10-unknown-tops10
-	exit 0 ;;
-    *:TENEX:*:*)
-	echo pdp10-unknown-tenex
-	exit 0 ;;
-    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
-	echo pdp10-dec-tops20
-	exit 0 ;;
-    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
-	echo pdp10-xkl-tops20
-	exit 0 ;;
-    *:TOPS-20:*:*)
-	echo pdp10-unknown-tops20
-	exit 0 ;;
-    *:ITS:*:*)
-	echo pdp10-unknown-its
-	exit 0 ;;
-    SEI:*:*:SEIUX)
-        echo mips-sei-seiux${UNAME_RELEASE}
-	exit 0 ;;
-    *:DragonFly:*:*)
-	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
-	exit 0 ;;
-    *:*VMS:*:*)
-    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
-	case "${UNAME_MACHINE}" in
-	    A*) echo alpha-dec-vms && exit 0 ;;
-	    I*) echo ia64-dec-vms && exit 0 ;;
-	    V*) echo vax-dec-vms && exit 0 ;;
-	esac
-esac
-
-#echo '(No uname command or uname output not recognized.)' 1>&2
-#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-
-eval $set_cc_for_build
-cat >$dummy.c <<EOF
-#ifdef _SEQUENT_
-# include <sys/types.h>
-# include <sys/utsname.h>
-#endif
-main ()
-{
-#if defined (sony)
-#if defined (MIPSEB)
-  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
-     I don't know....  */
-  printf ("mips-sony-bsd\n"); exit (0);
-#else
-#include <sys/param.h>
-  printf ("m68k-sony-newsos%s\n",
-#ifdef NEWSOS4
-          "4"
-#else
-	  ""
-#endif
-         ); exit (0);
-#endif
-#endif
-
-#if defined (__arm) && defined (__acorn) && defined (__unix)
-  printf ("arm-acorn-riscix"); exit (0);
-#endif
-
-#if defined (hp300) && !defined (hpux)
-  printf ("m68k-hp-bsd\n"); exit (0);
-#endif
-
-#if defined (NeXT)
-#if !defined (__ARCHITECTURE__)
-#define __ARCHITECTURE__ "m68k"
-#endif
-  int version;
-  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
-  if (version < 4)
-    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
-  else
-    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
-  exit (0);
-#endif
-
-#if defined (MULTIMAX) || defined (n16)
-#if defined (UMAXV)
-  printf ("ns32k-encore-sysv\n"); exit (0);
-#else
-#if defined (CMU)
-  printf ("ns32k-encore-mach\n"); exit (0);
-#else
-  printf ("ns32k-encore-bsd\n"); exit (0);
-#endif
-#endif
-#endif
-
-#if defined (__386BSD__)
-  printf ("i386-pc-bsd\n"); exit (0);
-#endif
-
-#if defined (sequent)
-#if defined (i386)
-  printf ("i386-sequent-dynix\n"); exit (0);
-#endif
-#if defined (ns32000)
-  printf ("ns32k-sequent-dynix\n"); exit (0);
-#endif
-#endif
-
-#if defined (_SEQUENT_)
-    struct utsname un;
-
-    uname(&un);
-
-    if (strncmp(un.version, "V2", 2) == 0) {
-	printf ("i386-sequent-ptx2\n"); exit (0);
-    }
-    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
-	printf ("i386-sequent-ptx1\n"); exit (0);
-    }
-    printf ("i386-sequent-ptx\n"); exit (0);
-
-#endif
-
-#if defined (vax)
-# if !defined (ultrix)
-#  include <sys/param.h>
-#  if defined (BSD)
-#   if BSD == 43
-      printf ("vax-dec-bsd4.3\n"); exit (0);
-#   else
-#    if BSD == 199006
-      printf ("vax-dec-bsd4.3reno\n"); exit (0);
-#    else
-      printf ("vax-dec-bsd\n"); exit (0);
-#    endif
-#   endif
-#  else
-    printf ("vax-dec-bsd\n"); exit (0);
-#  endif
-# else
-    printf ("vax-dec-ultrix\n"); exit (0);
-# endif
-#endif
-
-#if defined (alliant) && defined (i860)
-  printf ("i860-alliant-bsd\n"); exit (0);
-#endif
-
-  exit (1);
-}
-EOF
-
-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0
-
-# Apollos put the system type in the environment.
-
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
-
-# Convex versions that predate uname can use getsysinfo(1)
-
-if [ -x /usr/convex/getsysinfo ]
-then
-    case `getsysinfo -f cpu_type` in
-    c1*)
-	echo c1-convex-bsd
-	exit 0 ;;
-    c2*)
-	if getsysinfo -f scalar_acc
-	then echo c32-convex-bsd
-	else echo c2-convex-bsd
-	fi
-	exit 0 ;;
-    c34*)
-	echo c34-convex-bsd
-	exit 0 ;;
-    c38*)
-	echo c38-convex-bsd
-	exit 0 ;;
-    c4*)
-	echo c4-convex-bsd
-	exit 0 ;;
-    esac
-fi
-
-cat >&2 <<EOF
-$0: unable to guess system type
-
-This script, last modified $timestamp, has failed to recognize
-the operating system you are using. It is advised that you
-download the most up to date version of the config scripts from
-
-    ftp://ftp.gnu.org/pub/gnu/config/
-
-If the version you run ($0) is already up to date, please
-send the following data and any information you think might be
-pertinent to <config-patches@gnu.org> in order to provide the needed
-information to handle your system.
-
-config.guess timestamp = $timestamp
-
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
-/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
-
-hostinfo               = `(hostinfo) 2>/dev/null`
-/bin/universe          = `(/bin/universe) 2>/dev/null`
-/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
-/bin/arch              = `(/bin/arch) 2>/dev/null`
-/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
-
-UNAME_MACHINE = ${UNAME_MACHINE}
-UNAME_RELEASE = ${UNAME_RELEASE}
-UNAME_SYSTEM  = ${UNAME_SYSTEM}
-UNAME_VERSION = ${UNAME_VERSION}
-EOF
-
-exit 1
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/contrib/bind9/config.h.in b/contrib/bind9/config.h.in
deleted file mode 100644
index a6ddcb1..0000000
--- a/contrib/bind9/config.h.in
+++ /dev/null
@@ -1,463 +0,0 @@
-/* config.h.in.  Generated from configure.in by autoheader.  */
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
-
-/*! \file */
-
-/***
- *** This file is not to be included by any public header files, because
- *** it does not get installed.
- ***/
-
-/** define on DEC OSF to enable 4.4BSD style sa_len support */
-#undef _SOCKADDR_LEN
-
-/** define if your system needs pthread_init() before using pthreads */
-#undef NEED_PTHREAD_INIT
-
-/** define if your system has sigwait() */
-#undef HAVE_SIGWAIT
-
-/** define if sigwait() is the UnixWare flavor */
-#undef HAVE_UNIXWARE_SIGWAIT
-
-/** define on Solaris to get sigwait() to work using pthreads semantics */
-#undef _POSIX_PTHREAD_SEMANTICS
-
-/** define if LinuxThreads is in use */
-#undef HAVE_LINUXTHREADS
-
-/** define if sysconf() is available */
-#undef HAVE_SYSCONF
-
-/** define if sysctlbyname() is available */
-#undef HAVE_SYSCTLBYNAME
-
-/** define if catgets() is available */
-#undef HAVE_CATGETS
-
-/** define if getifaddrs() exists */
-#undef HAVE_GETIFADDRS
-
-/** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
-#undef HAVE_IFLIST_SYSCTL
-
-/** define if tzset() is available */
-#undef HAVE_TZSET
-
-/** define if struct addrinfo exists */
-#undef HAVE_ADDRINFO
-
-/** define if getaddrinfo() exists */
-#undef HAVE_GETADDRINFO
-
-/** define if gai_strerror() exists */
-#undef HAVE_GAISTRERROR
-
-/** define if arc4random() exists */
-#undef HAVE_ARC4RANDOM
-
-/**
- * define if pthread_setconcurrency() should be called to tell the
- * OS how many threads we might want to run.
- */
-#undef CALL_PTHREAD_SETCONCURRENCY
-
-/** define if IPv6 is not disabled */
-#undef WANT_IPV6
-
-/** define if flockfile() is available */
-#undef HAVE_FLOCKFILE
-
-/** define if getc_unlocked() is available */
-#undef HAVE_GETCUNLOCKED
-
-/** Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
-#undef SHUTUP_SPUTAUX
-#ifdef SHUTUP_SPUTAUX
-struct __sFILE;
-extern __inline int __sputaux(int _c, struct __sFILE *_p);
-#endif
-
-/** Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
-#undef SHUTUP_SIGWAIT
-#ifdef SHUTUP_SIGWAIT
-int sigwait(const unsigned int *set, int *sig);
-#endif
-
-/** Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
-#undef SHUTUP_STDARG_CAST
-#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
-#include <stdarg.h>		/** Grr.  Must be included *every time*. */
-/**
- * The silly continuation line is to keep configure from
- * commenting out the #undef.
- */
-
-#undef \
-	va_start
-#define	va_start(ap, last) \
-	do { \
-		union { const void *konst; long *var; } _u; \
-		_u.konst = &(last); \
-		ap = (va_list)(_u.var + __va_words(__typeof(last))); \
-	} while (0)
-#endif /** SHUTUP_STDARG_CAST && __GNUC__ */
-
-/** define if the system has a random number generating device */
-#undef PATH_RANDOMDEV
-
-/** define if pthread_attr_getstacksize() is available */
-#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
-
-/** define if pthread_attr_setstacksize() is available */
-#undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
-
-/** define if you have strerror in the C library. */
-#undef HAVE_STRERROR
-
-/** Define if you are running under Compaq TruCluster. */
-#undef HAVE_TRUCLUSTER
-
-/* Define if OpenSSL includes DSA support */
-#undef HAVE_OPENSSL_DSA
-
-/* Define if OpenSSL includes ECDSA support */
-#undef HAVE_OPENSSL_ECDSA
-
-/* Define to the length type used by the socket API (socklen_t, size_t, int). */
-#undef ISC_SOCKADDR_LEN_T
-
-/* Define if threads need PTHREAD_SCOPE_SYSTEM */
-#undef NEED_PTHREAD_SCOPE_SYSTEM
-
-/* Define if building universal (internal helper macro) */
-#undef AC_APPLE_UNIVERSAL_BUILD
-
-/* Define to enable the "filter-aaaa-on-v4" option. */
-#undef ALLOW_FILTER_AAAA_ON_V4
-
-/* define if ATF unit tests are to be built. */
-#undef ATF_TEST
-
-/* Define if recvmsg() does not meet all of the BSD socket API specifications.
-   */
-#undef BROKEN_RECVMSG
-
-/* Define if you cannot bind() before connect() for TCP sockets. */
-#undef BROKEN_TCP_BIND_BEFORE_CONNECT
-
-/* Define to enable "rrset-order fixed" syntax. */
-#undef DNS_RDATASET_FIXED
-
-/* Define to enable rpz-nsdname rules. */
-#undef ENABLE_RPZ_NSDNAME
-
-/* Define to enable rpz-nsip rules. */
-#undef ENABLE_RPZ_NSIP
-
-/* Solaris hack to get select_large_fdset. */
-#undef FD_SETSIZE
-
-/* Define to nothing if C supports flexible array members, and to 1 if it does
-   not. That way, with a declaration like `struct s { int n; double
-   d[FLEXIBLE_ARRAY_MEMBER]; };', the struct hack can be used with pre-C99
-   compilers. When computing the size of such an object, don't use 'sizeof
-   (struct s)' as it overestimates the size. Use 'offsetof (struct s, d)'
-   instead. Don't use 'offsetof (struct s, d[0])', as this doesn't work with
-   MSVC and with C++ compilers. */
-#undef FLEXIBLE_ARRAY_MEMBER
-
-/* Define to 1 if you have the `chroot' function. */
-#undef HAVE_CHROOT
-
-/* Define to 1 if you have the <devpoll.h> header file. */
-#undef HAVE_DEVPOLL_H
-
-/* Define to 1 if you have the `dlclose' function. */
-#undef HAVE_DLCLOSE
-
-/* Define to 1 if you have the <dlfcn.h> header file. */
-#undef HAVE_DLFCN_H
-
-/* Define to 1 if you have the `dlopen' function. */
-#undef HAVE_DLOPEN
-
-/* Define to 1 if you have the `dlsym' function. */
-#undef HAVE_DLSYM
-
-/* Define to 1 if you have the `EVP_sha256' function. */
-#undef HAVE_EVP_SHA256
-
-/* Define to 1 if you have the `EVP_sha384' function. */
-#undef HAVE_EVP_SHA384
-
-/* Define to 1 if you have the `EVP_sha512' function. */
-#undef HAVE_EVP_SHA512
-
-/* Define to 1 if you have the <fcntl.h> header file. */
-#undef HAVE_FCNTL_H
-
-/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
-#undef HAVE_GSSAPI_GSSAPI_H
-
-/* Define to 1 if you have the <gssapi/gssapi_krb5.h> header file. */
-#undef HAVE_GSSAPI_GSSAPI_KRB5_H
-
-/* Define to 1 if you have the <gssapi.h> header file. */
-#undef HAVE_GSSAPI_H
-
-/* Define to 1 if you have the <gssapi_krb5.h> header file. */
-#undef HAVE_GSSAPI_KRB5_H
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define to 1 if you have the <kerberosv5/krb5.h> header file. */
-#undef HAVE_KERBEROSV5_KRB5_H
-
-/* Define to 1 if you have the <krb5.h> header file. */
-#undef HAVE_KRB5_H
-
-/* Define to 1 if you have the <krb5/krb5.h> header file. */
-#undef HAVE_KRB5_KRB5_H
-
-/* Define to 1 if you have the `c' library (-lc). */
-#undef HAVE_LIBC
-
-/* Define to 1 if you have the `cap' library (-lcap). */
-#undef HAVE_LIBCAP
-
-/* if system have backtrace function */
-#undef HAVE_LIBCTRACE
-
-/* Define to 1 if you have the `c_r' library (-lc_r). */
-#undef HAVE_LIBC_R
-
-/* Define to 1 if you have the `nsl' library (-lnsl). */
-#undef HAVE_LIBNSL
-
-/* Define to 1 if you have the `pthread' library (-lpthread). */
-#undef HAVE_LIBPTHREAD
-
-/* Define to 1 if you have the `scf' library (-lscf). */
-#undef HAVE_LIBSCF
-
-/* Define to 1 if you have the `socket' library (-lsocket). */
-#undef HAVE_LIBSOCKET
-
-/* Define to 1 if you have the `thr' library (-lthr). */
-#undef HAVE_LIBTHR
-
-/* Define if libxml2 was found */
-#undef HAVE_LIBXML2
-
-/* Define to 1 if you have the <linux/capability.h> header file. */
-#undef HAVE_LINUX_CAPABILITY_H
-
-/* Define to 1 if you have the <locale.h> header file. */
-#undef HAVE_LOCALE_H
-
-/* Define to 1 if you have the <memory.h> header file. */
-#undef HAVE_MEMORY_H
-
-/* Define to 1 if you have the `nanosleep' function. */
-#undef HAVE_NANOSLEEP
-
-/* Define to 1 if you have the <net/if6.h> header file. */
-#undef HAVE_NET_IF6_H
-
-/* Define if your OpenSSL version supports ECDSA. */
-#undef HAVE_OPENSSL_ECDSA
-
-/* Define if your OpenSSL version supports GOST. */
-#undef HAVE_OPENSSL_GOST
-
-/* Define to 1 if you have the `readline' function. */
-#undef HAVE_READLINE
-
-/* Define to 1 if you have the <regex.h> header file. */
-#undef HAVE_REGEX_H
-
-/* Define to 1 if you have the `setegid' function. */
-#undef HAVE_SETEGID
-
-/* Define to 1 if you have the `seteuid' function. */
-#undef HAVE_SETEUID
-
-/* Define to 1 if you have the `setlocale' function. */
-#undef HAVE_SETLOCALE
-
-/* Define to 1 if you have the `setresgid' function. */
-#undef HAVE_SETRESGID
-
-/* Define to 1 if you have the `setresuid' function. */
-#undef HAVE_SETRESUID
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the <strings.h> header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the <string.h> header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the <sys/capability.h> header file. */
-#undef HAVE_SYS_CAPABILITY_H
-
-/* Define to 1 if you have the <sys/devpoll.h> header file. */
-#undef HAVE_SYS_DEVPOLL_H
-
-/* Define to 1 if you have the <sys/dyntune.h> header file. */
-#undef HAVE_SYS_DYNTUNE_H
-
-/* Define to 1 if you have the <sys/param.h> header file. */
-#undef HAVE_SYS_PARAM_H
-
-/* Define to 1 if you have the <sys/prctl.h> header file. */
-#undef HAVE_SYS_PRCTL_H
-
-/* Define to 1 if you have the <sys/select.h> header file. */
-#undef HAVE_SYS_SELECT_H
-
-/* Define to 1 if you have the <sys/sockio.h> header file. */
-#undef HAVE_SYS_SOCKIO_H
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the <sys/sysctl.h> header file. */
-#undef HAVE_SYS_SYSCTL_H
-
-/* Define to 1 if you have the <sys/time.h> header file. */
-#undef HAVE_SYS_TIME_H
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if you have the <sys/un.h> header file. */
-#undef HAVE_SYS_UN_H
-
-/* Define if running under Compaq TruCluster */
-#undef HAVE_TRUCLUSTER
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to 1 if you have the `usleep' function. */
-#undef HAVE_USLEEP
-
-/* return type of gai_strerror */
-#undef IRS_GAISTRERROR_RETURN_T
-
-/* Define to the buffer length type used by getnameinfo(3). */
-#undef IRS_GETNAMEINFO_BUFLEN_T
-
-/* Define to the flags type used by getnameinfo(3). */
-#undef IRS_GETNAMEINFO_FLAGS_T
-
-/* Define to allow building of objects for dlopen(). */
-#undef ISC_DLZ_DLOPEN
-
-/* Define to the sub-directory in which libtool stores uninstalled libraries.
-   */
-#undef LT_OBJDIR
-
-/* Defined if extern char *optarg is not declared. */
-#undef NEED_OPTARG
-
-/* Define if connect does not honour the permission on the UNIX domain socket.
-   */
-#undef NEED_SECURE_DIRECTORY
-
-/* Use the new XML schema for statistics */
-#undef NEWSTATS
-
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-
-/* Define to the home page for this package. */
-#undef PACKAGE_URL
-
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
-
-/* Sets which flag to pass to open/fcntl to make non-blocking
-   (O_NDELAY/O_NONBLOCK). */
-#undef PORT_NONBLOCK
-
-/* The size of `void *', as computed by sizeof. */
-#undef SIZEOF_VOID_P
-
-/* Define to 1 if you have the ANSI C header files. */
-#undef STDC_HEADERS
-
-/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
-#undef TIME_WITH_SYS_TIME
-
-/* Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make
-   non-blocking. */
-#undef USE_FIONBIO_IOCTL
-
-/* define if idnkit support is to be included. */
-#undef WITH_IDN
-
-/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
-   significant byte first (like Motorola and SPARC, unlike Intel). */
-#if defined AC_APPLE_UNIVERSAL_BUILD
-# if defined __BIG_ENDIAN__
-#  define WORDS_BIGENDIAN 1
-# endif
-#else
-# ifndef WORDS_BIGENDIAN
-#  undef WORDS_BIGENDIAN
-# endif
-#endif
-
-/* Define to empty if `const' does not conform to ANSI C. */
-#undef const
-
-/* Define to empty if your compiler does not support "static inline". */
-#undef inline
-
-/* Define to `unsigned int' if <sys/types.h> does not define. */
-#undef size_t
-
-/* Define to `int' if <sys/types.h> does not define. */
-#undef ssize_t
-
-/* Define to `unsigned long' if <sys/types.h> does not define. */
-#undef uintptr_t
-
-/* Define to empty if the keyword `volatile' does not work. Warning: valid
-   code using `volatile' can become incorrect without. Disable with care. */
-#undef volatile
diff --git a/contrib/bind9/config.sub b/contrib/bind9/config.sub
deleted file mode 100644
index edb6b66..0000000
--- a/contrib/bind9/config.sub
+++ /dev/null
@@ -1,1555 +0,0 @@
-#! /bin/sh
-# Configuration validation subroutine script.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
-
-timestamp='2004-08-29'
-
-# This file is (in principle) common to ALL GNU software.
-# The presence of a machine in this file suggests that SOME GNU software
-# can handle that machine.  It does not imply ALL GNU software can.
-#
-# This file is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330,
-# Boston, MA 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# Configuration subroutine to validate and canonicalize a configuration type.
-# Supply the specified configuration type as an argument.
-# If it is invalid, we print an error message on stderr and exit with code 1.
-# Otherwise, we print the canonical config type on stdout and succeed.
-
-# This file is supposed to be the same for all GNU packages
-# and recognize all the CPU types, system types and aliases
-# that are meaningful with *any* GNU software.
-# Each package is responsible for reporting which valid configurations
-# it does not support.  The user should be able to distinguish
-# a failure to support a valid configuration from a meaningless
-# configuration.
-
-# The goal of this file is to map all the various variations of a given
-# machine specification into a single specification in the form:
-#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
-# or in some cases, the newer four-part form:
-#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
-# It is wrong to echo any other type of specification.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
-       $0 [OPTION] ALIAS
-
-Canonicalize a configuration name.
-
-Operation modes:
-  -h, --help         print this help, then exit
-  -t, --time-stamp   print date of last modification, then exit
-  -v, --version      print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.sub ($timestamp)
-
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
-  case $1 in
-    --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit 0 ;;
-    --version | -v )
-       echo "$version" ; exit 0 ;;
-    --help | --h* | -h )
-       echo "$usage"; exit 0 ;;
-    -- )     # Stop option processing
-       shift; break ;;
-    - )	# Use stdin as input.
-       break ;;
-    -* )
-       echo "$me: invalid option $1$help"
-       exit 1 ;;
-
-    *local*)
-       # First pass through any local machine types.
-       echo $1
-       exit 0;;
-
-    * )
-       break ;;
-  esac
-done
-
-case $# in
- 0) echo "$me: missing argument$help" >&2
-    exit 1;;
- 1) ;;
- *) echo "$me: too many arguments$help" >&2
-    exit 1;;
-esac
-
-# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
-# Here we must recognize all the valid KERNEL-OS combinations.
-maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
-case $maybe_os in
-  nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
-  kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
-    os=-$maybe_os
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
-    ;;
-  *)
-    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
-    if [ $basic_machine != $1 ]
-    then os=`echo $1 | sed 's/.*-/-/'`
-    else os=; fi
-    ;;
-esac
-
-### Let's recognize common machines as not being operating systems so
-### that things like config.sub decstation-3100 work.  We also
-### recognize some manufacturers as not being operating systems, so we
-### can provide default operating systems below.
-case $os in
-	-sun*os*)
-		# Prevent following clause from handling this invalid input.
-		;;
-	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
-	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
-	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
-	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple | -axis | -knuth | -cray)
-		os=
-		basic_machine=$1
-		;;
-	-sim | -cisco | -oki | -wec | -winbond)
-		os=
-		basic_machine=$1
-		;;
-	-scout)
-		;;
-	-wrs)
-		os=-vxworks
-		basic_machine=$1
-		;;
-	-chorusos*)
-		os=-chorusos
-		basic_machine=$1
-		;;
- 	-chorusrdb)
- 		os=-chorusrdb
-		basic_machine=$1
- 		;;
-	-hiux*)
-		os=-hiuxwe2
-		;;
-	-sco5)
-		os=-sco3.2v5
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco4)
-		os=-sco3.2v4
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco3.2.[4-9]*)
-		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco3.2v[4-9]*)
-		# Don't forget version if it is 3.2v4 or newer.
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco*)
-		os=-sco3.2v2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-udk*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-isc)
-		os=-isc2.2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-clix*)
-		basic_machine=clipper-intergraph
-		;;
-	-isc*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-lynx*)
-		os=-lynxos
-		;;
-	-ptx*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
-		;;
-	-windowsnt*)
-		os=`echo $os | sed -e 's/windowsnt/winnt/'`
-		;;
-	-psos*)
-		os=-psos
-		;;
-	-mint | -mint[0-9]*)
-		basic_machine=m68k-atari
-		os=-mint
-		;;
-esac
-
-# Decode aliases for certain CPU-COMPANY combinations.
-case $basic_machine in
-	# Recognize the basic CPU types without company name.
-	# Some are omitted here because they have special meanings below.
-	1750a | 580 \
-	| a29k \
-	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
-	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
-	| am33_2.0 \
-	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
-	| c4x | clipper \
-	| d10v | d30v | dlx | dsp16xx \
-	| fr30 | frv \
-	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
-	| i370 | i860 | i960 | ia64 \
-	| ip2k | iq2000 \
-	| m32r | m32rle | m68000 | m68k | m88k | mcore \
-	| mips | mipsbe | mipseb | mipsel | mipsle \
-	| mips16 \
-	| mips64 | mips64el \
-	| mips64vr | mips64vrel \
-	| mips64orion | mips64orionel \
-	| mips64vr4100 | mips64vr4100el \
-	| mips64vr4300 | mips64vr4300el \
-	| mips64vr5000 | mips64vr5000el \
-	| mipsisa32 | mipsisa32el \
-	| mipsisa32r2 | mipsisa32r2el \
-	| mipsisa64 | mipsisa64el \
-	| mipsisa64r2 | mipsisa64r2el \
-	| mipsisa64sb1 | mipsisa64sb1el \
-	| mipsisa64sr71k | mipsisa64sr71kel \
-	| mipstx39 | mipstx39el \
-	| mn10200 | mn10300 \
-	| msp430 \
-	| ns16k | ns32k \
-	| openrisc | or32 \
-	| pdp10 | pdp11 | pj | pjl \
-	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
-	| pyramid \
-	| sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
-	| sh64 | sh64le \
-	| sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv8 | sparcv9 | sparcv9b \
-	| strongarm \
-	| tahoe | thumb | tic4x | tic80 | tron \
-	| v850 | v850e \
-	| we32k \
-	| x86 | xscale | xstormy16 | xtensa \
-	| z8k)
-		basic_machine=$basic_machine-unknown
-		;;
-	m6811 | m68hc11 | m6812 | m68hc12)
-		# Motorola 68HC11/12.
-		basic_machine=$basic_machine-unknown
-		os=-none
-		;;
-	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
-		;;
-
-	# We use `pc' rather than `unknown'
-	# because (1) that's what they normally are, and
-	# (2) the word "unknown" tends to confuse beginning users.
-	i*86 | x86_64)
-	  basic_machine=$basic_machine-pc
-	  ;;
-	# Object if more than one company name word.
-	*-*-*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
-		exit 1
-		;;
-	# Recognize the basic CPU types with company name.
-	580-* \
-	| a29k-* \
-	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
-	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
-	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
-	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
-	| avr-* \
-	| bs2000-* \
-	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
-	| clipper-* | craynv-* | cydra-* \
-	| d10v-* | d30v-* | dlx-* \
-	| elxsi-* \
-	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
-	| h8300-* | h8500-* \
-	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
-	| i*86-* | i860-* | i960-* | ia64-* \
-	| ip2k-* | iq2000-* \
-	| m32r-* | m32rle-* \
-	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-	| m88110-* | m88k-* | mcore-* \
-	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
-	| mips16-* \
-	| mips64-* | mips64el-* \
-	| mips64vr-* | mips64vrel-* \
-	| mips64orion-* | mips64orionel-* \
-	| mips64vr4100-* | mips64vr4100el-* \
-	| mips64vr4300-* | mips64vr4300el-* \
-	| mips64vr5000-* | mips64vr5000el-* \
-	| mipsisa32-* | mipsisa32el-* \
-	| mipsisa32r2-* | mipsisa32r2el-* \
-	| mipsisa64-* | mipsisa64el-* \
-	| mipsisa64r2-* | mipsisa64r2el-* \
-	| mipsisa64sb1-* | mipsisa64sb1el-* \
-	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
-	| mipstx39-* | mipstx39el-* \
-	| mmix-* \
-	| msp430-* \
-	| none-* | np1-* | ns16k-* | ns32k-* \
-	| orion-* \
-	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
-	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
-	| pyramid-* \
-	| romp-* | rs6000-* \
-	| sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
-	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
-	| sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
-	| tahoe-* | thumb-* \
-	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
-	| tron-* \
-	| v850-* | v850e-* | vax-* \
-	| we32k-* \
-	| x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
-	| xtensa-* \
-	| ymp-* \
-	| z8k-*)
-		;;
-	# Recognize the various machine names and aliases which stand
-	# for a CPU type and a company and sometimes even an OS.
-	386bsd)
-		basic_machine=i386-unknown
-		os=-bsd
-		;;
-	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
-		basic_machine=m68000-att
-		;;
-	3b*)
-		basic_machine=we32k-att
-		;;
-	a29khif)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-    	abacus)
-		basic_machine=abacus-unknown
-		;;
-	adobe68k)
-		basic_machine=m68010-adobe
-		os=-scout
-		;;
-	alliant | fx80)
-		basic_machine=fx80-alliant
-		;;
-	altos | altos3068)
-		basic_machine=m68k-altos
-		;;
-	am29k)
-		basic_machine=a29k-none
-		os=-bsd
-		;;
-	amd64)
-		basic_machine=x86_64-pc
-		;;
-	amd64-*)
-		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	amdahl)
-		basic_machine=580-amdahl
-		os=-sysv
-		;;
-	amiga | amiga-*)
-		basic_machine=m68k-unknown
-		;;
-	amigaos | amigados)
-		basic_machine=m68k-unknown
-		os=-amigaos
-		;;
-	amigaunix | amix)
-		basic_machine=m68k-unknown
-		os=-sysv4
-		;;
-	apollo68)
-		basic_machine=m68k-apollo
-		os=-sysv
-		;;
-	apollo68bsd)
-		basic_machine=m68k-apollo
-		os=-bsd
-		;;
-	aux)
-		basic_machine=m68k-apple
-		os=-aux
-		;;
-	balance)
-		basic_machine=ns32k-sequent
-		os=-dynix
-		;;
-	c90)
-		basic_machine=c90-cray
-		os=-unicos
-		;;
-	convex-c1)
-		basic_machine=c1-convex
-		os=-bsd
-		;;
-	convex-c2)
-		basic_machine=c2-convex
-		os=-bsd
-		;;
-	convex-c32)
-		basic_machine=c32-convex
-		os=-bsd
-		;;
-	convex-c34)
-		basic_machine=c34-convex
-		os=-bsd
-		;;
-	convex-c38)
-		basic_machine=c38-convex
-		os=-bsd
-		;;
-	cray | j90)
-		basic_machine=j90-cray
-		os=-unicos
-		;;
-	craynv)
-		basic_machine=craynv-cray
-		os=-unicosmp
-		;;
-	cr16c)
-		basic_machine=cr16c-unknown
-		os=-elf
-		;;
-	crds | unos)
-		basic_machine=m68k-crds
-		;;
-	crisv32 | crisv32-* | etraxfs*)
-		basic_machine=crisv32-axis
-		;;
-	cris | cris-* | etrax*)
-		basic_machine=cris-axis
-		;;
-	crx)
-		basic_machine=crx-unknown
-		os=-elf
-		;;
-	da30 | da30-*)
-		basic_machine=m68k-da30
-		;;
-	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
-		basic_machine=mips-dec
-		;;
-	decsystem10* | dec10*)
-		basic_machine=pdp10-dec
-		os=-tops10
-		;;
-	decsystem20* | dec20*)
-		basic_machine=pdp10-dec
-		os=-tops20
-		;;
-	delta | 3300 | motorola-3300 | motorola-delta \
-	      | 3300-motorola | delta-motorola)
-		basic_machine=m68k-motorola
-		;;
-	delta88)
-		basic_machine=m88k-motorola
-		os=-sysv3
-		;;
-	dpx20 | dpx20-*)
-		basic_machine=rs6000-bull
-		os=-bosx
-		;;
-	dpx2* | dpx2*-bull)
-		basic_machine=m68k-bull
-		os=-sysv3
-		;;
-	ebmon29k)
-		basic_machine=a29k-amd
-		os=-ebmon
-		;;
-	elxsi)
-		basic_machine=elxsi-elxsi
-		os=-bsd
-		;;
-	encore | umax | mmax)
-		basic_machine=ns32k-encore
-		;;
-	es1800 | OSE68k | ose68k | ose | OSE)
-		basic_machine=m68k-ericsson
-		os=-ose
-		;;
-	fx2800)
-		basic_machine=i860-alliant
-		;;
-	genix)
-		basic_machine=ns32k-ns
-		;;
-	gmicro)
-		basic_machine=tron-gmicro
-		os=-sysv
-		;;
-	go32)
-		basic_machine=i386-pc
-		os=-go32
-		;;
-	h3050r* | hiux*)
-		basic_machine=hppa1.1-hitachi
-		os=-hiuxwe2
-		;;
-	h8300hms)
-		basic_machine=h8300-hitachi
-		os=-hms
-		;;
-	h8300xray)
-		basic_machine=h8300-hitachi
-		os=-xray
-		;;
-	h8500hms)
-		basic_machine=h8500-hitachi
-		os=-hms
-		;;
-	harris)
-		basic_machine=m88k-harris
-		os=-sysv3
-		;;
-	hp300-*)
-		basic_machine=m68k-hp
-		;;
-	hp300bsd)
-		basic_machine=m68k-hp
-		os=-bsd
-		;;
-	hp300hpux)
-		basic_machine=m68k-hp
-		os=-hpux
-		;;
-	hp3k9[0-9][0-9] | hp9[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hp9k2[0-9][0-9] | hp9k31[0-9])
-		basic_machine=m68000-hp
-		;;
-	hp9k3[2-9][0-9])
-		basic_machine=m68k-hp
-		;;
-	hp9k6[0-9][0-9] | hp6[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hp9k7[0-79][0-9] | hp7[0-79][0-9])
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k78[0-9] | hp78[0-9])
-		# FIXME: really hppa2.0-hp
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
-		# FIXME: really hppa2.0-hp
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[0-9][13679] | hp8[0-9][13679])
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[0-9][0-9] | hp8[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hppa-next)
-		os=-nextstep3
-		;;
-	hppaosf)
-		basic_machine=hppa1.1-hp
-		os=-osf
-		;;
-	hppro)
-		basic_machine=hppa1.1-hp
-		os=-proelf
-		;;
-	i370-ibm* | ibm*)
-		basic_machine=i370-ibm
-		;;
-# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
-	i*86v32)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv32
-		;;
-	i*86v4*)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv4
-		;;
-	i*86v)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv
-		;;
-	i*86sol2)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-solaris2
-		;;
-	i386mach)
-		basic_machine=i386-mach
-		os=-mach
-		;;
-	i386-vsta | vsta)
-		basic_machine=i386-unknown
-		os=-vsta
-		;;
-	iris | iris4d)
-		basic_machine=mips-sgi
-		case $os in
-		    -irix*)
-			;;
-		    *)
-			os=-irix4
-			;;
-		esac
-		;;
-	isi68 | isi)
-		basic_machine=m68k-isi
-		os=-sysv
-		;;
-	m88k-omron*)
-		basic_machine=m88k-omron
-		;;
-	magnum | m3230)
-		basic_machine=mips-mips
-		os=-sysv
-		;;
-	merlin)
-		basic_machine=ns32k-utek
-		os=-sysv
-		;;
-	mingw32)
-		basic_machine=i386-pc
-		os=-mingw32
-		;;
-	miniframe)
-		basic_machine=m68000-convergent
-		;;
-	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
-		basic_machine=m68k-atari
-		os=-mint
-		;;
-	mips3*-*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
-		;;
-	mips3*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
-		;;
-	monitor)
-		basic_machine=m68k-rom68k
-		os=-coff
-		;;
-	morphos)
-		basic_machine=powerpc-unknown
-		os=-morphos
-		;;
-	msdos)
-		basic_machine=i386-pc
-		os=-msdos
-		;;
-	mvs)
-		basic_machine=i370-ibm
-		os=-mvs
-		;;
-	ncr3000)
-		basic_machine=i486-ncr
-		os=-sysv4
-		;;
-	netbsd386)
-		basic_machine=i386-unknown
-		os=-netbsd
-		;;
-	netwinder)
-		basic_machine=armv4l-rebel
-		os=-linux
-		;;
-	news | news700 | news800 | news900)
-		basic_machine=m68k-sony
-		os=-newsos
-		;;
-	news1000)
-		basic_machine=m68030-sony
-		os=-newsos
-		;;
-	news-3600 | risc-news)
-		basic_machine=mips-sony
-		os=-newsos
-		;;
-	necv70)
-		basic_machine=v70-nec
-		os=-sysv
-		;;
-	next | m*-next )
-		basic_machine=m68k-next
-		case $os in
-		    -nextstep* )
-			;;
-		    -ns2*)
-		      os=-nextstep2
-			;;
-		    *)
-		      os=-nextstep3
-			;;
-		esac
-		;;
-	nh3000)
-		basic_machine=m68k-harris
-		os=-cxux
-		;;
-	nh[45]000)
-		basic_machine=m88k-harris
-		os=-cxux
-		;;
-	nindy960)
-		basic_machine=i960-intel
-		os=-nindy
-		;;
-	mon960)
-		basic_machine=i960-intel
-		os=-mon960
-		;;
-	nonstopux)
-		basic_machine=mips-compaq
-		os=-nonstopux
-		;;
-	np1)
-		basic_machine=np1-gould
-		;;
-	nsr-tandem)
-		basic_machine=nsr-tandem
-		;;
-	op50n-* | op60c-*)
-		basic_machine=hppa1.1-oki
-		os=-proelf
-		;;
-	or32 | or32-*)
-		basic_machine=or32-unknown
-		os=-coff
-		;;
-	os400)
-		basic_machine=powerpc-ibm
-		os=-os400
-		;;
-	OSE68000 | ose68000)
-		basic_machine=m68000-ericsson
-		os=-ose
-		;;
-	os68k)
-		basic_machine=m68k-none
-		os=-os68k
-		;;
-	pa-hitachi)
-		basic_machine=hppa1.1-hitachi
-		os=-hiuxwe2
-		;;
-	paragon)
-		basic_machine=i860-intel
-		os=-osf
-		;;
-	pbd)
-		basic_machine=sparc-tti
-		;;
-	pbb)
-		basic_machine=m68k-tti
-		;;
-	pc532 | pc532-*)
-		basic_machine=ns32k-pc532
-		;;
-	pentium | p5 | k5 | k6 | nexgen | viac3)
-		basic_machine=i586-pc
-		;;
-	pentiumpro | p6 | 6x86 | athlon | athlon_*)
-		basic_machine=i686-pc
-		;;
-	pentiumii | pentium2 | pentiumiii | pentium3)
-		basic_machine=i686-pc
-		;;
-	pentium4)
-		basic_machine=i786-pc
-		;;
-	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
-		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentiumpro-* | p6-* | 6x86-* | athlon-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentium4-*)
-		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pn)
-		basic_machine=pn-gould
-		;;
-	power)	basic_machine=power-ibm
-		;;
-	ppc)	basic_machine=powerpc-unknown
-		;;
-	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppcle | powerpclittle | ppc-le | powerpc-little)
-		basic_machine=powerpcle-unknown
-		;;
-	ppcle-* | powerpclittle-*)
-		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppc64)	basic_machine=powerpc64-unknown
-		;;
-	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
-		basic_machine=powerpc64le-unknown
-		;;
-	ppc64le-* | powerpc64little-*)
-		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ps2)
-		basic_machine=i386-ibm
-		;;
-	pw32)
-		basic_machine=i586-unknown
-		os=-pw32
-		;;
-	rom68k)
-		basic_machine=m68k-rom68k
-		os=-coff
-		;;
-	rm[46]00)
-		basic_machine=mips-siemens
-		;;
-	rtpc | rtpc-*)
-		basic_machine=romp-ibm
-		;;
-	s390 | s390-*)
-		basic_machine=s390-ibm
-		;;
-	s390x | s390x-*)
-		basic_machine=s390x-ibm
-		;;
-	sa29200)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-	sb1)
-		basic_machine=mipsisa64sb1-unknown
-		;;
-	sb1el)
-		basic_machine=mipsisa64sb1el-unknown
-		;;
-	sei)
-		basic_machine=mips-sei
-		os=-seiux
-		;;
-	sequent)
-		basic_machine=i386-sequent
-		;;
-	sh)
-		basic_machine=sh-hitachi
-		os=-hms
-		;;
-	sh64)
-		basic_machine=sh64-unknown
-		;;
-	sparclite-wrs | simso-wrs)
-		basic_machine=sparclite-wrs
-		os=-vxworks
-		;;
-	sps7)
-		basic_machine=m68k-bull
-		os=-sysv2
-		;;
-	spur)
-		basic_machine=spur-unknown
-		;;
-	st2000)
-		basic_machine=m68k-tandem
-		;;
-	stratus)
-		basic_machine=i860-stratus
-		os=-sysv4
-		;;
-	sun2)
-		basic_machine=m68000-sun
-		;;
-	sun2os3)
-		basic_machine=m68000-sun
-		os=-sunos3
-		;;
-	sun2os4)
-		basic_machine=m68000-sun
-		os=-sunos4
-		;;
-	sun3os3)
-		basic_machine=m68k-sun
-		os=-sunos3
-		;;
-	sun3os4)
-		basic_machine=m68k-sun
-		os=-sunos4
-		;;
-	sun4os3)
-		basic_machine=sparc-sun
-		os=-sunos3
-		;;
-	sun4os4)
-		basic_machine=sparc-sun
-		os=-sunos4
-		;;
-	sun4sol2)
-		basic_machine=sparc-sun
-		os=-solaris2
-		;;
-	sun3 | sun3-*)
-		basic_machine=m68k-sun
-		;;
-	sun4)
-		basic_machine=sparc-sun
-		;;
-	sun386 | sun386i | roadrunner)
-		basic_machine=i386-sun
-		;;
-	sv1)
-		basic_machine=sv1-cray
-		os=-unicos
-		;;
-	symmetry)
-		basic_machine=i386-sequent
-		os=-dynix
-		;;
-	t3e)
-		basic_machine=alphaev5-cray
-		os=-unicos
-		;;
-	t90)
-		basic_machine=t90-cray
-		os=-unicos
-		;;
-	tic54x | c54x*)
-		basic_machine=tic54x-unknown
-		os=-coff
-		;;
-	tic55x | c55x*)
-		basic_machine=tic55x-unknown
-		os=-coff
-		;;
-	tic6x | c6x*)
-		basic_machine=tic6x-unknown
-		os=-coff
-		;;
-	tx39)
-		basic_machine=mipstx39-unknown
-		;;
-	tx39el)
-		basic_machine=mipstx39el-unknown
-		;;
-	toad1)
-		basic_machine=pdp10-xkl
-		os=-tops20
-		;;
-	tower | tower-32)
-		basic_machine=m68k-ncr
-		;;
-	tpf)
-		basic_machine=s390x-ibm
-		os=-tpf
-		;;
-	udi29k)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-	ultra3)
-		basic_machine=a29k-nyu
-		os=-sym1
-		;;
-	v810 | necv810)
-		basic_machine=v810-nec
-		os=-none
-		;;
-	vaxv)
-		basic_machine=vax-dec
-		os=-sysv
-		;;
-	vms)
-		basic_machine=vax-dec
-		os=-vms
-		;;
-	vpp*|vx|vx-*)
-		basic_machine=f301-fujitsu
-		;;
-	vxworks960)
-		basic_machine=i960-wrs
-		os=-vxworks
-		;;
-	vxworks68)
-		basic_machine=m68k-wrs
-		os=-vxworks
-		;;
-	vxworks29k)
-		basic_machine=a29k-wrs
-		os=-vxworks
-		;;
-	w65*)
-		basic_machine=w65-wdc
-		os=-none
-		;;
-	w89k-*)
-		basic_machine=hppa1.1-winbond
-		os=-proelf
-		;;
-	xps | xps100)
-		basic_machine=xps100-honeywell
-		;;
-	ymp)
-		basic_machine=ymp-cray
-		os=-unicos
-		;;
-	z8k-*-coff)
-		basic_machine=z8k-unknown
-		os=-sim
-		;;
-	none)
-		basic_machine=none-none
-		os=-none
-		;;
-
-# Here we handle the default manufacturer of certain CPU types.  It is in
-# some cases the only manufacturer, in others, it is the most popular.
-	w89k)
-		basic_machine=hppa1.1-winbond
-		;;
-	op50n)
-		basic_machine=hppa1.1-oki
-		;;
-	op60c)
-		basic_machine=hppa1.1-oki
-		;;
-	romp)
-		basic_machine=romp-ibm
-		;;
-	mmix)
-		basic_machine=mmix-knuth
-		;;
-	rs6000)
-		basic_machine=rs6000-ibm
-		;;
-	vax)
-		basic_machine=vax-dec
-		;;
-	pdp10)
-		# there are many clones, so DEC is not a safe bet
-		basic_machine=pdp10-unknown
-		;;
-	pdp11)
-		basic_machine=pdp11-dec
-		;;
-	we32k)
-		basic_machine=we32k-att
-		;;
-	sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
-		basic_machine=sh-unknown
-		;;
-	sh64)
-		basic_machine=sh64-unknown
-		;;
-	sparc | sparcv8 | sparcv9 | sparcv9b)
-		basic_machine=sparc-sun
-		;;
-	cydra)
-		basic_machine=cydra-cydrome
-		;;
-	orion)
-		basic_machine=orion-highlevel
-		;;
-	orion105)
-		basic_machine=clipper-highlevel
-		;;
-	mac | mpw | mac-mpw)
-		basic_machine=m68k-apple
-		;;
-	pmac | pmac-mpw)
-		basic_machine=powerpc-apple
-		;;
-	*-unknown)
-		# Make sure to match an already-canonicalized machine name.
-		;;
-	*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
-		exit 1
-		;;
-esac
-
-# Here we canonicalize certain aliases for manufacturers.
-case $basic_machine in
-	*-digital*)
-		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
-		;;
-	*-commodore*)
-		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
-		;;
-	*)
-		;;
-esac
-
-# Decode manufacturer-specific aliases for certain operating systems.
-
-if [ x"$os" != x"" ]
-then
-case $os in
-        # First match some system type aliases
-        # that might get confused with valid system types.
-	# -solaris* is a basic system type, with this one exception.
-	-solaris1 | -solaris1.*)
-		os=`echo $os | sed -e 's|solaris1|sunos4|'`
-		;;
-	-solaris)
-		os=-solaris2
-		;;
-	-svr4*)
-		os=-sysv4
-		;;
-	-unixware*)
-		os=-sysv4.2uw
-		;;
-	-gnu/linux*)
-		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
-		;;
-	# First accept the basic system types.
-	# The portable systems comes first.
-	# Each alternative MUST END IN A *, to match a version number.
-	# -sysv* is not here because it comes later, after sysvr4.
-	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
-	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
-	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
-	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
-	      | -aos* \
-	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
-	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
-	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
-	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
-	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
-	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
-	      | -chorusos* | -chorusrdb* \
-	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
-	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
-	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
-	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
-	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
-	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
-	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly*)
-	# Remember, each alternative MUST END IN *, to match a version number.
-		;;
-	-qnx*)
-		case $basic_machine in
-		    x86-* | i*86-*)
-			;;
-		    *)
-			os=-nto$os
-			;;
-		esac
-		;;
-	-nto-qnx*)
-		;;
-	-nto*)
-		os=`echo $os | sed -e 's|nto|nto-qnx|'`
-		;;
-	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
-	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
-	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
-		;;
-	-mac*)
-		os=`echo $os | sed -e 's|mac|macos|'`
-		;;
-	-linux-dietlibc)
-		os=-linux-dietlibc
-		;;
-	-linux*)
-		os=`echo $os | sed -e 's|linux|linux-gnu|'`
-		;;
-	-sunos5*)
-		os=`echo $os | sed -e 's|sunos5|solaris2|'`
-		;;
-	-sunos6*)
-		os=`echo $os | sed -e 's|sunos6|solaris3|'`
-		;;
-	-opened*)
-		os=-openedition
-		;;
-        -os400*)
-		os=-os400
-		;;
-	-wince*)
-		os=-wince
-		;;
-	-osfrose*)
-		os=-osfrose
-		;;
-	-osf*)
-		os=-osf
-		;;
-	-utek*)
-		os=-bsd
-		;;
-	-dynix*)
-		os=-bsd
-		;;
-	-acis*)
-		os=-aos
-		;;
-	-atheos*)
-		os=-atheos
-		;;
-	-syllable*)
-		os=-syllable
-		;;
-	-386bsd)
-		os=-bsd
-		;;
-	-ctix* | -uts*)
-		os=-sysv
-		;;
-	-nova*)
-		os=-rtmk-nova
-		;;
-	-ns2 )
-		os=-nextstep2
-		;;
-	-nsk*)
-		os=-nsk
-		;;
-	# Preserve the version number of sinix5.
-	-sinix5.*)
-		os=`echo $os | sed -e 's|sinix|sysv|'`
-		;;
-	-sinix*)
-		os=-sysv4
-		;;
-        -tpf*)
-		os=-tpf
-		;;
-	-triton*)
-		os=-sysv3
-		;;
-	-oss*)
-		os=-sysv3
-		;;
-	-svr4)
-		os=-sysv4
-		;;
-	-svr3)
-		os=-sysv3
-		;;
-	-sysvr4)
-		os=-sysv4
-		;;
-	# This must come after -sysvr4.
-	-sysv*)
-		;;
-	-ose*)
-		os=-ose
-		;;
-	-es1800*)
-		os=-ose
-		;;
-	-xenix)
-		os=-xenix
-		;;
-	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
-		os=-mint
-		;;
-	-aros*)
-		os=-aros
-		;;
-	-kaos*)
-		os=-kaos
-		;;
-	-none)
-		;;
-	*)
-		# Get rid of the `-' at the beginning of $os.
-		os=`echo $os | sed 's/[^-]*-//'`
-		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
-		exit 1
-		;;
-esac
-else
-
-# Here we handle the default operating systems that come with various machines.
-# The value should be what the vendor currently ships out the door with their
-# machine or put another way, the most popular os provided with the machine.
-
-# Note that if you're going to try to match "-MANUFACTURER" here (say,
-# "-sun"), then you have to tell the case statement up towards the top
-# that MANUFACTURER isn't an operating system.  Otherwise, code above
-# will signal an error saying that MANUFACTURER isn't an operating
-# system, and we'll never get to this point.
-
-case $basic_machine in
-	*-acorn)
-		os=-riscix1.2
-		;;
-	arm*-rebel)
-		os=-linux
-		;;
-	arm*-semi)
-		os=-aout
-		;;
-    c4x-* | tic4x-*)
-        os=-coff
-        ;;
-	# This must come before the *-dec entry.
-	pdp10-*)
-		os=-tops20
-		;;
-	pdp11-*)
-		os=-none
-		;;
-	*-dec | vax-*)
-		os=-ultrix4.2
-		;;
-	m68*-apollo)
-		os=-domain
-		;;
-	i386-sun)
-		os=-sunos4.0.2
-		;;
-	m68000-sun)
-		os=-sunos3
-		# This also exists in the configure program, but was not the
-		# default.
-		# os=-sunos4
-		;;
-	m68*-cisco)
-		os=-aout
-		;;
-	mips*-cisco)
-		os=-elf
-		;;
-	mips*-*)
-		os=-elf
-		;;
-	or32-*)
-		os=-coff
-		;;
-	*-tti)	# must be before sparc entry or we get the wrong os.
-		os=-sysv3
-		;;
-	sparc-* | *-sun)
-		os=-sunos4.1.1
-		;;
-	*-be)
-		os=-beos
-		;;
-	*-ibm)
-		os=-aix
-		;;
-    	*-knuth)
-		os=-mmixware
-		;;
-	*-wec)
-		os=-proelf
-		;;
-	*-winbond)
-		os=-proelf
-		;;
-	*-oki)
-		os=-proelf
-		;;
-	*-hp)
-		os=-hpux
-		;;
-	*-hitachi)
-		os=-hiux
-		;;
-	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
-		os=-sysv
-		;;
-	*-cbm)
-		os=-amigaos
-		;;
-	*-dg)
-		os=-dgux
-		;;
-	*-dolphin)
-		os=-sysv3
-		;;
-	m68k-ccur)
-		os=-rtu
-		;;
-	m88k-omron*)
-		os=-luna
-		;;
-	*-next )
-		os=-nextstep
-		;;
-	*-sequent)
-		os=-ptx
-		;;
-	*-crds)
-		os=-unos
-		;;
-	*-ns)
-		os=-genix
-		;;
-	i370-*)
-		os=-mvs
-		;;
-	*-next)
-		os=-nextstep3
-		;;
-	*-gould)
-		os=-sysv
-		;;
-	*-highlevel)
-		os=-bsd
-		;;
-	*-encore)
-		os=-bsd
-		;;
-	*-sgi)
-		os=-irix
-		;;
-	*-siemens)
-		os=-sysv4
-		;;
-	*-masscomp)
-		os=-rtu
-		;;
-	f30[01]-fujitsu | f700-fujitsu)
-		os=-uxpv
-		;;
-	*-rom68k)
-		os=-coff
-		;;
-	*-*bug)
-		os=-coff
-		;;
-	*-apple)
-		os=-macos
-		;;
-	*-atari*)
-		os=-mint
-		;;
-	*)
-		os=-none
-		;;
-esac
-fi
-
-# Here we handle the case where we know the os, and the CPU type, but not the
-# manufacturer.  We pick the logical manufacturer.
-vendor=unknown
-case $basic_machine in
-	*-unknown)
-		case $os in
-			-riscix*)
-				vendor=acorn
-				;;
-			-sunos*)
-				vendor=sun
-				;;
-			-aix*)
-				vendor=ibm
-				;;
-			-beos*)
-				vendor=be
-				;;
-			-hpux*)
-				vendor=hp
-				;;
-			-mpeix*)
-				vendor=hp
-				;;
-			-hiux*)
-				vendor=hitachi
-				;;
-			-unos*)
-				vendor=crds
-				;;
-			-dgux*)
-				vendor=dg
-				;;
-			-luna*)
-				vendor=omron
-				;;
-			-genix*)
-				vendor=ns
-				;;
-			-mvs* | -opened*)
-				vendor=ibm
-				;;
-			-os400*)
-				vendor=ibm
-				;;
-			-ptx*)
-				vendor=sequent
-				;;
-			-tpf*)
-				vendor=ibm
-				;;
-			-vxsim* | -vxworks* | -windiss*)
-				vendor=wrs
-				;;
-			-aux*)
-				vendor=apple
-				;;
-			-hms*)
-				vendor=hitachi
-				;;
-			-mpw* | -macos*)
-				vendor=apple
-				;;
-			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
-				vendor=atari
-				;;
-			-vos*)
-				vendor=stratus
-				;;
-		esac
-		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
-		;;
-esac
-
-echo $basic_machine$os
-exit 0
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/contrib/bind9/config.threads.in b/contrib/bind9/config.threads.in
deleted file mode 100644
index 3f1c936..0000000
--- a/contrib/bind9/config.threads.in
+++ /dev/null
@@ -1,135 +0,0 @@
-#
-# Begin pthreads checking.
-#
-# First, decide whether to use multithreading or not.
-#
-# Enable multithreading by default on systems where it is known
-# to work well, and where debugging of multithreaded programs
-# is supported.
-#
-
-AC_MSG_CHECKING(whether to build with thread support)
-
-case $host in
-*-dec-osf*)
-	use_threads=true ;;
-[*-solaris2.[0-6]])
-	# Thread signals are broken on Solaris 2.6; they are sometimes
-	# delivered to the wrong thread.
-	use_threads=false ;;
-*-solaris*)
-	use_threads=true ;;
-*-ibm-aix*)
-	use_threads=true ;;
-*-hp-hpux10*)
-	use_threads=false ;;
-*-hp-hpux11*)
-	use_threads=true ;;
-*-sgi-irix*)
-	use_threads=true ;;
-*-sco-sysv*uw*|*-*-sysv*UnixWare*)
-        # UnixWare
-	use_threads=false ;;
-*-*-sysv*OpenUNIX*)
-        # UnixWare
-	use_threads=true ;;
-[*-netbsd[1234].*])
-	# NetBSD earlier than NetBSD 5.0 has poor pthreads.
-	#  Don't use it by default.
-	use_threads=false ;;
-*-netbsd*)
-	use_threads=true ;;
-*-openbsd*)
-	# OpenBSD users have reported that named dumps core on
-	# startup when built with threads.
-	use_threads=false ;;
-[*-freebsd[1234567].*])
-	# Threads are broken at least up to FreeBSD 4.11.
-	# FreeBSD 5, 6 and 7 we have never officially supported threads
-	# on. YMMV
-	use_threads=false ;;
-*-freebsd*)
-	use_threads=true ;;
-[*-bsdi[234]*])
-	# Thread signals do not work reliably on some versions of BSD/OS.
-	use_threads=false ;;
-*-bsdi5*)
-	use_threads=true ;;
-*-linux*)
-   	# Threads are disabled on Linux by default because most
-	# Linux kernels produce unusable core dumps from multithreaded
-	# programs, and because of limitations in setuid().
-	use_threads=false ;;	
-*-darwin[[123456789]].*)
-	use_threads=false ;;
-*-darwin*.*)
-	use_threads=true ;;
-*)
-	use_threads=false ;;
-esac
-
-AC_ARG_ENABLE(threads,
-	[  --enable-threads        enable multithreading])
-case "$enable_threads" in
-	yes)
-		use_threads=true
-		;;
-	no)
-		use_threads=false
-		;;
-	'')
-		# Use system-dependent default
-		;;
-	*)
-	    	AC_MSG_ERROR([--enable-threads takes yes or no])
-		;;
-esac
-
-if $use_threads
-then
-	AC_MSG_RESULT(yes)
-else
-	AC_MSG_RESULT(no)	
-fi
-
-if $use_threads
-then
-	#
-	# Search for / configure pthreads in a system-dependent fashion.
-	#
-	case "$host" in
-		*-freebsd*)
-			# We don't want to set -lpthread as that break
-			# the ability to choose threads library at final
-			# link time and is not valid for all architectures.
-			
-			PTHREAD=
-			if test "X$GCC" = "Xyes"; then
-				saved_cc="$CC"
-				CC="$CC -pthread"
-				AC_MSG_CHECKING(for gcc -pthread support);
-				AC_TRY_LINK([#include <pthread.h>],
-					    [printf("%x\n", pthread_create);],
-					    PTHREAD="yes"
-					    AC_MSG_RESULT(yes),
-					    AC_MSG_RESULT(no))
-				CC="$saved_cc"
-			fi
-			if test "X$PTHREAD" != "Xyes"; then
-				AC_CHECK_LIB(pthread, pthread_create,,
-				AC_CHECK_LIB(thr, thread_create,,
-				AC_CHECK_LIB(c_r, pthread_create,,
-				AC_CHECK_LIB(c, pthread_create,,
-				AC_MSG_ERROR("could not find thread libraries")))))
-			fi
-			;;
-		*)
-			AC_CHECK_LIB(pthread, pthread_create,,
-				AC_CHECK_LIB(pthread, __pthread_create,,
-				AC_CHECK_LIB(pthread, __pthread_create_system,,
-				AC_CHECK_LIB(c_r, pthread_create,,
-				AC_CHECK_LIB(c, pthread_create,,
-				AC_MSG_ERROR("could not find thread libraries"))))))
-		;;
-	esac
-fi
diff --git a/contrib/bind9/configure.in b/contrib/bind9/configure.in
deleted file mode 100644
index 8e543d8..0000000
--- a/contrib/bind9/configure.in
+++ /dev/null
@@ -1,3840 +0,0 @@
-# Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-dnl
-AC_DIVERT_PUSH(1)dnl
-esyscmd([sed "s/^/# /" COPYRIGHT])dnl
-AC_DIVERT_POP()dnl
-
-AC_REVISION($Revision: 1.533 $)
-
-AC_INIT(lib/dns/name.c)
-AC_PREREQ(2.59)
-
-AC_CONFIG_HEADER(config.h)
-AC_CONFIG_MACRO_DIR([libtool.m4])
-
-AC_CANONICAL_HOST
-
-AC_PROG_MAKE_SET
-
-#
-# GNU libtool support
-#
-case $build_os in
-sunos*)
-    # Just set the maximum command line length for sunos as it otherwise
-    # takes a exceptionally long time to work it out. Required for libtool.
-
-    lt_cv_sys_max_cmd_len=4096;
-    ;;
-esac
-
-AC_PROG_LIBTOOL
-AC_PROG_INSTALL
-AC_PROG_LN_S
-
-AC_SUBST(STD_CINCLUDES)
-AC_SUBST(STD_CDEFINES)
-AC_SUBST(STD_CWARNINGS)
-AC_SUBST(CCOPT)
-
-# Warn if the user specified libbind, which is now deprecated
-AC_ARG_ENABLE(libbind, [  --enable-libbind	  deprecated])
-
-case "$enable_libbind" in
-	yes)
-		AC_MSG_ERROR(['libbind' is no longer part of the BIND 9 distribution.
-It is available from http://www.isc.org as a separate download.])
-		;;
-	no|'')
-		;;
-esac
-
-AC_ARG_ENABLE(developer, [  --enable-developer      enable developer build settings])
-case "$enable_developer" in
-yes)
-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
-	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
-	test "${with_atf+set}" = set || with_atf=yes
-	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
-	test "${with_dlz_filesystem+set}" = set || with_dlz_filesystem=yes
-	case "$host" in
-	*-darwin*)
-		test "${enable_exportlib+set}" = set || enable_exportlib=yes
-		;;
-	*-linux*)
-		test "${enable_exportlib+set}" = set || enable_exportlib=yes
-		;;
-	esac
-	;;
-esac
-#
-# Make very sure that these are the first files processed by
-# config.status, since we use the processed output as the input for
-# AC_SUBST_FILE() substitutions in other files.
-#
-AC_CONFIG_FILES([make/rules make/includes])
-
-AC_PATH_PROG(AR, ar)
-ARFLAGS="cruv"
-AC_SUBST(AR)
-AC_SUBST(ARFLAGS)
-
-# The POSIX ln(1) program.  Non-POSIX systems may substitute
-# "copy" or something.
-LN=ln
-AC_SUBST(LN)
-
-case "$AR" in
-	"")
-		AC_MSG_ERROR([
-ar program not found.  Please fix your PATH to include the directory in
-which ar resides, or set AR in the environment with the full path to ar.
-])
-
-		;;
-esac
-
-#
-# Etags.
-#
-AC_PATH_PROGS(ETAGS, etags emacs-etags)
-
-#
-# Some systems, e.g. RH7, have the Exuberant Ctags etags instead of
-# GNU emacs etags, and it requires the -L flag.
-#
-if test "X$ETAGS" != "X"; then
-	AC_MSG_CHECKING(for Exuberant Ctags etags)
-	if $ETAGS --version 2>&1 | grep 'Exuberant Ctags' >/dev/null 2>&1; then
-		AC_MSG_RESULT(yes)
-		ETAGS="$ETAGS -L"
-	else
-		AC_MSG_RESULT(no)
-	fi
-fi
-AC_SUBST(ETAGS)
-
-#
-# Perl is optional; it is used only by some of the system test scripts.
-# Note: the backtrace feature (see below) uses perl to build the symbol table,
-# but it still compiles without perl, in which case an empty table will be used.
-#
-AC_PATH_PROGS(PERL, perl5 perl)
-AC_SUBST(PERL)
-
-#
-# Python is also optional; it is used by the tools in bin/python.
-# If python is unavailable, we simply don't build those.
-#
-AC_ARG_WITH(python,
-[  --with-python=PATH      Specify path to python interpreter],
-    use_python="$withval", use_python="unspec")
-
-case "$use_python" in
-	no)
-		AC_MSG_RESULT(disabled)
-		;;
-	unspec|yes|*)
-		case "$use_python" in
-		unspec|yes|'')
-			AC_PATH_PROGS(PYTHON, python)
-			;;
-		*)
-			AC_PATH_PROGS(PYTHON, $use_python)
-			;;
-		esac
-		if test "X$PYTHON" == "X"
-		then
-			case "$use_python" in
-			unspec)
-				AC_MSG_RESULT(disabled)
-				;;
-			yes|*)
-				AC_MSG_ERROR([missing python])
-				;;
-			esac
-			break
-		fi
-                testscript='try: import argparse
-except: exit(1)'
-		AC_MSG_CHECKING([python module 'argparse'])
-                if $PYTHON -c "$testscript"; then
-                        AC_MSG_RESULT([found, using $PYTHON])
-                else
-			case "$use_python" in
-			unspec)
-				PYTHON=""
-				AC_SUBST(CHECKDS)
-				AC_SUBST(COVERAGE)
-				AC_MSG_RESULT([not found, python disabled])
-				;;
-			yes)
-                        AC_MSG_RESULT([no found])
-                        AC_MSG_ERROR([python 'argparse' module not supported])
-				;;
-			esac
-                fi
-		;;
-esac
-
-PYTHON_TOOLS=''
-CHECKDS=''
-COVERAGE=''
-if test "X$PYTHON" != "X"; then
-        PYTHON_TOOLS=python
-	CHECKDS=checkds
-	COVERAGE=coverage
-fi
-AC_SUBST(CHECKDS)
-AC_SUBST(COVERAGE)
-AC_SUBST(PYTHON_TOOLS)
-
-#
-# Special processing of paths depending on whether --prefix,
-# --sysconfdir or --localstatedir arguments were given.  What's
-# desired is some compatibility with the way previous versions
-# of BIND built; they defaulted to /usr/local for most parts of
-# the installation, but named.boot/named.conf was in /etc
-# and named.pid was in /var/run.
-#
-# So ... if none of --prefix, --sysconfdir or --localstatedir are
-# specified, set things up that way.  If --prefix is given, use
-# it for sysconfdir and localstatedir the way configure normally
-# would.  To change the prefix for everything but leave named.conf
-# in /etc or named.pid in /var/run, then do this the usual configure way:
-# ./configure --prefix=/somewhere --sysconfdir=/etc
-# ./configure --prefix=/somewhere --localstatedir=/var
-#
-# To put named.conf and named.pid in /usr/local with everything else,
-# set the prefix explicitly to /usr/local even though that's the default:
-# ./configure --prefix=/usr/local
-#
-case "$prefix" in
-	NONE)
-		case "$sysconfdir" in
-			'${prefix}/etc')
-				sysconfdir=/etc
-				;;
-		esac
-		case "$localstatedir" in
-			'${prefix}/var')
-				localstatedir=/var
-				;;
-		esac
-		;;
-esac
-
-#
-# Make sure INSTALL uses an absolute path, else it will be wrong in all
-# Makefiles, since they use make/rules.in and INSTALL will be adjusted by
-# configure based on the location of the file where it is substituted.
-# Since in BIND9 INSTALL is only substituted into make/rules.in, an immediate
-# subdirectory of install-sh, This relative path will be wrong for all
-# directories more than one level down from install-sh.
-#
-case "$INSTALL" in
-	/*)
-		;;
-	*)
-		#
-		# Not all systems have dirname.
-		#
-		changequote({, })
-		ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
-		changequote([, ])
-
-		ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
-		test "$ac_dir" = "$ac_prog" && ac_dir=.
-		test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
-		INSTALL="$ac_dir/$ac_prog"
-		;;
-esac
-
-#
-# On these hosts, we really want to use cc, not gcc, even if it is
-# found.  The gcc that these systems have will not correctly handle
-# pthreads.
-#
-# However, if the user sets $CC to be something, let that override
-# our change.
-#
-if test "X$CC" = "X" ; then
-	case "$host" in
-		*-dec-osf*)
-			CC="cc"
-			;;
-		*-solaris*)
-			# Use Sun's cc if it is available, but watch
-			# out for /usr/ucb/cc; it will never be the right
-			# compiler to use.
-			#
-			# If setting CC here fails, the AC_PROG_CC done
-			# below might still find gcc.
-			IFS="${IFS=	}"; ac_save_ifs="$IFS"; IFS=":"
-			for ac_dir in $PATH; do
-				test -z "$ac_dir" && ac_dir=.
-				case "$ac_dir" in
-				/usr/ucb)
-					# exclude
-					;;
-				*)
-					if test -f "$ac_dir/cc"; then
-						CC="$ac_dir/cc"
-						break
-					fi
-					;;
-				esac
-			done
-			IFS="$ac_save_ifs"
-			;;
-		*-hp-hpux*)
-			CC="cc"
-			;;
-		mips-sgi-irix*)
-			CC="cc"
-			;;
-	esac
-fi
-
-AC_PROG_CC
-
-#
-# gcc's optimiser is broken at -02 for ultrasparc
-#
-if test "$ac_env_CFLAGS_set" != set -a "X$GCC" = "Xyes"; then
-	case "$host" in
-	sparc-*)
-		CCFLAGS="-g -O1"
-		;;
-	esac
-fi
-
-#
-# OS dependent CC flags
-#
-case "$host" in
-	# OSF 5.0: recv/send are only available with -D_POSIX_PII_SOCKET or
-	# -D_XOPEN_SOURCE_EXTENDED.
-	*-dec-osf*)
-		STD_CDEFINES="$STD_CDEFINES -D_POSIX_PII_SOCKET"
-		CPPFLAGS="$CPPFLAGS -D_POSIX_PII_SOCKET"
-		;;
-	#HP-UX: need -D_XOPEN_SOURCE_EXTENDED and -lxnet for CMSG macros
-	*-hp-hpux*)
-		STD_CDEFINES="$STD_CDEFINES -D_XOPEN_SOURCE_EXTENDED"
-		CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE_EXTENDED"
-		LIBS="-lxnet $LIBS"
-		;;
-	# Solaris: need -D_XPG4_2 and -D__EXTENSIONS__ for CMSG macros
-	*-solaris*)
-		STD_CDEFINES="$STD_CDEFINES -D_XPG4_2 -D__EXTENSIONS__"
-		CPPFLAGS="$CPPFLAGS -D_XPG4_2 -D__EXTENSIONS__"
-		;;
-	# POSIX doesn't include the IPv6 Advanced Socket API and glibc hides
-	# parts of the IPv6 Advanced Socket API as a result.  This is stupid
-	# as it breaks how the two halves (Basic and Advanced) of the IPv6
-	# Socket API were designed to be used but we have to live with it.
-	# Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API.
-	*-linux* | *-kfreebsd*-gnu)
-		STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE"
-		CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE"
-		;;
-	#
-	# Starting with OSX 10.7 (Lion) we must choose which IPv6 API to use.
-	# Setting this is sufficient to select the correct behavior for BIND 9.
-	#
-	*-darwin*)
-	  STD_CDEFINES="$STD_CDEFINES -D__APPLE_USE_RFC_3542"
-	  CPPFLAGS="$CPPFLAGS -D__APPLE_USE_RFC_3542"
-	  ;;
-esac
-
-AC_HEADER_STDC
-
-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
-[$ac_includes_default
-#ifdef HAVE_SYS_PARAM_H
-# include <sys/param.h>
-#endif
-])
-
-AC_C_CONST
-AC_C_INLINE
-AC_C_VOLATILE
-AC_CHECK_FUNC(sysctlbyname, AC_DEFINE(HAVE_SYSCTLBYNAME))
-AC_C_FLEXIBLE_ARRAY_MEMBER
-
-#
-# Older versions of HP/UX don't define seteuid() and setegid()
-#
-AC_CHECK_FUNCS(seteuid setresuid)
-AC_CHECK_FUNCS(setegid setresgid)
-
-#
-# UnixWare 7.1.1 with the feature supplement to the UDK compiler
-# is reported to not support "static inline" (RT #1212).
-#
-AC_MSG_CHECKING(for static inline breakage)
-AC_TRY_COMPILE([
-	static inline int foo1() {
-		return 0;
-	}
-
-	static inline int foo2() {
-		return foo1();
-	}
-	], [foo1();],
-	[AC_MSG_RESULT(no)],
-	[AC_MSG_RESULT(yes)
-	 AC_DEFINE(inline, ,[Define to empty if your compiler does not support "static inline".])])
-
-AC_TYPE_SIZE_T
-AC_CHECK_TYPE(ssize_t, int)
-AC_CHECK_TYPE(uintptr_t,unsigned long)
-AC_CHECK_TYPE(socklen_t,
-[AC_DEFINE(ISC_SOCKADDR_LEN_T, socklen_t)],
-[
-AC_TRY_COMPILE(
-[
-#include <sys/types.h>
-#include <sys/socket.h>
-int getsockname(int, struct sockaddr *, size_t *);
-],[],
-[AC_DEFINE(ISC_SOCKADDR_LEN_T, size_t)],
-[AC_DEFINE(ISC_SOCKADDR_LEN_T, int)])
-],
-[
-#include <sys/types.h>
-#include <sys/socket.h>
-])
-AC_SUBST(ISC_SOCKADDR_LEN_T)
-AC_HEADER_TIME
-AC_MSG_CHECKING(for long long)
-AC_TRY_COMPILE([],[long long i = 0; return (0);],
-	[AC_MSG_RESULT(yes)
-		ISC_PLATFORM_HAVELONGLONG="#define ISC_PLATFORM_HAVELONGLONG 1"],
-	[AC_MSG_RESULT(no)
-		ISC_PLATFORM_HAVELONGLONG="#undef ISC_PLATFORM_HAVELONGLONG"])
-AC_SUBST(ISC_PLATFORM_HAVELONGLONG)
-
-#
-# check for GCC noreturn attribute
-#
-AC_MSG_CHECKING(for GCC noreturn attribute)
-AC_TRY_COMPILE([],[void foo() __attribute__((noreturn));],
-	[AC_MSG_RESULT(yes)
-		ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE"
-		ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST __attribute__((noreturn))"],
-	[AC_MSG_RESULT(no)
-		ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE"
-		ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST"])
-AC_SUBST(ISC_PLATFORM_NORETURN_PRE)
-AC_SUBST(ISC_PLATFORM_NORETURN_POST)
-
-#
-# check if we have lifconf
-#
-AC_MSG_CHECKING(for struct lifconf)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <net/if.h>
-],
-[
-struct lifconf lifconf;
-lifconf.lifc_len = 0;
-]
-,
-	[AC_MSG_RESULT(yes)
-		ISC_PLATFORM_HAVELIFCONF="#define ISC_PLATFORM_HAVELIFCONF 1"],
-	[AC_MSG_RESULT(no)
-		ISC_PLATFORM_HAVELIFCONF="#undef ISC_PLATFORM_HAVELIFCONF"])
-AC_SUBST(ISC_PLATFORM_HAVELIFCONF)
-
-#
-# check if we want the new statistics
-#
-AC_ARG_ENABLE(newstats,
-	[  --enable-newstats         use the new statistics])
-case "$enable_newstats" in
-yes)
-        AC_DEFINE(NEWSTATS, 1, [Use the new XML schema for statistics])
-	;;
-*)
-	;;
-esac
-
-#
-# check if we have kqueue
-#
-AC_ARG_ENABLE(kqueue,
-	[  --enable-kqueue         use BSD kqueue when available [[default=yes]]],
-	      want_kqueue="$enableval",  want_kqueue="yes")
-case $want_kqueue in
-yes)
-	AC_CHECK_FUNC(kqueue, ac_cv_have_kqueue=yes, ac_cv_have_kqueue=no)
-	case $ac_cv_have_kqueue in
-	yes)
-		ISC_PLATFORM_HAVEKQUEUE="#define ISC_PLATFORM_HAVEKQUEUE 1"
-		;;
-	*)
-		ISC_PLATFORM_HAVEKQUEUE="#undef ISC_PLATFORM_HAVEKQUEUE"
-		;;
-	esac
-	;;
-*)
-	ISC_PLATFORM_HAVEKQUEUE="#undef ISC_PLATFORM_HAVEKQUEUE"
-	;;
-esac
-AC_SUBST(ISC_PLATFORM_HAVEKQUEUE)
-
-#
-# check if we have epoll.  Linux kernel 2.4 has epoll_create() which fails,
-# so we need to try running the code, not just test its existence.
-#
-AC_ARG_ENABLE(epoll,
-[  --enable-epoll          use Linux epoll when available [[default=auto]]],
-	      want_epoll="$enableval",  want_epoll="auto")
-case $want_epoll in
-auto)
-	AC_MSG_CHECKING(epoll support)
-	AC_TRY_RUN([
-#include <sys/epoll.h>
-int main() {
-	if (epoll_create(1) < 0)
-		return (1);
-	return (0);
-}
-],
-	[AC_MSG_RESULT(yes)
-	ISC_PLATFORM_HAVEEPOLL="#define ISC_PLATFORM_HAVEEPOLL 1"],
-	[AC_MSG_RESULT(no)
-	ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"],
-	[AC_MSG_RESULT(no)
-	ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"])
-	;;
-yes)
-	ISC_PLATFORM_HAVEEPOLL="#define ISC_PLATFORM_HAVEEPOLL 1"
-	;;
-*)
-	ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"
-	;;
-esac
-AC_SUBST(ISC_PLATFORM_HAVEEPOLL)
-
-#
-# check if we support /dev/poll
-#
-AC_ARG_ENABLE(devpoll,
-	[  --enable-devpoll        use /dev/poll when available [[default=yes]]],
-	      want_devpoll="$enableval",  want_devpoll="yes")
-case $want_devpoll in
-yes)
-	AC_CHECK_HEADERS(sys/devpoll.h devpoll.h,
-	ISC_PLATFORM_HAVEDEVPOLL="#define ISC_PLATFORM_HAVEDEVPOLL 1"
-	,
-	ISC_PLATFORM_HAVEDEVPOLL="#undef ISC_PLATFORM_HAVEDEVPOLL"
-	)
-	;;
-*)
-	ISC_PLATFORM_HAVEDEVPOLL="#undef ISC_PLATFORM_HAVEDEVPOLL"
-	;;
-esac
-AC_SUBST(ISC_PLATFORM_HAVEDEVPOLL)
-
-#
-# check if we need to #include sys/select.h explicitly
-#
-case $ac_cv_header_unistd_h in
-yes)
-AC_MSG_CHECKING(if unistd.h or sys/types.h defines fd_set)
-AC_TRY_COMPILE([
-#include <sys/types.h> /* Ultrix */
-#include <unistd.h>],
-[fd_set read_set; return (0);],
-	[AC_MSG_RESULT(yes)
-	 ISC_PLATFORM_NEEDSYSSELECTH="#undef ISC_PLATFORM_NEEDSYSSELECTH"
-	 LWRES_PLATFORM_NEEDSYSSELECTH="#undef LWRES_PLATFORM_NEEDSYSSELECTH"],
-	[AC_MSG_RESULT(no)
-	case $ac_cv_header_sys_select_h in
-	yes)
-	 ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
-	 LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
-		;;
-	no)
-		AC_MSG_ERROR([need either working unistd.h or sys/select.h])
-		;;
-	esac
-	])
-	;;
-no)
-	case $ac_cv_header_sys_select_h in
-	yes)
-	     ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
-	     LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
-		;;
-	no)
-		AC_MSG_ERROR([need either unistd.h or sys/select.h])
-		;;
-	esac
-	;;
-esac
-AC_SUBST(ISC_PLATFORM_NEEDSYSSELECTH)
-AC_SUBST(LWRES_PLATFORM_NEEDSYSSELECTH)
-
-#
-# Find the machine's endian flavor.
-#
-AC_C_BIGENDIAN
-
-#
-# was --with-openssl specified?
-#
-OPENSSL_WARNING=
-AC_MSG_CHECKING(for OpenSSL library)
-AC_ARG_WITH(openssl,
-[  --with-openssl[=PATH]     Build with OpenSSL [yes|no|path].
-			  (Required for DNSSEC)],
-    use_openssl="$withval", use_openssl="auto")
-
-openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "$use_openssl" = "auto"
-then
-	for d in $openssldirs
-	do
-		if test -f $d/include/openssl/opensslv.h
-		then
-			use_openssl=$d
-			break
-		fi
-	done
-fi
-OPENSSL_ECDSA=""
-OPENSSL_GOST=""
-case "$use_openssl" in
-	no)
-		AC_MSG_RESULT(no)
-		DST_OPENSSL_INC=""
-		USE_OPENSSL=""
-		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRS=""
-		OPENSSLLINKOBJS=""
-		OPENSSLLINKSRCS=""
-		;;
-	auto)
-		DST_OPENSSL_INC=""
-		USE_OPENSSL=""
-		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRS=""
-		OPENSSLLINKOBJS=""
-		OPENSSLLINKSRCS=""
-		AC_MSG_ERROR(
-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you don't want OpenSSL, use --without-openssl])
-		;;
-	*)
-		if test "$use_openssl" = "yes"
-		then
-			# User did not specify a path - guess it
-			for d in $openssldirs
-			do
-				if test -f $d/include/openssl/opensslv.h
-				then
-					use_openssl=$d
-					break
-				fi
-			done
-			if test "$use_openssl" = "yes"
-			then
-				AC_MSG_RESULT(not found)
-				AC_MSG_ERROR(
-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
-			fi
-		elif ! test -f "$use_openssl"/include/openssl/opensslv.h
-		then
-			AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
-		fi
-		USE_OPENSSL='-DOPENSSL'
-		if test "$use_openssl" = "/usr"
-		then
-			DST_OPENSSL_INC=""
-			DNS_OPENSSL_LIBS="-lcrypto"
-		else
-			DST_OPENSSL_INC="-I$use_openssl/include"
-			case $host in
-			*-solaris*)
-				DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
-				;;
-			*-hp-hpux*)
-				DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
-				;;
-			*-apple-darwin*)
-				#
-				# Apple's ld seaches for serially for dynamic
-				# then static libraries.  This means you can't
-				# use -L to override dynamic system libraries
-				# with static ones when linking.  Instead
-				# we specify a absolute path.
-				#
-				if test -f "$use_openssl/lib/libcrypto.dylib"
-				then
-					DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
-				else
-					DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
-				fi
-				;;
-			*)
-				DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
-				;;
-			esac
-		fi
-		AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include)
-
-		saved_cflags="$CFLAGS"
-		saved_libs="$LIBS"
-		CFLAGS="$CFLAGS $DST_OPENSSL_INC"
-		LIBS="$LIBS $DNS_OPENSSL_LIBS"
-		AC_MSG_CHECKING(whether linking with OpenSSL works)
-		AC_TRY_RUN([
-#include <openssl/err.h>
-int main() {
-	ERR_clear_error();
-	return (0);
-}
-],
-		[AC_MSG_RESULT(yes)],
-		[AC_MSG_RESULT(no)
-		 AC_MSG_ERROR(Could not run test program using OpenSSL from
-$use_openssl/lib and $use_openssl/include.
-Please check the argument to --with-openssl and your
-shared library configuration (e.g., LD_LIBRARY_PATH).)],
-		[AC_MSG_RESULT(assuming it does work on target platform)])
-
-		AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
-		AC_TRY_LINK([
-#include <openssl/err.h>],
-[ DSO_METHOD_dlfcn(); ],
-		[AC_MSG_RESULT(no)],
-		[LIBS="$LIBS -ldl"
-		AC_TRY_LINK([
-#include <openssl/err.h>
-],[ DSO_METHOD_dlfcn(); ],
-		[AC_MSG_RESULT(yes)
-		DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
-		],
-		 [AC_MSG_RESULT(unknown)
-		 AC_MSG_ERROR(OpenSSL has unsupported dynamic loading)],
-		[AC_MSG_RESULT(assuming it does work on target platform)])
-		],
-		[AC_MSG_RESULT(assuming it does work on target platform)]
-		)
-		
-AC_ARG_ENABLE(openssl-version-check,
-[AC_HELP_STRING([--enable-openssl-version-check],
-	[Check OpenSSL Version @<:@default=yes@:>@])])
-case "$enable_openssl_version_check" in
-yes|'')
-		AC_MSG_CHECKING(OpenSSL library version)
-		AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
-	if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
-	     OPENSSL_VERSION_NUMBER < 0x00908000L) ||
-	     OPENSSL_VERSION_NUMBER >= 0x0090804fL)
-		return (0);
-	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
-		OPENSSL_VERSION_NUMBER);
-	printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
-	return (1);
-}
-		],
-		[AC_MSG_RESULT(ok)],
-		[AC_MSG_RESULT(not compatible)
-		 OPENSSL_WARNING=yes
-		],
-		[AC_MSG_RESULT(assuming target platform has compatible version)])
-;;
-no)
-	AC_MSG_RESULT(Skipped OpenSSL version check)
-;;
-esac
-
-        AC_MSG_CHECKING(for OpenSSL DSA support)
-        if test -f $use_openssl/include/openssl/dsa.h
-        then
-                AC_DEFINE(HAVE_OPENSSL_DSA)
-                AC_MSG_RESULT(yes)
-        else
-                AC_MSG_RESULT(no)
-        fi
-
-        AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
-
-        AC_MSG_CHECKING(for OpenSSL ECDSA support)
-        have_ecdsa=""
-        AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/ecdsa.h>
-#include <openssl/objects.h>
-int main() {
-	EC_KEY *ec256, *ec384;
-
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
-	return (1);
-#endif
-	ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-	ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
-	if (ec256 == NULL || ec384 == NULL)
-		return (2);
-	return (0);
-}
-],
-        [AC_MSG_RESULT(yes)
-        have_ecdsa="yes"],
-        [AC_MSG_RESULT(no)
-        have_ecdsa="no"],
-        [AC_MSG_RESULT(using --with-ecdsa)])
-        AC_ARG_WITH(ecdsa, [  --with-ecdsa            OpenSSL ECDSA],
-	            with_ecdsa="$withval", with_ecdsa="auto")
-        case "$with_ecdsa" in
-        yes)
-            case "$have_ecdsa" in
-            no)  AC_MSG_ERROR([ecdsa not supported]) ;;
-            *)  have_ecdsa=yes ;;
-            esac
-            ;;
-        no)
-            have_ecdsa=no ;;
-        *)
-            case "$have_ecdsa" in
-            yes|no) ;;
-            *) AC_MSG_ERROR([need --with-ecdsa=[[yes or no]]]) ;;
-            esac
-            ;;
-        esac
-        case $have_ecdsa in
-        yes)
-                OPENSSL_ECDSA="yes"
-                AC_DEFINE(HAVE_OPENSSL_ECDSA, 1,
-                          [Define if your OpenSSL version supports ECDSA.])
-                ;;
-        *)
-                ;;
-        esac
-
-        AC_MSG_CHECKING(for OpenSSL GOST support)
-        have_gost=""
-        AC_TRY_RUN([
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
-	ENGINE *e;
-	EC_KEY *ek;
-
-	ek = NULL;
-	OPENSSL_config(NULL);
-
-	e = ENGINE_by_id("gost");
-	if (e == NULL)
-		return (1);
-	if (ENGINE_init(e) <= 0)
-		return (1);
-	return (0);
-#else
-	return (1);
-#endif
-}
-],
-        [AC_MSG_RESULT(yes)
-        have_gost="yes"],
-        [AC_MSG_RESULT(no)
-        have_gost="no"],
-        [AC_MSG_RESULT(using --with-gost)])
-        AC_ARG_WITH(gost, [  --with-gost             OpenSSL GOST],
-                    with_gost="$withval", with_gost="auto")
-        case "$with_gost" in
-        yes)
-            case "$have_gost" in
-            no)  AC_MSG_ERROR([gost not supported]) ;;
-            *)  have_gost=yes ;;
-            esac
-            ;;
-        no)
-            have_gost=no ;;
-        *)
-            case "$have_gost" in
-            yes|no) ;;
-            *) AC_MSG_ERROR([need --with-gost=[[yes or no]]]) ;;
-            esac
-            ;;
-        esac
-        case $have_gost in
-        yes)
-		OPENSSL_GOST="yes"
-		OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
-		OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
-		AC_DEFINE(HAVE_OPENSSL_GOST, 1,
-			  [Define if your OpenSSL version supports GOST.])
-		;;
-        *)
-                ;;
-        esac
-        CFLAGS="$saved_cflags"
-        LIBS="$saved_libs"
-        OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
-        OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
-
-        ;;
-esac
-
-#
-# This would include the system openssl path (and linker options to use
-# it as needed) if it is found.
-#
-
-AC_SUBST(USE_OPENSSL)
-AC_SUBST(DST_OPENSSL_INC)
-AC_SUBST(OPENSSLGOSTLINKOBJS)
-AC_SUBST(OPENSSLGOSTLINKSRCS)
-AC_SUBST(OPENSSLLINKOBJS)
-AC_SUBST(OPENSSLLINKSRCS)
-AC_SUBST(OPENSSL_ECDSA)
-AC_SUBST(OPENSSL_GOST)
-
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
-
-#
-# Use OpenSSL for hash functions
-#
-
-AC_ARG_ENABLE(openssl-hash,
-	[  --enable-openssl-hash   use OpenSSL for hash functions [[default=no]]],
-	want_openssl_hash="$enableval", want_openssl_hash="no")
-case $want_openssl_hash in
-	yes)
-		if test "$USE_OPENSSL" = ""
-		then
-			AC_MSG_ERROR([No OpenSSL for hash functions])
-		fi
-		ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
-		ISC_OPENSSL_INC="$DST_OPENSSL_INC"
-		;;
-	no)
-		ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
-		ISC_OPENSSL_INC=""
-		;;
-esac
-AC_SUBST(ISC_PLATFORM_OPENSSLHASH)
-AC_SUBST(ISC_OPENSSL_INC)
-
-#
-# PKCS11 (aka crypto hardware) support
-#
-# This works only with the right OpenSSL with PKCS11 engine!
-#
-
-AC_MSG_CHECKING(for PKCS11 support)
-AC_ARG_WITH(pkcs11,
-[  --with-pkcs11[=PATH]      Build with PKCS11 support [yes|no|path]
-                          (PATH is for the PKCS11 provider)],
-   use_pkcs11="$withval", use_pkcs11="no")
-
-case "$use_pkcs11" in
-	no|'')
-		AC_MSG_RESULT(disabled)
-		USE_PKCS11=''
-		PKCS11_TOOLS=''
-		;;
-	yes|*)
-		AC_MSG_RESULT(using OpenSSL with PKCS11 support)
-		USE_PKCS11='-DUSE_PKCS11'
-		PKCS11_TOOLS=pkcs11
-		;;
-esac
-AC_SUBST(USE_PKCS11)
-AC_SUBST(PKCS11_TOOLS)
-
-AC_MSG_CHECKING(for PKCS11 tools)
-case "$use_pkcs11" in
-	no|yes|'')
-		AC_MSG_RESULT(disabled)
-		PKCS11_PROVIDER="undefined"
-		;;
-       *)
-		AC_MSG_RESULT(PKCS11 provider is "$use_pkcs11")
-		PKCS11_PROVIDER="$use_pkcs11"
-		;;
-esac
-AC_SUBST(PKCS11_PROVIDER)
-
-AC_MSG_CHECKING(for GSSAPI library)
-AC_ARG_WITH(gssapi,
-[  --with-gssapi=PATH      Specify path for system-supplied GSSAPI [[default=yes]]],
-    use_gssapi="$withval", use_gssapi="yes")
-
-# gssapi is just the framework, we really require kerberos v5, so
-# look for those headers (the gssapi headers must be there, too)
-# The problem with this implementation is that it doesn't allow
-# for the specification of gssapi and krb5 headers in different locations,
-# which probably ought to be fixed although fixing might raise the issue of
-# trying to build with incompatible versions of gssapi and krb5.
-if test "$use_gssapi" = "yes"
-then
-	# first, deal with the obvious
-	if test \( -f /usr/include/kerberosv5/krb5.h -o \
-		   -f /usr/include/krb5/krb5.h -o \
-		   -f /usr/include/krb5.h \)   -a \
-		\( -f /usr/include/gssapi.h -o \
-		   -f /usr/include/gssapi/gssapi.h \)
-	then
-		use_gssapi=/usr
-	else
-	    krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
-	    for d in $krb5dirs
-	    do
-		if test -f $d/include/gssapi/gssapi_krb5.h -o \
-		        -f $d/include/krb5.h
-		then
-			if test -f $d/include/gssapi/gssapi.h -o \
-			        -f $d/include/gssapi.h
-			then
-				use_gssapi=$d
-				break
-			fi
-		fi
-		use_gssapi="no"
-	    done
-	fi
-fi
-
-case "$use_gssapi" in
-	no)
-		AC_MSG_RESULT(disabled)
-		USE_GSSAPI=''
-		;;
-	yes)
-		AC_MSG_ERROR([--with-gssapi must specify a path])
-		;;
-	*)
-		AC_MSG_RESULT(looking in $use_gssapi/lib)
-		USE_GSSAPI='-DGSSAPI'
-		saved_cppflags="$CPPFLAGS"
-		CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
-		AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
-		    [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
-
-		if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
-		    AC_MSG_ERROR([gssapi.h not found])
-		fi
-
-		AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h,
-		    [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"])
-
-		AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
-		    [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
-
-		if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
-		    AC_MSG_ERROR([krb5.h not found])
-		fi
-
-		CPPFLAGS="$saved_cppflags"
-
-		#
-		# XXXDCL This probably doesn't work right on all systems.
-		# It will need to be worked on as problems become evident.
-		#
-		# Essentially the problems here relate to two different
-		# areas.  The first area is building with either KTH
-		# or MIT Kerberos, particularly when both are present on
-		# the machine.  The other is static versus dynamic linking.
-		#
-		# On the KTH vs MIT issue, Both have libkrb5 that can mess
-		# up the works if one implementation ends up trying to
-		# use the other's krb.  This is unfortunately a situation
-		# that very easily arises.
-		#
-		# Dynamic linking when the dependency information is built
-		# into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
-		# all such problems go away, but when that setup is not
-		# present, because either the dynamic libraries lack
-		# dependencies or static linking is being done, then the
-		# problems start to show up.
-		saved_libs="$LIBS"
-		for TRY_LIBS in \
-		    "-lgssapi_krb5" \
-		    "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
-		    "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
-		    "-lgssapi" \
-		    "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
-		    "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
-		    "-lgss -lkrb5"
-		do
-		    # Note that this does not include $saved_libs, because
-		    # on FreeBSD machines this configure script has added
-		    # -L/usr/local/lib to LIBS, which can make the
-		    # -lgssapi_krb5 test succeed with shared libraries even
-		    # when you are trying to build with KTH in /usr/lib.
-		    if test "$use_gssapi" = "/usr"
-		    then
-			    LIBS="$TRY_LIBS"
-		    else
-			    LIBS="-L$use_gssapi/lib $TRY_LIBS"
-		    fi
-		    AC_MSG_CHECKING(linking as $TRY_LIBS)
-		    AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
-				gssapi_linked=yes, gssapi_linked=no)
-		    case $gssapi_linked in
-		    yes) AC_MSG_RESULT(yes); break ;;
-		    no)  AC_MSG_RESULT(no) ;;
-		    esac
-		done
-
-		case $gssapi_linked in
-		no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
-		esac
-
-		#
-		# XXXDCL Major kludge.  Tries to cope with KTH in /usr/lib
-		# but MIT in /usr/local/lib and trying to build with KTH.
-		# /usr/local/lib can end up earlier on the link lines.
-		# Like most kludges, this one is not only inelegant it
-		# is also likely to be the wrong thing to do at least as
-		# many times as it is the right thing.  Something better
-		# needs to be done.
-		#
-		if test "$use_gssapi" = "/usr" -a \
-			-f /usr/local/lib/libkrb5.a; then
-		    FIX_KTH_VS_MIT=yes
-		fi
-
-		case "$FIX_KTH_VS_MIT" in
-		yes)
-		    case "$enable_static_linking" in
-		    yes) gssapi_lib_suffix=".a"  ;;
-		    *)   gssapi_lib_suffix=".so" ;;
-		    esac
-
-		    for lib in $LIBS; do
-			case $lib in
-			-L*)
-			    ;;
-			-l*)
-			    new_lib=`echo $lib |
-				     sed -e s%^-l%$use_gssapi/lib/lib% \
-					 -e s%$%$gssapi_lib_suffix%`
-			    NEW_LIBS="$NEW_LIBS $new_lib"
-			    ;;
-			*)
-			   AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
-			    ;;
-			esac
-		    done
-		    LIBS="$NEW_LIBS"
-		    ;;
-		esac
-
-		DST_GSSAPI_INC="-I$use_gssapi/include"
-		DNS_GSSAPI_LIBS="$LIBS"
-
-		AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
-		LIBS="$saved_libs"
-		;;
-esac
-
-AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
-AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
-AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER)
-AC_SUBST(ISC_PLATFORM_KRB5HEADER)
-
-AC_SUBST(USE_GSSAPI)
-AC_SUBST(DST_GSSAPI_INC)
-AC_SUBST(DNS_GSSAPI_LIBS)
-DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
-
-#
-# Applications linking with libdns also need to link with these libraries.
-#
-
-AC_SUBST(DNS_CRYPTO_LIBS)
-
-#
-# was --with-randomdev specified?
-#
-AC_MSG_CHECKING(for random device)
-AC_ARG_WITH(randomdev,
-[  --with-randomdev=PATH   Specify path for random device],
-    use_randomdev="$withval", use_randomdev="unspec")
-
-case "$use_randomdev" in
-	unspec)
-		case "$cross_compiling" in
-		yes)
-			AC_MSG_RESULT(unspecified)
-			AC_MSG_ERROR([ need --with-randomdev=PATH or --with-randomdev=no])
-		esac
-		case "$host" in
-			*-openbsd*)
-				devrandom=/dev/arandom
-				;;
-			*)
-				devrandom=/dev/random
-				;;
-		esac
-		AC_MSG_RESULT($devrandom)
-		AC_CHECK_FILE($devrandom,
-			      AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
-						 "$devrandom"),)
-			      
-		;;
-	yes)
-		AC_MSG_ERROR([--with-randomdev must specify a path])
-		;;
-	no)
-		AC_MSG_RESULT(disabled)
-		;;
-	*)
-		AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev")
-		AC_MSG_RESULT(using "$use_randomdev")
-		;;
-esac
-
-#
-# Do we have arc4random() ?
-#
-AC_CHECK_FUNC(arc4random, AC_DEFINE(HAVE_ARC4RANDOM))
-
-sinclude(config.threads.in)dnl
-
-if $use_threads
-then
-	if test "X$GCC" = "Xyes"; then
-		case "$host" in
-		*-freebsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-openbsd*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			LIBS="$LIBS -lthread"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		esac
-	else
-		case $host in
-		*-dec-osf*)
-			CC="$CC -pthread"
-			CCOPT="$CCOPT -pthread"
-			;;
-		*-solaris*)
-			CC="$CC -mt"
-			CCOPT="$CCOPT -mt"
-			;;
-		*-ibm-aix*)
-			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-			;;
-		*-sco-sysv*uw*|*-*-sysv*UnixWare*)
-			CC="$CC -Kthread"
-			CCOPT="$CCOPT -Kthread"
-			;;
-		*-*-sysv*OpenUNIX*)
-			CC="$CC -Kpthread"
-			CCOPT="$CCOPT -Kpthread"
-			;;
-		esac
-	fi
-	ALWAYS_DEFINES="-D_REENTRANT"
-	ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
-	THREADOPTOBJS='${THREADOPTOBJS}'
-	THREADOPTSRCS='${THREADOPTSRCS}'
-	thread_dir=pthreads
-	#
-	# We'd like to use sigwait() too
-	#
-	AC_CHECK_FUNC(sigwait,
-		      AC_DEFINE(HAVE_SIGWAIT),
-		      AC_CHECK_LIB(c, sigwait,
-		      AC_DEFINE(HAVE_SIGWAIT),
-		      AC_CHECK_LIB(pthread, sigwait,
-				   AC_DEFINE(HAVE_SIGWAIT),
-				   AC_CHECK_LIB(pthread, _Psigwait,
-						AC_DEFINE(HAVE_SIGWAIT),))))
-
-	AC_CHECK_FUNC(pthread_attr_getstacksize,
-		      AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
-
-	AC_CHECK_FUNC(pthread_attr_setstacksize,
-		      AC_DEFINE(HAVE_PTHREAD_ATTR_SETSTACKSIZE),)
-
-	#
-	# Additional OS-specific issues related to pthreads and sigwait.
-	#
-	case "$host" in
-		#
-		# One more place to look for sigwait.
-		#
-		*-freebsd*)
-			AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
-			case $host in
-			*-freebsd5.[[012]]|*-freebsd5.[[012]].*);;
-			*-freebsd5.[[3456789]]|*-freebsd5.[[3456789]].*)
-				AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
-				;;
-			*-freebsd6.*)
-				AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
-				;;
-			esac
-			;;
-		#
-		# BSDI 3.0 through 4.0.1 needs pthread_init() to be
-		# called before certain pthreads calls.	 This is deprecated
-		# in BSD/OS 4.1.
-		#
-		*-bsdi3.*|*-bsdi4.0*)
-			AC_DEFINE(NEED_PTHREAD_INIT)
-			;;
-		#
-		# LinuxThreads requires some changes to the way we
-		# deal with signals.
-		#
-		*-linux*)
-			AC_DEFINE(HAVE_LINUXTHREADS)
-			;;
-		#
-		# Ensure the right sigwait() semantics on Solaris and make
-		# sure we call pthread_setconcurrency.
-		#
-		*-solaris*)
-			AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
-			AC_CHECK_FUNC(pthread_setconcurrency,
-				      AC_DEFINE(CALL_PTHREAD_SETCONCURRENCY))
-			;;
-		#
-		# UnixWare does things its own way.
-		#
-		*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
-			AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
-			;;
-	esac
-
-	#
-	# Look for sysconf to allow detection of the number of processors.
-	#
-	AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
-
-else
-	ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
-	thread_dir=nothreads
-	THREADOPTOBJS=""
-	THREADOPTSRCS=""
-	ALWAYS_DEFINES=""
-fi
-
-AC_SUBST(ALWAYS_DEFINES)
-AC_SUBST(ISC_PLATFORM_USETHREADS)
-AC_SUBST(THREADOPTOBJS)
-AC_SUBST(THREADOPTSRCS)
-ISC_THREAD_DIR=$thread_dir
-AC_SUBST(ISC_THREAD_DIR)
-
-#
-# was --with-libxml2 specified?
-#
-AC_MSG_CHECKING(for libxml2 library)
-AC_ARG_WITH(libxml2,
-[  --with-libxml2[=PATH]     Build with libxml2 library [yes|no|path]],
-    use_libxml2="$withval", use_libxml2="auto")
-
-case "$use_libxml2" in
-	no)
-		DST_LIBXML2_INC=""
-		;;
-	auto|yes)
-		case X`(xml2-config --version) 2>/dev/null` in
-		X2.[[6789]].*)
-			libxml2_libs=`xml2-config --libs`
-			libxml2_cflags=`xml2-config --cflags`
-			;;
-		*)
-			libxml2_libs=
-			libxml2_cflags=
-			;;
-		esac
-		;;
-	*)
-		if test -f "$use_libxml2/bin/xml2-config" ; then
-			libxml2_libs=`$use_libxml2/bin/xml2-config --libs`
-			libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags`
-		fi
-		;;
-esac
-
-if test "X$libxml2_libs" != "X"
-then
-	AC_MSG_RESULT(yes)
-	CFLAGS="$CFLAGS $libxml2_cflags"
-	LIBS="$LIBS $libxml2_libs"
-	AC_DEFINE(HAVE_LIBXML2, 1, [Define if libxml2 was found])
-else
-	AC_MSG_RESULT(no)
-fi
-
-#
-# In solaris 10, SMF can manage named service
-#
-AC_CHECK_LIB(scf, smf_enable_instance)
-
-#
-# flockfile is usually provided by pthreads, but we may want to use it
-# even if compiled with --disable-threads.  getc_unlocked might also not
-# be defined.
-#
-AC_CHECK_FUNC(flockfile, AC_DEFINE(HAVE_FLOCKFILE),)
-AC_CHECK_FUNC(getc_unlocked, AC_DEFINE(HAVE_GETCUNLOCKED),)
-
-#
-# Indicate what the final decision was regarding threads.
-#
-AC_MSG_CHECKING(whether to build with threads)
-if $use_threads; then
-	AC_MSG_RESULT(yes)
-else
-	AC_MSG_RESULT(no)
-fi
-
-#
-# End of pthreads stuff.
-#
-
-#
-# Large File
-#
-AC_ARG_ENABLE(largefile, [  --enable-largefile	  64-bit file support],
-	      want_largefile="yes", want_largefile="no")
-case $want_largefile in
-	yes)
-		ALWAYS_DEFINES="$ALWAYS_DEFINES -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
-		;;
-	*)
-		;;
-esac
-
-#
-# Additional compiler settings.
-#
-MKDEPCC="$CC"
-MKDEPCFLAGS="-M"
-IRIX_DNSSEC_WARNINGS_HACK=""
-
-if test "X$GCC" = "Xyes"; then
-	AC_MSG_CHECKING(if "$CC" supports -fno-strict-aliasing)
-	SAVE_CFLAGS=$CFLAGS
-	CFLAGS="$CFLAGS -fno-strict-aliasing"
-	AC_TRY_COMPILE(,, [FNOSTRICTALIASING=yes],[FNOSTRICTALIASING=no])
-	CFLAGS=$SAVE_CFLAGS
-	if test "$FNOSTRICTALIASING" = "yes"; then
-		AC_MSG_RESULT(yes)
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
-	else
-		AC_MSG_RESULT(no)
-	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
-	fi
-	case "$host" in
-	*-hp-hpux*)
-		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
-		;;
-	esac
-else
-	case $host in
-	*-dec-osf*)
-		CC="$CC -std"
-		CCOPT="$CCOPT -std"
-		MKDEPCC="$CC"
-		;;
-	*-hp-hpux*)
-		CC="$CC -Ae -z"
-		# The version of the C compiler that constantly warns about
-		# 'const' as well as alignment issues is unfortunately not
-		# able to be discerned via the version of the operating
-		# system, nor does cc have a version flag.
-		case "`$CC +W 123 2>&1`" in
-		*Unknown?option*)
-			STD_CWARNINGS="+w1"
-			;;
-		*)
-			# Turn off the pointlessly noisy warnings.
-			STD_CWARNINGS="+w1 +W 474,530,2193,2236"
-			;;
-		esac
-		CCOPT="$CCOPT -Ae -z"
-		LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
-		MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
-		;;
-	*-sgi-irix*)
-		STD_CWARNINGS="-fullwarn -woff 1209"
-		#
-		# Silence more than 250 instances of
-		#   "prototyped function redeclared without prototype"
-		# and 11 instances of
-		#   "variable ... was set but never used"
-		# from lib/dns/sec/openssl.
-		#
-		IRIX_DNSSEC_WARNINGS_HACK="-woff 1692,1552"
-		;;
-	*-solaris*)
-		MKDEPCFLAGS="-xM"
-		;;
-	*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
-		# UnixWare
-		CC="$CC -w"
-		;;
-	esac
-fi
-
-AC_SUBST(MKDEPCC)
-AC_SUBST(MKDEPCFLAGS)
-AC_SUBST(MKDEPPROG)
-AC_SUBST(IRIX_DNSSEC_WARNINGS_HACK)
-
-#
-# NLS
-#
-AC_CHECK_FUNC(catgets, AC_DEFINE(HAVE_CATGETS),)
-
-#
-# -lxnet buys us one big porting headache...  standards, gotta love 'em.
-#
-# AC_CHECK_LIB(xnet, socket, ,
-#    AC_CHECK_LIB(socket, socket)
-# )
-#
-# Use this for now, instead:
-#
-case "$host" in
-	mips-sgi-irix*)
-		;;
-	*-linux*)
-		;;
-	*)
-		AC_CHECK_LIB(socket, socket)
-		AC_CHECK_LIB(nsl, inet_addr)
-		;;
-esac
-
-#
-# Work around Solaris's select() limitations.
-#
-case "$host" in
-	*-solaris2.[[89]]|*-solaris2.1?)
-	AC_DEFINE(FD_SETSIZE, 65536,
-		  [Solaris hack to get select_large_fdset.])
-	;;
-esac
-
-#
-# Purify support
-#
-AC_MSG_CHECKING(whether to use purify)
-AC_ARG_WITH(purify,
-	[  --with-purify[=PATH]      use Rational purify],
-	use_purify="$withval", use_purify="no")
-
-case "$use_purify" in
-	no)
-		;;
-	yes)
-		AC_PATH_PROG(purify_path, purify, purify)
-		;;
-	*)
-		purify_path="$use_purify"
-		;;
-esac
-
-case "$use_purify" in
-	no)
-		AC_MSG_RESULT(no)
-		PURIFY=""
-		;;
-	*)
-		if test -f $purify_path || test $purify_path = purify; then
-			AC_MSG_RESULT($purify_path)
-			PURIFYFLAGS="`echo $PURIFYOPTIONS`"
-			PURIFY="$purify_path $PURIFYFLAGS"
-		else
-			AC_MSG_ERROR([$purify_path not found.
-
-Please choose the proper path with the following command:
-
-    configure --with-purify=PATH
-])
-		fi
-		;;
-esac
-
-AC_SUBST(PURIFY)
-
-
-AC_ARG_WITH(libtool,
-	    [  --with-libtool          use GNU libtool],
-	    use_libtool="$withval", use_libtool="no")
-
-case $use_libtool in
-	yes)
-		AM_PROG_LIBTOOL
-		O=lo
-		A=la
-		LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
-		LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC'
-		LIBTOOL_MODE_INSTALL='--mode=install --tag=CC'
-		LIBTOOL_MODE_LINK='--mode=link --tag=CC'
-		case "$host" in
-		*) LIBTOOL_ALLOW_UNDEFINED= ;;
-		esac
-		case "$host" in
-		*-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;;
-		*) LIBTOOL_IN_MAIN= ;;
-		esac;
-		;;
-	*)
-		O=o
-		A=a
-		LIBTOOL=
-		AC_SUBST(LIBTOOL)
-		LIBTOOL_MKDEP_SED=
-		LIBTOOL_MODE_COMPILE=
-		LIBTOOL_MODE_INSTALL=
-		LIBTOOL_MODE_LINK=
-		LIBTOOL_ALLOW_UNDEFINED=
-		LIBTOOL_IN_MAIN=
-		;;
-esac
-
-#
-# enable/disable dumping stack backtrace.  Also check if the system supports
-# glibc-compatible backtrace() function.
-#
-AC_ARG_ENABLE(backtrace,
-[  --enable-backtrace      log stack backtrace on abort [[default=yes]]],
-	      want_backtrace="$enableval",  want_backtrace="yes")
-case $want_backtrace in
-yes)
-	ISC_PLATFORM_USEBACKTRACE="#define ISC_PLATFORM_USEBACKTRACE 1"
-	AC_TRY_LINK([#include <execinfo.h>],
-	[return (backtrace((void **)0, 0));],
-	[AC_DEFINE([HAVE_LIBCTRACE], [], [if system have backtrace function])],)
-	;;
-*)
-	ISC_PLATFORM_USEBACKTRACE="#undef ISC_PLATFORM_USEBACKTRACE"
-	;;
-esac
-AC_SUBST(ISC_PLATFORM_USEBACKTRACE)
-
-AC_ARG_ENABLE(symtable,
-[  --enable-symtable       use internal symbol table for backtrace
-                          [[all|minimal(default)|none]]],
-		want_symtable="$enableval",  want_symtable="minimal")
-case $want_symtable in
-yes|all|minimal)     # "yes" is a hidden value equivalent to "minimal"
-	if test "$PERL" = ""
-	then
-		AC_MSG_ERROR([Internal symbol table requires perl but no perl is found.
-Install perl or explicitly disable the feature by --disable-symtable.])
-	fi
-	if test "$use_libtool" = "yes"; then
-		AC_MSG_WARN([Internal symbol table does not work with libtool.  Disabling symbol table.])
-	else
-		# we generate the internal symbol table only for those systems
-		# known to work to avoid unexpected build failure.  Also, warn
-		# about unsupported systems when the feature is enabled
-		#  manually.
-		case $host_os in
-		freebsd*|netbsd*|openbsd*|linux*|solaris*|darwin*)
-			MKSYMTBL_PROGRAM="$PERL"
-			if test $want_symtable = all; then
-				ALWAYS_MAKE_SYMTABLE="yes"
-			fi
-			;;
-		*)
-			if test $want_symtable = yes -o $want_symtable = all
-			then
-				AC_MSG_WARN([this system is not known to generate internal symbol table safely; disabling it])
-			fi
-		esac
-	fi
-	;;
-*)
-	;;
-esac
-AC_SUBST(MKSYMTBL_PROGRAM)
-AC_SUBST(ALWAYS_MAKE_SYMTABLE)
-
-#
-# File name extension for static archive files, for those few places
-# where they are treated differently from dynamic ones.
-#
-SA=a
-
-AC_SUBST(O)
-AC_SUBST(A)
-AC_SUBST(SA)
-AC_SUBST(LIBTOOL_MKDEP_SED)
-AC_SUBST(LIBTOOL_MODE_COMPILE)
-AC_SUBST(LIBTOOL_MODE_INSTALL)
-AC_SUBST(LIBTOOL_MODE_LINK)
-AC_SUBST(LIBTOOL_ALLOW_UNDEFINED)
-AC_SUBST(LIBTOOL_IN_MAIN)
-
-#
-# build exportable DNS library?
-#
-AC_ARG_ENABLE(exportlib,
-	[  --enable-exportlib	  build exportable library (GNU make required)
-                          [[default=no]]])
-case "$enable_exportlib" in
-	yes)
-		gmake=
-		for x in gmake gnumake make; do
-			if $x --version 2>/dev/null | grep GNU > /dev/null; then
-				gmake=$x
-				break;
-			fi
-		done
-		if test -z "$gmake"; then
-			AC_MSG_ERROR([exportlib requires GNU make.  Install it or disable the feature.])
-		fi
-		LIBEXPORT=lib/export
-		AC_SUBST(LIBEXPORT)
-		BIND9_CO_RULE="%.$O:  \${srcdir}/%.c"
-		;;
-	no|*)
-		BIND9_CO_RULE=".c.$O:"
-		;;
-esac
-AC_SUBST(BIND9_CO_RULE)
-
-AC_ARG_WITH(export-libdir,
-	[  --with-export-libdir[=PATH]
-                          installation directory for the export library
-                          [[EPREFIX/lib/bind9]]],
-	export_libdir="$withval",)
-if test -z "$export_libdir"; then
-	export_libdir="\${exec_prefix}/lib/bind9/"
-fi
-AC_SUBST(export_libdir)
-
-AC_ARG_WITH(export-includedir,
-	[  --with-export-includedir[=PATH]
-                          installation directory for the header files of the
-                          export library [[PREFIX/include/bind9]]],
-	export_includedir="$withval",)
-if test -z "$export_includedir"; then
-	export_includedir="\${prefix}/include/bind9/"
-fi
-AC_SUBST(export_includedir)
-
-#
-# Here begins a very long section to determine the system's networking
-# capabilities.  The order of the tests is significant.
-#
-
-#
-# IPv6
-#
-AC_ARG_ENABLE(ipv6,
-	[  --enable-ipv6           use IPv6 [default=autodetect]])
-
-case "$enable_ipv6" in
-	yes|''|autodetect)
-		AC_DEFINE(WANT_IPV6)
-		;;
-	no)
-		;;
-esac
-
-#
-# We do the IPv6 compilation checking after libtool so that we can put
-# the right suffix on the files.
-#
-AC_MSG_CHECKING(for IPv6 structures)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>],
-[struct sockaddr_in6 sin6; return (0);],
-	[AC_MSG_RESULT(yes)
-	 found_ipv6=yes],
-	[AC_MSG_RESULT(no)
-	 found_ipv6=no])
-
-#
-# See whether IPv6 support is provided via a Kame add-on.
-# This is done before other IPv6 linking tests to LIBS is properly set.
-#
-AC_MSG_CHECKING(for Kame IPv6 support)
-AC_ARG_WITH(kame,
-	[  --with-kame[=PATH]	  use Kame IPv6 [default path /usr/local/v6]],
-	use_kame="$withval", use_kame="no")
-
-case "$use_kame" in
-	no)
-		;;
-	yes)
-		kame_path=/usr/local/v6
-		;;
-	*)
-		kame_path="$use_kame"
-		;;
-esac
-
-case "$use_kame" in
-	no)
-		AC_MSG_RESULT(no)
-		;;
-	*)
-		if test -f $kame_path/lib/libinet6.a; then
-			AC_MSG_RESULT($kame_path/lib/libinet6.a)
-			LIBS="-L$kame_path/lib -linet6 $LIBS"
-		else
-			AC_MSG_ERROR([$kame_path/lib/libinet6.a not found.
-
-Please choose the proper path with the following command:
-
-    configure --with-kame=PATH
-])
-		fi
-		;;
-esac
-
-#
-# Whether netinet6/in6.h is needed has to be defined in isc/platform.h.
-# Including it on Kame-using platforms is very bad, though, because
-# Kame uses #error against direct inclusion.   So include it on only
-# the platform that is otherwise broken without it -- BSD/OS 4.0 through 4.1.
-# This is done before the in6_pktinfo check because that's what
-# netinet6/in6.h is needed for.
-#
-changequote({, })
-case "$host" in
-*-bsdi4.[01]*)
-	ISC_PLATFORM_NEEDNETINET6IN6H="#define ISC_PLATFORM_NEEDNETINET6IN6H 1"
-	LWRES_PLATFORM_NEEDNETINET6IN6H="#define LWRES_PLATFORM_NEEDNETINET6IN6H 1"
-	isc_netinet6in6_hack="#include <netinet6/in6.h>"
-	;;
-*)
-	ISC_PLATFORM_NEEDNETINET6IN6H="#undef ISC_PLATFORM_NEEDNETINET6IN6H"
-	LWRES_PLATFORM_NEEDNETINET6IN6H="#undef LWRES_PLATFORM_NEEDNETINET6IN6H"
-	isc_netinet6in6_hack=""
-	;;
-esac
-changequote([, ])
-
-#
-# This is similar to the netinet6/in6.h issue.
-#
-case "$host" in
-*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
-	# UnixWare
-	ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
-	LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
-	ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
-	isc_netinetin6_hack="#include <netinet/in6.h>"
-	;;
-*)
-	ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
-	LWRES_PLATFORM_NEEDNETINETIN6H="#undef LWRES_PLATFORM_NEEDNETINETIN6H"
-	ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
-	isc_netinetin6_hack=""
-	;;
-esac
-
-#
-# Now delve deeper into the suitability of the IPv6 support.
-#
-case "$found_ipv6" in
-	yes)
-		ISC_PLATFORM_HAVEIPV6="#define ISC_PLATFORM_HAVEIPV6 1"
-		LWRES_PLATFORM_HAVEIPV6="#define LWRES_PLATFORM_HAVEIPV6 1"
-
-		AC_MSG_CHECKING(for in6_addr)
-		AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
-[struct in6_addr in6; return (0);],
-		[AC_MSG_RESULT(yes)
-		 ISC_PLATFORM_HAVEINADDR6="#undef ISC_PLATFORM_HAVEINADDR6"
-		 LWRES_PLATFORM_HAVEINADDR6="#undef LWRES_PLATFORM_HAVEINADDR6"
-		 isc_in_addr6_hack=""],
-		[AC_MSG_RESULT(no)
-		 ISC_PLATFORM_HAVEINADDR6="#define ISC_PLATFORM_HAVEINADDR6 1"
-		 LWRES_PLATFORM_HAVEINADDR6="#define LWRES_PLATFORM_HAVEINADDR6 1"
-		 isc_in_addr6_hack="#define in6_addr in_addr6"])
-
-		AC_MSG_CHECKING(for in6addr_any)
-		AC_TRY_LINK([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-$isc_in_addr6_hack
-],
-		[struct in6_addr in6; in6 = in6addr_any; return (in6.s6_addr[0]);],
-			[AC_MSG_RESULT(yes)
-			 ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
-			 LWRES_PLATFORM_NEEDIN6ADDRANY="#undef LWRES_PLATFORM_NEEDIN6ADDRANY"],
-			[AC_MSG_RESULT(no)
-			 ISC_PLATFORM_NEEDIN6ADDRANY="#define ISC_PLATFORM_NEEDIN6ADDRANY 1"
-			 LWRES_PLATFORM_NEEDIN6ADDRANY="#define LWRES_PLATFORM_NEEDIN6ADDRANY 1"])
-
-		AC_MSG_CHECKING(for in6addr_loopback)
-		AC_TRY_LINK([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-$isc_in_addr6_hack
-],
-		[struct in6_addr in6; in6 = in6addr_loopback; return (in6.s6_addr[0]);],
-			[AC_MSG_RESULT(yes)
-			 ISC_PLATFORM_NEEDIN6ADDRLOOPBACK="#undef ISC_PLATFORM_NEEDIN6ADDRLOOPBACK"
-			 LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK="#undef LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK"],
-			[AC_MSG_RESULT(no)
-			 ISC_PLATFORM_NEEDIN6ADDRLOOPBACK="#define ISC_PLATFORM_NEEDIN6ADDRLOOPBACK 1"
-			 LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK="#define LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK 1"])
-
-		AC_MSG_CHECKING(for sin6_scope_id in struct sockaddr_in6)
-		AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
-		[struct sockaddr_in6 xyzzy; xyzzy.sin6_scope_id = 0; return (0);],
-			[AC_MSG_RESULT(yes)
-			 ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
-			 result="#define LWRES_HAVE_SIN6_SCOPE_ID 1"],
-			[AC_MSG_RESULT(no)
-			 ISC_PLATFORM_HAVESCOPEID="#undef ISC_PLATFORM_HAVESCOPEID"
-			 result="#undef LWRES_HAVE_SIN6_SCOPE_ID"])
-		LWRES_HAVE_SIN6_SCOPE_ID="$result"
-
-		AC_MSG_CHECKING(for in6_pktinfo)
-		AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
-		[struct in6_pktinfo xyzzy; return (0);],
-			[AC_MSG_RESULT(yes)
-			 ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"],
-			[AC_MSG_RESULT(no -- disabling runtime ipv6 support)
-			 ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"])
-		;;
-	no)
-		ISC_PLATFORM_HAVEIPV6="#undef ISC_PLATFORM_HAVEIPV6"
-		LWRES_PLATFORM_HAVEIPV6="#undef LWRES_PLATFORM_HAVEIPV6"
-		ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
-		LWRES_PLATFORM_NEEDIN6ADDRANY="#undef LWRES_PLATFORM_NEEDIN6ADDRANY"
-		ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
-		LWRES_HAVE_SIN6_SCOPE_ID="#define LWRES_HAVE_SIN6_SCOPE_ID 1"
-		ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
-		ISC_IPV6_H="ipv6.h"
-		ISC_IPV6_O="ipv6.$O"
-		ISC_ISCIPV6_O="unix/ipv6.$O"
-		ISC_IPV6_C="ipv6.c"
-		;;
-esac
-
-AC_SUBST(ISC_PLATFORM_HAVEIPV6)
-AC_SUBST(LWRES_PLATFORM_HAVEIPV6)
-AC_SUBST(ISC_PLATFORM_NEEDNETINETIN6H)
-AC_SUBST(LWRES_PLATFORM_NEEDNETINETIN6H)
-AC_SUBST(ISC_PLATFORM_NEEDNETINET6IN6H)
-AC_SUBST(LWRES_PLATFORM_NEEDNETINET6IN6H)
-AC_SUBST(ISC_PLATFORM_HAVEINADDR6)
-AC_SUBST(LWRES_PLATFORM_HAVEINADDR6)
-AC_SUBST(ISC_PLATFORM_NEEDIN6ADDRANY)
-AC_SUBST(LWRES_PLATFORM_NEEDIN6ADDRANY)
-AC_SUBST(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
-AC_SUBST(LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK)
-AC_SUBST(ISC_PLATFORM_HAVEIN6PKTINFO)
-AC_SUBST(ISC_PLATFORM_FIXIN6ISADDR)
-AC_SUBST(ISC_IPV6_H)
-AC_SUBST(ISC_IPV6_O)
-AC_SUBST(ISC_ISCIPV6_O)
-AC_SUBST(ISC_IPV6_C)
-AC_SUBST(LWRES_HAVE_SIN6_SCOPE_ID)
-AC_SUBST(ISC_PLATFORM_HAVESCOPEID)
-
-AC_MSG_CHECKING([for struct if_laddrreq])
-AC_TRY_LINK([
-#include <sys/types.h>
-#include <net/if6.h>
-],[ struct if_laddrreq a; ],
-	[AC_MSG_RESULT(yes)
-	ISC_PLATFORM_HAVEIF_LADDRREQ="#define ISC_PLATFORM_HAVEIF_LADDRREQ 1"],
-	[AC_MSG_RESULT(no)
-	ISC_PLATFORM_HAVEIF_LADDRREQ="#undef ISC_PLATFORM_HAVEIF_LADDRREQ"])
-AC_SUBST(ISC_PLATFORM_HAVEIF_LADDRREQ)
-
-AC_MSG_CHECKING([for struct if_laddrconf])
-AC_TRY_LINK([
-#include <sys/types.h>
-#include <net/if6.h>
-],[ struct if_laddrconf a; ],
-	[AC_MSG_RESULT(yes)
-	ISC_PLATFORM_HAVEIF_LADDRCONF="#define ISC_PLATFORM_HAVEIF_LADDRCONF 1"],
-	[AC_MSG_RESULT(no)
-	ISC_PLATFORM_HAVEIF_LADDRCONF="#undef ISC_PLATFORM_HAVEIF_LADDRCONF"])
-AC_SUBST(ISC_PLATFORM_HAVEIF_LADDRCONF)
-
-#
-# Check for network functions that are often missing.  We do this
-# after the libtool checking, so we can put the right suffix on
-# the files.  It also needs to come after checking for a Kame add-on,
-# which provides some (all?) of the desired functions.
-#
-
-AC_MSG_CHECKING([for inet_ntop with IPv6 support])
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-main() {
-char a[16],b[64]; return(inet_ntop(AF_INET6, a, b, sizeof(b)) == (char*)0);}],
-	[AC_MSG_RESULT(yes)
-	ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
-
-	[AC_MSG_RESULT(no)
-	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
-	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
-	ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"],
-	[AC_MSG_RESULT(assuming inet_ntop not needed)
-	ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"])
-
-
-# On NetBSD 1.4.2 and maybe others, inet_pton() incorrectly accepts
-# addresses with less than four octets, like "1.2.3".  Also leading
-# zeros should also be rejected.
-
-AC_MSG_CHECKING([for working inet_pton with IPv6 support])
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-main() { char a[16]; return (inet_pton(AF_INET, "1.2.3", a) == 1 ? 1 :
-			     inet_pton(AF_INET, "1.2.3.04", a) == 1 ? 1 :
-			     (inet_pton(AF_INET6, "::1.2.3.4", a) != 1)); }],
-	[AC_MSG_RESULT(yes)
-	ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
-	[AC_MSG_RESULT(no)
-	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
-	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
-	ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
-	[AC_MSG_RESULT(assuming inet_pton needed)
-	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
-	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
-	ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"])
-
-AC_SUBST(ISC_PLATFORM_NEEDNTOP)
-AC_SUBST(ISC_PLATFORM_NEEDPTON)
-
-#
-# Look for a 4.4BSD-style sa_len member in struct sockaddr.
-#
-case "$host" in
-	*-dec-osf*)
-		# Turn on 4.4BSD style sa_len support.
-		AC_DEFINE(_SOCKADDR_LEN)
-		;;
-esac
-
-AC_MSG_CHECKING(for sa_len in struct sockaddr)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>],
-[struct sockaddr sa; sa.sa_len = 0; return (0);],
-	[AC_MSG_RESULT(yes)
-	ISC_PLATFORM_HAVESALEN="#define ISC_PLATFORM_HAVESALEN 1"
-	LWRES_PLATFORM_HAVESALEN="#define LWRES_PLATFORM_HAVESALEN 1"],
-	[AC_MSG_RESULT(no)
-	ISC_PLATFORM_HAVESALEN="#undef ISC_PLATFORM_HAVESALEN"
-	LWRES_PLATFORM_HAVESALEN="#undef LWRES_PLATFORM_HAVESALEN"])
-AC_SUBST(ISC_PLATFORM_HAVESALEN)
-AC_SUBST(LWRES_PLATFORM_HAVESALEN)
-
-#
-# Look for a 4.4BSD or 4.3BSD struct msghdr
-#
-AC_MSG_CHECKING(for struct msghdr flavor)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>],
-[struct msghdr msg; msg.msg_flags = 0; return (0);],
-	[AC_MSG_RESULT(4.4BSD)
-	ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"],
-	[AC_MSG_RESULT(4.3BSD)
-	ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"])
-AC_SUBST(ISC_PLATFORM_MSGHDRFLAVOR)
-
-#
-# Look for in_port_t.
-#
-AC_MSG_CHECKING(for type in_port_t)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <netinet/in.h>],
-[in_port_t port = 25; return (0);],
-	[AC_MSG_RESULT(yes)
-	ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"],
-	[AC_MSG_RESULT(no)
-	ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"])
-AC_SUBST(ISC_PLATFORM_NEEDPORTT)
-
-#
-# Check for addrinfo
-#
-AC_MSG_CHECKING(for struct addrinfo)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[struct addrinfo a; return (0);],
-	[AC_MSG_RESULT(yes)
-	ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO"
-	ISC_IRS_NEEDADDRINFO="#undef ISC_IRS_NEEDADDRINFO"
-	AC_DEFINE(HAVE_ADDRINFO)],
-	[AC_MSG_RESULT(no)
-	ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"
-	ISC_IRS_NEEDADDRINFO="#define ISC_IRS_NEEDADDRINFO 1"])
-AC_SUBST(ISC_LWRES_NEEDADDRINFO)
-AC_SUBST(ISC_IRS_NEEDADDRINFO)
-
-#
-# Check for rrsetinfo
-#
-AC_MSG_CHECKING(for struct rrsetinfo)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[struct rrsetinfo r; return (0);],
-	[AC_MSG_RESULT(yes)
-	ISC_LWRES_NEEDRRSETINFO="#undef ISC_LWRES_NEEDRRSETINFO"],
-	[AC_MSG_RESULT(no)
-	ISC_LWRES_NEEDRRSETINFO="#define ISC_LWRES_NEEDRRSETINFO 1"])
-AC_SUBST(ISC_LWRES_NEEDRRSETINFO)
-
-AC_MSG_CHECKING(for int sethostent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = sethostent(0); return(0);],
-	[AC_MSG_RESULT(yes)
-	ISC_LWRES_SETHOSTENTINT="#define ISC_LWRES_SETHOSTENTINT 1"],
-	[AC_MSG_RESULT(no)
-	ISC_LWRES_SETHOSTENTINT="#undef ISC_LWRES_SETHOSTENTINT"])
-AC_SUBST(ISC_LWRES_SETHOSTENTINT)
-
-AC_MSG_CHECKING(for int endhostent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = endhostent(); return(0);],
-	[AC_MSG_RESULT(yes)
-	ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"],
-	[AC_MSG_RESULT(no)
-	ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"])
-AC_SUBST(ISC_LWRES_ENDHOSTENTINT)
-
-AC_MSG_CHECKING(for getnetbyaddr(in_addr_t, ...))
-AC_TRY_COMPILE([
-#include <netdb.h>
-struct netent *getnetbyaddr(in_addr_t, int);],
-[],
-	[AC_MSG_RESULT(yes)
-	ISC_LWRES_GETNETBYADDRINADDR="#define ISC_LWRES_GETNETBYADDRINADDR 1"],
-	[AC_MSG_RESULT(no)
-	ISC_LWRES_GETNETBYADDRINADDR="#undef ISC_LWRES_GETNETBYADDRINADDR"])
-AC_SUBST(ISC_LWRES_GETNETBYADDRINADDR)
-
-AC_MSG_CHECKING(for int setnetent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = setnetent(0); return(0);],
-	[AC_MSG_RESULT(yes)
-	ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"],
-	[AC_MSG_RESULT(no)
-	ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT"])
-AC_SUBST(ISC_LWRES_SETNETENTINT)
-
-AC_MSG_CHECKING(for int endnetent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = endnetent(); return(0);],
-	[AC_MSG_RESULT(yes)
-	ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"],
-	[AC_MSG_RESULT(no)
-	ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"])
-AC_SUBST(ISC_LWRES_ENDNETENTINT)
-
-AC_MSG_CHECKING(for gethostbyaddr(const void *, size_t, ...))
-AC_TRY_COMPILE([
-#include <netdb.h>
-struct hostent *gethostbyaddr(const void *, size_t, int);],
-[return(0);],
-	[AC_MSG_RESULT(yes)
-	ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"],
-	[AC_MSG_RESULT(no)
-	ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"])
-AC_SUBST(ISC_LWRES_GETHOSTBYADDRVOID)
-
-AC_MSG_CHECKING(for h_errno in netdb.h)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[h_errno = 1; return(0);],
-	[AC_MSG_RESULT(yes)
-	ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"],
-	[AC_MSG_RESULT(no)
-	ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"])
-AC_SUBST(ISC_LWRES_NEEDHERRNO)
-
-#
-# Sadly, the definitions of system-supplied getnameinfo(3) vary.  Try to catch
-# known variations here:
-#
-AC_MSG_CHECKING(for getnameinfo prototype definitions)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-int getnameinfo(const struct sockaddr *, socklen_t, char *,
-                socklen_t, char *, socklen_t, unsigned int);],
-[ return (0);],
-	[AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
-	 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
-		   [Define to the buffer length type used by getnameinfo(3).])
-	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
-		   [Define to the flags type used by getnameinfo(3).])],
-[AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-int getnameinfo(const struct sockaddr *, socklen_t, char *,
-                size_t, char *, size_t, int);],
-[ return (0);],
-	[AC_MSG_RESULT(size_t for buflen; int for flags)
-	 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
-	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)],
-[AC_MSG_RESULT(not match any subspecies; assume standard definition)
-AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])
-
-#
-# ...and same for gai_strerror().
-#
-AC_MSG_CHECKING(for gai_strerror prototype definitions)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-char *gai_strerror(int ecode);],
-[ return (0); ],
-	[AC_MSG_RESULT(returning char *)
-	 AC_DEFINE([IRS_GAISTRERROR_RETURN_T], [char *],
-	 [return type of gai_strerror])],
-[AC_MSG_RESULT(not match any subspecies; assume standard definition)
-AC_DEFINE([IRS_GAISTRERROR_RETURN_T], [const char *])])
-
-AC_CHECK_FUNC(getipnodebyname,
-	[ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
-	[ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
-AC_CHECK_FUNC(getnameinfo,
-	[ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"],
-	[ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"])
-AC_CHECK_FUNC(getaddrinfo,
-	[ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
-	AC_DEFINE(HAVE_GETADDRINFO)],
-	[ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"])
-AC_CHECK_FUNC(gai_strerror, AC_DEFINE(HAVE_GAISTRERROR))
-AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
-AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
-AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
-AC_SUBST(ISC_IRS_GETNAMEINFOSOCKLEN)
-
-AC_ARG_ENABLE(getifaddrs,
-[  --enable-getifaddrs     Enable the use of getifaddrs() [[yes|no]].],
-    want_getifaddrs="$enableval",  want_getifaddrs="yes")
-
-#
-# This interface iteration code for getifaddrs() will fall back to using
-# /proc/net/if_inet6 if getifaddrs() in glibc doesn't return any IPv6
-# addresses.
-#
-case $want_getifaddrs in
-glibc)
-AC_MSG_WARN("--enable-getifaddrs=glibc is no longer required")
-AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
-;;
-yes)
-AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
-;;
-no)
-;;
-esac
-
-#
-# Look for a sysctl call to get the list of network interfaces.
-#
-case $ac_cv_header_sys_sysctl_h in
-yes)
-AC_MSG_CHECKING(for interface list sysctl)
-AC_EGREP_CPP(found_rt_iflist, [
-#include <sys/param.h>
-#include <sys/sysctl.h>
-#include <sys/socket.h>
-#ifdef NET_RT_IFLIST
-found_rt_iflist
-#endif
-],
-	[AC_MSG_RESULT(yes)
-	 AC_DEFINE(HAVE_IFLIST_SYSCTL)],
-	[AC_MSG_RESULT(no)])
-;;
-esac
-
-#
-# Check for some other useful functions that are not ever-present.
-#
-
-# We test for strsep() using AC_TRY_LINK instead of AC_CHECK_FUNC
-# because AIX 4.3.3 with patches for bos.adt.include to version 4.3.3.77
-# reportedly defines strsep() without declaring it in <string.h> when
-# -D_LINUX_SOURCE_COMPAT is not defined [RT #2190], and
-# AC_CHECK_FUNC() incorrectly succeeds because it declares
-# the function itself.
-AC_MSG_CHECKING(for correctly declared strsep())
-AC_TRY_LINK([#include <string.h>], [char *sp; char *foo = strsep(&sp, ".");],
-	[AC_MSG_RESULT(yes); ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"],
-	[AC_MSG_RESULT(no); ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"])
-AC_SUBST(ISC_PLATFORM_NEEDSTRSEP)
-
-AC_CHECK_FUNC(memmove,
-	[ISC_PLATFORM_NEEDMEMMOVE="#undef ISC_PLATFORM_NEEDMEMMOVE"],
-	[ISC_PLATFORM_NEEDMEMMOVE="#define ISC_PLATFORM_NEEDMEMMOVE 1"])
-AC_SUBST(ISC_PLATFORM_NEEDMEMMOVE)
-
-AC_CHECK_FUNC(strtoul,
-	[ISC_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"
-	 LWRES_PLATFORM_NEEDSTRTOUL="#undef LWRES_PLATFORM_NEEDSTRTOUL"
-	 GENRANDOMLIB=""],
-	[ISC_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"
-	 LWRES_PLATFORM_NEEDSTRTOUL="#define LWRES_PLATFORM_NEEDSTRTOUL 1"
-	 GENRANDOMLIB='${ISCLIBS}'])
-AC_SUBST(ISC_PLATFORM_NEEDSTRTOUL)
-AC_SUBST(LWRES_PLATFORM_NEEDSTRTOUL)
-AC_SUBST(GENRANDOMLIB)
-
-AC_CHECK_FUNC(strlcpy,
-	[ISC_PLATFORM_NEEDSTRLCPY="#undef ISC_PLATFORM_NEEDSTRLCPY"],
-	[ISC_PLATFORM_NEEDSTRLCPY="#define ISC_PLATFORM_NEEDSTRLCPY 1"])
-AC_SUBST(ISC_PLATFORM_NEEDSTRLCPY)
-
-AC_CHECK_FUNC(strlcat,
-	[ISC_PLATFORM_NEEDSTRLCAT="#undef ISC_PLATFORM_NEEDSTRLCAT"],
-	[ISC_PLATFORM_NEEDSTRLCAT="#define ISC_PLATFORM_NEEDSTRLCAT 1"])
-AC_SUBST(ISC_PLATFORM_NEEDSTRLCAT)
-
-
-AC_SUBST(READLINE_LIB)
-AC_ARG_WITH(readline,
-        [  --with-readline[=LIBSPEC]    specify readline library [default -lreadline]],
-        readline="$withval", readline="-lreadline")
-case "$readline" in
-no)	;;
-*)
-	if test "x$readline" = "xyes"
-	then
-		readline=-lreadline
-	fi
-	saved_LIBS="$LIBS"
-	LIBS="$readline"
-	AC_CHECK_FUNCS(readline)
-	if test "$ac_cv_func_readline" = "yes"
-	then
-		READLINE_LIB="$readline"
-	fi
-	LIBS="$saved_LIBS"
-        ;;
-esac
-
-ISC_PRINT_OBJS=
-ISC_PRINT_SRCS=
-AC_MSG_CHECKING(sprintf)
-AC_TRY_COMPILE([
-#include <stdio.h>
-],
-[ char buf[2]; return(*sprintf(buf,"x"));],
-[
-ISC_PRINT_OBJS="print.$O"
-ISC_PRINT_SRCS="print.c"
-ISC_PLATFORM_NEEDSPRINTF="#define ISC_PLATFORM_NEEDSPRINTF"
-LWRES_PLATFORM_NEEDSPRINTF="#define LWRES_PLATFORM_NEEDSPRINTF"
-],
-[ISC_PLATFORM_NEEDSPRINTF="#undef ISC_PLATFORM_NEEDSPRINTF"
- LWRES_PLATFORM_NEEDSPRINTF="#undef LWRES_PLATFORM_NEEDSPRINTF"]
-)
-AC_SUBST(ISC_PLATFORM_NEEDSPRINTF)
-AC_SUBST(LWRES_PLATFORM_NEEDSPRINTF)
-
-AC_CHECK_FUNC(vsnprintf,
-	[ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"
-	 LWRES_PLATFORM_NEEDVSNPRINTF="#undef LWRES_PLATFORM_NEEDVSNPRINTF"],
-	[ISC_PRINT_OBJS="print.$O"
-	 ISC_PRINT_SRCS="print.c"
-	 ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"
-	 LWRES_PLATFORM_NEEDVSNPRINTF="#define LWRES_PLATFORM_NEEDVSNPRINTF 1"])
-AC_SUBST(ISC_PLATFORM_NEEDVSNPRINTF)
-AC_SUBST(LWRES_PLATFORM_NEEDVSNPRINTF)
-ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS $ISC_PRINT_OBJS"
-ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS $ISC_PRINT_SRCS"
-
-AC_CHECK_FUNC(strerror, AC_DEFINE(HAVE_STRERROR))
-
-AC_SUBST(ISC_EXTRA_OBJS)
-AC_SUBST(ISC_EXTRA_SRCS)
-
-#
-# Use our own SPNEGO implementation?
-#
-AC_ARG_ENABLE(isc-spnego,
-	[  --disable-isc-spnego    use SPNEGO from GSSAPI library])
-
-if test -n "$USE_GSSAPI"
-then
-	case "$enable_isc_spnego" in
-		yes|'')
-			USE_ISC_SPNEGO='-DUSE_ISC_SPNEGO'
-			DST_EXTRA_OBJS="$DST_EXTRA_OBJS spnego.$O"
-			DST_EXTRA_SRCS="$DST_EXTRA_SRCS spnego.c"
-			AC_MSG_RESULT(using SPNEGO from lib/dns)
-			;;
-		no)
-			AC_MSG_RESULT(using SPNEGO from GSSAPI library)
-			;;
-	esac
-fi
-
-AC_SUBST(USE_ISC_SPNEGO)
-
-AC_SUBST(DST_EXTRA_OBJS)
-AC_SUBST(DST_EXTRA_SRCS)
-
-# Determine the printf format characters to use when printing
-# values of type isc_int64_t. This will normally be "ll", but where
-# the compiler treats "long long" as a alias for "long" and printf
-# doesn't know about "long long" use "l".  Hopefully the sprintf
-# will produce a inconsistent result in the later case.  If the compiler
-# fails due to seeing "%lld" we fall back to "l".
-#
-# Digital Unix 4.0 (gcc?) (long long) is 64 bits as is its long. It uses
-# %ld even for (long long)/
-#
-# Win32 uses "%I64d", but that's defined elsewhere since we don't use
-# configure on Win32.
-#
-AC_MSG_CHECKING(printf format modifier for 64-bit integers)
-AC_TRY_RUN([
-#include <stdio.h>
-main() {
-	long long int j = 0;
-	char buf[100];
-	buf[0] = 0;
-	sprintf(buf, "%lld", j);
-	exit((sizeof(long long int) != sizeof(long int))? 0 :
-	     (strcmp(buf, "0") != 0));
-}
-],
-	[AC_MSG_RESULT(ll)
-	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
-	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'],
-	[AC_MSG_RESULT(l)
-	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'
-	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "l"'],
-	[AC_MSG_RESULT(assuming target platform uses ll)
-	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
-	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'])
-AC_SUBST(ISC_PLATFORM_QUADFORMAT)
-AC_SUBST(LWRES_PLATFORM_QUADFORMAT)
-
-#
-# Security Stuff
-#
-# Note it is very recommended to *not* disable chroot(),
-# this is only because chroot() was made obsolete by Posix.
-AC_ARG_ENABLE(chroot,
-	[  --disable-chroot        disable chroot])
-case "$enable_chroot" in
-	yes|'')
-		AC_CHECK_FUNCS(chroot)
-		;;
-	no)
-		;;
-esac
-AC_ARG_ENABLE(linux-caps,
-	[  --disable-linux-caps	  disable linux capabilities])
-case "$enable_linux_caps" in
-	yes|'')
-		AC_CHECK_HEADERS(linux/capability.h sys/capability.h)
-		AC_CHECK_LIB(cap, cap_set_proc)
-		;;
-	no)
-		;;
-esac
-AC_CHECK_HEADERS(sys/prctl.h)
-
-AC_CHECK_HEADERS(sys/un.h,
-ISC_PLATFORM_HAVESYSUNH="#define ISC_PLATFORM_HAVESYSUNH 1"
-,
-ISC_PLATFORM_HAVESYSUNH="#undef ISC_PLATFORM_HAVESYSUNH"
-)
-AC_SUBST(ISC_PLATFORM_HAVESYSUNH)
-
-case "$host" in
-*-solaris*)
-	AC_DEFINE(NEED_SECURE_DIRECTORY, 1,
-		  [Define if connect does not honour the permission on the UNIX domain socket.])
-	;;
-*-sunos*)
-	AC_DEFINE(NEED_SECURE_DIRECTORY, 1,
-		  [Define if connect does not honour the permission on the UNIX domain socket.])
-	;;
-esac
-
-#
-# Time Zone Stuff
-#
-AC_CHECK_FUNC(tzset, AC_DEFINE(HAVE_TZSET))
-
-AC_MSG_CHECKING(for optarg declaration)
-AC_TRY_COMPILE([
-#include <unistd.h>
-],
-[optarg = 0;],
-[AC_MSG_RESULT(yes)],
-[AC_MSG_RESULT(no)
-GEN_NEED_OPTARG="-DNEED_OPTARG=1"
-AC_DEFINE(NEED_OPTARG, 1, [Defined if extern char *optarg is not declared.])])
-
-#
-# BSD/OS, and perhaps some others, don't define rlim_t.
-#
-AC_MSG_CHECKING(for type rlim_t)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>],
-[rlim_t rl = 19671212; return (0);],
-[AC_MSG_RESULT(yes)
- ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE rlim_t"],
-[AC_MSG_RESULT(no)
-
-AC_MSG_CHECKING(type of rlim_cur)
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-main() { struct rlimit r; exit(!(sizeof(r.rlim_cur) == sizeof(int)));}],
-[AC_MSG_RESULT(int)
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE int"],
-[
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-main() { struct rlimit r; exit(!(sizeof(r.rlim_cur) == sizeof(long int)));}],
-[AC_MSG_RESULT(long int)
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long int"],
-[
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-main() { struct rlimit r; exit((!sizeof(r.rlim_cur) == sizeof(long long int)));}],
-[AC_MSG_RESULT(long long int)
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"],
-[AC_MSG_ERROR([unable to determine sizeof rlim_cur])
-],[AC_MSG_ERROR(this cannot happen)])
-],[AC_MSG_ERROR(this cannot happen)])
-],[
-AC_ARG_WITH(rlimtype, , rlimtype="$withval", rlimtype="long long int")
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE $rlimtype"
-AC_MSG_RESULT(cannot determine type of rlim_cur when cross compiling - assuming $rlimtype)])
-])
-AC_SUBST(ISC_PLATFORM_RLIMITTYPE)
-
-#
-# Older HP-UX doesn't have gettune
-#
-case "$host" in
-  	*-hp-hpux*)
-		AC_CHECK_HEADERS(sys/dyntune.h)
-		;;
-	*)
-		;;
-esac
-
-
-#
-# Compaq TruCluster requires more code for handling cluster IP aliases
-#
-case "$host" in
-	*-dec-osf*)
-		AC_CHECK_LIB(clua, clua_getaliasaddress, LIBS="-lclua $LIBS")
-		AC_CHECK_FUNC(clua_getaliasaddress,
-				AC_DEFINE(HAVE_TRUCLUSTER, 1,
-					[Define if running under Compaq TruCluster]))
-		;;
-	*)
-		;;
-esac
-
-#
-# Some hosts need msg_namelen to match the size of the socket structure.
-# Some hosts don't set msg_namelen appropriately on return from recvmsg().
-#
-case $host in
-*os2*|*hp-mpeix*)
-	AC_DEFINE(BROKEN_RECVMSG, 1,
-		  [Define if recvmsg() does not meet all of the BSD socket API specifications.])
-	;;
-esac
-
-#
-# Microsoft has their own way of handling shared libraries that requires
-# additional qualifiers on extern variables.  Unix systems don't need it.
-#
-AC_SUBST(ISC_PLATFORM_USEDECLSPEC)
-ISC_PLATFORM_USEDECLSPEC="#undef ISC_PLATFORM_USEDECLSPEC"
-AC_SUBST(LWRES_PLATFORM_USEDECLSPEC)
-LWRES_PLATFORM_USEDECLSPEC="#undef LWRES_PLATFORM_USEDECLSPEC"
-AC_SUBST(IRS_PLATFORM_USEDECLSPEC)
-IRS_PLATFORM_USEDECLSPEC="#undef IRS_PLATFORM_USEDECLSPEC"
-
-#
-# Random remaining OS-specific issues involving compiler warnings.
-# XXXDCL print messages to indicate some compensation is being done?
-#
-AC_SUBST(ISC_PLATFORM_BRACEPTHREADONCEINIT)
-ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
-
-case "$host" in
-	*-aix5.[[123]].*)
-		hack_shutup_pthreadonceinit=yes
-		;;
-	*-bsdi3.1*)
-		hack_shutup_sputaux=yes
-		;;
-	*-bsdi4.0*)
-		hack_shutup_sigwait=yes
-		hack_shutup_sputaux=yes
-		;;
-	[*-bsdi4.[12]*])
-		hack_shutup_stdargcast=yes
-		;;
-	[*-solaris2.[89]])
-		hack_shutup_pthreadonceinit=yes
-		;;
-	*-solaris2.1[[0-9]])
-		AC_TRY_COMPILE([ #include <pthread.h> ], [ static pthread_once_t once_test = { PTHREAD_ONCE_INIT }; ], [hack_shutup_pthreadonceinit=yes], )
-		;;
-esac
-
-case "$hack_shutup_pthreadonceinit" in
-	yes)
-		#
-		# Shut up PTHREAD_ONCE_INIT unbraced initializer warnings.
-		#
-		ISC_PLATFORM_BRACEPTHREADONCEINIT="#define ISC_PLATFORM_BRACEPTHREADONCEINIT 1"
-		;;
-esac
-
-case "$hack_shutup_sigwait" in
-	yes)
-		#
-		# Shut up a -Wmissing-prototypes warning for sigwait().
-		#
-		AC_DEFINE(SHUTUP_SIGWAIT)
-		;;
-esac
-
-case "$hack_shutup_sputaux" in
-	yes)
-		#
-		# Shut up a -Wmissing-prototypes warning from <stdio.h>.
-		#
-		AC_DEFINE(SHUTUP_SPUTAUX)
-		;;
-esac
-
-case "$hack_shutup_stdargcast" in
-	yes)
-		#
-		# Shut up a -Wcast-qual warning from va_start().
-		#
-		AC_DEFINE(SHUTUP_STDARG_CAST)
-		;;
-esac
-
-AC_CHECK_HEADERS(strings.h,
-  ISC_PLATFORM_HAVESTRINGSH="#define ISC_PLATFORM_HAVESTRINGSH 1"
-,
-  ISC_PLATFORM_HAVESTRINGSH="#undef ISC_PLATFORM_HAVESTRINGSH"
-)
-AC_SUBST(ISC_PLATFORM_HAVESTRINGSH)
-
-#
-# Check for if_nametoindex() for IPv6 scoped addresses support
-#
-AC_CHECK_FUNC(if_nametoindex, ac_cv_have_if_nametoindex=yes,
-		ac_cv_have_if_nametoindex=no)
-case $ac_cv_have_if_nametoindex in
-no)
-	case "$host" in
-	*-hp-hpux*)
-		AC_CHECK_LIB(ipv6, if_nametoindex,
-				ac_cv_have_if_nametoindex=yes
-				LIBS="-lipv6 $LIBS",)
-	;;
-	esac
-esac
-case $ac_cv_have_if_nametoindex in
-yes)
-	ISC_PLATFORM_HAVEIFNAMETOINDEX="#define ISC_PLATFORM_HAVEIFNAMETOINDEX 1"
-	;;
-*)
-	ISC_PLATFORM_HAVEIFNAMETOINDEX="#undef ISC_PLATFORM_HAVEIFNAMETOINDEX"
-	;;
-esac
-AC_SUBST(ISC_PLATFORM_HAVEIFNAMETOINDEX)
-
-AC_CHECK_FUNCS(nanosleep usleep)
-
-#
-# Machine architecture dependent features
-#
-AC_ARG_ENABLE(atomic,
-	[  --enable-atomic	  enable machine specific atomic operations
-			  [[default=autodetect]]],
-			enable_atomic="$enableval",
-			enable_atomic="autodetect")
-case "$enable_atomic" in
-	yes|''|autodetect)
-		case "$host" in
-		powerpc-ibm-aix*)
-			if test "X$GCC" = "Xyes"; then
-				AC_MSG_CHECKING([if asm("isc"); works])
-				AC_TRY_COMPILE(,[
-				main() { asm("ics"); exit(0); }
-				],
-				[AC_MSG_RESULT(yes)
-				 use_atomic=yes],
-				[
-				saved_cflags="$CFLAGS"
-				CFLAGS="$CFLAGS -Wa,-many"
-				AC_TRY_RUN([
-				main() { asm("ics"); exit(0); }
-				],
-				[AC_MSG_RESULT([yes, required -Wa,-many])
-				 use_atomic=yes],
-				[AC_MSG_RESULT([no, use_atomic disabled])
-				 CFLAGS="$saved_cflags"
-				 use_atomic=no],
-				[AC_MSG_RESULT([cross compile, assume yes])
-				 CFLAGS="$saved_cflags"
-				 use_atomic=yes])
-				]
-				)
-			else
-				use_atomic=yes
-			fi
-			;;
-		*)
-			use_atomic=yes
-			;;
-		esac
-		;;
-	no)
-		use_atomic=no
-		arch=noatomic
-		;;
-esac
-
-ISC_PLATFORM_USEOSFASM="#undef ISC_PLATFORM_USEOSFASM"
-if test "$use_atomic" = "yes"; then
-	AC_MSG_CHECKING([architecture type for atomic operations])
-	have_atomic=yes		# set default
-	case "$host" in
-	[i[3456]86-*])
-		# XXX: some old x86 architectures actually do not support
-		#      (some of) these operations.  Do we need stricter checks?
-                AC_CHECK_SIZEOF([void *])
-		if test $ac_cv_sizeof_void_p = 8; then
-			arch=x86_64
-			have_xaddq=yes
-		else
-			arch=x86_32
-		fi
-	;;
-	x86_64-*|amd64-*)
-                AC_CHECK_SIZEOF([void *])
-		if test $ac_cv_sizeof_void_p = 8; then
-			arch=x86_64
-			have_xaddq=yes
-		else
-			arch=x86_32
-		fi
-	;;
-	alpha*-*)
-		arch=alpha
-	;;
-	powerpc-*|powerpc64-*)
-		arch=powerpc
-	;;
-	mips-*|mipsel-*|mips64-*|mips64el-*)
-		arch=mips
-	;;
-	ia64-*)
-		arch=ia64
-	;;
-	*)
-		have_atomic=no
-		arch=noatomic
-	;;
-	esac
-	AC_MSG_RESULT($arch)
-fi
-
-if test "$have_atomic" = "yes"; then
-	AC_MSG_CHECKING([compiler support for inline assembly code])
-
-	compiler=generic
-	# Check whether the compiler supports the assembly syntax we provide.
-	if test "X$GCC" = "Xyes"; then
-		# GCC's ASM extension always works
-		compiler=gcc
-		if test $arch = "x86_64"; then
-			# We can share the same code for gcc with x86_32
-			arch=x86_32
-		fi
-		if test $arch = "powerpc"; then
-			#
-			# The MacOS (and maybe others) uses "r0" for register
-			# zero. Under linux/ibm it is "0" for register 0.
-			# Probe to see if we have a MacOS style assembler.
-			#
-			AC_MSG_CHECKING([Checking for MacOS style assembler syntax])
-			AC_TRY_COMPILE(, [
-			__asm__ volatile ("li r0, 0x0\n"::);
-			], [
-			AC_MSG_RESULT(yes)
-			compiler="mac"
-			ISC_PLATFORM_USEMACASM="#define ISC_PLATFORM_USEMACASM 1"
-			], [AC_MSG_RESULT(no)])
-		fi
-	else
-		case "$host" in
-		alpha*-dec-osf*)
-			# Tru64 compiler has its own syntax for inline
-			# assembly.
-			AC_TRY_COMPILE(, [
-#ifndef __DECC
-#error "unexpected compiler"
-#endif
-				return (0);],
-				[compiler=osf],)
-		;;
-		powerpc-ibm-aix*)
-			compiler=aix
-		;;
-		esac
-	fi
-	case "$compiler" in
-	gcc)
-		ISC_PLATFORM_USEGCCASM="#define ISC_PLATFORM_USEGCCASM 1"
-		;;
-	osf)
-		ISC_PLATFORM_USEOSFASM="#define ISC_PLATFORM_USEOSFASM 1"
-		;;
-	aix)
-		;;
-	mac)
-		;;
-	*)
-		# See if the generic __asm function works.  If not,
-		# we need to disable the atomic operations.
-		AC_TRY_LINK(, [
-					__asm("nop")
-				],
-		[compiler="standard"
-		ISC_PLATFORM_USESTDASM="#define ISC_PLATFORM_USESTDASM 1"],
-		[compiler="not supported (atomic operations disabled)"
-		have_atomic=no
-		arch=noatomic ]);
-		;;
-	esac
-
-	AC_MSG_RESULT($compiler)
-fi
-
-if test "$have_atomic" = "yes"; then
-	ISC_PLATFORM_HAVEXADD="#define ISC_PLATFORM_HAVEXADD 1"
-	ISC_PLATFORM_HAVECMPXCHG="#define ISC_PLATFORM_HAVECMPXCHG 1"
-	ISC_PLATFORM_HAVEATOMICSTORE="#define ISC_PLATFORM_HAVEATOMICSTORE 1"
-else
-	ISC_PLATFORM_HAVEXADD="#undef ISC_PLATFORM_HAVEXADD"
-	ISC_PLATFORM_HAVECMPXCHG="#undef ISC_PLATFORM_HAVECMPXCHG"
-	ISC_PLATFORM_HAVEATOMICSTORE="#undef ISC_PLATFORM_HAVEATOMICSTORE"
-fi
-
-if test "$have_xaddq" = "yes"; then
-	ISC_PLATFORM_HAVEXADDQ="#define ISC_PLATFORM_HAVEXADDQ 1"
-else
-	ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ"
-fi
-
-AC_SUBST(ISC_PLATFORM_HAVEXADD)
-AC_SUBST(ISC_PLATFORM_HAVEXADDQ)
-AC_SUBST(ISC_PLATFORM_HAVECMPXCHG)
-AC_SUBST(ISC_PLATFORM_HAVEATOMICSTORE)
-
-AC_SUBST(ISC_PLATFORM_USEGCCASM)
-AC_SUBST(ISC_PLATFORM_USEOSFASM)
-AC_SUBST(ISC_PLATFORM_USESTDASM)
-AC_SUBST(ISC_PLATFORM_USEMACASM)
-
-ISC_ARCH_DIR=$arch
-AC_SUBST(ISC_ARCH_DIR)
-
-#
-# Activate "rrset-order fixed" or not?
-#
-AC_ARG_ENABLE(fixed-rrset,
-	[  --enable-fixed-rrset    enable fixed rrset ordering
-			  [[default=no]]],
-			enable_fixed="$enableval",
-			enable_fixed="no")
-case "$enable_fixed" in
-	yes)
-		AC_DEFINE(DNS_RDATASET_FIXED, 1,
-			  [Define to enable "rrset-order fixed" syntax.])
-		;;
-	no)
-		;;
-	*)
-		;;
-esac
-
-#
-# Enable response policy rewriting using NS IP addresses
-#
-AC_ARG_ENABLE(rpz-nsip,
-	[  --disable-rpz-nsip	  disable rpz-nsip rules [[default=enabled]]],
-			enable_nsip="$enableval",
-			enable_nsip="yes")
-case "$enable_nsip" in
-	yes)
-		AC_DEFINE(ENABLE_RPZ_NSIP, 1,
-			  [Define to enable rpz-nsip rules.])
-		;;
-	no)
-		;;
-	*)
-		;;
-esac
-
-#
-# Enable response policy rewriting using NS name
-#
-AC_ARG_ENABLE(rpz-nsdname,
-	[  --disable-rpz-nsdname	  disable rpz-nsdname rules [[default=enabled]]],
-			enable_nsdname="$enableval",
-			enable_nsdname="yes")
-case "$enable_nsdname" in
-	yes)
-		AC_DEFINE(ENABLE_RPZ_NSDNAME, 1,
-			  [Define to enable rpz-nsdname rules.])
-		;;
-	no)
-		;;
-	*)
-		;;
-esac
-
-#
-# Activate "filter-aaaa-on-v4" or not?
-#
-AC_ARG_ENABLE(filter-aaaa,
-	[  --enable-filter-aaaa    enable filtering of AAAA records over IPv4
-			  [[default=no]]],
-			enable_filter="$enableval",
-			enable_filter="no")
-case "$enable_filter" in
-	yes)
-		AC_DEFINE(ALLOW_FILTER_AAAA_ON_V4, 1,
-			  [Define to enable the "filter-aaaa-on-v4" option.])
-		;;
-	no)
-		;;
-	*)
-		;;
-esac
-
-#
-#  The following sets up how non-blocking i/o is established.
-#  Sunos, cygwin and solaris 2.x (x<5) require special handling.
-#
-case "$host" in
-*-sunos*) AC_DEFINE(PORT_NONBLOCK, O_NDELAY);;
-*-cygwin*) AC_DEFINE(PORT_NONBLOCK, O_NDELAY);;
-*-solaris2.[[01234]])
-	AC_DEFINE(PORT_NONBLOCK, O_NONBLOCK)
-	AC_DEFINE(USE_FIONBIO_IOCTL, 1,
-		  [Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make non-blocking.])
-	;;
-*) AC_DEFINE(PORT_NONBLOCK, O_NONBLOCK,
-	     [Sets which flag to pass to open/fcntl to make non-blocking (O_NDELAY/O_NONBLOCK).])
-	;;
-esac
-#
-# Solaris 2.5.1 and earlier cannot bind() then connect() a TCP socket.
-# This prevents the source address being set.
-#
-case "$host" in
-*-solaris2.[[012345]]|*-solaris2.5.1)
-	AC_DEFINE(BROKEN_TCP_BIND_BEFORE_CONNECT, 1,
-		  [Define if you cannot bind() before connect() for TCP sockets.])
-	;;
-esac
-#
-# The following sections deal with tools used for formatting
-# the documentation.  They are all optional, unless you are
-# a developer editing the documentation source.
-#
-
-#
-# Look for TeX.
-#
-
-AC_PATH_PROGS(LATEX, latex, latex)
-AC_SUBST(LATEX)
-
-AC_PATH_PROGS(PDFLATEX, pdflatex, pdflatex)
-AC_SUBST(PDFLATEX)
-
-#
-# Look for w3m
-#
-
-AC_PATH_PROGS(W3M, w3m, w3m)
-AC_SUBST(W3M)
-
-#
-# Look for xsltproc (libxslt)
-#
-
-AC_PATH_PROG(XSLTPROC, xsltproc, xsltproc)
-AC_SUBST(XSLTPROC)
-
-#
-# Look for xmllint (libxml2)
-#
-
-AC_PATH_PROG(XMLLINT, xmllint, xmllint)
-AC_SUBST(XMLLINT)
-
-#
-# Look for Doxygen
-#
-
-AC_PATH_PROG(DOXYGEN, doxygen, doxygen)
-AC_SUBST(DOXYGEN)
-
-#
-# Subroutine for searching for an ordinary file (e.g., a stylesheet)
-# in a number of directories:
-#
-#   NOM_PATH_FILE(VARIABLE, FILENAME, DIRECTORIES)
-#
-# If the file FILENAME is found in one of the DIRECTORIES, the shell
-# variable VARIABLE is defined to its absolute pathname.  Otherwise,
-# it is set to FILENAME, with no directory prefix (that's not terribly
-# useful, but looks less confusing in substitutions than leaving it
-# empty).  The variable VARIABLE will be substituted into output files.
-#
-
-AC_DEFUN(NOM_PATH_FILE, [
-$1=""
-AC_MSG_CHECKING(for $2)
-for d in $3
-do
-	f=$d/$2
-	if test -f $f
-	then
-		$1=$f
-		AC_MSG_RESULT($f)
-		break
-	fi
-done
-if test "X[$]$1" = "X"
-then
-	AC_MSG_RESULT("not found");
-	$1=$2
-fi
-AC_SUBST($1)
-])
-
-#
-# Look for Docbook-XSL stylesheets.  Location probably varies by system.
-# If it's not explicitly specified, guess where it might be found, based on
-# where SGML stuff lives on some systems (FreeBSD is the only one we're sure
-# of at the moment).
-#
-AC_MSG_CHECKING(for Docbook-XSL path)
-AC_ARG_WITH(docbook-xsl,
-[  --with-docbook-xsl=PATH Specify path for Docbook-XSL stylesheets],
-   docbook_path="$withval", docbook_path="auto")
-case "$docbook_path" in
-auto)
-	AC_MSG_RESULT(auto)
-	docbook_xsl_trees="/usr/pkg/share/xsl/docbook /usr/local/share/xsl/docbook /usr/share/xsl/docbook /opt/local/share/xsl/docbook-xsl"
-	;;
-*)
-	docbook_xsl_trees="$withval"
-    	AC_MSG_RESULT($docbook_xsl_trees)
-	;;
-esac
-
-#
-# Look for stylesheets we need.
-#
-
-NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_HTML, html/docbook.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_XHTML, xhtml/docbook.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_MAN, manpages/docbook.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_HTML, html/chunk.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_XHTML, xhtml/chunk.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_CHUNKTOC_HTML, html/chunktoc.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_CHUNKTOC_XHTML, xhtml/chunktoc.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_MAKETOC_HTML, html/maketoc.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_MAKETOC_XHTML, xhtml/maketoc.xsl, $docbook_xsl_trees)
-
-#
-# Same dance for db2latex
-#
-# No idea where this lives except on FreeBSD.
-#
-
-db2latex_xsl_trees="/usr/local/share"
-
-#
-# Look for stylesheets we need.
-#
-
-NOM_PATH_FILE(XSLT_DB2LATEX_STYLE, db2latex/xsl/docbook.xsl, $db2latex_xsl_trees)
-
-#
-# Look for "admonition" image directory.  Can't use NOM_PATH_FILE()
-# because it's a directory, so just do the same things, inline.
-#
-
-AC_MSG_CHECKING(for db2latex/xsl/figures)
-for d in $db2latex_xsl_trees
-do
-	dd=$d/db2latex/xsl/figures
-	if test -d $dd
-	then
-		XSLT_DB2LATEX_ADMONITIONS=$dd
-		AC_MSG_RESULT($dd)
-		break
-	fi
-done
-if test "X$XSLT_DB2LATEX_ADMONITIONS" = "X"
-then
-	AC_MSG_RESULT(not found)
-	XSLT_DB2LATEX_ADMONITIONS=db2latex/xsl/figures
-fi
-AC_SUBST(XSLT_DB2LATEX_ADMONITIONS)
-
-#
-# IDN support
-#
-AC_ARG_WITH(idn,
-	[  --with-idn[=MPREFIX]      enable IDN support using idnkit [default PREFIX]],
-	use_idn="$withval", use_idn="no")
-case "$use_idn" in
-yes)
-	if test X$prefix = XNONE ; then
-		idn_path=/usr/local
-	else
-		idn_path=$prefix
-	fi
-	;;
-no)
-	;;
-*)
-	idn_path="$use_idn"
-	;;
-esac
-
-iconvinc=
-iconvlib=
-AC_ARG_WITH(libiconv,
-	[  --with-libiconv[=IPREFIX] GNU libiconv are in IPREFIX [default PREFIX]],
-	use_libiconv="$withval", use_libiconv="no")
-case "$use_libiconv" in
-yes)
-	if test X$prefix = XNONE ; then
-		iconvlib="-L/usr/local/lib -R/usr/local/lib -liconv"
-	else
-		iconvlib="-L$prefix/lib -R$prefix/lib -liconv"
-	fi
-	;;
-no)
-	iconvlib=
-	;;
-*)
-	iconvlib="-L$use_libiconv/lib -R$use_libiconv/lib -liconv"
-	;;
-esac
-
-AC_ARG_WITH(iconv,
-	[  --with-iconv[=LIBSPEC]    specify iconv library [default -liconv]],
-	iconvlib="$withval")
-case "$iconvlib" in
-no)
-	iconvlib=
-	;;
-yes)
-	iconvlib=-liconv
-	;;
-esac
-
-AC_ARG_WITH(idnlib,
-	[  --with-idnlib=ARG       specify libidnkit],
-	idnlib="$withval", idnlib="no")
-if test "$idnlib" = yes; then
-	AC_MSG_ERROR([You must specify ARG for --with-idnlib.])
-fi
-
-IDNLIBS=
-if test "$use_idn" != no; then
-	AC_DEFINE(WITH_IDN, 1, [define if idnkit support is to be included.])
-	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-	if test "$idnlib" != no; then
-		IDNLIBS="$idnlib $iconvlib"
-	else
-		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
-	fi
-fi
-AC_SUBST(IDNLIBS)
-
-#
-# Check whether to build Automated Test Framework unit tests
-#
-AC_ARG_WITH(atf,
-	[  --with-atf=ARG          Automated Test Framework support],
-	atf="$withval", atf="no")
-if test "$atf" = yes; then
-	atf=`pwd`/unit/atf
-	ATFBUILD=atf-src
-	AC_SUBST(ATFBUILD)
-	AC_CONFIG_COMMANDS([atf-config],
-		[(
-		 mkdir -p unit/atf-src;
-		 cd unit/atf-src;
-		 case "$srcdir" in
-		 /*) ;;
-		 *) srcdir="../../$srcdir";;
-		 esac
-		 ${SHELL} ${srcdir}${srcdir:+/unit/atf-src/}./configure MISSING=: --prefix $atfdir;
-		) ],
-		[atfdir=`pwd`/unit/atf])
-	AC_MSG_RESULT(building ATF from bind9/unit/atf-src)
-fi
-
-ATFLIBS=
-if test "$atf" != no; then
-	AC_DEFINE(ATF_TEST, 1, [define if ATF unit tests are to be built.])
-	STD_CINCLUDES="$STD_CINCLUDES -I$atf/include"
-	ATFBIN="$atf/bin"
-	ATFLIBS="-L$atf/lib -latf-c"
-	if test "$want_openssl_hash" = yes; then
-		ATFLIBS="-L$atf/lib -latf-c $DNS_CRYPTO_LIBS"
-	fi
-	UNITTESTS=tests
-fi
-AC_SUBST(ATFBIN)
-AC_SUBST(ATFLIBS)
-AC_SUBST(UNITTESTS)
-
-AC_CHECK_HEADERS(locale.h)
-AC_CHECK_FUNCS(setlocale)
-
-#
-# Substitutions
-#
-AC_SUBST(BIND9_TOP_BUILDDIR)
-BIND9_TOP_BUILDDIR=`pwd`
-
-AC_SUBST(BIND9_ISC_BUILDINCLUDE)
-AC_SUBST(BIND9_ISCCC_BUILDINCLUDE)
-AC_SUBST(BIND9_ISCCFG_BUILDINCLUDE)
-AC_SUBST(BIND9_DNS_BUILDINCLUDE)
-AC_SUBST(BIND9_LWRES_BUILDINCLUDE)
-AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
-if test "X$srcdir" != "X"; then
-	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
-	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
-	BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
-	BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
-	BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
-	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
-else
-	BIND9_ISC_BUILDINCLUDE=""
-	BIND9_ISCCC_BUILDINCLUDE=""
-	BIND9_ISCCFG_BUILDINCLUDE=""
-	BIND9_DNS_BUILDINCLUDE=""
-	BIND9_LWRES_BUILDINCLUDE=""
-	BIND9_BIND9_BUILDINCLUDE=""
-fi
-
-AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
-BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
-
-AC_SUBST_FILE(BIND9_MAKE_RULES)
-BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
-
-. $srcdir/version
-BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\""
-AC_SUBST(BIND9_PRODUCT)
-BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\""
-AC_SUBST(BIND9_DESCRIPTION)
-BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}"
-AC_SUBST(BIND9_VERSION)
-
-BIND9_SRCID="SRCID=unset"
-if test -f $srcdir/srcid; then
-	. $srcdir/srcid
-	BIND9_SRCID="SRCID=$SRCID"
-fi
-AC_SUBST(BIND9_SRCID)
-
-if test -z "$ac_configure_args"; then
-	BIND9_CONFIGARGS="defaults"
-else
-	for a in $ac_configure_args
-	do
-		BIND9_CONFIGARGS="$BIND9_CONFIGARGS $a"
-	done
-fi
-BIND9_CONFIGARGS="`echo $BIND9_CONFIGARGS | sed 's/^ //'`"
-BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
-AC_SUBST(BIND9_CONFIGARGS)
-
-AC_SUBST_FILE(LIBISC_API)
-LIBISC_API=$srcdir/lib/isc/api
-
-AC_SUBST_FILE(LIBISCCC_API)
-LIBISCCC_API=$srcdir/lib/isccc/api
-
-AC_SUBST_FILE(LIBISCCFG_API)
-LIBISCCFG_API=$srcdir/lib/isccfg/api
-
-AC_SUBST_FILE(LIBDNS_API)
-LIBDNS_API=$srcdir/lib/dns/api
-
-AC_SUBST_FILE(LIBBIND9_API)
-LIBBIND9_API=$srcdir/lib/bind9/api
-
-AC_SUBST_FILE(LIBLWRES_API)
-LIBLWRES_API=$srcdir/lib/lwres/api
-
-AC_SUBST_FILE(LIBIRS_API)
-LIBIRS_API=$srcdir/lib/irs/api
-
-#
-# Configure any DLZ drivers.
-#
-# If config.dlz.in selects one or more DLZ drivers, it will set
-# CONTRIB_DLZ to a non-empty value, which will be our clue to
-# build DLZ drivers in contrib.
-#
-# This section has to come after the libtool stuff because it needs to
-# know how to name the driver object files.
-#
-
-CONTRIB_DLZ=""
-DLZ_DRIVER_INCLUDES=""
-DLZ_DRIVER_LIBS=""
-DLZ_DRIVER_SRCS=""
-DLZ_DRIVER_OBJS=""
-DLZ_SYSTEM_TEST=""
-
-#
-# Configure support for building a shared library object
-#
-# Even when libtool is available it can't always be relied upon
-# to build an object that can be dlopen()'ed, but this is necessary
-# for building the dlzexternal system test, so we'll try it the
-# old-fashioned way.
-#
-SO="so"
-SO_CFLAGS=""
-SO_LD=""
-SO_TARGETS=""
-
-AC_ARG_WITH(dlopen,
-	[  --with-dlopen=ARG       Support dynamically loadable DLZ drivers],
-	dlopen="$withval", dlopen="yes")
-
-case $host in
-	*-sunos*) dlopen="no"
-		;;
-esac
-
-if test "$dlopen" = "yes"; then
-	AC_CHECK_LIB(dl, dlopen, have_dl=yes, have_dl=no)
-	if test "$have_dl" = "yes"; then
-		LIBS="-ldl $LIBS"
-	fi
-        AC_CHECK_FUNCS(dlopen dlclose dlsym,,dlopen=no)
-fi
-
-if test "$dlopen" = "yes"; then
-	case $host in
-		*-linux*)
-			SO_CFLAGS="-fPIC"
-			if test "$have_dl" = "yes"
-			then
-				if test "$use_libtool" = "yes"; then
-					SO_LD="${CC} -Xcompiler -shared"
-				else
-					SO_LD="${CC} -shared"
-				fi
-			else
-				SO_LD="ld -shared"
-			fi
-			;;
-		*-freebsd*|*-openbsd*|*-netbsd*)
-			SO_CFLAGS="-fpic"
-			SO_LD="ld -Bshareable -x"
-			;;
-		*-solaris*)
-			SO_CFLAGS="-KPIC"
-			SO_LD="ld -G -z text"
-                        ;;
-		*-hp-hpux*)
-			SO=sl
-			SO_CFLAGS="+z"
-			SO_LD="ld -b"
-                        ;;
-		*)
-			SO_CFLAGS="-fPIC"
-			;;
-	esac
-
-	if test "X$GCC" = "Xyes"; then
-		SO_CFLAGS="-fPIC"
-                test -n "$SO_LD" || SO_LD="${CC} -shared"
-	fi
-
-	# If we still don't know how to make shared objects, don't make any.
-	if test -n "$SO_LD"; then
-		SO_TARGETS="\${SO_TARGETS}"
-		AC_DEFINE(ISC_DLZ_DLOPEN, 1,
-			  [Define to allow building of objects for dlopen().])
-	fi
-fi
-
-AC_SUBST(SO)
-AC_SUBST(SO_CFLAGS)
-AC_SUBST(SO_LD)
-AC_SUBST(SO_TARGETS)
-
-sinclude(contrib/dlz/config.dlz.in)
-AC_MSG_CHECKING(contributed DLZ drivers)
-
-if test -n "$CONTRIB_DLZ"
-then
-	AC_MSG_RESULT(yes)
-	DLZ_DRIVER_RULES=contrib/dlz/drivers/rules
-	AC_CONFIG_FILES([$DLZ_DRIVER_RULES])
-else
-	AC_MSG_RESULT(no)
-	DLZ_DRIVER_RULES=/dev/null
-fi
-
-AC_SUBST(CONTRIB_DLZ)
-AC_SUBST(DLZ_DRIVER_INCLUDES)
-AC_SUBST(DLZ_DRIVER_LIBS)
-AC_SUBST(DLZ_DRIVER_SRCS)
-AC_SUBST(DLZ_DRIVER_OBJS)
-AC_SUBST(DLZ_SYSTEM_TEST)
-AC_SUBST_FILE(DLZ_DRIVER_RULES)
-
-if test "$cross_compiling" = "yes"; then
-	if test -z "$BUILD_CC"; then
-		AC_ERROR([BUILD_CC not set])
-	fi
-	BUILD_CFLAGS="$BUILD_CFLAGS"
-	BUILD_CPPFLAGS="$BUILD_CPPFLAGS"
-	BUILD_LDFLAGS="$BUILD_LDFLAGS"
-	BUILD_LIBS="$BUILD_LIBS"
-else
-	BUILD_CC="$CC"
-	BUILD_CFLAGS="$CFLAGS"
-	BUILD_CPPFLAGS="$CPPFLAGS $GEN_NEED_OPTARG"
-	BUILD_LDFLAGS="$LDFLAGS"
-	BUILD_LIBS="$LIBS"
-fi
-
-NEWFLAGS=""
-for e in $BUILD_LDFLAGS ; do
-    case $e in
-	-L*)
-	    case $host_os in
-		netbsd*)
-		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
-		    NEWFLAGS="$NEWFLAGS $e $ee"
-		    ;;
-		freebsd*)
-		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
-		    NEWFLAGS="$NEWFLAGS $e $ee"
-		    ;;
-		solaris*)
-		    ee=`echo $e | sed -e 's%^-L%-R%'`
-		    NEWFLAGS="$NEWFLAGS $e $ee"
-		    ;;
-		*)
-		    NEWFLAGS="$NEWFLAGS $e"
-		    ;;
-		esac
-	    ;;
-	*)
-	    NEWFLAGS="$NEWFLAGS $e"
-	    ;;
-    esac
-done
-BUILD_LDFLAGS="$NEWFLAGS"
-
-NEWFLAGS=""
-for e in $DNS_GSSAPI_LIBS ; do
-    case $e in
-	-L*)
-	    case $host_os in
-		netbsd*)
-		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
-		    NEWFLAGS="$NEWFLAGS $e $ee"
-		    ;;
-		freebsd*)
-		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
-		    NEWFLAGS="$NEWFLAGS $e $ee"
-		    ;;
-		solaris*)
-		    ee=`echo $e | sed -e 's%^-L%-R%'`
-		    NEWFLAGS="$NEWFLAGS $e $ee"
-		    ;;
-		*)
-		    NEWFLAGS="$NEWFLAGS $e"
-		    ;;
-		esac
-	    ;;
-	*)
-	    NEWFLAGS="$NEWFLAGS $e"
-	    ;;
-    esac
-done
-DNS_GSSAPI_LIBS="$NEWFLAGS"
-
-NEWFLAGS=""
-for e in $DNS_CRYPTO_LIBS ; do
-    case $e in
-	-L*)
-	    case $host_os in
-		netbsd*)
-		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
-		    NEWFLAGS="$NEWFLAGS $e $ee"
-		    ;;
-		freebsd*)
-		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
-		    NEWFLAGS="$NEWFLAGS $e $ee"
-		    ;;
-		solaris*)
-		    ee=`echo $e | sed -e 's%^-L%-R%'`
-		    NEWFLAGS="$NEWFLAGS $e $ee"
-		    ;;
-		*)
-		    NEWFLAGS="$NEWFLAGS $e"
-		    ;;
-		esac
-	    ;;
-	*)
-	    NEWFLAGS="$NEWFLAGS $e"
-	    ;;
-    esac
-done
-DNS_CRYPTO_LIBS="$NEWFLAGS"
-
-AC_SUBST(BUILD_CC)
-AC_SUBST(BUILD_CFLAGS)
-AC_SUBST(BUILD_CPPFLAGS)
-AC_SUBST(BUILD_LDFLAGS)
-AC_SUBST(BUILD_LIBS)
-
-#
-# Commands to run at the end of config.status.
-# Don't just put these into configure, it won't work right if somebody
-# runs config.status directly (which autoconf allows).
-#
-
-AC_CONFIG_COMMANDS(
-	[chmod],
-	[chmod a+x isc-config.sh doc/doxygen/doxygen-input-filter])
-
-#
-# Files to configure.  These are listed here because we used to
-# specify them as arguments to AC_OUTPUT.  It's (now) ok to move these
-# elsewhere if there's a good reason for doing so.
-#
-
-AC_CONFIG_FILES([
-  make/Makefile
-  make/mkdep
-	Makefile
-	bin/Makefile
-	bin/check/Makefile
-	bin/confgen/Makefile
-	bin/confgen/unix/Makefile
-	bin/dig/Makefile
-	bin/dnssec/Makefile
-	bin/named/Makefile
-	bin/named/unix/Makefile
-	bin/nsupdate/Makefile
-	bin/pkcs11/Makefile
-	bin/python/Makefile
-	bin/python/dnssec-checkds.py
-	bin/python/dnssec-coverage.py
-	bin/rndc/Makefile
-	bin/tests/Makefile
-	bin/tests/atomic/Makefile
-	bin/tests/db/Makefile
-	bin/tests/dst/Makefile
-	bin/tests/dst/Kdh.+002+18602.key
-	bin/tests/dst/Kdh.+002+18602.private
-	bin/tests/dst/Kdh.+002+48957.key
-	bin/tests/dst/Kdh.+002+48957.private
-	bin/tests/dst/Ktest.+001+00002.key
-	bin/tests/dst/Ktest.+001+54622.key
-	bin/tests/dst/Ktest.+001+54622.private
-	bin/tests/dst/Ktest.+003+23616.key
-	bin/tests/dst/Ktest.+003+23616.private
-	bin/tests/dst/Ktest.+003+49667.key
-	bin/tests/dst/dst_2_data
-	bin/tests/dst/t2_data_1
-	bin/tests/dst/t2_data_2
-	bin/tests/dst/t2_dsasig
-	bin/tests/dst/t2_rsasig
-	bin/tests/hashes/Makefile
-	bin/tests/headerdep_test.sh
-	bin/tests/master/Makefile
-	bin/tests/mem/Makefile
-	bin/tests/names/Makefile
-	bin/tests/net/Makefile
-	bin/tests/rbt/Makefile
-	bin/tests/resolver/Makefile
-	bin/tests/sockaddr/Makefile
-	bin/tests/system/Makefile
-	bin/tests/system/conf.sh
-	bin/tests/system/dlz/prereq.sh
-	bin/tests/system/dlzexternal/Makefile
-	bin/tests/system/dlzexternal/ns1/named.conf
-	bin/tests/system/ecdsa/prereq.sh
-	bin/tests/system/filter-aaaa/Makefile
-	bin/tests/system/gost/prereq.sh
-	bin/tests/system/lwresd/Makefile
-	bin/tests/system/rpz/Makefile
-	bin/tests/system/rsabigexponent/Makefile
-	bin/tests/system/tkey/Makefile
-	bin/tests/system/tsiggss/Makefile
-	bin/tests/tasks/Makefile
-	bin/tests/timers/Makefile
-	bin/tests/virtual-time/Makefile
-	bin/tests/virtual-time/conf.sh
-	bin/tools/Makefile
-	contrib/check-secure-delegation.pl
-	contrib/zone-edit.sh
-	doc/Makefile
-	doc/arm/Makefile
-	doc/doxygen/Doxyfile
-	doc/doxygen/Makefile
-	doc/doxygen/doxygen-input-filter
-	doc/misc/Makefile
-	doc/xsl/Makefile
-	doc/xsl/isc-docbook-chunk.xsl
-	doc/xsl/isc-docbook-html.xsl
-	doc/xsl/isc-docbook-latex.xsl
-	doc/xsl/isc-manpage.xsl
-	isc-config.sh
-	lib/Makefile
-	lib/bind9/Makefile
-	lib/bind9/include/Makefile
-	lib/bind9/include/bind9/Makefile
-	lib/dns/Makefile
-	lib/dns/include/Makefile
-	lib/dns/include/dns/Makefile
-	lib/dns/include/dst/Makefile
-	lib/dns/tests/Makefile
-	lib/export/Makefile
-	lib/export/dns/Makefile
-	lib/export/dns/include/Makefile
-	lib/export/dns/include/dns/Makefile
-	lib/export/dns/include/dst/Makefile
-	lib/export/irs/Makefile
-	lib/export/irs/include/Makefile
-	lib/export/irs/include/irs/Makefile
-	lib/export/isc/$thread_dir/Makefile
-	lib/export/isc/$thread_dir/include/Makefile
-	lib/export/isc/$thread_dir/include/isc/Makefile
-	lib/export/isc/Makefile
-	lib/export/isc/include/Makefile
-	lib/export/isc/include/isc/Makefile
-	lib/export/isc/nls/Makefile
-	lib/export/isc/unix/Makefile
-	lib/export/isc/unix/include/Makefile
-	lib/export/isc/unix/include/isc/Makefile
-	lib/export/isccfg/Makefile
-	lib/export/isccfg/include/Makefile
-	lib/export/isccfg/include/isccfg/Makefile
-	lib/export/samples/Makefile
-	lib/export/samples/Makefile-postinstall
-	lib/irs/Makefile
-	lib/irs/include/Makefile
-	lib/irs/include/irs/Makefile
-	lib/irs/include/irs/netdb.h
-	lib/irs/include/irs/platform.h
-	lib/isc/$arch/Makefile
-	lib/isc/$arch/include/Makefile
-	lib/isc/$arch/include/isc/Makefile
-	lib/isc/$thread_dir/Makefile
-	lib/isc/$thread_dir/include/Makefile
-	lib/isc/$thread_dir/include/isc/Makefile
-	lib/isc/Makefile
-	lib/isc/include/Makefile
-	lib/isc/include/isc/Makefile
-	lib/isc/include/isc/platform.h
-	lib/isc/tests/Makefile
-	lib/isc/nls/Makefile
-	lib/isc/unix/Makefile
-	lib/isc/unix/include/Makefile
-	lib/isc/unix/include/isc/Makefile
-	lib/isccc/Makefile
-	lib/isccc/include/Makefile
-	lib/isccc/include/isccc/Makefile
-	lib/isccfg/Makefile
-	lib/isccfg/include/Makefile
-	lib/isccfg/include/isccfg/Makefile
-	lib/lwres/Makefile
-	lib/lwres/include/Makefile
-	lib/lwres/include/lwres/Makefile
-	lib/lwres/include/lwres/netdb.h
-	lib/lwres/include/lwres/platform.h
-	lib/lwres/man/Makefile
-	lib/lwres/unix/Makefile
-	lib/lwres/unix/include/Makefile
-	lib/lwres/unix/include/lwres/Makefile
-	lib/tests/Makefile
-	lib/tests/include/Makefile
-	lib/tests/include/tests/Makefile
-	unit/Makefile
-	unit/unittest.sh
-])
-
-#
-# Do it
-#
-
-AC_OUTPUT
-
-#
-# Now that the Makefiles exist we can ensure that everything is rebuilt.
-#
-AC_ARG_WITH(make-clean,
-[  --with-make-clean      Run "make clean" at end of configure [[yes|no]].],
-    make_clean="$withval", make_clean="yes")
-case "$make_clean" in
-yes)
-	make clean
-	;;
-esac
-
-if test "X$USE_OPENSSL" = "X"; then
-cat << \EOF
-BIND is being built without OpenSSL. This means it will not have DNSSEC support.
-EOF
-fi
-
-if test "X$OPENSSL_WARNING" != "X"; then
-cat << \EOF
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING                                                                 WARNING
-WARNING         Your OpenSSL crypto library may be vulnerable to        WARNING
-WARNING         one or more of the the following known security         WARNING
-WARNING         flaws:                                                  WARNING
-WARNING                                                                 WARNING
-WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and         WARNING
-WARNING         CVE-2006-2940.                                          WARNING
-WARNING                                                                 WARNING
-WARNING         It is recommended that you upgrade to OpenSSL           WARNING
-WARNING         version 0.9.8d/0.9.7l (or greater).                     WARNING
-WARNING                                                                 WARNING
-WARNING         You can disable this warning by specifying:             WARNING
-WARNING                                                                 WARNING
-WARNING               --disable-openssl-version-check          	        WARNING
-WARNING                                                                 WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-EOF
-fi
-
-# Tell Emacs to edit this file in shell mode.
-# Local Variables:
-# mode: sh
-# End:
diff --git a/contrib/bind9/doc/Makefile.in b/contrib/bind9/doc/Makefile.in
deleted file mode 100644
index 29074b5..0000000
--- a/contrib/bind9/doc/Makefile.in
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (C) 2004-2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.11 2007/06/19 23:47:13 tbox Exp $
-
-# This Makefile is a placeholder.  It exists merely to make
-# sure that its directory gets created in the object directory
-# tree when doing a build using separate object directories.
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS = arm misc xsl doxygen
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/doc/arm/Bv9ARM-book.xml b/contrib/bind9/doc/arm/Bv9ARM-book.xml
deleted file mode 100644
index 8625554..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM-book.xml
+++ /dev/null
@@ -1,17126 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-              "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- File: $Id$ -->
-<book xmlns:xi="http://www.w3.org/2001/XInclude">
-  <title>BIND 9 Administrator Reference Manual</title>
-
-  <bookinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2012</year>
-      <year>2013</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </bookinfo>
-
-  <chapter id="Bv9ARM.ch01">
-    <title>Introduction</title>
-    <para>
-      The Internet Domain Name System (<acronym>DNS</acronym>)
-      consists of the syntax
-      to specify the names of entities in the Internet in a hierarchical
-      manner, the rules used for delegating authority over names, and the
-      system implementation that actually maps names to Internet
-      addresses.  <acronym>DNS</acronym> data is maintained in a
-      group of distributed
-      hierarchical databases.
-    </para>
-
-    <sect1>
-      <title>Scope of Document</title>
-
-      <para>
-        The Berkeley Internet Name Domain
-        (<acronym>BIND</acronym>) implements a
-        domain name server for a number of operating systems. This
-        document provides basic information about the installation and
-        care of the Internet Systems Consortium (<acronym>ISC</acronym>)
-        <acronym>BIND</acronym> version 9 software package for
-        system administrators.
-      </para>
-
-      <para>
-        This version of the manual corresponds to BIND version 9.9.
-      </para>
-
-    </sect1>
-    <sect1>
-      <title>Organization of This Document</title>
-      <para>
-        In this document, <emphasis>Chapter 1</emphasis> introduces
-        the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Chapter 2</emphasis>
-        describes resource requirements for running <acronym>BIND</acronym> in various
-        environments. Information in <emphasis>Chapter 3</emphasis> is
-        <emphasis>task-oriented</emphasis> in its presentation and is
-        organized functionally, to aid in the process of installing the
-        <acronym>BIND</acronym> 9 software. The task-oriented
-        section is followed by
-        <emphasis>Chapter 4</emphasis>, which contains more advanced
-        concepts that the system administrator may need for implementing
-        certain options. <emphasis>Chapter 5</emphasis>
-        describes the <acronym>BIND</acronym> 9 lightweight
-        resolver.  The contents of <emphasis>Chapter 6</emphasis> are
-        organized as in a reference manual to aid in the ongoing
-        maintenance of the software. <emphasis>Chapter 7</emphasis> addresses
-        security considerations, and
-        <emphasis>Chapter 8</emphasis> contains troubleshooting help. The
-        main body of the document is followed by several
-        <emphasis>appendices</emphasis> which contain useful reference
-        information, such as a <emphasis>bibliography</emphasis> and
-        historic information related to <acronym>BIND</acronym>
-        and the Domain Name
-        System.
-      </para>
-    </sect1>
-    <sect1>
-      <title>Conventions Used in This Document</title>
-
-      <para>
-        In this document, we use the following general typographic
-        conventions:
-      </para>
-
-      <informaltable>
-        <tgroup cols="2">
-          <colspec colname="1" colnum="1" colwidth="3.000in"/>
-          <colspec colname="2" colnum="2" colwidth="2.625in"/>
-          <tbody>
-            <row>
-              <entry colname="1">
-                <para>
-                  <emphasis>To describe:</emphasis>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  <emphasis>We use the style:</emphasis>
-                </para>
-              </entry>
-            </row>
-            <row>
-              <entry colname="1">
-                <para>
-                  a pathname, filename, URL, hostname,
-                  mailing list name, or new term or concept
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  <filename>Fixed width</filename>
-                </para>
-              </entry>
-            </row>
-            <row>
-              <entry colname="1">
-                <para>
-                  literal user
-                  input
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  <userinput>Fixed Width Bold</userinput>
-                </para>
-              </entry>
-            </row>
-            <row>
-              <entry colname="1">
-                <para>
-                  program output
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  <computeroutput>Fixed Width</computeroutput>
-                </para>
-              </entry>
-            </row>
-          </tbody>
-        </tgroup>
-      </informaltable>
-
-      <para>
-        The following conventions are used in descriptions of the
-        <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
-                  <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
-                      <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
-            <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
-            <tbody>
-              <row rowsep="0">
-                <entry colname="1" colsep="1" rowsep="1">
-                  <para>
-                    <emphasis>To describe:</emphasis>
-                  </para>
-                </entry>
-                <entry colname="2" rowsep="1">
-                  <para>
-                    <emphasis>We use the style:</emphasis>
-                  </para>
-                </entry>
-              </row>
-              <row rowsep="0">
-                <entry colname="1" colsep="1" rowsep="1">
-                  <para>
-                    keywords
-                  </para>
-                </entry>
-                <entry colname="2" rowsep="1">
-                  <para>
-                    <literal>Fixed Width</literal>
-                  </para>
-                </entry>
-              </row>
-              <row rowsep="0">
-                <entry colname="1" colsep="1" rowsep="1">
-                  <para>
-                    variables
-                  </para>
-                </entry>
-                <entry colname="2" rowsep="1">
-                  <para>
-                    <varname>Fixed Width</varname>
-                  </para>
-                </entry>
-              </row>
-              <row rowsep="0">
-                <entry colname="1" colsep="1">
-                  <para>
-                    Optional input
-                  </para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    <optional>Text is enclosed in square brackets</optional>
-                  </para>
-                </entry>
-              </row>
-            </tbody>
-          </tgroup>
-        </informaltable>
-      </para>
-    </sect1>
-    <sect1>
-      <title>The Domain Name System (<acronym>DNS</acronym>)</title>
-      <para>
-        The purpose of this document is to explain the installation
-        and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
-	Name Domain) software package, and we
-        begin by reviewing the fundamentals of the Domain Name System
-        (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
-      </para>
-
-      <sect2>
-        <title>DNS Fundamentals</title>
-
-        <para>
-          The Domain Name System (DNS) is a hierarchical, distributed
-          database.  It stores information for mapping Internet host names to
-          IP
-          addresses and vice versa, mail routing information, and other data
-          used by Internet applications.
-        </para>
-
-        <para>
-          Clients look up information in the DNS by calling a
-          <emphasis>resolver</emphasis> library, which sends queries to one or
-          more <emphasis>name servers</emphasis> and interprets the responses.
-          The <acronym>BIND</acronym> 9 software distribution
-          contains a
-          name server, <command>named</command>, and a resolver
-          library, <command>liblwres</command>.  The older
-          <command>libbind</command> resolver library is also available
-          from ISC as a separate download.
-        </para>
-
-        </sect2><sect2>
-        <title>Domains and Domain Names</title>
-
-        <para>
-          The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
-          organizational or administrative boundaries. Each node of the tree,
-          called a <emphasis>domain</emphasis>, is given a label. The domain
-          name of the
-          node is the concatenation of all the labels on the path from the
-          node to the <emphasis>root</emphasis> node.  This is represented
-          in written form as a string of labels listed from right to left and
-          separated by dots. A label need only be unique within its parent
-          domain.
-        </para>
-
-        <para>
-          For example, a domain name for a host at the
-          company <emphasis>Example, Inc.</emphasis> could be
-          <literal>ourhost.example.com</literal>,
-          where <literal>com</literal> is the
-          top level domain to which
-          <literal>ourhost.example.com</literal> belongs,
-          <literal>example</literal> is
-          a subdomain of <literal>com</literal>, and
-          <literal>ourhost</literal> is the
-          name of the host.
-        </para>
-
-        <para>
-          For administrative purposes, the name space is partitioned into
-          areas called <emphasis>zones</emphasis>, each starting at a node and
-          extending down to the leaf nodes or to nodes where other zones
-          start.
-          The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
-          <emphasis>DNS protocol</emphasis>.
-        </para>
-
-        <para>
-          The data associated with each domain name is stored in the
-          form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
-          Some of the supported resource record types are described in
-          <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
-        </para>
-
-        <para>
-          For more detailed information about the design of the DNS and
-          the DNS protocol, please refer to the standards documents listed in
-          <xref linkend="rfcs"/>.
-        </para>
-      </sect2>
-
-      <sect2>
-        <title>Zones</title>
-        <para>
-          To properly operate a name server, it is important to understand
-          the difference between a <emphasis>zone</emphasis>
-          and a <emphasis>domain</emphasis>.
-        </para>
-
-        <para>
-          As stated previously, a zone is a point of delegation in
-          the <acronym>DNS</acronym> tree. A zone consists of
-          those contiguous parts of the domain
-          tree for which a name server has complete information and over which
-          it has authority. It contains all domain names from a certain point
-          downward in the domain tree except those which are delegated to
-          other zones. A delegation point is marked by one or more
-          <emphasis>NS records</emphasis> in the
-          parent zone, which should be matched by equivalent NS records at
-          the root of the delegated zone.
-        </para>
-
-        <para>
-          For instance, consider the <literal>example.com</literal>
-          domain which includes names
-          such as <literal>host.aaa.example.com</literal> and
-          <literal>host.bbb.example.com</literal> even though
-          the <literal>example.com</literal> zone includes
-          only delegations for the <literal>aaa.example.com</literal> and
-          <literal>bbb.example.com</literal> zones.  A zone can
-          map
-          exactly to a single domain, but could also include only part of a
-          domain, the rest of which could be delegated to other
-          name servers. Every name in the <acronym>DNS</acronym>
-          tree is a
-          <emphasis>domain</emphasis>, even if it is
-          <emphasis>terminal</emphasis>, that is, has no
-          <emphasis>subdomains</emphasis>.  Every subdomain is a domain and
-          every domain except the root is also a subdomain. The terminology is
-          not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
-          to
-          gain a complete understanding of this difficult and subtle
-          topic.
-        </para>
-
-        <para>
-          Though <acronym>BIND</acronym> is called a "domain name
-          server",
-          it deals primarily in terms of zones. The master and slave
-          declarations in the <filename>named.conf</filename> file
-          specify
-          zones, not domains. When you ask some other site if it is willing to
-          be a slave server for your <emphasis>domain</emphasis>, you are
-          actually asking for slave service for some collection of zones.
-        </para>
-      </sect2>
-
-      <sect2>
-        <title>Authoritative Name Servers</title>
-
-        <para>
-          Each zone is served by at least
-          one <emphasis>authoritative name server</emphasis>,
-          which contains the complete data for the zone.
-          To make the DNS tolerant of server and network failures,
-          most zones have two or more authoritative servers, on
-          different networks.
-        </para>
-
-        <para>
-          Responses from authoritative servers have the "authoritative
-          answer" (AA) bit set in the response packets.  This makes them
-          easy to identify when debugging DNS configurations using tools like
-          <command>dig</command> (<xref linkend="diagnostic_tools"/>).
-        </para>
-
-        <sect3>
-          <title>The Primary Master</title>
-
-          <para>
-            The authoritative server where the master copy of the zone
-            data is maintained is called the
-	    <emphasis>primary master</emphasis> server, or simply the
-            <emphasis>primary</emphasis>.  Typically it loads the zone
-            contents from some local file edited by humans or perhaps
-            generated mechanically from some other local file which is
-            edited by humans.  This file is called the
-	    <emphasis>zone file</emphasis> or
-	    <emphasis>master file</emphasis>.
-          </para>
-
-	  <para>
-	    In some cases, however, the master file may not be edited
-	    by humans at all, but may instead be the result of
-	    <emphasis>dynamic update</emphasis> operations.
-	  </para>
-        </sect3>
-
-        <sect3>
-          <title>Slave Servers</title>
-          <para>
-            The other authoritative servers, the <emphasis>slave</emphasis>
-            servers (also known as <emphasis>secondary</emphasis> servers)
-            load
-            the zone contents from another server using a replication process
-            known as a <emphasis>zone transfer</emphasis>.  Typically the data
-            are
-            transferred directly from the primary master, but it is also
-            possible
-            to transfer it from another slave.  In other words, a slave server
-            may itself act as a master to a subordinate slave server.
-          </para>
-        </sect3>
-
-        <sect3>
-          <title>Stealth Servers</title>
-
-          <para>
-            Usually all of the zone's authoritative servers are listed in
-            NS records in the parent zone.  These NS records constitute
-            a <emphasis>delegation</emphasis> of the zone from the parent.
-            The authoritative servers are also listed in the zone file itself,
-            at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
-            of the zone.  You can list servers in the zone's top-level NS
-            records that are not in the parent's NS delegation, but you cannot
-            list servers in the parent's delegation that are not present at
-            the zone's top level.
-          </para>
-
-          <para>
-            A <emphasis>stealth server</emphasis> is a server that is
-            authoritative for a zone but is not listed in that zone's NS
-            records.  Stealth servers can be used for keeping a local copy of
-            a
-            zone to speed up access to the zone's records or to make sure that
-            the
-            zone is available even if all the "official" servers for the zone
-            are
-            inaccessible.
-          </para>
-
-          <para>
-            A configuration where the primary master server itself is a
-            stealth server is often referred to as a "hidden primary"
-            configuration.  One use for this configuration is when the primary
-            master
-            is behind a firewall and therefore unable to communicate directly
-            with the outside world.
-          </para>
-
-        </sect3>
-
-      </sect2>
-      <sect2>
-
-        <title>Caching Name Servers</title>
-
-	<!--
-	  - Terminology here is inconsistent.  Probably ought to
-	  - convert to using "recursive name server" everywhere
-	  - with just a note about "caching" terminology.
-	  -->
-
-        <para>
-          The resolver libraries provided by most operating systems are
-          <emphasis>stub resolvers</emphasis>, meaning that they are not
-          capable of
-          performing the full DNS resolution process by themselves by talking
-          directly to the authoritative servers.  Instead, they rely on a
-          local
-          name server to perform the resolution on their behalf.  Such a
-          server
-          is called a <emphasis>recursive</emphasis> name server; it performs
-          <emphasis>recursive lookups</emphasis> for local clients.
-        </para>
-
-        <para>
-          To improve performance, recursive servers cache the results of
-          the lookups they perform.  Since the processes of recursion and
-          caching are intimately connected, the terms
-          <emphasis>recursive server</emphasis> and
-          <emphasis>caching server</emphasis> are often used synonymously.
-        </para>
-
-        <para>
-          The length of time for which a record may be retained in
-          the cache of a caching name server is controlled by the
-          Time To Live (TTL) field associated with each resource record.
-        </para>
-
-        <sect3>
-          <title>Forwarding</title>
-
-          <para>
-            Even a caching name server does not necessarily perform
-            the complete recursive lookup itself.  Instead, it can
-            <emphasis>forward</emphasis> some or all of the queries
-            that it cannot satisfy from its cache to another caching name
-            server,
-            commonly referred to as a <emphasis>forwarder</emphasis>.
-          </para>
-
-          <para>
-            There may be one or more forwarders,
-            and they are queried in turn until the list is exhausted or an
-            answer
-            is found. Forwarders are typically used when you do not
-            wish all the servers at a given site to interact directly with the
-            rest of
-            the Internet servers. A typical scenario would involve a number
-            of internal <acronym>DNS</acronym> servers and an
-            Internet firewall. Servers unable
-            to pass packets through the firewall would forward to the server
-            that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
-            on the internal server's behalf.
-          </para>
-        </sect3>
-
-      </sect2>
-
-      <sect2>
-        <title>Name Servers in Multiple Roles</title>
-
-        <para>
-          The <acronym>BIND</acronym> name server can
-          simultaneously act as
-          a master for some zones, a slave for other zones, and as a caching
-          (recursive) server for a set of local clients.
-        </para>
-
-        <para>
-          However, since the functions of authoritative name service
-          and caching/recursive name service are logically separate, it is
-          often advantageous to run them on separate server machines.
-
-          A server that only provides authoritative name service
-          (an <emphasis>authoritative-only</emphasis> server) can run with
-          recursion disabled, improving reliability and security.
-
-          A server that is not authoritative for any zones and only provides
-          recursive service to local
-          clients (a <emphasis>caching-only</emphasis> server)
-          does not need to be reachable from the Internet at large and can
-          be placed inside a firewall.
-        </para>
-
-      </sect2>
-    </sect1>
-
-  </chapter>
-
-  <chapter id="Bv9ARM.ch02">
-    <title><acronym>BIND</acronym> Resource Requirements</title>
-
-    <sect1>
-      <title>Hardware requirements</title>
-
-      <para>
-        <acronym>DNS</acronym> hardware requirements have
-        traditionally been quite modest.
-        For many installations, servers that have been pensioned off from
-        active duty have performed admirably as <acronym>DNS</acronym> servers.
-      </para>
-      <para>
-        The DNSSEC features of <acronym>BIND</acronym> 9
-        may prove to be quite
-        CPU intensive however, so organizations that make heavy use of these
-        features may wish to consider larger systems for these applications.
-        <acronym>BIND</acronym> 9 is fully multithreaded, allowing
-        full utilization of
-        multiprocessor systems for installations that need it.
-      </para>
-    </sect1>
-    <sect1>
-      <title>CPU Requirements</title>
-      <para>
-        CPU requirements for <acronym>BIND</acronym> 9 range from
-        i486-class machines
-        for serving of static zones without caching, to enterprise-class
-        machines if you intend to process many dynamic updates and DNSSEC
-        signed zones, serving many thousands of queries per second.
-      </para>
-    </sect1>
-
-    <sect1>
-      <title>Memory Requirements</title>
-      <para>
-        The memory of the server has to be large enough to fit the
-        cache and zones loaded off disk.  The <command>max-cache-size</command>
-        option can be used to limit the amount of memory used by the cache,
-        at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
-        traffic.
-        Additionally, if additional section caching
-        (<xref linkend="acache"/>) is enabled,
-        the <command>max-acache-size</command> option can be used to
-        limit the amount
-        of memory used by the mechanism.
-        It is still good practice to have enough memory to load
-        all zone and cache data into memory &mdash; unfortunately, the best
-        way
-        to determine this for a given installation is to watch the name server
-        in operation. After a few weeks the server process should reach
-        a relatively stable size where entries are expiring from the cache as
-        fast as they are being inserted.
-      </para>
-      <!--
-        - Add something here about leaving overhead for attacks?
-	- How much overhead?  Percentage?
-        -->
-    </sect1>
-
-    <sect1>
-      <title>Name Server Intensive Environment Issues</title>
-      <para>
-        For name server intensive environments, there are two alternative
-        configurations that may be used. The first is where clients and
-        any second-level internal name servers query a main name server, which
-        has enough memory to build a large cache. This approach minimizes
-        the bandwidth used by external name lookups. The second alternative
-        is to set up second-level internal name servers to make queries
-        independently.
-        In this configuration, none of the individual machines needs to
-        have as much memory or CPU power as in the first alternative, but
-        this has the disadvantage of making many more external queries,
-        as none of the name servers share their cached data.
-      </para>
-    </sect1>
-
-    <sect1>
-      <title>Supported Operating Systems</title>
-      <para>
-        ISC <acronym>BIND</acronym> 9 compiles and runs on a large
-        number
-        of Unix-like operating systems and on 
-        Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
-        For an up-to-date
-        list of supported systems, see the README file in the top level
-        directory
-        of the BIND 9 source distribution.
-      </para>
-    </sect1>
-  </chapter>
-
-  <chapter id="Bv9ARM.ch03">
-    <title>Name Server Configuration</title>
-    <para>
-      In this chapter we provide some suggested configurations along
-      with guidelines for their use.  We suggest reasonable values for
-      certain option settings.
-    </para>
-
-    <sect1 id="sample_configuration">
-      <title>Sample Configurations</title>
-      <sect2>
-        <title>A Caching-only Name Server</title>
-        <para>
-          The following sample configuration is appropriate for a caching-only
-          name server for use by clients internal to a corporation.  All
-          queries
-          from outside clients are refused using the <command>allow-query</command>
-          option.  Alternatively, the same effect could be achieved using
-          suitable
-          firewall rules.
-        </para>
-
-<programlisting>
-// Two corporate subnets we wish to allow queries from.
-acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
-options {
-     // Working directory
-     directory "/etc/namedb";
-
-     allow-query { corpnets; };
-};
-// Provide a reverse mapping for the loopback
-// address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
-     type master;
-     file "localhost.rev";
-     notify no;
-};
-</programlisting>
-
-      </sect2>
-
-      <sect2>
-        <title>An Authoritative-only Name Server</title>
-        <para>
-          This sample configuration is for an authoritative-only server
-          that is the master server for "<filename>example.com</filename>"
-          and a slave for the subdomain "<filename>eng.example.com</filename>".
-        </para>
-
-<programlisting>
-options {
-     // Working directory
-     directory "/etc/namedb";
-     // Do not allow access to cache
-     allow-query-cache { none; };
-     // This is the default
-     allow-query { any; };
-     // Do not provide recursive service
-     recursion no;
-};
-
-// Provide a reverse mapping for the loopback
-// address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
-     type master;
-     file "localhost.rev";
-     notify no;
-};
-// We are the master server for example.com
-zone "example.com" {
-     type master;
-     file "example.com.db";
-     // IP addresses of slave servers allowed to
-     // transfer example.com
-     allow-transfer {
-          192.168.4.14;
-          192.168.5.53;
-     };
-};
-// We are a slave server for eng.example.com
-zone "eng.example.com" {
-     type slave;
-     file "eng.example.com.bk";
-     // IP address of eng.example.com master server
-     masters { 192.168.4.12; };
-};
-</programlisting>
-
-      </sect2>
-    </sect1>
-
-    <sect1>
-      <title>Load Balancing</title>
-      <!--
-        - Add explanation of why load balancing is fragile at best
-	- and completely pointless in the general case.
-        -->
-
-      <para>
-        A primitive form of load balancing can be achieved in
-        the <acronym>DNS</acronym> by using multiple records
-	(such as multiple A records) for one name.
-      </para>
-
-      <para>
-        For example, if you have three WWW servers with network addresses
-        of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-        following means that clients will connect to each machine one third
-        of the time:
-      </para>
-
-      <informaltable colsep="0" rowsep="0">
-        <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
-          <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
-          <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
-          <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
-          <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
-          <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
-          <tbody>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  Name
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  TTL
-                </para>
-              </entry>
-              <entry colname="3">
-                <para>
-                  CLASS
-                </para>
-              </entry>
-              <entry colname="4">
-                <para>
-                  TYPE
-                </para>
-              </entry>
-              <entry colname="5">
-                <para>
-                  Resource Record (RR) Data
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <literal>www</literal>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  <literal>600</literal>
-                </para>
-              </entry>
-              <entry colname="3">
-                <para>
-                  <literal>IN</literal>
-                </para>
-              </entry>
-              <entry colname="4">
-                <para>
-                  <literal>A</literal>
-                </para>
-              </entry>
-              <entry colname="5">
-                <para>
-                  <literal>10.0.0.1</literal>
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para/>
-              </entry>
-              <entry colname="2">
-                <para>
-                  <literal>600</literal>
-                </para>
-              </entry>
-              <entry colname="3">
-                <para>
-                  <literal>IN</literal>
-                </para>
-              </entry>
-              <entry colname="4">
-                <para>
-                  <literal>A</literal>
-                </para>
-              </entry>
-              <entry colname="5">
-                <para>
-                  <literal>10.0.0.2</literal>
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para/>
-              </entry>
-              <entry colname="2">
-                <para>
-                  <literal>600</literal>
-                </para>
-              </entry>
-              <entry colname="3">
-                <para>
-                  <literal>IN</literal>
-                </para>
-              </entry>
-              <entry colname="4">
-                <para>
-                  <literal>A</literal>
-                </para>
-              </entry>
-              <entry colname="5">
-                <para>
-                  <literal>10.0.0.3</literal>
-                </para>
-              </entry>
-            </row>
-          </tbody>
-        </tgroup>
-      </informaltable>
-      <para>
-        When a resolver queries for these records, <acronym>BIND</acronym> will rotate
-        them and respond to the query with the records in a different
-        order.  In the example above, clients will randomly receive
-        records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
-        will use the first record returned and discard the rest.
-      </para>
-      <para>
-        For more detail on ordering responses, check the
-        <command>rrset-order</command> sub-statement in the
-        <command>options</command> statement, see
-        <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
-      </para>
-
-    </sect1>
-
-    <sect1>
-      <title>Name Server Operations</title>
-
-      <sect2>
-        <title>Tools for Use With the Name Server Daemon</title>
-        <para>
-          This section describes several indispensable diagnostic,
-          administrative and monitoring tools available to the system
-          administrator for controlling and debugging the name server
-          daemon.
-        </para>
-        <sect3 id="diagnostic_tools">
-          <title>Diagnostic Tools</title>
-          <para>
-            The <command>dig</command>, <command>host</command>, and
-            <command>nslookup</command> programs are all command
-            line tools
-            for manually querying name servers.  They differ in style and
-            output format.
-          </para>
-
-          <variablelist>
-            <varlistentry>
-              <term id="dig"><command>dig</command></term>
-              <listitem>
-                <para>
-                  The domain information groper (<command>dig</command>)
-                  is the most versatile and complete of these lookup tools.
-                  It has two modes: simple interactive
-                  mode for a single query, and batch mode which executes a
-                  query for
-                  each in a list of several query lines. All query options are
-                  accessible
-                  from the command line.
-                </para>
-                <cmdsynopsis label="Usage">
-                  <command>dig</command>
-                  <arg>@<replaceable>server</replaceable></arg>
-                  <arg choice="plain"><replaceable>domain</replaceable></arg>
-                  <arg><replaceable>query-type</replaceable></arg>
-                  <arg><replaceable>query-class</replaceable></arg>
-                  <arg>+<replaceable>query-option</replaceable></arg>
-                  <arg>-<replaceable>dig-option</replaceable></arg>
-                  <arg>%<replaceable>comment</replaceable></arg>
-                </cmdsynopsis>
-                <para>
-                  The usual simple use of <command>dig</command> will take the form
-                </para>
-                <simpara>
-                  <command>dig @server domain query-type query-class</command>
-                </simpara>
-                <para>
-                  For more information and a list of available commands and
-                  options, see the <command>dig</command> man
-                  page.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>host</command></term>
-              <listitem>
-                <para>
-                  The <command>host</command> utility emphasizes
-                  simplicity
-                  and ease of use.  By default, it converts
-                  between host names and Internet addresses, but its
-                  functionality
-                  can be extended with the use of options.
-                </para>
-                <cmdsynopsis label="Usage">
-                  <command>host</command>
-                  <arg>-aCdlnrsTwv</arg>
-                  <arg>-c <replaceable>class</replaceable></arg>
-                  <arg>-N <replaceable>ndots</replaceable></arg>
-                  <arg>-t <replaceable>type</replaceable></arg>
-                  <arg>-W <replaceable>timeout</replaceable></arg>
-                  <arg>-R <replaceable>retries</replaceable></arg>
-                  <arg>-m <replaceable>flag</replaceable></arg>
-		  <arg>-4</arg>
-		  <arg>-6</arg>
-                  <arg choice="plain"><replaceable>hostname</replaceable></arg>
-                  <arg><replaceable>server</replaceable></arg>
-                </cmdsynopsis>
-                <para>
-                  For more information and a list of available commands and
-                  options, see the <command>host</command> man
-                  page.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>nslookup</command></term>
-              <listitem>
-                <para><command>nslookup</command>
-		  has two modes: interactive and
-                  non-interactive. Interactive mode allows the user to
-                  query name servers for information about various
-                  hosts and domains or to print a list of hosts in a
-                  domain. Non-interactive mode is used to print just
-                  the name and requested information for a host or
-                  domain.
-                </para>
-                <cmdsynopsis label="Usage">
-                  <command>nslookup</command>
-                  <arg rep="repeat">-option</arg>
-                  <group>
-                    <arg><replaceable>host-to-find</replaceable></arg>
-                    <arg>- <arg>server</arg></arg>
-                  </group>
-                </cmdsynopsis>
-                <para>
-                  Interactive mode is entered when no arguments are given (the
-                  default name server will be used) or when the first argument
-                  is a
-                  hyphen (`-') and the second argument is the host name or
-                  Internet address
-                  of a name server.
-                </para>
-                <para>
-                  Non-interactive mode is used when the name or Internet
-                  address
-                  of the host to be looked up is given as the first argument.
-                  The
-                  optional second argument specifies the host name or address
-                  of a name server.
-                </para>
-                <para>
-                  Due to its arcane user interface and frequently inconsistent
-                  behavior, we do not recommend the use of <command>nslookup</command>.
-                  Use <command>dig</command> instead.
-                </para>
-              </listitem>
-
-            </varlistentry>
-          </variablelist>
-        </sect3>
-
-        <sect3 id="admin_tools">
-          <title>Administrative Tools</title>
-          <para>
-            Administrative tools play an integral part in the management
-            of a server.
-          </para>
-          <variablelist>
-            <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
-
-              <term><command>named-checkconf</command></term>
-              <listitem>
-                <para>
-                  The <command>named-checkconf</command> program
-                  checks the syntax of a <filename>named.conf</filename> file.
-                </para>
-                <cmdsynopsis label="Usage">
-                  <command>named-checkconf</command>
-                  <arg>-jvz</arg>
-                  <arg>-t <replaceable>directory</replaceable></arg>
-                  <arg><replaceable>filename</replaceable></arg>
-                </cmdsynopsis>
-              </listitem>
-            </varlistentry>
-            <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
-
-              <term><command>named-checkzone</command></term>
-              <listitem>
-                <para>
-                  The <command>named-checkzone</command> program
-                  checks a master file for
-                  syntax and consistency.
-                </para>
-                <cmdsynopsis label="Usage">
-                  <command>named-checkzone</command>
-                  <arg>-djqvD</arg>
-                  <arg>-c <replaceable>class</replaceable></arg>
-                  <arg>-o <replaceable>output</replaceable></arg>
-                  <arg>-t <replaceable>directory</replaceable></arg>
-                  <arg>-w <replaceable>directory</replaceable></arg>
-                  <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
-                  <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
-                  <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
-                  <arg choice="plain"><replaceable>zone</replaceable></arg>
-                  <arg><replaceable>filename</replaceable></arg>
-                </cmdsynopsis>
-              </listitem>
-            </varlistentry>
-	    <varlistentry id="named-compilezone" xreflabel="Zone Compilation application">
-	      <term><command>named-compilezone</command></term>
-	      <listitem>
-		<para>
-		  Similar to <command>named-checkzone,</command> but
-		  it always dumps the zone content to a specified file
-		  (typically in a different format).
-		</para>
-	      </listitem>
-	    </varlistentry>
-            <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
-
-              <term><command>rndc</command></term>
-              <listitem>
-                <para>
-                  The remote name daemon control
-                  (<command>rndc</command>) program allows the
-                  system
-                  administrator to control the operation of a name server.
-                  Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
-                  supports all the commands of the BIND 8 <command>ndc</command>
-                  utility except <command>ndc start</command> and
-                  <command>ndc restart</command>, which were also
-                  not supported in <command>ndc</command>'s
-                  channel mode.
-                  If you run <command>rndc</command> without any
-                  options
-                  it will display a usage message as follows:
-                </para>
-                <cmdsynopsis label="Usage">
-                  <command>rndc</command>
-                  <arg>-c <replaceable>config</replaceable></arg>
-                  <arg>-s <replaceable>server</replaceable></arg>
-                  <arg>-p <replaceable>port</replaceable></arg>
-                  <arg>-y <replaceable>key</replaceable></arg>
-                  <arg choice="plain"><replaceable>command</replaceable></arg>
-                  <arg rep="repeat"><replaceable>command</replaceable></arg>
-                </cmdsynopsis>
-                <para>The <command>command</command>
-		  is one of the following:
-                </para>
-
-                <variablelist>
-
-                  <varlistentry>
-                    <term><userinput>reload</userinput></term>
-                    <listitem>
-                      <para>
-                        Reload configuration file and zones.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>reload <replaceable>zone</replaceable>
-                        <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Reload the given zone.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>refresh <replaceable>zone</replaceable>
-                        <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Schedule zone maintenance for the given zone.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>retransfer <replaceable>zone</replaceable>
-
-                        <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Retransfer the given zone from the master.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>sign <replaceable>zone</replaceable>
-                        <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Fetch all DNSSEC keys for the given zone
-                        from the key directory (see
-                        <command>key-directory</command> in
-                        <xref linkend="options"/>).  If they are within
-                        their publication period, merge them into the
-                        zone's DNSKEY RRset.  If the DNSKEY RRset
-                        is changed, then the zone is automatically
-                        re-signed with the new key set.
-                      </para>
-                      <para>
-                        This command requires that the
-                        <command>auto-dnssec</command> zone option be set
-                        to <literal>allow</literal> or
-                        <literal>maintain</literal>,
-                        and also requires the zone to be configured to
-                        allow dynamic DNS.
-                        See <xref linkend="dynamic_update_policies"/> for
-                        more details.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>loadkeys <replaceable>zone</replaceable>
-                        <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Fetch all DNSSEC keys for the given zone
-                        from the key directory (see
-                        <command>key-directory</command> in
-                        <xref linkend="options"/>).  If they are within
-                        their publication period, merge them into the
-                        zone's DNSKEY RRset.  Unlike <command>rndc
-                        sign</command>, however, the zone is not
-                        immediately re-signed by the new keys, but is
-                        allowed to incrementally re-sign over time.
-                      </para>
-                      <para>
-                        This command requires that the
-                        <command>auto-dnssec</command> zone option
-                        be set to <literal>maintain</literal>,
-                        and also requires the zone to be configured to
-                        allow dynamic DNS.
-                        See <xref linkend="dynamic_update_policies"/> for
-                        more details.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>freeze
-                        <optional><replaceable>zone</replaceable>
-       <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Suspend updates to a dynamic zone.  If no zone is
-                        specified, then all zones are suspended.  This allows
-                        manual edits to be made to a zone normally updated by
-                        dynamic update.  It also causes changes in the
-                        journal file to be synced into the master file.
-                        All dynamic update attempts will be refused while
-                        the zone is frozen.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>thaw
-                        <optional><replaceable>zone</replaceable>
-       <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Enable updates to a frozen dynamic zone.  If no
-                        zone is specified, then all frozen zones are
-                        enabled.  This causes the server to reload the zone
-                        from disk, and re-enables dynamic updates after the
-                        load has completed.  After a zone is thawed,
-                        dynamic updates will no longer be refused.  If
-                        the zone has changed and the
-                        <command>ixfr-from-differences</command> option is
-                        in use, then the journal file will be updated to
-                        reflect changes in the zone.  Otherwise, if the
-                        zone has changed, any existing journal file will be
-                        removed.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>sync
-                        <optional>-clean</optional>
-                        <optional><replaceable>zone</replaceable>
-       <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Sync changes in the journal file for a dynamic zone
-                        to the master file.  If the "-clean" option is
-                        specified, the journal file is also removed.  If
-                        no zone is specified, then all zones are synced.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>notify <replaceable>zone</replaceable>
-                        <optional><replaceable>class</replaceable>
-           <optional><replaceable>view</replaceable></optional></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Resend NOTIFY messages for the zone.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>reconfig</userinput></term>
-                    <listitem>
-                      <para>
-                        Reload the configuration file and load new zones,
-                        but do not reload existing zone files even if they
-                        have changed.
-                        This is faster than a full <command>reload</command> when there
-                        is a large number of zones because it avoids the need
-                        to examine the
-                        modification times of the zones files.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>stats</userinput></term>
-                    <listitem>
-                      <para>
-                        Write server statistics to the statistics file.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-		    <term><userinput>querylog</userinput>
-			  <optional>on|off</optional>
-		    </term>
-                    <listitem>
-                      <para>
-                        Enable or disable query logging.  (For backward
-                        compatibility, this command can also be used without
-                        an argument to toggle query logging on and off.)
-                      </para>
-                      <para>
-                        Query logging can also be enabled
-                        by explicitly directing the <command>queries</command>
-                        <command>category</command> to a
-		        <command>channel</command> in the
-                        <command>logging</command> section of
-                        <filename>named.conf</filename> or by specifying
-			<command>querylog yes;</command> in the
-			<command>options</command> section of
-			<filename>named.conf</filename>.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>dumpdb
-                        <optional>-all|-cache|-zone</optional>
-                        <optional><replaceable>view ...</replaceable></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Dump the server's caches (default) and/or zones to
-                        the
-                        dump file for the specified views.  If no view is
-                        specified, all
-                        views are dumped.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>secroots
-                        <optional><replaceable>view ...</replaceable></optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Dump the server's security roots to the secroots
-                        file for the specified views.  If no view is
-                        specified, security roots for all
-                        views are dumped.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>stop <optional>-p</optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Stop the server, making sure any recent changes
-                        made through dynamic update or IXFR are first saved to
-                        the master files of the updated zones.
-			If <option>-p</option> is specified <command>named</command>'s process id is returned.
-			This allows an external process to determine when <command>named</command>
-			had completed stopping.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>halt <optional>-p</optional></userinput></term>
-                    <listitem>
-                      <para>
-                        Stop the server immediately.  Recent changes
-                        made through dynamic update or IXFR are not saved to
-                        the master files, but will be rolled forward from the
-			journal files when the server is restarted.
-			If <option>-p</option> is specified <command>named</command>'s process id is returned.
-			This allows an external process to determine when <command>named</command>
-			had completed halting.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>trace</userinput></term>
-                    <listitem>
-                      <para>
-                        Increment the servers debugging level by one.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>trace <replaceable>level</replaceable></userinput></term>
-                    <listitem>
-                      <para>
-                        Sets the server's debugging level to an explicit
-                        value.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>notrace</userinput></term>
-                    <listitem>
-                      <para>
-                        Sets the server's debugging level to 0.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>flush</userinput></term>
-                    <listitem>
-                      <para>
-                        Flushes the server's cache.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>flushname</userinput>
-                       <replaceable>name</replaceable>
-                       <optional><replaceable>view</replaceable></optional>
-                       </term>
-                    <listitem>
-                      <para>
-                        Flushes the given name from the server's DNS cache,
-                        and from the server's nameserver address database
-                        if applicable.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>flushtree</userinput>
-                       <replaceable>name</replaceable>
-                       <optional><replaceable>view</replaceable></optional>
-                       </term>
-                    <listitem>
-                      <para>
-                        Flushes the given name, and all of its subdomains,
-                        from the server's DNS cache.  (The server's
-                        nameserver address database is not affected.)
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>status</userinput></term>
-                    <listitem>
-                      <para>
-                        Display status of the server.
-                        Note that the number of zones includes the internal <command>bind/CH</command> zone
-                        and the default <command>./IN</command>
-                        hint zone if there is not an
-                        explicit root zone configured.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>recursing</userinput></term>
-                    <listitem>
-                      <para>
-                        Dump the list of queries <command>named</command> is currently recursing
-                        on.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>validation
-                        <optional>on|off</optional>
-                        <optional><replaceable>view ...</replaceable></optional>
-                    </userinput></term>
-                    <listitem>
-                      <para>
-                        Enable or disable DNSSEC validation.
-                        Note <command>dnssec-enable</command> also needs to be
-                        set to <userinput>yes</userinput> to be effective.
-                        It defaults to enabled.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>tsig-list</userinput></term>
-                    <listitem>
-                      <para>
-                        List the names of all TSIG keys currently configured
-                        for use by <command>named</command> in each view.  The
-                        list both statically configured keys and dynamic
-                        TKEY-negotiated keys.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>tsig-delete</userinput>
-                     <replaceable>keyname</replaceable>
-                     <optional><replaceable>view</replaceable></optional></term>
-                    <listitem>
-                      <para>
-                        Delete a given TKEY-negotiated key from the server.
-                        (This does not apply to statically configured TSIG
-                        keys.)
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>addzone
-                        <replaceable>zone</replaceable>
-                        <optional><replaceable>class</replaceable>
-                        <optional><replaceable>view</replaceable></optional></optional>
-                        <replaceable>configuration</replaceable>
-                    </userinput></term>
-                    <listitem>
-                      <para>
-                        Add a zone while the server is running.  This
-                        command requires the
-                        <command>allow-new-zones</command> option to be set
-                        to <userinput>yes</userinput>.  The
-                        <replaceable>configuration</replaceable> string
-                        specified on the command line is the zone
-                        configuration text that would ordinarily be
-                        placed in <filename>named.conf</filename>.
-                      </para>
-                      <para>
-                        The configuration is saved in a file called
-                       <filename><replaceable>hash</replaceable>.nzf</filename>,
-                        where <replaceable>hash</replaceable> is a
-                        cryptographic hash generated from the name of
-                        the view.  When <command>named</command> is
-                        restarted, the file will be loaded into the view
-                        configuration, so that zones that were added
-                        can persist after a restart.
-                      </para>
-                      <para>
-                        This sample <command>addzone</command> command
-                        would add the zone <literal>example.com</literal>
-                        to the default view:
-                      </para>
-                      <para>
-<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
-                      </para>
-                      <para>
-                        (Note the brackets and semi-colon around the zone
-                        configuration text.)
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>delzone
-                        <replaceable>zone</replaceable>
-                        <optional><replaceable>class</replaceable>
-                        <optional><replaceable>view</replaceable></optional></optional>
-                    </userinput></term>
-                    <listitem>
-                      <para>
-                        Delete a zone while the server is running.
-                        Only zones that were originally added via
-                        <command>rndc addzone</command> can be deleted
-                        in this matter.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term><userinput>signing
-                        <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional>
-                        <replaceable>zone</replaceable>
-                        <optional><replaceable>class</replaceable>
-                        <optional><replaceable>view</replaceable></optional></optional>
-                    </userinput></term>
-                    <listitem>
-                      <para>
-                        List, edit, or remove the DNSSEC signing state for 
-                        the specified zone.  The status of ongoing DNSSEC
-                        operations (such as signing or generating
-                        NSEC3 chains) is stored in the zone in the form
-                        of DNS resource records of type
-                        <command>sig-signing-type</command>. 
-                        <command>rndc signing -list</command> converts
-                        these records into a human-readable form,
-                        indicating which keys are currently signing
-                        or have finished signing the zone, and which NSEC3
-                        NSEC3 chains are being created or removed.
-                      </para>
-                      <para>
-                        <command>rndc signing -clear</command> can remove
-                        a single key (specified in the same format that
-                        <command>rndc signing -list</command> uses to
-                        display it), or all keys.  In either case, only
-                        completed keys are removed; any record indicating
-                        that a key has not yet finished signing the zone
-                        will be retained.
-                      </para>
-                      <para>
-                        <command>rndc signing -nsec3param</command> sets
-                        the NSEC3 parameters for a zone.  This is the
-                        only supported mechanism for using NSEC3 with
-                        <command>inline-signing</command> zones.
-                        Parameters are specified in the same format as
-                        an NSEC3PARAM resource record: hash algorithm,
-                        flags, iterations, and salt, in that order.
-                      </para>
-                      <para>
-                        Currently, the only defined value for hash algorithm 
-                        is <literal>1</literal>, representing SHA-1.
-                        The <option>flags</option> may be set to
-                        <literal>0</literal> or <literal>1</literal>,
-                        depending on whether you wish to set the opt-out
-                        bit in the NSEC3 chain.  <option>iterations</option>
-                        defines the number of additional times to apply
-                        the algorithm when generating an NSEC3 hash.  The
-                        <option>salt</option> is a string of data expressed
-                        in hexidecimal, or a hyphen (`-') if no salt is
-                        to be used.
-                      </para>
-                      <para>
-                        So, for example, to create an NSEC3 chain using
-                        the SHA-1 hash algorithm, no opt-out flag,
-                        10 iterations, and a salt value of "FFFF", use:
-                        <command>rndc signing -nsec3param 1 0 10 FFFF &lt;zone&gt;</command>.
-                        To set the opt-out flag, 15 iterations, and no
-                        salt, use:
-                        <command>rndc signing -nsec3param 1 1 15 - &lt;zone&gt;</command>.
-                      </para>
-                      <para>
-                        <command>rndc signing -nsec3param none</command>
-                        removes an existing NSEC3 chain and replaces it
-                        with NSEC.
-                      </para>
-                    </listitem>
-                  </varlistentry>
-
-                </variablelist>
-
-                <para>
-                  A configuration file is required, since all
-                  communication with the server is authenticated with
-                  digital signatures that rely on a shared secret, and
-                  there is no way to provide that secret other than with a
-                  configuration file.  The default location for the
-                  <command>rndc</command> configuration file is
-                  <filename>/etc/rndc.conf</filename>, but an
-                  alternate
-                  location can be specified with the <option>-c</option>
-                  option.  If the configuration file is not found,
-                  <command>rndc</command> will also look in
-                  <filename>/etc/rndc.key</filename> (or whatever
-                  <varname>sysconfdir</varname> was defined when
-                  the <acronym>BIND</acronym> build was
-                  configured).
-                  The <filename>rndc.key</filename> file is
-                  generated by
-                  running <command>rndc-confgen -a</command> as
-                  described in
-                  <xref linkend="controls_statement_definition_and_usage"/>.
-                </para>
-
-                <para>
-                  The format of the configuration file is similar to
-                  that of <filename>named.conf</filename>, but
-                  limited to
-                  only four statements, the <command>options</command>,
-                  <command>key</command>, <command>server</command> and
-                  <command>include</command>
-                  statements.  These statements are what associate the
-                  secret keys to the servers with which they are meant to
-                  be shared.  The order of statements is not
-                  significant.
-                </para>
-
-                <para>
-                  The <command>options</command> statement has
-                  three clauses:
-                  <command>default-server</command>, <command>default-key</command>,
-                  and <command>default-port</command>.
-                  <command>default-server</command> takes a
-                  host name or address argument  and represents the server
-                  that will
-                  be contacted if no <option>-s</option>
-                  option is provided on the command line.
-                  <command>default-key</command> takes
-                  the name of a key as its argument, as defined by a <command>key</command> statement.
-                  <command>default-port</command> specifies the
-                  port to which
-                  <command>rndc</command> should connect if no
-                  port is given on the command line or in a
-                  <command>server</command> statement.
-                </para>
-
-                <para>
-                  The <command>key</command> statement defines a
-                  key to be used
-                  by <command>rndc</command> when authenticating
-                  with
-                  <command>named</command>.  Its syntax is
-                  identical to the
-                  <command>key</command> statement in <filename>named.conf</filename>.
-                  The keyword <userinput>key</userinput> is
-                  followed by a key name, which must be a valid
-                  domain name, though it need not actually be hierarchical;
-                  thus,
-                  a string like "<userinput>rndc_key</userinput>" is a valid
-                  name.
-                  The <command>key</command> statement has two
-                  clauses:
-                  <command>algorithm</command> and <command>secret</command>.
-                  While the configuration parser will accept any string as the
-                  argument
-                  to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
-                  has any meaning.  The secret is a base-64 encoded string
-		  as specified in RFC 3548.
-                </para>
-
-                <para>
-                  The <command>server</command> statement
-                  associates a key
-                  defined using the <command>key</command>
-                  statement with a server.
-                  The keyword <userinput>server</userinput> is followed by a
-                  host name or address.  The <command>server</command> statement
-                  has two clauses: <command>key</command> and <command>port</command>.
-                  The <command>key</command> clause specifies the
-                  name of the key
-                  to be used when communicating with this server, and the
-                  <command>port</command> clause can be used to
-                  specify the port <command>rndc</command> should
-                  connect
-                  to on the server.
-                </para>
-
-                <para>
-                  A sample minimal configuration file is as follows:
-                </para>
-
-<programlisting>
-key rndc_key {
-     algorithm "hmac-md5";
-     secret
-       "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
-options {
-     default-server 127.0.0.1;
-     default-key    rndc_key;
-};
-</programlisting>
-
-                <para>
-                  This file, if installed as <filename>/etc/rndc.conf</filename>,
-                  would allow the command:
-                </para>
-
-                <para>
-                  <prompt>$ </prompt><userinput>rndc reload</userinput>
-                </para>
-
-                <para>
-                  to connect to 127.0.0.1 port 953 and cause the name server
-                  to reload, if a name server on the local machine were
-                  running with
-                  following controls statements:
-                </para>
-
-<programlisting>
-controls {
-        inet 127.0.0.1
-            allow { localhost; } keys { rndc_key; };
-};
-</programlisting>
-
-                <para>
-                  and it had an identical key statement for
-                  <literal>rndc_key</literal>.
-                </para>
-
-                <para>
-                  Running the <command>rndc-confgen</command>
-                  program will
-                  conveniently create a <filename>rndc.conf</filename>
-                  file for you, and also display the
-                  corresponding <command>controls</command>
-                  statement that you need to
-                  add to <filename>named.conf</filename>.
-                  Alternatively,
-                  you can run <command>rndc-confgen -a</command>
-                  to set up
-                  a <filename>rndc.key</filename> file and not
-                  modify
-                  <filename>named.conf</filename> at all.
-                </para>
-
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-        </sect3>
-      </sect2>
-      <sect2>
-
-        <title>Signals</title>
-        <para>
-          Certain UNIX signals cause the name server to take specific
-          actions, as described in the following table.  These signals can
-          be sent using the <command>kill</command> command.
-        </para>
-        <informaltable frame="all">
-          <tgroup cols="2">
-            <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
-            <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
-            <tbody>
-              <row rowsep="0">
-                <entry colname="1">
-                  <para><command>SIGHUP</command></para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Causes the server to read <filename>named.conf</filename> and
-                    reload the database.
-                  </para>
-                </entry>
-              </row>
-              <row rowsep="0">
-                <entry colname="1">
-                  <para><command>SIGTERM</command></para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Causes the server to clean up and exit.
-                  </para>
-                </entry>
-              </row>
-              <row rowsep="0">
-                <entry colname="1">
-                  <para><command>SIGINT</command></para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Causes the server to clean up and exit.
-                  </para>
-                </entry>
-              </row>
-            </tbody>
-          </tgroup>
-        </informaltable>
-      </sect2>
-    </sect1>
-  </chapter>
-
-  <chapter id="Bv9ARM.ch04">
-    <title>Advanced DNS Features</title>
-
-    <sect1 id="notify">
-
-      <title>Notify</title>
-      <para>
-        <acronym>DNS</acronym> NOTIFY is a mechanism that allows master
-        servers to notify their slave servers of changes to a zone's data. In
-        response to a <command>NOTIFY</command> from a master server, the
-        slave will check to see that its version of the zone is the
-        current version and, if not, initiate a zone transfer.
-      </para>
-
-      <para>
-        For more information about <acronym>DNS</acronym>
-        <command>NOTIFY</command>, see the description of the
-        <command>notify</command> option in <xref linkend="boolean_options"/> and
-        the description of the zone option <command>also-notify</command> in
-        <xref linkend="zone_transfers"/>.  The <command>NOTIFY</command>
-        protocol is specified in RFC 1996.
-      </para>
-
-      <note>
-	As a slave zone can also be a master to other slaves, <command>named</command>,
-        by default, sends <command>NOTIFY</command> messages for every zone
-	it loads.  Specifying <command>notify master-only;</command> will
-	cause <command>named</command> to only send <command>NOTIFY</command> for master
-	zones that it loads.
-      </note>
-
-    </sect1>
-
-    <sect1 id="dynamic_update">
-      <title>Dynamic Update</title>
-
-      <para>
-        Dynamic Update is a method for adding, replacing or deleting
-        records in a master server by sending it a special form of DNS
-        messages.  The format and meaning of these messages is specified
-        in RFC 2136.
-      </para>
-
-      <para>
-	Dynamic update is enabled by including an
-	<command>allow-update</command> or an <command>update-policy</command>
-	clause in the <command>zone</command> statement.
-      </para>
-      
-      <para>
-	If the zone's <command>update-policy</command> is set to
-	<userinput>local</userinput>, updates to the zone
-	will be permitted for the key <varname>local-ddns</varname>,
-        which will be generated by <command>named</command> at startup.
-	See <xref linkend="dynamic_update_policies"/> for more details.
-      </para>
-
-      <para>
-	Dynamic updates using Kerberos signed requests can be made
-	using the TKEY/GSS protocol by setting either the
-	<command>tkey-gssapi-keytab</command> option, or alternatively
-	by setting both the <command>tkey-gssapi-credential</command>
-	and <command>tkey-domain</command> options. Once enabled,
-	Kerberos signed requests will be matched against the update
-	policies for the zone, using the Kerberos principal as the
-	signer for the request.
-      </para>
-
-      <para>
-	Updating of secure zones (zones using DNSSEC) follows RFC
-	3007: RRSIG, NSEC and NSEC3 records affected by updates are
-	automatically regenerated by the server using an online
-	zone key.  Update authorization is based on transaction
-	signatures and an explicit server policy.
-      </para>
-
-      <sect2 id="journal">
-	<title>The journal file</title>
-
-        <para>
-          All changes made to a zone using dynamic update are stored
-          in the zone's journal file.  This file is automatically created
-          by the server when the first dynamic update takes place.
-          The name of the journal file is formed by appending the extension
-          <filename>.jnl</filename> to the name of the
-          corresponding zone
-          file unless specifically overridden.  The journal file is in a
-          binary format and should not be edited manually.
-        </para>
-
-        <para>
-          The server will also occasionally write ("dump")
-          the complete contents of the updated zone to its zone file.
-          This is not done immediately after
-          each dynamic update, because that would be too slow when a large
-          zone is updated frequently.  Instead, the dump is delayed by
-          up to 15 minutes, allowing additional updates to take place.
-          During the dump process, transient files will be created
-          with the extensions <filename>.jnw</filename> and
-          <filename>.jbk</filename>; under ordinary circumstances, these
-          will be removed when the dump is complete, and can be safely
-          ignored.
-        </para>
-
-        <para>
-          When a server is restarted after a shutdown or crash, it will replay
-              the journal file to incorporate into the zone any updates that
-          took
-          place after the last zone dump.
-        </para>
-
-        <para>
-          Changes that result from incoming incremental zone transfers are
-          also
-          journalled in a similar way.
-        </para>
-
-        <para>
-          The zone files of dynamic zones cannot normally be edited by
-          hand because they are not guaranteed to contain the most recent
-          dynamic changes &mdash; those are only in the journal file.
-          The only way to ensure that the zone file of a dynamic zone
-          is up to date is to run <command>rndc stop</command>.
-        </para>
-
-        <para>
-          If you have to make changes to a dynamic zone
-          manually, the following procedure will work: Disable dynamic updates
-              to the zone using
-          <command>rndc freeze <replaceable>zone</replaceable></command>.
-          This will also remove the zone's <filename>.jnl</filename> file
-          and update the master file.  Edit the zone file.  Run
-          <command>rndc thaw <replaceable>zone</replaceable></command>
-          to reload the changed zone and re-enable dynamic updates.
-        </para>
-
-      </sect2>
-
-    </sect1>
-
-    <sect1 id="incremental_zone_transfers">
-      <title>Incremental Zone Transfers (IXFR)</title>
-
-      <para>
-        The incremental zone transfer (IXFR) protocol is a way for
-        slave servers to transfer only changed data, instead of having to
-        transfer the entire zone. The IXFR protocol is specified in RFC
-        1995. See <xref linkend="proposed_standards"/>.
-      </para>
-
-      <para>
-        When acting as a master, <acronym>BIND</acronym> 9
-        supports IXFR for those zones
-        where the necessary change history information is available. These
-        include master zones maintained by dynamic update and slave zones
-        whose data was obtained by IXFR.  For manually maintained master
-        zones, and for slave zones obtained by performing a full zone
-        transfer (AXFR), IXFR is supported only if the option
-        <command>ixfr-from-differences</command> is set
-        to <userinput>yes</userinput>.
-      </para>
-
-      <para>
-        When acting as a slave, <acronym>BIND</acronym> 9 will
-        attempt to use IXFR unless
-        it is explicitly disabled. For more information about disabling
-        IXFR, see the description of the <command>request-ixfr</command> clause
-        of the <command>server</command> statement.
-      </para>
-    </sect1>
-
-    <sect1>
-      <title>Split DNS</title>
-      <para>
-        Setting up different views, or visibility, of the DNS space to
-        internal and external resolvers is usually referred to as a
-	<emphasis>Split DNS</emphasis> setup. There are several
-        reasons an organization would want to set up its DNS this way.
-      </para>
-      <para>
-        One common reason for setting up a DNS system this way is
-        to hide "internal" DNS information from "external" clients on the
-        Internet. There is some debate as to whether or not this is actually
-        useful.
-        Internal DNS information leaks out in many ways (via email headers,
-        for example) and most savvy "attackers" can find the information
-        they need using other means.
-	However, since listing addresses of internal servers that
-        external clients cannot possibly reach can result in
-        connection delays and other annoyances, an organization may
-        choose to use a Split DNS to present a consistent view of itself
-        to the outside world.
-      </para>
-      <para>
-        Another common reason for setting up a Split DNS system is
-        to allow internal networks that are behind filters or in RFC 1918
-        space (reserved IP space, as documented in RFC 1918) to resolve DNS
-        on the Internet. Split DNS can also be used to allow mail from outside
-        back in to the internal network.
-      </para>
-     <sect2>
-      <title>Example split DNS setup</title>
-      <para>
-        Let's say a company named <emphasis>Example, Inc.</emphasis>
-        (<literal>example.com</literal>)
-        has several corporate sites that have an internal network with
-        reserved
-        Internet Protocol (IP) space and an external demilitarized zone (DMZ),
-        or "outside" section of a network, that is available to the public.
-      </para>
-      <para>
-        <emphasis>Example, Inc.</emphasis> wants its internal clients
-        to be able to resolve external hostnames and to exchange mail with
-        people on the outside. The company also wants its internal resolvers
-        to have access to certain internal-only zones that are not available
-        at all outside of the internal network.
-      </para>
-      <para>
-        In order to accomplish this, the company will set up two sets
-        of name servers. One set will be on the inside network (in the
-        reserved
-        IP space) and the other set will be on bastion hosts, which are
-        "proxy"
-        hosts that can talk to both sides of its network, in the DMZ.
-      </para>
-      <para>
-        The internal servers will be configured to forward all queries,
-        except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
-        and <filename>site2.example.com</filename>, to the servers
-        in the
-        DMZ. These internal servers will have complete sets of information
-        for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>, <filename>site1.internal</filename>,
-        and <filename>site2.internal</filename>.
-      </para>
-      <para>
-        To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
-        the internal name servers must be configured to disallow all queries
-        to these domains from any external hosts, including the bastion
-        hosts.
-      </para>
-      <para>
-        The external servers, which are on the bastion hosts, will
-        be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
-        This could include things such as the host records for public servers
-        (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
-        and mail exchange (MX)  records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
-      </para>
-      <para>
-        In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
-        should have special MX records that contain wildcard (`*') records
-        pointing to the bastion hosts. This is needed because external mail
-        servers do not have any other way of looking up how to deliver mail
-        to those internal hosts. With the wildcard records, the mail will
-        be delivered to the bastion host, which can then forward it on to
-        internal hosts.
-      </para>
-      <para>
-        Here's an example of a wildcard MX record:
-      </para>
-      <programlisting>*   IN MX 10 external1.example.com.</programlisting>
-      <para>
-        Now that they accept mail on behalf of anything in the internal
-        network, the bastion hosts will need to know how to deliver mail
-        to internal hosts. In order for this to work properly, the resolvers
-        on
-        the bastion hosts will need to be configured to point to the internal
-        name servers for DNS resolution.
-      </para>
-      <para>
-        Queries for internal hostnames will be answered by the internal
-        servers, and queries for external hostnames will be forwarded back
-        out to the DNS servers on the bastion hosts.
-      </para>
-      <para>
-        In order for all this to work properly, internal clients will
-        need to be configured to query <emphasis>only</emphasis> the internal
-        name servers for DNS queries. This could also be enforced via
-        selective
-        filtering on the network.
-      </para>
-      <para>
-        If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
-        internal clients will now be able to:
-      </para>
-      <itemizedlist>
-        <listitem>
-          <simpara>
-            Look up any hostnames in the <literal>site1</literal>
-            and
-            <literal>site2.example.com</literal> zones.
-          </simpara>
-        </listitem>
-        <listitem>
-          <simpara>
-            Look up any hostnames in the <literal>site1.internal</literal> and
-            <literal>site2.internal</literal> domains.
-          </simpara>
-        </listitem>
-        <listitem>
-          <simpara>Look up any hostnames on the Internet.</simpara>
-        </listitem>
-        <listitem>
-          <simpara>Exchange mail with both internal and external people.</simpara>
-        </listitem>
-      </itemizedlist>
-      <para>
-        Hosts on the Internet will be able to:
-      </para>
-      <itemizedlist>
-        <listitem>
-          <simpara>
-            Look up any hostnames in the <literal>site1</literal>
-            and
-            <literal>site2.example.com</literal> zones.
-          </simpara>
-        </listitem>
-        <listitem>
-          <simpara>
-            Exchange mail with anyone in the <literal>site1</literal> and
-            <literal>site2.example.com</literal> zones.
-          </simpara>
-        </listitem>
-      </itemizedlist>
-
-      <para>
-        Here is an example configuration for the setup we just
-        described above. Note that this is only configuration information;
-        for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
-      </para>
-
-      <para>
-        Internal DNS server config:
-      </para>
-
-<programlisting>
-
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { <varname>bastion-ips-go-here</varname>; };
-
-options {
-    ...
-    ...
-    forward only;
-    // forward to external servers
-    forwarders {
-        <varname>bastion-ips-go-here</varname>;
-    };
-    // sample allow-transfer (no one)
-    allow-transfer { none; };
-    // restrict query access
-    allow-query { internals; externals; };
-    // restrict recursion
-    allow-recursion { internals; };
-    ...
-    ...
-};
-
-// sample master zone
-zone "site1.example.com" {
-  type master;
-  file "m/site1.example.com";
-  // do normal iterative resolution (do not forward)
-  forwarders { };
-  allow-query { internals; externals; };
-  allow-transfer { internals; };
-};
-
-// sample slave zone
-zone "site2.example.com" {
-  type slave;
-  file "s/site2.example.com";
-  masters { 172.16.72.3; };
-  forwarders { };
-  allow-query { internals; externals; };
-  allow-transfer { internals; };
-};
-
-zone "site1.internal" {
-  type master;
-  file "m/site1.internal";
-  forwarders { };
-  allow-query { internals; };
-  allow-transfer { internals; }
-};
-
-zone "site2.internal" {
-  type slave;
-  file "s/site2.internal";
-  masters { 172.16.72.3; };
-  forwarders { };
-  allow-query { internals };
-  allow-transfer { internals; }
-};
-</programlisting>
-
-      <para>
-        External (bastion host) DNS server config:
-      </para>
-
-<programlisting>
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { bastion-ips-go-here; };
-
-options {
-  ...
-  ...
-  // sample allow-transfer (no one)
-  allow-transfer { none; };
-  // default query access
-  allow-query { any; };
-  // restrict cache access
-  allow-query-cache { internals; externals; };
-  // restrict recursion
-  allow-recursion { internals; externals; };
-  ...
-  ...
-};
-
-// sample slave zone
-zone "site1.example.com" {
-  type master;
-  file "m/site1.foo.com";
-  allow-transfer { internals; externals; };
-};
-
-zone "site2.example.com" {
-  type slave;
-  file "s/site2.foo.com";
-  masters { another_bastion_host_maybe; };
-  allow-transfer { internals; externals; }
-};
-</programlisting>
-
-      <para>
-        In the <filename>resolv.conf</filename> (or equivalent) on
-        the bastion host(s):
-      </para>
-
-<programlisting>
-search ...
-nameserver 172.16.72.2
-nameserver 172.16.72.3
-nameserver 172.16.72.4
-</programlisting>
-
-     </sect2>
-    </sect1>
-    <sect1 id="tsig">
-      <title>TSIG</title>
-      <para>
-        This is a short guide to setting up Transaction SIGnatures
-        (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
-        to the configuration file as well as what changes are required for
-        different features, including the process of creating transaction
-        keys and using transaction signatures with <acronym>BIND</acronym>.
-      </para>
-      <para>
-        <acronym>BIND</acronym> primarily supports TSIG for server
-        to server communication.
-        This includes zone transfer, notify, and recursive query messages.
-        Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
-        for TSIG.
-      </para>
-
-      <para>
-        TSIG can also be useful for dynamic update. A primary
-        server for a dynamic zone should control access to the dynamic
-        update service, but IP-based access control is insufficient.
-        The cryptographic access control provided by TSIG
-        is far superior. The <command>nsupdate</command>
-        program supports TSIG via the <option>-k</option> and
-        <option>-y</option> command line options or inline by use
-	of the <command>key</command>.
-      </para>
-
-      <sect2>
-        <title>Generate Shared Keys for Each Pair of Hosts</title>
-        <para>
-          A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
-          An arbitrary key name is chosen: "host1-host2.". The key name must
-          be the same on both hosts.
-        </para>
-        <sect3>
-          <title>Automatic Generation</title>
-          <para>
-            The following command will generate a 128-bit (16 byte) HMAC-SHA256
-            key as described above. Longer keys are better, but shorter keys
-            are easier to read. Note that the maximum key length is the digest
-            length, here 256 bits.
-          </para>
-          <para>
-            <userinput>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</userinput>
-          </para>
-          <para>
-            The key is in the file <filename>Khost1-host2.+163+00000.private</filename>.
-            Nothing directly uses this file, but the base-64 encoded string
-            following "<literal>Key:</literal>"
-            can be extracted from the file and used as a shared secret:
-          </para>
-          <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
-          <para>
-            The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
-            be used as the shared secret.
-          </para>
-        </sect3>
-        <sect3>
-          <title>Manual Generation</title>
-          <para>
-            The shared secret is simply a random sequence of bits, encoded
-            in base-64. Most ASCII strings are valid base-64 strings (assuming
-            the length is a multiple of 4 and only valid characters are used),
-            so the shared secret can be manually generated.
-          </para>
-          <para>
-            Also, a known string can be run through <command>mmencode</command> or
-            a similar program to generate base-64 encoded data.
-          </para>
-        </sect3>
-      </sect2>
-      <sect2>
-        <title>Copying the Shared Secret to Both Machines</title>
-        <para>
-          This is beyond the scope of DNS. A secure transport mechanism
-          should be used. This could be secure FTP, ssh, telephone, etc.
-        </para>
-      </sect2>
-      <sect2>
-        <title>Informing the Servers of the Key's Existence</title>
-        <para>
-          Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
-          are
-          both servers. The following is added to each server's <filename>named.conf</filename> file:
-        </para>
-
-<programlisting>
-key host1-host2. {
-  algorithm hmac-sha256;
-  secret "La/E5CjG9O+os1jq0a2jdA==";
-};
-</programlisting>
-
-        <para>
-          The secret is the one generated above. Since this is a secret, it
-          is recommended that either <filename>named.conf</filename> be
-          non-world readable, or the key directive be added to a non-world
-          readable file that is included by <filename>named.conf</filename>.
-        </para>
-        <para>
-          At this point, the key is recognized. This means that if the
-          server receives a message signed by this key, it can verify the
-          signature. If the signature is successfully verified, the
-          response is signed by the same key.
-        </para>
-      </sect2>
-
-      <sect2>
-        <title>Instructing the Server to Use the Key</title>
-        <para>
-          Since keys are shared between two hosts only, the server must
-          be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
-          for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
-          10.1.2.3:
-        </para>
-
-<programlisting>
-server 10.1.2.3 {
-  keys { host1-host2. ;};
-};
-</programlisting>
-
-        <para>
-          Multiple keys may be present, but only the first is used.
-          This directive does not contain any secrets, so it may be in a
-          world-readable
-          file.
-        </para>
-        <para>
-          If <emphasis>host1</emphasis> sends a message that is a request
-          to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
-          expect any responses to signed messages to be signed with the same
-          key.
-        </para>
-        <para>
-          A similar statement must be present in <emphasis>host2</emphasis>'s
-          configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
-          sign request messages to <emphasis>host1</emphasis>.
-        </para>
-      </sect2>
-      <sect2>
-        <title>TSIG Key Based Access Control</title>
-        <para>
-          <acronym>BIND</acronym> allows IP addresses and ranges
-          to be specified in ACL
-          definitions and
-          <command>allow-{ query | transfer | update }</command>
-          directives.
-          This has been extended to allow TSIG keys also. The above key would
-          be denoted <command>key host1-host2.</command>
-        </para>
-        <para>
-          An example of an <command>allow-update</command> directive would be:
-        </para>
-
-<programlisting>
-allow-update { key host1-host2. ;};
-</programlisting>
-
-	<para>
-	  This allows dynamic updates to succeed only if the request
-	  was signed by a key named "<command>host1-host2.</command>".
-	</para>
-
-	<para>
-	  See <xref linkend="dynamic_update_policies"/> for a discussion of
-          the more flexible <command>update-policy</command> statement.
-	</para>
-
-      </sect2>
-      <sect2>
-        <title>Errors</title>
-
-        <para>
-          The processing of TSIG signed messages can result in
-          several errors. If a signed message is sent to a non-TSIG aware
-          server, a FORMERR (format error) will be returned, since the server will not
-          understand the record. This is a result of misconfiguration,
-          since the server must be explicitly configured to send a TSIG
-          signed message to a specific server.
-        </para>
-
-        <para>
-          If a TSIG aware server receives a message signed by an
-          unknown key, the response will be unsigned with the TSIG
-          extended error code set to BADKEY. If a TSIG aware server
-          receives a message with a signature that does not validate, the
-          response will be unsigned with the TSIG extended error code set
-          to BADSIG. If a TSIG aware server receives a message with a time
-          outside of the allowed range, the response will be signed with
-          the TSIG extended error code set to BADTIME, and the time values
-          will be adjusted so that the response can be successfully
-          verified. In any of these cases, the message's rcode (response code) is set to
-          NOTAUTH (not authenticated).
-        </para>
-
-      </sect2>
-    </sect1>
-    <sect1>
-      <title>TKEY</title>
-
-      <para><command>TKEY</command>
-        is a mechanism for automatically generating a shared secret
-        between two hosts.  There are several "modes" of
-        <command>TKEY</command> that specify how the key is generated
-        or assigned.  <acronym>BIND</acronym> 9 implements only one of
-        these modes, the Diffie-Hellman key exchange.  Both hosts are
-        required to have a Diffie-Hellman KEY record (although this
-        record is not required to be present in a zone).  The
-        <command>TKEY</command> process must use signed messages,
-        signed either by TSIG or SIG(0).  The result of
-        <command>TKEY</command> is a shared secret that can be used to
-        sign messages with TSIG.  <command>TKEY</command> can also be
-        used to delete shared secrets that it had previously
-        generated.
-      </para>
-
-      <para>
-        The <command>TKEY</command> process is initiated by a
-        client
-        or server by sending a signed <command>TKEY</command>
-        query
-        (including any appropriate KEYs) to a TKEY-aware server.  The
-        server response, if it indicates success, will contain a
-        <command>TKEY</command> record and any appropriate keys.
-        After
-        this exchange, both participants have enough information to
-        determine the shared secret; the exact process depends on the
-        <command>TKEY</command> mode.  When using the
-        Diffie-Hellman
-        <command>TKEY</command> mode, Diffie-Hellman keys are
-        exchanged,
-        and the shared secret is derived by both participants.
-      </para>
-
-    </sect1>
-    <sect1>
-      <title>SIG(0)</title>
-
-      <para>
-        <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
-            transaction signatures as specified in RFC 2535 and RFC 2931.
-        SIG(0)
-        uses public/private keys to authenticate messages.  Access control
-        is performed in the same manner as TSIG keys; privileges can be
-        granted or denied based on the key name.
-      </para>
-
-      <para>
-        When a SIG(0) signed message is received, it will only be
-        verified if the key is known and trusted by the server; the server
-        will not attempt to locate and/or validate the key.
-      </para>
-
-      <para>
-        SIG(0) signing of multiple-message TCP streams is not
-        supported.
-      </para>
-
-      <para>
-        The only tool shipped with <acronym>BIND</acronym> 9 that
-        generates SIG(0) signed messages is <command>nsupdate</command>.
-      </para>
-
-    </sect1>
-    <sect1 id="DNSSEC">
-      <title>DNSSEC</title>
-
-      <para>
-        Cryptographic authentication of DNS information is possible
-        through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
-        defined in RFC 4033, RFC 4034, and RFC 4035.
-	This section describes the creation and use of DNSSEC signed zones.
-      </para>
-
-      <para>
-        In order to set up a DNSSEC secure zone, there are a series
-        of steps which must be followed.  <acronym>BIND</acronym>
-        9 ships
-        with several tools
-        that are used in this process, which are explained in more detail
-        below.  In all cases, the <option>-h</option> option prints a
-        full list of parameters.  Note that the DNSSEC tools require the
-        keyset files to be in the working directory or the
-        directory specified by the <option>-d</option> option, and
-        that the tools shipped with BIND 9.2.x and earlier are not compatible
-        with the current ones.
-      </para>
-
-      <para>
-        There must also be communication with the administrators of
-        the parent and/or child zone to transmit keys.  A zone's security
-        status must be indicated by the parent zone for a DNSSEC capable
-        resolver to trust its data.  This is done through the presence
-        or absence of a <literal>DS</literal> record at the
-        delegation
-        point.
-      </para>
-
-      <para>
-        For other servers to trust data in this zone, they must
-        either be statically configured with this zone's zone key or the
-        zone key of another zone above this one in the DNS tree.
-      </para>
-
-      <sect2>
-        <title>Generating Keys</title>
-
-        <para>
-          The <command>dnssec-keygen</command> program is used to
-          generate keys.
-        </para>
-
-        <para>
-          A secure zone must contain one or more zone keys.  The
-          zone keys will sign all other records in the zone, as well as
-          the zone keys of any secure delegated zones.  Zone keys must
-          have the same name as the zone, a name type of
-          <command>ZONE</command>, and must be usable for
-          authentication.
-          It is recommended that zone keys use a cryptographic algorithm
-          designated as "mandatory to implement" by the IETF; currently
-          the only one is RSASHA1.
-        </para>
-
-        <para>
-          The following command will generate a 768-bit RSASHA1 key for
-          the <filename>child.example</filename> zone:
-        </para>
-
-        <para>
-          <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
-        </para>
-
-        <para>
-          Two output files will be produced:
-          <filename>Kchild.example.+005+12345.key</filename> and
-          <filename>Kchild.example.+005+12345.private</filename>
-          (where
-          12345 is an example of a key tag).  The key filenames contain
-          the key name (<filename>child.example.</filename>),
-          algorithm (3
-          is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
-          this case).
-          The private key (in the <filename>.private</filename>
-          file) is
-          used to generate signatures, and the public key (in the
-          <filename>.key</filename> file) is used for signature
-          verification.
-        </para>
-
-        <para>
-          To generate another key with the same properties (but with
-          a different key tag), repeat the above command.
-        </para>
-
-        <para>
-          The <command>dnssec-keyfromlabel</command> program is used
-          to get a key pair from a crypto hardware and build the key
-          files. Its usage is similar to <command>dnssec-keygen</command>.
-        </para>
-
-        <para>
-          The public keys should be inserted into the zone file by
-          including the <filename>.key</filename> files using
-          <command>$INCLUDE</command> statements.
-        </para>
-
-      </sect2>
-      <sect2>
-        <title>Signing the Zone</title>
-
-	<para>
-	  The <command>dnssec-signzone</command> program is used
-	  to sign a zone.
-	</para>
-
-	<para>
-	  Any <filename>keyset</filename> files corresponding to
-	  secure subzones should be present.  The zone signer will
-	  generate <literal>NSEC</literal>, <literal>NSEC3</literal>
-	  and <literal>RRSIG</literal> records for the zone, as
-	  well as <literal>DS</literal> for the child zones if
-	  <literal>'-g'</literal> is specified.  If <literal>'-g'</literal>
-	  is not specified, then DS RRsets for the secure child
-	  zones need to be added manually.
-	</para>
-
-        <para>
-          The following command signs the zone, assuming it is in a
-          file called <filename>zone.child.example</filename>.  By
-                default, all zone keys which have an available private key are
-                used to generate signatures.
-        </para>
-
-        <para>
-          <userinput>dnssec-signzone -o child.example zone.child.example</userinput>
-        </para>
-
-        <para>
-          One output file is produced:
-          <filename>zone.child.example.signed</filename>.  This
-          file
-          should be referenced by <filename>named.conf</filename>
-          as the
-          input file for the zone.
-        </para>
-
-        <para><command>dnssec-signzone</command>
-	  will also produce a keyset and dsset files and optionally a
-          dlvset file.  These are used to provide the parent zone
-          administrators with the <literal>DNSKEYs</literal> (or their
-          corresponding <literal>DS</literal> records) that are the
-          secure entry point to the zone.
-        </para>
-
-      </sect2>
-
-      <sect2>
-        <title>Configuring Servers</title>
-
-	<para>
-	  To enable <command>named</command> to respond appropriately
-	  to DNS requests from DNSSEC aware clients,
-	  <command>dnssec-enable</command> must be set to yes.
-          (This is the default setting.)
-        </para>
-
-	<para>
-	  To enable <command>named</command> to validate answers from
-	  other servers, the <command>dnssec-enable</command> option
-          must be set to <userinput>yes</userinput>, and the
-          <command>dnssec-validation</command> options must be set to 
-          <userinput>yes</userinput> or <userinput>auto</userinput>.
-        </para>
-	  
-	<para>
-          If <command>dnssec-validation</command> is set to
-          <userinput>auto</userinput>, then a default
-          trust anchor for the DNS root zone will be used.
-          If it is set to <userinput>yes</userinput>, however,
-          then at least one trust anchor must be configured
-          with a <command>trusted-keys</command> or
-          <command>managed-keys</command> statement in
-          <filename>named.conf</filename>, or DNSSEC validation
-          will not occur.  The default setting is
-          <userinput>yes</userinput>.
-        </para>
-	  
-	<para>
-	  <command>trusted-keys</command> are copies of DNSKEY RRs
-	  for zones that are used to form the first link in the
-	  cryptographic chain of trust.  All keys listed in
-	  <command>trusted-keys</command> (and corresponding zones)
-	  are deemed to exist and only the listed keys will be used
-	  to validated the DNSKEY RRset that they are from.
-	</para>
-
-	<para>
-	  <command>managed-keys</command> are trusted keys which are
-          automatically kept up to date via RFC 5011 trust anchor
-          maintenance.
-	</para>
-
-	<para>
-	  <command>trusted-keys</command> and
-          <command>managed-keys</command> are described in more detail
-	  later in this document.
-	</para>
-
-	<para>
-	  Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
-	  9 does not verify signatures on load, so zone keys for
-	  authoritative zones do not need to be specified in the
-	  configuration file.
-	</para>
-
-	<para>
-	  After DNSSEC gets established, a typical DNSSEC configuration
-	  will look something like the following.  It has one or
-	  more public keys for the root.  This allows answers from
-	  outside the organization to be validated.  It will also
-	  have several keys for parts of the namespace the organization
-          controls.  These are here to ensure that <command>named</command>
-          is immune to compromises in the DNSSEC components of the security
-          of parent zones.
-	</para>
-
-<programlisting>
-managed-keys {
-	/* Root Key */
-        "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
-                                 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
-                                 aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
-                                 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
-                                 hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
-                                 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
-                                 g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
-                                 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
-                                 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
-                                 dgxbcDTClU0CRBdiieyLMNzXG3";
-};
-
-trusted-keys {
-        /* Key for our organization's forward zone */
-        example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
-                              5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
-                              GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
-                              4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
-                              kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
-                              g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
-                              TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
-                              FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
-                              F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
-                              /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
-                              1OTQ09A0=";
-
-        /* Key for our reverse zone. */
-        2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
-                                       xOdNax071L18QqZnQQQAVVr+i
-                                       LhGTnNGp3HoWQLUIzKrJVZ3zg
-                                       gy3WwNT6kZo6c0tszYqbtvchm
-                                       gQC8CzKojM/W16i6MG/eafGU3
-                                       siaOdS0yOI6BgPsw+YZdzlYMa
-                                       IJGf4M4dyoKIhzdZyQ2bYQrjy
-                                       Q4LB0lC7aOnsMyYKHHYeRvPxj
-                                       IQXmdqgOJGq+vsevG06zW+1xg
-                                       YJh9rCIfnm1GX/KMgxLPG2vXT
-                                       D/RnLX+D3T3UL7HJYHJhAZD5L
-                                       59VvjSPsZJHeDCUyWYrvPZesZ
-                                       DIRvhDD52SKvbheeTJUm6Ehkz
-                                       ytNN2SN96QRk8j/iI8ib";
-};
-
-options {
-	...
-	dnssec-enable yes;
-	dnssec-validation yes;
-};
-</programlisting>
-
-	<note>
-	  None of the keys listed in this example are valid.  In particular,
-	  the root key is not valid.
-	</note>
-
-	<para>
-	  When DNSSEC validation is enabled and properly configured,
-	  the resolver will reject any answers from signed, secure zones
-	  which fail to validate, and will return SERVFAIL to the client.
-	</para>
-
-	<para>
-	  Responses may fail to validate for any of several reasons,
-	  including missing, expired, or invalid signatures, a key which
-	  does not match the DS RRset in the parent zone, or an insecure
-	  response from a zone which, according to its parent, should have
-	  been secure.  
-	</para>
-
-	<note>
-	  <para>
-	    When the validator receives a response from an unsigned zone
-	    that has a signed parent, it must confirm with the parent
-	    that the zone was intentionally left unsigned.  It does
-	    this by verifying, via signed and validated NSEC/NSEC3 records,
-	    that the parent zone contains no DS records for the child.
-	  </para>
-	  <para>
-	    If the validator <emphasis>can</emphasis> prove that the zone
-	    is insecure, then the response is accepted.  However, if it
-	    cannot, then it must assume an insecure response to be a
-	    forgery; it rejects the response and logs an error.
-	  </para>
-	  <para>
-            The logged error reads "insecurity proof failed" and
-            "got insecure response; parent indicates it should be secure".
-	    (Prior to BIND 9.7, the logged error was "not insecure".
-            This referred to the zone, not the response.)
-	  </para>
-	</note>
-      </sect2>
-
-    </sect1>
-
-    <xi:include href="dnssec.xml"/>
-
-    <xi:include href="managed-keys.xml"/>
-
-    <xi:include href="pkcs11.xml"/>
-
-    <sect1>
-      <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
-
-      <para>
-        <acronym>BIND</acronym> 9 fully supports all currently
-        defined forms of IPv6 name to address and address to name
-        lookups.  It will also use IPv6 addresses to make queries when
-        running on an IPv6 capable system.
-      </para>
-
-      <para>
-        For forward lookups, <acronym>BIND</acronym> 9 supports
-        only AAAA records.  RFC 3363 deprecated the use of A6 records,
-        and client-side support for A6 records was accordingly removed
-        from <acronym>BIND</acronym> 9.
-        However, authoritative <acronym>BIND</acronym> 9 name servers still
-        load zone files containing A6 records correctly, answer queries
-        for A6 records, and accept zone transfer for a zone containing A6
-        records.
-      </para>
-
-      <para>
-        For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
-        the traditional "nibble" format used in the
-        <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
-        <emphasis>ip6.int</emphasis> domain.
-        Older versions of <acronym>BIND</acronym> 9 
-        supported the "binary label" (also known as "bitstring") format,
-        but support of binary labels has been completely removed per
-        RFC 3363.
-        Many applications in <acronym>BIND</acronym> 9 do not understand
-        the binary label format at all any more, and will return an
-        error if given.
-	In particular, an authoritative <acronym>BIND</acronym> 9
-        name server will not load a zone file containing binary labels.
-      </para>
-
-      <para>
-        For an overview of the format and structure of IPv6 addresses,
-        see <xref linkend="ipv6addresses"/>.
-      </para>
-
-      <sect2>
-        <title>Address Lookups Using AAAA Records</title>
-
-        <para>
-          The IPv6 AAAA record is a parallel to the IPv4 A record,
-          and, unlike the deprecated A6 record, specifies the entire
-          IPv6 address in a single record.  For example,
-        </para>
-
-<programlisting>
-$ORIGIN example.com.
-host            3600    IN      AAAA    2001:db8::1
-</programlisting>
-
-        <para>
-          Use of IPv4-in-IPv6 mapped addresses is not recommended.
-	  If a host has an IPv4 address, use an A record, not
-          a AAAA, with <literal>::ffff:192.168.42.1</literal> as
-          the address.
-        </para>
-      </sect2>
-      <sect2>
-        <title>Address to Name Lookups Using Nibble Format</title>
-
-        <para>
-          When looking up an address in nibble format, the address
-          components are simply reversed, just as in IPv4, and
-          <literal>ip6.arpa.</literal> is appended to the
-          resulting name.
-          For example, the following would provide reverse name lookup for
-          a host with address
-          <literal>2001:db8::1</literal>.
-        </para>
-
-<programlisting>
-$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  14400   IN    PTR    (
-                                    host.example.com. )
-</programlisting>
-
-      </sect2>
-    </sect1>
-  </chapter>
-
-  <chapter id="Bv9ARM.ch05">
-    <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
-    <sect1>
-      <title>The Lightweight Resolver Library</title>
-      <para>
-        Traditionally applications have been linked with a stub resolver
-        library that sends recursive DNS queries to a local caching name
-        server.
-      </para>
-      <para>
-        IPv6 once introduced new complexity into the resolution process,
-        such as following A6 chains and DNAME records, and simultaneous
-        lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
-        then removed, these are hard or impossible
-        to implement in a traditional stub resolver.
-      </para>
-      <para>
-        <acronym>BIND</acronym> 9 therefore can also provide resolution
-        services to local clients
-        using a combination of a lightweight resolver library and a resolver
-        daemon process running on the local host.  These communicate using
-        a simple UDP-based protocol, the "lightweight resolver protocol"
-        that is distinct from and simpler than the full DNS protocol.
-      </para>
-    </sect1>
-    <sect1 id="lwresd">
-      <title>Running a Resolver Daemon</title>
-
-      <para>
-        To use the lightweight resolver interface, the system must
-        run the resolver daemon <command>lwresd</command> or a
-        local
-        name server configured with a <command>lwres</command>
-        statement.
-      </para>
-
-      <para>
-        By default, applications using the lightweight resolver library will
-        make
-        UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
-        The
-        address can be overridden by <command>lwserver</command>
-        lines in
-        <filename>/etc/resolv.conf</filename>.
-      </para>
-
-      <para>
-        The daemon currently only looks in the DNS, but in the future
-        it may use other sources such as <filename>/etc/hosts</filename>,
-        NIS, etc.
-      </para>
-
-      <para>
-        The <command>lwresd</command> daemon is essentially a
-        caching-only name server that responds to requests using the
-        lightweight
-        resolver protocol rather than the DNS protocol.  Because it needs
-        to run on each host, it is designed to require no or minimal
-        configuration.
-        Unless configured otherwise, it uses the name servers listed on
-        <command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
-        as forwarders, but is also capable of doing the resolution
-        autonomously if
-        none are specified.
-      </para>
-      <para>
-        The <command>lwresd</command> daemon may also be
-        configured with a
-        <filename>named.conf</filename> style configuration file,
-        in
-        <filename>/etc/lwresd.conf</filename> by default.  A name
-        server may also
-        be configured to act as a lightweight resolver daemon using the
-        <command>lwres</command> statement in <filename>named.conf</filename>.
-      </para>
-
-    </sect1>
-  </chapter>
-
-  <chapter id="Bv9ARM.ch06">
-    <title><acronym>BIND</acronym> 9 Configuration Reference</title>
-
-    <para>
-      <acronym>BIND</acronym> 9 configuration is broadly similar
-      to <acronym>BIND</acronym> 8; however, there are a few new
-      areas
-      of configuration, such as views. <acronym>BIND</acronym>
-      8 configuration files should work with few alterations in <acronym>BIND</acronym>
-      9, although more complex configurations should be reviewed to check
-      if they can be more efficiently implemented using the new features
-      found in <acronym>BIND</acronym> 9.
-    </para>
-
-    <para>
-      <acronym>BIND</acronym> 4 configuration files can be
-      converted to the new format
-      using the shell script
-      <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
-    </para>
-    <sect1 id="configuration_file_elements">
-      <title>Configuration File Elements</title>
-      <para>
-        Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
-        file documentation:
-      </para>
-      <informaltable colsep="0" rowsep="0">
-        <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
-          <colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
-          <colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
-          <tbody>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>acl_name</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  The name of an <varname>address_match_list</varname> as
-                  defined by the <command>acl</command> statement.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>address_match_list</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  A list of one or more
-                  <varname>ip_addr</varname>,
-                  <varname>ip_prefix</varname>, <varname>key_id</varname>,
-                  or <varname>acl_name</varname> elements, see
-                  <xref linkend="address_match_lists"/>.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>masters_list</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  A named list of one or more <varname>ip_addr</varname>
-		  with optional <varname>key_id</varname> and/or
-		  <varname>ip_port</varname>.
-		  A <varname>masters_list</varname> may include other
-		  <varname>masters_lists</varname>.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>domain_name</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  A quoted string which will be used as
-                  a DNS name, for example "<literal>my.test.domain</literal>".
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>namelist</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  A list of one or more <varname>domain_name</varname>
-                  elements.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>dotted_decimal</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  One to four integers valued 0 through
-                  255 separated by dots (`.'), such as <command>123</command>,
-                  <command>45.67</command> or <command>89.123.45.67</command>.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>ip4_addr</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  An IPv4 address with exactly four elements
-                  in <varname>dotted_decimal</varname> notation.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>ip6_addr</varname>
-                </para>
-              </entry>
-	      <entry colname="2">
-		<para>
-		  An IPv6 address, such as <command>2001:db8::1234</command>.
-		  IPv6 scoped addresses that have ambiguity on their
-		  scope zones must be disambiguated by an appropriate
-		  zone ID with the percent character (`%') as
-		  delimiter.  It is strongly recommended to use
-		  string zone names rather than numeric identifiers,
-		  in order to be robust against system configuration
-		  changes.  However, since there is no standard
-		  mapping for such names and identifier values,
-		  currently only interface names as link identifiers
-		  are supported, assuming one-to-one mapping between
-		  interfaces and links.  For example, a link-local
-		  address <command>fe80::1</command> on the link
-		  attached to the interface <command>ne0</command>
-		  can be specified as <command>fe80::1%ne0</command>.
-		  Note that on most systems link-local addresses
-		  always have the ambiguity, and need to be
-		  disambiguated.
-		</para>
-	      </entry>
-	    </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>ip_addr</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>ip_port</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  An IP port <varname>number</varname>.
-                  The <varname>number</varname> is limited to 0
-                  through 65535, with values
-                  below 1024 typically restricted to use by processes running
-                  as root.
-                  In some cases, an asterisk (`*') character can be used as a
-                  placeholder to
-                  select a random high-numbered port.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>ip_prefix</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  An IP network specified as an <varname>ip_addr</varname>,
-                  followed by a slash (`/') and then the number of bits in the
-                  netmask.
-                  Trailing zeros in a <varname>ip_addr</varname>
-                  may omitted.
-                  For example, <command>127/8</command> is the
-                  network <command>127.0.0.0</command> with
-                  netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
-                  network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
-                </para>
-                <para>
-		  When specifying a prefix involving a IPv6 scoped address
-		  the scope may be omitted.  In that case the prefix will
-		  match packets from any scope.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>key_id</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  A <varname>domain_name</varname> representing
-                  the name of a shared key, to be used for transaction
-                  security.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>key_list</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  A list of one or more
-                  <varname>key_id</varname>s,
-                  separated by semicolons and ending with a semicolon.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>number</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  A non-negative 32-bit integer
-                  (i.e., a number between 0 and 4294967295, inclusive).
-                  Its acceptable value might further
-                  be limited by the context in which it is used.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>path_name</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  A quoted string which will be used as
-                  a pathname, such as <filename>zones/master/my.test.domain</filename>.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>port_list</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-		  A list of an <varname>ip_port</varname> or a port
-		  range.
-		  A port range is specified in the form of
-		  <userinput>range</userinput> followed by
-		  two <varname>ip_port</varname>s,
-		  <varname>port_low</varname> and
-		  <varname>port_high</varname>, which represents
-		  port numbers from <varname>port_low</varname> through
-		  <varname>port_high</varname>, inclusive.
-		  <varname>port_low</varname> must not be larger than
-		  <varname>port_high</varname>.
-		  For example,
-		  <userinput>range 1024 65535</userinput> represents
-		  ports from 1024 through 65535.
-		  In either case an asterisk (`*') character is not
-		  allowed as a valid <varname>ip_port</varname>.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>size_spec</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  A 64-bit unsigned integer, or the keywords
-                  <userinput>unlimited</userinput> or
-                  <userinput>default</userinput>.
-                </para>
-                <para>
-                  Integers may take values
-                  0 &lt;= value &lt;= 18446744073709551615, though
-                  certain parameters may use a more limited range
-                  within these extremes.  In most cases, setting a
-                  value to 0 does not literally mean zero; it means
-                  "undefined" or "as big as psosible", depending on
-                  the context. See the expalantions of particular
-                  parameters that use <varname>size_spec</varname>
-                  for details on how they interpret its use. 
-                </para>
-                <para>
-                  Numeric values can optionally be followed by a
-                  scaling factor:
-		  <userinput>K</userinput> or <userinput>k</userinput>
-		  for kilobytes,
-		  <userinput>M</userinput> or <userinput>m</userinput>
-		  for megabytes, and
-                  <userinput>G</userinput> or <userinput>g</userinput>
-                  for gigabytes, which scale by 1024, 1024*1024, and
-                  1024*1024*1024 respectively.
-                </para>
-		<para>
-                  <varname>unlimited</varname> generally means
-                  "as big as possible", though in certain contexts,
-                  (including <option>max-cache-size</option>), it may
-                  mean the largest possible 32-bit unsigned integer
-                  (0xffffffff); this distinction can be important when
-                  dealing with larger quantities. 
-                  <varname>unlimited</varname> is usually the best way
-                  to safely set a very large number.
-                </para>
-		<para>
-                  <varname>default</varname> 
-                  uses the limit that was in force when the server was started.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>yes_or_no</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  Either <userinput>yes</userinput> or <userinput>no</userinput>.
-                  The words <userinput>true</userinput> and <userinput>false</userinput> are
-                  also accepted, as are the numbers <userinput>1</userinput>
-                  and <userinput>0</userinput>.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para>
-                  <varname>dialup_option</varname>
-                </para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  One of <userinput>yes</userinput>,
-                  <userinput>no</userinput>, <userinput>notify</userinput>,
-                  <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
-                  <userinput>passive</userinput>.
-                  When used in a zone, <userinput>notify-passive</userinput>,
-                  <userinput>refresh</userinput>, and <userinput>passive</userinput>
-                  are restricted to slave and stub zones.
-                </para>
-              </entry>
-            </row>
-          </tbody>
-        </tgroup>
-      </informaltable>
-      <sect2 id="address_match_lists">
-        <title>Address Match Lists</title>
-        <sect3>
-          <title>Syntax</title>
-
-<programlisting><varname>address_match_list</varname> = address_match_list_element ;
-  <optional> address_match_list_element; ... </optional>
-<varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
-   key key_id | acl_name | { address_match_list } )
-</programlisting>
-
-        </sect3>
-        <sect3>
-          <title>Definition and Usage</title>
-          <para>
-            Address match lists are primarily used to determine access
-            control for various server operations. They are also used in
-            the <command>listen-on</command> and <command>sortlist</command>
-            statements. The elements which constitute an address match
-            list can be any of the following:
-          </para>
-          <itemizedlist>
-            <listitem>
-              <simpara>an IP address (IPv4 or IPv6)</simpara>
-            </listitem>
-            <listitem>
-              <simpara>an IP prefix (in `/' notation)</simpara>
-            </listitem>
-            <listitem>
-              <simpara>
-                a key ID, as defined by the <command>key</command>
-                statement
-              </simpara>
-            </listitem>
-            <listitem>
-              <simpara>the name of an address match list defined with
-                the <command>acl</command> statement
-              </simpara>
-            </listitem>
-            <listitem>
-              <simpara>a nested address match list enclosed in braces</simpara>
-            </listitem>
-          </itemizedlist>
-
-          <para>
-            Elements can be negated with a leading exclamation mark (`!'),
-            and the match list names "any", "none", "localhost", and
-            "localnets" are predefined. More information on those names
-            can be found in the description of the acl statement.
-          </para>
-
-          <para>
-            The addition of the key clause made the name of this syntactic
-            element something of a misnomer, since security keys can be used
-            to validate access without regard to a host or network address.
-            Nonetheless, the term "address match list" is still used
-            throughout the documentation.
-          </para>
-
-          <para>
-            When a given IP address or prefix is compared to an address
-            match list, the comparison takes place in approximately O(1)
-            time.  However, key comparisons require that the list of keys
-            be traversed until a matching key is found, and therefore may
-            be somewhat slower.
-          </para>
-
-          <para>
-            The interpretation of a match depends on whether the list is being
-            used for access control, defining <command>listen-on</command> ports, or in a
-            <command>sortlist</command>, and whether the element was negated.
-          </para>
-
-	  <para>
-	    When used as an access control list, a non-negated match
-	    allows access and a negated match denies access. If
-	    there is no match, access is denied. The clauses
-	    <command>allow-notify</command>,
-	    <command>allow-recursion</command>,
-	    <command>allow-recursion-on</command>,
-	    <command>allow-query</command>,
-	    <command>allow-query-on</command>,
-	    <command>allow-query-cache</command>,
-	    <command>allow-query-cache-on</command>,
-	    <command>allow-transfer</command>,
-	    <command>allow-update</command>,
-	    <command>allow-update-forwarding</command>, and
-	    <command>blackhole</command> all use address match
-	    lists.  Similarly, the <command>listen-on</command> option will cause the
-	    server to refuse queries on any of the machine's
-	    addresses which do not match the list.
-	  </para>
-
-          <para>
-            Order of insertion is significant.  If more than one element
-            in an ACL is found to match a given IP address or prefix,
-            preference will be given to the one that came
-            <emphasis>first</emphasis> in the ACL definition.
-            Because of this first-match behavior, an element that
-            defines a subset of another element in the list should
-            come before the broader element, regardless of whether
-            either is negated. For example, in
-            <command>1.2.3/24; ! 1.2.3.13;</command>
-            the 1.2.3.13 element is completely useless because the
-            algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
-            element.  Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
-            that problem by having 1.2.3.13 blocked by the negation, but
-            all other 1.2.3.* hosts fall through.
-          </para>
-        </sect3>
-      </sect2>
-
-      <sect2>
-        <title>Comment Syntax</title>
-
-        <para>
-          The <acronym>BIND</acronym> 9 comment syntax allows for
-          comments to appear
-          anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
-          file. To appeal to programmers of all kinds, they can be written
-          in the C, C++, or shell/perl style.
-        </para>
-
-        <sect3>
-          <title>Syntax</title>
-
-          <para>
-            <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
-            <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
-            <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells
-# and perl</programlisting>
-          </para>
-        </sect3>
-        <sect3>
-          <title>Definition and Usage</title>
-          <para>
-            Comments may appear anywhere that whitespace may appear in
-            a <acronym>BIND</acronym> configuration file.
-          </para>
-          <para>
-            C-style comments start with the two characters /* (slash,
-            star) and end with */ (star, slash). Because they are completely
-            delimited with these characters, they can be used to comment only
-            a portion of a line or to span multiple lines.
-          </para>
-          <para>
-            C-style comments cannot be nested. For example, the following
-            is not valid because the entire comment ends with the first */:
-          </para>
-          <para>
-
-<programlisting>/* This is the start of a comment.
-   This is still part of the comment.
-/* This is an incorrect attempt at nesting a comment. */
-   This is no longer in any comment. */
-</programlisting>
-
-          </para>
-
-          <para>
-            C++-style comments start with the two characters // (slash,
-            slash) and continue to the end of the physical line. They cannot
-            be continued across multiple physical lines; to have one logical
-            comment span multiple lines, each line must use the // pair.
-            For example:
-          </para>
-          <para>
-
-<programlisting>// This is the start of a comment.  The next line
-// is a new comment, even though it is logically
-// part of the previous comment.
-</programlisting>
-
-          </para>
-          <para>
-            Shell-style (or perl-style, if you prefer) comments start
-            with the character <literal>#</literal> (number sign)
-            and continue to the end of the
-            physical line, as in C++ comments.
-            For example:
-          </para>
-
-          <para>
-
-<programlisting># This is the start of a comment.  The next line
-# is a new comment, even though it is logically
-# part of the previous comment.
-</programlisting>
-
-          </para>
-
-          <warning>
-            <para>
-              You cannot use the semicolon (`;') character
-              to start a comment such as you would in a zone file. The
-              semicolon indicates the end of a configuration
-              statement.
-            </para>
-          </warning>
-        </sect3>
-      </sect2>
-    </sect1>
-
-    <sect1 id="Configuration_File_Grammar">
-      <title>Configuration File Grammar</title>
-
-      <para>
-        A <acronym>BIND</acronym> 9 configuration consists of
-        statements and comments.
-        Statements end with a semicolon. Statements and comments are the
-        only elements that can appear without enclosing braces. Many
-        statements contain a block of sub-statements, which are also
-        terminated with a semicolon.
-      </para>
-
-      <para>
-        The following statements are supported:
-      </para>
-
-      <informaltable colsep="0" rowsep="0">
-        <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
-          <colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
-          <colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
-          <tbody>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>acl</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  defines a named IP address
-                  matching list, for access control and other uses.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>controls</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  declares control channels to be used
-                  by the <command>rndc</command> utility.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>include</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  includes a file.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>key</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  specifies key information for use in
-                  authentication and authorization using TSIG.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>logging</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  specifies what the server logs, and where
-                  the log messages are sent.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>lwres</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  configures <command>named</command> to
-                  also act as a light-weight resolver daemon (<command>lwresd</command>).
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>masters</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  defines a named masters list for
-                  inclusion in stub and slave zones'
-                  <command>masters</command> or 
-                  <command>also-notify</command> lists.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>options</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  controls global server configuration
-                  options and sets defaults for other statements.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>server</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  sets certain configuration options on
-                  a per-server basis.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>statistics-channels</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-		  declares communication channels to get access to
-		  <command>named</command> statistics.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>trusted-keys</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  defines trusted DNSSEC keys.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>managed-keys</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  lists DNSSEC keys to be kept up to date
-                  using RFC 5011 trust anchor maintenance.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>view</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  defines a view.
-                </para>
-              </entry>
-            </row>
-            <row rowsep="0">
-              <entry colname="1">
-                <para><command>zone</command></para>
-              </entry>
-              <entry colname="2">
-                <para>
-                  defines a zone.
-                </para>
-              </entry>
-            </row>
-          </tbody>
-        </tgroup>
-      </informaltable>
-
-      <para>
-        The <command>logging</command> and
-        <command>options</command> statements may only occur once
-        per
-        configuration.
-      </para>
-
-      <sect2>
-        <title><command>acl</command> Statement Grammar</title>
-
-<programlisting><command>acl</command> acl-name {
-    address_match_list
-};
-</programlisting>
-
-      </sect2>
-      <sect2 id="acl">
-        <title><command>acl</command> Statement Definition and
-          Usage</title>
-
-        <para>
-          The <command>acl</command> statement assigns a symbolic
-          name to an address match list. It gets its name from a primary
-          use of address match lists: Access Control Lists (ACLs).
-        </para>
-
-        <para>
-          Note that an address match list's name must be defined
-          with <command>acl</command> before it can be used
-          elsewhere; no forward references are allowed.
-        </para>
-
-        <para>
-          The following ACLs are built-in:
-        </para>
-
-        <informaltable colsep="0" rowsep="0">
-          <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
-            <colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
-            <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
-            <tbody>
-              <row rowsep="0">
-                <entry colname="1">
-                  <para><command>any</command></para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Matches all hosts.
-                  </para>
-                </entry>
-              </row>
-              <row rowsep="0">
-                <entry colname="1">
-                  <para><command>none</command></para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Matches no hosts.
-                  </para>
-                </entry>
-              </row>
-              <row rowsep="0">
-                <entry colname="1">
-                  <para><command>localhost</command></para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Matches the IPv4 and IPv6 addresses of all network
-                    interfaces on the system.
-                  </para>
-                </entry>
-              </row>
-              <row rowsep="0">
-                <entry colname="1">
-                  <para><command>localnets</command></para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Matches any host on an IPv4 or IPv6 network
-                    for which the system has an interface.
-                    Some systems do not provide a way to determine the prefix
-                    lengths of
-                    local IPv6 addresses.
-                    In such a case, <command>localnets</command>
-                    only matches the local
-                    IPv6 addresses, just like <command>localhost</command>.
-                  </para>
-                </entry>
-              </row>
-            </tbody>
-          </tgroup>
-        </informaltable>
-
-      </sect2>
-      <sect2>
-        <title><command>controls</command> Statement Grammar</title>
-
-<programlisting><command>controls</command> {
-   [ inet ( ip_addr | * ) [ port ip_port ]
-                allow { <replaceable> address_match_list </replaceable> }
-                keys { <replaceable>key_list</replaceable> }; ]
-   [ inet ...; ]
-   [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable>
-     keys { <replaceable>key_list</replaceable> }; ]
-   [ unix ...; ]
-};
-</programlisting>
-
-      </sect2>
-
-      <sect2 id="controls_statement_definition_and_usage">
-        <title><command>controls</command> Statement Definition and
-          Usage</title>
-
-        <para>
-          The <command>controls</command> statement declares control
-          channels to be used by system administrators to control the
-          operation of the name server. These control channels are
-          used by the <command>rndc</command> utility to send
-          commands to and retrieve non-DNS results from a name server.
-        </para>
-
-        <para>
-          An <command>inet</command> control channel is a TCP socket
-	  listening at the specified <command>ip_port</command> on the
-	  specified <command>ip_addr</command>, which can be an IPv4 or IPv6
-	  address.  An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
-	  interpreted as the IPv4 wildcard address; connections will be
-	  accepted on any of the system's IPv4 addresses.
-	  To listen on the IPv6 wildcard address,
-          use an <command>ip_addr</command> of <literal>::</literal>.
-          If you will only use <command>rndc</command> on the local host,
-          using the loopback address (<literal>127.0.0.1</literal>
-          or <literal>::1</literal>) is recommended for maximum security.
-        </para>
-
-        <para>
-          If no port is specified, port 953 is used. The asterisk
-	  "<literal>*</literal>" cannot be used for <command>ip_port</command>.
-        </para>
-
-        <para>
-          The ability to issue commands over the control channel is
-          restricted by the <command>allow</command> and
-          <command>keys</command> clauses.
-	  Connections to the control channel are permitted based on the
-          <command>address_match_list</command>.  This is for simple
-          IP address based filtering only; any <command>key_id</command>
-          elements of the <command>address_match_list</command>
-          are ignored.
-        </para>
-
-	<para>
-	  A <command>unix</command> control channel is a UNIX domain
-	  socket listening at the specified path in the file system.
-	  Access to the socket is specified by the <command>perm</command>,
-	  <command>owner</command> and <command>group</command> clauses.
-	  Note on some platforms (SunOS and Solaris) the permissions
-	  (<command>perm</command>) are applied to the parent directory
-	  as the permissions on the socket itself are ignored.
-	</para>
-
-        <para>
-          The primary authorization mechanism of the command
-          channel is the <command>key_list</command>, which
-          contains a list of <command>key_id</command>s.
-          Each <command>key_id</command> in the <command>key_list</command>
-	  is authorized to execute commands over the control channel.
-          See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
-	  for information about configuring keys in <command>rndc</command>.
-        </para>
-
-        <para>
-          If no <command>controls</command> statement is present,
-          <command>named</command> will set up a default
-          control channel listening on the loopback address 127.0.0.1
-          and its IPv6 counterpart ::1.
-          In this case, and also when the <command>controls</command> statement
-          is present but does not have a <command>keys</command> clause,
-          <command>named</command> will attempt to load the command channel key
-          from the file <filename>rndc.key</filename> in
-          <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
-          was specified as when <acronym>BIND</acronym> was built).
-          To create a <filename>rndc.key</filename> file, run
-          <userinput>rndc-confgen -a</userinput>.
-        </para>
-
-        <para>
-          The <filename>rndc.key</filename> feature was created to
-          ease the transition of systems from <acronym>BIND</acronym> 8,
-          which did not have digital signatures on its command channel
-          messages and thus did not have a <command>keys</command> clause.
-
-          It makes it possible to use an existing <acronym>BIND</acronym> 8
-          configuration file in <acronym>BIND</acronym> 9 unchanged,
-          and still have <command>rndc</command> work the same way
-          <command>ndc</command> worked in BIND 8, simply by executing the
-          command <userinput>rndc-confgen -a</userinput> after BIND 9 is
-          installed.
-        </para>
-
-        <para>
-          Since the <filename>rndc.key</filename> feature
-          is only intended to allow the backward-compatible usage of
-          <acronym>BIND</acronym> 8 configuration files, this
-          feature does not
-          have a high degree of configurability.  You cannot easily change
-          the key name or the size of the secret, so you should make a
-          <filename>rndc.conf</filename> with your own key if you
-          wish to change
-          those things.  The <filename>rndc.key</filename> file
-          also has its
-          permissions set such that only the owner of the file (the user that
-          <command>named</command> is running as) can access it.
-          If you
-          desire greater flexibility in allowing other users to access
-          <command>rndc</command> commands, then you need to create
-          a
-          <filename>rndc.conf</filename> file and make it group
-          readable by a group
-          that contains the users who should have access.
-        </para>
-
-        <para>
-          To disable the command channel, use an empty
-	  <command>controls</command> statement:
-	  <command>controls { };</command>.
-        </para>
-
-      </sect2>
-      <sect2>
-        <title><command>include</command> Statement Grammar</title>
-        <programlisting><command>include</command> <replaceable>filename</replaceable>;</programlisting>
-      </sect2>
-      <sect2>
-        <title><command>include</command> Statement Definition and
-          Usage</title>
-
-        <para>
-          The <command>include</command> statement inserts the
-          specified file at the point where the <command>include</command>
-          statement is encountered. The <command>include</command>
-                statement facilitates the administration of configuration
-          files
-          by permitting the reading or writing of some things but not
-          others. For example, the statement could include private keys
-          that are readable only by the name server.
-        </para>
-
-      </sect2>
-      <sect2>
-        <title><command>key</command> Statement Grammar</title>
-
-<programlisting><command>key</command> <replaceable>key_id</replaceable> {
-    algorithm <replaceable>string</replaceable>;
-    secret <replaceable>string</replaceable>;
-};
-</programlisting>
-
-      </sect2>
-
-      <sect2>
-        <title><command>key</command> Statement Definition and Usage</title>
-
-        <para>
-          The <command>key</command> statement defines a shared
-          secret key for use with TSIG (see <xref linkend="tsig"/>)
-          or the command channel
-          (see <xref linkend="controls_statement_definition_and_usage"/>).
-        </para>
-
-        <para>
-          The <command>key</command> statement can occur at the
-          top level
-          of the configuration file or inside a <command>view</command>
-          statement.  Keys defined in top-level <command>key</command>
-          statements can be used in all views.  Keys intended for use in
-          a <command>controls</command> statement
-          (see <xref linkend="controls_statement_definition_and_usage"/>)
-          must be defined at the top level.
-        </para>
-
-        <para>
-          The <replaceable>key_id</replaceable>, also known as the
-          key name, is a domain name uniquely identifying the key. It can
-          be used in a <command>server</command>
-          statement to cause requests sent to that
-          server to be signed with this key, or in address match lists to
-          verify that incoming requests have been signed with a key
-          matching this name, algorithm, and secret.
-        </para>
-
-	<para>
-	  The <replaceable>algorithm_id</replaceable> is a string
-	  that specifies a security/authentication algorithm.  Named
-	  supports <literal>hmac-md5</literal>,
-	  <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
-	  <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
-	  and <literal>hmac-sha512</literal> TSIG authentication.
-	  Truncated hashes are supported by appending the minimum
-	  number of required bits preceded by a dash, e.g.
-	  <literal>hmac-sha1-80</literal>.  The
-	  <replaceable>secret_string</replaceable> is the secret
-	  to be used by the algorithm, and is treated as a base-64
-	  encoded string.
-	</para>
-
-      </sect2>
-      <sect2>
-        <title><command>logging</command> Statement Grammar</title>
-
-<programlisting><command>logging</command> {
-   [ <command>channel</command> <replaceable>channel_name</replaceable> {
-     ( <command>file</command> <replaceable>path_name</replaceable>
-         [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
-         [ <command>size</command> <replaceable>size_spec</replaceable> ]
-       | <command>syslog</command> <replaceable>syslog_facility</replaceable>
-       | <command>stderr</command>
-       | <command>null</command> );
-     [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
-                 <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
-     [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
-     [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
-     [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
-   }; ]
-   [ <command>category</command> <replaceable>category_name</replaceable> {
-     <replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
-   }; ]
-   ...
-};
-</programlisting>
-
-      </sect2>
-
-      <sect2>
-        <title><command>logging</command> Statement Definition and
-          Usage</title>
-
-        <para>
-          The <command>logging</command> statement configures a
-          wide
-          variety of logging options for the name server. Its <command>channel</command> phrase
-          associates output methods, format options and severity levels with
-          a name that can then be used with the <command>category</command> phrase
-          to select how various classes of messages are logged.
-        </para>
-        <para>
-          Only one <command>logging</command> statement is used to
-          define
-          as many channels and categories as are wanted. If there is no <command>logging</command> statement,
-          the logging configuration will be:
-        </para>
-
-<programlisting>logging {
-     category default { default_syslog; default_debug; };
-     category unmatched { null; };
-};
-</programlisting>
-
-        <para>
-          In <acronym>BIND</acronym> 9, the logging configuration
-          is only established when
-          the entire configuration file has been parsed.  In <acronym>BIND</acronym> 8, it was
-          established as soon as the <command>logging</command>
-          statement
-          was parsed. When the server is starting up, all logging messages
-          regarding syntax errors in the configuration file go to the default
-          channels, or to standard error if the "<option>-g</option>" option
-          was specified.
-        </para>
-
-        <sect3>
-          <title>The <command>channel</command> Phrase</title>
-
-          <para>
-            All log output goes to one or more <emphasis>channels</emphasis>;
-            you can make as many of them as you want.
-          </para>
-
-          <para>
-            Every channel definition must include a destination clause that
-            says whether messages selected for the channel go to a file, to a
-            particular syslog facility, to the standard error stream, or are
-            discarded. It can optionally also limit the message severity level
-            that will be accepted by the channel (the default is
-            <command>info</command>), and whether to include a
-            <command>named</command>-generated time stamp, the
-            category name
-            and/or severity level (the default is not to include any).
-          </para>
-
-          <para>
-            The <command>null</command> destination clause
-            causes all messages sent to the channel to be discarded;
-            in that case, other options for the channel are meaningless.
-          </para>
-
-          <para>
-            The <command>file</command> destination clause directs
-            the channel
-            to a disk file.  It can include limitations
-            both on how large the file is allowed to become, and how many
-            versions
-            of the file will be saved each time the file is opened.
-          </para>
-
-          <para>
-            If you use the <command>versions</command> log file
-            option, then
-            <command>named</command> will retain that many backup
-            versions of the file by
-            renaming them when opening.  For example, if you choose to keep
-            three old versions
-            of the file <filename>lamers.log</filename>, then just
-            before it is opened
-            <filename>lamers.log.1</filename> is renamed to
-            <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
-            to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
-            renamed to <filename>lamers.log.0</filename>.
-            You can say <command>versions unlimited</command> to
-            not limit
-            the number of versions.
-            If a <command>size</command> option is associated with
-            the log file,
-            then renaming is only done when the file being opened exceeds the
-            indicated size.  No backup versions are kept by default; any
-            existing
-            log file is simply appended.
-          </para>
-
-          <para>
-            The <command>size</command> option for files is used
-            to limit log
-            growth. If the file ever exceeds the size, then <command>named</command> will
-            stop writing to the file unless it has a <command>versions</command> option
-            associated with it.  If backup versions are kept, the files are
-            rolled as
-            described above and a new one begun.  If there is no
-            <command>versions</command> option, no more data will
-            be written to the log
-            until some out-of-band mechanism removes or truncates the log to
-            less than the
-            maximum size.  The default behavior is not to limit the size of
-            the
-            file.
-          </para>
-
-          <para>
-            Example usage of the <command>size</command> and
-            <command>versions</command> options:
-          </para>
-
-<programlisting>channel an_example_channel {
-    file "example.log" versions 3 size 20m;
-    print-time yes;
-    print-category yes;
-};
-</programlisting>
-
-          <para>
-            The <command>syslog</command> destination clause
-            directs the
-            channel to the system log.  Its argument is a
-            syslog facility as described in the <command>syslog</command> man
-            page. Known facilities are <command>kern</command>, <command>user</command>,
-            <command>mail</command>, <command>daemon</command>, <command>auth</command>,
-            <command>syslog</command>, <command>lpr</command>, <command>news</command>,
-            <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
-            <command>ftp</command>, <command>local0</command>, <command>local1</command>,
-            <command>local2</command>, <command>local3</command>, <command>local4</command>,
-            <command>local5</command>, <command>local6</command> and
-            <command>local7</command>, however not all facilities
-            are supported on
-            all operating systems.
-            How <command>syslog</command> will handle messages
-            sent to
-            this facility is described in the <command>syslog.conf</command> man
-            page. If you have a system which uses a very old version of <command>syslog</command> that
-            only uses two arguments to the <command>openlog()</command> function,
-            then this clause is silently ignored.
-          </para>
-          <para>
-            The <command>severity</command> clause works like <command>syslog</command>'s
-            "priorities", except that they can also be used if you are writing
-            straight to a file rather than using <command>syslog</command>.
-            Messages which are not at least of the severity level given will
-            not be selected for the channel; messages of higher severity
-            levels
-            will be accepted.
-          </para>
-          <para>
-            If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
-            will also determine what eventually passes through. For example,
-            defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
-            only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
-            cause messages of severity <command>info</command> and
-            <command>notice</command> to
-            be dropped. If the situation were reversed, with <command>named</command> writing
-            messages of only <command>warning</command> or higher,
-            then <command>syslogd</command> would
-            print all messages it received from the channel.
-          </para>
-
-          <para>
-            The <command>stderr</command> destination clause
-            directs the
-            channel to the server's standard error stream.  This is intended
-            for
-            use when the server is running as a foreground process, for
-            example
-            when debugging a configuration.
-          </para>
-
-          <para>
-            The server can supply extensive debugging information when
-            it is in debugging mode. If the server's global debug level is
-            greater
-            than zero, then debugging mode will be active. The global debug
-            level is set either by starting the <command>named</command> server
-            with the <option>-d</option> flag followed by a positive integer,
-            or by running <command>rndc trace</command>.
-            The global debug level
-            can be set to zero, and debugging mode turned off, by running <command>rndc
-notrace</command>. All debugging messages in the server have a debug
-            level, and higher debug levels give more detailed output. Channels
-            that specify a specific debug severity, for example:
-          </para>
-
-<programlisting>channel specific_debug_level {
-    file "foo";
-    severity debug 3;
-};
-</programlisting>
-
-          <para>
-            will get debugging output of level 3 or less any time the
-            server is in debugging mode, regardless of the global debugging
-            level. Channels with <command>dynamic</command>
-            severity use the
-            server's global debug level to determine what messages to print.
-          </para>
-          <para>
-            If <command>print-time</command> has been turned on,
-            then
-            the date and time will be logged. <command>print-time</command> may
-            be specified for a <command>syslog</command> channel,
-            but is usually
-            pointless since <command>syslog</command> also logs
-            the date and
-            time. If <command>print-category</command> is
-            requested, then the
-            category of the message will be logged as well. Finally, if <command>print-severity</command> is
-            on, then the severity level of the message will be logged. The <command>print-</command> options may
-            be used in any combination, and will always be printed in the
-            following
-            order: time, category, severity. Here is an example where all
-            three <command>print-</command> options
-            are on:
-          </para>
-
-          <para>
-            <computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
-          </para>
-
-          <para>
-            There are four predefined channels that are used for
-            <command>named</command>'s default logging as follows.
-            How they are
-            used is described in <xref linkend="the_category_phrase"/>.
-          </para>
-
-<programlisting>channel default_syslog {
-    // send to syslog's daemon facility
-    syslog daemon;
-    // only send priority info and higher
-    severity info;
-
-channel default_debug {
-    // write to named.run in the working directory
-    // Note: stderr is used instead of "named.run" if
-    // the server is started with the '-f' option.
-    file "named.run";
-    // log at the server's current debug level
-    severity dynamic;
-};
-
-channel default_stderr {
-    // writes to stderr
-    stderr;
-    // only send priority info and higher
-    severity info;
-};
-
-channel null {
-   // toss anything sent to this channel
-   null;
-};
-</programlisting>
-
-          <para>
-            The <command>default_debug</command> channel has the
-            special
-            property that it only produces output when the server's debug
-            level is
-            nonzero.  It normally writes to a file called <filename>named.run</filename>
-            in the server's working directory.
-          </para>
-
-          <para>
-            For security reasons, when the "<option>-u</option>"
-            command line option is used, the <filename>named.run</filename> file
-            is created only after <command>named</command> has
-            changed to the
-            new UID, and any debug output generated while <command>named</command> is
-            starting up and still running as root is discarded.  If you need
-            to capture this output, you must run the server with the "<option>-g</option>"
-            option and redirect standard error to a file.
-          </para>
-
-          <para>
-            Once a channel is defined, it cannot be redefined. Thus you
-            cannot alter the built-in channels directly, but you can modify
-            the default logging by pointing categories at channels you have
-            defined.
-          </para>
-        </sect3>
-
-        <sect3 id="the_category_phrase">
-          <title>The <command>category</command> Phrase</title>
-
-          <para>
-            There are many categories, so you can send the logs you want
-            to see wherever you want, without seeing logs you don't want. If
-            you don't specify a list of channels for a category, then log
-            messages
-            in that category will be sent to the <command>default</command> category
-            instead. If you don't specify a default category, the following
-            "default default" is used:
-          </para>
-
-<programlisting>category default { default_syslog; default_debug; };
-</programlisting>
-
-          <para>
-            As an example, let's say you want to log security events to
-            a file, but you also want keep the default logging behavior. You'd
-            specify the following:
-          </para>
-
-<programlisting>channel my_security_channel {
-    file "my_security_file";
-    severity info;
-};
-category security {
-    my_security_channel;
-    default_syslog;
-    default_debug;
-};</programlisting>
-
-          <para>
-            To discard all messages in a category, specify the <command>null</command> channel:
-          </para>
-
-<programlisting>category xfer-out { null; };
-category notify { null; };
-</programlisting>
-
-          <para>
-            Following are the available categories and brief descriptions
-            of the types of log information they contain. More
-            categories may be added in future <acronym>BIND</acronym> releases.
-          </para>
-          <informaltable colsep="0" rowsep="0">
-            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-              <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
-              <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
-              <tbody>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>default</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The default category defines the logging
-                      options for those categories where no specific
-                      configuration has been
-                      defined.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>general</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The catch-all. Many things still aren't
-                      classified into categories, and they all end up here.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>database</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Messages relating to the databases used
-                      internally by the name server to store zone and cache
-                      data.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>security</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Approval and denial of requests.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>config</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Configuration file parsing and processing.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>resolver</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      DNS resolution, such as the recursive
-                      lookups performed on behalf of clients by a caching name
-                      server.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>xfer-in</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Zone transfers the server is receiving.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>xfer-out</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Zone transfers the server is sending.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>notify</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The NOTIFY protocol.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>client</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Processing of client requests.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>unmatched</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Messages that <command>named</command> was unable to determine the
-                      class of or for which there was no matching <command>view</command>.
-                      A one line summary is also logged to the <command>client</command> category.
-                      This category is best sent to a file or stderr, by
-                      default it is sent to
-                      the <command>null</command> channel.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>network</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Network operations.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>update</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Dynamic updates.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>update-security</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Approval and denial of update requests.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>queries</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Specify where queries should be logged to.
-                    </para>
-                    <para>
-                      At startup, specifying the category <command>queries</command> will also
-                      enable query logging unless <command>querylog</command> option has been
-                      specified.
-                    </para>
-
-		    <para>
-		      The query log entry reports the client's IP
-		      address and port number, and the query name,
-		      class and type.  Next it reports whether the
-		      Recursion Desired flag was set (+ if set, -
-		      if not set), if the query was signed (S),
-		      EDNS was in use (E), if TCP was used (T), if
-		      DO (DNSSEC Ok) was set (D), or if CD (Checking
-		      Disabled) was set (C).  After this the
-		      destination address the query was sent to is
-		      reported.
-		    </para>
-
-                    <para>
-                      <computeroutput>client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</computeroutput>
-                    </para>
-                    <para>
-                      <computeroutput>client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</computeroutput>
-                    </para>
-		    <para>
-                      (The first part of this log message, showing the
-                      client address/port number and query name, is
-                      repeated in all subsequent log messages related
-                      to the same query.)
-		    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>query-errors</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Information about queries that resulted in some
-                      failure.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>dispatch</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Dispatching of incoming packets to the
-                      server modules where they are to be processed.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>dnssec</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      DNSSEC and TSIG protocol processing.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>lame-servers</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Lame servers.  These are misconfigurations
-                      in remote servers, discovered by BIND 9 when trying to
-                      query those servers during resolution.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>delegation-only</command></para>
-                  </entry>
-		  <entry colname="2">
-		    <para>
-		      Delegation only.  Logs queries that have been
-		      forced to NXDOMAIN as the result of a
-		      delegation-only zone or a
-		      <command>delegation-only</command> in a hint
-		      or stub zone declaration.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>edns-disabled</command></para>
-                  </entry>
-		  <entry colname="2">
-		    <para>
-		      Log queries that have been forced to use plain
-		      DNS due to timeouts.  This is often due to
-		      the remote servers not being RFC 1034 compliant
-		      (not always returning FORMERR or similar to
-		      EDNS queries and other extensions to the DNS
-		      when they are not understood).  In other words, this is
-		      targeted at servers that fail to respond to
-		      DNS queries that they don't understand.
-		    </para>
-		    <para>
-		      Note: the log message can also be due to
-		      packet loss.  Before reporting servers for
-		      non-RFC 1034 compliance they should be re-tested
-		      to determine the nature of the non-compliance.
-		      This testing should prevent or reduce the
-		      number of false-positive reports.
-		    </para>
-		    <para>
-		      Note: eventually <command>named</command> will have to stop
-		      treating such timeouts as due to RFC 1034 non
-		      compliance and start treating it as plain
-		      packet loss.  Falsely classifying packet
-		      loss as due to RFC 1034 non compliance impacts
-		      on DNSSEC validation which requires EDNS for
-		      the DNSSEC records to be returned.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>RPZ</command></para>
-                  </entry>
-		  <entry colname="2">
-		    <para>
-		      Information about errors in response policy zone files,
-		      rewritten responses, and at the highest
-		      <command>debug</command> levels, mere rewriting
-		      attempts.
-		    </para>
-		  </entry>
-		</row>
-	      </tbody>
-	    </tgroup>
-	  </informaltable>
-	</sect3>
-	<sect3>
-	  <title>The <command>query-errors</command> Category</title>
-	  <para>
-	    The <command>query-errors</command> category is
-	    specifically intended for debugging purposes: To identify
-	    why and how specific queries result in responses which
-	    indicate an error.
-	    Messages of this category are therefore only logged
-	    with <command>debug</command> levels.
-	  </para>
-
-	  <para>
-	    At the debug levels of 1 or higher, each response with the
-	    rcode of SERVFAIL is logged as follows:
-	  </para>
-	  <para>
-	    <computeroutput>client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</computeroutput>
-	  </para>
-	  <para>
-	    This means an error resulting in SERVFAIL was
-	    detected at line 3880 of source file
-	    <filename>query.c</filename>.
-	    Log messages of this level will particularly
-	    help identify the cause of SERVFAIL for an
-	    authoritative server.
-	  </para>
-	  <para>
-	    At the debug levels of 2 or higher, detailed context
-	    information of recursive resolutions that resulted in
-	    SERVFAIL is logged.
-	    The log message will look like as follows:
-	  </para>
-	  <para>
-<!-- NOTE: newlines and some spaces added so this would fit on page -->
-            <programlisting>
-fetch completed at resolver.c:2970 for www.example.com/A
-in 30.000183: timed out/success [domain:example.com,
-referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
-badresp:1,adberr:0,findfail:0,valfail:0]
-            </programlisting>
-	  </para>
-	  <para>
-	    The first part before the colon shows that a recursive
-	    resolution for AAAA records of www.example.com completed
-	    in 30.000183 seconds and the final result that led to the
-	    SERVFAIL was determined at line 2970 of source file
-	    <filename>resolver.c</filename>.
-	  </para>
-	  <para>
-	    The following part shows the detected final result and the
-	    latest result of DNSSEC validation.
-	    The latter is always success when no validation attempt
-	    is made.
-	    In this example, this query resulted in SERVFAIL probably
-	    because all name servers are down or unreachable, leading
-	    to a timeout in 30 seconds.
-	    DNSSEC validation was probably not attempted.
-	  </para>
-	  <para>
-	    The last part enclosed in square brackets shows statistics
-	    information collected for this particular resolution
-	    attempt.
-	    The <varname>domain</varname> field shows the deepest zone
-	    that the resolver reached;
-	    it is the zone where the error was finally detected.
-	    The meaning of the other fields is summarized in the
-	    following table.
-	  </para>
-
-          <informaltable colsep="0" rowsep="0">
-            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-              <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
-              <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
-              <tbody>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>referral</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      The number of referrals the resolver received
-		      throughout the resolution process.
-		      In the above example this is 2, which are most
-		      likely com and example.com.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>restart</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      The number of cycles that the resolver tried
-		      remote servers at the <varname>domain</varname>
-		      zone.
-		      In each cycle the resolver sends one query
-		      (possibly resending it, depending on the response)
-		      to each known name server of
-		      the <varname>domain</varname> zone.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>qrysent</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      The number of queries the resolver sent at the
-		      <varname>domain</varname> zone.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>timeout</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      The number of timeouts since the resolver
-		      received the last response.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>lame</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      The number of lame servers the resolver detected
-		      at the <varname>domain</varname> zone.
-		      A server is detected to be lame either by an
-		      invalid response or as a result of lookup in
-		      BIND9's address database (ADB), where lame
-		      servers are cached.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>neterr</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      The number of erroneous results that the
-		      resolver encountered in sending queries
-		      at the <varname>domain</varname> zone.
-		      One common case is the remote server is
-		      unreachable and the resolver receives an ICMP
-		      unreachable error message.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>badresp</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      The number of unexpected responses (other than
-		      <varname>lame</varname>) to queries sent by the
-		      resolver at the <varname>domain</varname> zone.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>adberr</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      Failures in finding remote server addresses
-		      of the <varname>domain</varname> zone in the ADB.
-		      One common case of this is that the remote
-		      server's name does not have any address records.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>findfail</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      Failures of resolving remote server addresses.
-		      This is a total number of failures throughout
-		      the resolution process.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><varname>valfail</varname></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      Failures of DNSSEC validation.
-		      Validation failures are counted throughout
-		      the resolution process (not limited to
-		      the <varname>domain</varname> zone), but should
-		      only happen in <varname>domain</varname>.
-		    </para>
-		  </entry>
-		</row>
-	      </tbody>
-	    </tgroup>
-	  </informaltable>
-	  <para>
-	    At the debug levels of 3 or higher, the same messages
-	    as those at the debug 1 level are logged for other errors
-	    than SERVFAIL.
-	    Note that negative responses such as NXDOMAIN are not
-	    regarded as errors here.
-	  </para>
-	  <para>
-	    At the debug levels of 4 or higher, the same messages
-	    as those at the debug 2 level are logged for other errors
-	    than SERVFAIL.
-	    Unlike the above case of level 3, messages are logged for
-	    negative responses.
-	    This is because any unexpected results can be difficult to
-	    debug in the recursion case.
-	  </para>
-	</sect3>
-      </sect2>
-
-      <sect2>
-        <title><command>lwres</command> Statement Grammar</title>
-
-        <para>
-           This is the grammar of the <command>lwres</command>
-          statement in the <filename>named.conf</filename> file:
-        </para>
-
-<programlisting><command>lwres</command> {
-    <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
-                <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> view <replaceable>view_name</replaceable>; </optional>
-    <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
-    <optional> ndots <replaceable>number</replaceable>; </optional>
-};
-</programlisting>
-
-      </sect2>
-      <sect2>
-        <title><command>lwres</command> Statement Definition and Usage</title>
-
-        <para>
-          The <command>lwres</command> statement configures the
-          name
-          server to also act as a lightweight resolver server. (See
-          <xref linkend="lwresd"/>.)  There may be multiple
-          <command>lwres</command> statements configuring
-          lightweight resolver servers with different properties.
-        </para>
-
-        <para>
-          The <command>listen-on</command> statement specifies a
-          list of
-          addresses (and ports) that this instance of a lightweight resolver
-          daemon
-          should accept requests on.  If no port is specified, port 921 is
-          used.
-          If this statement is omitted, requests will be accepted on
-          127.0.0.1,
-          port 921.
-        </para>
-
-        <para>
-          The <command>view</command> statement binds this
-          instance of a
-          lightweight resolver daemon to a view in the DNS namespace, so that
-          the
-          response will be constructed in the same manner as a normal DNS
-          query
-          matching this view.  If this statement is omitted, the default view
-          is
-          used, and if there is no default view, an error is triggered.
-        </para>
-
-        <para>
-          The <command>search</command> statement is equivalent to
-          the
-          <command>search</command> statement in
-          <filename>/etc/resolv.conf</filename>.  It provides a
-          list of domains
-          which are appended to relative names in queries.
-        </para>
-
-        <para>
-          The <command>ndots</command> statement is equivalent to
-          the
-          <command>ndots</command> statement in
-          <filename>/etc/resolv.conf</filename>.  It indicates the
-          minimum
-          number of dots in a relative domain name that should result in an
-          exact match lookup before search path elements are appended.
-        </para>
-      </sect2>
-      <sect2>
-        <title><command>masters</command> Statement Grammar</title>
-
-<programlisting>
-<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | 
-      <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
-</programlisting>
-
-      </sect2>
-
-      <sect2>
-        <title><command>masters</command> Statement Definition and
-          Usage</title>
-        <para><command>masters</command>
-	  lists allow for a common set of masters to be easily used by
-          multiple stub and slave zones in their <command>masters</command>
-          or <command>also-notify</command> lists.
-        </para>
-      </sect2>
-
-      <sect2>
-        <title><command>options</command> Statement Grammar</title>
-
-        <para>
-          This is the grammar of the <command>options</command>
-          statement in the <filename>named.conf</filename> file:
-        </para>
-
-<programlisting><command>options</command> {
-    <optional> attach-cache <replaceable>cache_name</replaceable>; </optional>
-    <optional> version <replaceable>version_string</replaceable>; </optional>
-    <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
-    <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
-    <optional> directory <replaceable>path_name</replaceable>; </optional>
-    <optional> key-directory <replaceable>path_name</replaceable>; </optional>
-    <optional> managed-keys-directory <replaceable>path_name</replaceable>; </optional>
-    <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
-    <optional> tkey-gssapi-keytab <replaceable>path_name</replaceable>; </optional>
-    <optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
-    <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
-    <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
-    <optional> cache-file <replaceable>path_name</replaceable>; </optional>
-    <optional> dump-file <replaceable>path_name</replaceable>; </optional>
-    <optional> bindkeys-file <replaceable>path_name</replaceable>; </optional>
-    <optional> secroots-file <replaceable>path_name</replaceable>; </optional>
-    <optional> session-keyfile <replaceable>path_name</replaceable>; </optional>
-    <optional> session-keyname <replaceable>key_name</replaceable>; </optional>
-    <optional> session-keyalg <replaceable>algorithm_id</replaceable>; </optional>
-    <optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
-    <optional> pid-file <replaceable>path_name</replaceable>; </optional>
-    <optional> recursing-file <replaceable>path_name</replaceable>; </optional>
-    <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
-    <optional> zone-statistics <replaceable>full</replaceable> | <replaceable>terse</replaceable> | <replaceable>none</replaceable>; </optional>
-    <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
-    <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
-    <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
-    <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> request-nsid <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
-    <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnssec-validation (<replaceable>yes_or_no</replaceable> | <constant>auto</constant>); </optional>
-    <optional> dnssec-lookaside ( <replaceable>auto</replaceable> |
-			<replaceable>no</replaceable> |
-                        <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional>
-    <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
-    <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
-        ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
-          <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; 
-        ... }; </optional>
-    <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
-        ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
-    <optional> check-dup-records ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
-    <optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
-    <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
-    <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
-    <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
-    <optional> allow-new-zones { <replaceable>yes_or_no</replaceable> }; </optional>
-    <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-query-cache-on { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-recursion-on { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
-    <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
-    <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
-    <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
-    <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
-    <optional> use-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
-    <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
-    <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
-        <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
-        <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
-        <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
-    <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
-        <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> | 
-        <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional> 
-        <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
-    <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
-    <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
-    <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
-    <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
-    <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
-    <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
-    <optional> tcp-clients <replaceable>number</replaceable>; </optional>
-    <optional> reserved-sockets <replaceable>number</replaceable>; </optional>
-    <optional> recursive-clients <replaceable>number</replaceable>; </optional>
-    <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
-    <optional> serial-queries <replaceable>number</replaceable>; </optional>
-    <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
-    <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
-    <optional> transfers-in  <replaceable>number</replaceable>; </optional>
-    <optional> transfers-out <replaceable>number</replaceable>; </optional>
-    <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
-    <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
-                             <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
-    <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> also-notify { <replaceable>ip_addr</replaceable>
-                    <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>keyname</replaceable></optional> ;
-                    <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>keyname</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
-    <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
-    <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
-    <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
-    <optional> files <replaceable>size_spec</replaceable> ; </optional>
-    <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
-    <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
-    <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
-    <optional> interface-interval <replaceable>number</replaceable>; </optional>
-    <optional> statistics-interval <replaceable>number</replaceable>; </optional>
-    <optional> topology { <replaceable>address_match_list</replaceable> }</optional>;
-    <optional> sortlist { <replaceable>address_match_list</replaceable> }</optional>;
-    <optional> rrset-order { <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> };
-    <optional> lame-ttl <replaceable>number</replaceable>; </optional>
-    <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
-    <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
-    <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
-    <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
-    <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
-    <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
-    <optional> min-roots <replaceable>number</replaceable>; </optional>
-    <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> request-ixfr <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> port <replaceable>ip_port</replaceable>; </optional>
-    <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> random-device <replaceable>path_name</replaceable> ; </optional>
-    <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
-    <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
-    <optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> dns64 <replaceable>IPv6-prefix</replaceable> {
-	<optional> clients { <replaceable>address_match_list</replaceable> }; </optional>
-	<optional> mapped { <replaceable>address_match_list</replaceable> }; </optional>
-        <optional> exclude { <replaceable>address_match_list</replaceable> }; </optional>
-	<optional> suffix IPv6-address; </optional>
-	<optional> recursive-only <replaceable>yes_or_no</replaceable>; </optional>
-	<optional> break-dnssec <replaceable>yes_or_no</replaceable>; </optional>
-    }; </optional>;
-    <optional> dns64-server <replaceable>name</replaceable> </optional>
-    <optional> dns64-contact <replaceable>name</replaceable> </optional>
-    <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
-    <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
-    <optional> max-udp-size <replaceable>number</replaceable>; </optional>
-    <optional> max-rsa-exponent-size <replaceable>number</replaceable>; </optional>
-    <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
-    <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>;
-                                <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
-    <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
-    <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
-    <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
-    <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
-    <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
-    <optional> empty-server <replaceable>name</replaceable> ; </optional>
-    <optional> empty-contact <replaceable>name</replaceable> ; </optional>
-    <optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
-    <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> resolver-query-timeout <replaceable>number</replaceable> ; </optional>
-    <optional> deny-answer-addresses { <replaceable>address_match_list</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
-    <optional> deny-answer-aliases { <replaceable>namelist</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
-    <optional> response-policy { <replaceable>zone_name</replaceable>
-	<optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional>
-	<optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> ;
-    } <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional>
-	<optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> <optional> min-ns-dots <replaceable>number</replaceable> </optional> ; </optional>
-};
-</programlisting>
-
-      </sect2>
-
-      <sect2 id="options">
-        <title><command>options</command> Statement Definition and
-          Usage</title>
-
-        <para>
-          The <command>options</command> statement sets up global
-          options
-          to be used by <acronym>BIND</acronym>. This statement
-          may appear only
-          once in a configuration file. If there is no <command>options</command>
-          statement, an options block with each option set to its default will
-          be used.
-        </para>
-
-        <variablelist>
-
-            <varlistentry>
-              <term><command>attach-cache</command></term>
-              <listitem>
-                <para>
-		  Allows multiple views to share a single cache
-		  database.
-		  Each view has its own cache database by default, but
-		  if multiple views have the same operational policy
-		  for name resolution and caching, those views can
-		  share a single cache to save memory and possibly
-		  improve resolution efficiency by using this option.
-                </para>
-
-                <para>
-                  The <command>attach-cache</command> option
-                  may also be specified in <command>view</command>
-                  statements, in which case it overrides the
-                  global <command>attach-cache</command> option.
-                </para>
-
-		<para>
-		  The <replaceable>cache_name</replaceable> specifies
-		  the cache to be shared.
-		  When the <command>named</command> server configures
-		  views which are supposed to share a cache, it
-		  creates a cache with the specified name for the
-		  first view of these sharing views.
-		  The rest of the views will simply refer to the
-		  already created cache.
-		</para>
-
-		<para>
-		  One common configuration to share a cache would be to
-		  allow all views to share a single cache.
-		  This can be done by specifying
-		  the <command>attach-cache</command> as a global
-		  option with an arbitrary name.
-		</para>
-
-		<para>
-		  Another possible operation is to allow a subset of
-		  all views to share a cache while the others to
-		  retain their own caches.
-		  For example, if there are three views A, B, and C,
-		  and only A and B should share a cache, specify the
-		  <command>attach-cache</command> option as a view A (or
-		  B)'s option, referring to the other view name:
-		</para>
-
-<programlisting>
-  view "A" {
-    // this view has its own cache
-    ...
-  };
-  view "B" {
-    // this view refers to A's cache
-    attach-cache "A";
-  };
-  view "C" {
-    // this view has its own cache
-    ...
-  };
-</programlisting>
-
-		<para>
-		  Views that share a cache must have the same policy
-		  on configurable parameters that may affect caching.
-		  The current implementation requires the following
-		  configurable options be consistent among these
-		  views:
-		  <command>check-names</command>,
-		  <command>cleaning-interval</command>,
-		  <command>dnssec-accept-expired</command>,
-		  <command>dnssec-validation</command>,
-		  <command>max-cache-ttl</command>,
-		  <command>max-ncache-ttl</command>,
-		  <command>max-cache-size</command>, and
-		  <command>zero-no-soa-ttl</command>.
-		</para>
-
-		<para>
-		  Note that there may be other parameters that may
-		  cause confusion if they are inconsistent for
-		  different views that share a single cache.
-		  For example, if these views define different sets of
-		  forwarders that can return different answers for the
-		  same question, sharing the answer does not make
-		  sense or could even be harmful.
-		  It is administrator's responsibility to ensure
-		  configuration differences in different views do
-		  not cause disruption with a shared cache.
-		</para>
-              </listitem>
-
-            </varlistentry>
-
-          <varlistentry>
-            <term><command>directory</command></term>
-            <listitem>
-              <para>
-                The working directory of the server.
-                Any non-absolute pathnames in the configuration file will be
-                taken
-                as relative to this directory. The default location for most
-                server
-                output files (e.g. <filename>named.run</filename>)
-                is this directory.
-                If a directory is not specified, the working directory
-                defaults to `<filename>.</filename>', the directory from
-                which the server
-                was started. The directory specified should be an absolute
-                path.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>key-directory</command></term>
-            <listitem>
-              <para>
-                When performing dynamic update of secure zones, the
-                directory where the public and private DNSSEC key files
-                should be found, if different than the current working
-                directory.  (Note that this option has no effect on the
-                paths for files containing non-DNSSEC keys such as
-                <filename>bind.keys</filename>,
-                <filename>rndc.key</filename> or
-                <filename>session.key</filename>.)
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>managed-keys-directory</command></term>
-            <listitem>
-              <para>
-                Specifies the directory in which to store the files that
-                track managed DNSSEC keys.  By default, this is the working
-                directory.
-              </para>
-              <para>
-                If <command>named</command> is not configured to use views,
-                then managed keys for the server will be tracked in a single
-                file called <filename>managed-keys.bind</filename>.
-                Otherwise, managed keys will be tracked in separate files,
-                one file per view; each file name will be the SHA256 hash
-                of the view name, followed by the extension
-                <filename>.mkeys</filename>.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>named-xfer</command></term>
-	    <listitem>
-	      <para>
-		<emphasis>This option is obsolete.</emphasis> It
-		was used in <acronym>BIND</acronym> 8 to specify
-		the pathname to the <command>named-xfer</command>
-		program.  In <acronym>BIND</acronym> 9, no separate
-		<command>named-xfer</command> program is needed;
-		its functionality is built into the name server.
-	      </para>
-	    </listitem>
-	  </varlistentry>
-
-	  <varlistentry>
-	    <term><command>tkey-gssapi-keytab</command></term>
-	    <listitem>
-	      <para>
-		The KRB5 keytab file to use for GSS-TSIG updates. If
-		this option is set and tkey-gssapi-credential is not
-		set, then updates will be allowed with any key
-		matching a principal in the specified keytab.
-	      </para>
-	    </listitem>
-	  </varlistentry>
-
-	  <varlistentry>
-	    <term><command>tkey-gssapi-credential</command></term>
-	    <listitem>
-	      <para>
-		The security credential with which the server should
-		authenticate keys requested by the GSS-TSIG protocol.
-		Currently only Kerberos 5 authentication is available
-		and the credential is a Kerberos principal which the
-		server can acquire through the default system key
-		file, normally <filename>/etc/krb5.keytab</filename>.
-		The location keytab file can be overridden using the
-		tkey-gssapi-keytab option. Normally this principal is
-		of the form "<userinput>DNS/</userinput><varname>server.domain</varname>".
-		To use GSS-TSIG, <command>tkey-domain</command> must
-		also be set if a specific keytab is not set with
-		tkey-gssapi-keytab.
-	      </para>
-	    </listitem>
-	  </varlistentry>
-
-          <varlistentry>
-            <term><command>tkey-domain</command></term>
-	    <listitem>
-	      <para>
-		The domain appended to the names of all shared keys
-		generated with <command>TKEY</command>.  When a
-		client requests a <command>TKEY</command> exchange,
-		it may or may not specify the desired name for the
-		key. If present, the name of the shared key will
-		be <varname>client specified part</varname> +
-		<varname>tkey-domain</varname>.  Otherwise, the
-		name of the shared key will be <varname>random hex
-		digits</varname> + <varname>tkey-domain</varname>.
-		In most cases, the <command>domainname</command>
-		should be the server's domain name, or an otherwise
-		non-existent subdomain like
-		"_tkey.<varname>domainname</varname>".  If you are
-		using GSS-TSIG, this variable must be defined, unless
-		you specify a specific keytab using tkey-gssapi-keytab.
-	      </para>
-	    </listitem>
-	  </varlistentry>
-
-          <varlistentry>
-            <term><command>tkey-dhkey</command></term>
-            <listitem>
-              <para>
-                The Diffie-Hellman key used by the server
-                to generate shared keys with clients using the Diffie-Hellman
-                mode
-                of <command>TKEY</command>. The server must be
-                able to load the
-                public and private keys from files in the working directory.
-                In
-                most cases, the keyname should be the server's host name.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>cache-file</command></term>
-            <listitem>
-              <para>
-		This is for testing only.  Do not use.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>dump-file</command></term>
-            <listitem>
-              <para>
-                The pathname of the file the server dumps
-                the database to when instructed to do so with
-                <command>rndc dumpdb</command>.
-                If not specified, the default is <filename>named_dump.db</filename>.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>memstatistics-file</command></term>
-            <listitem>
-              <para>
-                The pathname of the file the server writes memory
-                usage statistics to on exit. If not specified,
-                the default is <filename>named.memstats</filename>.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>pid-file</command></term>
-            <listitem>
-              <para>
-                The pathname of the file the server writes its process ID
-                in. If not specified, the default is
-		<filename>/var/run/named/named.pid</filename>.
-                The PID file is used by programs that want to send signals to
-                the running
-                name server. Specifying <command>pid-file none</command> disables the
-                use of a PID file &mdash; no file will be written and any
-                existing one will be removed.  Note that <command>none</command>
-                is a keyword, not a filename, and therefore is not enclosed
-                in
-                double quotes.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>recursing-file</command></term>
-            <listitem>
-              <para>
-                The pathname of the file the server dumps
-                the queries that are currently recursing when instructed
-                to do so with <command>rndc recursing</command>.
-                If not specified, the default is <filename>named.recursing</filename>.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>statistics-file</command></term>
-            <listitem>
-              <para>
-                The pathname of the file the server appends statistics
-                to when instructed to do so using <command>rndc stats</command>.
-                If not specified, the default is <filename>named.stats</filename> in the
-                server's current directory.  The format of the file is
-                described
-                in <xref linkend="statsfile"/>.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>bindkeys-file</command></term>
-            <listitem>
-              <para>
-                The pathname of a file to override the built-in trusted
-		keys provided by <command>named</command>.
-		See the discussion of <command>dnssec-lookaside</command>
-                and <command>dnssec-validation</command> for details. 
-                If not specified, the default is
-		<filename>/etc/bind.keys</filename>.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>secroots-file</command></term>
-            <listitem>
-              <para>
-                The pathname of the file the server dumps
-                security roots to when instructed to do so with
-                <command>rndc secroots</command>.
-                If not specified, the default is
-		<filename>named.secroots</filename>.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>session-keyfile</command></term>
-            <listitem>
-              <para>
-                The pathname of the file into which to write a TSIG
-                session key generated by <command>named</command> for use by
-                <command>nsupdate -l</command>.  If not specified, the
-                default is <filename>/var/run/named/session.key</filename>.
-                (See <xref linkend="dynamic_update_policies"/>, and in
-                particular the discussion of the
-                <command>update-policy</command> statement's
-                <userinput>local</userinput> option for more
-                information about this feature.)
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>session-keyname</command></term>
-            <listitem>
-              <para>
-                The key name to use for the TSIG session key.
-                If not specified, the default is "local-ddns".
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>session-keyalg</command></term>
-            <listitem>
-              <para>
-                The algorithm to use for the TSIG session key.
-                Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
-                hmac-sha384, hmac-sha512 and hmac-md5.  If not
-                specified, the default is hmac-sha256.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>port</command></term>
-            <listitem>
-              <para>
-                The UDP/TCP port number the server uses for
-                receiving and sending DNS protocol traffic.
-                The default is 53.  This option is mainly intended for server
-                testing;
-                a server using a port other than 53 will not be able to
-                communicate with
-                the global DNS.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>random-device</command></term>
-            <listitem>
-              <para>
-                The source of entropy to be used by the server.  Entropy is
-                primarily needed
-                for DNSSEC operations, such as TKEY transactions and dynamic
-                update of signed
-                zones.  This options specifies the device (or file) from which
-                to read
-                entropy.  If this is a file, operations requiring entropy will
-                fail when the
-                file has been exhausted.  If not specified, the default value
-                is
-                <filename>/dev/random</filename>
-                (or equivalent) when present, and none otherwise.  The
-                <command>random-device</command> option takes
-                effect during
-                the initial configuration load at server startup time and
-                is ignored on subsequent reloads.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>preferred-glue</command></term>
-            <listitem>
-              <para>
-                If specified, the listed type (A or AAAA) will be emitted
-                before other glue
-                in the additional section of a query response.
-                The default is not to prefer any type (NONE).
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry id="root_delegation_only">
-            <term><command>root-delegation-only</command></term>
-            <listitem>
-              <para>
-                Turn on enforcement of delegation-only in TLDs
-		(top level domains) and root zones with an optional
-		exclude list.
-              </para>
-	      <para>
-		DS queries are expected to be made to and be answered by
-		delegation only zones.  Such queries and responses are
-		treated as an exception to delegation-only processing
-		and are not converted to NXDOMAIN responses provided
-		a CNAME is not discovered at the query name.
-	      </para>
-	      <para>
-		If a delegation only zone server also serves a child
-		zone it is not always possible to determine whether
-		an answer comes from the delegation only zone or the
-		child zone.  SOA NS and DNSKEY records are apex
-		only records and a matching response that contains
-		these records or DS is treated as coming from a
-		child zone.  RRSIG records are also examined to see
-		if they are signed by a child zone or not.  The
-		authority section is also examined to see if there
-		is evidence that the answer is from the child zone.
-		Answers that are determined to be from a child zone
-		are not converted to NXDOMAIN responses.  Despite
-		all these checks there is still a possibility of
-		false negatives when a child zone is being served.
-	      </para>
-	      <para>
-		Similarly false positives can arise from empty nodes
-		(no records at the name) in the delegation only zone
-		when the query type is not ANY.
-	      </para>
-              <para>
-                Note some TLDs are not delegation only (e.g. "DE", "LV",
-		"US" and "MUSEUM").  This list is not exhaustive.
-              </para>
-
-<programlisting>
-options {
-	root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
-};
-</programlisting>
-
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>disable-algorithms</command></term>
-            <listitem>
-              <para>
-                Disable the specified DNSSEC algorithms at and below the
-                specified name.
-                Multiple <command>disable-algorithms</command>
-                statements are allowed.
-                Only the most specific will be applied.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>dnssec-lookaside</command></term>
-            <listitem>
-              <para>
-		When set, <command>dnssec-lookaside</command> provides the
-		validator with an alternate method to validate DNSKEY
-		records at the top of a zone.  When a DNSKEY is at or
-		below a domain specified by the deepest
-		<command>dnssec-lookaside</command>, and the normal DNSSEC
-		validation has left the key untrusted, the trust-anchor
-		will be appended to the key name and a DLV record will be
-		looked up to see if it can validate the key.  If the DLV
-		record validates a DNSKEY (similarly to the way a DS
-                record does) the DNSKEY RRset is deemed to be trusted.
-	      </para>
-	      <para>
-		If <command>dnssec-lookaside</command> is set to
-		<userinput>auto</userinput>, then built-in default
-		values for the DLV domain and trust anchor will be
-		used, along with a built-in key for validation.
-	      </para>
-	      <para>
-		If <command>dnssec-lookaside</command> is set to
-		<userinput>no</userinput>, then dnssec-lookaside
-		is not used.
-	      </para>
-              <para>
-                The default DLV key is stored in the file
-                <filename>bind.keys</filename>;
-                <command>named</command> will load that key at
-                startup if <command>dnssec-lookaside</command> is set to
-                <constant>auto</constant>.  A copy of the file is
-                installed along with <acronym>BIND</acronym> 9, and is
-                current as of the release date.  If the DLV key expires, a
-                new copy of <filename>bind.keys</filename> can be downloaded
-                from <ulink url="https://www.isc.org/solutions/dlv/"
-		>https://www.isc.org/solutions/dlv/</ulink>.
-              </para>
-              <para>
-                (To prevent problems if <filename>bind.keys</filename> is
-                not found, the current key is also compiled in to
-                <command>named</command>.  Relying on this is not
-                recommended, however, as it requires <command>named</command>
-                to be recompiled with a new key when the DLV key expires.)
-              </para>
-              <para>
-                NOTE: <command>named</command> only loads certain specific
-                keys from <filename>bind.keys</filename>:  those for the
-                DLV zone and for the DNS root zone.  The file cannot be
-                used to store keys for other zones.
-              </para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><command>dnssec-must-be-secure</command></term>
-            <listitem>
-              <para>
-                Specify hierarchies which must be or may not be secure
-                (signed and validated).  If <userinput>yes</userinput>,
-                then <command>named</command> will only accept answers if
-                they are secure.  If <userinput>no</userinput>, then normal
-                DNSSEC validation applies allowing for insecure answers to
-                be accepted.  The specified domain must be under a
-                <command>trusted-keys</command> or
-                <command>managed-keys</command> statement, or
-                <command>dnssec-lookaside</command> must be active.
-              </para>
-            </listitem>
-          </varlistentry>
-
-	  <varlistentry>
-	    <term><command>dns64</command></term>
-            <listitem>
-	      <para>
-		This directive instructs <command>named</command> to
-		return mapped IPv4 addresses to AAAA queries when
-		there are no AAAA records.  It is intended to be
-		used in conjunction with a NAT64.  Each
-		<command>dns64</command> defines one DNS64 prefix.
-		Multiple DNS64 prefixes can be defined.
-	      </para>
-	      <para>
-		Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
-		64 and 96 as per RFC 6052.
-	      </para>
-	      <para>
-		Additionally a reverse IP6.ARPA zone will be created for
-		the prefix to provide a mapping from the IP6.ARPA names
-		to the corresponding IN-ADDR.ARPA names using synthesized
-		CNAMEs.  <command>dns64-server</command> and
-		<command>dns64-contact</command> can be used to specify
-		the name of the server and contact for the zones. These
-		are settable at the view / options level.  These are
-		not settable on a per-prefix basis.
-	      </para>
-	      <para>
-		Each <command>dns64</command> supports an optional
-		<command>clients</command> ACL that determines which
-                clients are affected by this directive.  If not defined,
-                it defaults to <userinput>any;</userinput>.
-	      </para>
-	      <para>
-		Each <command>dns64</command> supports an optional
-		<command>mapped</command> ACL that selects which
-		IPv4 addresses are to be mapped in the corresponding	
-		A RRset.  If not defined it defaults to
-		<userinput>any;</userinput>.
-	      </para>
-	      <para>
-		Normally, DNS64 won't apply to a domain name that
-		owns one or more AAAA records; these records will
-		simply be returned.  The optional
-		<command>exclude</command> ACL allows specification
-		of a list of IPv6 addresses that will be ignored
-		if they appear in a domain name's AAAA records, and
-		DNS64 will be applied to any A records the domain
-		name owns.  If not defined, <command>exclude</command>
-		defaults to none.
-	      </para>
-	      <para>
-		A optional <command>suffix</command> can also
-		be defined to set the bits trailing the mapped
-		IPv4 address bits.  By default these bits are
-		set to <userinput>::</userinput>.  The bits
-		matching the prefix and mapped IPv4 address
-		must be zero.
-	      </para>
-	      <para>
-		If <command>recursive-only</command> is set to
-		<command>yes</command> the DNS64 synthesis will
-		only happen for recursive queries.  The default
-		is <command>no</command>.
-	      </para>
-	      <para>
-		If <command>break-dnssec</command> is set to
-		<command>yes</command> the DNS64 synthesis will
-		happen even if the result, if validated, would
-		cause a DNSSEC validation failure.  If this option
-		is set to <command>no</command> (the default), the DO
-		is set on the incoming query, and there are RRSIGs on
-		the applicable records, then synthesis will not happen.
-	      </para>
-<programlisting>
-	acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
-
-        dns64 64:FF9B::/96 {
-                clients { any; };
-                mapped { !rfc1918; any; };
-                exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
-                suffix ::;
-        };
-</programlisting>
-            </listitem>
-	  </varlistentry>
-
-	  <varlistentry>
-	    <term><command>dnssec-update-mode</command></term>
-	    <listitem>
-	        <para>
-                  If this option is set to its default value of
-                  <literal>maintain</literal> in a zone of type
-                  <literal>master</literal> which is DNSSEC-signed
-                  and configured to allow dynamic updates (see
-                  <xref linkend="dynamic_update_policies"/>), and
-                  if <command>named</command> has access to the
-                  private signing key(s) for the zone, then
-                  <command>named</command> will automatically sign all new
-                  or changed records and maintain signatures for the zone
-                  by regenerating RRSIG records whenever they approach
-                  their expiration date.
-		</para>
-		<para>
-                  If the option is changed to <literal>no-resign</literal>,
-                  then <command>named</command> will sign all new or
-                  changed records, but scheduled maintenance of
-                  signatures is disabled.
-                </para>
-                <para>
-                  With either of these settings, <command>named</command>
-                  will reject updates to a DNSSEC-signed zone when the
-                  signing keys are inactive or unavailable to
-                  <command>named</command>.  (A planned third option,
-                  <literal>external</literal>, will disable all automatic
-                  signing and allow DNSSEC data to be submitted into a zone
-                  via dyanmic update; this is not yet implemented.)
-		</para>
-	    </listitem>
-	  </varlistentry>
-
-          <varlistentry>
-            <term><command>zone-statistics</command></term>
-            <listitem>
-              <para>
-                If <userinput>full</userinput>, the server will collect
-                statistical data on all zones (unless specifically
-                turned off on a per-zone basis by specifying
-                <command>zone-statistics terse</command> or
-                <command>zone-statistics none</command>
-                in the <command>zone</command> statement).
-                The default is <userinput>terse</userinput>, providing
-                minimal statistics on zones (including name and
-                current serial number, but not query type
-                counters).
-              </para>
-              <para>
-                These statistics may be accessed via the
-                <command>statistics-channel</command> or
-                using <command>rndc stats</command>, which
-                will dump them to the file listed
-                in the <command>statistics-file</command>.  See
-                also <xref linkend="statsfile"/>.
-              </para>
-              <para>
-                For backward compatibility with earlier versions
-                of BIND 9, the <command>zone-statistics</command>
-                option can also accept <userinput>yes</userinput>
-                or <userinput>no</userinput>, which have the same
-                effect as <userinput>full</userinput> and
-                <userinput>terse</userinput>, respectively.
-              </para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-
-        <sect3 id="boolean_options">
-          <title>Boolean Options</title>
-
-          <variablelist>
-
-            <varlistentry>
-              <term><command>allow-new-zones</command></term>
-              <listitem>
-                <para>
-                  If <userinput>yes</userinput>, then zones can be
-                  added at runtime via <command>rndc addzone</command>
-                  or deleted via <command>rndc delzone</command>.
-                  The default is <userinput>no</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>auth-nxdomain</command></term>
-              <listitem>
-                <para>
-                  If <userinput>yes</userinput>, then the <command>AA</command> bit
-                  is always set on NXDOMAIN responses, even if the server is
-                  not actually
-                  authoritative. The default is <userinput>no</userinput>;
-                  this is
-                  a change from <acronym>BIND</acronym> 8. If you
-                  are using very old DNS software, you
-                  may need to set it to <userinput>yes</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>deallocate-on-exit</command></term>
-              <listitem>
-                <para>
-                  This option was used in <acronym>BIND</acronym>
-                  8 to enable checking
-                  for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
-                  the checks.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>memstatistics</command></term>
-              <listitem>
-                <para>
-		  Write memory statistics to the file specified by
-		  <command>memstatistics-file</command> at exit.
-		  The default is <userinput>no</userinput> unless
-		  '-m record' is specified on the command line in
-		  which case it is <userinput>yes</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>dialup</command></term>
-              <listitem>
-                <para>
-                  If <userinput>yes</userinput>, then the
-                  server treats all zones as if they are doing zone transfers
-                  across
-                  a dial-on-demand dialup link, which can be brought up by
-                  traffic
-                  originating from this server. This has different effects
-                  according
-                  to zone type and concentrates the zone maintenance so that
-                  it all
-                  happens in a short interval, once every <command>heartbeat-interval</command> and
-                  hopefully during the one call. It also suppresses some of
-                  the normal
-                  zone maintenance traffic. The default is <userinput>no</userinput>.
-                </para>
-                <para>
-                  The <command>dialup</command> option
-                  may also be specified in the <command>view</command> and
-                  <command>zone</command> statements,
-                  in which case it overrides the global <command>dialup</command>
-                  option.
-                </para>
-                <para>
-                  If the zone is a master zone, then the server will send out a
-                  NOTIFY
-                  request to all the slaves (default). This should trigger the
-                  zone serial
-                  number check in the slave (providing it supports NOTIFY)
-                  allowing the slave
-                  to verify the zone while the connection is active.
-                  The set of servers to which NOTIFY is sent can be controlled
-                  by
-                  <command>notify</command> and <command>also-notify</command>.
-                </para>
-                <para>
-                  If the
-                  zone is a slave or stub zone, then the server will suppress
-                  the regular
-                  "zone up to date" (refresh) queries and only perform them
-                  when the
-                  <command>heartbeat-interval</command> expires in
-                  addition to sending
-                  NOTIFY requests.
-                </para>
-                <para>
-                  Finer control can be achieved by using
-                  <userinput>notify</userinput> which only sends NOTIFY
-                  messages,
-                  <userinput>notify-passive</userinput> which sends NOTIFY
-                  messages and
-                  suppresses the normal refresh queries, <userinput>refresh</userinput>
-                  which suppresses normal refresh processing and sends refresh
-                  queries
-                  when the <command>heartbeat-interval</command>
-                  expires, and
-                  <userinput>passive</userinput> which just disables normal
-                  refresh
-                  processing.
-                </para>
-
-                <informaltable colsep="0" rowsep="0">
-                  <tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-                    <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
-                    <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
-                    <colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
-                    <colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
-                    <tbody>
-                      <row rowsep="0">
-                        <entry colname="1">
-                          <para>
-                            dialup mode
-                          </para>
-                        </entry>
-                        <entry colname="2">
-                          <para>
-                            normal refresh
-                          </para>
-                        </entry>
-                        <entry colname="3">
-                          <para>
-                            heart-beat refresh
-                          </para>
-                        </entry>
-                        <entry colname="4">
-                          <para>
-                            heart-beat notify
-                          </para>
-                        </entry>
-                      </row>
-                      <row rowsep="0">
-                        <entry colname="1">
-                          <para><command>no</command> (default)</para>
-                        </entry>
-                        <entry colname="2">
-                          <para>
-                            yes
-                          </para>
-                        </entry>
-                        <entry colname="3">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                        <entry colname="4">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                      </row>
-                      <row rowsep="0">
-                        <entry colname="1">
-                          <para><command>yes</command></para>
-                        </entry>
-                        <entry colname="2">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                        <entry colname="3">
-                          <para>
-                            yes
-                          </para>
-                        </entry>
-                        <entry colname="4">
-                          <para>
-                            yes
-                          </para>
-                        </entry>
-                      </row>
-                      <row rowsep="0">
-                        <entry colname="1">
-                          <para><command>notify</command></para>
-                        </entry>
-                        <entry colname="2">
-                          <para>
-                            yes
-                          </para>
-                        </entry>
-                        <entry colname="3">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                        <entry colname="4">
-                          <para>
-                            yes
-                          </para>
-                        </entry>
-                      </row>
-                      <row rowsep="0">
-                        <entry colname="1">
-                          <para><command>refresh</command></para>
-                        </entry>
-                        <entry colname="2">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                        <entry colname="3">
-                          <para>
-                            yes
-                          </para>
-                        </entry>
-                        <entry colname="4">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                      </row>
-                      <row rowsep="0">
-                        <entry colname="1">
-                          <para><command>passive</command></para>
-                        </entry>
-                        <entry colname="2">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                        <entry colname="3">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                        <entry colname="4">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                      </row>
-                      <row rowsep="0">
-                        <entry colname="1">
-                          <para><command>notify-passive</command></para>
-                        </entry>
-                        <entry colname="2">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                        <entry colname="3">
-                          <para>
-                            no
-                          </para>
-                        </entry>
-                        <entry colname="4">
-                          <para>
-                            yes
-                          </para>
-                        </entry>
-                      </row>
-                    </tbody>
-                  </tgroup>
-                </informaltable>
-
-                <para>
-                  Note that normal NOTIFY processing is not affected by
-                  <command>dialup</command>.
-                </para>
-
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>fake-iquery</command></term>
-              <listitem>
-                <para>
-                  In <acronym>BIND</acronym> 8, this option
-                  enabled simulating the obsolete DNS query type
-                  IQUERY. <acronym>BIND</acronym> 9 never does
-                  IQUERY simulation.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>fetch-glue</command></term>
-              <listitem>
-                <para>
-                  This option is obsolete.
-                  In BIND 8, <userinput>fetch-glue yes</userinput>
-                  caused the server to attempt to fetch glue resource records
-                  it
-                  didn't have when constructing the additional
-                  data section of a response.  This is now considered a bad
-                  idea
-                  and BIND 9 never does it.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>flush-zones-on-shutdown</command></term>
-              <listitem>
-                <para>
-                  When the nameserver exits due receiving SIGTERM,
-                  flush or do not flush any pending zone writes.  The default
-                  is
-                  <command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>has-old-clients</command></term>
-              <listitem>
-                <para>
-                  This option was incorrectly implemented
-                  in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
-                  To achieve the intended effect
-                  of
-                  <command>has-old-clients</command> <userinput>yes</userinput>, specify
-                  the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
-                  and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>host-statistics</command></term>
-              <listitem>
-                <para>
-                  In BIND 8, this enables keeping of
-                  statistics for every host that the name server interacts
-                  with.
-                  Not implemented in BIND 9.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>maintain-ixfr-base</command></term>
-              <listitem>
-                <para>
-                  <emphasis>This option is obsolete</emphasis>.
-                  It was used in <acronym>BIND</acronym> 8 to
-                  determine whether a transaction log was
-                  kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
-                  log whenever possible.  If you need to disable outgoing
-                  incremental zone
-                  transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>minimal-responses</command></term>
-              <listitem>
-                <para>
-                  If <userinput>yes</userinput>, then when generating
-                  responses the server will only add records to the authority
-                  and additional data sections when they are required (e.g.
-                  delegations, negative responses).  This may improve the
-		  performance of the server.
-                  The default is <userinput>no</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>multiple-cnames</command></term>
-              <listitem>
-                <para>
-                  This option was used in <acronym>BIND</acronym> 8 to allow
-                  a domain name to have multiple CNAME records in violation of
-                  the DNS standards.  <acronym>BIND</acronym> 9.2 onwards
-                  always strictly enforces the CNAME rules both in master
-		  files and dynamic updates.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>notify</command></term>
-              <listitem>
-                <para>
-                  If <userinput>yes</userinput> (the default),
-                  DNS NOTIFY messages are sent when a zone the server is
-                  authoritative for
-                  changes, see <xref linkend="notify"/>.  The messages are
-                  sent to the
-                  servers listed in the zone's NS records (except the master
-                  server identified
-                  in the SOA MNAME field), and to any servers listed in the
-                  <command>also-notify</command> option.
-                </para>
-                <para>
-                  If <userinput>master-only</userinput>, notifies are only
-                  sent
-                  for master zones.
-                  If <userinput>explicit</userinput>, notifies are sent only
-                  to
-                  servers explicitly listed using <command>also-notify</command>.
-                  If <userinput>no</userinput>, no notifies are sent.
-                </para>
-                <para>
-                  The <command>notify</command> option may also be
-                  specified in the <command>zone</command>
-                  statement,
-                  in which case it overrides the <command>options notify</command> statement.
-                  It would only be necessary to turn off this option if it
-                  caused slaves
-                  to crash.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>notify-to-soa</command></term>
-              <listitem>
-                <para>
-		  If <userinput>yes</userinput> do not check the nameservers
-		  in the NS RRset against the SOA MNAME.  Normally a NOTIFY
-		  message is not sent to the SOA MNAME (SOA ORIGIN) as it is
-		  supposed to contain the name of the ultimate master.
-		  Sometimes, however, a slave is listed as the SOA MNAME in
-		  hidden master configurations and in that case you would
-		  want the ultimate master to still send NOTIFY messages to
-		  all the nameservers listed in the NS RRset.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>recursion</command></term>
-              <listitem>
-                <para>
-                  If <userinput>yes</userinput>, and a
-                  DNS query requests recursion, then the server will attempt
-                  to do
-                  all the work required to answer the query. If recursion is
-                  off
-                  and the server does not already know the answer, it will
-                  return a
-                  referral response. The default is
-                  <userinput>yes</userinput>.
-                  Note that setting <command>recursion no</command> does not prevent
-                  clients from getting data from the server's cache; it only
-                  prevents new data from being cached as an effect of client
-                  queries.
-                  Caching may still occur as an effect the server's internal
-                  operation, such as NOTIFY address lookups.
-                  See also <command>fetch-glue</command> above.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>request-nsid</command></term>
-              <listitem>
-                <para>
-                  If <userinput>yes</userinput>, then an empty EDNS(0)
-                  NSID (Name Server Identifier) option is sent with all 
-                  queries to authoritative name servers during iterative
-                  resolution. If the authoritative server returns an NSID
-                  option in its response, then its contents are logged in
-                  the <command>resolver</command> category at level
-                  <command>info</command>.
-                  The default is <userinput>no</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>rfc2308-type1</command></term>
-              <listitem>
-                <para>
-                  Setting this to <userinput>yes</userinput> will
-                  cause the server to send NS records along with the SOA
-                  record for negative
-                  answers. The default is <userinput>no</userinput>.
-                </para>
-                <note>
-                  <simpara>
-                    Not yet implemented in <acronym>BIND</acronym>
-                    9.
-                  </simpara>
-                </note>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>use-id-pool</command></term>
-              <listitem>
-                <para>
-                  <emphasis>This option is obsolete</emphasis>.
-                  <acronym>BIND</acronym> 9 always allocates query
-                  IDs from a pool.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>use-ixfr</command></term>
-              <listitem>
-                <para>
-                  <emphasis>This option is obsolete</emphasis>.
-                  If you need to disable IXFR to a particular server or
-                  servers, see
-                  the information on the <command>provide-ixfr</command> option
-                  in <xref linkend="server_statement_definition_and_usage"/>.
-                  See also
-                  <xref linkend="incremental_zone_transfers"/>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>provide-ixfr</command></term>
-              <listitem>
-                <para>
-                  See the description of
-                  <command>provide-ixfr</command> in
-                  <xref linkend="server_statement_definition_and_usage"/>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>request-ixfr</command></term>
-              <listitem>
-                <para>
-                  See the description of
-                  <command>request-ixfr</command> in
-                  <xref linkend="server_statement_definition_and_usage"/>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>treat-cr-as-space</command></term>
-              <listitem>
-                <para>
-                  This option was used in <acronym>BIND</acronym>
-                  8 to make
-                  the server treat carriage return ("<command>\r</command>") characters the same way
-                  as a space or tab character,
-                  to facilitate loading of zone files on a UNIX system that
-                  were generated
-                  on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
-                  and NT/DOS "<command>\r\n</command>" newlines
-                  are always accepted,
-                  and the option is ignored.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>additional-from-auth</command></term>
-              <term><command>additional-from-cache</command></term>
-              <listitem>
-
-                <para>
-                  These options control the behavior of an authoritative
-                  server when
-                  answering queries which have additional data, or when
-                  following CNAME
-                  and DNAME chains.
-                </para>
-
-                <para>
-                  When both of these options are set to <userinput>yes</userinput>
-                  (the default) and a
-                  query is being answered from authoritative data (a zone
-                  configured into the server), the additional data section of
-                  the
-                  reply will be filled in using data from other authoritative
-                  zones
-                  and from the cache.  In some situations this is undesirable,
-                  such
-                  as when there is concern over the correctness of the cache,
-                  or
-                  in servers where slave zones may be added and modified by
-                  untrusted third parties.  Also, avoiding
-                  the search for this additional data will speed up server
-                  operations
-                  at the possible expense of additional queries to resolve
-                  what would
-                  otherwise be provided in the additional section.
-                </para>
-
-                <para>
-                  For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
-                  and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
-                  records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
-                  if known, even though they are not in the example.com zone.
-                  Setting these options to <command>no</command>
-                  disables this behavior and makes
-                  the server only search for additional data in the zone it
-                  answers from.
-                </para>
-
-                <para>
-                  These options are intended for use in authoritative-only
-                  servers, or in authoritative-only views.  Attempts to set
-                  them to <command>no</command> without also
-                  specifying
-                  <command>recursion no</command> will cause the
-                  server to
-                  ignore the options and log a warning message.
-                </para>
-
-                <para>
-                  Specifying <command>additional-from-cache no</command> actually
-                  disables the use of the cache not only for additional data
-                  lookups
-                  but also when looking up the answer.  This is usually the
-                  desired
-                  behavior in an authoritative-only server where the
-                  correctness of
-                  the cached data is an issue.
-                </para>
-
-                <para>
-                  When a name server is non-recursively queried for a name
-                  that is not
-                  below the apex of any served zone, it normally answers with
-                  an
-                  "upwards referral" to the root servers or the servers of
-                  some other
-                  known parent of the query name.  Since the data in an
-                  upwards referral
-                  comes from the cache, the server will not be able to provide
-                  upwards
-                  referrals when <command>additional-from-cache no</command>
-                  has been specified.  Instead, it will respond to such
-                  queries
-                  with REFUSED.  This should not cause any problems since
-                  upwards referrals are not required for the resolution
-                  process.
-                </para>
-
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>match-mapped-addresses</command></term>
-              <listitem>
-                <para>
-                  If <userinput>yes</userinput>, then an
-                  IPv4-mapped IPv6 address will match any address match
-                  list entries that match the corresponding IPv4 address.
-                </para>
-                <para>
-                  This option was introduced to work around a kernel quirk
-                  in some operating systems that causes IPv4 TCP
-                  connections, such as zone transfers, to be accepted on an
-                  IPv6 socket using mapped addresses.  This caused address
-                  match lists designed for IPv4 to fail to match.  However,
-                  <command>named</command> now solves this problem
-                  internally.  The use of this option is discouraged.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>filter-aaaa-on-v4</command></term>
-              <listitem>
-                <para>
-                  This option is only available when
-                  <acronym>BIND</acronym> 9 is compiled with the
-                  <userinput>--enable-filter-aaaa</userinput> option on the
-                  "configure" command line.  It is intended to help the
-                  transition from IPv4 to IPv6 by not giving IPv6 addresses
-                  to DNS clients unless they have connections to the IPv6
-                  Internet.  This is not recommended unless absolutely
-                  necessary.  The default is <userinput>no</userinput>.
-                  The <command>filter-aaaa-on-v4</command> option
-                  may also be specified in <command>view</command> statements
-                  to override the global <command>filter-aaaa-on-v4</command>
-                  option.
-                </para>
-                <para>
-                  If <userinput>yes</userinput>,
-                  the DNS client is at an IPv4 address, in <command>filter-aaaa</command>,
-                  and if the response does not include DNSSEC signatures, 
-                  then all AAAA records are deleted from the response.
-                  This filtering applies to all responses and not only
-                  authoritative responses.
-                </para>
-                <para>
-                  If <userinput>break-dnssec</userinput>,
-                  then AAAA records are deleted even when dnssec is enabled.
-                  As suggested by the name, this makes the response not verify,
-                  because the DNSSEC protocol is designed detect deletions.
-                </para>
-                <para>
-                  This mechanism can erroneously cause other servers to 
-		  not give AAAA records to their clients.  
-		  A recursing server with both IPv6 and IPv4 network connections
-		  that queries an authoritative server using this mechanism
-		  via IPv4 will be denied AAAA records even if its client is
-		  using IPv6.
-                </para>
-                <para>
-                  This mechanism is applied to authoritative as well as
-		  non-authoritative records.
-		  A client using IPv4 that is not allowed recursion can
-		  erroneously be given AAAA records because the server is not
-		  allowed to check for A records.
-                </para>
-                <para>
-		  Some AAAA records are given to IPv4 clients in glue records.
-		  IPv4 clients that are servers can then erroneously
-		  answer requests for AAAA records received via IPv4.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>ixfr-from-differences</command></term>
-              <listitem>
-                <para>
-                  When <userinput>yes</userinput> and the server loads a new
-                  version of a master zone from its zone file or receives a
-                  new version of a slave file via zone transfer, it will
-                  compare the new version to the previous one and calculate
-                  a set of differences.  The differences are then logged in
-                  the zone's journal file such that the changes can be
-                  transmitted to downstream slaves as an incremental zone
-                  transfer.
-                </para>
-                <para>
-                  By allowing incremental zone transfers to be used for
-                  non-dynamic zones, this option saves bandwidth at the
-                  expense of increased CPU and memory consumption at the
-                  master.
-                  In particular, if the new version of a zone is completely
-                  different from the previous one, the set of differences
-                  will be of a size comparable to the combined size of the
-                  old and new zone version, and the server will need to
-                  temporarily allocate memory to hold this complete
-                  difference set.
-                </para>
-                <para><command>ixfr-from-differences</command>
-		  also accepts <command>master</command> and
-                  <command>slave</command> at the view and options
-                  levels which causes
-                  <command>ixfr-from-differences</command> to be enabled for
-                  all <command>master</command> or
-                  <command>slave</command> zones respectively.
-                  It is off by default.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>multi-master</command></term>
-              <listitem>
-                <para>
-                  This should be set when you have multiple masters for a zone
-                  and the
-                  addresses refer to different machines.  If <userinput>yes</userinput>, <command>named</command> will
-                  not log
-                  when the serial number on the master is less than what <command>named</command>
-                  currently
-                  has.  The default is <userinput>no</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>dnssec-enable</command></term>
-              <listitem>
-                <para>
-                  Enable DNSSEC support in <command>named</command>.  Unless set to <userinput>yes</userinput>,
-                  <command>named</command> behaves as if it does not support DNSSEC.
-                  The default is <userinput>yes</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>dnssec-validation</command></term>
-              <listitem>
-                <para>
-                  Enable DNSSEC validation in <command>named</command>.
-		  Note <command>dnssec-enable</command> also needs to be
-		  set to <userinput>yes</userinput> to be effective.
-                  If set to <userinput>no</userinput>, DNSSEC validation
-                  is disabled.  If set to <userinput>auto</userinput>,
-                  DNSSEC validation is enabled, and a default
-                  trust-anchor for the DNS root zone is used.  If set to
-                  <userinput>yes</userinput>, DNSSEC validation is enabled,
-                  but a trust anchor must be manually configured using
-                  a <command>trusted-keys</command> or
-                  <command>managed-keys</command> statement.  The default
-                  is <userinput>yes</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>dnssec-accept-expired</command></term>
-              <listitem>
-                <para>
-		  Accept expired signatures when verifying DNSSEC signatures.
-                  The default is <userinput>no</userinput>.
-		  Setting this option to <userinput>yes</userinput>
-		  leaves <command>named</command> vulnerable to
-		  replay attacks.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>querylog</command></term>
-              <listitem>
-                <para>
-                  Specify whether query logging should be started when <command>named</command>
-                  starts.
-                  If <command>querylog</command> is not specified,
-                  then the query logging
-                  is determined by the presence of the logging category <command>queries</command>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>check-names</command></term>
-              <listitem>
-                <para>
-                  This option is used to restrict the character set and syntax
-                  of
-                  certain domain names in master files and/or DNS responses
-                  received
-                  from the network.  The default varies according to usage
-                  area.  For
-                  <command>master</command> zones the default is <command>fail</command>.
-                  For <command>slave</command> zones the default
-                  is <command>warn</command>.
-                  For answers received from the network (<command>response</command>)
-                  the default is <command>ignore</command>.
-                </para>
-                <para>
-                  The rules for legal hostnames and mail domains are derived
-                  from RFC 952 and RFC 821 as modified by RFC 1123.
-                </para>
-                <para><command>check-names</command>
-		  applies to the owner names of A, AAAA and MX records.
-		  It also applies to the domain names in the RDATA of NS, SOA,
-		  MX, and SRV records.
-		  It also applies to the RDATA of PTR records where the owner
-		  name indicated that it is a reverse lookup of a hostname
-		  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
-                </para>
-              </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-	      <term><command>check-dup-records</command></term>
-	      <listitem>
-		<para>
-		  Check master zones for records that are treated as different
-		  by DNSSEC but are semantically equal in plain DNS.  The
-		  default is to <command>warn</command>.  Other possible
-		  values are <command>fail</command> and
-		  <command>ignore</command>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>check-mx</command></term>
-	      <listitem>
-		<para>
-		  Check whether the MX record appears to refer to a IP address.
-		  The default is to <command>warn</command>.  Other possible
-		  values are <command>fail</command> and
-		  <command>ignore</command>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-            <varlistentry>
-              <term><command>check-wildcard</command></term>
-              <listitem>
-                <para>
-                  This option is used to check for non-terminal wildcards.
-                  The use of non-terminal wildcards is almost always as a
-                  result of a failure
-                  to understand the wildcard matching algorithm (RFC 1034).
-                  This option
-                  affects master zones.  The default (<command>yes</command>) is to check
-                  for non-terminal wildcards and issue a warning.
-                </para>
-              </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-	      <term><command>check-integrity</command></term>
-	      <listitem>
-		<para>
-		  Perform post load zone integrity checks on master
-		  zones.  This checks that MX and SRV records refer
-		  to address (A or AAAA) records and that glue
-		  address records exist for delegated zones.  For
-		  MX and SRV records only in-zone hostnames are
-		  checked (for out-of-zone hostnames use
-		  <command>named-checkzone</command>).
-		  For NS records only names below top of zone are
-		  checked (for out-of-zone names and glue consistency
-		  checks use <command>named-checkzone</command>).
-	          The default is <command>yes</command>.
-		</para>
-		<para>
-		  Check that the two forms of Sender Policy Framework
-		  records (TXT records starting with "v=spf1" and SPF) either
-		  both exist or both don't exist.  Warnings are
-		  emitted it they don't and be suppressed with
-		  <command>check-spf</command>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>check-mx-cname</command></term>
-	      <listitem>
-		<para>
-		  If <command>check-integrity</command> is set then
-		  fail, warn or ignore MX records that refer
-		  to CNAMES.  The default is to <command>warn</command>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>check-srv-cname</command></term>
-	      <listitem>
-		<para>
-		  If <command>check-integrity</command> is set then
-		  fail, warn or ignore SRV records that refer
-		  to CNAMES.  The default is to <command>warn</command>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>check-sibling</command></term>
-	      <listitem>
-		<para>
-		  When performing integrity checks, also check that
-		  sibling glue exists.  The default is <command>yes</command>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>check-spf</command></term>
-	      <listitem>
-		<para>
-		  When performing integrity checks, check that the
-		  two forms of Sender Policy Framwork records (TXT
-		  records starting with "v=spf1" and SPF) both exist
-		  or both don't exist and issue a warning if not
-		  met.  The default is <command>warn</command>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>zero-no-soa-ttl</command></term>
-	      <listitem>
-	        <para>
-		  When returning authoritative negative responses to
-		  SOA queries set the TTL of the SOA record returned in
-		  the authority section to zero.
-		  The default is <command>yes</command>.
-	        </para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>zero-no-soa-ttl-cache</command></term>
-	      <listitem>
-	        <para>
-		  When caching a negative response to a SOA query
-		  set the TTL to zero.
-		  The default is <command>no</command>.
-	        </para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>update-check-ksk</command></term>
-	      <listitem>
-	        <para>
-                  When set to the default value of <literal>yes</literal>,
-                  check the KSK bit in each key to determine how the key
-                  should be used when generating RRSIGs for a secure zone.
-		</para>
-		<para>
-                  Ordinarily, zone-signing keys (that is, keys without the
-                  KSK bit set) are used to sign the entire zone, while
-                  key-signing keys (keys with the KSK bit set) are only
-                  used to sign the DNSKEY RRset at the zone apex.
-                  However, if this option is set to <literal>no</literal>,
-                  then the KSK bit is ignored; KSKs are treated as if they
-                  were ZSKs and are used to sign the entire zone.  This is
-                  similar to the <command>dnssec-signzone -z</command>
-                  command line option.
-		</para>
-		<para>
-                  When this option is set to <literal>yes</literal>, there
-                  must be at least two active keys for every algorithm
-                  represented in the DNSKEY RRset: at least one KSK and one
-                  ZSK per algorithm.  If there is any algorithm for which
-                  this requirement is not met, this option will be ignored
-                  for that algorithm.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>dnssec-dnskey-kskonly</command></term>
-	      <listitem>
-	        <para>
-                  When this option and <command>update-check-ksk</command>
-                  are both set to <literal>yes</literal>, only key-signing
-                  keys (that is, keys with the KSK bit set) will be used
-                  to sign the DNSKEY RRset at the zone apex.  Zone-signing
-                  keys (keys without the KSK bit set) will be used to sign
-                  the remainder of the zone, but not the DNSKEY RRset.
-                  This is similar to the
-                  <command>dnssec-signzone -x</command> command line option.
-		</para>
-		<para>
-		  The default is <command>no</command>.  If
-                  <command>update-check-ksk</command> is set to
-                  <literal>no</literal>, this option is ignored.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>dnssec-loadkeys-interval</command></term>
-	      <listitem>
-	        <para>
-                  When a zone is configured with <command>auto-dnssec
-                  maintain;</command> its key repository must be checked
-                  periodically to see if any new keys have been added
-                  or any existing keys' timing metadata has been updated
-                  (see <xref linkend="man.dnssec-keygen"/> and
-                  <xref linkend="man.dnssec-settime"/>).  The
-                  <command>dnssec-loadkeys-interval</command> option
-                  sets the frequency of autoatic repository checks, in
-                  minutes.  The default is <literal>60</literal> (1 hour),
-                  the minimum is <literal>1</literal> (1 minute), and the
-                  maximum is <literal>1440</literal> (24 hours); any higher
-                  value is silently reduced.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>try-tcp-refresh</command></term>
-	      <listitem>
-	        <para>
-		  Try to refresh the zone using TCP if UDP queries fail.
-		  For BIND 8 compatibility, the default is
-		  <command>yes</command>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>dnssec-secure-to-insecure</command></term>
-	      <listitem>
-	        <para>
-		  Allow a dynamic zone to transition from secure to
-                  insecure (i.e., signed to unsigned) by deleting all
-                  of the DNSKEY records.  The default is <command>no</command>.
-                  If set to <command>yes</command>, and if the DNSKEY RRset
-                  at the zone apex is deleted, all RRSIG and NSEC records
-                  will be removed from the zone as well.
-		</para>
-	        <para>
-                  If the zone uses NSEC3, then it is also necessary to
-                  delete the NSEC3PARAM RRset from the zone apex; this will
-                  cause the removal of all corresponding NSEC3 records.
-                  (It is expected that this requirement will be eliminated
-                  in a future release.)
-		</para>
-	        <para>
-                  Note that if a zone has been configured with
-                  <command>auto-dnssec maintain</command> and the
-                  private keys remain accessible in the key repository,
-                  then the zone will be automatically signed again the
-                  next time <command>named</command> is started.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-          </variablelist>
-
-        </sect3>
-
-        <sect3>
-          <title>Forwarding</title>
-          <para>
-            The forwarding facility can be used to create a large site-wide
-            cache on a few servers, reducing traffic over links to external
-            name servers. It can also be used to allow queries by servers that
-            do not have direct access to the Internet, but wish to look up
-            exterior
-            names anyway. Forwarding occurs only on those queries for which
-            the server is not authoritative and does not have the answer in
-            its cache.
-          </para>
-
-          <variablelist>
-            <varlistentry>
-              <term><command>forward</command></term>
-              <listitem>
-                <para>
-                  This option is only meaningful if the
-                  forwarders list is not empty. A value of <varname>first</varname>,
-                  the default, causes the server to query the forwarders
-                  first &mdash; and
-                  if that doesn't answer the question, the server will then
-                  look for
-                  the answer itself. If <varname>only</varname> is
-                  specified, the
-                  server will only query the forwarders.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>forwarders</command></term>
-              <listitem>
-                <para>
-                  Specifies the IP addresses to be used
-                  for forwarding. The default is the empty list (no
-                  forwarding).
-                </para>
-              </listitem>
-            </varlistentry>
-
-          </variablelist>
-
-          <para>
-            Forwarding can also be configured on a per-domain basis, allowing
-            for the global forwarding options to be overridden in a variety
-            of ways. You can set particular domains to use different
-            forwarders,
-            or have a different <command>forward only/first</command> behavior,
-            or not forward at all, see <xref linkend="zone_statement_grammar"/>.
-          </para>
-        </sect3>
-
-        <sect3>
-          <title>Dual-stack Servers</title>
-          <para>
-            Dual-stack servers are used as servers of last resort to work
-            around
-            problems in reachability due the lack of support for either IPv4
-            or IPv6
-            on the host machine.
-          </para>
-
-          <variablelist>
-            <varlistentry>
-              <term><command>dual-stack-servers</command></term>
-              <listitem>
-                <para>
-                  Specifies host names or addresses of machines with access to
-                  both IPv4 and IPv6 transports. If a hostname is used, the
-                  server must be able
-                  to resolve the name using only the transport it has.  If the
-                  machine is dual
-                  stacked, then the <command>dual-stack-servers</command> have no effect unless
-                  access to a transport has been disabled on the command line
-                  (e.g. <command>named -4</command>).
-                </para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </sect3>
-
-        <sect3 id="access_control">
-          <title>Access Control</title>
-
-          <para>
-            Access to the server can be restricted based on the IP address
-            of the requesting system. See <xref linkend="address_match_lists"/> for
-            details on how to specify IP address lists.
-          </para>
-
-          <variablelist>
-
-            <varlistentry>
-              <term><command>allow-notify</command></term>
-              <listitem>
-                <para>
-                  Specifies which hosts are allowed to
-                  notify this server, a slave, of zone changes in addition
-                  to the zone masters.
-                  <command>allow-notify</command> may also be
-                  specified in the
-                  <command>zone</command> statement, in which case
-                  it overrides the
-                  <command>options allow-notify</command>
-                  statement.  It is only meaningful
-                  for a slave zone.  If not specified, the default is to
-                  process notify messages
-                  only from a zone's master.
-                </para>
-              </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-	      <term><command>allow-query</command></term>
-	      <listitem>
-		<para>
-		  Specifies which hosts are allowed to ask ordinary
-		  DNS questions. <command>allow-query</command> may
-		  also be specified in the <command>zone</command>
-		  statement, in which case it overrides the
-		  <command>options allow-query</command> statement.
-		  If not specified, the default is to allow queries
-		  from all hosts.
-		</para>
-		<note>
-		  <para>
-		    <command>allow-query-cache</command> is now
-		    used to specify access to the cache.
-		  </para>
-		</note>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>allow-query-on</command></term>
-	      <listitem>
-		<para>
-		  Specifies which local addresses can accept ordinary
-		  DNS questions. This makes it possible, for instance,
-		  to allow queries on internal-facing interfaces but
-		  disallow them on external-facing ones, without
-		  necessarily knowing the internal network's addresses.
-		</para>
-		<para>
-                  Note that <command>allow-query-on</command> is only
-                  checked for queries that are permitted by
-                  <command>allow-query</command>.  A query must be
-                  allowed by both ACLs, or it will be refused.
-		</para>
-		<para>
-		  <command>allow-query-on</command> may
-		  also be specified in the <command>zone</command>
-		  statement, in which case it overrides the
-		  <command>options allow-query-on</command> statement.
-		</para>
-		<para>
-		  If not specified, the default is to allow queries
-		  on all addresses.
-		</para>
-		<note>
-		  <para>
-		    <command>allow-query-cache</command> is
-		    used to specify access to the cache.
-		  </para>
-		</note>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>allow-query-cache</command></term>
-	      <listitem>
-		<para>
-		  Specifies which hosts are allowed to get answers
-		  from the cache.  If <command>allow-query-cache</command>
-		  is not set then <command>allow-recursion</command>
-		  is used if set, otherwise <command>allow-query</command>
-		  is used if set unless <command>recursion no;</command> is
-		  set in which case <command>none;</command> is used,
-		  otherwise the default (<command>localnets;</command>
-		  <command>localhost;</command>) is used.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>allow-query-cache-on</command></term>
-	      <listitem>
-		<para>
-		  Specifies which local addresses can give answers
-		  from the cache.  If not specified, the default is
-		  to allow cache queries on any address,
-		  <command>localnets</command> and
-		  <command>localhost</command>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-            <varlistentry>
-              <term><command>allow-recursion</command></term>
-              <listitem>
-		<para>
-		  Specifies which hosts are allowed to make recursive
-		  queries through this server. If
-		  <command>allow-recursion</command> is not set
-		  then <command>allow-query-cache</command> is
-		  used if set, otherwise <command>allow-query</command>
-		  is used if set, otherwise the default
-		  (<command>localnets;</command>
-		  <command>localhost;</command>) is used.
-		</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>allow-recursion-on</command></term>
-              <listitem>
-                <para>
-		  Specifies which local addresses can accept recursive
-		  queries.  If not specified, the default is to allow
-		  recursive queries on all addresses.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>allow-update</command></term>
-              <listitem>
-                <para>
-                  Specifies which hosts are allowed to
-                  submit Dynamic DNS updates for master zones. The default is
-                  to deny
-                  updates from all hosts.  Note that allowing updates based
-                  on the requestor's IP address is insecure; see
-                  <xref linkend="dynamic_update_security"/> for details.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>allow-update-forwarding</command></term>
-              <listitem>
-                <para>
-                  Specifies which hosts are allowed to
-                  submit Dynamic DNS updates to slave zones to be forwarded to
-                  the
-                  master.  The default is <userinput>{ none; }</userinput>,
-                  which
-                  means that no update forwarding will be performed.  To
-                  enable
-                  update forwarding, specify
-                  <userinput>allow-update-forwarding { any; };</userinput>.
-                  Specifying values other than <userinput>{ none; }</userinput> or
-                  <userinput>{ any; }</userinput> is usually
-                  counterproductive, since
-                  the responsibility for update access control should rest
-                  with the
-                  master server, not the slaves.
-                </para>
-                <para>
-                  Note that enabling the update forwarding feature on a slave
-                  server
-                  may expose master servers relying on insecure IP address
-                  based
-                  access control to attacks; see <xref linkend="dynamic_update_security"/>
-                  for more details.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>allow-v6-synthesis</command></term>
-              <listitem>
-                <para>
-                  This option was introduced for the smooth transition from
-                  AAAA
-                  to A6 and from "nibble labels" to binary labels.
-                  However, since both A6 and binary labels were then
-                  deprecated,
-                  this option was also deprecated.
-                  It is now ignored with some warning messages.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>allow-transfer</command></term>
-              <listitem>
-                <para>
-                  Specifies which hosts are allowed to
-                  receive zone transfers from the server. <command>allow-transfer</command> may
-                  also be specified in the <command>zone</command>
-                  statement, in which
-                  case it overrides the <command>options allow-transfer</command> statement.
-                  If not specified, the default is to allow transfers to all
-                  hosts.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>blackhole</command></term>
-              <listitem>
-                <para>
-                  Specifies a list of addresses that the
-                  server will not accept queries from or use to resolve a
-                  query. Queries
-                  from these addresses will not be responded to. The default
-                  is <userinput>none</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>filter-aaaa</command></term>
-              <listitem>
-                <para>
-                  Specifies a list of addresses to which
-		  <command>filter-aaaa-on-v4</command>
-                  is applies.  The default is <userinput>any</userinput>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>resolver-query-timeout</command></term>
-              <listitem>
-                <para>
-		  The amount of time the resolver will spend attempting
-		  to resolve a recursive query before failing.  The default
-		  and minimum is <literal>10</literal> and the maximum is
-		  <literal>30</literal>.  Setting it to <literal>0</literal>
-		  will result in the default being used.
-                </para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-        </sect3>
-
-        <sect3>
-          <title>Interfaces</title>
-          <para>
-            The interfaces and ports that the server will answer queries
-            from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
-            an optional port and an <varname>address_match_list</varname>.
-            The server will listen on all interfaces allowed by the address
-            match list. If a port is not specified, port 53 will be used.
-          </para>
-          <para>
-            Multiple <command>listen-on</command> statements are
-            allowed.
-            For example,
-          </para>
-
-<programlisting>listen-on { 5.6.7.8; };
-listen-on port 1234 { !1.2.3.4; 1.2/16; };
-</programlisting>
-
-          <para>
-            will enable the name server on port 53 for the IP address
-            5.6.7.8, and on port 1234 of an address on the machine in net
-            1.2 that is not 1.2.3.4.
-          </para>
-
-          <para>
-            If no <command>listen-on</command> is specified, the
-            server will listen on port 53 on all IPv4 interfaces.
-          </para>
-
-          <para>
-            The <command>listen-on-v6</command> option is used to
-            specify the interfaces and the ports on which the server will
-            listen
-            for incoming queries sent using IPv6.
-          </para>
-
-          <para>
-            When <programlisting>{ any; }</programlisting> is
-            specified
-            as the <varname>address_match_list</varname> for the
-            <command>listen-on-v6</command> option,
-            the server does not bind a separate socket to each IPv6 interface
-            address as it does for IPv4 if the operating system has enough API
-            support for IPv6 (specifically if it conforms to RFC 3493 and RFC
-            3542).
-            Instead, it listens on the IPv6 wildcard address.
-            If the system only has incomplete API support for IPv6, however,
-            the behavior is the same as that for IPv4.
-          </para>
-
-          <para>
-            A list of particular IPv6 addresses can also be specified, in
-            which case
-            the server listens on a separate socket for each specified
-            address,
-            regardless of whether the desired API is supported by the system.
-          </para>
-
-          <para>
-            Multiple <command>listen-on-v6</command> options can
-            be used.
-            For example,
-          </para>
-
-<programlisting>listen-on-v6 { any; };
-listen-on-v6 port 1234 { !2001:db8::/32; any; };
-</programlisting>
-
-          <para>
-            will enable the name server on port 53 for any IPv6 addresses
-            (with a single wildcard socket),
-            and on port 1234 of IPv6 addresses that is not in the prefix
-            2001:db8::/32 (with separate sockets for each matched address.)
-          </para>
-
-          <para>
-            To make the server not listen on any IPv6 address, use
-          </para>
-
-<programlisting>listen-on-v6 { none; };
-</programlisting>
-
-          <para>
-            If no <command>listen-on-v6</command> option is
-            specified, the server will not listen on any IPv6 address
-	    unless <command>-6</command> is specified when <command>named</command> is
-	    invoked.  If <command>-6</command> is specified then
-	    <command>named</command> will listen on port 53 on all IPv6 interfaces by default.
-          </para>
-        </sect3>
-
-        <sect3 id="query_address">
-          <title>Query Address</title>
-          <para>
-            If the server doesn't know the answer to a question, it will
-            query other name servers. <command>query-source</command> specifies
-            the address and port used for such queries. For queries sent over
-            IPv6, there is a separate <command>query-source-v6</command> option.
-            If <command>address</command> is <command>*</command> (asterisk) or is omitted,
-            a wildcard IP address (<command>INADDR_ANY</command>)
-            will be used.
-	  </para>
-
-	  <para>
-            If <command>port</command> is <command>*</command> or is omitted,
-	    a random port number from a pre-configured
-	    range is picked up and will be used for each query.
-	    The port range(s) is that specified in
-	    the <command>use-v4-udp-ports</command> (for IPv4)
-            and <command>use-v6-udp-ports</command> (for IPv6)
-	    options, excluding the ranges specified in
-	    the <command>avoid-v4-udp-ports</command>
-            and <command>avoid-v6-udp-ports</command> options, respectively.
-	  </para>
-
-          <para>
-	    The defaults of the <command>query-source</command> and
-	    <command>query-source-v6</command> options
-	    are:
-          </para>
-
-<programlisting>query-source address * port *;
-query-source-v6 address * port *;
-</programlisting>
-
-          <para>
-	    If <command>use-v4-udp-ports</command> or
-            <command>use-v6-udp-ports</command> is unspecified,
-	    <command>named</command> will check if the operating
-	    system provides a programming interface to retrieve the
-	    system's default range for ephemeral ports.
-	    If such an interface is available,
-	    <command>named</command> will use the corresponding system
-	    default range; otherwise, it will use its own defaults:
-         </para>
-
-<programlisting>use-v4-udp-ports { range 1024 65535; };
-use-v6-udp-ports { range 1024 65535; };
-</programlisting>
-
-          <para>
-	    Note: make sure the ranges be sufficiently large for
-	    security.  A desirable size depends on various parameters,
-	    but we generally recommend it contain at least 16384 ports
-	    (14 bits of entropy).
-	    Note also that the system's default range when used may be
-	    too small for this purpose, and that the range may even be
-	    changed while <command>named</command> is running; the new
-	    range will automatically be applied when <command>named</command>
-	    is reloaded.
-	    It is encouraged to
-	    configure <command>use-v4-udp-ports</command> and
-            <command>use-v6-udp-ports</command> explicitly so that the
-            ranges are sufficiently large and are reasonably
-            independent from the ranges used by other applications.
-          </para>
-
-	  <para>
-	    Note: the operational configuration
-	    where <command>named</command> runs may prohibit the use
-	    of some ports.  For example, UNIX systems will not allow
-	    <command>named</command> running without a root privilege
-	    to use ports less than 1024.
-	    If such ports are included in the specified (or detected)
-	    set of query ports, the corresponding query attempts will
-	    fail, resulting in resolution failures or delay.
-	    It is therefore important to configure the set of ports
-	    that can be safely used in the expected operational environment.
-	  </para>
-
-          <para>
-	    The defaults of the <command>avoid-v4-udp-ports</command> and
-	    <command>avoid-v6-udp-ports</command> options
-	    are:
-          </para>
-
-<programlisting>avoid-v4-udp-ports {};
-avoid-v6-udp-ports {};
-</programlisting>
-
-	  <para>
-	    Note: BIND 9.5.0 introduced
-	    the <command>use-queryport-pool</command> 
-	    option to support a pool of such random ports, but this
-	    option is now obsolete because reusing the same ports in
-	    the pool may not be sufficiently secure.
-	    For the same reason, it is generally strongly discouraged to
-            specify a particular port for the
-	    <command>query-source</command> or
-	    <command>query-source-v6</command> options;
-	    it implicitly disables the use of randomized port numbers.
-          </para>
-
-          <variablelist>
-            <varlistentry>
-              <term><command>use-queryport-pool</command></term>
-              <listitem>
-                <para>
-		  This option is obsolete.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-            <varlistentry>
-              <term><command>queryport-pool-ports</command></term>
-              <listitem>
-                <para>
-		  This option is obsolete.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-            <varlistentry>
-              <term><command>queryport-pool-updateinterval</command></term>
-              <listitem>
-                <para>
-		  This option is obsolete.
-		</para>
-	      </listitem>
-	    </varlistentry>
-	    
-          </variablelist>
-          <note>
-            <para>
-              The address specified in the <command>query-source</command> option
-              is used for both UDP and TCP queries, but the port applies only
-              to UDP queries.  TCP queries always use a random
-              unprivileged port.
-            </para>
-          </note>
-	  <note>
-	    <para>
-	      Solaris 2.5.1 and earlier does not support setting the source
-	      address for TCP sockets.
-	    </para>
-	  </note>
-          <note>
-            <para>
-              See also <command>transfer-source</command> and
-              <command>notify-source</command>.
-            </para>
-          </note>
-        </sect3>
-
-        <sect3 id="zone_transfers">
-          <title>Zone Transfers</title>
-          <para>
-            <acronym>BIND</acronym> has mechanisms in place to
-            facilitate zone transfers
-            and set limits on the amount of load that transfers place on the
-            system. The following options apply to zone transfers.
-          </para>
-
-          <variablelist>
-
-            <varlistentry>
-              <term><command>also-notify</command></term>
-              <listitem>
-                <para>
-                  Defines a global list of IP addresses of name servers
-                  that are also sent NOTIFY messages whenever a fresh copy of
-                  the
-                  zone is loaded, in addition to the servers listed in the
-                  zone's NS records.
-                  This helps to ensure that copies of the zones will
-                  quickly converge on stealth servers.
-                  Optionally, a port may be specified with each
-                  <command>also-notify</command> address to send
-                  the notify messages to a port other than the
-                  default of 53.
-                  An optional TSIG key can also be specified with each
-                  address to cause the notify messages to be signed; this
-                  can be useful when sending notifies to multiple views.
-                  In place of explicit addresses, one or more named
-                  <command>masters</command> lists can be used.
-                </para>
-                <para>
-                  If an <command>also-notify</command> list
-                  is given in a <command>zone</command> statement,
-                  it will override
-                  the <command>options also-notify</command>
-                  statement. When a <command>zone notify</command>
-                  statement
-                  is set to <command>no</command>, the IP
-                  addresses in the global <command>also-notify</command> list will
-                  not be sent NOTIFY messages for that zone. The default is
-                  the empty
-                  list (no global notification list).
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-transfer-time-in</command></term>
-              <listitem>
-                <para>
-                  Inbound zone transfers running longer than
-                  this many minutes will be terminated. The default is 120
-                  minutes
-                  (2 hours).  The maximum value is 28 days (40320 minutes).
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-transfer-idle-in</command></term>
-              <listitem>
-                <para>
-                  Inbound zone transfers making no progress
-                  in this many minutes will be terminated. The default is 60
-                  minutes
-                  (1 hour).  The maximum value is 28 days (40320 minutes).
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-transfer-time-out</command></term>
-              <listitem>
-                <para>
-                  Outbound zone transfers running longer than
-                  this many minutes will be terminated. The default is 120
-                  minutes
-                  (2 hours).  The maximum value is 28 days (40320 minutes).
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-transfer-idle-out</command></term>
-              <listitem>
-                <para>
-                  Outbound zone transfers making no progress
-                  in this many minutes will be terminated.  The default is 60
-                  minutes (1
-                  hour).  The maximum value is 28 days (40320 minutes).
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>serial-query-rate</command></term>
-	      <listitem>
-		<para>
-		  Slave servers will periodically query master
-		  servers to find out if zone serial numbers have
-		  changed. Each such query uses a minute amount of
-		  the slave server's network bandwidth.  To limit
-		  the amount of bandwidth used, BIND 9 limits the
-		  rate at which queries are sent.  The value of the
-		  <command>serial-query-rate</command> option, an
-		  integer, is the maximum number of queries sent
-		  per second.  The default is 20.
-		</para>
-		<para>
-		  In addition to controlling the rate SOA refresh
-		  queries are issued at
-		  <command>serial-query-rate</command> also controls
-		  the rate at which NOTIFY messages are sent from
-		  both master and slave zones.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-            <varlistentry>
-              <term><command>serial-queries</command></term>
-              <listitem>
-                <para>
-                  In BIND 8, the <command>serial-queries</command>
-                  option
-                  set the maximum number of concurrent serial number queries
-                  allowed to be outstanding at any given time.
-                  BIND 9 does not limit the number of outstanding
-                  serial queries and ignores the <command>serial-queries</command> option.
-                  Instead, it limits the rate at which the queries are sent
-                  as defined using the <command>serial-query-rate</command> option.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>transfer-format</command></term>
-              <listitem>
-
-                <para>
-                  Zone transfers can be sent using two different formats,
-                  <command>one-answer</command> and
-		  <command>many-answers</command>.
-                  The <command>transfer-format</command> option is used
-                  on the master server to determine which format it sends.
-                  <command>one-answer</command> uses one DNS message per
-                  resource record transferred.
-                  <command>many-answers</command> packs as many resource
-		  records as possible into a message.
-		  <command>many-answers</command> is more efficient, but is
-		  only supported by relatively new slave servers,
-                  such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
-		  8.x and <acronym>BIND</acronym> 4.9.5 onwards.
-	          The <command>many-answers</command> format is also supported by
-		  recent Microsoft Windows nameservers.
-		  The default is <command>many-answers</command>.
-		  <command>transfer-format</command> may be overridden on a
-		  per-server basis by using the <command>server</command>
-		  statement.
-                </para>
-
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>transfers-in</command></term>
-              <listitem>
-                <para>
-                  The maximum number of inbound zone transfers
-                  that can be running concurrently. The default value is <literal>10</literal>.
-                  Increasing <command>transfers-in</command> may
-                  speed up the convergence
-                  of slave zones, but it also may increase the load on the
-                  local system.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>transfers-out</command></term>
-              <listitem>
-                <para>
-                  The maximum number of outbound zone transfers
-                  that can be running concurrently. Zone transfer requests in
-                  excess
-                  of the limit will be refused. The default value is <literal>10</literal>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>transfers-per-ns</command></term>
-              <listitem>
-                <para>
-                  The maximum number of inbound zone transfers
-                  that can be concurrently transferring from a given remote
-                  name server.
-                  The default value is <literal>2</literal>.
-                  Increasing <command>transfers-per-ns</command>
-                  may
-                  speed up the convergence of slave zones, but it also may
-                  increase
-                  the load on the remote name server. <command>transfers-per-ns</command> may
-                  be overridden on a per-server basis by using the <command>transfers</command> phrase
-                  of the <command>server</command> statement.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>transfer-source</command></term>
-              <listitem>
-                <para><command>transfer-source</command>
-		  determines which local address will be bound to IPv4
-                  TCP connections used to fetch zones transferred
-                  inbound by the server.  It also determines the
-                  source IPv4 address, and optionally the UDP port,
-                  used for the refresh queries and forwarded dynamic
-                  updates.  If not set, it defaults to a system
-                  controlled value which will usually be the address
-                  of the interface "closest to" the remote end. This
-                  address must appear in the remote end's
-                  <command>allow-transfer</command> option for the
-                  zone being transferred, if one is specified. This
-                  statement sets the
-                  <command>transfer-source</command> for all zones,
-                  but can be overridden on a per-view or per-zone
-                  basis by including a
-                  <command>transfer-source</command> statement within
-                  the <command>view</command> or
-                  <command>zone</command> block in the configuration
-                  file.
-                </para>
-	        <note>
-	          <para>
-	            Solaris 2.5.1 and earlier does not support setting the
-		    source address for TCP sockets.
-	          </para>
-                </note>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>transfer-source-v6</command></term>
-              <listitem>
-                <para>
-                  The same as <command>transfer-source</command>,
-                  except zone transfers are performed using IPv6.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>alt-transfer-source</command></term>
-              <listitem>
-                <para>
-                  An alternate transfer source if the one listed in
-                  <command>transfer-source</command> fails and
-                  <command>use-alt-transfer-source</command> is
-                  set.
-                </para>
-		<note>
-		  If you do not wish the alternate transfer source
-		  to be used, you should set
-		  <command>use-alt-transfer-source</command>
-		  appropriately and you should not depend upon
-		  getting an answer back to the first refresh
-		  query.
-		</note>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>alt-transfer-source-v6</command></term>
-              <listitem>
-                <para>
-                  An alternate transfer source if the one listed in
-                  <command>transfer-source-v6</command> fails and
-                  <command>use-alt-transfer-source</command> is
-                  set.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>use-alt-transfer-source</command></term>
-              <listitem>
-                <para>
-                  Use the alternate transfer sources or not.  If views are
-                  specified this defaults to <command>no</command>
-                  otherwise it defaults to
-                  <command>yes</command> (for BIND 8
-                  compatibility).
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>notify-source</command></term>
-              <listitem>
-                <para><command>notify-source</command>
-		  determines which local source address, and
-                  optionally UDP port, will be used to send NOTIFY
-                  messages.  This address must appear in the slave
-                  server's <command>masters</command> zone clause or
-                  in an <command>allow-notify</command> clause.  This
-                  statement sets the <command>notify-source</command>
-                  for all zones, but can be overridden on a per-zone or
-                  per-view basis by including a
-                  <command>notify-source</command> statement within
-                  the <command>zone</command> or
-                  <command>view</command> block in the configuration
-                  file.
-                </para>
-	        <note>
-	          <para>
-	            Solaris 2.5.1 and earlier does not support setting the
-		    source address for TCP sockets.
-	          </para>
-                </note>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>notify-source-v6</command></term>
-              <listitem>
-                <para>
-                  Like <command>notify-source</command>,
-                  but applies to notify messages sent to IPv6 addresses.
-                </para>
-              </listitem>
-            </varlistentry>
-
-          </variablelist>
-
-        </sect3>
-
-        <sect3>
-          <title>UDP Port Lists</title>
-          <para>
-	    <command>use-v4-udp-ports</command>,
-	    <command>avoid-v4-udp-ports</command>,
-	    <command>use-v6-udp-ports</command>, and
-	    <command>avoid-v6-udp-ports</command>
-	    specify a list of IPv4 and IPv6 UDP ports that will be
-	    used or not used as source ports for UDP messages.
-	    See <xref linkend="query_address"/> about how the
-	    available ports are determined.
-	    For example, with the following configuration
-          </para>
-
-<programlisting>
-use-v6-udp-ports { range 32768 65535; };
-avoid-v6-udp-ports { 40000; range 50000 60000; };
-</programlisting>
-
-	   <para>
-	     UDP ports of IPv6 messages sent
-	     from <command>named</command> will be in one
-	     of the following ranges: 32768 to 39999, 40001 to 49999,
-	     and 60001 to 65535.
-	   </para>
-
-	   <para>
-	     <command>avoid-v4-udp-ports</command> and
-	     <command>avoid-v6-udp-ports</command> can be used
-             to prevent <command>named</command> from choosing as its random source port a
-             port that is blocked by your firewall or a port that is
-             used by other applications;
-	     if a query went out with a source port blocked by a
-             firewall, the
-	     answer would not get by the firewall and the name server would
-             have to query again.
-	     Note: the desired range can also be represented only with
-	     <command>use-v4-udp-ports</command> and
-	     <command>use-v6-udp-ports</command>, and the
-	     <command>avoid-</command> options are redundant in that
-	     sense; they are provided for backward compatibility and
-	     to possibly simplify the port specification.
-	   </para>
-        </sect3>
-
-        <sect3>
-          <title>Operating System Resource Limits</title>
-
-          <para>
-            The server's usage of many system resources can be limited.
-            Scaled values are allowed when specifying resource limits.  For
-            example, <command>1G</command> can be used instead of
-            <command>1073741824</command> to specify a limit of
-            one
-            gigabyte. <command>unlimited</command> requests
-            unlimited use, or the
-            maximum available amount. <command>default</command>
-            uses the limit
-            that was in force when the server was started. See the description
-            of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
-          </para>
-
-          <para>
-            The following options set operating system resource limits for
-            the name server process.  Some operating systems don't support
-            some or
-            any of the limits. On such systems, a warning will be issued if
-            the
-            unsupported limit is used.
-          </para>
-
-          <variablelist>
-
-            <varlistentry>
-              <term><command>coresize</command></term>
-              <listitem>
-                <para>
-                  The maximum size of a core dump. The default
-                  is <literal>default</literal>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>datasize</command></term>
-              <listitem>
-                <para>
-                  The maximum amount of data memory the server
-                  may use. The default is <literal>default</literal>.
-                  This is a hard limit on server memory usage.
-                  If the server attempts to allocate memory in excess of this
-                  limit, the allocation will fail, which may in turn leave
-                  the server unable to perform DNS service.  Therefore,
-                  this option is rarely useful as a way of limiting the
-                  amount of memory used by the server, but it can be used
-                  to raise an operating system data size limit that is
-                  too small by default.  If you wish to limit the amount
-                  of memory used by the server, use the
-                  <command>max-cache-size</command> and
-                  <command>recursive-clients</command>
-                  options instead.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>files</command></term>
-              <listitem>
-                <para>
-                  The maximum number of files the server
-                  may have open concurrently. The default is <literal>unlimited</literal>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>stacksize</command></term>
-              <listitem>
-                <para>
-                  The maximum amount of stack memory the server
-                  may use. The default is <literal>default</literal>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-          </variablelist>
-
-        </sect3>
-
-        <sect3 id="server_resource_limits">
-          <title>Server  Resource Limits</title>
-
-          <para>
-            The following options set limits on the server's
-            resource consumption that are enforced internally by the
-            server rather than the operating system.
-          </para>
-
-          <variablelist>
-
-            <varlistentry>
-              <term><command>max-ixfr-log-size</command></term>
-              <listitem>
-                <para>
-                  This option is obsolete; it is accepted
-                  and ignored for BIND 8 compatibility.  The option
-                  <command>max-journal-size</command> performs a
-                  similar function in BIND 9.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-journal-size</command></term>
-              <listitem>
-                <para>
-                  Sets a maximum size for each journal file
-                  (see <xref linkend="journal"/>).  When the journal file
-                  approaches
-                  the specified size, some of the oldest transactions in the
-                  journal
-                  will be automatically removed.  The largest permitted
-                  value is 2 gigabytes. The default is
-                  <literal>unlimited</literal>, which also
-                  means 2 gigabytes.
-                  This may also be set on a per-zone basis.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>host-statistics-max</command></term>
-              <listitem>
-                <para>
-                  In BIND 8, specifies the maximum number of host statistics
-                  entries to be kept.
-                  Not implemented in BIND 9.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>recursive-clients</command></term>
-              <listitem>
-                <para>
-                  The maximum number of simultaneous recursive lookups
-                  the server will perform on behalf of clients.  The default
-                  is
-                  <literal>1000</literal>.  Because each recursing
-                  client uses a fair
-                  bit of memory, on the order of 20 kilobytes, the value of
-                  the
-                  <command>recursive-clients</command> option may
-                  have to be decreased
-                  on hosts with limited memory.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>tcp-clients</command></term>
-              <listitem>
-                <para>
-                  The maximum number of simultaneous client TCP
-                  connections that the server will accept.
-                  The default is <literal>100</literal>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>reserved-sockets</command></term>
-              <listitem>
-                <para>
-		  The number of file descriptors reserved for TCP, stdio,
-		  etc.  This needs to be big enough to cover the number of
-		  interfaces <command>named</command> listens on, <command>tcp-clients</command> as well as
-		  to provide room for outgoing TCP queries and incoming zone
-		  transfers.  The default is <literal>512</literal>.
-		  The minimum value is <literal>128</literal> and the
-		  maximum value is <literal>128</literal> less than
-		  maxsockets (-S).  This option may be removed in the future.
-                </para>
-                <para>
-		  This option has little effect on Windows.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-cache-size</command></term>
-              <listitem>
-                <para>
-                  The maximum amount of memory to use for the
-                  server's cache, in bytes.
-                  When the amount of data in the cache
-                  reaches this limit, the server will cause records to expire
-                  prematurely based on an LRU based strategy so that
-                  the limit is not exceeded.
-                  A value of 0 is special, meaning that
-                  records are purged from the cache only when their
-                  TTLs expire.
-                  Another special keyword <userinput>unlimited</userinput>
-                  means the maximum value of 32-bit unsigned integers
-                  (0xffffffff), which may not have the same effect as
-                  0 on machines that support more than 32 bits of
-                  memory space.
-                  Any positive values less than 2MB will be ignored reset
-                  to 2MB.
-                  In a server with multiple views, the limit applies
-                  separately to the cache of each view.
-                  The default is 0.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>tcp-listen-queue</command></term>
-              <listitem>
-                <para>
-                  The listen queue depth.  The default and minimum is 3.
-                  If the kernel supports the accept filter "dataready" this
-                  also controls how
-                  many TCP connections that will be queued in kernel space
-                  waiting for
-                  some data before being passed to accept.  Values less than 3
-                  will be
-                  silently raised.
-                </para>
-              </listitem>
-            </varlistentry>
-
-          </variablelist>
-
-        </sect3>
-
-        <sect3>
-          <title>Periodic Task Intervals</title>
-
-          <variablelist>
-
-            <varlistentry>
-              <term><command>cleaning-interval</command></term>
-              <listitem>
-                <para>
-		  This interval is effectively obsolete.  Previously,
-		  the server would remove expired resource records
-                  from the cache every <command>cleaning-interval</command> minutes.
-		  <acronym>BIND</acronym> 9 now manages cache
-		  memory in a more sophisticated manner and does not
-		  rely on the periodic cleaning any more.
-		  Specifying this option therefore has no effect on
-		  the server's behavior.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>heartbeat-interval</command></term>
-              <listitem>
-                <para>
-                  The server will perform zone maintenance tasks
-                  for all zones marked as <command>dialup</command> whenever this
-                  interval expires. The default is 60 minutes. Reasonable
-                  values are up
-                  to 1 day (1440 minutes).  The maximum value is 28 days
-                  (40320 minutes).
-                  If set to 0, no zone maintenance for these zones will occur.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>interface-interval</command></term>
-              <listitem>
-                <para>
-                  The server will scan the network interface list
-                  every <command>interface-interval</command>
-                  minutes. The default
-                  is 60 minutes. The maximum value is 28 days (40320 minutes).
-                  If set to 0, interface scanning will only occur when
-                  the configuration file is  loaded. After the scan, the
-                  server will
-                  begin listening for queries on any newly discovered
-                  interfaces (provided they are allowed by the
-                  <command>listen-on</command> configuration), and
-                  will
-                  stop listening on interfaces that have gone away.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>statistics-interval</command></term>
-              <listitem>
-                <para>
-                  Name server statistics will be logged
-                  every <command>statistics-interval</command>
-                  minutes. The default is
-                  60. The maximum value is 28 days (40320 minutes).
-                  If set to 0, no statistics will be logged.
-                  </para><note>
-                  <simpara>
-                    Not yet implemented in
-                    <acronym>BIND</acronym> 9.
-                  </simpara>
-                </note>
-              </listitem>
-            </varlistentry>
-
-          </variablelist>
-
-        </sect3>
-
-        <sect3 id="topology">
-          <title>Topology</title>
-
-          <para>
-            All other things being equal, when the server chooses a name
-            server
-            to query from a list of name servers, it prefers the one that is
-            topologically closest to itself. The <command>topology</command> statement
-            takes an <command>address_match_list</command> and
-            interprets it
-            in a special way. Each top-level list element is assigned a
-            distance.
-            Non-negated elements get a distance based on their position in the
-            list, where the closer the match is to the start of the list, the
-            shorter the distance is between it and the server. A negated match
-            will be assigned the maximum distance from the server. If there
-            is no match, the address will get a distance which is further than
-            any non-negated list element, and closer than any negated element.
-            For example,
-          </para>
-
-<programlisting>topology {
-    10/8;
-    !1.2.3/24;
-    { 1.2/16; 3/8; };
-};</programlisting>
-
-          <para>
-            will prefer servers on network 10 the most, followed by hosts
-            on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
-            exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-            is preferred least of all.
-          </para>
-          <para>
-            The default topology is
-          </para>
-
-<programlisting>    topology { localhost; localnets; };
-</programlisting>
-
-          <note>
-            <simpara>
-              The <command>topology</command> option
-              is not implemented in <acronym>BIND</acronym> 9.
-            </simpara>
-          </note>
-        </sect3>
-
-        <sect3 id="the_sortlist_statement">
-
-          <title>The <command>sortlist</command> Statement</title>
-
-          <para>
-            The response to a DNS query may consist of multiple resource
-            records (RRs) forming a resource records set (RRset).
-            The name server will normally return the
-            RRs within the RRset in an indeterminate order
-            (but see the <command>rrset-order</command>
-            statement in <xref linkend="rrset_ordering"/>).
-            The client resolver code should rearrange the RRs as appropriate,
-            that is, using any addresses on the local net in preference to
-            other addresses.
-            However, not all resolvers can do this or are correctly
-            configured.
-            When a client is using a local server, the sorting can be performed
-            in the server, based on the client's address. This only requires
-            configuring the name servers, not all the clients.
-          </para>
-
-          <para>
-            The <command>sortlist</command> statement (see below)
-            takes
-            an <command>address_match_list</command> and
-            interprets it even
-            more specifically than the <command>topology</command>
-            statement
-            does (<xref linkend="topology"/>).
-            Each top level statement in the <command>sortlist</command> must
-            itself be an explicit <command>address_match_list</command> with
-            one or two elements. The first element (which may be an IP
-            address,
-            an IP prefix, an ACL name or a nested <command>address_match_list</command>)
-            of each top level list is checked against the source address of
-            the query until a match is found.
-          </para>
-          <para>
-            Once the source address of the query has been matched, if
-            the top level statement contains only one element, the actual
-            primitive
-            element that matched the source address is used to select the
-            address
-            in the response to move to the beginning of the response. If the
-            statement is a list of two elements, then the second element is
-            treated the same as the <command>address_match_list</command> in
-            a <command>topology</command> statement. Each top
-            level element
-            is assigned a distance and the address in the response with the
-            minimum
-            distance is moved to the beginning of the response.
-          </para>
-          <para>
-            In the following example, any queries received from any of
-            the addresses of the host itself will get responses preferring
-            addresses
-            on any of the locally connected networks. Next most preferred are
-            addresses
-            on the 192.168.1/24 network, and after that either the
-            192.168.2/24
-            or
-            192.168.3/24 network with no preference shown between these two
-            networks. Queries received from a host on the 192.168.1/24 network
-            will prefer other addresses on that network to the 192.168.2/24
-            and
-            192.168.3/24 networks. Queries received from a host on the
-            192.168.4/24
-            or the 192.168.5/24 network will only prefer other addresses on
-            their directly connected networks.
-          </para>
-
-<programlisting>sortlist {
-    // IF the local host
-    // THEN first fit on the following nets
-    { localhost;
-        { localnets;
-            192.168.1/24;
-            { 192.168.2/24; 192.168.3/24; }; }; };
-    // IF on class C 192.168.1 THEN use .1, or .2 or .3
-    { 192.168.1/24;
-        { 192.168.1/24;
-            { 192.168.2/24; 192.168.3/24; }; }; };
-    // IF on class C 192.168.2 THEN use .2, or .1 or .3
-    { 192.168.2/24;
-        { 192.168.2/24;
-            { 192.168.1/24; 192.168.3/24; }; }; };
-    // IF on class C 192.168.3 THEN use .3, or .1 or .2
-    { 192.168.3/24;
-        { 192.168.3/24;
-            { 192.168.1/24; 192.168.2/24; }; }; };
-    // IF .4 or .5 THEN prefer that net
-    { { 192.168.4/24; 192.168.5/24; };
-    };
-};</programlisting>
-
-          <para>
-            The following example will give reasonable behavior for the
-            local host and hosts on directly connected networks. It is similar
-            to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
-            to queries from the local host will favor any of the directly
-            connected
-            networks. Responses sent to queries from any other hosts on a
-            directly
-            connected network will prefer addresses on that same network.
-            Responses
-            to other queries will not be sorted.
-          </para>
-
-<programlisting>sortlist {
-           { localhost; localnets; };
-           { localnets; };
-};
-</programlisting>
-
-        </sect3>
-        <sect3 id="rrset_ordering">
-          <title id="rrset_ordering_title">RRset Ordering</title>
-          <para>
-            When multiple records are returned in an answer it may be
-            useful to configure the order of the records placed into the
-            response.
-            The <command>rrset-order</command> statement permits
-            configuration
-            of the ordering of the records in a multiple record response.
-            See also the <command>sortlist</command> statement,
-            <xref linkend="the_sortlist_statement"/>.
-          </para>
-
-          <para>
-            An <command>order_spec</command> is defined as
-            follows:
-          </para>
-          <para>
-	    <optional>class <replaceable>class_name</replaceable></optional>
-            <optional>type <replaceable>type_name</replaceable></optional>
-            <optional>name <replaceable>"domain_name"</replaceable></optional>
-	    order <replaceable>ordering</replaceable>
-	  </para>
-          <para>
-            If no class is specified, the default is <command>ANY</command>.
-            If no type is specified, the default is <command>ANY</command>.
-            If no name is specified, the default is "<command>*</command>" (asterisk).
-          </para>
-          <para>
-            The legal values for <command>ordering</command> are:
-          </para>
-          <informaltable colsep="0" rowsep="0">
-            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-              <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
-              <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
-              <tbody>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>fixed</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Records are returned in the order they
-                      are defined in the zone file.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>random</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Records are returned in some random order.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>cyclic</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Records are returned in a cyclic round-robin order.
-                    </para>
-                    <para>
-                      If <acronym>BIND</acronym> is configured with the
-                      "--enable-fixed-rrset" option at compile time, then
-                      the initial ordering of the RRset will match the
-                      one specified in the zone file.
-                    </para>
-                  </entry>
-                </row>
-              </tbody>
-            </tgroup>
-          </informaltable>
-          <para>
-            For example:
-          </para>
-
-<programlisting>rrset-order {
-   class IN type A name "host.example.com" order random;
-   order cyclic;
-};
-</programlisting>
-
-          <para>
-            will cause any responses for type A records in class IN that
-            have "<literal>host.example.com</literal>" as a
-            suffix, to always be returned
-            in random order. All other records are returned in cyclic order.
-          </para>
-          <para>
-            If multiple <command>rrset-order</command> statements
-            appear, they are not combined &mdash; the last one applies.
-          </para>
-          <para>
-            By default, all records are returned in random order.
-          </para>
-
-          <note>
-            <simpara>
-              In this release of <acronym>BIND</acronym> 9, the
-              <command>rrset-order</command> statement does not support
-              "fixed" ordering by default.  Fixed ordering can be enabled
-              at compile time by specifying "--enable-fixed-rrset" on
-              the "configure" command line.
-            </simpara>
-          </note>
-        </sect3>
-
-        <sect3 id="tuning">
-          <title>Tuning</title>
-
-          <variablelist>
-
-            <varlistentry>
-              <term><command>lame-ttl</command></term>
-              <listitem>
-                <para>
-                  Sets the number of seconds to cache a
-                  lame server indication. 0 disables caching. (This is
-                  <emphasis role="bold">NOT</emphasis> recommended.)
-                  The default is <literal>600</literal> (10 minutes) and the
-                  maximum value is
-                  <literal>1800</literal> (30 minutes).
-                </para>
-
-		<para>
-		  Lame-ttl also controls the amount of time DNSSEC
-		  validation failures are cached.  There is a minimum
-		  of 30 seconds applied to bad cache entries if the
-		  lame-ttl is set to less than 30 seconds.
-		</para>
-
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-ncache-ttl</command></term>
-              <listitem>
-                <para>
-                  To reduce network traffic and increase performance,
-                  the server stores negative answers. <command>max-ncache-ttl</command> is
-                  used to set a maximum retention time for these answers in
-                  the server
-                  in seconds. The default
-                  <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
-                  <command>max-ncache-ttl</command> cannot exceed
-                  7 days and will
-                  be silently truncated to 7 days if set to a greater value.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-cache-ttl</command></term>
-              <listitem>
-                <para>
-		  Sets the maximum time for which the server will
-                  cache ordinary (positive) answers. The default is
-                  one week (7 days).
-		  A value of zero may cause all queries to return
-		  SERVFAIL, because of lost caches of intermediate
-		  RRsets (such as NS and glue AAAA/A records) in the
-		  resolution process.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>min-roots</command></term>
-              <listitem>
-                <para>
-                  The minimum number of root servers that
-                  is required for a request for the root servers to be
-                  accepted. The default
-                  is <userinput>2</userinput>.
-                </para>
-                <note>
-                  <simpara>
-                    Not implemented in <acronym>BIND</acronym> 9.
-                  </simpara>
-                </note>
-              </listitem>
-            </varlistentry>
-
-	    <varlistentry>
-	      <term><command>sig-validity-interval</command></term>
-	      <listitem>
-		<para>
-		  Specifies the number of days into the future when
-		  DNSSEC signatures automatically generated as a
-		  result of dynamic updates (<xref
-		  linkend="dynamic_update"/>) will expire.  There
-		  is an optional second field which specifies how
-		  long before expiry that the signatures will be
-		  regenerated.  If not specified, the signatures will
-		  be regenerated at 1/4 of base interval.  The second
-		  field is specified in days if the base interval is
-		  greater than 7 days otherwise it is specified in hours.
-		  The default base interval is <literal>30</literal> days
-		  giving a re-signing interval of 7 1/2 days.  The maximum
-		  values are 10 years (3660 days).
-		</para>
-		<para>
-		  The signature inception time is unconditionally
-		  set to one hour before the current time to allow
-		  for a limited amount of clock skew.
-		</para>
-		<para>
-		  The <command>sig-validity-interval</command>
-		  should be, at least, several multiples of the SOA
-		  expire interval to allow for reasonable interaction
-		  between the various timer and expiry dates.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>sig-signing-nodes</command></term>
-	      <listitem>
-		<para>
-		  Specify the maximum number of nodes to be
-		  examined in each quantum when signing a zone with
-		  a new DNSKEY. The default is
-		  <literal>100</literal>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>sig-signing-signatures</command></term>
-	      <listitem>
-		<para>
-		  Specify a threshold number of signatures that
-		  will terminate processing a quantum when signing
-		  a zone with a new DNSKEY.  The default is
-		  <literal>10</literal>.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>sig-signing-type</command></term>
-	      <listitem>
-		<para>
-		  Specify a private RDATA type to be used when generating
-		  key signing records.  The default is
-		  <literal>65534</literal>.
-		</para>
-		<para>
-		  It is expected that this parameter may be removed
-		  in a future version once there is a standard type.
-		</para>
-		<para>
-		  These records can be removed from the zone once named
-		  has completed signing the zone with the matching key
-		  using <command>nsupdate</command> or
-		  <command>rndc signing -clear</command>.
-		  <command>rndc signing -clear</command> is the only supported
-		  way to remove these records from
-		  <command>inline-signing</command> zones.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-            <varlistentry>
-              <term><command>min-refresh-time</command></term>
-              <term><command>max-refresh-time</command></term>
-              <term><command>min-retry-time</command></term>
-              <term><command>max-retry-time</command></term>
-              <listitem>
-                <para>
-                  These options control the server's behavior on refreshing a
-                  zone
-                  (querying for SOA changes) or retrying failed transfers.
-                  Usually the SOA values for the zone are used, but these
-                  values
-                  are set by the master, giving slave server administrators
-                  little
-                  control over their contents.
-                </para>
-                <para>
-                  These options allow the administrator to set a minimum and
-                  maximum
-                  refresh and retry time either per-zone, per-view, or
-                  globally.
-                  These options are valid for slave and stub zones,
-                  and clamp the SOA refresh and retry times to the specified
-                  values.
-                </para>
-		<para>
-		  The following defaults apply.
-		  <command>min-refresh-time</command> 300 seconds,
-		  <command>max-refresh-time</command> 2419200 seconds
-		  (4 weeks), <command>min-retry-time</command> 500 seconds,
-		  and <command>max-retry-time</command> 1209600 seconds
-		  (2 weeks).
-		</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>edns-udp-size</command></term>
-              <listitem>
-                <para>
-		  Sets the advertised EDNS UDP buffer size in bytes
-                  to control the size of packets received.
-                  Valid values are 512 to 4096 (values outside this range
-		  will be silently adjusted).  The default value
-		  is 4096.  The usual reason for setting
-		  <command>edns-udp-size</command> to a non-default
-		  value is to get UDP answers to pass through broken
-		  firewalls that block fragmented packets and/or
-		  block UDP packets that are greater than 512 bytes.
-                </para>
-		<para>
-		  <command>named</command> will fallback to using 512 bytes
-		  if it get a series of timeout at the initial value.  512
-		  bytes is not being offered to encourage sites to fix their
-	          firewalls.  Small EDNS UDP sizes will result in the
-		  excessive use of TCP.
-		</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-udp-size</command></term>
-	      <listitem>
-		<para>
-		  Sets the maximum EDNS UDP message size
-		  <command>named</command> will send in bytes.
-		  Valid values are 512 to 4096 (values outside this
-		  range will be silently adjusted).  The default
-		  value is 4096.  The usual reason for setting
-		  <command>max-udp-size</command> to a non-default
-		  value is to get UDP answers to pass through broken
-		  firewalls that block fragmented packets and/or
-		  block UDP packets that are greater than 512 bytes.
-		  This is independent of the advertised receive
-		  buffer (<command>edns-udp-size</command>).
-		</para>
-		<para>
-		  Setting this to a low value will encourage additional
-		  TCP traffic to the nameserver.
-		</para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry>
-	      <term><command>masterfile-format</command></term>
-	      <listitem>
-	        <para>Specifies
-		  the file format of zone files (see
-	          <xref linkend="zonefile_format"/>).
-	          The default value is <constant>text</constant>, which is the
-		  standard textual representation, except for slave zones,
-                  in which the default value is <constant>raw</constant>.
-                  Files in other formats than <constant>text</constant> are
-                  typically expected to be generated by the
-                  <command>named-compilezone</command> tool, or dumped by
-                  <command>named</command>.
-                </para>
-                <para>
-		  Note that when a zone file in a different format than
-		  <constant>text</constant> is loaded, <command>named</command>
-	          may omit some of the checks which would be performed for a
-		  file in the <constant>text</constant> format.  In particular,
-		  <command>check-names</command> checks do not apply
-		  for the <constant>raw</constant> format.  This means
-		  a zone file in the <constant>raw</constant> format
-		  must be generated with the same check level as that
-		  specified in the <command>named</command> configuration
-		  file.  This statement sets the
-		  <command>masterfile-format</command> for all zones,
-		  but can be overridden on a per-zone or per-view basis
-		  by including a <command>masterfile-format</command>
-		  statement within the <command>zone</command> or
-		  <command>view</command> block in the configuration
-		  file.
-	        </para>
-	      </listitem>
-	    </varlistentry>
-
-	    <varlistentry id="clients-per-query">
-	      <term><command>clients-per-query</command></term>
-	      <term><command>max-clients-per-query</command></term>
-              <listitem>
-		<para>These set the
-		  initial value (minimum) and maximum number of recursive
-		  simultaneous clients for any given query
-		  (&lt;qname,qtype,qclass&gt;) that the server will accept
-		  before dropping additional clients.  <command>named</command> will attempt to
-		  self tune this value and changes will be logged.  The
-		  default values are 10 and 100.
-		</para>
-		<para>
-	          This value should reflect how many queries come in for
-		  a given name in the time it takes to resolve that name.
-		  If the number of queries exceed this value, <command>named</command> will
-		  assume that it is dealing with a non-responsive zone
-		  and will drop additional queries.  If it gets a response
-		  after dropping queries, it will raise the estimate.  The
-		  estimate will then be lowered in 20 minutes if it has
-		  remained unchanged.
-		</para>
-		<para>
-		  If <command>clients-per-query</command> is set to zero,
-		  then there is no limit on the number of clients per query
-		  and no queries will be dropped.
-		</para>
-		<para>
-		  If <command>max-clients-per-query</command> is set to zero,
-		  then there is no upper bound other than imposed by
-		  <command>recursive-clients</command>.
-		</para>
-              </listitem>
-	    </varlistentry>
-
-            <varlistentry>
-              <term><command>notify-delay</command></term>
-              <listitem>
-                <para>
-                  The delay, in seconds, between sending sets of notify
-                  messages for a zone.  The default is five (5) seconds.
-                </para>
-                <para>
-		  The overall rate that NOTIFY messages are sent for all
-		  zones is controlled by <command>serial-query-rate</command>.
-		</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-rsa-exponent-size</command></term>
-              <listitem>
-                <para>
-		  The maximum RSA exponent size, in bits, that will
-		  be accepted when validating.  Valid values are 35
-		  to 4096 bits.  The default zero (0) is also accepted
-		  and is equivalent to 4096.
-		</para>
-              </listitem>
-            </varlistentry>
-	  </variablelist>
-
-        </sect3>
-
-        <sect3 id="builtin">
-          <title>Built-in server information zones</title>
-
-          <para>
-            The server provides some helpful diagnostic information
-            through a number of built-in zones under the
-            pseudo-top-level-domain <literal>bind</literal> in the
-            <command>CHAOS</command> class.  These zones are part
-            of a
-            built-in view (see <xref linkend="view_statement_grammar"/>) of
-            class
-            <command>CHAOS</command> which is separate from the
-            default view of class <command>IN</command>. Most global
-            configuration options (<command>allow-query</command>,
-            etc) will apply to this view, but some are locally
-            overridden: <command>notify</command>,
-            <command>recursion</command> and
-            <command>allow-new-zones</command> are
-            always set to <userinput>no</userinput>.
-          </para>
-          <para>
-            If you need to disable these zones, use the options
-            below, or hide the built-in <command>CHAOS</command>
-            view by
-            defining an explicit view of class <command>CHAOS</command>
-            that matches all clients.
-          </para>
-
-          <variablelist>
-
-            <varlistentry>
-              <term><command>version</command></term>
-              <listitem>
-                <para>
-                  The version the server should report
-                  via a query of the name <literal>version.bind</literal>
-                  with type <command>TXT</command>, class <command>CHAOS</command>.
-                  The default is the real version number of this server.
-                  Specifying <command>version none</command>
-                  disables processing of the queries.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>hostname</command></term>
-              <listitem>
-                <para>
-                  The hostname the server should report via a query of
-                  the name <filename>hostname.bind</filename>
-                  with type <command>TXT</command>, class <command>CHAOS</command>.
-                  This defaults to the hostname of the machine hosting the
-                  name server as
-                  found by the gethostname() function.  The primary purpose of such queries
-                  is to
-                  identify which of a group of anycast servers is actually
-                  answering your queries.  Specifying <command>hostname none;</command>
-                  disables processing of the queries.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>server-id</command></term>
-              <listitem>
-                <para>
-                  The ID the server should report when receiving a Name
-                  Server Identifier (NSID) query, or a query of the name
-                  <filename>ID.SERVER</filename> with type
-                  <command>TXT</command>, class <command>CHAOS</command>.
-                  The primary purpose of such queries is to
-                  identify which of a group of anycast servers is actually
-                  answering your queries.  Specifying <command>server-id none;</command>
-                  disables processing of the queries.
-                  Specifying <command>server-id hostname;</command> will cause <command>named</command> to
-                  use the hostname as found by the gethostname() function.
-                  The default <command>server-id</command> is <command>none</command>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-          </variablelist>
-
-        </sect3>
-
-        <sect3 id="empty">
-          <title>Built-in Empty Zones</title>
-	  <para>
-	    Named has some built-in empty zones (SOA and NS records only).
-	    These are for zones that should normally be answered locally
-	    and which queries should not be sent to the Internet's root
-	    servers.  The official servers which cover these namespaces
-	    return NXDOMAIN responses to these queries.  In particular,
-            these cover the reverse namespaces for addresses from
-            RFC 1918, RFC 4193, RFC 5737 and RFC 6598.  They also include the
-            reverse namespace for IPv6 local address (locally assigned),
-            IPv6 link local addresses, the IPv6 loopback address and the
-            IPv6 unknown address.
-	  </para>
-	  <para>
-	    Named will attempt to determine if a built-in zone already exists
-	    or is active (covered by a forward-only forwarding declaration)
-	    and will not create an empty zone in that case.
-	  </para>
-	  <para>
-	    The current list of empty zones is:
-	    <itemizedlist>
-	      <listitem>10.IN-ADDR.ARPA</listitem>
-	      <listitem>16.172.IN-ADDR.ARPA</listitem>
-	      <listitem>17.172.IN-ADDR.ARPA</listitem>
-	      <listitem>18.172.IN-ADDR.ARPA</listitem>
-	      <listitem>19.172.IN-ADDR.ARPA</listitem>
-	      <listitem>20.172.IN-ADDR.ARPA</listitem>
-	      <listitem>21.172.IN-ADDR.ARPA</listitem>
-	      <listitem>22.172.IN-ADDR.ARPA</listitem>
-	      <listitem>23.172.IN-ADDR.ARPA</listitem>
-	      <listitem>24.172.IN-ADDR.ARPA</listitem>
-	      <listitem>25.172.IN-ADDR.ARPA</listitem>
-	      <listitem>26.172.IN-ADDR.ARPA</listitem>
-	      <listitem>27.172.IN-ADDR.ARPA</listitem>
-	      <listitem>28.172.IN-ADDR.ARPA</listitem>
-	      <listitem>29.172.IN-ADDR.ARPA</listitem>
-	      <listitem>30.172.IN-ADDR.ARPA</listitem>
-	      <listitem>31.172.IN-ADDR.ARPA</listitem>
-	      <listitem>168.192.IN-ADDR.ARPA</listitem>
-	      <listitem>64.100.IN-ADDR.ARPA</listitem>
-	      <listitem>65.100.IN-ADDR.ARPA</listitem>
-	      <listitem>66.100.IN-ADDR.ARPA</listitem>
-	      <listitem>67.100.IN-ADDR.ARPA</listitem>
-	      <listitem>68.100.IN-ADDR.ARPA</listitem>
-	      <listitem>69.100.IN-ADDR.ARPA</listitem>
-	      <listitem>70.100.IN-ADDR.ARPA</listitem>
-	      <listitem>71.100.IN-ADDR.ARPA</listitem>
-	      <listitem>72.100.IN-ADDR.ARPA</listitem>
-	      <listitem>73.100.IN-ADDR.ARPA</listitem>
-	      <listitem>74.100.IN-ADDR.ARPA</listitem>
-	      <listitem>75.100.IN-ADDR.ARPA</listitem>
-	      <listitem>76.100.IN-ADDR.ARPA</listitem>
-	      <listitem>77.100.IN-ADDR.ARPA</listitem>
-	      <listitem>78.100.IN-ADDR.ARPA</listitem>
-	      <listitem>79.100.IN-ADDR.ARPA</listitem>
-	      <listitem>80.100.IN-ADDR.ARPA</listitem>
-	      <listitem>81.100.IN-ADDR.ARPA</listitem>
-	      <listitem>82.100.IN-ADDR.ARPA</listitem>
-	      <listitem>83.100.IN-ADDR.ARPA</listitem>
-	      <listitem>84.100.IN-ADDR.ARPA</listitem>
-	      <listitem>85.100.IN-ADDR.ARPA</listitem>
-	      <listitem>86.100.IN-ADDR.ARPA</listitem>
-	      <listitem>87.100.IN-ADDR.ARPA</listitem>
-	      <listitem>88.100.IN-ADDR.ARPA</listitem>
-	      <listitem>89.100.IN-ADDR.ARPA</listitem>
-	      <listitem>90.100.IN-ADDR.ARPA</listitem>
-	      <listitem>91.100.IN-ADDR.ARPA</listitem>
-	      <listitem>92.100.IN-ADDR.ARPA</listitem>
-	      <listitem>93.100.IN-ADDR.ARPA</listitem>
-	      <listitem>94.100.IN-ADDR.ARPA</listitem>
-	      <listitem>95.100.IN-ADDR.ARPA</listitem>
-	      <listitem>96.100.IN-ADDR.ARPA</listitem>
-	      <listitem>97.100.IN-ADDR.ARPA</listitem>
-	      <listitem>98.100.IN-ADDR.ARPA</listitem>
-	      <listitem>99.100.IN-ADDR.ARPA</listitem>
-	      <listitem>100.100.IN-ADDR.ARPA</listitem>
-	      <listitem>101.100.IN-ADDR.ARPA</listitem>
-	      <listitem>102.100.IN-ADDR.ARPA</listitem>
-	      <listitem>103.100.IN-ADDR.ARPA</listitem>
-	      <listitem>104.100.IN-ADDR.ARPA</listitem>
-	      <listitem>105.100.IN-ADDR.ARPA</listitem>
-	      <listitem>106.100.IN-ADDR.ARPA</listitem>
-	      <listitem>107.100.IN-ADDR.ARPA</listitem>
-	      <listitem>108.100.IN-ADDR.ARPA</listitem>
-	      <listitem>109.100.IN-ADDR.ARPA</listitem>
-	      <listitem>110.100.IN-ADDR.ARPA</listitem>
-	      <listitem>111.100.IN-ADDR.ARPA</listitem>
-	      <listitem>112.100.IN-ADDR.ARPA</listitem>
-	      <listitem>113.100.IN-ADDR.ARPA</listitem>
-	      <listitem>114.100.IN-ADDR.ARPA</listitem>
-	      <listitem>115.100.IN-ADDR.ARPA</listitem>
-	      <listitem>116.100.IN-ADDR.ARPA</listitem>
-	      <listitem>117.100.IN-ADDR.ARPA</listitem>
-	      <listitem>118.100.IN-ADDR.ARPA</listitem>
-	      <listitem>119.100.IN-ADDR.ARPA</listitem>
-	      <listitem>120.100.IN-ADDR.ARPA</listitem>
-	      <listitem>121.100.IN-ADDR.ARPA</listitem>
-	      <listitem>122.100.IN-ADDR.ARPA</listitem>
-	      <listitem>123.100.IN-ADDR.ARPA</listitem>
-	      <listitem>124.100.IN-ADDR.ARPA</listitem>
-	      <listitem>125.100.IN-ADDR.ARPA</listitem>
-	      <listitem>126.100.IN-ADDR.ARPA</listitem>
-	      <listitem>127.100.IN-ADDR.ARPA</listitem>
-	      <listitem>0.IN-ADDR.ARPA</listitem>
-	      <listitem>127.IN-ADDR.ARPA</listitem>
-	      <listitem>254.169.IN-ADDR.ARPA</listitem>
-	      <listitem>2.0.192.IN-ADDR.ARPA</listitem>
-	      <listitem>100.51.198.IN-ADDR.ARPA</listitem>
-	      <listitem>113.0.203.IN-ADDR.ARPA</listitem>
-	      <listitem>255.255.255.255.IN-ADDR.ARPA</listitem>
-	      <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
-	      <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
-	      <listitem>8.B.D.0.1.0.0.2.IP6.ARPA</listitem>
-	      <listitem>D.F.IP6.ARPA</listitem>
-	      <listitem>8.E.F.IP6.ARPA</listitem>
-	      <listitem>9.E.F.IP6.ARPA</listitem>
-	      <listitem>A.E.F.IP6.ARPA</listitem>
-	      <listitem>B.E.F.IP6.ARPA</listitem>
-	    </itemizedlist>
-	  </para>
-	  <para>
-	    Empty zones are settable at the view level and only apply to
-	    views of class IN.  Disabled empty zones are only inherited
-	    from options if there are no disabled empty zones specified
-	    at the view level.  To override the options list of disabled
-	    zones, you can disable the root zone at the view level, for example:
-<programlisting>
-	    disable-empty-zone ".";
-</programlisting>
-	  </para>
-	  <para>
-	    If you are using the address ranges covered here, you should
-	    already have reverse zones covering the addresses you use.
-	    In practice this appears to not be the case with many queries
-	    being made to the infrastructure servers for names in these
-	    spaces.  So many in fact that sacrificial servers were needed
-	    to be deployed to channel the query load away from the
-	    infrastructure servers.
-	  </para>
-	  <note>
-	    The real parent servers for these zones should disable all
-	    empty zone under the parent zone they serve.  For the real
-	    root servers, this is all built-in empty zones.  This will
-	    enable them to return referrals to deeper in the tree.
-	  </note>
-          <variablelist>
-	    <varlistentry>
-	      <term><command>empty-server</command></term>
-	      <listitem>
-	        <para>
-		  Specify what server name will appear in the returned
-		  SOA record for empty zones.  If none is specified, then
-		  the zone's name will be used.
-	        </para>
-	       </listitem>
-	    </varlistentry>
-	      
-	    <varlistentry>
-	      <term><command>empty-contact</command></term>
-	      <listitem>
-	        <para>
-		  Specify what contact name will appear in the returned
-		  SOA record for empty zones.  If none is specified, then
-		  "." will be used.
-	        </para>
-	      </listitem>
-	    </varlistentry>
-  
-	    <varlistentry>
-	      <term><command>empty-zones-enable</command></term>
-	      <listitem>
-	        <para>
-		  Enable or disable all empty zones.  By default, they
-		  are enabled.
-	        </para>
-	      </listitem>
-	    </varlistentry>
-  
-	    <varlistentry>
-	    <term><command>disable-empty-zone</command></term>
-	      <listitem>
-	        <para>
-		  Disable individual empty zones.  By default, none are
-		  disabled.  This option can be specified multiple times.
-	        </para>
-	      </listitem>
-	    </varlistentry>
-          </variablelist>
-        </sect3>
-
-        <sect3 id="acache">
-          <title>Additional Section Caching</title>
-
-          <para>
-            The additional section cache, also called <command>acache</command>,
-            is an internal cache to improve the response performance of BIND 9.
-            When additional section caching is enabled, BIND 9 will
-            cache an internal short-cut to the additional section content for
-            each answer RR.
-            Note that <command>acache</command> is an internal caching
-            mechanism of BIND 9, and is not related to the DNS caching
-            server function.
-          </para>
-
-          <para>
-            Additional section caching does not change the
-            response content (except the RRsets ordering of the additional
-            section, see below), but can improve the response performance
-            significantly.
-            It is particularly effective when BIND 9 acts as an authoritative
-            server for a zone that has many delegations with many glue RRs.
-          </para>
-
-          <para>
-            In order to obtain the maximum performance improvement
-            from additional section caching, setting
-            <command>additional-from-cache</command>
-            to <command>no</command> is recommended, since the current
-            implementation of <command>acache</command>
-            does not short-cut of additional section information from the
-            DNS cache data.
-          </para>
-
-          <para>
-            One obvious disadvantage of <command>acache</command> is
-            that it requires much more
-            memory for the internal cached data.
-            Thus, if the response performance does not matter and memory
-            consumption is much more critical, the
-            <command>acache</command> mechanism can be
-            disabled by setting <command>acache-enable</command> to
-            <command>no</command>.
-            It is also possible to specify the upper limit of memory
-            consumption
-            for acache by using <command>max-acache-size</command>.
-          </para>
-
-          <para>
-            Additional section caching also has a minor effect on the
-            RRset ordering in the additional section.
-            Without <command>acache</command>,
-            <command>cyclic</command> order is effective for the additional
-            section as well as the answer and authority sections.
-            However, additional section caching fixes the ordering when it
-            first caches an RRset for the additional section, and the same
-            ordering will be kept in succeeding responses, regardless of the
-            setting of <command>rrset-order</command>.
-            The effect of this should be minor, however, since an
-            RRset in the additional section
-            typically only contains a small number of RRs (and in many cases
-            it only contains a single RR), in which case the
-            ordering does not matter much.
-          </para>
-
-          <para>
-            The following is a summary of options related to
-            <command>acache</command>.
-          </para>
-
-          <variablelist>
-
-            <varlistentry>
-              <term><command>acache-enable</command></term>
-              <listitem>
-                <para>
-                  If <command>yes</command>, additional section caching is
-		  enabled.  The default value is <command>no</command>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>acache-cleaning-interval</command></term>
-              <listitem>
-                <para>
-                  The server will remove stale cache entries, based on an LRU
-                  based
-                  algorithm, every <command>acache-cleaning-interval</command> minutes.
-                  The default is 60 minutes.
-                  If set to 0, no periodic cleaning will occur.
-                </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><command>max-acache-size</command></term>
-              <listitem>
-                <para>
-                  The maximum amount of memory in bytes to use for the server's acache.
-                  When the amount of data in the acache reaches this limit,
-                  the server
-                  will clean more aggressively so that the limit is not
-                  exceeded.
-                  In a server with multiple views, the limit applies
-                  separately to the
-                  acache of each view.
-                  The default is <literal>16M</literal>.
-                </para>
-              </listitem>
-            </varlistentry>
-
-          </variablelist>
-
-        </sect3>
-
-        <sect3>
-          <title>Content Filtering</title>
-	  <para>
-	    <acronym>BIND</acronym> 9 provides the ability to filter
-	    out DNS responses from external DNS servers containing
-	    certain types of data in the answer section.
-	    Specifically, it can reject address (A or AAAA) records if
-	    the corresponding IPv4 or IPv6 addresses match the given
-	    <varname>address_match_list</varname> of the
-	    <command>deny-answer-addresses</command> option.
-	    It can also reject CNAME or DNAME records if the "alias"
-	    name (i.e., the CNAME alias or the substituted query name
-	    due to DNAME) matches the
-	    given <varname>namelist</varname> of the
-	    <command>deny-answer-aliases</command> option, where
-	    "match" means the alias name is a subdomain of one of
-	    the <varname>name_list</varname> elements.
-	    If the optional <varname>namelist</varname> is specified
-	    with <command>except-from</command>, records whose query name
-	    matches the list will be accepted regardless of the filter
-	    setting.
-	    Likewise, if the alias name is a subdomain of the
-	    corresponding zone, the <command>deny-answer-aliases</command>
-	    filter will not apply;
-	    for example, even if "example.com" is specified for
-	    <command>deny-answer-aliases</command>,
-	  </para>
-<programlisting>www.example.com. CNAME xxx.example.com.</programlisting>
-
-	  <para>
-	    returned by an "example.com" server will be accepted.
-	  </para>
-
-	  <para>
-	    In the <varname>address_match_list</varname> of the
-	    <command>deny-answer-addresses</command> option, only
-            <varname>ip_addr</varname>
-	    and <varname>ip_prefix</varname>
-	    are meaningful;
-	    any <varname>key_id</varname> will be silently ignored.
-	  </para>
-
-	  <para>
-	    If a response message is rejected due to the filtering,
-	    the entire message is discarded without being cached, and
-	    a SERVFAIL error will be returned to the client.
-	  </para>
-
-	  <para>
-	    This filtering is intended to prevent "DNS rebinding attacks," in
-	    which an attacker, in response to a query for a domain name the
-	    attacker controls, returns an IP address within your own network or
-	    an alias name within your own domain.
-	    A naive web browser or script could then serve as an
-	    unintended proxy, allowing the attacker
-	    to get access to an internal node of your local network
-	    that couldn't be externally accessed otherwise.
-	    See the paper available at
-	    <ulink url="http://portal.acm.org/citation.cfm?id=1315245.1315298">
-	    http://portal.acm.org/citation.cfm?id=1315245.1315298
-	    </ulink>
-	    for more details about the attacks.
-	  </para>
-
-	  <para>
-	    For example, if you own a domain named "example.net" and
-	    your internal network uses an IPv4 prefix 192.0.2.0/24,
-	    you might specify the following rules:
-	  </para>
-
-<programlisting>deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
-deny-answer-aliases { "example.net"; };
-</programlisting>
-
-	  <para>
-	    If an external attacker lets a web browser in your local
-	    network look up an IPv4 address of "attacker.example.com",
-	    the attacker's DNS server would return a response like this:
-	  </para>
-
-<programlisting>attacker.example.com. A 192.0.2.1</programlisting>
-
-	  <para>
-	    in the answer section.
-	    Since the rdata of this record (the IPv4 address) matches
-	    the specified prefix 192.0.2.0/24, this response will be
-	    ignored.
-	  </para>
-
-	  <para>
-	    On the other hand, if the browser looks up a legitimate
-	    internal web server "www.example.net" and the
-	    following response is returned to
-	    the <acronym>BIND</acronym> 9 server
-	  </para>
-
-<programlisting>www.example.net. A 192.0.2.2</programlisting>
-
-	  <para>
-	    it will be accepted since the owner name "www.example.net"
-	    matches the <command>except-from</command> element,
-	    "example.net".
-	  </para>
-
-	  <para>
-	    Note that this is not really an attack on the DNS per se.
-	    In fact, there is nothing wrong for an "external" name to
-	    be mapped to your "internal" IP address or domain name
-	    from the DNS point of view.
-	    It might actually be provided for a legitimate purpose,
-	    such as for debugging.
-	    As long as the mapping is provided by the correct owner,
-	    it is not possible or does not make sense to detect
-	    whether the intent of the mapping is legitimate or not
-	    within the DNS.
-	    The "rebinding" attack must primarily be protected at the
-	    application that uses the DNS.
-	    For a large site, however, it may be difficult to protect
-	    all possible applications at once.
-	    This filtering feature is provided only to help such an
-	    operational environment;
-	    it is generally discouraged to turn it on unless you are
-	    very sure you have no other choice and the attack is a
-	    real threat for your applications.
-	  </para>
-
-	  <para>
-	    Care should be particularly taken if you want to use this
-	    option for addresses within 127.0.0.0/8.
-	    These addresses are obviously "internal", but many
-	    applications conventionally rely on a DNS mapping from
-	    some name to such an address.
-	    Filtering out DNS records containing this address
-	    spuriously can break such applications.
-	  </para>
-	</sect3>
-
-        <sect3>
-	  <title>Response Policy Zone (RPZ) Rewriting</title>
-	  <para>
-	    <acronym>BIND</acronym> 9 includes a limited
-	    mechanism to modify DNS responses for requests
-	    analogous to email anti-spam DNS blacklists.
-	    Responses can be changed to deny the existence of domains(NXDOMAIN),
-	    deny the existence of IP addresses for domains (NODATA),
-	    or contain other IP addresses or data.
-	  </para>
-
-	  <para>
-	    Response policy zones are named in the
-	    <command>response-policy</command> option for the view or among the
-	    global options if there is no response-policy option for the view.
-	    RPZs are ordinary DNS zones containing RRsets
-	    that can be queried normally if allowed.
-	    It is usually best to restrict those queries with something like
-	    <command>allow-query { localhost; };</command>.
-	  </para>
-
-	  <para>
-	    Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP,
-	    and NSDNAME.
-	    QNAME RPZ records triggered by query names of requests and targets
-	    of CNAME records resolved to generate the response.
-	    The owner name of a QNAME RPZ record is the query name relativized
-	    to the RPZ.
-	  </para>
-
-	  <para>
-	    The second kind of RPZ trigger is an IP address in an A and AAAA
-	    record in the ANSWER section of a response.
-	    IP address triggers are encoded in records that have owner names
-	    that are subdomains of <userinput>rpz-ip</userinput> relativized
-	    to the RPZ origin name and encode an IP address or address block.
-	    IPv4 trigger addresses are represented as
-	    <userinput>prefixlength.B4.B3.B2.B1.rpz-ip</userinput>.
-	    The prefix length must be between 1 and 32.
-	    All four bytes, B4, B3, B2, and B1, must be present.
-	    B4 is the decimal value of the least significant byte of the
-	    IPv4 address as in IN-ADDR.ARPA.
-	    IPv6 addresses are encoded in a format similar to the standard
-	    IPv6 text representation,
-	    <userinput>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</userinput>.
-	    Each of W8,...,W1 is a one to four digit hexadecimal number
-	    representing 16 bits of the IPv6 address as in the standard text
-	    representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
-	    All 8 words must be present except when consecutive
-	    zero words are replaced with <userinput>.zz.</userinput>
-	    analogous to double colons (::) in standard IPv6 text encodings.
-	    The prefix length must be between 1 and 128.
-	  </para>
-
-	  <para>
-	    NSDNAME triggers match names of authoritative servers
-	    for the query name, a parent of the query name, a CNAME for
-	    query name, or a parent of a CNAME.
-	    They are encoded as subdomains of
-	    <userinput>rpz-nsdomain</userinput> relativized
-	    to the RPZ origin name.
-	    NSIP triggers match IP addresses in A and
-	    AAAA RRsets for domains that can be checked against NSDNAME
-	    policy records.
-	    NSIP triggers are encoded like IP triggers except as subdomains of
-	    <userinput>rpz-nsip</userinput>.
-	    NSDNAME and NSIP triggers are checked only for names with at
-	    least <command>min-ns-dots</command> dots.
-	    The default value of <command>min-ns-dots</command> is 1 to
-	    exclude top level domains.
-	  </para>
-
-	  <para>
-	    The query response is checked against all RPZs, so
-	    two or more policy records can be triggered by a response.
-	    Because DNS responses can be rewritten according to at most one
-	    policy record, a single record encoding an action (other than
-	    <command>DISABLED</command> actions) must be chosen.
-	    Triggers or the records that encode them are chosen in
-	    the following order:
-	    <itemizedlist>
-	      <listitem>Choose the triggered record in the zone that appears
-		first in the response-policy option.
-	      </listitem>
-	      <listitem>Prefer QNAME to IP to NSDNAME to NSIP triggers
-		in a single zone.
-	      </listitem>
-	      <listitem>Among NSDNAME triggers, prefer the
-		trigger that matches the smallest name under the DNSSEC ordering.
-	      </listitem>
-	      <listitem>Among IP or NSIP triggers, prefer the trigger
-		with the longest prefix.
-	      </listitem>
-	      <listitem>Among triggers with the same prefex length,
-		prefer the IP or NSIP trigger that matches
-		the smallest IP address.
-	      </listitem>
-	    </itemizedlist>
-	  </para>
-
-	  <para>
-	    When the processing of a response is restarted to resolve
-	    DNAME or CNAME records and a policy record set has
-	    not been triggered,
-	    all RPZs are again consulted for the DNAME or CNAME names
-	    and addresses.
-	  </para>
-
-	  <para>
-	    RPZ record sets are sets of any types of DNS record except
-	    DNAME or DNSSEC that encode actions or responses to queries.
-	    <itemizedlist>
-	      <listitem>The <command>NXDOMAIN</command> response is encoded
-		by a CNAME whose target is the root domain (.)
-	      </listitem>
-	      <listitem>A CNAME whose target is the wildcard top-level
-		domain (*.) specifies the <command>NODATA</command> action,
-		which rewrites the response to NODATA or ANCOUNT=1.
-	      </listitem>
-	      <listitem>The <command>Local Data</command> action is
-		represented by a set ordinary DNS records that are used
-		to answer queries.  Queries for record types not the
-		set are answered with NODATA.
-
-		A special form of local data is a CNAME whose target is a
-		wildcard such as *.example.com.
-		It is used as if were an ordinary CNAME after the astrisk (*)
-		has been replaced with the query name.
-		The purpose for this special form is query logging in the
-		walled garden's authority DNS server.
-	      </listitem>
-	      <listitem>The <command>PASSTHRU</command> policy is specified
-		by a CNAME whose target is <command>rpz-passthru.</command>
-		It causes the response to not be rewritten
-		and is most often used to "poke holes" in policies for
-		CIDR blocks.
-		(A CNAME whose target is the variable part of its owner name
-		is an obsolete specification of the PASSTHRU policy.)
-	      </listitem>
-	    </itemizedlist>
-	  </para>
-
-	  <para>
-	    The actions specified in an RPZ can be overridden with a
-	    <command>policy</command> clause in the
-	    <command>response-policy</command> option.
-	    An organization using an RPZ provided by another organization might
-	    use this mechanism to redirect domains to its own walled garden.
-	    <itemizedlist>
-	      <listitem><command>GIVEN</command> says "do not override but
-		perform the action specified in the zone."
-	      </listitem>
-	      <listitem><command>DISABLED</command> causes policy records to do
-		nothing but log what they might have done.
-		The response to the DNS query will be written according to
-		any triggered policy records that are not disabled.
-		Disabled policy zones should appear first,
-		because they will often not be logged
-		if a higher precedence trigger is found first.
-	      </listitem>
-	      <listitem><command>PASSTHRU</command> causes all policy records
-		to act as if they were CNAME records with targets the variable
-		part of their owner name.  They protect the response from
-		being changed.
-	      </listitem>
-	      <listitem><command>NXDOMAIN</command> causes all RPZ records
-		to specify NXDOMAIN policies.
-	      </listitem>
-	      <listitem><command>NODATA</command> overrides with the
-		NODATA policy
-	      </listitem>
-	      <listitem><command>CNAME domain</command> causes all RPZ
-		policy records to act as if they were "cname domain" records.
-	      </listitem>
-	    </itemizedlist>
-	  </para>
-
-	  <para>
-	    By default, the actions encoded in an RPZ are applied
-	    only to queries that ask for recursion (RD=1).
-	    That default can be changed for a single RPZ or all RPZs in a view
-	    with a <command>recursive-only no</command> clause.
-	    This feature is useful for serving the same zone files
-	    both inside and outside an RFC 1918 cloud and using RPZ to
-	    delete answers that would otherwise contain RFC 1918 values
-	    on the externally visible name server or view.
-	  </para>
-
-	  <para>
-	    Also by default, RPZ actions are applied only to DNS requests that
-	    either do not request DNSSEC metadata (DO=0) or when no DNSSEC
-	    records are available for request name in the original zone (not
-	    the response policy zone).
-	    This default can be changed for all RPZs in a view with a
-	    <command>break-dnssec yes</command> clause.
-	    In that case, RPZ actions are applied regardless of DNSSEC.
-	    The name of the clause option reflects the fact that results
-	    rewritten by RPZ actions cannot verify.
-	  </para>
-
-	  <para>
-	    The TTL of a record modified by RPZ policies is set from the
-	    TTL of the relevant record in policy zone.  It is then limited
-	    to a maximum value.
-	    The <command>max-policy-ttl</command> clause changes that
-	    maximum from its default of 5.
-	  </para>
-
-	  <para>
-	    For example, you might use this option statement
-          </para>
-<programlisting>    response-policy { zone "badlist"; };</programlisting>
-          <para>
-            and this zone statement
-          </para>
-<programlisting>    zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</programlisting>
-          <para>
-            with this zone file
-          </para>
-<programlisting>$TTL 1H
-@                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
-                        NS  LOCALHOST.
-
-; QNAME policy records.  There are no periods (.) after the owner names.
-nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
-nodata.domain.com       CNAME   *.              ; NODATA policy
-bad.domain.com          A       10.0.0.1        ; redirect to a walled garden
-                        AAAA    2001:2::1
-
-; do not rewrite (PASSTHRU) OK.DOMAIN.COM
-ok.domain.com           CNAME   rpz-passthru.
-
-bzone.domain.com        CNAME   garden.example.com.
-
-; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
-*.bzone.domain.com      CNAME   *.garden.example.com.
-
-
-; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
-8.0.0.0.127.rpz-ip      CNAME   .
-32.1.0.0.127.rpz-ip     CNAME   rpz-passthru.
-
-; NSDNAME and NSIP policy records
-ns.domain.com.rpz-nsdname   CNAME   .
-48.zz.2.2001.rpz-nsip       CNAME   .
-</programlisting>
-          <para>
-            RPZ can affect server performance.
-            Each configured response policy zone requires the server to
-            perform one to four additional database lookups before a
-            query can be answered.
-            For example, a DNS server with four policy zones, each with all
-            four kinds of response triggers, QNAME, IP, NSIP, and
-            NSDNAME, requires a total of 17 times as many database
-            lookups as a similar DNS server with no response policy zones.
-            A <acronym>BIND9</acronym> server with adequate memory and one
-            response policy zone with QNAME and IP triggers might achieve a
-            maximum queries-per-second rate about 20% lower.
-            A server with four response policy zones with QNAME and IP
-            triggers might have a maximum QPS rate about 50% lower.
-          </para>
-
-          <para>
-            Responses rewritten by RPZ are counted in the
-            <command>RPZRewrites</command> statistics.
-          </para>
-        </sect3>
-      </sect2>
-
-      <sect2 id="server_statement_grammar">
-        <title><command>server</command> Statement Grammar</title>
-
-<programlisting><command>server</command> <replaceable>ip_addr[/prefixlen]</replaceable> {
-    <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
-    <optional> max-udp-size <replaceable>number</replaceable> ; </optional>
-    <optional> transfers <replaceable>number</replaceable> ; </optional>
-    <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
-    <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
-    <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
-                  <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
-    <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
-                     <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
-    <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
-    <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
-};
-</programlisting>
-
-        </sect2>
-
-        <sect2 id="server_statement_definition_and_usage">
-          <title><command>server</command> Statement Definition and
-            Usage</title>
-
-          <para>
-            The <command>server</command> statement defines
-            characteristics
-            to be associated with a remote name server.  If a prefix length is
-            specified, then a range of servers is covered.  Only the most
-            specific
-            server clause applies regardless of the order in
-            <filename>named.conf</filename>.
-          </para>
-
-          <para>
-            The <command>server</command> statement can occur at
-            the top level of the
-            configuration file or inside a <command>view</command>
-            statement.
-            If a <command>view</command> statement contains
-            one or more <command>server</command> statements, only
-            those
-            apply to the view and any top-level ones are ignored.
-            If a view contains no <command>server</command>
-            statements,
-            any top-level <command>server</command> statements are
-            used as
-            defaults.
-          </para>
-
-          <para>
-            If you discover that a remote server is giving out bad data,
-            marking it as bogus will prevent further queries to it. The
-            default
-            value of <command>bogus</command> is <command>no</command>.
-          </para>
-          <para>
-            The <command>provide-ixfr</command> clause determines
-            whether
-            the local server, acting as master, will respond with an
-            incremental
-            zone transfer when the given remote server, a slave, requests it.
-            If set to <command>yes</command>, incremental transfer
-            will be provided
-            whenever possible. If set to <command>no</command>,
-            all transfers
-            to the remote server will be non-incremental. If not set, the
-            value
-            of the <command>provide-ixfr</command> option in the
-            view or
-            global options block is used as a default.
-          </para>
-
-          <para>
-            The <command>request-ixfr</command> clause determines
-            whether
-            the local server, acting as a slave, will request incremental zone
-            transfers from the given remote server, a master. If not set, the
-            value of the <command>request-ixfr</command> option in
-            the view or global options block is used as a default. It may
-            also be set in the zone block and, if set there, it will
-            override the global or view setting for that zone.
-          </para>
-
-          <para>
-            IXFR requests to servers that do not support IXFR will
-            automatically
-            fall back to AXFR.  Therefore, there is no need to manually list
-            which servers support IXFR and which ones do not; the global
-            default
-            of <command>yes</command> should always work.
-            The purpose of the <command>provide-ixfr</command> and
-            <command>request-ixfr</command> clauses is
-            to make it possible to disable the use of IXFR even when both
-            master
-            and slave claim to support it, for example if one of the servers
-            is buggy and crashes or corrupts data when IXFR is used.
-          </para>
-
-          <para>
-            The <command>edns</command> clause determines whether
-            the local server will attempt to use EDNS when communicating
-	    with the remote server.  The default is <command>yes</command>.
-          </para>
-
-          <para>
-            The <command>edns-udp-size</command> option sets the EDNS UDP size
-	    that is advertised by <command>named</command> when querying the remote server.
-	    Valid values are 512 to 4096 bytes (values outside this range will be
-	    silently adjusted).  This option is useful when you wish to
-	    advertises a different value to this server than the value you
-	    advertise globally, for example, when there is a firewall at the
-	    remote site that is blocking large replies.
-          </para>
-
-          <para>
-	    The <command>max-udp-size</command> option sets the
-	    maximum EDNS UDP message size <command>named</command> will send.  Valid
-	    values are 512 to 4096 bytes (values outside this range will
-	    be silently adjusted).  This option is useful when you
-	    know that there is a firewall that is blocking large
-	    replies from <command>named</command>.
-	  </para>
-
-          <para>
-            The server supports two zone transfer methods. The first, <command>one-answer</command>,
-            uses one DNS message per resource record transferred. <command>many-answers</command> packs
-            as many resource records as possible into a message. <command>many-answers</command> is
-            more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
-            8.x, and patched versions of <acronym>BIND</acronym>
-            4.9.5. You can specify which method
-            to use for a server with the <command>transfer-format</command> option.
-            If <command>transfer-format</command> is not
-            specified, the <command>transfer-format</command>
-            specified
-            by the <command>options</command> statement will be
-            used.
-          </para>
-
-          <para><command>transfers</command>
-	    is used to limit the number of concurrent inbound zone
-            transfers from the specified server. If no
-            <command>transfers</command> clause is specified, the
-            limit is set according to the
-            <command>transfers-per-ns</command> option.
-          </para>
-
-          <para>
-            The <command>keys</command> clause identifies a
-            <command>key_id</command> defined by the <command>key</command> statement,
-            to be used for transaction security (TSIG, <xref linkend="tsig"/>)
-            when talking to the remote server.
-            When a request is sent to the remote server, a request signature
-            will be generated using the key specified here and appended to the
-            message. A request originating from the remote server is not
-            required
-            to be signed by this key.
-          </para>
-
-          <para>
-            Although the grammar of the <command>keys</command>
-            clause
-            allows for multiple keys, only a single key per server is
-            currently
-            supported.
-          </para>
-
-          <para>
-            The <command>transfer-source</command> and
-            <command>transfer-source-v6</command> clauses specify
-            the IPv4 and IPv6 source
-            address to be used for zone transfer with the remote server,
-            respectively.
-            For an IPv4 remote server, only <command>transfer-source</command> can
-            be specified.
-            Similarly, for an IPv6 remote server, only
-            <command>transfer-source-v6</command> can be
-            specified.
-            For more details, see the description of
-            <command>transfer-source</command> and
-            <command>transfer-source-v6</command> in
-            <xref linkend="zone_transfers"/>.
-          </para>
-
-	  <para>
-	    The <command>notify-source</command> and
-	    <command>notify-source-v6</command> clauses specify the
-	    IPv4 and IPv6 source address to be used for notify
-	    messages sent to remote servers, respectively.  For an
-	    IPv4 remote server, only <command>notify-source</command>
-	    can be specified.  Similarly, for an IPv6 remote server,
-	    only <command>notify-source-v6</command> can be specified.
-	  </para>
-
-	  <para>
-	    The <command>query-source</command> and
-	    <command>query-source-v6</command> clauses specify the
-	    IPv4 and IPv6 source address to be used for queries
-	    sent to remote servers, respectively.  For an IPv4
-	    remote server, only <command>query-source</command> can
-	    be specified.  Similarly, for an IPv6 remote server,
-	    only <command>query-source-v6</command> can be specified.
-	  </para>
-
-        </sect2>
-
-      <sect2 id="statschannels">
-        <title><command>statistics-channels</command> Statement Grammar</title>
-
-<programlisting><command>statistics-channels</command> {
-   [ inet ( ip_addr | * ) [ port ip_port ]
-   [ allow { <replaceable> address_match_list </replaceable> } ]; ]
-   [ inet ...; ]
-};
-</programlisting>
-      </sect2>
-
-      <sect2>
-          <title><command>statistics-channels</command> Statement Definition and
-            Usage</title>
-
-        <para>
-          The <command>statistics-channels</command> statement
-	  declares communication channels to be used by system
-	  administrators to get access to statistics information of
-	  the name server.
-        </para>
-
-        <para>
-	  This statement intends to be flexible to support multiple
-	  communication protocols in the future, but currently only
-	  HTTP access is supported.
-	  It requires that BIND 9 be compiled with libxml2;
-	  the <command>statistics-channels</command> statement is
-	  still accepted even if it is built without the library,
-	  but any HTTP access will fail with an error.
-        </para>
-
-        <para>
-          An <command>inet</command> control channel is a TCP socket
-	  listening at the specified <command>ip_port</command> on the
-	  specified <command>ip_addr</command>, which can be an IPv4 or IPv6
-	  address.  An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
-	  interpreted as the IPv4 wildcard address; connections will be
-	  accepted on any of the system's IPv4 addresses.
-	  To listen on the IPv6 wildcard address,
-          use an <command>ip_addr</command> of <literal>::</literal>.
-        </para>
-
-        <para>
-          If no port is specified, port 80 is used for HTTP channels.
-	  The asterisk "<literal>*</literal>" cannot be used for
-	  <command>ip_port</command>.
-        </para>
-
-        <para>
-          The attempt of opening a statistics channel is
-          restricted by the optional <command>allow</command> clause.
-	  Connections to the statistics channel are permitted based on the
-          <command>address_match_list</command>.
-	  If no <command>allow</command> clause is present,
-	  <command>named</command> accepts connection
-	  attempts from any address; since the statistics may
-	  contain sensitive internal information, it is highly
-	  recommended to restrict the source of connection requests
-	  appropriately.
-        </para>
-
-        <para>
-          If no <command>statistics-channels</command> statement is present,
-          <command>named</command> will not open any communication channels.
-        </para>
-
-        <para>
-          If the statistics channel is configured to listen on 127.0.0.1
-          port 8888, then the statistics are accessible in XML format at
-          <ulink url="http://127.0.0.1:8888/"
-                  >http://127.0.0.1:8888/</ulink> or
-          <ulink url="http://127.0.0.1:8888/xml"
-                  >http://127.0.0.1:8888/xml</ulink>. A CSS file is
-          included which can format the XML statistics into tables 
-          when viewed with a stylesheet-capable browser.  When
-          <acronym>BIND</acronym> 9 is configured with --enable-newstats, 
-          a new XML schema is used (version 3) which adds additional
-          zone statistics and uses a flatter tree for more efficient
-          parsing.  The stylesheet included uses the Google Charts API
-          to render data into into charts and graphs when using a
-          javascript-capable browser.
-        </para>
-
-        <para>
-          Applications that depend on a particular XML schema
-          can request 
-          <ulink url="http://127.0.0.1:8888/xml/v2"
-                  >http://127.0.0.1:8888/xml/v2</ulink> for version 2
-          of the statistics XML schema or 
-          <ulink url="http://127.0.0.1:8888/xml/v3"
-                  >http://127.0.0.1:8888/xml/v3</ulink> for version 3.
-          If the requested schema is supported by the server, then
-          it will respond; if not, it will return a "page not found"
-          error.
-        </para>
-      </sect2>
-
-	<sect2 id="trusted-keys">
-          <title><command>trusted-keys</command> Statement Grammar</title>
-
-<programlisting><command>trusted-keys</command> {
-    <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
-    <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
-};
-</programlisting>
-
-        </sect2>
-	<sect2>
-	  <title><command>trusted-keys</command> Statement Definition
-	    and Usage</title>
-	  <para>
-	    The <command>trusted-keys</command> statement defines
-	    DNSSEC security roots. DNSSEC is described in <xref
-	    linkend="DNSSEC"/>. A security root is defined when the
-	    public key for a non-authoritative zone is known, but
-	    cannot be securely obtained through DNS, either because
-	    it is the DNS root zone or because its parent zone is
-	    unsigned.  Once a key has been configured as a trusted
-	    key, it is treated as if it had been validated and
-	    proven secure. The resolver attempts DNSSEC validation
-	    on all DNS data in subdomains of a security root.
-	  </para>
-	  <para>
-	    All keys (and corresponding zones) listed in
-	    <command>trusted-keys</command> are deemed to exist regardless
-	    of what parent zones say.  Similarly for all keys listed in
-	    <command>trusted-keys</command> only those keys are
-	    used to validate the DNSKEY RRset.  The parent's DS RRset
-	    will not be used.
-	  </para>
-	  <para>
-	    The <command>trusted-keys</command> statement can contain
-	    multiple key entries, each consisting of the key's
-	    domain name, flags, protocol, algorithm, and the Base-64
-	    representation of the key data.
-	    Spaces, tabs, newlines and carriage returns are ignored
-	    in the key data, so the configuration may be split up into
-	    multiple lines.
-	  </para>
-	  <para>
-	    <command>trusted-keys</command> may be set at the top level
-	    of <filename>named.conf</filename> or within a view.  If it is
-	    set in both places, they are additive: keys defined at the top
-	    level are inherited by all views, but keys defined in a view
-	    are only used within that view.
-	  </para>
-	</sect2>
-
-        <sect2>
-          <title><command>managed-keys</command> Statement Grammar</title>
-
-<programlisting><command>managed-keys</command> {
-    <replaceable>name</replaceable> <literal>initial-key</literal> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key-data</replaceable> ;
-    <optional> <replaceable>name</replaceable> <literal>initial-key</literal> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key-data</replaceable> ; <optional>...</optional></optional>
-};
-</programlisting>
-
-        </sect2>
-	<sect2 id="managed-keys">
-	  <title><command>managed-keys</command> Statement Definition
-	    and Usage</title>
-	  <para>
-	    The <command>managed-keys</command> statement, like 
-            <command>trusted-keys</command>, defines DNSSEC
-            security roots.  The difference is that
-            <command>managed-keys</command> can be kept up to date
-            automatically, without intervention from the resolver
-            operator.
-	  </para>
-	  <para>
-            Suppose, for example, that a zone's key-signing
-            key was compromised, and the zone owner had to revoke and
-            replace the key.  A resolver which had the old key in a
-            <command>trusted-keys</command> statement would be
-            unable to validate this zone any longer; it would
-            reply with a SERVFAIL response code.  This would
-            continue until the resolver operator had updated the
-            <command>trusted-keys</command> statement with the new key.
-	  </para>
-	  <para>
-            If, however, the zone were listed in a
-            <command>managed-keys</command> statement instead, then the
-            zone owner could add a "stand-by" key to the zone in advance.
-            <command>named</command> would store the stand-by key, and
-            when the original key was revoked, <command>named</command>
-            would be able to transition smoothly to the new key.  It would
-            also recognize that the old key had been revoked, and cease
-            using that key to validate answers, minimizing the damage that
-            the compromised key could do.
-	  </para>
-          <para>
-            A <command>managed-keys</command> statement contains a list of
-            the keys to be managed, along with information about how the
-            keys are to be initialized for the first time.  The only
-            initialization method currently supported (as of
-            <acronym>BIND</acronym> 9.7.0) is <literal>initial-key</literal>.
-            This means the <command>managed-keys</command> statement must
-            contain a copy of the initializing key.  (Future releases may
-            allow keys to be initialized by other methods, eliminating this
-            requirement.)
-	  </para>
-          <para>
-            Consequently, a <command>managed-keys</command> statement
-            appears similar to a <command>trusted-keys</command>, differing
-            in the presence of the second field, containing the keyword
-            <literal>initial-key</literal>.  The difference is, whereas the
-            keys listed in a <command>trusted-keys</command> continue to be
-            trusted until they are removed from
-            <filename>named.conf</filename>, an initializing key listed 
-            in a <command>managed-keys</command> statement is only trusted
-            <emphasis>once</emphasis>: for as long as it takes to load the
-            managed key database and start the RFC 5011 key maintenance
-            process.
-	  </para>
-          <para>
-            The first time <command>named</command> runs with a managed key
-            configured in <filename>named.conf</filename>, it fetches the
-            DNSKEY RRset directly from the zone apex, and validates it
-            using the key specified in the <command>managed-keys</command>
-            statement.  If the DNSKEY RRset is validly signed, then it is
-            used as the basis for a new managed keys database.
-	  </para>
-          <para>
-            From that point on, whenever <command>named</command> runs, it
-            sees the <command>managed-keys</command> statement, checks to
-            make sure RFC 5011 key maintenance has already been initialized
-            for the specified domain, and if so, it simply moves on.  The
-            key specified in the <command>managed-keys</command> is not
-            used to validate answers; it has been superseded by the key or
-            keys stored in the managed keys database.
-          </para>
-          <para>
-            The next time <command>named</command> runs after a name
-            has been <emphasis>removed</emphasis> from the
-            <command>managed-keys</command> statement, the corresponding
-            zone will be removed from the managed keys database,
-            and RFC 5011 key maintenance will no longer be used for that
-            domain.
-	  </para>
-	  <para>
-	    <command>named</command> only maintains a single managed keys
-            database; consequently, unlike <command>trusted-keys</command>,
-            <command>managed-keys</command> may only be set at the top
-            level of <filename>named.conf</filename>, not within a view.
-	  </para>
-          <para>
-            In the current implementation, the managed keys database is
-            stored as a master-format zone file called
-            <filename>managed-keys.bind</filename>.  When the key database
-            is changed, the zone is updated.  As with any other dynamic
-            zone, changes will be written into a journal file,
-            <filename>managed-keys.bind.jnl</filename>.  They are committed
-            to the master file as soon as possible afterward; in the case
-            of the managed key database, this will usually occur within 30
-            seconds.  So, whenever <command>named</command> is using
-            automatic key maintenance, those two files can be expected to
-            exist in the working directory.  (For this reason among others,
-            the working directory should be always be writable by
-            <command>named</command>.)
-	  </para>
-	  <para>
-	    If the <command>dnssec-validation</command> option is
-	    set to <userinput>auto</userinput>, <command>named</command>
-	    will automatically initialize a managed key for the
-            root zone.  Similarly, if the <command>dnssec-lookaside</command>
-            option is set to <userinput>auto</userinput>,
-            <command>named</command> will automatically initialize
-            a managed key for the zone <literal>dlv.isc.org</literal>.
-            In both cases, the key that is used to initialize the key
-            maintenance process is built into <command>named</command>,
-            and can be overridden from <command>bindkeys-file</command>.
-	  </para>
-	</sect2>
-
-        <sect2 id="view_statement_grammar">
-          <title><command>view</command> Statement Grammar</title>
-
-<programlisting><command>view</command> <replaceable>view_name</replaceable>
-      <optional><replaceable>class</replaceable></optional> {
-      match-clients { <replaceable>address_match_list</replaceable> };
-      match-destinations { <replaceable>address_match_list</replaceable> };
-      match-recursive-only <replaceable>yes_or_no</replaceable> ;
-      <optional> <replaceable>view_option</replaceable>; ...</optional>
-      <optional> <replaceable>zone_statement</replaceable>; ...</optional>
-};
-</programlisting>
-
-        </sect2>
-        <sect2>
-          <title><command>view</command> Statement Definition and Usage</title>
-
-          <para>
-            The <command>view</command> statement is a powerful
-            feature
-            of <acronym>BIND</acronym> 9 that lets a name server
-            answer a DNS query differently
-            depending on who is asking. It is particularly useful for
-            implementing
-            split DNS setups without having to run multiple servers.
-          </para>
-
-          <para>
-            Each <command>view</command> statement defines a view
-            of the
-            DNS namespace that will be seen by a subset of clients.  A client
-            matches
-            a view if its source IP address matches the
-            <varname>address_match_list</varname> of the view's
-            <command>match-clients</command> clause and its
-            destination IP address matches
-            the <varname>address_match_list</varname> of the
-            view's
-            <command>match-destinations</command> clause.  If not
-            specified, both
-            <command>match-clients</command> and <command>match-destinations</command>
-            default to matching all addresses.  In addition to checking IP
-            addresses
-            <command>match-clients</command> and <command>match-destinations</command>
-            can also take <command>keys</command> which provide an
-            mechanism for the
-            client to select the view.  A view can also be specified
-            as <command>match-recursive-only</command>, which
-            means that only recursive
-            requests from matching clients will match that view.
-            The order of the <command>view</command> statements is
-            significant &mdash;
-            a client request will be resolved in the context of the first
-            <command>view</command> that it matches.
-          </para>
-
-          <para>
-            Zones defined within a <command>view</command>
-            statement will
-            only be accessible to clients that match the <command>view</command>.
-            By defining a zone of the same name in multiple views, different
-            zone data can be given to different clients, for example,
-            "internal"
-            and "external" clients in a split DNS setup.
-          </para>
-
-          <para>
-            Many of the options given in the <command>options</command> statement
-            can also be used within a <command>view</command>
-            statement, and then
-            apply only when resolving queries with that view.  When no
-            view-specific
-            value is given, the value in the <command>options</command> statement
-            is used as a default.  Also, zone options can have default values
-            specified
-            in the <command>view</command> statement; these
-            view-specific defaults
-            take precedence over those in the <command>options</command> statement.
-          </para>
-
-          <para>
-            Views are class specific.  If no class is given, class IN
-            is assumed.  Note that all non-IN views must contain a hint zone,
-            since only the IN class has compiled-in default hints.
-          </para>
-
-          <para>
-            If there are no <command>view</command> statements in
-            the config
-            file, a default view that matches any client is automatically
-            created
-            in class IN. Any <command>zone</command> statements
-            specified on
-            the top level of the configuration file are considered to be part
-            of
-            this default view, and the <command>options</command>
-            statement will
-            apply to the default view. If any explicit <command>view</command>
-            statements are present, all <command>zone</command>
-            statements must
-            occur inside <command>view</command> statements.
-          </para>
-
-          <para>
-            Here is an example of a typical split DNS setup implemented
-            using <command>view</command> statements:
-          </para>
-
-<programlisting>view "internal" {
-      // This should match our internal networks.
-      match-clients { 10.0.0.0/8; };
-
-      // Provide recursive service to internal
-      // clients only.
-      recursion yes;
-
-      // Provide a complete view of the example.com
-      // zone including addresses of internal hosts.
-      zone "example.com" {
-            type master;
-            file "example-internal.db";
-      };
-};
-
-view "external" {
-      // Match all clients not matched by the
-      // previous view.
-      match-clients { any; };
-
-      // Refuse recursive service to external clients.
-      recursion no;
-
-      // Provide a restricted view of the example.com
-      // zone containing only publicly accessible hosts.
-      zone "example.com" {
-           type master;
-           file "example-external.db";
-      };
-};
-</programlisting>
-
-        </sect2>
-        <sect2 id="zone_statement_grammar">
-          <title><command>zone</command>
-            Statement Grammar</title>
-
-<programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type master;
-    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
-    <optional> update-policy <replaceable>local</replaceable> | { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
-    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
-                  <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
-    <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
-    <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
-    <optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
-    <optional> file <replaceable>string</replaceable> ; </optional>
-    <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
-    <optional> journal <replaceable>string</replaceable> ; </optional>
-    <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
-    <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
-    <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
-    <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
-    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
-    <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
-    <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
-    <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> zone-statistics <replaceable>full</replaceable> | <replaceable>terse</replaceable> | <replaceable>none</replaceable>; </optional>
-    <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
-    <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
-    <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
-    <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
-    <optional> database <replaceable>string</replaceable> ; </optional>
-    <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> key-directory <replaceable>path_name</replaceable>; </optional>
-    <optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>; </optional>
-    <optional> inline-signing <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> serial-update-method <constant>increment</constant>|<constant>unixtime</constant>; </optional>
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type slave;
-    <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
-    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
-    <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> also-notify <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
-                              <optional>port <replaceable>ip_port</replaceable></optional>
-                              <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
-    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
-    <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
-    <optional> file <replaceable>string</replaceable> ; </optional>
-    <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
-    <optional> journal <replaceable>string</replaceable> ; </optional>
-    <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
-    <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
-    <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
-    <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
-                              <optional>port <replaceable>ip_port</replaceable></optional>
-                              <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
-    <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
-    <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
-    <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
-    <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
-    <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
-                             <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> zone-statistics <replaceable>full</replaceable> | <replaceable>terse</replaceable> | <replaceable>none</replaceable>; </optional>
-    <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
-    <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
-    <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
-    <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
-    <optional> database <replaceable>string</replaceable> ; </optional>
-    <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> key-directory <replaceable>path_name</replaceable>; </optional>
-    <optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>; </optional>
-    <optional> inline-signing <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type hint;
-    file <replaceable>string</replaceable> ;
-    <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional> // Not Implemented.
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type stub;
-    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
-    <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
-    <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> file <replaceable>string</replaceable> ; </optional>
-    <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
-    <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
-                              <optional>port <replaceable>ip_port</replaceable></optional>
-                              <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
-    <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
-    <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
-    <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
-    <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
-                         <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
-                            <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> database <replaceable>string</replaceable> ; </optional>
-    <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
-    <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
-    <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type static-stub;
-    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> server-addresses { <optional> <replaceable>ip_addr</replaceable> ; ... </optional> }; </optional>
-    <optional> server-names { <optional> <replaceable>namelist</replaceable> </optional> }; </optional>  
-    <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type forward;
-    <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
-    <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
-};
-
-zone <replaceable>"."</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type redirect;
-    file <replaceable>string</replaceable> ;
-    <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
-    <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
-};
-
-zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
-    type delegation-only;
-};
-
-</programlisting>
-
-        </sect2>
-        <sect2>
-          <title><command>zone</command> Statement Definition and Usage</title>
-          <sect3>
-            <title>Zone Types</title>
-            <informaltable colsep="0" rowsep="0">
-              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
-                <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
-                <!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
-		<colspec colname="1" colnum="1" colsep="0"/>
-                <colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
-                <tbody>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <varname>master</varname>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        The server has a master copy of the data
-                        for the zone and will be able to provide authoritative
-                        answers for
-                        it.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <varname>slave</varname>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        A slave zone is a replica of a master
-                        zone. The <command>masters</command> list
-                        specifies one or more IP addresses
-                        of master servers that the slave contacts to update
-                        its copy of the zone.
-                        Masters list elements can also be names of other
-                        masters lists.
-                        By default, transfers are made from port 53 on the
-                        servers; this can
-                        be changed for all servers by specifying a port number
-                        before the
-                        list of IP addresses, or on a per-server basis after
-                        the IP address.
-                        Authentication to the master can also be done with
-                        per-server TSIG keys.
-                        If a file is specified, then the
-                        replica will be written to this file whenever the zone
-                        is changed,
-                        and reloaded from this file on a server restart. Use
-                        of a file is
-                        recommended, since it often speeds server startup and
-                        eliminates
-                        a needless waste of bandwidth. Note that for large
-                        numbers (in the
-                        tens or hundreds of thousands) of zones per server, it
-                        is best to
-                        use a two-level naming scheme for zone filenames. For
-                        example,
-                        a slave server for the zone <literal>example.com</literal> might place
-                        the zone contents into a file called
-                        <filename>ex/example.com</filename> where <filename>ex/</filename> is
-                        just the first two letters of the zone name. (Most
-                        operating systems
-                        behave very slowly if you put 100000 files into
-                        a single directory.)
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <varname>stub</varname>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        A stub zone is similar to a slave zone,
-                        except that it replicates only the NS records of a
-                        master zone instead
-                        of the entire zone. Stub zones are not a standard part
-                        of the DNS;
-                        they are a feature specific to the <acronym>BIND</acronym> implementation.
-                      </para>
-
-                      <para>
-                        Stub zones can be used to eliminate the need for glue
-                        NS record
-                        in a parent zone at the expense of maintaining a stub
-                        zone entry and
-                        a set of name server addresses in <filename>named.conf</filename>.
-                        This usage is not recommended for new configurations,
-                        and BIND 9
-                        supports it only in a limited way.
-                        In <acronym>BIND</acronym> 4/8, zone
-                        transfers of a parent zone
-                        included the NS records from stub children of that
-                        zone. This meant
-                        that, in some cases, users could get away with
-                        configuring child stubs
-                        only in the master server for the parent zone. <acronym>BIND</acronym>
-                        9 never mixes together zone data from different zones
-                        in this
-                        way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
-                        zone has child stub zones configured, all the slave
-                        servers for the
-                        parent zone also need to have the same child stub
-                        zones
-                        configured.
-                      </para>
-
-                      <para>
-                        Stub zones can also be used as a way of forcing the
-                        resolution
-                        of a given domain to use a particular set of
-                        authoritative servers.
-                        For example, the caching name servers on a private
-                        network using
-                        RFC1918 addressing may be configured with stub zones
-                        for
-                        <literal>10.in-addr.arpa</literal>
-                        to use a set of internal name servers as the
-                        authoritative
-                        servers for that domain.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <varname>static-stub</varname>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-			A static-stub zone is similar to a stub zone
-			with the following exceptions:
-			the zone data is statically configured, rather
-			than transferred from a master server;
-			when recursion is necessary for a query that
-			matches a static-stub zone, the locally
-			configured data (nameserver names and glue addresses)
-			is always used even if different authoritative
-			information is cached.
-                      </para>
-                      <para>
-			Zone data is configured via the
-			<command>server-addresses</command> and
-			<command>server-names</command> zone options.
-                      </para>
-		      <para>
-			The zone data is maintained in the form of NS
-			and (if necessary) glue A or AAAA RRs
-			internally, which can be seen by dumping zone
-			databases by <command>rndc dumpdb -all</command>.
-			The configured RRs are considered local configuration
-			parameters rather than public data.
-			Non recursive queries (i.e., those with the RD
-			bit off) to a static-stub zone are therefore
-			prohibited and will be responded with REFUSED.
-		      </para>
-		      <para>
-			Since the data is statically configured, no
-			zone maintenance action takes place for a static-stub
-			zone.
-			For example, there is no periodic refresh
-			attempt, and an incoming notify message
-			will be rejected with an rcode of NOTAUTH.
-		      </para>
-		      <para>
-			Each static-stub zone is configured with
-			internally generated NS and (if necessary)
-			glue A or AAAA RRs 
-		      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <varname>forward</varname>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        A "forward zone" is a way to configure
-                        forwarding on a per-domain basis.  A <command>zone</command> statement
-                        of type <command>forward</command> can
-                        contain a <command>forward</command>
-                        and/or <command>forwarders</command>
-                        statement,
-                        which will apply to queries within the domain given by
-                        the zone
-                        name. If no <command>forwarders</command>
-                        statement is present or
-                        an empty list for <command>forwarders</command> is given, then no
-                        forwarding will be done for the domain, canceling the
-                        effects of
-                        any forwarders in the <command>options</command> statement. Thus
-                        if you want to use this type of zone to change the
-                        behavior of the
-                        global <command>forward</command> option
-                        (that is, "forward first"
-                        to, then "forward only", or vice versa, but want to
-                        use the same
-                        servers as set globally) you need to re-specify the
-                        global forwarders.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <varname>hint</varname>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        The initial set of root name servers is
-                        specified using a "hint zone". When the server starts
-                        up, it uses
-                        the root hints to find a root name server and get the
-                        most recent
-                        list of root name servers. If no hint zone is
-                        specified for class
-                        IN, the server uses a compiled-in default set of root
-                        servers hints.
-                        Classes other than IN have no built-in defaults hints.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <varname>redirect</varname>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Redirect zones are used to provide answers to
-                        queries when normal resolution would result in
-                        NXDOMAIN being returned.
-			Only one redirect zone is supported
-                        per view.  <command>allow-query</command> can be
-                        used to restrict which clients see these answers.
-                      </para>
-                      <para>
-			If the client has requested DNSSEC records (DO=1) and
-			the NXDOMAIN response is signed then no substitution
-			will occur.
-                      </para>
-                      <para>
-                        To redirect all NXDOMAIN responses to
-                        100.100.100.2 and
-                        2001:ffff:ffff::100.100.100.2, one would
-                        configure a type redirect zone named ".",
-                        with the zone file containing wildcard records
-                        that point to the desired addresses: 
-                        <literal>"*. IN A 100.100.100.2"</literal>
-                        and
-                        <literal>"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</literal>.
-                      </para>
-                      <para>
-                        To redirect all Spanish names (under .ES) one
-                        would use similar entries but with the names
-                        "*.ES." instead of "*.".  To redirect all 
-                        commercial Spanish names (under COM.ES) one
-			would use wildcard entries called "*.COM.ES.".
-                      </para>
-                      <para>
-                        Note that the redirect zone supports all
-                        possible types; it is not limited to A and
-                        AAAA records.
-                      </para>
-                      <para>
-                        Because redirect zones are not referenced
-                        directly by name, they are not kept in the
-                        zone lookup table with normal master and slave
-                        zones. Consequently, it is not currently possible
-                        to use
-                        <command>rndc reload
-                                <replaceable>zonename</replaceable></command>
-                        to reload a redirect zone.  However, when using
-                        <command>rndc reload</command> without specifying
-                        a zone name, redirect zones will be reloaded along
-                        with other zones.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <varname>delegation-only</varname>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-			This is used to enforce the delegation-only
-			status of infrastructure zones (e.g. COM,
-			NET, ORG).  Any answer that is received
-			without an explicit or implicit delegation
-			in the authority section will be treated
-			as NXDOMAIN.  This does not apply to the
-			zone apex.  This should not be applied to
-			leaf zones.
-                      </para>
-                      <para>
-                        <varname>delegation-only</varname> has no
-                        effect on answers received from forwarders.
-                      </para>
-		      <para>
-			See caveats in <xref linkend="root_delegation_only"/>.
-		      </para>
-                    </entry>
-                  </row>
-                </tbody>
-              </tgroup>
-            </informaltable>
-          </sect3>
-
-          <sect3>
-            <title>Class</title>
-            <para>
-              The zone's name may optionally be followed by a class. If
-              a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
-              is assumed. This is correct for the vast majority of cases.
-            </para>
-            <para>
-              The <literal>hesiod</literal> class is
-              named for an information service from MIT's Project Athena. It
-              is
-              used to share information about various systems databases, such
-              as users, groups, printers and so on. The keyword
-              <literal>HS</literal> is
-              a synonym for hesiod.
-            </para>
-            <para>
-              Another MIT development is Chaosnet, a LAN protocol created
-              in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
-            </para>
-          </sect3>
-          <sect3>
-
-            <title>Zone Options</title>
-
-            <variablelist>
-
-              <varlistentry>
-                <term><command>allow-notify</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>allow-notify</command> in <xref linkend="access_control"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>allow-query</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>allow-query</command> in <xref linkend="access_control"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>allow-query-on</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>allow-query-on</command> in <xref linkend="access_control"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>allow-transfer</command></term>
-                <listitem>
-                  <para>
-                    See the description of <command>allow-transfer</command>
-                    in <xref linkend="access_control"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>allow-update</command></term>
-                <listitem>
-                  <para>
-                    See the description of <command>allow-update</command>
-                    in <xref linkend="access_control"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>update-policy</command></term>
-                <listitem>
-                  <para>
-                    Specifies a "Simple Secure Update" policy. See
-                    <xref linkend="dynamic_update_policies"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>allow-update-forwarding</command></term>
-                <listitem>
-                  <para>
-                    See the description of <command>allow-update-forwarding</command>
-                    in <xref linkend="access_control"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>also-notify</command></term>
-                <listitem>
-                  <para>
-                    Only meaningful if <command>notify</command>
-                    is
-                    active for this zone. The set of machines that will
-                    receive a
-                    <literal>DNS NOTIFY</literal> message
-                    for this zone is made up of all the listed name servers
-                    (other than
-                    the primary master) for the zone plus any IP addresses
-                    specified
-                    with <command>also-notify</command>. A port
-                    may be specified
-                    with each <command>also-notify</command>
-                    address to send the notify
-                    messages to a port other than the default of 53.
-                    A TSIG key may also be specified to cause the
-                    <literal>NOTIFY</literal> to be signed by the
-                    given key.
-                    <command>also-notify</command> is not
-                    meaningful for stub zones.
-                    The default is the empty list.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>check-names</command></term>
-                <listitem>
-                  <para>
-                    This option is used to restrict the character set and
-                    syntax of
-                    certain domain names in master files and/or DNS responses
-                    received from the
-                    network.  The default varies according to zone type.  For <command>master</command> zones the default is <command>fail</command>.  For <command>slave</command>
-                    zones the default is <command>warn</command>.
-                    It is not implemented for <command>hint</command> zones.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>check-mx</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>check-mx</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>check-spf</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>check-spf</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>check-wildcard</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>check-wildcard</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>check-integrity</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>check-integrity</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>check-sibling</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>check-sibling</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>zero-no-soa-ttl</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-	      <varlistentry>
-	        <term><command>update-check-ksk</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-	      <varlistentry>
-	        <term><command>dnssec-update-mode</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>dnssec-update-mode</command> in <xref linkend="options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-	      <varlistentry>
-	        <term><command>dnssec-dnskey-kskonly</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>dnssec-dnskey-kskonly</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-	      <varlistentry>
-	        <term><command>try-tcp-refresh</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>try-tcp-refresh</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>database</command></term>
-                <listitem>
-                  <para>
-                    Specify the type of database to be used for storing the
-                    zone data.  The string following the <command>database</command> keyword
-                    is interpreted as a list of whitespace-delimited words.
-                    The first word
-                    identifies the database type, and any subsequent words are
-                    passed
-                    as arguments to the database to be interpreted in a way
-                    specific
-                    to the database type.
-                  </para>
-                  <para>
-                    The default is <userinput>"rbt"</userinput>, BIND 9's
-                    native in-memory
-                    red-black-tree database.  This database does not take
-                    arguments.
-                  </para>
-                  <para>
-                    Other values are possible if additional database drivers
-                    have been linked into the server.  Some sample drivers are
-                    included
-                    with the distribution but none are linked in by default.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>dialup</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>dialup</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>delegation-only</command></term>
-                <listitem>
-                  <para>
-                    The flag only applies to hint and stub zones.  If set
-                    to <userinput>yes</userinput>, then the zone will also be
-                    treated as if it is also a delegation-only type zone.
-                  </para>
-		  <para>
-		    See caveats in <xref linkend="root_delegation_only"/>.
-		  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>forward</command></term>
-                <listitem>
-                  <para>
-                    Only meaningful if the zone has a forwarders
-                    list. The <command>only</command> value causes
-                    the lookup to fail
-                    after trying the forwarders and getting no answer, while <command>first</command> would
-                    allow a normal lookup to be tried.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>forwarders</command></term>
-                <listitem>
-                  <para>
-                    Used to override the list of global forwarders.
-                    If it is not specified in a zone of type <command>forward</command>,
-                    no forwarding is done for the zone and the global options are
-                    not used.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>ixfr-base</command></term>
-                <listitem>
-                  <para>
-                    Was used in <acronym>BIND</acronym> 8 to
-                    specify the name
-                    of the transaction log (journal) file for dynamic update
-                    and IXFR.
-                    <acronym>BIND</acronym> 9 ignores the option
-                    and constructs the name of the journal
-                    file by appending "<filename>.jnl</filename>"
-                    to the name of the
-                    zone file.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>ixfr-tmp-file</command></term>
-                <listitem>
-                  <para>
-                    Was an undocumented option in <acronym>BIND</acronym> 8.
-                    Ignored in <acronym>BIND</acronym> 9.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>journal</command></term>
-                <listitem>
-                  <para>
-                    Allow the default journal's filename to be overridden.
-                    The default is the zone's filename with "<filename>.jnl</filename>" appended.
-                    This is applicable to <command>master</command> and <command>slave</command> zones.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>max-journal-size</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>max-journal-size</command> in <xref linkend="server_resource_limits"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>max-transfer-time-in</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>max-transfer-idle-in</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>max-transfer-time-out</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>max-transfer-idle-out</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>notify</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>notify</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>notify-delay</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>notify-delay</command> in <xref linkend="tuning"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>notify-to-soa</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>notify-to-soa</command> in
-		    <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>pubkey</command></term>
-                <listitem>
-                  <para>
-                    In <acronym>BIND</acronym> 8, this option was
-                    intended for specifying
-                    a public zone key for verification of signatures in DNSSEC
-                    signed
-                    zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
-                    on load and ignores the option.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>zone-statistics</command></term>
-                <listitem>
-                  <para>
-                    If <userinput>yes</userinput>, the server will keep
-                    statistical
-                    information for this zone, which can be dumped to the
-                    <command>statistics-file</command> defined in
-                    the server options.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>server-addresses</command></term>
-                <listitem>
-                  <para>
-                    Only meaningful for static-stub zones.
-		    This is a list of IP addresses to which queries
-		    should be sent in recursive resolution for the
-		    zone.
-		    A non empty list for this option will internally
-		    configure the apex NS RR with associated glue A or
-		    AAAA RRs.
-                  </para>
-		  <para>
-		    For example, if "example.com" is configured as a
-		    static-stub zone with 192.0.2.1 and 2001:db8::1234
-		    in a <command>server-addresses</command> option,
-		    the following RRs will be internally configured.
-		  </para>
-<programlisting>example.com. NS example.com.
-example.com. A 192.0.2.1
-example.com. AAAA 2001:db8::1234</programlisting>
-		  <para>
-		    These records are internally used to resolve
-		    names under the static-stub zone.
-		    For instance, if the server receives a query for
-		    "www.example.com" with the RD bit on, the server
-		    will initiate recursive resolution and send
-		    queries to 192.0.2.1 and/or 2001:db8::1234.
-		  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>server-names</command></term>
-                <listitem>
-                  <para>
-                    Only meaningful for static-stub zones.
-		    This is a list of domain names of nameservers that
-		    act as authoritative servers of the static-stub
-		    zone.
-		    These names will be resolved to IP addresses when
-		    <command>named</command> needs to send queries to
-		    these servers.
-		    To make this supplemental resolution successful,
-		    these names must not be a subdomain of the origin
-		    name of static-stub zone.
-		    That is, when "example.net" is the origin of a
-		    static-stub zone, "ns.example" and
-		    "master.example.com" can be specified in the
-		    <command>server-names</command> option, but
-		    "ns.example.net" cannot, and will be rejected by
-		    the configuration parser.
-		  </para>
-		  <para>
-		    A non empty list for this option will internally
-		    configure the apex NS RR with the specified names.
-		    For example, if "example.com" is configured as a
-		    static-stub zone with "ns1.example.net" and
-		    "ns2.example.net"
-		    in a <command>server-names</command> option,
-		    the following RRs will be internally configured.
-		  </para>
-<programlisting>example.com. NS ns1.example.net.
-example.com. NS ns2.example.net.
-</programlisting>
-		  <para>
-		    These records are internally used to resolve
-		    names under the static-stub zone.
-		    For instance, if the server receives a query for
-		    "www.example.com" with the RD bit on, the server
-		    initiate recursive resolution,
-		    resolve "ns1.example.net" and/or
-		    "ns2.example.net" to IP addresses, and then send
-		    queries to (one or more of) these addresses.
-		  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>sig-validity-interval</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>sig-validity-interval</command> in <xref linkend="tuning"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>sig-signing-nodes</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>sig-signing-nodes</command> in <xref linkend="tuning"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>sig-signing-signatures</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>sig-signing-signatures</command> in <xref linkend="tuning"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>sig-signing-type</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>sig-signing-type</command> in <xref linkend="tuning"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>transfer-source</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>transfer-source</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>transfer-source-v6</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>alt-transfer-source</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>alt-transfer-source-v6</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>use-alt-transfer-source</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-
-              <varlistentry>
-                <term><command>notify-source</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>notify-source</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>notify-source-v6</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>min-refresh-time</command></term>
-                <term><command>max-refresh-time</command></term>
-                <term><command>min-retry-time</command></term>
-                <term><command>max-retry-time</command></term>
-                <listitem>
-                  <para>
-                    See the description in <xref linkend="tuning"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>ixfr-from-differences</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
-		    (Note that the <command>ixfr-from-differences</command>
-		    <userinput>master</userinput> and
-		    <userinput>slave</userinput> choices are not
-		    available at the zone level.)
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>key-directory</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>key-directory</command> in <xref linkend="options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>auto-dnssec</command></term>
-                <listitem>
-                  <para>
-                    Zones configured for dynamic DNS may also use this
-                    option to allow varying levels of automatic DNSSEC key
-                    management. There are three possible settings:
-                  </para>
-                  <para>
-                    <command>auto-dnssec allow;</command> permits
-                    keys to be updated and the zone fully re-signed
-                    whenever the user issues the command <command>rndc sign
-                    <replaceable>zonename</replaceable></command>.
-                  </para>
-                  <para>
-                    <command>auto-dnssec maintain;</command> includes the
-                    above, but also automatically adjusts the zone's DNSSEC
-                    keys on schedule, according to the keys' timing metadata
-                    (see <xref linkend="man.dnssec-keygen"/> and
-                    <xref linkend="man.dnssec-settime"/>).  The command
-                    <command>rndc sign
-                    <replaceable>zonename</replaceable></command> causes
-                    <command>named</command> to load keys from the key
-                    repository and sign the zone with all keys that are
-                    active. 
-                    <command>rndc loadkeys
-                    <replaceable>zonename</replaceable></command> causes
-                    <command>named</command> to load keys from the key
-                    repository and schedule key maintenance events to occur
-                    in the future, but it does not sign the full zone
-                    immediately.  Note: once keys have been loaded for a
-                    zone the first time, the repository will be searched
-                    for changes periodically, regardless of whether
-                    <command>rndc loadkeys</command> is used.  The recheck
-                    interval is defined by
-                    <command>dnssec-loadkeys-interval</command>.)
-                  </para>
-                  <para>
-                    The default setting is <command>auto-dnssec off</command>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>serial-update-method</command></term>
-                <listitem>
-                  <para>
-                    Zones configured for dynamic DNS may use this
-                    option to set the update method that will be used for
-                    the zone serial number in the SOA record.
-                  </para>
-                  <para>
-                    With the default setting of
-                    <command>serial-update-method increment;</command>, the
-                    SOA serial number will be incremented by one each time
-                    the zone is updated.
-                  </para>
-                  <para>
-                    When set to 
-                    <command>serial-update-method unixtime;</command>, the
-                    SOA serial number will be set to the number of seconds
-                    since the UNIX epoch, unless the serial number is
-                    already greater than or equal to that value, in which
-                    case it is simply incremented by one.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-              <varlistentry>
-                <term><command>inline-signing</command></term>
-		<listitem>
-		  <para>
-                    If <literal>yes</literal>, this enables
-		    "bump in the wire" signing of a zone, where a
-		    unsigned zone is transferred in or loaded from
-		    disk and a signed version of the zone is served,
-		    with possibly, a different serial number.  This
-		    behaviour is disabled by default.
-		  </para>
-		</listitem>
-	      </varlistentry>
-
-              <varlistentry>
-                <term><command>multi-master</command></term>
-                <listitem>
-                  <para>
-                    See the description of <command>multi-master</command> in
-		    <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-	
-	      <varlistentry>
-		<term><command>masterfile-format</command></term>
-		<listitem>
-		  <para>
-		    See the description of <command>masterfile-format</command>
-		    in <xref linkend="tuning"/>.
-		  </para>
-		</listitem>
-	      </varlistentry>
-
-              <varlistentry>
-                <term><command>dnssec-secure-to-insecure</command></term>
-                <listitem>
-                  <para>
-                    See the description of
-                    <command>dnssec-secure-to-insecure</command> in <xref linkend="boolean_options"/>.
-                  </para>
-                </listitem>
-              </varlistentry>
-
-            </variablelist>
-
-          </sect3>
-          <sect3 id="dynamic_update_policies">
-            <title>Dynamic Update Policies</title>
-	    <para><acronym>BIND</acronym> 9 supports two alternative
-	      methods of granting clients the right to perform
-	      dynamic updates to a zone, configured by the
-	      <command>allow-update</command> and
-	      <command>update-policy</command> option, respectively.
-	    </para>
-	    <para>
-	      The <command>allow-update</command> clause works the
-	      same way as in previous versions of <acronym>BIND</acronym>.
-	      It grants given clients the permission to update any
-	      record of any name in the zone.
-	    </para>
-	    <para>
-	      The <command>update-policy</command> clause
-	      allows more fine-grained control over what updates are
-	      allowed.  A set of rules is specified, where each rule
-	      either grants or denies permissions for one or more
-	      names to be updated by one or more identities.  If
-	      the dynamic update request message is signed (that is,
-	      it includes either a TSIG or SIG(0) record), the
-	      identity of the signer can be determined.
-	    </para>
-	    <para>
-	      Rules are specified in the <command>update-policy</command>
-	      zone option, and are only meaningful for master zones.
-	      When the <command>update-policy</command> statement
-	      is present, it is a configuration error for the
-	      <command>allow-update</command> statement to be
-	      present.  The <command>update-policy</command> statement
-	      only examines the signer of a message; the source
-	      address is not relevant.
-	    </para>
-	    <para>
-              There is a pre-defined <command>update-policy</command>
-              rule which can be switched on with the command
-              <command>update-policy local;</command>.
-              Switching on this rule in a zone causes
-              <command>named</command> to generate a TSIG session
-              key and place it in a file, and to allow that key
-              to update the zone.  (By default, the file is
-              <filename>/var/run/named/session.key</filename>, the key
-              name is "local-ddns" and the key algorithm is HMAC-SHA256,
-              but these values are configurable with the
-              <command>session-keyfile</command>,
-              <command>session-keyname</command> and
-              <command>session-keyalg</command> options, respectively).
-            </para>
-	    <para>
-              A client running on the local system, and with appropriate
-              permissions, may read that file and use the key to sign update
-              requests.  The zone's update policy will be set to allow that
-              key to change any record within the zone.  Assuming the
-              key name is "local-ddns", this policy is equivalent to:
-            </para>
-
-            <programlisting>update-policy { grant local-ddns zonesub any; };
-            </programlisting>
-
-	    <para>
-              The command <command>nsupdate -l</command> sends update
-              requests to localhost, and signs them using the session key.
-	    </para>
-
-	    <para>
-              Other rule definitions look like this:
-            </para>
-
-<programlisting>
-( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <optional> <replaceable>name</replaceable> </optional> <optional> <replaceable>types</replaceable> </optional>
-</programlisting>
-
-            <para>
-              Each rule grants or denies privileges.  Once a message has
-              successfully matched a rule, the operation is immediately
-              granted or denied and no further rules are examined.  A rule
-              is matched when the signer matches the identity field, the
-              name matches the name field in accordance with the nametype
-              field, and the type matches the types specified in the type
-              field.
-            </para>
-            <para>
-	      No signer is required for <replaceable>tcp-self</replaceable>
-	      or <replaceable>6to4-self</replaceable> however the standard
-	      reverse mapping / prefix conversion must match the identity
-	      field.
-	    </para>
-	    <para>
-	      The identity field specifies a name or a wildcard
-	      name.  Normally, this is the name of the TSIG or
-	      SIG(0) key used to sign the update request.  When a
-	      TKEY exchange has been used to create a shared secret,
-	      the identity of the shared secret is the same as the
-	      identity of the key used to authenticate the TKEY
-	      exchange.  TKEY is also the negotiation method used
-	      by GSS-TSIG, which establishes an identity that is
-	      the Kerberos principal of the client, such as
-	      <userinput>"user@host.domain"</userinput>.  When the
-	      <replaceable>identity</replaceable> field specifies
-	      a wildcard name, it is subject to DNS wildcard
-	      expansion, so the rule will apply to multiple identities.
-	      The <replaceable>identity</replaceable> field must
-	      contain a fully-qualified domain name.
-	    </para>
-	    <para>
-	      For nametypes <varname>krb5-self</varname>,
-	      <varname>ms-self</varname>, <varname>krb5-subdomain</varname>,
-              and <varname>ms-subdomain</varname> the
-	      <replaceable>identity</replaceable> field specifies
-	      the Windows or Kerberos realm of the machine belongs to.
-	    </para>
-            <para>
-              The <replaceable>nametype</replaceable> field has 13
-              values:
-              <varname>name</varname>, <varname>subdomain</varname>,
-              <varname>wildcard</varname>, <varname>self</varname>,
-	      <varname>selfsub</varname>, <varname>selfwild</varname>,
-	      <varname>krb5-self</varname>, <varname>ms-self</varname>,
-	      <varname>krb5-subdomain</varname>,
-	      <varname>ms-subdomain</varname>,
-	      <varname>tcp-self</varname>, <varname>6to4-self</varname>,
-	      <varname>zonesub</varname>, and <varname>external</varname>.
-            </para>
-            <informaltable>
-              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-                <colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
-                <colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
-                <tbody>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>name</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			Exact-match semantics.  This rule matches
-			when the name being updated is identical
-			to the contents of the
-			<replaceable>name</replaceable> field.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>subdomain</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			This rule matches when the name being updated
-			is a subdomain of, or identical to, the
-			contents of the <replaceable>name</replaceable>
-			field.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>zonesub</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			This rule is similar to subdomain, except that
-			it matches when the name being updated is a
-			subdomain of the zone in which the
-			<command>update-policy</command> statement
-			appears.  This obviates the need to type the zone
-			name twice, and enables the use of a standard
-			<command>update-policy</command> statement in
-			multiple zones without modification.
-		      </para>
-		      <para>
-                        When this rule is used, the
-                        <replaceable>name</replaceable> field is omitted.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>wildcard</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			The <replaceable>name</replaceable> field
-			is subject to DNS wildcard expansion, and
-			this rule matches when the name being updated
-			name is a valid expansion of the wildcard.
-		      </para>
-		    </entry>
-		  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <varname>self</varname>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-		      <para>
-			This rule matches when the name being updated
-			matches the contents of the
-			<replaceable>identity</replaceable> field.
-			The <replaceable>name</replaceable> field
-			is ignored, but should be the same as the
-			<replaceable>identity</replaceable> field.
-			The <varname>self</varname> nametype is
-			most useful when allowing using one key per
-			name to update, where the key has the same
-			name as the name to be updated.  The
-			<replaceable>identity</replaceable> would
-			be specified as <constant>*</constant> (an asterisk) in
-			this case.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>selfsub</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			This rule is similar to <varname>self</varname>
-			except that subdomains of <varname>self</varname>
-			can also be updated.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>selfwild</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			This rule is similar to <varname>self</varname>
-			except that only subdomains of
-			<varname>self</varname> can be updated.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>ms-self</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			This rule takes a Windows machine principal
-			(machine$@REALM) for machine in REALM and
-			and converts it machine.realm allowing the machine 
-                        to update machine.realm.  The REALM to be matched
-			is specified in the <replaceable>identity</replaceable>
-			field.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>ms-subdomain</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			This rule takes a Windows machine principal 
-			(machine$@REALM) for machine in REALM and
-			converts it to machine.realm allowing the machine
-			to update subdomains of machine.realm.  The REALM
-			to be matched is specified in the
-			<replaceable>identity</replaceable> field.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>krb5-self</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			This rule takes a Kerberos machine principal
-			(host/machine@REALM) for machine in REALM and
-			and converts it machine.realm allowing the machine 
-                        to update machine.realm.  The REALM to be matched
-			is specified in the <replaceable>identity</replaceable>
-			field.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>krb5-subdomain</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			This rule takes a Kerberos machine principal 
-			(host/machine@REALM) for machine in REALM and
-			converts it to machine.realm allowing the machine
-			to update subdomains of machine.realm.  The REALM
-			to be matched is specified in the
-			<replaceable>identity</replaceable> field.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>tcp-self</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			Allow updates that have been sent via TCP and
-			for which the standard mapping from the initiating
-			IP address into the IN-ADDR.ARPA and IP6.ARPA
-			namespaces match the name to be updated.
-		      </para>
-		      <note>
-			It is theoretically possible to spoof these TCP
-			sessions.
-		      </note>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>6to4-self</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			Allow the 6to4 prefix to be update by any TCP
-			connection from the 6to4 network or from the
-			corresponding IPv4 address.  This is intended
-			to allow NS or DNAME RRsets to be added to the
-			reverse tree.
-		      </para>
-		      <note>
-			It is theoretically possible to spoof these TCP
-			sessions.
-		      </note>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para>
-			<varname>external</varname>
-		      </para>
-		    </entry> <entry colname="2">
-		      <para>
-			This rule allows <command>named</command>
-			to defer the decision of whether to allow a
-			given update to an external daemon.
-		      </para>
-		      <para>
-			The method of communicating with the daemon is
-			specified in the <replaceable>identity</replaceable>
-			field, the format of which is
-			"<constant>local:</constant><replaceable>path</replaceable>",
-			where <replaceable>path</replaceable> is the location
-                        of a UNIX-domain socket.  (Currently, "local" is the
-                        only supported mechanism.)
-		      </para>
-		      <para>
-			Requests to the external daemon are sent over the
-			UNIX-domain socket as datagrams with the following
-			format:
-		      </para>
-		      <programlisting>
-   Protocol version number (4 bytes, network byte order, currently 1)
-   Request length (4 bytes, network byte order)
-   Signer (null-terminated string)
-   Name (null-terminated string)
-   TCP source address (null-terminated string)
-   Rdata type (null-terminated string)
-   Key (null-terminated string)
-   TKEY token length (4 bytes, network byte order)
-   TKEY token (remainder of packet)</programlisting>
-		      <para>
-			The daemon replies with a four-byte value in
-			network byte order, containing either 0 or 1; 0
-			indicates that the specified update is not
-			permitted, and 1 indicates that it is.
-		      </para>
-		    </entry>
-		  </row>
-                </tbody>
-              </tgroup>
-            </informaltable>
-
-            <para>
-              In all cases, the <replaceable>name</replaceable>
-              field must specify a fully-qualified domain name.
-            </para>
-
-	    <para>
-	      If no types are explicitly specified, this rule matches
-	      all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
-	      may be specified by name, including "ANY" (ANY matches
-	      all types except NSEC and NSEC3, which can never be
-	      updated).  Note that when an attempt is made to delete
-	      all records associated with a name, the rules are
-	      checked for each existing record type.
-	    </para>
-          </sect3>
-        </sect2>
-      </sect1>
-      <sect1>
-        <title>Zone File</title>
-        <sect2 id="types_of_resource_records_and_when_to_use_them">
-          <title>Types of Resource Records and When to Use Them</title>
-          <para>
-            This section, largely borrowed from RFC 1034, describes the
-            concept of a Resource Record (RR) and explains when each is used.
-            Since the publication of RFC 1034, several new RRs have been
-            identified
-            and implemented in the DNS. These are also included.
-          </para>
-          <sect3>
-            <title>Resource Records</title>
-
-            <para>
-              A domain name identifies a node.  Each node has a set of
-              resource information, which may be empty.  The set of resource
-              information associated with a particular name is composed of
-              separate RRs. The order of RRs in a set is not significant and
-              need not be preserved by name servers, resolvers, or other
-              parts of the DNS. However, sorting of multiple RRs is
-              permitted for optimization purposes, for example, to specify
-              that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
-            </para>
-
-            <para>
-              The components of a Resource Record are:
-            </para>
-            <informaltable colsep="0" rowsep="0">
-              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-                <colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
-                <colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
-                <tbody>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        owner name
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        The domain name where the RR is found.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        type
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        An encoded 16-bit value that specifies
-                        the type of the resource record.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        TTL
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        The time-to-live of the RR. This field
-                        is a 32-bit integer in units of seconds, and is
-                        primarily used by
-                        resolvers when they cache RRs. The TTL describes how
-                        long a RR can
-                        be cached before it should be discarded.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        class
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        An encoded 16-bit value that identifies
-                        a protocol family or instance of a protocol.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        RDATA
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        The resource data.  The format of the
-                        data is type (and sometimes class) specific.
-                      </para>
-                    </entry>
-                  </row>
-                </tbody>
-              </tgroup>
-            </informaltable>
-            <para>
-              The following are <emphasis>types</emphasis> of valid RRs:
-            </para>
-            <informaltable colsep="0" rowsep="0">
-              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-                <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
-                <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
-                <tbody>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        A
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        A host address.  In the IN class, this is a
-                        32-bit IP address.  Described in RFC 1035.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        AAAA
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        IPv6 address.  Described in RFC 1886.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        A6
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        IPv6 address.  This can be a partial
-                        address (a suffix) and an indirection to the name
-                        where the rest of the
-                        address (the prefix) can be found.  Experimental.
-                        Described in RFC 2874.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        AFSDB
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Location of AFS database servers.
-                        Experimental.  Described in RFC 1183.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        APL
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Address prefix list.  Experimental.
-                        Described in RFC 3123.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        CERT
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Holds a digital certificate.
-                        Described in RFC 2538.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        CNAME
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Identifies the canonical name of an alias.
-                        Described in RFC 1035.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        DHCID
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-			Is used for identifying which DHCP client is
-			associated with this name.  Described in RFC 4701.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        DNAME
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Replaces the domain name specified with
-                        another name to be looked up, effectively aliasing an
-                        entire
-                        subtree of the domain name space rather than a single
-                        record
-                        as in the case of the CNAME RR.
-                        Described in RFC 2672.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        DNSKEY
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Stores a public key associated with a signed
-                        DNS zone.  Described in RFC 4034.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        DS
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Stores the hash of a public key associated with a
-                        signed DNS zone.  Described in RFC 4034.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        GPOS
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Specifies the global position.  Superseded by LOC.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        HINFO
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Identifies the CPU and OS used by a host.
-                        Described in RFC 1035.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        IPSECKEY
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-			Provides a method for storing IPsec keying material in
-			DNS.  Described in RFC 4025.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        ISDN
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Representation of ISDN addresses.
-                        Experimental.  Described in RFC 1183.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        KEY
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Stores a public key associated with a
-                        DNS name.  Used in original DNSSEC; replaced
-			by DNSKEY in DNSSECbis, but still used with
-			SIG(0).  Described in RFCs 2535 and 2931.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        KX
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Identifies a key exchanger for this
-                        DNS name.  Described in RFC 2230.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        LOC
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        For storing GPS info.  Described in RFC 1876.
-                        Experimental.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        MX
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Identifies a mail exchange for the domain with
-                        a 16-bit preference value (lower is better)
-                        followed by the host name of the mail exchange.
-                        Described in RFC 974, RFC 1035.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        NAPTR
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Name authority pointer.  Described in RFC 2915.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        NSAP
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        A network service access point.
-                        Described in RFC 1706.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        NS
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        The authoritative name server for the
-                        domain.  Described in RFC 1035.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        NSEC
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Used in DNSSECbis to securely indicate that
-                        RRs with an owner name in a certain name interval do
-                        not exist in
-                        a zone and indicate what RR types are present for an
-                        existing name.
-                        Described in RFC 4034.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        NSEC3
-                      </para>
-                    </entry>
-		    <entry colname="2">
-		      <para>
-			Used in DNSSECbis to securely indicate that
-			RRs with an owner name in a certain name
-			interval do not exist in a zone and indicate
-			what RR types are present for an existing
-			name.  NSEC3 differs from NSEC in that it
-			prevents zone enumeration but is more
-			computationally expensive on both the server
-			and the client than NSEC.  Described in RFC
-			5155.
-		      </para>
-		    </entry>
-		  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        NSEC3PARAM
-                      </para>
-                    </entry>
-		    <entry colname="2">
-		      <para>
-			Used in DNSSECbis to tell the authoritative
-			server which NSEC3 chains are available to use.
-			Described in RFC 5155.
-		      </para>
-		    </entry>
-		  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        NXT
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Used in DNSSEC to securely indicate that
-                        RRs with an owner name in a certain name interval do
-                        not exist in
-                        a zone and indicate what RR types are present for an
-                        existing name.
-			Used in original DNSSEC; replaced by NSEC in
-			DNSSECbis.
-                        Described in RFC 2535.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        PTR
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        A pointer to another part of the domain
-                        name space.  Described in RFC 1035.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        PX
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Provides mappings between RFC 822 and X.400
-                        addresses.  Described in RFC 2163.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        RP
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Information on persons responsible
-                        for the domain.  Experimental.  Described in RFC 1183.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        RRSIG
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Contains DNSSECbis signature data.  Described
-			in RFC 4034.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        RT
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Route-through binding for hosts that
-                        do not have their own direct wide area network
-                        addresses.
-                        Experimental.  Described in RFC 1183.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        SIG
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Contains DNSSEC signature data.  Used in
-			original DNSSEC; replaced by RRSIG in
-			DNSSECbis, but still used for SIG(0).
-			Described in RFCs 2535 and 2931.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        SOA
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Identifies the start of a zone of authority.
-                        Described in RFC 1035.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        SPF
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-			Contains the Sender Policy Framework information
-			for a given email domain.  Described in RFC 4408.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        SRV
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Information about well known network
-                        services (replaces WKS).  Described in RFC 2782.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        SSHFP
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-			Provides a way to securely publish a secure shell key's
-			fingerprint.  Described in RFC 4255.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        TXT
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Text records.  Described in RFC 1035.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        WKS
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Information about which well known
-                        network services, such as SMTP, that a domain
-                        supports. Historical.
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        X25
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Representation of X.25 network addresses.
-                        Experimental.  Described in RFC 1183.
-                      </para>
-                    </entry>
-                  </row>
-                </tbody>
-              </tgroup>
-            </informaltable>
-            <para>
-              The following <emphasis>classes</emphasis> of resource records
-              are currently valid in the DNS:
-            </para>
-            <informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-                <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
-                <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
-                <tbody>
-
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        IN
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        The Internet.
-                      </para>
-                    </entry>
-                  </row>
-
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        CH
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Chaosnet, a LAN protocol created at MIT in the
-                        mid-1970s.
-                        Rarely used for its historical purpose, but reused for
-                        BIND's
-                        built-in server information zones, e.g.,
-                        <literal>version.bind</literal>.
-                      </para>
-                    </entry>
-                  </row>
-
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        HS
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        Hesiod, an information service
-                        developed by MIT's Project Athena. It is used to share
-                        information
-                        about various systems databases, such as users,
-                        groups, printers
-                        and so on.
-                      </para>
-                    </entry>
-                  </row>
-
-                </tbody>
-              </tgroup>
-            </informaltable>
-
-            <para>
-              The owner name is often implicit, rather than forming an
-              integral
-              part of the RR.  For example, many name servers internally form
-              tree
-              or hash structures for the name space, and chain RRs off nodes.
-              The remaining RR parts are the fixed header (type, class, TTL)
-              which is consistent for all RRs, and a variable part (RDATA)
-              that
-              fits the needs of the resource being described.
-            </para>
-            <para>
-              The meaning of the TTL field is a time limit on how long an
-              RR can be kept in a cache.  This limit does not apply to
-              authoritative
-              data in zones; it is also timed out, but by the refreshing
-              policies
-              for the zone.  The TTL is assigned by the administrator for the
-              zone where the data originates.  While short TTLs can be used to
-              minimize caching, and a zero TTL prohibits caching, the
-              realities
-              of Internet performance suggest that these times should be on
-              the
-              order of days for the typical host.  If a change can be
-              anticipated,
-              the TTL can be reduced prior to the change to minimize
-              inconsistency
-              during the change, and then increased back to its former value
-              following
-              the change.
-            </para>
-            <para>
-              The data in the RDATA section of RRs is carried as a combination
-              of binary strings and domain names.  The domain names are
-              frequently
-              used as "pointers" to other data in the DNS.
-            </para>
-          </sect3>
-          <sect3>
-            <title>Textual expression of RRs</title>
-            <para>
-              RRs are represented in binary form in the packets of the DNS
-              protocol, and are usually represented in highly encoded form
-              when
-              stored in a name server or resolver.  In the examples provided
-              in
-              RFC 1034, a style similar to that used in master files was
-              employed
-              in order to show the contents of RRs.  In this format, most RRs
-              are shown on a single line, although continuation lines are
-              possible
-              using parentheses.
-            </para>
-            <para>
-              The start of the line gives the owner of the RR.  If a line
-              begins with a blank, then the owner is assumed to be the same as
-              that of the previous RR.  Blank lines are often included for
-              readability.
-            </para>
-            <para>
-              Following the owner, we list the TTL, type, and class of the
-              RR.  Class and type use the mnemonics defined above, and TTL is
-              an integer before the type field.  In order to avoid ambiguity
-              in
-              parsing, type and class mnemonics are disjoint, TTLs are
-              integers,
-              and the type mnemonic is always last. The IN class and TTL
-              values
-              are often omitted from examples in the interests of clarity.
-            </para>
-            <para>
-              The resource data or RDATA section of the RR are given using
-              knowledge of the typical representation for the data.
-            </para>
-            <para>
-              For example, we might show the RRs carried in a message as:
-            </para>
-            <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-                <colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
-                <colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
-                <colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
-                <tbody>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <literal>ISI.EDU.</literal>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        <literal>MX</literal>
-                      </para>
-                    </entry>
-                    <entry colname="3">
-                      <para>
-                        <literal>10 VENERA.ISI.EDU.</literal>
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para/>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        <literal>MX</literal>
-                      </para>
-                    </entry>
-                    <entry colname="3">
-                      <para>
-                        <literal>10 VAXA.ISI.EDU</literal>
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <literal>VENERA.ISI.EDU</literal>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        <literal>A</literal>
-                      </para>
-                    </entry>
-                    <entry colname="3">
-                      <para>
-                        <literal>128.9.0.32</literal>
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para/>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        <literal>A</literal>
-                      </para>
-                    </entry>
-                    <entry colname="3">
-                      <para>
-                        <literal>10.1.0.52</literal>
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <literal>VAXA.ISI.EDU</literal>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        <literal>A</literal>
-                      </para>
-                    </entry>
-                    <entry colname="3">
-                      <para>
-                        <literal>10.2.0.27</literal>
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para/>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        <literal>A</literal>
-                      </para>
-                    </entry>
-                    <entry colname="3">
-                      <para>
-                        <literal>128.9.0.33</literal>
-                      </para>
-                    </entry>
-                  </row>
-                </tbody>
-              </tgroup>
-            </informaltable>
-            <para>
-              The MX RRs have an RDATA section which consists of a 16-bit
-              number followed by a domain name.  The address RRs use a
-              standard
-              IP address format to contain a 32-bit internet address.
-            </para>
-            <para>
-              The above example shows six RRs, with two RRs at each of three
-              domain names.
-            </para>
-            <para>
-              Similarly we might see:
-            </para>
-            <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-                <colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
-                <colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
-                <colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
-                <tbody>
-                  <row rowsep="0">
-                    <entry colname="1">
-                      <para>
-                        <literal>XX.LCS.MIT.EDU.</literal>
-                      </para>
-                    </entry>
-                    <entry colname="2">
-                      <para>
-                        <literal>IN A</literal>
-                      </para>
-                    </entry>
-                    <entry colname="3">
-                      <para>
-                        <literal>10.0.0.44</literal>
-                      </para>
-                    </entry>
-                  </row>
-                  <row rowsep="0">
-		    <entry colname="1"/>
-                    <entry colname="2">
-                      <para>
-                        <literal>CH A</literal>
-                      </para>
-                    </entry>
-                    <entry colname="3">
-                      <para>
-                        <literal>MIT.EDU. 2420</literal>
-                      </para>
-                    </entry>
-                  </row>
-                </tbody>
-              </tgroup>
-            </informaltable>
-            <para>
-              This example shows two addresses for
-	      <literal>XX.LCS.MIT.EDU</literal>, each of a different class.
-            </para>
-          </sect3>
-        </sect2>
-
-        <sect2>
-          <title>Discussion of MX Records</title>
-
-          <para>
-            As described above, domain servers store information as a
-            series of resource records, each of which contains a particular
-            piece of information about a given domain name (which is usually,
-            but not always, a host). The simplest way to think of a RR is as
-            a typed pair of data, a domain name matched with a relevant datum,
-            and stored with some additional type information to help systems
-            determine when the RR is relevant.
-          </para>
-
-          <para>
-            MX records are used to control delivery of email. The data
-            specified in the record is a priority and a domain name. The
-            priority
-            controls the order in which email delivery is attempted, with the
-            lowest number first. If two priorities are the same, a server is
-            chosen randomly. If no servers at a given priority are responding,
-            the mail transport agent will fall back to the next largest
-            priority.
-            Priority numbers do not have any absolute meaning &mdash; they are
-            relevant
-            only respective to other MX records for that domain name. The
-            domain
-            name given is the machine to which the mail will be delivered.
-	    It <emphasis>must</emphasis> have an associated address record
-	    (A or AAAA) &mdash; CNAME is not sufficient.
-          </para>
-          <para>
-            For a given domain, if there is both a CNAME record and an
-            MX record, the MX record is in error, and will be ignored.
-            Instead,
-            the mail will be delivered to the server specified in the MX
-            record
-            pointed to by the CNAME.
-            For example:
-          </para>
-          <informaltable colsep="0" rowsep="0">
-            <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
-              <colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
-              <colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
-              <colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
-              <colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
-              <colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
-              <tbody>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para>
-                      <literal>example.com.</literal>
-                    </para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      <literal>IN</literal>
-                    </para>
-                  </entry>
-                  <entry colname="3">
-                    <para>
-                      <literal>MX</literal>
-                    </para>
-                  </entry>
-                  <entry colname="4">
-                    <para>
-                      <literal>10</literal>
-                    </para>
-                  </entry>
-                  <entry colname="5">
-                    <para>
-                      <literal>mail.example.com.</literal>
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para/>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      <literal>IN</literal>
-                    </para>
-                  </entry>
-                  <entry colname="3">
-                    <para>
-                      <literal>MX</literal>
-                    </para>
-                  </entry>
-                  <entry colname="4">
-                    <para>
-                      <literal>10</literal>
-                    </para>
-                  </entry>
-                  <entry colname="5">
-                    <para>
-                      <literal>mail2.example.com.</literal>
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para/>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      <literal>IN</literal>
-                    </para>
-                  </entry>
-                  <entry colname="3">
-                    <para>
-                      <literal>MX</literal>
-                    </para>
-                  </entry>
-                  <entry colname="4">
-                    <para>
-                      <literal>20</literal>
-                    </para>
-                  </entry>
-                  <entry colname="5">
-                    <para>
-                      <literal>mail.backup.org.</literal>
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para>
-                      <literal>mail.example.com.</literal>
-                    </para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      <literal>IN</literal>
-                    </para>
-                  </entry>
-                  <entry colname="3">
-                    <para>
-                      <literal>A</literal>
-                    </para>
-                  </entry>
-                  <entry colname="4">
-                    <para>
-                      <literal>10.0.0.1</literal>
-                    </para>
-                  </entry>
-                  <entry colname="5">
-                    <para/>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para>
-                      <literal>mail2.example.com.</literal>
-                    </para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      <literal>IN</literal>
-                    </para>
-                  </entry>
-                  <entry colname="3">
-                    <para>
-                      <literal>A</literal>
-                    </para>
-                  </entry>
-                  <entry colname="4">
-                    <para>
-                      <literal>10.0.0.2</literal>
-                    </para>
-                  </entry>
-                  <entry colname="5">
-                    <para/>
-                  </entry>
-                </row>
-              </tbody>
-            </tgroup>
-            </informaltable><para>
-            Mail delivery will be attempted to <literal>mail.example.com</literal> and
-            <literal>mail2.example.com</literal> (in
-            any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
-            be attempted.
-          </para>
-        </sect2>
-        <sect2 id="Setting_TTLs">
-          <title>Setting TTLs</title>
-          <para>
-            The time-to-live of the RR field is a 32-bit integer represented
-            in units of seconds, and is primarily used by resolvers when they
-            cache RRs. The TTL describes how long a RR can be cached before it
-            should be discarded. The following three types of TTL are
-            currently
-            used in a zone file.
-          </para>
-          <informaltable colsep="0" rowsep="0">
-            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
-              <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
-              <colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
-              <tbody>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para>
-                      SOA
-                    </para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The last field in the SOA is the negative
-                      caching TTL. This controls how long other servers will
-                      cache no-such-domain
-                      (NXDOMAIN) responses from you.
-                    </para>
-                    <para>
-                      The maximum time for
-                      negative caching is 3 hours (3h).
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para>
-                      $TTL
-                    </para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The $TTL directive at the top of the
-                      zone file (before the SOA) gives a default TTL for every
-                      RR without
-                      a specific TTL set.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para>
-                      RR TTLs
-                    </para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      Each RR can have a TTL as the second
-                      field in the RR, which will control how long other
-                      servers can cache
-                      the it.
-                    </para>
-                  </entry>
-                </row>
-              </tbody>
-            </tgroup>
-          </informaltable>
-          <para>
-            All of these TTLs default to units of seconds, though units
-            can be explicitly specified, for example, <literal>1h30m</literal>.
-          </para>
-        </sect2>
-        <sect2>
-          <title>Inverse Mapping in IPv4</title>
-          <para>
-            Reverse name resolution (that is, translation from IP address
-            to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
-            and PTR records. Entries in the in-addr.arpa domain are made in
-            least-to-most significant order, read left to right. This is the
-            opposite order to the way IP addresses are usually written. Thus,
-            a machine with an IP address of 10.1.2.3 would have a
-            corresponding
-            in-addr.arpa name of
-            3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-            whose data field is the name of the machine or, optionally,
-            multiple
-            PTR records if the machine has more than one name. For example,
-            in the <optional>example.com</optional> domain:
-          </para>
-          <informaltable colsep="0" rowsep="0">
-            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
-              <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
-              <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
-              <tbody>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para>
-                      <literal>$ORIGIN</literal>
-                    </para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      <literal>2.1.10.in-addr.arpa</literal>
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para>
-                      <literal>3</literal>
-                    </para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      <literal>IN PTR foo.example.com.</literal>
-                    </para>
-                  </entry>
-                </row>
-              </tbody>
-            </tgroup>
-          </informaltable>
-          <note>
-            <para>
-              The <command>$ORIGIN</command> lines in the examples
-              are for providing context to the examples only &mdash; they do not
-              necessarily
-              appear in the actual usage. They are only used here to indicate
-              that the example is relative to the listed origin.
-            </para>
-          </note>
-        </sect2>
-        <sect2>
-          <title>Other Zone File Directives</title>
-          <para>
-            The Master File Format was initially defined in RFC 1035 and
-            has subsequently been extended. While the Master File Format
-            itself
-            is class independent all records in a Master File must be of the
-            same
-            class.
-          </para>
-          <para>
-            Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
-            and <command>$TTL.</command>
-          </para>
-          <sect3>
-            <title>The <command>@</command> (at-sign)</title>
-            <para>
-              When used in the label (or name) field, the asperand or
-              at-sign (@) symbol represents the current origin.
-              At the start of the zone file, it is the 
-              &lt;<varname>zone_name</varname>&gt; (followed by
-              trailing dot).
-            </para>
-          </sect3>
-          <sect3>
-            <title>The <command>$ORIGIN</command> Directive</title>
-            <para>
-              Syntax: <command>$ORIGIN</command>
-	      <replaceable>domain-name</replaceable>
-              <optional><replaceable>comment</replaceable></optional>
-            </para>
-            <para><command>$ORIGIN</command>
-	      sets the domain name that will be appended to any
-              unqualified records. When a zone is first read in there
-              is an implicit <command>$ORIGIN</command>
-              &lt;<varname>zone_name</varname>&gt;<command>.</command>
-              (followed by trailing dot).
-              The current <command>$ORIGIN</command> is appended to
-              the domain specified in the <command>$ORIGIN</command>
-              argument if it is not absolute.
-            </para>
-
-<programlisting>
-$ORIGIN example.com.
-WWW     CNAME   MAIN-SERVER
-</programlisting>
-
-            <para>
-              is equivalent to
-            </para>
-
-<programlisting>
-WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
-</programlisting>
-
-          </sect3>
-          <sect3>
-            <title>The <command>$INCLUDE</command> Directive</title>
-            <para>
-              Syntax: <command>$INCLUDE</command>
-              <replaceable>filename</replaceable>
-              <optional>
-<replaceable>origin</replaceable> </optional>
-              <optional> <replaceable>comment</replaceable> </optional>
-            </para>
-            <para>
-              Read and process the file <filename>filename</filename> as
-              if it were included into the file at this point.  If <command>origin</command> is
-              specified the file is processed with <command>$ORIGIN</command> set
-              to that value, otherwise the current <command>$ORIGIN</command> is
-              used.
-            </para>
-            <para>
-              The origin and the current domain name
-              revert to the values they had prior to the <command>$INCLUDE</command> once
-              the file has been read.
-            </para>
-            <note>
-              <para>
-                RFC 1035 specifies that the current origin should be restored
-                after
-                an <command>$INCLUDE</command>, but it is silent
-                on whether the current
-                domain name should also be restored.  BIND 9 restores both of
-                them.
-                This could be construed as a deviation from RFC 1035, a
-                feature, or both.
-              </para>
-            </note>
-          </sect3>
-          <sect3>
-            <title>The <command>$TTL</command> Directive</title>
-            <para>
-              Syntax: <command>$TTL</command>
-              <replaceable>default-ttl</replaceable>
-              <optional>
-<replaceable>comment</replaceable> </optional>
-            </para>
-            <para>
-              Set the default Time To Live (TTL) for subsequent records
-              with undefined TTLs. Valid TTLs are of the range 0-2147483647
-              seconds.
-            </para>
-            <para><command>$TTL</command>
-	       is defined in RFC 2308.
-            </para>
-          </sect3>
-        </sect2>
-        <sect2>
-          <title><acronym>BIND</acronym> Master File Extension: the  <command>$GENERATE</command> Directive</title>
-          <para>
-            Syntax: <command>$GENERATE</command>
-	    <replaceable>range</replaceable>
-	    <replaceable>lhs</replaceable>
-            <optional><replaceable>ttl</replaceable></optional>
-            <optional><replaceable>class</replaceable></optional>
-	    <replaceable>type</replaceable>
-	    <replaceable>rhs</replaceable>
-            <optional><replaceable>comment</replaceable></optional>
-          </para>
-          <para><command>$GENERATE</command>
-	    is used to create a series of resource records that only
-            differ from each other by an
-            iterator. <command>$GENERATE</command> can be used to
-            easily generate the sets of records required to support
-            sub /24 reverse delegations described in RFC 2317:
-            Classless IN-ADDR.ARPA delegation.
-          </para>
-
-<programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0</programlisting>
-
-          <para>
-            is equivalent to
-          </para>
-
-<programlisting>0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
-0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
-1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
-2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
-...
-127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-</programlisting>
-
-	   <para>
-	    Generate a set of A and MX records.  Note the MX's right hand
-	    side is a quoted string.  The quotes will be stripped when the
-	    right hand side is processed.
-	   </para>
-
-<programlisting>
-$ORIGIN EXAMPLE.
-$GENERATE 1-127 HOST-$ A 1.2.3.$
-$GENERATE 1-127 HOST-$ MX "0 ."</programlisting>
-
-          <para>
-            is equivalent to
-          </para>
-
-<programlisting>HOST-1.EXAMPLE.   A  1.2.3.1
-HOST-1.EXAMPLE.   MX 0 .
-HOST-2.EXAMPLE.   A  1.2.3.2
-HOST-2.EXAMPLE.   MX 0 .
-HOST-3.EXAMPLE.   A  1.2.3.3
-HOST-3.EXAMPLE.   MX 0 .
-...
-HOST-127.EXAMPLE. A  1.2.3.127
-HOST-127.EXAMPLE. MX 0 .
-</programlisting>
-
-          <informaltable colsep="0" rowsep="0">
-            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
-                        <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
-              <colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
-              <tbody>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>range</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      This can be one of two forms: start-stop
-                      or start-stop/step. If the first form is used, then step
-                      is set to
-                      1. All of start, stop and step must be positive.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>lhs</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>This
-		      describes the owner name of the resource records
-                      to be created.  Any single <command>$</command>
-                      (dollar sign)
-                      symbols within the <command>lhs</command> string
-                      are replaced by the iterator value.
-
-                      To get a $ in the output, you need to escape the
-                      <command>$</command> using a backslash
-                      <command>\</command>,
-                      e.g. <command>\$</command>. The
-                      <command>$</command> may optionally be followed
-                      by modifiers which change the offset from the
-                      iterator, field width and base.
-
-                      Modifiers are introduced by a
-                      <command>{</command> (left brace) immediately following the
-                      <command>$</command> as
-                      <command>${offset[,width[,base]]}</command>.
-                      For example, <command>${-20,3,d}</command>
-                      subtracts 20 from the current value, prints the
-                      result as a decimal in a zero-padded field of
-                      width 3.
-
-		      Available output forms are decimal
-                      (<command>d</command>), octal
-                      (<command>o</command>), hexadecimal
-                      (<command>x</command> or <command>X</command>
-                      for uppercase) and nibble
-		      (<command>n</command> or <command>N</command>\
-		      for uppercase).  The default modifier is
-                      <command>${0,0,d}</command>.  If the
-                      <command>lhs</command> is not absolute, the
-                      current <command>$ORIGIN</command> is appended
-                      to the name.
-                    </para>
-		    <para>
-		      In nibble mode the value will be treated as
-		      if it was a reversed hexadecimal string
-		      with each hexadecimal digit as a separate
-		      label.  The width field includes the label
-		      separator.
-		    </para>
-		    <para>
-		      For compatibility with earlier versions,
-		      <command>$$</command> is still recognized as
-		      indicating a literal $ in the output.
-		    </para>
-		  </entry>
-		</row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>ttl</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      Specifies the time-to-live of the generated records. If
-                      not specified this will be inherited using the
-                      normal TTL inheritance rules.
-                    </para>
-                    <para><command>class</command>
-		      and <command>ttl</command> can be
-                      entered in either order.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>class</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      Specifies the class of the generated records.
-                      This must match the zone class if it is
-                      specified.
-                    </para>
-                    <para><command>class</command>
-		      and <command>ttl</command> can be
-                      entered in either order.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>type</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      Any valid type.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>rhs</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      <command>rhs</command>, optionally, quoted string.
-                    </para>
-                  </entry>
-                </row>
-              </tbody>
-            </tgroup>
-          </informaltable>
-          <para>
-            The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
-            and not part of the standard zone file format.
-          </para>
-          <para>
-            BIND 8 does not support the optional TTL and CLASS fields.
-          </para>
-        </sect2>
-
-	<sect2 id="zonefile_format">
-	  <title>Additional File Formats</title>
-	  <para>
-	    In addition to the standard textual format, BIND 9
-	    supports the ability to read or dump to zone files in
-	    other formats.  The <constant>raw</constant> format is
-	    currently available as an additional format.  It is a
-	    binary format representing BIND 9's internal data
-	    structure directly, thereby remarkably improving the
-	    loading time.
-	  </para>
-	  <para>
-	    For a primary server, a zone file in the
-	    <constant>raw</constant> format is expected to be
-	    generated from a textual zone file by the
-	    <command>named-compilezone</command> command.  For a
-	    secondary server or for a dynamic zone, it is automatically
-	    generated (if this format is specified by the
-	    <command>masterfile-format</command> option) when
-	    <command>named</command> dumps the zone contents after
-	    zone transfer or when applying prior updates.
-	  </para>
-	  <para>
-	    If a zone file in a binary format needs manual modification,
-	    it first must be converted to a textual form by the
-	    <command>named-compilezone</command> command.  All
-	    necessary modification should go to the text file, which
-	    should then be converted to the binary form by the
-	    <command>named-compilezone</command> command again.
-	  </para>
-    	  <para>
-	     Although the <constant>raw</constant> format uses the
-	     network byte order and avoids architecture-dependent
-	     data alignment so that it is as much portable as
-	     possible, it is primarily expected to be used inside
-	     the same single system.  In order to export a zone
-	     file in the <constant>raw</constant> format or make a
-	     portable backup of the file, it is recommended to
-	     convert the file to the standard textual representation.
-	  </para>
-	</sect2>
-      </sect1>
-
-      <sect1 id="statistics">
-        <title>BIND9 Statistics</title>
-        <para>
-	  <acronym>BIND</acronym> 9 maintains lots of statistics
-	  information and provides several interfaces for users to
-	  get access to the statistics.
-	  The available statistics include all statistics counters
-	  that were available in <acronym>BIND</acronym> 8 and
-	  are meaningful in <acronym>BIND</acronym> 9,
-	  and other information that is considered useful.
-        </para>
-
-        <para>
-	  The statistics information is categorized into the following
-	  sections.
-        </para>
-
-	<informaltable frame="all">
-          <tgroup cols="2">
-            <colspec colname="1" colnum="1" colsep="0" colwidth="3.300in"/>
-            <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
-            <tbody>
-
-	      <row rowsep="0">
-                <entry colname="1">
-                  <para>Incoming Requests</para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    The number of incoming DNS requests for each OPCODE.
-                  </para>
-                </entry>
-	      </row>
-
-	      <row rowsep="0">
-                <entry colname="1">
-                  <para>Incoming Queries</para>
-                </entry>
-                <entry colname="2">
-                  <para>
-		    The number of incoming queries for each RR type.
-                  </para>
-                </entry>
-	      </row>
-
-	      <row rowsep="0">
-                <entry colname="1">
-                  <para>Outgoing Queries</para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    The number of outgoing queries for each RR
-                    type sent from the internal resolver.
-		    Maintained per view.
-                  </para>
-                </entry>
-	      </row>
-
-	      <row rowsep="0">
-                <entry colname="1">
-                  <para>Name Server Statistics</para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Statistics counters about incoming request processing.
-                  </para>
-                </entry>
-	      </row>
-
-	      <row rowsep="0">
-                <entry colname="1">
-                  <para>Zone Maintenance Statistics</para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Statistics counters regarding zone maintenance
-                    operations such as zone transfers.
-                  </para>
-                </entry>
-	      </row>
-
-	      <row rowsep="0">
-                <entry colname="1">
-                  <para>Resolver Statistics</para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Statistics counters about name resolution
-                    performed in the internal resolver.
-		    Maintained per view.
-                  </para>
-                </entry>
-	      </row>
-
-	      <row rowsep="0">
-                <entry colname="1">
-                  <para>Cache DB RRsets</para>
-                </entry>
-                <entry colname="2">
-                  <para>
-		    The number of RRsets per RR type and nonexistent
-		    names stored in the cache database.
-		    If the exclamation mark (!) is printed for a RR
-		    type, it means that particular type of RRset is
-		    known to be nonexistent (this is also known as
-		    "NXRRSET").
-		    Maintained per view.
-                  </para>
-                </entry>
-	      </row>
-
-	      <row rowsep="0">
-                <entry colname="1">
-                  <para>Socket I/O Statistics</para>
-                </entry>
-                <entry colname="2">
-                  <para>
-                    Statistics counters about network related events.
-                  </para>
-                </entry>
-	      </row>
-
-	    </tbody>
-	  </tgroup>
-	</informaltable>
-
-	<para>
-	  A subset of Name Server Statistics is collected and shown
-	  per zone for which the server has the authority when
-	  <command>zone-statistics</command> is set to
-	  <userinput>yes</userinput>.
-	  These statistics counters are shown with their zone and view
-	  names.
-	  In some cases the view names are omitted for the default view.
-	</para>
-
-	<para>
-	  There are currently two user interfaces to get access to the
-	  statistics.
-	  One is in the plain text format dumped to the file specified
-	  by the <command>statistics-file</command> configuration option.
-	  The other is remotely accessible via a statistics channel
-	  when the <command>statistics-channels</command> statement
-	  is specified in the configuration file
-	  (see <xref linkend="statschannels"/>.)
-	</para>
-
-        <sect3 id="statsfile">
-          <title>The Statistics File</title>
-          <para>
-            The text format statistics dump begins with a line, like:
-	  </para>
-          <para>
-	    <command>+++ Statistics Dump +++ (973798949)</command>
-	  </para>
-	  <para>
-	    The number in parentheses is a standard
-            Unix-style timestamp, measured as seconds since January 1, 1970.
-
-            Following
-            that line is a set of statistics information, which is categorized
-            as described above.
-	    Each section begins with a line, like:
-	  </para>
-
-	  <para>
-	    <command>++ Name Server Statistics ++</command>
-	  </para>
-
-	  <para>
-	    Each section consists of lines, each containing the statistics
-	    counter value followed by its textual description.
-	    See below for available counters.
-	    For brevity, counters that have a value of 0 are not shown
-	    in the statistics file.
-	  </para>
-
-	  <para>
-	    The statistics dump ends with the line where the
-            number is identical to the number in the beginning line; for example:
-          </para>
-          <para>
-	    <command>--- Statistics Dump --- (973798949)</command>
-          </para>
-	</sect3>
-
-        <sect2 id="statistics_counters">
-	  <title>Statistics Counters</title>
-	  <para>
-	    The following tables summarize statistics counters that
-	    <acronym>BIND</acronym> 9 provides.
-	    For each row of the tables, the leftmost column is the
-	    abbreviated symbol name of that counter.
-	    These symbols are shown in the statistics information
-	    accessed via an HTTP statistics channel.
-	    The rightmost column gives the description of the counter,
-	    which is also shown in the statistics file
-	    (but, in this document, possibly with slight modification
-	    for better readability).
-	    Additional notes may also be provided in this column.
-	    When a middle column exists between these two columns,
-	    it gives the corresponding counter name of the
-	    <acronym>BIND</acronym> 8 statistics, if applicable.
-	  </para>
-
-	  <sect3>
-            <title>Name Server Statistics Counters</title>
-
-            <informaltable colsep="0" rowsep="0">
-              <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-		<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
-		<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
-		<colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
-		<tbody>
-		  <row>
-		    <entry colname="1">
-                      <para>
-			<emphasis>Symbol</emphasis>
-                      </para>
-		    </entry>
-		    <entry colname="2">
-                      <para>
-			<emphasis>BIND8 Symbol</emphasis>
-                      </para>
-		    </entry>
-		    <entry colname="3">
-                      <para>
-			<emphasis>Description</emphasis>
-                      </para>
-		    </entry>
-		  </row>
-
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Requestv4</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv4 requests received.
-			Note: this also counts non query requests.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Requestv6</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv6 requests received.
-			Note: this also counts non query requests.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ReqEdns0</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Requests with EDNS(0) received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ReqBadEDNSVer</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Requests with unsupported EDNS version received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ReqTSIG</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Requests with TSIG received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ReqSIG0</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Requests with SIG(0) received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ReqBadSIG</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Requests with invalid (TSIG or SIG(0)) signature.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ReqTCP</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RTCP</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			TCP requests received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>AuthQryRej</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RUQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Authoritative (non recursive) queries rejected.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>RecQryRej</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RURQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Recursive queries rejected.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>XfrRej</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RUXFR</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Zone transfer requests rejected.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>UpdateRej</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RUUpd</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Dynamic update requests rejected.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Response</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SAns</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Responses sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>RespTruncated</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Truncated responses sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>RespEDNS0</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Responses with EDNS(0) sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>RespTSIG</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Responses with TSIG sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>RespSIG0</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Responses with SIG(0) sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QrySuccess</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries resulted in a successful answer.
-			This means the query which returns a NOERROR response
-			with at least one answer RR.
-			This corresponds to the
-			<command>success</command> counter
-			of previous versions of
-			<acronym>BIND</acronym> 9.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryAuthAns</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries resulted in authoritative answer.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryNoauthAns</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SNaAns</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries resulted in non authoritative answer.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryReferral</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries resulted in referral answer.
-			This corresponds to the
-			<command>referral</command> counter
-			of previous versions of
-			<acronym>BIND</acronym> 9.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryNxrrset</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries resulted in NOERROR responses with no data.
-			This corresponds to the
-			<command>nxrrset</command> counter
-			of previous versions of
-			<acronym>BIND</acronym> 9.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QrySERVFAIL</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SFail</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries resulted in SERVFAIL.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryFORMERR</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SFErr</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries resulted in FORMERR.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryNXDOMAIN</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SNXD</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries resulted in NXDOMAIN.
-			This corresponds to the
-			<command>nxdomain</command> counter
-			of previous versions of
-			<acronym>BIND</acronym> 9.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryRecursion</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RFwdQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries which caused the server
-			to perform recursion in order to find the final answer.
-			This corresponds to the
-			<command>recursion</command> counter
-			of previous versions of
-			<acronym>BIND</acronym> 9.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryDuplicate</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RDupQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries which the server attempted to
-			recurse but discovered an existing query with the same
-			IP address, port, query ID, name, type and class
-			already being processed.
-			This corresponds to the
-			<command>duplicate</command> counter
-			of previous versions of
-			<acronym>BIND</acronym> 9.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryDropped</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Recursive queries for which the server
-			discovered an excessive number of existing
-			recursive queries for the same name, type and
-			class and were subsequently dropped.
-			This is the number of dropped queries due to
-			the reason explained with the
-			<command>clients-per-query</command>
-			and
-			<command>max-clients-per-query</command>
-			options
-			(see the description about
-			<xref linkend="clients-per-query"/>.)
-			This corresponds to the
-			<command>dropped</command> counter
-			of previous versions of
-			<acronym>BIND</acronym> 9.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryFailure</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Other query failures.
-			This corresponds to the
-			<command>failure</command> counter
-			of previous versions of
-			<acronym>BIND</acronym> 9.
-			Note: this counter is provided mainly for
-			backward compatibility with the previous versions.
-			Normally a more fine-grained counters such as
-			<command>AuthQryRej</command> and
-			<command>RecQryRej</command>
-			that would also fall into this counter are provided,
-			and so this counter would not be of much
-			interest in practice.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>XfrReqDone</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Requested zone transfers completed.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>UpdateReqFwd</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Update requests forwarded.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>UpdateRespFwd</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Update responses forwarded.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>UpdateFwdFail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Dynamic update forward failed.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>UpdateDone</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Dynamic updates completed.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>UpdateFail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Dynamic updates failed.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>UpdateBadPrereq</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Dynamic updates rejected due to prerequisite failure.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>RPZRewrites</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Response policy zone rewrites.
-		      </para>
-		    </entry>
-		  </row>
-		</tbody>
-              </tgroup>
-            </informaltable>
-          </sect3>
-
-	  <sect3>
-            <title>Zone Maintenance Statistics Counters</title>
-
-            <informaltable colsep="0" rowsep="0">
-              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-		<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
-		<colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
-		<tbody>
-		  <row>
-		    <entry colname="1">
-                      <para>
-			<emphasis>Symbol</emphasis>
-                      </para>
-		    </entry>
-		    <entry colname="2">
-                      <para>
-			<emphasis>Description</emphasis>
-                      </para>
-		    </entry>
-		  </row>
-
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>NotifyOutv4</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv4 notifies sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>NotifyOutv6</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv6 notifies sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>NotifyInv4</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv4 notifies received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>NotifyInv6</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv6 notifies received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>NotifyRej</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Incoming notifies rejected.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>SOAOutv4</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv4 SOA queries sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>SOAOutv6</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv6 SOA queries sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>AXFRReqv4</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv4 AXFR requested.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>AXFRReqv6</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv6 AXFR requested.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>IXFRReqv4</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv4 IXFR requested.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>IXFRReqv6</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			IPv6 IXFR requested.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>XfrSuccess</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Zone transfer requests succeeded.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>XfrFail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Zone transfer requests failed.
-		      </para>
-		    </entry>
-		  </row>
-		</tbody>
-              </tgroup>
-            </informaltable>
-	  </sect3>
-
-	  <sect3>
-            <title>Resolver Statistics Counters</title>
-
-            <informaltable colsep="0" rowsep="0">
-              <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-		<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
-		<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
-		<colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
-		<tbody>
-		  <row>
-		    <entry colname="1">
-                      <para>
-			<emphasis>Symbol</emphasis>
-                      </para>
-		    </entry>
-		    <entry colname="2">
-                      <para>
-			<emphasis>BIND8 Symbol</emphasis>
-                      </para>
-		    </entry>
-		    <entry colname="3">
-                      <para>
-			<emphasis>Description</emphasis>
-                      </para>
-		    </entry>
-		  </row>
-
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Queryv4</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SFwdQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv4 queries sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Queryv6</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SFwdQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv6 queries sent.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Responsev4</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RR</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv4 responses received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Responsev6</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RR</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv6 responses received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>NXDOMAIN</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RNXD</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			NXDOMAIN received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>SERVFAIL</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RFail</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			SERVFAIL received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>FORMERR</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RFErr</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			FORMERR received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>OtherError</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RErr</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Other errors received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>EDNS0Fail</command></para>
-						 </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			EDNS(0) query failures.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Mismatch</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RDupR</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Mismatch responses received.
-			The DNS ID, response's source address,
-			and/or the response's source port does not
-			match what was expected.
-			(The port must be 53 or as defined by
-			the <command>port</command> option.)
-			This may be an indication of a cache
-			poisoning attempt.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Truncated</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Truncated responses received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Lame</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>RLame</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Lame delegations received.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>Retry</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SDupQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Query retries performed.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QueryAbort</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Queries aborted due to quota control.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QuerySockFail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Failures in opening query sockets.
-			One common reason for such failures is a
-			failure of opening a new socket due to a
-			limitation on file descriptors.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QueryTimeout</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Query timeouts.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>GlueFetchv4</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SSysQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv4 NS address fetches invoked.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>GlueFetchv6</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command>SSysQ</command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv6 NS address fetches invoked.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>GlueFetchv4Fail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv4 NS address fetch failed.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>GlueFetchv6Fail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			IPv6 NS address fetch failed.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ValAttempt</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			DNSSEC validation attempted.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ValOk</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			DNSSEC validation succeeded.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ValNegOk</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			DNSSEC validation on negative information succeeded.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>ValFail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			DNSSEC validation failed.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>QryRTTnn</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para><command></command></para>
-		    </entry>
-		    <entry colname="3">
-		      <para>
-			Frequency table on round trip times (RTTs) of
-			queries.
-			Each <command>nn</command> specifies the corresponding
-			frequency.
-			In the sequence of
-			<command>nn_1</command>,
-			<command>nn_2</command>,
-			...,
-			<command>nn_m</command>,
-			the value of <command>nn_i</command> is the
-			number of queries whose RTTs are between
-			<command>nn_(i-1)</command> (inclusive) and
-			<command>nn_i</command> (exclusive) milliseconds.
-			For the sake of convenience we define
-			<command>nn_0</command> to be 0.
-			The last entry should be represented as
-			<command>nn_m+</command>, which means the
-			number of queries whose RTTs are equal to or over
-			<command>nn_m</command> milliseconds.
-		      </para>
-		    </entry>
-		  </row>
-		</tbody>
-              </tgroup>
-            </informaltable>
-
-	  </sect3>
-
-	  <sect3>
-            <title>Socket I/O Statistics Counters</title>
-
-	    <para>
-	      Socket I/O statistics counters are defined per socket
-	      types, which are
-	      <command>UDP4</command> (UDP/IPv4),
-	      <command>UDP6</command> (UDP/IPv6),
-	      <command>TCP4</command> (TCP/IPv4),
-	      <command>TCP6</command> (TCP/IPv6),
-	      <command>Unix</command> (Unix Domain), and
-	      <command>FDwatch</command> (sockets opened outside the
-	      socket module).
-	      In the following table <command>&lt;TYPE&gt;</command>
-	      represents a socket type.
-	      Not all counters are available for all socket types;
-	      exceptions are noted in the description field.
-	    </para>
-
-	    <informaltable colsep="0" rowsep="0">
-              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-		<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
-		<colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
-		<tbody>
-		  <row>
-		    <entry colname="1">
-                      <para>
-			<emphasis>Symbol</emphasis>
-                      </para>
-		    </entry>
-		    <entry colname="2">
-                      <para>
-			<emphasis>Description</emphasis>
-                      </para>
-		    </entry>
-		  </row>
-
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;Open</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Sockets opened successfully.
-			This counter is not applicable to the
-			<command>FDwatch</command> type.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;OpenFail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Failures of opening sockets.
-			This counter is not applicable to the
-			<command>FDwatch</command> type.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;Close</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Sockets closed.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;BindFail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Failures of binding sockets.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;ConnFail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Failures of connecting sockets.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;Conn</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Connections established successfully.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;AcceptFail</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Failures of accepting incoming connection requests.
-			This counter is not applicable to the
-			<command>UDP</command> and
-			<command>FDwatch</command> types.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;Accept</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Incoming connections successfully accepted.
-			This counter is not applicable to the
-			<command>UDP</command> and
-			<command>FDwatch</command> types.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;SendErr</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Errors in socket send operations.
-			This counter corresponds
-			to <command>SErr</command> counter of
-			<command>BIND</command> 8.
-		      </para>
-		    </entry>
-		  </row>
-		  <row rowsep="0">
-		    <entry colname="1">
-		      <para><command>&lt;TYPE&gt;RecvErr</command></para>
-		    </entry>
-		    <entry colname="2">
-		      <para>
-			Errors in socket receive operations.
-			This includes errors of send operations on a
-			connected UDP socket notified by an ICMP error
-			message.
-		      </para>
-		    </entry>
-		  </row>
-		</tbody>
-              </tgroup>
-	    </informaltable>
-	  </sect3>
-	  <sect3>
-            <title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title>
-	    <para>
-	      Most statistics counters that were available
-	      in <command>BIND</command> 8 are also supported in
-	      <command>BIND</command> 9 as shown in the above tables.
-	      Here are notes about other counters that do not appear
-	      in these tables.
-	    </para>
-
-            <variablelist>
-              <varlistentry>
-		<term><command>RFwdR,SFwdR</command></term>
-		<listitem>
-		  <para>
-		    These counters are not supported
-		    because <command>BIND</command> 9 does not adopt
-		    the notion of <emphasis>forwarding</emphasis>
-		    as <command>BIND</command> 8 did.
-		  </para>
-		</listitem>
-	      </varlistentry>
-
-              <varlistentry>
-		<term><command>RAXFR</command></term>
-		<listitem>
-		  <para>
-		    This counter is accessible in the Incoming Queries section.
-		  </para>
-		</listitem>
-	      </varlistentry>
-
-              <varlistentry>
-		<term><command>RIQ</command></term>
-		<listitem>
-		  <para>
-		    This counter is accessible in the Incoming Requests section.
-		  </para>
-		</listitem>
-	      </varlistentry>
-
-              <varlistentry>
-		<term><command>ROpts</command></term>
-		<listitem>
-		  <para>
-		    This counter is not supported
-		    because <command>BIND</command> 9 does not care
-		    about IP options in the first place.
-		  </para>
-		</listitem>
-	      </varlistentry>
-	    </variablelist>
-	  </sect3>
-        </sect2>
-      </sect1>
-
-    </chapter>
-    <chapter id="Bv9ARM.ch07">
-      <title><acronym>BIND</acronym> 9 Security Considerations</title>
-      <sect1 id="Access_Control_Lists">
-        <title>Access Control Lists</title>
-        <para>
-          Access Control Lists (ACLs) are address match lists that
-          you can set up and nickname for future use in <command>allow-notify</command>,
-          <command>allow-query</command>, <command>allow-query-on</command>,
-	  <command>allow-recursion</command>, <command>allow-recursion-on</command>,
-          <command>blackhole</command>, <command>allow-transfer</command>,
-          etc.
-        </para>
-        <para>
-          Using ACLs allows you to have finer control over who can access
-          your name server, without cluttering up your config files with huge
-          lists of IP addresses.
-        </para>
-        <para>
-          It is a <emphasis>good idea</emphasis> to use ACLs, and to
-          control access to your server. Limiting access to your server by
-          outside parties can help prevent spoofing and denial of service (DoS) attacks against
-          your server.
-        </para>
-        <para>
-          Here is an example of how to properly apply ACLs:
-        </para>
-
-<programlisting>
-// Set up an ACL named "bogusnets" that will block
-// RFC1918 space and some reserved space, which is
-// commonly used in spoofing attacks.
-acl bogusnets {
-        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
-        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
-};
-
-// Set up an ACL called our-nets. Replace this with the
-// real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; };
-options {
-  ...
-  ...
-  allow-query { our-nets; };
-  allow-recursion { our-nets; };
-  ...
-  blackhole { bogusnets; };
-  ...
-};
-
-zone "example.com" {
-  type master;
-  file "m/example.com";
-  allow-query { any; };
-};
-</programlisting>
-
-        <para>
-          This allows recursive queries of the server from the outside
-          unless recursion has been previously disabled.
-        </para>
-      </sect1>
-      <sect1>
-        <title><command>Chroot</command> and <command>Setuid</command></title>
-        <para>
-	  On UNIX servers, it is possible to run <acronym>BIND</acronym>
-	  in a <emphasis>chrooted</emphasis> environment (using
-	  the <command>chroot()</command> function) by specifying
-	  the "<option>-t</option>" option for <command>named</command>.
-	  This can help improve system security by placing
-	  <acronym>BIND</acronym> in a "sandbox", which will limit
-	  the damage done if a server is compromised.
-        </para>
-        <para>
-          Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
-          ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
-          We suggest running as an unprivileged user when using the <command>chroot</command> feature.
-        </para>
-        <para>
-          Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
-          <command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
-          user 202:
-        </para>
-        <para>
-          <userinput>/usr/local/sbin/named -u 202 -t /var/named</userinput>
-        </para>
-
-        <sect2>
-          <title>The <command>chroot</command> Environment</title>
-
-          <para>
-            In order for a <command>chroot</command> environment
-            to
-            work properly in a particular directory
-            (for example, <filename>/var/named</filename>),
-            you will need to set up an environment that includes everything
-            <acronym>BIND</acronym> needs to run.
-            From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
-            the root of the filesystem.  You will need to adjust the values of
-            options like
-            like <command>directory</command> and <command>pid-file</command> to account
-            for this.
-          </para>
-          <para>
-            Unlike with earlier versions of BIND, you typically will
-            <emphasis>not</emphasis> need to compile <command>named</command>
-            statically nor install shared libraries under the new root.
-            However, depending on your operating system, you may need
-            to set up things like
-            <filename>/dev/zero</filename>,
-            <filename>/dev/random</filename>,
-            <filename>/dev/log</filename>, and
-            <filename>/etc/localtime</filename>.
-          </para>
-        </sect2>
-
-        <sect2>
-          <title>Using the <command>setuid</command> Function</title>
-
-          <para>
-            Prior to running the <command>named</command> daemon,
-            use
-            the <command>touch</command> utility (to change file
-            access and
-            modification times) or the <command>chown</command>
-            utility (to
-            set the user id and/or group id) on files
-            to which you want <acronym>BIND</acronym>
-            to write.
-          </para>
-	  <note>
-	    Note that if the <command>named</command> daemon is running as an
-            unprivileged user, it will not be able to bind to new restricted
-            ports if the server is reloaded.
-	  </note>
-        </sect2>
-      </sect1>
-
-      <sect1 id="dynamic_update_security">
-        <title>Dynamic Update Security</title>
-
-        <para>
-          Access to the dynamic
-          update facility should be strictly limited.  In earlier versions of
-          <acronym>BIND</acronym>, the only way to do this was
-          based on the IP
-          address of the host requesting the update, by listing an IP address
-          or
-          network prefix in the <command>allow-update</command>
-          zone option.
-          This method is insecure since the source address of the update UDP
-          packet
-          is easily forged.  Also note that if the IP addresses allowed by the
-          <command>allow-update</command> option include the
-          address of a slave
-          server which performs forwarding of dynamic updates, the master can
-          be
-          trivially attacked by sending the update to the slave, which will
-          forward it to the master with its own source IP address causing the
-          master to approve it without question.
-        </para>
-
-        <para>
-          For these reasons, we strongly recommend that updates be
-          cryptographically authenticated by means of transaction signatures
-          (TSIG).  That is, the <command>allow-update</command>
-          option should
-          list only TSIG key names, not IP addresses or network
-          prefixes. Alternatively, the new <command>update-policy</command>
-          option can be used.
-        </para>
-
-        <para>
-          Some sites choose to keep all dynamically-updated DNS data
-          in a subdomain and delegate that subdomain to a separate zone. This
-          way, the top-level zone containing critical data such as the IP
-          addresses
-          of public web and mail servers need not allow dynamic update at
-          all.
-        </para>
-
-      </sect1>
-    </chapter>
-
-    <chapter id="Bv9ARM.ch08">
-      <title>Troubleshooting</title>
-      <sect1>
-        <title>Common Problems</title>
-        <sect2>
-          <title>It's not working; how can I figure out what's wrong?</title>
-
-          <para>
-            The best solution to solving installation and
-            configuration issues is to take preventative measures by setting
-            up logging files beforehand. The log files provide a
-            source of hints and information that can be used to figure out
-            what went wrong and how to fix the problem.
-          </para>
-
-        </sect2>
-      </sect1>
-      <sect1>
-        <title>Incrementing and Changing the Serial Number</title>
-
-	<para>
-	  Zone serial numbers are just numbers &mdash; they aren't
-	  date related.  A lot of people set them to a number that
-	  represents a date, usually of the form YYYYMMDDRR.
-	  Occasionally they will make a mistake and set them to a
-	  "date in the future" then try to correct them by setting
-	  them to the "current date".  This causes problems because
-	  serial numbers are used to indicate that a zone has been
-	  updated.  If the serial number on the slave server is
-	  lower than the serial number on the master, the slave
-	  server will attempt to update its copy of the zone.
-	</para>
-
-        <para>
-          Setting the serial number to a lower number on the master
-          server than the slave server means that the slave will not perform
-          updates to its copy of the zone.
-        </para>
-
-        <para>
-          The solution to this is to add 2147483647 (2^31-1) to the
-          number, reload the zone and make sure all slaves have updated to
-          the new zone serial number, then reset the number to what you want
-          it to be, and reload the zone again.
-        </para>
-
-      </sect1>
-      <sect1>
-        <title>Where Can I Get Help?</title>
-
-        <para>
-          The Internet Systems Consortium
-          (<acronym>ISC</acronym>) offers a wide range
-          of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
-          levels of premium support are available and each level includes
-          support for all <acronym>ISC</acronym> programs,
-          significant discounts on products
-          and training, and a recognized priority on bug fixes and
-          non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
-          support agreement package which includes services ranging from bug
-          fix announcements to remote support. It also includes training in
-          <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
-        </para>
-
-        <para>
-          To discuss arrangements for support, contact
-          <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
-          <acronym>ISC</acronym> web page at
-	  <ulink url="http://www.isc.org/services/support/"
-	             >http://www.isc.org/services/support/</ulink>
-          to read more.
-        </para>
-      </sect1>
-    </chapter>
-    <appendix id="Bv9ARM.ch09">
-      <title>Appendices</title>
-      <sect1>
-        <title>Acknowledgments</title>
-        <sect2 id="historical_dns_information">
-          <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
-
-          <para>
-            Although the "official" beginning of the Domain Name
-            System occurred in 1984 with the publication of RFC 920, the
-            core of the new system was described in 1983 in RFCs 882 and
-            883. From 1984 to 1987, the ARPAnet (the precursor to today's
-            Internet) became a testbed of experimentation for developing the
-            new naming/addressing scheme in a rapidly expanding,
-            operational network environment.  New RFCs were written and
-            published in 1987 that modified the original documents to
-            incorporate improvements based on the working model. RFC 1034,
-            "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
-            Names-Implementation and Specification" were published and
-            became the standards upon which all <acronym>DNS</acronym> implementations are
-            built.
-          </para>
-
-          <para>
-            The first working domain name server, called "Jeeves", was
-            written in 1983-84 by Paul Mockapetris for operation on DEC
-            Tops-20
-            machines located at the University of Southern California's
-            Information
-            Sciences Institute (USC-ISI) and SRI International's Network
-            Information
-            Center (SRI-NIC). A <acronym>DNS</acronym> server for
-            Unix machines, the Berkeley Internet
-            Name Domain (<acronym>BIND</acronym>) package, was
-            written soon after by a group of
-            graduate students at the University of California at Berkeley
-            under
-            a grant from the US Defense Advanced Research Projects
-            Administration
-            (DARPA).
-          </para>
-          <para>
-	    Versions of <acronym>BIND</acronym> through
-            4.8.3 were maintained by the Computer
-            Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-            Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
-            project team. After that, additional work on the software package
-            was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
-            Corporation
-            employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
-            to 1987. Many other people also contributed to <acronym>BIND</acronym> development
-            during that time: Doug Kingston, Craig Partridge, Smoot
-            Carl-Mitchell,
-            Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
-            handled by Mike Karels and &#216;ivind Kure.
-          </para>
-          <para>
-            <acronym>BIND</acronym> versions 4.9 and 4.9.1 were
-            released by Digital Equipment
-            Corporation (now Compaq Computer Corporation). Paul Vixie, then
-            a DEC employee, became <acronym>BIND</acronym>'s
-            primary caretaker. He was assisted
-            by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
-            Beecher, Andrew
-            Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-            Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-            Wolfhugel, and others.
-          </para>
-          <para>
-            In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
-            Vixie Enterprises. Paul
-            Vixie became <acronym>BIND</acronym>'s principal
-            architect/programmer.
-          </para>
-          <para>
-            <acronym>BIND</acronym> versions from 4.9.3 onward
-            have been developed and maintained
-            by the Internet Systems Consortium and its predecessor,
-            the Internet Software Consortium,  with support being provided
-            by ISC's sponsors.
-          </para>
-	  <para>
-	    As co-architects/programmers, Bob Halley and
-            Paul Vixie released the first production-ready version of
-	    <acronym>BIND</acronym> version 8 in May 1997.
-          </para>
-	  <para>
-	    BIND version 9 was released in September 2000 and is a
-	    major rewrite of nearly all aspects of the underlying
-	    BIND architecture.
-          </para>
-          <para>
-	    BIND versions 4 and 8 are officially deprecated.
-	    No additional development is done
-	    on BIND version 4 or BIND version 8.
-          </para>
-          <para>
-            <acronym>BIND</acronym> development work is made
-            possible today by the sponsorship
-            of several corporations, and by the tireless work efforts of
-            numerous individuals.
-          </para>
-        </sect2>
-      </sect1>
-      <sect1>
-        <title>General <acronym>DNS</acronym> Reference Information</title>
-        <sect2 id="ipv6addresses">
-          <title>IPv6 addresses (AAAA)</title>
-          <para>
-            IPv6 addresses are 128-bit identifiers for interfaces and
-            sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
-            scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
-            an identifier for a single interface;
-            <emphasis>Anycast</emphasis>,
-            an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
-            an identifier for a set of interfaces. Here we describe the global
-            Unicast address scheme. For more information, see RFC 3587,
-	    "Global Unicast Address Format."
-          </para>
-          <para>
-	    IPv6 unicast addresses consist of a
-	    <emphasis>global routing prefix</emphasis>, a
-	    <emphasis>subnet identifier</emphasis>, and an
-	    <emphasis>interface identifier</emphasis>.
-          </para>
-          <para>
-            The global routing prefix is provided by the
-            upstream provider or ISP, and (roughly) corresponds to the
-	    IPv4 <emphasis>network</emphasis> section
-            of the address range.
-
-	    The subnet identifier is for local subnetting, much the
-            same as subnetting an
-            IPv4 /16 network into /24 subnets.
-
-	    The interface identifier is the address of an individual
-            interface on a given network; in IPv6, addresses belong to
-            interfaces rather than to machines.
-          </para>
-          <para>
-            The subnetting capability of IPv6 is much more flexible than
-            that of IPv4: subnetting can be carried out on bit boundaries,
-            in much the same way as Classless InterDomain Routing
-            (CIDR), and the DNS PTR representation ("nibble" format)
-            makes setting up reverse zones easier.
-          </para>
-          <para>
-            The Interface Identifier must be unique on the local link,
-            and is usually generated automatically by the IPv6
-            implementation, although it is usually possible to
-            override the default setting if necessary.  A typical IPv6
-            address might look like:
-	    <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
-	  </para>
-          <para>
-            IPv6 address specifications often contain long strings
-            of zeros, so the architects have included a shorthand for
-            specifying
-            them. The double colon (`::') indicates the longest possible
-            string
-            of zeros that can fit, and can be used only once in an address.
-          </para>
-        </sect2>
-      </sect1>
-      <sect1 id="bibliography">
-        <title>Bibliography (and Suggested Reading)</title>
-        <sect2 id="rfcs">
-          <title>Request for Comments (RFCs)</title>
-          <para>
-            Specification documents for the Internet protocol suite, including
-            the <acronym>DNS</acronym>, are published as part of
-            the Request for Comments (RFCs)
-            series of technical notes. The standards themselves are defined
-            by the Internet Engineering Task Force (IETF) and the Internet
-            Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
-	  </para>
-	  <para>
-            <ulink url="ftp://www.isi.edu/in-notes/">
-	      ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
-	    </ulink>
-	  </para>
-	  <para>
-	    (where <replaceable>xxxx</replaceable> is
-            the number of the RFC). RFCs are also available via the Web at:
-	  </para>
-	  <para>
-            <ulink url="http://www.ietf.org/rfc/"
-	               >http://www.ietf.org/rfc/</ulink>.
-          </para>
-          <bibliography>
-            <bibliodiv>
-              <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
-              <title>Standards</title>
-              <biblioentry>
-                <abbrev>RFC974</abbrev>
-                <author>
-                  <surname>Partridge</surname>
-                  <firstname>C.</firstname>
-                </author>
-                <title>Mail Routing and the Domain System</title>
-                <pubdate>January 1986</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1034</abbrev>
-                <author>
-                  <surname>Mockapetris</surname>
-                  <firstname>P.V.</firstname>
-                </author>
-                <title>Domain Names &mdash; Concepts and Facilities</title>
-                <pubdate>November 1987</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1035</abbrev>
-                <author>
-                  <surname>Mockapetris</surname>
-                  <firstname>P. V.</firstname>
-                  </author> <title>Domain Names &mdash; Implementation and
-                  Specification</title>
-                <pubdate>November 1987</pubdate>
-              </biblioentry>
-            </bibliodiv>
-            <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
-
-              <title>Proposed Standards</title>
-              <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
-              <biblioentry>
-                <abbrev>RFC2181</abbrev>
-                <author>
-                  <surname>Elz</surname>
-                  <firstname>R., R. Bush</firstname>
-                </author>
-                <title>Clarifications to the <acronym>DNS</acronym>
-                  Specification</title>
-                <pubdate>July 1997</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2308</abbrev>
-                <author>
-                  <surname>Andrews</surname>
-                  <firstname>M.</firstname>
-                </author>
-                <title>Negative Caching of <acronym>DNS</acronym>
-                  Queries</title>
-                <pubdate>March 1998</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1995</abbrev>
-                <author>
-                  <surname>Ohta</surname>
-                  <firstname>M.</firstname>
-                </author>
-                <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
-                <pubdate>August 1996</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1996</abbrev>
-                <author>
-                  <surname>Vixie</surname>
-                  <firstname>P.</firstname>
-                </author>
-                <title>A Mechanism for Prompt Notification of Zone Changes</title>
-                <pubdate>August 1996</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2136</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Vixie</surname>
-                    <firstname>P.</firstname>
-                  </author>
-                  <author>
-                    <firstname>S.</firstname>
-                    <surname>Thomson</surname>
-                  </author>
-                  <author>
-                    <firstname>Y.</firstname>
-                    <surname>Rekhter</surname>
-                  </author>
-                  <author>
-                    <firstname>J.</firstname>
-                    <surname>Bound</surname>
-                  </author>
-                </authorgroup>
-                <title>Dynamic Updates in the Domain Name System</title>
-                <pubdate>April 1997</pubdate>
-              </biblioentry>
-	      <biblioentry>
-                <abbrev>RFC2671</abbrev>
-                <authorgroup>
-                  <author>
-                    <firstname>P.</firstname>
-                    <surname>Vixie</surname>
-                  </author>
-                </authorgroup>
-                <title>Extension Mechanisms for DNS (EDNS0)</title>
-                <pubdate>August 1997</pubdate>
-	      </biblioentry>
-	      <biblioentry>
-                <abbrev>RFC2672</abbrev>
-                <authorgroup>
-                  <author>
-                    <firstname>M.</firstname>
-                    <surname>Crawford</surname>
-                  </author>
-                </authorgroup>
-                <title>Non-Terminal DNS Name Redirection</title>
-                <pubdate>August 1999</pubdate>
-	      </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2845</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Vixie</surname>
-                    <firstname>P.</firstname>
-                  </author>
-                  <author>
-                    <firstname>O.</firstname>
-                    <surname>Gudmundsson</surname>
-                  </author>
-                  <author>
-                    <firstname>D.</firstname>
-                    <surname>Eastlake</surname>
-                    <lineage>3rd</lineage>
-                  </author>
-                  <author>
-                    <firstname>B.</firstname>
-                    <surname>Wellington</surname>
-                  </author>
-                </authorgroup>
-                <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
-                <pubdate>May 2000</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2930</abbrev>
-                <authorgroup>
-                  <author>
-                    <firstname>D.</firstname>
-                    <surname>Eastlake</surname>
-                    <lineage>3rd</lineage>
-                  </author>
-                </authorgroup>
-                <title>Secret Key Establishment for DNS (TKEY RR)</title>
-                <pubdate>September 2000</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2931</abbrev>
-                <authorgroup>
-                  <author>
-                    <firstname>D.</firstname>
-                    <surname>Eastlake</surname>
-                    <lineage>3rd</lineage>
-                  </author>
-                </authorgroup>
-                <title>DNS Request and Transaction Signatures (SIG(0)s)</title>
-                <pubdate>September 2000</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3007</abbrev>
-                <authorgroup>
-                  <author>
-                    <firstname>B.</firstname>
-                    <surname>Wellington</surname>
-                  </author>
-                </authorgroup>
-                <title>Secure Domain Name System (DNS) Dynamic Update</title>
-                <pubdate>November 2000</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3645</abbrev>
-                <authorgroup>
-                  <author>
-                    <firstname>S.</firstname>
-                    <surname>Kwan</surname>
-                  </author>
-                  <author>
-                    <firstname>P.</firstname>
-                    <surname>Garg</surname>
-                  </author>
-                  <author>
-                    <firstname>J.</firstname>
-                    <surname>Gilroy</surname>
-                  </author>
-                  <author>
-                    <firstname>L.</firstname>
-                    <surname>Esibov</surname>
-                  </author>
-                  <author>
-                    <firstname>J.</firstname>
-                    <surname>Westhead</surname>
-                  </author>
-                  <author>
-                    <firstname>R.</firstname>
-                    <surname>Hall</surname>
-                  </author>
-                </authorgroup>
-                <title>Generic Security Service Algorithm for Secret
-		       Key Transaction Authentication for DNS
-		       (GSS-TSIG)</title>
-                <pubdate>October 2003</pubdate>
-              </biblioentry>
-            </bibliodiv>
-	    <bibliodiv>
-	      <title><acronym>DNS</acronym> Security Proposed Standards</title>
-	      <biblioentry>
-		<abbrev>RFC3225</abbrev>
-	 	<authorgroup>
-		  <author>
-		    <firstname>D.</firstname>
-		    <surname>Conrad</surname>
-		  </author>
-	 	</authorgroup>
-		<title>Indicating Resolver Support of DNSSEC</title>
-		<pubdate>December 2001</pubdate>
-	      </biblioentry>
-	      <biblioentry>
-	        <abbrev>RFC3833</abbrev>
-	 	<authorgroup>
-		  <author>
-		    <firstname>D.</firstname>
-		    <surname>Atkins</surname>
-		  </author>
-		  <author>
-		    <firstname>R.</firstname>
-		    <surname>Austein</surname>
-		  </author>
-		</authorgroup>
-		<title>Threat Analysis of the Domain Name System (DNS)</title>
-		<pubdate>August 2004</pubdate>
-	      </biblioentry>
-	      <biblioentry>
-	        <abbrev>RFC4033</abbrev>
-	 	<authorgroup>
-		  <author>
-		    <firstname>R.</firstname>
-		    <surname>Arends</surname>
-		  </author>
-		  <author>
-		    <firstname>R.</firstname>
-		    <surname>Austein</surname>
-		  </author>
-		  <author>
-		    <firstname>M.</firstname>
-		    <surname>Larson</surname>
-		  </author>
-		  <author>
-		    <firstname>D.</firstname>
-		    <surname>Massey</surname>
-		  </author>
-		  <author>
-		    <firstname>S.</firstname>
-		    <surname>Rose</surname>
-		  </author>
-		</authorgroup>
-		<title>DNS Security Introduction and Requirements</title>
-		<pubdate>March 2005</pubdate>
-	      </biblioentry>
-	      <biblioentry>
-	        <abbrev>RFC4034</abbrev>
-	 	<authorgroup>
-		  <author>
-		    <firstname>R.</firstname>
-		    <surname>Arends</surname>
-		  </author>
-		  <author>
-		    <firstname>R.</firstname>
-		    <surname>Austein</surname>
-		  </author>
-		  <author>
-		    <firstname>M.</firstname>
-		    <surname>Larson</surname>
-		  </author>
-		  <author>
-		    <firstname>D.</firstname>
-		    <surname>Massey</surname>
-		  </author>
-		  <author>
-		    <firstname>S.</firstname>
-		    <surname>Rose</surname>
-		  </author>
-		</authorgroup>
-		<title>Resource Records for the DNS Security Extensions</title>
-		<pubdate>March 2005</pubdate>
-	      </biblioentry>
-	      <biblioentry>
-	        <abbrev>RFC4035</abbrev>
-	 	<authorgroup>
-		  <author>
-		    <firstname>R.</firstname>
-		    <surname>Arends</surname>
-		  </author>
-		  <author>
-		    <firstname>R.</firstname>
-		    <surname>Austein</surname>
-		  </author>
-		  <author>
-		    <firstname>M.</firstname>
-		    <surname>Larson</surname>
-		  </author>
-		  <author>
-		    <firstname>D.</firstname>
-		    <surname>Massey</surname>
-		  </author>
-		  <author>
-		    <firstname>S.</firstname>
-		    <surname>Rose</surname>
-		  </author>
-		</authorgroup>
-		<title>Protocol Modifications for the DNS
-		       Security Extensions</title>
-		<pubdate>March 2005</pubdate>
-	      </biblioentry>
-            </bibliodiv>
-            <bibliodiv>
-              <title>Other Important RFCs About <acronym>DNS</acronym>
-                Implementation</title>
-              <biblioentry>
-                <abbrev>RFC1535</abbrev>
-                <author>
-                  <surname>Gavron</surname>
-                  <firstname>E.</firstname>
-                </author>
-                <title>A Security Problem and Proposed Correction With Widely
-                  Deployed <acronym>DNS</acronym> Software.</title>
-                <pubdate>October 1993</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1536</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Kumar</surname>
-                    <firstname>A.</firstname>
-                  </author>
-                  <author>
-                    <firstname>J.</firstname>
-                    <surname>Postel</surname>
-                  </author>
-                  <author>
-                    <firstname>C.</firstname>
-                    <surname>Neuman</surname>
-                  </author>
-                  <author>
-                    <firstname>P.</firstname>
-                    <surname>Danzig</surname>
-                  </author>
-                  <author>
-                    <firstname>S.</firstname>
-                    <surname>Miller</surname>
-                  </author>
-                </authorgroup>
-                <title>Common <acronym>DNS</acronym> Implementation
-                  Errors and Suggested Fixes</title>
-                <pubdate>October 1993</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1982</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Elz</surname>
-                    <firstname>R.</firstname>
-                  </author>
-                  <author>
-                    <firstname>R.</firstname>
-                    <surname>Bush</surname>
-                  </author>
-                </authorgroup>
-                <title>Serial Number Arithmetic</title>
-                <pubdate>August 1996</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC4074</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Morishita</surname>
-                    <firstname>Y.</firstname>
-                  </author>
-                  <author>
-                    <firstname>T.</firstname>
-                    <surname>Jinmei</surname>
-                  </author>
-                </authorgroup>
-                <title>Common Misbehaviour Against <acronym>DNS</acronym>
-		Queries for IPv6 Addresses</title>
-                <pubdate>May 2005</pubdate>
-              </biblioentry>
-            </bibliodiv>
-            <bibliodiv>
-              <title>Resource Record Types</title>
-              <biblioentry>
-                <abbrev>RFC1183</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Everhart</surname>
-                    <firstname>C.F.</firstname>
-                  </author>
-                  <author>
-                    <firstname>L. A.</firstname>
-                    <surname>Mamakos</surname>
-                  </author>
-                  <author>
-                    <firstname>R.</firstname>
-                    <surname>Ullmann</surname>
-                  </author>
-                  <author>
-                    <firstname>P.</firstname>
-                    <surname>Mockapetris</surname>
-                  </author>
-                </authorgroup>
-                <title>New <acronym>DNS</acronym> RR Definitions</title>
-                <pubdate>October 1990</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1706</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Manning</surname>
-                    <firstname>B.</firstname>
-                  </author>
-                  <author>
-                    <firstname>R.</firstname>
-                    <surname>Colella</surname>
-                  </author>
-                </authorgroup>
-                <title><acronym>DNS</acronym> NSAP Resource Records</title>
-                <pubdate>October 1994</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2168</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Daniel</surname>
-                    <firstname>R.</firstname>
-                  </author>
-                  <author>
-                    <firstname>M.</firstname>
-                    <surname>Mealling</surname>
-                  </author>
-                </authorgroup>
-                <title>Resolution of Uniform Resource Identifiers using
-                  the Domain Name System</title>
-                <pubdate>June 1997</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1876</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Davis</surname>
-                    <firstname>C.</firstname>
-                  </author>
-                  <author>
-                    <firstname>P.</firstname>
-                    <surname>Vixie</surname>
-                  </author>
-                  <author>
-                    <firstname>T.</firstname>
-                    <firstname>Goodwin</firstname>
-                  </author>
-                  <author>
-                    <firstname>I.</firstname>
-                    <surname>Dickinson</surname>
-                  </author>
-                </authorgroup>
-                <title>A Means for Expressing Location Information in the
-                  Domain
-                  Name System</title>
-                <pubdate>January 1996</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2052</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Gulbrandsen</surname>
-                    <firstname>A.</firstname>
-                  </author>
-                  <author>
-                    <firstname>P.</firstname>
-                    <surname>Vixie</surname>
-                  </author>
-                </authorgroup>
-                <title>A <acronym>DNS</acronym> RR for Specifying the
-                  Location of
-                  Services.</title>
-                <pubdate>October 1996</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2163</abbrev>
-                <author>
-                  <surname>Allocchio</surname>
-                  <firstname>A.</firstname>
-                </author>
-                <title>Using the Internet <acronym>DNS</acronym> to
-                  Distribute MIXER
-                  Conformant Global Address Mapping</title>
-                <pubdate>January 1998</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2230</abbrev>
-                <author>
-                  <surname>Atkinson</surname>
-                  <firstname>R.</firstname>
-                </author>
-                <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
-                <pubdate>October 1997</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2536</abbrev>
-                <author>
-                  <surname>Eastlake</surname>
-                  <firstname>D.</firstname>
-                  <lineage>3rd</lineage>
-                </author>
-                <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
-                <pubdate>March 1999</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2537</abbrev>
-                <author>
-                  <surname>Eastlake</surname>
-                  <firstname>D.</firstname>
-                  <lineage>3rd</lineage>
-                </author>
-                <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
-                <pubdate>March 1999</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2538</abbrev>
-		<authorgroup>
-                  <author>
-                    <surname>Eastlake</surname>
-                    <firstname>D.</firstname>
-                    <lineage>3rd</lineage>
-                  </author>
-		  <author>
-		    <surname>Gudmundsson</surname>
-		    <firstname>O.</firstname>
-		  </author>
-		</authorgroup>
-                <title>Storing Certificates in the Domain Name System (DNS)</title>
-                <pubdate>March 1999</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2539</abbrev>
-		<authorgroup>
-                  <author>
-                    <surname>Eastlake</surname>
-                    <firstname>D.</firstname>
-                    <lineage>3rd</lineage>
-                  </author>
-		</authorgroup>
-                <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
-                <pubdate>March 1999</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2540</abbrev>
-		<authorgroup>
-                  <author>
-                    <surname>Eastlake</surname>
-                    <firstname>D.</firstname>
-                    <lineage>3rd</lineage>
-                  </author>
-		</authorgroup>
-                <title>Detached Domain Name System (DNS) Information</title>
-                <pubdate>March 1999</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2782</abbrev>
-                <author>
-                  <surname>Gulbrandsen</surname>
-                  <firstname>A.</firstname>
-                </author>
-                <author>
-                  <surname>Vixie</surname>
-                  <firstname>P.</firstname>
-                </author>
-                <author>
-                  <surname>Esibov</surname>
-                  <firstname>L.</firstname>
-                </author>
-                <title>A DNS RR for specifying the location of services (DNS SRV)</title>
-                <pubdate>February 2000</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2915</abbrev>
-                <author>
-                  <surname>Mealling</surname>
-                  <firstname>M.</firstname>
-                </author>
-                <author>
-                  <surname>Daniel</surname>
-                  <firstname>R.</firstname>
-                </author>
-                <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
-                <pubdate>September 2000</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3110</abbrev>
-                <author>
-                    <surname>Eastlake</surname>
-                    <firstname>D.</firstname>
-                    <lineage>3rd</lineage>
-                </author>
-                <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
-                <pubdate>May 2001</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3123</abbrev>
-                <author>
-                  <surname>Koch</surname>
-                  <firstname>P.</firstname>
-                </author>
-                <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
-                <pubdate>June 2001</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3596</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Thomson</surname>
-                    <firstname>S.</firstname>
-                  </author>
-                  <author>
-                    <firstname>C.</firstname>
-                    <surname>Huitema</surname>
-                  </author>
-                  <author>
-                    <firstname>V.</firstname>
-                    <surname>Ksinant</surname>
-                  </author>
-                  <author>
-                    <firstname>M.</firstname>
-                    <surname>Souissi</surname>
-                  </author>
-                </authorgroup>
-                <title><acronym>DNS</acronym> Extensions to support IP
-                  version 6</title>
-                <pubdate>October 2003</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3597</abbrev>
-                <author>
-                  <surname>Gustafsson</surname>
-                  <firstname>A.</firstname>
-                </author>
-                <title>Handling of Unknown DNS Resource Record (RR) Types</title>
-                <pubdate>September 2003</pubdate>
-              </biblioentry>
-            </bibliodiv>
-            <bibliodiv>
-              <title><acronym>DNS</acronym> and the Internet</title>
-              <biblioentry>
-                <abbrev>RFC1101</abbrev>
-                <author>
-                  <surname>Mockapetris</surname>
-                  <firstname>P. V.</firstname>
-                </author>
-                <title><acronym>DNS</acronym> Encoding of Network Names
-                  and Other Types</title>
-                <pubdate>April 1989</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1123</abbrev>
-                <author>
-                  <surname>Braden</surname>
-                  <surname>R.</surname>
-                </author>
-                <title>Requirements for Internet Hosts - Application and
-                  Support</title>
-                <pubdate>October 1989</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1591</abbrev>
-                <author>
-                  <surname>Postel</surname>
-                  <firstname>J.</firstname>
-                </author>
-                <title>Domain Name System Structure and Delegation</title>
-                <pubdate>March 1994</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2317</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Eidnes</surname>
-                    <firstname>H.</firstname>
-                  </author>
-                  <author>
-                    <firstname>G.</firstname>
-                    <surname>de Groot</surname>
-                  </author>
-                  <author>
-                    <firstname>P.</firstname>
-                    <surname>Vixie</surname>
-                  </author>
-                </authorgroup>
-                <title>Classless IN-ADDR.ARPA Delegation</title>
-                <pubdate>March 1998</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2826</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Internet Architecture Board</surname>
-                  </author>
-                </authorgroup>
-                <title>IAB Technical Comment on the Unique DNS Root</title>
-                <pubdate>May 2000</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2929</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Eastlake</surname>
-                    <firstname>D.</firstname>
-                    <lineage>3rd</lineage>
-                  </author>
-                  <author>
-                    <surname>Brunner-Williams</surname>
-                    <firstname>E.</firstname>
-                  </author>
-                  <author>
-                    <surname>Manning</surname>
-                    <firstname>B.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Domain Name System (DNS) IANA Considerations</title>
-                <pubdate>September 2000</pubdate>
-              </biblioentry>
-            </bibliodiv>
-            <bibliodiv>
-              <title><acronym>DNS</acronym> Operations</title>
-              <biblioentry>
-                <abbrev>RFC1033</abbrev>
-                <author>
-                  <surname>Lottor</surname>
-                  <firstname>M.</firstname>
-                </author>
-                <title>Domain administrators operations guide.</title>
-                <pubdate>November 1987</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1537</abbrev>
-                <author>
-                  <surname>Beertema</surname>
-                  <firstname>P.</firstname>
-                </author>
-                <title>Common <acronym>DNS</acronym> Data File
-                  Configuration Errors</title>
-                <pubdate>October 1993</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1912</abbrev>
-                <author>
-                  <surname>Barr</surname>
-                  <firstname>D.</firstname>
-                </author>
-                <title>Common <acronym>DNS</acronym> Operational and
-                  Configuration Errors</title>
-                <pubdate>February 1996</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2010</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Manning</surname>
-                    <firstname>B.</firstname>
-                  </author>
-                  <author>
-                    <firstname>P.</firstname>
-                    <surname>Vixie</surname>
-                  </author>
-                </authorgroup>
-                <title>Operational Criteria for Root Name Servers.</title>
-                <pubdate>October 1996</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2219</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Hamilton</surname>
-                    <firstname>M.</firstname>
-                  </author>
-                  <author>
-                    <firstname>R.</firstname>
-                    <surname>Wright</surname>
-                  </author>
-                </authorgroup>
-                <title>Use of <acronym>DNS</acronym> Aliases for
-                  Network Services.</title>
-                <pubdate>October 1997</pubdate>
-              </biblioentry>
-            </bibliodiv>
-	    <bibliodiv>
-              <title>Internationalized Domain Names</title>
-              <biblioentry>
-                <abbrev>RFC2825</abbrev>
-		<authorgroup>
-                  <author>
-                    <surname>IAB</surname>
-                  </author>
-                  <author>
-                    <surname>Daigle</surname>
-                    <firstname>R.</firstname>
-                  </author>
-		</authorgroup>
-                <title>A Tangled Web: Issues of I18N, Domain Names,
-		       and the Other Internet protocols</title>
-                <pubdate>May 2000</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3490</abbrev>
-		<authorgroup>
-                  <author>
-                    <surname>Faltstrom</surname>
-                    <firstname>P.</firstname>
-                  </author>
-                  <author>
-                    <surname>Hoffman</surname>
-                    <firstname>P.</firstname>
-                  </author>
-                  <author>
-                    <surname>Costello</surname>
-                    <firstname>A.</firstname>
-                  </author>
-		</authorgroup>
-                <title>Internationalizing Domain Names in Applications (IDNA)</title>
-                <pubdate>March 2003</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3491</abbrev>
-		<authorgroup>
-                  <author>
-                    <surname>Hoffman</surname>
-                    <firstname>P.</firstname>
-                  </author>
-                  <author>
-                    <surname>Blanchet</surname>
-                    <firstname>M.</firstname>
-                  </author>
-		</authorgroup>
-                <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
-                <pubdate>March 2003</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3492</abbrev>
-		<authorgroup>
-                  <author>
-                    <surname>Costello</surname>
-                    <firstname>A.</firstname>
-                  </author>
-		</authorgroup>
-                <title>Punycode: A Bootstring encoding of Unicode
-		       for Internationalized Domain Names in
-		       Applications (IDNA)</title>
-                <pubdate>March 2003</pubdate>
-              </biblioentry>
-	    </bibliodiv>
-            <bibliodiv>
-              <title>Other <acronym>DNS</acronym>-related RFCs</title>
-              <note>
-                <para>
-                  Note: the following list of RFCs, although
-                  <acronym>DNS</acronym>-related, are not
-                  concerned with implementing software.
-                </para>
-              </note>
-              <biblioentry>
-                <abbrev>RFC1464</abbrev>
-                <author>
-                  <surname>Rosenbaum</surname>
-                  <firstname>R.</firstname>
-                </author>
-                <title>Using the Domain Name System To Store Arbitrary String
-                  Attributes</title>
-                <pubdate>May 1993</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1713</abbrev>
-                <author>
-                  <surname>Romao</surname>
-                  <firstname>A.</firstname>
-                </author>
-                <title>Tools for <acronym>DNS</acronym> Debugging</title>
-                <pubdate>November 1994</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC1794</abbrev>
-                <author>
-                  <surname>Brisco</surname>
-                  <firstname>T.</firstname>
-                </author>
-                <title><acronym>DNS</acronym> Support for Load
-                  Balancing</title>
-                <pubdate>April 1995</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2240</abbrev>
-                <author>
-                  <surname>Vaughan</surname>
-                  <firstname>O.</firstname>
-                </author>
-                <title>A Legal Basis for Domain Name Allocation</title>
-                <pubdate>November 1997</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2345</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Klensin</surname>
-                    <firstname>J.</firstname>
-                  </author>
-                  <author>
-                    <firstname>T.</firstname>
-                    <surname>Wolf</surname>
-                  </author>
-                  <author>
-                    <firstname>G.</firstname>
-                    <surname>Oglesby</surname>
-                  </author>
-                </authorgroup>
-                <title>Domain Names and Company Name Retrieval</title>
-                <pubdate>May 1998</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2352</abbrev>
-                <author>
-                  <surname>Vaughan</surname>
-                  <firstname>O.</firstname>
-                </author>
-                <title>A Convention For Using Legal Names as Domain Names</title>
-                <pubdate>May 1998</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3071</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Klensin</surname>
-                    <firstname>J.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
-                <pubdate>February 2001</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3258</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Hardie</surname>
-                    <firstname>T.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Distributing Authoritative Name Servers via
-		       Shared Unicast Addresses</title>
-                <pubdate>April 2002</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3901</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Durand</surname>
-                    <firstname>A.</firstname>
-                  </author>
-                  <author>
-                    <firstname>J.</firstname>
-                    <surname>Ihren</surname>
-                  </author>
-                </authorgroup>
-                <title>DNS IPv6 Transport Operational Guidelines</title>
-                <pubdate>September 2004</pubdate>
-              </biblioentry>
-            </bibliodiv>
-            <bibliodiv>
-              <title>Obsolete and Unimplemented Experimental RFC</title>
-              <biblioentry>
-                <abbrev>RFC1712</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Farrell</surname>
-                    <firstname>C.</firstname>
-                  </author>
-                  <author>
-                    <firstname>M.</firstname>
-                    <surname>Schulze</surname>
-                  </author>
-                  <author>
-                    <firstname>S.</firstname>
-                    <surname>Pleitner</surname>
-                  </author>
-                  <author>
-                    <firstname>D.</firstname>
-                    <surname>Baldoni</surname>
-                  </author>
-                </authorgroup>
-                <title><acronym>DNS</acronym> Encoding of Geographical
-                  Location</title>
-                <pubdate>November 1994</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2673</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Crawford</surname>
-                    <firstname>M.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Binary Labels in the Domain Name System</title>
-                <pubdate>August 1999</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2874</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Crawford</surname>
-                    <firstname>M.</firstname>
-                  </author>
-                  <author>
-                    <surname>Huitema</surname>
-                    <firstname>C.</firstname>
-                  </author>
-                </authorgroup>
-                <title>DNS Extensions to Support IPv6 Address Aggregation
-		       and Renumbering</title>
-                <pubdate>July 2000</pubdate>
-              </biblioentry>
-            </bibliodiv>
-            <bibliodiv>
-              <title>Obsoleted DNS Security RFCs</title>
-	      <note>
-		<para>
-		  Most of these have been consolidated into RFC4033,
-		  RFC4034 and RFC4035 which collectively describe DNSSECbis.
-		</para>
-	      </note>
-              <biblioentry>
-                <abbrev>RFC2065</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Eastlake</surname>
-                    <lineage>3rd</lineage>
-                    <firstname>D.</firstname>
-                  </author>
-                  <author>
-                    <firstname>C.</firstname>
-                    <surname>Kaufman</surname>
-                  </author>
-                </authorgroup>
-                <title>Domain Name System Security Extensions</title>
-                <pubdate>January 1997</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2137</abbrev>
-                <author>
-                  <surname>Eastlake</surname>
-                  <lineage>3rd</lineage>
-                  <firstname>D.</firstname>
-                </author>
-                <title>Secure Domain Name System Dynamic Update</title>
-                <pubdate>April 1997</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC2535</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Eastlake</surname>
-                    <lineage>3rd</lineage>
-                    <firstname>D.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Domain Name System Security Extensions</title>
-                <pubdate>March 1999</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3008</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Wellington</surname>
-                    <firstname>B.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Domain Name System Security (DNSSEC)
-		       Signing Authority</title>
-                <pubdate>November 2000</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3090</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Lewis</surname>
-                    <firstname>E.</firstname>
-                  </author>
-                </authorgroup>
-                <title>DNS Security Extension Clarification on Zone Status</title>
-                <pubdate>March 2001</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3445</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Massey</surname>
-                    <firstname>D.</firstname>
-                  </author>
-                  <author>
-                    <surname>Rose</surname>
-                    <firstname>S.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Limiting the Scope of the KEY Resource Record (RR)</title>
-                <pubdate>December 2002</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3655</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Wellington</surname>
-                    <firstname>B.</firstname>
-                  </author>
-                  <author>
-                    <surname>Gudmundsson</surname>
-                    <firstname>O.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Redefinition of DNS Authenticated Data (AD) bit</title>
-                <pubdate>November 2003</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3658</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Gudmundsson</surname>
-                    <firstname>O.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Delegation Signer (DS) Resource Record (RR)</title>
-                <pubdate>December 2003</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3755</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Weiler</surname>
-                    <firstname>S.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
-                <pubdate>May 2004</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3757</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Kolkman</surname>
-                    <firstname>O.</firstname>
-                  </author>
-                  <author>
-                    <surname>Schlyter</surname>
-                    <firstname>J.</firstname>
-                  </author>
-                  <author>
-                    <surname>Lewis</surname>
-                    <firstname>E.</firstname>
-                  </author>
-                </authorgroup>
-                <title>Domain Name System KEY (DNSKEY) Resource Record
-		      (RR) Secure Entry Point (SEP) Flag</title>
-                <pubdate>April 2004</pubdate>
-              </biblioentry>
-              <biblioentry>
-                <abbrev>RFC3845</abbrev>
-                <authorgroup>
-                  <author>
-                    <surname>Schlyter</surname>
-                    <firstname>J.</firstname>
-                  </author>
-                </authorgroup>
-                <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
-                <pubdate>August 2004</pubdate>
-              </biblioentry>
-            </bibliodiv>
-          </bibliography>
-        </sect2>
-        <sect2 id="internet_drafts">
-          <title>Internet Drafts</title>
-          <para>
-            Internet Drafts (IDs) are rough-draft working documents of
-            the Internet Engineering Task Force. They are, in essence, RFCs
-            in the preliminary stages of development. Implementors are
-            cautioned not
-            to regard IDs as archival, and they should not be quoted or cited
-            in any formal documents unless accompanied by the disclaimer that
-            they are "works in progress." IDs have a lifespan of six months
-            after which they are deleted unless updated by their authors.
-          </para>
-        </sect2>
-        <sect2>
-          <title>Other Documents About <acronym>BIND</acronym></title>
-          <para/>
-          <bibliography>
-            <biblioentry>
-              <authorgroup>
-                <author>
-                  <surname>Albitz</surname>
-                  <firstname>Paul</firstname>
-                </author>
-                <author>
-                  <firstname>Cricket</firstname>
-                  <surname>Liu</surname>
-                </author>
-              </authorgroup>
-              <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
-              <copyright>
-                <year>1998</year>
-                <holder>Sebastopol, CA: O'Reilly and Associates</holder>
-              </copyright>
-            </biblioentry>
-          </bibliography>
-        </sect2>
-      </sect1>
-
-      <xi:include href="libdns.xml"/>
-
-    </appendix>
-
-
-    <reference id="Bv9ARM.ch10">
-      <title>Manual pages</title>
-      <xi:include href="../../bin/dig/dig.docbook"/>
-      <xi:include href="../../bin/dig/host.docbook"/>
-      <xi:include href="../../bin/python/dnssec-checkds.docbook"/>
-      <xi:include href="../../bin/python/dnssec-coverage.docbook"/>
-      <xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>
-      <xi:include href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/>
-      <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
-      <xi:include href="../../bin/dnssec/dnssec-revoke.docbook"/>
-      <xi:include href="../../bin/dnssec/dnssec-settime.docbook"/>
-      <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
-      <xi:include href="../../bin/dnssec/dnssec-verify.docbook"/>
-      <xi:include href="../../bin/check/named-checkconf.docbook"/>
-      <xi:include href="../../bin/check/named-checkzone.docbook"/>
-      <xi:include href="../../bin/named/named.docbook"/>
-      <xi:include href="../../bin/tools/named-journalprint.docbook"/>
-      <!-- named.conf.docbook and others? -->
-      <xi:include href="../../bin/nsupdate/nsupdate.docbook"/>
-      <xi:include href="../../bin/rndc/rndc.docbook"/>
-      <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
-      <xi:include href="../../bin/confgen/rndc-confgen.docbook"/>
-      <xi:include href="../../bin/confgen/ddns-confgen.docbook"/>
-      <xi:include href="../../bin/tools/arpaname.docbook"/>
-      <xi:include href="../../bin/tools/genrandom.docbook"/>
-      <xi:include href="../../bin/tools/isc-hmac-fixup.docbook"/>
-      <xi:include href="../../bin/tools/nsec3hash.docbook"/>
-    </reference>
-
-  </book>
-
-<!--
-  - Local variables:
-  - mode: sgml
-  - End:
- -->
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch01.html b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
deleted file mode 100644
index 39211c7..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch01.html
+++ /dev/null
@@ -1,562 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 1. Introduction</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 1. Introduction</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564378">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564402">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564541">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564723">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564744">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564846">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567184">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567260">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567433">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567563">Name Servers in Multiple Roles</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<p>
-      The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
-      consists of the syntax
-      to specify the names of entities in the Internet in a hierarchical
-      manner, the rules used for delegating authority over names, and the
-      system implementation that actually maps names to Internet
-      addresses.  <acronym class="acronym">DNS</acronym> data is maintained in a
-      group of distributed
-      hierarchical databases.
-    </p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564378"></a>Scope of Document</h2></div></div></div>
-<p>
-        The Berkeley Internet Name Domain
-        (<acronym class="acronym">BIND</acronym>) implements a
-        domain name server for a number of operating systems. This
-        document provides basic information about the installation and
-        care of the Internet Systems Consortium (<acronym class="acronym">ISC</acronym>)
-        <acronym class="acronym">BIND</acronym> version 9 software package for
-        system administrators.
-      </p>
-<p>
-        This version of the manual corresponds to BIND version 9.9.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564402"></a>Organization of This Document</h2></div></div></div>
-<p>
-        In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
-        the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
-        describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
-        environments. Information in <span class="emphasis"><em>Chapter 3</em></span> is
-        <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
-        organized functionally, to aid in the process of installing the
-        <acronym class="acronym">BIND</acronym> 9 software. The task-oriented
-        section is followed by
-        <span class="emphasis"><em>Chapter 4</em></span>, which contains more advanced
-        concepts that the system administrator may need for implementing
-        certain options. <span class="emphasis"><em>Chapter 5</em></span>
-        describes the <acronym class="acronym">BIND</acronym> 9 lightweight
-        resolver.  The contents of <span class="emphasis"><em>Chapter 6</em></span> are
-        organized as in a reference manual to aid in the ongoing
-        maintenance of the software. <span class="emphasis"><em>Chapter 7</em></span> addresses
-        security considerations, and
-        <span class="emphasis"><em>Chapter 8</em></span> contains troubleshooting help. The
-        main body of the document is followed by several
-        <span class="emphasis"><em>appendices</em></span> which contain useful reference
-        information, such as a <span class="emphasis"><em>bibliography</em></span> and
-        historic information related to <acronym class="acronym">BIND</acronym>
-        and the Domain Name
-        System.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564541"></a>Conventions Used in This Document</h2></div></div></div>
-<p>
-        In this document, we use the following general typographic
-        conventions:
-      </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                <p>
-                  <span class="emphasis"><em>To describe:</em></span>
-                </p>
-              </td>
-<td>
-                <p>
-                  <span class="emphasis"><em>We use the style:</em></span>
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  a pathname, filename, URL, hostname,
-                  mailing list name, or new term or concept
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="filename">Fixed width</code>
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  literal user
-                  input
-                </p>
-              </td>
-<td>
-                <p>
-                  <strong class="userinput"><code>Fixed Width Bold</code></strong>
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  program output
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="computeroutput">Fixed Width</code>
-                </p>
-              </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-        The following conventions are used in descriptions of the
-        <acronym class="acronym">BIND</acronym> configuration file:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                  <p>
-                    <span class="emphasis"><em>To describe:</em></span>
-                  </p>
-                </td>
-<td>
-                  <p>
-                    <span class="emphasis"><em>We use the style:</em></span>
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>
-                    keywords
-                  </p>
-                </td>
-<td>
-                  <p>
-                    <code class="literal">Fixed Width</code>
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>
-                    variables
-                  </p>
-                </td>
-<td>
-                  <p>
-                    <code class="varname">Fixed Width</code>
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>
-                    Optional input
-                  </p>
-                </td>
-<td>
-                  <p>
-                    [<span class="optional">Text is enclosed in square brackets</span>]
-                  </p>
-                </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564723"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
-<p>
-        The purpose of this document is to explain the installation
-        and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
-        Name Domain) software package, and we
-        begin by reviewing the fundamentals of the Domain Name System
-        (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
-      </p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564744"></a>DNS Fundamentals</h3></div></div></div>
-<p>
-          The Domain Name System (DNS) is a hierarchical, distributed
-          database.  It stores information for mapping Internet host names to
-          IP
-          addresses and vice versa, mail routing information, and other data
-          used by Internet applications.
-        </p>
-<p>
-          Clients look up information in the DNS by calling a
-          <span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
-          more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
-          The <acronym class="acronym">BIND</acronym> 9 software distribution
-          contains a
-          name server, <span><strong class="command">named</strong></span>, and a resolver
-          library, <span><strong class="command">liblwres</strong></span>.  The older
-          <span><strong class="command">libbind</strong></span> resolver library is also available
-          from ISC as a separate download.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564846"></a>Domains and Domain Names</h3></div></div></div>
-<p>
-          The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
-          organizational or administrative boundaries. Each node of the tree,
-          called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
-          name of the
-          node is the concatenation of all the labels on the path from the
-          node to the <span class="emphasis"><em>root</em></span> node.  This is represented
-          in written form as a string of labels listed from right to left and
-          separated by dots. A label need only be unique within its parent
-          domain.
-        </p>
-<p>
-          For example, a domain name for a host at the
-          company <span class="emphasis"><em>Example, Inc.</em></span> could be
-          <code class="literal">ourhost.example.com</code>,
-          where <code class="literal">com</code> is the
-          top level domain to which
-          <code class="literal">ourhost.example.com</code> belongs,
-          <code class="literal">example</code> is
-          a subdomain of <code class="literal">com</code>, and
-          <code class="literal">ourhost</code> is the
-          name of the host.
-        </p>
-<p>
-          For administrative purposes, the name space is partitioned into
-          areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
-          extending down to the leaf nodes or to nodes where other zones
-          start.
-          The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
-          <span class="emphasis"><em>DNS protocol</em></span>.
-        </p>
-<p>
-          The data associated with each domain name is stored in the
-          form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
-          Some of the supported resource record types are described in
-          <a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
-        </p>
-<p>
-          For more detailed information about the design of the DNS and
-          the DNS protocol, please refer to the standards documents listed in
-          <a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567184"></a>Zones</h3></div></div></div>
-<p>
-          To properly operate a name server, it is important to understand
-          the difference between a <span class="emphasis"><em>zone</em></span>
-          and a <span class="emphasis"><em>domain</em></span>.
-        </p>
-<p>
-          As stated previously, a zone is a point of delegation in
-          the <acronym class="acronym">DNS</acronym> tree. A zone consists of
-          those contiguous parts of the domain
-          tree for which a name server has complete information and over which
-          it has authority. It contains all domain names from a certain point
-          downward in the domain tree except those which are delegated to
-          other zones. A delegation point is marked by one or more
-          <span class="emphasis"><em>NS records</em></span> in the
-          parent zone, which should be matched by equivalent NS records at
-          the root of the delegated zone.
-        </p>
-<p>
-          For instance, consider the <code class="literal">example.com</code>
-          domain which includes names
-          such as <code class="literal">host.aaa.example.com</code> and
-          <code class="literal">host.bbb.example.com</code> even though
-          the <code class="literal">example.com</code> zone includes
-          only delegations for the <code class="literal">aaa.example.com</code> and
-          <code class="literal">bbb.example.com</code> zones.  A zone can
-          map
-          exactly to a single domain, but could also include only part of a
-          domain, the rest of which could be delegated to other
-          name servers. Every name in the <acronym class="acronym">DNS</acronym>
-          tree is a
-          <span class="emphasis"><em>domain</em></span>, even if it is
-          <span class="emphasis"><em>terminal</em></span>, that is, has no
-          <span class="emphasis"><em>subdomains</em></span>.  Every subdomain is a domain and
-          every domain except the root is also a subdomain. The terminology is
-          not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
-          to
-          gain a complete understanding of this difficult and subtle
-          topic.
-        </p>
-<p>
-          Though <acronym class="acronym">BIND</acronym> is called a "domain name
-          server",
-          it deals primarily in terms of zones. The master and slave
-          declarations in the <code class="filename">named.conf</code> file
-          specify
-          zones, not domains. When you ask some other site if it is willing to
-          be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
-          actually asking for slave service for some collection of zones.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567260"></a>Authoritative Name Servers</h3></div></div></div>
-<p>
-          Each zone is served by at least
-          one <span class="emphasis"><em>authoritative name server</em></span>,
-          which contains the complete data for the zone.
-          To make the DNS tolerant of server and network failures,
-          most zones have two or more authoritative servers, on
-          different networks.
-        </p>
-<p>
-          Responses from authoritative servers have the "authoritative
-          answer" (AA) bit set in the response packets.  This makes them
-          easy to identify when debugging DNS configurations using tools like
-          <span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).
-        </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567284"></a>The Primary Master</h4></div></div></div>
-<p>
-            The authoritative server where the master copy of the zone
-            data is maintained is called the
-            <span class="emphasis"><em>primary master</em></span> server, or simply the
-            <span class="emphasis"><em>primary</em></span>.  Typically it loads the zone
-            contents from some local file edited by humans or perhaps
-            generated mechanically from some other local file which is
-            edited by humans.  This file is called the
-            <span class="emphasis"><em>zone file</em></span> or
-            <span class="emphasis"><em>master file</em></span>.
-          </p>
-<p>
-            In some cases, however, the master file may not be edited
-            by humans at all, but may instead be the result of
-            <span class="emphasis"><em>dynamic update</em></span> operations.
-          </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567382"></a>Slave Servers</h4></div></div></div>
-<p>
-            The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
-            servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
-            load
-            the zone contents from another server using a replication process
-            known as a <span class="emphasis"><em>zone transfer</em></span>.  Typically the data
-            are
-            transferred directly from the primary master, but it is also
-            possible
-            to transfer it from another slave.  In other words, a slave server
-            may itself act as a master to a subordinate slave server.
-          </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567403"></a>Stealth Servers</h4></div></div></div>
-<p>
-            Usually all of the zone's authoritative servers are listed in
-            NS records in the parent zone.  These NS records constitute
-            a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
-            The authoritative servers are also listed in the zone file itself,
-            at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
-            of the zone.  You can list servers in the zone's top-level NS
-            records that are not in the parent's NS delegation, but you cannot
-            list servers in the parent's delegation that are not present at
-            the zone's top level.
-          </p>
-<p>
-            A <span class="emphasis"><em>stealth server</em></span> is a server that is
-            authoritative for a zone but is not listed in that zone's NS
-            records.  Stealth servers can be used for keeping a local copy of
-            a
-            zone to speed up access to the zone's records or to make sure that
-            the
-            zone is available even if all the "official" servers for the zone
-            are
-            inaccessible.
-          </p>
-<p>
-            A configuration where the primary master server itself is a
-            stealth server is often referred to as a "hidden primary"
-            configuration.  One use for this configuration is when the primary
-            master
-            is behind a firewall and therefore unable to communicate directly
-            with the outside world.
-          </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567433"></a>Caching Name Servers</h3></div></div></div>
-<p>
-          The resolver libraries provided by most operating systems are
-          <span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
-          capable of
-          performing the full DNS resolution process by themselves by talking
-          directly to the authoritative servers.  Instead, they rely on a
-          local
-          name server to perform the resolution on their behalf.  Such a
-          server
-          is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
-          <span class="emphasis"><em>recursive lookups</em></span> for local clients.
-        </p>
-<p>
-          To improve performance, recursive servers cache the results of
-          the lookups they perform.  Since the processes of recursion and
-          caching are intimately connected, the terms
-          <span class="emphasis"><em>recursive server</em></span> and
-          <span class="emphasis"><em>caching server</em></span> are often used synonymously.
-        </p>
-<p>
-          The length of time for which a record may be retained in
-          the cache of a caching name server is controlled by the
-          Time To Live (TTL) field associated with each resource record.
-        </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567537"></a>Forwarding</h4></div></div></div>
-<p>
-            Even a caching name server does not necessarily perform
-            the complete recursive lookup itself.  Instead, it can
-            <span class="emphasis"><em>forward</em></span> some or all of the queries
-            that it cannot satisfy from its cache to another caching name
-            server,
-            commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
-          </p>
-<p>
-            There may be one or more forwarders,
-            and they are queried in turn until the list is exhausted or an
-            answer
-            is found. Forwarders are typically used when you do not
-            wish all the servers at a given site to interact directly with the
-            rest of
-            the Internet servers. A typical scenario would involve a number
-            of internal <acronym class="acronym">DNS</acronym> servers and an
-            Internet firewall. Servers unable
-            to pass packets through the firewall would forward to the server
-            that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
-            on the internal server's behalf.
-          </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567563"></a>Name Servers in Multiple Roles</h3></div></div></div>
-<p>
-          The <acronym class="acronym">BIND</acronym> name server can
-          simultaneously act as
-          a master for some zones, a slave for other zones, and as a caching
-          (recursive) server for a set of local clients.
-        </p>
-<p>
-          However, since the functions of authoritative name service
-          and caching/recursive name service are logically separate, it is
-          often advantageous to run them on separate server machines.
-
-          A server that only provides authoritative name service
-          (an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
-          recursion disabled, improving reliability and security.
-
-          A server that is not authoritative for any zones and only provides
-          recursive service to local
-          clients (a <span class="emphasis"><em>caching-only</em></span> server)
-          does not need to be reachable from the Internet at large and can
-          be placed inside a firewall.
-        </p>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">BIND 9 Administrator Reference Manual </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch02.html b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
deleted file mode 100644
index c62ec1c..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch02.html
+++ /dev/null
@@ -1,158 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 2. BIND Resource Requirements</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
-<link rel="next" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch01.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch02"></a>Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567597">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567624">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567637">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567732">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567742">Supported Operating Systems</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567597"></a>Hardware requirements</h2></div></div></div>
-<p>
-        <acronym class="acronym">DNS</acronym> hardware requirements have
-        traditionally been quite modest.
-        For many installations, servers that have been pensioned off from
-        active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.
-      </p>
-<p>
-        The DNSSEC features of <acronym class="acronym">BIND</acronym> 9
-        may prove to be quite
-        CPU intensive however, so organizations that make heavy use of these
-        features may wish to consider larger systems for these applications.
-        <acronym class="acronym">BIND</acronym> 9 is fully multithreaded, allowing
-        full utilization of
-        multiprocessor systems for installations that need it.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567624"></a>CPU Requirements</h2></div></div></div>
-<p>
-        CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
-        i486-class machines
-        for serving of static zones without caching, to enterprise-class
-        machines if you intend to process many dynamic updates and DNSSEC
-        signed zones, serving many thousands of queries per second.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567637"></a>Memory Requirements</h2></div></div></div>
-<p>
-        The memory of the server has to be large enough to fit the
-        cache and zones loaded off disk.  The <span><strong class="command">max-cache-size</strong></span>
-        option can be used to limit the amount of memory used by the cache,
-        at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
-        traffic.
-        Additionally, if additional section caching
-        (<a href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
-        the <span><strong class="command">max-acache-size</strong></span> option can be used to
-        limit the amount
-        of memory used by the mechanism.
-        It is still good practice to have enough memory to load
-        all zone and cache data into memory &#8212; unfortunately, the best
-        way
-        to determine this for a given installation is to watch the name server
-        in operation. After a few weeks the server process should reach
-        a relatively stable size where entries are expiring from the cache as
-        fast as they are being inserted.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567732"></a>Name Server Intensive Environment Issues</h2></div></div></div>
-<p>
-        For name server intensive environments, there are two alternative
-        configurations that may be used. The first is where clients and
-        any second-level internal name servers query a main name server, which
-        has enough memory to build a large cache. This approach minimizes
-        the bandwidth used by external name lookups. The second alternative
-        is to set up second-level internal name servers to make queries
-        independently.
-        In this configuration, none of the individual machines needs to
-        have as much memory or CPU power as in the first alternative, but
-        this has the disadvantage of making many more external queries,
-        as none of the name servers share their cached data.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567742"></a>Supported Operating Systems</h2></div></div></div>
-<p>
-        ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
-        number
-        of Unix-like operating systems and on 
-        Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
-        For an up-to-date
-        list of supported systems, see the README file in the top level
-        directory
-        of the BIND 9 source distribution.
-      </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch01.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 1. Introduction </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 3. Name Server Configuration</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch03.html b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
deleted file mode 100644
index 0b8819e..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch03.html
+++ /dev/null
@@ -1,1057 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 3. Name Server Configuration</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
-<link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567774">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567995">An Authoritative-only Name Server</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568018">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568372">Name Server Operations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568377">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570600">Signals</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<p>
-      In this chapter we provide some suggested configurations along
-      with guidelines for their use.  We suggest reasonable values for
-      certain option settings.
-    </p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567774"></a>A Caching-only Name Server</h3></div></div></div>
-<p>
-          The following sample configuration is appropriate for a caching-only
-          name server for use by clients internal to a corporation.  All
-          queries
-          from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
-          option.  Alternatively, the same effect could be achieved using
-          suitable
-          firewall rules.
-        </p>
-<pre class="programlisting">
-// Two corporate subnets we wish to allow queries from.
-acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
-options {
-     // Working directory
-     directory "/etc/namedb";
-
-     allow-query { corpnets; };
-};
-// Provide a reverse mapping for the loopback
-// address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
-     type master;
-     file "localhost.rev";
-     notify no;
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567995"></a>An Authoritative-only Name Server</h3></div></div></div>
-<p>
-          This sample configuration is for an authoritative-only server
-          that is the master server for "<code class="filename">example.com</code>"
-          and a slave for the subdomain "<code class="filename">eng.example.com</code>".
-        </p>
-<pre class="programlisting">
-options {
-     // Working directory
-     directory "/etc/namedb";
-     // Do not allow access to cache
-     allow-query-cache { none; };
-     // This is the default
-     allow-query { any; };
-     // Do not provide recursive service
-     recursion no;
-};
-
-// Provide a reverse mapping for the loopback
-// address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
-     type master;
-     file "localhost.rev";
-     notify no;
-};
-// We are the master server for example.com
-zone "example.com" {
-     type master;
-     file "example.com.db";
-     // IP addresses of slave servers allowed to
-     // transfer example.com
-     allow-transfer {
-          192.168.4.14;
-          192.168.5.53;
-     };
-};
-// We are a slave server for eng.example.com
-zone "eng.example.com" {
-     type slave;
-     file "eng.example.com.bk";
-     // IP address of eng.example.com master server
-     masters { 192.168.4.12; };
-};
-</pre>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568018"></a>Load Balancing</h2></div></div></div>
-<p>
-        A primitive form of load balancing can be achieved in
-        the <acronym class="acronym">DNS</acronym> by using multiple records
-        (such as multiple A records) for one name.
-      </p>
-<p>
-        For example, if you have three WWW servers with network addresses
-        of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-        following means that clients will connect to each machine one third
-        of the time:
-      </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                <p>
-                  Name
-                </p>
-              </td>
-<td>
-                <p>
-                  TTL
-                </p>
-              </td>
-<td>
-                <p>
-                  CLASS
-                </p>
-              </td>
-<td>
-                <p>
-                  TYPE
-                </p>
-              </td>
-<td>
-                <p>
-                  Resource Record (RR) Data
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="literal">www</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">600</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">IN</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">A</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">10.0.0.1</code>
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p></p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">600</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">IN</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">A</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">10.0.0.2</code>
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p></p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">600</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">IN</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">A</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  <code class="literal">10.0.0.3</code>
-                </p>
-              </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-        When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
-        them and respond to the query with the records in a different
-        order.  In the example above, clients will randomly receive
-        records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
-        will use the first record returned and discard the rest.
-      </p>
-<p>
-        For more detail on ordering responses, check the
-        <span><strong class="command">rrset-order</strong></span> sub-statement in the
-        <span><strong class="command">options</strong></span> statement, see
-        <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568372"></a>Name Server Operations</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2568377"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
-<p>
-          This section describes several indispensable diagnostic,
-          administrative and monitoring tools available to the system
-          administrator for controlling and debugging the name server
-          daemon.
-        </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
-<p>
-            The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
-            <span><strong class="command">nslookup</strong></span> programs are all command
-            line tools
-            for manually querying name servers.  They differ in style and
-            output format.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
-<dd>
-<p>
-                  The domain information groper (<span><strong class="command">dig</strong></span>)
-                  is the most versatile and complete of these lookup tools.
-                  It has two modes: simple interactive
-                  mode for a single query, and batch mode which executes a
-                  query for
-                  each in a list of several query lines. All query options are
-                  accessible
-                  from the command line.
-                </p>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [@<em class="replaceable"><code>server</code></em>]  <em class="replaceable"><code>domain</code></em>  [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
-<p>
-                  The usual simple use of <span><strong class="command">dig</strong></span> will take the form
-                </p>
-<p>
-                  <span><strong class="command">dig @server domain query-type query-class</strong></span>
-                </p>
-<p>
-                  For more information and a list of available commands and
-                  options, see the <span><strong class="command">dig</strong></span> man
-                  page.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
-<dd>
-<p>
-                  The <span><strong class="command">host</strong></span> utility emphasizes
-                  simplicity
-                  and ease of use.  By default, it converts
-                  between host names and Internet addresses, but its
-                  functionality
-                  can be extended with the use of options.
-                </p>
-<div class="cmdsynopsis"><p><code class="command">host</code>  [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6]  <em class="replaceable"><code>hostname</code></em>  [<em class="replaceable"><code>server</code></em>]</p></div>
-<p>
-                  For more information and a list of available commands and
-                  options, see the <span><strong class="command">host</strong></span> man
-                  page.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
-<dd>
-<p><span><strong class="command">nslookup</strong></span>
-                  has two modes: interactive and
-                  non-interactive. Interactive mode allows the user to
-                  query name servers for information about various
-                  hosts and domains or to print a list of hosts in a
-                  domain. Non-interactive mode is used to print just
-                  the name and requested information for a host or
-                  domain.
-                </p>
-<div class="cmdsynopsis"><p><code class="command">nslookup</code>  [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] |  [- [server]]]</p></div>
-<p>
-                  Interactive mode is entered when no arguments are given (the
-                  default name server will be used) or when the first argument
-                  is a
-                  hyphen (`-') and the second argument is the host name or
-                  Internet address
-                  of a name server.
-                </p>
-<p>
-                  Non-interactive mode is used when the name or Internet
-                  address
-                  of the host to be looked up is given as the first argument.
-                  The
-                  optional second argument specifies the host name or address
-                  of a name server.
-                </p>
-<p>
-                  Due to its arcane user interface and frequently inconsistent
-                  behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
-                  Use <span><strong class="command">dig</strong></span> instead.
-                </p>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
-<p>
-            Administrative tools play an integral part in the management
-            of a server.
-          </p>
-<div class="variablelist"><dl>
-<dt>
-<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
-</dt>
-<dd>
-<p>
-                  The <span><strong class="command">named-checkconf</strong></span> program
-                  checks the syntax of a <code class="filename">named.conf</code> file.
-                </p>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
-</dd>
-<dt>
-<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
-</dt>
-<dd>
-<p>
-                  The <span><strong class="command">named-checkzone</strong></span> program
-                  checks a master file for
-                  syntax and consistency.
-                </p>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>]  <em class="replaceable"><code>zone</code></em>  [<em class="replaceable"><code>filename</code></em>]</p></div>
-</dd>
-<dt>
-<a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span>
-</dt>
-<dd><p>
-                  Similar to <span><strong class="command">named-checkzone,</strong></span> but
-                  it always dumps the zone content to a specified file
-                  (typically in a different format).
-                </p></dd>
-<dt>
-<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
-</dt>
-<dd>
-<p>
-                  The remote name daemon control
-                  (<span><strong class="command">rndc</strong></span>) program allows the
-                  system
-                  administrator to control the operation of a name server.
-                  Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
-                  supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
-                  utility except <span><strong class="command">ndc start</strong></span> and
-                  <span><strong class="command">ndc restart</strong></span>, which were also
-                  not supported in <span><strong class="command">ndc</strong></span>'s
-                  channel mode.
-                  If you run <span><strong class="command">rndc</strong></span> without any
-                  options
-                  it will display a usage message as follows:
-                </p>
-<div class="cmdsynopsis"><p><code class="command">rndc</code>  [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>]  <em class="replaceable"><code>command</code></em>  [<em class="replaceable"><code>command</code></em>...]</p></div>
-<p>The <span><strong class="command">command</strong></span>
-                  is one of the following:
-                </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
-<dd><p>
-                        Reload configuration file and zones.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em>
-                        [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>
-                        Reload the given zone.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em>
-                        [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>
-                        Schedule zone maintenance for the given zone.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em>
-
-                        [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>
-                        Retransfer the given zone from the master.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em>
-                        [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-<p>
-                        Fetch all DNSSEC keys for the given zone
-                        from the key directory (see
-                        <span><strong class="command">key-directory</strong></span> in
-                        <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
-          Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
-          Usage&#8221;</a>).  If they are within
-                        their publication period, merge them into the
-                        zone's DNSKEY RRset.  If the DNSKEY RRset
-                        is changed, then the zone is automatically
-                        re-signed with the new key set.
-                      </p>
-<p>
-                        This command requires that the
-                        <span><strong class="command">auto-dnssec</strong></span> zone option be set
-                        to <code class="literal">allow</code> or
-                        <code class="literal">maintain</code>,
-                        and also requires the zone to be configured to
-                        allow dynamic DNS.
-                        See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for
-                        more details.
-                      </p>
-</dd>
-<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em>
-                        [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd>
-<p>
-                        Fetch all DNSSEC keys for the given zone
-                        from the key directory (see
-                        <span><strong class="command">key-directory</strong></span> in
-                        <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
-          Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
-          Usage&#8221;</a>).  If they are within
-                        their publication period, merge them into the
-                        zone's DNSKEY RRset.  Unlike <span><strong class="command">rndc
-                        sign</strong></span>, however, the zone is not
-                        immediately re-signed by the new keys, but is
-                        allowed to incrementally re-sign over time.
-                      </p>
-<p>
-                        This command requires that the
-                        <span><strong class="command">auto-dnssec</strong></span> zone option
-                        be set to <code class="literal">maintain</code>,
-                        and also requires the zone to be configured to
-                        allow dynamic DNS.
-                        See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for
-                        more details.
-                      </p>
-</dd>
-<dt><span class="term"><strong class="userinput"><code>freeze
-                        [<span class="optional"><em class="replaceable"><code>zone</code></em>
-       [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>
-                        Suspend updates to a dynamic zone.  If no zone is
-                        specified, then all zones are suspended.  This allows
-                        manual edits to be made to a zone normally updated by
-                        dynamic update.  It also causes changes in the
-                        journal file to be synced into the master file.
-                        All dynamic update attempts will be refused while
-                        the zone is frozen.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>thaw
-                        [<span class="optional"><em class="replaceable"><code>zone</code></em>
-       [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>
-                        Enable updates to a frozen dynamic zone.  If no
-                        zone is specified, then all frozen zones are
-                        enabled.  This causes the server to reload the zone
-                        from disk, and re-enables dynamic updates after the
-                        load has completed.  After a zone is thawed,
-                        dynamic updates will no longer be refused.  If
-                        the zone has changed and the
-                        <span><strong class="command">ixfr-from-differences</strong></span> option is
-                        in use, then the journal file will be updated to
-                        reflect changes in the zone.  Otherwise, if the
-                        zone has changed, any existing journal file will be
-                        removed.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>sync
-                        [<span class="optional">-clean</span>]
-                        [<span class="optional"><em class="replaceable"><code>zone</code></em>
-       [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>
-                        Sync changes in the journal file for a dynamic zone
-                        to the master file.  If the "-clean" option is
-                        specified, the journal file is also removed.  If
-                        no zone is specified, then all zones are synced.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em>
-                        [<span class="optional"><em class="replaceable"><code>class</code></em>
-           [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>
-                        Resend NOTIFY messages for the zone.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
-<dd><p>
-                        Reload the configuration file and load new zones,
-                        but do not reload existing zone files even if they
-                        have changed.
-                        This is faster than a full <span><strong class="command">reload</strong></span> when there
-                        is a large number of zones because it avoids the need
-                        to examine the
-                        modification times of the zones files.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
-<dd><p>
-                        Write server statistics to the statistics file.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>querylog</code></strong>
-                          [<span class="optional">on|off</span>]
-                    </span></dt>
-<dd>
-<p>
-                        Enable or disable query logging.  (For backward
-                        compatibility, this command can also be used without
-                        an argument to toggle query logging on and off.)
-                      </p>
-<p>
-                        Query logging can also be enabled
-                        by explicitly directing the <span><strong class="command">queries</strong></span>
-                        <span><strong class="command">category</strong></span> to a
-                        <span><strong class="command">channel</strong></span> in the
-                        <span><strong class="command">logging</strong></span> section of
-                        <code class="filename">named.conf</code> or by specifying
-                        <span><strong class="command">querylog yes;</strong></span> in the
-                        <span><strong class="command">options</strong></span> section of
-                        <code class="filename">named.conf</code>.
-                      </p>
-</dd>
-<dt><span class="term"><strong class="userinput"><code>dumpdb
-                        [<span class="optional">-all|-cache|-zone</span>]
-                        [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd><p>
-                        Dump the server's caches (default) and/or zones to
-                        the
-                        dump file for the specified views.  If no view is
-                        specified, all
-                        views are dumped.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>secroots
-                        [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd><p>
-                        Dump the server's security roots to the secroots
-                        file for the specified views.  If no view is
-                        specified, security roots for all
-                        views are dumped.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd><p>
-                        Stop the server, making sure any recent changes
-                        made through dynamic update or IXFR are first saved to
-                        the master files of the updated zones.
-                        If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
-                        This allows an external process to determine when <span><strong class="command">named</strong></span>
-                        had completed stopping.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd><p>
-                        Stop the server immediately.  Recent changes
-                        made through dynamic update or IXFR are not saved to
-                        the master files, but will be rolled forward from the
-                        journal files when the server is restarted.
-                        If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
-                        This allows an external process to determine when <span><strong class="command">named</strong></span>
-                        had completed halting.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
-<dd><p>
-                        Increment the servers debugging level by one.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
-<dd><p>
-                        Sets the server's debugging level to an explicit
-                        value.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
-<dd><p>
-                        Sets the server's debugging level to 0.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
-<dd><p>
-                        Flushes the server's cache.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>flushname</code></strong>
-                       <em class="replaceable"><code>name</code></em>
-                       [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
-                       </span></dt>
-<dd><p>
-                        Flushes the given name from the server's DNS cache,
-                        and from the server's nameserver address database
-                        if applicable.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong>
-                       <em class="replaceable"><code>name</code></em>
-                       [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
-                       </span></dt>
-<dd><p>
-                        Flushes the given name, and all of its subdomains,
-                        from the server's DNS cache.  (The server's
-                        nameserver address database is not affected.)
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
-<dd><p>
-                        Display status of the server.
-                        Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
-                        and the default <span><strong class="command">./IN</strong></span>
-                        hint zone if there is not an
-                        explicit root zone configured.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
-<dd><p>
-                        Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
-                        on.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>validation
-                        [<span class="optional">on|off</span>]
-                        [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]
-                    </code></strong></span></dt>
-<dd><p>
-                        Enable or disable DNSSEC validation.
-                        Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
-                        set to <strong class="userinput"><code>yes</code></strong> to be effective.
-                        It defaults to enabled.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
-<dd><p>
-                        List the names of all TSIG keys currently configured
-                        for use by <span><strong class="command">named</strong></span> in each view.  The
-                        list both statically configured keys and dynamic
-                        TKEY-negotiated keys.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong>
-                     <em class="replaceable"><code>keyname</code></em>
-                     [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
-<dd><p>
-                        Delete a given TKEY-negotiated key from the server.
-                        (This does not apply to statically configured TSIG
-                        keys.)
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>addzone
-                        <em class="replaceable"><code>zone</code></em>
-                        [<span class="optional"><em class="replaceable"><code>class</code></em>
-                        [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
-                        <em class="replaceable"><code>configuration</code></em>
-                    </code></strong></span></dt>
-<dd>
-<p>
-                        Add a zone while the server is running.  This
-                        command requires the
-                        <span><strong class="command">allow-new-zones</strong></span> option to be set
-                        to <strong class="userinput"><code>yes</code></strong>.  The
-                        <em class="replaceable"><code>configuration</code></em> string
-                        specified on the command line is the zone
-                        configuration text that would ordinarily be
-                        placed in <code class="filename">named.conf</code>.
-                      </p>
-<p>
-                        The configuration is saved in a file called
-                       <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
-                        where <em class="replaceable"><code>hash</code></em> is a
-                        cryptographic hash generated from the name of
-                        the view.  When <span><strong class="command">named</strong></span> is
-                        restarted, the file will be loaded into the view
-                        configuration, so that zones that were added
-                        can persist after a restart.
-                      </p>
-<p>
-                        This sample <span><strong class="command">addzone</strong></span> command
-                        would add the zone <code class="literal">example.com</code>
-                        to the default view:
-                      </p>
-<p>
-<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
-                      </p>
-<p>
-                        (Note the brackets and semi-colon around the zone
-                        configuration text.)
-                      </p>
-</dd>
-<dt><span class="term"><strong class="userinput"><code>delzone
-                        <em class="replaceable"><code>zone</code></em>
-                        [<span class="optional"><em class="replaceable"><code>class</code></em>
-                        [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
-                    </code></strong></span></dt>
-<dd><p>
-                        Delete a zone while the server is running.
-                        Only zones that were originally added via
-                        <span><strong class="command">rndc addzone</strong></span> can be deleted
-                        in this matter.
-                      </p></dd>
-<dt><span class="term"><strong class="userinput"><code>signing
-                        [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>]
-                        <em class="replaceable"><code>zone</code></em>
-                        [<span class="optional"><em class="replaceable"><code>class</code></em>
-                        [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
-                    </code></strong></span></dt>
-<dd>
-<p>
-                        List, edit, or remove the DNSSEC signing state for 
-                        the specified zone.  The status of ongoing DNSSEC
-                        operations (such as signing or generating
-                        NSEC3 chains) is stored in the zone in the form
-                        of DNS resource records of type
-                        <span><strong class="command">sig-signing-type</strong></span>. 
-                        <span><strong class="command">rndc signing -list</strong></span> converts
-                        these records into a human-readable form,
-                        indicating which keys are currently signing
-                        or have finished signing the zone, and which NSEC3
-                        NSEC3 chains are being created or removed.
-                      </p>
-<p>
-                        <span><strong class="command">rndc signing -clear</strong></span> can remove
-                        a single key (specified in the same format that
-                        <span><strong class="command">rndc signing -list</strong></span> uses to
-                        display it), or all keys.  In either case, only
-                        completed keys are removed; any record indicating
-                        that a key has not yet finished signing the zone
-                        will be retained.
-                      </p>
-<p>
-                        <span><strong class="command">rndc signing -nsec3param</strong></span> sets
-                        the NSEC3 parameters for a zone.  This is the
-                        only supported mechanism for using NSEC3 with
-                        <span><strong class="command">inline-signing</strong></span> zones.
-                        Parameters are specified in the same format as
-                        an NSEC3PARAM resource record: hash algorithm,
-                        flags, iterations, and salt, in that order.
-                      </p>
-<p>
-                        Currently, the only defined value for hash algorithm 
-                        is <code class="literal">1</code>, representing SHA-1.
-                        The <code class="option">flags</code> may be set to
-                        <code class="literal">0</code> or <code class="literal">1</code>,
-                        depending on whether you wish to set the opt-out
-                        bit in the NSEC3 chain.  <code class="option">iterations</code>
-                        defines the number of additional times to apply
-                        the algorithm when generating an NSEC3 hash.  The
-                        <code class="option">salt</code> is a string of data expressed
-                        in hexidecimal, or a hyphen (`-') if no salt is
-                        to be used.
-                      </p>
-<p>
-                        So, for example, to create an NSEC3 chain using
-                        the SHA-1 hash algorithm, no opt-out flag,
-                        10 iterations, and a salt value of "FFFF", use:
-                        <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF &lt;zone&gt;</strong></span>.
-                        To set the opt-out flag, 15 iterations, and no
-                        salt, use:
-                        <span><strong class="command">rndc signing -nsec3param 1 1 15 - &lt;zone&gt;</strong></span>.
-                      </p>
-<p>
-                        <span><strong class="command">rndc signing -nsec3param none</strong></span>
-                        removes an existing NSEC3 chain and replaces it
-                        with NSEC.
-                      </p>
-</dd>
-</dl></div>
-<p>
-                  A configuration file is required, since all
-                  communication with the server is authenticated with
-                  digital signatures that rely on a shared secret, and
-                  there is no way to provide that secret other than with a
-                  configuration file.  The default location for the
-                  <span><strong class="command">rndc</strong></span> configuration file is
-                  <code class="filename">/etc/rndc.conf</code>, but an
-                  alternate
-                  location can be specified with the <code class="option">-c</code>
-                  option.  If the configuration file is not found,
-                  <span><strong class="command">rndc</strong></span> will also look in
-                  <code class="filename">/etc/rndc.key</code> (or whatever
-                  <code class="varname">sysconfdir</code> was defined when
-                  the <acronym class="acronym">BIND</acronym> build was
-                  configured).
-                  The <code class="filename">rndc.key</code> file is
-                  generated by
-                  running <span><strong class="command">rndc-confgen -a</strong></span> as
-                  described in
-                  <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
-          Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                </p>
-<p>
-                  The format of the configuration file is similar to
-                  that of <code class="filename">named.conf</code>, but
-                  limited to
-                  only four statements, the <span><strong class="command">options</strong></span>,
-                  <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
-                  <span><strong class="command">include</strong></span>
-                  statements.  These statements are what associate the
-                  secret keys to the servers with which they are meant to
-                  be shared.  The order of statements is not
-                  significant.
-                </p>
-<p>
-                  The <span><strong class="command">options</strong></span> statement has
-                  three clauses:
-                  <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
-                  and <span><strong class="command">default-port</strong></span>.
-                  <span><strong class="command">default-server</strong></span> takes a
-                  host name or address argument  and represents the server
-                  that will
-                  be contacted if no <code class="option">-s</code>
-                  option is provided on the command line.
-                  <span><strong class="command">default-key</strong></span> takes
-                  the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
-                  <span><strong class="command">default-port</strong></span> specifies the
-                  port to which
-                  <span><strong class="command">rndc</strong></span> should connect if no
-                  port is given on the command line or in a
-                  <span><strong class="command">server</strong></span> statement.
-                </p>
-<p>
-                  The <span><strong class="command">key</strong></span> statement defines a
-                  key to be used
-                  by <span><strong class="command">rndc</strong></span> when authenticating
-                  with
-                  <span><strong class="command">named</strong></span>.  Its syntax is
-                  identical to the
-                  <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
-                  The keyword <strong class="userinput"><code>key</code></strong> is
-                  followed by a key name, which must be a valid
-                  domain name, though it need not actually be hierarchical;
-                  thus,
-                  a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
-                  name.
-                  The <span><strong class="command">key</strong></span> statement has two
-                  clauses:
-                  <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
-                  While the configuration parser will accept any string as the
-                  argument
-                  to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
-                  has any meaning.  The secret is a base-64 encoded string
-                  as specified in RFC 3548.
-                </p>
-<p>
-                  The <span><strong class="command">server</strong></span> statement
-                  associates a key
-                  defined using the <span><strong class="command">key</strong></span>
-                  statement with a server.
-                  The keyword <strong class="userinput"><code>server</code></strong> is followed by a
-                  host name or address.  The <span><strong class="command">server</strong></span> statement
-                  has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
-                  The <span><strong class="command">key</strong></span> clause specifies the
-                  name of the key
-                  to be used when communicating with this server, and the
-                  <span><strong class="command">port</strong></span> clause can be used to
-                  specify the port <span><strong class="command">rndc</strong></span> should
-                  connect
-                  to on the server.
-                </p>
-<p>
-                  A sample minimal configuration file is as follows:
-                </p>
-<pre class="programlisting">
-key rndc_key {
-     algorithm "hmac-md5";
-     secret
-       "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
-options {
-     default-server 127.0.0.1;
-     default-key    rndc_key;
-};
-</pre>
-<p>
-                  This file, if installed as <code class="filename">/etc/rndc.conf</code>,
-                  would allow the command:
-                </p>
-<p>
-                  <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
-                </p>
-<p>
-                  to connect to 127.0.0.1 port 953 and cause the name server
-                  to reload, if a name server on the local machine were
-                  running with
-                  following controls statements:
-                </p>
-<pre class="programlisting">
-controls {
-        inet 127.0.0.1
-            allow { localhost; } keys { rndc_key; };
-};
-</pre>
-<p>
-                  and it had an identical key statement for
-                  <code class="literal">rndc_key</code>.
-                </p>
-<p>
-                  Running the <span><strong class="command">rndc-confgen</strong></span>
-                  program will
-                  conveniently create a <code class="filename">rndc.conf</code>
-                  file for you, and also display the
-                  corresponding <span><strong class="command">controls</strong></span>
-                  statement that you need to
-                  add to <code class="filename">named.conf</code>.
-                  Alternatively,
-                  you can run <span><strong class="command">rndc-confgen -a</strong></span>
-                  to set up
-                  a <code class="filename">rndc.key</code> file and not
-                  modify
-                  <code class="filename">named.conf</code> at all.
-                </p>
-</dd>
-</dl></div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570600"></a>Signals</h3></div></div></div>
-<p>
-          Certain UNIX signals cause the name server to take specific
-          actions, as described in the following table.  These signals can
-          be sent using the <span><strong class="command">kill</strong></span> command.
-        </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                  <p><span><strong class="command">SIGHUP</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Causes the server to read <code class="filename">named.conf</code> and
-                    reload the database.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p><span><strong class="command">SIGTERM</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Causes the server to clean up and exit.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p><span><strong class="command">SIGINT</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Causes the server to clean up and exit.
-                  </p>
-                </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch04.html b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
deleted file mode 100644
index e22a0cb..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch04.html
+++ /dev/null
@@ -1,1921 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 4. Advanced DNS Features</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
-<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571175">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571193">Example split DNS setup</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571763">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571836">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571847">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571883">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571941">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564003">Errors</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564017">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572326">SIG(0)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572394">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572541">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572622">Configuring Servers</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563413">Converting from insecure to secure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563450">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563555">Fully automatic zone signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563726">Private-type records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563832">DNSKEY rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563845">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563878">Automatic key rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563905">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563914">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563924">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563937">Converting from secure to insecure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572029">Periodic re-signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572039">NSEC3 and OPTOUT</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572072">Validating Resolver</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609027">Authoritative Server</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611929">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610179">Building BIND 9 with PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612283">PKCS #11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612382">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636884">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636930">Running named with automatic zone re-signing</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572842">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573109">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573130">Address to Name Lookups Using Nibble Format</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="notify"></a>Notify</h2></div></div></div>
-<p>
-        <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
-        servers to notify their slave servers of changes to a zone's data. In
-        response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
-        slave will check to see that its version of the zone is the
-        current version and, if not, initiate a zone transfer.
-      </p>
-<p>
-        For more information about <acronym class="acronym">DNS</acronym>
-        <span><strong class="command">NOTIFY</strong></span>, see the description of the
-        <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
-        the description of the zone option <span><strong class="command">also-notify</strong></span> in
-        <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.  The <span><strong class="command">NOTIFY</strong></span>
-        protocol is specified in RFC 1996.
-      </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-        As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
-        by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
-        it loads.  Specifying <span><strong class="command">notify master-only;</strong></span> will
-        cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
-        zones that it loads.
-      </div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
-<p>
-        Dynamic Update is a method for adding, replacing or deleting
-        records in a master server by sending it a special form of DNS
-        messages.  The format and meaning of these messages is specified
-        in RFC 2136.
-      </p>
-<p>
-        Dynamic update is enabled by including an
-        <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
-        clause in the <span><strong class="command">zone</strong></span> statement.
-      </p>
-<p>
-        If the zone's <span><strong class="command">update-policy</strong></span> is set to
-        <strong class="userinput"><code>local</code></strong>, updates to the zone
-        will be permitted for the key <code class="varname">local-ddns</code>,
-        which will be generated by <span><strong class="command">named</strong></span> at startup.
-        See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for more details.
-      </p>
-<p>
-        Dynamic updates using Kerberos signed requests can be made
-        using the TKEY/GSS protocol by setting either the
-        <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
-        by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
-        and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
-        Kerberos signed requests will be matched against the update
-        policies for the zone, using the Kerberos principal as the
-        signer for the request.
-      </p>
-<p>
-        Updating of secure zones (zones using DNSSEC) follows RFC
-        3007: RRSIG, NSEC and NSEC3 records affected by updates are
-        automatically regenerated by the server using an online
-        zone key.  Update authorization is based on transaction
-        signatures and an explicit server policy.
-      </p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="journal"></a>The journal file</h3></div></div></div>
-<p>
-          All changes made to a zone using dynamic update are stored
-          in the zone's journal file.  This file is automatically created
-          by the server when the first dynamic update takes place.
-          The name of the journal file is formed by appending the extension
-          <code class="filename">.jnl</code> to the name of the
-          corresponding zone
-          file unless specifically overridden.  The journal file is in a
-          binary format and should not be edited manually.
-        </p>
-<p>
-          The server will also occasionally write ("dump")
-          the complete contents of the updated zone to its zone file.
-          This is not done immediately after
-          each dynamic update, because that would be too slow when a large
-          zone is updated frequently.  Instead, the dump is delayed by
-          up to 15 minutes, allowing additional updates to take place.
-          During the dump process, transient files will be created
-          with the extensions <code class="filename">.jnw</code> and
-          <code class="filename">.jbk</code>; under ordinary circumstances, these
-          will be removed when the dump is complete, and can be safely
-          ignored.
-        </p>
-<p>
-          When a server is restarted after a shutdown or crash, it will replay
-              the journal file to incorporate into the zone any updates that
-          took
-          place after the last zone dump.
-        </p>
-<p>
-          Changes that result from incoming incremental zone transfers are
-          also
-          journalled in a similar way.
-        </p>
-<p>
-          The zone files of dynamic zones cannot normally be edited by
-          hand because they are not guaranteed to contain the most recent
-          dynamic changes &#8212; those are only in the journal file.
-          The only way to ensure that the zone file of a dynamic zone
-          is up to date is to run <span><strong class="command">rndc stop</strong></span>.
-        </p>
-<p>
-          If you have to make changes to a dynamic zone
-          manually, the following procedure will work: Disable dynamic updates
-              to the zone using
-          <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
-          This will also remove the zone's <code class="filename">.jnl</code> file
-          and update the master file.  Edit the zone file.  Run
-          <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
-          to reload the changed zone and re-enable dynamic updates.
-        </p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
-<p>
-        The incremental zone transfer (IXFR) protocol is a way for
-        slave servers to transfer only changed data, instead of having to
-        transfer the entire zone. The IXFR protocol is specified in RFC
-        1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.
-      </p>
-<p>
-        When acting as a master, <acronym class="acronym">BIND</acronym> 9
-        supports IXFR for those zones
-        where the necessary change history information is available. These
-        include master zones maintained by dynamic update and slave zones
-        whose data was obtained by IXFR.  For manually maintained master
-        zones, and for slave zones obtained by performing a full zone
-        transfer (AXFR), IXFR is supported only if the option
-        <span><strong class="command">ixfr-from-differences</strong></span> is set
-        to <strong class="userinput"><code>yes</code></strong>.
-      </p>
-<p>
-        When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
-        attempt to use IXFR unless
-        it is explicitly disabled. For more information about disabling
-        IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
-        of the <span><strong class="command">server</strong></span> statement.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571175"></a>Split DNS</h2></div></div></div>
-<p>
-        Setting up different views, or visibility, of the DNS space to
-        internal and external resolvers is usually referred to as a
-        <span class="emphasis"><em>Split DNS</em></span> setup. There are several
-        reasons an organization would want to set up its DNS this way.
-      </p>
-<p>
-        One common reason for setting up a DNS system this way is
-        to hide "internal" DNS information from "external" clients on the
-        Internet. There is some debate as to whether or not this is actually
-        useful.
-        Internal DNS information leaks out in many ways (via email headers,
-        for example) and most savvy "attackers" can find the information
-        they need using other means.
-        However, since listing addresses of internal servers that
-        external clients cannot possibly reach can result in
-        connection delays and other annoyances, an organization may
-        choose to use a Split DNS to present a consistent view of itself
-        to the outside world.
-      </p>
-<p>
-        Another common reason for setting up a Split DNS system is
-        to allow internal networks that are behind filters or in RFC 1918
-        space (reserved IP space, as documented in RFC 1918) to resolve DNS
-        on the Internet. Split DNS can also be used to allow mail from outside
-        back in to the internal network.
-      </p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571193"></a>Example split DNS setup</h3></div></div></div>
-<p>
-        Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
-        (<code class="literal">example.com</code>)
-        has several corporate sites that have an internal network with
-        reserved
-        Internet Protocol (IP) space and an external demilitarized zone (DMZ),
-        or "outside" section of a network, that is available to the public.
-      </p>
-<p>
-        <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
-        to be able to resolve external hostnames and to exchange mail with
-        people on the outside. The company also wants its internal resolvers
-        to have access to certain internal-only zones that are not available
-        at all outside of the internal network.
-      </p>
-<p>
-        In order to accomplish this, the company will set up two sets
-        of name servers. One set will be on the inside network (in the
-        reserved
-        IP space) and the other set will be on bastion hosts, which are
-        "proxy"
-        hosts that can talk to both sides of its network, in the DMZ.
-      </p>
-<p>
-        The internal servers will be configured to forward all queries,
-        except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
-        and <code class="filename">site2.example.com</code>, to the servers
-        in the
-        DMZ. These internal servers will have complete sets of information
-        for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
-        and <code class="filename">site2.internal</code>.
-      </p>
-<p>
-        To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
-        the internal name servers must be configured to disallow all queries
-        to these domains from any external hosts, including the bastion
-        hosts.
-      </p>
-<p>
-        The external servers, which are on the bastion hosts, will
-        be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
-        This could include things such as the host records for public servers
-        (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
-        and mail exchange (MX)  records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
-      </p>
-<p>
-        In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
-        should have special MX records that contain wildcard (`*') records
-        pointing to the bastion hosts. This is needed because external mail
-        servers do not have any other way of looking up how to deliver mail
-        to those internal hosts. With the wildcard records, the mail will
-        be delivered to the bastion host, which can then forward it on to
-        internal hosts.
-      </p>
-<p>
-        Here's an example of a wildcard MX record:
-      </p>
-<pre class="programlisting">*   IN MX 10 external1.example.com.</pre>
-<p>
-        Now that they accept mail on behalf of anything in the internal
-        network, the bastion hosts will need to know how to deliver mail
-        to internal hosts. In order for this to work properly, the resolvers
-        on
-        the bastion hosts will need to be configured to point to the internal
-        name servers for DNS resolution.
-      </p>
-<p>
-        Queries for internal hostnames will be answered by the internal
-        servers, and queries for external hostnames will be forwarded back
-        out to the DNS servers on the bastion hosts.
-      </p>
-<p>
-        In order for all this to work properly, internal clients will
-        need to be configured to query <span class="emphasis"><em>only</em></span> the internal
-        name servers for DNS queries. This could also be enforced via
-        selective
-        filtering on the network.
-      </p>
-<p>
-        If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
-        internal clients will now be able to:
-      </p>
-<div class="itemizedlist"><ul type="disc">
-<li>
-            Look up any hostnames in the <code class="literal">site1</code>
-            and
-            <code class="literal">site2.example.com</code> zones.
-          </li>
-<li>
-            Look up any hostnames in the <code class="literal">site1.internal</code> and
-            <code class="literal">site2.internal</code> domains.
-          </li>
-<li>Look up any hostnames on the Internet.</li>
-<li>Exchange mail with both internal and external people.</li>
-</ul></div>
-<p>
-        Hosts on the Internet will be able to:
-      </p>
-<div class="itemizedlist"><ul type="disc">
-<li>
-            Look up any hostnames in the <code class="literal">site1</code>
-            and
-            <code class="literal">site2.example.com</code> zones.
-          </li>
-<li>
-            Exchange mail with anyone in the <code class="literal">site1</code> and
-            <code class="literal">site2.example.com</code> zones.
-          </li>
-</ul></div>
-<p>
-        Here is an example configuration for the setup we just
-        described above. Note that this is only configuration information;
-        for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
-      </p>
-<p>
-        Internal DNS server config:
-      </p>
-<pre class="programlisting">
-
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { <code class="varname">bastion-ips-go-here</code>; };
-
-options {
-    ...
-    ...
-    forward only;
-    // forward to external servers
-    forwarders {
-        <code class="varname">bastion-ips-go-here</code>;
-    };
-    // sample allow-transfer (no one)
-    allow-transfer { none; };
-    // restrict query access
-    allow-query { internals; externals; };
-    // restrict recursion
-    allow-recursion { internals; };
-    ...
-    ...
-};
-
-// sample master zone
-zone "site1.example.com" {
-  type master;
-  file "m/site1.example.com";
-  // do normal iterative resolution (do not forward)
-  forwarders { };
-  allow-query { internals; externals; };
-  allow-transfer { internals; };
-};
-
-// sample slave zone
-zone "site2.example.com" {
-  type slave;
-  file "s/site2.example.com";
-  masters { 172.16.72.3; };
-  forwarders { };
-  allow-query { internals; externals; };
-  allow-transfer { internals; };
-};
-
-zone "site1.internal" {
-  type master;
-  file "m/site1.internal";
-  forwarders { };
-  allow-query { internals; };
-  allow-transfer { internals; }
-};
-
-zone "site2.internal" {
-  type slave;
-  file "s/site2.internal";
-  masters { 172.16.72.3; };
-  forwarders { };
-  allow-query { internals };
-  allow-transfer { internals; }
-};
-</pre>
-<p>
-        External (bastion host) DNS server config:
-      </p>
-<pre class="programlisting">
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { bastion-ips-go-here; };
-
-options {
-  ...
-  ...
-  // sample allow-transfer (no one)
-  allow-transfer { none; };
-  // default query access
-  allow-query { any; };
-  // restrict cache access
-  allow-query-cache { internals; externals; };
-  // restrict recursion
-  allow-recursion { internals; externals; };
-  ...
-  ...
-};
-
-// sample slave zone
-zone "site1.example.com" {
-  type master;
-  file "m/site1.foo.com";
-  allow-transfer { internals; externals; };
-};
-
-zone "site2.example.com" {
-  type slave;
-  file "s/site2.foo.com";
-  masters { another_bastion_host_maybe; };
-  allow-transfer { internals; externals; }
-};
-</pre>
-<p>
-        In the <code class="filename">resolv.conf</code> (or equivalent) on
-        the bastion host(s):
-      </p>
-<pre class="programlisting">
-search ...
-nameserver 172.16.72.2
-nameserver 172.16.72.3
-nameserver 172.16.72.4
-</pre>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="tsig"></a>TSIG</h2></div></div></div>
-<p>
-        This is a short guide to setting up Transaction SIGnatures
-        (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
-        to the configuration file as well as what changes are required for
-        different features, including the process of creating transaction
-        keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
-      </p>
-<p>
-        <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
-        to server communication.
-        This includes zone transfer, notify, and recursive query messages.
-        Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
-        for TSIG.
-      </p>
-<p>
-        TSIG can also be useful for dynamic update. A primary
-        server for a dynamic zone should control access to the dynamic
-        update service, but IP-based access control is insufficient.
-        The cryptographic access control provided by TSIG
-        is far superior. The <span><strong class="command">nsupdate</strong></span>
-        program supports TSIG via the <code class="option">-k</code> and
-        <code class="option">-y</code> command line options or inline by use
-        of the <span><strong class="command">key</strong></span>.
-      </p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571763"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
-<p>
-          A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
-          An arbitrary key name is chosen: "host1-host2.". The key name must
-          be the same on both hosts.
-        </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571780"></a>Automatic Generation</h4></div></div></div>
-<p>
-            The following command will generate a 128-bit (16 byte) HMAC-SHA256
-            key as described above. Longer keys are better, but shorter keys
-            are easier to read. Note that the maximum key length is the digest
-            length, here 256 bits.
-          </p>
-<p>
-            <strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
-          </p>
-<p>
-            The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
-            Nothing directly uses this file, but the base-64 encoded string
-            following "<code class="literal">Key:</code>"
-            can be extracted from the file and used as a shared secret:
-          </p>
-<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
-<p>
-            The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
-            be used as the shared secret.
-          </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571818"></a>Manual Generation</h4></div></div></div>
-<p>
-            The shared secret is simply a random sequence of bits, encoded
-            in base-64. Most ASCII strings are valid base-64 strings (assuming
-            the length is a multiple of 4 and only valid characters are used),
-            so the shared secret can be manually generated.
-          </p>
-<p>
-            Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
-            a similar program to generate base-64 encoded data.
-          </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571836"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
-<p>
-          This is beyond the scope of DNS. A secure transport mechanism
-          should be used. This could be secure FTP, ssh, telephone, etc.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571847"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
-<p>
-          Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
-          are
-          both servers. The following is added to each server's <code class="filename">named.conf</code> file:
-        </p>
-<pre class="programlisting">
-key host1-host2. {
-  algorithm hmac-sha256;
-  secret "La/E5CjG9O+os1jq0a2jdA==";
-};
-</pre>
-<p>
-          The secret is the one generated above. Since this is a secret, it
-          is recommended that either <code class="filename">named.conf</code> be
-          non-world readable, or the key directive be added to a non-world
-          readable file that is included by <code class="filename">named.conf</code>.
-        </p>
-<p>
-          At this point, the key is recognized. This means that if the
-          server receives a message signed by this key, it can verify the
-          signature. If the signature is successfully verified, the
-          response is signed by the same key.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571883"></a>Instructing the Server to Use the Key</h3></div></div></div>
-<p>
-          Since keys are shared between two hosts only, the server must
-          be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
-          for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
-          10.1.2.3:
-        </p>
-<pre class="programlisting">
-server 10.1.2.3 {
-  keys { host1-host2. ;};
-};
-</pre>
-<p>
-          Multiple keys may be present, but only the first is used.
-          This directive does not contain any secrets, so it may be in a
-          world-readable
-          file.
-        </p>
-<p>
-          If <span class="emphasis"><em>host1</em></span> sends a message that is a request
-          to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
-          expect any responses to signed messages to be signed with the same
-          key.
-        </p>
-<p>
-          A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
-          configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
-          sign request messages to <span class="emphasis"><em>host1</em></span>.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571941"></a>TSIG Key Based Access Control</h3></div></div></div>
-<p>
-          <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
-          to be specified in ACL
-          definitions and
-          <span><strong class="command">allow-{ query | transfer | update }</strong></span>
-          directives.
-          This has been extended to allow TSIG keys also. The above key would
-          be denoted <span><strong class="command">key host1-host2.</strong></span>
-        </p>
-<p>
-          An example of an <span><strong class="command">allow-update</strong></span> directive would be:
-        </p>
-<pre class="programlisting">
-allow-update { key host1-host2. ;};
-</pre>
-<p>
-          This allows dynamic updates to succeed only if the request
-          was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
-        </p>
-<p>
-          See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for a discussion of
-          the more flexible <span><strong class="command">update-policy</strong></span> statement.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564003"></a>Errors</h3></div></div></div>
-<p>
-          The processing of TSIG signed messages can result in
-          several errors. If a signed message is sent to a non-TSIG aware
-          server, a FORMERR (format error) will be returned, since the server will not
-          understand the record. This is a result of misconfiguration,
-          since the server must be explicitly configured to send a TSIG
-          signed message to a specific server.
-        </p>
-<p>
-          If a TSIG aware server receives a message signed by an
-          unknown key, the response will be unsigned with the TSIG
-          extended error code set to BADKEY. If a TSIG aware server
-          receives a message with a signature that does not validate, the
-          response will be unsigned with the TSIG extended error code set
-          to BADSIG. If a TSIG aware server receives a message with a time
-          outside of the allowed range, the response will be signed with
-          the TSIG extended error code set to BADTIME, and the time values
-          will be adjusted so that the response can be successfully
-          verified. In any of these cases, the message's rcode (response code) is set to
-          NOTAUTH (not authenticated).
-        </p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564017"></a>TKEY</h2></div></div></div>
-<p><span><strong class="command">TKEY</strong></span>
-        is a mechanism for automatically generating a shared secret
-        between two hosts.  There are several "modes" of
-        <span><strong class="command">TKEY</strong></span> that specify how the key is generated
-        or assigned.  <acronym class="acronym">BIND</acronym> 9 implements only one of
-        these modes, the Diffie-Hellman key exchange.  Both hosts are
-        required to have a Diffie-Hellman KEY record (although this
-        record is not required to be present in a zone).  The
-        <span><strong class="command">TKEY</strong></span> process must use signed messages,
-        signed either by TSIG or SIG(0).  The result of
-        <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
-        sign messages with TSIG.  <span><strong class="command">TKEY</strong></span> can also be
-        used to delete shared secrets that it had previously
-        generated.
-      </p>
-<p>
-        The <span><strong class="command">TKEY</strong></span> process is initiated by a
-        client
-        or server by sending a signed <span><strong class="command">TKEY</strong></span>
-        query
-        (including any appropriate KEYs) to a TKEY-aware server.  The
-        server response, if it indicates success, will contain a
-        <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
-        After
-        this exchange, both participants have enough information to
-        determine the shared secret; the exact process depends on the
-        <span><strong class="command">TKEY</strong></span> mode.  When using the
-        Diffie-Hellman
-        <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
-        exchanged,
-        and the shared secret is derived by both participants.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572326"></a>SIG(0)</h2></div></div></div>
-<p>
-        <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
-            transaction signatures as specified in RFC 2535 and RFC 2931.
-        SIG(0)
-        uses public/private keys to authenticate messages.  Access control
-        is performed in the same manner as TSIG keys; privileges can be
-        granted or denied based on the key name.
-      </p>
-<p>
-        When a SIG(0) signed message is received, it will only be
-        verified if the key is known and trusted by the server; the server
-        will not attempt to locate and/or validate the key.
-      </p>
-<p>
-        SIG(0) signing of multiple-message TCP streams is not
-        supported.
-      </p>
-<p>
-        The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
-        generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
-<p>
-        Cryptographic authentication of DNS information is possible
-        through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
-        defined in RFC 4033, RFC 4034, and RFC 4035.
-        This section describes the creation and use of DNSSEC signed zones.
-      </p>
-<p>
-        In order to set up a DNSSEC secure zone, there are a series
-        of steps which must be followed.  <acronym class="acronym">BIND</acronym>
-        9 ships
-        with several tools
-        that are used in this process, which are explained in more detail
-        below.  In all cases, the <code class="option">-h</code> option prints a
-        full list of parameters.  Note that the DNSSEC tools require the
-        keyset files to be in the working directory or the
-        directory specified by the <code class="option">-d</code> option, and
-        that the tools shipped with BIND 9.2.x and earlier are not compatible
-        with the current ones.
-      </p>
-<p>
-        There must also be communication with the administrators of
-        the parent and/or child zone to transmit keys.  A zone's security
-        status must be indicated by the parent zone for a DNSSEC capable
-        resolver to trust its data.  This is done through the presence
-        or absence of a <code class="literal">DS</code> record at the
-        delegation
-        point.
-      </p>
-<p>
-        For other servers to trust data in this zone, they must
-        either be statically configured with this zone's zone key or the
-        zone key of another zone above this one in the DNS tree.
-      </p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572394"></a>Generating Keys</h3></div></div></div>
-<p>
-          The <span><strong class="command">dnssec-keygen</strong></span> program is used to
-          generate keys.
-        </p>
-<p>
-          A secure zone must contain one or more zone keys.  The
-          zone keys will sign all other records in the zone, as well as
-          the zone keys of any secure delegated zones.  Zone keys must
-          have the same name as the zone, a name type of
-          <span><strong class="command">ZONE</strong></span>, and must be usable for
-          authentication.
-          It is recommended that zone keys use a cryptographic algorithm
-          designated as "mandatory to implement" by the IETF; currently
-          the only one is RSASHA1.
-        </p>
-<p>
-          The following command will generate a 768-bit RSASHA1 key for
-          the <code class="filename">child.example</code> zone:
-        </p>
-<p>
-          <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
-        </p>
-<p>
-          Two output files will be produced:
-          <code class="filename">Kchild.example.+005+12345.key</code> and
-          <code class="filename">Kchild.example.+005+12345.private</code>
-          (where
-          12345 is an example of a key tag).  The key filenames contain
-          the key name (<code class="filename">child.example.</code>),
-          algorithm (3
-          is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
-          this case).
-          The private key (in the <code class="filename">.private</code>
-          file) is
-          used to generate signatures, and the public key (in the
-          <code class="filename">.key</code> file) is used for signature
-          verification.
-        </p>
-<p>
-          To generate another key with the same properties (but with
-          a different key tag), repeat the above command.
-        </p>
-<p>
-          The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
-          to get a key pair from a crypto hardware and build the key
-          files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
-        </p>
-<p>
-          The public keys should be inserted into the zone file by
-          including the <code class="filename">.key</code> files using
-          <span><strong class="command">$INCLUDE</strong></span> statements.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572541"></a>Signing the Zone</h3></div></div></div>
-<p>
-          The <span><strong class="command">dnssec-signzone</strong></span> program is used
-          to sign a zone.
-        </p>
-<p>
-          Any <code class="filename">keyset</code> files corresponding to
-          secure subzones should be present.  The zone signer will
-          generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
-          and <code class="literal">RRSIG</code> records for the zone, as
-          well as <code class="literal">DS</code> for the child zones if
-          <code class="literal">'-g'</code> is specified.  If <code class="literal">'-g'</code>
-          is not specified, then DS RRsets for the secure child
-          zones need to be added manually.
-        </p>
-<p>
-          The following command signs the zone, assuming it is in a
-          file called <code class="filename">zone.child.example</code>.  By
-                default, all zone keys which have an available private key are
-                used to generate signatures.
-        </p>
-<p>
-          <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
-        </p>
-<p>
-          One output file is produced:
-          <code class="filename">zone.child.example.signed</code>.  This
-          file
-          should be referenced by <code class="filename">named.conf</code>
-          as the
-          input file for the zone.
-        </p>
-<p><span><strong class="command">dnssec-signzone</strong></span>
-          will also produce a keyset and dsset files and optionally a
-          dlvset file.  These are used to provide the parent zone
-          administrators with the <code class="literal">DNSKEYs</code> (or their
-          corresponding <code class="literal">DS</code> records) that are the
-          secure entry point to the zone.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572622"></a>Configuring Servers</h3></div></div></div>
-<p>
-          To enable <span><strong class="command">named</strong></span> to respond appropriately
-          to DNS requests from DNSSEC aware clients,
-          <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
-          (This is the default setting.)
-        </p>
-<p>
-          To enable <span><strong class="command">named</strong></span> to validate answers from
-          other servers, the <span><strong class="command">dnssec-enable</strong></span> option
-          must be set to <strong class="userinput"><code>yes</code></strong>, and the
-          <span><strong class="command">dnssec-validation</strong></span> options must be set to 
-          <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
-        </p>
-<p>
-          If <span><strong class="command">dnssec-validation</strong></span> is set to
-          <strong class="userinput"><code>auto</code></strong>, then a default
-          trust anchor for the DNS root zone will be used.
-          If it is set to <strong class="userinput"><code>yes</code></strong>, however,
-          then at least one trust anchor must be configured
-          with a <span><strong class="command">trusted-keys</strong></span> or
-          <span><strong class="command">managed-keys</strong></span> statement in
-          <code class="filename">named.conf</code>, or DNSSEC validation
-          will not occur.  The default setting is
-          <strong class="userinput"><code>yes</code></strong>.
-        </p>
-<p>
-          <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
-          for zones that are used to form the first link in the
-          cryptographic chain of trust.  All keys listed in
-          <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
-          are deemed to exist and only the listed keys will be used
-          to validated the DNSKEY RRset that they are from.
-        </p>
-<p>
-          <span><strong class="command">managed-keys</strong></span> are trusted keys which are
-          automatically kept up to date via RFC 5011 trust anchor
-          maintenance.
-        </p>
-<p>
-          <span><strong class="command">trusted-keys</strong></span> and
-          <span><strong class="command">managed-keys</strong></span> are described in more detail
-          later in this document.
-        </p>
-<p>
-          Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
-          9 does not verify signatures on load, so zone keys for
-          authoritative zones do not need to be specified in the
-          configuration file.
-        </p>
-<p>
-          After DNSSEC gets established, a typical DNSSEC configuration
-          will look something like the following.  It has one or
-          more public keys for the root.  This allows answers from
-          outside the organization to be validated.  It will also
-          have several keys for parts of the namespace the organization
-          controls.  These are here to ensure that <span><strong class="command">named</strong></span>
-          is immune to compromises in the DNSSEC components of the security
-          of parent zones.
-        </p>
-<pre class="programlisting">
-managed-keys {
-        /* Root Key */
-        "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
-                                 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
-                                 aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
-                                 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
-                                 hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
-                                 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
-                                 g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
-                                 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
-                                 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
-                                 dgxbcDTClU0CRBdiieyLMNzXG3";
-};
-
-trusted-keys {
-        /* Key for our organization's forward zone */
-        example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
-                              5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
-                              GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
-                              4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
-                              kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
-                              g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
-                              TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
-                              FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
-                              F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
-                              /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
-                              1OTQ09A0=";
-
-        /* Key for our reverse zone. */
-        2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
-                                       xOdNax071L18QqZnQQQAVVr+i
-                                       LhGTnNGp3HoWQLUIzKrJVZ3zg
-                                       gy3WwNT6kZo6c0tszYqbtvchm
-                                       gQC8CzKojM/W16i6MG/eafGU3
-                                       siaOdS0yOI6BgPsw+YZdzlYMa
-                                       IJGf4M4dyoKIhzdZyQ2bYQrjy
-                                       Q4LB0lC7aOnsMyYKHHYeRvPxj
-                                       IQXmdqgOJGq+vsevG06zW+1xg
-                                       YJh9rCIfnm1GX/KMgxLPG2vXT
-                                       D/RnLX+D3T3UL7HJYHJhAZD5L
-                                       59VvjSPsZJHeDCUyWYrvPZesZ
-                                       DIRvhDD52SKvbheeTJUm6Ehkz
-                                       ytNN2SN96QRk8j/iI8ib";
-};
-
-options {
-        ...
-        dnssec-enable yes;
-        dnssec-validation yes;
-};
-</pre>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-          None of the keys listed in this example are valid.  In particular,
-          the root key is not valid.
-        </div>
-<p>
-          When DNSSEC validation is enabled and properly configured,
-          the resolver will reject any answers from signed, secure zones
-          which fail to validate, and will return SERVFAIL to the client.
-        </p>
-<p>
-          Responses may fail to validate for any of several reasons,
-          including missing, expired, or invalid signatures, a key which
-          does not match the DS RRset in the parent zone, or an insecure
-          response from a zone which, according to its parent, should have
-          been secure.  
-        </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-            When the validator receives a response from an unsigned zone
-            that has a signed parent, it must confirm with the parent
-            that the zone was intentionally left unsigned.  It does
-            this by verifying, via signed and validated NSEC/NSEC3 records,
-            that the parent zone contains no DS records for the child.
-          </p>
-<p>
-            If the validator <span class="emphasis"><em>can</em></span> prove that the zone
-            is insecure, then the response is accepted.  However, if it
-            cannot, then it must assume an insecure response to be a
-            forgery; it rejects the response and logs an error.
-          </p>
-<p>
-            The logged error reads "insecurity proof failed" and
-            "got insecure response; parent indicates it should be secure".
-            (Prior to BIND 9.7, the logged error was "not insecure".
-            This referred to the zone, not the response.)
-          </p>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
-<p>As of BIND 9.7.0 it is possible to change a dynamic zone
-  from insecure to signed and back again. A secure zone can use
-  either NSEC or NSEC3 chains.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563413"></a>Converting from insecure to secure</h3></div></div></div></div>
-<p>Changing a zone from insecure to secure can be done in two
-  ways: using a dynamic DNS update, or the 
-  <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
-<p>For either method, you need to configure 
-  <span><strong class="command">named</strong></span> so that it can see the 
-  <code class="filename">K*</code> files which contain the public and private
-  parts of the keys that will be used to sign the zone. These files
-  will have been generated by 
-  <span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them
-  in the key-directory, as specified in 
-  <code class="filename">named.conf</code>:</p>
-<pre class="programlisting">
-        zone example.net {
-                type master;
-                update-policy local;
-                file "dynamic/example.net/example.net";
-                key-directory "dynamic/example.net";
-        };
-</pre>
-<p>If one KSK and one ZSK DNSKEY key have been generated, this
-  configuration will cause all records in the zone to be signed
-  with the ZSK, and the DNSKEY RRset to be signed with the KSK as
-  well. An NSEC chain will be generated as part of the initial
-  signing process.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563450"></a>Dynamic DNS update method</h3></div></div></div></div>
-<p>To insert the keys via dynamic update:</p>
-<pre class="screen">
-        % nsupdate
-        &gt; ttl 3600
-        &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
-        &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
-        &gt; send
-</pre>
-<p>While the update request will complete almost immediately,
-  the zone will not be completely signed until 
-  <span><strong class="command">named</strong></span> has had time to walk the zone and
-  generate the NSEC and RRSIG records. The NSEC record at the apex
-  will be added last, to signal that there is a complete NSEC
-  chain.</p>
-<p>If you wish to sign using NSEC3 instead of NSEC, you should
-  add an NSEC3PARAM record to the initial update request. If you
-  wish the NSEC3 chain to have the OPTOUT bit set, set it in the
-  flags field of the NSEC3PARAM record.</p>
-<pre class="screen">
-        % nsupdate
-        &gt; ttl 3600
-        &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
-        &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
-        &gt; update add example.net NSEC3PARAM 1 1 100 1234567890
-        &gt; send
-</pre>
-<p>Again, this update request will complete almost
-  immediately; however, the record won't show up until 
-  <span><strong class="command">named</strong></span> has had a chance to build/remove the
-  relevant chain. A private type record will be created to record
-  the state of the operation (see below for more details), and will
-  be removed once the operation completes.</p>
-<p>While the initial signing and NSEC/NSEC3 chain generation
-  is happening, other updates are possible as well.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563555"></a>Fully automatic zone signing</h3></div></div></div></div>
-<p>To enable automatic signing, add the 
-  <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in 
-  <code class="filename">named.conf</code>. 
-  <span><strong class="command">auto-dnssec</strong></span> has two possible arguments: 
-  <code class="constant">allow</code> or 
-  <code class="constant">maintain</code>.</p>
-<p>With 
-  <span><strong class="command">auto-dnssec allow</strong></span>, 
-  <span><strong class="command">named</strong></span> can search the key directory for keys
-  matching the zone, insert them into the zone, and use them to
-  sign the zone. It will do so only when it receives an 
-  <span><strong class="command">rndc sign &lt;zonename&gt;</strong></span>.</p>
-<p>
-  
-  <span><strong class="command">auto-dnssec maintain</strong></span> includes the above
-  functionality, but will also automatically adjust the zone's
-  DNSKEY records on schedule according to the keys' timing metadata.
-  (See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
-  <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.) 
-  </p>
-<p>
-  <span><strong class="command">named</strong></span> will periodically search the key directory
-  for keys matching the zone, and if the keys' metadata indicates
-  that any change should be made the zone, such as adding, removing,
-  or revoking a key, then that action will be carried out.  By default,
-  the key directory is checked for changes every 60 minutes; this period
-  can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
-  to a maximum of 24 hours.  The <span><strong class="command">rndc loadkeys</strong></span> forces
-  <span><strong class="command">named</strong></span> to check for key updates immediately.
-  </p>
-<p>
-  If keys are present in the key directory the first time the zone
-  is loaded, the zone will be signed immediately, without waiting for an 
-  <span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
-  command. (Those commands can still be used when there are unscheduled
-  key changes, however.)
-  </p>
-<p>
-  If you wish the zone to be signed using NSEC3 instead of NSEC,
-  submit an NSEC3PARAM record via dynamic update prior to the
-  scheduled publication and activation of the keys.  If you wish the
-  NSEC3 chain to have the OPTOUT bit set, set it in the flags field
-  of the NSEC3PARAM record.  The NSEC3PARAM record will not appear in
-  the zone immediately, but it will be stored for later reference.  When
-  the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
-  record will appear in the zone.
-  </p>
-<p>Using the 
-  <span><strong class="command">auto-dnssec</strong></span> option requires the zone to be
-  configured to allow dynamic updates, by adding an 
-  <span><strong class="command">allow-update</strong></span> or 
-  <span><strong class="command">update-policy</strong></span> statement to the zone
-  configuration. If this has not been done, the configuration will
-  fail.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563726"></a>Private-type records</h3></div></div></div></div>
-<p>The state of the signing process is signaled by
-  private-type records (with a default type value of 65534). When
-  signing is complete, these records will have a nonzero value for
-  the final octet (for those records which have a nonzero initial
-  octet).</p>
-<p>The private type record format: If the first octet is
-  non-zero then the record indicates that the zone needs to be
-  signed with the key matching the record, or that all signatures
-  that match the record should be removed.</p>
-<p>
-    </p>
-<div class="literallayout"><p><br>
-<br>
-  algorithm (octet 1)<br>
-  key id in network order (octet 2 and 3)<br>
-  removal flag (octet 4)<br>
-  complete flag (octet 5)<br>
-</p></div>
-<p>
-  </p>
-<p>Only records flagged as "complete" can be removed via
-  dynamic update. Attempts to remove other private type records
-  will be silently ignored.</p>
-<p>If the first octet is zero (this is a reserved algorithm
-  number that should never appear in a DNSKEY record) then the
-  record indicates changes to the NSEC3 chains are in progress. The
-  rest of the record contains an NSEC3PARAM record. The flag field
-  tells what operation to perform based on the flag bits.</p>
-<p>
-    </p>
-<div class="literallayout"><p><br>
-<br>
-  0x01 OPTOUT<br>
-  0x80 CREATE<br>
-  0x40 REMOVE<br>
-  0x20 NONSEC<br>
-</p></div>
-<p>
-  </p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563832"></a>DNSKEY rollovers</h3></div></div></div></div>
-<p>As with insecure-to-secure conversions, rolling DNSSEC
-  keys can be done in two ways: using a dynamic DNS update, or the 
-  <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563845"></a>Dynamic DNS update method</h3></div></div></div></div>
-<p> To perform key rollovers via dynamic update, you need to add
-  the <code class="filename">K*</code> files for the new keys so that 
-  <span><strong class="command">named</strong></span> can find them. You can then add the new
-  DNSKEY RRs via dynamic update. 
-  <span><strong class="command">named</strong></span> will then cause the zone to be signed
-  with the new keys. When the signing is complete the private type
-  records will be updated so that the last octet is non
-  zero.</p>
-<p>If this is for a KSK you need to inform the parent and any
-  trust anchor repositories of the new KSK.</p>
-<p>You should then wait for the maximum TTL in the zone before
-  removing the old DNSKEY. If it is a KSK that is being updated,
-  you also need to wait for the DS RRset in the parent to be
-  updated and its TTL to expire. This ensures that all clients will
-  be able to verify at least one signature when you remove the old
-  DNSKEY.</p>
-<p>The old DNSKEY can be removed via UPDATE. Take care to
-  specify the correct key. 
-  <span><strong class="command">named</strong></span> will clean out any signatures generated
-  by the old key after the update completes.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563878"></a>Automatic key rollovers</h3></div></div></div></div>
-<p>When a new key reaches its activation date (as set by
-  <span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
-  if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to 
-  <code class="constant">maintain</code>, <span><strong class="command">named</strong></span> will
-  automatically carry out the key rollover.  If the key's algorithm
-  has not previously been used to sign the zone, then the zone will
-  be fully signed as quickly as possible.  However, if the new key
-  is replacing an existing key of the same algorithm, then the
-  zone will be re-signed incrementally, with signatures from the
-  old key being replaced with signatures from the new key as their
-  signature validity periods expire.  By default, this rollover
-  completes in 30 days, after which it will be safe to remove the
-  old key from the DNSKEY RRset.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563905"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
-<p>Add the new NSEC3PARAM record via dynamic update. When the
-  new NSEC3 chain has been generated, the NSEC3PARAM flag field
-  will be zero. At this point you can remove the old NSEC3PARAM
-  record. The old chain will be removed after the update request
-  completes.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563914"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
-<p>To do this, you just need to add an NSEC3PARAM record. When
-  the conversion is complete, the NSEC chain will have been removed
-  and the NSEC3PARAM record will have a zero flag field. The NSEC3
-  chain will be generated before the NSEC chain is
-  destroyed.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563924"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
-<p>To do this, use <span><strong class="command">nsupdate</strong></span> to
-  remove all NSEC3PARAM records with a zero flag
-  field. The NSEC chain will be generated before the NSEC3 chain is
-  removed.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563937"></a>Converting from secure to insecure</h3></div></div></div></div>
-<p>To convert a signed zone to unsigned using dynamic DNS,
-  delete all the DNSKEY records from the zone apex using
-  <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
-  and associated NSEC3PARAM records will be removed automatically.
-  This will take place after the update request completes.</p>
-<p> This requires the 
-  <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to 
-  <strong class="userinput"><code>yes</code></strong> in 
-  <code class="filename">named.conf</code>.</p>
-<p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span>
-  zone statement is used, it should be removed or changed to
-  <span><strong class="command">allow</strong></span> instead (or it will re-sign).
-  </p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2572029"></a>Periodic re-signing</h3></div></div></div></div>
-<p>In any secure zone which supports dynamic updates, named
-  will periodically re-sign RRsets which have not been re-signed as
-  a result of some update action. The signature lifetimes will be
-  adjusted so as to spread the re-sign load over time rather than
-  all at once.</p>
-<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2572039"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
-<p>
-  <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
-  where all the NSEC3 records in the zone have the same OPTOUT
-  state. 
-  <span><strong class="command">named</strong></span> supports UPDATES to zones where the NSEC3
-  records in the chain have mixed OPTOUT state. 
-  <span><strong class="command">named</strong></span> does not support changing the OPTOUT
-  state of an individual NSEC3 record, the entire chain needs to be
-  changed if the OPTOUT state of an individual NSEC3 needs to be
-  changed.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
-<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
-  anchor management. Using this feature allows 
-  <span><strong class="command">named</strong></span> to keep track of changes to critical
-  DNSSEC keys without any need for the operator to make changes to
-  configuration files.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572072"></a>Validating Resolver</h3></div></div></div>
-<p>To configure a validating resolver to use RFC 5011 to
-    maintain a trust anchor, configure the trust anchor using a 
-    <span><strong class="command">managed-keys</strong></span> statement. Information about
-    this can be found in 
-    <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition
-            and Usage">the section called &#8220;<span><strong class="command">managed-keys</strong></span> Statement Definition
-            and Usage&#8221;</a>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2609027"></a>Authoritative Server</h3></div></div></div>
-<p>To set up an authoritative zone for RFC 5011 trust anchor
-    maintenance, generate two (or more) key signing keys (KSKs) for
-    the zone. Sign the zone with one of them; this is the "active"
-    KSK. All KSK's which do not sign the zone are "stand-by"
-    keys.</p>
-<p>Any validating resolver which is configured to use the
-    active KSK as an RFC 5011-managed trust anchor will take note
-    of the stand-by KSKs in the zone's DNSKEY RRset, and store them
-    for future reference. The resolver will recheck the zone
-    periodically, and after 30 days, if the new key is still there,
-    then the key will be accepted by the resolver as a valid trust
-    anchor for the zone. Any time after this 30-day acceptance
-    timer has completed, the active KSK can be revoked, and the
-    zone can be "rolled over" to the newly accepted key.</p>
-<p>The easiest way to place a stand-by key in a zone is to
-    use the "smart signing" features of 
-    <span><strong class="command">dnssec-keygen</strong></span> and 
-    <span><strong class="command">dnssec-signzone</strong></span>. If a key with a publication
-    date in the past, but an activation date which is unset or in
-    the future, " 
-    <span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY
-    record in the zone, but will not sign with it:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
-$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
-</pre>
-<p>To revoke a key, the new command 
-    <span><strong class="command">dnssec-revoke</strong></span> has been added. This adds the
-    REVOKED bit to the key flags and re-generates the 
-    <code class="filename">K*.key</code> and 
-    <code class="filename">K*.private</code> files.</p>
-<p>After revoking the active key, the zone must be signed
-    with both the revoked KSK and the new active KSK. (Smart
-    signing takes care of this automatically.)</p>
-<p>Once a key has been revoked and used to sign the DNSKEY
-    RRset in which it appears, that key will never again be
-    accepted as a valid trust anchor by the resolver. However,
-    validation can proceed using the new active key (which had been
-    accepted by the resolver when it was a stand-by key).</p>
-<p>See RFC 5011 for more details on key rollover
-    scenarios.</p>
-<p>When a key has been revoked, its key ID changes,
-    increasing by 128, and wrapping around at 65535. So, for
-    example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
-    "<code class="filename">Kexample.com.+005+10128</code>".</p>
-<p>If two keys have ID's exactly 128 apart, and one is
-    revoked, then the two key ID's will collide, causing several
-    problems. To prevent this, 
-    <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if
-    another key is present which may collide. This checking will
-    only occur if the new keys are written to the same directory
-    which holds all other keys in use for that zone.</p>
-<p>Older versions of BIND 9 did not have this precaution.
-    Exercise caution if using key revocation on keys that were
-    generated by previous releases, or if using keys stored in
-    multiple directories or on multiple machines.</p>
-<p>It is expected that a future release of BIND 9 will
-    address this problem in a different way, by storing revoked
-    keys with their original unrevoked key ID's.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div>
-<p>PKCS #11 (Public Key Cryptography Standard #11) defines a
-  platform- independent API for the control of hardware security
-  modules (HSMs) and other cryptographic support devices.</p>
-<p>BIND 9 is known to work with two HSMs: The Sun SCA 6000
-  cryptographic acceleration board, tested under Solaris x86, and
-  the AEP Keyper network-attached key storage device, tested with
-  Debian Linux, Solaris x86 and Windows Server 2003.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2611929"></a>Prerequisites</h3></div></div></div>
-<p>See the HSM vendor documentation for information about
-    installing, initializing, testing and troubleshooting the
-    HSM.</p>
-<p>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
-    does not yet fully support PKCS #11. However, a PKCS #11 engine
-    for OpenSSL is available from the OpenSolaris project. It has
-    been modified by ISC to work with with BIND 9, and to provide
-    new features such as PIN management and key by
-    reference.</p>
-<p>The patched OpenSSL depends on a "PKCS #11 provider".
-    This is a shared library object, providing a low-level PKCS #11
-    interface to the HSM hardware. It is dynamically loaded by
-    OpenSSL at runtime. The PKCS #11 provider comes from the HSM
-    vendor, and is specific to the HSM to be controlled.</p>
-<p>There are two "flavors" of PKCS #11 support provided by
-    the patched OpenSSL, one of which must be chosen at
-    configuration time. The correct choice depends on the HSM
-    hardware:</p>
-<div class="itemizedlist"><ul type="disc">
-<li><p>Use 'crypto-accelerator' with HSMs that have hardware
-        cryptographic acceleration features, such as the SCA 6000
-        board. This causes OpenSSL to run all supported
-        cryptographic operations in the HSM.</p></li>
-<li><p>Use 'sign-only' with HSMs that are designed to
-        function primarily as secure key storage devices, but lack
-        hardware acceleration. These devices are highly secure, but
-        are not necessarily any faster at cryptography than the
-        system CPU &#8212; often, they are slower. It is therefore
-        most efficient to use them only for those cryptographic
-        functions that require access to the secured private key,
-        such as zone signing, and to use the system CPU for all
-        other computationally-intensive operations. The AEP Keyper
-        is an example of such a device.</p></li>
-</ul></div>
-<p>The modified OpenSSL code is included in the BIND 9 release,
-        in the form of a context diff against the latest verions of
-        OpenSSL.  OpenSSL 0.9.8 and 1.0.0 are both supported; there are
-        separate diffs for each version.  In the examples to follow,
-        we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0.
-    </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-      The latest OpenSSL versions at the time of the BIND release
-      are 0.9.8s and 1.0.0f.
-      ISC will provide an updated patch as new versions of OpenSSL
-      are released. The version number in the following examples
-      is expected to change.</div>
-<p>
-    Before building BIND 9 with PKCS #11 support, it will be
-    necessary to build OpenSSL with this patch in place and inform
-    it of the path to the HSM-specific PKCS #11 provider
-    library.</p>
-<p>Obtain OpenSSL 0.9.8s:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</a></code></strong>
-</pre>
-<p>Extract the tarball:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>tar zxf openssl-0.9.8s.tar.gz</code></strong>
-</pre>
-<p>Apply the patch from the BIND 9 release:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \
-            &lt; bind9/bin/pkcs11/openssl-0.9.8s-patch</code></strong>
-</pre>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>(Note that the patch file may not be compatible with the
-    "patch" utility on all operating systems. You may need to
-    install GNU patch.)</div>
-<p>When building OpenSSL, place it in a non-standard
-    location so that it does not interfere with OpenSSL libraries
-    elsewhere on the system. In the following examples, we choose
-    to install into "/opt/pkcs11/usr". We will use this location
-    when we configure BIND 9.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2609772"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
-<p>The AEP Keyper is a highly secure key storage device,
-      but does not provide hardware cryptographic acceleration. It
-      can carry out cryptographic operations, but it is probably
-      slower than your system's CPU. Therefore, we choose the
-      'sign-only' flavor when building OpenSSL.</p>
-<p>The Keyper-specific PKCS #11 provider library is
-      delivered with the Keyper software. In this example, we place
-      it /opt/pkcs11/usr/lib:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
-</pre>
-<p>This library is only available for Linux as a 32-bit
-      binary. If we are compiling on a 64-bit Linux system, it is
-      necessary to force a 32-bit build, by specifying -m32 in the
-      build options.</p>
-<p>Finally, the Keyper library requires threads, so we
-      must specify -pthread.</p>
-<pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
-$ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
-            --pk11-flavor=sign-only \
-            --prefix=/opt/pkcs11/usr</code></strong>
-</pre>
-<p>After configuring, run "<span><strong class="command">make</strong></span>"
-      and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
-      test</strong></span>" fails with "pthread_atfork() not found", you forgot to
-      add the -pthread above.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2609910"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
-<p>The SCA-6000 PKCS #11 provider is installed as a system
-      library, libpkcs11. It is a true crypto accelerator, up to 4
-      times faster than any CPU, so the flavor shall be
-      'crypto-accelerator'.</p>
-<p>In this example, we are building on Solaris x86 on an
-      AMD64 system.</p>
-<pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
-$ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
-            --pk11-libname=/usr/lib/64/libpkcs11.so \
-            --pk11-flavor=crypto-accelerator \
-            --prefix=/opt/pkcs11/usr</code></strong>
-</pre>
-<p>(For a 32-bit build, use "solaris-x86-cc" and
-      /usr/lib/libpkcs11.so.)</p>
-<p>After configuring, run 
-      <span><strong class="command">make</strong></span> and 
-      <span><strong class="command">make test</strong></span>.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2609959"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
-<p>SoftHSM is a software library provided by the OpenDNSSEC
-      project (http://www.opendnssec.org) which provides a PKCS#11
-      interface to a virtual HSM, implemented in the form of encrypted
-      data on the local filesystem.  It uses the Botan library for
-      encryption and SQLite3 for data storage.  Though less secure
-      than a true HSM, it can provide more secure key storage than
-      traditional key files, and can allow you to experiment with
-      PKCS#11 when an HSM is not available.</p>
-<p>The SoftHSM cryptographic store must be installed and
-      initialized before using it with OpenSSL, and the SOFTHSM_CONF
-      environment variable must always point to the SoftHSM configuration
-      file:</p>
-<pre class="screen">
-$ <strong class="userinput"><code> cd softhsm-1.3.0 </code></strong>
-$ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
-$ <strong class="userinput"><code> make </code></strong>
-$ <strong class="userinput"><code> make install </code></strong>
-$ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong>
-$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" &gt; $SOFTHSM_CONF </code></strong>
-$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
-</pre>
-<p>SoftHSM can perform all cryptographic operations, but
-      since it only uses your system CPU, there is no need to use it
-      for anything but signing.  Therefore, we choose the 'sign-only'
-      flavor when building OpenSSL.</p>
-<pre class="screen">
-$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
-$ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
-            --pk11-flavor=sign-only \
-            --prefix=/opt/pkcs11/usr</code></strong>
-</pre>
-<p>After configuring, run "<span><strong class="command">make</strong></span>"
-      and "<span><strong class="command">make test</strong></span>".</p>
-</div>
-<p>Once you have built OpenSSL, run
-    "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm
-    that PKCS #11 support was compiled in correctly. The output
-    should be one of the following lines, depending on the flavor
-    selected:</p>
-<pre class="screen">
-        (pkcs11) PKCS #11 engine support (sign only)
-</pre>
-<p>Or:</p>
-<pre class="screen">
-        (pkcs11) PKCS #11 engine support (crypto accelerator)
-</pre>
-<p>Next, run
-    "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will
-    attempt to initialize the PKCS #11 engine. If it is able to
-    do so successfully, it will report
-    &#8220;<span class="quote"><code class="literal">[ available ]</code></span>&#8221;.</p>
-<p>If the output is correct, run
-    "<span><strong class="command">make install</strong></span>" which will install the
-    modified OpenSSL suite to 
-    <code class="filename">/opt/pkcs11/usr</code>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610179"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
-<p>When building BIND 9, the location of the custom-built
-    OpenSSL library must be specified via configure.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610187"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
-<p>To link with the PKCS #11 provider, threads must be
-      enabled in the BIND 9 build.</p>
-<p>The PKCS #11 library for the AEP Keyper is currently
-      only available as a 32-bit binary. If we are building on a
-      64-bit host, we must force a 32-bit build by adding "-m32" to
-      the CC options on the "configure" command line.</p>
-<pre class="screen">
-$ <strong class="userinput"><code>cd ../bind9</code></strong>
-$ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
-           --with-openssl=/opt/pkcs11/usr \
-           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610219"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
-<p>To link with the PKCS #11 provider, threads must be
-      enabled in the BIND 9 build.</p>
-<pre class="screen">
-$ <strong class="userinput"><code>cd ../bind9</code></strong>
-$ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
-            --with-openssl=/opt/pkcs11/usr \
-            --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
-</pre>
-<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
-<p>If configure complains about OpenSSL not working, you
-      may have a 32/64-bit architecture mismatch. Or, you may have
-      incorrectly specified the path to OpenSSL (it should be the
-      same as the --prefix argument to the OpenSSL
-      Configure).</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2612235"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
-<pre class="screen">
-$ <strong class="userinput"><code>cd ../bind9</code></strong>
-$ <strong class="userinput"><code>./configure --enable-threads \
-           --with-openssl=/opt/pkcs11/usr \
-           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
-</pre>
-</div>
-<p>After configuring, run
-    "<span><strong class="command">make</strong></span>",
-    "<span><strong class="command">make test</strong></span>" and
-    "<span><strong class="command">make install</strong></span>".</p>
-<p>(Note: If "make test" fails in the "pkcs11" system test, you may
-    have forgotten to set the SOFTHSM_CONF environment variable.)</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2612283"></a>PKCS #11 Tools</h3></div></div></div>
-<p>BIND 9 includes a minimal set of tools to operate the
-    HSM, including 
-    <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
-    within the HSM, 
-    <span><strong class="command">pkcs11-list</strong></span> to list objects currently
-    available, and 
-    <span><strong class="command">pkcs11-destroy</strong></span> to remove objects.</p>
-<p>In UNIX/Linux builds, these tools are built only if BIND
-    9 is configured with the --with-pkcs11 option. (NOTE: If
-    --with-pkcs11 is set to "yes", rather than to the path of the
-    PKCS #11 provider, then the tools will be built but the
-    provider will be left undefined. Use the -m option or the
-    PKCS11_PROVIDER environment variable to specify the path to the
-    provider.)</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2612382"></a>Using the HSM</h3></div></div></div>
-<p>First, we must set up the runtime environment so the
-    OpenSSL and PKCS #11 libraries can be loaded:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
-</pre>
-<p>When operating an AEP Keyper, it is also necessary to
-    specify the location of the "machine" file, which stores
-    information about the Keyper for use by PKCS #11 provider
-    library. If the machine file is in 
-    <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
-    use:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
-</pre>
-<p>These environment variables must be set whenever running
-    any tool that uses the HSM, including 
-    <span><strong class="command">pkcs11-keygen</strong></span>, 
-    <span><strong class="command">pkcs11-list</strong></span>, 
-    <span><strong class="command">pkcs11-destroy</strong></span>, 
-    <span><strong class="command">dnssec-keyfromlabel</strong></span>, 
-    <span><strong class="command">dnssec-signzone</strong></span>, 
-    <span><strong class="command">dnssec-keygen</strong></span>(which will use the HSM for
-    random number generation), and 
-    <span><strong class="command">named</strong></span>.</p>
-<p>We can now create and use keys in the HSM. In this case,
-    we will create a 2048 bit key and give it the label
-    "sample-ksk":</p>
-<pre class="screen">
-$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
-</pre>
-<p>To confirm that the key exists:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>pkcs11-list</code></strong>
-Enter PIN:
-object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
-object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
-</pre>
-<p>Before using this key to sign a zone, we must create a
-    pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
-    does this. In this case, we will be using the HSM key
-    "sample-ksk" as the key-signing key for "example.net":</p>
-<pre class="screen">
-$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
-</pre>
-<p>The resulting K*.key and K*.private files can now be used
-    to sign the zone. Unlike normal K* files, which contain both
-    public and private key data, these files will contain only the
-    public key data, plus an identifier for the private key which
-    remains stored within the HSM. The HSM handles signing with the
-    private key.</p>
-<p>If you wish to generate a second key in the HSM for use
-    as a zone-signing key, follow the same procedure above, using a
-    different keylabel, a smaller key size, and omitting "-f KSK"
-    from the dnssec-keyfromlabel arguments:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
-$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
-</pre>
-<p>Alternatively, you may prefer to generate a conventional
-    on-disk key, using dnssec-keygen:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
-</pre>
-<p>This provides less security than an HSM key, but since
-    HSMs can be slow or cumbersome to use for security reasons, it
-    may be more efficient to reserve HSM keys for use in the less
-    frequent key-signing operation. The zone-signing key can be
-    rolled more frequently, if you wish, to compensate for a
-    reduction in key security.</p>
-<p>Now you can sign the zone. (Note: If not using the -S
-    option to 
-    <span><strong class="command">dnssec-signzone</strong></span>, it will be necessary to add
-    the contents of both 
-    <code class="filename">K*.key</code> files to the zone master file before
-    signing it.)</p>
-<pre class="screen">
-$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
-Enter PIN:
-Verifying the zone using the following algorithms:
-NSEC3RSASHA1.
-Zone signing complete:
-Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
-example.net.signed
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2636884"></a>Specifying the engine on the command line</h3></div></div></div>
-<p>The OpenSSL engine can be specified in 
-    <span><strong class="command">named</strong></span> and all of the BIND 
-    <span><strong class="command">dnssec-*</strong></span> tools by using the "-E
-    &lt;engine&gt;" command line option. If BIND 9 is built with
-    the --with-pkcs11 option, this option defaults to "pkcs11".
-    Specifying the engine will generally not be necessary unless
-    for some reason you wish to use a different OpenSSL
-    engine.</p>
-<p>If you wish to disable use of the "pkcs11" engine &#8212;
-    for troubleshooting purposes, or because the HSM is unavailable
-    &#8212; set the engine to the empty string. For example:</p>
-<pre class="screen">
-$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
-</pre>
-<p>This causes 
-    <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled
-    without the --with-pkcs11 option.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2636930"></a>Running named with automatic zone re-signing</h3></div></div></div>
-<p>If you want 
-    <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM
-    keys, and/or to to sign new records inserted via nsupdate, then
-    named must have access to the HSM PIN. This can be accomplished
-    by placing the PIN into the openssl.cnf file (in the above
-    examples, 
-    <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p>
-<p>The location of the openssl.cnf file can be overridden by
-    setting the OPENSSL_CONF environment variable before running
-    named.</p>
-<p>Sample openssl.cnf:</p>
-<pre class="programlisting">
-        openssl_conf = openssl_def
-        [ openssl_def ]
-        engines = engine_section
-        [ engine_section ]
-        pkcs11 = pkcs11_section
-        [ pkcs11_section ]
-        PIN = <em class="replaceable"><code>&lt;PLACE PIN HERE&gt;</code></em>
-</pre>
-<p>This will also allow the dnssec-* tools to access the HSM
-    without PIN entry. (The pkcs11-* tools access the HSM directly,
-    not via OpenSSL, so a PIN will still be required to use
-    them.)</p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>Placing the HSM's PIN in a text file in
-      this manner may reduce the security advantage of using an
-      HSM. Be sure this is what you want to do before configuring
-      OpenSSL in this way.</p>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572842"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
-<p>
-        <acronym class="acronym">BIND</acronym> 9 fully supports all currently
-        defined forms of IPv6 name to address and address to name
-        lookups.  It will also use IPv6 addresses to make queries when
-        running on an IPv6 capable system.
-      </p>
-<p>
-        For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
-        only AAAA records.  RFC 3363 deprecated the use of A6 records,
-        and client-side support for A6 records was accordingly removed
-        from <acronym class="acronym">BIND</acronym> 9.
-        However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
-        load zone files containing A6 records correctly, answer queries
-        for A6 records, and accept zone transfer for a zone containing A6
-        records.
-      </p>
-<p>
-        For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
-        the traditional "nibble" format used in the
-        <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
-        <span class="emphasis"><em>ip6.int</em></span> domain.
-        Older versions of <acronym class="acronym">BIND</acronym> 9 
-        supported the "binary label" (also known as "bitstring") format,
-        but support of binary labels has been completely removed per
-        RFC 3363.
-        Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
-        the binary label format at all any more, and will return an
-        error if given.
-        In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
-        name server will not load a zone file containing binary labels.
-      </p>
-<p>
-        For an overview of the format and structure of IPv6 addresses,
-        see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
-      </p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573109"></a>Address Lookups Using AAAA Records</h3></div></div></div>
-<p>
-          The IPv6 AAAA record is a parallel to the IPv4 A record,
-          and, unlike the deprecated A6 record, specifies the entire
-          IPv6 address in a single record.  For example,
-        </p>
-<pre class="programlisting">
-$ORIGIN example.com.
-host            3600    IN      AAAA    2001:db8::1
-</pre>
-<p>
-          Use of IPv4-in-IPv6 mapped addresses is not recommended.
-          If a host has an IPv4 address, use an A record, not
-          a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
-          the address.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573130"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
-<p>
-          When looking up an address in nibble format, the address
-          components are simply reversed, just as in IPv4, and
-          <code class="literal">ip6.arpa.</code> is appended to the
-          resulting name.
-          For example, the following would provide reverse name lookup for
-          a host with address
-          <code class="literal">2001:db8::1</code>.
-        </p>
-<pre class="programlisting">
-$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  14400   IN    PTR    (
-                                    host.example.com. )
-</pre>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 3. Name Server Configuration </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch05.html b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
deleted file mode 100644
index 4457cbd..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch05.html
+++ /dev/null
@@ -1,143 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 5. The BIND 9 Lightweight Resolver</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
-<link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch05"></a>Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2573163">The Lightweight Resolver Library</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2573163"></a>The Lightweight Resolver Library</h2></div></div></div>
-<p>
-        Traditionally applications have been linked with a stub resolver
-        library that sends recursive DNS queries to a local caching name
-        server.
-      </p>
-<p>
-        IPv6 once introduced new complexity into the resolution process,
-        such as following A6 chains and DNAME records, and simultaneous
-        lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
-        then removed, these are hard or impossible
-        to implement in a traditional stub resolver.
-      </p>
-<p>
-        <acronym class="acronym">BIND</acronym> 9 therefore can also provide resolution
-        services to local clients
-        using a combination of a lightweight resolver library and a resolver
-        daemon process running on the local host.  These communicate using
-        a simple UDP-based protocol, the "lightweight resolver protocol"
-        that is distinct from and simpler than the full DNS protocol.
-      </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div>
-<p>
-        To use the lightweight resolver interface, the system must
-        run the resolver daemon <span><strong class="command">lwresd</strong></span> or a
-        local
-        name server configured with a <span><strong class="command">lwres</strong></span>
-        statement.
-      </p>
-<p>
-        By default, applications using the lightweight resolver library will
-        make
-        UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
-        The
-        address can be overridden by <span><strong class="command">lwserver</strong></span>
-        lines in
-        <code class="filename">/etc/resolv.conf</code>.
-      </p>
-<p>
-        The daemon currently only looks in the DNS, but in the future
-        it may use other sources such as <code class="filename">/etc/hosts</code>,
-        NIS, etc.
-      </p>
-<p>
-        The <span><strong class="command">lwresd</strong></span> daemon is essentially a
-        caching-only name server that responds to requests using the
-        lightweight
-        resolver protocol rather than the DNS protocol.  Because it needs
-        to run on each host, it is designed to require no or minimal
-        configuration.
-        Unless configured otherwise, it uses the name servers listed on
-        <span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
-        as forwarders, but is also capable of doing the resolution
-        autonomously if
-        none are specified.
-      </p>
-<p>
-        The <span><strong class="command">lwresd</strong></span> daemon may also be
-        configured with a
-        <code class="filename">named.conf</code> style configuration file,
-        in
-        <code class="filename">/etc/lwresd.conf</code> by default.  A name
-        server may also
-        be configured to act as a lightweight resolver daemon using the
-        <span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.
-      </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 4. Advanced DNS Features </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
deleted file mode 100644
index bd260dc..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch06.html
+++ /dev/null
@@ -1,11220 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 6. BIND 9 Configuration Reference</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
-<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574711">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575371"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575561"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575921"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575938"><span><strong class="command">include</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575961"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575985"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576075"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576269"><span><strong class="command">logging</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578364"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578438"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578502"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578546"><span><strong class="command">masters</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578567"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
-            Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590613"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
-            Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590920"><span><strong class="command">trusted-keys</strong></span> Statement Definition
-            and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590967"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
-            and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591409"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-            Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593189"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2596875">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599037">Discussion of MX Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599585">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599848">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600189"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
-</dl>
-</div>
-<p>
-      <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
-      to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
-      areas
-      of configuration, such as views. <acronym class="acronym">BIND</acronym>
-      8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
-      9, although more complex configurations should be reviewed to check
-      if they can be more efficiently implemented using the new features
-      found in <acronym class="acronym">BIND</acronym> 9.
-    </p>
-<p>
-      <acronym class="acronym">BIND</acronym> 4 configuration files can be
-      converted to the new format
-      using the shell script
-      <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
-    </p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-<p>
-        Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
-        file documentation:
-      </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                <p>
-                  <code class="varname">acl_name</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  The name of an <code class="varname">address_match_list</code> as
-                  defined by the <span><strong class="command">acl</strong></span> statement.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">address_match_list</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A list of one or more
-                  <code class="varname">ip_addr</code>,
-                  <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
-                  or <code class="varname">acl_name</code> elements, see
-                  <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">masters_list</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A named list of one or more <code class="varname">ip_addr</code>
-                  with optional <code class="varname">key_id</code> and/or
-                  <code class="varname">ip_port</code>.
-                  A <code class="varname">masters_list</code> may include other
-                  <code class="varname">masters_lists</code>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">domain_name</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A quoted string which will be used as
-                  a DNS name, for example "<code class="literal">my.test.domain</code>".
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">namelist</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A list of one or more <code class="varname">domain_name</code>
-                  elements.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">dotted_decimal</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  One to four integers valued 0 through
-                  255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
-                  <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip4_addr</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An IPv4 address with exactly four elements
-                  in <code class="varname">dotted_decimal</code> notation.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip6_addr</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
-                  IPv6 scoped addresses that have ambiguity on their
-                  scope zones must be disambiguated by an appropriate
-                  zone ID with the percent character (`%') as
-                  delimiter.  It is strongly recommended to use
-                  string zone names rather than numeric identifiers,
-                  in order to be robust against system configuration
-                  changes.  However, since there is no standard
-                  mapping for such names and identifier values,
-                  currently only interface names as link identifiers
-                  are supported, assuming one-to-one mapping between
-                  interfaces and links.  For example, a link-local
-                  address <span><strong class="command">fe80::1</strong></span> on the link
-                  attached to the interface <span><strong class="command">ne0</strong></span>
-                  can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
-                  Note that on most systems link-local addresses
-                  always have the ambiguity, and need to be
-                  disambiguated.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip_addr</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip_port</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An IP port <code class="varname">number</code>.
-                  The <code class="varname">number</code> is limited to 0
-                  through 65535, with values
-                  below 1024 typically restricted to use by processes running
-                  as root.
-                  In some cases, an asterisk (`*') character can be used as a
-                  placeholder to
-                  select a random high-numbered port.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">ip_prefix</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  An IP network specified as an <code class="varname">ip_addr</code>,
-                  followed by a slash (`/') and then the number of bits in the
-                  netmask.
-                  Trailing zeros in a <code class="varname">ip_addr</code>
-                  may omitted.
-                  For example, <span><strong class="command">127/8</strong></span> is the
-                  network <span><strong class="command">127.0.0.0</strong></span> with
-                  netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
-                  network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
-                </p>
-                <p>
-                  When specifying a prefix involving a IPv6 scoped address
-                  the scope may be omitted.  In that case the prefix will
-                  match packets from any scope.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">key_id</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A <code class="varname">domain_name</code> representing
-                  the name of a shared key, to be used for transaction
-                  security.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">key_list</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A list of one or more
-                  <code class="varname">key_id</code>s,
-                  separated by semicolons and ending with a semicolon.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">number</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A non-negative 32-bit integer
-                  (i.e., a number between 0 and 4294967295, inclusive).
-                  Its acceptable value might further
-                  be limited by the context in which it is used.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">path_name</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A quoted string which will be used as
-                  a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">port_list</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A list of an <code class="varname">ip_port</code> or a port
-                  range.
-                  A port range is specified in the form of
-                  <strong class="userinput"><code>range</code></strong> followed by
-                  two <code class="varname">ip_port</code>s,
-                  <code class="varname">port_low</code> and
-                  <code class="varname">port_high</code>, which represents
-                  port numbers from <code class="varname">port_low</code> through
-                  <code class="varname">port_high</code>, inclusive.
-                  <code class="varname">port_low</code> must not be larger than
-                  <code class="varname">port_high</code>.
-                  For example,
-                  <strong class="userinput"><code>range 1024 65535</code></strong> represents
-                  ports from 1024 through 65535.
-                  In either case an asterisk (`*') character is not
-                  allowed as a valid <code class="varname">ip_port</code>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">size_spec</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  A 64-bit unsigned integer, or the keywords
-                  <strong class="userinput"><code>unlimited</code></strong> or
-                  <strong class="userinput"><code>default</code></strong>.
-                </p>
-                <p>
-                  Integers may take values
-                  0 &lt;= value &lt;= 18446744073709551615, though
-                  certain parameters may use a more limited range
-                  within these extremes.  In most cases, setting a
-                  value to 0 does not literally mean zero; it means
-                  "undefined" or "as big as psosible", depending on
-                  the context. See the expalantions of particular
-                  parameters that use <code class="varname">size_spec</code>
-                  for details on how they interpret its use. 
-                </p>
-                <p>
-                  Numeric values can optionally be followed by a
-                  scaling factor:
-                  <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
-                  for kilobytes,
-                  <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
-                  for megabytes, and
-                  <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
-                  for gigabytes, which scale by 1024, 1024*1024, and
-                  1024*1024*1024 respectively.
-                </p>
-                <p>
-                  <code class="varname">unlimited</code> generally means
-                  "as big as possible", though in certain contexts,
-                  (including <code class="option">max-cache-size</code>), it may
-                  mean the largest possible 32-bit unsigned integer
-                  (0xffffffff); this distinction can be important when
-                  dealing with larger quantities. 
-                  <code class="varname">unlimited</code> is usually the best way
-                  to safely set a very large number.
-                </p>
-                <p>
-                  <code class="varname">default</code> 
-                  uses the limit that was in force when the server was started.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">yes_or_no</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
-                  The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
-                  also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
-                  and <strong class="userinput"><code>0</code></strong>.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p>
-                  <code class="varname">dialup_option</code>
-                </p>
-              </td>
-<td>
-                <p>
-                  One of <strong class="userinput"><code>yes</code></strong>,
-                  <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
-                  <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
-                  <strong class="userinput"><code>passive</code></strong>.
-                  When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
-                  <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
-                  are restricted to slave and stub zones.
-                </p>
-              </td>
-</tr>
-</tbody>
-</table></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2574546"></a>Syntax</h4></div></div></div>
-<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
-  [<span class="optional"> address_match_list_element; ... </span>]
-<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
-   key key_id | acl_name | { address_match_list } )
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2574573"></a>Definition and Usage</h4></div></div></div>
-<p>
-            Address match lists are primarily used to determine access
-            control for various server operations. They are also used in
-            the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
-            statements. The elements which constitute an address match
-            list can be any of the following:
-          </p>
-<div class="itemizedlist"><ul type="disc">
-<li>an IP address (IPv4 or IPv6)</li>
-<li>an IP prefix (in `/' notation)</li>
-<li>
-                a key ID, as defined by the <span><strong class="command">key</strong></span>
-                statement
-              </li>
-<li>the name of an address match list defined with
-                the <span><strong class="command">acl</strong></span> statement
-              </li>
-<li>a nested address match list enclosed in braces</li>
-</ul></div>
-<p>
-            Elements can be negated with a leading exclamation mark (`!'),
-            and the match list names "any", "none", "localhost", and
-            "localnets" are predefined. More information on those names
-            can be found in the description of the acl statement.
-          </p>
-<p>
-            The addition of the key clause made the name of this syntactic
-            element something of a misnomer, since security keys can be used
-            to validate access without regard to a host or network address.
-            Nonetheless, the term "address match list" is still used
-            throughout the documentation.
-          </p>
-<p>
-            When a given IP address or prefix is compared to an address
-            match list, the comparison takes place in approximately O(1)
-            time.  However, key comparisons require that the list of keys
-            be traversed until a matching key is found, and therefore may
-            be somewhat slower.
-          </p>
-<p>
-            The interpretation of a match depends on whether the list is being
-            used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
-            <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
-          </p>
-<p>
-            When used as an access control list, a non-negated match
-            allows access and a negated match denies access. If
-            there is no match, access is denied. The clauses
-            <span><strong class="command">allow-notify</strong></span>,
-            <span><strong class="command">allow-recursion</strong></span>,
-            <span><strong class="command">allow-recursion-on</strong></span>,
-            <span><strong class="command">allow-query</strong></span>,
-            <span><strong class="command">allow-query-on</strong></span>,
-            <span><strong class="command">allow-query-cache</strong></span>,
-            <span><strong class="command">allow-query-cache-on</strong></span>,
-            <span><strong class="command">allow-transfer</strong></span>,
-            <span><strong class="command">allow-update</strong></span>,
-            <span><strong class="command">allow-update-forwarding</strong></span>, and
-            <span><strong class="command">blackhole</strong></span> all use address match
-            lists.  Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
-            server to refuse queries on any of the machine's
-            addresses which do not match the list.
-          </p>
-<p>
-            Order of insertion is significant.  If more than one element
-            in an ACL is found to match a given IP address or prefix,
-            preference will be given to the one that came
-            <span class="emphasis"><em>first</em></span> in the ACL definition.
-            Because of this first-match behavior, an element that
-            defines a subset of another element in the list should
-            come before the broader element, regardless of whether
-            either is negated. For example, in
-            <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
-            the 1.2.3.13 element is completely useless because the
-            algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
-            element.  Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
-            that problem by having 1.2.3.13 blocked by the negation, but
-            all other 1.2.3.* hosts fall through.
-          </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574711"></a>Comment Syntax</h3></div></div></div>
-<p>
-          The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
-          comments to appear
-          anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
-          file. To appeal to programmers of all kinds, they can be written
-          in the C, C++, or shell/perl style.
-        </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2574726"></a>Syntax</h4></div></div></div>
-<p>
-            </p>
-<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
-<p>
-            </p>
-<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
-<p>
-            </p>
-<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
-# and perl</pre>
-<p>
-          </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2574756"></a>Definition and Usage</h4></div></div></div>
-<p>
-            Comments may appear anywhere that whitespace may appear in
-            a <acronym class="acronym">BIND</acronym> configuration file.
-          </p>
-<p>
-            C-style comments start with the two characters /* (slash,
-            star) and end with */ (star, slash). Because they are completely
-            delimited with these characters, they can be used to comment only
-            a portion of a line or to span multiple lines.
-          </p>
-<p>
-            C-style comments cannot be nested. For example, the following
-            is not valid because the entire comment ends with the first */:
-          </p>
-<p>
-
-</p>
-<pre class="programlisting">/* This is the start of a comment.
-   This is still part of the comment.
-/* This is an incorrect attempt at nesting a comment. */
-   This is no longer in any comment. */
-</pre>
-<p>
-
-          </p>
-<p>
-            C++-style comments start with the two characters // (slash,
-            slash) and continue to the end of the physical line. They cannot
-            be continued across multiple physical lines; to have one logical
-            comment span multiple lines, each line must use the // pair.
-            For example:
-          </p>
-<p>
-
-</p>
-<pre class="programlisting">// This is the start of a comment.  The next line
-// is a new comment, even though it is logically
-// part of the previous comment.
-</pre>
-<p>
-
-          </p>
-<p>
-            Shell-style (or perl-style, if you prefer) comments start
-            with the character <code class="literal">#</code> (number sign)
-            and continue to the end of the
-            physical line, as in C++ comments.
-            For example:
-          </p>
-<p>
-
-</p>
-<pre class="programlisting"># This is the start of a comment.  The next line
-# is a new comment, even though it is logically
-# part of the previous comment.
-</pre>
-<p>
-
-          </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-              You cannot use the semicolon (`;') character
-              to start a comment such as you would in a zone file. The
-              semicolon indicates the end of a configuration
-              statement.
-            </p>
-</div>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-<p>
-        A <acronym class="acronym">BIND</acronym> 9 configuration consists of
-        statements and comments.
-        Statements end with a semicolon. Statements and comments are the
-        only elements that can appear without enclosing braces. Many
-        statements contain a block of sub-statements, which are also
-        terminated with a semicolon.
-      </p>
-<p>
-        The following statements are supported:
-      </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                <p><span><strong class="command">acl</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines a named IP address
-                  matching list, for access control and other uses.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">controls</strong></span></p>
-              </td>
-<td>
-                <p>
-                  declares control channels to be used
-                  by the <span><strong class="command">rndc</strong></span> utility.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">include</strong></span></p>
-              </td>
-<td>
-                <p>
-                  includes a file.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">key</strong></span></p>
-              </td>
-<td>
-                <p>
-                  specifies key information for use in
-                  authentication and authorization using TSIG.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">logging</strong></span></p>
-              </td>
-<td>
-                <p>
-                  specifies what the server logs, and where
-                  the log messages are sent.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">lwres</strong></span></p>
-              </td>
-<td>
-                <p>
-                  configures <span><strong class="command">named</strong></span> to
-                  also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">masters</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines a named masters list for
-                  inclusion in stub and slave zones'
-                  <span><strong class="command">masters</strong></span> or 
-                  <span><strong class="command">also-notify</strong></span> lists.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">options</strong></span></p>
-              </td>
-<td>
-                <p>
-                  controls global server configuration
-                  options and sets defaults for other statements.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">server</strong></span></p>
-              </td>
-<td>
-                <p>
-                  sets certain configuration options on
-                  a per-server basis.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">statistics-channels</strong></span></p>
-              </td>
-<td>
-                <p>
-                  declares communication channels to get access to
-                  <span><strong class="command">named</strong></span> statistics.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">trusted-keys</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines trusted DNSSEC keys.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">managed-keys</strong></span></p>
-              </td>
-<td>
-                <p>
-                  lists DNSSEC keys to be kept up to date
-                  using RFC 5011 trust anchor maintenance.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">view</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines a view.
-                </p>
-              </td>
-</tr>
-<tr>
-<td>
-                <p><span><strong class="command">zone</strong></span></p>
-              </td>
-<td>
-                <p>
-                  defines a zone.
-                </p>
-              </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-        The <span><strong class="command">logging</strong></span> and
-        <span><strong class="command">options</strong></span> statements may only occur once
-        per
-        configuration.
-      </p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575371"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
-    address_match_list
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
-<p>
-          The <span><strong class="command">acl</strong></span> statement assigns a symbolic
-          name to an address match list. It gets its name from a primary
-          use of address match lists: Access Control Lists (ACLs).
-        </p>
-<p>
-          Note that an address match list's name must be defined
-          with <span><strong class="command">acl</strong></span> before it can be used
-          elsewhere; no forward references are allowed.
-        </p>
-<p>
-          The following ACLs are built-in:
-        </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                  <p><span><strong class="command">any</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Matches all hosts.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p><span><strong class="command">none</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Matches no hosts.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p><span><strong class="command">localhost</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Matches the IPv4 and IPv6 addresses of all network
-                    interfaces on the system.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p><span><strong class="command">localnets</strong></span></p>
-                </td>
-<td>
-                  <p>
-                    Matches any host on an IPv4 or IPv6 network
-                    for which the system has an interface.
-                    Some systems do not provide a way to determine the prefix
-                    lengths of
-                    local IPv6 addresses.
-                    In such a case, <span><strong class="command">localnets</strong></span>
-                    only matches the local
-                    IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
-                  </p>
-                </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575561"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">controls</strong></span> {
-   [ inet ( ip_addr | * ) [ port ip_port ]
-                allow { <em class="replaceable"><code> address_match_list </code></em> }
-                keys { <em class="replaceable"><code>key_list</code></em> }; ]
-   [ inet ...; ]
-   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
-     keys { <em class="replaceable"><code>key_list</code></em> }; ]
-   [ unix ...; ]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
-<p>
-          The <span><strong class="command">controls</strong></span> statement declares control
-          channels to be used by system administrators to control the
-          operation of the name server. These control channels are
-          used by the <span><strong class="command">rndc</strong></span> utility to send
-          commands to and retrieve non-DNS results from a name server.
-        </p>
-<p>
-          An <span><strong class="command">inet</strong></span> control channel is a TCP socket
-          listening at the specified <span><strong class="command">ip_port</strong></span> on the
-          specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
-          address.  An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
-          interpreted as the IPv4 wildcard address; connections will be
-          accepted on any of the system's IPv4 addresses.
-          To listen on the IPv6 wildcard address,
-          use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
-          If you will only use <span><strong class="command">rndc</strong></span> on the local host,
-          using the loopback address (<code class="literal">127.0.0.1</code>
-          or <code class="literal">::1</code>) is recommended for maximum security.
-        </p>
-<p>
-          If no port is specified, port 953 is used. The asterisk
-          "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
-        </p>
-<p>
-          The ability to issue commands over the control channel is
-          restricted by the <span><strong class="command">allow</strong></span> and
-          <span><strong class="command">keys</strong></span> clauses.
-          Connections to the control channel are permitted based on the
-          <span><strong class="command">address_match_list</strong></span>.  This is for simple
-          IP address based filtering only; any <span><strong class="command">key_id</strong></span>
-          elements of the <span><strong class="command">address_match_list</strong></span>
-          are ignored.
-        </p>
-<p>
-          A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
-          socket listening at the specified path in the file system.
-          Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
-          <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
-          Note on some platforms (SunOS and Solaris) the permissions
-          (<span><strong class="command">perm</strong></span>) are applied to the parent directory
-          as the permissions on the socket itself are ignored.
-        </p>
-<p>
-          The primary authorization mechanism of the command
-          channel is the <span><strong class="command">key_list</strong></span>, which
-          contains a list of <span><strong class="command">key_id</strong></span>s.
-          Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
-          is authorized to execute commands over the control channel.
-          See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
-          for information about configuring keys in <span><strong class="command">rndc</strong></span>.
-        </p>
-<p>
-          If no <span><strong class="command">controls</strong></span> statement is present,
-          <span><strong class="command">named</strong></span> will set up a default
-          control channel listening on the loopback address 127.0.0.1
-          and its IPv6 counterpart ::1.
-          In this case, and also when the <span><strong class="command">controls</strong></span> statement
-          is present but does not have a <span><strong class="command">keys</strong></span> clause,
-          <span><strong class="command">named</strong></span> will attempt to load the command channel key
-          from the file <code class="filename">rndc.key</code> in
-          <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
-          was specified as when <acronym class="acronym">BIND</acronym> was built).
-          To create a <code class="filename">rndc.key</code> file, run
-          <strong class="userinput"><code>rndc-confgen -a</code></strong>.
-        </p>
-<p>
-          The <code class="filename">rndc.key</code> feature was created to
-          ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
-          which did not have digital signatures on its command channel
-          messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
-
-          It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
-          configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
-          and still have <span><strong class="command">rndc</strong></span> work the same way
-          <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
-          command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
-          installed.
-        </p>
-<p>
-          Since the <code class="filename">rndc.key</code> feature
-          is only intended to allow the backward-compatible usage of
-          <acronym class="acronym">BIND</acronym> 8 configuration files, this
-          feature does not
-          have a high degree of configurability.  You cannot easily change
-          the key name or the size of the secret, so you should make a
-          <code class="filename">rndc.conf</code> with your own key if you
-          wish to change
-          those things.  The <code class="filename">rndc.key</code> file
-          also has its
-          permissions set such that only the owner of the file (the user that
-          <span><strong class="command">named</strong></span> is running as) can access it.
-          If you
-          desire greater flexibility in allowing other users to access
-          <span><strong class="command">rndc</strong></span> commands, then you need to create
-          a
-          <code class="filename">rndc.conf</code> file and make it group
-          readable by a group
-          that contains the users who should have access.
-        </p>
-<p>
-          To disable the command channel, use an empty
-          <span><strong class="command">controls</strong></span> statement:
-          <span><strong class="command">controls { };</strong></span>.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575921"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575938"></a><span><strong class="command">include</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
-<p>
-          The <span><strong class="command">include</strong></span> statement inserts the
-          specified file at the point where the <span><strong class="command">include</strong></span>
-          statement is encountered. The <span><strong class="command">include</strong></span>
-                statement facilitates the administration of configuration
-          files
-          by permitting the reading or writing of some things but not
-          others. For example, the statement could include private keys
-          that are readable only by the name server.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575961"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
-    algorithm <em class="replaceable"><code>string</code></em>;
-    secret <em class="replaceable"><code>string</code></em>;
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575985"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>
-          The <span><strong class="command">key</strong></span> statement defines a shared
-          secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-          or the command channel
-          (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
-          Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
-          Usage&#8221;</a>).
-        </p>
-<p>
-          The <span><strong class="command">key</strong></span> statement can occur at the
-          top level
-          of the configuration file or inside a <span><strong class="command">view</strong></span>
-          statement.  Keys defined in top-level <span><strong class="command">key</strong></span>
-          statements can be used in all views.  Keys intended for use in
-          a <span><strong class="command">controls</strong></span> statement
-          (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
-          Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
-          Usage&#8221;</a>)
-          must be defined at the top level.
-        </p>
-<p>
-          The <em class="replaceable"><code>key_id</code></em>, also known as the
-          key name, is a domain name uniquely identifying the key. It can
-          be used in a <span><strong class="command">server</strong></span>
-          statement to cause requests sent to that
-          server to be signed with this key, or in address match lists to
-          verify that incoming requests have been signed with a key
-          matching this name, algorithm, and secret.
-        </p>
-<p>
-          The <em class="replaceable"><code>algorithm_id</code></em> is a string
-          that specifies a security/authentication algorithm.  Named
-          supports <code class="literal">hmac-md5</code>,
-          <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
-          <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
-          and <code class="literal">hmac-sha512</code> TSIG authentication.
-          Truncated hashes are supported by appending the minimum
-          number of required bits preceded by a dash, e.g.
-          <code class="literal">hmac-sha1-80</code>.  The
-          <em class="replaceable"><code>secret_string</code></em> is the secret
-          to be used by the algorithm, and is treated as a base-64
-          encoded string.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576075"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">logging</strong></span> {
-   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
-     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
-         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
-         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
-       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
-       | <span><strong class="command">stderr</strong></span>
-       | <span><strong class="command">null</strong></span> );
-     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
-                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
-     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
-     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
-     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
-   }; ]
-   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
-     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
-   }; ]
-   ...
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576269"></a><span><strong class="command">logging</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
-<p>
-          The <span><strong class="command">logging</strong></span> statement configures a
-          wide
-          variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
-          associates output methods, format options and severity levels with
-          a name that can then be used with the <span><strong class="command">category</strong></span> phrase
-          to select how various classes of messages are logged.
-        </p>
-<p>
-          Only one <span><strong class="command">logging</strong></span> statement is used to
-          define
-          as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
-          the logging configuration will be:
-        </p>
-<pre class="programlisting">logging {
-     category default { default_syslog; default_debug; };
-     category unmatched { null; };
-};
-</pre>
-<p>
-          In <acronym class="acronym">BIND</acronym> 9, the logging configuration
-          is only established when
-          the entire configuration file has been parsed.  In <acronym class="acronym">BIND</acronym> 8, it was
-          established as soon as the <span><strong class="command">logging</strong></span>
-          statement
-          was parsed. When the server is starting up, all logging messages
-          regarding syntax errors in the configuration file go to the default
-          channels, or to standard error if the "<code class="option">-g</code>" option
-          was specified.
-        </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2576322"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
-<p>
-            All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
-            you can make as many of them as you want.
-          </p>
-<p>
-            Every channel definition must include a destination clause that
-            says whether messages selected for the channel go to a file, to a
-            particular syslog facility, to the standard error stream, or are
-            discarded. It can optionally also limit the message severity level
-            that will be accepted by the channel (the default is
-            <span><strong class="command">info</strong></span>), and whether to include a
-            <span><strong class="command">named</strong></span>-generated time stamp, the
-            category name
-            and/or severity level (the default is not to include any).
-          </p>
-<p>
-            The <span><strong class="command">null</strong></span> destination clause
-            causes all messages sent to the channel to be discarded;
-            in that case, other options for the channel are meaningless.
-          </p>
-<p>
-            The <span><strong class="command">file</strong></span> destination clause directs
-            the channel
-            to a disk file.  It can include limitations
-            both on how large the file is allowed to become, and how many
-            versions
-            of the file will be saved each time the file is opened.
-          </p>
-<p>
-            If you use the <span><strong class="command">versions</strong></span> log file
-            option, then
-            <span><strong class="command">named</strong></span> will retain that many backup
-            versions of the file by
-            renaming them when opening.  For example, if you choose to keep
-            three old versions
-            of the file <code class="filename">lamers.log</code>, then just
-            before it is opened
-            <code class="filename">lamers.log.1</code> is renamed to
-            <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
-            to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
-            renamed to <code class="filename">lamers.log.0</code>.
-            You can say <span><strong class="command">versions unlimited</strong></span> to
-            not limit
-            the number of versions.
-            If a <span><strong class="command">size</strong></span> option is associated with
-            the log file,
-            then renaming is only done when the file being opened exceeds the
-            indicated size.  No backup versions are kept by default; any
-            existing
-            log file is simply appended.
-          </p>
-<p>
-            The <span><strong class="command">size</strong></span> option for files is used
-            to limit log
-            growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
-            stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
-            associated with it.  If backup versions are kept, the files are
-            rolled as
-            described above and a new one begun.  If there is no
-            <span><strong class="command">versions</strong></span> option, no more data will
-            be written to the log
-            until some out-of-band mechanism removes or truncates the log to
-            less than the
-            maximum size.  The default behavior is not to limit the size of
-            the
-            file.
-          </p>
-<p>
-            Example usage of the <span><strong class="command">size</strong></span> and
-            <span><strong class="command">versions</strong></span> options:
-          </p>
-<pre class="programlisting">channel an_example_channel {
-    file "example.log" versions 3 size 20m;
-    print-time yes;
-    print-category yes;
-};
-</pre>
-<p>
-            The <span><strong class="command">syslog</strong></span> destination clause
-            directs the
-            channel to the system log.  Its argument is a
-            syslog facility as described in the <span><strong class="command">syslog</strong></span> man
-            page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
-            <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
-            <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
-            <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
-            <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
-            <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
-            <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
-            <span><strong class="command">local7</strong></span>, however not all facilities
-            are supported on
-            all operating systems.
-            How <span><strong class="command">syslog</strong></span> will handle messages
-            sent to
-            this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
-            page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
-            only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
-            then this clause is silently ignored.
-          </p>
-<p>
-            The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
-            "priorities", except that they can also be used if you are writing
-            straight to a file rather than using <span><strong class="command">syslog</strong></span>.
-            Messages which are not at least of the severity level given will
-            not be selected for the channel; messages of higher severity
-            levels
-            will be accepted.
-          </p>
-<p>
-            If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
-            will also determine what eventually passes through. For example,
-            defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
-            only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
-            cause messages of severity <span><strong class="command">info</strong></span> and
-            <span><strong class="command">notice</strong></span> to
-            be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
-            messages of only <span><strong class="command">warning</strong></span> or higher,
-            then <span><strong class="command">syslogd</strong></span> would
-            print all messages it received from the channel.
-          </p>
-<p>
-            The <span><strong class="command">stderr</strong></span> destination clause
-            directs the
-            channel to the server's standard error stream.  This is intended
-            for
-            use when the server is running as a foreground process, for
-            example
-            when debugging a configuration.
-          </p>
-<p>
-            The server can supply extensive debugging information when
-            it is in debugging mode. If the server's global debug level is
-            greater
-            than zero, then debugging mode will be active. The global debug
-            level is set either by starting the <span><strong class="command">named</strong></span> server
-            with the <code class="option">-d</code> flag followed by a positive integer,
-            or by running <span><strong class="command">rndc trace</strong></span>.
-            The global debug level
-            can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
-notrace</strong></span>. All debugging messages in the server have a debug
-            level, and higher debug levels give more detailed output. Channels
-            that specify a specific debug severity, for example:
-          </p>
-<pre class="programlisting">channel specific_debug_level {
-    file "foo";
-    severity debug 3;
-};
-</pre>
-<p>
-            will get debugging output of level 3 or less any time the
-            server is in debugging mode, regardless of the global debugging
-            level. Channels with <span><strong class="command">dynamic</strong></span>
-            severity use the
-            server's global debug level to determine what messages to print.
-          </p>
-<p>
-            If <span><strong class="command">print-time</strong></span> has been turned on,
-            then
-            the date and time will be logged. <span><strong class="command">print-time</strong></span> may
-            be specified for a <span><strong class="command">syslog</strong></span> channel,
-            but is usually
-            pointless since <span><strong class="command">syslog</strong></span> also logs
-            the date and
-            time. If <span><strong class="command">print-category</strong></span> is
-            requested, then the
-            category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
-            on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
-            be used in any combination, and will always be printed in the
-            following
-            order: time, category, severity. Here is an example where all
-            three <span><strong class="command">print-</strong></span> options
-            are on:
-          </p>
-<p>
-            <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
-          </p>
-<p>
-            There are four predefined channels that are used for
-            <span><strong class="command">named</strong></span>'s default logging as follows.
-            How they are
-            used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
-          </p>
-<pre class="programlisting">channel default_syslog {
-    // send to syslog's daemon facility
-    syslog daemon;
-    // only send priority info and higher
-    severity info;
-
-channel default_debug {
-    // write to named.run in the working directory
-    // Note: stderr is used instead of "named.run" if
-    // the server is started with the '-f' option.
-    file "named.run";
-    // log at the server's current debug level
-    severity dynamic;
-};
-
-channel default_stderr {
-    // writes to stderr
-    stderr;
-    // only send priority info and higher
-    severity info;
-};
-
-channel null {
-   // toss anything sent to this channel
-   null;
-};
-</pre>
-<p>
-            The <span><strong class="command">default_debug</strong></span> channel has the
-            special
-            property that it only produces output when the server's debug
-            level is
-            nonzero.  It normally writes to a file called <code class="filename">named.run</code>
-            in the server's working directory.
-          </p>
-<p>
-            For security reasons, when the "<code class="option">-u</code>"
-            command line option is used, the <code class="filename">named.run</code> file
-            is created only after <span><strong class="command">named</strong></span> has
-            changed to the
-            new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
-            starting up and still running as root is discarded.  If you need
-            to capture this output, you must run the server with the "<code class="option">-g</code>"
-            option and redirect standard error to a file.
-          </p>
-<p>
-            Once a channel is defined, it cannot be redefined. Thus you
-            cannot alter the built-in channels directly, but you can modify
-            the default logging by pointing categories at channels you have
-            defined.
-          </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
-<p>
-            There are many categories, so you can send the logs you want
-            to see wherever you want, without seeing logs you don't want. If
-            you don't specify a list of channels for a category, then log
-            messages
-            in that category will be sent to the <span><strong class="command">default</strong></span> category
-            instead. If you don't specify a default category, the following
-            "default default" is used:
-          </p>
-<pre class="programlisting">category default { default_syslog; default_debug; };
-</pre>
-<p>
-            As an example, let's say you want to log security events to
-            a file, but you also want keep the default logging behavior. You'd
-            specify the following:
-          </p>
-<pre class="programlisting">channel my_security_channel {
-    file "my_security_file";
-    severity info;
-};
-category security {
-    my_security_channel;
-    default_syslog;
-    default_debug;
-};</pre>
-<p>
-            To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
-          </p>
-<pre class="programlisting">category xfer-out { null; };
-category notify { null; };
-</pre>
-<p>
-            Following are the available categories and brief descriptions
-            of the types of log information they contain. More
-            categories may be added in future <acronym class="acronym">BIND</acronym> releases.
-          </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p><span><strong class="command">default</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The default category defines the logging
-                      options for those categories where no specific
-                      configuration has been
-                      defined.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">general</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The catch-all. Many things still aren't
-                      classified into categories, and they all end up here.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">database</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Messages relating to the databases used
-                      internally by the name server to store zone and cache
-                      data.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">security</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Approval and denial of requests.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">config</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Configuration file parsing and processing.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">resolver</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      DNS resolution, such as the recursive
-                      lookups performed on behalf of clients by a caching name
-                      server.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">xfer-in</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Zone transfers the server is receiving.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">xfer-out</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Zone transfers the server is sending.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">notify</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The NOTIFY protocol.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">client</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Processing of client requests.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">unmatched</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Messages that <span><strong class="command">named</strong></span> was unable to determine the
-                      class of or for which there was no matching <span><strong class="command">view</strong></span>.
-                      A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
-                      This category is best sent to a file or stderr, by
-                      default it is sent to
-                      the <span><strong class="command">null</strong></span> channel.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">network</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Network operations.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">update</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Dynamic updates.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">update-security</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Approval and denial of update requests.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">queries</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Specify where queries should be logged to.
-                    </p>
-                    <p>
-                      At startup, specifying the category <span><strong class="command">queries</strong></span> will also
-                      enable query logging unless <span><strong class="command">querylog</strong></span> option has been
-                      specified.
-                    </p>
-
-                    <p>
-                      The query log entry reports the client's IP
-                      address and port number, and the query name,
-                      class and type.  Next it reports whether the
-                      Recursion Desired flag was set (+ if set, -
-                      if not set), if the query was signed (S),
-                      EDNS was in use (E), if TCP was used (T), if
-                      DO (DNSSEC Ok) was set (D), or if CD (Checking
-                      Disabled) was set (C).  After this the
-                      destination address the query was sent to is
-                      reported.
-                    </p>
-
-                    <p>
-                      <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
-                    </p>
-                    <p>
-                      <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
-                    </p>
-                    <p>
-                      (The first part of this log message, showing the
-                      client address/port number and query name, is
-                      repeated in all subsequent log messages related
-                      to the same query.)
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">query-errors</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Information about queries that resulted in some
-                      failure.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">dispatch</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Dispatching of incoming packets to the
-                      server modules where they are to be processed.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">dnssec</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      DNSSEC and TSIG protocol processing.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">lame-servers</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Lame servers.  These are misconfigurations
-                      in remote servers, discovered by BIND 9 when trying to
-                      query those servers during resolution.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">delegation-only</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Delegation only.  Logs queries that have been
-                      forced to NXDOMAIN as the result of a
-                      delegation-only zone or a
-                      <span><strong class="command">delegation-only</strong></span> in a hint
-                      or stub zone declaration.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">edns-disabled</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Log queries that have been forced to use plain
-                      DNS due to timeouts.  This is often due to
-                      the remote servers not being RFC 1034 compliant
-                      (not always returning FORMERR or similar to
-                      EDNS queries and other extensions to the DNS
-                      when they are not understood).  In other words, this is
-                      targeted at servers that fail to respond to
-                      DNS queries that they don't understand.
-                    </p>
-                    <p>
-                      Note: the log message can also be due to
-                      packet loss.  Before reporting servers for
-                      non-RFC 1034 compliance they should be re-tested
-                      to determine the nature of the non-compliance.
-                      This testing should prevent or reduce the
-                      number of false-positive reports.
-                    </p>
-                    <p>
-                      Note: eventually <span><strong class="command">named</strong></span> will have to stop
-                      treating such timeouts as due to RFC 1034 non
-                      compliance and start treating it as plain
-                      packet loss.  Falsely classifying packet
-                      loss as due to RFC 1034 non compliance impacts
-                      on DNSSEC validation which requires EDNS for
-                      the DNSSEC records to be returned.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">RPZ</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Information about errors in response policy zone files,
-                      rewritten responses, and at the highest
-                      <span><strong class="command">debug</strong></span> levels, mere rewriting
-                      attempts.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2577777"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
-<p>
-            The <span><strong class="command">query-errors</strong></span> category is
-            specifically intended for debugging purposes: To identify
-            why and how specific queries result in responses which
-            indicate an error.
-            Messages of this category are therefore only logged
-            with <span><strong class="command">debug</strong></span> levels.
-          </p>
-<p>
-            At the debug levels of 1 or higher, each response with the
-            rcode of SERVFAIL is logged as follows:
-          </p>
-<p>
-            <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
-          </p>
-<p>
-            This means an error resulting in SERVFAIL was
-            detected at line 3880 of source file
-            <code class="filename">query.c</code>.
-            Log messages of this level will particularly
-            help identify the cause of SERVFAIL for an
-            authoritative server.
-          </p>
-<p>
-            At the debug levels of 2 or higher, detailed context
-            information of recursive resolutions that resulted in
-            SERVFAIL is logged.
-            The log message will look like as follows:
-          </p>
-<p>
-
-            </p>
-<pre class="programlisting">
-fetch completed at resolver.c:2970 for www.example.com/A
-in 30.000183: timed out/success [domain:example.com,
-referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
-badresp:1,adberr:0,findfail:0,valfail:0]
-            </pre>
-<p>
-          </p>
-<p>
-            The first part before the colon shows that a recursive
-            resolution for AAAA records of www.example.com completed
-            in 30.000183 seconds and the final result that led to the
-            SERVFAIL was determined at line 2970 of source file
-            <code class="filename">resolver.c</code>.
-          </p>
-<p>
-            The following part shows the detected final result and the
-            latest result of DNSSEC validation.
-            The latter is always success when no validation attempt
-            is made.
-            In this example, this query resulted in SERVFAIL probably
-            because all name servers are down or unreachable, leading
-            to a timeout in 30 seconds.
-            DNSSEC validation was probably not attempted.
-          </p>
-<p>
-            The last part enclosed in square brackets shows statistics
-            information collected for this particular resolution
-            attempt.
-            The <code class="varname">domain</code> field shows the deepest zone
-            that the resolver reached;
-            it is the zone where the error was finally detected.
-            The meaning of the other fields is summarized in the
-            following table.
-          </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p><code class="varname">referral</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of referrals the resolver received
-                      throughout the resolution process.
-                      In the above example this is 2, which are most
-                      likely com and example.com.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">restart</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of cycles that the resolver tried
-                      remote servers at the <code class="varname">domain</code>
-                      zone.
-                      In each cycle the resolver sends one query
-                      (possibly resending it, depending on the response)
-                      to each known name server of
-                      the <code class="varname">domain</code> zone.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">qrysent</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of queries the resolver sent at the
-                      <code class="varname">domain</code> zone.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">timeout</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of timeouts since the resolver
-                      received the last response.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">lame</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of lame servers the resolver detected
-                      at the <code class="varname">domain</code> zone.
-                      A server is detected to be lame either by an
-                      invalid response or as a result of lookup in
-                      BIND9's address database (ADB), where lame
-                      servers are cached.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">neterr</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of erroneous results that the
-                      resolver encountered in sending queries
-                      at the <code class="varname">domain</code> zone.
-                      One common case is the remote server is
-                      unreachable and the resolver receives an ICMP
-                      unreachable error message.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">badresp</code></p>
-                  </td>
-<td>
-                    <p>
-                      The number of unexpected responses (other than
-                      <code class="varname">lame</code>) to queries sent by the
-                      resolver at the <code class="varname">domain</code> zone.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">adberr</code></p>
-                  </td>
-<td>
-                    <p>
-                      Failures in finding remote server addresses
-                      of the <code class="varname">domain</code> zone in the ADB.
-                      One common case of this is that the remote
-                      server's name does not have any address records.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">findfail</code></p>
-                  </td>
-<td>
-                    <p>
-                      Failures of resolving remote server addresses.
-                      This is a total number of failures throughout
-                      the resolution process.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><code class="varname">valfail</code></p>
-                  </td>
-<td>
-                    <p>
-                      Failures of DNSSEC validation.
-                      Validation failures are counted throughout
-                      the resolution process (not limited to
-                      the <code class="varname">domain</code> zone), but should
-                      only happen in <code class="varname">domain</code>.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-            At the debug levels of 3 or higher, the same messages
-            as those at the debug 1 level are logged for other errors
-            than SERVFAIL.
-            Note that negative responses such as NXDOMAIN are not
-            regarded as errors here.
-          </p>
-<p>
-            At the debug levels of 4 or higher, the same messages
-            as those at the debug 2 level are logged for other errors
-            than SERVFAIL.
-            Unlike the above case of level 3, messages are logged for
-            negative responses.
-            This is because any unexpected results can be difficult to
-            debug in the recursion case.
-          </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578364"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
-<p>
-           This is the grammar of the <span><strong class="command">lwres</strong></span>
-          statement in the <code class="filename">named.conf</code> file:
-        </p>
-<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
-    [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
-                [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
-    [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
-    [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578438"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>
-          The <span><strong class="command">lwres</strong></span> statement configures the
-          name
-          server to also act as a lightweight resolver server. (See
-          <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.)  There may be multiple
-          <span><strong class="command">lwres</strong></span> statements configuring
-          lightweight resolver servers with different properties.
-        </p>
-<p>
-          The <span><strong class="command">listen-on</strong></span> statement specifies a
-          list of
-          addresses (and ports) that this instance of a lightweight resolver
-          daemon
-          should accept requests on.  If no port is specified, port 921 is
-          used.
-          If this statement is omitted, requests will be accepted on
-          127.0.0.1,
-          port 921.
-        </p>
-<p>
-          The <span><strong class="command">view</strong></span> statement binds this
-          instance of a
-          lightweight resolver daemon to a view in the DNS namespace, so that
-          the
-          response will be constructed in the same manner as a normal DNS
-          query
-          matching this view.  If this statement is omitted, the default view
-          is
-          used, and if there is no default view, an error is triggered.
-        </p>
-<p>
-          The <span><strong class="command">search</strong></span> statement is equivalent to
-          the
-          <span><strong class="command">search</strong></span> statement in
-          <code class="filename">/etc/resolv.conf</code>.  It provides a
-          list of domains
-          which are appended to relative names in queries.
-        </p>
-<p>
-          The <span><strong class="command">ndots</strong></span> statement is equivalent to
-          the
-          <span><strong class="command">ndots</strong></span> statement in
-          <code class="filename">/etc/resolv.conf</code>.  It indicates the
-          minimum
-          number of dots in a relative domain name that should result in an
-          exact match lookup before search path elements are appended.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578502"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">
-<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | 
-      <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578546"></a><span><strong class="command">masters</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
-<p><span><strong class="command">masters</strong></span>
-          lists allow for a common set of masters to be easily used by
-          multiple stub and slave zones in their <span><strong class="command">masters</strong></span>
-          or <span><strong class="command">also-notify</strong></span> lists.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578567"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
-<p>
-          This is the grammar of the <span><strong class="command">options</strong></span>
-          statement in the <code class="filename">named.conf</code> file:
-        </p>
-<pre class="programlisting"><span><strong class="command">options</strong></span> {
-    [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
-    [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
-    [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
-    [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
-    [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
-    [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
-    [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
-    [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
-    [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
-    [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
-    [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
-    [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
-    [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
-    [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
-    [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
-                        <em class="replaceable"><code>no</code></em> |
-                        <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
-    [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
-    [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
-        ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
-          <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; 
-        ... }; </span>]
-    [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
-        ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
-    [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
-    [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
-    [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
-    [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
-    [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
-    [<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
-    [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
-    [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
-    [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
-    [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
-    [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
-    [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
-    [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
-        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
-        [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
-        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
-    [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
-        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] | 
-        [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 
-        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
-    [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
-    [<span class="optional"> transfers-in  <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
-                             [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
-    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em>
-                    [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ;
-                    [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
-    [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
-    [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
-    [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
-    [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
-    [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
-    [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
-    [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
-    [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> dns64 <em class="replaceable"><code>IPv6-prefix</code></em> {
-        [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-        [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-        [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-        [<span class="optional"> suffix IPv6-address; </span>]
-        [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-        [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    }; </span>];
-    [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
-    [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
-    [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
-    [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
-    [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
-                                [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
-    [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
-    [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
-    [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
-    [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
-    [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
-    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
-    [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
-    [<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em>
-        [<span class="optional"> policy given | disabled | passthru | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> </span>]
-        [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] ;
-    } [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
-        [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>] ; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
-          Usage</h3></div></div></div>
-<p>
-          The <span><strong class="command">options</strong></span> statement sets up global
-          options
-          to be used by <acronym class="acronym">BIND</acronym>. This statement
-          may appear only
-          once in a configuration file. If there is no <span><strong class="command">options</strong></span>
-          statement, an options block with each option set to its default will
-          be used.
-        </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
-<dd>
-<p>
-                  Allows multiple views to share a single cache
-                  database.
-                  Each view has its own cache database by default, but
-                  if multiple views have the same operational policy
-                  for name resolution and caching, those views can
-                  share a single cache to save memory and possibly
-                  improve resolution efficiency by using this option.
-                </p>
-<p>
-                  The <span><strong class="command">attach-cache</strong></span> option
-                  may also be specified in <span><strong class="command">view</strong></span>
-                  statements, in which case it overrides the
-                  global <span><strong class="command">attach-cache</strong></span> option.
-                </p>
-<p>
-                  The <em class="replaceable"><code>cache_name</code></em> specifies
-                  the cache to be shared.
-                  When the <span><strong class="command">named</strong></span> server configures
-                  views which are supposed to share a cache, it
-                  creates a cache with the specified name for the
-                  first view of these sharing views.
-                  The rest of the views will simply refer to the
-                  already created cache.
-                </p>
-<p>
-                  One common configuration to share a cache would be to
-                  allow all views to share a single cache.
-                  This can be done by specifying
-                  the <span><strong class="command">attach-cache</strong></span> as a global
-                  option with an arbitrary name.
-                </p>
-<p>
-                  Another possible operation is to allow a subset of
-                  all views to share a cache while the others to
-                  retain their own caches.
-                  For example, if there are three views A, B, and C,
-                  and only A and B should share a cache, specify the
-                  <span><strong class="command">attach-cache</strong></span> option as a view A (or
-                  B)'s option, referring to the other view name:
-                </p>
-<pre class="programlisting">
-  view "A" {
-    // this view has its own cache
-    ...
-  };
-  view "B" {
-    // this view refers to A's cache
-    attach-cache "A";
-  };
-  view "C" {
-    // this view has its own cache
-    ...
-  };
-</pre>
-<p>
-                  Views that share a cache must have the same policy
-                  on configurable parameters that may affect caching.
-                  The current implementation requires the following
-                  configurable options be consistent among these
-                  views:
-                  <span><strong class="command">check-names</strong></span>,
-                  <span><strong class="command">cleaning-interval</strong></span>,
-                  <span><strong class="command">dnssec-accept-expired</strong></span>,
-                  <span><strong class="command">dnssec-validation</strong></span>,
-                  <span><strong class="command">max-cache-ttl</strong></span>,
-                  <span><strong class="command">max-ncache-ttl</strong></span>,
-                  <span><strong class="command">max-cache-size</strong></span>, and
-                  <span><strong class="command">zero-no-soa-ttl</strong></span>.
-                </p>
-<p>
-                  Note that there may be other parameters that may
-                  cause confusion if they are inconsistent for
-                  different views that share a single cache.
-                  For example, if these views define different sets of
-                  forwarders that can return different answers for the
-                  same question, sharing the answer does not make
-                  sense or could even be harmful.
-                  It is administrator's responsibility to ensure
-                  configuration differences in different views do
-                  not cause disruption with a shared cache.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
-<dd><p>
-                The working directory of the server.
-                Any non-absolute pathnames in the configuration file will be
-                taken
-                as relative to this directory. The default location for most
-                server
-                output files (e.g. <code class="filename">named.run</code>)
-                is this directory.
-                If a directory is not specified, the working directory
-                defaults to `<code class="filename">.</code>', the directory from
-                which the server
-                was started. The directory specified should be an absolute
-                path.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>
-                When performing dynamic update of secure zones, the
-                directory where the public and private DNSSEC key files
-                should be found, if different than the current working
-                directory.  (Note that this option has no effect on the
-                paths for files containing non-DNSSEC keys such as
-                <code class="filename">bind.keys</code>,
-                <code class="filename">rndc.key</code> or
-                <code class="filename">session.key</code>.)
-              </p></dd>
-<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
-<dd>
-<p>
-                Specifies the directory in which to store the files that
-                track managed DNSSEC keys.  By default, this is the working
-                directory.
-              </p>
-<p>
-                If <span><strong class="command">named</strong></span> is not configured to use views,
-                then managed keys for the server will be tracked in a single
-                file called <code class="filename">managed-keys.bind</code>.
-                Otherwise, managed keys will be tracked in separate files,
-                one file per view; each file name will be the SHA256 hash
-                of the view name, followed by the extension
-                <code class="filename">.mkeys</code>.
-              </p>
-</dd>
-<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
-<dd><p>
-                <span class="emphasis"><em>This option is obsolete.</em></span> It
-                was used in <acronym class="acronym">BIND</acronym> 8 to specify
-                the pathname to the <span><strong class="command">named-xfer</strong></span>
-                program.  In <acronym class="acronym">BIND</acronym> 9, no separate
-                <span><strong class="command">named-xfer</strong></span> program is needed;
-                its functionality is built into the name server.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
-<dd><p>
-                The KRB5 keytab file to use for GSS-TSIG updates. If
-                this option is set and tkey-gssapi-credential is not
-                set, then updates will be allowed with any key
-                matching a principal in the specified keytab.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
-<dd><p>
-                The security credential with which the server should
-                authenticate keys requested by the GSS-TSIG protocol.
-                Currently only Kerberos 5 authentication is available
-                and the credential is a Kerberos principal which the
-                server can acquire through the default system key
-                file, normally <code class="filename">/etc/krb5.keytab</code>.
-                The location keytab file can be overridden using the
-                tkey-gssapi-keytab option. Normally this principal is
-                of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
-                To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
-                also be set if a specific keytab is not set with
-                tkey-gssapi-keytab.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
-<dd><p>
-                The domain appended to the names of all shared keys
-                generated with <span><strong class="command">TKEY</strong></span>.  When a
-                client requests a <span><strong class="command">TKEY</strong></span> exchange,
-                it may or may not specify the desired name for the
-                key. If present, the name of the shared key will
-                be <code class="varname">client specified part</code> +
-                <code class="varname">tkey-domain</code>.  Otherwise, the
-                name of the shared key will be <code class="varname">random hex
-                digits</code> + <code class="varname">tkey-domain</code>.
-                In most cases, the <span><strong class="command">domainname</strong></span>
-                should be the server's domain name, or an otherwise
-                non-existent subdomain like
-                "_tkey.<code class="varname">domainname</code>".  If you are
-                using GSS-TSIG, this variable must be defined, unless
-                you specify a specific keytab using tkey-gssapi-keytab.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
-<dd><p>
-                The Diffie-Hellman key used by the server
-                to generate shared keys with clients using the Diffie-Hellman
-                mode
-                of <span><strong class="command">TKEY</strong></span>. The server must be
-                able to load the
-                public and private keys from files in the working directory.
-                In
-                most cases, the keyname should be the server's host name.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
-<dd><p>
-                This is for testing only.  Do not use.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
-<dd><p>
-                The pathname of the file the server dumps
-                the database to when instructed to do so with
-                <span><strong class="command">rndc dumpdb</strong></span>.
-                If not specified, the default is <code class="filename">named_dump.db</code>.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
-<dd><p>
-                The pathname of the file the server writes memory
-                usage statistics to on exit. If not specified,
-                the default is <code class="filename">named.memstats</code>.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
-<dd><p>
-                The pathname of the file the server writes its process ID
-                in. If not specified, the default is
-                <code class="filename">/var/run/named/named.pid</code>.
-                The PID file is used by programs that want to send signals to
-                the running
-                name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
-                use of a PID file &#8212; no file will be written and any
-                existing one will be removed.  Note that <span><strong class="command">none</strong></span>
-                is a keyword, not a filename, and therefore is not enclosed
-                in
-                double quotes.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
-<dd><p>
-                The pathname of the file the server dumps
-                the queries that are currently recursing when instructed
-                to do so with <span><strong class="command">rndc recursing</strong></span>.
-                If not specified, the default is <code class="filename">named.recursing</code>.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
-<dd><p>
-                The pathname of the file the server appends statistics
-                to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
-                If not specified, the default is <code class="filename">named.stats</code> in the
-                server's current directory.  The format of the file is
-                described
-                in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
-<dd><p>
-                The pathname of a file to override the built-in trusted
-                keys provided by <span><strong class="command">named</strong></span>.
-                See the discussion of <span><strong class="command">dnssec-lookaside</strong></span>
-                and <span><strong class="command">dnssec-validation</strong></span> for details. 
-                If not specified, the default is
-                <code class="filename">/etc/bind.keys</code>.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
-<dd><p>
-                The pathname of the file the server dumps
-                security roots to when instructed to do so with
-                <span><strong class="command">rndc secroots</strong></span>.
-                If not specified, the default is
-                <code class="filename">named.secroots</code>.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
-<dd><p>
-                The pathname of the file into which to write a TSIG
-                session key generated by <span><strong class="command">named</strong></span> for use by
-                <span><strong class="command">nsupdate -l</strong></span>.  If not specified, the
-                default is <code class="filename">/var/run/named/session.key</code>.
-                (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>, and in
-                particular the discussion of the
-                <span><strong class="command">update-policy</strong></span> statement's
-                <strong class="userinput"><code>local</code></strong> option for more
-                information about this feature.)
-              </p></dd>
-<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt>
-<dd><p>
-                The key name to use for the TSIG session key.
-                If not specified, the default is "local-ddns".
-              </p></dd>
-<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt>
-<dd><p>
-                The algorithm to use for the TSIG session key.
-                Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
-                hmac-sha384, hmac-sha512 and hmac-md5.  If not
-                specified, the default is hmac-sha256.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
-<dd><p>
-                The UDP/TCP port number the server uses for
-                receiving and sending DNS protocol traffic.
-                The default is 53.  This option is mainly intended for server
-                testing;
-                a server using a port other than 53 will not be able to
-                communicate with
-                the global DNS.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
-<dd><p>
-                The source of entropy to be used by the server.  Entropy is
-                primarily needed
-                for DNSSEC operations, such as TKEY transactions and dynamic
-                update of signed
-                zones.  This options specifies the device (or file) from which
-                to read
-                entropy.  If this is a file, operations requiring entropy will
-                fail when the
-                file has been exhausted.  If not specified, the default value
-                is
-                <code class="filename">/dev/random</code>
-                (or equivalent) when present, and none otherwise.  The
-                <span><strong class="command">random-device</strong></span> option takes
-                effect during
-                the initial configuration load at server startup time and
-                is ignored on subsequent reloads.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
-<dd><p>
-                If specified, the listed type (A or AAAA) will be emitted
-                before other glue
-                in the additional section of a query response.
-                The default is not to prefer any type (NONE).
-              </p></dd>
-<dt>
-<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
-</dt>
-<dd>
-<p>
-                Turn on enforcement of delegation-only in TLDs
-                (top level domains) and root zones with an optional
-                exclude list.
-              </p>
-<p>
-                DS queries are expected to be made to and be answered by
-                delegation only zones.  Such queries and responses are
-                treated as an exception to delegation-only processing
-                and are not converted to NXDOMAIN responses provided
-                a CNAME is not discovered at the query name.
-              </p>
-<p>
-                If a delegation only zone server also serves a child
-                zone it is not always possible to determine whether
-                an answer comes from the delegation only zone or the
-                child zone.  SOA NS and DNSKEY records are apex
-                only records and a matching response that contains
-                these records or DS is treated as coming from a
-                child zone.  RRSIG records are also examined to see
-                if they are signed by a child zone or not.  The
-                authority section is also examined to see if there
-                is evidence that the answer is from the child zone.
-                Answers that are determined to be from a child zone
-                are not converted to NXDOMAIN responses.  Despite
-                all these checks there is still a possibility of
-                false negatives when a child zone is being served.
-              </p>
-<p>
-                Similarly false positives can arise from empty nodes
-                (no records at the name) in the delegation only zone
-                when the query type is not ANY.
-              </p>
-<p>
-                Note some TLDs are not delegation only (e.g. "DE", "LV",
-                "US" and "MUSEUM").  This list is not exhaustive.
-              </p>
-<pre class="programlisting">
-options {
-        root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
-};
-</pre>
-</dd>
-<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
-<dd><p>
-                Disable the specified DNSSEC algorithms at and below the
-                specified name.
-                Multiple <span><strong class="command">disable-algorithms</strong></span>
-                statements are allowed.
-                Only the most specific will be applied.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
-<dd>
-<p>
-                When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
-                validator with an alternate method to validate DNSKEY
-                records at the top of a zone.  When a DNSKEY is at or
-                below a domain specified by the deepest
-                <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC
-                validation has left the key untrusted, the trust-anchor
-                will be appended to the key name and a DLV record will be
-                looked up to see if it can validate the key.  If the DLV
-                record validates a DNSKEY (similarly to the way a DS
-                record does) the DNSKEY RRset is deemed to be trusted.
-              </p>
-<p>
-                If <span><strong class="command">dnssec-lookaside</strong></span> is set to
-                <strong class="userinput"><code>auto</code></strong>, then built-in default
-                values for the DLV domain and trust anchor will be
-                used, along with a built-in key for validation.
-              </p>
-<p>
-                If <span><strong class="command">dnssec-lookaside</strong></span> is set to
-                <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
-                is not used.
-              </p>
-<p>
-                The default DLV key is stored in the file
-                <code class="filename">bind.keys</code>;
-                <span><strong class="command">named</strong></span> will load that key at
-                startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to
-                <code class="constant">auto</code>.  A copy of the file is
-                installed along with <acronym class="acronym">BIND</acronym> 9, and is
-                current as of the release date.  If the DLV key expires, a
-                new copy of <code class="filename">bind.keys</code> can be downloaded
-                from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
-              </p>
-<p>
-                (To prevent problems if <code class="filename">bind.keys</code> is
-                not found, the current key is also compiled in to
-                <span><strong class="command">named</strong></span>.  Relying on this is not
-                recommended, however, as it requires <span><strong class="command">named</strong></span>
-                to be recompiled with a new key when the DLV key expires.)
-              </p>
-<p>
-                NOTE: <span><strong class="command">named</strong></span> only loads certain specific
-                keys from <code class="filename">bind.keys</code>:  those for the
-                DLV zone and for the DNS root zone.  The file cannot be
-                used to store keys for other zones.
-              </p>
-</dd>
-<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
-<dd><p>
-                Specify hierarchies which must be or may not be secure
-                (signed and validated).  If <strong class="userinput"><code>yes</code></strong>,
-                then <span><strong class="command">named</strong></span> will only accept answers if
-                they are secure.  If <strong class="userinput"><code>no</code></strong>, then normal
-                DNSSEC validation applies allowing for insecure answers to
-                be accepted.  The specified domain must be under a
-                <span><strong class="command">trusted-keys</strong></span> or
-                <span><strong class="command">managed-keys</strong></span> statement, or
-                <span><strong class="command">dnssec-lookaside</strong></span> must be active.
-              </p></dd>
-<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
-<dd>
-<p>
-                This directive instructs <span><strong class="command">named</strong></span> to
-                return mapped IPv4 addresses to AAAA queries when
-                there are no AAAA records.  It is intended to be
-                used in conjunction with a NAT64.  Each
-                <span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
-                Multiple DNS64 prefixes can be defined.
-              </p>
-<p>
-                Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
-                64 and 96 as per RFC 6052.
-              </p>
-<p>
-                Additionally a reverse IP6.ARPA zone will be created for
-                the prefix to provide a mapping from the IP6.ARPA names
-                to the corresponding IN-ADDR.ARPA names using synthesized
-                CNAMEs.  <span><strong class="command">dns64-server</strong></span> and
-                <span><strong class="command">dns64-contact</strong></span> can be used to specify
-                the name of the server and contact for the zones. These
-                are settable at the view / options level.  These are
-                not settable on a per-prefix basis.
-              </p>
-<p>
-                Each <span><strong class="command">dns64</strong></span> supports an optional
-                <span><strong class="command">clients</strong></span> ACL that determines which
-                clients are affected by this directive.  If not defined,
-                it defaults to <strong class="userinput"><code>any;</code></strong>.
-              </p>
-<p>
-                Each <span><strong class="command">dns64</strong></span> supports an optional
-                <span><strong class="command">mapped</strong></span> ACL that selects which
-                IPv4 addresses are to be mapped in the corresponding    
-                A RRset.  If not defined it defaults to
-                <strong class="userinput"><code>any;</code></strong>.
-              </p>
-<p>
-                Normally, DNS64 won't apply to a domain name that
-                owns one or more AAAA records; these records will
-                simply be returned.  The optional
-                <span><strong class="command">exclude</strong></span> ACL allows specification
-                of a list of IPv6 addresses that will be ignored
-                if they appear in a domain name's AAAA records, and
-                DNS64 will be applied to any A records the domain
-                name owns.  If not defined, <span><strong class="command">exclude</strong></span>
-                defaults to none.
-              </p>
-<p>
-                A optional <span><strong class="command">suffix</strong></span> can also
-                be defined to set the bits trailing the mapped
-                IPv4 address bits.  By default these bits are
-                set to <strong class="userinput"><code>::</code></strong>.  The bits
-                matching the prefix and mapped IPv4 address
-                must be zero.
-              </p>
-<p>
-                If <span><strong class="command">recursive-only</strong></span> is set to
-                <span><strong class="command">yes</strong></span> the DNS64 synthesis will
-                only happen for recursive queries.  The default
-                is <span><strong class="command">no</strong></span>.
-              </p>
-<p>
-                If <span><strong class="command">break-dnssec</strong></span> is set to
-                <span><strong class="command">yes</strong></span> the DNS64 synthesis will
-                happen even if the result, if validated, would
-                cause a DNSSEC validation failure.  If this option
-                is set to <span><strong class="command">no</strong></span> (the default), the DO
-                is set on the incoming query, and there are RRSIGs on
-                the applicable records, then synthesis will not happen.
-              </p>
-<pre class="programlisting">
-        acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
-
-        dns64 64:FF9B::/96 {
-                clients { any; };
-                mapped { !rfc1918; any; };
-                exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
-                suffix ::;
-        };
-</pre>
-</dd>
-<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
-<dd>
-<p>
-                  If this option is set to its default value of
-                  <code class="literal">maintain</code> in a zone of type
-                  <code class="literal">master</code> which is DNSSEC-signed
-                  and configured to allow dynamic updates (see
-                  <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>), and
-                  if <span><strong class="command">named</strong></span> has access to the
-                  private signing key(s) for the zone, then
-                  <span><strong class="command">named</strong></span> will automatically sign all new
-                  or changed records and maintain signatures for the zone
-                  by regenerating RRSIG records whenever they approach
-                  their expiration date.
-                </p>
-<p>
-                  If the option is changed to <code class="literal">no-resign</code>,
-                  then <span><strong class="command">named</strong></span> will sign all new or
-                  changed records, but scheduled maintenance of
-                  signatures is disabled.
-                </p>
-<p>
-                  With either of these settings, <span><strong class="command">named</strong></span>
-                  will reject updates to a DNSSEC-signed zone when the
-                  signing keys are inactive or unavailable to
-                  <span><strong class="command">named</strong></span>.  (A planned third option,
-                  <code class="literal">external</code>, will disable all automatic
-                  signing and allow DNSSEC data to be submitted into a zone
-                  via dyanmic update; this is not yet implemented.)
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd>
-<p>
-                If <strong class="userinput"><code>full</code></strong>, the server will collect
-                statistical data on all zones (unless specifically
-                turned off on a per-zone basis by specifying
-                <span><strong class="command">zone-statistics terse</strong></span> or
-                <span><strong class="command">zone-statistics none</strong></span>
-                in the <span><strong class="command">zone</strong></span> statement).
-                The default is <strong class="userinput"><code>terse</code></strong>, providing
-                minimal statistics on zones (including name and
-                current serial number, but not query type
-                counters).
-              </p>
-<p>
-                These statistics may be accessed via the
-                <span><strong class="command">statistics-channel</strong></span> or
-                using <span><strong class="command">rndc stats</strong></span>, which
-                will dump them to the file listed
-                in the <span><strong class="command">statistics-file</strong></span>.  See
-                also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-              </p>
-<p>
-                For backward compatibility with earlier versions
-                of BIND 9, the <span><strong class="command">zone-statistics</strong></span>
-                option can also accept <strong class="userinput"><code>yes</code></strong>
-                or <strong class="userinput"><code>no</code></strong>, which have the same
-                effect as <strong class="userinput"><code>full</code></strong> and
-                <strong class="userinput"><code>terse</code></strong>, respectively.
-              </p>
-</dd>
-</dl></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt>
-<dd><p>
-                  If <strong class="userinput"><code>yes</code></strong>, then zones can be
-                  added at runtime via <span><strong class="command">rndc addzone</strong></span>
-                  or deleted via <span><strong class="command">rndc delzone</strong></span>.
-                  The default is <strong class="userinput"><code>no</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
-<dd><p>
-                  If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
-                  is always set on NXDOMAIN responses, even if the server is
-                  not actually
-                  authoritative. The default is <strong class="userinput"><code>no</code></strong>;
-                  this is
-                  a change from <acronym class="acronym">BIND</acronym> 8. If you
-                  are using very old DNS software, you
-                  may need to set it to <strong class="userinput"><code>yes</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
-<dd><p>
-                  This option was used in <acronym class="acronym">BIND</acronym>
-                  8 to enable checking
-                  for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
-                  the checks.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt>
-<dd><p>
-                  Write memory statistics to the file specified by
-                  <span><strong class="command">memstatistics-file</strong></span> at exit.
-                  The default is <strong class="userinput"><code>no</code></strong> unless
-                  '-m record' is specified on the command line in
-                  which case it is <strong class="userinput"><code>yes</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd>
-<p>
-                  If <strong class="userinput"><code>yes</code></strong>, then the
-                  server treats all zones as if they are doing zone transfers
-                  across
-                  a dial-on-demand dialup link, which can be brought up by
-                  traffic
-                  originating from this server. This has different effects
-                  according
-                  to zone type and concentrates the zone maintenance so that
-                  it all
-                  happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
-                  hopefully during the one call. It also suppresses some of
-                  the normal
-                  zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-<p>
-                  The <span><strong class="command">dialup</strong></span> option
-                  may also be specified in the <span><strong class="command">view</strong></span> and
-                  <span><strong class="command">zone</strong></span> statements,
-                  in which case it overrides the global <span><strong class="command">dialup</strong></span>
-                  option.
-                </p>
-<p>
-                  If the zone is a master zone, then the server will send out a
-                  NOTIFY
-                  request to all the slaves (default). This should trigger the
-                  zone serial
-                  number check in the slave (providing it supports NOTIFY)
-                  allowing the slave
-                  to verify the zone while the connection is active.
-                  The set of servers to which NOTIFY is sent can be controlled
-                  by
-                  <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
-                </p>
-<p>
-                  If the
-                  zone is a slave or stub zone, then the server will suppress
-                  the regular
-                  "zone up to date" (refresh) queries and only perform them
-                  when the
-                  <span><strong class="command">heartbeat-interval</strong></span> expires in
-                  addition to sending
-                  NOTIFY requests.
-                </p>
-<p>
-                  Finer control can be achieved by using
-                  <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
-                  messages,
-                  <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
-                  messages and
-                  suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
-                  which suppresses normal refresh processing and sends refresh
-                  queries
-                  when the <span><strong class="command">heartbeat-interval</strong></span>
-                  expires, and
-                  <strong class="userinput"><code>passive</code></strong> which just disables normal
-                  refresh
-                  processing.
-                </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                          <p>
-                            dialup mode
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            normal refresh
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            heart-beat refresh
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            heart-beat notify
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span><strong class="command">no</strong></span> (default)</p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span><strong class="command">yes</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span><strong class="command">notify</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span><strong class="command">refresh</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span><strong class="command">passive</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-</tr>
-<tr>
-<td>
-                          <p><span><strong class="command">notify-passive</strong></span></p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            no
-                          </p>
-                        </td>
-<td>
-                          <p>
-                            yes
-                          </p>
-                        </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-                  Note that normal NOTIFY processing is not affected by
-                  <span><strong class="command">dialup</strong></span>.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
-<dd><p>
-                  In <acronym class="acronym">BIND</acronym> 8, this option
-                  enabled simulating the obsolete DNS query type
-                  IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
-                  IQUERY simulation.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
-<dd><p>
-                  This option is obsolete.
-                  In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
-                  caused the server to attempt to fetch glue resource records
-                  it
-                  didn't have when constructing the additional
-                  data section of a response.  This is now considered a bad
-                  idea
-                  and BIND 9 never does it.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
-<dd><p>
-                  When the nameserver exits due receiving SIGTERM,
-                  flush or do not flush any pending zone writes.  The default
-                  is
-                  <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
-<dd><p>
-                  This option was incorrectly implemented
-                  in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
-                  To achieve the intended effect
-                  of
-                  <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
-                  the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
-                  and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
-<dd><p>
-                  In BIND 8, this enables keeping of
-                  statistics for every host that the name server interacts
-                  with.
-                  Not implemented in BIND 9.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
-<dd><p>
-                  <span class="emphasis"><em>This option is obsolete</em></span>.
-                  It was used in <acronym class="acronym">BIND</acronym> 8 to
-                  determine whether a transaction log was
-                  kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
-                  log whenever possible.  If you need to disable outgoing
-                  incremental zone
-                  transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
-<dd><p>
-                  If <strong class="userinput"><code>yes</code></strong>, then when generating
-                  responses the server will only add records to the authority
-                  and additional data sections when they are required (e.g.
-                  delegations, negative responses).  This may improve the
-                  performance of the server.
-                  The default is <strong class="userinput"><code>no</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
-<dd><p>
-                  This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
-                  a domain name to have multiple CNAME records in violation of
-                  the DNS standards.  <acronym class="acronym">BIND</acronym> 9.2 onwards
-                  always strictly enforces the CNAME rules both in master
-                  files and dynamic updates.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd>
-<p>
-                  If <strong class="userinput"><code>yes</code></strong> (the default),
-                  DNS NOTIFY messages are sent when a zone the server is
-                  authoritative for
-                  changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are
-                  sent to the
-                  servers listed in the zone's NS records (except the master
-                  server identified
-                  in the SOA MNAME field), and to any servers listed in the
-                  <span><strong class="command">also-notify</strong></span> option.
-                </p>
-<p>
-                  If <strong class="userinput"><code>master-only</code></strong>, notifies are only
-                  sent
-                  for master zones.
-                  If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
-                  to
-                  servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
-                  If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
-                </p>
-<p>
-                  The <span><strong class="command">notify</strong></span> option may also be
-                  specified in the <span><strong class="command">zone</strong></span>
-                  statement,
-                  in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
-                  It would only be necessary to turn off this option if it
-                  caused slaves
-                  to crash.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
-<dd><p>
-                  If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
-                  in the NS RRset against the SOA MNAME.  Normally a NOTIFY
-                  message is not sent to the SOA MNAME (SOA ORIGIN) as it is
-                  supposed to contain the name of the ultimate master.
-                  Sometimes, however, a slave is listed as the SOA MNAME in
-                  hidden master configurations and in that case you would
-                  want the ultimate master to still send NOTIFY messages to
-                  all the nameservers listed in the NS RRset.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
-<dd><p>
-                  If <strong class="userinput"><code>yes</code></strong>, and a
-                  DNS query requests recursion, then the server will attempt
-                  to do
-                  all the work required to answer the query. If recursion is
-                  off
-                  and the server does not already know the answer, it will
-                  return a
-                  referral response. The default is
-                  <strong class="userinput"><code>yes</code></strong>.
-                  Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
-                  clients from getting data from the server's cache; it only
-                  prevents new data from being cached as an effect of client
-                  queries.
-                  Caching may still occur as an effect the server's internal
-                  operation, such as NOTIFY address lookups.
-                  See also <span><strong class="command">fetch-glue</strong></span> above.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt>
-<dd><p>
-                  If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
-                  NSID (Name Server Identifier) option is sent with all 
-                  queries to authoritative name servers during iterative
-                  resolution. If the authoritative server returns an NSID
-                  option in its response, then its contents are logged in
-                  the <span><strong class="command">resolver</strong></span> category at level
-                  <span><strong class="command">info</strong></span>.
-                  The default is <strong class="userinput"><code>no</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
-<dd>
-<p>
-                  Setting this to <strong class="userinput"><code>yes</code></strong> will
-                  cause the server to send NS records along with the SOA
-                  record for negative
-                  answers. The default is <strong class="userinput"><code>no</code></strong>.
-                </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                    Not yet implemented in <acronym class="acronym">BIND</acronym>
-                    9.
-                  </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
-<dd><p>
-                  <span class="emphasis"><em>This option is obsolete</em></span>.
-                  <acronym class="acronym">BIND</acronym> 9 always allocates query
-                  IDs from a pool.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
-<dd><p>
-                  <span class="emphasis"><em>This option is obsolete</em></span>.
-                  If you need to disable IXFR to a particular server or
-                  servers, see
-                  the information on the <span><strong class="command">provide-ixfr</strong></span> option
-                  in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
-            Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
-            Usage&#8221;</a>.
-                  See also
-                  <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
-<dd><p>
-                  See the description of
-                  <span><strong class="command">provide-ixfr</strong></span> in
-                  <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
-            Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
-            Usage&#8221;</a>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
-<dd><p>
-                  See the description of
-                  <span><strong class="command">request-ixfr</strong></span> in
-                  <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
-            Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
-            Usage&#8221;</a>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
-<dd><p>
-                  This option was used in <acronym class="acronym">BIND</acronym>
-                  8 to make
-                  the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
-                  as a space or tab character,
-                  to facilitate loading of zone files on a UNIX system that
-                  were generated
-                  on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
-                  and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
-                  are always accepted,
-                  and the option is ignored.
-                </p></dd>
-<dt>
-<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
-</dt>
-<dd>
-<p>
-                  These options control the behavior of an authoritative
-                  server when
-                  answering queries which have additional data, or when
-                  following CNAME
-                  and DNAME chains.
-                </p>
-<p>
-                  When both of these options are set to <strong class="userinput"><code>yes</code></strong>
-                  (the default) and a
-                  query is being answered from authoritative data (a zone
-                  configured into the server), the additional data section of
-                  the
-                  reply will be filled in using data from other authoritative
-                  zones
-                  and from the cache.  In some situations this is undesirable,
-                  such
-                  as when there is concern over the correctness of the cache,
-                  or
-                  in servers where slave zones may be added and modified by
-                  untrusted third parties.  Also, avoiding
-                  the search for this additional data will speed up server
-                  operations
-                  at the possible expense of additional queries to resolve
-                  what would
-                  otherwise be provided in the additional section.
-                </p>
-<p>
-                  For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
-                  and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
-                  records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
-                  if known, even though they are not in the example.com zone.
-                  Setting these options to <span><strong class="command">no</strong></span>
-                  disables this behavior and makes
-                  the server only search for additional data in the zone it
-                  answers from.
-                </p>
-<p>
-                  These options are intended for use in authoritative-only
-                  servers, or in authoritative-only views.  Attempts to set
-                  them to <span><strong class="command">no</strong></span> without also
-                  specifying
-                  <span><strong class="command">recursion no</strong></span> will cause the
-                  server to
-                  ignore the options and log a warning message.
-                </p>
-<p>
-                  Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
-                  disables the use of the cache not only for additional data
-                  lookups
-                  but also when looking up the answer.  This is usually the
-                  desired
-                  behavior in an authoritative-only server where the
-                  correctness of
-                  the cached data is an issue.
-                </p>
-<p>
-                  When a name server is non-recursively queried for a name
-                  that is not
-                  below the apex of any served zone, it normally answers with
-                  an
-                  "upwards referral" to the root servers or the servers of
-                  some other
-                  known parent of the query name.  Since the data in an
-                  upwards referral
-                  comes from the cache, the server will not be able to provide
-                  upwards
-                  referrals when <span><strong class="command">additional-from-cache no</strong></span>
-                  has been specified.  Instead, it will respond to such
-                  queries
-                  with REFUSED.  This should not cause any problems since
-                  upwards referrals are not required for the resolution
-                  process.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
-<dd>
-<p>
-                  If <strong class="userinput"><code>yes</code></strong>, then an
-                  IPv4-mapped IPv6 address will match any address match
-                  list entries that match the corresponding IPv4 address.
-                </p>
-<p>
-                  This option was introduced to work around a kernel quirk
-                  in some operating systems that causes IPv4 TCP
-                  connections, such as zone transfers, to be accepted on an
-                  IPv6 socket using mapped addresses.  This caused address
-                  match lists designed for IPv4 to fail to match.  However,
-                  <span><strong class="command">named</strong></span> now solves this problem
-                  internally.  The use of this option is discouraged.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt>
-<dd>
-<p>
-                  This option is only available when
-                  <acronym class="acronym">BIND</acronym> 9 is compiled with the
-                  <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
-                  "configure" command line.  It is intended to help the
-                  transition from IPv4 to IPv6 by not giving IPv6 addresses
-                  to DNS clients unless they have connections to the IPv6
-                  Internet.  This is not recommended unless absolutely
-                  necessary.  The default is <strong class="userinput"><code>no</code></strong>.
-                  The <span><strong class="command">filter-aaaa-on-v4</strong></span> option
-                  may also be specified in <span><strong class="command">view</strong></span> statements
-                  to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span>
-                  option.
-                </p>
-<p>
-                  If <strong class="userinput"><code>yes</code></strong>,
-                  the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>,
-                  and if the response does not include DNSSEC signatures, 
-                  then all AAAA records are deleted from the response.
-                  This filtering applies to all responses and not only
-                  authoritative responses.
-                </p>
-<p>
-                  If <strong class="userinput"><code>break-dnssec</code></strong>,
-                  then AAAA records are deleted even when dnssec is enabled.
-                  As suggested by the name, this makes the response not verify,
-                  because the DNSSEC protocol is designed detect deletions.
-                </p>
-<p>
-                  This mechanism can erroneously cause other servers to 
-                  not give AAAA records to their clients.  
-                  A recursing server with both IPv6 and IPv4 network connections
-                  that queries an authoritative server using this mechanism
-                  via IPv4 will be denied AAAA records even if its client is
-                  using IPv6.
-                </p>
-<p>
-                  This mechanism is applied to authoritative as well as
-                  non-authoritative records.
-                  A client using IPv4 that is not allowed recursion can
-                  erroneously be given AAAA records because the server is not
-                  allowed to check for A records.
-                </p>
-<p>
-                  Some AAAA records are given to IPv4 clients in glue records.
-                  IPv4 clients that are servers can then erroneously
-                  answer requests for AAAA records received via IPv4.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
-<dd>
-<p>
-                  When <strong class="userinput"><code>yes</code></strong> and the server loads a new
-                  version of a master zone from its zone file or receives a
-                  new version of a slave file via zone transfer, it will
-                  compare the new version to the previous one and calculate
-                  a set of differences.  The differences are then logged in
-                  the zone's journal file such that the changes can be
-                  transmitted to downstream slaves as an incremental zone
-                  transfer.
-                </p>
-<p>
-                  By allowing incremental zone transfers to be used for
-                  non-dynamic zones, this option saves bandwidth at the
-                  expense of increased CPU and memory consumption at the
-                  master.
-                  In particular, if the new version of a zone is completely
-                  different from the previous one, the set of differences
-                  will be of a size comparable to the combined size of the
-                  old and new zone version, and the server will need to
-                  temporarily allocate memory to hold this complete
-                  difference set.
-                </p>
-<p><span><strong class="command">ixfr-from-differences</strong></span>
-                  also accepts <span><strong class="command">master</strong></span> and
-                  <span><strong class="command">slave</strong></span> at the view and options
-                  levels which causes
-                  <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for
-                  all <span><strong class="command">master</strong></span> or
-                  <span><strong class="command">slave</strong></span> zones respectively.
-                  It is off by default.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
-<dd><p>
-                  This should be set when you have multiple masters for a zone
-                  and the
-                  addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
-                  not log
-                  when the serial number on the master is less than what <span><strong class="command">named</strong></span>
-                  currently
-                  has.  The default is <strong class="userinput"><code>no</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
-<dd><p>
-                  Enable DNSSEC support in <span><strong class="command">named</strong></span>.  Unless set to <strong class="userinput"><code>yes</code></strong>,
-                  <span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC.
-                  The default is <strong class="userinput"><code>yes</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
-<dd><p>
-                  Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
-                  Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
-                  set to <strong class="userinput"><code>yes</code></strong> to be effective.
-                  If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
-                  is disabled.  If set to <strong class="userinput"><code>auto</code></strong>,
-                  DNSSEC validation is enabled, and a default
-                  trust-anchor for the DNS root zone is used.  If set to
-                  <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
-                  but a trust anchor must be manually configured using
-                  a <span><strong class="command">trusted-keys</strong></span> or
-                  <span><strong class="command">managed-keys</strong></span> statement.  The default
-                  is <strong class="userinput"><code>yes</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
-<dd><p>
-                  Accept expired signatures when verifying DNSSEC signatures.
-                  The default is <strong class="userinput"><code>no</code></strong>.
-                  Setting this option to <strong class="userinput"><code>yes</code></strong>
-                  leaves <span><strong class="command">named</strong></span> vulnerable to
-                  replay attacks.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
-<dd><p>
-                  Specify whether query logging should be started when <span><strong class="command">named</strong></span>
-                  starts.
-                  If <span><strong class="command">querylog</strong></span> is not specified,
-                  then the query logging
-                  is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
-<dd>
-<p>
-                  This option is used to restrict the character set and syntax
-                  of
-                  certain domain names in master files and/or DNS responses
-                  received
-                  from the network.  The default varies according to usage
-                  area.  For
-                  <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
-                  For <span><strong class="command">slave</strong></span> zones the default
-                  is <span><strong class="command">warn</strong></span>.
-                  For answers received from the network (<span><strong class="command">response</strong></span>)
-                  the default is <span><strong class="command">ignore</strong></span>.
-                </p>
-<p>
-                  The rules for legal hostnames and mail domains are derived
-                  from RFC 952 and RFC 821 as modified by RFC 1123.
-                </p>
-<p><span><strong class="command">check-names</strong></span>
-                  applies to the owner names of A, AAAA and MX records.
-                  It also applies to the domain names in the RDATA of NS, SOA,
-                  MX, and SRV records.
-                  It also applies to the RDATA of PTR records where the owner
-                  name indicated that it is a reverse lookup of a hostname
-                  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt>
-<dd><p>
-                  Check master zones for records that are treated as different
-                  by DNSSEC but are semantically equal in plain DNS.  The
-                  default is to <span><strong class="command">warn</strong></span>.  Other possible
-                  values are <span><strong class="command">fail</strong></span> and
-                  <span><strong class="command">ignore</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
-<dd><p>
-                  Check whether the MX record appears to refer to a IP address.
-                  The default is to <span><strong class="command">warn</strong></span>.  Other possible
-                  values are <span><strong class="command">fail</strong></span> and
-                  <span><strong class="command">ignore</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
-<dd><p>
-                  This option is used to check for non-terminal wildcards.
-                  The use of non-terminal wildcards is almost always as a
-                  result of a failure
-                  to understand the wildcard matching algorithm (RFC 1034).
-                  This option
-                  affects master zones.  The default (<span><strong class="command">yes</strong></span>) is to check
-                  for non-terminal wildcards and issue a warning.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
-<dd>
-<p>
-                  Perform post load zone integrity checks on master
-                  zones.  This checks that MX and SRV records refer
-                  to address (A or AAAA) records and that glue
-                  address records exist for delegated zones.  For
-                  MX and SRV records only in-zone hostnames are
-                  checked (for out-of-zone hostnames use
-                  <span><strong class="command">named-checkzone</strong></span>).
-                  For NS records only names below top of zone are
-                  checked (for out-of-zone names and glue consistency
-                  checks use <span><strong class="command">named-checkzone</strong></span>).
-                  The default is <span><strong class="command">yes</strong></span>.
-                </p>
-<p>
-                  Check that the two forms of Sender Policy Framework
-                  records (TXT records starting with "v=spf1" and SPF) either
-                  both exist or both don't exist.  Warnings are
-                  emitted it they don't and be suppressed with
-                  <span><strong class="command">check-spf</strong></span>.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
-<dd><p>
-                  If <span><strong class="command">check-integrity</strong></span> is set then
-                  fail, warn or ignore MX records that refer
-                  to CNAMES.  The default is to <span><strong class="command">warn</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
-<dd><p>
-                  If <span><strong class="command">check-integrity</strong></span> is set then
-                  fail, warn or ignore SRV records that refer
-                  to CNAMES.  The default is to <span><strong class="command">warn</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
-<dd><p>
-                  When performing integrity checks, also check that
-                  sibling glue exists.  The default is <span><strong class="command">yes</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
-<dd><p>
-                  When performing integrity checks, check that the
-                  two forms of Sender Policy Framwork records (TXT
-                  records starting with "v=spf1" and SPF) both exist
-                  or both don't exist and issue a warning if not
-                  met.  The default is <span><strong class="command">warn</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
-<dd><p>
-                  When returning authoritative negative responses to
-                  SOA queries set the TTL of the SOA record returned in
-                  the authority section to zero.
-                  The default is <span><strong class="command">yes</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
-<dd><p>
-                  When caching a negative response to a SOA query
-                  set the TTL to zero.
-                  The default is <span><strong class="command">no</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
-<dd>
-<p>
-                  When set to the default value of <code class="literal">yes</code>,
-                  check the KSK bit in each key to determine how the key
-                  should be used when generating RRSIGs for a secure zone.
-                </p>
-<p>
-                  Ordinarily, zone-signing keys (that is, keys without the
-                  KSK bit set) are used to sign the entire zone, while
-                  key-signing keys (keys with the KSK bit set) are only
-                  used to sign the DNSKEY RRset at the zone apex.
-                  However, if this option is set to <code class="literal">no</code>,
-                  then the KSK bit is ignored; KSKs are treated as if they
-                  were ZSKs and are used to sign the entire zone.  This is
-                  similar to the <span><strong class="command">dnssec-signzone -z</strong></span>
-                  command line option.
-                </p>
-<p>
-                  When this option is set to <code class="literal">yes</code>, there
-                  must be at least two active keys for every algorithm
-                  represented in the DNSKEY RRset: at least one KSK and one
-                  ZSK per algorithm.  If there is any algorithm for which
-                  this requirement is not met, this option will be ignored
-                  for that algorithm.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
-<dd>
-<p>
-                  When this option and <span><strong class="command">update-check-ksk</strong></span>
-                  are both set to <code class="literal">yes</code>, only key-signing
-                  keys (that is, keys with the KSK bit set) will be used
-                  to sign the DNSKEY RRset at the zone apex.  Zone-signing
-                  keys (keys without the KSK bit set) will be used to sign
-                  the remainder of the zone, but not the DNSKEY RRset.
-                  This is similar to the
-                  <span><strong class="command">dnssec-signzone -x</strong></span> command line option.
-                </p>
-<p>
-                  The default is <span><strong class="command">no</strong></span>.  If
-                  <span><strong class="command">update-check-ksk</strong></span> is set to
-                  <code class="literal">no</code>, this option is ignored.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt>
-<dd><p>
-                  When a zone is configured with <span><strong class="command">auto-dnssec
-                  maintain;</strong></span> its key repository must be checked
-                  periodically to see if any new keys have been added
-                  or any existing keys' timing metadata has been updated
-                  (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
-                  <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The
-                  <span><strong class="command">dnssec-loadkeys-interval</strong></span> option
-                  sets the frequency of autoatic repository checks, in
-                  minutes.  The default is <code class="literal">60</code> (1 hour),
-                  the minimum is <code class="literal">1</code> (1 minute), and the
-                  maximum is <code class="literal">1440</code> (24 hours); any higher
-                  value is silently reduced.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
-<dd><p>
-                  Try to refresh the zone using TCP if UDP queries fail.
-                  For BIND 8 compatibility, the default is
-                  <span><strong class="command">yes</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
-<dd>
-<p>
-                  Allow a dynamic zone to transition from secure to
-                  insecure (i.e., signed to unsigned) by deleting all
-                  of the DNSKEY records.  The default is <span><strong class="command">no</strong></span>.
-                  If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset
-                  at the zone apex is deleted, all RRSIG and NSEC records
-                  will be removed from the zone as well.
-                </p>
-<p>
-                  If the zone uses NSEC3, then it is also necessary to
-                  delete the NSEC3PARAM RRset from the zone apex; this will
-                  cause the removal of all corresponding NSEC3 records.
-                  (It is expected that this requirement will be eliminated
-                  in a future release.)
-                </p>
-<p>
-                  Note that if a zone has been configured with
-                  <span><strong class="command">auto-dnssec maintain</strong></span> and the
-                  private keys remain accessible in the key repository,
-                  then the zone will be automatically signed again the
-                  next time <span><strong class="command">named</strong></span> is started.
-                </p>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584393"></a>Forwarding</h4></div></div></div>
-<p>
-            The forwarding facility can be used to create a large site-wide
-            cache on a few servers, reducing traffic over links to external
-            name servers. It can also be used to allow queries by servers that
-            do not have direct access to the Internet, but wish to look up
-            exterior
-            names anyway. Forwarding occurs only on those queries for which
-            the server is not authoritative and does not have the answer in
-            its cache.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>
-                  This option is only meaningful if the
-                  forwarders list is not empty. A value of <code class="varname">first</code>,
-                  the default, causes the server to query the forwarders
-                  first &#8212; and
-                  if that doesn't answer the question, the server will then
-                  look for
-                  the answer itself. If <code class="varname">only</code> is
-                  specified, the
-                  server will only query the forwarders.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>
-                  Specifies the IP addresses to be used
-                  for forwarding. The default is the empty list (no
-                  forwarding).
-                </p></dd>
-</dl></div>
-<p>
-            Forwarding can also be configured on a per-domain basis, allowing
-            for the global forwarding options to be overridden in a variety
-            of ways. You can set particular domains to use different
-            forwarders,
-            or have a different <span><strong class="command">forward only/first</strong></span> behavior,
-            or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
-            Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
-            Statement Grammar&#8221;</a>.
-          </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584588"></a>Dual-stack Servers</h4></div></div></div>
-<p>
-            Dual-stack servers are used as servers of last resort to work
-            around
-            problems in reachability due the lack of support for either IPv4
-            or IPv6
-            on the host machine.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
-<dd><p>
-                  Specifies host names or addresses of machines with access to
-                  both IPv4 and IPv6 transports. If a hostname is used, the
-                  server must be able
-                  to resolve the name using only the transport it has.  If the
-                  machine is dual
-                  stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
-                  access to a transport has been disabled on the command line
-                  (e.g. <span><strong class="command">named -4</strong></span>).
-                </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="access_control"></a>Access Control</h4></div></div></div>
-<p>
-            Access to the server can be restricted based on the IP address
-            of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
-            details on how to specify IP address lists.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>
-                  Specifies which hosts are allowed to
-                  notify this server, a slave, of zone changes in addition
-                  to the zone masters.
-                  <span><strong class="command">allow-notify</strong></span> may also be
-                  specified in the
-                  <span><strong class="command">zone</strong></span> statement, in which case
-                  it overrides the
-                  <span><strong class="command">options allow-notify</strong></span>
-                  statement.  It is only meaningful
-                  for a slave zone.  If not specified, the default is to
-                  process notify messages
-                  only from a zone's master.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd>
-<p>
-                  Specifies which hosts are allowed to ask ordinary
-                  DNS questions. <span><strong class="command">allow-query</strong></span> may
-                  also be specified in the <span><strong class="command">zone</strong></span>
-                  statement, in which case it overrides the
-                  <span><strong class="command">options allow-query</strong></span> statement.
-                  If not specified, the default is to allow queries
-                  from all hosts.
-                </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                    <span><strong class="command">allow-query-cache</strong></span> is now
-                    used to specify access to the cache.
-                  </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
-<dd>
-<p>
-                  Specifies which local addresses can accept ordinary
-                  DNS questions. This makes it possible, for instance,
-                  to allow queries on internal-facing interfaces but
-                  disallow them on external-facing ones, without
-                  necessarily knowing the internal network's addresses.
-                </p>
-<p>
-                  Note that <span><strong class="command">allow-query-on</strong></span> is only
-                  checked for queries that are permitted by
-                  <span><strong class="command">allow-query</strong></span>.  A query must be
-                  allowed by both ACLs, or it will be refused.
-                </p>
-<p>
-                  <span><strong class="command">allow-query-on</strong></span> may
-                  also be specified in the <span><strong class="command">zone</strong></span>
-                  statement, in which case it overrides the
-                  <span><strong class="command">options allow-query-on</strong></span> statement.
-                </p>
-<p>
-                  If not specified, the default is to allow queries
-                  on all addresses.
-                </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                    <span><strong class="command">allow-query-cache</strong></span> is
-                    used to specify access to the cache.
-                  </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
-<dd><p>
-                  Specifies which hosts are allowed to get answers
-                  from the cache.  If <span><strong class="command">allow-query-cache</strong></span>
-                  is not set then <span><strong class="command">allow-recursion</strong></span>
-                  is used if set, otherwise <span><strong class="command">allow-query</strong></span>
-                  is used if set unless <span><strong class="command">recursion no;</strong></span> is
-                  set in which case <span><strong class="command">none;</strong></span> is used,
-                  otherwise the default (<span><strong class="command">localnets;</strong></span>
-                  <span><strong class="command">localhost;</strong></span>) is used.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
-<dd><p>
-                  Specifies which local addresses can give answers
-                  from the cache.  If not specified, the default is
-                  to allow cache queries on any address,
-                  <span><strong class="command">localnets</strong></span> and
-                  <span><strong class="command">localhost</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
-<dd><p>
-                  Specifies which hosts are allowed to make recursive
-                  queries through this server. If
-                  <span><strong class="command">allow-recursion</strong></span> is not set
-                  then <span><strong class="command">allow-query-cache</strong></span> is
-                  used if set, otherwise <span><strong class="command">allow-query</strong></span>
-                  is used if set, otherwise the default
-                  (<span><strong class="command">localnets;</strong></span>
-                  <span><strong class="command">localhost;</strong></span>) is used.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt>
-<dd><p>
-                  Specifies which local addresses can accept recursive
-                  queries.  If not specified, the default is to allow
-                  recursive queries on all addresses.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
-<dd><p>
-                  Specifies which hosts are allowed to
-                  submit Dynamic DNS updates for master zones. The default is
-                  to deny
-                  updates from all hosts.  Note that allowing updates based
-                  on the requestor's IP address is insecure; see
-                  <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd>
-<p>
-                  Specifies which hosts are allowed to
-                  submit Dynamic DNS updates to slave zones to be forwarded to
-                  the
-                  master.  The default is <strong class="userinput"><code>{ none; }</code></strong>,
-                  which
-                  means that no update forwarding will be performed.  To
-                  enable
-                  update forwarding, specify
-                  <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
-                  Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
-                  <strong class="userinput"><code>{ any; }</code></strong> is usually
-                  counterproductive, since
-                  the responsibility for update access control should rest
-                  with the
-                  master server, not the slaves.
-                </p>
-<p>
-                  Note that enabling the update forwarding feature on a slave
-                  server
-                  may expose master servers relying on insecure IP address
-                  based
-                  access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
-                  for more details.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
-<dd><p>
-                  This option was introduced for the smooth transition from
-                  AAAA
-                  to A6 and from "nibble labels" to binary labels.
-                  However, since both A6 and binary labels were then
-                  deprecated,
-                  this option was also deprecated.
-                  It is now ignored with some warning messages.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>
-                  Specifies which hosts are allowed to
-                  receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
-                  also be specified in the <span><strong class="command">zone</strong></span>
-                  statement, in which
-                  case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
-                  If not specified, the default is to allow transfers to all
-                  hosts.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
-<dd><p>
-                  Specifies a list of addresses that the
-                  server will not accept queries from or use to resolve a
-                  query. Queries
-                  from these addresses will not be responded to. The default
-                  is <strong class="userinput"><code>none</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt>
-<dd><p>
-                  Specifies a list of addresses to which
-                  <span><strong class="command">filter-aaaa-on-v4</strong></span>
-                  is applies.  The default is <strong class="userinput"><code>any</code></strong>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
-<dd><p>
-                  The amount of time the resolver will spend attempting
-                  to resolve a recursive query before failing.  The default
-                  and minimum is <code class="literal">10</code> and the maximum is
-                  <code class="literal">30</code>.  Setting it to <code class="literal">0</code>
-                  will result in the default being used.
-                </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2585149"></a>Interfaces</h4></div></div></div>
-<p>
-            The interfaces and ports that the server will answer queries
-            from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
-            an optional port and an <code class="varname">address_match_list</code>.
-            The server will listen on all interfaces allowed by the address
-            match list. If a port is not specified, port 53 will be used.
-          </p>
-<p>
-            Multiple <span><strong class="command">listen-on</strong></span> statements are
-            allowed.
-            For example,
-          </p>
-<pre class="programlisting">listen-on { 5.6.7.8; };
-listen-on port 1234 { !1.2.3.4; 1.2/16; };
-</pre>
-<p>
-            will enable the name server on port 53 for the IP address
-            5.6.7.8, and on port 1234 of an address on the machine in net
-            1.2 that is not 1.2.3.4.
-          </p>
-<p>
-            If no <span><strong class="command">listen-on</strong></span> is specified, the
-            server will listen on port 53 on all IPv4 interfaces.
-          </p>
-<p>
-            The <span><strong class="command">listen-on-v6</strong></span> option is used to
-            specify the interfaces and the ports on which the server will
-            listen
-            for incoming queries sent using IPv6.
-          </p>
-<p>
-            When </p>
-<pre class="programlisting">{ any; }</pre>
-<p> is
-            specified
-            as the <code class="varname">address_match_list</code> for the
-            <span><strong class="command">listen-on-v6</strong></span> option,
-            the server does not bind a separate socket to each IPv6 interface
-            address as it does for IPv4 if the operating system has enough API
-            support for IPv6 (specifically if it conforms to RFC 3493 and RFC
-            3542).
-            Instead, it listens on the IPv6 wildcard address.
-            If the system only has incomplete API support for IPv6, however,
-            the behavior is the same as that for IPv4.
-          </p>
-<p>
-            A list of particular IPv6 addresses can also be specified, in
-            which case
-            the server listens on a separate socket for each specified
-            address,
-            regardless of whether the desired API is supported by the system.
-          </p>
-<p>
-            Multiple <span><strong class="command">listen-on-v6</strong></span> options can
-            be used.
-            For example,
-          </p>
-<pre class="programlisting">listen-on-v6 { any; };
-listen-on-v6 port 1234 { !2001:db8::/32; any; };
-</pre>
-<p>
-            will enable the name server on port 53 for any IPv6 addresses
-            (with a single wildcard socket),
-            and on port 1234 of IPv6 addresses that is not in the prefix
-            2001:db8::/32 (with separate sockets for each matched address.)
-          </p>
-<p>
-            To make the server not listen on any IPv6 address, use
-          </p>
-<pre class="programlisting">listen-on-v6 { none; };
-</pre>
-<p>
-            If no <span><strong class="command">listen-on-v6</strong></span> option is
-            specified, the server will not listen on any IPv6 address
-            unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
-            invoked.  If <span><strong class="command">-6</strong></span> is specified then
-            <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
-          </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="query_address"></a>Query Address</h4></div></div></div>
-<p>
-            If the server doesn't know the answer to a question, it will
-            query other name servers. <span><strong class="command">query-source</strong></span> specifies
-            the address and port used for such queries. For queries sent over
-            IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
-            If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
-            a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
-            will be used.
-          </p>
-<p>
-            If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
-            a random port number from a pre-configured
-            range is picked up and will be used for each query.
-            The port range(s) is that specified in
-            the <span><strong class="command">use-v4-udp-ports</strong></span> (for IPv4)
-            and <span><strong class="command">use-v6-udp-ports</strong></span> (for IPv6)
-            options, excluding the ranges specified in
-            the <span><strong class="command">avoid-v4-udp-ports</strong></span>
-            and <span><strong class="command">avoid-v6-udp-ports</strong></span> options, respectively.
-          </p>
-<p>
-            The defaults of the <span><strong class="command">query-source</strong></span> and
-            <span><strong class="command">query-source-v6</strong></span> options
-            are:
-          </p>
-<pre class="programlisting">query-source address * port *;
-query-source-v6 address * port *;
-</pre>
-<p>
-            If <span><strong class="command">use-v4-udp-ports</strong></span> or
-            <span><strong class="command">use-v6-udp-ports</strong></span> is unspecified,
-            <span><strong class="command">named</strong></span> will check if the operating
-            system provides a programming interface to retrieve the
-            system's default range for ephemeral ports.
-            If such an interface is available,
-            <span><strong class="command">named</strong></span> will use the corresponding system
-            default range; otherwise, it will use its own defaults:
-         </p>
-<pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
-use-v6-udp-ports { range 1024 65535; };
-</pre>
-<p>
-            Note: make sure the ranges be sufficiently large for
-            security.  A desirable size depends on various parameters,
-            but we generally recommend it contain at least 16384 ports
-            (14 bits of entropy).
-            Note also that the system's default range when used may be
-            too small for this purpose, and that the range may even be
-            changed while <span><strong class="command">named</strong></span> is running; the new
-            range will automatically be applied when <span><strong class="command">named</strong></span>
-            is reloaded.
-            It is encouraged to
-            configure <span><strong class="command">use-v4-udp-ports</strong></span> and
-            <span><strong class="command">use-v6-udp-ports</strong></span> explicitly so that the
-            ranges are sufficiently large and are reasonably
-            independent from the ranges used by other applications.
-          </p>
-<p>
-            Note: the operational configuration
-            where <span><strong class="command">named</strong></span> runs may prohibit the use
-            of some ports.  For example, UNIX systems will not allow
-            <span><strong class="command">named</strong></span> running without a root privilege
-            to use ports less than 1024.
-            If such ports are included in the specified (or detected)
-            set of query ports, the corresponding query attempts will
-            fail, resulting in resolution failures or delay.
-            It is therefore important to configure the set of ports
-            that can be safely used in the expected operational environment.
-          </p>
-<p>
-            The defaults of the <span><strong class="command">avoid-v4-udp-ports</strong></span> and
-            <span><strong class="command">avoid-v6-udp-ports</strong></span> options
-            are:
-          </p>
-<pre class="programlisting">avoid-v4-udp-ports {};
-avoid-v6-udp-ports {};
-</pre>
-<p>
-            Note: BIND 9.5.0 introduced
-            the <span><strong class="command">use-queryport-pool</strong></span> 
-            option to support a pool of such random ports, but this
-            option is now obsolete because reusing the same ports in
-            the pool may not be sufficiently secure.
-            For the same reason, it is generally strongly discouraged to
-            specify a particular port for the
-            <span><strong class="command">query-source</strong></span> or
-            <span><strong class="command">query-source-v6</strong></span> options;
-            it implicitly disables the use of randomized port numbers.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt>
-<dd><p>
-                  This option is obsolete.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
-<dd><p>
-                  This option is obsolete.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
-<dd><p>
-                  This option is obsolete.
-                </p></dd>
-</dl></div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              The address specified in the <span><strong class="command">query-source</strong></span> option
-              is used for both UDP and TCP queries, but the port applies only
-              to UDP queries.  TCP queries always use a random
-              unprivileged port.
-            </p>
-</div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              Solaris 2.5.1 and earlier does not support setting the source
-              address for TCP sockets.
-            </p>
-</div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              See also <span><strong class="command">transfer-source</strong></span> and
-              <span><strong class="command">notify-source</strong></span>.
-            </p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-<p>
-            <acronym class="acronym">BIND</acronym> has mechanisms in place to
-            facilitate zone transfers
-            and set limits on the amount of load that transfers place on the
-            system. The following options apply to zone transfers.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd>
-<p>
-                  Defines a global list of IP addresses of name servers
-                  that are also sent NOTIFY messages whenever a fresh copy of
-                  the
-                  zone is loaded, in addition to the servers listed in the
-                  zone's NS records.
-                  This helps to ensure that copies of the zones will
-                  quickly converge on stealth servers.
-                  Optionally, a port may be specified with each
-                  <span><strong class="command">also-notify</strong></span> address to send
-                  the notify messages to a port other than the
-                  default of 53.
-                  An optional TSIG key can also be specified with each
-                  address to cause the notify messages to be signed; this
-                  can be useful when sending notifies to multiple views.
-                  In place of explicit addresses, one or more named
-                  <span><strong class="command">masters</strong></span> lists can be used.
-                </p>
-<p>
-                  If an <span><strong class="command">also-notify</strong></span> list
-                  is given in a <span><strong class="command">zone</strong></span> statement,
-                  it will override
-                  the <span><strong class="command">options also-notify</strong></span>
-                  statement. When a <span><strong class="command">zone notify</strong></span>
-                  statement
-                  is set to <span><strong class="command">no</strong></span>, the IP
-                  addresses in the global <span><strong class="command">also-notify</strong></span> list will
-                  not be sent NOTIFY messages for that zone. The default is
-                  the empty
-                  list (no global notification list).
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>
-                  Inbound zone transfers running longer than
-                  this many minutes will be terminated. The default is 120
-                  minutes
-                  (2 hours).  The maximum value is 28 days (40320 minutes).
-                </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>
-                  Inbound zone transfers making no progress
-                  in this many minutes will be terminated. The default is 60
-                  minutes
-                  (1 hour).  The maximum value is 28 days (40320 minutes).
-                </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>
-                  Outbound zone transfers running longer than
-                  this many minutes will be terminated. The default is 120
-                  minutes
-                  (2 hours).  The maximum value is 28 days (40320 minutes).
-                </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>
-                  Outbound zone transfers making no progress
-                  in this many minutes will be terminated.  The default is 60
-                  minutes (1
-                  hour).  The maximum value is 28 days (40320 minutes).
-                </p></dd>
-<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
-<dd>
-<p>
-                  Slave servers will periodically query master
-                  servers to find out if zone serial numbers have
-                  changed. Each such query uses a minute amount of
-                  the slave server's network bandwidth.  To limit
-                  the amount of bandwidth used, BIND 9 limits the
-                  rate at which queries are sent.  The value of the
-                  <span><strong class="command">serial-query-rate</strong></span> option, an
-                  integer, is the maximum number of queries sent
-                  per second.  The default is 20.
-                </p>
-<p>
-                  In addition to controlling the rate SOA refresh
-                  queries are issued at
-                  <span><strong class="command">serial-query-rate</strong></span> also controls
-                  the rate at which NOTIFY messages are sent from
-                  both master and slave zones.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
-<dd><p>
-                  In BIND 8, the <span><strong class="command">serial-queries</strong></span>
-                  option
-                  set the maximum number of concurrent serial number queries
-                  allowed to be outstanding at any given time.
-                  BIND 9 does not limit the number of outstanding
-                  serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
-                  Instead, it limits the rate at which the queries are sent
-                  as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
-<dd><p>
-                  Zone transfers can be sent using two different formats,
-                  <span><strong class="command">one-answer</strong></span> and
-                  <span><strong class="command">many-answers</strong></span>.
-                  The <span><strong class="command">transfer-format</strong></span> option is used
-                  on the master server to determine which format it sends.
-                  <span><strong class="command">one-answer</strong></span> uses one DNS message per
-                  resource record transferred.
-                  <span><strong class="command">many-answers</strong></span> packs as many resource
-                  records as possible into a message.
-                  <span><strong class="command">many-answers</strong></span> is more efficient, but is
-                  only supported by relatively new slave servers,
-                  such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-                  8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
-                  The <span><strong class="command">many-answers</strong></span> format is also supported by
-                  recent Microsoft Windows nameservers.
-                  The default is <span><strong class="command">many-answers</strong></span>.
-                  <span><strong class="command">transfer-format</strong></span> may be overridden on a
-                  per-server basis by using the <span><strong class="command">server</strong></span>
-                  statement.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
-<dd><p>
-                  The maximum number of inbound zone transfers
-                  that can be running concurrently. The default value is <code class="literal">10</code>.
-                  Increasing <span><strong class="command">transfers-in</strong></span> may
-                  speed up the convergence
-                  of slave zones, but it also may increase the load on the
-                  local system.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
-<dd><p>
-                  The maximum number of outbound zone transfers
-                  that can be running concurrently. Zone transfer requests in
-                  excess
-                  of the limit will be refused. The default value is <code class="literal">10</code>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
-<dd><p>
-                  The maximum number of inbound zone transfers
-                  that can be concurrently transferring from a given remote
-                  name server.
-                  The default value is <code class="literal">2</code>.
-                  Increasing <span><strong class="command">transfers-per-ns</strong></span>
-                  may
-                  speed up the convergence of slave zones, but it also may
-                  increase
-                  the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
-                  be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
-                  of the <span><strong class="command">server</strong></span> statement.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd>
-<p><span><strong class="command">transfer-source</strong></span>
-                  determines which local address will be bound to IPv4
-                  TCP connections used to fetch zones transferred
-                  inbound by the server.  It also determines the
-                  source IPv4 address, and optionally the UDP port,
-                  used for the refresh queries and forwarded dynamic
-                  updates.  If not set, it defaults to a system
-                  controlled value which will usually be the address
-                  of the interface "closest to" the remote end. This
-                  address must appear in the remote end's
-                  <span><strong class="command">allow-transfer</strong></span> option for the
-                  zone being transferred, if one is specified. This
-                  statement sets the
-                  <span><strong class="command">transfer-source</strong></span> for all zones,
-                  but can be overridden on a per-view or per-zone
-                  basis by including a
-                  <span><strong class="command">transfer-source</strong></span> statement within
-                  the <span><strong class="command">view</strong></span> or
-                  <span><strong class="command">zone</strong></span> block in the configuration
-                  file.
-                </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                    Solaris 2.5.1 and earlier does not support setting the
-                    source address for TCP sockets.
-                  </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>
-                  The same as <span><strong class="command">transfer-source</strong></span>,
-                  except zone transfers are performed using IPv6.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
-<dd>
-<p>
-                  An alternate transfer source if the one listed in
-                  <span><strong class="command">transfer-source</strong></span> fails and
-                  <span><strong class="command">use-alt-transfer-source</strong></span> is
-                  set.
-                </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                  If you do not wish the alternate transfer source
-                  to be used, you should set
-                  <span><strong class="command">use-alt-transfer-source</strong></span>
-                  appropriately and you should not depend upon
-                  getting an answer back to the first refresh
-                  query.
-                </div>
-</dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>
-                  An alternate transfer source if the one listed in
-                  <span><strong class="command">transfer-source-v6</strong></span> fails and
-                  <span><strong class="command">use-alt-transfer-source</strong></span> is
-                  set.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>
-                  Use the alternate transfer sources or not.  If views are
-                  specified this defaults to <span><strong class="command">no</strong></span>
-                  otherwise it defaults to
-                  <span><strong class="command">yes</strong></span> (for BIND 8
-                  compatibility).
-                </p></dd>
-<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd>
-<p><span><strong class="command">notify-source</strong></span>
-                  determines which local source address, and
-                  optionally UDP port, will be used to send NOTIFY
-                  messages.  This address must appear in the slave
-                  server's <span><strong class="command">masters</strong></span> zone clause or
-                  in an <span><strong class="command">allow-notify</strong></span> clause.  This
-                  statement sets the <span><strong class="command">notify-source</strong></span>
-                  for all zones, but can be overridden on a per-zone or
-                  per-view basis by including a
-                  <span><strong class="command">notify-source</strong></span> statement within
-                  the <span><strong class="command">zone</strong></span> or
-                  <span><strong class="command">view</strong></span> block in the configuration
-                  file.
-                </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                    Solaris 2.5.1 and earlier does not support setting the
-                    source address for TCP sockets.
-                  </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>
-                  Like <span><strong class="command">notify-source</strong></span>,
-                  but applies to notify messages sent to IPv6 addresses.
-                </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2586366"></a>UDP Port Lists</h4></div></div></div>
-<p>
-            <span><strong class="command">use-v4-udp-ports</strong></span>,
-            <span><strong class="command">avoid-v4-udp-ports</strong></span>,
-            <span><strong class="command">use-v6-udp-ports</strong></span>, and
-            <span><strong class="command">avoid-v6-udp-ports</strong></span>
-            specify a list of IPv4 and IPv6 UDP ports that will be
-            used or not used as source ports for UDP messages.
-            See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called &#8220;Query Address&#8221;</a> about how the
-            available ports are determined.
-            For example, with the following configuration
-          </p>
-<pre class="programlisting">
-use-v6-udp-ports { range 32768 65535; };
-avoid-v6-udp-ports { 40000; range 50000 60000; };
-</pre>
-<p>
-             UDP ports of IPv6 messages sent
-             from <span><strong class="command">named</strong></span> will be in one
-             of the following ranges: 32768 to 39999, 40001 to 49999,
-             and 60001 to 65535.
-           </p>
-<p>
-             <span><strong class="command">avoid-v4-udp-ports</strong></span> and
-             <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used
-             to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
-             port that is blocked by your firewall or a port that is
-             used by other applications;
-             if a query went out with a source port blocked by a
-             firewall, the
-             answer would not get by the firewall and the name server would
-             have to query again.
-             Note: the desired range can also be represented only with
-             <span><strong class="command">use-v4-udp-ports</strong></span> and
-             <span><strong class="command">use-v6-udp-ports</strong></span>, and the
-             <span><strong class="command">avoid-</strong></span> options are redundant in that
-             sense; they are provided for backward compatibility and
-             to possibly simplify the port specification.
-           </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2586426"></a>Operating System Resource Limits</h4></div></div></div>
-<p>
-            The server's usage of many system resources can be limited.
-            Scaled values are allowed when specifying resource limits.  For
-            example, <span><strong class="command">1G</strong></span> can be used instead of
-            <span><strong class="command">1073741824</strong></span> to specify a limit of
-            one
-            gigabyte. <span><strong class="command">unlimited</strong></span> requests
-            unlimited use, or the
-            maximum available amount. <span><strong class="command">default</strong></span>
-            uses the limit
-            that was in force when the server was started. See the description
-            of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
-          </p>
-<p>
-            The following options set operating system resource limits for
-            the name server process.  Some operating systems don't support
-            some or
-            any of the limits. On such systems, a warning will be issued if
-            the
-            unsupported limit is used.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
-<dd><p>
-                  The maximum size of a core dump. The default
-                  is <code class="literal">default</code>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
-<dd><p>
-                  The maximum amount of data memory the server
-                  may use. The default is <code class="literal">default</code>.
-                  This is a hard limit on server memory usage.
-                  If the server attempts to allocate memory in excess of this
-                  limit, the allocation will fail, which may in turn leave
-                  the server unable to perform DNS service.  Therefore,
-                  this option is rarely useful as a way of limiting the
-                  amount of memory used by the server, but it can be used
-                  to raise an operating system data size limit that is
-                  too small by default.  If you wish to limit the amount
-                  of memory used by the server, use the
-                  <span><strong class="command">max-cache-size</strong></span> and
-                  <span><strong class="command">recursive-clients</strong></span>
-                  options instead.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
-<dd><p>
-                  The maximum number of files the server
-                  may have open concurrently. The default is <code class="literal">unlimited</code>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
-<dd><p>
-                  The maximum amount of stack memory the server
-                  may use. The default is <code class="literal">default</code>.
-                </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="server_resource_limits"></a>Server  Resource Limits</h4></div></div></div>
-<p>
-            The following options set limits on the server's
-            resource consumption that are enforced internally by the
-            server rather than the operating system.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
-<dd><p>
-                  This option is obsolete; it is accepted
-                  and ignored for BIND 8 compatibility.  The option
-                  <span><strong class="command">max-journal-size</strong></span> performs a
-                  similar function in BIND 9.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
-<dd><p>
-                  Sets a maximum size for each journal file
-                  (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>).  When the journal file
-                  approaches
-                  the specified size, some of the oldest transactions in the
-                  journal
-                  will be automatically removed.  The largest permitted
-                  value is 2 gigabytes. The default is
-                  <code class="literal">unlimited</code>, which also
-                  means 2 gigabytes.
-                  This may also be set on a per-zone basis.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
-<dd><p>
-                  In BIND 8, specifies the maximum number of host statistics
-                  entries to be kept.
-                  Not implemented in BIND 9.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
-<dd><p>
-                  The maximum number of simultaneous recursive lookups
-                  the server will perform on behalf of clients.  The default
-                  is
-                  <code class="literal">1000</code>.  Because each recursing
-                  client uses a fair
-                  bit of memory, on the order of 20 kilobytes, the value of
-                  the
-                  <span><strong class="command">recursive-clients</strong></span> option may
-                  have to be decreased
-                  on hosts with limited memory.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
-<dd><p>
-                  The maximum number of simultaneous client TCP
-                  connections that the server will accept.
-                  The default is <code class="literal">100</code>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">reserved-sockets</strong></span></span></dt>
-<dd>
-<p>
-                  The number of file descriptors reserved for TCP, stdio,
-                  etc.  This needs to be big enough to cover the number of
-                  interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
-                  to provide room for outgoing TCP queries and incoming zone
-                  transfers.  The default is <code class="literal">512</code>.
-                  The minimum value is <code class="literal">128</code> and the
-                  maximum value is <code class="literal">128</code> less than
-                  maxsockets (-S).  This option may be removed in the future.
-                </p>
-<p>
-                  This option has little effect on Windows.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
-<dd><p>
-                  The maximum amount of memory to use for the
-                  server's cache, in bytes.
-                  When the amount of data in the cache
-                  reaches this limit, the server will cause records to expire
-                  prematurely based on an LRU based strategy so that
-                  the limit is not exceeded.
-                  A value of 0 is special, meaning that
-                  records are purged from the cache only when their
-                  TTLs expire.
-                  Another special keyword <strong class="userinput"><code>unlimited</code></strong>
-                  means the maximum value of 32-bit unsigned integers
-                  (0xffffffff), which may not have the same effect as
-                  0 on machines that support more than 32 bits of
-                  memory space.
-                  Any positive values less than 2MB will be ignored reset
-                  to 2MB.
-                  In a server with multiple views, the limit applies
-                  separately to the cache of each view.
-                  The default is 0.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
-<dd><p>
-                  The listen queue depth.  The default and minimum is 3.
-                  If the kernel supports the accept filter "dataready" this
-                  also controls how
-                  many TCP connections that will be queued in kernel space
-                  waiting for
-                  some data before being passed to accept.  Values less than 3
-                  will be
-                  silently raised.
-                </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2586917"></a>Periodic Task Intervals</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
-<dd><p>
-                  This interval is effectively obsolete.  Previously,
-                  the server would remove expired resource records
-                  from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
-                  <acronym class="acronym">BIND</acronym> 9 now manages cache
-                  memory in a more sophisticated manner and does not
-                  rely on the periodic cleaning any more.
-                  Specifying this option therefore has no effect on
-                  the server's behavior.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
-<dd><p>
-                  The server will perform zone maintenance tasks
-                  for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
-                  interval expires. The default is 60 minutes. Reasonable
-                  values are up
-                  to 1 day (1440 minutes).  The maximum value is 28 days
-                  (40320 minutes).
-                  If set to 0, no zone maintenance for these zones will occur.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
-<dd><p>
-                  The server will scan the network interface list
-                  every <span><strong class="command">interface-interval</strong></span>
-                  minutes. The default
-                  is 60 minutes. The maximum value is 28 days (40320 minutes).
-                  If set to 0, interface scanning will only occur when
-                  the configuration file is  loaded. After the scan, the
-                  server will
-                  begin listening for queries on any newly discovered
-                  interfaces (provided they are allowed by the
-                  <span><strong class="command">listen-on</strong></span> configuration), and
-                  will
-                  stop listening on interfaces that have gone away.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
-<dd>
-<p>
-                  Name server statistics will be logged
-                  every <span><strong class="command">statistics-interval</strong></span>
-                  minutes. The default is
-                  60. The maximum value is 28 days (40320 minutes).
-                  If set to 0, no statistics will be logged.
-                  </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                    Not yet implemented in
-                    <acronym class="acronym">BIND</acronym> 9.
-                  </p>
-</div>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="topology"></a>Topology</h4></div></div></div>
-<p>
-            All other things being equal, when the server chooses a name
-            server
-            to query from a list of name servers, it prefers the one that is
-            topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
-            takes an <span><strong class="command">address_match_list</strong></span> and
-            interprets it
-            in a special way. Each top-level list element is assigned a
-            distance.
-            Non-negated elements get a distance based on their position in the
-            list, where the closer the match is to the start of the list, the
-            shorter the distance is between it and the server. A negated match
-            will be assigned the maximum distance from the server. If there
-            is no match, the address will get a distance which is further than
-            any non-negated list element, and closer than any negated element.
-            For example,
-          </p>
-<pre class="programlisting">topology {
-    10/8;
-    !1.2.3/24;
-    { 1.2/16; 3/8; };
-};</pre>
-<p>
-            will prefer servers on network 10 the most, followed by hosts
-            on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
-            exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-            is preferred least of all.
-          </p>
-<p>
-            The default topology is
-          </p>
-<pre class="programlisting">    topology { localhost; localnets; };
-</pre>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              The <span><strong class="command">topology</strong></span> option
-              is not implemented in <acronym class="acronym">BIND</acronym> 9.
-            </p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
-<p>
-            The response to a DNS query may consist of multiple resource
-            records (RRs) forming a resource records set (RRset).
-            The name server will normally return the
-            RRs within the RRset in an indeterminate order
-            (but see the <span><strong class="command">rrset-order</strong></span>
-            statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
-            The client resolver code should rearrange the RRs as appropriate,
-            that is, using any addresses on the local net in preference to
-            other addresses.
-            However, not all resolvers can do this or are correctly
-            configured.
-            When a client is using a local server, the sorting can be performed
-            in the server, based on the client's address. This only requires
-            configuring the name servers, not all the clients.
-          </p>
-<p>
-            The <span><strong class="command">sortlist</strong></span> statement (see below)
-            takes
-            an <span><strong class="command">address_match_list</strong></span> and
-            interprets it even
-            more specifically than the <span><strong class="command">topology</strong></span>
-            statement
-            does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
-            Each top level statement in the <span><strong class="command">sortlist</strong></span> must
-            itself be an explicit <span><strong class="command">address_match_list</strong></span> with
-            one or two elements. The first element (which may be an IP
-            address,
-            an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
-            of each top level list is checked against the source address of
-            the query until a match is found.
-          </p>
-<p>
-            Once the source address of the query has been matched, if
-            the top level statement contains only one element, the actual
-            primitive
-            element that matched the source address is used to select the
-            address
-            in the response to move to the beginning of the response. If the
-            statement is a list of two elements, then the second element is
-            treated the same as the <span><strong class="command">address_match_list</strong></span> in
-            a <span><strong class="command">topology</strong></span> statement. Each top
-            level element
-            is assigned a distance and the address in the response with the
-            minimum
-            distance is moved to the beginning of the response.
-          </p>
-<p>
-            In the following example, any queries received from any of
-            the addresses of the host itself will get responses preferring
-            addresses
-            on any of the locally connected networks. Next most preferred are
-            addresses
-            on the 192.168.1/24 network, and after that either the
-            192.168.2/24
-            or
-            192.168.3/24 network with no preference shown between these two
-            networks. Queries received from a host on the 192.168.1/24 network
-            will prefer other addresses on that network to the 192.168.2/24
-            and
-            192.168.3/24 networks. Queries received from a host on the
-            192.168.4/24
-            or the 192.168.5/24 network will only prefer other addresses on
-            their directly connected networks.
-          </p>
-<pre class="programlisting">sortlist {
-    // IF the local host
-    // THEN first fit on the following nets
-    { localhost;
-        { localnets;
-            192.168.1/24;
-            { 192.168.2/24; 192.168.3/24; }; }; };
-    // IF on class C 192.168.1 THEN use .1, or .2 or .3
-    { 192.168.1/24;
-        { 192.168.1/24;
-            { 192.168.2/24; 192.168.3/24; }; }; };
-    // IF on class C 192.168.2 THEN use .2, or .1 or .3
-    { 192.168.2/24;
-        { 192.168.2/24;
-            { 192.168.1/24; 192.168.3/24; }; }; };
-    // IF on class C 192.168.3 THEN use .3, or .1 or .2
-    { 192.168.3/24;
-        { 192.168.3/24;
-            { 192.168.1/24; 192.168.2/24; }; }; };
-    // IF .4 or .5 THEN prefer that net
-    { { 192.168.4/24; 192.168.5/24; };
-    };
-};</pre>
-<p>
-            The following example will give reasonable behavior for the
-            local host and hosts on directly connected networks. It is similar
-            to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
-            to queries from the local host will favor any of the directly
-            connected
-            networks. Responses sent to queries from any other hosts on a
-            directly
-            connected network will prefer addresses on that same network.
-            Responses
-            to other queries will not be sorted.
-          </p>
-<pre class="programlisting">sortlist {
-           { localhost; localnets; };
-           { localnets; };
-};
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-<p>
-            When multiple records are returned in an answer it may be
-            useful to configure the order of the records placed into the
-            response.
-            The <span><strong class="command">rrset-order</strong></span> statement permits
-            configuration
-            of the ordering of the records in a multiple record response.
-            See also the <span><strong class="command">sortlist</strong></span> statement,
-            <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
-          </p>
-<p>
-            An <span><strong class="command">order_spec</strong></span> is defined as
-            follows:
-          </p>
-<p>
-            [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
-            [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
-            [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
-            order <em class="replaceable"><code>ordering</code></em>
-          </p>
-<p>
-            If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
-            If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
-            If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
-          </p>
-<p>
-            The legal values for <span><strong class="command">ordering</strong></span> are:
-          </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p><span><strong class="command">fixed</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in the order they
-                      are defined in the zone file.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">random</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in some random order.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">cyclic</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Records are returned in a cyclic round-robin order.
-                    </p>
-                    <p>
-                      If <acronym class="acronym">BIND</acronym> is configured with the
-                      "--enable-fixed-rrset" option at compile time, then
-                      the initial ordering of the RRset will match the
-                      one specified in the zone file.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-            For example:
-          </p>
-<pre class="programlisting">rrset-order {
-   class IN type A name "host.example.com" order random;
-   order cyclic;
-};
-</pre>
-<p>
-            will cause any responses for type A records in class IN that
-            have "<code class="literal">host.example.com</code>" as a
-            suffix, to always be returned
-            in random order. All other records are returned in cyclic order.
-          </p>
-<p>
-            If multiple <span><strong class="command">rrset-order</strong></span> statements
-            appear, they are not combined &#8212; the last one applies.
-          </p>
-<p>
-            By default, all records are returned in random order.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              In this release of <acronym class="acronym">BIND</acronym> 9, the
-              <span><strong class="command">rrset-order</strong></span> statement does not support
-              "fixed" ordering by default.  Fixed ordering can be enabled
-              at compile time by specifying "--enable-fixed-rrset" on
-              the "configure" command line.
-            </p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="tuning"></a>Tuning</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
-<dd>
-<p>
-                  Sets the number of seconds to cache a
-                  lame server indication. 0 disables caching. (This is
-                  <span class="bold"><strong>NOT</strong></span> recommended.)
-                  The default is <code class="literal">600</code> (10 minutes) and the
-                  maximum value is
-                  <code class="literal">1800</code> (30 minutes).
-                </p>
-<p>
-                  Lame-ttl also controls the amount of time DNSSEC
-                  validation failures are cached.  There is a minimum
-                  of 30 seconds applied to bad cache entries if the
-                  lame-ttl is set to less than 30 seconds.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
-<dd><p>
-                  To reduce network traffic and increase performance,
-                  the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
-                  used to set a maximum retention time for these answers in
-                  the server
-                  in seconds. The default
-                  <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
-                  <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
-                  7 days and will
-                  be silently truncated to 7 days if set to a greater value.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
-<dd><p>
-                  Sets the maximum time for which the server will
-                  cache ordinary (positive) answers. The default is
-                  one week (7 days).
-                  A value of zero may cause all queries to return
-                  SERVFAIL, because of lost caches of intermediate
-                  RRsets (such as NS and glue AAAA/A records) in the
-                  resolution process.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
-<dd>
-<p>
-                  The minimum number of root servers that
-                  is required for a request for the root servers to be
-                  accepted. The default
-                  is <strong class="userinput"><code>2</code></strong>.
-                </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                    Not implemented in <acronym class="acronym">BIND</acronym> 9.
-                  </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd>
-<p>
-                  Specifies the number of days into the future when
-                  DNSSEC signatures automatically generated as a
-                  result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>) will expire.  There
-                  is an optional second field which specifies how
-                  long before expiry that the signatures will be
-                  regenerated.  If not specified, the signatures will
-                  be regenerated at 1/4 of base interval.  The second
-                  field is specified in days if the base interval is
-                  greater than 7 days otherwise it is specified in hours.
-                  The default base interval is <code class="literal">30</code> days
-                  giving a re-signing interval of 7 1/2 days.  The maximum
-                  values are 10 years (3660 days).
-                </p>
-<p>
-                  The signature inception time is unconditionally
-                  set to one hour before the current time to allow
-                  for a limited amount of clock skew.
-                </p>
-<p>
-                  The <span><strong class="command">sig-validity-interval</strong></span>
-                  should be, at least, several multiples of the SOA
-                  expire interval to allow for reasonable interaction
-                  between the various timer and expiry dates.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
-<dd><p>
-                  Specify the maximum number of nodes to be
-                  examined in each quantum when signing a zone with
-                  a new DNSKEY. The default is
-                  <code class="literal">100</code>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
-<dd><p>
-                  Specify a threshold number of signatures that
-                  will terminate processing a quantum when signing
-                  a zone with a new DNSKEY.  The default is
-                  <code class="literal">10</code>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
-<dd>
-<p>
-                  Specify a private RDATA type to be used when generating
-                  key signing records.  The default is
-                  <code class="literal">65534</code>.
-                </p>
-<p>
-                  It is expected that this parameter may be removed
-                  in a future version once there is a standard type.
-                </p>
-<p>
-                  These records can be removed from the zone once named
-                  has completed signing the zone with the matching key
-                  using <span><strong class="command">nsupdate</strong></span> or
-                  <span><strong class="command">rndc signing -clear</strong></span>.
-                  <span><strong class="command">rndc signing -clear</strong></span> is the only supported
-                  way to remove these records from
-                  <span><strong class="command">inline-signing</strong></span> zones.
-                </p>
-</dd>
-<dt>
-<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
-</dt>
-<dd>
-<p>
-                  These options control the server's behavior on refreshing a
-                  zone
-                  (querying for SOA changes) or retrying failed transfers.
-                  Usually the SOA values for the zone are used, but these
-                  values
-                  are set by the master, giving slave server administrators
-                  little
-                  control over their contents.
-                </p>
-<p>
-                  These options allow the administrator to set a minimum and
-                  maximum
-                  refresh and retry time either per-zone, per-view, or
-                  globally.
-                  These options are valid for slave and stub zones,
-                  and clamp the SOA refresh and retry times to the specified
-                  values.
-                </p>
-<p>
-                  The following defaults apply.
-                  <span><strong class="command">min-refresh-time</strong></span> 300 seconds,
-                  <span><strong class="command">max-refresh-time</strong></span> 2419200 seconds
-                  (4 weeks), <span><strong class="command">min-retry-time</strong></span> 500 seconds,
-                  and <span><strong class="command">max-retry-time</strong></span> 1209600 seconds
-                  (2 weeks).
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
-<dd>
-<p>
-                  Sets the advertised EDNS UDP buffer size in bytes
-                  to control the size of packets received.
-                  Valid values are 512 to 4096 (values outside this range
-                  will be silently adjusted).  The default value
-                  is 4096.  The usual reason for setting
-                  <span><strong class="command">edns-udp-size</strong></span> to a non-default
-                  value is to get UDP answers to pass through broken
-                  firewalls that block fragmented packets and/or
-                  block UDP packets that are greater than 512 bytes.
-                </p>
-<p>
-                  <span><strong class="command">named</strong></span> will fallback to using 512 bytes
-                  if it get a series of timeout at the initial value.  512
-                  bytes is not being offered to encourage sites to fix their
-                  firewalls.  Small EDNS UDP sizes will result in the
-                  excessive use of TCP.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
-<dd>
-<p>
-                  Sets the maximum EDNS UDP message size
-                  <span><strong class="command">named</strong></span> will send in bytes.
-                  Valid values are 512 to 4096 (values outside this
-                  range will be silently adjusted).  The default
-                  value is 4096.  The usual reason for setting
-                  <span><strong class="command">max-udp-size</strong></span> to a non-default
-                  value is to get UDP answers to pass through broken
-                  firewalls that block fragmented packets and/or
-                  block UDP packets that are greater than 512 bytes.
-                  This is independent of the advertised receive
-                  buffer (<span><strong class="command">edns-udp-size</strong></span>).
-                </p>
-<p>
-                  Setting this to a low value will encourage additional
-                  TCP traffic to the nameserver.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
-<dd>
-<p>Specifies
-                  the file format of zone files (see
-                  <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
-                  The default value is <code class="constant">text</code>, which is the
-                  standard textual representation, except for slave zones,
-                  in which the default value is <code class="constant">raw</code>.
-                  Files in other formats than <code class="constant">text</code> are
-                  typically expected to be generated by the
-                  <span><strong class="command">named-compilezone</strong></span> tool, or dumped by
-                  <span><strong class="command">named</strong></span>.
-                </p>
-<p>
-                  Note that when a zone file in a different format than
-                  <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
-                  may omit some of the checks which would be performed for a
-                  file in the <code class="constant">text</code> format.  In particular,
-                  <span><strong class="command">check-names</strong></span> checks do not apply
-                  for the <code class="constant">raw</code> format.  This means
-                  a zone file in the <code class="constant">raw</code> format
-                  must be generated with the same check level as that
-                  specified in the <span><strong class="command">named</strong></span> configuration
-                  file.  This statement sets the
-                  <span><strong class="command">masterfile-format</strong></span> for all zones,
-                  but can be overridden on a per-zone or per-view basis
-                  by including a <span><strong class="command">masterfile-format</strong></span>
-                  statement within the <span><strong class="command">zone</strong></span> or
-                  <span><strong class="command">view</strong></span> block in the configuration
-                  file.
-                </p>
-</dd>
-<dt>
-<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
-</dt>
-<dd>
-<p>These set the
-                  initial value (minimum) and maximum number of recursive
-                  simultaneous clients for any given query
-                  (&lt;qname,qtype,qclass&gt;) that the server will accept
-                  before dropping additional clients.  <span><strong class="command">named</strong></span> will attempt to
-                  self tune this value and changes will be logged.  The
-                  default values are 10 and 100.
-                </p>
-<p>
-                  This value should reflect how many queries come in for
-                  a given name in the time it takes to resolve that name.
-                  If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
-                  assume that it is dealing with a non-responsive zone
-                  and will drop additional queries.  If it gets a response
-                  after dropping queries, it will raise the estimate.  The
-                  estimate will then be lowered in 20 minutes if it has
-                  remained unchanged.
-                </p>
-<p>
-                  If <span><strong class="command">clients-per-query</strong></span> is set to zero,
-                  then there is no limit on the number of clients per query
-                  and no queries will be dropped.
-                </p>
-<p>
-                  If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
-                  then there is no upper bound other than imposed by
-                  <span><strong class="command">recursive-clients</strong></span>.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
-<dd>
-<p>
-                  The delay, in seconds, between sending sets of notify
-                  messages for a zone.  The default is five (5) seconds.
-                </p>
-<p>
-                  The overall rate that NOTIFY messages are sent for all
-                  zones is controlled by <span><strong class="command">serial-query-rate</strong></span>.
-                </p>
-</dd>
-<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt>
-<dd><p>
-                  The maximum RSA exponent size, in bits, that will
-                  be accepted when validating.  Valid values are 35
-                  to 4096 bits.  The default zero (0) is also accepted
-                  and is equivalent to 4096.
-                </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
-<p>
-            The server provides some helpful diagnostic information
-            through a number of built-in zones under the
-            pseudo-top-level-domain <code class="literal">bind</code> in the
-            <span><strong class="command">CHAOS</strong></span> class.  These zones are part
-            of a
-            built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of
-            class
-            <span><strong class="command">CHAOS</strong></span> which is separate from the
-            default view of class <span><strong class="command">IN</strong></span>. Most global
-            configuration options (<span><strong class="command">allow-query</strong></span>,
-            etc) will apply to this view, but some are locally
-            overridden: <span><strong class="command">notify</strong></span>,
-            <span><strong class="command">recursion</strong></span> and
-            <span><strong class="command">allow-new-zones</strong></span> are
-            always set to <strong class="userinput"><code>no</code></strong>.
-          </p>
-<p>
-            If you need to disable these zones, use the options
-            below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
-            view by
-            defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
-            that matches all clients.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
-<dd><p>
-                  The version the server should report
-                  via a query of the name <code class="literal">version.bind</code>
-                  with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-                  The default is the real version number of this server.
-                  Specifying <span><strong class="command">version none</strong></span>
-                  disables processing of the queries.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
-<dd><p>
-                  The hostname the server should report via a query of
-                  the name <code class="filename">hostname.bind</code>
-                  with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-                  This defaults to the hostname of the machine hosting the
-                  name server as
-                  found by the gethostname() function.  The primary purpose of such queries
-                  is to
-                  identify which of a group of anycast servers is actually
-                  answering your queries.  Specifying <span><strong class="command">hostname none;</strong></span>
-                  disables processing of the queries.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
-<dd><p>
-                  The ID the server should report when receiving a Name
-                  Server Identifier (NSID) query, or a query of the name
-                  <code class="filename">ID.SERVER</code> with type
-                  <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-                  The primary purpose of such queries is to
-                  identify which of a group of anycast servers is actually
-                  answering your queries.  Specifying <span><strong class="command">server-id none;</strong></span>
-                  disables processing of the queries.
-                  Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
-                  use the hostname as found by the gethostname() function.
-                  The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
-                </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
-<p>
-            Named has some built-in empty zones (SOA and NS records only).
-            These are for zones that should normally be answered locally
-            and which queries should not be sent to the Internet's root
-            servers.  The official servers which cover these namespaces
-            return NXDOMAIN responses to these queries.  In particular,
-            these cover the reverse namespaces for addresses from
-            RFC 1918, RFC 4193, RFC 5737 and RFC 6598.  They also include the
-            reverse namespace for IPv6 local address (locally assigned),
-            IPv6 link local addresses, the IPv6 loopback address and the
-            IPv6 unknown address.
-          </p>
-<p>
-            Named will attempt to determine if a built-in zone already exists
-            or is active (covered by a forward-only forwarding declaration)
-            and will not create an empty zone in that case.
-          </p>
-<p>
-            The current list of empty zones is:
-            </p>
-<div class="itemizedlist"><ul type="disc">
-<li>10.IN-ADDR.ARPA</li>
-<li>16.172.IN-ADDR.ARPA</li>
-<li>17.172.IN-ADDR.ARPA</li>
-<li>18.172.IN-ADDR.ARPA</li>
-<li>19.172.IN-ADDR.ARPA</li>
-<li>20.172.IN-ADDR.ARPA</li>
-<li>21.172.IN-ADDR.ARPA</li>
-<li>22.172.IN-ADDR.ARPA</li>
-<li>23.172.IN-ADDR.ARPA</li>
-<li>24.172.IN-ADDR.ARPA</li>
-<li>25.172.IN-ADDR.ARPA</li>
-<li>26.172.IN-ADDR.ARPA</li>
-<li>27.172.IN-ADDR.ARPA</li>
-<li>28.172.IN-ADDR.ARPA</li>
-<li>29.172.IN-ADDR.ARPA</li>
-<li>30.172.IN-ADDR.ARPA</li>
-<li>31.172.IN-ADDR.ARPA</li>
-<li>168.192.IN-ADDR.ARPA</li>
-<li>64.100.IN-ADDR.ARPA</li>
-<li>65.100.IN-ADDR.ARPA</li>
-<li>66.100.IN-ADDR.ARPA</li>
-<li>67.100.IN-ADDR.ARPA</li>
-<li>68.100.IN-ADDR.ARPA</li>
-<li>69.100.IN-ADDR.ARPA</li>
-<li>70.100.IN-ADDR.ARPA</li>
-<li>71.100.IN-ADDR.ARPA</li>
-<li>72.100.IN-ADDR.ARPA</li>
-<li>73.100.IN-ADDR.ARPA</li>
-<li>74.100.IN-ADDR.ARPA</li>
-<li>75.100.IN-ADDR.ARPA</li>
-<li>76.100.IN-ADDR.ARPA</li>
-<li>77.100.IN-ADDR.ARPA</li>
-<li>78.100.IN-ADDR.ARPA</li>
-<li>79.100.IN-ADDR.ARPA</li>
-<li>80.100.IN-ADDR.ARPA</li>
-<li>81.100.IN-ADDR.ARPA</li>
-<li>82.100.IN-ADDR.ARPA</li>
-<li>83.100.IN-ADDR.ARPA</li>
-<li>84.100.IN-ADDR.ARPA</li>
-<li>85.100.IN-ADDR.ARPA</li>
-<li>86.100.IN-ADDR.ARPA</li>
-<li>87.100.IN-ADDR.ARPA</li>
-<li>88.100.IN-ADDR.ARPA</li>
-<li>89.100.IN-ADDR.ARPA</li>
-<li>90.100.IN-ADDR.ARPA</li>
-<li>91.100.IN-ADDR.ARPA</li>
-<li>92.100.IN-ADDR.ARPA</li>
-<li>93.100.IN-ADDR.ARPA</li>
-<li>94.100.IN-ADDR.ARPA</li>
-<li>95.100.IN-ADDR.ARPA</li>
-<li>96.100.IN-ADDR.ARPA</li>
-<li>97.100.IN-ADDR.ARPA</li>
-<li>98.100.IN-ADDR.ARPA</li>
-<li>99.100.IN-ADDR.ARPA</li>
-<li>100.100.IN-ADDR.ARPA</li>
-<li>101.100.IN-ADDR.ARPA</li>
-<li>102.100.IN-ADDR.ARPA</li>
-<li>103.100.IN-ADDR.ARPA</li>
-<li>104.100.IN-ADDR.ARPA</li>
-<li>105.100.IN-ADDR.ARPA</li>
-<li>106.100.IN-ADDR.ARPA</li>
-<li>107.100.IN-ADDR.ARPA</li>
-<li>108.100.IN-ADDR.ARPA</li>
-<li>109.100.IN-ADDR.ARPA</li>
-<li>110.100.IN-ADDR.ARPA</li>
-<li>111.100.IN-ADDR.ARPA</li>
-<li>112.100.IN-ADDR.ARPA</li>
-<li>113.100.IN-ADDR.ARPA</li>
-<li>114.100.IN-ADDR.ARPA</li>
-<li>115.100.IN-ADDR.ARPA</li>
-<li>116.100.IN-ADDR.ARPA</li>
-<li>117.100.IN-ADDR.ARPA</li>
-<li>118.100.IN-ADDR.ARPA</li>
-<li>119.100.IN-ADDR.ARPA</li>
-<li>120.100.IN-ADDR.ARPA</li>
-<li>121.100.IN-ADDR.ARPA</li>
-<li>122.100.IN-ADDR.ARPA</li>
-<li>123.100.IN-ADDR.ARPA</li>
-<li>124.100.IN-ADDR.ARPA</li>
-<li>125.100.IN-ADDR.ARPA</li>
-<li>126.100.IN-ADDR.ARPA</li>
-<li>127.100.IN-ADDR.ARPA</li>
-<li>0.IN-ADDR.ARPA</li>
-<li>127.IN-ADDR.ARPA</li>
-<li>254.169.IN-ADDR.ARPA</li>
-<li>2.0.192.IN-ADDR.ARPA</li>
-<li>100.51.198.IN-ADDR.ARPA</li>
-<li>113.0.203.IN-ADDR.ARPA</li>
-<li>255.255.255.255.IN-ADDR.ARPA</li>
-<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
-<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
-<li>8.B.D.0.1.0.0.2.IP6.ARPA</li>
-<li>D.F.IP6.ARPA</li>
-<li>8.E.F.IP6.ARPA</li>
-<li>9.E.F.IP6.ARPA</li>
-<li>A.E.F.IP6.ARPA</li>
-<li>B.E.F.IP6.ARPA</li>
-</ul></div>
-<p>
-          </p>
-<p>
-            Empty zones are settable at the view level and only apply to
-            views of class IN.  Disabled empty zones are only inherited
-            from options if there are no disabled empty zones specified
-            at the view level.  To override the options list of disabled
-            zones, you can disable the root zone at the view level, for example:
-</p>
-<pre class="programlisting">
-            disable-empty-zone ".";
-</pre>
-<p>
-          </p>
-<p>
-            If you are using the address ranges covered here, you should
-            already have reverse zones covering the addresses you use.
-            In practice this appears to not be the case with many queries
-            being made to the infrastructure servers for names in these
-            spaces.  So many in fact that sacrificial servers were needed
-            to be deployed to channel the query load away from the
-            infrastructure servers.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-            The real parent servers for these zones should disable all
-            empty zone under the parent zone they serve.  For the real
-            root servers, this is all built-in empty zones.  This will
-            enable them to return referrals to deeper in the tree.
-          </div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
-<dd><p>
-                  Specify what server name will appear in the returned
-                  SOA record for empty zones.  If none is specified, then
-                  the zone's name will be used.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
-<dd><p>
-                  Specify what contact name will appear in the returned
-                  SOA record for empty zones.  If none is specified, then
-                  "." will be used.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
-<dd><p>
-                  Enable or disable all empty zones.  By default, they
-                  are enabled.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
-<dd><p>
-                  Disable individual empty zones.  By default, none are
-                  disabled.  This option can be specified multiple times.
-                </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="acache"></a>Additional Section Caching</h4></div></div></div>
-<p>
-            The additional section cache, also called <span><strong class="command">acache</strong></span>,
-            is an internal cache to improve the response performance of BIND 9.
-            When additional section caching is enabled, BIND 9 will
-            cache an internal short-cut to the additional section content for
-            each answer RR.
-            Note that <span><strong class="command">acache</strong></span> is an internal caching
-            mechanism of BIND 9, and is not related to the DNS caching
-            server function.
-          </p>
-<p>
-            Additional section caching does not change the
-            response content (except the RRsets ordering of the additional
-            section, see below), but can improve the response performance
-            significantly.
-            It is particularly effective when BIND 9 acts as an authoritative
-            server for a zone that has many delegations with many glue RRs.
-          </p>
-<p>
-            In order to obtain the maximum performance improvement
-            from additional section caching, setting
-            <span><strong class="command">additional-from-cache</strong></span>
-            to <span><strong class="command">no</strong></span> is recommended, since the current
-            implementation of <span><strong class="command">acache</strong></span>
-            does not short-cut of additional section information from the
-            DNS cache data.
-          </p>
-<p>
-            One obvious disadvantage of <span><strong class="command">acache</strong></span> is
-            that it requires much more
-            memory for the internal cached data.
-            Thus, if the response performance does not matter and memory
-            consumption is much more critical, the
-            <span><strong class="command">acache</strong></span> mechanism can be
-            disabled by setting <span><strong class="command">acache-enable</strong></span> to
-            <span><strong class="command">no</strong></span>.
-            It is also possible to specify the upper limit of memory
-            consumption
-            for acache by using <span><strong class="command">max-acache-size</strong></span>.
-          </p>
-<p>
-            Additional section caching also has a minor effect on the
-            RRset ordering in the additional section.
-            Without <span><strong class="command">acache</strong></span>,
-            <span><strong class="command">cyclic</strong></span> order is effective for the additional
-            section as well as the answer and authority sections.
-            However, additional section caching fixes the ordering when it
-            first caches an RRset for the additional section, and the same
-            ordering will be kept in succeeding responses, regardless of the
-            setting of <span><strong class="command">rrset-order</strong></span>.
-            The effect of this should be minor, however, since an
-            RRset in the additional section
-            typically only contains a small number of RRs (and in many cases
-            it only contains a single RR), in which case the
-            ordering does not matter much.
-          </p>
-<p>
-            The following is a summary of options related to
-            <span><strong class="command">acache</strong></span>.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
-<dd><p>
-                  If <span><strong class="command">yes</strong></span>, additional section caching is
-                  enabled.  The default value is <span><strong class="command">no</strong></span>.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
-<dd><p>
-                  The server will remove stale cache entries, based on an LRU
-                  based
-                  algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
-                  The default is 60 minutes.
-                  If set to 0, no periodic cleaning will occur.
-                </p></dd>
-<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
-<dd><p>
-                  The maximum amount of memory in bytes to use for the server's acache.
-                  When the amount of data in the acache reaches this limit,
-                  the server
-                  will clean more aggressively so that the limit is not
-                  exceeded.
-                  In a server with multiple views, the limit applies
-                  separately to the
-                  acache of each view.
-                  The default is <code class="literal">16M</code>.
-                </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589223"></a>Content Filtering</h4></div></div></div>
-<p>
-            <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
-            out DNS responses from external DNS servers containing
-            certain types of data in the answer section.
-            Specifically, it can reject address (A or AAAA) records if
-            the corresponding IPv4 or IPv6 addresses match the given
-            <code class="varname">address_match_list</code> of the
-            <span><strong class="command">deny-answer-addresses</strong></span> option.
-            It can also reject CNAME or DNAME records if the "alias"
-            name (i.e., the CNAME alias or the substituted query name
-            due to DNAME) matches the
-            given <code class="varname">namelist</code> of the
-            <span><strong class="command">deny-answer-aliases</strong></span> option, where
-            "match" means the alias name is a subdomain of one of
-            the <code class="varname">name_list</code> elements.
-            If the optional <code class="varname">namelist</code> is specified
-            with <span><strong class="command">except-from</strong></span>, records whose query name
-            matches the list will be accepted regardless of the filter
-            setting.
-            Likewise, if the alias name is a subdomain of the
-            corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span>
-            filter will not apply;
-            for example, even if "example.com" is specified for
-            <span><strong class="command">deny-answer-aliases</strong></span>,
-          </p>
-<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
-<p>
-            returned by an "example.com" server will be accepted.
-          </p>
-<p>
-            In the <code class="varname">address_match_list</code> of the
-            <span><strong class="command">deny-answer-addresses</strong></span> option, only
-            <code class="varname">ip_addr</code>
-            and <code class="varname">ip_prefix</code>
-            are meaningful;
-            any <code class="varname">key_id</code> will be silently ignored.
-          </p>
-<p>
-            If a response message is rejected due to the filtering,
-            the entire message is discarded without being cached, and
-            a SERVFAIL error will be returned to the client.
-          </p>
-<p>
-            This filtering is intended to prevent "DNS rebinding attacks," in
-            which an attacker, in response to a query for a domain name the
-            attacker controls, returns an IP address within your own network or
-            an alias name within your own domain.
-            A naive web browser or script could then serve as an
-            unintended proxy, allowing the attacker
-            to get access to an internal node of your local network
-            that couldn't be externally accessed otherwise.
-            See the paper available at
-            <a href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
-            http://portal.acm.org/citation.cfm?id=1315245.1315298
-            </a>
-            for more details about the attacks.
-          </p>
-<p>
-            For example, if you own a domain named "example.net" and
-            your internal network uses an IPv4 prefix 192.0.2.0/24,
-            you might specify the following rules:
-          </p>
-<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
-deny-answer-aliases { "example.net"; };
-</pre>
-<p>
-            If an external attacker lets a web browser in your local
-            network look up an IPv4 address of "attacker.example.com",
-            the attacker's DNS server would return a response like this:
-          </p>
-<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
-<p>
-            in the answer section.
-            Since the rdata of this record (the IPv4 address) matches
-            the specified prefix 192.0.2.0/24, this response will be
-            ignored.
-          </p>
-<p>
-            On the other hand, if the browser looks up a legitimate
-            internal web server "www.example.net" and the
-            following response is returned to
-            the <acronym class="acronym">BIND</acronym> 9 server
-          </p>
-<pre class="programlisting">www.example.net. A 192.0.2.2</pre>
-<p>
-            it will be accepted since the owner name "www.example.net"
-            matches the <span><strong class="command">except-from</strong></span> element,
-            "example.net".
-          </p>
-<p>
-            Note that this is not really an attack on the DNS per se.
-            In fact, there is nothing wrong for an "external" name to
-            be mapped to your "internal" IP address or domain name
-            from the DNS point of view.
-            It might actually be provided for a legitimate purpose,
-            such as for debugging.
-            As long as the mapping is provided by the correct owner,
-            it is not possible or does not make sense to detect
-            whether the intent of the mapping is legitimate or not
-            within the DNS.
-            The "rebinding" attack must primarily be protected at the
-            application that uses the DNS.
-            For a large site, however, it may be difficult to protect
-            all possible applications at once.
-            This filtering feature is provided only to help such an
-            operational environment;
-            it is generally discouraged to turn it on unless you are
-            very sure you have no other choice and the attack is a
-            real threat for your applications.
-          </p>
-<p>
-            Care should be particularly taken if you want to use this
-            option for addresses within 127.0.0.0/8.
-            These addresses are obviously "internal", but many
-            applications conventionally rely on a DNS mapping from
-            some name to such an address.
-            Filtering out DNS records containing this address
-            spuriously can break such applications.
-          </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589417"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
-<p>
-            <acronym class="acronym">BIND</acronym> 9 includes a limited
-            mechanism to modify DNS responses for requests
-            analogous to email anti-spam DNS blacklists.
-            Responses can be changed to deny the existence of domains(NXDOMAIN),
-            deny the existence of IP addresses for domains (NODATA),
-            or contain other IP addresses or data.
-          </p>
-<p>
-            Response policy zones are named in the
-            <span><strong class="command">response-policy</strong></span> option for the view or among the
-            global options if there is no response-policy option for the view.
-            RPZs are ordinary DNS zones containing RRsets
-            that can be queried normally if allowed.
-            It is usually best to restrict those queries with something like
-            <span><strong class="command">allow-query { localhost; };</strong></span>.
-          </p>
-<p>
-            Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP,
-            and NSDNAME.
-            QNAME RPZ records triggered by query names of requests and targets
-            of CNAME records resolved to generate the response.
-            The owner name of a QNAME RPZ record is the query name relativized
-            to the RPZ.
-          </p>
-<p>
-            The second kind of RPZ trigger is an IP address in an A and AAAA
-            record in the ANSWER section of a response.
-            IP address triggers are encoded in records that have owner names
-            that are subdomains of <strong class="userinput"><code>rpz-ip</code></strong> relativized
-            to the RPZ origin name and encode an IP address or address block.
-            IPv4 trigger addresses are represented as
-            <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip</code></strong>.
-            The prefix length must be between 1 and 32.
-            All four bytes, B4, B3, B2, and B1, must be present.
-            B4 is the decimal value of the least significant byte of the
-            IPv4 address as in IN-ADDR.ARPA.
-            IPv6 addresses are encoded in a format similar to the standard
-            IPv6 text representation,
-            <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</code></strong>.
-            Each of W8,...,W1 is a one to four digit hexadecimal number
-            representing 16 bits of the IPv6 address as in the standard text
-            representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
-            All 8 words must be present except when consecutive
-            zero words are replaced with <strong class="userinput"><code>.zz.</code></strong>
-            analogous to double colons (::) in standard IPv6 text encodings.
-            The prefix length must be between 1 and 128.
-          </p>
-<p>
-            NSDNAME triggers match names of authoritative servers
-            for the query name, a parent of the query name, a CNAME for
-            query name, or a parent of a CNAME.
-            They are encoded as subdomains of
-            <strong class="userinput"><code>rpz-nsdomain</code></strong> relativized
-            to the RPZ origin name.
-            NSIP triggers match IP addresses in A and
-            AAAA RRsets for domains that can be checked against NSDNAME
-            policy records.
-            NSIP triggers are encoded like IP triggers except as subdomains of
-            <strong class="userinput"><code>rpz-nsip</code></strong>.
-            NSDNAME and NSIP triggers are checked only for names with at
-            least <span><strong class="command">min-ns-dots</strong></span> dots.
-            The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to
-            exclude top level domains.
-          </p>
-<p>
-            The query response is checked against all RPZs, so
-            two or more policy records can be triggered by a response.
-            Because DNS responses can be rewritten according to at most one
-            policy record, a single record encoding an action (other than
-            <span><strong class="command">DISABLED</strong></span> actions) must be chosen.
-            Triggers or the records that encode them are chosen in
-            the following order:
-            </p>
-<div class="itemizedlist"><ul type="disc">
-<li>Choose the triggered record in the zone that appears
-                first in the response-policy option.
-              </li>
-<li>Prefer QNAME to IP to NSDNAME to NSIP triggers
-                in a single zone.
-              </li>
-<li>Among NSDNAME triggers, prefer the
-                trigger that matches the smallest name under the DNSSEC ordering.
-              </li>
-<li>Among IP or NSIP triggers, prefer the trigger
-                with the longest prefix.
-              </li>
-<li>Among triggers with the same prefex length,
-                prefer the IP or NSIP trigger that matches
-                the smallest IP address.
-              </li>
-</ul></div>
-<p>
-          </p>
-<p>
-            When the processing of a response is restarted to resolve
-            DNAME or CNAME records and a policy record set has
-            not been triggered,
-            all RPZs are again consulted for the DNAME or CNAME names
-            and addresses.
-          </p>
-<p>
-            RPZ record sets are sets of any types of DNS record except
-            DNAME or DNSSEC that encode actions or responses to queries.
-            </p>
-<div class="itemizedlist"><ul type="disc">
-<li>The <span><strong class="command">NXDOMAIN</strong></span> response is encoded
-                by a CNAME whose target is the root domain (.)
-              </li>
-<li>A CNAME whose target is the wildcard top-level
-                domain (*.) specifies the <span><strong class="command">NODATA</strong></span> action,
-                which rewrites the response to NODATA or ANCOUNT=1.
-              </li>
-<li>The <span><strong class="command">Local Data</strong></span> action is
-                represented by a set ordinary DNS records that are used
-                to answer queries.  Queries for record types not the
-                set are answered with NODATA.
-
-                A special form of local data is a CNAME whose target is a
-                wildcard such as *.example.com.
-                It is used as if were an ordinary CNAME after the astrisk (*)
-                has been replaced with the query name.
-                The purpose for this special form is query logging in the
-                walled garden's authority DNS server.
-              </li>
-<li>The <span><strong class="command">PASSTHRU</strong></span> policy is specified
-                by a CNAME whose target is <span><strong class="command">rpz-passthru.</strong></span>
-                It causes the response to not be rewritten
-                and is most often used to "poke holes" in policies for
-                CIDR blocks.
-                (A CNAME whose target is the variable part of its owner name
-                is an obsolete specification of the PASSTHRU policy.)
-              </li>
-</ul></div>
-<p>
-          </p>
-<p>
-            The actions specified in an RPZ can be overridden with a
-            <span><strong class="command">policy</strong></span> clause in the
-            <span><strong class="command">response-policy</strong></span> option.
-            An organization using an RPZ provided by another organization might
-            use this mechanism to redirect domains to its own walled garden.
-            </p>
-<div class="itemizedlist"><ul type="disc">
-<li>
-<span><strong class="command">GIVEN</strong></span> says "do not override but
-                perform the action specified in the zone."
-              </li>
-<li>
-<span><strong class="command">DISABLED</strong></span> causes policy records to do
-                nothing but log what they might have done.
-                The response to the DNS query will be written according to
-                any triggered policy records that are not disabled.
-                Disabled policy zones should appear first,
-                because they will often not be logged
-                if a higher precedence trigger is found first.
-              </li>
-<li>
-<span><strong class="command">PASSTHRU</strong></span> causes all policy records
-                to act as if they were CNAME records with targets the variable
-                part of their owner name.  They protect the response from
-                being changed.
-              </li>
-<li>
-<span><strong class="command">NXDOMAIN</strong></span> causes all RPZ records
-                to specify NXDOMAIN policies.
-              </li>
-<li>
-<span><strong class="command">NODATA</strong></span> overrides with the
-                NODATA policy
-              </li>
-<li>
-<span><strong class="command">CNAME domain</strong></span> causes all RPZ
-                policy records to act as if they were "cname domain" records.
-              </li>
-</ul></div>
-<p>
-          </p>
-<p>
-            By default, the actions encoded in an RPZ are applied
-            only to queries that ask for recursion (RD=1).
-            That default can be changed for a single RPZ or all RPZs in a view
-            with a <span><strong class="command">recursive-only no</strong></span> clause.
-            This feature is useful for serving the same zone files
-            both inside and outside an RFC 1918 cloud and using RPZ to
-            delete answers that would otherwise contain RFC 1918 values
-            on the externally visible name server or view.
-          </p>
-<p>
-            Also by default, RPZ actions are applied only to DNS requests that
-            either do not request DNSSEC metadata (DO=0) or when no DNSSEC
-            records are available for request name in the original zone (not
-            the response policy zone).
-            This default can be changed for all RPZs in a view with a
-            <span><strong class="command">break-dnssec yes</strong></span> clause.
-            In that case, RPZ actions are applied regardless of DNSSEC.
-            The name of the clause option reflects the fact that results
-            rewritten by RPZ actions cannot verify.
-          </p>
-<p>
-            The TTL of a record modified by RPZ policies is set from the
-            TTL of the relevant record in policy zone.  It is then limited
-            to a maximum value.
-            The <span><strong class="command">max-policy-ttl</strong></span> clause changes that
-            maximum from its default of 5.
-          </p>
-<p>
-            For example, you might use this option statement
-          </p>
-<pre class="programlisting">    response-policy { zone "badlist"; };</pre>
-<p>
-            and this zone statement
-          </p>
-<pre class="programlisting">    zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
-<p>
-            with this zone file
-          </p>
-<pre class="programlisting">$TTL 1H
-@                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
-                        NS  LOCALHOST.
-
-; QNAME policy records.  There are no periods (.) after the owner names.
-nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
-nodata.domain.com       CNAME   *.              ; NODATA policy
-bad.domain.com          A       10.0.0.1        ; redirect to a walled garden
-                        AAAA    2001:2::1
-
-; do not rewrite (PASSTHRU) OK.DOMAIN.COM
-ok.domain.com           CNAME   rpz-passthru.
-
-bzone.domain.com        CNAME   garden.example.com.
-
-; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
-*.bzone.domain.com      CNAME   *.garden.example.com.
-
-
-; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
-8.0.0.0.127.rpz-ip      CNAME   .
-32.1.0.0.127.rpz-ip     CNAME   rpz-passthru.
-
-; NSDNAME and NSIP policy records
-ns.domain.com.rpz-nsdname   CNAME   .
-48.zz.2.2001.rpz-nsip       CNAME   .
-</pre>
-<p>
-            RPZ can affect server performance.
-            Each configured response policy zone requires the server to
-            perform one to four additional database lookups before a
-            query can be answered.
-            For example, a DNS server with four policy zones, each with all
-            four kinds of response triggers, QNAME, IP, NSIP, and
-            NSDNAME, requires a total of 17 times as many database
-            lookups as a similar DNS server with no response policy zones.
-            A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
-            response policy zone with QNAME and IP triggers might achieve a
-            maximum queries-per-second rate about 20% lower.
-            A server with four response policy zones with QNAME and IP
-            triggers might have a maximum QPS rate about 50% lower.
-          </p>
-<p>
-            Responses rewritten by RPZ are counted in the
-            <span><strong class="command">RPZRewrites</strong></span> statistics.
-          </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
-    [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
-    [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
-    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
-                  [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
-    [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
-                     [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
-    [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
-            Usage</h3></div></div></div>
-<p>
-            The <span><strong class="command">server</strong></span> statement defines
-            characteristics
-            to be associated with a remote name server.  If a prefix length is
-            specified, then a range of servers is covered.  Only the most
-            specific
-            server clause applies regardless of the order in
-            <code class="filename">named.conf</code>.
-          </p>
-<p>
-            The <span><strong class="command">server</strong></span> statement can occur at
-            the top level of the
-            configuration file or inside a <span><strong class="command">view</strong></span>
-            statement.
-            If a <span><strong class="command">view</strong></span> statement contains
-            one or more <span><strong class="command">server</strong></span> statements, only
-            those
-            apply to the view and any top-level ones are ignored.
-            If a view contains no <span><strong class="command">server</strong></span>
-            statements,
-            any top-level <span><strong class="command">server</strong></span> statements are
-            used as
-            defaults.
-          </p>
-<p>
-            If you discover that a remote server is giving out bad data,
-            marking it as bogus will prevent further queries to it. The
-            default
-            value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
-          </p>
-<p>
-            The <span><strong class="command">provide-ixfr</strong></span> clause determines
-            whether
-            the local server, acting as master, will respond with an
-            incremental
-            zone transfer when the given remote server, a slave, requests it.
-            If set to <span><strong class="command">yes</strong></span>, incremental transfer
-            will be provided
-            whenever possible. If set to <span><strong class="command">no</strong></span>,
-            all transfers
-            to the remote server will be non-incremental. If not set, the
-            value
-            of the <span><strong class="command">provide-ixfr</strong></span> option in the
-            view or
-            global options block is used as a default.
-          </p>
-<p>
-            The <span><strong class="command">request-ixfr</strong></span> clause determines
-            whether
-            the local server, acting as a slave, will request incremental zone
-            transfers from the given remote server, a master. If not set, the
-            value of the <span><strong class="command">request-ixfr</strong></span> option in
-            the view or global options block is used as a default. It may
-            also be set in the zone block and, if set there, it will
-            override the global or view setting for that zone.
-          </p>
-<p>
-            IXFR requests to servers that do not support IXFR will
-            automatically
-            fall back to AXFR.  Therefore, there is no need to manually list
-            which servers support IXFR and which ones do not; the global
-            default
-            of <span><strong class="command">yes</strong></span> should always work.
-            The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
-            <span><strong class="command">request-ixfr</strong></span> clauses is
-            to make it possible to disable the use of IXFR even when both
-            master
-            and slave claim to support it, for example if one of the servers
-            is buggy and crashes or corrupts data when IXFR is used.
-          </p>
-<p>
-            The <span><strong class="command">edns</strong></span> clause determines whether
-            the local server will attempt to use EDNS when communicating
-            with the remote server.  The default is <span><strong class="command">yes</strong></span>.
-          </p>
-<p>
-            The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
-            that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
-            Valid values are 512 to 4096 bytes (values outside this range will be
-            silently adjusted).  This option is useful when you wish to
-            advertises a different value to this server than the value you
-            advertise globally, for example, when there is a firewall at the
-            remote site that is blocking large replies.
-          </p>
-<p>
-            The <span><strong class="command">max-udp-size</strong></span> option sets the
-            maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send.  Valid
-            values are 512 to 4096 bytes (values outside this range will
-            be silently adjusted).  This option is useful when you
-            know that there is a firewall that is blocking large
-            replies from <span><strong class="command">named</strong></span>.
-          </p>
-<p>
-            The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
-            uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
-            as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
-            more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-            8.x, and patched versions of <acronym class="acronym">BIND</acronym>
-            4.9.5. You can specify which method
-            to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
-            If <span><strong class="command">transfer-format</strong></span> is not
-            specified, the <span><strong class="command">transfer-format</strong></span>
-            specified
-            by the <span><strong class="command">options</strong></span> statement will be
-            used.
-          </p>
-<p><span><strong class="command">transfers</strong></span>
-            is used to limit the number of concurrent inbound zone
-            transfers from the specified server. If no
-            <span><strong class="command">transfers</strong></span> clause is specified, the
-            limit is set according to the
-            <span><strong class="command">transfers-per-ns</strong></span> option.
-          </p>
-<p>
-            The <span><strong class="command">keys</strong></span> clause identifies a
-            <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
-            to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-            when talking to the remote server.
-            When a request is sent to the remote server, a request signature
-            will be generated using the key specified here and appended to the
-            message. A request originating from the remote server is not
-            required
-            to be signed by this key.
-          </p>
-<p>
-            Although the grammar of the <span><strong class="command">keys</strong></span>
-            clause
-            allows for multiple keys, only a single key per server is
-            currently
-            supported.
-          </p>
-<p>
-            The <span><strong class="command">transfer-source</strong></span> and
-            <span><strong class="command">transfer-source-v6</strong></span> clauses specify
-            the IPv4 and IPv6 source
-            address to be used for zone transfer with the remote server,
-            respectively.
-            For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
-            be specified.
-            Similarly, for an IPv6 remote server, only
-            <span><strong class="command">transfer-source-v6</strong></span> can be
-            specified.
-            For more details, see the description of
-            <span><strong class="command">transfer-source</strong></span> and
-            <span><strong class="command">transfer-source-v6</strong></span> in
-            <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-          </p>
-<p>
-            The <span><strong class="command">notify-source</strong></span> and
-            <span><strong class="command">notify-source-v6</strong></span> clauses specify the
-            IPv4 and IPv6 source address to be used for notify
-            messages sent to remote servers, respectively.  For an
-            IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
-            can be specified.  Similarly, for an IPv6 remote server,
-            only <span><strong class="command">notify-source-v6</strong></span> can be specified.
-          </p>
-<p>
-            The <span><strong class="command">query-source</strong></span> and
-            <span><strong class="command">query-source-v6</strong></span> clauses specify the
-            IPv4 and IPv6 source address to be used for queries
-            sent to remote servers, respectively.  For an IPv4
-            remote server, only <span><strong class="command">query-source</strong></span> can
-            be specified.  Similarly, for an IPv6 remote server,
-            only <span><strong class="command">query-source-v6</strong></span> can be specified.
-          </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
-   [ inet ( ip_addr | * ) [ port ip_port ]
-   [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
-   [ inet ...; ]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2590613"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
-            Usage</h3></div></div></div>
-<p>
-          The <span><strong class="command">statistics-channels</strong></span> statement
-          declares communication channels to be used by system
-          administrators to get access to statistics information of
-          the name server.
-        </p>
-<p>
-          This statement intends to be flexible to support multiple
-          communication protocols in the future, but currently only
-          HTTP access is supported.
-          It requires that BIND 9 be compiled with libxml2;
-          the <span><strong class="command">statistics-channels</strong></span> statement is
-          still accepted even if it is built without the library,
-          but any HTTP access will fail with an error.
-        </p>
-<p>
-          An <span><strong class="command">inet</strong></span> control channel is a TCP socket
-          listening at the specified <span><strong class="command">ip_port</strong></span> on the
-          specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
-          address.  An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
-          interpreted as the IPv4 wildcard address; connections will be
-          accepted on any of the system's IPv4 addresses.
-          To listen on the IPv6 wildcard address,
-          use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
-        </p>
-<p>
-          If no port is specified, port 80 is used for HTTP channels.
-          The asterisk "<code class="literal">*</code>" cannot be used for
-          <span><strong class="command">ip_port</strong></span>.
-        </p>
-<p>
-          The attempt of opening a statistics channel is
-          restricted by the optional <span><strong class="command">allow</strong></span> clause.
-          Connections to the statistics channel are permitted based on the
-          <span><strong class="command">address_match_list</strong></span>.
-          If no <span><strong class="command">allow</strong></span> clause is present,
-          <span><strong class="command">named</strong></span> accepts connection
-          attempts from any address; since the statistics may
-          contain sensitive internal information, it is highly
-          recommended to restrict the source of connection requests
-          appropriately.
-        </p>
-<p>
-          If no <span><strong class="command">statistics-channels</strong></span> statement is present,
-          <span><strong class="command">named</strong></span> will not open any communication channels.
-        </p>
-<p>
-          If the statistics channel is configured to listen on 127.0.0.1
-          port 8888, then the statistics are accessible in XML format at
-          <a href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
-          <a href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
-          included which can format the XML statistics into tables 
-          when viewed with a stylesheet-capable browser.  When
-          <acronym class="acronym">BIND</acronym> 9 is configured with --enable-newstats, 
-          a new XML schema is used (version 3) which adds additional
-          zone statistics and uses a flatter tree for more efficient
-          parsing.  The stylesheet included uses the Google Charts API
-          to render data into into charts and graphs when using a
-          javascript-capable browser.
-        </p>
-<p>
-          Applications that depend on a particular XML schema
-          can request 
-          <a href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
-          of the statistics XML schema or 
-          <a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
-          If the requested schema is supported by the server, then
-          it will respond; if not, it will return a "page not found"
-          error.
-        </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
-    <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
-    [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2590920"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
-            and Usage</h3></div></div></div>
-<p>
-            The <span><strong class="command">trusted-keys</strong></span> statement defines
-            DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
-            public key for a non-authoritative zone is known, but
-            cannot be securely obtained through DNS, either because
-            it is the DNS root zone or because its parent zone is
-            unsigned.  Once a key has been configured as a trusted
-            key, it is treated as if it had been validated and
-            proven secure. The resolver attempts DNSSEC validation
-            on all DNS data in subdomains of a security root.
-          </p>
-<p>
-            All keys (and corresponding zones) listed in
-            <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
-            of what parent zones say.  Similarly for all keys listed in
-            <span><strong class="command">trusted-keys</strong></span> only those keys are
-            used to validate the DNSKEY RRset.  The parent's DS RRset
-            will not be used.
-          </p>
-<p>
-            The <span><strong class="command">trusted-keys</strong></span> statement can contain
-            multiple key entries, each consisting of the key's
-            domain name, flags, protocol, algorithm, and the Base-64
-            representation of the key data.
-            Spaces, tabs, newlines and carriage returns are ignored
-            in the key data, so the configuration may be split up into
-            multiple lines.
-          </p>
-<p>
-            <span><strong class="command">trusted-keys</strong></span> may be set at the top level
-            of <code class="filename">named.conf</code> or within a view.  If it is
-            set in both places, they are additive: keys defined at the top
-            level are inherited by all views, but keys defined in a view
-            are only used within that view.
-          </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2590967"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
-    <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
-    [<span class="optional"> <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
-            and Usage</h3></div></div></div>
-<p>
-            The <span><strong class="command">managed-keys</strong></span> statement, like 
-            <span><strong class="command">trusted-keys</strong></span>, defines DNSSEC
-            security roots.  The difference is that
-            <span><strong class="command">managed-keys</strong></span> can be kept up to date
-            automatically, without intervention from the resolver
-            operator.
-          </p>
-<p>
-            Suppose, for example, that a zone's key-signing
-            key was compromised, and the zone owner had to revoke and
-            replace the key.  A resolver which had the old key in a
-            <span><strong class="command">trusted-keys</strong></span> statement would be
-            unable to validate this zone any longer; it would
-            reply with a SERVFAIL response code.  This would
-            continue until the resolver operator had updated the
-            <span><strong class="command">trusted-keys</strong></span> statement with the new key.
-          </p>
-<p>
-            If, however, the zone were listed in a
-            <span><strong class="command">managed-keys</strong></span> statement instead, then the
-            zone owner could add a "stand-by" key to the zone in advance.
-            <span><strong class="command">named</strong></span> would store the stand-by key, and
-            when the original key was revoked, <span><strong class="command">named</strong></span>
-            would be able to transition smoothly to the new key.  It would
-            also recognize that the old key had been revoked, and cease
-            using that key to validate answers, minimizing the damage that
-            the compromised key could do.
-          </p>
-<p>
-            A <span><strong class="command">managed-keys</strong></span> statement contains a list of
-            the keys to be managed, along with information about how the
-            keys are to be initialized for the first time.  The only
-            initialization method currently supported (as of
-            <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>.
-            This means the <span><strong class="command">managed-keys</strong></span> statement must
-            contain a copy of the initializing key.  (Future releases may
-            allow keys to be initialized by other methods, eliminating this
-            requirement.)
-          </p>
-<p>
-            Consequently, a <span><strong class="command">managed-keys</strong></span> statement
-            appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing
-            in the presence of the second field, containing the keyword
-            <code class="literal">initial-key</code>.  The difference is, whereas the
-            keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be
-            trusted until they are removed from
-            <code class="filename">named.conf</code>, an initializing key listed 
-            in a <span><strong class="command">managed-keys</strong></span> statement is only trusted
-            <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
-            managed key database and start the RFC 5011 key maintenance
-            process.
-          </p>
-<p>
-            The first time <span><strong class="command">named</strong></span> runs with a managed key
-            configured in <code class="filename">named.conf</code>, it fetches the
-            DNSKEY RRset directly from the zone apex, and validates it
-            using the key specified in the <span><strong class="command">managed-keys</strong></span>
-            statement.  If the DNSKEY RRset is validly signed, then it is
-            used as the basis for a new managed keys database.
-          </p>
-<p>
-            From that point on, whenever <span><strong class="command">named</strong></span> runs, it
-            sees the <span><strong class="command">managed-keys</strong></span> statement, checks to
-            make sure RFC 5011 key maintenance has already been initialized
-            for the specified domain, and if so, it simply moves on.  The
-            key specified in the <span><strong class="command">managed-keys</strong></span> is not
-            used to validate answers; it has been superseded by the key or
-            keys stored in the managed keys database.
-          </p>
-<p>
-            The next time <span><strong class="command">named</strong></span> runs after a name
-            has been <span class="emphasis"><em>removed</em></span> from the
-            <span><strong class="command">managed-keys</strong></span> statement, the corresponding
-            zone will be removed from the managed keys database,
-            and RFC 5011 key maintenance will no longer be used for that
-            domain.
-          </p>
-<p>
-            <span><strong class="command">named</strong></span> only maintains a single managed keys
-            database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>,
-            <span><strong class="command">managed-keys</strong></span> may only be set at the top
-            level of <code class="filename">named.conf</code>, not within a view.
-          </p>
-<p>
-            In the current implementation, the managed keys database is
-            stored as a master-format zone file called
-            <code class="filename">managed-keys.bind</code>.  When the key database
-            is changed, the zone is updated.  As with any other dynamic
-            zone, changes will be written into a journal file,
-            <code class="filename">managed-keys.bind.jnl</code>.  They are committed
-            to the master file as soon as possible afterward; in the case
-            of the managed key database, this will usually occur within 30
-            seconds.  So, whenever <span><strong class="command">named</strong></span> is using
-            automatic key maintenance, those two files can be expected to
-            exist in the working directory.  (For this reason among others,
-            the working directory should be always be writable by
-            <span><strong class="command">named</strong></span>.)
-          </p>
-<p>
-            If the <span><strong class="command">dnssec-validation</strong></span> option is
-            set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
-            will automatically initialize a managed key for the
-            root zone.  Similarly, if the <span><strong class="command">dnssec-lookaside</strong></span>
-            option is set to <strong class="userinput"><code>auto</code></strong>,
-            <span><strong class="command">named</strong></span> will automatically initialize
-            a managed key for the zone <code class="literal">dlv.isc.org</code>.
-            In both cases, the key that is used to initialize the key
-            maintenance process is built into <span><strong class="command">named</strong></span>,
-            and can be overridden from <span><strong class="command">bindkeys-file</strong></span>.
-          </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
-      [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-      match-clients { <em class="replaceable"><code>address_match_list</code></em> };
-      match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
-      match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
-      [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
-      [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591409"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>
-            The <span><strong class="command">view</strong></span> statement is a powerful
-            feature
-            of <acronym class="acronym">BIND</acronym> 9 that lets a name server
-            answer a DNS query differently
-            depending on who is asking. It is particularly useful for
-            implementing
-            split DNS setups without having to run multiple servers.
-          </p>
-<p>
-            Each <span><strong class="command">view</strong></span> statement defines a view
-            of the
-            DNS namespace that will be seen by a subset of clients.  A client
-            matches
-            a view if its source IP address matches the
-            <code class="varname">address_match_list</code> of the view's
-            <span><strong class="command">match-clients</strong></span> clause and its
-            destination IP address matches
-            the <code class="varname">address_match_list</code> of the
-            view's
-            <span><strong class="command">match-destinations</strong></span> clause.  If not
-            specified, both
-            <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-            default to matching all addresses.  In addition to checking IP
-            addresses
-            <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-            can also take <span><strong class="command">keys</strong></span> which provide an
-            mechanism for the
-            client to select the view.  A view can also be specified
-            as <span><strong class="command">match-recursive-only</strong></span>, which
-            means that only recursive
-            requests from matching clients will match that view.
-            The order of the <span><strong class="command">view</strong></span> statements is
-            significant &#8212;
-            a client request will be resolved in the context of the first
-            <span><strong class="command">view</strong></span> that it matches.
-          </p>
-<p>
-            Zones defined within a <span><strong class="command">view</strong></span>
-            statement will
-            only be accessible to clients that match the <span><strong class="command">view</strong></span>.
-            By defining a zone of the same name in multiple views, different
-            zone data can be given to different clients, for example,
-            "internal"
-            and "external" clients in a split DNS setup.
-          </p>
-<p>
-            Many of the options given in the <span><strong class="command">options</strong></span> statement
-            can also be used within a <span><strong class="command">view</strong></span>
-            statement, and then
-            apply only when resolving queries with that view.  When no
-            view-specific
-            value is given, the value in the <span><strong class="command">options</strong></span> statement
-            is used as a default.  Also, zone options can have default values
-            specified
-            in the <span><strong class="command">view</strong></span> statement; these
-            view-specific defaults
-            take precedence over those in the <span><strong class="command">options</strong></span> statement.
-          </p>
-<p>
-            Views are class specific.  If no class is given, class IN
-            is assumed.  Note that all non-IN views must contain a hint zone,
-            since only the IN class has compiled-in default hints.
-          </p>
-<p>
-            If there are no <span><strong class="command">view</strong></span> statements in
-            the config
-            file, a default view that matches any client is automatically
-            created
-            in class IN. Any <span><strong class="command">zone</strong></span> statements
-            specified on
-            the top level of the configuration file are considered to be part
-            of
-            this default view, and the <span><strong class="command">options</strong></span>
-            statement will
-            apply to the default view. If any explicit <span><strong class="command">view</strong></span>
-            statements are present, all <span><strong class="command">zone</strong></span>
-            statements must
-            occur inside <span><strong class="command">view</strong></span> statements.
-          </p>
-<p>
-            Here is an example of a typical split DNS setup implemented
-            using <span><strong class="command">view</strong></span> statements:
-          </p>
-<pre class="programlisting">view "internal" {
-      // This should match our internal networks.
-      match-clients { 10.0.0.0/8; };
-
-      // Provide recursive service to internal
-      // clients only.
-      recursion yes;
-
-      // Provide a complete view of the example.com
-      // zone including addresses of internal hosts.
-      zone "example.com" {
-            type master;
-            file "example-internal.db";
-      };
-};
-
-view "external" {
-      // Match all clients not matched by the
-      // previous view.
-      match-clients { any; };
-
-      // Refuse recursive service to external clients.
-      recursion no;
-
-      // Provide a restricted view of the example.com
-      // zone containing only publicly accessible hosts.
-      zone "example.com" {
-           type master;
-           file "example-external.db";
-      };
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
-            Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type master;
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
-    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
-                  [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
-    [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
-    [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
-    [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
-    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
-    [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
-    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
-    [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
-    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
-    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
-    [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
-    [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type slave;
-    [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
-    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
-    [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
-                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
-                              [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
-    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
-    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
-    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
-    [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
-    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
-                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
-                              [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
-    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
-    [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
-    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
-                             [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
-    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
-    [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
-    [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
-    [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type hint;
-    file <em class="replaceable"><code>string</code></em> ;
-    [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type stub;
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
-    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
-    [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
-    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
-                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
-                              [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
-    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
-                         [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
-                            [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
-    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
-    [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type static-stub;
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-    [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
-    [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]  
-    [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type forward;
-    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
-    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type redirect;
-    file <em class="replaceable"><code>string</code></em> ;
-    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
-    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
-    type delegation-only;
-};
-
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2593189"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2593196"></a>Zone Types</h4></div></div></div>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">master</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The server has a master copy of the data
-                        for the zone and will be able to provide authoritative
-                        answers for
-                        it.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">slave</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A slave zone is a replica of a master
-                        zone. The <span><strong class="command">masters</strong></span> list
-                        specifies one or more IP addresses
-                        of master servers that the slave contacts to update
-                        its copy of the zone.
-                        Masters list elements can also be names of other
-                        masters lists.
-                        By default, transfers are made from port 53 on the
-                        servers; this can
-                        be changed for all servers by specifying a port number
-                        before the
-                        list of IP addresses, or on a per-server basis after
-                        the IP address.
-                        Authentication to the master can also be done with
-                        per-server TSIG keys.
-                        If a file is specified, then the
-                        replica will be written to this file whenever the zone
-                        is changed,
-                        and reloaded from this file on a server restart. Use
-                        of a file is
-                        recommended, since it often speeds server startup and
-                        eliminates
-                        a needless waste of bandwidth. Note that for large
-                        numbers (in the
-                        tens or hundreds of thousands) of zones per server, it
-                        is best to
-                        use a two-level naming scheme for zone filenames. For
-                        example,
-                        a slave server for the zone <code class="literal">example.com</code> might place
-                        the zone contents into a file called
-                        <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
-                        just the first two letters of the zone name. (Most
-                        operating systems
-                        behave very slowly if you put 100000 files into
-                        a single directory.)
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">stub</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A stub zone is similar to a slave zone,
-                        except that it replicates only the NS records of a
-                        master zone instead
-                        of the entire zone. Stub zones are not a standard part
-                        of the DNS;
-                        they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
-                      </p>
-
-                      <p>
-                        Stub zones can be used to eliminate the need for glue
-                        NS record
-                        in a parent zone at the expense of maintaining a stub
-                        zone entry and
-                        a set of name server addresses in <code class="filename">named.conf</code>.
-                        This usage is not recommended for new configurations,
-                        and BIND 9
-                        supports it only in a limited way.
-                        In <acronym class="acronym">BIND</acronym> 4/8, zone
-                        transfers of a parent zone
-                        included the NS records from stub children of that
-                        zone. This meant
-                        that, in some cases, users could get away with
-                        configuring child stubs
-                        only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
-                        9 never mixes together zone data from different zones
-                        in this
-                        way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
-                        zone has child stub zones configured, all the slave
-                        servers for the
-                        parent zone also need to have the same child stub
-                        zones
-                        configured.
-                      </p>
-
-                      <p>
-                        Stub zones can also be used as a way of forcing the
-                        resolution
-                        of a given domain to use a particular set of
-                        authoritative servers.
-                        For example, the caching name servers on a private
-                        network using
-                        RFC1918 addressing may be configured with stub zones
-                        for
-                        <code class="literal">10.in-addr.arpa</code>
-                        to use a set of internal name servers as the
-                        authoritative
-                        servers for that domain.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">static-stub</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A static-stub zone is similar to a stub zone
-                        with the following exceptions:
-                        the zone data is statically configured, rather
-                        than transferred from a master server;
-                        when recursion is necessary for a query that
-                        matches a static-stub zone, the locally
-                        configured data (nameserver names and glue addresses)
-                        is always used even if different authoritative
-                        information is cached.
-                      </p>
-                      <p>
-                        Zone data is configured via the
-                        <span><strong class="command">server-addresses</strong></span> and
-                        <span><strong class="command">server-names</strong></span> zone options.
-                      </p>
-                      <p>
-                        The zone data is maintained in the form of NS
-                        and (if necessary) glue A or AAAA RRs
-                        internally, which can be seen by dumping zone
-                        databases by <span><strong class="command">rndc dumpdb -all</strong></span>.
-                        The configured RRs are considered local configuration
-                        parameters rather than public data.
-                        Non recursive queries (i.e., those with the RD
-                        bit off) to a static-stub zone are therefore
-                        prohibited and will be responded with REFUSED.
-                      </p>
-                      <p>
-                        Since the data is statically configured, no
-                        zone maintenance action takes place for a static-stub
-                        zone.
-                        For example, there is no periodic refresh
-                        attempt, and an incoming notify message
-                        will be rejected with an rcode of NOTAUTH.
-                      </p>
-                      <p>
-                        Each static-stub zone is configured with
-                        internally generated NS and (if necessary)
-                        glue A or AAAA RRs 
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">forward</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A "forward zone" is a way to configure
-                        forwarding on a per-domain basis.  A <span><strong class="command">zone</strong></span> statement
-                        of type <span><strong class="command">forward</strong></span> can
-                        contain a <span><strong class="command">forward</strong></span>
-                        and/or <span><strong class="command">forwarders</strong></span>
-                        statement,
-                        which will apply to queries within the domain given by
-                        the zone
-                        name. If no <span><strong class="command">forwarders</strong></span>
-                        statement is present or
-                        an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
-                        forwarding will be done for the domain, canceling the
-                        effects of
-                        any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
-                        if you want to use this type of zone to change the
-                        behavior of the
-                        global <span><strong class="command">forward</strong></span> option
-                        (that is, "forward first"
-                        to, then "forward only", or vice versa, but want to
-                        use the same
-                        servers as set globally) you need to re-specify the
-                        global forwarders.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">hint</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The initial set of root name servers is
-                        specified using a "hint zone". When the server starts
-                        up, it uses
-                        the root hints to find a root name server and get the
-                        most recent
-                        list of root name servers. If no hint zone is
-                        specified for class
-                        IN, the server uses a compiled-in default set of root
-                        servers hints.
-                        Classes other than IN have no built-in defaults hints.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">redirect</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Redirect zones are used to provide answers to
-                        queries when normal resolution would result in
-                        NXDOMAIN being returned.
-                        Only one redirect zone is supported
-                        per view.  <span><strong class="command">allow-query</strong></span> can be
-                        used to restrict which clients see these answers.
-                      </p>
-                      <p>
-                        If the client has requested DNSSEC records (DO=1) and
-                        the NXDOMAIN response is signed then no substitution
-                        will occur.
-                      </p>
-                      <p>
-                        To redirect all NXDOMAIN responses to
-                        100.100.100.2 and
-                        2001:ffff:ffff::100.100.100.2, one would
-                        configure a type redirect zone named ".",
-                        with the zone file containing wildcard records
-                        that point to the desired addresses: 
-                        <code class="literal">"*. IN A 100.100.100.2"</code>
-                        and
-                        <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
-                      </p>
-                      <p>
-                        To redirect all Spanish names (under .ES) one
-                        would use similar entries but with the names
-                        "*.ES." instead of "*.".  To redirect all 
-                        commercial Spanish names (under COM.ES) one
-                        would use wildcard entries called "*.COM.ES.".
-                      </p>
-                      <p>
-                        Note that the redirect zone supports all
-                        possible types; it is not limited to A and
-                        AAAA records.
-                      </p>
-                      <p>
-                        Because redirect zones are not referenced
-                        directly by name, they are not kept in the
-                        zone lookup table with normal master and slave
-                        zones. Consequently, it is not currently possible
-                        to use
-                        <span><strong class="command">rndc reload
-                                <em class="replaceable"><code>zonename</code></em></strong></span>
-                        to reload a redirect zone.  However, when using
-                        <span><strong class="command">rndc reload</strong></span> without specifying
-                        a zone name, redirect zones will be reloaded along
-                        with other zones.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">delegation-only</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This is used to enforce the delegation-only
-                        status of infrastructure zones (e.g. COM,
-                        NET, ORG).  Any answer that is received
-                        without an explicit or implicit delegation
-                        in the authority section will be treated
-                        as NXDOMAIN.  This does not apply to the
-                        zone apex.  This should not be applied to
-                        leaf zones.
-                      </p>
-                      <p>
-                        <code class="varname">delegation-only</code> has no
-                        effect on answers received from forwarders.
-                      </p>
-                      <p>
-                        See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594009"></a>Class</h4></div></div></div>
-<p>
-              The zone's name may optionally be followed by a class. If
-              a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
-              is assumed. This is correct for the vast majority of cases.
-            </p>
-<p>
-              The <code class="literal">hesiod</code> class is
-              named for an information service from MIT's Project Athena. It
-              is
-              used to share information about various systems databases, such
-              as users, groups, printers and so on. The keyword
-              <code class="literal">HS</code> is
-              a synonym for hesiod.
-            </p>
-<p>
-              Another MIT development is Chaosnet, a LAN protocol created
-              in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
-            </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594042"></a>Zone Options</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>
-                    See the description of <span><strong class="command">allow-transfer</strong></span>
-                    in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
-<dd><p>
-                    See the description of <span><strong class="command">allow-update</strong></span>
-                    in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
-<dd><p>
-                    Specifies a "Simple Secure Update" policy. See
-                    <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd><p>
-                    See the description of <span><strong class="command">allow-update-forwarding</strong></span>
-                    in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>
-                    Only meaningful if <span><strong class="command">notify</strong></span>
-                    is
-                    active for this zone. The set of machines that will
-                    receive a
-                    <code class="literal">DNS NOTIFY</code> message
-                    for this zone is made up of all the listed name servers
-                    (other than
-                    the primary master) for the zone plus any IP addresses
-                    specified
-                    with <span><strong class="command">also-notify</strong></span>. A port
-                    may be specified
-                    with each <span><strong class="command">also-notify</strong></span>
-                    address to send the notify
-                    messages to a port other than the default of 53.
-                    A TSIG key may also be specified to cause the
-                    <code class="literal">NOTIFY</code> to be signed by the
-                    given key.
-                    <span><strong class="command">also-notify</strong></span> is not
-                    meaningful for stub zones.
-                    The default is the empty list.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
-<dd><p>
-                    This option is used to restrict the character set and
-                    syntax of
-                    certain domain names in master files and/or DNS responses
-                    received from the
-                    network.  The default varies according to zone type.  For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.  For <span><strong class="command">slave</strong></span>
-                    zones the default is <span><strong class="command">warn</strong></span>.
-                    It is not implemented for <span><strong class="command">hint</strong></span> zones.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
-          Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
-<dd>
-<p>
-                    Specify the type of database to be used for storing the
-                    zone data.  The string following the <span><strong class="command">database</strong></span> keyword
-                    is interpreted as a list of whitespace-delimited words.
-                    The first word
-                    identifies the database type, and any subsequent words are
-                    passed
-                    as arguments to the database to be interpreted in a way
-                    specific
-                    to the database type.
-                  </p>
-<p>
-                    The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
-                    native in-memory
-                    red-black-tree database.  This database does not take
-                    arguments.
-                  </p>
-<p>
-                    Other values are possible if additional database drivers
-                    have been linked into the server.  Some sample drivers are
-                    included
-                    with the distribution but none are linked in by default.
-                  </p>
-</dd>
-<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
-<dd>
-<p>
-                    The flag only applies to hint and stub zones.  If set
-                    to <strong class="userinput"><code>yes</code></strong>, then the zone will also be
-                    treated as if it is also a delegation-only type zone.
-                  </p>
-<p>
-                    See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
-                  </p>
-</dd>
-<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>
-                    Only meaningful if the zone has a forwarders
-                    list. The <span><strong class="command">only</strong></span> value causes
-                    the lookup to fail
-                    after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
-                    allow a normal lookup to be tried.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>
-                    Used to override the list of global forwarders.
-                    If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
-                    no forwarding is done for the zone and the global options are
-                    not used.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
-<dd><p>
-                    Was used in <acronym class="acronym">BIND</acronym> 8 to
-                    specify the name
-                    of the transaction log (journal) file for dynamic update
-                    and IXFR.
-                    <acronym class="acronym">BIND</acronym> 9 ignores the option
-                    and constructs the name of the journal
-                    file by appending "<code class="filename">.jnl</code>"
-                    to the name of the
-                    zone file.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
-<dd><p>
-                    Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
-                    Ignored in <acronym class="acronym">BIND</acronym> 9.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
-<dd><p>
-                    Allow the default journal's filename to be overridden.
-                    The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
-                    This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server  Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">notify-to-soa</strong></span> in
-                    <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
-<dd><p>
-                    In <acronym class="acronym">BIND</acronym> 8, this option was
-                    intended for specifying
-                    a public zone key for verification of signatures in DNSSEC
-                    signed
-                    zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
-                    on load and ignores the option.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>
-                    If <strong class="userinput"><code>yes</code></strong>, the server will keep
-                    statistical
-                    information for this zone, which can be dumped to the
-                    <span><strong class="command">statistics-file</strong></span> defined in
-                    the server options.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt>
-<dd>
-<p>
-                    Only meaningful for static-stub zones.
-                    This is a list of IP addresses to which queries
-                    should be sent in recursive resolution for the
-                    zone.
-                    A non empty list for this option will internally
-                    configure the apex NS RR with associated glue A or
-                    AAAA RRs.
-                  </p>
-<p>
-                    For example, if "example.com" is configured as a
-                    static-stub zone with 192.0.2.1 and 2001:db8::1234
-                    in a <span><strong class="command">server-addresses</strong></span> option,
-                    the following RRs will be internally configured.
-                  </p>
-<pre class="programlisting">example.com. NS example.com.
-example.com. A 192.0.2.1
-example.com. AAAA 2001:db8::1234</pre>
-<p>
-                    These records are internally used to resolve
-                    names under the static-stub zone.
-                    For instance, if the server receives a query for
-                    "www.example.com" with the RD bit on, the server
-                    will initiate recursive resolution and send
-                    queries to 192.0.2.1 and/or 2001:db8::1234.
-                  </p>
-</dd>
-<dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt>
-<dd>
-<p>
-                    Only meaningful for static-stub zones.
-                    This is a list of domain names of nameservers that
-                    act as authoritative servers of the static-stub
-                    zone.
-                    These names will be resolved to IP addresses when
-                    <span><strong class="command">named</strong></span> needs to send queries to
-                    these servers.
-                    To make this supplemental resolution successful,
-                    these names must not be a subdomain of the origin
-                    name of static-stub zone.
-                    That is, when "example.net" is the origin of a
-                    static-stub zone, "ns.example" and
-                    "master.example.com" can be specified in the
-                    <span><strong class="command">server-names</strong></span> option, but
-                    "ns.example.net" cannot, and will be rejected by
-                    the configuration parser.
-                  </p>
-<p>
-                    A non empty list for this option will internally
-                    configure the apex NS RR with the specified names.
-                    For example, if "example.com" is configured as a
-                    static-stub zone with "ns1.example.net" and
-                    "ns2.example.net"
-                    in a <span><strong class="command">server-names</strong></span> option,
-                    the following RRs will be internally configured.
-                  </p>
-<pre class="programlisting">example.com. NS ns1.example.net.
-example.com. NS ns2.example.net.
-</pre>
-<p>
-                    These records are internally used to resolve
-                    names under the static-stub zone.
-                    For instance, if the server receives a query for
-                    "www.example.com" with the RD bit on, the server
-                    initiate recursive resolution,
-                    resolve "ns1.example.net" and/or
-                    "ns2.example.net" to IP addresses, and then send
-                    queries to (one or more of) these addresses.
-                  </p>
-</dd>
-<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-                  </p></dd>
-<dt>
-<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
-</dt>
-<dd><p>
-                    See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                    (Note that the <span><strong class="command">ixfr-from-differences</strong></span>
-                    <strong class="userinput"><code>master</code></strong> and
-                    <strong class="userinput"><code>slave</code></strong> choices are not
-                    available at the zone level.)
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
-          Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
-          Usage&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt>
-<dd>
-<p>
-                    Zones configured for dynamic DNS may also use this
-                    option to allow varying levels of automatic DNSSEC key
-                    management. There are three possible settings:
-                  </p>
-<p>
-                    <span><strong class="command">auto-dnssec allow;</strong></span> permits
-                    keys to be updated and the zone fully re-signed
-                    whenever the user issues the command <span><strong class="command">rndc sign
-                    <em class="replaceable"><code>zonename</code></em></strong></span>.
-                  </p>
-<p>
-                    <span><strong class="command">auto-dnssec maintain;</strong></span> includes the
-                    above, but also automatically adjusts the zone's DNSSEC
-                    keys on schedule, according to the keys' timing metadata
-                    (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
-                    <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The command
-                    <span><strong class="command">rndc sign
-                    <em class="replaceable"><code>zonename</code></em></strong></span> causes
-                    <span><strong class="command">named</strong></span> to load keys from the key
-                    repository and sign the zone with all keys that are
-                    active. 
-                    <span><strong class="command">rndc loadkeys
-                    <em class="replaceable"><code>zonename</code></em></strong></span> causes
-                    <span><strong class="command">named</strong></span> to load keys from the key
-                    repository and schedule key maintenance events to occur
-                    in the future, but it does not sign the full zone
-                    immediately.  Note: once keys have been loaded for a
-                    zone the first time, the repository will be searched
-                    for changes periodically, regardless of whether
-                    <span><strong class="command">rndc loadkeys</strong></span> is used.  The recheck
-                    interval is defined by
-                    <span><strong class="command">dnssec-loadkeys-interval</strong></span>.)
-                  </p>
-<p>
-                    The default setting is <span><strong class="command">auto-dnssec off</strong></span>.
-                  </p>
-</dd>
-<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt>
-<dd>
-<p>
-                    Zones configured for dynamic DNS may use this
-                    option to set the update method that will be used for
-                    the zone serial number in the SOA record.
-                  </p>
-<p>
-                    With the default setting of
-                    <span><strong class="command">serial-update-method increment;</strong></span>, the
-                    SOA serial number will be incremented by one each time
-                    the zone is updated.
-                  </p>
-<p>
-                    When set to 
-                    <span><strong class="command">serial-update-method unixtime;</strong></span>, the
-                    SOA serial number will be set to the number of seconds
-                    since the UNIX epoch, unless the serial number is
-                    already greater than or equal to that value, in which
-                    case it is simply incremented by one.
-                  </p>
-</dd>
-<dt><span class="term"><span><strong class="command">inline-signing</strong></span></span></dt>
-<dd><p>
-                    If <code class="literal">yes</code>, this enables
-                    "bump in the wire" signing of a zone, where a
-                    unsigned zone is transferred in or loaded from
-                    disk and a signed version of the zone is served,
-                    with possibly, a different serial number.  This
-                    behaviour is disabled by default.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
-<dd><p>
-                    See the description of <span><strong class="command">multi-master</strong></span> in
-                    <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
-<dd><p>
-                    See the description of <span><strong class="command">masterfile-format</strong></span>
-                    in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
-<dd><p>
-                    See the description of
-                    <span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
-                  </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 supports two alternative
-              methods of granting clients the right to perform
-              dynamic updates to a zone, configured by the
-              <span><strong class="command">allow-update</strong></span> and
-              <span><strong class="command">update-policy</strong></span> option, respectively.
-            </p>
-<p>
-              The <span><strong class="command">allow-update</strong></span> clause works the
-              same way as in previous versions of <acronym class="acronym">BIND</acronym>.
-              It grants given clients the permission to update any
-              record of any name in the zone.
-            </p>
-<p>
-              The <span><strong class="command">update-policy</strong></span> clause
-              allows more fine-grained control over what updates are
-              allowed.  A set of rules is specified, where each rule
-              either grants or denies permissions for one or more
-              names to be updated by one or more identities.  If
-              the dynamic update request message is signed (that is,
-              it includes either a TSIG or SIG(0) record), the
-              identity of the signer can be determined.
-            </p>
-<p>
-              Rules are specified in the <span><strong class="command">update-policy</strong></span>
-              zone option, and are only meaningful for master zones.
-              When the <span><strong class="command">update-policy</strong></span> statement
-              is present, it is a configuration error for the
-              <span><strong class="command">allow-update</strong></span> statement to be
-              present.  The <span><strong class="command">update-policy</strong></span> statement
-              only examines the signer of a message; the source
-              address is not relevant.
-            </p>
-<p>
-              There is a pre-defined <span><strong class="command">update-policy</strong></span>
-              rule which can be switched on with the command
-              <span><strong class="command">update-policy local;</strong></span>.
-              Switching on this rule in a zone causes
-              <span><strong class="command">named</strong></span> to generate a TSIG session
-              key and place it in a file, and to allow that key
-              to update the zone.  (By default, the file is
-              <code class="filename">/var/run/named/session.key</code>, the key
-              name is "local-ddns" and the key algorithm is HMAC-SHA256,
-              but these values are configurable with the
-              <span><strong class="command">session-keyfile</strong></span>,
-              <span><strong class="command">session-keyname</strong></span> and
-              <span><strong class="command">session-keyalg</strong></span> options, respectively).
-            </p>
-<p>
-              A client running on the local system, and with appropriate
-              permissions, may read that file and use the key to sign update
-              requests.  The zone's update policy will be set to allow that
-              key to change any record within the zone.  Assuming the
-              key name is "local-ddns", this policy is equivalent to:
-            </p>
-<pre class="programlisting">update-policy { grant local-ddns zonesub any; };
-            </pre>
-<p>
-              The command <span><strong class="command">nsupdate -l</strong></span> sends update
-              requests to localhost, and signs them using the session key.
-            </p>
-<p>
-              Other rule definitions look like this:
-            </p>
-<pre class="programlisting">
-( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
-</pre>
-<p>
-              Each rule grants or denies privileges.  Once a message has
-              successfully matched a rule, the operation is immediately
-              granted or denied and no further rules are examined.  A rule
-              is matched when the signer matches the identity field, the
-              name matches the name field in accordance with the nametype
-              field, and the type matches the types specified in the type
-              field.
-            </p>
-<p>
-              No signer is required for <em class="replaceable"><code>tcp-self</code></em>
-              or <em class="replaceable"><code>6to4-self</code></em> however the standard
-              reverse mapping / prefix conversion must match the identity
-              field.
-            </p>
-<p>
-              The identity field specifies a name or a wildcard
-              name.  Normally, this is the name of the TSIG or
-              SIG(0) key used to sign the update request.  When a
-              TKEY exchange has been used to create a shared secret,
-              the identity of the shared secret is the same as the
-              identity of the key used to authenticate the TKEY
-              exchange.  TKEY is also the negotiation method used
-              by GSS-TSIG, which establishes an identity that is
-              the Kerberos principal of the client, such as
-              <strong class="userinput"><code>"user@host.domain"</code></strong>.  When the
-              <em class="replaceable"><code>identity</code></em> field specifies
-              a wildcard name, it is subject to DNS wildcard
-              expansion, so the rule will apply to multiple identities.
-              The <em class="replaceable"><code>identity</code></em> field must
-              contain a fully-qualified domain name.
-            </p>
-<p>
-              For nametypes <code class="varname">krb5-self</code>,
-              <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
-              and <code class="varname">ms-subdomain</code> the
-              <em class="replaceable"><code>identity</code></em> field specifies
-              the Windows or Kerberos realm of the machine belongs to.
-            </p>
-<p>
-              The <em class="replaceable"><code>nametype</code></em> field has 13
-              values:
-              <code class="varname">name</code>, <code class="varname">subdomain</code>,
-              <code class="varname">wildcard</code>, <code class="varname">self</code>,
-              <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
-              <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
-              <code class="varname">krb5-subdomain</code>,
-              <code class="varname">ms-subdomain</code>,
-              <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
-              <code class="varname">zonesub</code>, and <code class="varname">external</code>.
-            </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">name</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Exact-match semantics.  This rule matches
-                        when the name being updated is identical
-                        to the contents of the
-                        <em class="replaceable"><code>name</code></em> field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">subdomain</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule matches when the name being updated
-                        is a subdomain of, or identical to, the
-                        contents of the <em class="replaceable"><code>name</code></em>
-                        field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">zonesub</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule is similar to subdomain, except that
-                        it matches when the name being updated is a
-                        subdomain of the zone in which the
-                        <span><strong class="command">update-policy</strong></span> statement
-                        appears.  This obviates the need to type the zone
-                        name twice, and enables the use of a standard
-                        <span><strong class="command">update-policy</strong></span> statement in
-                        multiple zones without modification.
-                      </p>
-                      <p>
-                        When this rule is used, the
-                        <em class="replaceable"><code>name</code></em> field is omitted.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">wildcard</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The <em class="replaceable"><code>name</code></em> field
-                        is subject to DNS wildcard expansion, and
-                        this rule matches when the name being updated
-                        name is a valid expansion of the wildcard.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule matches when the name being updated
-                        matches the contents of the
-                        <em class="replaceable"><code>identity</code></em> field.
-                        The <em class="replaceable"><code>name</code></em> field
-                        is ignored, but should be the same as the
-                        <em class="replaceable"><code>identity</code></em> field.
-                        The <code class="varname">self</code> nametype is
-                        most useful when allowing using one key per
-                        name to update, where the key has the same
-                        name as the name to be updated.  The
-                        <em class="replaceable"><code>identity</code></em> would
-                        be specified as <code class="constant">*</code> (an asterisk) in
-                        this case.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">selfsub</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule is similar to <code class="varname">self</code>
-                        except that subdomains of <code class="varname">self</code>
-                        can also be updated.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">selfwild</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule is similar to <code class="varname">self</code>
-                        except that only subdomains of
-                        <code class="varname">self</code> can be updated.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">ms-self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule takes a Windows machine principal
-                        (machine$@REALM) for machine in REALM and
-                        and converts it machine.realm allowing the machine 
-                        to update machine.realm.  The REALM to be matched
-                        is specified in the <em class="replaceable"><code>identity</code></em>
-                        field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">ms-subdomain</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule takes a Windows machine principal 
-                        (machine$@REALM) for machine in REALM and
-                        converts it to machine.realm allowing the machine
-                        to update subdomains of machine.realm.  The REALM
-                        to be matched is specified in the
-                        <em class="replaceable"><code>identity</code></em> field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">krb5-self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule takes a Kerberos machine principal
-                        (host/machine@REALM) for machine in REALM and
-                        and converts it machine.realm allowing the machine 
-                        to update machine.realm.  The REALM to be matched
-                        is specified in the <em class="replaceable"><code>identity</code></em>
-                        field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">krb5-subdomain</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule takes a Kerberos machine principal 
-                        (host/machine@REALM) for machine in REALM and
-                        converts it to machine.realm allowing the machine
-                        to update subdomains of machine.realm.  The REALM
-                        to be matched is specified in the
-                        <em class="replaceable"><code>identity</code></em> field.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">tcp-self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Allow updates that have been sent via TCP and
-                        for which the standard mapping from the initiating
-                        IP address into the IN-ADDR.ARPA and IP6.ARPA
-                        namespaces match the name to be updated.
-                      </p>
-                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                        It is theoretically possible to spoof these TCP
-                        sessions.
-                      </div>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">6to4-self</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Allow the 6to4 prefix to be update by any TCP
-                        connection from the 6to4 network or from the
-                        corresponding IPv4 address.  This is intended
-                        to allow NS or DNAME RRsets to be added to the
-                        reverse tree.
-                      </p>
-                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-                        It is theoretically possible to spoof these TCP
-                        sessions.
-                      </div>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="varname">external</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        This rule allows <span><strong class="command">named</strong></span>
-                        to defer the decision of whether to allow a
-                        given update to an external daemon.
-                      </p>
-                      <p>
-                        The method of communicating with the daemon is
-                        specified in the <em class="replaceable"><code>identity</code></em>
-                        field, the format of which is
-                        "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
-                        where <em class="replaceable"><code>path</code></em> is the location
-                        of a UNIX-domain socket.  (Currently, "local" is the
-                        only supported mechanism.)
-                      </p>
-                      <p>
-                        Requests to the external daemon are sent over the
-                        UNIX-domain socket as datagrams with the following
-                        format:
-                      </p>
-                      <pre class="programlisting">
-   Protocol version number (4 bytes, network byte order, currently 1)
-   Request length (4 bytes, network byte order)
-   Signer (null-terminated string)
-   Name (null-terminated string)
-   TCP source address (null-terminated string)
-   Rdata type (null-terminated string)
-   Key (null-terminated string)
-   TKEY token length (4 bytes, network byte order)
-   TKEY token (remainder of packet)</pre>
-                      <p>
-                        The daemon replies with a four-byte value in
-                        network byte order, containing either 0 or 1; 0
-                        indicates that the specified update is not
-                        permitted, and 1 indicates that it is.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-              In all cases, the <em class="replaceable"><code>name</code></em>
-              field must specify a fully-qualified domain name.
-            </p>
-<p>
-              If no types are explicitly specified, this rule matches
-              all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
-              may be specified by name, including "ANY" (ANY matches
-              all types except NSEC and NSEC3, which can never be
-              updated).  Note that when an attempt is made to delete
-              all records associated with a name, the rules are
-              checked for each existing record type.
-            </p>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2596875"></a>Zone File</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-<p>
-            This section, largely borrowed from RFC 1034, describes the
-            concept of a Resource Record (RR) and explains when each is used.
-            Since the publication of RFC 1034, several new RRs have been
-            identified
-            and implemented in the DNS. These are also included.
-          </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2596893"></a>Resource Records</h4></div></div></div>
-<p>
-              A domain name identifies a node.  Each node has a set of
-              resource information, which may be empty.  The set of resource
-              information associated with a particular name is composed of
-              separate RRs. The order of RRs in a set is not significant and
-              need not be preserved by name servers, resolvers, or other
-              parts of the DNS. However, sorting of multiple RRs is
-              permitted for optimization purposes, for example, to specify
-              that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
-            </p>
-<p>
-              The components of a Resource Record are:
-            </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        owner name
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The domain name where the RR is found.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        type
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        An encoded 16-bit value that specifies
-                        the type of the resource record.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TTL
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The time-to-live of the RR. This field
-                        is a 32-bit integer in units of seconds, and is
-                        primarily used by
-                        resolvers when they cache RRs. The TTL describes how
-                        long a RR can
-                        be cached before it should be discarded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        class
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        An encoded 16-bit value that identifies
-                        a protocol family or instance of a protocol.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RDATA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The resource data.  The format of the
-                        data is type (and sometimes class) specific.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-              The following are <span class="emphasis"><em>types</em></span> of valid RRs:
-            </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        A
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A host address.  In the IN class, this is a
-                        32-bit IP address.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        AAAA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 address.  Described in RFC 1886.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        A6
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 address.  This can be a partial
-                        address (a suffix) and an indirection to the name
-                        where the rest of the
-                        address (the prefix) can be found.  Experimental.
-                        Described in RFC 2874.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        AFSDB
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Location of AFS database servers.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        APL
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Address prefix list.  Experimental.
-                        Described in RFC 3123.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CERT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Holds a digital certificate.
-                        Described in RFC 2538.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CNAME
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies the canonical name of an alias.
-                        Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DHCID
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Is used for identifying which DHCP client is
-                        associated with this name.  Described in RFC 4701.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DNAME
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Replaces the domain name specified with
-                        another name to be looked up, effectively aliasing an
-                        entire
-                        subtree of the domain name space rather than a single
-                        record
-                        as in the case of the CNAME RR.
-                        Described in RFC 2672.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DNSKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Stores a public key associated with a signed
-                        DNS zone.  Described in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        DS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Stores the hash of a public key associated with a
-                        signed DNS zone.  Described in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        GPOS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Specifies the global position.  Superseded by LOC.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        HINFO
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies the CPU and OS used by a host.
-                        Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        IPSECKEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Provides a method for storing IPsec keying material in
-                        DNS.  Described in RFC 4025.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        ISDN
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Representation of ISDN addresses.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        KEY
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Stores a public key associated with a
-                        DNS name.  Used in original DNSSEC; replaced
-                        by DNSKEY in DNSSECbis, but still used with
-                        SIG(0).  Described in RFCs 2535 and 2931.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        KX
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies a key exchanger for this
-                        DNS name.  Described in RFC 2230.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        LOC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        For storing GPS info.  Described in RFC 1876.
-                        Experimental.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        MX
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies a mail exchange for the domain with
-                        a 16-bit preference value (lower is better)
-                        followed by the host name of the mail exchange.
-                        Described in RFC 974, RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NAPTR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Name authority pointer.  Described in RFC 2915.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSAP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A network service access point.
-                        Described in RFC 1706.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The authoritative name server for the
-                        domain.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSEC
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSECbis to securely indicate that
-                        RRs with an owner name in a certain name interval do
-                        not exist in
-                        a zone and indicate what RR types are present for an
-                        existing name.
-                        Described in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSEC3
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSECbis to securely indicate that
-                        RRs with an owner name in a certain name
-                        interval do not exist in a zone and indicate
-                        what RR types are present for an existing
-                        name.  NSEC3 differs from NSEC in that it
-                        prevents zone enumeration but is more
-                        computationally expensive on both the server
-                        and the client than NSEC.  Described in RFC
-                        5155.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NSEC3PARAM
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSECbis to tell the authoritative
-                        server which NSEC3 chains are available to use.
-                        Described in RFC 5155.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        NXT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Used in DNSSEC to securely indicate that
-                        RRs with an owner name in a certain name interval do
-                        not exist in
-                        a zone and indicate what RR types are present for an
-                        existing name.
-                        Used in original DNSSEC; replaced by NSEC in
-                        DNSSECbis.
-                        Described in RFC 2535.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        PTR
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        A pointer to another part of the domain
-                        name space.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        PX
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Provides mappings between RFC 822 and X.400
-                        addresses.  Described in RFC 2163.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Information on persons responsible
-                        for the domain.  Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RRSIG
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains DNSSECbis signature data.  Described
-                        in RFC 4034.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        RT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Route-through binding for hosts that
-                        do not have their own direct wide area network
-                        addresses.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SIG
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains DNSSEC signature data.  Used in
-                        original DNSSEC; replaced by RRSIG in
-                        DNSSECbis, but still used for SIG(0).
-                        Described in RFCs 2535 and 2931.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SOA
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Identifies the start of a zone of authority.
-                        Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SPF
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Contains the Sender Policy Framework information
-                        for a given email domain.  Described in RFC 4408.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SRV
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Information about well known network
-                        services (replaces WKS).  Described in RFC 2782.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        SSHFP
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Provides a way to securely publish a secure shell key's
-                        fingerprint.  Described in RFC 4255.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        TXT
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Text records.  Described in RFC 1035.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        WKS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Information about which well known
-                        network services, such as SMTP, that a domain
-                        supports. Historical.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        X25
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Representation of X.25 network addresses.
-                        Experimental.  Described in RFC 1183.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-              The following <span class="emphasis"><em>classes</em></span> of resource records
-              are currently valid in the DNS:
-            </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        IN
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        The Internet.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        CH
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Chaosnet, a LAN protocol created at MIT in the
-                        mid-1970s.
-                        Rarely used for its historical purpose, but reused for
-                        BIND's
-                        built-in server information zones, e.g.,
-                        <code class="literal">version.bind</code>.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        HS
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        Hesiod, an information service
-                        developed by MIT's Project Athena. It is used to share
-                        information
-                        about various systems databases, such as users,
-                        groups, printers
-                        and so on.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-              The owner name is often implicit, rather than forming an
-              integral
-              part of the RR.  For example, many name servers internally form
-              tree
-              or hash structures for the name space, and chain RRs off nodes.
-              The remaining RR parts are the fixed header (type, class, TTL)
-              which is consistent for all RRs, and a variable part (RDATA)
-              that
-              fits the needs of the resource being described.
-            </p>
-<p>
-              The meaning of the TTL field is a time limit on how long an
-              RR can be kept in a cache.  This limit does not apply to
-              authoritative
-              data in zones; it is also timed out, but by the refreshing
-              policies
-              for the zone.  The TTL is assigned by the administrator for the
-              zone where the data originates.  While short TTLs can be used to
-              minimize caching, and a zero TTL prohibits caching, the
-              realities
-              of Internet performance suggest that these times should be on
-              the
-              order of days for the typical host.  If a change can be
-              anticipated,
-              the TTL can be reduced prior to the change to minimize
-              inconsistency
-              during the change, and then increased back to its former value
-              following
-              the change.
-            </p>
-<p>
-              The data in the RDATA section of RRs is carried as a combination
-              of binary strings and domain names.  The domain names are
-              frequently
-              used as "pointers" to other data in the DNS.
-            </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2598517"></a>Textual expression of RRs</h4></div></div></div>
-<p>
-              RRs are represented in binary form in the packets of the DNS
-              protocol, and are usually represented in highly encoded form
-              when
-              stored in a name server or resolver.  In the examples provided
-              in
-              RFC 1034, a style similar to that used in master files was
-              employed
-              in order to show the contents of RRs.  In this format, most RRs
-              are shown on a single line, although continuation lines are
-              possible
-              using parentheses.
-            </p>
-<p>
-              The start of the line gives the owner of the RR.  If a line
-              begins with a blank, then the owner is assumed to be the same as
-              that of the previous RR.  Blank lines are often included for
-              readability.
-            </p>
-<p>
-              Following the owner, we list the TTL, type, and class of the
-              RR.  Class and type use the mnemonics defined above, and TTL is
-              an integer before the type field.  In order to avoid ambiguity
-              in
-              parsing, type and class mnemonics are disjoint, TTLs are
-              integers,
-              and the type mnemonic is always last. The IN class and TTL
-              values
-              are often omitted from examples in the interests of clarity.
-            </p>
-<p>
-              The resource data or RDATA section of the RR are given using
-              knowledge of the typical representation for the data.
-            </p>
-<p>
-              For example, we might show the RRs carried in a message as:
-            </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <code class="literal">ISI.EDU.</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">MX</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10 VENERA.ISI.EDU.</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p></p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">MX</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10 VAXA.ISI.EDU</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="literal">VENERA.ISI.EDU</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">128.9.0.32</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p></p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10.1.0.52</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p>
-                        <code class="literal">VAXA.ISI.EDU</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10.2.0.27</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p></p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">128.9.0.33</code>
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-              The MX RRs have an RDATA section which consists of a 16-bit
-              number followed by a domain name.  The address RRs use a
-              standard
-              IP address format to contain a 32-bit internet address.
-            </p>
-<p>
-              The above example shows six RRs, with two RRs at each of three
-              domain names.
-            </p>
-<p>
-              Similarly we might see:
-            </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <code class="literal">XX.LCS.MIT.EDU.</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">IN A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">10.0.0.44</code>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td> </td>
-<td>
-                      <p>
-                        <code class="literal">CH A</code>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <code class="literal">MIT.EDU. 2420</code>
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-              This example shows two addresses for
-              <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
-            </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2599037"></a>Discussion of MX Records</h3></div></div></div>
-<p>
-            As described above, domain servers store information as a
-            series of resource records, each of which contains a particular
-            piece of information about a given domain name (which is usually,
-            but not always, a host). The simplest way to think of a RR is as
-            a typed pair of data, a domain name matched with a relevant datum,
-            and stored with some additional type information to help systems
-            determine when the RR is relevant.
-          </p>
-<p>
-            MX records are used to control delivery of email. The data
-            specified in the record is a priority and a domain name. The
-            priority
-            controls the order in which email delivery is attempted, with the
-            lowest number first. If two priorities are the same, a server is
-            chosen randomly. If no servers at a given priority are responding,
-            the mail transport agent will fall back to the next largest
-            priority.
-            Priority numbers do not have any absolute meaning &#8212; they are
-            relevant
-            only respective to other MX records for that domain name. The
-            domain
-            name given is the machine to which the mail will be delivered.
-            It <span class="emphasis"><em>must</em></span> have an associated address record
-            (A or AAAA) &#8212; CNAME is not sufficient.
-          </p>
-<p>
-            For a given domain, if there is both a CNAME record and an
-            MX record, the MX record is in error, and will be ignored.
-            Instead,
-            the mail will be delivered to the server specified in the MX
-            record
-            pointed to by the CNAME.
-            For example:
-          </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">example.com.</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">MX</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">10</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">mail.example.com.</code>
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p></p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">MX</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">10</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">mail2.example.com.</code>
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p></p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">MX</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">20</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">mail.backup.org.</code>
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">mail.example.com.</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">A</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">10.0.0.1</code>
-                    </p>
-                  </td>
-<td>
-                    <p></p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">mail2.example.com.</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">A</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">10.0.0.2</code>
-                    </p>
-                  </td>
-<td>
-                    <p></p>
-                  </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-            Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
-            <code class="literal">mail2.example.com</code> (in
-            any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
-            be attempted.
-          </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-<p>
-            The time-to-live of the RR field is a 32-bit integer represented
-            in units of seconds, and is primarily used by resolvers when they
-            cache RRs. The TTL describes how long a RR can be cached before it
-            should be discarded. The following three types of TTL are
-            currently
-            used in a zone file.
-          </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p>
-                      SOA
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      The last field in the SOA is the negative
-                      caching TTL. This controls how long other servers will
-                      cache no-such-domain
-                      (NXDOMAIN) responses from you.
-                    </p>
-                    <p>
-                      The maximum time for
-                      negative caching is 3 hours (3h).
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      $TTL
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      The $TTL directive at the top of the
-                      zone file (before the SOA) gives a default TTL for every
-                      RR without
-                      a specific TTL set.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      RR TTLs
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      Each RR can have a TTL as the second
-                      field in the RR, which will control how long other
-                      servers can cache
-                      the it.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-            All of these TTLs default to units of seconds, though units
-            can be explicitly specified, for example, <code class="literal">1h30m</code>.
-          </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2599585"></a>Inverse Mapping in IPv4</h3></div></div></div>
-<p>
-            Reverse name resolution (that is, translation from IP address
-            to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
-            and PTR records. Entries in the in-addr.arpa domain are made in
-            least-to-most significant order, read left to right. This is the
-            opposite order to the way IP addresses are usually written. Thus,
-            a machine with an IP address of 10.1.2.3 would have a
-            corresponding
-            in-addr.arpa name of
-            3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-            whose data field is the name of the machine or, optionally,
-            multiple
-            PTR records if the machine has more than one name. For example,
-            in the [<span class="optional">example.com</span>] domain:
-          </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">$ORIGIN</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">2.1.10.in-addr.arpa</code>
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p>
-                      <code class="literal">3</code>
-                    </p>
-                  </td>
-<td>
-                    <p>
-                      <code class="literal">IN PTR foo.example.com.</code>
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table></div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
-              are for providing context to the examples only &#8212; they do not
-              necessarily
-              appear in the actual usage. They are only used here to indicate
-              that the example is relative to the listed origin.
-            </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2599848"></a>Other Zone File Directives</h3></div></div></div>
-<p>
-            The Master File Format was initially defined in RFC 1035 and
-            has subsequently been extended. While the Master File Format
-            itself
-            is class independent all records in a Master File must be of the
-            same
-            class.
-          </p>
-<p>
-            Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
-            and <span><strong class="command">$TTL.</strong></span>
-          </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2599939"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
-<p>
-              When used in the label (or name) field, the asperand or
-              at-sign (@) symbol represents the current origin.
-              At the start of the zone file, it is the 
-              &lt;<code class="varname">zone_name</code>&gt; (followed by
-              trailing dot).
-            </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2599955"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
-<p>
-              Syntax: <span><strong class="command">$ORIGIN</strong></span>
-              <em class="replaceable"><code>domain-name</code></em>
-              [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
-            </p>
-<p><span><strong class="command">$ORIGIN</strong></span>
-              sets the domain name that will be appended to any
-              unqualified records. When a zone is first read in there
-              is an implicit <span><strong class="command">$ORIGIN</strong></span>
-              &lt;<code class="varname">zone_name</code>&gt;<span><strong class="command">.</strong></span>
-              (followed by trailing dot).
-              The current <span><strong class="command">$ORIGIN</strong></span> is appended to
-              the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
-              argument if it is not absolute.
-            </p>
-<pre class="programlisting">
-$ORIGIN example.com.
-WWW     CNAME   MAIN-SERVER
-</pre>
-<p>
-              is equivalent to
-            </p>
-<pre class="programlisting">
-WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2600016"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
-<p>
-              Syntax: <span><strong class="command">$INCLUDE</strong></span>
-              <em class="replaceable"><code>filename</code></em>
-              [<span class="optional">
-<em class="replaceable"><code>origin</code></em> </span>]
-              [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
-            </p>
-<p>
-              Read and process the file <code class="filename">filename</code> as
-              if it were included into the file at this point.  If <span><strong class="command">origin</strong></span> is
-              specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
-              to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
-              used.
-            </p>
-<p>
-              The origin and the current domain name
-              revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
-              the file has been read.
-            </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                RFC 1035 specifies that the current origin should be restored
-                after
-                an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
-                on whether the current
-                domain name should also be restored.  BIND 9 restores both of
-                them.
-                This could be construed as a deviation from RFC 1035, a
-                feature, or both.
-              </p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2600153"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
-<p>
-              Syntax: <span><strong class="command">$TTL</strong></span>
-              <em class="replaceable"><code>default-ttl</code></em>
-              [<span class="optional">
-<em class="replaceable"><code>comment</code></em> </span>]
-            </p>
-<p>
-              Set the default Time To Live (TTL) for subsequent records
-              with undefined TTLs. Valid TTLs are of the range 0-2147483647
-              seconds.
-            </p>
-<p><span><strong class="command">$TTL</strong></span>
-               is defined in RFC 2308.
-            </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2600189"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
-<p>
-            Syntax: <span><strong class="command">$GENERATE</strong></span>
-            <em class="replaceable"><code>range</code></em>
-            <em class="replaceable"><code>lhs</code></em>
-            [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
-            [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
-            <em class="replaceable"><code>type</code></em>
-            <em class="replaceable"><code>rhs</code></em>
-            [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
-          </p>
-<p><span><strong class="command">$GENERATE</strong></span>
-            is used to create a series of resource records that only
-            differ from each other by an
-            iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
-            easily generate the sets of records required to support
-            sub /24 reverse delegations described in RFC 2317:
-            Classless IN-ADDR.ARPA delegation.
-          </p>
-<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0</pre>
-<p>
-            is equivalent to
-          </p>
-<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
-0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
-1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
-2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
-...
-127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-</pre>
-<p>
-            Generate a set of A and MX records.  Note the MX's right hand
-            side is a quoted string.  The quotes will be stripped when the
-            right hand side is processed.
-           </p>
-<pre class="programlisting">
-$ORIGIN EXAMPLE.
-$GENERATE 1-127 HOST-$ A 1.2.3.$
-$GENERATE 1-127 HOST-$ MX "0 ."</pre>
-<p>
-            is equivalent to
-          </p>
-<pre class="programlisting">HOST-1.EXAMPLE.   A  1.2.3.1
-HOST-1.EXAMPLE.   MX 0 .
-HOST-2.EXAMPLE.   A  1.2.3.2
-HOST-2.EXAMPLE.   MX 0 .
-HOST-3.EXAMPLE.   A  1.2.3.3
-HOST-3.EXAMPLE.   MX 0 .
-...
-HOST-127.EXAMPLE. A  1.2.3.127
-HOST-127.EXAMPLE. MX 0 .
-</pre>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p><span><strong class="command">range</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      This can be one of two forms: start-stop
-                      or start-stop/step. If the first form is used, then step
-                      is set to
-                      1. All of start, stop and step must be positive.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">lhs</strong></span></p>
-                  </td>
-<td>
-                    <p>This
-                      describes the owner name of the resource records
-                      to be created.  Any single <span><strong class="command">$</strong></span>
-                      (dollar sign)
-                      symbols within the <span><strong class="command">lhs</strong></span> string
-                      are replaced by the iterator value.
-
-                      To get a $ in the output, you need to escape the
-                      <span><strong class="command">$</strong></span> using a backslash
-                      <span><strong class="command">\</strong></span>,
-                      e.g. <span><strong class="command">\$</strong></span>. The
-                      <span><strong class="command">$</strong></span> may optionally be followed
-                      by modifiers which change the offset from the
-                      iterator, field width and base.
-
-                      Modifiers are introduced by a
-                      <span><strong class="command">{</strong></span> (left brace) immediately following the
-                      <span><strong class="command">$</strong></span> as
-                      <span><strong class="command">${offset[,width[,base]]}</strong></span>.
-                      For example, <span><strong class="command">${-20,3,d}</strong></span>
-                      subtracts 20 from the current value, prints the
-                      result as a decimal in a zero-padded field of
-                      width 3.
-
-                      Available output forms are decimal
-                      (<span><strong class="command">d</strong></span>), octal
-                      (<span><strong class="command">o</strong></span>), hexadecimal
-                      (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
-                      for uppercase) and nibble
-                      (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
-                      for uppercase).  The default modifier is
-                      <span><strong class="command">${0,0,d}</strong></span>.  If the
-                      <span><strong class="command">lhs</strong></span> is not absolute, the
-                      current <span><strong class="command">$ORIGIN</strong></span> is appended
-                      to the name.
-                    </p>
-                    <p>
-                      In nibble mode the value will be treated as
-                      if it was a reversed hexadecimal string
-                      with each hexadecimal digit as a separate
-                      label.  The width field includes the label
-                      separator.
-                    </p>
-                    <p>
-                      For compatibility with earlier versions,
-                      <span><strong class="command">$$</strong></span> is still recognized as
-                      indicating a literal $ in the output.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">ttl</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Specifies the time-to-live of the generated records. If
-                      not specified this will be inherited using the
-                      normal TTL inheritance rules.
-                    </p>
-                    <p><span><strong class="command">class</strong></span>
-                      and <span><strong class="command">ttl</strong></span> can be
-                      entered in either order.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">class</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Specifies the class of the generated records.
-                      This must match the zone class if it is
-                      specified.
-                    </p>
-                    <p><span><strong class="command">class</strong></span>
-                      and <span><strong class="command">ttl</strong></span> can be
-                      entered in either order.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">type</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      Any valid type.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">rhs</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      <span><strong class="command">rhs</strong></span>, optionally, quoted string.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-            The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
-            and not part of the standard zone file format.
-          </p>
-<p>
-            BIND 8 does not support the optional TTL and CLASS fields.
-          </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
-<p>
-            In addition to the standard textual format, BIND 9
-            supports the ability to read or dump to zone files in
-            other formats.  The <code class="constant">raw</code> format is
-            currently available as an additional format.  It is a
-            binary format representing BIND 9's internal data
-            structure directly, thereby remarkably improving the
-            loading time.
-          </p>
-<p>
-            For a primary server, a zone file in the
-            <code class="constant">raw</code> format is expected to be
-            generated from a textual zone file by the
-            <span><strong class="command">named-compilezone</strong></span> command.  For a
-            secondary server or for a dynamic zone, it is automatically
-            generated (if this format is specified by the
-            <span><strong class="command">masterfile-format</strong></span> option) when
-            <span><strong class="command">named</strong></span> dumps the zone contents after
-            zone transfer or when applying prior updates.
-          </p>
-<p>
-            If a zone file in a binary format needs manual modification,
-            it first must be converted to a textual form by the
-            <span><strong class="command">named-compilezone</strong></span> command.  All
-            necessary modification should go to the text file, which
-            should then be converted to the binary form by the
-            <span><strong class="command">named-compilezone</strong></span> command again.
-          </p>
-<p>
-             Although the <code class="constant">raw</code> format uses the
-             network byte order and avoids architecture-dependent
-             data alignment so that it is as much portable as
-             possible, it is primarily expected to be used inside
-             the same single system.  In order to export a zone
-             file in the <code class="constant">raw</code> format or make a
-             portable backup of the file, it is recommended to
-             convert the file to the standard textual representation.
-          </p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
-<p>
-          <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
-          information and provides several interfaces for users to
-          get access to the statistics.
-          The available statistics include all statistics counters
-          that were available in <acronym class="acronym">BIND</acronym> 8 and
-          are meaningful in <acronym class="acronym">BIND</acronym> 9,
-          and other information that is considered useful.
-        </p>
-<p>
-          The statistics information is categorized into the following
-          sections.
-        </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                  <p>Incoming Requests</p>
-                </td>
-<td>
-                  <p>
-                    The number of incoming DNS requests for each OPCODE.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Incoming Queries</p>
-                </td>
-<td>
-                  <p>
-                    The number of incoming queries for each RR type.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Outgoing Queries</p>
-                </td>
-<td>
-                  <p>
-                    The number of outgoing queries for each RR
-                    type sent from the internal resolver.
-                    Maintained per view.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Name Server Statistics</p>
-                </td>
-<td>
-                  <p>
-                    Statistics counters about incoming request processing.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Zone Maintenance Statistics</p>
-                </td>
-<td>
-                  <p>
-                    Statistics counters regarding zone maintenance
-                    operations such as zone transfers.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Resolver Statistics</p>
-                </td>
-<td>
-                  <p>
-                    Statistics counters about name resolution
-                    performed in the internal resolver.
-                    Maintained per view.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Cache DB RRsets</p>
-                </td>
-<td>
-                  <p>
-                    The number of RRsets per RR type and nonexistent
-                    names stored in the cache database.
-                    If the exclamation mark (!) is printed for a RR
-                    type, it means that particular type of RRset is
-                    known to be nonexistent (this is also known as
-                    "NXRRSET").
-                    Maintained per view.
-                  </p>
-                </td>
-</tr>
-<tr>
-<td>
-                  <p>Socket I/O Statistics</p>
-                </td>
-<td>
-                  <p>
-                    Statistics counters about network related events.
-                  </p>
-                </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-          A subset of Name Server Statistics is collected and shown
-          per zone for which the server has the authority when
-          <span><strong class="command">zone-statistics</strong></span> is set to
-          <strong class="userinput"><code>yes</code></strong>.
-          These statistics counters are shown with their zone and view
-          names.
-          In some cases the view names are omitted for the default view.
-        </p>
-<p>
-          There are currently two user interfaces to get access to the
-          statistics.
-          One is in the plain text format dumped to the file specified
-          by the <span><strong class="command">statistics-file</strong></span> configuration option.
-          The other is remotely accessible via a statistics channel
-          when the <span><strong class="command">statistics-channels</strong></span> statement
-          is specified in the configuration file
-          (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called &#8220;<span><strong class="command">statistics-channels</strong></span> Statement Grammar&#8221;</a>.)
-        </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="statsfile"></a>The Statistics File</h4></div></div></div>
-<p>
-            The text format statistics dump begins with a line, like:
-          </p>
-<p>
-            <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
-          </p>
-<p>
-            The number in parentheses is a standard
-            Unix-style timestamp, measured as seconds since January 1, 1970.
-
-            Following
-            that line is a set of statistics information, which is categorized
-            as described above.
-            Each section begins with a line, like:
-          </p>
-<p>
-            <span><strong class="command">++ Name Server Statistics ++</strong></span>
-          </p>
-<p>
-            Each section consists of lines, each containing the statistics
-            counter value followed by its textual description.
-            See below for available counters.
-            For brevity, counters that have a value of 0 are not shown
-            in the statistics file.
-          </p>
-<p>
-            The statistics dump ends with the line where the
-            number is identical to the number in the beginning line; for example:
-          </p>
-<p>
-            <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
-          </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
-<p>
-            The following tables summarize statistics counters that
-            <acronym class="acronym">BIND</acronym> 9 provides.
-            For each row of the tables, the leftmost column is the
-            abbreviated symbol name of that counter.
-            These symbols are shown in the statistics information
-            accessed via an HTTP statistics channel.
-            The rightmost column gives the description of the counter,
-            which is also shown in the statistics file
-            (but, in this document, possibly with slight modification
-            for better readability).
-            Additional notes may also be provided in this column.
-            When a middle column exists between these two columns,
-            it gives the corresponding counter name of the
-            <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
-          </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2601075"></a>Name Server Statistics Counters</h4></div></div></div>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>BIND8 Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Description</em></span>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Requestv4</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 requests received.
-                        Note: this also counts non query requests.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Requestv6</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 requests received.
-                        Note: this also counts non query requests.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ReqEdns0</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with EDNS(0) received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ReqBadEDNSVer</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with unsupported EDNS version received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ReqTSIG</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with TSIG received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ReqSIG0</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with SIG(0) received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ReqBadSIG</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requests with invalid (TSIG or SIG(0)) signature.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ReqTCP</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RTCP</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        TCP requests received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">AuthQryRej</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RUQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Authoritative (non recursive) queries rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">RecQryRej</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RURQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Recursive queries rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">XfrRej</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RUXFR</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Zone transfer requests rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">UpdateRej</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RUUpd</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic update requests rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Response</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SAns</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">RespTruncated</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Truncated responses sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">RespEDNS0</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses with EDNS(0) sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">RespTSIG</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses with TSIG sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">RespSIG0</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Responses with SIG(0) sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QrySuccess</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in a successful answer.
-                        This means the query which returns a NOERROR response
-                        with at least one answer RR.
-                        This corresponds to the
-                        <span><strong class="command">success</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryAuthAns</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in authoritative answer.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryNoauthAns</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SNaAns</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in non authoritative answer.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryReferral</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in referral answer.
-                        This corresponds to the
-                        <span><strong class="command">referral</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryNxrrset</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in NOERROR responses with no data.
-                        This corresponds to the
-                        <span><strong class="command">nxrrset</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QrySERVFAIL</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in SERVFAIL.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryFORMERR</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SFErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in FORMERR.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryNXDOMAIN</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SNXD</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries resulted in NXDOMAIN.
-                        This corresponds to the
-                        <span><strong class="command">nxdomain</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryRecursion</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RFwdQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries which caused the server
-                        to perform recursion in order to find the final answer.
-                        This corresponds to the
-                        <span><strong class="command">recursion</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryDuplicate</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RDupQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries which the server attempted to
-                        recurse but discovered an existing query with the same
-                        IP address, port, query ID, name, type and class
-                        already being processed.
-                        This corresponds to the
-                        <span><strong class="command">duplicate</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryDropped</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Recursive queries for which the server
-                        discovered an excessive number of existing
-                        recursive queries for the same name, type and
-                        class and were subsequently dropped.
-                        This is the number of dropped queries due to
-                        the reason explained with the
-                        <span><strong class="command">clients-per-query</strong></span>
-                        and
-                        <span><strong class="command">max-clients-per-query</strong></span>
-                        options
-                        (see the description about
-                        <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
-                        This corresponds to the
-                        <span><strong class="command">dropped</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryFailure</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Other query failures.
-                        This corresponds to the
-                        <span><strong class="command">failure</strong></span> counter
-                        of previous versions of
-                        <acronym class="acronym">BIND</acronym> 9.
-                        Note: this counter is provided mainly for
-                        backward compatibility with the previous versions.
-                        Normally a more fine-grained counters such as
-                        <span><strong class="command">AuthQryRej</strong></span> and
-                        <span><strong class="command">RecQryRej</strong></span>
-                        that would also fall into this counter are provided,
-                        and so this counter would not be of much
-                        interest in practice.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">XfrReqDone</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Requested zone transfers completed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">UpdateReqFwd</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Update requests forwarded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">UpdateRespFwd</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Update responses forwarded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">UpdateFwdFail</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic update forward failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">UpdateDone</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic updates completed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">UpdateFail</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic updates failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">UpdateBadPrereq</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Dynamic updates rejected due to prerequisite failure.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">RPZRewrites</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Response policy zone rewrites.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2602716"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Description</em></span>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">NotifyOutv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 notifies sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">NotifyOutv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 notifies sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">NotifyInv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 notifies received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">NotifyInv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 notifies received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">NotifyRej</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Incoming notifies rejected.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">SOAOutv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 SOA queries sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">SOAOutv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 SOA queries sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">AXFRReqv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 AXFR requested.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">AXFRReqv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 AXFR requested.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">IXFRReqv4</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 IXFR requested.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">IXFRReqv6</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 IXFR requested.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">XfrSuccess</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Zone transfer requests succeeded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">XfrFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Zone transfer requests failed.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2603099"></a>Resolver Statistics Counters</h4></div></div></div>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>BIND8 Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Description</em></span>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Queryv4</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SFwdQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 queries sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Queryv6</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SFwdQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 queries sent.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Responsev4</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RR</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 responses received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Responsev6</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RR</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 responses received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">NXDOMAIN</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RNXD</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        NXDOMAIN received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">SERVFAIL</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        SERVFAIL received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">FORMERR</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RFErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        FORMERR received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">OtherError</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Other errors received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">EDNS0Fail</strong></span></p>
-                                                 </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        EDNS(0) query failures.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Mismatch</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RDupR</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Mismatch responses received.
-                        The DNS ID, response's source address,
-                        and/or the response's source port does not
-                        match what was expected.
-                        (The port must be 53 or as defined by
-                        the <span><strong class="command">port</strong></span> option.)
-                        This may be an indication of a cache
-                        poisoning attempt.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Truncated</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Truncated responses received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Lame</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">RLame</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Lame delegations received.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">Retry</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SDupQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Query retries performed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QueryAbort</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Queries aborted due to quota control.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QuerySockFail</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures in opening query sockets.
-                        One common reason for such failures is a
-                        failure of opening a new socket due to a
-                        limitation on file descriptors.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QueryTimeout</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Query timeouts.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">GlueFetchv4</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SSysQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 NS address fetches invoked.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">GlueFetchv6</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command">SSysQ</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 NS address fetches invoked.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">GlueFetchv4Fail</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv4 NS address fetch failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">GlueFetchv6Fail</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        IPv6 NS address fetch failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ValAttempt</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        DNSSEC validation attempted.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ValOk</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        DNSSEC validation succeeded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ValNegOk</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        DNSSEC validation on negative information succeeded.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">ValFail</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        DNSSEC validation failed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">QryRTTnn</strong></span></p>
-                    </td>
-<td>
-                      <p><span><strong class="command"></strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Frequency table on round trip times (RTTs) of
-                        queries.
-                        Each <span><strong class="command">nn</strong></span> specifies the corresponding
-                        frequency.
-                        In the sequence of
-                        <span><strong class="command">nn_1</strong></span>,
-                        <span><strong class="command">nn_2</strong></span>,
-                        ...,
-                        <span><strong class="command">nn_m</strong></span>,
-                        the value of <span><strong class="command">nn_i</strong></span> is the
-                        number of queries whose RTTs are between
-                        <span><strong class="command">nn_(i-1)</strong></span> (inclusive) and
-                        <span><strong class="command">nn_i</strong></span> (exclusive) milliseconds.
-                        For the sake of convenience we define
-                        <span><strong class="command">nn_0</strong></span> to be 0.
-                        The last entry should be represented as
-                        <span><strong class="command">nn_m+</strong></span>, which means the
-                        number of queries whose RTTs are equal to or over
-                        <span><strong class="command">nn_m</strong></span> milliseconds.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2604121"></a>Socket I/O Statistics Counters</h4></div></div></div>
-<p>
-              Socket I/O statistics counters are defined per socket
-              types, which are
-              <span><strong class="command">UDP4</strong></span> (UDP/IPv4),
-              <span><strong class="command">UDP6</strong></span> (UDP/IPv6),
-              <span><strong class="command">TCP4</strong></span> (TCP/IPv4),
-              <span><strong class="command">TCP6</strong></span> (TCP/IPv6),
-              <span><strong class="command">Unix</strong></span> (Unix Domain), and
-              <span><strong class="command">FDwatch</strong></span> (sockets opened outside the
-              socket module).
-              In the following table <span><strong class="command">&lt;TYPE&gt;</strong></span>
-              represents a socket type.
-              Not all counters are available for all socket types;
-              exceptions are noted in the description field.
-            </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Symbol</em></span>
-                      </p>
-                    </td>
-<td>
-                      <p>
-                        <span class="emphasis"><em>Description</em></span>
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;Open</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Sockets opened successfully.
-                        This counter is not applicable to the
-                        <span><strong class="command">FDwatch</strong></span> type.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;OpenFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures of opening sockets.
-                        This counter is not applicable to the
-                        <span><strong class="command">FDwatch</strong></span> type.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;Close</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Sockets closed.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;BindFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures of binding sockets.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;ConnFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures of connecting sockets.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;Conn</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Connections established successfully.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;AcceptFail</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Failures of accepting incoming connection requests.
-                        This counter is not applicable to the
-                        <span><strong class="command">UDP</strong></span> and
-                        <span><strong class="command">FDwatch</strong></span> types.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;Accept</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Incoming connections successfully accepted.
-                        This counter is not applicable to the
-                        <span><strong class="command">UDP</strong></span> and
-                        <span><strong class="command">FDwatch</strong></span> types.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;SendErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Errors in socket send operations.
-                        This counter corresponds
-                        to <span><strong class="command">SErr</strong></span> counter of
-                        <span><strong class="command">BIND</strong></span> 8.
-                      </p>
-                    </td>
-</tr>
-<tr>
-<td>
-                      <p><span><strong class="command">&lt;TYPE&gt;RecvErr</strong></span></p>
-                    </td>
-<td>
-                      <p>
-                        Errors in socket receive operations.
-                        This includes errors of send operations on a
-                        connected UDP socket notified by an ICMP error
-                        message.
-                      </p>
-                    </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2604494"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
-<p>
-              Most statistics counters that were available
-              in <span><strong class="command">BIND</strong></span> 8 are also supported in
-              <span><strong class="command">BIND</strong></span> 9 as shown in the above tables.
-              Here are notes about other counters that do not appear
-              in these tables.
-            </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">RFwdR,SFwdR</strong></span></span></dt>
-<dd><p>
-                    These counters are not supported
-                    because <span><strong class="command">BIND</strong></span> 9 does not adopt
-                    the notion of <span class="emphasis"><em>forwarding</em></span>
-                    as <span><strong class="command">BIND</strong></span> 8 did.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">RAXFR</strong></span></span></dt>
-<dd><p>
-                    This counter is accessible in the Incoming Queries section.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">RIQ</strong></span></span></dt>
-<dd><p>
-                    This counter is accessible in the Incoming Requests section.
-                  </p></dd>
-<dt><span class="term"><span><strong class="command">ROpts</strong></span></span></dt>
-<dd><p>
-                    This counter is not supported
-                    because <span><strong class="command">BIND</strong></span> 9 does not care
-                    about IP options in the first place.
-                  </p></dd>
-</dl></div>
-</div>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch07.html b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
deleted file mode 100644
index fd1747e..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch07.html
+++ /dev/null
@@ -1,251 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 7. BIND 9 Security Considerations</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
-<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2604722"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604871">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604999">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
-<p>
-          Access Control Lists (ACLs) are address match lists that
-          you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
-          <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
-          <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
-          <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-          etc.
-        </p>
-<p>
-          Using ACLs allows you to have finer control over who can access
-          your name server, without cluttering up your config files with huge
-          lists of IP addresses.
-        </p>
-<p>
-          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
-          control access to your server. Limiting access to your server by
-          outside parties can help prevent spoofing and denial of service (DoS) attacks against
-          your server.
-        </p>
-<p>
-          Here is an example of how to properly apply ACLs:
-        </p>
-<pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block
-// RFC1918 space and some reserved space, which is
-// commonly used in spoofing attacks.
-acl bogusnets {
-        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
-        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
-};
-
-// Set up an ACL called our-nets. Replace this with the
-// real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; };
-options {
-  ...
-  ...
-  allow-query { our-nets; };
-  allow-recursion { our-nets; };
-  ...
-  blackhole { bogusnets; };
-  ...
-};
-
-zone "example.com" {
-  type master;
-  file "m/example.com";
-  allow-query { any; };
-};
-</pre>
-<p>
-          This allows recursive queries of the server from the outside
-          unless recursion has been previously disabled.
-        </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2604722"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
-</h2></div></div></div>
-<p>
-          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
-          in a <span class="emphasis"><em>chrooted</em></span> environment (using
-          the <span><strong class="command">chroot()</strong></span> function) by specifying
-          the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
-          This can help improve system security by placing
-          <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
-          the damage done if a server is compromised.
-        </p>
-<p>
-          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
-          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
-          We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
-        </p>
-<p>
-          Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
-          <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
-          user 202:
-        </p>
-<p>
-          <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
-        </p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2604871"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
-<p>
-            In order for a <span><strong class="command">chroot</strong></span> environment
-            to
-            work properly in a particular directory
-            (for example, <code class="filename">/var/named</code>),
-            you will need to set up an environment that includes everything
-            <acronym class="acronym">BIND</acronym> needs to run.
-            From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
-            the root of the filesystem.  You will need to adjust the values of
-            options like
-            like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
-            for this.
-          </p>
-<p>
-            Unlike with earlier versions of BIND, you typically will
-            <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
-            statically nor install shared libraries under the new root.
-            However, depending on your operating system, you may need
-            to set up things like
-            <code class="filename">/dev/zero</code>,
-            <code class="filename">/dev/random</code>,
-            <code class="filename">/dev/log</code>, and
-            <code class="filename">/etc/localtime</code>.
-          </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2604999"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
-<p>
-            Prior to running the <span><strong class="command">named</strong></span> daemon,
-            use
-            the <span><strong class="command">touch</strong></span> utility (to change file
-            access and
-            modification times) or the <span><strong class="command">chown</strong></span>
-            utility (to
-            set the user id and/or group id) on files
-            to which you want <acronym class="acronym">BIND</acronym>
-            to write.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-            Note that if the <span><strong class="command">named</strong></span> daemon is running as an
-            unprivileged user, it will not be able to bind to new restricted
-            ports if the server is reloaded.
-          </div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
-<p>
-          Access to the dynamic
-          update facility should be strictly limited.  In earlier versions of
-          <acronym class="acronym">BIND</acronym>, the only way to do this was
-          based on the IP
-          address of the host requesting the update, by listing an IP address
-          or
-          network prefix in the <span><strong class="command">allow-update</strong></span>
-          zone option.
-          This method is insecure since the source address of the update UDP
-          packet
-          is easily forged.  Also note that if the IP addresses allowed by the
-          <span><strong class="command">allow-update</strong></span> option include the
-          address of a slave
-          server which performs forwarding of dynamic updates, the master can
-          be
-          trivially attacked by sending the update to the slave, which will
-          forward it to the master with its own source IP address causing the
-          master to approve it without question.
-        </p>
-<p>
-          For these reasons, we strongly recommend that updates be
-          cryptographically authenticated by means of transaction signatures
-          (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
-          option should
-          list only TSIG key names, not IP addresses or network
-          prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
-          option can be used.
-        </p>
-<p>
-          Some sites choose to keep all dynamically-updated DNS data
-          in a subdomain and delegate that subdomain to a separate zone. This
-          way, the top-level zone containing critical data such as the IP
-          addresses
-          of public web and mail servers need not allow dynamic update at
-          all.
-        </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch08.html b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
deleted file mode 100644
index 35d6bbd..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch08.html
+++ /dev/null
@@ -1,139 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 8. Troubleshooting</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
-<link rel="next" href="Bv9ARM.ch09.html" title="Appendix A. Appendices">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 8. Troubleshooting</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605147">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2605153">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605164">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605181">Where Can I Get Help?</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2605147"></a>Common Problems</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2605153"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
-<p>
-            The best solution to solving installation and
-            configuration issues is to take preventative measures by setting
-            up logging files beforehand. The log files provide a
-            source of hints and information that can be used to figure out
-            what went wrong and how to fix the problem.
-          </p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2605164"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
-<p>
-          Zone serial numbers are just numbers &#8212; they aren't
-          date related.  A lot of people set them to a number that
-          represents a date, usually of the form YYYYMMDDRR.
-          Occasionally they will make a mistake and set them to a
-          "date in the future" then try to correct them by setting
-          them to the "current date".  This causes problems because
-          serial numbers are used to indicate that a zone has been
-          updated.  If the serial number on the slave server is
-          lower than the serial number on the master, the slave
-          server will attempt to update its copy of the zone.
-        </p>
-<p>
-          Setting the serial number to a lower number on the master
-          server than the slave server means that the slave will not perform
-          updates to its copy of the zone.
-        </p>
-<p>
-          The solution to this is to add 2147483647 (2^31-1) to the
-          number, reload the zone and make sure all slaves have updated to
-          the new zone serial number, then reset the number to what you want
-          it to be, and reload the zone again.
-        </p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2605181"></a>Where Can I Get Help?</h2></div></div></div>
-<p>
-          The Internet Systems Consortium
-          (<acronym class="acronym">ISC</acronym>) offers a wide range
-          of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
-          levels of premium support are available and each level includes
-          support for all <acronym class="acronym">ISC</acronym> programs,
-          significant discounts on products
-          and training, and a recognized priority on bug fixes and
-          non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
-          support agreement package which includes services ranging from bug
-          fix announcements to remote support. It also includes training in
-          <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
-        </p>
-<p>
-          To discuss arrangements for support, contact
-          <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
-          <acronym class="acronym">ISC</acronym> web page at
-          <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
-          to read more.
-        </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix A. Appendices</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch09.html b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
deleted file mode 100644
index 83578ad..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch09.html
+++ /dev/null
@@ -1,1103 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix A. Appendices</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
-<link rel="next" href="Bv9ARM.ch10.html" title="Manual pages">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix A. Appendices</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="appendix" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch09"></a>Appendix A. Appendices</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2605243">Acknowledgments</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2605483">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608695">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610921">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609361">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609385">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609416">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610380">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610407">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611312">Library References</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2605243"></a>Acknowledgments</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
-</h3></div></div></div>
-<p>
-            Although the "official" beginning of the Domain Name
-            System occurred in 1984 with the publication of RFC 920, the
-            core of the new system was described in 1983 in RFCs 882 and
-            883. From 1984 to 1987, the ARPAnet (the precursor to today's
-            Internet) became a testbed of experimentation for developing the
-            new naming/addressing scheme in a rapidly expanding,
-            operational network environment.  New RFCs were written and
-            published in 1987 that modified the original documents to
-            incorporate improvements based on the working model. RFC 1034,
-            "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
-            Names-Implementation and Specification" were published and
-            became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
-            built.
-          </p>
-<p>
-            The first working domain name server, called "Jeeves", was
-            written in 1983-84 by Paul Mockapetris for operation on DEC
-            Tops-20
-            machines located at the University of Southern California's
-            Information
-            Sciences Institute (USC-ISI) and SRI International's Network
-            Information
-            Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for
-            Unix machines, the Berkeley Internet
-            Name Domain (<acronym class="acronym">BIND</acronym>) package, was
-            written soon after by a group of
-            graduate students at the University of California at Berkeley
-            under
-            a grant from the US Defense Advanced Research Projects
-            Administration
-            (DARPA).
-          </p>
-<p>
-            Versions of <acronym class="acronym">BIND</acronym> through
-            4.8.3 were maintained by the Computer
-            Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-            Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
-            project team. After that, additional work on the software package
-            was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
-            Corporation
-            employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
-            to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
-            during that time: Doug Kingston, Craig Partridge, Smoot
-            Carl-Mitchell,
-            Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
-            handled by Mike Karels and Øivind Kure.
-          </p>
-<p>
-            <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
-            released by Digital Equipment
-            Corporation (now Compaq Computer Corporation). Paul Vixie, then
-            a DEC employee, became <acronym class="acronym">BIND</acronym>'s
-            primary caretaker. He was assisted
-            by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
-            Beecher, Andrew
-            Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-            Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-            Wolfhugel, and others.
-          </p>
-<p>
-            In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
-            Vixie Enterprises. Paul
-            Vixie became <acronym class="acronym">BIND</acronym>'s principal
-            architect/programmer.
-          </p>
-<p>
-            <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
-            have been developed and maintained
-            by the Internet Systems Consortium and its predecessor,
-            the Internet Software Consortium,  with support being provided
-            by ISC's sponsors.
-          </p>
-<p>
-            As co-architects/programmers, Bob Halley and
-            Paul Vixie released the first production-ready version of
-            <acronym class="acronym">BIND</acronym> version 8 in May 1997.
-          </p>
-<p>
-            BIND version 9 was released in September 2000 and is a
-            major rewrite of nearly all aspects of the underlying
-            BIND architecture.
-          </p>
-<p>
-            BIND versions 4 and 8 are officially deprecated.
-            No additional development is done
-            on BIND version 4 or BIND version 8.
-          </p>
-<p>
-            <acronym class="acronym">BIND</acronym> development work is made
-            possible today by the sponsorship
-            of several corporations, and by the tireless work efforts of
-            numerous individuals.
-          </p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2605483"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
-<p>
-            IPv6 addresses are 128-bit identifiers for interfaces and
-            sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
-            scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
-            an identifier for a single interface;
-            <span class="emphasis"><em>Anycast</em></span>,
-            an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
-            an identifier for a set of interfaces. Here we describe the global
-            Unicast address scheme. For more information, see RFC 3587,
-            "Global Unicast Address Format."
-          </p>
-<p>
-            IPv6 unicast addresses consist of a
-            <span class="emphasis"><em>global routing prefix</em></span>, a
-            <span class="emphasis"><em>subnet identifier</em></span>, and an
-            <span class="emphasis"><em>interface identifier</em></span>.
-          </p>
-<p>
-            The global routing prefix is provided by the
-            upstream provider or ISP, and (roughly) corresponds to the
-            IPv4 <span class="emphasis"><em>network</em></span> section
-            of the address range.
-
-            The subnet identifier is for local subnetting, much the
-            same as subnetting an
-            IPv4 /16 network into /24 subnets.
-
-            The interface identifier is the address of an individual
-            interface on a given network; in IPv6, addresses belong to
-            interfaces rather than to machines.
-          </p>
-<p>
-            The subnetting capability of IPv6 is much more flexible than
-            that of IPv4: subnetting can be carried out on bit boundaries,
-            in much the same way as Classless InterDomain Routing
-            (CIDR), and the DNS PTR representation ("nibble" format)
-            makes setting up reverse zones easier.
-          </p>
-<p>
-            The Interface Identifier must be unique on the local link,
-            and is usually generated automatically by the IPv6
-            implementation, although it is usually possible to
-            override the default setting if necessary.  A typical IPv6
-            address might look like:
-            <span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span>
-          </p>
-<p>
-            IPv6 address specifications often contain long strings
-            of zeros, so the architects have included a shorthand for
-            specifying
-            them. The double colon (`::') indicates the longest possible
-            string
-            of zeros that can fit, and can be used only once in an address.
-          </p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
-<p>
-            Specification documents for the Internet protocol suite, including
-            the <acronym class="acronym">DNS</acronym>, are published as part of
-            the Request for Comments (RFCs)
-            series of technical notes. The standards themselves are defined
-            by the Internet Engineering Task Force (IETF) and the Internet
-            Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
-          </p>
-<p>
-            <a href="ftp://www.isi.edu/in-notes/" target="_top">
-              ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxxx</code></em>.txt
-            </a>
-          </p>
-<p>
-            (where <em class="replaceable"><code>xxxx</code></em> is
-            the number of the RFC). RFCs are also available via the Web at:
-          </p>
-<p>
-            <a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
-          </p>
-<div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2605739"></a>Bibliography</h4></div></div></div>
-<div class="bibliodiv">
-<h3 class="title">Standards</h3>
-<div class="biblioentry">
-<a name="id2605750"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2605773"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2605797"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
-                  Specification</i>. </span><span class="pubdate">November 1987. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<a name="proposed_standards"></a>Proposed Standards</h3>
-<div class="biblioentry">
-<a name="id2605833"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
-                  Specification</i>. </span><span class="pubdate">July 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2605860"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
-                  Queries</i>. </span><span class="pubdate">March 1998. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2605885"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2605910"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2605933"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2605989"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606016"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606042"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606104"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606134"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606164"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606190"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
-                       Key Transaction Authentication for DNS
-                       (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
-<div class="biblioentry">
-<a name="id2606273"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606299"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606336"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606401"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606466"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
-                       Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
-                Implementation</h3>
-<div class="biblioentry">
-<a name="id2606539"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
-                  Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606565"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
-                  Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606633"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606668"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
-                Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Resource Record Types</h3>
-<div class="biblioentry">
-<a name="id2606714"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606772"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606809"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
-                  the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606844"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
-                  Domain
-                  Name System</i>. </span><span class="pubdate">January 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606899"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
-                  Location of
-                  Services.</i>. </span><span class="pubdate">October 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606937"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
-                  Distribute MIXER
-                  Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606963"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2606988"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607015"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607042"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607081"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607111"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607141"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607184"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607217"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607312"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607335"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
-                  version 6</i>. </span><span class="pubdate">October 2003. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607393"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<acronym class="acronym">DNS</acronym> and the Internet</h3>
-<div class="biblioentry">
-<a name="id2607425"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
-                  and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607450"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
-                  Support</i>. </span><span class="pubdate">October 1989. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607473"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607496"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607542"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607565"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<acronym class="acronym">DNS</acronym> Operations</h3>
-<div class="biblioentry">
-<a name="id2607623"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607646"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
-                  Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607673"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
-                  Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607700"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607736"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
-                  Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Internationalized Domain Names</h3>
-<div class="biblioentry">
-<a name="id2607782"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
-                       and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607814"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607860"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607895"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
-                       for Internationalized Domain Names in
-                       Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Other <acronym class="acronym">DNS</acronym>-related RFCs</h3>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                  Note: the following list of RFCs, although
-                  <acronym class="acronym">DNS</acronym>-related, are not
-                  concerned with implementing software.
-                </p>
-</div>
-<div class="biblioentry">
-<a name="id2607940"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
-                  Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607962"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2607988"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
-                  Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608013"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608037"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608083"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608106"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608133"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
-                       Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608158"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
-<div class="biblioentry">
-<a name="id2608202"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
-                  Location</i>. </span><span class="pubdate">November 1994. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608260"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608286"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
-                       and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
-</div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Obsoleted DNS Security RFCs</h3>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-                  Most of these have been consolidated into RFC4033,
-                  RFC4034 and RFC4035 which collectively describe DNSSECbis.
-                </p>
-</div>
-<div class="biblioentry">
-<a name="id2608334"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608374"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608401"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608430"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
-                       Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608456"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608483"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608519"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608555"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608582"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608609"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
-                      (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
-</div>
-<div class="biblioentry">
-<a name="id2608653"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
-</div>
-</div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
-<p>
-            Internet Drafts (IDs) are rough-draft working documents of
-            the Internet Engineering Task Force. They are, in essence, RFCs
-            in the preliminary stages of development. Implementors are
-            cautioned not
-            to regard IDs as archival, and they should not be quoted or cited
-            in any formal documents unless accompanied by the disclaimer that
-            they are "works in progress." IDs have a lifespan of six months
-            after which they are deleted unless updated by their authors.
-          </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2608695"></a>Other Documents About <acronym class="acronym">BIND</acronym>
-</h3></div></div></div>
-<p></p>
-<div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2608705"></a>Bibliography</h4></div></div></div>
-<div class="biblioentry">
-<a name="id2608707"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
-</div>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
-<p>This version of BIND 9 "exports" its internal libraries so
-  that they can be used by third-party applications more easily (we
-  call them "export" libraries in this document). In addition to
-  all major DNS-related APIs BIND 9 is currently using, the export
-  libraries provide the following features:</p>
-<div class="itemizedlist"><ul type="disc">
-<li><p>The newly created "DNS client" module. This is a higher
-      level API that provides an interface to name resolution,
-      single DNS transaction with a particular server, and dynamic
-      update. Regarding name resolution, it supports advanced
-      features such as DNSSEC validation and caching. This module
-      supports both synchronous and asynchronous mode.</p></li>
-<li><p>The new "IRS" (Information Retrieval System) library.
-      It provides an interface to parse the traditional resolv.conf
-      file and more advanced, DNS-specific configuration file for
-      the rest of this package (see the description for the
-      dns.conf file below).</p></li>
-<li><p>As part of the IRS library, newly implemented standard
-      address-name mapping functions, getaddrinfo() and
-      getnameinfo(), are provided. They use the DNSSEC-aware
-      validating resolver backend, and could use other advanced
-      features of the BIND 9 libraries such as caching. The
-      getaddrinfo() function resolves both A and AAAA RRs
-      concurrently (when the address family is unspecified).</p></li>
-<li><p>An experimental framework to support other event
-      libraries than BIND 9's internal event task system.</p></li>
-</ul></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610921"></a>Prerequisite</h3></div></div></div>
-<p>GNU make is required to build the export libraries (other
-  part of BIND 9 can still be built with other types of make). In
-  the reminder of this document, "make" means GNU make. Note that
-  in some platforms you may need to invoke a different command name
-  than "make" (e.g. "gmake") to indicate it's GNU make.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2609361"></a>Compilation</h3></div></div></div>
-<pre class="screen">
-$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
-$ <strong class="userinput"><code>make</code></strong>
-</pre>
-<p>
-  This will create (in addition to usual BIND 9 programs) and a
-  separate set of libraries under the lib/export directory. For
-  example, <code class="filename">lib/export/dns/libdns.a</code> is the archive file of the
-  export version of the BIND 9 DNS library. Sample application
-  programs using the libraries will also be built under the
-  lib/export/samples directory (see below).</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2609385"></a>Installation</h3></div></div></div>
-<pre class="screen">
-$ <strong class="userinput"><code>cd lib/export</code></strong>
-$ <strong class="userinput"><code>make install</code></strong>
-</pre>
-<p>
-  This will install library object files under the directory
-  specified by the --with-export-libdir configure option (default:
-  EPREFIX/lib/bind9), and header files under the directory
-  specified by the --with-export-includedir configure option
-  (default: PREFIX/include/bind9).
-  Root privilege is normally required.
-  "<span><strong class="command">make install</strong></span>" at the top directory will do the
-  same.
-  </p>
-<p>
-  To see how to build your own
-  application after the installation, see
-  <code class="filename">lib/export/samples/Makefile-postinstall.in</code>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2609416"></a>Known Defects/Restrictions</h3></div></div></div>
-<div class="itemizedlist"><ul type="disc">
-<li><p>Currently, win32 is not supported for the export
-      library. (Normal BIND 9 application can be built as
-      before).</p></li>
-<li>
-<p>The "fixed" RRset order is not (currently) supported in
-      the export library. If you want to use "fixed" RRset order
-      for, e.g. <span><strong class="command">named</strong></span> while still building the
-      export library even without the fixed order support, build
-      them separately:
-      </p>
-<pre class="screen">
-$ <strong class="userinput"><code>./configure --enable-fixed-rrset <em class="replaceable"><code>[other flags, but not --enable-exportlib]</code></em></code></strong>
-$ <strong class="userinput"><code>make</code></strong>
-$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags, but not --enable-fixed-rrset]</code></em></code></strong>
-$ <strong class="userinput"><code>cd lib/export</code></strong>
-$ <strong class="userinput"><code>make</code></strong>
-</pre>
-<p>
-    </p>
-</li>
-<li><p>The client module and the IRS library currently do not
-      support DNSSEC validation using DLV (the underlying modules
-      can handle it, but there is no tunable interface to enable
-      the feature).</p></li>
-<li><p>RFC 5011 is not supported in the validating stub
-      resolver of the export library. In fact, it is not clear
-      whether it should: trust anchors would be a system-wide
-      configuration which would be managed by an administrator,
-      while the stub resolver will be used by ordinary applications
-      run by a normal user.</p></li>
-<li><p>Not all common <code class="filename">/etc/resolv.conf</code>
-      options are supported
-      in the IRS library. The only available options in this
-      version are "debug" and "ndots".</p></li>
-</ul></div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610380"></a>The dns.conf File</h3></div></div></div>
-<p>The IRS library supports an "advanced" configuration file
-  related to the DNS library for configuration parameters that
-  would be beyond the capability of the
-  <code class="filename">resolv.conf</code> file.
-  Specifically, it is intended to provide DNSSEC related
-  configuration parameters. By default the path to this
-  configuration file is <code class="filename">/etc/dns.conf</code>.
-  This module is very
-  experimental and the configuration syntax or library interfaces
-  may change in future versions. Currently, only the
-  <span><strong class="command">trusted-keys</strong></span>
-  statement is supported, whose syntax is the same as the same name
-  of statement for <code class="filename">named.conf</code>. (See
-  <a href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span><strong class="command">trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2610407"></a>Sample Applications</h3></div></div></div>
-<p>Some sample application programs using this API are
-  provided for reference. The following is a brief description of
-  these applications.
-  </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610416"></a>sample: a simple stub resolver utility</h4></div></div></div>
-<p>
-  It sends a query of a given name (of a given optional RR type) to a
-  specified recursive server, and prints the result as a list of
-  RRs. It can also act as a validating stub resolver if a trust
-  anchor is given via a set of command line options.</p>
-<p>
-  Usage: sample [options] server_address hostname
-  </p>
-<p>
-  Options and Arguments:
-  </p>
-<div class="variablelist"><dl>
-<dt><span class="term">
-  -t RRtype
-  </span></dt>
-<dd><p>
-        specify the RR type of the query.  The default is the A RR.
-  </p></dd>
-<dt><span class="term">
-  [-a algorithm] [-e] -k keyname -K keystring
-  </span></dt>
-<dd>
-<p>
-        specify a command-line DNS key to validate the answer.  For
-        example, to specify the following DNSKEY of example.com:
-</p>
-<div class="literallayout"><p><br>
-                example.com. 3600 IN DNSKEY 257 3 5 xxx<br>
-</p></div>
-<p>
-        specify the options as follows:
-</p>
-<pre class="screen">
-<strong class="userinput"><code>
-          -e -k example.com -K "xxx"
-</code></strong>
-</pre>
-<p>
-        -e means that this key is a zone's "key signing key" (as known
-        as "secure Entry point").
-        When -a is omitted rsasha1 will be used by default.
-  </p>
-</dd>
-<dt><span class="term">
-  -s domain:alt_server_address
-  </span></dt>
-<dd><p>
-         specify a separate recursive server address for the specific
-        "domain".  Example: -s example.com:2001:db8::1234
-  </p></dd>
-<dt><span class="term">server_address</span></dt>
-<dd><p>
-        an IP(v4/v6) address of the recursive server to which queries
-        are sent.
-  </p></dd>
-<dt><span class="term">hostname</span></dt>
-<dd><p>
-        the domain name for the query
-  </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610506"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
-<p>
-  Similar to "sample", but accepts a list
-  of (query) domain names as a separate file and resolves the names
-  asynchronously.</p>
-<p>
-    Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
-<p>
- Options and Arguments:
-  </p>
-<div class="variablelist"><dl>
-<dt><span class="term">
-   -s server_address
-   </span></dt>
-<dd>
-   an IPv4 address of the recursive server to which queries are sent.
-  (IPv6 addresses are not supported in this implementation)
-  </dd>
-<dt><span class="term">
-   -t RR_type
-  </span></dt>
-<dd>
-  specify the RR type of the queries. The default is the A
-  RR.
-  </dd>
-<dt><span class="term">
-   input_file
-  </span></dt>
-<dd>
-   a list of domain names to be resolved. each line
-  consists of a single domain name. Example:
-  <div class="literallayout"><p><br>
-  www.example.com<br>
-  mx.examle.net<br>
-  ns.xxx.example<br>
-</p></div>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610560"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
-<p>
-  It sends a query to a specified server, and
-  prints the response with minimal processing. It doesn't act as a
-  "stub resolver": it stops the processing once it gets any
-  response from the server, whether it's a referral or an alias
-  (CNAME or DNAME) that would require further queries to get the
-  ultimate answer. In other words, this utility acts as a very
-  simplified <span><strong class="command">dig</strong></span>.
-  </p>
-<p>
-  Usage: sample-request [-t RRtype] server_address hostname
-  </p>
-<p>
-    Options and Arguments:
-  </p>
-<div class="variablelist"><dl>
-<dt><span class="term">
-   -t RRtype
-  </span></dt>
-<dd><p>
-  specify the RR type of
-  the queries. The default is the A RR.
-  </p></dd>
-<dt><span class="term">
-  server_address
-  </span></dt>
-<dd><p>
-   an IP(v4/v6)
-  address of the recursive server to which the query is sent.
-  </p></dd>
-<dt><span class="term">
-  hostname
-  </span></dt>
-<dd><p>
-  the domain name for the query
-  </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610624"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
-<p>
-  This is a test program
-  to check getaddrinfo() and getnameinfo() behavior. It takes a
-  host name as an argument, calls getaddrinfo() with the given host
-  name, and calls getnameinfo() with the resulting IP addresses
-  returned by getaddrinfo(). If the dns.conf file exists and
-  defines a trust anchor, the underlying resolver will act as a
-  validating resolver, and getaddrinfo()/getnameinfo() will fail
-  with an EAI_INSECUREDATA error when DNSSEC validation fails.
-  </p>
-<p>
-  Usage: sample-gai hostname
-  </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2610638"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
-<p>
-  It accepts a single update command as a
-  command-line argument, sends an update request message to the
-  authoritative server, and shows the response from the server. In
-  other words, this is a simplified <span><strong class="command">nsupdate</strong></span>.
-  </p>
-<p>
-   Usage: sample-update [options] (add|delete) "update data"
-  </p>
-<p>
-  Options and Arguments:
-  </p>
-<div class="variablelist"><dl>
-<dt><span class="term">
-  -a auth_server
-   </span></dt>
-<dd><p>
-        An IP address of the authoritative server that has authority
-        for the zone containing the update name.  This should normally
-        be the primary authoritative server that accepts dynamic
-        updates.  It can also be a secondary server that is configured
-        to forward update requests to the primary server.
-   </p></dd>
-<dt><span class="term">
-  -k keyfile
-   </span></dt>
-<dd><p>
-        A TSIG key file to secure the update transaction.  The keyfile
-        format is the same as that for the nsupdate utility.
-   </p></dd>
-<dt><span class="term">
-  -p prerequisite
-   </span></dt>
-<dd><p>
-        A prerequisite for the update (only one prerequisite can be
-        specified).  The prerequisite format is the same as that is
-        accepted by the nsupdate utility.
-   </p></dd>
-<dt><span class="term">
-  -r recursive_server
-   </span></dt>
-<dd><p>
-        An IP address of a recursive server that this utility will
-        use.  A recursive server may be necessary to identify the
-        authoritative server address to which the update request is
-        sent.
-   </p></dd>
-<dt><span class="term">
-  -z zonename
-   </span></dt>
-<dd><p>
-        The domain name of the zone that contains
-   </p></dd>
-<dt><span class="term">
-  (add|delete)
-   </span></dt>
-<dd><p>
-        Specify the type of update operation.  Either "add" or "delete"
-        must be specified.
-   </p></dd>
-<dt><span class="term">
-  "update data"
-   </span></dt>
-<dd><p>
-        Specify the data to be updated.  A typical example of the data
-        would look like "name TTL RRtype RDATA".
-  </p></dd>
-</dl></div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>In practice, either -a or -r must be specified.  Others can
-   be optional; the underlying library routine tries to identify the
-   appropriate server and the zone name for the update.</div>
-<p>
-   Examples: assuming the primary authoritative server of the
-   dynamic.example.com zone has an IPv6 address 2001:db8::1234,
-   </p>
-<pre class="screen">
-$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
-<p>
-     adds an A RR for foo.dynamic.example.com using the given key.
-   </p>
-<pre class="screen">
-$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
-<p>
-     removes all A RRs for foo.dynamic.example.com using the given key.
-   </p>
-<pre class="screen">   
-$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
-<p>
-     removes all RRs for foo.dynamic.example.com using the given key.
-   </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2611248"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
-<p>
-  It checks a set
-  of domains to see the name servers of the domains behave
-  correctly in terms of RFC 4074. This is included in the set of
-  sample programs to show how the export library can be used in a
-  DNS-related application.
-  </p>
-<p>
- Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
-  </p>
-<p>
-   Options
-  </p>
-<div class="variablelist"><dl>
-<dt><span class="term">
-  -d
-  </span></dt>
-<dd><p>
-        run in the "debug" mode.  with this option nsprobe will dump
-        every RRs it receives.
-  </p></dd>
-<dt><span class="term">
-  -v
-  </span></dt>
-<dd><p>
-        increase verbosity of other normal log messages.  This can be
-        specified multiple times
-  </p></dd>
-<dt><span class="term">
-  -c cache_address
-  </span></dt>
-<dd><p>
-        specify an IP address of a recursive (caching) name server.
-        nsprobe uses this server to get the NS RRset of each domain and
-        the A and/or AAAA RRsets for the name servers.  The default
-        value is 127.0.0.1.
-  </p></dd>
-<dt><span class="term">
-  input_file
-  </span></dt>
-<dd><p>
-        a file name containing a list of domain (zone) names to be
-        probed.  when omitted the standard input will be used.  Each
-        line of the input file specifies a single domain name such as
-        "example.com".  In general this domain name must be the apex
-        name of some DNS zone (unlike normal "host names" such as
-        "www.example.com").  nsprobe first identifies the NS RRsets for
-        the given domain name, and sends A and AAAA queries to these
-        servers for some "widely used" names under the zone;
-        specifically, adding "www" and "ftp" to the zone name.
-  </p></dd>
-</dl></div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2611312"></a>Library References</h3></div></div></div>
-<p>As of this writing, there is no formal "manual" of the
-  libraries, except this document, header files (some of them
-  provide pretty detailed explanations), and sample application
-  programs.</p>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 8. Troubleshooting </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Manual pages</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch10.html b/contrib/bind9/doc/arm/Bv9ARM.ch10.html
deleted file mode 100644
index d25c0dd..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch10.html
+++ /dev/null
@@ -1,144 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Manual pages</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch09.html" title="Appendix A. Appendices">
-<link rel="next" href="man.dig.html" title="dig">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Manual pages</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch09.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="reference" lang="en">
-<div class="titlepage">
-<div><div><h1 class="title">
-<a name="Bv9ARM.ch10"></a>Manual pages</h1></div></div>
-<hr>
-</div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt>
-<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> &#8212; A DNSSEC delegation consistency checking tool.</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-coverage.html"><span class="application">dnssec-coverage</span></a></span><span class="refpurpose"> &#8212; checks future DNSKEY coverage for a zone</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> &#8212; Set the REVOKED bit on a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> &#8212; Set the key timing metadata for a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
-</dt>
-</dl>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch09.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Appendix A. Appendices </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> dig</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.html b/contrib/bind9/doc/arm/Bv9ARM.html
deleted file mode 100644
index 039aa9a..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.html
+++ /dev/null
@@ -1,352 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>BIND 9 Administrator Reference Manual</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">BIND 9 Administrator Reference Manual</th></tr>
-<tr>
-<td width="20%" align="left"> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="book" lang="en">
-<div class="titlepage">
-<div>
-<div><h1 class="title">
-<a name="id2563175"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="copyright">Copyright © 2004-2013 Internet Systems Consortium, Inc. ("ISC")</p></div>
-<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
-</div>
-<hr>
-</div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564378">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564402">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564541">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564723">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564744">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564846">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567184">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567260">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567433">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567563">Name Servers in Multiple Roles</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567597">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567624">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567637">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567732">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567742">Supported Operating Systems</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567774">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567995">An Authoritative-only Name Server</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568018">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568372">Name Server Operations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568377">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570600">Signals</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571175">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571193">Example split DNS setup</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571763">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571836">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571847">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571883">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571941">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564003">Errors</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564017">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572326">SIG(0)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572394">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572541">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572622">Configuring Servers</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563413">Converting from insecure to secure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563450">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563555">Fully automatic zone signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563726">Private-type records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563832">DNSKEY rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563845">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563878">Automatic key rollovers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563905">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563914">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563924">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563937">Converting from secure to insecure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572029">Periodic re-signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572039">NSEC3 and OPTOUT</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572072">Validating Resolver</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609027">Authoritative Server</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2611929">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610179">Building BIND 9 with PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612283">PKCS #11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612382">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636884">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636930">Running named with automatic zone re-signing</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572842">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573109">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2573130">Address to Name Lookups Using Nibble Format</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2573163">The Lightweight Resolver Library</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574711">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575371"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575561"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575921"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575938"><span><strong class="command">include</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575961"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575985"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576075"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576269"><span><strong class="command">logging</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578364"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578438"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578502"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578546"><span><strong class="command">masters</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578567"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
-          Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
-            Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590613"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
-            Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590920"><span><strong class="command">trusted-keys</strong></span> Statement Definition
-            and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590967"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
-            and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591409"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-            Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593189"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2596875">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599037">Discussion of MX Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599585">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599848">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600189"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2604722"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604871">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604999">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605147">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2605153">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605164">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605181">Where Can I Get Help?</a></span></dt>
-</dl></dd>
-<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2605243">Acknowledgments</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2605483">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608695">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610921">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609361">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609385">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609416">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610380">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2610407">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2611312">Library References</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
-<dd><dl>
-<dt>
-<span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> &#8212; A DNSSEC delegation consistency checking tool.</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-coverage.html"><span class="application">dnssec-coverage</span></a></span><span class="refpurpose"> &#8212; checks future DNSKEY coverage for a zone</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> &#8212; Set the REVOKED bit on a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> &#8212; Set the key timing metadata for a DNSSEC key</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
-</dt>
-<dt>
-<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
-</dt>
-</dl></dd>
-</dl>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left"> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top"> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right" valign="top"> Chapter 1. Introduction</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.pdf b/contrib/bind9/doc/arm/Bv9ARM.pdf
deleted file mode 100644
index b38b393..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.pdf
+++ /dev/null
@@ -1,19705 +0,0 @@
-%PDF-1.4
-5 0 obj
-<< /S /GoTo /D (chapter.1) >>
-endobj
-8 0 obj
-(1 Introduction)
-endobj
-9 0 obj
-<< /S /GoTo /D (section.1.1) >>
-endobj
-12 0 obj
-(1.1 Scope of Document)
-endobj
-13 0 obj
-<< /S /GoTo /D (section.1.2) >>
-endobj
-16 0 obj
-(1.2 Organization of This Document)
-endobj
-17 0 obj
-<< /S /GoTo /D (section.1.3) >>
-endobj
-20 0 obj
-(1.3 Conventions Used in This Document)
-endobj
-21 0 obj
-<< /S /GoTo /D (section.1.4) >>
-endobj
-24 0 obj
-(1.4 The Domain Name System \(DNS\))
-endobj
-25 0 obj
-<< /S /GoTo /D (subsection.1.4.1) >>
-endobj
-28 0 obj
-(1.4.1 DNS Fundamentals)
-endobj
-29 0 obj
-<< /S /GoTo /D (subsection.1.4.2) >>
-endobj
-32 0 obj
-(1.4.2 Domains and Domain Names)
-endobj
-33 0 obj
-<< /S /GoTo /D (subsection.1.4.3) >>
-endobj
-36 0 obj
-(1.4.3 Zones)
-endobj
-37 0 obj
-<< /S /GoTo /D (subsection.1.4.4) >>
-endobj
-40 0 obj
-(1.4.4 Authoritative Name Servers)
-endobj
-41 0 obj
-<< /S /GoTo /D (subsubsection.1.4.4.1) >>
-endobj
-44 0 obj
-(1.4.4.1 The Primary Master)
-endobj
-45 0 obj
-<< /S /GoTo /D (subsubsection.1.4.4.2) >>
-endobj
-48 0 obj
-(1.4.4.2 Slave Servers)
-endobj
-49 0 obj
-<< /S /GoTo /D (subsubsection.1.4.4.3) >>
-endobj
-52 0 obj
-(1.4.4.3 Stealth Servers)
-endobj
-53 0 obj
-<< /S /GoTo /D (subsection.1.4.5) >>
-endobj
-56 0 obj
-(1.4.5 Caching Name Servers)
-endobj
-57 0 obj
-<< /S /GoTo /D (subsubsection.1.4.5.1) >>
-endobj
-60 0 obj
-(1.4.5.1 Forwarding)
-endobj
-61 0 obj
-<< /S /GoTo /D (subsection.1.4.6) >>
-endobj
-64 0 obj
-(1.4.6 Name Servers in Multiple Roles)
-endobj
-65 0 obj
-<< /S /GoTo /D (chapter.2) >>
-endobj
-68 0 obj
-(2 BIND Resource Requirements)
-endobj
-69 0 obj
-<< /S /GoTo /D (section.2.1) >>
-endobj
-72 0 obj
-(2.1 Hardware requirements)
-endobj
-73 0 obj
-<< /S /GoTo /D (section.2.2) >>
-endobj
-76 0 obj
-(2.2 CPU Requirements)
-endobj
-77 0 obj
-<< /S /GoTo /D (section.2.3) >>
-endobj
-80 0 obj
-(2.3 Memory Requirements)
-endobj
-81 0 obj
-<< /S /GoTo /D (section.2.4) >>
-endobj
-84 0 obj
-(2.4 Name Server Intensive Environment Issues)
-endobj
-85 0 obj
-<< /S /GoTo /D (section.2.5) >>
-endobj
-88 0 obj
-(2.5 Supported Operating Systems)
-endobj
-89 0 obj
-<< /S /GoTo /D (chapter.3) >>
-endobj
-92 0 obj
-(3 Name Server Configuration)
-endobj
-93 0 obj
-<< /S /GoTo /D (section.3.1) >>
-endobj
-96 0 obj
-(3.1 Sample Configurations)
-endobj
-97 0 obj
-<< /S /GoTo /D (subsection.3.1.1) >>
-endobj
-100 0 obj
-(3.1.1 A Caching-only Name Server)
-endobj
-101 0 obj
-<< /S /GoTo /D (subsection.3.1.2) >>
-endobj
-104 0 obj
-(3.1.2 An Authoritative-only Name Server)
-endobj
-105 0 obj
-<< /S /GoTo /D (section.3.2) >>
-endobj
-108 0 obj
-(3.2 Load Balancing)
-endobj
-109 0 obj
-<< /S /GoTo /D (section.3.3) >>
-endobj
-112 0 obj
-(3.3 Name Server Operations)
-endobj
-113 0 obj
-<< /S /GoTo /D (subsection.3.3.1) >>
-endobj
-116 0 obj
-(3.3.1 Tools for Use With the Name Server Daemon)
-endobj
-117 0 obj
-<< /S /GoTo /D (subsubsection.3.3.1.1) >>
-endobj
-120 0 obj
-(3.3.1.1 Diagnostic Tools)
-endobj
-121 0 obj
-<< /S /GoTo /D (subsubsection.3.3.1.2) >>
-endobj
-124 0 obj
-(3.3.1.2 Administrative Tools)
-endobj
-125 0 obj
-<< /S /GoTo /D (subsection.3.3.2) >>
-endobj
-128 0 obj
-(3.3.2 Signals)
-endobj
-129 0 obj
-<< /S /GoTo /D (chapter.4) >>
-endobj
-132 0 obj
-(4 Advanced DNS Features)
-endobj
-133 0 obj
-<< /S /GoTo /D (section.4.1) >>
-endobj
-136 0 obj
-(4.1 Notify)
-endobj
-137 0 obj
-<< /S /GoTo /D (section.4.2) >>
-endobj
-140 0 obj
-(4.2 Dynamic Update)
-endobj
-141 0 obj
-<< /S /GoTo /D (subsection.4.2.1) >>
-endobj
-144 0 obj
-(4.2.1 The journal file)
-endobj
-145 0 obj
-<< /S /GoTo /D (section.4.3) >>
-endobj
-148 0 obj
-(4.3 Incremental Zone Transfers \(IXFR\))
-endobj
-149 0 obj
-<< /S /GoTo /D (section.4.4) >>
-endobj
-152 0 obj
-(4.4 Split DNS)
-endobj
-153 0 obj
-<< /S /GoTo /D (subsection.4.4.1) >>
-endobj
-156 0 obj
-(4.4.1 Example split DNS setup)
-endobj
-157 0 obj
-<< /S /GoTo /D (section.4.5) >>
-endobj
-160 0 obj
-(4.5 TSIG)
-endobj
-161 0 obj
-<< /S /GoTo /D (subsection.4.5.1) >>
-endobj
-164 0 obj
-(4.5.1 Generate Shared Keys for Each Pair of Hosts)
-endobj
-165 0 obj
-<< /S /GoTo /D (subsubsection.4.5.1.1) >>
-endobj
-168 0 obj
-(4.5.1.1 Automatic Generation)
-endobj
-169 0 obj
-<< /S /GoTo /D (subsubsection.4.5.1.2) >>
-endobj
-172 0 obj
-(4.5.1.2 Manual Generation)
-endobj
-173 0 obj
-<< /S /GoTo /D (subsection.4.5.2) >>
-endobj
-176 0 obj
-(4.5.2 Copying the Shared Secret to Both Machines)
-endobj
-177 0 obj
-<< /S /GoTo /D (subsection.4.5.3) >>
-endobj
-180 0 obj
-(4.5.3 Informing the Servers of the Key's Existence)
-endobj
-181 0 obj
-<< /S /GoTo /D (subsection.4.5.4) >>
-endobj
-184 0 obj
-(4.5.4 Instructing the Server to Use the Key)
-endobj
-185 0 obj
-<< /S /GoTo /D (subsection.4.5.5) >>
-endobj
-188 0 obj
-(4.5.5 TSIG Key Based Access Control)
-endobj
-189 0 obj
-<< /S /GoTo /D (subsection.4.5.6) >>
-endobj
-192 0 obj
-(4.5.6 Errors)
-endobj
-193 0 obj
-<< /S /GoTo /D (section.4.6) >>
-endobj
-196 0 obj
-(4.6 TKEY)
-endobj
-197 0 obj
-<< /S /GoTo /D (section.4.7) >>
-endobj
-200 0 obj
-(4.7 SIG\(0\))
-endobj
-201 0 obj
-<< /S /GoTo /D (section.4.8) >>
-endobj
-204 0 obj
-(4.8 DNSSEC)
-endobj
-205 0 obj
-<< /S /GoTo /D (subsection.4.8.1) >>
-endobj
-208 0 obj
-(4.8.1 Generating Keys)
-endobj
-209 0 obj
-<< /S /GoTo /D (subsection.4.8.2) >>
-endobj
-212 0 obj
-(4.8.2 Signing the Zone)
-endobj
-213 0 obj
-<< /S /GoTo /D (subsection.4.8.3) >>
-endobj
-216 0 obj
-(4.8.3 Configuring Servers)
-endobj
-217 0 obj
-<< /S /GoTo /D (section.4.9) >>
-endobj
-220 0 obj
-(4.9 DNSSEC, Dynamic Zones, and Automatic Signing)
-endobj
-221 0 obj
-<< /S /GoTo /D (subsection.4.9.1) >>
-endobj
-224 0 obj
-(4.9.1 Converting from insecure to secure)
-endobj
-225 0 obj
-<< /S /GoTo /D (subsection.4.9.2) >>
-endobj
-228 0 obj
-(4.9.2 Dynamic DNS update method)
-endobj
-229 0 obj
-<< /S /GoTo /D (subsection.4.9.3) >>
-endobj
-232 0 obj
-(4.9.3 Fully automatic zone signing)
-endobj
-233 0 obj
-<< /S /GoTo /D (subsection.4.9.4) >>
-endobj
-236 0 obj
-(4.9.4 Private-type records)
-endobj
-237 0 obj
-<< /S /GoTo /D (subsection.4.9.5) >>
-endobj
-240 0 obj
-(4.9.5 DNSKEY rollovers)
-endobj
-241 0 obj
-<< /S /GoTo /D (subsection.4.9.6) >>
-endobj
-244 0 obj
-(4.9.6 Dynamic DNS update method)
-endobj
-245 0 obj
-<< /S /GoTo /D (subsection.4.9.7) >>
-endobj
-248 0 obj
-(4.9.7 Automatic key rollovers)
-endobj
-249 0 obj
-<< /S /GoTo /D (subsection.4.9.8) >>
-endobj
-252 0 obj
-(4.9.8 NSEC3PARAM rollovers via UPDATE)
-endobj
-253 0 obj
-<< /S /GoTo /D (subsection.4.9.9) >>
-endobj
-256 0 obj
-(4.9.9 Converting from NSEC to NSEC3)
-endobj
-257 0 obj
-<< /S /GoTo /D (subsection.4.9.10) >>
-endobj
-260 0 obj
-(4.9.10 Converting from NSEC3 to NSEC)
-endobj
-261 0 obj
-<< /S /GoTo /D (subsection.4.9.11) >>
-endobj
-264 0 obj
-(4.9.11 Converting from secure to insecure)
-endobj
-265 0 obj
-<< /S /GoTo /D (subsection.4.9.12) >>
-endobj
-268 0 obj
-(4.9.12 Periodic re-signing)
-endobj
-269 0 obj
-<< /S /GoTo /D (subsection.4.9.13) >>
-endobj
-272 0 obj
-(4.9.13 NSEC3 and OPTOUT)
-endobj
-273 0 obj
-<< /S /GoTo /D (section.4.10) >>
-endobj
-276 0 obj
-(4.10 Dynamic Trust Anchor Management)
-endobj
-277 0 obj
-<< /S /GoTo /D (subsection.4.10.1) >>
-endobj
-280 0 obj
-(4.10.1 Validating Resolver)
-endobj
-281 0 obj
-<< /S /GoTo /D (subsection.4.10.2) >>
-endobj
-284 0 obj
-(4.10.2 Authoritative Server)
-endobj
-285 0 obj
-<< /S /GoTo /D (section.4.11) >>
-endobj
-288 0 obj
-(4.11 PKCS \04311 \(Cryptoki\) support)
-endobj
-289 0 obj
-<< /S /GoTo /D (subsection.4.11.1) >>
-endobj
-292 0 obj
-(4.11.1 Prerequisites)
-endobj
-293 0 obj
-<< /S /GoTo /D (subsubsection.4.11.1.1) >>
-endobj
-296 0 obj
-(4.11.1.1 Building OpenSSL for the AEP Keyper on Linux)
-endobj
-297 0 obj
-<< /S /GoTo /D (subsubsection.4.11.1.2) >>
-endobj
-300 0 obj
-(4.11.1.2 Building OpenSSL for the SCA 6000 on Solaris)
-endobj
-301 0 obj
-<< /S /GoTo /D (subsubsection.4.11.1.3) >>
-endobj
-304 0 obj
-(4.11.1.3 Building OpenSSL for SoftHSM)
-endobj
-305 0 obj
-<< /S /GoTo /D (subsection.4.11.2) >>
-endobj
-308 0 obj
-(4.11.2 Building BIND 9 with PKCS\04311)
-endobj
-309 0 obj
-<< /S /GoTo /D (subsubsection.4.11.2.1) >>
-endobj
-312 0 obj
-(4.11.2.1 Configuring BIND 9 for Linux with the AEP Keyper)
-endobj
-313 0 obj
-<< /S /GoTo /D (subsubsection.4.11.2.2) >>
-endobj
-316 0 obj
-(4.11.2.2 Configuring BIND 9 for Solaris with the SCA 6000)
-endobj
-317 0 obj
-<< /S /GoTo /D (subsubsection.4.11.2.3) >>
-endobj
-320 0 obj
-(4.11.2.3 Configuring BIND 9 for SoftHSM)
-endobj
-321 0 obj
-<< /S /GoTo /D (subsection.4.11.3) >>
-endobj
-324 0 obj
-(4.11.3 PKCS \04311 Tools)
-endobj
-325 0 obj
-<< /S /GoTo /D (subsection.4.11.4) >>
-endobj
-328 0 obj
-(4.11.4 Using the HSM)
-endobj
-329 0 obj
-<< /S /GoTo /D (subsection.4.11.5) >>
-endobj
-332 0 obj
-(4.11.5 Specifying the engine on the command line)
-endobj
-333 0 obj
-<< /S /GoTo /D (subsection.4.11.6) >>
-endobj
-336 0 obj
-(4.11.6 Running named with automatic zone re-signing)
-endobj
-337 0 obj
-<< /S /GoTo /D (section.4.12) >>
-endobj
-340 0 obj
-(4.12 IPv6 Support in BIND 9)
-endobj
-341 0 obj
-<< /S /GoTo /D (subsection.4.12.1) >>
-endobj
-344 0 obj
-(4.12.1 Address Lookups Using AAAA Records)
-endobj
-345 0 obj
-<< /S /GoTo /D (subsection.4.12.2) >>
-endobj
-348 0 obj
-(4.12.2 Address to Name Lookups Using Nibble Format)
-endobj
-349 0 obj
-<< /S /GoTo /D (chapter.5) >>
-endobj
-352 0 obj
-(5 The BIND 9 Lightweight Resolver)
-endobj
-353 0 obj
-<< /S /GoTo /D (section.5.1) >>
-endobj
-356 0 obj
-(5.1 The Lightweight Resolver Library)
-endobj
-357 0 obj
-<< /S /GoTo /D (section.5.2) >>
-endobj
-360 0 obj
-(5.2 Running a Resolver Daemon)
-endobj
-361 0 obj
-<< /S /GoTo /D (chapter.6) >>
-endobj
-364 0 obj
-(6 BIND 9 Configuration Reference)
-endobj
-365 0 obj
-<< /S /GoTo /D (section.6.1) >>
-endobj
-368 0 obj
-(6.1 Configuration File Elements)
-endobj
-369 0 obj
-<< /S /GoTo /D (subsection.6.1.1) >>
-endobj
-372 0 obj
-(6.1.1 Address Match Lists)
-endobj
-373 0 obj
-<< /S /GoTo /D (subsubsection.6.1.1.1) >>
-endobj
-376 0 obj
-(6.1.1.1 Syntax)
-endobj
-377 0 obj
-<< /S /GoTo /D (subsubsection.6.1.1.2) >>
-endobj
-380 0 obj
-(6.1.1.2 Definition and Usage)
-endobj
-381 0 obj
-<< /S /GoTo /D (subsection.6.1.2) >>
-endobj
-384 0 obj
-(6.1.2 Comment Syntax)
-endobj
-385 0 obj
-<< /S /GoTo /D (subsubsection.6.1.2.1) >>
-endobj
-388 0 obj
-(6.1.2.1 Syntax)
-endobj
-389 0 obj
-<< /S /GoTo /D (subsubsection.6.1.2.2) >>
-endobj
-392 0 obj
-(6.1.2.2 Definition and Usage)
-endobj
-393 0 obj
-<< /S /GoTo /D (section.6.2) >>
-endobj
-396 0 obj
-(6.2 Configuration File Grammar)
-endobj
-397 0 obj
-<< /S /GoTo /D (subsection.6.2.1) >>
-endobj
-400 0 obj
-(6.2.1 acl Statement Grammar)
-endobj
-401 0 obj
-<< /S /GoTo /D (subsection.6.2.2) >>
-endobj
-404 0 obj
-(6.2.2 acl Statement Definition and Usage)
-endobj
-405 0 obj
-<< /S /GoTo /D (subsection.6.2.3) >>
-endobj
-408 0 obj
-(6.2.3 controls Statement Grammar)
-endobj
-409 0 obj
-<< /S /GoTo /D (subsection.6.2.4) >>
-endobj
-412 0 obj
-(6.2.4 controls Statement Definition and Usage)
-endobj
-413 0 obj
-<< /S /GoTo /D (subsection.6.2.5) >>
-endobj
-416 0 obj
-(6.2.5 include Statement Grammar)
-endobj
-417 0 obj
-<< /S /GoTo /D (subsection.6.2.6) >>
-endobj
-420 0 obj
-(6.2.6 include Statement Definition and Usage)
-endobj
-421 0 obj
-<< /S /GoTo /D (subsection.6.2.7) >>
-endobj
-424 0 obj
-(6.2.7 key Statement Grammar)
-endobj
-425 0 obj
-<< /S /GoTo /D (subsection.6.2.8) >>
-endobj
-428 0 obj
-(6.2.8 key Statement Definition and Usage)
-endobj
-429 0 obj
-<< /S /GoTo /D (subsection.6.2.9) >>
-endobj
-432 0 obj
-(6.2.9 logging Statement Grammar)
-endobj
-433 0 obj
-<< /S /GoTo /D (subsection.6.2.10) >>
-endobj
-436 0 obj
-(6.2.10 logging Statement Definition and Usage)
-endobj
-437 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.1) >>
-endobj
-440 0 obj
-(6.2.10.1 The channel Phrase)
-endobj
-441 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.2) >>
-endobj
-444 0 obj
-(6.2.10.2 The category Phrase)
-endobj
-445 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.3) >>
-endobj
-448 0 obj
-(6.2.10.3 The query-errors Category)
-endobj
-449 0 obj
-<< /S /GoTo /D (subsection.6.2.11) >>
-endobj
-452 0 obj
-(6.2.11 lwres Statement Grammar)
-endobj
-453 0 obj
-<< /S /GoTo /D (subsection.6.2.12) >>
-endobj
-456 0 obj
-(6.2.12 lwres Statement Definition and Usage)
-endobj
-457 0 obj
-<< /S /GoTo /D (subsection.6.2.13) >>
-endobj
-460 0 obj
-(6.2.13 masters Statement Grammar)
-endobj
-461 0 obj
-<< /S /GoTo /D (subsection.6.2.14) >>
-endobj
-464 0 obj
-(6.2.14 masters Statement Definition and Usage)
-endobj
-465 0 obj
-<< /S /GoTo /D (subsection.6.2.15) >>
-endobj
-468 0 obj
-(6.2.15 options Statement Grammar)
-endobj
-469 0 obj
-<< /S /GoTo /D (subsection.6.2.16) >>
-endobj
-472 0 obj
-(6.2.16 options Statement Definition and Usage)
-endobj
-473 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.1) >>
-endobj
-476 0 obj
-(6.2.16.1 Boolean Options)
-endobj
-477 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.2) >>
-endobj
-480 0 obj
-(6.2.16.2 Forwarding)
-endobj
-481 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.3) >>
-endobj
-484 0 obj
-(6.2.16.3 Dual-stack Servers)
-endobj
-485 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.4) >>
-endobj
-488 0 obj
-(6.2.16.4 Access Control)
-endobj
-489 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.5) >>
-endobj
-492 0 obj
-(6.2.16.5 Interfaces)
-endobj
-493 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.6) >>
-endobj
-496 0 obj
-(6.2.16.6 Query Address)
-endobj
-497 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.7) >>
-endobj
-500 0 obj
-(6.2.16.7 Zone Transfers)
-endobj
-501 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.8) >>
-endobj
-504 0 obj
-(6.2.16.8 UDP Port Lists)
-endobj
-505 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.9) >>
-endobj
-508 0 obj
-(6.2.16.9 Operating System Resource Limits)
-endobj
-509 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.10) >>
-endobj
-512 0 obj
-(6.2.16.10 Server Resource Limits)
-endobj
-513 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.11) >>
-endobj
-516 0 obj
-(6.2.16.11 Periodic Task Intervals)
-endobj
-517 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.12) >>
-endobj
-520 0 obj
-(6.2.16.12 Topology)
-endobj
-521 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.13) >>
-endobj
-524 0 obj
-(6.2.16.13 The sortlist Statement)
-endobj
-525 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.14) >>
-endobj
-528 0 obj
-(6.2.16.14 RRset Ordering)
-endobj
-529 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.15) >>
-endobj
-532 0 obj
-(6.2.16.15 Tuning)
-endobj
-533 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.16) >>
-endobj
-536 0 obj
-(6.2.16.16 Built-in server information zones)
-endobj
-537 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.17) >>
-endobj
-540 0 obj
-(6.2.16.17 Built-in Empty Zones)
-endobj
-541 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.18) >>
-endobj
-544 0 obj
-(6.2.16.18 Additional Section Caching)
-endobj
-545 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.19) >>
-endobj
-548 0 obj
-(6.2.16.19 Content Filtering)
-endobj
-549 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.20) >>
-endobj
-552 0 obj
-(6.2.16.20 Response Policy Zone \(RPZ\) Rewriting)
-endobj
-553 0 obj
-<< /S /GoTo /D (subsection.6.2.17) >>
-endobj
-556 0 obj
-(6.2.17 server Statement Grammar)
-endobj
-557 0 obj
-<< /S /GoTo /D (subsection.6.2.18) >>
-endobj
-560 0 obj
-(6.2.18 server Statement Definition and Usage)
-endobj
-561 0 obj
-<< /S /GoTo /D (subsection.6.2.19) >>
-endobj
-564 0 obj
-(6.2.19 statistics-channels Statement Grammar)
-endobj
-565 0 obj
-<< /S /GoTo /D (subsection.6.2.20) >>
-endobj
-568 0 obj
-(6.2.20 statistics-channels Statement Definition and Usage)
-endobj
-569 0 obj
-<< /S /GoTo /D (subsection.6.2.21) >>
-endobj
-572 0 obj
-(6.2.21 trusted-keys Statement Grammar)
-endobj
-573 0 obj
-<< /S /GoTo /D (subsection.6.2.22) >>
-endobj
-576 0 obj
-(6.2.22 trusted-keys Statement Definition and Usage)
-endobj
-577 0 obj
-<< /S /GoTo /D (subsection.6.2.23) >>
-endobj
-580 0 obj
-(6.2.23 managed-keys Statement Grammar)
-endobj
-581 0 obj
-<< /S /GoTo /D (subsection.6.2.24) >>
-endobj
-584 0 obj
-(6.2.24 managed-keys Statement Definition and Usage)
-endobj
-585 0 obj
-<< /S /GoTo /D (subsection.6.2.25) >>
-endobj
-588 0 obj
-(6.2.25 view Statement Grammar)
-endobj
-589 0 obj
-<< /S /GoTo /D (subsection.6.2.26) >>
-endobj
-592 0 obj
-(6.2.26 view Statement Definition and Usage)
-endobj
-593 0 obj
-<< /S /GoTo /D (subsection.6.2.27) >>
-endobj
-596 0 obj
-(6.2.27 zone Statement Grammar)
-endobj
-597 0 obj
-<< /S /GoTo /D (subsection.6.2.28) >>
-endobj
-600 0 obj
-(6.2.28 zone Statement Definition and Usage)
-endobj
-601 0 obj
-<< /S /GoTo /D (subsubsection.6.2.28.1) >>
-endobj
-604 0 obj
-(6.2.28.1 Zone Types)
-endobj
-605 0 obj
-<< /S /GoTo /D (subsubsection.6.2.28.2) >>
-endobj
-608 0 obj
-(6.2.28.2 Class)
-endobj
-609 0 obj
-<< /S /GoTo /D (subsubsection.6.2.28.3) >>
-endobj
-612 0 obj
-(6.2.28.3 Zone Options)
-endobj
-613 0 obj
-<< /S /GoTo /D (subsubsection.6.2.28.4) >>
-endobj
-616 0 obj
-(6.2.28.4 Dynamic Update Policies)
-endobj
-617 0 obj
-<< /S /GoTo /D (section.6.3) >>
-endobj
-620 0 obj
-(6.3 Zone File)
-endobj
-621 0 obj
-<< /S /GoTo /D (subsection.6.3.1) >>
-endobj
-624 0 obj
-(6.3.1 Types of Resource Records and When to Use Them)
-endobj
-625 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.1) >>
-endobj
-628 0 obj
-(6.3.1.1 Resource Records)
-endobj
-629 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.2) >>
-endobj
-632 0 obj
-(6.3.1.2 Textual expression of RRs)
-endobj
-633 0 obj
-<< /S /GoTo /D (subsection.6.3.2) >>
-endobj
-636 0 obj
-(6.3.2 Discussion of MX Records)
-endobj
-637 0 obj
-<< /S /GoTo /D (subsection.6.3.3) >>
-endobj
-640 0 obj
-(6.3.3 Setting TTLs)
-endobj
-641 0 obj
-<< /S /GoTo /D (subsection.6.3.4) >>
-endobj
-644 0 obj
-(6.3.4 Inverse Mapping in IPv4)
-endobj
-645 0 obj
-<< /S /GoTo /D (subsection.6.3.5) >>
-endobj
-648 0 obj
-(6.3.5 Other Zone File Directives)
-endobj
-649 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.1) >>
-endobj
-652 0 obj
-(6.3.5.1 The @ \(at-sign\))
-endobj
-653 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.2) >>
-endobj
-656 0 obj
-(6.3.5.2 The \044ORIGIN Directive)
-endobj
-657 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.3) >>
-endobj
-660 0 obj
-(6.3.5.3 The \044INCLUDE Directive)
-endobj
-661 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.4) >>
-endobj
-664 0 obj
-(6.3.5.4 The \044TTL Directive)
-endobj
-665 0 obj
-<< /S /GoTo /D (subsection.6.3.6) >>
-endobj
-668 0 obj
-(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
-endobj
-669 0 obj
-<< /S /GoTo /D (subsection.6.3.7) >>
-endobj
-672 0 obj
-(6.3.7 Additional File Formats)
-endobj
-673 0 obj
-<< /S /GoTo /D (section.6.4) >>
-endobj
-676 0 obj
-(6.4 BIND9 Statistics)
-endobj
-677 0 obj
-<< /S /GoTo /D (subsubsection.6.4.0.1) >>
-endobj
-680 0 obj
-(6.4.0.1 The Statistics File)
-endobj
-681 0 obj
-<< /S /GoTo /D (subsection.6.4.1) >>
-endobj
-684 0 obj
-(6.4.1 Statistics Counters)
-endobj
-685 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.1) >>
-endobj
-688 0 obj
-(6.4.1.1 Name Server Statistics Counters)
-endobj
-689 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.2) >>
-endobj
-692 0 obj
-(6.4.1.2 Zone Maintenance Statistics Counters)
-endobj
-693 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.3) >>
-endobj
-696 0 obj
-(6.4.1.3 Resolver Statistics Counters)
-endobj
-697 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.4) >>
-endobj
-700 0 obj
-(6.4.1.4 Socket I/O Statistics Counters)
-endobj
-701 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.5) >>
-endobj
-704 0 obj
-(6.4.1.5 Compatibility with BIND 8 Counters)
-endobj
-705 0 obj
-<< /S /GoTo /D (chapter.7) >>
-endobj
-708 0 obj
-(7 BIND 9 Security Considerations)
-endobj
-709 0 obj
-<< /S /GoTo /D (section.7.1) >>
-endobj
-712 0 obj
-(7.1 Access Control Lists)
-endobj
-713 0 obj
-<< /S /GoTo /D (section.7.2) >>
-endobj
-716 0 obj
-(7.2 Chroot and Setuid)
-endobj
-717 0 obj
-<< /S /GoTo /D (subsection.7.2.1) >>
-endobj
-720 0 obj
-(7.2.1 The chroot Environment)
-endobj
-721 0 obj
-<< /S /GoTo /D (subsection.7.2.2) >>
-endobj
-724 0 obj
-(7.2.2 Using the setuid Function)
-endobj
-725 0 obj
-<< /S /GoTo /D (section.7.3) >>
-endobj
-728 0 obj
-(7.3 Dynamic Update Security)
-endobj
-729 0 obj
-<< /S /GoTo /D (chapter.8) >>
-endobj
-732 0 obj
-(8 Troubleshooting)
-endobj
-733 0 obj
-<< /S /GoTo /D (section.8.1) >>
-endobj
-736 0 obj
-(8.1 Common Problems)
-endobj
-737 0 obj
-<< /S /GoTo /D (subsection.8.1.1) >>
-endobj
-740 0 obj
-(8.1.1 It's not working; how can I figure out what's wrong?)
-endobj
-741 0 obj
-<< /S /GoTo /D (section.8.2) >>
-endobj
-744 0 obj
-(8.2 Incrementing and Changing the Serial Number)
-endobj
-745 0 obj
-<< /S /GoTo /D (section.8.3) >>
-endobj
-748 0 obj
-(8.3 Where Can I Get Help?)
-endobj
-749 0 obj
-<< /S /GoTo /D (appendix.A) >>
-endobj
-752 0 obj
-(A Appendices)
-endobj
-753 0 obj
-<< /S /GoTo /D (section.A.1) >>
-endobj
-756 0 obj
-(A.1 Acknowledgments)
-endobj
-757 0 obj
-<< /S /GoTo /D (subsection.A.1.1) >>
-endobj
-760 0 obj
-(A.1.1 A Brief History of the DNS and BIND)
-endobj
-761 0 obj
-<< /S /GoTo /D (section.A.2) >>
-endobj
-764 0 obj
-(A.2 General DNS Reference Information)
-endobj
-765 0 obj
-<< /S /GoTo /D (subsection.A.2.1) >>
-endobj
-768 0 obj
-(A.2.1 IPv6 addresses \(AAAA\))
-endobj
-769 0 obj
-<< /S /GoTo /D (section.A.3) >>
-endobj
-772 0 obj
-(A.3 Bibliography \(and Suggested Reading\))
-endobj
-773 0 obj
-<< /S /GoTo /D (subsection.A.3.1) >>
-endobj
-776 0 obj
-(A.3.1 Request for Comments \(RFCs\))
-endobj
-777 0 obj
-<< /S /GoTo /D (subsection.A.3.2) >>
-endobj
-780 0 obj
-(A.3.2 Internet Drafts)
-endobj
-781 0 obj
-<< /S /GoTo /D (subsection.A.3.3) >>
-endobj
-784 0 obj
-(A.3.3 Other Documents About BIND)
-endobj
-785 0 obj
-<< /S /GoTo /D (section.A.4) >>
-endobj
-788 0 obj
-(A.4 BIND 9 DNS Library Support)
-endobj
-789 0 obj
-<< /S /GoTo /D (subsection.A.4.1) >>
-endobj
-792 0 obj
-(A.4.1 Prerequisite)
-endobj
-793 0 obj
-<< /S /GoTo /D (subsection.A.4.2) >>
-endobj
-796 0 obj
-(A.4.2 Compilation)
-endobj
-797 0 obj
-<< /S /GoTo /D (subsection.A.4.3) >>
-endobj
-800 0 obj
-(A.4.3 Installation)
-endobj
-801 0 obj
-<< /S /GoTo /D (subsection.A.4.4) >>
-endobj
-804 0 obj
-(A.4.4 Known Defects/Restrictions)
-endobj
-805 0 obj
-<< /S /GoTo /D (subsection.A.4.5) >>
-endobj
-808 0 obj
-(A.4.5 The dns.conf File)
-endobj
-809 0 obj
-<< /S /GoTo /D (subsection.A.4.6) >>
-endobj
-812 0 obj
-(A.4.6 Sample Applications)
-endobj
-813 0 obj
-<< /S /GoTo /D (subsubsection.A.4.6.1) >>
-endobj
-816 0 obj
-(A.4.6.1 sample: a simple stub resolver utility)
-endobj
-817 0 obj
-<< /S /GoTo /D (subsubsection.A.4.6.2) >>
-endobj
-820 0 obj
-(A.4.6.2 sample-async: a simple stub resolver, working asynchronously)
-endobj
-821 0 obj
-<< /S /GoTo /D (subsubsection.A.4.6.3) >>
-endobj
-824 0 obj
-(A.4.6.3 sample-request: a simple DNS transaction client)
-endobj
-825 0 obj
-<< /S /GoTo /D (subsubsection.A.4.6.4) >>
-endobj
-828 0 obj
-(A.4.6.4 sample-gai: getaddrinfo\(\) and getnameinfo\(\) test code)
-endobj
-829 0 obj
-<< /S /GoTo /D (subsubsection.A.4.6.5) >>
-endobj
-832 0 obj
-(A.4.6.5 sample-update: a simple dynamic update client program)
-endobj
-833 0 obj
-<< /S /GoTo /D (subsubsection.A.4.6.6) >>
-endobj
-836 0 obj
-(A.4.6.6 nsprobe: domain/name server checker in terms of RFC 4074)
-endobj
-837 0 obj
-<< /S /GoTo /D (subsection.A.4.7) >>
-endobj
-840 0 obj
-(A.4.7 Library References)
-endobj
-841 0 obj
-<< /S /GoTo /D (appendix.B) >>
-endobj
-844 0 obj
-(B Manual pages)
-endobj
-845 0 obj
-<< /S /GoTo /D (section.B.1) >>
-endobj
-848 0 obj
-(B.1 dig)
-endobj
-849 0 obj
-<< /S /GoTo /D (section.B.2) >>
-endobj
-852 0 obj
-(B.2 host)
-endobj
-853 0 obj
-<< /S /GoTo /D (section.B.3) >>
-endobj
-856 0 obj
-(B.3 dnssec-checkds)
-endobj
-857 0 obj
-<< /S /GoTo /D (section.B.4) >>
-endobj
-860 0 obj
-(B.4 dnssec-coverage)
-endobj
-861 0 obj
-<< /S /GoTo /D (section.B.5) >>
-endobj
-864 0 obj
-(B.5 dnssec-dsfromkey)
-endobj
-865 0 obj
-<< /S /GoTo /D (section.B.6) >>
-endobj
-868 0 obj
-(B.6 dnssec-keyfromlabel)
-endobj
-869 0 obj
-<< /S /GoTo /D (section.B.7) >>
-endobj
-872 0 obj
-(B.7 dnssec-keygen)
-endobj
-873 0 obj
-<< /S /GoTo /D (section.B.8) >>
-endobj
-876 0 obj
-(B.8 dnssec-revoke)
-endobj
-877 0 obj
-<< /S /GoTo /D (section.B.9) >>
-endobj
-880 0 obj
-(B.9 dnssec-settime)
-endobj
-881 0 obj
-<< /S /GoTo /D (section.B.10) >>
-endobj
-884 0 obj
-(B.10 dnssec-signzone)
-endobj
-885 0 obj
-<< /S /GoTo /D (section.B.11) >>
-endobj
-888 0 obj
-(B.11 dnssec-verify)
-endobj
-889 0 obj
-<< /S /GoTo /D (section.B.12) >>
-endobj
-892 0 obj
-(B.12 named-checkconf)
-endobj
-893 0 obj
-<< /S /GoTo /D (section.B.13) >>
-endobj
-896 0 obj
-(B.13 named-checkzone)
-endobj
-897 0 obj
-<< /S /GoTo /D (section.B.14) >>
-endobj
-900 0 obj
-(B.14 named)
-endobj
-901 0 obj
-<< /S /GoTo /D (section.B.15) >>
-endobj
-904 0 obj
-(B.15 named-journalprint)
-endobj
-905 0 obj
-<< /S /GoTo /D (section.B.16) >>
-endobj
-908 0 obj
-(B.16 nsupdate)
-endobj
-909 0 obj
-<< /S /GoTo /D (section.B.17) >>
-endobj
-912 0 obj
-(B.17 rndc)
-endobj
-913 0 obj
-<< /S /GoTo /D (section.B.18) >>
-endobj
-916 0 obj
-(B.18 rndc.conf)
-endobj
-917 0 obj
-<< /S /GoTo /D (section.B.19) >>
-endobj
-920 0 obj
-(B.19 rndc-confgen)
-endobj
-921 0 obj
-<< /S /GoTo /D (section.B.20) >>
-endobj
-924 0 obj
-(B.20 ddns-confgen)
-endobj
-925 0 obj
-<< /S /GoTo /D (section.B.21) >>
-endobj
-928 0 obj
-(B.21 arpaname)
-endobj
-929 0 obj
-<< /S /GoTo /D (section.B.22) >>
-endobj
-932 0 obj
-(B.22 genrandom)
-endobj
-933 0 obj
-<< /S /GoTo /D (section.B.23) >>
-endobj
-936 0 obj
-(B.23 isc-hmac-fixup)
-endobj
-937 0 obj
-<< /S /GoTo /D (section.B.24) >>
-endobj
-940 0 obj
-(B.24 nsec3hash)
-endobj
-941 0 obj
-<< /S /GoTo /D [942 0 R  /FitH ] >>
-endobj
-945 0 obj <<
-/Length 240       
-/Filter /FlateDecode
->>
-stream
-xÚ•�OKAÅïó)rl›N2Éü9ZªRA¡27ñ°´[)¸[ºÖïïlWË‚^$�0ïý˜y[Š *Z—BTK
-ÛÖXx+Þ½¡oFÔ¡Šsåð‡[	LÁ+T\@1M±_8±Eo=C¥BÈÌ~À—Ù,CyÄŠƒÂ•Ë»—Ùrý´š——ì,�ãf׺Ãǹ¯ÏÇ~”ž›}Ó7ݶ™¿æ a$/¾äKc¼\óXwŸõûà›Û|
§â1'p®äðqH'`Ôð3‹zšüßÚ±y±n	VG³1°™ž07l(%tî[þM^Xúendstream
-endobj
-942 0 obj <<
-/Type /Page
-/Contents 945 0 R
-/Resources 944 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 951 0 R
->> endobj
-943 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (./isc-logo.pdf)
-/PTEX.PageNumber 1
-/PTEX.InfoDict 952 0 R 
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 612.00000000 792.00000000]
-/PieceInfo <<
-/Illustrator 953 0 R
->>
-/Resources <<
-/ColorSpace <<
-/CS0 954 0 R
->>/Properties <<
-/MC0 955 0 R
->>/ExtGState <<
-/GS0 956 0 R
->>>>
-/Length 843
-/Filter /FlateDecode
->>
-stream
-H‰tUIŽ$7¼ç+ô�b‹‹¶«Û†OcàƒP°}©`ÜÿÁLU7Ð6
-ÈT¤$.Aëå·×òòåµ–Ÿ~~-Ç�£–±¬tµrãâŸ?�?Ê÷ãåõ÷Zîo¥ŠÏgçsF)owlÿŠí¿ßŽEKÅO‹õ!ÝZq¼[oQîßî|;ÂÅ`¸–ÇáK¦GQ—¹ð²²$h¿ûñ×ñõƒ=¯KZôUà_*Oƒ·!ˬè�‰Ï7ŸÒ*WYL¢›D‡m‰æ°zá[“˜Šnâ>?|°%6K�ø
-›Øiê?ÃÒš)0*¾ßƒ2!}j´rS…[21Z“ÞGA¨u£r•~îωãÞeT䲎‡¦1'ï�ÇIŒ‚HGGŠ`´kfò¸—wa±FÚFBA[c)L‡4SzZŠÓ¼ÄÓSF¬äDZÊІ9ù¸> H�º¡
-J‚xi†þOá@½-M†xôÉ‚î³_¨OC8³Ä:JXl 0$‡(•vàª~FC¬žm†¢Ëj£4QzÐŒT³«´$Ù‚±³
-F
‘åRe�BC[¬ÐWçz%A
2×¹NôØVš‘æ
-BqÕ•l9uš
-Ì‹<{a˜ïºõ4ÖØ(®)tAtR÷´[bvL·>³o [Õ³ü˜“ÓÓ
–
²\AYŸ`IõÌõ„ˆ‰sz£“$Œ‰ý�Á˜˜IO
-!=§ ¨Œø†vGc	£I#/'~<1‚ÀÔRPy±´ýl1½Ͷw1	чd

}¡þa
-Ë9b	�:žÎÞF"‹>64”~0IGD˜ËØ°$ÙtMâ¯%Z½Gð¾¥Úñ§a�ÑÌ‘I¼ý—/øýzü+À
-endobj
-952 0 obj
-<<
-/CreationDate (D:20100303120319-08'00')
-/Creator (Adobe Illustrator CS3)
-/Producer (Adobe PDF library 8.00)
-/ModDate (D:20100412113401-07'00')
-/Title (ISC_logo_only_RGB)
->>
-endobj
-953 0 obj
-<<
-/Private 957 0 R
-/LastModified (D:20100412113400-07'00')
->>
-endobj
-954 0 obj
-[/ICCBased 958 0 R]
-endobj
-955 0 obj
-<<
-/Intent 959 0 R
-/Usage 960 0 R
-/Name (Layer 1)
-/Type /OCG
->>
-endobj
-956 0 obj
-<<
-/OPM 1
-/BM /Normal
-/CA 1
-/OP false
-/SMask /None
-/ca 1
-/AIS false
-/op false
-/Type /ExtGState
-/SA true
->>
-endobj
-957 0 obj
-<<
-/RoundtripVersion 13
-/ContainerVersion 11
-/CreatorVersion 13
-/AIMetaData 961 0 R
-/AIPrivateData1 962 0 R
-/AIPrivateData2 963 0 R
-/AIPrivateData3 964 0 R
-/AIPrivateData4 965 0 R
-/AIPrivateData5 966 0 R
-/NumBlock 5
-/RoundtripStreamType 1
->>
-endobj
-958 0 obj
-<<
-/Length 281
-/Filter /FlateDecode
-/N 3
->>
-stream
-H‰b``2ptqre``ÈÍ+)
-rwRˆˆŒR`?ÏÀÆÀÌ
-ò‹KRS€j!îAˆBPˆi
-endobj
-959 0 obj
-[/View/Design]
-endobj
-960 0 obj
-<<
-/CreatorInfo <<
-/Subtype /Artwork
-/Creator (Adobe Illustrator 13.0)
->>
->>
-endobj
-961 0 obj
-<<
-/Length 981
->>
-stream
-%!PS-Adobe-3.0 
%%Creator: Adobe Illustrator(R) 13.0
%%AI8_CreatorVersion: 13.0.2
%%For: (Brian Reid) ()
%%Title: (ISC_logo_only_RGB.ai)
%%CreationDate: 4/12/10 11:34 AM
%%BoundingBox: 247 367 366 413
%%HiResBoundingBox: 247.0869 367.5654 365.0859 412.583
%%DocumentProcessColors: Cyan Magenta Yellow Black
%AI5_FileFormat 9.0
%AI12_BuildNumber: 434
%AI3_ColorUsage: Color
%AI7_ImageSettings: 0
%%RGBProcessColor: 0 0.658824 0.8 (ISC logo blue)
%%+ 0.372549 0.376471 0.384314 (PANTONE 425 U)
%%+ 0 0 0 ([Registration])
%AI3_TemplateBox: 306.5 395.5 306.5 395.5
%AI3_TileBox: 18 33.1201 594 786.96
%AI3_DocumentPreview: None
%AI5_ArtSize: 612 792
%AI5_RulerUnits: 3
%AI9_ColorModel: 1
%AI5_ArtFlags: 0 0 0 1 0 0 0 0 0
%AI5_TargetResolution: 800
%AI5_NumLayers: 1
%AI9_OpenToView: -381 793 0.92 1268 743 26 0 0 117 75 0 0 1 1 1 0 1
%AI5_OpenViewLayers: 7
%%PageOrigin:0 0
%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9
%AI9_Flatten: 1
%AI12_CMSettings: 00.MS
%%EndComments
endstream
-endobj
-962 0 obj
-<<
-/Length 11082
->>
-stream
-%%BoundingBox: 247 367 366 413
%%HiResBoundingBox: 247.0869 367.5654 365.0859 412.583
%AI7_Thumbnail: 128 52 8
%%BeginData: 10932 Hex Bytes
%0000330000660000990000CC0033000033330033660033990033CC0033FF
%0066000066330066660066990066CC0066FF009900009933009966009999
%0099CC0099FF00CC0000CC3300CC6600CC9900CCCC00CCFF00FF3300FF66
%00FF9900FFCC3300003300333300663300993300CC3300FF333300333333
%3333663333993333CC3333FF3366003366333366663366993366CC3366FF
%3399003399333399663399993399CC3399FF33CC0033CC3333CC6633CC99
%33CCCC33CCFF33FF0033FF3333FF6633FF9933FFCC33FFFF660000660033
%6600666600996600CC6600FF6633006633336633666633996633CC6633FF
%6666006666336666666666996666CC6666FF669900669933669966669999
%6699CC6699FF66CC0066CC3366CC6666CC9966CCCC66CCFF66FF0066FF33
%66FF6666FF9966FFCC66FFFF9900009900339900669900999900CC9900FF
%9933009933339933669933999933CC9933FF996600996633996666996699
%9966CC9966FF9999009999339999669999999999CC9999FF99CC0099CC33
%99CC6699CC9999CCCC99CCFF99FF0099FF3399FF6699FF9999FFCC99FFFF
%CC0000CC0033CC0066CC0099CC00CCCC00FFCC3300CC3333CC3366CC3399
%CC33CCCC33FFCC6600CC6633CC6666CC6699CC66CCCC66FFCC9900CC9933
%CC9966CC9999CC99CCCC99FFCCCC00CCCC33CCCC66CCCC99CCCCCCCCCCFF
%CCFF00CCFF33CCFF66CCFF99CCFFCCCCFFFFFF0033FF0066FF0099FF00CC
%FF3300FF3333FF3366FF3399FF33CCFF33FFFF6600FF6633FF6666FF6699
%FF66CCFF66FFFF9900FF9933FF9966FF9999FF99CCFF99FFFFCC00FFCC33
%FFCC66FFCC99FFCCCCFFCCFFFFFF33FFFF66FFFF99FFFFCC110000001100
%000011111111220000002200000022222222440000004400000044444444
%550000005500000055555555770000007700000077777777880000008800
%000088888888AA000000AA000000AAAAAAAABB000000BB000000BBBBBBBB
%DD000000DD000000DDDDDDDDEE000000EE000000EEEEEEEE0000000000FF
%00FF0000FFFFFF0000FF00FFFFFF00FFFFFF
%524C45FD1F52285252A8FD04FFFD05A8FFFFFFA87DFD4F52285252522852
%525228525252285252522852525228525252285252522852277DA8FFFFA8
%7D7D525227FD04527DA8FFFFA85252275252522852525228525252285252
%522852525228525252285252522852525228525252285252522852525228
%52525228525252285252522852525228525252285252522852525228FD21
%52A8FFFF7D7D525227FD0752275252A8FFFF7DFD215227FD2A522E522752
%2E5227522E5227522E5227522E5227522E5227522E5227527DFFFFA85252
%27522E5227522E5227522E5227522752A8FF7D5227522E5227522E522752
%2E5227522E5227522E5227522E5227522E522752277D7D7D275227522E52
%27522E5227522E5227522E5227522E5227522E5227522E5227522E522752
%2E5227FD1A52277DA8FFA87D2EFD11522E527DFFA853FD1D52A8FFFFFF7D
%28FD285228525252285252522852525228525252285252522852277DFFFF
%7D522752525228525252285252522852525228525252275252FFA8522752
%285252522852525228525252285252522852525228525252277DFFA852A8
%FF5227525252285252522852525228525252285252522852525228525252
%285252522852525228FD1852277DFFFFFD1B52FFA8FD1A527DFFA8275252
%FF7DFD265227522E5227522E5227522E5227522E5227522E522752277DFF
%FF525227522E5227522E5227522E5227522E5227522E5227522E52275252
%FFA852275227522E5227522E5227522E5227522E5227522E522752A8A827
%522E527DA9275227522E5227522E5227522E5227522E5227522E52275227
%5227522E5227522E5227522EFD17527DFFA8FD1E527DFFA8FD17527DFFFD
%0452287DFFFD155228FD075228FD08522852525228525252285252522852
%5252285252522852527D2752525228525252285252522852525228525252
%2852525228525252285252527DFF7D522852525228525252285252522852
%525228FD0452FF7D5228FD0452FF52522852525228525252285252522752
%2752527DA1A8A8FFCACFA8CAA17D5252275228FD3C52A8FFFD145228A8FF
%53FD0652FFA82EFD0C527D7DCAFD04FFAFAF85AF85AFAFFFFFFFA87DFD05
%522E5227522E5227522E5227522E5227522E5227522E5227522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522752A8
%FF275227522E5227522E5227522E5227522E522752FFA827522E5227522E
%FF7D522E5227522E522752275252A8FFFFAFAF603CFD041413FD04143C60
%AFFFFF535227FD3A52277DFFA827FD11527DFFFD0852A8FFFD0952A8CFFF
%FFAF3C3D1414141A141A141A141A141A14141461AFFFA8FD045228525252
%285252522852525228525252285252522852525228525252285252522852
%5252285252522852525228525252285252522852525227A8FF5227525252
%2852525228525252285252522EFFA85227525252285228A87D5252522852
%27527DFFFFAF603CFD07141A1414141A1414141AFD041460FFA8FD3D52FF
%A8FD10527DFF7DFD0F527DFFFFA9611414141A141A141A141A141A141A14
%1A141A141A141A14143CFFA827522E5227522E5227522E5227522E522752
%2E5227522E5227522E5227522E5227522E5227522E5227522E5227522E52
%27522E5227522E5227522E527DFF525227522E5227522E5227522E522752
%A8FF27522E5227522E5227522852275252A8FFFF3C1413FD191436FFFD3C
%5259FFA828FD0E52FF7DFD0D527DFFFF8B1414141A141A141A141A141A14
%1A141A141A141A141A141A141A141A141460285252522852525228525252
%285252522852525228525252275227522752275227525252285252522852
%52522852525228525252285252522852525227A8FF7D2752525228525252
%2852525227A8FF52275252522852525228522752A8FFA93CFD05141A1414
%141A1414141A1414141A1414141A1414141A1414141A1414FD1552285252
%7D527D597D527DFD065227FD1852FFA8FD0D52FFFFFD0A52277DFFFF601A
%141A141A141A141A141A141A141A141A141A141A141A141A141A141A141A
%141A142E5227522E5227522E5227522E5227522752527D7DA8A8FD09FFA8
%FFA8A87D532852275227522E5227522E5227522E5227522E5227522E527D
%FF525227522E5227522E52275252FF7D522E5227522E522752277DFFFF36
%FD2314FD0E527D7DFD07FFA8A87DA87DA87DFD04A8FD05FFA87DFD15527D
%FFA827FD0A52A8FF7DFD0952A8FFAF1414141A141A141A141A141A141A14
%1A141A141A141A141A141A141A141A141A141A141A145252285252522852
%525227527DA8FFFFFFA87D7D52522752275227522752275227522752527D
%A8FFFFFFA87E52522752525228525252285252522852525227A8FF522752
%5252285252522752FFA8275252522852525227A8FF85FD05141A1414141A
%1414141A1414141A1414141A1414141A1414141A1414141A1414141AFD07
%52275253A8FFFFFFA8FD045227FD0F522EFD04527D7DFFFFFFA87DFD1052
%7DFF7DFD0A52FF7DFD0852A8FF8B1414141A141A141A141A141A141A141A
%141A141A141A141A141A141A141A141A141A141A141A1427522E52275227
%7DA8FFFFA85252275227522E5227522E5227522E5227522E5227522E5227
%522E52275227527DFFFFFF7D52275227522E5227522E5227522752A8A827
%5227522E52275227A8FF5227522752525227A8FF6113FD2714FD0652A8FF
%FF7D7D28FD22527DA8FFFF7DFD0C5227A8FF7DFD0852A8FFFD06522EA8FF
%61141A141A141A141A141A141A141A141A141A141A141A141A141A141A14
%1A141A141A141A141A141A14285227527DFFFF7D52522752285252522852
%525228525252285252522852525228525252285252522852525228522752
%52FFFFA8525228522852525228FD0452FF7D5228525252285252FF7D5252
%52285227A8FF611414141A1414141A1414141A1414141A1414141A141414
%1A1414141A1414141A1414141A1414141A141452277DFFFFA87D28FD2952
%287DFFFF7EFD0B52A8FFFD065227A8FF7D2752525227A8FF8B141A141A14
%1A141A141A141A141A141A141A141A141A141A141A141A141A141A141A14
%1A141A141A141A1428A8FFFF525227522E5227522E5227522E5227522E52
%27522E5227522E5227522E5227522E5227522E5227522E5227522E522752
%7DFFA87D275227522E522752277EFF52275227522852A8FF52522752277D
%FF8BFD121413FD0F1413FD0914FFFFA8FD3352FFFFA8FD0952FF7DFD0652
%FFA8FD04527DFFAF141A141A141A141A141A141A141A141A141A14613C3C
%141A141A141A141A141A141A143D3C3C141A141A141A14FF7D2752525228
%525252285252522852525228525252285252522852525228525252285252
%522852525228525252285252522852525227A8FFA8FD045228525252A8A8
%27522852277DFF7D27522752A8FFFD051461A9AF848B1414141A141436AF
%AFFFFFFFAFAF36FD04141A14141461A9FFAFFFAFAF601A1414141A7D2EFD
%3552277DFFFFFD0752A8FFFD05527DFFFD04527DFF3C14141A141484FFFF
%FFAF1A141A141A85FD09FF841A141A141A14AFFD08FF841A141A1427522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227
%522E5227522E5227522E5227522E5227522E5227522E52277DA8FF52522E
%5227527DFF52522E5227FFA852275252FF60FD061485FFFFFFAFFD041460
%FD0BFF36FD0414AFFD0AFF60141414FD3A5253FFFF7DFD04527DFFA85252
%527DFFA8285252FFAF1A141A141A141A84FFFFFFAF3D141A14FD05FF603D
%60FD04FFAF141A1461FD04FFA96136AFFD04FF141A142852525228525252
%285252522852525228525252285252522852525228525252285252522852
%52522852525228525252285252522852525228522752A8FF5252285252FF
%A8FD0452FF7D5227A8FF3C141AFD051485FFFFFFAF14141460FD04FF3614
%141460FFFFFFA91A141484FFFFFFA91A141414FD04FF611414FD3D52A8FF
%FD0452A8FF525228A8FF7D277DFF8B141A141A141A141A85FFFFFFAF1A14
%1A60FD04FF3C141A1461FD04FF141A14FD04FF8B141A141AAFFFFFFF601A
%142E5227522E5227522E5227522E5227522E5227522E5227522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227
%522752A8FF5252277DFF7D2752A8FF2752A8FFFD08141385FFFFFFAF1414
%1361FD04FF36FD04148584856014133CFD04FF60FD0414FD04FF851314FD
%3D52287DFFFF525252FF7D5252FFA8527DFF3C1A141A141A141A141A85FF
%FFFFAF1A141A60FD04FFAF141A141A141A141A141A3CFD04FF61141A141A
%3C616061361A145252285252522852525228525252285252522852525228
%525252285252522852525228525252285252522852525228525252275252
%522752525228525252277DFF7E2752FFA82753FF7E27FFA914141A141414
%1A1414148BFFFFFFAF1414143CAFFD04FFAFFD091461FD04FF3614141AFD
%07141AFD2B522852285227FD075227FD075227A8FF7D27FFA8527DFF7D7D
%FF3D141A141A141A141A141484FFFFFFA91A141A1485FD06FF603C141A14
%1A14143CFD04FF61141A141A141A141A141A1427522E5227522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E522752275227
%FD04527D7DA8A8FFA8FFA8FFA8A87D7D52522752275227FFA8527DFF277D
%FF52A8AF13FD0A1485FFFFFFAFFD0414138BFD06FFA860FD05143CFD04FF
%36FD0B14FD2852A8A8FD07FFA8FFA8FFA8FD06FFA87D5227527DFF7D7DFF
%7DA8FF7DFF3C1A141A141A141A141A141A84FFFFFFAF3D141A141A148BFD
%07FF8B141A141A3CFD04FF61141A141A141A141A141A1428525252285252
%522852525228525252285252522852525228525252285252522752275252
%A8A8FFFFFFA8A87D7DFD065227FD04527D7DA8FFFFA87D2752A8FF52FF7D
%A8A8CAA914141A1414141A1414141A1485FFFFFFAFFD071460A8FD06FF8B
%1414143CFD04FF36FD04141A1414141A1414FD2252A8FD04FF7D7D525228
%5227FD0B52275252527DFFFFFF5253FFA8A8A8FFA8FF61141A141A141A14
%1A141A141A85FFFFFFAF1A141A141A141A141A60FD06FF85141A3CFD04FF
%61141A141A141A141A141A142E5227522E5227522E5227522E5227522E52
%27522E5227522E5227522752277DA8FFFFA859522752275227522E522752
%2E5227522E5227522E5227522752277DA8FF7DA8FFFFA8FFFFAFFD0C1413
%85FFFFFFAFFD061413FD0414AFFD04FFA9141360FD04FF36FD051413FD05
%14FD1D527DFFFFFF7D7DFD1E52A8FFA8FD05FF601A141A141A141A141A14
%1A141A85FFFFFFAF1A141A143D363D141A141A14FD05FF3C1A3CFD04FF61
%141A141A60AF85AF601A1452522852525228525252285252522852525228
%52525228525252277DFFFFA87D2E52275252522852525228525252285252
%52285252522852525228525252285228527DFD06FF3C141A1414141A1414
%141A1414148BFFFFFFAF141414AFFFFFAF8BFD04143CFD04FF3C143CFD04
%FF60FD04148BFFFFFFAF1414FD1752285259FFFFA9525227FD2352A8FD04
%FFAF141A141A141A141A141A141A141484FFFFFFA91A141484FFFFFFA91A
%141A1461FD04FF3C1414FD04FF8B141A141AA9FFFFFF85141427522E5227
%522E5227522E5227522E5227522E52275227527DFFA87D27522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227
%522752A8FFFFFF60FD0E1485FFFFFFAF14141485FD04FFFD041436FD04FF
%3C141484FFFFFFA8FD0414FD04FF611414FD16527DFFFF7D5228FD275227
%A8FFFFFF3D141A141A141A141A141A141A141A84FFFFFFAF3D141460FD04
%FFAF363C3CFD05FF141A1461FD04FF853C148BFD04FF3C1A142752275227
%52275227522752275227522752275227A8FFA82852275227522752275227
%522752275227522752275227522752275227522752275227522752275227
%52275252FFFFAFFD0F1485FFFFFFAFFD0414A8FD05FFAFFD05FF36FD0414
%AFFD0AFF841414147D527D527D527D527D527D527D527D527D527D52A8FF
%FF527D527D527D527D527D527D527D527D527D527D527D527D527D527D52
%7D527D527D527D527D527D527D527D527DA8FF853C363D3C3C363D3C3C36
%3D3C3C363D85FFFFFFAF3D363D3685FD0AFFAF3C363D3C3C60FD0AFF6136
%3D3CFD16FFA8FD49FFAFFD11FFAFFD09FFAFFFFFFF
%%EndData
endstream
-endobj
-963 0 obj
-<<
-/Length 65536
->>
-stream
-%AI12_CompressedDataxœì½ëŽ]Iv&öçÒ?t�M*î—¶1@æÉLY%5º[ @±¨ÇE²Áª’Ü~zÇZëûVìs2Y]7�Æ@ç“™+÷‰;"ÖýöÿÓ¯ûâöË�ÿüöE~nNñçOo_óñÓ¯nzó×_}õí×ß|Ð/~óË›¸îZ7Ýþõø7þÃÛO_¿ûøáWú§—iýñQ>ý‹»Oï^¸ùÍÛw_þòæ¿\àß½ûæ«·ëýÛó_}üýÇ/>~øê�_üæ¯î^¾~÷K>x�tÿú›u[ù˘þ2†›•ËÍí߬î>~ûáËw~÷ñÿþÕM*ý&7ù×nJÌëÏÿû»ß¼ýúúž—a´)7¾¬­–õC]�:×GÒË:äc÷ß|ûþí‡o~ýéã›·_}þøÕÇO_ÿêæüÇ5û¿yýûõ—×7ÿçÛ¯¾úøï7w_½~ó�ÖË×/ß}õv½çû×ßÜLY‘Û¿Žé‹»oß}õåß~ûþŸß®(¹8¡#þý×k¨5ªü,àþÅ_¿_�ß¾ýæ›5Ûõ<YÕµÇY,àMxÙꩬ†.Ý�,ÝÍ?õí[Y³ÿyÁsOµLý¡•å‡Qr,7¿øõíßþîïþöᦤzó÷¸]¯_üÓoÞþþ�nëZðÿúK›èïÞ¾ÿÃWkñuírh/ëMžU¾ïŸqçz{½+Ž›œ_ÆâM�å¦�ör6»g¯ëÛ{÷ößuó·?¼µÅ»ýôÍoßý?k9ZL7}&ƒþæÛ¯Þ~úûï¾Y«‘4méþæã—o¿Z�òÏ>~õZWL¯ˆÿÃM°~÷úÓïß~³ŽÂǯ¾ýFæøÓÚšW¯ÿøV¶7Úþîo?üîã?èü^ä×lòZÀ™nbj㦗|“š='ö›^ñȨ�ÅŒd�C÷µÐ¿^{ûwŸÞýþ݇_abý‹¿úôî˽ß=Ýû¦o°vwÿ›üg“\ïûÍ7o?`Òëœ�ÿæpnÂË¿ùízâÇ/ÏßË‚-¨²¶÷Ã:Kë°ØßügýËúø·°Ùëï_¬½ùõ§wdÌÓßê_Æ¿þêÛõ§¿úôñÛ?üõ‡ùxú…„_¿þæ_&¼ýðå×±
f¿ÞØ'ôÕ»{k°…ÛøåwŽ÷»O¯ß¬ÇÞüÝ?ÿ··o¾Y`ÿôÛoß}óöOôÛ7²LŸnî>}ûõ¿Þüîãǯ|~—òi¬P¹ÿŒgüZ?ðáï>ØJ?}n¸~ÒÂŒÿáž²îþüÖÿGýüú«¯ÞýþÓë?üë»7Ï=à™¿û“ìo?àaÇ?½ÝŸ×_ùÿ÷8–|ÿÏ¿z÷õû}�_¿þôÍ»7_½ýí¿þæíû?=ÚýÛYœí°l
-}øðoo¿úø‡Ã$òú×7ÿåõ§?|×вMÿòî×CŸ÷2~|ÿaÚ7¿ý××x«Óýæ_õÎß~�cüÕë¯?Ý(܇ò³Îï¢g—$É`>hýbÆ#é{ñâ;hb¿¹ûpøó_}zýå»Em—@ó÷>¼~ÿöË›ßôËÓSТñõæîËÓ?�þ·Sˆëú¿N?ç`ÿ
øƒ_øôŸ×JÝ=ÜÝß�ïîînïæ]¿kwõ®Üå»xnnïoïnooçºúm»-·ù6݆ù8æyÞMù³Í%–Ì4Ããq<œÆyÜ�c´±ä¿‘Öúc¿_×¹ßõ¹®Ñ{¯ë*=õØc{lëºowm=§�Ö×ÕZYW>µÜR-ÔÇú°®óºÖ$ëm]£ËµŠÜ¹®¼®¸®PCy\×úÎëº/ë•Ê­^£ŒÓv=¸èg
-¿®È+?îËVê׃^ûçõÿ9œ£~—+žÓº"þOç¼.þl¿Ë=ñä€xñgûý;þœ×ñ¹t=ìç“þÚüª×5”¿w\ã	¤ŸÐþÄËÿtxÌŵV*¬µº¯ëj¸tçﮉë×�^g\üzðëQ®ÓýãCÀq%¿²_Wõ«®î×8=¿æáº=\w×ù꺿¼NëÛ羟¿ôT­cÞ×�ŸëØß­õ»_ó|ìa!Eêy�Òº0A¾ÆBšÛ…<çµ”ýq„±–²Ð �>äkŽÛÓ¾³®ôÃx\Hj¦™ŠÖuµ…|‚œsáôÂ÷…Æ÷úÞ�·a]q¡w^W¹]صq=ñvœnÇÂùº»=¯K6M–çñ.¬+®+­+¯KÐLPs½È¢$ýnÍäNŸ²hËí�}�ïÎ'Ûñ4"ê?û¡+Upâ>ïëáp=/¡‡+^\I®“ý·®|u•«ëú«=¹”˜�ì?¿Æ³×üìu{}�ž€îþÔµVªÜüÅwŸ„	.Š¬ÿùÕ}QQûn×¢“ú�WÆw»Òºì{2È	?$ÿ³\—|ý@ôß…«®¹éñYï++q»Níý"#�1Æ¥ÁǶØÏŒ·ëÀÝÇÇõ>)åu$Zêmn×ɾ_æ1ÇœrYG£ç±ä.ß/ž°Ö*–¼Î‡°“¹¿œÌG=kIM[»-[v^tèq­w\œ¬¬Ó"ø.ؾp˜^ËOÉ
ÅÁ½‹"öBjÅhÁfÁdÃbÁ`ÅÞ…·IqVðu(š.Ô<)NVÅÆ©x´ÓÕ¸ e‚ˆ‚ÓB�>’b
-½À±j›7
>]ü!‘XÙ^ô[ä½Òwà¾Ò}ãB«„?§¨z)bŸÖ·µÌë{º_[s¿6íü¸®‡5ÊYÿ�õ^w~	•ZK~E–·¸cV²BC†õ¸”dž«â"-¡�pE½‚]NÏùåì`/.X.rrŸ~±äd[\n_ÑVšÜË‹‹\ˆ_\.¶]ó°äã„uçÚcýít�PÕ	È3mïuÄ[¡ëí²G²?ÁwæNWßV^ä’,òËI×û(iŽƒ¬™TÚ|Tyó‰s¨ÄY!sFH�÷*wÞÎyZ<¬CôÌ+¢	ŸëµDú¼U鳫üYT�*�>@½…ÚTÍ"ƒžU|Tô¬BèT!´ãyÂéÿôÕŸ¿NW€ñ=®ù]×ɼý^×ÝŸºNJÍž\G梤ÿQH¦aÃ:“�OùýApv}?ëÿü~qa}¿Õÿù]þ¿=­ÿ¦^ßåêz5¥ÒòÝø7t|—ÿ“þŸÖe_‹êŸô?ü‚ïÁ0ÖpGÙÀ½^g|?‹HsñýNä"û~Â/óp-þjRÜP9Nd
Ùù´(}­E鈠•Ð aàSu–¶¸C�Î"ˆj-Šð÷¦­œt/eã»k)‹
é‹‹~Ò(z…r£…‹/­gªø"_²£ÿºê´˜Ù­H‚‹±õõHÑu„ÕÅõ;‰’ÝàÈâÛrËc-mõNºD²4\‘1a×Q¢�Ý>¬OÉ&
Ù{e±e1Xa¯÷‹µ¦5í¾^㼤÷°^±(FÜ)/>ºä¨“2ÑGe Â>§2ÏÇ5»¼0¸/l^<SEâ¼0^Äàó’êEö5n9TÚ½_Rn\ädI¶'0ʳ²Ê¨|rsÉ{GMÅjªþÜ.²v^îq“¸V´¨vÓU›Nv>‰¢¢:IQ=c¨úpsQv¤Â3XÔf]Æ$„±=ÚQTf'ÏHÊþ2ÝzШúÉÕ©£*uT¤¶
-¥üáBsÚ:“ëJ'W” ¹^tÔ„Žz�«5`ƒFŒ=.VyZßT
-×˸ê"Àz:TÍ ¢AUÄ—¡¶Ó5¨m¨®ñDÛ8觃²AE㬢Žé�®WP/®
-¢Á»¾ùgQ8Ò—ùÚ`P-\¹ÌP/»šLżw%3AÍü¬aét°,=oW:Z•&JÛœdÆ$3%©!é;Ò£Û�
-ìGf:£U"A¾M-GÅǪ̂B£iÉâl–Ò÷¡”žWóëh
-�‡‘‹���T2	y¹ù8xZ_ËjN©ànÆßné59ÃGµX�2»à/ÃÀBJ?øQÌ“"¾”³òAõ¨œ„ÊÇJ<h=ÙI~uí§ÁÝÒ�uL×…T:ØÎÙ1tÆ@IrE‰W<\éò:ÁkCÏ;.=
-›Íö‹k\]ógÏåuû™ëé×ùú:A‰»¾~ìuºøõñ§_§Ÿ>ÄŸ�"y„ÿ…JÁ5ª²?8Â?‹ò'˜Ý.ð^•ƒòâŸá1ÔOja*°HÀÉiÀý’,„
(ð�˜
ó‚ì&[˜m iOÐ`Bª@Ù–Ò-iæg•C`pj>4Gj9¨Ä8P
-ÒŠM-(†ÑRŒ†ëài5L½ƒsÜ(ÇÃõ ÿ59¡·¯]Ð¥%§i_·¢rçD„ÅܵÚ²éK„ÄÈk©½—äæHtêA=’Ÿ~�^�„H¯ÓMºüú,¦HÖ“ëô¹?\Ѹï}�~øGþãü¡(nþxàèù€Þàé'øÑÁ½‰àõÎ~DpCnêÿÆßvŸ½Ä¦lÞ¼:‚Ï‚?øüÖV©¯ÂpRmáÈô“+¯‚àÅí„~Š«$pRQ€!ÝÑü(¢?
-á³;iíOO0�þîB’ø,Ú‘ÿôy쿸ž¢ÿñ:��Óg¨Âó×5­ø,Íxzýè¯Ó÷¸ç»‰ÑÕuúa·ÿ¨
/Qüg4ý‡¯®t¸2²­—UcNhÃ4Œ¹…ó(²MK iFÕ¨©ÜžàK¤Ð’°Á�
¡h´g>êL\1j6%ï4€ãAýMé´è˜‰)awj¾°
-æzÏŠ—Ž(uE�à¿s¼Å
7
æcäpºŠ¾WαÃSUC‰D“âí•gÔ°øåÅ÷ùpðΩ¹UŸÏT]¢«ïÇüôêÐWâ”Nâr—ý£º…躇¾NÿýT¿�¬Š	LÞü¢V›¬1žTÜîÚð�Œ{ˆ…w|±ã..#..¢-Nµ° ‹‹@�«Ø±Œ«¸×¹Mív�.")†_ýpµÃuŒæ,W&«É¡‹××5¯º¼¾3ü3ŠÿÅÿŒâFñ?£øŸQüÏ(þÿc?:’	çé&‡—9«/x;Š?sƒºá«}ÙÄCõõ‡Š‡4ÎÆÔù'îçüÁŸæFœÏº§¸³»'Ôòá›9ú\I‡JßßðÓÕŸ®?zý�×剱S£ßOOAøÿéúż�ï5ýÈÞžðë­Yg²*:­gÕPÍaÆÕ�D‘O)°£ÒŠjT³ŸöL§j5E²�¢·ÓópH1Û("y>Іdµ,˜½3[¾ÒEîúš4øµ-*}™.R©s«†EÒIƒíjˆ;[sií`u°¼òߦq´ÂšÖ‹|²t¹ ̨èdë•5v»^îá¨5÷‹e¾ØëX‚m³‹éœÔ({ðÀ 5†6ÙÄ(…gKS7”ÝÝ!XL«‹Òxš˜²“?.S?>Ÿöñ�á8§gãq¾#"ç³
9É9ýð˜œË¬š‹�œ%…œ•cbÏs‚ÍOH9]ç�|gôæhp«E&?"ê‹‚Ô¥:¶¶8u¨¶HuªÚI§f“Óé«£he=
-W6Ý-^Ù¤Ï'�7$¬+
Ë¢s->÷ZÄšˆÓ}"b�DÂë"oÐräî5G.)ù3Ï’xŒÕø
-w’À
H’9�©Ÿ­ìk)«(+uíî�+ñ¸²L�{Ö%¤Ë°^þÎcqåMí°®M¨k-n×v=ªõSÂ÷ïî4t_÷‡š3×Ѭë˜ÞÞß/|Jë0�u¸"ç…æ]&z=>gŸÞ¶Mé¤|Ö´
~£C%ˆô¯Eý�Äâ1DqD‡¼pr
DpÞ>ãǾŽy9z¯Ý›¥Cþ©�m�Ø>ÄkCjŽ*/?¨¤|§2ò¸�¯ád1ö&�[bíˆ'+ëÀÊEþ*b�˜!„*¼¬Ÿ‰Lû±C!Tn}Jo襪è…q%â.J¸ŸÄœUh¨ýd
nùåÌ©gôS‡Ò%�ó³ñd$Ùyð%‡Ië÷0ž‘)Ú0?IÂLϪ¥«@5¦׋ÿËáÿç‘/sŽãÖN.öÿLå>þ;9ÔŽ±ë;uúÚ…vAhM/âî,ÞFbm¢º°*œð[°dlM÷ ñM¢JšFµä¼“
-vgOD¶Pº~‘‡4¹*á’a�àâK‹þŽ'J–ü>+qÈ°ªêšÚ
ßî½c½‘iuÏ\«“:�˜lu‹›õ%EuõÏtOWºCŠÒƒ¦&EMGZäK×�¡9øá±Oý1@‡¡~ãિEéuÖŸà¥gÔŸ®‚dd«Ç²¥þ+žìdø®K4Ô�wHv:Ý^ÖVx®¾B‡ƒo*»cºÓƒ:ú©NÙJ‚ÔCŽÓ­»ø‘Ô´š˜Ît«¢¥, =t"üUHÈŸÉi~šÕ¼…ÝËdò«ìæÓ“LòíWðÎr~šçìÂðéVs‘î|�‹ŸÊÆ[>Þaë�’O»îñëÁ¾£Øw$;cٟij[¶×g¤lÞ×és	Ò?V4>}.AúÇæ}�ž‘"¡V¶ªÖµ”-ÂEd
-É“Eâ�˜¬‚2,‘[R¦¬|iŽŒ'X$YèÒ*I»¤½(ÅæƒmÒ‹1Å÷îôŒ}ò»-”´Q²FÑ…�R¬”;û÷ÒFùyåµ}Ò¬“—RcûEèbvª–çv¼¿¾×-²$�÷q“¾(M|âå°Ä
î‡<·Æõô
O…�Ÿ8ÎO“vò³ÒN~Ξ6žØÒ¶%m@cØV«~a
-/JVi:Ʀ6¢‚H¢Ž¨™÷1Ÿ6rBHwUR;Õà91¼Ùë<²JÍŠ'XѲx‡@«¨À¦
-4—b͵ps´ö=s.…�‘Ç%wnË:Z³hÏ¢E6-·j=`¬ó…mk	V{E
\*(›…‹6.Z¹Ì¢ò“$ˆgŒ§ï'?|ÎñCÚÂÏ‘G¾ÇtµLCEÝÆ‹ñÄTֈƋš$W1'ó“ǺœSåħ
-6Ó#+S!“Ýþ/þiãü4^\ŸåÅUê�:/VEgËõÇÿj;¤C¢êUªÐåËÔÕÓ•ô¿ej
-hî6-I¡9_–uÌ‚?Û�V%ÁE�Yg& íѱ”I…ÞÆj4ôUçŽøŸa,Ó?ùf�ï14úÑôFT}yY8 
-ö<QÍÊ(?I÷ìÏ©žýÒ
-ü¤áIØì†Í‹ÚÃ߯|{k5I$!bÐtco8T¸¦¹÷ÁÃ+”ª[fz?oñ=!1’Â�u»wï²â6M°õG^íùëô¹?\ÜôŸ¯Ÿ\ž½ò³WzöŠ'Äÿ]_áx™Xñ3VN¦{z&àÈw•ó>)ü¾�Æíá§[”°åO˽Ã_Ë!˜Éª¥Ûu¾ª:bÚ1£ä{—˜cæ«eÏ;Fõhù´Îvyft‘wtâ¶Òoû<ýÎÛ,o¾eé{N‰ùœ
-se9„]ËŽÂö1Mš³öb“nÊx™^Ü<g"ûÑC]•ùúÁ!Pk¤Ñ[ùY©8Öe<U Á‘f@ý88i2M•ÏYÒ8ßEÉH"í…¤ÑæRhÒµ	}Ì¿<…›Ûõïÿýôíºv‡¼üãúåÿX?ü·ú÷›ró77ÿô_ÃÍ—rïoN/J�–ˆ7¥Ç"L«Ü¼?½É÷å\ÒÎ
üêÜæx)z”€9Âs°ÃÇ?è¬þníMÃ!{ÙœIzÕ;–º‹r„›G®1~øÇ×—óU*œUŸv�¥¸¥z³`yíÝÒ2[l‰`Q`åeïñæ|2èUfÚgÖ„^=ÿ¬W§ÑûÓË…?ÝþPç+t9¿\ïm˜¡·ÛÍeéZÃ$Àñe­	`oìÞÚºŽÐ—
-Ú
-†áÎ%ƒ'�”�Îñ(Á÷æEÏm
ȼî\hË—mmPÖYÁ
«’ˆ�Õa|d	È7‹*‡ZÁfKî.Äâid±q£
IJ¥ý4Ü»”%°tRºEÖù¨EÜZæIJ„±aÏÊœå…� à›ùêýóã)SôEÛ^a^yg³CÓªu˜6	¥Xƒ�L,°‹QÎ/ª„Úaer0¼i퀻z>m€…-±b”cpa�´5ãÛM$*ŠE¥vÿ|nv<6D£tM>5°Üäû­;I[41úÖt—�ÖR-@LÍ Ý
¦lLä
-�9áÖÐ+¥Ìj„¨K3u
-´BÿùñY(à-
"ãÖ%6w|èÞ—8•:&u�%ËšŒŸuo4墮<kR”Õ¶þë3%aú:`¡çËmY@1rÛ½ë0بë€/å×ôb�—…{£o‹ˆÚ•;KÔ^@¥ÖzoŸ�êçbBçe£ëKó«ªf(æé¨J5_|^Ì^g
-3*}ÅÄ{vQqm€b�Ðq_
<!u­³�²
±ÔŒ8áJM(„$O¾p�B ˆ#]¤dw‘°‘XÕXÔ©[�r­{×<pöÕ7`wˆ<é ‡ÌpØ  f
F#xvÊŒû̵"cr^NxIE8�£W›Ù„c;ŽÕÈá\'ÒQ1
Ƙr†xp†¬M	"kÛˆõ©6
¸ö<Wð¤õ’:À’ýÅ®‘@�•
-0Ñ
OŒr[‰ðd9ªöéu¢Ù†½ªÂߌuÛc’+ßµ†è¤J%óB…+¥ %{u.2½fnÀ¥…$ š/bÅ+µë¨ÄK¶î�¤-¤Èö¤.’*nÌ56*¢1…»O°A—p_;d#¥Túnój³b†ÑTº)½
-n1ãAlÜ"Ax\‚¸Îî]W
LPyƒMìŒ
ˆLS‚+³�ŒÞ‹^Ušƒ¸Ð¢`qMXÀ$œOUÃÅC‚©œ
-^·B³KÝï�®Äu‘—9j„
-7`ÁPpk
ãêö¾x1yŒÛ¸�ªæAc\´}ÛÀ�‹¦sƒÄÀY¡µ¦˜x/ÐFÔÓÒ*€JLÇ�x·ìЛMa²‡uîƒ#£˜±‚ïo$âã¸ê—�²”N�h×Ý¢¸™%ÀvBèˆ�×1‰Ø“¨‡¸ù&FîÐó§RoÊÔ�Æ«ÝŠ"„ÞHöƒsÇÚ)g‹|-†ïG�zØw?¼µ¶æÔR�HPÈ�¸WaÑòg. îÃô1?ˆm€Ä=†@†¨o$í	÷&ÓîÖ
-l5JjíóbýQ#™±PÉžíd4uv$šœÄ4ëfO5ÑCæçc¥	h	ø|3–%ÀùÒϧ4ï-Æ
-£ºhÖ㤋wP`¤‚aK“q¡*Œ@º&f(\#ØÎÛ©mcsþÐT
©³C¦áήcß%¥>:;ˆ²b$ÒÙƒnû%p 	(À*£lPe5ê
-ÃdhYZÁœWÐaÕ»—ˆ%ªÅ‚Ån0S6=Å4¢U·­=±ÙÁJ-n‘Íó&
•e-C¢IQ-Q4@ÄAëáóâ+ܽƥ|‹t•ÕtD‘?£rž<FEy $ô&/:01˜PÕL>®”ÖYŽ³¸â•,‡à#(BÒi°l±–²í�rô#dJ•8^=?È+7õ®Í‡¤69qµÉšj!6|—a)ÈG“ÉL^âC„¤ç¦%W!Gcü¯ž}f±HGWÖé~–÷´ª)Ya‹†b1’£¤÷ÂB&‚V´
„ïqkܬ”FÀMÌ<�ÔT¤`0ÿÁÓ	`g­¤Œ.YnÑ&6¥�‰JbÔê´BØžbˆ:%BÄä‡`ª%À!'MçÐ??D†×[)A>y¾ÌëïOó濼ùÇÿrñ“úÑ>|yáEû“εvå\û¡î5’ÜbœD—GÔßjdàWàEŽÖYÉͽi6ÈgÀ‡AÄÏöŸ¾=Å›{¸Ûè@ËÌIÌô­¹�µv¤GVÆ÷TëhdÞ6Êf€vß—Ø`¯‡«@‹«C‹K¾€•þ¶ntÎرœ63ÁÖ]
B—^ÇlعÉb¢ï0'µ>’0B¢Ø7ÌôŸÅPk Zÿ²8Œ(Æ-
-f”…ª5<ñ`3OË¢u9As)‘žƒƒ�®VëÑ›;¾ÌBQª0n�3-²ˆ°C`v³QY2n˼w˜y¹“UmT[Á"Z5' ÜÞ>ŸÜ~8ܾQ’æú`YMöY°ÄY¨-´õ
>OÅ}£â^‰�¤B`Åš
-LÚÁmQ]T›7°=ÓrµÀ•rIK@è�}Æåàïc" ˆYuàÞ¬¬Kï…‹K€�û?ܽ„ßh9†M¦õØ@5[¥IU:»»¢ÔGuz³¦èK¦Ç’a’Á¶‹F Tœª3ü”BokI¸ª’œj
 °
œ\êéà
-+w¥û
-‚KW 
D-
-Œ$®‹­†¨Ðj;öBMÐëņ
-pë‹ÂáUÛQðbꘕóø.f²l³Šb¼}ƒ
¢ú`Ú\?eó.àÒ³³
Í8f3h6ªÊ0n-¡Æ
-)81¨jg™&;}î TIšþHs·XqQiQÕs¨òu5¿XáÒÞ±É
ºv�{3¼ "ò†
Ùn‘g ‘NF�«Xîqë€8°øK•ô[û|ÍÔçRx�:Ûm
ÄB
£–Î8 
-ý§¿‡•rIŠÓ�Påï÷´ªGFHF�¨%þ½B:Rª�¬¾dJÀ÷QGÁKÈ Ôã€{iÅà4§N4 ¡
-�*Ê
-^ŠtÂÃ,@Hg�W»ðægÚe;´:E“%ßÃ4ZTh;‡2~((*á
-Ð#ÞÄWÛÕ"2Œ'P¡5�uS¿¢¹O¥9u)ú&kž`@IpV»SíÀF©$æ£a
-4w�
-ݘ&;õHo°
—Ô\(	ÒO€R‚Çmv4
-äã
-Ë4™	ê”Î[¡=ËÌ
à�°;.´Öˆ³ÀcœBÒTĦ\Šä]Cé 9(–)P‚š€
-¦#›GÀ@ÛÒ}9j,�>Jm€âAñKèlF7ÅñˆSÉÄ3Ë�ÜÙ+€ÝS¢$h'Ó‡–#ãndÄ@h¬owpžŒà¦ÙPóäÜß
|ï¨8÷:“ãÄŠ“¨Ý\|\5¸Ù¸6%ø»½m-Dp÷`«f;•Õ™�óê9ùò"¨Phc7Ç©
->/vz(Sé¼W=Pp/Â|Ü<‹BN-�2@gø8 À7¢sè?=`f‰Âãû"‰âÒyÓ@äò•ëµP¢_Œ;xDÆè×Hkq©‘;ÅCLÈ9s+’ÅVég„oÜ!¨óµ›;l4
-œ~È:¬D†&`Eqˆ¹KÖ”€8L4³jeðu¾:‚=mpiÀs$!j²Ž�NÍØ)ÚËáO¾c‡Šï�¬£»Ÿ/VßÈâo«©L
-N}=þQ�s�j¢
-ž>™
r©ÃAŒnÈ	.AR=±uîøâC¶+cÔ-AëA…­dÂÌŸî‚Ÿe­å,ÙÊ'àÂ(µ&‘«¯¼'MdÕ!"%¾^Çͳãž÷Á•Õú'žÇär±$ØFËä49¤yárØM“š‡Ò.UúŽ€g$q†µ{
;D�éÒásÄ绨{ÉÓ­*S5nȦ€¸Û§óÚÞýÊÉ–Ÿe2ŽÐ’Ü,Z‘ó4¤5ÉPhF±�§�#©‘^+Ätõ\’Ö€Šé‚T!pñÕ\l2¡:•#’‚¶/}Hb>+gLà˜8Ãû@ÒUîæzy†Ö`^�éUÑüȨÌ}�z%*ugå™Vð<™}/	â¶n
Ñ”+£%ûõSDëôå�–‘ä¢>J¼Scî�ýp
-iÓåß@‚ÑQ–ÚB³eTwƒŽl9�6ƒbŠ²8µM*—¬¦Rè¨N–[¢©J\@�vÔœ³É`àƒT �V°3[eU2Ÿ/jkñZ3þ¤Tà±P�Ú„W”ºJ¾þE2~h″Q²¯àX(æñÐ$÷x´4ŒÌ*'šÓp#Î`vqbdF·Ë²$$–åCF‘j(—Û½cÁ@ì ÄS
¢&Žô;Ú6aMŠÓ±‡è´Ï_ûÃ}E=Yfe	Ñt:naú¾€+Ëõt¿5uf•ùiOàD=IÏÐWå
�m'Ya•÷26}à!¡µ?«ïlÏaú±´œè8}sx.93³E…0:PI:ciRáÛ3�As¾-©NJ+&�ƒÇj
$ÞÁ¨\Y=DœI¬J'þ¶XLc~q]üY÷
-¾êíà]ºo
Ĩ€êg¦§ÃIå$¡
³Û�´¦
‹-füϬd§.rK<D
-jö©¼Ô7÷@…¦iÑVvº�’§¯`^šj°fVTPå‰Ô�©¿"äÂ8»F�	DWU‡-¼îs�)PîµÇü¤­Ò\aÞ+'Çø;÷hDö¾æ5U¾ö½–û"ÀÔ‘-¶ò]œò^p(–¶¸š�Pdñ¾°ú\�*RƒØ{€¥Û¤\Ù£ªZ¶©n…
p"îDýø6ÿU«{#
`VÞÈR^¢ºfêè"j:”Ï»¶YäÞé9CÔ$¯¡×N½5¬ì@Ôwí‹
-h#×3@
d‘¬sãë2b0mé3QÐ,?Çž„¬R¸‹Á¼PJLLC`òBºé°,l­§¾Aß�†
-Dºm\BD˜ø�:…eMɾ¸QhæÜÑPSÚ½–ðÓÞ§ÛÍy¦§Àë¬Ëë1ð°²*ò¤^2gÚéL° q�çfq
ÑTº²0·ˆ+*°Km•@
-bù©›l ¨ªì­à¢�ŠR…ªrt"XÖ$ËýqR‡q§Ñ]é]2Ùx7³ñÛd†Øá 4äŸ_j]m2ýE56¥§”s'zÀ%ù½^ä(ºL-4Öꬪ%Ѥ;¥ÇÅÕ>”+|B¤…ˆ#ç§M·†€&¼–ê¨�,ô)å=c½ @MæHXñ—¾V‡fѤ]ïÔé=Á�~éTíTH*A¥[;�àÀÄrmÙKÀ‰h.k©Ø=�
„àZéÉ	G«m•Tæ×Õtëq¿&CæªmmZòt\>0€SˆB‹Æ²Ž	Kꆑ•Ep‚ÚiÌ;QοÓ0
-s?LÅ­Øɪf¿'º�€Y-/jŠú
-¶ûdy
-`¼³y5‚
-Ý[”¢G¯M³áÔXWmzêJ<l1Ͻ›mçx™¿:­ Ã{‚½ºy�
_€(+öÔ^Ø]'$Ó�ñvFòò&˜:@p�cVŠ¸šÁÙQ`SV±ã‚Ç몼ø|ˆæ³K‡„™8¼Ê“ðÜÉhJ¢mÚ±qÃÝÔÉjWr
-r¤¥ùyZTÄ:Š^Rh
-¢�
¾AB¥[À
-CzšóÄ8XKQë“ xôH(cLœ
Á`
^8ÀDÑÕh•íŒté¥
¦è§€ê"ºXžEñ¡0ÊzÀ²ã>u'Ú£:B	Ó¡™…Ì
-&dÌ­J2…È€ðáv×xlQã[>Üÿ$ÞÛñÝ„waö�r?œ�s½:õX_U|‰-9:¯–½`st—†Þ�Í”¸:vB 
:NFAh4dßtõ¸ƒ¨à]L´jE©*f`­MQa«íÌlå ÛÑXûtÜÍ’ô-gá™Å2J~ZW]GV`nO�£2¦LÂÚh
-£r¥¨®ï<\4�ìØS��½…ØCJš¾œ1@u
¹À�*@Ôs™~6ŸÎà¸h4ÄÇ#ØQì¨AÆœ<÷ÊO>~¸×²•Ÿ<žRfd	f
¸b€ €'y,Ía5zå¯iÞ°À½©3k7—Ù·Æ䟿z'‘�µcXïŸ{“ DŽ·4ö&@”ÔÄeÆ+¥¾ôÌ°ÜXX,X
-eMÛî4IÝZñ\¼Ø*2(òe§S4GC
"±YZæ™döö`”¬`ç§Y²=€1è}WžNŒö
4%*Öh@­Z`T¤c5� S¤IÒK$0{Ó%wõH7*ˆ¤Í,²/¬´�Çõqß‹Ôm¯\™Nw—Ü[Y—‡Â ŒŠzjÍûÒ¼vl5ÆpÜjQ¶Œ©îX@´Þ’ò»õU{é-ÿPA³3ÎKŸ?½ßTÝœ\nn7M…±À:ÑêgYS}cÊð6Õ’½_qÔH^5–ˆîà'{pËÃãWv¾�4¼qâwÚÎA’­EÜAÛÆœîBX}~z€Î~²®Î†Ÿ,GÍ·–‚‘Ä\úÐÛ÷Dúèl�ˆíÕÉÒ-Qê¹Ãi3KÞÐQR4KÓ¡n+”02™‚
6%ѯÕ`î=Ó±mÝc”ÄŠï:@ç¨W3Ø©
aööÎL`Øq7Êm@¸Ù4½aÐOGé[ºx„mœ¿Ó•‘`õíÛ�=r«ï\•xÈÐØÁ
O¦»;c2¨Z|À{‚'‘•1¡Ò«cT�	•n™°/V)`L¥_œ6lzFÉC;kv§'+•ÀêÅð²Mb»Ùá8-ÚHž¾Â>×ÔªüX'—BÄ8EvscÝ�ÏS,Äæɽ=‘ºÑöQ]á2�³/:…”ff.:üR_MYšÓ°_Küæè.þvvÊRI/'‚ï…éB@|lŽmÞ,f—к݌‚áa^â�Ç÷é+ðÝ$áƒC¨á⽃É>X‚'ª¢.Ýç§F;xó(ã«Q7ìb—zmEŽ¥Š7ãá Ñ·+[äƒÑð'y"ïÎtØû›Zy@ý~bc·ÇSÏZ‘©¾±Cè!¥>
Ov1#;êé°Hõ%Ç¦¯f~yP‡7<Û÷Âo¥;ŒêUûç~1vô“Öf�·¶Ý,±zSÚ¡Ï‘¸};Idýˆì½ÿ$“l0öàù`7Êäýå<Ô³¢,íq:ÏgàÞD¹ÞqÜWÖ¸¦UIýîäcý¢»ézDOõ2‰Íñ½ï¤÷nr-£ai)¦0x2\%Z¾|™#Ñ®,q7¼á«rʳvv]§‘££á<©±»±«íhÃîþ¢~°’tmûˆ	¨SÑ€L›o�&‘VÍx?Þº”œë``YPi¯û
-?ÕYóvh±H8™ù#qY^î²$)géâ5o„YK]:4DÜýPBb£š„Àš+"ËÍÈ÷Í¥$ÈŒ²âN¿�‡õÂÀÁÊ!‘_B¥`ÆlÖÌÍ5’7D„mE5½ÂF5ù`á	î¾Ùë�+eP,&²3°kG�–Ãô]?š-Ó’·+`b¢C®êV’"¹×Â$cE4­ƒV*ò—Q<=i<~’ÒXY;x5„±Û»%‡pzGÚ4ÙÁgKŽ‹ŠseŸÄ€2†4yMfÐÛ®f8Ø)Ÿi­·{�awÛâh(óklù2;;¿[Â°ûuÓ+@du6½Éë.w=ºç3ó6�tHs êÁ¢­yº'„åc]éydk¸×YkkH©ÒÈSÛRÛý•Š+¿”gpÙ#åã|›
J©¹HÑUÞ^
̉u7ÑÎp`K¥f´â!˜êÝ�d
-Ô·4^ƒ°¾vs³°TnJ�‡‹kVo'ÚŒŸÚçŤCF#âL¨’¹¦@ 25B§/õ…v$dóÁî‘;“ÕMµ3[‹˜`áck–{uF¡ýÜi)°\«¾H0È]熓.ªOžäîZŠ\a4ltTS õ¬~l�œ(w+Ãy0Ù
-/{›ßmXRðÞn³3*�.q"aè§�Íùiª»ÍjTp÷èÕT)ný<…ˆzWZˆ"“%u齌,èV„Ѐ#�
#?m
-›‹ìË
-~�‡Ìú†æŸVnà8wµÔ
-`d«r»¬~¦¦àgª2´JíÅ<¬
-4wKæhýJíA“Í:U@åÍŒü¯°ÙYÎLÛ H
-ov1QÝneLÞxÁ*JüíOß
-f¥Cu=6‘±(>{º·�ˆ>00ÜÞl_«öÑ‚Z¼Ÿ2{¯9�|Q4La½1ÿÆT!\��Q*ZöÈk�‚®oÅŒÛÞ
-¼
ªaX‚Øèê•Ò¼™¥Ê–ÌcC+²�ÚAT͇<4-ŒëÕË�þ %l;�¡iRëÖ¡ÈÜUˆü@ÛèKDò€æzHÉëÂN˜º36€ä&€™F6ƒS¹ä12ª%÷h‰Bׯ‚‰ö°DU,†M1»iL/&ñ:Œ^Ÿž­AíÞ“2p6Û
-´Éî%=›Pî…�o×ñu4°0ñVê»O{�Cg`¹ÔÕd÷‹;Msª1¦êŦ×3Œfí´
vU¸
-[ÖèV{Ïîôü$
gÆbÁƒ¯XîŽ
-ÒV ˜<‘½{0$?Ь1##dÝhÕ_.5rZ»K@‰!Ìöi–¯ŒÐBÔ®’±U“Õ\Cñ¢xÓóóG4>¬Ó0C'ƒØÜ3`)9r{[`éÂ콶GóÖfjŒuߤŠ„z:Ù
(G7ÔªiÔ%ÔÊ–ŒÍ�³%9‚4^
\½ˆ¡2úk»T²¾e/¬†ˆb¹°HóÏð“:0‘½›rꬶA6w½á�Þã6–]‰ ú˜"e¦~ØèQ«'äª#JçA²7`EÓÔW†Yz'—‰V_z.'	¤�èY¦o2P�ÍS•Öt²-†ÛÎÀvUH^¨‘—¨݉'áìmz½š‚$ßf–Y¨Ä"÷Îz…;­YûÀyv¨Ø{«#Wæ
-³p´)„
)Å�8×\¸”#5˜ÊUÝ	½›B¯Ó
-›+LÔ
-F©lM`â^Fž�¼W)¸óàj.ÇHê]⪢ëP÷:îšânI‰ý�¬ÑY�N𞹕=;‘›JeXa¬-CÞ¹÷1vkHtÒ©”‡$oƒjÇDFÓ•�5ÿ� Të¸Ñ�|�¦ö"Ä–
-Ì+€7:OvžÛUƒÖ¸7ƒd¡י€…DfÓTôÊ1FŽ$‰å˜Ûæ `ïƒÚ¼_-LufU'
Z5Q
zœ·v§*àaUȬ
Ó
p2-zûúÛ®wv1éâÅЃw9`%¿¯Þh±Uî‹^h¢xÀĶ´‚{f¢£ª×
-úP["û6´ãµã�8>¹wºv�•&þ×+½ülËÞf%Âó¦@Š•{w'íé
-vç

o�­6‰ä¦a9á&&KÞG£Òͺ6M5Zja›HD/±‡Ôf—ZÚÞûIdáPB²íðŒ°ë‰ˆ»œµ%ô±/žOž8$µùyö/Üâw‹‡vÞ»ÒK£eŽ7jËÓeÄîè¬È«DêÔ~©jÈÂný
AM²	•tN[p
-µTo¸´º2IJN©¼1¿£•ÃÃ6ñ±ÊS
-ƒLP7ñéÖ_¢®w
-Ûù—0r'¥Í(ú£RCÌ&ÅhJáX–\‚í&(6VuÓ¹AzlRm2ÎÌû„[_p“½ˆŽ]è¤=¤e˜µ`ø¸7µè�
-§ž|xpj>Д‰"æ5»1¢¡«zó©O6ü®)òJSÐÏ°«v…cµ�´±BÌ™”±€iº7mø2ÀL$`‡¥IÜvd¬0¡˜:KéMÀ®|³à™TDê´	0É¿VO
-^ŠaŸ/Žc`«güûÒakÑc˜*ÛÁZ�)ÓLÚÀºÌZ‘(¯JÕÖÀä›­I7±@˜¡ÚpÔ-ÑÅÀÊ3ù°·æe ‚Å—ñó,?<_»åÁýùÏ®
x:¥hj÷êTÑ‹x	Ð}@)S«;ût«uçÆMvö
-Òã<F§T8=Öáø|Q;+ÎM§Ï-^¸K
-Þ–EvÆÛɺTšívGH)n‰tÞ`žDnE‚µ2µs]JÐìSœq·â¨Èm`ꨘîÓ>Œ¤ ÚåÓVk‹ÔÃm(³ÑWNÙQì¢ò$¶˜GÆ/E&­Õ¥lpW²%:QÉÞ-cµÕÔ¾W€—ëQ°T¸‘M­Ð¢t¾1;@Áìü=-wÒ€}qé“óª¦AÐ~\ŠÌaSxðbTåEÊîp<[KfÛ¼âJa
}}‰è&§À‰YÀ½zUÈlÝmÂèh[÷°ÓÌ(åçöë6«Wm¯;õ'µ3*©%Xqiˆ‰=šœJ?lXòbˆR'£Ôz jì^Ó“ùŸ^ÌÂÍH`d_™Áb”f‚¡�
³‹åú •C:é7«#É»fRžè	û5Ñ+™=XHÖÊyPA“yW�� ÛHÎv�‰ÜŠ|E°ÃÑ‹z`îsN^^ZV%0ä-{ÛY
w¢¢æöc¶™R"óÚdº—Ϭ»¤Ët†
¢!•ÜçM
¼T/˜qñõèµÏ¬öUª+
Á³1•‚Dòšê"i°–IÀƒÀ0 �œ½p†R°,aŽË¦¯ÁKÓ—âu‘‚™
ˆVgòn­ìqÃÞHÙì]‚ǃÊ}™r€b?ž'­š<`@FÞ…ÍX-v8ãÀb?Ý4EAÇ*ì~Î(ߦh#ª#Á±ÒIÏXO‚FYÆ—Œêð—RNÉJ§±–6nòv•Û³W"êh˜Ï,;% ßEçëþÝpôþ—pŒj°¶ÏÆ­�»>Q¤ÄCKʤ%zœ¨™öùè}v a¢Ó…�ƒZžädB;
r€èQ8t7–ttB¹(¬ë`,Àé”ÈÊ“r\R-Æsæ©éÜæK v0÷WR@)® /
"@3ÛuÊn½öõó3H¨©lqzÎ\“MÇÀ`£É�ÖnÀVÒÁ‡¨p~>x©IîwôVÑBb
È,æx¨[=f6¾t�©x—E�‚1ï‚ÍÊà9–›-ÁKm	¡ûdyÞ
{	윦ίèE°=øqû�òô¶ÉìQ¯žÛ{Õ›ƒ‰ýÑK{åéô/z§³L×+˜çQ˜sù&Oöt *çÏ‚YB¤±Èg
èlÁ‚c0
�ÑRíˆ�cF|pÑ/OöOÁœ¤
-z;®Žf:© çö¸¯‰,�ÇŒjB<_aדe‰'™­W
-mt:  9A(3,4®˜†	†®‰'X>ïù†¬�%/�¹P‡=¥\Љ?©{4s231_ŸòFbYâ
ÿž¦ø´¸@ïMÉR
-ü
-`Ò†dÖTOæ	©£ô@A‰­ì*~j^^ܘZõb(ÑNè½)PÆôßÕÓNƒsIr#e7,p
Ù¢—+UoR¹{I0’k!6>Ë’²�{;µ^홋;=§JëÄòùÃE<æ7¤í�ÊŽÕÝlÈGæç϶uPz+˜%”ªk�Jö°pUrJœªWNò*@çh“
-c*f`7l"3÷–QóB�ÅÝ@»BÞ3t-™
-ÈŽ5ÌIÊFšŠ»È2ö�‰m
-
Ø*FjÃMHö,2¦a¥ä…¢“égÚ>ø�ðåx
Y¤Cªýƒ¡%—Ò!²>%/t›¬tæ}ø²Æ”â¶SÚm4â¸F8¼˜�ÃÉ»r§xÈv¼Ó¦$“®ñJ³
O)¦)ÀÊ$KöÚNÁ¥CöL
-¥œX­;ÅCÏ×äó�iÝn—�wú_­Pˆ™[¼Înœ^Ú)[ÑE@À°{d7·i™ÏøG4ós]^Ü 6g�˜ŠÞÛL€ =l,<Q=ý&nÉ*k¢*{P.^ÙU&‹…Éî=�¦`ìEŽÜ^Ø«Þ:,úÏÂÅcØ“*þ¨² Îm¢WuQ+ÇíÓÃk�]p:%ï÷C
´ZÝ¥pTû±pW¦eý“žþVàÖÕœº|+Š¬òfâM^‚fRZŒ~Øê»#bÖ¬ætç�gáòꑱ2Àच02b'ë7ËÔ5à„‰¥º=KÈü`Éèè×Öªù¥^‘ÎC�j¶†Fµ˜åÚ\ÙMÕkgôC¸ª²ûÄÊznö¢>Y7« ØœpÛêÕêP–.Uwî«i¼ø¸Ùk1åÛªB…®F&ÂL,ÝS£SsÊw,+ššËsÃœ&Œ(¯4<«UEùà•>ëf¥“‡—"�óži‹yWþr?–®#‹$2“\¸�W<ÈtfvÃ#2êìR@ _Ë}7,žÂܬ£s-�5S>TZG
O�M>(oÅ'k�š#çÈË”…Ž·ÚaæÝ„|¾@òè”,Xªï– ÙS#†Yî‰	»š¹–NO\+æ>¥èR?TëOÑ#ø/Žì±,¨¯kp¦&•·{ŠQ²è‡Ú×­’æ�Btf@¤èJN7!'EOËØíÅ�ŠhZ¥—SbñÐ9L&³<¤Æèì†f¬2¦'„`v‰Øå�¥UNð"¬-³Ò¡
-=mÇ㵋·c,WS4‰©bô.¢¨ä�ç;€Ñ:?­°€�½Ð5€çbðQÙMVi�œÞôI%>öM§e&%/ï;�ô	]cmÈøÙеnjìýµíK§g§ïÁ‘�Þ#%vw–Bhž€‘Ò¡ãte®&GYr¦ÀèazïD³^6E9Ø»›g´¼H^|KÛú–-H3¸oºñRˆFaÛ¹�îæìløV=dPð­ñ>‚Ûä6ö¨ÙEf¬¬
-«Åƒ[†r$“�á�Q.s«fÞW
--¼9x·÷d$oÝ%Š‡+žö:ÔHÞ„�˶Ț71+Q!pT–ׇiUL§·¿Ð€{.xš™Qø4*ÏC,±Ü."øÔc›MÏÃJì#|ix~[bt¿ì‚è„ÌdH>‡ÉRS5±£ƒœz&ªDºå"Rë
ˆ˜[9t^þRòGY"BÖžÞi
-Ì«“zo¸H(éÑ’´x¿¦$ï¡�v}Zɵ	Ôµ*3
-³ù¡Vz:H&¡Ò¤ü<;¦O3àÚÊ”ƒ…J;²ã";atãyÚo’û°-	žìÍâ:öê�UµàúN±,½cë¡*YªælÞX³GÆeã™»e±ú‹¹`ÂX+ÀF]Ksä
ÈF¾ÃòDÎ`·Ý¬ip
-
-
-ɶ…´¯Û=	Ò2R”ÔØ”X¯E.~»	ˆA¯˜ôŽ¸ ÌaUK ©ŠÁÈžJÍé¿ß8€€Ž-Ñ‘B�m/iœz¯†�Žõ2ÕÂ{ëP¼wh–YÀÌÝ5Ítˆ£ñeŽŸû©ƒ­õÞõÖ>Kmsÿ�¹E`õíš÷®tc’±³¡®åqe¬¥Û�Ÿ÷uyÛÝ~Åâ�R[÷Ý–ºF3�ž£'Žïpqvg—
Þ6§T=šM›“¿•Ô¼Ky
p©ÉT�¾$pÈ¢“®áa%Œµ¢YìÌ›ÕÕl¾ßû3[ksÝWÏê,¯ìP¿ä(bÿêW€ë­Ý	¤­záµê´Ñ7í®ôOË"Õ±ߎΎ߈"¢]<hSŒX˜VVqß/U¶»‡ÊdÛÈ´~SBt}IèW 3z´Wí>þÅŽ8v‹Eu©¶€§jn‰tz»,2övn›8Õ½výÑ”5*¯h‘�WXl2a3˜ú·ó¸ßo+{Þš9WêCfÚäÛÌèÙÔÍÃô\›öÉí$CÑ­ëRvv4éU…´X~YОߌ‚~‹MÈÄú=
Á?Ý<ûx÷=B¹|Èe¨ÚÓ¶®fM¼Gâ
~DQËnÉHô$€î%Ë8³¯¯ˆ¯­Õyº’ú~cºã{Éô‘?hï•Õ.ý¿ !I3–è·Ö]ÄAÄŒ’fÄ0ãy¥a`:}9Íð²€sú
-²BEQöµèïv!$"Ù´¿î(>l|nJ[hÍ—ƒ¢ƒ
HEé±ìÖæ[êPu”q—E¬Á̺?�N¦¹ƒùYæá±RÄŒü|fha`
-+š¡wÏÄ©â}x–Zx‚$t êFïS{;¸K
™Ü橇šõY5ßidËD#Yþ�]¹uº£2¿’)wb^Fô¦¼
¨#&
5E#Ý
ÿF�Æú­Wòn„K#³œ¢I‡Z¦ZõHAµí˜>5Á(¬Z§âÂõðf8ý/#¯ÚÍØ@1ä–=K�	!à|:'Þ�ÌTà¦FÞw¯mÊ�’ßiLÑõVÏÒ(Èáý›}.5,Ãñ
ß~‘Y¿+êÍ5Îu)”­‘ŒöªúóÍê�¸C{tXJ»ë%ÈóeÓZZ0/ÀZÌrk%?XŠðGöyÇ´”`Š×-Uy^tÙá©B7æ•"l[‚9Œèݼ
± 9^û[.º¶Ï%4'…ðSL(¯Îh€x	
iת†�oH
" æ�Søƒg`%šxm‚¯Æ×ðƒÊ «I�»¤[¦âöcWWóz±ùpå^Åó†UYä’Í �•tk/×Õ®Ô¤h_ƒqãƒU§Y-Nn+:Ú[ÞHˆåØo’¦%…ÖHúGI!>׃½y›d®´%“I	×Õϼ’‚·ÕC¢
�;´g™‚ëp]Z¢j]†Y(ê+-‹².ÚMJwÀ¯™Sî6)´Ðv)÷î±[}æ8rp¼d‘W‡EÄ3­WÂÍ[ô5ófXVÀW¬ú¹5¯OñãHqOÑ"ßWÕI`Œ}‹®²êD	yò
lFÆû	C�®Öá>‘š…Êl¡žß¶ð‚Ü*½­ÂÚ_¸»ó;äê·Œ
”±jl–’
›·¤‡“ºù�ÝËd*óרlJ˱Î�ï�bx ˜
-ÑS)ïdüÐ7³EöA
-Ö�>¸Ú™CZk„Ï1|)i\ŨsWßêTûš!ÿ1cO™[êi3ûçÍ+¬óþ­®Û·/N=ôÍ–2oæ¬~ã|ˉÞTÌwUU¬b®@:¨˜‚kWçµÛ
-æî¶
-³ƒÒ?evëÐù˜nJ`#ø+Ò-µ‡£ºnÁ�™/å¦ê!ñ°á[öS�j�^zЬbé}'Üën…·ס6Ÿ`¿øòâ·¬ìF�&‘…Ðl5v€_ž€ùñ˧I¼¶Â;VÇÐM…¼ÌºÃt”‹n`—ÅvO“›j×ÆÔûÁôz=�YÜŽW�+QÐ!$-f;ëÔ–›	)°KP ÛÄôªëÕ=#vRqÌ{€
µ¡Sêê‚LHk©gÝŒƒØ­,PdžÖ9B2â¥`Õ»²šÒé΋¼´göMúhD»sÇ�mg¢Šs×£ÙÞ!³üÍq×ÆJ-B¹y	Ø&Ĥ¥¦Š[AèáCľ,ÂœÝXå<Œ(�Cˆ+Ò¸!µVnPÄØÔ€ƒÑ[‘ή›I0‚PKèñL©h×�%šÞŒH¯ˆÀ¦póÉ
Ñ*˨ÓqxíÔ?‘=ºÇ•~­ê$=ZçÕ0¼~÷’¶–™ê¤fNS™*º 
-
^yi”«J©-Ñ>7+¹¬àvwwil2Š×]øÆŸÊ!…³ÄdÀ}ðWVHÄ
p\ù¹±	Œj•‡£Í»lñ’î΃wúÃ`y@B=Šáe§üAˆl‚ÃJý¤Ý’í7èló²”tžfÔeä4àa»x¾bîÖÝž½9;RoFÒCÍ×¹0®£(±­²5TØïiÑAº¦ ÏÔßm-ËœÁñDËø%ÕßI|4GpSoMÐjfû
-ÍÁ¡¹Ù
‘̼¢7´¯²òj/xk+zºÇçTo!’¢mˆ1öj©±Ó}åêÜmývRý¿Á˜oÊ�ÿŸ¸ß�Z4£—$3yÑU$½Ö�Böµ›è‰ÍÁºûöÒh”HN‹n˜¸–)u4X
-ñÈÅc½ÁÒp¿#®vhHp‰ÕKÏ¥ŽHõÆ»«õFG÷B>‚*—ÕÉ�nÌÜéª;šò¡«7J¦¸ò+ýLê×Ê	NRRI*K¿sÅù\]?ÊHK·zõœ!ÚX¼/�¥ÜV·ï¸B6¦úö§Ð@$�ÙŪî}víöÝ‹·Õµ®âé[*[;ùr8þê�aZÚ9šv¤œµ:›I¨â2rÈZVi
ÍÆ÷ÐU1m�´™Þ4ïxŸ4y .™æk»…K»Eæ¶"ü†›
-æCüÿ 4¬h�9­9NLWU¼sk¯#…‘h{[³óÞm—õS·n#Zzà‚Há�Æ2xÕïïeУ|J¶E‚Oc¶8�ïjØ�ªŠgJî·
ˆ�
-môgóOƒì‰a'p#¥#&7µ{%@°B$›ñ}�½Pô‰MŸ<-”�>7W0 "KúR‹Ì ²[ïa�í§aù)Õ|kºaÜšGÖ¬!X
+‘µ²n檯–Öù~[9£•Äreíe0³Øj"“ƒ§OøÔî�S–RzéÞ|ô<ÀâÏnÝù~š�‚ÏD™ð¤[ƒ9‚Úèqs—B³ò��7§I…©uI„`С°¶×Ký$~º�òÎR‹·;S«‹¾»[½%ù£&rEŽ¹FEÂp7Õ�9}ýú­½ü‘µÙ�§aÝ¢»Ý)DÑüe…‚÷,ë#�˜èWdÊ"„!úy
-wPkM”âûïÿˆ72CUÕ�z#‘¿Õ‹
"
-!ŠMh7(®�¬¢·e/Yò«Æô>þüN·Þ\_h9)ݪ8úÖ+¹Š~ym>!ŒÑ[twük÷®S’ìAÖ¢FÃjéó~º5P4¥ãºÁM)6”f
ðwZÕ»¶yÅüûqˆïñ6˜>DzBJZoƒ(À­BÕR°Â¯ÝýõŠ¬üòhö[ÜEUð’Ùwô¨.íVØŠtrtt‰Ô™‰U¿UUQƒ‘÷Ø“öÓÀš5ï{çzt±)¥
-æ¥�DOŒ•ñ>½Œ%zwm­ß1ɱ.­KoiLòà-ÇÀ*™
1yp6R]Æ’¾¡õ…ÔcLv3õ¼Œ“mƼußRc˜1ƒÓx9ÈW:±U)ÆŽ1ˆnôŠžO�FŽI°ˆ=›�ŒÁ•½….›×wÌ)¶�¬¨&<S"lJбqô¢ÑRW¾¤•Ì†5<eÏ¥�ÁÿîÃȾ¯Ó“ÏúóN®RJ0æ,·²kЋÍ`çMûmYêf9(C(PÛnGÌŠ§‚üö÷oĦðAcZR×~Í¢Ó$Á¨hkhéÁLgF¸”�ïîE«Û�v\›	ë¶'˜—¬%ïjSš„ïú¾M£*…uÄéÒcÉÊ+œ÷ïK³}XlgÀË8ïGˆ$—çE<Ÿý|œ�3±6î­•%f	ól
-®èíÎDÁý{‡ÂkË`¬>n&JÎÌÓ}<Ù‚x»wª…¦ß�Tçd%_q‡ß× �­dV×çˆý}7KŸã¶ï¤hy3‡d쮧0v¦ ¢3±­ã“µ
ñš#šl]¡¢2Ç-*‡
-Á7Ò¢�p
-4-d
ƒ3S€Ø¡&}:û`Q!ÆèV/⊚y
-QÜÖˆž}yïŠ
-(~¯}¦F«^­û±Øa(:zý
-vÖYƒžK“£†L2ëûïïïn„À·m¡qcžz‡DWìÂ0wéÕßÇàS/Ó+¤„ªf+�@÷-WÁÆúy:Öwm~áå|ºo@I©+’v+IÈÍXà§;ØõµTêÙÒs1³à'�ÍA‘;k‹ŽOµ7·?�[‘Ý-ÇiOð<¹·M/a�K~�e~d69qß!YÛž“-çÌØV—ß+>ȹnRéMµÍµ Š%Œ¹ˆœ±§ÎðBBðn¬².êwÛþ3G	³Õ˜ÝL"íºÂM^â‡ÀVu»Ì¡Á\H;ñ9S¾dUGÖ1hwŒÀ*Tó–ðîȬz¯ªf…¸«H¹ÍÌ~(û%®†EõÕµÛz\ž¤ð¿Ïžÿ�­hìq]AN]ùSOc‰,c‘N5j7´èwŽë{=CìG\m¨¾¼–‚)�µ ÝÎe²Óœ°Ý�w]·7<çÔ
-�€!$sÝ;oœž: -ê4…
.mÖÒ±´£^ÖwB,u
7o™?F�Ÿ+ا–íÔ—8†»÷ÓƒL®tÆ*5Z�¹¢¡µ ÍCöë†jzd�þÓ0]úZûu»9ðÌI–9Dq”Õ‚Gz�pN7í·Ñ™Tóû[t™^fgEÜ’\«³S§Ç�üX;)îf¬ò˜Þ‡Ý�-ÂÊusyV»ùÜWt�:
ãf |OvwãeT®+”§ßî[ÜÇOó¬ûpª¥-*ÖÀ8U(\ÆÓ>¾ÿÓƒ^ëß3:"O&y§˜†r»'Ëö
-*Û{~§y·±f÷�$Z–Ù	úýÆâŽy�éüøõßJ¡'ºí\
Ëß´—OCÞ&fm
!ažbÈHöy®[·H+Ð=<
-ÿâ?üË¿øãŸþ§øñ§øÏøýÿë—õ2ý™E˯3õÏ¿üËÿãOü‡?üÇ/ö—ù?~üãÇ¿ýÏú=.ýó/ÿãëÂýú¯=„uÇë|¶â˜)3¿>¨I3vj·-=œ‰Ú˜í65<¡ÝŒ×àæ
-qy3îÇHÀ-Ð×ÊŸÍ£0ÿû׋»´¼â[Ò ?Ýÿo87ÐñÒ
-)£sjò펽øhÆòòy©�Äf´Rª]½ÙÍû–½šæ£B5•Æ¤Q?ßÀoúÞ-™â«Q€Þû¸ôŽ=t#Pž~i¿M~Íø|ÀžüÙh«×ßð¨ï¶Ó[70(?¨Ì+'øön3ÄãóÄâÚ«ë%ä®›ù£|"ƒýžžþÿ�™5WÔÌ£jb­¹°Ùæ^å8.̶ªoOÓ0êóüʟכ¨ý3?ŠÖÃöuÈöåø ,3eVFi̶�æååe7šdÆÒ]Ý2 ž.4óËês§íø­^ý‹ª[¡Ñ
-3›–µ™=Ñù26Mä¼öþÞ¼ _G‡¶ò®1‰B†
-Pe_’Ž`usi�‹ÇëÕf¬=ÇôŽNcïZ§µ¶=
-Ö*ôÆâf^S¼Ž;]íö�?Â�ö»\¯ò“5ã�¥Y5Yû}ߌwÐb²LÓUϵÆOËðy\±×Ô�ÑSº/Ãz[Çlƒè÷¥õÂÝÁײbðËØ‘ñÒpÉŸJÝoŸn´2%àKé¾íSì08¦Äû„TMåÓ»*‡;¿‹€f¶Æßn¶Öâf4­7ZÔŒVq§[�or<ù6.�M®¼ÅÎ4æ5nžqÀ#ßxÙ0M×(äM­&cÓÁf�‚ÿ9Ö³fv\œ-´€*ôLZÖ�æœÑßî
-Kî’�çÆòM3bEþT¼íÙÑ=2™“äO%«nj¢!¬§ˆL,Ïã?Ûý£¾ùßÖpo¬ö¢Q„7çGŽ"'¿µZœ]÷27ÿB±v†¢¼‰¢ '2Ú‡7Žšäáå¡,-¬-¿V¾ÎÇizþƒE»¯‡døšNÍ�.b¾\%ݧ
-õ•Ç(SOÀ­fžÓ7\ëN½ø[׎ xºa²(Ämfže“Z7š¸†åù\žsciʺ
-´}™T.&u…©îð	†å�MÏv$Óª�nd]ÂŒ‚Ĺ¹/à^‡ÙÜsï×¾'@,þîé–ÕF‚ióº=§ª�oú2fö†u!°UÑáÿd€Î¾×wÔšýú^\v`¾Œme7fW‚2co—z.óß{Qô9LËV‹µõjˆIb™ï‹h�´M3³Ð‹kýÈh�RÍÇèvRÀÆL$îjLNa™Óo :-ί}…øØé;RŠV×•æĽŒ&áo´0»Ô&F
-c™±òT»ä•iðX‚Ùdoì,Ìt#×5Zyr
Uk×Ýh.‹x­NΖ#ª}€Ë\!ëËl–ýT¶Xåõfû{
-غBg˜ëä¡Ô3Ï	ö½ðkKSðyÜ¥�;úqï8'ΔÃéópR=œj‡óïá¬<ž«Çøá´~8Ùß}€áè[½�ƒÃòó6›�ñ Lì³ø‡'�°ÍŽk½v:ü#¢̾„Ô<÷Ù·—üñËã‚8.�‡evZ‘§¥{Zãç�áüÕ<Ä$‡øå!ÒyˆŠÔ1ÖzŒËŽ1Ü1Ú;F†Ç(òo#Óc{Œv#ãc}Œ·�±ù1Ž?FüçäÀCá�qxÈN3ÇœÇc~ä˜K9f]Žš)ô)²9�ù¬å¤/3½Ú.•ý;ÙÂö÷Ruvsó�Ö¤…}¶ þvé%š1ÅßÏeïé,ÔaL¾›‘àâ�Þ\ñËÿžb6ž¢òtÿhYX„¾·´ðóíÙ¸ðF[ñL.]k¿×«ø cè@Û5Óу×Yê…±	}Þk8�øJ
-“ïK„{?åpWË'Öøúvx÷Ë‹7>
-†
-A¿/2'àEXÞÅ¿ƒDÊÛbFÝÀ%NŽ�Ø[å•MIë³P™¨-gÈ7ÕTÓFWL½¼—!øJÚÇ_
-ð_6ÕRß\RôñП€Ý°ÈYˆû)Ç	h<ø÷Âäd¤àg:/îå01¢¸æ»GA§jf6&ç6¦¿î.¤êVÂÈP½¿´i{£$3dc�¬oÝ\š‹Î`œ]›+1€ý&G¬XùYhý<=µÉùw<d¹â’O˜�ài̳ªÿ0[%Ù͞䜈“=Ù‰÷r£5ÌV1¸™%¾ü–×yaÌ-vr?	`œ¹r	.½@X÷²p( R
#c\•À8¨
-ÆKP`tm»ô²™¯3cŽW莽[x)iì
æ´D7ümw��§&1®óQ`lΖ¢ÿw��|MÓ7¬
§´ø2ºˆf{Ü–mîß8€‚˜¬	Ü_[
-ÊÎ΃v¦ÌýÏ­Å¥ÌÍ?Ábl:Ew<G
-÷SwKy�ÍzEW(šÊék›¾x«Âö!µ8?—¤ÛGnÑ3¦˜Wœ¼kc;1~¬mV×/	T\­\|o¾T7,ˆÑ
-B›zÅÍïÄ@…ƒ›X
ð,òaMP
2§¡apíƒ)~ñ<¼¾0{y©
£&?žo‘Íp”«
€9j¦Úð20Æ¢lNGSÆ
-®õ’¾
 yçùü1´4§¯iþ³XRp:†Ür&=Eö*y¦À�ÙA¯~Dۜҫ牾´¹¸Mùa–Èûïs$
ıi3R°×ï”`ï¸"4ïŠj°˜ù
£…¤û#J�Ë9Yn,}pýï¨u�'-²ö—eåó$ ,‘þÖÀ>ñ—BUÄ™^…Û˜XfÞìž_«óû•³Êˆê}"íXãwšÀ¢CÞl¾‹![ì/Fv7³5}1³5>t£�º“ß$ k±äQ"·
KëÓÅÐé¾Uü½•¶1ÕŒë³Ò´‡!�^:Ç¥d–õ
-ßîƒ&†JLWd>(kUãnSµRsµ‹Rt5‹j
°îÐù&ÈÚn)¡
cî‘F©J.
-:0Öežµ÷§åŽcQ "Ù�¤bÞNÞ”aãrú–AŽ8tM˜¨ŸÁ؇0Šs9³”hfU_!�”îâóè-[­BaÙ$€ì(”¹(~²yLÂW›Š¸¢0b+þÁT;©ë0×.-¥žÃÈóдÁµiÝ”U¬«.ŸÌÚµú�‰âîÇuczá%œB´¦­:¤B�h•†‹1ù•{Rø47³´³‚?½Nrh§˜BÍzÍéïI»òã°.ÕkÈm[Ÿ¬'„©ý]ŠÖ.ªQVwÅü©\àÌ%WÙÞ—êM�Ëpx”íFb à'�î¯öEp~åpºwxqc"jª‡¦€	gÂÔ<äò?OQNµåhKY¨%&?MS¯óB“õŠÝR
-#óÌv³÷„¸<g {YÍËîÈV¾U!Ù¦5å]1oƬwø©nß�jmÀ½¦Â?áû	Ðâj&>•½6ÿûOXFÓ`w”ã2T”m]̦¼Ž¾jÿûÐmLY;tBuè./{XÖP/+JÎÀiÌ•8³ÂuöBK7ÆrYTÓê®7b\BM9{6F–á
-#ô>1,™­…
³ÍHÕe`X‰b2é–L«
r5Ö�c:J”O€Xëâµôñ>"`mK{µ	wsiÜ/™Û˜ÄVg—Ð��LšPHî¹É7VXäõÝ;6Õc&�WöømpÈX–%6Ë[½ÓÚÉ�N"ÎІèò$a¼jj3´]èÍÌZnÖk-v-O¶�»0i‡x¤­ù
-Ê´$²´
éÌlAö$ŒÐöjjd˜äâ±.Fõ�1ÉG¥ð�¥Ý|€ê‰M7»ãh„BšªJ`†õf6µZ‡ÿû®K
i_ä�m#?"Ô²©pPÍï¶%kÒ–ëÅ2ØÈd‡�G)píW	cÓ¦éky~
Fëú¡!œst£•› ®%—ªÌÔ®!xã
×Ïͩܤê\§z¸È99œ
çƒ×û`4ÇÀ�¨Ùt‡×÷!Ä2IÁZó.ÒÏ$Á#¡ðH=<`~æ^üwˆs´êS+ÉÚ6úA³À‡¤ø¡:–Ek¯íÀ(hÁ¸6p^hîÉM�Ú1ÔIrðÒ	ÍàÜ6ƒò[¦µoÀ÷Ö$è‚ûÀ¨²VwR‡ÿôtåo/õ{	
-®WÀv)ƒ·e˜÷Ýfá�k€‹D1D›Ð¢îÙzmôô+q[^½‡±y½×úƒ‘þ¶ýMà¼IÉÚ¸¾<�¥Èb(0ìíf‚
-vÄ€c*	YÒÈ@ÑŸHƒ­6Ñ™pøAê2Î�ÙJu¾Öú©B
âìdöÇž†0W
(x¦@WÐsÝ}G‘}
-‰òcP�æH‚e0<&¤d„÷Ø©ÛâÐW#çß’‰à	ü-œëzíS.îâ
-¸þR¶¡ýé~Ã$Re	,d°v/"Ù„ë�% Cò`ðGzåFò’QÇ^‹Æ+ký�¦Œd�äŒûùÓz׌ÄíNOTù
-xõZ~3_Wx¦T¹8YÛW²þv…wÀj�]KÜ(?‘¯¸¸ºáõ«
-�m¤�(zŠU¤Ì#òNÒUO‡´~	¾�
¶B5¿£q�ñ[Ë•hsˆT¡ãuúR8‹@à/©À¬Ç’d^ÐGàá‡ÎbÛs³É[E:¯¹*v¾E�Ö9[7°ÈêFË(OÇŒTm4—¢[öÓø‡r‡^E0³Cb€à÷ÊŒ걦³®½L1Ï]¢W¹÷‘(kŸ´†F	@š¹NØ(aüÁܩ䟋X�0‚m‘E„+Š[†‰‹ÎRE´ŒKTÐUädàXD¸ªëݚѼE 9òÜï€âè|“‹F«]x¢šÅ@“ýM;MJÑH;ýÛ”UhæVEbxÅ	¼ò&u
-ûR\·vr’�o|š‚ªºaß=6‹¢3ÎÑêó¨�
±fB“NB´ÀIº+¸´X�42…/%j
-lI®J“r™@¼V”jÉÓù>
-óÂègMXQ	H‚5¹&‹¢+Ùc@« éTjëÕMøHHæÂ9%F²^xÇŒô¹Q-ÙÛ˜6¹A ¢´P¦'ΦIJ×CÒ1Îeq½ð�èM¥™¡'#©ÈÈ{K�¬�&ád!D!Ð1u©öær‰à
uàпÍK$óâ;0
-7æ�¸´›.ŒØCrÔRѱ€JÀy…ŸÙãx‚쇃Õ6®ñˆ¸4Rp‰LÃð”ÆÏ]õJ
uþîi.-µÚlŠ…ñj—§m�c§Âq!LÉ7‘ ,
-¬zµTC‹¢,…Á'Ù7îŠ}ÄðžK¡
-ãò0Îâ•Ê·X§è¦–—q¨-P¡5	´Ôv“Žƒ°ÂIøMüU£Q.àYt‰×‰t*°\î¹øßïC‡©]Ù¼Y®Ÿ¥UèáNòÙòãßÿºKtE„#ôyÃ%nÿNõ­07Y@ù¶ÏÇ,'À^|#Áüûgl^\*å
-¨y
-]}	šÄEç7 Ί1“&§dó?-Ë´èK°ê�k_“Îe%È›g¡Ã�ؾ�¾äé‚`@ï—#‹�``O
-þ¦ƒ{³e13Φ7#ˆÝ�
-dÍŸøõg*þ™µÿÀï?j
uú�JGÕ‚£¾ÁQᨛpTXxTc8+7œ4ŽzG툳ÈÄYŽâ¨\qиxÐÃ8jgU69ÞÄ;Ž*OŠ Gõ��‘M’ƒ~ÉQéä,ŠrÔO9è¬<(²Õ[N2/Š0ïÚ1G�™'=š£vÍQåæA稞sÔÙyÐäyÐï9*ýU�NB'¡¡GM¢ƒ~ÑQéèQé$ tPZzPe:*8½+==hB�õ£ŽJSªTG«£ÖÕƒ.ÖQC먶õ Ìuñ:ª}=(ƒUÄzcÚd:fGųu´£’ÚQsíAŸí¨åvT}{Tˆ;¨É�tçÎug5»£îÝ£FÞQOï ¼÷ Ò÷ èwÐþ{Ð	<j
-Õ”
-O¢†GõåģªâIñA«ñI×ñ¨
-c$WTÜŽ5ä;ÀE²7T¬°’ÏAñ�¤Í‹ku|
 ÏeK†
šwMî:l+ô¨Bõ XuÔ¶:ê`³”µŽ*\Š]Gm¯£؃fØQ]ì]‡ì¨XvÖ6;Ë =(¦µÕŽ:lOšmGu·“ÜQ5î¨/÷ E÷ [wT¸{PÃ;*ç5öôøÚ}G•¿EÀ“xàQeðA‘ðA½ð¨sxÒD<ê'ž•Ï¢Œ9œú©~˜Ó¨ýz‚FËO2‘þ×E=Õñ/‰W^£e½l÷³ž-�ê—ï2™ŠšOê›g�΃¦çQÿó¨ú *zT =I•>ªš¾ •RUUO¬ïJ­GM׳úëƒNìQSö¨?û Tû¤jû®€{ÔÊ}ÐÕ}Ðà=¨õ>(û>¨
-Iry	˜É80r¢XcŠÉà r[¹„™�„·À
-ˆÑTÓÎï§Oá_ÿ'­žâèÝcu•WJ¤´Á8ÕGræ|)­ ¸xßš]01¬(¯6[WÕ­K­©njk+2©$Ó0Jà¦nB¸­tj×ààSIÊ!¼Bý�0š4Z�µ?ÀļcÓ¸û‹ÉÉ–ªŒ7É�Kñp�zˤm
ÊTi"ÀH‰wT&Ð;¦g `9[¤&Vâd­…Ñ&扙Ƭì¼ul5c¼×>ÚŒ;Ð!Ú¼H#3[¡t`ÆÉt×ÎNMÃM6.£’b”ÆJ—‡ÏVÒÚ¼a¾º|)9ÀQPfì}´
-Uj‚˱�¿|vÅP´»âlójíTt4=enÀT)Ã:GåÕláž»‹†LëXmJêgÙ¾¥/cËÀ..9ÁÛþš×u�^LoF–ÞFí’-á{Á:w:‰I™ä¿E*)ʸ–p]JâI$k”#z îKxxYuS×f.êÚúÚ¨­uÉe5ѯ¬s¤ï¥W
-Þ÷•…8nI “4(Yåî*Ô6*8C'Lái
-a‰‘¹2Dæ¾RÔú’+i
-Q‚|Íðê’�Z#&á4…L†E`5/7ö(d¢DÅ�‰…²k«Í
Zöä’šI§M¹
˜šoX×Bÿh­ƒ©
šs}q̱ë•Vfóåµ�C%ÜV'¡Z+Nùz-š®'šqÈ5©ÐÊ©ºD©·ÒlÕ]_@[ŠaØE…˜¤ì9ŽãvI¯–HÒzK1ÂLMC\K…•K®y
øt]_×j]7K°Y\*Ï©B|„<¤,KõÇ®ú3èÇ4ªrö
-8ÊêÈ€e/ÊF)9ºDÌÍq	 5Æ¥‰ï~J¿h´(ów6ÜûƉAd*á?¬3Vã’vp
­ÆÈ7›¤°«6 Q<9‡ut³£†ö07–ô÷¯OI³åj»«,ÁAûßÞáaGFˆ‚oÅW¸¿è!õÇQö;7´«W)¥J@JW¢
-àZ
-Ñeõ3EÖ%ÅÁÜ
¤f;¼‰P6¶‡„
-ó<—¾ÛÚ£ x”Ò浹ʧ•«-»i*ˆk3“1µl!‹•Ãx	znY,7†¾³™½ZÐ\ªQÆ‹FÖsÍèŽP¥x² h"‚1‹32_>ît	83:ÍÅP<Cš®É…i^æ¢Ê½Ií:FîÆô<ãkŠŒ‡‘®ý—¨#mÆÊŸSêýÞÒjúÜÁ	Jm%G©±c6�-±,Õ”0ë‘Ç£Þ™ÏQgÏÖ*Ì1L»`Êûcj혆;&ì’{‡Dà1eø˜^<¦"’–Ççåλ'N%Ü+tô&„_—  HñªŸ·áî§rPD™BŸ}&.ª�Ø“º¼LûÄC��…
-13UÖ»¤ækÓê9ÀvmµL{±$^$GÖòu±ÜyÅYººw]ñädÓ2ßÞËËÌndF	"?$7�‰ÐcÊô1½*¨eRqÙØ#+?Ë<ÄûWðþ©xÕ ñk4ÐÉÍÓ¡�À“ë;G	ý’t)¿^)ó¡j‚öŽ€J üÝ“Ä
-éÏ.xÁu5^_.Jh"¡WÈ9
-ØŒC¯9�´Çt„«*À*1#�•|QÉ�ùpùÚrø
-
[…€JeqéLˆÉ=Ä>›N@M,sÓ&T\çÎ�1�}
-QTB´Ör®Ùp„—uñc,x5Ñ/ åÝç®’ƒeêdž'5ªFfzÞhd¿Rt8–'Ž…Œ2cÿvD}üòè¯=»ÃÎûk»ôq?ÿ¼÷ÿà
-rÞÙÍ(@þ¾±ÓiJÏöºÌrY	׸RŒx†°¡ß-
-Ù7WmaY?XF·Ç¥ Iݸ³}©Û.™êx‰÷ Æñ-…úHLãû$žfºÅ"¡dÜÍŠsÈ7Ñ°=šÀLíE–³ŒÜð`~“¨óaË–YÙíB�Ï!ÄÝ@îë3˜î»û	�×½Ì8]?MŒ—A2ýo!=6Ó̾;«)
�
ídñ½OÝ)Ðg
-Á3)ðÂ=Њ£€;&ó`+A·„˜�´Ìh¹GÚ¨Kv‹$ùa;¥RLbß´VŠŸ¦–ø�wÐ=S€tT"3äxYÜõÞáôœ+D
-›sŽ>h–{W¡e²R¯`ƒû^KÎQ¹RÜ&‹
-]2˜¥mwû)èÓ'®ýIµd Q½ˆ¡'5U‡™µT ö¹	�í,Ž€j~0þ®¶Äþ
-ßxÄÙ€^¯þác§¢ì¬Ã„M
-„·ìeœÄ5d¹Slý»¥â5a3•÷–Æ4îj†aNj–9�­›£"øòÚ.u’º¥Í¹,L†„ÂÞW¼Ókw͆ysø™
-GjØ9‚f´]©$µùÃÌ
-ö°PjŸÌªéK»¼Ñ(\d!b|QO™µ±Ì
-@�æ:¡¼¦¨‹÷±^ðT[8V!~®X¼¥±�ï€%„bùl•Ÿ/$´QknÈkãÿzÍ%j
-ÐeBÒ› �wѪ™�WG)¬“lÖQbë(Æõ Üuùz�;J‡�TÆäÈŽÒe2gA´gñ´w¡µ“$Ûƒ|ÛYêí 	÷ ÷ 4w”¤{�¯;HÝEñôÎb{GY¾	¿£ÜßQð,"x<H>È>HÅ„�¢‹GyÆ£”ãQöñ(ù &ù <y”¨<©Yžt/�™�bšgáÍ£DçAÍó$üy”}P=
-�J¤L�²§�Ô1ÕBwsww®á`̨}¼Åø[�­äËn²1Ô_ÞÂ%ß	œTã¨
-½#rµ¦óY¢êÑtºG=`†Ê­u—–Òy�¤›°g^föFFÛøèd'„;êPN΢vÁ,õç¥0Ïza'u� †7“—ÐwNÒ�›WÈ’/ïçíÆáäw“ßvHÂŒ«sf#ú´&ßÑ‘Cä¶$L¼ru4§j˜ïÛqLŠ´ù&=]ìlZ“X­X§»ÂHª9ŒWÞ­çUêáÿÀ8·Hõj
à†ºKTô×
-sZ,۩
-âTËLU±I—%�´e¢Aû½T‚´�B(+QbÃÏÓõPψ¹i”LÖk
ª•GßVû”žšeÒø]1AÌAmµ*²ƒÝVÌÈVUö­-æîè4oÑ
-�
Ë´„��! ^/¡LJF›
-T:Á½Âlçm\mêíÞB\K�ã�?‚{˜Ø¨Âj‘/�ËHŒÀE[’<ŠQÿö(¸ƒ³õAsÍ)\Þ¬sq\j¶².×¼ž9ëËC)?,KT:fúf‘4ˆ­$ú%ô†Çî£càæNo�j³7÷£KýêÑW{ðëàƒ·øàY|Ѓ¿úó›j˜{dsªÍ>þQñ®¾X«K'ñTéhîkœ/ìxÅw`ˆ—áO ’3ÜäQøì(’v”S{�^�pWUÛFY‘˜Ï×3Üàë34ábx
-È0²ªl%ïpÝvÅaì™ÃªY»mq‰×JÖ÷œsò!?oð ß>«x@Ë	†¥¯2E©rß|K['ðŸ	ð‡3Æ™ÎpkÚl)š¡m¸\Dï#mb$Uúq»7k’”½)®üÙtMÃ"cȼXº3ÎKB–ÚãH!�eýX%C½õ‡-xÔÙ²{¤3’§ Ý8BÛ˜„‚¾\!œN?Þa2áo.bg³b³Ý¤Ü¯TÛbÒXÛ3ìl½løèPIo0y»H«Ër[‘"¸\<fX[°Âe’
ü ™ng›Cÿ˜‚´pŒ|VáT‰×Â*òØ$Q…ÓgJ,šÈ¡‰L¤j@yiú¢›ª
Ãk“-1<F—°ß÷ ~Dæ$/$Ø6—ªuáDÀ&âŒ[g–³:´ƒ÷ãI¯ºÕî¼q+ÉûQ
-¸
-½”8.�j™zI”_Îmt°H‰Ð±Ñ…%N–ºº¹?…À–„4ªÄVEÀl”�XŽä¦qè6ˆõ�<x³ŒíadóÜÝ)áe{Ea•�Ö–^
at]
#>*zæH#zÄiçwÛØ0ËôøÄ ÀNì´UÓ2•²·Ÿº!~¤í³E
-yjîÍøH¯_B\IÀ×¥Ò¶ 0z‰ì‡i"WS/±z¿h`hf®\Z‹Í¾úM;Iö)Á�)éá!À9ð¾Îå"gì4¿�$Ý�6s×�I–søáàÆìmZëØ2>ÉeŠ©I\�^ÎK ÞGh¶›T��H¸§P�L™�6ê&Á#íPŠ›¬ÆÏážC‘â¥c«RìÙ�R^Ô^Z�W`Í–ÄŸ'w½á"`nñÃó²~Üe£Dž–«L5ú€ãàiTþž¸ÿÁóŒHíûµÑÆíôÿäà?„
çxá[ã�sÄrˆnÞm‡ªøÎð
-?d®P^Íd¿eÇ2÷Ô‚æØ®æÔØæ¡	α_Ω¯ÎcVž+Á	n´âº?ýˆ•ÔÖ›YHg3‡°á>
-Fô§˜çh7¤�bº<‡
-%·›3 ¯ÚmIn‹UÄÝØzäZ®µ5BI¹1D4.^U0“Àùê"£m·“th
-Ì3¤ˆy€
-ÄJ•ã¢^œ™$ì‡T`D1ª%˜w=Hvè5#`_+?ª$?,9¿Sž^~oi¼EeßÆ~RL“åz)Ø4–™]…óÂ&£Wu�­íO\RÑÌh`ÉÐæä,ÕTæІw©_×Y…~Âû]¨˜€´ðïaÒzD`Ìpl’ʨ¬<9S1A_Å�J¶Í÷¹¶
Üd¨FæTC´v±âÀ¤WM�ï¶He9l¶o`¼5ìžJFnÆABnÞ¼Í
*uÒ®óR/Ž´k_A�Û\”Vö~‡ÿ\XáJ°ª¯0°ÙÚ‡¼î+ð+|ñCfù1	ý�¯~Èl?dÁ2æ¯pë�hø‡ŒýCnÿq€AÁ€ae�õ*ƒŠÃÚ«u5†ÕV*1«6ë;ìÔ‚x¡ºT
-($J&_Á½"¹ë4AԙŦñ%ðFÃ¥_áä&Ð)‹*x$Î3b%É *„h„P•‘X¨L ËV“xÑ.µ
Sòù+V+å•ã
-#¦¬W©È¥DíƉQ’sŸEýYa¾’dé´W¨·	íµY8º’
¿©Wš!ÀIl
ÆÊãâTú‡˜QÚŠ/Ù	³Õwø7oµnU¹OõçÙœ²ú]×T‡®œTøÄ4ÁÓâ“¦pk
-$Ë{Ò©í–{ö½åÖ_®žj‰7ŒNÄiÝ,÷�ÄfÂjü�·Šƒã
PöÕ½:Ø×Ã`0Í"æ»S¾“ªÔ3œ—Q'=x
-0LXO0ä"’Æù
+©ƒ”‰arÅ 
c”®±’Ú±–2LYI.qqž>1ç¨è°¤ÑWvºJèºqGÙø'xî£T0¤ùAµ…qfïãÃï©/¼ꆤ”_‹szg);é;‹d'
éF¥øSÔè.Ó|Ë7ù9§Oa…8AgsI\
VÆB.nAÀ¢Üˆ»ùWøý Uk˜Ôµ’
-7a–­xœKÊG1(D¨z<Èh|‰Ì¬bW�;Än¸I§ÅW8îí4U-¡ÆÌÎ7ÁÉ=¢ÜÄC1�“D"óÌ2›.˜
iÁøzÁæ¶Àq§Í$nÀßĉ#Áþ}kîAîù:™î˜vwLÑ« g	Jõ/î•ø^‰öXþˆS!—™ë¬ðþ`-‹Α üÑúiΫp…GzÀ9=d§^ÏŠePs-‡y™v"±¢qé‚ô`XõñÎ*±÷î`ïoT\
-ê`kÍH®dϪÕCÐy”Áš„@Š{I$ÃúMS¦Iº�³Åì”äÐ	´AõicIÔŠØ¢öiFi
õÉ•1è=ÈùÙ`Õˆ#ç'Ä_DÁ|ð}’¡éGÀû  vy4�V%)ª©v>Ê�FyÃŒ„µì…•L‡ANÄJþÄ0×b˜•1ÈàØ¥UM€}°�’µbeL0½´%	5pÂYÄù½„š+䛚ÎJÏ!ýç�(t5E`˜N0Ê;¦(dC§·™.:/Ò÷Ôãøž$‰ABÅ0õb5M£ë":38™˃
P§pç#ŽàÉ;ì³7*ŽÂ¾‘œ¡ø»,ÝNX­EÈ(×jõ?†­|…Ó“³Îälš©GB#ažRäÇVZ?U×6D*[i)Œc�^ƒRA×›8i wLz@b! !LÆRW¡‘ÐižYÊÐèŸÀЦ¹3À§Ze�õ\ŽAÞÇJ†È0›dÈ<äpï²ÏzDÏÁ†z£bP,„A™Sꑦ/©˜-,>ɵ¨oøªÀ�G«ÞÖŒ$¿%ár–ÍodZZpçDñ�°MHš=~>¤n=_gyòÁ®àÀ˜ñ¸|‡>ĬÑí+Hø!j~ˆ¯_Áâ¯àö‡ÿ•l
-÷vq;)Œ�žø˜èèF§Â"g,›©=%#duF9I OMïjò«sÆ“ÎF9°¥�ºÈ	�Êÿ2ÍN÷	L/Sµ+m	šhõ8à ¥©-`5U�·S3œk097à–_FÑö]¦”@ì¼”…›]êÞ�ß;ñŨ²)Î#çPpÖ@¯Œ�JÌ~©
4%juÒ•s†ú‚Ôߥ«›s§�8ó¥
þÈ䌃ÐYЛPm4‚
-ò‹¹"„Šƒ1¦�-WÛÍT¬TU»@ý£`ß™Õ~œUhFüå
-É&Ó8É7Üu¡Ù¢ò k'D¦çEÅ= ü“ÅÞ8°w.€=
>LHŸfÀž3î’d5GgªãÉ8Ü(,?;•
o
.7„Ö
Ax«€½
¸o\…à…C â*hq
-tt3RÇØ՘뻞
-�|:_�§¯@Ù‡°÷
@~L?Þ!úÀ×ù*6l
-rÑjõWŽ8Ù£ÈÝd—WÃZ”앃¦Ñ–½ÚíM.V9–ͬˆ
Ö%}%uI‘I×€|ÓôšÝŒ�¬ÑN º€×Q„TC×ÍÜ69¡ÀX²p0	•C‹ø�@.È5€ê¤
X!%< ,`ŒT7XX¸Z�Ÿ¯’bþÔ¬‰,´’MiAÇ=W” J®
(ñ´Ú½U|XÃ)øÉ.N)ÔÞåŸ2U­“Z$Ç!BJ�*­S
¨~Ð�Á8%á ÿACÄ€ŒÌÝì*lþѵ’¤CÜ%.»Qqµ|Ç \ÕX˜Oò7$ž1A,‚u0Š8 $X§+!Øá«ñÆalrÅ\‰x–Eþ¡²–q6=’ìÅøžÌûQ’þ0›%ó?Wd.9ÄXX�Jcu
-[™ü3
-\¼ŸLç±IV/â+Y
-̽PW‚ÏØÒˆÀ[:É”}ÊUÃR­ÕXi
-ÐôkЇ–…Kz•llHL6¤0Ð�íúvòðo4.3ÈÙf÷
-&€�nîRFܨøÑ)#†�v`ØÙá°¬£Òß['(ý=$CЦ¬$zS
-üjô{e±§#Bíé
ÃÊÏjÿR¤‘¡Ý¤Ò0ÝLÈ$
-a³E\äVb±‚9Y8¡·ÊlÏ)øBEíêzÓUœ¬œ"—fƒvƧŠ�àH3 –·Œ¦Y$˜!$ÔÀõ@@ª¼á<¨6X-A^�c´ÑI$²Éª
€©‚vwÀÄ0CN”çˆÅIVŒ=Î1¦^�5
-‘!ÙȈ˜dHb²Bw2bF’¨¬Ð­©YVh\„/«„#nŠ!‰Åáŧ ÁÙYk œ®ËÁ
-^Yí+;c¸‡†û-Û‰Å
¶Ù[�}¾wµwÆ`
öÛˆ™cëj¸Ñqj*v´ò"ti
-c‰Q6¼è)£TÌÚD
çteöw¾Ôž|ACN”1{Ê
-ÓÊ�•eDß²ÊôòÁjñyú½ùQ‘	Cù½§+tÐ
œ™ä4-áIB…'®l©µí7ܨ£M=<
-X"ˆ‰Æù{3FÔ#Ž"3ÓÈ~*ÆÍ@¬F ÐYa52 ­p%­ð*�Æ+_?UEóÑo
jgî»qw/ܨXÓ¿i!Dðd�R·,£ÄEž2ÇHåv‰âo‘ÍìôsDAËfvøý�¶É<7̼¦3l¹’ðP¬%UOH©æ$¢O¤éG“ñ“R‘À ÆÛù:óÔKÕˆÎjÌ|5\Oƒ•·Ê3ä•2Ь°Õ¨Ê‹[
-iIÎ2x8žŒrtœ/ˆª%ND9õ‡pöªXš1ÏRºßL·Ó
-’_¬;•…r.Ã]Â^Dcr ¡!åaŬ̞.ù�€ÓTŠªx*F8S)“]óAè8•÷ƒWSã)1zD‘ªGj\Ôºo:€Éê“Yÿ}2‹Ý@¸u’X¨ˆq£5€›ø2.ø‚ÅÂ=U‹U’UD³Œ¸šâ=U©Hiµjº0ðê%-ü
-;Ĥ³Õ+a<t€•
œÊB@7¥*	Dä¡Ž$Ð�­Ü©+÷ïà¦Þ9ɶ5ü,:Úîf»ÑÅ> ‘N­�S­Y
)¯Vè±vwÖp®n×ÁÎ
«§ÅðdžA;çÕÏ{«ÐQðrä"hÝ�ŠQ§µ È0BiàøFÑ‘óµHÊ(ä²JûCØ;$ö]%
©…G4ÄCÊâ1¹ñ
-²[D[ÙM&Bg³Íl
"ä#»r]¥ºèA
-pïN“’¯ÎªD%ÍÊN¥¨=°Âê<2+¡Ç=M¢2GÁIÉdWW
ô0×'•U5ð½¡ïÕ
-„š­M
-=¬½E¸%30âæ’xí~ÉïWÊjp‹uO†um‚’�Çä—<+š”1à<ãã]‘2”ÉŠˆ'ä¥;…z®U<GVQ_©¸>*Î>¬â¾Sñ�ŸÜ°¼Çuû(¿
UW?¹{›¥àÇŒŸW£��¤ÌŒlJõhÐý¯$bLè
¥€]HØÀ½3àa(ÖÀdÜ
-jëó	`œ%Œ
’² ¶E[Òz‰}Sú¬ÚVÌP˜a)cŒˆgÎi�ÆñyU�?\apÌ›À×L˜4Ìà0çÂÑ°¬šV!2ëy9	ïÙ=F5—“4;Ð!:a’,'_�.G¼Ê²Vs˜�KaW$Ôl\î�+gÃüSpï3;¢‘sp‘ëˆEWçã
-C�äLV%zm¦Vž¶ºÕƒOÂ�º‹*¼ìÏP>ý
-^é@³
-±ŠÓ¯LÞ$Ôt~vºD0(
í™…�m�2 �V§=À¨`ßÞëa
¿•R?YÀ]|Ò
-úwXLiXtiXžÉðÈ#¯ñ®Ü
-lÃs+Ñ>Š‡UíSŽoA²×ÉafU|‹þPÓùu:=ô�z¬<Åôä4éØ
-¨ƒX“ö£iŽ!-ÓÂjk
 >ôà…u-×0ÃHH®	·
-=ß*Ò¼CM™Ýà
-Òó®)â÷5Ƴa0=™ŒxúFÅJëHã‹–Ú/îÂ:;ÀßÓ1){Ä3Ñ�Æ?	¡�¬�Ž]Éy’ýÞ¿=­õlÒ£R¶¥ªó\F¦¬q´rªQ™“AU,%’X&†</Ý+¤õ=/Œ6–Ä9Ým~©ýr ±f'�AÆbðxÙÎľxh-0�ˆ…æVWµeKEÎBü1Ñc¥°â^$›
Ú`[¼w1d;;™ÎßzÖUl]Pì¤}	±Ü¦¼¹]0ñfØVb”VÙŠH8��£‹üù’¥™}^Îü©àëkr%mN2wÊX5’ÄB:Ç­œŠ
-6àî†ogé¥$®zHyæ}©Rå[ õ£þîZf!CVWíîÀ0›¤®8½jTrq‘mäfÒÒRd½;À¼Y#„ÙòÓrƒH†
-Òh¢
-sÓ
·ÓíÑ·OÒ„ŸuMÊ’ÏyÒ�ÁQÊ—*V€)-z=¦Hèªmƈœ~ÅñÓ×z…Sý[t¸c&4 ŽªªAj^råº;ņÜ�(�cççx¼,Š@B\’aÎ"±«å)¢ºUq("Ì®èX8‰•ý�o�	jÑÓâô™g¬6Ô]#<’ܨåŠ
+U	‹°PU/™bx]Õ‹ÏAkçôzqýŸ[¶EÒôUsÝ“ª¥G¥
ðØ”‹½™�é–T#´"	=¸²œÔÎ Ê=�¼ð3Ób•EìB8£IŠ›(éû_âá\°;	1ñr؆'TD¢âPš
-Ë.Wg;T±¯Éã6ˆ¨w iд*%ß™….èiÐì>#qÈaqˈ�y#e©hªaà æ…™-Á£ämE
€w!©‹ÚÛ¬{(ØÕÙûZÁBU/ldâìãG†… d`Õ¡7�º˜Äš6Fb�U’СWXQ4µa#¡E*¨‡D
-}´!Da³Ñ­	«�ú ©×´4:Þ‚œÚrbÌ_|kÑÌ+µ™ºÃXMNJÕ,��
žÅ²™°l
-*ŠÑ³ÉȶB´P«÷RQl·èYYU`Ђ²ÔyÛI§:“—’žïýÞ5œ/-x4�Eótf¡ì¼î×°ëm‹ŽE‡ýÊåå³Í¦Õ0±À"ñA´eogµ·nl½NúÁtš¡êH8Cëâ)Ø«q‘±¹½–ïÂ~p§ÅþBТ¿lC4еì¶X�"Ô­å†%±¢>hIøbÏ
-Dx^QÜ×}Ì
-˜ØyY‰Ÿ‹©
¨zŽ…N¬V¥%™­‚¨™@“£=HU˜ü¢³l0¼Tq_PIÐ/u,dÆö¶fý"íŒØ¾MMæu [endstream
-endobj
-964 0 obj
-<<
-/Length 65536
->>
-stream
-~òÐ~Œ<
-«Vh"Þs‡Y0Úð*
-¢Œ«eg
”
-‡…14§ÇI$ϺԒ~ÃÉ}Hò¯Y¤^¯Œ»¹¬A`$í’.4™C9—èÙ
-³Sɯ×'=‰ÇÏÎ
ÄNuÔFH[èÕW´–$‘÷M¥#-üyê^c¡¤U­¿öbܯ—Úáhg±xÀ�Š›ÉS¯wD4÷†ƒÍúžÓ�OU½q6áîuVÞh·˜JÊ¿€k ›yÕUì½­æ‚Òg'¸ò|ÍÄ€ã)Ùu”SзEEÃLzzi_'\r[¯Ÿ÷•&ÜcýbñÁ2s{}	•¹à”çÕùr܈~—\)ʘW:
-l‡’X'€“r_ª0LˆgÛ‰šˆÌ¢,–¢œó³ÏBc4òìì\f×:ÚåÛºT‰©¼U3wŽº=¨]/µÉÒ)êS“wkBç¡"ÏU-H¬gD0")â05·‘}Àl1‚°$¬Íf£k¥ Î=-¯Í½šÐ¨Ô¸ªÂ#´#á„PI¤áÎå©W¶s ´¡/P¡J¬ïeöƒé¶õ8øÈ!
-Œí´‹VäñÀç(/l
-nµD,}H…¼»
-(8â£øµ¦=r`Rwm[ H�ð숰jhÊPCéY‹3ƒŠ£EØP˜ÀFH ²&ñÃFµB×À¼»˜
-‹…ü«� %ÜUÑC•÷”
-b5kŸ9æ*Â9Dƒpe†(`2.÷<—Bœ;th®‹ÕûÅQ8ÓR}SH”°†³M�ÈõôRÛÄ0ˆ<}*;r&«€ÖÿÊØï­©0D öªƒÂKâ	í*;áBFdœ²fv'3KtË
vµ탧„܈(Õë©”‚ÙÊzQû¾ sÛ†…±8`ǪýL¿7°‘îH8ÃÒæòOô¬7­=Vp¬+kßéZ®˜i'1ÈyÇûbn�ÙÅOO¦jçy5••¼Ã¢oùªOFˆŒÜs@¼0¿¯æ/FßZ
-úšd¯R7š4Жˆ¯„rể=6"ÄâÖ¡â÷5"„â
žÒÒÛÖ�ÜÌö[:Âd¨*à±Ð`ŒÈ9¢zî‹`o‰4`É�|{jKÇY¨X³ièÔñÂ4×`�¼0ða}'5ž¥
ÓIìVŒ�H
ë›ÍÄà%Â%\\ „Îvv²H³~
¨âà·´°îü@Ûä�
Vì¤Ùd›t�È&}o1¸Š©®½½šM Ämè@æõ váØæf3Õâét¨Î²iVZÏð…v€qMui•…$:­|U@¨¹­Ä9[”êÐ*™"½,˜Y�ae©o$_Áj~Rb³‹A,”�þ‘š´Ê9±1"êŸÅÕ Qå—*–d¶_9×h'Í='ahˆä.hY FáJ	uy©Ñ€èUp”qp(ØN*Þî°AP´»n„âÉw‰´.ÃBAõ`€Ì`ü�ÁéËšÇ%ɧS-RèºHhX+þÌ3lê�ˆ§ùbÚtV·05Pq­mô
-º5çëQQù¹cØÁlåÅêö a ¯Á[¤@t“ùuY—“r²O`dÌQµ ëÂbdíVuÀúŒ:!5˜.í—{
xŸ–
ÌÇz¢RØ�E]<Tê=âVñ2>-,|ú}
ZfžGz6C«E��fUB7�û2 ú ¿�`|ò2z©ÚI1o±YoÄúa˜$ãFA
-†¯]=
-
-VBYqÞú(WMb
rD£T"¡fÉD‹¯¯ #Ž2û*TC�èw=>øV´k»‡Ò"£©#
-�ãCÍã
-<£ÀP�§NPJòbS€­áBJa¾ŸAúµÕ®¾�èî'`Ì+jº1…¼ƒZ×æª%5á
-ïX L�”¬|ÙÀ°U²ìÖ0EZŠ;cn50N‰ãËz•
-Q¬.Cu’xR`oTv.®Þâ-±Å�È€á{–ßÓ�‡]Êù”",–Äg?1	Y:í¥¼HÓžW²Bz’[äi� ‚ˆŸš}ƒ
-ý”SH`?çn%=
©ôŠ
-Ý‚^Ê6-Ž^ªügöÀl 3­0ˆÕ`I…i‰­BFa|°E[�#”ÕÌiU‹ÐÔ`PQ®'8!+–|Ê`£_Z¦ýÜ*8Ë4�YJ*ÂPrVÈ‚ŒÐuÚ>%k
-.¯¥©¦T{"tÁ“±ƒîøYá„ÉèÉVw\óT'Ï™Á,þyZ’¦eRiØÅ¢X
-òœËç
&g&ß™¸«NXCœ(WK
H|ç�sU¼’`	"¸›‹áLãäD↩!]ó¥J]vn–ªLO/*9¡ŽØ™\*JZ…}I¿ÇÉ’+S´Ìh¶œ©…#5[BY\`Ô󌄎rØŠPWÕˆtÔ¬Ô™Ò­h~ÔlÜQ²&Ϲ,#ìH�nBu×ÒØÒ@’Êô&õ&ä9Ï7JŒª;L	“�üÒL‰˜“þI¦_Mº
-âšpÅ
-ñtpûl ½á#}µ§Hൂë4ï?ÿ¼ÿœ	üO`Ú?]éåOŸ1íWÿöÍo˜Åà›ŸÓ¥õtnœ/„´w�ð‰LãÇ!Ó8Pï? òé€zºÔÃït@�¨'z@ýó]œ¨§|>}

-Ô­ÂÓñt:žÆÇÓI}zÂÇÓ >�Ž§Óñ4<ž–aŽo~ÎXÿÓ9¥NU×O;dßRþ.wÈã>í�¿ãò‡ë¿]½þÃë‹Ÿ¾yÂécŸ·êÅç&
-˜ÎÒÃ@1éã¿ïƒ[<ú”2wæ¾òÓ™KýOgý¿_õ¿ûÿÿUÿ‡³§¤s{œ!N„{‘)ÜÜ®R$<Bˆë7¯®¾»~³^‰q¹¦~¸º¸ÿÍ>{cñè#|•ÅÅ{Æò˜o ’‹Çó$(.Rþnø-ŽEoùvŸêªG�ÐÞkGk |ÈN–ü1mëKTŠþý»‡Ë÷ýöþÐhÏÑ&ïwNë_íØ�óü,åÔqc
´Pvõí¾þ ãöh÷÷Ã~¼¿¬E´]§gŽ±ëk»eÙu÷]xÿe
Å´ìz8ήï±eÿò;öâîúþû›«û=ô‰¿¿;íé¸Ý?ì:<e]íÕ�SÄòçˆX>a½SÄòï bÉó@1K?}µßœœ¢”§(å)J¹}Lœ¢”Ÿó«œ¢”G¥ü’ˆøOQʇ,Äcô›½³ó¥|tç)JyLÛúÕõwß½Ûƒçüèwö¾9ÚÍý´“Ó\½}w÷]W¿Þ“FxãéÏ>œŸ®^¿¾ýëƒcz}ýçïïû¿Ÿ_3äãÚ~þò�÷üJá`ôPxqû¦›áoö8¾v~ð”ÜI²h¿úóÝÕÕ›¯úqrõU7?¯ÿ|ûÕ�×·¯¯î¿º»zõÕíÝÅ›U÷òSò3�Ê#žüL'?ÓÉÏtò3�üL�e
îälúÜ·{}8vñ_×7ïî×j[-?üì‹+?<Š«×ýÿØÏѱxôѼ¿¹f½ø%íšÇHüFtô—ºsŸÐ²~ûÃÕe?´ï¾DøÓöWìQF_këq÷�`í=®þÛ]-ù�qÍ¿8Êq=%S·Å?ƒwééø.ÔS!¾ud°ãä»8ù.N¾‹“ïâä»8ù.N¾‹­±œ|Çgä½~�müÂÐ'×Ë`'׋ôák5O¾—SÎîgþ&GëI:¥ä?þæ~}}ÿ‡‹ëUWÖÚÙ{ÃØŽwW!ÄðO8�¤ðcMÅßcÖ�5�®ŸRñOwÙ¾wÙ@-óaúÝÑ^h{k§»ìQº~¬wÙ‰Væt—Ù]ötÂû_ƒ'J™½:ðH/ÿ"(e¾þþâÕí_O0VÇ´Å'ótŽ™/#­ù‹H~˜­é”üŒï¾{{uO�¾»zµßÊ:úmò´!«—²{õpµD~滾v!-»þ·GÜÆ¿çýð÷¡{ÄÞÿ¢”ðcùŸ*’ò>ÁÉ::;èÜ¥_<¸÷¸�ãÚ«ï{\A{„¾Ïöçæ3uqzøüõúÕ>¨2}ìó�!ì1†ï¯öhÙs'OÀ‘o'OÀºÂð¹Á›'OÀi¡'OÀ±í�út=
{týä	8žKñä	8Žïpò|‚œ<
X¤÷û ,ŽÖ=YAãy¹|ØÇpôÊÝc8Úuyùsâ]>7gûÝÅåýÅëßÝ^ï‘À ¿zhhû³ç<}}¹æ‹ZÚ¡ôØ\¿Þ‡pbãáÏï½zIùæÝÍïûüqŸÁ,Ÿýü ÐçÓÁ|{ñöê_î®þﻫ7—{XC[�?¥3{ŸÙøîîöf�k‹Ÿz„Ïù0)üýí§Åí#tþDærd.'*”õor¢B9Q¡ìŒæK¢BÙç²ÿ»aBù$“ÿxw÷í»×}zŸžÛìÉó$ìcЫQø÷L�pòµý_<UÑ=?^Ñ|€³–uøücnúpDûŒá„#z¢ôû¾Ïž¾ýþ!uïäÉ}4OîÊ'äÈ�ŽÁ“{²˜¾0‹i¯Cød3�l¦“Íôø=6ÓÃ×ÔÉfzì1œl¦“Íôˆ6Ó	ÿrÌVÓÃ9èOÈjzx0'£éó}�“Ñ´Ýý“Ñt2š}[ž»§k6íÕ÷ã5œþçíí«?ß]ì±'�×jJ_€Õ´ÏNVÓµš¾ŒŒõýRq�õ”øBŠ<lOœ2î?ã�÷fÜß¾/kú	lô§Ípâ|ÚŒ
ŸpºWAÉ£?s¾{ÝÍ©ŽùOß¾¾¸üËWg"ºýáâòúþ§ÚÇ‘ööþ§½ê‰ËcŸ¼×§ÚÿX}¤-ò/ô]žÐùr¯è$û8Zoæ[æÌ{ñ3o�ãÜÝǪvü=ûd�å¤Ú·¢àÑO{—F<ÖÍü´Mˆ‡
0oßÝ}wqyõõåÅ^
-ÓÆÓŸ}8ý~Ÿ,Û½J¬/µýüç÷øî¹Ï÷üHá`ôLxqû†‹cïanÿà)9|yu=ar>DNµåA¯9†Úò¿‘�y*-ÿÂ1Ǫ¤<|càcíeìþâЯ{�ëŸÿöÃ훫×ü‹“Nù4tÊ'¦±œ–“Âò*,_ëùyÒXWcùBзV,ýHõ¯“Ã÷ñ7÷Þåê�~gïíñ=Þ]ý…àÃV þ²I_t�ž9B“ð/k�,»îŽsÖר|–]ÇÙõ=öì_cË^Ü]ßsµ½ýé.;ÝeŸD½;ÚûlïrºÊ¥ëÇz•íqëU¶G×OWټʞŽõT…ë8¾Ã'¸üžÀìº<¡Oÿ /ÁRE¿ˆ±'²•B¡§bC?ÓXN•ÇuÿkÿéÛ÷à
žÐIü
·ÊÑÄîlÒÿŒþ2Ƀä¿ö8ðÜgèÍEoêaî�»kÍ€z}{÷Û÷
èwþ—•nõE¨a'â€cÚ ¿ÿ³?‘Ûãsó9=¬Cmþù)ÿóoerqÒÒÿ�/‚õ#¦#‚ío�íytj×ÿÊ®Љu´ÃíQLù¤Ò~ÞUõ§ï®îþåúîpø|Š›ãéÄ1ï/¾ÝcäGí¬÷g{¶y˜ÜÓ�µñðãÑï¼{sùïOèTøVÒór6�}©ké_Oké³®%÷åK¿~,ˆ›”ûwoÞ~·úñ¬iê»ø—¿½éCÓ(ŽÖuðAêìÑI'ïÁãoqFPýêõëO°¹ŸŽEñ�çÜ	—÷sáò>ÅË?¨âÈ/~õonúæŸß¼²Ê#$J$ùæw·oþЛ`Ò„sÿúêÏ×o–ÿðìw?hüO_ÿtóííëgÿð«»‹o¯ÞþßÞ¥gÓÙ¯úÿô×gïúÿ÷ûgÓóX¦TëÙô<Å45ú£ú�|ëþŸþGœBóž$xÆû“;ûÓųñ§Ÿúÿñ?úÿ§‹þzÏ~{ö¿ÿ¿éì½ïߟ�—ÚrIhg5OôWëM·©·ÛZ$q{^ûIæž×X³È|ˆ‘…á¹›B"a}îZˆg/´Y×R qz^Zig$ÏK–úˆz[gÿ‹Ÿ-Ï»$ʳS^_VR©Ò¯§ª/«.ó“åy*>ðËZÿ™kÒ@~JáG{|LÒhÎÑi£!'OBÿ<Ç)Ÿ]jgcªýÙÔÚóÔGÆ�íOôÞ’°w ÏB÷<5ÏÂò<'µ�þ¥¦Êâú<†’´�©æ&/SÑÎd_>ûŽ¨ýgnò:‹.{þ
-Ô®wŽžwþ¹Ï)£±lýóVM�s2ÉòÜó¦¬FžnsªIúàK¡O[k{ýÄÏ'—?¯“~Ü¢¼*ö/Î3Û_boÿ�ülŸfêxOÏKi
.ʼnÐ;ß´�)x/=pSÃ$º>_HìúÇñü²>19†,3ëšö¶ôÎx¦–Š4Pûx¼+"î‹×�‰08Yá¹—^íÎ6>CÀBr^–ß�Š}(a!Va�v…Áóƒð¨˜†)MÖ@àO6Åþ•æRÐîFŸæjñN¾dŸ™›þ!rJú²˜�|ˆšúbLº>r’…Û§!FŒl
-sãB¬²�}ÞKm ô)”…Û7-^£�2¹}å³å|±°m /› ûiñìô<÷żÕj_Ôñ­”¾\Ë䤷­dy–6os;¾õÅôSßOÈæe•Æ©ïTþ”%ôö\‘‰ä㊄幫1Ë—H>‹°ÚÁæå,ã/Q’‚}M‰To5¶ /«Sÿ¾ü%J”�êNu¼ÿJÆþëBWBÕ´2•�)Ó3å7ïôÜÑGÝXå½³-V¿½#z³…îr÷ôô3Åmî³>]A‡µÜ“¹=/¾%Y¸Ag‹n£¤½ö#îl8Ý/ä;ä¾[ò…síËõFÅE?{n�—(‰|I",.V#Ï,	©+ürêÝuz;ôs^ûåSÒó¶¿2j¿ú”F¹rbß$úû>)èõTû²âwõëÉÉ•Så௘é+Ê	ÒúYR¹ÝœíÀìG'OAnÒÒòp—Eлm×€×OÐåió¾èÒ©¾y³ô•Õu
·yõ75~ùò¾êSÒÏ…¼}·å¾\¦¬—+okö£6áŠršì~(ÚIÿí]×´~C
õ''ZXüÒBG9È>U¾ø$«©6™çeÛóºÅq©Ÿw9Hy—q]íÛºzU
-è¨îBߟ c’…SsÜkׇíŠÎZ6UƒöV_Û:Eýß_²´ß’¤Jpw[n¼÷\–#7ÉÒûUJÒ%’SÕ½çú-5á»…0ñ>£«MwN—ðϧ*+˜ÛäSþR§ËWyïUj</ýÄÖxýÄÐßgjªtI{]6´¬øêMt”Ư÷ýOO]Mýi)‰°d¥¦®êÈ´xÚ/‰.I:\²l'ŸúŸ¤Pôaöþe40õûG^ŧ÷ ¸~Un€Žc@슎�Ü�Ú{ŪZ?9ŸÓ!âÜ�Ô{ã7ëú=#ÚGߤ9pgûÉ]¢÷ºòcsÚ@r§W_q•n
XH)éÖ‘MšúÖ˜²žÕtWVjµoìBš)Îê–yŸÐ™ÕdiQ_NÔ
-²ë-Þˆ]8AåìŠSï-Y0¤.ø0qÉÉ2éÂ~$÷wŸÉ`»õéDXh'Ë'è#›Ø
ÑÅêC¡ÏÕ;TE¨çtó¡kw¼ŒI3¡d5,Ù¬¾=MD¿¥—¾)ø@¤©ëÂþµHq‘#f‚ÑÍ“~'ñstXð* ežô9Ö|Ç$î±¾83ß5höGmVÏ£Lª+,­+Èý^«2‹¾6§«»‰Ï,“!ƒ
¬V>!òâèk¢Ø‹Ð…¦B±ìXH'²·}ÜäåÛôÓµŸ‰ABš¢n{¹*hÉ,|qAž`q•á’З Šó”2ΨÊ>Núnfé£î	ã¶óçJk¦l÷-O÷ ¨Û­o– SÙpiÄÄöH,ëó/TíÌbâ÷á–Xœê�©É�H÷m­¯²�×±™ýè*6¯ú$‹Gßeu&™9Ï]ÄšW›OÄÝ~ÒïÅbU.ØIï÷r'±;%y]�|'½€—ET\ˆw…Å„¢÷²0Ek >eiyƳ·wž×q_S�Ùë2O!µÑéMÕÖÄ]ÕÅ°pÉ_"›¹Ûää+úñt1^qýGº•Hér“Óκ 
-ÌŒ)ë�BbŸªî�)‹	Ü…jTõöÃ$ß›\¢÷f'Ý¥z#²ã³«�ÛŒüßM_EŒ|¸àÉNéæaQm¸áþ!oƒ:šHóžøÛÐlê¸HoI—!íߪ⦈ƒÖ»ªZ>)éÓ”e`AmØ~$NoàI€:½|Q9æ<Úeñ” îw
·ºYÕ·‹ˆûüp¡Ú-Þ÷BßUüq"œ~Üß î“~Ûé�DJvÇH\¢I.jÏô²à+
-úiEžŠKÝaâc¥KL�~_'ç è‘Èîjêrð¦vöïE%¥O]1±j€ˆ„!É�žgrz½-i$¶ìØoÄ÷Lêûži^b“SÖ“?n*!7àÉ
1å­gû—u²b“yõ{Õ\?dz¾P/——«™¯
-1`&:ox‘�gßÜD†¼¨ãý#»®£‹?HotqyñgMôe‚|Ή>¿ë¨#GÞ$^¼–dYûä­'�¦¾4ÕŒæ;¥H‘oU¿`›¸º6¦
-áiö-´ÍgK�õ¦­ê‰ï$V¡=ð¸2¼è¢]ìžÃYÔ¿¡ìÇ~Ó¡@ڸ܃âÒsj2Í϶$³¢�B¶5â©&š·—ºJŠ88I<E±žûä#]�æ¸è×P7)€ýlÒr¨¦ðgs[Òuœ½ê…nÿG€+‘Lƒ ]럞}gÒÀdŽ´"w¤�äd”‰é'Ñ®XgÕu2zWójÉd'Á\²8
-›‚]XE�häJLâ�Kâ\“EµTœ§õÙÞ–Zˆ°¨Ã„k³f9ÎE_¦�ƒg³——…IÜoܪ†ˆ©Õ楯I!/´
½bIrÑúLk·œ†xŸ\^…FOˆ²CY¬fÝæž’>³˜ä´*{ŒHˆ[X±¨¸f>Ç—Â~@xΆëHBR4¶RðqúÑw£Â¬ß¡k“!é8(À祆xhuõ™÷8DuXä'!iËj7&(Æ•Ð
b�²+y°¯³Á’©²|ÅFÓ7õoÐ&µòù–QI
-Nš8'9	Ë·ýŽ†ƒ±~
-¤cfr*ËBFˆ˜Ô$
	V$æ0,‰9>+BÇñ:fÑdHèÃ(hË‘ý€Ràz_�¼OHäüágûÙQTÈqÞùIi ‘ÊZDì�¡¯°)†Å˶…ÜêMÔ¡hÇRž’y…íè~ëš±Ú¯q’’pJàÉìdñH�s„3LtI�ЉB¸’_nB^"ñ,.)áY9JIÈ`-}RÀDŽînpLP»‚“éâdÉ‹]¼>몘�|Ûò8Bû½\Ì$MUŒTríÊW$ìY˜Ú®0¶h#È7�g
Ö#@:�ü
-³Z„
-ý«ÍPˆŒæe-„JOéòˆxW×€ãb͈°[2ig!-żƒ6…½)±¦6…ÙÕE$tÂË£X_“6:k4
-V‹—¬eûσ­¸a«QUØ 5U%²XÄuøB3§©èNHâ'H™�W®¢²˜L~½”'Š!ºôЙØxû¬Ü3yZX$ÈrÎ�ÿÉÉñPE³9çÀ?;ÔùêiI3õY-›7Ðy"çÇ?Nzlm°ººšä–‹HO§ƒSñ$+ˆÔE‰j2>²%õú�4ô/©.äþ÷*V[Ƴ¶©žO|§`@Ëï£%"Ü}"D©d’=ì¾!XÆü~/Ÿ]0|°MÈ÷í
-0ƒ
>(ö•¬ƒJ/”RFÔRoù{m§9[¨ë8E
-^sQ@–L½[-©Ç.L©X¢°c6ª9èEIbW£ž°‹qUõ �IŒùÌ ‰”¬?ê|õu\CpøbŠó£í©(
O¡±ié&E:ªŸ¬]”Hüº-0pq ¡ËA½u¡b´®
-Æ‚Å
-'†:9Ùç( 5O|Ót�%%öT‹C�rà:—°º:ÑIG�¯æ£‰•mK6nU·‚"ö(òBß¾‰ºÂb�/’Xà,,t
Ϫ;‡tÊVÔð�šj—Ô[q^CŽÀwI½cYÂO$Tã¶ØÉ;­R$ŽS@l.ˆÏMý;4]}ኅ×ÀÇåÈŠÌŠ¦)³;—ý1laç ›¦ŸQf’r ß›ŸK5
§¢æ!+Â"”<ÜRìáð!8€›TÆ?ê9˜œ†@Ùi…t@9�M,£Ò@%a9¼‚Äǃ¨q£DÐ^IKʆv¤½e‰é¹EÈÙ,œóYI�Y&=66}¶¯!v
L‚k••Õ%!
d¼Ç’ïëP®ÉD÷°\	œÃÂç»ñää£ü	9
-R’{V¨¿ú•:A\
٫X݉
-ˆ‘4òv¼(€Š±U¸síù‚(èäáæÏ®À%¹Jv Uî7pžÔ÷Èþ`Ñ-uÒ*PÈ1鶊,öœ„Æ*f"$5N»zʈ)O@ÝDÁ	ÌfP#U²Ç¦M?'e§�û†41~9xm¬‹¼§ƒÆ´Y'¡G_	ˆQÄvåmî tºŒI¬ª|_±#?焱‰ÞãÅò£¸fÐ@”¯4À×®B�"°$“yÅêYXy£ór#n‚²W#ÌçC3f;£·´b5¹Ž„•OîDJ°ñ\d{]¬Ù'äN²2Gá,ç¢ñ>J¤¢e°A&Á³˜p0üì$
-袨ˆA€"ŒMÐÍQRYÑ@hU“�`Ùu'�ɱÕÁ¸ÔsvVÂGhVó4s1€šÅˆÅ‡†œKr-MŒû#¸Ž¦ó8UŸ¸�P™Àα ÙJ]Øœø›2âÀÔ
-.ºáÖÆÙ|V7Ù¦P‡
-	ÃöE9E	nîÆ Þ�å^så‡Åõ	î"y²”V·>âüd•ˆÛåæ�º8K(mgÎ&òXãæ#[~N.~î®
ÖšhÇ
U)ƪW\0>[
-ÿÉâ:“xê*`(Ó>ì%.�ô^é�^ô",(©¥
!ÜJÈmM~ßW<;–jÑâÙY¯]UCð.¿Vq·§‹2Âq~ÖOp…‘Ð¥¤O²oíÎâ¢é¹Âtºf¡›kÛ,&Ì;0Bm
-§V!ìSè­¢
„ã/›$�cM¸ÕƒY¼è
^¶!ÜŠüÉê°EC'€Ous)Îhœ…b0Í–¾‡v·…܃wžÅÔÌè¦pw°ó¦Ý|rb°ÂÅ`çVYŸ}Pd
-þ@„!Ä´ð
_>Û³ësè2¡�ÆØ“Ü
-Ñ
-×KUùº@nˆy‡nm//…´Yä mîûo'Ä|¨
Hòñ2ͧŸ&š�6ÇHÈ®äÍÈÀòY=·^.�(,ϲ�SBõÕ£QA•Y
-øùÒ,Z¨�³õQ	�gSíhžçK�žx+”|à7ƒšã›Z2žuFÿº!dt2ØÒÿÏ·Œ‡Ö’Ûê–
-a¸Ÿ�ÑŒCa0`SÌü�ÛB‚CÂË0NÎ25³¥¥†ÒÖl/í'³ú!üqˆT»ì|ÃÞ\Xp”“ g6äl°.lH³äa.žoØ»jXÂŽ†xøìlÚng3ØR�—&ó�º^ÅòVSei´Ûšg26C¿âɸ<’mÛ0¿õÖ“ÉNÔ)B6aßrE,œ!ó¨2�²f•éžcL”³\8NŠp,n|/Ê£�
-`ž…ya½lˆSɻϚŸÈ68„Û~¢¡£)QdGæ“·)qªÔmOW¿ë¶
¾6ìNŽÓo»àf¡1äÍž6ubwÎè…co½¡Þ:`6ý˜C`öˆ[¾‡Ðð1Š|Œ7ÓW@ì³{{àó^4 •Ff—ù¥zÂ5¹ÿâ~jËUu۳ߟ„;8üK�&0û”öP4 VÍ žÞ¦!¾.5JÑmÁt¶ÀAv=	•êš³à%Q1•K
Ÿ‚9ÑÑš•u [ò
]3Bo¹é$l
'
å-Õ©m½ÌŠ,…;¹b
ó’câãe¤fbéÄlGÁæùZD¶6„slmn`CßÓ0Gc78‡¹NáÓËo[2³3”�Š¿v¤Â$Ío.$*Cš&i0Gb¡y
-KñùFÜt UrÐy)#ÙÔ\î…¢|ló¾9ß
-úZ\‡rê&¯RN•9_K”YIªÉà“FˆY„šß·ˆö”lœ8zlHúU([‹ QðInØ2šmÂÔ„¸õÅf[ýIŸåk“Å1&´;‡Î›rmП’ˆÑL{V8ÿcqÚ"6µ!tf�î!Œã‹0û¤ÓÖñMjŽ°+Bˆ8nãü_<«w…ƒ—L´
-øFJ–"߈ójHÝ"€ß6±'­Í#ÈHáýÿI{wK’]Iôò¶|€:ˆ§G„œƒ+•:9�+u‹wý÷w‘4#�¾2»0Z–•/†‡‡?è|©Gݹ¡;Ý,X©s`5Ù×kÕ]¤Aöƒ�=Ðç&ËD½Aë
4­¦M[ž&´îFe¶??f8©J3ÖÁGát5çLTó@b3;À~mV?ò_½S™îÜ{*#`ªè…ß“¥õÎsÎxz9®ÕÓþ|Þô¶ÜLís�Ꙥ»òkuvÚ]:Ø®ª�b��Õ}Um Ô#Ⱦ¦ñ+o©Í«mŸÁ%7äàœyDx¢~Ü™£Bqó‹ìôù¦T5VxMeÅ#ÏŽÛàñüƒúš°ÝÇ�¶ÌŒÏ%@H/ˆ6ú¡š[=Ô'Ï4Œ�Y@G†ïd®Þ¹c)èÔ3è×Îœ¿èþ™Œ^f£YÈÛ˜¬îÙ(òýGرœ=ú¨¬ìçžz�ôF¿ 
-XŒ!v¸¡‚°²j�b¤öô5ØNzß—À8Hâ>{­YÅ®4‹l¼i­*åMWD§D”ÌVäË빌½©(ÛÁƒŸÓïóåW^ŽPw�ðïéÎÄ86YÙ= •7&D¢}âç^=«_XŽä½@Õ¾_í5EÏLO è¥kîÚïʪ%ÿß…›Å?ÈÄh
-Ž±2¾øº„n“€·Gͯ ³æ$�‚õš€ú�ißóŠoÁ;T	:k
-Ì,¬EÑqÉ`røã
Î>¨
Ï»õöp'ÓŽi[éXÖ=ð�PùÂKcF©UãrÎWµ�ZD®c÷àžP°øЭ¬Ÿ
-wj+¾’|qöæo¤_´ –}[²Ø$,ºÍÔ¬ð¹�÷Ÿ>B‚p¦¹ÇMbpð7v
|T35kXЮ	H°Œd�:Û	[[‚bìVp£h-i$“!,Ke%'I–ˆ»¤•­`‰Ä*).ŸYsü?ËÈI
-iK5ÝO!5Z•Z·¥;&b¸þó1ãê±c•V!Ýš<ýÀ¶¥}ŠÔŸˆò�5UùŽoþúè£Ð:V O°ÿ¼µe¾Gë­€F€³.ôššâòu¡ƒMWì"(�)Ž¶Ô�jéP·ÿ§E†»×*QøŸ°^6
–Iéc=âB¯2y»P0_÷íÒóÖ)	~ü°sk$³:YP„l¤(WZ¶…ÂT|È
\ˆ\Ê.g@¦kìßœ’�sÅ?‹ÐÙHfF&KüJºÆ!g[rÜdf„xµÍç’ªDÅG·¶®vüÌ„‰R<Hû®dQ¨-ØŒð19%tÜÊëFI
-	=ê#u^Ø#Öcò
-ó¹òqì"þÌó øçš
-Ý“ŸµƒÏ¼×ÞÿM:ZÝÂ+Üi,,ã©ÇM±òáJ=Ÿ­-ñ
-òúݤ:ÈÞVDzí`½—œÚÅ"Øz€ðM±¸Ô‘Ë+uô@á$ÌS0•	«Àp(H
ðÁkÛêAáÙo¹R?µ-0Mt«ÓçÇܱl›yšbA(nÄÎùw…e¬™¸¤­(_6Æ=àšÞï®ú¨V˜TŒªk¾6º�™½Y7ó..FÍN=Ks‹µ¥›??æ¶tÕŠ¦'R+¤ºLµ>w:;X¾Qlái¤€‚“¯4ãÊ
-³
-MþÙ—¿å+Ý+/�°œ+ùÉAc6Yû>! ªÖO`³U
¹
u¦•Ü…ª¥Îœûˆ_íx1Ïô²_óñB¸h ΂Ó	ÙÛH¶™V
-ëSm=½EÕ"jïr�èLÔâ%�’\%UËcºÓ:¦¶[ñåUËMÊåa[fÝ6P\ƒÔiîÁÆZÂEûl±ÌzË=²{æì©
‰€ƒÅÝkI~ɯReö6"㧷1z¼Aòõîcˆ‚ßís‘¿lúŠ/˜Z‡¼
À¿ÚpIyòj›¬œ\#%‘ãKø—pûüú­Œ½-8¹>Uª€Õ?§W
-\=°WÀúƬ-ûÁlsæ>±ó‘Á賈Ùæs¤më9 ¿fÅ׃»äó *Çl.a“@I»ãA�|*( à½j2ýè:@Ž
ô )eóDè°ƒTÉäô`ãuP4+Hö´& ŽE[¿wú!~s÷/K‡	TÜ�¸¡ǃÊ	+l¶n–èÁ
¾§Æ:˜W!k»Ýlû$K÷“R©ÚŸ+Âé{‘[ÎبÍÒ»pû+p}ÒܩуûN
~@TÇ’Œx…ô}±­KÝFþÞíIÑ4‡0bÆCš\ZÄãA—<ÿÜ.�y_û¨/ n“W ùïzã{å&…;�ƒOݪf�W:¥‡‰Æ"[·ÉŒÏ³7ê<Øу'Lºfð´qͪ9®ƒp
'ìõ‡íYùmìÊî°~‡¨&
-ë?‚Nœ––-^
0æF(þ?�n’ €ÓC ýa8×mn ¾Ñ‘.ºZ3«ù¬y$Ùëž”{Ã)mƒíÚh*—{˜3îî5clϤd=PÛx/³fÁ’鵘ýNµŽŒ<³Z¦çõb%¸Èò–ZÄ%¨Ò
¾÷;k¨„e½Jg» Ì6kCiNýg°l¬òq¥m}Ú2žçn²š•ðz›†e ®¯%æD“‰[Û¦…º@ÙÍëI(:Ïàü­Zô
-Â>ƒbýÿ¡-_¶I­¸.”ÛáÍ’^4QÉh‹€×�i=ny/ZhãF’rŒ›ÃFXzø
#öÚ{�.¤ÃCX
;¡™Õ1³Záõ¦Þ®wR3Ø}"4ˆ*…®_`jèqP˜¤.ÆACìcŠÇ‚蔬«öÕ·Ãm	›Û�ªÀkŠèÊ"n¼˜®:žÀØèµåÌd‚ó§¸M3
-#Àf˜5£ˆì¥áÎq†9¶
^èAÍ�Ó8ËÇ>E‹ÂöJçê.²hžuƒ
-ÍEõ°À­f¾à�º—±¥ñÓÀýDÑZ&/”�«U-‡šD‘4�þ+mr\ˆ7©{^¦Ði©ÒŠ€ïõ)
‘²3µ-P¤Â{Ø{�ž>¹ª–²ƒ¶&€I|ía?€Ôv&
S/1,6ù%vö
- ³¸·�Ë7v–™\Ó¾Q}ZDº¬ëYЄ�ÁÖ•÷áû|�-+<«¾»ÿù³Ö–�UË1pÆÞ	ró±¶k–á^ÓIE`ó¥ôà¼jlã½)¸Þßà¯Æ;EF˜üI®‹'ÕI+|é©}Že탎“òÑÿÔ4XòýIiœG‰¡¹1Ÿß÷êw~	èžt&ÿù“òÕæÌ…'K#ûà.ÄÚ‡ˆÃÁé‘3�ĵ‚ð<<5ïx.îôÇŸ+•!kz¤ÁwÇGi‹`q{
™cðôŸáŒÊ9ÑxêÒXÓ¶hd,Y°‘×3Û9E2(t”éß-&
#ý½ŸÈ¡0_ÇŠäa¾Á×ÈdËP猚A÷8e×âÖdm¯šþ;CAXpÉÖOUXWÅ¿/Ç

g~5”k_vÖP’AŸž_p�bÌÜèS::¦
øÌÕC7éT\=Ãg‰Á,Dx&%¯�[­©•-_o8ꦙY?¹·î'Û¦fY~Ö'H¶f·2๷߂ Çä»ñ£­Q
%w†¸.›:³X—Û*—¯­gIJcq2”Wí%b»\ï�÷ƒ–n㤀ãÉ°¦t+g”�ÌÔýz¯ @É ÆœÍžÝê0Ìiî7{
-<¤gÅŸ5M—07Äõðxä…)öŒˆk¬Ÿøî뙞µ·pç/Cä-Œ=Cžßœss¦ËxöÜ]<ŸÐA¿JÕ˜�¸eÛ}/‡gAÏ®=£8höU—‚ö¸ßŒ
-pYòŠfÖ‡�.3Z¶FTq«P�û�7Sµc§1¨Õʹæµ\¬Ï³ÄÊëwë¼¥5öŠX�Ô%œyÄ­~[~v¾ï•,wÒ3µïÕ�_å*_¨˜yðÉЊîÓ+�¹#VAt
-׎uTPÙ<
-D˜iœKÄFK¹*åÇë÷×z•¶ß:€žI>\àÂGƒŸçâ6q>ŒbH
³”…Gò†lcDJÕ“¦jm gþ®lg§æ	:	ŠâÃÎ##&.†œ°Ò¾¿�|°³n/ým­ƒï>ÃL¸Uï5†
dí¿ºº­VÝP'ï•v#Ö¤´a€íÐRƒòâ�ÉÁ½ÀÅcF6jKzB¶ÙÕôåÛí’ËÁ ®ó÷*Õwœÿúß9{"¨ðˆyÍÍA÷V
- \g‰<¬�|À¯�¿iû­Ô¯äÎnŽcÍÒÚQ	]N3+cîÑý8¬Šá]@õ–Nû’ÊC–=€\á¥(©Dr‚Ÿ3̸½ª$mìˈخêÚM%�‡I[ímö@qÍ $™t2v‘\®7eqùi>§©Œ
ÿýÑç=ZÿžZc2ýƺE
ÙgKϹm~QXÐ	÷®ƒ„émݤj”5Zûa%Íäæ;í
-_È;j s8Ävöõ1ÃLíÈ£bãPI°@m£æØ6ßQîÝÂÛ`’w50Ï‹r£Áy
-zÎç×$àÊà $SÕ8ù$S#ìÜ–žÉñdÇ· &V\Éi`f`\©®…qÖ-Ľ+­ŸÎ�ý¼º½öy[�!cÈF}!£ÈFh‹»†se¿Ô÷�ÙF
æÛCêQFüÄf­wyÕ%S;‹x–‹ã+ߊnÞ0®•DÐ^̯º!rÏ@/£Bmö¾vì´ÄéZ”»5}ž3k°t·íp¦hA

-'�+Êw'itT+ vÁ¾®r´Z1wdîo¬Áh¥ÎÏ
×!:{Þ|žkr
-[|Eìÿùsk•°/P…ÛŒ¼hÂÞnÀ®±&7×ûy?+VÛ‚$ 6®Nz×$9„¥4æÞ­jë7ªè¤Gè[Óe�@û^Fàë`†¥
Y.~ËÅ‘ñÜך	|ƒ/enbq}M«s¤Áͦa„»˜·™ùz=ÝçžÓ;¯}Ú õ
-m·t$¾68ºX±Á}½í�râ~.%e‹=ÒὦÍæBd[¬Ïs᩺!¹ó65cÌëy¨.„QÄ4@ÇtV“	ÑNU¾°¯x@�¼vI­dhª•Â;É–á©LùA.°ånr•Ÿzãu_îßHaäfâ÷>‡ip4.PgêS&òª¤÷iàmfæÕãÆ/á±ö]ù’*ƒRò~'Ü·ÔÅxž3ŸÀøJË 30F.êËdN'ÏbÊ%Ùý(¶§;2žC&Ìôý*˜JŽ?Rv·CµÞ
-‡êçÇû±Ú_¶�ŒÑj¤7òÒm1>KXL¬ªe¸Þ„HAºÕˆ'®$8«·æÞ�]š$ØdÖtˆa‰`èí=}œÉ22Êìˆ(£hh;HŒá!–>†,’F«�ÔÎL×·øÃÁÙ’÷]#ÎÀ*süÈà}KS;øø`ê�TÇ5^”{…eÞX0OĸGK²¦=RâÃÂ*Ï½Kºp†$.1™h~Š
-RÌ`¼“ƒŠBHn¢¿ƒ“ÌJU"9H,Ü�dâEL"Ôa£h`A’þ–%¯ìׂhn„#¿@®Ó	7>�l)O|
-™Ë‘=jÀ;s7Ž\·-�P".+åPb3áb
-$.shåùÀ†¹gôÁSŒ5»à�e*Ëøaš•±Q�
a ^?3~ºÆ`rÚ�œFhÚÚ´°BVÝ¿Ç@Þ±5‰lük;çáJšƒ®Î‡3JÉ0{ùÐŽ×5ƒZÄn9j)M£w^ßi‚…ËÞ3Ùb-²šäæ1ÿä“
-Iî;XAËÀfñI2'AǬ’` !¿{Ökâæé R‰)à=
-_;ç’®ï‹Þ¦üÐ÷^”„’×0~?HŽ¹‹Ã9Vë	«+	ˆ¯›9ŒTøë£Ã#Ù5ë“zø4Vû,»S�BÖöä`“AÀ¿+®Ìbm©G3yË€˜ÁÌ•¨‰Ñz m3Ù¢ÚyoÈ=Yà–­Á°¦¿KáÈY˜0	›­ŠÅu ¼+gŒžŒüžFÒÁÊ£±bM™9£€÷'pŸ™m`°ÜY63õHMcñKì•èý°èSQ4@¦Ìœbˆ²:7ásaÊ“¹p4÷e¤/pÞIyFT]€g÷«“yS•Ìu‘¦¥¡næ‰ÉMÈ«ÈÄOÍZ†•)n!à@5UϾ#3Ï‘[¬­“¥ß1›ŒníB³ðÁ†ÊšÞ”oU�(-ô*i¯Ò ¨¬¬Gµ½ I¾¸Â‰_<?×ü¨Êhw‚•eÈÍŠ@le瓱žH7=™ð+y;qHxü³2™+)74èЇ€,
-²ïn©Tî±Õþj1O Kà0_eψÎ-¤ˬÈ+¤REÖÌ[Þ’7«Î>3Øä' Û‚É–/z1lJJÀ-ó‹nFLìÂ8QZE–ÏÐœ¡Ÿ@f¡ª^Óà|˜‚·yd˜\{…CX/D
-µZ�Ì瘒ÃûÈçÖ ¼Á•]®DMÅÙˆšÊò m·xóf“’Ì,µ	�;wW³™>g¦ÝïUÛ¨J‹PDƒéWËÁí*v<“ˆÑQ{š|�X09w#[ÙRMjöüÁ0Ãöâd
æÒ)ÖÕT°±5Èäzç1Ê•£ì“ŠJtÙ?€ÂýøS%WNt5Þžü›Jý¨„�´Kþà¢Q\¸A#£²(©Ù· ?ó$ àœÀ
-žïù?
-ƒÊå/p…ÑIÞkÄeðkz�×z_2nÎcbÝ¥æÜ
2n¥/¾>:ÜòøxZ( £µ¤†õࢫ̼&%9¹5ÅVîb�äwµ�Y¿î„ÕŸT
-Ò`msõÁÖk»»¶Š}.ÿÂ)Ùƒ
-¨Ì(Ë#n©¼H’pY÷ØÍ‚×JŠÜ�™®ÕR$ü`Wô›
-³�²ý,uw�XH
F¦
òKå¡UQ±Å•ÿ´zD7ŠýöY38Æ-„=(ãfiu|Ù°U*–%3�Ñü^>–ÜõpfG÷qu©šjK¹Î
-½å+
-›²�Ç6x}D7-:Õ.Q\Ç×å‹À`V=Eg¡̳Ìèh“ùú;PêKx³
-|"
- wÒ-Š>•Ðñ-˜àò8"|W>ÆÁ|{…ÚŸÁ»|ÝaÊå^ɼkÞmXóNO’€–ں̖¯h›7qš\W8]ÛnJð3�äpÛ¹yaÚ
-ÝŽéÆ•o�6�P‹^¿Oò²<‘=Žè扌v¸VSç��÷*
-V×ÖT•Lͮʀ¢Øe¿ó¼>“}$ËRö	3‚€2ç‘Ì­·^�;Iq×b—%
-G[[ŒA™A•ðÔµx=¼ä*—×àÕÍU.5¥ã›É<Š� «ÄšŽº€óWhm<+ɯÀ#Yª¥âó¨Â…Uº�¬#Ý(œ<BUwûÐp&	l{Ø�ŠZñiöâÑ[ð½ÜaF
H|Áç“þ ¿2(H@‹–Ê-Yá,ÕpS鵶à÷­îödñ«ŸôãÍ*)ÁŠ‹oqŠ/ù^¦2FX[�O–³ÙàQòýäJç6�-Ù-FaÏm®"QyUá%ƒx \qïù%á}K´À&·{š€;ëLZ;£¥k=Èzâ¦7{µ%ß”Éÿ•é¦VõšnEÆe)ìz…m8ŸQ&Z;YزXòçGƒÇS®Õd6þ�•q}O4xãWpZœø
-'ô£¥"E1½ÂŠ$ßé!oîÒ8­ÆUö°'7	ìxt�ré~�¬©>Š-”Á	Ò7êìb^”=©Qépuð›Ç`a·tm’ΰU…gŒ›öç£(|>߃,´i-‘™ÁÙ?ýþȘmy¾]ñÇ=u`�LÿÏé
-”Ìtéõè38;᤹¢�{¦ÆÚ?âždúåuõ¼€¬³–‚jaÜ÷>º2k<njKšðK
-€©XÚfn’�G¬`Kø&8†ŸLÎúGÐóË8oÂm¼+¿ÌŒ<=¡\dÚó“9í 
¾åF¤À´‘¼?½Tå�¶Qž&_7ÀõÜö·1P˜ó¨�9°	å14%%¯$œsö
-î‹·™ì±Ĉ>éÓ Á¬…æà¶RÀE
û~œ2;) žýò
-«Å‘°ð—õ1
ÞFfZÿ9#¾¸š×ªIÊX=Æšš$õ¸5c2mŸEТíþÉ€k�¤ÈðŽù¦J£dÆVûN»,GÏ'œ\Ü~q2þ¥Š³�	8>
-»,F:5Y–v�
­‹:¿­žW|-õ¿§"Kôæ	€q]¶>Q‘eÀ¼µÜžê~¡~¨Í`yσòsð$™n’
·C5?¡écwj193Ï H%héØ4ñÔŒcÛߘ²¸+š9˜dÕX�ñºWè³·Wð™~AÀ·Âx‰P%�-ÅW™ÂršA¾‚MÁöÉíñ´OÖˆåòos!i*�бąˆÛ	”ƒá€¼Ò³l •ÕXù|=}‘^ȧ<L°×Bæ
-EeÔB:ÁÙÞ Ô‡ö#»‘Y2>%OÌ9F›BóÛÇ�p¬«œKE¬eŸ—YÅÜžxr+¨ŠÌÅ$!
--¸Ï	·IdjXpÊß{-B¬£Û^¯œ…ãf8j˜ÝÊ�xÒ\HÎ…n0rØljcöïzy	ºxRjíÆþ¬“{$¸Pòàü�–—ÖÌbȵ¸n°�Ï kpCב¤2µ¬�
-s¨Ÿ|€ì
áäçØKFYÁ†¾áܧ8¾ípÉÄ/ú‰y"T2÷ò¤4nÙ'™RnäûÃQ.ȾJœók‰Èñ:Pï¡L)µ6,7ðuœýÆÂý6�	ÀÏ�`@oàAƒå
-I�ë©;HCþ)¡wRbRÀuðmÏR¬#8â柲‚/ïc¸$]Оù¥™S'mjê€ÛŽÖ!0zÁ6Ïê@pF,õ}Ötéþ’Þžz‰#I؈;XZÉ‹Jø—›îœÐ(�È¿s'e¢²&«M²aÑþKºP&•‡r&EÏWqÿóCzZ†Y2™[Í‘qÈÁàœƒIük0¦’imü=öBÃNb¸Úóùü9,æRÀÆž¢´â<4Së ©›ƒ4Ì—ýTýZë@\åžJA¬‚p-çÈ`=[bèÑÛe ë‰�¸iÎì¤îuФ¥ö°oÁzÀ¤Šq
-óÖJó|2·,ðÐ<ÊãÑC)	s:,ÌÑJ‚í�3îÑ@_r™ä%ô5E¯(Œ8hÉ€(FRÇ„¿¦ÒÑŠ‘Ek	MÏæwçß@+Ë7jûýÃjCÜŽ…� ý(è%åN’„0�l-?nr—��~sÔw^ÖŒ^1g÷CVë|­$4Ák1ò
-|×p­É¿&¼äDé|uk.\áÖS0ãÔ!pΡl«d°½÷ˆñ=XÎõXÌ
íóc†iÚqGnlÉGÆO÷Áî‰Í]BOV)õöNÍêEIÍD®©]ù‡±¼¹ëbÌé‹QÁ>ËjÚÙ^ŸÍFõ“×”þð;HxB7{¬¢Ñy�ƒ[¬‚`@³Wê0¼A‚ÊU�O
-Æb‚Ÿ0žcÿ›¶¸¹õ–²¯e¼µe·7m	ðóc†‘}÷�àô
-^²¡¿ÂkMïËü^
-^¤‹ío†y—cz«Sjw¹zÁŸ/
-Î]úD îüþu8}T¯uèÎŽpF¸Ã¨¥õx‰µ±IÛäPï°<¬@äëöGÉ+œp˜·×=“_J¤¨^’ {Pm½c|DkVï1n‰=^bOæ¬=88\žA®3
-
#®Þ,Hn 9%~
-˜†f7Tk WY�_a�`õÞ-
wÆv
{R­7Ó|ºÔ¯�fî•ù@"@üY3WüÙÓI³§-{PmYZDzû-¸D¬Í×Ç_à1’‡50ª„&Ȍԫ'ù_ž…å›
-»óŠÇ+ÊxßH7oqÆ7pË”¼g#»Ò]QJÏFgÌ}G¸Qp‡•bJxE@�•’g3"œ<ÚvMª™@TŒ�ÂóMª€Õƒ-³
-üm[y¯i¾ÞQÚ(Rl=@ •¾nÎý¶9ßøm§¥h%ÎN®Dl<‚Õ.½D€9wtnôKÆ�[uÀHÐY\‡‡W)Zó¬ÚƒËÁ®"Ȫýd�Ä‹ÚE"«×%™«è5BsâûÃÂÓþ,ƒÊ"/þsÛËV\˜º�d^¸Ö:9ǶŸsw0}„_0ö5(,¾Ã~ìN¸#÷ó;•+T5|i³7z`"ßl·g€âl]qY³¸Ë‚©O#hÅj¶…	Ü•lô6.ìJ€Î¶(Þɨ™Œ¼“QÑØ5ø\&ü ŸCõ»_{è+ÛŠ+t°À;X—m¤T˜sæÏ‘m“!<¯¥ÀGYÅða}-ý×d]¤åo3êÖm8@p3XÀC¸üÍÊùRõ…à^±O?�ýª
->ˆð5ìÙ†óϵ%F%@®÷/üüûÖVü³m±ùÔŠðõç0XæÁ¥gÜœª�Ïr]o#ˆ–”[0B,ãDiú(Ñ4:µ¦ƒP€ôÍDYÒ‡¥b¥Ýø×ÔÛ�Ñ_϶“†¢´n•Š<—ùag$V÷ï�×
ýb#‚>§)꣟áÃþ«OzŠ˜å­ª®ÿf<ˆÎ¯¸üüÑg"Ð{›Û�[&³ÿõ¤ ’Ô.½ÖáþÌ“W4 áoÛÞáµîs
-oÁê¤KicÀü|@Ñf4ž@#“ŒÖFöyË¢•Ÿ¦�%UÍ\9ài>›AÚ„Iîëc†Ïe›†k'SM®né“á*KŸ€"@ÁAr<Zél}Z€ÿþ»¶“Üo{ðõw½åÃÈ9§–ÑÖ–¦ÕÖ–c¨+Ju6à&²0¾¨Ø…Û'¸÷mú,e”–ŸÃ|ý5umÿ˜:…ÖLë³µ¶¤Ásï¦ñ&‚÷& Œó­#HBº€Ÿ_cžr­J
-l=ø¦­dJ­•€–üqŒ«3C–­¼W�#øF¾>fÌýºÛw‚ŸoèJW�4²§_Qø­+“ê“’íèb‘8}Ôd1nHM@×?Ju-P^9Ù›$‹úiÔY(ÓãŽb}ËÛ(RQ„²ëm	÷n}®KÐïN»¯W¢[îþŬXtö€žÑ©â0ý	¬Gº%TÇòaùÅ~¥ùq¬ŽÆØž©å4®¯À–ù
-Ë ö Ÿ]×
¯ó”=>=¯Á
-ovñäÍ:­ [„6¹Ò�+[”Œ
pÜÞŸN
Ç}
Fødô`„ß¼¦'Á~3™Úr`XÖWG[ýî
~ÓÖÌÍÖ�pÒCz[Θt¥ÚpMÎÙÎÊí_ûéJ“‰a÷ÍB(#¯¹K·–Ø¢ÀÈW¡h†9©HyŸ\­Vç|ß‹	Ï" à×´„Z[‚{Ôù˜A�¯˜ £Oö�Ì-ôÑé4 Ü¥V4ˆ|¿Ìó
%s[†´È£4¨GV1A"
-ÈyÐ^¡æ—¼ní|Ò­Û *œ^Ó¾�ìÁ]Ì•*À¬¹ãímŸ:9
güûü˜'(ûÔ8Ê’ÁÓ¨½
-‹
-Ä£>?ºÜÚRÿô�úëM
-Ó¹©üà…¼"½,^Aáí­PÀ×�¤�“
Ž"�Bçêq¿ ÁL’^£ˆ|ÐÆ^ù{¢™¥d�ÇN«qäJÃ]öʃÛ;µ™ëIÖÖˆ;&mí¶Ñâi÷��$½(å³
-�rh"|Ä^pxå™/t rõlyᶦ7‰sAÔãÞ•u_Íø\§Œ<±gÉjONžáµ ¼ÈØÞ
U��o.£`OLÀ•š
-Öß5ˆ÷ùòpï:|38vŽ%ç†w[Á'½?3éÌ><€ƒt” Øupßðýö´[-0s8<*6ê
;!æyÒ¿€ûò‚V°Ë©ZXÊÞ Qç¹`
-.±¡töN—æ_˹9(€ôÝùa<ˆLôGeY+üÓÀV.øœ–K°Ç•í޹ུ
Àˆí
-W‹H¹“jlË0r/)§\‡Qñ¹�~ÒÉ)·–
-Å
'3(¯p3zä:’ëÔJ‚^ÿ[¬PóW¨z:6
Õƒªfc‘E1?�õéÆ
-s
-GTŒñC�ÙO¾ÂˆÿŽ‰t’ÈÁh/ŸŒ–Å®íD#Kz™ŒQs-«»ÆvhU‘¶‹ñŒwò/‘ƒÖÀâ�ÊTË©m
-`=óp#FñH"»;ª›QÀ@‘˜;I’­F$˜±,;q
-™Ÿ6ñó…úú½FôY´=Pˆ¬h–D¨R:ÉóÁu7øVjÑZ=¬…ë0ª�<ÌÚöRrã`N0ò ¾°cU‹ÎBa"ÈA_¡@¥µ²ºP^Œ+jGtöNb[Ažm!Ý^:ÝAj¸:Õ�Ì)61£(“]¹¶ÀLb®O¬Ã¸R:ßöˆáà@ýÇš„d•Š…Œì‚1µ£D�‘:Ýûñz	¿/¾�ÛUžæÜH˜ÚQÊÆꮬ[KF,FÐAöàõßË#1ay]v«ª'J·Œúb¿Þz
-ÿ‚Ð71ÇÖõ¤Š7ËeÎB°·ƒ	…(y@,Þ1q´ ìWÄ=y´N_4éªBÀÁÏhÑ”°Ydul¦Q_aüY’ƒÔv”eÛ+^:j³ÙgBÖ’¥èLGeVæ
-(î6‹ºßYE\@Î�´q&r‚{�Ìo™]µ@´¶,&™ö#‹ª-Öm˜E,
h¿ÏZÎã>ßÚb7—*àjq¿æ=HABÑÓçÊ\€-‚$
-•yVHËœ®bYÀ9Ær�f¸/Ú›×ËÁú3HR€Ÿ0“#gc"³õ
-¥¶žŠôJ0éž`4Žœå„iŠfø¯WRP³u#8ë½���wP¼¬WòÐÕ´·èÈìTCT€U8öi`@ÎE»7Iâv2~X,C9ˆ*Bz¸4½œ/tƒÃÆ{¶Éyß’ÁŒS$-óh‘¯�>,š¥.…¢Mg,ZrÆìj3f$\âÕ©˜œHPËî¹G� ƒ†NÅ#©8…QÏåä@|ü{¬ût¨í¬È£òócn‹z¡ž[âyÓžNvIPªÅE2M1u»	{Té&ࢢñÓWkÁ°ˆîÇÁMn#H�àçt¬-J0[‰*vfRiíÜfçNƒÑ�Ï:Èae÷o$©¯IVx*˜©åÆQ ¬[
-¦’ÝÕ׎¿3Iàæç™�Wm\-}ö:ËÚÀóð¦Ž¬àX.1W¤\é
î	Úƒ¼”w%[áT,ê¬G
üü˜ÇVp`DG®AlçúÉBU¦XÔ€{ÂC€ÏΫn*Ô
-ž±ÑŲFˆ/Ê™ÇYÜÉëHí,rƒ…ÙQÛãòŽrÆ”"waËÈá“*'�)ÕãÎSq%`hrë@[Py:¸x‡×‰ç2�ð+Ãà
óéÆ:(1{pf’Iù«ô@ÁûXgÐ.�×ý¦]™;ð8ø°sÁÀ¤��ÎûìA÷é3£ê‡ÉX©ú��nªÊ¸k�
¤v¥,~ÿaFÇ YOõ ¹@µ¯§d³IÇpõn�¤´+r
-âJúw¢=<æ@pQjƒåCð…1ô‹DÁ
^¹ŒŠ¾žíó,G~„‚ÁÓÚæmçGyK
-¨‡¥€z­F„Ð$€A+:
¤míÍ”ä­pƒ1©¶ŽŒúi‘B9çC
-†/ă§ðÉï°Äá{ádvF™X"	.[V™8¡,AadnöyÔk
ç¯Ã�m¹:®$–vá®/kè¼,œ†±õ¾~Mòؘ²Á¹�¾ÖVGì
¼x.æóŸ"
ÌÍÄå–YØãÖ%Ãë¾K�»QÁϳÌÌQ¸ä£ÌU)Û;¶çangl;ƒÇ-FìôëF缬eû Ò¨Ek ¬rb_�q¦v™‹cÍ&Ázƒ¤“ÄVg¹~Ãä,Z‚BÎ&/'̞ܛG&¨Õ<&È•4‚ßψ]G(hŸ¹2vô`Ü5%`EèiÚ`-èó>™¬�/n
¾g°|ŽLîBC€ój¬Ó³FÜo"±døúÿs«ª¯®€°¡‚Œú%
ó])Àk©õ!PpÝ÷<"ª‚"Š+áX7øÌཛྷכ
-2i
-×KßN-!nYO�g�ÚB‡›{�{ÉÚ®Ñõ•ÍkEß³j²™qMjŒ¥ÃÝë1	ØQÛϳ€¯ÔáoÛ ŽnR[ª·ÔÄdÝ­i—‘E¦ãrmh›é–K&À4�ßr*gÞ±»­°nŽJßë\¦µ
-–�©
-ì°ÑŠäV£`φ)ú‡0ÏÕ¼Uµ „ºÞkü�‚tà4°â2j—gÕ7=
Ê¡/GŽD4ôۦ߂ ç[}.90ëÃÊf¨,Ùe´k3¬x™œYÂÒõi
HíãQ­(b‡ÓºÅˆf0Æ?¬o ¯û¸F/è¸ô�†•%
Í‹®û†çŠ0‡ýȬiT²¥»±Ê§€Ê9yÐ�ý6aúúè[©¹7�;Y‚}!k¤b'Ù¿Ëe»×‘#È7¨è	ù.£2eyYì"7K†*X!œ¹™6Oríp*“qQ™k\Ò’^GÃÙŠfsÛ¢À‘FÿÜJZÝUØC~üd›y
âÅȹ›”h5ܸëQ
-JWPJ0{oÇ
-h;ŠŠïVk7¯¤+µ¬„‘;I•FZ)ÛŒ÷€wøòíూ79uä"4?àö Y‚ì¥
$?±�P‡„¼+¯2:&9�%}C=Ê]P?ÏŒ”Þ2³WÊ/)DeþöÒö, ÆhŠLª	¯Ñ•é/GZt—›¼ô–Á3gF>æ£Âñ•¤
Òƒô[ISù­ZO‡‘kÓÁ¦Ç&õI�GÆiJ¶O…n4
Œ÷ÍGq84Ò_JfR3‘ËÃ$±ˆNÍ@ØÞkÏ7Ä�¤1‚«ÐT™ÄVkrY0´Ç+|Ò
%{vHÝÅ�ßÌdûúhÑá÷²z[3r^LA©?Ùä…0Å.^
Éø|Ø/�¦d†^Œà¬`
“.e¡“»Œœ"
g�Û0#rOãÖ²ÙÌ,€¹]/ðØ‹'áu§‚Üφ¹2^œDN´°<ò²Pð`Ñ<‘�(!©}2€µR"%ÔUG63cz´­@\­ö`®èj2ZW_áÒ†.à$ÿC0!8¼êÉt•{cV§¾äR·•Á7Ã
-az[Öh{uöÜ!Àí	=½Rù
¸|IéâŸ+“Ò›æ€MdX‚9I‹kÃS±°;“—®‡±þ½Æ
¹þ#Ësl�	ÉØ…
Üóͦ|~ü¿ÿõ¿q/ËõóÿÄ9Ï´Î#9îÌAqðDcI–â‚Ò|kƒ9Ä8{~ÄFA#rx)X;Y�ôMKv’Úà(
-¬}7ct×Ë0Š&€Ñ}×ËøÝ!3´ ¥þŸ�.·µ
O¯�ã\ßÁLÝÿA@é‘ò
-ùÃ~ýüº"àgÇ)a­·ÅHðß3,½eÇXݪ3MÖ¾.¥þðÉÛôرáÕ©*SIz  ¼nr˜i[dêxUW?UKÅ–ø�)ÏjÆOçz)Ã" sÌT³`&SÓï$ó«tÁŠ€“­áÐÖ¥þŸ�oû0÷6Áz/,ýùu�¼Û®ôp§
iÇ7[•mcÿW¥àkycœåNü	ØíŸ ø®u?ö"‘,p‹ÃþÆ–ˆbK‚º
-·T‡Éi'k ;pîØŠûǽÔ5À»¸¥¦	n4RëäÆp¾§c�o4 vêNít,uyÙï7�_àçÔƒäqRÛÓòßQÐW66MÝZ‚À°ìÁÀ&{²´dì¬a¤¹Ë IŸç\S³!¼òj!ûf#¼²QKUäª0C	Û¨j+z|‹n•<ª„çó߯!]*Øž¾>fØUþ?&¤Ý€©Ùä�¥¿Âž±?¢ßÉ(”‚˜4Tª‹Z�+h‰æ
-¸�m9¶M@UÉúUîÐ>]jj,éxMôzÂñGŸo„Ûñóxf5§:“^ðŠZHÛÝÀôkœælo[à2‘&šLp]q9†
-æôî¯�_F_7/ß‚Z®šjz£BÓO¿Ç|!È@ãѶÿÌjŸz#‰~ýþh�eÂ|�qj÷·ª¾Ê'¨aÍWÕï²,gÍÌÍ뮜šÔ�ŠfO¶GîÚ“g€{üŽ;yǡ¤
-
-aáŸnèjã®­ª�µ+y]™yWŠÊ2ým£LC_v�9ÝnÙ­>ÜòV%à
-.ÿI£&ÜW£wÍìH“ÃN¿—‚ùÁ¼5•µæ¬È%ªS.×ç]`¬Ø#{Gúsu-®A°Rkñ†5„´±D’�d/i¶prµLºOÁ¢Ž(H©ÉŽÐ«1Uð™(Oå„£žôK�p-.¤¼R¢¾UP�è¤B)œ¤¦Ym¢?U%ÍøyòO–ö^ô²¡æÿòž'ëgÔ…¢‚xäòÑ~îà¿n›¼»D¼ÁxXFÉõÇÒn"Cl	E;ÈûSx
-õäaõˆxSîá œû–‚nFýëcîM®òÈO®fÔ熪 oÔ½
MrìÖk ¿˜ZÊÚîMw´l};+
-u0+K鱂ó. à.TKYRâ°äQU'Xž uÒ}s¨Ê³¿9~ëìÔSº°´§·|™“*>]Õ‰Œ§¡š¿Ïèª)¿ßÔÑsb/
-–Ô%…iÌ

,íIø»U@²gÿ i}Ûƒ,„Øö�Ô¸j·ÄóBØ@Q©N=.®fÐJmSƒGÈÖ—–+ª«ç-QÁ¼%*(·ÄT˜U;O÷´sªîd»4h‘ͼ¶Ô�åñ~µKƒEäß×Û­C‚›
-ܪ:lÝ~7-/K¢·& ºei
¨â¡Zµ/iʤj_Ý/Xe3@TZe½ùÕö›g!¾«?	C0_{ö¬z.à–eÿä]�Iø~·6X°u’V±-ê4þj/€üŠì­¨Þn,¢¦sc�poNÄûf8[~„Œ~è 'bmëcðûcn�CCº	ä²
È%†kšÄÃ	(•"s1ò3R
-³ŠY\ê]]’�Xµ’·LÑ«šÄ°â÷,?œðÞ+Ü%¡Y��Î1¬qÉEÞ?B:7ô#¤'¥WÒÆæõMym~E~ñrUÕÝjk´�²æ\ùÓd&7©,�®>²Ó&“¶�|@açÔã¦zPú¤–xw•¿‡M²Xçó+c¥=èHu.÷�ö$l1ýçfnLCùô4ˆ6¬÷r2²ê�¡DÖÝQ@(�ŸsÛ<ìsÛ¤€É:§zgµ
5·ãv«.«ŸÜÀE*Àÿ]ÛInõö(DåÉÃC{[gZÓÓK9imLíªÀöº%·nÛeŒTÝ»ºµƒÀd–ÛvÀkµô
-Ð1ÿ˜NvÑéKø
ôMœr©rXQ¥‡ê|6/5•Ì„šMýªÚR%/]ŒŠþ_ÝJJ¡cÂöyÚzO¦S(ï_Óï¯ÿ®¾BmŒ´/ì0îÿÉëÕšBdÓ¼Üà8ÇTIT{ŸƒÊןg‘Ü>j¼¶Ïc›¬òœTÃ
-Î[ËV®$µ¬AB5o2" 6C¹§Ô^¨¦¤A7´òQm!TÇZÛóR¤ ¯Žyd)Ö+4�}ݵ̬¶Í�G{+=˜^–ÇOyX�h²ûÖé+Eá9©3EU«<'U)�HU6Ò+ÚŽj ¥‰>¯šQjÞª5%VÕ4-µµ*bVʦfl®TìVß|‡ï‘»øû¢ŠA
-
-–W@Íþ
-+XgÚWÐ×ýF@Y
-h»^	h'JIË<$3EgL�:›N8X¢8‘yFˆ½DÁ´a(øí¡Þ
-Žt
-–bwšmvëwåÓ>ç¿šµå4:ÕëÉ_ÃÞr^Y
-©ì"§9Ñ®Ù
-éò>‡’¯Â­ÚÇ =ü* CôÊ�1ðm÷¶î¨æÔÀÃ
-RÍžeémz×;ï:Aú¶éònméo=(pÝ%ž†jÄc^Ä=�Wøü˜Ûzþø˜['�t�Io+Їk):–1P§4�gP6¶& Öhpel"¨†è£XõŸsÇ
IˆK«(
-¦½ç6››1
«öhZ.;T¨í4¾×\·›”Õlr"–üÃ÷n#9¿IùkúÄŸ@¡¸¾P°¨¿®VQ E7#Qv¥^Zü1÷=¢pKÞˆ�û9�z‘™ŸÛzLFZ�éú(´dÐ×âý2paB²Ò¸ábŽ|þ�€zXö º…ä›Ï�¹·)À’3ö1½—¥|¬ÊQ¯pE�±ÞÛÁ·à¾_�Œ,œAÊ­þ8¢LÁÏ�Yn~Fm‹´š&¹‘ÁÎ:&É:/ý%Þ…ÛÈ@¯‚x7z§#«ÈÀ¨CT4F†9/f£D3ô¹¶«?þ	}âG¬&q¢úp³÷
-&·”Á;,w2|O¨}øIÖ|Û
÷ôL«ûY„’XÀgo3;no
-'±s�I‚ôz
-	>™mß‘�ç}Á”…tµzK
-ˆ"_’ïf`ø•ü!£ÀoK˜ëpš²Œhû†A1m|[\†ïɯ°“½,Qe‹‹‘ÙaOåÇü„}
ÄËê^J£Û÷`‹2R8
i7¬ø‘—M#%lq<Q~4kœZBÒ"ª×ý´ÅuMÚØôj_ \×ËŒ!Áéζe"k MÍ6P†ŒÖ––�Tc:˜>Í.ÀÛþžŒé©”¨¦ruª%CB†Õæ�¾e5/¤Š(ÑGÔF'›Ã>Îu
-Jª�

-‘ÐÞÂpŸ˜¼&rãþþçpDé� ¡òt¸g:ßAº»áƒE5ƒA™\šÉ¢ì ­-í0bÇ(W·ÉaÏûß/u�w
ìj�"5O(ܲ~´¼®ô 9"µ¬Fí¾®mó¾ž1A¤ÝGoËbqZe–cŠôQ›En4«IYs^›Í¦$¤�19â$þ‚݇A*GW—�GÀ2æ’ýùÑÍ9¦+#�,sñ;ˆ´}vëó£·mF"D}÷ A‘=x7=¥€z]ÙzY€´}}Û–Æ/|&tÒÐ&6žú8b5)›^›µõÉe~ý
-;@ý¼a¸©
-ÐÛî(D–Äâ½¥×™í
-àdŒè¯Ë¶R¾¯Æ@Š
ª
-Ôê¸
-Ô˜*t,_‘mgÐ+Q@Áò°’ú
ˆ¾RE”žu‘úxN®Çj"AÉ`¸Ç¬rKÅÈÁ.gqÒ×ئ¶YÈ[
	ÒÖ†ðjÖuU5\AÔ"§€‚%–©@Ô"×µp~…&€Ýº˜�Û¥Þu%Èëá
¸}X=÷q½…cýÔö[°õ
-CƒÏuŒ·¶¨šÜ[ÞÇ]”…KÛ›À0u%Øí�)·ƒ+™–
ÍÀ=KCeü™Á,G’68Ç5†µnxu»ëN#Ûþ0Ì£	Î=hm\Q¥�~=¥€’;˜1¡=8—óy{ÐM©Ãj‰"à‘pcµ»8Êú1Ôm¬¯“õ¾8ë—°Z]‡R®|¯Ï{Û5ŸÚ£Þ{ǤmÄàýÞ¼Êþ(€ êUÏà¾^U¡9lÄ6^÷–,ªÁŸaKFJÚ6§yHëjÂ}�Êì®Ý ­º5v÷_ßzÌþ”Žîrp+róåFiù,ðœ2w¸YyaHyXs÷æön´„û™ðx_Wþ>„‰Î˜ü¼ÀÓ’Ž¾Þžï�z~¸_w§AÈ–ý
-?€n:¢qÑPڶ̘ø‡(±2b¶TìÒA—aSª‚eÓjri’K,lZ}´¤²xo+fÌol›j‡-»žÌoéA�lÛpK´mZWkd¿
-¾~x4#±æ4ÞZ
£:±�Ž
-O
üø°9ÝÚå«Ù&ðúhÔè;³³Ó~œÆÇ)(^
Œ¯†
üødf,*š`,ê6Çx%?:]§ˆ†äÖ±_ƒew³¿Ý³�—FýfÏãÖ¯=¾¿[_øÎ!çã¾|1þoQ¾›ùø8ñÉý<}ÝÇ=ã6¢
Ÿ�q娼Í25?|Ÿ»ç9æîi>¦il[¬ýÇG³ÑŸ®��+¶ÂØ(έ46¤x,_:ÂÉ9£º7óÑUz>GŸÎ;�÷§ß=}m£pÿk:
ç•aã�6íÐóŸ3þ}ùeÓŠ¦žê:¤mÆ´��ªý¢Ô§-!òÐŽ%.ZÅ•l KDì±�—­†QGås|Æ»ñœ.íi,•
-`
\ŽpjˆO$\FÍÚx4¶Ì™©e6@sDŸ/£Eñ<:Lù¶?.–-qÞÔ¼‚Ø£qRcß�>²d£n€bÍt0ÅX¬^¡ð.ÌëIö|7	ÂÞ¬êÝm×
-ÉíÚÓè­fƒrŸW#“ûxh€×Þ–3Í’»ózÎŽµ³@iâ œ‹$Ô¯îׂYôæmä‹ Éš¬.uÐî56¶Ç•þØ—Âørg|؆¹±[vlVN“+­’5yg�Û8Ùh§ðÚ¦¾ÅÛƒ—†ÇñÚVÒt'$¬ìæÙbt=nîr§Ç_ß| YögâpŒàYщJ}À\—
$§H•Œn^Ø0®F°Ø@˜Ý�£ñ¤G¸¿æÆ74°ôÐúàšsø®#éUHî×’_á­ºñ‡‡k÷ôZYÂCÄvn‡ƒÌ›…™”Л‘dweÝø†$ÝóÁëgúæúÓE¿�…Â|eN£eγƒë؈yY�¼Û±çõ¿!øø3tçÇ~!<•›…´åÛFö
Æ·§›øA/Œ Yë]ü�u2¯�sÚíZƒŽ};SóZ²ÌL.êÞÀ^Æ?	ªËͨ'`ö ÌÏÇÚÓ7J+nÿêÊW->Üüíé¤�K%ﮩŠÎô÷?7BÎc×ß�ܘEQà$äðö¼6(9÷í6m¥BaÉUa$R0j[O׆Ñ[½ü‡©XÑ{=¢ÏóÍ>=€"º+Qè3ÌwãÑêiœ#ϧ€ÁÜov3Žl+Œo¯M¦öuÂ=·:©FG²t[úáéZ¦¢] `ŸnØÒ
Mwpꂯ׼Â-î:^v„]_¯¥rG'¯;â™ÍÑø
-$é¦+hVèŠDvèrçÆ;üyH	þzÈ	|KµâC‹\̲ã.«õŽ‘H¯ë&=7pô€×ºjѽ
W8ºw\bÔÂ8§LTÀÒ®IEA›JSŸÿÐå
-ß_Œ=BgMíófÄËŒ·º£ðbÍÆññ7£�è7a¯@{ÏÞ: x(]�Ãð̾›¡8ãùnÆc qÇ0ŒYàÂQÇ<<JÚ“‹‚Ùç…Ç$ ¾x“ã?fü9‹Î8Ç�ŽÝÇŒ?”
-Þß—_{¾/
4WïÖ.Ê=ž+…û	Œ|„0ûÂ}}‰�MÛÁÛÃŽ¢b×ß}“!„û°!ĽíhŽ«ž["!ÜCBÚÌ
-õ-gjÍ7a;id§\ïF|(›o�äf16è`‰±W‹j4É–Ih@©4úN.³¥z]ç“ë›Ø÷ku"üZ3V™äÊéb�-Ûñë2'ÑÊüh6«‹1òf¢òeëÙÈטö�×eÖ“®š{·p³Æ€ÄXeLÿðtmÅP¿¯}âÙ˜:ažË¬�Ý0ßà4S½£õÖßÁýZ§ÉH<§3½ŽvÅÁ5Qð£Âü(ãá}ÁÈG yضvo »<Ìu«nÍì}{è?Ì÷>u£Å=^ÙR�á2šÑMš¯±ñVt	¹fï/ìlÚ.×6
p`ú"äfnR}ÇŒM1š£:a|Ãx×]Ù˜-´‰Üc¡°´j‘û¶,ü¨Ä”Âú!ws†‡pµL�²2&è«7£v�
hhWÍ%®µLí‡L*]Y,.¬u\‹ŽÝ¦÷i<¯Ü®éf©éƒ˜F<—Ôé�7­òÅ°èØeVí1^›–òªåÍêÉé2öksQ^¸¿nkàÚ´vm÷k/cQºµ²–Ša¸×­®ù~ÛÇG¸N™HJÂ>FQôI‚U¨	vö¿šPôýY±Ì›±ã\].šsh›ø ºèI„öŽ.×.J|íË8+½×Ûµj6ãÔH‹Leܯìçôø\ÇŒ�›ÝŒ|ØËõ#F¯…ù~³›‘ïàš<îLï`xðý˜Irúm�F¬Dl ̾”Iñ#ÄaÙ»ß
-W²
vìXöâ%ÊA»?U¼€/3ô\ãÅ­Æ0D¦âùñip³ÇÜ�/üxܳ�ét‰›Ù·‰0»×i¬Nî¸õÁˆ¯p40 >èW~¥³ ˜ém÷:�ÚÀ-®ý¸ê8<6
†ì¹/ŸFÝØÙvm[²é}€
Äð¸9ñÊ�â£_«j‹3ƯîëÌ;×NÐ|nWNWA9V¥Ûµ\·�Í(¾îcתš4]çt�|õ¼Ü(ìŒ6‹P‡òã_‡ÃÕŧÌ3®4ÛÒ|©û__®™&l�Wž6¨kßl®Ò³QDÕšŒHvÙòý9¯;ï=àkÆ_í5õÛs_¶¡j¼ÎþúÚ)Æã'ê×V±ù*ù1/#äon¾_nÊ,#ç2NŸ<ýO©S¨Šç÷±Û»mB�×Ò³R GUc¼»�73'ëÍÎîífœÏ3céåi¢æãq£�mzJfÔD’»�½�!݇јÞ7V/Oüüdv-¤ÖØ[1N“Š£+žà›¹­‡Ç½–A-6ó®ñ:©-oà}ýéfa<ˆŸüìíqm¶qº¸òö.£ö§ñ�›Í˜L=™ì]SØü FW+̺í7cÇ¡;–%Ù
-uôVêó©Ýq=6±ÄÇ‚>™¢"Ý–†ì*.LièŠ
Ù±Ž&òæ
-�õfU�-l;¾ãø+bÜëÙ¸“µ›È{a/;*S¶œ¸�AO¹ƒµ’›‡NȈ¢D÷N,í,SGÚç:là�ª	/ë+<Ôb`/+7¼Sãá¡D4ñ¢zÄË:O5)ØÄŸ¨`q–º¸Å`/+h¼¬µñT—ƒM¼SÅãe½�§Ú lâe%‘—5Gžê“X/«™¼S÷ä©FŠ5ñ²¢Ê;µWžê´°‰—U]^Öy¨M€¯"•e�U#•ÑÔ3còJܺب1P9¼Í�®E§àbsÄ8X‚yÙçUãkMØk¶ú8�÷+-O½hÎSÑ6ñ¢ÄÏ‹b@/
-Yï”zY�è©x›x§ÔÑË¢H”Ø„${µ¥Œêmr0« Oê÷B©F`V©¸l‚>Å�ð©q4GQ_k:«ô=ÊkN°÷°�l
²�¬al168‚îoË~Ñ&òrÎÒf”âZ¤L@MÀe;V‰QÂœ•ñ¹æk÷®�oˆïh¶��ŒIÜÏö 1ŽÁh½®�oÞÄ*QBP.ÅØ#ë/�Š8E/øC2†çý†7#ocôâúóhûÑè½…¬¾Ž+ÙDüpÜð4Ρ!›»q¤Ò�&†ž„”æ`üU1^»®×ö¸òúv#EùaÏ:Ž>?ý°ÞU
-*";5ü“^¾Ÿ�FT%ÊêýÊ	Å$T ©�c­¢KVÆZæOƒnRœqÚ®(áÇÑ*´Š1}¸ÿ°Æ‹«÷c ·öC{Õ„�obœa\nlñ9$Ϫh SŠ±­
-£R	ÍHµ2á2´ã]æÅji|—ˆHmØš ,+«A>*ZZÒøЕc3B*P}ñ«UöÆ~0Õ25æÍ«­D‹5¤¤FEøxÃaÒÌzC£+ˆmæŽz|*PjÆeB/¢Šhéela	C€ž†S‡hU³:j,WêÁ7FqJ	mãµ€l3¢^òek%·°}õ ¦p»6l&‘u·Ná1¿âZ�f'¤ �í¬K„mVΊ¥®ºŽ̈9÷žq˜ÿÕ›ˆ�Ÿ}öéÝ÷+!+cªšNà„ëÊX’ÆÕÿÂjÒ³s˜²ü±¸ZENþ€&ìý¨q¸1«Ç+Æy¼7WQ	6µ5"Ÿ½ÛjŽ›™Ç;;‹æz/’Ý°[d•MèÒ(Æä¢RjÔÀ×ñ xBäÕ~ñC¦w“MÛZóõO2L5úÄÿã=�Õ
-ÚžvN“ü0‹O©­Ðc*uÏÃx´�M³fœO}¹Wr�̱ªCG&v¦aÊ¡O#ÆË݃ê�Ò_nÛ.õqžöcá—ÌÝ»V�°
-Ó·Lîóºªñ ]Š³ ïÖ®nØO9:U-3ãåÃàÊÜÒ8š0N¨v¯À«TÊI3cM�žÉö6³¢	²ùnh!Ý÷ŒÓÄØDü Ø1ü£Iý9¨Ú�WBÛ(zQ!öâJHbDì>´êÄK[Е�‘½¿o¯ç«ófôyÄH½¼#L/?\ß’wª2cÕ®K9‹J7¾b�$z
wS~ÈͯVÄX�8Ž©Q'™(MYñoÂXGòÃÀètÿVŒœ§7c¤dé&H#?§þs¸ä9ãÐ7wóKµ¼²•DÙ9“)%É2ªÙv–c-üʨ“W»LØØjLTIÓ›EÙvwÉIh"ÉAlˆϗx¨§Ö[� ÅB ã‹Ñ„T°§›ä‚`ãÖËÅÊÈvÉ¿Ïþƒ.ÿ¡hF«0s(nAšS‚¾Ÿ¢]Œîœ?£�"ÄhIdj4ú�ÜìØû¤¸Œ2œµm ¨‰Lo1*ËŒ¨S.]ëÝýï´È¡9=K#k¢òWm
-ž.w¶Ò4f¬Š÷Y‹ØÊ ôŸE놅FÔrpoäPz³PšQf°_‡B[eÓ@æ�ØV¾µ`y)þÃ'
ÖmcuÝ�£Û+‡‘ÏÐ�³óxuƒ
-e%éà~¥Ù‹f~©þ0pò|~è6{6Ñ�ë"Æë¤t6
º˜dpËöýÙÑ@¨øÃ'
^,8�¹-ndÛÙT~ÓÏþÿBt�ðèÙ˜[qµÓ¼=:ß^Bª´~-TŒÛXŠ½y•p»ÐcDŽ-¤,ƒ«ÍʸEÖ�I&¡üZÕy¾Ïö#ðHn^FÍ­yߨ™KÏM„^d°½H�„«î#¼2˜ 5„f¤E(Kœ1òƒnA!È gXîÎ)ðŒ�C„pW’F)™‘ø�4§ ˆ’®A<¹ï´BSÑðMì´Ÿ½íh†2´‚FMÝÁfȲi¼Á¢9”B6ºføg€€Ì&2¤1ü‡G#%voF(>7AMà I‚ÈYÊ-Îp¶4*Â&äEÎrs…ÀTŒ¦&
-„i’nÞpHýikqY–4#’³¼Nï¡
-‡H¼*°&BÑþ&¨O=üIÀ!½?½yEQù�â)Gm†8
-BÎ~q}CÏëüÐ2ªí¤ÇšlBˆÍ	ƒh ųZ6x
->“Bc•ãûÈÌ’Ê „‡³¬óðC}¦-ívÌ�¯ÞB1ö3£ÃˆX�ŸœÑYû¡‰l暪±º±M7:f¡Uý¡´½Khß­…©ž�r®øÜ :Ãû—Ùi®¢,X¨Å8*ª¢ˆJÝÊ0¢ª
-›Pó¶ZFñø:l&Fƒ
4d0x�3"·ó€dДòpü@ið¤Ïã§XŒÓ?™à¡!µÇÿûå⌦ÞUÆÅæ®Ì¬É@‰Îl6!ծ̛–/öÊ?ôV/£¦'„1ZXÆ/NíPãj‡½r¢	Í:=šÈ±.Tö½¹<íÚŽ˜�9?y%¨òƒ	
-B¢ßi+Ð=à§̈QzxðnD¦ÃÝØ‚‹rþ 飙W#ðòI5¯,aç¨[ M¸tÖYgA„[y¨Þ ’©€Á¶EåЕú2¼ÃÚ*tþkסÜY40jÂÜ*ÄØiä./Fc§‰+NûAÝ
-Ñõ®,&F×R\®B ‘¥®?l\Í•[ŒVShF�C1ŽnÇé¯Ê{ƒ±±]ž¸±®
E…Ú²�l”ãÅUâ¡EEÌð$õ%šˆ®áÿ|5KªFpmbdbWw‰nb
-rŒYªIŒ–Ž*FS¨(×¢6]ÃØ‚ˆœ¸J'´ðÄØSFá5?TKÿgœ�ïÊèß^üà:ê/ןÔÙãÜ;3i{Åq¿K¾'›Àc¢Œ¬º{Çé»P$ÚÏœÝ3¦Mt"�ÍéD´A.v…Î�^½hÄ2ûü.ÞâEIth뎦o×Úõ-bI�Š
-yxfu{º©†£ÚDÒœºÀЂMîþùns°~ñ˜,÷/ozèÔÙãS3Mòoïýð¬Þö¯ù
÷¹‰š)^ú-~(Z®¡&gjËv¬®'Fã¡(Ó!ÂBÒDmø!á$)å·�"ÚÕ«HoœŠØ‡8	ÑH­ru÷*óÕ6Ðå—Ïq¼LÑohÔŠ�˜ë·°+Œ£vT‡£+@¬€ˆc£¼Û©!² ˜¥ÆRÅc¢{šŒ1såÁa¢{š�±춤l]ì`´ÉòŠ
±É8{ó"y#E.ž62™¼azåv·É^0é±k÷n+‘Zo«	ðÑo8zrBBN¬ð¡5Å]�VßO�(�Aжý0quÛ™¹$¦saÆÆ&@Z¾Þ~XÝ;Á²àÈà}~Œãþ;
-k/×ùüçWxÒèüæ?˜b˜é˜‚ó9ÈÛßÁµú£Š§«CBÔ_¹¬}Óب@úB)”Ö“4ý·ø¡»�=à ÉýÌæo»&Z¦wcPB®5
?8¯–Pc§æý�|éâ_¼Ss*}üË¿ýÕï>þÙ_ýmN¿þúÛo~ýû_ýÓÇÿøþñ7¿üøí×ÿôË?ÿø_]Wý7ׯÿÿÿåõ?zmþŸþñw¿ûåoõï~ÿ»ÿåW¿üïýÛ¿ûÍoÿñ¿üíq½ïÿÒö¿ÿï~õO÷‡oÿǯÄ¿ÿõ/ÿù_~ËŸ½ýã·ßüóoåÖþ!}ü«ë¿ÿðŸ>üþCþøW¿¹þùo®ÿþ»’¥»ÄƒV‰°1¤^ôåÀ!âmSÖ#©5SÄõVåY+8�ø‡¼ZÉRnúúÏ?üáú—{ýÃÿu™þÓÇöñüø¿ýïéã?É�ÿg”§7lD~U‘þö`NÌЃrÇaÀ5«ÊXºÑÊho2shÖzb,3ãhB8ø…›
-ó©jÃ4cQ+IDüf3í±f¹ÄúEÂOrp*	õÉôϪ�)<¢Š#ø‰z6°¢£*ixÚ:D[…ùW÷4â"©9¾Â”ŽAÊë.ºM4ÇJ‹pì;4œˆþ•E=4µµ
-qlÞ¯­ò�×âô`>
-ÇžÖ‚ZÇ×;'å^hTÆRIU@rÓÒŸ´ÿǵÃÅØ¢QÉ‚b…e>Ê~ì€Ð¡Ü%Ü›=^
-]\gÛgâïfL‹U¡¼ÌÙ¤L˜œLZñ“¥
µ�f±#«hл*]n¥%G6íÃho l9¯U9Á"Ît‡ÕÓ°hVe¨ìŽà4'T{ÜÈox�œÇk¾‹Ê8wbû%	/
â»,J"LYù*‰ïâäž@ºRn¨þ½ä
-¶“¬ûVG=#	[ül&wJ΂fkíY”&{öñß1øÀ	ÛÄ%'DSì
- F?؆Fß®U
E2,„Ò-[‰Ðð~Eô׈bˆ¨<Þë‹uAhÜš:®—Ú[ɬëxÏ*}ñ
-endobj
-965 0 obj
-<<
-/Length 65536
->>
-stream
-¨¥xø¯£Êq
-ý@Ç«T”©<:%`B{â›Ëš´\VGš<É·ÃxÕÑ]QÆLÃ`Ú� §\³sñÀ.9k¬é¨B
_>p&ÐêPêK�:æ’o°
-ºº®u"ö<cë~Qq4P
‚—ïÀ&�swWÓæ¿aS�(’kÕeøÃå!LŒY­ê4¨4©Ó„á·”¬?ºìOw“±òÿ2�ñ¼xûðr©ÿüÞ¶ðbMÿá½õÿÅí~€›ðä|{í=|~gëv~xסx¾ÙX]žfÈû³éy*üðáåÄùüî${¾úñ¼í}{½I~~w‡{Þ
xwç|¾úñ¼‚¾¿Ú>/•?|x¹°~~w~¾ÝS?¸£¼¿û<oýàFóÐ�cSz¾Fé³ëüí•›ýù]'ùÉŸþá]×ûù^œ*Oç…?r¶x:Ø
�Ÿß?q<Ý
Ýx^’lŒ>-`ŸßYë^,T?¼»¨=ßíß
-‘ª™Ö-ª“ÝÛ�¶߬-wYÎÏ{ùîßV²¯ŽÔÏøQ#\¢�§Ecæ5Ìüsp)'vÅÈã3fõ>£˜‘¥XÊjØ!•¼Ñ£CÈù+Xªx¦/Þu�:„„õXŽ¯!
-àkP¥\þÒ`Óuä'ºñ‰,Ä>m“4©ÄaûãblˆÄ…?¶½œ ’Eõ~µÕfQb#صâ£RBòšºŽdÝT+šG-T�­mñ¡yEùR™H¾”€o±Z‚Ï“Þ£–n°íøŽ|Ûi¤B…‹Þˆ£±:ýu€
ò^»iÂNÃò¿
-IãþBÖbiÃ4å?)x5p¯¡Â‹?aà®Öê'B8Ûš?¹ à!þ\íX·Y£]¸±Ø€ºíT?á¤)éO0ÐP@p2äH
-ÌZ»3]
!ógdö€Dš Ûøbù©Úi¹QtZyú
-y½O«©�m'ù	€A#Ú‰b¯LjÊ%=óÈk೫1«
-Ö .
ª2üQƒZª»;\àÀ(%Îö,ådíÔY‹²ÑbœA[€ÓI³�/•]¯�NÈÆh(� šÅùÁ^ôcf+ŽþɲÝlBÐHÇtÑóZ™IIúj¾ .8²!EÅFë'0K¬¨°€Í�
Y«­¼r5>
ßÕÃ×&rD�w؆ŸÁj;­pÞQÀ¸Zõrꨥ•a&d& 2†y5Ï™g%Œ]Ee*]\„$P+kˆ=C²o»raX«ð2úÝšðÅÌ•Å*R¶I›ÔÒc“_¬Ò{ĺª™?dEùå%ðgÿßüË¿û�Á?þÙß	ð×?þòWÿt�õÿÃÿò‡ß
-h7m§\^ΆÀ’8	Èò-†üß!ÙñEÌ ö*
b!ŸWÙúv·ÌY¯X4<’kã�¿«µB¢Õ‘áZÎîz®8i)	iÍ4¶fÈ‚§5ËÅŸø8ì’�˜Ì�E¼3qû–²¡�­j�Ò�d2ÆxI7év^IGÇ´¨69>Ý š‰hÛøñ“Ì\–Î6‹Sgâ·g�ž)þoI°¤óBéW3²r‚IF0Ü0¬Ì¨† ÚàJ˜ºÓx¤£`oøÚ
-Œ«%´ÕÈ3€)+.¨ÉµY�2þÈÉFt'C�¬à¢æêÌEVv‹¥F½Æ‚èNiv2ìªÃ˜â!~—H(7cs£PI(ü«fœåQDKô2p3ŽRcâ)Ht3—ôBŸ‚´Ù	_Þ©Ùƒ@GÕ<6ÍmÒÛDŠ�ä¨vsõ$?¬ã]éQ×z 
-­phu,K Jc|«g]h´ä5ʪCà3`ñÞ7‘S:‰�j´
-!f¢Ú:žtJñ«…z!…‰ÿ<\~‹4Éûö1 €‰´)~ÃQ´¾@Ö"÷ÛnæR¦*æiض{Ÿþ
Iö¬tÒU¶ÓÐmQþÈP´Â#ª1ŠKÊDo»Äʪ˜0úÐ*ôäÄH”DÍ{šFÌpxW
l#$)£ù{â®Eï�]•ÃXý;B“K�«Ðȸ‘˜Ažœô´d““8‘w"xfÜÍW¡aKž˜Gg�(
¦4

-QR¾ôŒ“�ê,D"eÊ])–¥,P»«Åˆˆtr)nÎ^Ó2š…ÄÕ¸AS@Ñ‘N$—PÞ<¨
=9§RR‚8ÉOßû §d	«—1É^€ÑY#™ÑÇ]É_ÔL_S
”·º7�s@[ä³ÒГ>̠Ή±v™Þ<Êp
d�lÖ
áÉòÃó=ô8X˜Æ¬DG
Qã"ç¦9V<HË˃Š�,üdäkÏòÐX½ßc‡Ø~â)ØDmÛ@²s‘°LÅ ŽØ‹«Ûp!D)ŸcTé
-ð¸;h¶,QÅ_ é¬åuuÊ ÁFZ-þZ!T%ÇÜÕfmµàÚÙœ^dÕ‡Ã~Jì6£Å�Ùˆ»bF’‡@û8ÝT
œwkò¯]¾QaR@�²O
åìž9Š87Œ
-¢íd„TŠ‡»²
<õ:É›²u*Uä™DÊ&…±Ð«‰|Ì�’Ü®h%8®’àV	8qØùÙ Y`="œ¹œ2Ø3×éaz+€o’s0C™d�Yr–¶f×É�¦9HYC­"1p#_v1ñ¥XzÈ–â gå)—›RröU§¦»33¢‡Šõ•Ô‚-åÞ
-Þª|Ɔ”py*¤ßH_QYWŒ ±�„É7:Ü$¼åìR«¢.e#CtjZ'tæ0„œŠŽëÉe
-ÎiÃY.,ƒ‘‰®b”�÷"§Bœvó¡¥Æ5hÜüˆ×ü¨\ŠU4õ“2…°ÇÊb:k/’X+âäÅz°çѬ3™/X
-c@úœröpž–AÉNÑ+Ù@*±êF-À»<¶G$­‚©ÛŒ"�k	�L}–*ñÅ¿Ÿp°Ù
-|›Æ"=Ö@"@Ê^	•¢‘øf9˜´ªÓˆm¹öÁÏ™~?Ī78ä¼­#¿!¹\@w]
-�0`�J¿
-#½t«Iæ&½´®
¬rŸšc£ƒš¼9É¥ËVuµ."v€…„Ž;&ñÔÉ
-¿L§À,~šÅÚ2IƒÐv9,<�[ƒ²¼X±.N³Çj¯FæËo±*_w�¼ˆsß®13·	:›q²>”p!gV=YPò®�% q
-̤ärÿÅ28“�ëØúNž	¤rj‰ìGGªQ?L·~]F§m¢œƒ§pW§ÿi+ç/6Tx)–Çg¢’Ñ–Éï®Ô{#K\)°h¹*jU±9×ѵ'ÔØn¥k"W£Õ¯ƒ dÈÀzºxw•¸bs†žV8�â¬f$ƒ²p—4ªä@Ì!;«AÌ@PŠ§	kH}áË@Ñ\=Hä— £«¿	ùäb„sÁL‘ù1;ó�Hõs6‘	¥ÆI
-'
˜|&‹£j»çAá„5óT¶¦	á4u–�+s„ÖŽ}Ö6‘G›N‡�š~ÉF1qMèRJ\)ûñ‚ÂÅɹi{Ð!YY&6�C±%&ì$1ÆS«ðs7(š6ë"��[¢’PL#9±$¹®6ürÇvMEw'¦ž(³ÕWÎiE¤Ô88¶¥ýŠ[� —R[ìô/,»²�Â#ЬaFÄ
“ì äÐ'†Ùr
c¦ˆ¢–Æ`ˆ!k­P¦Lóuznd·f”m3£'K=�äffüO*ö(d8ì%.(´û€w«³Ê¢&;™§�](Û®àhœGMr6FÅD‚jŽÂ¨ï•Í4#âøܤX¡²œì¶ÃZ”�ØùqPH
-³�}‰%Nëw²
«iâW~ÿÎT®Ï„ch�œAÓ¨ fDц4Öæì5™ßcoÎ}óš‡�rgRÄjT8²V3®\<sˆœãÕˆVNù"So&bv”Ôj&cE|�)^-4²…ZÍ' ‚“=­E±ÐÂWШÅzÞŸãëjÄ�3«DU5�ÁŸìÊ¡·r=ÀHOÒ®NÝ‘’$V©[•ïÍõØd TŽ¹Ôô2"
—èåJšŽÐfÏÑnNOÖÌoFŽgü,[v”žQ—C‘Nã�ÀK“•b4­›Û\zÔ�„«ÆôÂ8zŠ(Áš»]›-t£$ß<©áÐõ³ø6ÙC6t"
Z%	î.š ʲl
ÞŸÍNŸ‰Ûâsy!zõkB˜AFNÎã™ØÛ·Ýx¬€¡™mömèŸ{ÄUAsXm“R¯ãh9­…3AçòO¼6s‚•½<
-�çÕȦÔ|±Ì‘XÕüÝf«}ý•÷Ï|ðHíñ5âÅ ôUº·Ô;r‘ÛUêÐìÒ‚Kp냻Vƒwdº³Ìß »“«�«²IpaÃT
-j�Î-WYY3*yÞfO«l øÜÉôêSñ•­¹~†
-œñÒÊIñ\ïfµÆÙ
0AdN'Ç倵ss1c·Ì(ÝG[ö>U0#ª¨­zL	ß K rßü	(Á�Œ^M�„2ŠÀŸ�54åÅ\‘áC±Ð±­¢–}�P§Cª¦ÜhÆÅØ6>™™êÃ…a
Ù288‹ïÝð5B8‰ã©e™H‰‹;’dÕ86z°ãô#�Ÿ;lj‘.Œ•P¢ôÁõ“™°6CÎ<ŸVO”~ÖÐ��\}X¾è?9 W‚ö²`M§Ñ…æ%à>"áùΛ�äÁZýŒ
-£Î¾Ä¼
Ã	æµ
-²uB~«T\†Òwa½	¥6ÓùƒŽ°Ö­ZÌúæf{Œãy(Ôé×f–—¡`¤t¢™
-VbDBä:ˆ„)Âjëä€R-’B³l
-‘\ePü
-qQÄŒs¯Jô›8ºìT9ZY�Í„JM)q#5@*݃%£>·ÖÈ#Š1Ê“m­,1$•!W¯B£œ®‘‘rÌr�P¨—ØÞˆb'ÿ7so»kÉr‰=Á}‡ûGÀxŒ¦«ò;ø‡t`Ãc´aCj�sD�e°É�L¶À·Ÿ±"VÖé¾2Œ
g`	¢šk×É]»>2WÆŠAëÚ[�
1l©á”ù»å †³%¤iWî`4áÌ$_v„ÄO°ñ4;בe05ÅÉP}‡Àiñk§î˜V™Ë̪ŧ@d*Æ­"{1Z
-kjŠágNã^2ÍàÇÚ�w'¶¨f“öX¡RÇ°Œ}ŒvMŒë9h
-Þ©SÍ�AéWªÛ„¬ÂÞ³ÏÔ$pþ1žgÚõ+µ‹ZÌŽoš‘Œã´ òÖ°$X¬ho‹Å
Ój	 »œ_k?~–ñwÊ¡ÝQ ðl»®n`X¿wÜi*>"AóB¤ô”ÄŠ¢E¤d}qû)ÅâÜ ƒk¦-µ’F¸ÃŨ=õ½jd]†6˜‘zWÇȪe‰Îg"Þp]t<“�Þìz‰UßVò·Uñ�©ÝG–aßf6.˜?/ëMu+ø0KI¯afŸ½-Öå™%Ü„ /-Ì\A'EƬÇN+þYuØæ~®‘fÅq±4-hc�pfãBTJì",Rã¨Û% Š
-\'8îÜ…�þ!ü)2wÌjt^É$=Íà•ÛaòГ^"mövé蓤’	ú°].êë!~sHë©GsÅ{ÇÎyzS‰;m€µloïf’�ØvªÇä‡íì%—hn²á�ý÷~%3¶âF^–½£ÏV<fé©
W�+úUá[¹Tö\ðÿÕj—
óŒD°²Ì™è»ðíD :E°bÛ+®ª€Å`±îÂñ0`!ỊÉ?¤¸ºK¦uÐrqO_D¬wìØîÜ›µî®JüÄ–€Á)…	²ËÞ”�©YaÍ„uËÕ�b¸:ƒŠÎÝkÙTÇDý:-´wzâ‚X™%3¸õU¤…¿ùæ¨y¹âŽE1x%ü²+¯]ÓXœÕµ2ëÅæ_2´‰ÌmiPË!(}SuE¼i
¶é÷:¹P±°6vþUgp'�wƾþ]™�æÇhÐÒ
W#5Üw%ñÛcm~ÓSà+ÐÍðæÏ
-ݪ­&Z§Õ†]”Î…:Ov×'§_O7¸¢n[gðÍ)q0'Ž—¼Î˜‚ÙW·A"÷òï~nS¯ésëæóYåAÁì€0ïŠÑnµÎÍÑxœˆ]a `w¿ˆïžn
)ê¶èxNœÕèÆ &×­;šp#©¸Üp
-‚ô›‚vJ
-±¸*fùÌÐ>Š\Ñ+͈zŒÓ²šŒÖ¡�–9K—"]¥
-°�·ŸîNo±Ì±¬«ú@§…¢òE"ÿW´¡­P8ovZSQv»µSvâÛk¸�¯”Ý¡]pè>±qYöÊÍQ­ca±Ž�ýg›“Å5¬qÕ¢ƒôJSFØà¾	=–¯~‘jóˆ‡�hÒuðîÚmvBZæ5±Äo*J¶×~̳²¤½NkÒ²Y\
-‚Ñ&I rÊX¥ªë,¬‚‡}‰	$+˜ÎÈ5-$ÇoUÔà8ê^vFVi
]uî§[(ãL£�e=­Àà¨6Ïb¦óGXþÖM™RŽ–,®4
3ŸKÐ%1(-¬“­jgЖSÞóô%ˆµ?ÂY¥R½
-¢F
GÓa»)]‹p÷c`¨½§‘Ö¯±]=ïºÑ
-T*º‡ðÍ™‰ÞŽg~BÖÆ¿@ÂÉÀ™�e°Ûzºõ�aá˜H‰T¼»l‰Ë`�kpKÜ7U ¼¥FY©Ô7ŒG!˜0˜Í\”¼s÷>fîów.%.=òe8Ê3;çr¤›WÑHÄŽ5«ÕuµRÆáð f½¤+%.ªKMÀ¤W]-¢ážá˜ÌFQÏv”Gb{5t‰´wÂÌUŽ¾TžëíZœË”,ºåŽþö~{™�&ç~:�
f()=Ï@¯2ù‘ÝW
-« Å0rù"UëÅvÌ[!§eMjwžƒð¶$GØgØSUçHæô#‹rÇÞå]Ó»”÷‰í¶¬‡{
¨uÖS%‚&¸3\Œcæú´	o韀 Þ"–Õóï¹Ñ�'#žÁ.Y^VûÖ¾BïØëQÄÀ§ᾓX×kê
-|S—F,m§-:~_¤Œe”G=*�hº¦™ˆRÍ•D¢Ýï:{§='(ÙÇ£º{Ê8Ε'ÕU0*è:×
N@èNK+ÈA8sÛ3‘]¤ïºƒjÚã‰;H/*ý²ÔÅÜ ê‘ºå½“×»S{„\Y)Ž¤)!(šÒb¤‘y—{g06âw™vªûü±Û4¿T€›;uÛwVE_‘œdP±Ÿ±
dðÖ‘LÉŒëEVÌ\,RxÌZ¸�Õ/œi
‚
-’H~‡<•¶òX;¦LËÝ
{Êø6šÔY2OX‡ê˜¢Ë^Ú²¶Øwùøl›�à©ís`³~¸¦¸qµ'º<
 !,rP±ÄqÕ¯ÌçH€ÊxxOÙ,3\¢m�$§Äa‹r-oXkú,!¬k˜æ�<ƒQÄyvÉã€u:ÙC¸]†Da£«W¸j¤k]	Zï®æ¤-"õ�áÔm;ê§Öìç†î—ôºug¯‘8U`$SœÍV«ÉÂÐkÂ+.1˜
¼lWÁ`ÔÑëxÓšrêPxx
-�†•ºM˜œîàã÷×	aNÓ6‚	Þné,0ØÖrPîß®èx{´U&¼;-éÑ�°nŸŠº°g1•AY?klÏ{ªÝ€s�+B6=NÏksû^b/‚4‰Œøa›+æ­â¾d[Eâ�3(9™šb>¼ï&{kÏ|v-m
•KÆóLLp©ÎÈ_%Žb_Ifoqr
-fñ+=¸	Ò�éißGÖÔšei;÷ ÝÆ÷£jéûêJw?ôöný|Ç*�Çʨ¨qᑆìki½"¥Ï:û9¨2ûö³D¬äÇ·).	ÕUÚ6¤VÈ`¢ók‚ëYël]nä<-QÙwqéua_wœASþK[;´ÖeÄçJ¤ÔÖ•­ñná¾y
-�ñ#Pr)Á‰î&œ1¯Še"Øìæø1\MÂ÷ZvgÙ¨É0—	wcI?»]Bvéìu_ƒÃFAm–Ð:s/�—g/´»»\í‚AÛjœã|¡¦ —ëí$¬¿éÉ’t>ÄŸÃeˆ÷u˜[)ïxüV+—® Vø¾šî·r¿ñ
-:Wœ,n	”	ìxûð`„µ—x«©�½S~A	zìl<㪒ÚÛ;âØÀÛ»õ«#h•Ó¨a½x•‰Wª�(¾¶7#7|€[ƒfE»/)�ŒfÏ©�qaîòR… `µ‹Ñ[^D3þŒ×lHi1-*¸Wn…®�Ï‘¸f
-ÕmÕW2º›˜¹F^fwž–ã>²ºQ²…£·ì=ºÎÂՓøiRïÉï\qŠ6MgJj$w’Y)ü``ó<0Ús!#·PŠ½Ç�¸f«ÃtÚ¹3{¹Ïéf#Ì�Â4UOþŸ8m5±âg®Õ¬`?gO€Óz¨+�óQ“1)ãw¥Z}*®Î9¯ëA7ÀybSRÀú”àÙLÆ>rã+�¨–5è3çfX[tóTû
-±¨Ö�
ñqx½A¿V”žÙfÆ»ß!r}•KÜ€gÞ¹ÀCÇn	)šƒúÄòo.?õÿýó¥D¶4W6z¤^| &惲`”àÈ)ÃÈ£€†îÖ–wS
-‚-Bý:³Í!˳ÿ^æöóþ$�ÜGò¡0<u
·3xašùÎåL˜×¥`‰œÙp÷f˵y™UUËm¼ÅÆ©íÁ¼»ŒqÃQl
-u6\yîV"æ#4m
9
,¤ÔZh³cë‹îÎý[ˆMBgÉFÙq¸Ç#oÊLÜtŠ^©¬Kás<ºšÜŠ={J؃ֻ+N»Ë¹}ëѽd—` Ì·Yž×ÝýPôâN+J+ûþE�±ÐâSuß¿\¬"xÞ¼C˜Â·/úÛ‹�ãÔŽÞ¼jwÓ7‘.fd̼ǚœ¿ž»ç…nn£8¥�¡y¨a%râ8«‘{r&èzP¸µ˜`|†*ßÌÔJ$-x
-
-§h¡ñä1Z†ÍNÙl^…SLûç18ݹ÷Ñy¯Ù¶J•üe€‹·P©sÅ°DZŽŠG¾�L9¤ýÜ,ÛߥÅ'†…gxµ
-têi¯ô¶ô	<ê4«øï],\¹C0§Ü•J?V?J>}@LÓ³™¹å3Jìè�m6½på�Bn1Èï`}+ˆ$RA³F¹gè>Vœš!BzuK°ˆPŒ)¯ÃAXŒÅzv‰;‹J%ñŠ¬&Qa_‚+™q&¶
ó,EÖd+HÐô¼‰	?`/Ä"\êÈ|â¾+8@�Q·UcÝÊÚEጰ2—׆°h.mùz2èªÖAPú`ÄWIÓf÷ç\ªmW¿“9;±ß*ÏGQ$Õ˜ñÅ[£¹ eù?¶»Þj”fCàI<rŠ
-Í~jkÕ>I­iK‹²ÞmdÑœ~üÔËí£Óþ(�T.
ÙÊšpçÙªRÜÇ
-­Q3û×J¦&É–�Ç8›ûúÐÂO¨dÅ9Q6¢#ý`›W²9µ*xŠ É½Lló›„–vYj
-º¯šÿâlôÚr;3Û£'�	žYSÎ0{ΠLÏ\”Ë"¨ªãsµ!½Ú9K¢@Åðþþ@Ú¶°@�5Ä� =6»1B˜Ôgà�æJȈ­8Kþîêù¢BíÙ'=Fjç)á2*"-mÈŸ÷' Aæ§â�Ý�‚>gówWXÔ�4“žvY]
�;’º˜—-U܉«•lƘÑÈA³ŸW0›ôXoƒ ÄëýÛ)x§åù¼…ö¶:<¯‰lŽ`¾‚+3Ú)ë0OŠ¿3åÄ�Nž*«é¾Ñ:B…È(yˆ·x�wèJî¦ô}\1-ëTBÙºÒ†³�@‰‹)ç{ÎâCÓZÀÛ´:ïå>oS`:“e¸µ�¥÷)ÚÔê�'7Ù¾†g?êä¯@q·]"ŽE¶Oć“9ˆpƶ¦,s?lhsÂ�àºÏ:Ð,6ºÜ~%
©ž7ó�5»½ëI—Õì
[i	‰h¢jQ¿ÃUƶ
-IŒ+U
J€žÁQNGz(´²ÁVK!9(ñd_‡W²²Ùw®g}gIæ:Íß;§Í;V`«Ÿl6Þ5@r}J]`¶HÔ‹È6<é@tY€Y[w¿Ï¬(ÜÙR‚à²X"{�<ÀåYW(`ïÚ'S—Q­¬½…,tÛuvïkgØ=ýE©Oà…	cI~ÝÏzÂXÍ„Ä”ƒ»µ×àiY£í²Œ¾�4€Á¶ýø]Åé® óp#%•bÙ³;,ÃhÛ~ßÑ’G>ð›ïPH!›¯xBeó5WÌWî6¯ùèÁÅÆ?Ù`û\µ+É‚Äiö’�óL쬟üúâNO&‚ž—Ùg(ºåÍØB=¦�Kã›LºÎÂ1¢zËfòzM`˜Û]¼mJ õOý0Èé�¤�˜“š‚y%DR)hœÿ!
-¢Î”D7CA=ÛÃÌZþ(‹2سȌ`wÙ^ôÅpg¾œ`Ú‘Q<êBÀ·–[¦R/°&‡´ÇÞû`a—~@9°—{}û™jb6=r ¯_ÀNê«éOß�ÇUQ�¾=_†úB´Ãë²*b†Z×6%‚­ÝyýÏ_»9®Ûb�ÐŽ‹Î�4mx×_µa—œÁN^ii¬ù¥¸©ýJ�„§=SRîºÛ?ø¦›�ݹ §_e€†A-#lzô;Êq¦¼m™þ¹Ð³†�5ŠE~¼Õ̳ý:ÍØxëè‹\Å;Q¿+Ö2áE½\ÿ2„%Ö€çb«ß3»òUoIAfS·wœL!\+;{VKê
->ŽaI½<¤âº¶åNV«Qâ’PÍhI0¿‡>TUËråù¬}GU·+TY$“Ú“‰uE"õMǶyO‡[¶è彄0ž+c¸}=¹+9Êc=îʯKÇ•óeØnw36º~wÂÞ:F¹³?iôœ)ïÓ2ÕÒŽ�­SWËÔS–côï/£.Œ
-\÷ƒÑ=š…àtÈq$/Ë)8’Z	1ºü	Òå(	ÚŽ‘’4ØO3H3~�)ŒØ5Ë#�T¨~ZMÎÌÌ·†ëÿ»ð¤VS#eÊø2Õí
ÜË�¬Ã:é/¯ŒSj% ,«
-zrH{f|xnƒ©¹Ùóú¸O_Òý!ûƒðrÁý
©’CòÓ0!vzdÙF.!#r-‡“vs]éƒ1…³²IÍqz€ÜáÞ a[£ÛwÁa9„«³û•Ð¯Ë¼#z¬n¯Cr3#�û×Cº�Ÿ�™�f´ ä40Ý‹UÎœ³TÉ›QÏÔ©F;
¶LÅÅS„•òÌälàËR÷)×ßþºg“ Ï`ä/óžcœRõ´O*ƒ)quv=|4»Nlyl‹ç¶<‚ÃÇLêqV6b?F]©ó1ŽªŽœg9p'ÏÊmËc‚¥£ƒ's©Ò‚ØïŠÂ8Üâ$Ý�¯ÖJ¾ö°Ð)ƒ6¶åj ­ˆõ,‘z=\Ù>-�æ†<"Ö	åMÿ°:³îK¢XÙÀ2ÃJ,µ>.Ëå—¸&	c�	¾æÍ~v,¼Ân@b~:¶C1üyÏ¿t�3¸Ó…á>ökwú5¸¨óè¢Æ/Í3(�«]g�n»Z§š|J×OiB„¯<öàx·Ê%+ûÖŽŸÏ–4ƒ¾=�Ö¶ÝÇ]Òu#¯AÉŠ¥î¶Ï@‚7<['—^eeͪ`ñ	¢à8õ²õ$
-I|{ìyaƒ-8`ªQEÖí1ãP'¨‹ÇÞ¼ô35a®­²)?�W;äuÉä`³e…«bx9(ÔobÚ…LP�‡ðøØ-ÚœÉÓ#ÔŠ}·¡È}Iº�ç:,?‡°$á汤G‘Hݨrôù¦«+ªÄ:ezj‹r‚œ=ó³Û�/èRfAódå
=>ȼÚ[)÷\ǯÚÕ\üI²Âc`…mK‰n8>ÿÛNÏô+)Ýn,_®°™B¬ØQwKZ¯/ªzuÅ)À´1²[ùò¶QvhO©íí¤€�ØAÛ±df¯ðöO’XQ{iM•FÈôݶy÷~
-ö….Ù�ãP9,å°Êw¸H‚ébÚ/[óÎSKJaIw¢‘­žÓÕ€–â;ÖJ<"QC‹›üäh+╆f¾5nŸš9f
ÀPÁd+Þ†Ræ8”˜¬’Í{ÛôÆ"
-öè]ü¢4V)ûxø¶!b¡€tšZÒŒ[UlØÛtUBêº|3úçìÇ/Ëþ
ª‚ñ±
DgÙ(à#4îG©D•dÐfÖÑö)Û
k`JHbrWz™À"±�ñá6.?ããÎ
R_Ƈ<(¿é.èõWŠ<ò˶‚ÄolÜŽæÕ¾[�Ç4„õ™ÃîÀú1êF9 ôBp2ËÞ¥xIÂ/�„–ZPÌcC„ü´´SfÐ&�½iü1+/#2ü#ˆ¼Õ)ˆc�—ÌËjÏöôÎnÙ�~s*Ç6¬£˜W¦³6¨H#‡ôŒ'*±/pÌx5z€_Gï¨0}
-ÕØÀné|×Wj3[ŠçÁnFöçáëƒ'Ï+¾Tê"ìCŠA¬ÙÅF‚Œ¹²› QðÙ—Æm÷Þ!©ÌRÈ«nÏ‘ðÙ©XÍÒo_ióvÅvoÔ|N—›ÚqÜD²®	��ÐS§7lmßø1⥴q®Š•4þÌ>?¢>è÷Èýb+lJÏ),!iLÉ~áäÇÞ·µh=%´skÜm…”}%L4R¹Ayb#ˆe;òâêÆ9‡#‡–�ù{—úü:5^"�¿.6ðâGDéAövðH&ïÚè
"û:fŠxï®Qµ¹Â‰a¼	Ÿµ=Q“/)'clO„�~jÁ«‘‡Ù¤ön¬†
-]Ü»‰Ís�D?’»¹&¸b+µ¯ùy¬_—S(àÄ� �kN¡nk¦t²§X°BÐY˜Tš#%¹£ˆû\Z‘ÍzÞ‘³ѱBnÀ^âkŠ,.Z¡�Ü‘¡‡b¶fE:DXpãÌ–ç%îÀâÛn`Z[Yë,qfÛ\jÌ{ÁWD&�@C—.ú½ŒTÍ4:ãwÅB8ÕöóMdžÚš@�kwÅäPÐþ‡`•Qr\•Èfq·-sçX�ØŽ*ÔaMÎL$#φ˜P ¡3)€ûJ|Áæö
- ÅZ†uB’o;]šfÉJ/ƒ—RÃc¸±Ó[c
-qÒ^!¦ñ™êÚ›Êô‘x÷zÓó¨ŽE„Ã“"D¬*‡M‰Œ²8‚§N
-–]ÚÔ¡Ñ{˜¬ÎŒÞIõB-yÇžá=ºeQKPs	yx<œêí†,%¦·w=ˆmζe©…k-&­V¯åŠÍOpÓ˜S¨ÃqMD'cÅä*
-ªÌ¼®cùÈ(j9AŠäDl&¨R®;gŸèøf°ø$íöã±Úí±”k
-cƒèàÛOGA±§ï'`šÀ»×ÌVt¬íÍ'îÏß•´ˆò«Ú¶¼B»2××^Ì°Ž¼Mú5¬8•;ƒw{�ãI�àã±ÊÔ÷�d¤uZ¯ï˜_#Ë܆ Áùu±h§&æ}ìBöƒ2|i«¡úN¸�Ë\f·ºQg°I–˜ó»e+¬_i*
Iö…îœAý?Á·Ÿ¾ÇwǦ¥’jÓî®eàÖÔ,�4ç2¸‘öDê6U«`áaP];e0ΠÇÛöñØjz.JcŽÿ¢|,Í¡Þl\½é©ß;uDç^%ú­YŽòðòC8šžÇÞž
ibtg›¶fƒ0Ú»QÞ oÑi¤WÔˆêïí‘Ai€(øö“Ã×pxØJû”Kwº	W ŒI‘½`§Û•oÕÛ=w!x�õúJt´=�EêSEDxôÊ3Õ;AWмªÏäS“>àB`#ƒñ$;ø&œ[/#rÁ–Ž>òPÅ#©]/J¬±og0…<«[T,!ÇNUÚLDH˜™‚o?9å³Ç±É¤áPõNXìž©¦>?ìWæ÷ÛÞ˜™æV
1%’o[¶Í§üž³ÒÇ’Ó%µT�OÜ÷ï˜ù¦rì$/sOšIxÃ6b�±ÃÌ0›ØAS¬�³>Žm	<Mz{Mï½Cœ˜bº�|ù\7ê&Lºân^XÏKc�´¶ö�K¤6mC”
¥ñ}L^|WÌÍñ]ª°ŠÞMw{-¶:²:�#ÁI
-ª‚öÓÝPhŠ®�²Œ»úâh‹üE­@f[;î€Sf¢qtœ/‚"¦€"w`ÞfJ?[Út}_;ÁmÞS’B¶]ñx�Å|
-TÌém2¿Ñ
óñ!bçg¡©J—ÇfS]d¾âÌ�ÒÊwì»PÔ
6fè
-TÙ(­^nøšÁ1I*"SCîaK´N{¨,6ïífwã¾Ï´ò}xÞºêÏá¬~7
 R#Mjºîðt1»Å¸Ã¸•ÊU8è6—¢)ljûÿ¦çQm´óX¼m9¥Ì#_Äæ¼[NEÿùÛQ|UQÀ¶y¤(�žAÝ�åϸ
-yŠêZ¢½¹�<�¬0,ñ}���L„—õòÄ'Äaxéjù¦W-ü½4”A©RÛþ\�có4Œ ’ë.åIéQþæ ïáÈëò8V@Ú`Lç&°I³,Kéæ¦�ó-©[N¶Æ7­KE}Ê»9èÒôÚÆjæ�
-%À÷‚=‡òC¿
ú)£qðM3»y!=�eøå£ftÀ–+nâz¤á ¤ëÒµRtÑ{ˆ†F‘À!(~¨‚iC~ø…™œÀÔâ1„éû•É�øî>Û¹ùFÝUÖ+U³×•2wCÍAWÛZBPÌEÀò8«p™%5pÔ£uþA·wÙ°®�i•,n¯l»¨x0ÎE…%&ƒ¤Æ¦>K¸€–äرR-G�,ÌÆÚ¶ŽÐ?R¥ ù­šƒÕÜ°ê Ó¹">�µÃ.p4»þ¬âµŠÁ¢épåÖÍaƒø°ŽH9.]l³™Úl×–ïÐâcøX7]‰ïi2ˆ ›(N79‘û»<vî½íI¡ýõ|}š+`óS�ËWù	Óûi	Š4úL“ª>lº•‚‘Ã1jH"èg$ìQr[Bß…¼
-Õ
-T»³ë	k]è’c{ÛaP Á¸žÔiðÇóJ;N™Œzº)wb¨5`à,±G	�:%ÊuS,b/ö@ûÆÿ{Wa’Ûè—•báŠ5Ÿ݇q´.YU¾†dñÅÓZÙcA¾)
²a–4^ªbhº¹¤¯=€ðRR'ÔÝšÑ?’ùþp¯Ã`WÏ."’
-le–Ѥ]Œ°k€d¨VLU¿!ë´iÂ:Éæjf°Q.I$Ò†Å
áÜ^7¾�3æmÛÕüÐóç/Õ"‰Y±&j,W‚¾EÞ-à´èt1‘ðeÓ$ÛÛ-#ñe}ûlµ«¿’{ÛcšÊîóË…¥2ºwõL=hDEá›öß"Ä‚#êýwÉUN�*îTïÉÚ·½Én´t§à!T&¶»®¬¾‚è †
-Æ“€Ùñ³aqIGôI
-u»\J$çЄXÙx`©
-V¾�³Š¼^›bËnR“�¡Ö "ÅÚVM€„s)ê"Aþ³QF=7ÛÝzªã˜’ù¬@C
-*ðÔ;-dcŽâp7yWíEóˆðíd7LñÝýª“8®¦wÞƪ�Ê@@SçÝÁ¼�Ãýó�c¥ÑHt9ŠV ^ª>Ѓ¸ý®¹J"d$ÚDqû4ˆNµÀFPä{
˜ªh5ÅDúôlV˜Ç·
-ÛQãtÚa’Ý+\tÚ˜“Æ•ØŸV©ˆùû¥8Ìh5PYjQEm“11Š°$Xœ&_óƒ%{Xš?—#5½*h˜Ð¢VŽUÏ�·êßOÞXÆ|ý¯˜ÝΑx°«i�K¤àÞ±-rÐ/�KñûPt1µÝÖˆ2Ì9íŽÈàã
0±æK€{™-༿
-J
-æÑÎC¸õþݱÃîˆó(•Ï”ئtÕ½ó=ÿ³g¹¸HÕ‹±xÝ;q£�ÅýˆÜÜW-›­%V>´8T3#ÌV�øz¿ÄÅ-‚H´®’1_Àó
-‘6Ê*YxØmã¡Y:¼ÜŒ'¹úðrÁ9
-±z¥‰˜Š�øù—GG_SÖ뾃G_ÞD}+ƒýö¯À+õxt^®âQ¤üuS¿*¬ª
-ÎVb?4Ž›ÚMN;ÄYdFdÙx&n»›Ž‘~˜W¢‘#jàq`‰zØ98ë—•~®fm¨Û_Ÿ„{V�Ä=��í$ŒY׳¦öâ"Œyö[·¿É$°™]†£'[†mx׈]“ã;wè·](XA«"ZqتB
Éâ©^ÒÉ£=8
܇,
N¹,µ‡4@N‹å…hU«y	$>’‚™*TŽ	èÖ<­DÁøû'ÐZ ÂÊN°ÚÄÞeHI^×`L
y=[pZÞÃJÍ1×ïªÇçr&B*ìÍó²x;·Þ”=Ø�¬ª¹»ö0‹g¶ëSó8óÁêiÈØ¡'Áö¨$› Us«‡
†�nRŠœUŸÖÈ©y{Ÿ„k ú)R­È„¨
5�"ú«ÚC¢¥�†ŸŽîÕte3Ï~·aK¸�¤§ìï,ùŠ¾žÑ“êÁ`уÌ&	gÉêi¬äl²Zýw´¤í#	jù(tM5¨ä	r5—º
-'VëÈÎ
-h1ŸÑÌoÞÊ<Ž­ê�Q”KU¨Ô�±Ó+ì7ºÇuGD"o�J®yR¢&�“¬®¼º÷+Ö—Õ€ ¾ÆŠæz€þm3‰NûÌíó¨¥.Û±G~ ú–rï1!(«˜Y;�"Â .n|µN' Öá¦ûKg¶í¼·zà¹@¼gg˸Q]éîŽ^s=¿+`C+ôèŸb…Lƒj/�úž�*Òò©Kʪ¯/Ð˺3KcðRBÆTÑØØH¹H1†	®…å5X'xûÈ’»
€k*Û-~Q›
ÈÚ"¹«Í4¸®k%¯0F\W·Å&‚ª
üá?>‰Òõ
-¶T¿òT)~`a7‹GìeVÕ 
p©psÛóûou¢·$q�Â{·�óÇáê:è�—_ªÇ±Ë>ƒ³¤t=–†‡lôJ´¹>Áa6ÙæY�_ÁvpiñÖïRÅ¥dý”{Çêåq·s
\V-¹­’÷àNzÌJQð)+<?‡¬6E2!ú&-�%9
ÀÃÁÇæÓ]ëåP†·)îó¸?f_� ¯�ØÿÏc‘.º��Bït6P¢‹Æp“K&Ë”´
©+•xoï�à[ÞÅk}wì°ì.õ%ð–)
-
îD¸ô(Ó³ð¤$J:¢È”ůîVÈ)$=ïO
pÍX3´�î§|w%ú9Î<ûì³ å`½ÝS„™fÀÔ*‘ÀØПf
N¸=3ëÙÌ)maN¾1o�e»²]D<Ü8Ž�-.=÷ü÷$%Gl]žý•(’Íå=À†¾+k�Ûrr6¦Ó¢íEÕË\÷ˆ¸öS«ƒ�ñmö›=72áà"®ìÉG¶ú1uúï/×–Mbê¡úœ´Có5•©ÅãSé6‚§ké5¹Jͱ'~²ÊC0×JCl·Úþ­‡ÍQ~e>šäÉ¿ºÉ,ì?ý¾8_Ó~…Ì77­ŸçÂÒ
#¬¿2_ôe)”À÷¬ ,
N×/÷ÉÎWMOíP#å㬾5MDÐö	Ìå"Ä6ˆv(öçÕD0’¾šëd̃³èC«¼bpuôßÏ¡©˜Ø³SveF+Ëÿ÷AãF„…Î
-ÐïºÜŒÒ…å”Ç“LbiW¸ÔIMfÂ
-’0{¯Ž­åò˜_ÐR]²Äræ30|VÜ¿Àd.!žlÌ:*#åaÚŒðèß[ݳ8Kb„…#Ê^sPj…ê¥<uèʺ>63t·=ø	5{"R·ºÃ‘r‚Å;ôÔø~µÃâµ°Î�Ru<Ö8]fLåQ®aЛ%´�ůÝ�@7ö9·g¾ƒð
-Þ§Ä�5(ÆSœô�xGðñ´§,æÛ âà?‚‘IŒ4`Ð
“eImÓ4ƒ\j[nÜt4DŠw5{ùZ~Õò r»×§±wè­
-ØòꆴS‰í
-MÛo¶cÅ‹‹îsT~¼^�»ø_Ñ®ûÿåsý»ÿþõÿúO¯ÿ€›÷ë?ÿs)ð°õþ«¿]³d�Óù–ëW}°Ó]x¥ w­æiBÁ¼Ø/qt½E½¿ypÑsÊئçpŒ–~<«ø`ŠüWÑ#Ví;7͵›@	�ÂÊMoÑŒ$ ÉOZ²t�qÝ3PmtÀ`¿°<Ç]Ùø ž«
-þ ö‚1DTâ*ÀÚ¡/c¡ý-‡À3ˆcMI¯èl:vé!8ä’Ç+IJ0…ëð¥Ë­YûÄ«NØŒG7ÔR&ǾCÜÁ[†Lã’oѯ56}Íg|`Õª:´z#¸•^W´OžE5í+†êcÇV	¯†Ã´òweŸ�‚ÁÝ:W¨+îº}m±AcÐÛ/Þ§LÓ÷¼Õ!c9(%µ›:TxhöEêýå<+¾pØ2nàÅ»:C{æ[þÀ:ÄfâViºplº£ñÚÇ�LÄÞó~Ħ™ß¥�Qžÿæ�ÛD‰&ë’×^’ �¿èas×[Q—‚\}÷-„2`‹£ô·�‡É§:7=Pãh˜Dðîãƒ)ið)Çv€gÓ	‡]‡èNîñA—lY§gd� ýÞ\ñöï yˆ¦<j\+¸&ŸõÁjE\þpØ×Ö=òÎ銴¸ÑOÁSOÅÊÖ·m´òú<¦ücùÁOE©´”º±A:X!¨j©‡¨×(ñ¨XòŸ¾¼ñüMî>ÕRÄç…é|Œ€
o=.ê^‚\3iç<15*Á(—R.|*
J9°I8¸»Ù0üiÆ¥öM=0ô	Œc
Òpêí ^iYrˆÃn†JE~
¶Ä¶­!Î÷÷ü-‡3~p©?§ÄÄS“e<G(3bR{<#”î¦�&êA!cÐ)ESÅÞwyñÊPtÖhÇ3«x“Ô4߃ªò~FX÷ö;�ÞÛCˆvBYò±Gž“᮸ÍÛW"š˜c¢Y's‚ìs9÷£ïÇ:‹rûè–ªô
 øz?žglA¾H�ôæ
·àmâœîÐ~×W|@‰¢V
-
-TÑü¾Óí‰ÁhFe°�ÇRëÝf4)æïm˜�8Ö¦ÈÊãF×O&2ùñú»"(2˖έ¯Ã²ó	$Õ´Ý"éÙã‹Ž†“@ì㧛}²Ìg"dØo²ÈËÇK]t(aÑòX^šã”ëy@iÊ9u°µ°`»ÃIÊäÝCDöE„¡eÆÁ¿­`QŠGðµù,:3Ý}¤V=O÷1ëÜõùšÜwÌV[8A	U5�\ÁmÏ!òÕæ�]û!ü5I¾ºÂ·½•9BÉñ]ŠGŽ[�ä`øÅæø¼[\Ãlæ-‡ˆÎxb-1·¿†ÄÞ¥hã¡ËSÔ‘ÁÒ
0½ôW>ÓµM‘å.ó
”qߪß¼­¬rÇž>‚^a$$§§¥^ªZñ¼c
-.;ž²xÞ‚6‚ÅÚÚ¡¾ç¬að‚v•Ú‡¦›8‰š†A�ÎC]ÛC¤Î¾0¶VBÁì¼›^[q´@z4eÊÁÐXE³'vìßÎÑ…0=º×‚*„3­Â~‘Õ¼æ<€Í
-¾^OßAb•—†¦
-4tºî˜«�Ì•˜Ø¯`ɼå=‡�&Á®L%ù#Ôݸë´ÒË×ßç°\¢Àuˆ(eT›Ùx—HõnW
-Üo7¼ívûº³¡® ÄÒ~%­.ÞøÚcsK9¡¾ä‰ÄÄEIþØ62¼gp&ÀlùvŽæ -BjÖÓ—¢ÏË£z"=–o‰83(àâþŸã•d¯ø@l…×ÕÀ壃ƒÇS<H0~ËÊ¥®àý¿Sðkî*»[[ë
-ïð’|û%IŠ·�ÞwRBÛųs¹Í¬E-7÷|0å`½S,óÞVƒ±c‚Ì­é•<Ž¾2¨ufÇtzZ¡cîħ¦RD,˲íô	ˆçîæÁ;­»ì|òn
-XSTaÄï‹%‚2J\ž
-1„dø�°7®UÄ´×üHѶòÄ	ð
ñ�ø`�­£+Á>AËCð•DÊ–ÀüYîD‚^ÉšÁº»†•ßæöZì«^CçÇ'
tmèḗ–Wàs~l%ý† <(ý6ÏI
-š3‡�#¨ÉÁî.,[*/‚�}t?üŽja	"±ÞªtDP«‚š4ÚÇç
-³xѽ9“÷‘z½º—svH_Ôz~?<g8=G0ˆIàNíÛT–«ëÁ…xÏ!¹ÃÊ
ˆgÑ«\O†oRŠˆAãÛ«sr>ÇmdJÚ3x/�»äÞ];	¥å›ùî¼>½ëömI* õ,²(x†à$�K�]rÇR†g�á{*k4ÌY¡E–ù`ðA(o­‰)T—P™:‹m~>º<‘�!fŠvRùs>÷ÊŽçÉò£#·šbü:Ÿ.[c½&ŸË·Ð?™^~9�buÏ­:p9Ü…9ƒ·úíÜpõQOs3ð„õlp¦–Í'íAÜc;Ãâ$÷ sZU.ÀÓz©!•€zšVÕ“0¡@sÛµJÎŽØ5ÙÉbàÐëÖ‘ôÆ=Û´UÜ¿K¼àì¦%¾„¾Ü ŽPWxgðvhݾ…
-H{¢Ï9'ˆO»‰áÓLu±š[ØÊ€}!zàIÜÐÝÖ…-R”Œ Ds0K«Çµ °|Z¤ò~­ŒÕ-Ùz^ä3Â7Š¤éuAJ’ÖÁU–‚Ÿƒ~›�ýªœ‰�z#‚ò«¢”P³ÆØy™©$+Öšú:¯‡ë>Û¢=îiEØ#¬t§–3mûJ,å±ñ�´Wâ
gœyŠÞû´¢´ªÞŽ–íL2s0ÂM+U_
ëÄPW*n̆ÅO¡ÃÀð
tß0W›´f×`Òø£^Ó)1°�„¸Ä€\q£ëÝ«5UÆv?'¥º<ÄzôtŽ‘š&véÁ3Šàè›díÎC¤&ÚxŽÒ‰<±(Õx¹–d{ài¢±-×ÕÝã6¶{çúrКZ+­ÝÙPw¨+çòQŸ=8Òï+6Ñ_ò²I
-¥KwósžÉèLµú²q'%ÕÔ|
ꯋT+6˜¸Æã>ðÁ=4Ô´Þx%Š¹årŠþ׃Ë{þ|t÷Â*3$!Ùp¡H
-z¡Ñ·ÿ-�Ë
Þ·HÉx�–…_-¯–iʇÎÇúŽ_¨.’•­d½<¤*-ðÝ‹UŒíÐ÷žga•;õ´{uubŠ‘æ_xQ{¨hiˆ^u	8¿àŸ]Yu\Ùú5rÙÆó1̦e"ZÕ¢±©;KÌŠ¶PwSˆ›W¸=ô@û—Oâ¶3´Y‘îTO¤Šòôi.˦Ão91¶D«ÞÑ
rYgΚÃFh(ºÎŠÅ$üö]ïûH8iDÅ:‚´·ãSB߯ët—<-{/Ó™¼êjhÊæ¾MŠjjÎå ö;¸ b{cˆÙå_aû)¬—Õi£ð J$k<�bU³Ÿª?{ÝLÅ
ôr•T6¿ªýêÉ>5!0}ù�šËj*m� ;Æ’@ßrÙm©Pé†CX	õfg&M^ôîé<Æcˆ"÷§yZz{4{�oz8Ÿ!z)ðÁÎÅßmz#i¥?˜œÜv>2éEp[?2×þ4œJÇ=DIsF£LÜ�¡7~¦ð8ƒ»<‚oçö…&ËÇ£å:N¸bÀ×ò¦q™í½åóbÑÆõ`)Bf!öéôš‡¼³õyø“¸°K®Dân024ìj|�oi8/ÿ£„Ú�Ž[A§Arö]—Õñü÷E¶êW$dz³wà÷wúSH«©R'c¿îmÛkÇb	ªEAMŠç8‰2Uôz�?ø#¦ËVù}Ó€Ó)e,šQ¸ŠKêÄ[Ne4UZ,7JI³©jCnEp]û1Ä5‡JTö¥¦³®í‰,d‹EOžçE.2ž:ƒûGÅIâ¾]
…“ïÜ:Û¾ÙZª\�vWWd;Ï÷RLóî!­<ãð¶Ây©ÈåVÖAóPŸ…Éæ©„…/»Ïä[¬/Ž¡õ
-¨b=ZûDEE#¨(!Ò•~G1tÆ#Û³;PÓ:m#ãg ;ú¾«h*¼méG'Ç$Ïàƒ+r°Ä¤ªÝ/5r6Õ…À”ÕER{fY¯^§4ô�7Eh}Î`‹‰ÁP½CЫN¢-W8–¨°^)g÷`ÞÖ“e}R½_¦?ó1™dqz¾ºäH_Ã>À-/í²”ó]_�`]lóŽ¸x5lh
é7<
ZA™</ûÑéœJ9xµØVÓac*;
9õ¶Lü–¿¶‚QþÝjÞývŽÖýê&¦á¥“ª'Êá»,+
í™P?¶ cìÿ3ÑFnåÈýåk¯þt¶$¹?ýa&Gí`ŽOñH�kˆî�8?”1‘p?©îØèû§_gJßî!b«Åþiv‘Ó–Rkß&×?ª#Üìl}à¦\l·†ƒ®šMÊñ‰ŠßN“$ÄeEje–ûsÄêbòÊ6ù~èÅÓ©¢?þÞ|Ïä»s
-ÖCCuÙȲ˜VZ'\jÂq­a[c‹–¿Ë.!eõá/¼mÜAô™Áþì„Û.j®3«`ЋƒRR
-<*Õ£ú¾ŽTaæ¾Ù‚Â?<2ÏÛ´ 7ŽPKùšÌvkC¥2ïn&B KPÕÆ�*^lÆGèúø7‰jèH¡´¢ìKGw�«›ÁÓoF�um‡�ÈÚ;6Þj3ø’_¸"Ÿ[õŒÓ{=óù|1„|iL? ÆGæ:š�U�îN[<Jb~¼lÏw”¶}š‘(Lö5ß!ÏÂ;…N@
WËö*îy]ü�SC›:@8ÛýúŒÝb?z,9
Œª	ó,wv�S‡Öøea<òzÎòúÚóXBNY
-ÃÇ£í·Zò�¦ÄO
-Þ�€Éïi™ÂaŽ£ŽçÝe´†ObŽ3].�¢¢WÓ5C–%µ&AÔŒµ}»Ûã^	�?Ð^	W"	gŸ4ÂÚþ®¾C¼23}¥ç¡]ÅK´lüâýxÞ¬å�1PÜ×Jô5ãÂ+褔–*
Ôä +v‹eëÝI^iŠý•´ÿÀ×-ûåJ¶˜©Â4ÛïQ Gº0í5JÊ<]ªÔ”B
-^¼GE?z»-ÙË~źò¢úGÏžJ궿$ŸÁ¾JôÑ�!,:rgS=‚ÍÁfěӎà<
ü@Ñ>ýmMz!wjÓà°»ßùñ<…€ ©Ó¤,‰:+/¥P„E-ü œÒî:�½xTåÔ¥ÝV^JBp+dšž?�µO6›÷‘e½ÞÔìè7š—féÈÙû‡_Á´™H¨ót§ÍwïçyyÉÆ×òÞS¯.;zwW‹ŸÛa ‚²†0,l#¸¶ƒÏæá‘}ÙN?Ý
�-pà£ü®(ùbÃÞ>ô÷Ä~ÜØÊà­­5]ú4Dˆs+z}ðA_ú@×ùÙ-yQoéµôø!ÍxŒä2H��\ M P†Šë¾?²Ø¡at£¹ùMKCp5Þ<n5BƒÝ­‡`êÞýA´¢@0ióN²úŠ2vd¨í~!~7¶f!i�`½Œ ëÍaPÛÓ+X×ï9„7¾×iÞæÚP\Wø?ƒ§åèZ‰*~`Æ£„ïG@ABWxjçrz‡[=‘ñ6)¯ÂÿcXƒÇë…âN5ÝWÉ£÷TP^W<‰r5ÙŸMþ¯9IoH·Öôd>͇‡1A¸ ôçïhÍ-úIYÆsxi\zÜüÂ[úx�Ah�¤å?ô龋1(ã†>¸Ú‘ÔÛå>Q6œw4=
-éEÀ.Š÷›¥¢ƒ8¤“ø�]È‚xò8ß9m’íßöMZѾ8ç:<‚(�X¿f-ß][lŒ5%_!À‰¤¦7ìÇ›ûöÓ¿ÿUîýÏyÞ~“;b˦\QÞüš¼NÒùLõ¶Â‹�>++}ëþ”_•”m@¼²‡Ô·Ëhß{éY¸åqÌÙj8sÞ–d—ªÂÜj|~|0óƒÔí] "³Ô–i�Ážçs~ÐÛ°ìÈ>,%xé©–7£Ûlw›ï‘Æð¸wzäzZ}	H¹ÎÙÕhqMvÄ0c†]Ñ®m˜
DžÌeežÇlK­¡ßƒ×è{·yþ
-CŠ
|ÏIô¶ (\¿2¦Ô'T'ÿOì½iÔeWY.škß•^9ƒö ”
�Jfß WH¿„` &FHŠ/%	ÔWÁ¤È@¤ï2è	 Â@Q¹Ò*¹4Ñãà¢`/W¢¢"Øà ‡Üý6Ï;çÚ{å’q~Üœƒ�9÷7ךkÍ5çÛ<ïó°H9Œ2
�)ä¿\7®*ÇÅ
-AŸþbä‹V6•âûÈ"_MKQØ� Þb©M	½wí‹Tnšc×/¾´Ê‹pR(MÏÎ.d¶h$s’•éª±e‚¤‰2—mÙwÕFù_Ö<9kïW»úêÕ}]qõÞš‘BöÈê�·ÕB”íT1]ˆÌ� º�zV�� 9”)¬DgH	¼B†ßÎ4á`BUÂ,NÁî©e Å]uJu‘ŠÂmA5¡>SA©@*Á´Ào#úø·šýˆøUŸ,³Ö²
àC6z“]ˆ‹å·¦ Uô‡QPóÀRù@ÊÚ+X¶q¹¬Æ(!B91
Šz)3!6Ê I³PŽ6ÄÕ:
-S¸1Bq”	(þ^1¼…°ÑXì’ÉÎRʹ"èTÛ’ßíl¼ÄÝíïöø�«U*X«ÿ»VŠˆÒn0
-ÛPºY0ñ!>9‹šÎEÅʸٕ†X¾ê3ÍYAȱÊ(èn×™9eÍð¸Td¿=vÎ
î¡_¦‰‡M¦B3
·%{»œâlHh&�jt¤¶‚º}ü}Éúh”K@ ¡
Ä�Åàp±Á£™Èßg�sI8kðµ») ç:0dÐÄãV<B×ÌûŽ>-­%éZ⺣¿ŽŠBͲ<ðr¢¾³<rû5ê“Õ/÷ÈÚÛ-²œiÞ£é—[§F`±ì‚V'ó¶¢ÕAT‘+ù‰lÒ¶�Ûf®]
½Ê7"65±¡Ká	åï/CÙ¾($˜³cRÊ"‡ø oå�ìøZ³;BÒIèókd£á�Ìܸbnk—‡x|³¹Z(j4Ú°‹ÆìTŠ‹Šd«l5UlW«¶ìh§ÚØ'3é¤ëö9¾QÚ}lÿU&^6ƒ,:Ë4+Òˆ]"ƒÃQöjÀú²àUŽo6'lëÍV×Ö6S‚¬ ßäflÀ
¢�ÓwÇÊ�@ùùñnƒaü²ÄJuWEpjÔê:‚ÚÙ¼~…Õ…M"�3h¬ùlª|›'XkÖ“�Yù<<GÚc!¨¤:DQ¬È>vA oêSUé*™Ê;&[ÍúSoüÄhAâwB
1Ë3sS—Š4_z°49îQô;Tõ[!ÄG�ܯŸÆÉè&”ÎœD]t
-`z€Ý**>¹Q {Ò<`Ÿû¸†è/~‚ð[ÿ+&0KèaN�â¬@†Ì©r	ÑLd vº­®	ÆS5i“mâª�#ÍZÏU»½Ö	±²±bw·/dlJE0…rÆ:?ÂÅâö3/¿¢ãRLŸ¯�ª¦àå&j!a|’z½:Yp-C‚šKµRÓk™^â<À8u¨+Ëf£Ëó¸:`ü‰³V^{WÖ‘»Ð0d¬oDTO4,“¥ù¦oÒUchÒšìÞ-ÝÃQf¸(–÷§Xœ*›I^ˆ�9rcÇ
-|O�&„¬¢Œ°ÌŽ0¸p¸þ¦a=Å„›ÕÙðQ;(2D®|Ä©å¦0…S\[³ ICÖA!2ÉuEºn<8ßäO<H-º×,�…Ë'•¿J²áà¡HâÔ~¹£Í\"è%	r/wnO¼˜ñ™õI°„ÉåОâ•q/Ö–‘eòª=n'4BÂËE˜{´´t¹hˆW!×�ÉIuûkvÿE®¿‹eÜK‡ñ„ŸF]¯YDÿ¶­÷Ý­_�dÄïÈ¿B5�˜j�•sºr…êÉ@°…§’R³œœ,½!z­dÞé‚ëθwÉ&žØø,ß®½t\hÆ€Œ ªæ9Ÿ"ÖÌ`ÒãÀ–­kº*^Ï�.*ÞÅ¡0Ž)‹
Õœ=®»x.\!A¿Õ*GÀÄ0‰À7]ÉÌÖ9”«�T…š¡r]`¯aÖ±W~2årŠc
-^uPgp}þšfž�¤ŒÅ@ãå›â
³‘ˆ#VÂh‡u>7Wl¸¸R’å ƒ
-d€>TÄÑh9U�¤Ÿ*^s«0ôrÍQËšS—¦©eñCBœ¦A›¼e34ȧ«EÐUÍ“Ö«r.„Ù%
-ÂhÍÍüõïØø5½_4+j�ŠÜäMâèAy=š§àQQÊt-ˆ—Išt±«0åˆ^xà²ØùQJ^?<Í&¬Â²jªÉfÓC
-æ¸TvË<|+´nð#ŠV_,YÆ�jÃjSÀg‚4{³ï‘�P%¦À7¨ÚÊQ¯”lŒÖXogwCwv•¯`œ™}üüåb_k–Æ v‰žØÚ¼<FôÐÂoqjd{g\ƒWüÔx-Î’
-‹pÇ»i.ÞY.Eú»]ïvøj3"»:9D�Q:gÕBì³ÁRõŒêb‚Àâ)®éÍe;§qît{»d�©mÕ‡ƒÈGŸš%Ýïf¦³@úÆ—»»ýƒé&XžUö�=µrÕø%°@eó%Þ3lXp0:æ,BÞ+”Ô`�’
-ZÕC\B…fB†":¡¤s]9éÌÍ×}í'©@‚ R7Á5’"*R¹Ó¤PWp—è¥CïÉÛbÎhðJwÍ�®»
T;%$#8æ•Lª*t�o¶9•‘‚."ý¶ƒ�/ACÌMŸøˆ�ÕÓªwê´Ö‰^Æ…ð/Ù‘¾V£'¹9ýFõlàøš„J8Ê_‹b½4ÍL"7š¡;´±41w­þ4ëÍ6¹ê—hìBÕÚ«¡¸yÆû‚º$)ipFM+¶£u+·³µÑºi�1ŒÅé ö5/›­À´ Ù6u9 nÔ,´Œô4ÕÚRª±1—@Ñ
-Œ™•~(\ ¸sVëÀl)hPôS<d2Z´€ÂGA
m’W¯
- ´oé1Í
-²tÔc:+‘Jvþ6wjÝ»íU�i{Nê%+¸±˜m´ûdRt<•ÕîŠC†""HÄN	W‹qägõ®á…ãÖlÕ؊ޣƈ¢n+ÑnFDd:ÐúÎsÐz‚j)�ïp±IÀ›Ñ 3Á.¢«¢é§ËÞÒ•Õ–²11Ugê{q	Ü®~xºÑPT, 4P94(¨öÃ.ÊÌâ—Z¦€<}á5gwÕC%²$0u¢ aãÃßݺÐ6ñ¥*þïrÍêÿ\Ãå§÷c€/«Àó¨Õaeb‹Ú³ïJ'kCñ·ÊÂ2QyEñ&"mAä;PüÍTÛúk”uqI¦×��Ö‡E¡Að̃fÕÚAÀšúB<d.dÄ«úU8¬†›™QG‘
-t;UPš«t
-æÁÄn\=Ä	�‰eÕE-ä uíQÃÌbàªþÑž¢ÖØ¡D¹Ñ0•„4Ž›î�oá{4¿²›0×xS™Ù]ÉZ¸kåãP„Óæ›ÎN7jÑÔ$§×ǪeS)Àu¢"®�
-Šòó*ãE�lè�{p¤‚ŒÆݱ¥Q�,�f4À]û+í­VU�Þ®öÀx+~ìx­Æéñ‡Šm¯†Ž[\yÇ`¦PñæâGÑ·Ü�«ÎŠ�}�8Ÿ]³¡TR�Ëþ¡s�¤95FœklbŒ/Ãëæe{ÕFµçFû¸˜C‡˜­�·NÈÒ=ÊŽ4	Ip#˜ÄRªHÜÑpA8쎎?}&Ìì„_�rNqy:A.öïWå9¨ƒÎ£û W»
-®TFiª¾neê”<´@Ëxð&ûô×&‚Ú…›^¬ Šm}…x¿´ÏZ©ý%þསõÚµ0š-•½©ÃëGbËž>=2â¸úRߣ°–J‚r"ü <�VÉÝY~€Ëô¾6înG§s�ü sòZÏTÞp÷F‡HRÑSW´éÊIú˜jÔP'O!#IÒ'
Ü!
I§Æ,r´úø"8i̵Ɉ=€œ�|0uþ!vmRó(
tÅ$C*J)r™ôñ:Ž<:T…l•-	oÎe
Y9ÉƲZh…ØÃÞ™:P3Íf;:¼‘ùj¥r`²ºZõœÈ<–ÒãV5ú—¢D$Tc�@Ðœ‹D‚�&.Fh¯LipHK½Æ[2
:I{p­EK³„V�^+l”ô˜¢ŠÝ£RL%)ü¢–ªÇASËÕV(ŽÃYÌn èd´©Øv!”[%q?P †"éP	dr
-b×o‹‹‡Bkå¼Óé±ì |³Ã‘6<‘êŠõ2-Š4®þU)ag%búŒúc.ÚCƒÒÕ‰“ƒŽñª&"ˆÃè¨"âE�n·¤Æìôàë*ÊiBn\0 *S: ^ŒO	~`�ùC‚�˨3b&ÆÁ§Ô#(8y1ø”rEé+;ÑRˆö‰øÅ_ˆ(}S(!Ì¢Ö ð [è
_5c#ŽŒ5d…È�
ªjœ9¢EÅ»�V�„Þgg£CæFÒ
-Gõh»ö$4šMÕá«®
Î?þ¢XöÒV‹2A|]yT¬>ÔÑh›âx+$íäu$#UãÄ3XÀOn
-ëô
”isY=a%t.ª¤G@ÔÞ易•Þ2Å ’Ä!!Ç.­C—gǩ˲YÒ(4elÇYã‘_®mW5=¤à•�ÂÅ´„¢nk”m×V
-I&AÑ"¶A
-½¨,`ˆs2B�“—xˆL�t]ªCJxÒ*ƒ€ë¨—�ã°öBâÐ,
9˜¿‹ƒ�ÏžÒ8sí{å>Ø9Ä´S2¢0ÒëÐÈB´8sQ=ÌjB¾­(Ó«ÐÁP	€ÖPI5ìXT½ÒУ$­ÓpŠ™5–=ä¨ÉàH'}+W”Áœj™ØÜí-€ëdØk¦ƒ¹Ê0稛>ÓìMh.ɾ³oÊb
! q"ͧÈuêS¾„€þ…÷�Ú§‹�!šR¥hÇæ^A¶Óx£,^“A@ÒÃÔ®ºîÔ®íD¢{O(xA6ÈÄ)›#HSé,˜:êhÈ­s&dÇ:”=•
Åã¬!Á6‘ᥣ„3ô
VHש0.é6ÄÉøãÙµå3xÆQ�_¼Iû%“Ôbº…l’ŒO&E°3§AðŸJÕ[K}´5këó
-G9§ B×2Â$=òǨ„Fm±l·,)'e¹!àÐ_½°8ĉû7)“ïÚ`û 5Ó
-¢H!FXí Ñ�¨®
-ß‹*��QEØaŸŒÛ^}qj03ÄÔÑÍ^ue~+‹˜”x˜Mjbë‘
™TÙƒjÆÒ#˜ô™¨£zßàýÓê´ÙÄ :‚¤Q·:覭8�Þ—æ1£²Õþà�t²÷“›í�¹#ë5X_\³‘%)°‚³.;—'·¤H¤ƒ§<Î:z(	õÈŠg^4‰cæQ¤\\¾ª<œ:r{QŽ­RB…E¸´lÚT?ªUò�LNß´oê
B¨–àæJÖÙ¤®�mÔ¥Ž‚¸?3qKcl0„'í‘žq(–YCeå «n_~_môð.rH¦="à
²Ñ³ÓnÈ΀tqÅ°@X@O�”اhP*d~Š¨Ê«%§(C�ëÁ÷†¥둦YÐ1rniæF[�åzª`+¦ÓÊ!¾ÂlÄ#t³zAèn¬ÈŸ@s�›Ùl‰jtK‡CV§U:ICÁÃêmBXò©Ãgûu´jƈafqæÈB)¯’°uàÖ :³ó¬‡!°Oä�ü1sz9®¼7u˜êb26¿âA]ÕØý]:í5^ÉÎK
Xn)¡­6;Yã›w·ù›”ŠÐñA+,+™�uH£"…ˆ¸@³S£r%±!¢ÊKê0¸_%UÎä5à@¦NSö{Ua­â¨ŠW>òàX�IJgÅ¥ŽzÆvN•zèY^lÔ˜C™¹ðY Q±
[­%,¸Æ
&!*ÚÆ=VåHIƒ ÎËIïƒqôW±H¤mÊ•P8©tí€Úå¯ÙA—_ÎIY:âÄ1PPRu 3©Éè}Ôi£Üä ÛJaóè˜Þk1Äil¬DƇsÑŒTŒíœI 2$PA9“{\¹*‰ŒàYU·vX>ƒLxåm©;Ì’X2®Àß„bÊ”¾÷ð|Ä
"äLn2¾
j®ÊÑd'ÉdiTH7eibV›#ÓF›¢"„2„ýºn—ð#G¶ßÜú¼qééî䙢š¸”oMS�
-Œö`±:»FŠXª5üÚ…Ž`G3¼Ì�8KóäΫ©^·

LNr##0)9K¬³Ü„KØ8 8™“¥)-—î©ñé¡AÆ{F¬:ÎÖ.Q”Ú¯!|¡8m4_uerƒ:†ÞÒä«ñ”oÄ»J÷JRÄost „D´HÙ �$6Á&òFª’kñBÃ}ìhLy£SgÞÜbvàI\Ùnº�~Š§µ ™ªMÙ9‰Ž¤ÝH%ôbªvÖg�¤IÛ±EeUd.-`;¢T0p#§9¦hcpº·Gõ
-DƒoD}Íc©öP.¶Ûp~S:°*£¹tÏ%Ü:‘íÛó5óM&„CmB¡ÿÞèÈ '&„ÊŽµûfÂRM³íeN#T@Ý!ÒM8¸`§"…@Eáø2gjFÚ"ižRžI­QEDÊY’ØM²¢¿ÅDÃÖzÅAYY¶+3)xD‚¦`òš^

-3…Aߘ
-ªÊ‘ÕA
6ðõgXÒnQ<šKÑ1¿ˆá+dWðøé*“I÷z
-¦)œ"€p¼ÉI?"+U8¯k…œSc²sÚ™–ñjf	+gÄêš*ÑIÇä·dÍKq»Ð±ÚÝ×Rawïœ:4+Ü$m9uô¨v
cvvì=¥ô¬ã•+Ÿ‰ˆ²¢G‹{GeßUÂAùÒ8˜­$�Yµ´X-¥Â}¨
õÐÂCãh%v\Ò� CÁ‘
-€Â�EeudíÉé&2ð-ópf¤7
"n}ÛqeKËÇøŽ¯ËfO˜\ƒ;R"ŠÏúüØš‘Æ>¸3s±4ÇÈéÆ
·ÊÙ0Õõí’#v€/ÆUÞtà׆äÐŒ™Óɺ¢£¿
-"±ê›WÎ8XéÄÉe׃5‘‡�+;t†d¤p‡p¡Wü&£§`·JÊ«�í1TýE�bãIõ°5zÇ� m‡™.
-Ífxø¨a.®Æ×”YW'³UF!n&šWÍÊ3c²Ë´?•kU¥©u°!ªÀ5f
PWDøZ”tL#¾h,H˜x³¶­,Fmë#}Ê’¥ÒWÙ!êнW{{žvQKì�T¨0S†“ªT(q+^�JÜèáà±7J•ªìÔ pJÓ§E/Bà”’‹M0e³rª®ŽG}Í©;­ f:Iå’)(ue
)Œ@ 6W±d+œ)Ř]]K°}'EÑÜf(êÐr>Æ¥Æ4-n…÷°xXœÚWÇp“vÝÑø	]™"˜†A?(/¢Ô^ð=ãTVîУ¤ƒÿ«zѵÆ7O0-�O£”*f¯G r“æSQTˆíÀíéÐ{gÅž
-ó]ÄôÕÁWU5æM¸	�FÒ—Ú{šFX­ñ‚}åh
-¦¶^S[Û°·�›+CEÃ.qöp°|ãšÛéÆ¥Q½
�ˆtMªé	ú)TØ�W;ˆ×W¯w<Ú¸6wD°Žkå§4ƶý×üáŽbcô\T'–ñK!D°!¤Ü¯jUý=mŒ \þ%¾HŽfÎßR×
•;v,ðïôý5ðí(þ³šÅG[
-í§Ï‘Â�ÃbgÀìGGµ¯ºö0µ¯Žn|1ÎÏ  Kê˜+«Q\ˆð
s¼XLj	R‡«ú-(Ç<?œÈAvkõ>OÇ©¿]R6</R
G–Pq�©®.4¥ý¶@pæTÍüln7!xÁÅ^mœ6
�ƒ¨�qÈÐiÙ*¯`C˜½˜©Ù€Ð—Ü
?€<ƒ2œˆìÐH“`}deG¢õ	“¡ðHÚ"R2Òä+ø|²ü$¢HÕ%yDüéÞSý5ꉈ�%ÃLÏ5…%À8ÌéÑ#v¥€m›I'GA‘¤ÏØvmþ“tQŠšE)”Å_è&»Ùáè=†	1‰%W£<da8]\yT˜ÚEÎ�µáõ‡VºUÖîÑoºE«l()³·‘QdÍVšY3¥1Jp�åV#0‘Ê/HèË	]ð)mÇÁÍ�E	e'
-u(Þ~�`ø�²"ÆE•Ø†:êþ÷�fiŠÎ@aÂ
-’FígtyN§ÅÓ‹Wº86®Ç™¥ÉÜ!6ëg¨ÖšbÄ¡*©ÓÿJ•IYM
^¬ÞhéÆ�â»êaX.Ž«XÔøe€ó_­U°ê'0HúÐÓ´]H£²eÑÁCþ=¢n‡¥=°
-«Ï 뱑T„\A£�0D"kwçFí낲­ƒ(S¦iìm1Ì!	Ö¥ªQ¦�²ˆ:
-$J8©:Â{½!µÖÁÅ{²_æ
sb¼
-
Y„�8©!.ɤ�\à¯lÜM2%~k;i6�—œ<ÔIÄ9BæI5ÍYLÉ�_jmÕB‚nkgê-µî;E„//£#ÖÈ°žé-E¨"õɬaŠÛ®f™Wò ¢éô¦
-Ó	òGg8
-þÈdóve¤3²4
¡²S?Œe'¤tt£d½£`•ö_ÍÜNÐ$Yì,°@Ú*á0ubLU4ŠI£ÖXÓÆ3ݽ§{¶›|êÖ*.¡5â·X ·gÛIG=v]’aq§il4*€×UÔPîê«ÀÇ�í)Û ½Ê%éMÑ–këœþ*³¦ÄÌQæRç"ùd
ò",Y©– •”b‡ì¤5¾ÀÛÓ:Þ¬ì€8«¬Tê»
-IN?äój[׎§Çl…×$â0qQ‡PCRÇd>â„Ö’ec^g-_L�¼ˆºþ²NØh*Ðòò(®½Û 7Èi\µ¥PŒ¬á©t�\M§Ã0+�|‚*F®ÞÔä*~™ý¨~Xv¨
TUl^ÃhƒþÅüç%ª[�¦újîèȨ‹·–ú¢ñc½¬™zÂk‚—Õõ(7¶µ­mIËÝ]I;Áئ#\
-#LJ¤k<F(:Š$<ßLŸìÞ¸Ù¨7Hu*\ÈaòX\sØ!HÈõa/˜‚Y TÿRŸ¯@»XuCP
¹"[©á'\ÉÃ5èìú›²»J^ØãAÕp¨/N�‚QÜ>×s“
§Lð^8(Æ×*%î˜
-#ó�w²Ž^*¬å­"SúœxdòåÀ†8É8�lSq|kÄΊi„.wé�T{3Bœª(­=ëÈÂUÈZ6nñ”ÕÙCÒ¤q*O³
iŽvGœÌ
mÎԣɓ`'Cðõ&ÒØ»(Vˆlu”è(‡"ÀJoO[—@Q(»Lň]œ#Þ@QWÀ
&>ÕKQyX+ƒ4É/¹ÔY‡ >ñBiÇVp'mú:‘�ÖÍÞ-�\q,œ\@ÝÔ†„=5fhaÍ�1Û/‹u„ƒM­-j4gÚP£�œq­ÉD3@雦¦OPµ�
-ëì!­rƒ¹ô¶?§ ¶1ƒü¥‹©-ÑóX­J„ãÒû B¬ªý jL:äŒGªFWrÅE•ºœ«ŒuÉP
-®´¨¤£ Â,k±
7b;¦‡œtˆ™]¨Y©")ý‰_ÁX$§S
{ËÊÁ-™3֔ݗ`í 
-U
-£5gƒ£ Õ¨œ¯êÚ)ŠwKpýi.Þ
ÔáݺºÏNõ<É%tÝÎ<„	€ê
-í1LC(/+íó"-Á�ªR7ÀÊÁTd›ÄZ�Œ¬ÃuGh‡ó
-k_ü²Zþuùkè`ÐÚ"ÖŽt*^92dM¸00eख़˺v¬Ù{9ÑÚì41ì^ *$Ù„D·6rò ‰Š§Ñ061FÈ{ŽDWwà50)±©#BL™
-nÞ´ÉËǹê¡!²ËÂЪJKeuY
¼UZŠäxµ29αk»¤²QRàW7rgòì´ñU2vÀ|�…ò´¹¯^Ÿ¾9Û•sU›‡ƒ_ت›jòÄ‘&cùTaán
-SÇ
-SG€Ý£*Ÿ&¾©%¤··4%[°£\ˆN+‘A`�®€#álAÉÃèUôT
-c<ººJ{)ð‘—y
ã]„Ì%å«:”—Ë
-¸¨·$%ÊÇ5=ð£Mé*§ŽŽ”ß>‘áàöëf;%#šÆ0ŠÄd5h�õ¹ÑuklÖÚtëR«);åTWàQìHK½´¹pȤ"ØqH˜ì…¿WE
-&4µî rœÄQûW
-Gøäö}Š)»$Ðnr³@Ø)
ÃÉ‹¨Ñ»R!ݹ€-$;:bl…pcêz'mÝêÎv�:oVwìØ<Å¥ ã:˜Ò}±du ¸–!.!†µÇN-õœÞ�8¹iòh¡!’ï-H£Hg~üu¸=âRføqG4f0ÊË#Êf±óKœ6\Ñ‹-Îö¹w)0˜ë+Eù¢)Òyë>°6ü¤k…B†òÞxç
°�EÉb·ô�òîì7ÔL?”ý˜ß9
-i8s§¦Ÿf/�õ‰¸‰H –á›ÕzÒ™Á��±Íú·ÂèEó�>FWEn„jsÑ®g!éáhr�€öݪØ.׆ëì½ûêCgÕû´«g”O¦X&c²ºQWYÀƒ –Ua:å•LÊ­Æ�±ÎVñjS”„y´C·[ƒ…¹1‘iÛr£-Mž¾Þ.[²¼
Y‹œ˜“½UcS
-¾ÎŸ…1Ë[[ãý�~í«¥·¥¨�áÙlÜÅMÀk0#¨µÏ鋽�Ž6ÄešAŽã�ñ
-)e21ˆ-8äo&&*Óó^‡‰Z:C7ÝŠæ·Ti¾T¥eÜÄ(I^vn·(ä¥
\¹)ËHíÊÕÃè;Aª‘¦©çWuKc¡BõM:¥„
-Ý3Ү̎�!è]
¡¤Ñ;þ\"Æmâ
-oyy7Á"y(å=�ºÞ³MÕ\ë¯XLJ¢†:7t’ù!eº‡<�Mä·AîV³”~SˆYåE ªj<rÙÅØpª¹¤`ÑæRE¨‹=Æ-¦$§ƒ» lKÓX«Ú[¬ŠW%±ê�r�ô0Õ= ØöÀ‘ÌSJp9Õõ })©¡m]¤[u!_¨NLŠ‚«VÑX
--" 9NÒ„põN+¨M„‹T݃54
-ÿ.—&·	
-Ù•(1W#�^Ý¿dù9$’u¯ÉÝô³�ÔÄŒg¡õ‘L4/VMQŽÍ9áE¯I]ã®é‰é¥ª&}ˆïŽ-­…¦Âí ¬ºò�º42ãÊÖE»¹“UT9±^é ¹¡Ž$2‰QIÇaµÚÙñ³fx2Ýæ(ìòþ™!NV·ò®ÐJ‰EC{m(%Òã¹'­â/`
-æ#Á‹“Á‹0ƒ¦a)u.Z,RKÏN-u.O”¶¥¨Zý4å—¹i"¤Õv3}¸œ`»¡Æûèã׊¼R¥<JŽRudáÆY1º4ûv£)FS£àk©QEÑJÃßµVcl+�W�F±De7&Ykâ™
¹
-m
-ɦ“è‰uçV«•Ûu1N4.äŸJn†÷´`5™â’.1ºŽÅÈ!ëá�iŠqu°²²‡ÜšV§‘åª2Ï0ÚNû½ÑdO^bÁk�¥�òÍ�í„A§�tnÄãOþàÖ—uÌr2	ÊÐÇÍ8j‰’Yì)•Ð’fþñ-³Cßõ@£�g"-ÕÆ>ª
-X'h£Æ_ó³šÚ_Ç
¥›£Òx—Ú¾ä]‚�”<ñ j^Õˆwͬð°3:
-pg
-¨¢g•¡ë‰7áP³Àyƒ¢RUði9Ò
-N¯VòE‹®â6’ØŽ’ 'µMÔw’éÖ¡±1.‹Úˆšg® (ºò™RæÈøªlÇ™‘Œ:„[³G1»G‡²
÷Q‹ç‰¹E[Ófqª‘džtª³R¤ÆººŒº;ú¢¿Æša• _ÛìúqH�ShÈãH£&Èi&Wd°UEI…H#^V
-š*´	ÒQê’À¨¨­Í4íƒUO+ø&Åc²#Ø,èUm1�;<Wkxˆô‰´ð›>#�ô6*±66Í
·��u¹�*	¶¡„ªÈ}°R¶hbçÅ(¹ðL–¸~~GlkúFàR!ò’žTBŽÁ r1Mát¥;�vÙDû¨:«Ç…
-]rÆŽ ¬+ØGÆùêj×툽3=G‘Ù+4­Í΂âo.ç†$÷N&¸}‘*	4
;Õ
w¹e¯^ûæcž²ª|#]?6¶Ú÷¦ŽfÁøl<âPÌ·©�ºÛÅ%=¡”2¢VÅTzƒ�1:4 >=º?2õy{»‡1ÂÒNŠ{æýi”nguG`-¼Ù	d\†Í!FÉ8Ò‰nÃ�Á™]݉˜(-laxtp�S:<vÞ.Ç!·uc&ˆv¬mÇ´ÐÛ¼“ð«q£móÑ�Çáfv%5ϸ#̵ïJüÚUWu¬ÀRœÞöz¡
ÎvYÞog²N<
FáLÂåËv˜‡raâ¡ÏÜhhçŽ43ôru‘t4“Ãâ;™2³4Bï=N&mUÿ8.®Ypdq
ÆÔq Æ™±«/Ä|yÞhL„<žëà6ñNEÑÙ{w£ìM}xeƒJa6*�V´“Mð	þu‚=ÒÂÌM¼r$;l�Š­Hô[º:>Ûµ�|»Õ{ú×Óϸêä½®Ø=yÅ•'Ž^uÝÁ»óŽ}úY'N<õŒ³¼;¸{åÞ#®¼æÄe¯¾üè#ŽÜ»ò²cßwðn«_}ÿê?«ÿá]Wÿ‡ëÏ;zò䱫NÜǯ8qì>W^uþ#®:zݱ«¦ßÛÅiìKî}â²ó¯Û{È•Çõß{è'´åÔs¯xèå'žòèUßwÀ<cõŸyàšÕÝoõùžÿß…G„ƒneJIã…×­úÏ^ý�‡­úy0<çàÅr/£
~ø€XìN9³�Qì8¤üIst)²8Í!.n¯¢`Âu^›§_gù_;‹±Éã¿“æ"ÕÉË_´7XéÌ4öøõ|'›÷½sàÇWS÷câºglŠüÙbv**²¸Ôø5à,�±˜ôvNÅ?P©€Å�x#�ã>Ö‡n’ÜÙ~×4·­«óÔCT%ŸcoßwðôóO^uʼn‡<õðá3vw¯Ùûá+O¥ßN+Î<ã«WÿÃVÇb?xæê¿ÜÊv;øHº*ó–0?ÿ½esm3›5׫�JL�Ù q—çeßš+j=Õ/F�q4ÀÔÌ»C@Á„ŒÊ·ª&=ùìnçߎyM£n>ƒÝ‡bŸØáËWOðÔž8qtïØezÕÑË®8¶Ú¼û¾é”ÿæŸ?ô
-›ò”$­ÎÐýÍ„X©±Wõç!¹G˜�'ª“厊JM–³–FT¿tÓ+¤FaÔ¥ÔRÙÞU‡ªHPÛø¦cMZY‰2|Ö­ÉÚÈÐÙ1r2ÞØ[Ô"“ãPE6Ú“ØÔ)›SŒµrÞZ„E‘Æn#´jYÈÖç'¡�·Ì6󠻀s(�Z¿ÃyÓ‰šÞ‹Îp›ê5„ªÑ(Ÿ™ˆQr"£ÌC(¿™Gàzñ€ØPî®ê–â�äÃ{RKðÀÞ°‰RŒ”‘¥9E‡óŸÒ°M9¸�!Œb‘ŒÅnUe‡V7‚lÕð­DXb›†(j4gÅ~	cÖÀ+IcOp¡{Ä…$™f)Ò¢›\´;+‚“Cd!sêJ�!�U¨™Ø+kPQgZ_q†ÂøÂÈ,»ê5H£×€Fº$iä²-ñ
-vŠÁN{'~[­÷âœáUŒ–Œ9B8œDá£ÈгWštˆTŒl,ñ¶M�ÞÔ¦µOÔ�t7ýTÓÔ	ZZ¯ªÝNÖ×ýÙü5�[1®Ÿî¢o½Á^¬Ý³ÐšÉìLTD¼y}”Öô!­ü �ÖJQ1IM»C(° Mqš9ý­	Ñéн6úgïÃYÝìÏÚåT÷�ºšôÆ:æ¶ïÃÜç×ó¸F!<ßÅH±Ó=t γ!öÕ´�[*hpãxLÑßtÖ(Äeš7Œ
-Û5c’91X5™žä°ˆ˜ìd¤R”T
-E×LZŠ’Š®Çd
-æÝ5ßµÏéxºôÚE&wò‰™
-1ùMšVŽ¹ìð·i�	ÿéä™3M^®›~|Ÿ3&q&ìà g¦â”lP�¡&Âí%¡]Ë�–�~jD6xÖµoºûg”l’"›,Ì
>F­X‹‰Ð‡ìáæWì~gé¬~Ñ6£2´m?ìÃ!®Hu0G´‡	$Ó–ØmGšE‘$jÔø°…œz‡ÄÈZ|Š:Á5E³hG1•)îż”	´eS”¬sŽ..cjÔ©Cô�Qô8E꨹!R§Q=ÔºF,‰ÿq£iÄ-”á5¶(�
¿–(äÚ/òikÊ`}ì"”	s8
ì:_´H:wyß3¿Ð<É<ÊeÇãÈ"Õ6?º,©ÄéÑécÎãp/$‰Ù½|}I¼¦1^v2ÚiY$ƒÄ�ED>HóJFú"Jéä´2)ŸãR_®còš&bû±ê	œìràO_Q˜f?/dýöˆ+Ô ú‰>Íñ53â<ΫX?}–‰Å&Î7?“Äê6C0�êf2Ì•¨ä*½,{�Éf°íRwF® Kóà‘v–µ;.{â¶]êþL~{^ìÏ=ïÂ׶Ø÷™g?¬�”ÛžP�r¦h‡SIÖqújÀg;îä
-¦/A?Ôå‘˺ ÓÖV¥ªM@çËø2,Š IuT˜Ì›ÈMÏCx½	¤èÁ¯:ïUÐj;xˆž2ùöd;ýká*#ðbˆhLÃûLÄ,
þ5¬5IxØ°fÀ°ŽjŸPkG°£¸µ‹ª²ï-Œ(Ö>~²ÃÔäb­)#§U㌅�ÿUM9Ž^º2
¡†KêÙh&"‹G4ªAÉÂ]“-gæ'
éÁÑm†jÍÆê>ÌZ–gí}B�`Šð‚+ØÌeö*úp×T¦]ã|Ìi·þëÕ¸qc\•ãÙ¼èp,îyËì²àÆ6Ÿ=9¿ùä¶>ch-ë9bC¬uQBdY‰A²Àö!
Ó/š|ae”ɇ‘m’`íJ”Ï>LÑGŠ•¼ïc6‡§¦ñ�™kDÃ6c½SGªjMÕBÝ.óF'§þYÀ–áÌQú¡„™gyåPhDØG̪˜¢Â\ìP‚j€m“^ ¬Æ‚GÒXSÔl
À3f!*cžýsˆÆGU†e�¿V"IñÏ“*¥1ÓˆUhý3%•ºÔö1®,€`XmÆC~v*[1ê…
-B²üöŒ-sþJ	à™ñxæoÚƒÕ•î!LÄ€½¢A:èq¢Q”dö=lCœlsP¶�”5R~ëÛ›%çÍpJÛ椇´Üd-M9íÈ#�9mÝ#÷¹¶Ñ�Dét,Œ”êt€ŒìÚq3ÒµÓá4òºÓ16²Àk‡’¶l'$.kÓ#ºòlrõˆ“×ÏÚ•µ›†ÈRè°°Y8�Ý3Ì“1Æ 4‰ý=…y„}ça¹ïåõ4K>ÙH#§¾f#�üd#�\ýd#�Ìþš�4p
-n¨×À°µ É€‘M!–�7³PÌÀ¦­…m&$ÛòL˜·šrËàÑ„§¡¦	y7‚R†Ò[°&DßvMØ¿›�‚Žî	Vh
7mTâu«CŸÝ°¥¶!‘­°C®«qAŽ9îm\x
Ïèñë­ÈÇ©Ú’'Ú,9Õ¦1ˆû;^­r&sØG{¬ Fb–±ùÁ?]ªãÁ‚ç.Ivss‚»cökãOÂñÓ­+#—‚]@BíÌåXma
T³ù=/Ì¢K(+­�1Cµ…Y4|½Ýt]ýè©ÇÏ$t9‘#‹éké1J»<M_•M)òžìKí^	X&¤f‘O‡Âÿ“| ï
-­im#_!·Êj±ÍäIöd«¡W*Sÿj#SVMƱx+]ùSa§¾6ǚǟÀ¼‰tPX�ÓznÓ˜§HÁ× ¹¦ÝݳàÖétpC”‘AÞ ½Bµ@¹•ÞfOfå)@ª$³Š7ƒ0±"t
`œàÀs¥ãIã«VJ¨­™gI
-ž
-uALŽk‹Š=ŽÉÀÇš?éì•ëðå0ƒ¨Ua¦7S“«ÙŽ®&éÀ­Ó˜çÈî¹m(‚4„Ð�‹z35Ãùd2pnSø׸®÷—fSµNP™š¨4„kªpÕ„Ð[
-È
-]×g1Í�¼‘ôAÚF¥5³ò(ª®
Í
-
-endobj
-966 0 obj
-<<
-/Length 53114
->>
-stream
-xøëÓ˜§¸„®ÉžuŒ¶-)ª%ÄÛ_“šÚÍ¥Ú4³XØ+-ë
-
-ÞŠÒ�³dØP¬%׊!L×ymó$—ÀÎIך `Q]k¸¢Œ˨º�6K•ù¥[Ìn´9óÎÝà�:h¼ÂT7~X¿.¡ú3?0;´ÏÖ¼1ÄÚD–³\ÃŽŽY2y9å\ÇP)b|SÂ#ÌÝa¥%l¯)´•sÒXÔ`52FÇeh€
-3ê®H¶‹˜Ö°ÃwÈ;óáàÖi,çõ"�Ž9BɦÍc£Æë€îÖMŽd+w“_Ñ]CyèÖ�0$níØ¿YÉ:¯„æœvm†cúŠ.Õðõ¡Vx©kîíƆ9†×n±,±¹U%LtæƦbV�–kY!?…²�Lw·
-�¸/ßCEV”‡0³
-/:¥ð£Ùv«¢Àç2^’=š‚Ý¢÷6„×ø~c"[]`%†�/qÆJ´G$%
-jž¤Ždˆœ0ü*¥Ï&ÀFèÿ!R¹9€A&\3uÌÇæ<–žwl]á@9M~·ž	4R"2vö»Â’
-ÁíâC\.>ºA	ÿóR'$�P"vBÐÜYc¨šz*R*+mNæûÒºt}˺‚7ç±™¦¶$
°b#‰âJ2d™¦ƒVœ–‘wÈP
¯k¬<Yrã2„î2Ù˺õ8u2ÜlÞzŽØí­uìX»Ÿë¨µê}Ç؆o[›áfþÚ²qkÛoß	ضn_Àœ.èi«å4_±m=j[7em§U›�vÃvÏ#ôµƒasËì®æU�…‰OÅ—LÕ7ô¹Æ®�%»�dz3fªê¡!Z7ì�G"·	Ù/cì´ISÿuU¬J¥'Ð;µ‰x€nDävצ±œ£fÈ׬Χ�#¹ #�½¼Y°ŠÓôv‹q¹0N×>'õ�w°B4BÌIöƒ#�ú)Æöµ-À+!¨mX!Á ˆkY‚ì
-mu‚�QÌî"Öb®Dkó˜×íÀ–©g;&éõºiq3ŠYK„|F›¨»�síïp¸Å®›žu6	Ùjó�µ£Yä¥*ú
Ÿ{sÓ$'ðß=™‘‚‹˜1…µX;à4ç£Ò¸"R�q”Ž¸	_jÔW�’M¼æL/iPк3™q óô0õÿµzÏ»êʽc'/?vÍÕ†^pôú›HÈKj¥Z†Wo‡
-¡Oä+ãZ–Þ«oâ „²�ybÏ‹[*!‹Ñ%¯Å9«…(Œ›–7°úækôS•i‘’r�àù)-[t¦CÈßÃUmÒ«‡z-nVï!š"eUƒU|”Èî!%cJ<d€]Twù­—$Ð!Áî$A8ÕÓ&ê;b.û4èïS�h"d!E
0X°‘ÅI‡#lBÝ\‘Q#ÓðgÊ^+QÓ`S#ïor}k›«�8(sG%�!_XeŸU'E®¯Ä®MªªL£&Të±gHB¥ÌÙ®ryCQ S´h
-öþ}ièÕÎLRŒ«ÇÉš8«kÒá¡@‡'­šÕÆ}�«Á?ôÀ!’‡'PÅ(à”½hËQ¬vTèWöÚb¥ËÃ{~|uO‡o7IOŸÿýàéç^yò‡�í^yÕe«[¾{Ÿ[oæô>vôø9GO^uÅ£ØH=rÆYgêðãW^µ']jž®lØË®|ȱKÎ8«_²º�óO^wüØ%㲓KÆç…—­=Äðe<D�Ûóü‹šÈû租sôê‡óÿòO?|å•Çžºsʼn‡»Ln�™í…ØžèìWvu¾ä>W?vwüÛØ?|ôê•¥¾jZ]j5—3Åè¿×±k¯Ø=¶zB×¼�Ü�‹I÷‚pP<Iª'`[Ðwͬ¦ •:èW‡Ž_µ…ƒ^þŸûK~
-¶nÕÎûÑ‹ÎÜ÷ý†oùºÿú¥Â½Ï9猻}›5ÜéÌ‹/½èÈöûý×~Û·ÿWgv›xæyçÿPŸ†¾õ÷_pÙC/>|p¿¿ø–[ßê›ÿk—J÷=ÿ‚óŽúö©í.ç{Ä•—Þw¿óòëou‡;Üú[þ+—:ë
ž¿X
-·9ü�k{ÝÃιÓ>ôÍw¸ëÝîôŸvšV—zàE¼o\Û'ÜÅ�zÚ³ž|õ÷[ ·=ýîßÚ­þ+—:+Ýf­ý;ϽæÙ/ùùçÿÔŧoÿ»o;ýðÙ÷Îÿ)óçVñ¾Øv©SNùÁG<ïW^ÿÚ—=íŠ{niw¾Ïݯÿ'.vwŸ}.uJ¸üù¯{×»ßñÚ\{Á]·ýéϺäòËзüå>ÿ|ÏáûÓ¥n»¥ë».}Þ›ÞûñoyÙOÿȶòÝg;yÍ÷¿Éëmï~¿‹.8;o¿·û]ÿýÙ?|ì#þÎ_|Ìý·x}·¹÷Ãó„G»×MœØ-ÓÎEžS¶ÍjõÏÙÏ|Ûÿí³ŸþØ_¼ý†Gô-ý?xüI×?õšÜD‡ðÔûþèƒøûíçg=ëó™oüì?¾ï5O~Àwlö¹êY?÷¼Ç]rÓŒ ÛÞó¢ÝKwöÝaϾþ]ùü�7Þø‰¼åyG7_Ëw>ð§^ð7<õagÜâ¦\ë´\±wé½öy‚§œòCÏùÿð…Õµ>õ׿õ‚ÝÍ“Óí>õ¥¯ü…gî¾)׺ý}/ä5GÛ¾ýç<ÿwÿé‹|­·?÷âƒÝýÄséU/æû0ýüè'=öK8tçýÜ{>¾ºÔ�ÿþ�7=å¾›Ý÷¾î†WýÚËž¶{SÉÛï\ýŒç?ýÄÝ÷ýÁE/{ÿ¿Ñµþù�þÏë6õ½zê+^óêŸÂÅ7å;ôà'¾øå?÷¨Ãûõßåäk>ð©Õ¥>÷÷ï~Ñî÷ntßã'~öU¯{Õ¹³e…nü“þÜ_}ý+Ÿzî~ý‡Ÿò¶¿ý=¿|ã6¤Sôä—¿öu¿øÌË÷}³Åz÷“/yÓ;~ó¥W†}~ûÀ~ÿc«¥ñù�¾ç®Øø.ÞïºþÚ^ý¢Ÿ:ÿà>þU_=ýË=ýÊw½÷÷ßøÜK·G1]ýê?ÿ÷Õ´>ùÁ7?õ¬�Þïß{ö/¿á
¯¼þaû®BõDäŸ3ûê÷|àïyÍ7G¢vžõNz„_üøüâñ�}þ®—>å¯ãkVÓÚ7<öõ³¥uø	¯ÿ£�|ôC¿÷KWo[µw;ñÊ÷ÿËjZŸýðÛŸ¾q3§^øø—¾þÍ¿ñÊ/ñq}í�ÙÐ:òÄßøó�ò_?øÛ7<lËÅÎzÆ[?üéÕµþíO~õÄúžq§ù©Ÿý[ßòºuî¾VÝ7Þb¶³?á7þâß¾ðùýÀ[vsºëÞ/ýáÇW+ã‹ÿô{?s¿µ¾ïºÿ£_ü†w¼ë-¿ü´/+8pëÿ}ú·ü©×ýÙê[ýü?ÿ雞ù õƒá짿õC4­Ïäí�ók}÷¸ê…¿þ;¿ÿ;o|ÑU?0×}²oûŽÛM±œüå÷ý3}«}ßkžpæú´~ñ>Fûîçþæ7öÖ§¼ûœ×ÿîûß÷?^ýÔ
á¯ZwÉnñ]ß5Mì{ŽÞðî 3ãÓùŸ¿ôËWvÖÓßò!Ú3nüÜß½ù±ËyÝá
O|Õ»ÿìüŽ—�¼ÇhÝpÿnyÇ;ÍÝ}žòæ¿â
?ù¡w¾àèü•Ýåø+ÞûO4­¿ð�¿óœå¾[®|É;þìo?üÇo~Þôa~õ†�t«Sï6ŸÁ«eý>zÿ7~ñ_þüן4/ìûâ.n¼ñ_ßÿŠ-§üÄ׿ÿ#ûÈû_÷¸#£qñáò?·¾[¸ó·Nÿ~Þsßñ·Ÿá'õ�ïùÅÃæ¼Óå/ýý�~^®õé¿~Ëãgcã{òsïúпþû?¬¾ðiƒÿº
é–w«aþ ¾ÿ'_û§|jÜø©¾íú‹m/ÿÁǾá/>!—Zíïÿ¥Ÿ˜ö×ÕŠúÃ�~æ³}Ï‹/šFúÆ
éÀ]àžq2±¾÷Ø‹ßý‘ÏòkùØû~õ:‹@Ýï¹ïú»ÏêµnüÌßýÎÏ+ç�{ßÿÛ¿ø±÷Üð€iZß>?.}
-P‡ ˆ�²¨
$CQÂEP1‘d©¨€€�¥ b
-'Oym›m±�«æt£Tÿš6Ëçb%âå¼�ô¿þæ‰CÏ)˜t›öÜ;+_}pBÝ…=k®™³”{Àž5s/(}Waðs›íŒ¿ç£‡êøñYïì�´ƒ[_¿£ßzêÀë§\Û·ôpâ/Cç-ß°éÓUK½ÿ¾‹ßý|7}ïúGkËßõü—ö]û7-›t:>vü³tfþ~ã‹“yö=þ¼&_USzÖ~Òóëv|÷íŽÍë?X»nã™pl~é†SKm¹~
õƒ'¯j‹}öšZ±ß}òÔ8þ”V]9yò••t
³¹z÷+ü{¿ývo6íZûHC~ÿû—vOznCnm9ðõÚgï{ûS«·Ù‡v¯}` ›Si¿ënž<ª{ÉN󜉋7”¯ñØô½=$÷ß?ŸzÖy=GNžksþŽ;?]ùúŠ
;²ò}³b6�ïã;7ÜtÛ䊻>«Â߈åè�G&Ô^Ð¥ë…C¯žtÛÝ—­úb÷¡¢;íÛõõ®½¹´¯ßš.ã»ÆL|“�RüY¦µ*˜.tíýjí²GæΙ3÷‘g–¾±jݦoöU¾/»¶/¿�Ç÷Ão¹kÖÄ~aég­ØVñ³P�»6¯[³jÕê�6lújçwe†[ùe¾‹Æ÷.º~μ»n¬)vœ3¡rkÉuà»Ý;wîþvßþCMß“»L{ÑôsÆÈ™½çÚî¿É¿êÏæ¾Óägýeö+—"×Ú›~öÉ{¯,>�kwóŸ|{ä<š{íýüÙñfœœ{ÝCK_]<wÔéùW�Xw×ò­ŽœGs¯C_¯šWc†÷ƒ¯®Zµì¾‘EàˆSÆ.úp÷‘³hþõý—ïÌ?ãÉw?ùbÝks‡uÃS—m,3üŽéÚ·õƒ·V¬ÿj×Î�oÞÝ7�ìûC¿{ÞÙÞ¼ÖìëÀž�»ö8ôýÖ峊։øŠGÖî:òã?ä:ôõ;³ºäßuúø§Öÿˆ½°èÚ¹ò®nùwµ¹áùOË7?εçýyåßÕvÂâÏŽ8ÇýÀkïúÇëóÃmoüéÞµã‹7äÕ×?»á§ªÃCÛÞšž;ËÁiÒÇ?UßhÜýÁ#õ¹ƒã°~ÁšŸ¨ÏÃÎY6µCö®ß÷½ûím?òX¶×¡ï=88×;:N]úùOÕ9÷~öÂÄsssï•×îü©>ìàöó†eû¯kï|uãOöaßnX|ËE™A_}Õc«·ÿˆXѵË[óFŸkÏSN¸dÚ’õ?UW<¸í½E/ÎN¥Ü!÷¾¾ñ0Æͱ\ßo]¹hJm’þ¶¹êáw¿üI^vp׆×æ�¿ÐÍÞõ‡^“_ùS¼ìÀ®Ïß^tˀ꼙ݪ÷”ÇßÝ´çGîù‡ön_ÿæc·*�µ¬™òèòÏvý¨½ñûo6®^:BŸSK�Š­z]sÿËoÿñÆÙ÷»6­}uáWôlU(»Nh?bÖó«7íþQ>íà¾�›?xýñÙW_vf剠ïÍ�½ññÖ=Çú¶Cû÷lÿüýמ˜uuß6Mz[_|ÍÝϾýɶo�åmÌFxÝŠe�ÝyMŸv‡Ã9ŸÐ®ßõsŸ{gÝ–�{ÈëØ·Çì¸W¾üÔýSÇÔV	QÝâì�ç>óæÚ϶îܳ÷ûý6o:øýÞ=;·oùü㕯>5oÚø
ç�Ú-ý{û˯�ýØ’7Þûè“Ï7nÞòÕ×ßìùîûýªøÖC‡îß÷­yË>zï­W—<~ÿ­W
è|z³#Z´ë3fÒŒyŸYüâK¯¾ñŽÙQâ�Û¶m/¿¶mÛºeÓg¯~ëÕŸ]4Ö­Æ^Þé´£+9á䳺^>êš&N¹ù¶;ç-zîÅ—_}íõ7Þx³ôzã�×_{yés�ß?ã–I×�нC›“›SuåïKÎhsÖÙçœ×}ÐØ&O½åÖi·U¸¦ÝzËÔI×�îß­ÃYÕ'ý!-Nªn×¾ý9çVºÎ9§ýÙmÏŒÿ
-�$³âIÛîƒhR„Íž­ñ±&ÍFǶ«‚koÏhŸVµùþÏè*åÑâ z×’ÝX’œáõ|“£9´ÜP7¼^ƒwmrõÀþC‡öÜ·$¹Mÿ5—
Ô»O¦\Zòj'Fhñá™qˆ;§��6®H¬ÓR˜ìˆÄGÈv˜{ÂâY¼ì96*=lGÄ/‚¨yP©(	‚Ï!ôQÄ\�L ´²æ©Pˆ0¢@U Àg�gl~0«É»lè­DÚ	¤=±#*ŽÄéËÏû­’ B±8`ÒŒLÊK¤
Âà$ªlù,«5þŠ¥UŠ˜Ÿ‚>ËÉH~ŠI
-
ÆÇHIySžM¢ÄªõæeŽã²äl†
-ïƒ>‘5HP,aZQÒ®’Bˆ?DIñ'„¾ÌQÈÔçÙbÌ ²âç=KV}âòÉšö»¢€�M	¾¤TµR‡¤ Ô:Ž[\€lêÍe�Ÿ£r÷ÚÕ'ÿ."N¤½Lïô·h>L(V¤B%%òHdî6ŒÏJþ&LHa"$< °�õ0Í1Üç&Ô»C‡)÷ùñXIÖ‚@Åa@ç°CÙòJ„8Ìï¬tdb—ønFÙXfý(:-¨{$Â]ã‚ÉóR
-æc]ÇE{ƒÎö̾ÇAéšÆ&Éu@Ôíci3·�qÒçb‚	ŽÉ3ý˜ÙÉŽ�U§Ùåûož�cäÙÑò¡¯:£y
¤]\:U©›qëánüÈOð7ƒM'0³Ðß
-¿úh7Ög\Øî(Ÿ8wø€£ïzý�=�|WþºðÖ9c+En5}õšþàÍ]�|[îê:í¡éù¶ÜuÒ¸{§÷>ª'
-ßr[Ÿ£{âÔ±S¯8Êú½ôÆqB™wu»ª¡M¡ð?�â‰Î#êüÂÏ�ä˜GœŸ×¿S¡ð»#ðBüsƒÜ꒾Յ‰GèÁ¿Î�ÊŸYw±S(ü¥©à!¹ŽÏ�ªÏí']tÖaGÖ¯r…öëúÁ7zJ�&C¯ÌõÛ0Wèó‡üíÔÚKµœ”!yÛ^qùæ[÷һɸ³Vm3àÔÙãïœÀ³öÃFtlâ�°Ûùö#ÛNZ¸h"ƒŽÜÞ£.¯±æöœ…|�xvÕÒ+åï“Ž*ôñuÎè«í�»`á†moë…Ãë+–낉“u&h7óÃï¼?ξ½vtßÒØ\5·ß~‰üÙç¹o?¼ÚþtòÀ!殪!wÍÑ!7äµ}��_“ýØ}X—ò'
-ýî�?Tþ¼üå½��ëÆg¿u=¤Âhì;ÿÉ©kíøØ×��ë¯Í~ë1áº
-¡sµó—̽Tþž¸¾±ñÓ³ßjnŸVa"ºhî‹GÈßõïhüò¶ì·áóï%(^ñ>ã¦Å‹gžÃwz|gã·OYÌã9³—.ˆ?~Ya0àÑמ"ßôyã¡·†ë/#—~ð"ýãߪŠžhç+¯Í<õ«MõN‘:=òéö·®À_'dÞšF-Yñ¤¼¤û‹û¿yBêg슽ûW�Æ_Ì·†`ù>ß_>[‚zæïnÜÿö0ú³óÂí��«è-²÷O˜CκoíúçúÓ¿{¼¼ßëj~Å{÷¿A‘TÉy9h)¾ñ½/¥ÇNø¸±±qÓ-ø³ãÂm��ß<F®|?‰ýo®×¬Þµþ&üqÉóðÞî~�|Är¼n’ÿÜ>ë+üºñÜõTgS9ó6’{ç�Á&qÒ'��û^£Êm×ët} Eá7lh<ônƒy×*Fµ½w%Óôü­КAŸ�ãuf‚HÞ±¹±ñóÙ…þ/€ú£‰…ÂÐå­ ¯;ô0�»¼ËúãáîÏrñÙ+q½ñžSW}Ðظ}!À4éÈëéÔuþÃ
¿öCº/B}1û”Â-Ÿ›ïž„».š4Eûv<üÀ©/z¾Ô½ýþøBÇE;÷/GŸ>yÜœ[zÉ]nœRcê}Þç%ì}eHáòWö6îX„¹®ÇmóíúÞçöi
-cÞ.uYnyè¼Â°7ö5~:wõ¿û�ëBzÊø¹wô*œûÐÖ’ö¿mz_ßvî]=ÖÜuê
Ý;@^ÑmÚ·u+zu_ÉwozÐL í|ñÕ+hÈîw<<S?ã¢é÷_{raÔ{tÛ'O¿'ßÿÝÔV|ü0úÔ%3¸^#ê.ºm†é°ãÖⶭw­â'>›K£vÌ+ïЀï=cf?mð§ÞbêùjjŒO͸[HÎïÝÏr�Û¯¬^lMŸ·ôÐ'ºOœÜKŸødB¡ûKÔ©>¸Ž½rùæU˜¹†ß3Ñ‚ô;ŒŸpa�zƒéUS
-c©xû—]È¿Ž_»o狽<sƒíéqýufŠ³7n»§0›jù»‡å×[656î|÷á76¬{(ÃÇ\rmÃI…!orÓÜò‡ÞL¿õx½óÐwMÝ
³O\8Ù,yç?Í°?Å{î~ãÖQ¦=núĶ�C®Þ[ï0ýêŽ-%½ê‹ÕÏÍ™÷A†Ýö„].¾óþ‘¦À›KzI㡽ßìÌýóÀÊz}¢Çì%óúîÙQúDéõ™N’…3g¯X÷Ƣώô@ã®…v
�ðÁ÷û›á�?ðš
½îã#ߎkå(ûĺæ=±f¬>qã§Í{bíUúÄeÛÄWËÚÜÍÇÈÍh¼¯OLiæg4®–/ïòT3�;‡Þ½BFÙ{Í|Åw/Ñ]8k~3kªñ˸—Ô<ýuóØ¿R,®‹–N†M\[‘PÍ3o¿Y@Øo_·½ê‚{×6ž³oõôÌXì~ÏÊoŽôÀ÷kﲺÉUO
þ¶oí]Š®Kî_ùõa€ûÞ¿»W¡ä:ïªGß)�
ãëÐÎU³/,}À\�®zäÍ�6–
y¾ßñéêÅÓÊ7èê8ôê›måšµk?àkíÚ5+_]xÓؾ‡Ûäu4jÜUWëuÕØQƒJã]þ×»¶‹\ÛÝJÕb*:¾Å
à‡¢g‚câAâ@p“X„&“X}
nêˆ0c¤îè—º¢§Búkê€H!‡ò‰¸â ªÊbà‰E;VW`d%¾Ô7“ª÷Y|·PÈpYSÍmå³?ÜÂKﲫZ29_x0Dó

-¡ü²8§.*[~”f$‹r|Ÿâ!„’…ÀѯÚÆPËðÄKšîÕš�(—D,ÅÞ!'%
›(`o"Ÿ¿§!ÕvI''´N«Ð¾Ìúœ<UWFÍŠïž°T•0EÉ�“I`‹�;¢‘Ar¡ÜŒQ¦$/ŒJÌEq˜X¯]Ìz=$I+š&ðòEWU½RhM¹*XA
-h¤…�€k=ÀÏãkÔ•I
-LÄïùŒÄªÚ«ãܤŠÃ<`qÞÄcQI®”PÀS™¾~¯0Ë@&BøÀEX�ÞE:…©HI0Ì@´¹ ììª.I8ÒІ”
-¿±Oh'Ss‰ë
ôIKV‹òKìù"W¥žr©!g`)�0i¢÷bû~QŸO¡ýê	(Ãcdôl´
–³£
-¬V%‡*'/ÈœP@<䤗
HOîiÀ_U-`Ò]¥l“ÀUhPÌ™"QÕ{ ˜Ãè
-Sqú$v™²2ÈÃ4I ‹hLšÔ®¶sÉ@ò5�æÓ›tEi>Z6-ES4Q³(´ЬJ¥UUr-²Ë[Õ‹6ÝÖµ
-R"’%ìé‚Z�)KF
-d¥Õ(eÁpªZô¤¼O€î™
RÁ\©îȵ€R
¡o»¢••*¬Š,o•ÝCi~ƒ½Šô"h€±‰lªŒ.@W#Ov*
}‡û1æ
-™K ƒbNêbHxË@$ÂiÈi%’9Ï%>ëöš~"zcÆpÐ^-IWKŒT¬®/󹩟Č]i˜±¼%H¬ö$Fµ¨C‡\Õ¢×J	–dòRƒ6vÌ“4”qÍ°ò­=e’uñ€1ƒO‘È
†ÕËj€Qm²­n33-²¦Gè³9­R
-…ʘãŠéHf*}@êV'Év`èщÊ/ëlZÑ9 ½RûPoç&dTW­¯Äª¢Šòb€‰þEqxÆvSXÐaäÚŽ%k—´ [©¨_Ø*˜&`3“•#ÃÀ”ÐuE§{‚È-?Œ8Zü5ƒ€K`jˆMî^D"è!¶Ë<—!1 Ùß@6ì
-M^�0¬˜sõX‚5€ª[4¿<ÁùM�ùžÈ%« „.0wÂÐ긅Y/FÇà]‘IL\Ý„‘ZZø1`Qá2mX¥lÓ1R‡´»MZ¡ÍjiÂÈ¥ñ:vù#ôa&S‰�÷ë�y-€(:˜cí°!½+0¿F®ö‚„t2IÞÎËÊ/‹oà[ûÃT€džµTàÄísÙ|Ñ6”3‹ÀÑm™éD2?û™F"¶)}SP×ÏéA²µçÇÜ0-):ÀÉ*ÒkŒ–n“˜/Hk�ä µ"Ï<5ø‘ÝVÅ}@J|äu1aüuè<#‰
)_€-˜XÕ‘Fh¢î‹¤µs÷bô{´×ð­‚«Çë½ÈªãDº IVã#Í*Àç)¯%$…4_˜;É0V@0Ý89V0«£0e? „ YùÀerŧ"áŠdÁ#QŒ_Ï%
-¸Hô³ILD×׉µš¶¦S Î QH·é"ë
-qb1¿�¨º¼ØXñ�¹­9’åpzŒ	k9ûj@>ˇrbDÐgR�Ö1DÉ!5¬²#�gÞ˜±.†HLS�[ìÖÊÓnâÈØLùˆ²Ñ®Ëì¦ÀcJt\6SÈxâ ›X‹ÆñäÞP¦‘POIäZ2HØJà�ô0ÎØ®<Q&=LN¼½!1ê”ZÖÌ=6’É.i.ãe‘ ¤[ØXÅ�Ñ0ŠüM¼ÍpD\¦’ìÎ�üuÚò˜{ÅÊ€D¶œƒa5AmÛ:ä—aµpâD¾ÖXërH©xf{‹¶Ï5¢/·Æ(ŽˆnðÈÊw¢
-yAÖgõ÷ɪ?/Å”+…˜ÒjØZkØZ,f¶– ±UKŽH邉&êAa™Ç³¶q-žó'„®8±éò8­¢ðÓÕ�%
-bµ86Å,ÕfôUŒd©p7~ä'ø¿›Éš½äß@$˹ÊðÈõÃ$²Š¯ü1ÄgÑ|u¤&¯ŸW»–ð¯þxìù]TQêèò8³í±‹ŽºÚ»ÄgtÞ)Gß×JHÏ?¥ð÷|?Š˜­|`Êß›Oíq÷Ø<
-E²|‡A›ÚÎ…àê¿nRѤìú§¼`Ò¯M'ë8jÜÅmÀR÷ÛÖMk_ÿò›œ Ü¯Z›—wŸzÏT"ú¥W.þSéúõ	'ä?¼´Ò.½ûé®pTð—#Äàpmžp’—/ñ	g4Þï‘×-þõw…°œþéòÂv?‡°B«óÚø´î€l�Xòþ#…?žÛù‚ÒX•ãŸ—7¡h ¿\Ø¿sþ–Ö5ƒ�4ž°rËÊ	…B‹š†a%*E¿KÃ"Ý?üδeÃuyE�ÂYc'*ú.Þ~ð«û
-§^unq&Qû(ÿÏ_y'
-�'Ìšœ§£ìzë¢Go�¾HËí/Ý6iÞý7žS”lj�ºE¹ý16™ô˜öÐœaN¡ uÕ}ÎòO>ÝÄ$‰»?[óæ±E/.œtÉEEâ=	ÌÇõšñèÜQ§~Ù‚ª:N_‘ƒ0ïxoî%öþŸAi´Mß^ù‰æWzÀ%3ÜÑ×)´H©;üÁ+[’ƒ™nYrÍérûï[ýÓe·aE\œ¿wQË—Íœ3ÖŒ5çôñ–]/jwñ½ë-Hw÷›7+ô3ìÒÌd§Ž™T“Ïäô¢h쬛�ÇÎÄDÖqäÈŽ…‹žøJòØ»òvAp·î6jýÙîÃ7手[žlÆH§Éw�7�ëÄ6§V™GN›Ô½P'A�ëïVVÊo}èÓà…žóß~ûþ<ÔmçD¼Þ|Ldz°rþ-ße
-ÛùqF¬î~þ’Â?ÑÈ<uÊ‹k^¿±ÐuÜÓë¾ùrñ€|&M>òÜõ…6ýj©ú.½oÙ"
-…Éèï÷Æäó8åÚg–N3ßôÚ‘Yƒ×Oκä{E%éyߪµÏô.æ®q$ùÜ°žþ^s]>“º§6îþâ‘Þ…¹GŒÈiÜd:Kaæ—ô÷º;òK¿ÅæéMo<±áˆy4îý`ÎÔ»×ðxøàæüº\ó,Šp YÜƾڸ…óØûê°üç´»ÿËæ<_rmkjÆOpc3£�Š®Ïo6Ožüá_ÅrµâðL~fZ;ìÚ¾…ššý—fô6u}5»pîÈ‘™…wΛŽüPéupí}Ý™=…kVÿ€ï9¸cËÇOÎõ”%?ŒÄwÇk×e
Õíæ–F>6ïúæåñ¹hñú—›3”^?´.×ßΞþÞh ­¯LΩé™Åï®æDý_›^¸¥C¡èê>÷££$!ßôôè2�Ëîs×±í¶G—fa®þ´ù
-ò¨úÐ'
-x�‚ #â”/½7çiŒEˆ 9
3œ0Àš‘õó†9lw¬A‘¡â»€‰u„ÓrFÀ\(þA‘«�,G+ü™<è2˜šïŒ$0TZFc]¦
-Ö�_”IÀaCñ½¹Àjq×-Ìž¢�ÍáäiOŽŠËW­…ÊF^Õ—(LP+†aŽ¦Û‡„ÿpX@ÓK}Û ÈØBù�<Ž4|*Ô¨*m‡–WÒ
-
-ÖM,¸Fû†P
-Ùo¾q²ŠÉú\ö	º(Ø<‡C8Ë|
-˜€›,.0@\¢xëã|ŸÃÝ3q-k6�ž±(I
-mÂ茸1„.áS¢Àb¨ð˜yÖ‰lió�(R8X6ê³7iq£@÷‚,^‘cúÚ °� À¸¿1û>‚_ÂWå{¼£…%€¼å{„Âgl'
Ò≓08ŒñKlàÂý8T)ö8j[ƒø¢@!:èCŸðÁ‘§Ñ7©âzc	X-}Þ¢mQ
-P§
ÐÅb*xÛ£Û À…°:%V”FF	í7Øé³Ø0ákVÛ¨%E0y<ki{q@X*×€Î/ˆõaDʈ>"�g\ªR(–=ÎBád|e÷­&·ˆ£˜âj—D“#¸Lcù6©˜ÛiG‰Bš_# óX‚€&d´“%'¹è“8Ð@´0TRü¬i@,ÌÎ@�I¸–¬ÔZÝx¨Œ?V‚Œƒ %±£@][j`gmøˆ²~S®¾„Œ)ôµ!@hY»83.ãÔ-¶¡5:sëbJ8ò5"Å>¯0ެà ^Ša´:ur
²pÈ,�eqš~Q̈PåIðs±…Œ ‰	�-Ù?°¿\߀Õ:GC,a¾¬Ôð	
-�rKŠO“=(þe6ˆ2n„ü†
-^®â.'"!ØbýYÂ3—$JÞŽ8Ž�Ë
Fá¡'+¨¬?Ye­•YÍ"”Ë·Ñt.ï�Õ&|*æÏ@¢£y“«
	âÈ-¶¡Ýüh®
Mç¸Q~½æÚbmƒürŸå`r�³Þ%‘Ô�ËqŠEcIc^Z²z
-›l/ÊÏGb^R¢:‘èHtŒ†'Jàû¹x:ðpƒ+G¬qThÐ�ë)0SyòÏgÛÁ/'-»JßËèëËNsš…<õ›	�dpgâ™bgxScÁ˜
ë ~0ãÆô&T‡ùœÊˆ)kV:�ö3T,ÓnÇ8­\œÿë0ÓæÖã)˜)
-3�«ÌtX˜iîn‚™ÒüßÍ!LwÃø¿(Ì´äúû#ßr„ëgÿÚÌ›þÃ?ÿ±™¨Æ¿o¢´ÿûø‹ЕMã› ÛþW÷ÏÿŒ¼*cÓHÚ&Zý—§$…v]2‚èÂ?6]1ÿoé§_Ôs@Ÿhê×Eó�yÐÝÏ›Àƶ:v\¿ í÷þñ¹_«ò2è?;±XÃ^¯³G\ÓpA‰öëÔÉåÑvÿ9­¨úxö€�=Šh´ã³´�Z¤gU·ÌÿÔêœ6ÀÈþ%ÿE>éünÕÅàÅSz]È� ûEÂ"¹Äßwè�Ôï¢3ÙêìžÝN.e?eÀ•P½Þeõ5ná·¿ÈÿvúEçŸXøÕiçØluIÃÈrþ¾VýnºelûB¡ëu“z
-¿pþ’«Ã¸×EIáøvÝ,�kÛ1·NèV–E¡ÛÍ?|S—Bý¼y@œtVî;ÿØýSÀ“zu×ú?oÂ=·U ¦>ùÚEo¾òøœçßy}vׂߣ{”Êç\h*£Å—µ‘Ÿ;aÞœ¾åYjX¹ñËO7n\÷ê¬Áƒ.ïÔ\îÖ8Š/•–�ÇÌ�7¾eùi_ߺwÏk?\ñìŒQ—žnЯŽzê…�
-íÇß%ìÃ'¿ærSC-«™ºÍäÇŸ½§ôSÚÞ¶xÉͧã¯hääI¡ž||¡óM?@5»e
-Ú e;™ejï]üôM%žò¡O­\"ø!wÞ|i!ébòë0eÑ3wÀ�Üõ–‡fö6ÿû»s;ó�>}“K½:õ,tàÃ�¯2óê9Ó[pûÈq£Í×Ä
ó—>uËù…Bÿ‡–>D_Ôæâóxú¸dÎKîÍÊÙ3Öìþn%Ävœòø’'çÝ{ÿt $ÚÞ²äíe3.(\ÿÚÚçé‹ÚÖ]Ì�Ÿ“®zdÙSr�£áÕ]��f
-�êï[òÚãw\=cÑÂÛP©ý¬\ÿîÓ÷¾¹õ›U“é—_*У³o\ôÂ=*ò‚Ç
-, Œ]��Jˆz.Q¾$²�DN¥'²Ü+I 'ÅI¤À(×izä‹	­Ç‰Ä
-Í!.
-mN^ø}_ɸËb>ç$’ãvaÿÐÊâ³j¡ƒ7 SsN,VÈm¥ZÊp.¦
-¨Q]v賿ÝXáyŽú—L±”þ¯b
-œÄJŸXš:$
0Á] Þ™Ðr
-B
Z8ùœ£-|sÌ=ÊLáž‘®O)lKaÔ&÷±µ)W(¯Y8G+6öÂÃéšalDT�äÕ;rÔ2>cÆxH©Ø›	"´A�#¦åüc5¹
sI‚⚎’_[»«¾Ëç	"ÌX9€jàÁI¾M!_N-ïªÏœÞ
-ÜÆP.)Õ;ü‘pàgŒÎ©€Àõªp±Üó	s1fÁe_o$4,
2Q.,8ÙCW°ÊeX¿0
-`*¾2š%±ŠÀ‹p�©šÇ––=rBá
-�H�Iä@
Çgàf��D×>Ï÷FJa
-V `âõTvÁ—¾‘q¡Âù¯DkðÕ
-Ÿ<Ô ôg¯® O@Ê&néP	ÑÂá#A¬ôèß ‰nV-® @jj%šá&eøk®kEëÔE„%äÜ1‰2îþéPÞ/ôwù¶r”WZ9uj<‚À�–óS¨×€¦¨AL¨ÞQî.`¼”>1¥ø”Eû;É‘[â¹k
B­à†Øòôfµc̼ϣidÖR¶¢³1‹æ|áX…›Vý×Â!Œ€¹gt²¨L�“ÂîèG]ˆßå«W:ƒÒñ®(WPzÊ1/2�i
-‡	•KS�â;€qñƒüðhÓ<˜À2*O¡_Ó%™›@à�¹‰€ðŒò‰sˆ âŒF DQ ƒ¶Jãaxúâ�ú�–?^iÇÚ°ÐØã$ÌŽÙ`¿5Js%�æfÔc1«>ßé1¸=ÈÈòŠB0x	° =–ç7?ƒñai"Ë(�V3+)+‡€vT—ƒØ²vz61›Š}?‡ÎÖ9xûa€ðêmš#å\]?±#¸ósœ“0�6+²1/ÅòD^Áèo\ f/wà�,xbš“ k �j.Ð’º­yÄÃOUˆQ›TA
-'põDd™¢»åÿ/ÑÍ®Æÿh�HýÿqjÑQ•éfÑî&´
-¿o×££Õo>ál�ýo©¾î¾û¯×ÞÓúÕ�b>œJ{Z'E�|ò½7§·5µÔ©w7Í‚Ã
-­Û9…¶ãî^pçpáz8gô�Sùq•ùGÛž
-Shxm˦Åð;]Þ�½³NÍå`Ž9ñ‚þ¦Ì]0ç*þˆ¶Cï|lîåø€3L×Lúô9]r¸ñÃýû×Ý
G§aýØãÕiôªý®7ÜõÈÂ9c»“ëç¼i‹×|ø	Ò¶©éuɈ+ˆ{ì‚g¾nlüúy8®;ŽFN� ~ÚD:ÜïzócOÏÃD6g¾½mß·k'Ró�›<õ¦k.áÞ~Ö¬u‡@ƒÏè4f$jwšrÿÄÃÒñ¦GL`2«3¦,‡í›gà5¾xÊ왓úKï¬$)‡Vƒ,äâñ
Ôù.¼óñ{zã�øÊ{g	õÎ¥‹˜æâ“—Ú\që­×^.¥¶wo >¾Ö4Ï•S‡Q]:wñCLZP{û4ñÐ
Çè�Ï]=†tQotís̲yz¡0èîÙEé=ÿ•'ع|É´[ÅOXÿ¶ø6ö¼àÆ¡�3>¥Æù~í]ÓŸ{í±Ë)ñÂyË_ºš_0kf-ß8j¥º46̯5=ûýÉ�Â)ë¯6oßüÃDªg­øàQ*ý¨…�¹Ó•kÔòÀ
?·ÃjÄ[9Ç˾U›rãšížÛ¹Ðû±Õ+ær[\ó‘ÍázóÏ?Ú14äµ¼ïoÃdN�ºáÐÁí+ÏyÓ·_¿Áª­Ó,ŧ·›žÒV§‡>Kò¾Ò‰ž ó“¨ÞCßí€[òËÑ={gœß¾\W8£oo�sϺ?/k»ÿrÂ�_•óâî{çS£�æø=¶/½õŽ©#N×Ïÿ~ÞmôõbSõ}ž+¢yÚ³bÎ�K7çïÚùÁ²ûFX@ØÀeE”Û–Íœýr	ãÌ÷_m-qÚm'§îÚ~n±dðw_m=²îËç®ÊÁC†¾xd~š’kÇëSòtm§¯>:'é¡íoL+bÉ+t›sT¾Ú=Ÿ.™RœA¡pþÝ«ç@/º¾ûâõû†žU(½ºÝ¾ôóæ|ÉÁÝ_¿ÿŠsËžG]Œœÿ滾?¬òó¡=›×¼tßÈ&]‹ç6Üûüë+?ܸ«2%Æ�=[V/{`üÀòòçËÑgø˜\º|å{–
|ŸlÙ¾mã‡ï.›?~`Åâ—¥nx1ÆUï|ÑÜëúƒ_±ÍÅŽÈãoàúo¯äQx%›ØÚÒÞõϼyíd·°|òš	€ºŽ
-ýA¤F@//!™8ä÷YS¨ÎåH•cmSÖ`­Îr)È"Í"çËß×ÝÜýŸ²³v«Úð³åâPR¬ÊRRE§*Tq•Ô¬š�½*“ÈâpôI0¹EøðË�\QÙJ؇³\ËzN.0­GX@k òLjA÷=¡¯—‚E"˱U¦žs9ø~,’JApwFÁK-+‡rñgTüª"VN¦Y4|V¨ÖÓÞ]1¬­b
-�Xƹt艪�fs¢ï±R…Ïlš<©è2P€)'Æn"5a£/uÛQG§Šš8´&D¾i©/=ˆˆpºÛ›‰Þ…j^ý1�iF–©Ÿag:Τ“p�Rˆ³…:�™Q\™RÂ�¹RvÉVœg´Ä±z˜ÑýH�£E|1	3‰>Â.ÈÐsá�Ë&6ñ‹ X<bÖÄŽ�šPÌ6»»DŽ
®1t0Í"Ñ~‹ü{Ì‚ �
-Ž…FªäðkÐ^T¥ÂÕO¥ñl°˜r"Ž$Ì#µ‰¼]òÐA¦×•T¸|‘Þ%Åí–ìÌŽË40_”õBÜ«ü±h<ql5KÇ,PÉ¥�4YmöFE8ÀUU³DÂé#'¶Z–ž€+"×eDýŒHØE"7ÌË%3˜ÄŒ[ž(dÊý`l 6diåÐƯ"N™ÝŒ²Ö‡s9
-ŸÁ,I
-ÂuœE™1å¯s|½[ÖYI $?"
-³^+Y)Á)
-4t”5ö/+"ÖY5cÎ?ÊUê(„ØÔñB­¸2éR­¸
-B§%QËÕSõ3`lU‚M'ZXmi*¨[êe|g*k è±ke:A",.©ïÄRõAê
-LYXIH�W„»I¸6WôjRò%ÍÇŠð£žÙt‘ÂÃâg⦎˰&KAŲ”‘$zˆEÐaè"î‡j—U Gɦ{±€Žì ŒŽ„β|P˜ñÅر+€š—È"�»c6}-ËšŸ£”ƒzº+‰±—d˜=³×ø>ó,¶$hnìP“ø.w²–•ifx“„3O cºû&av)p*Ø;ìy®G"¶ºÍò¸!¨†h{&›lÆ%BHZ¹¤À(+WNV‹sCMO”&˓ψ¬�U‰mÇo•qóTdñ©ÄøÇlö´py9ÉB´I@�tc~jA›~ªBíi¶ÑòÓ§®…è†�±i&ŸÅÒ
¨•ó­JðZŠ�×,èÅóÇØSO”åeöƇs](Z´š‘�	ŒÛX€–))UvNÚøq¢™ÖüIôžÙ‡!�^%
EÆ“==#
ôH‡$¤su(‘b(ça-+q;õ´wÓ!(ÿ ‡È"ä…±Pà!7	Ëx«­/DÇvç®[;|�= |#›Xš-9fÏCl+‚qKq»ÙárE�o	 ¸§½›Öô½„MÏl¿†˜È5ÔyeÌ;ÿ‰"“åó(e³^:�pÇ�@9(Y.7�Ò‘:­tÏB[OŽT‰PÌÕ…%·µGWeÌ8¸
-eˈ6Qd…ï9ñY!Ôî&¸^P}Êî�^NȾRî!©GŠ#N”̺Fa°
'
-ÿ@&~ˆY™½øî$Ìt¶ú\Ž×É,1™pÍÖÆdžȓDbGlY™v\íÁØr@JȨӅIÛ±Fnä�e:^¾®'�&*N¹êØfëZÉî’ª¨•ÚjYAqvP¶ëIb!õ¤µOG¬q=ŽÃÖ3õ$:¥Ô-«ù!v„ð<Píc“¨ ¶/Ç
-ؼFB8ëçvÞ8±ăäÆ¡ŸÑ©%’½h#l6ö[jø™Ps—;…ª	±hH
-3Žv,ø¼i‡]•óTc'ÏE•ò„	¾LÞ¨†Yô*Vk‡
%—ƪm5»±+�ÐDò(uï§RÅI,H€²ÉÍ!…|P±Sãd뉌b'–`^$†žê1myHU­ÍÂ,Ç4là˜×È
¶s-8æõv‹Lfº;–.¢N•lÙ½AÜ~S¼»ú}>-ÜáZ*ÚÀq$”4*ÖD~èÚu9MxÛ4ÈþÀå8­
}6
-�
G‘Ë^
-8¼h
Çl'ÑSHäó†4ó
Ç(µV’r\–…D,“”ÆÊxî±6|Š˜na�w”Ÿô¹“}üÀñ�8wW~óT¡P£Òõ²É:uJ¾žOvÊý ¾rW¥R˜ rˆ#‹"%F6‹T"Í<Çaž;5H}9þ¢ùŒÍ>Ý…Ý$9û%Q-ÐÁ§jgÐx¢C£T\åd�¨·� +Y¡ãËÝÊ'�Df%§f³"²ÑJ¤+æ²ðBùÁõãÌr51�m)ŠuT2çSÕ•2…–žö…Qt‡øáa1¥ö<Q
¬4ZqqÎבêi0j™�ý‘˜¸|
-4íæ#Â:{%…uÄÇÑ*O…8ànßažö
:|Ìî™ÑçDâã&,qcx	‹
-Ðäì´R¿&Ã7XNÂX»ö΄ï¬V:ÂôÀ®Úžè
-ØÐؤ…(õ³\ÍUGf­” ”‚¹Ù½®-­g‘Y埀.À£CrF'²ßÚ]ƒäBCAž:�QRÏò…ÃAÐh|¡5€
-­ûwøŒß"bšä­f:¿¦Œ:OUS
-“7×59ÌÏJÙJâdv•]!ã8›itR€Û-›íü�»‡ÍÖ;ÐñGá-²–VZw�Ýu«ÎZ¾é“aiË`-°|²æ¢#ÀzM‚"ë}®Äää!³£µè^k³æsÍ%F¹²äÔ³}9Ë5�+”@¹¶´¹{³ïÊåZ^µÄ]ƒ*û,x䟙³Ô'ͳ6Yæ>/ˆ–ºC]Ä*iЙ<W¤ŒgãS#öÚâ³µFÙ6ÚÏm½¬ŠÒåï•`ÞD
-FÈ‹ø€šñ„QÛ](Y*OÉóäD¢4?–®c2�RWõÌæV=Š¹=¿c…ØË)ê9ŒNç³vÆr¬ÕdÙ2‡®Ù„äåDŠ‘™O.�g-zO‚ƒP[âZSO-²/�D~>²Çܽ§	h‘W
-Ñ‘èU“ÑW-EŽÚш2½{±Ny‰“ÕK¬ÀIMÔÅŽ"‹ï…RU"Y$‘OyûÃdɉÅÌe¹¦ŽÒåJ ‰zr±Æxþ^Ä¿¸7Vv’|¤LQ^²è8l‘$¬¤Ê‡ƒxœ;
¹-³^(‘CA&dŠ6ô¸i±¹�[íî;¦ ´	ð°Z&
-ÙÂëÛ>�0�,�¬„5š…gò™‰�ëràéæ†+E¥ÈŽ$�Ä)�èî´$|d@¿@=DnÑI?�ÈÇj‚Äå;qLjóÆj]bÒÐp³Äl*«»ÚÎPä+K#öÓˆ‘—¥6Ïîÿôì­t¶¶K¬‰Ì¾u²DÇ®°Ù†$;SCh�ëh'�ïŠ-Ïh~.SºV�N>¹€Äe6Ý;v•×ʧãc…=\tÅ3”Aö‡c8Eá,|Ù±àuø
fˆ= %ªËGA-†
h.®н¾µd±H¹JHù©f
ˆïE<6·:d?”…¨!ÑãÀ%O‘@÷SœÅ1í¨Øéu,{*…2ÿð]•"r�a_ÅYËΪcýƒöV”í8‘°>	{Ǩð&…aÄva÷yï,²&í¡#¶Óà`
½°©é†³éV™ò"µb‰˜­lΕ¨pEჵ‰j�c†gšTž¡S�ÇB>!ô6(1ÈB=|—Ñ�ìò90Älj
/œpcƒ€Žt…¤£ÍÇä<Ë®
-q-â,…T¨�øéÖ’Ï
DFûoöÊøÖýIžó\×N5ª“
-íB`¥ò#‡	
05ñè†%Êq$6±ö¸â{=a…�¦¹r©ä@>¥ù³¨\ÀH‡–M1@|F°J2ÒˆNX¹´åÃ`.#
-íÁqÝ.âöS…­™žãñ�ôR•Î–Jt2Ÿ•m:Ñ0³Í
-sŠA%Æ
†½#ú‰d!˜p ÿU
-6Uµ%Ðt…žÜë;Œ�%:|RÕP|¯o÷ã¹—ù±£gÆÇ:
-Ù)ú°Xý q°3Š*i”Wm-ã¤î’
¥“Ò ™,)䤸hÙ'»Gj ænøêgÀ`‹„ƒÞk1l<^c©gÐɽ"‡h»M£U†úBº5ˆy
ÓÁ*vXÚI
-1då@j:tܦ�¦ÖJêÇ–ÃT)Ûü”ûRlcÚÊ+FÖ@
ê&!¤?uᙄ %	‡õ]a%DH
-J+~I±n©”žJµ©s/fE1l£•È
-»
-¤Í3�ýáña¦Êý%Ù™�œÃ´$x°/Ûø˜·Ë¼FÒ¾EKô¡+XÉ$!ß«Û/"…P=ÌŸOÂÌZDdÛÇ_E�çó…X\q´½O%1ä~sS™à‰â½¹±Š1oäÌ1\&:¨eõâó¥4ÑHPQÕ5mfg;f[Rž
-š4R€;mÅä(ZqßrÄ`áµS›Jçú�iJžpØw•Hç’ PÌ!	BW�¹Öp\QP¹¢ XT0Ëæ�¡'‘®H§5.¥VÏ|fï.Ó¤Êéï\AuÉ¡ð-™Þ‹÷ P”¿Ë;.×åc/v¬1ª–šı›tÊ�ÄŠŽ*�XYËü¦Ãt€„sÅ
-Q/ÂÉN‰è\¨¥@^«”ˆ©�=pØa¨Z቞
:™™ë¡=aCb
xÃ%�JŒb¶âø˜IcËXA‚í|<E÷�kÐ>NqÅåX{\;]ˆÖ'¡â
9^ÎcÞ\šœõÐ_ü¡gë‘Žy)09"¦-_¦[ŽXǦßrÛ#€Ý¥gˆ
NxÍ,³Xö*
-ivY½6ÓXÇY9O5ð9$DÜ!ûTÚþ`°³J(z4«€ˆ¡¯«%æ¢D¢|bëÌJ@ýêëÈ"
-�Õ�ÀNYÚEzLß�WÌÀrP�	ƒI»`
-u…Äv "¼¦u~¥Ž;r1Ô¼öèp�ÖRëêµI •JÑ•<_óAµ	–Ø9wõ­éÈÓùÍ•ùÅᘞ‹<±1|5¦Ä¢R]

O%©’í“|@d£¼Š«ö'9HÃÂ
-Ü™X_É9„¯Y?/¢!ÂA"£
È^YŒ!û ²c†Ÿ
Ú&G¦ŽQ®#„ÏϾºaŠr"�ÚLŒ0F¦`ÏÄÓ³ãèÙßêÅž (”H†Þ•�öÚ~º/uÓC+Ó—SL\Ka‰¸ÍŽWЪ±‚5
-àgé?ä	Ž‡+S£*œœú¢á­ ŠÓŽÌä
-e”(ci‰ÃL³©è^«äˆ«ä´ãÝ“Ò
-
œEÅp„J�•‚t[U1$¢<x¢R —¢bXFÅ
-Á–o¹,4¤bI¥€>¨žR1�¥,æEr¨ SLÓ³ìî,ô¦b�N¥€K¡\~L9ÈþĶð	'’]Ɖ*¤>…#//ÅÈ:M<=Ù3vMÌõ¤®B¨�sUÞ'›ÒDk•Æ'z¡'h¥‰OB,>
-Ú9dYH|¢·=«@iþ©8–çªxd›qM—B!2–øÀOuô‹¿›L;¸êöĆ5a¡_ßËë#Ç�e4Ç1…N4QDL´
-k̺Ög˱¡Nol]-Öb»þÍgâQÓú®â8õOô
­å–¿Tz¨K}�iºÃ>tf͈þµù'P—‡}Ä£¿v.÷šLò†¯ù¦!õÿQW;ÄX„}ð#ß&ŸVÕ\ݺ£�ɺî?«N®:®ªE.Â'WÑ[«N>®ªuçšáõ¾¥zÈà>#û×7ñùPu—¼
urøWKæÆ3MÇ®jÑmD]Û†ºÁ�úôÁWRMgUG\UüÿŽ !
-©¤N’ILI„
-Øhüiì4ÆûÃöÛß=µ«©�}t¾MÔñ»%Qô/€ÝÞûÇdF®…B£L*¯ôÔQ_þ®ýL�ÌI@~i@Ô°°!¤oÞò
ï"Ös2%þ¶R±?P¾føf—Lè�ú(…ÿÝÌR‡”’7|ñwW~së<ð)]ßѾarõš’aàÚëPù=1å.fhŸÈƒö«íÁp2¶	IùUÓAò–0’ÿêÚÕ¹¥û“q×h»òƒdR0‰Rj
î7\Z/
-P³%Yù*ÖaEé|U*Í Ÿ6w;òüx¡ý¬·úç.<©ËUÚ^¸ÔŸ(T|±µ
-Œ7/C½RÏh·Û,ïï¤
-hÛ�ÝÄ"à¿èúþ·×·ví˨tQjÅáÃÈÿm�µÆ;òXF*‹¡^ÂM]åd€ÅœÅ0ä%sÄÿ!ubOî)á’5ô_N‡øoºL’JŸE¢©ôú�Äfž¥”åaP*ÐŽ²1áÝnÚ}¼YÔôg¨ô?ÅÐs.;S$¨|¼¯¡É{›™N#Òie62yv“hhz
-X96lP�ª�
-ÚÚfàþø׌ø"9Ø?,6F�
-
-Ó£¬}LG…¬Mæ—ô7#&|Nݹð™QÇŸ¢õ‡ügÅÁïzÀþ#=ÿ~3墧ªÀ»å˜syØïË/ÿÑèâ?¾ãý#zxgÝô£åÑAÙ¦‡YæÐMg0>õós·}/Q-÷•=—ÀCw!…÷äþóx8覵¦DÁgoÉ*ý¯N-÷6Etkj"·ÐØ虿£øû›õ{
-L”„€	~àÁ9°R”pmØï¡�Ñ–
-axÞ2ðœpOöåq7Ü‚Gz~=FŸ¨1r<)uÃÝÿ�ÃÕNo,·zýÞø;ã|[&È}'l5å­¢Ó°åQW}5]Lȇ„ùÐì,6G§l# Jû;€B¯VMÏ”ï$Løú®ƒ¯ÈÙæ{2�
-MÈÿ#â !éÿFiÈ�èøGí¡OÕƒbPƒÎ„	øŽï,ÅŠÔ±ÒQÔôódÐö"kÔHŒó*�VšïÔ˜'"Aúr”.‚¶…$
-6|lȸA?�v°…e9#5
vª:Æm\”
½¼¿¥�¦Ûí€M·ð“¡­…÷Ä	À¶HùoÉŠ4Q;‹%„8iõ/Œ«o;•b†a4'Qöh4T{>cÃ.�Azõä4¨ÀÑ1Œ‰ô”:ZŽ]¹�ª—róZãrÞÔ†„‚m-ðÒb* 
‹…jæ¤ê™= ú™rw©	7]	€Ã8+ÌQ›¿ËÊ›jGc†Æ&}0´Å°‰†çÁ8Ýé�”ç¡©¹2têàónàö�KqªÀ6º4Ôǵ.­t¶Ãö2_¤¶Â]¥”­lºMBÙp‡&ŸºÞ E��_ÃÏÜñV¯ §‡Ú…×|ƒI{ÎYoó—Ëêw¶B‘ÃF_¾íþò'j{Ôo§£�Ö¦=P½ 	ÚŒ{}ÓÛE¥gÕÉõhƒ(ÔOb(…‘¦¬ÑŒmKˆmÔIËX•H}›_ƒÔ¢…R·<eÌ û"ÃüA4Ðï<Úôù6ò̸,§H•�Á�˜ÄVv©Ÿ'‰2 -îÜ,ß5b†¹ÝªÖŒ8³šÇCÛCËEî
�ŠSRŒžÛv£@…Ùƒˆ-Àù=ƒÇ”Evw	Ç‚xÅü>&:È(ß	§•Ú#Ê
--#…
ªH§Ã~Ï‹WŸéÌýA»?q~vâå óIìÖèBÛ,訌õî0ÏD�>`ªRÆö; /=µÎo”á
-r#YÝh£

-^iªsÙÇLF%iR€ÃôÕqüO6�q3Ò¬ð¦º÷•®Õâ�­Ø+’®ck	ävÌî7ØÜ<èf7xs`8©–ºFdfxóg¥û1±H–ÈÎðd£8‰?¨{jûý»o·õÛ·û
-¨µ¨µhðì|žíƒ¬.ÅY´D×#þµß)'ÞžLYǽÞ•Ø‘W
-‚¼†¼$>fky¥`È+C^)(òJìÈ+Ù‘7Mv”Ûº€¿’Ó¼ÿÌí(Ì1~àDáœ(0 °
-{ P{8aÃ^ŽÑ9;¢û5¶á¢wË ˆÎ9–K÷Þ .®sAq�ÃqÝoò
5ѹ@Œšs`9[kÅ•a¨áòwyà‹á\
-vôõFJ
C_’™ak}úò>è+C_!(ú
-ìè+A_!ú
-�ÐW„¾}õ‹yü0R€½B ìÙ±W´c¯7NŠözëÒb0ì�rÚÇ6ƒ!¯yEväƒ ¯yÅ@È+B^‘‚¼ÚeT~ø(À]Ñ�»Æ‘üþà-/ØÁÎâ}®•]nJãh,¹ÝÚ+™“½âzMŽ)›¥æóÑBcc·‰lˆ‹ÿì¬�쌥ÉZéäŸÊ�Z�ÿþ‹DO•Hde9‰Ä¢¡êèë?xImrG9ÛçÁ*üÙÜÍ?¼ôÁ‹çðFÛ|½´Ó­£yÄzð½´sõð‘
-ÄAÕÂ5Ot/[Œí¾‘݈.…bêòâpDZ«2yJ/Æ[‹ç÷¤A“Bƒ¶ÒÜÂÂÕ—cÉ`2¾o·_¸Z)wBp´ö­°8×OIƒrµçöuÐPlIÈÞVÉkÍÞv¸z]¹%ïjíãR(_´bà³ìе§Ëïkú §ËË`_ì»**W™W4(¿²ÛªÚwõNy¨\�ÂAnTÊ>dÇéËUÒ ¡˜ò0Ú;°†uš;æÖhƒ¶•¯þ†<èqueá#79BƒifV]•j´A÷¶…
ÿ…<h6q›\ï_“k™<m&Vv®WdÒZ¹Z±ºE4·°Ø¼RÖ)ƒÞ>pµ‡½s4(Ä1'*©ë±·ÌU“8h=59¦ºÜ}Ù9!

-Ö¢lD2Š::]„î¸
-uÐÇÇÝñ5eÐû,÷pr‘p
-Fц=>yùvSÙX!ú0NŸQ}?M.ÝЭq�g`âZOvÊÝ®Z&Zý¶š£ZØ‹\s
mP9:®£Aá(š¬‰l+“ë»,4é"š“…õÄ×Éû#tSqú´r¾¨úV\±
*½.qGÇÒ”ê}ay+¾gp‘´¢¾,ÀAWÝì¡‘ŽÜ/äj`ÐÕ%Sï‡EmÐíx5…E£è
-|K`k­A._[äá[ÒD÷^G¹ÁrNDTIz?Pò'{åíx\à·¾äÉo÷—";'×Õ3ë­M‹î�×÷TòׇÜC#™”&”·¹Çã�­É2é-ÐÇ¢‡‡Ï§kù«Uâ×…ã/|"¾}÷
-T[`ç<âú˜mØÛ¯ƒÖ#}Ph瘃Š¶AÀÞ‡úÿ½1l½oð>h¶¹ˆƒ÷lç´³´´`
Š´kP(+m
->€A‹`6w~¥ô­¦éÉ¢ÍûØÞÖV5†ý8£¥1Ÿéî2«ñéÒ‡ÑD_®5aî@ŠÅÀ(ð :ØŒ}f'æ
-*É­–¸‡
ƒ|ýòü\‚æÃd…4%Ë£MJõžT¦·°–BÿhðÔ|.O òÆÄ9Òù‰@Gÿœãv5a}ÛüaÃo}àh%É7ï·¯.Žüö/u¤ã‹fÓØÖ‡FA+\_ñûþÕ›~~K*°<:»bFvÜâ#
‹{^þ¸™³,ÈjT9äåÅå½Y oÂ=C‚»¾/A!ßRqݧDb>`Ê©�“õTïË#|
-ÅŒu%–Ъȼý65B‚bʦz_IÛ0Ý$CžsÝÓô’]WÇ·i«~ÿAÀä@€y^‹¡Ié3i,)�ôÀd¾Þ™êZÂêcvº“£
⪃Š|¹f65žìÞËT5¥ý£ï•vHáF‹–eØN]îë\9¢	”,G�xjg™×arÓ=¯µšÜo	BéKñ€Œ°©Rœ …ymÉ[a„6Ä´^Á¤À×—Š'¯ee=u–šµfD•–`ò×±ýíÔí\Õ-–(†b~ûûV˜Ì¬=é´&ߊx®/ã;¥bÔCVZóaPéÀx¯´)íX4kí²’(;è£Ò=N–Y÷/óSéXéó­ ˜¢ÊÙU(6Eg�e¹h^&·twf(3-ÊJ6œg茪ÕM1‹×Î
bvŽp‘º_ËôÃ¥›ÛU»áºI¥:³vœÜoi|Ñ‹¯)A¦ƒ—=Võ:£é
-{NK|jª|Ù{˜”ÊÚy,
:Û1*WÕe%tØÍ>7l4M	n÷é;«±@Ûi•ÊB1†©a7ñÑ,qm*~\€e"vÝÒ˜ˆS·ô�‰Ù;,Ö˜0u»ˆ*Ý<fƒÙäÚ±¤-ÈÈÀý5tÈ}nÓ”¶ã•q°
(N�}hàÖ©:‰}P˜aDOš’~*ê1©y0
- +ÝÀ²“øæ‘8>Wþ
- ×Îæ@/‡NHãJx¾v±?Ñ®[²¹lÅí˘|A¶Uwn|ìž`tè�v¸|	» £0
-v&ÌÌÑ€�ÐŒÎNû—�…ö/gæhÈ~Aý̬S ^æpöŠúy¤�ípÝñeFÇ!›.€q~û–­sTwƒíèÐåqÃÃBõ‰,£“÷­GP×”�„Õ_!3ÚSg8’ÛÉÀdC166:óÔê½™¬�'ƒÎfŽ~€q:N“?{e&çê}%ˆ)Ppôã£È1Î&íðöLÛ‹&bè‡N9þ*9~š€:ãgèÌîÈJ¤²Pãc×sÓïï?H²0 Åm,
F’…!w²±Þ“ùèM
»Ê:|°S!ší.Î.Å®gviY»?»~M•…Á¤Ø5ƒ~OêÏ®5ú™FR6ìHðð'—†0$<å�…Vä‹Éù§–†7^Ne=tJ‹èÆ1¨ë3û:¡m‰
”AROß ±à£Q2kº «,çg¡îµ¸äçU``ÜÄê.Ñtbò
#�{�žRp¸®ž+ÿp:ç”èDŠaDˆU0¥	FÚ-«X
-ù†Ñ“ÒÃHcˆ\³Ûû·ÎXz(Yˆ«tó�S´-ììÃG´`òÅûôv6ž‰Ýcñ'c*†ídÀ¾“Žà[šVb”Ó�à[#2‡ñš”ãtªXU\OÖ‚Â	ãáùrñóÅ<¼Œ¥	3ã‘ÕÂê#Ê¡óΠÅæ“Cç�AŠÍ'‡Î;ƒÎq{ÃÔ9tÞt¶lÁrè¼3èìÙ‚ÓçÐygÐ9³§Í¡óΠÅæ“Cç�AçÈœ:‡Î;ƒNÏ}›9‡Î;ƒÎÊá�-‡.é™AGõ�Ì¡óΠÃ|ž
Éô´·ƒÑk��§gí£ÏX§dZ¯§KŠ_àöf+Î�HŠr±ÛȬžüÓ%ŸXrvO/€Ói�XrêÖ-Gýâ”Xáä̲±‡…tÏ––'«+—ý;KÍi}fÞœIû®H:Öõ¥¦%2äì‡9�§„e>ú¸Á<àä›2‡üÉ>¾c6„½M)T³�öK ¢§'û…‚8,¾¯ÕYÜƶ¥­b1ŸQj>K
-B‹´¿M�HÁ AuñLžÞ*ë±�a%‘Iæ§Ñu~Æ
-ôÄ~†,0GßÝØ[�`Ïã³9[1ð
òÀ|s‡Ž†x¼Ç¤ÆÛ1ÉžZˆ<ð`RôxSdÚ¿â"iÿ¦‰"py0}÷Ï+�Ï7'†ྸïA˜³()2Ø™E�Î<¢êƒCŒœ33%ÄèG!�I¾
-�bvÇo^q†ÖÃL¿L.6ûeÏ7�Q'vªßÒ?_ŽÒ…Õ
•áX™�¼ö�u�·‰Ôí}ÔA>u¹v=Œ=¢*&”n£Kv¯uð.nY¬ëXÃ�3â™*ǺCÍCOqó£}0ˆYiB p0äÈâúLpxi.{þWž,xùÆíz¤ð ¶Òv=rß/+Ö¡EÒ1ùAq[ø¥ÇydÙ¹=#Š!=™M“bÉø¢nÚô±‡q|i.pZvLÉAÄ
-'o÷Ž<<W(7.ˆ§�>%°û>w¹ñ’6%1˜óÊ°ä‘¡F§[iqÓÀÉî‘ÙæT×ÝâbqäcÓ±xd¶ùCç
(SD©÷ÈPcàßæä‘
K[ž=‚è€Á#bIC›Ù#³‹3x{d°ŒT¿ü¼<2†&Pz=9À&Ç„ÉlQ;WêÚYÄ?nœEYÎ#'qû’÷Ž`54-—ÉÈ©3:dˆœ
ù§¡m&fNƒ±£^7‡±¦�yßb!]˜96Sþ¨fñN¯çÊ«£¤�Ø3…ýDPrý’*
-õ⺥#TŒ¼°ì8IÏâÞYDAG°_ê§ïó·#ûùç�ÇtÿØÌùpz´##nÞùpÁ"T§Í‡sÆõ5ç’=â̇›%[�=N…8§|8#Ùž7ï|8Ý£8¯37J>é–€¥¹çÃ7·x…ZN•ç²Å(Ç:З2‡”Ž•Ýšê“/Æé¸d˜®[²ÄDº¢$¦£ýËÙÓë!bŒ„dèÇ}­Eà^Ø�Ãxžr6P‰Ÿ9“öã{©ïñ|ééóI'Ð æ CÂQLb@†"´Y`#f¾¶ì¸!»óÆiv2¬Þ_1PŽ��QÉ°z�Ut^Aûev2¼Íå6`ÔO
-:›_FêýÇ2Rù¨3éfªŒT9z”
-Äï(© Ÿ9ðMÐv22S?,æ“oF*û5Ð.-ç	ÄãÒÔ AF�=¤,"4GY‹ûl#Sá,>4['H*œ¡ÁÒüƒóI…à ÆäÏ™..˜ßrÚT8»rN©p�^è’v^©pšW�!Ót¦T8Ó?Ævåç7ÂS%rKµHL‘Wg-RåôQ´ŽÎ¨1�Ž»È°3ÊE†Áu˜–j¿dxÚÔ†ݨãÛE8À¸º�AŠ1ˆ,¯Ž
#œÂÁðŽjâA÷
�iUãˆèl+ž¾{εÁK�ªòuóqó¢òÆ—K™ƒëÊB÷ YÙN6/B±ÍáS2þ®Ÿ‚–ËåÚÍ}­#,oE+š8Bî^ÌŸ|åÎ;+oã¹XŽrqW·§¶U{
-ØÖZùî––ìvCMvS&Ok¼cP<ÃŽ«q+G”As‹ùóÄ-ÙÍ3Ãn$zeØÕ¾\R]Þo¥_h¹X	G.–£Ÿ$`ƒÚSÀÔåü’UêÕ™ìK\ö)Yg	Ï»hMNSåj‡§”As±ìq剞a÷è•ì¶˜£Z?[øBÖã‹�ôŽdZ†Ý¹G.áñá}Ðjõ²fóÀƒaµŒ¿ô\¼ÉÊfƾû”vb™óngTa~ZYÛeè1¹6W-Ñ	Ö|›u*¢æ
Ž%N±|ä²W̽oÈ­#L~eWJX'DšÜ¯p¢§ölËœglE¿ìš°ÿ”È1W`ReŸxRÆ,?Õ?æjªJr„)ÅB¬N^ßJr¬^8tíÙ\à4´‹yÿ¸¾ Eä|½pÓ‘cYŸQ÷�5V×oJ¾µ˜�Κ+`M‰èU`¨Ç>%è¾ñ¬,I
-w�ª
-[§ïî|¢ÓwVAçs.ÓÕÒ³L›g4TsžÑPÍàÒŽœù8%ñÙóÖAˆF/Óöã�Skõ¢Ù•ýÌ#Ÿ3ŠÍL�¨oÞ�kã>‘]¨³À‰µxž¸3±–pE1x¶é-¥Ùo„�•�é+�4<[Wc�!LvQAù­»â
JR½W¯j ­%œ‰à™O‘&§%N�¡¾d­Qí�™r5œ�&¡u5¿
-†WCÖDOÚWߦ¨SëÕ_Ù]_	Í¡Æ�ë–â©N«Q?3åsu¬\WO»*{rºý†CÖT‹@%2ø�ðBÝkÅ•O´üᳬx½ÆÝlGäF…;ψf2ô«p nõ�3—E'V¸›¶R^0ò¡WÊ›K>ge.yIŒîX|ã³W¸sÖ{uÖ¸Ûb©pÇz«9Ra*í—�EטâÞQØÙ#C.,¦æ
-(ï”3†)�éfJ³�¸/7s»ÚvÌöéý–vˆyÛî
ìJ˜è9eæƒi†WtÆL1„SrÆ*¼•ß©–Ó«.Å°œÆ&L»µ‰É>»e(÷ˆÝwá_‘î•zSƒO¹G‚>VNû˜EÌWS�®$?ˆ±ç¸–Óλù¦Öa\ñAìµgÏq…EòÜ"�œõÌ�˜éyÇ›S8xÜAdÑ/—©=®’Æ3Ò̺eEÙæcZŠÞÅvþ¶ò¥v{QùRUvv÷r¡X¹”n—Ë¥Ì!ãlŽÑëÛ§§{—uØ.Gý;r>ÜFäÎÊœÒ|¶Ü¿³µS•lùpÉõö	-	Oz]‰mD†¤AC1˜°EÏýS£µN†:(W»(�QÍ-X9búî۳Ğ<­¯±A�uØÖ’ª9(–šŠ!
-Ž`×Àxæ
-xŸZ”�^-kžEù¨õ+g(Êç˜R#{o?Å#B.™Rƒ�º~ÖHUý¦ºŠP×oŠX¸)êúQ ¦Wõ›ÇÝP°®ßìѶ,uý|ã”æR×Ï»ªóÝP>uýX­®Ÿ•Žèy7ÔŒuý¼Ca6Ç<êúy+줢iêú9—k¯êGô)MQ×Ï;ž)äïÐeªëç½´Pl>uýæQ
Ä¿®Ÿ÷‚t)6s]?#áÎëVóÙëúyGœ‘s§L?ÂCOÌä#xͳ¶–Ùëú‘rÛ,ª›)+Í·	ë
T¬uý¼M]CSšµ®Ÿ
mrU¿àõøæ�ó>u]?ïª~³Ôãc?P¡çŒ«ëç†2RçQ×O?P¡TõÃrxgMOñ¨êg‹»˜¡®ŸçQd’¾/Áêú\#;UΣ®ŸwU¿ùd¥Õ¼×¼€�ñÍT×Ïû Ë•+:e]?ïª~3ÔãP$Ø«ßÌ·x˜UýæR�ÏW‰gÈæp×õcÌ{ FÛÎT×��÷€])Š�2S]?<fÙ]Õoʬ´€ñ“çP×Ïó¼¹h.uý¼Íè õø¦¯Õm«Ç72$Wõ›®_P[št{ƒ»®_ R|ήœ7êÌP×Ï»ªŸGæc º~3ó1¦º~ÞjŽ…c³ÕõsÌËaUOsk©®ß¾¾)êúÑza¼½�±®Ÿ_ÎÈ|êúy÷‚|JGt{Àœ'JU¿
-Õ	ÝßZ²–fIÛùåµ¥¡�­^—>®v2ã•
-à0Ål+Sª
-{;àéÑÁÎóåÅñî^îé8Y”6·kÅÅóNùá`a­T(Ý&«a£Kݶê×qxÂOVR±I-¾·¿ÏW¿®m”{r†‡›3¨¶ß>Š�^nÞV…ǽNŠËÈ«PÆ/ˆˆUø5˜›Ã7qû2šFÇ5o_XFÆ—‘²	ô@lg~®%ÑO@ÌçàçΪ~Êzì¦ÐßââÆÆSí1qwÈ=ÝyÙYoD0ïC|¢)nðd¾XÁ_”c-óE
-qÉwB1óUõ²ùl¾à°«‹û¯Æ‹ãZ)_oDeóYk\ÿšn£ÈF>^Å_�Ö8ø,£‹阃	Kïü^®!ÀŸ‚ÖwëkÌìû,©5i�øUøsÕd8‹
-—X,pB¿	¤X5UL|ÝYç®q”,Sc©ÈÂt[¯:ç=f=’úC–8s�Ö#ŸYP7’—ëJnë2{¼›èÄ5jJ|iFþ‚5ß	»ïÆŠí^_?Yè%$&�7céײ•½M¨	^kØ-T¾ìóÚWÚ'’þWÿRÐÿšÜ}E¤.Tò£+vT“gX®ìæ(†‘½I•¬dh;»‚I÷;u´�h¿2‘OOˆd祥«càÁ»fJ
-ßg’Õ«›=Ê{=’Yâ㨼&ªƒ	~æW4Š—£Í,êÚ4ún
-Gð×ãØ‚{H“Iú
ÂË™Unê+Qëf(ù¢ðÅ­=K~Ù\ÐëÊ�"¶Œ«và Gôhñí»0ÑlÝyK‚žÁ÷%{ûÅR’ìE‹�Â�
-RØéÐ]ë¹ò¦)þ次v¡Ïû+¾ýËcÚFd6±
ÎÛçV°.b‘'£‹MÁê"ÞZ<¿§ìd‚T€Éž³°w‘šr¦-ö”X�ui*(Ž±,ƒ£t±)ØÚ¥ès b*ÅØ£9y­rú±qMÈgoLJbô™™¬¡4<×ï^9,;Î÷3+ؤâú©ãî¤
-­‡2»û<9èkJ·{Ñý߸2lOÞ»ƒqx-œÙm–÷÷R¥Ûvº 9õ“µ�+ºËO÷É4Ý:¬áRª<ëo{ç›rå™»ÝrºïâÞ&tß�‡b‘äÖÛF$Öå#©×oMø³¦)mšýæð	kÊûP;s+•®RšT“G�ëÊá~¤i©öHõ•ú­êGåKM&üîž´«l'_ïJOÇB3¸³�?Û«š…†Œ»›rþ¼é=¶åI!ý~¼Ilgá2®à¬�‚Y¬2‘Tbg>=ˆ$ϢǑd;}_lGVwÅN$ut³YùXP ¦Ku“�Ôv˜YëúÆ×
"=Z$Ð
Æý²…lG�»½EB/½ï}ÌqñtF³»òc\ÿë[wE§8F/èçZcO3×à±]#«w
¬Ä±aTîsVs{ò¸h ±�¬8è`±¼i¼(¯b¬é
Ñ„EÖ@—/»Æ‹Þ|ñU7Ýê›+Ö3|äz9…¹#¾âc×÷ÓPX
VÍ=’É	 ‚¿MÀ‹sýB=~žîX}?¢8
ð¬†Dõ
-`aÝÂ6hf�[µQ@¾IÐè$-õàcü¼DÝ®h›“9½MIÀ¿°±€ü
`€4·�U‹c£ Œÿ VÉÈKk/ƒåËÚF5ûÍ$¾¸n
-ÅQÛ0Ÿ7
-Y‘φ㧻Ç'ÇÕpV�—	´Š›·§/	óü8
-‹à¥œ”
¿‡DžKù¼õ¨¹|:+Ãb�Gÿ+ä‹ÚWù|šËòaW/åÐ3ø¨˜–²9ðU^­À oŽ×á9Ð^	á,'¦‹°ã,è°
-¼‚}»çƒf	V[³è!ü_8Çš“X„€9Áby)œåy0˜½
-ðkØH*Š ÐFëFJgÅ<€"z»FÌçÒ"j‡æ´ox!-D®è‘”CS¶€ŸO‹"k^ÐÖƒ‹Á¼x´|þ�x@…´PäÑ3>ˆP’¶
EÐ-ìD( õfQû-ré<ø"Ëñ›Ê!øö—å8кˆ&ãø[<ì~“
- 9mDc=+ä
-œ;ø#ñ<
Ý°'€å‰íöÐ"W€­
-Ö^IY�ïc­
-endobj
-946 0 obj <<
-/D [942 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-947 0 obj <<
-/D [942 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-944 0 obj <<
-/Font << /F21 950 0 R >>
-/XObject << /Im1 943 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-969 0 obj <<
-/Length 1075      
-/Filter /FlateDecode
->>
-stream
-xÚ¥V]�ªH}Ÿ_Áã˜hÛÐÀ¾1ˆÊÁ¼“ÍÞ}`G’1Â\3ÿ~«éD'“Ín|èÓtYuêTõÑ0üˆfpÄmjk¦­#CÛ¾?`íÖDÙèC†ÎL¾X�èF–…
1YàíÚêÎÚ°38
-¥Œ� �@E‰�0õ=µøì§K‰boáÄ3¹-áàftXœT¨IÓtÙRü‚|è›™.n‚û«uà·¹|Å$šËqåÅîF¦þè<ù�ŸþÙ'*Øqdë–9|—$¨å ÇPñõ~xàO^öŒZ½žõÀwž…çQÜFUᓵçúN0n5Ž=·á8ncÞ}MŒøPL7
-ï�
°�Ê¡³r�·Á«ÏKGDI“‹Ûê%› ùÚI?�£•J,Jz‘%Œà`¼)ð&ñÚܤû¦
-ÅùîR–êüu‹zp9¹Ù[
ͱȺ
ÏQvקŽtÏ„{:$v¨ëÓoÓéår
-£¢Ú¢²!õ:½»µÕ[—H¼fÿõK÷ùõŸkendstream
-endobj
-968 0 obj <<
-/Type /Page
-/Contents 969 0 R
-/Resources 967 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 951 0 R
->> endobj
-970 0 obj <<
-/D [968 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-967 0 obj <<
-/Font << /F22 973 0 R /F14 976 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-979 0 obj <<
-/Length 2886      
-/Filter /FlateDecode
->>
-stream
-xÚí�]wÛ¸†ïó+tWûB(¾	^:Ž“u·ÉæÄÎé×ö‚GflõX¤KQ¾ 	€#œÍn²±tö´¥áÌÎû
-x6$a»N9pšÛCcÓ®³ŒhÉ\HŸE�.õ]y<çö°þ4ü|U/6+›Íã¹2ù±?l¾žå™Éÿß$5>Ó;²}Ž`¸+äîù?CO$Œ"Ôy H«î*ÖŽ"î(ú©9fæ躨–ÿ-ú+j¨Ë›åú1ZRdûÌ$)>›É¤
-êœqNLžYç<'\_³È¾já6Vü�„×›êªè†ˆâ¶3ŒØ»*䉘øL&c1L R&‘00LPç#&,#LQ0á“~$q7“¢ºŠ�/ös¡å³¤bŸ±d€!†TÁ!†ê|Ä�Ú)¢â"à ¯«^lÊŸõ¬æŒ.>ãÉ8
C'¨(‚S$'ÔyÀIåœäJ†r¥/X:œN6íMÝ,[;ã¹/wÊ•²¹/›þž”íc]²–Š4D�ØREL"AwΔ$Y–å3e(1J�uÉP™Xžo–«¢y~y[Øâµ±9|¯†�¨d
-€!F
¡ F
ê|¤@’©L
-¸£àⶸ<(nöçNñ9.|ê’¹
-¿Z×U½n—÷Ð̈ƒ2f�ûHBÎ’�
-‹µÁPá_ù™óœ˜ØûÆ»
Õõ Î…�~‰‰&Áº"15s_êb["_ø3yoÿgTªendstream
-endobj
-978 0 obj <<
-/Type /Page
-/Contents 979 0 R
-/Resources 977 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 951 0 R
-/Annots [ 982 0 R 983 0 R 984 0 R 985 0 R 986 0 R 987 0 R 988 0 R 989 0 R 990 0 R 991 0 R 992 0 R 993 0 R 994 0 R 995 0 R 996 0 R 997 0 R 998 0 R 999 0 R 1000 0 R 1001 0 R 1002 0 R 1003 0 R 1004 0 R 1005 0 R 1006 0 R 1007 0 R 1008 0 R 1009 0 R 1010 0 R 1011 0 R 1012 0 R 1013 0 R 1014 0 R 1015 0 R 1016 0 R 1017 0 R 1018 0 R 1019 0 R 1020 0 R 1021 0 R 1022 0 R 1023 0 R 1024 0 R 1025 0 R 1026 0 R 1027 0 R 1028 0 R 1029 0 R 1030 0 R 1031 0 R ]
->> endobj
-982 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 688.709 539.579 697.4212]
-/Subtype /Link
-/A << /S /GoTo /D (chapter.1) >>
->> endobj
-983 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 676.5858 539.579 685.5919]
-/Subtype /Link
-/A << /S /GoTo /D (section.1.1) >>
->> endobj
-984 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 664.4876 539.579 673.4937]
-/Subtype /Link
-/A << /S /GoTo /D (section.1.2) >>
->> endobj
-985 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 652.3894 539.579 661.3954]
-/Subtype /Link
-/A << /S /GoTo /D (section.1.3) >>
->> endobj
-986 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 640.2911 539.579 649.1477]
-/Subtype /Link
-/A << /S /GoTo /D (section.1.4) >>
->> endobj
-987 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 628.1929 539.579 637.0495]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.1.4.1) >>
->> endobj
-988 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 616.0946 539.579 624.9512]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.1.4.2) >>
->> endobj
-989 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 603.9964 539.579 612.853]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.1.4.3) >>
->> endobj
-990 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 591.7985 539.579 600.7547]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.1.4.4) >>
->> endobj
-991 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 579.7002 539.579 588.6565]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.1.4.4.1) >>
->> endobj
-992 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 567.6019 539.579 576.5582]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.1.4.4.2) >>
->> endobj
-993 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 555.5037 539.579 564.46]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.1.4.4.3) >>
->> endobj
-994 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 543.5051 539.579 552.5112]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.1.4.5) >>
->> endobj
-995 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 531.4069 539.579 540.413]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.1.4.5.1) >>
->> endobj
-996 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 519.3086 539.579 528.3147]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.1.4.6) >>
->> endobj
-997 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 496.5559 539.579 505.288]
-/Subtype /Link
-/A << /S /GoTo /D (chapter.2) >>
->> endobj
-998 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 484.4775 539.579 493.4338]
-/Subtype /Link
-/A << /S /GoTo /D (section.2.1) >>
->> endobj
-999 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 472.3792 539.579 481.3355]
-/Subtype /Link
-/A << /S /GoTo /D (section.2.2) >>
->> endobj
-1000 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 460.281 539.579 469.2373]
-/Subtype /Link
-/A << /S /GoTo /D (section.2.3) >>
->> endobj
-1001 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 448.1827 539.579 457.139]
-/Subtype /Link
-/A << /S /GoTo /D (section.2.4) >>
->> endobj
-1002 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 436.0845 539.579 445.0408]
-/Subtype /Link
-/A << /S /GoTo /D (section.2.5) >>
->> endobj
-1003 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 413.5759 539.579 422.1635]
-/Subtype /Link
-/A << /S /GoTo /D (chapter.3) >>
->> endobj
-1004 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 401.4527 539.579 410.3093]
-/Subtype /Link
-/A << /S /GoTo /D (section.3.1) >>
->> endobj
-1005 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 389.3544 539.579 398.2111]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.3.1.1) >>
->> endobj
-1006 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 377.2562 539.579 386.1128]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.3.1.2) >>
->> endobj
-1007 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 365.0583 539.579 374.0146]
-/Subtype /Link
-/A << /S /GoTo /D (section.3.2) >>
->> endobj
-1008 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 352.96 539.579 361.9163]
-/Subtype /Link
-/A << /S /GoTo /D (section.3.3) >>
->> endobj
-1009 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 340.8618 539.579 349.818]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.3.3.1) >>
->> endobj
-1010 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 328.7635 539.579 337.7198]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.3.3.1.1) >>
->> endobj
-1011 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [532.6051 316.6653 539.579 325.6216]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.3.3.1.2) >>
->> endobj
-1012 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 304.6667 539.579 313.6728]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.3.3.2) >>
->> endobj
-1013 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 281.9139 539.579 290.7706]
-/Subtype /Link
-/A << /S /GoTo /D (chapter.4) >>
->> endobj
-1014 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 269.8356 539.579 278.9413]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.1) >>
->> endobj
-1015 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 257.7373 539.579 266.8431]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.2) >>
->> endobj
-1016 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 245.6391 539.579 254.7448]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.2.1) >>
->> endobj
-1017 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 233.5408 539.579 242.6465]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.3) >>
->> endobj
-1018 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 221.4426 539.579 230.5483]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.4) >>
->> endobj
-1019 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 209.444 539.579 218.4501]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.4.1) >>
->> endobj
-1020 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 197.2461 539.579 206.3518]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.5) >>
->> endobj
-1021 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 185.1478 539.579 194.1041]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.5.1) >>
->> endobj
-1022 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 173.0496 539.579 182.0058]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.4.5.1.1) >>
->> endobj
-1023 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 160.9513 539.579 169.9076]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.4.5.1.2) >>
->> endobj
-1024 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 148.8531 539.579 157.8094]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.5.2) >>
->> endobj
-1025 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 136.7548 539.579 145.7111]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.5.3) >>
->> endobj
-1026 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 124.7562 539.579 133.7623]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.5.4) >>
->> endobj
-1027 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 112.658 539.579 121.6641]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.5.5) >>
->> endobj
-1028 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 100.5597 539.579 109.5658]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.5.6) >>
->> endobj
-1029 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 88.4615 539.579 97.4676]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.6) >>
->> endobj
-1030 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 76.3632 539.579 85.2199]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.7) >>
->> endobj
-1031 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 64.265 539.579 73.1216]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.8) >>
->> endobj
-980 0 obj <<
-/D [978 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-981 0 obj <<
-/D [978 0 R /XYZ 85.0394 711.9273 null]
->> endobj
-977 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1034 0 obj <<
-/Length 3273      
-/Filter /FlateDecode
->>
-stream
-xÚí�msÛ6ÇßûShæÞØ3'ñ¼t§×6q|‘r3wm_¨6ãhªW–’ºŸþ@‘®$pmä’4¶ÕÎD´ÄÕ®öÿ#vA‚ïáÞÓ†/|ÏzÅtÁuïbzPô®ÂkßðfŸ>ìÔÇ{=üã…´=ϼ¦7|×SZ3¡×oæXáï
/:<y}6<=Ž~þpp:ŒïŠ=óBVoùûÁO¿½ËÀ“ÞéÞÇðGÁ¸÷¢7=PZ2­¤„g&ƒƒÅ7D¯®M“Ÿ„LH#EôQª5ïY홑B®?ˆbŽñ£>Eqø]9+£åxvuÔº8ü±¼½9ê;#ÙQ_‡Þƒòþ³½Ù¶ÔEȺ•¦ÍçŽ6‹«^½ñ«v}l¸«ÖîûWz	±¨ŸŠƒb…ô¬(ËLQ˜ÈŠhXŒ¯f”åû²Þøï|¶laöÄ�Ä@V³‰A†1X5!»‰IÄACzb¤fÚ8‰‘
1'óÙÏE!®V‹ÈÍ \|(ÕÃåSE¥“Èc6#È�bëD1’ˆƒb„ônyrL(�"T5iE‰ˆ�‡çgƒÁéÉßk8žßÎFÓñE;°Ü4/Œf—õÆñj9Ÿ†zÕì‡$eÕ7
@§ä�•lÉ‘!%9κÐÝ’'â $'½Ã°ÀyèL4›Ž0,„1 m:Þ-Ž¸;œOë¿Æ³›òbµ~ª)1ËyýˆŸ÷V>ØÑ HX6È�‚
BÁ�ˆƒ‚�ôÞÀ`¼gÊJa€®b㘣A½±º¾-ù§åòý<ÿÖ˧Qb®r9À†Z¤â 8 ½Î2¥D,±Wx±šLn›Ñ~s�ÿsÝa®
-�D ¤w
-É„@S^T�ã}0�»<n UÙ C
-,…A"
-Ò{ƒ�öœqçÚZÀù}0è:]¹y"ó1ž°Œ	Ë…
0lBÀ�Šƒ€�ö0Ø ¿¶miࢆá¼\Œç—Ð8ÖòöÛ3SÜ=ñ¡�°@B³aA†,X0
-–D,¤w€ÅØÀ‡V-,²†•ˆx
ëõù°‚æõÛaŒßŸ�
-,H"
-Ò;\þÔZ³ÂÇyFÕ`èí+žÃ#_
(îpu³l.wÎ.ÞÏõö«ÑltUNËÙ²’Ã>J^:Ñ€ìe£�)4°:Âw£‘ˆƒBƒôc‡’¬0qŒ›®ãßÕäs4_¢õYoÊ›ù$ô"G})ôþ¼fHh6,È�‚FÁ’ˆƒ‚…ô°HÎ
-Y¨–¦+9^-ÃH1^V>”x©MhI´Ú÷"[ˆ@³A†"X&
-‘D"¤÷Xj¸cÞ;ŒðºÔœÿxÒœíþ[õTµñs¡‹“ÅíõrþÛ8l7ÏÞ¬®¯ç‹Pe¬zzàtIÍ&RÄ`ÑdÑML"ŠÒ;*…	OÅ©çP�ÎëÙMýïï«ñÍxYVç=Ý^ìùו%Èr6AÈ�"«H”ˆƒ"ˆôÎ…aJrÕS�%/ã¨b¨¢È…ñäÙj<¹ŒÌëër6¼lN¤@s—ŸžÇ•è×eóê|V?¾ÏV„7•ê¯iCã‡Ì•n$QòN	SqÒÞ[	�`¾�K(>AÂÁÉq½aŠ¢Øp0ŸŒã0„x)þÒá<~Öl%‘!¥$Î%¥d"JIÒ{«¤-˜‹¿×BÊû9˜¿[þsðªZeår“YÈ–¸µ£F9–Ýwh$‚ ô¥\7ÕZiÇœ*d«n3ØÔöÙ÷gÏë-_?|/ß×[U'X÷€F=�~?æ,›dHÁ€5‘Ý+ëSqP8�ÞÛÃ]æ
-Ôð3
µ7qÆñÀoÊë&,Ý•Ù(óÕ
-/|Âlý�!¥Î ¥_"J?Ò{«ŸTÌÚ
ùÄ'È‹k‡€[uù³»Ï­bó9³Elí(
Q)	wƒ ¤\·
-Á¬ÒxH†‚›© T^®æ8‰È–RãDS"'â T&½CÝ
»[.M+rs�'qbeX�º�Ï'á`4…ÛO�7dH¡ƒå£ÐIÄA¡CzoБÞ1ã¸oÑQ5:oovo¨­
-Í÷çLÓÂ%˜zY¢oô‚ï	ä8 dH
„5”Ý·Ì¥â 
-ÐýtÎ؇¼L$æ%[sdHiŽóNižˆƒÒœôšKÇ´h§"^ùßÖ<®E5‚¦àlü믓fŸóE¨Õ¶ÿæe†TdËŒ)™qª)™qP2ïxçØ{ó5R’&„¬«îo,B.†ÐÄíœ;x9¾z¿üXVÿn­êÌ8aÜ/kÈ ÷Îû®³Ö}~;*[;^“•´‡‚çõrq½þ†‰ê[Eb¾ºÓÓ¼üëb´¸
åô�,uøÜG¤/ûHB†Ô‘„塘HÄA±Az6„uQ{×°!66úèQŠŠç£rZMŸ¼Õûõ/�’1™¹¤`C‚”
±RRq¤ìzO�¹Âxæ´¯15͘»3Ô¶§ræ×oÊw墜]”Ý™ƒ7¿ïx‹
ˆñv#hÙ½Æ¿•©¯ÉcJ[æ„­e2q¼M¦æÅz‹ÓÉzÝru?-·Ou¾Òɤ4ûÈB†Ô‘…%£8IÄAñBzošV¡4³ÞpÀ%~ÔNÓúj´¼xEù¦BÅX±ŸÓn¡éÌFR¨`¹T÷ª•T*¤÷xMHɬQº…e�‹¬Î‡ÜΖ£?ŽúÒëýùðû€©ÌR `©(PqP �Þ[PgV
-‡@
(Ï˪ÍÆmŠ§¼ßÞŒ®ÊodQó׸4³”Í
-2¤PÁrQ¨$â P!½Çá‚{ËŒñª…e_W>”˜Ê\P°!
ʆTª{Ue*Ú{ŠÓa–Ó,!ªAÙו] KÙ CŠ
¬Å@"Š
Ò;Ìo¹•ÌqÂ"î7¿ýn1šNGÕÙ#+÷ÓÛ-\ £Ù¸ C
-¬…K"
-Ò{Ó†pÙ>ÐÂÖ¥më„�ä̹BÕ^£‹I³ÏƤ™à¡ç©÷,G˲mc"]Vì¿Œ¬Íy6OÈ�â	kªº×‰¥â x"½OÊ3­„�<‰/ÁÓݵÌyþøÆ!Èm67È�âkGq“ˆƒâ†ôÜHËtœ
Uk�ïÂæb>[.ªõ©»ìHÏ
-.Åc‘v�ó‹K:ñiRœMOkGÁƒTÝ«APèP®�¡™²¾­`ê‹¡s�Z‹‡@J'"�ËlF�!	ÖŠ¢$…	é8á’)eÛʤïäd<»˜¬.Ë&†YÏïêvO«Q†gãƒ)|°„ª{Åc*
-Ò;àSp¦¸‰ô˜/EÏ݃Ì×¾¨ÿ™Wl@&³!ií(F�N"»AP„P®@œgÒ)
±wR}cs¢ñ
È;yÇÐ"¥ÛŸô…”ç’„ì’° I‰ ’H×ð«C–I-Ú¡Æ}	’îftñø¦P�ÚìŸ'jí¨_'BÂÄ$‚ ~›ˆr+€IÑNžü�ÀLæWWÕ
-²Dm
-îŒ×w�ÇùÖ¿�ë3׬&Áù?/
-Ì8×±ÎU¸‚i£uO†&]ÖÃéxL,<_ï…BÿÙëÒ’endstream
-endobj
-1033 0 obj <<
-/Type /Page
-/Contents 1034 0 R
-/Resources 1032 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 951 0 R
-/Annots [ 1039 0 R 1040 0 R 1041 0 R 1042 0 R 1043 0 R 1044 0 R 1045 0 R 1046 0 R 1047 0 R 1048 0 R 1049 0 R 1050 0 R 1051 0 R 1052 0 R 1053 0 R 1054 0 R 1055 0 R 1056 0 R 1057 0 R 1058 0 R 1059 0 R 1060 0 R 1061 0 R 1062 0 R 1063 0 R 1064 0 R 1065 0 R 1066 0 R 1067 0 R 1068 0 R 1069 0 R 1070 0 R 1071 0 R 1072 0 R 1073 0 R 1074 0 R 1075 0 R 1076 0 R 1077 0 R 1078 0 R 1079 0 R 1080 0 R 1081 0 R 1082 0 R 1083 0 R 1084 0 R 1085 0 R 1086 0 R 1087 0 R 1088 0 R 1089 0 R 1090 0 R 1091 0 R 1092 0 R 1093 0 R 1094 0 R 1095 0 R ]
->> endobj
-1039 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 758.5763 511.2325 767.4329]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.8.1) >>
->> endobj
-1040 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 746.445 511.2325 755.4012]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.8.2) >>
->> endobj
-1041 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 734.4133 511.2325 743.3696]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.8.3) >>
->> endobj
-1042 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 722.3816 511.2325 731.3379]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.9) >>
->> endobj
-1043 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 710.3499 511.2325 719.3062]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.1) >>
->> endobj
-1044 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 698.3182 511.2325 707.2745]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.2) >>
->> endobj
-1045 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 686.2866 511.2325 695.2428]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.3) >>
->> endobj
-1046 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 674.3546 511.2325 683.2112]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.4) >>
->> endobj
-1047 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 662.3229 511.2325 671.1795]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.5) >>
->> endobj
-1048 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 650.2912 511.2325 659.1478]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.6) >>
->> endobj
-1049 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 638.2595 511.2325 647.1161]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.7) >>
->> endobj
-1050 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 626.1282 511.2325 635.0845]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.8) >>
->> endobj
-1051 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 614.0965 511.2325 623.0528]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.9) >>
->> endobj
-1052 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 602.0648 511.2325 611.0211]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.10) >>
->> endobj
-1053 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 590.0331 511.2325 598.9894]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.11) >>
->> endobj
-1054 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 578.0015 511.2325 586.9578]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.12) >>
->> endobj
-1055 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 565.9698 511.2325 574.9261]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.9.13) >>
->> endobj
-1056 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 553.9381 511.2325 562.8944]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.10) >>
->> endobj
-1057 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 541.9064 511.2325 550.8627]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.10.1) >>
->> endobj
-1058 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 529.8748 511.2325 538.831]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.10.2) >>
->> endobj
-1059 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 517.8431 511.2325 526.7994]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.11) >>
->> endobj
-1060 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 505.8114 511.2325 514.7677]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.11.1) >>
->> endobj
-1061 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 493.7797 511.2325 502.8855]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.4.11.1.1) >>
->> endobj
-1062 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 481.7481 511.2325 490.8538]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.4.11.1.2) >>
->> endobj
-1063 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 469.7164 511.2325 478.6727]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.4.11.1.3) >>
->> endobj
-1064 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 457.6847 511.2325 466.641]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.11.2) >>
->> endobj
-1065 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 445.653 511.2325 454.6093]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.4.11.2.1) >>
->> endobj
-1066 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 433.6213 511.2325 442.5776]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.4.11.2.2) >>
->> endobj
-1067 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 421.5897 511.2325 430.5459]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.4.11.2.3) >>
->> endobj
-1068 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 409.558 511.2325 418.5143]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.11.3) >>
->> endobj
-1069 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 397.5263 511.2325 406.6321]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.11.4) >>
->> endobj
-1070 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 385.4946 511.2325 394.4509]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.11.5) >>
->> endobj
-1071 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 373.4629 511.2325 382.4192]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.11.6) >>
->> endobj
-1072 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 361.4313 511.2325 370.3876]
-/Subtype /Link
-/A << /S /GoTo /D (section.4.12) >>
->> endobj
-1073 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 349.3996 511.2325 358.3559]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.12.1) >>
->> endobj
-1074 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 337.3679 511.2325 346.3242]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.4.12.2) >>
->> endobj
-1075 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 315.0477 511.2325 323.7798]
-/Subtype /Link
-/A << /S /GoTo /D (chapter.5) >>
->> endobj
-1076 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 303.0359 511.2325 311.9922]
-/Subtype /Link
-/A << /S /GoTo /D (section.5.1) >>
->> endobj
-1077 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 291.0042 511.2325 299.9605]
-/Subtype /Link
-/A << /S /GoTo /D (section.5.2) >>
->> endobj
-1078 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 268.684 511.2325 277.4161]
-/Subtype /Link
-/A << /S /GoTo /D (chapter.6) >>
->> endobj
-1079 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 256.6722 511.2325 265.6285]
-/Subtype /Link
-/A << /S /GoTo /D (section.6.1) >>
->> endobj
-1080 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 244.7402 511.2325 253.7462]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.1.1) >>
->> endobj
-1081 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 232.7085 511.2325 241.7146]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.1.1.1) >>
->> endobj
-1082 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 220.6768 511.2325 229.6829]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.1.1.2) >>
->> endobj
-1083 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 208.6451 511.2325 217.6512]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.1.2) >>
->> endobj
-1084 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 196.6134 511.2325 205.6195]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.1.2.1) >>
->> endobj
-1085 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 184.5818 511.2325 193.5878]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.1.2.2) >>
->> endobj
-1086 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 172.5501 511.2325 181.5562]
-/Subtype /Link
-/A << /S /GoTo /D (section.6.2) >>
->> endobj
-1087 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 160.4187 511.2325 169.5245]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.1) >>
->> endobj
-1088 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 148.3871 511.2325 157.4928]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.2) >>
->> endobj
-1089 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 136.4551 511.2325 145.4611]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.3) >>
->> endobj
-1090 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 124.4234 511.2325 133.4295]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.4) >>
->> endobj
-1091 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 112.292 511.2325 121.3978]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.5) >>
->> endobj
-1092 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 100.2604 511.2325 109.3661]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.6) >>
->> endobj
-1093 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 88.2287 511.2325 97.3344]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.7) >>
->> endobj
-1094 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 76.197 511.2325 85.3027]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.8) >>
->> endobj
-1095 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 64.1653 511.2325 73.2711]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.9) >>
->> endobj
-1035 0 obj <<
-/D [1033 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1032 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1098 0 obj <<
-/Length 3428      
-/Filter /FlateDecode
->>
-stream
-xÚí�KSIÇï|
-æ
-Ñʼn‘„óé·ZÝU•
Õ)j×0 GØw*Sùÿ)«*»º›
¨ÿÃV*œ'‰¢L
Æ;tpæÿïÍk�†ƒ†ð¨—';ÿx-ÌÀ§¹œ|ïe	µ–
NNÝ}õöèäàèäýÞï'?îœÄ7…Žõ;þ¹óëïtpêýÿ¸C‰pV
¾ø(aÎñÁÅŽT‚()DøÍtçýÎ/ñ
Áÿ®MsD	K”å&óI8Ÿ„qN¬3>:åˆ\¬?Š&܇Z8‡F¬¥Òû¨›ÎÏÎ&³³ö8ø¶Â¡�n�{¿­ª‹j¶ÚrEw÷«ß(å³Éj2Ÿ5¿ÍN›–£³joè˜Ù%{CEéýü#�û_ì®	­¸%šS–ryC™ÅÙ yqµ
-vChxS«›ï_'Wêqísq`¤ Þ™’ÄãF¢5“€ÂöüW‡îžœWh4%”IÓÂ0>ÍfÕ4�%R©pÜ»óÅhéYðÝ+wÀI<!½Åð
-žÛ¬ÅÝc`¥’�ËbJ€!†	Ô
-ã$
-ê=‘¢±ZñDŠÚHÊü²;KŠöp2³¡ÌXÆžV™	9.&bA
1‚2q`¡ÞAÊÃá$èûé»"èµÆÈG]kB.‹I
†)P+ÕߺÉÅ�‘‚z�«o-ü/¹
-äzñÈÅ�à�{OxXJ¨îС:~©Oà45ãÅééºd¬‹ˆ0æ¹f„´3‘ì0$ (7ƒÀ€À\'´%ÔY�0
糪áádÏÑÝÅh¶ü´žN(Þ‰ˆ‰+FbL@aLÿ
-$Fê=a¡üò“±°
öß5T¼›/ÚÞÃO“åªæB>WŠ”¹b.€!ÆTƈ~.2q`\ ÞR¦4lh×pñö²ZŒVëEézññm¹ª.š×ÇÕr~µQÆU æbR#c¥z\gccŠå†˜¼0Á˜¼™80yQïI^áµJuºPÔÏ
âjr“ †é-ùž÷rTL
-øîhÙöÖk‹Ï£iý�nÛk|HR1ÀC
-x;ìO–ã«ŒÜ?ÿ'S!$}’�C
-¶),$Ùa|
-¥õa öÿUœqendstream
-endobj
-1097 0 obj <<
-/Type /Page
-/Contents 1098 0 R
-/Resources 1096 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 951 0 R
-/Annots [ 1100 0 R 1101 0 R 1102 0 R 1103 0 R 1104 0 R 1105 0 R 1106 0 R 1107 0 R 1108 0 R 1109 0 R 1110 0 R 1111 0 R 1112 0 R 1113 0 R 1114 0 R 1115 0 R 1116 0 R 1117 0 R 1118 0 R 1119 0 R 1120 0 R 1121 0 R 1122 0 R 1123 0 R 1124 0 R 1125 0 R 1126 0 R 1127 0 R 1128 0 R 1129 0 R 1130 0 R 1131 0 R 1132 0 R 1133 0 R 1134 0 R 1135 0 R 1136 0 R 1137 0 R 1138 0 R 1139 0 R 1140 0 R 1141 0 R 1142 0 R 1143 0 R 1144 0 R 1145 0 R 1146 0 R 1147 0 R 1148 0 R 1149 0 R 1150 0 R 1151 0 R 1152 0 R 1153 0 R 1154 0 R 1155 0 R 1156 0 R 1157 0 R 1158 0 R ]
->> endobj
-1100 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 758.4766 539.579 767.5824]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.10) >>
->> endobj
-1101 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 746.5057 539.579 755.6115]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.10.1) >>
->> endobj
-1102 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 734.5349 539.579 743.6406]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.10.2) >>
->> endobj
-1103 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 722.564 539.579 731.5203]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.10.3) >>
->> endobj
-1104 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 710.5931 539.579 719.6988]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.11) >>
->> endobj
-1105 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 698.6222 539.579 707.5785]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.12) >>
->> endobj
-1106 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 686.6513 539.579 695.6076]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.13) >>
->> endobj
-1107 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 674.6804 539.579 683.6367]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.14) >>
->> endobj
-1108 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 662.7096 539.579 671.6658]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.15) >>
->> endobj
-1109 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 650.7387 539.579 659.695]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.16) >>
->> endobj
-1110 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 638.7678 539.579 647.8735]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.1) >>
->> endobj
-1111 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 626.7969 539.579 635.7532]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.2) >>
->> endobj
-1112 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 614.826 539.579 623.7823]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.3) >>
->> endobj
-1113 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 602.8551 539.579 611.8114]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.4) >>
->> endobj
-1114 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 590.8843 539.579 599.8405]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.5) >>
->> endobj
-1115 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 578.9134 539.579 587.8696]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.6) >>
->> endobj
-1116 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 567.0421 539.579 576.0482]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.7) >>
->> endobj
-1117 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 554.9716 539.579 563.9279]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.8) >>
->> endobj
-1118 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 543.0007 539.579 551.957]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.9) >>
->> endobj
-1119 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 531.1295 539.579 540.1356]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.10) >>
->> endobj
-1120 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 519.0589 539.579 528.0152]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.11) >>
->> endobj
-1121 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 507.0881 539.579 516.0443]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.12) >>
->> endobj
-1122 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 495.1172 539.579 504.0735]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.13) >>
->> endobj
-1123 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 483.2459 539.579 492.1026]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.14) >>
->> endobj
-1124 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 471.1754 539.579 480.1317]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.15) >>
->> endobj
-1125 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 459.2045 539.579 468.1608]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.16) >>
->> endobj
-1126 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 447.2336 539.579 456.1899]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.17) >>
->> endobj
-1127 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 435.2628 539.579 444.3685]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.18) >>
->> endobj
-1128 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 423.2919 539.579 432.3976]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.19) >>
->> endobj
-1129 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 411.321 539.579 420.2773]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.20) >>
->> endobj
-1130 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 399.3501 539.579 408.3064]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.17) >>
->> endobj
-1131 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 387.3792 539.579 396.3355]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.18) >>
->> endobj
-1132 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 375.4083 539.579 384.3646]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.19) >>
->> endobj
-1133 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 363.4374 539.579 372.3937]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.20) >>
->> endobj
-1134 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 351.4666 539.579 360.4228]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.21) >>
->> endobj
-1135 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 339.4957 539.579 348.452]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.22) >>
->> endobj
-1136 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 327.5248 539.579 336.6305]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.23) >>
->> endobj
-1137 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 315.5539 539.579 324.6596]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.24) >>
->> endobj
-1138 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 303.583 539.579 312.5393]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.25) >>
->> endobj
-1139 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 291.6121 539.579 300.5684]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.26) >>
->> endobj
-1140 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 279.6413 539.579 288.5975]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.27) >>
->> endobj
-1141 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 267.6704 539.579 276.6267]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.28) >>
->> endobj
-1142 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 255.6995 539.579 264.6558]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.28.1) >>
->> endobj
-1143 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 243.7286 539.579 252.6849]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.28.2) >>
->> endobj
-1144 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 231.7577 539.579 240.714]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.28.3) >>
->> endobj
-1145 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 219.7868 539.579 228.8926]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.28.4) >>
->> endobj
-1146 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 207.8159 539.579 216.9217]
-/Subtype /Link
-/A << /S /GoTo /D (section.6.3) >>
->> endobj
-1147 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 195.845 539.579 204.9508]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.1) >>
->> endobj
-1148 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 183.8742 539.579 192.9799]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.1.1) >>
->> endobj
-1149 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 171.9033 539.579 181.009]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.1.2) >>
->> endobj
-1150 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 159.9324 539.579 169.0381]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.2) >>
->> endobj
-1151 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 147.9615 539.579 157.0673]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.3) >>
->> endobj
-1152 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 135.9906 539.579 145.0964]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.4) >>
->> endobj
-1153 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 124.1194 539.579 133.1255]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.5) >>
->> endobj
-1154 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 112.1485 539.579 121.1546]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.5.1) >>
->> endobj
-1155 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 100.1776 539.579 109.1837]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.5.2) >>
->> endobj
-1156 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 88.2068 539.579 97.2128]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.5.3) >>
->> endobj
-1157 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 76.2359 539.579 85.242]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.5.4) >>
->> endobj
-1158 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 64.265 539.579 73.2711]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.6) >>
->> endobj
-1099 0 obj <<
-/D [1097 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1096 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1161 0 obj <<
-/Length 3432      
-/Filter /FlateDecode
->>
-stream
-xÚí�msÛÆÇßëSð]¥™ê|�8\û¢#Éqê4qRI™Î4툄(ŒI@!HkÜOßqwXŠ‡�.vËf<Q"»Üÿï÷�M¨ýÇ&*#™áf¢�$Š25™.�èdnßûúˆ¹cNýA§ð¨ó룯„žb2žM®o'R)ÂÕöd9¡yÎ&׳ŸŽ/¾sý՛뫓ÿ^sôÕu8+ǫ̂èNùóÑOÿ¥“™
à›#J„ÉÕäÁþB	3†O–GR	¢¤þ/‹£«£†‚w·¦ÑOÂ(á"ã‘�Â9ø(Ý›ŠM´2$\l?HFÑ'§ŒSz|6›U목‹ÅÉ)WôøUµ(Ý«fµ,ÖíÉi¦³crrªìÑŸôi̇Ÿå‘¶ÒXŒÍ[Hàž«ù¤q	ä	v§Ðp_žýów1&ö ózÇÁè@ÝkfßÌ,ºR[L(wxHµœ¿~óÒô4\­‹uÕ®«©Bqú,€ø¤yòOæ	b<AE“ã<EÁxBÝ3náLN´PDfy
-‹15NJ$ŒÔýP9#‚JÀJ¨oŠ¥/åê]¹Š—‘�!Éóç ÷¨Ð>ÉBCLh˜iTèH ˜Ð¨û tfáœ�¹ÓùßMítþ®¨¬–uQOË_Ûhù©è:&¨ÿÄ©z;DN˜OƲQ5#Q b¢¾-sMì�AJ᤼,Ûfñ„¦šgüùêQ�ûl$ËÌ0•‡L£"ï…€iŒ8$ÖŠP¥
Y:‘¯šéÛrÝKúúÅ÷¿¤uFåç ²ÏG²ÌÀæ›1=.u$LlÔý wƉ±ƒG ·rr_4Ë{«íMµ¨Öï{qªõ]à‹WÂìœMihfcèNÓ
'û£v|Úƒ„Ñî˜|�ñ©uG‰ð)K&bD@IËljˆ‚±çž
÷~v+“”H.ôÖ{7{Di?AÐæ§	Êéf°¸h궚•«¢›ajÇçOmxZ€Á~ÄûçífÆ·%jÏml.%ã9’e}¢¶�×n.ål:-ÛPëõê„åÇ�›uûÖVÊí{ò0£’Þî|“Û0ÄÚÅ(†ê>àÄ2•ñ8qW@!ðܶ_&™« w«¦YGê¬�„JîŽ*êYäLÌ¡´tÇ\•ëM5‹�)·!I_²¿€©À�M¬×4™X`ˆ™aœŽ	#uï&{l÷Ž0­•6LötûÈ)f©Ì…ci:
-¯jîûª~Wõ´^–µízŠL|9Õq+Ÿùd¬€!†TÅ*†êÞa¥'Ô¨
+î°ú±­êy]G	ÓÉ�¯ŽíhM£DÓPÓ^mêi×i±ªè/©�õT¤ !‚ÔŽªR±@¤p÷þÚªrJ(Ò1%\WíåûºXVÓž©ïgź|Ü»Õ*;ôÆâÄøœ&1b f(1‘@0böÜÇFAJÙmƸ«nGA×'Œ±ãU³¹Y”í�½~ui4?þOì@d°³ããÈð|X>öÜF[�TDhãò;ÍrÙÏ®ÑüÐ_¨mn–Ýp^ÊÃØ&½Qù4'7*`ˆ5*(#
-O$"Ô½¿²a£ÐÌ3:Œ¯×ræºqÓ‹Íê­m]í»kúÓÂÁöºÿñJù|³Ï•îfãÏpW„Ó>¸>äüo¶¢³ü `TpŸ“dÁ�!&8Ì9*x$LpÔ}¨Üöæ™òŠsW5^×Ó^²®O:uÝHµŸ5¹+êùN_ϯV~÷Ò›Íò¦[l°NžQ)…À§)`ˆA
-Œá‡ÁÉS�ñYMFbÈ@Õ˜_t‰‚!ƒºwȈÜþ‰K�=2߯ïüÆâ—Ít
-ÇÙM˜îí‡!Šñ/£�r•
-4D@ØÑ!îÞ÷1„Ö$—Ü“ ]ãñ&Ä0Lù¶ºY~Ìzµ¹¿oV‹Œ™Ãä†×Óg4™`ˆñCy‰‚ñ‚º÷…#SDgTx\|ߣ_‘tØŸ7U[uüš¦Å~@>ÇÉ
-"�` î=L)8¨ž‚ð
-LÌ÷ NfºÇÄ ŽØUÇOLخݸFa’k½*궘ú1=ž.ªí=Q†Š?¨aùO˜,0ÄÔƒDå‹‚釺TšPΠ€rWÀyQ9áæåº[¯êÛ¦[ÍêW²vöÉØ#êbYî±ËcÓffEWBýöÊù�–¬0Ä”ƒ©C•‹‚)‡º”“’aàµOí*·ÙÞí3ÞêfðÖ 
¸5È7ºîõ}_ç«byrªw–-?ÖÖàðI’…†˜P0SLŒ?.,&ê~Jp’+
…ÊœPuëÒ{ãeš5Ë¢ª_ÔáéP-x:Ôô®œ¾õ¿TµoZ«e»»“íòÕEÿBR-ÓïïÕÉ�d�€!¦Lã[Æb�`:¡îÝhƒsJ´V:¨¤ûÑÆβËÎV1›tMÕa£iœŸÎdV€!Æ
-”e%ÆÊžûØFmfr¹è—�Ï»íâø»¢Þø½…÷ÅÙ¯¬Ÿº_ ûµw¢bbü);ð|H.öÝÆÖ1m'‘0éãt¾]–æxVÍ?�ÏnN(è‘Úò !ÒòvôF)‹‚цº´iI¨2ž6ÞÓv×tÝK¥¸ýþ¸yA’q†nPp&Ç{Ù±@0ÜP÷
·Œ£µp¸	WÜê¶-§§ÛîØlûÀ?qÀéC9ò™NæbA%™ÄÁ8BÝŽ¤!¹Qž#¹ËQc{ø¶ÇÐ-¿›H
-’Ou2HÀ	JÉäxÏ3ê>€$4Éýí‰çÛU´
¤Y{Û'—oK;by~ÀèWcä�Œ0Ä0‚B2‰t£"�`¡îF\-Ü6η+kFÏÑ¢¸)Ïü
æ
-°CX‚j25~W$
-„$Ôwø")M$õ=mFûᙩš×ÿÛ~µƒ”‡Áÿ;HŸéäï	fØ7ƒ*25ÞUÚ
ûVÄqxÖ±"~眥‡íÐcÇûÕm·¦”ËìäÇ}qŸõä‡Æ3쑱ƒ¢,ŸˆÜa�¤ð¥ˆ§ÜúóèƒsìÿŒ¥ø‡ãðU‘R‘�}Á׆pJõ¤û,72­Þ!7l�¡ÿÒŸæ(endstream
-endobj
-1160 0 obj <<
-/Type /Page
-/Contents 1161 0 R
-/Resources 1159 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 951 0 R
-/Annots [ 1163 0 R 1164 0 R 1165 0 R 1166 0 R 1167 0 R 1168 0 R 1169 0 R 1170 0 R 1174 0 R 1175 0 R 1176 0 R 1177 0 R 1178 0 R 1179 0 R 1180 0 R 1181 0 R 1182 0 R 1183 0 R 1184 0 R 1185 0 R 1186 0 R 1187 0 R 1188 0 R 1189 0 R 1190 0 R 1191 0 R 1192 0 R 1193 0 R 1194 0 R 1195 0 R 1196 0 R 1197 0 R 1198 0 R 1199 0 R 1200 0 R 1201 0 R 1202 0 R 1203 0 R 1204 0 R 1205 0 R 1206 0 R 1207 0 R 1208 0 R 1209 0 R 1210 0 R 1211 0 R 1212 0 R 1213 0 R 1214 0 R 1215 0 R 1216 0 R 1217 0 R 1218 0 R 1219 0 R 1220 0 R ]
->> endobj
-1163 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 758.4766 511.2325 767.5824]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.7) >>
->> endobj
-1164 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 746.4943 511.2325 755.5003]
-/Subtype /Link
-/A << /S /GoTo /D (section.6.4) >>
->> endobj
-1165 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 734.4122 511.2325 743.4183]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.0.1) >>
->> endobj
-1166 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 722.2305 511.2325 731.3362]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.4.1) >>
->> endobj
-1167 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 710.1484 511.2325 719.2542]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.1) >>
->> endobj
-1168 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 698.0664 511.2325 707.1721]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.2) >>
->> endobj
-1169 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 685.9843 511.2325 695.0901]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.3) >>
->> endobj
-1170 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 674.002 511.2325 683.008]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.4) >>
->> endobj
-1174 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 661.8203 511.2325 670.926]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.5) >>
->> endobj
-1175 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 639.2482 511.2325 648.1048]
-/Subtype /Link
-/A << /S /GoTo /D (chapter.7) >>
->> endobj
-1176 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 627.186 511.2325 636.2917]
-/Subtype /Link
-/A << /S /GoTo /D (section.7.1) >>
->> endobj
-1177 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 615.1039 511.2325 624.2097]
-/Subtype /Link
-/A << /S /GoTo /D (section.7.2) >>
->> endobj
-1178 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 603.0219 511.2325 612.1276]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.7.2.1) >>
->> endobj
-1179 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 590.9398 511.2325 600.0456]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.7.2.2) >>
->> endobj
-1180 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 578.8578 511.2325 587.9635]
-/Subtype /Link
-/A << /S /GoTo /D (section.7.3) >>
->> endobj
-1181 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 556.2857 511.2325 565.1423]
-/Subtype /Link
-/A << /S /GoTo /D (chapter.8) >>
->> endobj
-1182 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 544.2235 511.2325 553.3293]
-/Subtype /Link
-/A << /S /GoTo /D (section.8.1) >>
->> endobj
-1183 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 532.1415 511.2325 541.2472]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.8.1.1) >>
->> endobj
-1184 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 520.0594 511.2325 529.1652]
-/Subtype /Link
-/A << /S /GoTo /D (section.8.2) >>
->> endobj
-1185 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 507.9774 511.2325 517.0831]
-/Subtype /Link
-/A << /S /GoTo /D (section.8.3) >>
->> endobj
-1186 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 485.4053 511.2325 494.2619]
-/Subtype /Link
-/A << /S /GoTo /D (appendix.A) >>
->> endobj
-1187 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 473.3431 511.2325 482.4488]
-/Subtype /Link
-/A << /S /GoTo /D (section.A.1) >>
->> endobj
-1188 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 461.2611 511.2325 470.3668]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.1.1) >>
->> endobj
-1189 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 449.179 511.2325 458.2847]
-/Subtype /Link
-/A << /S /GoTo /D (section.A.2) >>
->> endobj
-1190 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 437.097 511.2325 446.2027]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.2.1) >>
->> endobj
-1191 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 425.0149 511.2325 434.1207]
-/Subtype /Link
-/A << /S /GoTo /D (section.A.3) >>
->> endobj
-1192 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 412.9329 511.2325 422.0386]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.3.1) >>
->> endobj
-1193 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 400.8508 511.2325 409.9566]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.3.2) >>
->> endobj
-1194 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 388.7688 511.2325 397.8745]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.3.3) >>
->> endobj
-1195 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 376.6867 511.2325 385.7925]
-/Subtype /Link
-/A << /S /GoTo /D (section.A.4) >>
->> endobj
-1196 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 364.6047 511.2325 373.7104]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.4.1) >>
->> endobj
-1197 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 352.5226 511.2325 361.6284]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.4.2) >>
->> endobj
-1198 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 340.4406 511.2325 349.5463]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.4.3) >>
->> endobj
-1199 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 328.3585 511.2325 337.4643]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.4.4) >>
->> endobj
-1200 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 316.2765 511.2325 325.3822]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.4.5) >>
->> endobj
-1201 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 304.1944 511.2325 313.3002]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.4.6) >>
->> endobj
-1202 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 292.1124 511.2325 301.2181]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.A.4.6.1) >>
->> endobj
-1203 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 280.0303 511.2325 289.1361]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.A.4.6.2) >>
->> endobj
-1204 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 267.9483 511.2325 277.054]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.A.4.6.3) >>
->> endobj
-1205 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 255.8662 511.2325 264.972]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.A.4.6.4) >>
->> endobj
-1206 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 243.7842 511.2325 252.8899]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.A.4.6.5) >>
->> endobj
-1207 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 231.7021 511.2325 240.8079]
-/Subtype /Link
-/A << /S /GoTo /D (subsubsection.A.4.6.6) >>
->> endobj
-1208 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 219.6201 511.2325 228.7258]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.A.4.7) >>
->> endobj
-1209 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 197.048 511.2325 205.9046]
-/Subtype /Link
-/A << /S /GoTo /D (appendix.B) >>
->> endobj
-1210 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 184.9858 511.2325 194.0916]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.1) >>
->> endobj
-1211 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 172.9038 511.2325 182.0095]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.2) >>
->> endobj
-1212 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 160.9214 511.2325 169.9275]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.3) >>
->> endobj
-1213 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 148.7397 511.2325 157.8454]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.4) >>
->> endobj
-1214 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 136.7573 511.2325 145.7634]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.5) >>
->> endobj
-1215 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 124.5756 511.2325 133.6813]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.6) >>
->> endobj
-1216 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 112.4935 511.2325 121.5993]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.7) >>
->> endobj
-1217 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 100.4115 511.2325 109.5172]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.8) >>
->> endobj
-1218 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 88.3294 511.2325 97.4352]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.9) >>
->> endobj
-1219 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 76.2474 511.2325 85.3531]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.10) >>
->> endobj
-1220 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 64.1653 511.2325 73.2711]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.11) >>
->> endobj
-1162 0 obj <<
-/D [1160 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1159 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F39 1173 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1223 0 obj <<
-/Length 898       
-/Filter /FlateDecode
->>
-stream
-xÚíÙÍRÛ0
-“8!Й8hýTF9¦¥�ë39a E)ÝQ]Í&ãb4�Œ¾ŽæõÍ ÐJ±A¡8›Jçž?Ë
-¤xáƒ�v^‰B(^dúÀKû«tx™
¯e=ù#°ÿ;­×¿ÆŽtõ†	oO:¦ý�+Uá�N½YǸí³Múã³ÐX!˜ƒ²IÑj(²õ^p=òɬš+¨ÙŽì�ÔaèTg‡(�rˆ%€Ñí…PÉôÑ¡QÌ•:îÝîºW4Øn'õ � ûkÜaQ…eïŒ
-R¨p[Á¸vT‰B(TdúˆJKæ»IÁ7¨ÆãzµCeµé5HSXïΚP ¥	÷lû“ªJ™>jR‚q©ÂÆQÀFSµ\TÍæqPÝ?‰½è04 3/HñÂ
ÛþäŸ*„âE¦�¼Jθåac)¶ÀûkÔ²ªÇóYsûÓ½¯�–¾3,HÁ­+Úa%
-¡`‘é#,a¶”bû±üÝjTLgÕ¨ø̹øù¸ð¾ô¢$*¬ygQ(�…{
-V¶‹JB‰"ÓGQ 6�"|J¿šŒä´ZM…“²¿T½¬°ô�a¡@
-n-	+QȬøEu¡,gF‘ú®ÚÿsJÁó¿ß}_&­éÓ•Üú>mr©˜Ÿk³=ùÞz®aªý7B¬endstream
-endobj
-1222 0 obj <<
-/Type /Page
-/Contents 1223 0 R
-/Resources 1221 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1241 0 R
-/Annots [ 1225 0 R 1226 0 R 1227 0 R 1228 0 R 1229 0 R 1230 0 R 1234 0 R 1235 0 R 1236 0 R 1237 0 R 1238 0 R 1239 0 R 1240 0 R ]
->> endobj
-1225 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 758.4766 539.579 767.5824]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.12) >>
->> endobj
-1226 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 746.5215 539.579 755.6272]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.13) >>
->> endobj
-1227 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 734.5663 539.579 743.672]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.14) >>
->> endobj
-1228 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 722.6111 539.579 731.7169]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.15) >>
->> endobj
-1229 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 710.7556 539.579 719.7617]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.16) >>
->> endobj
-1230 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 698.7008 539.579 707.8065]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.17) >>
->> endobj
-1234 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 686.7456 539.579 695.8514]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.18) >>
->> endobj
-1235 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 674.7905 539.579 683.8962]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.19) >>
->> endobj
-1236 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 662.8353 539.579 671.941]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.20) >>
->> endobj
-1237 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 650.8801 539.579 659.9859]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.21) >>
->> endobj
-1238 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 638.925 539.579 648.0307]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.22) >>
->> endobj
-1239 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 626.9698 539.579 636.0755]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.23) >>
->> endobj
-1240 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 615.0146 539.579 624.1204]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.24) >>
->> endobj
-1224 0 obj <<
-/D [1222 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1221 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1244 0 obj <<
-/Length 2174      
-/Filter /FlateDecode
->>
-stream
-xÚÝYÝoã6÷_áGXëø%‘ìãî¶ÅÅî’¢½>(ckK®>’ºý
9C[ŠåÍö6ÀE€ˆ¤†äpæ7¿Ê|Éà�/M–2iÕR[•fŒgËõ~Á–x÷ý‚“ŒÊdš))¡3óv•I“fFèåj¼ÈÛ»Å?¾|)Xšç"[Þ=œöʵI­TvyWþ’¼Û‡Þµ7+‘±„ßüz÷NS©6šûi¶ÈRm™	>Ô}۔ú¯ššÄÅÒ¦6y”Ö0ÔõÒw[K›ÜOsmízì½oöEUcûc±'™Ûc×»=¶ÿÃ2öþã-<¸Ðɺ©»ªë;|Ý<à³�ëwǺ/~§Á†Æn]=ŸIÖ°ß³U\ÝW}…£:©nxRcÓO‚3úSqžÚ,Ñt)Xâ"O
-ìn+×í
7Éz[­‹Žî‹º3k•¼�
iPÿ¦½1É°ó›ûE†Î•8þдØ(ÝÎmŠ¾ª7´ÏÐo›¶êAÍ#Ž4�ŽdÃáh‡¢¦•h+F
-žœˆ‡UûÃÎíÁEðëJ€¢ý¶ðîÒYR¬û¡ØíŽ8¾/¶¢)A$؆F~öË2XÂu�ëRPÂȼŠ¢eÑ(Vuqå
-4¨joßñË`wÖj†Ž‚÷f|SHÚê~èÃ"Ùœ?ü¨ßü¾ZEÌs•J•B±b©È%bž§
-
<ð|߬o¹ù`&͵�KÞºö85ØÓNBƒÅp€ñs�°o?||Oñ
-FŠüäuܹê;´¡’<ÕY®§6<�ÁG‰ÐB
-žD8^øú	&�®*‚îóSˆÏš|SXuYµ)©Ú„âüѳoSSiùS¯wUý•eg(£ãÜsÙºOëàïg7b�¸„%Wð¡Ðñ€^Á;NÀNTÿ¯ÕâÛ»Ó÷›CHá™�ºQ
-ÿñæ·Å/¿²e¹`Ë,•ÖdË'è0°&TŠû…’Ðd™‰#»Åíâ_ÿ㬨ǨP¸ª
Îc°5#º§K­â™V܇3üôEjŠfø�
-–Q�£­¢+O(Ÿèº³ß…Ù¤
-�µ¾€Ð5༚ºÜ¸c3Í¡vÃH-Ôø·¿‹ß
-endobj
-1243 0 obj <<
-/Type /Page
-/Contents 1244 0 R
-/Resources 1242 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1241 0 R
->> endobj
-6 0 obj <<
-/D [1243 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1245 0 obj <<
-/D [1243 0 R /XYZ 85.0394 582.8476 null]
->> endobj
-10 0 obj <<
-/D [1243 0 R /XYZ 85.0394 512.9824 null]
->> endobj
-1246 0 obj <<
-/D [1243 0 R /XYZ 85.0394 474.7837 null]
->> endobj
-14 0 obj <<
-/D [1243 0 R /XYZ 85.0394 399.5462 null]
->> endobj
-1247 0 obj <<
-/D [1243 0 R /XYZ 85.0394 363.8828 null]
->> endobj
-18 0 obj <<
-/D [1243 0 R /XYZ 85.0394 223.0066 null]
->> endobj
-1248 0 obj <<
-/D [1243 0 R /XYZ 85.0394 190.9009 null]
->> endobj
-1249 0 obj <<
-/D [1243 0 R /XYZ 85.0394 170.4169 null]
->> endobj
-1250 0 obj <<
-/D [1243 0 R /XYZ 85.0394 158.4617 null]
->> endobj
-1242 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R /F39 1173 0 R /F41 1233 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1256 0 obj <<
-/Length 3187      
-/Filter /FlateDecode
->>
-stream
-xÚÍÛrã¶õÝ_¡Gyf…àBðÒ7g/�3oºv'Ó&y EÈæ,E2"e­÷ë{Î
EJtvۦӌ
À¹ß`µ�ð§6q¦³E’EÂJeëí…\<ÀÚ_/ìÐjõíÝÅ7ïL²ÈDëxq·�•
-™¦jqWü¼T"—p‚\Þ}÷ör¥­\¾yÿÃÕõ
�o®~àÙÛÜÞ½ý�Æ¿H+ßÜÜÂG]®”Š¹|ýÝÕ�wo?кâ#¯oî>¼ó÷×w×ïo.½ûþâíÝ€õ˜2%
¢üÛÅÏ¿ÊE
~!…ÉR»8À)T–éÅö"²FØȘ0S]Ü^üm8p´ê·ÎrJI¡M¬gX¥õ«l&b£�gÕÝ£#ò6MU5‡²~ Ÿë¦~ru_6uGùîR¥KÞw® QYÓ·pÝzW¶£
͆¾}¸áÛë›7Ãá¿H©ö»7þK]¹¿œ²4NE¬$`E"ü¿Š§:‰LNxúŸí
-xÈ(…ȬýhŸ„³xvL�ZšV‰Ñªè¨ÚÙH^I$²4Y$&]’1‰ëR)µlÆ<¿ž­Tª�Yþt©åHD'üïúçþFY"2•á=.ÿuÈG¶ø?a˜–ÂZ8{VÃÇ4X_d#ϱ�îùÐxÝ-:¤ý›w‘mÑ:¡¥‡~W~BÍŽ¥\þTýãËÜ"D²?9»$Œ$8Ìße—Òpš$ð”ïÊü¾r(¯FXüyygà£Ôþ>¯$úZKaæ½wwy<a»ïÁc#íòç»ËL/ݧž×Ø'ºz]5g¾³ûm?ñ®÷»|ýÑõݯ/rtŒëÅÑc„ù¸W-3‘&”V¨dƘq¨;y:IE”y1ÈÏ@°>JM-T$Lñpób8UfÀ9N@Nôvˆ~ošmÄq“oyöö¹ëÝö<=ð¦1Qˆ@žÌ’lUS³l÷»¶éø‡�ˆðí½>¤zY4ëýÂ,ÍÓ,¬7ôuŸÚŠ°ò›ø”²îú¼ªBä„™¼.è¸}ûѹöô2ÞÇáFHÊ·n÷ÑUî™f®ëÞíj×#eãH‡´0;²˜™D	’Îì²k6ýᨹ
-�”'ŽŽÄÅ6H
fr`vJ,z‚oNë�¥Û‘€Ö�å:¯^á4D²ë!qØ÷Þ
x‘÷ù}Þ9Hq�uèiºë)rºŽŽ+ëM³ÛÍ
-Â"×ñ=õÉz›÷�45²SŒ8ˆø˜ÂKçœ�8Å$Sc¯Ñ4ýoTIœžO¡Š ù”LvGizÄY|IäX Rþ„
-9›ÂN<\k)ŸÒˆê8­À^ò
�𘎆T¡GKG;&H®EaHôú¡§
}7DAζ5fƒcéÇ&\A„‡ýslЛq9nGÎ¥/�QèL;:*×63ªšŠÈLò¡~DCèXÒù£
-V ëOÔ÷3—“ø¬1<QͧÔ:�Ï>t`(j7}³nª9çnE¬‡"‚GPBeöÄVH
-ij+PÂé(;­�öÔüá3h2ëb6‘O ó�Cˆ­¥:l-¡âeÑò¶	H{÷ÂÈ£)biO\g·oÛf×ýšÁi˜
Ù>Kö¹usÏŽáÁ먰'
r�€¿‡òTP€ùg"ZÛ=,hðaÒF&ðÕþ¼÷vªï*ºõñíj&¡N‘Á”_)(ǧŸµ²¨/ q~ÚHQue§ÊôœS‡„fè½øJ«pÞo”UbÉ´ùä«/2ÁIA	¼/j®æ6óÕfÌ-•Ì,�
�´�
-H•²/hÊ
-‘tôÚÄ�„¶)Ã;Tèu®r£w¦³§(
-®£fw"®höx׺©;°Çn|>”°�ÃÓ¶PˇýjÎÖ�zýÁ”rþ!È£+Œ�­$üE™Bö‘Q�™…­Ê"ôãÇœ/Áò±r=?5M[ô°ÌÏ[€Ì°u¸Âz
Æm�Üo<)¶ó=P¿+{’‘OíRzw�dîØPÖ6ôV`0ÐhõðlÓã>§¦|êv=£lÁá“xý1‡š[ÚÍ„C9ßšÞ4â¦Å7ɵkù ’ßÿe¬ˆ¦¯¸Çÿ¤ùâãý×þ{Ôñ¿Ä T0iª_ð‡)¶ˆÌ€
-@Ÿ!þ�êó
4Ï©Êendstream
-endobj
-1255 0 obj <<
-/Type /Page
-/Contents 1256 0 R
-/Resources 1254 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1241 0 R
-/Annots [ 1262 0 R 1263 0 R ]
->> endobj
-1262 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [272.8897 207.1951 329.1084 219.2548]
-/Subtype /Link
-/A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
->> endobj
-1263 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [190.6691 179.6723 249.6573 189.0819]
-/Subtype /Link
-/A << /S /GoTo /D (rfcs) >>
->> endobj
-1257 0 obj <<
-/D [1255 0 R /XYZ 56.6929 756.8229 null]
->> endobj
-1258 0 obj <<
-/D [1255 0 R /XYZ 56.6929 744.8677 null]
->> endobj
-22 0 obj <<
-/D [1255 0 R /XYZ 56.6929 651.295 null]
->> endobj
-1259 0 obj <<
-/D [1255 0 R /XYZ 56.6929 612.4036 null]
->> endobj
-26 0 obj <<
-/D [1255 0 R /XYZ 56.6929 555.4285 null]
->> endobj
-1260 0 obj <<
-/D [1255 0 R /XYZ 56.6929 530.6703 null]
->> endobj
-30 0 obj <<
-/D [1255 0 R /XYZ 56.6929 416.0112 null]
->> endobj
-1261 0 obj <<
-/D [1255 0 R /XYZ 56.6929 391.253 null]
->> endobj
-34 0 obj <<
-/D [1255 0 R /XYZ 56.6929 164.815 null]
->> endobj
-1264 0 obj <<
-/D [1255 0 R /XYZ 56.6929 137.4068 null]
->> endobj
-1254 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F39 1173 0 R /F41 1233 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1269 0 obj <<
-/Length 3415      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsã6¾ûWè¹jÍàA
-¬f~oöTf¹Ð¹ßÓ”°R9È ªÝÊoH‹ùªÛõͺö�&æÛ¹œQJ�• *–býgµÝ·u¶ê¶	‰[—•¥P<vÝm+”:®dë4»U{\×=uìª-5ͼ?Ò�|^õ)N,´KPsš}ÓõCVUUX¢SÕSåù驦ÙU"S¶Ð<aµ[§V%JM].—Ù—å •ÌŠÂ…¯êçÅ s�qw|ÄMê·äítfAkÿ7q#ø›øËÛ.20,ÓíÚW¢�vÊ] $4¡3áÔ™ÐÞP“¥
§0=€4“¥Ì\®¾"ätÌq}]¾§sHR¥EHR¢ÂÅ|U툴­öÔ€©Wƒ—	t#Â!±¢Gßì[þ’ÔMEºùò8�¨ðª•ÕAT’õËÃ�–€§mßQ‹Ï
_’
aj¡AûOè„ùÉÈñCBŠþì“
-FÙ—´·¤r™½úš©Àã§l¢b
+åé
ykçÕWÛq‘´[S£æ9¡9ö[0ƒU½ˆNG	�‰ÃÑvœÝ«t\Ç�¼
Ûx]„ïIº]Û=òŠ4…QñR›¡y®G.O�ìé•l°?>>’îƒqÒQ ùµ;‰®Zùó‡ï{jA¦½!åØ̉è%½†§ìˆòèÅ¢	�
-¶ÜÙ¼Ãî!åUVDÄóhyÑ~_¯š‡WZÏoÂ+‰ õD"[+îÍ•óÿlêÑYã,„&ODé»-Ï`hŽ.%8r——Å™½¢
-PÌÛ#„]‡f¨v0'o†)¹¿„@`>Ȥ�ùÂÊ;\¥9¸À–?>¥è<ÖDóé
<=VÁ³­«ž›ø]â€¶uˆ~ªSnñ;6chñÁ'"N
ΫÔrr|ù%À—`*ƒ÷Cþ�¢à|‚s@^WCE-:'IÇdasøPÎq£7_\—jŽ~ÂÀ‚'”¯ã8I% ¥këCå" ûsjPi¤LqW/ÝቨUÓ9BO\(Èû�Fzµ q¯y~¥—ŽO3LOeIߤ�jª,!q’áþ¡>Í™å>	èŸë~xG	�›?�»Ýâ[q~ð8€W¦~Þ—
-îˆçŸ¡£ë_ìy˜0âöÖW.|ÿÒÇK~~nPšVŒ3³œ=·Ôµ¯VOIQÕÂ¥Ñ%¸2çÏ¿��ì–ˆ`¯LëˆÉçn @ê¡-Ð×õ?¡
-txÕÁ(1Âùãqt0úØÇ‘C×µLm›§:ÂÄ$è’y¦
-sÔæ1eME&Á$£1â¼äc w,°¬’C¼WJˆãV[î<<ΨñyZ­	ão¦\Vk.çEîëÕ
-4¤_gª1Rg:“ÙEyJj•A¤_Ìr“ãB.YOŠ£n¦Ã.9¼œ�e$³„¸Á�fÊg–’U
þ%¢30Jø¼õŒŸ|
-ñ,…¸Hs
	(5Û®ò¥.^ÚóÙz¡¼‡8à
lD®}°EsÀÜD‘’ëuCu0h/Y€ÒØ,Ïeyj.›ã¶ò£I(ðÜ“jlª=w<Ö;ðQ\YÓóm½ÚT»¸+ L؃7fg¤X›�ShFN¡«ˆ>à32o45³™Qxê�5
½ã¼‚'Ó‚P)¼<`È$­ÍOËF¾Àí'K´Édî‚fuÉ S‚Θ0g0©/ΚËÌHm¢þð‘•€¼ÂœºÍ�ˆoÒ1C
-¾ªz
- „Ùt/õDוdå’fd>‰²òôW"RZ*)Ööµ…pHãAQc€æ‹
@!óòX:�«¬>'�NybÏúF†Ø=¤¥«òXÈ^¿B<جH¼Ç=ÀQJ¼à>LYÆCÛ×ì2“ í\VäN�Î' ­¤ï) ÿ[!3A³ŠV�
g"¼ã+�¿¥³ÒÊLˆ<¤”^$@ Ä¢' È!/zq®Í
O»îeÇ�zªh$…ÉTéÆ™
-¶|üßùò„R!è�yìØ5Âiq^·f@ÔÚNGûºI�©ž¸9=C@®ˆB
-·o
¾Àbº¦
úž&\Õ=¯d‚Ó÷aŠKѨðÀæ@pð
-–þvA•c«ÇøÀ†û,¤ÆAg€hCõoœ€}¼ew8ýš*çÐð‡#çô/�œÿn1]/‚0Péú\í8°ef´>+sŒBO�D‡+^ .ùRéØ{
-endobj
-1268 0 obj <<
-/Type /Page
-/Contents 1269 0 R
-/Resources 1267 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1241 0 R
-/Annots [ 1272 0 R 1273 0 R ]
->> endobj
-1272 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 463.1122 539.579 475.1718]
-/Subtype /Link
-/A << /S /GoTo /D (diagnostic_tools) >>
->> endobj
-1273 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 451.8246 133.308 463.2167]
-/Subtype /Link
-/A << /S /GoTo /D (diagnostic_tools) >>
->> endobj
-1270 0 obj <<
-/D [1268 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-38 0 obj <<
-/D [1268 0 R /XYZ 85.0394 570.5252 null]
->> endobj
-1271 0 obj <<
-/D [1268 0 R /XYZ 85.0394 541.3751 null]
->> endobj
-42 0 obj <<
-/D [1268 0 R /XYZ 85.0394 434.1868 null]
->> endobj
-1274 0 obj <<
-/D [1268 0 R /XYZ 85.0394 406.5769 null]
->> endobj
-46 0 obj <<
-/D [1268 0 R /XYZ 85.0394 301.1559 null]
->> endobj
-1275 0 obj <<
-/D [1268 0 R /XYZ 85.0394 276.6843 null]
->> endobj
-50 0 obj <<
-/D [1268 0 R /XYZ 85.0394 200.1512 null]
->> endobj
-1276 0 obj <<
-/D [1268 0 R /XYZ 85.0394 175.6796 null]
->> endobj
-1267 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F39 1173 0 R /F41 1233 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1280 0 obj <<
-/Length 2457      
-/Filter /FlateDecode
->>
-stream
-xڥ˒ã¶ñ>_¡[4Uš
-my¢¬hIaë3aN•SNìU@7ؾ*ypêŽu C`ab5r´CþT&£ÆàLa¾¤¸á{ nx¯g§þž7››+ì%£ �DäöÚ8V²ˆ-¢ïj2ÀÔÕö¨�•éixpÝ+ð[f{¦oÓõ– î`PsŽögÐHãÖÇkÍ"t,©|Æ’L³@dÀeèXêí°½åié.qDR
-^÷,ÊÕº1º9°{m=d˜]=êmg�	<(¥‚$ŒÔ¥)úÀºêvô…K‚A4tÈdŽ`Ñ”ƒ â0^a˜š%Y˜žÍ~{7jÀ½_Í5^×ßÆÓ®§»+>ô`÷ݱz¸4n
-âôóŠtiLAâ^¬�=:)Hã±Å R¢$3áE–ú[¸ó`™»|5MÖ]¡k´d€€ã`é(7FîÍ|ÆÜ�*Þ<Y×;æóy(ö‹žKÖ?sðCg7ì×zÁ3dI¦Ø–XÄñGaÝZžÊƒPAÐ'êvô;:ù¯|´¥/ß»_8|:H¤Ê�u‹ë®û6–¬?Å‹û•L=i¯\W¦µ}ÀFA”E�ÙDäJ¦äÿ÷¹\ƒ~T’­«Æû¸ADî×maÀ$ S^3ˆ«z5nE
áˆñvÏ»°‚‡Úö4ƒ~„Ö“ú;úuç‹ãAç	Äíç
-ؘ.f¢Ñ¯œ©œ\6
-ç|;Û‚)ŠòQèx&ïBì`Pµò‹%Ã�\:oÁïŒs�H°
Ãä�Eõ*`/LÕÚ…ØRo•›Ä
”J^»Èë‚ñä�Œ…§¹¸Æ›û‚ã ÏãìÊqæùÍ×	˜êzï3ý¹íÚsÓ
=HC@qŒ*˜›3éº6íÕ"))
¶aò,Y+
-®%~êŽ'},Q6ÿ³nøðJ&’PÌMfR…�ˆÉ,§ë²sn‰ó�eÀ ·B•AER2Ë0`¡&X]jcyt%Ž S‰Œ™BæSF[ÐÆg¥@|º]ªJ°óI£)¾¢l–R
HE„cñÒáÍqW4qüb‘I{ʇ=@ü>*¯p@•
-B3¶œœî!k÷»3
vd’
mäbÝìÃ/î×ññ°–±¼%+	NI.5$BBš\
-¬9ÈÂßM%n×újv¡ƒ˜•Ãº;ÓŠ(„ÊÕ¥d£¤Y™�Ž™È² RBúÈ“ùÈãc˜#p!�-#ºÖ
1é)º9=qáü’f»LRŠPdˆ¼�ž/"2
F G; }Ôt(é
µÂZÙÑ÷ô5ÿÞë¡·~Ïžn—ª7Ýö'§Ìˆ*Tú®Ú»è4gö× º‰e4¾ó¡ÂRèLsßq‚º+Ä�»�PeG²Â#Q¿§)2ê(ôÆœÏÊ
-S¦…€Äüœº
ã2±öŠ�
41ÑÍ–,÷úBäí]¨u›«˜úDOâ‚
ÙLë–3žatÙ±º÷5vxn�ïH‘šªmÝóìAߌå³ìž¢Çð²÷CdÔ“õ±0¤RsA„$ÏW¬DŒ‘ß!]ÆZ7]2}e1¼¨„ë1Üi$žo1ž-�Û�¯N›$†hj¿F&zÂRå§Þ*'MÍ{ˆá`æ[�?ס'œUo›rj¸ÂúuquðÏ	_ºÚüé®=
×?<>½'È·^³î'
Y܈¬8H·†
-8hÁ;ÑÍpÒEë”’ÒÙÛÀT©á�ßÿ?J1BŽ- LÖúÕ\-à´s³¢]¬£¦„ÁÝÚìYË¥‹œ?NóNol�Æ.Ðúzö�[£«öcw2Sæ‹$ôÉÜzä\ò«NÚÖž†ÎÝaž[oßeãi!ä¶*x@NKø®ß_÷Vo-ó§”k9ÖÝËß3\vÐG(%ñ"BRi‘qêHs_é#J—¯ºµú
„0.�¤Ø¿e`·7
A]{yÑz}àLãîe\¬Ísk³ð‚ÂyúRìlýSÃìÑÉÙhr-àù«C2I	Ñh6Ë•](!•7ºØñÁ�½ÐlÇAšå©¯òÜ%Øá(v³d”"¹nO“›î&˪Ç�Í…)RA)³Ëx;5äT´�)òKL¥·U]Ù3!É”ÐPñDSƒöCXG¹ËéAɸÖÈ|)ÅãVWö(çWtŸçüùêhÒB:[ÐîuùžG3½åŠ2I>½+
ŠÝ•ðN¯KueÍŒ€Îö¢~K¡@œ&¡ZR(œÁ­
-M­
- ZãŠÜƒ[æž.ÇñS!�L%:P–ô˜¥Hé!”·i"®"!G­š¼ü…3Ãø(M¶æÒ?/ÕºðõwÕNïÉzê-çÕÃÿ­@úÂ?Dþ		ÇD÷ÿï2ýý¥�Ê2¹ü—ŠÌ OÕÈŠ%ºaÜÿ?sËù
y;:»endstream
-endobj
-1279 0 obj <<
-/Type /Page
-/Contents 1280 0 R
-/Resources 1278 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1241 0 R
->> endobj
-1281 0 obj <<
-/D [1279 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-54 0 obj <<
-/D [1279 0 R /XYZ 56.6929 717.7272 null]
->> endobj
-1282 0 obj <<
-/D [1279 0 R /XYZ 56.6929 690.4227 null]
->> endobj
-58 0 obj <<
-/D [1279 0 R /XYZ 56.6929 550.0786 null]
->> endobj
-1283 0 obj <<
-/D [1279 0 R /XYZ 56.6929 525.2967 null]
->> endobj
-62 0 obj <<
-/D [1279 0 R /XYZ 56.6929 393.0502 null]
->> endobj
-1284 0 obj <<
-/D [1279 0 R /XYZ 56.6929 363.1913 null]
->> endobj
-1278 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1287 0 obj <<
-/Length 2097      
-/Filter /FlateDecode
->>
-stream
-xÚ•XK“Û6¾ûWèÈ©qù~ÇÙõV­k+ž=Å9`DHD

-
J–}ºÑ
�œ‘SÞÒ��Ðhôóƒâ]¿xWåa”ÖÙ®¬³0�â|wèßE»Ìýó]Ìk²<
ó,MapgvŸ§U˜WI¹Û¯…üüôî¿&ñ.‰Â¢HòÝÓÑŸU”eXäeµ{j~Þ·âläô°Oò(Hþxú7m˲*cÜÁeem7üüñÓ/´ú7©Çy:H7úsV“ìå`´gaš	‹)P
:6	ã‡}EQð/15W1±”é­”dW‡u‘,$�Â<ÏS+å—OŸa[‘­˜â*@AøEaE�-�Bâ@Ód+.’6›I4ʨq]w#Ö³”Q°Û°¸~l¤6áÃ>ÍÊà×q¢½x“´
EéGäå�–ÓEN|¤i…ÁKá5â8¬ó<±×`Uàú|.Pg9h�#ŽG¼Â‘G{Ÿ±§‘8åö7³¹µÈ<Ëé8N½“$š^Mâ¹ãuBÓ—L	kzEë0‰jòÚS2Ó(ÅÕŸ?¼'ú(…™Éš8 ¬ýR¨ UÓ§7"Îtƒ‹3#}ŸyÌFGòýÿG„šÄmiÇ«=Ê,
->ã;ÆïÅ‹5T´R\nDΚy㑾¦…È‘Ž»½2rìÍ�¸*Ýò–‘¾PA5”bEÐQ„žÜXß´‘½•’ÇqrÇù³ÄùÜ©Ýc/©|
-hWü(½½Ylovœ;çå~îŒ2-©,Ù<²÷»n¼ªáÄqˆš�êØ|>þA콃ÔzäʱºFä®m3‚XÖ
–¤IeÂïTŒ
-Zš\2.6&¾SsîV‹ŒJn‹ëè^]Ð4c5G‚LŒTÍ{Äp’¼È§ŽTVûC'4‹èÅ¡Uƒ|-ÓÊhMË4`šÑßF¿é
-®gCƒƒ•wz¼çab\
rc:OJK§	rM’¨Ô‘¸·q&Â&TC´´ò¬“a«ìonƒèQYdÏçFÉk„“âªÒZ�¨x
m¯öx/ù¼UllÑY6HÆYƒX½
¾?g9)©}Ys2¬ù±J9‚þ#ûqºýA”.%0©³ w"j*xÈ3n’Š(Ñ­-±5U9d<ó"_
-hZã|jY/ýE‰áÝN6“dy 8xp]7b~{é0h”~�’e±½„3×rÓ,�Ã,*r¸2Ư{ë³½ŸØøÎê±×꛼cµ¬Ë"-XÔx¦J’VP¶ØW¶Ö6DÙ6
-^–@Á³"Ê
-Ìk
-âþî^̲EÑÅk˜èP<sgÕ1BÚÖP�!žÅj˜K±dx	’;mêá6¨BÐ¾I½�Ÿp
-endobj
-1286 0 obj <<
-/Type /Page
-/Contents 1287 0 R
-/Resources 1285 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1241 0 R
-/Annots [ 1293 0 R 1294 0 R ]
->> endobj
-1293 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 268.1131 539.579 280.1727]
-/Subtype /Link
-/A << /S /GoTo /D (acache) >>
->> endobj
-1294 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 256.1579 143.5361 268.2175]
-/Subtype /Link
-/A << /S /GoTo /D (acache) >>
->> endobj
-1288 0 obj <<
-/D [1286 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-66 0 obj <<
-/D [1286 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1289 0 obj <<
-/D [1286 0 R /XYZ 85.0394 574.3444 null]
->> endobj
-70 0 obj <<
-/D [1286 0 R /XYZ 85.0394 574.3444 null]
->> endobj
-1290 0 obj <<
-/D [1286 0 R /XYZ 85.0394 540.5052 null]
->> endobj
-74 0 obj <<
-/D [1286 0 R /XYZ 85.0394 447.7637 null]
->> endobj
-1291 0 obj <<
-/D [1286 0 R /XYZ 85.0394 410.3389 null]
->> endobj
-78 0 obj <<
-/D [1286 0 R /XYZ 85.0394 348.7624 null]
->> endobj
-1292 0 obj <<
-/D [1286 0 R /XYZ 85.0394 311.223 null]
->> endobj
-82 0 obj <<
-/D [1286 0 R /XYZ 85.0394 189.9853 null]
->> endobj
-1295 0 obj <<
-/D [1286 0 R /XYZ 85.0394 156.0037 null]
->> endobj
-1285 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1299 0 obj <<
-/Length 591       
-/Filter /FlateDecode
->>
-stream
-xÚ¥TKs›0¾ó+t3AÕ�tt’:3Nƒû˜4Ç()SŒ\ÀIóï+!°Iâž:³«}|ì~Ú…
-ÕºÕõ«3uE�ó»$�hô®ËZ«
¤iëâa׺BÿÚ*Æ‘]…#;`ÞþÒþ{ã¿¡0FLzX¦ñÐS�‘ŒÙ¾(Klô¡ða3?VþP%6endstream
-endobj
-1298 0 obj <<
-/Type /Page
-/Contents 1299 0 R
-/Resources 1297 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1302 0 R
->> endobj
-1300 0 obj <<
-/D [1298 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-86 0 obj <<
-/D [1298 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1301 0 obj <<
-/D [1298 0 R /XYZ 56.6929 744.7247 null]
->> endobj
-1297 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1305 0 obj <<
-/Length 1159      
-/Filter /FlateDecode
->>
-stream
-xÚÍWÉŽã6½÷W}’�ˆæ¢}êt$‡ @Ì!“-Ó–0²èH”�N�O‘EÊ›2sÈ%ðA\ŠU¯^-¤Ù‚Â�-Š”PQ&‹¼LHJYº¨Ot±‡½ïŸ˜—IRAÒD˜ÌìÆ©(HZð|_+ùzý´úŽ³§$ËxºXï&[YXo�Þjy4ª_Æ<¥‘Xþ¶þ�%$/rf�Q0‘V
-'ÿ“<(þEõ§pðMw)åû±—¦Ñ�WÃ%)3žy-#4ϧæ‡æ,2u3Ø�ª	,Ÿ~�ý’‘>5[…Rƒ>ø­aÜïÕ`Ô§Õ-¯T¶ºÛ{•�©q´A]ÛtÊítÀ¨ÆÇA‘e,r}X–<ºØŒ­oÖÆH™¦Üyc� ¯’ƒîä¦õD�d;:[i°ƒJõF6Nôѱæƃ2¦éö™bÁ"’Œ{F2Z2gW¶Œ¥y8{o÷TLŠd§H0Â3Ÿ hRõêµÈª±îÚw\yýl”yj“yY×p@d)¸Ý¶úÜØXØé
-¦ÝŽÄ$Â	Žw
-xfŒE_aNX0˜ÀSš¨�¿S•/ŽJ�í‡/bƒ¦Nʯzßœ–±1—²é�Lœ¥åK­ˆÆV…BIØm
-JxI1|«ÄR{}Ö8!S8ÆM§,ývrö‹çf¨qdü)G%§ÀÚÉ®×r›6H–¬Ú‹½‹…¿ðÃJNXV�„ÐO^nóëÅ¿_æ’£5é´¼$E‘—·rÁûºÿäøµ“mÓC\4&Å=î˦“}^)S­l9m7Ï.HÉhò�d×.¿oýˆï`¢Ñy'øŸ{¸@েÌé¿v€F1yçŠÜ…®öÛ­ÖÇ�¬>}ΆÜn{5xB‡À�Íô§î¼Þg'²MÛóDöGùüŘ˜÷ã„.±~Ö÷]Ó+­®d[ëÁpúùeS§M³óôwzži~ÅôÌ•�@2BIOWW‚¿›^GSë
-Ó–ÿ¼\g¥»ÜE
-¾qÂôr�œº=ȘZ\
ö\FØ
ÿxd²ó‘ód¦·$4%9‡‹{¦úÃ9šfؼ!¼‚¦ÿH	ËI)xáõ8kØ;ߥo…­<©»çÃ¥ÛŽ›­>L/‰ÁÌ ²”Š,`îö$àžÇV”ðl×ØæÚ,˜Lá5]Ö·[öhLs&¾Ñ¡0ÌC/—U5U}hõö5¡æ^uº…®û]}á¦×=}»ž^êáý-Rb_ósoù _dð!AK"8�YXù½±é_Á£µ
-endobj
-1304 0 obj <<
-/Type /Page
-/Contents 1305 0 R
-/Resources 1303 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1302 0 R
->> endobj
-1306 0 obj <<
-/D [1304 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-90 0 obj <<
-/D [1304 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1307 0 obj <<
-/D [1304 0 R /XYZ 85.0394 575.896 null]
->> endobj
-94 0 obj <<
-/D [1304 0 R /XYZ 85.0394 529.2011 null]
->> endobj
-1308 0 obj <<
-/D [1304 0 R /XYZ 85.0394 492.9468 null]
->> endobj
-98 0 obj <<
-/D [1304 0 R /XYZ 85.0394 492.9468 null]
->> endobj
-1309 0 obj <<
-/D [1304 0 R /XYZ 85.0394 466.0581 null]
->> endobj
-102 0 obj <<
-/D [1304 0 R /XYZ 85.0394 201.2466 null]
->> endobj
-1310 0 obj <<
-/D [1304 0 R /XYZ 85.0394 170.5419 null]
->> endobj
-1303 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1313 0 obj <<
-/Length 1768      
-/Filter /FlateDecode
->>
-stream
-xÚÍXYSãF~÷¯Pñ$Wáa�áɈkˆqB¥6û ¤1V­,y%ÇI忧ç’d#›�JJsõôñMOw�ˆ…á#–ë!/¤¡å‡r1q­x9ÀÖ¬}M32D£.Õ»Ùàä‚ùVˆB�zÖlÞá Äš%Ÿl†(l_]�χ#êbûÝøj<9»œ|Žq©oŸ}?¾™½ŸªU¦é'ã�ïÕÌ-,¹®ý³¡8»ž\\~øi:úŽ=»¼ž?Ï~¼Ÿ5w­"˜	u¿>}ÆVÆý0Àˆ…�km`€	Cj-ŽË�ë0ff²ÁíàdžagUníE‰`D™G{`rH¦ÀCn€ËwCä1Ê$L''ч±=[¤•ê™¶^pÕIø<Zgµ°r(t]*wGYVlF_×¼Ü*Ú?TåÛSÕûó´oŸ‘z^¨6/jÕY•ÅcšhÁ%�×e•>êaÅËÇ4æ»üÔakÊ"7ì”Ô
Qøá®ðV%ÊP(Ž©«ÒMWƒÈ(òÈËJÏ-£Õ*ÍÔ`^”{heE±º�â/Ï™%IÉ+�3¡>Â𑾿¹æ{$i€6ÍGb?ŠÊUtdP[÷ŒUÈÔÛU£wUó²÷8æif¤dEe‹¢ª}ÔK
‡•Î·Ï#Mö�îCá΀\ò=•ªí©›~ƒ6ÿ-Z®2ŽâbùjÊ·«Ã%÷GÏZ{y³sö\Ÿ~1×ffQ×ÏÁÝ4¹¸a<Ñ
-tèErÆ)LÌìÔ)ÂpÉ!è©n½ˆ4ï8Ky^ëéMšezºÈsk¿²å‘µΔk1…éÔ‹T©¦ô0j}z¬¬Ó%ÿn¿�ô¡�ô1µ(Ô¾ç{¯ª$	ÔŠAìV’o—Ñ££ëA
Ô>¼t×ìØe526�¨CP@¨Ó”©;
 `;³¨ã‚D&àñÑ0bÏfW£|Ï>»ߊ»êøÔžýr5»C¨gOyU¬%þ±¾/ÓÆWÔXÜÑé´½açQí€@Àó°kieÝn¿@š„Pnþ�Šøìúì@åo e9S˜n6xïøÔ±!Î%̾œÀ”CePò0%Í->OGðÿ%Áž~xˆïFL0† ÒœÄÇ â죂Û`v•Ž¼·E…¼%*ØE¡ã¿
-¡¦cÞ+Aa‡AiŽ&í«ø¿Ž‹ÐÀˆ¬w dÝçù“g:õ¡°
-˜8I wÝ�öÇ?ó
b
-|HÜï\*“I�v‹LÖ»bF¼ÂS‘…Å@
¢IG<\Û-MÚ„ÄÌ<Ï~w99Wë:ëÊ¢ŽjÞ0Yjé"qwä¯
-3!“£¢mõÙ΢z0«=9ðIF§~(K3ÑFªI Œ�UñZÄy-*¨ŠÔ¥M)~Ë ö¥Þ,Õ]i–÷Å£¬Ž¿ÍübAa zð2JŠe¶Õ#¥ —hg¢_ãF¨Q®Tº’ã¾Ç
=ÖÿŸNUÛŒuKô¼*šºº?ºÁöGx¶«™Ö&h› ·®tFT
-ÊTˆiivíÚÔ�«×eΓ=5’´Š£.mÃU;GÝ©ÔE^à9�"–J�ØCàxy¥™Zÿqdkà“µ› jÝ
-Na>¤¯xÁã/jY»—|‘´7ŠÂ-Ý M¤³•PQŽŠ2Q£ýëq€:Ž¦­Ö÷£J\„¥r8�.ù ¬� "~AªíŪNAÕ1̃`àùFŒ!Mr¡äå‡~-zP©Ä¢VÊKu¦}?N[êÃ�FÓ=¦SYl‹3¼îb¿§”Cˆ¹Ê[öOÂ]Có¬ûœ„è�éÌEc½â°õbz|í/×<ÇG,„i¸Ï(ôY«•P=x¢ºù7Û£û_`#~›endstream
-endobj
-1312 0 obj <<
-/Type /Page
-/Contents 1313 0 R
-/Resources 1311 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1302 0 R
-/Annots [ 1318 0 R ]
->> endobj
-1318 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 61.5153 126.3509 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-1314 0 obj <<
-/D [1312 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-106 0 obj <<
-/D [1312 0 R /XYZ 56.6929 372.6686 null]
->> endobj
-1315 0 obj <<
-/D [1312 0 R /XYZ 56.6929 334.1957 null]
->> endobj
-1316 0 obj <<
-/D [1312 0 R /XYZ 56.6929 266.1213 null]
->> endobj
-1317 0 obj <<
-/D [1312 0 R /XYZ 56.6929 254.1661 null]
->> endobj
-1311 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F21 950 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1322 0 obj <<
-/Length 2693      
-/Filter /FlateDecode
->>
-stream
-xÚÕZK“Û¸¾Ï¯Ð%NÅDˆ9­×��·*öÆ–³ÇUáˆ�ĬDjEjÆ“Ê�O
@$Žìò)5�`³»ÑÏÀÐEt‘K’ðB,²B™P¹Xío’ÅÞýtC-Mìˆâ!Õ�Ë›?¿æÙ¢ EÊÒÅr=à•“$ÏébY}Š^üõù/ËWïoc&“ˆ“ÛX¦Iôöùß^áÌx%eôGñâÝÛ×o~úøþùm&¢å›wooã,)|yýÛw¿¼:÷áöóòç›WK¿ŠáJiÂõ~¿ùô9YT°àŸo‹\.à!!´(Øb#$'Rpîfv7nþîÞšOC–“<'2gYÀtŒ.¨ \¤ld;Y
- XݷǺÙàs�«64÷e½3|As­«7èÚ·“¥w�]¯ö8Ht–ó&\µM¼¥yÔîvFªù@«£•º;m6~Þso¼a»�a+cXâ½;²,‡8Îr~v®wïKo!d3p÷¼�2ë"�F’Hª£ZÓTõ&À‚¹<·4Ï\Éó¬°[Ð/Ä¥ <͘ç3A�õ.Ù1X?Ë…%mº]Ûþv:x
-	)E3Kx@çlŽå^G?Ï£ÒÌhósŠÝgWí~�nƒð¤Â‘�MŠ.‡9 ;Áw�øôûIÑÃðdËëØÎxb�e¤`	G˜ÿѺ¾^k­Ö.êƆGÿ¸S“ jOýáÔû8Ü—=¹¨~	xJ²ÌÁÀI’†ë¼%Š‡T®X]ÖyO5Š¡Ì>É9{Z¦#
-ÈÅEá•
-9º4é“dQÕîKc!¨uƒ60õE¿Ü ÇÆ”ðüÏD&¡ ‚@´ñoˆràD‘§.lZxï4Úëø6#ítÐÆx
(Ðk0
vØ©ÞÒ·kÏ ³S6 ÍØ„t@V¤ÑËx[v6–$hžðtRÁZ]ç(¨ö/·± ,êj-ç릇B»rE	qdBÌ•øÜA<»ÏL|›Š¢ë/®ÖÒè®ìWÛ)«‡mí&Õµ:õXç©c�ìØWTU®¶ã$(ñgWw6ê�õLñ´½C? gKÙ(m>N“èùîò}{À6ŠÜ}=Ы•êºúÎ%݃i?©ßçja¥]f €"–C6ˆŒP‘ñMIÁS	ãPªØ
-�q‡\1Äl3J2>²ŸÆ¦ã�òS|ݸõf^PØ(¸ª¿Î-ÕôW]ö9P¯¡6
-ˆe“ÒÊ5°É�òT°§18ƒ‚�øŠzèR÷ÛÊHí€:ê[ýGu8eÒ¦^y‹™´m“D0ef «tNdô£%®Ôº<ízí|³ßÄYØBA\÷~u§ú¥|µEXÓX[ü#`ž&l\­|€½Ñ0§Q½ÛºUÖ]§\ÐÝ9ð\÷nC|j̵´K×áëâèÎF¨úÒ«¦RVÊÃåfyXD†¡>
DƒŒ~Wò˜‡žê*4àEJ(
‡è×ê4ä1
<•Mlqù¢Ú5ÇnùpïzF¼
-u"yŸ×çº(+`:mBñÛ«
-v‚_Ñ&-Ë÷
–Ðùs’LŒ“é¨úc­º¯ç½¿ªîzWnBˇ¢—ålÊOøQ‚x#£cÇl»„“¬ðܯb¼o�càÁ
-°‡åþßv×ùö�Kð_×^9ø>KRñt{RÍ·WO5=öµXFO2ö´dOuE4åv-¹œ—}yäøÐ9é�zÌ2Ž[r=p[r.³ñ6\¿DçÁ i›xðV÷ÎÜö³!=îµÍ—»]ûàdmí$´¡#öÉ´ ”3ß'éù 3Ë4H„¶n6Äðd�­`ds€F>ã¶<ËÎ1ïLØÂ\yך^
-Ã{˜.�u{²ßéh²C»ÀÔ‚V;‹|S¯ÐákÇ©glÀ„IÏ4px€P˜aúp+È
-#si¿X�ô
ªGfœ¥V˜ž2G·ð{Þ÷觑²†l=âà¶VfªÅß;ûFç�­sIË«'eóÍ…–
-(>pGÊìéóÉ¥ñ7Þ“†>ïÏê‡]ùè�¸Cø½Úø«‰CyìÇWþÔ
-p¬xJ´§¹�=vrB þ²¡ðÙ£,ˆ†—
-N8çŒd¬`—·Àvÿ¤?í.îü›¾ü2õÃ%0
'üµµQ†Ìè‘2ÂÒTúÄ„íû&·×�ˆã<dÏÄŸ¼÷?²œÿ¿Gd„çùÌ9#×çŒ,ñJiõ‹©âþ^.5ÿ+Lendstream
-endobj
-1321 0 obj <<
-/Type /Page
-/Contents 1322 0 R
-/Resources 1320 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1302 0 R
->> endobj
-1323 0 obj <<
-/D [1321 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-110 0 obj <<
-/D [1321 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1324 0 obj <<
-/D [1321 0 R /XYZ 85.0394 744.949 null]
->> endobj
-114 0 obj <<
-/D [1321 0 R /XYZ 85.0394 744.949 null]
->> endobj
-1325 0 obj <<
-/D [1321 0 R /XYZ 85.0394 721.0357 null]
->> endobj
-118 0 obj <<
-/D [1321 0 R /XYZ 85.0394 672.3079 null]
->> endobj
-1277 0 obj <<
-/D [1321 0 R /XYZ 85.0394 647.0603 null]
->> endobj
-122 0 obj <<
-/D [1321 0 R /XYZ 85.0394 136.5325 null]
->> endobj
-1329 0 obj <<
-/D [1321 0 R /XYZ 85.0394 113.5963 null]
->> endobj
-1320 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1332 0 obj <<
-/Length 3556      
-/Filter /FlateDecode
->>
-stream
-xÚÝ[_sܶק¸·žf|ñ�ûæ$vêtꤒÒNÇñuGI´ïÈË‘gEþô]`
�8‚<¥žN;=
-’2I-¥ãã™Á"™cyWmK-\„#ȯX’zŽ§
-¥$£4]dÀ0ãŒÅÏ�%Z
©ÆÛè­ÔQ�èìsS�6”rŠ–b^
-S$K”p†Bÿ+Ë}¦ ‘ók­)z¿=Ã&K%ɳ,}n(ÍÎ…Ò”s›é|(RM‡RO5ðsÍn2Fƒ©€˜Fe6/‚§ŠÈS8ôIÐ'âºÚUÛB0.—]	¬B’$¡�õE,²¦`^¯·à3
óÊüŠe±},žZÛwû‡»‡ÇÐçë!�7;/¾ŽÝv_®+…Ë�a±b‰ ,Mhè‡qZÛy÷´¯ÖÅvû„CUDøMu§aÀ]iÐ
-Œ»Pnp¼ª'Œ_i8=§L€Ó2÷QëO-²_?u]n‘ù®Ù”`\¬þÍÚ¬F~i*Ópžš#:®Ã¥Zc"qÈ‚™’gì�A“;±«î¡9v.»±´Ùë³aó¤Ê>}¬´5¢Cm÷Ûâ)p²G“q`FU¶}§h�·5ÇûÏSI‰„ä‘f©ú‚¤dÈb:OòTgó$ÉR¸ø/iÀb:OòT~ÛfÒ!ÉI–+gߺÂQÝÇÒ—”Îù)€lÏÂdëò¢ì”ãþ,G}”b�/
-s€œ!gþfê©Æ
Í
”ëRX Ò«^¥³›mmÉÝ	­ýN`RÁ)›�
-r¹Lœ±‰
ÕŒM8*ƒÉªû:¢ÿÀ¹ÆÀ$$ë
-³ÍõÊV$
-¤Š†ÑaS‚
l§³O8Y$ËϤç¢iÜáˆô¬:U2á0íƒ*Ôב—(àBóY]z¢‘2ÃØêÉ%g�6ðÈ©ÐðÀ#Oð€Q¹=Šú™0f}µ&ë�GOK]y&\æ£G,âHåâH….²<q
-©ÓˆeV©=di5ŽYµ^Û}i(Ëã~¶ÅŽ	(xsGÿx¤¯;X9]É”aðãÚ÷�°UYFæÎÏj²à… í snÓW¦$¢(¦�gkǼ1B§EáË�Îø©p9¦ƒ»&�³õ±°œ †tv³is
d›røï,)³	Zµ¾Q¤ƒA�Bc€BÝiE&‰xbÒ#ð4VoÐG"SŸ Ë7[·­uql�úuÛäô-¾‡u
-?¡ñ¡9êb‹÷5KSv–Õ­%lŸêµ“Ê‚„„úÛ3'e€ñUi}q�&Ë—þf€Ï÷ô•
-}U·fÃSÕû–æxÚ`°Àn¿ã8Ü[<´~‡Ûêž~^7ý#©,cíwœÛ�'Tr‚¦+ïwôÍ/ô;‚eèwS�,ú�õCú‘÷Cz¼4kÓ^HAÀD/¤ÇÝyÖ/#׃öþ68†ÌðËe@Œ«Ȳ‹ùžMÕ~4ÞÓ‚-¦<ÄBÑZC]ê‹RØï÷
:Åž}å°4ì·TÅ–…%Ó_·e‡>7QË—ýkþ8Éq'¿â±ÄÌ&öÿT`âúŸ "—ø;_ü¿Vý¿ éËJM}oÌ´¥
-endobj
-1331 0 obj <<
-/Type /Page
-/Contents 1332 0 R
-/Resources 1330 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1302 0 R
-/Annots [ 1337 0 R 1338 0 R 1339 0 R 1340 0 R ]
->> endobj
-1337 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [219.3839 342.7466 281.1025 354.8062]
-/Subtype /Link
-/A << /S /GoTo /D (options) >>
->> endobj
-1338 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [401.2123 288.8914 470.1877 300.951]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1339 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [243.8464 235.0361 306.1963 247.0958]
-/Subtype /Link
-/A << /S /GoTo /D (options) >>
->> endobj
-1340 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [368.2917 181.1809 436.8984 193.2405]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1333 0 obj <<
-/D [1331 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1330 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F41 1233 0 R /F53 1328 0 R /F22 973 0 R /F14 976 0 R /F48 1253 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1345 0 obj <<
-/Length 3160      
-/Filter /FlateDecode
->>
-stream
-xÚÕZK“ã6¾÷¯ð-">$Šµ§Ùd&Û©Ú™dº÷U“9ȶl+‘¥Ž%wO§òã H‰zXž©ì%åƒ)
-$
ø€b‹~l‘DA(´\(-ƒ(dÑbs¼	{x÷Ý
³4+G´ò©þöpóõ¡:Ð1�;o®$“„-¶–ßüýÕ¯ßß®x.Ep»ŠâpùöÕ?^SÏ=¼Š¢å¿Å7ïÞ¾¹ûîŸï_Ý*¹|¸{÷öv¥B-aäõ±ï~xÝ�»¿ýøðýÍë‡V
-_R
-á×›ÃÅþþ&„N¢Å3<„
Óš/Ž72A$…p=ÅÍýÍ�í„Þ[3tJs‘H‚(ájBuœ{ªc‚I,’…Št.Œî¶/ezÌ7·+Éøòü¸M›¬¦‡ç¼(°%–eE=EUî³µ×ýŸnY²Ìvç:Û‚ò”VË»½i–ä·ªÌh¢CjçÞR˜jKi¹íF€F�oæñ-b„±a‘ßüÓÎ,¹Ú�ªã
-É+G±b,ÐQÄI°|‡t»ì”•�‰&öÉ€'<²W�M^•·+©e^ã¼Ìí3H÷h%Y´}F<$ú¹:ŸÊ´ ÞŸÂ�µI�H²¶=¤ß-u6u’a È6
u‘zLXíÀ†[¾{⢒aÊÓsnxF›E˜Ã16hC°e6vC숴|¡Fö)¯›¼ÜÓS+)>8I±M’bkm{H¨cõ„f1ðJØ©*Œ¥Ô¤U·D+�ʵL|£¡-ãv*TEýR‚=Ça¸ü°ÚYZ~´OdQäã	¸úDØ*‘ˆz‹p$‰Ò–hjš(ÐJÅ–`S¤u=1�ˆÀÿ¢ès§yʳç)fD [ˆèãÇ�Cõ
-¦
-Ì©·%©·ç"‚�Ižôô{oô½��âÚ)þ“ßC£5|pæ‚í]u¢FJ„A·l¹!gšô=2p°o)Éq¤°Ç´n—°Më Žkf ÈŒp”?q.É&°EÓ´Žï�ãÃý˜mrœÊ¸„ˆU7Eçî0¶uwolZÔµ†N
-˜é-ý>+ªU%b«h
-±˜ÅÈÆbÞS•oë�é—Yf¦©\(gŒÃ×–îXm
¾nœeàËü謦B§Ú€êËÅIÀ8»ßød—¬¥2N“6õh]
¸)„¾²®£¯Û÷.)ƒ„�Möþ7¦>§¼q'LvzÊ,ê Oh󛺯÷VuCwR_Tä5LÅ׎'ŸlF}Ž
-¥øõœ�^Šj?áà/cî?€I&{ª�)…;Ÿ~žò$
-
-;Ù6'ÀÜØ£º¦s`®°
-R37µ1k˜Õl‹âeï^:®üU@óà~‰§yf‚—¬þëÔj0DJÇØè†R‘zZ7!�õ@7E(ˆc™ÔýSsRc@À¥RŸ£±HC¾¹/£´Œ
-/'¥TpmkOÔ–”?ŸÒ¶‰¬™h"‘EÎæYÉÀ½!e¸fƒÙŒ
:*ëh§ª‚X뢱‘Ÿ$_dkê’­qÈ6#²y‰Zª±Dýd’'X–}‘ÈÖ„L\ICm
ß�àçíæÉlé
é©
-�ïÑäCà(üšã{d3Žï¨ˆÑ¢ùÇŸe sü!ßç€N{îsÞ%ûЙAß9~AÉ¢tÈ–ï­ƒ#	98
-endobj
-1344 0 obj <<
-/Type /Page
-/Contents 1345 0 R
-/Resources 1343 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1302 0 R
->> endobj
-1346 0 obj <<
-/D [1344 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1343 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F48 1253 0 R /F55 1336 0 R /F14 976 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1349 0 obj <<
-/Length 3792      
-/Filter /FlateDecode
->>
-stream
-xÚÝZmoä¶þî_a²¼<‘"%*)
-\ï.É¥ÍÝ5ç¶(’*¯d¯�]i³ÒÚç4ýï�á�©ÕÚW(ŠÚDQ#¾ÌË3ÏPËÏøçç*cY!Šó¼�L%\�¯¶gÉù-<ûúŒ[™¥Z†R¿¿:{öUšŸ¬ÈDv~uŒ¥Y¢5?¿ª~X¤,e0B²xóü»WK¡’ÅûWß_(µø\ÌýÛw¯¾~‘ËÅÕë·oÞ_,ó¤�‹ß<wå$žãÅÛ7_½þúÏã8®¾={uåwî”')náç³>$çløÛ³„¥…Vç÷p“0^â|{&UÊ”LS׳9{ö'?`ðÔ¼:§9xÌ2®A…‚iUÌÊäŠhHÎ2)FíJhWs¦ŠB�{)Ôn?”áŸn•óœÉLñópÄ£y½ÔñÄBs!˜”™Œg~Ùô»Mù
-÷º¯W‡}ß´·G®›*ˆ¦\?>µ—:ž;v]	±™ƒE£É_¶»‰!7MoµÔY�ÿ|¨÷MÝϘ–'šºÐÖlm¹­«ãBäK-S+å,Û&¥·Ãæ!°’×-¢=m’vRäÙ&	¤1‰“ÂÞ•›¦*‡¦WÊ’dñC×þÚÝÜ|°w´C¥"`PL‰Âmñ®©ïI˜1FâѬ‡Z$¹•þ0Ý ÈVˆœ?¾C/u¼Å8´2ÅŠDËx�¯Úòz&çèxOתéÇΗoÞ¿õ‚Ú£Bn%„[3þPp¦Sí
-¾*oª8%^Ãæu7¬­�hV°÷‡ùdC½VaV­`ÑÍŠn®þðêo¸Že[ßvCSá‹'½Miˆú'½-”:ím^Ê{[Uoj‡
-Qû36’’¥iêǤ[æ0e
-Ér!òǕ᥎µã…
-ñ�‰êS°z¦õ¸î½Ô±ò'HÕÖf‘öŸW¥½’.DšÓ¤Xܯd	ØiÖaM½¯û½8´msÁí­…Q!4ã˜~ä¯Î³sØövK8˜e–þ|h¨aEpÎî
VÊ#øwwaw¿¤’éÿ5”B:³u;â{f‚Ž¦7\
->qÀC&
-f=¸#ƒ†!¦eˆcøhdcK©ÒÅ_×u;G’„å™þ„‚´Èx¸;œÂ‚ÌPîa�—
¾áCgVlß7†ÎBË D‘/6]Y¹½5-Á`]
-Ì"Mò86}¥MUbœ‚�·]ÚDݹҼÎ-úiç}t9Ó…ÎÊ…ìj(¨=-os¨¤Œ9ǪÛì›ùpÌ©°ÀWTnw›9ðUŠeyâ@+ÊÛ‘â%g"—pàæp·a‘‚ö09”2|„ùiΤö5\ýѬ `;3wLM‡îÄ
–7Í3‚wr
-ýT€«ÿ	œÈUΠÖPOøš“:v¶¸ÈIR|*¡:ÕL™N{@ˆ„FCº«×4'yàýµÛ{[kHüŒmï°æf(+sãFñoMjiŒ„å–ö¨ÎŽ`>ÑAÛðL¼¶·�ý3­FÜJR© J¬)›õt�NÙðÄïJÛë×k^ÙÓÕ2`ßÿM©¹Z—MÛ“ûá}ãÆ:&cú[ºRÑ-3¸ôhfé6+kÔrm•Û�:wE
Ëþ::þYÕ$f¿ÄØš­'Q÷.B:”Õ)FˆsK<*´ÊXã¡Óä
-á`õ#¤:#v-sÚ‡ëpØ%É–}?Á~T98»ä¼S5+gzxÙѸB‡¿ØYº†7“#q”�
-ž§Âɱ�1<†@Ûôk—€eM¸Úå„èÙµaÓzè¤Iβ@Çk?ÃʪÃ'Àn–îÕœ©“˜¢ZcCìŽë‡›0+ÅÖÖŒ'™ŠR2ÈG÷¥³½ÝØ.:Ž…†	èD4§ô­Ý7v|•êTh¡•M!¦…ç(Óš4ã,áE\
-„›òŸ8ˆÆv<åׂc-ã(ë¡74I™*¸æø%�~’€�̀Ђ­NÉs@Âä[|J_–Yš,^·ÔU7æ#»‘[•}í^%bPtì,½AëÄ*tb•…Æþ
½ìÁVÆvýÑfãxsÌi�¸ì-ýé45Öåô—
-·ÂbŒÂ"ä9æžR!4J7—÷ÒÜ—ïÅ¢™H5ë<ìvž{X’íÖh[Cðƒ"1•ˆÄÎ	�ƒý\ÏÇ%
-Ôâ°žK*a²�ÊwÃÇeSž�
3÷硦$À�
K{ê@„h‰ƒXX.œ½EBAl½1gRðɯ]\hó‚›Ìn®-]Í6ßáyÔsÈ…ß?ÿŽº�séØëüú"@æÀŒÆt´ù’~ê‹NËÛÞÞ5ƒc—ôûƒÔø^_n'd—嫤I:°SÇÔc_D	‡snN¥ýª›
-é¢ZUmÊD?ÜÞ•›ƒ•1�
ڶƢÀÜ6ýÜ9§Á>OšùÜ1nÈvíÒhÁ;«tX9¥G˜åý7Ï—'—Šñ”=>9ÊÇÓÿ›
h|öx
--�NPy‹ÈÊeà�’>`‡ÿ@Í`s®ìHæHÐt_Luû¹õr–rÿû¨OÑ�H2°Ô®
-W¨â´DXÇSÝfëß묈ýPø.ÞÞ¯Íg]h\Þ
-ûbö‡X˜Ñ<—°|†ùŒ�±àSN»XZ´^à”4�æÀŸ“qòÛ™eä,—úø`5€Xùc´ßÍ‚c0ˆý€'üážE?ÆÁ„Œ8O	»°A	ÞVxãl…#-¸¢ÎÛÀ@ø̶n`J»øì„ò1�É„§‘òÍ«¾„ƒ›HùØÁã‹]ÓrFeK?CädÿEÌýš<U>s‚”œ»eþÇ¿4€/s€A-NYç?¥nQ&ÅÑÊyÂDš‰™¥ÿâæWendstream
-endobj
-1348 0 obj <<
-/Type /Page
-/Contents 1349 0 R
-/Resources 1347 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1354 0 R
->> endobj
-1350 0 obj <<
-/D [1348 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1347 0 obj <<
-/Font << /F37 1038 0 R /F48 1253 0 R /F22 973 0 R /F21 950 0 R /F55 1336 0 R /F53 1328 0 R /F41 1233 0 R /F11 1353 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1357 0 obj <<
-/Length 3478      
-/Filter /FlateDecode
->>
-stream
-xÚ­ksã¶ñ»…&Óò̉Á›dóéîz¹:�^Ò;ç2yt:4EKœ£HG¤Îñtòß»‹@R‚l§íèƒðX,‹}ƒ|ÁàÇ™N˜ÌÕ"ÍU¢׋rwÁ˜{{ÁÌÊ­¦P¯®/¾üZ¦‹<É�0‹ëÛ	®,aYÆ×럗¯ÿúò»ë7ï/WB³¥L.WÚ°å»—C#`JëåGñúÛw__½ýþýËËT-¯¯¾}w¹JY®`åÓk¿ýî͸îÃå?¯¿¹xsN1=)g�ðëÅÏÿd‹5ø›–È<Ó‹{è°„ç¹Xì.”–‰VRú‘æâÃÅ?Âɬ]㜖Y¢3‘FX'ø„u\ò$32[¤:OŒÒònß®ËËl½ìëM[·ê¬Ú¾*å]±/v4Ðvm…ǤbŠT‰D±T
)Û%Ï–Õ®û\õ´¬hé¿ú­î‡€ý݇7¯%5ËmQ·vM
Âr×¥GSô_ÛE‚-VܨD
-- •%Ê
-{=Åp Òz“°Q1Ð,
74Ž$áhAÝ~[¸9TUIýáâ<!¬h†
-Oä}mµ›qà_ßQ«éºOÔªÛ'R0¸†›“+ýT=Än”%)K3ýÓ%‘߃ÚTh*N·0à¤òRÓ?ô(.ëzÁoD’¦šûã=!_WÈËÖZ»WÕR‹ì4^]½ûÉô£y:gßÍ¡nP6ÐV!V13¬dZà8.X1a•òô ¸m”’E;Ã'Í`jøäÁYjÜ|SµÕž(ß<Ðÿþ2[ZëÅNEƒ�(ÍÒÉþ+äåÙ�«WE„¸a
NÎ-¢Ã#Kûr_ßÀþĵT&¹Ðù\-Ib¦ñ
.SæcòDÉÌ §¦ÉýfA�÷×àWÓäÚgÊv‚÷ÿP•£Ö›õ	=©N¤a|FÏI€ ž¢âR᜴
æsÅç>ÚZoi¬‰Þ¡ã�œ×-�
~òÔ…”—
-°®þûzW7ÅÞ-ï�<Žt·1[¦A…÷JÓ»j}Î"CÜú•‹¼’¹ ã‹èØ�\úd÷®EŸLG<ì�´€m”Ü™¨~
-S Uô}WÖè*íÝ8t&r9×dòT™™5YŠŒëiÆFDøO ©c‡›u[ۺ܀>ÐàHtvUÑ:ôé�ß>rhiyî€ììøÚFX
-l„U¡³gÜmν
-åìL(	é(c†?u%)c‘+±»ÅRbÐÃ<eú�ÇÓx蜻œ
-�Ñ’÷*`\MQÚtsFš-=HÍØ#bB)CœhÏ:+,Ôõ¦è’\½*nÏr´ßOÚ3–±g°
…»hÎï;y,ÐTF…P h6ÝìÍ.²©J!óJu6Û’:¤‡˜ÔT1—*!FýDnü°­}YΙ•ÖµÉrÏŒR¤¬g–wž·‘ž2>¾ƒVQ–ÕÝàÚí5‚Ø*MÁˆòé•2ÇѦrÎxæ ¨tYöx¶Cã0SV>Ãç6û/5c»+ÊÕn­ã÷‘‰�s8уk÷Oç…&~@ÃDê()›æœ“È  ¿›¢¯VÆ!­Ú²s*ù‡À}¬Ö;	ÞýÚ½Ÿi•9÷Ža!Ïrî4Ç´ü‘|#7RGB²1ïÉR4LúÓ8Æ=Nžso<‡ð9Íåã*š%Y®eœ"—µ�´¸ƒ¥Ê*“þù�=ᬰҀª”?3/ÈL¨K[Ç%øÔq	ç¸à—`.UÃ
Ê	°e«Ë2¦jøÀ)äÙ-ÃâGúŒ 0KÇ�wÀfV®±aí6Mà!Âb!ó:kF3¦¯­06MçèL¦€wÎó‰Y3?ÃX3f
-ãìÏ´äÊfÐ
-…Ç	r÷-Ðú½:Þú’×#«­NO7ÁW÷&&e lÛP¬¹?¸Ðlú€I³�s&°J%ÉÆGv¡Ôÿ“a—Û¥£ù@u&Û@çp¤9¤p2Éñ§#³b%ŠPÚ?ËM¾¢þïôGÏ&¸QÍÌ©[
->}´	Ï׶àÆêÁÛ^è�å�J°ëÊ¥l
Z®Çžä9¤;B„Ä.–ãŸIAû Måÿ!+WŒ”OI“�éb½Î=7%ö¾Mh|þÏæªø>ˆd~îYRgÀ©coëÑg‘†Ú›+­oì§f¸ƒKsƒbú¹jkŸ¹ÁœK…èÓ€(b×£±^c¦µ½³(“¤Zªã/
`#úhvxèömÇ~]×kš¶_ˆ¸B®�Ü÷ø‹‰uÝß5ök)û¢ž/\*ÚßuíúÌg
-ø‚š ¨‘(<KŒÌcÉÔìè§!WWâ®V
-#�„�!ÛÏ(äåcD�,zé>Bª?ãwiœszp‹}/)u‚9F>>`!äøŸ¿¥?1ÅI–‰øW’J‚Qx".�)]ž’þ]Mïþendstream
-endobj
-1356 0 obj <<
-/Type /Page
-/Contents 1357 0 R
-/Resources 1355 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1354 0 R
-/Annots [ 1359 0 R ]
->> endobj
-1359 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [120.1376 668.2829 176.3563 677.4983]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-1358 0 obj <<
-/D [1356 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1355 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1363 0 obj <<
-/Length 905       
-/Filter /FlateDecode
->>
-stream
-xÚÍWKoÛF¾óWðHåvß�£k8ŽDvcº(�æ@“k‡0E¦¢ÜÔÿ¾C-—ZYtl¤Bè ]ržß~3œ%1†‰…DÒP+ÑÀDÄå*Âñ¼;�È(“y¡,”ú%�~~ÃTl�‘TÆùm`K#¬5‰óêcÂC)XÀÉòäýYšQ�“«³©Éoð·Ý_\ž}8IOòÅÅò*Í6<9}{r™{‰—mœ^,ß,ίwvÒOù»è,Ÿ²3%˜
)ü}ü„ã
-~aÄŒñWØ`DŒ¡ñ*â‚!ÁóOšè*úu2¼ÝªÎ"G0¢LÒè(
 Ó	cD¬„A’Q¶…î±{p¹•EëëT'í�è“z�¥ƒÛAqÝVeVvíí�³bT
-�*†$f|TÚtN´··xøâþGUúã
-iitàÝÛÇÀ!ÄûøcÚØÑl[¹EÛ�W]Uß>ÎxÓ
-aCÅh¤-V¶BCz3þ$ETJ/ZŒ–‹¦Aj„ #¤3Ž	b
-ðΘ@„`5q–¦ÁxVßµEÓϸÂqF92²”NízSÔ[¼Ir½\üîVý¨
-ùÐ[÷|óy\錢vý—]�¯;§±)îýÛ/¶¬
-R¸xãßÚÖ¦íâ­¿C– )×þpî릙�•h$öŒ)»Õ
-˜‚žV³–ˆ¢b©(âP_¯¨f¶-|¡÷«ùû´|h߈Àéa°5.½Æ¾©Ì§”I‰¡UH½k!ˆ†"¥•Ž¥äPÌ‘ïjqþöúò)HD¤¤`qhñß9™œ‰rÿ%"Ciì…y:ð¿ßQd$�§=žšÐ:%:±E5Óa`�«ïè¾ã8ëMWTOB©
-(ˆ¢·tã`!æˆ@2Ã�Â
-€Ü}>þW“c2˜kD£/0X¤À‡g0|íß?OáÀäÑ(|æ<…Ã8_Má²±¾UN_RO@ûw½yžcGËô‡ãØQ»$|±Õ03}›cÌ ¦%ñ[,óç)X<Å¢œ§Xæ@±£eú£PŒÀ�cE$Ìd0,ªýqü`,‡Qò‡K@&`~ÐÚð¹éÇ/vÆ×ÞvW(˜œ™ÖÏ´ª4HPúp>`ËÑ�ðƒ«Œ¿Ux± ø
-endobj
-1362 0 obj <<
-/Type /Page
-/Contents 1363 0 R
-/Resources 1361 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1354 0 R
->> endobj
-1364 0 obj <<
-/D [1362 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-126 0 obj <<
-/D [1362 0 R /XYZ 56.6929 741.6375 null]
->> endobj
-1365 0 obj <<
-/D [1362 0 R /XYZ 56.6929 714.333 null]
->> endobj
-1366 0 obj <<
-/D [1362 0 R /XYZ 56.6929 684.8157 null]
->> endobj
-1367 0 obj <<
-/D [1362 0 R /XYZ 56.6929 672.8605 null]
->> endobj
-1361 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1371 0 obj <<
-/Length 2407      
-/Filter /FlateDecode
->>
-stream
-xÚ¥YK�Û8¾÷¯ðme RÄ·¸{ÚÍ™
:Øtïa03Z’»…±%Ç’“éüú­b‘²d«ÓÄY,Ö‹U_±Ù*‡lU¨,V®Œ•™Ê™Z•û›|õ
-
«©E¦
-nVé”Éîo^¿çlÅóLk®V÷Ûñ,mT¦)V÷կɛGwêã:å*Oäú÷ûŸh›ÌLanËá›å’I¿áßÕW×–uE;ÞÞÞÑà}í†Ó±îGLfBj8h“å$C2cë”åyžÜvC³}
-[øÊfVsv‘I%éLŠ:¹ýtÿñý/4nzü5‰£Ï}]>º¶é÷ô9<º!¬ïvÝ·>¹Þ+‹ã¾>~­�aa舸%‰‹º‰´;÷µ¾Úf’nK“xôC}ÁË¡b¨
-c™UŠ{U¾wmý äB%•\´¹J>¶4u\³"©ûC×ö5Í 7üu£eÏfb\g‚™AÞÁ:×æ”,ÓR˜@¶õ‡tûÈ×ÿDËà˜T\™¼Â‰-VÈ8üÖìv4*ëò�¹°}¥÷nÀQ3­ÑzMô¢‘R
b5H0ó’Ò¹]h5¡×ñw\*OG2Z;ÐÄ™?|¸¶z6né<gÚfhÜø¸Ë“†£kû-Ù!‹®ä,c… ¨|ßatä&Ùw$
}5í¶;îÝàeÀ	·éN
1�ܨ@g.ÍKn69ÌÙ+béM�oTu_›ÃY
-W6©BpÂ
-¢I[ÃäÚ9�1Àáh‰(ü��3Ò§Ó
×6¹æ;sªœc®D*°Z̺rM yIˆN(‚ϱEr¿þPé´1ò/¤P#sÈ”B‡®ìv¤™ÏKàÂþP—ÍoyΡBúÌ&´«z^š�Ÿ>¿Cf­Î.Í2Fã™Ö Ê_n~ý=_U`ŸŸnòLØB­¾ÁGž
¾Úß ­µJÆ™ÝÍÝÍGŽ�Â
-‘éœéçyѾx…!íP¬Ò(]*8à1÷Ȩìve1¿Àª°6“¹¥;{;±±ÒÒ#
–gJðèŠOëT³äþçÉ»KË
-SDôçÃÃ@x´»'¡w˜+
"1f¼ù¤È,Üì£�ù™0Ž–ïé3€>5áwâ„K¤`Á.ä›&‘¿——0*«í*
{ÿvÖœ¦º3±ž¶X“N'ÒqåZ±ÐïðÐï¼}W6%eüÿ*Ÿ/7?ã&mã&?ö%~ýìëá±C
-ƒ·¡Å/øx#}o›žž‹$ͳ"·± z_?ǘ«ŒÉoˆazèvM¹„0
Ò(SØ@]î|›‹=Ój(íjØåQï5k€cy!£~ý€rP•� Œâv^RöÐ÷]8ƒ
-×j¤�‡
-΄£Màõ¿|ŒÜHÖôA-08×I@t98ÔÌÁˆÏùMã혽B†·Ã�³å`æp„²Þ"°q—o—^ÇãsÇM´^„|UÀ1øXžÆÛŒØ<âr“ü–«üû¦GŒ—¼{÷Ö-m»ðhŽ|€Jä¹ùç_4’ÏŸï>~xEë·°•z…)AÃK,¹pÝ׶�½ÿ¬&TdÍ9³à¤Õ‚w:|d…êäÛ£dZK&œÈªVŸ±*Œ£�_KSÐ=5m8#<ÌÁ,–JÍ#D±”îI—€-`ñcóÝ�Ó|Ä—×Ç:—üK³›”Œüs
-ý1àÖº@TÿyÀp�.ª…aGØ…~æII¨L>óznvFš¥Â¦
ˆBE	D¨3SÏ>º^÷µµ^endstream
-endobj
-1370 0 obj <<
-/Type /Page
-/Contents 1371 0 R
-/Resources 1369 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1354 0 R
-/Annots [ 1375 0 R 1376 0 R 1384 0 R ]
->> endobj
-1368 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
-/PTEX.PageNumber 1
-/PTEX.InfoDict 1385 0 R 
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 27.00000000 27.00000000]
-/Resources <<
-/ProcSet [ /PDF ]
-/ExtGState <<
-/R4 1386 0 R
->>>>
-/Length 1387 0 R
-/Filter /FlateDecode
->>
-stream
-xœeU9²,GôûeË@@Q‡�!é¡%bd(dèúʤ—÷ÿ(žÑ¯
-’$¡T¬)ÿ®ïë¯ãïãÇ_¢ýþÏaíÏc‹®½Ú¿G—=ûÌöÓ1ÄF¬lÖ]töö×ãqu‰Ý¦‹÷5š�”�<8Ç—ý:\;âúãñ‰ü<q¸Í;.\ži2c¶û~ð¶e¸í×qc¸=7Ä+Àg
¯ã�ã×ctéa³ÙL1ca·cu™šmQOƒ½¥ì-¡
{wñ¨¼&kñÄÞ
-¨9xcH
-¤Ï’ÃigÙ¥—ÇáC6uéíÛ&”\ÊGTœ„Méêö–KòlÜ’Fyu|?é%åiÈ¥K”êNÊq{vˆ�*êèJE¢]8hÍò¤p0R±ˆ$Á(+ÁnÖN¬
-q�ª„Ñ«ò�^ÿï>‹«>÷—
.13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
-г2"ïE9~ 
-n*Œ1½÷¨¾x¥Æˆpîâ‹
&Xî
Ãœ§³±è\íD¤ß�ä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎ�r)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
-þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5
©/¨�vp�÷o`kA“ôr±ñœÓ4N.4Žæ
-endobj
-1385 0 obj
-<<
-/Producer (AFPL Ghostscript 6.50)
->>
-endobj
-1386 0 obj
-<<
-/Type /ExtGState
-/Name /R4
-/TR /Identity
-/OPM 1
-/SM 0.02
-/SA true
->>
-endobj
-1387 0 obj
-1049
-endobj
-1375 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [470.3398 467.2776 539.579 479.3373]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1376 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [316.7164 455.3224 385.3363 467.3821]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1384 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [304.6433 163.6578 373.3153 175.7175]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1372 0 obj <<
-/D [1370 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-130 0 obj <<
-/D [1370 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1373 0 obj <<
-/D [1370 0 R /XYZ 85.0394 576.3463 null]
->> endobj
-134 0 obj <<
-/D [1370 0 R /XYZ 85.0394 576.3463 null]
->> endobj
-1374 0 obj <<
-/D [1370 0 R /XYZ 85.0394 533.5444 null]
->> endobj
-138 0 obj <<
-/D [1370 0 R /XYZ 85.0394 299.6823 null]
->> endobj
-1383 0 obj <<
-/D [1370 0 R /XYZ 85.0394 263.0631 null]
->> endobj
-1369 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R /F62 1379 0 R /F63 1382 0 R /F48 1253 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1392 0 obj <<
-/Length 3579      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZIw㸾ûWèú½‡.ÉÉÓmg:/ñLlgy³ ’²8M‘.V{~}ªP”ÙÓ‡<ˆµ
-6ÏÐ÷׫�Çlí ­;êÛ§«oîd²Éü,ñæiïÐJý MÃÍSñ“ùÒ¿
-�÷ñþýÃí?n“È»ùûõV¨Àûñûû[*==ÜÜ?ÞÝ><Rõç@ÿ{÷
-ì´ †wÐn Ð—ÝKÙQù|(›‹n\¼ëª®C/§úÄœ¡?®BñTë�!²”¥�0“Kíþb�™	¼`ÍpÚÅɾömw4lj2:¨�>�ʦ IA3‘†Bùy(›¾jÒ�(t4$MSIŒªŠdý_›zE�DÊIdÔdZ
-ÞÔ¡k.7-÷î˜hYT¤dP>êf4ûF˜ò'&~&EjvM›Œ“Yý |®Œ‘BI×}K¥6Ï5Ê�UGuÕÀ“1"*Æã	¿„œØ3Xúy{<Õå0ÕЇ¡gÚû‹Á¤ÏUXNqJB‡–ÊN4]+š9p$•5àLxöK<ƒBA¤±ëª\Á¢ætYèéý`Ø
}¥Î<~¨Ð&ß�°
ÜÏõØ3±á y�3
-îlgÛR¡¯Û3�"s‡’^ƒ’š`í	ˆIo¡dÎß™]PÙ“®ÿ6'É›=~lú¡ÔìXȈ™-R…¶¤W”µ~µôŒe›Eèk„
-ÒÝÐ#XXD
Ë+Ó”�Ç~ÐMn$‡Ú
§´úËÊĤ´ÄŸ#`\±TÙ�¹ƒÆAâpìÌÚ<¯@ø…íº!$�¤§pè…ZX ëõž¬ò¹±ÎüÆ3ç?´¡†Šx†3h"µV|8uÇÆ+‘w\£qýaŠöÌ[îÌ;ÝŒvÁv곚3mPÙWêa�q¨Là/8ÐÁÝ5àŸNmGÜ4PE*+vcc"ôÌŸÙ” Âðƒ¥¶ýD%cL<‰‘ÍŒä¶Z÷<e&Žò\õïçÈÍ]ŒÙ;Ö\' j�ÖÇ�6pgj¬R`¢Ö5ÎKëÝ—¯á„u�uI³_­­·»p£}u¬:Må¬W�`â8A%§0JÊ…ÛS;è3»a¯Ða“�Tl?Ð:;eÁ¡’ôìÏ]ç¡L4Æ“�cKëç…÷<jàÎP9‰z´¢#è`µaHf#Þ,ñŽ­sfõ5'€ÌÜ�†Í¡9ô€?O¨y8´„n 
•¶!§™xoœµ?sÂêb.âùböÙOƦ


-ˆG—2È,Ò6ü 
]ØÞG<Kšx¯íH…ƒ~Áí¥ìA¡åH4uåÛ­iôÌ…t
-±Ìd'b|çJæìÛÙ»ÃØÉëã¤é=b©í>ý°?UÞ‡ª×»zΦ�
-j=§’úq’IÇ¥kn5� .
'·JíË4¶°AmÞò\y0SS•:5×R*ô5ãOÀ!O ´	.–d¬‡Ò,üÔïÖ ¡¢¥hÆcD<Ž#Ô”-r–QjÎð
-´Úl8<ëfXžŒ�	(Ñq–zxûȦÐO
žüö^þ‡9žï
Ä'“’G³¡ÄÝ?õ‘³�ŽÞj¶š
%&êÀ*½ñâ Wð]Gjä]$’cä„D"é€	Fo
ŸH¬a™ú™®¼Àè™2i+ê‚ó1/=Ó’	Ü|ꊞW°Òâ“I¿|À)%í6N”+qì­xfß¹¥(wF$Œà	ÃpbrÁÃÁÄ'¸M¾
-Gg\ªà
8"À`xbílgC‹›d¬.â)h¨Ký©§¢
cDߣɑb	ÃЯ¿Tš*%„$¼Â
î`ªˆ	™�qÄg�ylþ;
-endobj
-1391 0 obj <<
-/Type /Page
-/Contents 1392 0 R
-/Resources 1390 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1354 0 R
-/Annots [ 1396 0 R 1397 0 R ]
->> endobj
-1396 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [464.1993 393.2115 511.2325 405.2711]
-/Subtype /Link
-/A << /S /GoTo /D (proposed_standards) >>
->> endobj
-1397 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 382.2725 105.4 393.3159]
-/Subtype /Link
-/A << /S /GoTo /D (proposed_standards) >>
->> endobj
-1393 0 obj <<
-/D [1391 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-142 0 obj <<
-/D [1391 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1394 0 obj <<
-/D [1391 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-146 0 obj <<
-/D [1391 0 R /XYZ 56.6929 458.7525 null]
->> endobj
-1395 0 obj <<
-/D [1391 0 R /XYZ 56.6929 425.4132 null]
->> endobj
-150 0 obj <<
-/D [1391 0 R /XYZ 56.6929 270.5184 null]
->> endobj
-1398 0 obj <<
-/D [1391 0 R /XYZ 56.6929 234.9696 null]
->> endobj
-1390 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F55 1336 0 R /F48 1253 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1402 0 obj <<
-/Length 3172      
-/Filter /FlateDecode
->>
-stream
-xÚå]sãÆíÝ¿Bo¡3'v¿¹LŸ®9§¹Lr¹äÜ6Ó$3¥%Þ™=™TDÚ:ç×Xì’KŠ’ìfúÔуö°
-ú[5w—<Ùµ_®‹»rMeaäøÎr
¨£çìÅå„‘¼®WéN¯÷�üÂ4# X€d*yЖ„6E®fðé4ÓR
ø8ñ|[„Õå®ØÐdÕì¶Í®èJj«®ô`ÝmÑ…'JZ+j$b":Wz±ì´ªº+w5b™Nê²Û7»�4ÙWÝ-�v—Ü&e[î@‚nåµ{¬D­e&yë
-–³/êÕ+ò¤¢��´†Ë«MUö0Èþß”JLÇ;^›ÍæÁƒ
-ÀíÛ¦íð®x|N]Ã㽺-êéÈ…ì+p=RÙ�4Y²-wáqŒJÀ'>·@ºÏgŒH®Ã2\aRlÚ†FA"0¬úÁ ˜EGÜy€Î?ì/"\­ÊÖíÚ~wUªçl+PX6õæ‘´Ž†ÙNM¦ âÞ®šnÖ€zàÍÆÛ#I`lœ½yE·t0Ö´çr°¯×(YÎð"
-¶z[­n=�Þ0,y¨-¹ÍO�ÎGÍÖ!šÚתð.¬+6Çîè¦q}©SP�}]UOl
üëœeÑ¥Ô£›3¯`œØ MX¾ñÀ«¦þ…1ñážÎ¾¦UgŽðÿ¾ÙíI*kBP„ç»/wUélÓ*t9å¶íôæ¯ÉRiLp yÚ³}èo­„„ÂþbãRiž2�™O¬Ä,þæ,å—#NO§
-œ�Ÿå6ïq.UFö{ˆ\Øl-–ƒxö	rT—†LD�¯è•Ž«h@Ñ®üŠH%ä€Aj<XR <�ýÎz´8![Âyl9çUve
- °®‚ê¯÷ȃrP1¡N^~8¢¸ƒP‰Áp_„5WÔÈdÓ4éP°ˆ•©ÃáÂ#:�}]nª‡€Ãómwp^O4.´Å n’\j�PGèújIŒÕ1"&ºx1)¶3!ßuUœß\‡,`®ï4¨MSÝé	„²sT/Þ–~4ª»¨6ôµb=¦3î;�ð_{.?Ý2�¦Œ»¼“ŽÛÄŽ5Ýü‹ì‹™»‹M`ÁÂ
’ÿܱ¾0ÇN8O3%5ù™7—KÃ3þsFÿÁPGYÿ\'n�ŽÜ×´/)uh·ºQùH#ì*mý*iG.aq÷å¶Ø¼÷kþÝE\šUu�1,ôY“ÔQñ.µ€†¬&¾m€CŸ¹ËõÜ
téË“�µ;Ëéúô]#f‡ëƒ‹þLýv>Ê~û4p©¬!?�=�q7
-3ƒ¾ý4ÆEýùa[î6—<yt/Q\Þ­†VÕ´ÍÚG,?Ö>:¸/íôö99�»*Þ€góÊù×#·tÒ¾sõ
u¤CÞC—rò¤?Þ=ò<¹x¤½ú¼ßJ�ÁŽ¼˜•qC7CKú&zÚvùÜy¤ÿ>×cRw‘‡Þ,EˆOÿÜj<3Ë9Íg]aä°‚ÜoŠÕǾuzDîÑÛ¤HÐM}Ή¶ÇZ«AdÌ8¥srík1n¼U»QCÿ¾K	£í¥Ë
2(ƒy‚¶Ý¶2–2Àöm}‡‚dÂu0н“>ph =”vÚyœyA
éF*m_»îöLö“§ÖÈ�’èxTùR>Ê0ÛSöP³O²wo?)5€}âá.Õ)®_ÞNne‰=<ï*XÆCUr|åóà!Q6`×ç3†pª±î£¾‡îÚ™KÑ~Bt¥v1º„Á…5ϼ~ÔY
-åk~ðú1yA
ä!
Qwìeë»7Ê�ùÅ/µ¾8ö–Y
-CEÕ0´2ÂE¥ϦD1ÑÎ�ÊNSí¡ÉNÒv+3&û-¤�thÊYÈ6ÙÈ[NÚã3õˆÔ©6Lž¯ñefõj.õÌ‚NgÆ5þ1
J“f"³g4A�Ð`€:¯ÁST#
NÉÎk0&û¿Ôà™~ ÏŒ}Fùü”# ÌÇ-Æ㊧Q÷œ"#¨ŠPçyŠj¤È)ÙyEÆdŸ®Èw>B8*+µ<øIYÅPÇeÕC�•ÕIªƒ¬ÈÎÊjDöjè)MjÇðÞox8Ž”£igc¡ÜKùдΘ1ãóë!G>*ÿcYÛ“B7?¿1gtA�ÐQ€:¯£ST#MÉÎë(&ûÿZ¸Â¯¡Ä™êb¨Pç5xŠj¤Á)Ùy
ÆdÏß2Ð(}’t^‹Z¤�áeOÒ¢yvTù/µ¸XJ ˜³<Ÿ\ö²ÿD!SÔïË”ÿNKEݘôµ4þ�+®SVŸ…Îb¦ü—|n¸÷Kÿv¯Âp´.ÛÕ®º¡¯3€ÔMó€_
A=’¼iº2 *º0
-L…ÿ1NÌÑlyÙó¨G¯‰ÿ<©EFo�c§wòæPdNŠ-Z|lîwçAQÙQ†Î_[–S“V «¤]púÒô1'mî>,hðcdÜ=ü2~àиñ¢ ÞÅ_ÁÉ”pã>3sp¿Ð9¦¸¢WÄÒ²Tkk¦oâð4©ßÇ‚?QÀqâw¬3|³þÕ?ü¹ìàØÔoÖŠy	HfR+ò,0…g<tjýwµ‡¬ÿíp~endstream
-endobj
-1401 0 obj <<
-/Type /Page
-/Contents 1402 0 R
-/Resources 1400 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1354 0 R
-/Annots [ 1405 0 R ]
->> endobj
-1405 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [417.8476 110.3446 466.5943 122.4042]
-/Subtype /Link
-/A << /S /GoTo /D (sample_configuration) >>
->> endobj
-1403 0 obj <<
-/D [1401 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-154 0 obj <<
-/D [1401 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1404 0 obj <<
-/D [1401 0 R /XYZ 85.0394 749.3028 null]
->> endobj
-1400 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R /F41 1233 0 R /F14 976 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1408 0 obj <<
-/Length 735       
-/Filter /FlateDecode
->>
-stream
-xÚÅWMs›0½ó+˜œà Y€a|r§m¦“IcÚKšÅrÊG�ïɯ@� ܤNÓÉL‚–§ÝÕ{om›Hü`Óõ �ÀtvÍ83�y!Þ}4ð´QBctHÇf
-:=øncŒ­éñþì µ¥z8œMí±c…ßNgsû<<2faÓiû4ѪÍKãì™q¨#Aø®y#â  ff8.…®C©Š¤ÆÜøÚ$l½­·jÙÁê
=ÖÑãУ„ÖôDqj!+Y•Œ¯¢´�Ëù�	Ŀш8“M0¨‚>Äíàã¤"Ct…
FN7=»Õ¥ÿe’¯@².ÀE~1ÎÒÉnóuorTU
`×%5B¨¶Ë0Ö‡%z™ó›ˆ/dÖ|•ÞMt¨ÑH:è2ïO®
-Ư/t-lvWo{‡ Ý‚Zr*4ÐÂ'ºzªë"ÊÖ)“ÏQšæ7 äѪX2.c?�‹V¹¢€‰%Ö‘ ÛºÑr%¶õÄÓÈYQò$.åêòŠñ»M_qÌ
--k²lúðÌ´“g.û‹F8‹¯x!>÷d[z!¼§Â@ëcýè4Í„Y” ÷B	]­:^#öŠ¤d²Û:Œól¯mGµ©s€ònÝ©¥¥v™¨†ö²Q¿ÈV9¹2ÏÔ$‰<*“kÖ(–§We£@åÚ§meg@ûšÀ-Vy[ãm™ž

­úÏZ�-Š4RÜõ]�u® /uy抺ԟLQŒú5´ã"=6ôeD·Òü_Æo¤ð¶Áï
°Êù�^7½M…É»ÍÒî³óêÑéÍÀKˆÅ»À¯d÷ÿMÞMÝ5šº°ºûj.½¨cç+öÓÎRß'Íí™�Ö홌}èø"ɦ©ªsì÷:Wwñ~ë¿
ÈUendstream
-endobj
-1407 0 obj <<
-/Type /Page
-/Contents 1408 0 R
-/Resources 1406 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1410 0 R
->> endobj
-1409 0 obj <<
-/D [1407 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1406 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1413 0 obj <<
-/Length 1364      
-/Filter /FlateDecode
->>
-stream
-xÚ¥WÝ�Ó8ï_ñÔJ$µó�Û§…]¸å
qл@È›8mtiRâd—ºÿýf<N7-î‡*Õ“ñx>~3öØÜaðãNy,ÈB'ÉB/b<ròíŒ9k˜{9ãFÆ…Ü©Ô³Õlù"HœÌËb?vVåDWê±4åΪx?þûå›ÕõÛ…ëGlz7ŠÙüòê¯ç|~ùúùõM]½~GÄ‹ëËEÎW¾½F÷3\™•«w7/W¯f׫ƒÓ8йϳ÷™S@(¯f̲4rîáƒy<Ë|g;£À‹Â 9õìÝì�ƒÂɬ^jÃ$
-R/JýÄŠïÛ@‰2/ü@ƒrý¥—]#jŠø‹Ø­P}Õ6ÄØ´ª&?AFÉîNvDçmó�1ý‚±|ò‰Iæ¸�ï±ü@c";1cóª!«Š>¿ÒÀßã±ÿl釆™!3õø”ùïCõ~àeˆô‘zùŦÞæV;å®[w#;yF]¨Õµ;?è@	ν,Š|Ç%‚êÊó¼qù8ÿ{¹$…Jlwµ$ZÔu{ïö�hT‰°"SÑ´D·�ÔI8RGÆmKM¼
,û&@›+…,ÅP÷ôñy�ÝÞ¸•çR)ÛJ²:5&E³?c‘Yì¤ê»*7&s‘oäO˜t'¾žÔÅIü
-¼¼Ý>y¤üÉÑ~¿3«·°Ádg
²¬Fžl—d¤l[màâ'ËúQv­ÎÚŽ
-غ–›ÅØ‹�cQRtù†p9³e±•cg<îgþω¶’8/À¸ÃC/cߤú|4ºƒ…Ë{¸·XRÖxB[bµ© úü8ž�£ AmÚ®G2š¯‡ª�Äí[3+û¾jÖô1ìh\-àâ„õ'r“`‚�è‡nÁÓ¹4&0+èžÉ$˜€Äɘ8Õ ð®ú½qÓpŸÝ¼¾òˆ¼ém°Rå]u‹6Íó�hÖㆡG,=k.7C'È02‘S
aVÞ˺>álDo1!(bú *˜ˆ‚¸%Ö6EU"·-N7F_)€{j+•ªÉë¡ <L·ÁN/ju‹¥�Rš;iýÚ#´�ñ·Ü›E¢)ˆÔyqU­�Ó¼ûªßEIOb¸ùÂíG>H$¸ZmEWÕ{úTÃnu‡Š’˜JXó5TZ`¼‘&”ECނωC.·Û¡©r�I(‘ �Æ2Obƒ™vTPGÐÊƃ^O�•úp±ê«r¯Ÿ
O­'®(e&½úª€=Yæ΄$lg% .À•�ñù[}
-ÑKLæ—Ä£´ïéã�Ó©
-ñ�¦lÌ.Ù´C]çÚ¦§‚7nœ¿\ê}Ÿ¤fß'Ùƒzä’£4�>U¹„J9$iè‰}óÆ5	ÃÆ�ž9ò'+eÆF
z{ãq’W°»
Š8ƒê&' €n¿ëÛu'vre‚íÙD¾-�Dv¸ºüò“ôá
&^�¦¾ýµ°ØKý,�B˜yvêùáíú­ëÿ
¨6Eendstream
-endobj
-1412 0 obj <<
-/Type /Page
-/Contents 1413 0 R
-/Resources 1411 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1410 0 R
->> endobj
-1414 0 obj <<
-/D [1412 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-158 0 obj <<
-/D [1412 0 R /XYZ 85.0394 223.4026 null]
->> endobj
-1415 0 obj <<
-/D [1412 0 R /XYZ 85.0394 185.2496 null]
->> endobj
-1411 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F41 1233 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1418 0 obj <<
-/Length 2265      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Y[wÛ6~÷¯ÐéK©“%
-@aQÔyµ£iïŠ8yÈ‹‚F»Ïx=M‹\$>hœ&�W�]sN³ë7‹Kÿöz!”}mԆݽMÖ®çÜkòU¶±Võ}fô�‚íò[]í2±D¨¥‘Å+M
-Nƽ“š2:Š�`
-„®ìNgx8»u+–ª‹8¶3й=¨©¶Õ;w"ßU„¨Ø~ŠŽRâ×êçSîˆ(•AHÅ
-€u¾}¤1¡
-/ ‚3ÉÝýsÑÿdiÙendstream
-endobj
-1417 0 obj <<
-/Type /Page
-/Contents 1418 0 R
-/Resources 1416 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1410 0 R
->> endobj
-1419 0 obj <<
-/D [1417 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-162 0 obj <<
-/D [1417 0 R /XYZ 56.6929 726.8027 null]
->> endobj
-1420 0 obj <<
-/D [1417 0 R /XYZ 56.6929 697.6944 null]
->> endobj
-166 0 obj <<
-/D [1417 0 R /XYZ 56.6929 648.8841 null]
->> endobj
-1421 0 obj <<
-/D [1417 0 R /XYZ 56.6929 624.769 null]
->> endobj
-170 0 obj <<
-/D [1417 0 R /XYZ 56.6929 472.4047 null]
->> endobj
-1422 0 obj <<
-/D [1417 0 R /XYZ 56.6929 448.2896 null]
->> endobj
-174 0 obj <<
-/D [1417 0 R /XYZ 56.6929 356.0575 null]
->> endobj
-1423 0 obj <<
-/D [1417 0 R /XYZ 56.6929 324.2991 null]
->> endobj
-178 0 obj <<
-/D [1417 0 R /XYZ 56.6929 275.4888 null]
->> endobj
-1424 0 obj <<
-/D [1417 0 R /XYZ 56.6929 246.3805 null]
->> endobj
-1416 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F39 1173 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1427 0 obj <<
-/Length 2935      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z[sÛÆ~ׯà[©ÙnÍ“l˱’ÚI%º3�4
‰ˆI@!@Ëj§ÿ½ç¶à‚„¬Étø°÷³g¿sö\Ô3?=ËâHÙÜÍÒÜE±Òñlµ=S³{ûáLËœ…Ÿ´g½^ž}÷Φ³<Ê“Ì–w
­,RY¦gËò×ù›÷¿,/¯Ï&Vs�/âDÍ/Þþã\k=¿øøæò-½ýxÕw—ç©›/?]_b�Êaž‹Y¹üéòŸç¿-<»\ü…gÐÊ"sœýú›š•p”ÏTdó,ž=BCE:ÏÍl{æbÅÎZß³9»9ûû@0¥¥S˜Ä6‹â̤ =Ó:ÊãØŒP‰ó(±Æ*°"rç­”š_5]¿Û¯úº¹gúuÅ•›j÷¥ÚIgË姮:šõSõ„ˆÀ¾&†šÁ`ät–Ò†7u³‚ùVeóÏÕSǵbw®³9uçón-Í’o«þ±ªnô�-WÖm×Ëê¶Ù<‘_AÛXf:aëÛ}×3ý[íÛ�ìð¸öäŸa©o=+\=pY<_Âfph<æ€5ó®ÝlÚÇ
ɺã²(K<VˆcϾ{çt€šÖ„”€ä‰\SlaÇUÛÜM œ˜È$I,Sÿ¥”ÙˆDîÚÏ·y0ßêȦ:—ù¤ž jt§™ŸõJÎqw$ó«_†ƒ1`�œ´½›Ø9Ë£Ôš,ØÙLíì"•äþ<:
7$2‘ýëZët”Äq5
[àR/ÿD–së?$3/°‘äXxЂ˜�¸çûÿ~OëGØÐðàé-`Îršóa¿éëSšË–&--ž¸ëV†ÕªéQ p·ûž‡Hí©ÆÒ€å(û]'㔢¬6O@YkÙ¨¬™0Üö/²UÙV²¢i{ž
-×uýE#ÛuÕŠ÷ñ”Ì»v|ˆºgÉñ¡ r+JCQi¸xlw›rÁ$‹²¸õÚËš
¤³ÈÄ)[‘«)íÊ#g3û’Z»È:èQ¢!MI‡N‰”
-n2³ì«N�¢Û<ZÜBÉÄ4Úã±Þl¸v+Ã]}ß�• Ñ~-;¬eA÷P­jÄæ�Z¥™ŠOÔ˜lb4
”
wblò2RÁ56A,ÕW`@DË:
9êCÛtU76pÃqPøäG3¼^„3åà¡­éÀrmt¸ÙÂ�Ls«½Š$Äð_—®ÞÖ›b'�¾è«-Ü%n²O KUq\7î
-ï~¿+úºm¸s0ÚT��~bc
ÇÎrû}}„4wN;ˆ$Fcª_6ÓàÕý6$KÂû¾©^â8ëåøæL©ÄÄÅVplÿÔ±EïÇ!p~Â*°Ø6�€+uCK´¼¹úáÎPåuÑy­¼X­÷Œã®Ý¼ò¼¾úˆ±e¦ç$Þûr!°«)¹²+Fæ3ÀZTU�Ì
-oþÆ•²Âá¦F5"HÙãà=`'Зž§]ˆp¥‡Àán‚R
-–ÈÉ8Èx÷4E%‡ðc~Ÿ ÒH½Z
Ý]µ› q¯Ñ¹û�…‹pŒaAè—ö%˜�)Š¶§Þ,ÞO6�=°6r¡zØØz›ÄóuAÃèkÕ×ü
É&�@¡—àæ.Q>è”�€†»–ˆ;Š5¹ï¶%¯
K>“–Bßc»ß”~G++ðäU9‰ŒŽÒ\§§>ƒT{òLêwèŒ/ïŠíƒwÞí�÷Ûg˜Ï¤éHßB©‡·™rz
-u?ðÉÉ“L†‡ÚÙÈ(��ÃÃѾaÄG8|3ô{.ºc¢xzá¡^>A_¯¸Á»{Ê=˜oj$¼›
-ºOlècÑ�zÐÛ§Q”5—r	‰°ŒqSö G{0\­´!Ƭ3ö’Ü2\äÄ%cm¹©ªã¼Y+Ì•‹áJÛH¥Î`˃»ûW®ƒ”w˜¿pÊrvJ—X‰ãÈ	À¬¹–’,Ê3ðBá'¹÷0ë%FR¹�1‚Î7”PYw«}×
¼µÇr߶>)•ðØV_k—OE¨c°ÕÆx[Íê¶xh7õj*IOÐäZ!‡0iÚ‰ZÈ¥RK·éȉ&âD/w»v×½ìÙ éTâ®�+çÌÐGÇ׉7ŠÐ3h7Ôƒ°
Z«¢áÉâJ!½â
rŠ¸´‚L°Øp£Úñv;´Ú&Ï0� �âÙ}„ZÇ»H|=tu+›¶YL¥Br¦ûqxYÀ¦¤¨©£ÛäDúßý|ýáòúš‚²l)µ€öÀ¿rÐ%á¹ã¥¤hûEhwüö‚£¬SŽˆp•=ø+È(9"‘uÏb“Y?)ÛTÆ›AÏ}Y„¬‰� ›$
å.À8:FÆ­:0{Æã€ñ!�7ÈC	I
-¨zÝ“
5aÔퟖˆXëi5eÀ¡8â‰sNä2c.WyÎÄÜÄ|”Î&>�]XCÙ%¬-Ö¤¡¶àÀð u�¼Âà#Xh,­†±Ž�æ5\î›ÏMûØð*ŸRáš“lûÃÄŽ—±–ÁÊ’m&ã<ÎZ-$¡"dz*ˆ°Pkn®Ú²âi]Õ‰–Ë×oñù•S@ê!¡,x…ßB�„æ€ Ô�´ŠWë
-»¾›m1½U*ÿVy‚3,œU*ÏŽÉ
gêÆhC!"dž®
-öÒ÷rÜò0F	;Ráû“Œ43€-Ȩ£ìæäÃÇ€q–ï"¥´O2žÁ
-Ò*­†'Qg Höî‰kÌŸ­òZ–ç’ìäò¥`E˜ C;^PttÝÏ5-[k`N.0§Å`¸ã%’—!‘¦
-�7[døÙ/ÏŽl©\˜G¨Ð½7Þf«ù[Hï4?ÝW‹÷Õf³¥ëè�Sª¯¨÷•g±¥§Q:xçÙ:	ú}‚XÒäfàªâ‹ì]pÇ48A„òípc´Œ®W±é×íþ¹³h„k
-ò-?ÎCño_iòvËõT‚du¹|Hyž¿ª1¾ð¤ Ká�$î´ô‘…»‚H½R”hcð|æB±­=„” Wào8¦Í9}‚Aìie:l5œÑJ"eò£Ðú™›g 1O•Ñ/žÝ©tôÎç'ù‘‘ÉŽŒLîo*ÔØ»ù¤eø{”Ljeñðflðe]åÉø
-�Ÿˆ_–œœž/Ëâ÷âñÌCysI/6ÝÑW‰}wüɶ¬6Uï?J„@�>Žù콟㿇­™+Šü¥n÷�ìUôÜ¿,$ÐÖN½G¨!Mÿ¿ÿypø«…K#›eÏ<lÀýŠ2“§ž)„Òèc·¿(œ²þ?G°±endstream
-endobj
-1426 0 obj <<
-/Type /Page
-/Contents 1427 0 R
-/Resources 1425 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1410 0 R
-/Annots [ 1431 0 R ]
->> endobj
-1431 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [101.3082 379.428 169.9802 391.3282]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1428 0 obj <<
-/D [1426 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-182 0 obj <<
-/D [1426 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1429 0 obj <<
-/D [1426 0 R /XYZ 85.0394 749.2913 null]
->> endobj
-186 0 obj <<
-/D [1426 0 R /XYZ 85.0394 546.785 null]
->> endobj
-1430 0 obj <<
-/D [1426 0 R /XYZ 85.0394 519.0032 null]
->> endobj
-190 0 obj <<
-/D [1426 0 R /XYZ 85.0394 364.477 null]
->> endobj
-1432 0 obj <<
-/D [1426 0 R /XYZ 85.0394 339.5007 null]
->> endobj
-194 0 obj <<
-/D [1426 0 R /XYZ 85.0394 175.6792 null]
->> endobj
-1433 0 obj <<
-/D [1426 0 R /XYZ 85.0394 143.0963 null]
->> endobj
-1425 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F39 1173 0 R /F14 976 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1436 0 obj <<
-/Length 3227      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sܶñ]¿Bo¡&>ŒŸ[NœLÝÔRÛi>x$¤ã„GÒGžeå×w»À‘'ÚéLG3°X
-Y\æEk‘èËj!.`îû‹„q6i3Çúîîâ›7*¿,â"“ÙåÝýl/c’Ë»ú×(�óø
-vÑíÛïZø—\m¤ÈU½úáúç»›÷0ÔP	ñúõ¿®’$‰®ß½ºyMS¯ßÝRçÍÍõUžFwÿ|s{õûÝ�7w�Î9/‰PH䇋_—5°ôã…ˆUaôå#Dœ…¼Ü_¤ZÅ:UÊCÚ‹Û‹„
g³néªlK•ÉáH¹&]Ä™’Ê	çng‘	@Mf¨vÔ:‡ýÎO7ÿa¤ù~JĹЊ‘†ÃUb¢¾²ãxµQºˆßvÍÔ”“­i¸}‚D\Ò°jÛMÔïÔŽöðÑ–製J¢®nº‡Åò±yè`çò,.„ÈþRFúp´‡'ÚͤéªöÈ'¨ìžp‡K˜Xgùå&IâBkéÖ–`8 ³°$É#8t$[ÃÑÔS[RãH*d´)K·”1÷`bhŒ`„¨¢ùŒëÓŠqè;�Ëh_
-î
šöttº(
-vDw’§Eá£ÐÕ&â,
-=�pÖ˜ç	áwoß½F‚²¨ Æ\¶­#ïô
-¶<wÁ†]0ûÈ/8_ºð¯OÃÔÃvME	ÉÌõ4­3Ò`¡¹F(²E~A€‘Ú¡ÇfÛZMàˆväš(5AØŽ'Ãf·¶:šé‰F(f"\sùpl|ÊNn¶AÖ‹B@A‘{	ú0²Ò�öKm–NÏ~šl7'£»ü8'¼Öì3¤ó™Øº˜ •ŠR¡£2L",e_m¹˜Ôà·•€ªŠr<Øb5‹0j;V‡fë,†ìBÀµó•8a†Ý!¤(gÅQø(ynªö�×îÏ[
�ep>ëòp¡)"
xt9
-!šs
-�9ÅZ˜oàwu¾€ˆZb¹óŒA.ÁÑ9'úè‚â6�GlxÉ,föñùrûih¡0¡­²°Õ¾Ÿ#Az^6LØÖŸXU9N
k
v§¿bÄVgÖYqJ¹ÓEN›Æ2-|M³Ù­\'p<ºH}FÛlŒ™ÆàO…HFñšû£?ÐkÔ’ÌRrˆ^ ŒC­�YŒÒ:z×»8“iïx3>³“e9 é»$™ÇÆ‹O‹03±¼ÞâÖŽt÷¡¦5©:Kõ�qKCf$Y•Òp‚
€ÇþðÈ
-Þƒv‹è—•ýXªÐãgÛ9
üø½.ôV©\çæ�òK¡7=
Ü£áÌ(3"”S¿üýÝÍúƒ·’…w†/h;
-ü&„!èmù¤ãÈñÂøÀbÔYA‰ñN@ÞÊ+�9ô»ßÛ®¶|
-/\øŽó8«úÁjÜ(,ÿñÃ=�½•8 «þ
XÒЙv¦ò
sð	\}6óiÁ@È»Ÿ¾û¥ü%Èã;VÅ—A.T¥föµ4ó$N井¯™�QqfÂWCd
-<Å^Ÿ"ßX=³°ŸDáS¢“+
(}€¦þº7ILç©ð¯¿`yZÐ÷+/a´~¨EJG:š3&<¯§væa´üP„ÁNr9M|zvÜÎî!}Ì3�-%Üeàñ³3×>e~æfC‚™Šd�¹Õt0øè?ü¶ÏŸ,|(þ̯;”Žñ'+¿Å!}þ¿ùqúÉKšÇʹþ£™›85°	å>µÉg”ûŸˆ<'ý¿w€=endstream
-endobj
-1435 0 obj <<
-/Type /Page
-/Contents 1436 0 R
-/Resources 1434 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1410 0 R
->> endobj
-1437 0 obj <<
-/D [1435 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-198 0 obj <<
-/D [1435 0 R /XYZ 56.6929 678.9507 null]
->> endobj
-1438 0 obj <<
-/D [1435 0 R /XYZ 56.6929 644.5195 null]
->> endobj
-202 0 obj <<
-/D [1435 0 R /XYZ 56.6929 514.5361 null]
->> endobj
-1439 0 obj <<
-/D [1435 0 R /XYZ 56.6929 481.3387 null]
->> endobj
-206 0 obj <<
-/D [1435 0 R /XYZ 56.6929 279.5586 null]
->> endobj
-1440 0 obj <<
-/D [1435 0 R /XYZ 56.6929 251.1623 null]
->> endobj
-1434 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F39 1173 0 R /F41 1233 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1443 0 obj <<
-/Length 3255      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sã¶ñݿ“éLèö„
-)·‡ù±éòR–UOÏC_4ZznÊ�9=øúi°Ï«ŽFk¶›¬[uO{‡c›ÛÅ#=K^ØðQËCU»S·åñdð):ÍÇ1bÌOR†uÙƒÎk%ƒCO¦qèóMIÊA}µ«ê¼£ h†�Àñ4Öá?Aíf8™$@h<­L%èp
-¤ž‹o¡3ì˺ZÑ÷8RA¿mxq„.yeÕô ¤eáÞ�…¸vp¨~kxû“Û°ªEÕlŽ»ì
¢ñ…ÁÄ„–±vW`^ŸÜ3LEb€ïrÌp:åÐã	県p˜Þò‡¯ÿúíû›Ü‹HJaR™Mí ÀÈw`i½ðØýü�CÇ°M‘‡@Ÿ‚”RwÕ¦±·¶RÞ²üyu~:à	c¡•Ñ/™JR3UŠŽùmiš‚ÜgÍk¤Œl^¤‰¬ž›†F9==+•I„Ž�„‰N½mžfD†PB§”¨b`¶çD‚CÎbcÎd*ø¦ŽŒ³ß·MQ�_´J3Vá	88ûÕÀóþ°Dby¿WfÉÊ°=c‰‚¥F‰b‹€)VcI@oŽÐǪ®iÄ.ȘÓàEê…ÑÔ)|äÀwªÈZŒyté73è@2í|#bÑs¼Eš)^„¾ëèÄ0‡èööîÃWÏ!’ΰˆEÀ}ë!QOŒÖ-:,Ãf�ä×bM΋KdŽ
-•±,PMt|˜;a¡�Y
-Žzâ4ž?*’j|dlvÇ#ßx§Á†øžó¬Û[0"ÞH¬û–±5à»cU|dXžü’×çEᦠüòº~²Û>“?NLÔÔuûH^^!­ØÙ`Š/hN=
)f˜Ô)r6ïûÃÎï¬~ö´°jè=§‡�0xPX³Ñ$‚
-ü¸ÕsXGëCîµø�¿ÊÞf
->é|Ê™ ½Ÿjµ†œÏIÞºFxçOF»Ž';0ÞíÀ#¬¨–¤Mû�F‡=£m		¥|y¨rÜ~yMƒX*5%‚ �nEtŸ|Yƒ*¼fU¾Ä•WÛ»	ýß>ýl ãÔù„O{mŸ;JÈûUW-�nTܼڵÓEC^±šÕÀ¼nºxðù~Ñ®;Û…§ˆ%"
î�uâÛ¦®~ædö݇�øѼtÆù´ƒèÀÐDÑ–œ‘“k„çjýÄéð¤%F0Jž!L·yÁh{Nø¹‰“lA˜é·œÙƒ�ˆ+ˆiÕ¯rV˜-Z!3ŸVŸoÀŽZÀ§ls-]Ÿ¸˜æû>Ó¯µôafM“QU˜à÷ÓžFPCB¡Qõ[ê9keÛ*!8å+<íÑFè}¼ýœ
-=�º§u|ü¤	3ìt¹§v½g¸”Óþ=!ãö"È‘ÞæK<‹Ã—xöôÃÐS_hŒ•HÙäMõóÅN·ô\–s7ôîSmì�ÃÄ»êDºvZl\Û8Ájô:ç¬�‰oùìP
³
2ñ
-dlVÕïóU9†ãÂ3ê
-¢èêuÏ$º¾Zrôô“‹‘ÛÚ–GÁbB„½žþ0�séÄae�ø¨(üT�Ž=þ(W>€²Úí”hKæ½ý�·VvU_º…
/Ú21NÅÝP¶fèi²‘æŶ‹U
O~šœXŠ0;íƒ�†þ[Œ˜É±•%…ŠŽÁ8zjÛtÿ¯=&JEÊ“¨ò…�ÂFXŠiºH#M�¬?Ú	'›ÑÄ­-ºí7üdžض³ôÌvÆ;‚á{¨©<->Ÿ⪩†*¯öÂ8¥�ž<>{÷ñ‡è±û×ßTs½þúO×ß²ûîû§vírHû››õ7zUß.¿Êïïžû‘Žþ÷gæO?Ò·ÿï¿ÿUBÐYÎÿ{Hc�54©#
-™êSÊý‘ÎIÿݳÊZendstream
-endobj
-1442 0 obj <<
-/Type /Page
-/Contents 1443 0 R
-/Resources 1441 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1410 0 R
->> endobj
-1444 0 obj <<
-/D [1442 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-210 0 obj <<
-/D [1442 0 R /XYZ 85.0394 671.4386 null]
->> endobj
-1445 0 obj <<
-/D [1442 0 R /XYZ 85.0394 641.1061 null]
->> endobj
-214 0 obj <<
-/D [1442 0 R /XYZ 85.0394 444.8166 null]
->> endobj
-1446 0 obj <<
-/D [1442 0 R /XYZ 85.0394 417.1342 null]
->> endobj
-1441 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1449 0 obj <<
-/Length 1913      
-/Filter /FlateDecode
->>
-stream
-xÚ­W[“ªH~ï_aÌËê:B](.qbPlñ.
-^˜�AQQؘÿ>¥h»³—8Ñ•·/³2³²`	Ð?X"<ÃKH*	Ç
-5kó�}p‡�Ö¡š�¤ølV…×Âh,:ž7Úëp[·Úq¯½Q%s½†ÂŽÃÞ¼ª`=Aí,ÔŽ'›
-)ì Dš&›ÉèhvTGiél'#Ó9šEÌJ{œxŠBФ›,=ÇÑ;ÆŽozÛÂ>˜ž4H¼6ÞŠÖo‹þòYbc"ò¥ß~½Úò‹ö·«åßÝj¹4Ã0…÷lx<:«šZËàQp©süV„øÁšX�oßï³/ìµB»9ê¢Qò½¼8þ¿šE!b$‰pų(*P¥@­+—T×cù”ø¬êû$/
-8îcbE裋ё•G”
-iÇ!€D.÷upsõÎ)1„§#.e¤#0�l)ð;Ç�Æ–uú•›_Cu
	T„b ¹3¥mj€“$œ3½¬ï®~Á}ƒmïPI‰¨C¥ŸžŠk¯šïNñèe§�ÊEíC‘†FÌG§Ám>©!A*GëÛ¯X>y��m�²sûw›ªn¤À¿�Y9ÕŸìþ1ßq*”óÙ$'YñCSRA¤|Ë+Úƒ1GÊí0ßß[ôFà@ùä¯Î
]ÓGί_@ÄQtÊ·^à<<P…”£ õ_Œ~9Ž—$Jbé%~.«nùK$ž¦Õ÷çÒÏåüK¢òôò#Òk¢þøâäéý„€tw|æ9·ø"ñãÁy[¿Öõíû=ú›·;ÿ°Âû‚žL\�"m>NTà=àts…ÿ
-endobj
-1448 0 obj <<
-/Type /Page
-/Contents 1449 0 R
-/Resources 1447 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1451 0 R
->> endobj
-1450 0 obj <<
-/D [1448 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1447 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F62 1379 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1454 0 obj <<
-/Length 2465      
-/Filter /FlateDecode
->>
-stream
-xÚ¥k�Û6òûþ
-¡À
ò¡VDQÔ£
p7›t›ë¦Íº=¤M?heÚÖU–\KÞ­s¸ÿÞÎP¢¥w@°Àj8g†ó"-¼þ„—© ”yì¥y¨P(¯Ü]…Þæ^]	¦™[¢¹KõõòêÙK™zy�'Qâ-ׯ,³LxËÕ/þõ7‹ï—7ogóH…~Ìæ*	ýÅ‹ŸfBqw}ó‚¦^ÜÝðòf1KcùãÛ›û™LR«r^D÷7×_òŠww‹ïn¯iðó›»›{žXÜ1ÏÅ�Ë™Èü7ßGK{ûêîöîÕì×å·W7ËAM×"”¨ãïW¿üz+°È·Wa óLyO0‘ç‘·»Š•T,¥ÅÔW÷W?�Y³tÊ´Jf�Ê¢t¶Q4e[•‰Œ¤±mWm½b­;]¨®¦ñ‡¶Ñ�O۪ܸ.ªš ¾¥ïcQW«¢×̦hV¼¨ª™’¸öÇCÃöƒãTÊÿé%ZuqûÏs~ý–(ëJ7}€f]ç"D–§Fð·ºÛ·MgäËbWœ`é2EÜ
-„YT»ã•ôAžçST�¬Ç”ekÖ²}_¨zöÀQVë­ÛöX³§m‹Gv™­›Ko>§	
-–Ë¢t&BÿØ™Qâ—mó>#”§ÅSÕoiÖh‰(âd‘³¦GQ‘à	G($NUM+«¶)êúDóµ^3ƒc3Ÿ
-JÒJ¥”‰‹j«!á( ê÷0‹BÿD0�Í«õ‰³"ÔÚǪ ŠÁ¸JÙê Üó³swPšŸá?Ic8Ïö°êP«/'³&Mš±W
-ë‹ï£(¶Å×DXbO?´¦u±þ
-��^!õ™l¹a°iY+×j£6χؙlN(
…)¬^U%„+f˜0£Äh[‰F“ãmƒ{C6‰eä¿Uø=ª
->!­W"Êš°‰=æ:à>Ø
M�gs&Š„6gIiÌÀ˜ØÚCèÛ‹bŠCÇäŽþSn
D
h*.«jœ§Ðt'Òs+úgv	Ø‘¨<ɽùx;ø¼.æ¼ñP"kt$<2N"÷.'9ô‚,
—,8Þ0¼¼d�šbW•|ÉÂ+Åå=aqì[ha-Í=TìÇ6ƦD8Ú6T	EÑ¢£B…a åàF€
7
-BB'TÅÄû÷‡ZÓ¬ñ@À–Û¢Ù0® ÔÊÊ�ƒTcavlr
׳¶ØåhkÂFSœ|(Êßµ�Z„wÒôŸòÛ©Ëߊ
-îp�c4ô
ú@0–O‚Z#yé+`À¦n/	ÛK膓<·‡>Îë¶�«Q?ôæÜ?aw>¦§ggÜôù©@ŠŒÊæ5�¸JIMUdõ„s��òò³¬¸Ä“}
-c
T‘öí/�.v“;8¢[#�‰'¤Ñum:ùÄ_4SÞ5ö¦É¸|
~ààu“�®˜;¹Þ­/½jª¾*˜Mǽ!-¢¡ÔÝ_¶4éÐÐD¶?u[Òág
-&‚©~þïfirÜØY-ÜdÅ*òkHè´æSÙd2(þFq×t,ì„›ýƒHú¾&@¿O=€‚yð×…‰ŸÂÁ�Ÿý#Æx«
-endobj
-1453 0 obj <<
-/Type /Page
-/Contents 1454 0 R
-/Resources 1452 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1451 0 R
->> endobj
-1455 0 obj <<
-/D [1453 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-218 0 obj <<
-/D [1453 0 R /XYZ 85.0394 486.5796 null]
->> endobj
-1459 0 obj <<
-/D [1453 0 R /XYZ 85.0394 454.3582 null]
->> endobj
-222 0 obj <<
-/D [1453 0 R /XYZ 85.0394 412.0822 null]
->> endobj
-1460 0 obj <<
-/D [1453 0 R /XYZ 85.0394 381.7503 null]
->> endobj
-226 0 obj <<
-/D [1453 0 R /XYZ 85.0394 150.1125 null]
->> endobj
-1461 0 obj <<
-/D [1453 0 R /XYZ 85.0394 122.4306 null]
->> endobj
-1452 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F62 1379 0 R /F65 1458 0 R /F21 950 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1464 0 obj <<
-/Length 3336      
-/Filter /FlateDecode
->>
-stream
-xÚÝksÛ6ò»…¾ÜTžV4
ð…ë]gÇqÝ$ÎÃr’¾>P"eñB‘²IÙq~ýíb|‰I;Ó~¸¹É8\.–‹Åû„ÄÄ…bâN ¥ž„Ús|Wø“ÕöÈ�ÜÀØù‘`š™%šu©ž,ŽNž©p¢È`²XwxEŽEb²H~�zŽvŽ�ƒ;}zyuuvúÝñLúðòóåüåÅ)½üòêòìŠæ—O¸^‹húêåü8ô¦K{uq~yqy~¬‚Пžþ8½8{K#Ï3úîX
œNϘLMÀ³3âvýöìêø÷ÅOGg‹f™]UWáo�~ýÝ�$ ‘ŸŽ\GéÈŸ<À‹ë­åd{äùÊñ=¥,&?º:zÓ0쌚OGU+\Gª@ŽèÖÝ
-F…
-&¡¯�@Ie”ûÃñ,pÝé~—ÄuJpœ$¤Ÿâí.O�"­	
Jx~ö3ÁÒPôé18›Ï)D¸»~æ>ß-_Ïå*<ÿï–"ºwëôùB�=ÎÏ×OÖ/¢ôMçÊÿüY1Ó±=¹š¿yòéâöåúE}ñpûþurSoª½
-âÏço梣Òaå3!íûò¯®"üâ*’“°L®O¯”/Ϋl½|Q¿ÙÖ¯¢äÙÓz1ÿåÃÕùí•ž\_æ·úâÇ[õ³K_¨OÝ‹}ü�ŸÜ~ŒŸ¿ûô!•y�Öß&/ƒëtóxzûñk«¨Ò"Áá“gRvöoæ…N$Ýp2SpÜ€Œãý&ËaÅÒUÓzÀUÂwh
éí>­jB<dyŽ�œ®JÔ‹%Œómii²í6M2à‘?;@ò�àsY¤}njZ”üñ’‡,{àaÞ«ì¦H–°¨³œ×Ø=£�BhqErŒ¨B)'ˆ F¢M\
ÓÐ ! Î¶(C(¦uI˜‡8ÿÈcf

-^•æ™TàAP.†		×æÌxA½Ó@óƒÇ‰wé'‚XÛ
-¿ñ›8+œæØFŽò]m½XÚÁk>–{ˆYm…‚ !̾ʊ‘·¢ñ¬¨ê·ñåš�—äë;¬aE›rŸ'4n,‘qÑ~ ^k9�¿�¿¤±¡Ö»R¡†GÌ0+²:3jtkKÍ[Âm"³t¤2ò!@Ko� x™ˆ3:$¬Ù"xnâûtðÁ«×¶ z™÷eVE•š
†èS¡/Ã1;Ô°µL~s]ß°eÀ‹Lódl±¨l>íŽw•ˆ¸¾²È^pø&ÃúäΊŠuøe�W×9{aøïoöïÿQJüÿE©?·
-:Mt’ð]ô.Ë"¤òü Œ´ûwÅÅù
˜Z‹‡Fa|œ×±f€û‘ÑÓÖ»zQ×¾‰Œ
-š¦t—þpö®%@!ŽÝ¦/jA(âJwŠ54T ‰P¾@uÝ“Äx`Œ–m¢jÚ:lM.çXɆ¶‚ö…}ÛýZÓÍ­Ëáb)§�¿febíJQ/� 7%"
-$ˆDÑ2ˆ¨"THz\ØýK(;(§…Ál}8Z’aÃÖÓ¶Úpƒ–.€ÒXð
Ü+CQ<€EÓ�éÔè¦	…xÓˆƒç6NRû1VÎÈŸV{£dXH!9Ÿ„á¦NhQF@OC÷åGÒr êÒöf#f‹±ž-E	ÐÕŠ‹!¬ƒ¬)U๊ïî2S¦Àp¹Ç—§ýé“GNÒu¼Ïku›Ì@ØÌ@fÒÔHNpõ‘8Ûª
-ç3úd, ù«À¥'8¿=ìÇ÷cÅÕó
-|*�=„CÎcm	"Ƚ›™
û€™˜�š¤Ý&íBjsÙ¾ó2Nð(Í |¥w÷q>À<åx�l²2êsîH“„(³køº�?eÛý–p¦4…§ôhŽÕWzàµãk!û+_Œ×ÚAØO.LG˜…‘ÓÆÜ5yŽUZ�媑ãI%ÿ(§Džb*Û€6{O`ã¦È	øÝÊÝÕàÊÁ±9a|¡29è8K—µ…'¼ì襢úÙ±˜’uÒ·}Q—§wsák…v<²NÁ‚ ÎÓÄt‚D˧¥c¿	Ð’1ͽˆ²í¥ÙhÅÜ»�1íªLM«‡Ê~ã!`„TíE㹨�¡#uãÈù¸
-endobj
-1463 0 obj <<
-/Type /Page
-/Contents 1464 0 R
-/Resources 1462 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1451 0 R
-/Annots [ 1467 0 R 1468 0 R ]
->> endobj
-1467 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [411.5778 302.2913 489.9929 314.351]
-/Subtype /Link
-/A << /S /GoTo /D (man.dnssec-keygen) >>
->> endobj
-1468 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 291.0037 134.1116 302.3958]
-/Subtype /Link
-/A << /S /GoTo /D (man.dnssec-settime) >>
->> endobj
-1465 0 obj <<
-/D [1463 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-230 0 obj <<
-/D [1463 0 R /XYZ 56.6929 436.3593 null]
->> endobj
-1466 0 obj <<
-/D [1463 0 R /XYZ 56.6929 405.7905 null]
->> endobj
-1462 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R /F11 1353 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1473 0 obj <<
-/Length 2453      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ÛvÛ¸ñÝ_¡·R=+$@웚hÓl;µ•íI7û@S�ÄŠÔŠ”ï×w3àE¦»îéÑ€Á`07Ì…
-f~ÁLG¾�©š%©ò#D³üp%f;Ø{w0ÎÂ!-†X[_ýåG™ÌR?�Ãx¶Þhi_hÌÖ›_¼7_~Z¯nç‹0žòç‹(ÞòíÏó ¼åõ›Õ[Úz{}G“WËy¢¼õçÛÕÝ\ÆI§R>Hw«7?ð‰/×Ë�ïßÐâß7׫;ÞX^3Íåçõ<ÐÞÍG¢èpïÞ¿»~ýnþëú§«Õºs¨Š@H”ñ·«_~³
hä§+áËTG³GX?HÓpv¸R‘ô#%¥ƒ”WwWÿìvíÑ)ÕFRû‘“	݆Á,ü4ŠÂ‘r£Ô�e(­rQ3j¾„Þ§Sñ�µfÑ>
Éy2y}Ú4('P–3@ðã ‰-™õÞžP^ÓœJ¯Þ¨íöŠ]UT;ZO¨Ø:7MCèEÓce¥ÙÐêþÉ¡�y“ž=�üá¸áÃ_E$‹vO«Œ†�Ùfç²¥cŽ€ò²òÌSÇjER
�ÀG‘QÈN ä¿ö¦<𧦘žÖ–ws
-©ì™¬ÜÕ'ÐÂa¾ˆ!¡¿²q M]eµ„ņNJÆÊ´�õé- z�Ù§‡4d—/]tByбk[f»Irêùq2~ÎñàÎGîüEœíXYHÈ
JSÔ¾©Jô%ž©|2Ûí¬�
NÖÐø5•cç„œgm[÷ìHZ#ÆC‘ÑÎæ©ÊENÐóq>x3«½eۚñ廬Ï�ˆÑ©œì4¥æ>@üd çQ^¸ Ï86Eiª¶|âX´«è
-øk
-uÝ#ÁÕ=.†vîaAœ‚’a
-JzÊ$ðžê³‹Ÿ†#iË×dpʽ.)_Ä‘b•}°F‹ü4
Ž�Ÿ(Iúøó„pÐ=I¥f,Œ¥a¾måínfî;q©©Ĕ綇èú*IÔØ�@fJÝRú:HÆ:t¨%õrW`æ
-¹¡k
Ä®õm�)mikÝ@lTÅoJ¥N1Ê)F9Å`ízG#D
늵âjrŒìßÑå·
-û½·##Ö9�LÛ„Ô�—ÖS5�ù~,ˆ>"†â�Ô”Â�Mß+‡ª{B’[jœäe
Ζ
~‰’Š‹w_òÌr
#d²bûDôµÒÐCDk:õêLž}Íé]¦£¦ª÷8 �^1]qô>òâ±WéxÛ#—b“ѸAD
-ªvpùŽ2þû‰
-endobj
-1472 0 obj <<
-/Type /Page
-/Contents 1473 0 R
-/Resources 1471 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1451 0 R
->> endobj
-1474 0 obj <<
-/D [1472 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-234 0 obj <<
-/D [1472 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1475 0 obj <<
-/D [1472 0 R /XYZ 85.0394 749.2278 null]
->> endobj
-238 0 obj <<
-/D [1472 0 R /XYZ 85.0394 398.6362 null]
->> endobj
-1476 0 obj <<
-/D [1472 0 R /XYZ 85.0394 370.8109 null]
->> endobj
-242 0 obj <<
-/D [1472 0 R /XYZ 85.0394 321.6035 null]
->> endobj
-1477 0 obj <<
-/D [1472 0 R /XYZ 85.0394 293.6228 null]
->> endobj
-246 0 obj <<
-/D [1472 0 R /XYZ 85.0394 120.47 null]
->> endobj
-1478 0 obj <<
-/D [1472 0 R /XYZ 85.0394 92.4893 null]
->> endobj
-1471 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1481 0 obj <<
-/Length 2247      
-/Filter /FlateDecode
->>
-stream
-xÚ­Y[—Û6~÷¯ð£}NÌ%E]݉›¦{2™Î8»§ÛöAcÉcnlÉÉ3qý¨‹¥I¦§{ü Aø
-¦›ÃDN ïÝD±ÌÂ	-ºR?¬'ÿøQGÓD$¡N×ÛŽ®XÈ8VÓuöÛ̉˜ƒ9{{}w·ºz3_x
4~½^~xE�ÿ|¼^ÝqÇòú-ŸÖsÏ>~XÎ#¶v²wïß]¿¿~7×aÌ®~ZÞ¬W·Ôãó<Ë·ÿš+¥@ÓÕŠuÁÔDü¸"mŸnWwó?Ö?OVëf™]W(©q�_&¿ý!§xäç‰:‰ƒé34¤PIâM?Ð"ðµvœýänòK£°Ók‡ŽºVIáéÐñ­ç�ù6HD¨=m}›îÊGSï°8íÍviEDQÖDÑ…ù“)OÕþŒ<=»Ïó‚zOUžU—ô­Ì÷Õ»œˆ?Ë"ÇÐèyc½¤öÙì÷Ä»ç¾íiOs’^7—3òËÉl>;£€	Ñ
-ôçüÌ"}ÉÇ}º1ű҂d󯦪n3²¼T^¥‡œF4ŽÓˆÂ춞YúI{1[¶p>Ò]lˆ{È‹:E7" a2íÇ ¯ÞÑH’Ö'­ˆ·µ­ò@Š¬9È.÷vyØuŸÛ%· oœ
uŽÞò(ñ)qÄ�CŠ<0`€y$²§�XOéÞd¦æ1Çüє̿
‰"|OÎ~8SG–oÓÓ¾Æh$ˆSÃÈÎý¾DØX}›òpÜçuΦ ¯–¬(=W¬%ÝÖ0h$nÏ;³ÙQhMÝ	±¥î9èUºeÊæ|9 `
-ówLØд˜¢õoOªØ?W¿}{[åµ@ó P¨icß­õ}!7õ7ž/””rv
õWß`þ,o—Ø,vOEÍ'“ñéæíržx³õŠ'éV#˜Ã‹E‡��c™á
-BŸM
>pxJPÄS�<±)í—GÒ¼02;éÁlˆ{:fimÓ?гS’µÓønš€¦!Þf—–£‚×<|È‹Üλ-L–a–iÅ™£‚Á
-�÷»”:}hh/·Ù
R÷<üOš®ÄÍI³eMlÂ(RÇÒÌ<—'$
-çÖ–¦ìèã“¢Õðå”Wœ"Mâ½´	ƒöª,
-æ¾`•‹š)}š#¶jΞÀ­yÄ©hû¡U‘y·f»…0Þ�†,DzÃX'£²]ÞÈÑAD�¡@uˆ�ql×Hv§Çü+ÖF�-â:P€kí¿מ��§Xë‹Í–¶Byúâ0kÏÓ®,àì°+Æè@–EI*.’ÞaªrcgÍ
-눔$À‚’`Q—‹o$„R±#‡�òXóvÙfSsøÎë¦Ãêñ㎞X	úNÏ9¯Fæ‚uú^ƒ7ªB FõÌ*ŽI¸fs;¢
îìQÄ
(-4Ôj(ä^ß©ïí­ñxap�oèì‹]Íï¡OcOQâô#PäXÒu
-¶áãÍúã§õHz]À�p2D«ö…ïKw<,¿@hñ#UJ§äØ9nE)»…ý¼Ë�cH,4}¾Ù\Œœ,�i¯7Ý
œ'@ñõƒ;©Æò2z±åg¼X£—ì3xʶmÑ#^KB‘¨¸[êÇ|uKiç³ÖS¨Ù¾¦àÃóêŽ`ðEóY¦ã+±cÂÅ7Ö#‡-`ÒVg€;Ñi}B'h-E¤UØOåƒùJgÙs†öÔËÎPR‹H*ý=wø°?:od%½J*V?9ˆ¸v_à÷H÷ö2°I’M$ƒUYö¥Ú¦ÈÌ“ÉNéžøíU–
â#݇Aß—¸©)~ØÖ�T°ó™©²½%$‰}¨ˆ‹QÄï}+EÛÊÙ=[ÊVgn àV]%ËÚÕHÙ[
Šº´€®ñéÇÐñÒÿ:øçÄÈ¿²)=û?�ö¿#Ž;qì�ÿ½áE±ðcPÂF¡ý^<°ÜýY24ý–æÆendstream
-endobj
-1480 0 obj <<
-/Type /Page
-/Contents 1481 0 R
-/Resources 1479 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1451 0 R
->> endobj
-1482 0 obj <<
-/D [1480 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-250 0 obj <<
-/D [1480 0 R /XYZ 56.6929 687.5192 null]
->> endobj
-1483 0 obj <<
-/D [1480 0 R /XYZ 56.6929 659.2346 null]
->> endobj
-254 0 obj <<
-/D [1480 0 R /XYZ 56.6929 590.6286 null]
->> endobj
-1484 0 obj <<
-/D [1480 0 R /XYZ 56.6929 559.3791 null]
->> endobj
-258 0 obj <<
-/D [1480 0 R /XYZ 56.6929 493.738 null]
->> endobj
-1485 0 obj <<
-/D [1480 0 R /XYZ 56.6929 462.4885 null]
->> endobj
-262 0 obj <<
-/D [1480 0 R /XYZ 56.6929 408.8026 null]
->> endobj
-1486 0 obj <<
-/D [1480 0 R /XYZ 56.6929 377.553 null]
->> endobj
-266 0 obj <<
-/D [1480 0 R /XYZ 56.6929 258.7201 null]
->> endobj
-1487 0 obj <<
-/D [1480 0 R /XYZ 56.6929 227.4706 null]
->> endobj
-270 0 obj <<
-/D [1480 0 R /XYZ 56.6929 161.8295 null]
->> endobj
-1488 0 obj <<
-/D [1480 0 R /XYZ 56.6929 133.5449 null]
->> endobj
-1479 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F48 1253 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1491 0 obj <<
-/Length 3154      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÝsã¶÷_¡‡ÎœÜX,@ühŸœ;_âxr—Zºt2¹<Ð"mqN"U‘:Åýë»_
-¬Òv¶Þ]¨ÙŒ}w¡eÎÂMZg}»ºøË{“̲ ‹Ãx¶zðJ•¦z¶*~�¿ýþú§ÕÍýå"´j—«ùõ»Ÿ/µÖóëooÞñлK¹¾L¢ùêÓý
Pt&°L+Yùî—×?޾婫ûOËw�Ó÷e—¯?\wóã͇Õåo«.nVþ$ÃÓjeðÿ¼øõ75+àÐ?\¨Àd©��àC:ËÂÙî"²&°‘1Ž²½X^üÝ3ŒÒÒ)íY“6
“	õ…z¦£ÀDq8ÒŸÍ‚0MBÒ
-
-jP
-Îþ\ç»j-g'Žm'
-¨×›æ 
-Èëü©Ü•u‡
-€mÂÁ-©Ù€´ ñÿööÜ€
ÕfAÀVÆfóªî—:�7Åq]¶<Ü÷ûæÐñÇ#n…3ïß¿e
-ðÓWÐM“yáäD:0Jç$%NÏEJÙy)ánc“Í?µUý$«6•lûXæÝ‘„)ñ0(¾ÖAf-«'ßn›S+ÇÔƒc˜óqTÊ0 ÞXñ¬®�=a§/e¹Ç^Òçë/Ll¹]oòú‰”‚ã²b}¨ºj�oùlyyó–g|)Ÿ[¦žªnÓ;þÈëg¯KŒH¬Sèt›’Çš}yÈ;OnH
‹8FïJÆzØå_J¾|/~ |DlêÏJ…OGàW55‘²-ÛÀkÏ3d+IƒLÛÞ
--vȾ›o«˜á�!³û²m¶_ËôŅqë�y­.³pŽrE½\—zî.™è97_yå}€Ä³d¯EhøpäØ–L ›D
-Ú$÷hír0møßï‚¼‰‘M è
-	z »�€tG¯.ž0ÔcëU•O™kDF9se×(d</§à¿:4¹íòι‘Ñj~[ƒ%í÷œ?�Ù‘=�_‘Eä2ú vóØë‚» Ÿ3àŒTèP%³8L
-Zµ¼‚Ì^õØ
Mè?ºŽç+ £c×nÓj'£¢7^A8aQƒPÞd
-
-ÇØwˆœ
1:pwCâê<m·ß–pPT[è$�Î¥p¹)6cçAf±¾6_„AÊ—L»9N…¸ÙùrÎç·ÛRÖ5 R
:äÒL™ª+0�í³ �¶,<0‘éM‚[:d$eÞV%¹=8Ø)f*ãØñ6GÕáXΔ�CkgŽ*cÖÊÍOÀ�vÌ‘‘Ke¹Vwù¡“
8	ÀÂÄA•!¼
-ŒÖŽóð1já¼Î+
�
êºO¨¼�qÆ-ù
ù,ˆ›óˆ6ÎâvœgRˆgìý_�&žÔ‡†{&ƒ¬€G8'Ï) J’;í¤›ðR.vØ^¬ZJ´´ª¯ÞÈ> #÷OÃÊ…ÒòÑ”©
¾Côj@•Þ(U`Í~äìÉPä†ÓF£$…
-{öFç¦5”
-üB¢‡9#PÊa3@m RæÏÝJæIÜ™•åû}™(q¶È(ïFB
-†O¨´.9·�¡Lzâg'ðnºh$õ©P%,£•u™-¡A_6á¸{èENÏL¼8+û’ˆÒÍ¿oN¥PýR_/6"?
‡='Šë’å²òp5q¸avèrÃþÁc
-endobj
-1490 0 obj <<
-/Type /Page
-/Contents 1491 0 R
-/Resources 1489 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1451 0 R
-/Annots [ 1495 0 R ]
->> endobj
-1495 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [408.1244 623.7385 469.3244 635.7981]
-/Subtype /Link
-/A << /S /GoTo /D (managed-keys) >>
->> endobj
-1492 0 obj <<
-/D [1490 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-274 0 obj <<
-/D [1490 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1493 0 obj <<
-/D [1490 0 R /XYZ 85.0394 744.1913 null]
->> endobj
-278 0 obj <<
-/D [1490 0 R /XYZ 85.0394 684.3648 null]
->> endobj
-1494 0 obj <<
-/D [1490 0 R /XYZ 85.0394 655.3895 null]
->> endobj
-282 0 obj <<
-/D [1490 0 R /XYZ 85.0394 606.8822 null]
->> endobj
-1496 0 obj <<
-/D [1490 0 R /XYZ 85.0394 580.8718 null]
->> endobj
-1489 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1500 0 obj <<
-/Length 2887      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]oÛ8ò=¿ÂÀPˆQÔgï)›f¯Ùîµ¹:½Ãa»´Lۺʒ+ÉqÝ_3œ¡$;Jv�"@4‡œá|ÒbâÁŸ˜„‘¥~:‰ÓÀ
=N²í…7YÃÜ?.ÓÌ,ÑlHõóÃÅÕ/2ž¤nùÑäa5à•¸^’ˆÉÃòw'p…p§ÀÂsîßÝ̧3?ôœŸ„ à³z7§2vþ{ÿ0‰óáÝàxvþéþþƒ™}˜ÂÞ¡ïܼ½¾¸ýHÓ
ó½~ó啕~sû†¦Þ¼ç�~¹½žÆ�óðéãí|úÇï·�\CÙ…'Q¨¯¿ÿáM– ‚_/<W¦I89ÀÀsEšú“íEJ7¤´˜âb~ñ¯Žá`Ö,Õ¥ð\_Fþˆ2}1�+˜j3L]?‰ýN›Ó™ð¼çµYwmõ%ïµØìw»ªnQzØÃ\˜7™ù©+ã04Ì™cà3G
-Õ®ªz;£a^.õNÿ²%Äõý
@DÛ´Sál4ÁYU¶fê@éP0¶4IYÕŠ°áSè«Y-:Û×y{¤Ñ¶Zîs8ÖãÛù?›^‡ 
U»Ñ5�Y¯£ž�ªÍ`©óL7nw´Ä
¼(6Gûùî=Zj;)~"'ohø¥¬%¡ÚŠP‡ªþB˜CÞn×*Bá1_Og2
-ãðÙ7Æ
ú
-|(u69³±_EŸ†ó˜ÙØù¢Võ‘·\à=£¤À"lÇœœèÕØÍ`ÆØl�Vm-]z\ */[]¯T¦	o.Ðdw€0
	1çiå‰2: 3f	dËc©¶y¦Œ«áDQ©%Ê„“Æõ~
-*s½ïŠÔœ¹wãÔÝMgUMÚÈìÊM•gÚÖ_Ö%±n+Ÿ»‘s³}ý\›„¡5ôr‹4¤2U½é=�Û£
/TÁgOÄç›ÆÀO$þË›Z¢§›žÔ‰pÃ4
O7ýÔ°"^Q*�q¡â�0u6f%°úWDÈ¥éΔñPlì�mÔ£&Üx¹}^xáYážÆüK[Rƒ%�DnÕpñGÍ€àb0\쪫cMÎîB+ÐdŠŒ`�sq‰ñO@R¬á¶(É.cœ 	4¶cy˜wÎ,ð”#ÆoË¡QsÒ�âðÏÌm@õ‚¹Yª?5·—6íÍí|ÓqsnJæÇΫ&_—³ª,ŽhVq×Ôı5+À±Y
®·!@/5.6ê‡)sU€]íËŒM°»:ßB
dê8˜4fhÓíu¬bn+€ o+
-ÛrTHåiÍV
-R[dEuq‡)ÏMÝ„@.d#G¸žë1®0dPÊùqŸûþŽã´÷Ö‘U�Þ©šÌFV:>!™pÔê<³“l OC¡3ˆ åÄÕ³}®×YIÃ芾+¨Ÿ«Ã4õMã
!÷ÀäÆ	´éÀPúZO¶hÔVSë
_LÞÕ’›îw½®Ë01{£Ög3¼Ån{é_zx>Ôna0þðۦ•qò/Zç
/íŠSV}i! ß@7Hòƒ7®È‡Õ"šøaàF�G/Èï/Za$žJn(>Lg‘ÀçüÈwnÏ<½Ø�'¾Cå ÍÖ“¯Ðb�¦’ˆ°µW�A\ÝmýÉ›
-šd²ŒgCÎF¨hX¹¤‰T°¿„FºÊ
-%Ì¢fÀXªå[Ž¾Î+[M¥‡™5”!?Ó@š9äÒ%>´×ÕT„¿³˜wYšØï–ÊT´ˆ4=áÍ|!×ø`í4*ª4‰Ÿfzïµ5oRëÑ÷A#'å‘äfNBY0`Žé”SèõöÛæ$ÈßÚFft|í`:p^#º�¸²Î@³NÃŒ‰0“AÉU ðyâ®A„?À¤Édà?æbèÌa
-uù¬ÿ¡èÇÀ©×z©ÇksK&
-endobj
-1499 0 obj <<
-/Type /Page
-/Contents 1500 0 R
-/Resources 1498 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
->> endobj
-1501 0 obj <<
-/D [1499 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-286 0 obj <<
-/D [1499 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1502 0 obj <<
-/D [1499 0 R /XYZ 56.6929 744.5025 null]
->> endobj
-290 0 obj <<
-/D [1499 0 R /XYZ 56.6929 659.1833 null]
->> endobj
-1503 0 obj <<
-/D [1499 0 R /XYZ 56.6929 628.6281 null]
->> endobj
-1498 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F14 976 0 R /F62 1379 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1507 0 obj <<
-/Length 2097      
-/Filter /FlateDecode
->>
-stream
-xÚ¥X[oã¶~ϯЬDoº´Ù$»M·'›³ñž¢èöA–i[ˆ,y-9‰ûëÏ�CÊ’£´iF¢g8ä¿¹PÌ£ðc^*RéÅ©$!e¡—¯O¨·Þûfe'ô¥ÞNOÎÞ‰ØKIñÈ›.zºB“„yÓùoþÅ�ç·Ó«O“€‡Ô—d„õÏ/ÿ7aŒùç7W—Ⱥ¼¹CâÝÕù$–þôó§+‰Ó�Ã4ÆìÌÛVî;Æ�øBCzñi"bÿ×Ûé„%þÇ×0f¹wŸoo?îtòûô§“«igWßvF…6êëÉo¿So.øé„‘&¡÷/”°4åÞúD†‚„R7RžÜ�ü·SØãš©c¾EB„Ç#ΔlÌ™2&Q£3ÿ5	"Jý6Û"ñÇÓ‰z£ª¦)JR’4ÈòmïÙ;Î{Z©J8�ºóͦܣ›Ú•Bb“µù
-ÉÅV{³^I¼½¾±g–âÈ©Re�ú7®9°d¸¦5Á.£É`Ã,13Ǿ0!µn/f$àG@D†ÜèüefE5OÏàÿÙæ>o;*
-pÍ@	F¢4J_…ÆIš†r`ogE‚(œGA—%ÝŒ¡ªCä…¡ŠFXàX;,¼”’˜AÄE,!·Üô
-Ÿ²õ¦T
øˆSî?Z©|U×�¥ÛŸôðÅ
ëÈ€¼Ûº¼k¶zˆŒÙòË$å¾-*�…�1P»F¹‚S4HnDÍÊJæu¥c}¹sž8*SÄ&Âãª$	—6¯˜~`…RòvWXähÝÁ˜ªXo�
-âùÕ-Ô^‡¸¡Ýn.ªÝÓx%æ!‘"²8ÕÊç¨0ß)ÓƒÚú™ácU,Wºpk±Få�Ùšw¯öH4m½Í–
-¥æê¡ÈÕ©N1P'w-Š @5ß
-Hqh0;Ïx(ìö?ËfÆA Ñ
-–`’Ñ,¿@Ù´r:æbçÀMi’±&õ™êçQ9ƒ-¿º¿Ì7¶Ï4ÓÉû‹(„“¦&@„ÈY@ÿÙ9�Øÿª�žZYß�Ìwƒúä‘ʲ¢Lr›C`³ŠØI>fÆ@CK«uë“ö1xôz�ã==©Ë|ð¢»èJ°Ç`˜‰Š#yPÜ-ÏmŒ‘;—Ž+•«¦AkC¬.1Â&Ü)føèìp0·�3³³
xûüÁZp»\uNfºÍ®�XšÑyÞ*Kt×é‘Š~†>Yw‡ùº+�hÜ<|Íæ�ÕÔÔø_ïšv`ˆµbs˜J^�ÙñûÏȉØ	ä좮Ô=…¥>Ï`©*µ-ríGs­Zw”ÞìèWª ØÜ3€�ªl­~øËHjì¶ËúÊ¥Î}?tIñ¥IݶjQ<¯=”�³ ·]´æ eØk
-áÅ@+…¦Qò%ípÝŒ©ä}åf^«
-ÚÝL3Am�£X¨»› í²±ËÚÌÙ£o/Â4�}åVKkbYá
-Ø?Z¾ëAÁ=P3GkÛn3<@i_‹µ«
‹¬iUçßÌz1«l¦‡ñ¨4t‡0ìöšUæ®83×ânƒþFØé›Ñºv]ß‹º¾jP’²þ-hØYcÀ¼<%Ñ�ël<ÿÏedýán‘ß\ÉÆ>½	
:1öµ”v߸¾ùÛìá«‚Œ!Ç%|<u‘„§±Û”6J<ûŽÒ}Ä}¾õÿã}Ó{endstream
-endobj
-1506 0 obj <<
-/Type /Page
-/Contents 1507 0 R
-/Resources 1505 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
->> endobj
-1508 0 obj <<
-/D [1506 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-294 0 obj <<
-/D [1506 0 R /XYZ 85.0394 491.3865 null]
->> endobj
-1509 0 obj <<
-/D [1506 0 R /XYZ 85.0394 466.1094 null]
->> endobj
-298 0 obj <<
-/D [1506 0 R /XYZ 85.0394 166.668 null]
->> endobj
-1510 0 obj <<
-/D [1506 0 R /XYZ 85.0394 141.3909 null]
->> endobj
-1505 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F62 1379 0 R /F21 950 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1513 0 obj <<
-/Length 2160      
-/Filter /FlateDecode
->>
-stream
-xÚ½X{oÛ8ÿ?ŸÂØ[`e ¢ùõ(ÐÒ4¹íî^“­Ým±�m9ÖE–|’'÷éo†CÚ’«¤»·À!LÍ�Ãá<~œ¡qø#²0‘É(J¦¹Ð£ÅæŒ�î€÷·3açøn’ß�õfv6¹VÑ(aI(ÃÑlÕ‘3Çb4[~ò&ƒîÝþ|9ûRsï/BÐà3×üòÃXEÞ?ogc{7?¿šåN?ÞÞÞîl{ké]þxq;»ú@ìÀʽxû�±»xyõ–XoßÛ�®¯.ÆQàÍ>~¸šŽ¿Ì~:»šÎÕ=»à
-õï³O_øh	&øéŒ3•Äz´‡ÎD’ÈÑæ,Њé@)G)Φg¿v¸fé -gR…rÀ˜�2¦NX¨¤2Æü~쇜{lrY•«ünWgDhª"­ó&üÇ8ü
~b|*Àc�"Á"Ûƒ3­¥‘æûÛ{!ü"Ÿ—é&{=Ù5õ>&a€?ÛûE³›êD²*Ò‡ª~½¨Ÿ¶m始EVduÚVõs«…[]g«üñõ¤Ú¶ÚõÀ¹“k);ñÝX7¢å>׸º:¥%ýyÞÒx¾Ë‹å9�wMfcNÊÀͶBŠ•Q.ip0F×Ì„¦;FÌ¡c£ÇŪͬ‹ªü̹ßäå�ݺÇÞ®´gê:YpθV䡘MzŸ
œ\FN‘°“PÅ
I	S:
-º‚ÌÖmÖ´"ÅÆv:è‹5b0x
-l9Ò*d
W¿«n�,‰ãx¸jðý®HSôðRÈ
-=¾‘Ž1
ø’0È°ªniº�•ßÐ=…ìé*ÿ¢°ÅÚZßñWC–óïˆÿWúù¾»åKg:1Ïdž—N¨3$f•ßV÷HáŽÑU{B
-±~€Õ9ªÄ+šŒ23Ð#(U�b
-K$„½»p�–OíšðHp«6�›ü®*^d‰@ܤÝ�¡V2ôö͆À¨ÜtÑñ”áãa $¡Â
-œØ„ê8š»
-màHÙ@æ:ò¤Ûw¸”Ũi
-Ÿ³„ÅÍ3a=بy¹{´MŠ�¨m»®³tù?ô+'�}Z­³óèô-s~³Ùù3íÊïkMÊ`àWAü�†!`	]W1ÐÝ<#]	þ±&"élC…�/AK�÷]¯@¸¡d•	+8X§–„qÚÒ°sK×3Š’ñ³F	5“±Š\ƒ´Ý6¢$#+ïòÒnDN8�€6+±èY
W˜<‡_ë2YH^§Vaz×@©¾R³ÛšË�Ì‘(&¹ˆOz†áIAqWm¶9•:JSMo¨5ÁÁ¢…¨Äç
óÚØ:fT»vk V5P
K¢›2J!º‰+"´nåªÂ2’€	è�”¦äDT\fØôX•ÕÆ.ÕGœÈŽzþ´C¥@±Xòè«î�ÜAO>˜ydK[âÀyÏ\9Ö®”¥°ׂd¯ëÏNsqh÷›úÿ©'ÝkôÝyù#
-¿Ï[DŠ8>"Eül.kèÞeæ.sÚâØæ„ûC™. à„Lï§:´a¢Ñ´	16…�¶pÉn[ú0eÌ;•»¥¯íÀ¾
-ÆîUz>Ð
êPÏl"¼w++ÃÊ´74 KÈté~«]WÌ.íoã~wà�¦Yí
-›Z€óC¯dŽb S�\i�S
D�ˆ Ð�…C OÖÏ®_¢Ï/†…u�Ã
Õ€i	W}EC¨Ðe2Ú7 u�ãœ;
-Üç0TIE'H8¿SŸè®#¦@Á\Â÷‚CcG£›•Ò×~S-s„Tƒ}¡>> áG³ËÛŒVƒ¿¶¹TŠéÈ]ræB&ÓR±Pë /^Ö:�ÃëÞsØÐC±Ò, æìôYþí^úùøÚ  âX7ƒ2‚¸ˆAˆU
-Wò+ÍÝkóתÿ
-ú*sendstream
-endobj
-1512 0 obj <<
-/Type /Page
-/Contents 1513 0 R
-/Resources 1511 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
->> endobj
-1514 0 obj <<
-/D [1512 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-302 0 obj <<
-/D [1512 0 R /XYZ 56.6929 655.8524 null]
->> endobj
-1515 0 obj <<
-/D [1512 0 R /XYZ 56.6929 630.3608 null]
->> endobj
-1511 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1518 0 obj <<
-/Length 1877      
-/Filter /FlateDecode
->>
-stream
-xÚÝXÝoã6÷_a´}��•LŠúâ
û�õ&mº½$]{{-º}�e9Vc‰®%'ëÿþf8¤,+Jo¯=ÐÆH
ÉùâÌ�Cò1ƒ'¡Ç„Ʊ¼�ñpœ•#6¾‡±¯GÜÌqí$·;ëÍb4½ñXz2ò£ñbÝá•x,Iøx±úÙ™}sq·¸|?qý�9�7qÈ9o˜pÎ�‹›Ùå[z{3§ÎÕåÅ$œÅ‡÷—@‰eèÃ2ÎÍÊ»w33ïKΩó‘…lö~"b移ń'Îí»k ™Ñù‡»»[=º˜ü²øvt¹híêÚΙ@£~ýü¯Àߎ˜'dŽŸàƒy\J\Ž‚Pxa „¥lGóÑ÷-ÃΨ^:äËP$^˜øñ€3}>;eúgÞ¥	_hojOø—3Æœ7‡b»*ª{2ôÍõ�q¥¤æ©h6ÔC§¡»À~�âw¶Œ�a‚N–šý¿6yÌ¥p–-oü"ÞØ“¯€%�f“a«²´)”Y¦ÖÔšáÀÉu£JÙ54t»Ë«ùü;³ºXîÓý‘>J˜k¤æõ.ÏŠ�ŒùùŠ�Ejøª
-é÷‡=îxîÛø¹m|‰¤ã:�çÍZ/{p­öÔù®¨Ÿú^Õ6bçâòŽ:ïòã.ßÿž›I•ÅDúŽ¢5Û¢zx‘ó@´ï´Áê±X�$È“Wv	9"]ÕD gboi˜åUºÜ¢#ñ£¨z¢ž¯#@ûÕçµ<I}½†V=.Œz@j7©ä? 6v¹
-†Œ«4±¨‰–ödDÕl�4¤*ÛKÓbL¸cx¥µiiµðÝeÑiYT¨Bà†/çzM³žìb’d¦Û`·Æê,$üÂÈ<D)‚GN�$mTÝ€û…ð5[&¯ã Ú²ül¹UIZ*‘—G3kE9‡´�¾¸¥ð±¥ÑFÑH>Ø�³�©&aMD«scg!�^Æh¶göúÚÞL•eZ­Úà´©ôS‹yA$#½æ«‰AJe+j=o
-°’CìÍTo
-ê¬P&'Âlöú‹û,£4ûÓu)l]p
-n¤~ä‚”� «Bœo™ëb*¹
-€¦®·¯§à›éî!«9Ÿê}�CO?³–¦÷—N!ºñŸ(^­PÇmU
-b�qÙÅÿ�`Ï\mÓ}Q¿ˆóÙuÀ,ö·ÃžÿKàµq÷)Ýg›×i¹Š‚Ï‹¿˜{±àƒ!ô_†
-?sQ0vÝ]v­&]÷`eteã(¥¦…Iëf³‰ª´TðˆÆ‹Œ>Ñ)ÉŒcpÌÓõÕÙÑh‰f!Àz`c‰ån›ˆR>œåéRikü¨”¡>©ý$B,ÎQˆ\¦Gb°I
ç”áO->kªÑ»hò¬éh•FQ—i“m¼¡H¹mc;ŽŒÔØJ�¹•
-½¢Ê”9±2:±€xV² �¢:»Tç’µ'³A
-Ä€²ü‰SÆ<eºù~±nr㼬ëi“âûIâöÚã¿·}œá­#H@aéC> 
-ó
 :<)Ðr8&žs„ˆ(ép7
-!M£v…´*4ïUÓäV„2Üò¦'s~{µ09Õ½	‡Ü÷âˆÃýSßIÿsî¾'“$¾	»-G·Ë’®¹g[À!�)O’õ£ÁíÍíD
-6ð?VUÅ„Ô(&<¶‡U^1%bYTE™n‰¦7©xgFB£E™®‚;RÚ䆨q¨°�¯ˆDRÌÍ¥Ÿ£Ûfšû�ï!JžÛI/‘ør¡g“|éÀÜV�„¬�N•?ÑÞÈÄâÛ@ØP-¦‚‘”ººÄðG*Y
DmÅ
-endobj
-1517 0 obj <<
-/Type /Page
-/Contents 1518 0 R
-/Resources 1516 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
->> endobj
-1519 0 obj <<
-/D [1517 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-306 0 obj <<
-/D [1517 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1520 0 obj <<
-/D [1517 0 R /XYZ 85.0394 749.1709 null]
->> endobj
-310 0 obj <<
-/D [1517 0 R /XYZ 85.0394 714.4776 null]
->> endobj
-1521 0 obj <<
-/D [1517 0 R /XYZ 85.0394 688.8412 null]
->> endobj
-314 0 obj <<
-/D [1517 0 R /XYZ 85.0394 535.7123 null]
->> endobj
-1522 0 obj <<
-/D [1517 0 R /XYZ 85.0394 507.2665 null]
->> endobj
-318 0 obj <<
-/D [1517 0 R /XYZ 85.0394 332.8138 null]
->> endobj
-1523 0 obj <<
-/D [1517 0 R /XYZ 85.0394 307.1774 null]
->> endobj
-322 0 obj <<
-/D [1517 0 R /XYZ 85.0394 163.8619 null]
->> endobj
-1524 0 obj <<
-/D [1517 0 R /XYZ 85.0394 138.0002 null]
->> endobj
-1516 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1527 0 obj <<
-/Length 2117      
-/Filter /FlateDecode
->>
-stream
-xÚ­XmoÛHþž_aàXùP)šÑ{€ý�6î5›^ëMÜ]m±�­q¬‹,ù,Ù©{¸ÿ~ä�#˶úìÁÄáÌpHù�c1pá'A脉LQâ;�+‚Ályæîaîg‚×Øf‘Ý]õ|rvþÒ‹‰“„2LæY±ãƱL²–ïáA„k�o^Ü
m¸Öß„ ⣸/n‡^d½O†"¶ÞÞ\�gïÞ�ÇoõìdgÒzñêr<ÝÒ´Ïr/¯~
-!¬Ë7/FW4uõ†Oz9ºF¾5yw;º~šüz6š´vum®‡FýûìÃ'w��~=s/‰ƒÁ#\G$‰,ÏüÀsßó§8»;û­Ø™Õ[{})\Gz¡ìq¦”}Î'ô¤§�ù˜ÅÐöbaM7yÑ’‰fÁ“«5º´Úæ™ZÇ�­€BÍyÛ¦ÌÔGו¥ÊÀ±‘ëYïju$Ñ^Ò·Z5yU2½&‰í"¼g¸à#oûAàD¾Û±èü-�$Žã~oÛ­D»+òÔ•~;‘L¢C_Žoßþ~}±z‚,W:®ÆÂ5	©×¨r›“Ë¥*
-©mºÎÓi¡hÔTô­Wj–ÏwÌ\ðì*m‡ëöSÝË�ut܃2 ½´ZÌÁVÛN7³O(h×uá†òòþHð«»²˜®@ŠŒœ(¾–ò2_×Í3ÚðÈ—›šM¬›Õ‘ðõ0†@iò%�{=TÛúv¥Ê»»×4HËŒˆ<(òéÜ«jÎÒ’ˆ)*ª4SÙÙç‹Cû<áÄ2Öæý4´Áa–ú¼ªÖ
ѯ¯þ|}ýüöòöýŸãËÉ«_Î!†ÏW³ZˆóM½>‡£/~úÏѪÿö{²sÒ…:†˜j�6t0L™}9q£v+ºjô{è[yC9ZJ+-´ã€Sª™ªët½£aÃì}Œ…œ“HÕ,¥lÔZ̦¥õQJ™Îy©�¤YÌóB±�‹|¶Ðià†ÝTúnñ:<OZy9¯ÖK>é´Ò ãyœýÀc35=¯˜ØÔ<;ÝÑ—î7ê»GÖZ
‡¢a§Á±>­ëùÑql
È,V¶Uº'Z|?r‚0ˆÀb4ôœAÀpÙTÁ0NȨsB¶ñš”<7gŸÆˆH"G†PSH>'x¡/tívõwBøfô~<ºí	ã^õ¾ºdÙd¡ô½$Éi·HWÓÂœ˜ò.�H<B¨­¾7˜&�(u*àlZîˆhªª %Í"å­à”ÚðX, Ø3¢òrVl2d€ñÀ˜î5Q*Ûjw¯ÊÛC¸[í�œ
-Ärì	^ÀâŠl>æÇNEâ‰Â2U7ëjקtL¡/¿'Ï,ÈʺV3´u¾®–E:UE�Ð$pD,å�*ÉBëü¾üRõFuäCO’øOøõ	áöbs#Ø
-î‘rÑsBᇈDýçROÝÓ„F]¬ ÔTK¢ËÍrª˜êh¨®J¬¹ÏöeéÔ 	j­ÉeºTY�%žë$‰ò*‡,�à® ŽBÌo'ŽL½&ÒÂ8wMyƒ0/«GæÞ¦
¯ ZIYBðfMTΛ)m\í
-¿Ï¯ß\•L=Hí`z¸Xb™
QÞ…m]k	ºu[Ös×›&/òNúVVé2)=m,vCžÐyŽ“œç0iòÜç<‡I~ó
¥Ë6,bÏÑNæiôD¥8§YJ+Óúh+ìÐU£ÚŠÀë1e©ÏZ´SªæI
-endobj
-1526 0 obj <<
-/Type /Page
-/Contents 1527 0 R
-/Resources 1525 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
->> endobj
-1528 0 obj <<
-/D [1526 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-326 0 obj <<
-/D [1526 0 R /XYZ 56.6929 725.1329 null]
->> endobj
-1529 0 obj <<
-/D [1526 0 R /XYZ 56.6929 694.9784 null]
->> endobj
-1525 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1533 0 obj <<
-/Length 2294      
-/Filter /FlateDecode
->>
-stream
-xÚ¥YmoãÈ
þž_a N>¬�F¯Áµ@.ët÷ruÒØw@owq�åq,¬,yõâÔýõ%‡”,ÙêÞE>˜âp†Î�|8þÄ$ô,[Fî$ˆ\˳…7IvWöäÆþv%XÆl…̾Ô�Ë«ë{L"+ò²ÜôÖ
--;Åd¹þ`ܽ»}ZΞ§¦ãÙ†kMMÏ·�Û·¿N…Æíünö–†ÞÎDÜÏn§�k,yž
'ˆ<¦	Á3ŸîXîOBñÑöì»ç©Œ>-§"4Þ�G¿<==êÑåôÓò§«Ù²ÛWï–¸©/W>Ù“5¸à§+Û’QèM^áöD9“Ý•ëIËs¥l9ÙÕâêÝ‚½Q=uÌ—ž-/t‚gºbÌ™n`ùA@ÎüóÔômÛXçU¥ó³:¾¨œXê_ñnŸ)+W5nóúÞqz‹ÙSÚ–'<©—YnÓjjJûVÒ©0ÖŠ™™ª˜-M™ÖGü
-�zçħßÐx·ø;1À} oàNiÕÔ¼@š'ª“åU“vúJ±TV¼§(Y¤Ù­TY;–¨o*fl@ö‰;ƒ»yž£wv2؉|CoNÅU‘Wh˜iM#»˜EÐ'òŒ]AÂÄUüøhÛN’ªœç 
§U+Ux®öŽ€*¢Ð<Mhƒ‘Hs®·Ì /kaZñKÓ©‚…Ì*}ÉÓüe¸KºÅ^•q�¹…î†XÑkú¡ñï"WÝDÍÁƒÑ„vºã´c`ÐÉg™ZÓwÏðÕ·)ëÎÖ	¤‘nHâX4´àkZmyL»•»½Ê«¸nWÓî
-J#ó¢V7ôù~C¢yQÑTäT˜ÅÓmÃä\TìO6ƒ(
-‡0h‹P
-ì«ÌJòÍ%xÇf,=ÇWñª8¨A怃¹LÆuà´¨æ"áš"㺩ÊkÐyÝ×}y‘<IèºFÄc lº.oxÃÊ@í·ÌW$1W])(éËÖ~y¾c�èv,Û.UrK‡Óª,ÓõZµü#ýBæÄ/ÅiíǧÙ«ØÙ—5<t¤?q\pŠ÷Mo\ŽA�¿p™Ý‚foEýz5ÄyN`…Π•ÒO��ó{²V凔ÊY¾£B{9ÄejrÓê:ÂÄÁe:U¤óÖŽÒêYÂ}Xèksq
Ç*´�¡cŸµ�<çwè–7TeþB?í
-ÂqgUÑRú-IFÎá©!65Dò¤6_ögQžÔjÚ¢”Ñ�ËöÊ”‘§SÖ²�LQɪÆ^½Ú4GŠ5`å
-Ò�ë?IQ¡8aX¯Š
îí’ðéÙ¨ªÏ^�Úbõ¥a�ë!¦ë°4X¹ëžNÆÓ¥gáøÈÓ·Ýa�ÿû¡ýô	¸"2�ñ,$m.P´F¡›¥wny÷"iú
-endobj
-1532 0 obj <<
-/Type /Page
-/Contents 1533 0 R
-/Resources 1531 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
->> endobj
-1534 0 obj <<
-/D [1532 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-330 0 obj <<
-/D [1532 0 R /XYZ 85.0394 519.9229 null]
->> endobj
-1535 0 obj <<
-/D [1532 0 R /XYZ 85.0394 488.8874 null]
->> endobj
-334 0 obj <<
-/D [1532 0 R /XYZ 85.0394 326.6298 null]
->> endobj
-1536 0 obj <<
-/D [1532 0 R /XYZ 85.0394 298.4037 null]
->> endobj
-1531 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R /F11 1353 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1539 0 obj <<
-/Length 2424      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Y[Sä¶~çWø!UÇSÅ(ºY¶yc¯!•°`“‡lÌXÎzìٱ̈́üúÓ­–=cÈ©Z¨B-©ÕjõåSˈ€Ã¯"ÃL*Ó N5‹¸ˆ‚Õæ„÷0÷ñDxžeÏ´s½¹=ùñƒŠƒ”¥Fšàv=’•0ž$"¸Íÿ5’-@/®~3‹¥ŒxxóùêêÓõBÅá-
\\RûæâòQéb)„à*|ûÓùÕíûkÕ^Ôù»ß0ž_¾}ï¼»¼!âÃûóE¬ÃÛÏ×ïoÞþ|òþv8Êø¸ Ïñíä�?y�é>áL¥Iì¡Ã™HSlNt¤X¤•êGÊ“›“ÿG³néœùž¥N˜ ãÿÙÌ–¦‘žß–ËD±„ó²,ZÇA–'ûÇ¢Þ5F2Gñà])!XEݳ*&ˆ•dIœçÞßÑÂŽ3e‘ÑaMCHpÇq¾X^»¿àe#‹�–áÇ©‡`Ë80IÂb°*|+¤Bkå˜Æ´;ýÁ*nàÇ‹�
-ÞÕpÆ`tÌ^ðr,ÙÓÈQCìWÄ<f&–‘;ÃU™­Šê~±T2	ÛKÄO7¿þg

×P÷
-ƒ‰¢¢6óüv¡xøwK½/œËÒ3¶…—±ÉªÊîz×=Qggóne'
-4vÕ
³ˆÂ¢õ|Y¾D‹b€®ƒ<.dfU›ÝÃRiâ°^SÛ5î\Hfµp,FÔÇûÀ."ôR§ûvÿ�µD=-$ëÎ/„Û“zmMmîÛ;»ÆãÕ;¯Ðª®Ð4÷ý�@«£sš|ÚÚêææX“ù°õ
E[’Ùç!›F—6)“IšãXÿ¾ôÁD�Rùs€€ïKîãŒäq,)¡™ÒFŽ
×HÅbÄ•pÁ„œ#à>ö€Ûm·õ®¥Ž³ÛlYÜ'X^&�©rb=3�™±Yweù„¤�øpÒšÈÊ’Nˆ›$´UKœà}‹N®lîeÔ»MC2\@Â�ר*ÛX¢\ì ä<'��_”UùìÌaÉAHY×_»mÃæÒãÂ[f_8Ý�Êʦ&ªk¬¿£kŽv³

µž{“}õìß:»+úéýƒõFß-’°«*Ê:è×~<«¦»¬²mvWziÍSÓÚÍAù˜¥�îNù5¤Œ”
-­¹Ïœb9
ø#Ÿb/é=ã)5Þm�Ú

Ô•óPçðCtU“\0ßRq^xKÓJETn· ɳg­õ:8°B‚숻¬ýfv‡Ó¹¼'G›4\•„Ó²)rKÍÙÐY;S
-µW
-lÝì페A²îŒèyÏÉ‘ç0ÀW+»õyæ�€y³ƒíÖn;èÑÈ<å;:ôÏMŸN“ð<J�x” XxPn™~ÚÒÔ(UŒœìÊPœ!RLÃ0hŸmQWYI3_¤ÔUqi‹1!ÈÑéÀ$§QÂ(âÁøªt¾*�JµA5T±5,Ûm³˜V0ŠÔ3æõ¬DŽ€›)f<âzâwWÊpo]hÅj¡c
Q—ù(žLíq^?WWh
…m”ŽÔ-àâ®­Ä*Qª#m1�â8üä6uû£_À¨
©çðF½S€JiÂ;ÅYt¬>šþ®¨²Ýñ•Ù�-�?œYDÌY'òa¾€¥<è›(üZÕûŠH㥶M»ƒ ĬÄB>%X¸ëZ!Säë­(ô‰%¤$ªæ7x �€ÇZ¿÷ªÞlKÛZ¦hŠMQ¸u&ƒÅÈ3Ù‡ðŒöÕ&ü5«œfÛmY€+½‰a„‚q0±‘}ÜSµ&ên‰è*ðRÓz<î�Äá`’Nä!øaß¾-ýä Ñ†òמz“÷ÒÝ}<s,ân»Ð:u—'¶– 
ó»ÅšÚ{€a3ƒõ…gÝf»¶XueÖºÂLèå
¸"Ó •RC��A6ÑTA¸y4„ÜN,5„jHùÇÀÌ…7Å»Á¼@;ó6¯Ô£rBe÷Xؽï­=ê>Ø
pÉ=n‰Gjq,RVmGv>^ûBtê×Z;­¹UÄ™N ßà	ÌŒ†B5K“»{ÿj»=—þåxAÿ #ßT.Zàî³¢/ªÎ™dâÙ
-~È:ûw†€}JÑbâ�”%Iœ:µ~øt}ñ?>,c
-­€Eâ
Ø¡îÕíµ§ðá„Ãkˆa=ÃqvöNm÷�xá€øŸƒ™
-…ÈñÝÿÄ8|pÔ1SXRÍ–:ðÄRGõJ¹†y¦¹
-endobj
-1538 0 obj <<
-/Type /Page
-/Contents 1539 0 R
-/Resources 1537 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1545 0 R
-/Annots [ 1542 0 R ]
->> endobj
-1530 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/warning.pdf)
-/PTEX.PageNumber 1
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 31.00000000 31.00000000]
-/Resources <<
-/ProcSet [ /PDF ]
->>
-/Length 557
-/Filter [/FlateDecode]
->>
-stream
-xÚm”In1EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5oʯÅésÀó�ή¯�ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ùÆ [ÄIÚL’~”F ØPÈùYÌÀ¹�dˆÐzZ8å±Ýƒ²ÙËò‘–Œ€f¾Å(ÌÀ�E#@x˜oL Û¹[ƒ±ñðù
-ä
-6\>RgÈbÏWÖ¹j[†�›
-WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½�t•‹ùD„™Â²]°Ä(�‡;�„ ·åŽ°Š­r²ÂÙÄLûˆ
T¥Í¡誋ŠŽt’¹w_=Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^
m"	^�˜h±�ÎW9AVªy­Â©/f�ýÆ"•œãûFy-Sng	\Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&�Øíþ²C¶O–ÃVç X×9g¹E{îÇ<•ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ�_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
-endobj
-1542 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [349.4919 431.1147 408.4801 441.8991]
-/Subtype /Link
-/A << /S /GoTo /D (ipv6addresses) >>
->> endobj
-1540 0 obj <<
-/D [1538 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-338 0 obj <<
-/D [1538 0 R /XYZ 56.6929 640.7425 null]
->> endobj
-1541 0 obj <<
-/D [1538 0 R /XYZ 56.6929 609.2714 null]
->> endobj
-342 0 obj <<
-/D [1538 0 R /XYZ 56.6929 416.9256 null]
->> endobj
-1543 0 obj <<
-/D [1538 0 R /XYZ 56.6929 388.3459 null]
->> endobj
-346 0 obj <<
-/D [1538 0 R /XYZ 56.6929 261.2322 null]
->> endobj
-1544 0 obj <<
-/D [1538 0 R /XYZ 56.6929 232.6525 null]
->> endobj
-1537 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F62 1379 0 R /F21 950 0 R /F39 1173 0 R /F41 1233 0 R >>
-/XObject << /Im3 1530 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1549 0 obj <<
-/Length 1913      
-/Filter /FlateDecode
->>
-stream
-xÚ�XQ�Û8~ï¯È£h\K²-û±½Ù[tqW,º³O×{Ple"Ô¶²‘=¹ù÷GŠ’gœn ¦)Š¢Hê#e¶ÉàÇ6U‘f¢Î7²ÎÓ"cŦéße›gûõ2y!Ò"^VF·…¨Ò¢âr³½Vòéé݇r¶áYZ–¼Ø<íçµJY¥µÈëÍSûŸäuõéaË‹,)þûôMËSYI†Ó2X¢He�U~ÂÓA“ð§Ï_‰ªéñ/ó|Ïÿ‰ñU;Û½€ò¨•å©ÈK´–"•eFf){ز,Ë.úï«û“:½Ý|S§uÉË šWi)kA?ÔYrR­�T×½ÂBu™¨ã±3�B¦#ÎA½h¤d²Óz ^g†ïº%úlÆ�+b¸qÚuz`U2›GÉ</?Ô¦è¡u×sšéä­[&�_þ 	Múd´ÃÍávKë¢à~;£¥ý+zt¶Q‘�jfx¦—AõÁ�NŸÐ*™'é¬OB@Æ ¾Ï¿¿”[
«Û¡ÑHÉÄ£·Î¶Sƒ»ÇÑAŸi°±ý±Óÿ3ã+
€°¥‘ñ ‰5»cB÷ïHíÜû‡-¤sâ¦æ@•#™½í:{ö{@öÇ`XsPfpAth×¼òøåã¿�ýò*úÕúg‹‹qÁý<–‰3ýÔ�jÐvr4¡³öût¤Q»'x%'jžHŽò¬¶
;tÚ¥`WÆ!míô| ñÞºq©Î{‰+ç­ì⌎À˜�ü@-ÔÛݾŸÇ\­¢Qz9Ð[Ko6Ó­sfש˜>íèõΖY5^ÎKH"ŸêƒBªßK*ÂV{lÀM÷6ÚŒìF
D¨ÎY¢Bž¼˜6ÈÜ&ò0§
¤RP¦†³àwöÆ'çSʯ†m¿3ƒº(Ä@]�wWس§åqç5¿w^‹�2ÀUôþV¼UÒ�諃Å«d:Ê )‰@ žyà ÕR<N�Ó
Ø^?
ˆnšÄ‚¼qË
1¿!çÓ
39Kþ|ü}»SNû=ÔѼÑ6¶ƒLDCêäçùµ«üüån‘s­§ÐdE7Žž­q£š‘Æ÷4«§1ïS$ÈÔ t« ‹È~êB{lEâÚšôNiʳ”—¢
-¥‰‡ÒôuŽÊå¤,‹Ò#ÅõgjÄö rˆ�&‚à€qéR¹q)p
-q¿–D"­Y•
‘¹ÈjmËêÿ@CH®FlM‘e‡Hakâˆ4A~ŒJ
-í,7
>ßš§’ß&µšF;Ønn 1ûpݵÃÚ�Èuc0žº½¹§T?
-¯“�Ä�`ÄЖœè•
-H�g‘…žEÎJŸ°ÕËûkŽ½.{²úöúâ-Tšz§mØÀ"'©�3V‡+úJZ•ø�?Õ“²Û¦t¾¦¿
 �,çóýÃì(êTÊ¢ºîUÞýò4KŒ_E‘â÷Ƶ¯�Qd{‘¡O�‹“‘
ä
-endobj
-1548 0 obj <<
-/Type /Page
-/Contents 1549 0 R
-/Resources 1547 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1545 0 R
->> endobj
-1550 0 obj <<
-/D [1548 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-350 0 obj <<
-/D [1548 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1551 0 obj <<
-/D [1548 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-354 0 obj <<
-/D [1548 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-1552 0 obj <<
-/D [1548 0 R /XYZ 85.0394 544.8207 null]
->> endobj
-358 0 obj <<
-/D [1548 0 R /XYZ 85.0394 403.9445 null]
->> endobj
-1553 0 obj <<
-/D [1548 0 R /XYZ 85.0394 368.2811 null]
->> endobj
-1547 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1556 0 obj <<
-/Length 69        
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-1555 0 obj <<
-/Type /Page
-/Contents 1556 0 R
-/Resources 1554 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1545 0 R
->> endobj
-1557 0 obj <<
-/D [1555 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1554 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-1560 0 obj <<
-/Length 3198      
-/Filter /FlateDecode
->>
-stream
-xÚÍË’ã¶ñ>_¡K*šªŒ7�ÍiýØd}p{o¶«Â‘8#ÖJ¤,R;ž|}ºÑ
-ŸiÇð€ÏͶz¬Ïpª¹!�åTE€O� ³êÀí(NoÇjÂx�Ußkqä9êE.îF¿šØœY¨÷Úm†]Ì¥ÑÖô¡3Τâ�*ÐÌ­ƒŽ‘¯f|À8£<e\€Ú¢™'°)Ä
-=XdJdßPÞÙUÕ‰…š‚IzcèåöiB�G{ü)ÍGŠvŒéù©šï3bHô!Õ?V/X#
-q@ÏÉÉ
-»[ƒbä]Ža«”ç�±|4š�Ä­¸0^áZ×ÆJ}Èõû^¸áràj/+ì´næ«Ý¢Â‡bÚ†=ßLdN�ŸAo4V”3‘SY’Q@÷Å
Ô bœ�Qf¢»‡Ê´pû‰“<r[Uœ+üx[-ÈF!âuQç¸RÔ·¬Á5p!‹k�rac´	</ÚuY7'‘LyVx[ìa_ËÆÙe.šIHÌ•çöƒ¸e÷L†x&µ�þ¶» Æa—»~K[•ÚLŸ—u8`€áç:ìíÂ`Ø7†‘¸1©ãღ#h¾ýá'G2ÞÐØ#ÆCìT¿—ëYnË“¶'‘RgJBº+–Œñ…õU׳ýzñ
-Ög�M±	q^Pב"Ü*ïJ¬}9ÊôÅ9u•½Ma®¨«„¬ÖbP„sÉ
dKFè±2dw£CF:ñPïBFã!¤C‘Ÿ·(9˜p@Ê@èë‹òˆq6F™‰xT¨âTD_ZÈœW¡¸8öõëýGz<i=Ô°…¼¦BNƒñø¸ˆ=º†s/�ÞÎß�0^pw$Vóz]®®;¼¿‡ä‚6žq)�^i·¥‘ºé«'Ìaüs¹Ú…ÞðøÉþð…`¤1ô¦«6å¶ì	ÞÆÚ×åüÜ/�Rü‹ý‘êb:ÅÅ#¡.³©k @;“‚®�*kÌÌkå7V°
-*3ëÛk
-endobj
-1559 0 obj <<
-/Type /Page
-/Contents 1560 0 R
-/Resources 1558 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1545 0 R
-/Annots [ 1566 0 R ]
->> endobj
-1566 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [356.2946 363.7923 412.5133 376.6291]
-/Subtype /Link
-/A << /S /GoTo /D (address_match_lists) >>
->> endobj
-1561 0 obj <<
-/D [1559 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-362 0 obj <<
-/D [1559 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1562 0 obj <<
-/D [1559 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-366 0 obj <<
-/D [1559 0 R /XYZ 85.0394 479.565 null]
->> endobj
-1563 0 obj <<
-/D [1559 0 R /XYZ 85.0394 441.8891 null]
->> endobj
-1564 0 obj <<
-/D [1559 0 R /XYZ 85.0394 424.9629 null]
->> endobj
-1565 0 obj <<
-/D [1559 0 R /XYZ 85.0394 413.0077 null]
->> endobj
-1558 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1570 0 obj <<
-/Length 4323      
-/Filter /FlateDecode
->>
-stream
-xÚÍ;Ùrã8’ïõ~[¹£„Â}ìñÐÓëš©Ù™êÙnoìÃôD,-Ñ6£t¸Eª\ž¯ßL$@‘$¹×šˆ
GA
-4íÕ4fµP¿
dþÅ1µb…dƃ~?¥WlÌ«Ïè•~ÚÅôÊâq½2BïiSß7ß^§Y”âQ³(&«º{^o¾PgûTÏš_8—‘«`4r•ŠÌ{¨+„òÌk�õÊ!�”Ìã>/F¡â)8A�6zD£j>/i3©€qÁVÒ6P\ÁÂÞ¯‹5(‹çH
- 
j‹H
-¢L»¨ÚǤ¾0|°v,¢Q²?$ÉÖHË@Ò
-Ññi©#³ßž6ˆ¿�Z’``ã.uìDqòg°·{¬:j¡?“ûRcièyn‹¿›=¦iÕìË´äÉÔ]KgrOJjIoÕê…ÝãÎÆÐŽ¿Í5Øydôo
-Rˆ'ÍU¶rÂ(eÁø›p9ÊôÏ�F¡Û
&uL›²ºIìO»ˆq¶1ÀäOAwä¶ëä¶c÷²™­ëUKýÉ¡
!R‚)°à#iªWóduùÀm¨²%P'DhÇœ—’ œÄy=Èü‹£$!~îtnÍ+h}:!„#t0)zwëÕtU?T]óyÓò‰’Skh´YuõCLOÀ
-ç
ÄÉI渗oçãq:YàdL¯FU“§EA^?—öœ¡û<]Ÿ~Ãã\€œæ,íU	�0	Ô½Ø^{ˆgöª@
[íËKgì›6*I-äap�‰q�\YœAžbV	, ¹»g}‚©@Hp�¤3'‰™
¯Òr4¿@N"CœA–r
-�³r·òI¦Ñ†g>¬¹Rý/ØSÌÆ"ÊÅöÜC<³geaÏΆñžO2Ï |c¢&N?+lT”“'åF;Á¸äör[ï!žÙºot‰~Íqcš,¶ÛSzË-Z{­A*Ö©�¾¥Öj² DS»4¥v‹•=
ÊÔyyŠ9°h™C5ƒ{»WÞCœA–˜KÈyÚ«5Ì ºŒ•Üþ¸ò32ÍÎ0emط̨ìJë1Íé2‚åœ.6”*
-œi�¥ÑÕ÷&’:5w	q|£°5ºJ�qEØšsöKZÍìåÚ
-ae9•Bº˜À°wt1!þ`w1
_c˜±X“½‚•:é
!u3?£<Np}88W ãYÀlë›Õn†8‚,¨]eÁ
-ü�gIÚ5H=™Õ›“$ð'èÀeÝE²à R¥�	Ü¢nÕTàÁGŸŠ�o}ž_R¬‰ML4Ç’ŠFCƒ‘êè×˺-/Vf	.å
-D"è¾lQPœ2&bàGŠƒ‚E“·@ÄédÁꡤàýá~Ú	Õ)-H•è³©ê8¯A\)‰�+��ñÒ&¥Ã_r
-˜ œúîv¹ï¤šæ!åžjú¼]‚§2ÃÛ›vt;oKÆÎõãîJh¼à
-w	¹f‰!
-X1z}¦;g¯®d)±›JÚý&¬Ý¢ìt5ÎÆk'¹Ðb}Ò¯DkoÛmbFA÷#cã.R[ÏU[Ó³­îkš/Ñ“¡ÎŠ_ëMšÝï"±eZ{|Ý’jÉà¼B¾NøÏÓÛY³lÛhztØÕy#Ir_•,Ûs•¦åÂï=y„³šºÓ9õõbèjëÍ×x*8\¥Ìf^}\†èÀ?9U,†soÿ‘·ä N`
-;§¢N¡¡Š¸óú^£t¥§Ÿw±+=CˆÇ¯ôŒð#ã5D6
-t…U.†_ñ‚±ÖVt„àj]
-‰¹gÚ¨l�o(kth…gÚÊliÒYìûˆ‚ApzÚRŒï4E£ÑM¼¿íEü€iª@žOEÛàIÑ¢Ðm¶õ‘ëâJ©ƒZË8lgƇŒå}µh�Tꀗ3åªõ!–ðÔiÑ̲@¥ðöó	¤ù}ºr”<âÔèNÉ êqPYÌóþ&¿(O8½>Å[Þ4
-z_°<^„V—£ÎT‚˜P{
ÐQ:�÷ôžBò#ºLtèùî™P¥³¯�ñsÔƒoFyè?amÕךºbhûºíµâŪãšo S.uOo÷%öÙO»á7Ž»½O»ÿo¿ê“Sàoxf"jˆ¡E~~ði¸À̽Æoq|éûqÞý›¿Vß}˯S~p9aÏà{¬DZ#¬xi”|K/À<+ÛÏ þ¿x¯õendstream
-endobj
-1569 0 obj <<
-/Type /Page
-/Contents 1570 0 R
-/Resources 1568 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1545 0 R
->> endobj
-1571 0 obj <<
-/D [1569 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1568 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R /F48 1253 0 R /F11 1353 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1574 0 obj <<
-/Length 3057      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z_sÛ6÷§pŸ*_-„ À—¹‡4uZwÒ$—8sM'¥%Øâ˜"’²ã¹»ï~»ØHJ”ÜöF‹]ìb±ø-(yÀOž¦‘T¦O“L‹(�Ñéb}œÞBß�'’yæŽi>äúþêäÙ+•œf"‹Ãøôêf +AšÊӫ寳—?½xwuñþlFÁ,gó(fß_¾ù�(=^¾}óêòÇ�ï_œ%zvuùö
‘ß_¼ºxñæ异h/YÂ�
¯.__PëâõÅ/o®>œývõóÉÅ•7fh°Zòåä×ß‚Ó%ØýóI T–F§ð™eáéúDGJDZ)G)O>œüÓôÚ¡SŒT*¢4L&<ÊS)EEáÈ…Q&b*ëB´ZžÍe³ËecÚ–lü%ï+j¾.Ú®E[­Ä~M‚Óy‹ I¢¼°�U—¥QúȨœ”~^£¾Ï%¨:›Ç0þôØïþlJ³6³=G
Þʹ7$ÿú”„çÄ „ ÆoVÖ|G˜<0Íñ<xº¬ó'Ð>>QPl>çν–ñYiªÛnÅ,ÿ!3‘©0›qg‰Ÿ‹¥ã'Ûåç*_›ñ߇ì&úý¤äÄšÎýt"â(KKòÒþ`>AX]QW!yµ¤ÆÇ6¿5,6<¼èig2�Q´%j¶æhƒfi£
šá,'&¢ošb�7EùH¯ÛÖ,©ÕÕô\šÎ4ë¢2<x±ðâuÕYYuI„›º¡Æ=ˆ¬·¬¯5ͽáŽzcš-l!:T’Í®V°¸JÁx}“¥e[Sk{&g<ÅpVTôìVfÂçi
-{?†Mnå¡ý¦šƒk÷ݨ•²(aNôú¾4™‰(Ñ’yÚºéìÚïSZ„*uÂÚ.ïl<“½ÚK“æ8g=¬
-Z)‰^m»¢ÛvÎx¶2¯nÈ«K›²�t:Þ]�@‹œCêÚ¸Ðz¤F}CÏnÅ=7uYÖEuû÷Cy8Š"FizüàrÙ´)õÀK4S5�…óýÈdW)Xƒtr\«çÚW;Z@[ÇcµÎ7—ïØ7#GG”i.ßÝköXãØïc·Ý'ݤb
Ñü”›\GÜ丞vÓ1­7íª�vÓPí®›6ä$LZ_{?Ìõû³o©QÕ�ÝðG]é1ÕñS®pq•ãzÚUÇ´\µ«vÚUCµ9™nÏë²Î9´8¢–”ë
ç÷ëÇ~N¤È=ZK—{î(aîÎ#ƒ–ªÝ´sÈãÜ%uð„LJ\‡=ôøQ­½Ç÷ÔNz|¤Ö§/:·‡™ÍÅíÞ¶^÷X¬Ï”;+óPt«ck†Z¤‰ŽÜÙ±(§Ö’�„]ôG×&
„Vú©µpYÇõôÚÓ:X›]µÓk3TË»¡2p/ÿÌZ˜jQÖ­ã2Ëu“¡s¼ŸqŒ H‚ت»èV¥ø䃆=ùTÓ¸Íi@äå…VN�ÒäK8ûèÅ|]”ù:g@¦ðÄmî¨SÝïß|‹I
·¶Š¬A…¢êÑ—RÎ&ha|¶$íœÃø°2K©êÊiaGY/òrU·Ô!+W™ì*ÓµøBd�¦ð…·�t@&	Ìì—ºgBo˜s¶ã(÷ì@5b[°iÝŒ�k·nN…iÆ6JYšvÑ›öîAÜU¶á·Žð‚úu'dÅ\DÇ,-rÒb—•ã,î¶eâ:_š>—IœˆºŠ–Z-–a‹®XÐ_³Ø¾zm€ÓÑ`pN¬ë¢­€¡Á"Ø
-é¬-ª…™ZíÖ,¶MÑ14‡y[à§9¦Žé
j×µßçe±Ì	BêhÇ�¯·½ÐŠßRxìˆÈé�‘FÜCh=Ôv# h·“˜[�›ÊÙˆaðc	J'Ãد,–Œp3<‘(žm.h]@%ÇÆÖ'ŠnEEÉö–
ÆÒ²^lq­ldO…Ñ¿V½›’àq[€i÷ŽhÑvŽæ
-ë�4Ü…EÐS0Ç¢^ox#.‰b]�2ÄŸê�R
-Á€á�dÇ‘Ä¢­y|—ß¹)!K²þj²ÀÚÐLë¯P
-ÊZå�k1‰#¶pŸ (
-s¤\»aMjíòâ붂E§f>•O¬Ïxû
0˜›˜Îw
-l˜MôÆ'AŠ¿ÇqÙ„{ûÁZaß P"ÌGÊ–©D�i82:—T¡Ë�µ>¤[n¤,ÍÆTË–èŽýaeìL-±sòÙ‡@*Z¢\k?’h[ ÑçHrÙ
-ŽÛªÀS
-‰¿Ò
-„€Ø*YjøÓÐÓq½xùz¬Ê•�	¹Øjp '!Ø“
-°³cŠ$ØÎçîƒ�išd;qî®+rw«Q÷åiû½à­Œ+h=óàâCxÇ
þª`P‰8KBÿùÙ}|~Y¯û’hø'ƒcß›ù[¦v�
“ñ
•/-‰£K%WÒ
-ÂÛmãn}ãÔ†H‰— *–³«³�Ûa”4ÒΞ8·M65-m¾Á
%sßPÛŸÓ÷Þne¯( ›îõ Û^7Àó
¶bg˜Xðt(¤€ðòœŸß}wNy©n&¯W¦,ŸmLãoQÑœ_T$ð¯1_
Kÿ÷?pŸ1(ÀÒpús‚‚­ž†Yâ&…Ö软ˆþ¯:ûSÿ+/yÑendstream
-endobj
-1573 0 obj <<
-/Type /Page
-/Contents 1574 0 R
-/Resources 1572 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1545 0 R
->> endobj
-1575 0 obj <<
-/D [1573 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-370 0 obj <<
-/D [1573 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1567 0 obj <<
-/D [1573 0 R /XYZ 85.0394 752.0459 null]
->> endobj
-374 0 obj <<
-/D [1573 0 R /XYZ 85.0394 752.0459 null]
->> endobj
-1576 0 obj <<
-/D [1573 0 R /XYZ 85.0394 723.5337 null]
->> endobj
-378 0 obj <<
-/D [1573 0 R /XYZ 85.0394 642.6584 null]
->> endobj
-1577 0 obj <<
-/D [1573 0 R /XYZ 85.0394 613.9312 null]
->> endobj
-382 0 obj <<
-/D [1573 0 R /XYZ 85.0394 133.1977 null]
->> endobj
-1578 0 obj <<
-/D [1573 0 R /XYZ 85.0394 104.7573 null]
->> endobj
-1572 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F41 1233 0 R /F22 973 0 R /F14 976 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1581 0 obj <<
-/Length 1991      
-/Filter /FlateDecode
->>
-stream
-xÚÅXmsã¶þ®_Á™ûPébÁ
-Dűô›Ñb+ž¶]±íhà±ìVÔÙ­o÷ØPÏrUl‹eg¶-
œ¾¦þ_¸æmU´«hk‚ƒ>A\Ö¨Èfˆe¼>¥‹
-æR¦L¨N#2gYFÕªdl*ƒ
ZÎG�t90˜fí¤ Íb+8~Ã4ká|†¤&/+BªÞyØæ@Žñ|èU{#›ÕS;ßwS2x¹,*L‡‰M2˜�ãvÁ¦EèôIi›±Ï-âžšÅÒÆxÓ¶ÔR¶Pð¾Œö; EiúVÅ'ÇÛÔŽ¨š‡aÎ�v¡a3äH´�äË¢M±\
½>»úlBI+L6vK4†hik&KÁ]²D<J–_“„ŽÏþ“Ô2Òb‹ŸÝ«Îˆ)¼ØƒÓZm÷�O¨e>™Ú/ªÙ=¬ÜÜnÃm”¼/üBRÛlͧ²ÙµÏ£uä†!—æú=žèÃ@ñ;�CsQS:¯jvŽƒªÏG³béßÅmïa¸Žl6œ ˜J §qwj}®Lp‘!\y½[ßa³’ˇڭª?ž†NI2æ,‡îƒCQsà³Ænm܇#CøùpaQ´ûgP¼¸³'Ùç¿÷ûWÿ·õ?öúW/pú±ë¶Ì8KE"¾ê¾-$Ës­ÆïÛ°ÐL²4çê8Íã€åH?cjx×9ì°Ôép-—ýA\ ‘,†ÕG2IY,$Uú¿1¡p`„9:·¡ 8ÛÈé­ý¿�1½îi9½:´Há)x™”póKsk«è7°B.”Š-SH[í«ØŽÓëu½m@Ç(PÓÏCd«ftž1àùJ0¡娿τ‚݇”£øP0‘¶ÅEÑ-„ˆÖ¬ËeSá5
›˜þñÝŸ(
¨”Û„3ƒ¨£¤Cs7ïP@MxáäùêhyvXëìhKߧ™´kqàGÔì*,ãZÙD€—³‚šÿš	í
-2´èî‰]xBH&Žáì²¾‡��«/�vž�.ˆÀ`oFÐáÄ7]«¶»AÑE³3óÑR?E*É™Ìò,
-ýôe®�A¦ó|x·zY`îG“–©¹„b±JdøÊ%tîÌsÿLè^7ÎÇž.Kú¹Úëu±=R]3–¤yì£OB˜¹w rú<~HbìlËÖÖM`±…¾v›|=MÜ‹
-endobj
-1580 0 obj <<
-/Type /Page
-/Contents 1581 0 R
-/Resources 1579 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1588 0 R
->> endobj
-1582 0 obj <<
-/D [1580 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-386 0 obj <<
-/D [1580 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1583 0 obj <<
-/D [1580 0 R /XYZ 56.6929 749.9737 null]
->> endobj
-390 0 obj <<
-/D [1580 0 R /XYZ 56.6929 670.1208 null]
->> endobj
-1584 0 obj <<
-/D [1580 0 R /XYZ 56.6929 644.0935 null]
->> endobj
-394 0 obj <<
-/D [1580 0 R /XYZ 56.6929 176.1924 null]
->> endobj
-1585 0 obj <<
-/D [1580 0 R /XYZ 56.6929 144.3484 null]
->> endobj
-1586 0 obj <<
-/D [1580 0 R /XYZ 56.6929 85.5791 null]
->> endobj
-1587 0 obj <<
-/D [1580 0 R /XYZ 56.6929 73.6239 null]
->> endobj
-1579 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F41 1233 0 R /F22 973 0 R /F62 1379 0 R >>
-/XObject << /Im3 1530 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1591 0 obj <<
-/Length 2555      
-/Filter /FlateDecode
->>
-stream
-xÚÍZ_sã6ϧð[�™šÇÿ"Û§t7»—Înº—¤Om§£ØJ¬[YÊYò¦éÍ}÷J–ÙNwf'¦@¢
-Õ$óÔöZÎÈ;ªfž-i¸ª³š=vÃæ.F}�¼NËhO#lÒîH¼@dû
Û
/M¬uû'Z€ÊºªŠú9Ö›i4)­¯g"ÌӲ̊8ÝTô{�u:ŽŠ¿~ˆó,¾wc£ž3m•‰ï]–³éÀî$ô>bZ5y‘7ÇBˆñ;öô:¥?¶£<¨�Ã	a÷ÙxGN�—Ób5Ëö›12F¥ôƒç²Èv(®·£C)®=!Œ\Ö%Ìs¡ö)Ž+¦µ
-êøœ=ì×Y}—MsÔQP$\Šó Mˆ@�òª¤™�p¼�(yœIWàîe“O[n`¢P'«ÉP´Zævð…(ˆÃ«Ë³÷Û-ÖWÅ¡BÖß�k¬Ï÷å›xf”¤\ST··¨…šM%ãûyÚÐ#ܸΖ_B
-`™ö­ÍagÐÒ°íD¡COʪÉo†r¸L¢;^üæ·oœ¯8]ysoºÀÏâ‚ÒEu‡éóyѧ…³ʽßÕuŠØ*�.Q
-8DŒ|ZOº¢î…¢±¬°X¬ÊòRW#âæfü½Í´u¼±	N$P-G\±
L:¾MÖ}׳öôõ5*­™VÔFÚeVí@ÆZ® ûÌ&P¿¼,«†j}yìÆa==¿=¿¼<}Cc¸C£½­~Å壑œéöe£,ã	Ob:/
ú?W£!ƒÆ’žö´GÔÐ3
Jè™$¨×»†F«;š!8´ÉˆÒÖ„@¼x÷††ù£Õ†;aÓy›y:›¬ÒŽ>@_C_óÑ
-ŸtåçÖN
-Ö"¶«EÍÊR¦«²·Ãl—
Œó.¬mãÎC‹ÇŠv4�®Z<áh�φ�ëvÖE¶tiɬ·àÒÊ0! 8ÆwãÍ„EÁ97AÞe»¡xe´L‹4OÝÿ^¼mÑÌk¡»+�‰%I„!ôôßhÛ¨·ng3(÷ëßÃmÆï¡
-
�„GÌÔHøß÷C{Ðà96æsü ¹çƒÞÒÉË×0¸»
-Ô›JÙ  ¤l^¡©NA8‡›ù&’I
H]¬ê(ã:RÚ˜=#ò}Þ̇
-endobj
-1590 0 obj <<
-/Type /Page
-/Contents 1591 0 R
-/Resources 1589 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1588 0 R
->> endobj
-1592 0 obj <<
-/D [1590 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-398 0 obj <<
-/D [1590 0 R /XYZ 85.0394 433.214 null]
->> endobj
-1593 0 obj <<
-/D [1590 0 R /XYZ 85.0394 408.8744 null]
->> endobj
-402 0 obj <<
-/D [1590 0 R /XYZ 85.0394 340.1059 null]
->> endobj
-1594 0 obj <<
-/D [1590 0 R /XYZ 85.0394 309.992 null]
->> endobj
-1595 0 obj <<
-/D [1590 0 R /XYZ 85.0394 232.654 null]
->> endobj
-1596 0 obj <<
-/D [1590 0 R /XYZ 85.0394 220.6988 null]
->> endobj
-1589 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1599 0 obj <<
-/Length 4374      
-/Filter /FlateDecode
->>
-stream
-xÚ­[Ýsã¶÷_¡·ê:C|Àåéz¹K�i/é�3ÓN’ÉÐmqN"]‘Šã~üïÝÅ )A–;¾ñƒH
-nf‹Èü‰FÔMÕÓÓϹÊ}Ûý¯åjµ£—ÿ	¢Ð0ñ‚eZ
-åHüÑw!QXëÐ
¤}íg¹ow}¤=¼üâ,¤ÎÏ‹)åfÓ>„U,‡_dªêº_·e¿\ÿº©»Þwü×ÑÉ
ÒÎÏÕc”‚û�ÿ¾ý÷ë	Zg:7ÅeY6ù,OŽß7õï~Ýe¿öOÕnKOÍ~{Syá¶Mx7ßíÚýý¤y4É*Hœàúp•‹¤
i§�S5‰H“q£UTpùÿ¦ú9ÏyS÷uÛPKÙ¬èáÇ®¼«ü\ü´æ_¯«ÈÐ0ˆƒí*­aðÄ:Ž©I°cp4®˜…�¯ªåŒ�™yÜíׂ
톆,×eÓTßÝ·ÔzSÑﾫVÔsóH-Ýc3P[¹ÚÖ
lÙ®ìÛ]Gý�Ât"$MËœÁþdà6õtSZгÒË°Ðóö�ûÈ54嶢¦®ÚýŠ®5Ù8ʯó}“Iñ³auØíEA]´4|Â¥…ÉŽ7Bä ¹d^»fµLìq»ö}½©ûG"�!Æ?Ჟج<WÐïä"¸Í„dfj'Q›ˆ÷~WW¿UÔÒ´Í⛟ÆÝÝ~Ó{=½%Al½RúOHŒð4cð ÿÖ¸Yß4	I0î®0~�ι‚Á£a|¬·qCxT7|1óº£Æ’^¯ßþ@ï]»üŒžŸÑ%TMÝÜјÒ7“b@Cw_-k4AØÍ„Éb›
-,߆^!m–çFÌç™IŸ|9¬Ð˜tè]DŠ‹1ÉWGj¥`“­fÃÌÈ¡1	íbYnƒr9y¾4|k˜8)©
-GWÛ{÷[wÝÞ÷0Ü9x„Ã4tLr5 WGé›ûo½	8_Æró8øöDV!%<G‹¢¢AÂkXܼ`0˜$3EHyû¼:é9u!ƒ©CV¸wщ°`vÅ
"N\ÆÛqÈäJP£¸÷DÐ0÷ØÁ=’-èÁ*BÝSŒ‡×›Ò+-'4‹ÔÓY°s�a×}åHƒð˜é™|Ä
-€d/Öà@q1&™Ð`®!¿ˆÃ�MWæ963Ìî¤ø‚LŠg˜”9‡øØy¤+µ$ÌLf ´vˆ�6ñz]{ _|²˜wõö~ã7ùê‡`•9†iv°xVFÏ…ÞwƒNÔ¥yŠBîסœò˜BßR�BóAé�Ð7(uQä oXg\¼}Š‹1ÉúæY!-fvŽw•F"BŒ_Eµq¥/žÖ®´a°÷ܲ3†!`÷/&ƒHñŒ„�c‡2H†Æ@Á—c2P<ǤÆÚ0ú�1“§R¯"BÏ‘slp×´ô¾
-q	‚½–JLk*)5KÉã6ºJfÂwóLV¤K*z\R)|IESIEÏüpõwêXµÛ²n¨u¨¯èi}¥ðõŠzR\p#¨4Œ]�œ[�‡ï\z„$çó7�[€*`5ò°üçb‹)BÒW,åÓÅâ€hp…;ÿUÊE°Œ"l™+d'q¹Éc…è2AG
6‰µW÷>¦" CæöÉ0
ÞC3ÆP¥<𭎹IŒÓ Ézþ¡í½t\ÐtRÚú–ûMÙƒSÞv$2ÄûŸöÍ÷Ÿ¨×s„Ù
xT¸‰ô?µ›
-0·‰/vÀ�âbL2á€
€zž-{62ÁL
 :U
-°€VJ\’„‘£â3¼
-:õÆöº÷üɈAýØ»s£‹´Øõú5¥›_54¤wì[–]uIð9Ò,7]KãÖî$ÆÈSàIÙŒÊ<ë†�1�¯aà"BêcÑLóåí7¦Nr~³÷«¶réª�oZ—îôžÊ”Ês,({¦( /ŠP�rŒ”¦A¦†Ùg
Ò=1U4d¯	Ü{®]@â¨åÊ·¬ý2\‹/C*+]”v_�n2p9Ü#á�<K,¡œt¸4q>Q€+7ãk™Ç
‡ñ'ÇMR¬HžuøUÕ'=K1.ËbÞDÎ/­íø­J¢(T�¨o�CƒÊÝbŽsL¿à°z4îÁe=:?H’ñ’Nf­zò±-tÞìëM�~:£Ë:áÀû–¤Ÿ%Eß<(Þ„o:š.ôAbù´”!5Q<¸k—áÈÌ÷Aìf¬k0‡ˆ(‰/P>w¸0¼õµ(S‡ÒXµzêââê¼8>8Hì5l	žj?GoŠ¡V}ÛÇD¯Kê=ÈÓŸxSñÃBSWMξáaW6]¸[f,¥…ÐNÕOpdÐåwžÌ¥?É\ãQ…Ë“`ôªöÓ’O�çSè2ažq)íÔ?­ê»º§ÃI˜òݸ0ô±¹ö‡™Æûê\6�­Ã™	¼lÁá—wáÃ8¦_ï}“ã›wø@Ï
Ož£è¬�òüéGn7î<ÂZ
W=ß–Ÿ‰-\‡w×B-øì©Nß·]W߸2—ðP[h:|ÇwÃD ö†0IAºý¦@»¡Ÿ
ä$ôP?ƒ
µ§¾Ôîv14ì”èV
-ë/ˆALçœ/
;ztà~‹çò$‚|„Ç«líî³_jp¼X.eÒØzG \‚¾•©Š½Ë´Y؃ôÔ`k¹.ÆS;‘–Ä
¿^Òk7ßâ	Ä#µ¹‚ Œ¢Ä‡¤/CEE”c×Â!€3ˆàÿŸo±
-
"}9Dˆˆ¬jw>@³zæÛ‡†âëÛ	gxß©[�ñ>l^€7à&¥èÞvñ¬«^
-µp¬"©â¥€.LðÃÀë”za¨°IšLž¤éïÜ%ó~ضþ딶fÒæÅ8	JrU†ÿ6–(
æñÖä‹ÿ;m¨v‡”œŸ¨ij“
@�)d\Ê#Îÿ±³þ?tâbendstream
-endobj
-1598 0 obj <<
-/Type /Page
-/Contents 1599 0 R
-/Resources 1597 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1588 0 R
-/Annots [ 1602 0 R 1603 0 R ]
->> endobj
-1602 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 314.0348 256.3816 326.0944]
-/Subtype /Link
-/A << /S /GoTo /D (rndc) >>
->> endobj
-1603 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [268.5158 314.0348 332.4306 326.0944]
-/Subtype /Link
-/A << /S /GoTo /D (admin_tools) >>
->> endobj
-1600 0 obj <<
-/D [1598 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-406 0 obj <<
-/D [1598 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1601 0 obj <<
-/D [1598 0 R /XYZ 56.6929 752.2372 null]
->> endobj
-410 0 obj <<
-/D [1598 0 R /XYZ 56.6929 610.516 null]
->> endobj
-1360 0 obj <<
-/D [1598 0 R /XYZ 56.6929 579.8656 null]
->> endobj
-1597 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F41 1233 0 R /F22 973 0 R /F48 1253 0 R /F14 976 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1607 0 obj <<
-/Length 2364      
-/Filter /FlateDecode
->>
-stream
-xÚµ]sã¶ñÝ¿B�òLˆÃA€sO—‹}uÚ8©OyºÜÜÐ$,qÂE¤ìªmþ{X�"EÊvëéè�`±Ø]ìVlAáÇZ*âp¡â�HÊä"-/èb
kŸ.˜Ç	:¤`ˆõýêâݵP‹˜Ä�«‡
-M¨Öl±Ê¾,?þåÃ/««»Ë€KºŒÈe #ºüþæöœ‰ñóñçÛë›O¿Þ}¸Táruóó-Nß]]_Ý]Ý~¼º˜–ösOá̆뛿]!ôéîÃO?}¸»üºúñâjÕË2”—QaùãâËWºÈ@ì/(±–‹'PÂâ˜/Ê‹P
-"C!º™ââóÅß{‚ƒU·uNRh"5W3
-älÁ‰¥ä#
ʘD‚§A+´PJ—y•ûÌ ˆŸÛ¤5¥©Z/ñ.)Ëdg%~w²ÁÅÐ .¤r{"P|ÈS%¥y�ûÆüÀF!‰ÒT÷œD¯àäó¥¼ÊÛ¼®p&©2~m’µñGñó,®6¦ççˆÄbB9

y(Æ”˜ˆH†^3`NHØÖ˜]Ûà Ýš­Is˵±ŒŠhiáÂ/&í	ö¶Î;rO³»dzip[;Ë85‰ÀoãÜ3mª´ÞW­?7#–\TÈ×L/‚þŸS¤¯aG&#5ÃŽVˇ$Í‹ÜÎY¾täÕ+IVæUÞ´»Ä[
-$hOÇb¬�§]Ž4E.…ë®Kƒ3휽߷8YÕ-ÎÔpè®�˜*µ¼†sܬùGRnóŒ8E¾Ñ£~,¸¤"ÕÞYìüv—?"~7‡K¶l:^¿7ñ6eÅ¢�<P;é“ûÂ{_]„îýU€õl„ÀèÁb Z’WzºòžnY|S¼q"¤ô-Ïþ—“�Û0<º±¤X×pi›1ÁŽàŠÞ�u�˜�Iw¦�¢'tQsž‹q¡"JD½àúÁÿ_á�Sp~{o³§O	
ŽTb&@@òYfȘu$;LðÓl¼5e~Jsc¿Ë‰i�gß
-oó°
-,Oµ9ïÐ4$K3„@§¼àÐ~0Ü0ãJº¯th	¢…6°
ÈOºÃz‰‹	µc˜´,”ûÆgÐ{_”t	ËgϤ=)_Ðß
-RœØŸˆNlt¤
-´k®„á‘+ÝNŽÏ‹Œ+Y]&¹ßïËE€öUþÇÞ¸ºF¦ª68`ÅÍ£ñ
Œ±¥sM¾¼iq]€ûŽžum,ÒÁãcyÎQá…¤]YäëØ/¥„2>÷r²q#Dšô¡
K �±éÞ‚Íëq;ãOÅÙzµ`_¾î'L¸7÷AªS‘S?£—eÈKãñˤM7>¸€è‘ͤÃ2¶È‘ex	9V´^op;~™^uéIúT`Xß$�×î�©p®`/Œv•¤�@kÀ±ØSö¢jÕ[Y¬ŽE|7öåÐL�Å(é—_tk[(+ѹõñ¹pêܸ(Ž}KH¦o÷mO0RœqíH«ÁÁç][‚*Xÿ5†”YuÛ¾hÆ[
ÁÅ\§ÞŒ®YÑà\·Á@é’·‡wÉ<6õˆ#Ú©	\ªªå-ÜUæ÷í·ÛÚöD¦O¹ Á­(ßÚ¦LÒ ÌäŒDð–Òœª>XMIB±'ûºÁQ‚
-›!%Q±/‘Ò'¤8gˆE·8½š/.£³ÄäKLèYÎ kF}Yêýä„P…ò„ždü,½.ú‡#Ù]ÉT=+C‹!ØÙX]Æâ<+˜Ç,BØh6®W#EߧpÞŒOøfÄôíŠ4Œ0í“»XÚQ¹/©Ú—÷.À‚«¨å1DçýóÕ‘Í]ü‚õ-Îsq%5Xƾ);¯²ÃØ·�°{CÖdFÙ1ÔÇLðS
4�ѶbD‰®6´�"ÈÍg¢Vy,ê3¶.NB–`‰ `¶¥½=buô‚
ÁiÀ¶3Ý‹)ÔEŸÙrXI-1˪¯5f£ö‚[¨ý5øu_ä.Æo¥Ãœ�](õ„¸£öP×lqGÛ*Ñ·ÄÚ¾Žô‰¯6“ÆQˆÛ<Í:D”ñµ
±Ø÷…Šz½öæü¿7Åz"ÇfSP­Ú	†Ò~AŒ¾]0|Ãrm@Àïùµ}Š[ým“vƒ»Ï6áü¹PY4iuþjáãg_y™»Kð¸¡¯sêé7ù?Íúf“ÛpS0+’?°94 Å!üÍ÷¤s'v»ÚÌìvÏ Tû¢8Šð~ÈóÑÉ`lýÕŽ:JmÏ9MŠ‘~àÔz¬±§dWõ6Ð�^ÃNÓMÙ³}„9©—êѶÌÜï=!Ï•oQ .G¨¸ù<Š8ÔøÜqžä¼¥
l*
-endobj
-1606 0 obj <<
-/Type /Page
-/Contents 1607 0 R
-/Resources 1605 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1588 0 R
-/Annots [ 1613 0 R 1614 0 R 1615 0 R ]
->> endobj
-1613 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [406.6264 463.8552 456.8481 475.9148]
-/Subtype /Link
-/A << /S /GoTo /D (tsig) >>
->> endobj
-1614 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [140.5805 452.5676 196.7992 463.9596]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-1615 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [103.6195 409.8565 159.8382 421.9162]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-1608 0 obj <<
-/D [1606 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-414 0 obj <<
-/D [1606 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1609 0 obj <<
-/D [1606 0 R /XYZ 85.0394 752.3146 null]
->> endobj
-418 0 obj <<
-/D [1606 0 R /XYZ 85.0394 717.6455 null]
->> endobj
-1610 0 obj <<
-/D [1606 0 R /XYZ 85.0394 688.3332 null]
->> endobj
-422 0 obj <<
-/D [1606 0 R /XYZ 85.0394 619.0499 null]
->> endobj
-1611 0 obj <<
-/D [1606 0 R /XYZ 85.0394 591.4512 null]
->> endobj
-426 0 obj <<
-/D [1606 0 R /XYZ 85.0394 513.0222 null]
->> endobj
-1612 0 obj <<
-/D [1606 0 R /XYZ 85.0394 482.614 null]
->> endobj
-430 0 obj <<
-/D [1606 0 R /XYZ 85.0394 275.2452 null]
->> endobj
-1616 0 obj <<
-/D [1606 0 R /XYZ 85.0394 247.6465 null]
->> endobj
-1605 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F41 1233 0 R /F22 973 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1619 0 obj <<
-/Length 3170      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sܶñ]¿â&O§‹Á
’Õ““È©2��:Êt:qÆûÃéXIõȳ¬vúß»‹]€ä‰g{¦=p±
-‹®Æ«¾»»øö•ÎERXewÛ­<y.w›ß—6QÉ%PËïß¼~uûãoo_^féòîöÍëË+eÄòÕí_núñíËŸ~ùöòJæF.¿ÿóË_înÞÒ”eßݾþ�0}Î}{óêæíÍëïo.ÿ¸ûéâæ.Þe|_)4^䟿ÿ!¸öO"ÑEn�0‰,
-µ¨/R£“j0û‹_/þ	ŽfýÖYùI‘(mÕŒ
-8dßÞßWÍ=©è×¾ì]íšž†?¸wB¨¦ê«¶!LÙlø­+Fâ‚£”I¤ÌRÔÝÎE††EJ$BgãšÀÁsb:’×usZgËuÛ w÷Çå̗®Cl¾,iò±Ú8‚>–‡ÊõO4h·´*^Ú#ð~
¶í�€~çh-éQ�;|t4j´üL-oûnæv,E™1Ûl3×»JA‡&ËõTûCÙÁ‘Jƒ¼»®]WpïÇrÙû‡cOsµëwí¦{�£¯Kž‰7Â-¤2Àv¸¯P8ÚÃhÏK«K	æõ4O×F¨ß]¹\—M@9†VŽ¦Ž�ÛLÍ•ò±òt�ß3'¬"FQÁEïÛÃÓŒ¬R‘Ø<ˆ4JɶôíÜÞ­Ùnwí#
¨üöØÑ`½i: %à·vZ2cK²% ‘¸
{[V$`Ò�]Enô¦Ù£,ÓtÙ6sWKUR¤‘çÏXy–h™æÏ­IWÈYjH¾ã/˜
9§#lÉëê²a¦ØîOV€h’qåÂDÇâÕ
ùX6=^ýJ‹|y»%$(pXã9ó’É!ŽZm¦6Ü´3‘:ÉTž~•@laNòb°£¨Ÿ¹†hPÑê±Úï	Z¹?ÑA“ØI EV½š	c>ÿÛ_RIžûu£;Fkõ7n[÷}Ø5ƽïž: z=EnÜêp¶OCýô€cþ½Þ¡ŒŽhŽûý”ÈÕ	³'‰á$XkÅ"Ëýš[ž:BÈ2(C@�ÏdŽH4Xü¶Þ;r ÁÕ¾ê<ëˆxôÑ¡HÔ[ã:K1{^°+ùœ•b3Â{(�7a#2º™4áfÒ.s¼™V˪§™GO&¦Ü‚&̲k=#Ì|DSh¾Xu|EvJÏ$78â1œ1¹ÆßHp0ßCÀö²˜Óé>3Iª¤™*ßërrè9ï¥ËãÊÀ@@/ÑZ�Ób:ŠŒ8"åÜS”ØÄEÝSÓ—Ÿv?ÙxKÕЗ3©žQ*ÌF¥|ßòŽv²3�Î5ç$æ8:`úž¤…"sM˜È&
«íIXy§T:+¤UP¥æA_Ws
|ÑOˆ˜zŤ’sM÷àÖÞžs̉A}—&Ö``ÕPÍʼÕn‰äêí.pª?ø…ò㫳—!<‚â™ÓP_
-i
-v‰ªÙ¶sÁ&OrYÄ`#Œ|Aö�B¯—é¡©¤à@-³ÁÞpà#-|£%ã œ«Ý¤Iò4$5l6s®,’¢Ð6ÆH×8ˆõŽOî«šO
-Á bòðÔ&¹ÎíÔBÁcØç
-â>o+àf›3YûlýœÇ$xÞrkN-
-C£3WhUF–Ù/—ÒÄKûò€‚¯¶‰ÑÙIyØõ-ƒ3„v‰4§ù) ô\ˆˆ‚
TàSÃlè™�YÅ`˜*õ…ø•²§.‹dÇ®ª£«âëaï~01`*Z8À£(¦ÇO0@›~14ãä×B'ÚæjêØ#Q
-%9z»ß“¹(~ðUØ=¬Õ*¢WíGÞÁݵòM
|÷H
-MK'ÔíøÜMÙ—Üm@
”fâ¤&ärTPe�_´«ÞWE‚š
-ÿÝñ,y
-üW‘‰>·ÕžÿÛâÞŠÕÕ7„BŽ4}H)Q_ϵ�‡ªé¯¨cÅuO®»>÷ÿ+ÐMá?�Ìü·‰ˆ?
üÏÿÛ2üãOš%:ÏUü·•©b³<Is ÂLá]RûŒóðO0ÏYÿ/�.ˆÅendstream
-endobj
-1618 0 obj <<
-/Type /Page
-/Contents 1619 0 R
-/Resources 1617 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1588 0 R
->> endobj
-1620 0 obj <<
-/D [1618 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-434 0 obj <<
-/D [1618 0 R /XYZ 56.6929 696.3453 null]
->> endobj
-1621 0 obj <<
-/D [1618 0 R /XYZ 56.6929 666.0554 null]
->> endobj
-438 0 obj <<
-/D [1618 0 R /XYZ 56.6929 459.1977 null]
->> endobj
-1622 0 obj <<
-/D [1618 0 R /XYZ 56.6929 436.7104 null]
->> endobj
-1617 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1625 0 obj <<
-/Length 3640      
-/Filter /FlateDecode
->>
-stream
-xÚ­Z[“Û¶~ß_±“kg,Wtž×Nœ6NëlŸ’L†+Q'©’”•m§ÿ½çà
-k®�ðÀ™(
-y½»ÒF1£•
-=Û«Ÿ®þ�ºWSü3Ê2cež` #
-nY¡‹ü:7Ë”TŽƒû®n†ù¢ªuÛÝßÌ3Îg÷Uÿ5íz.+ð s!XaŒt¯ü×
¾x+åhu~=Wœ¡iÎí¦ò“&$@ifa2Îéïûm»N¬¥Ë
-¡ü´eÕuSuÛ
-àAcï¼>÷ÕŸ­Úîdj¤û”}MO#DE;^Ñï˜_ua½H$<9"ýl�Ñ£½ËjO0>5„:-
-Ò
-lDÆáÃ
R¥bMW€îŸÏu&¼õãi¬
�°ÙÉRGsÃT=ÔÉ|h}â†;—3

g[VCÕíêÆŸñè
-[ÀÅf8€[½§ç}Ù#pЀx•†(ebÃÆq«=¬7˜½Y1{‹¢U¹›-wûm…'æöDiœ�†4
­'ÅÌN~Ÿ00qSO¢vÝ}‚_Š&¸•ŸÊ–4ÇäóñÐr!SðSFw¸�Æn2?ëî0uär�j�ØÜ;ýBC0ÅÍÔBÖi­‚D#·E19;–]sš>&ÃÂ�¤Ä~¬Ë¤ãbF*ý4eÒãüŒ”afA>@q9²M@ÛÄÞ3o2Å7
)˜‹ÖͪM§æVE•¿•b5�ˆ©UJ4C¶À„i$ôΓ¿$…Ýï£U6g…²v*Ÿwî`†
-}
¦A•|<V
'ÏfÔÆȦZ‚Æ+x:Ö1ÕžœÁ@[˜pЦÜUËÔ!4ã*àÁ9¹�Ç0^
-yFéCâxëm{W¢6ÙÌ;/hæ1Œƒ^’S6[{-H€yUaèßn­„	É
-L™°<s”ÒÀ‹ÊÎ^áÁ^0\BÆóÑ�ƒø£I
-³…ù¬Nž¬¯BÖª¦ðZ	ØêžúÀ(:‘ðt)I–�Á©ìÓÐ ³$âwDt·k\rk‘spa&!óÔÚ˜¦KÀôT•žäU»Ý¶GWj«¤Ÿ}ÞÇ)>¡ñ·×'`V†Û#+L$Øâ¥Ïœ®Y.<þteÒ·jÍ2ЈQ¢2/Yx+J
ÏKÖØ(Y»Òc#Åæ–„:F¾±êA¤ì¢@œ8Ö<˜æ5_<tMå�œ!²ò9
åÝ=õ>Ê
-püLk°Þ±€@Q)Æsþ°ru�50$+O¬ÑÒÌ^‘ISñc�f-á€
¨oíV‹Pz±–
-„Bþg·@CYoƒ�mÃþ0 äŸ½&ßê'±òÒï«E½òÉY9êCd^ÐsT�Q2'„˜=?K=ø¿LÜÀ£#Å{A¢ ^üæ¶ùÍ« ŽüÇ5y[¸ªÑÉयVmûÕ×SÓ²‰›ç�Mõgï!}´mвjŒ´FEÞÓ�‹ûàן›Ê�t4{:F=esO�¡ÞU¾µñ�p¾è„}î¢ï|{álÑ&ñîÚG!§�¨œ÷ÀåºÍ¬Š
-¬}²u.Bc×1úêwåýx“º„ ~¦ešÙÌœe©DÒÀL˜'ÜäñÞÀcŽKŽ„/p_½-°äç«)ø°oáxd*øØ×Í"¥ä‚q‘?�â_ø„ua¶ßÁ�…FÃ1à2ú(“§ÕJ¨ŒåÊNE?½xHM–3‘ÛàEÃ}‡ÖÓ’Ÿ9� _rÙ2Fõ^Í
-¦d,‹Ñ/¤»<íSœÞQÞO·¥²;¶œ3Á		LÐvw>O~îq3ƒL¹KŒ±‰:]…ÐÖ"Ír{,ï{êu‚†>Gn姺HJ-�Q
-«)î¢(Ù@»—TB3@Ñ@’Õ-¨„²ÓÀ„Q©ç»êTY7$aøuq-ìwJU‘ðÍhnæêIïH“’¢
ìR™ù¤d€…,Î%sºçªÂ�X*Œš…¥l=õ6ÒÎßVwsp³œa^ró›)êYWMÕ•[à%x=î+rá©›„ÜòbØv;bR¦FôfX+8tÔ½÷×^TFvâ†ÞÅ)þÌdˆ?§‹¨p-ï¨?¤…/>•rV1y¤b«ò°ˆ
-Átž¹/íh°[_SãÃèÓ¼8>~Á}š7Í`¬‹þT-BÝ‹»�gòœ$pËLqa'$=øF0Îú!W£¼+¡ßÂ
-endobj
-1624 0 obj <<
-/Type /Page
-/Contents 1625 0 R
-/Resources 1623 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1588 0 R
-/Annots [ 1627 0 R ]
->> endobj
-1627 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [173.6261 190.3209 242.2981 199.7305]
-/Subtype /Link
-/A << /S /GoTo /D (the_category_phrase) >>
->> endobj
-1626 0 obj <<
-/D [1624 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1623 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1631 0 obj <<
-/Length 2058      
-/Filter /FlateDecode
->>
-stream
-xÚ¥X_“Û6ßOáéK䙘!©Ôõi›îæ¶sIz{îÃMÛÉhmÚÖT–|’œ­ïæ¾û
(K¶²ÍMǦ@
-VØ5¹qT
aR(c¼û‚7áq¨äÚ˜Œ9‹Š•îXÅxßd\Ýüæ €ëÂmÇ®ºº9Í•R� ï„2Qš&>×S'ÿ¾Y:‹@.”Mlü"y[Wíë9.åà™ƒ_´Ž&öª¢P˜L)ÞÁâ8±I!bq‚œÈU½ß»*„eQ9M1dQWÔ¬Þ…þ�­];ÛbgÑ„î´Iâ¯óyª3Ø>¢m+öHg×l¦.96ÕB+}QúòMGô²4ha”ÑC£¦`‡ol¼Òtœ:üm�±á<L}j˜ ²ÏDùéáû×4"_ÂÔK¢ôx0=Â�¼µ•mxw1OçkëÁÛ"2Yú™_°õm—7'ª	Žv_"u¤Æ¥—‡$o»6sXUU$
¾�WRNÖºÆ�¤!iêºhW¹›ZCÜ!QŒ64wª�4¨¬e=Λð¿ÊÝ‘‚Mòè$Á)òzÖȳˆý±í†ö±8´ŸñŠãç¢ÛM�C=¸¿€(­ $d¾$,¶_(�Ø#'–>$£û\)¸²tÀÀ#
-vèÚæ…Âç«K(t«óAŠf|¬V`\’%çói­ƒ’*F3H_
oÍã'KØr¿ÂE	ÂG–EQ-N‚¼ìì\
}qù™Ç¢ì®Àâ2­%¦³oJ*¢¯§š¡§#»ŽÔº€}½¯×ÅætQ»}'@§Q½ÝöUû‰YuQu=u€ÜB§æOžœ—l*ßåŸ{E½ƒ®1,]´”\d°�‡ë‰„vi¹³#ålØ�»&oíÚ¡Hd‘Š|?äÁfPÎ&Ø»"„äóÆ æQmMn/Èë‰êZ‘DG?�Às-‘˜êUŽ
 Žºš¦ZËÜÏÞ"ëUl
-ù¦.Ëú¹Ç!–Óvùã\f}?‰MÉ_&*¸Æó^WE_O-óÛ1Ñ�áL{ñŽ’fNÝ-ÂECFLé$°¿çûCi�/ Í²Ý«–&ÚüDœìèÄHò˜rË1÷#’
^UÇb<kNŸtP°6W3G*ò²e~¯,	~³öÀjê�4È¢K„ŽK©…:÷[|8ážþŸóLÃéýŠ�µ3þ†Å¹�ù‹ñK¯o°ûÓ'ïŠO£‰Éë¾¾|ü.GòåÈŸ»w©ã¬;‡ïž&&ö7)þ2e_`áþ£–묂hé¢êo=}³ÇGeÉ7½ADœV£æ²4LfÇD¯b‘†çÛ>a\›][8¾7Oeì?…�3l«ß7¶Yàñ4,ôz1(/ÇÚ!·­—$¼\FîUQFç³?FHýœeþTBÃÅ”Qƒ®
…ÁÐ64\ÛvÕ®We®z3}øé`/æ蘃
â
®ëÜêÒªk¯«./*1å ÷u¿…‰nkŸŸ|Eá¤Y¯ízœG›ãà²ßq‰ZÂÚ¶âêíGfЀÉlf´HÒ0ýš·8¶D*Ó/<×.b-"ef‹(…F\¦Sïµ²¿%üé×áóÓ9è�Ñç·¦R×ÅPãA�²Ð鑹z»öÏÈÌ50ý¾%+endstream
-endobj
-1630 0 obj <<
-/Type /Page
-/Contents 1631 0 R
-/Resources 1629 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1635 0 R
->> endobj
-1632 0 obj <<
-/D [1630 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-442 0 obj <<
-/D [1630 0 R /XYZ 56.6929 436.7807 null]
->> endobj
-1628 0 obj <<
-/D [1630 0 R /XYZ 56.6929 411.9988 null]
->> endobj
-1633 0 obj <<
-/D [1630 0 R /XYZ 56.6929 95.0274 null]
->> endobj
-1634 0 obj <<
-/D [1630 0 R /XYZ 56.6929 83.0722 null]
->> endobj
-1629 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1638 0 obj <<
-/Length 2918      
-/Filter /FlateDecode
->>
-stream
-xÚÍ]sã¶ñÝ¿B3}=�|
-®ð žüöÍàØ¿œp¦âH�áƒ3Çr´<	µb:TªéÉOnOþÙ.Øu }ô¹`Bj5«�EÖxŶ*Œ˜åö…m9¬¥a-­_^‹à8¬å›
ÄîRc¡,µEþJŬ1QË_):ü¡b‘Rzdµ`Ò
-&ŽY¤M8$
-Bã&DõyZ¤ë$�(ˆ8DÞLã$ÏA«e,‚�IñD#õø]Q»ª³<§fB¬+~¨ýyRUŽméŒz²¢.ÛÅÇ}²á¥áGâXR̨
Âöä»p7l¤ÍØfE¿�è¼ÌÝ.Ù¾�ûÜUGå®Õ,‰உ#“¢'ur—€Z
±÷cZUÉõMiÅrТS c'òÈý¢$(¶‹{ M…üÄ
àgº.€%O4r÷Ô¯ï)q¨H–¾U¥ë`ñ¶ô}uÙè>~þ¯,Ò=)˜&Óf)Dé
-cW@p�‹}¾"Õ¤	n$ñ°X+@G”Ÿç•\q¸ñgxÈÒÇžƒJÉ„2±ŸɯáqpF'�2dQ¡øÎ	ÈšZäYÓª6Ëe‚•üp~“¼*ýÄr>w±†%ª¹ßEÚƒ³°ŠÙ¨¥û‹ª„уnxØn„r
-¬~²®7+0ùaÄ©hÿä¯Tsa ¶ž¦ÇÛÈ ŒhLõËTãV´Ñˆ«AãÚÎÅz'™RRïú»Ô‡+ÒƸú©ÈIÇÛküØ9DN}JËd(£‚O
-¡viË“üX%k×
-)
µ
l9“Š�%%Ó(²&B_ùHR6We¡îägû§êÈÑOd9•ŠËéÚÎbÖ'[	™€Wt¥VzRp¤„*«Ïöt—¥è™7wFJ�p’›€�e[ Àîö:ÐÙ
-0Ó/i]µ&|×â·Uqh/ËÙ&O«^·bw/ìt—»�vç‚ðЕ.•Ž{OtT…±es
0“¦°yYÀɧ¯¹¤˜£›+Nn¯><¯¶ÝÍkåc©É¼F°ð ¬ˆb¦,§L1³=&é6U¿:¯tìå½Â¨²˜oT~ Ù–`ã`™U{²ÐMîÌN ÉË’ª(ûÚâ7Á¬QTèiù�nãóX¸â!þÒËDlÅôŠVP’rÆØ.é—<TO”ã mï¹|P6Û¬Û‹‡Ý›çBÓáƱ^Œ½…ÐHÃ8�†ÔQàƒI®½mMótîø9.‹|¸”sÑÎÇ´Qˆ*Ðcyå¯å¼¢‘­Ã³ªqxÐZ$)µü£=hÝÓ£ )UËÕ³°šdèúߟ>ž]¹‡¦Ö=�Ú4·™¶ãI雪I–níͳƒº±æý‘
ö_1’%=Õ
 ¶mjÃÔ³!CÞÔ:²bç%
8*_ý.×Íû¨ÍÝþÓ¨Y
-4éÜ
íðþÛä)äœYi@DcδժïE-
º“×¾ßÝ>n-SQÔyu°Sâ†E2¶ˆvˆW
HÏ0Þ'ˆVÓ‘ÜNë ÿr3Çkendstream
-endobj
-1637 0 obj <<
-/Type /Page
-/Contents 1638 0 R
-/Resources 1636 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1635 0 R
->> endobj
-1639 0 obj <<
-/D [1637 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1636 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1642 0 obj <<
-/Length 2959      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ËrÛ8òî¯PÕ–®²‚
-¼›Û7×½¾¿zûöêþ|)t$¼Wÿ¾úåáúž§bËãåíÝOŒIùóÓûë›ëûë»W×ç~>»~èï2¾¯$^äóÙ‡�Á"‡kÿ|ø2ÕÑâƒÀi.vg*’~¤¤t˜òìýÙz†£YZ:'?_„‘\,C%`�Ú³ûò
ìkÁPD
-G‹@8I¤Ø	©ßÔ� Õ ö>wæP˜†í6kŠ¼möÅ0neLÅЦ>œí­�=S×LÛ5–t_f…¥ýéî=ygð0°íR?…‹Ñþ´6J½¶Ø™ºkÐ)#ïa[4<Á_íÕ›–ö²"\¿xk s™]ÝZ‚ƾ˜ƒåTÕíÜ	V¦¨PIäÝß¼b
-�
²ò˜=5óÎmw¨,·Ø»yw¿œnÈVóöú5?”ȾÊkŠ]QfFÒ¥
-¶UÀWX‹;>Œë�]·�uxèá„è&„èݬ‚�ùÚ^úÂÄž÷øb*û¦$ b|Þ­çý»8f·[‘�EöˆðÝÀ+šå¾nŠ¶øbé韾–ëŠV	¦ËÊòɺç±O×Ê—	1vÏU¶›uâ2öEa�©ŽE	FÁ
Ø]G"%ñ#ŒvÏPËGÌHNxÂ¥?’A2½zÓ­·øVqï”y”Ù/»ßØú}ø².
`u	 x-FJÅLª|NÜ`cÔ÷4˜0Â+À0ZñHd#�ÎV`šme™HH=ð�Ê'ƯˬiŠÍÓ¬?fµQƒÕ!ŒœÊì—¯­X²øåk`¯�ÊRÃQ+†'7ªb·œ»9lJÖ¡G2ÓäŸß_¿bÜ—¬,r�Ï…à²zíøsWXÈ6l
-ågV‘R¾’)Kîþ—ÿ}7Ÿº­@ì;÷`)ijºõ®å‘9�köɉ*1Ê¡`f_—Åú‰g¯+‹ý-ÂÒ@<�Ñcæq<-eJR«	[Â
-†”@à$F>ürè`[<nÁ�Î8%¡?
bçor³êç¼RèÇ�#*ÁÍ•ö¤ËP@&-”žªâÎô
 W/<¿uä
±5»½õ¨óÚ6zÆS�AÛ†lÿ{å®I‚ä¤|ø{«ÜADœbÀ‚"ñÁŽ&eÇ7åG˜hPTB!¢S_ÅÑ3
-íj#€TIØ×oNUYMÍ�"=-AWYO±ËZóXžf=ÀÊÞ@(âùÀáûT�R_‡½‘LøË«™ ²´k·3ü˜òFü6{³.ÐÖFy®½Ï1ýÀe;RD¬¬�L
-½‡ó4¤¬ä—!Jð踵
-'ûõN„5›¥@Y p<}ó5ƒÅø�©¼¸½{qæ†ÌîOùëK©u0ïÆ'çÔœxù¬² UAã0ÈèÁ:lΧ=ÎîôŒpqý1³±¸XSÉAì[ž.©Ú@�• |-ü6ug»<¦ˆ
-ef‚¢K=q[þzæîJøZIaé0�$µVH—Uƒ�Éiðëíu¤Lm_Ñ�B;],-´‡4¹Xwev(mµº5åÞj\ï¾&Z»ÎºæOiìÆÙIf3جk·5„ãl¨r¸ d¯ãTåÔ@ci7�Uo €ë
ÐtÀ…ü¡�cub PÛÃóZ•F²u
þ«Ý¢˜$Z#ž6•í
ŸºG5uÙµÔ$!z×S�#õã�jߌßû3†N…é(”R;
-âËà¢Â¦Â
€¹wZe90Ù_Š‹,_1ÙB)zG
-˜�m!ɺ.kÛ
-àûâpC��RIåά�S;ßÚ¥à.ƒ¾.¥ðzËÇ	Û[–Ô¡éq+ƒ–rqÇÇo—åØÜåö²6$â¤Uh²•HaS $™úrâlÙ8EC=›íÄŒRŒ ²}Ãz•­¨¾
-;tŒê›­4ß·Ña�×ÇŠ!Êxð§’Êv¹Ö[ü�oÃÒd9g@@Bm{äd‡ìyPXv2p[“‘úÏ4¾û6Ϥ›„qÈ…šém¹•ÕNjp“ÏF|V�JG*�Õl­<S­K¨µrÆSÍßæs7T0^¨ïÖØYk
°¼ÁÌ£�|§qÆ!_cBP–ÎL´kpké’({Η˜¥s¯³
-Ðû\•¸[“A表�8�ø‰ìûéæªt¡«gÑ–
5§awYåb‡ÂœÇìÙ|Ußù
´
™IñHnŠ§z¥2ù¿y´eÄUàhñÀùèª?׎ý ’ò›ö¿­™†Ô}¢AÖG9õqì4Âb oïI¯KPíoZ–È©™&YM·Ûe‡âwWQÕ	‡±—E<Z×7Ý£¾§àòCý÷[=ÃÏ衯v*ñ§çTÏýTÿ¬²ýðÓïö*ñ¡Æ	‡¦ÏXóúæ�Œ|ä…ßül.?”qO5:úÿ
<{aEendstream
-endobj
-1641 0 obj <<
-/Type /Page
-/Contents 1642 0 R
-/Resources 1640 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1635 0 R
->> endobj
-1643 0 obj <<
-/D [1641 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-446 0 obj <<
-/D [1641 0 R /XYZ 56.6929 474.28 null]
->> endobj
-1644 0 obj <<
-/D [1641 0 R /XYZ 56.6929 446.6886 null]
->> endobj
-1645 0 obj <<
-/D [1641 0 R /XYZ 56.6929 81.8965 null]
->> endobj
-1646 0 obj <<
-/D [1641 0 R /XYZ 56.6929 69.9414 null]
->> endobj
-1640 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1649 0 obj <<
-/Length 2586      
-/Filter /FlateDecode
->>
-stream
-xÚÍ]sÛ¸ñÝ¿Bo•g"¾IöžœÄN}sq®Žï¦3n&CK”͉D*"eŸÛéï. H‰²”Øétô€Åb±°ß€Ä€ÃObøJô J43\˜Áx~Ä·0öîHxšQ µ©^_ýt¦¢AÂ+íàjÚâ3Çbp5¹¾ùÛÉoW§—Ç#iøв㑱|øúüâ-ajÞ|¸8;÷ûåÉq¤‡Wç.}yzvzyzñæôx$b#`¾ôvL8;ÿõ” w—'ïߟ\ºúåèôªÙK{¿‚+ÜÈ×£ëO|0�mÿrÄ™Jb3x€g"Iä`~¤�bF+0³£�Go¶FÝÔ¾óÓ\0!�Œ”f±|Vé˜E<ÚñY¼ð2f7/šÇ�—ÃŒ.«‘PÓ&BùJÅ"kãF¾Z´ä+´b±RfÁ¤Ù£€—Ù4[.ÓžôOgR¶&ÀGFGð$¼ºË@4 ®b5¿É–—SlÕpy,â¡çTÑPèi¬*g÷aaÆY~ŸM±Ã•«Û»®H–#ÝÇËU
„:ñ\
h¸®ê¼,· &㬪@Ï”àÃóbcZzSÞ{0û3�/fY È+Ò<h; ;�¯hôá.ߘҨ3/«š Yþ%›=<.瞶˜à?Ê`„m*·íñÉA[ŽÏÓ
ÔBÆ<™„E‘I¾�%͈w«›µŠ%	Oö©›0øéÕ­ªÓe}˜¶ÁgmCµ
Ûñãx–U×wi ?¥«pnh™£¦­çe�õéY•-a°6 <ÈØpR·ÞÎþ,Ø·M¬_卵§yѳ-ÍY¢¥ñdÿ*‹TSð8qº‰ì³5
-?èöE ÛŽÒzÉ(`ÈDHÑÕÍÆ´¬€
Tdð±ð)Â}]eËGÿÉ
_”U•ßÌ<ÆLË‹[š˜×¨ìV'Ùð½Ù;Û³~ÁÒ4†¹(‹*ƒÏ	?\RK›EèKQ>4¥Hç!éü=çéšóöño¬gçù+0
-Ûõ¢°‡ñ@i;¼É¨O›D(Ë}°ƒÃ6‰J¶–�|…Þ<R›Ø*ˆH÷é,Ÿ²­v„)ý´´"ò´C¸šÕžlJí¬,¿¬�s_FˆEPò䦀ëdâ9yÄ$­Ó›Ô}zvOÞ¾ÆpøŠ0¸J•RaûJ62îY'áC Í&»Mª­«/ËÁš”N,³"ÞË¬�K`„çP€&-—‡•Ò²1*„�|¡EX+à+B­UÁ#(µ$ȱڌuŽQ1êÓŽq¹*j/bç+-ª‘kA)À%ûtúë¨j,Lcw™§‰˜ÕØgÌ4œq×>•Œ†ŠÌg’pîÜØ
낪dŽ	�ÒÌi/@dÁ:œ‚nçЮ¿6÷@l†«‚¨@MÓ›™'Ä2h‡/å·›ÇÛ`\Èq–eÈÞaäüÍûßÚþ ƒ€=ŸyVõÊ©JoŸˆKmí|)#ú
u¿¶_‰=F¤ã˜A%‚Û¾I'P‰-³!­ÂhCØ®ŠìÏ…÷éØo;ÝŠPèøJòÙØ‹*öçò;Bfˆø´2*-´.”`ÛØv(Eã„#£x)¶â¥pFHzŒ.LKmH–ÚÝK•úҌ·³3vk˜�,Qr_æ£�d*Ö¤céäæ7}–法—	”¼‰qŽÒ$¨<\z?‰è¶×Á~ð:HÚŠ¿�j)=»|Œã$nyRð'\»5*î« D@xg„úho
-HïM9]™ÑLç*¹7N£ð­Žúø dý÷ýp‘º|ĆŠ¡I™\éÝ¥÷~0-=Ð_å·’šu2?.];©žÐê–º<O¨ßTQĸµû.°4×ÌXEÉÇ4/&SPÙoÔk¼j¡2ºí€ü-Šèˆ´{"ººÍ(¹¢ëJ
mÚXË:�QB±®
­¯
£á´»D—v4÷°tåêSl]¹åÚŸ¹{Ø]:Ò>üÿcϧdÂÀùË=:¢lÌlÓe"ߣ"qL’‰£áÛ‹�OßΕ5)9_K9üã8�Š# ‰hºÅ*T=jAÉ)–‡‘Ú¹w÷:R["ÇÁÖ-;a�wÎGgù¼Wr*ýŒ¡ÒÛ^Çl@0 ÏT š«¤å—CqCÈÇ}(LµaK3ÿÙ²À+O„îÒÅ"+Îûò‘Qœ0|î9,Bx¥¤•<¡ï-Ez)Ÿ¸~´ú¾ç¨ç=b	›0I|°5.Û¯g[¯hŠ[ØMAž”@ãõ3dç<ߌ [�#Ê%NÜ=bðEÖ'ÙÍê–p³ì>s�NÖxk‡ŠšrIè»üsPPO¼ÙŽøšO寞]…€Å@E½Ô3¬ïÊÊÐ]¦	sm{
‚†ÜR<uS¬#¾¼½ue LiQ°8—÷˜JSºøŠÇeÍúxzyJûÇnåäüWFÅÍ¥DZTd·àî=~#5GTµÂ›xWQUžÍ?Þ~xr~á±ëû	ãs‡†Ñ-
NœI·8´VÞãv•kñé»ä«ÿÇò•/#_¹-_ÝÈW÷Ëпø¨ˆ=à_2¥ºñ×ÍBT¯(Å[ïßÍn¤«×ËÇ9·|D¶Ho(ëÓÚ«öªko²qºª²ðêßDÛUc놘®]èf«ó©�äS¤Ár`ì.êé”pÐ	¿ëçù„¥ÉWWËÊç+Üó^<X�Š+ ¦D†'n7øW!ð¥Žóáìa™ùÅ}¬Ó:›ÓûþMa™Îçi_‘ü¤eI”ȧӬòÖópJÍZ�^²“nˆÒ‚
­«§RŽ 
-IFÕ]qû�¶#_¤:fš‰EÄ„�ËbÚó
+(¹iªq.gÙ_ûb©„òYĪmíþ<ñÂøßN•Biß1“k¢˜åU�# MpM¾øìòb×¹^”˺Ácçõ~vÜ#Á"µñfzýml\Ø¿åöèÿüº®|ë~¦³‡û<{XCŸñ`;syï¬*K—è£[Û¦,ä3•w­¥]?=üôÊyïÑ“²öB¢Ú¡=§ï?9�áizþAÃC{öÿuÖfÒ¨ä±ìO"šdÃ/
-÷eÄæÊ
TÜ&–QÏÒÿZ†Tendstream
-endobj
-1648 0 obj <<
-/Type /Page
-/Contents 1649 0 R
-/Resources 1647 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1635 0 R
->> endobj
-1650 0 obj <<
-/D [1648 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-450 0 obj <<
-/D [1648 0 R /XYZ 85.0394 189.8991 null]
->> endobj
-1651 0 obj <<
-/D [1648 0 R /XYZ 85.0394 163.5217 null]
->> endobj
-1647 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1654 0 obj <<
-/Length 2051      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]Sä6ò�_1�¦*£•dùëò´Ù…
©„ä€<Š¶fÆLl„»Ü¿nµì±g�lQ5n·ZýÝ­–b„,Ld²ˆÅ.‚EZžðÅÖ¾œG³ì‰–cªïnN>œûÑ"aI(ÃÅÍjÄ+f<ŽÅâ&»õB&Ù)pàÞ§Ÿ/Ï/¾üzõñ4RÞÍÅÏ—§KpïüâÇ3‚¾\}üé§�W§KÂûôýÇ_nήh)t<¾»¸üL˜„/0½:;?»:»ütvzwóÃÉÙÍ`ËØ^Á}4ä�“Û;¾ÈÀìN8ó“8X<Ág"Iä¢<Q�Ïåû=¦8¹>ù÷Àp´j·ÎúOp&ýPÎ8P‰9	}é[þï[´áù!XIùb©"‡~0xYHðçÜ+žÓ’®;Ý™ÒT½~6¿q.«¼ËëŠ0ºÊøµÕkã$É‘N HL&"²‚n6fPgO$G
-íE’ÌJBZ$è)KÕîUó¥ðÒºBÝÖ»æTÄê�ØÄY Ò¥…¸×šæÑ4n¹¦§.ÚJ?í8hzùzÓ=ü%„SŽÙÀò“MúÞo<à×Ʀ�J$S‰¿ã�©(KZkÖ®FÁïÉ—czû‰sŽ¸¢�®MºDñÀÅXÌ9ð’
-îþ±3-Wë
-
-jÆ»X¢ªé‰Æ”;Ò½£²o°ÚÃM"Iè‰w­É8;/ §QH@qkÕm]æ]gEak�jŽ˜§¼(±}ØZj\3�ƒ4aÂq"¥íñ'ÅA®ù¯÷g•„.‡só4W`
-õ�ŽMƾ÷�WYK ¹¡}Bà&>5=ŠüTx£œ@Ü´ÓÞ2®'¬šNN/Ù‰ú|yM
-mß!S�ˆ¦�ØêÔ ïüØÃBÚ„ÆÔ–6É

N¯m]µ†ˆ @ ~A/ŽšLÛ5§±·K)R¶(z®Ž¨µB¥®*k'ÖeK8M�ªnJí¸“1€„ižû­]º±�Lö%8É2¹d"íqÅ…ËU5䪚æªïõè}vú>wG,,gf¥¡M
y¡~V…­�„†»6ˆÚÿXÕ£:àŽuŠ;
tE+¦¡^Ú‚gŒîš|½vÒ²w´[(
¡’!½�nÒÍLø‚I¥ÔL¨ØÚ…O¨åüQÞf®J¬+g$Ï0ôÅ׉v'Ãá¼8œL—~hlq1HÔÕŒ€$`¡ýÈŸ'ÞEGº»sì1ÏŒ³RӃ΄êUš£Hôó¬.5t×à69ØH�­Ïû²Ýš*ëÛœõÛÐ Ýå�ŽÎ6�¹ë…Xï;a!äÈÜ*«»Ù¹"bIœˆ¯”û2¦
<)¼ð$Rá›$Ë$¿ï8øþ£ˆÃXk#`ëÊò„¶Î&ÛÁ
-i¾ÕÅ[ùôsˆ
�…ßcI¶Ÿy÷ûÌ·N¿%lò/WyaÞï‰lWnß¾u¢>Þëm"üÍö¹OèÐbñ»÷ÌWE>4å¯þ¼¾ÿßÌ
~Ëùï“2‚V§š}¾Ã«þþ°}Hendstream
-endobj
-1653 0 obj <<
-/Type /Page
-/Contents 1654 0 R
-/Resources 1652 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1635 0 R
-/Annots [ 1657 0 R 1658 0 R ]
->> endobj
-1657 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [491.4967 682.6714 511.2325 694.731]
-/Subtype /Link
-/A << /S /GoTo /D (lwresd) >>
->> endobj
-1658 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 670.7162 89.457 682.7759]
-/Subtype /Link
-/A << /S /GoTo /D (lwresd) >>
->> endobj
-1655 0 obj <<
-/D [1653 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-454 0 obj <<
-/D [1653 0 R /XYZ 56.6929 731.9325 null]
->> endobj
-1656 0 obj <<
-/D [1653 0 R /XYZ 56.6929 701.4683 null]
->> endobj
-458 0 obj <<
-/D [1653 0 R /XYZ 56.6929 475.6865 null]
->> endobj
-1659 0 obj <<
-/D [1653 0 R /XYZ 56.6929 450.9966 null]
->> endobj
-462 0 obj <<
-/D [1653 0 R /XYZ 56.6929 381.4304 null]
->> endobj
-1660 0 obj <<
-/D [1653 0 R /XYZ 56.6929 350.9662 null]
->> endobj
-466 0 obj <<
-/D [1653 0 R /XYZ 56.6929 305.6252 null]
->> endobj
-1661 0 obj <<
-/D [1653 0 R /XYZ 56.6929 277.9066 null]
->> endobj
-1652 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F21 950 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1664 0 obj <<
-/Length 1132      
-/Filter /FlateDecode
->>
-stream
-xÚ½Xßs£6~÷_Ácü ŠÀØ0}Ê¥Nš›^®uݧ4ãQ@Øš‰“Dlßµÿ{…elp Åär“É
-)"‰¤m±\p±`ü\õî4Ö¢ÈHÜ3
G¹�„-û&ð­®åƒSþ’œRs÷�¹(,$®I˜ÖëàÊÕ
-°MÌSDØùɉ1¢”GHa ‹oˆê„Q‹0&ˆæYõ~Á3¥‹®ƒý=a@¾äXlÏw>Á*Z�%ÍñùN'4—+P$G‘ËU®b¾îÁà
-i
-ÆIN‹ Öx“Q•º¦HêÞÑ)¤ÛîÓ€÷ȳÀºJ5ÑL’øüèD¹ž
-ºƒV>7úaÂLPn2¾¯« B:•ï‡üF·ØP1™”Ãû»ù|²}?·é4Êóíâ©áìÈ9,–o>©:ã�&¶îáÊu+‡Pž3¶7œ”N±ûÞ©ç‡#­—®ÿ¿^fendstream
-endobj
-1663 0 obj <<
-/Type /Page
-/Contents 1664 0 R
-/Resources 1662 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1635 0 R
->> endobj
-1665 0 obj <<
-/D [1663 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1662 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1668 0 obj <<
-/Length 1207      
-/Filter /FlateDecode
->>
-stream
-xÚ½XÑrâ6}ç+ü�‘jI–mMž²)I³ÓͶ”>ÑãµEâb,Ö2ɲÝþ{edll †±,Yçž{t%]	¦ú!ƒÚÐf˜³ 55üYÇ4žTÛ]å߀õG úÕ‡açç[â2ÛÆpRÁr¡éºÈ£®
1ì)³{óùáöþî¯ÁuϱºÃûÏ=€©Ù½½ÿ­¯KwƒëOŸ®=€\Šº7¿^ÿ>ìt“�c|¸øE×0ýØ:èßöý‡›~ïqø±Ó¾TýE&ÉùÚ=šF ÜþØ1!a.5^Õ‹	cؘu,J µY×D�?;€•ÖU×Zý�	1±q�€ªèšÐ6”C´	&+
G=`›f׋"ñ
-î/ŠˆX×ÿ›7AÂ¥ϼÔG¡LuýWúù˜	¡Ø
-¦rªk—\ŽE2ŽE†A,%÷×g"È�ÿÛ¤¦.ͼ0NÕ_¿ýÐ�X¨Q�áS\|�šS�)_f|E-qF50‘ð…#�âÇ“/Ê©-f_xÒœ�Ì¢‰ƒT(]Þb¤_¯A¥É¤þ\i2Q²<·wIÊ‹
ä2NŸ•²òb1ø%òü鳈.ÕÉÁ‹ÁÌE’nRÍjZF±÷"Âà\Ä]†öåðr†öå|ξæå6*�t)œ�Ë—Ç‹
]aV9ó¾–¿.¸š$R,g‰)KáÜgVÖ‹M†‡	v¨‚…ŽE¬êOº)·SiÈ–¢U@¶‰ƒ­ZýK«Æ+žç¶‘Úص?iÛtŸmZÚ®êö#g‚)¤˜‘úØÒ¢6R‚8Ðr-«=MÃbÐ"Ì®¥qš M£*HYqu�Ú:EÜÖG�½«s ¶MÜB3ÍÈ¥�¨·Šõ®Ñc‹žCw|ˆÞG�¦Ñ³³¬"(#£oµÏ’6ûWw€CÙ:
-™ãØõkãh'u{¬]#íg[<76Ù›*yªØ$‡í9R§ •¬´ím¯ÊÕ:•+ƒQºçT·Ãõ¨´#ˆÓn.튇ã@Çt·wÀ†¡qlûÜ«y›#n,Òp²
�¼åzýòEÈJõ“1Gh4—ÊÜ¿VEzÞ\r$cÇYŸIå´|ƒèDAìbçЀ¤Bqõêï<šÜpI
4ÒÆQQ±Z¹šõdÚ"
cs4å9”*ÄÞŒží�­µµÃÚìG^= „Ùææ©Ô{Q¦1á·I"ñdø�Ÿ�ý£&VÛyÙ=+�åœû
f—/²û¸�ž�ÇQe£^£þu÷È„Âìò·æÖ×,òú³ï˜ËxKÍm×ÅÅõ1Æ•ëcì¸ê”£@rR™�ÔÚa¾¾ŒÞ¥þ?š!<Íendstream
-endobj
-1667 0 obj <<
-/Type /Page
-/Contents 1668 0 R
-/Resources 1666 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1670 0 R
->> endobj
-1669 0 obj <<
-/D [1667 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1666 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1673 0 obj <<
-/Length 1069      
-/Filter /FlateDecode
->>
-stream
-xÚ­XK“Ú8¾ó+|„ƒ¼~cלÈ,3KjÃdYö4KQ[€*~E’	d“ÿ¾íØà!¶g (!Yý©ßÝ–*)ðU%Û”Ý1¤±cȦ¢š’iÏj±•›Puׇåà·},9²ci–´ÜT°lY±mUZzÏÃû?&Ÿ—ÓÅi¦2´ä2-eøa6ÿ=_qòáþiþ0{üg1��árö4Ï—Ó‡éb:¿ŸŽ�j›*ÐkÂ+³?§ù¿ÇÅäÓ§Éb´Z~L—'YªòªŠž
-òuð¼R$Äþ8PdݱMéLYuM
-†©Ë¦¡ëåŠ?ø{ð×	°ò4#mÒŸ©Û²ikãjE�ªbˎጥ±éÈ–®é™ŸGÈR”á†ú„ç9ýNÖ<&n>½Ë‡U*+ˆTUvLS«s�Ý/)Y_
-pe¤L]zH‡ÃE!Úùò¿Š©4jéG>¼@¼|A^‡º'
-µÛyí*a]
-ˆC�/sÔ96éBÈ�BèšÅ/ëù
|�0A¸õr<“ZÐLàS[˜?ͧ�¢‡
-øg½ù^ä|id€çÚ¶vºòдʕ‡®X²­9ã’©TFÓ¼äüt�rÍúÿ²›íÕendstream
-endobj
-1672 0 obj <<
-/Type /Page
-/Contents 1673 0 R
-/Resources 1671 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1670 0 R
->> endobj
-1674 0 obj <<
-/D [1672 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1671 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1677 0 obj <<
-/Length 2456      
-/Filter /FlateDecode
->>
-stream
-xÚ½]sÛ6òÝ¿BÓ—Ê3!‚I4OvjçÒi“;×½{H=H‚,N(R!)ÛÊ]ÿûíb
Š”%é}Œ°\,‹ýN8ü‰LX¢„š¤*f’‡r2_ŸñÉ=̽:Mà‰‚>ÕåíÙóë(�(¦‘Ln—=^ãYNnï¦	ì8ðéË·o®_¿úíæâ<�§·¯ß¾9„äÓë×?_ôêæâ—_.n΃0“áôå_.þz{uCS‰ãqùúÍ�„Q4|†éÍÕõÕÍÕ›—Wçw·?�]ÝvgéŸ7ääãÙ»;>YÀ±:ã,R™œ<Âg¡Rb²>‹eÄdESœýzö·ŽaoÖ.Õ_È™ˆ1¢À8ì)0ã,áÀ*•Š%‘ˆ¬ß�	çS³Þ´»àSUš&0¥ž†ð;Ó¼¯ê÷eEŸ/h¸ÃsÃæA2%¥èsZä
.ö	�ÐûR¯ÍWsúdê*(« ©tжÅ7ž`Ìõ|õ§OW›¦*L|Üšz´ùÚTÛ–æÊízfê¯W”)w�.›Gà¦àܘ†¦þIƒÃ¾_ëv¾z_ä�Ûè¼éžæfÓ˺ZV£®�Öܽ8¥ª�HE®eù_ãPÉ›ªlL°©Š|¾°Û»®Sgc\ú‹ïóSø¯�›.È�nšvUoÈòiQ­u>\^VÝê
j¾wîþ‚Sú®Í|[7 [P•ÅnÔ'ïJ^ë'§”}DôÝîÎ{îŒjghµÿ�_²Ë¬6úC°(ÁÝç_³a^e,ª¶9qÞÞÞAœ²Lðt¨ñ?¬Nž_‹pÒÉ´D³ÄSQ&ºj&P!8p«6m^Hÿ×V·fmÊ–>4¿s.Ê)£Ë
¿5úÞ¸½D/ûÂVB²4�š†[Ý®L'О(a”J�i¼ÇÌ"¨3Q;º¦'\MƒªBh»¡ñ¾¨fº x,øh+ãé̸
FB³�X�·«Ü-;Øp­±ÞlŒ®Ý>ÖŸšS´R¢ØáÐ-0P¢$™jÒé¼*Q·÷ÛZ“vq1…
9©¦¯—„lWàa65´…C4¸Ñˆb“ŒeJ…_Öl
- Ï5ûx+	V¦½:%↳¢š ð1oWDa ÊŽh	ÓÐ4*yÛ¸Xå	ˤRC¯]˜¥ÞÎéó¢ ÈšF4;êAB–†a2‰³”…!�?Ó3QЧ²-Ã@m¾Ÿé¨P(ݶp8WG6CÁ 
	OïÞQ�lß7Hñ�ÄÃý/Š¢zDÝgÉt
ÚÉ7Ø­à×Cnü„U0ŒÍJwN’‘“!6/ïý"× ˆ9}U-…5WdCǘ •¶¤ÖrS=–}FÖš‘„v-QCG÷Ü�:¤
-‡Î×»Iõàž:
™Â,‘³Ê<7%*ƆÕ·H`K9OúrÀ:n‹•�§r9tÙ	÷9ú0h<]f,â2¤'ØW)J®vƒES
-Ã1ÍÆÌs<„MÚ0‘—crÄë11ñ¶®|,
-é;àC+&Œ‹®xuî�.ì…
-ïk…½^ø:
DDñq›wM R¶žÇ²ÂºacñGâó
Ôlz•‘î’D´MÞ´¸ûصZd*B×w
èšÏF²ž®t>��%æÌÍxÎKâî-ïÙ7	�}Wéç…Ñ%œ0ÈK°ÁCw7ê³LSãUà,¥# 7Ö@Ïí˼yÚäõho®“™üV¶ b¾Ðþ†}À2ãL@>Á2ˆæãƒk!>/[·¯ËÇ|¸gñîásŒoe©»g »ò$¿îm<ù~Ä®É?�º$cp�ßË×½
�\t¡Ñ‹2¿õáŸ]#¬ÁRxÖìs=F’áÿ…#Ïn¼+`ÿñß’ûÿl¡
ˆ²LŒ¿ß‰šÆ˜8¡Pp™?Xºÿ/�Eÿ73sѺendstream
-endobj
-1676 0 obj <<
-/Type /Page
-/Contents 1677 0 R
-/Resources 1675 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1670 0 R
->> endobj
-1678 0 obj <<
-/D [1676 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-470 0 obj <<
-/D [1676 0 R /XYZ 56.6929 587.7171 null]
->> endobj
-1341 0 obj <<
-/D [1676 0 R /XYZ 56.6929 556.781 null]
->> endobj
-1675 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F21 950 0 R /F22 973 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1681 0 obj <<
-/Length 3745      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sã¸í=¿"o§Lc-I‘’8}Ú�ì^îz{í&�Nçîf*Ër¬Y[òZòfÓ__€
-–ýÓ…#›šËGø¡´V]î.´‰B££Èc¶wë´º®sò3QšT%3Tj @)
-€�^Â?�o2ñÑl|¸»[ÜßÝ~àv—£àQoDêÒo×›£éxMÇ�Ç5EKcbÂAô(Ú¾8µÀÄj¸},¶œ�`È
-Œ´G¯Š6õù°4aïd§'¼ÁRŒ®Æ—Gc=¬ˆÂWçc=¤5ß²Äǯ:¨A‡rµ*¸ã±¡?öuf�
-…`’)çݳÚSÖÿ	JYendstream
-endobj
-1680 0 obj <<
-/Type /Page
-/Contents 1681 0 R
-/Resources 1679 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1670 0 R
->> endobj
-1682 0 obj <<
-/D [1680 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1679 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F39 1173 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1685 0 obj <<
-/Length 3662      
-/Filter /FlateDecode
->>
-stream
-xÚ½]sÛ6òÝ¿Âo•g"Ÿ9÷”&N.wW7—¸7sÓö�i›S‰TDÊ®ï×ß. @Š”;Ó™&“\,�Å~ï‚â’Ã_qi–d2»´™f†s¹Þ^ð˘ûx!<Î2 -c¬ïï.®?({™±,‘ÉåÝ}´VÊxšŠË»âçEÂ$»‚øâÝ�·>}üéËÛ+«wŸ~¼½ZJÃ>ýë†F¿¼ýᇷ_®–"5bñîïo?ßÝ|¡©Ä¯ñý§Û÷ÉègfÑ/7n¾Üܾ»¹úõî7wýYâó
-®ð ß.~þ•_pì\p¦²Ô\>Ãg"ËäåöBÅŒV*@6_/þÝ/ͺW§ø§MÊŒÔÉåRi–ÂþÓ\Ì
-
HÖd,QRõ\–bŠË
¹\¶»å/œËM9>±à‚
›ÇËžlÞcMì.£ÝO˜ÎÌhû»Çòj©T²ØåÝc�oýSsO¿]˜öÂØ.º+±xôã¶Ü?•{ÂÁ£´£÷Š¼ËWy럺†~ŸËšFUÝvû«tqXwe1D*¿Ex©ê‘E#®.%H&K4pB°Ìéε¯‹5)RU¬ü‹1CɤI$p_
-O_oâÎæV.ïóÃÆãU-m¡cÚ„2,™õ{ ‹±”G|!.­¶,±VüÍ–,KÓtZ¯—ýŠËxI§ꔀet–w
-É&¦Kµ=ÃÆê­ÀŠöK9"�1�„ÛmËmÛå]ÕvÕº�3•0e”>KB�tJÃÀ\à´Ji; ÂY‹Lyd-ø„Ö‚¿]˜Ö
Eo*|ÞW]ÙÒNÖì_h|hóÿÞñ´~�ÆoVÓoù{Õ�Òj.HiSRZ`	°9cV�%LâÏi2W`eY¬ÈÌ‹¤�P•T±$�lkFU«rœÕ•k^Yz,ÜqW3:’f,G�ß: MlŸ2s1!n}\cìQSïQmðŒ6ò¨éxt§¶×D¨ºÖ/º¿°Øºl=àÓ{�Qc µÒ)N8æÖÈ]%ü¸]/w|˜”»_¢Ò,ý5é—–’%&AÁÈs<åûëý¡¾vÚAÿ3Ä„ze™Nµ>úÞ$É<ç`ðÙÊí�UK°CëŒV/4ãyò°Ï·§{Ì;š{Îëδeíßo«‡:ß´ý´;ZOÚÀv¼›…‹Uu]Õø¬Á	˜ :HfÐ*…^|E¾ß¿ êiÔ‰fWçc}u‹ÕM]N…,õ‰HýKEÕæ«
¹HÔÈ ‚�[2‹œàŽ«ø|ÜH/~‘Ò†-OgŸ«Í† «’Ø#%xOaÅ�=¨ª†t™ÉEŽü¥
zµL «GæX`<šøÕa´ò'Hp‡O 9ÀDe·MççœLO)�fÚªÀÈÆIˆÃRBBUrÒÏoåËsã¶vÂ¥�þGâ	ÊÚ#à‰)g9´�åžÖ-{Ï:L.Êz½iœ>»éÚ{ãæ°ÚøW¾€
í¬5™a\òô¼�±æh�åò§r}Ø· ³¹P+,ã<üY
-z¬	þ@óRk†4P´5&Ž¶Æ«µA…‡<ÔÃz¥5ÁŒ9\ûÜt0ÿíPÂ
-ûªì'òŽFùQjf
Œ ÇºÛ¼ˆž=‡äRZrŽ�°¥6ZÈ(ÏuÑ·	âö™¦ÿ�És·Òü‚�	n/ª)‡a˜±JÿÕ9.;G×$Qék¹
pê<c^QíëŒj,—½šF
-È^LjÏ“ÐcMÐ0Ðm‘²²´!븎³xrY÷:Š€>¸öY`æ»´ÖOD9£{£¡__o
ú¸ÞŠ�
-ÿëê-@=´Ó¡Â%ãš›©‚K%DÄTN¨53¦O!1æJ]ñ%ÊVðía¶âISÇl%Q3º¨`±¦©sô$�ÙX:_ÜÄï¦z&C@ÿ®¥¹ÈxŠ*ï	:Ìà…áX(^Š	Ä•
ÃD…mîmª¹YÜÑ•FQ¶ë}µŠÅHe¥TÀ\Ð-#S¨	�ëSÐäþá’_"åíñ—ñ§Ê{º.Òÿ\5uhðhuè	E©�òZ%ŠNŒ¨Çz�Ž“ÕÎú�Y&Õ+®#Bš÷
	·[Uu
¹B{>$ê³»÷H§ÛOD;ØŸâ¡Uq<´ä3šÓc¯?
-	�ÓáÀ€/êe5
€òc5ê(8o©Àç¹n&÷ГIÚ«O{Ø�7ö/,7S:-1}ˆO"¡$Ô(Ÿ„žø`È=ScŒ/TP?Nç¡Pƪ>½vÆ<KÑïNõÆŒaZX9$ñn8ÆÈq7S0H©Í¥²Pè©4{%íèËÿTíNV$}J
-w7™˜>Q�Bèj@Щú¬Wè8]
	A‰¨ŒÚL^)sšvù*ŸÃ&ßœDq΀ÎP¤©Æ8ÎÛŒAYøOµÜ5›j=%®XÑI,5Ê-”ß­HcÝS€Ú7=7Í:ŸÒP¥ÏxP�f’ò©·õ}^ÁÛa¯©¦*£ÏÓóUs肃…Å}™wz��Š‰Y‡ª ƒ�ê•F}ŒuÆ¡¬‘CužìäFGÃÚYzž€k‚‚aÛDË…’@a>SäÝpàc}Fµ1B¨§
-â6(È

-¹Jõ®2,æB­}ØÌTè,ª±‹	å=NÃf¦|¯Ò5jµS™¥¿âI±Òᤥˆ8eŠHÕy9ÆXórì±FrÌ7§Q{%`Èg÷ï±&FÅ/°“!NŒZ@´yh  =n©
�"D°!œÒ…7H„8׋Á‘SÎÿ¹Â†0äû„
-©ÿ
;‡nË`yøð¸Í×Ëö1 Wm=ûDŠ?5u€
-"{C×8áei’7t- *ã!Ñ‘ñà
-ÍlƒWA’”ç)®ÁüHéúë(åjˆG¹He@hDÛ¼‚áwʾÒ�Ž±Î(XÀr7$;oŠQ
*å󛤉MG% Î”nê»téâ§÷Ÿ¯ïÞ}¦G
-Œì¢>lWÔˆwx<�ºsXN»<@¥„@¾cTVO®wŒ ’Ÿ{µ.zèûÛ¯ôª/¿»fÝlü^ûüa(Ê5z˜T÷-'
~!©X”ˆ[ßTJŽP ÙóáÀ†hã¦l›W5õ½±é€BjCÙylÔhÒJwÕó7xJ„ëIŒ¡gnÃ,ñçwqâ€Ýc^:§”Ñ_ŕȪ‘.ôÏB‹}Ýl·‡ºZ»Ü°ï±‹•‡M³Êý’ÀúY
Çü Kì+.4Æš×ðËÕd ÍvY”OÕz²®°‰ç·ï±&ö×”fH€Óv‘áMåkÿŒ	þBbCª¸{!
-‘P§£û–f‡õ	(sûÆ×1Wõ€Ï[ú½ûçÍiæT·¹Ko]´
É%L˜–Tkzè«Î}§ž.‘K�ü¿¦Æ»:ðú™7*‡¹ó;tôÀË¡BSIîÜrKM!_ÂaËÛ)Œ•+
œ¡Éç26÷|O¬ÜÒS_â)_âiïuò‚žbAúgüw$´}å		¿y 
·u¡ƒG,Ž·øv¨öäÂFûÌÛ°Áæ•ùÞ‡
m¯è+
-endobj
-1684 0 obj <<
-/Type /Page
-/Contents 1685 0 R
-/Resources 1683 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1670 0 R
-/Annots [ 1687 0 R 1688 0 R ]
->> endobj
-1687 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [222.5592 527.0395 286.2499 536.4491]
-/Subtype /Link
-/A << /S /GoTo /D (statsfile) >>
->> endobj
-1688 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [80.6033 371.7332 149.9876 383.7928]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1686 0 obj <<
-/D [1684 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1683 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1692 0 obj <<
-/Length 3717      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sä¶íݿ“'yæ–G‰¢D%�Î8gßÕIΗھ¶™$ò.íU£•6+­}n§ÿ½
-gæ‘fC¬ooŽÞ¾Wéq&²$JŽoî´Œ�Æ„Ç7‹Ÿƒw9ýñæüêdi$âd¦|{qyF=ý¼ûtùþâÃç«Ó“4n.>]R÷Õùûó«óËwç'³ÐèæGLáÀ„÷?œôáêôãÇÓ«“_o¾;:¿éö2Üo(nä÷£Ÿ•ÇØöwGR¨ÌèãGhHfYt¼:Šµ:VÊ÷”G×GíFÝÔ)ùÅÚÅÉñLÅÂ$@cRÊRH
R›¥:‰ŠT'å(œ’²ÇB)oêº�-liï󶨫Y]•O»[Sà"MÍñ�þÖÑ€�ÐÀ¾uŽù¸9Éd°ÝT'3edP»ß0°'aPÝÕ›“Ðs»²UKýõáí2î:&róÃYCè¿H-ÛzMÝ¥}°%O¯WyQ50RG^-h†[Dƒ¢€
)‘„
-÷ŠLëÈqü¯º²
©ÌcÑ.	Ê+ú­×ÈT^RË~™—Û…¥FY4­pt%
-MdÈ	ž]ÃÚ2~ßÚM�¤±‘;N,5ì—µ�·vA­¶¦ß[]å;¡íPòªy´DÑ�<Ño/Ij³8
rûã‰S\oçË1“~Á¸U£4#!Úf]W�“tuÛÁFK�ÜíÈ�z,”bjPnvM<9üš~÷N;×tdsÛ4Euïé,&–­àX0¯«»éVò»¹üÇÙ§�§ì&v·]¼ðC±p„P	Ø5]ž~dŸR0.-
À¢hæõCn�µKÖ”ñOÌWvRi.з¦JÂñ1&Ò#@xŒ5vƒ+;ü¼lêAo3 &ƒù²(„×Ï.ZþmhÄmÉM*ó'&°®ánKžâÔÑ1×Úͪ
-à~�¾:x^¯œÈ
¼#‘¯¨Eò`¸yl³r
-Þñ÷t,z™jn=žº£³ä.o0ŽÖ¤wîÏIEOŒLgëÐÇ'¥cœ:r�ÇuË
r)EYoÕ<Ýí	�ny|¸ q®:»åŒr”�É’_AÎz/Íä'4ò/-H2gÐ.Zö¬y‰7sœu¢ÑÛÙùoM×Ýë»oènÚ¢,G>ž]Q¨´ì«ë;ú½ƒS·4±r~é¡‹–¶š¼9='l5Þk¯�[Ë&Ç.{±s-dŽÒu±*Ê|ãœ{VŽÁ…‡
qƒ=sô¶ä›Âc

Zvµvê+8–…Ÿ‡QUU¼gÇŽ^K¿¤d8n1¶ »¨FãdâˆÙeŽ„âyðÒlŸÖöÀý{zùÓI†Á¤ð.k§'18
¸s¢`Bñ�W�n"Àèî�6sŠÉŠ{VÃ_¢(>;Ç¿oxÀN²(ø[×i\ççküËkºû€±?~¾>ÿü!”%Ó½Y’’¦.¾$È÷TÇîh›ý²Ì·
ª¥“ÂÛ÷ñ0[
-·Û¢lg·ö.‡«˜p’[wŒ°þ�Ë_3.{ Ð+Îcƒ¨T3DT–[›N„ŠÍŽí�lêÒ„ØÍY­»ŒkŸµŠ¥ŒÞí
[lz’xF ÷¯?ÀL„‰Nþе¤eªçG	VÛéÔÄùi¡!2â9ÕÔé…#µxÓ ¼×=Ʀ“”£ðN/¡Æ�¡\-"B[ò
-�íõ
-FH¬’“ømÚº¯>¶“¿·áÈÙ¹Œ|Ø6ÊÂT	�ï궨ÈO…kpɤYwÉ|3@ˆ‚a¾¢zÓ…
ŒòX¬gÀaYçÌ<׿†ûô#nZçmq““Æ® @SQ6Ö’7DdÂdJ�Õþ9M‚ÜD÷÷jÁµò‘é5iÈ
ªIÍ«<�—‚+Ð$Á)—SêõÑw/#}a'óÇè=7ER)K_RaãD2N줗6„²7˜žöW£°2³Ý�
-¹g™ˆê÷ø[ß±¶ÊL(•Nøt•øç�Òæ
wà½ûJÃeí¬Gîý•�°_Ö{�É,£Ò5\	`É$ž©ÉG:±z�.fªSƤ¢	�½õÌ×�*¤j2({9JápQHHb<Ëd,˜?í…÷`ã`æ8Š
_Žïiø·c}?ˆõýŒÙpŠöÇ&¼GX¶íºùúíÛÇÇGQ4sQoîß6u¹u©ÿÛEùðv—CˆrE¦€æ˜Ã�¤ÃÚçj$—}jÈÕŸ§bQ‘Æ&íLÁ)[‘*­Æï#­Ü ê`ˆ*Î8ìélû2ÏUC(Å”¢„Â_©ôk%Yï¤JõLXð®ÞVx-öV
-�cStRqñ󹄌¸õj]�ñ"·õv>c¤ÞàÚ"ˆš_r° ÷L%cyƦç;:zeË'~^Kz—Cïë.•TÓå=üÄÖ¿:¬V.ÜÆÐDÁs|‚‚pž{ržXŒæý¾õÖ=µ7HX!ñ‹^¾<Ò8ô 'Ä„B”!,QÜ(©‹^ÝnÀ™Ðm A&Ú‘I±LT#Y ´¸-1
-}Š{ùéæüë‰mÃ~t¢_±é$ö›ö�¤Æݘ
�s»i)­„ƨ
-z³àרaw¨†Q,»¡ZÝ|é¾tÀÎÇe� ˆÜä„¿N 8’3	:ž
†Û™?�ȧ©üæmÒ
-k6á8ü5þm¡|ŽßIøoøÉ\1ÁHÿ&jäøKˆ^fX/�rzÏ‘Tàh£ðåD'œØ´[µ+
-Ù…¥v'aàƒméÊÎw6]ÑßA\Ö•
-5xé2Š9ÅE
-
Wî³kvHû‹ŽM Cö)1§ð
´‡/ü9¿½R/&b®Ì2o›É2dŸq¨^òh6©„8H›ÖkÑ‚ŠºVXö\|ñãCL‘c¾Xp0â¾iÂÁ–CÍSøG=ýGiÐM�ŽCìÊ)ድH¤JvL 3F÷½þJ&�=;õv4Ä8
-.Zu!%~oTµ¾b½-S¹eª|9#~E#óºú続û‚sèÃ:üè‰0.éPˆbhÅó€+I1xI{ý'=ÚMÏ3ê´{̲è:*ÛúŒTi�ß~Nè›ìªFÿ÷'¦ý÷·q*”1•L„‰@Á™)Ü€Îv9×Ê€~Géëÿ6ƒendstream
-endobj
-1691 0 obj <<
-/Type /Page
-/Contents 1692 0 R
-/Resources 1690 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1670 0 R
-/Annots [ 1694 0 R ]
->> endobj
-1694 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [116.6985 242.3486 321.9289 252.5104]
-/Subtype/Link/A<</Type/Action/S/URI/URI(https://www.isc.org/solutions/dlv/)>>
->> endobj
-1693 0 obj <<
-/D [1691 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1690 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F48 1253 0 R /F11 1353 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1697 0 obj <<
-/Length 3596      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ¸ñÝ¿Â}:y&B€
-.�pQ¯Öy[ÞFìW_ìÓÈïó†[Õ]{ÏÓõ‚~µzEƒ4‰ÇcyiÏ«9K›÷Ëٺذ ?\ð+‰Q£ÄŸÏçe[ÖU¾\î€UÊOrüq"ý¡Ø4Í_}±âüúË™W“sù30×Ëå’F·­Íèý¼-æ´°¨74hï¤Ï^ªé—Vê‡rΠ9ͯòõº¬î!
­ºSIá�QáT´G’
3U¾BQà0l—˜=ô¬ÞMͺ®æ´"ù<=ÿþúiDÛ¦ƒmv kÊ?ù
ùÅçóO—Mà=è³ìéó
Íóª±é´)6Às†îk¿E#ÑÞB`ý1FéÁجaB8««6ŸµcSaÓL24)½%	âï¶Á#àù„¿Íº˜•‹OÞ3ò�FA‡ûK|˜0&e…A$(<­ˆï  §2MEª2™C~U­a[¾
þ²	å$.zhŠ¶Í;+Ì[ú%b`ðP�4zÍ&·FÅo¢1>Ë6¨êvl§š½E¾7>xg:TïàNò¦lF­ð2ŸÝ�ÈS�;ÌT֗爕.ÕÔl×ëzÓ6lË@šÖñ¨ùrdo…Î
-±95±pŠçõ*Göà¹a±IÂzýˆî
ç(RãÔ†&Vug†ðt´ÎFE«óæ-Ìúyßc�ö
-ƒ²iMôsÅ·Ùr;/Æ”8˜%öý`V×�
S…qa–ãv¼õ‚
égY6-AÇ…�Ö‘@S¤ìõ”BÔ¡æ
ǤÌœ£œ2�”w‹`Nå‚PÏådGhù†
*ž£Ç(|œBáÿÀ›’,qt œàMÌõ>fòFÄ`TÁ2ZM0á�~î–w¤«Ý“›Ä”
c'hèw8ïuð™Èdâ¾Gtê#Ü‘¥ó–UÁƪµ‰M|7‡µÏ©§‘"K•étˆkûG½¹WÆö3/DŸ/´oKÞgzþ
-§ƒùÃ4x8PæŠ/”!¼âÔ&/—”Žâ÷Œ‰ýl“·ÆåžÎÒâ
yXã'ïvÄ—k¡\F_â#JγwC¦Cõ2'œ&‚¥"Ô‚Û4�+3?Þ¼aYÜ<zV¨]ôݶK„vvOÇ—]­‘Ö’óQzƒ9#}ä’?à‚m>ÃmÌTAURg²ƒL•Ò¿z4ÏÉÚ‘dY›b¶Ý4�ÓLëj¹KÛ�Èë¼^1‡SÙqx°…vBYÉ]1–à
�
-¢%Î
â.&É®¶á-ÙÍÃB 4ÌÝ3Á{=RÑö
ád¸N³l‹MòzãL�fÇXí•~BåBänFN™j‘BÚÆ'¨êq5‚‘híIŠ
œE¬·6JêvSä¿O!ckŠÙ˜œ$¤åYOLJ&$&Œ‹)PíºçÅ”‰D›�˜_tæ¸Ç^LøÈ¡G&A8(C¹ÒFOqG&{T¬÷ÀkŒ0Žù²œcEÏó�õvS7’Ê �ˆl–o©{�Å®�ùõò‚¦E`x^€ãÚÒ樠p%Ôá}òÀ4Ks«¾rã<UVaO+{V+Rá\yúkbvYÔ:˜“˜¤¥Ñ¥ÂÒûŸût¸HG6‰v5­Ê2aÜÐO”Õ¬^uÉ+ZB—
-z;€¤_ƒ
-Òëë¯W›aÚܳgû2u,àüb_mL§6ý€LúíŒt`y™p
-ƒ¦N„K2ʇfð¾M`ãÅLzéèá_ô#“×î-¡8‘Ö½–6Nd8ñZ*~þ÷ÛèJ)½Ö½J)
-%5ˆø©Âdª�c‰š^¢ãàà·ã[€¬Çü_ˆÐ]£±ª§›"ÊéÐ
j‘ù®×ˆÊãÌ“Êã…‘‰|YwŒM²¡î
-P´f¬u"ñZ
оÄN%¼r~ÀNDM”ÿ³À+|î| ¡¦Éœ~Â	N‘u ìcH=%µ™lv<TSÈše:d3x£�n§½ƒÂÞX.艮�´*€¢‚r`\­$d/Þ¿Ä�`ºë7¬O´áìœ0¯—yE!·¹§Ë‰9‘A¶ôjÔ^¤Ðºkß ~ïûKê(ÃÎz沯ÀaGÖæ7ó@™3!µ=èPt¾”Îõœ=Ä&v|ÎÄpŽÃX³áD�dè�9jë4ÛÛUÙ†k|í¯%M�ÜqôPòÔ|—W+"#ªö›½¿ü9p‚ÑPº’dWĆÀj½,V�Ùƒõ„HõD¶+µDA¦Ïg»}¨§³Ý*ÞPN›øÚ
-Ý’zgØÚ=Ôn*¾éŠD™î66~«`é–‡;â‹mö<Gî
rgßõçåµá3‰cÎBÚ­t÷j½õÆÂJoŸÃŽíé1äxs¨u¿„P66Ž#h’¤®·Ë˜¤ÂiÝ]2¶X¶qI™À6‡e1˜ÚxÃ|PèÆ*çz�:çºNÝP+-^zÆàÿ÷ðbÛe¾§—>ë}ÂNËMVeU®‚êÁCŸyøÐe�Þ9ªBÊ
-òßHÀˆ= ¤[¾f¬ÚØã‚b!5�p0�2��’íêô-Kcs†¡Ã¢FåiXÓñ�æ¶B&3GbÿMì°ËÁù´T�hìhá–
(ͧŽ¶"g‹Óãz!3üx@ÊžÌ	ù3¢ªsNö¿	±ðÓ70#MÙ*ŸNÔ›j>ÛŸc¬¿™†
- çŒ°“+Ux/^.ÊÉ|»ZsœK
ÞÕ»£�€VÃ{ž®7†&öÅ𦯻î5ÑÆLU	ç»>a�YŒo$Ë…Ô·Oð¦ëk[txás(4˜šN¥9µFhØþùJ¸ƒžîÁ�ÃÅ!ÎAL×ÅQÐÔÖ‚0|Ö£å(du0ÏSp€©ë¾�}}ˆ÷*z´”t÷@ÿ÷—‰ûÏ6!µ‚’ó‰Ê]e¿åБ¨ðÑfrœ]ð'ŒÇ¤ÿîG²úendstream
-endobj
-1696 0 obj <<
-/Type /Page
-/Contents 1697 0 R
-/Resources 1695 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1701 0 R
-/Annots [ 1699 0 R 1700 0 R ]
->> endobj
-1699 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [406.7896 280.3845 476.0457 292.4442]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1700 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [303.3452 64.1455 367.0359 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (statsfile) >>
->> endobj
-1698 0 obj <<
-/D [1696 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1695 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F48 1253 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1704 0 obj <<
-/Length 3375      
-/Filter /FlateDecode
->>
-stream
-xÚÍZYsã6~÷¯Ð[äª!qÔ>9‰�ujdzqœÚM%y $Úâ%:"eGûë·‰’<Ù©Ú)= 	5€F£�¯A²	…›˜”PaåD[IRÊÒÉ|uA'Oðßw,ð$‘)és}ýpñ—¡'–XÅÕäá±7—!Ô6yXü2ýæoWÿx¸¾¿LxJ§Š\&©¢Ó¯oï¾õ=Ö7ß|¸»¹ýî§û«K-§·î|÷ýõÍõýõÝ7×—	3)ƒñ<ÌpdÀÍí߯=õÝýÕû÷W÷—¿=|qýÐ_Fnä÷‹_~£“lûûJ„5éä(aÖòÉêB¦‚¤RˆØS^üxñC;aï_7tL©0$5\�(�óžZª‰N-Q‚§À›js™)§³lþñ5Û\23]øžyµzΚbV”E³ó]¯E³ôTžmÊ"c_òM]TëÚ?U�¾õÇ€”}­2Óf™£Æ@.Ö“‹[NˆO�@ÿ©ÖyR7°pÝó:ð÷÷¡4I­�¿zn`é qˆ¬¬+9�e)á˜0Flšr7(›ÏóçÆÏ-Mon
zæ©	sïò±õ9%’×ߌLk•F–u52Kdz¼ófõº,æKO.³—ÜS¨5GÔÙ*Pù#žÓc>oüsV�	!41”Ù°Äã¶,Çv£ˆ¤,ðdëÅØD–ˆTG…7pØùØD–£ípCΞòú$-^òrwÉ›’#HãÄr0ÏDÂXðotI¦¥<»ªÊçþàN¾>ðAJh
-ÕÖD).ÇcN`Jú\ÞeØHÌi¹œ’ʲzMÖùk‚¶z°>SœÐÈÓ´\#̬]«‡"Ü>ŽX:â¤í2M¬à¦;$aúMª¦~C@¦Á—€˜å¾Í‹|ÈÆ·›K3Ý®›b•ûá/Å%›f#§Ë,è[¶²mÖ‹y;)®9æåpôVö¼Ìñ/ò2o¢/ÅØZ0�	ÅúK¹H ©
Sj	`Â#ˆ”X-£=CbŒN¢/.òÇl[÷+ÆÜO¹åÒ·Ç
-4sªñx]›•¯Ù.ÐuÞøÅ\î�Ž»}ûáýÕí�ŠqâS^
ó—<ð�¾u‘'©óÍ‹K¦~5g¯L2µÑÑ^Y°#´9c!…5[ˆD»ð'Ym@`ð?Œ´`®’ë`®ðg®ÆŒ›+3œh“ª·Ûë_£¶Q?¸Hl3ßÌ—Ùú)÷K>:…T+ÿO
-¨*9ÎíжÆì$R¦yl×e^Óù*YõqõÜä⫆øÐ5PKÏæ;Ë«V«ÖRËb�=¯W†Ì³:ÆÁÑíA" BRþ	iû¨ÝK(ð…
-‡4@j]�Ž£˜ÄK‡à¯^èB°�­×®ëÙ=Êù§`°ÿj=‡56�¿ÃL7Æ!‚o +«ï¨«Èëª5 ŠÐ:ƒ@b™=?çë0'ú>®–
÷â©péÜŸOq™ÍKV¾ó�•[©<B³ýÚÃoÝ~™g›fæ™Ä™Æ‚¯ &•ªw+á–XVÏ9^cìüãb»	iŸÇІbût	Ðe�ÖbN1øPoŸŸC>¯óˆ¹Ái¹Ö{·Euï]ðjkH
¬`VGq°²wŽ¿o�Ÿ^Jr%ˆÖæ<4gýØ:I¸N¡–¾Bèõ@,-щ’&&�.TîWÅœiÓ½Ë7nMÀÒJ§bèšå¾ÝËÓÆ'šÀFDI
‘]éüRä¯c÷M)aÔ¤û7Wû›2¢EçG
-}^ÑhŸˆ
òø›+Ûme�IÄI7Òø¶zñ± 	Š‡4%Þi÷íhS,°ãSYÍZè‹Zj©ßpB™áy„ÓgÏJðáéc¥%L
-í™eDèv®«Õ0â%P�(u6VˆTÇ*
ƒXrt>i	O¥Þ‹¶VÁ+®$¶èo\ÅD8 œ& ÅûÅÚs…WÃB[7ÛY7
-S®JƒæŒˆ´w@7a/Ãí
ðÝOÛ2£~å\v’! rü•o‘#ð‚‰û	’±sk.ƒ%+=÷Þ.öÁƒOç@Tk—É�
-²
-KzÄÝ„ÄÍ-ø{“»%í Á¦{Ž÷®»8;TnšclD¥'ŒDB±-ôÐHpÚoë�eE�w†õ!p?ÐŒ»³¨õಂqØ
hÍSE(‡C}û~¡
�2¼Ùé¿ëÿs£¢ ½à{T?ŽÂ\�ŒG1œ*i7@¤2Ǿ$àX&Á<\j¢¢ÇJÞU@ÕÂ�6™žÖ´ LxCJÐ’Žp1-ô
WÒúç™
¾¿ƒÿM+¨ÉtÌNE€gøÖvô«S´H‰²Öž¼4d,:ÀÆw,€ŸñŽ)1j_˜!ÁÂ(L5®Àžd_²9pâ�àr(¡¥Ô'.Ûð}RêZuZÛ¾ìï´Õãójëóú5}гÖóhcÕiè0Ô׈q�ÔW'Èl\0Ä8sF_01BÊ3
-endobj
-1703 0 obj <<
-/Type /Page
-/Contents 1704 0 R
-/Resources 1702 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1701 0 R
->> endobj
-1705 0 obj <<
-/D [1703 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-474 0 obj <<
-/D [1703 0 R /XYZ 85.0394 729.6823 null]
->> endobj
-1388 0 obj <<
-/D [1703 0 R /XYZ 85.0394 704.98 null]
->> endobj
-1706 0 obj <<
-/D [1703 0 R /XYZ 85.0394 268.3773 null]
->> endobj
-1707 0 obj <<
-/D [1703 0 R /XYZ 85.0394 256.4221 null]
->> endobj
-1702 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1710 0 obj <<
-/Length 3924      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ¸ñÝ¿BoGÏD<|ü˜>årNê›Æimw:íÝ=Ð%qB“ŠHEq}w±ˆ¤(ù2×ñx´Ø°ß€œ	ø“3‡q¦²Y’E¡ÒÌÏWb¶†¾W’qæiÞÇúéñêÇ÷:™ea«xö¸êÍ•†"Måìqùk‡*¼†DðîÓÝûÛÿ¼{�DÁãí§»ë¹2"xû·‚>Ü¿ýøñíýõ\¦Fïþúöï�7÷Ôó?ÝÞýL-ýœ™ôþæýÍýÍÝ»›ëß¹ºyôké¯W
-�ùrõëïb¶„eÿr%B�¥fv€Ê,S³ç«ÈèÐDZ»–êêáê~Â^¯:µ‘IC£¢x6×Q˜ýé]–a"% %&c­´ße%§vÙaá.¯Šn±™¯«}1^°*Œ¬´?ë	m�5A\õˆK‘„±
-ò%ÆœÇB/EKƒì¥q¨
ž…³È÷m±$ݦ ®Úb÷µØqcC¿y×ÏÛŽ\£¥ˆ4fئä_Ê03FÙÙ‰•¥ÁîZ¦AÑ6{,­‹Æþ.[j,;ú]–Ëú†7ùWrØ5A‹¦n»Ýuì]Y¯©‘Ö
-3"zÐã+F1Õð,öžü
Y_«
-:Ãr´ª‚�Ù´ÐÁb“×À2,Ñs�ÍÆ„*Ž¢™÷yµ­IPçn=#à¾oSþ¼?`¨œÌ‹|=¸’&òþ}Ì
äÝT€ïO~"ëNgãØ;ŠSòÈFïÀDÏ;b˜ ¨»»�ïÂÓi飂ÎI
-!�
…ÀM"è© _[~ôZÌqvLë–ùU‰çÅú“	÷fB£µÛ ¬=Ùd+ÀZy
-‡M¹Ø¸À:‹…ð¶!XßíÀÆ´—¸�T݆ž£*°«’ÎUš�ß®8	½ðxÑj«˜*&0øÐì«%�œx¥©Ý:;s±@›nËgðiãJèîö»š‡P¥™»)ÐÅfèrɽ%ô÷�Ð×V¡¶~r+5Äô`µ‹]ÞnΆ\*N
¯ËúXçC.�uÃy×ÌÛ&?-ŒFa* \¸HÞcMÐê[&©I†Lj/ôG™¼{	зØÅgx¯¥DJ÷Z,6Åâ3‚ÇÏØéoÖZj°ñ±H�6¬‡ßûû¶èht¾ÆêS7B´>
ëC�IhEþomÀ?«Qi>§�Þ…€sDA%Çü´ï,0ú·‚yLó
-Š
-ó}•D›,ØãËÕ5$àûËž.o2å+lEÛµ„ÅÁ?mÀŸWÔ„ÏCÔ±ÌC¸Ìˆ”üó–LrÅD‘­ÄNÂ’ÇIÍî3Íøâiºd2(ÿ	Š÷d)yÝ,"rv2â¥I)QéUf#ZÛ1XM`uºŽþVD¼i.C¿R,6ÒKèfÃ*š:_¾PÏgzÊÒçŠYeC#u@ÑóX™x•{@Ã!
|çýæ„8ù
-‚µ(ú3wwl´	±8<¡ÚÂOñ§Ÿ”ßÛG	¤é™Xr
-endobj
-1709 0 obj <<
-/Type /Page
-/Contents 1710 0 R
-/Resources 1708 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1701 0 R
-/Annots [ 1712 0 R ]
->> endobj
-1712 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [154.2681 390.6622 203.5396 402.7219]
-/Subtype /Link
-/A << /S /GoTo /D (notify) >>
->> endobj
-1711 0 obj <<
-/D [1709 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1708 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F48 1253 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1715 0 obj <<
-/Length 3535      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿B�òLÄ
-7òçÙoijlûç³8R¹IgÏðG"Ïåls–¤*J¥<¤:»=ûw ØuS§ä—¤&Je¢g‹ägÔ´�ã(NAh‹L�H…9YŠ)!{,òn½”*6‹îekÅñ–E’FJËlÖ'<Z>`M¬/{ë‹6š­k»®¬Î*ÎæÝcÙr¯A^ÞJL�€N¢LÇ)¬Š3_lK8ƒEdå6I8ÏeUÁe±o­_Åuô¼µ»'»º¶µõŠz×·ÔîÎ…™ÛeãÚUKS‹ªñL?—Ýã€p6¿ýzAhùÈ.ˆKêH$Y=åi*§kÀqÖWÛ‡¢+Ÿ,}uûlw-˜®ñüî‘Á+».öUGe;!+‘æQ&rÁ‚¨›	Yùõ	%i?T0=
oò\ÿˆÅ+ãØL[|&""ëôuZ4/ZÜõ3†¤ž»…–*’¹}£’ÅM¦‘–I6Óé\¹Í^÷Ä‘êD8Ì8J•ô¦óõ|¡Åüþ—óË‘h€¨’©™i•Á¤ÔùåìÏ™ˆâ$‡%V¯ïv{�‚¼¿ÚÈÙÇö4ëoËS^ôI»}é¡3ÁM$2ÐŽÛVƒ6‘™ù˹Œç–?ÊͶ²vÅ€šZ¦ÐËGÚOò,ÒJ«Y_¾MeÊ
-Ñ“/Àƒ�ãG‹÷q{êr[dP¨Xœ¾ÝF•†ƒ5&(Rå+aJ"nmw‘�bŒ¯tR2{÷–®Þvë£-O;\÷¸ñ=§#
f…wýƒlÔ3ˆW¹Ó	y,È¥ÜÔ˜$öaA/k—p‚›'þ¶÷ôîh¤o®J¥Ýœå VuÀ8hÅmõBpz À�{;e.—UŽÃ<§ò#7P�PúËÃN
Ø»8˜ˆ+:``è,nEÑòhÍÄûó
3`0 w%iJ¹`m³áѶìöMsÑ0ÏùUà8·îk(çËÞ'½Ã|¨æíÝ
¢UÈ“âöÀˆ´Dõ-íŽq*®|ì ñ?|t°M¦ê4A47ÆL4L¢d¢|Køa.&ÔV.HH}ª6�ò_vÏc`.N‰Ú`›fU¢~-ß¿Âc"*¹ó# U~ÁqîªÍºG­çUÛ uBÝT<5%WFÚ«P£ERp‚†o|ë™Ø
-ëÎÈ¡qá�FØ^
ÖnÝE!÷[jC¥k0a­Ä†�$;j‰)@Ø6m[ºkEÛï[[·<äT5bC†8=U³5}÷j›Ê?`=S1‡½f_qwÎñ\¶6¸Ý%“à%Å*Ü
-ADзºy®fŸ\Ì(äŠý
-á"ê“	q>j÷Ê�2ÌᑾQ9
-@®Š‘Zª©U¨Wup&#e¤:ù¾œà톯çgŒ–à`Ô•&Â9:+w’¸–`!À!‡µËáÚ¯’ŸÒa`,`€Ã¨V|å%¿Ž´œ—CÁRvƒçøá{Ødµè+n¥z!|*B…lt¶v¦‚_ŽoììÛ0Ží°Ü†Àd´y:¼ç¨”ò(Bi¢–a–š?•ö¹Wåö6ÑÁ©|ÛáeJa]j*]àÑnÂÐØ(DœD^sŸ²
-<rŠÃ/4Ðà™º{Ü ·vY®_Ø^'V�n.—û]K%™\45QŠ:. óÏBpIR;À‚•õp8[9°#^vTܧz­š‡ÁÛés±«©Z€�
„¿âÁNÓí)i$&2Bû3Áôyj]ùÚo@²Hháãc±„z²¢êXö]6ñnY"¹ºî�Vë©öäÈ1vL0dòM:Vè4Ê�o¹Èa•FÑ5ßö[ô¡
-5´„’½`�jVDL:Õ
-¢?åTSnHÕ[š+”lÿ6$¡q1í�5,üjpêÝŒᦤÝÛ‡[—i(õÔt›(’“‚O
-]ïɺ
•ˆœûHß
-endobj
-1714 0 obj <<
-/Type /Page
-/Contents 1715 0 R
-/Resources 1713 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1701 0 R
-/Annots [ 1717 0 R 1718 0 R 1719 0 R 1720 0 R ]
->> endobj
-1717 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [293.8042 549.7735 355.0043 561.8331]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-1718 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [395.8905 549.7735 444.6373 561.8331]
-/Subtype /Link
-/A << /S /GoTo /D (incremental_zone_transfers) >>
->> endobj
-1719 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [309.3157 518.1046 370.5157 530.1642]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-1720 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [305.9683 486.4356 367.1684 498.4953]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-1716 0 obj <<
-/D [1714 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1713 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F48 1253 0 R /F62 1379 0 R /F39 1173 0 R /F14 976 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1724 0 obj <<
-/Length 3757      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÍ—Û6¿Ï_1·õ¼W³"©Ïc’NÚéÛ¦ÙdòöÐö KôXYr-iÜé_¿
-¼ÕÛ‡ßSëǯ~ùåÕ‡»µŒ¹zóÓ«÷�÷h(ä9^?¼û�zz\˜ôÃýÛû÷ïÞÜßýñøóÍýc/ËX^éiäÏ›ßþðnsûçOè$nOðâ	™$êvãZ¾Ö®§¼ùxóŸ~ÂѨýtQÒJ‡jA�J�K$Ip‰µÒV�»´A™âÕƘ
-[ɪ9˜¬øÝó”ÉA/Z«‡ªiMšã¡\-}q*Ê’¾8ÞÉxešC]å4ÔÖ<U—í¨çÏÎÓ¸/Û€&?}¼ÿAPÿã®høÃ]Ý•<YU·Ô™¥]cPå ÷ZJ‘�²B¤ÕmÌÁrRoJ³o¨§)ªÌP³;œR;žó±½5ÇcZrð¼°#ü³+¨‘Sï¶>R£Ý™1]S—][ÔÕ„¥Ì4�83)")ÃÛHF"R¾¼°½D´SÑîÊ%÷pT¨˜}Úf»õ>=L¾Nóü\À&ÌØ�‘Zƒu]壧Z`dlf2Š„–I<åäa‹«~ÿÖ�Ç)âÀ`z¤x!ÆÎf‰VÓ ª
-<MûS;4U댭"eóq3ŒM%«�#¯)ª'êF9Ø>Doó Œ$ŠíZƒ¯Ôgm [Ê�°b
/ï22ؤ÷ÊS}üLädîuW1EJ�ÏæX™Ò9nAÔ8';g½7né;¹2Ç´e
`ìBÅž™p*`×m–|—$Ö¡^=¾y�
º©*“¡P
l¸N$ÇCù�øïº2ÔÓÓª
'v´(%Rlx<Í2shQØ‹Š²½½“�`«©3æ³iéµk¬LØd»Z
-<Ã&ئµ¼1Ú‹IèœÚ³Ò^o{8†fÅŸä¦)ž*÷‘�0HÌJò(²Ú¡´(iÌõØ	™‡Ÿê“y6G<µ¾c§Ç
-�D"ô5;U•îIº™ë­‹LŽ\Õ'Ž¬uù<ØzÑœE`ê
-®GÓ1ÕåhÚS¡èx&– 
J¸Náo]Wkؘy8Õp”C´¼ÎHOµÀÉ$
-éúÔ	^rS‹¹ðe)á�Œ¬Ÿ…dÁଔ;Ö`ÐéŽB"N8”Å2„tÆLœy˜�Ù%vU>Kêø�ı®ÝÕÇ\¤x63,âïö�•ófnŽ&ý¼Î+ˆÜÙ’G
-
3âi4?©YßØ:Ó7vöúÆ—^ßZª@?ž‚Î{K@lØvÁ3ÐY�I¾ŸÄ«WÜÛtOO¦ið®±j æñÌ^¡ä½8�Ò–|à`tŸ~6Í„PÎØ~j7† [
-ÿ<ÕÆPÊ?]«·]èd¸ÙÖY]ru‚W�4~“ƒv²vÉx¬æð(¼še…«½ÉviU4Ö€í+ê7”ÇA:Rw
YT¸rla
|©·1G�‘ç#£
œ=ÚóßP‹
Ï­ÿÒºhÁ3s4ƒD	ñµ‚Í\•g뎔ÚÀ®2KÔf¬­MíZ ç&R=Ò�ÀN%•?ÊwÉ´†Ú¼X½á|ìtÀ´ó;èe~˜ç|lš"L6Ń£0�§Ñ®H5²¹©
-w¾:M{KšöØ‘ìAÌÙIáPw~Œ““‹¨·+¥
ˆŽx×>Ù-vSœËéÅæv08‹P–ŽéO�¨ËU9í¬à>ûF΅Ī'$‹¯è›þD„6Ir1[·0—¶Z„¤�%†8ùgN½#£#äì|ç¾�vŸà‰þÀP›·)Yrû…ó7Ë7zÓ&„é�‚�á4Êv&û<«ô-ËâF¤"‰ìÏM =ç^ŽÏMx8¡%ƒr.mQÏ€ó¡»`²§²3‹³cM5I.}ÎÛ7_Qø�«®Y0° À…؇'ms2ÇiáÔ4ÎoU^w=î4 �|Á¹/&ÿÚE�èë¹ÿˆèrêïˆPÐâ/Â0ëí±Þ¯sˆð²5GSeåÔ@	/òõU^z¢sf&h6
-�
x;_C‡lh8Ü°ùµ¦ç†‡©†Œ-Š�ð-ïù`î"£œÌfn:vèz‡Ò œ†Náj¦´^ïTä­-IkJ…áÉÛ¹Â_C9§ç³�éA°”ëÜzõæý'ž¡âž½Ù×ÇjHlº=³µ°Žï‡U0X+œ_L	nÖhøƒCFË.¹“²5¥5zĪ4+ºìPn#¸ˆ…OtjL§èDÓƒŸÜ9EÈO�3[WeÀÆÔ�íš•M�ÆDÖc~ô²;"�
7Žµq·0ÛÉíMSümè—G@ÌC‚›¢r÷CîÃaF&KwC䮊X·I¯¿Äi™¯‰{Ê~µ‘áÔ™LŒÉ̇µf¨�é±è
8Wfã¥
-W:g˜ wóäëàÀìÔMb¡‡"×ý’ˆ¯¦š…ƒ
-e8”îÍÊÒPh
>8ìõ�.TC‘k~iÓ×½¶6ü…ª¿$ÂR>þDbZ’š'ä<Bd�í XÛO"/ cHú븯ûIÅBôZö“\ºŽåL˜ë,‘»ÐŠ0�x¢«<rñ$²¥°"utû�Õ´ë)á�N`Ûî/NL\–,­8€ˆéÑìºí„¸rávLJ�F_Ð�û[ò¬;ºípÑ.mæ×Ùý=ûéùa¢ãAîó-U—\B»D¯»òˆêŠ+;*k€¶XÌw¹g¾ÞG2¹¾|Oµ°þÔ—ZM¸¯´Ä£r/´›î
-ö@Ô1ΘµŽzcÆöˆ%û~á²dú
-3™ÛsÉÕ»º]ºÛFäEΤÎ|}6s‰ Ÿ˜ +2‹8½¡fË]–‘J4pn1x=!"?QÓH}¡\å
*
ÇøNÅt¤+<Mé”´HIP–ø°¥1r_/ó =Oø2–_ŽÁjôÃC­‡X3�·ßíéϼhܵÚ7p{"ô|ÇQÚµK<)-üYñ×ðtá—É:øsâ÷z‘ÿñ¯–‡Ÿtû‘Ðq¬–½²0	3eÐ퟇þyó9ëÿhRíÏendstream
-endobj
-1723 0 obj <<
-/Type /Page
-/Contents 1724 0 R
-/Resources 1722 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1701 0 R
->> endobj
-1725 0 obj <<
-/D [1723 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1722 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1728 0 obj <<
-/Length 3591      
-/Filter /FlateDecode
->>
-stream
-xÚÅZÝsã¶÷_á·Ê3'ßúàÜÙ©;=Ÿk»Mf’<ð$ÊæœD:"eŸû×w» H‰’sMfzž9‹%°Xüö”<ð'O½M„ÎÌiš™Ä
-iOg«qú
-,›³©Î²IQ埗ÅüÝÙÔh7É«9’ý$§Ñy±È7Ë–:íúÌO6M;Í«Ùc½&Æ5`ô± Æ‡ë;ZŸI?©k~û?uÅ´4NUÌAï©M'W"5E\«Fwi|o#Ú™D¹”¶ðZ4Ä4ÜmšdZyæá}�Lwï‘ûtª½J”P @)“ÌZŸóe9ÏÛ²®@
-!4€WT:#©ˆ²=ÐÁ½y¬7Ë9
 ¿´6_·Å¼›¥;:£•	ùöÙi/ÌÖc­[„º#ψŸõ‰q."µ¯Ê�‰aymUDa
-ú¤ð	µërÖòHð¿04{Ì×ù¬EóAzSœÉ	óPª<ÍkÕæ_‰ˆgÞ+Öm^òÊózEm ¥�@U̇’T³›4´*$OˆÑ%•�!~Wó
-Qn² |pE=Ú"4ª¢}©×_BîcäqýÈã 9H#
f³:Ì4çxæ8@ÀÑñ¨DØ4�Ä
-·TY4yÌjZ„ì)íM¤–cÇûD½Ö"/—cáÒ&&“¾.aîqÑ\–ºèß–èÆ¡…LÊe¢ä/ùº[œ²é¼bOò°H^5/źaðA2i3L‰úè‚ÝÒ<×Åà¡Î/Š‘¥R‰µqÛk†é˜3µVt[0›ÜYm4£¬Òn=$¤Võzô$²Dë,í;ÈS˜4÷*P�òfiÆÎwj*�`†Êi*»�¼,ò%Ñë¦eûÆ‘à �¾B|yž‚�‚GÀ—“²¡ÓS6ðÝ^¾'288~³bFÒ¯$/Ê“¯êy9Z¥bµbÀ+šRtFÔ*¢Nü˜ß-OTx‹ç�?=-Éw@E<nªÙù
-rö¦¥4NEC‡FÇDYåíì‘nx‚hõºlW´
-äþNØ9.§j3A�-âúõ¦�Ö‹nš´7ÍÈ6Íh²™&BJÓÿ0
+†Y÷=‡‡…²=Ï�vfX+BNðrS‰‘³ÃAÞ?Çíñs±¬_ˆÚÖO̸ oZ[¥ÙS
-Œl•‚/ö”�›ù$“:Û/1c:��(\æ×U
-~xeSaÑy…Ðbõ·/5QÐU5ýCOQ`P¥öM½,g|Æ—kP_4
-9Ž<¼ûŸî�p„ïN†¡÷!˜�Âðó_›§…ÄÖäéhQÀ›Krà‹’Ó|h®i¶Î%„m�¡$Ín|^WiydeØÿˆW»à´X•-]¬ÀH¹Õé+QºIe”•¿ãá¶7Oñ#T³ë”ÄA#	€‚„ÒD“¦øZÿ—Bà|+VB'B¼õ±µÏu8öv\ýÂo:W>{W#"ñƸãëw\#
¿Â)›
%ýŒ™%V	7Ðß ?Ø™­Ðv%{úð“åmü:	$ÌIßlB©FNœ�y(r:·o9¸¸ñ0Âöéí Úô|Ÿä÷×ç/îØÜ¥v‰·~çcÁA?3øñÀÐß
-Ôí‰óhR¢ÔûÒëoMKÆNÒg‰Òò�ƒì1>ÇÈ´w/SüL{lÝŽiáÝëÆT¹áÊt~ÚûÁùa¿w~ØíÎÏ(O
é\òøø»Q$ab†
NÌ°¾ÄÁ3&fØŽ‰¾Œ‰YÈ˨XIñg>cß’ûu“Þ&kØåÉäOü#ÍùZxy˜¯×rz›¡a‡².lu…šâ
-±?ÈÙÓ€¯7%_2ÚhúDi;'þuý	«¢ýö„\Z‘iäscñšÂ&øÉgƒ¢ûMàþÁôö×äo�ý�ÛG- …ÀŸo°P(¸³»’w¿¬Þý¿/œ|endstream
-endobj
-1727 0 obj <<
-/Type /Page
-/Contents 1728 0 R
-/Resources 1726 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1701 0 R
->> endobj
-1729 0 obj <<
-/D [1727 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1726 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F48 1253 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1732 0 obj <<
-/Length 3626      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Ùrã6òÝ_á·•«"..^;OÎÄ3qOÖãÔÖæx %Èf
E:"e�òõÛ�n@$EÙ3µ•š¸Ùh
-�`k8ú\T[ƃ—p—jä`›ô0‘/Û]åZ¥Ló
,Ç3wÌ‚ßúÇ�?p_òþ%³kAO	úd÷CÆ—¶³›uY[R…þÖ5Ô™Çf7rGn爛mÅNëž·­wc;rÔ
-œ!9¹àܶd8ìךÚ:�ƒ;€€‘~ ZÖŦ¬ö</^Nš;úy[>Ôn7kd·%è‹î±èè«lÝ”¬G°+ÁÑnyœî
-�j‚��M$y$€³
\¿9¯AN%>\,ú¯z9•¤‚—L½‡žÊG[gröØ{ý¢ï3ï 5›½ãdÊìe*K¿Àê³^äÐ!„Âý íŒQ›<ʲ¡)rèNã^~5å'à{ÛSNü ˜”r⇘Clw3œšâ8Oà��Rè&PHHÍaÕÖ
¦°îÆ‹n´;;r€(�OØçoƒ„Lå>!C¨—¹ä½ì?h‹œ³/è€y/û¢Iî€8Îø€\n¹	tÀþªlÿEY/Ñ!ÊÕò}JÄ&ò™ûm7ò!7çÒ\à4ÔãÞ‰ø¿‡@ګ⧩5¹–')Ìœž²PÏ4�yÞÄOú‘HU2Œ£_ÑMHTgƼ^NšPNºº^M,&
”à&ù*³WIê+ÕpÕ¶×|lç:Æ.“þºñd\b>Dƒ“¾Þ û0ùË®¾GtÚÓ{¢žzTM±DÛš—ã7P�ùúT€�LÒÙDÇ|ý`I‘
øàä+‹±´Ã?s.Àyü]4õB¨‡mˆ›ˆu^nBb�mCß„*¶]3§³Ò44æþ½™ ¨µ1¹×¤²c¨$ÎBÎÔ´e×lög3´}Êá”a‡
-™¾ÓG*•\rS6ËrQTTFQ×ÉZk	AU
å3n¤¶;Âø"ÎÌ‹gëw¡2êÌåÒïâ‹þösÙr}Íëüƒw/ÃÁgä—!Á)Àž°ìÎ2ØwÎr¿ ÈÜ–ô�žO0Ò!¬^$öTtŽ)
DKPÜ<œpÛS§@?ïO8Ö§ãu{š
Ç{°5r”¹80âIC¶ç°\‹#ÅT¯p¢E™TzÀ	')ƒmU)aô—^E ��£uû1Àv a{ò.ŒPèkÓ—ï"P½ÂÊñjÈ
-îNܨØʼn‰ð•ãM§ÃèÜÛw"óQjÔw]ãk�ªF…Њ:¡ÐÛ£ußp
ÔÊçý¶^ìi£=¡)ºrA_#7à(�}»^‘䮂Um;Û⹓Œâ#¢@øðñqm’<¤ðÑ/'ºíIê
-Wò£T¢ZÃȨC·Ý \{Pùž ã±\o×ô1ÉºEm2¿“œà%‡B\
Yñ‹Ãô¶¥ŠO‡ý%8äϯío ÉÈ…W
iÌÔu€/P2”ßȃ2´(ž¼EÞ`'O‘?tåã+3
�Xϸ¡\D)èC�Ø–ÔƒÕ¾_*.·‹8ü„¼W"xŸêtTÈJ·ÙÏ»ÅÓ|cWÛ>¿³
ÛÔC/2¨&8¾³�J&Y2dáî"‡KpÉÍL)lNí#R_Ó·õ´ësûUÎîÞþB
-Dp¥ŠCOö3A®V‚¿Nv‰u•ÊH´ÜÇë÷<Ç•­
-rÓt–^S˜S‘�q	ªŒ…WD¸:QT‡!j¢H†ñE²Šž“¦Šdq(’'kdHŠ„ðþ€�ðoÌ°åÓ¦|.üYøEЇVšo!ipÀb”\Ôèòß3¡°¦DÚwÎ4½g0ÊÁC”7l9ƒY|sîÝÓiË1xø5æöTŒ#*ÄéCá˜ðÏ™ÔösÇ;@Y5q¿#Í‚˜g—SÕ	$™9êCuŦãtr´î<Î"�È\t		ô?j“ð¿‹9G`b´+6K.èG[gX)Ê8>´ìP<+7‰ŸËHx«bA)”£X¬i÷<…±ÿR
-‘h
-endobj
-1731 0 obj <<
-/Type /Page
-/Contents 1732 0 R
-/Resources 1730 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1737 0 R
-/Annots [ 1734 0 R 1735 0 R ]
->> endobj
-1734 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [226.1733 390.233 304.5885 402.2926]
-/Subtype /Link
-/A << /S /GoTo /D (man.dnssec-keygen) >>
->> endobj
-1735 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [325.208 390.233 403.623 402.2926]
-/Subtype /Link
-/A << /S /GoTo /D (man.dnssec-settime) >>
->> endobj
-1733 0 obj <<
-/D [1731 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-478 0 obj <<
-/D [1731 0 R /XYZ 56.6929 146.0228 null]
->> endobj
-1736 0 obj <<
-/D [1731 0 R /XYZ 56.6929 117.3366 null]
->> endobj
-1730 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1740 0 obj <<
-/Length 3122      
-/Filter /FlateDecode
->>
-stream
-xÚµZKsÛ8¾ûWè6TUÈoòèIœ¬§fœ¬ã=lÍÌ�’(›ŠôˆT<Þ_¿Ýh
-ÊT @”7îý==mÃÁ`/D(ܹ{§+Ëi �!è€H‡Òm´´1L“ûû
n1øãá§A*×}¹¦ÂNŽ'Pz&
-AuD›™‘B§8Ès½¢Æ©4T#™9ªX@Š6ŒA8ÄaŠXQI¦
°1MÓèý¡¨ã®/Ö_i_l9èfœ†«„A±r†/
-¡©Ž`¥èè7�\I?(­	@"E7`'^eƒ‰ua!
P\žl÷=Í ÿ#ý©ÝÊo͆~?âÚ–´ªË�[#Ÿ$®X?«ª®0FQØæàÔóUm÷u°Š�fô·Ãã£ÕÉù'
Ê
-¸ñõçorìÏ@Ñ>BèI¹	mçdí@·ª)ÏVL§Í˜þÅŠ9ä:_1—fáãîxô£Ê©
Tú\½¬CàšQbT;
à�fc-FµSHå,#¤Žšbç‰hQ|Nê(rY‚)gG÷ÂÍë5pÕúÐV-Í*whV´u'˜´§f+�æ‰b2›à¿=€7tLî:×Ùba2Ì¥ÂäVÔœˆ Ã
-�û9°FmáØVeÙøÒÙáImÎÄùºÝí¨�5FÄÊä~.yó,O´�4OÄ£u¯ÇrÆÐtšL0Ç`ÚIEP�ø5”﹊ ]E¸â]Ûôû¶~½„—$'ëI�B�Zî�Ù•›tþÜï«uo÷4Àw4ddKÉ�Â,˜–#0M6G9]5(©�³hUyîúr‡€ÜúË)z�™L¤ÈÔYm[á—ÁC`�ü3E{*u@/ðÈ„M•Q GÆÍP™“Ę^VÁ'h/ÍEîñ›óß²/ªº»ïCû4ÛEnŸ}Ys12:ëß]¾õ`
-HÿüåB6ä:_È—�_ìb
-iÿ…bD÷+‚‹Wqàš$Þ˜ÐÞÈÉ”u¾J>­HžkF�QIB<‡ßFŒk’8Ö$ÖíÚ^sò]Dd®Mä
-6Eí_êñæÕ¬Ñ�%A“Á— ›¶·]¸¢O®3Vu}Šœ«Nüñ²HÙ0“Èð•RjhtJ¼q"2µµR
ª“ÔþÛ/^ò$í÷¥]Õ»«­žç
¤ÍÔ0õ}ˆ"Fr¯ªõÇ?À£ôðå“TªÉÇ6º
¤Ë¥A±õ—?+wftu‰£Ëw¿v“(Uï�ÝW`/‹ö½Åœ;ܪï>É̺1é¿óÁÈ.˦ �9�ÆÄ9PÄ!C‹ò
-J€œæ0šïtÙ£±€Ñ˜Ãhð´jøóŒ.ÿ®#ø©ht‚¹ÄÜ8é¿Ë•�Vg ›Ÿ�Äÿ¹ù+Ÿ€ÙN#|î/…´ÑBÌŽ4€¤þ+¢ãŸXI(-Ù¹[ÈúIÆs㕲7›æì•Ú©êÿü&vøendstream
-endobj
-1739 0 obj <<
-/Type /Page
-/Contents 1740 0 R
-/Resources 1738 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1737 0 R
-/Annots [ 1742 0 R 1745 0 R ]
->> endobj
-1742 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 618.1183 428.747 630.0185]
-/Subtype /Link
-/A << /S /GoTo /D (zone_statement_grammar) >>
->> endobj
-1745 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [483.4431 422.7733 539.579 434.833]
-/Subtype /Link
-/A << /S /GoTo /D (address_match_lists) >>
->> endobj
-1741 0 obj <<
-/D [1739 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-482 0 obj <<
-/D [1739 0 R /XYZ 85.0394 603.6296 null]
->> endobj
-1743 0 obj <<
-/D [1739 0 R /XYZ 85.0394 580.9712 null]
->> endobj
-486 0 obj <<
-/D [1739 0 R /XYZ 85.0394 466.9592 null]
->> endobj
-1744 0 obj <<
-/D [1739 0 R /XYZ 85.0394 444.4603 null]
->> endobj
-1738 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F63 1382 0 R /F62 1379 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1749 0 obj <<
-/Length 3416      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÝsÛ6÷_¡·“g"ߦOi“´¹¹ºmâ{jû@K´Å©Dº"e×wsÿû-°
-+‰¢L-Öû+ºx€¾ï®XàYE¦UÎõÍíÕWD±°Äj®·÷ÙX†PcØâvóËRN®aºüöÇ›¿û÷§·×…\Þ~üñæzÅ]~øø¯÷H}÷éí?¼ýt½bF±å·ß¿ýéöý'ìÒaŒo>޼Ë?gýôþÃûOïo¾}ýÛí?¯ÞߦµäëeT¸…üqõËot±�eÿóŠa�Z<Ã%ÌZ¾Ø_I%ˆ’BÄ–ÝÕç«ŸÓ€Y¯uN’¢….€2„3ã¦ÆkÑÌOKa3ÑRËócá{Æ
-d|c<ÔÊ0¢¬U‹•.$È©lÚ^ÎŒ«wûk
-ÂÃA¨k‚í½q
-öŒ–(-™ãc”(Á%î8~¼^i¶¼…ÿùòd;Œ&¶b¡a±–7ñâ�#TZ+�'£ýJ
ø†¯>îùâ]ëYäK
-㮲�ýŠ´È
-Nl!¨ßu×øPõ¡·éž«CxïÞ¿×îñÉ#Ã~±Î*±üxŒ/W— š·ËôDQŽ¶d‹Â-?š6ð%%NÖžKRi2lÅ—MÛ#ÑU�
-³2ðo¯À5ãº
-ŸR] qÍH0BªÏÕD„qäÔ&y3 cärˆœî!EN�ù’ûÝ—¿‡ndõkz
-M	þ�-bøø°�
uèêªÃ¤yp|
-2®Pˆ\Ž�›²?=í°NHú/Ξ¸f¦ဃ:MQŒçŸäfÈ/Šèµ]kòÚþ!zmÇä÷
-–já cøÄq{›vÛ^�³ö]…Ϩ8'×Æã
-m`Ýžà0�¬ð~Á÷d!!¿ú M®!@ʘ¿ÿAJñٓÿ›Ëw)à€ÞyƒÃG�:�*8EaÑG@cÄ~Ü÷:”ÂÒB}†–ÆÕX9qùè^$„áÚ»%iPIÐòX`¤½KRV‚ÚåíµåËyª¦¼Û¾4µ,rÅÂÈo�9Ö)gôdáÔ¤ø8œ·«
z^1v^AµpL‹šýúUÕúrCüÞ¿x
¸úÙS¹;bí-䌡¬¶-›Ñ]9‚‚‡úk[\¸*g\.lÓ̸œh�üÓåÍ�
-Š�Ì:/»—^AŸ/ø°n�
 ùÑ渎Å;š'§hÈ`\nDÁÈêfíöÖFË
-˜¹‡ptc‘©ë
Óûªñõ@ÉÒ1µÒßyA'@»Ç–u¨7þ
-?»ºë‘jïCÇ´Z�hHUH¤|�ópÜrT(Lò¬¬É³ËxÈ®îÝœa„£Ï9n]C� Ý=UQ\<8Ib¬žD9,º3Æ–
T?çµÊ,®"˜bñ|zÛç}ÄHÂã]•—DÝAa#E߆ùnÏ!ôôH$ÀdA‹ìöùŒÑ3*^»c®œÃõ+•õœëT#ø)ßõ«W%üÍAV%.‹�¸fd˜BV
-Td˼È
[‚«¢>X»dÕ�ÖCH‚xç�½îý·qì„c>l¼ñ~É(8GMo[Ð/ù:ö]u?œ¥
-pJp’‚ù|Á<Vã
-:.Èc2
ľnêý1TÜŠF7ö`7ZŠˆFç@侉Kõš4xçÞ—†Yð2àt^I¥ObÄì$aù©8ån‘?W}ŸJÿu¸è¯Ù²�™DYR"ÚÃÜð“*D~CÃw/
-endobj
-1748 0 obj <<
-/Type /Page
-/Contents 1749 0 R
-/Resources 1747 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1737 0 R
-/Annots [ 1751 0 R 1752 0 R ]
->> endobj
-1751 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [184.7318 419.6605 233.4785 430.4449]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
->> endobj
-1752 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [369.8158 298.4384 418.5625 310.4981]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
->> endobj
-1750 0 obj <<
-/D [1748 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1747 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F63 1382 0 R /F62 1379 0 R /F21 950 0 R /F48 1253 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1756 0 obj <<
-/Length 2832      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsÛ¸÷_¡>Uî|@òäKìÔ7�/çºÓéÜÝ-Ñ–Æ©%û<�þïÝÅ)QŽ3ÉøAäX,~ØoZŒ8ü‰‘3Œ+¯GÖkf¸0£Éò„�îaì㉈s²4)ëÎúñæäÍ…²#Ï|.óÑÍ]‡—cÜ91º™þ:~ÿ÷³Ï7çק™4|œ³ÓÌä|üãåÕ¢xúyÿóÕÅåÇ]Ÿ�Z=¾¹üùŠÈ×çç×çWïÏO3ጀõ2r8²àâòçôôñúìÓ§³ëÓßo~:9¿iÏÒ=¯à
-òÇɯ¿óÑŽýÓ	gÊ;3z‚΄÷r´<ÑF1£•J”ÅÉ?O~ivFÃÒ!üŒrÌ8i
-
-¾t rÇ
-4è™Ï0?”d·ð$Bz‚ÐÿÍ|²]kz'\qF·PÁÁà$”pðP,ššfaBŒ”~ÐWÒ†œG h¡±Ðú¦¤eá�a]*#¢táƃ€i«4¯c©üˆ…v¡ˆ&ÚÏGjˆ˜ Ðë}Ô¢E[\Ô1Mzš• ñz/›™–ÍœVFƤ�\,*ÈÑj†ï;G='^ßóœQºp�‡UÍë+	o™ÒêX%�òtÓÿNÀ¹�h¾TKHÎÅÛé­{ûö�’ï†wxM9¡¸iË	Åc1€D*'�Ôê(PƒZ-¶-€‚ù)R‚æ!
¤ ‡hK0¶oK0ˆžöi¾™Å	DÄ+	Òók4ô'šЩcBR
ØÉõ~„Ox4)$>íɆ“ȳàà<RB
„Š~L8²¢Åh_ÒPïfˆ´;,.im9ŒÑ©â>
D¤’ùâSHˆÊ/ºv„eÈŽnN½שWðP¾P‘´•ÓPAn5e¿ÇüЗóߣRÕUùú˜Gk8ËÍë}D.¥;(k92}PÓéÔõÔ�®§�ꃰR‹e[Ljˆ¥n±Ôb/]‚¡mµˆ¹ú~Þ(4s<¥‚ÙÐy8Hot·.EA;q ä{š'ˆ5}¥zj‹˜> –yy4ñDç0ØYi&�±��)>ÖÁµ­ðÞÙçš)ë_<äß9÷{¬{ÁMÉ�1‰…ŸÖ½JüÔc�viÛz°Að€@‹(Á%�´,%Ç„À®Üň„”rkÇw²	¦å]
áo¨�6
-|ðÐlC¢ƒ±‡
-ŸK¹Nh[avh-àìšàZL�˜ÔçÄ9ó$IZ¼K5¤{Ê.6ÃÞ/õDxïH¸‚ASÕª{uØSØ·%Ë´'tÈÉ3«MúRò·!Ñ×&I†A´
-°&
-w/$<SÆê
~Gƒ¥ÑùP7!~–|{ì_H mÃÿûø‡>Jøó¿—ìþ÷!wNîÂE/6C4s`cI¨�Júƒp–þåPôÿp¦‡endstream
-endobj
-1755 0 obj <<
-/Type /Page
-/Contents 1756 0 R
-/Resources 1754 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1737 0 R
->> endobj
-1757 0 obj <<
-/D [1755 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-490 0 obj <<
-/D [1755 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1758 0 obj <<
-/D [1755 0 R /XYZ 85.0394 752.051 null]
->> endobj
-494 0 obj <<
-/D [1755 0 R /XYZ 85.0394 219.3808 null]
->> endobj
-1759 0 obj <<
-/D [1755 0 R /XYZ 85.0394 190.7166 null]
->> endobj
-1754 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1762 0 obj <<
-/Length 2802      
-/Filter /FlateDecode
->>
-stream
-xÚµZmsÛ6þî_¡oGÝTÞI6ŸÒÄιsur®3s3m?P"ds"‘ŠHYõÝÜ¿],H‘2eç­“\,`÷ÙTÄ„Ã?11–ÙT¦“8ÕÌpa&‹õŸÜBßÛ3tf­Ò¬¯õÓÍÙ‹OR–Zi'7Ëž­„ñ$“›ü·È2ɦ`�G¯ß]]\¾ýpýjëèæòÝÕt&
�..ÿyN­·×¯~ùåÕõt&#¢×ÿxõþæüšºl°ñÓåÕ’¤ô8aôúüâüúüêõùô�›ŸÏÎoºµô×+¸Â…|:ûí>ÉaÙ?Ÿq¦ÒÄLöð™HS9YŸi£˜ÑJµ’ÕÙ¯gÿêözýÐÑýœIeåÈj1¶�&eVIå7ðÓÎmfuµÛ.Ütf9�²<ߺºÆ¥M„4ÌÈTMf‚ÅZ?äïÔ%XjŒœô:6Õ¶ñ}2eI§#£KãØö½ôò™ˆɬ5{ìÛìÞŽ¸§Ó¸ð¿Ö»Rööq&RÁd"ãÉL	&¬%o/—A·¿ç)3"Á“B�]
Ëг]¾™¡3õˆíÎYÈv@µ1)$“ÜïÙ´_`³¨!†íÊzãÅïœK—ÿ02�µL%V‡ae¶vùˆq¥X¢l´öÅjEæwnñ›6*–$jî5ª�ÛfMQÞRýP7nM]›íT$Q5£ €Mf&9‹û"w°¥L”áC·£n·ÙzíÍb_Q6n*¢í2ÃÈFISÑÓk»f[@·»o;ïBû=ë¿…Ir·Ìv«&ŒÍÀ>£·%œ�o¸Í�[;0e+’øÓð¸¢14¼Ÿõnq/ý
-ùpeèrðWàø£ŠAù>+VÙ|åÆŽ)…�­yþ˜b™èá1Á>4HÕ–ö§ÞTeN‡›Ã!�J·!Ø�â^âéÅQV¶û¢Gá�GEЙ¯ P…õC:*®Óv'׫}IP檤E

-.5µ¬1ʼ¤öÿ^Ž�È£ôú
-›GGÁ‡°qU5îÇéLK­³�W<†@¡3À·$„&4ü„5µçAVï–¨Šy¼(\Ù¬H¾Ê¼‰Û`‘"õÝb·-š‡)l[ñ©½¢.H+L‰-†ZP.þãÚ¾�+ó0wUÒó>ÛÕ.7Ùll!'Du�!¡E4ßaL¨4Úc (t°4X¡Û(¦u/ªõ¦#�"ŒXTe“%½d
u®\V‡~aU¢©Î
-~çPƒx^�4�ª%õ†vl@Q0\Šõg¦YÕµš»¬®�¢ŽG´0† 
ðÜËè
-�‚òý�+I¡•Sk�=Pç<˜jªŠõ:ó™2€(kî<.€h³Ûn*J6©
-ÝŸÙz˜	6Ø!ùaûpuùoLq0²¦—À
- UV
5 Ÿ«ý(çM`íZ=Ÿ²’Ûx°ö’(ŒŸ¯¹«víLô �h§ßl‹{À9c€¨˜£(&Ò‚ý¡¬@s…wß‚�/©…$ÀWáŸ_02>â9VÀGƒ=TÒâXI`~åbµË	+�É’4¤�±s§,r¾ÀK¤«�[4.ÇzF½µk¨ÏþbE"ï
T@ñƒýx4,kà7�Ã:WO:€·¢ív£]
%‘ÌAoXDèªV;J„vd€Äš$-ÉÝ*ë‘IH‹æ‚bÓæV̉*Ö¸Ô¬ÚáyŒ¿}‡�ÃÙ—�ä´èx¼èPt
Y ®ó
-L’<íN§5â�Ü
-¡°i.†}íFµ‹Ó	ãÊÚÏú5D@ø¦F�ÿ`åÞj}Ú
ã`*4ý
-F,g±JÄ3("$P¦„ëï‰"€Ô\[ýýA¤gø4†¤ �?.¢»¿Vž•
-¢ý*á„
Ôôì°á‚dЖ$y傾çëØ KK›s^âšðé Ÿ«¼4üpígh�_:˜ÀL¸2_WÌö�øÇ5!COeG-dþšäÐ,åv´øó.¿ù#Â]ÇL%‰<Á"â„éŒ(ÃÐîuÌó¨ðß‚VÏõÿGç“rendstream
-endobj
-1761 0 obj <<
-/Type /Page
-/Contents 1762 0 R
-/Resources 1760 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1737 0 R
->> endobj
-1763 0 obj <<
-/D [1761 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1760 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R /F62 1379 0 R /F63 1382 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1766 0 obj <<
-/Length 3271      
-/Filter /FlateDecode
->>
-stream
-xÚÝZÝsã6Ï_á·*35Ë}�sOÛnv/�kÒÛõÍÍ]ÛÅVbÍÊRÖ’7Mÿú(KŠìÝ^n¦“™¢@~
-Æø±Jç’x^¬g(‘¦*>=õ“0“¡Çx¨£{Ó,©–®w¯Ö¥„K�þuRd
-Üš#$6�{oÐÀžÑ‰$�ò))£AqÏq{¹LU´‚ÿ:ºšº†ŒÑ©µÂ)‹‚JÈØ9C<ÚÏôh
ßðÍõN/^70ŸÅ`JaÜå``?£T
-­÷MU5OeýÀ½»²©y´üñ±zæQzþÖ¾—üŒVBꀒd"4Iç×fZ¹Nƒ¡çò1A»¤¨™ÊV Î>/¼çš‘>JÆ	�%ñ¯‹Ÿ¥Ôu�žÔ�Bð‘EUs—WÔT•mG”÷$|½þ‘™7›ý¥²QѶ¡`©ó]A-m±ÿD0ÒìyêK=ù—gh‹šnnW×oþCô$ä…�ˆ
-/h·bC¡ÿHÞW,éæý8(I�êëÆ?7
-f^Ìíçî¿2êÂߞʪ"êã¡\À€¡î5šF~à>Þð„)æU·åš¾˜‹í[‹yCbŽ»ê8A?é8Ž›}GÔ.&â® gûX¬K„(šžJ‡T‘¯·œ#‡QiV¸,6aÍÇ×$(X0l–þ
 I„ϨEQ³xÊ@@ð�¤uÀç¨SÎpM´H—�íÁSN d`È=‘à°:P›â>?T�õžžPž�Å�‰^1{ÃÖ¥·Õûë·D}(ž‰X‡�)Ô�ºc	cC[(oaê6²*ØÌ�v�ZÖ‡:½¡€
-YzÞ1g[>ÔÅæoðbÐÐ%³‘î>�q¨ˆÆ¸çÞà#Jý,ÔÏi"j¶,+èSY<ÍÃõº~¹ÝÓ³øõ±*×eÇËÊ0~V«ÐeOÏ]Âß07n怅”MM
-áæIi A	ª:ÑÀÞ‰ð|(?yGa?ó‘©àÅÃø¬üR–6"U:Ø©ÅòeëZ_éÈ{Fb¢¨°º¡—Ó¾Ü$±ùR¶2P£iÆ=V¨ëÙÉÛJ¦
-±å�Åí‡ÕãPù7
×ÍÛ
\¬ú´Äu
-°ž6»Ã4žj@½¼àék7$ºfF¤ÕhzÝ×ñ3R@ ‚�pm”!#¨XøùŒË¯�Ÿê€—Œ9'8¡â4ù2ÐA�%Ét0:-cl0vB{|cÜ8ÌCœPÙ�T(;|س•/.÷¡Í»c
9­A	›Š‰QÝZì;®BY] ~–‰¬¹&
•—OœÄÖ9Õ¡ð«“…jå‘KÌg
-Õ!×éBµç¢|ôë2ÔÉèÞeWîŠeY¿¨ZÁÒN§ñyMz®UF�ƒàq2³c]®ë;Ø``qeãP»
5Ü´X%”�uíü\5õƒ¯‘Õ/µDù’ÊbñQ?SÏ]Yº‚›¹(²T”ø.Å~W.	XPL»TÙ1®jˆ¿Í!CiÉ`""4‘[ØI·äññpà�rwØÑ˧¼:㑵e±ùó`ÔXš‰Ä³h‚âW(%“óhr�FSÏ5‹¦rSÍ£)…L[÷³šô\3ªŒÑ¤„2�ŠGºѤz4©1š¢ã!IañGÏG¯{óp¬�°ÕWûªG–ê‘¥otX–\ª¯¸ƒKMÀê:­ÿWp¥§°¥ŽØúÿA+N…N³ø3Ðp��Và:�¨šC÷[6°Ô¤çUé¹ftcˉ8F¤•¹=t.
[=^ÉqÏ88ë€×aªÒ~÷	 ¡lå¹icà©’»¦<Õ»^xíê.ˆÊAI'Ý_5[Ip•ŽÍg 5à:©Àu:[ÍB
-J$XΫÒsÍè2†T*Ò,›(s„”‘
RFÊQ¾’꘯€öù
-ž3ù
-:ú|%¶¨¯ÏWR�ó•ðBÊç+éáåMÂ
-=׌#`¥	l× ª)ñ¾Ê?¡ÕŒ>ždiÓ§h~5›M¹öç8þ›×˜>Ò†•šý5m¾áéO7Ä€±ãË{jàÔH²ËœÖ‡Ýo‚KØäs,µhµ%�­‹ðàûÁ£,ÖitEgÐÞ”ò@{ rz�û¹‰�¯µå3h£‡«z‰4ËËeG_ñhuÑ=5ûôr—×›§rÓmgÏV—NGhXôýi:’|.‡m½@{-°H#/îïqÛ«U¸¢7²�Œé¡E£³¸§-^¬y@´�?)ô,ý©…òG`°¡…M•å˜n
-³™©yu¥>±ÑÖ©H,Bò4ô'xÍ2XQ5Ú™ûí¾Šü¢ʺ+p½_ð:zàãYd9¦�EAÝãì¥
-{BéQšÖM½´—]ÑÜ`âÒ‹õÁ–³¹MË#†‡08“
N—ñ�¢ÆâákGi»ª¨>0át
v(Pïo_q“÷Úàì�S3ƒÃwüR¶íÁý¡Ýœ»ð²Ñªì�ù+ÕrxKãæÒ†}¹�ŠdRáöÛežž³±)
®t&yn«ž�ÛŽ{{2IÃkÄ]ÓmÃÒÁ‰»ú…Ý8Ìy›úfH%±p6Îί	C®ÓkBÏ51tIw£!΄”�êÏÊï¹f-°è9ÂHLíBnÑ6²[æÔ	ZŠÓPö%PXÿ‰Ð4:ŽãQT“@:©ÒáZŽ±­}ì»ڇÉú°'Ç{‡ûax%¡>\¢(ØU™éŽÝ�g 6ú@1¼Oô—8ÆÒ5‹¡ƒs|ÂÖv9:{îŽ>Pñzâ7܃àOA²$ÜÚÂwG�MCò¬?®òì¼x±[–f�ßaÖ3Çï#�(i³
^¤vsÜ«>Ô|8=X*fŽå¡.1ÀµJêtäZ^=®k¼4¢e‹OkG«U8%]¦«UÌáOÚ±ƒÍqæN¤ŽãtO'„¼
…(]‚n©y…|™	˜ä�eÄ,ÎìÄ 'R
-ì$¡$úÌ6fÀt:¡¦áõº¯Öï›ý.¹}�è‡~ö¬=ÓKÆ)Å		ëðHú­ƒrÉp·‚¯þê‰;þN^BŠÝá;=5Dl l„iðlzVšUûõÜ*f2a]Ÿlêb	òŸ ÿ̱rÞí«�þG/“€Vºã]MýÌãÍF, ‰ýàÏ=S<éžÔ„óxÆýÑü	?N
§D’N.3èꎪ�Æ7~ÍôÖñ¸"f}‘Ë·~|+éjfïåŒ=À‚ø‰7s´~No9úÄ|¦‘VdJ%ãìvÒ_&ZõÕUöÆOËßVgÑë›÷ÔÂeµú²[9ÿ5tyî&Ó·†xêLOß6ssÒI*@ÿø‘áð§
�ùúëîÏýNüÄoM"ðGz31*ûŸÁýéß饄±öÄŽÒÈTXí² N'SS͉ÓêlFõß
¶ò‡»endstream
-endobj
-1765 0 obj <<
-/Type /Page
-/Contents 1766 0 R
-/Resources 1764 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1737 0 R
->> endobj
-1767 0 obj <<
-/D [1765 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-498 0 obj <<
-/D [1765 0 R /XYZ 85.0394 654.332 null]
->> endobj
-1389 0 obj <<
-/D [1765 0 R /XYZ 85.0394 633.0122 null]
->> endobj
-1764 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F62 1379 0 R /F63 1382 0 R /F21 950 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1770 0 obj <<
-/Length 3272      
-/Filter /FlateDecode
->>
-stream
-xÚÅ]sÛ6òÝ¿Bo'ÏD(>	à1Mœœ;×4—ºs3×ö�’(›S‰TEÊ®ûëoP¤DÉÉ$37ž1ÀX,öbb2–yé'Ökf¸0“ÅæŠOîaìý•ˆ8³„4ëc}wõÝ;e'žùLf“»Uo-Ǹsbr·üuš1É®a>}óÓ‡w·ïùôúÚêéÝíO®gÒðé»ÛÝôþÓë|ýéz&œÓ7ÿ|ýñîæ
eq�ïo?¼¥OŸ3‹~ºywóéæÛ›ëßï~¸º¹ëÎÒ?¯à
-òçÕ¯¿óÉŽýÃgÊ;3y‚gÂ{9Ù\i£˜ÑJ¥žõÕÏWÿîì�†©£üœI•ÉJÙc Ìxo&Öx–)©w×ÂM‹¦Þ`QÀ
…�½‹:|—
uæñ»­›¦œ¯#jYµu§Ï¦hšü¾`È @ô(^2¸98MØ{“Wϳ¼jžŠ]±ûôfpÏBùˆ\ÆÝ7DTܽXaã7Îå¢,ªöôJ5�ïÛH\œTWëg‚šýv[ïÚb‰Nf2ãÌy¼‚y
-!0�˜}BÔ3*Dšã˜°™Þüæá“M-ZâÏ}Ñ´Mú- ä‰÷¿:¾ÿrS¶>•ëõÐâÓš«}S,¹ù»4ïàë 58l:¦Á
-¢Dî…ü>#…ÆgÌK%/Kaë¼vXC)LŽ¬jN„Q:°»J\¦¢Ã!cpbV\j3¤ƒ8,øA±‘„QBÔîPðƒ9ÇÉ"B=YÍ
-‹¢,b×<bžÈÞ`þ.ÍÀV'�C“EJHŸ§
-!=ŠÄgQq,LÀ4ëRÔ¸,Úb·)Ag@1Á
-<=”˜#˜" %¦ùrë
	�\¢Š6¿Ñäv¨+ Eùø¨	º{ó‘
-®s•/âœß¤Ô‹uÝÌÆî	‚Dä,P#Âq;ìX}(*ÿðâî!˜SÀ�„H›}Z3ßn‹|G½e÷yˆk
×V¸ö?F+%"cFdÉ
sê§Y§ù#Å8Ë4—Éw�øÑ(SÑ+æ˜ë¡o
-LV*EP
-ùO%
-èl�¿CåC©PÙ´\B7)Ô9 \þ¢Ä‚ÅÌ\G¦…±dºi
-ÈXwŠCê,ÍX	ç’Ù“¼‹´IŸ`ƒœì˜Lq1ÄJì29”üM˜˜þ‹Œ0t0¶ãxNÍä€K*AÂŽÒH¬9ÀHrÌ>D(ëý’œ3tç£B
nC~)Gã2ÓÇÞ3ÉÄÚEeOeûPV—ŠTÚ2kxbs8ñéÎàä2iµõn¬â¡ufq�?£ëpëS;‡õÇ0Ãë²90=(z÷û]N
-€�س.N¢…Tn×\1•ùìs ÄÅ·
7þ
-“K-I×
-X­.»¥ë‚[‹*Ä
ŒH—SÏ”°FˆH qL)î†Ô¼’Àûž	›½×+h
JNVPzmSfcy̳-ï<Â㞉;&D—ŸgÄñÏ�À­
--‡Þ)>î�À>~€�*Kº¡9\¯´êø½öl¤pL†
ÉíÞ™/y§$"
|öBtÓC:/E	éÔ]ŽoðÞ�í)é�NIÈP²Æ¡«OË/áEÛ%áü@˜œë“ó=ajh¸Ž`Ö““¡êŒ`æÞÄ%»Hú{Um©ˆã\¿ˆýõX}|³å2VªzìÙSƒ°ve®¸•SÛÁck”…Ñ-dñVvE‚çbì½b6­t*HüÆ
�×þO]*%l¶y[ÎËuÙ>ª`ç~L¨Ã_
-endobj
-1769 0 obj <<
-/Type /Page
-/Contents 1770 0 R
-/Resources 1768 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1772 0 R
->> endobj
-1771 0 obj <<
-/D [1769 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1768 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F62 1379 0 R /F63 1382 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1775 0 obj <<
-/Length 3358      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÝsÛ6÷_¡·Ê3‹o’—§4qrî´NÎQnz} $ÚæDU‘²êvî¿]ì‚"e'×dÆ�Åb±
-aW%žúø˜�mòÕX"†AÆ)ÎEa<‘8‚O³àݧ]ãˆ{ 
í:b½wKõà,Vߣ˜OZ¡]§ðïሶ[ò$ÛC'Ë~H1Ô‰öŸ‡K®>‘ó<hp™€h§¾
Ó!‰4IpÍ8ô‚Ò$Öî¡Ô†P�IÜL	I(TÀ9AÚ¸G\õ¡)°	Û†þsË•hð¾Ù6~œåCYVta4�®P[øó° +Úa˜X
QiÜ_°b*a,1I§‚ÁJ>‹„§O”ü”
§”Pù„}	1�æôÙ0Öyˆ1”¾ö†jgovT—°qY·g:K7Õkîw×1<�þ~È÷O}œ äúHGÐ@tôé¸qqX•Ñ£wOd'¶4sö/O�^îd¯ºD…¶ÕÑçP>–‡õŠ:QÂ
-²ˆµ1¢bÑ,dëª$ñ7Q>…¡{¹]óÈ~)ÆA ¡ö"H[v†}á‘€„èÿgvþªÇ/…<w¥aT”(ÕÇ™±cÓ32¨¦ÛÇŠô6a_Øí‡í*óûª<ÐË@Ï°|[å¯yyò§¾pv%iÿlÐÒ”�Å*_…PϤ`‘-¿IÃ*„ýÍNà¢XõÓ	ÀTß•UU,ÖÜ\À+šd¤¡»&7ðl·;í3á`$ßH9ßø¸Ë‘„fòù©ªó
ßüç!Õ¦,dSŒ.ñIR2`~Û¿?eÊ›Ýs«'Ú@d7Ùö‰åÃÐPæ
߀
-֤
-ü܉¸7‹grâF~ÄÆÞÖèígÅþ“¬$èx«/MÚ³føQ3H½`ÃPÚñ¦ƒ£/ckûYÁ¸Ö½Ô^›8«èËP¨m£¼6På!tbO‚Î0ž
-u“¸�À;j9ÖB4 ›
3ý\¹Ö€ô&s�$ÀÄÊíw_‰äçšê+¯KÈáé#Êy˜K›K:À;ý¸eÿýK4`‘
:˜Q%P�-%ŽøB¹gB©ÖUuðÈŽåÎx#|ü°eÃåà‚ß_øðc˜\l‡¯ÛÒøïåÏ
ï�¿2B>T•û|¤Â¯9êùa¡á¸½à¨6öžDkAÞS§?ó׈kÖ»Ô9lv‘ó	çƒG‡×3
-ÌIâ^ˆi®ŸÏ¯ˆb`¤{aI:RϬI�ò–eu6¾(xU'Ôó#7R#C÷—%ŽD*mlòg*;ë/m©ìW&ÞJÍ7%æTX®Cÿ¼.n¥×F«vœvÝàetÝðëqœÆß¾n0PøyA«ƒ€ŠâÄ©þ
õs±�06ä?m
-b©ÜPºv奓ð£¬å…sl
äá‡=—Ö¹O­}ePßNÓ
à1YC�’ž€÷76ôòîæsÛ«Xý|| ü9ó)䊜iÖ3íÇ6*‡º='>Ývžß»�ö×GX—Ñ㘱Œ�ŽÃÀÑÅùtEÃñ+`
KûDÅ3±€Ý95Yp;ÐGŒ‚Ÿ”6
ÏôiTðM‘fwBË>+*n$a×�é¶Ó]8¯Pb”í2\×0\Gá9oY²ü†n¶ è/© �¡é÷û™Ÿ‹iáo¼FpJ4ŸßÿöOÉÚßÙAî¡“D�!uˆ'Þ
²Q¸±>ûUchúÿ
-endobj
-1774 0 obj <<
-/Type /Page
-/Contents 1775 0 R
-/Resources 1773 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1772 0 R
-/Annots [ 1778 0 R 1780 0 R ]
->> endobj
-1778 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [471.1233 483.7823 539.579 495.8419]
-/Subtype /Link
-/A << /S /GoTo /D (query_address) >>
->> endobj
-1780 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.4645 212.4953 438.2112 224.5549]
-/Subtype /Link
-/A << /S /GoTo /D (configuration_file_elements) >>
->> endobj
-1776 0 obj <<
-/D [1774 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-502 0 obj <<
-/D [1774 0 R /XYZ 85.0394 540.8756 null]
->> endobj
-1777 0 obj <<
-/D [1774 0 R /XYZ 85.0394 517.8101 null]
->> endobj
-506 0 obj <<
-/D [1774 0 R /XYZ 85.0394 293.4989 null]
->> endobj
-1779 0 obj <<
-/D [1774 0 R /XYZ 85.0394 267.9627 null]
->> endobj
-1773 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F62 1379 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1783 0 obj <<
-/Length 3373      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿BoGÏT<|‘çž’œÓs'M{Ž{}èõ�’ ‰ŠTE*Žû뻋]P¤LÉíÜtR-K`�ý^XÎü'gI§¹ÊgYnâDÈd¶Ü݈Ùæ¾½‘L3Dó!ÕÛÇ›¿¿×Ù,�óT¥³Çõ`-kåìqõK”Æ*¾…Dôî‡�ïï¿ýéáÍmf¢Çû>ÞÎU"¢÷÷îúöáÍ÷ß¿y¸�K›ÈèÝ¿Þüøx÷@S)¯ñöþã?	“ÓÏ…EîÞß=Ü}|wwûëãw7w�ýY†ç•BãA~»ùåW1[Á±¿»±Îm2{‚�ˆež«ÙîÆ$:NŒÖ
SÝ|ºùw¿à`Ö:yRÄJ§jâ•\ •q’çÉ,Kò8ÕJû|nŽp&‘GOe»EÈF]C˜ªÜ•£¶ŽpÅ®9ÖŒlÖ„Û¹]sx&ܱu+Â.žÏ>mÝá‹;àE~™!í‰.Ø•v&Ó9Ý_çËb¹uó¶ü=Ð�—Áj™3yQ¯&Ö”6Î�ÑLspËã¡-¿¸9’ÎæÚêØÊDÏæRÆy’(Oµ¬JWwíÄŽZÅ:±†Wkö]ÙÔ-iHY·�+Vñ‘q&e:Ëd›7-P"š©HžrÊ rñ_!TåÚó}³D~uß@4±ïH�Dl¬NÇû>z1ëåTîŽ;ÔÇÝdîa¯.ð8ôƒ.|ÆÚÁK îhm‹/<Ýì]Mв©Aj‡[i#Kõ|+¥ŒÀ~µHNL¬Üº8V
J–�^žÎtlRp0$¼cíµÝ­&Ä&>'(ÍE‘¦6‰µ’¯ˆtHuY¤=îØvÅòsPúáÎy§
-îÿêÎ�hbçá!¥Pq*E2Þš.ôù$UôN
-è¶+„ѧ
ï®mŽ‡%sû
•fÊ5ˆÙ\¥1XIrºG­òhÝTUóTÖÚ“ÏÀ¹ÖuT´*QÔ„ëÂ
-á"Á�þ�?$c
-úˆ6qõºáW4]Ö�;ÔEöåÇàÍÑEŠ±kœ”î¡
-ã¯zO�Ï“‡H
-Kïù'<>ù–]óÅAn;WyÆ‘BxE!eCì€;
‹†8æ}¿Õ‘Iщ!JÑpSnŠÅsçÚñ’r�ÈÉ€Ê!m�ÔïO§qŠ)}
b£§m‰æ€›UÛ´sp�,H9®²ÙØ*r8C¾)‰)Û³‡hчÊ�9Õ#W·åÃÑïMÍ”‹¢-Û‹>ͤYœi®û´!ÕeŸÖSáá¶MÛÍ!�ëÊ¡�ƒCyáÖŒˆ³,µ×™è©&¸96“ÄYýˆ�{¼žÔÿžf‘E™ej`)-‘�vpÊRÓAí‘r©
-¿x6š=�f –8”´`F0 ¼îgµ(ãTG›Ž4#…
-?�Š|dån_¹¬å•þ/F)£Lœ
-ÐÐëP]‘h ×¹ƒZv¦ v[Xè*=Õã@•ÆpUfÌÄT)!OB–0]uEíšcKTäuøDT5Íçã¾%—r”‡²w#ÓÂÔ‚H(w�/Ÿj;–ßÂm‹
-Ù°’Ø
¿Ïwò‡ÁÇ°ÃBh'}“ÔylsúXJL¸%¥!!¦¯R`½uË‚Ú#°8El„÷àóçž;š†/Z‚
-š\å�‹²žJ†"
Ó>dl12ÕP_I;vyó0xy&VxËZR@B´4þ\V�÷‰°ªÖIø.îß/±&ÔtßGZÌ•Eú¢Is¹IµMT>jÄÐVÞã^ÔJ@7b<^¹%Ýká{WþP|*…R0ÕgFŽN¤
:ÖmY9î+`Ê©/X»N2(=MvÝÚ‡T—­½§ò’Zî/Ú9ä8™€Œþêæ=ÕÄîã–��S›%ãíÉ@òt`ç0èí`¯‚ð{fç€é•àÇw?2²©k×'5€ "– GCo÷€d»ˆj¤˜e™a×x,É¿ÐuHUœX“œlyB
%ÔvPN¿Ö(ÒÒ@Íx©ÞK~@uEò�ŠLÅßÃjÞ6ËÏnÚÍçÉõý™fbûsŸk©Çûûë„2·—¶‘$mÄ…aHY—‡rß5‡–ÜÁðÜÓg¾^Á)Ô©rôR8l»UÙ œd‘ë–à/­H9óò[;·b
Ž–\”výI¬µ<ÓW7Ç
³1ÿ
–ȤUˆòª@¯É0ï5p¾[².–®�ôg*Îó,x§ºØM¦§ØHÀ¶QU�›8¯ð°|S3±.d¦iÚŽ3«?/nòØ4³àuŸœ·8HÀÐÁMÄuÊ—r刀ÆÍŽ³b	Ö „‡/2¥AäÇnÓP„ÒÁ�
øíè8Å‚�ïX PÖËf×sö�/fÖîà“k/bžôvÓB‘B¥ÜÞDª‹Æš�âî �Ϋ¬C;í+—K½d(÷ ˆ§FŽ5J*;ï&QzðL
\™ºMsÚÙ$R™cŠš?³cåÚ6lé›s´gp~Œ
€ù'®}qs®l`*Wú와ó>¨	QÖ§Óqr!@s²3Û[»#}÷Eg+¥†�2jž@Û¢
¡·ë*vän�ˬ!^Œ‹¬Ÿo¸ÂzÕ<]®¨”„hÿJûþDsÙ'3Íô£ÕÈC~œ™L_Û¹§y±õH™è�²époê9;ì�ðpÂçaHÀ
{œ÷Ù‘±ô8‡
-½“ü¤	¾é“Ÿ™Lÿ²�*®ÙT´*º‚ ¯MðËõž¢m	äŽ+©"¯40åS3LrÓäôiŸ1
-úñ…—Å*¹-AÒµkÃRÑ÷ûæÀƒ]Ó+‡
ïEiE¿z	³Ôð_o…Kí!éÂg!@Ò“Ë}Ó–]IÅŸ¦ËÇ¥áHˆoóêû·„Ÿ
-º9x«Cí*‚Ù€Zú´�¨‰‰•8®£­…ÿò¢óú‡#¥ÆVŽœ«gDÐÅN„¨�”áùéŠç¶Í
»¢~&ÈçúL}*ÚiÉ‚¹ h‹�7+kéþV„+ë)…§Çî¼·yŸŠ’_’a@åÐk	¾Pê lµî
Î,\ÿݾhÛðFÑñ@èøæÂÐ(Øoà$gÐHN4@š¢LÂoÈÌ”ý™ÊÔcJQ¶nâo„ú®þI”Ã?^æÿþ³Ó_ß™Ê„K=]HÙñ�~t`
-ÙÏÌKÀ‰ö’õ?
-endobj
-1782 0 obj <<
-/Type /Page
-/Contents 1783 0 R
-/Resources 1781 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1772 0 R
-/Annots [ 1786 0 R ]
->> endobj
-1786 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [347.1258 530.9792 404.2417 543.0388]
-/Subtype /Link
-/A << /S /GoTo /D (journal) >>
->> endobj
-1784 0 obj <<
-/D [1782 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-510 0 obj <<
-/D [1782 0 R /XYZ 56.6929 664.3011 null]
->> endobj
-1785 0 obj <<
-/D [1782 0 R /XYZ 56.6929 640.0948 null]
->> endobj
-1781 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1789 0 obj <<
-/Length 2719      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿B÷tÔLÄà‹ 9yrS§çÎÕɹº§¶´IœP¤"Rv|�ûï·‹(P¢”Îä&ãX,»‹ý„ø„Á?>É’˜É\MÒ\Å	ãÉd±½a“5¬ýtÃÎÌ#ÍB¬æ7o?Èt’ǹz2_´²˜eŸÌ—¿Eïÿqûi~÷8�‰„E:žÎÍ¢î~$HNŸ÷>ÜÿôïÇÛiª¢ùýÇ?Þ}¸{¼{x7�ñ,á°_8
-6|¸ÿç�~z¼ýå—ÛÇéóŸoîæ½,¡¼œIäËÍo°ÉÄþù†Å2Ï’ÉLXÌó\L¶7*‘q¢¤ô�êæ×›õƒU»uL‰Ìâ$éˆS`’ÇZ
-iˆ2ss:`ŒEŸÌ¾l–å‚ÄœO9çQÑ~¦é}Ý™ýsQµgr³˜%p%©à1—B�ß³Cš…XWØôXÈæ¢2E]ÖëYéX8å€k
¢gò:=Ö"à�ë4VY®‡LÌ7e;�ÉLD=4sP³šò,Z™EW>›ê•€ÍSÛT¦›òÈ€q¥LGŸöˆfžËæÐjøÍt¦xuC›Z nö4~iÕ’†´qÛ<;4óuWl‰ú
-j‚«žb]öÄy´Æ±*æŠ'ÊXsu��4ÂÂ0Ci“'rÈÝ*ÄLï‡BµÐEQÓ¨óˆµé^šýgÂìE µ
-‚>�.å6!¤U¨Øœ'7ždg¹MÊ̲oS–L¡ªKô‰[ö^Åsmí¿èUø=R¹ EX°7ož§Þ¼ÃíhÞø%óÆQ`Þ
]gÞHÍW¬yã
-ã�$Zq‹	Ù[d2ƒ�Pðñhÿ‹èîL5@T
-È‹ŠiàÚ58|òe‚�`žKÂ
-ÆVÚ£,àíýVL~l@¦I(–§<I[¹ôÀµ@š<cÀ
—1C¯ �­á²èu* ?r“r»«ÌÖÔ¶´€š¾î�	FùÙí«<�µÔrê÷û®*ÙXçLNfÇW ï3¨¡€›~ã-FBMêàÅH¸#z#jv
¸ÃëH”
-›/‡¢Â§‘„»��
aö]
-#çQ‰ýØþεⰂ
-Öùu‡ßµ¦Zao¥úzò4Û30š$÷2ÝåR
-.9üÖäÝyPãŸ�㮨GÎÁÂ\§Þû‹%UL3%s(€S9¬—{Ó¶cñRaR�\ìí¯Ø·
-ªYÑ£¥íMúŠ[0�ÂÉ3÷'@2;,Û±FȺ°ÌÜ ,ï;‚a¤A�[Ëz.4ð7ÍÞö8*�èÒ=ÆH,
»cjB)Ý)Î*‚c\|´
-pÑItKð£êeÞKpWcJl˜Æ"bpߢ?&¨æÞÕàá9Ü1dbVoãx'¹“—j7œ[^QqÊ`±\º‡,‡íÄ€%gHô2,CîeS¢Â2tuØS2smL훢W_Rfì;"÷K}ÚFyÛºD0$æH¸úöƒD2_¬_ÞP”P|˜’y3¡ø07Ì4äó?­Ðb
þ‚5�³·Ù»1�ü�CQ ß
-õnÌäÿ$€ó–ëw4‘HÉŽþûÎ=à��H‹ç±/O<ȹ4w™™žãlÛ	Àã[L8£¯{Ѷ±‡�
«Æ÷Öˆ�½5~7€p•"hzMš`7«[ú
¶ˆ$‰ñ0°'ukJd•Œ$2¥¶ÛÐ2±óuaü¯
-Õó.˜ƒüíÀ"Ç~וIŒ?ÆŽôö¬ï�¾û7ßãâ*�¡Žã�úœLä©g
-ÅM“SÎû‡ÏYÿÞ£éendstream
-endobj
-1788 0 obj <<
-/Type /Page
-/Contents 1789 0 R
-/Resources 1787 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1772 0 R
->> endobj
-1790 0 obj <<
-/D [1788 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-514 0 obj <<
-/D [1788 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1791 0 obj <<
-/D [1788 0 R /XYZ 85.0394 751.9325 null]
->> endobj
-518 0 obj <<
-/D [1788 0 R /XYZ 85.0394 369.5823 null]
->> endobj
-1792 0 obj <<
-/D [1788 0 R /XYZ 85.0394 344.1885 null]
->> endobj
-1787 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F62 1379 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1795 0 obj <<
-/Length 2949      
-/Filter /FlateDecode
->>
-stream
-xÚÅ]sÜ6îÝ¿bßNžÉ*â—DMžÒÄiÝi�ÖñÍ=´}�we[Ó]É‘´q2�þ÷PKiµ¶ï’››Ì„	‚ 
-/òñä·?’Å®ýãI«ÜšÅ|$±Ès¹Øžh£b£•ò3›“'¿ƒU·uN~ð«Äˆg+dœçFÏ›€2DœJÒÅ<-Ú—
-P€Êð•úæ¾Ù4·_/$©5'<bsßWM
6™Ù¨êh¬›ž'¶÷›r[Ö}¹æ	Æd+(�§ÓiK›ÛE¨¬¯Ó?ZšÉS0€½
�uŽMJd©Þ›”˜ñ©
ù'p†÷"�…G�$‰Ó‡{Ô]Óö›ªëéëC_ôNz�
zºð:d
-ªeŠDAé¨=6*»û¦îÜŒMÒJAŸo/>Ð÷Ç]Ù~!p[|¡Ål£ãa¶¹¡ÉínÓW ÇÑ
ÍÎ
«Ñìªq㺣�¿'&¹¼ì`„uÓ´Ûª¾¥Õâ?¡À+O®Ü•Èg®ý1e��ÕZ±<`±.¶ueû©l	~¨6^–ŠÍæ}ѱý®­é»'2&ú~gW�WuäN'Я5m¬NET¯Ë¾Ä›ƒ:i–ïìŒ.Fþïs½CzI\—ôþÍŽÍž¾1ŠßbÛ˦e“1I,…ð¸Ý`\Ž<ð=y†Rè8Ms³HÖšghà´ØÞ²sºBÀ€¿7x'»gã�.²ó¡\±
füûÐ<YðË	H <â 
XOqr@�Å�V$ó”­ZmªARÞ`7dM¸Ú¬¯»kv›uˆW´mQß:t
-TŠžÖ«ÎMeÑ®£g…{ê/¬×ÌjW2=òÓ‚ù
-0[RCsOÀ”»!¡M¤Y=ª1¡ÁŽò¡ZyÜu¥=âv×yú}WnnÈjtÔ`xäøЗ«LºœÊǨü|¿©VU?ÃNªc
¨�{
Eƒ±P­xP	é¯~¡ÅeHòð…
-%nf²ýÉG݈°”�à¿“žâSLæIl¥Uc&�¹Uò0{']5uIÊÂ<'ú‡†€’*VŒ™if(DDt -E€äWLòpW­˜´«¦¸æ�d2:ÿ…¬H	™¸žä|ûh
TA඙·¹‘½òñy‚òúÍOP¹ƒ�»ŒP’—á‡)%¶2Ì�MA1œZ`Õ$&VJËo4˜â2$94LœfzðñÀN7W™ý†<zŠOñ¨Ó8—i:fò˜EêXe&gySâvCcéœBÎù!ÀÎÏ�XP:+„Ìæp\Ý•«?I»ÀtõU’O|Tq[Tµo,ôû~CPvc®¶7Bšp=€p‡ï
-•J„ò6FE¿†	øÃìÀ0á« �-LQ#×QwÆFÒœ»‰¿®2™·I€‚‹¹oîé"85yC:Ä%NSL6&ëR
ã#¢™êÃu±ÕLBŠ—ÏŒ9í¥eò©´Ìèï+–fÖ5Í0cùpºæÓ}µ4ƒb¦Ò²¡õ9á¾>caæ,ÌeLß2:ÄzpˆUKີ²±o¼`ì°†{ùN‹ñŸCï¹ÿ»bš$Ñ_Ž)	µ
þ>`ÄÚË—„rþŽF'¸ñ� 쌒üÞ«Î.º©ZæMÅ
-endobj
-1794 0 obj <<
-/Type /Page
-/Contents 1795 0 R
-/Resources 1793 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1772 0 R
-/Annots [ 1798 0 R 1799 0 R ]
->> endobj
-1798 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [213.6732 604.364 286.8984 616.4237]
-/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-1799 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [209.702 525.4389 283.4678 537.4985]
-/Subtype /Link
-/A << /S /GoTo /D (topology) >>
->> endobj
-1796 0 obj <<
-/D [1794 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-522 0 obj <<
-/D [1794 0 R /XYZ 56.6929 674.157 null]
->> endobj
-1797 0 obj <<
-/D [1794 0 R /XYZ 56.6929 651.0501 null]
->> endobj
-1793 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F62 1379 0 R /F63 1382 0 R /F21 950 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1802 0 obj <<
-/Length 2649      
-/Filter /FlateDecode
->>
-stream
-xÚÅ]sÛ¸ñÝ¿B“'¹sBðI¹''g§¾¹sZÇ�N'—Z¢mÎQ¢"Êqt™þ÷îb
¤¨Ø©¯ÓñØÁÅbw±ß°˜pø“Ì0®¬ž¤V3Ã…™Ì—G|rßÞ	3@³êõÕÑË3•N,³‰L&W7®Œñ,“«Å‡é›¿žüíêôòx&
Ÿ&ìxf>}}~ñÍXz¼ywqvþö—'Ç©ž^�¿» éËÓ³ÓËÓ‹7§Ç3‘
ë¥Çp`ÁÙù/§4z{yòë¯'—ǯ~>:½jy‰ù\!#ŸŽ>|ä“°ýógÊffò
-¾Çƒ¯šwvøÍû¥e¾£‰k�æ¾)nî+šs¶OÐÅß8—·÷ñ~Þß™©§©ð~Ðù\|w€ô‘#YWùÜQ­Pí¶ÕÚc€)¯ÒN9Ñ߀®¢Gß?¡g“
~D»ÙÀ	Ìjþˆä
g&•ÖÃ6Û|[,ÉmÁ–ëb³,�±!ÿù¶töŽOx¶T¶r ðëö@ÆD
q]°LBÌ뉄Ü-w‘6À[O<×	IðéûÂÃçUSÓh;.·,…®M�E°Ã}¡)Í8LdöÃ0ÉPF³$50$&9×íéÛævBƒË(=à³Þeý͇X‘ˆ÷à%éP\zE6¨†i™0¥LÖ£h/Mi¡!dRÂè<•%´‰îû¶“Õ˜ÜÌÅR/ÎVQcÂ…DP
-À2IÓ§$l’Ù,ËÆÓµY‹q£$&{ÄIg­»�Ý‘¯‹ùˆZHÉ47ÁîJš
ù#ÔB?MIXóÊû[¥åi}˜WyÓÐFFÅ%’_á7j¡zÓ’oàOC®”¶Ï—XÀ8‹Q:‰õˆ.ènc—®a´‘˜Ïe‰‘�$™ÛݺáÜšHdГ
-W
-Ì3ƒe�áK¹ú{åçÝ®BóªÜ–.\(>,x%õßzð¡¢ÚL.óíün¬·ÔÆKt*¤ì]LíŸGúGû˜Ë‰”êyzÚ©~×ñþ-‘X¦R© v%Xˆ¸¦Ý«mO|›AIà Ò¨mÃý€â)㢨tVûžŸï˜¿z¼™7_¢~^HQ{ïsS„:¿ §+rÜè„”†áè¶ü˜§„�¿ ùh/r�£í¿Š¬Ù÷ý„}ûr!dóÓÝÌóû¦=·]Üýê«I]8qtr°Ë—´m</$¢�“ïéâµB®,º´²w:ÒJPR·¡GØ´êºv�÷)Èš'"§GsƒÔ:„Ž#¡syrƸ�ƒ<9¯ò]Óov¼ßr®ÇuÚÎQcz_ŒOwô±‡?àÈEV¯=·Ÿ2k¶©ŸÜ’LÐöíµÀÁz]䎖®¾Ø�0×6àá\!(áÓ�ó�Ú<.lR•EãkH2®eß²_ïzUÍ¡ÇX=_úOOi‚›ZC-&Å“î1TìÖèƒ5@¦¨•ñôVBD{_œp–y±«mm
L¾ŠL¸¾µ0‚tê"RHE!3JÅxîKL¯à¯œž8µ@ÊR°=êíM>MãÚZE0ÑØqÚIÀM¼<_ÊÉO5ð3‰X
-xgbÇR"{MÃ[`À%„.¬78^-ðN
-¼žÝ~ÒfSð„pèd?âù‰¶o,èÌw$m�ú¼¹ãI2v—À[;ö?XtÞDcß©ïM¢†aHð”aÚßI¦éP²íbx¨ˆôÿ
-endobj
-1801 0 obj <<
-/Type /Page
-/Contents 1802 0 R
-/Resources 1800 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1772 0 R
-/Annots [ 1804 0 R ]
->> endobj
-1804 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6787 530.3947 427.332 542.4544]
-/Subtype /Link
-/A << /S /GoTo /D (the_sortlist_statement) >>
->> endobj
-1803 0 obj <<
-/D [1801 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-526 0 obj <<
-/D [1801 0 R /XYZ 85.0394 600.9849 null]
->> endobj
-1319 0 obj <<
-/D [1801 0 R /XYZ 85.0394 573.3935 null]
->> endobj
-1805 0 obj <<
-/D [1801 0 R /XYZ 85.0394 447.7048 null]
->> endobj
-1806 0 obj <<
-/D [1801 0 R /XYZ 85.0394 435.7497 null]
->> endobj
-1800 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R /F53 1328 0 R /F62 1379 0 R /F63 1382 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1809 0 obj <<
-/Length 3271      
-/Filter /FlateDecode
->>
-stream
-xÚ½]sÛ6òÝ¿B�òLÉà“ ÝÄɹ×:w¶ïfnÚ>Ðms"‘ŠHÙqý-°~‰’{ÍÌÅ3áX`‹ý¦ø‚Á_è$N¬°cU¬׋|sÆ�0÷éŒN�¢!Ö�wgï>J³°±MD²¸{ì•Æ,Mùânõë2‰E|;°åûÏׯ>ýëæâܨåÝÕçëóHh¶üxõó%BŸn.~ùåâæ<â©æË÷»øÇÝå
N%´Ç�W×pÄâãȦ7—/o.¯ß_žÿ~÷ÓÙå]w–áy9“î _Ï~ý�-VpìŸÎX,mª/ðÂbn­XlΔ–±VR†‘õÙíÙ?»
³~é¬ü8‹…LÄŒ
-”M²tÉp|U6Ùýº ]ÝnNô|IX¿1ÍîžJbž ›‰,e
-0äàsýùŽ�†çŽÓ Bjq[­…ÇÝ�ót	§ÚlŠjU¬b Æ�.=ð‡]_Ù~ÝâK ¯†ô¹T±MAŸ�~ÂØ}Áb%¤"w*ÎpÏMYíÛ¢AÒn «V´�‡Mö­Üì7øòœ­÷Å)vŒ‰…•�žÎó“ÄŠñ
;ò��Ø­[DìltŒ§`8
çç ¬p1j™­›!P‘Ö‹µ^ûKÓA§
-‘ô^(’ÂGDÔY´I'*Ó'8)EKxÖ•#šêåKQ|Á!GÌ è”Í R\./p4$&)EwXý†âG7Ù+y¶o3óÔ¯û‚&Œ¶´‚ÜÖ~Wáû-T, ªtõÈÅÕÏ?àÚûw…ut9Ž)ÓåºnZY”hƒ£8kÁ‡�oŠU	ÚŒ377�¿V»“7{wa7£Ñë[|úˆâ&ýñÝÐü{w�pH1ñò(ÍCšˆàÀ
PT©×{ï¤gr”-J3‡´à¸�q'J½eg¬v°¼�•U´«ë¶9°1Æ`¥³±S¤;¬Ú#ƒ<Ý*cÆÄ)r¤>#˲}‘¢SJÛHÞ5úRKFÕà$Q-B˜q‘Ý—”Fà,™iŠž®Ç*šv‚@ÆkGTÓ	ÕQîÉ…Š¥ê�Õ4ËóbÛbûvõ‘Žä•Ä©6)1j4:-D8Pœ”ÇÚBèSÆU„°ðOí2õ=ˆt¾h­…½´±üø^¸ŽÁ^âŠéVQà| 
-ɇZÓÙD_(zL*J§1œÄb)8†N +ðòŠµ!�ú|%Ê(˃nF
-QÁ@ɨ8\™4Ö‘^|]ð˜)k%"
`Ö^~àÝÕF,>Ôp¢ÅðP´q4ÜÙ*‡	õ–’qGj¸v(¯e”x³]P¸b(w>©��=¸m•ØX¤6]åù}W$Aö‰e`Ù}“æû(6NS‹3–„+{Ú™I£!Û7Z-–ÏðÊÇÈ™eûyïoŽMÈ
-¹Y	:¶€5ÃÇè6µp-€1·Û"/]yâ#Ÿ	é€1½oƒAïÛL—°\ã-€äbßî»Â׸£¨¥«¬a^eí –†ùlßÖ¨a°.Ž‹Sáj³aèÉ!P»è
öcQ;J áÕÅCÿÄíŒN‹‘_†çêµÊ6eŽ/û-T÷-táu*z
:•Â™@A •W*œÜ=’yÝ.¡Ã�†/áp_Ìàrª‹€‹)7Rª˜'zÄÌ�¤788Ø‹0©SæPñmKa	‚‚°É¨±Á(†9¹ßõÖ�!£ÕXÂPÄ
ÍÓ‰žÜ¨×ºµË]	©›¡Jº�§ú�u]="t_<Ô�÷îy}E£,B4=U:OÑ7Ã'NwÚå’ËD.¯pÖ—G�¿h.ÕC¦W�JmBZu¨ñRê@fï	kBÑüA`’¿S`¾«|ÓÀ¡ßá;è·§Šò÷p/i· !„NÌ„UΦ|Áä5Öc&´Ó
-ö{,Ÿ]ÙÃÎ1YC79uè¦ÆLxWOƒø;�ïn[§�ZÒa¬¯ðàÅW>D¹oL‹ïñÂV¯E¶k¨1•£´ÉXu}�!IX_ƒ÷ýW6î»"BŒõ‡ÊÊe‘Ôá]‡GP×H¸Ê´²DGáýyß8ÔITü
àn¡¡Á{ÔÀE¾ßáxÕN‰†í€’ó ¡Ó4£ÔQX—›²ëKtÍâAK6_×ùêJ|)^\ð¨Œ42ÚâG€é÷C¶’ç$²^…|ÞUŸ	[fTk¬‹¬ii¬) 
-à-a\œÎã†XÇó¸+\#YtTÕ«â°8•�hJ#N³ÐaÍð0v72f’Ù>‰{p‚à!ãCÁÙÀþþ

ùÅE5>ïimñ
r¥Ê›Œzgë¯Ñ7�`äë>«Ú°7%z€à$AI\ÂcÅS;õ¹�£Þhé
-uXS
->uF�´qýZqš�k†‘Ñ™!
-XúcNz=rèÆ%.Oõš¾\tº°×%×|Ÿ¦õ~©÷L"¤;~¬Ø�bù.—ÿäÑ7”P7zÂNÅH— —ròå´
ŸËHû|§9DÖÿ§†ÿ%‰w*6§aÄ÷[&’X3ýF±9Ä:¡a
kªaíë¶8ôQPq)%NsÐaÍ°0:­ÔPâ@¶?â¡×-‹ßBá±Ý•Ï¨
-ðró
äá;«8äyEÈù'«Ñ?Á;}}ˆ® Ê�)·RË/Qd\jÚui•’}‡ZCõ
îX‡ú˜€[V<	QJ©æ¾ySWa PíB€gJ�ˆ+GŒS;œké DD¬‚ay(`l³]¶)0Õæ¡Õ

-endobj
-1808 0 obj <<
-/Type /Page
-/Contents 1809 0 R
-/Resources 1807 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1813 0 R
-/Annots [ 1812 0 R ]
->> endobj
-1812 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [286.8324 359.3488 335.1613 371.4085]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update) >>
->> endobj
-1810 0 obj <<
-/D [1808 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-530 0 obj <<
-/D [1808 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1811 0 obj <<
-/D [1808 0 R /XYZ 56.6929 749.6432 null]
->> endobj
-1807 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F48 1253 0 R /F62 1379 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1816 0 obj <<
-/Length 3972      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]oã6ò=¿Âoç
-iWÛÝ•XÝÃØ÷W’q6
i3Æúææêë7:[I‘ªtus7Z+ODžËÕMõëúÛ¾úùæõûë�²b�&×›Šõ7oß}G�‚~¾ýéÝ›·ßÿòþÕufÖ7ozGà÷¯ß¼~ÿúÝ·¯¯72·æ+^á„7oÿõšZß¿õã�¯Þ_ÿ~óÃÕë›x–ñy¥Ðx�OW¿þ.Vû‡+‘è"·«'èˆD…Zí®ŒÕ‰5ZHsõáêßqÁѨŸºÄ?«óÄæ*[` R#J
m“®2[$©VÚ3ð©|¦
ý®e¾v»îÑ1üÁõn<´íüoÕðÎ÷º²6”ã
­J”È
- ·ªÛ¦nݦ¯ïÛº½gü1�i–(•Fÿ£k]ŸœqX$ÂÂågªH”4fY¢i3Æ"†È%‰
-X¸í®n7wwpýÃf¨wî+:æ®ü¼öØÃáù7
-!|h•D
uŽ½«@
-mÊ–Z$¡Ððš´ä}f­-w®Z¸,­“LÇÛzª½ fbÔ¦¹-ñ*KéJ
-,ʹ/>Ö„¹m‡Ë[ˆ[š]4UÈꊀ:k×n»#ܹ£n_Ó>#”�Ï
-qg1—(¤Wgë»ÒsØhB‹dÛ/þGXœo
Zô�¶@ßÛOÚk)xrŸ·®ïë�Cìy
¿7ßþ|-U±¾èÉLŠ:•§/{²1ÖeO±‚c¾ìÈÒÄØ<{y÷ˆµ°ýÔ‘I&¦»“Ó9ƒL	ä X“CŸnQHa¡
‘dïï;#[7>¬i¢„€‹Zf’ìuÑýúU��úÑø
1-5Y¥7™�c�…øìy8ÙU‰É2;�h@0wð¢SËÉŠa?†­±Ã~ôcÝû1³Ã&S
­[F;91ʑЉE–Zö?8M>vØäc“¶±ì³ì!­ mð`Ø{0ì{†�<˜Ê’<á‹Ò8w`&±6³#†«—ô3ñ`Ç‘–Ž#mœâí6H¦pö`4ï«ü�B4ž�Î
-†ñÎ؃)aÎ="‘óèä�°9ö`83:%l2Ç„¸NO‘OËŸ| �}ÖbzwɃ
'À@Q
-õg£ˆ—£ßŒéÁ
-Å9‘*ͦî÷‹&“^ÏrÔ’+Xxˆ™)§ìÄÔṫ³ô²9wZôPú£Tl/äÂh¨¸“™Ëþ@g*ɱÀù¢?c]ö‹4EHaã6 À;
-‡&n!ÕIªtþ2k�Š‰[H!S P2>Ä’€WI.™if^Ãm¦Ï·Qüð—Jj'Ì>t¬èÝy²+ˆTÔä,4x¸_Qãý¸–ð¿pªóuIض(DQš@(4§ì-Joö2o#Ö¨8_í¤+M°âùÈ@'Μö¯ß˜‰Ñ’õP
ÜçaA
•N
-|· ¤¯8ùS)ä°éÔŠ>=Ô[Ì
-º†Sû•ê¸Û'”�”gIjÄcEpC…NãEQ`�‰Ò©žz•wÝàK*xch==ø¨
-3ƺœÂD,¯M�oË›póŸŽîð<úžbq|N%$ŠI‘ÈËdF¬:§aÄßRSBû®Hùå^„« +UWE,e ~ÊæODx¾…Ñøœ��ö¸»ålƒOyz*¼’L“ó
åÌíñÀ5Jÿ²ƒ ·l]wd£Á|£aþ΢€­Ÿ©qS[jGã³‰–œX8üÐ(‹å¹¿/½&ÙééñÚÀ¯>AL
-ÿ·
×ef‹æ�R¥Ñ‹þãÒšÙ¨6À¯Il¨Ãzô!Ügúä!ŒH~"3}ØR¢¡,ÄwÝé© XWTÚï¹È�ÏÊ‘­‹Õp¢TèüË~À¦±>ê°Ó
-FQ7ó|šž-K�)f¥sÜ
tó¸sa·’/»æƒÔLSåʆUB†Ë×ÛHÊÀ^jta³g¢vÃÛwm0UiL¤2–
-
-Hð‰òéxõ	}DâY«ùÆ4Ƈdîèêu¼/Ü=ìxG�€08SuäÕ¿Z|ÆX´oJFˆgkÿÝSøna®9‚
_lNŠ4†�×à‰-aÜòXÓ=�ÞÐpÀÇØ0 õÁ™ýóñ¡Ð#1uËzâè[βn9Zž‰ê±%3Q-**0v!–I >‹Ñë%§|MŽl<I“a÷i5[9³þƒ–é¼Û·ÌðE”`jt\ åyMM)ªåï­	zfFzfXÏôÈ'Zú´Ë7‚ÿ³á»+Ú�bËŒu.§Â0RW±`L£dýöJ‘ÀªÑËÊŸå±k#Å•y#`Äcˆ‚ƒè©|Ìcì†ÚŽæ÷žQºíŽÈlry‹æ—-¡Ö»}çß<òRéØhÁ!©™C:„`&z)€ð6/Ô¸ž³ô
6~,¦õRø'VaËÿûãìÓ—ë�iiüRv¹¬,R,êe�($<+æ”ǯ¸ÏIÿÚ!Vendstream
-endobj
-1815 0 obj <<
-/Type /Page
-/Contents 1816 0 R
-/Resources 1814 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1813 0 R
-/Annots [ 1818 0 R ]
->> endobj
-1818 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.2799 369.0217 410.176 381.0814]
-/Subtype /Link
-/A << /S /GoTo /D (zonefile_format) >>
->> endobj
-1817 0 obj <<
-/D [1815 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1814 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F11 1353 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1822 0 obj <<
-/Length 3338      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsã¶÷_¡·Ê3'–ø"€ôɹó¥Îô|©­fÒ&y %Úâ„"u"eÇù뻋(P¢äË´sž#>ìb÷·@l’Â?6QY’Yn'ÚÊD¥LMë‹tò}ß]0O3D³˜êÛùÅ_?
-=±‰Íx6™?F¼L’Ã&óåÏÓ,áÉ%pH§ï?ß~¼ùî_wW—ZNç7Ÿo/g\¥Ó�7ÿ¸¦ÒwwWŸ>]Ý]ΘQlúþïW?̯ï¨+ó<¾½¹ý@-–>'˜Þ]¼¾»¾}}ùëüû‹ëy/K,/K
-òåâç_ÓÉÄþþ"M„5jò•4aÖòÉúB*‘()Dh©.î/þÙ3ŒzÝÐ1ýIeÅešb¥²q-³D3DZ¦‰•ÊöZælLË�
-µ\7]ùø:[Uþz(2c<Q–›IÌ÷höžjdzMϘN”–l8ÿ|U€âµžÒ
-cÓwÐ`Ä´¬±#›¶Å¢©—­k•Ó‡¢{)Š¾«^–õ1h‹®¥RóHÝ$µ­‹¶ÍŸŠ–z›-5çôù£©0al¼ Ç|WuT)[TÎd&Tb5îc‰UŠ;~ISþ\�ýü’ªTÁŒª~ñ‰�Â0“d&“‘è@Ô<Û¼ª¨²Í;ßÜ­òŽJ·Ÿç7ÿMåH¨åÛKf¦E˜¬öH>ìlQB?¦ô_XYç†7UU,©íÁÁ�áa­•
pÝm±-ójöeWl_gn¹4$Þl­®4ó#’#gò›i›dØÎY³Ž©N›uO…3®óßgÛ6Ÿ¿o@𺛵åÅ‘}£w±Tž_FO5²Ž�}g"‘–™áBh“m†+*×»5Uî §a}ÔŒ‹;©!뇦‡²k}“·h|)ݶb·çž/Ŧs»ˆý+ç!Àÿ9¯ÊeÞÍÈz
KŒ…E¬L?cvúã¥åS
-R{ˆô^•=P
àÌ&Bi1Pw]¼ÌN¡?$VÙ~{â|-¯^ò×6DŸºQ5ÃtJˆÌôJ³CoHQÆqG@•Z9L<o0?†ƒÒk³£B]„ü·[–e›?TU:L,:)ßQy×îû}"Ì[
-P�7¬SJʦ+ˆqƒq@z	Ü<°Ž§ŸFöÛr)×�ŠœÜ1õ"è_5ž¼qiàƒ¹æ�˜Uå¢ô›¸¥t¶P§!ƒ¥àŽÌ|¬1fƒí3}ˆä‹UŸÜ‡ä}Q•�ã´'Óhi “ɘ8ŸFÇT§ÓèžÊi±è]%ž×¦‰ToLëiFf�õ`U"xÓ`V3ýô®Ò…Ö>	ÃòªÙUK*“kmšmçG—9ü‡@Ñé„ñ¬óu1’»pÀižŒŠÖ“œÈa4Þq¤*Ī²[ùY^7ciŒD§¶Ácç?ÍǼŠBÅ(…l’žAO†0‰Éà)ï�ƒ˜å>Q…Â>zBÅ…
-ém–½1sO52õÀÊP·RÌMn˜eûE¸Zš{?ÄrðÃLýúÈ¡à?Á¡èó<å‡�H�…ptÊMšô>ëÝ'wC8ð€?%†VòUþcÕI×]ZžŠ?ízÀrNNb²à{-µ»L¿t†Œ·›é\×w+'‹UYG´ÎÄ$at�GÕ4÷÷]Æ$
-�ÒN‡÷2­§Xt;Êi‰¾}�µ9ü€*$V[*õÀáîeÎØ7\Ø8ñA„ûÛXȉV&À{�l”àX‘¤2ÕÃÝû¿à�€
-?†TÑí¶5ÕoúðùÓÕÍmÜÛnšº
Ò<#T5$%‚
íâlloºr±«rwì}×~\Λq·vw¢áHEõD±H@�½PÈ—K¿ê–úxtŽwßS3D5ãg÷mb*™Ã6>UZhÏÛY‡ç1"V¦¬q‡�{è®Y¤ÈÃRY/ª�»÷Ó2ܺÈÑ´Ú‹Fýþ™ûÃsF%g²D‰K}èˆ{“Æù!Ô<ÕÅ]Íý~ �9•õoĈxŽb…¾;È‘='(UM³yÈ¿ù[»Á²°¡^žº««›—úhäè<Tq.Â0^´wÂUœïq|s—[»“VKÌï¹t	(�A
kˆ-žUåïr–¯ÔPü^¶îGø±õ¼|ÒŽòÙDÅ“épỢIa/_È-–3„¿1#Šhú³É²€ä�ÞDö?«èUêõ
-}þWT1•;Ò@lŒ’/A2‹xÑ›DʃIµ»¢æç'
DÇ“¯Z â[«†“²4¹¹�]}øp—\Ýý€o
-endobj
-1821 0 obj <<
-/Type /Page
-/Contents 1822 0 R
-/Resources 1820 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1813 0 R
-/Annots [ 1825 0 R ]
->> endobj
-1825 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 566.349 117.601 578.4087]
-/Subtype /Link
-/A << /S /GoTo /D (view_statement_grammar) >>
->> endobj
-1823 0 obj <<
-/D [1821 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-534 0 obj <<
-/D [1821 0 R /XYZ 56.6929 638.6405 null]
->> endobj
-1824 0 obj <<
-/D [1821 0 R /XYZ 56.6929 612.5722 null]
->> endobj
-538 0 obj <<
-/D [1821 0 R /XYZ 56.6929 275.0395 null]
->> endobj
-1826 0 obj <<
-/D [1821 0 R /XYZ 56.6929 246.5203 null]
->> endobj
-1820 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F48 1253 0 R /F14 976 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1830 0 obj <<
-/Length 1319      
-/Filter /FlateDecode
->>
-stream
-xÚ¥šKsGF÷üŠY‚›~?–XB
-®X¶	Y9^Å•lâEVùûiŒzøhzîUWÊ¥2’s8S-æÒ 'Uþé)yR6»)fG^i?ýñ}¥¦¿ÊïžWú•ÙVh‹Ô»Óê§'§L9˜0�þ„c%R)ééôíËúáçݧÓþ¸Ù¯Ö�6[ÔúÝáåñò“|ùïáãËÓáù·ãnÝútøørùñqÿ´?î_ö›­N^—û›×#,ÜáéðËþrëù¸ûðawÜ|=½_íOsöjeÏ!ÿ¬¾|UÓ·’ý~¥Èæä§Ë7ŠtÎfú¾rÞ’wÖÖŸü½úuõy> üöÇ]{çof¶ÖQ
-åüYö™‚5v>ËÚÁYÎåf²¥ Rç³ü»Ò±MÕÊ•;¹8áñî¬3u¯5´Z•Û.Üju"
^¶»ÇÇ#펟6Ù¬w‹'Ýi²Ae!(&¿Rr>g…üVÛÏG­ÎcùÆ–¿‹„| ˜üJÉùœò[m?µF�åWÒIZü@1ù•’ó9+ä·Ú~>j�Ê)”'� ,~¤–ógJÌg­×ü;m7ÿFkÌX~Hd¢.0H1ù•’ó9+ä·Ú~>jËÂP¾W¤”?RL~¥ä|Î
-ù­¶Ÿ�ZãÆò­¦hMò�bò+%çsVÈoµý|Ô?–¯-¹ MWH1ù•’ó9+ä·Ú~>jMÊ÷¹œ®¬4Ÿ�ÔrþL‰ù¬õš§íæßhMË��²NÂâGŠÉ¯”œÏY!¿ÕöóQkƦ>ï•ò�bò+%çsVÈoµý|Ôš±©Ï»òÊ iñÅäWJÎç¬�ßjûù¨µcSŸ?Ï	ª¸ø| ˜üJÉùœò[m?µvlêóÊR²VZü@1ù•’ó9+ä·Ú~>ju™�t~{¿+7|Æ€–ë+$ÆsÊk{ë즣3œ7ÔÛÃC$“•°î‘bÒ+%·sVˆoµýzÔ?–ï2)�­�“_)9Ÿ³B~«íç£6„±üò,�pň‰…ävF	é�³_β†Âµ!ƒ°Ç�“^)¹�³B|«í×£öüt7�_¾È(/,{¤–ógJÌg­×ü;m7ÿFòX~ô”­ö8�bò+%çsVÈoµý|ÔF5–ï#…óñø| ˜üJÉùœò[m?µQ�åÛL6káb�“_)9Ÿ³B~«íç£6š±üó† ÎÒâŠÉ¯”œÏY!¿ÕöóQíX¾2”\ö8�bò+%çsVÈoµý|ÔƱyÏ$G>Fañ#µœ?Sb>k½æßi»ù7Ú86ï™2 Yå…‰)&¿Rr>g…üVÛÏGm›÷ŒKå†?RL~¥ä|Î
-ù­¶Ÿ�Ú86õ“)+ìq ÅäWJÎç¬�ßjûù¨�cSŸÑš\ÖÒâŠÉ¯”œÏY!¿ÕöóQǦ¾ò‰ŒQÂRËù3%æ³Ökþ�¶›£McSŸ.WŠ\Î��“_)9Ÿ³B~«íç£6�M}Ú
-1
-H1ù•’ó9+ä·Ú~>jÓØÔ§m"§‚´ø�bò+%çsVÈoµý|Ô¦±©OŸ?`…ë@Lü+$·3JHoœýrp¦±yO+M)XiÙŤWJnç¬ßjûõ¨Mcó^Y&>aŸ åø
-‰íœòšÞ:»åèLc“^ðT^%IoãW†{ÿó†·ð}øþ�páíûY˜âà¶�?¼ÖyåKSöÞüÿÏÑÁæ`$›–>‰cU dr¬êrÁj¹/Ïh>™Øyèÿ
–†b3endstream
-endobj
-1829 0 obj <<
-/Type /Page
-/Contents 1830 0 R
-/Resources 1828 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1813 0 R
->> endobj
-1831 0 obj <<
-/D [1829 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1828 0 obj <<
-/Font << /F37 1038 0 R /F14 976 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1834 0 obj <<
-/Length 1333      
-/Filter /FlateDecode
->>
-stream
-xÚ¥š=s7@{þŠ+É‚,¾QÒ¥ÐËÃTŽ+{œ&.RåïG	‡%ˆÛŒÇã±,>Ýã»
uKqRùN΃O:M!Yp
-ÝôõÇFMçÇž7øÆì´§Ô»Ëæ—'¦Ék?]¾“cEP1âtùöyëAÃ.Am>¾<�žÿ<vÁn/§�/»½vjûtúíøúÕóùðáÃá¼Ûct¸}øõðér<¿>äߎñîôòøú�ôúÏÊAÏǧãùøòpÜ}¹¼ß/KíEeæ�7Ÿ¿¨é[Î~¿Q`RtÓù?
-0%=ýØXgÀYcÊwþÙü±ù}9 yôú£½ó·0{c!f¿p–]o´YÎ2Zr–æ}.(Ô|–ÿRÚÔ��‡QOôpwÒÝKµ&ÒˆàRr·Òó)TpzÙÏp8Ú%½=¬žr‹`¼JB<¡˜øB‰ñœ´Æ·Ò~<•Æ4¯M~M$/ÄŠ‰/”ÏIk|+íÇSiRcñ*/ûÙÅÇŠ‰/”ÏIk|+íÇSi¡x}~ñ{aÙSj=~¡¤xVºÄßI»ñ7Ò¤Çâ}œpY¡_(1ž“ÖøVÚ�§ÒdÆâ�¥¬°ì)ÅÄJŒç¤5¾•öã©ôzÁˆ7Áè(ÄŠ‰/”ÏIk|+íÇSircñhÀziš¢_(1ž“ÖøVÚ�§Òä‡âÝ|²’B>žRëñ%ųÒ%þNÚ�¿‘¦0Ÿ]	£°ì)ÅÄJŒç¤5¾•öã©4�MxÎEð6X!žPL|¡ÄxNZã[i?žJÓØ„çl~¼´ì	ÅÄJŒç¤5¾•öã©t.ª×ó``ƒPO(¦¾Pb='­õ­´_O¥¨Æf<§Dc¤…O(¦¾Pb='­õ­´_O¥¨Æ†<8/Œ9Zo/�”ΗòÖØ
§FTcó�õ
tRš§S^(1�“ÖöVÚ�§Ò¼øÇêm…Éõ„bê%ÖsÒZßJûõTŠjl³FA°Âež@Lû$¦3ÆZÞûáĈjl¸³¨Á/ìcPŠ)/”˜ÎIk{+íÇS)ª±éÎä7AZ9aÍSj½~¡¤zVºÔßI»õ7RTcã�	’1ÂN¥˜úB‰õœ´Ö·Ò~=•¢›ïŒàçòõ„bê%ÖsÒZßJûõTŠ86ßå³&¡p‘§S_(±ž“ÖúVÚ¯§RıùÎèÌc’V>¡˜úB‰õœ´Ö·Ò~=•"ŽÍw&σÑFa7ƒRL}¡ÄzNZë[i¿žJǦ<-¸„•O©õú…’êYéR'íÖßHǦ<í=å„A‡RL}¡ÄzNZë[i¿žJǦ<m#(c…•O)¦¾Pb='­õ­´_O¥ˆc³žÖ	‚7ÂŽ¥˜úB‰õœ´Ö·Ò~=•"ŽÍz:_#lBi助/”XÏIk}+í×S)âج—ß�ÖJØÑ ÔzýBIõ¬t©¿“vëo¤ùÒ7V,¤|î„zB1õ…ë9i­o¥ýz*E=6ëáüE¾¥˜úB‰õœ´Ö·Ò~=•¢›õÐD°ÊK+ŸPL}¡ÄzNZë[i¿žJQ�Íz×µb„�˜ö7HLgŒµ¼1öÉõØ”7ïøFo¤5O(¦¼Pb:'­í­´O¥¨Ç¦¼hòA´°­A õöIéœq)o�ÝpjD=xŸÖA~g$ÝŸ/wwþÊÈ÷æWuäÎü�nå¾ü¢Cíw1`þ Zç)ä¿É9ýóŸ‰#�
L\ût�ùU4º<©ëǪôÝ3GÚxÝyêÿˆ­Y™endstream
-endobj
-1833 0 obj <<
-/Type /Page
-/Contents 1834 0 R
-/Resources 1832 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1813 0 R
->> endobj
-1835 0 obj <<
-/D [1833 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1832 0 obj <<
-/Font << /F37 1038 0 R /F14 976 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1838 0 obj <<
-/Length 2325      
-/Filter /FlateDecode
->>
-stream
-xÚ½ZKsÛ8¾ûW°æ²TU„/Ø=9±œÕÔŽ“u´§Éh‰ŠY%QŠöx~ý6Ð
-Î}ËêêëÕ¿ë	ƒ^;´‹¿ZgÌQ)ÌÑϲÔ$åŒ×,S°¬ATx-Ãò·„f§Pi"`�È¢p¾3«µÖ¹YƳ4
Y¤m³”eÀbB¦wãë››{r}ÿe¤Y|}‘u‘Ee:€?ÐêÁ﵆ñ÷Y
ðŸšíÆšý	䌭•@hõ ÷ZÃÈû¬ÈOÍv#Íš•5ö„ªÀhõ`÷ZÃØû¬ØOÍvcÍ2	¹#կƟ*Ax*E?þPë2þZk¯Õÿ™ÙNü-³Œ˜LÈ^�?•�þT6€?ÐêÁ﵆ñ÷Y
ðŸšíÆš5OR @½ž‘’Œäý@©‡
-‹ªØ˜„†]^}/œ<7b{Øàcå�Y»¬1³ÜWN'_¡N¾xA³�ù“3†0çÞ5øøñ¶ZþuAà­Ç¥@ŒpÜR)ãñ´Â–í.ŸÊy�o‡ÇÒ
�}Zä;÷bvªyVfÁ�ð`õ]Üš†y¾wÒsyxDi�W/(ý8‚ÛÞ™‡Â"@�EZ�—0•Õr—ﻑŠ�óñ^°ŒB^Ú²ðã
-„*_®­¬ð	Sïý˜íˆÆù¼Ø›ý•ñøëÛÑãpÐØñÃs'íóùÎîây™¯:œx.Bÿª¢XØÐ0slÚà°N}p[eQlW›¿+mv4ñ1¯*›PÃme}qûj“»!ùsîÚ‚œŽºD#t9äÒ	iˆ$Þó?|SF´–¢ûÃ7 WœÈL°Ësá¸ær¢Ñžª9›£D&¢õ
º 8œaÿSE#¦)QÂÕwAÆ�)ä{œÉxn5>Ã^¡�}aÇÄ“Sf`NAÁ5&2˜ÑD?"¸m­9*²ÅÚp`ÞO×,ºÙ
-þè%?;ŽÕ¢Ø¡xa›×ž*ŽU˜ÀؾµQE³‘SßÖ@”?TApT	�¬³)€˜ÄN*sIÐ(ù'bS�»ŒÇruÛ¡šƒ>ðx�uà›áÌ@ÀsYÓUµy¯×NÚø•4[vi\ù»`PŒ(ìúÕ¾­¿(Š­'º¬ÂQØEí_ÎBg$å)�­ô¶Ýiò€Ô©ŽÆÍo\oËc(^嶊ʹèþeJÁu_*SCÃ�€Ó°r¦¿:ÖZf…°°ÀdxV¸
3ÔÚá¼ç…»×ê0ßÚ¾B©Ûö¿š
-qiŽM®ãg{äÉ9des´¹~DFÂÓe³äæ‰g3˜æ!†*s¶˜–¯Ÿ¯Ã®ùÆ>]§=C�àBÛˆ¶1¿ BAýd/\C*ÕºáU]	–®újÞwõqT�Lfþ¿¹
ˆÏHn“€ä�H¨_çG”[oj~-UBE Õ^«	Šù¦:˜jà,*4alÈ|­Õa¿R–œ:PG…ÉA&áx�l³£
šmJÔaadŸ°\V'aaºlX4]MX˜N,­Tsóч…€™–Â=ø
añ�Áö6ÿüoa
-t·½˜TÍuÌߢZw´Ü³åÊ_ñÌ	çŇ_n.óãêаïÚó°,Dœ—É6O%¶\ t™j¯tášwÆ´$L$i¯µÒ¹mžØ›p;]¸©)åæ6°(ŸÊÅÑ–ð^ßîiÃl"�Yh˜µ*7MðÝ€Öwp;–ûÒ€3sw‡Û	\ßñ/â0à
K¦qÞfR·ïí/°pkp ÜÖ÷ör]ôÔö’˜ÿdÒAaRÑoþÿ.áw4ÂÕ¥¯y<I‰b:óNÙ¹üÔsÉdG–u¸þ_ÑyP,endstream
-endobj
-1837 0 obj <<
-/Type /Page
-/Contents 1838 0 R
-/Resources 1836 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1813 0 R
->> endobj
-1839 0 obj <<
-/D [1837 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1836 0 obj <<
-/Font << /F37 1038 0 R /F14 976 0 R /F22 973 0 R /F41 1233 0 R /F62 1379 0 R /F21 950 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1842 0 obj <<
-/Length 3646      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZKsÛF¾ëWð¶T•9;o
-rþöã‡wWßý|}qžØùÍÕÇçíäüÝÕ�—Túîúâýû‹ëó…J�š¿ýþ⧛Ëkêò¼Æ7W¾¥–Œ>'½¾|wy}ùáíåùï7?œ]ÞtgžWIƒùóì×ßålÇþáL
-“¥nö)T–éÙúÌ:#œ5&¶TgŸÎþÝ-8è
S'ù§¤ÐÆë	j5Å@—	o´é¨¼P)ðEJ9¿X­Ê¶¬7yEGýT,±ÊìÈ—åæO
këÁÚr¶Ð‰Ðk°êÍCq¾0ÖÍóÁrÆÚy—ÃÎ%,W¼�²OçyÕÔ4d™WU±â=†ô«˜ªS›áy˜>A‹ÎDš$)ãõˆ	ÚÐ.å¦-vLSBmMMåz»;Wé¼~䣴qDh.šm½i¸k[ìîêм@z€Ê
-)ñJ”™s:�²Î7K˜¡“l^ßÁ7í$Z2�A¸âù/ņú�wçjÞÝ4uìÃK¾�ЃçÃÆb“ßûÞ`k2\ž>OeÅKñ‘±1ç{ž„½ê]»XîÛp$�Bz‡\Ò:!¦`axÑZ§J¡sYÃÊ›–*È©P(€œoš§‚[¯¯>Ôm7ÉÛ	yЉ Ëîsò`@­Šò…3mƒC%=O¡k],òMÙ¬éR�LD&•_j¸I7²oè›oVT[ÂwS·T 	ªò¶à��ø
ì„·>Q¡'Èáõ|·ß‹îz2aÑ€ QC-6p³½Ú
åÆÀ-¯ê¢¡æ@]è‡CßT&¡‡Â‘У
-öÞrJüÉ"aär¿£Á�IYЄ*ð,g›
-x®Û‚PPsQíö@½§Í‰J¤Hm6&bAÀm‚ï…•Ö¼jE”°^ºW­ˆPŠ«RÐฒ´�±e[7M‰ô„Z€'x¦m±,ïÜÈ\`&\Úñ¿ÝF¨R•ëòHÉ;¹uG÷tºæ‰ù@{oyô¾™æªvJ8c|¼´üyÁœmÊ¿¦øš!�K:ŽÐY4DP>3§áÔ
-Œ7!ëµ™_?ˆÆ
-Ò�ëï—Ë¢
pœ6t;
oLm÷9íQMÛÞ�è±�9Ž½ŸEy»LYÔ;”Ä—2kSˆ);P†é#
Êz(?Rp£Šq:æ ÎÐØg_­¨õ–g‘… a1ÆÌFâƒ-Þ)
-_qß$€VIç±´a½WuزdzŒäýjDÈßÄò
-‰¢ü%Ã…VEÜ…£¿áâO% ‡	IƽŽã±jE3
-Ü#†	e@%“pò&.yWW•vëÅ4@θv¿^çÑF¿Xocàu"M0áøÀ\Ke’¯3×âEêR�±V~f¥ZDšN5Ò ÅpÔéLc7jçwWZ
-ð½êõí»Qû�ÀŽv¬ƒp5¥õ™PÞEÐp€Ÿ€N
-T*7#Hi�\„qXïÐmÉ¥(¾!ÚÍí“Þr„R�,*2"¸Õý=Å"…êÀ‹Ôq¯¼íi›@]¬ªØpëèýÕ³ÛÅŠM¸
9MlÎéÓÓ©cÊZ× `å6X¨=–ÅS0$0†¨†[æÛmU_pÁm¾çOgÐüH ú‰=W5CÚ™fzbAÏ;Ÿgzþªû‰>ÇŽ“
-œn—3Qþý”ÁIDfô\iÞB9¾V¢Š¤`ÒÓÑócÆÏ�o»—"|»-«–ðØ+Ž.¬CYsĵ}br¸\íPi„Å€oËŠÂ9¶cøŨ©¢üÎÛ3ryD,Œ‚j$›±ï¹{PÎ#©àŒbéíæ,‹]È{OÅZ‡m�ƒÄ“~%IÔ¯„�>~I’¤@Kü0üO³ù'LÙгEůámÐP¼˜ø˜ÏŠ™ÇÿPZ"	OzQ“h
-A†çwgÏ'b=¦T=»ç˜öÇY'É;€©Ý3nsB
-zƒlÂO¯Ò`˜€ Aíí¤ǘg̨.>õ_$…™MÜðAÐ\e±¢†€á^ÊeFÌvÂN?xïÀS;Yüa–üÉL˜Œ°ÙC@»2Qc±•EJÙ^#±ÂHÆ£™Ø�‚ƒé·Ì?­á˜NEšùé
ÆÁêéì©Õ¤™–ÃlèÑÖ8—Òù�åÅSÙà¹pNy<7/(²‚RÀÖ0*ç{é÷�>†u�¡C¶߀Dx{¤X-œñö2)ºËœ
x
F‘#ÃO þð/,Ç;Aoñœã³;ÓW<†¬=ì‚~43aÌ9…XÖköž™cG"Š¸úÒ6‰€sê±ê|ÅyAót÷’öfB×qÈ(ñùôô$øœx
-endobj
-1841 0 obj <<
-/Type /Page
-/Contents 1842 0 R
-/Resources 1840 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1845 0 R
->> endobj
-1843 0 obj <<
-/D [1841 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-542 0 obj <<
-/D [1841 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1296 0 obj <<
-/D [1841 0 R /XYZ 56.6929 749.239 null]
->> endobj
-546 0 obj <<
-/D [1841 0 R /XYZ 56.6929 258.4984 null]
->> endobj
-1844 0 obj <<
-/D [1841 0 R /XYZ 56.6929 228.7653 null]
->> endobj
-1840 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1848 0 obj <<
-/Length 3431      
-/Filter /FlateDecode
->>
-stream
-xÚ­koã6ò{~EÐ/U€XE=»÷@º»iÓk³{ÙÜáÐÇY¦m]dɵäxs‡ûï7/Ê’¬th $‡äpf8œ—¬Î=øSçIèz:
Îã4pCO…çùæÌ;_ÁÜ7gJÖÌì¢YÕ×gW7:>OÝ4ò£ó‡eWâzI¢Î?9¯¿½~ÿðöþb懞¹³0òœ¯oïÞ0$åæõ»»›Ûoþq}ÎÃí»;ß¿½y{ÿöîõÛ‹™JBû}Áð†›Ûïßrï›ûë~¸¾¿øåỳ·/}~•§‘‘_Ï~úÅ;_
-ÂO1šDn�u}»3Ëâã«`´ò"Ë*é)x`à@¥Ü4}~4&«ŠjµÜ—¯Ø¾eÕ”Ä`^ÒÔªÁ£y>ygqâª(mb7Šcõûß™Å8룜xg‰rÁ øÇ“éSú¸AÚ;>eÉ<Ï
·MQšª…w@£bUÕ,¿…ËTÊÝ"è¥nˆÈŽÂcÕ‰r2nxG³­«Æ0dÏ1[É húËþmòÖ,²ØË’¶–v-€Ÿ=Ï/[³ƒ{‚Ǩà8ärÇ/Ÿµ(šœ5aa;íºÞ·<˜ÀLzCåȳ|m—V1Òáæ8ß0tþyƒžòúö{†š‚£á©Œ™Úv¿«ŒàC~©]Ë’¼,€/·£ˆdÍ×ú°&¦¢�PÀ¾ST­©˜ÑH„	í–Ï}IJß÷ƒ7wxO΋jÑ¡ËÚ6Ë›K\'TÜÖøÚ—UýÅ`�A—(Ô´[=Ò‡Ž$Ø<93øëÞì@ÿ´—8K¢öRÒ,/êMFX
TeÃPV\Õ^
-tƒlÒ»òqœÌt6ÅjÝJ¤±5y±|9¾e}´ä*g_šæ«‰€l(Ç^ÐK
-A�¾Ç$Ã(T£öõã×J!¯78w9%ÊNŽÜÁÖ/R¼Bêƒ^ˆXÖ­õc«A¤6AR�Æê^ñúe©éóàòE^õKM_k?†£p"Ž$r�Žd¯Ôo "FC	X“ÄùPT¹­æ@6k3¢¸yž@»ÀälºûÙ½_�|¼<X¡sÁ4£céÅâ³7‚òeK ^²Lãô•œFÊ'ùÇHŽïð–ýXt:ä’±9k°xx¨cÚ_6–`1ªyÃs¨çØfÜ”fU´D¶öŒ&ìãðÀ�:BUûp8\¤þQã�¶Q“-‚&žÀ‰Kj(ÃßÌ$Nê�Bé§ôè?­êþg¨:š{ˆ»år¡G—-S[Êý|߇ēô'äš4ú<–©¶ñ2ô>!]}T^‹ë´~¤ýÐõ㮶׷ÿ§…6„‘­'˜Òl ƒBÍò“ÎÝÎÄûC"k/>ƒ…“Z|W·�)¢@5H{ï„Z€TuÛ¿tJq"«úö’ûueј¾ÝÈÖM
-[µò¤
-š:Ë,o»WjlÔ3"aÝiå�ß
q·Íw-9,~,t9Š.9ØwÊcÉq¼É¶[63¡ÌÙ@{ˆÏ>DÉNaep0;ÌàbN…pA—>ÆAwtè,™‘�²
-83†ùm]PÆŒˆ–Ü>†mtàܶSÖÏÆ:ä”y»—‹R~
-kȤ¿eG}tƒ€Ub� çb`йÝ	hj®Ž¦]�4Ù¦Öë…6ðIû¼£˜täÜÇÇ¨LƒÉÓQ‚Ô0«ÅtÛìå¥Ãˆ‚ˆ
-xI›Æf¤gåä£Nܽ{ÿì �V^÷ÁJž�
-‹ýÿ€ÂÒÍê£ÁB¸Ô4±ËÁ”ÿB.‡?¥í‡Ù�œ4“CNu=@ÂÞð
-4T_L•“}7H;Uw_úÅ–]ü™ÕÄ7ïÜrþ»Íuü©[»:Iüéj�²º‰ŸÆ–($<	Ç”w?û:%ýÿÙB‰endstream
-endobj
-1847 0 obj <<
-/Type /Page
-/Contents 1848 0 R
-/Resources 1846 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1845 0 R
-/Annots [ 1850 0 R ]
->> endobj
-1850 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [91.7919 633.8696 410.5963 644.684]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://portal.acm.org/citation.cfm?id=1315245.1315298)>>
->> endobj
-1849 0 obj <<
-/D [1847 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-550 0 obj <<
-/D [1847 0 R /XYZ 85.0394 189.4262 null]
->> endobj
-1851 0 obj <<
-/D [1847 0 R /XYZ 85.0394 161.9629 null]
->> endobj
-1846 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F41 1233 0 R /F21 950 0 R /F11 1353 0 R /F14 976 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1854 0 obj <<
-/Length 3959      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sã6î=¿"o§t–¤¾;sÎǶét³Û$�Ü\·Š­Øšµ%×’“ÍþúP¢dÙ¾¹ÛÌF$
-Ò»út÷áöç?î'gqà=Þ~º;»Ð¡ô>ÜþvC­Ÿï'?NîÏ.T*ïê—ÉçÇ›{ꊘÆåíÝ5ARzì!zóáæþæîêæì¯Ç_OnÛµ¸ëUÒÇ…ü}òç_òtËþõD
-?MÂÓ7x‘B¥©>]�¡/ÂÀ÷-dyòpò{KÐé5CG姤Ð~¤G¨õ˜
-ÃFª+jz6–8«OœF.³¦x-¾ç<×Ó
-ŒD»–Œ˜–bæí‰Wo#Zh-¨“LkWаš4/8?ÄÊJz2Ïl6cՌȄ{ûÊ'ð�ZC1 ¶ÝعNîžÐe𼛢*ÇÔd¤žFFêðh-Ì wÂèö�NÃnßaW»ïð§ÖÑvÍYd
µÙkN¤¬y
-Nñ@žnáðáqß)R¬Fظg1¼°�–Ù”âÀ.Àk ©À¸øþ]ŒX§Ž…
-졘•Ù²šW[æ¶F*Oc!e<0øYµ}^r¤5­–°"j‘¡üé'ø­(L4ñÀ8ì6°´8ä“,³™ƒó íy
m«	Éš�ÝÉ€/ŠcÑ’9+�ŒE†øc”•ºy¼�—2;š6fØo#ám³€

âëל u¾ym	¼˜c?°‡
4lÀ$Ñ„!Ó˲f¥'o9µ£Û¸xÄf™–£Æ(0i³lšY`ÆÕIà°½<Ð�¾›è²ëº°Z“(á+¨Š)v/]ð˜˜PÃ<�0ÏRÞµà@c²è;�Ù£…÷\PYÁ`#(_í‹ü´äÜAÚãFÚ$Ev‘¶QR‚‚)“<Ò�.n†7¶lZ„a\&yOÀsÂ%Oƒ’Ãÿ¾Æ,�ÖËóï©™5yŽcUxŠq(‚̆@À"Ÿ~%=@ú2Ç1ŒÚš=öØT;!>ž]¬ðÒ7UGlG뱫õÈ[_#GLÖ¡£ƒÎej¶=°íïI‚P„*v쥬G�ä ‰–qw$ã×IAsÊ�
^¬“ì/�hqjåò�À¤"m³|£K•úÂȸo¼Æ…“‹j¬sÃ��¦®ú…Ùæ:«¢„%^̪¦YeÝùDúÔYþ’m—Ì‘ÃQÎÝw9+Ò�Cý?ð¶I½ê'ê èåv–[àÚ®ü5_òüHå6îJ"¡?².[9Ù¼ßUUü —ö¤àˆµÕ”‰‰í&0/&G€ì|
-' خԼqƒR·Ð[U]ätÕ+¬üÀiÆAÇ3�‡°ëÝFÌ#	À ��é]æÓlk–‡ÆõÝ6übM b3óç
Ž«&ç®ljgLA!`™@žh�ˆ²ªŒ¤bŸcÑØYwKÔR
ù’Î2À«�è2?^9£ØÈF
-ûÓNØC¦ãÂv™²°!ôv<¾‘¬$¾FVª�
c«÷7z§rêB=]º4^m" âÒ¦ÃÚòÃ�…àvc9dünc�MÖ<œ¼ÒFÈ�HeõjO¦èäG1—¢„'_Ma …{ßzA_F¯ƒ:⋯®§É6æþÀ®Že4¶š}&r�½©Œâ‘P9²÷cЛñ\é´üobÇ(õ g¦ÆÂ$Ž0¾¬òLÅ (í
¨Ï˜£ÄÇèŸÐºH_0U &Öî iÊ™%%yWf�„uº
--¤˜.øÚ !ø~<VÊÀêC^H“!?Î?ƒÂ_“~¼4¹»úôÇÝã?Õ~� SýÌÅ:`Në¨9bÚ™Ó�é¸9¹L÷xH´àìg•üVMñ
-#�ë¬ÉÆkâqèž
-i@QÓsôs
ì@÷ èv
æÌUty@¤lÃæéh9G½9'¾lk˵oºËúÍN®÷?½ˆàP‚¤oa¿
-ÝdÒµ‹ÜÍóÆ'6MœàÛ�‡
Š%R'ðM©ÞÌ¥ýªËÜØê[© à„©áN¤kY3©•{ÑŠ!úÔvÎPa¦UÔcGcF_Ù@
-šìN°éº“ÞçJŒÙs&©·t­Ó)ùAäß²Õz™‹iµÂb#^ÿ6üYã�ŽºQÐóÂòVZÎWR=ÓY“õ�1ø¥1©LlÂjˆÙê¯ôb|»8x¥H/–6À‹åðŠ4n“"—¦½
-		¹ý
-Û,lÈ0•R^4ÛT?Þý°ÕÜû·	VªúFŒ½ô
§¦IÓÒIÀœZÈ3Ó©À§lŠÙ,g8»ÑTyÙ˜I‡±ˆµûjäƒ(%”/-ÚtI×XÝÌÔž(Ò"ˆXÚküA=}—Oˆ$ˆ,¾SjÇêµ:Pƒ/)'FE6�™geñ½Uœó&§³ä
-’%+íMÕÂÚ[óEcy䳧ŒòVùt
êwTôä¤à°¦;…ºs'”&ƒ¦¯¶�8ûkƒ¡À?
-qèðŸ¥ùÿí�Sw�…Ÿ$zühÐ1¤Ê	áI᪓hgæö�v§þ£Ÿ–endstream
-endobj
-1853 0 obj <<
-/Type /Page
-/Contents 1854 0 R
-/Resources 1852 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1845 0 R
->> endobj
-1855 0 obj <<
-/D [1853 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1852 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F48 1253 0 R /F21 950 0 R /F14 976 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1858 0 obj <<
-/Length 2739      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿BÓ¹ù¦B
~³�Îœb;‰{‰�ÚêÍM›>ÐdqJ‘*IÙqoúßo» @‰’¯sÉ$\,ØïÅR#	Õ(	…ôÓ`§�¥
-Góõ™=ÂÜ»3Å4K4q©ÞÌξyëÇ£T¤‘�fKg¯DÈ$Q£Ùâ—ñÅûé§ÙÕÝùÄå8ç“0’ã7×7—„Iésq{óöúÝOwÓó8Ï®oo}wõöêîêæâê|¢’PÁz�w8²àíõ‡+‚ÞÝM?~œÞ�ÿ:ûáìjÖéâꫤ�Šü~ö˯r´
-+§
-ãV@?T¨5¢ó²1W1Äfؘ!²Ú¶.–�wo/¡R•4/ª-/áµ1ˆ‰ò¸žƒQr AŠèB·šà¬l �&à Sãgêy	ëú9oxÁ¼*ÛŒâ]²h
-»x°4_K§öÊÐ<k4Þ?“�ÚØ	h3Ø97Ý´ÛËô#, >ñ
-s9€/Å� bz3
-¾}ÖÙ—|½]ÓÀÔÜ<�óE%žH%t¾ã°zBÂMÚ¶º2E‹eÿL'^”Ù�¬&XöåqÌ
-£¼ej[2LŒz
t²10íÁÞ“ÃÁykÏ!ý%[o
-“‡0z©¶Øw8
-|è�÷b›åõSy¶ÔÖ<HÍvü‘‘Vc…Á›íI^³»2`÷a–A¡­°Ó°ŠêYñ²ÅÖ(’\úàw(k‘fð*S~¡;žà�±”/a
_ZšÄKǺì^Hu†6¯°ÏêmxÝÖƾ©^bn"|ú9àïf*iG#R$�#Åíåt6=�a¢ÒXx‘	N'l ê{‚D¨Ï”RRà_0f�ìÔz‘×æ•.â^Õ˜š>Ï�7šNþ….�Ìþ@ ìÀM}ë}û­z=b•õkåÁ#Zïà?ÆîâàöŸ‚\#.n?¹¤ú­o…hÏÓõæ�É&kšvUo»€q…{0ç]Ï¥ÉÞd7ùöv
-\5ûVþ"¸Ö?œ‡ì:Å}¥It$¨B
-ªC~~Ô�Ñ$>X˜c4<½Ý1å�°ôC‘DaèáúÓÑÒ`³:ŠÓxÀ^=Mͯ8ï•“¨¿Ìõ¦íÐï’N ÂhÈ7=‹Ø‚0°Ò÷„:\*ÿj„Ùô¾¿Ü•Lsˆö”©Ž¼'‚Áñwì�w=øÇ
-üß?©ï&ƒXøIâí{?2ËH$^[¡ŒÉ%C?!ÖÅCÑÿ�±IÌendstream
-endobj
-1857 0 obj <<
-/Type /Page
-/Contents 1858 0 R
-/Resources 1856 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1845 0 R
->> endobj
-1859 0 obj <<
-/D [1857 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1856 0 obj <<
-/Font << /F37 1038 0 R /F14 976 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1862 0 obj <<
-/Length 2641      
-/Filter /FlateDecode
->>
-stream
-xÚµ]oÛ8ò=¿Â/8‡ŠIQ”°OÙ6éuqMÛ$ûrÙ¢P,Ú*K^QvšÞí¿%KŽ²M[
"r8·3c>á�ÏTÌâT¤3�FL…\Íë£p¶‚µWGÜãR0Äúõêèù™Ô³”¥±ˆgWË
­„…IÂgWùõ<f‚…pþâíùÙëW¿_œëh~õúíùq T8?{ýïS½º8yóæäâ8à‰âóÿ:ywuzAK±§ñëëó—IéóÑ‹Ó³Ó‹Óó§Ç®~;:½êeÊËC‰‚üytý!œå öoG!“i¢fw0	OS1[EJ2IÙAʣˣ÷=ÁÁªÛ:©?2!c1¡ÀˆO)P¥,–B:V–åõ:+*¶¨×¬Ù|	*›WÙÚ žBÐÀùÉ›S?f(.œpÎR¥„#%ìË°‚Cî÷›ã S›ŸŸ	1àHILp2æÅ»ÿ€~y2_d
²å1ü_šEKskš�ih¼1ͲnÖYµ0`>‘¦óÓlqë	ÔÕa(VÛ÷›œ 4±›º²ÆÓ¨ËbqOã/ue†xn¿� í­yÈD[�˜™R�#+EèpAÖù²¶$Ëó¢-ê*+ižgmv“Y�_Öõ§íÆÒ¦ô;~+}þÜšæž0œÒvÓ¡TöÎx ƒÎYíO6Ÿ³õ¦4Ï`&“ŽØËóK"å%	C&º+ZTq(½"{%•hŸ¡NÄÜ�9
-~ÚºEûˆÄó ®ýR±î‘ýüñžF{câÖÞ˜Cd‚-ÖE™54qFÀ½›
Ð+FUMß
Ä›aB<gð
-F�rT蕧øv÷€f�`x›9%(ÜZ¯$ùî’^bDóÃP9‰U8”¸c<a2Ž):{™üÙ$æ]S´­©t㥢8Žgt'‹z[µÆËSø-Té]¾T"LX*"`À?î 8úá–„ªm³¶°m±°¬'Ûë~9„æL‹ž�˜)•Æ}�7š‡ðLõÖæ.�šY›Ê«éU“­×YC„G/+(J(¦´NˆO#zÅæ#Dùæúù¦1Ëâsiª´ð_§b!YÊ�ý‘‡\ÆM½ÚZÞû±n>âåÇé/ôù0uKüæMSïŠÜÅçeó
4F4Œmˆ†É«ï–
÷Û|Øâ‹!Pµ]ßtª}Âép	~Œ@ÛÀ+ºtîi»ùÔîÀ%*-
ÿUH#¸ü�¤ÝüÓÕ½‡Û~úw<2÷¶ó1÷±5ªÕˆÀõã+Œ±ÞGÿúf=âàÂì%-6‘»
-}ŠØ§LÉ×S¦—Ëðʹíï6[™éžÀ0—ºšL!-�¸Šá0ßzHK¤,Ö©$‡o!ŸçÄ›Ëgaº¸Íšl
*£ü‘€®¼¹+©ñ›Y[/ŠŒÒØ°¯hp…>”ð®ëÖ×­ÔIÁÏ$•"…ºu9Ú¹¡­ÈÓgÚ[šc>¯Vp‚³è_ªT�­UX*žìÆ,
-Ükr,|¥Â̺ò–¯Ò²jå1WÇÊŽ'Kh©E½t
°f|[•¾ö£ÖµmN^<,'e¶íJÂl³)c‡ãŠêƒ¼t1Å•”Ë)/§SÁg¨’wÎEÄÃ\\�Së8õ6Gýç*¾å„{¨”i­:TæC„
­°FÔ>�xaŠM¹èk^ˆ-®Tó	/ÔÒ·º`P/®‚„aæ×Hnð˜¶Þ¤„R·ôøË’ô¼2Ý
-³Ø”��.7Ël[¶vÜð€˜€‹N…‘šß×[ä…¥èèfí-^TÅNÇ
-	`µå÷^	øX’Ú…”„®™ó—Ü〢̮۱©­-nJÃÈ�¯ý;íC:“‚	©™
-û>æ|  O?¨`°ïT¹i=JÄ83uü4»C!¥òÖº
-|‘
-endobj
-1861 0 obj <<
-/Type /Page
-/Contents 1862 0 R
-/Resources 1860 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1845 0 R
->> endobj
-1863 0 obj <<
-/D [1861 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-554 0 obj <<
-/D [1861 0 R /XYZ 56.6929 608.2484 null]
->> endobj
-1864 0 obj <<
-/D [1861 0 R /XYZ 56.6929 583.2725 null]
->> endobj
-558 0 obj <<
-/D [1861 0 R /XYZ 56.6929 285.9067 null]
->> endobj
-1721 0 obj <<
-/D [1861 0 R /XYZ 56.6929 255.1565 null]
->> endobj
-1860 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1867 0 obj <<
-/Length 3830      
-/Filter /FlateDecode
->>
-stream
-xÚÅ]sÛ6òÝ¿Â�òMÄÃ'
NžÒ6ɹsM{‰{Óv:”DÛ¼H¤*RvÜ»þ÷ÛÅ.(’¢b»}¸ÑƒÀ°X,ö�ç~òÜÛDèÌœ»Ì$VH{¾Üœ‰óè{{&yÌ<š÷G}quöç7Ú�gI–ªôü꺇Ë'Â{y~µúaöå_^}wõúýÅ\Y1K“‹¹MÅì‹Ëw_$£¿/¿}÷æòí÷ï_]83»ºüö�ß¿~óúýëw_¾¾˜Ko%ÌWŒáÄ„7—}M­·ï_}óÍ«÷?]}}öúªÛK¿RhÜÈ/g?ü$ÎW°í¯ÏD¢3oÏïáC$2ËÔùæÌX�X£u„¬Ï>œý­CØë
S§øgµO¬Wn‚�JM1ÐfIª•¼º-p0Tö†Ê,1^+À�cvÅ/û¢içå§ëîãµ6ÉTªyðr�äÕlU´ÅnSVEƒßrv[´·ÅŽ:¡EÐu½Ì×kŠÝôÓ_
-uË]Ã}0Í0n“7-ÁAдOg—×ÔQÕmœÙ¾èóúîòõžñÖ׎OM[—¥ý“�ͧÖòàzÛ–5怜ˆKF긫‡l"º”�Ý•Å=¶ÒY½#Èͺ^„£DX@ØPÇÎø#5ˆúAHVÉ’Ó窸Î÷ë$Ôì²%è&àQë¦f¤L°ŒºÊŠ
-]Ý¡B7‹(ϾžPEƒ69Ë¢v=ÀÇ8ïF
xÑÜÖû5R™¹ëûü¡¡ö}½ûˆZ‘¦ÁjØv¿ÛÖ
ë
-ã†Zº*›œ†úxzÐè\Rà‘ïdZYqh�{ªhÔ¢no	Æ;´Iv \�„�”^¬æÞNòà£æ<“¬é¸Þ§|³½
-XÕ–!"ÀïÅùp:µQ¨ª|S¬&èÔ(U]4ÊG8Á8í‚ßÕ‡
-ŒHŠ†N»áùöSËlx˜
-0Ëd*˜¹"¬FŽR“)F(Éõ~M0f!@ê=5îËæ–:öŒ8œ`CðœÀ+0nÀŒköüUKà;0ÔâWÄÁíy„æLIN?ÌE’&ldGN? ÞH)CDÞ�¼‚=^/ÆFð¯,!Ë…PÔ}ŸÇp0Fp§mBÙãp¯³à¡vqᚤèf€h».‹æyVr½hE6ù§Ïê7§Ž#ýYÔoÉCà*7û
}DC*XÙ±¿hšü†÷è³V‰4Ö=®ÏÂuZÏr¨ªÀ#Í�÷CeQI½-9¯ÌH<ºƒUŠTT)Iþ
-{’¬”
}LÇ`ZÉ$D¥Ä~S€i
-Ñí˜ú(ªg#lg8ªÞÔT’úÄtI$†
-²zXg÷‰ù<‰£ÉýÀK9”"È ²ˆ›ø3µ�
Öo”Z=¾H0x/Aâ!ÜÔ�ÒY-~ @,KPfôâ}Kƒi¤UPs€ "VÔhÁ¸öÕ
-èhëzÅð‚sý ã?@|ò‰açÃðmÞ.oIyÎç¼…Á®1] ZŒv>¤øO8±�dbAæÓÌÌþ…¶4øyèX×�f[,ËëúàÌ›¤/ÔnÜÅ
-¦xÞbN%Â+ÝôJ¡À‚N(pŤÀj“VæÄF}†éÅX¹·‘€R�õñzNƒf3póSª ]¢³ŽÿM›·¡€JK×F¶(”KܸE1ÊGDŒ¢—C¹õ˜6S+ß×I'bñбÓȺ܄j�‹á4ªýfrwG•SÌ«å~wGVV‹z´É‰®
-,‡U`1¨÷ð§
?A"™$oeÀªªž²¿`º”7#©8Á­…×Þ{{(ˆƒð4ò¬?º`@¾Œ&¹sö�Õö”`)H'žŽæù–ÅyRÊœI”é/**Gn2Y&Ÿ˜ÉJ«"¿>'Ê
V¤j\n0�õ¬@ˆG
Aò)MÕ‰9Ð
-‹Œ/Ä*Ú@D£3Ÿ8
‘í®T’yï§/æÆy%ÝìCiÐj­åaå ,Sñ”T‰?ÓªÀ]WÁt6æT
\‹×vÄ€1“Ú&?6h�æL/£œþI�±E¾—FÁÁ[Ÿ�}ŒóA_ALåì�DC�*2Ÿ_}¸|ûb|*R¦A¦)¸”4q^„Ë1êÜÝœSã}ï6­?ïO8¾M;Æ‹d|("éÞ�_µGÔ¤6‘Rˆ9ºÐ‹ƒ£`Œ‹ù iuÎÛ}:kó5…ìgàçrÐÔ:`ôÀ~9%fÿ`D.8ònß±! x¿0µj?»
-œb\È
.ÉÂÉz8X±þ0WƒÁ6­i1«¼©òvß[lWù³,`ðSTÅdpEŸû†Ø`c1
&¡Â�#À![¯n…Æv©g„‚YPf‡°tžj7{5•ž
¯)C}¶¼)«¼w3tp7O(3Œ8ÝòtƒÙ—ëíø¢«JÜT±oñ׋È�?X6™¬;¼ZCü·¿�PÎ&7»|³�Ô0| ç�½S®.K\jÓGl·M„<ºbF¬�ªÖ÷
µƒÁÆf¿nË횇 NL¶4°³ÂÂûÂC�Ý(½¡Ô@¯E½Ì_l—\T�©
…“£(»V¬™‹œ}>·t.!¯ŸŠ1uZNÕn Õ*ó�]Öh°Y§ñÎïÒ	ÔQKŒïÆ÷6Æ’eâ­8@/¿»3â%€RžÒOþpÈjÅY!ã¤)åÉ’‡ ¦g
-УJù
abF/l?£&&ÂÆâ•<1º¬Çû
-¼gÕøFýD}ë|׫†êx;…×ëa¾‹g¦FoT:zÛ
-¿»H¡¥zbf®S-S¸ƒý¬:eB¤ŸU'@hM—¿öžÜ�Ó�oí´IÇÊM(j¦1xw"úsÇ)°�N%LéiSÒ×&ÍoX°cÁzñ‹”Û¡¿¦øE§a'%Ýžº˜G
8àÓC'ŒßÂæ”Ù”§Ð5j7¨Ý	¤1`±§–oî:+ùø©ÚtèÐq±E«bL?
-¦ÿ�
-¤Ðþ:ût	³p®©|ªþ„庭b '€›Ó^P]¡=1 øÍìb.&!-$†M[.›ùò6¯ªbÍÉÙ‡C]6¼Jæ¼+,cFWÜWšª®0s„0…•þEâ[�q¥òQVX"Ä–\¶ý9hBøø/¡�:±Î`5_ù˜€âOÜEòßë ªÎæUè
ã>|üĺù U‡‡©²O`Èãn`¨ 5ýyƒ7%?ÓÛÁÐñ£}ÙG/Ùw’$/‡äv�ž�üöòÔãpmñÞT¼#:ÁøÃǯê�K´÷j:p›T¯2‰BÊ}6¦¼{a~Lúÿ
-endobj
-1866 0 obj <<
-/Type /Page
-/Contents 1867 0 R
-/Resources 1865 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1845 0 R
-/Annots [ 1869 0 R 1870 0 R ]
->> endobj
-1869 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [116.0003 382.9749 166.1092 395.0345]
-/Subtype /Link
-/A << /S /GoTo /D (tsig) >>
->> endobj
-1870 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [399.2874 273.03 467.9594 285.0897]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1868 0 obj <<
-/D [1866 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-562 0 obj <<
-/D [1866 0 R /XYZ 85.0394 170.053 null]
->> endobj
-1871 0 obj <<
-/D [1866 0 R /XYZ 85.0394 143.9886 null]
->> endobj
-1865 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1874 0 obj <<
-/Length 3891      
-/Filter /FlateDecode
->>
-stream
-xÚµÙrÛÈñ]_Á·¥R"Œ9
-úÞœ3sƒfÝQßÞž¼x­¢IìÅ¡'·w\Æó�“ÛåûièIï0øÓ‹_Þ¾¾zóëõùi¤§·W¿¼=�ÉÀŸ¾¾úé’ 7×ç?ÿ|~}:&Ó‹ïÏßÝ^^SWÈ8¾½zûµÄôwéõåëËëË·—§n8¹¼möÒݯðnäÓÉûþd	ÛþáÄ÷Tl‚É|øžˆc9Ùœè@y�Vʵä'7'mvzíÔQþ	ß“*”#”b"„�ìq0ˆ½PIÕpPúÀß÷§U�ÔYUg‹j¶X'E‘æíø:ÒMZÔôù]ú›ïË"«³² –¤Xðk•¬Rä¬.;ÇçOfÖòÜíÚ
�A"ö"§îÛ1cÔ›Ðó#væ0¡JÈé2]äÉîT˜iZQË¢ÜlöE¶Hˆv%Ä´Ý*¨KúŸ§ô¿¯Ò%�›?RKõXÁ'ËMV
-¬g)ÆãE±™ñ"a—Uø™uZ,¹Ï""Ëü†ãVéçlž§Ý~À±ßnËcØìó:Ûº!ŒÆ¦­=‰².e^¹U¡Ý¬x·¯÷t`gÐ áö5õ,¨}ÖìªÃ_šQÔ9‘Œ‚iY8èûÛÛw5Œ8ã¦?]‚P&˜^áZQÈø>í³Fvpt½Nj‚XS
-ì¯Z`G¹³2¨ò–òV–|žíY½"A
-• ç7ÒAl¾ZZŒ³.Ê¡´
-{A(¢v姥5
-V,<a"qܾD‘§`°ÖS¡ùz-èκG¬‹
Ì>HS3ì	'nD,û¡µô´
-Åa|�’õIj¸ÿÛš>l¼¡à’o�³‚#诬ÀwëÁ„Œù2×»lAªÚ0žÂR…;ª°$9�ÏÄ*æ-$y^>ŒÝŸÈ‹¢Æƒ†ØŽåÍ×Ó‹®Ž´Ë–íò–!JìõAèÖÛ^lx{§bšÓ7‡—ô±Mw›¬¦Æ>%$]ÐcÝhwý¥ï{‘lÌjô„Mn,AË)8óPz¡êëM®Ã8ë¢1¹18Ç7Ã�LˆHÉAéùœÜ#ê?ŽÈã3D*8}pdŸH4HcWB{`‡âæJ€[§HÂ!�6A�@-åsh<-LÜ“@’
-s¿ø‡{ÅŽ¡FÂ^¢!D´ÀegEú€;ÃØV…Ò‡ •0‘²€–j±N7I.H B?ðïÓ]E•èR6	1²'f¼’6€GDR#”±Ãm{þU)õt¹nç`u;`m×D
X@¿bG­”
M�
±yS:…‰Íé~ «Uj`È6�}+ä6øä6
-ÁæöÈƼ„Vº°R@ÄIéühzS–«œá‹u²³6àówW<²¤. ,q#ø½Lê„ ’8ë ‰©AE•/
-[âAFŸÕ±ÍŒYwÊPÇ1?©c_°*"
-Ùçü½<¤;„€PCh�*.Ôq<ª�Ý YwÔP
p5i¾'MìbXN¤Óæ¢ã‡¤?rZçÕ…À;Ü¡â¬Q+GÀ	#ŽšI£�lðâ)3éfÓ7“ÌOá½æø¥ç‹Ð<}Nͨgjˆí<)ʲø
¸sJ÷EMÙzcH®oä*fQнgäÒ†íÑ�Õ-iÈüÑ(SžÓ�­_+œ_q¯I·ÅÎj[K®OÚ‚Œ
oßΗGgÕû]ÁåUjÆlÛ–Ÿ
-îŽ5¦øßÇý~¼öï½çy>¸�«G;-õŸWG˜¬�7ÊD-“å—2ùÿø$D‡Mº»GÆHò7ŠM0VðöÁZ
-SŽá¾{{ssyÁ!^ºØï²ú‘¾HËÚÖÇÀmìŽtÑç2E>§ªŽ‹ùz:	"h£�‚
/ÐAˆÊ†:w+V–×]íäÆϺ(ÉÕ¯éâÅ­Þ4) ,â€ã{±NùPCºQÏÑ0Àærh )玥îÕ‚ÔpÆñaÅÊñ[‰†ßôEcÑ—MûΣRι`»ŸƒãC0
¤…• ì´
-v5MY�dKØVSÃÇ¢Üuœ
.ôDVN*®o«ˆrk<#};°f~¡ÒF›çmj
°/ÓtãV¢rM4M?cBß‚4tÅeäœÞA;U«"Ð	�ìH>YE‚ø°Ôc÷	48P‰Kë΄?7Ù&ƒHÉ&�¡—”
-MÙzsF)NÍ8#
À·	ØÞPÓ�Q§$àÞ½BŸ}óÑ�Iú\VÙLŒ™Þl“Eêè©“¹‹ô!Ï
-Ê…–Š‹±Hv»�¿Ž¾ÄˆÁURyEm·*Ê6•ßQMɆ…Uä™+ãjíNGÛRyª#|Õ6wE¥ýÖ-çªFQ°’P¤T¿{é­Ÿg�xS~ãZõ+ðö‰¼Ž<eŒwË$–
 a¢ðb@¹{.>$ý¿æôývendstream
-endobj
-1873 0 obj <<
-/Type /Page
-/Contents 1874 0 R
-/Resources 1872 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1885 0 R
-/Annots [ 1877 0 R 1878 0 R 1879 0 R 1880 0 R 1881 0 R 1884 0 R ]
->> endobj
-1877 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [134.0621 486.6122 267.5615 497.4265]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://127.0.0.1:8888/)>>
->> endobj
-1878 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [297.4503 486.6122 448.8825 497.4265]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://127.0.0.1:8888/xml)>>
->> endobj
-1879 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [353.8228 406.7994 511.2325 418.859]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://127.0.0.1:8888/xml/v2)>>
->> endobj
-1880 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [55.6967 396.0896 69.6444 406.9039]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://127.0.0.1:8888/xml/v2)>>
->> endobj
-1881 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [283.6482 396.0896 453.0131 406.9039]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://127.0.0.1:8888/xml/v3)>>
->> endobj
-1884 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [432.8521 194.7399 481.8988 206.7995]
-/Subtype /Link
-/A << /S /GoTo /D (DNSSEC) >>
->> endobj
-1875 0 obj <<
-/D [1873 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-566 0 obj <<
-/D [1873 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1876 0 obj <<
-/D [1873 0 R /XYZ 56.6929 749.0409 null]
->> endobj
-570 0 obj <<
-/D [1873 0 R /XYZ 56.6929 357.3808 null]
->> endobj
-1882 0 obj <<
-/D [1873 0 R /XYZ 56.6929 326.1646 null]
->> endobj
-574 0 obj <<
-/D [1873 0 R /XYZ 56.6929 245.5328 null]
->> endobj
-1883 0 obj <<
-/D [1873 0 R /XYZ 56.6929 214.1573 null]
->> endobj
-1872 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F11 1353 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1888 0 obj <<
-/Length 3651      
-/Filter /FlateDecode
->>
-stream
-xÚ½ZÝsã¶÷_¡·Ê3gH$OÎ�}uš\ZÛi§sw”D[ÌQ¤"RvœNþ÷îbü�éœr�éè�,‹ýøí‚r&à'g©‰„vñ,qqd„4³åæDÌîáÝÛÉcΠ³á¨ooO¾ºÔÉÌEÎ*;»½ÐJ#‘¦rv»z?ý×ó¿ß^\Ÿž)#æ6:=3VÌ¿½z÷†z=^ÿøîòêíO×ç§I<¿½úñu__\^\_¼{}qz&S#a¾b
-/L¸¼úþ‚Zo¯Ïøáüúôãíw'·Ý^†û•BãF~9yÿQÌV°íïND¤]jf�ðGDÒ95ÛœÄFG&Ö:ô”'7'ÿèÞú©Sò3:�Lª’	
*9%@ã"«•ölwû¦ÍWgŸò§wsÔ`ŽI#'…‚…pð&{‚íÇé|‘Ó³É[jdþéæíšß´õ–eþ�—Ô¬ïh…xÈ•Tpœ‰°¼D•mòU´¬«»	n¬Š€Žä¡õŽÈ>íº¨˜z<ùã©Ss8N-Åüꎺæ¶hاén¾¨Û5õlËl™7¯x3ëü	Ù™á H©ÔÍΤŒœ1Ês’íNe:÷;Wólµ*Úâ!ÿÖvîë_¬òB¨*_á_Í"SAd*ˆLõ"ScÊEµÎwEKÔ|ñÄ„JŒ»&–õ|±o©ñÂúŠ÷¬Hd4ùÙšz^W%m]Œ·¼o<0…NüÐn×~WÐêO€ŽQκÙwHK[<Jãi¡Ý)
F(„
-&éíí9ëg
-N/�Óx|ºŸ—’6jüàeÆÇå}½A�Úò‘î·lí5=AÏxL¶oëMÖKðIO§RJ/
-võžçU›ïà
-ô¸
ÀiÌüŸ—¨…çWßg5ÛºjxÁe½Êñ$`ÈŽZgâ¸
ó´EµgÕßßòxsðÿüQ’�¢$VýôçǦ4øçô‘Ç0<Úóc¶}Ài屄wA!)è8„76Ö«;ôJÍ×õcŽ{±rQ”†�[�y‡Oà_Y4´Sh{Ï)5•VÌÔöè€!D§ÓÃýúe`ÉlÕsÈËNðÊÆŽÍ%é—çoµ0
-RQxKåX>(ÃÊÕêlñ„m˜¢Ù$6¼óÕ)¯
-¼*´¼à™­2Ñ”8
éF’Q÷„@IÀF‚ØD�tƒJǧ ìnÃ=³!Ä’?ô?’̆
»ÜUVöI4ÂF&�d$ï~•�.Žc"„ËH¹Ô~~“V{°I î#<ÉÙ`ËÝÂQﲪ	�ú›
Dï5:Œ~{l�9ØxèŸ!fͯZ꬙•M=ÜÛ²†øó[ÎËr¸Ÿ�A¢ç
-T'pé!Þ‹°ù—}A
”[äõ`Â+¼F°öËž4Ž#•Ž“I‘Ä‘Òêhg!U:u~
-j»Í³]CØU™í†î4�0Xås])îÏ棸«>›dgL…/|²SNç[™>×$õ�…ušø2¸0Q$˜ÑÖ>~@':…¼ôNô‡µ”Ö짤¨�#VS…A—D
-}ÙZ§&„M¥ÑØ_4Ìâãš_eÍÁ¶ØSC#M‚%VGB§ñ×ã.§¦�‡Óúè,I÷~i�8E–OoI2�Ýi:ß3†þ�88EeK⨳]ÒÁMý@SdŸ}??„¦ˆ3Ž(ÎÓIbÒ�Ê	X˜Eràd §ƒxÚ&�ÚƒZE‡ë
ãYxNÉ56äWÇ»Õ8ŽÝT㨦OX›½hOå<üW—Ú�ðƒŒ¬Ir¬Ùd•°=§Â ¯ÉÌ(�bìæU)Ðû]rOÁ|µÙ§œ»X²¨3
{qvNzøãõ�3cÙb]páÞ¨òØ®ëË×Ô0BÊеɰ�SeT•2‚}G½Ì›fƒy{”Nõ 
ÿ h˜8XP'c­þv‡|RØ \^†‘.
&éíÑ?:IV?ß
-µßtÉZŒ>�·Yï¹"YÌéï;²æÀFÀ”¨»PŠÉê óó¾V,ql.t3wÙ�§V¢K¾ÀÊê¢âf]¡›…ìj_9™Â
àdWËxÑ�@ÉÒÞ°!1õ‚—kò¼	ÜLB\A–š
‘„Qj¢&�K‚y,?…Åjzn2_	EF%e�1VêíX¼çÂR"y.¬ƒvõÌ‘ç¢"hCC²’qÀê)"}¾«1dÅWTUî+§jløfUãR¸'Òk¤tGo›šß\
-`Õ5&Oˆ½$xÙÉ7±ß;ë«cÏ®2`±`M‹§{ìT0ÆÞÞº²Õ*ÜDÌýSv:kXž©ò_[.ÔLÇ4‹’ê#êQZ=‹iH7»k}v„M^Ó_bkŠb^”hEÉHöheˆ'x°‘RÃÐb^P¦XD±8ÚøSüNÁN]ÈY××Í–5WÎTÔफ़éŠWIïü.À_Œ'ü¹B¸gë�oâ†KB¨ƒF¯IÚÕJÒNüõßò`?�$h0HJB°L»À�
'AŸglâ6¸âû4ºŸß¾õñ§‹1}•ŒÜÌT�wRþÀù÷GGøsÏ;—µB�
=uÉ	T'¨qª…Æ®-B¬çY¶ÂTå…«W-Ud¤³_–ëN`ÉȺä0u'•ŠE%R&ã“xa%hZÉdô5ú™*€‰pZäxVǤ�<ð�ù##^ø.ÆH»ã/Ú=êöù÷ÙÄÇø)
-¿{-hð¿<PÔádµ‘…Á‚þù@‰%êuVqa7	EpèæëÉn —w¼Ð9Oçò¯Ïמh •Êü	vLŽs„'P›b‰6I÷ ¯(Â+
õ“—Ä–/AcÏ®h[¿=ø ¦VF�ŸëýÎßÓàú«©Â�I"%Íê÷’Ž~®Ê)i+Èç•SƒBŽõ…œ'f"2´ðw!0¤*Jâƒ4wƒÛXq}«Õ¹\Ð'ßTÇ—ÞB]®öÕu庞mÝ4Å¢‡‘ø‘ØY¡Ÿ³	Ó\_L[ò5
-ק‡u¶Þs*îSFFûïÎKœ¤·ÙRLÔöþSÿ§^‚�R³3zhkAOªÐá7&±2óŸÊ%”;(-á4Ž¸?Km,À�8£�Íî«úK±1M‡0Üó‚®›ü¥�*µ‰ðKȉO E÷µÒÿüÁeÿ5jœ`ÙSõßRŽö,l”‚ôS¸s'9ï¾Ì|Îú
Û“Wendstream
-endobj
-1887 0 obj <<
-/Type /Page
-/Contents 1888 0 R
-/Resources 1886 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1885 0 R
->> endobj
-1889 0 obj <<
-/D [1887 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-578 0 obj <<
-/D [1887 0 R /XYZ 85.0394 719.5795 null]
->> endobj
-1890 0 obj <<
-/D [1887 0 R /XYZ 85.0394 689.1253 null]
->> endobj
-582 0 obj <<
-/D [1887 0 R /XYZ 85.0394 610.2286 null]
->> endobj
-1497 0 obj <<
-/D [1887 0 R /XYZ 85.0394 579.615 null]
->> endobj
-1886 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1893 0 obj <<
-/Length 3406      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÜ6îÝ¿ÂÓ—“g²Šø¡^ŸÜÖIÝiÝ\âÞÍ\šÉÈZÚÖD+mWZ;îÍý÷P+­é¬¯íìƒ(�@
-xž(ÊI^)Ã	PsɃúT.wêS¹ õ!Ô©!îÈ#UØÉ\	°ÕQËæ.®û*î67�=€]ç©ò{
-\
‘ªÊÞ¢Ëщôô'¬
·å@ ÔB¶=ñ/�§t3S¥o&XœL„Éc	b÷2!G°*ëv°mÙVì„ÖdŸ•íÙWÕÞgmëf`P;ê}&

@òY®*̓¼cËî’"ÃÄGvwv³©—KËðkbpb
-0XZÔO9ËøXg.¦ÁcÝÝÛÍõ]l
-±Ì‚ÇÑ–‚u×´Òç°å°»'5v˜cu†ì¾îíÎ1O¶ýý8¦ÇwïhðÛÖR•A^u�䯭ãbA
-Ó[r3×5lÊELíÚ¶Ë1/ôùÝý-g¡”
-Øtç¹ð†ß]ï”ãh¿ëC9*ð’%Þ{Rôb“2NSWRMœ�·ÁD6Q™ç
-ì<È¿�I�ñ“F@7gñ)S˱ÔSóºqƒ'M
ÒЬ3â/™w¦Ùc6Àr…)ôÌÞ°
•W÷+¥¢ëOôk[Õè×í+ÎTSUÊ­fbÆäÓ6ŸéXdc&ŽvˆH ˜"�c<°5ƒŸŒ
ji¯ËmÃ;q•<ߪ�ì=�µTr~VKWK‚<&§ÊbQ*såÏ�y›á˜l"8s÷�PžoxB[G•cM|Pz*Ö*‘_”¤€Z§éÿ#½?‘£#*ýF›ž77”ŸBÙ&$I9úÙ½<k«'ÒÎIƒå¶®°ÊÍ´/-ï°3

-0‰™×Aò]KNznЭi¦±w¶!†äÉ"1Šx»áVÎò5œ�šçÕx]M ¥O©ó8O÷êv—|7OlÔÓˆúz‰ÿ‹G1µÌ|¡^PŸ–‚eñ”¹dž;cB7,€›Ó^ù�[$ã¸ÿèÙ<
ã¢÷i,M:8ˆ¢eö3¤MU=kÓ
-|cò?ø ONæèØ{Ÿm$ÎE…þŽ€ÀB0@�]²ì	ÂìÜÐ5UPëú€1ù;ãßô9a¡­úH

G»âmâ±¾·S	øKp9Í©13z=Ëk‡‡5žöI.ãõWH–ÓèmÏuÇ~]u3äVlŸô†a×*N
-=n[îÝDå“ý¯¦7Í{¦$«—/iÉ¥;|8ò€Â1×l8Ä{7ð¸é­µþ¿j:žu™-’Øý^_ï_<û¿ L¹{³áÖ¾lv�ǯÝÜÕ¿Ý“
®<Ò_Lã§þ²’ÃÿÙþ`—Œ×Ìúï|»ÿ:ê<†rR†ÿ©'s°¦�0S¸##qîÿ÷÷˜õÿ
õµ»6endstream
-endobj
-1892 0 obj <<
-/Type /Page
-/Contents 1893 0 R
-/Resources 1891 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1885 0 R
->> endobj
-1894 0 obj <<
-/D [1892 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-586 0 obj <<
-/D [1892 0 R /XYZ 56.6929 675.8159 null]
->> endobj
-1827 0 obj <<
-/D [1892 0 R /XYZ 56.6929 651.4464 null]
->> endobj
-590 0 obj <<
-/D [1892 0 R /XYZ 56.6929 522.8339 null]
->> endobj
-1895 0 obj <<
-/D [1892 0 R /XYZ 56.6929 492.6901 null]
->> endobj
-1891 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F48 1253 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1898 0 obj <<
-/Length 1144      
-/Filter /FlateDecode
->>
-stream
-xÚ­WÍSÛ8¿ç¯ðp"	ËŽ{8Q6°tÚ¦é‰2Ç–A‹m¹’’�–ýßW²dÇ`|Їõ~ïû=	Y¶ü�å{Ðvƒ�5
-г‘gEY϶nå¿ó2g@u4O}šöŽÎÜ‘À`è­iÒÀò¡íûÈšÆׇ§Ÿ|�Ž'}àxöáö�7´?]\ý¥w=œ~¹:»8ÿ19é�‡Ó‹/Wz{2>OÆW§ã>@¾‡$½cž!8»øg¬gç““ËË“Iÿfú¹7žÖº4õE¶«ùÕ»¾±­Xªý¹gC7ð=k%6DAàXYoà¹Ð¸nµ“ö¾÷¾Õ€�¿%i—ý<ׇžïŒ:8@
"dž�=¬‘À¡ë¸¥ŽŒš÷Áжט+­$4p\ {P;:Òÿ¿2º$1Ö‹PÍŠ³¹$x¥g4Ñ£¸3¿ðC¨NBIPñ@ž‡Z<~ÓÜ�<J1Éo
¿8f˜sÌÛø$˜åaªWw”ÛøN‰¿Á=hHr ·þ”®ý¡çµéĺ0tYÈ%«ã.á’n�ƒJ.Ï4
èÄÿo‡Ÿµ;´×6F–Ü4—×õ¨ì{ŠèÎX45V‹R‚sa›SQé+OâX/æë�;_ð^Áð’ÐßDC§3JhÐbûÇÈ”¯�õ¬[÷ŠÑ'nln¢xi–³%‰ÌBÐ*úšab8wʶ•9}QŽ®”�a*‰De»·$…óLRD4!É묠yj<S,æ)‰ªUE2YȼŠËw%†@ßm—¿’Îs‰Qy¢‘[ø/&jü<:s�UÓ$Šù`$‹àHûH•tg$ë»]›P•ïï"8“þ7Õœ…Y2�ת™ÊåD®çnJÍfy˜™åu”†œß´,fBeÿRr]ç&]�_ÌÖíüÐUpVfÐ,%\ÔÙRŽ7]^xŠ	ªðþ0XÁÂœ'˜½¶Ã‹"«æò
²j8 ëZtîù}Ý÷f”ÍTª¿Šç²E@÷x­ 6ø
-ê€IiK®ÛŲªOù"›«øØUŸ‚ÊÔ7R¤4ª`[vÓggúìŒ-ªÌ¼†ÞìãnN�l$iG&)fÊ3³ LÔûja8è˜÷]8ô‡N§evÅ))z%q‡`‹OK*‹Múi{ö*dùc’ô‘Üæ”a¹‡Z_²ŒFÌÞ‡žÂ­HG!‹÷�TMÏ‹d#�ž)©Z
¢$lmhik:´37Æ·ŒˆíŒØY阄é¢hÎg´u7ÞA�MËQ]¸ê“;ꢬÈAB™¬.»	Ù´Y¸ÚËÿÒÅæƱ·,ÀÐN~W
-ÉÙŒ8ÚÅ”­ê°Q:¨:õ˜ÆÅ^ZÌÚ÷´�OÖn5ÈCÂÀ<äosiI�0š�˜$²9á<ª²}Ÿb]ˆ¬
-endobj
-1897 0 obj <<
-/Type /Page
-/Contents 1898 0 R
-/Resources 1896 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1885 0 R
->> endobj
-1899 0 obj <<
-/D [1897 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-594 0 obj <<
-/D [1897 0 R /XYZ 85.0394 445.2582 null]
->> endobj
-1746 0 obj <<
-/D [1897 0 R /XYZ 85.0394 417.9153 null]
->> endobj
-1896 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F21 950 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1902 0 obj <<
-/Length 1201      
-/Filter /FlateDecode
->>
-stream
-xÚåXÉrã6½ë+x´R„àÎòÉãÈOe<‰¢œ•
-&A1·! Û²5ÿžæ&‘5CÊÎ)¥bñÐ
¼~h�(*üˆbZØr5W±]›*1/©Êô}‘êT„š_}˜�~¾ÒmÅÅ®¥YÊ,h`9Xu¢Ìüù™…5<õìòËÍÕõÇ¿¦cÛ8›]¹#ÍTÏ®®›”¥�Ó‹ÏŸ/¦cD“œ]þzñûl2-»¬
-ãÃõÍ/e‹[¾Ž€N'W“éäær2^Ì>�&³­/M‰ªçŽ|ͪâƒÛŸF*Ö]ÇTž ¢b⺚�SǦ¡ëuK8úsôÇ°Ñ[í\?¢bM·´Ž4Hc
[*@Ù¦‹-]Ó‹œ�‘¥ªg}Fü9ÈP˜Ü!Á_XÙ¯¢[–•åóòµÈ}†‰!Ø5MmEf4
Ë÷C†’•|;’äÑ $ÒDŠɃuY^3±L²eœ”ÕMùbÏiÈ=.[�¦NâpÝÛèr*ä³�Vƒó’ØCd‚DB÷lîákºº}`ëÃe:V2ãñÝPëD²Ê¼Š «¦ÊScI}?«×/ –�u8†¶
Ý,`~*ºLìÚ¶¥4Ú
„”ƒçi’UûÀÓe^YtX‡ˆ­cÝpÝ[‰­¦¡Ö¡¡Ž‰u˜¿2Ô8b¨q¢¡.Áš£Ù�»õ’Ä	I%’{I‚U¶ˆ,¬Õø»%øz¤!÷¹\#Ô90/+‹Þ,Èqá‰�9(N|&N
-Ë&Jþ¦r•õ‡:j�\§§I—O%½¥õJÿ80ZÎD<FÀ�ûB¬N–¼·ƒ–Èl=‚Ú1¢eˆòyÆ<™d•¥TÞ/cõa.]�
-endobj
-1901 0 obj <<
-/Type /Page
-/Contents 1902 0 R
-/Resources 1900 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1885 0 R
->> endobj
-1903 0 obj <<
-/D [1901 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1900 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1906 0 obj <<
-/Length 1187      
-/Filter /FlateDecode
->>
-stream
-xÚÍX[oâ8~çW䱬d7¶ã$VŸ:]Úíh§3˲Ol…\bZkrabgZ¦ô¿¯s
JèEZ!dlj?çó9ÇdÙæ‡,ŸB›0Çò˜©�¨5�z¶ukÞ]ôPõ
X}ê_}õŽÏ‰g1È\ìZ£Y
ˇ¶ï#kŒ�Îþ8ý6û
-™ç¹V­Ý€ ²óxž¤ÕLÈù$¸ná—Ç,$¦Sžà§[§ê>§Ê<ˆ]²%UgUçuT±M &k�1jp�¬5´�ÛbDi«¬-\÷J‹1‚ȳÝîtž=Ûw·htt
‡A‡0·UïL	°Só=¡Ö©�"Áõ ñ°³Kú¶Hð$cûYî�ƒMP}@ † .–ª–yù•Ä(͵TZN«„9Ë°‘”MFV¢Ñ›~fKÉ[ð“‡2�za–$ƒcžžçÃqùpÝ9#æ¸æ›,
-â$êUKT%/¹ÎÒîP;	éÅ\¼
-$àšßð•Òû‰†1‘ŒA*fÆ€»bá~õòÿv�‚‰NA ç<…h°02d*¦:I«¥yÎõÝ$æQÏå™Ù±2;‰U“ûeÄ�›ÿ2™Í:Ø!ãPæ
VzÆáÙ.ÊB-A¹'jÝJuÀø%ÒÄI¾³
Z‡ûa
-Ï“EÞÌ’Ô¨ºQF‹½Lùý>Eö£h°AÉ­ZÎdªôAÊV8f'јþñz³ÙíÛØ@¡öÔYµg€Ç�™�n5¿\6	û7J¡ƒ<¼¥_Ë müÖ'GS¹^�ßvlLn5l��_¾`è~-€>ä~á|R~ïm÷ÖI½ãIùã�smlÄx!m×aæ_
ðæË·ÍͤcNo¾�×÷j×îÕˆíB3oE*7ŒÑmæë[ºçÔÿô |�endstream
-endobj
-1905 0 obj <<
-/Type /Page
-/Contents 1906 0 R
-/Resources 1904 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1885 0 R
->> endobj
-1907 0 obj <<
-/D [1905 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1904 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1910 0 obj <<
-/Length 1066      
-/Filter /FlateDecode
->>
-stream
-xÚÅWÝsÚ8ç¯ðô	nƪ$˲5<¥)äÒ¹¦w”¾Í0DðŒ±©,Bé¥ÿûIÈ_HÒ›X}ýv÷·»ò
-9Pÿ�ãS@fNÀð!ò�é²�;½vÕBù·ØäÖw½¶Þö½Àa€QL�ἆ†ÈÎFm
-0èhؾütÓ¿¾ú2¸è¤=¼þtÓq±Ûýë?zVº\|üx1è¸(ôQûò÷‹?‡½�]¢9Æ»ë›÷v†Ù¿'@½~oл¹ìun‡Z½aéKÝ_=ãÈ·Öè:3íö‡}g£ Æ°³lß>ñ¼b&n}nýUÖVwGùC`�â	ªB@¡†
-|¨‡½�£ŽK!lóX¹Jò$›éféZN…]ø
-}­È˜ÏfÒÎ<§=­4�€xþì·Ý’XP§6¯A�=<Z¥RY1Z�ÍàÖŽºöïv‡àbÈ
- =ßÜ�¡hh˜Ý3ã<ñ
-ì²-Ví*îã„Ž¦1ϲ<
ÿ±ß«¶«2Æ:g¦:uÖ“î:x§÷ÛZÈm
nçu}‰,/¹š.ƱÎ>;ÿó~2!ïuÊç"Û•…U•pŽ	
-‡¬Íí¸øTyš®¶VJçv“* L“d%]nV(×òT1˜»LÐS›(Ž­4MÏ'qs•Úÿ•ì °�ÞG³|�¯Õ"•‘ùÊÜSI¶ÙÝ°f`íÐB¤Àa¾��€�zº±­±ûº€“±
´¾v$ðPÓ{–Õõê×Oõ4$
ð—²r„€„Äó�Á2ì2úèmV<“ò]5ÓÿÛ«¤Kendstream
-endobj
-1909 0 obj <<
-/Type /Page
-/Contents 1910 0 R
-/Resources 1908 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1916 0 R
->> endobj
-1911 0 obj <<
-/D [1909 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-598 0 obj <<
-/D [1909 0 R /XYZ 56.6929 278.1954 null]
->> endobj
-1912 0 obj <<
-/D [1909 0 R /XYZ 56.6929 248.0815 null]
->> endobj
-602 0 obj <<
-/D [1909 0 R /XYZ 56.6929 248.0815 null]
->> endobj
-1913 0 obj <<
-/D [1909 0 R /XYZ 56.6929 223.6701 null]
->> endobj
-1914 0 obj <<
-/D [1909 0 R /XYZ 56.6929 223.6701 null]
->> endobj
-1915 0 obj <<
-/D [1909 0 R /XYZ 56.6929 211.7149 null]
->> endobj
-1908 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F21 950 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1919 0 obj <<
-/Length 2618      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿B�ôLÄ€
-<
c›Å(°0QíïJéo�¤
_)
–÷ŒØ¶|þºÿ…g‹å’Ñ]çW®d�»�uåþ™¥‰~Sô’Cœ0
·hfR�3׋ÞmÐâhƒa·,zYVñ¤…õ»ã˜ëNñ"6F_EzD 2Š².·eã·*FuמóÄ^ümSlñöâ¡4©{3¯)ÂãY0

->·,WÅP÷Xûý¾hº•_P8±2˜e9%œµ[`7�‚]»Çû¤:HcÚ†G
-
-Éœ»‚ªf%éO¹8
-ˆž~ð¨#ãF»ûMWeÑc¼¯­“rl]2?9=
-endobj
-1918 0 obj <<
-/Type /Page
-/Contents 1919 0 R
-/Resources 1917 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1916 0 R
->> endobj
-1920 0 obj <<
-/D [1918 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1917 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1923 0 obj <<
-/Length 2502      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛÆñ]¿‚�ÐŒ	ã>p
-�Òv¾+Wó¶;,QAïï´±¤@éÀ²ÑÞ€FS{ÂüÑÔ/•-cÚr[V~ÏÈ®a¤ïÙ™Ï|&x)»�oµnªªy)ë'Æ¿Ïñ|p’¹RaÇšŽ´*v]ÙÔí_®ç&Ízîl�¹ïpã,’Ãer~_U¯<_5õ·(ÒO‡ýµJƒ"‡äY°÷ mϬÝÆ×LÜí}ÝNe]ìEÀ5˜9Ö4k¶8³xyDn}Û¡P„Ûbÿ\ìÿ
-î¬tð²)j¦d!«Ã¾…‹1%žǺXmë÷¯L¹nD’?=?·ßÅ^nÇïÚúnµ)Z¾•ëc°'+O”À
-Úª
�]«€”ós¥�”=¡›oQÕ~[ð•�V™€æú:gà©:‚Ês–ܶEìŠÑdCê¬^ü«pÚBØ‹gT"Ñ­yÌËõ[Æ"éuÇQºM³/QÏ£Êôú"+¢åqåA…y8¥ó‘ÛÅ&·‹uFlˆ¹Ô®>—ž—QÓü
-"åL=["±µÂ„Ú½”¬u¨(X�¦{ÁEÓÐFYzª6¶Ùå†F…©Žb&�TÕðëd]Í{ª‘�èa&ê£B¬;„Pw8n}Ywð‡Z#|ÍcÙó£µjÖ<>|á‘Ü
tÃR‡·DÎ5aKöEïì‡8À×FSøǘŢeœ®Ø×R”R
<c!ªmÊÕ†)W?�rY0¢-Šóʘü°Ýa¸›ðVV�ë j–­NSུl
-‰Å¤½1öu¾^Ø _2<‡³N9Ž	#ízVÈ´)¼5²2]z0bI	V%�g4ÛZ%$º3[ƒ€¶Ì‹cÈ
-ÑzÒxÊApÊÁÿ}pfÐÆ	iRä;Žìµ©ˆe-Í°�2Ù©¿�?fc“‘Å)W
&ç<
ÊшⲊÖÀ”�hçDáëXÕ LèäUª¶ ßµ¼os2Q ¸t|2®)]Fí®M÷`YêÔõÝ”´4S¯rÄ çÁó±°p1ч~³5oöÚxñVÇGÄ@G+®/O'Êž•9›¾¥ø3×)%÷{/†í*ÉO=n#äËbãŸË>	ö̼Lé4ß,}5õàL6>w¨)}dÐLDÙ ·!@ÙÐ&™=u)ø-ßòÁÂ*pB¬¿¬½L;¸ŠYdßvœy�¹kˆÜˆ£’¼)Ʀ®^qA„“"
-[0¨M@ÄF€‹@Ôa·<ñm�	Oj»’Š1äÔ•@£m88L7»bE•â™9É–ŸúøfÉ3®$¾³:9–<‰‚¤ªþ„Hax³Ü�¨œDö­rGGabfrä\F*Ú`­yé­.
«ûøN=¯†V¾¬Ë®äU±¹àü/�dÓ¶&c3¡›DÈH¶A�åÖW�»ðçMäƒ.Iç£Y_TM–ßÿdWý7:
-endobj
-1922 0 obj <<
-/Type /Page
-/Contents 1923 0 R
-/Resources 1921 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1916 0 R
->> endobj
-1924 0 obj <<
-/D [1922 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1921 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1927 0 obj <<
-/Length 3024      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿BÓ—Ò�ˆÅ'?rsªã$î4vÏöÍtÚô�¦(‹­Dª$eW÷ëoP˽K�‰¹\,€Å~/h>að�O2™ªIœªP3®'ùúŒMaì÷4SG4R}wöí{OÒ0�D4¹_ÖJB–$|r?ÿ%¸ø8ûñþòö|*4¢ð|ª#|wuýŽ0)=.n®ß_}ø÷íì<VÁýÕÍ5¡o/ß_Þ^^_\žOy¢9Ìv…&¼¿úá’ ·³OŸf·ç¿Þvyߟex^Î$ä�³_~e“9ûû3Ê4Ñ“gxa!OS1YŸ)-C­¤t˜ÕÙÝÙ¿ú£fªO~J$¡ŽR€$—¡*~y_ÚƒÁ¾I¦B�¶�rÎBÆe«'<dq”ôJQ| .ãPr.&±NÃH
-i´Òó²)òÅóí{!†Zda”Æ
-vAÂ[$<çI€ÄS‘êà?uU´FAF#„߶ŜÐ]M˜�®ŸÊ¹%ɪö¹hÚCª?¶ESºŸ—EEèª6³§È!ðç
S­…aj�­€H¤
íßÖ«mWÖážëíj~0¼]uô^Z’ëŸÞÝ|š]]ÓÛCQV�Ã	ݶ©Š9šd2¸©V; 44içHI+#%/[z¶Ûͦn:#$ Ø
áŸÊâù<Ahuq ¼8
c©­.²Õª~ž¢¼v½é8L¢È’æYE«?´�Ñc*À "ÆÝiÈK�2Àk¬Äº¦¤ƒ0ÐH™/	ÌWeQu-½´EA@·,ZZý†>y]-@žB!9
´Áˬ%€ö‡#¶FPˆzw}wwy�°¶Ã9™ÆÜÎùÌ4{wóOON˜¬š�6»þÉkH½ì�¾©+wœÒµ|¬Hmæ´A•Y»}h»²sˆ"+W+‚ê<ß6¡F"!¡ß£Úa•˜1�EiŠ§á½Å"zÈjK¨@â†ý/h¥á9»`Œ¿]àJƒ_Lj·+¾�è+S2~ˆ;ÎÙÌëê3câqë‚‚JD�ÑX·ÛØ	GçôpF¾#STÙÚ˜AÊ‚ÏB¨
J@¤(»%��’�ÚÍb`de±ÀW—••ñqíÌsŠ\s¢[•GUÝ2CˆD°©ËÊ€œœP†
DÌ‹ÖlN#Ù|nuŠzKN{�Ákc[¯ýÊl­Ã4Ž!®ó0Vàû8ðÍp`€‡ÅA��1xÎè1T9=� øÇ/Mà+Oá@	l¹˜CÆ3bT¡E,þ6¶á‡ 2Jø¡_o�O¢£�¥	ÿ+±ÌîI‚°H¯#Jéçˆ5ŽˆÀÝ&«ÊvI/hž-�„¶Õƒ:¾†—w6Á™%
-=$è=Ä#“ƒiR~Qå&T~¿”NfÊÃŽFÐ ~KmŒ×[Wõ[)¡i+¨—ƒß‹MG(¬á”Kíˆ ñ#jU׿o7„í2#pD“ÃÐr�)»ÎÀ+¿�!ÛUö„Æ’V„q\˜
-�cáZá	9çÁ$KŒ>Elk>˜føG”
VJF&8¶·
-|3Z�).×�"JÂX³ÄƲ¦šç¶˜sÊmŠU�Ù¸­õ`ÉC¼.¶ã¡P#¾bB®N]ái˜“®ü2k›÷ÊW
KÒ‹©¡uð±~.ž
-S¡ dâê|‰…)fæã#O¡«	e,sò©TâàŒ‡¬C‚ˆ´´¬£òk:aN»)òr±£R@™êDª¾nP{ûŒ´Ï'”è}f™*¯OI¸ã
§ÅБWçÀÙª6ý†‰i�
’5ØsC µµQ㪡s

›½/k “0AWŸê0R\þKº/ö¤úlÈöú…ž”G¡LÒh¢bÆ,!‰Í‹Uñ˜a=­mÓ5ÎèŒCm’ZÕÞ/©@�{ÚT[w‚gQ-(涣Z
FÆ»dÛeÝÖ.†™Ò,^-ˆÍylóÎU·ž�êcÆMžÃ>†ØÍ*ÌtohèúòÞù
Ô;7·0ý…46«v„¦FŠ�¶ôd¶a}½Z”O°…91㽡ûBj…ÅŸ›U™›œ£ /o[®‡Ø½Xì¨}R‚lû4e·#|®a‰Ûø ú¡ð1Òç™Éeê
lûx*ûö&$4i¡y]XJÍœÍÕ… jÇsˆ O&ªâO#{N«yôÕ.÷Uj
-ݾ?X‚E�wlž˜)[ñ™Ñ#GLPaæ:k<D`év¥€Å¨êÀ‰bn¢¾°ÔÇÁCÆàq‚»K<h�=9P†‰Š]e†‰½Ûs³‡)®Ô»ª Ø­
-ß}¯ŠAI}MˆÙè
Å	y	,]
-w)'خ閔³>ï/Í ýÞˆ2„Ü
O�V	Zg¿Ùœbj¡…5m1ˆF)X¤õ7T³çÈ
-fx‘˜aï
mÑUwÈ
-�©NÂ4Å2š²†6š=˜ÊsàSÖ”µ©lÐ wÐú¬[™gÐ*¡ ±î…:¢Ýšë^œn)€›†FYðHçØnù¦)Ñ´ìÊԌœ¶¦g]Á•ä䘈ù½Ø=ÛÎôõôùñÎç
*TJ»^¨·G{»«êj·™Ù‚»²ó­EÑN³ÊUà‰FÅ!  >Aé¾Y›‹j1»Áób™Õ-ø:4 a˜]Ó<û士ózECù°ô1+UDJÞ
-hÃñÖ\ALb~zóžÊ³ý¡ÝF¡Š’Ñþwƒï(Ì‹6oÊÍþ{ÄÃcé¦1dT•|ÚŸbÜC¼�‰û¦w\µágIh¬¢ƒƒž¨ÚzúWŽ|¼.9ßÍ
ò¾:b	t*ÒôÙ÷T¯1r´š·l#;1MɶÀ€èe[sDžïw‡–µXÂÕÉ�{¢ã­íL‡2‚Ô?Üûï4³S_ e_rø¬…Š÷¤‘YòÓÇ=Zõ¯›XŒ§G'…Þ½ÂÅx­“ö�†^hDzóÚÓ¼l]–f¤hƒŽìK#%dÕ;÷4G[XWFÈ ¨öþ2ãJŽ�Ëž`´5^Å‘~Ù¾ ‹òÀžÿSæå¨Ow¼æ_6.Å 
-endobj
-1926 0 obj <<
-/Type /Page
-/Contents 1927 0 R
-/Resources 1925 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1916 0 R
-/Annots [ 1929 0 R 1932 0 R 1933 0 R 1934 0 R ]
->> endobj
-1929 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [280.2146 384.4392 375.7455 397.1764]
-/Subtype /Link
-/A << /S /GoTo /D (root_delegation_only) >>
->> endobj
-1932 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [312.6233 123.81 381.2953 135.8697]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1933 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [310.4119 92.6626 379.0839 104.7223]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1934 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [340.2996 61.5153 408.9716 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1928 0 obj <<
-/D [1926 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-606 0 obj <<
-/D [1926 0 R /XYZ 85.0394 335.882 null]
->> endobj
-1930 0 obj <<
-/D [1926 0 R /XYZ 85.0394 308.9113 null]
->> endobj
-610 0 obj <<
-/D [1926 0 R /XYZ 85.0394 182.7451 null]
->> endobj
-1931 0 obj <<
-/D [1926 0 R /XYZ 85.0394 156.1927 null]
->> endobj
-1925 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1938 0 obj <<
-/Length 3198      
-/Filter /FlateDecode
->>
-stream
-xÚµ[[sÛ6~÷¯ðôeå™
-Å•
-¾`�KxÁkN‹‘�}•ïÒêh}í¬w¾ÚóÚ.5H"ð§Î(Xœun@Õ~{¨m)-Ž¶pó««X¯í8ÔuVÛ÷j¿„®-æ%ož&(Fa×EEr:¦ÇxÃ\:¬9%*¹xçÌ+«Æ–v©3ï!ÙrE`ŽíèAÌù§?ö­‘KÊù"æM˜ËÂZ‹WYa"Ѹ‹¹½>²šÒü
-ÔbíjÚy
-4ŒMB¡ºa3VŸ?V3þñ¤®-<Bˆ(N®ØMY8„	ó­€¾vˆµ¤É)òÙ°B
·Øh®�»à
B/<Ûà…º9<Ø’™uµÛ2ÞŸ¶Ý ÂC^�6ÙnßmÑ�³+›`°Àæ>¾²õQçW6�2þ­ž²ÕóÒ«:ܳrF¹GMhîÙ¡•²‘ú{y9DU·‹b®›L°omkgL�›ŒM•¯×bcžOÒ
-V¯6²šaÉ[Ÿk[¨�E“þe[Ûn^ʪ&Í�Úu¹³enÃwí¬)|,–0‡3ÍÆb
-ĸ›…_\*´PióSæ·h²jo3˜öâU‹Ô5¦öǤµm©í#
-é_J!>ÿ	Qtp#›Ü}·û®zh¾›¾~¦”¿~ö½‘Ǻ¿
ÉúWdQÛr‘º;iFc±Üe»²:ÚGÛëåÃ6…³Pc;K�gí}é®ÐÁ$maeÖééÒ­mW�îÔ4é³ë¤Á€NöÖgwËñÅ×t{°)yv¢ŠiØ—µù"•Ù¦|ckÓõ:7±=ÝÚú~@á‹u•»«dÐôdRØmõCfîȘºm^<Û{Ü𤴵.`qwÍüN{�€,îÊ]6u' NO÷¥½Ò“ïYGºÕö°î(è®a
È•›Xõp8­VP¶…¢
q�ÈÎ�>§Žƒ«4èÜ1�Ì_ùLøçœûÛLtúK+.Sê\rL
-¤M¢Óe:BS¸dbDYB'lÿŽÜendstream
-endobj
-1937 0 obj <<
-/Type /Page
-/Contents 1938 0 R
-/Resources 1936 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1916 0 R
-/Annots [ 1940 0 R 1941 0 R 1942 0 R 1943 0 R 1944 0 R 1945 0 R 1946 0 R 1947 0 R 1948 0 R 1949 0 R 1950 0 R 1951 0 R 1952 0 R 1953 0 R ]
->> endobj
-1940 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [299.7586 737.5313 368.4306 749.5909]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1941 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0084 707.2808 360.6804 719.3404]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1942 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [330.7921 677.0302 399.4641 689.0899]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1943 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [401.5962 646.7797 470.2682 658.8394]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1944 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [257.6971 460.3869 326.3691 472.4465]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1945 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [258.7928 430.1364 327.4648 442.196]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1946 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [310.7975 399.8859 379.4695 411.9455]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1947 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [308.6055 369.6354 377.2775 381.695]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1948 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [294.1999 339.3849 362.8719 351.4445]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1949 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [303.0862 309.1343 371.7582 321.194]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1950 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [332.9347 278.8838 401.6067 290.9435]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1951 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [359.5147 248.6333 420.7148 260.693]
-/Subtype /Link
-/A << /S /GoTo /D (options) >>
->> endobj
-1952 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [386.0748 218.3828 454.7468 230.4425]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1953 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [301.97 188.1323 370.642 200.192]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1939 0 obj <<
-/D [1937 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1936 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1956 0 obj <<
-/Length 3103      
-/Filter /FlateDecode
->>
-stream
-xÚµ[[sÛ6~÷¯ÐÛÊ3–¸�nêtÝÙM»Ž;»3m‰²ÙФ*JqÝ_¿Wñ
-¶Û4™!ð#Îß9¸¯2ø‹WŠ£Œj¶’š!ža¾Ú>_e«Gx÷õö˜M
-¯v?¬ßüã滇Ûûë
áÙZ ë
ÙúË»w_¹ío¾}÷öîëïïo®%[?Ü}ûÎUßß¾½½¿}÷æözƒÇð=ñ-Ì|ðö®ôõýÍ¿þusýÓÃ7W·Ñ–®½8£Æ�_®~ø)[íÀìo®2Dµâ«ø‘!¬5Y=_1Ng”†šêêýÕ¿cƒ�·öÓ)ÿ1®'L¬6
-“^ÎPÆÁkÉ0¢Tèèe‚§¼PÆË»2¯Î‡¡±3¤±$«n‹#¹5!˜tc¬‘2&ö$¿/
-çðÓ“/ìŠv{,§²©]E³7Š
ÌÐe„iP¡¯ÿ@(%ˆ
-�é`e=4‘ˆ1©eÏD÷òø¸r…ûŽ±¿`ì¸]gìöb–!#U¢D"Ìõ‚×#jA‘qkF4âµ'�ÄbO°†uP	†”í¡¢*scý¦©«×Õ¸@Zé´ü
-âÆŒÅiJ”Ç|q½¡™4ÁQ{Õ‚F¼“õRV•7¢j½æ
-Ó4Ð$Ó(ÓJ™0Ešsb[=¯±Zù©Ø9.æ­{–{ÿ<ù§¯÷
›RÒ~wº~=ø6ÊYŽ��z¨Iûá¾Í?�ü v—XB¦cŠ®�NQ¾—¿é~0ææ¸]£Õ±iN›†!�PBö4Q4¢&ôèç‡akÉ°<C\ñ…°ì¢æÃ2¢ŒÄ}s|É�»‘û	F\b�Q’{”&qc\Oô·–7”òõs‘×eý¸?Wæ7³,4õ–ë¦à¸n^=¦šªÜ=œþ†Í»âØ:LU¶';Ì3ôã±(‡dÎw1z{ØE),±}‚
Æk³ÍÏmáeE«¦ù#�Ó»q/÷yY¹0$#L1î‡a¾?Gˆ
-Ž¨	ÉýäD!0=ñsâHûöù¹:¹Z¯ÛßZ÷ÓñÀó°–ÒÊÎHìÓ»»¢6빌ûÅ"¼éµjGóyxkè>'ã¥<=ù$&H­û18Æ°ÀÅaV†¦\¢1,o‡�ê…­,kžÂHWqf�»Í?TEŒìñpŽ™DB°ÐüsÞšIêäΊ¾Œú&N´¥dß`N[ÁšoÊIš”_Vϱ™€v^p»¨›ÊÙùëƳfÓ–¿�“†Àˆe„¥5ˆ¨	ú[QEU_‡?·¦b��-ˆ—
-&­TÎîŠQNãé›X}Gü‚ÙãvgwŲ¡Nh‚ñhA�Q[ÉÅ7ÿRŽß]Ô<ç"*ô”�þì?f•ÏÅfj3D™XciM"jB•÷ä�Lª¾.Ÿ�{s
Ô€…•2ÁA¥ÓŠôŒNq0àÌ·;ÇA9¢ 7C=èœì‡ˆZPdÜZš…BBTd™¯‹J°0 &û¬ÜUÓ,„°äB§5‰¨	Uú,4;"¦ºº|žÓ€”ECRH
-{PØß´'è¶öTnÇW`ÑN̶EJz�Å÷ˆÌÍ ¡yOþÝ~âúš†à¦êÿº¼nÇ?Ù/P¾\ZûX‡p·ÎœûWe½7wJ<y¡Â1Û^ƒ+ÛË=8+H™Ë.Û'W»ÍëxÎ>wççC±st—©,\9èsNÜ—‘ˆ)&—žé1§1¿ØXð"Ë¢k.—f)§ _)^¦; yÊ�µÉi`Vˆùnw,Ú¶ó†8l®ú¦Tˆ ±ý#næ$¼§„»FTÿNQ¡çá…õývãïaªÎ=L,™ÀÜSØŒ	?ý
¨°ùjî¾sOc¬|{©Ë@Üñ �|‚ª_Î�i|VÙ˜�[NxŸ?í“¿Ť#<ÛÂÞeÂu8Ô8QÛó±-?ݪ¶©ÎžçLzkYˆ&ü�JsŸs}ã^Õ
\<N¯®èÍd¢Û‚u”âÀe~LÚ‘Çœ¹;pÔ¹mjCÜÇs÷nLdm~(~u¥wïý�{Sßž~ú«¥m³-/WMí=:Sºñt÷´¿�?¡‘	ò‡íŽÌmù	âÁ?ßúRþå,0‰¨Rdf¾“1D©ÆA)ã0œ�&Yœ*Ä‘ºÿŒ7t’endstream
-endobj
-1955 0 obj <<
-/Type /Page
-/Contents 1956 0 R
-/Resources 1954 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1916 0 R
-/Annots [ 1958 0 R 1959 0 R 1960 0 R 1961 0 R 1962 0 R 1963 0 R 1964 0 R 1965 0 R 1966 0 R 1967 0 R ]
->> endobj
-1958 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [259.4835 737.5313 328.1555 749.5909]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1959 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [172.152 677.1897 267.6829 688.9903]
-/Subtype /Link
-/A << /S /GoTo /D (root_delegation_only) >>
->> endobj
-1960 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [352.4539 423.7962 426.1073 435.8558]
-/Subtype /Link
-/A << /S /GoTo /D (server_resource_limits) >>
->> endobj
-1961 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [387.5019 393.5457 456.1739 405.6053]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1962 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.9629 363.2952 450.6349 375.3548]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1963 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [398.5803 333.0447 467.2523 345.1043]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1964 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.0412 302.7942 461.7132 314.8538]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1965 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [255.0796 272.5437 323.7516 284.6033]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1966 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [311.5276 242.2932 385.1809 254.3528]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1967 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [315.9507 212.0427 384.6227 224.1023]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1957 0 obj <<
-/D [1955 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1954 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F48 1253 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1970 0 obj <<
-/Length 2798      
-/Filter /FlateDecode
->>
-stream
-xÚÅ[[sÛ6~÷¯Ð£<¡¸“È[š:Ýt¶I×ñ>5} %*æ®.®HÙqýžƒEèL�Ùv:
-"ëòðPZ²‹bµ:”u]Öþ¥îdeQ&ܽ´¿oªýî•£¹+]e½ßlö�Õî‹WÅuí*�Õfãj·Yíšò°+6›'÷<œ5âÈ.í…
qó\‚£1¹�–Ig1@´šÒù‡O®ìõŒLQüæWœf½÷;÷üãjñ²&‘ö¹ßÜ•5LˆÈÄÜù½ÜÛrU»Æµº‡î”áó±Fqa­ÙwmÔû̓eWlKoê¸[Á";ø�í–V… Â*¨ÛP…èWfÜNp#r·Ä­ ©Ä­02›ÎªdAO¶î½*«ËZ
-Wüy,O®ºÞ{0î¥ÇÇÇKÃç$ÚbpûBHzìú'WÞV�«XQ
--Çù8!b­ÚUMU4å˜+žõñPW^¯íÔQ÷~kánÄJ]†ºU•^õ¸,Xv6±ítë}Á�(z2’1¦gZ`ÇØ™hç@‹.Ê;6rZ´¨ÁÞwZ
-]õ3ÎHÎrÞçðqg
§Í¶,v<ÖG\#”
6\¶*…Ti�2…•¼¹ÃЋ­®¤VcPlªºqûµkYí·Fl{š]·o²3b'bj'œåÙPè…ÕZ>/–¡bÅ�Í‹cs·?TÈÖnAè
-öìƒJ¯Ílàô„íGE 5p…jPpnC)Úèìú•7¿wåûß<½ÕbLæ+ÿfmËõüñ®Ü�šÁišù‘Ëj$´Á’r)[TY®¼U»
 ô»j§]Òénœ»œ«0g0‚òù
Úÿ-¼òêã=DŠm¹kŠ�klV»”�Șöby}\.Á
J[††9ÇêöˆB²�{_¹õ¨Âõñ6hq�±t#6ª/¡
÷a=`ƒW�TPø!«úÕØ*ÚEòýÔdW6>nbÀFíPåe
�Ž­¯]Y¸¢¯HêÓ6Ç	‚YE£»:„çÓ6"›¶E
GfˆQq`YàÄhãæTÖ¹/—f¨gì°3§Ý¶Éf(%*ã"NgÚ�6�ªæ$ç”E©u·ÇÆ�Ùwô4ŸÈƒìÞslõINǧÃÿ”Ë&xrûäÔÈ´€ô•Ë¾Û<ê”
§ãæ¾8Ô~VÛiìä�‚pf@¡ç�ýlï›'Wu�{mDÅ&¿} É¹ïZ½Ìôó3ågäøBoq_~uM˜{aËõµ{vG¶Ñ¿Õ_^îwÚh†æ3�¼“‹KFm..²l<G¸<”q.Ž­…ï-œ•¾â³Ü'âXó	GtÏb=XC»ÕX¦èÞá#²	p"?§œp­Ô7)Z©ÿŸÉ9Ó’Hgž›�fó™úém½çÚžD®»¹6ÏXœkcc›kãCoàÙåÚX³ÇUkÃçÚØÎD»\ÛÂï|w?Æg,Äx̯­ÌÝ°m¢ÍA™¨ó`dD_!±å&$ÚÜäîdÊB¢�U·ùM–N´ñ]¿k
êO°Ì&ÚXÚD1.ѦæéòiÓk‹í'Ôg3îpbÛ^®3R$6!t†´ZH~~ç!ÐeGÂgGð⪓ù¡Ýq&í]içj6}¡>šò¦ŠÚ(‚!Ùßî[‰aë@¬Ý£µoî±9{!�Îh	’‚.êü… EYMU_ŦZUÍÓÂîxŠn2#R²,M£E�ðèÝ
-'Žï�Oe9_«²^ªûÓy¸_�„N“Êeûiãœ7
-rWÞ¿Uí†%Hž
µ®'®óðeæ*××[ü„ë±]çûòä%~σëSCN’+¢Ä„h‚GdiœDúŒj=!¾*!¾€
-Ëÿáp±Û¯F®£"'Td<M¡E�pè	O
-BY®ú$þžòòŽò"W†ŸañE«ÕÕ	E€ëy›R]ÀOøÛýÕQM2ÈdÓ+Т&˜ÄÖÒ€Òù„îN „ì<h¸TXÍñ0"=Y�ö)-(fѤkFÝ£ñòºë;3ä@ÉÔyíe’äF‹®»)éxÚñÈê7Oj¢TÆ’óß‚Ò4"[iÕQ Í�š�]•Ð]@
תyº/ãhGI.%O3hQ#z»>çp©èqxyÕO†>€�,ì8%:‡ëC׋”â~ÂíØîó57t"$5éhQSL"kIÙq»W
-b»Ï£ù0‘^Š
-endobj
-1969 0 obj <<
-/Type /Page
-/Contents 1970 0 R
-/Resources 1968 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1984 0 R
-/Annots [ 1972 0 R 1973 0 R 1974 0 R 1975 0 R 1976 0 R 1977 0 R 1978 0 R 1979 0 R 1980 0 R 1981 0 R 1982 0 R 1983 0 R ]
->> endobj
-1972 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [352.879 390.8395 426.5323 402.8991]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1973 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [334.0699 360.9009 407.7232 372.9605]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1974 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [373.9 330.9624 447.5533 343.022]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1975 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.6839 301.0238 393.3372 313.0834]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1976 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [307.1508 271.0852 375.8228 283.1449]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1977 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [334.8268 241.1467 403.4988 253.2063]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1978 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [337.0185 211.2081 405.6905 223.2677]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1979 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [364.6945 181.2695 433.3665 193.3292]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1980 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [374.6372 151.331 443.3092 163.3906]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1981 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0276 121.3924 360.6996 133.4521]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1982 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.7036 91.4538 388.3756 103.5135]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1983 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [460.1655 61.5153 533.2211 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1971 0 obj <<
-/D [1969 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1968 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1987 0 obj <<
-/Length 3618      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sã¶ñÝ¿Bo‘gN,¾	¦O—‹ïêLã¤>gÚi’Z¢-ö$Ò);ίï.€ø%É3Éx<K`¿±» Ÿ1øã3«&35K3•hÆõl¹½`³G˜ûtÁ=Î" -ºXßÜ]üí£LgY’afw�µl¬峻ÕÏóÿxÿãÝÕíåBh67ÉåB6ÿæúæ[‚dôóᇛ�ן~º}™ªùÝõ7¾½úxu{uóáêrÁ­æð¾ð+yáãõ?¯hôéöý÷ß¿¿½üõ«»ÈK—_Î$2òÛÅÏ¿²Ù
-Øþî‚%2³zö,áY&fÛ¥e¢•”
²¹ø|ñ¯¸`gÖ½:%?¥m¢…2³…I&¬˜–2K˜©-RÅ�J¥,ø””J¹üýawÉí|ñ°«·‹Uù€Å®¨–E3”
‡�”`鬻шœˆ5A�èЊI}z>ÅåB=o×n æ«¢Yîʧ¶¬+š©�®
sœÁ"™B"ÞÄÖ€–,KW2¼]
9
%R1Ýãœ&w�3ÜvdñÏÈ`¼.	ay`M—›„IR€FÈÓʈXg¯†„€Ï­æ¿0Ínê6j&oI5¨£±*RÍÜÀžœ'™Öâ­*Q¶«’4±©ðÙæM[ì&'A~Ú´¼ZM¬Ä3ÀIƒr›Mþ\L­$™Zã±–ëºDº\HÈá=Tuë¡Ïy¹Éï7ž{°3\üQW~´)ž‹MR)1¸®
4à�§ý»‹uÜ¿#òñ¥xYïÀ êÝëÈŸ•†¨ÂÔéí#ÖÄþ=Ö,É·}œC÷äÒshL:4¨Ÿ	P#›fc°·‘ <ž÷_!eÁNº,œò߀†çñº=ÿ¥£ýwD�å‰Éà<)úˆuŽŒÑjä½Ç¬Íd‰¶YzÆÚ:X'¬-`9ÿÛ·õbU5M±ÙxjÊR{zóˆ5±{ÏÖ”LŒÍxûÿ‚Ç�ËJY˺ú…1ñ¸'×]ô¡ÞÑ`õZåÛrIßÞ|Æ�†(óJ�|ÓÔ4Ú7
Úué—®ÃY„Ð:¼°©_høœï^Ëê‘VÜ\ò9:C�dé W™¤Jò yÞ6o‘*´ êóÕƒùÓ`›Wùc±-ªB³äl~·.ºÁ©©Ú5=ùǧºiÊ®š¢m�Ìæë	ßcxˆƒd#¥å’˜ýû„Z›€>´÷§b·-Û†Þ
ÜÈ‹ ÷ýîŸVyë„KW+�µöÓEqô°ßl^i–øZ4åcÞ|YHzGOñuÐߎdˆëJM³Q>¨e½ÝÆ“¤”àUÓ„]µòºBB]ë+x�rV7uö(8ë0cb¿ªÜ*ðl£�«FöQV-üOiS$Ãø!ÉYnö+Ç<¼HÌ° ûú¹x‡ãt~¿oi–üÁ�‚‘æNî�ÕÿöMÛ_‡;n¿òÀhÊ‚‘!8…DzzqaSˆy³\«ý&�’/—µÓúÊùb´uoKá–þÊÃÊmÄÛm&–Óæ2MQŒâ1dÚFA ×pð€œÅ¹"à/º/LDæѺÈ$©l
?Rd§’%!Æk{4�3¼€u†%ÓD¤)ïSâí¼·-¤oRþVQDüsŒÖíˆÂ…£mqTÒ³4Uú´,"ÖRÆ«!)¸oB¶©à\·Â¢Å�³´Tœˆ�F+nÓ~„€7ŽE�måù
¹•YXw™C\k&¶—ʉèâ¸Öj*Յ㇉°˜ó# qSç+Q°Æ¥ìõ–žÚÀ?�G)÷�N–Ò%fnÒÅð.Ï3ô`àKÂî�ç—3!S†ÑKÙ®iñi$ÆøÂÃMÆc Ùz.¦‚&7L^¨�6Œc5¢�F@�™äæmIyö�X©ß ¥²žFLÔˆé!j„	—s«A¥ÓO{=á`¨'„ÑY«¡vðŽ;K€{¨Ï
-;•B"ÉÎt	;HÇ˺€äœì,ß,(Q_@:µ®WãÖ @Ñ«“$D¤1
ýÆ`Šã´G„¯íxÆ&j;„:ÁA¬íðÁÕv8pµ\E‡ªèp*:­é”Ð<>ñïW‹B˜-R°nÒaý ±£oüz¢iDR÷=§ýö¾Ø÷¼òù‡÷=OòyrÐÁnÿ}	E(±�SûÄÙt¬ +†™é^+7`�±×:in)(1v®X�,GdÆ1n`è’1—O=SŽ/ &Š
à^¬
-
Ç8¿"ôõaðÓÍõp¤ð@\®ñàT
-ø¤óª‡Çq 
-®}tQý›œD@²è�ùuòº†Ã
!E'vH«c‡.�CÒz¿¡ÌÒÎBÝï·O4EIª
Iªã'µ ¡�¸iÌ™˜Ó#Æ
-»ú´à#Ö9:F«�LÀE
-XœéÓ¦ÖÅ:njëp
Šiï¦X@Ú¸¥£ªgqZ�€æ$k‚
-1è�ÎÜ#㯹Í;ÂÌð6�',Õ'OCu�É»';¶„~†ïѪG
O�§P=k}N
ë!ãÕN[œÄ63òŒåu°NX^Àê5h—û]±€Šµ¬h<¤D0žHÄO“±&hé²/È™
hùkÞIŽF�
¼ê¨*)–1ÛcúT³<àŸa¼î› Ê0'ƒ²ù¤"Ö9BF«½¢Rb¥DÞ$~ÚÊCT$SØ’+Îä¡:G~ò%5Ž¬7岜L÷ µ:áÂPmå?SÆ}?Íþé©Þ¹+(yàKMà|Q¦Ê±;L
-$оÜät{ÏÒùK½ûÒÐ�r^4ØקYwïƒÜã¸ä›™ù1�™¨Ÿñi´ry4ü¢E&4¼né×™•G{
T4ÆEWÒ2
ª‰æ½oïn˦‰þNµø¡åîû«×©ÞO¿ß‘ÜMÆté�P‚úG´‚wé¼ÝH˜±Cµð,#}¢›@`ØÖ¡œÂjö.@ŠeE¾¤¥ÊgC€ÚÝ÷ãË/®Ý†°èznýî’n3ìÖ,D&çïéEßæsÍ÷»»„"nS4D­ÿÑ
-òq–eo>Õ¸9B½ókØç¾8ö½ºÔx±5•¿ôŸþ–ýð¡¿Jií±�a˜J¤Ìx 
-âLŽ¿õ°‰¶P"Œiÿ?
-endobj
-1986 0 obj <<
-/Type /Page
-/Contents 1987 0 R
-/Resources 1985 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1984 0 R
-/Annots [ 1989 0 R 1990 0 R 1991 0 R 1992 0 R 1993 0 R 1994 0 R 1995 0 R ]
->> endobj
-1989 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [397.3443 737.7676 467.1586 749.8272]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1990 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [321.49 695.7982 382.69 707.8579]
-/Subtype /Link
-/A << /S /GoTo /D (options) >>
->> endobj
-1991 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [357.6499 593.8005 436.0651 605.8602]
-/Subtype /Link
-/A << /S /GoTo /D (man.dnssec-keygen) >>
->> endobj
-1992 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [455.3558 593.8005 533.7708 605.8602]
-/Subtype /Link
-/A << /S /GoTo /D (man.dnssec-settime) >>
->> endobj
-1993 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [317.0267 306.119 385.6987 318.1786]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1994 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [356.8967 276.1048 430.5501 288.1644]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1995 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [432.0945 246.0906 500.7665 258.1503]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1988 0 obj <<
-/D [1986 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-614 0 obj <<
-/D [1986 0 R /XYZ 85.0394 231.6054 null]
->> endobj
-1342 0 obj <<
-/D [1986 0 R /XYZ 85.0394 206.638 null]
->> endobj
-1985 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F48 1253 0 R /F55 1336 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1998 0 obj <<
-/Length 3395      
-/Filter /FlateDecode
->>
-stream
-xÚµZÝsÛ6÷_á¹—“g,†ø$x}97uÒ´×ä.ñMç¦í-Ñ6/©ˆTœÜÇÿ~»ØJ”í6½É8ÁÅb±Xüö§)ü§Æ&6—ùi–ëĤœ.V'éé-|{y"˜fˆæ1Õ×W'Ï^¨ì4Or+íéÕMÄË%©sâôjùÓÌ&29éìù›×/^½üûÛ‹³LÏ®^½y}6—&�½xõ—Kj½|{ñÃoÏæÂ1{þíÅ_¯.ßÒ'Ë<¾~õúêÉéq„éÛË—o/_?¿<ûå껓˫a-ñzEªp!N~ú%=]²¿;I•;sz/i"ò\ž®N´Q‰ÑJ…žúäÝÉ߆ÑW?tR"M¤²rB�RN)Ðä‰URy®7gÂÍÊ®lzP‚ʲÙÕ]‰Ë‚Á"ì™
-�Ã�Ú®—E_Î×m]->3u<•5I–g9Sw=¯`Ð^&gmSÆ–š•ŸŠUÕ”õ÷0±ïîªÛ¦Ü0ñ
õôº*»®¸-¿‚7§£íÖ¯cQY±\òº:"¨xŽ¦íQÜÓ¹�*ÉQßs!’Üé%¥Auù±@u a
-Y’+é<
(‡hP€”س +s¾,NSÙ”Ë	Eæyâ´OW¤Ë¤fêÍ™›mkžûþ®ZÜQsQ4Ô¸æoÝ}Õ/î`~ÿÖòWèä
¤8Ù®VE3%§”:É´rÇ=�«<M´+gÒ‰¬ÛEQ5±à—ÚÜ0?06™ç³w^Ъ¹…WP�—Tä Ÿ×,ôì–/UCÏ‚ÿjþ°(¶˜Ñá*Df©u°Ä¦X
›˦T"¬Í˜ªo‰ëm	f«MzõîÕKjÁŒ]$~_~f²fI�u],‚Üý¤üh$uyNÚ”J&Ú	16Hâxåe‚gQ×í=wÝ=µhr#*Ú­@Æ
Tžq¡`f“~ý™º—åM±­ûsæ¨I8jW¬Z=2�,O”�Á@ž},6Ï6Ûæ™×ñ3VN‚¢ê[“h‘I{¾“ÔëB+°=5Ö„_£©ßCly±|ÏÏ`«ÞìæËeÓáõ{åaÃ/
-GLŠú¶ÝÀqXÑkàôíÏçï¾½�Æ‚LJÚÙõ¶xt%5?õ¶äE€d¿hTÛívS\×å€Ñéà#hÒ°Ø={Uy’š€²¬Ã9HÍ»1
 ¾Õƒ"Yê$wb‚¥×ã!C—&N
ÓOcƒ€�7™>ä	j�’1OvG°]÷@Ü�“¥×墯>–5¬Óˆ„H⬶c
-H×/Öó®¬o¦ Q$JŠ�Ló’��™@bûVe–%³K¢¼kïË�´ŽÇQ^H‹›eÁN2ZPvL²‚xÄc'~}FN2QwŸBê�%J	;Þ<F‘Ó
-"ôç4ŽÝ:Š1>.£Inö>qò͈ù©‡ôc1ÆW¼-©…NÅ¢èÌ÷ø-E"öžØŽ¼'€Ë�Oð[Á1Û÷—ÿ Vù)DRøæa§¸Æ0Ïé¾ð\pø¦d¶Ý]±;(hÉ„ýùÑS®tlø†ÊÃçðyÄVÇlyxÇ@æa%kÐ*º=v�ÌFŠ×ò5EžÕ¨`ì‚�ò�XcЯ·(ËŠ—)Ò(w»v”
ËYSÞ¶}žÆ²¿k—Ô&©°u͹÷Ëwïæh_œH‡ò4Á ¬:ÆM9+˜a|èé�Rzuà4Ån«Dnfß—›kªDµõ€§oÕ|E}âsA
-—z÷~GÝEHí]Œs.Klž†Ôþ°ØÍŸ1ÜK–íª¨š?L¥ô)d¢¹Õw$›|äQ5¤†*$§ƒ:¹]fu °ÇXÃu)�h§³½J
-:p»4Žü"ªXù:
Q4€jºþ'd¦Dçc_èüæõ»iV¬l]4ˆ¸žŒç!>ı›ËBÝ€òÙa–Õ¶î«u eÍTÆMX÷Õ¤n!Šv(Â> \“&JˆåŽ�¸“¾¾¼ ‡ç¶E=òød$»L�Ãz,d¾â¹ùÄ
-‚ÆžL•š2På¹÷›ksÔïª$Û%Bç¼l1 e‚UwŒ‘‰ÓJ<•É´½æ¥O”U ár6*x©Üìª+ãšMr�ŠHÄøf&QÙ°ÉÓ‡ô­­vO0
„™Ý3.É�fMæƆ7öóq<ñã™�óÔ,Û{þÒrî6F®]šYÔœ-z§³ZX!æ—ë²n›Û!��—˜lPë
Oc�PökRrÌØŠžT
-œÊ+�N¤âÎ#Å6¼„À{¢ãV†:ƒ>ddùOfÅà5U×Yâdš=Y¨éDKÓ¿†–G~ËI<`„‹ûò…=Ž3i{®3	‘íEå_‚8£Jî¯FœGø=†3"Éž.ÜiÖS6!âô`’õ“�X…
-ÜãªjZà¬!ÕrAüòS_nš¢>ºN;„C{7Å"ïÿ�Jg­Só”»b¥]’¥ÙÞ]ñoÁ:£ÐQ	h\
-¼¸FŒY͇EÍ¥‰Q©n¢GJÄœ\ƒe–%i&BHpý¹TÁŠ/?‹~Îù«Â‹ßrU`&€å-ë þ÷i!~B-|ªøBe•ñý1v…É÷«ër¨\Rj·—�É—ÒíBTíwÛ¦/›P=�=Û¡’0±Ü¹écÂŽÁ‰Åizl\Ú€Ç9(8Ú†/ÛZ4"•:÷ÿ±ù�>b-oi…}ÔŽmæŠ/
-endobj
-1997 0 obj <<
-/Type /Page
-/Contents 1998 0 R
-/Resources 1996 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1984 0 R
->> endobj
-1999 0 obj <<
-/D [1997 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2000 0 obj <<
-/D [1997 0 R /XYZ 56.6929 297.7942 null]
->> endobj
-2001 0 obj <<
-/D [1997 0 R /XYZ 56.6929 285.8391 null]
->> endobj
-1996 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F53 1328 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2004 0 obj <<
-/Length 2363      
-/Filter /FlateDecode
->>
-stream
-xÚÕZMsã6½ûWè°i+Âààm�{ÖIÆãU¼µ‡l”D�X#‘ŠH�ã¿Ýh�¢dʲ˚ªl¹ÊßÀ{¯ Ä€ÃŸxøJôÀ%š.Ì`¶:ãƒ/�÷ñLÄ2ã¦Ð¸[êÇÛ³w—Ê
–Xi·w�¶<ãÞ‹Áíü·áûžßÜ^LFciøвÑØX>üñêúYz¼ÿ|}yõñß“ó‘ÓÃÛ«Ï×dž\\^L.®ß_ŒÆÂ
õelá@…Ë«_.(õqrþéÓùdôûíOg·í\ºó\áDþ8ûíw>˜Ã´:ãL%Þà…3‘$r°:ÓF1£•j,˳_ÏþÕ6ØÉ
UûÖOsÁ„4j0ñÖî—úàÐoLzŬ·ûÝŽ…rL›b½fJh×nŠ�MZ1¯”8“0«¤
-»ReË;\šw—Rv
-;Ω°{,t»È+XøÄ
7#?¼_føb‡«´ž-²˜ó°È
-JÕ‹˜_¤«ŒLÓ,/¾�ñ~=OëlNö�°Œú„Õa‰12t>+‹:+j(¤¤–wôŒ…ß]Âbn‡m&…pqØùêåõcÏüŒ`\'*ü/ç2[ÎQJÂlûšÖ°Ê^75ÂÔž6+*Ùm•Æ›Çñç_Šr3~˜Í³…©kæ±å�YOïk¨`Í°Z”÷¡HO3|Òä)3¬0¦ÒŠžýë"4gÆ
-œŒ[±DpýŠ&©†zF™-gškuD™­3,ÑV´Lªî§/g	®°gXùac¬òU¾L7d´÷l(tª¼|žÀÒ2�ØF@²?gÙº¦êEZSë0Úy¹Jó"v]Þõô&„Çõ­^D_Ð"gY•”
-„�gô+Ï@¥³oÛ×}¨¨“BEáJëcH1À{e|»†9úePQ\n¡‚/�±…
-¾ôCâ9côQ¨$0×=¨„6T0UËÇØi4!§4c!5KœÙs’Ï`•‹Ø™—e»§Â	(¡sæ5Á^Sã NŒ³Ì	 í H�'Éôª¿"ÞóNmqâl_ú5‹ö”ÿš=/**²Jg‹¼È(w½É‹Y¾N—ôŠÊ¿Jǽ1VúÛ?&ç¿|"g`

-w)ABm[E+º4†ÂdJ‹9ÙÚ�{‘¨~Ë6!’‰!EÛ8#�Ÿ.W”Ý	2 ùy0·CÁ—è·1I¨jʞ䶌6�~}¬”o棔£ D9Š÷T&Ïé%°ž;ÞÀ…	µ{#…½Á<)(!žÄƇèÒâÛÀ½Ï—ä¤| KZsÁÆÂÀÓµ|iäéÿ�4J
-"�’¼ƒT°lÀ³
$W° p¥¡–¬éIú¿ÏŸ²H›tÈ‚o�,˜h‡¬%=¦`º#þ=ijž4þi§ǃZ(g…ÉЋqQíý–:h¤˜Òïº&P§§ÿg)‹ µ/Š¸_Å£@OË£“úø	kŽñˆ{fœ¢˜ÿëfj^ãyà¸Ú	QÂ[¤QH§ñùs¶™ÒA­l²ZÄ…·-—z ŒÌZÀIó]¬Ó%’—Šˆ„‰-=ñü’_P2¢‹ —z
-7Þ~|¥ƒâp"kf¼LN �OÙœT�ñŠb{D�A!˜–aëR¿J‘•10ÆÏÉP›LkR6ônÆB%•	ÞÛ›HO)/-Épƒ	;ŠlVtúDi+¸°”q wq`*²ú¡Ü|%s8‘ƒñ@­Y¹‰r¼.‹yü˜åAN¿i*�Îû#üFÄY{ü c t=+æ¾ëÛÇ›-*pý+™p„øüp}þ邲&“*««ÝšÓ^çTêrOÝiˆÀU�È“%;¬ã’sf¹'ÔqyJxÛkyrLÇ…‡øÉqRGòHeÝwÐñnÓÏè¸0Šéä»è¸x£Žw÷æ/®ãþ’«�*NZÐq�¿=¡ØgÿG'¼Eç›â²ýý�lûÎLJ½V\3ˆÆÄ@†máž
-nöwÍÀ®ÁB¸¦Xgìÿm¯³ºendstream
-endobj
-2003 0 obj <<
-/Type /Page
-/Contents 2004 0 R
-/Resources 2002 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1984 0 R
->> endobj
-2005 0 obj <<
-/D [2003 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2002 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F53 1328 0 R /F62 1379 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2008 0 obj <<
-/Length 2887      
-/Filter /FlateDecode
->>
-stream
-xÚÅZKsä6¾ûWôQ®šføÒ+{š8vâlÊ“mwj7¯ƒ,ÑnUôèHj{¼¿~
‚TK¶lÏd[S5A�
üÀ¶Xqø'VaÄ¢T¦«8Õ,ä"\åõ	_ÝAßw'Âɬ½Ðz*õÍö䫯R–F2Zmo's%Œ'‰Xm‹ß‚ˆ)v
-3ðà×Wç§kòàâòG „Ò¡ξÿÓö|C‘ýæòê[â¤ô9ûpuqùÝÏ›÷§±¶—®ˆ½9¿8ßœ_��Ÿþ±ýáä|;ª<Ý–à
-õýëä·?øª€Ýýp™J“põ
-sk:š~ØÏË˾ljµ·Ôý°3 цÃ
-d•j	”`iÓãäVQŠ‰Œ>wå½iˆ<ì‹l0D£VÊõ�²­"3uÛ0»Ÿ¯°E]u˜5(Õ@Cœ¢¦ÈËÛº>4ež
esG¬‡rØ‘ÐàGÒìD£¹±³ß›|=_�ÎMù;ç̺Ž¥
-ʆ¾8•µ3ÙÑÎ9)×Þeaš¡†ŒK)œ ] *Þ�®-HK\ã¶íêl ÷‡ß‡]™ï�”¨8ùA$@ñÜH¿K©iÝYlbÜ
-å–­Ú<«¾^؆
-Y…¡Ûg`¿ç[�°WÁµß¬ú‡©À`éNE,H‡,�¹|cf<gQä­þ	�Å��VíÁ†hèƒÜŒš?_]þgíì¢R–ÀÉŸÙ¥hë}¨uômþ§ Ñ¥\�B~vèHóf¨O…
lI§±Ý�µ–5«lþS@´
Œ¡yû}Û
tŸFSmò]Ö”}Í`E±ßó×ÁôÎ/´=&ök×
âxN°5F2Й3»mô°	¤Â ½Ç“;›ãh%¾l<‚dwH{,‡ì®Ëjפ£eOóÎëÛ€=|ÔÄþz!1âhnœŸºvhóöq€Þ”Š°ÑêÜÒè+MäÍã`úwäðùŒ´¡Æm÷çQ˜¨¶+L÷Žè¼N·MaýbIç‰%CU¦¹Ã½/«C¿²ôsß“
®Ë»fºËæPUkðw]6”íè‡ì{Tó
-²þ’ŽŸ<Áöì'×Ѻ|q®¬(:Ó÷Ÿ©ÙãeiŸÃãÞ|æ\ÿ4�_¶ÉžÿBÔÐþi\T97¾0ïßqêâZÀù;ƒ§­ðÇT†ß}†χȓä(”t2æ]{F¡A‡ŽòÀ¾*MO�tN#{'»Üèf™íùÜ�C×´1
-Å–.ðJÇí`sØáµH”!oïñ¢FÆ5p¸×´nØce€PA=ã0Èb®”æ«ÛT—¹¬XúoÏžÂ^ÆL‹4^M±âP¥¦
-Ø€û6ß×C†›/c>æf?{³¹¾üîÑW׎¸þð~d�Ÿ¹‰š‚F#K-óÓ”n™ày†šëÆc~F±ã‘:Ðd° âxÖòêPP€Ä[ï¯~!Øe�6�Aã�;MR·SàGÆ�Ûm%›âÈRï–N¾ƒÙÛqèXZ¤�gw,J2¦j†úGÁU;¸>—&@
-?´%Na*㧣í©Ä%÷Ü¥ÛÞõö€ÖJºüì’Ì°gÉSÎà3àæbÈ%¹c(â¡Û¸‘Šѹ‚-Ëw¾t+ûa„|sÝ*à6V¯B3¥#‰‘c±YA%þ�â
-K„_ÛÆ­~QVæ8ÔïÂUœE±‡2áO#1¤‹Õ>Rp\t,ü~§é¿w¾XõêϽ
-*<yXñ ¿14Åfã–Úe÷núã¢ÚÛ%›%<ëý]ÖûÊÔ ìãÛçññ`|{uÍÆ
-š…pˆŠ=ïRú,Š�ö2@âÆIcþ£›-%`‹k•nq ìâZ,-®ùtq›fDlSF´=ôÙgÝPæ<“¶íì¦	.âœy[ïÛÞOà×ï
Œ´Ð[„øR
-–Üî§#,†m§Î„©^ ÈmtR÷¶¦[
¿³"ÑCih�	’cÙ ¶BÆOÄÉÎi°wö2ݽ•tíZY)˜©:,¶­ÛôhájÂk½þÀ/ìÍiñ%ÉÝ£"2Ü	Ö÷�éî�%‚ˆ¡äìÜÕ1Yª¡ÜWn¸µ•t6AÆß©I7*·ʺü¯‹+yèÐ…½[l”43<÷‹w¿Ïû3üwý	NÃÇÂ>“u7N˜ÌIô�îìJŸaЉ]�Oè�kcž�ÀX"À°°sEöÕœ:»»›	Äå×Ó
Ï!öóy훃É�Á컿d"bB=Ó)	
-…\º6ùêÍtÿ©#pü;	PH%‰\Žw5ƒ#üÁç²o¾<zö'‚3©"éÅ&ºÿŸéj2endstream
-endobj
-2007 0 obj <<
-/Type /Page
-/Contents 2008 0 R
-/Resources 2006 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1984 0 R
-/Annots [ 2012 0 R 2013 0 R ]
->> endobj
-2012 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [312.8189 175.0606 386.4723 187.1202]
-/Subtype /Link
-/A << /S /GoTo /D (the_sortlist_statement) >>
->> endobj
-2013 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [406.3277 175.0606 479.981 187.1202]
-/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-2009 0 obj <<
-/D [2007 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-618 0 obj <<
-/D [2007 0 R /XYZ 56.6929 385.3709 null]
->> endobj
-2010 0 obj <<
-/D [2007 0 R /XYZ 56.6929 353.2653 null]
->> endobj
-622 0 obj <<
-/D [2007 0 R /XYZ 56.6929 353.2653 null]
->> endobj
-1265 0 obj <<
-/D [2007 0 R /XYZ 56.6929 323.4096 null]
->> endobj
-626 0 obj <<
-/D [2007 0 R /XYZ 56.6929 266.7517 null]
->> endobj
-2011 0 obj <<
-/D [2007 0 R /XYZ 56.6929 244.4404 null]
->> endobj
-2014 0 obj <<
-/D [2007 0 R /XYZ 56.6929 158.1241 null]
->> endobj
-2015 0 obj <<
-/D [2007 0 R /XYZ 56.6929 146.1689 null]
->> endobj
-2006 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2018 0 obj <<
-/Length 2923      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛ¸÷_¡Gz&Âá`ûäØrâkNv%g¦íÝ=Ðms"‹®HÛqÿúîbA‰R,1©•©ã™`	øÛïD�ßèyøJuÏ¥š.LorwÀ{7ðîÃ�ˆcúÍ ~{Ôû˃_N•ë¥,µÒö.¯[kyƽ½ËéïÉñÇ£‹ËÁè°/
O,;ìË“÷gÃêI©9>žž}ø<::t:¹<;R÷hp:
†ÇƒÃ¾PÚHX@Å%þu>РӳOƒÃ?/=\.·Üþ,Áî÷ß¿ÿÉ{Søº_8S©7½'xàL¤©ìÝh£˜ÑJ5=³ƒñÁß—¶Þ†©/Á¤¹`BÕëδÛ•~�ïFR*–â>×>Ú1m"¯5ã)_!/ey¡óJ™ž3)³Jª
-?àˆ·æGœa3c+~Æ;æ�U]ø	vO‘\
dV‚ìoGO€ù*Ç‘E䮂AË [ÔE6ûf
ÜSt5×ø
-�ÍוBßEËÍ_R
òaÅ|Zк“º(Q!²¬ËØ}bžÝEêé6�æÅjDÜ[MOÁ϶XÛ=vàîñ-nŒ¯k%>yûk
-™Š‹fùt|ò”[zž|*'q"õèé4Ž Ž®²*§î*_<æ‹ ½R|ƒ8t­ßjp¿5"«í\X}Þ¶°ð’qÁ»,¬1†™ÔE{ñ	\ŸQ"9Z×k¾&þÔ3+ª:šÜMØWVøP$[
±rÊ­ýïË7&fŸ0kθ1]1$¦ÌjIòvɶr�B`öÀ“�ålZ­%YÓ⦨;É”à�Vä>ànÐUñ;Ðmm{_èþ„
-
=-ï²
-uþ§œ¯ìM»…ê0E\íÈZ(ì׋ìÕ�«ÔB°©º2Èð™P&š¢1f­Ò¬1J¤QGDj’Û¬º%
-µÛŒF4<Ä®ÀÃðnÍkèÈÃå,³ä!ÒÈí¦i�¯¯a^–ýf{
u!
-Aâøâ3Tp
ÅAN`aH(Á#C�µÞ�†�¯tÛŸú†]ŽÂו6+ÈN•Imøð³‹ñà8xé”N.èˆì"ÛjÍÝåõm-KŒÁÜ€Y‹±¯�•ª|e°–Ýw`®¡æ†OÈŒhœ^QEÖ\îâV†·Ì-ð)w�&Iz¦!Z'n�O†‡}Ã�ÃÐ6º,]PÍÉH*¬ÛÓP¹V)Ì1ÂÏ�²GèÛâáåwxøÝU§ö§î‹#?¡0-�ƒ@«ëDUqÍŒòdЂæ
-yS̃G¢u@½ÿJ´½�M©'ØPF&€oM½*ð°H*Ÿ\=Ô/åU]Ì¢û‹¶¨[5>û€uiŽUçÎx£ZVÌZ½ºRµ#—mñm¿•å½úKø,ˆEW
-$šÚ��A½qË"‚Z/
-Á�]’µJ½¤â;˜ÑúÌ7\b–Z0álWî%!‘ÄC
-B‰bFT#ìôD²Þœvã„eÅ:£1’ªYfy/	èèC¯w8¾x:G—Š¼X^eòt`8+Ÿ‚ÎyŠ{Ø}•×óă6x¦ÛAðí3µ´Y˜FçøØ‹3@�¡r²Ì:"@5H|g2—:ýä[ŒÜ—mý	Ú,R!­éŠ|$«©–d[‡G—#¬ñ*ž	xt9ç.Šú¹IéŠ9ð/LýÀñE*v ÚÞë~‡ö©LsÞå®$«©w$ŸÃñÑ ê|¸£êÕyýT.¾ÄCõ|ñX4wó²Édu@‡(oàxn
6ßq¢½ñý¦Ï{
ÿ…
*å]¥máãª�£
ëã=-å–Òša™º¢

ŠŽ—‰&©|4!ª)€ßcÖ„ZmÄz°Ûn´?ï
0ž2kÓN)×)R¸È†Áq¨ù&&×
²Ð.Ãfz÷> …Ô˜îUR©?L˜x*Ç…K±H�FqjL
-€ÊvÅûOsä±–�÷Ðàþp3Ø“Qƒ§°õÉå(‘Ëöˆ©‚.3®RÖDä_‹ªÞ\ï…
-an<Œ7^ºfXkïÿdûáendstream
-endobj
-2017 0 obj <<
-/Type /Page
-/Contents 2018 0 R
-/Resources 2016 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1984 0 R
->> endobj
-2019 0 obj <<
-/D [2017 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2020 0 obj <<
-/D [2017 0 R /XYZ 85.0394 671.961 null]
->> endobj
-2021 0 obj <<
-/D [2017 0 R /XYZ 85.0394 660.0058 null]
->> endobj
-2016 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2024 0 obj <<
-/Length 2982      
-/Filter /FlateDecode
->>
-stream
-xÚíZKs㸾ûWè¶TÕ‹	09y=öŽ÷áqdm2•Ý=Ðl1+‘ŠHÙãüút£A‰ÒH”gÇSñ!å*³ÑxèFèn@ô8ü‰^œ°$•iϤšÅ\Ľñü„÷î¡îûÚšFƒv«ïF'ß^(ÓKYšÈ¤7ºk�e·VôF“_£„)Ö‡xôÏ÷Wçý�ŒytqùPBéXFgïN¯GçCªHBÓï.¯Þ'¥ÏÙû«‹Ëïžö�ŽF—﯈=<¿8ž_��÷ýpr>ZO¹½,ÁÎ÷ß'¿þÎ{XÝ'œ©ÔƽG(p&ÒTöæ':V,ÖJ5œÙÉÍÉßÖ¶j}×}bÒ\0!cÕ
ƒØÄþ]ú
¿H«Xb“ÝŸž2
dŸXÍ”Ðf-{)[²"fÚšž‰S–(©¼ì¯nÎÏT •¶Ñ/•›ôHå}ß^Ý@ým^Q±.é[¹ñjÙ6r³§¦Ã$gµí¦YMÔpº>æõ”¨¬@MôŒfiK8›ò±pK˜�Q‘ÍRÒO9}ÆnYgÄ“ëVZÕnù�͈?)Ã(eM„û˜Wõîx8¾=ƒÿ”."N`ž"ZkƒÒ#­
¨á�¾õÓÂá*ce$â/¨P¹"t¸+—ÍÐôõ“lOƒL"/îq’Ü/v¼²Q�“üǾsËŠwþ·Ê9”Dê[ŸÖʃF<'|Ãì`vU‡ À–\±šƒV@`u^Ä»]ÕDø­aT4/×K/VµoŸÍü�&îãÂUþàöýœ”r[ú}â§ìˆU�^qW MJ
"Ôòh<ËIÀž™…aPŒ¼uÕx™ßºÐ1/öÉ{xqFp‹8f»P¡cÃ@®¦×6°/3Z°¦
-Æ^½6/_xÈòYv;Eœ~WÚ‹[ŠÇ
-\ƒ?ž©ê–¿L/Uðä7=«šs–HQu,W0Žî‡¡Z¨ `mSÂ	Û(˜x(Qün£=µnÑ·#l
Ê£=„öHýퟋö2Õ
Úk-ƒn�é7nª"0§û¼À5#—4õW*Ðo/fÙ¸étûD_:
-Â0{$°¶èg
ø.]FÓÚ�_¶ÃwñQ½$>Æ&aFXÙm4q*™ŒÓÔËéz4D¿S¥Ñ)º1:Z”~R�#
ª†ã«a.²eMTyšytbRÎ3ò±tØÔHUк· ì·npØpºUKïPQ{í/…k_ქ2Ë�=¢¢¦ Ó„Tô
Ž-ØŸÑ59Cù-UZͳÅŒ,”n]ýè\AVJ"< ñ

-hZ.ÿUÛ89°�an,Ï»>Ývü /1Ƕ̿L�_wk(NErÄ5&V$oŒ±MÓ–1lƒ¯ŽôŽ%"«±D¤É™4!!`À^;“‡�²ÆÁT"Þq0!ö&Ö°@–÷h€µF‰7PV"$ AUç>P„6+œÑž-@Û´
£þÆcÎáŸ8Š×ÕÆ9
Áa�ã,:6MK/µi¾‚3¤�R:>âi©™µ†ðäæý)y€—°¼ü7Î¥÷†ŒØœŸUí]TßÑ7£&mU„€þ©/„ˆü™»…ðØ&gy'Âw»§í¥¾âSUY�¹Š�¸@à>²ÔZ÷Íõš±j›±æ6ªû"B… }㊉‰�¾.gùø‰è‹%	
e9¦cZN2¼Õ ‘ö}îó,Æ�Û4#rãB=Ã!¸·‡U×–É+Ž,T"ÀÕ
¡tª<JÆ“„¢›a?Ž£¿c
-‡ónXpÌn~]÷…L£7!YO�
-¶hCDW«Å¢\Ö�nßåU
ŽÇƒ‡ƒl‰æš„C€n‚ÇÊ”åÆ‹òƒŒÑiˆM4t­ssøXE¹Eø~`Ø©Íq…Ý€Ìðt' ûÓ¹¬îx¬µÖ—ÒÈæ^ýØE=ö1Üì\Ôÿ¹^ÍD˜ÊH…jdÜl_ðrÑ0hS�HATL
-øšGRI¦eH–�¦áN뮜ÍÊGùAÊß^€47=
“´~
»Œg*˜Úmý‚ª}P;ïͯa´*é@»½àºçÒ
N@*µ?*�õ�Íò�-R7€Hð/»;dm‘*IÄÿJ¡­ÈóÏ:Éc¦ÄïRò�;D�\^õ	^­õ~‰7`ÆÖµù•—:±¾B²MFëcQ’H–Bðê…qöï?
-endobj
-2023 0 obj <<
-/Type /Page
-/Contents 2024 0 R
-/Resources 2022 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2028 0 R
->> endobj
-2025 0 obj <<
-/D [2023 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2026 0 obj <<
-/D [2023 0 R /XYZ 56.6929 229.6198 null]
->> endobj
-2027 0 obj <<
-/D [2023 0 R /XYZ 56.6929 217.6646 null]
->> endobj
-2022 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F39 1173 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2031 0 obj <<
-/Length 3019      
-/Filter /FlateDecode
->>
-stream
-xÚÍ]sÛ6òÝ¿B�ôŒÍ#
-D4Ë×gÁl	}ß�	sé]ŽG½¾?ûË�JfÚ×±Œg÷#Z©¤©˜Ý¿xWõÓýõüüRF�ûç—Qx¯oïÞFÓÏÕÛ»›Ûï~ž¿:OBïþöí¡ç×7×ó뻫ëóK¡ÂH
Å$þýöîšÝÜþp}þÛý÷g×÷Ëãm‰@!¿¿Ÿýò[0+`wߟ¾Òi4ÛA#ð…Ör¶>#åG¡RS�½;ûÇ@pÔk§N‰)R©¥2™�“”SrŠ´+©¬œ6Ù¶£ýüDÁü
Iÿ½„ ®n•
ƒÙµ[P—eÁ¸æá¨o{.R¯l›Þ9c¥©—e›oÍ¢,|&ìèR$¾V2µìÝ#ܬˬ¶sTÙUÙQoäÝßÿ@䯬
-j˜–z3mÖ<¼2kÓ²©éwÕ츯¡UB/«	3ŸS;Ïxì‚É|(7LÅÔ+åY¾*Á`âTÁ´ªÛ¤ðuI»É¢)íáÕ�%xÙfS=®kÕw«fkº¬3�%uY—DÞ§¦.Û¿�_†
-p÷1ñ¬j™J¢ dÓw0<Þ¢çµna’®Óá«rÅjÞ¦©LnïÍöpsäˆDE‡–5�I
-Ö*àHošU¥•—µ­YÖ–9ÀZNt¸§‘kS›¶Ûf¬fQ¨Ã…Ú­Jbú€Œrrtiê¬+[Ëšôþµ2U9¥¤„�N�
-äº%ÈšhøÛ·È;B¨6üE†×æSé&ä(¿li°0œÑÏ'b·–!`CØ•Y˜®�¢CÞhÚmV™ÎªQÖ#á÷¶îÊm]Nà¦Ü‚×Y�þ©¤ôÚ~¹,ÛŽäý•-�@jyðªé­Ë
¼ànëV4ƒ–µ¢Üró�~‹ì‰©�ÇSº§�ɳŠ«¦í0ËØ»å¹ý䫬^–S¦G+5s…òîÀ`7 î$§ÂÔ-¦Ù
x6‰dZô¹µJ@l¶†xÕä›rD†™uê‘`ËÔyS·`Ãe�?ªè·äS’T9¡!¢{A!“̆¢lMPeÝ“
bŒÍò<¬áA.r£²Q?fU_:tU5»!21œ?ŠÏÉ>>KÈ‹äRa(’1‡D$BµeÞ™¦¦†µP7oi¦i	‘gÛ­±Û�FÆH^%oÖt\¦"*ˆÝ>ñ2
-ÖM¬™RѬ3Çd�­Ñõ'$~ïv?ÇL—Y«·Jp‘ÅJŽ¿÷eÝaÜF\?h"ã)¿JnƒŽØ"|¨�¦[9�°0#æXoîÞYv!·‹Qnæ•ò…àêëáK(_‚ 
-†¾¾úv]=½È¤ecÂVf¹²Scí�»6£vüCnÜ‘®íÔ6ŒÏèM‡¦´åöÑj°
ÿº2©Âðu*N hÓö%àâc¶ÞTÖcí„ðhŠãEç7W4ªÐðb*8bô xwOUÉ D©*ÛRï`þ�Kmˆ³Åü®3ˆb</Ë6v%0Û<Ïç‚a)�ydçe– TBœì˜šMðò	ãØʇ&˜vJ�6«a�#eä­Ìh–&zd)ðƒë×Z¿¤;ì�(R•„ªLmã°„j¤‚Š¬_®¨y5uïBLá-�£…@m
¸Þ¢âeû–".vð°Ú&ÚötE,cš£Ò@Š}Ê™‰²+#$½%‹íQ/l“ìobæ|îpË=ÑqäE¨˜˜äÎt«Ñ0謲úŠ”ÃÙéÄʆI@Å×c5:U:6î´p[ò¥QhÝŸPž�@ØÛMÓ·.Êù¼Fn	tº:ŽìÍC7ʱU_¸ në•ý	'+²…�ºëÉÆÚIÍÝìÓ+ú69
-ö×há¸Ô*ñÓ(Ò°y
wB‘ðöÝ­ýæg¼ôQiàýøþü2Q‰„ú0PƒÿóúîzþʆI4ZI¨@¢£µÿÜ~Pr`ƒ{3ûšJ"?J"5-!j_†�õT¢}m%ô\$¯Þ9-�ÑJß°<båÇ2Ÿ³˜8ñe“ZVë`7­�2’©¯}`Iž–­)¿qÉDü7úœ¡D‘/#[Á2€5@Ñ"Øÿ†% ´Ÿ
-R‘Éi©Œü†Å"?‰Âøs–
 Ü“‡–á¼C�‘O¾¢öO0ÿ�T' ªPë
-?Hß‚ž½	© öS©„ÐX’äå7!™J êÑ£‹T6d+RÑ€ˆUöÈ]tKú¬Ô®¡ÔÂÆneò
å{O&E7ÀŠnqCOÄ—û`
¨º_/è¢Xñ�$]½òƒ€›¤†«9ìÂû•—/ò²¢àB¬=ª…ì©gTÿÀѺ.¨äéö§4è†áð&o²£’JIÚßPãUü1ɪ߈OW•ß¾ÊcnZóqØš+鈎ì횣};ÆË,_Ÿž‰§Sw “Üwt�ä.@§
-Ò²|^LÊØפоŠ…ü2ÓÈÃô—“_#ιM]Ê ñà >ý•¯0úKë@Žàû÷þWïüo﹤G¦#–Màeq$l"À¿0|cˆ�GKÿÙ¨¿vä#tä‡Qp"=ÊH¢ÆôˆA¤JB~Ü‹Bx{I!òFpR&ãå¾’Pþ—¼ðõ­V@��º¼ 0ôeyA@-š0½ó‚€<CÊåHdÚ—ãÏbFA­ÜGJz[8ô€DúB�‚ƒ	ÓŸx‹H¡èMcÁÃ/NÅ/Žº…y@.Jw¯:Ü8p°µÏ(C¶x
-WT…žSÜcÊÓæýÄÓ	æJ\˼Ù§žQ@¬qBqý•½…“û °©†;4¥÷añôjÀs†·ê35¥!ʺПñ¸l˜KÏô1_¢îù]
-ö6çKµÖò!X¾ãÙ”Ö§*)÷Ù«)z×Vöª­3yolÛ”öòFñ³~¬0Þ‚�ºhðƒ©GÅÝÇ
-@ø×–$3á^€ð~é‚®ÇDš?¸°ËÙµ“/%BÙhü$ŸtÂEà[cï½°vøôñDhûª!ìÓÞ1#Ê
-OHGÐ~WMûíƒP¤4AÅ�°ÏßÖ&
-ô’H‰‚8„ç(Q5@«œøv	?8šøÒ(˜}6þéwMûo»BˆZi*§Ã�
-BˆiZ8¦P"ÐǬ_@=çý¿	Pfúendstream
-endobj
-2030 0 obj <<
-/Type /Page
-/Contents 2031 0 R
-/Resources 2029 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2028 0 R
->> endobj
-2032 0 obj <<
-/D [2030 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-630 0 obj <<
-/D [2030 0 R /XYZ 85.0394 622.0858 null]
->> endobj
-2033 0 obj <<
-/D [2030 0 R /XYZ 85.0394 597.3835 null]
->> endobj
-2034 0 obj <<
-/D [2030 0 R /XYZ 85.0394 411.8393 null]
->> endobj
-2035 0 obj <<
-/D [2030 0 R /XYZ 85.0394 399.8842 null]
->> endobj
-2036 0 obj <<
-/D [2030 0 R /XYZ 85.0394 231.7148 null]
->> endobj
-2037 0 obj <<
-/D [2030 0 R /XYZ 85.0394 219.7596 null]
->> endobj
-634 0 obj <<
-/D [2030 0 R /XYZ 85.0394 131.5008 null]
->> endobj
-2038 0 obj <<
-/D [2030 0 R /XYZ 85.0394 107.0349 null]
->> endobj
-2029 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2041 0 obj <<
-/Length 3197      
-/Filter /FlateDecode
->>
-stream
-xÚÍ]sÛ6òÝ¿B} g*¾H‚}s[§çNãä\ÝLç’>ÐdqŽ"u"Ç÷ëo» H™v’‹;­ý
-ù*ÑÑbÃØ€¶õÚÝ9À,Ë÷B¨°CYóN
||<
-§¤f·/›}Ùñæþ½hvD&’‰UgÂ=LÕÅÖÁéR!øt06ÀeÒá=[šï Èíé“p¦ðNårCCþöÔ�a[‚-:xî]çVÀi:“ÌP£]ªæÞµÝÔ{ׇí-n®´��€ûžy®E]­q4�ºû†¦ùN¥ké»\üð[!xÔ€÷ð\ïI‹³­Û ]râ,[nšÖ3#ô÷@íf[=œK)£Ñþ6ªFìq„½;n©¹²ÔÖS~â²Ç[ÍÑîšzUÖwxÞ\ñ5¬‰ˆè×Áá
-î‚WØZ†Ù@"OˆÞ·)ˆÀ`““Ôž°tÛ6˲è¼5
}
–ƒßd¤À�ŠÇÞ‹D\P×ÓÚøƒaÉ
-ç<Þ“' upq7¬£š‡;Í›ƒøªÞŸ4r ûYsÆÎ’\�?iSOL&S¼l¶¨]48mWà5k%è� c#)Îç™`M�–œP×äYl™Ï'ùº»!e¦ÕB®,‹AÚiz
	bÀlà."N­6ž`§ÔÉu´§ŽúLòv~YúÈ—¤OšÄÒ
-“Ì€$±ÈÆ	†G‰•ÙØX<u"uœ%F?Ÿh0y[%É0¼&—
-k^A͛څS(öS`A¡I‘Ï´5qfäçhk�ƒ†™þ2m=½jàâÐbJ|‰#VœX p%ðÒ8Wâ	UòŸƒáÕÈl¦Hþ~}Ó€	�f¢ªðI!ðÉ‚¦™Î&ˆ£¦¥Š“8Ðµ»+8“Ÿ1xþ�	h±	ëÆÉIœCnF^WÏ‹ÑHž˜Ã“¤Ïï@÷˜›Áª-é…	ºu3»™‡\
Ž¡Ž¿þíÇ7¯/®®Cî!äåZ×NñüšN»%>{hñ”Ü÷R°->–ÛC£ž±–áH.1$×1ã¡©
iÜ·ÇŠÞࡻʼ¹Ìá¥ìðu†¼¬…µ ¼5àþ"”aÅ“Lþ‡�ϳ¬²1Ÿò9ßx%a0'I	8°Á4¦Uúˆ3DQœÄœžVœ!F˜®ÙшÏï«�¦†
ÒØ#íAÓH롆!1 ÖÁQÌ-µ¼ëÓ¼rëâPu'*¯çw4ü¡‚õæÐ�4]ŸKYž j]÷OôÔþºç;åó‚¡0?�çéó<!Lœ7"ÐÉ;àÛf:º,0—ªTB“*a��žN<)¡!ÒáwK-©2•°@ý£:„�²>�¼¹ñþ`_9Á±à'£BÓ“|AF®Tœ8ª81Tq‚ïÂêÂ�ä¼ÊgÞHÛ—â€Ï�{þK*sp»3¥¿4îñþ,<Øóq�2¼ÞœâÏŸ�Ϲ0HÕôßqˆXWX~b	÷@
A°‡‰C´^<LãÕPs¸Ûœ
-‹ æ´6QÆ¡
Ã<ŠGW5².³çëb·;Z8æã«·̧ÅÇxt.B¥ÅæG×ú@eiœE¥Mõ„(‰Æ	Ó*._ãÌј㪫·4:ªbhNkãnÊú>'ûìÁÁfÃÑV4Š?Žb•‹—Óƒ‹Pô>©Ïœ<EYÏýþ™‰âb¿+&è‚ž<	±j_²—�m½]ÜPç¤æþW¦Dt	
-ÉWRq-NÙªù�“#øéÑ>½5„‰m±rcL•7ºmÃußy8óÈ—jË»š¬÷¬T¤¹¬‘‡êy±"ˆÊ­»a�SEûònƒuc#²àYÂ(µ}PïvM[v\€”¾q2àbhÏŠA®ÀvÀŽQ*º
-¢’CQU\0½ß—Ý|Ê1ì\í+.ÖZ.·¡ØÂuAª·ø’ò—Iè '쩘¿pB‚ŠŒFä
Go0Á6/ïw~ CAæôás}¿ÑÄ•4ì‰Iœøt¹ObªÞÙ·
ÄË}l™ôãÇ[b^ü¢}ð�¥£éÇ5Åì.çR,ÿ4!Œísl(‡‡¡
-endobj
-2040 0 obj <<
-/Type /Page
-/Contents 2041 0 R
-/Resources 2039 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2028 0 R
->> endobj
-2042 0 obj <<
-/D [2040 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2043 0 obj <<
-/D [2040 0 R /XYZ 56.6929 613.3608 null]
->> endobj
-2044 0 obj <<
-/D [2040 0 R /XYZ 56.6929 601.4057 null]
->> endobj
-638 0 obj <<
-/D [2040 0 R /XYZ 56.6929 465.8716 null]
->> endobj
-2045 0 obj <<
-/D [2040 0 R /XYZ 56.6929 438.5672 null]
->> endobj
-2046 0 obj <<
-/D [2040 0 R /XYZ 56.6929 397.0946 null]
->> endobj
-2047 0 obj <<
-/D [2040 0 R /XYZ 56.6929 385.1395 null]
->> endobj
-642 0 obj <<
-/D [2040 0 R /XYZ 56.6929 216.4249 null]
->> endobj
-2048 0 obj <<
-/D [2040 0 R /XYZ 56.6929 186.4354 null]
->> endobj
-2049 0 obj <<
-/D [2040 0 R /XYZ 56.6929 97.1422 null]
->> endobj
-2050 0 obj <<
-/D [2040 0 R /XYZ 56.6929 85.1871 null]
->> endobj
-2039 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F39 1173 0 R /F41 1233 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2053 0 obj <<
-/Length 2117      
-/Filter /FlateDecode
->>
-stream
-xÚµXÝoÛ8Ï_¡‡{��—Ÿy86›:=/šd/õ^ÛöA±•D€,¹–Ü4û×ß�CÊ’£4ÝëD49Îço†d…?iE¨02ÊŒ$Š2­6'4ºƒµ×'ÌÓ$�(Rý¼<ùñ\d‘!&åi´¼ðÒ„jÍ¢åú}|ö�Ó_—óëYÂ�S2KTJ㟗¯pÆàçìêò|ñú·ëÓY&ãåâꧯççóëùåÙ|–0!³øýêrŽDç‹7óÙÇå/'óe/òP-F…•÷ÓÉû�4Zƒv¿œP"ŒVÑü „ã͉T‚()D˜©NÞžü³g8Xu[§ÌÄ#™Q"$Ñ)°=%æ@l¨¥„“~“ŒŒc”œ–‘‚§œ––î£ÀËÃŽ1«ƒËSɉLeÚ»œóˆ1b”âÖ熒ŒÁöŒ	04—Îç—ÖŽÒ•Jf	%JÀ:uW³$eñþóø‰ó€§d Zšjˆ--íÑѧˆ*�H4;]6p?.6<zÕ€FÑ@©À8rvJ¥|ÇŒg„fÐÉ$¬Y‘—÷ª•Š
-x‘*ÔúËÕõâõ«?â)!$M=]UÖE;K„¡qYã·önPÌ�¿ä›mHò�_ºµKÍlwÍŒ©øs¹.ë;œZ5u‡Û;Ï´ùs�L¡ˆ¡`’Þ§ ^SW�@Ïhü�óG–§±Ÿ_7ø­›ÎŠUѶ9È2•a{¾ÝvN0†Š² ‹]\uû¼Âñ¾Íï
-«d·”Ôûp
-бè÷…¥å™vºÛoY¯ËUÞ…Ùû¼#?5°‰ßÑâwWTyW~žqñì÷VeÛ� nÜxåïÊš‡´4IDÎ0�¾/C-(“š(9@Ò÷áÇ8éiš²CÒ³aÒ:e ¿5@—µ¼…f ”ÆW` ¢óïM]xœ.+?zUîŠXcÐEÈp(䟡’õi—p­ã‹L½Ã±g¥M|Þì6Σ0û�·8(ë²+óÊÆŠý¹.>PÊkç'·Š[¯ÏÏp
-„ÂQ^{š{deâvÓŸöEÝn7EQã¨øÒõºXÛ˜…ywo¥šˆIŒлWad�^—][T·~ÜâwUå­B,[{fíéAIìfZ5î»îÉ=Õ׎ßì[ÏìÆÏ4^€^î6ßYH¯$xMz÷O3O£`èm/ÕªÚ¯=˜B`
€J¡ÎR6…¦üM9´!H÷Ã+IŒf"0Z\ž½ùíÕ|‚“‚$Êø�Ú«^O°ä’¡³Às¹|ƒ†Hx
-µÍPH a U¥<äa>#–Á–?áçU4ï’¶¼«aÈ^΃w÷.ìG胑@ÿÂ:
-U~ST¸f°ˆd§kðŸ;ůP^Tk««Pa¯ˆóv[ì0
`n…ÙnÆb'æ�íO��ÛÇÍMãODOoñÓBˆ¶GÒ­ö;\tÑ;š]–Ç9sÚÇ`—ïºgâó�c¬nUñCH¦q"u¡‚³QЩ”pÊCÐý
Iä�Äv
½ãÝaGðÎ3A¤Ñ"’
-Teß‚Å€ÄZëg�¸g˜8:$	Ƴ”€d¬?×
-h½=¡'ÄØVµøûDÄA‹Æ-¬#…õômSU̓7‹�ÞŽ»¼¬\Óa­›ÎÆ™ÈhrdF&Cf¨AfðãÌé>./gÆÛǺ˿üuâ|
§³t²9SÃ&NfD0Î=ݺÙäe�Ì8::G.eˆ–÷Ü0Ë¢¬šÍÆÆû†1¢¥Œ>N™�M
—ŽÒ~A.C ¶…Ë@ÅB¢0¯š#(„e,?,~(±ž0_¸ëàl�ó”
~óúûúôp¥ƒ”5î8ªDÄök"À—åˆ;CÎ2ŸžÌåî®íSƒ*#P@Ö¹;Hùêæüt‹ßÜ-§q	�]¹*»©zÃ2ð�S
2Ê+M*øwA„†JCá¾, U…ÿŒ“!Ë	�€vM¨q=Ù‹(!�PâYMÉTI%™àâQEÔEÔ
EÁÓ€	jT2&ü—Qè2þb¿�HªIÆÙQ<…Â0rêƒ|P^Yeh[¬á~è±úâ2–P°Fú²„cÊ�ÒwûMßè•·Ó5Í]Àœ7mSí»‚L'[¸ÑJmq˜YàÔ#i’`¸À
Àš,ÈïÞ½ßXÀ>»<½°2Ƨ‹Ëäíüú_óëi Æ󲑹¡Ÿ.?çU¯ü©Ìt,+Oæÿ>½øõÍœœ]]Ú‹’Ž%>u
-°†HÓlxq!âI9
-Mãÿ­�ºÒQ	QpÁ:àÍ-´ÓÏT#Íú>÷Åj„
×�L§JõÅÈé<ÅÎÆUöß7|£’gãrv�€.ÂíKd1ö��}QÀßBjßßM„ƒXU‚å[LÆt`¹?Áåíò~?jŠ]Å+‹¯¬DLÈå–ó.,–žù¶�-Úh/n§®Lª{Ð|ÞMÐåIa<Y`?Ä$,žÔ¾6™ì™kh/ì
-ÊÛ•¿Ë‰,ƒ–‹êqŒ"(H<ãÆ®2D�4GXé+Œ}¿#¤ù\ì<•³È��Fƒ´È&qö>÷çmw¥»žm�À›”‘¬Oþ¯Ý‚
o¤qÕÔ«bÄÖ>6¥0Í8¢†�„/&‡oùš<÷:¨cŸÔ'ÞÒiÿÜôÝ/÷‡W-ë|­ùð%{˜ZözoXÊê¡~,ºš(
öTöÿ
-endobj
-2052 0 obj <<
-/Type /Page
-/Contents 2053 0 R
-/Resources 2051 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2028 0 R
->> endobj
-2054 0 obj <<
-/D [2052 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-646 0 obj <<
-/D [2052 0 R /XYZ 85.0394 617.17 null]
->> endobj
-2055 0 obj <<
-/D [2052 0 R /XYZ 85.0394 591.42 null]
->> endobj
-650 0 obj <<
-/D [2052 0 R /XYZ 85.0394 518.3317 null]
->> endobj
-2056 0 obj <<
-/D [2052 0 R /XYZ 85.0394 489.3118 null]
->> endobj
-654 0 obj <<
-/D [2052 0 R /XYZ 85.0394 437.3327 null]
->> endobj
-2057 0 obj <<
-/D [2052 0 R /XYZ 85.0394 411.1024 null]
->> endobj
-658 0 obj <<
-/D [2052 0 R /XYZ 85.0394 208.889 null]
->> endobj
-2058 0 obj <<
-/D [2052 0 R /XYZ 85.0394 179.8493 null]
->> endobj
-2051 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F62 1379 0 R /F63 1382 0 R /F21 950 0 R /F11 1353 0 R /F41 1233 0 R /F53 1328 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2061 0 obj <<
-/Length 1844      
-/Filter /FlateDecode
->>
-stream
-xÚµXmoã6þî_!
N*._$Rì§s'M‘uö·(n»›ŽØr"É»ÝCiËÅç»E ‘ÃgÞ‡¤YDá�E™$Rs)�’Œ²,šo4z‚µ›
ó<I`Jº\?Ïï®…Š4Ñ’Ëh¶ì`å„æ9‹f‹�±$‚
�Æÿ¾ŸŒ‡	Ïh|}{iÆãË_Ffã).HÏúóíä
-g4—÷“ëۛߦ£¡JãÙíý§§ãëñt<¹?Í~Œg{•»f1*¬¾/ƒ�Ÿh´
-A ”B¸öó‹Ùì©«²6ó¶ül:}' B8xJtÊëákÕý仢¨Åd*É‚;¦¬[o\’<ÕÌ3-̲حۤm×=’eNxšÞ�=h[‰óífcëä5ø"OE
-þ»]¬ËΊ¥X\ (NÛb
Æ•–ï
Eõäs�&œ¥*Í…LÎ4 XµhHO¤é±Ï¡>òúq¨m‹°°]“àÓö2w·p
p´ìevÊ$à%�hŒQ¹Oméûp�y_4®í»ë4Z¤Æµ¦j �ü}‡…ÛB¸OÆpÛ
—ÎÆ_EIy�ÌRJE8à;±Y¯š-2NrÊÏ-Žþ
-Q…áÄõaiÂx¦B¡­‹¦O#®Iž+Ý-³o`2P9:·_Ÿ½�u¯�)Äêÿo)ÿo•ªá¦C^«·vÜŸ8Q™ÝçpÊ5.·�jmkà2žcI­Áù‡ÆÔ¥ñ›\¡ÂˆœÍv爹A€×}¢»Ë’Û\­¿"µ(—–eér¾—n‡;5
Æó•ß�×K>ú­E…c	…SÀÉo¯þ}µŸ«�éÿê*xHB0·Â„”xI�ÊûÌÎXŸÙÑpAúŠô“©¬Nž×U­�nLÛ åî$°ôÊOv'_v%Gr´äççmÝzÄÝ#ïxÚÝüÙÔ�¿KCŽ¬_˜µy*ìEeßäšy]>žhrLù&ti‹im¿««)M?XgŽ^àC’ö¶cŸ¶÷ÓÛ›[x³I艔ØÛ'Üé»fùÚþg÷±„#ñO&8>Œ§¿�§düÇèý‡»ñyPŒ+$/p¸œŒÞûÅBû;l×¢pvØ(~.ðÞl¿!ˆ'¼�‡“u@Ÿz¬boXÅþW ~Ò=ìPÇ5Èwføø™ ü<P4™�~¸:×Ïù†¼žsÕ!VÌ;ì9¾ìиû™Âš·#¿\-�xÿŽßôÐMä2žlþnÃ?„Vx[®¼€Õ²)ž×%âA™—À-�9eõäÄdþŠ8<ü—r½îsç£?-Âósèðô]cM©½r@zåì.TÎv_%ÏØôçÐSìó®·Bº~>êÿ_]ÿrÿ0K|q�Bör¸š]ô¥Õy86�vü�âH~8Õ(òïhØdœìNHXŽÖ0¾7‡õ¹¥cP?hÿæN~Z$ïó`ÿƳEŠÓ"ÅùO‹<ÙEÐmÐ �òµÃ!3ÎßÛ§M÷¡ŸÃã˜Q)E¤ù9�r
|EÕ¿SÚ:Ò,‡÷>‡§*Íû~¨¤ûGÌwÿ,zø
 UDä9ïþ¦Ø¹‡ÛŸ14Ððþ°X®g3þêW[F	’¶Žîÿ
ø×WËendstream
-endobj
-2060 0 obj <<
-/Type /Page
-/Contents 2061 0 R
-/Resources 2059 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2028 0 R
->> endobj
-2062 0 obj <<
-/D [2060 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-662 0 obj <<
-/D [2060 0 R /XYZ 56.6929 655.4043 null]
->> endobj
-2063 0 obj <<
-/D [2060 0 R /XYZ 56.6929 633.1281 null]
->> endobj
-666 0 obj <<
-/D [2060 0 R /XYZ 56.6929 552.1893 null]
->> endobj
-2064 0 obj <<
-/D [2060 0 R /XYZ 56.6929 525.0283 null]
->> endobj
-2065 0 obj <<
-/D [2060 0 R /XYZ 56.6929 90.0274 null]
->> endobj
-2066 0 obj <<
-/D [2060 0 R /XYZ 56.6929 78.0723 null]
->> endobj
-2059 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F62 1379 0 R /F63 1382 0 R /F21 950 0 R /F53 1328 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2069 0 obj <<
-/Length 3608      
-/Filter /FlateDecode
->>
-stream
-xÚÝËrÛÈñ®¯àÁU�ªDì¼ðÊMëÈŽ¶våÄVªRñú
-„úçó ÞÏ×7£™„š×ïnÞ\¿ý×ûËóÈx·×ïnhúýÕ›«÷W7¯¯ÎçR›@

-ôl®�‡
-¤¹~@þØÙ	�ácä˜	›:+о细òpW,ï°z{gÝ“�&Õ6Ö,ƒX®¬ýÆñÊŠi½¡-ݲN!ô@RGÚº‘¼Ìø˜"k廓¦|Â\/ÒÅ6‚`ä7@ò\z=žI4P•$¡m	�l¿´÷†¨ø-�`¯Œ„/Bé„e5IòDËp`#Ê|ÕÄÅT’MTl6yV€Á*ùD ÿœi
˜ähDs`ŽleÔ	M1‰Èà)‰ˆ|�Á -H›)S$}¸¡ÃQa$¡«S2îôŒÿxa¹÷ñYôéÓäÎg‚×/Ð-"ï�5Y@”üKºÙ–ùÅJaàKÝÙΓ·2/½øç}‘M™€Ä×ú‰Œ8ÐìÌrƒu72³¼‘iQrãØS‚Ú�æÄNs ³ÜïH´«–&¬
2Jy[ðN·ƒ½í¾ä
)/H©Éòe±IKX÷e¿M¨ÜלPšoÓ,³ör‚NmU(9ÌN}±‹¹ƒ6Ò»DßrŸeº(s^m]-³ñ(u;ÕÅ5vtV ¦¤M8ŒÓÆl‚!$G‘êÕU^;´À Ji`½l-AttòÈ$8qbTOœø�NÆ'BZ‘xw ½=Éu|ê„õ3töeÒiÓ)0èÆ„Ž+?Ò�žý{*Ö
-¨¡
À£#5|tmkyë—Áò„ �«Ôêz߈ãs—‰¡Æ:ùn;ëdM\ˆi{$!û–ò›ljBÉÜeÚÏh
ÝD?­ªX9Ùü
àUuKDIM]îÛœõMiØ)åØ®P,	Ž|hÛ&w
ÂÐòÝûë·×7S×Ë+•" S`mEF+ ¬Â¶îdLV(Ÿ˜c!%�j,×Õ±àÇÈV
2µšm1Í=%›�lûÔ…>XCŠ�‹–Æô!²Úw±
íŒÑˆÌ§²Ÿ�e±é°K„ÍMh6Om
-â$'··¿Žö¥Õ’WíÎco_æ�ÿ|š½„|yÊ®+f0q1'aǬ�8ˆœ˜f	0ÍíÌ1U(WSO.7ÏÆRžƒ"[ÏŠ‚N$Ï{“0)ïC9úQõ¹?CÜMìGIô\uÎDàY?É¥§>PNl4ï·sV҇߆bób.#Wd†å\G…•›´]ÞÑ$SÞW,9OØì
aÝ�m[ny~ 8OÊ­ü¿“Û�@ü(¹u´9H·ã´ÜêÐ�
„zÏÈ­¾�øšh{Ø>ÿ€ak¶H/Ÿ
-¡ÁÆ'(6@åû®wL1ùC)ÂÇQøÅTŒ%iR”DÙóPÄÂö&²>�]#û*¥•³¾Ò'!XãÙ?öuçJ(|‚ LAûW»ÿí=îû^ñ0Ô‚”_£ÜB"Ëáóá£gD-@ DxsCÐDb@,S¯­`=
-l^!šæ^½:
-&2*·ð®¯ôbÈQ{É},Τ-çG1Daä‘s¥°BAÖ¸Ç'¦&«]Œß!Ò@z];\ú –e÷(¤éîñú×ËF‰Ä ªé<Œu˜ F\#Bøh�Ï¥»̲bxÈ›Â]ì�½Ø”šá#0�’z�ÿ
ZŠFöqJ—ÿÔ~þì©ÔãèhAŽ…8�ðf¢Os3íÒ›Á‰œJò!T¶
¢ï7Ûñ:â'öˆŸ“�¨-úA¢R“çÂ.aŠÎ?ÐA/áf$áBøÂtO*»ôaÊK”–¾üP9+âìh�óÓC$N}™p˜G¥Œf:`g�+£z}>¥fQTéî0\Ï	à§dt”íóÓN
³.ü‰â/.œÁH “­,mÓÎäb¾l÷]=¿wª=6Ö–ôøaqp!<Ž6éî3P‚çŠ
áTß?NÊ:ÍúÙ•3ÄXO©†V(¥f»ƒì	£Lòw÷y÷$#ºEl ×èÛ€'<QŒ…#Ò?Éèiá~¬»XÍI‡ÞP›�øAzKrdxZM킱¯0ì‹æx!Æ¿ÓÁÉËpbn|…Õ±‘X^€ÄLWÇðÀto
XAÊæX‘
-
ô0~ä÷U¹ïÛºiŠ	™1G`\PØ Ã�ËekØßö·Ðî÷¥€¬#Ëû¿)X”û§/‹~÷ÿ«ãRPs
-Ã�kúÏaGê�þö‡Ó€ŒMp.¥)iaÂ4œµ1l˜œ°-~ å³
-óHb
-endobj
-2068 0 obj <<
-/Type /Page
-/Contents 2069 0 R
-/Resources 2067 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2028 0 R
->> endobj
-2070 0 obj <<
-/D [2068 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-670 0 obj <<
-/D [2068 0 R /XYZ 85.0394 306.3415 null]
->> endobj
-1819 0 obj <<
-/D [2068 0 R /XYZ 85.0394 275.1221 null]
->> endobj
-2067 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F14 976 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2073 0 obj <<
-/Length 2797      
-/Filter /FlateDecode
->>
-stream
-xÚÝZÝoÛ8Ï_á{sÐZå‡DJwOmšì¥À&»I8Üî>È6•¥Ô’“¦ýÍpH™²§»5pEQ¤¦†Ãápø›áðƒ�üã£DE*ÙHgq”0žŒfË#6ºƒºŸŽ¸ã™x¦IÈõîæè͙ԣ,Ê”P£›Û@V±4壛ùïcÅÑ1H`ãwçï³ã‰HØøúæXÇã·øßÍùõÍùÉõñ$ËR1>ù÷Û_nN¯ˆK
‰âšŸ\^œ�ÿôÛ•pyAä«Ó³Ó«Ó‹“Óã?o>�ÞtÉ™Dí?ýþ'Ía¬ŽX$³4=‹x–‰Ñò(Nd”ÄRzJyt}ôk'0¨µM�ÆY$¤V|ÄãHÆPš-É@h’x³O8c}³µy[4m1kp„ GÖg£‰H#¥3i8£)n�¦Äx™U
Q˺m¨¢¾%J³‘néEu[¯–@«+bÈ«9ÕܯŽy:®Š¹qÒó`Vyé¶fu›Ï|%ˆ¡ŠucVŽÖÖDº3­>~×3TÂøpDœGY’;¢va Zf�¢
-5Ú:¢|½¿¸¦j§ ­ÂÐ1à-&Ÿ-È—¿œ\¾?ÝKaL? 9,`’d4Ùýÿ#*ãC¢R$‘ŠYú*cñi;¨üumV…ÙÊ ƒƒ�r¯ÒP†Z[PJ-;PbA‰¿Pâ×'7$ûaW0,Xà

-8$Snê’:L±£¡^~vù¤_îï}2òP˜ÇãLŒŸ÷ƒÃÍÀw”™*
-–>Gm¥;LÂù<+s‡„e¾úH¥?XÂþ
ÿqjZ4ƒ®»BçDïJý-rú±ZøÅ=<¦é¸h‰„G•�«¥cF(Ýç+ˆ,ƒKܺÌíîY»
‰tAH±¦§bÑPÕǪ~¬M¤©¡okçÁ@á�/
¾]Xq‚Ž'ñ7/”&x×� …Õ6"¾øÏÕÕõé
Ñr‡ÞóÎ~àSf*⌿p<Ô¨XÒ9ãu=ûhÜY÷ù›Ë¯^•Ã®•ZîW™zú‡«r¦–q¦»U**Ó>ÖÖÁ�N!¥ÌчÎGÀö䆇ü÷
F
ΕjÏDèˆ#”‚¹�›9¡Ó(N¥„	Si”dľ;aþbN&°K�5�Ú¼„1
ÉùÔF.,ÛSmÆýþ(ÝþËá
-|îwV—¥™Q
-6
º]䮟®6_·‹zU´OC
ôqa*w©È 9uœ
-os¥»¹EV{s+ƒ›ÛM¥ƒ¤ì]*c®‹ñeåjŠÆËw]û&÷eN4c>»NèÒq(ÖÍ×Ë{k)•º[e—\!áÆDéÊͽ™H îl<}r­(ÿÚ‚>÷×\yìo2qBwqšd‘’™o1«+ä¼[¯º;tH|†íÝ‘�&þ*¬Ó(¶¬[S>Ù¹˜R×ƸŠd¢ú~üPäA'ú®
äÙ"¯*SR¥uz—È
š N¢Ï@vLàÄ9k
-i·*hc–67Ã~ìèP­Þ\¤„¬ ™CEw¬µÝt¦y�1ϽõZD´ÁÐNu«»®†ž¶„üÏ/—]ºéúÚ?V°2mkùµ`ÜSggAê¸^ÐbWš�‡6Ñß�½	ÀQØ¥YʈoÞ•D°„º·%Ý-ÿõV=+
ŽI_`ÓIÿ‘
-ÌåÃ0³�…Ÿòë×¾øÑüs`h[AîÕ«WÃÃxßõر l2-u–fqXN</žn
™ÞÜ2Ma‹¥¸ñq1×£ÆUºßœ~ÀÕÜR«ßªâ3¬¤O¥“Ü°´ùòþ5íQ`�Õ¬»}#¶È�ÈÆ€gÌýGaO±ø!¯Öùꉘùë¡HÉ3ÍÜ‹™³à!FÌ‚.h|÷œÅ½~ɉ…qø¶ÙÎö³™Ø=�Í2íHqãM–È뿉Ýé&TÌM3[SãËLëÑàNwnº(Ú5¡TÄþâ­ŠÃ×Ë8:¥W\zsE/sèÅTYóÂ/*Ü ÆBúç@^ÜÒÄÁ7…K®û³Á»mU>äåÚñÑkcà²+ Pß;:òھ゚�ûá“9¿Š¡Yì*ÒˆÆ¢öO¾Tï�Tppîšžy¶)aý
³SÈßÇ8pÍÃDNi�R`_ä†h9ü•3 �˜cèÒ* UuKTŸ*E+�Ò~	Üvší FKÐs¹zoÚk#…v�k¹.СH£ÄGhç{Hz²¶�£@"u0wsˆ=Å̱
-J��ÜzezmÀ?«žÌ”ÜÆ"j`ô¨Ò¿¶²PóâTI.4´òBB�O#:øs²¿ùæfáÆ<<}nÅ:Áp啲a�Ç;ªû·š»ºÿ‡Û_þendstream
-endobj
-2072 0 obj <<
-/Type /Page
-/Contents 2073 0 R
-/Resources 2071 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2079 0 R
-/Annots [ 2078 0 R ]
->> endobj
-2078 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 269.7901 116.8967 281.1822]
-/Subtype /Link
-/A << /S /GoTo /D (statschannels) >>
->> endobj
-2074 0 obj <<
-/D [2072 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-674 0 obj <<
-/D [2072 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-2075 0 obj <<
-/D [2072 0 R /XYZ 56.6929 748.5408 null]
->> endobj
-2076 0 obj <<
-/D [2072 0 R /XYZ 56.6929 686.2137 null]
->> endobj
-2077 0 obj <<
-/D [2072 0 R /XYZ 56.6929 674.2585 null]
->> endobj
-678 0 obj <<
-/D [2072 0 R /XYZ 56.6929 255.5751 null]
->> endobj
-1689 0 obj <<
-/D [2072 0 R /XYZ 56.6929 232.5802 null]
->> endobj
-2071 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2082 0 obj <<
-/Length 2914      
-/Filter /FlateDecode
->>
-stream
-xÚÍ[Ksã6¾ûWèHU�°xÄÞœ±=q*ñÌÈšlj39Ð"=fJ"‘²ãýõÛ@ƒ%S¦e+S*5€FãC£
-#ÚH¢(Sƒéü„¾A݇æÛŒêF£v«&'ÿºz`ˆ	y8˜Ü¶xE„FL’߃÷?ž~šœ�‡#®h’áH…4øáòê)?ï?^]\~ø2>jL.?^!y|~q>>¿z>qè/[|ßë‰íä{^O.ß_ÿ˜ütr>i&О$£ÂJÿ×ÉïÐAsýé„a"5x€”0cø`~"• J
-QSf'×'Ÿ†­Z×µ4%"¢"®;Pã¬5eH(¸p¨}å\ûÙUq••U6-ñ÷Ùj¾ÀÒºÍWª¨Ñp7ÒÀf
pÃ0FŒRÜŽC#¡cT»,”l8b”>ã}±Ê«tYz6¼%-pá’ɤã2¹K‡#!xp[̆,˜Yþ
)U|3KK[fA¹šÏãeö?߸l�g«§õxØñ.®�Žjbi	‹å�EAqŸ%iiA©à¢Xb“4žÞa+lô€äâ‰U-)ÊõÎÎÍÎB]Å6Œ³ô¶š¥ƒYñf«yŽ5Y‰_ß”ñÍ�/½Ïâ*¤—�óÀÄ5Îã¹gì¤a¬ž#PüÜ­öÂŒ¤aÓÒ7G&¥	Çñ5wÅC-R^óL7'ÅݤÊ�Å5Ðü¶XÎ�V@?[)žNÓ²L¬†i`!öÕ?N&Ÿ�²Á	j¦wqž§3bq�Pl³eöíΣçZ9Íp
-"C¾éÄ^Õ©–¡…ÕÎñ±V¾X÷Ød5Âù€;„)×A…iái
-CqõÚÛÖPî–Ñ/YM\òà�ŠÛR[@*»BR„ƒöÐo›‹�†À´–˜gƒŒ',ë;à†À„XwôÐÀ£$‰B9|Æé_«´¬î%8-d0þÜáÉA‡ *�Àƒº>—Ÿ°¹ôVÆq(O™¦°°&bÁ˜GZEÞVØvha,·K,ç¸
-†NEaÏbQM¨ô8Àb�'yIû—hÜ,Š͇
P:?»º¶uqzÑzÅv"Ú’öP¶êЦÂWÀ@Èç•RS£ôCœXL~2ˆaÁ%¾ÙU^®‹bYa(‹Pc	\m‰qä‹ánOåháÖ
-E“!œ®ª»ÏËÇqú'ä!‘TÁøË:Û«Xf6¼Oלoù¬¸±ût­¹6,ËÒ
ØÿL§Õ³°·¦t´ZÌÑš÷…0
-UÇÓt©Ð_F�kD_�fKÒ£E؈é¾(
˜H*0Jøívé°Ädã/¿]ŒûÁüo‘{«eœ—·õéÆ.ûÐmKìc…V@$…=È
-cˆ”¸[”¾,’¸JQQC.
-øìaA–(çQ{wHE	µˆÏc©	y´VÎæ;�\ç=
-/âíwQ_Þ«r㬰Ül×z±²[åÛêô6ýüçRZHý Y¥=Ö—kC"ÔoÓÓ…RŸŸ¦PµÆã�¿B}šî¶µ}'¾-Ù�Õ8óPBVªzŒ3µ}DÕ
-[>N!Q]Ƴ}Œ¹”[P[Š3æM�gê(v\Q[A)ŸXÁ.‹^ø¤ºÛ&BîAXŠ".wOœ1ØïÐ7ü¦°µ‡ºÿ6eÝ˺Ö=vh•DiÓg
-'T‡¢Ùª/—eZí³7¹ÞÞ›@Éü㘵ï]7k"0 yçkß²ø2�ýǤKWP±˜yªXŽhUÉ};U	 Ç=ŽÒç;§	K,µbÛªd9[±ßMU²ûØHøÄkÄ@#
k½F¼Z×Zëø6ÅøçÜ3ÒÙã8£�[¸>[»ñë…=–?½ü ˆ(x‡‹8›Ì9ØA€=bŸÑ^þ¼èö$ŽÕÿ²ˆ’°ï̈EÌ¡j¼ÀÅÇñ/°-¡xϗ˃Áëy?ƒêZâcõ­L…2�ž%¦9”ªÆRþvöñ—ÓË«¡í°Âï}Ü,Ûn–y755o‚?½Ke¢#±`ÎòíH–:ì Ę�·6f0)æq–w.#"yÄ¿›Km/±ºTÆ)ä
¢ÏÌ
tÂP¶ÂÜ=Œ{ûj�mÇÉç=UÅg¹NâU‰ú"êwÚ"(ýƒKG,ð»H—ö-t[×jA:ÔÅ©ž0ö2Z&Ž™¤ÈÈöožx>6÷DéV ¨ë„Þ¶{ªµÈyÇ#õ>­]¶ç±­¶Š0Jå÷SÛ–JÊ;+{릢=XÖ=ºÕ6d„1Ý2Ɖâ²qg+÷ØÞÄ.T0Â>ZËCӜ̈́ÍkxÓhª-ÇU•ÎèSl›¿k]õ}nV’¬ì|F?-|†‡O¡{Þo¿îm¶{;mÙc£!ñ†ž¶ä„³…Ò½`¶¥ËOžQ’xÕíþ§
-û"Ë=æ–Í¡7Á噣áÿFøêêq‘bml7’­�Îâ²ô´YýüýënR|ò-j…-ºgîþ¹Á>`7Í
”îÚqñußî=f+Cí2iÖ¿c“ÁvÔMËf“YÞ°y0¶¯à¤�›ÒtëµÔúmÛDÂÌ…ÀF$a$E×<ÑAïYÕKÿ¿jýgRµ_¸md"øƒõ´—x¡¾1¦žâÿ«n×’þÿ›�ãvendstream
-endobj
-2081 0 obj <<
-/Type /Page
-/Contents 2082 0 R
-/Resources 2080 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2079 0 R
->> endobj
-2083 0 obj <<
-/D [2081 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-682 0 obj <<
-/D [2081 0 R /XYZ 85.0394 741.8766 null]
->> endobj
-2084 0 obj <<
-/D [2081 0 R /XYZ 85.0394 717.2979 null]
->> endobj
-686 0 obj <<
-/D [2081 0 R /XYZ 85.0394 609.8545 null]
->> endobj
-2085 0 obj <<
-/D [2081 0 R /XYZ 85.0394 587.5432 null]
->> endobj
-2086 0 obj <<
-/D [2081 0 R /XYZ 85.0394 587.5432 null]
->> endobj
-2087 0 obj <<
-/D [2081 0 R /XYZ 85.0394 575.5881 null]
->> endobj
-2080 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2090 0 obj <<
-/Length 2532      
-/Filter /FlateDecode
->>
-stream
-xÚÍ›YsÛ8€ßý+ôHW
±¸�}s|ÌzjÇNdÍV*3ó@KtÌY‰TDÊŽç×oƒ EH¢DÉvjY©Š@Gãc£»Ñ¤É
-V°–	óhÝ•A
-¥Ÿ hDP¼Ì«Ê(�¸ÂxåùFÝsµ"w•/ïóæN‹éËúLNû'eã;(3¡À`ô˜Ø1�Pý[â³…zå¶lWn½lE³Ò–uM–±Ý	,(2ûëÖ_V8™£<KÝ�øû|%©ÓÞ~NŠÇ¦‡Ó_£ˆdˆIØAN?ÆÓVœ‡sÇ"´"½´¨U¸ê·&¦e¹=%HS"«)fÑ÷ðÐiæ¶7­ºfó"ÉR`Ë�
-þÀçql/´Ãak'q>^$ó°„�E"%°^tv`Ý¢ûlYlÚ†%"TØm
-LJ«ân.¾\a虃UûÐï°½y·ÇÝK|M$Í`Æ×DÚ²K«V-‚øT·G³‚ 
-Ð%eø&ömV‰°dbÖ
ÞϪK4Ýï$lCc°©ÁU”L—‹¸ÛÜÂó¦TŠÀieðPvw¬š²ÒÛnKl«öf».P‚‘’¼¶.;¥W-×”f¥à‘ˇÌÁô¯+ƒ½Ó(ƒ½ïÚ±Jl
(C¨…n²"þ',KYy“¼Í¬¯f´N­\¹ªgÌž’Iíîf`b§/îîÊoÞGãÿ>GeÛ‰»5Îfó¨Hî“iØfÕ“ÂAxe¥mÉ9\(¬¯’‘f•6v³˜EÓi5Bä~fYíÃìÕÓ4n�úë¢vJÕ‹ÎÝU¾´Þß–¢¼ÍcŠ„$µ"�-‹GP¼aüWËc…0…b­ª¦íÞ�@(C•h”�£…ÄØPJn˜óǨ°›^ÏÙrZú=à1Í3Wù
-÷±û-£ ø�•ÌÁCÉ)	ʾåN+ªÊÔ5›/¢qëã,’q¼Ûâù¶ä½,^=ûáCÖ=vZ<	âJ¶ßà	(0nd¹êÏ‹aüí"KãC"_°syáâ"üm;•¥b¥ùƒÓ~¸´[v6ªÛ‰³ômKÿ¡4E+Ý�PÌp^"úm>‰Š@]=p”p­4§­%à
-#ÅÚîEéIÙc–#
‡‚–œ#Î]c™Ï_	Ó:Ù<>’¦'çûÒ$ïI“j¤�ê8â
-Fלxx€¤�oºi^¼Àé/;vK­Ç±ª€ñöõdí±~‰§]¦“bë1ÑÃLgÎ#Œ¥'[�	Úƒ¦V¤ƒ ÖH(¦|�|­Bæ* Œö706ë8«€×F’héÑûM>.âEüí-�½ü+¯œ{•-ÁU¶du~¬ÝT’'+‹Ðœxv?oy=~š ¬d‡Ã“Š¤=û—1ÑÇ/Ãøy‘q~H
-‘JàMCÃI!=†íùÈ
„)œ†Ê™»1º uÆF¾>«"�’2Ý�‘hD	®ÜêíÙ±Žº¸Âêð
Ñ“¬Ï
-x<>O®>ãƒ8OcÖኩ‚9´q®øúÚw}4>O®>o^ô4ïðTÀ)™q¹Fïå;ž^#VŸu<mh=.W†×oÉî–cû!V'¾/[oÅv½ßÉíˆñd/POÔ>…pÏ0ÕáŒ)ãHÀŠj¢;ò¾¯Å¹#
Ü°ô„|/–‡§Ì~DƇHƒ˜¢¬NšÉC’fJ#Í°ØŸ4#R�#®>�tI3V%͆qžMŸêGqhž¬N³X
qÿ?™Fü#Ç„AœI„lÏ’Õ‰cÂ8J·³dö;]Ѭêì”}Ù³U*ØŸ»¿o,	åˆJÜñÆ’PD¹pó“ý¨Êzr!¤'ŸºSì�ïïÙ„žpý};a¿‚]ÛñŠÒZ[mˆñÊ£ÊãzÂõ!X>&pÇ;J‚x
-©ÖÞÙXµâXª`8<F[¾DØ›j€z¢ö¨ÖöÛ³Ÿ§�Atõöe…S‡S¾g)hÏ7¸’öã—Ž·�#L¥Ko>_Üþzv}c¿çç"Âu7̦Óáô<Éú‹OrûµKÇFð‹!ªq.ørhÿFæ?W§Bg×ÿ¶_nkû Áö†~ÐÛþµŽí}8OOÔ·ò´ëâ´
± ²í«v<è„}èßö4íÄÍýo«}TT	�å€AèÏ\IˆÜâA0¢"µª™'ûÿ
-endobj
-2089 0 obj <<
-/Type /Page
-/Contents 2090 0 R
-/Resources 2088 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2079 0 R
-/Annots [ 2092 0 R ]
->> endobj
-2092 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [305.1296 684.0956 384.9596 696.1552]
-/Subtype /Link
-/A << /S /GoTo /D (clients-per-query) >>
->> endobj
-2091 0 obj <<
-/D [2089 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-690 0 obj <<
-/D [2089 0 R /XYZ 56.6929 435.7843 null]
->> endobj
-2093 0 obj <<
-/D [2089 0 R /XYZ 56.6929 410.6637 null]
->> endobj
-2094 0 obj <<
-/D [2089 0 R /XYZ 56.6929 410.6637 null]
->> endobj
-2095 0 obj <<
-/D [2089 0 R /XYZ 56.6929 398.7085 null]
->> endobj
-694 0 obj <<
-/D [2089 0 R /XYZ 56.6929 185.6451 null]
->> endobj
-2096 0 obj <<
-/D [2089 0 R /XYZ 56.6929 160.5245 null]
->> endobj
-2097 0 obj <<
-/D [2089 0 R /XYZ 56.6929 160.5245 null]
->> endobj
-2098 0 obj <<
-/D [2089 0 R /XYZ 56.6929 148.5693 null]
->> endobj
-2088 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2102 0 obj <<
-/Length 3456      
-/Filter /FlateDecode
->>
-stream
-xÚÍ[ëoÛ8ÿž¿ÂßNÁ­Y¾¸Ã
Ý<ö²¸MÛÄ{Àaw?(¶Òµ%ײ“ö¿¿‘²hG¶’Æ-‚µD‘CÎo†ó"Ãþ±�U„
-'ÆI¢(Sƒñìˆ>·_ŽXè3l:
ã^?�ŽÞœ3pÄi®£Ûˆ–%ÔZ6MþHNþýöýèìêxÈM49*M“Ÿ/.O}‹ó?'ï.Ï/~ùýêí±‘ÉèâÝ¥o¾:;?»:»<9;:g9Œ—…0öz„ƒÂÈëÑÅÉõñ_£_�ÎFkb&¸úÏGüEàõ×#J„³jð
-Ñ´L�®�>¬	F_ë¡] Ii
+nCa‰TÊîžÖOAaÚðÈqJmÏ:tp)(M¨Tf-Î")8
-Eg®Æåìôòšž§ù´Bìú'U”ÂÌC÷y•-¾úÇ[ ±òPV{Pô+”‡D6—�ö’~„Ý�¢6œåú”’b´¶54¿åÕ,]Žï@%�2ÉÕéj~Õh;ŠÔ°š—E•¡fšmÍ
-ÓÑ]æ¿�0ü¸‹ÓŸø[…ÓÃ<kÃ	«ÒKhŒ4KÒÉ$ª�†PIZLÞ³7vXÞ…ž[´ë¶mjór±ôO“2뜿(±ƒÖIÃ6<>Ü¥¡ñ!­üCöež�—žeeÔ9Ï6|“ �Užnêo&Q¿—‹Íɽᨩ;šL²?)åE6ÁW–Ü|õÍȪ—X,mãC÷éVOþX¬œÃÀºûNå|™—ñ›D£»¼òsÍÒ0Y½bøMÿ!/&ù8ÖË2J‰£Tnb‡DýN+oýoêÆé¸çe^•E^|–Ël6_îÞ�±¦¿lë|?›¦5%’Ê›¦µ ÎQoÓFÇüÂbUŒSТþ}8:v¸×lÒŒˆÜB»Ÿì)âÖS°Ã¡
-‘”Ž÷ ª8DkÊÛ¸ÿ¤3P3CÑåÖϽ¸úÜ$›fSTáç!­òµú\-
-ÿ
-ßoï*£!
-'HåÖSùì¤KßÏRð��kÂ�ïK½.÷v3¤ jÌ}—jž�sÌüpYV]—Õs�ì.Ú2ã¤Î?ñûí
-M¬äæ)ç´¬¯µÝ§´Ã†à0¦øX{„2\G41®�u@Œ¶ž5Bø©ƒEM˜•r7‡`¬´Qú€,6ûx´’h
KÛà‘÷ó9	h!]Ü2P	»s»’s•= »kŠ=ìJ®—f‹ÝY»G*m6Ùõ[Ej´¥«}­‘Ôð�
-&„'Åjvƒ'Û¬5lûÜT;ñåᮬ2ÿ=6…þcÚÔÂðå&[>dYÑeòÀ Ikö€+	ç´Œ£µF
-Í·
-úþPÝ®
,W&½ÛÖÀbc0°Ø¾i`ñãÚÀâgˆËÒ©o÷çÖß´ÀßûlÑ!‹í�dÁ�Å€I(DŠ/wkkŠÃ˜d‡Q¡Œ®e;ó.¿
-È
-§Z²ú9dõ.²`‹ ?ÆnnîÑI÷²ëŒÈDô¡ãþeCH¤'�õs¨ê'Qý½È¿tQMÑ6†û
9¸šÓr–æ…'^gàÝA”£b¿x~úP_ëÈŒ„Êk“‚3…ãd?žæÖüø¼ZVù$ó/mâ, ÐcÔn_�k6‹Jfåd5­Ãr¸®“o®tãTr[N§åC¸n¥C�¢^+Û𧌅Z†ÿìºf¦Á6¸�þ÷þ¬ƒ¤QRËÆ+ÿ«;v`›y9ýʯ:õ«�YÅ
˜¼¬¯èÁ÷t:õÛÍ\�nýô¹OóiÃ5Ø	Ht ƒÇôuÜS¤ÑÔa¯ÿ#\Ìý2ÎæÑ%¡h.Šw›+y(§-ï¶NÒóø˜=›>®´1aˆT 7’W
ó)¾@HpˆÔˆç9ƒîQÍBè
+›k¦@
-endobj
-2101 0 obj <<
-/Type /Page
-/Contents 2102 0 R
-/Resources 2100 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2079 0 R
->> endobj
-2103 0 obj <<
-/D [2101 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-698 0 obj <<
-/D [2101 0 R /XYZ 85.0394 316.2326 null]
->> endobj
-2104 0 obj <<
-/D [2101 0 R /XYZ 85.0394 291.112 null]
->> endobj
-2105 0 obj <<
-/D [2101 0 R /XYZ 85.0394 234.6836 null]
->> endobj
-2106 0 obj <<
-/D [2101 0 R /XYZ 85.0394 222.7284 null]
->> endobj
-2100 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F11 1353 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2109 0 obj <<
-/Length 1514      
-/Filter /FlateDecode
->>
-stream
-xÚ½XmoÛ6þî_¡�20³|
†
iê´.Ð4M\`C׊Ì4Âɵäý÷;Š”,Ù²½¬E "©‡wÇ»çŽ'“É„DÒP)ÑÀDDéÓG_àÝë	˜IštQ/ç£WLEIe4èÈÒkM¢ùâS,Gc�€ã—³ëWf<¡Çwó±âñ…û7ŸÝÍg—wã‰1šÆ—o.næÓ[�’��~%l¿|}5{ýñ6xí—o§WÓÛéõåtüyþv4�·è’`æ¬ÿ:úôG8ëÛFÌhma‚1†FO#.œ±fe9º}hvÞÖ[‡œÆ1A„
-M$ELJz\­W�Am2�´bOë„`ƒüƒ@0Š¬
!�@"×*R É(«ñ»óÊ‹+Ú*¤×€ù_7S�é	£ Kr@œ“r‘¦vUí²ƒ!å‚àa³<-ž²üËx"™ŠÓ"ÏmZeE^º—S–co–Ëï~1©EÛЂpEãùcV:E rB2BÐZvZlòʮǮL�ú™•$«Õ2K“û¥õóªÏG;p6"RX7f|u3p4*‘ÁRL’/Q¡Ð:`®^m“*}�5¡#
-ä꟩ú¾²%Ú'6
-qb Ò>üÇ׈Aö‚!™“Ùr ²Ùqœ¶X#JÅÖ‚%¥þ•¬½³ùbº^Ÿ¥­Ãk`S,Îr÷äqY¤ÿØʯ• Ë�Š•]'5«�²RcÏØúUËQ·;-¼X;¢s¹*òEéK�õð$ÎJëHÔG>¥ÀÑœ·Uï„CB-Òðµ.ÁB¡¾àÖ‰ú?w�ÿ1.íèÙð÷'VU© Rs†ŸÒ¤…ä¿’Ÿ·6ýö\~RìùI1mùéÖ<ÕR›}³þe�¦Ôð@S¿?]n6ÌìNz�§þ¦
�Tà?²#Ø¿)rÿLü#T}Ю¶z
�±0†²�ý�1µ‹¡Ô¸ÿîœäþ9»|wãG­©~ú—IòÅ'h7ô?«€îšƒs݆ۣ°Úë6þß®Æ"
bPK¡�+„U¿K9èV¨Ò@nF!	8GZwŠt�•M+%!ʸéñp-cÝYñ´‚¨ßgˬ
-ñÙfU¸ëd·a$`™cÏA�éeŠF€M�	 ¯_åÐJÀF]Š#É·ñ]QºúL!*°®¬²Ô•bJšZXú·Õcp[ë3Å£’oI¶ô]ƒ{	‰5`*vE³mŽM±¤tw'.é©Z–E0u³Zë:CŽ*%ÜÏ}†R””�Å6o5/ÔÍPä®'Ý®îç]r_ÔÅÃÝHÎ'®p0‚ã7­Ëê¬ìN ‘m¸Ä`÷¦
-W(
-)ºC-¶ƒ-ŠV@ؾZÙ$lÊònË=ƒö¿
€¯„ÈH
-¦÷6M6å`ëk(n|ŽX
-LZEœ,ŠU0Àq«y™¹+Á�›„™®œ ̹ÒŠµo�&�ÔÐ#»+»ËÊm²^¸OŠ
#%ÀYSC’rè´àZ#ɳú�@Ðlqœm˜A_½ìi¶uP'ØÖ j¶]üyuÀ3î"ÌœÖÚ€´v�j2ÛÓƒ]¶†,l»þhËê"¹—�á~n¿úÜìÃÆ®³¦(”þûï¨'¹bˆr}&o»¨ãžlQµ'göu*w�`rZgÐÙõ£v†”íéü¹~¼µ_7¶¬þ«#9s�ý?î@'Ü@µ߯ªr_¥ªOªl0‡*{lÄÀFNz*Ï8±½/:ÏMO<蘄&ê95À4—”ÝW›ö®¿Î�7-*Ħ5±kz×eزZ&éaóÚÄ
Q÷[Ô€wqÔÔÇþÉk÷# û2„q8PT¹º
ã`”ó!ú�ŒQ&é€íÿVоendstream
-endobj
-2108 0 obj <<
-/Type /Page
-/Contents 2109 0 R
-/Resources 2107 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2079 0 R
->> endobj
-2110 0 obj <<
-/D [2108 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-702 0 obj <<
-/D [2108 0 R /XYZ 56.6929 629.6971 null]
->> endobj
-2114 0 obj <<
-/D [2108 0 R /XYZ 56.6929 602.1058 null]
->> endobj
-2107 0 obj <<
-/Font << /F37 1038 0 R /F11 1353 0 R /F21 950 0 R /F22 973 0 R /F67 2113 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2117 0 obj <<
-/Length 1242      
-/Filter /FlateDecode
->>
-stream
-xÚ•WÝoÛ6Ï_aäÉ
*Z¤¨¯å©M×-C1kö´î�‘iKˆ,j•Ôú¿�Ç#e)V³†ÁÓéø»ï#EW¡ùÑU“0Êù*Í9‰C¯ŠÃE¸Ú›w?]P'ÃãˆÄ<ŠÌÃÂÛ Ž2g,]S�ww›Œ®XH’„Å«»Ý¨+IÂ(g«»íŸë›R´ZvW
‹Ãuzõ×Ý/¸�“4K)l�
-£�\Øðîö×÷(�ãòICWé#>ݨ¦¯¶²º2ÔˆG9‰xÂ^’žÑÄ⥄^4ÃõÛ¢�}?ÂèNÕøð±êµ‡b«œä	KRĈqÇùíQ”àö+š­
aÈxý9ŒÃ·7{³R|)¬¨tÛ->z¬ƒÐE‰d}BÑ¥ÐÈ<ª
‰B4HôÒ½ZÍMU<4âàTíTçˆAS†^‚»à ¥$�cÌUÕŒñ<Á„eFDD]«§ QºÚ"›Àó4uÂoà8Éâdö÷ »E¬Ø¤”½*PÍZ–ÅùÀ�ˆ×AéõÕ2 %ÔØkìñ–m̱˜ÿOÈûZ¥ªå7‚Œ¾.¶"�™š^œU†îDÓïLŸ«ŠbÂirRe;Jê‚ žÀ ˆ#n¥þè«fo$Ó”¦S�²V8ÚÖ<ZáZŠG‰Ôç0d�(	]&Žt}jEà©G|®ŸJ·ÛvŽÕáG
-³ñÖøÙihâ.NÀ9E�\	ÍÍ4=TÚ–žoŽÎ7[úþˆEgz“&œúüPë�I#œÐVtºòÉÀò€\ÈÚ%±Åp?ÊF#£o•²¥ç²i}b+›JÔó´�MU!}Þãð½ú„Ç�ݪµé\§[ìEÕôúyéLC²�ퟥç \y,ç†ü"m-ç6•ê		ÛR£‹ª•]íÎVѶž„ìþ€EÁéù‘fx&n6&a!œÑ	hXÁX
Ðc[$/ïÕ~è©ûKdàYÔSU×HÝתxXj3¯ò÷74§>ô­€p£f§¦WÇê¤
çv"ûÆé++8{�¬ú—´êpP
DÇzÙ{°ªñ JílÅZ0ÃdŽˆe(
-ï¡�>þc…yjw˜Î�‰ým²ks“aF–æÌ0ÌÃø5ngfn£Tt½ä�‚Àš2Ó$–E™çåÀË�™\»anzñmTÂ"’Ó�¿²
-3í}MÑâ+Ûz̦.«Þ—†.=O.Ö+ï¤p†éiko8ÜËîy:Ø<Þ
-Ÿ
»|!öw
-óÈ Žñm1ÚªÅëé$³þõÌfB�ú{z_šZéMÿŽItñFó
-€�:]C¦ˆcq¿h“‡ž‡-ÖXd¹_UãT]º9GLs^¾jw…9¶nßAôæ_ôqWy?.›)ü!=χhŽs·_òïâÇ»ñ[ËAÁ¥É|�-}�y‘à$ƒŸb³;Yh>‡¢œz ;
-endobj
-2116 0 obj <<
-/Type /Page
-/Contents 2117 0 R
-/Resources 2115 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2079 0 R
->> endobj
-2118 0 obj <<
-/D [2116 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-706 0 obj <<
-/D [2116 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-2119 0 obj <<
-/D [2116 0 R /XYZ 85.0394 571.259 null]
->> endobj
-710 0 obj <<
-/D [2116 0 R /XYZ 85.0394 571.259 null]
->> endobj
-2120 0 obj <<
-/D [2116 0 R /XYZ 85.0394 538.9404 null]
->> endobj
-2115 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R /F39 1173 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2123 0 obj <<
-/Length 3285      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsÛF¾ëWð¶`•axíM‰åD9Ø^›ªÝT’@$Ö @ æ×o÷tÏ  •«R)‡ƒF£g¦§_÷H,øO,ÂÈ�R™.âTûa ÂE¾¿
-[x÷Ó•`ž•eZ�¹~X_ݼWñ"õÓHF‹õãHVâI"ëâ7/ö¥¿ücýËÍû(ñÊÀ¥ñÈóãÏŸ?~\×D¢N|-Él·ÞÍIŠ|©„fž/wë‡ûw3¢„€Ei¹)o?­ï>/W2`�KØcàýp3JJ?_î~|ø|¿þ•ž~üøáËý»»Ï·ËX{ë{xÂy®îÖNScmŠ@¡š¾]ýöG°(@©¿\¾J“pñ�/ÒT.öW:T~¨•²”úêËÕ¿œÀÑ[óéìéˆ
-~86uÙ¿œ¬mˆ´Ëøݦ,šê@lOU{\
-¯¯OD.ª~…§
-¶€r8VËkÄÈÔWq@ó}„eÊ$ô>ÜÿG«¤¿†§T{Õ@TÔ6òÚ¾¯`�DZ¢vËTC46F V,;c³žX¿ˆ}\Yu¾#Ý·C9·fùa[æ²yªˆ½Ù—Í@sü„Á±¯š-/NÏêpäKAä'Ú¹on‡_Â?17oâË(H™ýñØäµa6“nNæW*M}H==ÊþPæÕãɬIé˜-J'ÞïRjšM�W_È@ðl«afAV<±9Ft{ÈAúcÛÍlœ(‰â„¿l²ý¼¢?M]¬�èÒºˆÎ³†æÛ•õ�FÕž¼}âÍõ§~(÷ô²G暴=mNÄq¨³Ü)…¬ÅHâõg¤SÃZT[�
-·åŒ|Óþ‰Ãk2öç]•ïxXÕ5�êj_±WÍã ÈöÙÖŽÛ†GÕ#;ýؘ`^õô›·vŸûªg5®�>P´¶Û¦…‰ðCxǾ|<âJ´ðËl8R —Æ1à­ì}@™!L˜ÓÄgŒXÈÁ^³$m7„lSÕFɆÚÒ¯óÈñ4EVî­àŒÅdü|l]õTÕå–,ã20Á†X'è03æ+!"©8´æ{$–P�ÍWûZ‡ÖŸŒÄ—6yQ;/@_ó1bÞ¿—©ôøÄúãv[ö|º´Õ†|�±·±�~';#ŠÛËó®´\½0<dúi"’Ið˜ó!áËXÚ¼>:{ŸƒÈQ*‰¦Æósi
D‰Ô£Ü–š-àoùg¶?Ôülqoâ<>ÔUÃd<yCi3~Ǿb+–“ÍíKAZMµúŽ}¥ajÏ—�ðzF V~ +ïæ)ën^‹7p¸2‰-+x³R‘çöfwĶ<ÔÂ$Q—A
¥”
-ñ¦½€(—k_$m”ŽšÆéžÛî+Q8ÈÊ�¾«»bȺ¡Ê�uÆ+-*†aCÛ�ˆã“Û
-C=M=¯Ù0 ©$‰ÓQÀB;Ž¥wÄg2å$5%ÚŽŒmcº,9¡fœ_(Ì|µËxT5y},JNÌ%¤�Ӱ㬚Œ²*ÎØO§$w2É]{ï-è5;·{™¸

-ûÆÔ4øW™µ€ñ™Ì¤§ª|ÆÐ<§bÀEq’Šï	‘ôã0¶a³âù3�gñ!‘íÜ”Ù`ð{H@æ{ÀÎt˜x¿â¢ðð=
¢#0·ô›ÿ=öÃÅ|OY},{7A’£JNÕCØ«· ãk9½tž¶)#«°^¶Ü—
-�0ªq2âÄ 8h
ÉŸ•v¨Š)bÎÁë“è"ÄeyÞÆg(ÿU½oQDhM"ÜCûÔð\
;ÂeÖÕ¡ƒbzVŠfK
*Ò5
�o¼r:T+ë“•ç4S-hX}*ìò›Ù€#€'vÉ„ÏáC"ÄpUýÊ¡„2|+¨e]5ÐÙ0^yÓvÜÁ+Únˆ×I]$¢]FQWcßtU©2AÀb1¾!OÐlŸ‰b
QQšx?·ÏèüXÙ£j“‚ø¡l
-3Àoð
-c¥/E÷Ë‹U;PÕ>Ï�Ž’~*#õb?\•Ù°î|Ò�þËZ€ýÜØm)¨X®
-nqÀ¸m¬x“`Ylû¢î¦À�´Ìæ“sWÒñwÕ@eÐ\óQAå—Êïì>
-ÐD
-m¶ûF!&L£èuYô]
-0„›û½\¼ka;‹ÑŽ¬ÜÕH°ÙP46µ4
 Ãì	$GD´£v0øH[$
-#ìž…Í:—üQBZ}¢p"°×3Ž,½§_°Tº¸ƒÓj

fxÆ2ß0�k}CFËÛ»¦.BÅ«¶€P0a›’1O
-¯˜R ¾gzèÊ~àEåCÉœS›€WôôlÚO(aÇÂ�¯*À Kz„BÄF$øÜ‚›‹†Ó”	Ó±¡þ=ÛG/:ÿ¹�ÿ÷<sìN	x;(×¹Ó¤Ûmùd
->ÐnÌ%›ç%í3¨Åº9ÃÏ©›MaF†à´ØÓæòÈÙ0àÙôrÃÔÞU‚¡uóP�LC34³.³ëk;|§Ü½Šï‘^Ñ-ËŒ(Þ
o!Þ(ös1
/�׉lSÁ¥#@=Ÿgêœó¤gÜ™F—Táö¶ÜôÈÃЙg.wÞ·&'óé
Š9ôe=Änq˜öKb¬oZw[“/¶îKÓÞ6’B9k ‡
KÏ»Óah·]vØÙ>¾ÎŽ°‚[CÉ‚6<Ǿ̚yÝ¢	Ä 6#Â{¦mãî'zbÂBbýåþ'¾zA¶5y<¼¬ŒÉFúµ˜šF¾Ö®,{;¦¦Â¹¹sX˜ÆæUœÓQMú£Áúˆöµ<Ñ 
_ÇÞ�’–ÚNµ�ú#yÑÓ�±-[ãØÚh”i{™orLÙóÅÔm
j¬žJXŸÂvœMbóf¦âœDÊöIM«C[Wùi¾}ÆînÖiË86çj¯x½Ì
-}üÃŒ™¿È\=ó·ÿþãŒó4€¶$‘óÚaîÔ ¢µ‹Â�	¼XºýK‘—kÿ2¬2Vendstream
-endobj
-2122 0 obj <<
-/Type /Page
-/Contents 2123 0 R
-/Resources 2121 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2131 0 R
->> endobj
-2124 0 obj <<
-/D [2122 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-714 0 obj <<
-/D [2122 0 R /XYZ 56.6929 730.0613 null]
->> endobj
-2128 0 obj <<
-/D [2122 0 R /XYZ 56.6929 694.6148 null]
->> endobj
-718 0 obj <<
-/D [2122 0 R /XYZ 56.6929 556.3845 null]
->> endobj
-2129 0 obj <<
-/D [2122 0 R /XYZ 56.6929 529.3116 null]
->> endobj
-722 0 obj <<
-/D [2122 0 R /XYZ 56.6929 413.847 null]
->> endobj
-2130 0 obj <<
-/D [2122 0 R /XYZ 56.6929 385.8516 null]
->> endobj
-726 0 obj <<
-/D [2122 0 R /XYZ 56.6929 226.4875 null]
->> endobj
-1753 0 obj <<
-/D [2122 0 R /XYZ 56.6929 193.9525 null]
->> endobj
-2121 0 obj <<
-/Font << /F37 1038 0 R /F69 2127 0 R /F22 973 0 R /F21 950 0 R /F39 1173 0 R /F41 1233 0 R /F53 1328 0 R /F48 1253 0 R /F62 1379 0 R /F63 1382 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2134 0 obj <<
-/Length 534       
-/Filter /FlateDecode
->>
-stream
-xÚ¥TM�›0½ó+|©¸6ÆÄ>fmY©iš°‡Õj¼	*Ái e}MÆùЖ=­¢ˆyã7o><@1?ŠÇ„É�dˆ9¡‡ •9ûîPËñÏ$ÿ–u—9_¿±’XFA„²—-�‰eå“;ù1žeÉÜóNÜö|÷.�Æà‘ðX$“‡yš=šüš.Ò8™�½Qèf©Až
-"L<³
-ñãtü3�
-Wµ­²ý2Ôàv¿¬«öî –`Ø�‘¾ý¬Ví^Õ®Ð(e	�îlH]ë˜öâ
-endobj
-2133 0 obj <<
-/Type /Page
-/Contents 2134 0 R
-/Resources 2132 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2131 0 R
->> endobj
-2135 0 obj <<
-/D [2133 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2132 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2138 0 obj <<
-/Length 69        
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-2137 0 obj <<
-/Type /Page
-/Contents 2138 0 R
-/Resources 2136 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2131 0 R
->> endobj
-2139 0 obj <<
-/D [2137 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2136 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-2142 0 obj <<
-/Length 1965      
-/Filter /FlateDecode
->>
-stream
-xÚ¥X[�ë¶~?¿ÂoѱV”D]Ò¢i³§I¶EÒ g�¢íé-imõH¢#Rv7¿¾3œ¡,ÛJS »&çÎá7äˆbÁ¿Ø2Œ’2ÝäeÊHÈMÕ¿‹6{à}óN°L*“P¦I“îV&E(‹8ßl—F¾zy÷øu,6qfY,7/¯³¯,/Â2IËÍKý�àé Ž¶¶±Œ‚âáŸ/"µ4Ì‹\ Z.d˜—Qá^„Á¨§]טƒÖ¶ö³šHÃ$ÍbVË’0Ï"òS„âa+¢(
-žtßë�þ0j0Ó›‹
–Rz	Ÿ‹Â˜M<ÛϤ´¥ÁY�Ÿ šßÐì Ï4¨{{¦Ÿ�Q隣¡™ž¼öA]™=�zØÉ‘Å›2,³8ãÀ =e*RJÈ
,%©v�±42º›l‹‹Ä™Õ3õ„Ér“v
-i	·¥Ý3éÀ–yíˆùðŠ&�Â8K<æc�ø¡›‚hïCû™<»úÐŒ­êhüýÔï Æס\@�•‰ó÷w= vV
-ŠØmT¹,(¾ÊÞñ‰}�q´€¨\Â&|&d¾vKÈTÝVŒÐhÆKI›S?s�@Õ+6¸k0mHšŽµÇrRϯÄ'¨
-ýf3GÕ51b‘æi‘diNŒ�‘Œâ�±ˆ±0·"ð0àâÄßZÕ7’\sÂw
"ó‡&0ÍåþF
—?$cRÍZº”í(õåŠ:é�H^�04g¢°û(½ÀÙWáÓ
7�˜¿S,[>°úŒ¹…;î3`ô¦'b�ÕÀ¤Ö^ïöEy˜]¹œ­Þv‹íçÞa¯Úák@n@þzh|ÇütÓOÓ0J¿mºã—¿ÞeÚâš(°ÁiÇEðá
êÍ�âÀz҃ѣm§žæˆ§çOŒ$ 
-­è×ØÚ:‰óÎÐÃBYn?z·XdÌqâd¾©Üä¤ÚNí:ørðï»QÕaáƒL·CÕMucVìâªV.Wª�4 Û8Hü»Uoy)”@»Zìo+B)ˆ×­©ôD9ƒ©;B.ÊõTyåvÂ)Î6™îZds§¡ÁÓÏMí­µ°r=¶ö�ä&vÓž®é^/yr€�¡¶¯ÓP;«y Â1{9B€FãŸà{ËוÂM>p\×-ž‘7>å	èWˆÌ¨W
-¥Ìrcø-Š¼ûãËü
-“¤%œ¡i±Iæ² —â~ÚøÑŸ/¯6³Âv¡ámÒ¥ß;»è½‡CÀê/aïoã�ã<,EQ^Çsór4ÝÅpµö;[ÃïVÎy
7G)JΑOü©5­�¿|hW°hpk·IQ„"é5¶ÏÍŽûª‡]Ù)C™‹_Ú‘Âõ%KÄQXDñ¯oʬ±]ªÜïʽe×SX{üâññ|>‡¼+�¾,}�w¸ÉÀdñ:Æ›�š¥îãºÊǽµÿ¶Uø]5èTíŠË°ç§�ð6hÿ�˜ÈŸ%×"ö"Û‹½H.ƒH"h<H#a("NnÝÍœ÷þþùå�
-endobj
-2141 0 obj <<
-/Type /Page
-/Contents 2142 0 R
-/Resources 2140 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2131 0 R
-/Annots [ 2149 0 R 2150 0 R ]
->> endobj
-2149 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [348.3486 128.9523 463.9152 141.0119]
-/Subtype/Link/A<</Type/Action/S/URI/URI(mailto:info@isc.org)>>
->> endobj
-2150 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [147.3629 116.9971 364.5484 129.0567]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.isc.org/services/support/)>>
->> endobj
-2143 0 obj <<
-/D [2141 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-730 0 obj <<
-/D [2141 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-2144 0 obj <<
-/D [2141 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-734 0 obj <<
-/D [2141 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-2145 0 obj <<
-/D [2141 0 R /XYZ 85.0394 548.3785 null]
->> endobj
-738 0 obj <<
-/D [2141 0 R /XYZ 85.0394 548.3785 null]
->> endobj
-2146 0 obj <<
-/D [2141 0 R /XYZ 85.0394 518.5228 null]
->> endobj
-742 0 obj <<
-/D [2141 0 R /XYZ 85.0394 460.6968 null]
->> endobj
-2147 0 obj <<
-/D [2141 0 R /XYZ 85.0394 425.0333 null]
->> endobj
-746 0 obj <<
-/D [2141 0 R /XYZ 85.0394 260.2468 null]
->> endobj
-2148 0 obj <<
-/D [2141 0 R /XYZ 85.0394 224.698 null]
->> endobj
-2140 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R /F11 1353 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2153 0 obj <<
-/Length 69        
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-2152 0 obj <<
-/Type /Page
-/Contents 2153 0 R
-/Resources 2151 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2131 0 R
->> endobj
-2154 0 obj <<
-/D [2152 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2151 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-2157 0 obj <<
-/Length 2544      
-/Filter /FlateDecode
->>
-stream
-xÚuY[sÛ¸~ï¯È[•™µ««e�·Äé%í&“‰Ó³3çô<ÐmóDUQŠëýõ ¤dµÓé˜
Äå¨>ü.ÖÉÒ�²ø"ÍâeâÉE^½ó/°öù]À<q-“8Š`2³ºH¢õ2Y‡éÅbºÉõÓ»ŸÂà"ô—«U˜\<퇳Viº“õÅSñ_ïªid]¨_—‹0ñ½«Ëÿ=}%±x™®Ó
-#œ�‚Ľ;¬�/²Ô�
»)–X+Ïܦð~EAŠC1øžÉ�ÒŒ­‘áWÐO+U”gš€B`hC»  ŸUM”Ä
-FXЭ‚dƒ\#åS¯ÐyOpBŒšÈª†¨n4\Tòi¹^¿È�=õvÂÀ3v·Ù”¹<ƒ
ZˆLPO–`š8I9³€øQ&ŽÀ6
CÆg”ñf±Ñu.{4ÐÈ,0ø$rUªNIƒb¼Ã°:Ý>±‹átûÕé°Ûª)å$
-£��ÄÁ¶‘¹µ/
!.N…Ùzê°Wâ.pl
„ÓÁº°â…!R߸“OG•y—²œ™
®Õ+Å
cøˆP¾·ëU	�é6É–+?£ÂôD˜•ZŒnMG“Ñu	Æ»Æ5
1ŒŒl_àêiìYpɼÔ$LK­¹¿JH\ç d`
-¼
-–a“p¯GkଯëÃá5³îǪÿêÄ-	ÜȽ¬Í|µ/^Äwx�ÒH‚
-D¤<ÐÎÿ—yÇ‘sU@E…ÎqÌ*Š‘×8P”Ì Ë¿/@f4
áRÊ}^º¦ÖÒRº#›Úv�°/×ˈÖFtÅŒ‚þ[åSr Òéú@Øèªé)Ž�L½"Ÿûæ¢@ù<ñpJ�µÙ>~æÜpËLtGY­Fgá±[A
—(-Ì
ƒÅÙ¶Ä� ˜Þ�°)Ëx™AaíF¼¨‚ÕáPâ¥V)§8·º>@ÌÔ4ûôÜÄP‰BÍÞ(d�vP&máªëæßFD3zœ`·“¢ÂEàÛ=ÃBj{
†rh®ÔÐq½ ‘®³«zß�&Å(uùJ¸8…B×ò5ø?Š²9Òp#ªf'Ë’•ú&_æùM_—¢±J6iðU£ª#E}ïãÏ^5X*‰eÃÏÖJ©>KF\¢P¯SSŒo&Œ>Ï! ·LÝ–è@±¸ˆ¤�ægH@Ä9³ZI(�	Ž:ž()6Sq
-
UŸiQc
¢õFêƆ�EiX*×5ÔÏ]OÕ-ãÖXXE p³Í‚¥¢o¹‡šMÔºõÁùˆ4òs®øbðج–×
-endobj
-2156 0 obj <<
-/Type /Page
-/Contents 2157 0 R
-/Resources 2155 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2131 0 R
->> endobj
-2158 0 obj <<
-/D [2156 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-750 0 obj <<
-/D [2156 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-2159 0 obj <<
-/D [2156 0 R /XYZ 85.0394 573.5449 null]
->> endobj
-754 0 obj <<
-/D [2156 0 R /XYZ 85.0394 573.5449 null]
->> endobj
-2160 0 obj <<
-/D [2156 0 R /XYZ 85.0394 539.0037 null]
->> endobj
-758 0 obj <<
-/D [2156 0 R /XYZ 85.0394 539.0037 null]
->> endobj
-2161 0 obj <<
-/D [2156 0 R /XYZ 85.0394 510.2426 null]
->> endobj
-2155 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2164 0 obj <<
-/Length 2811      
-/Filter /FlateDecode
->>
-stream
-xÚ­koã¸ñ{~…¿Õ
bEõ̲»É6w½\š¸h�Û*K´­®,ùD9Ùܯïg¨‡­ì-Ð&L‡Ãyq”˜¹ð/fA脉—Ì¢ÄwW³lwæÎ6°öéL0ÎÂ"-†Xï—g—·2š%Nzál¹Њ7ŽÅl™ÿ2¿v<ç(¸óO7÷7�×;_x�;ÿxÿDƒÇ›Û›Ç›û74½»¿ýùñ§ëóÈŸ/ï~¾?_ÄQ̯nî?Þý‹p®‘ ëZ臛§ó_—?œÝ,;Ž‡R	W"»¿�ýò«;ËA¸Î\G&q0{�‰ëˆ$ñf»3?�NàKi!åÙÓÙß;‚ƒU³uRKÂu<zjò¼)5‰JO5½¿»ÿÒyñüY5º¨+œ$ó„`/©¦As.â¹*UªUNEE+OjߪÝJ54õ\×%„´Ê	T0�”à»ô?u3¤úÒ­¢µzM•J›ò•·•%Ô{•µLÌb¶[Þz¨reè-Ð( ™…Nž³|-ª
Y‘%†Qjð³-ŸµbƱ»=×q£h¨#ØÁ:Ò4óáÇ·‚Â<’U4
>aòÙu½¬
-dþU‘¥º�0¡N$;<¼q*¦cÈ2d¬‚ÊYÈ(†�b|M VK_Ì5ˆ‰z�¾Û›äÝ—±çÈXz|øuõú“ðü
“2”†I<mÌ$BŒëàá–4P}#¦ô;
-h»zxXÑGWø Ÿøxû�pdGS—é³çùŸ˜Œ3;¦`²ƒ€[s�ƒ›&²K¼C*Ç!@þ®Û(�Nê'¨u|6çfÀéà&€S2Z÷ë„c€‹»ÞÐ1Þ<Ós l³ˆú°¢à�Ycè>§'„�)ŽN°ÕEZME‡È	¡äå-�W}×q‘t¼@Ú½”î¾ç;~7eh˜%¥ç¤×ŸŒ�ô‹#ýU1¯Ô�0Mˆ†ÊÒ‰Müñü°×ÈUº’3›‚˜<¸wOçJ¾sêOLŽc®6ÛòÕ¤:³
êö (/rÍG×=…8£?¡prmRXÖ”aÄwâ ´
QC�ɵµÇ¥«°¥«7¾µhÒjƒ—VBF_Z¬Î‘`|΢‰(%[
-KÌÄ­tg¹Ñä	
äh&ÆZéI¥”»
-�À¡�ìLLÑâÏ©®ÄA
Ý]
-ûLµ³òa�¹�lIëÈ
-»�õ.µÔ»h&î>>b¹`:&Ðô‡ù¶”ôçËÇ)IH£5xrÚv
€‰°*V e“
œ’1/ã
-ItdöW9€°;˜
-#";"2ôoÆG‰Fõ	
-EЙ­OƭܨŒÚ›-—e]s÷Z_ÔU×.Ê‘zE)míë¹®¸ÊWñ•¿ÉUêº0¢Æ÷j­bqå­¤7‘Ð�‰’-9ŽÂÐák�q¢ŒuB«×­‰§	fe°�¹{	º©-žC
-â”mÖöÑëC½Ã
-cåàföí÷¹àRõvùÀw²½šÈöëvuyùòò‚*p
-]8*?\ÕÂXé[}ãú�&?�kÚþù+üM\O:‰p-’Ó~å‡1ÎCN("ÛÿùøÓ‰øN”±iÙE˜øô­ƒ–¿ÌìèÇþ»G·c1Üb¾{øÃO)�Ô1T~ß!¯½<æÏGþã8:âïè[L‡uÊÓH§Ô�§¿Lå]ÀĈ90&ºÒK÷ðxj7ˆ†žÄ˜-t|×âÚv ª{ô^Ù¶Ä>±t‹à-Ö‹i¦'¾}¤¥¶Ÿ4žÓÂ>©]¶£÷OtJµùï‘ÊøÙJ„b¤‡7
-}Ç÷èUHÇÁ{‘Ý°î8u¢º¦Nh{'RíÚ©›Íe³ÎN|Çs#'qå1WG¾Óa�²2RÄ)µ·|'r"?Ž†<ÇéÜ4†`“6MKÎü=B¿õ…S~–œ�Ãíóÿüõ³ÿ
-endobj
-2163 0 obj <<
-/Type /Page
-/Contents 2164 0 R
-/Resources 2162 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2172 0 R
-/Annots [ 2168 0 R 2169 0 R ]
->> endobj
-2168 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [253.7995 149.3637 417.685 161.4234]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
->> endobj
-2169 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [63.4454 110.455 208.8999 120.6168]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
->> endobj
-2165 0 obj <<
-/D [2163 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-762 0 obj <<
-/D [2163 0 R /XYZ 56.6929 662.0717 null]
->> endobj
-2166 0 obj <<
-/D [2163 0 R /XYZ 56.6929 624.1661 null]
->> endobj
-766 0 obj <<
-/D [2163 0 R /XYZ 56.6929 624.1661 null]
->> endobj
-1546 0 obj <<
-/D [2163 0 R /XYZ 56.6929 593.0972 null]
->> endobj
-770 0 obj <<
-/D [2163 0 R /XYZ 56.6929 294.2701 null]
->> endobj
-2167 0 obj <<
-/D [2163 0 R /XYZ 56.6929 255.4568 null]
->> endobj
-774 0 obj <<
-/D [2163 0 R /XYZ 56.6929 255.4568 null]
->> endobj
-1266 0 obj <<
-/D [2163 0 R /XYZ 56.6929 226.1045 null]
->> endobj
-2170 0 obj <<
-/D [2163 0 R /XYZ 56.6929 53.5688 null]
->> endobj
-2171 0 obj <<
-/D [2163 0 R /XYZ 56.6929 53.5688 null]
->> endobj
-2162 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F39 1173 0 R /F53 1328 0 R /F11 1353 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2175 0 obj <<
-/Length 2825      
-/Filter /FlateDecode
->>
-stream
-xÚµZ]{£6¾Ï¯È¥ý<-’ KÇö¤É4™4v·Û�α›glH
ÎLúë÷} 0’;Ûî“‹€tЋÏ{>%ðe
-’_.×G“ÇÇùÃìößã+‚Ñ�¯XèÑé|1¾Š#.&¨˜Š‚Ñõíõ�·nž&�?ü*ú-`Áäa&o?ßÜÌ˹º}šOf·7 ‚ÇŸ–wó¥ymû§á€Šwþýâã§àr
¿ðî"@”'ìò+ÜsN.÷!£ˆ…”ê‘ÝÅââ'³ 5Û<:¤*FÄèŠàKŒgŒt”Å8Š(¡�²uZ¬Óúrþ"ÊØ9š,)	M†hÒRùãÓ»)()üÔGÆ,@	‡w÷B©SlÊ-lÌJbʺà³rŸæ…$ô!Ýg•â��X^MËb•½Ôjt$/Þ¥«|—×yÖè«÷3q Å	¼ Àø‡|äqŒ	¡Érì¾\}I_²ú�WJê¡|ÍöÏÙAÞažÄÈÉŽÀVÂsŒXRF´”Åó0⃶éc;±ÁÏ2r»Ùeû¬¨Ó:/‹/‹—l•ÿd%gOÉ!˜
-´”E
ñPàƒ¶(èc;(°ÁÊâJ]ÙaŸº"3—	¦‰Ù:—¼r††HÌè°LéWÁ(¬°Ö=wê>^ˆ|~ÝÛRnÝ)£û$ôÔÂ^èV÷'Øúï€/2UP6zŸ½É‹¶
-NWªþ¢hrBQç¦&Ié"p!	ƒá"ËÅí�ÃC¡(H¶8‚‡Z�ð�p”�ñH9	å£jêæ¸ÞCú®dQ@h2š©™yZÕW2ïˆNÞߥ_´ËÑŽ˜¾íZÊ/cNFÙn1¸–8M°Té‰P69í$ŠQ”€êývbIyìDK;á4ð؉Ú²“>¶ÃNlðŽ�€
-¤�ˆô]Õéó.¯¶¢™òÅÌåû¹ÚQ|zr…΄£�G½M£™âDÐëdp‘½ÔÖŽ„Ÿ¡�#FÈ9†,)CZÊbȓȼÐC}lC6¸QöSöû1Ó!ÍXö€?µå›"­�’Úª%K:oÐä¸ÊåÆ
Ô”ðÿ7[#áslYR¶´”f‹AìaËm±ÕÇv°eƒƒ?)­ŸîµùN5T†à¸!C>¢Û5q#ÛµÁ`‹ãQ—$o˜ëîíù¹Á�@r†KÊÃ�–2ÜDޜ胶¸éc;¸±Áo²êk¡Ø8–D嵈vqw‡×|•É©ÉnSÂÔv/çdØ“�´±îe¬‰
Ëôsª½–ôj¸ôß,2¿:¯ÉS_®e(da¯Z(úßM‹¡úôFvÝ—éá|'·hÞšß¡fÔ_åÏå«=s×±²
-~ez’pu?øCºÛ©¹«º´Í�ïoòš§þþfÛ¨¶´5[KßµíIÃ
-¼þ’
-Zî–ÁÅ“ž„N(ËEHq¤;#UO«E;õ4�:É$£ÇgöHm)7™FJ“>2½Ð-™'ØÃdvÀ›
-’†ñüD>]OÂ0&FïÕè�éAuG�ìŽÄËܧU•éÈ-7Gd‡Óöé®*Þ-ú™›þ£8ÀgöKm)ýZÊ¢ßsîç…¶èïc;è·ÁEÌ”u›(ÀÃadUŠTÒÜ4i›BK*½™ªü-.Z{wf×iðà‹OB«?¦ŒK'¥=[h'ËÄè½7¶ gj[Ü t¨ïXHïLù/”¾L´ã~c°¤<Æ ¥,cð$T/´e}l‡1ØàêÀª.W¥Ø²‚
-ÜI£ã‘Ë.HŒ’�ÛÅDz‚‚E»1ÂLØQ]ŒÞ+qm*¼«•;ö Óùßc'\º§Âíî(é`>r€‚$Õ»
-À´jP'Ïå±îí0ô¾ˆpØ!f	
-ã3­¤%ä¶B-dU™Ï}¸­
ö�‡MÐFžŒ¯	-3wÊ,Ÿw¢^
[ÖŒ*…ÅÈ´<Øû©ÍØ/cŒ ­±ïÖÙN­>Ë^vå›~¾Ñó
-åçú«d>C¶K¡`Œidå7ÆÁâU<2³û»I_åC�
æœ:&	ôÚäLcjKy¨ÖRמZ/´EvÛÁ¶
>-÷{¹ëŠõfëÀ·@09—¬–‡JÊH…‰Åq³�N¬é„`ü]þmøèœÆ(æØ>F¢aóù XäýqŸêSW±ïÚôy°Úc	+ïÔàT
>d mâŒ^·Ãs§÷œ¥ÅùÆgîóÝÎœø~ŸIð‘0Šüa	¹
BµT$žƒnk}àak°‘Ù!×G%ǶÚ4[Y�¯†ªLÆ,<=�5G±Žö\×~ïGI ¶àÏÔÿ–�[áZ¨Íø¾Ï¾|¸­ÂûÀÃ
-·‘�÷A�ŸWÏÙ6}ÍE5#P}m kkôÓÒ9áBŸÔ6"²€ÑÛÇ×H^MÖêD2ì #FEÐ|X|Ö~ѼJyÈ«m^§DRãKá%Jæ./öY®�P¯ÙÙC²7Ü…¤jñ	î€j“Ûÿò—¾ÖÎaŒh’8Ó(4Ÿ”r¬_Jü
-Lâþ«›o‚Oßý¿$÷b–endstream
-endobj
-2174 0 obj <<
-/Type /Page
-/Contents 2175 0 R
-/Resources 2173 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2172 0 R
->> endobj
-2176 0 obj <<
-/D [2174 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2177 0 obj <<
-/D [2174 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-2178 0 obj <<
-/D [2174 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-2179 0 obj <<
-/D [2174 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-2180 0 obj <<
-/D [2174 0 R /XYZ 85.0394 746.3107 null]
->> endobj
-2181 0 obj <<
-/D [2174 0 R /XYZ 85.0394 731.5461 null]
->> endobj
-2182 0 obj <<
-/D [2174 0 R /XYZ 85.0394 728.1497 null]
->> endobj
-2183 0 obj <<
-/D [2174 0 R /XYZ 85.0394 713.3851 null]
->> endobj
-2184 0 obj <<
-/D [2174 0 R /XYZ 85.0394 709.9887 null]
->> endobj
-2185 0 obj <<
-/D [2174 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-1399 0 obj <<
-/D [2174 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-2186 0 obj <<
-/D [2174 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-2187 0 obj <<
-/D [2174 0 R /XYZ 85.0394 648.8377 null]
->> endobj
-2188 0 obj <<
-/D [2174 0 R /XYZ 85.0394 634.0731 null]
->> endobj
-2189 0 obj <<
-/D [2174 0 R /XYZ 85.0394 630.6767 null]
->> endobj
-2190 0 obj <<
-/D [2174 0 R /XYZ 85.0394 615.9121 null]
->> endobj
-2191 0 obj <<
-/D [2174 0 R /XYZ 85.0394 612.5156 null]
->> endobj
-2192 0 obj <<
-/D [2174 0 R /XYZ 85.0394 585.7959 null]
->> endobj
-2193 0 obj <<
-/D [2174 0 R /XYZ 85.0394 582.3994 null]
->> endobj
-2194 0 obj <<
-/D [2174 0 R /XYZ 85.0394 567.6349 null]
->> endobj
-2195 0 obj <<
-/D [2174 0 R /XYZ 85.0394 564.2384 null]
->> endobj
-2196 0 obj <<
-/D [2174 0 R /XYZ 85.0394 549.5337 null]
->> endobj
-2197 0 obj <<
-/D [2174 0 R /XYZ 85.0394 546.0774 null]
->> endobj
-2198 0 obj <<
-/D [2174 0 R /XYZ 85.0394 531.3128 null]
->> endobj
-2199 0 obj <<
-/D [2174 0 R /XYZ 85.0394 527.9163 null]
->> endobj
-2200 0 obj <<
-/D [2174 0 R /XYZ 85.0394 513.1518 null]
->> endobj
-2201 0 obj <<
-/D [2174 0 R /XYZ 85.0394 509.7553 null]
->> endobj
-2202 0 obj <<
-/D [2174 0 R /XYZ 85.0394 483.0356 null]
->> endobj
-2203 0 obj <<
-/D [2174 0 R /XYZ 85.0394 479.6391 null]
->> endobj
-2204 0 obj <<
-/D [2174 0 R /XYZ 85.0394 464.8745 null]
->> endobj
-2205 0 obj <<
-/D [2174 0 R /XYZ 85.0394 461.4781 null]
->> endobj
-2206 0 obj <<
-/D [2174 0 R /XYZ 85.0394 446.7135 null]
->> endobj
-2207 0 obj <<
-/D [2174 0 R /XYZ 85.0394 443.3171 null]
->> endobj
-2208 0 obj <<
-/D [2174 0 R /XYZ 85.0394 428.5525 null]
->> endobj
-2209 0 obj <<
-/D [2174 0 R /XYZ 85.0394 425.156 null]
->> endobj
-2210 0 obj <<
-/D [2174 0 R /XYZ 85.0394 355.0758 null]
->> endobj
-2211 0 obj <<
-/D [2174 0 R /XYZ 85.0394 355.0758 null]
->> endobj
-2212 0 obj <<
-/D [2174 0 R /XYZ 85.0394 355.0758 null]
->> endobj
-2213 0 obj <<
-/D [2174 0 R /XYZ 85.0394 352.0499 null]
->> endobj
-2214 0 obj <<
-/D [2174 0 R /XYZ 85.0394 337.3452 null]
->> endobj
-2215 0 obj <<
-/D [2174 0 R /XYZ 85.0394 333.8889 null]
->> endobj
-2216 0 obj <<
-/D [2174 0 R /XYZ 85.0394 309.8192 null]
->> endobj
-2217 0 obj <<
-/D [2174 0 R /XYZ 85.0394 303.7727 null]
->> endobj
-2218 0 obj <<
-/D [2174 0 R /XYZ 85.0394 278.3282 null]
->> endobj
-2219 0 obj <<
-/D [2174 0 R /XYZ 85.0394 273.6565 null]
->> endobj
-2220 0 obj <<
-/D [2174 0 R /XYZ 85.0394 246.9367 null]
->> endobj
-2221 0 obj <<
-/D [2174 0 R /XYZ 85.0394 243.5403 null]
->> endobj
-2222 0 obj <<
-/D [2174 0 R /XYZ 85.0394 173.5556 null]
->> endobj
-2223 0 obj <<
-/D [2174 0 R /XYZ 85.0394 173.5556 null]
->> endobj
-2224 0 obj <<
-/D [2174 0 R /XYZ 85.0394 173.5556 null]
->> endobj
-2225 0 obj <<
-/D [2174 0 R /XYZ 85.0394 170.4341 null]
->> endobj
-2226 0 obj <<
-/D [2174 0 R /XYZ 85.0394 144.9896 null]
->> endobj
-2227 0 obj <<
-/D [2174 0 R /XYZ 85.0394 140.3179 null]
->> endobj
-2228 0 obj <<
-/D [2174 0 R /XYZ 85.0394 113.5982 null]
->> endobj
-2229 0 obj <<
-/D [2174 0 R /XYZ 85.0394 110.2017 null]
->> endobj
-2230 0 obj <<
-/D [2174 0 R /XYZ 85.0394 95.4372 null]
->> endobj
-2231 0 obj <<
-/D [2174 0 R /XYZ 85.0394 92.0407 null]
->> endobj
-2173 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2234 0 obj <<
-/Length 2889      
-/Filter /FlateDecode
->>
-stream
-xÚµšMsÛ8†ïþ:JU1†
-<
-}w„°i5LX[iÂ�ã¶J7„O´{	·´Xøé«M|§–=w¦í½˜A;ˆ‚ÈÀöHü¿HiþM|˜øh²÷²ÈX–%òž.w˜C
-†•…‚²Ò`¯·P°IºÚýLíù&?ýã⯲s¬Ø,¯dSšwç]ù?ý
-?â7?Òù1Щsàží’º(
-ü6¡¹$´HÊ*K^˜l¦µ£ïÞ©s±ðûgM,&†af0�†•…˜²2ˆb6iƒXW»Ÿ˜©½ÞÄÜÎ=ØYE�Xž(E�_q@ü¿Ø&ÁFQã�‚Z}ƒ¤Æ¯G¨ù
-\'4v¹@`ã£Ø\ÇÄÆ?5ØÄaF�ÔÊ'­0ÝÐA>Lº¦i5S[0-»�Uº�y¢Ý³¥½©ŠC½KáˆN/ÙAlapød%osk†¼¯fÈCÞ(ò+Å�[Œ0$aH;†ü~Î�ßkºžã)†Â¦^aüâ“4¾:îöG8ÔÊÃ�¹Å´‰´ÿÄs]8Ç4 #°
+leeÀŽ,°mÒì®v?lS›ÃNÄ>Šs�ÁÙô©>µœ_³º2#zas,E*[dè
�ÐéС7[
-id„ý4¦Õ0m¥Ñ¡¥
-°I+ «Ý¿Lí{Ôu]î‹5e×¥ÓøX=ö[½‰®»"ååÑÇ¡®â»ûµðOÞ_3æ}í¬“wÉä¤?ÈúžÛð†hÁSÃú.•®‘Wä‘ÊïlEÕ
{…ø¡Ó;G
-ÛðÈ‘·±±06Š ÅØ^-¢¿¶j?½F•t7×ñ90d6BäQ—Â-D‹L^àJj±ªÞ£z‹uõ7
®G¶Ëx8›c°ˆ¿¤uæåE\#þò‚tò&™ª1ZP�"¦}ÄÇ�‘…£4j@KÝΦk�ì÷£4„ã&]ÉøZ?$üÑ`'¿¿IËJ¦ž"ö:íbo¸ùáé+�‡²w7Jcðì
··T#ôB^UlŸOj4V`qÅ‘˜a4Li`^d)
Øt`]á^`¦°¨¡†p"üU±¼¬ŸTÂ숚*ü/�¯¯Å¡FË;ÑøƒJQ6‡F¿¯2`äø‘±ºÄ›n�¸ãþ¹Ø‹|�·^ÊÖëc
-¾šÈÖϺ`]Ë4OòJv‰šU
N«µƒiqLË2í«ÿ
-ŒÛÏiueK×±ôƒƒ
æ�ÏBŽãŒÄaÓj˜¹¶jÞLpð0s«tÃüD»—yK[ÏÇ"ß»ø+Vý,/MÓ­~‚é;üd'DÄñCK˜ýl~h½u Äë!ÍTò'/Ø‹PˆÇª¦•…’²j(ÙöK«´A©«ÝOÉÔ^³ïÇTìq{–«íPo‘Í#/þéºÐ湚»×,Ý…ô¦¬+#wŸ[�<¹�ÂùÅ!Ù±�r¹

-…º#õ:ÓÊEYi(^ds›´
¥«ÝÅÔOï7ÕḭD˜d�™7žmôl�‘‡ü€ºíÉÿ �ã
-.Wçñ|¾FñZD—øw¦~TЙìkUUIw9SAèJ6î$Í«z꾅щlÍ£ü~dÃÏu1dwGÛ›VdÊJ#‰å4i•6�uµû‘™ÚËøBm¼DÁ¶Ï9„§L½Î´ç1NîC݇MyúýȺ‡ лéz~ÐÛ–±D
ÇÊŽ§^I§‚ö;•“~f8ö–…a4LK5eb©TÛtV]á^T¦°Žqn¨bœñ7ƒ´ºsnÔ©b‚å2^Åâêr…tÇÉÐû�¼¤é“ÖÓ?±N©áv3¥†f#¥æ�Òè¢.lå¹x	òüßµ·eYšìÕ‹Z¤uö×ÎÚyÍnð i©³xˆ¿OÛ3ùŽ>“þϯíUñ
-endobj
-2233 0 obj <<
-/Type /Page
-/Contents 2234 0 R
-/Resources 2232 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2172 0 R
->> endobj
-2235 0 obj <<
-/D [2233 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2236 0 obj <<
-/D [2233 0 R /XYZ 56.6929 748.5056 null]
->> endobj
-2237 0 obj <<
-/D [2233 0 R /XYZ 56.6929 748.5056 null]
->> endobj
-2238 0 obj <<
-/D [2233 0 R /XYZ 56.6929 748.5056 null]
->> endobj
-2239 0 obj <<
-/D [2233 0 R /XYZ 56.6929 743.7078 null]
->> endobj
-2240 0 obj <<
-/D [2233 0 R /XYZ 56.6929 719.6381 null]
->> endobj
-2241 0 obj <<
-/D [2233 0 R /XYZ 56.6929 711.8197 null]
->> endobj
-2242 0 obj <<
-/D [2233 0 R /XYZ 56.6929 697.0552 null]
->> endobj
-2243 0 obj <<
-/D [2233 0 R /XYZ 56.6929 691.8868 null]
->> endobj
-2244 0 obj <<
-/D [2233 0 R /XYZ 56.6929 665.1671 null]
->> endobj
-2245 0 obj <<
-/D [2233 0 R /XYZ 56.6929 659.9987 null]
->> endobj
-2246 0 obj <<
-/D [2233 0 R /XYZ 56.6929 635.929 null]
->> endobj
-2247 0 obj <<
-/D [2233 0 R /XYZ 56.6929 628.1106 null]
->> endobj
-2248 0 obj <<
-/D [2233 0 R /XYZ 56.6929 601.3909 null]
->> endobj
-2249 0 obj <<
-/D [2233 0 R /XYZ 56.6929 596.2225 null]
->> endobj
-2250 0 obj <<
-/D [2233 0 R /XYZ 56.6929 569.5028 null]
->> endobj
-2251 0 obj <<
-/D [2233 0 R /XYZ 56.6929 564.3344 null]
->> endobj
-2252 0 obj <<
-/D [2233 0 R /XYZ 56.6929 549.6297 null]
->> endobj
-2253 0 obj <<
-/D [2233 0 R /XYZ 56.6929 544.4015 null]
->> endobj
-2254 0 obj <<
-/D [2233 0 R /XYZ 56.6929 529.6968 null]
->> endobj
-2255 0 obj <<
-/D [2233 0 R /XYZ 56.6929 524.4686 null]
->> endobj
-2256 0 obj <<
-/D [2233 0 R /XYZ 56.6929 500.3989 null]
->> endobj
-2257 0 obj <<
-/D [2233 0 R /XYZ 56.6929 492.5805 null]
->> endobj
-2258 0 obj <<
-/D [2233 0 R /XYZ 56.6929 467.136 null]
->> endobj
-2259 0 obj <<
-/D [2233 0 R /XYZ 56.6929 460.6924 null]
->> endobj
-2260 0 obj <<
-/D [2233 0 R /XYZ 56.6929 436.6227 null]
->> endobj
-2261 0 obj <<
-/D [2233 0 R /XYZ 56.6929 428.8043 null]
->> endobj
-2262 0 obj <<
-/D [2233 0 R /XYZ 56.6929 414.0996 null]
->> endobj
-2263 0 obj <<
-/D [2233 0 R /XYZ 56.6929 408.8714 null]
->> endobj
-2264 0 obj <<
-/D [2233 0 R /XYZ 56.6929 382.1516 null]
->> endobj
-2265 0 obj <<
-/D [2233 0 R /XYZ 56.6929 376.9833 null]
->> endobj
-2266 0 obj <<
-/D [2233 0 R /XYZ 56.6929 350.2636 null]
->> endobj
-2267 0 obj <<
-/D [2233 0 R /XYZ 56.6929 345.0952 null]
->> endobj
-2268 0 obj <<
-/D [2233 0 R /XYZ 56.6929 321.0255 null]
->> endobj
-2269 0 obj <<
-/D [2233 0 R /XYZ 56.6929 313.2071 null]
->> endobj
-2270 0 obj <<
-/D [2233 0 R /XYZ 56.6929 298.5024 null]
->> endobj
-2271 0 obj <<
-/D [2233 0 R /XYZ 56.6929 293.2742 null]
->> endobj
-2272 0 obj <<
-/D [2233 0 R /XYZ 56.6929 267.8297 null]
->> endobj
-2273 0 obj <<
-/D [2233 0 R /XYZ 56.6929 261.3861 null]
->> endobj
-2274 0 obj <<
-/D [2233 0 R /XYZ 56.6929 199.468 null]
->> endobj
-2275 0 obj <<
-/D [2233 0 R /XYZ 56.6929 199.468 null]
->> endobj
-2276 0 obj <<
-/D [2233 0 R /XYZ 56.6929 199.468 null]
->> endobj
-2277 0 obj <<
-/D [2233 0 R /XYZ 56.6929 191.7053 null]
->> endobj
-2278 0 obj <<
-/D [2233 0 R /XYZ 56.6929 176.9408 null]
->> endobj
-2279 0 obj <<
-/D [2233 0 R /XYZ 56.6929 171.7724 null]
->> endobj
-2280 0 obj <<
-/D [2233 0 R /XYZ 56.6929 157.0677 null]
->> endobj
-2281 0 obj <<
-/D [2233 0 R /XYZ 56.6929 151.8395 null]
->> endobj
-2282 0 obj <<
-/D [2233 0 R /XYZ 56.6929 137.1348 null]
->> endobj
-2283 0 obj <<
-/D [2233 0 R /XYZ 56.6929 131.9066 null]
->> endobj
-2284 0 obj <<
-/D [2233 0 R /XYZ 56.6929 117.2018 null]
->> endobj
-2285 0 obj <<
-/D [2233 0 R /XYZ 56.6929 111.9736 null]
->> endobj
-2286 0 obj <<
-/D [2233 0 R /XYZ 56.6929 97.2091 null]
->> endobj
-2287 0 obj <<
-/D [2233 0 R /XYZ 56.6929 92.0407 null]
->> endobj
-2232 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2290 0 obj <<
-/Length 2542      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z[w£º~ϯð£½Ö˜Jqé›'Og’ÔÎô´kÎy ¶â°ŠÁœ9s~}·Ð�‘<=]yH>Øß¾c<Að‡'1õI‚I”E˜N¶‡+4ÙÃÞý–2s%47¥®Ÿ¯þrG¢Iâ%¡Nž_�{ÅŠc<yÞ}›.žžn–«Îæ>EÓ…7›S„ÔêÍíf6�„o¾¢éõêúóêñ~½xúø/qѯˆ¢ÅÃRœl¾Þßßnžoåéúv±\=܃žýöüéêöY?¶ùjþÌÿ¹úöšìà
?]!�$1�|‡äá$ñ'‡«€�„¨•üjsõw}Cc·½tLU”Ä�ýhDW>ž`ì%”ú=eÑĉOZe-6âµ�¬J›¬,jë[Oq�.-#À#KÈpôoë»Pùmˆ‰)òâžß
ªe†¨pØ¡bJ½8"Ô„]–‡4+Ä{§»CVdu/_VµX+;]´çûS¶cÆÁ+á�zAÆð@ü¾„øOüÿ\6pÏY¨�‡ò�^X%ÎpGžUÙ@œ/mÈ¡nCÊ¡p%¥UNIäP¹ÚPúÛ¢vü¦<J©xmyË´IÅÑ]–3qtS¿"äïO‚±x[U3O9M#T€2ƒ0 }*žfØO¦’�kƪ†R¹÷¸mJƒŒ„XÉèB¨2¥ìdh)MF‚};N莌3ìq2zà£dè0�æÒ?ŠÝŸ¥ÄÇÔãØïS²Tl¤•éw쥚ÅÓSZýÐŒ„vF"xsŠâŒRF””bÄG9qAŒ±-Œ˜àgÊ¿©²†U™t�×Rëº,QÒƒô˜
«ÞYU�F©(ŒÃ>×’‡/iQdÅ~ÀvÏqþ1£tšýž1‹ç8x}„¾@S'ä`I
-i’|œ8Hrà
€-È_k©îòuà8‹<KkV˜z`Í÷²úwGQ¶eã…±ùA0žI>¦‡,o”Ói’ÖrûîGU¶k,E
-²WÌ}’x”B]1|DXáª
-)ÒI�8²×à|
-D}��`k°ùzH‹v;–<óç‘<k˜¹
mP7,ÏKÍt²}Ó|Û«"
-é�ÿBp7¥Œ+)ƒrì Ümp>Ķ�n‚sF…‹±#ø4¥	w}
vÓT`j�¯
K‚^ñÒ•‹µ±Ÿï�ÄQ¾¯Ì‡‹è8:4‰8�Œmúp€ÂŽq~ƒqq¯–p¾óE®nÒ#ü:O‹íkþáAL ƒº”ÍM);áZÊ ÜQ;¡;ÂÏ°Ç	ï�?�ŠÛrÇx
-ÈLíª¯ÝƒïüÂÙ)óWy�~„{¹ÿý_ýò£
Šòr�,4æ0[ÄV>ýˆzQx)]˜Rv>µTÇ'u�NèŽÏ3ìq>{à=}gE7½S.%«‚�ó©ê�ÏrjÇtå¬Q„Gõ1þYoÓm»›x1xé„´H!]Ò£ÈÑùp
RÀNä5ƒnŒ°­Q3+ZÄpEdôºP•:¢	þ0yCA»/ÁóêÁЯ%k”"J¼8õ÷'IQ猣o(À±�&B½
-endobj
-2289 0 obj <<
-/Type /Page
-/Contents 2290 0 R
-/Resources 2288 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2172 0 R
->> endobj
-2291 0 obj <<
-/D [2289 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2292 0 obj <<
-/D [2289 0 R /XYZ 85.0394 748.4854 null]
->> endobj
-2293 0 obj <<
-/D [2289 0 R /XYZ 85.0394 748.4854 null]
->> endobj
-2294 0 obj <<
-/D [2289 0 R /XYZ 85.0394 748.4854 null]
->> endobj
-2295 0 obj <<
-/D [2289 0 R /XYZ 85.0394 743.3452 null]
->> endobj
-2296 0 obj <<
-/D [2289 0 R /XYZ 85.0394 728.6405 null]
->> endobj
-2297 0 obj <<
-/D [2289 0 R /XYZ 85.0394 723.1655 null]
->> endobj
-2298 0 obj <<
-/D [2289 0 R /XYZ 85.0394 708.4607 null]
->> endobj
-2299 0 obj <<
-/D [2289 0 R /XYZ 85.0394 702.9857 null]
->> endobj
-2300 0 obj <<
-/D [2289 0 R /XYZ 85.0394 688.2211 null]
->> endobj
-2301 0 obj <<
-/D [2289 0 R /XYZ 85.0394 682.8059 null]
->> endobj
-2302 0 obj <<
-/D [2289 0 R /XYZ 85.0394 668.0414 null]
->> endobj
-2303 0 obj <<
-/D [2289 0 R /XYZ 85.0394 662.6262 null]
->> endobj
-2304 0 obj <<
-/D [2289 0 R /XYZ 85.0394 599.7666 null]
->> endobj
-2305 0 obj <<
-/D [2289 0 R /XYZ 85.0394 599.7666 null]
->> endobj
-2306 0 obj <<
-/D [2289 0 R /XYZ 85.0394 599.7666 null]
->> endobj
-2307 0 obj <<
-/D [2289 0 R /XYZ 85.0394 591.7571 null]
->> endobj
-2308 0 obj <<
-/D [2289 0 R /XYZ 85.0394 565.0374 null]
->> endobj
-2309 0 obj <<
-/D [2289 0 R /XYZ 85.0394 559.6222 null]
->> endobj
-2310 0 obj <<
-/D [2289 0 R /XYZ 85.0394 534.1777 null]
->> endobj
-2311 0 obj <<
-/D [2289 0 R /XYZ 85.0394 527.4872 null]
->> endobj
-2312 0 obj <<
-/D [2289 0 R /XYZ 85.0394 502.0427 null]
->> endobj
-2313 0 obj <<
-/D [2289 0 R /XYZ 85.0394 495.3523 null]
->> endobj
-2314 0 obj <<
-/D [2289 0 R /XYZ 85.0394 420.5376 null]
->> endobj
-2315 0 obj <<
-/D [2289 0 R /XYZ 85.0394 420.5376 null]
->> endobj
-2316 0 obj <<
-/D [2289 0 R /XYZ 85.0394 420.5376 null]
->> endobj
-2317 0 obj <<
-/D [2289 0 R /XYZ 85.0394 412.5281 null]
->> endobj
-2318 0 obj <<
-/D [2289 0 R /XYZ 85.0394 388.4584 null]
->> endobj
-2319 0 obj <<
-/D [2289 0 R /XYZ 85.0394 380.3932 null]
->> endobj
-2320 0 obj <<
-/D [2289 0 R /XYZ 85.0394 365.6884 null]
->> endobj
-2321 0 obj <<
-/D [2289 0 R /XYZ 85.0394 360.2134 null]
->> endobj
-2322 0 obj <<
-/D [2289 0 R /XYZ 85.0394 345.4488 null]
->> endobj
-2323 0 obj <<
-/D [2289 0 R /XYZ 85.0394 340.0336 null]
->> endobj
-2324 0 obj <<
-/D [2289 0 R /XYZ 85.0394 325.269 null]
->> endobj
-2325 0 obj <<
-/D [2289 0 R /XYZ 85.0394 319.8539 null]
->> endobj
-2326 0 obj <<
-/D [2289 0 R /XYZ 85.0394 295.7842 null]
->> endobj
-2327 0 obj <<
-/D [2289 0 R /XYZ 85.0394 287.7189 null]
->> endobj
-2328 0 obj <<
-/D [2289 0 R /XYZ 85.0394 272.9543 null]
->> endobj
-2329 0 obj <<
-/D [2289 0 R /XYZ 85.0394 267.5392 null]
->> endobj
-2330 0 obj <<
-/D [2289 0 R /XYZ 85.0394 252.7746 null]
->> endobj
-2331 0 obj <<
-/D [2289 0 R /XYZ 85.0394 247.3594 null]
->> endobj
-2332 0 obj <<
-/D [2289 0 R /XYZ 85.0394 223.2897 null]
->> endobj
-2333 0 obj <<
-/D [2289 0 R /XYZ 85.0394 215.2245 null]
->> endobj
-2334 0 obj <<
-/D [2289 0 R /XYZ 85.0394 149.4956 null]
->> endobj
-2335 0 obj <<
-/D [2289 0 R /XYZ 85.0394 149.4956 null]
->> endobj
-2336 0 obj <<
-/D [2289 0 R /XYZ 85.0394 149.4956 null]
->> endobj
-2337 0 obj <<
-/D [2289 0 R /XYZ 85.0394 144.3554 null]
->> endobj
-2338 0 obj <<
-/D [2289 0 R /XYZ 85.0394 120.2857 null]
->> endobj
-2339 0 obj <<
-/D [2289 0 R /XYZ 85.0394 112.2205 null]
->> endobj
-2340 0 obj <<
-/D [2289 0 R /XYZ 85.0394 97.4559 null]
->> endobj
-2341 0 obj <<
-/D [2289 0 R /XYZ 85.0394 92.0407 null]
->> endobj
-2288 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2344 0 obj <<
-/Length 2928      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKs㸾ûWèºjÅ
-á
-/ágP´¸hmÞŠ†—ö´z,¾j枧Dãª;®cÝ"±ts/r/êë¾®Ö2//§¾Çœ;¹Î°Å�ù®i³5Q÷„#7?Ú¬lòªTÇt°;37Š£Ö…²‚)¡p®]=U6m!_³KN#¾#êK;Ò#KݸÒüŸåöe-K-å“,·²Þ¡VزQ4%Øi/`W‘{=§Ä}ïz×z†«C�‹h½1Õz‡º‡Ñ³u+lð3mÕMlšÊÄ5šŠcWÊužRç·ÍB¶Ù�	w}/±€Ts]ú 5Y£¨{³M�ÔÅ#Œ…ÂÆÇñ°¹NãÑquxbÄ›FUïñ8Ò=ˆGO÷ùóqoŠ„›$Áÿ€Á¯RuÓU‡Cr‡Ðw!žFgp°¸Fp0\ÁX<‚Øj‡CÝÃ8غ
"Ž5Ø28¨v‡ƒˆ#çd„ùÍ´¸æÈ—e^.©3Û¶«Jñãä…’Vb=Ïs>¸4ñŸ—�^³¢
-þU6M¶#šªÔ’\­£j0 
-p¹ë,µ]ÌÈœve"ù˜wÒ ö]Á‚3õ‚ÍuÒŽ«ƒ4F U½‡ôH÷ ¤=Ý�Ù"Cç)srq¾ÊÿDÄT¬ËÊ6ÃjY�ÉVR¡›]ë(	ýç¼Â�ÅnÁ"÷1‘qŠ‰0§‰FXBã^3ý²]¬·å¢i0jˆFhÄ.–/§!…K†ŸÐueR‹kRÃeA:’êFU[�ê†ÔÖ}�ÙÒŠ…˜¶Ìi¨´6'°Ôí¦ç•D!¯4Ü'½’Ç¡ëû1ïÇÍ{7{`Q�büï/À"|¸¦±3• Í5‹áê`‰F=mLµË¡îaXlÝ_
-*Ñ"§¬Z­ºêoƒP¡™Ki^Ü<0À‚R}…cn<ù›,Жb"UÿYUÛBS•Vl<gôýc[Ñ+0ª¬´4×$_��ÒXja/hõm|¡»-8fÍŸ¦Õz:„ÏF–¹’Ιó¼£/Y4y“2_«ªdÛ±hæ½Bç›çùhs
uÕráK(VKbmùhˆ+ù¦…HúùKÖÀò¨§¬¾MþƒëªlWz.Ø»Yâû*‡+çÀFõŠ{ÅÐYdÖ«vwdØV�{zàYO!¹®'¤zÒhƒ;
-B…{aª/;ÏÕVÇ
-õkD'. ~ØÉõ\°«H_G^²ýèä›»y.‹#<›Ø\ÇÙ„sæ›ØSé„ŸN$£Z÷‰äHí`"éi¥DÂíW,´�Ê^tÙ'Vȇ9r[ФY
÷®?$]�Y8yúª ô¿ä[œÈ}(97»:_®Tv™ð(†
ø1þÖÂô-"¥%
-اÅ÷�ñ`èv
-`+•Z1†^ž@¼lÐÛeg˜sŠ÷Ó�¬[M”›M‘ÓëY3gÖU^
-â§.|Rƒ¶Im3ìê\ñ–/²ƒI/UQTïT�`7“­.›ŸO@6�á™Ë±Í¥"QÏ‘#÷ÒÐ’¥=9:T�<{ãJ
Ó±ÒžÓÄÜ
ð׋žÒ'uIâ”Ù»:_h¦t4  ñ�‹âh‘£e�=A]-¶…ªÙ‚H{"’ÍWÒgÁNe)hXXQÌ�º€–…–Qj‘è˜/2Õ+.«Jº>
-®,¸è«ªíEšN¡hKÂsÚZ–�LµYÃÈ{Þ®¨%éƒÞš§ÛBÖÔo²úm_áóAÖ¢û9Ø(ããûÃ÷VSì¡Á
ø9-]@
v´tŸa€¢Á†ÂbC=¹x“�¯Á§D°�ØLÀ'sŬ(žCW$¢Ae™/¤y}æÝσ€ug¹ÄÚ7JÙÁà„ð“ÿìW¦*œªÕ/õÍ®LWkYm›ƒ»­¹ÙÉ+mœ¸p¼gž
-¦Óh˜Î9à˜ÆÎÿ5ºŸ­QyŸz5Яnçä^Š€W´Rå# >f-„·7ÌQØ¥‡ýýBgQιƒÿ9ÁÕ¥¥¡¾w!Ej™–wa#»š ëÆ�ÌjÁ_+ÊjUq²7â7ZHZ•/4‚Þh3"Ñf€Ä}–Þ6ë…ú}ÎW¹¤Ùd)ýÐD, {ËmmNæ@´zÄC"-|¿¤–zꢗ0Ê{¡d#ÓW¸î_šì0�À)¦u¾Ù¿v‡{–²Ñ['1´>å p½|§{ÂÎEàâ¿àë.ÿ÷úXo@‘+âøÄO'^¸094‹Ru¥`GK7ÿt¼öÿÓž
Gendstream
-endobj
-2343 0 obj <<
-/Type /Page
-/Contents 2344 0 R
-/Resources 2342 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2172 0 R
->> endobj
-2345 0 obj <<
-/D [2343 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2346 0 obj <<
-/D [2343 0 R /XYZ 56.6929 749.0089 null]
->> endobj
-2347 0 obj <<
-/D [2343 0 R /XYZ 56.6929 749.0089 null]
->> endobj
-2348 0 obj <<
-/D [2343 0 R /XYZ 56.6929 749.0089 null]
->> endobj
-2349 0 obj <<
-/D [2343 0 R /XYZ 56.6929 745.2843 null]
->> endobj
-2350 0 obj <<
-/D [2343 0 R /XYZ 56.6929 721.2146 null]
->> endobj
-2351 0 obj <<
-/D [2343 0 R /XYZ 56.6929 714.4694 null]
->> endobj
-2352 0 obj <<
-/D [2343 0 R /XYZ 56.6929 699.7048 null]
->> endobj
-2353 0 obj <<
-/D [2343 0 R /XYZ 56.6929 695.6096 null]
->> endobj
-2354 0 obj <<
-/D [2343 0 R /XYZ 56.6929 680.9049 null]
->> endobj
-2355 0 obj <<
-/D [2343 0 R /XYZ 56.6929 676.7499 null]
->> endobj
-2356 0 obj <<
-/D [2343 0 R /XYZ 56.6929 652.6802 null]
->> endobj
-2357 0 obj <<
-/D [2343 0 R /XYZ 56.6929 645.935 null]
->> endobj
-2358 0 obj <<
-/D [2343 0 R /XYZ 56.6929 631.2303 null]
->> endobj
-2359 0 obj <<
-/D [2343 0 R /XYZ 56.6929 627.0752 null]
->> endobj
-2360 0 obj <<
-/D [2343 0 R /XYZ 56.6929 603.0055 null]
->> endobj
-2361 0 obj <<
-/D [2343 0 R /XYZ 56.6929 596.2603 null]
->> endobj
-2362 0 obj <<
-/D [2343 0 R /XYZ 56.6929 572.1906 null]
->> endobj
-2363 0 obj <<
-/D [2343 0 R /XYZ 56.6929 565.4454 null]
->> endobj
-2364 0 obj <<
-/D [2343 0 R /XYZ 56.6929 550.7407 null]
->> endobj
-2365 0 obj <<
-/D [2343 0 R /XYZ 56.6929 546.5857 null]
->> endobj
-2366 0 obj <<
-/D [2343 0 R /XYZ 56.6929 531.8211 null]
->> endobj
-2367 0 obj <<
-/D [2343 0 R /XYZ 56.6929 527.7259 null]
->> endobj
-2368 0 obj <<
-/D [2343 0 R /XYZ 56.6929 501.0062 null]
->> endobj
-2369 0 obj <<
-/D [2343 0 R /XYZ 56.6929 496.911 null]
->> endobj
-778 0 obj <<
-/D [2343 0 R /XYZ 56.6929 464.7873 null]
->> endobj
-2370 0 obj <<
-/D [2343 0 R /XYZ 56.6929 439.0859 null]
->> endobj
-782 0 obj <<
-/D [2343 0 R /XYZ 56.6929 352.4521 null]
->> endobj
-2371 0 obj <<
-/D [2343 0 R /XYZ 56.6929 326.7507 null]
->> endobj
-2372 0 obj <<
-/D [2343 0 R /XYZ 56.6929 290.6891 null]
->> endobj
-2373 0 obj <<
-/D [2343 0 R /XYZ 56.6929 290.6891 null]
->> endobj
-2374 0 obj <<
-/D [2343 0 R /XYZ 56.6929 290.6891 null]
->> endobj
-2375 0 obj <<
-/D [2343 0 R /XYZ 56.6929 290.6891 null]
->> endobj
-786 0 obj <<
-/D [2343 0 R /XYZ 56.6929 241.4457 null]
->> endobj
-2376 0 obj <<
-/D [2343 0 R /XYZ 56.6929 201.7704 null]
->> endobj
-2342 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R /F14 976 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2379 0 obj <<
-/Length 2293      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sã6î=¿Â�9yf­�"õÕ·ìn¶“¶—Ë9éLov÷A–¨˜]Yrõa×ÿþ
-S ÃH:t Eô[óRít¦2pR
îú´VZìKE–
-NP˜d»¤L•%ÎUÒvVž%Íi¯93"(èŠéA·¨û
M—®iKb1i’®AÐÆ„žº	>y¨O�øÆ�&™sgg$rjñÍØ°r?„Z.ÒªL»šø”-úbQæ~­Jz#�aÿÈÏìi’�î÷h+¾+'¯¤ÙªTaÌSjã¾”~‚X¸’þz"S½œª7Á«R�‰àBìd"8{ƒF|GýµUµÆ8N
-Âä5DÒ¾ª¿ákà´¡›n»­0iàKï¡È`{	»î\'VˆuJ€â4hHuÙ˘À®¤ù6åuÍ¡iÕÆÜè6ê/1Ÿ-<0ÈÖ��Ó�†PˆÀ;9ƒ2õP«ZýÙéF·Êr[Dy¾x>íüéþ78‹' U}Có<ò"À�Ÿ
'2ÂÁsÕiÌ°�œp``2Àc

ºsoIX¥œŒ�‰jxZ»
iLˆÔX€¦ÕEAK+un÷ïµ	5ädØOø}{Øâ1¼( 
-
-(„bzØŽàr^CWbøà5sr
-|4
-bs�ب–
-7™06—z[_Ú�T(c›¹$³­4;E+X&›%‡"óÀÐ	5ÔH²RÏu‡l»‘ù©
èj$5.’û4-È¡ƒì1á<k´“Žˆôã;%Lטn
©Íyåi_„xr0\HŠ¦"he%ØÌj8ÑÝöœ&RÐÈþ�9eCñzzÇ…®Û(E/+UTû¡ùŽ 6¨ïJ輋ÿ1ªÓŒž¯ûå8X
¤IÖ÷F®çÖ°õ›ÍK©æ¥Zý
v!˜œÌlö{s#žÊ
-²y<ChR	�µJH%âWÇ«jØ�b€;WP§ªbu8›ZÎU�RC—iÑÁ„&�L^š
-P#¢�
&6æ0wV}-±b]íO«–í%9µ2¶žTû¾Ò�“žAäíEÑѣ̀~ãÊ»Ì^¹¾'åe	±)ìúŸ`ÖnqaSx¿áÄ«¶´¥$ÓÕå„á#áQàY1Ó½|Os‘ï¤Íw¿”Æ
-惒ÊáNšë¥jÚZÓ‡„—8@Ääܘêå
n zs€{Uêq€»;9À�ˆýp2ßh0á–ÂCP˜XÃg‰±ˆ€âLî€×ÛÈwƒã´‚ðYÝ26iàÞ.‘ØO|�)Úˆ8ñKD˜‰�••@Åt"'%M_ñX¨Ù«9÷}WúL¾qŸ#ªWzû>_“:ºÏs±Ó÷9K^"áÐtÀ¼¿TF¹	‘Ë¥é:$ã˜b�¯¦m‹ì›ýpG'ßNìWšèäúÍÖ’žm/zèᢋÛYìÜå´dF+ö‰™Ú¡¾™	8¢oX/dî�pŠ³:áØ8Ò	WÐ
Bi:–Ž™ .Ó>÷7ŠCßfœÈ²‰œ#„‰¸§Ú¯ua‡H;B£x“kéƒÞqàõ�Á�ûxÁÏD‚…¶êÚ³IÙªJ¹’Ì
Exêìc…±dÐż³@©ß•�%±3Hqøñ….oÔ~½9»åη¨ks“ÓÛ;‚W�%0þ5=ÿ}Ï ÷Âòÿ?]¾}¾‘Ž_§œòÕVx*åW1ùQž
%ìoÿ{☻dèŠ(ò¦sˆ€\Sï…
-qÁÏ�î(Ô‘Nœý¿Ii»áendstream
-endobj
-2378 0 obj <<
-/Type /Page
-/Contents 2379 0 R
-/Resources 2377 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2172 0 R
->> endobj
-2380 0 obj <<
-/D [2378 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-790 0 obj <<
-/D [2378 0 R /XYZ 85.0394 662.3711 null]
->> endobj
-2381 0 obj <<
-/D [2378 0 R /XYZ 85.0394 634.4781 null]
->> endobj
-794 0 obj <<
-/D [2378 0 R /XYZ 85.0394 566.8617 null]
->> endobj
-2382 0 obj <<
-/D [2378 0 R /XYZ 85.0394 536.3186 null]
->> endobj
-798 0 obj <<
-/D [2378 0 R /XYZ 85.0394 411.7882 null]
->> endobj
-2383 0 obj <<
-/D [2378 0 R /XYZ 85.0394 386.7645 null]
->> endobj
-802 0 obj <<
-/D [2378 0 R /XYZ 85.0394 230.2565 null]
->> endobj
-2384 0 obj <<
-/D [2378 0 R /XYZ 85.0394 203.9874 null]
->> endobj
-2377 0 obj <<
-/Font << /F37 1038 0 R /F14 976 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2387 0 obj <<
-/Length 2527      
-/Filter /FlateDecode
->>
-stream
-xÚ¥koÛ8ò{~…±8àd bùгßÒ6=d»Èöììí.Ú~�-Ù*K^INâýõ7Ã!eÉ–�®
*r8œçI‹	‡?1ñÄ2ž„±Ç|.üÉr{Ã'kXû×�08®ErûXïoÞ~Rá$fq ƒÉãªG+b<ŠÄä1ýêÜ2�M�wÞß?|œºÒçNLŸ�sürÿ~v;›ªÐù“
-íp_¦Y]ô>œÓš,“’8Naväí,ö-
€�Á ˜Ýee–÷e²èv—mV¯’¥™¶'ë¡t²­²¤Ýe�Y°KFÄ!SxòU«êc]6«ë5»ºÊ´3¬3¦£–5`:û·+Eà€÷	ù¤Q€h‹@€±ˆ,%x^˜4
-¦Â¡[
-Žù¡FÏ
-iÇ(Êš¤OU²Ôœ	Vσ¢D;3 �NŠ„®
uú‚…Ö
-A!zBΪª	zÊaÄwI�l3H’ ²R7IK#«pˆ1‚¾‡JʤM.“]²È‹¼=Ð<QÊF,\zÔya`,öºu1ƒâA\R
²¾ræ»l™#d	^Eæ
-ÑPùB‡w䟛a	
-�‡P�€bPœÆD”µ�O†mÇhJS¾N°ò,§&§Í“íÎ64·ý*íÕ„6¯Ð
-×–¡ià¸WéÀDÆ5·† ¶ûã]ÈÒï÷†€u½Þf«)AôÑq@h+ÓÑA‚Ę$M˜EQ=w¬ˆ‘À"§‹:ÏVcy-Íše�ïŽ×lm¡±¾ÑSñt © S’Ü?ê›	£qÒÖ;2éÄøO~¼S€Ã¨>ö?Ø
·”+_½˜{ôBJ7È^

‘
ôáí)
-)‚Mþ//€’ÅQ�¿ÿ¹E·Oò<8Â
-ävXíÐð0Išõ›	±ÕFM-‡ÇJ
ðk¿ãètw«é¬÷˜Øšwg=§
-
-H¨ã
-e0ì>Ùr${ÑÁãÍðÍtÜŠzéÙüDñùîÏ¡9rP#nß�Ô“±ÏOè(
µ”GµMo£g~ÿÑèþ�¾–Ž¥4úøôyyyI´î	KyÅK�¶˜¦C7c§±¯ë)ÆãØ£�‘8hyøí�Î,|¦ïO ðOcŸ�õ;²2ˆ�m–h	CnÚwš‡i3ÁEHèówUfÿ4ûðU‚ð`¡É×%Ý(í6O!•î‰%[VÏ¥!Ø£Ò``Û.X»+ÛÚÐÝU�ù‡ž×]DÎï�a38îÈË­�-Õ6oé+ª&i6‰ ‰yÊÄ_ì��E\áê⃣òþR5âѼ«ÃÿïÄŽ/—T•Ñ¥^A†Ð±Ä06B¡„’ç‘Ôütv.û
<�-�endstream
-endobj
-2386 0 obj <<
-/Type /Page
-/Contents 2387 0 R
-/Resources 2385 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2393 0 R
-/Annots [ 2390 0 R ]
->> endobj
-2390 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [344.9397 501.3201 406.1397 512.7122]
-/Subtype /Link
-/A << /S /GoTo /D (trusted-keys) >>
->> endobj
-2388 0 obj <<
-/D [2386 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-806 0 obj <<
-/D [2386 0 R /XYZ 56.6929 609.3932 null]
->> endobj
-2389 0 obj <<
-/D [2386 0 R /XYZ 56.6929 583.208 null]
->> endobj
-810 0 obj <<
-/D [2386 0 R /XYZ 56.6929 484.1849 null]
->> endobj
-2391 0 obj <<
-/D [2386 0 R /XYZ 56.6929 454.463 null]
->> endobj
-814 0 obj <<
-/D [2386 0 R /XYZ 56.6929 405.4622 null]
->> endobj
-2392 0 obj <<
-/D [2386 0 R /XYZ 56.6929 378.8348 null]
->> endobj
-2385 0 obj <<
-/Font << /F37 1038 0 R /F41 1233 0 R /F14 976 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2396 0 obj <<
-/Length 2458      
-/Filter /FlateDecode
->>
-stream
-xÚÍZ[oÛ:~ϯðÛq€c–w‰yKÛì"»9Ù&vÑöA±åD¨,¹’œË¿ß!‡TD[¶Hv±(ZÓähøif8ó
k6¡ð‡MRE¨0r’Iej2_�ÐÉ=¬ýõ„y™Yš
¥>Þž|ø‹H&†Íõäv9Еš¦lr»ø6=¿¾¾¸ú|ùÏÓWtzNNgŠÒ0ûéâætÆdb8¬H»¦éôãåÕg”6øñùê»üøåüË©H¦ÿ‰›¯×׺‰ÛÓ·œ\Üö ‡/ƨ°ˆ�|ûA'x¿?N(&U“'øB	3†OV'R	¢¤a¦<¹9ùG¯p°ê3”T)Q\êÉ„ÁNlÜœ”Pæ™%’™jÙ›“³1s)kÎY‹o¾¨WYQ�ee·ýâLJ’JÀ0Ô~ìÕ91išŽ¿ø¬×x08’¤B¨q›7�y³ƒ2Ñà–„½#Ê ñÊÄj”‰Qf‹E“·í6LÎ1JšæŽC{©‘­ù`kÎRb„[Zçóbù~fšÁ‡¤`´uÖd]Ž“Í)K§ù|Ó´Å£ŸòVu»“h[\\Ö
º‡Üë³{|§”Ïqá;çCÈŽàà	šL/žgöýÁ”p843ÆàÅG­Öe~¢Œöa˜?»Y2¯WgœRv¶¸KÏÎrç<ú ×Æ)ð@î?C©ý'£—:gàÁD´íÛÂÌ+<‘1MeiŒqO”A¢ LÓô°qz©‘­‡QÆ	SñÖzìòú;UôQ~xÔ0`8GLÔKüÄ
-‡P¡‹¾¶Ù}ÈœC¡‰¿…d:žÁ8gD	=QüL¾=�}³�‘RU
˜Œé·
é˧‰
{‡ƒ/_vpJ©Ìû

-� 7‚$B¦òîe�{ÈEµÞì�&!�ç“wÛ+<VHM4$ì¬�QWŠ¹o%š‡€2NâÏuWÔUÈ­.Œ-¹vι߬ ¿¶gû¬Œ¤F¡¦C©ý	¶—RÓ=…˜[ú,U´ÿÛ*qÐx,ãˆ{„v_){Ãåa3õR#[Gõ@H IŠ·¶9Kj(Å�Gqý•	f=XðNïÔ_©0ÁLs¡þÂðµþÚ
úúë´õ(ŸqY`è¹tÁÄBò$‰aUûÐnÖëºéòE8g¡ª>0\
²Á™Ùèuy|OŒÊÔ@�3æpŒ¥öÇh/åbtoºbÔÀù‚`j}[|�G€2Æ	‰Ž‘ÚŒµƒQpB5OÛ§—Ù7&+	¡R²xß×ndÈHÀ^8aQ�3DoËÜmÏyòe¶)½ÙC$ô�õ{ù ¤<Hçé±PH… e_t´0Fm®ÐѶoì¼Æ#m_¡ êÆ _KAœKbh*§—Ù9ŽNÒÔ¤ñΞ5z"6pø6‰mãà.j§Zø˜È³Ð”EåÅæPÆ`‹­¶£§¬Õ}¹‡;{�Ͼ-uÌTFl,Ž
Ëp
ÅÜûôôDMë³[=;	¨ò.@UKžŸŸƒš1ž.4I5³'P‘$õi‰ºˆ‰z“ùi»ýT½¿üꚬj³¹M�Þte
¹ô8%¿td6í/œ�9îÃ|Ÿá†è¾~¥¿/ÀlÎC±I$v	,°>]7E…þcá\³àý5x7G±§¢{ÀµUQ«¬Ä/kdÐs(9àlçTÕ#^Ôy[ýæ¿À«{ˆã|ÜòuŽ­v7ðm„�]
3s£§E‡ËmW¯[zÂÏ·
-¤px—�í¾¾ã bzéQ×Nñˆk¡!µíïÛŒbÓeÑùb
q¥‘Gåþ`…¸Þ=·,M‰N(
-É)´ ½�
n»v—?d�EÈ€Ò‰£~v›.û™±)8�±sY©F)á ¨
-endobj
-2395 0 obj <<
-/Type /Page
-/Contents 2396 0 R
-/Resources 2394 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2393 0 R
->> endobj
-2397 0 obj <<
-/D [2395 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-818 0 obj <<
-/D [2395 0 R /XYZ 85.0394 650.8348 null]
->> endobj
-2398 0 obj <<
-/D [2395 0 R /XYZ 85.0394 625.7398 null]
->> endobj
-822 0 obj <<
-/D [2395 0 R /XYZ 85.0394 378.0874 null]
->> endobj
-2399 0 obj <<
-/D [2395 0 R /XYZ 85.0394 350.2627 null]
->> endobj
-826 0 obj <<
-/D [2395 0 R /XYZ 85.0394 153.7325 null]
->> endobj
-2400 0 obj <<
-/D [2395 0 R /XYZ 85.0394 128.6375 null]
->> endobj
-2394 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2403 0 obj <<
-/Length 2393      
-/Filter /FlateDecode
->>
-stream
-xÚÅY_sÛ8ϧðtîAž]sùWsOé5·“Ý�6—xgî¦ÛÅV]m˵”¦î§?€ eÊ–�Îvî®�‰(Aø€ÅˆÃ12)K­´£Ìjf¸0£ÙòŒ�`îç3áy&�is½žžýôw•�,³©LGÓûHVÎxž‹Ñtþ>¹`š�AO^_½}3žHÃK�7ooiðÛÕ뛋›±Ê’áö÷ëëwŽ0O„άL.®¯/ß¾¹ú'1\ LÎõo—·ãÓ_Î.§�ÒñÆW¨ñ§³÷øhûûåŒ3es3z†΄µr´<ÓF1£•
-”ÅÙíÙ?:�ѬûtÐP‚3©R9`))‡,e,K•TÎR¿7ÅCy>ž(Á“¦X®å䡨h¿�uÓ®Še‰»Y"’ÅG¥™ÍyÚÙ;eÌÆy'çi=/Ú » ‘M…S4žoAx5£b¦ñlQ•«–ÆëMý°)–^ÙWA›¡�\á©NŠÙ¬\·
¾(·*КjõàV…q·ŒgõrY¬æž·ñzs“EµòÜÅf,òäái	Êýˆ¤,iÊÕ<|¶"1±|÷Aùé©l¼r˲A{ÓK[ã®pB0kŒtûhaZ©4)žÚÇzSµE[}ö¤¦Ü|.7ãL'°¾2Yâ”w3�õsCÃN
-ù�Ôi߽3¬XÂu…xìœxyiu¿ï´û	Îî‚£é¾1vâž«Ù㞬ØýûeTDP~µÇãA@6¯sõB<D\'â!p¹xøJ«còÊã~ú	@™eö´×€
-=GƒjÁ‘žÓ`§y½„´ÏŸV‡;äf‘9}¢Øƒ"Ÿ26Ç¨rÅR®ÒÓŒ¹Ž°ãBå�W`’CØ+¹W€‰o(À΀3+2qz×À.úg`XŽÖÛÆ-Þ(AÐn×{‡»r½.7…OQ0£¸¬¨Äå#˜ÅUŒÄMø­vs˧!V£îhL(£˜0ùÙdÌuâH—;Ò¥o?ÕàPÀʜԤãP¥Ÿj(ØSÓ×¥;%C“¨‘'Õô¼ó3¤÷KÈ.<Óv]ÍŠ½”_
-j[áëÉϾh’Y²¨¡ò«?ú—ê£çE›Ì€ÈWL+¸½zØ;�þF6¼¹ÙùÒÍ›¬¦øç…°c­GÈ\™Jõ7ÝÁZÀ-l�¾…¡pqÇeÑwdùaøbïBïš¹Òõì²^ u»¿Ám¤2ðAiS&”²Î"o£FŒIáÎuU3J xõ«À¶m*“Ë}Ë€LžÉlW ìÖ:_}	@S,ìS4v{ÝÙÀ~ºZÊÑ›v4Š6ObÉnSiì¥�¬Ÿq@ß÷q-6ž»¼³Á¶š•c¸½±½&²¤ô¸€,Ø�Ág½¡ºdâéKüÒÁ
-�ÔGÏ^¬×›zí¿éú¨
™"ù<–&qp‰¬¡që?ÖÉW4`Vö·!ŒîÇÊ�é@5Nßfy
-—„oÍ98ŒÍ již–î�•.¡UÔè
jӑ
й^�ÖQ›ENj¾×¡ËÚB-3s½h˜£üG®ù…ßQ‹GC.ý9òÃtRr.Îçwùù9”ªúG
½ÿ«dZgNÂ_
-endobj
-2402 0 obj <<
-/Type /Page
-/Contents 2403 0 R
-/Resources 2401 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2393 0 R
->> endobj
-2404 0 obj <<
-/D [2402 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-830 0 obj <<
-/D [2402 0 R /XYZ 56.6929 740.3318 null]
->> endobj
-2405 0 obj <<
-/D [2402 0 R /XYZ 56.6929 714.7319 null]
->> endobj
-2401 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F14 976 0 R /F62 1379 0 R /F41 1233 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2408 0 obj <<
-/Length 1890      
-/Filter /FlateDecode
->>
-stream
-xÚ­ÉnÛ8ôî¯ðQj–›¶™SÚ¦ƒE›IR`i²DÇBµ¸’'óõóÈGÊ’­$t’ƒžÉÇ·o$›SøgóÈ'TÄrÆ’ø”ùó´œÑù=ìý1cgé�–C¬w7³·E8�Ið`~³Њ�"6¿Én½³ËËó/.þZ,¹O½3²Xú”ºÕ÷ç׋%“aÌaGê½€zï.¾|@ì?¾\#ðùâÝÕÙÕB„Þ߸pýíòò«Y¸YÜÝ|š�ßôBcTh‰Înïè<ý>Í(qäÏ÷ðƒÇ|^Τ/ˆ/…p+ÅìzögOp°kŽNÊñ#NXŠó)Kù1	ÆRÍ‚Ež*ëÕ¢vIQ pueWÖu〚dOURæ)Q�I¹-Ië7wm^Ý#Øm÷ùƒªü¡žŒ1�h“�`l �/… Œ9ç�S€�(8­j·M½R¿-–‚Q/«Ë$¯Þ‚–E«šeåK7*ýá~ä–q§šÒ*R¯­fß# i(­<|,—$–Ly.:àøH¾E8Ñ	Üíž&­¿(ŸEêj‡¥ìÂÆ(¿†Pþ•oDn¥6ɃÝHë=—vÅÖ
-›Ã¨ðP*­0¨©cŒÄ¾Ï�bZ}Kïf“ë3Œ{øe@.-v™ÊÜ/ÜEÉ`
5‡ÃC/˜x@xkd«ï›¤´T�)4Ö¦Þ#d�
Iõ¸­KµÈWMÒ<áFšT¬îîÚc¹’)ý …—h¥"éô	ßÛm‘§I—×é…$�@úз6¹wѦcÏh²²Ñv»Ìîôp
-Ÿ8k…“,C#µ­Ó-¯¶»îXnÁ	Êþ?¹{Š¯È-xL"Åc¹¿SÊug|ù*IƾóedP¾nµ›Û“*M	õ¡Ø:Xh<Ý},Îr€„’±‰’ê�4Óev̪²”òe~ç”ßÐqL$÷ÇüšEäíª£¢ç*ðwÎe¦V»{
àRYgŠ` îónãä®H›!|ÿûÜu‡lWnRP¿žŽZFÞá×Ö(} %Ϲ
z¡œ±—ý0ÄzÞ=–ñÄÉ'‰âà–i‚åȉÂðˆ%TMÔ9i­ÉÀ:«ºÍ»§qªÁE¶SUuS&Ö¬Em{h	é…¨µžºéýcŠ¡œOÚ­Js�®Â•»¢ËM-6žÍ�Ô³¦÷9aBðWL?ÀzÁô˘þ¥
-È8%aà�ÙÿR%é)¾"+ã‚„þ‘¬º
-`4‰i_õÞÛ‡XxŸª|.ò9ºõ
€2°ÅÖZUe¦„¦óÁ–­Å°ós§šÜ¤,›á&èZ…û‡«.¬c±Ö¤ëÒî�ŽæBËMdghR½‹é7M»*s“T?öj‡þ~4¥IQàÄ{̲þɺç0%ýÜκÛv´f'Ìì$28z¯ñ=�PW…O È†ýCGhŸ9>»¯™£ÕZ5ªJQá—_'δ·1ýµY# 5y
-jm¥	-·Çª¿k7„ÂA­k™T»¤°Z�È[xC[úê1UÛ	8tIMw%D­EÚ¨�%\±nÝŸšH˜p°™�µ}k²Iò
-endobj
-2407 0 obj <<
-/Type /Page
-/Contents 2408 0 R
-/Resources 2406 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2393 0 R
->> endobj
-2409 0 obj <<
-/D [2407 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-834 0 obj <<
-/D [2407 0 R /XYZ 85.0394 741.6375 null]
->> endobj
-2410 0 obj <<
-/D [2407 0 R /XYZ 85.0394 716.9352 null]
->> endobj
-838 0 obj <<
-/D [2407 0 R /XYZ 85.0394 420.5643 null]
->> endobj
-2411 0 obj <<
-/D [2407 0 R /XYZ 85.0394 393.2598 null]
->> endobj
-2406 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2414 0 obj <<
-/Length 69        
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-2413 0 obj <<
-/Type /Page
-/Contents 2414 0 R
-/Resources 2412 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2393 0 R
->> endobj
-2415 0 obj <<
-/D [2413 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2412 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-2418 0 obj <<
-/Length 2016      
-/Filter /FlateDecode
->>
-stream
-xÚµXK�㸾ϯ0�=¸�‡oI{ʼ’é¦'Øé ‡™>¨mÚF–´¢Ü=F�ÿž"‹”%·¼F°h“ÅâÇb½)¶ ðÇ™"Tär‘æ’(ÊÔbµE[Xûû+x¤DI!`2³š(‘•ñt‘ŒAÞÞ¿zý7Îœ­¹ZÜo†³tšš/î×_—oÚÖÔëòÇMÂ]¾½y¸ÿwI’f)s»(œ�-”ö;>õ¡¨�¿-¶Æ{˜$BjöhE4U™ßó–°›„QJ—ërëøƒH‰ÐŸ+ö&àðENrÍu€Œˆdv\n³?÷ç)ŽÞß}ÁAÕ4ß-Ž}Y•ýñ$#¹RQ0ÉÏ^æ˱nZ[ú;¼úp?èTSÂhT2M˜ÊÅœÞÈÉ•¼`”Œ¸=sÇ� ¼M$Ý0šdàî©A[_ÿjM÷dº‡0MñNJŒ M‰Êµ‚sÝæb½îŒ
V™œϤ`�oÀ\Í`
-E2­"äª*f
yN²,ÍÏ
7W
7eeêÁäS!S’qšžc~ÿ?`î‡Q;ƒžçõ*ËÉà?°»mºþ/—t‘�ñûU±/ˆÌÉçxýU¼þØþx?®â9wšÃ“„ë–?^…ûºÛ«_Ü­ùnŽ3È9%2§úZ#ýà3H"
-qÍ´2eàq�+_Ö.Æ«êèf^Ýk¤?—ýi«f¿í'UY\Ã�Øö¦î­3�â`\ä.*Û ×®°�„óÇ¢_È}³PÞÎîÂS�W€–�B©œºý�B0bŠ5&92(ä\„@²}ȧu³S¦â•ñ¹E/ß íboƒC{€KwGœ4�èØ�1U‰G«$�¼7¹í­»˜æLD·�K‹Ž_ËåóÎÔ8réäe‘Os˜–Á�ÉnÞ«T¦c€ ¤OØð»-ŸLí®¯ÄòŸuU~7H7EW•>P`âÒ¯ýg7M1»q­–ooïÞ#GP÷-?ܽ8�Ôlfc^clè£/Ö%•ªèÍà�Í3j-‘îi•39
þý¡ê˶2ãè¶ÓH~‹¥µ¢|ä>ˆK0n
-©¦õ5#úO´õÈû†µªYÅçÿŠ{ÐÇ’™âSû¦
žáÍy:òL †Ü£óÜ$Ÿ)aÇ)õ|a“�ÿY“Ô•_u0Ƴ©:
-c§ý Eú’ �ðéãö.&Xž	ÐêB£‘ž=ã»�‘Ü1ôZ¡mÀ†ÒÕ˜vðf»iãSÀ{‰/!çŸN_
-endobj
-2417 0 obj <<
-/Type /Page
-/Contents 2418 0 R
-/Resources 2416 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2393 0 R
->> endobj
-2419 0 obj <<
-/D [2417 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-842 0 obj <<
-/D [2417 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-2420 0 obj <<
-/D [2417 0 R /XYZ 85.0394 573.0107 null]
->> endobj
-846 0 obj <<
-/D [2417 0 R /XYZ 85.0394 573.0107 null]
->> endobj
-2421 0 obj <<
-/D [2417 0 R /XYZ 85.0394 538.4209 null]
->> endobj
-2422 0 obj <<
-/D [2417 0 R /XYZ 85.0394 504.6118 null]
->> endobj
-2423 0 obj <<
-/D [2417 0 R /XYZ 85.0394 432.7569 null]
->> endobj
-2424 0 obj <<
-/D [2417 0 R /XYZ 85.0394 303.3232 null]
->> endobj
-2416 0 obj <<
-/Font << /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2427 0 obj <<
-/Length 3818      
-/Filter /FlateDecode
->>
-stream
-xÚÍZYoãF~÷¯0�‡h€ÓÙdöÀz’ÉÄAâÌŽl‚$´DÛÄH¤"RãL~ýVuU7µìû²0`5«ïê:¾ªny.àOž§Y’ª8·…IR!ÓóÕöLœßCÝ›3Ém–¾ÑrÜêÕÍÙg_i{^$E¦²ó›»ÑXy"ò\žß¬^¼JdòF‹//ß¼Xª,jqñöíë«//„ïT@h Ä⻋«.¾%ÚÛ4{óúúů7ßœ½¾	‹/X
-�+ùíìç_ÅùÖýÍ™Ht‘§ç�ð!Yê|{fR�¤FkOÙœ]Ÿý;8ªu]£�"Q:S(y.eR¤©š° -’L+íXp}ùÝÛo_Ó¾~¸†Máž §ñNœCu¢Uf]—jÝÜÕ«rCuó¡]•}Ý6ôÝÞñ8r4°$&nœu}™LÚÄh“r›MÛ¾ïhÈMý¾úœ:˜ñ¨K)MbRàÝRæÀÄ4¾ÌààþÕUûÕž>šr[Q	V_Ef_¦Iam6êñ
ºË|A³OÎ[&VÊì<Ëlb³Ôœ8j´·rÇcòˆ€†V85¯}6m¡’4ÍÍÓÓúFÇÓN6\Ø$Õ…�N[#Ës`ÒpKÙ‚ù†¤vO¿—o©¦\¯‰9÷�“?ÕןRû–h¿ªýÇRÊ(š.ŠÅ̓Ÿ}U6Ôö–û»o7÷sböš›¬Û¾¯ÖKäœ%ª(^P@ªU½EñÕÈEÛ³ðê¼p{DjÉß0_Æ”ñ|H¨¹ÉªÝ´Ír]mêm
OG…�YU,þóPqkÇlÑv»M
í�$¦zt0ÐZ©XI˜Klh8Ù^éÖyØVMÏ*ÊzTÒÏCÛõx4/cŠ
-&%•&ûŠÊli7*ž§(yf–
-p'\Mßm¸û©ñv6ȑᙦ¿»©Y]×ÝnS~DÆž@	)â.côÓ(aÜê4J­�enѳIs‘d€ã““úFÇ“NN*O@ÙtÒº;É:§¨ã*ï®°šPWäÖsN‡ñ[ï:ü1·ï+n}Ø�f¶{^€j?ÍìQ«'˜í[9ÈÀ1Êì§&˜=Ÿ4Îìñ¤5¨7Àk§……Dê¸%·WrL‡_¯"P¬¹91ú·CM…5QQÊb	B™«Ÿ{IüûÝ�\¸¾|Ã%ð?IÌÃY˜Á;ÏØZeI.ƒ�&tW°U‚ß²áe(7õz¼¶˜YRˆ4›ZLœŠ5ý’¥.Š
D}²ÐÏ.Ð_{@yг|]æ&—
8
önWíÁÆo'(
¥ý°c“Õ²9*9ȺˆéQV5
-ý–
-0p&
-àž0œçnêïßÞ\~uýTÄ—¹†7Q�+ˆ;¥õ®ò6î*Sœuì*qј×Þ±Óz+
¤‰}°b
-ò�@öeÔ3¸…ÍED>ÁÓäYê—Šâ`Çë5ŽOûãCÁR!"�	·‡®§inyæ’*¼È¯Ö.üŽÛ¦"IV9BM!§~7¥uʱ�Îœû´#bSõ�íþ=UÔM’R®*®tá
-ÐA¡�HÜÇ•©«üüsüï2vqÑpw(.‚16 }[~¤Â-¯§ÛAÄôÄï.¼ÁŠ�TQîvÁÜž˜ngü„8-'Š‚% �„£&÷
ܲŽ

BíaÆ?ŸÅqÅ�1‰°“‚p‚?^Ý•
-ù\Ôš‡Q«=¸t¶æáoËØJ3µk®$Eó~¼$¤�„03ÖõD #"ƒÛz�$w}G„TøË¡ìŠÂ@ PL‘68*™gú(D
04›*&u
-¤Îç]½©<>�[›äJØ‘±Í�×Ã0¼“5ˆuû²~
QJG„’~šÃ¬nÑ}:¿
-Áf¥�hq¹ŽK�<o¹ýŽ½,Ö�éT
‚p¤�H©Êƒiõ>‘©õöàÐQ`9^óªÝnËf½D.úm±Oâ,�”LdNefƒ½ÛÆí�1i~#†«l8¶Õ¶õá!ı÷1¬«ÛÃý=ì¯
ÂN©ƒù—CI8ÉÒÂ
-=UñdRðÿc‹›8tGº˜%oÇÙ³aã᜵•~©Ëþ.=÷¬ðážõÙK;äòlÈbXß
-J‚8
Z;s¥4«ó¡°ªj–h¿ZûK€àãS¾7Äa>eyýýÅé„ôcÙE¯ÒýQÄ8Ê	<CIè3`s!ÔŸ³¶Nx“·ü-®¾Ú¤s\ˆW>lm�ß°¬­ò攵@pÈÃÆÁÛ±µÖ#(ùðóî°¡ÏuË¿
-Ùԉ½‹hú˜�k…žxý¯8¦ºY¢`%å~WFmoš¤ÆÚwÝ4ly¥·¼bÈ!C‘��CŸVü$
-êÞÞ¼#Bhä’Ír¸}®V}ý¡ÚøwSä.
Èf˜óÎœçjºk<ë•'·GWüÐtô†Á·­PáX4ŸRSßÒk
 ãyуħkzµ‘ûÇ 8i–\¼£·“¼(8õ_G@S7XÑrw‡!ó�4™+d»¡áÓbñî«/ÀQdô±­úJ-a•iá½~á–pyuC4;•=Ícyy—©	iãúÄu—™to
ÖØÅ+÷R§ê÷aa›ò¶ÚtTF4	›
N¾B
-û”¦ö�î	Ä”ã7W`l™
-†x»ë9u4�
ÃqÀ’ëûfr˜çTòbüð'ÇÌMOäÛ�±§QNiij¦!—áN‡¶@Oæj–¨á
ËìpØØÁh¹bk�‹‚Õ—='P¸=2ûæúò
rú%o2ˆ
-ÔȢ뾫6wD$Veƒ®r‚—¨œå
›;ñèYcÀ}g"ÂUôÿü zxîml¢ó\ÅQ(ð»€2/ÊYw�?á§ÓÇkÿ/À(ÅWendstream
-endobj
-2426 0 obj <<
-/Type /Page
-/Contents 2427 0 R
-/Resources 2425 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2431 0 R
->> endobj
-2428 0 obj <<
-/D [2426 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2429 0 obj <<
-/D [2426 0 R /XYZ 56.6929 752.2855 null]
->> endobj
-2430 0 obj <<
-/D [2426 0 R /XYZ 56.6929 474.2043 null]
->> endobj
-2425 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F48 1253 0 R /F53 1328 0 R /F11 1353 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2434 0 obj <<
-/Length 3270      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZßsÛ6~÷_¡·“§ü
ÞMœ8͹Ó$níÌõ&õ-Â'©Š”}úïo€ EJ½¹ÉLKìbñáÛ]Ð|ÆàŸÉ8`"‹fi1ãñl¹¹`³gûxÁ�ÌÂ
--|©w÷oé,²$Lf÷OÞ\2`RòÙ}ñm~u{ûáóõÍï—‹0fówÁå"flþéêó׫_¨ïö2çW?ÜÁc³„8Š%l~}óñòáþç‹÷Îß`ÎZòçÅ·6+ÀîŸ/X 2Ï^á�<ËÂÙæ"ŠEGBØžõÅÝůnBoT¿:æ€XÈ –a:â�0ó@œ‰…ö@»R¸ˆ·?EÜå)šÃü(³8�Ho6aĤ©·mYWÿ ¹Xxr"
-ÀðÐÈ­6ùrd²ôeqf„Êær!Ó¶Qã°ÅV˜Íë§ÁÐýÝÍÇ7Ô,ÔS¾_·$øÏOWã7#&…,	XfM¯ò�úßMÒoM›D­ïJ{nri 9‚”ó ‹Á8i^#Öñ,
-–Ì﵌é×Âöíœ~óF-’ˆÆTµ¬UÐHÓîÊêù
ŽpÜ’r™¯×f’gU©]Þ^ò¹–†žÇ½UTM£–P2°˜IøŽù%â$¸å}¾G0¡½é¼YÕûuAíGE¿mþ]™áוmí0ÎŒ�cZF�”,9jÆï�šæ´¿@X¹Ø7jgì;4­Ú4ô�7�
º¡�Œn_æU
/eS>®ÍCY‘;€
-1!ä–v»�Q¸NN
-]Õ~ó¨
É):`Âð`º4­˜W^W%�ære&xÂ)ŸÔ²¥g‚$t½ææe} ±cUÚ—Öuý}¿µ&h£Ì[›¼P¦[#™K;c6'¹è¬1äc×_Q6Ûu~ D�ÝÕ?$-Lh®kLW£Z3¶£1£ÃvÈü™Ú�¥‡HiEÂZ&:WÁØJÁ
-v—À8o(ª4N¡ZµÛ”•y´þ€— ÜX;;¥

-ÃÓ•WÍ+‘±–p¬ªVoÌi#`óæØHûêcf¹åFÕûvð&9¢ÕË‚Gˆ¤p@žKÕÎ&ÈδMrÚÚ´C�tÁ»5u@ H‰[Œ<éœáÜ¿ÖZ¹Ù~¬Zªbâ�ízo&oÊg£cËÈ
<2‘–µ;¸A–¦–(îÃAÍ,Œ¸ô-lHÁ…ñ>ŠÐP,%ƒä�ܤÕĘìhl²Ž®“Å:
-
-“'’¥§-pRÇ&ô÷lH x÷L¸Ã„N$6U€F£È=ÈÇ"Á4¤±"5ý·9nvÿ=ؼµiÓºÆ.ý8$£Yd‹Hák#ˆB¡»€ÃËÅŒÑÕÌ_>‘mÍV-]æ­ŒUùHq¹xÑ)Ï ¸òlíWÓ7KÜ•‰IUÛRgW	/¨ã(PØRý­j—owª©×/Seu»‚yB·Pi*E\¸‡.¨@_g¸·3†"—¢‰Þa´ï+ÞÝÇ
î9e
-
]QehnpÇß4ïp“Á¯Á2ÍÓ,�¢9´cû™Á€ÕTw£{>
dHi"Æ»2“!ò(_<˜ª³‡{.ˆ�¼ÄŽh2<ñ¶ò×ü?�/(‹“˜§g
-endobj
-2433 0 obj <<
-/Type /Page
-/Contents 2434 0 R
-/Resources 2432 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2431 0 R
->> endobj
-2435 0 obj <<
-/D [2433 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2436 0 obj <<
-/D [2433 0 R /XYZ 85.0394 654.1216 null]
->> endobj
-2432 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R /F21 950 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2439 0 obj <<
-/Length 2877      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z[sÛ¸~÷¯Ð£<‰Q€A²3}H&i&Û6u×î¤�¬(‰¶8¡HE¤âõþúààÊ›ÒÝÉLqÎý@f+
-ÿØ*DäQ¾JsNÊ’ÕöpEWO°öáŠiÌ�
Ýø¨·÷Wúkœ®r’‹H¬î½½2B³Œ­îw_Öo	#×°]¿ûøáú&	�Öonoßz÷ñ?ðžP€
-&΢uWöý5[+‰É÷ö1
-ÚS&#ŽÍ˜ýë	³e4',J“e»Í %e}_Ž½Þ¶oñù¥Q³3Œ”8
-Ýò·¶‘êæùzÛ6}Q5ƒ˜HAŽ6¥]­Ûö+x�š>ñYH~½4€³vŸ»¾™
-òUèR*2„ñh¸¾/T´
-¢šâD,‚ÄTöŽËÕl’2ƒ‘ÙTEÞ”¦ƒXaLf®’s^´/Œ�lJc¯ÅñXW²ºƒØDum/ç�0<CV5¸y	LuÖèxš�Œçò«�š7:‹²FqçÔÏæ×EÚ.¿ŽˆOç×€ú-úáw°…ÀÁ±;3ƒñNy¤ï”{éšè ¤<ˆ~謚€ ˜Ü¦5$!ãæ5Á’$
-u´ 
²j01[¦/ÑvUú�øt‘îS¿Û«<®÷Eàvò.BN¨»9!sÓÎa.ƒÁÇ[\+v;�A:\P¥«\9JÃÂ�·My2f×3ºN°17šÂö7%iÇaÄ\'|®'„ÃqaÛ8kàÃÜÂÈ3
¡iK`[UÐÀS4`{"bë��8‹û©¡4!Óú;ÛúÉClézYAw¯­2NbgÆ>Y»<^‹RÈ8ÉãtPÞuJo��wíYQ3é3P
:�=¨•ø´jTÔ{n8YK�ãl)…‚Ì¡}Ž’e'òQó^dQ.…bÔífÝh‘¼ó£ýiG
-ð†°ñoúŒ�ƒüPW�)Oªfð5æÍß
-‘³ª•ƒç±Tv}3l©åš=„ú\]ñ¹ý¨-mäX^bÛÈò×âp¬KåöÙz>Í
ú´ÈIgŸFÒÅN†ì¾–/ØT�6¦Á„•bÓžu#ñîÓÝßÞÿ×oF÷�¼ Ô}Ìý^÷@.è
-endobj
-2438 0 obj <<
-/Type /Page
-/Contents 2439 0 R
-/Resources 2437 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2431 0 R
->> endobj
-2440 0 obj <<
-/D [2438 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2437 0 obj <<
-/Font << /F37 1038 0 R /F48 1253 0 R /F22 973 0 R /F21 950 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2443 0 obj <<
-/Length 3119      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsÛF¾ëW°*¨Ž1oààƒÉ^'YÛ)©l9>€äPD…h´£üúíž
„R»Tó@cº§ç›~�t–Â:Ë$Iy.f:D¦TΖ»«töÏÞ\QO3Dó.Õ«‡«¯¹žå$WLÍÖ�µ2’f�=¬>&7>ܽ»}ûÛõœÉ4yE®ç2M“ß¼ûåæ'7÷á:gÉÍ›»{*™2 ¢H¦Òäöí›ëO?\Ý=DaºÓ”£$Ÿ¯>~Jg+�û‡«”ð<“³¯0H	Ís6Û]	ɉœ‡™íÕýÕâ‚�§öÕ1™É„šÍ¥ \r1®¦”¤¶=×8	è5‰lLM�
-ÕôíǪþTl·çÛ¥œ‘L¥tÖ]sÀ9R
Y3ÖaM¹&™ g¼ïMëN¢>¸v¹5…ï¢H¶³*›ý¶xrƒßÓ”�
Ž×€N3Ù3jêPM¨)PY5µåμ|h‰)’eLN3ŽTCÎgZ¢ MžõYƒ–ؽ`I»1¾Â\Ó¤>¶n¼¶
-„NášÏGsxò¤5Êüâµä=F‚h©ˆ‡IO–ŒðL‚Æ,ëjjŸóT'AŒ•YÇm{’ÉD“ÒK,]Óÿ¦ò¶­ÙíÛ(§'mGžS§¢(ƒ%¹”tBp¡2î·«n¶¦i\¯Ý•ëQ×|-Ò×4KLãvãÒ®	JÅEâ^¼ëÞzn¯®¿0eõèÙï·¥Y]D®‚
r*ž¹à]ªËÈ�T¹‡Ò4#Ð
Ww’óé‚X�_ðoÝ\yèB§:îæàúVsøÔèjßZUCç—Û®ƒê/ÏÉsøVE:#›SpSHÏ™Ì<AY5­)Vgòá=à¿s8æ€g!²äízìŠ1¸Ëòïóm�>¼&)—
çÌ>ƒo°™æó±ð
-|©ƒwmÊ•³ph’ì~M½=¶†8#Ê2E£´S¶p©Oa¾Û£ŸG\bë5g)!àd•eÃcSâíxdþ½Ê+ºM[@LÖÓ¯è+hWe™ °å7ü´ËøB`oë1I¢å§{Ä3aí?ò ž@‚­�¸Î
Dò,`ò¢²\ZQa7^Zœ)ý“ýµµ[:AŒ4ðØú9‘¼+¼›–4µì‰dm¾:,“°¶@`áéøe«ÖöÞZ'‚~!7½-Úò‹qOª—¢òÔ>Fƒ©…!h¢w´�q—›à¤ÖÁ=† .“U½+À0ú¸°lÚðJ—rxjîbFµˆqqXnÆlÎ2Î ÅÈRåË°’“çâJáj­J§ª¥×”x¸¸d„*®þ_p]¶© 5c©~Ʀv¨&lj ²6uq\7å_æå«�UTG<É;R
™÷­ªÈ‰Î•ìs÷)¨øÐÞEC`Ø�~„Dõ¯]ø$ÆžJŠøì¶lŒ¬‘p1¿Nînßݧ~ùQw®4Ö+X^�ºsÉcž¶xj�M¢À{?ywÅŸåî¸s¼1îúSI„–yÿžìÀ“:Z�Û-4®kch½o†^o¿0>Ýh€OçÒÏÛ+
-�Ô5>‡Ú;œnƒ£žó\'¿b½ÍmàzlÑ’÷Xgp ?jyÁ¨Ç¸‹öÌ€³n!2
wU­böåÞÝJ°Ð¹hÚ—_,ÎÃíSŸ'�Ëâؘ^žˆ§>Ìë�†,Íê…»&$NšÒé»Ö¥º|×"•½kfU5/¿¹XŘd|ªb8�W1z¬ï
åÚj#—-‹ºÊ¸DMYWþyíÚ¨ÀÌz}Ϋ\ù7ãÑe´À í/�”_
-Är[,o„`Žuo(BœŠB«òqä†QM�|ÕþxÓ@H¨¦ÏÔ�»T—1©"¦ë
-"¸b
-endobj
-2442 0 obj <<
-/Type /Page
-/Contents 2443 0 R
-/Resources 2441 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2431 0 R
->> endobj
-2444 0 obj <<
-/D [2442 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2441 0 obj <<
-/Font << /F37 1038 0 R /F48 1253 0 R /F22 973 0 R /F53 1328 0 R /F41 1233 0 R /F21 950 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2447 0 obj <<
-/Length 2543      
-/Filter /FlateDecode
->>
-stream
-xÚ¥YKsÛ8¾ûWè°U+W"/¾ææÄJFSŽã‰ìÚÝÊä@‘�Å
-E*"eÇ»µÿ}»Ñ
-�nYÚUÝ"u6Az–:éf/}Y`ŒA*ŤmãV|¬§i»=È@"d\&ÁaðYUzß¼&l‘¨�w‡¼Ü>ƒ0âM€9xà\	X´h¨•¥�Á…U86¨²5a z&ŒHÜ¡³ msjg%!®ÅÞΩõºû—¶!7ܸˆÝ‘S'O
žøP仴ľ촱C^dã$&ÈMÚ€Ò<�—ü vnšl[,LîÊ#ˆzZ4]ÔKÈî %æˆp�=$èÙc‡ñ´zêàkÁFÓ‚¤jN¼ÝÑà°=lì�O©h?�â–]±¦é×/ëú›q“w7Ï¢LúÓCùÓíéÕAû´1GÉÊ´9†�Õn?n�Uêg³ªw¥›æÓiê‘nYëã)GÑôŒ»û²^йGäHDcã·BèŲ`M Œxnv’˜¬`ð݆&¯±,÷«‚ÿº¥2B!Ž75ÍðËxWfè¦
FëƇ“úùCP\ôð
-(78üu˜Ñüv¹ª†‹•þöàh�x`Pë@k �ûç<~©	#8žÌ¹.,i¾»Æ8ÊÒúI½¦!.ê#:.àxMßuúÍSVäh®‹au·i~
ó1¥ ^\ÿ‹þ pãz;p0À
-
-#^¤ƒ’DƒDÜCèÕ t%Ô†\t2Ób.+ É%D»š¨6_�‚9–,ˆÕeuŒ
Éó8ÿ 5
5Šªh«9�÷qè-}×iî8鬠a\é»ÃÇŠ4ÖtUP<²I¢:\’j�0`ÒåaÔ‚;9f,‹ü”uFÙv�x¥;“Ûö�É…UUy›?0°{ñ9œÒ¤•“ã9s¢!0¼;À=}-úX”N‘ªn©±ÙUë·1ÔèNàHewijõ¦©¿9!Áå¬M%Ü¿ƒH…‡
-È]”ö*-}†ãY›[{:›ÛŽÍÂ0
-8ÁI¹£.‰êŠ7Ä
-:¾aûJˆ¡:Iu|{÷aþröèuÿ.à­ßqQv
øñ�#µ{ªXÿäýƒ=÷ÿ‘
-þé3ðÐÍ;uþòKûÎ4&ØX¿˜Ë(`09ôB¡-„–§À…X…r@öÿ
SÛendstream
-endobj
-2446 0 obj <<
-/Type /Page
-/Contents 2447 0 R
-/Resources 2445 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2431 0 R
->> endobj
-2448 0 obj <<
-/D [2446 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2449 0 obj <<
-/D [2446 0 R /XYZ 56.6929 663.9757 null]
->> endobj
-2450 0 obj <<
-/D [2446 0 R /XYZ 56.6929 361.3763 null]
->> endobj
-2451 0 obj <<
-/D [2446 0 R /XYZ 56.6929 244.0091 null]
->> endobj
-2452 0 obj <<
-/D [2446 0 R /XYZ 56.6929 154.5575 null]
->> endobj
-2453 0 obj <<
-/D [2446 0 R /XYZ 56.6929 85.0109 null]
->> endobj
-2445 0 obj <<
-/Font << /F37 1038 0 R /F48 1253 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F53 1328 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2456 0 obj <<
-/Length 3447      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Ërã6òî¯ðQ®qðàóèÌL§²Ž×v6ÙšÌ�’ ‹ŠÔˆ¤¼Î×o7º
‘%û€fl4ý†äµ€y�F�ÐYx�da	]/·WâúÞ}w%yÎÜMš÷g}ó|õþ[�\gA«øúyÝ£•"MåõóêóìöááÓýÇ»_oæ*³o‚›y$Äì_·÷?ßþH¸‡›LÍn¿ûô„�±ÂI
-§ÅböýOOÏ7_ž¸úôì¹és,…FV¾^}þ"®WÀøW"ÐY]¿Âƒd–©ëíUé 
-µv˜òêéêßž`ï­ýtJ‘Nƒ(UÉ„”¼–a ÃX
de�Jee
--‡p�ÙÌþË”ÖϨ,’CåÿøééÃãÝÃóÝO÷þ£¡ñ�@tªŽ:yj¢J‚í»ó;šƒ‡™å44ÅvW„So’öźÞ°3{€·EõBÏÖš knÀªLÏîZ"âèWðM^–L­kÌŠ ¶¦qYW 	þ%Ôßß=0Ÿ«ÕþF¦3Ó4¦¡“äýð9’ßÉ+ ¯âtv(–†!³oràNÇzöËÆT„­jsKõ¥Ûš
-ŒÆ¢pÇvܵE]5ýy–d2{)¦z7qFNå΄G¹“Øí¿tNC³©Q$ì¶Û|ÿFëÖkBnþ²†·°e’G‚ÁLª¡f—EeÈÕŽ·Š(+.
-õ–Yu<³ŒÁêЄ½�ƒ2Ù§Vá,ïZ÷E›·�UÊyŸèhÕˆ&þ
`Çî+Pˆ1Ïþ‰Ó×äÖŽôÂ!=òž.~BUŽ!Eì*üfz8o,T®û.ŸCºÏ6XC×uçÌeí–÷f´Gì¯ø‘ÌÇW`�õT…ÙXMµ´^uî ­É]à28Ää„°é-hy7röFOV¢0öŠ¶¡
-I$xÜ'µÝP‡µ`¤`»se3\fah¤¼¹Ï°Ø€ûÞ4E½b÷.„‚@ŠQ2øa“×Meøˆˆ;r8¬;,Më“hÈ‹žÝÁù4cDÌùæ»{n
€#¿«Z³‡•Ñ›Oö¬3ûEÝXò�tí®k	&’�y›ÊìsŽm	ªêD
-éEy9ïx3•zoC…A”œóŽ:ˆ!^8­[M‡ŠHÆNë¦êe<	Åâ
‘'ñæ(
T…€Îšx~­Yd¾d�‡ž&½8ÉQB�Ãq–Hb˜	“Ù&Go¤Â”ÐÊp;rv‡be
-«{Ä;QD�‹8nqÒž2wqpwÿL®b{Züù1ÿâü=ˆR�µ«à²ãñÛ2cú³Pì⯫&:çP�“ÛGºÅø—�ȼYºô8åÒIt’s…1ÌjB—OŠÊi*ÀÙž5O³É-à(YÆLÄ•µ£>
-B_gœOൟC95Òky©šž¼4”Ã
Ä;:ò½ËP)w­Í¼3é¤1T^�Þ�Cˆ;�;ÄàO>³Ç(Ι
ê%â8¡kÈwØ9†
-6š3¹{Iâovçû3ÚšºGi:{r�RZ `vŽ!Œ³÷ÄøÖy€Ç�„ û}Äô6éj*E‹ã“€Ø>ž*!Ýo„˜-0#Êz=áÎIH¯¾
-¼R‰;åèâ]xù¾4„D¦×#G¢Ûb[,Y&V)
XÈj]—Zù±<©*’ÞÅ6Ê CÊ¢‘ŠÚh’¡~�q$x•}jÈ€Æ%+†›GèTÌÌÿv©Ý·–i�ªaÜèd›á¬vc{
-endobj
-2455 0 obj <<
-/Type /Page
-/Contents 2456 0 R
-/Resources 2454 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2431 0 R
->> endobj
-2457 0 obj <<
-/D [2455 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-850 0 obj <<
-/D [2455 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-2458 0 obj <<
-/D [2455 0 R /XYZ 85.0394 747.9963 null]
->> endobj
-2459 0 obj <<
-/D [2455 0 R /XYZ 85.0394 712.4426 null]
->> endobj
-2460 0 obj <<
-/D [2455 0 R /XYZ 85.0394 646.5299 null]
->> endobj
-2461 0 obj <<
-/D [2455 0 R /XYZ 85.0394 574.5487 null]
->> endobj
-2454 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2464 0 obj <<
-/Length 2714      
-/Filter /FlateDecode
->>
-stream
-xÚíYAwÛ8¾çWø6Î{1+’"%í{{HwÖ3iš­3�îëô X²£Yr-9™Ì¯€ Yf’ÎÎe›L�‚À€â£
-HÕ–gAM#c?ø]€‚Ó2	ä�Ø´é¶-ª•}I­~Õn}“oÉ:Z
-9aRE]§½MÞ
-9aqìLǺÐéÜ
-ðViÐOŸÎÏf3ºë蔀±�æ±–<%×—îW:€t´¥½)‚„
-þ@ë}¼?ŸÎÏ>ή®g.=9§CåÐâ‡pAö~ú�]®b®Ll
 àÖÞ·]+Á¬¹†Éód"}^¬*Ó˜ÂÂÿùœ*góŽ¥;ÈEÚE]ߥM‘Ùµ>á‡d¨Ã3içÔÜ+�ìäþdKó^s¹³#ûÔîª{pI
gÙ¸k
-{mñÌm3{î7¸	~íðDiÐëßþøýô•Xâ]™÷»¶ˆƒ—µS
-íÅÃð@u÷™üP÷?
¦ù#½endstream
-endobj
-2463 0 obj <<
-/Type /Page
-/Contents 2464 0 R
-/Resources 2462 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2473 0 R
->> endobj
-2465 0 obj <<
-/D [2463 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2466 0 obj <<
-/D [2463 0 R /XYZ 56.6929 523.9144 null]
->> endobj
-2467 0 obj <<
-/D [2463 0 R /XYZ 56.6929 414.7474 null]
->> endobj
-2468 0 obj <<
-/D [2463 0 R /XYZ 56.6929 353.4012 null]
->> endobj
-854 0 obj <<
-/D [2463 0 R /XYZ 56.6929 315.6213 null]
->> endobj
-2469 0 obj <<
-/D [2463 0 R /XYZ 56.6929 283.1208 null]
->> endobj
-2470 0 obj <<
-/D [2463 0 R /XYZ 56.6929 248.0689 null]
->> endobj
-2471 0 obj <<
-/D [2463 0 R /XYZ 56.6929 183.8008 null]
->> endobj
-2472 0 obj <<
-/D [2463 0 R /XYZ 56.6929 95.2626 null]
->> endobj
-2462 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F41 1233 0 R /F21 950 0 R /F53 1328 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2476 0 obj <<
-/Length 2274      
-/Filter /FlateDecode
->>
-stream
-xÚ­YÛrÛ8}÷Wèm骈ƒ+/óæqœYÏdíl¤ÌÌV’˜¤,V(R+Rv”¯ß @Š–«v·R��&pЗƒnšÎü£³D†„§b§"”„ÊY¶¹ ³G˜ûõ‚Z�¹SšûZ¿,/~zÇãY¦‹fË•·V’$¡³eþ9¸úðáæîíí_—s&IðKx9—„ÿ¸ºûtõe.S\ýz³¸œÓD0­$´ZD‚·w‹ÅÍõüúþ�›� qùuùÛÅͲ惧„kTÿ¾øü•Ìr8Ão$äi"gÏð@Bš¦l¶¹’‡Rpî$ÕÅââŸý‚Þ¬yuÊ’'¡LX<a
Fg”†©”l`™†gܘãþÃòöþnqr	‹
�’i7X¥¹¯å6žpƒÓÒûÎWzËŸÞIéi®„KX\k¬Êªâ4
è`�³¸z­	`ÌÛŽ2FTDCd·+ƒ”
-

-ÿ(4E’$#„£eY&,Š¬RÙârí¶ÈÊ/„°"s9ç„ݺ¨qFzÀ‚M] È½¶»¤IP¨ŸVæ±Ù v·VÊõº•}³kpVËê|°
×
üûÍ¿ü¥³Æüæ-„¸à‰=>ê¦{£
‡i"´Ym(Á©,vÈ\Z’ãÒ0-�Â<_±Ç…‘Â7ð¡jšoEŽãýˉí—¢6Š“�ÇœŸ�Z_ëå¨íµLÔV“QK™Œ­»óf£
-`(/„ |ŒÀþ…H’ÀÔ²ŠÕ�™Ç¢~a²-kMDÞôf2Äzõiù÷û�¯ƒ¼­»bWî¸8ÀM±±.»nê¶Ùuå~sÜO„\Dn?
ZŒi
-U8ä„ô ³æ©Ø©ÇÂQ,�B*%b»S›bܱ4NØ€KÝBpyŒ#ñ®xÙw{¿Fñ«�áû½û•Wä¼nÍÅ¡n¶mÙŽS)¼ª{I‹ÉÂ�Â
™ÔÄY2ðV09&¦¸À)MšG§ûçùï– ø€ÒS TÚSD¹+²®Ù&jh)ˆIj5¿ºUW«B�“DRž”Ûƒõ€ÊSÝl�ÖË_]ϹPë/—易¦a"d4^zóêÒõýܺ¢€²d¼înb]ˆJ²A	QêœzRÕÔâ@–Œœ€Î^
õÁLŒE¹Ïì£
R	$LÅhýÚ×i¦#º+Á†ñþöfqýñÖtŸô<Ís~Æ�2;ŽB"RwP;^
BºNIØâQ‹°•G!pc‹#L^˜VøüX>™F$¶Y
áH§5ÔϺîÕ­i7^«'ûRWnL)¬¥›¢S¹êÀú 
-³þÔý�ÚÕà8»òÑKð®gJ³ƒ]JÕR�h¢áòìËc<¯Ël­‡b_Yi¦ ÿ¡�5Þ‡
þ~M¼8©PÒv
-êýæahòc¤]£ùbÃ^ZÕD…µ°Í<a‡em�h^¨›]Ù­78“[b²/ÁïLŒÆ"t»9¤ªßc‡y!i
-?ÌÑÈò
-endobj
-2475 0 obj <<
-/Type /Page
-/Contents 2476 0 R
-/Resources 2474 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2473 0 R
->> endobj
-2477 0 obj <<
-/D [2475 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2478 0 obj <<
-/D [2475 0 R /XYZ 85.0394 751.93 null]
->> endobj
-2479 0 obj <<
-/D [2475 0 R /XYZ 85.0394 546.4203 null]
->> endobj
-2480 0 obj <<
-/D [2475 0 R /XYZ 85.0394 481.4562 null]
->> endobj
-858 0 obj <<
-/D [2475 0 R /XYZ 85.0394 441.1625 null]
->> endobj
-2481 0 obj <<
-/D [2475 0 R /XYZ 85.0394 404.0002 null]
->> endobj
-2482 0 obj <<
-/D [2475 0 R /XYZ 85.0394 371.4021 null]
->> endobj
-2483 0 obj <<
-/D [2475 0 R /XYZ 85.0394 303.5162 null]
->> endobj
-2484 0 obj <<
-/D [2475 0 R /XYZ 85.0394 229.5618 null]
->> endobj
-2474 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F55 1336 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2487 0 obj <<
-/Length 2682      
-/Filter /FlateDecode
->>
-stream
-xÚíZÍ—Û6¿Ï_á[4ïŬHJ¤´=¥í´M›M²™é~¼¶Ù–Çz‘¥©%gêþõ -Ù²»_‡=ôÍÁ
-+¥™Yi…ÍlvA3	͇R^ñ„¼ê�¯Qåg_§é@ìÊ´�ÉQb]Õå©Y9,53Ùu³¼Ð„Yj¨,ÊÀ¡™õz
.V&*Ⱥd¸i„4i~bÞɬÊ	)ª:š®{*—ÕOq¬ÊÕK hõ›²AžÅ	ýÖ6<¢×l´»•YT+¢®Ýc»¥§~Sô$…óÖåç8orœ­.œøcÙõDxxxCòE³òS°,DÂ÷wÿ .ŠÁ²À»©ÈóÜÎæt„(zhR|M›hUöån[5功+â.ûú@”�É:e}:¬_)úÂíHÎfi2ë|÷•‚ ¶qÆ;;ßNl¾L„ŽÃæã„^Ì…’&L³úÝiÚ§¾j›Žímé·i{”´zX³¼´�ÏiC•ME–g~CÍÞPN¡½�Á²Ýni+ࡆÍ—bÓ˜X%õõØJ]ŽÍ å6åû‰Ø”�‰ÂáOƒ—ÛÝáÔ6©§±ºn\�š°nä•‹XCB™w_öà
È–´i2Ï'mr¼ª!Öó¦Znˆô±<ð‹Ë‚¹‹’ëv߬ Õ«\G_•ëb_“ŽÌ¹u¤k¹ß‘²¦'Îs»ûX5�ô0¶DJ]öŸ²Bc®¸î¿�Ôÿy©alŒý—cïÀmñkµÝC\¨mò#?j+ÀxuÝÈ 5aå8 ”ˆs•ŽÍ$?ªÄ'†ÄDŸŠz_2­¥ß³ö�4 §o…Å •ÒÖíŽØ,—ú´$b¥ózœ‘[4E}ø͇-½$×ã¨}¦ì�Ú�éåÔ îˆëFœ0áÑåõ«‹{|j»®ZTuՈЮ‰ÛPAf¬ZV².ªzOÁÕ:Žþ(è\ɼ«½!O{Њ‰Ç™|U˾úTô®$i��ÕJEÛ=V­¤s
RʦÝ?nˆÖW[¦º}v¤
S8Z÷»"†ãHˆœ�¤çªß�™2ªÛ†
-R�GÝ»-6ŧr¼$òJùëG*Ũ埈յõ'tOY,7èä.Êu–ïâ뫦´áÅ/K¿O{®±“úÜjð=_^‘øáCWöàDŽA°�|§jb=˶YUþÄP{ÜY…UOO5e™—L Ÿçbç<TuM£טDz)wèyáÕ*	%�ƃ—LGuÙ<¢gT¦èd­÷L
-3¸MA‘s`}4¨OÀ…tha.)ô2¸
§ìèyßT.-À�”*>kHYè·X­hy8&¡n¿Æy°àþú'Økk¢ÛêÉ k'b
-�J<åãä�¨%ñ€iSð„‹²dí”™�’–(ú¬D,ˆÆñ«�kðz=eZfE+ùŸšær·Î2‘%2ÇÕ	wè«âÐòÛêœThÐõg!„‹þœ†Ug-dJ~å	ºóÎ9{ïa^u
-y‹`sä%ô�Ø\Xkäuô0”ºŒ‚Ô�у„�Ný9ñ	íx
-¦gz¥x¾1-KÖ[ŸðŽLñøÇ\,ãGÚ°\[³òÐׂ˜+¼,ØÒ¯Ã4ó
-掓X]·3HM::zF
-€ÒéØR‚PøɃ:U¶>Áf\ÙÒpÁ\ŠK§/rrëÂWº×¥¡‘<9GžÅpŠôa.v§ _KEg€XsH4Œ¦p4BS̺e垇†»&ã2þŒ
-ìxômû\"бIÄVUkVÅ*©ïÒÒ·„`ÒrS4t+‚äÃÑàóÌ9W‰øåkÜ¢U�s·ïà�ù0HÎnˆ3Ë<ÝÕ‡„q®-Q"Ü�ºm
-Ä͹Ȳ\Ñ4~Ë�«aWæÛY<šÄ]u¾u¤nwJ†ðÝ&VTÜ•ÀžZPìB–½úááÛw®­€üÓHSr&»?t}¹e‡~Ù6]»ë«ýöÒ¿8èTàÿ%L­8˜ö_ÿûÃñ=+t–]ø¼„Váeã�ÂÅÉÄœG/ÿ£Ä¹íÿ‘l¤[endstream
-endobj
-2486 0 obj <<
-/Type /Page
-/Contents 2487 0 R
-/Resources 2485 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2473 0 R
->> endobj
-2488 0 obj <<
-/D [2486 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2489 0 obj <<
-/D [2486 0 R /XYZ 56.6929 750.8289 null]
->> endobj
-2490 0 obj <<
-/D [2486 0 R /XYZ 56.6929 162.6734 null]
->> endobj
-2491 0 obj <<
-/D [2486 0 R /XYZ 56.6929 86.4068 null]
->> endobj
-2485 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F55 1336 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2494 0 obj <<
-/Length 2389      
-/Filter /FlateDecode
->>
-stream
-xÚµZÝsÛ6÷_¡éËÉ3&äÍ��œëÔÉYjï®I‰²9‘DÕ¤�Kçþø[|Š�@ºiï&3.v¿]ì2Áð�L$G˜©|R¨qLød±9Á“;x÷ú„8šÌe}ªïç'}ÅŠ‰BJP1™¯z¼$ÂR’É|ù~zþîÝåÍÅÕ?O3Êñô{tšqŒ§?žßütþÆν;Utzþúrvš‘BbD\“	<½¸™Í._f³W·o¼¾ü×éÇù'—ó Y_{‚™Vëד÷ñd	›øá#¦$Ÿ|�ŒˆRt²9É9C<gÌϬOf'{oÍÒœIÄ%-pP2!9b¹ \!*jð€ÍÁ>1`°Ü¶mµÈ–íê¡Ù|®¾êÍ�„Œq$a†ú¦ÜTzXÓÒ@Eà×T=N§DN-7ƒíJ;²PºñÌþÞÞÚß»j[=”]Ýlís×4k'6D�âœ:±¬
-+vöuÛìÚº=´Š
-T Ÿ+y?XcTHÅ÷©Ò9È�rüNÐâíUB½>˜DçIUz¤ß"Ú`bLYìÀ.
;=ÙÃ.ã…˜Î=ÑS¹~¬,M³Jf¤*sšÜå�j¼@¤ >ôn½ìONT³Ý2¿îèwú<Á#±áÓÄ@*Ἢ‚ĉ8r·Ê�_¿�ÍíÈÇF½†É<ZÏö¬eŒ`
‡÷GˆsÃÒÆyû°(=I½m«m[wi‡]1×Y²Ý¸+ö¨F\ÑSWœ§\‘"èâh\[DNH8?Hó£zª„b‘RŒr,D¬ÙlW-j�êªÃS¬²Y¼ñ]YœPÛaXAC"ŸIA=¢P‘Áô:…)tÅ\¥*×XN!�j(F4DǪÅg’1ÔÞ}ÕÞ4ÍçƒT¿ot
ëµ[û5PùôÌ{i o+B7Ͳ:K�rQ ‚(ï@vI–8ã9túp^�SÀUKVf¢Ï¡•=@A*”ôMã P	1�ˆ|ÜúTÃn¨Œ¬~`îëìølI$
-aG"¥‹½;Ôþ!ßÙ†ô8·¾P\RìóÏ]®R°£Y4›Mè'|%m¶uv8÷ÂÙGöo>¨N)ÉcÑ’}o.–ª—›ÝºB
¬žøO I]C­Üïñâ�O` rÁÆ#|Ÿj8Â*áÏ�:�†xT¤'JˆŒì�	Ân"‘WÛÅúq©í%ï/³ë¿´vøź5ŒüUôöÎ>›¢ˆ©ã¢Ž{1ýÇ)‡¨ÜÝ7Æ�LÁ_;–ÍN_j˜cC Ü^µÓ:�{™&ªêá}ùTùõÆ—ñôzvmg ³Ò8ÜD·lEìÕᘩ×k×Ûú¹Ù>U]µŒ{à�*ï Þ=Ô[©Ì„qõèØ»­ôŠ
-Ä²ôäQ
-¬ÊÅ}Ê
c—
-1ÚnÒµ…Ç’tE^¶õÒ½úYcY®ëeï[’¹D´ ïkcÿáÉ_-«vñPªÔØßòålø*Hq$
-YÓQyžæX^t$•HÞõAkòÂÂî¡ðµlªqìײðèkÙ>ÉA-Û¿›ëÙÕÃײŽW,µ<ðAûŽÀ=þ™'Ð[ÇÑã,ÒwPÊe_
ø¯Q˜¡\WtrL§@s¤Tb0"9&}­†›þ€­Õ*ŒäméÕ�»�Ñã¡¿oßK:ðý?Gú›w
®Èÿô§õýÿ"È¡µ—C7¤ë¶Z¯”–äÅ¡êá#ü±îÿÒ¹ìendstream
-endobj
-2493 0 obj <<
-/Type /Page
-/Contents 2494 0 R
-/Resources 2492 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2473 0 R
->> endobj
-2495 0 obj <<
-/D [2493 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-862 0 obj <<
-/D [2493 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-2496 0 obj <<
-/D [2493 0 R /XYZ 85.0394 744.4041 null]
->> endobj
-2497 0 obj <<
-/D [2493 0 R /XYZ 85.0394 712.3006 null]
->> endobj
-2498 0 obj <<
-/D [2493 0 R /XYZ 85.0394 646.0353 null]
->> endobj
-2499 0 obj <<
-/D [2493 0 R /XYZ 85.0394 555.085 null]
->> endobj
-2500 0 obj <<
-/D [2493 0 R /XYZ 85.0394 479.7864 null]
->> endobj
-2492 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R /F55 1336 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2503 0 obj <<
-/Length 1584      
-/Filter /FlateDecode
->>
-stream
-xÚµX[s›F~ׯУ4›½³Û7dˉÛq-¥“Ž“,!‡	W 'î¯ïYvA m#wÚ83a�³ß~ç~bøG†B"©©†š#�‰.Ö<|€woÄÉ�PЕšÌ¯ÏY8ÔHK*‡óUK!¬Ηw£	’hxtv=›MOƒwÓ?Îoß_]F“éå8 B)9Šnn¦×gÇ
¶ÀŒGWÑõ‡èÒ>»k:ŠÞLgãÏó_ÓyK®«
-9`0Hc6J|fk¤ŒÙ‚'£èës!:’„ ÆCèF$Kž’lß:Dš*:ìy@¬ò£Ýã0EkÑg6KªÒú¤ú’ØÅ2¹ß><¤ùƒ½­‰!Ë4ÖZj.%LÂ4
-a5âôctus9uºð0 éËZpn‚ 0‡�Ñý6Í–fId4{ÁUÚ§g3ûðöÖÞ¯6c¢FÅÚ>5{êó¸êj,Rüj-ü.ù¯³-Š5:Á˜�PI$ö% �VZ»�_“çOÓÌñÊãuòªÇèYV|s6##8!0¸`¬³­á
-‘
-UØ;ßF?'!’a¨úfßqCFÏC~J"Jå
-i…,¾·ƒf·0­*iËâµ?ß�F!VûáÚBØä\hWöçA›Á½
-nÚ˜M´¢È^’PÏyñXB)Þ›Ž¡ï…J²z²
ö÷;wýp¦ïBÔ£3÷Íô­Ô¾!Z#Ô˜Ó	N펔�:Æ5nÚoœpXƒ•M+¿Øg‹yÄÐ~󈳇b“V_Ö\�Ô�¹N²�< }
-Kh¸¯‹ÕÊôÉCXhs¡`|vá�
˜€1
ÃÏ—e6èY\–¾¡FC$«}೟Ãwz6ÉáQrÔa-âê(â*‹}��r¨°Šîã½iWä¾ZÿÎöWŠæ7>ïWÀ»àk{컣á·7åôÃ�Ã< ȾV—G­TU¾,�©R3zùQ83ÒTÏ�>GrˆNŠ2ä扸ƒøxôfpTîMË�›¢*Eö�œÃ}ðÛŸ“%ÕqoùMK¡ø|€÷t¯ý&â+¡Þ|v«fpõ}X‚Ì× O3ÀmúÏ�vŸØÀCL)êÿ"CC�`³lHeWÔ	F”A�?äþ7˜Ðéendstream
-endobj
-2502 0 obj <<
-/Type /Page
-/Contents 2503 0 R
-/Resources 2501 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2473 0 R
->> endobj
-2504 0 obj <<
-/D [2502 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2505 0 obj <<
-/D [2502 0 R /XYZ 56.6929 692.8049 null]
->> endobj
-2506 0 obj <<
-/D [2502 0 R /XYZ 56.6929 544.1607 null]
->> endobj
-2507 0 obj <<
-/D [2502 0 R /XYZ 56.6929 446.1895 null]
->> endobj
-2508 0 obj <<
-/D [2502 0 R /XYZ 56.6929 379.4876 null]
->> endobj
-2509 0 obj <<
-/D [2502 0 R /XYZ 56.6929 300.8306 null]
->> endobj
-866 0 obj <<
-/D [2502 0 R /XYZ 56.6929 259.3294 null]
->> endobj
-2510 0 obj <<
-/D [2502 0 R /XYZ 56.6929 221.6367 null]
->> endobj
-2511 0 obj <<
-/D [2502 0 R /XYZ 56.6929 188.5084 null]
->> endobj
-2512 0 obj <<
-/D [2502 0 R /XYZ 56.6929 118.8847 null]
->> endobj
-2501 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F55 1336 0 R /F22 973 0 R /F48 1253 0 R /F41 1233 0 R /F39 1173 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2515 0 obj <<
-/Length 2924      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ¸ñÝ¿B3}¨<áðÉ�ôɱu‰Ï‰íFNÛôîh‰–9¡HU¤âú~}X€(Ji§ãs	,€Å~ïRlBá�ME¨Hå$N%Q”©ÉrsF'k˜{Æ,ÎÌ!Í|¬wg?ý,âIJÒˆG“‡'o¯„Ð$a“‡Õ¯Ó‹ûûùíÕõ?Îg\Ñé;r>S”N?]Ü~¹øˆc÷ç)Ÿ^¼Ÿ/ÎgL%IH‘F‹èôêv±˜_Înæ_þ|÷éãÅ»ùÇóß~9›?tÄù`ThÊþuöëït²‚{ürF‰H5y�JXšòÉæL*A”Â�”g‹³¿vz³féC”HˆJx<ÂÎ&Œ‘T)°D¥$\–\Í—Ÿ¯ï®ïnõmÌšž‹t\!qœDyU5M¾œ}Ë_Ÿvõ¦ÌóÒ.âÞ"àx”P	‹õšuÞ6ç3¡Ø–Yè¥hŸjŸsÖÅ÷¼Ò Ÿê}ÏÙ´Ä·§Ý9K¦õÑ2|,w¯Û¶Fø93«|Úý²j…Àã¾(W=üF)/óÆžPïô-&3Gø¬cšf�;jÇoTÑE¾Ü»ƒôÌÃ0{ƒoYƒÏU®�¨ò¾>?ÿlwâJ(»¢Z
æ$’Š€ý„K9²ÿ
˜eØ-}±”0!Ëî*Ûä#2á‘éŸà #ó¹Œ�/z¤hðÙlóe¡o`.
-\×™¹GŽQzåPE"
þk¦2ª™ÚXe7lµzžù>i™9”¢jòª)Zð®£.åZs)N¦U­Ÿ©Çz3l¬†�?8G¿™¯ôåc°¢Y!îKQ–8ldÏ}cÜÌ=¾âÈ*Êöek7ÚWà‹œiG}œ
-9_t÷“42N[ÄÊ:"c5äë†E3÷ÖУÅÁ{>ˆ¡Í3p<³(Q&Œ\�ÚA“X±“·T`–]pÕ7óOR6îÀ>{‰êWX� ‚HÉÁÎóû6 µÏYk5ÌS
xµb6.ÖjÝs¾üæ"Þ“ÓbÛ¬-‹²h_ÝRþ5d¸HtüSÎÛºÍQrì-P¥ŽÁý
Àøl4‰†ŠèÄžáC‡«¬­w¯ˆÚZ�/6Û2ßäU;0
-
-‡¨¬Ìâ¾Ûo¿@Aä*¾Ûí"ŸqB¸v- ÕèX4ÊÊp¬¶Ò1‘ëzà‰I³0íÉN×aÜ&x¾ä&!蚶ûGH¹í%õ >HP‚Ì–­&rl*o—ÖÔ�¦7¦™­QlM
-§wüÅá¢éöÈò	ñ#°Þªd™+eлÜVÔßó]Ú k¢‚þšq}{õ—¾dñúTéÀçœ9šÛaEJ•{(:€äYªØW¤›ãNnFõ¶§½„‡uÂM8,Cør¼QÊA},áË|íaò¨ˆþ¦sš²k„´°~ „IÊBÚ®«•Ö,à )œj(G
-ªÎ“G:¤‘#Ã,ƒ�ÒÄá‘ï½æSW=ùiƒ®­ö®Z·õ9š(
-ö¨l"Evú#e‡sâ#%âÁÜŒÅ^A”r_äVÅ._š.ûÐï*ND
-Fq‚¬瀮ðäðqâÓµ8ì’!èàlËßëOØ:
z÷á¸ûiÀÁW5×<sMÕ—]ѶyEŽý
-D(¢º1rQÚ}xþ¿!ÒÿFêÊ&áã<‡O„H™#J3�ÉtHz÷[’CÚÿ€v«Iendstream
-endobj
-2514 0 obj <<
-/Type /Page
-/Contents 2515 0 R
-/Resources 2513 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2473 0 R
->> endobj
-2516 0 obj <<
-/D [2514 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2517 0 obj <<
-/D [2514 0 R /XYZ 85.0394 752.1413 null]
->> endobj
-2518 0 obj <<
-/D [2514 0 R /XYZ 85.0394 646.9327 null]
->> endobj
-2513 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2521 0 obj <<
-/Length 3027      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZYsÛ8~÷¯Ð›åŠÅà x<:ñÏÄvÖÖÔìÔd(‰²X¡H­HÙãýõÛ�nP¤DÉ©ÝÍT
 F£Ñ
-†ß¾]Ý_Þþól¤Œ€)0AˆáÝÅýo_‰öí,VË›«§³¿Æ¿œ\�åÚ�B£fÿ:ùó/1˜Á>~9žŽ#3x…“q¬ËßhÏøZ;J~òtò�F`kÔNí;ßDžQ~
-mG©§´†ÔʇSK©3KçÉ&¯éÇxü•‡Kj7³Íá$ybÆ"~¤oÔy]¤õ2–ãX¦eñ’®ëtÆäÂÉM¨q7†ýÇG�:·ó›…@,œ×`»*Œ`k±1´µl¹*i%^I…
®„„—EzÝHñ,WE<v%$Øý%©‰ôšå9õ&)�Á™ð*öP�”ÕV¶nŠ<­¶R	…,(az’9™½ÑHBt>Ü¡p{#'öøX¥V�6FíêLódJ{
-òë"›.¨;Mª”z¼=Xòשׁ³â™È¼Y˜Tnò³&?˜wÅ”ÎÒbšâÕÄ!âÇÍ�œØx¡ŽT¸
-¸Ù1*ð|!™‡ö²,_Rv Y}Ð#¾ñ¤‚ã¡ÍuØ#4\Ö#¬Þõ«uY—ÓrÏ-À’°›(>®\ÃÕ£]ûh¤B·+TW=ö
¾fÃóc€U²C/I¾I©KÁWŽ][;•R1~FÑpìè»bùI¨)6ËIÊÒ&iýšZ‚ÙŠu”1-áÖèØcvqµujÀj‹â¡¦Ÿß…”@Oz4ö@ñÇWeUe“<¥
»áŠFhÇQì| �»µçÍ2-jKœÍãpöf�_D–‹´ÇëÏDPF–R8žºê³ÿj3�‚[)ׇã˜
/´”ÇQÛæ:ŒÚ†Ë¢¶îAmìIeBÆÞVé^ƒ[QQ|\-ÇÔ£V'’ù =¤Vµn‹Y6…l
íY	öEJRÀBJ9:{<ŠRžŽühgGû.E
-Ã<ËMU“à	/�~¨³ôÅoã/Ÿî¯1w<'ÒýÃQ2‘9ÈãÁýÒ,×AÂýƒ›ë!{@F†�­†6°AÛ^ÌÛ’°gØ)ÎÓ53Ûˆ©\4„N2Éò¬~ëŽ&/j{ø¼rR'¨¼–d¤ÙE;H&Ã$Ùà€·²1…+©…H³~[Õôņ»¼!xî-®#pw\î/ýNZû¡8yú’îyè8‘:®˜cêQ¬ãŸ…‚'6]ÍÈ?SÆˇ8K'›çg
-ÈðÓ*vøÈDà…Z¼×Ú\GŽÌqÙ#{Û«”0ñ;K:¦ž%;µ‚ðŒ;K^äyùŠ.Xh®ë°¯8Sâw!Tný6PmÒ	D4TlŸ¹Ò˜Ñ0œZAÙœ',˜³‘w{I#œ*!	‚YžÍR¦gõ‚È”9"­œ%aéMö…v
�At­Ã¹(´&£(©3ÒÝ·´šÖÔµ>xÒÌUB’´ÅÎ$eLH6ò—òG:ÃP'}ÿÆ”ŠÄV^‘óä*™órd–Š}*²9µoå†Fš`g'nÚ¿˜G‘§5±OÒ>Ÿ°©Û؈¨ò%ƒ}}
É×¢Û(¦‹’¿eY~Z
-,]󶚲,áÁ„wwãs®n‚áœ2ÅåÎÞÝé4*×ÙÒ–$Pù\;Ul­YdX­p¡gá
-#�>-Ž¯›õ¦]óÝŒÕ]Ã	Ú‡9ÌÁ¤&ª�‹¾ço{×0x
-=´gõë鲤®ž¾6½YÓ[¸žÝÎ^fŽTÛ"—áõÂî.$=´Ór¹ÚЙWÆÓÞÒdÍJ¡˜¥¨g
\=O÷
u`¨£üѢܬéÇ,y«ìÃ-?庩ó4YQÏ.†VÅ|˲¨,´»º%5ë‰˵DAuðÃ-ßÒù]Ÿs¨�M-³NÅò4DÕ*�Ö„ͦrÑR?3°µD:·CMû‚Ïw¼Jç2з°�i]†õ8,)¸y–‚bÇS¡~'X·¹ë†Ëëoï¡�x¥˹ÝÊnª}È„dx\¿†«GÁNžµ›Vº« §9±;Z¨Šf”j©,¨uÏXo…b–PnvIí„…¬6¨Æö"ZÃÍ"ø@×ï«xx1¯mð°ÃÖç²çÈÝ^Ô&ë&„JFû»Þ“^ŽûyèÓ|3#Ðsx•ssʪÀ,ðBÝ’Q”uW˜{†¢üÛ
-¬‘E׈dpläþ[³áRÏÙæ
-§Ç|G�Ñ
µåªÎJ–¸ ÕVR�¯œØš¡�z�ï%ª®8iYÆwp‰EùŠÍA;€“÷d½ó<Ûæ:l
—µƒ‹>;О1ñϘAàAi¦�«×põè×1_xq„]ù9ÆpÄÙ
öðV´ñ�t¸(g5ôºiGJj'Ì� ÇÃô0@Tb¸“›¼òZ÷HöH&T²L2
-�“§3ø—}?+<¥á÷uÿÀhendstream
-endobj
-2520 0 obj <<
-/Type /Page
-/Contents 2521 0 R
-/Resources 2519 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2525 0 R
->> endobj
-2522 0 obj <<
-/D [2520 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2523 0 obj <<
-/D [2520 0 R /XYZ 56.6929 439.3142 null]
->> endobj
-2524 0 obj <<
-/D [2520 0 R /XYZ 56.6929 95.301 null]
->> endobj
-2519 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F55 1336 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2528 0 obj <<
-/Length 2297      
-/Filter /FlateDecode
->>
-stream
-xÚµYKsÛ8¾ûWè°º&Bð$€£bÉ�Ib{-¥j·œh‰²Y#‘‘vÊùõÓxѤYžÝšä Ðìn|h4>Àd€á?(�0Ó| 5G1˜¯�ðàÆÎŽˆ×¥aWëÓìèã)“�tJÓÁlÙ±¥VŠf‹Ûdt}=¹_üçxHN>¡ã¡À8ù:ºü6úâú®�5MFg“éñ�h%4(I£–âd|9�NN†Ÿ'ÿ=›\ÿ˜ý~4™µauC'˜™˜þ<ºý�˜ÁïG1°6ø	
ŒˆÖt°>â‚!Á=«£éÑ¿[ƒ�QûiŠVgÈ8R)Øx0¡QÊ(k
#¼˜Q1˜AÐ2€}ÇDnO•`q9èÚÛñÚjíºå¤ã–`�yÚw[Â?ãöã)¥]š"Ž�£SÔnÅš‡Ü	ä/N(³uŽö.'(ÅôPnu´Þ€*h†ê-¯¨¶ÝÆ¡êºÍ²,†FœB„{ *ŸÖù¦˜»Æ昨$t?u^6YST¥«–[_f«ûjS4ëý
-‰¨f
…ŒjeÝ-ʺÎçCp²ÜTëUv—¯"!j‰$K¥qîV8krkš4?+#ÈÄ·Ê릥’Ÿ°¼NÁl¤Ú©Üeu~L’…k¹ôHÃleb§�/\oÝ@ëÞO¦0P•}6ûý)ü›EÙ~Å�ДC–„pµÛ
-"Ö^É­ôñ�á´�ieæGšCεá˜s‚Ëšye®¯yÈo$+�p—;`0ßØT0½�UÇ~šüªJﾊًÂ{jV/ΔÙ#fÔ%dÇÈ¿..‡.ž¢TÁ&ô™Bí$O¾|Oº5³|�w¶
-•5¡ßäËÜMµœ{¾fåS«¨$Uˆ¦i¨ú± r(
-ÒÍ鉳È1ã{p’S.B¥‰;dŠ#©©ê<ú6;¿º9ŒìÔåM™7.ŒéK
ûÁ¤ÈŸjÓOëW¿1ž†å	¥%”cÜ_«°¥˜‰Q;Jr	ÇÆžÀR”¨Ý%÷#¥ÒIŽko�¤.9_ÉISU«÷¤âKY=Ö°?¶¸C
-¼›A­f\"kaPa5œY GÉ	
7‹aÇÂ.©”'(E枪·CÏãë1‰„N…O�¶ŠDJÜ4—!3«w«€ŽJE0
-QÔůX„ìTœ‘m“åA“†84/�Q›€ÅrÛ&k¥QÄ:‹P²Íí WèP“?VËe�7O©@R0±í餕æOO¬²ºŽ)%õ¶éñA`Þ1ß6;9h6/ï‹2†v_­µ¸<hq¹ÊîcçˆKE[{Ž¯iSoï/Îíð¬õwñù
-wópÄú½
59’Ù@EºƒöC+]\Èÿ	÷â J†ônžÃIñž<ÿ|8EŠ
p jóG"¥‚ôáç„ÁÍY©þ™~;üqmž'œ�¦‰EN$ÒŒªíÈÿh¥ëîǃÐ<nª¦šWî?[éæŸ	z«V°Hpªûbw�j½ÈŸ÷,,;•vúžâ[BÁê�³ >hˆÔ ÛïF¸9hsÏAÐOÅÖÞóA{«ü9_í+Ê;iûËKå+)Ù¢Wœ! 
-¼OÆ“éÉÍÅõìâê2r)‹½F˜pR!E¿ÒYfÌÝœ¾NZZæB ?F6dwjÈ¿%¨í¸gǦ•ùϹ¡þ¥½yA³(ݯe F pú/ÊÅÖ˜a§pÿH¹N.ÂEÁÅÜË`wÙ“xH]9)ÌƵüd$÷“�®§Ú�ù[H³éÅ™“ÌìfÇ›½QgsGíÌÀ¸>\1Iâ'^›	{ßµûíΚ…ÿÒÍ	ª¸
-áK*R;¬}vî‡~Ùq	8999»šÎŽ¡\}™Bغ†ï�×iQm™â0hÞ`³BP§aØTÕ�¶Â…çMhA�ƒè7­tovTÊd|ÏTÅq±4õ×U’!�yž¯VP5Âó¦Éù×ÑÉУš
¢N›R¾ÝãpêôÀ´>Ä
-t¨A5Ó‡œƒšZûÂ`§èkBÎKÓ˜gAÅ<N–uÑÏûÿ@dKDôoZ¸-&ÿ÷_÷^ÿ´
-è"�oP†9b*¦Ê`Aà<Ú
-]0à›Ê<eìÄþXÔendstream
-endobj
-2527 0 obj <<
-/Type /Page
-/Contents 2528 0 R
-/Resources 2526 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2525 0 R
->> endobj
-2529 0 obj <<
-/D [2527 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2530 0 obj <<
-/D [2527 0 R /XYZ 85.0394 590.9135 null]
->> endobj
-2531 0 obj <<
-/D [2527 0 R /XYZ 85.0394 530.3944 null]
->> endobj
-870 0 obj <<
-/D [2527 0 R /XYZ 85.0394 493.1893 null]
->> endobj
-1469 0 obj <<
-/D [2527 0 R /XYZ 85.0394 457.3833 null]
->> endobj
-2532 0 obj <<
-/D [2527 0 R /XYZ 85.0394 426.1417 null]
->> endobj
-2533 0 obj <<
-/D [2527 0 R /XYZ 85.0394 362.7008 null]
->> endobj
-2534 0 obj <<
-/D [2527 0 R /XYZ 85.0394 257.3259 null]
->> endobj
-2535 0 obj <<
-/D [2527 0 R /XYZ 85.0394 142.9115 null]
->> endobj
-2526 0 obj <<
-/Font << /F37 1038 0 R /F14 976 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R /F39 1173 0 R /F53 1328 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2538 0 obj <<
-/Length 3322      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ËrÛ8òî¯PÕF®Š8x|Ìœ<¶âx<ãx#gwçu %Øb…"µ"�óõÛ�nP¤Dɇ­”ƒÐ@7€~Sr$àŸ™(ˆR•Žâ4Œ�f4_�‰Ñ3Ì]ŸIÆ™x¤I맇³ïßëx”i¤¢ÑÃSg¯$I"G‹?Æ?qp;ˆñÕÝl6½œÜN»žÞ�Odš˜t|q?½»ºùÏùD
È€*Äø׋»Ï¿ÐØýyªÆ×ÓÙù_?ŸMZ¶º¬K¡‘§ÿžýñ—-à?Ÿ‰@…ÑtD ÓT�Vg¡Ñ�	µö#ÅÙììŸí†�Y·tð*¤”ŽÔÀ](Õ¹‹D&MÍ(6ii¥Ý]Ü<Á‘âd\Vئã¬x®6y³\Ñp^Óp½¶óüO!Ô¹ÛÅ;L¢q³´%¡}š]Ì>\HÂ}É‹‚†-µÛÚ.hîñ•Fö)Û
o´-[×4›â­~ÿ>”Þu˜±�	œ¹žhÂé�O†A¬’˜Qªu“Wåá)&¸r4ÑQ„Z˜ÑDÊ 5F¹Eîˆî|¡ˆÆ9,×±¿,óù’ÀyV[‚î@pt{n‡æÎ�Ð#ãйuÂVuc³ÈR”˜ñŸÂ¸øÃcûAläÉS12
-ž¬KÉŒ³²¸Ý½(va]€ÐAÊ°
í;Ó#ƒ¬7ˬ!¨+ÐågÈ=3´ó¥�q/
�§jãÕj�5ùc^äÍ«_Ú,	r·À}HÇ•
-n%„7½úðŽüžØ5šeAkgI´féx¯¶ÏËÎ:˜7RÑ‚lÛT+xµyV¯„SÛƯ¶„4y蜬+S:
-i`p`#eK�¢PZÈ#&�p&$2hrÀ¸{$§3�¤3ÆtuFIj4ëÌûZçßì>_Ìh¨¥>ÉX‹tÈYOIAKC©âk³V·j’
-ºH
-x‘R�vÉ]¬ã>¹År¬–o:å-ÅëzÀ+GA(’ô4s-Ö
-Õg¯ç˜UD9ˆª—ý²ÂÈ™£Á§(ú¸ÖëÈ°�©¯Y±Ý-�Fз¢Ö½…=Ö
©Öý—…mmîÄÑÁ�Lõ÷�wSAͧH9BÈ‘„RÍžìQ
ˆ�Ú’¥R©dñ…!gB¦¿}hР&ãß;Âúðqö@hŽ´Ó»‡›‡ßhvÇLd{ûfu]Ís²EØgõ”Œ–•;鎅í
?þy6ý„‡UÝ“ÕH1Õh�jÔR�¤Ç=ÙìÑ£	¿ãLJ]J»k	h$ ¶:¨™pk8 CÉ$B�Úr0�¨ó&ÿjÙ1_‘ea÷ê| ´üÚÝœ‹Ø!˜�ý©P<4&PRç“ŠßÅ:®ø-Ö.ƒí’„H&MÁûŸ$é‘HvU"0Ö²Oò3%è’ó_E)ædž­³ÇÂOuSbé.1½[d$ôz¡ã^Ô�çÂÚ‰[¿¤4\µE¥1Ù¦æʧæÒy
-7
-Ú'{‹ËmÒ€õœÛ…¥g±2ÿ]Mcs…Œ•F¤ænñÞ:®›Š/¨Ož¢³ÀŒ×›ü+ou¯Lkéãw3®ÈK#ÊÂÝûPê–¹X‘ý8´¤Ý:îGœàÈkj_¬Ó\M~~½}ÛÀ‡ÄA$„OB4=o�É¡)ÛÌÙoi�o9£N|©
¨·÷KÃyÝî‘Ôe|À)ÃzÆÂî
-Žc¨¶Õ¦±~E‰^<mö>ëtC`XžŽÿM¹|»¯yA‚{»&ãûÛËÙ?¤¤a¦F�œÛÅ.‡žÆaÝú˼–òGê°Çc»Z;' ¦x±Ù±´E‚8å—ÜÒõ—Kï+Ãð
¹ì`��K�µ+ÿìÉeD‰ŽX,ŸŠìùÀ8�ýJ¢ä4[i€­®H¦åG‰ì³5s_%DÈµÐ¿¶	�=Ó¤óö]ìݤCtß7^è
-è]ä]Lý¾µÃ
-¾€ãˆ¶¾
:ŠÇJF4¼úÆ—ÊÁbA×�†]ò¯E‡¬ë7éÞxM‚Œ_Êê¥$2Ž•%ð‰¾ä®hñ§÷—4¬ŒN	â4IS
[.H
-{‡I³
-S¦ö[Ê[I315‰OŽ„7
„úo|ƒoqN|‚'÷$·CæD¦ýr±È7vî~ãp`MÂ
-endobj
-2537 0 obj <<
-/Type /Page
-/Contents 2538 0 R
-/Resources 2536 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2525 0 R
->> endobj
-2539 0 obj <<
-/D [2537 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2536 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F41 1233 0 R /F21 950 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2542 0 obj <<
-/Length 3245      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Évã6òî¯ðÍôŒÅÆBp™99í^œ‰ÝKy3yI”Ù|M‘j.vœ¯Ÿª@‘%Ï{Ó}
-…Úa~Îà??�•ÏdœGIà+ÆÕùjsÆÎaíÓ'œ™Cš
±~Xœ½û(£óÄOBž/ÖZ±Ï☟/²ß¼ë¯_?ÜßÜþçr&ó~ð/gŠ1ïîúþ—ëŸöõ2Þõ§óËOb•
-z�	>%0‡e6û¶P8_ü|Hì`K‡4±¥l™$~`G[Þèm}ÉcO¯ÒVgx+y‰ã:}®jœVkgáZ.9çžp3tüˆÁn¡”oÈh€uBFËÊè'³å»�J
09÷ãDÁíY”¶-öÙâ<ðã0R§ùê±&£í?âxÌÙ\·ÍåLŠÀkŸ4N2½N»¢Å‹ÅO´\áØ5„¶6bÆs"ñM¿âäåI—8ˉŽCYUå³®í­Ypéè¦8€™k²ó‡'·ë=û�€,
´ÉO˜ˆ�0üD)a�–o¶î$"E;‰(4;À_U©¯`:�ÅjÇîd
-Ïöà—§|õ„ÓUÚhœÑñ`Ë?ó¦ÍËGÓaᣪ+2BM¿®³9�ér¥ÍÕ$‘Ñ÷}ìÈ&;Q…°Ví¥?º_†(#Í�A]cg' àC"Æ”BpˆRÂÍN�¡0N8x–Mõ¬òíQ·ÂWRE§ÝÂë¸[豬[ؾé¶uÕV«êÐ7�)œf®Çšànä‚Ä�d�Ù#ßÀgxŒt€X²KÏiÑÑ"z„!ú£.u�>ÚÀ�Ù¢ž) ³8Nݳ^
~–Ýf©k-uû¢­{�Fhe†~@Â9��E(e´¸ÝQ>PPøa�FiæýÎÃ@3îãÚk»vº­š&_DÉž¿Á/Ñú
Hf©=Úc·Ñe;„hü¢
-¼LU7G•XÅ‘¯ÞŒmC¬ãJÜcY%þ~,þŸÜ²�ÿ‡[NÅÿÑ–?w¹ñ~ §Þ¦Êô?@�„ôæÝ–\TÓ˜1Ë]Yj#™´6
C…^ÕµÛÎøf›è³*ºÌº/³Fjøèˆ ‰¼ÌrÈ3òªU%óþ}© P´O@
-1(
-ê³I‹¼}%là˜•AŒq@yÍœ×HÕÈzD¿0·'°äéfž6Ò„»OÌnÍ”—MKWb�·MÉé‚:4k°²ª~EÈ.¾qÂ
˜@t¬"ê�ðë¸®'2‰Ä‡´I¹„Çê_¦Ÿ3	S!rqš¹k‚»Q&ajR&Ô˜½ùV¯òßÖ/3NRgÂkªÎª�½VX°š#²[‚e‚½¡Â`÷%`n­AZçm½B$ÝàRV¹}ʪÅe²÷ç<£ÏÓ	#!Qà‰p¹×;�Ö;—WÄ~dŠ§±–÷6½ïƒ¸£(Ú¥¬ aàf¾w9¤60É�Ïm¾.e¯ºƒÜÙ|2�9À‘vâAxÞôÖ²Â#£•â�?uX©ü˜±xJ?öŽ3“Ô˜2Vãã7ã[uõ“^™n4‚ð>±¼ƒaõ”š¸dMðP„Yãhƒj±MÁ�á%K'p»–¥-µ%$ŒKÚË1ÉKPŠ4³b¸œ0s’»qïÜeŠÆÊÍ!­3…˜ìNÕÊWÄ‚²¤[È&D©˜/9—ãðäj
-èI÷ˆý�mG‹Í•gŠa	
-£9óq·#LZÅo¸�
Ö	·ã°¬Û™¿YÀŸx¬¯q’¯]_ã�±É¾Æˆ³÷TQ·V'0€0($ôþÆëëc³F GÍoýç¶ÈW¶ƒ
Ð>ÇÆETº!²«¤
tPé±¢J°Œa\Qãx¬jH#7ö7dJù_úêx7£PJòºÕ8³ÙJ첕„Q¶ÊÈÒ±]'˜`“¶6‡0Ý÷ƒn@ÂFg	YÀm^iS!ü�a*	´-CC‚V܇œM$–Ï !>â3p‡L‚5Ú’Ú8 �‡Èƒ“˜åR�̾ÝvË‚ÒzÄÙsélò?05`iÊ¥ M0ÏM^v½‘ŒŠ•1'ÖÒÁ?‚§¹ÂŸ.Ùƒ)¹(G¨ÂQ2ZM_�—2~1qÚ±Ž»€˺€fÊ@~9UŸª×º|lŸ3	eO3×cMp7îaÄ>‹D2fo/ó`.F1Õ•¿åÌB\+ƒ1Šì¡1„Ìô•œ6Jqè3Q6l]ÀFh6G†	WÆp9hfÄ>á^•°êjÚ±-(íÄ&eåôÄœ¸t­ñmWo«F�ûäØá8®/Æ«*�æi}`�Їeõe1¥/”tá³®­�Û×)}ù&k=Öo#m
áÊæÆÚ"úNVBýÂQ:ÖCWUŸp‰˜ü³ý¸Â‘Zæ‰k™ÈŽ*†½¤j]�JHå0Ùä�“ݦkZ$½¤-tŽ­+3ßu×cj¤‚œXè'ÉØqí^JÀiKçúå m?l9£#*×ø7Ю¡@‚­
-J†v+ì¤iq!|÷]¢#†%BP	52,!(¥‚­Í+Ãhëë_Ÿß¹ÿhÞ‡¯tÿå
-F‘«`
-mº¨û:Ê!"pÎ'9ë±&XG#îŽYÃç—Qʘée÷øØ;'Ë™ß÷“{Å�Š=€�yÚ&c¤¸¸½»½'/öåëâöËý|Bíá
-�í0ñ£²ºH‘SŽzøT¦Bê;î.ợڽ ‚ïÛàÓiàý
-ÿîînnpßJwÐÏŸïîæsM¿Ç,ötö^Rìó+ˆ¢™òþäëÝKª¢fgÒž
-ÉŠnù±¬êþáºÐégv3¸	oS•íïnAý~ìÈvR�úsÛ81ønNÁ`ïP¦x¤z�T
-2Uû¼Ó—%¦¼=M
[Õƒ¾Úó)£Ët¹—1(ÈvËl¢Ît¹¾òƒé?Öû§ÿûŸvàDÇã#^K“ãsÇ”‘%WrŸu¥€ŠE4Áû
í„uendstream
-endobj
-2541 0 obj <<
-/Type /Page
-/Contents 2542 0 R
-/Resources 2540 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2525 0 R
->> endobj
-2543 0 obj <<
-/D [2541 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2544 0 obj <<
-/D [2541 0 R /XYZ 85.0394 143.9886 null]
->> endobj
-2540 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F55 1336 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2547 0 obj <<
-/Length 2985      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z_sÛ6÷§ÐÃÍXžF
$Ø>9µšK“ørµ;×^ÓJ¢,N%Ñ);꧿]ì"%JÎ\“@Àb±Xüöh9ˆà¿˜D$™ÊiI3˜®.¢Á̽½�L3òD£6Õ›û‹×?èt�‰,QÉà~ÞâeEd­ÜÏ~¾©¸Ñðæöînüýèýø×·ãÛ«‘̬Ɇן>�ooÞýr5R&b �¢áÇëÛŸ¯?Ðا«L
¯ßŽï®~¿ÿñb|Äj‹.#�2ýyñÛïÑ`'øñ"v<Ã�HÈ,SƒÕEl´0±Ö~dyqwñïÀ°5ë–ö©"6V'ƒ‘Ž……ýû&E*%¥&‰V:(LÉ>…y*TØèôõÆ´(¥63 ™#™åMñºšÏë¢9TŠ±t,ÓA{ç#ùU�€ª½­ÎNv¼+š®&‹†Í¢€ŽÍœ@4T­©}^”ÓMæ4òG±£ß¥_]Q;a&�Ûɲ¬Ŭ;6ù«Z€�X
jæM±ñÓy³âÕÕHG~
o
-‚IEªtG—"3F¹“<—Ë%Ð¥Šd€¶\O—Û™Áý¢–ØAEà[Ü5Õ-ëªé2ÛÖž‘;´uùÀ,ËŽ¢Ódøn~°.õöì0_{9ærŒÞR[=6eÅyM!'<sÔ=ì¤(ÖdQ(×+êGèÌŠy¾]6ôÃÝ´Ÿ•Š×Õ36âÈúâid„}É
-Í g
×}
-�Ò¯¯¨uW
‹fŲ h­#RÇÂ%¤¼^²²=|ù–ækÔ.«õ0ñ‘Ž 3¸¯öSìë>G&òþn•ïÚ.q•û…GHÆ@ùXÕeSmvW`¼Cí¢z.ž@Ø4
-ØDžDžJD¬“ø䵨ΠÏS9䕽~M*ã‘W®áJžòåì ö&ÂÇYÙU�pØI+%]évIÂJMÌ𑕉EÎ4ç´‚˜Žj^mh8§ßx¨v¼O“R±
-Žqt•œµAÛQ,8Åb§-þökeP nK
-ì£ç¸)9(ã^EC@a=‡bõ¡»"õ¡_"õaÞÅ^º­�Q*²8¡œÖáËzhØØ??P
†“¢\?ÐДî„q
s.{„‰|M¿‹/�°›Ð0Zo§Ó¢®�©Â¤»zG\Án›ývÞ_fÚc¬-Ð>¶×;ôh§å+ZÕ�Ž¸„ÏwõwÔu‚<—uÑÍ,üŠ¿
-·]u 9ë6¹vé–“�K¹â��A…;ÇuÌëW\ÎÎi†s&P�cý°]놦(?‹Á·-—6f4:ÙÑ(—›Ž·`N¨f·óKÁ<.w—nãdx¹ªB÷ù’¥¹œ…±…ïU›>Wp¹*/�ýÛcû7§“Ú ]�wÛr6ééhfW䛚٭ªu³ð?ž‹âßÇûáî¢Ú2}:$�n²\oÁ3mƒ–	åÍ\ô�â?Wx

°ä[Î93l©ïðµ§Hçk¥u
^hVŠ¹
-ƒ(0€ãY”à‹¨�´>¥ÄëíøvüÓ5>ÝÞ�oˆÉûñ¯wÌ A#â�ðið2ü.{"¡]šP²¬k�h6ö¨Û,“L¤±,�V«GLÕÜëXæ�w¾]î}§²)Ù™�PÓæ4T7r0TÍiŒŸâ2ŒØ+!î¬#èg’…x¿†â›<Ï¿)ñ_�Й…Ò<¼pÑ‹až9FP¶etÒ…qÝ@p'“ã+<nÎÿîƒ;õmاsú!Ì™ÖI¡O©Ho^èýÉÂWÙp
ņ¯N<Òk™«�>ÿ}¡Mår-·4”JHÉ’/ªûez¸i
-ü¤Uç7õDÇ›v.ÒBY‘e¦»)ÞfÏb
-ù+÷?Vß:Ç4è„¢àÀZû‡˜6ÕiEª—uvÓ ¨£M{ÕÙ
-í„¢Ö<6å´Sƒ°?жàꌱ½2_>Tð…«Óêµ`—øåã¼z[TgÔë©^Tï¹M÷ê=Ü´_½íMOù­„Nmò"÷^ÀçUX1zßWUãÜ!Vx¢Ç+ãWÈ^T7õzÉ;§,ʼpûÜ‹C|ó\QüG±–…O4öéšç(“œŸ¦c~*2ô¨Ã„Þ�o}¾:Ñ"…ê焯üéàø4-²?¢µÃ1ÊJëC•Sf·W«–ÆòìX(‰Añ¤Hp2üXÐ#–Œ
£ÒýúÅáõy(½À²RØD¥Ý´ð~QôI	‘V¥~³š·˜%‘�lt­X&-éðWŽMŠß‰é7$Ô!ˆL+çpŒ_�‘	Æ4ì¸
-M
g}{&ÿxw;âÀökíA\þþÃÏ7cSAј
+:̸ûUN2J¥ÏbÎÜ8pU2¶‡ê�e[½qË9ŽBÁ7%:ç
-Ÿ=Ž¼M‡—
dûçh–
-ÜÀ„ZP0åÿu;¦Þù#Xݽ‡Êþ4øƒOc¸¢ê–¦­2ã(‡Ã‚êÛ“e„ø:=yTàõ·ÿhŸÆ©ÐöÔߨ"m}
-•!M|üùŽ
-endobj
-2546 0 obj <<
-/Type /Page
-/Contents 2547 0 R
-/Resources 2545 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2525 0 R
->> endobj
-2548 0 obj <<
-/D [2546 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2549 0 obj <<
-/D [2546 0 R /XYZ 56.6929 364.4689 null]
->> endobj
-2550 0 obj <<
-/D [2546 0 R /XYZ 56.6929 119.0358 null]
->> endobj
-2545 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F55 1336 0 R /F22 973 0 R /F41 1233 0 R /F14 976 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2553 0 obj <<
-/Length 1715      
-/Filter /FlateDecode
->>
-stream
-xÚ¥X[sÚF~çW0Ó<	›½kÕ>96N'¶kœ¶3IX@�(8î¯ïÙ‹„$/0m'3aWþöœ£s¾sY‘>†¤¯Â,æý(æH`"ú“U÷çð·w=â1Ã
-4l¢Þ>öÞ\±¨£XRÙœ5d)„•"ýÇéçÁùýýèöòúϳ!xð�
ƃ�ç·ŸÎ?¸g÷g1œ¿�φ$Ž9�20‰—·ãñèbø0úýîftöõñ}oôX›Õ4�`flú«÷ù+îOá
Þ÷0b±ý'Ø`‚iÕã‚!Á«ž,{ãÞoµÀÆ_íÑ�+SH(|ÁUÈ"F’Qf}q£$«õR£I¾B¯0f¯¨$›{sEiã8î‰B‘ Î‰×ÙÙ�a1(iaV|à%½ögIãlÄÇÌXlŽN³¢Ð“áwý<×Y@“„eïãГÍQ�”º¨4j§ðÆt	O­ÞÒG&±ð¼#Ú‰c©Šýá$›XbwdÈâE\@hA±Ô½G[ùz“îà�B0Q”ÊGµ?ki3�\�†,BJn±ãÑÈøüÃø.C*ᢇ"�gç™þ‚Vðñdq“<
-©XT6½½¾½tŠb¯oºJ³´(7I™oÜ£=Ó.tÙD»G“l›,ƒ>WˆJ)½ø�
ÅŠ0x¸ºp©`q@'ˆš
-]ú#Ží²Év�àØ.=Û›0/�/`ª�äLOÝ6õ\!Äj¥U?ë«—h7©f³mdX¦ŸÜb�¤¾¾ç³}¹4öíØn&yV&вy'¡³ü©Q
-#-´ü£ÆÕ¨€u­
B
-eðyAMŠ¨ñ�ª¬@
•-jFˆ&Û*Ïg0bxÇmÒ2�çUÅ
-ýŽ‰No®Ã«WëÒץ̌ÝÍúS“¡êU}Êüoõ:‡Ø@0ŠbªN°¡�:†
-eÙ0;T£Žª¬kÔK•¡ÕRy•[§ØÛ'&(4S«ôÏ°Wrp‘l‹êëAË~‚#ÄU=SŸœ%ŠD}ù³þmV“[ºÀaêk"<q}~œ‚•¶ì3«tæЉۺšçÖɲ6ýyhû…�8¬WI9Y˜¤·"Ò| ô
-endobj
-2552 0 obj <<
-/Type /Page
-/Contents 2553 0 R
-/Resources 2551 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2525 0 R
->> endobj
-2554 0 obj <<
-/D [2552 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2555 0 obj <<
-/D [2552 0 R /XYZ 85.0394 683.4656 null]
->> endobj
-2556 0 obj <<
-/D [2552 0 R /XYZ 85.0394 619.4692 null]
->> endobj
-874 0 obj <<
-/D [2552 0 R /XYZ 85.0394 579.8478 null]
->> endobj
-2557 0 obj <<
-/D [2552 0 R /XYZ 85.0394 546.5386 null]
->> endobj
-2558 0 obj <<
-/D [2552 0 R /XYZ 85.0394 510.6781 null]
->> endobj
-2559 0 obj <<
-/D [2552 0 R /XYZ 85.0394 443.7598 null]
->> endobj
-2560 0 obj <<
-/D [2552 0 R /XYZ 85.0394 382.7282 null]
->> endobj
-2561 0 obj <<
-/D [2552 0 R /XYZ 85.0394 306.7766 null]
->> endobj
-2551 0 obj <<
-/Font << /F37 1038 0 R /F48 1253 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F39 1173 0 R /F53 1328 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2564 0 obj <<
-/Length 2420      
-/Filter /FlateDecode
->>
-stream
-xÚµY[sÛ¶~÷¯ÐÛ‘§Š
�n¬ô¸qI�¶“ä
–(‹SŠÔ)»î¯?,À‹D+™éI:S�‹Åb±—o0Qø��¤"Js=ŠuD$er´Ü^ÐÑ#Ìý|Á<Ï$0Mº\?-.~|'â‘&Zq5Z¬;²B“„�«O㟈&— �Ž¯ïæóéÛÉ|ºXÜ|˜^N˜N_ÝßOï®o~¿œpI�x)¸ºûõêi÷—Ø~žÎ/¿,~¹˜.½ºº3*¬Rÿ½øô…ŽVp„_.(:‘£gø „iÍGÛ‹H
-"#!%¿˜_ü§Ø™uKmÁ(áBñ
cp6bŒh)yÏR%¸pÖ˜O§x¨«ÛùG{XÅ;&¤#˜%"BîUQUérògúò˜Ÿ©¤	ü�½ÁuBwÖ%ŒD(m~sw�Ûh¿Ûj›YUïM]î‘4K×éþ’%ã´X¦Hú`ŠƒÉ´b*!\)åÅ)ðfäfïÞ¢D0�1Â#É<7ñ=ëM¸–$Ññh"¡\:Ϋ_ÿþ8ûªÙnŠ:Ýi�:Ì_ª:ÝVøñ¶,ªr_g‡m»i÷b@5'<„.D)…pôŽ¨ÒºÎ¶©]jy…$T&¨Ú�Aú€b’�ê®Cƒ§ÒgÎc¯iP¹Þø9ð¼§dàÀGoÓÚ¬Lmðkê¿1ËÚ嶥=£Î_ŠrWeÕqv	FâD‰‘¤
-^ÆCÙÀà¤\B¾¼’*$fLÁ #ÂeJÄ`£á²”/|š¬¿„Ñ{<ìÝ	ÓHëI«U¶O—îÞý-#¢x€�ÐÛ
¡àäDIéYë:Çb¢OŽÅÝU¸1ý±\¯á˜b•$±ѱث
±ØžHC¾ £Ù7Ë—ÇògßGí›ï#öúûˆÝ|qY>1%ŠQìŠÈðiò4°-D3DåéS:,€Iëã
§_=GZ<fE: ±Ïæ%B<ÄV&)‰„Ô=¸žÎßÎnî7ïšE_)L<<Â=°X"¬3f ,`dð' •`ñx·ÏžÀM8áPÏ>SÊsO4Å
-°i…‹Lö˜´ã&-¯ñ{W»t™Y¹©÷–n†L;	é¹?dv¿Hz†^�ì£à‹=CHã$cö�qó
2
-ÛF�Gã…ó!H︾–¦°nÝR éÁ3*ç:˜{xTè*	ë$¿�Ôì±ø»,CÀ›ÒF»=îRÂÆ{ÜÆ®µQ…x
-ŸUý…~Åîð�gÕ&]½i$ jn‘oªMyÈWý…h§^‹NÒUÀZÅ‹Në%	½
ƒŽ�*÷›5 ¥°„XÇS@“*�ЭHÏü¯…\œ-šHX–Û-¦4PóÌé ˜@Ÿz•C“ ¤PG^}N­²í.Á½
-  „×Æ{ÁQ@ÐÕú‘<Üsu¿û2yÀ6ïÆÊ6Ø–âmŸ-cl|diþ†×>.xÆ,Ù!Wn�Ô~µË�)1L„?@
-QÃ%S@Mþl^üDÕ\ŒŽÀ1+Ìr™‚gœ.‡)^Ê
-·;Äk$eÚpC. "[©-Š� ãéý‹K,QEŒ1
-p‘Õ¯"‚’Dð¯ô‹-ÏëhàylNºEh`u|v³Àr²Yï…'½Í¦Ûð4q¨ÌcþpQµXí«Ã_CvðúIìßãT£M7þ�ÿì×þ}3Š‰H>|LÈ‹UPÊž“IuêBÿÂSÝÿÞIfendstream
-endobj
-2563 0 obj <<
-/Type /Page
-/Contents 2564 0 R
-/Resources 2562 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2572 0 R
->> endobj
-2565 0 obj <<
-/D [2563 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2566 0 obj <<
-/D [2563 0 R /XYZ 56.6929 752.2803 null]
->> endobj
-2567 0 obj <<
-/D [2563 0 R /XYZ 56.6929 690.9123 null]
->> endobj
-878 0 obj <<
-/D [2563 0 R /XYZ 56.6929 653.1174 null]
->> endobj
-1470 0 obj <<
-/D [2563 0 R /XYZ 56.6929 620.6102 null]
->> endobj
-2568 0 obj <<
-/D [2563 0 R /XYZ 56.6929 585.5517 null]
->> endobj
-2569 0 obj <<
-/D [2563 0 R /XYZ 56.6929 521.2619 null]
->> endobj
-2570 0 obj <<
-/D [2563 0 R /XYZ 56.6929 438.9484 null]
->> endobj
-2571 0 obj <<
-/D [2563 0 R /XYZ 56.6929 269.4372 null]
->> endobj
-2562 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R /F41 1233 0 R /F53 1328 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2575 0 obj <<
-/Length 2823      
-/Filter /FlateDecode
->>
-stream
-xÚµZÝsã6Ï_á™{°3·ÖŠ¢¨�Ù§´›mÓk²¹Ú;½›¶²MÇšµ%×’“õþõ -Ù²�mç’Q €ÀO
-/PQÛ´‘®+
-Z½ÐÔ˜éÉöé)/žèÕXæEŠÝÃ4â8	/ø¬ÁuÆg–Ëøì¶ÛgIª¬Ït
Vê#§Iˆ¢ïçMs\¶µ�{qßG˸O•FhGä4‘ƃ§üYDû¸ÖÅhô3½��
-݇]yA]4EhÌËÍ*«©ó¿ðwÿþ=õ”›6õÇïïG#�:ïæÔéädFÓÓv¥‹š(
󯌛}ë_ÊŠC3Šýö±±N ûo •ò.ôä<ɼ¨õ†§UÓ¬@wf<»rŽýsˆ
žþru0wëgr�¯2‰¬)Ó²
-=©DrÞ<ÇÕa_X©'¥m	Y°ü �cƒ�…-D–T¡EV‹Ë`¹_ÒsÂf5
-
)!lOÅ‹”Äß#%ñ`Ï$ÛH�ê&³§'ü¬jÖKk
V­»£LóÍÙÊ�íXÆ_…ŸŒýзg:>f2Ø»ëÀ^
-•
-2÷+ ç{a©äœmŽéظ6ô”ª8nYÇÈ“6=@ƒ‘'y@±Èkr4 ‘Ûñ%
š0/ßszbà•’zÒA�5b’R]òzЪj×t(Tž"n¯@_
¡7/ÿ¿U>‰JA|¡ò5¹NÃÊq\½ïÊixN¿®ò%išœ7ÏquØwXù`á%ÚòšŠöÔà5îRÐsAàÖTM.ZUA#·ãKzšPÀ ™^jª{ÒnádD˜…k2»Ÿ¤C.GZK^–Å“Þ¸˜Û˜ú†ôÄ)·*6Í­²]3®2;ðH
-Z£Ex³pA}¢åd°R„9ˆ¨¸ÙØÝ
£=gË7]qq ÷G¨ÍêfÎSÌ®:YÝ‚8ôÒ0¸pÜÝä:�c—É1yçªIÊV7;»£´Â,`;k›ãê0®•VÂÚ±h[Ç¥-²j‘ê083
å gôŽH¶‡G*¦W 2ð�}{tÙMz¤‚ó€jÃ:fæÜؤ{~ Šþ!í)a7Š×Ù&£#'$ïè™1ÛRg4'nª3WtDî�Vý”fZ«ÃÛB»	FIVž§íó+jßÖ-!í©w`šeF¸r(ú5gLëB—¶ä¡ÃÆHþL‘FŸ‘ÍWaDs�ÂÓFZ¾âÁ�
Fð(›'Û‘¡Ôó#,ðì¹3Í@‰¯ìÙ".Že¥qiAiJPº�¼í¦‚4Îj‚÷„ðl9	ƱØheDá6�B8¢Zr`?ç_Á«~Ôeò¯0Û�Ž±ûpI´µé‡Ý‡[:^ÉA³!Ï	ŠáLéD|É€¿?Ä\‚¸p#‰Œ
-èzˆúèë5¾S½¾¦›$4Nc\»‚…f¢ývÑKæƒ0^ÚÛí„c;DGÔé¢qÜÌÅïøÌ
yÉí¡n~ptüUÓuH§ónÌ–Mñ�”¡Ûó5¯7ª7|þ4§Þš…×@ØE{À°që�ÔÉŽ¨fËβ
�%©£[ììïúFqd¯<Ló¥ÏÖЕ‡¡-l«ûÌÞ^€DÉq
-P­¼’ÛpA	nËK&ËG=æV‚ÅÑ�¿¸;…h»
Mw§
-¯¾Ê|üåîa|â2Sœ¾ÌœèÀ̇|ù	›É0H—yºðÄ9/«òÒŽ|½É‹úÀ ÅÝݯt�
Ô3{<U•Ó<s,|e¹÷ï¾:ŸXþDÊ“0׳‹Ÿ=Ïé¥ó˜…ÏöPì©Ã0<«Ì²)kú5E¿ª–²Ç†¿ UŸì�Z`j³5Ý%{§~©
-endobj
-2574 0 obj <<
-/Type /Page
-/Contents 2575 0 R
-/Resources 2573 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2572 0 R
->> endobj
-2576 0 obj <<
-/D [2574 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2577 0 obj <<
-/D [2574 0 R /XYZ 85.0394 657.4255 null]
->> endobj
-2578 0 obj <<
-/D [2574 0 R /XYZ 85.0394 112.9597 null]
->> endobj
-2573 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F55 1336 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2581 0 obj <<
-/Length 2239      
-/Filter /FlateDecode
->>
-stream
-xÚ¥YÝsâ8Ï_Á#©}Y–ö-“d²ìÍ’°W[736‰wÀæ°Élö¯¿–õ�mdï*U±�ÚÝ­ŸZýe2ÀðG‘@BQ5ˆG&Ñ`±¾ÀƒgX»¿ –fäˆFmª�ó‹«O,(¤ƒù²ÅK",%ÌÓ/Ã�ˆ`t	,ððv2›ÝÝŒfãûÉ¿&w—#")‰‡×��w“Ûñï—#a bŒ‡¿^O~»þlæ/^ßßÍ.¿Í¹¸›{ÍÚÚÌ´Zÿ¹øò
RØÄ/1%£Áø�QŠÖ<b(⌹™ÕÅì⟞akµy5„�$Š(€Cã8ŒA1!@sŒÆÒcFI3G¥1môF¯>EQ‹’$Uš5$7W�W×WÓ«ñÕíU²Zõ�! #�è -ü@EGP‘¶†(L::>nó¢†ã¡ñ0Ñ9¬6Ù"ÿŠ1]˜éuV'iRÛÕ×dµËÌB¹5Ï*«ÍZ¹<úFæÀ0Î_2ƒ	o£G…B’Ã	àn]õ9¢”6$å¦ÎËŠKÞŒ¤§†÷`ÄD§
�
-3p|Ù‡€±B˜ÂÐð*S0ø½
?/j³{Zip¬¤è¨$‚˜kL,§ëc¢øQQÉ¢Î_ß%‰‚¹gZÓ¿¿)ßkù¾}E(bÄ�á8 mÄ)h)Ò7à­ñ£F.ò¢³G˜1R›¡9û¾tàL„· Ûà^¹�´³×¶Ì4›ïÈÓW›àá\{÷ÒLo¬W�¡öjFŸe�“sVß]t
L Î1ß»†øê¡õ•=ÕY„¤ðç„,xlcð5°e1Š%e
íìîÎhqýyöàŒ#*!.4yZTU¶}ÏÞž³â+Ž°„ÄnÄ.Vùsñ¸—ÖrשöyÄQ¥œí}On
eÕI×y‘Wõ6©ÝIL³ef®XX$MŠ]„
B¸ûÒ€#%½5N?ÝŽ��
-!ÈŒL^dÆûuMmÂ…¶ý²\…@Ã=k|+ÊM•Wýt€A2"ƒ8
-ðì¼ëD¶I
–˜f¯Gn!>¼…3?ªÎº¿ªN¶õ1/)Ç‘ìóŸŸÅ¬®CFNbˆÞô€]íG;?z=ê�\"³Ê^³ÕûãÌïaW¡KÕ5ÐìÏ<·.#õ«'œø1+ýÓ�þò#vvCU²ªƒé1R¸ôŸÏ{¸ÀMÝP½ÿd¯íHGb
-Þ´9k6¡+—ˆǵ™‚\^ƒ’Y‰Éæ`
.™™šNgã{3gRð…餎·!dP
-endobj
-2580 0 obj <<
-/Type /Page
-/Contents 2581 0 R
-/Resources 2579 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2572 0 R
->> endobj
-2582 0 obj <<
-/D [2580 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2583 0 obj <<
-/D [2580 0 R /XYZ 56.6929 659.6547 null]
->> endobj
-2584 0 obj <<
-/D [2580 0 R /XYZ 56.6929 595.7578 null]
->> endobj
-882 0 obj <<
-/D [2580 0 R /XYZ 56.6929 556.2057 null]
->> endobj
-2585 0 obj <<
-/D [2580 0 R /XYZ 56.6929 519.369 null]
->> endobj
-2586 0 obj <<
-/D [2580 0 R /XYZ 56.6929 487.0966 null]
->> endobj
-2587 0 obj <<
-/D [2580 0 R /XYZ 56.6929 420.2778 null]
->> endobj
-2588 0 obj <<
-/D [2580 0 R /XYZ 56.6929 287.6148 null]
->> endobj
-2589 0 obj <<
-/D [2580 0 R /XYZ 56.6929 199.8075 null]
->> endobj
-2579 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F55 1336 0 R /F22 973 0 R /F41 1233 0 R /F39 1173 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2592 0 obj <<
-/Length 3585      
-/Filter /FlateDecode
->>
-stream
-xÚÅZM{㶾ûWèi{�Ÿ¬P|’@rrÖn²Ù]ïvåm’&9ÐeñY‰TEj÷×wP¤DÉÛôPû@h0ÀÌ; qø#kWN�R§™áÂŒfë>z€¾ï.Dà™D¦I—ëÛ»‹¿þM¥#Ç\"“ÑÝ¢3–eÜZ1º›ÿ2¾zÿþæöúÕO—iøø[v91œ�ß^Ý~¼zC´÷—NŽ¯¾»™^N„•"&Á‘/áãëÛéôæådúê»Û¾»½¹üí›»V²®ô‚+ë_¿üÆGsXÄœ)gÍè~p&œ“£õ…6Š­T¤¬.¦oìôúW‡vCËŒÔÉhÌJ	7¼gœq{0Iµ`"qI»gRíYäÂ=›\.Ô%,1&u;š22
L);S
-.X¢Òþ”ïvÍf×\N”MÇU¹z–7˪Ή¸½vœÏ*ÿœ­yÚä5qf»¦ZgM1ËVôr:^geö�Öû'\ÒÁâeÊYÊAîe˜—u�Ï&uñPþ»*óðBWôT³Ä9ø_\N´”ã‚å -)´>|
-NçÕ
ÖÇ¥í«Ã£ÓÍ*èBS¬óúäik€<­žÉÞ:L§O;2ùÓ^
œ¶cBšôÏ!Q*Êã	¦T<9+VËt,W?>ÁàÐ{‚í݈L´7çÄŒ¯ß`²ó¢
NcuÏ4Ÿt"Hõ¦–„þ<±Ã(JEBä„ïbN姘¶£ã‰+R
-ì[áûQ	�–m  ›ÇC–°’ĸgŒ~9T‹ƒ®£ôí”6A3�W‡×}ˆ\^!ê!óçà#Ûä
-„·RôÝz±ªÏ‹$ª\xÞ×ÕjçŇè»
-½$Æ
-âõÏ9Qp=ŒÂØ«’˜»¯j:—=/µ¼|�d^\BèÖ”û§0?=Ú”MRö‹,?ÃßÛ·×13iõõ÷ß¿};�R†NÑgߠň±äðg@R­
çÈ[™S}¡¿ÖæëØõ»{Im¨ÀñÖ*o–¾~ ý°¾ !ÇWÝ*BÜ%d§M�7n‰
[bý–´ûaÃ~ØñW·>r 6…:¯ÜÒr–ªœÚ>«Á_¤aÐè{vì‰ç§(–
-Å�Oùc@[L�ˆX:	qXá°"î³×å:
q-—‡¸|âRqÚ²À|à° ¦�í¬p-×€t=€Ó–%Š»¾x-À	6à°å
Î÷ùCÂ
\�¿pø3
-<�2“§è_¥­ó4¿Q~EáD"êË%#=N3m�îoHÈôØ�e$�*	ùäL	sªõ®>¨ÛÂéÅj³ÌÊ�©,˜�åö¿·Á“˜+ñÆÌÚgÂÊ.×iÌm¹<æþ4„¹’i£Ú­ú½¡HÚWžO"°ƒìÕgEm¹dínlŒ;HËzÂþ_Ø{ÍÞ
-»Àn*Ú$q
é¾>�?°š\•„�8Å‚È-óëékjAˆOù¦	b,pR¬à%‚'¡nEŸ1Ô¢Ñ0"ê.¯Ř꾗.ÂN,ãUÎ:+wþþ²­ùY-Ó‰Lé6»¦ÒØ)'ž2gµù#>ìÊ‘·ÆÛÔ½·†É‚‚V¦ï:Eÿ“žGÞÚÚ®·Ö2õŽ-Iv�²4áQÃA`HïP÷	ü�Áûü
ÙruÝš1Ñ­AË;mäN{ÿ’A§íŽNÙ:žÇ˜�ÉšOk볘H°…ƒÐD§¤:*'4ú.\'q÷uPW|vv~†�D§­ÓƶÏH<mèؤŒskŸ꣫{@×ÔênzsNÃr(OI Ó·éAÕ2î�W)‰7 ÇF'êË\n"]7¦À1üA+Ú^h´~~¢¹9uK.8Ī5Ž3óëÂ|žv­ˆs€IwÛ2�ÚB2uTôÄHÇå#i»j=©÷90ì.ä5ÚÉã\˜ùtlà°a3…Tä¬Åþãˆ?Τ_Gî¹pF`~,å3%ò.×ép¦åòáÌb°lšX•«ò_¨LÅê8„I8Ói¢Î‹×r
Èׯ’ˆ¢Ò´/ }!’qyéËàb¼FL´jAO(HŠªø9
ýÍÖžЭɊø¥H5è@ÿåSÐçþS©t?qÐab �AÂe«¦ƒÑs
-�N{ÍÆB²(%KŒÇ—Ïù|øûkãAø)¹Š_r(°7Z+4é˱þŽÙ!}
'!¸>Ùʌ͔®›¶ÀD>NóRTÃ~XÿO“?
Ùøj%;8`y°ºöX¸n¿RQ­�Û¢iÚwªx³¯`~•œˆXð#€y?¤òUk¿/:”P	(Ü`Ń߳¶u¡uÖôß¿BŽ·Ø­Vø<mÆ<e‰{¦Ôa:cÄ�ÉÛðòèbR=­ÏÏyŽçë]Œ;¦¥éÏ÷~[”ñ�°Uõ²Ú†
©wëu¶}:q-@WMñå2œÊÃn�—�¯>\ÓréVÁ¾ôÃ5ý¼¦)“i"žù pÏtæ{ÂÀäÏ¥xîJ
-ö1ßBPp\�ýµøÝáÁZ¦cÉúµ¹Ú©è‰öc›åeôØPðõ¹¨võêi�»Èø°U„o“ÕuìÍ̓Z—Ãi¡¿XÄÆ}ÞMi¦P«»[æC¨§î¤Ö›v°Ö‰²°X½ÿ¸‡Vï7û%åú°Îý4[ÅÂzœÂÿÊg† diA)ëAÝB|p94¤.�SC°¢ìUá1ŽaôÍO¬«g4N¼Õ‘‡cœú0W�+UjHmø(bãÿüÑîþûd•µ'ü:
-ODw(º
gg,Øö±ìÿ
ÐÀ ˆendstream
-endobj
-2591 0 obj <<
-/Type /Page
-/Contents 2592 0 R
-/Resources 2590 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2572 0 R
->> endobj
-2593 0 obj <<
-/D [2591 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2590 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2596 0 obj <<
-/Length 3487      
-/Filter /FlateDecode
->>
-stream
-xڥ˒ã6îÞ_á[ÔU±">ôànía’™¤&ÉöÌNwj·6ÉAmÉmelÉ1åéq¾~
”%Yr'µåƒ)!OBbÁO,â$LŒ4‹Ôè0ŽD¼Xín¢ÅÌ}w#gé‘–}¬¯n¾úV¥šD&‹‡u�VFY&ÅÏÁסˆÂ[ ¯ïîïß|³¼ûÝÝßݽ¹]ŠLŠ4xõþý›»×oÿs»”qø€EÁ?_ÝýôêG‚½¿52xõÝ›ûÛ_¾¿yóÐqÖç^D
-Ùúýæç_£E
/ñýM*“Å‹gxˆBaŒ\ìnt¬ÂX+å!Û›û›u{³né¤4à…¤Jä„8¤ì‰#alL¼Hc&J*'Žòó¾:ÜŠ,(-¼[&‚|Ý–¶›’«ÓjËê†éOùöK|Ì‚ªe0¯&Rm^Õe
‚Ó‘
-Þ
™ÃseË™%«¦¶UQÒÊ‚wnèÿ‘wu\Võ=Ù¦©1äu�g
-š8–î­ÜpPÏÕvK#G	þi›ý6_!ƒ~iÒ¥•øΨ (×ùqÛâƒô@¸
-¢~õ­}›‰C“	
œvÔÅ©â@›â(ÔZgŒØLÑBLfÅ1:G-‘¡ß3÷ï‹Û}¹ª~‰"Y_ò²þ	0‘jÁ+‹ÚÚrµD±ý�r¹Mš† ø1ã?•uyÈ[§ùÉHÜ–ÕnòÖ	t©@I	d‚=3«Ò
-#X6äÐù*%â€Y€±v:ƒ°ÖO:.iÎY…¢ImKÚt𾱶zÜ–„DÄ,áõta$3©“0M"ɲøEJÝ–Ÿ[üŸ0<	‚3Þî~‰âˆÝ+ïDž|làÞ[éÞ&‡üyn�4Á—üàRË$zdµ|L4û¶jj{ØþPíòCµ=1L².\d‚'§ø&!…ç£õ3dò0(Nu¾«Vô€NÅc øyÛ09ô/<bŠÅq·§IàÝØØŸÓñ¡µ§dršœ	<ÖM½Äƒ '¯8†@‹�™ü
-™$î(éÔ“Ô©Išå
-¬ºŒ+0_Y{ôd�NŒ´
-\¹‡�xòøßzÞ-!
tKpì)$©çꟉPõ�óÕÿÒ@öE£º}ÒDzÜÏè ½±9ßo
¦®÷´„d1‹{Õ?æI.GšÙ"†”'ëpúNA˜PÅ©êQ=ÖÕgŒrsD£ÐDYÖ¿Xèk
†ï”†P‘I5©iÙǺÔTGßaM‰u ‚B�nq}÷kbû�
-â%g�öÝøª»KŠj=Nœ~^sbƒó
-4èºØzXWÄæ±fõexG—™ä:ÖÃ;:0ó42C&Þöû¿ 1Ž”]üðí74&“œ¾Aê±ÙA¿²³Â•Y®$».ÛÒ¼h=ÒœÍ+Ã8ÊôÕí;¤Ëýb%ñ§îË¿,KŸ…t+ú“ÍÚ/†Œ»ðeZåú3.¡Ù7«Ílˆ’àu´Ž²ë!ª�5¢:,¢šéäCé´+�ÕSU_æÀ
-\Vœ]g­Ãšàm˜da†iÇ€¹/H¾JA1:f85|»y�A/gt]±áO¢½¤Þ]zö2ÍÜÚãn.Ñìhx¾æÎOfadTòÂùõ°®œŸÇrç÷î¥*Þ+=�¡…Ä×ì°&8œb¬Ð�²!‹ÔCH£s!”4¦þºÄ&�ý1 ¢¿R†¼ÃÕ@©8¯éª 4òéFó½fC·«¥¥WÒ�3îH]¦×{B%sM‡‰l#
-c9è5¬�Ûíñ$ŒÏÝÔçDÏ›ŠjëŒÔ|/C„R›Œ®aª»¥�=VmþHzžù’Èß26«Òú˜�ÑMJLw2‡šœÀ€TûÖ~I)·IB)#1j\N¦F2
-“D¨?ÕnQ�	™ŽÀÃLK…"1#rÿ¸›!¨T9Z�Eª…ö"UxÛ6þEù¯pÀ%¶û8�þsú{¬êüp¢q§Þ4&Š‡|�
[„m¾‡rOS²�øcbíÛÙ貊±˜®EN)ó¨'%þœtT˜	Ó•&ý⛶äëTO—°!],ÝÁ5“;ÌÞþ™fØŪ”mûot‰Pñ‚;ªx§ˆ»ÌÝŽL'=;håûI0ûXö[ÍyÁPîLc‹šútüz%=óO‘aÂf¼�QéLþ>¼A»F1ŽMý°³ò×oÃuîק>t[æ¾q¬„‘�Eô¿©ž6ƒ«”.žv_žØš�^Ruƒ
§«Ñ«�5½:,½öã-“Gú–ibËÁ§"ŒÒl´åO(0et°·å±h–t� 8(ò6§Égº}ãî*Y­ñ—^ÜgÅâV+îô*îî"Ö:·m×CÑ
-ŒÝ6À kWÄ�4ðØ}Q�8tïŠSœ’#>Ÿ=]å
-ãzس/SéØÇ“NSß~NÕ¹9
-»üD§[0y´åú®|K�ôÖˆÐk‚ÉÁu7`ù3Ì8Mƒ¿ÐßcjŠ'{Þ³͈˜•�º ÞV»ª½ò-†‰!|dòº&ö�æÑ#9=|?§‡×öëÔðb¿)-ìï÷º²>
-endobj
-2595 0 obj <<
-/Type /Page
-/Contents 2596 0 R
-/Resources 2594 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2572 0 R
->> endobj
-2597 0 obj <<
-/D [2595 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2594 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F41 1233 0 R /F21 950 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2600 0 obj <<
-/Length 3141      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿Bo•g,HöžÒÖͤ×sr±;½»¶´DÙœH¤*Rv|¿þv±”H¥io<c‚À»Øï]JÎüÉYj"¡³x–dqd„4³åöBÌ`íÍ…d˜…Z„PßÜ]¼ú^'³,ʬ²³»upV‰4•³»Õ/ó×ïß_ß|÷ö_—eÄü›èra„˜ÿãõÍO¯¤¹÷—™š¿~s}{¹�©’	
-ø™·b1seíÞê-½},^:nå-�ªšž›ºz(ö4.>•MëÄ2Ng ¥ ÊἩ÷Û|³y¹”Rί`G’ΟI¢æ9=vDÆSYšÍË¢“u¢½:
-mLIš¢K}`	Òª>‰Üªh€™‹ØšùÛõ`'@îŠ}ªüÀ½4m±¥¥UíñTuKËä÷ê§rÅÛóýÓÆ€(¯¯€[¯œ¾/ 
-p8OÓ�õ3#ki½³E¾
-úÊ+òbJW‹sZ�–Í $‚Ð[ø•·
-O8#­ÌKKf):…Ç9nhÔ�ίó¸ê8-Pç¡®niìøáÜ‹^Ýe
-ÿÂÅ"Ïêô/78áœp=˜.dó¢D2¡ô£×š§©¨È¤—9ΪÎ`JÝíà�«bSV”bë°Sƒ':3Ö¾‹„3eu„”5"V‰Ÿã�ƒæCoÞÝMËòÈ;úÀþ‡Åu*À‘_Àó|ºVù|v3Œ'-l¤¬ŒÏ!ÔtaÐA¹Âàn¤!U틤¶Ýœ("”Q�ñëótuP#„
´M‰(Ö)´"”¦æ <îî~¤�<]©}5‰#ÊX´o$ÂL×ÞÒÇýL>¼Üîê}ë(+8IXw
:=h;†
-—Ö7·aÄ• Oƒ©¡Vžè/
-_ÒQñzâ¢!�\ùã«eAÃNâ0>•8L­`K\ÇA ðv˜}žNlPBzYcÛÀÆê(Guõ¥ÌRç¶ðIE%Ž–yŽÞeoyŠÂV:Ï7MÍA)ä¨Yûs
-
·cðR1Rþ”°p_%÷qÖ3Ç'B¤žBº)›€;zW|B–šGÍÏ�¥+¶âÌ]�Fd�qvŒî+r‚dØ°ìô¶¡ñ3µèatϧPJg¢ðôeyìÂùö*pß0åªdx’Û…A½î`¢yßQë¿‘Bá´¢�óNIoš8Ç®*¥a*ìümE�ì80Yp�F:ÚúÃrz[Öø
].ê¾hŸ©Lëq$=×4©™{^-u=�«‰o]Ãj�ÿº’ö4s™Q
-’™ju>D…PÓ!ªƒræßžô®dd“8>�Ò� ô®ld
”k”ï÷eå{x-ä.`6Kæ�oü-ëí³—ºšäˆLt”êÏ4ó i~x ÇŽÃT+ï¾®“w‚o¬‘âûiGIº6v~s{ýí+ü§ñ=Á.±KÄŒ÷ñ8boÓ¹zÌiiøQ“æü—M£¬waU6ÿùÒ˜¹û¼…@-‡Ëá#bªéØ 	¡Ö¨>Ôr÷Û#H0ÃÞ‚F˼¢�kK§�m>cNÚÒ5œp}kÞ£1É”œÃ¦Ò‘�ú¶Ž¦ÑéQ|ñ9ƨFÜ)¹­C‹9nMO.ŒVàô€ÏkŽ
î3Lïò}¾ÅÖvÄL,;c¦S‰Íˆ‡Ù|ڟծɗôg3Ó}c!‡Ž(ú�¤üé&UQ&ÓxÂ7õÑË™i9»èRo¯yÓv)’ÈB¦öÃ ÎX¦‡r¦ù4–LËHljÿ�°
ošN+È{(ËÎRÖA��6ÈŒ´Œ”±CÒn‹¶9ªYVÅýáá¡ã¨£lúG	ඟûÍGtæ'äöéÄ—éHƒ"œÅçaNñ
|Yi™™
¾w•ó:�ÏR
§¥ÿS>!±ûNëlV0	ñ3ðjnüÆÔ…ÖÜÂÄéz[¶=–ðWx^�ŠÚÌñ¡/ô]5îb†®
-endobj
-2599 0 obj <<
-/Type /Page
-/Contents 2600 0 R
-/Resources 2598 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2572 0 R
->> endobj
-2601 0 obj <<
-/D [2599 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2598 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F41 1233 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2604 0 obj <<
-/Length 2361      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ËrãÆñ®¯àŪ,Læ
 |â®èµ¼»’"jËNl $‘%
E ¥•¿>Ýó
-·”ÛâiSVeåp_VÙÖBÛÚ"7å²ržp¿*»9ÏvMÑ´4#KnYäöPjº·s‹ÝËÖkTÓˆ1’©Q@ª7òXYæV¦¼¹
-FBÎv�y¶-¢ùª˜�¾6_íѪþÁ횊QJâXrwôϺrÌÖ�Û­aXªD#
Þ …f^-6«lª=$$(¸ŽÐŽ
™ÙA¬9‡Ö‰$š*yÚë»Xǽ¾Å2^/,cJõ4@â$UŽ±&[o‡|¥B•'§ùòH
¾ºjH5±d}¾>Uñ&¯‹“qVÙï5¤2�`<ž¯²Ò­¾”Û•…Œ_!°,Ÿ·»*¾ÙE5¯sãã°ŠB�¯éTŽ'v;Ïw:ŸÓŠèš‹
£L
Õ2�†’2*’±©¹tîex(,=AÇx2†T$”"”ÂÙ^P•U^Î�&0+oM„#TÕökø0�	Äq;„�M-­~Mæ°÷:d§b�ŠÉQ—”Œ0&ßrÉÖ	—ôXÆ%
-¹$ÖšØiµÜÞëª2Ç ¦T¬’ÓܵX
öz™@(¢TÌúüýrT‰YÖáEk¯loªMV½:ãU­Pà—‚a¾vèy±ÈvC#c�?fš‚x‰~Ã2¬–ñXÆ2“ƒ“X3qš¤G
-�ìj;æ²®î“tÊNE_ÙКdnÝ+–\NÀU(%°Ž
›7·÷X–n¾ÜÛ
_cq¯v§°º
/5‡Xåv7¯í‚-r{6MM%$Qq?œ;¾qx3,.ê'ïM1ßùöÀúÁºXzÁë)\
ºJ¨ÕÕ—Æ)§õ0€Ú¢…«/åÜhƒ™Wž³1)È…
7Ù5?ã1°®pÑd*”1IOz©Î�Ù=U�磰@_û´£}6®¸µ°V~
-MOØ€æ챘[7Ôºu4
-F¥–
-êSÉÆ×ao“¾÷ÅšÄ\y…DË�!°ÃŒ{v8ÔlĘÁ.û­îw0ºƒä.È0S؈ÆE f¿µývÝÁžê»ˆYû�	ÙOÂVgGb1„Ú¿–Ø#”Ø¿'H+_l_û	Ÿ�³‡úÚu÷Ÿ£sÐ|šÂ¤šÈ~jtH8Ž	K¹7ÃÜú¤ºfPqö
ßÀBZPI¿Ž’˜æ%ÿø…#o‚ƒþ®mO@r×D†JÊ=@.\ñ­æÞ{}ý̆}a³Q7mÝãb_gÒv$2�z cµÓC[l¬,Ä…&Ã:(Dߟ½à­iñ?{F¾¢Ø�Ã!�¹žÖÂ^Bîë¬užà‚ì	€4k_¤ï¬YÛ‘4×Å!áý$
-³wÓì6Cç¶&vÚ¥u	%‚A€¸0…´w»P´ãñD2ù“È_˼—zí·V³éÔjkòivsªÁb‡Ýæè¬Ë"ífaFdû\ùîêúÒ’Iµ^h¶Ðüø¶ð®_vésVí²u(Ê¡ë‚@ðOÜ!úØ41Ÿî~|oo”TˆÀ}’.k“F°3M1ó~W}“/÷?Ýܽ­·+|…«
-癳WhD6.#½¯«
-b¹ÛûAL(‚¿bæ7ÚrøÿX¶ÿ]PßIÂÓ ��ÃÚ3…Â1Í^J8Hàý¿Öháendstream
-endobj
-2603 0 obj <<
-/Type /Page
-/Contents 2604 0 R
-/Resources 2602 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2609 0 R
->> endobj
-2605 0 obj <<
-/D [2603 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2606 0 obj <<
-/D [2603 0 R /XYZ 56.6929 430.5757 null]
->> endobj
-2607 0 obj <<
-/D [2603 0 R /XYZ 56.6929 152.6716 null]
->> endobj
-2608 0 obj <<
-/D [2603 0 R /XYZ 56.6929 84.6865 null]
->> endobj
-2602 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F55 1336 0 R /F53 1328 0 R /F41 1233 0 R /F48 1253 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2612 0 obj <<
-/Length 2351      
-/Filter /FlateDecode
->>
-stream
-xÚ­Y[sÛ¶~÷¯Ð#=¢Ä�—é“Ó(7­ãc¹§§“ä�– ™ŠTEÊŽóëÏ@¤É™9g<c.Á%v±—ow):Ià�NrI^ˆIV"*'óõE2YÁ³_/¨å‰S<äz{ñÓ{žM
-R¤,�Ü/{å$És:¹_|Š®no§7ï®ÿs3™DoÉe,“$úãêæÏ«ßqíö²`ÑÕ¯ÓÜ&I’
¥š/M¢w7³Ùô—øßÓ»ë÷_~¹ÿíbzïõêN®•úçâÓ—d²€#üv‘^ärò7	¡EÁ&ë!9‘‚s·R_Ì.þå7<5¯†l!yNdβ€1�PA¸HÙȲ ,Ϙ±†>ÚeLá˜Ñ¢é:5�ŸÔ¶Z¾è£Áþ1—„KnXoʵÒË°/˜XAx&…áïbìù™±)´ÒßÛF!¥y?'	›—}Õ6¸Ö·mm…Á!()¤dVOIZÈÌH›½4í¦«ºCO¤`N6I9#ŒÉ4d9
-g` u±„$B&na¬*h Ä<WÀ)÷S<Çã€1÷oÓ$#²H%ˆÔïÍë²ë�m$ì›çYa¹¾¸§�Á_y*݆ªYU�
-ì8fó;^¿ºcÕlv}¼l·ë²ì›Q’qz¸mûê¶í¶M\ѧÀŽœ¤ðoû€�wjõ¤ê7ê7O}·”ÔeU«P8ÆRH»t•ï¦³_î®oï¯?Þø—Æ	#AÑL‚å8¿àP<qjºTQ¤‰�Qÿn
-ä
-ãô	†ŠQ*óü¼fž+ Ú0®(Œ	ë6Û¨ù>†î
-J8§ù+p�1¨ã2½´ iÎOÁÖȬiJ Ðçõó\
Gfk
-ñ6Òð^ÜY€Æzz­w�–øóX/jgÔÊ´)"ºm»®z¨2áfò¹48&R’¥	³¶€r,zõ­××
-ÁRˆÈ”ŽÑâþÑ Y!£vcûƒÂ¢\7Ûj]n+ƒpz¹éU³0w}«¯iô ð~×¹'T@,^šr]ÍñÆãc�@jet­Ý1ª°3¯ïÖ|#E—Ù¶	@­	µ�'ã¤3h
·MÛÄÚ¸èbC?™·MW5+|¶Û,ÊÞ(¤–
æ`ðÔ—……³Pmˆ¦ËPJÁÄ1Ï2ŒCÍ
¦ÀWM
-ÃB�fÊšyttÅ¢u¨Ð´­×åW›úë�©#@uªéì"ÚÙ¼ÐÄ{[[¤èNBGè …<C®ÓPá¹T´!ì…L?êEF(¡<	A|V5ÏÐm¾À=ÀÓH¹û!ŒZ„5ÊhïÑ$º^X¿óh½xs€Ä�îÖOƒ´íÌ]h]¹rÚu»µre¹Åëƒ:ØÃéuÊú"

øyÿ
¸ÎøÏqÿ=½ê?ßð�kgJX�ÚYÍ<W@µ±û(ÑÍþHµ™êkæB=ìV+Lb¸5š�¶™žÕrh–ÎÛlÀuÆfŽËØìۡȺ2ð{V¤c
-ˆÚfkN9ù±ÁžSD~|ЭÚFRI>l$±y僎UDÏК"õU½Äú	Ø`¡Ó9’äÑ_—Ê@ÿØî¼(·D;/WolK;’$|Øk؃x‚ÃÉ1ø¡òœ2W¯¹W^/Zå5ù\Õ5R–Ñì½àµtL弯ž,£=ˆ(²è¯GÕ8yU‡ž
-¥¶¦w@¬.¢j‰WÆÅÞIiâ�¤ù:¼Z8*öÞúá¯l΂ç,ž»Ú‹óuPݦmvѧpÓÄáhÁÎôW�d凉*ˆä™cT¶˜0ÿ
T��ìfÐQR
ÝOŠv^ÓGrÿ@h& ƒ*Ä°¹	å;94ê¯ÍC®Óù%¾ŸÊ÷³"}¾‹åûHäõªiÝÆ…E@M|˜}@‡.к‰qé�@ê£^hììÕvm[ û^ؼje tØê«¥¹n~̦î¡ód„g²Ýä{Å�6ÆyäžùZ©o,@Jycpáò‘c¿fÞËnŠ�ñ©ýjJ8Õ:U/c�|�‘zA+	4ñ^Ó@‚cÊn@/üÔÔpê×·ÍbÜí
-Lùé] I`h�òøà˜‘Äsk
-p1h°=œøéB÷Òà@°ÅÒÚ®éC-¨åôÙÃü°æsØæÆ8[Òžøír"’ãÖÅ‚î|¥ï�åþÝLZ€e9�ž®´XÝ€BUÿÙUþDæ-—¹1kîlð‘Åî9ˆýØÚ¨»âöªUÙõN¾}v@
‹�Éùª¥§‚7¸‚[¬p‚\ÔJ�÷z½½¤ÑIŒ6 0ÚßçÐ]ÉÞLP |ÅäƒÞÇæ-c>–ô²Ífó‚
ê¤^{Ák
-胃ã8(‚UΘ]¯øJÝ™nX/
ÂÝpÀÝ@^5óz·PÝáË#¢ Ÿõaýè.¼
-(I¨àçe{®€ð‘™$…þ¸8’á°5ïóÙáèåjXè+´H€Ö¾G¿�L§øæÕï³�'~¸9þíü¨?üäú“Ï|•C3ç$/|¸¼½¾y‡’
-+p¡ëv×oËÞ…ö�ò¸>·ú£lve
-Æ4',„ÆíC
-ˆhê¾»÷ö;±H8ì'`Xþ‹9õ«—DÿÔˆ€ÄûþEoÿÓ¥È`\ÊO„O`˜âuJiÅiÊU÷¿ýëþ_& +¸endstream
-endobj
-2611 0 obj <<
-/Type /Page
-/Contents 2612 0 R
-/Resources 2610 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2609 0 R
->> endobj
-2613 0 obj <<
-/D [2611 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-886 0 obj <<
-/D [2611 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-2614 0 obj <<
-/D [2611 0 R /XYZ 85.0394 744.5025 null]
->> endobj
-2615 0 obj <<
-/D [2611 0 R /XYZ 85.0394 712.7073 null]
->> endobj
-2616 0 obj <<
-/D [2611 0 R /XYZ 85.0394 647.4522 null]
->> endobj
-2617 0 obj <<
-/D [2611 0 R /XYZ 85.0394 576.1287 null]
->> endobj
-2618 0 obj <<
-/D [2611 0 R /XYZ 85.0394 501.8403 null]
->> endobj
-2619 0 obj <<
-/D [2611 0 R /XYZ 85.0394 83.5125 null]
->> endobj
-2610 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R /F55 1336 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2622 0 obj <<
-/Length 1956      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Y[sÛ6~ׯУ<!¸ƒè›ã¸­»­ã�•¶3IhŠ²˜J¤—„â8¿~€	’�Ýñƒ
-‰¤¦zª4G1Ͷ<½‡g¿LˆÇÌh>D½YL^ÿÌÔT#-©œ.Vƒ½„“„LË�³7ˆPt[àÙõù—oç¿^^üëâÝõÏgs¢ã³ó››Ëë·WŸÍ©À€0Ƴ?ί?œÿîÖnÎ4��ÿry{öyñÛärÑi6Ôž`fÕúÏäãg<]Â!~›`Ät"¦�0ÁˆhM§Û		ÎXXÙLn'ÿî6<m_�²A0¢LÒ”L	AZ:âCh$e-翾{op:`OçT"&`Ñâ®J“×en·O�É·�›\TeSÕ¦Ømý6 •#Æ%õûp†¸’´ã˜Æ@i™nóå<[çÙ?YU®ìËÍ$ÂR©}
�¸n#¬±³éþF­VŸ(UnÔ>vCxü	cz¿«SST¥GÂÊ&wãæ©4é7¶å½›™ªÚôçëYµº$ètºÜ>•ÕCS4û®ÁR‰dS!¤Ö1S8!`ì#vFŠ	ƒÁ­™9‰x}‡Š2$�ÿ�óõç0úÚ�¾t#ãŽ
-õ»S¬%B€JvßeQ癩ê'+‘¤‚x¤ßuUlr«L�ñÐIûþ9Æ.ø C	ÇrÌòÛËÛ‹÷W7‹«w×Ý[G]7âg{þ”@”1¢½ª-|›123ëÜ‚c¼‚‰ ³»�q«eeöqù6-M‘5Z­ �èI±‚hàÒËu~z¨ãˆ&²Ónß…íîÞ…ÉÌf+Ag§N÷ UÍ9%I9ÒœñéÜí(}HëƆ	#t––~ÐRVWUm¬ådÙ8±Ó¼®ÏH2«êöÌTÍÒMe£Æ¾óX˜µC¥›�[r*5nR”Ùf·îžüª�sp-gW+÷rY
ßõ ¿Eó�g…}�/_EÜ�S†¤ÜÓ÷:7ÙkÇC÷dÞ9\°:â(’"*eðþÂ'ÀöøyêsŒ=„ý]æ«t·�“´Â›s’ D{7¾®Lþœ”%CV8xSj"þ¢ çqò¼·ŠƒŠA5¿qQºß&s§&w³ÖôÞ¶pp“3­)­;ï²µ¥M„\’(¤x§S].3ôOþQK`ð9\Ý:Xd7j0wE¹´›5±Ý‚ªÎ<Ò뚺Ã:umd:+Hˆœ|dåtgª-Pni�Ž&+ÚÙÝSÄ
-*ðiKQÇMÑ¡Z[|9°ƒ®FéÓ"("rd
è�°fc‘­ó²§¾ûz“ö<?÷Œon]òûRíê2øðúÂtY©1Íq2¹­G„?Cæ
-ĺÆD’á­¿/èö##…DÊظ}8F”!M0†ÑÁw*×z¢ÆmûûËŇ÷×Îkþ<#p«;ÿýƒûj|ì‹ùŸJ¨scNÛ„ÚWPßî˜Ôìšq*"cY:ß«ÑØo	nP?MŽŽ}gЮ±è}
wDþßßËû
p…˜­”Q'§JØ»¨JY‰ä‡!í¿¬êþ_Hcð£endstream
-endobj
-2621 0 obj <<
-/Type /Page
-/Contents 2622 0 R
-/Resources 2620 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2609 0 R
->> endobj
-2623 0 obj <<
-/D [2621 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2624 0 obj <<
-/D [2621 0 R /XYZ 56.6929 751.9581 null]
->> endobj
-890 0 obj <<
-/D [2621 0 R /XYZ 56.6929 711.8652 null]
->> endobj
-2625 0 obj <<
-/D [2621 0 R /XYZ 56.6929 678.3488 null]
->> endobj
-2626 0 obj <<
-/D [2621 0 R /XYZ 56.6929 642.2811 null]
->> endobj
-2627 0 obj <<
-/D [2621 0 R /XYZ 56.6929 574.684 null]
->> endobj
-2628 0 obj <<
-/D [2621 0 R /XYZ 56.6929 512.9737 null]
->> endobj
-2629 0 obj <<
-/D [2621 0 R /XYZ 56.6929 369.6295 null]
->> endobj
-2630 0 obj <<
-/D [2621 0 R /XYZ 56.6929 83.999 null]
->> endobj
-2620 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2633 0 obj <<
-/Length 1920      
-/Filter /FlateDecode
->>
-stream
-xÚÕY[sÛ¶~ׯУ4sˆƒ+	<:¶Úº'±ÝH�všæ�)›	/IÙUýY
-òOÞ&²žlÙ�â`Wvyfï«ÓÞ×›4>´1宼ù™í«OÊ‹’2^BiÜùT�]¡‹3ù2¸à꺂âÔÛÿ¯°öª¥~ÐãÆ_±5uJ7Ágžº¡8X� T3†å÷T Žˆ#Èqu*P·RïÖ WTA´Eâu•çòÌùñSÉ 88ûA?¿UtrfçÿéÅëŸ_lÎVì¡ûˆ"Ø=´T'-ßV&þoÓúwù5Ùü5æ8uHŽ(Qä«�Ð^J:Ù‡KÄ^H`®úmÍÕl~ùþúnq}{Ó¾t¼“î7};Í8ÃiÐvšÓ4šlR?š�OªM^‡ÙÁ0�ì`êCÙtnlR¬šy;ëš=Ö4{hê1J&×µ|ŠK�%÷XôÐÖ>	«
?“à%uÉÅø9à4ÃR´ÚÙ|Qká’O^ãÜRiF¶Å”Ö
iÝ
-r(4áÓ€w®;zaG X
¨GŒ}ï•€]份lÁ5I–¤¡ñž@£? 
-r€¤\}=Êà4¦nûëÛ
-)'÷ëÚêKj«*L_ÂMcC´ÎžÒ†&Ì;èÍmDçµc(š÷óŸâ¥ƒ��bÎvº“D¯„ªÇ°h/Bö
z;ÚG-¨ÇkO:ƒ`rEI�y˜¦›)!D»Åˆ2Þ!OOi¢ÃȪËdYÃÚ™)•�Hãç8­ìðýÆþFñ*\§µ–Gõj˜Ë0=a�ÐoitÜåQwOëúI£Êìª$M-uÛ_ˆîÈRaÕüæÍï²Ö·l†¶(kª…†Ø�éÞ¾ß„…
-™BœH#¥ØöÖΘN~3	@‹ÎÌu_º±Oý€�(_’J_xÁYÚ
-endobj
-2632 0 obj <<
-/Type /Page
-/Contents 2633 0 R
-/Resources 2631 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2609 0 R
->> endobj
-2634 0 obj <<
-/D [2632 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2635 0 obj <<
-/D [2632 0 R /XYZ 85.0394 752.0294 null]
->> endobj
-2636 0 obj <<
-/D [2632 0 R /XYZ 85.0394 688.0859 null]
->> endobj
-894 0 obj <<
-/D [2632 0 R /XYZ 85.0394 648.5014 null]
->> endobj
-2637 0 obj <<
-/D [2632 0 R /XYZ 85.0394 615.2083 null]
->> endobj
-2638 0 obj <<
-/D [2632 0 R /XYZ 85.0394 579.3639 null]
->> endobj
-2639 0 obj <<
-/D [2632 0 R /XYZ 85.0394 512.4986 null]
->> endobj
-2640 0 obj <<
-/D [2632 0 R /XYZ 85.0394 361.0478 null]
->> endobj
-2641 0 obj <<
-/D [2632 0 R /XYZ 85.0394 218.5873 null]
->> endobj
-2631 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F39 1173 0 R /F41 1233 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2644 0 obj <<
-/Length 3302      
-/Filter /FlateDecode
->>
-stream
-xÚÝ[[sã¶~÷¯ð[虂+	´ÓgãM7Í:ÛÚm2Mò@K”ʼn$:"µÎö×÷
-š]RøŸ]ª”¤†›ËÌH¢(S—óͽ|„{_]0O3D³>Õ÷Ÿ¿Ù¥!&åéåý²·–&Tkvy¿ø!ù‚0A®`	šÜ^¿»ùröúÏ7¯ÿòÏooo®f,cœ%×ïßßÜ~ùöû«Wè�˜ÒäÝõí߯¿Á¹÷W†'×_ÝÜ]ýtÿõÅÍ}ËYŸ{F…eë—‹~¢—ØÄ×”£Õå3\PŒᗛ©QRˆ0³¾¸»øk»`ï®{4&
©4Q\¦ N´‚½GeÆHÆe’‘TjÓÊŒ³˜Ì••Ùln7úù¥z”Œ.@ôÔ‘Ì×y]ŠÃ¤D3./û¯<b,Eãƒ×ÁèwÀÙÝS1/—Q-ͪÀ
2ã†ÕòàÞ¿ªm
*Œ&oý½mÕà ¶«ýH)/¯pæGÎåÛ[û/^—~YX¿)ä
-D¶úŠ
-Üö@@<K‰1Fú�[--÷ëµÓR÷ùæ0ÌLÀë�TÑE±Ì÷ë†ìUdy)Ákq°úÌrYnGÞ’2fÌ?[v&yJ˜5W QŠ·Ë¯«y>ƽ`àZk‹²KŒf}nÝr§Ø5D
-ØÍ·‹ÈÂÌ¡²þÊ[Ð蟜¤**qö
UÈ>µ[†�ÒÝ|ç�z¨U@³ÊøùJm
€x²¨Q`ïyƒPz÷=Î Œæ•û]ÔýÉe±CÚ¦Âék¼¬vþþ‹-‚TJU³BŠr;€WN ¸Ò¾™UK¼ãD¢ì. ÀØ´ÃÙ曢¶�ôNjDJZB@àúPÝcZ
(dZm×Þc‰Ùñ;ðŽäd'ŸWå|Õ¿ïDækå=cØ·½h7
-\OÀUš,Šuñ˜7eµÅ;·wøÙ¨î.õ»sžÁþT~Qq¼Îu¨°W=Á¤ˆ
-· ÂÃ!#"£j‡
-Eë:Ôµ])Õ­êÖñb
-ÊIiÚÓqSüÚLá–Åk)ÿ¦(–!í…¬oæ»üyì�t�÷K‰TdØ<Qhw4ã0ñ4$obýF„lÍp%‚ªôS-ÍWCŒ@r¨!øõØj"˜
-qYµ±c‹�ÁMÈ.žöþ&bǽN‡ëo©ä
°*ÀðS%Œßµ
0‹™³Ý�Æð­Á÷QÞÕ©3!l–PÖøÞEUø‘kºØÁ<ß×>N
-‘
õè0uÈ·Þ(Š¥ï|™Gó~».B£§ôF²ØožêQ;™WÛ¦Ø6u4æõZZtvc/ÆíÆHГäç™� �â¥rÌnÜ›¢v“Z_­ÌYv/1¢å(ªV&3T—ûÓíÈ‚’©ÚA§’¥![²,×M¨½Dðé¶ñ#—LÚÍáÏC¹ÍwQç<�@„ÍÖíe©ã`—?•ÚîF÷LÙÜ2²E.I&ï#wDX¦­HLô}yv®¨ Õ¡<詳²ÙFDâžÚýAºVcM’¡(ám8ð †ò@–)OÊ¥—#Mm–uP>ÜÂFb"¿Ô$õþÁNàêF¶ÎÁŽçù�Êi×öó8T.•‡Y´Kt€‹js#�ä&Óg)#„ ?Zÿ�Ú
º…¶Â·2±1Ø�lw€³ë"\ðÉäÐ

ƒ„³üUùYâU&sñ=LÀÙhô6ÓV&ãWŸj<‚µT.†ý�aÚ(1Ñ)6°„Ñ'ø
-D¾�âŒÈÌð:Å‘&%”µ¡Ã˜43¬xãö–ÁÊŒ6€4KžK׌Ñ<¸#Ö�y8±ÌËõ¾ó\Ì	ô™Q9ˆ¬mGÃrSíh™îoÀ¾a„ó™„<
-ÁÇûÇåâÌãr›†	ý"<Ê	<¦„‰L�‰GЧf´ð•c…ïLd”Hš‰ã¶ê'A&x?c“Îidö¨&�¨2·¿+ýžä«M¿�ùŠ¥ß¾º.£Îå^±Äy]{íŽG„ˆ�Þz]Kðà;á­×u�òʾcî*7Á½×=j´z][ÍõZ—"xÝÁ“±Æ»"ZSé»O ;#FªO�»~ªœÛ¼À¯+óÿŸt³L@5¥È¤aö©Æ
³¥r†Y�îí‚F­”ŽÒn‹´”šiæZªwƒÀÁ)Ñ$1`ï;›†îʦÀΩϲí:¹Âå7nrЈ„ð“µ?ý=ö¨ Aæ´kyÍÀfì·pÇKÚæ¨2òô’ ØvHÊ:¶¸qÖ†‹YÌZÏX€vƒålö9Hsn;U7
-4Ç<
6ïË€>O>â†ûJÈÄâ‹áá„Ûô£„�ö­;,¼Œ;}uT‹Ò Á¶ÁÛØÛãÉ—·ww7¯}ÇrïoöV§
-c²ö3õ¾lðSO‹ƒ''£j)¶»`.ß7¬dÝ„õvêÁÿæ~±â)ßå�_¬žïÊ'Œ2•|»ÅÉ&0è>.‰}µ¡Ù~™
-_\‰ðÊgº]±$„¹Mwø³«=8µY8î{¤þ+ÄÞcÍj_ûhºÌtò`A4)eãÁü®©ãÔÇZfûð-öÏ"fC/ƒê~÷_Gt9�Ðz¤Dç™"ðp˜²òfiz숬[€þ˜÷[¾endstream
-endobj
-2643 0 obj <<
-/Type /Page
-/Contents 2644 0 R
-/Resources 2642 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2609 0 R
->> endobj
-2645 0 obj <<
-/D [2643 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2642 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F55 1336 0 R /F22 973 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2648 0 obj <<
-/Length 2271      
-/Filter /FlateDecode
->>
-stream
-xÚ­Yßoã¸~Ï_a`Ô
j–¿E>fï5‡Ý\.v¶ìíƒ"Ó¶p²”Jr²é_C‘’%›¶S\‘
©Ñp8ü曡CFþÈH	„™æ£Hs$0£ds�G+x÷Óñ:“ViÒ×ú8¿øç'�4Ò’ÊÑ|Ù³¥VŠŒæ‹oã«ûûéÝÍío—*ðø#ºœŒÇ_®î¯>»¹ûKMÇW?Mg0dšIP"ÜêI<¾»ú2½¹ü>ÿùb:ïüéûL0³ÎüçâÛw<Z€ë?_`Ä´£W`D´¦£Í	ÎX;“]Ì.~íöÞ6Ÿ†b ˜BBÑ(JzA d.G‘ÐH2Êš äñÆ,&ÉÚ$ü·È�Ý|Fû±ãH*La-«_¯Ó
-¢éñ¢0^Ê‹Ú
-jœÄÛʸ¹8s‚Y^5^š¤öÚÛ<3•—Sÿáb»yöSõÚ[hÜi¤¤Èk“×Dži9¾­ýYUô\
Ï
ÞÙ	!HAÝÿà<×ñ‹q’s„�‰ó4_¹AºtOçŶ~Þú�—E¹‰½ÜÄ
-ˆá$<ûZÇáÙi5ð¬ðÔ Óa‘–@Eùv
-1ÆXÿŒ&I±yN3sä"¥¡:QªÎ4Þ˜ŸkÇúZ'ŽªÕjŽêß!�†Úö“%“£ˆbqÚ±N+àÙ°d`1`{àÚìÙ$éòÍÝï^×Ò§tƒ¦ý‡g⋪Žšiæàx'�ç›4·gÜ|šf‹$öåŽ:âj|wZËMíÚ(X Î6EU{B
-»£y˜ÎîÜÇ_/Á…ñÕçÇé,€wHD
-á‘ïÿ!ŽiÖ¦‡KÕz[æmòz@kïÛo •z[
wH†m»)Ý}®ôj¯¦£(.SCãÒBÇP `oÒ²ôkZ	N뮎ëgÓ©ûøêóì—À}H„Ö» XQ®‹ßÝ8]¤lSÔ{ÝØczÐ#@€jû#Ç�6˜‰Àò MyÇ@!ƒiEÚªÿñöîÆÙÓ~W(3p³‚Ûzá;Âû[VÓ<ñaýç[¨E‡Ë©•Rö)í ®nEŠXð÷{õ8ÿ×/Ç#ê@v›C%Ì�ÇÇì
Úä�?ùë"¯Š²N·›Ýªp‚\RoyÁ˜»âÚßÁ/'cm]aÜv£¢Ñ¹óéðG
ÏG½ö™Fi䤡›aŠ«LùbÊP„ðäÞòâ¹J«}ª‘
5D#�<‚m*M…­0'°g¡á "ÀV©·i	áû6áß[IvRâ;56ø]W#!H{á³ÐOW“eš™ÀBB[ÕÅëvv
»+½x{C3OÛÕ$3/&{¿ÙéY³&_¥¹™ä&ÞcvùÝõ`L2¸H6ì[¾MV�æ&à€`€2Õ¦ê2‹W¡«G<Rdåüì†>$ÏÛ*dP#¥"½oðù¬ÁgH¾�=†ô®ñêìU�4XÆóÃ&þ1©Šä��¿îþ¨öí×ç�2¼Ê�r$©ØEµ9EøUTˆýS|,åvݞ݇(Õäö_Ç6pðíÙ
À¼#‚Ês/�ôµ“~–ÐÐúò®>$1T©c)ºù#ÿJ§íÿÿ„;ÒûËÿfÜý}¦Ô‘ë8öïÒ¤uÊ:Nd´ïz÷ÉCßÿl#Øendstream
-endobj
-2647 0 obj <<
-/Type /Page
-/Contents 2648 0 R
-/Resources 2646 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2609 0 R
->> endobj
-2649 0 obj <<
-/D [2647 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2650 0 obj <<
-/D [2647 0 R /XYZ 85.0394 393.5547 null]
->> endobj
-2651 0 obj <<
-/D [2647 0 R /XYZ 85.0394 333.114 null]
->> endobj
-2652 0 obj <<
-/D [2647 0 R /XYZ 85.0394 272.6734 null]
->> endobj
-898 0 obj <<
-/D [2647 0 R /XYZ 85.0394 235.5228 null]
->> endobj
-2653 0 obj <<
-/D [2647 0 R /XYZ 85.0394 203.2986 null]
->> endobj
-2654 0 obj <<
-/D [2647 0 R /XYZ 85.0394 168.5232 null]
->> endobj
-2655 0 obj <<
-/D [2647 0 R /XYZ 85.0394 105.1607 null]
->> endobj
-2646 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F55 1336 0 R /F41 1233 0 R /F39 1173 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2658 0 obj <<
-/Length 2963      
-/Filter /FlateDecode
->>
-stream
-xÚÝZKoÛH¾ûW˜ÃJ€Ùa¿›Àb
ÇvÏ$Ž7r0ÌÌ�–(‰ˆDjDÒŽ÷×oõ‹âKT€Ì^69°Ý,VWW×ã«jáIÿñ„$"MdÄ1Ÿ,vád
ïÞ_`Gx¢ IõöñâÍ;*'Š“ÇUƒ—B¡Rxò¸ü}úa†fÀ"œÞ_}¼½™„FTL¯nïoî~ƒ¿yT@†Ó�W÷_®>ع‡YD¦Wïoç³?¾¸}¬åiÊŒCª…ùëâ÷?ÃÉDÿù"D4R|ò„G™ì.§ˆ3JýÌöb~ñïšaã­ùtP8D„
-2 ‚'£ˆsÒÒ�� „-ÜÜί?ß=<Þ}º×»1ßN"@OÌÐfñ.Y:*Ò ¢1J ÖTi1(ÓØ>nò]œfv|ìhþZ”ÉÎŽÿyxs?‡¶ErxN3ɦ—0!Ãé>>”öU¾²Ïrã½½»¿±£È>–iQÒ§ªLs·êê0Ãjš»Õîæ×ÈŽÞå;Øå†"Ñ[›~7A­:½©l•v±eªmÀ?� z
-ªý¥='Æ1
-9©ÊzuSZ­áW;H³´Lã­ýc—q÷¶`6‰;Ó•6=ø«JiR Z©
o‚“¢)™e?êŒ$Æb" Ô(©Ø	¶DA“Êûo?ˆÕTzÝ€u—EVãKz¢�%›z0”·—üR8ó¾{xfÞ¶NÏɳWbºê8È&/J;ÚÅ‹Mš¹éÔ¹È"ÞÇO[7™¯ê%° Â9Š”ÄÎ"¬:ÂcíÇÜ�>è
KŒå’z6â$ﱋvUYÅÛzëßÛªHŸtÊ
-¸‚´ Aí£VФ:m5ÕQð!+]²¶‚þ’CVÐZ²iâoìÿÈ
- §3
AdÜ
-T#Và©Œà+8çMÁ58
-è
-z¨C>öñò)	Æ…0ݱÂ�OSy3i�G?å>…ÇE'I{Ui\lUe1ô¡ëÂaâAdLgœ3P·I5b€žÊàíYL2ÐyhÅ�6À1ùØpÐ
-Ð)�×…îUëxé³!uïìñ±Ó٭ ´â˜z,m×(]"2j¶â:Œt¿¸fc�Ï)6ê{¹
-1	
-Ì
ÖwAQÄÛ’]»Z¢
-FTo™É®„ýB(Ä¡oé>ƒN|k¸ìï
tÜÃÌöô‹økbgâåsœ•6 ÂÓ‚ç�_ºß:¢ë‡/…»
-
-endobj
-2657 0 obj <<
-/Type /Page
-/Contents 2658 0 R
-/Resources 2656 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2662 0 R
->> endobj
-2659 0 obj <<
-/D [2657 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2660 0 obj <<
-/D [2657 0 R /XYZ 56.6929 752.0246 null]
->> endobj
-2661 0 obj <<
-/D [2657 0 R /XYZ 56.6929 645.3699 null]
->> endobj
-2656 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F55 1336 0 R /F53 1328 0 R /F62 1379 0 R >>
-/XObject << /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2665 0 obj <<
-/Length 2763      
-/Filter /FlateDecode
->>
-stream
-xÚÅZÝoÜ6÷_!લ*?E÷ä6¹ Eëó5öÝ
mä]Ú«X+mWÚ8þïo†CÉ’V»i/-Š
-ÀüöþPÒÌ�[åxž'ó:àl³s«âgÆ„,I©òÖ·ù‚Ì€»üqŸ–c‘)âW(X+.ã²ØmNrãj…ó�@€­×Ž,V>Õ­6ÏMë¶Dpyý.¡Ùw·4D“„sö.\L8±qm8ª*Ÿçû´A;)–!`°&ù¡libUWh�‡Ã~Áa>È�h¾†Æd‰
̼¬{ý˜ŽqwÙsoVÁ)vm½»ój=']
-ÄX½s/‡çxl ¹€Ë.öuµuUK”Þ?`ñ±ªÑ¿ž*šnkšn»:¥bqØП1¾x ­ðÄÃö¯Äq?wÏM½B1ñ‡k;§6@U·þxOSãC%oi.\:,®Úª„ãmþ©ØÒ±41”
¿é®a¾Þœ—p±Ä‡~•EÛ–³Aä¯Õ¡œOÈY
-o€¼êFŽ#S0EàtŽfºàñù2•Ã„cdÂ¥1!aVùÖ­Ù0/I•ÎÑÞ5ŽòÅn䨷A¢Î…p<t!
-½¥`&ÉTf&îãýK˜aº‚�¢
³EÕ:2£÷)œB•ü
Nò¸²람†eåK•Ì€§…ʽ|)¸_VJ!…&¸ª
-!�ïAÎ;w_ûõÀƒÆù¹{÷æJ`
W3Ù¡ãK‚É')bŽ¹ÃGÚÃ)ÿüfe¢2õ{b¢Ûq
-½)ˆ8V}½i±•Ú?½)ldú'€·
ç3ØMÙì¥Óv3ì–°›	ØÍ`63E Wùp¨VÝ6?í†FèNÞ~j˜„P‰°½
—‡™T}Šå\êfs`�˜¯6{ËÞ¡¡ÃIÄÔŸ¡€IÀ,»½-ú <ÔGÎäÝŠs	Øf]»¦úª¥iWA9[9úhÜê0@ 8å1#üÞÖMØAøªù;":ÖYaZ埰*ä7c$H©Ìˆ`
-{œ@xÆžÙl,«y ËJ«;’�ϬÀúÎyk£Ö.¨ï¯BiËðkS<l:ñ>úF–r°äfÁ„£Dº
Í^àE¯Œ½zðzÕÓUs*a^} t¡2UI©žd›?Ç»p0xMp2ªc0嵆ߨÓx†:+yƒp„±P‰úe#(cÔ1ƧDÀ#©U’AU?“-0[
¨N§‹žjX<ÇéBÌöΈ#G™ÊK¦ôy¹:¢¹F#z"Ø{×
-�Ä	Ð,"ä„·€ÎˆÛ)`–û»Òµÿð½Û‡âŽÄîÞ#×Æ£ìÒ}
-€%Â2Ž
-õSóßÓPv[N¡gnEÂŒü,zV'Bddƒ«9ôÌ
-2mÑlñÓÐûL¯÷õŽF9Öx F®+À'0ÆÇ®;�{ Gx�[¹]Kßá‘ËÆ/2àl=›·M"¤êÀì]Q­ÏAY6yÁþôÌ–y(¿Æ²­I„Ñû[æŸþüÀ—/ÚU‡gžaÞÑéXc‚¿J¦ølTöˆö•4ô¼Ú=ÀA&Šo«þÝÏ;TyëÊgðC¢QF‡÷dܼuy¸†7:™žj‰Rˆ
-–�o‰ B™à£–ˆxö/±ˆË!a2sÔi�È Ç#^§°ôJ{ìµÐF(nÕç½Vf"4Ȳk¬ð+£®f'L‹"
-endobj
-2664 0 obj <<
-/Type /Page
-/Contents 2665 0 R
-/Resources 2663 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2662 0 R
->> endobj
-2666 0 obj <<
-/D [2664 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2663 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F62 1379 0 R /F63 1382 0 R /F21 950 0 R /F55 1336 0 R /F53 1328 0 R /F41 1233 0 R >>
-/XObject << /Im3 1530 0 R /Im2 1368 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2669 0 obj <<
-/Length 1824      
-/Filter /FlateDecode
->>
-stream
-xÚ½XßoÛ8~÷_¡G¨þ‰{rÛ$ë¢ur‰ƒ;`w‹ŽukK^IN7û×ßP¤dÉV’=DÔp4Î73i`ø#��HjªƒXs$0Áj7ÁÁÌ]Oˆ×‰Z¥¨¯õq9¹¸bq ‘–TËuÏ–BX),Ó_Ã�ˆ48\̾]~Ž¾Ü<Ü-f_oïæ‹å4""–"œÝÞ^.>Ïÿ=�¨Àð	èc~›-f_�ìvªi8»¾¼Ÿþ¾ü2¹\vÎõ7@0³žý9ùõw¤°�/Œ˜V"ø/­i°›pÁ�àŒµ’íä~òÏÎ`o¶ùt, œ*$™Œð
1,È�,ËT5¾,†èÆH1ýº)÷S~è?ŠABkDRÄDÌ;´(
AZjáR1¢±+B XÓ¸�ë_6¾�¦FBrbáÃ<n4fÓHÒð®ù¿€ÿ$œwc^Ÿâ£$Ò€Mƒ)tãLð'Ä@ÎY£Ô7›?Ƥ\Ìw,ø\Àƒþ6½á¨o¹Ù¦¤½¤$”
T`=¦IÅT³‰å&«¦',öuVän¼›ªÚ½å…<÷<T&µ©©`Ë~ª³’o_ühígòÚ”ÆÙ’a]8éÇùâ³i÷HÍ”áðyJEh¶ÅÞ”•
 Í†)p7ÉS(ƒX…»Äª¿¸ë—}–fWL‰ðV¼fQºçj“äO­0ËÝ3q�õ¡>”�‘­I*cí S¹Ôˆ*­‚~FýTŽ2H>©¡\£c•ý\ýôÓJ(}L{ÒOû¶aHAfÄø~~
=é¾—ümþ
-ý—6­ÜÈf‰}®Š¼vlÝ7õÆëæÉÎT¦|6å?¼¯¤ç+£1Š©â¾RË<]�ìˆRP’Ò+];÷ÈfqU›$=ËA”� ì ¨¨§
¯õµZDÎi£Óò€üòp{º¬ŽÖ„¼½l«4²ì 1`ÀšÂpÝ«¢	üÊ8ÚIÜ£‘A}&©{·EnŸ8L¦1_•d(Ž¹z'T=­7BÕjùPY*~üàœ
ÁòòîÛ©#„¤tZ#®Â' Ê$TãЗ͡vN¤Å÷üí 
RHÀ¹‚((Oæ;³éǼ:lëaÌ+“§YþäñÉ_ü,¬Rz…®òìâŸÍ8óJ‡<5¿aLsã2ý´e`Û°� Ì¹øéfq5¿~¸›Ù˜/ç7‹÷Û†ÝÕy½
pB[u•hk;1Å8ÂDR¯½ÁºútpÝX³ÐJ¶–¥0w”²º(Ü`Uìö[ó—›­½05ÕªÌÛoòVZ'ÙÖ�m<-Àx<Æ–ö­¦3V›¾•ýÑ·8÷®}Eg8QÅ6¹û”öœ¥ÆWSÖK”fûÀ½œˆKÂüö�Zmí³t—åYUC8
-ë�Y{ß󶎿%ù!ÙŽ—H… ¶Ý� �ü§ñ0O_EN�X´îf9„1«›<£Ç
òAQSÄ	o=8ì’ê�1»(èÍiý†nA·–Wn¿>%¬dW¤~Î}âÞÖ™ÝÑ#°pŸøˆÕn¸2U	Àˆçk7ã–­NÖuXÒðñeŒ—0´7¦å{‰E³öœùÁå‡Öˆœ>}ö¸zª«
,¨x˜XO”ÿSJ({'ô>Ú~¨Y˜›Æ;å²ß*o’gã$+8î5Á€10ø.«*aûå8`TR¤±Ôï#SŸò,,Ôð,¸Q™Ú	Ì_ûm¶Êj{ˆ´ïME€‚ƒ®Ì\D¨HÒø¤ž<g÷Z^U'e}RYXb).ÞC…!®x›Ðƒ¼i•ÁÀQ1ð e^Í¿Ž\Ý<é1®¡„½ÍŒ}­†Ž€rΙ±Ó²«^˜zuÑìAÛ\Ÿ¢„Ó,ÜâÞt Ó:÷à„ál׋�›¥f�tTvÖíÐåì«ÇFàºFy'H=­7‚Ôj5AzNÊ‹ò�»@ùpí³ôÔŠáÜ-¸~Û“NëÜ•á!D˜dC_ÆÃÕ˹(KÏ¢už‚€
-endobj
-2668 0 obj <<
-/Type /Page
-/Contents 2669 0 R
-/Resources 2667 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2662 0 R
->> endobj
-2670 0 obj <<
-/D [2668 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2671 0 obj <<
-/D [2668 0 R /XYZ 56.6929 644.329 null]
->> endobj
-2672 0 obj <<
-/D [2668 0 R /XYZ 56.6929 498.5963 null]
->> endobj
-2673 0 obj <<
-/D [2668 0 R /XYZ 56.6929 378.8143 null]
->> endobj
-2674 0 obj <<
-/D [2668 0 R /XYZ 56.6929 270.9876 null]
->> endobj
-2675 0 obj <<
-/D [2668 0 R /XYZ 56.6929 194.069 null]
->> endobj
-902 0 obj <<
-/D [2668 0 R /XYZ 56.6929 153.7758 null]
->> endobj
-2676 0 obj <<
-/D [2668 0 R /XYZ 56.6929 116.6136 null]
->> endobj
-2677 0 obj <<
-/D [2668 0 R /XYZ 56.6929 84.0158 null]
->> endobj
-2667 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F62 1379 0 R /F21 950 0 R /F39 1173 0 R /F41 1233 0 R /F48 1253 0 R >>
-/XObject << /Im3 1530 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2680 0 obj <<
-/Length 2175      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ÙrÛÈñ]_Á·PUvœûF[ò®\kYåªT´z#kР¥òñéžîÁAA¶’->ÌÕÓÓ÷
Ê™€Ÿœeq(tÍÒ<
-c!ãÙj{$f÷pöË‘d˜ÀC¨÷WG?}Ôé,óD%³«»
®,Y&gWÅõ|qqqz~rö�ã@Åbþ><b!æŸç_¿ÑÞÅq®æ‹_N—°T‘N
-©ªÌÖÁõ~W™Íî¬Z¤ï§�±Ü”„“Fø Þahst �ŽÃ,‘»qrºüpyvquöå¼»Õ£3°…P�P¿K’Rƒ;¹
-“\¦L‘ƒjȤڵ¥Éª®ZÛm×w4þ]Wæ¹q‹ß…P>(«Ñ�õ~kª`w,³¹5…¹õ`wõn"…³ÀÈÌX厶O¿ŽrÆßÐÂ2\ds³oë­iË•Ùlžé|Å�µ¶ �Ûç	éÉ<.÷ºq›�è<J2/¯§µ­ø�µ©î'	ÚšÂÒv[ÓX<örE`㙊…
ïÃw°Lõ4•àÞ*Œã…ãÍÉmö08Aq¤Àª•çÞ�¢<™_­-
-Hª9‘»ªÝXО5«5ÍLQ”mYW´ 7vc»w;DØ€Æp²²SÏ —*uÖ�‡·eevLš‚i
-'ã2û/pü•ìÌjU†#ÕlWáÕfÂø u.ådÝ£ò%`$,؇(;žïIïZB”–ðîH4}"žÃéðHñ$û£s‘%Ì
DBÐ?FB�’)ºI qå\!%W
-!FÐ)&
-s~íãÌ4M9Æ’hœB)Œ(•ÒìÄgk·8_Òd»oËMÙ>¿ÅB~P»ª4	)þJí:DñzíÚA�9O@�×Aqãg'Ýìž&ÿ¡!¨ÇËÍxù<Qû‚<CeŠ�êz½5«Ÿo¾Y”®ý¹±«�m'ÒŒÔ:„$ãkþ…oS/ä hˆïÊ��Àö“E>mÝp1!â0B¿…—ë`ªˆWl±Uâ¤Vnm½o_}Gv± ÷(ÑD’8fÐ}ñð:Vè„Rh‡±îÞ‚$¼+mó*Öìëå±î L×ÛÂ>N!�ÂJ´C¤�,s¥¤ÙQw�ZC“¸™Ž:àÕ"ÓÿÓÅ?¬”ãPËȇ=,˜°@Ý7®m€JÔ%iØiö·Û²¥½.:à�‹¸û•ý	7)êþ	¹ÊUXÑ2æÂbž©=WÂp|ùñm(©“ñˆ–T89R¨"…ÞžK
ÏÃÈ�¯ÖŽ™P1Íó©"=9È�êÞ‡ñÖ
Å>{ãõþÞ¶~ôwn§ÞòÃ4P�†3LÙhân±u©Èõk°²ØoPÁŸp•å¯ŽŠ
-Æ¡ËU{X%ÃœNlòu.;Ñ2ÀñÚ´fl·|²©›ö@Y{²Õë„“u»C's…³Ój<ü~w_Ø=Ñ9—Î=>ï|Xg#«/U¬¡pŒ³®pü¾ŠÁð|žY›G¦ÆEnªµk<ñ¼Ñp±…!Z„J&�:«H¡&í\,R=Ó*’`:UKÛNäw[x„þÆw¸dwóa(tè)êá�r^€¶Ä€áz8qpäOØø|¾ø|JSçl)âµ'Cy2&º’å—Åœº·“‰¢§Ú;b0õJ¢JŸ†ëþ£±�ùæsüH÷‰“<ÍÞ¤z­³µÝQ.ÓÔ*áXØÛý=?W¨Ï8Ê}š�Í
-7� pÞ�^dE1Ý¡¡¦ŠhV`ð·”
-´è?ðÈ(Bj²W¢y÷ÍÒ°¯›a¦Op#÷>èñ“P3Òš--Ãö™lt“?_Äâ0O}`‡z¿ŠO”î¢+pþòÇ÷þO¨­t–©þ»º:ˆZçÒ…r•©<$½ûLÿ’öÿPÌ[‡endstream
-endobj
-2679 0 obj <<
-/Type /Page
-/Contents 2680 0 R
-/Resources 2678 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2662 0 R
->> endobj
-2681 0 obj <<
-/D [2679 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2682 0 obj <<
-/D [2679 0 R /XYZ 85.0394 749.3357 null]
->> endobj
-2683 0 obj <<
-/D [2679 0 R /XYZ 85.0394 691.1408 null]
->> endobj
-2684 0 obj <<
-/D [2679 0 R /XYZ 85.0394 521.9242 null]
->> endobj
-2685 0 obj <<
-/D [2679 0 R /XYZ 85.0394 460.7643 null]
->> endobj
-906 0 obj <<
-/D [2679 0 R /XYZ 85.0394 423.114 null]
->> endobj
-2686 0 obj <<
-/D [2679 0 R /XYZ 85.0394 387.2272 null]
->> endobj
-2687 0 obj <<
-/D [2679 0 R /XYZ 85.0394 355.6754 null]
->> endobj
-2688 0 obj <<
-/D [2679 0 R /XYZ 85.0394 291.5937 null]
->> endobj
-2689 0 obj <<
-/D [2679 0 R /XYZ 85.0394 209.4884 null]
->> endobj
-2678 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F41 1233 0 R /F53 1328 0 R /F22 973 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2692 0 obj <<
-/Length 4060      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]“Û¶ñý~ŽUžX4>’ț㯺I\7>OÚ&y HÞ‰c‰TDê.J&ÿ½»ØHJÔÙ™Î�À‹ýäµ€?ym’(±Ê^§6ŽŒ�æºØ^‰ë;è{s%yÌÒZŽG}ssõìµN¯md•\ßÜŽæÊ"‘eòú¦üiñM$“è	L!ï>||ÿòù“4^ܼz²T*ÖÉâùû÷¯Þ½|ûoh
ƒa¤‹ïŸ¿ûøü;‚½bÕâù›Wžüró�«W7
­1êRhÄé׫Ÿ~×%ìàW"Ò63×Б´V]o¯b£#kí!›«Wÿ
-Žzݧ³¤�"R:Q3´PjŽÆF‰VÚÑâf]á&ž½Žåh¨´@¢ÔÂü8fù’†Lf“qÇ&ã!í®¯Û†¨³Í?U1ž4Q@“$æ/šî°+󾚙:†]ÄÊO½"³Eµk÷=MŸ—e�‹åj—ÕêpwW7wÔ¬›Ûv¿Ítúvvƒ:Êb‘ø–s;”‘5Fñ�G\/uœDÂdéõRÉH)™<NE-¬ñk|7OE˜,>¥b/ê~MµÜA쬯îª=YîÛªé	ÒÞRù{åºZ†îéãu}·ößvUßQ­¼]eÓzBÃQ”>ÛT÷Õ$@µx{²ÀSlfáS"�Õ& –žx¸­ºã“ª»|µ©J"¥8!á+û¼éò‚ˆ ­\tõ]“÷b�Ž`EÎ�«ŠÊCW•Tƒ£ve~€�5}] QÏš+/�M¾­n¼ûÀS8Vì`£©ÖxšÝ0÷É7Þ¾ñøÓ&åˆM»–�-p´ÈZ´®,	ÖwÜ[V]±¯WwÔ
•?¼~�•t¡²Ø�Ñ}»æO
‹Ÿè%ø'//õøÙBÍäMyÚgµœn”NÓ¡›Å›–ŽÐ~ì:^16´"tÓ¬
-Üã­`×òÜ$³Âx•“Ð�IÁr¢×3aR¿	ºÃ
¬ä]×tJØt“�qG¦™ž!öŽ¶±Ü,H,WN›d„'¿}Ï#Ë’U~G
-#	Áùz›_Ï`	ò“e^Ð~™™FGZ¦^Àô¡ÿY¬ê#Šó8G�D6Í<~+ÞÆ.A¶"iá“iäB&-Õ¤´RÅÖ*#c­RëŸsŒÁ%Æ‹a:ƒ›Î"“‰	j°bîóšW_å]•Ä´0/­"ìv‡I³ÅÇŽñ¥
èL¤?M?ÃDI*ä)¥*`\Ö]
a{~ÇqÄR›4J3m¦D]UEîœ!•Iïä«éN c¬:°ß-‚ðz€4Jq¬àÔ`v¶DBߦnx‘“ÎÖð›*ߨ¯~C¢Åà@߬ýjÛüH½+žê¾îj#ð,3	Úš¡C¿;°Ñ		´vº~’\?7tï“nœ›£ð
-á<Δ¹Qíhn¤	…ÙŠ1S"CÑÅE£íL¯u”�@¯Õ!0㵊ÈØ�¾D>§)s/ù4¼mÁžn

-RagxB…×$‰ÔéT+\¤†PYðeúéD‘œe‚tâ)£½4Ce›ÿVo[†Ö[çüE8Q�œÈ
-?ªΦڪ∙Û5u[Öf‘¯Ü=¿“²„É£“yÂØd¡…äÑúTqCÑ6eÇ„þïðhîþa¸½ðgÇotNø	Ðú¿Â�Y®¥O.|K!ÎÞ>¹+ë¾›hWãõ´+һ쒠GQûû|ãœRÔcÊá ŽJí§÷$BwÄ=kèøY“Œ‡•ý
-4/kG¾0ÇïŒ}È*Üw6uÛ¦Y´SªúZXÆ…å¹(zuB´º¤ß×øté¯(•ª î/\«‘œ=Káí˜O�&#Éé
-N;ä½1Ã6±…âUp7œð§DCã“ÿ8r‡Ž7?•„‰Žào©Î·ÔPãÐWMîË|HáÙÉê\®.�Tì™çlû¡6ç(g‘�!q–E¥x‚5ˆ¥½>º¯Ý{¥=ß9¨çødBh;¢À �(¯¹ßxÕ—Øʽk’‹+¹Ó<²KÐ|ì8Áµ¶Q›“\èô,uê
Mp5§Ò
-÷¡ýêþ™ù9îÿ§É^Šendstream
-endobj
-2691 0 obj <<
-/Type /Page
-/Contents 2692 0 R
-/Resources 2690 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2662 0 R
->> endobj
-2693 0 obj <<
-/D [2691 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2690 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F41 1233 0 R /F21 950 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2696 0 obj <<
-/Length 3185      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsÛ6÷_¡·“g*>IàÞÜ©›Iç⦱3½™4´DÙ¼èé¤î_»X
- Ò|zsûñýW—¥žÞ]_~¾ûéâú.‰•‹.¸B™~¿øô™O°ƒŸ.8SΚÉ7xáL8''ëm3Z©Ø³º¸½ø%1ÌFýÔ1Ue™±²Ñ…!˜3F”a+”T^ooÞ¼£]ÿøó‡wW¸ó;Ü—ŸÝk’Of²„7P/NÛ´û§EÕÕ�Rf”Z3)M	3�pw)ì´®-¬
­fó´ï¨¹ôCÛ5±0*cQfœ–ͪÞTëÑ¥ é´
-„Û1n»j³¨<÷E¶*ØO��¯«ù#õηë5P’  ìëiÕÔ¡w»¡gýG5ïVÏøâ ³¦ÞU³ñRMf¢pÌ
-0FR7ʳ„¥L«i¦·[؈ï
«·ôFâú!1]âN|ïbÝlš¶ÛU]ó5Ì{Úm݆w�¡Û=Ö»–dÜä´np„ÚÁhA,`|i§ûy×l7­ß�;I£Jˆéñ£ÿ¿ï›¶ñLŸÎëù—–¨PYøìãàvÓÕ›./†ÿEÂ.4zÜcÝÖ4œslë.qZ4$fàQu�„
-4ÞGh¥]?}°«Þ.²PÁ5ÛíÞ7æhÔB‡Þù–ü§%Ò߸á>
-Ï?ëKA´Û0°£çz›"&�I8y|Aš?ëc>Å€O$ÄÈ.¬Wh"“Õjû­³l…lÔtÕýÊo<nú“Ï+o$è÷.÷N–Æ
ÚÆ­MÍ’BŒáBOõ¼ù�sIŽc'Å’ö ”Öª)4p
-ÐŽØuÝ´m³y
-<�²‡l´`§U[Í”2/ jNuQntµ�W«€î‹Å®nÛ³hZ‚Ž„´çåIT#å–eÁ¬Ób(Q@SYrBSYŠÌúe–-Kqh}
IŽ2ØG›AQ	ç÷ÂÊà{Q
#À$˜ÕJôª€½‡P¿�÷ª´ŽïòX9«ÀÅ
^‡Š'R¡	H…zH­dZ¸WÁ¨(Ë!ŠÂ2
E…ÊPºƒÂ°YmhA`Ô —Fšù#s7Ô{ÿL}áìK=`­Çph&dÉŒ+^G}ýæ…ã^8Ò
-G°êK;N»s*›a¬¯\=z¤hŸÓ;Šˆ¹ pL°k³í‡BOˆsl7±fô›l÷’�æ¨ò‚/¼Úæa“jÉÓ0!
-f$€Ùy˜È¨ÎÀD¤Š™�–ÇVDò
4Ã
-¡õyÕˆh(8x	-)n“Þü¡;å=8[T¦÷m|é«W$ÞæçsαŒÄl$~»#x¡(2ž;rU†`ɬäe&$¡Â'¡ÞŽÁ—±£Q_�̀匶‡Ÿ^à¼ú¸˜‚	Y”¯@
þœ*Ïࣰ@Õ�0O½,j(XÖáHçâùÊ

-/ßi¶ôLðíûª¥ƒ˜£»¾œU@¨ÀÇgÕ0Ly�‹àî9è†Ë¾á£ÀëŠÂÉóá“S�ŸDåÁkUÅÄꛧÈ”Z�—"Q�ˆq@Rê@@¾¼<Y½xùÝÙ½
¥Ê¨Ã
-¥à¨c�vxì-˜úJk%åëK©LoM;*œÇa›�ýÛ›	b0ÄP<e{iá Ü¶Ï¨ÎØ>RùÛ�n¬xKÖÙô¨u©ÏK�¨FDìVÁaKZ;”¡·{<gb£W5ö6ëÐíž+©-!UÒ9#^óÛ׌þ>̇í/$ñ`r×úZ­ö£�
-¥Ÿ“.U5'pÏ€
¥bp�¯êjwbW¡ôrLU÷`’“~€Y©ôy?È©NûA¢ÂE¿ÔÏÇ÷7ó]‚�
-]0ˆ&3SÒȘf…•æ¼žÕÈÂÃ0µ¹²Ã…é^I©þjFånIciUHÉlÑ>ªe¼‹r†»ÿŸ–ÇãͤS¯*·oÔòXÁW2Ùÿ¼±«Â7
-ãÏ_©ø{	t¥:_Â-èkHÔlÆò †X)–¾ìî
‹?†@Õ¬íA½uûrLH8
-…;¥:=}y,û
-endobj
-2695 0 obj <<
-/Type /Page
-/Contents 2696 0 R
-/Resources 2694 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2662 0 R
->> endobj
-2697 0 obj <<
-/D [2695 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2698 0 obj <<
-/D [2695 0 R /XYZ 85.0394 751.4437 null]
->> endobj
-2694 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F53 1328 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2701 0 obj <<
-/Length 2550      
-/Filter /FlateDecode
->>
-stream
-xÚÍZmoÛ8þž_aà>œ¬¹|•¨/x¯ÙEm�k½ÀÙ|P,&*K®%ÇÉýú¾Z¯v¶]à*Š‘ÃáÌ3ÏÐ!3ÿÈLD(Jh2‹Ž&b¶Þ\àÙ#ŒýzAœÌÂ-ÚR?¯.~ü…ų%�f«‡Ö\a)Él•ÝÎF$B—0ž_þýæÝò2æóÕÕå‚R΢ùòææêúÝû?à]`IŒç—׿/?ؾ›Ë„Η¿^}¾¼[ývqµ
-jµU'˜i�¾^ÜÞáY;øí#–H1;ÀF$IèlsÁC‚3æ{Š‹Ïÿ¶Fͧc¦àB"Ay4[0Ž$¬?n0‚bB@(	ŠeÁ`”ŒÌKiƒÝnwj§¾ÞÙÝ—/»]­û’U›4/eºQ¶ãv]¤uíD›×­êÛˆr�NâY[‘�ºAjD_ÚÒVA	e¤«ð'õuŸï.‰œ«úrAÐä)ml«¬ìÓ
W{ÓX«vïº2ÏÌö©—¼nÜ<ÕƒŸÏ}PoÕ:ÿcª2½Ó¬­HÆT¦´^ÞýM0”Ì�Ð#ó,8MÀ£"°!(‚Qcë‘	E,w±¦å˜j$ALÄ~Ñö9ç‹Šó²Œàùû‡±Y9Š9ø"~ƒ~^*¯­·T›¼iTöƒ}{mŸb�ó²Q»R5Ð&¶×óï7*CƒHtî“q"Ï„ÄQèDD8¡a@¼~@°`ë”®Ah¨l?X,HGÛÕ“¶£‘óîvl0»ØÐãi[¬ÇÞchèOu8è1ºq.â¦o	v:"D4äýO¢A"Ê9q²›}íŽÞàÄ©à
-\2NÈÙà�ñÀ�¨$óÃNcoi_r÷´¶†FÝÀžRŸÍ�zÑG*=›tñ]«²I›¼r˜ãnO4̺Ç^ŸuÿéÜ‘‰ ‰®?~r¥Œþo9	û"‰¡ì'jKMÃ~�2°¿ß‚m•ÃòL·êø6Àý¦)îFRÀí1ܺ$pw×ß
-#a€}r/Ajd3�Œ\	*HÒÝÍ;U¨Æ—iùúöªÁ}£÷:J5 ^£T°obÞæô9	–pÚ
—QÊ!ÁóCNÅ{„(	kLò#%ñÙjMd2óé­zÎ3Ë_ m©QD´ÇFC€‘¡u)£óC^vø¾#¶©ž5å
<ä
Ì�çHö-
-ös@쌙#N»æ׊?–Ör�=êîEwz¨(ªƒß2dJÛ€DºäºÏ‹¼y½$
-{³-Ì~$…ý
-+0Vî±®¢­›$½‚_"c(i¯tæ@k{ó$Ì=�†ͯ«&·.Ü­¯m¹®¼Üî]š1e.tùk+áçµ/.ïÔö-uóìR`ˆ>y|‚
�O¶UWýÅS+ýh·¸ßš­áî–L2sþ–œí¸Y@3
¤Ö3¾W`‡ùÚ¾¸#6mŸUÝÃÛ
-ë¶wÝ®Šì©ªÔ9n=°ìNF¦&3Ú(¡ã3Ɉcì'5SýÛ)Aä„Æ>ÿ÷m�eiîĘžZ?ŽÏ0µÖÕ££»ÕÇ?ìÃKR<’°BædÊÖJtø;……F�¡0ŽlúýM¨H\D;ÿkÙª{+Ÿe�ZÏ:—:¯3ÔöÍ÷‡¾'ïÚš‰¯h\ñ¶Z}8þ,àÏú+„kVëþV×´·üNüÅVbî-_ÑñÒ1ãÛ|üè–csôýò_×Ë�WÎíª�Ýt(œóRÚJ2ô9@a–»k=
dªésx‡þ<rèáÊ1ü'µþâ¿hAr@7ÍÐÛ/¥ûp$�À—ÃÒªÌ5–YÉÝõÄÁ™µ¾vZÆõ=ˆ$᧣.L¢
-7­ô?uhâÂ>*åû*÷©¹w‹¥V!ë#Gnw%!ݽ¬YAc‘câé¸Ôt»Þ‡Hu‡;hžT÷þ7¸à`ZS¡É°ä:-­îº]•PX±|ígµ¤Kâãe0®Ç…¹ZÖ	uâÏLÐ!6ú÷8P¬ïþ”ãŸÚð1)éÔ•‡@ðqä•Òv'1rqˆ.¦©ì@÷ÿ
…éuendstream
-endobj
-2700 0 obj <<
-/Type /Page
-/Contents 2701 0 R
-/Resources 2699 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2704 0 R
->> endobj
-2702 0 obj <<
-/D [2700 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2703 0 obj <<
-/D [2700 0 R /XYZ 56.6929 335.9533 null]
->> endobj
-2699 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F53 1328 0 R /F41 1233 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2707 0 obj <<
-/Length 2326      
-/Filter /FlateDecode
->>
-stream
-xÚíYKsÛ8¾ûWè¶rMãÉÇѱ�¬g�7òLÍV’-B+©I{üï·�(’¢äìNŽ[:àÕl4_¿ 6¡ðc“H*b9	cIej²ØœÑÉ
-ÖÞŸ1G3óD³.ÕÛ‡³‹w"œÄ$x0yXvxE„F›<¤Ÿ§—÷÷7w×·œÏ¸¢Ó·ä|¦(�~¼¼ûíòÎÝŸÇ|zùþfCňXhè:ýtw}uþõáç³›‡Vœ®ÈŒ
-#ËŸgŸ¿ÒI
-’ÿ|F‰ˆ#5y†
%,Žùds&• J
-ágò³ùÙ¿Z†�Uûé˜
-”ˆˆŠx8¢ÎÇt b.¬vçÑ´É5œ/¦Y�í§wWØ�3HìÕë¤Æ^‚M‘lÜW›¦rKEé:ú¯ÌÏ%•k‹ì”õZï°»;gÑT/JÛ¦n£—­—féÚ.ÓjÀ›«»Ë�7û_¨¢kíwÀãÁ=�²fŒ‘X)nO¾6<DÀ§�ZØk¶iRëÔÄt	bÙÙë»ùüæ
-û™£´2®„Â^]b›äyùŒ,¬XUy�<iÇãÓüöý›v�_nþíN‚;³íˆä}µUNÌÜ7›´„Kó™¥ql?{wû
€<D,%T�=
'’Ó#Fæˆf]*0�
-ëP�P˜§²
-{Jv»¦¸0’¤•®ª¬,È7ý2…KJ¤
-‚Ó²´T‡ÂôTÇ¥"R„q_šJ[“3º[ëu=
-ÉO#Œ$#‘ì{ÅÙ�·(7#|„"Q Ôky>£øï!Cœ¼‹–èà2èb€B÷nã1©ô,�],Ê4+V8*—ØþóãåÕìãµ`l�>½µ™xô¶\T•^Ì€p¥
-"ãÉ1”©Ð¸KÊOìKug-Õÿ�v
-hÛ]ö÷v
-c’Ùu=ZH\Ï\z“=î’Ý0Ê|µØ½lërµK¶ëlá¢ÜVƒè�ÞUopÂæþ65J|¤['Åj�G-›ºA½àû¹÷VunM!k€t:¦Š÷E¡ÚÝéÂ
-<9\{dIîÚèsp±1¡¡tÕ£ùÚŠð…óðH�Ç(‹ÚŠYæ.9¬³<«_N`Ì9È—¢ÜVpwƒx
�€	(z¹ŠHÈ@ê‘pÁ@p®L(<Þ»,0¼³‘ðÞRí€?ÏñJtM[�0Ž¸³Öªlv=KÒ
-¡ÊEÈÞª›À“õœ#œûáÖ˜y¶š-³\�°… *!‡l¿½Ê¬óO’ˆÓpȳz•ç¾œp„»æ�9nG8.`rÕ·Àm¹«G÷S¥–ñïmïed‹¾ÎƲb&�-—
�Baõ¯<R (㙵g]–‰=Ñ8Ÿ´ßÙˆ˜¥#Ggœ%‚þÑåfcÌhn"#"ÍCSϽ_ß̯>ÝÞ?Üþz×~5âååÞ&]çD
÷=`½0n‘*WWB§u†n¸Ä6Áƹè9 …rj^|b9½­ÝB Ö×·RsÃyÕŒË›GïªÓÄm÷œ¸}¶x §,µq
-f2†ÜM¼½½»ÆÌcJ”IH‚YçIÇ{p\Ñôv9"¼¢�´s/ü1�È‘½Â1ê	é©üæãèsV¯qº(}4DlØÉ<+\8-·6:á´�hÐ&VÚU³ÑEm— éàÈî‹ÚÑ'ØTkcž«ØÅFHÃn‰	%á‚}“n_àR�yû:ÏÉY
ÂeKž<%Yž<æÚX/ÿ€:sq©w2r@§,8©r8kk#dSdH"Ìë_¨œÂMÏJ*Bÿ€j¦|œ4ý²í%Ø<\Ý#=XN¡u¹MY€Ö%
áËKC¹W�ý¼��ŠÚ
-‘:è9!{ŠöP�Ó4[eubÂs2e«"ñY†…¤ÓÛ)QÛ@µhvHQÔ¸ÒW0ÊÝðÐþÀ!ð(�¯bXÒÀ+´ëµ:V“¨S,§#l%qÜúA‹ÕÀ‹/§î%
-z]”Å=åä7 2
-Dßp“|Uî@…|²Í*l}iv„$ò2¾5®4•v4	6Õ:is\;֮جq\ØêijÐø@,­‹4ˆ)èxŒ”ÜX c—ýš¥Ž“ªÆ²X“šÏªú%·¬¢¡
-ìœ{ý†ÑÞm˜
Š
)uU;~¥¥w ÂôàÆÿQu¿¯¶&17òÃ	/ó¼·Ñ¨èÂϘ{›o¶ÁäÏ…vI§û«Â¼y÷8¾!%ûǦaì�BH)
-endobj
-2706 0 obj <<
-/Type /Page
-/Contents 2707 0 R
-/Resources 2705 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2704 0 R
->> endobj
-2708 0 obj <<
-/D [2706 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2709 0 obj <<
-/D [2706 0 R /XYZ 85.0394 692.3622 null]
->> endobj
-2710 0 obj <<
-/D [2706 0 R /XYZ 85.0394 528.5904 null]
->> endobj
-2711 0 obj <<
-/D [2706 0 R /XYZ 85.0394 455.289 null]
->> endobj
-910 0 obj <<
-/D [2706 0 R /XYZ 85.0394 405.554 null]
->> endobj
-2712 0 obj <<
-/D [2706 0 R /XYZ 85.0394 373.0534 null]
->> endobj
-2713 0 obj <<
-/D [2706 0 R /XYZ 85.0394 338.0016 null]
->> endobj
-2714 0 obj <<
-/D [2706 0 R /XYZ 85.0394 273.7334 null]
->> endobj
-2715 0 obj <<
-/D [2706 0 R /XYZ 85.0394 203.3969 null]
->> endobj
-2705 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F48 1253 0 R /F14 976 0 R /F39 1173 0 R /F41 1233 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2718 0 obj <<
-/Length 2639      
-/Filter /FlateDecode
->>
-stream
-xÚ­Z[oÛ:~ϯðÛ:@Ì’/âcÚ¦gsÐ&ÙÆ],pz[Ž…ÚRÖ’“Í¿ß^$J–�œ¢@M‘£áp®ßPa
-ÿØD*¢7m‘”ÉÉb{F'�°öÛó4³@4‹©ÞÏÏÞ}JôÄ£¸šÌW¯”Ð4e“ùò�é{ÂRrþçü÷wŸds f”ÃHõõæãòáöæ“£ì±åZÍãI/ïî®n>^ÿç|Æ%öç3IéôËåÍ·ËÏnîîÜðéåoW÷ÈììjÞ$>,£	žâ¿güI'K8óïg”$&•“x „Ã'Û3!"E’„™ÍÙýÙ¿Z†Ñª}uTyŒž(>¢=Î&Œ#%ï©O¢žØÓÞÞͯooOÂ@%LM4ç$aTÙÙÍbª°ñˆÙî;{ð6“%›°¢3D]íw‹|–-—»¼®‡2É	×Bœ±¥‘‘Ç;KM¸”º/ä·:ó,J„Pò¨”Ö©&I
-œyVŸÏͦÍ:Ç
·ïŸ³tºÈÝ2Âgdf'VÕÎQúWØtQ•e¾hŠªô¼ª
A�ïžóݹS †4!"MA
­?€,_ö›¦xÚäΫ‹²n²r‘×î1sR¸‡§|·-š&_ºGÜÐÒl6Õ‹ÖyÓå£{¨Vî÷¡jÖþ�µçt}÷,üËå²�RžI¤KÒé"¯É1U)ÄŽNùi�©ŽûhKe}t1æ£m,XL±*g«b“8h‰ÒÚœ–¯¥°ç ‰&JB‚èI8î �•¢f\Ä
_l•‘w2ã=	ðòwJùã~—9ÃIœÙxôš<[º´;3I÷ú2_eàdncÁzQD	Õ,Hù.oïvårAPÞ±0JˆJUÈçÇ�A[ÊÞð…Žè„+x"ë	?ÞÌV?ò×q7`Ššš“’µD‡¢õœ€3¨PÔbÙŽú€Ñ‚�7à‰œ„6‘p.|¼òßt3Áè8Ùl°ó$¼"N�É”¤Ü¤FÇmeÃÂLSÕÚ|–P6�‡}¼h(ÎÈVP9£U¼“Ë…PH‰†dØÏ…'¤0LY�ù¥Øl`[¦§¹ûÝ×6/ÂÈæEøÍö Œ²)YciÄÑv	¯vë5,ößpʳK6uÛq±êGÊ�l ÙÏF¹a"$­e•{Aʪ	JaD(�ô•’ÿ¯¨›£¡&�®‰8k1Õñ`k©l´Õoæ]¯¦a¬QN´9-˜§9”«>\@a_°n×�~pkÑF[�Ú5Æe¶õ#¬åøÛ«òva5x§u¿¬‹ÅÚ
·Y³Xçþ¥ì�jx“o�Á#„FŸ-øÉÌ™\IXÑô-ÞOöIÚ%û$uPÄ>¶aÊ ‚ù£c�è!“Nº8ÖTN¯WŽiY¹�Â)p5hçöOO›ÃŸœH
;¥<D•›Ýe~q>L6]WuãHÑžðáÕMù°r.ÁÄÀ÷}›µÊ<²Ødì
.
�Mõ„Jóè)6CˆÚHî)�'
-9Ý…{ßTȽMÑ0öi
-A˜ŸÁ4u<–3.ßÀù1Õ‰XT6–ŸÞ¬œOÕ®Êe8&}C®@4"W¬9£ÁùÌ@®û<ÀÏ(5GÐvþáÎC_/Ý0ApC�¨Á†FòRtW5#�x}óÑ�Ì?¼Þó‚tec3Eå͹Xg€þ7�pþu(xG­
-Wâhÿ¬Q�°n ²Öý÷pK¨4ZaÞ<µe Ù²Wþ!S®ú[^•ÙCpṙ*ä¦z|„ä¨ä)¡ÙmBLu\	-•UÂ븋'¢ÅÕXÄb¥
-ª7ô™ñ†o]@
-H
¸Œ^ÌÃÃ#ôK
‘Ò¨þŠåa)eD2¡O«­¥Ñ[¸R£X×oÖtÊçk´
-PBµøÓµõ®S®	4Ö-ìsöeìßwÈé“o-Ú秃$óSˆŒ/P…’–nÒw	m?s-6¼Ø"_ã~#;êù™\‹Aû†FA	©éMecj‚D4õì¨É‚°Úb[GÐd…ÝV굿ª\ºÕ.Ž=Aèž`­»Ô„yß·£•gå@!Fürì0‡¸lFúÎO7¨1Ø�^{xW¯«ýfÙ6N¼Uß½b�nëìÙO=æe¾ËüÆŽ¶Å•¾Uy�nQ!ËÔµ¿	æF+ƒ°åÜùÚ'û–×ÂÞW<mrËAà¥D㦭éa":,Ìb—@Ôj^Çzí&•ì/ô‰aó| œÇÌ0eÜÄår[”$ì¬	'ùš¯¼6Ë…íKVîAiN
‰„�R6sV¥àåÈ) Q£LóŸéÔT›„°q_ª?î1žâŽ‰�eXYç›'7òÕ„´E_uf³8M¡6+Buêðçë/×sû™
-ÿk?ñŽ>Í%
-¥£M²"
-ÝßpüÞ}ì3&×’ÀË*…ÇdZÞÙø¿i8”ýÿ7_Uyendstream
-endobj
-2717 0 obj <<
-/Type /Page
-/Contents 2718 0 R
-/Resources 2716 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2704 0 R
->> endobj
-2719 0 obj <<
-/D [2717 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2720 0 obj <<
-/D [2717 0 R /XYZ 56.6929 752.2728 null]
->> endobj
-2721 0 obj <<
-/D [2717 0 R /XYZ 56.6929 348.0801 null]
->> endobj
-2722 0 obj <<
-/D [2717 0 R /XYZ 56.6929 250.1909 null]
->> endobj
-2723 0 obj <<
-/D [2717 0 R /XYZ 56.6929 188.746 null]
->> endobj
-914 0 obj <<
-/D [2717 0 R /XYZ 56.6929 150.8976 null]
->> endobj
-2724 0 obj <<
-/D [2717 0 R /XYZ 56.6929 118.3669 null]
->> endobj
-2725 0 obj <<
-/D [2717 0 R /XYZ 56.6929 83.2849 null]
->> endobj
-2716 0 obj <<
-/Font << /F37 1038 0 R /F53 1328 0 R /F21 950 0 R /F55 1336 0 R /F22 973 0 R /F41 1233 0 R /F39 1173 0 R /F48 1253 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2728 0 obj <<
-/Length 2932      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]oÜ6òÝ¿b�{¨Üz~ˆ•<9ŽÓsѸ¹Æ
-ôú ìʶP­ä®´v�Ãý÷›á�\I«uRü°Ô�šÎ÷Œ,þÄÂjÆUž.²<eš½XmNøâö¾?þÌ2ZO½½9yõ^e‹œåFšÅÍí
-7õ}H‚ Ô¡jO»ZÏP‡bMë\k%“'T~<V`•kwS
-ªo¬‹'
®ž
-RrüYì˜ȸ,žl½'ÛèÉ–R#BŠÈìm¨	B²‡#Á¡!\|ãéx%ø'=œ¤ä¥
-¸ˆa÷«XÝ+Ê2á.Щ<�í8çš÷Ì€x¹^ò$
ýîœ'A§ï=)ãOÂE6’EW‚•s%øõ®”yWʸ70&;
p$��ç*b)Ñr‰ùsùá
„ÒÐö‹à¨›±@•Æ惑ûÍY>š9:Z2aô8byVíÓT¾ÉÊÕ�
-¼�”îO=€çB½Q‡&v¦¾<¿í÷EùœrRÁ2^_ŠËút›î³ÊSë˜XŸ…Ú;TÝ¡DÖÖôXAß¹[—¾ð.|ßÐoÑÞ(;µ±Áˆx±\£°ãJxOaT"À�Ü€EH­ÚSôòP¥¨Qø‚úÐP‹ávÅ4¼BC
-ý…
-ñ5]_þÁI<ñŽJpaX£b\÷­’Ë©mL�T}ƒHùÄÙ(^JeñGI+‚hÌß�5 …»)

-¦ [LS’þî¥àtOÀ-„ÐvCë ß3z¤j3ÛWÐcŸË-“<v…ø¹
l­œó}ɤ塈ˆÇÓñŸ:��¦}j<{ÝMnYªÒ€jS½@T1¡"Ñ3/b-×øYô0c_1Ä–!TåCÑe4ëÆãÑìÍ  ‡ý[ºâ†vÂ¥ÜLéa׳™‹I£™Ž	ûeY¦°=eK¥Åz¢ÝÝW¢Ä‚+2QÜÍ=ç»>Ìœ-㹜‹c˜:‹ª.¢�†0°)š0䆂jÓùxð©,'‰úò×ó¼ô‡1ÝÎôÀ(´Žã‰ð馛.¡c_ñù7Ð�ÉXÐIì� ³ÚÊÑ—†¥á<ù�“LÀ=2”É×€¥�p¾nWE�mÚ›¹:<CtàáÂðüÆ·ºcJ¤�ÿFd˜‘ùø3ŒRý"ÓŽrf(Ïý�Hÿ±`æË=�Èÿïÿ_ØÿGš1eíþ
-endobj
-2727 0 obj <<
-/Type /Page
-/Contents 2728 0 R
-/Resources 2726 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2704 0 R
->> endobj
-2729 0 obj <<
-/D [2727 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2730 0 obj <<
-/D [2727 0 R /XYZ 85.0394 749.0409 null]
->> endobj
-2731 0 obj <<
-/D [2727 0 R /XYZ 85.0394 687.8191 null]
->> endobj
-2732 0 obj <<
-/D [2727 0 R /XYZ 85.0394 186.4649 null]
->> endobj
-2726 0 obj <<
-/Font << /F37 1038 0 R /F53 1328 0 R /F21 950 0 R /F41 1233 0 R /F22 973 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2735 0 obj <<
-/Length 1767      
-/Filter /FlateDecode
->>
-stream
-xÚ¥X[sÛ¶~ׯÐø¥Ôœ!
-Ž’Óóåÿb~Ù|ŠË‡_žV¼9ù¤Ë%-Ëw—ÿ)?�ÛÀ>�^iïÕgã0° yÚ
-Š\i•ÈB 
-ªñ‡ßx!¹ù%ŠXålrQíE	ª&ãà+k�”AVWVÂíf�¶Em·KXJi�aG¨9,ƒæ~±êGè|»yFU`Zë=HЋ;Ï‚¦Z–6mÍÊT-Ò‹*/2 4Ý1.ìxŽ÷Ð`6.s±XuáVÁÛóùqxþZà,-g4è
è(NG­ßºSçY™b ì¸®Ú´¨§Ür“6&Lbœ˜*«ó¢ºÅY½|J¡'2V43UÖ�$Ì\ á�×›	ÜÔà$Ò	cP‹UˆçåZÑP‰†`,Ð ´q6,(�A,Q1÷{‹wnP=îîW5r¢ˆ‰ŒùóùAJy�@:ø»2Y먑¸Ë4p·“ïã
X±DÙ[¢:M1(¼ÃÐ|2 }úF„c&Hᶾïyuaû‹�k*ñ¡Hñµ†U¯p|O‡›Ç.¢1x6éû!ë£,_Þöú*
mÀÏü_äˆÕ0¿³HCçNßSý¹ýõ‘Øj
R%dÉÚâ­5þ˜½È
-’Ä{™ŸXé#¢…„œ*¨çÄL9-gpÅ7{œ‹WÞ�
-ÝžÔB|Ž:¼é‰Y›}FähÂ…ìxlÎY×e3æWˆèíûÚàm[ÖëáIL [í f“uþTØFX’t¬è­î²cÕ�Ñýº°.ñ áLÊ%ý‡ Ù%Ђš„¥¤Wφ¯±#ÖDQ¦>‡ªÛö|Oo“ÝÕاýVÕÛÊ÷¿ejMþÃ7ÁÖÍn�únÖumG8ù_ÊѾ7DÜÅœðÈjg^ÌÏOÐîë“«Tåàåæöéì͇«¹õæâìòâ	+"¸ÂžÎÕYN_”9}ö´Tì"ìèƯîJ¿‹@Ž«>ðN³ÌܷȉÅÃR}’†N¡ñlUŽ<Ý>–Õ·UñÉ+„H—‚-¥¹7YaïN-ª±éÛ˜CÈ$DÛFörpRù(q¦»
-Á)ïÔãˆ>«¾E £:;-ªQuà	õ% ƒ/>¨|�æ�ib­ƒkcôhæ®ìuËcyˆÉcù|	ãHÉ`²ß‡š±Aã�eÓ~xŸ]¼Æ‘Æ×<_UÑ´
-endobj
-2734 0 obj <<
-/Type /Page
-/Contents 2735 0 R
-/Resources 2733 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2704 0 R
->> endobj
-2736 0 obj <<
-/D [2734 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2737 0 obj <<
-/D [2734 0 R /XYZ 56.6929 253.0811 null]
->> endobj
-2738 0 obj <<
-/D [2734 0 R /XYZ 56.6929 157.3292 null]
->> endobj
-2739 0 obj <<
-/D [2734 0 R /XYZ 56.6929 85.4876 null]
->> endobj
-2733 0 obj <<
-/Font << /F37 1038 0 R /F53 1328 0 R /F41 1233 0 R /F22 973 0 R /F21 950 0 R /F48 1253 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2742 0 obj <<
-/Length 2868      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKoãF¾ûWè(QO¿ÙÄž&™I0ÁÆ3›q€’d‘¶ˆH¢"Qvœ_¿_?ER-ÉÁ¶šÅêꪯ^ÝfŠ?61ŠPQÊIQJ¢(S“Åú†Nžðî‡hf‘hÖ§úöþæÝ÷¢˜”¤Ô\Oî{¼¡Æ°É}õëôý—/ï>|úïíŒ+:ý–ÜÎ¥ÓŸÞßýòþß~îËmɧïøøõvÆJYH±ÒÒi:ýùîÃw³ï>ß}ÿÃÇ»Ûßï¼ùxŸÄê‹Î¨°2ýyóëïtRa?ÞP"J£&/øAÁ°ä“õ�T‚()DœYÝ|½ùObØ{ë>Í©B	C”áEFœM˜$Bj>P†*	7wÊ°;Ã.)4°ÛT‹Ù¢Ý<>Õ»3°Ÿ	E+µ#½›¯k;¾¼§cPñ’éù
˜8eþÆyáGö�ýQ¿ú
¨êݼkÚ@ܵí*¬
Ù)•âaQ�B~}Ý´Û}³@C‹ªÐ�¨ÐBæK–\IŒ³À¢„ÚUf}N™’e€•¨N÷®¡Ò_góßãèÁïK‰&,¦
Ö¶ –}ówPò`=É aÁ]â¹Èð´&ÓJY>6«Àr™Fd˜k#yd¾I xóíUy·í®Ëðã‚”Ö£Füv~3QÂi8ð8K
-É#ž½¾<gx�(·„›Y´»Ý-3Óz¿m7•!£NhŠ«2"«v»vµÏ¬,J"uaoWËpCº`ŒƒH†h •Ègß
khxïen6õhx\i"[˜ªsúÑœ<…“‡WÏu	q‰·�´y³”e´O¨Ž–]½Þ2ƦßàK	y¬é¥ ‘ʃ»[3=„¹—¦[úÙdÞ¡Z”!ÌÈ"H5›çÔBI!T¼Ý§
-†
ÿ™Ðu
-E¥æìŠé9‘,E¾3‰{¥¦ìg€œ?sRÕ׆m¯wÝaKl*à
-+øBŸíº¾sÐtºn½výd½š?´¶÷ñ?O[L"ÔG�ç[¦Ê¿xxÍù—D‡[z‡>DËó5E�K« õ2ÿyhü ²6Ñ<Bûøk¾Þ®b
-	}�ÍíœËævЄ‰‡¦ÛÛjTŽ?lîs“u|v/u(YàêÀ†�bÜ„cñ/MB66)Ъ‹ÄŽ	Ìݳ3nÎZ›Ûó5]êËÖîS�·v¢rÖ^ä¬
÷F%sz
- ê2¸ÕúÒžWûá
¥ù. }U Þdûñ¹„•O‡TY9{æÓ7ç¼xcÊ¢(¼Ó�ÅYÓ04-’¡6¼hš>ÕyÓ$*gš?ÞƒãÍA6_”íƒO…ËÆà�tƒlkÙ`#o¥´Ëz~äíØ£‰wXú$,G¶.!>m‡£¼X|?¢Sé=÷�çùÊ�žaXµëy³9J@.„àûˆ«q,Î4­h׌ì·	³K­¯Âƶëö�ä2lzT`©l¶Wao‡˜á”Øý]”+eäâ£Itø#Á†Y;Ï»AjÇEÙkÇí'©½Ø^ÓUù¿¦(á¸×ú^IJ‘ú¤z™zDqU·‹/B�±â<úNn�뻵×3òŸÝŽÒÄs‘ÉL¢¬¡œÉ7T0ßy01A˜dW*ƒ>Õ0E*¦]L%ÑF$O\¥�$Jc.K—¨2â
0ɢ@栘
1¥ìù8jºoÎn‹ÚO»jO/­§©æÝÜÏzëcïÑm‹kI<B-[D©v×üOH5®µï‘BrŠ{Û–D	Ɇ‡YûW ní[½ªu±S3´ß�ŸÚz´=7Uí'²çýè…EºEzWÕÏï¾2I¤:�°ºÞ\mÛ‰�é�ß±>X4‹Úu ñúÁÊ—`’¾FíKÒñô+oÂí­íӵͣóªÀ2ZŸ®C¸n6ÛCG2»4ö6ŽÇ™nÈ™ïÇ„,ÒAîÙÄtš�Bö@ÈÙÍÑh¹Î[mÊ�ïC\Œè�bÂAˆž•o“j‰H;rg4«DWejê³~‡ƒ#Ì4àb^ùi¯ÛXö8û8Kßjø¬¥C±êÎê@{êìå´AÙ/ä­ªüi<ü*�Sl*w z<(Ùïœ
Ãy
j]1B}8P°qì!¤\»wrî_„"öŠ60hºú¿ÿ-èøïOÒ^#›3ÙLP4Âö ^(»!V”cÑÓ?�Êþ?Ò'4øendstream
-endobj
-2741 0 obj <<
-/Type /Page
-/Contents 2742 0 R
-/Resources 2740 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2704 0 R
->> endobj
-2743 0 obj <<
-/D [2741 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-918 0 obj <<
-/D [2741 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-2744 0 obj <<
-/D [2741 0 R /XYZ 85.0394 744.3535 null]
->> endobj
-2745 0 obj <<
-/D [2741 0 R /XYZ 85.0394 712.0918 null]
->> endobj
-2746 0 obj <<
-/D [2741 0 R /XYZ 85.0394 645.3077 null]
->> endobj
-2747 0 obj <<
-/D [2741 0 R /XYZ 85.0394 572.4552 null]
->> endobj
-2748 0 obj <<
-/D [2741 0 R /XYZ 85.0394 472.7274 null]
->> endobj
-2740 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2751 0 obj <<
-/Length 2216      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Y[oÛ¸~ϯð£Ô\ÞÄËcÚ¦=YtÓœ&èöA±äD¨,y-y³Yœfx‘%›‰{p ¢È9~3ó
ÍfþØ,SDYngÚJ’Q–Í–ë3:{€±�g,È,¢Ðb,õöîì—BÏ,±Š«ÙÝj4—!Ô6»+¾ÍßNÉ9LAçïß_ß.Þ}¾þðñòú|Ál–ñùÅÍÍåõû«ßÏ<£ ’”λ¸þzñÉ÷Ýœ[ûxy{þýî׳˻A­±êŒ
-Ôéϳoß鬀üzF‰°&›=Á%ÌZ>[ŸÉL�L
-{ê³Û³ŽFݧ)SÈÌ�ŒKF„fêƒ1¢!-‘ro/ÎRö
-Bh®E‡ÛüåC–�%\€Õ©É‹b[vÝ¡95D+�ÍFk)6kÆÇ2A´4SÕn7å²úƒR^vp2œÎûÇl~uã;P³sfæ¨�ëxz,}‡ßÔd÷LHB%ÓaWM¾.‹ 6VEÂŒQAª®º¾lÂì«vë×_¶ëuÞ¾wù˜7MY‡—Ú˾j‡oœ>í:¡§Šp+dXjÛË„>€f©E�!(
-ǵŠGßn1aÊÖ?;DÿêÙ¿äø0sÜ9Ö²o·aäUÄg–P&ÙiÄ[Íx�zªêÚO½=7ó]Ð
-,ïpÜöe
1Sfj~†òbáQ)À‰©5&Â’»ùŠ
-÷–ãœJ€lPqÅçíÊ÷&”cÕ�!Êh>r
ò£|N(Ÿ�{ˆÁ]ƒò0í}éŸOÛª?gspbÿî�Uç}õW�pwŠ8_
ÕÍƒÝ ”÷¾U…',	ó¬ºjw.<`׳·Êfê´ƒ[Ž
œ8ÊLCå'c%Ö
-5I–iNxðHêŽRê»T2aÄØ,F°]Wy¯åDZsB¯(”Ðkl«!\Ú½‚ëºÓr®«äK®+‰Ö{ÕuÁÈœÙC×�$ç]Ùï±ííSSnCsu°¾œ&)NöëŸÀ½˜%ë°ÖC	kåÞO ëj•Ø§Î€WÑøyŒ¼SK@kÔÄ»†˜çu79dç"¸?D›LÐ÷o›úù 
Êbzj÷~”wÅÜ¿=æ!MU}hDËf>?à¶ãv=V³„tK•F5a‡Ìãâò÷‹ßn>y¦w°{
-ŸdHPH®H
-Û R]·O	›JȚ²éœCs8·>Lyv¿ó@…V
-H
åx4Ø
Љ¨áfZ=`pT@ƒ“x§ñ+>±„ j¾ÙVMtùzS':#BØ1®qå°1 ü×nŒ¨ØX¶ÛÀY6mSTÍC*õQA¸¬ÕoÛºKÅL@­æ1<á"‰Ù ÉTLèi‡Dn‘é¸`׃®ËaŠ:÷Áb÷a3þ0Ñ5ð­jb
-å‰�šú„Ì>âÞ&Ì+-‘TŽÓËöµáâIœD£�¶0 N@0�NÂÝèÔÏn//ý:Ÿn?Ÿv6œýšQÿXÔ0B²Ñ€ÛìHÚÍH�Œä y1õöêú½ÿÔ¥ŠuÕ
-`*F‰gŠd6œ 
è¹Ü‘�W¹Îx
-Ç)dŠëRÇ{Çèù-†OXo‰&:\^?´@I×	'†
-ßJ�ô=Îú8´~$æ‡bCgC [7ÃÑM#Ð0)ØáäÛÄ”`|£²î¶ÛõªJ†uMÌá¬ÝÉY_ÐÐeLœî?!+ý“˜m!,\([&¡òŸ¶IN–Å+›5ÿŒ-Ôæ{Òq¥�<‚%ã‘ï/oß}¹º¹»ú|�ÈÎ{èj.ç'ÔP}Eò†®c¤«ûŒïþ@üÐýs*_A¬†\‘Ôt»M
“&V—’mNf?ÿÿ­ö€ÀÃæW½W·«€ìïrŒ8d0^Ìqcxâjés"×¹ª:>èΠ÷¡ŽáÁ¾h¶ÁxøîJ2(£7žbþUƒlºà”#×g?aG;OÚÑÈ�Ú¼ž¤fO&ž›>ÿ;*ê
-PwuÇáÙ”eï(<K@F!!ù‰ƒ»"Ç£ßD^±¬wÁÈqCˆ.ÿºén8C=0Yo™Å¦­«åsæ#é�…-Õ“°á	Ë€Êô׎[r5‡(”c½€].|¸^¬L°g\�¸�6ˆºÒíŽÖUSÂÖ!QºJ»¼AQò>|áé¸[e:™Ð´Ø3¬3`þ5ÐEÇ£G
-@šp.Ä@à“ššùŒ!¸`8Û7Iú¬ÁÆϧ©nô)¬¾N1"Ž¡ÙÆPÿÔîê°×hÿ–ˆj ,ZfSûx·UplÀ“}ùn�^H§Í9sb)ƒãh̓·Ã÷/š“3M¤µì'’×Qûë_¥‡!Ý;¼
-
-ªú« ˆ!l¹ZF­€’Æ8
îÁØÔK‹ñÜT{Æ´Š7z°oòÒï�¹ðG†
¢Cªû¿ËØÿf#5Ä.ÃÓ×3\CµÐJá6™¡Ç7Uø0­cÝÿyÚ|ðendstream
-endobj
-2750 0 obj <<
-/Type /Page
-/Contents 2751 0 R
-/Resources 2749 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2760 0 R
->> endobj
-2752 0 obj <<
-/D [2750 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2753 0 obj <<
-/D [2750 0 R /XYZ 56.6929 590.0348 null]
->> endobj
-2754 0 obj <<
-/D [2750 0 R /XYZ 56.6929 462.241 null]
->> endobj
-2755 0 obj <<
-/D [2750 0 R /XYZ 56.6929 400.964 null]
->> endobj
-922 0 obj <<
-/D [2750 0 R /XYZ 56.6929 363.2323 null]
->> endobj
-2756 0 obj <<
-/D [2750 0 R /XYZ 56.6929 327.1951 null]
->> endobj
-2757 0 obj <<
-/D [2750 0 R /XYZ 56.6929 295.7222 null]
->> endobj
-2758 0 obj <<
-/D [2750 0 R /XYZ 56.6929 231.5234 null]
->> endobj
-2759 0 obj <<
-/D [2750 0 R /XYZ 56.6929 161.2561 null]
->> endobj
-2749 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F55 1336 0 R /F22 973 0 R /F41 1233 0 R /F48 1253 0 R /F39 1173 0 R /F53 1328 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2763 0 obj <<
-/Length 2602      
-/Filter /FlateDecode
->>
-stream
-xÚ½Y_oÛHϧð£ÔÓù/éî)½æzYlÓl“ØÝÅÇÂÚ’kÉIÓOäpF–ÅÙÃ
‡"õˆâÌ�òGr$fþ‰YjW™ž%™f†3[nÏøì
Þ}:�g™}®wgïÿ©’YÆ2+íìnÕ[+e<MÅì®øm~qssyýñêßçiøü;_ÎçŸ/®½ø™h7癜_|º¼…G‘%˜¤@>Ëç_éíõÅçËó?î~:»¼ëÄê‹.¸B™¾�ýöŸ ÁOgœ©,5³'xàLd™œmÏ´QÌh¥"esv{öK·`ï­Ÿ:e
-£RfR™LØBÊ)[˜ŒY%•·ÅuÝ:PÒ¦óv�·¨Ì½YZ3ed[!{•o]¸úk+ŬU6p•mã6+Zv™WaPW¿s.ûs‘Îæ9ýlêe¾¡áÇ�×·4úÓ=Ó`Uïiph´§²]OÈ*¥b*édm»"�ê-6b
Ê%"L`KZ&„MCQTÍôX=¸jb5k˜ä:n_6´q]mž‘y¶ÐR3žh5[Á2c$‰é\
6]ȔϟÖ­•
-o lëÎZðä6ù}½'•àñhѼ-ë0Ño/iÞ·CIƒâoç•ð`Kä«š6¯–î>¦ór5¡¼§—V¦cƒ¾T¼$ÕÚöUÚšöºÃùEW^ªzKO9ÙGY°6hh’K~
-±Ù<7­ÛϪã]Áî
a„‘‡3¿ÜÜ]}
o)gÜ
-!—)5J:ëüÑ� òá6o‡ø`ò1ß”
òŠz›—�q»�•
-VÄr{xJ©‚}ó@‡QÓ¯û¾ÛäUÞÖ1—µî{\nO¿‡&p‘Û{ÜëöÖ)dP›ªÓöîs½nïŽËÛ{?‘i L»Ô·§¨·«ró2×@)¨³4=-]Ç5!Þ°°„ÃI¹Ê7L7†ŘySSÓ·tD&ÐAZâ�Æ"'ª/2q
-yZ°ŽkB²
–I
ã�h·àPèbJ›ùºnZ…œƒ÷…TJ
-ä±6L2¦D:Œ¨¤Q/¼û$ý¤U�~ô~™W!»¨
-_`¦¶CúÄkóßÄëøz~! ¥KŒï.z×ô·——$ÂÅÏ·_&ÖX’	*ƒ¯¿sÃü/‚�N�oÌø
S"ú-TÖW!�øPi,Z?\]¤©Y�¬ØB…Ù´{ì‰ôÕ!Ââ6A6�>çÕ!ŸúÌe}Ý%Ä´q 9a ·çâ×»}ùzÊ*žíª‚z¹Š�ñ­ok‚3ü£®šzß–‡íq[
%ºí>™:H¯9“â|!8Ç‹Ú]“%²
¥FÛõtE.ÎÒ„˜º¼nIð4¨Ð›M¿ç\݄댢 {6�;^;ùe½<»
-âxs?É�»yíˬ2?§N
-endobj
-2762 0 obj <<
-/Type /Page
-/Contents 2763 0 R
-/Resources 2761 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2760 0 R
->> endobj
-2764 0 obj <<
-/D [2762 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2765 0 obj <<
-/D [2762 0 R /XYZ 85.0394 687.6869 null]
->> endobj
-2766 0 obj <<
-/D [2762 0 R /XYZ 85.0394 264.7716 null]
->> endobj
-2767 0 obj <<
-/D [2762 0 R /XYZ 85.0394 197.5243 null]
->> endobj
-926 0 obj <<
-/D [2762 0 R /XYZ 85.0394 155.6441 null]
->> endobj
-2768 0 obj <<
-/D [2762 0 R /XYZ 85.0394 117.8997 null]
->> endobj
-2769 0 obj <<
-/D [2762 0 R /XYZ 85.0394 84.4903 null]
->> endobj
-2761 0 obj <<
-/Font << /F37 1038 0 R /F22 973 0 R /F21 950 0 R /F55 1336 0 R /F41 1233 0 R /F53 1328 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2772 0 obj <<
-/Length 1275      
-/Filter /FlateDecode
->>
-stream
-xÚ¥W]oâ8}çW䤉DZc?Ò�é2šR¨´R§)	m´�0$LÕýõ{Û!�ÀìªêC±}ì{||îµC<Äã	E•ª
-æ…Œ¡€€”¡	¨L9�»À…„ ÕX¢¢�®óq(Í*Úï¢,Ú&šÕ篢�gŽRÕÀtÅñ>)
-ƒl¯\!©E"„¦-ŠOpˆ¸Üó„’ B�Æ‹/óÉl9¹ŸÖ³Ž+cϧQ¢Â¶”6�Aˆ$ŽC¹�²b•I1ð˜j2C)Õ×{Ù‡}¸¡˜ãÉìW`
Yìfü0DLw™›Þò51«|oÚåYœf/vÖÔŽFs4œëp¾wkŠãlÁókßerFï°èÔ·µ[ŒÇ&O†ß÷ÏÔeõn&Ó‘Á+;-Þ¦YZ€X¥¦¨»æÉ:1ËV‰éº‹²C´é�œ‰¨Â�{÷©;P‹ùðaùÇý¼cÍÊ“¬LöYR&‹÷¢L¶…i|ɳ"ß—éa{Œ §TÀ	^—¡
8á%ÉÀq^M«åH1ÍpÓnsiVÐâ¡Išã“”†æ$ ¦.²ÃÓ�íZåY�æÚ/ºÝ\&ŽÊè¿úoê㔫ԑæ—ëH�:‘D€È�~ÖQQ$CBÖ9š¶ÏàµórÂÀ
-IÁ?RZÞ9ñ¨!eèÊ¥s‚.22ÔV`RÔVÐ]UQpCa¿Ð&ט|m:ÖÎoúFƒÜ¤]²J50‰MÇÏC”•iùÞ^jW$‡8÷Ý
é.m¶O¦9â~-ð{MW¯Ö³Qf~<[
-®rxÑrz‘ªÚá*‡Ž¯ÿ'YYõç»wÓ±vå&‡‚ºw©±ÝA»bncÍ”KKË)Ë;ò'ù•®’ëuÓ\ÅÃùíÃÝxº<VØ ˜!ÌXp=Mš(÷
-8O“¥#×iÁÛn–Š³³´h2#8@ðF‘שըn­Ê�
-\7-r­¹¶Ë&ªNÐ:HwY;›º¥Í›Y€qé'}ω†éÏ“šHŠ¸d¼#ù[ÔàœBJ¤…éËym¼³5‘©‰«/dÝTöŽ>&Œåív‰¹˜;¸0
-/T!ÿiîl]EÅÛ	c^ÚšPÐ%c
ïKŠÉuc5Q—�U£êx4„ëP‰àzPêÚ”"Tˆ…aغt{6¸™òµGƒ@#µYýwºÉŸßKsX�·ïÏËúÁ5Ìá¹.ßtE=2.ÓÝÅÑŒ«àm yp5®ÃœÇm§†ß"l^¶U:ÈÉå„i”ã³'ƒ9�×ü°‰ÛuúmŸ–e’u¿Ë‚
-endobj
-2771 0 obj <<
-/Type /Page
-/Contents 2772 0 R
-/Resources 2770 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2760 0 R
->> endobj
-2773 0 obj <<
-/D [2771 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2774 0 obj <<
-/D [2771 0 R /XYZ 56.6929 749.0356 null]
->> endobj
-2775 0 obj <<
-/D [2771 0 R /XYZ 56.6929 687.7594 null]
->> endobj
-2776 0 obj <<
-/D [2771 0 R /XYZ 56.6929 611.5631 null]
->> endobj
-2777 0 obj <<
-/D [2771 0 R /XYZ 56.6929 547.3221 null]
->> endobj
-930 0 obj <<
-/D [2771 0 R /XYZ 56.6929 507.5308 null]
->> endobj
-2778 0 obj <<
-/D [2771 0 R /XYZ 56.6929 470.5891 null]
->> endobj
-2779 0 obj <<
-/D [2771 0 R /XYZ 56.6929 438.2117 null]
->> endobj
-2780 0 obj <<
-/D [2771 0 R /XYZ 56.6929 371.0488 null]
->> endobj
-2781 0 obj <<
-/D [2771 0 R /XYZ 56.6929 309.7726 null]
->> endobj
-2782 0 obj <<
-/D [2771 0 R /XYZ 56.6929 233.5764 null]
->> endobj
-2783 0 obj <<
-/D [2771 0 R /XYZ 56.6929 83.9088 null]
->> endobj
-2770 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F41 1233 0 R /F53 1328 0 R /F22 973 0 R /F39 1173 0 R /F55 1336 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2786 0 obj <<
-/Length 1769      
-/Filter /FlateDecode
->>
-stream
-xÚÅXK“Û6¾ûWøV¹3|èyÜì#ë4ñn×ÞN:IZ™¶5‘)Ç’ãøß (ù±JÓ´‡Ž†@
-8Èð#bO\ÂÄ+J³°€º^¦¦¡Üò,_èªv¢Ú,ê%ÑmÇ‚Ë´rK.)áa^�ó‘<gš½€ÇÈ÷ÀoAíßuC„œˆ§¼®Ú2»æ¬ùþÁš4Ö€‹j–ÕXR×x'œhI‚Ošþ·•­>X�¼•
-[V{gÁÕ©M
>§¤»ÒU•.œ¡tq2už�\iH.+gn<¬‰·K«ÓƒNq÷ÕtŸ
-ME¾Ëm"°ìÁ²ëWã	ùj]èlh·«Xk‹M—9E†a@@
-GkƒTàºÔŒØ¹¡‡Z á%¤bï¶ÜièGHÄEÙ¸ë#$¿J÷D ˜ucµ9\^äõ¾ñ Þ9'¦å!‰…Ô £w”îè¸)ú!Á¸èò"wKmhÑÕ20D!ˆXÛBÝ@
-ÉbèU®ót]gý#ŒYìÇÊ)¬ÊYŽ²¶åÃ>õ²¬4ùÑà6r
-öRä�3ÈΠDóŠº&>Û«ô`˜nd4ñ<IÃŽ.
-endobj
-2785 0 obj <<
-/Type /Page
-/Contents 2786 0 R
-/Resources 2784 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2760 0 R
->> endobj
-2787 0 obj <<
-/D [2785 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2788 0 obj <<
-/D [2785 0 R /XYZ 85.0394 752.3326 null]
->> endobj
-934 0 obj <<
-/D [2785 0 R /XYZ 85.0394 714.9106 null]
->> endobj
-2789 0 obj <<
-/D [2785 0 R /XYZ 85.0394 679.124 null]
->> endobj
-2790 0 obj <<
-/D [2785 0 R /XYZ 85.0394 647.6724 null]
->> endobj
-2791 0 obj <<
-/D [2785 0 R /XYZ 85.0394 583.9192 null]
->> endobj
-2792 0 obj <<
-/D [2785 0 R /XYZ 85.0394 526.0527 null]
->> endobj
-2793 0 obj <<
-/D [2785 0 R /XYZ 85.0394 333.3907 null]
->> endobj
-2794 0 obj <<
-/D [2785 0 R /XYZ 85.0394 248.649 null]
->> endobj
-2795 0 obj <<
-/D [2785 0 R /XYZ 85.0394 187.8177 null]
->> endobj
-938 0 obj <<
-/D [2785 0 R /XYZ 85.0394 150.3956 null]
->> endobj
-2796 0 obj <<
-/D [2785 0 R /XYZ 85.0394 118.0522 null]
->> endobj
-2797 0 obj <<
-/D [2785 0 R /XYZ 85.0394 83.1575 null]
->> endobj
-2784 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F22 973 0 R /F41 1233 0 R /F53 1328 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2800 0 obj <<
-/Length 1123      
-/Filter /FlateDecode
->>
-stream
-xÚ¥WMoÛ8½ûWè(Ëo‰Ø““8EãdcX Ûƒl1¶°–äZr‹ì¯ß¡H)’-»‡E€�"gÞ<Î�4ñ0üOH$U^¨8˜o•�°·†¹»q˜ 
]ÔÕbôù–…žBJRé-Þ:¶"„£ˆx‹ä›…(Gc0�ýÙ|zÍî'óûq@IȘ?y~žÎnþ‚o�
	0ŒýÇÉìuòÕŽ=�õ'wÓùøûâËhºh9uyÌ¡£oß±—
- w†
-	‘@«c¢¦ÅÉÐþ4(Ã*/õŠmârch}¾�
-…81È2ÞVã@ÂÅÛu±O«MŸDøi¥÷q•yi§“"‹ÓÜÚëë4&!XÖ†o¦óë—‡çÅÃÓ¬]ôA{
d�â„ñ¥´åX�BÇw­sÃK+ʈ維³Ðt©_›©—q©Û-.¶M©+7þfµë‰¿‹÷q¦!úR—aæ/6iiQ«ÆÝRÛöÐ:¨
-Û®6zõ�ÚhŽ4­hÈÏx›&iõnK¢æ!p˺û1‰|½*ê6)í`šÛ6¶M™®óš
ôÿ-r�†ö÷7fòr÷ú8�-N«Ï%œPÉPŠËYÙE5Årš•-ªÍµ#§!E!£¿qÚ€œv3%�;rºØh§U�馷«%-~¦I£]½{¦mÀ.‰D§,ÐY½$†Z�äoôê .èÕ õ�Š<òL0A‚rvÙu‹ðÝ•
Ž=!ûÎ'¾~~È–zoú’/IWp&äk;gÕ‚	§uÔ
-8çþõaoó8¯¶ïG«Š¼*»]±¯êÝ6g?ß êŠ2g–¤_Q®vŽ|S°¦�ßOò	ú”ù¿6éjÓŸv
¿æsùnÛš¡é4Á›>ùZú+8õ�ƒÈÌüM)'æ_ßxkÅÆizp\¼¶¶õ°çî‡a‚tɘºª�k
ׇ¼žOCØF¥ì­y!
;¨iØ ¡ÎMpäZ)	^vÝ€\÷³�£ˆÑ¾ë¶xÛ4윕qç'Њ·N¯4ÓåÙ:.7ÅaëÊ}éfwzjg:9+*‡3…`Ê/‹ÚE�µE™È>®Óž P±’¨ËnЀۮ Jš§í»muþ­¸pßõÏÁeG>§ÎÉ­Ïê}eýËe>�Ú•“¯ó'»ä³÷þÕÃìÆâ•[–diž–$\S/úM»3dåh=Æù
výô­@d„¨”Ò=>
0
-"ÄÐÛƒÀCW‡Ö�Ž¸:Òaòº¸z°x$ÀCÅ•kw1ÍßËJg.‡¯¡ààPLÙ¹g284oÛ�Á-Ãÿý„þø�ÀCÄ¢ˆg
”-ô)‰øi]¹Çö)÷ÿ
-endobj
-2799 0 obj <<
-/Type /Page
-/Contents 2800 0 R
-/Resources 2798 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2760 0 R
->> endobj
-2801 0 obj <<
-/D [2799 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2802 0 obj <<
-/D [2799 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-2803 0 obj <<
-/D [2799 0 R /XYZ 56.6929 692.3565 null]
->> endobj
-2804 0 obj <<
-/D [2799 0 R /XYZ 56.6929 620.3493 null]
->> endobj
-2805 0 obj <<
-/D [2799 0 R /XYZ 56.6929 434.768 null]
->> endobj
-2806 0 obj <<
-/D [2799 0 R /XYZ 56.6929 374.716 null]
->> endobj
-2798 0 obj <<
-/Font << /F37 1038 0 R /F21 950 0 R /F41 1233 0 R /F53 1328 0 R /F22 973 0 R /F39 1173 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2099 0 obj
-[942 0 R /Fit]
-endobj
-1935 0 obj
-[942 0 R /Fit]
-endobj
-1604 0 obj
-[942 0 R /Fit]
-endobj
-2807 0 obj <<
-/Type /Encoding
-/Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
->> endobj
-2126 0 obj <<
-/Length1 1628
-/Length2 8040
-/Length3 532
-/Length 8905      
-/Filter /FlateDecode
->>
-stream
-xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?�³?½¿w¾Ìÿ^×Z׺î7�¶‡Œ5Ü
-¬‡¹rðpr‹t�´�P(ÐWç�…C­
�f
L9g0ЇÉ]Á¢
-Äü{fXE
-0Üú÷äè¹aÖ�ÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{x�Âœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
-rn­�êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
-b¬Å7ÎßÊçÏVð™h9�Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇ�î)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–Âw�Í<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
-~"ÅVöè=”Žòíí`õ§ï3t;k‡–Bf?õ[¼„Y®¤¾ša£„+gl’ft]ÎB‚²w3ë‹,£ªˆôkêyô’­úÅ>¡ï„móW¯µrÅý¼0Ï”dË#»§BŠ¸ÝUJàžuÕñÆIÍôaòÔã·×¸§™	žL¦€Ädô<­cË-8àÒ—£t‰Äº4ú£|©D„¡¹šŒ]¸ãÏßE¯¡>ÓR·9xyôöŽ[Ìï`º~ͲûDœ¨'ˆº5e[-0GMÓ=KÊÊJþ&â&’PøS¤8ëãin,õ	2PU«r`ZÅÄí¢v8Q—ÁèÍ	×ë¯oã»o[�2ÝO2Ó¾Ðm/Ÿß×Y¿üìvV¹"_=5Ó›é�¶è áaÖ™7þv|g	“y×&"YæЖ(¾+ÐMoûÁ|°>›à¦±vZÎI ÏW´Ä%�^‘›üˆ¯­Ú]Ö%½ZÆÁ_Ï@ÄR�dçÒÄ9è©‚†õ‘kã�C¾¥HzõOlnÕž
ÝÍà™>{óbÙ7U^|ä-)G?
-8òÞ¼x“mì¾%ÿjã=!•š[žž;[#ÆŠ™éJ©/A%Ñv–µû`éióöí؜njP~^z•çQ•7˜¿\扯â	ÈÛ.|âùúÁèéá™
-¸È÷»Œq„z`²\F棖ûEœ!~õT¦¾\Ž'4/ýCîe–7,î9tãÒ¾Â1¦’·IM^y/¢˜kIm;˜¨½}O«•oÐHâ•¡Ç6—]í
7ôh`†J­TÂcweófœkÔ­—ÕRÐÓ(9%�Ö¯c
-Ó·_Ü€¡èüêr_7ýGmÔ&œÐ‰lÞÆŽ
-Kê#�TðÖ†§øñÞ¿šûDE&ñžËœ^QH¶!’Þ»¸>àáÉà̹ç$ÚxþF`Š×Í4IŽ@N@ÒÖ>_9²J¾ÃEúOê
-uÿ'¢µ?s_¯Ð‡öÿŠ˜'u
-BêH—‚?ý
-$O�íœàÅ€DÈ
-¶_O®ð-¡;…®u§uªºXÄ[AŒù××¼^L¹ê=_󱑵ħŠfJ—äÌ;7œ1¾,`_q”�¾´9›Œx•±tþ”
->C{(�©¼Ê°nwð,K
?EÚ7þBq&‚´”jÉ�¸ˆ�·?è¦ú-ŸCØüƒ%¥uXcýøââBïÅ ´;ÁµÜ3höŬ¶÷Ét(‡„šœì :î´cØ¢>:ƒ‚¯úò‚#ÑǤ_VItSÏ$ëŽ`ø~"ÔܲÜr$ŒU–Y7÷“ø?¢ê¹iâ¯ÉqÅõãÏØ�ISª5ñ4Â…èÑb“EÝêÑÑn
›p³ú†-.ä‰ìošå•Hû~B»ÎÂ�î‚T§Z§Ï_)�©OqÓzèß�÷>ë˜Ê;­dpI¡rr1ÛA
-öÝPî2Pw]¶u¢èúä»(£ý/Ž¾ªˆ§þßÜ¿~&æ[1¸Aé-KžÚEО5JÃ÷.føzßwi°h“bLñB³ß6ˆ
-ÃÐÙ²¶©HÈ 9^©�;¢Ìœp»Ãm%{r7E•�€�ÏŒµÂE±…ʨ*o,„óQÞúʭ䦀(ô$íªy{Çgk9©‘�5Â1ª0Û˜F3ŒÛ!s0¸4XàŠú#r¥Æ2á\8nqå°Ãs}䮀„s–è5)q…i¹
C9ad¼¿`u	
^<‰2@´ÄR­×$âƳ—xº>áÈïž¡wdª‡}Té†×ÎÂËõ€Èøt\1Ü~‚9 ÿ½8iaD9©ì"Ð!gÑßqÝùA“ׯøŠ
-»]‚Ä�ÙªAÓ8ﯙÎd@Iî?_ɽŽbÎJÊ8&1ß’bçy·ÌJü®J_ƒ|¡iïÂC®¡L;¡Æ–=x8"ÆÝù\šGd'—®®ðÖ/B¿ÝÞpRÆ'µsñX'MÂÁd;ŸäÕEûtGmý«†g¾ ¿¨öùWí},¾Ï†Ä›tÓk„fªõžÑ »›&�oô/L¿ÇGìü²•âBZmÎOw݉Úñ¼>–¶ü^ÝvšÉŽHk6Œ´­¶DM0¦›}Öda'¨šßo·é˾xWp¼311ïçdϘ9óÅ­Ô§?¯jò>*§¨¦‰Ð:’-+X}7¿$ÏL\œö¦nD™ðì�¡ÉX˜vWŠñ=mç¡|'M}„ç‹çÄ_’øÏ£÷rci%Åës܃ ¨ÄÏ,n±±ˆ" 5Ù½6ìÉ6úQèÒõmŽ¬öó–à+q®Æ�¾ùÃ$ô|Òî]¾öÒñÕäË&�æèñ²€Õ„KfVº”DfƒŒåZóbúä`#öZ·<Ò_Ç÷-¦�ªÏôª
-_˜lg˜¨Î>«ŠTÂ70¡ðW~—ÛC!<ZüòþÅ#(·�3¨bæ:ߨn¢Œè½Ù$ÞÄ‘Îf;®Ì*=ËnÙ†b…ƒ´ÂVE¼Á<öuBgˆÿׯxî×_ò­Ìz—XˆÖ`©Ö4s�iÝÏAí+<¾ŸãÁE.Q˜ÒQqúÖDõ”ÏÓ$`d�lÚ/BŒñY<xŽ%Á„+{æÔ¢´®³N‡­”TøTõ”V3Tj+"}âžÂr}©Xž\L$ÓÇÈš÷ŽEh®Š-x�ù
->_ŽÎr¦x‰|„ŠúNx‡<7M–/&×gaÅj[²Ë±‹4—À¤ÀÖO–|¾1_JSw{ðÐıDÃP~�ÜFY­Yy³]ˆ:¬aÔ_|žjÓM+ý­‚0@îhÅtÙl¿Êgšê…µAbDå·�Ôw¿þ}û�YÕ×iîBÕ*jòýZö˦ÏN’FéT/H
n±úÁÖ“4ÑOEìØœz~Ÿ
Þ88‡á ‹w|q£ªšîFªãÆÇ
-TT>/5—䬽%‰”dðqÚnCÃ%Î4Ã
XDmeß:#ƒU¹Ø•l1~à4±GL§%ÕëEЈ®ìÒ\;ãÛ8Å+§êJZdº×d¡K©¡ZÅIŽf3zV#W•c[Û¡*_-�߈¯Þ­—¶5k
ª€º—,ìd¿»Ìë÷S/úò¢×Ž Nâ)uóÒY~	]ßjÑ×Ù˜fšuž²K,tÊ�÷“\'gy¿÷5­<TÏ4CUMà£Æ�gÿ3Q£8Nð²Ã‰ËzN5\/MØr®]�SÝé}pæ§VD@™:]¬ÔË7>1ÌÈéC•'ÛEÆŒ!…Ù7aVì:ASQ×µ{|ãÇj9YÈ4Ö|m Î·*_íw4ø!D1 ñX¿Ù¤X•³ç
-t�‡Í=žÝbóÆÃwî6ß"£“˵?�”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ�­(e÷åû È
"QÔüFØs(úF�$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“�†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
-ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx�(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?�ÒK áéá@F)Ø,êw÷ó?�È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%
Å~jÉwXjz1�îi´·î¬%uÕ3^¿±g�¸`d+ÎK[ŽDe—„]âò†Yè�ÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·�âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0�ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_�ï‚¿œ%�%½¥åŒìé|°
D>W²7}C–Í#—ZR¸
­$º`bÛGο…a¿9gÝS%\”Á/œîñ�hC|�?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
-üõí+uqfº`Îa‡„°£â,I§ã¯½/‘�˜÷�ÇÝ›Á¤'P6ߢH‚
Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’
¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)�wL=(‚Œ£± L|�)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9Û�B±T¨d>è.<Sâ¢éX3p7«Á~ª"럽Ÿ“lË´ÍÔDQÿfŒ°Ì
-*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
-endobj
-2127 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 67
-/LastChar 85
-/Widths 2808 0 R
-/BaseFont /DOPODV+URWPalladioL-Bold-Slant_167
-/FontDescriptor 2125 0 R
->> endobj
-2125 0 obj <<
-/Ascent 708
-/CapHeight 672
-/Descent -266
-/FontName /DOPODV+URWPalladioL-Bold-Slant_167
-/ItalicAngle -9
-/StemV 123
-/XHeight 471
-/FontBBox [-152 -301 1000 935]
-/Flags 4
-/CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 2126 0 R
->> endobj
-2808 0 obj
-[722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
-endobj
-2112 0 obj <<
-/Length1 1630
-/Length2 6133
-/Length3 532
-/Length 6982      
-/Filter /FlateDecode
->>
-stream
-xÚíVuTÔí¶VA�!¤†n†n”.IéÎ
†˜
f(‘N)én$†�FJ	Á!¤[:%•$.úÝï|g}÷üuÏùë®;kͬ߻Ÿ½Ÿýìø½ki5´8¥¬á–y8ÉÉÃÅ-
-Òy¦§aáèha
…«pJí•�Ž H
-±@Bá0Y$D¤±ÉB¬@¼¼ 
-µµC‚XnxXÙÙ9þ²ür
Yzý‰ÜD" ¶0Ó̓;Äîì�!o(þ×�Zi
Ù@! u
%5‹‚šH
ƒ¸Þ¡áf鵩@­ 0„dw9þq
-³rt³þ%àÆnÿ-ÈÙ~ãátƒÝ�iÀH„•+Ô	ºÉª!+ÿ‡N¤�òWnôÁmn<­áVn¿Jú�ÝÐÜ H(
BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#�¸¡¹áþÕ�¿êýSõÎÎŽ^¿£á¿½þ¡
ŠD@m¸
-ïeë[ă»4fÖ)Æ»'c£»¶*2‡Ìu•ÙÖ£™øM×�E;
-at
-½’•sJÜkŒ"êC3ó®cUÉÙ4eHÎH~0+¾÷ì
-£Šà>	ä>-e™÷CL\¸³Äù¯“7ôwÂI:HÁ®óÚÊüÄR�ö*gTr
éïI(J‹ÕÏÀÒˆª1!øRb’>¹`ÕÕâ1�3W@‰MÔïÒ335,Gƒ÷îÃ'V? 9ZŽfjW]èUªŠÛ¬[ßÑY@ÞCLAíŸjÙÙ*+òæÅõÁÉÏ5~šj�}‰Ûy]ç¼�cñvË‹Bxi9]'±|¤“²w/±2X®‹‚8w^+ÐKºDœ~$ìl‚Ý‚I®J5`žV¯ipw�/�¢6’
-}ˆçãõF´£ögºts£ng]á„Ö|Õ`ˆksÕ8;¾Ï»´²?…&@È™!*¦54[«*/„“¶sÈo?87Æ…ÑS)ê¿{=ܼP‚+»Ñho†lMe$—ü¬NRž3(Þc½4ûô.¨’õ©ë~F�ZBô¾Y5““_ªßþÎhd%\N+œ2‹ÐèÛ�—ˇ)™¼¢{ás9͆·ß¡’½¨™”qá
'N_Φíc%}#0~?3¸¦fSwß2œ]aµo1ŸJ(Ïá®óc¨ƒ~ P ʽ]HϨ}æKU«Ù0¼Q[»SÊvåg à¶"hÉþÄêYá­ÿ/¤g¹iŠWœeM¬”…¨AˇêžÒGªrÌ,ÒÔ‡Øn¹äV¥õ†¡¯ø]mÔÅbüÒ&‹’j´¥‚LsNù£97œ�{xØ4()Ûó’:ÍÕJ QɉÓ4âQx�Ÿ6êw´êú|©:T™$·Ü½Ê·ƒ
-Õý‘–”øц1öã9ã^Ìæ‰ÍDqf
-pR°‚šL�\(<uØÔûÐéV‘‡ᣩ
ež¨ÓE§vìA7nEŸb�ü­¤6ÌÑ
�ä¡ÁDÈ;Cŵ½AŽcήšÏêYcg)äµU4ø&š˜,9D
-V1-S¸`_3ÄÝËú%6BëbØ
r¨Ãt©a*Óغ0ɼ•�uï´ñï¨Î)y©@[gbL¦Ç)Ä?ÊDâÐ÷*éԒꟲGê«àI÷_â‚R§—«·>noߢiŒ!L½<©35¢$2MIÝw™ôäs¢¨bâ<ûVÇ–DT£ì¶"Y \FÉ…Cóuø9�TcÝI¥zÒ³€‚*lõ™s$a`FéúÀµ
(X×Ñ	|
|
-5ÌÄ÷
o榯‰‹ûȯg¥Ï.š%~2Œþ 
Í“ 60×Ò3îeÐiÁeø¬O3KG·l¯„šÊé:ÐgyÐóud6pD‰+v°Ìb¦Nf‹Mh¯Ëaˆ>.`È.kŠI¡iøòØ"ÌS�ˆå0ÙÒ—��ûbûj¹D䧠Éj§×òáøg”Ÿ�V0½Ð
-½c–$îSÓ5¬´0ÏÚEdÊŒ0ƒh(‘©ðñôä‚Iµ±¾»Ú»	:�—2´
Ä!<|^Þ‚X2›/¾5obÿd¬ë¥KºÃw�ƒø‰Õ˜ÞMG0C&ÊØjãž;áÔ+=ÃÜãÍEXr#à�]Cg
"}Yá¾.¶aýìY³ÆIˆ/^Y»}$oί8lU†ø�„=O'aFX²Åï9hRÔ¤[ÞÞ[ù~ˆ[ró—M~“j…<·ÑVG½‹Xî//¨šá‹ÉVà²hÑi·¢·æÉå6I?,·%F\œÖô™–@ê�õ~ø†YýE>eUλGwü^‚}«
2ë$¶Íð‚
-ïcñ•ñZ×™b”[DÌÛ³>Â&Õ—ÂaY
Kê{@”¹¸’QeUSæX6»ð�¯CvòàªÇ£hœ½a¢ª§é›ßôóƒòêªÎ1‡(‡(-Ô±ßV”ÓyCC..&
-®Æã
-7/ƒ[\ÉcçtFqóÍÍhF4®¾¡õz»Bö¯	ÐØóÜE™Œ®
#ôÃëÅš[È
-ŽM®Aµì)ÅŽ¡ArjgWLØ;'·p
-²R
-Øêa³!ß™ŠxW_FÅyë"3Lêû¸Ž>ê‚*8VŠí_ŠÀÊëó<"•{•îÛá[w õ(FïVqQß¼óq–QõvÕ’Tw͇\÷Yd›fÜÞ>ÄO¯Þû9÷aZjümµ=!À›œÝ>ÜüïQ3Ù¹åÔ«^	ü9â@"ñF/h•>þl`|ò\ÕIh=n‚ÜL'¿õkµf9VÒjt‹ƒS~÷Ò¤&ÀŒT�ú'§$à3ã!Ê5vÿÃJ
-ƃ>³ÖÕ;À'uãá`:?Ó+Ôx`ïq–΢vIÀr=
-ȘóiÀù ÿ�K1â	Ýc‡É…ã9áU¦
-ÐíC¡Ówï»ëÉ“º¿Zèp½÷äOô>/¨lÝ4nlŽ°U-oMôÙ“ˆ
o:œ©Í|y„7MT{õ	¯=i3R�ÇVHA9j�Q¾rÁ3ãaÂ3œ´X_¿ÆdhÚ—E/Oö\ìKɬÝO�õš_·—&†÷ê$ÀuæbsAƒytN.`.�šâb™Ê¥܆€ð6é瘯l¾}êÈg|ëwRŠžhXŠs×L84ØGê}	1Y³mgzÑìÅÓŒ$»9ñNh‹Í”ŸâÕ÷ºXsm{Ôg"'H±¨ª®RU\O¹<Š>ÊlSñ"�
-‰ôt.CB±|…—(�z?п)|Æö…›‡8csa4«ªy=~U»+jð*Ì8Ó“«&�ÐÐåÇw?´,IpöÛ7oå¡#½Ëõqw¾}eüJü¢šïUølœ�]Rçm‘LغÂ=Îk¡·ÐóKJ;œu�Y8:B.²åžðŒC\„0&õê®X¨ÕåsÊ;2•©`‡�¬#¿Ê"ÿÿátökä
-¹Ø+`‹ï—Rp 36‚�FŊݹÎ%:b‰»•¯·0Î&SwjÒV‹­C%#N^©Û™KuÓÏy,ÅEŸq&¨ãò8¿ªÊ{DLGÌ8½UTmÚ5leUÍ?6¹6ÞÒ6!-+ÁöŽ·¶¯T(wu9eQ–éáö:Jmš»4
û_}ö~N†ŒÁOkôÚ‹Ö»µ§½Mìð}íîɲư™qÀ�“ë`Á+�–»5�ãéö×­d[%˦×÷[M–ŠÁÃ#ߦT\Ú*wqªÝ¯¢Øg”‰˜÷Õžà�$²dß]Í|®yó9¾è?)ì#�IiwñùŠ€%z :õÔÝ3°ˆKzW†Fc¾òm={‚ú³8uL‚ÂôwÌY«|í»U&›±”n{ÀeóbL=Xûy*áwSYø"FžN†j×'›<ºÚyÍ7Ì4`u¹§h‚Žï›Ô
-M0	V”µ@¦ØRšÁSÇ8${�^™æÒu”œqÿ›ÀÿüŸ °r„X¸"áN®€ÿkdy½endstream
-endobj
-2113 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 66
-/LastChar 78
-/Widths 2809 0 R
-/BaseFont /HTMZKV+URWPalladioL-BoldItal
-/FontDescriptor 2111 0 R
->> endobj
-2111 0 obj <<
-/Ascent 728
-/CapHeight 669
-/Descent -256
-/FontName /HTMZKV+URWPalladioL-BoldItal
-/ItalicAngle -9.9
-/StemV 114
-/XHeight 469
-/FontBBox [-170 -300 1073 935]
-/Flags 4
-/CharSet (/B/D/I/N)
-/FontFile 2112 0 R
->> endobj
-2809 0 obj
-[667 0 778 0 0 0 0 389 0 0 0 0 778 ]
-endobj
-1457 0 obj <<
-/Length1 1199
-/Length2 2269
-/Length3 544
-/Length 3058      
-/Filter /FlateDecode
->>
-stream
-xÚíWi<”k�2e$"ËA<daÌØ)ûØ:a4v*cæ™1Œf±oÅÉV–É’#[‘6[¢Å„ÈJE©h±d‰N½�ê=½}{¿½¿÷y><÷}ý¯ë]×ÿ¾î�‚,§fJ¤{ƒ–tK
�D
-
‚0tÛ¤±pì€
-™(B‹ �JXÍQX�4�
N\õÅ’ðD
-kµm
-$@�…ªÿJC?=˜þKˆD¡×Ú#²Ô�h”@6hƒù;
-…P«ï÷Õ~èp‰t5ô‡»ÞÔ÷îµt·³VùUÿß=ÍÌè­ZWPÓÐÓÐh¨O}mÍŸY¿ëñM‹5+Où»VÔJ‰èm	Òò[[A ƒ	Í*€XmeàŸüvt…
-ïO¡†þ"îgGðë…ø›îgø+»)�L
5´ÆW#…iI	
‰X
-‹àóuv¾ÉM\»  –Τ¬^q(DýæèC!øÑ@&:”5¤JjA#ЉÀ± Å3ˆß
«0�Í`@:­�ûmO¢@%‚`H€
Ð	»ûÖnXºh*¬öâ¾f«ŽÓ¶Œ<™Ê5Žän±÷;/©U0¯—™‡Á¶ûUy¬·]Ï•�&i‘¬ì§oÖˆÜ($/Äm�(ñyi·�ÁæéMˆîT«Dú1ñìü×æ¡w¬ßË–/¸)™w
-áè"ÑÛ—Ü_¾
-´‡IJ—UòÚ¿PÖ]Ž}goM�r0€õqš0(ßØ#Ù|{n\yðQi�;ß•7‹Â•�B^ý·Ìøµ£û¬à¬šioI·óºM�74–}ÊêIË9
EÚ{4÷Œ¨v]rA$¿�m2S9µí"ûåñ8×Cår-Å‘eÅïšKt^VV@¿P”~¸Ò|¤™_h¨±™G:P½/Ö¹ŠÛ´&,™Eb´w›.›e#5pÙÎyž?-ý!;(mâ+›×aÙ–Ú&ϼæeuG\y'qÔø–jnϳ)×í¶›æyo¸á¶MÊ
èº,ØL”‘
º~§B…(¹%¾¤}âË�’#ÞÊ–¬“1|é,‘Ÿ(×^S{ª¹-'lV¼ñðg>á�Ä)7T%¹'ŸÓBœsKüÛ‡»áŸ%Ó¸\v¾Ù¬s<35ÚHtd³̪îfñ$²j«ºŸfež[–z#¡©?ŸPp«E˧k&þ"bªÐYohzß–�Óêúí<ä�FFsPC¯‡×Û±sFgz0èX*–;%eŸð¹8c³ÿÖ®ôÊXúËCó�R__Êmñ
-MS™™<ìyç
‡9ÜutÈ9(¯®¡C&s©z«˜ÆîÏ^®Z®¯�¯f›<G‰ßêze9s7÷ÞщZËŠÎí<Å%±ÇX+zTóÚ„¿“�M!r†?á‰JRšÕáêP˜*Jy˜/~}“ŽÅ¢{=_áÀ½#–g?‚â¯ÀJ\§½Yª—$쩇Ÿ±Rk‰êý}¤£Ž#¶£ÛB¥4æ$D2ÔŒDƒU·t­tûn,�“˜\9ÆT¾éV-»Ì)ûëÙ‘S¦Ú=,ÉGµ$Ѩ÷›í-Øù¥dƒŒç®Jî¢Èp—/ýèE„Î;�f´zÙf©1—•Å´Úš­µÂÁð×/
,ëhBÎ%yI
üù§¬í°•„í¨{5Ø@7ѺsÅzNyrx$Ææ®÷bo
ó³D_ôF¤/� }ÐŒÊ+K|÷!.<Ö}˺-.W·ÊÁ)ùzï&ãT}+ï
-Ë90RŠå	gýö|ãÍ\	«4p’>x.É’ê�jwO��Ë<
-6qVI¢Ï±¬å;Ä6\Õ.B_·‹y¦¯å°üÂt®h%…�8¿2~ÀS°ÐÌ »71\"®*Ÿ&¬¼¯íƒñÞ‰ytËgWúQÒDª×w¿Pè³ÊëE鞸Ê$�W-—鸛'¤¢ï”
-ŠŸÚÍ‘ymÕ"ÈXŸ£u´]ê‹‹ôÄcÔÂÆ��n·Úôðï½Þâ;ªÖl›†’/0åw½Ì«JñF9
-›½´ô­š‡ÖÕ/,¨Ï×
-Mw=h–%µe‹ã¼
ñÁö|nVþ:A.Ïá­Ï¥¼)îÝnzíFêÏŒ›ü%¾ì|PÄôz7''«f5/F9$Ö¯îl«ˆ·p~|AèÁljŽüÒi9þxi¢Ó·Ûme´v½l÷ÓÒqåˆsDT`CQidÏ!'ï�Ž±K¨óìš�Od÷2ÒR¶“QO±ÊL’	"k†T”}>p�‘äõE¬´Î[ŸªœÒ¢DÆ®=>»­¿øò‘/Ùï¯Ò¤ºèçExBΕïmcD¾>�ÒËïуÏÆ¿Œ
-.»§¥3) /=™$dlCäÞ™ÇlãÝl)”4 N%8H$ý>ý6ßœ[ Y¬+®×ªáú+œõ–¥MÝ}7vø�ˆžµäŸ,wÈÇO{Mu1ç’òE¹b1éÊzŒˆª¬ŒÛûêøþ*÷u¥¾æã;ç
-£ÕòLŒi’ÓZ…ŒDÑvÁ‘�“£ò¹X²cµ¼_Á¶…ª­‘†ŽJ÷C6‘·¦O¦šP2�ãg�ûŠ¹=gÖŸYææqq¬üŒ¸¨ðÉã1¤õ‚hW)V ºà^¾#Yå/æ³gY­'pÃIË„ÓAÒ>�Dé^éõ ÷+^)ä7Ú/coÚ‘VÊ{{oP6…§¿ Cõ_>ðÿüO¨ žÁ¢ûã~ðpÈ„~(WÿÍàÿÙ@«endstream
-endobj
-1458 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 97
-/LastChar 110
-/Widths 2810 0 R
-/BaseFont /LLFZNH+NimbusSanL-ReguItal
-/FontDescriptor 1456 0 R
->> endobj
-1456 0 obj <<
-/Ascent 712
-/CapHeight 712
-/Descent -213
-/FontName /LLFZNH+NimbusSanL-ReguItal
-/ItalicAngle -12
-/StemV 88
-/XHeight 523
-/FontBBox [-178 -284 1108 953]
-/Flags 4
-/CharSet (/a/c/n)
-/FontFile 1457 0 R
->> endobj
-2810 0 obj
-[556 0 500 0 0 0 0 0 0 0 0 0 0 556 ]
-endobj
-1381 0 obj <<
-/Length1 1608
-/Length2 7939
-/Length3 532
-/Length 8789      
-/Filter /FlateDecode
->>
-stream
-xÚívgPTݶ-HPPÉ™&çÐÉ™–œƒº�–††î&K�(HÎQÉH�’sÎ 9#$ˆ€øÐïžsn}ïüº÷üzõvÕ®ÚkιÆsŽ¹VmVF-]^Yª„p@óùž4`ö–Î(]°ƒ¯
ÜEXYå‘P0†pP
-G8ÚCзÿã�ºP(
-�²BÂÑ€Û¬Z
-JñDÛ‚Ñ¿s£`·n
-œ6B†Nš
Vµúz9S,nq2BÙYÒ_+Ÿ¦Þsà›`n'.@b%iî§ZüwœJ¯îsúð{^¥’¸úC�HW—Z“èŒÁv,!ieí1«¥O˜–©í[�oF‹£‡y‚öƒÛ¢Aùx@”SÜeMIƒZ|
-úˆJý€•<.%sõJŽÅ?ANïÝy¯2}oÁ[+B”z1’áž ‚`Ïtf�¶¢tÈwŒ°ÏŽ·xÀ©þ™Ììè)‰ë�{çqéœÅâêsn¹ÁâÑÈ!áLâ|®Å–êjÙµXùPüðáæN…:ÍâŸiËÉ#V
-.¡Þ&ä±.­µÙ:á%%¯ÆƒÀ+Ùì£àrÒôdxå	~åj}vøñÅ
-E“õî
÷*\ÔíÀ5´Êµ³nÝ¥¿ìv°¦Õ°“@<˜ÐÀÁæ„|º‡¹Uº–ÒSCö¡•Z„þîýÐ�ni¯0q¡~‘
-5¿Õ¬g-Í=¥á`8Z4~  iN6ý”@}!ôk °)„COÊ,”úP¹EÞ}/šòÜ:o«4QßФháôBlågË”O„á�1
QÏ—�=GÖíÎ2‹$ö"Ä‚B5GmÞœ!k�Ê€ÅÁFþ9¡Ë+TdùGô“Àû"6®ld&Zíeí{4BQãÛ£x­æ
-Çžó,g½Ã!‰âŒOòpÓª¥øℱ—ê¨,«镨’/+U²ðN\ú_øHîÙ;š2™´@r•zPÆœ±¹ú™5¿,Oì°v^=³ŽÐŽrûÊ`ÉØÒ�d±‡U”£'„/,&z‰â£óõ�¾Ôá­�ÌÚ_'z8ƒ^»‚!OUáö:§˜VeÞö¨|BVvÔ0ó+·–0ûÖÓ¶Ú,V¿š J,â^´S´+�kNï¯s¥8¡ËÐ	f´“[„wO¹¹Ržáè�.ÁFFM„l-¿?®f$i½*Z§g´É-@$ˆð‰´…G©3ªV;eW„ôÆw�œÃðÇkÝüÓï«Ï0¾B¸9lZàâèàø3x?Üßj¼¼ß· E=_a^ñêu(ýv
--gھ蟖¤§I„²kZKéä”ð
-›û,¥ñ­º“ÛýÙU@žXÒÖrÝ}Â;´w`D­.à™Œ«ž¥ÅÇ3\™»ølð­…Ébñƒ¥‚U³¢ÌöMÌœÞÎÛJ”…¶WkÓhý� j¢’«qµD¹Kz瑳�³B|óG\Caî+þ¹*Ê�Û~¡ñ¥ÎGÙ§}–ΪJæÄäû§	W÷�HíÚ>ÛÀaòœúò4ó	üN$ÕYYšžÇï_œ••W+vqƒÛSš:±	0ZÌ©„›a‚â[‹”%sˆ{¬Þd?zä­7~ÞÛsý3M{öž�i17Í
Ö‚\"éýGeã3mì7
-Kygm/®SÉçÍ�Ä\ÊqÈbO;z¸‰ð«-4'¤§€+k=ž~(6¸hLìÈÒúô<6»¯´yjÊ^"þxNLÝ�°Ç%3jz˾‘e2 ÃÏfĺEÎ>_žÝ(¸š¤²uy•“®ƒ›{!Þ4l"ùíóQtñÚIÝE°ºÙu²¯‡Ån¹¹�ÄùÂGˈÃÄ ›
-?y“w¾G$ÜË×ß™‹<Ê™2ãtÏ¢Þ}ÿ†­@´yIGbc‚²Kê�·HŸ|ëÖ	
x°–Ñx½Ùþ2—€_M”+�=‘Û~d˜„“•/tŸ†ò³vLFd*°Ä¾ù±b«&}¢¥çË/à¥2?‘©"B¾,|BÊ1û楛æŽÈkf�}°¿Åø«þŒ„g“IÆÞyã8‚©.Ͳ�mhïF`”ÜN‚”ƺʨjÊéž=wþ¼æuußÆ?ÀTÓˆ½~.%º�·�2¢_½¥’()“�5”ôe-èÍÜhxlšŒS+é\d®ýÞ¢Ïd=ºñ�bfýFÇO¹!3‚"Ž±6÷'íjCœ´¾X‰Œ]Š*ÅÂBùwK‡õiŽ€hn"d²¦…Œ·âg쎓š™Îë`ÎÓp¦»²'UJfaþ»f[Ĉ]ˆ•á®þÍ�z´&—À$ñZ�¼¡®i¾—fG‹LßÇzbÕû\dÊÅï격|X“Ý\sÉ•ŠØÊ+¾ÿfÜŸ
|>„%ýHÎÌÚ`=6"æ’P«ô9#Ñ\Ó#3z-Rô|%ñ¨$¾Gc^¤‹M]÷²³Ôú{'¢_ýDÊû1�éÍ*õ,θÈêÝþ²â³Gƒg¸LMa2B Æ»é»*+M[TÏ•´lm§2!ž7V¦�Ôˆ·nŠæ‘’¸†pj7ŒÙ>ò"$›XêÐ:{—­¶^˜u^9Ì’„‡DW¬9%%^ÑËå�,W0ß²¦ÜÝ™ZÒ×ý/õ{øúÆ>²Ý” à/"ŽDkúmù0§_ì>WTxìÑéƹœ ‹›��
-zƒ½Ê-%¯Oà¸L5�“‡û’ªV�,î½øÊáÃz‡>ò&ïw¼´rY6Ç—ÆJwŽGƒ±Â*ÜA5ƒ
-ëšSùSÕi…Ÿ*z~Öå{OrÛÎâ¿z»—­’M®læ|Pû„î"‡ãüi®WêæˆOâ›Ð'ñëgÏbíbœŒÉQùb³	3.ã…ñk›ÌBd¬ilüÖw_ãcÂŒ´¾,ã
Ž
-¢&tG�÷ü©Ï¾2¤ûôþÌÓ(v'«.Š
-òôÿÑü0�íû�¾€Žˆtß
-sožbrÌûvE	²ÁÅ/ÍWRÙu/w¦ØÒÕÛïòxœ‘h<L�šøÖ‘píÇâa
®”Y
-Kqh|>6œÊ³(æÀ’ßë.
-	a‰ñµoWkrŸÔgÔÅÖº›Ð˜wÜ6îÂÞN¾Ùö
i±	XüÐ~ýÅ´á´ÙÞVóÞ³6÷³Ý>EŽ
-‹^±Šî±nl#šñ�‰65%,ç_°Oê”+µNý%Ùz¯>W7¶]•fzã}A}H›ÎÀSÝÀ~ƒQrNÉ)îs�¬þr]
Lf¸á“
-<á¼ØËûò
Aê)¡³k¯×ývuSøGlVªs#Nu¥¬·OŠE•?.j?øÿ©ÓwGä“øݺ23oªkvSÛë>Ñ=¶ Ðz¸^"èÁ8¡-òo*N¡žº3Xl‰eÓk‹þœ%¿_>
-Ý‘o•�~~æHj¦ä=ß‚§§Øç÷üÁ4fA|Nç“ž@íD2ÏJªÏ	ªßãfœêvæ_ïùQÎ`œTäUí`­Ø
@–�¶Y™i"Çø¡Ñ=¸M×g•Õ´1�š:Uпƒfèò©�ü¢hçˆ		Šl`‡N¤·èç«s¼„klbhL˜:g6(皊…KQ}ÈÞ]Ÿjƒ+�ÅÁ7„,IL$¥<³	
Àãyª1ÕÓ¬^Ubó¥s¼=õ¤¯æ-_ãº"/·ÒøìX¸¶å¤)"<XŠxÜ*%Å•€,Kß‹?¯‘¬’ÿ„Ç#8,Gi§ñ
-D¯°4Õ4øO‰h§ª‚Ã*÷)É›%ŠØb~ø-GÈs“I»øN��à9-ŽSqÈÓºD
{Ú½S\pzùÃuyjD¡«†k!ÈÅ¡ùð4yªQemˆÿÉX‡Fiomß­¿»jÑÄŒŸ*�m—­´Ã”8Fèc…ךÆàAÔÉÜî°’Z¼5è篫a¸”dñF~²á)ž!“F³ò±Ëâ7£gªØjB}X€‰/‘'™“š"ZtÍCöEqË’¼R7ö¿Õð®ÒÂö@.)¨F…t ‘½uŸ¬®%Qò«§µEp˜Çd€™ÑÛkï#ÝýFø‡‰0A³KE*3Æ€F ‚é®0BÖLqÄ`nÿ‚Š%P爉䅟Ú�*›X‹²Å·jÔi÷b¶‹ôRáó"¿¬žû6vTZRœÌ°T3Séèv\ã«%øÜýI¯”Þ¯é¡ëæ®ZÖ·mpßú”Qn?ø&�Å—�Â#Ôߟ›ì}ÅÀ^í° ª"Á"çt{RH:†×¼woŽ¸ÏhFO°™§éç€oÊC£B÷~”…�
- sœçã¸!q?Oƒ¶•G¯îW̳ŒÔ)HænÉøoÌF–A£Êå{Ç‘æä8£jýäUu;W�+Aà¢ï
óÇ;X;{¥ð”ÇÎwÆ}x"
�Æš=×N¿nc}&±Éy[µ~œ ¿öµh¨»š«¢³ñ©"Ì‹üEmÊ`;µ
-Lj
-â³ß
-�Ì Q=w¾�?‰¦6ª~û�á¤àõd‰xW/aéÒÛ‹†Cú\»UÒâàfÒ~…¶‡Í
-¤´HNú2HBÃ8—GÂ+zq(6|£}h`wŽXn‘ÉÖ­\ƒd0ÖŸ9yEúQ§lõ8þ4»G“‘Èh(1›‚#Tšl8ùñ\^ß/Jö\¥H§¼¿Õž‹r2Σ}‰RÕ»Y€|áCžÓ|ƒi
xCªݪÌZ-›Çð0ÜJLÕ—D9dkùåΞ‹üÀu!!‘}U?³9Ü«eŒ�iÒ�F̦ì½Äõ–çwNRi¸Ž
~ÑqÂzÊ—�eh)¶M#±M¤µ.?¶%aÿ5ßóÀ€L]t“ö´ƒÓÈÙ‹CM³S­ê£²lµ^÷³²Ú�fÉÔë'7±‹÷bqÛG2®K œ¾’j…Ã×?“	vœ:Û¤~í^~ŒÓ}ü>[6ï¥Ô‘Uïi!~£óú“á{±±?Gywuîj>S–µ¿ƒÆçò8CëD?¯‹{ÇéëˆLŠ"X?
¹ÒPÌ­ÔÜìô|�/*_6fñfw
-=ÂRŸó>ÍjóðÔv)Ùyÿ¹[G¼Ü5)­…ðwÃä¼Ar«òqsV
-…üЦ^o{<´p–…p¤(„¬Ý¡òž#%
-o–›�.%�§ª¿ƒàêÕÎ*4Z®÷„&§xás=G‡ü<ṼǕoÜRŠÂò7ð|lä”güâ(l€Â(Ù‘(8Å|)ÿ¿w
Æô/þQL™�uG«ØâÐÏœÎÎ~N*{cÀt(û6HÝB=viˆÀ%ŒÐ/ÌÐà>^P䶊ŧ¡¯ÕrȈ=ÂÆé2¾ldÔD4“kêœÐw§3\Wd†@$B}�vÓmwÝK&à#ýÁ?¡e6êœÿ¸¥*IÖÔ*Àií¨²Q„É¿åAFÜd@+íy‡íj¡×Ré­¬üž±àV{ñ)„ÓÜy¸KþÍç*ï¬%3Ã6ÄÐqO®Vî�z
-Pdž·ÕŽÝKcì" ÂñקÃ߸Ð|÷”:
úaAÞffñ~þµGµ³+ì�Mk{çg1Û»tîO±¶)0ÞÊœ<vŸj5Uq"¯}h‘ïÎ[
ã^ý­ŒwXcsÝX YVW³Zxg/ÁÍ&YÜÔŠþ6¾ÿ„×ÔĈäUu&S·+0›Ý)§LI4îÄR°v�ò[_•(�ÉëOJ¼‡ŽÛXÄbÉÛú󅟃HÙ¾üª½[!+ØÑ™õd­¶¶¹c
¡µìÉŠaüð L²ëb_Àå¦RnMúY6F¿ÅýíÕ<úx*¸÷â&?ñiÛJÌ¤éŠ Žô·Î±¯‰Ò%§¤+Žpñýïê=Ú02á=o �!“®…-‰NØ ží2_Ûš,l|%ÕvW”v¨q$M1‘]–OmÍöèÂg®eÝ/Ý»ÈÔß1x±]Ô'ÎÝíÎ<±úa’'0x{&¿µx¯ùí©wÏ.o†l¬AÁ +Øο>Ú²Ê�.ÔZlvp‡k³g¤…æ[FMI�Á‹£÷0�ê¹³ÕvœøæhPKò´	ûäx´!vyÚ³×eœï?uúfK¿ŠÈ+>ªX'·[ò&&ÇŒÈSm"~Ê�\mŸ$¯GÊ-ˆýJo%ÛÞêdyž†õJ-»Û¼`~DÒ]FB´§�Aäû¹xx²Ãò`}fZ%±ÆÈr™6³Á‡å_Êf
-í&2�PƒóuíIŸ[^|uÊàïíŽl«0x¦ŸøpÙ(ÈÅ%mé
…ÆÃð½/�¯±sqØo
-ŠÉËQfþNÒú�ðÄCzòÛgêg_åD6ºq¸I“ª¸ÊFØ2Ëv­Ö¦™˜¤Pé¿g¦Uu䂱~Õ#ÉUz$¼
-ÇHÄ•vËÕ$«x-‘–ß™š¦#{eöòÓ`ÐhšDŸâ°º ë«×^9ÁB0¤ñ뫽‡í»˜m×ÖÜ¢Ò	¯-‘+ÖŒ!ÇBPŸÕvî¦è	·?§¡ºƒ¼E^$‡ý…’*O*n˜.—Çw2wÏ5N¨°xNÂø,†éõG#ËÕ€ª“ŸêÅUOr3~\Å�[kÒ¸!9×0ϵ
-CÝ_‹{™éÉYŠúð["šgì2eàß$‹îy;Þ;Ú
-_ƒ
ÃižòÆv==·%!Ãd2KVûBàùü€ÿ'
-endobj
-1382 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 36
-/LastChar 121
-/Widths 2811 0 R
-/BaseFont /IFQNBV+NimbusSanL-Bold
-/FontDescriptor 1380 0 R
->> endobj
-1380 0 obj <<
-/Ascent 722
-/CapHeight 722
-/Descent -217
-/FontName /IFQNBV+NimbusSanL-Bold
-/ItalicAngle 0
-/StemV 141
-/XHeight 532
-/FontBBox [-173 -307 1003 949]
-/Flags 4
-/CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
-/FontFile 1381 0 R
->> endobj
-2811 0 obj
-[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
-endobj
-1378 0 obj <<
-/Length1 1166
-/Length2 8911
-/Length3 544
-/Length 9724      
-/Filter /FlateDecode
->>
-stream
-xÚízU\\kö%‚»înA‚»»;PHî®!x 8îîîîîÁƒ<$ýý¿ÝÓ·{žæm~Sõp¾o­}ÖÞ{}ûœz)
-U
1Kˆ9Pveá`e
-„8
-l)
qøCÀùÏ$AÎ@‹×¦¼Øþî›â
öùØ
-¶ü³%K7G6-0ÈÉ
('ù?Á¯ò¿0k +€‡�“�Ÿ�
-q
ýñ$X8x8þÆiÚ€,ìÀ@—׳ø“‚-ÿ–R
-l
±�­
®¯SiælùOàÚÂÍÙùÕž?èõÞ¿öV ×�@O òÊ"ÄB0Ô¶6´ý¡ZŒØƒe’«�Wëî·97rŒ=ô7V˜^e»bîÜÛwŸ³$UÇl„+
`•`¡Ã㉥bø<ìøÅ;X°°Ã°`d#‰NYë„”P/駯Øûˆ¢	R¾Kx
Ê^P”ÝéÑKL`i„CpHô�œTà‰ÉÊò+�TŽøñž‚ÏUdíýÕàçG:%Ùmƒ#RPä»géäõQOï±+:°LûÅÑxæÃe�]k/͉õJø:'º8ŸlJÛ¬žªGóy乌טò
Q�K6‡
Ñ+íLvþ˜ð‰Å16(ÎñkX„Éßš†+…¨pœº–QÄ´Ôß^î)RêÔ[W,,¨Þ‘õÉ»ãp%n×)iuGYÖÇš�Ï€ñZ¬Õˆv4¹›îµ:®uľõ­«G�ZýÖ:„<=Ÿ@‡ª˜yÝ—l:G�BÎÚOAs½À:rÁUuiw™ª�¨,w‘ʽVç±ÌwZ6ç]ºš½žWßÆe͹�„縤h£öÙ�8âØYWÑtÔ¸c}ü5æ?°5&Jt”ùËÞ
¨—OÉËÛò�ÁHÌîZ‚pr_‘\OœÅ±„4šß²~òIÝbâí‡�y"ûÊ“¬4ò�ŽZ¦¿;‚Àždz™RÑ�t[^cíÆ=ðàæ÷Ÿ‘øÜÏ•ä
=X}§^ÍóâÓÌ:Ë;}ß%[µ, ýÉЛ>µÞܱ^4AXç%ä#¬wÛ±�W:eÅNã¥S¶SÈ“�Hf÷Ö�ϦŠKuP·}.óF!Ö§•"k¯“/ågö«ÉФÁ
- ê2³Õ°"Ý ÝkÇÃñJ
-¬°PÙÜHy�COÍbñ¶ªß+óN)$Ñd®å]�šU$浈—DÚ!΢ê퉆‘´dGGü4Éøp«lУ³LdÒîJÒ-¹¢TÓÞœl-t=ª²ÃlÌš2iΊÚÞÝÿåOóáQDWX™
¼ åßSͦ¶ ðå«xÂAÄ�¢<ÄQ“IÔ/‚ŸÅe8XW…4XÞO¼ŒiÿÞä]óÓ̇ô+ö`dsaÄÝ´6âÄê�Òú6�këás‹ƒÉضÇÇ8–²"‹½ö6~r_¢¾;cç˜Oü$µytégÿ¬žñé¼ôˆøy!æ“_;ædx–Vªÿ`©«m%sÝ8Kçïˆ&êîvp§ ï�fæZJÛãåªxfÉ°E#ƒb˜&Zazé{_¼ÚH☦τÎ{KÙu¤®€ë™IJSÆÊ=x4ÆŽ:äAºýá�£,ñ‹iÃ01bT2l$qm®JþïiÏ`—Õü@;å³v{"•X”IAÖ¼Á~ر*ŠexATöxšÛX'
ˆè.m;�„E…ÛC·ù¦_ëÔmÆã±ݤV¾¨Ñ]V$Ë:\îøCت2™Gƒ»1
­– dT4�ûp+p�˜®s,JÞÆG‹Lúí¢“¨.Ó¸¥-¯¡†�“7Ã}‹?ñýˆ²K*Þ@P¿5ðä±Ýçr
tWïËßSzy×SìX…»|Û;PRàFá/x˜ìbúðYM¤+#d!&»À¸&æ*IË�¶	‘U‘ëQ2ÛañáË5�Z#ЛÞöWLAjÔÙ¯é>��@“"˜»põ‚Öã;$8¿†²NXæÜG°ìVFPüãï§�3‹!ao|n›ôØ\–`Ä9Ù©¦Y"]°Ý1I`¡ØQ²¯ô9WfD$ë%bJ=ÓBM·–Еõ„|}GC¶;%ýkȃ_Â[]Õ¸QJ•)MÓ?¡×(ür ~é9[m;3l }“}Æp%g�ˤ¿!ríS-Q‡‰<
=•]»Å©É¤LˆógψæÌþÍ)j‡Ÿm‹{¢R××ãÑQædÙœNæ<#C=$V㙃gú±rÃÜ+…>ºJäå28´(”ø±ºød•Ø²3/
áUF�IÏú€�.Cw'S»Ռ۠ŽjXPKbæøÃ[HS>õ@‘z¾‡˜„Œ1>ÎYçÑ>ÅÊSÞ³Sh¥£#ʱ¸Ëú;!á·	0/xßydÉPPÜÞ_Àê$…´2¡V]Ò.�)„îÅw™é
"E2øNÙ‡cO4	µ[àÖH¡¾ 
-Яªh0�/Dý-å€ÈŒcæ½]‡KºðÂý!¢½ž¿
ÎÐçê!ù‚nÝÇ
-Å øÓhaeÜ1ºÛôȇ>ì0x;JÛ”�†Ôáz©ò]É”çQÓ
-Ëlå6¹h�èÏû©Ü)s�ýüµéð´ÊçzïüR|Gz”�ñEß@«M†!»0µç‘“þ¢Â5Ï;©Ó÷›|3Òáž4!Âð…ßÄo+Õ{w¸Šý\Wá	)rtÏŠ“¡÷FŸ¯3]¾Лù ËŸ’n´3–?
,õŽzíFÞMÎ_6uÑ‘—‰òµRçW¾J
-}­ØüN²î��é_ßDЄIxúÆfÛ´Âçš‚óX»ÊT¦
-cú»â«Ì;ìãàc B$æàO|‡féã«îèB¹·öÅÓ¶6›$Xu %áIEœŸ·ºÉò%F
-žP4a€�ã¶VØ:!+¤»×¶×î‡ûl´0j;¥÷oŽâVA[…Îá‰`‘Ú1dËíæ;Õ6áŸïÍ&6ò3ÅŽ Þí·³ÕíëJèþ:g×A6ÉÚ›Ò®œtјûSÓ­&‡£sO1Äõ7d%
YIe*sÇ~ö]/ê¬nojÉw«ùèjh~í”®>ŒäXzÖ»Œ¼Q÷R©¬
-)XOAlþ莻ªÇÁCžòšvšÈÊ—\�mKéÂáçÞ7Œƒ;vAʼnš„}¢ûŒ–4Yä-ÅŸ³×{#+Hm
~±s8Ì9µp/¾{Ô.Ï9m«ŸÅ%²2궩xWEGÖg=Ñaœ�‡ý‘*þ3ì[�ã¼"EÉ<˜÷ðê¥pÉJâ‹Zô¹X¤.«‹fÛkV–séGk´#¸ß=ìk×O+n¨A%¶ ¶b§èôÊÆ;Šü$\Ž°èêÂD˜‰Î¸.Jñâ<Y
Ôï�€A׌œË¹/?ÒÊÈ«
brrG Â­ÐìZêÅæ˜Î92¹sJ3JÞ¿iÅŠ9|Œ@”‡Ê	<‰Up‡Eˆ{’`®ÏY•åª�ØÊ£Œß±7­px|$ÚBg¤”l®¹Ñ…�šÏý|
!nâKÜQ
$?õúŤ&ái²ç£×“4èÚ§´ø†ë|.­�8†
׃ò¬WÍÏ,´dUÈJݦ‹04ÞP…M—âåÙ>¬ïFÍ]‘\Jdì?QÞà�Ò!—ÇÚó‰
-eªYÜÕ›«<l Í㟮ùÀŸi÷yû\'-f"e¸ÌB‹4UtêïÔ&üú)ÀGML]§Åš¹c™©ÜÜ–e"I3S4››k`ÈçÕþÀaø•ïDáWʸ)ËüÈÐ¥°»&; ­º1­EnâÇצWÎW_ŽÉs„¥vƒvžhâן2²g+•Ñ¯ú¢IÌÖ{¸æ®¾Õ©í.׊$9Ã]$ƒD3Icc§Ëþ4žZF�W—C™×¯é•Ýƒ¹ÉóD¸_7Ú’ì9›/z¶§ìmZ›ƒñ“¨‘Ð)IOòMq×ð¡Ñ£Œ&Ùñ†*q]O[Å枯ÐÄ£4°Ž4LØO¦šåæm‹Ä
-n²&†°*¼j«€e2x£ŒM}-ZNòCMxOC½…ã¡¡—•¹äå£føæK²2?‚ÀÝo5Ð6CœgÄô,›¤ä’`p
%oL¬9l'…•èa¥—4ïõ>Èâƒ[®Tþ{7†¨@×V@õ�î±9¥ú墑-7!¼çì«=pÕ0:Ý/s¼h	1(šïr’»&Çí4D
-òÊ¢rÈY*caVøõÈ�€ØV¤®M'êÞ1V>?®#n>¿ƒñ—þ«ÉÒ£!SÆ€j–©Nj5J6Dä„oÔ¨µ8廿J¨‡Õ+QiÛz¯éØä-³Ö³Uéh±«û
-ÄU¼\4Èòá
ÜÞ¯Jý¨»}
-ûIøR1\ÏKÌj‚MM ÔÖ[èÛ ã`R°t�žLIþÀbÀrgÎˬ!ÔÆ{qÒrÖ�ðú3<?
€<ÓÞ»#tºI¥}Âþu
5�Pq'žT|Û9<}ù±„K|£ÂZìªB24ý½€·ùž+tEræ¬n¬[t8	šmœc/@=CD˜ùxVúKŒÑ"Õ¥júøý‰Àw� j˜Òú¨`Uá›e|©¹…5F:ŠNÈïÁyLŽ»g[âM!2…òÚÞcÊ«˜+6Mx<Ò…ÓñI‚³[x$g¦°ÞŠ¬,³QV�ûÎëzGË\öí®jÝ«;Ç—“Ío°ˆÄg˶ü,æ0ûD$g7^çZf\‹ÐÛJhÖNžñJY%mÛñ‘”wó8E-7{‹BîRw~_ìZR£ßØu*ò¦�§–aç— ­Ž)
-ʤÕ�"57Ié=JÎüF¦2$hó�®4A³¾H+²|Ç”£Ó
ë-Ó/ëGÅ?¹¬ÌÏ=£tÀŒ/§¥ô‹RÆb³Æÿׄp1¤|ZÍ&6;�CÌ¢ùC/²^úXI=!A]Ñç3ã´Uï/‹H˜-EΰÔ!OÛO˜}
-ðùL,¸_`¥Ég­üT’gMtÊì¹8¦ßwb/17÷à	.ÆHÊ
-E	è3‹$-,¶Æ¾+:̆�µÔeyø¡úSí™»‰È÷?ÎV›ßõw=€ý$ÿï�k~²�o™HŸƒIßÙÉŽX` 
-‡UžSØ,áµàé|=
-g~nM"up^ÅÃÓíÓêè”� ,{!5ÿ8¿UËn
-÷&w?Øú&aÅ/ê?1ê0Öù½ú�ر6é÷&Üþ0†£,Æu;m·uÚä‚úí&º‘ï^C“�u"Ëe_(w´#øÕd5J, ;çaÌ3EßÁ,EÕ–¸™zèBeò³æ:-ÀåøJÜë�¥Óbb½¿j‡%Úˆ!í«û0ê®.>h~÷ycLWÜØɱ¢n©.È£sr´nÕVÆöÍZŒˬ‚²ÔÂUŠÀö|¥¿Î¥åÚþ‹Ç=É7÷N„ V—|¡°ƒw¤¢&닱¿•È�è
ñ}¯ö㳂ÌÅïø^ŽOu”Ï™r•‘¿½Lyk¬«P9~gë(ïòZð틆GªDöž;Nþ¬œo™ÍI¥âÉl᧢åЪ!ÔÞ˜ìb‚uh*²Òˆ&úË'cÔns®~Af=çRhÈâ2,š9tX¥Üä]�œË1Â&Û'©AX™»ãp
…-ζmmˆ¢ðÔýa¨òó=“d£q �!³“NÎ�³
-�>Íýøee‘þ„1~
ž¹Lèdéק�‰˜§òUPG;K‰SH9÷µóO9)ÖÃdøì)Só̇”ùdؾh€vå×
?9kèd¢^—Û1ÊÖ¤Gœ¯¯¢Ö —ü2@vùÈ}˜ÞIæ,h�~‰:ߺ$HÖìgù@ÃÔîO¹Óp*@û8¼ÏÙ©zF64¡Ësó"î@­,íþždb©d\‰œ=ãhŸ#§ˆ‘øíÍ-”Un`ÌÔg­ñ3“HR\»q=éí­pȸ�¤Šø(âög=:À£³¦Ä'ƒ}ÞXºÝ�^ýb©¯-øo¸óÁ‘
-ÌÄŠvu
-˜ȧ„P겄A•]fv/‚Í–~H;ô„¾uoRùxoù}‰�fí0æóÞÕj�[+uñêN†Ã¶¤P!%8¼ÿH|›‘]@^Kl!@^)
<8›Ž·n|,ÝyŠâOÉ6MýZîzq´:}1üä$?ÃÃJž<Žñ èix±ÿ«]×»+é´
UÖzNYTm_~É­m.7�,Db	nuM±ŽÂϺaW! Ó‡gÒx 4*Hzé·<Ì04,%ÿ£ëzŠ¦ˆÕÔg”ó¹f÷é8¶Ñ�éî)¡¸<‚¤ðöù½ã™·t"�ú_9ËÙ؉5|ó»9�Ä×Q§XÍþÔn{2θI™ÕŒg$=A.u‰÷›�ÚjÁ†û…浉MO´�÷	I~b$tdIî~AáB"Ð9ÍÙü97d'ŠÚ
>Šªï7¡1 
¹Q\cHj?רQâX!ó¢KÌó=Â
íCäüë‡]¢U+(}µÌ}‚önB-ý²ä‡¥­pÖã‚–Ÿ8½5üÕ±]‚bɶ[Ò�}ûs~3L±Xw’žrº_o=af—'œ=s‹¸à8Fag£Ð|ýæŸÛ†><¦¥ª˜œ:¨¡Ó”¦ iåSât)Ñ °¢$3ÕnÙþŠÞΖú•·_›GJí¤·Ž\ÑÂ¥T§h¯9´KÕª-ŸÝ²»ñu—©Óe¦IùFÆwòÅ'�3�½=Ê
-™œzŸŠôÍ‚�í ÌN†ÊŒ»*ž;+[åñ­ŸB–{Œ~g+bò¡zü*É	=x¯Îc9GØý}]e ìq§ZŸµ`)¡µ-MêìÒ¯x5«9Ù©s‡(‰žObõÝ@wk›«`må¹£x!WOŸ§LÐ�[óÔ4"–:ëêô—ƒ[°‘»g10Å«š5íÂssÌv³ïÈÌ<S3[‘zÔPE+
é:�ûåÁ«JùéüJøc‚u–¹©¦h½”l~þ·œž.â,>œ¤ObŽÐW½E´«iÚ^7êµÈ�A·ã,»ßô͘O”¥ÍœÓï[§9õÓf¶ô9°åÂ#Ÿ×–6l¦G“š˜Þ1ÊÓdQqÆÞË®sÀ¨„JÉøï}ˆ°Ü,€‘;`aÖ5!€bä¯àbÖl§ÍS*Köì„¢Gµ„î’Ø̯üLXz¨ÈµÌAí!gßÚF÷¤Iè¢MnÞã?µ-§¹éÏʨNm*°ô²èîˆéE1ô+[çD•½Ì‰Ðö|® 
-ÕÛŸX%`z¼Lõƒ™±î¤Þ1{È‘HÓ#ýEENð=’ôGž»‡.>iîS ®Eò€R‰ÁÞâ–ì–.£aÍIÖÛ^š}�²iø/ÕÈ䆪wÅL~4?O¤#V΂ö
OØ�”%';Ãê!“Ü�d·p²…q!oceZ³sbØ�àß
-Ðú‡ä9¬PjK¢!zóÙ!ñHaŸ´Þãïÿ¼£êOß,?€úVÐz¾’¢Œ¤ñ¸gTW-Š«XÑèƒðN¨PÊ94X}chAc~‡^ÅûI8Y½-°Ji¾á.˜<®¯ÇIâšo,¦ÙNì¥#ÊÍ�½ÊûÊàùk¤lùnýh2³ÒþÝu<Aíâ$FŒþ¦ÏD!þ:ƒêj%FDõŠ‚QúPÀ„´èÖ#מbG¡³°ï\ùe%mËf›‘g�'CÕ䦨Ñ)Ê$‰‡x`A%*›H«¶#Ì'å;…p‘ûÚ9ß/iÔ¤N…ï#‰yàE×Óz˜8ƒÄÛ¼êpXe€N®Ñ	†µ§r%ç˜û7¯¼Çé&ï`Foùª’׬ó›}tW™ë',4Ó‘õÊ™‘8‘À`Z*\-šðú[Ü‚J�åÕ®{i!Ux„T
û•ˆ¼‘‡ôm
Ù85û)îÛ¼e¢ý¾KµÔÌ;¨žè{ÜÈ¡¾è{´Ñe¼Žò»~!–±l�˜×R¡^n`žTG�?ÂŽÎCMž—û[©s¬ ;ZWÀá¤ì`±3iSw-iUÉCW
-ÚVâ>xj„E‹ŒwêIo³}‚üH—ã
-Örú ãkÑnT‚e¿S< ¢x
K»«-1…‹54ËÆa«÷-ÕÜ@ÚUóªîÐsL/}8ÀѶ›Ñl¡ò‰ó9È+ß©O¹È¨qD‹£RKˆ7hëÀûÚë,l³Ž[‹x³#‹³
ÆÒ4
-¶ÿ�Ú®½–ZJS•ñ~´õÓp+S!¨yWC6Æjy.Lä�“X5­^g˜Â£˜ýÿòƒüÿþŸ°°š9»BÌœí�}œ�.®ç?þ€‡ü¿
-endobj
-1379 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 2812 0 R
-/BaseFont /VAVHZL+NimbusSanL-Regu
-/FontDescriptor 1377 0 R
->> endobj
-1377 0 obj <<
-/Ascent 712
-/CapHeight 712
-/Descent -213
-/FontName /VAVHZL+NimbusSanL-Regu
-/ItalicAngle 0
-/StemV 85
-/XHeight 523
-/FontBBox [-174 -285 1001 953]
-/Flags 4
-/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/five/seven/eight/nine/semicolon/A/B/C/D/E/F/G/H/I/L/M/N/O/P/R/S/T/U/W/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/endash/emdash)
-/FontFile 1378 0 R
->> endobj
-2812 0 obj
-[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 278 556 556 556 556 0 556 0 556 556 556 0 278 0 0 0 0 0 667 667 722 722 667 611 778 722 278 0 0 556 833 722 778 667 0 722 667 611 722 0 944 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 556 1000 ]
-endobj
-1352 0 obj <<
-/Length1 771
-/Length2 1151
-/Length3 532
-/Length 1713      
-/Filter /FlateDecode
->>
-stream
-xÚíRiTSבª¡¬2©¤j=,Œ‚4Ã�†�PÀ0"FÑ„I‰¹7ä–ä^z¹�¤"T¨Ê²ˆ�.EE©°ªÔ
¥–X…p"­"<Âòù�ªUpz¬««ôç{¿Þzçü9ûÛßÙû;ßÙ·Sã1Ž‘Lˆ	A�T*�8€:s84#ˆ@$ŠcÁ
-H ð+uÀ]8|!o™�ǧ1@žj Ðd5	<‚<'H| Ò"ªT`@ª Õˆ–ª¡Th€W¢i`
‘FÖMÜHë�4„HG`
‚
--ª1üÁÀµ©:!€‡›J�FÞŠ“"0ªÓNÍJH…UŠ°d
˜Ðrgù[M£zŽ@I¥¨š4dG0xªÊ¿Iì`ñšy¬×_;™ŒP )7¤"€ó'{2†þŒ)“Tâ8,¢ˆÔ~wJ˜Ò,Sâ0Š%.Ï(Ba QCDE<�	
ƒ=@ô”b6ÃIê
- œÉ*œ Mü«7°5HZÚúàvòÄìQîM`Z` ®Ïd.ã&—Gµâ,÷
|'û/D¥Ž ŒœÊ w±
-¥<E=¢¤™oâJß­Ÿî;½½&'¤ªó˜­gÚ|ã‘­íç·�2ú²†z}�®�?Ë‘�~wÜæø)zÜ¡d8ü6¬âõÑO‹²L™2ö¶G“½‹gÅ~ÙŒ‡Ê¡øÄi—ËÚZ?ÐÜqϼВÚèõð÷gwÓÏÛÖ­ºñ+éÃÓknÝ|õ$'eSGŸÙîkØ}°„–PvfÕ^$êŸw‹®Ž?Å«psõå¹ñûŸ9¿6Ó[ït§Ü¶7
-
-ˤ67Œ~/gq<õªþt e¡9¦T°R&œ9ßûzT¹X}èçfŒñon
-—þ6s ËS0àf|¿[’—]-‰™w¬ÂIY3OãZM·Fê[×·hý±‹ù–úµyN)õ�\¿b(µq/c]ÒØ+Æï‹vNšðâEïó7…ô–‡ÊL7+×Ó¢½|¤{x
y¶sè¶×¾0¹Å*Ô_Ý#E
a½v+
-Û´?ôg5�JAŒàF®ËÍ£_¸›¹´ûÂ1í¾ò�¥ë½¾m2í‰Ñ[	b/aŸôW>ú×¥–ÂÜDqP\oÒYù-¯Ëµ
ª‚�kó§'˜šÄâªEM3ñž�À¹nþÎó}g;ˆâ-r Þe¾Ø­/z >—åÄ[p\è}°û¥ïàÏ%‘¦Æá#Þrl·ÌKÙÅz _šéó›ÍùðÚ$C§OíIÓ�s–ìƒåY̵ûRŽ×„×l×fí=&¨Ù”g�{*júAUF�:�ðMÏ–z¶16\©}L:E¼¨Lb±
g[Z1³œËLçž]³�çŸüºÛÿȺCÕ™»7=||kù‚hB»þž

=5äó’œ7[GzBuvŽ!MíqfìÞ1ã�ûPÁÀ–s‡uî~1ß,öo¡×]øÇ芵L®£JžÉÑÄzX÷�3àæJm­v±\T${˜]MRçï%O]1Ssjáv1É8üêdUI;Çҳ┷¹j´RˆÉKNk–ZM»3}ôI‰«å±ùàµ0~Cù.8àvEÄú‘Šq¿»]ãº\ç+ÿžY&UIßÄÉö&ÍUeô�s2šºJç9”냘[ϬÉü’ûÕéÂÆÍVsˆÕ’ø;kuûöëÎWâìµÐ–h�žûühLGžÍûÙ+éôÏ°ÂÅu£úýua¥–¾£;/eD~˜oºëåZRòÚ:6ªn°Ýº,þ0WèÔ¨l¬/Üs±²Øþ“(MQ*ÏS¶ÝNܲrHZ×pb·Ýè�:«¸kv~óŒù;7ÿâòxIº¬âëõþçùyéQçļ¾€Yß»/,R“pböÉÁ¢�êƒÉ÷Bz²žüð
üžmðÈ¢'Ñg�ù/,êÞ3>åÅ’¡+�¢[­{µ]š¦êÒü=ÒÙ5NÞu8Ü~ExÍÁow{q;ﳶ1úòåë¸SK]¾5$AÁÝ…�B[VeÀØ‘<Ø~uo£S[
-(5ˆ‚ q­‚H¡ýN4Œ®endstream
-endobj
-1353 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2813 0 R
-/FirstChar 60
-/LastChar 62
-/Widths 2814 0 R
-/BaseFont /DFOXTY+CMMI10
-/FontDescriptor 1351 0 R
->> endobj
-1351 0 obj <<
-/Ascent 694
-/CapHeight 683
-/Descent -194
-/FontName /DFOXTY+CMMI10
-/ItalicAngle -14.04
-/StemV 72
-/XHeight 431
-/FontBBox [-32 -250 1048 750]
-/Flags 4
-/CharSet (/less/greater)
-/FontFile 1352 0 R
->> endobj
-2814 0 obj
-[778 0 778 ]
-endobj
-2813 0 obj <<
-/Type /Encoding
-/Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
->> endobj
-1335 0 obj <<
-/Length1 1624
-/Length2 11252
-/Length3 532
-/Length 12119     
-/Filter /FlateDecode
->>
-stream
-xÚíxePœë¶& ¸Ú¸;Á‚[p—à4Ð8�5	îîîîNpwwww	A‡½Ïœ{n�¹¿æÞ_SÓUÝõ½ëYëYú®ª¯©È”T™DLl�@’¶`3+@ÁÂÆÈÉQÞ,Ç$jkm¢hdm
x>!QQ‰9€€[°8âh‚L
- fkçê`af
Ъ«hÒ100þKò—
-ÀÈõŸÈ›¥£…@ýöà²¶µ³
�!oÿ׆ª 
-_
-0
™"±(ØBÞ\hÿïºÌü?×äÿ�ÿ�4ø¤½ÿ½æþ{�þÓ%þïÞ秖t²¶V
-¤/k`T\§§‹íÝ@€]Q�Z~®w¥m§Wrðo™áSU
-ºî\ÌUêVn†]_ý"Ô”cÍp÷ó¹uXm.V�ÝÍQeýÂ'xâ_­ç¿é¼)œs½q(ïìÐ<�“j£pÛ0ê¡°ªóŽŽ©ã~ßÑô
ôw^Âuï2dF!R}v†E¥ó¶Ï$ÒV/s¡”ÁDÖ�ùE¾ìŽêâÌMºÌ©œ}‹9YBb]™º�ý^C÷§"mÇ�á
åPÛ{ö»XPð´Ó1ðegçB˜ú�”žpDØj]Éy&�W¢…>**g›çL·V醤¯‡¬�o
öÓŸz ƒ—•å4Lm¯`o¼.
W¯9ú|ÞÊ�†¿Ñv.	©Ô¼~íkLMÀWrôêk¦ÈiÂ~©ŒK©�Kíw¢ÏŸŠŸÇ}½^ã¿æ²—BÔ«¸<_g-wªðÄ·ì	ŸCRkÞµTå³u‘£»ÒéðŸðˆ«)un�G%E="Ó)­“%KÜ_½‹¹„È& %*9,	…’Ö¶v£†íkEà8³»haøâ4-ï㊚*êFŠ+̈”®�•„I÷\é˘eœÕss×·”¯ø•«ª•!´¦2cí7Ôaý¦"!šÿªáçÐ…tgšòî¹·þc|LDÉ\‰¤ÈäìýYX’sÈùƒÆwe•x¿µëSñ«ƒb+½:’3¥”ª¦åiC·IA(Om”9ž_-­í•òÚÁ¶–—	žþœã®°‘‹s§É»™x§J¢àÞ‰9²úŠ$cÙQ¥R›Æa†·îk5Árk(q€O^XÉ#
-Ö%o¯ÇRé«Ž*í÷ÛŒþØ©§TZ"žÓr‚¸ÌñÑ~÷FËO,£àBŽ¯ýÐ=ê±+¯×ïˆhÓ”‘ô2š$ÞæJ�•œE¥�œÉ˜®‡‰z<ÒX?w’¥n°@2øÛ,g7wå‘Nè3™ëýmäƒS� ¯yèøN½¢Ø¯K>™G
-D<ð±ý.¤ÐÐ2Ž)—Ä=Z%W\tõ߮
-¸y´á+û8pÚÇf­$J ?®&NÌÌTü%þ<Ä
–0&uÿ	[?æËJÜ®'ý
-¾®¿BD™¸?7””O™¢×4¾CEsqa¨¹¡
y³äÙµ±¯ÖÀ¤+½öûSøˆÑ&3¼ËDl:—´s•nwùƒOYeÞþ·/¾RB#cŒÑ˜àc×¹Ç\ .ÞMJ)ª�6¥
-âë_G€ãü4 _ëN9£û‘@§4@d^Òq·Í݉Å�*ƒÊ�ã(·_–-ùâǥʃbÐÄ»@e ÷ÂÊ6â]aî{#õ¸‡eà%pû}M¢'þ�Q]Ö�	�@YålY	š•ÏÏÕ†„vBF^ù+º“1m§Ç$"Ú0Ñ?L«Ú
+éIƒóÍÇ)Õ²ÁÆs}ü¿
-
-Ðõpe¢°®Ij8¦YnU–é…Ψ�êk=<ñ¶r¼cô:¦ñïÎÑ3~eâ|@—‹‹{	%k,ŸÙ—ÅÀbmI
ùÅýH
-¡b¥XíÜ®[këîr‘Yê¡Ú«A�(üÚ“¿4¸ŠÞU—Ì>�ä°,ò3M|xòã
Tô7Á–tu`Ã71'3¢1}ãA/±¶æÚ+]Ÿ¿%âÅ]w>’Dúg9ͧ¢xF3<¯!F˜¬\ì:É æË{,â–Ù¿¶m—2¨˜y�‹,‹gëŸÉ‰mUR‚ìíå­ÄON‚vyÆ°CÑ¥˜GÕ+Æ`vVÂÚ)ê4s¤‚”ò#æ͸1‰	r/™ßIò²NhØoú!uçÚÊÏ~ ¯1Œ7ˆk9ÙÃ5 SªþáiÖžW¦±ìÚ<!ŒóåIq)¨ÚßéÃ|•Í‡|�Ì+ƒB§’É)[‹8YåÑ´VoÄ×°	n–èͲp%¬†Ço„X‚ÕÅ•§ÂU«�rʪF¦FŽ—·Ýé,öü
ü+žxMœÐy”É
<æ$rʨ\	zC+Ç»p°�cc46Os–WóY­½ÜøùdT‰Éþ²†ÇÛl;eùý­éÓ'd8WYèö„34W®ª/�ð̦÷õÃÐM£—УXßC¬­Ýœ1»Gül°ª£Xæo¤`Á�ª+ë"»ìYX�…{Öß08røú6¶ÆÚ-�M"(’Ì`ê¸:Aá
-¿ëg†ó(ÄzZM>$甃Õ*/œ_˜Çk»üs>sàráÛü.$Ûr~�@4rÛtÑfîð¿¿äbNþœ©zEðlø¢7‹)õ ¸¨¬¹‘Nåül¤:Kb˜ôÉ‹ÍÆòÕÊÄ«_ðA”%3ãáº*ȇ¹H0oO혙±}¿Nv‘;3’6Ñ7ˆò«#úBÅ®Õh ÄH‡)¤@r†sóz±]$Wy“­ù¹{?á¦ÎƒæÒKÐSÃb�ª´+оR€$ÕÇ\e¶W¹go)Ú“Yµãš´7ç›qâ#I…ñU:'.r@ù
õ¼hšGRŽWy@�é2AT
-ΨáíÚÓ+b7Ðk8B½4ÕE7$�Ji *”ŸA�Q@k—ÇÎR·©ê Qœã”=ÁÛD=who7Uî{>Äe'¾oõß¹,tÕ¯¶r!Ç—ÈÒ‡š€öíÆäÞ�¦4¢C~¶Hí}NYù†?H $§ _”!‰YzVÄàJDžãËlnË‹ý­’Úë1ŽP~ÔÆž|½¢ñˆ);R¦¯žÅgÙ1F†”þÞŒS8À;Y²›˜áܾó”d¹š£p æÙ¾ê<rò,2³¡xB‹¾àÔؤ zäïÛÎ;àÍk~>Ç]"Å…›þ¦îj=ûp-
-Ä9݈[lÄgaœs6øßwï
ظY“AóŠbÜ´Ú‡F™,èÔǧÁfvX°Ô‚IX÷åc?ËïAeÉ—«
-°Æ›Á#âÚöÇM	r|ÑgøZæ}u³­(£�A�ñS„J؇1N•RÆMö9ÝVyðL×£]²šòÃO³5ÕÉô@�µ¸vÓùú×x|ÕgÐåŒt
¤^õÞ‰¸A6(¤ïâ¡Tê#ØEqðIÕTÅ¢2{HÉ*±
-Ýhâø¯H¤ÅÈ)–“âÊ	Šñ#	
-�Û¬´–äx¾w®›ª-éè‚g•\<%ËÃ~`–/\Õ?¨b‘’õ
+öxJ2�N½LSèsc“�>nmTé2ëìÜ?d]>øÉèâtë;!J~á„)| ´hð€WΖÖISÀÌt:5NÉomÍ9êlo|ý:oJåhY´=î#.Oû¨‡(*/dïÄ’cŒ’Ái£
Í·lM[ËCßóª_ø0Šý¹ÞÛôÊT¬¾ž=ÚäÇϼ�èP/©O¾†ú+b‹-b“CFgS²‹7rÑuÌ]~Lj:ãÄ”µùII†„{ç„ú®B(EÑëÃ&TžÂd@ñ¯ô½XÃ#¢qÏKžùö–�‰„û|-¼ê[¨n_Ø0‘MH»`Ó†ê¢Z.JšÜ…[€©
«Ç§BsñB©»>wÝ=$*kƸ¼ „Ö+ãÛmIŒ’pœàõrš¶¶Y;5té>¯å5:‘OjQ³
{÷
-?v˜;~Jr^"ìž}0ýª£HZä2=�Ô&sËeD¶|�£—øqïxL\XWÈL'[¢x!µ?ì
-ÛHØ™|½,µßzð�lVz7¤ûd•Ïx7øóCvß 1YniŠÊÆI³	…y%"ÿ=bÔœ">ÁÀü'=yí¢eã—ÈÈæ”U—D©IZ\pcLiÿcL…´
-lÊ©4Ù@TaÊÉvX
-còtéÛDÓó—¡S×4‚º¯…´14Á:÷ ˆÇ6•_û·!ïôèì.ë¼Õ½Ýø"}Én’0èf�eTée„­‰"|£:ß?wV°>‰c¬Ç^µÛ­Ø÷�PD“‡sŽÒ�ãS�²d£«a"ËàŽ°«VIØÒyl-¢Ð¸õ½ëȱÒÈ:sø0Ê�î°×ò¸u\ÍM
%¸$¼Xi£!?¸„øSâø=žLÌª±»»²Œ¤ˆIÅHªÔŽ.ÞâªÁ2;Ý]´ÞU Üó�P†_aô·.Ê…ï·Ådp7ÅÂ
-k병-.€í9�ž¿L&šš ¸£G÷é6?¢†¹^SÀŠMbcÏ7ó¸ äÎ÷%†
-¢Ý+=°�„ãðí…>sΡÌÔ‹ãåBgíâï°ëW�~“¼{井²TgKW±s]gÄƦ‚Í; â&Yî¸ýs\ñ°î~ÚŽ&yDo·ÐC€Ë’,JKºAÇÇŵr§Q °´åàÞF4tÍ5aFD5^È}ØT‹e!�MÛ•K}Ö¤œ_P{ß~197ÿàÚ"“¬^ñá.¡dlˆMqã¼èzïësÒ\Žç%„¬²†}jv,¦
ºD§ b"¥)ìÃÚ;cgÿðjþï=pK0˯å3
}ÉüË4&“¾®bNfþj QMô½s·Ü!;Wª²ÇwŠÛÔ„ÂFÚAüÉf£þœ°nÈÓjX’†„-öÓ¤ÊkŒ}z¿gËmêon¶ÅsŒ_a½#}AÆßЖWWWW†×‚oš(ùÜu•
©uKË©Kiƒ¹T28"É…é…¹´ánHbØ#Íö~¬}µ“‰ŠMÉ*·ÒêÊø3îÖÿ�ŠÐ·ý?ÞÀR0LA™uHA“eãƒ*£ì“dÊË\YÅ~ô¦º4¿÷Œ«¡ ±OL6›^‘"à©êìΞÞä#Dø‹„l÷Ñì6ÅÔ]_7�ºÌ®D¥Ê
-_Œßåø_Oáêù0­eØPTN¡TàÞµ]wÂX›ö%7-ß2™û•´Ý›×|»ÌÖ%8P
Êß”ú”PŤL×{óû=ªáöù;H4×OÑ5�¯)
à°”•ߧÔþÛÇQ¶‹nŒ"ÅZÓ
-Ð&`ØlW¼w{oFÝ÷‡=ÁßCò{z©¼'Ö„+!“ÙŠ=RÉo¬Ö˜ÿç…Ë›2w€Ÿþ¢>‹Ó±c“Ū°´™ÇdŸqLCyÓ
…$³¶È=B+Zäü‘ÿ­[G’€kÏZJ]faO½òá×ÝúLæc?£nè×�”LÚ–´.
-ÿž. ×“¥’ÁJ™8ñ*éûº‚Ò§á)v9ÜkŠ™”úîõºô!Ùé^ÞhÂÕ£öcèm�à­�~(8vfá–=2c˜´…4Š>æ³hõuKéËÅ1,EòB|jiˆ-ú)ħ|1¯é½Æ!Ml&Øñ”ÍONÔ§H[
àÈ:eVT”†ACÏÙgîï³É©LÓyn³€C�BKm÷¢¥.=kƒ	õÐl@Ü¥ã6òïI'ßßýô]”Ãã­²ùõÓ•³'¶ ßOó�tBHäëpÀ‰µšôn
-öÏz¡ªÄ€CŒù|®ñ½j÷ã§íÚ¾>©*ýfÀÏŸµd†ñô$ó¯ã
"	¨s	‘‘Tèó�÷}(¤Xn¿~}B-±œªm|búš`�Ôü1XV±ÏžïB{
šúÚ;�–7\L`™oƒ
-ç„œ8•õýçjÒL_y|9gfˆ®#—Ϫ¾O“Öø�Ë
¦ü²C+˜cIBÈ�°·Y‹~,†{T“­�N*e÷çwB¥Š|ÇÆmÂ>B,ô1eQ„¾þ¢ön]…毶úƶ-œ‘
-¥Ìò*<É5ŠÔ7Þ«™ˆÁ_P^wqž§Ä?ËŽaÂœ_ûÔî¿u»wÄFø¨A*�õ‹Êe…¡©ðÆhõ}¬—SF‚‡Î
-xuãÀ4£C+Ý¥‰?hŠzÑ2�AzoÉUÜþx�.å3òO,ÒÚ]˜“*½]4O¶‡‡H¬Ê¢ÄÄÕ¶.y“nŒrÐ%¨ê#cúÌóÔ�u÷mÀüfYì×M,fÑîÙÅì㪆›ý6«ûÛœ�û‡®÷�‰t29ÈÂЩÝíTg“õ—1›Q)‚¬ýE´q*(ôƒ#€Un?OCkaÙÝ\FÂÇÎX¦èÞ�
-5³Ï.]Œ>�ø­¿£,�-î\yªbñ…v›ûÛ®-.‘ÚŒ?2<
-û)<»Ï-Ìň¸áøÃÇF®¨Vö^ñV%”š¶Q‘+`µ@–ü=?®Ø�—&�òÜ’Ü?XÁT~_E»Gmx9[P­¤€zPžÕd¡ƒãRÏ\OÊ�cwøh@²¡ áÒ¬-DkO¦=p4)OC²¶
ŠXÓñíUÎd-êóA&Ó…ÝžºÉJ-ú¬ðÆ�—5šãuvä…‹FRùI�Å©¨Z7/ƒ„k¦7‘!Tꃵ=Kßò;]d+gO±òâW‰;};ƒ
-eïÏùѦÈ4Øk’ØÞ±Ô×äÖ¢HH ÝÞ+�†¤fÝå¯Íc
–«<}³ö^ñ�âi“ó”RÇR×z.©ÙAeJo¿tW 1¶¤ˆaψ¶9ÖK]m(Þ�,唘¸?Qw†çÆb°.³ûHëZ[îÇN×N¸�ÓÏ*W+,éâÌ
-ÿ¸Æf�MLhˆ
¶9«žlßgøi>ª¶
�„
³"ïG"~D&]4ª³¤n§Bú	†É»sŒ^ö.Òt6>M‚kZzH�~w`êVU:wËüG‰ú�çè
¤½DÓ¯@Î#{Áà—¥…?&z—Ý¥-"—ÕkFQÆvÂ[vYf&»Õv%îGÈ·›óÅ#H¼~æë:‘_$¢U�‡<ôÐdØ]Ž7hɾŽ#�;E’²:ðãmvÔ
-}zÝÎz¿†Arqˆ{I*_ÛÌ9ŒnOdÆ|jÚzó-Éó-eI‹žmÐæ|»ô¬Š·ÿ kï…rÜÚjönLR¼ßÔF­*8ÈoAõû%‰ý›·ß$RC„:ߘyÁ•›~Û
ê…�J'Á�ÖB#÷^ÏÀ}W)å�¼…nšÌÈ>åĘj€Bv91†b
-–øÁæK7g"‡æ֪ϋÎÏå0öø¨ö="–�‹>¦ç*ÑÑ"ö(
½æÊÃ}3“jëëc7{ör1½5YIG`Ñ|á´£ñ±Í=Gâj(ü¥¥
Êe íeƒD5±Î§ùöG{lD•)æ5Ue‹ú2F>±ŽÜ
¶aëW!‡M­ÐÒññdÖj((ɱ(„‰Ô‰ XžcZÌ®üg¡º®A¿³¹®nË$ýJ˜e¯nØ^¸%ÃHXtH-Á'Ø¥ÐMÈkd¿‹r¥ÅMœŠv^vÙ»Þ°‰TÞÅ°ëá@¯dŸÏê	™e{ž9w¸ŸºÑ2ÌÃ4ÃÜ·Å×*!´Êaó£�Dž÷¡|5¥Rõ®4Òa!Lª>]öCGø\Öçôù&�V?ð~ÄUÂü19V?îúEìÇ@·€†U;'ªe/í²­r3=›&£§7¤òZÖ“þø΢:ÄÉAë+ŠßsÝŸ`�wØÁ›"¾Kínl'¶
Û¥V˧Èí&/„:ïN(wX’Bç6YÜ{Ì#V; „l�ú�]¡à\O“Z8ó�—¤>@%ÂçÎ…ñNŠj,[–ðöžè2ÿZ¥ÀJèe½üNnš0Ç[7·×±¿ÂWü‰J
-”7LãH¨žÿmÒtƒüûÔÏÅ.Û`–_Dgç3—Þ¨ÍÜ®®,=P:>ãËt—sÕuL*$Ýs¯¿i¡ÁyÂi®6#9�š3}
3ôŠ$ÍÜ<>UÇótôf¯­œ'HF­#ÖÕKw$©ÏbùBeáù([Ó85=¥†Š£üä
-ÖY9Îü`É�Ý4Á’k;÷¶�îæø`ȃ#vÔ5*r>c¢œ¥ö³hòwNkCÅ÷3çé.èÔS©Ã�|©ÄõÂ0dAE
óÄ\ÍH,vYíÉs_‚ÒÂé>˹fPwË&B;lû…f‹ñÝ6{¸ùíÄ�¥¾ÿ ¼�Çg\7›-jÿÔ°·†i~>ú™›Îuù6¢ÿå×r®›-i°ÿçÅhÏp4u{ýË�XnÒEô¨Y†l<Þ«`[Mèø÷MgšŽ]‚½³¼_Kοywø¸Á÷A´J’T놰§—Nµ™DŽ;�f£¿ØûüP2
y•Xm#±6jÅ;`ÔV_ÚAéÀi@g>GëÍ�ÌSòK̶UÐó¤á¨-ReŽM‘Ž\ýè¦)›L¨³ï-šÝI†:»lŸ^>k²“ú¼œ¼Ågä<\F-U:üDˆ‡Úû³qEùÅQæü›¦UB�w18„²¥àÉŒ–žyJßÊ
-ª²´Æõ÷>Ö눎í•E
âx¹èµäW<X�1é‰þ¬'®†�{¥#Óxјt¨LUÒÒŸ3”Ï´„6¹wrøxÍwÃò†¤k²Ä͔׋–è:NÓë¸OKî¤bôÊêFmH¤ã\Œ»�Ѐ&1nÒ^M<úJiÜC+W˜‡D-	'X,þr¢TßÛek)}sÊKI‡£à"ç¾›OzÕ¯
-c•|z{Ù†B	¨À‡·íA?̓9¨„&Þ¯žg¯��ƒQÞl6…²t1£	Â[€DÕÙ°|$–,㞸.	yj;ˆO<<¡u«"�Vù!C‡ÛÆî7+cÌ�.™ÔHý‡H¯F'®¯lšöÝ)I³…ÕŽ"î…µÄÛ¨¿wù££ÍŠ(É¥ØKhùŸaP{‹jáÁQ.’OHÔÃñ<ˆìŽ¥>Þ¤0á¸mïÜ„ÏuìTyí"›Æ£]C;žë­kXÿ›¤ÿOðÿ�±5è
-endobj
-1336 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 35
-/LastChar 122
-/Widths 2815 0 R
-/BaseFont /NBERZJ+NimbusMonL-BoldObli
-/FontDescriptor 1334 0 R
->> endobj
-1334 0 obj <<
-/Ascent 624
-/CapHeight 552
-/Descent -126
-/FontName /NBERZJ+NimbusMonL-BoldObli
-/ItalicAngle -12
-/StemV 103
-/XHeight 439
-/FontBBox [-61 -278 840 871]
-/Flags 4
-/CharSet (/numbersign/hyphen/period/slash/A/C/D/E/I/K/L/N/P/R/S/T/Y/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/x/y/z)
-/FontFile 1335 0 R
->> endobj
-2815 0 obj
-[600 0 0 0 0 0 0 0 0 0 600 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 600 0 0 0 600 0 600 600 0 600 0 600 0 600 600 600 0 0 0 0 600 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 ]
-endobj
-1327 0 obj <<
-/Length1 1630
-/Length2 12198
-/Length3 532
-/Length 13075     
-/Filter /FlateDecode
->>
-stream
-xÚíueTœí’-îîNãîîNÐ ÁÝ¡±†Æ�àî‚[ ¸$¸Cp‚»{pw¸|ß™™3ëÜù53¿îº½V÷zŸÚU»ªž]o5
…ê'	�™¥,ÈÑ•…ƒ•]ðè`ææ¢rTbQ·´vS1³Þ
$)°¥©+ä(mêj)ж´
- ×T×f`bbþ§å/€™×¿#ï‘.@kG
-˜
`KkS°…½¥‹Ë;Í;÷_·óÏ>
ÿ©{S''{¯¿£A{ýG
@WK{+V$Î÷œæ®ï¹­�ŽHl
‹¼£ÀÁþ»…›Ó¿cî–à¿/ˆþ¯™ax/ÂÔähï°°´Bbûr}O	 ÿï©Ìú¿'òÿ‚Äÿ+ÿ¯Èû?÷_5úO/ñÿô}þWjY7{û�¦ïð�%xß2 €à¯=co
-üµkœÝ,ÿ¯0S ½×ø¯ŽÚ–ÿ(ößøþ–w5}¿	GëwaX88YÙÿaºÈ=--T�®æ6
-zôÙYÙÙ9
-G–f1–A‰°9áZm|vjeÅNÖž^X�¥-‚¤a‘7°w�+}÷ôqâ¡—vqžÈ• )
-šQk¥§”æLpÌž8;¿+é‰?ÝÁÂä‹Ì©	'üöîÇX»X•¢¢­ï,TË‹¼v©�°¢4)a½%ˆµT— é"ÕéHRDæÜa÷?}M»‚“‡Ý�Ú ÖÃL—ÑÑR°¡Ïò5å7…ø^{E®êÄ~užvdR ÌÌU\.¬}¶`!Ø•[üˆÅ=%Ѹ3m4©$¢t¬»Ôñì_È ëB«{J‰ƒÏU—¦®NBÈzN¸œ
-wôr®rl`¡©.Ê*Q\ÔâŸ7:’Y’µ›q:¾/-G›1Âèù#ëÀ•(¥jå	0©{ôšª_Ú’gÅ|
-l»>ÏÊÂôóí›QöMó�ð6$H3–k Aãm5Šk‰t}1»ü–’¦ÈdcÂ’txv³~
-kÉ8y!®løÅ‘Ðdª$ÂvQH?"ËŠfìSN2óõ%­0ºÖ÷fÜKF^N,G;¦‰K:ÄÇ�’Çv¶/Á,¨*¶¥s�‘ÆWùUD•M½p‰:
-¦¢‘H†©~J'O=é“«=/èWñ³<]º�&r©õ\a:áwÎúÒ§/„YÛP˜8áiFOýßÓ"`edi¸ÏpzOŽãªÏsekrýv~�›D…0!4*^¼C;†	M˺Æô¤ü~á�˜¹u¸±7`èó3^r9Æpá�óvýˆ±'
™Ósóõx+I'|²1¨�®®Érò*?+”0½©È�ýñÛžYL¡ú¥}ѵÒȼjW.½dfÛHû ~“õ�=�~#�ÆR•ãÄÃR{±ˆÀTèq£ÝáÚ
g	*¯<©
-OYS0Xµm¡„sˆÅ»Š�C&?ÐEƒUtÚ¾BiÑþrDm–0;{¼ADwm;€N5žz bÀLˆmª=° ÄÅÁiuÑ�§‡Ž£Ÿ=^r)ê¥Îý³w•M'ƒ"ÀÈû  €™š>‰,(víkâüsÎ\æˆ<}z‘eCx±朮äyXé쳈
->‘s�B+)±°¦pšô(;¤v“–±eMÎE¢Ä~.¶áC¿zØ“2ûgÞëiIoÒ‹ÑÇ2A�ò´{!±d
:X\Âjá´…¦0ibb¬¯‡Îi8½ÝIç9m7™"A9;‘Gå�‹‡¨Z?qq3:,´ŒwyÍ%É�±µø(­M¸0l
-GTtл¾ïGÃ9ˆ/¹MÈH£F±ŠËûÝaÎŒÄ7­såL¤Q°=þæ—PfšÇŒªfdjœ_Œ“‹ÂYõ§iwV"œQ0XáRyöÑÞah!e5Ŷ'Ê^”¼ŠV­Ȉæ¡Î=±�L>Ž�åÛËê
=_ϧHUáï+"W-6	�„ƒÕc’)õ””ãˆWaÌiÝÝÃì}¤2�©ëe§ctMÐsÛ#&Ix²Ñ ZªÚÚ™O¹¹JÍMç…e=WCŸ£T*bå4ÈËü_–­3š)¹á'†8Ý­„›HÖã\Ÿ$`}[Ÿ�çÅ5Óyô©Ó¸7Ú¹4ÕÃýÙL;N5–œ§ã<G¢bŒPfÚQ�Á§”`ÿðµÃó…a”x¬¡!²0HQ7ÜŸKEô–nŠS‡¦Oƒ�É"n7™£8S£»xuìkeñ(¬ç{ŒÝ5{±ç.i÷?Ðd¾“دèñýÐ_nm×q€=ŠLîV5¥­ò5æeh;ö|éõ­Ù¨ÏøÖ-¦½(­£*LˆçÏ׋æ�ø¦‡õv�[=†q;æú߃}.~à¶Oš«Ek.}Áqá¦|e˜íK¢"ï�Æï¾Ü§PWÛÅ¥þ‚滆p7§¡þØ4òbEÑ&Ç_JHïÀêýÖ¿¯
õ9GâO5­�‘Dz_úÞ.ÿr«ƒœþ§xäÜyåø_­Â²/#XnÒ÷ ïW˜
ò¢æ”J?‡†™ßœ¼cNµÎ~lî͆MÉ=µ�‹Ðn¿Lø9“VÈ\
- ª~º`Ù`}ô•×rÜj¥Ìg‰¾ö�B}Š,'E/¼‰AàkÆðæ!r9KŸ.¥Ü\~B˾£ÅO¥I#
-2Ç—Ž.vŽBglI¯Ë—:€‹ËÑA
-ŒlÌL�C{ ¯�ÚÆ1*4þ³u«H�a1½‚6CÞ¹å	ê^$•>äN™-¡OsÃÀH«iËb³�—¤õOþÑ:”ZÛ„ôeŠ%,0XÈ�î�Û™óMas*ý�¹±K–%„]¨ë ò½&�é@¾¯®
-–»Ñ�«¤ße+©Æv}%Dý!BÛórãÓAT^°üUé„脲ì@È7”ˆÙ~åGè]Ìd�×Ä)ãÍ$ƆJ
-ÝÑ+¸TÉ)©ÔýPí)ˆ¥æÒ
—–€¦Ä’ÛEÇØ:(«„>ÿ½­
ïÏÚªÎòžÛê×Ó�Í6qî'z¥-ǹMîÔ-E2Á×½:åR%¿¥?5袪*ôIü¼
Fµv¾PeH`_	ÈtðÞ• ÏX@+€ÜÐÚ"03|7Ú¢®ÒÁI”W?_éq0Õk¡¼}ñ؆ƒˆK]e_cgòð
ä1WêF) …‘ž¡hc¢ˆr;ºhíLÆkÜ“td20Õø±_
-üFùA³‹F-ªè+ú¡Ûïï�ÈPŒYº«Ã¾$m7	LŒQð(xsQ v²–DÚHϦƒû3Ø"Å·ôT¬Ò¸FAØ‘K4öFJïlJ,*¯¼F†§	Ççêk‘}¡nªE§}NOëG|1Š¸sÒb®hÓh½KÙÔ†Ì-%Û°1ë"­m½ÚÒÁéçš2Ì·åTó­ËYÙ
-ŒeaBÂYtLü,WæFOÄ̓ÊüÕ=e[¦™�ÉЭ9
-dçSk3Ä7ìj¾s>—Íw¡l×h‹Oœ\L
4€wéد¶¯„˜‹¾+Zz ùv#Æ-}ÅúlWüê+îÐo€þ
öh˹}ä¨s!¬íÍJl|ê³Îìx{fYý*0#Os¬tmn"ð¬¨üN^ÆÖ0V£@›_ªë²=ƒXñ¹£uö¥N`Î%„ûS¯	ÎœE¦ý‡zBá•ü»qµ[<­îqBýE¡%oDU±Sw¤˜ÀïE#-´Ÿ‘½
¼•Œë²9mpòbû¸ú[‡�yím÷ôµ¶ðü�Á;>
-Å8ÏJ;¯xð²r~ýI
-Dƒ2=7´þ\}Åf{2vÍχ{­¦óÚ!YDž©j 4íÐáÎÆ)JƒT’Ž4a ˆJÊ„ËãÇÖE0á/U
-ÔÕbìÔkJ~,ZLøAÒ‚´*éjô»XåÖìþQh{5íAN<ø•|é1*¶—T�‰þ¡©DM€ÚA2�•qQ.©'�÷ ø›§ÅðÉ>ļtÆH×8åŸäÔ€ŒN

-ÌC=Üa·Þ±û
-�zÄ}µ:á?Qãô‹ÙX£ŽS+83¦u6Dx@±[–èï‚[-^ˆâßëI�Ô¸²�z€Z«BP‡»‰�EÍÍ»f䧓
H�ø#�?ézߥMóÃœ�òÛ©Œ'oLH‹ð„ö)²^¹±à/˜²Ÿ‘¼F"xAà,e(ô�k°.¼^¤Ÿd4Z&ª€&ŒÓîHgCGrZHÅ„o=ô¥’+nø›
-(«ÅQl¼™½ezžmÒ*ÁRYòþA2óé»pŒþÌÑþS•òÓvëÁ
âqhtøð™ô
-+{M%¡„÷É-ghѤí¸Ê~hT”«ïÛ¾¬¶ÓÙÀ,
-ɇÈ
-à ¿v’d®oì@Ç;‡cM».VÍŸÓsd\«Püˆ
-%ž‚qýJN�þd=øˆ"áQ
ß$ò7JQ‚¶KEK[†üPn#¦ÕÛ5¼Nž{î/M]²õ{oú³Š›‡M%3Ÿž~nEãFäü…Ÿ[cƒ¶º U»Mw~”–pM3’âJA©OlÍ?Yö
-éi<ÆNÉßOê.s}Ëï°–<rnCœ ÍñÎçÌ`ñì¼rG7.ÔsG_í›#6¦ðêþz"D¨:mÔÀ~±ÑBsFš?'µ�ŒÎÛîud�Æz¸n.çÚIh¶4„–*=®—FåÓü@3ÛœõÆ	kÆæ]tiÿÚ
1êòÍ\…óùãj+3e¿ý“a
-Œ�²�ñ¯„1*Ýê-§ˆu«¸�²ÝñÑà¡õnËí}ÇXA×–¥ È¾J[³W™Ðžúœg(DœYT
¢¨¤%•Gvç[Žbª±³ú>|Í}vk´åÙeñ¹Ÿó\\Žã¹Wúö°?	‰§ºùâwDS~18¤”ÒÝÙ>
-ü�à¿#pîpÄ—°¬–s…¶�’¸ky¸Ê£³»šzÚ
]Zî$sŸpÿì¯vUý­'tŽ¦c“è1B¤#ìÖ¬K¶Èö8̲©McÀG¬ò²èÆÙ=ÖD´fKßy2Ô	×l=kMuâ˪ÉYÔQûQi8ñr>Ãħû™†]­ëóõšãâà&óP€;„rW¨z]t}Bã깬>GûÑ[qCÝsTE-f+J�y:#ȺÊ'a ¹ø1VŸ8Ê‘°èÙGPòµ!"Š‡Ýw§0Ãv¨3‰Ìäþ„Ã=÷ã[i�<:}dÈÖ!9?›:ôrj775b“2î«Ò+(W{S�ù§‡Ð…Äe¯=áz1�O¦)?^t7Tª»RX:%äDèW…6O8c$IÁ±xýá³nÆ·|õTÕYCitJòº[èF8È!}—á²Ù´-(*–�™ˆÇ†£ÉNIOK½ÏDÙS¡£X{ØqÌI`ghˆ‚·j.©¯sX÷ã—³”OIb»Ð\ÈtYfÚ²Cßh}m’¼™zwó=·>vÕö4Þ0ÔÈ<wfºC�éŠßäïƦ¯™ñ?Ñ´a+&¹Z2*ø'ÏGrŠ\ÇØ—Ùž×	}‹òq~ç¢[!
-!øã
-ó(]ÝLœäªõ…ðC!àá?’H{'1ƒÙ$‹ÌœÌXO7 Œ®ÙL�ûX¯E´ïà	äã1÷ˆûYº‘Ý®ìŽj#7™¹!a|Jã×ã?‰pÃo;óLsÒÏû:_­M.•uÀ²%bßyÉ<Yõ�_ɲj–K�DVÖ«„i0&|‹ûT‘þ¸â	MŸ¨ #”(¨RæÖ®--“3?ÚŒµ.ò“Ÿ
Å*ù\;õr°ca¦ò­””¬²7ÿý¡|ð,ûcé¬n Á"É·3Cu0üw|ÄÍÂG%¢p|ë_2—;\^µfEô¿Â¥uX�ÓŒñ·p3+MxKÅ>Ø�¨Y _ù¯Öe$g�OÎë$Æ⻈3•MÏf™;o�Š-›‡D h¹¸êQ
-j*c#$Š•ø¾}Aú¿bLˆªïLŒ¿¢wž³£ ÕŸ–½z§­ZëŸÓœà"í!u½S“Š‹�÷á�ÉÇ+ºzs»Ö÷’
®Ÿ .c=å¤�H!‚Ȇ?&73Éìl–Aµ*¾­ #]dàJ4ÂhÍOúá•]ápq3\zr˜Mj&šDØSø³XyöÃD HÙÞ�ÑÚó:º
Çæ�e�´‰`}1K-�‡$\ÛÌÎr^I—z¨M$9ÑgP¶BC…
ʆË?ëz¦´ƒ™>,êÔnùŒÌ¿th^ôWàéìs¹ÖÇ°ŒÇ
-!à÷'wM¦è–ÎèP½ðûkð&&ÐûQËØÙ¢�÷¶§ }Qvf/S:K¦\o¿hŸ4‹ÚïˆP�°¼Q¤sûb÷×–ú�õÙ<(¯sU8¶tËB{üKæØiFÆêÛÄ›±Ò)d¸:uò½ÁÖÓ5NócáÏ6ÍÁóSDôO§)•’�­WÙQjç×øÆu±U0~®ZrIÚ4*ÎÝü9ˆ¤š/kÁ[C¢Šç#¶ YíD�½j„õ¥×8ª#J�85¸LbE�»ºå‡'�›vÞ~]TžÑ•‰³²<IIwÛª“àsø*F Vx¨:χÓ5¼?¤
³·ÝI͆–3ÆCŒK·*6WÒÙ
-
½£Øé•ésûãA	úIÕ#2»ÓŠ’„?eZF¨›íêp½µ¿hã—F‡<=éz梴|ÿi
™
-sÒ-çvŸš"ç«ñ¢q2À¢ªšäÁvƒ8¹„ÇW?ºI/4jûé-&;S>Øx«æZ—Eª6¼l9� ÐŽy:¸íV"ëow
-÷�8˜6Ö¯!u˜Ø¡±ž@}Y_¦ŒW�$�5bìüyá}{ÄaÇ`Œ9ñ¤�õ"®2ç÷´(/�
³èD8ˆÿªÒUì»@ØÒ]Ú!nµy(�ãûEÎõÈ
-ÇJÏbì^*@vEÈXcæk3¤ÒWË3F„°0í;Æ·:™œd»Ïã°×²‹Š2Q¥"ÝW”ïê[b£î°)瘙{I³b-Üü
kÈá¼J ûJ
WJÔ}U[j×ì«tž¦#¥y`ÌpžÒûïÈòYb4èP¢zçíûrú\7øBcäqRItb‡ŸëNÌ
C¡£þÏ	èþÔ¾œJ²W)o5q?#ëÆ–íú¢
ùÞšÜ=”«@UZ—š(7‘ìŒçÛêß¾ag¨¢”–Fâ¶Çí–*âìÇ&f"bü	ä×ÓÐI1ðÊb	¼É5(+pGhß¾¬Ã¡®ÿU«n4P®48•@š!LnÆÇnàxsÜ8®dŸAÆ7ÏË‘©
D¹Ó2…+oåqeS�Ÿùð+û˜ˆüÓñ�V5¦‡K"­„ž¶”%Æ<FÙ‰*(ùWpÌÝô·û²ÍúÕ`u)ð8š2¹UB÷ÚÅ*lïdInÙÝÜÐ4Ük”ôÀnòíššLœâpzæÍ Å�øL›9àÄ¡]`QÐ,8óô}ël™ñè
=ƒ¾ ?°ÞðxéVgS�¿úÅ®ùE˜˜ÓmnÓÅ
-úÆmGž4ñ�8WÁHë0Ž
ºNãR¯´4o©ÙØ_Oéë|Ï‚ªôÓ‡rÙÇjÔO8˽²¿€…þ”Ë#”¶«µ‰$
ýX&3³Fn“±wmãÈØGœô4Uu‡°‚•ÛÔîi¯/eÆ«Ô4Âm’ÇÆÏãé#\­Ã'ßÚup9‹;øôÈžb™Ž™0Ií¸³´ÏV>Gl0:?¾1 ±ZŸþ	;¶Ë¸ßb~ó�¯E®âòðH›ê=!?öŠ§sƒ�ò»|*þsMÔ;s&/€¥òñ£òè
-€Ÿö�’_
-°>:%tÝÿ’hàÜåA®(E,FKrùÁò#5>©²"E÷èó9»¼úÌ$ÖdfGp±&â/yT/öËsš½ öÊmS;+æñd„}Ñ%ã¯ø»Î�¥Õ²ZTÎR:cí‘àÆ×e¼â•ŽËf_ú�y+§úŒ‚9Žr£Òþu!Îi¦’õ¸<¶“Ÿoö„b†™­Ò ¦€Ò‚7ö?$¢˜`ôBï
-j
•Ûœk3¦¼ï™F²žÚ2ð‘Ö¦Íú¦N†.!‘GÛt?×½U‰`Ùˆk«¾vØGn­aq9G´—• o‹ÃC"¢¾.œ\�ýaÃ4Ù œ¶X~8uSÝs›]`ÉDš£ºžoñð•À•Øº)<8–v\гcê¶ã¤’”àôzÛ.”¸¹;ù\ªÓE`BFP墬ý&MazÍY""”݈ú� v¤(´ëïü8ùœ�âŒeë¶	Q*ÍÅ£þ³GIçRh¯¿×øO{Š— ·?:û }ƒôÁ~ÿéi²>¹}Íì̦¾A25_6…½ÄŠZ*ÑÑž�4ÆGD
-»¡Î¿FÍÓ8ø©oc¾°ü$¶<;¯ÍÔl"’±*³¨Ðf°„SÞ�uwÏ$ðÑ(Á‡Âé+8ï’ÛèTÍ•oÙ­Uîák,„ÒU8‹ÝLboº¯Îr§ô‹D‹´<(Lêcv°\xš˜ncÅEÈÍk‰�zh?Œï¥.Àí{Ê(·IipIw®M9FJÛQ¹r�g�"ˆP×ËgÝxO˜ËÚÛêp8…Ýk¸Û‡6
’K(Ãùœc4ê‰MñÉ´²¯ÞÒ¬“É*C-ëa‡’y™Y0DÊ#×iPZ�³;ñhäî3¬é×ç’ø]&?"4ÞÕ<Ò×ùùg›¾ýš45É©Xÿ-ªße¶UNOàΨí�Æå•�õ…@bŽþ¦½DÛš¶D¿ñ91š¸M’úÓÌ>gÐ5ÕOZ'ÇÔÍ2gµî_uØE(lü
#È:=Ÿ~ô�¹Vþê”ïô[ƒž×j��E%zJéçÛX»8Ÿ7ZKØŸÎÀffך¢7«í×wÉp#–J R«‰»3øzˆúðþ`ÆÁŠºÀ:MHdk#Äp‡Dê«l¿’‡béð«P[FÐǹ!;@ò×eüJ£Fw8 qì5ØÕZË‘òÉ’;4þùÁ¾µ”{í.æê~؉³™KB ¤T¦yxÓY‚¸!e{®«E¼…[.ˆœ€±’9UÇW)\�ÇÉSÜî”O6^OX�8û­ë©¶Öt1¯›Cé‰4ƒbþ¡ÝwfÛLq®0ó#üu~ä„ �¡Èr°¶ñBwÕ\¥,K›1q¿0V®�•¹ë_g_Œ³
Þµ�q°û[2"iÝJ¨¤,¡�ÙìêWgµÍ¹øÝU¬r•]ˆÉƈŽ§Ë�Üu¿2Î5öHÁf�áÙüÕÏ¡^bÉj¯ðÁjÝÕ5tûñÎ2vljè�
¼üU€?~á4›‚eÀ¯ñ~.¬Ðfv–¤ÊO½“gß@Úé—W´/À…)‰Ã()r�¼Îyr2
’LƒžÕº’‰cEòšª«®à[±6	JfHïÌÎ$å
¤/í
üWj3ÈÒW<íõå¥7b#ô}EÖgÂ=gRº‚JÅe×LÛƒ¬3
_ö6„J}᧘~[IûÜžQK�xÍmJíB2)GMGìûñ{´ín~LSW2Ââ&­?®/ßÁ}Ò-Ÿ1ÛØ«ÄüXÝÕm^©“•Ç“ŠNÄ(
>¶­å_¨Ì•
-�5”0;vVÊ­‡‰\Û=¥Ç‡ÐÅ»/8�n¦”².ÜÔRzÚD"‰‘$é»$3mXiB%ˆ#öùÓnà„u²|#Á?¬8¨‚ßK¬Š-Íf¡k®XÓ“
2+ÀªtÙ¬c xJKÕUtêôÑL,qúòÑÏt/(d¹j¸ãyÿÏ÷Óáû�$˜Ôq3-]ZëGœ|ø":R`/‘Û¨B¸,ÑU8	�ÀknϾ8JÓáÜÔ†]iÅ&ÑÎ8ÚÈ>k�ÆCÒnÙéØD0¥O K|ö,ØKùPëcú¸ÿÓ~§¶´5%D5=¸ÍžgP7“l†r]™¬%¥®Ê!EŠ]âþŒçH(FŒÿµµH�?pˆpî8‰(3žG goaô9Ë�×òÛót
«Zø²&Œ¿,…Øç¼tÑöÐôD΀	qP(8XÝÚÓ‰‹½DÉO'69bA»
-üFÓ}UZ6²ðlRÛ
-ßB÷,øìõôàÞt�KÊA ‚Uö…úØ€Ã7Ú—”‡¢ê¸�då|%Qß�´“¸6ÂqoÙãWí.Š,}U/)¤ÏÚÒ°=PjcaÌé}V_[ÎQ`9Ó¿‘ #Ù
­Ú„é½Á6|-Iû}„�ýþ—¶jl£¶%"åh/ã6s ï%F¯‹k/€¯¢‚BÔpÔÉ]¿O•Ø{I…O”æ‘»üéæ"ã¦8ÉðuÛœýOÌŸoÊ8ÛÑ·MðTt8JbD?ÌOÚ…Í(󸢔s%<…ÌlGåšžÚ�ĸº¸1}˜ž¡uæØ"
-ñ…‡òÐæbð½¶õŸÝjSÔüCàâäC*œ­`E_™
[‰ä,%R•X™«b¨!-áêS?ø
­$´^GªíëvH¡²ûI\PM_ø)c#!#Π¯¹ž=³6Ú°ú
?Ç`k}RƒÁŒfC©È¤“ïÌ{5ùµ<Eû»á°DçàÀÇóÊÍ›ï#üb
ë× É¸‰ç¼§˜ém.ÍEì­ g:†´
-Œ:n/wùªb:¾D‰§ƒ˜­Þöª…%¼
&z[C÷¼cÛ+Ô(Žö=7ÇöCtmÖ“OHÀbÞ0j],G6!µèik|GÐ÷é°ÚÊ~Øfóf~´ˆHn‚§§:vƒCÙ˜9žnͺ¬ÎO‰Ž’§&esþY¼ZµL†¾AE?íz�¹¾è™AvX
-;ñŸ*Êí"
þ:»,Rñ�ŵJ&¯‘JîWå¯ÔžøÙÉ�ÇÈó<ƒ8 Ù!rÆ
-äwÞ8!¼w§š–³à0an‡Æþ?ü ý‚ÿ'Ìí-MÁ® S°Òÿ
8	Àendstream
-endobj
-1328 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 34
-/LastChar 122
-/Widths 2816 0 R
-/BaseFont /MFAGBT+NimbusMonL-ReguObli
-/FontDescriptor 1326 0 R
->> endobj
-1326 0 obj <<
-/Ascent 625
-/CapHeight 557
-/Descent -147
-/FontName /MFAGBT+NimbusMonL-ReguObli
-/ItalicAngle -12
-/StemV 43
-/XHeight 426
-/FontBBox [-61 -237 774 811]
-/Flags 4
-/CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/slash/zero/four/six/colon/equal/B/C/D/E/F/I/K/L/N/O/R/S/T/W/Y/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
-/FontFile 1327 0 R
->> endobj
-2816 0 obj
-[600 600 0 0 0 0 600 600 0 600 0 600 600 600 600 0 0 0 600 0 600 0 0 0 600 0 0 600 0 0 0 0 600 600 600 600 600 0 0 600 0 600 600 0 600 600 0 0 600 600 600 0 0 600 0 600 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-1252 0 obj <<
-/Length1 1606
-/Length2 17489
-/Length3 532
-/Length 18402     
-/Filter /FlateDecode
->>
-stream
-xÚ¬µcx¦]Ó%Ûv®Ø¶Ù±m_±mÛ¶ÝI:¶“Ží¤cul»¿¾ŸgfÞ9žo~ͼ?Îã8wUíU«jÕÞ›‚DI•AÄÌÁ(á`ïÊÀÂÈÌP°²3qs‘w°—cu°5ü5rÀQPˆ9�]­ìÅ�]�¼
-`e°ðððÀQ
-ôtý'—	`fåâhkìõ7÷_0Gg«Ñps±²·ø/ô
-ĬsÍXŸë%¹Nf�ß{SÊ*åP„3]lÎ0×Ï4�dîÅ�äOŽHþ¦�	˜Ý(Í hõ%gç”)'ÏOTCã£#Ã}·�‡øtù	°|1�NùøB:êÕ>Q´ËGÙS¶XÂçÌ}#ÒÜXœ‘,‘|[Õ#~WØw'Š„ªð£Ê#$n6ÎÞÁ)óý�xCÉ]ûAÍæ”=$w?º>1$S®ÝdÎ	ÖÙPN<3±ÌWêGâ¤Ý£âò
-ã@]á~?ÅñïVìÁ¢ˆJM†³„‚ô_G)|æ¦jœ:ªSÛbÈ~,˜(£ÜÖº“£xõdñÔ¤3ÂW¢säbÖûº.Ÿ†Ç“Xœ¡f-TûnÝö†hRâ/2z}•wKª{?…†|ëþ÷(¦¤I{Ôħjäß{ôb²4ªR{È2Ý· 5ꮋ®¥o¼WÐÂÜöš¢ª
-¡s,ÀñÙ燨×qZðoñS-Ýì…|­7€°4\±uhò2â·�t–û
-C…Cmkj"úðÝãûò? ¤L›_LM‘>¨J£M&ÂÃ¥¹Ö�›Bnv“EREŸÇæ«ÀZ§*ŒVXpÈqí$~Wóÿ˜\¶œÌÊòz¬©«TX¿Â4›÷T#x0E	òÄ‚ùäNÕœ�jÛEƒ²¾ñâÈø¡Î¥7µ<t“[ß|šytl"†‹÷|ÊÍ6g"„¤j�èŸe¿âûežU~¤ÍúƒŠö!8—q7¢rDìúøÁ‡~Y*ž÷3ó²ô½6"’E/ 3A~uâ„E
9«X¾9y½L45˜>ZÇú~Vr—Ž!^��Qê#®¨çS{„«;B¥9NG
-Y'B
-MüWVM¸òØ
šSöÏsˆÊQ;ôà#tîWôÕd°±ÌêÐãFþY[G5Ó»ÒÝÏtãâ_± ;!µK°æ¾3’ØmÐð¼]ˆÂ:�c
-Fú¼ªF&/0R=5;|¿ê°yöo1ð„­-ÓkÕG#w©V·‡Â6
ùQ®ÇÊæ[Hd/w’#BG8MÌÉ=VÐácn¨¹)Ë�4j†c¢	Û?áØ3fž¾òçƒG/’Am
eDz!*ýáY‘
’áÞR¾£Q�»ÈÞYuÝÍ»	¡O¾:¶ºà¯}uiß¾Øýh;/²kvôâ¿“ÈQýÜÔ¼�ýܳôŸE£ùÕ	gá2vP…——&âÐ{–ë|þVÑŽ@YaJX°e>(§*�³ãay!^™Rq5i—öS·Ý¯¸£ïW]V€Ó±¸ŸmŽZŸúûW†Ùf.
´¬%h§ÿB¶N@—B£(ŸK×k�oZb±3ìó Ê�
ÝâO±‚cõ®wíë¨F9j,¡dÇ*¹´	dÃÃ:ôgý½oZ�úi`Gg|e¶þȯ Ë eX:?æ˜ö•~#3úºéµã<;‘ƒð35&EAžmJ–á6;©Aæ‘;î'’#ÊoÛD]Ñ,À£’}¿wá<˜?&HA%VÅGŒÇÒ›�Ü7³„ÊÒjE� 
-~˜›ñ
Ñ $¡ØAÔ­Ÿü;\F$Ìß<³kNÔÒ5‘~“Oç|ŒmýŠ�FøãR@E_Êw4Þ"X!ižøNq
Ý[åûÄôë'ˆ
-�}ìD"`ž,èÛ˜AfU·oÚà·¨TÛ[³'œM£L²Î;òèeñ	UU=O¤­ÃZÞ4@Z3uò7­ÈñyßÓªsÔÚR0’ö¥1¼7/‚¹R:ðw›�@»Œbâ¬ßÞ>0éÀ©ß�Š‚ß˼n8—¨9KÚ$>NÎŒyJŸ¡ÀE/àoGÂù4°·#îoî–êi7uòý~ý€¨¶Öá÷0\‹@x:ò§tà^c¶Zí=`±óoö"´“BY�7±ÕLf¶û2HöþQZd«‚mßha.—wf÷ û¡ÂF®0ó l8áîcä
-…�Mußɾå" Bû«CŽ¸ß¬Ìqq/سÖn%Œƒ´û°&è
-ÉFl§?Xº„×Jf€^."+«^öyvðKÛú x¬/|äô0“Ëm¡Ù¹ê”_f[5·Î®?°UÄظ‰÷­CÕ�*a…Ç.ð™¢5I�^Yko(m�Oq†!<]ÖÏÐÖFßô�d„š@SÜuýÒ¸íÝ7$PâÀ¹ƒßZ<RÕî�Ü7†vzC3¡,oÁbø§¾˜¢æ\o,fôüÇ7û5Ž_‡�Ý7í¼»'h³P{Ê@sn­½»éõ@‘åe¹}Ø£<WõÁO’XÁñö7ÇbUd¶äFÛqÊn—ú¯E‘¯ÊX*IÈÎØTØ„èûòÚÇÂ%N…Y~ÖÑþÀhYú„áÄ*bÂéyê\’/Ñh¾öc¥æÒÑãÖŸÇ”áÓ#MôI+þ˜gÎs[¸1—�±9¥ú™×„¢�[8|×úÍí%÷ÊJ÷ŒÐÍUÿᙨ‰ã=¹di‘�¸Ô8L5]£°+<õóî Þì+Ö	•‚C´áõ…fiMŽþ<!}>ÖÆHJré|·ï•ó’’*Lö‡]KÈ®w��Û'7/š
-“OÆèï�b”£»$„ß#´ï_åË^BYUÕò£bz•âÁ¾M«Ø)Er)àÆÀ�Q¨¾i—¯J×>¨�F;.@.Œ
-œ¹Ëì™J‘Œ?±¸Â0í ,×fƒš¥‚®Pú±•´a¨ Ž¦&¼/N"Þo,SÙžÚ©¶ Õ~2FN¥r¹#˜Íõm€o¬æCðfÓT…ÉPé¾IÁ~#ˆ)o�Ûå´\s=QÕ
�â/=¤4{	PÎ`ÏYuJN•¼JÄ/à
-%¦j ý–Ïy´c땘ï,ÅàŠ3ž“þc3c$a²…{s†�¶Ïƒ¢Òë6�ùßÜ@¤c™2Ù½’"Ód—§$ºNŒî%З¤K÷"#w>RdÝ<4O‹ñoÞªÏ'¯>{´C=Ñå�Ø?”>WFƒ{ ËÁúydlõ«0U})¸Úl‘pì)¬ýα˜žIÙ<°¤kñÊG!å
tˆ­	?ÚmÈP¢Í8z‘—uw¡Ðêaî¦ß³)ïe¦Ž¸bQëÆvÄ‚VU2㓆ÔÔ k)|j6t¿ße.
ÙË"èŒQƒMWP[ÿ\òHÙõd<½C– Î!›ÉIÉu�ô
ê»Üƒ�}cr$¼´`’“†¦PöX‰¾è—–X-Xü³5V~ºÞVâµF;«ó#ìGÍD¯€ÎàKêM
õ	yû`ÊÂcð…º¿¸´6†çÏ®ß4õìÎfl?£i!e5¿bßg>Õ{�û9A ®� ”rÁ
-Ù*¬×'5öƺiz®„‰Ýf
-+Hê!±
®Ëö'Óä
-ÄŠ§h÷„Ü{É=Âݶ¡øU^–ÀàžèUS­œíê±¼ÛgéE¦oDs?X™W ß^®‹
B¾Óÿ…X÷Y(6ËCÊqZnÁëà¹Ïë-ú1ÿžæxñ˜²[ö©÷VŠ¨d­m1i0½ûùPšÒNövHûs	úat=§
-©gÖ<L®CRÁÐ�öŠn,ÆXcñµ;W«`S¶"Sÿ·ˆò¥“O‡˜E
-eð5²v'úå„a(�»¤Æ#r)†‰çð
øË6-E£Í5øÊ÷5†
ßý+f¨]� ¾Â.ª…¥�ábAðó³òþ7_†«	¡Å=ÚEÎ_k•-ó%AQIH„¦Æ.%í‚Dêä\�n4[*37]ÈÉr4é*–›
V7�m‡n¿‚òF#²À›ô,y*oö#�¨“÷©$Î9f¬ÒÏRÒÙþ\Í�ªL0¥Ü¦Ò>6 1ðòê��/6]³äv®µZ
-_¸¨Àé«ì1ßRmþåEÆ„üPñsKªP=.¸#`@—ˆ>Qô›ð»Â¯
_ƶ„íd¢ôN3×'M˜.ÆFrÔQ?žI$µ_«°úã¸åÓ1æOÊÊ;"ŽÀ�îÈ?²î�wó:FÅ“|/{;þ¯º”ðE*´V÷$ ÷PŸ†¼ï'E›£u!¾$Hù+BŽ:´æô ˆŠ25íøµhÖ¦2Â1¿úO€¼�ŸÙ§hémFƒjË�[ÊÁsFó…ì±\.cá>—ócÛ—Ô+v©Àâ"Tû¸hõÖÉÅýLQH+VÊ
-
jgìzï½È=dql£1ÓÖYkû^PÔ1¦\µU1…$:$a^טôNyãLl˜9‰“Ý\Uäñ’E=Ì«}üñc×(Ÿ²�ä»r¿Á¥E—j/&è;»Rß»•Sé#4¶ÇeQõ\G'.*ÞÁ8@g`ÉWQ>æ‹—qåÍ6K±{ž0BÏM­c×­ûëжÜf¬¬¼ÑQر�!kᣇ‚§›-9\:­	R‘Må‡C¶ Q›ÒRÛdšÔ�$9WzC&Àç=²LƒzWuØ–`…I�L €©
úÀ!Ç	NãCZsüôJ^ã"–ë ÂçíïY @ËA(>S9|]|u
À+‹~³±ïL˜°Pš”ú®W‘€
-õ‘%­ßÅÙ/»"
)´�žTŽÑÙ
^ì¿%.óR/ß2{ß¿)½†ÍŒÖúà
ýÆìuQ̼¶Ç¤±/×ÊWŸµÂ
Ö~¢®¨ªÓDG�ë»+é,®ªÕòº�Y9ç#yÔÊý²ûX£Ì9þMd4u_‹´�ÜÁïy¢¿˜¢Ñ#é©jr¥m—�Ÿ¹iŦ—åŠ��’*Ã!=C˯ëCÍ>*78ö<žã$`V!”¹äÞÜÁš¯Ä®x8ˆ"‡cÍúÆâB“ˆYíHu›ö(
Áz
¢
-ï�à`íír�⺰¹�ò4r–ú¥ÍÃ_»øf¤¤ï§cžç¢&ô˜BoÂÕ¤7YÜ;ôXæëõsb‹W…«L9ž:=\Þ�«jö¾2–œ�ÐÍ¡�§³T®n1‡VtÈÓ¾LÌC�ôŽÕì=Ë÷ù�”°tT¥×ÕÖz…ñ$YZ<*�4<†¯i¤&A&Ùõ.˜n•ÇDÿ,égüáHÄ|‡ñ¶™µ“EÙ:O¹™6§ª ŸHÚVW̨VˆS­Lĺð˜ÖH9%Ä®qdÄÍi²Ý¸faîxqvÅøw»…d%uó¢0ÉÝœÖ|U’vKãº6öøÌ@!wJE÷²t!Ämö�ˆ ûjVÓç[Brøj
'Y×öÂNY
-ˆƒ÷ÎÁõs½/’ÛÖ[0ø´ÊßxÃ/¢µÚô"ü(Nc&uyâEB:\>è³€v¿/èzw–�>Œ¸¸ÙŸ3©å5¶é¿U@<!%^>ÓÁ£*8Ë•ÇN#ü^.¡èFj$eoq`Ì^r�¦è8OoLe¾À´¿öùh	`üLêEW*�«
-uóÁBˆ‹Ûª–õ›ãðü†Ké|^ŸØ$ÉÃö¬:ÿÊêÞYdäÌZõ[nðIZ¥ïƒ&ýMp‰£5ž×@ÄqÙ·dsá×mSY#Oô‡àáiÅÅžØ'u0övFä„ùžP( 1•}äG&ý&Ûrô€ÂŽXtc†BZsÔŒ¹h
Mvi1ž¡!„ÍcýI‚#Z«ÆOv5„±^0)ùû¼™�T8
ÿLñ/÷ßÓª"cÉ\Uå»°8Z›8´ŠÂcçÞ
-Î(ÒÚO¨²?1ÐDµò r8!´õ™D±h’�­ úÓM~ϟǽ²…ë†î~µôqÜEÌ Ã7)e§Ì£ÏâCÆ'C_{/[ߪÆ>O
-ºíää
-ŸNvYÞb¡‘±#Æ�™ui�ÃØþáòD„Jº
õ�JÌ)±ùQ'óŽéE½•+lx—.U!’o4Pe†»> ½güÏ/ hß÷
VŽO~�^ÔÌðåHàj!Ï_®!‰7¡†�:£L[‘xs¡°öJƒu-{—mR” ãÜ>1]ÃdKFq¸�7}æ@,¶¼-Ç¢ÎÀCþ¨Ù³GìAYJ§øÕöú(Í¥ãX¶2À�{ÅõÚ¬Çú=A$ÓbPI²4¯‰x¾V„÷c½áÄUŒì‚ü¸Úº»H!õ�
-.ø@úo‰.Aµˆ¤l”é
-ZC¾“�üxŠ>èï‡P‡ˆ%<ý`TTþ<¸¹Ã¨ò~ROI¯Hµ•·?}ñ7lymþÕ‘¼%�-€†|~‘@˜†l
-û¬D¤AôùÙL—[€EfZæTVû�=ÞžWðó‹OõtG6ódìøÒfÜ_J‡ÁöR*iÖƒ¶_Yx}|!.ü9l½~ÓËöžû–4)¾ÜS¿4ØX½½ï�ü1Xš¹•.Ä!O	8×û…m^üÞ£ql1.	ü‘B&xdûÎ !<ÏH›?©³Kì›ÇAà’°ü‰‡
�3ÌXo²°2fËÔáê.•I¹Fÿqš.ÜJ’ŽŽ�ý¨Ï;µä€Ø”ue½ãV�X ä¯u¢èLJ
{�BÖ´Æ ±ˆèŒ×°ìÇíç&íò-MÁÏÌ b�²á—“­Udf»[{¯â…�LˆÌCü¬¸"ƒƒ‹'‘‡x’cEµõ]G�¶ò¦‘îi­æs*Íd&„ç­•ÝÖskÍ6ÓåøQsèNíË°k—ËìÉ_ßoQƒ.ßaÌ/ÁsœSè×òy® ëW žc.©h–C>½t>!
|x	4oÊ°úÀ׃Õ,o-La�ºA7Í°Í7)äó3�̆VfŽ$0T¸Ÿ9
-ÚŸ¸\@!#^dcÉqæ’ù-$õR‹�ÛGÐÑ‚ÄOL!¢köæV¡Rî6æÎrMˆã'¨_dœjÜõŽ­»¢'Š@z£æìôü,–NÌüua„¥¤|a¬hž~"^$6Â^°|ÒR4€
†ž 0©Vb"óãÏ ž‹#A†L6G²»0…
Â3ê6ùD¿‰‚9È\Dá:Äû�R(¸ë?}=$7z�Oª	‘—?…!<تyë<Í÷Æ
Qš?ab{¹F
-Mp.Þý©\B„$–Aì�Ô‡‡}Õ»X¤ ñé£×B?¢)ÚãŸ@´Æï �4pÒ�SËý
-±5Á
¿Z¶&
-Æ<H)]Ì{Á}꺽î¡›0<aÔÔ.’mWâ#ªš,)=Îܘ’)nÞ ˆ=�@öõÕ<jÔÜId¶QГörº+ž¸7rªXbD¡jºçÆœùaŽG¨¸Y/°kÀµl"%¢�´™º:ô7“ˆucË©èÎi½ÔzZãß'W‚Qn&Z¡gßè!ÕÓ<¤Ý¯/Ú€àuÖXž·0‹f_6ÕaZÀv`M¨¹ª—1bvÕIü‚Jn.ðK5bø½Ï�ÿãΔ<élS+1ïµÁQ¶ì…Æ7õWv[¸!MEXZ3tŠ·`~¶ý¢fìZp‹.fõ»c2p&«7^ö#ô¾èÓÙÖ)xµ¸åí]££Áµnešc›JÛŠÜ|g³v$BÀ�!W’Œ ¸U¯èÎViÝ
-§vÉ×%’Hð«.3„ŠŽX.òï˜ÀlŽ²HñÍ�gÅ«ÊFýri4(}õÑH!çDCOÌ|Iuúà%%Î%³“r)¹X!’=t’¡�“S£*b�¼iV½è6À.?ªQ7¬¦}jRÁšm‘œÇäÖ•ÇpyNL0¤ÝñÜöè@­³Î¾áµ’2רcíågE*É�R™Ò\'›˜bàáÂw½v0Å8<'Ì÷’B'Ýg‚§ îŒÁÒ›=¹Bäw^ûÝ¿`³Ø<9øMä\5ö5ø•ÂñWÈ=˜�XV’¸…�­yô„i� 6-úDA8qN!ÍŸ$öÊ“ó1 	ÔV�¯çÁ¡(³h—µM±wæ=Ò>zoØMé`w%óäû›Õ�
R÷bO飅Žê>‘ÍZtuùª£F&¼O¿NAJȼWêÉïÁJƒ6‹¨�ÌjéE¶~‚ÇÑAxH:ð0î֦̽×A{5ë?]ñ-|Ùë{É·"|ÆÑQÿŠ D™X<èkeà	8êª=§fÀ¦•[ä<wÐÍ$YÆeÀWw©Ž…Nƺä
÷}‡è4×ä+Z—¥dáh½óÙ¢·Ö!WŽt×…³\|çû3[ÇÍÊ´ú«ÃyÓ
-6eœn&`±Òj¿Šäz
M’äÙõDè.TbaY
˜‚ì!Ɖo3��6ðõ‘nFk„§‹pi›ÇýÄŠ»iÈt‹Ç®:
Ó5º²0“¼/ºI´„Sy�ÕïɤrJÝyúì¡áùU4¤éB,¯˜”éZö�}
-Y4=ÊB<7ïm覯üë÷¯Ji/¶Ov¾“…8·-’¿láöiEçh¤3Ókɹ[�x)ŠcÝk™½¸CþÑy…Œ¨Ÿå3j¦§Õ5͈WÝ�ç9XÁ,­2n<ÓK{ (¶P2“ÀŸ^Ši’;VèìVúJ�)'¬ð°<ô¸O±Ó_ì'Ñ«FX7Ó
-4çv웞îãU:ûò¤]ªzrÔîtäÆ?+ÂÀ½ÀÚŸ“rñ\2V,†mg«@bøÂBòØÄ*†N½àgÓb~õÛ_æ<žo²,Bÿ
§X`�`âN¿aÕ)`Ѧàt8hOÐ=Ð
‰CálC4ƒÌN©Éce)Aù1éËua‹¿nôDW“ôÁëªj!±”/À·vy²ôI¾å”®Ý‰¨hß[sÌÌóo|ð›êÃß.£VƒžóG½|VÚš\ä‘®X+¶J`sEsߧ¬Ðû´Ú0§Ø¥‚ÔÑ{8–À}µ‘~
;¶M”¬A­?¨Ȉ
-‘MËÂ)ÚJìyï’盾°+ÛAX•¡<UuÆEÁ°ý”Ï©S«³óõå0þ
-èP…ÃR œüZþ¸»ÈÚ—F*þ/\<>c�43‰0ÿB¯u!u•ŒA¿8ÊNÎØÙùªycPÏ¢/’­ü䄆¬äÊfI˜vÐi}°´ù
1Úd
„fÍ9~%Ù ’Ã"´ÕÅkƒR†à<Q9˜ñ&å÷ìôNJì
-ü•Ä;÷´ìCc6g¨FÏ 6Z¸ñOÉ4nFíÌæ@Ÿ(’j½9ÌRi|ûÄ«ÎÙ	8�-J_ŸW䛉n¤ÜLá J¯:³Úl
j]­)Tʸ—iÉd8r×KÕT˜²†÷A�«—h,‰BuÖ
ƒ}͹‹Sðé€mWõv¬Âë•h
+Úþ�ö…G«I.&â´<¼Xh
-¿ˆi_þ´° z`?ªÃÖRf|°¦ˆŸÆúµ~š^Ú¯x¸m)h³zã%ÚºH—�ªíAéºl…Ý”ç68c`Gàw©XŠï[=Ƹç(à�ï–†ãß/ìת}ÅÙ+�¹†¥!\
-ÒTÅË£A}f–ü™‚Ï$±*AËý¬zï„ži'ɉkê–8º[Î
Â!w@ì�fsñjàd€‡XH+ý�èNY}a
K:Pä
-Š€øÞ à	ÕƒöEñnhóJ×T—öД‡B!p±•ù
¦—l“{^.¯Ð	±LíìØK˜Ê9ˆGxC‹€U¼VX–ììÆ�©škð*û}¡óŽÌTÝF[|¨ÔõÙa—UÃÔÆöIœ¯ÁVÔæé„7½&$¡N‰pˆ®Ç�}E÷År{U­chX•è'Mí¶Ì—ä$,ŸëeÞ·ž1ÍK™•aFïá{, -ÓÀ‹*øg•ŸÚ6`F…LÎsîã$’tdÜÜØy”®Ç¢%šð¶1W´Ë�L
Ñ,uþ©löW' ¸nºó³«öÒpÓºå
ÓfŽ¶ª�¿sKn?]j‚°ÏÓ¿¡gæGˆÀhfÙ{Ô¾	Ô‰í’MPŽEoødx€Q²t•y	Q
”î§V¤óMÇL9‘5òh°À!e­Ÿ•¶¸¶ù8¬«”{†ÔuQ°b‰¹BM‹sÙ²É “ÿÆÌ]ƒ	ÎôvÍ&Ì‹Ï‘'½8«“’ã*I5«6i²Ëiw ®š@¯Œ!�e$}‚s¾{‰ÏÑëŽ!!c�PGÛD<À-€�s_|ù�bò´ùAðËQó‡ú-š"ñŽÓ&”­Ø5‚µ3~�‚Šz½òh!Îi‚é!ƒ³ÈÒ"s‡¹;o˜n¨Ë¼
8þßÆ”$'U©
-v.Z[våe±àÞ¦§°†`G‡·^—‘žÄR…ÒǺOƒò^ØÔ	bŽeõþ™ŠÄÀ.2¿AÏ»bÁ²�¨¹zYÛbÛÙR8ÕohrZG’Äý2
-’k�­~ºk	´,x™
-­å®¬¬HÖìFÉÞ NžŒ„_	ð3¡¬yÀ=ΑYÄ�Cç­²
(/ï?çïIþÝRˆ²¨è‹[_³r'Ÿ‰T™'´7”X‡€*ÿ|xÖrlŒIìèUFìžovñB�W¨é±½5à+[™ƒã·¼Éú×»„&+åœÀ´±Ùg/<R4:ë&ŒCG"ëiŒTâM•3_ßw¥èùiExZÔt»ËŽ´Š<«7@µzi|ÜŽÄmÜb3]²?4¯ƒMÐê)ÀžX~j8«'Œ½sWst’g�9èáѨVóìëî	À–Ës<|ÚËò!Ø!í®©±¡–¸ªŒ6�Õ¸ð‡Ê…²¡ŒîÛÊX©|¨_=›Lè£ØÏÇÿ\RS³îw�Ÿ";Og0N¨ã/Tl0ýu[£HÕú¹ð�λœ}¾f-õaÌâ{ºGüyèQÔïÊ‚´q¨Gγ*{b¦¸¿ŸÞ¤~+6C¡¤Ê�:j]9Ýô¼w©Ûبþ4õ6Ä^
@+µ¡‰¶�°l�;âÌdýdRCúN'æ“DÀUzF9ù ʳ>XJ²éžÿõs.n�oÙa“’cÒ;c»öZ:ckJc£S…
-Ò§ôSëÓ&áî`âìð2«oÜ“ýÛ²z6µÚÚ±]9̲�MŒ¸#úSýª½©@Âs]¥`Þt:õ¢q“ÙtìwnÒä˜×j¡
-Ò¨tWj�¶q,£Oí×Aò*úüßMî´tùó—ã´Q)VÅ1Í�ѽ»y§ÑÁL™¸Áì$Ó~ݯãvÔå\ƒóû ÝÓTùœJ̹`¿ÅŸ
-ÛÎØ,kc4Üò9¨3~`"Q€p
¶¥Î6…y»L3ñ|hk$XÀ­MÁ=3Èš„ƒÆ8¯ó÷øúãÁWæ§ËH‘�þ#9Lñ>Àü‹tú“ïüú†Çåħ­Ù§=Gß™nÚ[ù²kcñ>þþci˜˜0±½ýÖ$dï4
ï–7ƒIÉ=&ß’(LaË­<ü;±!
O$caf%ïâõžvefÁþc›k?2H·Dâ"V•Áó§›#„M韤ãب—ý™Å¨A·”€JJmu`UßK�±ýj”ùŠ÷Þ£Êä€ÛïÖ/ÊÞ?H_]x3áÂýsÞV
-v£–%·;�®ÄÙùÈ[Úãèß(v~݆¥À�¹&=/{±¡MJ‡³ã™#ªCò¤›SOæÈ:I»�ñ£WX{Ì5ö%{›ñp2‚D{j)Ë©‰ë8tT˜FËûU5�6…¸×¤à	6ž]¼�Æ�˜6sÃ2ôk£�ªXÙ?"Wª¨T&ãUÖÒÊŽU&iÃÓØKwzK‘^:àra‚_Ò‡mJ¯Hd—&—q̪·Ïöz—7QÑÂÅ'�ø	¡‘Ô”|w»Xõ­©·>uC·Óè/™¾¨öƒ¦»Úéî–÷üoýËYtpqSù¡l¥®qõãõª9¿"Mq†ï³€xºôEÅŸK·š‚¸x�÷O¢&Sƒ
:À!ÏbÖñP|iÁSG³hlÌ0Ðl†˜/?Êg°‘ê§�4F½ OÒ
-¬5]“–Bþüd?Ã!Èa)±Ÿ UwW¬•×½é·@LôƒoÑ|p¨ôÞŒú˜Ë°Ôð¢‰OØžfŠ\ãà9]ËšJȪÈZ¾P„ðôùPŒ&†®_vǢ噗b;ú­-aéÆÉJ
ºœÕ7ÈZœZ'�ó¥ÂSïtj‹¬¯ÌÉÊ[3Ù
?–¤2ßli|˜µ…Ü©†ÏÉWßg9D‘ÉÞÌŽüß×âÙ¶üô&‹÷‹òBø»&‚áa!ìëky`¢4¬[(TP¤[î_±K"b·q>ë†L�/ozÍ°~ŠFp@8uªÉJ;EFn$Œ©
-€­^�A%CÛåÜLrjùY¢žÜn\4
ìZàT2�'c6ê
-�½‡?„i¬yè-†ÇŹ(Tv–lè4Ä¢TÁÀô>\Jf>jϘøaøÀ1•Ü<m§afæ»'Nê8¹kðèRž;|(¦b.@nz#g[Á°½™­nÙ¸œLz¤�Zõ’Êáa+ÿ|ÿ)\ØÇKΰ‰b0ÕªcÓ,îó5Q5²Fg:Ë$nÅáÕÒõÎ€Ð<‹OŠsº²ÝÙÿDÃO´0yw·„¥ÇÊ2ø½=
Ó{ú¾í‰±Áh%‡òRsÛUc"g×>ÈZô3MÃà^Ò�Ë«gÔQ™¯£—k½5ÖCÍôòíyÇtÛÔ¨Ù`X¼’ã$’¦½$85Éi7�ÍdWꙩ/ABI±Õ燷Ö\šÃbEPE	«Î~øxâ;p6Ú5´£„ÂÄ|�öÊ~Û`¶­\3þ'q¤ÃsáÖZwüÈé.4v/'Áxjµ¾%Y3†
#óÇ6¬æìy|^Aj¯ä–Û4ÒÆÕˆÉé
-V®ØäÊÕtßJ¿Ú™\z?K*¸6¥!ÑH³Á½Ù¥‹Lº|_‹MœMI¹$Ö›­»Zƒ¼¡¹ ’uºKÅ“ž
-·ìÛû'ãD¸Ø“²x};èþÓ–‡úŒ4D�'P{”òeéø÷Ê
ÏÍùøëjˆ¬“q~½©ýë¼ñ<ZxàM>Ê€·ÅV¥V˜OëüÃwK,�-èÄJ„¨Ôq®ÐÍ�°î
-sþo§ý™
-#¶�cër!¡W= „��´*¯g±+¡‘À#es_‹,2™ÊãœP+ÒpuMYÖP/ºÈ˜ü‰‰;°>Û[¼”ZDñ½"ºßoÅq™Ü
-èEHÁU1u”mLz‘ìåÃh p;ÞAåO‚¼ïw2}íÞ–!
F¦†Ÿ’)fmûì‚Àü	M½ÿÌ{<ÇRÚÖ[…§—Ëu
Íc_Tž†t¾Ö“Þ©Û÷ŠUé
„òPZÜ~›…–nX	õCg›
-ÌãR7ù†æ9`ŠÌy8”5bX%2Z}ššÖ<.Ÿ39‹o§œgéJ€’ÏÂá·‡GæõÙ�I°gÙ[ããÅ)d½ T¥1vÙÍÅï<wú¤ãï�WÖLœš‚œ†ÇØâ3:Wª}Ѫìp�H¦Ü­|œ@l¯÷ŸS8±åë�z,††ý;x âMJšÎH#œxå8Ÿˆ„‘Þ¬�ÝçÎ�Qøù—ÈÞyK|8aç*Asabvª†ž˜L)"Ù÷¾¤B,
ƒšqe>>þ$h(O®Ó=Æòè:ià·ãa(×ÆÞc1}œSBª=9›öÁï‰âòí§ÇØã®LYÛÃ%¸ö9¶Z³cçÔ%ו<7oø÷¯÷�pn=¢+‚t³@wFQ´-Zå�§;VIÿòÉòœ›¯ÀémÂYªíÎ)[HZe4;ä]æI�Ú1Ô
-ë¶ÓÍeÖ�åW[�v»óœ¨ý³®è�M�6W(Js:L9þfzoÇÕÊåÄôq7ùX›§¥å;#=)G
MjÓ§§°ó>7W7WB±Ú[·ùÿz¨w&"L>bq\½·„Ѫ~yQÕákÍ«.·úû˜¿W?¬>¥¢¡@#r’ô-”‹Ea]eãò£»JÅ™|šŒ3’ÞR£ˆÉ½ÕÐüJåñDáÃhºÂ’ð‹²wíª[*Øà©r‚kº4\¾`fÜ^î
?d:ÍûEËf™³¤‹M”ÖCÓ„osCü>Kñ•¹4ÉÀOõ62|3ÑÎyõž=¹»ú1¿¾^ž®´—Ÿ5x´ !'„ú÷On,‡ÒoÝy€ùbº…q²{m� Ì�±ÓOkÏx�†E+ÆÖÒ7ó!xìòŒF™³0¬·«H{¨˜þMû¾É^Ù^ÍIös�ìëôòC¨Ÿ/`u¨QwO¸øˆ”zŠãDÆFgÃî43ö¼š…¨{ÑÐ÷É�`²lAoÄšCÅôìc #sˆƒ6>Êjv*AjNeMx‰@³ÓÆÅ£4ìæh7ÀP­–gÂýÿµ3çÿL0
-Áiz“æÚæ†Á‰²ÍÕ²Ïm7ZÄUé×4(ê6•…zÌŒ¢PMpêÑýה¤ù†Ô(Y«»kªWÀî!`Ê�£mbÄ¥„qg��ˆœíF2X3ó£æo_�ÞdõÍd¥:»T˹’E€-ä{.1ëÉ
-dÜp®ÈVã_¨¦1³å{?î:
Wõß~Šœ©"LùQjƒÖ±:KY5bx„6ÚbÿÃÖëlƒx¢¥
~¥,£Y§Ê½I|çȨ!VÃ3µÓÂ�zG#•¦n4’£Ç¦ßÒù»oôu¶Ô~«Ó
-7Ÿ+ó²Vï„(�a=ÔÅ>\M!†rµmè÷È%
-^&ÍËâJ€°—Ô²?\9¼h¢Y§!¥EÇÊ·<§ý#QÇÿ9ÚQ·nºÝ's,ÂøŽ”¢­y–’Þõ¥«½ËÆð›_ÙïϳŠ�5NÒë%Àv<¡¡ûÈ<{šOS*%älõËU¤¿\"•e†tçù›ß©s°tvܘ´t»Ç(Ìv«k‹qµ÷³ƒø™l9^÷k
%}+oµ©´£‹rüR·JôQ3ül^{´v;¥r‡³°åg3¯¢Ɔ’¢Ó¢\[#²Z̉ˆfû½Ç|(„›°ö5ÏL‹d•­ŠîhŠÆ.5TËúé䦆zp׬ó•Ó�rMΩÄq¥r.œðÜ´›‘À4€áÜ
jÿ%®ÿÿ�h
-endobj
-1253 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 34
-/LastChar 125
-/Widths 2817 0 R
-/BaseFont /KDQUIR+NimbusMonL-Bold
-/FontDescriptor 1251 0 R
->> endobj
-1251 0 obj <<
-/Ascent 624
-/CapHeight 552
-/Descent -126
-/FontName /KDQUIR+NimbusMonL-Bold
-/ItalicAngle 0
-/StemV 101
-/XHeight 439
-/FontBBox [-43 -278 681 871]
-/Flags 4
-/CharSet (/quotedbl/numbersign/quoteright/parenleft/parenright/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 1252 0 R
->> endobj
-2817 0 obj
-[600 600 0 0 0 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-1232 0 obj <<
-/Length1 1612
-/Length2 18918
-/Length3 532
-/Length 19829     
-/Filter /FlateDecode
->>
-stream
-xÚ¬¶eTœÝÖ%ŠCpw),¸www÷
-wNpww÷
-økd‡§¤u»€ìíÄŒ]€<
-`e°pssÃSDí<�@–.
-tøÇEp
-ÐÖ¿¶qÒí2”"¥ŸjFy_ÎÉmBép0kìo�)«”¼ÁM´}s‚»|¤ñ'w+ðǤxp@ö5Mý‹ÕŽÚ†^Wxrú5ñèñ�êÏðà@×5tÏ
]NìJ^7(¤¯‘þŽ9‚:ê•Þá40éMˆ×­—$š�Þy”ø¶r/Jù+v­roIÐé­‚|‰òNR-{UZØW3‘|‰ÜÓ¹Ÿ«®”âÎ8|M„ãA½7SÖA“™°?‰î!®¨{�üëlkh_z�sg'•ÛKº7ÃìQ23†»V!‹¶88Szé-ŠÈZßʲÃìb“ÿ<Ìišð·uO[מʙåê;Õeâ*1žü
-=Æ:nâ(4n¼ë—jºÒQ•"/>Uöló½ˆtë% ˆ/÷€{`‰ÔÒE¨N»cj,Uoo–›U{Lê,þ�òÛ’`>8[œÂ—;1Œ"ŽÛd6k$T÷ó¤ï0ÃcÃ=­ò8Àëø‡ël2ø©ÙB ÿ-NE>…�°­VQ?SÛ׊Û_�ZßjcxÊSH£k‹_G–‘'²Âøøc±£~´½ Àë5ر3ì�ä=Í’ù9õC[¿êŽX? Cz!‹YÀGóµgàÝzŽD7 8’(GD¹‚Hñ%.fjM
-ýÈ#§:Ð YœƒNo‰ÓûFp=)I%ú&Ç.½Ù™£J©³k´ ¾�< ý6K†#„Rcxü¸
-ÙÀ[‹
-Ó´ä'¥ÆÈÆtŠ(¤"ßž6¤}ºb#›¬]uŒ'ÙßšÌüå;ƒw÷ùÁm±Um•Ý“ðI¯Ó!mü,Žæ4FØBÝ`Kÿ±4û
m¡[SPk<
¶)óÒ
-ƒq-†)åÔ\†µp¤
-–Þ•4âϵ[Š•€M—EäÇCÊ%£ŽíAT-o|Ø–y�f
-xJÅxQí½…jûk2Æê¹”ygZn™E0±¹¬"rõ%°#žØèÍÐOà…¨³qEÎûДv`æPᥧÜàÉù¼	¶Ÿm}ÆO�à}LZÝÂ:|,'˜Hõ•ù½g{ã[CcÖ­–ç®3Ê”_!qI¹1Ãl–›wløeû"-ð–·v:!”UËñžêG¬ç
-Ýû„`²<y x᤯ {?5â
ˆJ|³&<Ø#1Ë~·•þT°üp	Ds¿Œ˜°¦¤$»­‘,
-±§
¿©-?gfBŽæó¬Jü0HŽlÀ¥Š±ùjê.ñZý,†(˜@ýÜ°¾ÖÑ«­ÀMÄ�£P kå\Wq¨Žà’÷‚Ÿ%/¹�¶õò¶W€ßç+ŸÚYÈŠÿÅìü�«F•,Ã'òYŽtت´æ:1µmÿâÂÉø¬Ý�”3é3ŸP}Îîëb¨ôÌG%�ñ+_(‹øž7—?		d( ä°Ãçt�¯B�÷»„{tJT˜¥‚éÍ*

-lL¨¿ýÈ­‹^æPc$°I’}£]‹¥â ªÒ¼FÙR÷eàBIÔb	©Έžáòú޷‹³ªÊHÆA¦�ô»{ÿYw˜Š+¹¨ª¶	DÇùgÚƒ€Á³Uô9qS±½?×Bx«õ¿ñ¿kJMÄÙ™ðÄWÊ\²t—¼ÑŒƒ½°Õ¦’”pSÿp�grIô¿ ùªZ‡ä+%V õŽó‰ì«£®˜s•WDéôö	*îD‚� I0ÿñùB–«œD‹×jA+�jGŒ;Ó¹8&ˆé1Ýú“çŠÏù^3¡™¶"íÁ:š·eWÕ6^#—ÎBõ¨,^Øs<NDŽÕfDÁ£Ð°;¿5æè—¶úp€Je¾bùG¿Ë0³Øgä×ÿû̦¬Å^KØÒ;œ‹›‡B²
ó�˜ù¾0ÒLøæ	sÛEOŽ¸Zê4¸:ò=Íuó¥„Áõs2ì]ãä‹Ceµ¿lbøådçÊ(·y¥ËÖ½­ßôìöœ…“Ñ/úÅtÂ?Bs®Ð�
qEœ"¯N§YµÆJå¯ÏLzB•>õ®‰¢3|«´{ëõšÕ4¼:ª�Eßn‚¢!!×ܹ~Å„�
ﶵÝû-aÿà¥.jýÈóøʺžQQ9½‡¹š‡Œ‡4®Ow@›ÜÇ0¦wÞò¼«\�M(ÓC…åP"×j�GU½þìØ	·�kÒ³[Іr�Æ{è—~
-ázÑ…cÈß?æÚÝz´éÖ+i€hO/%—QÈÍËÒÝÍžHtNã²�ú¡P˜�
@þ�“‹i”ø‡:=»(-;%ç—kÁ§µÔ}Q[²“•L¡q«n�ód01ÙLÑåB7éoU`;N�÷0×ràjnv’;Ýn÷i<BÒÎÁÂ%èóŠ½ü… )ÇÙ`aQ² ¿-ÄH77EúqÕ½Ö/‰ž¢á^¹å,ËJ–ŒÁàï�Š’
 ¬4Á
è7«CnLÎÐV¼½N ©�±
-õª*J ð¥)½?—Ä$úï):p.„ÌHÃ`Ɔ–í"–ñŽNÔÂIª\x¶'kƒeFbR´ëyf=whoŒ�ºÓ²èŠÕ–Dð"~VWn
îMŸp!Cð÷° ¿Þ‚Ã}Ï1ΪrÅLM#	DÏhÿ”ž±j¡Lò\¢dBpï�Ф
-¬%’„ud+úÓ¾ß+U4ÉKîÀÇYC44—R'ìð58¿G—³‰“@-ΊÁÒÛ…«:r>‘O¯•p�¯»µWþN–Ò;⟟¼G¿ò¤sf„p•@Æ‘ÎÏ…)¢e‚	KNÏvýQs¸k¤èŠªá$™›¸Œg
ë.‹1ìXÿÓÌ3@¶-V•vØ¥áß¡ü”ªA´½P„ú½p4ëªpç¹�H?SOšð¡]øÊüÛAk»%Ögwrˆç|Ÿê=­FߊP3߬æYŽ!ÖÒ.(o-z•Ö¤jk:\Žë'ç¬*
-eVfØø(³n…ó`¡»LŸÕÂvs8È-7†²HŠÊmUøfnmo�1K±xí[J{ϛѕTË0<8i*_×/³bY»ïIý‰P¡ö5,4‰ßWÓwkõÄCóÂ܈ë[9œ†H.áê;pÂ϶¡gˆ•Ú†PìYÍoJÔavQßFݘª-1²7¹óH<lÆôÏi«Q5¾•G¨0•��5s!O“ñÒØ€‹Õ¨ÍÌ4Ëxô‚ãÚ{.K\õCUxPZâiÌ&ÙôNEUdX|<ƒÉ&UÊ‘|‹†¹_ÈAÄFAïcªñX4C(½x e(±â‘ƒ:äj£ž]a·­cøÆ$cò)ÈD€wZxi2Ñ›ÅyIêYžÁŠv€;²¾ò�ÆåÍžã‡cl$/­"BÀC‘TÁvâ�³ßMÖý/0–x[®ß45ü¾ð2;{%öY)óx®˜&ù;ßÁY+6GÄB­Ì&�ZÝ-‚±KÎÚ!“j~ù±2ˆ%¢pÒwã’—ÙÀÂßmf„
E#y`râ Éõnq
-x�ü˜ d�¨¿L3§qhÖêàÞVס6{gáÿŒç�6ÌdA^r2~yOw¤nÝËƺV5Íz7Œ
-áߺSjÂ)"TaèçCõ#)ðÕ†UzÊ­VAð×¼†W0~ž5££ÒŽdg–l¢ì¦ݤ®ØExç£UUö²ªÊ÷ÚU:pIŸ|¾
môÓxI¢Kdðò§oj"\Òç7©=%½ž\Þ"�äÝ7<p-ɃE;­ñ¬Æmêø®5|²è;l¦…ËïféOÙæ“|rƒk�¨äÁ±ÌÍÁæ»ãT
š±ÅVÊqs[V(-Þ¸Út‹-¸‘²Ÿ4®ßù3½üoºI0ÞÏP&ûÖ?‰³¢.ÍCœ&qG}yë³H§ŒY…-µ}"Ú¿ÇóØ
ö¾²¡wO"‹X� C¿:z£ §¦5EîÁì–œ+GÞä(Ë›�Wý~Ï]¶þ±ë‡ãvAòVQ<çôù)”‡d6GãWÀñê¦ëiÿ,¶€—`AsÓC:©¦Ý÷Ç�jiÙ³¤áþÂîyA.ç%ùÛA!óof(kI¡Õ°™èÞ©nþS×¹úèT:˜ø²*qßN„c½…`œc÷Âz¤<¤�{(Á(±04IœÈ--˜"û—柚
¸ñ±©ƒm‘&û¬©¤€í`/9¨f51IEeÁØøìÊÑà0SœÏèÞ7ëqébz‰¬|
â·V� „¡ýÏ{Ï#mà½P
-îkÀþ¨
ë*|%.ê@wá£Æéî_÷® ¥bô›éÌvøž—Î^$(6kM-Œæ1ŽtZlFU¤ÔÓθÓZÕÛ®\F4sIþ]#˜®N�ÉoP¿„‰tõÛ…¨›œ�ñ¬žÛ—ug��ýñêàNaœ0$Ê÷Þ³1Å�‰¥z.¾«.#¾±uÔhvÚÌQõƒûýÇðž˜&S•$æ†J‡©ÐÑ’»‚o¸bļ8"VàÜ"|ßÃb®×\8Ò…(ÝF7­ ct¯öœPe´1ä4Ç¿d'QÔ'0…�•%sçÀ4W±¯&ý
-Ø
-4«žj)�^	ÿb}HŠ¬É[í(¡â&C'N¸ÉpD–'®²”Úo^ÉmBrz~£‘Yú8l£U•1M‚üPÒGµƒ?m)ë�Ú¢ÐÀ—=´?Z‚³™íŘ¿åõº‚8äIÖXGìð95ö%a£ž“çíNµM,*4�0ú—�0
‚éðGëÛ™]õ
sú†KeQ¿	©RLÔ¯`¦!�ìñÈÉiØ­–©D¹lÖIÆÅ)¹·I®”êÁ
-
<õ¾ÃíŠÐmRà-<–²«!ôÎUáëæ5GgÌUç¼O;(ín:
-™†ZKvñ#¼™©	�WúåÕÍÚ\Ì$’~WZR)´Ô™}Ó@-׺'ØÚ‘f#JŠêÖÐûÌt^LÏ»Úín�üdˆ#’â¨ÿ|PÌU9´âq»ºam4AØy©E[Ù‚
-+¾í!t¶£'µ1X&Ô1Ö'˜1ÌäxÖn¢ÕIãñ7]›'m%©SùQe
Æ��°Ea‘Ä
-ï³cÇ°u¥ûíÓó Ébô†8—=¶
\ÓCÐÉ}Óð½ý³¥è³Tw�~ùê‰%â—Þ¾±ýƒú”Æ
-¦ðOµŠmCOu£3ã73߯Ç}ÀõÚH©eé­‡¯ÞæZ[ù¾ë¾E1"]°ÓMwÑí’³Ÿ¥­6–·I’)°qߌ¹pèŠ�×6W°}h '¢py<�‹vA‚Šµ–(s7�Ø,´ÏˆxbÆB¦�Ü4m-qCG
-G)´r»zoÜ8ãôúÙgö9¹ãF¨ÖcöŠüÐCÄ;0OW¾Ýñ}¥0^wyr÷Oü-U>¹ùæd!j}Š¾zu?ºðu·izý#¥rzV¾‚—ê!H¹iBÒ
”„0(óÊ4w¿#ךBz¶�Ój(O˜é}JîgúÔ–5g•h}›÷YÆß½'1x„Ìž'ðöBçKH?6#s>ÝeÄÛé£ywüFxç
gHQ-ëÄ„ZÓN	¤úLÆ…{ø]w˜£ÕA‹ÇÛÂT“öïY2%‚Oý:{Τœ·ù¹mf%Ii
-¨_Ðʾâ\¬_;‡÷¾”|#@ªF¤œq®#
-w¦héRs¿4á&æ}¼™˜NÜt-÷sjôÓD…„¹"¯ÔD0x›Ìwõ`è9G[Nºxw×"ws—��Õ×Ù¥†ùã°Y…ug…TïŠNCbÀ˜óÑîZg#Ï^ª-Ýu4ìfÂÃ7ËODΉYo�üÍoV¶NZ¿Ã2'iþ	YíW‚†Ý� §çtÖXå1Ûé–±}G_û†¡ñçdÊÃÏ™6LéFgY‚eQ®Òé i•Á6(tÛ»Z=GÌRxwfþî‹Ÿóä(“°-jdJTèS(<ŒöQz_´)ÿ�G0Õès+?Ä„ë#(½¢8ªË›�Ýg6‘„��Mš<iûR¦q »
-FŽ‘Ð&‚Oã ó"B2{6ècgôXè‹Â¸¸æ*ãhæ´Øêþv7þ‡—ÍvÙúä^ì%ÒöþY“m)¶#ýÖÒou7ÈUTNÄ
âòóàÂ_Z–~V³�-!�±çš’vWd©í«ÔZ@äÑÇ€~¾ŸoC|%¨´>2	N¼ ãÅ°Õ9IµƒÍEƒ¹ŠVΓ×êX‚�(¡<Ì1å×;“5s‹!—–3ß
9ÈÛ:gWoV‡Z|ߧÈv´€1r/#J	*?ŒK(âî	N»$Û#ˆ&:tõœù±–”–ÄnùJ×ÜÒë«Ô¦�ŽÀ`ÆW؈4ï¶5¤Y‰á]É÷Ïú$Õ£¾‡u=WL@¤)B(Û€
-ó‘wÂ33¨�º…j˜"iQÖ}(­‡|Rb–+{ý€ù6b�‡º´ë„ʹV Í-¤œêYa¾÷H7¹éÇ1½zWõêÄѬx»!Õøöêåøö‘ÄœlÂ0Fì,e„:¬þ„Nˆ ÅB”qHÛ¦}Þ#ÀäËì”ú3=¾Ç¼Úµ¢QÞDm£Žœ4wý,)Ö½™1®¼¹up~«ÊO¤*âÊØ8Á9yZ“΂	2ÚRb*AI9»´�ä¤~Ño¹!æ[^ž­Õçø8u’.ý²
-em‹ÆŽÄPÃÁ›g[¨;"­HTlï›`R¬ŸÝ¿kh>ÄùWTD_º|*§-“�X�ÀÝ~Xü™%Õò™”“ÎôK¿ãQwË
/(ðõ°&›f­s¾×9² ÉýZŠ@¸-Ü?I<X÷ÚïX+ÎŒÀ2~JâÒì¡~»\ Oœ:ÚÃ
a];q©“«W„žú:öÙÁ¥è”í¡"/ÔlGüÐ�B\•ÿ÷‘v�$«ÎŒwðƆAh*ú8ÅËvæ„Óí²6Q"Õ‹û†
mž— †°õ#›ü§mØ»-¿Žì
-h²ë”Ÿ)ºß©Yÿ„ó¸àññ>bõ7ÊÞ |«4
Æ´…­²Öø•—«Yü;%¦Ý´ûNŒà]‰Öš9m0ëzšÈ®É‚—G®¿>õ½´.[ùé'GkúF·_á~(~þÒTpZ{HýÏØ@ò4Š®Õ¢¿"¾6�ÖÌ&ž_èpxWùë
ÆÑ•š°J]èBePÛÍÛ¨¯T_]v—Â'_ªƒeg;
-Ñ+ÃfP­\Zá!ŽZæt'³˜^LE ƒÆF�¾øo�ÜXfTÎslÓ)¿L'»4Ò†í;Ví&:’ò$é®
-ôæø¢ê	üÝJQ>ÊI±Í�º£ÄÜ÷fŠ›Òwë+Üó±H‘Œ?ˆ'ܦT˜ÔV³F#Õjpi5’LÒhN‘ÚA�Cõg#ž¥©}E7^å	òæØo?G
-…
-ÿ¤VÕøxÿCƒ©~Ò´•”âÒ'ié`Ÿ{¦C(XÂ)
-
ŽÜ¿SB¿�’(è“ì½&Ý
-<ÖÅ4}Áߣ‡ÌõÎZÄHÝ%"[9¢ÜÍm ý¢–%«'S ÔD=èfrž:IâvÛAp¹DçóQ!âÞ™
-ü‚09nÞO#qzÀñ‹TØu¡/)…2ßšo˜"Gþ†x˜Rš0»�ä\ˆuvØDà—¯è~д×ÅúG„/Ý+™�± ‚Ö9=>òL4€‰ßÑ#-™éDWÎÍ>Š¤©
Ïž!†'wĬñ áB	.—ùöOõÞ,,³Šãr ¿A�âÔH|®CÍ.¹nÍ�16"aóÆÙS8a�wY!½{ìbùÌ|[�¯fvƺk@#2Ýá{kdÏã�µQs¸	Ûº55Ö5a«F=Þ¿ŸòÝPÖ—£MÕ!ô�ƒ?ÖX3½…O!ù_wvCó²1h~ÿJ°¶¸Sä�gÜÂ+º*ï%:{šÍª'r(�E%$ÅwþÞ}xnƒ»ùˆ3ø⛧M¢¨ÊÐIj¿éÇêýå‡5yHdõ²ç^úÑsŽýß�ø¼TêâÀ<—
-’ÃüŒÑL
-Ò*‘z^®de/švæÔ{ø´¼T+Q¢k
-OsJx±«{’ŸiˆçÊ„4¡¢Kšksˆg>Ç!<L+ó»Â
-üÑâÆõ9ýÅi$ïy‰Er«ƒÜ‡Ù}ÕX*±». ¦fƒJPaneÔ	½Ç˜aw¨Aᨯ];�QjÇ:¹OÛWd„bâ\¸ø�dà”ò«øàmga™
Ý”"AP0IXç
"¯&§ôÂ
-¢#ówó$Mz„­Mu7I1ËtWµ±›ÚM�]óq[ã¥s|b &¡fº˨ֹä82Õƒ_gc¿R…í§R€K¸;]Ÿ½mÝ Ï“ÌZ5Ìñ½Ë+Ê�96–‘]6	À{®v±SiÕ•Ë|AÕʵ±b½@yiy6
¨<¿â&ŽNÒrJŽ«?mÉd¡Z"ž“�¼öhP¶âù}$³ –OHéW•ë{pÒä×msñy~y‡–
ÎÜ<XŠ^¤…â`}I­‹ºq#eq,­wå®n¿$œdmC«{·É
-wá^oŽÆØÆéçŸ'vUÜ�ÙÁ§-Œ¶áËÇzNëD�/�Ùq geC¢»¼Ÿ7y9�·‹ßY¢Ákâ`ü<?OÌw
“߉úÎk#©,y½¾ñŸ~¹k‹dƒý�ÂN„5¯@xÕ÷œ`ª‘XÝÞq¦lª:þSÊÛó
¦Ò\YÓgSY>œŒ.‘Lñ2¥Ï0ñUFÓöFu5ìaÆû‹îò ÏÏÓ¡ô{q¯|©S©¥/æ0¯mÕ³˜Ïf½[64	È}�çúµY�’ÔEVÛ$*­ý¹¶WGû•»“![/ÔŸmáËÀãKC|¿»OÞh¼¸ŸåôéxN�|ËÔËH-‘ œq©äuEóo+|ÈG¼W
Å£A+ùÝÄnSG§¨­Í¾Ÿk¼·½ë‡Fp±Ó,ìÃøáÍÂ¥.<_jÏJÖØû‡Xº~¶ópEZh7Í\‰Î)
-
»>|~Å]Z´ëvm	Æ�ð¨IË4ïÞîn>Wèdͬz3Íi[˜%<²Å–úð7a3Qˆá3Œù±R¹›iÕ¦2yÓz±¾ÏP{àK±úÉj¢õ…LÙRTê†që_å°ŒñŽ™>W§¶Q…è}½[ãnï´'™ËH=ks•þžðë\Œ‚¡Ð‘rÌéž`àƒøV”øÓÂÇ/Ca´�í¡—xvÄïâdÅçÕÅFH®KlçMàZ�º},c®6qa+Àí
fuýÖÄ•Q¤ÜÕ†ñ nh’×ßÅoßÝg�xZÍ8Ò>­DÜ™‚ç{JÝ>zNl‰–òM̱°;MLVü¼GõåŠÑcâ›Y*ø.—I܆”Éþ’¥2kÇ›V(…K·Ò
-ʉ;¦^ /Ós$ýM½'ŒÌA¬-cU²~�YÞ„
µ~Ý¿Fê{È_å_×@.Z­$ÑößE_ù*š!’Ë™cõ–p隀Á«“–¢Í	ÕÜ­yýØÐ˪Mt×Ådàýä§×>§ÕY4·ðjSâMÀ¬f‹Âæ{Q�ì|$dÚJmâ“…¤	þAè�ôHm¯|[À@#_ìã<éÎýyj0_1ÆP»UÙÏÒ%ÂQÍGžyõ¤‡ežCn|ã«|ÖZŠ}‹Dµmo¾6Ý<(ãÓx
MŒžœV*5û£ÞI# iK_ꩶr.ØA
-ùõg!e&S»
-:£çèÒqÿíjžoCãëCjOQÑ”o:¦…^NómºÒd‹VætI‹¸¤j±ãf}á¯ÑüÙ�³�_›uÁ-îWtï¨*à/
‰ï²ûÄjD-Ö´at©ÓŽî]*ŸC
-ÕÏõ°~RЖõâ©e‡Â¨`îô«á„ö�௓§æoPÐÁ`ŸS¡uyØuçöw˪Xðm�©¯Þš¬à, «Ç�”ƒÛj¡·ÊI÷Òž®˜•°R
 R]§L¹ûwØ�“x�#xæÄ¡¥Èª÷8X\ðéцRò/ó‘.}Ey	Îz„“”Òr-J}ò–{�K*6«ZxV‚6:5"åß(m—ƲªëmîÎWq¸Ê“¤—1Õy¾ÆÁd‚Ÿû‘µ¾'Qnî~Šò3‰æ)•@+ë8e\|)úJN=qCeIÅ×DêͲùÈ@qØìü4ÀI#¯o=éüÙ)R9iI#Ò¶‚Uéî¸à…Æ©'�3ø aÅÒB-‡ÿ²Ô%6n¸?_CpLC;iœ~³¨À9ߤZär1J6³&Þ½%{4Þ7c·Ù•°¼óÚ oË~¦c÷Þ*ô[K¨à×ì¡èÜ$~|”aº&ñÈv{kù‰ÃH ÈÛâÆ;ó2ði†ÊŸXæ)ï¡nÓ¯EØ
l¸½möÙî¿ôeñ‹X	Z4�øhKjž¾’/8ôì¸ònÉò�PUÓê0~Þ¥ÿ&ê‹~¾F4ò$[èQšá~:,´4@×il眗Dqd^#!OÊ#8š/€ö#æõ¬¨õÛði€Šú4{˜[ëôK~žÇ¢ÁõW{ô³¯*=ÑŒ?˜üqÃHkã©AÝø£æ¤“PÓ¤ùËÏÊ‹Á*	u3áIýùÉÃ]g¢¨2NÒšdkÇlÛÁŒÞoàóÖd#ÌÅ$­x´‡`äÂuóKè7·�(’ÿ¡üòöC…}]A)AùàIóýµ· V�û7ŸÓj%‹µ–¨Bܯ@
%”èŠ:îI•ò­=�î‘Ô9Ürµá
ê¨*gˆxæ…ˆ7HJȸÕƒ³Ù
Çèý’»~1«/×úGí)HÃ"Uî0QŒ@‚[ü©Ûù¥ýÁ®Ü¶ÓÉRWüÃ�Ɇ_Ç@Bk\’iX'U°?º¥k2Ö´p7&ÿ.¢Ü¶åÈMX;eö“¢oÛ2È–gÝ	%ûi­0/ˆQ¥
ìEÞ	;EÞí
Y¢l·ˆ&H×F~ÛðÛòÔ[	£(i’™ýÖˆ­×äj_ç‡s‡¡œø¥ë�Å"$-FT¦
-­­?–>=£Ù�~$eºd Š00…ü×gÙ±B`–š
>åÐð	ÿÔ¥DAü¼l
UõÀ]
-qGØbÚŠÆêÞÀŸ×fçQûŽF�¨]E¿!t—9f!§8ý*.îƒ:¤b1“áîJ6âqÇ)•P—ANV°d{!áS?ž˜œ£/5W³åš
[R�È�a;ü¾U¿a£ÅNY¯
-H8ú)ö_ŸáaTÁÝ;Æ¢Í�s÷í“qüèÏ¢5¿ÛÐ@îÑåf9'w‰-jÖL¦)ÉÐW©ßÞé_‘ dï^�ãŠüŸí,„i×
-ü—žŸ‡4sض_S§Ç‹ �ï@>2¼õ®±?=šU²rúZú±#z{¿žt‡¹þNs_±II"TÑÔNôŒÎAenHEÛqu¡C–XžZAFN–ñè�¬7Í~Av‰
-¥)qõÍm—
Ôï.ú­ñX�x[d£E¹•3¿¬¿£¨Žñ$èÓ_'Í”,„2�ÏGãRØ:<•±ÄJ‡6i¥Ìö˜,Ç.‡{ÕúÑÅÒ"CqJ"ˆlã`z‚.ƒðüÚæ�_ˆiœîÁÑýl…`CPPkÖÌ÷~ćõÈ}�âµ1ñKº+GÂ\Ú²·5ÂQ`Ž—ØŸlŒ>¦ÆÒÍ6&® *P»p¾»°¹‚t±Ï.
áêªøy•Æ¸:J|a
-3»„˜$?‰J¸öÅ«ÝQþžp´N•Ã²Ð+Xd¾o£š“Cv�Ø9¿ÙÓÀ?ÃJŽK'ñ[Pì~U³.·34ŽrPu,•C<w”Lí0¡7
-ÝËïË
·Ä2E.œ€ÍuN¢fxŽcȧ=´@j„•¦r 4ƒ®ùRqîÄ®—
ÂPÕÁa*ýº}œ]ÆKàôF	ûI‘OPe¶ª)ÿçkt£—‰DŠšÓŠ´´·„±{„§e�E+w½«N(e"Y._.³{s…bvÈñÂwÐú�Aá/àwŸiIãÜ6ƒÖ7ç"a:ž‚i½­šÜ$ôŠ’0šý%)zË?Ñ!Ûp:£Ò?ÖÌ…•l
-º&ŠWîaê¨2)Ö×�yPu/|K<l �›õ~¿ªŠ¯
ü>ÏÝõHüäæúÇ"gm{y×j¹ážz²L�Å«å
Ïóý:Õš0ôMT¤õÛ%ÄT¹›4Š‘l¯±Ñ}†³TÕq‹G>‘7¨ž!ït–rÞ‰­5�¼÷$™™§‹#zZÞ<)Úz/…ǬþÜyÆ1	â÷	åoÄ—]�l)Hüã*_g²�ïॾù‹Ø>¢¶V;_‰òî’ΪBg^ÿ—eóÀÊpEù”û:ÉÒûeÌìËþè™m8²t€6û´]þ–WEh6B[©uíRŽŠ
-S’k+Â]‰GE§zætwq³Àæ¡ÐCéç\K�/§Ö0ÿŒö–S."¯7ë•;/aAñzü^ÑÒˆ€
?7;eöÏ®ooö1ԽᷟkÆ|o±Žy[¤‹¤8¯ûEÅ%Þ[þ÷¿ÌYx˜M
-5ñ×êÔHE£½kæ–Qˆ†êìŠ'D]OmS�ù$‘íuÈ:LY
üœtˆÒÀ–¦Ih¹ï°/f4¨Àg�lãA 
-¡`‘¾úÙöP-ÔzèUã¯ØÅn{©ô*L¶n“é,‰„	÷~2PÅ&]E©õÕ%·"b¢>u±‘5åÖJ§ò¸i·!.Þýú�û‚�ùHQòÆØ�Pøzm%eÊ
-þÎ!ANsÐL�’Írl
?Ùy‡Ã$4­
MgÖ:LF±QÞ�°XqgÕY
-v‘o$ðS^F4§!@Û~Yxr™Ãúœ_¿ecyú@Mòs¤ÆŸÃ$Cÿ±\¡
-XûY$µö‚ÞŸPotÛa,pBÇþdÔÙ²þ)/^Úeºlš‰�b|kk±YÀõm>?ÄÇ‹SBêÆU§æyôܲqEBÞWwU9´\+Åÿ(C
-a¶±vmøº´ï\vZíßa¥«B)%UlÖñÖ}ô³ŸÂ3ø,|ñ‘òÈ’›p9îì "¢¨CznÎ{Qò4¾öXœ+ó_ˆ,�#n¢òî9ä-ãn—²:¥6!¬½ûvü?íšW?Ž@k•ÚAí¥ˆÕ ´6µ+©MÍÄŽR[iíP£Ô5jU­ÔÞ{Ï5‹U;Ô(uŸîý÷íþîy?çœ
¾ØÄÂj­ƒ(èãECI¡Ma†p¢ã�<æåÖïQ×NvìG´.w`v¤`�¬}žMø
	ÅÓÝ:]¤ŸcЇ¿¢¸äÙ–¢QÛ’Øß
|”4ŸK(°÷¶¤›Šñ_
üžàB8EÉ­I�gòŽÙµ5ô7¶_´Ò׊ûuŠÈ`�QË]ÿH_aOÁ^ÕÏúASˆG†‘˜ÆN,ý˜œ½<º%kCÜà"ÙÚ”¶Qbºw¢ÕyÜŠ&Š}RÙL%J}
-¥*ªÌAŠ®"„ï…ýˆ‰½æ[‹,å$t<úøZ%Œì�j_܉GÍ·¯žÆÔíÃe—hºÝŒõ(:üJPžÈ[eZ°àîÿɯv…®Ý#sŠ}
ÉÞ®³É{ãn÷¬fAëN:\®¢}‘¦~(¸_ª
—"piùÜ'gxä½Z‹Ž|ýAîgKô£¸dae9–óÉÍk[ž|Ø ‰iA=ÓOEw@énŸZ
M�?|IihÄ,É8ÉÆ”“ÚÜ
s9^bXzpôbÛRóÔsçHñþ–T+wV�yb+Žš;×r¯Aà=æÉÕ­Ø{ì
-�m�ÃN—›¤x��…¿ZlÌIN	2:î’Òm>çú��¯Ú¬4Ú*PÄI�’s,R¥ÁÃ]€$öÓ�È'[¢mƯÞjŠg¢Ô2í­(}î	×,f¯•YIãÝÃ:åصôÅ®bT,y«†xr
-åNUðrÁŸ fDc‡·Ðj‘rK
-ó)ÔÁböZ%åóAôPû)ß(ú®[ÁúŒ»b˜SÃùÖžV)àu©wAµÞh”'&Ÿã+¯£±M¢ÜBê
¿õÁ/ÕÀ¼É�öfaZª�<ßæ%V¬ž´ëb8ŠA×+O4°’Äm¯Ðó‚¨÷ŽÈLÚ•ËÅím&m%qßAë9DZ¸Ð¥þ™±öl˜Ã}eSŒhÕsdçºqƒ„™Ç(
:üNåÊš\~y��õ¾<¤ÙEXëng*r†óqS‘M×w¼-­oÜÏÉMLvš�Â%Ÿê,ž˜Õ]nOHä7åÓSì&ï(“F<P÷	ˆ“³ƒZ
œ×ÔöW>Ù*Œ§›wHm䙼bˆ
ëð8ÿ²çÏË£ 'k³ç›1­L8_A…>áŠvp1¬ªu­iÔ9AÅ÷R�œ„’ОÂÈÀn“µ:)?|Ü=�	º­HlOÉ~M·�Q�úŸJnÆýâôŠ"Çe^5
-M¡„£ÉãB¤&vIA{}ɨüØ?òXcçR&YØÜ„*3cµ,;S˜©fKnLX�ӌȊeL�§KSü,‘Ó.ýï)•òýX©�"pnüÁúþµ¾îÛžU1¨ÙV�v¥~UŸXÐßs$�gúaÄ9Ò³¤Çnï¿ã½Hú1™ÐÈžùº)ïæãÙ=d†Ôõš³¹~~,Ä!OÎ�”¯ ¡Ã�JúbŒ…’Y›Ÿ8gƒÄh5•.ı.ׯ‡Å2F™1˜$’«©š2yx°6Ãò7%ë~t@Ü&)HÊûh?HuÕgOÀ^(¦!ÚéX]ÐäWL.C{_zÑäÅ@�Þ#›(ÈôE˜O¼ê ÓD€cßä Ú!}±~#Ý�®S²N[€­�ùáãjR”^bÿçnx)\æI%
-á’ë�†)†°sµ‰�,(³÷zÌS‘)åãø§I²%?õÇ:.©M9ø˜�²
xaPÊe6éÔvàHÒ#ޭȶ{›Ci�q{a
-î_æ7KbËͤ\Þâ?MÃòõ¬Î±Iž9ˆSïfâúó’Í¢qÖcU…D”R&º�P8ÐÌÉq‘púÛS¦™¾ì­§Ó@K¹¥í2y4,ànzñ~†ŠùÝB‡âw¡8²X7Õ…VËƶê
ÿ/Hñ�Û‡8�ž4ŸŒ[½‰;[ ]άT ¼HŠ¢oŒRUÚ÷q§X	‘ôö}‘÷S·‡¨õ`Yœød2¦ÐyÔ¾õ\¼Ã1?a#ò£uÄT!�šÃZG=Q’›ü×Î]ÐÖc›9/±§d�Òœ…i¬¬
-õZ§¯‘6’4Lv+åÆËÈ/¾{Vsü¡æ;¥5Þ‹É�Ù“÷°KqÐ@-Âú¥˜UJð¹;Ñ�Ón ïŽéU/"%ó<Ä�Ý{ŸÉÖéFq+£¿

-ªÎòêžëÍxì¯÷ŸQg›a+q%²½[ƒFe$™�Mí%¸³År@]CÆ"pI“:%?0F»X¸_
¥fÌN1¶Î®HŒ¹\Y2¾{Íï!"¹´èÊ­6fB®“»Åõè¤ÑO0–0¿�Hú^˜4WíagUv;Ö—FñIôüzçõYˆØýÂè`²ËÁ¬€óÈ5è”CPWžà¾2�‰ssFHâzS汕˳ŒÍ¤ }<.ëÙiµD{ä\Ì£º9!özד!î0Š²÷V;Ö&Ké¯(MœV}îüøQècL“ÈÒÎ3ïAT‹ëêןÌ&Ê'g®çÅVÆ´FÚÞùÊy¢tc¬�óºøÒ-yfgA‘zTz¼ì®øŽ-:y@ƒ¥±ÿ\¸"•?PVÏWÕE†È3Ê	lDK\$�UÔw¬>rß©Dè%<»ÕìÚW”åv\ÏÓŒ ø¿€§Jœ‹ê¸
-A}Ü[®L¼«#²GŽ_aâÍ¿KH¤ŸŸ‰�‚h
¼ª»,_&½òîoy£p�B7vKŽ£¬NhÄO1û_¦¾¶®rD™�91Üð)ÍÞºsùTAÍöæ÷Ý¥éëc5?Í‚ÒÚ.îçþy;4Ûú/¡üà"€ps°óòñxeç…¤ü?qCendstream
-endobj
-1233 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 33
-/LastChar 125
-/Widths 2818 0 R
-/BaseFont /JNKLIU+NimbusMonL-Regu
-/FontDescriptor 1231 0 R
->> endobj
-1231 0 obj <<
-/Ascent 625
-/CapHeight 557
-/Descent -147
-/FontName /JNKLIU+NimbusMonL-Regu
-/ItalicAngle 0
-/StemV 41
-/XHeight 426
-/FontBBox [-12 -237 650 811]
-/Flags 4
-/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 1232 0 R
->> endobj
-2818 0 obj
-[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-1172 0 obj <<
-/Length1 1620
-/Length2 20127
-/Length3 532
-/Length 21035     
-/Filter /FlateDecode
->>
-stream
-xÚ¬ºct¤]·.Ûv*I§cul'ÛFÅNÅFǶm۶͎í¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ú%ìí@,ŒÌ<
-…ü5Òß1‡PP[­B¼ªùÕy{Ju¡glŸÏßüC(»ƒ¢ÈrÓÛFÁ÷jð§fÌÁpC`¶
-f†é”/–é�„ÐaÆ)¹–ìÉT_ÄAÇDÆ@G’_²V
ú¿IÂ>^"òœ’£\žpÖk×Ñí HNZl¸Š”»Ào{ö«OŠ—©�™}½ŽÈïqM gÀÁõ@‰Î
-vÌó™\Ÿäsi‹ø'o0=ÆK‘ wnÕÉÙë)ÕiÞ8©dÆ�î�¦uË͈âL8{8yŸì'!HÄ`9õ'žz6±�VÁ‹ÃDp.µh4Ç�ÛÛ8ôÌÊv]ÊB‡ºŒŒžš¿ØKÕËËÃÙÏ£€_�ë%ç=ùäÚâô%N¥¡[é¡Zß—”Ž8¸³OÊÖÚvAÔÊ
-ų
Î:]Ní®¯jï‚?Ú1Ü¡}ú߬Eþ·ß™ã…°ä]x‰©9
-¾@�£dJî'�¾T¨×
-z	õÊøjØNE'·M¼¼²_ÉHËq	zÎ9W±O´à¼¢\Y`Gà^ùa“ñóQýÕùÒ^mš¿RDÓyYÕã�ľ¤w§fküV¥_d•ôúÁï¡qUåM»n<%ò„é±D}^õ…ï9ÜÚ™/˜zšâ.Øè×)ú/…0×�Ο·×rþ¦›§›Ü:;Òé:of\ÛsG§ys÷ÌäxQåç!X[EsèAm®¿NB(^WÄÌoÑÎÉ…qeQoP½'“ÀäŠÛ±vÅTäŠËÔ›Ê`Þ£>G}òxeVÈ#E²Á¯¶b@:4ÖëOØ,Û“œÖ˜�	w÷Ý@)Æ	óeîG£J
(På[ývÞ²
zž¹<ú JŠÔÂY­CµŸÐÝ^R°¼ke�MÒ]@KòB ™ŽtFò°…&eð
-îïø`—÷¹K³†>E9‰ú¢%óeKšb¥6$O÷Àw¯sjºN«–'šuYv™Á�uC0=õ�OS‘GQ‰þ¯Âì{êMüqûÊ¿ûw^³4)pD^W¾i
22øQæBæeëðÄø8Ü+Î(ä€#x2dßë~r%³õç:9ÿ8¯�%è5.�Ý‹IáÊ9ƒnò)6Ý(€É7ÇÅåÑ�Ú:T÷	¼$Ó­jæÏI,n›Ýƒ0C5r¦Ð{Ûôù4uJS·1Q¾àIÞ[°šùq™B·ã§�ThBŒ¢$¹*3„
-j)ÔˆÀ9”‰©P͸\‘<«Cz„	w$;48™un¤£Üó
-yÍ:
-Þäâ¨�Mœj‚ñí*Ã;øí3ÈñÈmľÎV¤>û¢{Ž'ûh„³vÁ›¤ÊŒ=N(ßÔ™Þ‡RÆÇâ-ë-U¸Õ¡AÉ^³Ø1!>•…k;oI™&Z�£Åó²A`þH¤Žš“´¹žÞù=&¬;îõ4vŸ ]Â÷žå·£Ë Z±ÔNnbáÓ1¦[^ÏÂëMᬯij
�ç_ÓTô²È§šl`îSñö—›.²XˆGe(p¤.¿¡
CžFêJ)ËÂÀ€z®Œæ×Ô9øè¹'ÆÂ-ÉÆÞGܶ•[|ÛþTÿÞl©5·	BZ«àà"—䬩¹9£ÈµÿT*qq„ÏÏ4dG<éZS{Ëèœz2T$g€E‡úÅ�3P�&�¶ãäQ,À‹é$‡(YÐF¥›Ýúg¾ÙþËœ;HGŸ€UÏ0/ˆF®A¶¢ºhÝÂüÏɬSŠ›?…ð.zì$�ƒþ¾‰OøBw
F9.é»°{IÛÖ]µYÎÙÛö>….¹©i>Öª®¤Á¹º·t’ÞѱûªÜI
r<Xh[_lÒíÅU1î¤â(ÛŸŒÙÂp—)^ðC7¾è£½k¡ú»¥FÑ…ÝL”ŽˆÃSù8Ø'ȸŽô‹òôÝ´à�vÛ\ûƒªH(dÎWs<eúJR�˜)[ÈùÒ;.ŒÛ=õM"%Z
-H;\æ¦oyd÷5/‚ZY¦Øß
Y‚x/	ÜI(ê_SVò÷O”ßmÛQ(±Ò´È{u½î}"ƒª7àú(˜"äa-/ÅGSkA˜M™�É~¥S/D+âˆä5‘<šèaŒÒeÍž€RŠÕªµ«™£Ö½KxfÕ%S_olË+ÇééG~Žá^׎ÉñHž‹cCñ	ûKÅ	r„i/©ÁX¨Eå[-6áËM*µÖ‡ßQ‘ÒY3œœüÎ$c;¸™îÎôœóð!¢¸†„
À×Ü—Ç+šž\[²7¸¹7ÚÆȈ€Cà[VZÉŽ6|íd›®y>vWL«Ýa%´§AX™ée‹ÇX�ço^´¡€KE-éÍBòŸ’Þ®ü1Ò^Þ€8ä„áU„4‡Ü46
-`YzY,lsÿtψSòé’�üZQ”²8!�Êó@¨`öžnBîàñÃ`N€¥Nw§©Ç!ô$ÕæõÎ%¢�ˆ(­ÙâÐκÒC$‚é‹Q
-=öRþ÷y:×S¨‡Î�G~�.Ílñõ¤1Õß«Øg½ ?o�!==çxQWP8?®~|˜Üÿ¸¾x¿¾tW õ/ŸU®kdY¸Åã–�„ ¯iHxºâñ¸l±˜“¾ž?b™qé®yx@cÏ·è£P(&—.!ÕGÑ‚¢™þ=Wc7Ü1WÏ28'ƒ;2[.ˆxý‘×µèÀ�w,ÔEh@¡3§>WYˆ}ðùaæNy´59ƒ‚Oà
-Û#ñ=X6µÈøÌý/ùj¨5§äÕ‰X¦NëxþU¢lµÅ•¬A2fNyë	BåK@z«1ÅÓÅ¿fÍ�ÈnÿÙÒ©ê¹4mmÒmyŸ;þ-áu
-¶Šy­ŒØœX6$ XbLÖ¯Æë6SÅGó´»
k%¾PjãdÉ\c_¼œMMâ›7IJ�Ñ1è‡ÛÒŒÆîC¡oÖ)ëÆ
-‰}
âx†Ü²t¼Væ–67Î5¥ðž)‹ôÇ“‚õ\æb—qå‘!̸øglnëN�ò4�ü ˆ
-/ôÄ@þåí‰e2bƆwU†ŽUöq`æïâðÅFŽÓ⊂™�¼ná{™š¢5¿áPƒ	
-\ÅT»à^7–4N’’Ÿ»$
$Tƒ-L3éΚ¹¼Ìè-h’T8 @½Okè#�ÁMÁ[¯/³xO:"¨4áxüåäL—<kcèyÇÛb¢q¯�ÐRÐŒñyn–yÍ�Õ4ë1q�ÑŽ{¦í¾1'.ämŽNèÇ!�Êâhkjìšû?nP:±³4¸§†ÅÜ9´mºAº‰=¥“º,fÂêhI­ôNÖ»ï�ü'hä<Vk
-Á�³‰Ek-˜B©äöVZq*
Ü
O³«iÈ�™ê“›ê¬ïžŽð°Á©ôÄÄ;Òª_俽Qì˜ÎcNµ{pÝïbÔNÏ£….Öï³J–Þ­†+–½º5©jµÊâ?ÁGtiÉBs¸¯vëÔm)«[™ïE»yŒãn6Ägî¹ÖªÐR“?Áµ7ßûx ãcå«B55Ö°0§¾ê	cu	Çð'}
-
-ä+N‰Ø5ÞNj4xÐ]›€¨áà�ݵmï+Zf;ˆ?Çåe³ÝöPà·oŸÒÃ�üµ—¢I¹ë¼“F<{½*-5	…)ôcÚ
-#oÓÂíçç‚
-
-8À#D=ÐÚ–'¼ËÆ€7aî^MXÛsänjã„h1B–¤ÖÑØÞt\§´äŠúã=/t2K(¦­H÷±X
ì�̨W2­ál“åÇ W÷í�ÀyŠ|¸`¡ïì¹Æî§È…çÁ™kÙYÔë:½	|â�­±ôÈìÓDáw
E)³*j�³sý«‹ÛV]ö�ŠSl|œf&EÔô5L‘VÑ
V	ºZ™ÜŠ2Mù…%VÐ`ß¿�1¹¦²¿‡T@@jLªPèȘ֨s*ô½§Ëâå®è�
-I³ÙêéœÆ–T©-˜Q§5߇[„þÚ@ÂÇŒçoT§÷sa‘‚‚Ÿ£;?®IÖB,$Êq®G¶qÞâ¯PIJ	•£Æ»¨(¡àœ•SÕ`RHáRp”·Í/i¼™É6vÁ³ªÈ»ÚôÎvñoU;]äW¸é­�ysQ†$Zk›o��ÀëãõO„ö¤Î£ýÁË2Uø˜>¼sUàtO?úp '@úÂÜdÛ¹KuŸCí½ìe½oÄÜóÏrž‹ëéEÓ3ŒžÈèÎ#$ûYjŒ²äØyÇúÚI�ÂOÁu)–8 Çúƒ}Ú
�|þ84G'.«2c2´GÂdL¡ÌàŽ6�(­�1¥²ò&µÂgùð‘ôrœ�P$A€+ÒádˆÐíçÁ¼_äÓôèä8\áä'wÇT`S^JkÊ_HÿΡÇÐïK”.±®:¤vìÓîÓcˆä"AŽ¥Øm¤.l¬È¤÷4³å)¸
-4=_A€ï CÎyëºnlT÷SIÆlBŽãÇD‰gÿ¸e‡Ýl‚È¢s›y|œRJ¥sáŸÆ%÷›oßú§gªDT+êg&Ÿ‡
-û
-ÀáRLæÃ2�–6çW0*¯bö"QÛ8Òœ3,´~~ý¨yܵ±®ƒ!èk÷}“IU?û
-^ºö.ÕÊ;â˜<\éæj�B† :æ‹ãk‡o™ùžËýta˜A=«(ÓÔ'ŸÔÐH•ÄN!z^“kðw¢ëKËŽÌ´«öߪ&ZÎØS³_­ž!¡ÑÐ9†˜mx,by5À,Ù{Ô´9s†s_=ªŒBÑ3ú§ÉÅé7˜MgðRSÙ
aÅL4äÆ�Íœdä’¶î¡ÁZ’Ô§q½ ¸‚’6ˆõA3†Švbwq]o§�æö§%¡×+DðXÚ2ˆPvêð7?³Í®=Dø"EL‰ÁÀ}§Û#WYççÕ"ú­Cø(øºÕèa	,Ù`­}Ta¼R›L΋ÜW’ï“9Ž˜oÖ”c/9ŠÈÀ°º·‹*�£Èp�Oˆjêû‹ª`=à^SVnæ¶ô@&2†4.Ê0h-5zPÖz.Îxúƒ)Ë+™ÆÁ·ÙÃ!îˆF°²VóöqÓA#õ:ãF½À=Caç¥�¥…1‰d1xýº¿ìø2ï«9Œ)Cí$§øV„"	Æ1‰F¢r�nêOèó$9žíÞ�ŠòZ
«>’qXøŒúÑú‡¶úIÛ¦Q!yˆ|¨(wàÌh"¾n£K²ñ�úB©
-/5ˆÝï9éŠ1)ëM÷çY¤Ò\Þ5ö£yLU!?䡳ìšýõÀªi›Ž}Ìn‹‘f^;àQbù¸RÿBr	Ï¿I-9:5Å·À2>ÁÐ3d±†Fˆc,<oäæ£Ocî1ü±St~»|Yù51DP!£í¶“°P
¾¢®tþkºô¡�ßk˜8Á¦ÌØ$õc°ã9­•Qæ3EåŠü±¹ÙÞ–q«¿tÔîÙÛCCY
^"fLzJ 
-ÛnÊ÷Ù'Î{ü®ÒÿŒŒ®AiL–Xg…¸N
-£2„‡�Œ°±hdw,
}ýåÒps9KuN4ÒÝœ°T×£bK؆F–i$Ÿ‹‹'p‘}¾Ÿt¥™´ðÞɨ�"3±Ut¢¡úx²Ø&x4D	K¬ZógÜVú‘xC¶‹]äÂØý9¦yóï³t¶�Úxæ‘…HÞ#ü¡ æh
-ø>_@[›cQƒY«]®Á²´%!
-ÚÕìΨwtŠÓ?oAZdævò6I‡¼)’þ‰èRUÇÜ(Á@Ú”µ²�âi·¦Ð£ñ	ÛåºÛšÖ/ì¢ó&Å%é±ACF÷Àa¾šƒ;öùZjûâ×QBÙŒãÏ�‰ÎYIN«ä�{Ïy|—hT®t²RML‡WK&�q¨aMPjÍ�–_ê›Í2ÖÝmYL¡£Ý§ÎŒrîgs7¨NãÚ‹+Aׇ²‚·`¨ëÞÊN óoé…%¦~aÝ–o¥­~F¼».û#3{9D«Áä9;â´æÍôQ¤m£ÆgsHœ;“¯0C[µÐñû8Z¹Ô€î>¿œáƒ¨ÃY„Üá€ø¨e{MA\\ˆbi©O»‚›îöŽÁAø¡Ö3
-'ˆqqµi½á¢C°z³(†Jœ=ã€àˆœý]ÔÞ8§š¶±×†3`žbµ^0Ï »©�uDA"e‰57"jÍLL�ÇXÝ'�N-ëZnˆhK$%JrrÛ­‹y¬ewyä¬ÏÖlv-‡åƒÑ‚ûv�ô¿L‡|ä‹N*<‹c�)u4¢×é²=hIë&a‰	ét•ÎÉV¢z*ºìÃfÞaJž¿+uÍçWâèÚK}¤¦
-cþ1α¼ZÞÃbi÷cžç„Š¢c;Ï\ºFý‚I¤�Ø-óÒF ¡Ù¡·ŒhÌ$‹™òjLjÚ¹ÕTãŸLàIHJ+øæö‡dPßÜlvÈåAÞñ GΓ[ãŽ`Ñ#&ûîR…j—ܬ'VuUÎÔ‡íëÌÒ†·�r€"˜Ž†(¾WwPßSè¤u‚3ØRUê·€¥~²ýbæ³u«jJäþnÏ×íºÁëi¯™ê'‡¹IÀ&JIÔô0>e¾dÞ>#Ç<®å³Ü±éúÞv‘¹‚ΪçñæWêÕ‰½˜¥‹ÞÛd³ªÐçÄsFÞLÖ÷ÍÝ">nfhx¬ºqŠ~K~áåÔZçW
-D9ÐÄ×ý«ÌNc­ü

-4Æg÷ÎüôL¬¾¾Ò?Âlœ�á¶_±Ã؈õ†ëî$àÝ-:ÇDpBÝu£Cbî›#13º;Ï
-*‡Kò·¶‡;¾-’"+ܦ˳-ý<ÎÈôXüöYëÁ’áJÁ‚¡$üé¥Ò.&�>Ùe¸R¸¡3ŸÁÿ]u7üaÂõñ.R8‹zAµÓã~nTLûçpYTÓìª[7ÒøUÒð=|¹üº*ÚÂ_�AŒ/–*CØ¿?CÞúh67÷
Wáïx,V[ýªŽ?RÆò^oH–èÈ;Ǩ=käàkáÕÊu3®ÉẇNbnN’²‹Y)êctž-yá¬JHÇd`‹“mó®úí}KÕ4¬½9«–øWù…�YÚá•M3
|•Ð§DN¿"æµdYDé@ÖáÄúÑ¥õÇ*1öEÒ.úMµü–r± ÒüØ
-Á4õ5’+Äó}†#‘.ç­¤‹R�‹ë
-õS׸­oïÖ‚•fx{ì—?]Ž{øjA}øé{v$õFBÇÃh¾/oF"U¹»ý´P‡SkwUŽçî0
€8â…lù9|�2
öêlá˜,RºÆ,;?…Y¦y$…䯠‰+aÍB•¨ì5šEÇ婳Ž÷õ¾Ióþ†n$ŸJ±šÿHbN±ãHÿ­^Ù’Ÿ¨aêºV§hÞšW>#žµºra·‰áWvdyóEú�C
‰ÙãÃ/c7>+΄É6¸ôªû,,�V>'$úÒµeP¹…'›ð3f3
-J̺6I>ìß
�$‘–HåÇ(�ÃÈ;LØAB¿ªƒKéíqrm”ü¼Ëµ˜+ู؂۾Ó&§døäNÃ0I¿r!7%tj[®†ð¼¸‡¿¬e°¢zñ÷pöZù¹Üv
i3l*.p.&€Ñ·Kóâd¹¨É
-ÃŽ¿NõÆç*匶ölIUQ8(±J	8a•˜· 5«X~+Õø�ëam:Êœ·jP¤^Jœ§î‘¸ÃsÀÿ‰û‡FmA@ [r«@æ	[¼¼'O24ö‰¨-ç�¯�Ô‰Qy"ð빟z¿–2¯\ÅC]õõtQŸ;G@
-ƒmÕ
R¯
Ö$õìÔÛ6Áò´K·8}bS5Û €UÞXÈs^ƒ=$B�ÿ©†Þ�‚€`õ©£X&ýµ§=²w3ØÔ�]ö§ã^êÌNóÊ»Aøðc0ÎäÚ�5¯uÈòtœ)
¼Ã؆Fê|ZEò‹Vjê¹Cç‚¡þË€y·rûÌÂqëBªUèü	õÉK%©BIhs”¨ƒr¾‰Ÿc�\už…L}dþlùÅ#œsþ�µÝ
-­­Ûä¾xP1S'¢Ä”ÀÏ/m*5blð•šZh—E5Ú°ZÊ‚?7/ ö®Ê¼¢¾Ø‡ç]�Ï�|Ö;ŠÔBùú�éí�ôý'rUS”Â
Œ,ù³Ç?»FöÌ’±ÛõÚ$Ämk¥kˆ"ƒVa+±<•šºa¶>Sû%­äù‡¸’øVî™ÏáEü4¬:ÀðÊT?ëðÎhx®‘ÕÓéUDÂãÚ%†è(
-Djà&$ >g÷5«d(
-�x­áO¶S.eƒ›»NÄÑűn5wÔÖ‹IêÞ(ˆÂ8ãÞ×Àn†hºkͬ½�P#éQ'�ÕíîaT¿£þ$RyÉà–&S�(v±8m`iʽ]rþù¦³<zlVlÉ—œÂ`5”ËR¼Ï>íJùQ5x9–�Bgaàž}x’2ÍDÑÔ1 IÐÏ4—ÆÇûèr¶
-´¡é
LŠ.Ô»4,›æË…Ü)]Ã*Vi}¾I&È éà1ƒs¸g�´YÄ1Rë}}ã$¬Ë¶Ò|>”OÙ‰@½)Ûá`LÓïËñyŒoãwk5±ÈVð…SŠËm‘í¬Í‡Ÿê)"q%Uæ#}VíÈ·ŽGØlxR×{häYÏøç%»Œ�k#’–ñ
-°û€‚ß_7ÖˆýõƯ¤øÖe÷®eßêT\qÓýÖ®Épswþ
-Ü$(Wgœî‘·xeµ§²Þ¢Q«:p¶ÐšaBš³·ØÄ ô¥7'‡Î�òÌ[H›†{±_‡*ºŸñ´í�!NTúû�[ìD_lïñ	�(bÂ/Ý}¤)mR¼�™~pÁþØL®†PèK¶	M5”ð?Æ®*äQF2±g™#ªûØ
ºà>~‚;H°‹¨-ƒô9ü·—5ûÎG	9„õKƒ[Óc÷­~@H"…°Î–E(Mõˆ@å4/”š0ù{oNcáKC¹¶un˜íÌ——*ÕˆÏh1+(¸Ôýd0�4—DËÓ`IRïÐðý„ã‚çNÝÝ45öH3‚-]º5û`EJd>¯3Ãæ	B­gÍR™n"éK`~[›J:4qð7v®`=RŽ}EñŽ:è¼süôŒÍ˜4¹nÏñÈôQr,É¢ï°ÍkÄêãÉÌ^Iö-ûØLƒÙ£1#iÕ³q{ÁðÅÔ#…·¦˜&#¹–æÆÌ0�žpk+«£
-†é68û½3¿âØ
€ÙAehD¡–~�ØioÔ�QbØFÈöyÍpR<‰˜ÈfÏâŒ&a›æ(z
-YìT”ÄÐ_ïCŽÆ}	_zA-nuò®Z˜ÄögúvXPô‹•5tºÁúOÌ]šÛæÞÄUhN'u�6V‹3án[ }¶ŽMïm9¤‚Ü.QÒ(Æ‚Ølšõ3EȽ¹²FÕ7CÇ¡¥ŸµÂü‹›¸¡•	Ò†Ô·X>År­V¤«´þœùÈ87‹Ðæ^’Ü#ž³�Ä…*[Ã�00Άºª\-zÂ0³•CÄx:M«»ÄãVNc
ÇICÃOgUÛ¼¬*¶@ÚU·ae’+b˜ÀèÌ¥�¯é¶QñóP/Anžóu–ÇúeÙM"èzpJ™Ïò®­"U‰
ñ+“ãé?§ÙÂf%%í
l¿çkíæ¿„òLO^‰ªãÃFÒò’Âiú,ÞTõg1ª
-l�•�"\\â„o8½²b¯‰{åIPwví ËQæH¶$ÜÉ´¦ÕL`e·�©ѲÂJ»ýT‚Ε^jr˜²:ª×»‹¾n
-¼ë0åà®ÏØÿîZŸÜªc~;Qwµê4è�©HšñqÇÔø°7ò=­³ž‰’ç™òÆú˜“duˆ?.Õ+rÞ9kÃf6q§œaÞÎ^bÁ�;ÐÞ“ªC=?JÅЕd›dg‡|ÜÔúˆËz@øeaªCšs5ú QoFÐé­Dú÷8È«âX²DÛíŽO@Ñ%
U÷Méd>kZ|èdü%Î0 ,cYÎ]o5ÊÓÓˆP|øTëZBŒåæxM~`Ô�ä×P
-Ïoé†-«ûç²`¹
Y¶ñ­Î±‹èÞÛ°ëÙC¼aßèß7åv¸×^
-뜻%CÁÌ‚¬UÖ´‰Maü€¤Ï¹uñçó„áÜê :œð؃C»(|cº�É&§ëéòɼ¯È8'Ùx被Šóp<]BÌý �«›[¤„
-¡à£"Ð<‘gÏ[îD~^ººÓÂÙ?Zn\Æ$ÿM­Œù–1Äœ)Á×�Bň£EGâcQóh¨X*úêÊÊ_>(”�ëw+ÇœðaÚ¨F~¶zñyþþ{‡>gS(êá9‡&IdÑX2)Fžb¡8ÚËp¤«PX,Gæ(xõš2œsPº%	faj�U‰ªh.,w¤Ñ«
-cLÇý2 Ža®
-L­ysN<q›Žé;u	%ý¡xCߥi67k]ýÔ•ðÓ�*‰I
-Ñ\‚°îÙª
[ˆ|¾[4Ã_ÆvNy|ü(—æl²½Fï·ïÊ»i¤ºõ–l
-]ë4PH§rüIbÕ
ä-àIæ<Œf)$Ü=¼ð~WÝ>�Rú?]œã|DuVò=Â+÷œõç°üdË,󴵋¨t}ïæBÖ 9Q’Ž¹¡¥PÖ•g$±»ÖùW7‡È0‰dÐs`Å/]N˜Cñh¿5÷‹$YlÄžìžvÌ6èëZü¾Žñ:á3~|±‰Q¤ãïÛ_6tºs´“WÛïµÈßFgùè`æ}
|5*¦
-…3©	¤0.aõÃ’ AÜÿJ&ªƒ0C|R*�ü(ô¯[\eZ¢¬ ÏÑZ
àú½á´sÅ%¶_,sEjâ’ñƒ]]¹QÙÄäã¤Óoxé{×ùÒT¬¬>
ÔDu±:eƒ„Ž¬‹C5áj¬QjCìé÷¤›ìÐ̆£�Y•Ãé²{G·$7wA”_sïâPs±¢Sš˜=ÍêïxEJI7z˜³LYò>‚Ý'ò.ä?4û™36L®PæØi¸Êfá]Y­IÍuÅSÛÁý²n’YWºjRd�
ú�Aùú†ÄMw¼NÆÒ`´­Š&'"—cxŒ?¦¾©Žd[ºhxB{ü¼ãXæ}•£689®ªíV�3*àV,´NÃIæ®ÎúÄ’Ÿ]ñ]Ì&ßkÏ—Ê­!ØEø>µBGD“ÊÚ	DÄ`ŽÀzë†ÿD9ÜD•^ãP¹¹¡ÒC�`pÞ¸q¶SÏ/@j»_»;Æ),H¿¥ÌNeÊ„cwLˆ^ŒM\Ú‘/Q„Ýr½Î«D¦F¡CzmbÍ$cÁïW %—õÛà”\Ù’æ’.îrËäU+ôŠÖ½U©+A�´5ŸJ¤Ï)ªãÿä;z_{®ðø–	©ŒJ !uêˆÉ
3e|Yüê*¹ˆcËûõ);ß.†úðò#ãDhö€ö‹G¸èFyç;u=2_–\?c«î¤~‘
-ƒÅÊ~Ïz_úà)ë¨R÷Ãfæ4Vf™k+{Çc–®ŸSxéüýpŸÀ–éò¢Žú‘›B6Uß\•AM{ƒo—áŧÜùþ1÷¹ž ƒG‹KÕeºd´fÙà�&ö÷-
¹÷ŸÞ
ŸLHÁ¹‰àT­Lq>ã3ïçÙuÐ3õ.°ó»ÏDkr%[’û V!
�=?(F‹V>Då†TÜ'LÞ»tðþDì0åœjiJWù¦¯:•º?˜ákÅtð·Dt,e¹Cëàì8´­~¶^Wìh÷ðá²›ó&pÀs–K‘v£yª¤}�ÜYhÇû/q˜š\—1άÄ.5HLU�c�ß|{�¨8óŠ�ò^ß4à`ä�ô·ÅPß½Q5ãŽèz”=ûý¯`ôô«î½A$äÆô¥=ÿ7<‰†ÐZLLSXëNŠ}Db6¶Ð,èÿv;=›#˜‡Ãc“(í„FrEƒÎUA7Á¾ºñ°¤‘ïÁ¼	Ÿ³ËÔ
0
-·•—Vh/†¸MƒD:•ÄÇNñú°�•:#Þþ>PLÇÒwðQ5GbÌñ
Ò禪ð@`	Ìf(iVþÉOëµ6‘
-’Yý”:®”èAèÂûXqQ¾®ãÜþŸœß,è'ì-¦E“qàO¹)• ìG³VÍ4ºf,§œR¢X=ÒÄ"Æ
œVpÕŽà"ç¸Éü4¥^Ëdw3{ñ¾T	¨Œþ)þ1²ðùfäI>EÄ÷ó…>W¹;A©j�æG’òÛB¿¶ä®.L)y{kÂ^×ö
,”K@[âŸdOÜŲÝ_tNÖm,b
-É´C™Ñ.ïð�ÖJ®{
Ò¦sŽy�ZÍÊ;±êÈÂìÄk´3ѤFÈZ‰FÝmp ÷:%•Ùd
-Ü)„�lk2'¨á"�”Öë±âµ|syùͱÕu€\çÊZ'Y�ýMªI­‘_£ƒ~Æ)bfÓíÝt=–ÙáÅbSÅ#Uk.`«
-S­‚DÍ(»(ë%ªUÎ)7%g:F—°ÞÆ {¡ßk·1SÊ»„]«
-G7üæôÆn}Ò{«óef‚‰@ƃÚZt'ˆD©Ñuèb
ÕËáÿkŸ,Ûš
-ÅGÕkX:gׂ	še£¤�xu®ôØ\CùqKå1¦g¡lø	7[Ù²Ì4Òÿ¹[PÞÿøç¥ÏFÔ´²ÿšûI#pŒ"­ªºó�öWwxN¥&ÿÊYGúéÆ„¾åoK?\aùt@½=¥¢D#UŠ&ÐmÂ΃:Kó#˜´ÏÙf`ÃN¯Ú¬5}=ÿúfy$V·‹Id”-é%#©¾¯{z²5…رF’oö¾!²’»÷ØIáMØïä†H}ØÝÖR´x`î/Æ]è›Òª^3±Í7é¶ûñâ¬Â^µñŠ
-·(FLH³~å¶ÞÖ@Õ6Jäó¾xÌ0V?K£ÈÕJÑ}gy,‹¨†/ã©$þ¸Ì�~“Æp\!#…þö/»-ñæ
–Ú3Uv+l•EM ´Dýý_O‰uò!÷¶:)
G‚·Ñ	é91¬ÄdÐ~í@§q&±ÑŸ<¹¥ËŠ)üÁžjÄÆpîp 	ãO`6ÿÓaÌ€“Ê ‰bœ›³ƒø*Ln<rüME‰J¬#Å<ÝþŽð»Z–êÞ§é
-Ö/y³¤¥6f,¹yK@ðcõ�Ï’bÖ3Jca~Äï¬]+)T!¿hê (ò‹gÙ׺Ñ9QÀî/LÆ. |ºy‹ÔOIûè{£dç*ÇU6j—áÅ+”S•ÙÏ=¡ …–›	öHL
-ú¼ÌìÝÂYÛ…(tf¦ƒ>•OA‚+«ä¿dWÍXäøkÚ—­ ÞÎÓÒU±?*›¢jžêß_
-+µ¸¹­Cí­u†Æ…¥
v‹øò¬WU˜}öÔ“LÂØÏÚ(kœ¾¨RoiÍ^
$Hé~ÒøÈz’Tñ׿·xû0­®Åψ_ShúÜ2\o­EŠã¦=U´ž$¸_N	Ó–jz͉Q
-Žò2Oa}=AÀmãUv”'·ýÆû9û¨,Yó‹Äg“ˆÐ‰$¥°®ÇªÍ3|Z�í-Ä
-ïùnS;ÝŠM‚­fˆðÓ%¸<%kDpu47û95%–T+G“¢æ×*T‹J<Èü«˜t�‡'On¬ÄÂ.
-ðž¯ÔÏ´ZÕ׈‚�œâ^ž�>ñ·!eÖ²ØäÛ¶(¥/J‹@Ëz¼–F]¢wò¿ÝÓÏõwÁ/…=
£ÆhŒcsËtö„t˹¢Æ1|Pú1�—ŠR,·²ÖÑï„$8É
-,f¬S¼‚Ô·Nï¡Ó¡›¾¼xœñÏ‚È¥éJ#ìKÛ1íü±SŸä{årsê,<+ö‰ÙöÙœ¼U1*µþôD'î¿ð|ÂBÕF5Ç	.‰Õ+‹f¬æ-åuÝÓ±oFã”’zeí­ðÓ„A Ç«á±™—KØ+·,V	cšðôŽ­/EþrË<g{³™$�ÇÜ-+Ó�xYt3É°¯‹çq¬��¸”‚û@k{#lŠ�ŠBäƒ�ûO€Ħù%ÛèúCÝt@AÎ]7DXÒþƒÅuOî­¾[©ÞÌ
	m_'y…,ÒÈŽAìÊxi
-K› ÀöYt^¬evQ&57Ñ„t9�Æ©‘;ØQLV2²ûËI2­U^¹¨%Ô~ŸŒ×ˆzW
-—wyÑ7a﨑Ýâ‚\Ð8Ó}`\%êp‡có'Æü-ú稛ù2ü@/øç0�´âs]1Ñ“ì³ h«Ñˆs.:5üókÔLžQdBöǺs+úof´Ôë§hÖ"³ÍÞ„ôî¥J¬°aÿì·µid´¯<îûöÞŸpÖ=×&¸ùï|A½WKÏÓ}‡õ2yÐ2f:oü0Á¹=}”%�4€�%³ì~­46¬“âNÑq›äøáõéí”Ú,VÞyš0ÐYjš¿c\ê�àøªà躮´Cg6Çh¥8=’Š%hU åí™Sî·’|Ì¡)‡{—zBÅŠº¿ð"qج5å§\
-p
-íSß»bò7+֘ߠáænÍwˆ'£#µE°nx‹¢PšL~|ö4KQ¦–!¯jn£ÕªîØãVBGE”}œœ Žý­Ð{ƒéV³”Vã0¾ô.
¶Tv‚Ì|`°�SU[¸U!&ýø7 >hI£YÉì0…òÇ*껪¦úݳj€í¨ž¨ß`Ù?8sGx9g3ÎîèñÙt÷:n:—SúluHx‹œ›ÍÉPo·«ÃJAüÕh€ß¾ÅW'ˆÃô´B ¶q…¡Jˆ`“ý kaæ®´bg>–MO”¶æB8uk—ÄþÙ7)Çê®Ü¿5GVQ(ë¿P­m-FG*åTA¸¡WK2z)·	Ž
×?3�Ì�›QOl
-s¹
-�¹ƒ%ÔÕÝÙêj�ýX/â
-endstream
-endobj
-1173 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 2819 0 R
-/BaseFont /IANXSZ+URWPalladioL-Ital
-/FontDescriptor 1171 0 R
->> endobj
-1171 0 obj <<
-/Ascent 722
-/CapHeight 693
-/Descent -261
-/FontName /IANXSZ+URWPalladioL-Ital
-/ItalicAngle -9.5
-/StemV 78
-/XHeight 482
-/FontBBox [-170 -305 1010 941]
-/Flags 4
-/CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 1172 0 R
->> endobj
-2819 0 obj
-[528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
-endobj
-1037 0 obj <<
-/Length1 1630
-/Length2 16214
-/Length3 532
-/Length 17112     
-/Filter /FlateDecode
->>
-stream
-xÚ¬¹eTœm“-Œ»kðÆÝ‚{pw×Æ¥qwwwBpwwwwn
‚÷/Ïûž™9kÎùu¾ùÕ÷U»jW]µë®^½š’TI•QÄÌÁÄ\ÒÁÄÈÊÄÂPWÑT2¶µ56:È1ª8Øþš9()ÅœÍ�A@{qc�9@ÓÜ nn
-`c°òòò"PÄ=��–V 
-R
-�ššÛ»˜Ó,œ
¶ÿ>
-üfîajîøÄ
-hjcÿOó9ÿ
™Û›ý÷úÿÊô¯ê™5Õå¥dèÿ�½Ê¨jûw¾Y¹¸ÿ¡ôw@jžŽæ€ÿ•NSÞÁì?ÿð‰Š:x
-2¶7û;nÿiø6uuvþ«ò¿6ÀßëÿÇù_ƒonîanŠ°¾â`Êb�‘�	ªÃÍ™×èc…	u,mT+*¨qèõψØå­4z«
ejšáûh÷\>s|?üFw4Ö‡cKÝ›f~ù�Зœ¶¿ý'U'7ýQ³A)ræ¹fŒ÷Õ’Ü”‹ÆÑÞ”²ŠAÉÑL'»3ÜÕ#m
-‰ªV�¶ý^]n?É�÷oŠ üÐìæÇÕQÿÑŠ´Këñ¯0AÙ�¬ŒÚ#Ûõ½ü¶Sz_“Ò¶Âæ°Â¯£Z¬4¦×âÚpj~¿H]c}jÇyŒ{ì|yz0Òä$·‘×ù³›'È úKåWµ0wïèåóä»÷ ¦¤†®ßëÓôäNg@«ÔËfR~7øX3X¯§º<†ž‡:;D݇Y‹’‡±ÇƲ ¾qv"©Î.嶱8Á[Ö†¸gÛyŽ
-‡Ø
-œQdÓžˆo¥j›*÷ú*yèõA®È›ŠØùÞ*9Ö¤û¸·ÂÃmÈŒ¿Åû×táú9ÂÌ¿×jŒîuÊ�Oà7¬ä'½£[»÷HsHs¢4xÅÈé ývÞh÷»&N™3ï²,ä¯òàÞ¼�«»PøÛÖ……Ì\!nÊ—Iž‘Ý
ù™,dsa‹™2,ÉÜïéÏé›_Ôn8Zr�烹ªv{ˆW1óLN¡¦‹JD¼¥"eéUMäãëj“µB‹ND·ó›^ÖåÓܦÙv‰çxD‹ú)MènÁŒ;Õ×`xÞý¤ŒAhàI%ÜúáG`¦‡SØÉň,ø,^‡QXÒ<5µ[�OtÂ×{ù…Žö„F×�Ï+N•W¾¤Tær U Œ€´q^¾tÆ^?Ø|%uÂŽ¯B_µ÷Åás-™^±`Ö¹Ðü|ñ.ù½„õœÏ¡-eýËÅÌ…£×ïO©èOÕR�Á]k¯þ)¿ÒÃú çøbU'�þ÷˜ÀÁ±
CŽÊ|Øo‹VÀ,÷QYáŽeƒTÅ€4ù`hõhÃÌ"ÎÕ
-¾•Qÿfí2FZ	Ys“^É2ç1›èŒ}´�x•oøLÅ~êú¼Sr6Ã,f“Å$ÖÁ~¸!’Åu£Ã¾¹fu[¨½$|8GŠ	�XP&k©:Ä0[gIJõ„ç)C‘
ŒÄ«é3TûÂü‘�ë8‹(Ù‚.àu6s	v>ñ�±=ei™t„�Ãcþ9
-ËžŸÜxªÄ®»~dÿ|°ƒÝ{ú볩P¤ˆ�C{TÃÂb	~3˜˜	Ô¶�q-ÖTkþWBµRè1
-œ^Å}�÷b"áŸÙ÷?'q
‰�–Å/F?®ÊD¨%·ŽÐrm‡6ÓÃȈWw[ØÊ.K.¼€–X¸¢¶ei—ùy¦ ÚI‰sÁÙÛèFCëšˉ°Áº¬Âì§4{ô_ju5§qWb¡â:‚F�®¹‘
-£MQùžÑéÄ›—\Jo£c
ÚSAЧÏñ`K¡ˆC%oÝ«ü°¢’N½`ž¾VDÚº‘´^álmÌb'OŠ žQS‚s
xCþíº7pá�žÄ!�Jà
wF‘›�UíG7íoY{º³ÕãbžÕ\Û."{Š~ï!x¹Î+~SÆeT•±ZЯÆ7
-«ˆbÉ4‡\·L0<Vö†GÉ'e÷Ôß6ˆ'„)©o�è–¿aŠC!*uȨÈ9ý$JÄêpêütÏröýr–™·j�«œ'“°ˆâd§Í,=~è»EÔúò#¯ùI/­r˜íÓúY«hu=}þú]%HÇ*»a4W(¾‹uó2§ÊÏ}5›z—”í»¹8NÒ7“;ðѨ
-›ˆu61j&všQÌ/‚·bénx;Á8G̾
-Xþ®qp…rÆm`‘ /Iï¨ë‚‘;ýR¨•å)’Ô`m	^f©>¬OÛÎ3[~½›ÍÄŠ
-x¯°&ù.±óh|-ö¤²K¶ÉÉ6
N¿È¿ð.·ÐøSýAH×ú¤ÅÌÞ°—‘,ŠeV®D’R¹ÏÎ_ƒ¢‡):?¨\)Ì/
-ásÆ#ûÝaØü¾C-(^
Ÿ¼,•}3Ûð–VG¼:�Žˆpöø
‡~fê"¡€«ËöDñqšû„\ãL={,Y�6èsÓö&ÿRžéãÎvø
üÆ’ ©—2[<Â]*ŽUÍö~Fº*Äe¤A�¬
-‰&$_׉<%@v©Ç1‰4~å¢få¶_±Eû´½ó*`,ÇÂÍ“)‡�D7^[�#¨eNÄî]›Ä|ccÌ.g‰æRuõ~êP„¨ö­þ²ø�wâ¯Ú¬9ˆÆoDà{éøk	JPÔ箫¾<àØ¡{ÒŽƒ£H	ˆš9Û¾>,v§ßÚˆ37ïegiZØÃÎ’~92ïc¾q`¼„¹WËmÞ/ŸªÈ"Ëùtþù¡Î T¼
1¨3
-ŸáG®o4±	ÖQÓo$øµì;ÑbV!ûykA�žÔ^¶ª¡�/©ƒÁ7ÙÈ�S�÷ƒœ�Ôdí�MèSAˆ2xî^vΨÊXdºo{g@½ËZǃ¤ÃMp¦|€…¤}øí«š
-¹˜%AÇ©OOûØ+VÄ‹~{HŠ¹l…¥mß,+?(òÖÜþòHaöjZ<Dgº¢(ˆSN÷jÖI€µž„*m÷5eÉ
ø;�ë'{ª´äú\U·®¿nâ8¬÷Ó‘àfä
-,"õRbzR_'Ï4�\ÎG-M
-ælSŒNÃ	Ëù}ì3½ÿÚ»~¾-ÇÓ]–Í
-ÑÙÜôW3>Çz�¶P\üõº"kw5·D
-(ÙüՅ'•±²ò±—gÊ1HðḶÝœœò*ãN_RÓýÈõ´Ùž®Svt¤/wpõL;AÔ�Ñ8—šåÄx{K³íeS”Áñ9�UMe›ŽˆÍ×ßÉ¥al‘Âèi×N~�¾Î3�±ÙpYbd�ÕŽðéa/å…8•H	þÐeý%‚BÒØdÎö¬/~.¯mŒ“Óø5­ÝÑ„ßÓIÆk´í0ùX,ãHKKÙ©qä6ç¡•�ø;~¿ÉoŠœç”÷-mzË9é‹�.òÕºû+Ó·œª7ÆÔ¹D´!úÅA±´âë9œ¶a¤<Ïë­á_í°Á‚L=€@°ù¶NM�¹•íô™gFNó®äìS!à{ù²gâA}*ßZ¬¾"L;¡!&{SºGÚõvÿáIt�˜h<Êo`Ð
W•˜÷¨º=áp¬
]3#"ŒBŸtª”‚¥‡˜QðëÿDŸ°Xüù§—K`!6ïH©/ôyþËZ»ùc¥ÏÇÖ™„�ÚÝ"ØÑ�6Ølšä–ãNdn>�‘W¨f4Ý…ÊðB÷=Iâ¹²ÞDŠ¡éóñL—eMåu/÷r5ÒÄØù?¶ßíž;>#ØŸ#J¬ïíýwÅ\á0NJ]þî\wL‰ËW) á«jû콪:‚ÄŒq˾t/eÖ’Ÿn…‡þàOb�ë·¶tóÅ@Ý—†v9p%Z�§P4n¦khÛ%ý®äÇ=v±¯l8E45)ÂcŸfÕ‡³QùâïsÊ9
Yb�Ü„�ƒlï^ë)ý—$ÕŽþ9%AÊf|(—À»‚†�†�î^müu¹ƒŸŽC©¢p°°ð(3ïû{TªÓýᓘï,îÍÔ}»ŸÇ4¼ékv×
з5™\Å«ñNKå'®ÌhüMÁüúîVµü~¦@Œ1ÙYЯx¹éœI¶ä¹O¹˜	N‡6õqéà/ð¸7^–@€OÜslDåÓîjßËVS!V6U%áÇÔaDšò“£u»7Z3c‚8p€È3˜£Iº¾œˆ²#>‘¿ŒRý­Š˜–—œ-¤®ÐáZhOÑŒfuð4±wCóÀ:t²YÆ
-àé nرn¢YoIêŸ<vIS	Y°ÆÒŽ5G­æå0Mö½Aˆß„«ÿ/kZâüÂz×bAdð)9Å’6Îö‘Ðk¿Ý§Ä7#ÀjhD(ÅêùÒÓ|[Cªé¶w€áàrÏxéÈsCptE�’÷$eŸ‘ƒcö2o¬ÝœSaTS¹/]v¶Ag`æÆ¡¦Á§GlÀ¢?væͶuŽ+¨�Î_¸¤ k1¡v=œ°úš§¼›:ܵÍ2¯·^&,ˆ(:˜Kw²´.Ðf‚fr:=P]_ðµW2�Vƒ4‹"úCñSðåÙâ­°¬Ø«õÏR 
,{zvþÉ
ûÕ™€”{uuV�œ¬už‡ìNŸûâˆl,
-_…Q×G×züù²žxZ5„3&° S&áŠT›D«HÎÓMn@gl"º7÷qÔEÔÓÔ´´¥!e†j³7·_ßÛ*
-«4èÑ?jú9‘`¸âQ[è)µF¬j,�>.¡ÿžByù˜únŸ‚)L©uwŽ6 f
-(ëI0r/*•6#ˆ,º¨YCYæ�ɧàIfðcWζ�{À`Œ" ίí+¸6¶qÔ…Æ*zcÑê�Z ô,
-keFüŸÒù
-d§'¬ö
¬Âõ=¹»�+¢Ûžß›-°6Ç´mQ@hbQîÀ@¾<˜õJšBHçJÑ#ëµmVi¸×0®*YEáœ
-ÒÇ™¼ïw±w9=rž„%É�÷¿´á
…ˆÛaçE„Ì|ÔÝîÄOÜå!ƒî8$á[¢ôbIe©93«•ìƒUëÔ8Ÿà% !U ÒRÓAšx®PöÔ™JØkóÇ×ng"¼Ð+7tF|…;þí|PvùçÆg/CD?Aæ`CFF9€”’Ò󮋇ùã9#�H…Kà{p”¦§�ó×XzƒÐhÃƧ	×´;{Ø�É…O�ÅY“�óç"÷
-ãÊÅF_ÕXƒÖw_¡ØKèJVDËXcïEhÛ‹Ô—–ÙR�¡pŠÔ€V§éêÆÎ~'%œjeö¯´!ç˜ö:	cf
f(æ’"äËèÁØ\ûÖôùiÁ<„îvÔÏ:¥•F²,ÎÒ$£ÞzvbsÓÚqÂQ	V-/°í-2vŃ
äƒHì£
߬«&ÍÀµÓ©ê^;	çÞÇóó~ì/ŒŸðþh¿ÂÞ Á†ž^tW÷´]þ�¿À·Õw2tIW1‹*íàNk-ûÈȯÃîoÕ8çâ•<ÿfZÑÛu1¤u“&LÑßÂZ*4|Qdù ˆêó½ë½Sý0z'D%4•cŠHÆ#Gmqu ÜFu7â¨pq³ì~zS�•>�¦…¶˜¢¥‡EíØ^þ®Hj×-Þˆ-1�1e ±%�ɾYö^‰Á†ÚÍÝïx௰éý"ûcÑ®žêön=F8^£G�ônW?&L1wñWþ“—¾Í؆ŸÏêÆ€#§R·¼ÚR룸þæ
-EÚªVMo·Œ$yg@;”¦ñ4]„逵PØWJ]¥0îNÚ”}0ý?ÜwüÄ
-"¯RÊ*×Qú(­À4ö³)FO›’	‚äêàþ(ÇÀN-ÅBÁÚc·}2«Õëé¢~ÒR¯ÛûÇDã]ÛÁ›75ÑâÛ?}’^¸Ã/T89B"j':up·ýÁÀË�uŠwX¨ôN,[œZÕz¡jð^[�éÐÒÊB¬	?ùéˆ&µ_8èè¯\¿T~+¯þzF¹­õ ã+¹6sÕétäïøë÷’ç6é¢MLqý/V‰{k˜ÖtᎭ
5Â3r;þªOé‹-ò°Yüeå‰4Š\uÔ®¾O½ÜlMÀ¢€rº%bABõ΢8ò1âGÝð+kLiyûƒ7õ;3»à%h�#üï[)ÍápµÄsÙHObgÐô»ÑŽ¹?§Çe×ĵ{
�ì«þ&ÄqKZÖ¦ ¿ðÒ;qÛª47·‘)<´2‰Ç-Ò¸6,éó}›‰Êá]Â?…�®ù6Çœb„5ÂxÀž^èvíÙœþÉã…~È’Õ*Epב~솳ŸP§Í!ðœÚ
^*ŽÒ¹�\ÝMÙàvu¸2ÈL].ÍàE´”NDJösö–êä*\Ðqeùšß±œ²ƒ¯êrýrxÍ!¸ï%ծΟÖòÄͱœ·qšZ%ªæé»�V7äÌ¿%þ_ÿVš*Ý\„ÊÒ$ǬÇ™VaÖÃVáÙàYú#gXõÜ¿Œ²ÕÞ·èêµÁ),|d œ¢Û¶†ñ;îìSJh"¬t§?ßyiKYLÚ´pØŠG?'â{âÁ:ì&~&¨*Ir‰OŽŠÜô«þaÀäOÀÝ0ØÔ››Uñ@t°'Âÿ}û¨ÃšA0IùúL{—p.ðZ¦{xyYOÛ–©Äï´+ÜsHuOŒ¨ÎU
G£–@¬Èo`ñý"qà‘±îø•¢†>MÅ€žQg¯¦ün(Nß_äz[òô:ÕKœ­²S—|vîc50ð>rá*˜RLZr§±æ¨F÷ÓËÅRè¯%ùdÏÌnw°GAš¤’€\êÌp½{ë;îÿ©£1ö
§¤Z…(Œ�£ŸâÓlXzøÓ£g®éË7âE–$M@òŠŒ!‘ø„~!Óm¡.YAuõdOÉP)$0+1�7`´¦>‹Sºšà`Ù|ÃùõZ+iÌ%‰Õ-Ž­Lf„1®Á]L?ç©Žý²ødµ§jÄaš›ý’«+}W¸½C…÷	.ìñHÖ¯b sú=l!�î‚0Q­%—�	̤¥¥®.©Q0cÑ…2¡ùÄr*Û>ŸÙ8ðrõÜôÎGùÓ%'§Â5æ+)Éñ;wF$ö’/=Ô=†1Ñ¡*^À½”»ÑœäJû¢œ%uÅ,ºs+§�ItO¸’�ýô�í^êÓqVÆ/�õø­˜¸èc è¬æ²ao¼¸=¦ªò^y#et…Ëõêj‡sKÆÝ{%&é³	˜PÅFU1ÂäÿÈ8Lˇ™§”ÁW‚e¾Sî3_×�ÐR…%«~Þ¶‡ª­R¹¼0Ö¡|!GZ¬7™D¡Â�mlÉ«	û¬ÅÚ›å'û!ªXÌƥЇŸ$Ûn¬ßi¶cNÖT{·d­ì�D§Xw¿§ÄšU ~pÌßíÛ/“8
-—[«R^i52)úIí8Ž?œðí•(Hù%‚¶§q‹©[&H…U½3È’PǃjÞX¡(ìÁõJ[Ú(y4\9{1¯€kÒ‰X)×'Ùʱiüƒ²�{æxŠH.ž?–… Ý®�CÚS‹|¦iŸÎ
+—^Pcª(¿œ($&:W§||RÏä|ó­„Ñgx^­ˆI4¿,]…�ѧ	<‘å ãÜ5u@܉ÜŠ4
-î~%³€8Áj·ÌÓ¥í©ªf‰�¾„ö§Ï‰óçô$zƒ1Ž¤PP9*'+p9øx3T.Œh“öJ™¿Âõæbo¸ó¾4¯íò¯ý	~µbàÜÄÆÅëº
-ÅïBú¦·bF3‘¿Rm«v—¾NhŽµŸSs-©®ØVû$ß±:ÆMÏÇa£é¬¥Òžwu¸`†>I2"m)pŸ†¬)LJ-sE¤wBÆ\ûàx¼uÁ	ìàà�)†ý®?w�-þÄÛóS*‡Û×wün>òîº佇1©úìIn\@Áû‚#–ÊI£óþmü€Êå^MåQ5Û†ì+fÌÉ)sm%$¥®2AÁ*r¾¯i`ƒÿë÷/Éf×(’eŽpý
-’EbŠøÒò÷³órrx¿Ùî…Ía"”æ$çÆ:O[½D—ÏMmî”�ó¯åŽŒlº7›ßÔÁ¬„dp‰e=ãvÏA6ä“Ûc4ªÙ ž)�ÊÏÓŒMëU—)Å#ãùp¥)~Ø߇gºte© wuÃ�^-Ù†œ3m6vxÐ.ú»Cd&ÏÌ	]��ˆ
-%"ë»­µ	4-ÎøY�mº¬<ÄÕàÈVTøEʦl'‡U3ž,3îÔ€K6:á…Á	ز0ÒöuXêçùpƒ$ó¶žÅûšR™=?ì¿3OZ0œ‡‹œ$%fÅ5•.,"	ÅÕIKfL&Ýd«ÒÛ¶
-Ò*Ñz>~|åÄ!á“;Tÿ¼°wc8Â
-Ÿ(*mBÊp‘77cq²¯„#eµˆ½eñ”æ¦KN84�e�
-þ&mÕõ­1Û™�P·£SÓ<òÊVµ}÷Zê§@ÞMë€<€¬åË&ûqÝA_ÁXRz½–¬X;w3ª¹BË?#,d?¥®‹#{œhï1»D‰LÄшÔ]Lª0‹G€~8îK‹žo	H]¤äë®ü²þ“’Bö¾w€Ö:8Y2Ÿo¸È�£Ç}ÜÕV%�$Á½ôK”t³15^@$N5k›¿W²àéîJXɺÝ�h‡ŒqÇ^èð^—ÛÁîHú¸5<ºL~_ÜOùoÝ#ãP÷C(oqZo~„Øq}·wy™søÈ
-Îs!V •ãrMLñ<'šP¾ÔŸ@¸WYÒ‘wçÿò¾Òç–Ö–V.wÚº7qËw ¾y2obW}ËÐë£ ~W·Àg¸sbj„ȳBMtèi(\­ùê“í&�×ÙzzÁð4#C®­x@åHCK�‚[ÐÚ¤[Þ#Ç©rÖ{°“ÈÕ84S’cmáË“áôÚ¤È*§6MM*sËY$:_Îñ¤C“Ø“›Ó¬ªc¾ìi'õs1z³�vØhæ:¬—µ¼ÙùÆLå†Ò–³i]¨W@†–M˶�Ú§‰I܉U¡€G‡•
-ª'>Ûf4C¸MvtrZnà�yTÉZÕ$KËýaGåEìÝ¿krÀ‡~�fµŽúî„ÙGé¦éåGa5ÜÓ1ƒÌZ[\
U¶…\Ðר·ü¥ÀæêÛ‚Rèmà>ñº4ëµ÷VyG~ü½m4��ø0QÍÏ<�5&6,Å*Ô"	€öºàÏ`]M$¥¹¼$ûË«>Sîy
-i¢§£	!ã�º²�”ÐÙmPžY1áÈU—¬h…øƒß'p¿X²0«Åû×N¿”UVÀzÔvƒÜšýâ„å®ðÕæjæ–Ä�9Þr`Ã�²Ù·�…Zî¢ôÃ5†Q¯„ÿÖež&Zç:€âÜ3ùO7î•r+B«(ô]gþÒ¦ÈÑH=F�ˆezu±!DÓÆQfl³C%q§Kõ¯ÏÖZ®^®¹Nˆ;–¤ßÀ¨ZÕS¡…ÄñÎ_\‘닼‹
óDo®Fø>¦R°ÝÍj‘~É÷¯[÷oìÄæòn?[Œá)m’@©—‘Œ1´bÖ9�Í­n8-MŠÝšá_jÂå­êÀ:BÝ{8J4	4q†ea: ý>F‘-¼ªø¬Oð…àŽóMA1bÒvBŽ0{«i~n"É(ãUeAqò`Z(سRl�8ì|–�½v:øŸ”‚'Š’^ÄÏlÇ7…·}¡…4íKœç:©ú,X…¥­­¡bt‡~Wî¥öÕcE«ÃÝS‹†=@å	´Ê×æåóÞ=hj3áRe*ý¸
-Cà ê8ÎÉ]Özá·}6ù\ø*ø�1B%[3DŽG
-ŸH¡ó5q¤Ã·i±‚”p³×S“š¡¬p£“
¿ EûÙc¡ó,ßlÁ5Á²È¬íŽÏl©-fͿ궘SOpø¼5Sy˃øú¶(û
-.3Ÿ–�§ï¢Uí,?H-ýÖÒzÆ¥¨>#uQ4ŸÕÃJE,°NN•SONãó‚©�;0ãb°^‰Uåª<& ²Nåð I[•Æ«çº´ÉQì\ïåºÞïñ8+ìNH‰\¶¥S‰)½0@ÌJ,yßÙ�?3FçÐi®“©
-X%Ž…¾‡¸ÝëÄìk|ßâðmbØ|¶®¶LïÄì†Ùû¸ä¡›¿å�4
žUt§Í-Ú'ÏxñwÓƒhÜ£¬N¦ú€·$:–©<©?æÌ"7{•åQιv� – YRÀ¯Téœ'Ob­²)7_ùÖÊ$ùÐGDËky—Ý�·¢ÉŠ†Ý¡í¸sx¸ìqŽ#cßê©Ê±•góf©õ�Ï)mé¼³_«´`—¦„j?ùÁ“³Û)„„)F'ÏÔJL%%›«Éw‚¦¤‰¡g¸
¢̪Bé±¢W>"BYÉ:VS=e=X|ùÁ±¨Þw	ö¼Ž”ò°=èäÚD¢z*•(J":“–Ýæ�Ü\ÒËâ¦òU�àñ+º¡îîñ,XbA�eL¼�Ásg]ÔPŠûÕ!‘�I´+SdDÞÀð®¼b–ŠÇêqüÆŽ·ß0º¯¬÷Y®M»®¡J±˜|‡à6RBÃ�ðšÍØøæU÷¹¨E—9Ò­êÿ„l™– ÅÚÎÔƒ™­GÝê™"
âX[zq3H³Üé[‹ãq»©¦
-ÚÞ,ÈŒ3:I{r¼â:Ü?#©+²÷%g²	X6F~“K0'Òöé½0r=ŸËH“¢“éÞiŒúR7a´Böj»å¸’CêOm‹FE „m&V”'TKõœ
-
-¿*,‰Hç[`öR{w…ÝƸ5¹¾ŠÇŸÉz¼ÃWDgãX°+>BÃ]‹BámƒéIÜ_<©œ�+V§UžÌGTÆ‚(ø‡Þv9N{ Óü
-Ó�úš"ýSz×âת 2\Ö´ÝõØŽHhKÌ´¥sšùíio�=¶ïÇ·‡¾Ü⪧–AL!¾ëøãt¾tblkMÀé¹7AÑ|e·šáfa$|”?²Å0ËvœÁ×°(Õ‚î)=í†þ ±T1ß<”	î³ PÔÚƒÞzçäu™»Óƶ»]÷so›w~ª°äƒ]ÛG…,¡ñó!XúÆ‘ŽÝo-*d~}áóÖö2§Cv¿*ìiëÕÎøˆIXrg]é‡
³Yèîã`"ùÞW×·�sÔ¿A^nÒÕùIÖÇZˆ‹ÕúMºpn�c1à€ôC…M¯³ùmlU”Ø�—Xz­ìS;ÒÁ’½yXžMÈð›’]h|¹ ˆü¬a^6ÕévH£ÊšÈØDuöGÑwdp7™õñàéÖd“ó?¢Ñ>;ô¥:žu ôÍáS>3ÞÒ÷“ÉU·ák&½þ½e|‘ÝÛZuFÒ0 
¬±üÕ¸¢
-iÑ$Œ.ÞoŠárò"~ÖùôÕ³zUF•=GÉÝ©‚~éRÜ×h4ÖÀ�eiâw±žRü/dR�ÁŒTkÍ#wƒ0&§šžh,Gë±Ãñ°�`¿pLsî'úm�¯=±çɱe—~–¯#\‡zó,ªÊÃã•ì9»^Bü¹“ÿC=u°cDk	þD8œ/�'V¶4¥?�	a¶d»Ø\ñQ­mÓõ:F,ÇÇÔ²\ñÎ<šr9oâ\è‰ñÓ­b]Å»¦�f;Uˆ#e2S> xV¥
˜ÃŽ­ˆ†ê§—jŠP™­¸¡.!‘#È÷©voÔ`ÒSº’ûþž}°S
-T S!õ\¶ZãÒJ)¡#¢:sÌæÀŽ_îR·è¢#Ô¦Bò
-êOqÚô¡9U¤$Ö=6Ððü|Hò‹°s%nS,{¨üˆ&õÊ’—8$²cå’6¿p[Žx7íj£\k@?®ð¶"Ü<4s=3Ña½BÚ_Z¼–âç0h^×IÓ¡gÀDFÌû"�O,v}V%t	ïæûüH¦¼¯¸Êi¹ò¢Œ
-Vº<3ÿiúü`�+zв±ƒõ¤âBy¿e5m¨á^[ÄyaS©aŠ€()ÞŸíÆÜ=7w3ÔV³Md&	ðÑÈå’½Teöä´þe¢QŽh¬õäØîαÿ”øg´>»6¹”¼g´(>\PóÔkºßo†‘vÝ8‹¥‡HZR¯±˜(rÔs•Ì7R¶s×»LíªøŠæüz!ÁÈ 
U[–Õ²69§QŽƒ.[¿’�6çÏhüS—W
se®÷±dß
bfïyîI‡dÁFbNþ%ÕgÔÆGœ¢,bœrü(šÙÂ%+'‹
Òl�£g"îuªrC`Wro¦1€5ÇCÈ…çpû¶šÍÄ]sG¹ÑOnäàrqœìZ�I=…M}…)äCQÊ~	ê!µŸ¾Dz9·%eÞ!­û©ÆÁ”,Ý,>׿¿âb‰lGûrs

RøV0'uV·ƒÔ)É ²;^%!#úㆹå"à÷È“µ‚i4Í p#Öo·¤_Œä%±!¥Óæ`…(`¢ix¸ü={Pìr{[£3þÝɶ*\��ÔvµvÈÆe~0{zŠJ"É®Ñc
-µÄÀ‹í_~ …U¢÷íýwõœÅ6o¸JÚè¨OÊÿ7E®Õ?ÿm]~»úàD¾?œñŽ¹,à¾$ôƒc2‹™‹ãé¸æß‹M|&ìšp{³×Ó�\Ì	�«e
•Œ¤·Æý:®s”CrªÞr±[G^…_x[´?ÒØæå'®Öܬž¥Škv5‰GlŸ뽺>QÄè5ó†…¼~šÒÙŽÝÙvnÂ|*ÑÐaòÝ¥ÉÿÞ^á=tønÚÖ•_ÎïxPðdòùCß•b­RæwWbgÖJ?~årοþC¬[Býäd�Ư{ñ h§úÍwÓ‰Ï'}2~Ñ]Ø6å°âÙŒ9�û²&ÜÔîNÖñûö¡î±`luî‹)G2O=ßùEßCùä”Õùù[
-¹ÓÏ™wŸ˜sìÇÆâ@•»¯M·åöMXvºóEÿÿu9~Û¤k²¹¶…ê¼ª�?yÉg“º”òÌÜ{ç;�OÛ«YŸ$3iÕæ#ÛÏn•8²oväóŽ7¯ã}ËÏë�ÕýÜá?÷þ¹ësÿ„æÕäÈ©Ù÷pö.Õ`¹fýO©a›K<­ÛNîêè=|ˆuÖïD©â¹µßýÝ^Ú(šDªM?T¹CÂxÝ;)ñ´g¥ÙENÓ/Û¾}õ%×ÊÛJ®Q†…
É9©‰E%ù¹‰EÙ\
-endobj
-1038 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 35
-/LastChar 90
-/Widths 2820 0 R
-/BaseFont /WUMGIN+URWPalladioL-Roma-Slant_167
-/FontDescriptor 1036 0 R
->> endobj
-1036 0 obj <<
-/Ascent 715
-/CapHeight 680
-/Descent -282
-/FontName /WUMGIN+URWPalladioL-Roma-Slant_167
-/ItalicAngle -9
-/StemV 84
-/XHeight 469
-/FontBBox [-166 -283 1021 943]
-/Flags 4
-/CharSet (/numbersign/parenleft/parenright/comma/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
-/FontFile 1037 0 R
->> endobj
-2820 0 obj
-[500 0 0 0 0 333 333 0 0 250 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
-endobj
-975 0 obj <<
-/Length1 862
-/Length2 1251
-/Length3 532
-/Length 1861      
-/Filter /FlateDecode
->>
-stream
-xÚíUkTgnõJÀ+Å€€¸
-æ2�@	ŠMË%€
-ŠT†dBI&	¨ÀŠ  T¨\*­”Ö°Àr1±¢àY#BAn¬\uÝ
ôØ¥?wíÙ™?ó>Ïó½ß3Ïû�óY˜1}	.l$vC„bHi€«‡ïA�€D2ÎÂÂ…!1î‚Ä0

-�‰d2ˆ	±÷ÝWà²ÍvY›'
(T{
-‡� ¬¢1 À²a)
-Ly£ÖÞXû¢
-+¨É5Ýõ4:âûúí³ûñLj_VŸ>ø¬´^®ÛUo
-VÝìè¨Ç2çÄ2&i¹!×`9ޱʺy½¬Î »æ¬LÞ«gªÝ§ÊŠ6PšÉ*ÅA<ÎÝ™Ìôf §·ÿ—Zq‡›ó’½Ÿk4½/*ž•!g·�nJõÓ$3N(^ŒÛLŠÆ|ui—:KýSŒ-£àK
ÎvÓÚ.ågתJ$§í&Ýÿâ¾Nnar67z2õÜ?Ì_Æ
ü>ñýú¢PÂO1ÖƒãZÈ­½ÙÓqÃF'˸ÏU^uNÕe¦fÄÇ1‡¤îÐHœ3*KjS­zŠ¿iÔqhïŠiD\Ö‘ˆQ3¦–¾W¹ìŠ“nB‚@ÃußD™Ïì
-Ëùg¥rJ¨0¡~ÊÌ
-U)És‘›ò¯7Vì8�Çhömyèp|ÝLÓ«D+õ·™ULó•¦Å½ó%•
-endobj
-976 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2821 0 R
-/FirstChar 13
-/LastChar 110
-/Widths 2822 0 R
-/BaseFont /LSENRB+CMSY10
-/FontDescriptor 974 0 R
->> endobj
-974 0 obj <<
-/Ascent 750
-/CapHeight 683
-/Descent -194
-/FontName /LSENRB+CMSY10
-/ItalicAngle -14.035
-/StemV 85
-/XHeight 431
-/FontBBox [-29 -960 1116 775]
-/Flags 4
-/CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
-/FontFile 975 0 R
->> endobj
-2822 0 obj
-[1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
-endobj
-2821 0 obj <<
-/Type /Encoding
-/Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
->> endobj
-972 0 obj <<
-/Length1 1616
-/Length2 25435
-/Length3 532
-/Length 26323     
-/Filter /FlateDecode
->>
-stream
-xÚ¬ºc”¤]°%\]î²�,Û¶mÛvuÙ¶mÛ¶»lW—mÛúú}ïܹ³î̯ùæG®õœˆ8;vÄ>'Öz2“„@^‰FÀØÎÐDÔÎÖ‰†�–ž ¢¨&o`mm`la'M£hgc
-áàUûZ­RRŽ_&½þ’ÞŸfx¯%Ê3® ôEþsÈC®”ô“‘Bå0²TU’?…šÜ¡ˆhÍÒVù�òýåm»TúÃ8Z§ä‚�Û°ý	³:I?Ôöz"6›Èbœ^%
-
yá×h}×¹­Z ypÓ‚u=jëé 3\xœa(74nŠïRýƒ&cx£aYKÜ¿‰~ػբÉI·X�iêS¨“2�ø	ú›G²¨†lkÕ›$ñé³øIñƒ<½*­;:̽¤PœT�1]š«ÚowŽ0~,A¸ÕO˜Ó%/‡ìdccÅ÷‹k×{GKÌ‘›j™(+ÔBU�ÞD#¡6ª:Mð%¿s¾†I¼;v#wïRUèB&%Ô	øªÕ(cÊïZB™ª³/7í¿'|8¾—}Z�£6Ã*DLi´¯kâ'/rn¶
èXÐ60µ!~Èaïގا*\Dxc(uè³?^NWù±CVØñ Áá´ÅÚQ[´¬5üŠvȈ0Kïø^•vµÚ*V¦°cœ
(p3“¸µMÖiÒ|#Óƒ}5ãBy�E¦Ç•yÖÌÞ¢º<^×<;>3ý
-ÎÈ;V<g5j‡ùôIH›C„ÿæaTÓÂ
€
-úÍòÊix¹Öî]牨ùƒU)ʘÕü¬è»�à&ðŠqº_Eþ>Mv–ԌΡ�»:0jÚê­¬°ŽCgþ!ñ!YBRÕ¿i†D¯@!µrC!,ç´¦Üoieq$�wj¤q•M4räMÈ©X¢Z_ì¹Îãi¨ä�/�JF y Ètp(¬2îZ‘Ç¢Ùð‚:–ÃOxäb=ê:äH@,bŽ“t!ÅãKMdþöÑ•`£ªj•*ЪC[L+x¯Ù}£C”‚ÿ€!‘Éã|†ëuî—ÔU’ÔézÔerðˆá	Ã\·ÍZ åjWq�FW [ï•~s­É"Ëšã±ÄÜ]£Vf;ŸTiËá®
-Xz‚G)gàcúl¶É©ðÝu½^QC˜ûèÕi]s]°?Å"*Âü$fOv‘¢ö¬ì›	T!ŠåPXÙÖÐœ³P•Õ¸«
 "è
ƒ7käþkÂ[ŸŠÐâÓn¥%
„¸rñƒ‹3!ö†¿wqŠ+÷-×}ñ¨C}3X¶[G\v¿Vl=Šþ~ƒìBjÅžµ@L
wº Œèf‚ý.ÓÐr›'<Òü¶Ž¿Âfæ4ù�J äŸt^
gÃÓŒr;‘s¦ŸV�hŒ@€'
ǽêdòÉ,·œ
-lô³î@p®’Œ”JEcžìe‰;LÙƒ*#.P8Ý^NrÁO®w¢êåÃPäåú
‡ªî©¯�HÏùñâÊ›%ƒÓÆ{¤Û«Â�¹}‹÷þta2XÑ`È°½W(P�l®ôt‹8áníÝ1¯v«Ÿ<ñ¾Í4­åF¦˜4d¤Dr´4J„)Ÿùë¸L²µ%	ç?·ëÚUA§tkݱxèLë…3kàN,ˆÛ3«QÉĸǹ‰–B´‚7�’ûÄL³_ËgƒÕ
ñŽ1Ü
-˜šæ}›Û}}<‘3°2èRÍ�p´$ðʧFu(#6A<x•)Ÿö·QÜ´Ç
-å,´,œ6ˆ�å|ëÒtлå$
3ÊŽ¢¨'‚±×ÄŠé›v#c5ÉÇâÔǤw
ÐÛ�µ0ÁoãiÙíà°Añòœ¥µ¢Ã®
 DSêá©ó,zé6A²”VèFšxzGˆâJæls¬>ìFÏÊ2/ÕÐ:C
-Ífg4ÎS"
>ˆö—H¨äµ>8h¡Š¡3lÒ
-{%ྼ¿#‡«BÈ,>‚^@Ò¬Ç0n�ÓCížU½šÂZ^u»éên®p%	À#d���_Ðby¾ÅéZDzl€÷„R%ìS¢Ù+L}êPS«‰$1Ád8Ç2cæÃJœ¸Lx™Š¬3µ”êR'1ãø
-ø—I›&ÃX9!«<O	|è¥5©ÓÑ
-ÕMêÔž5…ÅÉmW¶Ä!ßCXéží´*m¤ÈjÏCB€5BŒÏ)Õ‡d"ZÕጼ B^moJ¡ì‘×Y±øRAD%HX—«Èë·ÀÇ*ÆÚ0Úýé –ì?9Ö–]©e¢ßÄŒ�B<ÙÁ„CdÀ‹l•z
-GzX°ö0F!ëþ½{¬‡VH•ZÄ2[t”€pS³õ.aQ[í)©u�
3Ñ
-/üI*Ô•ª"ù(T€}vÄ8™�xfüzYX¥û™w·$]-aÁ¥æ»ãBó!xCšœÍþe‰7Ä…`¯n‹³¹êûÅÛ
-§ÔrDš�‡ê_ƒç8ÉÈ˳f^‘±Ðòé£�ÆK$
xþdC#‹C7‹Úˆì´½‡hâžrvôîešxÐÖðà˵ˆ$Ôï­JÄ›'¯ë¡¦¯Cy2äÀªŸå‚¡ŠÆZd1”ûÎçÐ"ÁØS�X�}j3r>“¢0¥\Ò;QõԾɇ¥-§ ¶ŠX©Ýo‹	LëèR×R$A[sã
¦ø—òÂ`®/lÜ#ùhŸÁœŽq½Ä'�õzkü™]sÑÜÞ¬(Q¹Íþ©iv`cöù¸-Óz X_ÑZzVm÷ïȆ·ÐQfúq¯<–^È¥Òî\èƒçB�©.ô lräê‰åÓÊgj´øod‘ƒ|¤ˆ¡Ð	\yh´v‚�öµ�:ãY_¶”œJË”(Øž#¼&bd·‡¥”<Xd”¾×!}ÔÃúŒT†‰ÀR‘‡òÕ­¥×Ý�“ÐÄJxÝ­&Æõ…/¾uQ~4NŸ­]º�›?•‹=gæ8ã
+ßçœ;…!à<�
->î]&“ŸYdŠÃ/"Á&ZïY±Åº,nGÔ®Gz§õk+ñ¥\�£>k•á„žjß6Ù6–Ô8tµÄO§&¢„œ´bú‰|uTè@ê^[Û5œ¼N<vñ•we·!XŽù²)uê^½´É¤²�ªµ42Ý´Œç€Ù¡Yú	ó—Y	JëØ	ûŽgL¨KqHÍ(~ŸÌAMª_¼lkµz/(«·ä´X)‰F_6JxF¿K·Ê­ô
ñÚѦï{-wM"TШ`¼~Ÿ“¬ªvFüÔAŠª<Zô”ׂªìk<Lתø˜(cK©ž³€bSVlä"{�å]Ùó€ZïDFý…ÜÐå½™¸<‚ïïï³{
-„,Î8½Õ­Mþk¤«Á5­� ÜªUôæ^NÁ&ºg#w�²X4YeWn1•#~™¼qâõh¯jP¨Åö¤TpëÏè¾ö\]–öö<…¸�GxVÿ”K<$L
-ÔUñ@•5Þ"
-¶¾¨1&µwÉù\ì9UÛ39TQ÷亹í\ ¡Ã=̈º;	GLâ§6ÿã�ì˜Ì¡"¾Ž•w…B|(iï�ˆ'Å'º¬ú[7ô
¹r+£²*iÌ�ÆÄ;¹E}—ûOþÊF\]¦l{Yå
F=AD
-»÷	¦!ô	ãÔ'§»ÞÄû�✨œ¹Zzñ
-‡™r@ŸZo_ß±¼AÚ
-êú<V{VIÚÝLná_ïÞ‡¾’õ™”÷Õ.
-óBÂ:2s²uá§(•ÈaŽÌ9:¯Ü·2tƒ³DKÖ<ôG¡Âç龡31•ÝÊt#íg\
-.˜íu6î�i²ÙJŽÈoµïxöZ××_sZËòh°V5¼}r¯ÙÑþ3DXÿ8Ëé6æQàÊ)’v÷ØÜkxÞÝé÷)Jæ¿ßd%ÌAm=ÇÂ(#Õ KY8ý_
-u1`ÑΑI¬ÎP¨@àÜžÇ?M}®‰#	¯‘½Ð‘˜W–íg
wÃ!hºÊ¢ßµÝf‚]\@˜¶Lyìodªš¹øw‡“>B«Õ·¼Ë¿/K€µUræÈŸ¾UI±íº«à
-g…ß·.:ÿaâ5’Ö‹AZiD+¦ßuFƉ}¶û½é2™¸ (ùp~·ª³x¢
:’3¶¾/e…)ÁÌ
-¼äÇRi¯z>ïuÙ1VÏм ÿ¬&‘3ŸL.~Y
-_²�©Ð‹âOàvH"r§¦$ µé
-º'7$c²ÐˆÐ!•ÎݧC½¬�ç$Ê?bï¨þìl"OâŽK±¾'˜w
-bx—‰Üêüj¹£O@ÿÙ,s�[»6ýªícávÑY¹hd_æ“,
VŒ œb¨
-‰ð#"^ÆÃg¶µ¸!ÿÉ#i/“ªñ�d—ÁÐRD4ìŒ-%…·#àrþvf"I(&!QƒÑCG¨swEe`Ff÷Ëڌ札RC†×Ëîï+ZsÃãØHz–Xf--¦¼…”N)±;±shs{£•aVXAת]¾b9ï"Áúpœä•Ô�m90$j®„ÎxLYxCÀ8ÏB¿Ãí¼ìùìéÒeEá…i˜Uê#‘ÕA¤’¯ÍŒ’a
-«Ç­´
©¾T#$5?	éŸè¯¡³präZè<§ ÑM{å«¡x¦¯¡É!‚)±6¿Up‚Ó¼Ì�ÑÜŒ0+ü9r×óÕ>�ÞYãÃô	d3–Ò_`gbת}û
-rÂWf¯(¾ Ê.T³ûœ$rG~‡ÌR)G…-
ú²O2£l?ÂBüX	CÇäd"iXćÎà÷ÈÏ:ŽçEN
-}
ö&�Õ>­o´×ã®�æ¬Ñ@z-Ã=é÷îÛƒîø»^]bÄËŠ¬N-Iý
J€°ÀjDM;©ËœU×ô™Ã|ÁÊȳ5Ã
-¶!yJ6Ü#½ºø5ÒÇ-u
´–Otÿ‹Ê‡ßk§]Ã3¤¬„0¥`áÊ“êí~©/^Cë÷•µp­Éü7scË	�Oó‹¿£hˆ-Þ€îi	î¸[jÄ'Õƒ�´§!¶—7žÝÔY¿EΜީÊËi`µêm£¢>TÓñ1Z`NŸ‡¤'ü±i“’Jbÿ€‰9XêÊÚ—µp,�½ÓW¥ÂÔr×!KšÂÎèü`‡ž„�Õà@�l®
/­Øúæ.z”ÈÙä+ö<7›ƒ�\i0z�lý£b©UÐ{S›|€h•Yƒ‘æ>…mL0‹¾¾„,qÊdnï#çK�{êºýÂI_r(®¬µ׉Òõv/ˆÏñó÷†ÙÈBDßÑÑ#…iâ·d‡W¸ˆ½÷šЛ­ðƒ‹_
-ä¶Ôñ{uÚ¸M¯ýœîdßË
-‹¬)Ì Ÿž6Ö=
jÆdÝ�;í¡Ô¶„µ¼n*_>;y<"¸ü,߸藵’ðð’d
ËD¨Q T
ÇëÌÙêÏÜÍåïØ`.ø|Mõ­ºí$õ´ÃÉ�*šö7 ´¢Z•—C^“úkVa=žBž«ÃUõu‹VQVQJÕ�ÞL§Q¶Å¡ïºÜöÞÖøMØ¥b]«�®[
¿o:}ºûg<$ÈVX„~\î@uOG®1uçæM	‰0).
UòòÉÈhW'Vws˜‡×ˆ¢ƒ•\
-=;3؇ZÑm{§fÇu1{©‚q®‹é%Ñ)(Û+Ë*jóºpd±NáNK¶›áóú E‹´Ø*ë_ªŒ®NvL¢Q°-ëlr±ô¦‡³ý4Ý!aA…ÚxYGmfBv_C…³ØÞbšÅ³”ÖšÐÐ
-¢œñ £‘I½…
-M©�:l/
?Xå›èSîvåžÉ›åÎÁñiM„ED“¬Êòòn[»yÙ§”	•Ýõ§âCå5úú©:‰È•5
-.¨CAV²­¶šH't¨_ömjAžï•Úqm«B
-fÖ��˜>içtd9,kQÏŽùpMî8Åx¢E�w=sõóŒ«ÓjÀ˜#ˆÛ•¾€áꌳE–o!)»)öÒoõoÊQQ<RñðzËå3¢XõYf^åvò´­¡b†à*õÖo4kyO‰Š§7É_#¢�wm›Ÿ
IJªì'þq .½aø°+rã³—2!š™ø`%<Rˆ‚ÖWˆÓö³&¬ ç)UvCÜ)s6(âÃÂ[ž•«
-%Íë6©]’´a®Kó5”t>ù,�bR¬÷„Sö«NÁ\�S_+Ç‚øÚ¾‡Üzh(èˆÃA¦ó_Ûð¡v/Û¤¼øAÇJ
-½dcb4Ç�åøñ¾
-™1ü�˜|Þ_"UZ¤l€¹y%N
-�ENc­wî ¬ O-¾”+ÉagÙ€ÆAÇ>Ú/ŽÏ×Ë_‹¨i*ˆ{ºº�„˼WÐP�ºb껾ÏÈXÌ�P@d˜‹ïU%¥:©a:ƒÚ’¥Þ³4IDÁ­•ß%_…=!ȘÎa\*ß¼¼ê<»áae)£éŒð"0£míÉ­¦€|°Uá„6ÁâPx0-öQ“ŠCÜ4Œdx^Ždh:)³]4Û',PÅoè­noƒ=ë줾mz{ôÆøÃi?ê—á4ô!ö	åðA5±÷ÙîÏçì}
%ÕEJž;l¶¸Ûü
-³�]AQ°ë±€2½'T/]y{ˆs”és†îæëqÀÇ$Ië�¾í(Ò̯³’”šeÞ¼é4nGGq·¸Ä0uZí‰b
óÑ£€‡«
²``ƒ¿ísœl·ÎF)peÍÑôpÅzFÝO•Œ~3SºË?¨àÉ>î#À�€B8 p’Ù)À�`¤cLå?Æë'DÒk±G*7,}LðüDÉSXV¿;Â)‡É*{õ\Úz5pÇ-Jêè �Íî»KDO²‘×oyAƒ5ȃèòö6w	 Q¼RxÜ^ÏGçÊÕÛ·Ì9Ö=øÕ!ކ˶±€ü©¦âù)�X“`I:qSŒÄ¸Œ)>]K!@ÌYqQÁ‰¸âÇQÔUw¹jKNFÀ-§W<¬
-<òÚU¡~^d‰ñÓÉ°´eÖòóh
–P�B­åÃ=¿ò‹BDêôðÉ\Ÿ³Öy	LJq¼X*`Ú6wY=Ò*PØC2À×ç»á0ñÓ
-òDG^�d£�~‚ÈâÌ
-øZŠ.�V«‡§G¯�Kb)¤ž†¤Œ,]1ccQ­ÎO2œ…á´ÒåÇh‚TÓ÷ãφ»™¼u‹gÂö<†¤|d±�‚Z5Úd¥ÇøG?fIiÿÑPU=Ý <G þ`GCp”vö©.W¯Ò*³À}%)ÒÓ/“çÀ�y:P‚N§ÓX&O2ÌœÂ6ç
-êh»c±ƒI%+¸3“-_†éqí¢BfÑ?X¢=¦ú<=U¶8hÎA/*Ï	ÌI¥ÍÝHÑÐ[ælÄ•éînx™60ª_{tžõš“KFÏ)`¶Ïß*‚Ó±¹‹ë.V˜o—“ñ,C±±7'Š´Œã"œKýóG�:ÃJ‹¶�;êF'þ-­Ö×RñI
±+Æ·êûVÍb|‰(Ñþ£`wœa+ŽâX|G°Â’ûUö��lG_Ý�QÕu—OÖŸ‡
Óƒy@’”÷TÀ±Ù´ÈÙ³[•ãqPæW“ÌðÉ[çñ–GMÎÊf„V½Õ¶¬ûÔ&`¥?£�˜CÍnÜÖW}˜L=»FO+fÕZs�ÈUÉ
-qÎèÁ(/3ìã[¯ÏõC‚Sçü°b¤
-BšKä;*t»Tåà™Ÿ1gô5_§jè’®H¤²Ä�ª<‘&
-:þÙiÓ„ZtM/e*�iùüYüxçmMßÝÎú +D
×Åo{
TˆdÚ[�»o쨔̬u‚i9¡n~p
-GÈfêìð.†t	DRmfÀ&Qý3áv•}Ó¾}À÷òóK…²×™V)*­¹Eµ é£ûÏ=è㨡‚€¶h®`ÚS΀Wvm›bÏŽù2‘¨È—œR?\«®Ï–äTgš®ˆ$gÞr=¯;˜QW�碂»�Øí¡.ØöÅ�ßÈŸë}
‡îy—>Ì­}¢à“RIêM¼•e½¨pl,¤3*ÄT·þÑ)0v’ôz‹ïü1Š4jH¤†¼a\P™ï&?§’©7¨—
-Þ=á”7?îÖ
ñËu.›ÄZ=•“ز‹,-~ ‡JÐÚôr&ëm û\Zæâo®ð¼‹I^†ÀÐùío¤Ll‡ ¥TeæN"‘ˆc{Oп	›Xñjÿd'ÚŽ“La.Ï4ag•¦¬5ÎÁ
-^|eV
- ó8BгMð�öŽ5·krÌ¡¦É‰†Î*óî˜E”
-}Åó–CglxkSÅšg;×rÑ?ÇÈ8Œ‡„¤•Ö}Y©¼tíƒÓÚ",É«2EÅV€|ÈÑcþ–í‰øȨՈ
-›¾Ë×±BnWMèõ¦Í;öy‹{?%Zp¶þ�ï,OOÑ^:5šçð0Ä+¤‚¹§jÀø
ÿ™BX?„ÔÙðµÇ¸ˆ	ÐUä·¿Dü.
-é+ý®ÞfDäƒ[䉰eתG×»–m»Ñ€Žve¸‡×o òƒUËG#Þ¯3¥HÐçW²Ðh´XÖ….ÍÎ-�€¿BÕ
2µA	¨“¤ý­"¼¯;Ùò mf"8vzP¤ìúH¾Iø6[‘#aЙ…gªÃ&F']-+†Z7üRûVë^ ‰j˜©KZNÊýA?6~ç¨Û욃áqÍgŽWÊüzǃ½+àIcauÑ“‡Úþ`öŠ„˜¡‡€ A(¡8Å
iÊPH°:)âŽvÕu‡5›„­™±Àíc¶«kèÑXËa¸Žæ5Ç”sõü3øE +¢2WÑÅÈ­°�•òÍ,ä�ÃZ&ÓRÖïªr@”ä4¼8è‹EìÀ°�?a*²oѾtü�§ÐäxÖØ<ØDÞ�Û<Ž6“K)¤½wíåIXìtcíZÁGPŽDÎú'…H¼hë ›ý÷I~žŽ©e¿6ßpÝLàAü:IØ°³ƒŒRoÞasmÐxÅ»ÖÈõJg½V Ê!n—ú1̃*�<¦UY!=<É8õ—LòÝK2_TÑéÓ1Å kžsÕ
-OÁúFbáË^€� á�–ßô¶Ø<ˆ’*¦®ôÚÚ[ªO@/iMô—±™µÈÕò¶¹j‡ƒ9�GMzOUõ~<m€ÄÊ“ÅÚŸF—ë*ú·¿…¶ˆç%cíЬòré!’½œÎ-'š!ÈJ¥¾±M
FÿÕ“úå: ¦©at4g$©\-ið1¤r§å}êëŠëC¡ˆ
-.“Ÿ²l8mdÇÄ×ÕB„�¾É•‰¿eI¹Q!b'ìž´ô§W)±„LŽå•ºgÏ‘„™°w‘£:
-3¡�
=ϧ‘¥QTŠú¾šèÍzÅ„(¿¡gÎ"ßl®3‡ ”‡îoÞƒ+Z¦oáöà4Ę=tÉK-Æ4ä|~üaPX/D&_õÅ;*¡ÿªð!„i,ö,–xou*Œ…Â0c*SäH˜èµù¼ŒÜ’µÙ:üØr9Њ6p(ŒˆÿÔLGEË?9Ø6E¦ø Cø6ÜìzU‰ÉJo½TÓ �xõ3ÇÂæ´Yæ ¹ZK®ºµdy—ªÀ�WÄ
÷—Jbæ°W‡Õ$“¤)!`'<ü¡a¾ó=¤#Û·jõ嘕Wqo˜ý–)_¬HÅ3ÔAIW²~{ŽÑÇî/‹&Ëß]wÞÎZƒòO°^åûµÁHñë)¯­ÿ
z¤ÙÖ¶5.7N`‹O:KõhìÙœ=ºû1¯å'ˆ�¨d[àÀ®¦ží¡¥gío²wG³Í\û¢922 ñŸzK}·Øp$ÖÈ,b—›rd)^ÔYW†×1š
Ëœ�¦6p-eÑù[n$„:J°¨&bSEa‡H—‚ÑW¾öqŽ�11ÀcyÇK#m)!Æm±¾59õU$}À[çÓƒç¸×‚%÷‚~H®‹>¬¬ß5Lzcxí
Ek“ˆ¹ú¼Ñs:A²óp6¹önÁ¥+²àP	õÉA¡‚�éÛôÄ”,,¨Í�b6ôʘŽUÀ%"ðÔ”ç~qf?�2ÎƉRW‹êKС:¯¼(Pò~£¿˜e*²»ž¬hq»
¯ù‘1'¡Û~P�ŸÓìªLqŒÙ*£0ì�ÔϺ Ÿ`tÞYïwý.Ã×›Ù/ˆ'xû:ï+#™:ãàiÝAÏDÛ
-ÛÁ@^“H·vîâó1ôצs²5?ns÷ü*<À´eºbME„NÇúDš`¡æWÃ@V©h£�ÿ�Ã8´¡
”v}‰¤ìcJVÐ}e!¥´ï»QV=´›|8Ñ»äëTË+E¾+,»0–¸µ'su\~Ñ
-�ò$7c¢öázh˜O¥ó 8Ýúæj¡Ã‹‘/%j±A³Àóë™c5$ Óür’ o|*…i(²^j”-°ó!"÷ñ,°ž'Ôqˆ��¤âùŤCU#‰†y0-Hr\'¾Ñè5‡¤%O_JíS<^ÖácP°ZþZ5‚Ò¶m…ú[éîI’àÙ0ÃQùÎÇhpð§Ò•>þ‰­žuê]O‰´öd­ã)/P2‚©:Îçùþ–
b	¶9G\ 
-,IŒ¿&˜^ý�¾"Ϧ¢Ø�qr�,Íß®Ê>î&x콋Ád@ÜhìÒZtES·Úå«\¹
�ž@mú
-eî$Âjp¥dJºlw Äì³j
-Ü�5Ç+Iö*|Îü®’UZ­p_%6opõÉ_IO7;”Cô@¢™”人D@2¡B'…õ
,0™ânN-ÖkƒS[7p,sÍ>
­ëÝ]àÚt�¶Ÿ¾ÿòM5nڛē


ìhT?]ÙÅ+e@Ch@JH$êÏ&>2ýã°£­ YúDXQÕ¾ŠÈ‰ÕŠÃÒâ¦Æ\x+¿`2eÉ	µ^´ôB|iCEÊ·\=
Ùü*7�CRLžÜt›x,3¶J%A ~†Ó`�®*w‡Zý.¨#WÈáˆêS‹“É*&ÖLL~'Ñ;¶�M'&%ê"×[*moº¿ôH^ú‚	nM6)•U«¬¢WVg§Ä&xKí{Ç�¿]zÉ�
-¹º˜X£fÜ<#}ôÞœl:\ö%\á·Ñ–Ôõ<Eña›ýE>WYŠd÷
ŒÂ[‹¡Þ
äº\œÚ�9IxúIÞpÌš
äµBÔ:¶—³ìôxÅÚQn¸ÌÄ/„ÂœõÞwŠëÂ\ÓùÐÈ/ç:køTqjNÅë“j…㜸\—³†g›d8¤¤ŽšÚ’ãLZ¾Ã�¸]âì´�¶Ï T&¬ï66ªÌ½*|¥0w«
vî
&‹®l5fÙšEÉÿô̹ñ�$\wñ£O*9ÑÔ
-MpÂœ(i¹p—ÂMœ;Uk>$×,>c§ˆa&¼(öBŽ“,Ÿe
£Ü
-ýG±ý�N�;ã8ñsø¨ï牑1\°Q“âæZbgxÁqÚŸ¦)1â­Ûw!hK{…
Ñh­¯\¾ò–§¢,ˆOÀ°h|ÎÞØéjn‰‘£#ÍúÅ4|ÑÓ²qÔÑÁ¹õ1³G�ï¶&dðb<àËVOÇW­R‰<­¦*›¸!ôøP_1[,±Œ�v÷~Î Š¾rŠ€¹³¶fúÎÒ6Ð…i„
€ƒC#Âu�Ãè÷Ê­¢‘i˜=ÒL\™¼æÕ�Ù¢'¯Æ’•Â835P�òîL±ÇSÌÍQýí–Ór&€cÛ¶9±&¶mÛ¶mÛ¶&úbÛ¶mÛÉþï°w[ÛÐ7]§ê´sÐç	eˆ%Ó29§b²øǦ+îäò3ÎøÅ/åÚ¬¿ÛŒS¾\æDéH¶ÎÇhyvÿ9ž^¹þS”s9õsꔜ\ÊP[	ãÇcƺîÄJ¡Cr‰ŠÂéå»N,à] 5ý…–
-ý¿'¾�-ØGŸs¶Ö¶�
-48§4î²Gá0>¾Wlx{O..ʼn6mD¸—ÚµQ¤]ä]Ž.†Ø0k–:3ê‘M}úf¸âH]*�Ñ|ïâ|@…Òï‡H™ÂÖ„ Æ;¾æ™�œåâÈÑ¥¹Ìx0»°WäîÎ{Þ~
-ƒÐñ�2×"ËOÿi"4§^¦"ˆËoå<ð­��áÏ'¸ä[ÓÄõ*	wX¼�ê	`؆
ÅuŒÕ×´$¦0o±��ƒ¢ã ÿnlkÄ=³÷�0ú@TÓ~"Ó,àçÜñOÞ\à}ü½ mxT�ÀÈ²?+Ÿðw
íxª¬ò“ÞcÄ1¨+EâyT;°O
-”¼´„Ì•4YHU�†Ûî:À’´6c§ŸL<ôwÐvbif””	èAÆ1`Ï”yþ–b“àÂ…–WƒÌà.šžîý˜ìãObéFv©rüh€ÕÌ
} §¾FUStŽüõ¥¶£ŽÆÝAï¥i’h� Õj=úè@ÂÅðÂÅþ°•¼Sá"ŸÎîÓb¸®"ú�áÀT°îJƒôúïë&n‹™Ë‚'ÊøOIµé„o„œrÃîä8й+óu¯é¬�¦ÎuܬȔ
- AˆÄÒŒS�€w¢3"cöèF‘þH™ÿU¬þ›�€ªb;6ý@>œãžÊß7)Sz'Ìä­Cs"Oõ«—$Ö‡Xž|ê#ϳ݀¸®3Éþ¸x0±Ý¾Æ@ÁJ&íæ×jJ¨µjÃ[ä-ÙL˜N`žFšxó
MCÜÞ ›³R_Óf
·âéÛßVçv¡>	 $àdã<#OG1Û¢F7û™m@`�ƒ“rº”®½C><ªˆF[·ŽI<.f$#Ðüõ‰F¼úóÓZ—zð}‚4JÚ‡©‚­oI†yjø
[xWûêJ¢rédªM.<T¬¬š–âà˜.LVÙÓÔ¸û‘P·ï�ëÂ1ÌfÂ
Ÿ@@¯1yO~CnÅŸædçn$�»2âç
-J’8±ûüÙM’æ”[¼®Á'Á„SbS
-¸âÆ°ŸË_¯h	jŸ*5Îþ¤.D#gÃQ‡wÏEœl,›^BŠLg<$¼]àÂñõøzGÖÀùš>£é¤+ÿÖÁHc4à�Î’»	KA(‰ÔÎH$<!%È…ë5
ªÇ„÷ØÑ
-ü}«Ò@ÕAšêïÚX²aÒ
-˜=–ú™ˆ©hi$BnÛÕYoÊcFTNŸûìèÍ2õë”™Ûøà§{¢Ið§!U/M眼ԴŒÈRgªÛOCº2Èz –æÅ/ñŠvqü0kZÎ$‘T.R©fÇ­Ðêƒ
-MhÚÿ„¤BMsß{€ðÕí,UtËm YÅk¦X—|Žª…Ò/M½l=¸0Ó-R1ˆ¯
-f_iz�,©”›6]%¼5¦�D–Së:I™›&ziŠ…D¦>ƆÑåϨÓ})mŒ=Tmñ�
yDÊö7©ÏîEx×$Ž¾—6êñUÙªû®'.•ÁÛ|uK�uË 5y¢¼qžYàΈf'«|~ÁÅ
Þ°Mœ6Qï¥ùTú‹­K¸«ÿ*èžø’ªq7
-ìÎ[ ¶
ÿøVfÄX#Û;Á7å‰
-SCsìtLÑp|† _VçuÞEª¡ôx7?Ž ëDäMvŽCÛp—à�ŒCˆ~x�eÇè	ñ„E
©Vš‡Ûé¥ÀÜpŒc1C	xnÏÛppÔnÆÀŒ:ݨ¬}tS4Î
Õº�´ÐûKÜ^ÅÝbh6˜,•áNfÊm×A˜ªŠ�·×鶠™‚mƒpÞÄÄ%å˜swÃ�Õö)
-5n
V¨~vu²H§<mUv€[A„!‘#%2‹ä
-Lø9Ñ{ýœËå¦ÑMj]3þ
-ƒÄ(}®™˜/—BÅeUx
-Sêò Uµ°W�¦+­¨SÒÇp§�-ÿDjë3Žsneé6O¾ÍlY¡¸;ãß¿Ç5ú˜�Lý:àÑ0Š[5´q!‹:Ms<”ýñÊ’º?ú„
-›Ü«¨Ö5"
sVÚGZò×gkïá.W
-ÈMBU7{:ãKIÐ
-ˆ�—ˆw›&(8Ü“æ½Ì±ñ1ÑÔ�^Ú¯Ãàrð£0ë[kf÷Õ*}¹ß@„Æäö}7YÃê¨Æz'·KeªÛ$Ó²bI
EÙ#ßï{†,’æÕ~ExT.!Ì.
ѸqGhý9p2À@Êp_Œ^Šòû»âÑ@Æëø�æ
n ^ãÂÍ’ºñjQ�‘ãj韹ԤíÌw/®xá�úÄ3@�ŽK�Ñå=µ…T¯à™ªFã�õÏ'
‹J.ô'¤w£1’ñú8ŠCå#ðóÔ†,éx‘ï6ÓÆ/Hi4’&ÕM~ÿh/ˆGðv�â2•øÃ:jp}�¤gIp;pƒRM1¸ÄÜo¡\
-rGþ@Lrêjhx%8ŸÚ>l«Ý^=é⪲
F+©d€†µ‰¼½¾B�`o%冴ržÊ7.Õ…þÓ”.ÓÃOçkÀîö
HÐ?šnü\ûÊ—–ò¦þIØcl6_å?2aZòEô‡C8žF~Ôè,KzŒoŒ‡JO*·ÒÄh^–R…{Q '!²·¤äõì‰
-ás(;Í9r£aC¶Ê`:ðY;ÛQ™!¾�4Ê——
rÌ|¸’¢Î_”àvî‰ÐRëX.üfvÜd¢9=‚Ð]·b>ùÆÿÌÎë'Ãè¢9"¶•†³¡Õ—lS-†ÜZAqªïÙØÕèúD	žÓ”5Š•sAŽª¤{ žç?˜X{.ú:„bíò·ëÕÊÝEhâ.ÍúB_ƲÁæSË<hS†–èð¦‚ÅóX0áJ÷¤æoHÖ^'‹¹.W‚…¶‡{¶Éxl‹�¶gœJ„fž²Dí��â*ÔpÞõ‚Þ3¢3ÿ7v�¸œ=¡kÖè6zø+òᶑþhóf …Y>vçô]þŸê7Xà…ÕҗΠUÕD�”7¥Oªˆ�Ær#\¿»õe]©�ôwÞ#Êq°ŸuMÙþ›Šü$ÔÍÈͨ­ÎÜ°é´=�•qð#çgþÕPäŒÏ´áÏûójb2Žû‡¤S°RY«Ã€…rSðûÁ�2ïü‘lãïPi5v\?%•–ì|]‡?jßSšaõæ…à	·ŸâK‹âS7§xÐhît²­ííXÌ÷»øñ½QYM·õÉÛ*02÷—'(~@÷*cx.ag$Ì.6ÊÎ0~zGóÓþZ²¿o­xä²&ËN‰U]œPÄZ/ú~Q¶Îö\[Ö$ñãR[öé–’t—/)$¯h´<¤ŽcéýÃÄð±9>Z|É	ˆÞ¨¬ghH€ñj~…îç °QÏšd"ÄÙdž>É×¥‚–ÉsJ¿öãô5BíìÀ½Ã¾DÑYÁß9TFÛiô…H¿=~!µ”_£ÿÕhz Ûé�³�RÇ=@QXÚ›$ùQ
Ÿ2laŽ(ðvºQ„]jŠ�Ö-`ëÇ8öJ•§ä.?N*êh âÚ2T
-êÙ©ï•×`±–¼ì«
í‚ú{}Xíl\ER«êb{E,ìêlÁ¨ž¶`Ë	eFõÌÔøÜ�¤ó¼ Ú˜Â_‹Ú}L݇yûCö=z´©Å¯ž.ÉÔQ;¨iœ„ 6J†b<YÔþKKv”x–•L@ªžZþä&$'
-ûÛÎ ´*5R]‹ŽÅ^ØÕB¹*ú[wD„¶ù×Wàaͳ®nNo<cÂQÝ~�;ž�™>j‘ýÎn¤‘M©l"cÊ9Ѷ›|îÄó¯”ííU}]íbÐnܮфôK¤‰þ䯸¡§ÚŠ±[ÂãÏ.åð¢XØm‘yLpÅì•\’ho;�¶ÓèïÙ±Zظ¿‘+ÿ¼÷£Ì®Î2�é€_zñÌ·^ioůW'<ßf(àÂÏ›¡‹"Ç™·Åô%O™Îr(ÊQzΩDP±pH*
u`ب#_çß!×Vê´P2âý/ˆ|ð ‹„oçš>“ÇCü±ð+5ëã(w8ëÉ,4ë1Ù|†U_5Y}6bïü§a…«JhÛà’;îdÁq¤Ÿr(ÂkVU˜U”UH3~Ì cs_lŽ+ä¨<L¦Oy§ÞŸZ6Œ"ès~fûQ6ƒ›™J÷WãIø²ó`ø9„Q3¼j9p¬ð<еó¥ËbÖm–à%»Ã p¸«C’ø|' yܹ·ñy
Yð'µ

-»°fp¾bDºi7n©•7¶·tišy‚‹Å„ïÕ­i-šyç<á‹™ãžG�”2š$M…8†]�æœxÝ™+ì—ƒIÂ48
-PÔ3)lmŒ;œ¸
—ü“5|—î”+ÀTÅv‰¼Ô_òF^›bQãLT?yÇ¥ðb²èewïA© !ÅdYò]mÝÏÈÍ[ŸC9Év%?Ó8|
-\°l{ˆ<­û$\Û5•/—»ì…ñVT~B
-‡)Í
1p’}l‹ÈÙ¤û¨¯šð1ônQ“Öü:”ƒ‘96êì(…+õƒ<“4Ã7Q|ÿF1°²¨üñ#\õl1ï,äÝ?7Âeì7®Œ½nØ<É„3ÄÓ›rhNBRòÂÑC
-^[ÜÀ�!ÄŠxMcOÝ—ÙPFt>l¿��‹JF¢‡ßÂöð1’£†°åïxDÑ
v	hÇÚ
-¥åã—r¢f�Y—òU·zifÁUÆz*JfU¤ËÞ ½ýä|ÿ:Ð(�Pk<’¥WÝìo*Á]ö…�gP³Šþ,ÚFjî¶%™;ɘ¹á9L9.D�œÇǦÝ@sOµhòÚ³BãtÑsÒ~ˆ®›×)-ÉA
-ÇГ�öÞVMýͲ:“®³m›ÓWBÖþü/�ùÁÿ	�±�©¡“‹½­¡“5Ìÿ
-endobj
-973 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 2
-/LastChar 216
-/Widths 2823 0 R
-/BaseFont /JOXPRG+URWPalladioL-Roma
-/FontDescriptor 971 0 R
->> endobj
-971 0 obj <<
-/Ascent 715
-/CapHeight 680
-/Descent -282
-/FontName /JOXPRG+URWPalladioL-Roma
-/ItalicAngle 0
-/StemV 84
-/XHeight 469
-/FontBBox [-166 -283 1021 943]
-/Flags 4
-/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblleft/quotedblright/endash/emdash/Oslash)
-/FontFile 972 0 R
->> endobj
-2823 0 obj
-[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 500 500 0 500 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
-endobj
-949 0 obj <<
-/Length1 1614
-/Length2 24962
-/Length3 532
-/Length 25846     
-/Filter /FlateDecode
->>
-stream
-xÚ¬zc�eß³eÙU]¶ÕeÛ¶m[·lÛv—mÛ¶m³ËìrMÿþOoæÓÌûp"ÎÎ̽re®Ü;î�8dD
-Ê´‚&
-CF&ìhjèl	°1t6å"T75!15&db"däää„!#Ø{8Zš[8RüÅ ¤¦¦ù/Ë?!„Fÿáù»ÓÉÒÜŽ�üï‹«©
ÀÞÖÔÎù/ÄÿóFeSSBgSB3KSBayMI9qB
-q9UBqS;SGCB#KcBKcS;'SJB3€#¡Í¿-�
v&–ÿ”æD÷KЉÐ�ÐÉÞÔØòï6SwcSû\4„ö¦Ž¶–NNß	-�Í
íœÿöÀ@higlãbò�¿v3À¿Ù;þFØþõýS
-fH{ð1Ycgl
-ñi0–Wä¯}Ã4¿ðtóE&Åt¶Z \&—Ešà’º››¹
š#/(/25©â¾î‚C‡ã{»ò-o8J<îqæÔ§
-
-㼑a1Š¯@�x×"ÙÍÕƒHQzHÈÈH<àtáŒË{â,ȸ�†ÍÊ·K3”’/Y”Ôty®žˆW"So¼¥¯Úh‰í}oSOw½MOY%9
-Ü~ü¬1ÑYpy(Û©˜_H÷²YÔïÄd¤P\Ó8xü0°lmçä+öôk�ç9cí%ˆ5ï׫M‡G}«/¶»+¡CUa.44@BØ^»÷GQ�ê-îØ-¦e©%C§,µpj s—„„¦?l•%Ë1àL­x‚wc�Š2cQ:
-\´Ò+j|.÷`ÆiNººÏ¥ÍiÔnÌÔp=f�u˜…îF×vÉVv¥®‡ÞÑ¥ÄÚ	ÃòF-C?Iƒ3q+ºë¡8yŸ^q[bÏÉN-w¿*÷üAfÊR"ì-vkìi:‹¸±ª±8±ä‡¿
T`ë=ÎT(V¸ýw¿96@â2b4¨ñùƹ°+÷é0Lݽ=¯¨üÁÏò›¬<²Ka‡Y|:Ò—žú-E¤M…š;Wl~(بâüuù‚½E¿û˜ÐÅÂœ‘ƒ(ub°†Ñðâ%Cä%«xzªÀ¸Èûj§�¼.²_ǵ'Ô–=m7ÛBÀÆ£¨{×ÄÍ꼫ÂVÅè4ïÇ.M¦­À³ì†´= Ò1
-
-áê¡×ßO¿UæÝ¥šQ=ÑlËs]T­
�+$O¶18¶�ðææ
#¶V0�BxkÅx‹‡YT•º]Ö²Äò}‹ZZ–Äëe1该P,É}éîjÀ(RŽ›¡ÛDZù4P˜bw×4ªeÜêI˜@ ¿Rq�24§iÒƒo•æ7…j,;Y;ŒqªúQOhIäÊÓBuNí|ÚÌ
-6q #z~bj#ü¨Šèò‚Æj~Ä�•C{")ñ`uà*hñÜ�>—UF«,ë�¢‡7æÛ–�8*Ä´‰·mz¾ÞGW‹Qù©“ö­æ^ˆ$SÐz¶~a•6©á­ºÐ…Pí—>l”é›/Ü{\kkàÏI¼‚èbÈÇd¡!èEUÓcˆÝ�ýd
¿†#[Î+¥º*™€Ü°@·¿ßå|�Ë>SsüîóFPF¬ÙB¨þŽ0¶m粿R‚–Pï[#@Y4K£»åí8c t�ÔÙÇYm̃z‘HÄcKKÑœ¨ÈÏM›ÕœÏÀmí¤š–ÍEy
-<…:0´oè%VèÅŽi”Ú¤ËöÑÆQ/f ó³X(g‡¹4JQ¶�&–
%CDÌ\jö$„"é^-NývÖj)HLò¨ºè•µÍ“ œ‹H)·4¹
HÑ�8Ïÿú(õ«!4ÿѨŠ TQ`([�ÑX|oãh†¹¼�-]‘ŒÃS¡(ú&Þº
௉ÿ”ör7Z è3¯LêØ÷k£˜#úÜ2ñäüä½x†EÝ�û!rÎì¢Úƒ\·ãQ¤›ÀЇÝ.
:“>Kà¶PNøPÚ¶;e£SoIáªÁ@…>Y§%Çu
EåhÊŠåFô¡ÊˆwwÉd[ÿîÿƸê§!^z‰†—T¯ ¹ \ òË�"Ïþ¤ X÷½Ÿ}‰s¤´¯çœÏ¡À˜5/䊬t �”èÕØ„"Â[k!ì„FŽuôe>‚•M‹.Wa6æ„pà]c†J7��´žÆ”=�G�Ç p}JP{Ÿõ¼Ý	E™Ùê¼I~ˆÛb¦(g¿SsÃîÃuik›à:ÌÛG�³a²Cå^X¦ê.ZÅ{Ò
-`'æA!˜üåö�hzBåFüÂO/Ësmu«¤†,óHë�‘c¶»²
‚lq 9ÛÒ1,�&Õh?Ú{†fùíÇî–b—.Îú¤X†×Í…²þ%ÜÂôûÄö([žA«ÞÃú)µÁ‘Ò\x�˪wÔ!„k·gÒs„
¦’/`0Š]AP§!$þ‰öÜa£Em¯ˆkõS}¨á9´úÝÑÅï´x©"ÃG�…ØY+çZƒ‚<i÷»2þžoÄE3éÚSçM�«Í1M‡# åŽ'©¹Ix<ŒAÉD�£EŸúìbkz
?•&Jû7&Ø3Õ È³ãll'*QjS�œÉå-«J}ö¨PU0vó�á€>0˜Ú+�-§np¯ŽõÖ!2>T¾¡ú”÷.6yçÇC¾ç5Ÿ
��É»�p{á�0|õg-#™Š¼Öê‚}‰€D&8ºÀd··oßxð°Ï¯ØËV;AdðŽÔŠÚJ¹Nd-³º5¬(>	Þcd‹²bCÕðD½ƒåù¨àua¼rI¤,âÇÌÍEGªK_bò-T¡þ`fØ«Ì‹Ž©3ûH@W¿ëŸ#·¤‚Ó•JxÚ…aì~ÒG`Á�æ©dlv@Ý
-b>l
-œ­VŠ(‰zÖu
ÞÐu¹˜3ý\7n%“´Œ@TÁ{0¸JØü
-‘y„›K
¢UÃÑäs ¾&¹G
-Ùp3Šþa°³Òi£·×¯t¯B.ãA%ÐÝ¡ÿxcû}`¢¢ñ'
-fÊIûþÏ‹±hÒÏ£èÛ9û½ú¸v7òr蟮fA‚åêÛËêããYaŽïuSi?eXAO‚8ôÿÜ
-;ßýBtÆÅ3{’ù¹Iøõº9Í”\V†�õ+ÛÇ€¶‹ˆn„ÒdK;h¢¢ïïñXOÕŒÆBW÷ƒd#öMDâá¹{F&Æü¹*|ö«:È^?\
ʽK–ôÜa›\KR1§8_üŠ·å’&G¢±H]š+ÜFÇÝ>µ[zY¢àÈ‹|N™Í·C¼ý8H?»¿§5BfØLÅÇ£Oœõ
-vN±1¾{‘/IÖ‰¡ƒÿÛa/¦Àl+oDNk1Ç~âtjÐâS*Ó<Ï|µßCqiÄ™àå^Ös‡oôT»ãœTEÁ«£É ®3¥Ý	õ}>²–7²@éã#ÂÖÝb'§8zðã3ÖÂlÞ¸oW¶Ïκa«ø%ýÈ1Éa€%ë굶疉£ÊÎ0zÀ!>÷º˜µ�Òÿ"qWîàdÝjê}_
-7ÿéqó*Bjû’€’V(H�óŽx
-/ƨÏÏ9êc$§Ôcµo©Š~D�xÀrßõ¡%´ÎSݪ5H•ž%ß·‚S|úKžÜÃ9²^É¿š�j(o�÷׋YÞ§‰'7í…Úª½4«üÏõg4œcõƒD“zuP¥ãeñ»1o.øN™Na«5Ø¡F‹W]âÉ+‹j£qD÷3…±¨•öÅãìææ˜VÛ‚u¦êä÷™qTƒ‘´ZoVÀÍÏÓaàïß|ð]Îæ{{jeD˜¨t¹çµ*�aPÔñ®†žåVaü2Î\}‚–z3²žzû¾æ調Üp	°ñ:cù夨i¥½xÚáÞ(ó6»‘Ö/k©ÀKÏÖÃj©Ågâã4*&Ä‹Ù%.‚¡b¬‚Ću–èúØï߇ày|Ê… ò�®†©¡æw˜W–ë`md…û«‚Öq`ä1²jÃYߥ�B! fð�+Ƽ)éêd$@X{Lé�·ÃfEƒšíºDKÖƒ)®H|dëbÆ�èá’«§å3C b—ƒz°>ïzA�ìÕh�õ.‡[Ð	^
-~†sR–ðþögØ=΂/Qqqˆ!� SíC幄{ìyÇÄ—¦‘¨êVeÚ&ò<\4Xõ#¸òYȵ²„Û¤
ŠfÇ/
Èa‡óm‡SyZAð‡°â�ŠŒA�ÝÈ{ûßüxm¤=Í=ë?�ªâÛ9fÐ
‚;’RóJ4Y§W#($EóqÃ.ÃöŒ€VCÐcÓ
-|&dòÒô’ÇÃA
-~x¢˜¾eÄ6žŸp�ã"ˆtBù(iQ\mBj7}¹íƒ®€rfLJÀ)q&*�»2K¾%c£Ø“Hâ®!?�©°ÉJ½¹è
¥&´3o:ðKÞ†c§Õ¡©Fì¶$ʧ@ºO¹D¿ù)ûÛ—»³Þrµ0ºG÷J…
-2™ê[drKX©+²áW�nC-¹&TIªhÂPü! Ó_t‹yó–L¬
-›
Q­‚Å9XF„qœ{¿�'‹©Ý‹ük[K´›�
-Ž3^ïîtl7éEÐR^™UY5.ÔÉ<ÙŒ?tLúdJ¬OÔÖ
-œ­$#Ä ª�ôÔ¶Õù·y-Ë.-ŽAš¦Ï$ôT}]Hyû$öæ““m{Ò ¸ü†Uó|+kcP™>Ä�	N÷>éå4Ÿà?÷÷'o̲[6PM4Ó÷€»‘«4×®ͳó¬Ý¹ÞRRé’;™Ý¸#Üš}3
‰òìÌC‡—xˆ™Ëœ7¶Ð–µ*Ó»ö}†¢ßÊÐR.$­D
í}Óeï)FqÞø	 œìî
-ÅX¤Ö*qÊífˆC!TãËüÌeSŒ7p
/077’m&cW
-VáÆãþñÇŸZyê�šŒÆ(e‰GHŒ¥ÁÖë¡„ÞhÚY8LÝ6ú}96wc$ÚêÿþÛJªèè
�„C/7&_JSËñ´z ÔVg¿NÃ}aãµ4·º<â¦?y—†õâÁÕëòn�à°JV€5…\ô±ÅÿÚwTä¤iô…u�vjc—`\<�U|ŒÊd/Õó))ÔÒþã�R-Åå\-‡¤¤DoÞå±($ú&—èôV� â½âî”Ø`(fþQ̤Ön•G	†:mr¦ �âäéŠç—D᫬<1xSPŠfès
-zÿÖc:›#é¦,‹  h¾1�M¼ï™áˆ
¶èIÊ¡1Déœ
]ÍT%b#Æ”^…+>l$Â'üÃéú[úHõCÿ»O»ÏðsÀG¹zÇ%Á¦«ËªIšÚF=/çó~Ãç‘qç*Oé
â¶;¸‘_ºNê½&úÓ©8õÏh­°WäÒý�Ò±wÒð3ú©á¸X‰„›¸ˆRÛz9Ðø|y2—º¸ôôÅò‹>.C
C{¸mÜl|³„ýˆÈ7n€§;[í:`ØÏÓp×>ø0=Çù^|V”áÚÀU�ñ�ñ,±[ý&¸¤h«¸YÊArÇ3{%�-"CøuiíÄÀoóô2^þë•5EêOÐã–�`ª«¨ï6ú×UüÇ^’,†‘�jp.å)tiÒ+"¨¤ïë¬,÷ØéØaKÔxjTèD0î}�Ó$Óïn\¯,\>~šX6ô‘�¶5ÙüF;ÜRåÅ-SnŽÖÏ)PÖ’�maKËîf×èËÀŠXTø®ó·œè—ôÑ–`9$&Í·µÄÉmv"c�
°k›íŽ¾¶‘n|ʺtw³­z	ÂíÛŠ­²žYÎ%ÈB¥*(\�=È.αˆ¢8w�#Ðù÷–ºÒÑ$1wlºL1A�jÕÅ#j)KÜk²ãùmË¥4šHkÛMáfyÉ7ϽfêWp^ÂãmlUüî_qRy:+dóÞ™?

ˆÔošÃ»ÎJÅi4ÍER�‡\¤äbc¨ÛJin‡¤˜n|YÆœ!¾ÿ`TÓqÖ'6¾ZÃ:‹†XµX–Oß•vnw³sÚ�DbF:Þ]Õ–
-‘c啯úäQoà.ó+i‘ =ÈÕýŠN¬m·þÃpí.=Œ¥5®óš®H·><Ǩí�É:‰[¢óÕ³Ž_ùg›ÒXtItàó
-ÂÞeî£õ‡ùÞƒýÙ¤ç¯sÌ†Í Ë
-ëo4†H]9[
5Ûü�¢ð9Oà�Ãs(ª%re™¼8Í$Û&}Z͵eãÄlw)†Іm”s{f36MSøJ8¯FÑogŽÇGó8™ÅyŒ4ˆâJcñ
Á>bxx9Ùä"<
-P	ZB¢«tÆJÞ®Lg}9d11×B0î•e7�!(›Åð
-,y¼,
—ånêdAéUš’_ÛõúæáÈ›X
™¯[ïãƒb†Dë4¢[‹ß’�R
¥áÇÅU±—ã$ž7U$›Ó°¥ëÙ+ÂXÖó;­_LE�'Ä NÎE¸™GÉÎËòh±F2¤ìÍ4%¡
-â_ñÐîI~:idt—ÅìÒfù*ÖŸ|1^(¬x"ïh(“
Tc÷8)Iʾ%•u«õ]Õhµ‡ cI”
-Ægè-—“a´(ö«]�A™°u¥$k¿ùítAz;@;3ò‹¡M]w£­6Iãnx
Wd?7¨'ãv¼ã|åço¾>U%€`µæ~a¬P?ŒŒà�pŽ¯H¿{5ìà‰=ºZõPìa®”|0r±ø(
öÇ =„€	×÷ÁÃ86oÖþ%KdX]‚Â�}x9ó5ÜÄÛ0®
-¢Go±
-‚Ùr"ƒÇ¦Û¹gš¡ÄÑ‘ºö6èl•�*?õ×{Û�'´£·b„éLÚþg&ÂW$„tçñŒiû0÷wÂî±í‹IP7	\¼m£ºe&ÿsá "¹M9Ÿ7dò?æ¼ÜFº´È¡ö?í_¨Ô§Ïj–[‹x‡—/{�=Y2-vÂݪ-Uº_ä¸ô"aHÍÿé,“ÂÓQv‡ŃG•qƤu±!4 ·³Tú¬@R¨3�³š¬z(7vÖ¼Ëï)h“Ü&°v�Ža$:„W?Sv©ÿ¢Q“Fn[·‰ýª‘;]£óØ[ºâ&­üe¼—N…�6˜ZSFÄ¢üÊĤ�£”	[q’EÓ•ìxd§rP?.tÕG¤“|áÝkØ!× $ñ:º?ûüËéW,#½çÎ=�©EèåE.t]}©váG^,š;I�!{¹Ú½X[ÙÚJå_3¢-ÿûaÌp2~�銃ÜG«­ÂG
-on®±ˆÒž¶ ®áJ<©ö; €öÜ x3ø÷­µ¦'qטáŸodôY™(±Ÿ¦,óÓE_3µ#¤1�š‘js
Åû³Rñüd~
-«ä…ÛÁ0|XÛ(rž[äñÅ
-n£?ÀïÛjë&a5"Gçã^ªxv¬ûĉ1µ§i–Î+VÍÀ§Ušš"súØ�€ˆÐ¾§4gW¸�Öïd}/®W(¥Z-å™ì£ÎØ�Žæ>B��G‹z©k[Yš¼õ‹}2I#‰Ç½È‡™6¶B÷_È0Wši?>üŠ¿ý§ˆg²¾/ýôºèô¡¶Ë’…P‰œÀW�ëÐâl?/�
nãöS׳A‡Œœÿx‘P»p†SæÅJ3o6^lIðB,<9ù}Š`�'‚(ÈY¾U÷»«|oOŽn¨‡‹òÁÃÞ
ä‡ÙD-€ðÀCô¹Å
-óÛײ‘–RX›0+R
-èùú÷f©ý‹‚Îzø3ºd”ó‚oˆŽH×üÅöOé% @¥¢ч"<Ó�
R:Ï£‡±|Ò-#%<õxZö:YÊ�ö;¿;OL;S¹~ózA´®#Òhc0lúÙ1™ÔéÆ‚·(ímÂïi¸„
-ž/rÿؼ@“ž\±mbçQR†Aɽ»C|ÛÛ$÷c�dñW&Áe_¾y©Öó»Þ?cîŽsç°t.Dì]¿ÇË„Yv¬@ôVêèïiå]
?—ÉŸ¦i4ß
©\¬Òœ0æÔ=þ «,
-i ‘
fÚ åg5NAV–£OÆÒHë˜ñA½=ô�k~–B´ð+õ.´ÃZ†=0ѸDÌ[P5xœS_ξê\ßÛk£{ºy*V—†ƒÊ»âç!­åhÚéWf5vK¾ íÊÐ,6E5‹˜Lä´ïná™	$t*0m®ŽF,–r^Ô.ÙLþ†Ý
-)˜¬½ãükN¸�ÎAÓ_TÀôLšûªÞ­
-�“سïñ¼g‡œ&{(¾Öx4¦¾æ±»Ý9ˆ’9ÌYÕ]”ý ®3[ù;ìÛ. $šÃžúSá2ZЯ
-ϼ'ýPb€Hù‡�š^•9¥vv&!Q�	¥±¹ÏT>KIëkO‡T*ÃL�÷
giÒÆíÍ5;¯>öšühö
u1mì~ýâ(f
-Dbôô´¹¡`C°áP/þõ
-6‡@%ì�„gùy�Àgl‰+Èe©,²’4¸A&3;}­Œq5¿&³@†+*´PÌ^°A—+‘�YIz¿o0lü›…ûã~3ÜJsW!©„0‚{21ì
-
-†äÝk¤…–ZZØE€,Ã+nÊÑÄøœ2ã(À|ÐB0ÌnAÏ
-jr•Ï�„¦ÁÔO‰p�¡¾Ÿ°á¡_YM)—‚Á–˜ozWÔ†üºx¹Áœbè6 D)W¬ÈøFÞDËççòH^ämZ’¦Cê퉃
OÒ–7pô¹î2õÙJr/•õÓ³uåß¿5Ä!#6dGº,
âCàKy‡õ`…Öô[;¶íÔÑaÖgw\òöl B}¬Qpú¶­ù
‚�˜œû{—šîÒ•j4Ô
-Të¥k#ZÌkÆ Ä¬}\°ŠË‡‚—Õ�MCEýLw·
-Þ0?†+»Þ[øj˜[NiäJ¸�«v¹.±ÅÑ·!4Íçî‰Ø·ÅÀnuʶ‰éíß©Fu“/FMÞsËÇÙaeÊò2ð”/@
-¾žÈbÇ]‰-ùË[}F¼¯¬gŤTí®1¤<y1ŸOC°Kê—ÁÛfˆzæÝ&ýnƒ?‰Æ-s{$î3Ñ~“¤Ù1Ží—|‚<P瘽éº
0Ÿµl�ª¼¯`Ìë\%-IC�5%<JPS‰V’ ‘çOµŸ>]žÁÞ÷å*„È…³Y£�Ž®Íïå>÷Ô‹eÜ.å�¿38ö§hgXWü„{Xß%ƒ5*˜Ä…›Ô¸«úÊ*1²ñ°Ö’&þÑgºl×D�àpk•o¤ògªëk«NËcqÌ;#Øa‚b�'H3ßè´x¥�ÓqWŒƒ¼ÖíÏGH8P–Gm¸xÙæ¼^#©‚TNØ ´Þ7Ü�U¢·f±¿á>÷j¢+
Ö@׸—oÏH‡çR=2Ž¥›»»?y…AbäÖlTòÜBgⵑÅ„ÄëV ¢@í8XÔìÈô‘±ù EMIÚV‚àµðµ¸ËìiÜ*¼ð`Nö}ïT¬?AÛÊiÎò ú[¢5] «-ŠS\Ë×ME4ÐÐéëh¤®W^ƒÙZR=þ¾€‡8vm7;m&ÚC:Gõ­VcG‡z¾9ê	=ô!:0Š
-×Oq/Ëf…hm‡y¢i�ñ’Öñ]ùÆñû‰_Ñ�MÔÍyÈäaMx3,�Hr»sGù®TñƇÛd
;Ò6±nô‚âÑ‹'Ÿ’5ÝGê
-¼,…I;q©h…o{“T	DzaZÚrÒºŒ¼?»A~v+­œ6•ÎF­¨)¥V˜ŒÓÀ7Ò©|
¶©Ê`�ô‹S+ÙWZ·†-à9/°9Pû£©0×¼hEÿS�»¹¤DöšÇ©|؃‡ÅôQ§é
‡õ6K^9÷9AÚ02í
ôJþu"3PÉÝ0.@;îpíWê–¢%ÅË)ÓÔ±Ä(a»„Š�•ds,¥œ€°fKRìî$‘Ûò
	ZÂ[²’&ÞƒVb$×@(· ÆEPÚj·ŒOÜ ¬vÜŽÒÂ0ÑÚ�ú+ã�ÏàªèšúœJ0LöØ}‡‘åʲY¢Š†„WYø‡õê9VäêüÖX‡ˆ‹Þ`÷§9Q±G�À6a°!PÔHú‰nœ\lÝ7iÇüq·¶@ùä|ûCITÌk?›uÃÃã¼o÷d¶j«/OÝr 7ú;È<Ü+£¶qíæ#›4Ö[Lõº˜�`Õ)¦È�ÌÂï—¬w¿I,ÕÑ­¿ð_ϱs–õ¤›ÚáÅ
ÿ�±3mÁ㬩¶uÉ]Ÿ&¾šdð™žA³‡¡jJY¥»Œ×QhéÛßkhÔdÕPcŠ5¥õ¢J´$~��¿5 µÅþ¾3ئúQnEOê_
ß2Åiâ(ªt…Ö¨¶–+ÈÓk¿(ŸQg䔈‚jl.¬¤žmtkñRP|>Š=}nJ	*8ÇÈ„g_WÝ®Œ—õ+¼•Í�ä6¶�ðhÕmØóÚ¹	ˆÿwkÍn‹ØÖæaðÙF=U§k\!÷é“>Í}Éþ²Ò6c°ÅìC�½ïPUÈñ¾Á¾FÖ,Éà¾e�ö4°GñeášÑ¢Å"W)œÇzO§$�#G^†¾I6ºb¡lì4=E§8ÁâÄ«ðÔc‰þo˜iw¨	={€õôI=Wlº·(N˜]ü;h|-Pn%Xª²ˆ~~»'"«ò

É@Õ]͹à*ΪDÝ*Õ&¯æZL‰~TŒPé–¹CL
è$Ù‰™”ÈÌ=cöñU�a~-,'lÉ÷ûMZ9×Q)¡7HüÏ$_‰qšÑÁ%Û‘º/Ó"Xô{nKï"£2œ¥¦ ‘ì¬d)³ÐŠ¥ƒÔçSìýÜh× Á�Ɉ�Ò%zæÃȱåm™,~ÇfVߨ-¬&¨u¨úáê$Ý›7üg5úІÓd6Ш†ù¦Sº
Ì”L·„€ç�ï*w«žJÿ䟋ã¤æt‚
¢«0¶\Nê´e“ûéãÏüŸ¨ö5M.áäþ;ÿÑ÷7øÕq‚ªˆ@üuk… Õ˜Vº›à)(Ѽ.¾1½€”(ЈŒ£´¬)¢bw�µý
-OmÅE5ÃÁ‰ñT9Ý%ઢ#òJ&Vû0/ËÔ%ྀÏ9RÒÛN…Ô°º‘”óÙÀañ< i«ˆajàX±‹¶"A—•ÁødÙdµ`Ö?­É¸Ó¿aûÐ#7Îò¬'Z0ñãèhm£­ªš`”±<g¯xì}t)âK(91£�í�Ðê‰)vïïzf·4"òJ
sxÈvz=ùºœæ󒪾ß\-±ôk
-=Ú‰i7˜F¼Ž†_+JÒðôÚØKgµh4
(Ü­r,ÌÓŽLÃzE�œÑOpÁ‹hè©Ö’•^ÌűuLB+}ɹ!=Ýúm’.?Ä?¯
•±Õõ¢/f–VVÄJãÇì~ÒÙÀx®áÎœçËÏô:Ö‘¼Õ|·¯ÔFðe/¨£jB3º/�]É{LæÛºl�_$”¬÷[p}¬A¼<å÷Ï»-@Ù?³¯QÔ‹»â8€cyæÙ#èrJ‡­šhúGˆ`‰õ¯µ°JÓlCúQþ•&i¥=¡R,Ð/@…zÂX­0MŠ4Ùþz„”Ù®p8çˆS±·š�ê÷q(þSGD¼1'æS
ÒT2j¹ôi�<¤é½ˆ½ÔA�)YÎÑDµ5Þ“
_âÚà�ð‚ždO͆ø€’ਟœ‰ßï“ãùí„í½OK¤;]â:fßQ#—Ýåy°˜1ŸÜ¨^.Š`ϯȌ)Ƭ!°îÍÓ¤~@Ü›Z’ÈÄm]R½Ì±lÉ�–ˆÛM=‚è»o
]%î5H8ÉñðJ¬s˜�{ÕmoRÝœ”Ü%¶¡A€mžXŒNzÓùxî~ÓXS ª>wh Bú#Û>öcðÁ§yÿÍÓËì z>½ûÔCÏÌç0¤d‹÷èóx@©%p‡;¾Ë0ÄîÞ›ñ�S"GÝ8m°>I»Þq|=…ÍÞºÖÁPŽÙŠ`*¾âõ•W±2å —Ê„s(ҨʑieM¬î3ò °vÓ.ÈøÛ�æ�ê:‡d}ȃüÂF[ËM¥þC‡e/Eœ·ß¼¢Ca-(PÞB‡‚_ŽO¶ó:Z•žŸOXM³¹)@õ'
¬(–3ºéìجDæ7"|¶Òp
-¬>;äò4
-H
-,¿TPÚ£>Ÿ°8ÛWò¸¹‰ÜÁ0›ZÂÚ`íL^ìRIs
-s#—Œó¿å26Bbm@*QæóWv™zħ;ŸÃƒ¼%›mĨ)•ÅD²›õÇ™5Ï�çiöäô2dÏÈ�¢üˆÌú£KgîVËœ÷кÜöÀÉbÂQ]�±·aáPüøòÀ!~&58¤ UéìôvlüÚtÅkCYwO(Z’èøãɆ¤ÎJ•î«ç@Íw÷È ÞàµcNÛu
-‹w~öÍté-7µ³{-¬�§±È+Jè­ä?$ü�yüÎ�GnŠÙVËz—‰ãÒòARáJSIðÊ}D“Ä(íŒäˆ²«ØÇ–w½SwR᱌ú½©ŒiDÂœéî[“ä:¯�–â§ù‰Æ–äAlw’.ò>ªìJ•gvX9Y#òêjèžW.Ò*W�®.1õ×ÛF)�7Àa^¤»<š‹44EŠXòî¯Qœt ¨þ‚+Wrëu¿ßœp@[Ç7ƒ}§È‰6y”ò‰Q#Â~e;r¬bxSîæ(|åaôÉ·ŸËSÇ�·I�YÎl'7W?Ø`m,ËÉŠ9³–-ÄhrlWÓ½òõa… 3Gˆ	Q³âuÚ«Z`é¨[†‚šÀqHkU<¸‹µøDhW&?׳fךîOŠ£Ù'�UÜ¿5µ·Y<Ÿž™ÞúýyìÖg�J¯bèsõŸ:†‚†ÐNòÐÜ«•£»ÎØWÚ|¤º(R.g8u$=Vâcø”
§„áä¿‹¶I+É«X�g•Q8“9!®î� )Ò¥mjô\oBÓc<y<ffµqñ>l^Ü‚¹=aä–>T~E¸Í+ý&¤ iX£¬mý®Ê‹†TÆfx¬ÀjΈ]þ!ˆ„ô„¹Ï
-|�
WfìxV'ÆSɈ·ëc–&øY
-ŸÅ¦Rþ¨ò[,rhtDx㤣ڶ
-ì”íÑj#]…—°¦škSÑNf†#bÅ·.ÆÚð°ú™ò«P!›è„1Aü’v‘	—	�dBDv'OWs˜:n
-*vÛ ³ðX±�BgŠ¦wµ3ŽþXÜC«¸ñ­ÊE‡œ.ô«Ö¾
޾ˣÜ<”¿;³©µËä�‘PTåðã°ñ\þüo*ú¿ŠÿÄ\5•Yt™‘Ö
Îhý¹j¦aµšS`¨ÓÁBÃryx/7KèƒAMñÍ�s;žØ‚+Ÿ<È{/�yq	C³‹3¢«;šk`ŠÓùõ
ƒ,Ï«Ã1Cdæ}ÝÖ“!ƒ#©á+³g›	á–{r<
”æÄÀ?
-”p²‚�Ì’>›®Ì!—Hûç¿Í»LûJ,Æw‘É/S±l{;0bòÏ�ß™V®héá[�æƒßOX8÷Ƹx&Ÿ§8GÔL�‘-‰ÕÿhÔ~Å°Ó_vÅ;]hyÞy ¯Co¥ßä<ç|˜U
-¾×¶±ýX:½ë£`Íò|Ï/\Û0wwN†½-Ÿ©,‘ýœp`ì…Ζ
4C–ŠÅÎm’s]­ßxÙˆ´Šà&ð®²É)ÑêûÄ«.å}#2,dþ"(y¦–Ai|N[TðjÄðº/†,d\rjÏæ]?öt¼wÖ¹œ
®æ¬è›Ná—Ÿ8çÇ"OðùÁ›‚jÚw
-‘T� ï’
«­ºàmf¬®–ˆ‚8VÙ17f“®If)¶˜ÉÇ{§˜µ†¿o¼É î0–HÓAýñR6b5}c¼àoÌM	r*'WèU+”z±öÍÀl#GKfaÆéQôTZÉqNÕﬨàdg‰÷i+3|ª#@Ýì&ÞM„ÙÝÑ�>©LV¼«¹wJöº/$pžG ¾†6ªìk¿ÏÈ6úXð7�ä´/3²†
-{¿RÓ„¥cpçÊ´(§×"¿îzQcöê0ÖóŸ\¸PCåYsP¥ä+}›Tã|ìÔ:Pd¨~½9iÜü1I4]‚Ýdë´m¼°ÃÞ¥íhqËÖD€•6�Ñ©M,XJ:ß,ú´�÷zk¯IÿÅ´(„ª¡Z©#äÒH]Sø?BĦcêO–‹Â†òö-À<�q»×ëMX,SŒáy±ÍôwWf2%n§./[v}|5z|{ÿºx«:CB'ÇC^._C®u
-+ŽáoÑÑoJÓoä€à)�.D¦\uð¼“
-m|-zÐ#çbûŠ×—†rÿ
ì¥‘Zèñ‚%Qú¥.¦™?úgÚ�C)àhÄf‘¢qÿŒ‘
-Øwh¬ƒÁ’ãl�„«$I<e.qÄz/9ŸV’±L,âNÓ/Ú¤:c¥èó¥>¦‘5œ]±RžχäÍ(GƬ/áOt
gO(P»Scí!|@¬¿|N0É¢"¿±íq¶P5R�@hAiËDì[pêñjÀgÕêõ¢¦‘ÿ@‰Tn£6Fz¸;GË‚­5‘r0çÔcÁ[ï(þ;ÎÙØ0d»UÕz<ºÈ&ÇZô¾¾
`§ù§€×NåÑ99*‡	ñôˆÌÒ"â©üsÈLSM^÷›MÇݦ¸é¹ùc!CFEYÝO§_F¦À�¡1¿Â�Ñï9oú˜}SSQ¼ôìCÁžÉ¡N(²õo¢áÐ윅Dé}ñfi¹“ël¼&‚m~¸«�¸òÂÇM´9t‚VTQêƒÕ~뻀Ÿò1AjEñÚ¶�ÁP6#V ¡ÜJ5äàýµ›{Þöþs|¥P9bT¦ºX4Yp’P;ÎÊõëYý—†½w@4*4¥¢y§©‘(ƒ‘Om:Η²¬ÀÐÇô™§¯yCöÉEá S:äúK AüQwÞEè�³4Í,ya;dÈ”/#ðƒ“co;Æ©¡£«åhÙÛÕÐJ¹­¡0q½Î•
-C§Gußx{ÛÄœ„B��;ÀÐ\g•~�—àèiœlðv¿¹ôõÇ™‰7ßZ F¢¹fŸq:ƃ¿øëC
-}bÉ„•Óµ	Vß¹ D¶53Ÿ¸‡vðGПO*&æ\ŠÛ+>h-s›N¾)h2ÞGŽ>hÌÂéG:süFeæV6Ê�œ-ª‹¼¦)¯tà‡\§óŽŸ2E}˜Äç—å1£¹VY…4È)‹®x¹
-5Cð
-hó¾èmÆ�€‡qŒÆá�:4›ùÆaB-ª-nÍØðneVŠÄÖL$Œç_68ý0¿gዶ‚›ž�´ýÅ©<
^W¹?·eÜ/�
-
-l¥&,C†Œã·ÖQŸ8RÔV»ˆ:»ß
¢ÿÕ°¥¦o…Äóô¢&›Dñ„æ„ñ>%åqUEV
-J�ã(†N`
/õÍþ`ôV’(H…ó¬ÐC>ø¢H§A®æIØO¯õ–0ÄhfÙý˜)š_x〘ÄIMme}Wì‚|��Èà¾NÅÁä2�¼Ô°yÅÑ¿_ÑdrEˆ»ÙŲVÓ¬w#�ºÞp}§—;Å_G°n\OªˆàPcŽ>n?ÿcpåÈñò‡VA0]
-ƒÂóqI¾ÞŽ´n‹TèÔ=ZÓBÿü:åT(a
v|(‚bV~Qù`N~‚ñÑ�ÕÓéá�îÞ¸
RƒÀöðša‡ÄP@xD|i`­-.O&~F��`4y£UÓÿ
HÉMÌöÞ8Y€T¯B"y”�x†\äñŽmÄ
´Õ¤Ê诰¹ì·÷O±,‰D¶8–ëÈá
û0Ñô<¡;+BP¡j­uÛ4¡ú…wÒý}"íç…ïÌ
-ùÄì©¢�"£ÂŒÚ1§@ÓÇ%ìÏ�ã:ptu2DØ/jÏNÚ‚âî
-þ	ª×“?ŒÎ^TEul ^´­—çq<Üÿ-¯+ž4ÛŸ�^êJìZá­¡'+ŽÊÕJuˆá‚�Ç­+~¨ìóh~)à‡A¤ž¢(ÚçèÚØJ�UË€/)²|(8îñ¨¿‚Å_Ñúõ@
-€Ërs»îX
ˆ—#®#>|:+CƒMü\ûÅðêUT°ÎšÍOa\ŸÊTÅId`Éÿ!)µkâºüzwˆÔ|êˆ  •Dà^
-«9“ö¯�#ÕQÅô�/•p±ëtTu¦ŸÑoÕoÑF2ÎçÖºó¨F¿xüþÙDQ)‹€®¨G.eáÔ÷ºÙh®o¢_ý/_íÃÕ£ T\‘YÂCû->×kl,¨ÊEX›Ý¯¾�ÜWÀSÇ«GôV
-h›À
-JJ”ðú»,aüø‡´Oe=²§ùsõB.-9É?…–�ZEè·v"‚‹ÏCÿ£3N©eçí	û9–¹ŒäˆÊæ9a#Þò4)CË;ùW¦5Á™-öO­¥DÉ¢Ra‰¶µ
ºçiN¿°4ÿ!VV(䂸„ih%tL_ܶ?ó&·ç\cT
-´1rÕ¤‹©Â–C|YÙEoç“âÙšFæm†�‰bégâá
H:ÏwüØ'Ѐ±ÇPzüܯ*ªÍÅë¯Ö:N­/jÛÆÜ„PÏHEÆSsÏùo’OÜ¡³Þ+"¡&íÌßèæ�EÍÞè„Ðg­ &ÜMÖOßõ!pú7Øɯ2­Ž!l3YÅB!6tÓº²vo›·ãfÜg+/“ácÒË`Èqèa;žñËxù<ý}(ìšLÐöBýÊ”ˆ;ÍÖL„ê(õ~D™êq¢˜M©Çá5b*àÎöæÞú�Ÿ{ôÚ8�iøxÃk|ƒ¬n›Ôš…ÒÚE_SXï=ˆ÷ãf+¤m"ðÞзs®õ:é‹ÜKÎÑ4åÖ·!D›ÕñØúÀHþæ1}’  C�ej»ÌO²oDª­2Œ°š@Þ­ªÄhGO‹&	fÑŒx\q¨åÓH*“«×EãñÎŽ`ghÕ`Uð1í$!7³NN¬â�ä–NM•)ña{®yµWϺç)®‘nS˜~Ø€gÆI ôÈû8³¶}ÊàL‡TòíÌF¯C0‘;pŒ/h°[Ç.ùõ§¨²B4 '…¡ºtdˆÀ4¡~0$îãò†W`TAj@qy‹2 UÉl\²lå¯ì×½T¤Š]×ÈÌO“bq<1~úÂfÍÊ�’ì—W¨8�’…­¶ÓÃI¿ÞK?�›@‹§² WSuÝG4W¿!ÍrÞø§ˆ(ªyô[üÚ´æ»Ú•ã¨öï¶aÎûBá±j{6úMóT÷¶×9—0:'@:�5+¹×ñ®¶ëde=—'’M•~‚†L=F¾‘d cƒ~N¬5s²czçR5$þ'6«3yi@1¼¢r�¤y¬ƒÒNXr˜‡š¦ù‘�÷·HQ¢H9=WZ8	¦ú;M/�åEÔ±²ïp	ʹ1
M„òÒñžT;¨ÙŸ[bÙøøáïj	ù¶–è.h¶íùÂ’í1§Od6ä2Ó•€Sõ„ Ò¸oMîî›@¢Ÿq<rØX?+e¨aÃE› ÓzŸÂÓˆ¾�/¨”%	wÇŠ¢?ÛŸ‹À›®
-‹'Ô Öe‹Âo†÷L~¿ñþ\ì<h¿g¡‚™ýcJCK¥wA½pƒ ï#“ÑD�$_´âÀÞÍ¡ˆN5Å?¯Uµ‡å?7`ÿî	crâÊÜç<¾¿ˆ\ I}¤xÝšN.PõÈ»Œê½pRUõ–� Ÿ®ð�$
öµ©!ê£QÅÑØäkØ´ŒÂ„j¬@v�”Â’ÑlLÌnmUEX’æ±}mî´z*l9Úï^IöqJJaþLÁäc“Ñ&júi`•¢%×î—ÛØÝAA‡Æâ¿ñ�
-emÓÉÛŸ«3^4TòÓ¶¬@ÈjA1�ÝiQ·ˆ ‰Ý÷ĘtÙö¢KB:Aÿ¸‹ÿ~…¬QN¶è•]à^H£î8‚x÷7^LMûžÄh5ý‘y.ïë`Ï $G^ãÒt°x\àü¹Qµ
-¢“˜.]âeŸýcxŒHÁ�‡¹mbÞ
¾
#{Z¯ÆSŸÕ‚¥¨žÉºølõíý73\»
ö&ÛT¹™Í`9Í�}¤™å¦ï[ê¼<N5z ½_|ïh-óÔ)áäâöl?Þ9)9š°¿c(¤G�EüÛŒëÈjK°ÍÚ$ ¨ñ¾ž2»ÓŧbžÙ,½_‹ÈIT>RM�º(v¬|ŒQ|Þ¸V-'±é·ÞóVÈTú¦Jeˆ«Ôa‡ˆur	�Ûõ¤)gˆµæÂi{Ç¢VP€ææp¸D7ý™ÑÍH�¸p½÷öÙt£¿#rKاjŠ-üòPýñöÕe©,´“
föö’
-^~
-Ãå‡8q¤Â麈^ñLŽq–}¨Bƒ
CáÛ–åÊ—
>²–{lõᾃËS×ê&“U
-9èpa0õƒ�ÑßœÀƒwsi‘÷ëÛÇ* tô†tŸš…	[¥wÝÙ.Ÿ+$è+ÚÓ_ý¤iÌ��ÕKÕ6(ý"oˆ¦—2'å™GÉž?IHééæóP´¾÷‡ʧ)ê^pA9"?kòowÖÕ—Ÿ†_²;tÊ+ioáÜ‚•êú
-_ÏfZYX/JÿŠPžUºÐ±;Äó™Ã¾¨5ÃÎ~¢M~;-5”äÖ$„€`3’’˜à0
ßnpöã¤ÒE›­ðÆúb89qÄZ¥| ž½¢ MæƒVþu–
-!µãmYgKà”‹ù÷ÿ•£B}ôçüÂÛZ
= U³W¯Û䉊ù¥tàC½^¦W
-QŒÝ›îl6;¹E& ˆÈš.®*
·Kcî):+©†¸�uó‘=t‹b'´á":
-EúPjAõ¶Õ ª±E@
ûõo`¦iqKQ`_`+§|,33yºGÖÿÚæa#^¸“¯™ÆÀ¤Çð—àBÝ®éãó8OÝòUÐÇ3&]¥§J°Æ$h
�‹YH<(|í	HhtÊc­µ	YjCorpôaá‘Ögnj/#;ÌèâCŠ7±]c¥£ÿ|I4aü½ï¯kÅ3|M&ïæ†Àh¿}®²L¸­¿‚fµÝ¤TíR8g¤=Œë&í‰A¬ >ª¢Ûd�÷C{z‰-6ð7Tœçܧž�
p"ÿ²±(�¯Ÿûº`h/áw»7¢»ªîÈ”
	û½U6´‹°ÚS
+ÑT~¯Tç°Ç&µÖªñ˜ü¶×êI z{çNÊ€‘±6qZü(úX(ø¢ZyÁ´~´ãÅ¥Ù�Ûا°ÞÊ›H#æ
-½¨©5¯O3þU¬–.œ)
@X±®Kàð`ç0’’�A©2ã?Â’§¤1à*\Ü&	Ï×ò•Es”òœ³e»`Ž-Ä_�ø£½—†›}t`òC�;]t:ü#?=*rež‡¾ZNžÿµ×Þ	ÞÏ-aæ:-ƒ;ž""·È¶ êÝ'(ž¶b—PÝò$&¦‰É&ŸydÌG­<‡#
{BŸí’Tdõ/úYýþª·Áè`þÜ(JæsmjžãdàѦÞ#¶«âÝ]¹CÑdH€
Aþ–/“6óN#å
-endobj
-950 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 2807 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 2824 0 R
-/BaseFont /JOBNRY+URWPalladioL-Bold
-/FontDescriptor 948 0 R
->> endobj
-948 0 obj <<
-/Ascent 708
-/CapHeight 672
-/Descent -266
-/FontName /JOBNRY+URWPalladioL-Bold
-/ItalicAngle 0
-/StemV 123
-/XHeight 471
-/FontBBox [-152 -301 1000 935]
-/Flags 4
-/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
-/FontFile 949 0 R
->> endobj
-2824 0 obj
-[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
-endobj
-951 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2825 0 R
-/Kids [942 0 R 968 0 R 978 0 R 1033 0 R 1097 0 R 1160 0 R]
->> endobj
-1241 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2825 0 R
-/Kids [1222 0 R 1243 0 R 1255 0 R 1268 0 R 1279 0 R 1286 0 R]
->> endobj
-1302 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2825 0 R
-/Kids [1298 0 R 1304 0 R 1312 0 R 1321 0 R 1331 0 R 1344 0 R]
->> endobj
-1354 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2825 0 R
-/Kids [1348 0 R 1356 0 R 1362 0 R 1370 0 R 1391 0 R 1401 0 R]
->> endobj
-1410 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2825 0 R
-/Kids [1407 0 R 1412 0 R 1417 0 R 1426 0 R 1435 0 R 1442 0 R]
->> endobj
-1451 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2825 0 R
-/Kids [1448 0 R 1453 0 R 1463 0 R 1472 0 R 1480 0 R 1490 0 R]
->> endobj
-1504 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2826 0 R
-/Kids [1499 0 R 1506 0 R 1512 0 R 1517 0 R 1526 0 R 1532 0 R]
->> endobj
-1545 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2826 0 R
-/Kids [1538 0 R 1548 0 R 1555 0 R 1559 0 R 1569 0 R 1573 0 R]
->> endobj
-1588 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2826 0 R
-/Kids [1580 0 R 1590 0 R 1598 0 R 1606 0 R 1618 0 R 1624 0 R]
->> endobj
-1635 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2826 0 R
-/Kids [1630 0 R 1637 0 R 1641 0 R 1648 0 R 1653 0 R 1663 0 R]
->> endobj
-1670 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2826 0 R
-/Kids [1667 0 R 1672 0 R 1676 0 R 1680 0 R 1684 0 R 1691 0 R]
->> endobj
-1701 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2826 0 R
-/Kids [1696 0 R 1703 0 R 1709 0 R 1714 0 R 1723 0 R 1727 0 R]
->> endobj
-1737 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2827 0 R
-/Kids [1731 0 R 1739 0 R 1748 0 R 1755 0 R 1761 0 R 1765 0 R]
->> endobj
-1772 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2827 0 R
-/Kids [1769 0 R 1774 0 R 1782 0 R 1788 0 R 1794 0 R 1801 0 R]
->> endobj
-1813 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2827 0 R
-/Kids [1808 0 R 1815 0 R 1821 0 R 1829 0 R 1833 0 R 1837 0 R]
->> endobj
-1845 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2827 0 R
-/Kids [1841 0 R 1847 0 R 1853 0 R 1857 0 R 1861 0 R 1866 0 R]
->> endobj
-1885 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2827 0 R
-/Kids [1873 0 R 1887 0 R 1892 0 R 1897 0 R 1901 0 R 1905 0 R]
->> endobj
-1916 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2827 0 R
-/Kids [1909 0 R 1918 0 R 1922 0 R 1926 0 R 1937 0 R 1955 0 R]
->> endobj
-1984 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2828 0 R
-/Kids [1969 0 R 1986 0 R 1997 0 R 2003 0 R 2007 0 R 2017 0 R]
->> endobj
-2028 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2828 0 R
-/Kids [2023 0 R 2030 0 R 2040 0 R 2052 0 R 2060 0 R 2068 0 R]
->> endobj
-2079 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2828 0 R
-/Kids [2072 0 R 2081 0 R 2089 0 R 2101 0 R 2108 0 R 2116 0 R]
->> endobj
-2131 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2828 0 R
-/Kids [2122 0 R 2133 0 R 2137 0 R 2141 0 R 2152 0 R 2156 0 R]
->> endobj
-2172 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2828 0 R
-/Kids [2163 0 R 2174 0 R 2233 0 R 2289 0 R 2343 0 R 2378 0 R]
->> endobj
-2393 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2828 0 R
-/Kids [2386 0 R 2395 0 R 2402 0 R 2407 0 R 2413 0 R 2417 0 R]
->> endobj
-2431 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2829 0 R
-/Kids [2426 0 R 2433 0 R 2438 0 R 2442 0 R 2446 0 R 2455 0 R]
->> endobj
-2473 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2829 0 R
-/Kids [2463 0 R 2475 0 R 2486 0 R 2493 0 R 2502 0 R 2514 0 R]
->> endobj
-2525 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2829 0 R
-/Kids [2520 0 R 2527 0 R 2537 0 R 2541 0 R 2546 0 R 2552 0 R]
->> endobj
-2572 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2829 0 R
-/Kids [2563 0 R 2574 0 R 2580 0 R 2591 0 R 2595 0 R 2599 0 R]
->> endobj
-2609 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2829 0 R
-/Kids [2603 0 R 2611 0 R 2621 0 R 2632 0 R 2643 0 R 2647 0 R]
->> endobj
-2662 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2829 0 R
-/Kids [2657 0 R 2664 0 R 2668 0 R 2679 0 R 2691 0 R 2695 0 R]
->> endobj
-2704 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2830 0 R
-/Kids [2700 0 R 2706 0 R 2717 0 R 2727 0 R 2734 0 R 2741 0 R]
->> endobj
-2760 0 obj <<
-/Type /Pages
-/Count 5
-/Parent 2830 0 R
-/Kids [2750 0 R 2762 0 R 2771 0 R 2785 0 R 2799 0 R]
->> endobj
-2825 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 2831 0 R
-/Kids [951 0 R 1241 0 R 1302 0 R 1354 0 R 1410 0 R 1451 0 R]
->> endobj
-2826 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 2831 0 R
-/Kids [1504 0 R 1545 0 R 1588 0 R 1635 0 R 1670 0 R 1701 0 R]
->> endobj
-2827 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 2831 0 R
-/Kids [1737 0 R 1772 0 R 1813 0 R 1845 0 R 1885 0 R 1916 0 R]
->> endobj
-2828 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 2831 0 R
-/Kids [1984 0 R 2028 0 R 2079 0 R 2131 0 R 2172 0 R 2393 0 R]
->> endobj
-2829 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 2831 0 R
-/Kids [2431 0 R 2473 0 R 2525 0 R 2572 0 R 2609 0 R 2662 0 R]
->> endobj
-2830 0 obj <<
-/Type /Pages
-/Count 11
-/Parent 2831 0 R
-/Kids [2704 0 R 2760 0 R]
->> endobj
-2831 0 obj <<
-/Type /Pages
-/Count 191
-/Kids [2825 0 R 2826 0 R 2827 0 R 2828 0 R 2829 0 R 2830 0 R]
->> endobj
-2832 0 obj <<
-/Type /Outlines
-/First 7 0 R
-/Last 843 0 R
-/Count 10
->> endobj
-939 0 obj <<
-/Title 940 0 R
-/A 937 0 R
-/Parent 843 0 R
-/Prev 935 0 R
->> endobj
-935 0 obj <<
-/Title 936 0 R
-/A 933 0 R
-/Parent 843 0 R
-/Prev 931 0 R
-/Next 939 0 R
->> endobj
-931 0 obj <<
-/Title 932 0 R
-/A 929 0 R
-/Parent 843 0 R
-/Prev 927 0 R
-/Next 935 0 R
->> endobj
-927 0 obj <<
-/Title 928 0 R
-/A 925 0 R
-/Parent 843 0 R
-/Prev 923 0 R
-/Next 931 0 R
->> endobj
-923 0 obj <<
-/Title 924 0 R
-/A 921 0 R
-/Parent 843 0 R
-/Prev 919 0 R
-/Next 927 0 R
->> endobj
-919 0 obj <<
-/Title 920 0 R
-/A 917 0 R
-/Parent 843 0 R
-/Prev 915 0 R
-/Next 923 0 R
->> endobj
-915 0 obj <<
-/Title 916 0 R
-/A 913 0 R
-/Parent 843 0 R
-/Prev 911 0 R
-/Next 919 0 R
->> endobj
-911 0 obj <<
-/Title 912 0 R
-/A 909 0 R
-/Parent 843 0 R
-/Prev 907 0 R
-/Next 915 0 R
->> endobj
-907 0 obj <<
-/Title 908 0 R
-/A 905 0 R
-/Parent 843 0 R
-/Prev 903 0 R
-/Next 911 0 R
->> endobj
-903 0 obj <<
-/Title 904 0 R
-/A 901 0 R
-/Parent 843 0 R
-/Prev 899 0 R
-/Next 907 0 R
->> endobj
-899 0 obj <<
-/Title 900 0 R
-/A 897 0 R
-/Parent 843 0 R
-/Prev 895 0 R
-/Next 903 0 R
->> endobj
-895 0 obj <<
-/Title 896 0 R
-/A 893 0 R
-/Parent 843 0 R
-/Prev 891 0 R
-/Next 899 0 R
->> endobj
-891 0 obj <<
-/Title 892 0 R
-/A 889 0 R
-/Parent 843 0 R
-/Prev 887 0 R
-/Next 895 0 R
->> endobj
-887 0 obj <<
-/Title 888 0 R
-/A 885 0 R
-/Parent 843 0 R
-/Prev 883 0 R
-/Next 891 0 R
->> endobj
-883 0 obj <<
-/Title 884 0 R
-/A 881 0 R
-/Parent 843 0 R
-/Prev 879 0 R
-/Next 887 0 R
->> endobj
-879 0 obj <<
-/Title 880 0 R
-/A 877 0 R
-/Parent 843 0 R
-/Prev 875 0 R
-/Next 883 0 R
->> endobj
-875 0 obj <<
-/Title 876 0 R
-/A 873 0 R
-/Parent 843 0 R
-/Prev 871 0 R
-/Next 879 0 R
->> endobj
-871 0 obj <<
-/Title 872 0 R
-/A 869 0 R
-/Parent 843 0 R
-/Prev 867 0 R
-/Next 875 0 R
->> endobj
-867 0 obj <<
-/Title 868 0 R
-/A 865 0 R
-/Parent 843 0 R
-/Prev 863 0 R
-/Next 871 0 R
->> endobj
-863 0 obj <<
-/Title 864 0 R
-/A 861 0 R
-/Parent 843 0 R
-/Prev 859 0 R
-/Next 867 0 R
->> endobj
-859 0 obj <<
-/Title 860 0 R
-/A 857 0 R
-/Parent 843 0 R
-/Prev 855 0 R
-/Next 863 0 R
->> endobj
-855 0 obj <<
-/Title 856 0 R
-/A 853 0 R
-/Parent 843 0 R
-/Prev 851 0 R
-/Next 859 0 R
->> endobj
-851 0 obj <<
-/Title 852 0 R
-/A 849 0 R
-/Parent 843 0 R
-/Prev 847 0 R
-/Next 855 0 R
->> endobj
-847 0 obj <<
-/Title 848 0 R
-/A 845 0 R
-/Parent 843 0 R
-/Next 851 0 R
->> endobj
-843 0 obj <<
-/Title 844 0 R
-/A 841 0 R
-/Parent 2832 0 R
-/Prev 751 0 R
-/First 847 0 R
-/Last 939 0 R
-/Count -24
->> endobj
-839 0 obj <<
-/Title 840 0 R
-/A 837 0 R
-/Parent 787 0 R
-/Prev 811 0 R
->> endobj
-835 0 obj <<
-/Title 836 0 R
-/A 833 0 R
-/Parent 811 0 R
-/Prev 831 0 R
->> endobj
-831 0 obj <<
-/Title 832 0 R
-/A 829 0 R
-/Parent 811 0 R
-/Prev 827 0 R
-/Next 835 0 R
->> endobj
-827 0 obj <<
-/Title 828 0 R
-/A 825 0 R
-/Parent 811 0 R
-/Prev 823 0 R
-/Next 831 0 R
->> endobj
-823 0 obj <<
-/Title 824 0 R
-/A 821 0 R
-/Parent 811 0 R
-/Prev 819 0 R
-/Next 827 0 R
->> endobj
-819 0 obj <<
-/Title 820 0 R
-/A 817 0 R
-/Parent 811 0 R
-/Prev 815 0 R
-/Next 823 0 R
->> endobj
-815 0 obj <<
-/Title 816 0 R
-/A 813 0 R
-/Parent 811 0 R
-/Next 819 0 R
->> endobj
-811 0 obj <<
-/Title 812 0 R
-/A 809 0 R
-/Parent 787 0 R
-/Prev 807 0 R
-/Next 839 0 R
-/First 815 0 R
-/Last 835 0 R
-/Count -6
->> endobj
-807 0 obj <<
-/Title 808 0 R
-/A 805 0 R
-/Parent 787 0 R
-/Prev 803 0 R
-/Next 811 0 R
->> endobj
-803 0 obj <<
-/Title 804 0 R
-/A 801 0 R
-/Parent 787 0 R
-/Prev 799 0 R
-/Next 807 0 R
->> endobj
-799 0 obj <<
-/Title 800 0 R
-/A 797 0 R
-/Parent 787 0 R
-/Prev 795 0 R
-/Next 803 0 R
->> endobj
-795 0 obj <<
-/Title 796 0 R
-/A 793 0 R
-/Parent 787 0 R
-/Prev 791 0 R
-/Next 799 0 R
->> endobj
-791 0 obj <<
-/Title 792 0 R
-/A 789 0 R
-/Parent 787 0 R
-/Next 795 0 R
->> endobj
-787 0 obj <<
-/Title 788 0 R
-/A 785 0 R
-/Parent 751 0 R
-/Prev 771 0 R
-/First 791 0 R
-/Last 839 0 R
-/Count -7
->> endobj
-783 0 obj <<
-/Title 784 0 R
-/A 781 0 R
-/Parent 771 0 R
-/Prev 779 0 R
->> endobj
-779 0 obj <<
-/Title 780 0 R
-/A 777 0 R
-/Parent 771 0 R
-/Prev 775 0 R
-/Next 783 0 R
->> endobj
-775 0 obj <<
-/Title 776 0 R
-/A 773 0 R
-/Parent 771 0 R
-/Next 779 0 R
->> endobj
-771 0 obj <<
-/Title 772 0 R
-/A 769 0 R
-/Parent 751 0 R
-/Prev 763 0 R
-/Next 787 0 R
-/First 775 0 R
-/Last 783 0 R
-/Count -3
->> endobj
-767 0 obj <<
-/Title 768 0 R
-/A 765 0 R
-/Parent 763 0 R
->> endobj
-763 0 obj <<
-/Title 764 0 R
-/A 761 0 R
-/Parent 751 0 R
-/Prev 755 0 R
-/Next 771 0 R
-/First 767 0 R
-/Last 767 0 R
-/Count -1
->> endobj
-759 0 obj <<
-/Title 760 0 R
-/A 757 0 R
-/Parent 755 0 R
->> endobj
-755 0 obj <<
-/Title 756 0 R
-/A 753 0 R
-/Parent 751 0 R
-/Next 763 0 R
-/First 759 0 R
-/Last 759 0 R
-/Count -1
->> endobj
-751 0 obj <<
-/Title 752 0 R
-/A 749 0 R
-/Parent 2832 0 R
-/Prev 731 0 R
-/Next 843 0 R
-/First 755 0 R
-/Last 787 0 R
-/Count -4
->> endobj
-747 0 obj <<
-/Title 748 0 R
-/A 745 0 R
-/Parent 731 0 R
-/Prev 743 0 R
->> endobj
-743 0 obj <<
-/Title 744 0 R
-/A 741 0 R
-/Parent 731 0 R
-/Prev 735 0 R
-/Next 747 0 R
->> endobj
-739 0 obj <<
-/Title 740 0 R
-/A 737 0 R
-/Parent 735 0 R
->> endobj
-735 0 obj <<
-/Title 736 0 R
-/A 733 0 R
-/Parent 731 0 R
-/Next 743 0 R
-/First 739 0 R
-/Last 739 0 R
-/Count -1
->> endobj
-731 0 obj <<
-/Title 732 0 R
-/A 729 0 R
-/Parent 2832 0 R
-/Prev 707 0 R
-/Next 751 0 R
-/First 735 0 R
-/Last 747 0 R
-/Count -3
->> endobj
-727 0 obj <<
-/Title 728 0 R
-/A 725 0 R
-/Parent 707 0 R
-/Prev 715 0 R
->> endobj
-723 0 obj <<
-/Title 724 0 R
-/A 721 0 R
-/Parent 715 0 R
-/Prev 719 0 R
->> endobj
-719 0 obj <<
-/Title 720 0 R
-/A 717 0 R
-/Parent 715 0 R
-/Next 723 0 R
->> endobj
-715 0 obj <<
-/Title 716 0 R
-/A 713 0 R
-/Parent 707 0 R
-/Prev 711 0 R
-/Next 727 0 R
-/First 719 0 R
-/Last 723 0 R
-/Count -2
->> endobj
-711 0 obj <<
-/Title 712 0 R
-/A 709 0 R
-/Parent 707 0 R
-/Next 715 0 R
->> endobj
-707 0 obj <<
-/Title 708 0 R
-/A 705 0 R
-/Parent 2832 0 R
-/Prev 363 0 R
-/Next 731 0 R
-/First 711 0 R
-/Last 727 0 R
-/Count -3
->> endobj
-703 0 obj <<
-/Title 704 0 R
-/A 701 0 R
-/Parent 683 0 R
-/Prev 699 0 R
->> endobj
-699 0 obj <<
-/Title 700 0 R
-/A 697 0 R
-/Parent 683 0 R
-/Prev 695 0 R
-/Next 703 0 R
->> endobj
-695 0 obj <<
-/Title 696 0 R
-/A 693 0 R
-/Parent 683 0 R
-/Prev 691 0 R
-/Next 699 0 R
->> endobj
-691 0 obj <<
-/Title 692 0 R
-/A 689 0 R
-/Parent 683 0 R
-/Prev 687 0 R
-/Next 695 0 R
->> endobj
-687 0 obj <<
-/Title 688 0 R
-/A 685 0 R
-/Parent 683 0 R
-/Next 691 0 R
->> endobj
-683 0 obj <<
-/Title 684 0 R
-/A 681 0 R
-/Parent 675 0 R
-/Prev 679 0 R
-/First 687 0 R
-/Last 703 0 R
-/Count -5
->> endobj
-679 0 obj <<
-/Title 680 0 R
-/A 677 0 R
-/Parent 675 0 R
-/Next 683 0 R
->> endobj
-675 0 obj <<
-/Title 676 0 R
-/A 673 0 R
-/Parent 363 0 R
-/Prev 619 0 R
-/First 679 0 R
-/Last 683 0 R
-/Count -2
->> endobj
-671 0 obj <<
-/Title 672 0 R
-/A 669 0 R
-/Parent 619 0 R
-/Prev 667 0 R
->> endobj
-667 0 obj <<
-/Title 668 0 R
-/A 665 0 R
-/Parent 619 0 R
-/Prev 647 0 R
-/Next 671 0 R
->> endobj
-663 0 obj <<
-/Title 664 0 R
-/A 661 0 R
-/Parent 647 0 R
-/Prev 659 0 R
->> endobj
-659 0 obj <<
-/Title 660 0 R
-/A 657 0 R
-/Parent 647 0 R
-/Prev 655 0 R
-/Next 663 0 R
->> endobj
-655 0 obj <<
-/Title 656 0 R
-/A 653 0 R
-/Parent 647 0 R
-/Prev 651 0 R
-/Next 659 0 R
->> endobj
-651 0 obj <<
-/Title 652 0 R
-/A 649 0 R
-/Parent 647 0 R
-/Next 655 0 R
->> endobj
-647 0 obj <<
-/Title 648 0 R
-/A 645 0 R
-/Parent 619 0 R
-/Prev 643 0 R
-/Next 667 0 R
-/First 651 0 R
-/Last 663 0 R
-/Count -4
->> endobj
-643 0 obj <<
-/Title 644 0 R
-/A 641 0 R
-/Parent 619 0 R
-/Prev 639 0 R
-/Next 647 0 R
->> endobj
-639 0 obj <<
-/Title 640 0 R
-/A 637 0 R
-/Parent 619 0 R
-/Prev 635 0 R
-/Next 643 0 R
->> endobj
-635 0 obj <<
-/Title 636 0 R
-/A 633 0 R
-/Parent 619 0 R
-/Prev 623 0 R
-/Next 639 0 R
->> endobj
-631 0 obj <<
-/Title 632 0 R
-/A 629 0 R
-/Parent 623 0 R
-/Prev 627 0 R
->> endobj
-627 0 obj <<
-/Title 628 0 R
-/A 625 0 R
-/Parent 623 0 R
-/Next 631 0 R
->> endobj
-623 0 obj <<
-/Title 624 0 R
-/A 621 0 R
-/Parent 619 0 R
-/Next 635 0 R
-/First 627 0 R
-/Last 631 0 R
-/Count -2
->> endobj
-619 0 obj <<
-/Title 620 0 R
-/A 617 0 R
-/Parent 363 0 R
-/Prev 395 0 R
-/Next 675 0 R
-/First 623 0 R
-/Last 671 0 R
-/Count -7
->> endobj
-615 0 obj <<
-/Title 616 0 R
-/A 613 0 R
-/Parent 599 0 R
-/Prev 611 0 R
->> endobj
-611 0 obj <<
-/Title 612 0 R
-/A 609 0 R
-/Parent 599 0 R
-/Prev 607 0 R
-/Next 615 0 R
->> endobj
-607 0 obj <<
-/Title 608 0 R
-/A 605 0 R
-/Parent 599 0 R
-/Prev 603 0 R
-/Next 611 0 R
->> endobj
-603 0 obj <<
-/Title 604 0 R
-/A 601 0 R
-/Parent 599 0 R
-/Next 607 0 R
->> endobj
-599 0 obj <<
-/Title 600 0 R
-/A 597 0 R
-/Parent 395 0 R
-/Prev 595 0 R
-/First 603 0 R
-/Last 615 0 R
-/Count -4
->> endobj
-595 0 obj <<
-/Title 596 0 R
-/A 593 0 R
-/Parent 395 0 R
-/Prev 591 0 R
-/Next 599 0 R
->> endobj
-591 0 obj <<
-/Title 592 0 R
-/A 589 0 R
-/Parent 395 0 R
-/Prev 587 0 R
-/Next 595 0 R
->> endobj
-587 0 obj <<
-/Title 588 0 R
-/A 585 0 R
-/Parent 395 0 R
-/Prev 583 0 R
-/Next 591 0 R
->> endobj
-583 0 obj <<
-/Title 584 0 R
-/A 581 0 R
-/Parent 395 0 R
-/Prev 579 0 R
-/Next 587 0 R
->> endobj
-579 0 obj <<
-/Title 580 0 R
-/A 577 0 R
-/Parent 395 0 R
-/Prev 575 0 R
-/Next 583 0 R
->> endobj
-575 0 obj <<
-/Title 576 0 R
-/A 573 0 R
-/Parent 395 0 R
-/Prev 571 0 R
-/Next 579 0 R
->> endobj
-571 0 obj <<
-/Title 572 0 R
-/A 569 0 R
-/Parent 395 0 R
-/Prev 567 0 R
-/Next 575 0 R
->> endobj
-567 0 obj <<
-/Title 568 0 R
-/A 565 0 R
-/Parent 395 0 R
-/Prev 563 0 R
-/Next 571 0 R
->> endobj
-563 0 obj <<
-/Title 564 0 R
-/A 561 0 R
-/Parent 395 0 R
-/Prev 559 0 R
-/Next 567 0 R
->> endobj
-559 0 obj <<
-/Title 560 0 R
-/A 557 0 R
-/Parent 395 0 R
-/Prev 555 0 R
-/Next 563 0 R
->> endobj
-555 0 obj <<
-/Title 556 0 R
-/A 553 0 R
-/Parent 395 0 R
-/Prev 471 0 R
-/Next 559 0 R
->> endobj
-551 0 obj <<
-/Title 552 0 R
-/A 549 0 R
-/Parent 471 0 R
-/Prev 547 0 R
->> endobj
-547 0 obj <<
-/Title 548 0 R
-/A 545 0 R
-/Parent 471 0 R
-/Prev 543 0 R
-/Next 551 0 R
->> endobj
-543 0 obj <<
-/Title 544 0 R
-/A 541 0 R
-/Parent 471 0 R
-/Prev 539 0 R
-/Next 547 0 R
->> endobj
-539 0 obj <<
-/Title 540 0 R
-/A 537 0 R
-/Parent 471 0 R
-/Prev 535 0 R
-/Next 543 0 R
->> endobj
-535 0 obj <<
-/Title 536 0 R
-/A 533 0 R
-/Parent 471 0 R
-/Prev 531 0 R
-/Next 539 0 R
->> endobj
-531 0 obj <<
-/Title 532 0 R
-/A 529 0 R
-/Parent 471 0 R
-/Prev 527 0 R
-/Next 535 0 R
->> endobj
-527 0 obj <<
-/Title 528 0 R
-/A 525 0 R
-/Parent 471 0 R
-/Prev 523 0 R
-/Next 531 0 R
->> endobj
-523 0 obj <<
-/Title 524 0 R
-/A 521 0 R
-/Parent 471 0 R
-/Prev 519 0 R
-/Next 527 0 R
->> endobj
-519 0 obj <<
-/Title 520 0 R
-/A 517 0 R
-/Parent 471 0 R
-/Prev 515 0 R
-/Next 523 0 R
->> endobj
-515 0 obj <<
-/Title 516 0 R
-/A 513 0 R
-/Parent 471 0 R
-/Prev 511 0 R
-/Next 519 0 R
->> endobj
-511 0 obj <<
-/Title 512 0 R
-/A 509 0 R
-/Parent 471 0 R
-/Prev 507 0 R
-/Next 515 0 R
->> endobj
-507 0 obj <<
-/Title 508 0 R
-/A 505 0 R
-/Parent 471 0 R
-/Prev 503 0 R
-/Next 511 0 R
->> endobj
-503 0 obj <<
-/Title 504 0 R
-/A 501 0 R
-/Parent 471 0 R
-/Prev 499 0 R
-/Next 507 0 R
->> endobj
-499 0 obj <<
-/Title 500 0 R
-/A 497 0 R
-/Parent 471 0 R
-/Prev 495 0 R
-/Next 503 0 R
->> endobj
-495 0 obj <<
-/Title 496 0 R
-/A 493 0 R
-/Parent 471 0 R
-/Prev 491 0 R
-/Next 499 0 R
->> endobj
-491 0 obj <<
-/Title 492 0 R
-/A 489 0 R
-/Parent 471 0 R
-/Prev 487 0 R
-/Next 495 0 R
->> endobj
-487 0 obj <<
-/Title 488 0 R
-/A 485 0 R
-/Parent 471 0 R
-/Prev 483 0 R
-/Next 491 0 R
->> endobj
-483 0 obj <<
-/Title 484 0 R
-/A 481 0 R
-/Parent 471 0 R
-/Prev 479 0 R
-/Next 487 0 R
->> endobj
-479 0 obj <<
-/Title 480 0 R
-/A 477 0 R
-/Parent 471 0 R
-/Prev 475 0 R
-/Next 483 0 R
->> endobj
-475 0 obj <<
-/Title 476 0 R
-/A 473 0 R
-/Parent 471 0 R
-/Next 479 0 R
->> endobj
-471 0 obj <<
-/Title 472 0 R
-/A 469 0 R
-/Parent 395 0 R
-/Prev 467 0 R
-/Next 555 0 R
-/First 475 0 R
-/Last 551 0 R
-/Count -20
->> endobj
-467 0 obj <<
-/Title 468 0 R
-/A 465 0 R
-/Parent 395 0 R
-/Prev 463 0 R
-/Next 471 0 R
->> endobj
-463 0 obj <<
-/Title 464 0 R
-/A 461 0 R
-/Parent 395 0 R
-/Prev 459 0 R
-/Next 467 0 R
->> endobj
-459 0 obj <<
-/Title 460 0 R
-/A 457 0 R
-/Parent 395 0 R
-/Prev 455 0 R
-/Next 463 0 R
->> endobj
-455 0 obj <<
-/Title 456 0 R
-/A 453 0 R
-/Parent 395 0 R
-/Prev 451 0 R
-/Next 459 0 R
->> endobj
-451 0 obj <<
-/Title 452 0 R
-/A 449 0 R
-/Parent 395 0 R
-/Prev 435 0 R
-/Next 455 0 R
->> endobj
-447 0 obj <<
-/Title 448 0 R
-/A 445 0 R
-/Parent 435 0 R
-/Prev 443 0 R
->> endobj
-443 0 obj <<
-/Title 444 0 R
-/A 441 0 R
-/Parent 435 0 R
-/Prev 439 0 R
-/Next 447 0 R
->> endobj
-439 0 obj <<
-/Title 440 0 R
-/A 437 0 R
-/Parent 435 0 R
-/Next 443 0 R
->> endobj
-435 0 obj <<
-/Title 436 0 R
-/A 433 0 R
-/Parent 395 0 R
-/Prev 431 0 R
-/Next 451 0 R
-/First 439 0 R
-/Last 447 0 R
-/Count -3
->> endobj
-431 0 obj <<
-/Title 432 0 R
-/A 429 0 R
-/Parent 395 0 R
-/Prev 427 0 R
-/Next 435 0 R
->> endobj
-427 0 obj <<
-/Title 428 0 R
-/A 425 0 R
-/Parent 395 0 R
-/Prev 423 0 R
-/Next 431 0 R
->> endobj
-423 0 obj <<
-/Title 424 0 R
-/A 421 0 R
-/Parent 395 0 R
-/Prev 419 0 R
-/Next 427 0 R
->> endobj
-419 0 obj <<
-/Title 420 0 R
-/A 417 0 R
-/Parent 395 0 R
-/Prev 415 0 R
-/Next 423 0 R
->> endobj
-415 0 obj <<
-/Title 416 0 R
-/A 413 0 R
-/Parent 395 0 R
-/Prev 411 0 R
-/Next 419 0 R
->> endobj
-411 0 obj <<
-/Title 412 0 R
-/A 409 0 R
-/Parent 395 0 R
-/Prev 407 0 R
-/Next 415 0 R
->> endobj
-407 0 obj <<
-/Title 408 0 R
-/A 405 0 R
-/Parent 395 0 R
-/Prev 403 0 R
-/Next 411 0 R
->> endobj
-403 0 obj <<
-/Title 404 0 R
-/A 401 0 R
-/Parent 395 0 R
-/Prev 399 0 R
-/Next 407 0 R
->> endobj
-399 0 obj <<
-/Title 400 0 R
-/A 397 0 R
-/Parent 395 0 R
-/Next 403 0 R
->> endobj
-395 0 obj <<
-/Title 396 0 R
-/A 393 0 R
-/Parent 363 0 R
-/Prev 367 0 R
-/Next 619 0 R
-/First 399 0 R
-/Last 599 0 R
-/Count -28
->> endobj
-391 0 obj <<
-/Title 392 0 R
-/A 389 0 R
-/Parent 383 0 R
-/Prev 387 0 R
->> endobj
-387 0 obj <<
-/Title 388 0 R
-/A 385 0 R
-/Parent 383 0 R
-/Next 391 0 R
->> endobj
-383 0 obj <<
-/Title 384 0 R
-/A 381 0 R
-/Parent 367 0 R
-/Prev 371 0 R
-/First 387 0 R
-/Last 391 0 R
-/Count -2
->> endobj
-379 0 obj <<
-/Title 380 0 R
-/A 377 0 R
-/Parent 371 0 R
-/Prev 375 0 R
->> endobj
-375 0 obj <<
-/Title 376 0 R
-/A 373 0 R
-/Parent 371 0 R
-/Next 379 0 R
->> endobj
-371 0 obj <<
-/Title 372 0 R
-/A 369 0 R
-/Parent 367 0 R
-/Next 383 0 R
-/First 375 0 R
-/Last 379 0 R
-/Count -2
->> endobj
-367 0 obj <<
-/Title 368 0 R
-/A 365 0 R
-/Parent 363 0 R
-/Next 395 0 R
-/First 371 0 R
-/Last 383 0 R
-/Count -2
->> endobj
-363 0 obj <<
-/Title 364 0 R
-/A 361 0 R
-/Parent 2832 0 R
-/Prev 351 0 R
-/Next 707 0 R
-/First 367 0 R
-/Last 675 0 R
-/Count -4
->> endobj
-359 0 obj <<
-/Title 360 0 R
-/A 357 0 R
-/Parent 351 0 R
-/Prev 355 0 R
->> endobj
-355 0 obj <<
-/Title 356 0 R
-/A 353 0 R
-/Parent 351 0 R
-/Next 359 0 R
->> endobj
-351 0 obj <<
-/Title 352 0 R
-/A 349 0 R
-/Parent 2832 0 R
-/Prev 131 0 R
-/Next 363 0 R
-/First 355 0 R
-/Last 359 0 R
-/Count -2
->> endobj
-347 0 obj <<
-/Title 348 0 R
-/A 345 0 R
-/Parent 339 0 R
-/Prev 343 0 R
->> endobj
-343 0 obj <<
-/Title 344 0 R
-/A 341 0 R
-/Parent 339 0 R
-/Next 347 0 R
->> endobj
-339 0 obj <<
-/Title 340 0 R
-/A 337 0 R
-/Parent 131 0 R
-/Prev 287 0 R
-/First 343 0 R
-/Last 347 0 R
-/Count -2
->> endobj
-335 0 obj <<
-/Title 336 0 R
-/A 333 0 R
-/Parent 287 0 R
-/Prev 331 0 R
->> endobj
-331 0 obj <<
-/Title 332 0 R
-/A 329 0 R
-/Parent 287 0 R
-/Prev 327 0 R
-/Next 335 0 R
->> endobj
-327 0 obj <<
-/Title 328 0 R
-/A 325 0 R
-/Parent 287 0 R
-/Prev 323 0 R
-/Next 331 0 R
->> endobj
-323 0 obj <<
-/Title 324 0 R
-/A 321 0 R
-/Parent 287 0 R
-/Prev 307 0 R
-/Next 327 0 R
->> endobj
-319 0 obj <<
-/Title 320 0 R
-/A 317 0 R
-/Parent 307 0 R
-/Prev 315 0 R
->> endobj
-315 0 obj <<
-/Title 316 0 R
-/A 313 0 R
-/Parent 307 0 R
-/Prev 311 0 R
-/Next 319 0 R
->> endobj
-311 0 obj <<
-/Title 312 0 R
-/A 309 0 R
-/Parent 307 0 R
-/Next 315 0 R
->> endobj
-307 0 obj <<
-/Title 308 0 R
-/A 305 0 R
-/Parent 287 0 R
-/Prev 291 0 R
-/Next 323 0 R
-/First 311 0 R
-/Last 319 0 R
-/Count -3
->> endobj
-303 0 obj <<
-/Title 304 0 R
-/A 301 0 R
-/Parent 291 0 R
-/Prev 299 0 R
->> endobj
-299 0 obj <<
-/Title 300 0 R
-/A 297 0 R
-/Parent 291 0 R
-/Prev 295 0 R
-/Next 303 0 R
->> endobj
-295 0 obj <<
-/Title 296 0 R
-/A 293 0 R
-/Parent 291 0 R
-/Next 299 0 R
->> endobj
-291 0 obj <<
-/Title 292 0 R
-/A 289 0 R
-/Parent 287 0 R
-/Next 307 0 R
-/First 295 0 R
-/Last 303 0 R
-/Count -3
->> endobj
-287 0 obj <<
-/Title 288 0 R
-/A 285 0 R
-/Parent 131 0 R
-/Prev 275 0 R
-/Next 339 0 R
-/First 291 0 R
-/Last 335 0 R
-/Count -6
->> endobj
-283 0 obj <<
-/Title 284 0 R
-/A 281 0 R
-/Parent 275 0 R
-/Prev 279 0 R
->> endobj
-279 0 obj <<
-/Title 280 0 R
-/A 277 0 R
-/Parent 275 0 R
-/Next 283 0 R
->> endobj
-275 0 obj <<
-/Title 276 0 R
-/A 273 0 R
-/Parent 131 0 R
-/Prev 219 0 R
-/Next 287 0 R
-/First 279 0 R
-/Last 283 0 R
-/Count -2
->> endobj
-271 0 obj <<
-/Title 272 0 R
-/A 269 0 R
-/Parent 219 0 R
-/Prev 267 0 R
->> endobj
-267 0 obj <<
-/Title 268 0 R
-/A 265 0 R
-/Parent 219 0 R
-/Prev 263 0 R
-/Next 271 0 R
->> endobj
-263 0 obj <<
-/Title 264 0 R
-/A 261 0 R
-/Parent 219 0 R
-/Prev 259 0 R
-/Next 267 0 R
->> endobj
-259 0 obj <<
-/Title 260 0 R
-/A 257 0 R
-/Parent 219 0 R
-/Prev 255 0 R
-/Next 263 0 R
->> endobj
-255 0 obj <<
-/Title 256 0 R
-/A 253 0 R
-/Parent 219 0 R
-/Prev 251 0 R
-/Next 259 0 R
->> endobj
-251 0 obj <<
-/Title 252 0 R
-/A 249 0 R
-/Parent 219 0 R
-/Prev 247 0 R
-/Next 255 0 R
->> endobj
-247 0 obj <<
-/Title 248 0 R
-/A 245 0 R
-/Parent 219 0 R
-/Prev 243 0 R
-/Next 251 0 R
->> endobj
-243 0 obj <<
-/Title 244 0 R
-/A 241 0 R
-/Parent 219 0 R
-/Prev 239 0 R
-/Next 247 0 R
->> endobj
-239 0 obj <<
-/Title 240 0 R
-/A 237 0 R
-/Parent 219 0 R
-/Prev 235 0 R
-/Next 243 0 R
->> endobj
-235 0 obj <<
-/Title 236 0 R
-/A 233 0 R
-/Parent 219 0 R
-/Prev 231 0 R
-/Next 239 0 R
->> endobj
-231 0 obj <<
-/Title 232 0 R
-/A 229 0 R
-/Parent 219 0 R
-/Prev 227 0 R
-/Next 235 0 R
->> endobj
-227 0 obj <<
-/Title 228 0 R
-/A 225 0 R
-/Parent 219 0 R
-/Prev 223 0 R
-/Next 231 0 R
->> endobj
-223 0 obj <<
-/Title 224 0 R
-/A 221 0 R
-/Parent 219 0 R
-/Next 227 0 R
->> endobj
-219 0 obj <<
-/Title 220 0 R
-/A 217 0 R
-/Parent 131 0 R
-/Prev 203 0 R
-/Next 275 0 R
-/First 223 0 R
-/Last 271 0 R
-/Count -13
->> endobj
-215 0 obj <<
-/Title 216 0 R
-/A 213 0 R
-/Parent 203 0 R
-/Prev 211 0 R
->> endobj
-211 0 obj <<
-/Title 212 0 R
-/A 209 0 R
-/Parent 203 0 R
-/Prev 207 0 R
-/Next 215 0 R
->> endobj
-207 0 obj <<
-/Title 208 0 R
-/A 205 0 R
-/Parent 203 0 R
-/Next 211 0 R
->> endobj
-203 0 obj <<
-/Title 204 0 R
-/A 201 0 R
-/Parent 131 0 R
-/Prev 199 0 R
-/Next 219 0 R
-/First 207 0 R
-/Last 215 0 R
-/Count -3
->> endobj
-199 0 obj <<
-/Title 200 0 R
-/A 197 0 R
-/Parent 131 0 R
-/Prev 195 0 R
-/Next 203 0 R
->> endobj
-195 0 obj <<
-/Title 196 0 R
-/A 193 0 R
-/Parent 131 0 R
-/Prev 159 0 R
-/Next 199 0 R
->> endobj
-191 0 obj <<
-/Title 192 0 R
-/A 189 0 R
-/Parent 159 0 R
-/Prev 187 0 R
->> endobj
-187 0 obj <<
-/Title 188 0 R
-/A 185 0 R
-/Parent 159 0 R
-/Prev 183 0 R
-/Next 191 0 R
->> endobj
-183 0 obj <<
-/Title 184 0 R
-/A 181 0 R
-/Parent 159 0 R
-/Prev 179 0 R
-/Next 187 0 R
->> endobj
-179 0 obj <<
-/Title 180 0 R
-/A 177 0 R
-/Parent 159 0 R
-/Prev 175 0 R
-/Next 183 0 R
->> endobj
-175 0 obj <<
-/Title 176 0 R
-/A 173 0 R
-/Parent 159 0 R
-/Prev 163 0 R
-/Next 179 0 R
->> endobj
-171 0 obj <<
-/Title 172 0 R
-/A 169 0 R
-/Parent 163 0 R
-/Prev 167 0 R
->> endobj
-167 0 obj <<
-/Title 168 0 R
-/A 165 0 R
-/Parent 163 0 R
-/Next 171 0 R
->> endobj
-163 0 obj <<
-/Title 164 0 R
-/A 161 0 R
-/Parent 159 0 R
-/Next 175 0 R
-/First 167 0 R
-/Last 171 0 R
-/Count -2
->> endobj
-159 0 obj <<
-/Title 160 0 R
-/A 157 0 R
-/Parent 131 0 R
-/Prev 151 0 R
-/Next 195 0 R
-/First 163 0 R
-/Last 191 0 R
-/Count -6
->> endobj
-155 0 obj <<
-/Title 156 0 R
-/A 153 0 R
-/Parent 151 0 R
->> endobj
-151 0 obj <<
-/Title 152 0 R
-/A 149 0 R
-/Parent 131 0 R
-/Prev 147 0 R
-/Next 159 0 R
-/First 155 0 R
-/Last 155 0 R
-/Count -1
->> endobj
-147 0 obj <<
-/Title 148 0 R
-/A 145 0 R
-/Parent 131 0 R
-/Prev 139 0 R
-/Next 151 0 R
->> endobj
-143 0 obj <<
-/Title 144 0 R
-/A 141 0 R
-/Parent 139 0 R
->> endobj
-139 0 obj <<
-/Title 140 0 R
-/A 137 0 R
-/Parent 131 0 R
-/Prev 135 0 R
-/Next 147 0 R
-/First 143 0 R
-/Last 143 0 R
-/Count -1
->> endobj
-135 0 obj <<
-/Title 136 0 R
-/A 133 0 R
-/Parent 131 0 R
-/Next 139 0 R
->> endobj
-131 0 obj <<
-/Title 132 0 R
-/A 129 0 R
-/Parent 2832 0 R
-/Prev 91 0 R
-/Next 351 0 R
-/First 135 0 R
-/Last 339 0 R
-/Count -12
->> endobj
-127 0 obj <<
-/Title 128 0 R
-/A 125 0 R
-/Parent 111 0 R
-/Prev 115 0 R
->> endobj
-123 0 obj <<
-/Title 124 0 R
-/A 121 0 R
-/Parent 115 0 R
-/Prev 119 0 R
->> endobj
-119 0 obj <<
-/Title 120 0 R
-/A 117 0 R
-/Parent 115 0 R
-/Next 123 0 R
->> endobj
-115 0 obj <<
-/Title 116 0 R
-/A 113 0 R
-/Parent 111 0 R
-/Next 127 0 R
-/First 119 0 R
-/Last 123 0 R
-/Count -2
->> endobj
-111 0 obj <<
-/Title 112 0 R
-/A 109 0 R
-/Parent 91 0 R
-/Prev 107 0 R
-/First 115 0 R
-/Last 127 0 R
-/Count -2
->> endobj
-107 0 obj <<
-/Title 108 0 R
-/A 105 0 R
-/Parent 91 0 R
-/Prev 95 0 R
-/Next 111 0 R
->> endobj
-103 0 obj <<
-/Title 104 0 R
-/A 101 0 R
-/Parent 95 0 R
-/Prev 99 0 R
->> endobj
-99 0 obj <<
-/Title 100 0 R
-/A 97 0 R
-/Parent 95 0 R
-/Next 103 0 R
->> endobj
-95 0 obj <<
-/Title 96 0 R
-/A 93 0 R
-/Parent 91 0 R
-/Next 107 0 R
-/First 99 0 R
-/Last 103 0 R
-/Count -2
->> endobj
-91 0 obj <<
-/Title 92 0 R
-/A 89 0 R
-/Parent 2832 0 R
-/Prev 67 0 R
-/Next 131 0 R
-/First 95 0 R
-/Last 111 0 R
-/Count -3
->> endobj
-87 0 obj <<
-/Title 88 0 R
-/A 85 0 R
-/Parent 67 0 R
-/Prev 83 0 R
->> endobj
-83 0 obj <<
-/Title 84 0 R
-/A 81 0 R
-/Parent 67 0 R
-/Prev 79 0 R
-/Next 87 0 R
->> endobj
-79 0 obj <<
-/Title 80 0 R
-/A 77 0 R
-/Parent 67 0 R
-/Prev 75 0 R
-/Next 83 0 R
->> endobj
-75 0 obj <<
-/Title 76 0 R
-/A 73 0 R
-/Parent 67 0 R
-/Prev 71 0 R
-/Next 79 0 R
->> endobj
-71 0 obj <<
-/Title 72 0 R
-/A 69 0 R
-/Parent 67 0 R
-/Next 75 0 R
->> endobj
-67 0 obj <<
-/Title 68 0 R
-/A 65 0 R
-/Parent 2832 0 R
-/Prev 7 0 R
-/Next 91 0 R
-/First 71 0 R
-/Last 87 0 R
-/Count -5
->> endobj
-63 0 obj <<
-/Title 64 0 R
-/A 61 0 R
-/Parent 23 0 R
-/Prev 55 0 R
->> endobj
-59 0 obj <<
-/Title 60 0 R
-/A 57 0 R
-/Parent 55 0 R
->> endobj
-55 0 obj <<
-/Title 56 0 R
-/A 53 0 R
-/Parent 23 0 R
-/Prev 39 0 R
-/Next 63 0 R
-/First 59 0 R
-/Last 59 0 R
-/Count -1
->> endobj
-51 0 obj <<
-/Title 52 0 R
-/A 49 0 R
-/Parent 39 0 R
-/Prev 47 0 R
->> endobj
-47 0 obj <<
-/Title 48 0 R
-/A 45 0 R
-/Parent 39 0 R
-/Prev 43 0 R
-/Next 51 0 R
->> endobj
-43 0 obj <<
-/Title 44 0 R
-/A 41 0 R
-/Parent 39 0 R
-/Next 47 0 R
->> endobj
-39 0 obj <<
-/Title 40 0 R
-/A 37 0 R
-/Parent 23 0 R
-/Prev 35 0 R
-/Next 55 0 R
-/First 43 0 R
-/Last 51 0 R
-/Count -3
->> endobj
-35 0 obj <<
-/Title 36 0 R
-/A 33 0 R
-/Parent 23 0 R
-/Prev 31 0 R
-/Next 39 0 R
->> endobj
-31 0 obj <<
-/Title 32 0 R
-/A 29 0 R
-/Parent 23 0 R
-/Prev 27 0 R
-/Next 35 0 R
->> endobj
-27 0 obj <<
-/Title 28 0 R
-/A 25 0 R
-/Parent 23 0 R
-/Next 31 0 R
->> endobj
-23 0 obj <<
-/Title 24 0 R
-/A 21 0 R
-/Parent 7 0 R
-/Prev 19 0 R
-/First 27 0 R
-/Last 63 0 R
-/Count -6
->> endobj
-19 0 obj <<
-/Title 20 0 R
-/A 17 0 R
-/Parent 7 0 R
-/Prev 15 0 R
-/Next 23 0 R
->> endobj
-15 0 obj <<
-/Title 16 0 R
-/A 13 0 R
-/Parent 7 0 R
-/Prev 11 0 R
-/Next 19 0 R
->> endobj
-11 0 obj <<
-/Title 12 0 R
-/A 9 0 R
-/Parent 7 0 R
-/Next 15 0 R
->> endobj
-7 0 obj <<
-/Title 8 0 R
-/A 5 0 R
-/Parent 2832 0 R
-/Next 67 0 R
-/First 11 0 R
-/Last 23 0 R
-/Count -4
->> endobj
-2833 0 obj <<
-/Names [(Access_Control_Lists) 2120 0 R (Bv9ARM.ch01) 1245 0 R (Bv9ARM.ch02) 1289 0 R (Bv9ARM.ch03) 1307 0 R (Bv9ARM.ch04) 1373 0 R (Bv9ARM.ch05) 1551 0 R (Bv9ARM.ch06) 1562 0 R (Bv9ARM.ch07) 2119 0 R (Bv9ARM.ch08) 2144 0 R (Bv9ARM.ch09) 2159 0 R (Bv9ARM.ch10) 2420 0 R (Configuration_File_Grammar) 1585 0 R (DNSSEC) 1439 0 R (Doc-Start) 947 0 R (Setting_TTLs) 2045 0 R (acache) 1296 0 R (access_control) 1744 0 R (acl) 1594 0 R (address_match_lists) 1567 0 R (admin_tools) 1329 0 R (appendix.A) 750 0 R (appendix.B) 842 0 R (bibliography) 2167 0 R (bind9.library) 2376 0 R (boolean_options) 1388 0 R (builtin) 1824 0 R (chapter*.1) 981 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 350 0 R (chapter.6) 362 0 R (chapter.7) 706 0 R (chapter.8) 730 0 R (cite.RFC1033) 2295 0 R (cite.RFC1034) 2180 0 R (cite.RFC1035) 2182 0 R (cite.RFC1101) 2277 0 R (cite.RFC1123) 2279 0 R (cite.RFC1183) 2239 0 R (cite.RFC1464) 2317 0 R (cite.RFC1535) 2225 0 R (cite.RFC1536) 2227 0 R (cite.RFC1537) 2297 0 R (cite.RFC1591) 2281 0 R (cite.RFC1706) 2241 0 R (cite.RFC1712) 2337 0 R (cite.RFC1713) 2319 0 R (cite.RFC1794) 2321 0 R (cite.RFC1876) 2243 0 R (cite.RFC1912) 2299 0 R (cite.RFC1982) 2229 0 R (cite.RFC1995) 2187 0 R (cite.RFC1996) 2189 0 R (cite.RFC2010) 2301 0 R (cite.RFC2052) 2245 0 R (cite.RFC2065) 2349 0 R (cite.RFC2136) 2191 0 R (cite.RFC2137) 2351 0 R (cite.RFC2163) 2247 0 R (cite.RFC2168) 2249 0 R (cite.RFC2181) 2193 0 R (cite.RFC2219) 2303 0 R (cite.RFC2230) 2251 0 R (cite.RFC2240) 2323 0 R (cite.RFC2308) 2195 0 R (cite.RFC2317) 2283 0 R (cite.RFC2345) 2325 0 R (cite.RFC2352) 2327 0 R (cite.RFC2535) 2353 0 R (cite.RFC2536) 2253 0 R (cite.RFC2537) 2255 0 R (cite.RFC2538) 2257 0 R (cite.RFC2539) 2259 0 R (cite.RFC2540) 2261 0 R (cite.RFC2671) 2197 0 R (cite.RFC2672) 2199 0 R (cite.RFC2673) 2339 0 R (cite.RFC2782) 2263 0 R (cite.RFC2825) 2307 0 R (cite.RFC2826) 2285 0 R (cite.RFC2845) 2201 0 R (cite.RFC2874) 2341 0 R (cite.RFC2915) 2265 0 R (cite.RFC2929) 2287 0 R (cite.RFC2930) 2203 0 R (cite.RFC2931) 2205 0 R (cite.RFC3007) 2207 0 R (cite.RFC3008) 2355 0 R (cite.RFC3071) 2329 0 R (cite.RFC3090) 2357 0 R (cite.RFC3110) 2267 0 R (cite.RFC3123) 2269 0 R (cite.RFC3225) 2213 0 R (cite.RFC3258) 2331 0 R (cite.RFC3445) 2359 0 R (cite.RFC3490) 2309 0 R (cite.RFC3491) 2311 0 R (cite.RFC3492) 2313 0 R (cite.RFC3596) 2271 0 R (cite.RFC3597) 2273 0 R (cite.RFC3645) 2209 0 R (cite.RFC3655) 2361 0 R (cite.RFC3658) 2363 0 R (cite.RFC3755) 2365 0 R (cite.RFC3757) 2367 0 R (cite.RFC3833) 2215 0 R (cite.RFC3845) 2369 0 R (cite.RFC3901) 2333 0 R (cite.RFC4033) 2217 0 R (cite.RFC4034) 2219 0 R (cite.RFC4035) 2221 0 R (cite.RFC4074) 2231 0 R (cite.RFC974) 2184 0 R (cite.id2513817) 2374 0 R (clients-per-query) 2099 0 R (configuration_file_elements) 1563 0 R (controls_statement_definition_and_usage) 1360 0 R (diagnostic_tools) 1277 0 R (dnssec.dynamic.zones) 1459 0 R (dynamic_update) 1383 0 R (dynamic_update_policies) 1342 0 R (dynamic_update_security) 1753 0 R (empty) 1826 0 R (historical_dns_information) 2161 0 R (id2466570) 1246 0 R (id2466594) 1247 0 R (id2467262) 1509 0 R (id2467400) 1510 0 R (id2467484) 1248 0 R (id2467494) 1249 0 R (id2467734) 1259 0 R (id2467755) 1260 0 R (id2467789) 1261 0 R (id2467874) 1264 0 R (id2467966) 1257 0 R (id2470272) 1271 0 R (id2470295) 1274 0 R (id2470393) 1275 0 R (id2470414) 1276 0 R (id2470444) 1282 0 R (id2470480) 1283 0 R (id2470574) 1284 0 R (id2470609) 1290 0 R (id2470635) 1291 0 R (id2470716) 1292 0 R (id2470742) 1295 0 R (id2470753) 1301 0 R (id2470785) 1309 0 R (id2470801) 1310 0 R (id2470823) 1315 0 R (id2470840) 1316 0 R (id2471245) 1324 0 R (id2471251) 1325 0 R (id2473610) 1365 0 R (id2473622) 1366 0 R (id2474049) 1398 0 R (id2474135) 1404 0 R (id2474636) 1420 0 R (id2474653) 1421 0 R (id2474692) 1422 0 R (id2474710) 1423 0 R (id2474721) 1424 0 R (id2474825) 1429 0 R (id2474883) 1430 0 R (id2474932) 1432 0 R (id2474946) 1433 0 R (id2474995) 1438 0 R (id2475200) 1440 0 R (id2475347) 1445 0 R (id2475428) 1446 0 R (id2475581) 1460 0 R (id2475619) 1461 0 R (id2475928) 1466 0 R (id2476100) 1475 0 R (id2476137) 1476 0 R (id2476150) 1477 0 R (id2476251) 1478 0 R (id2476278) 1483 0 R (id2476288) 1484 0 R (id2476297) 1485 0 R (id2476310) 1486 0 R (id2476347) 1487 0 R (id2476357) 1488 0 R (id2476462) 1494 0 R (id2476485) 1496 0 R (id2476724) 1503 0 R (id2477211) 1515 0 R (id2477430) 1520 0 R (id2477438) 1521 0 R (id2477470) 1522 0 R (id2477507) 1523 0 R (id2477555) 1524 0 R (id2477586) 1529 0 R (id2477852) 1535 0 R (id2478035) 1536 0 R (id2478157) 1541 0 R (id2478219) 1543 0 R (id2478241) 1544 0 R (id2478274) 1552 0 R (id2478489) 1564 0 R (id2479520) 1576 0 R (id2479547) 1577 0 R (id2479753) 1578 0 R (id2479768) 1583 0 R (id2479866) 1584 0 R (id2479941) 1586 0 R (id2480345) 1593 0 R (id2480388) 1595 0 R (id2480603) 1601 0 R (id2481031) 1609 0 R (id2481048) 1610 0 R (id2481072) 1611 0 R (id2481163) 1612 0 R (id2481254) 1616 0 R (id2481380) 1621 0 R (id2481500) 1622 0 R (id2482125) 1633 0 R (id2482819) 1644 0 R (id2482949) 1645 0 R (id2483338) 1651 0 R (id2483412) 1656 0 R (id2483544) 1659 0 R (id2483588) 1660 0 R (id2483609) 1661 0 R (id2487332) 1706 0 R (id2489504) 1736 0 R (id2489699) 1743 0 R (id2490123) 1758 0 R (id2491409) 1777 0 R (id2491468) 1779 0 R (id2491959) 1791 0 R (id2492530) 1805 0 R (id2494333) 1844 0 R (id2494459) 1851 0 R (id2495723) 1876 0 R (id2495962) 1883 0 R (id2496077) 1890 0 R (id2496519) 1895 0 R (id2498299) 1912 0 R (id2498307) 1913 0 R (id2498312) 1914 0 R (id2498983) 1930 0 R (id2499016) 1931 0 R (id2501322) 2000 0 R (id2501917) 2010 0 R (id2501936) 2011 0 R (id2501956) 2014 0 R (id2502124) 2020 0 R (id2503363) 2026 0 R (id2503559) 2033 0 R (id2503580) 2034 0 R (id2503875) 2036 0 R (id2504011) 2038 0 R (id2504098) 2043 0 R (id2504502) 2046 0 R (id2504627) 2048 0 R (id2504642) 2049 0 R (id2504754) 2055 0 R (id2504844) 2056 0 R (id2504860) 2057 0 R (id2504989) 2058 0 R (id2505059) 2063 0 R (id2505095) 2064 0 R (id2505307) 2065 0 R (id2505750) 2076 0 R (id2506117) 2085 0 R (id2506122) 2086 0 R (id2507690) 2093 0 R (id2507697) 2094 0 R (id2508073) 2096 0 R (id2508078) 2097 0 R (id2509163) 2104 0 R (id2509195) 2105 0 R (id2509605) 2114 0 R (id2509764) 2128 0 R (id2509913) 2129 0 R (id2509973) 2130 0 R (id2510189) 2145 0 R (id2510195) 2146 0 R (id2510206) 2147 0 R (id2510224) 2148 0 R (id2510490) 2160 0 R (id2510594) 2166 0 R (id2510850) 2171 0 R (id2510852) 2178 0 R (id2510860) 2183 0 R (id2510884) 2179 0 R (id2510907) 2181 0 R (id2510944) 2192 0 R (id2510970) 2194 0 R (id2510996) 2186 0 R (id2511020) 2188 0 R (id2511044) 2190 0 R (id2511099) 2196 0 R (id2511126) 2198 0 R (id2511153) 2200 0 R (id2511214) 2202 0 R (id2511244) 2204 0 R (id2511274) 2206 0 R (id2511301) 2208 0 R (id2511376) 2211 0 R (id2511383) 2212 0 R (id2511410) 2214 0 R (id2511446) 2216 0 R (id2511511) 2218 0 R (id2511576) 2220 0 R (id2511641) 2223 0 R (id2511650) 2224 0 R (id2511675) 2226 0 R (id2511744) 2228 0 R (id2511779) 2230 0 R (id2511819) 2237 0 R (id2511825) 2238 0 R (id2511882) 2240 0 R (id2511920) 2248 0 R (id2511955) 2242 0 R (id2512009) 2244 0 R (id2512048) 2246 0 R (id2512073) 2250 0 R (id2512099) 2252 0 R (id2512125) 2254 0 R (id2512152) 2256 0 R (id2512192) 2258 0 R (id2512221) 2260 0 R (id2512251) 2262 0 R (id2512294) 2264 0 R (id2512327) 2266 0 R (id2512354) 2268 0 R (id2512377) 2270 0 R (id2512435) 2272 0 R (id2512459) 2275 0 R (id2512467) 2276 0 R (id2512492) 2278 0 R (id2512515) 2280 0 R (id2512538) 2282 0 R (id2512652) 2284 0 R (id2512676) 2286 0 R (id2512726) 2293 0 R (id2512733) 2294 0 R (id2512757) 2296 0 R (id2512784) 2298 0 R (id2512810) 2300 0 R (id2512846) 2302 0 R (id2512887) 2305 0 R (id2512892) 2306 0 R (id2512924) 2308 0 R (id2512970) 2310 0 R (id2513005) 2312 0 R (id2513032) 2315 0 R (id2513050) 2316 0 R (id2513073) 2318 0 R (id2513098) 2320 0 R (id2513124) 2322 0 R (id2513147) 2324 0 R (id2513193) 2326 0 R (id2513217) 2328 0 R (id2513243) 2330 0 R (id2513269) 2332 0 R (id2513306) 2335 0 R (id2513313) 2336 0 R (id2513370) 2338 0 R (id2513397) 2340 0 R (id2513433) 2347 0 R (id2513445) 2348 0 R (id2513484) 2350 0 R (id2513511) 2352 0 R (id2513541) 2354 0 R (id2513566) 2356 0 R (id2513593) 2358 0 R (id2513629) 2360 0 R (id2513666) 2362 0 R (id2513692) 2364 0 R (id2513719) 2366 0 R (id2513764) 2368 0 R (id2513805) 2371 0 R (id2513815) 2373 0 R (id2513817) 2375 0 R (id2513973) 2381 0 R (id2513982) 2382 0 R (id2514075) 2383 0 R (id2514106) 2384 0 R (id2514183) 2389 0 R (id2514278) 2391 0 R (id2514286) 2392 0 R (id2514377) 2398 0 R (id2514499) 2399 0 R (id2514631) 2400 0 R (id2514646) 2405 0 R (id2514777) 2410 0 R (id2514841) 2411 0 R (incremental_zone_transfers) 1395 0 R (internet_drafts) 2370 0 R (ipv6addresses) 1546 0 R (journal) 1394 0 R (lwresd) 1553 0 R (man.arpaname) 2768 0 R (man.ddns-confgen) 2756 0 R (man.dig) 2421 0 R (man.dnssec-checkds) 2469 0 R (man.dnssec-coverage) 2481 0 R (man.dnssec-dsfromkey) 2496 0 R (man.dnssec-keyfromlabel) 2510 0 R (man.dnssec-keygen) 1469 0 R (man.dnssec-revoke) 2557 0 R (man.dnssec-settime) 1470 0 R (man.dnssec-signzone) 2585 0 R (man.dnssec-verify) 2614 0 R (man.genrandom) 2778 0 R (man.host) 2458 0 R (man.isc-hmac-fixup) 2789 0 R (man.named) 2653 0 R (man.named-checkconf) 2625 0 R (man.named-checkzone) 2637 0 R (man.named-journalprint) 2676 0 R (man.nsec3hash) 2796 0 R (man.nsupdate) 2686 0 R (man.rndc) 2712 0 R (man.rndc-confgen) 2744 0 R (man.rndc.conf) 2724 0 R (managed-keys) 1497 0 R (notify) 1374 0 R (options) 1341 0 R (page.1) 946 0 R (page.10) 1333 0 R (page.100) 1939 0 R (page.101) 1957 0 R (page.102) 1971 0 R (page.103) 1988 0 R (page.104) 1999 0 R (page.105) 2005 0 R (page.106) 2009 0 R (page.107) 2019 0 R (page.108) 2025 0 R (page.109) 2032 0 R (page.11) 1346 0 R (page.110) 2042 0 R (page.111) 2054 0 R (page.112) 2062 0 R (page.113) 2070 0 R (page.114) 2074 0 R (page.115) 2083 0 R (page.116) 2091 0 R (page.117) 2103 0 R (page.118) 2110 0 R (page.119) 2118 0 R (page.12) 1350 0 R (page.120) 2124 0 R (page.121) 2135 0 R (page.122) 2139 0 R (page.123) 2143 0 R (page.124) 2154 0 R (page.125) 2158 0 R (page.126) 2165 0 R (page.127) 2176 0 R (page.128) 2235 0 R (page.129) 2291 0 R (page.13) 1358 0 R (page.130) 2345 0 R (page.131) 2380 0 R (page.132) 2388 0 R (page.133) 2397 0 R (page.134) 2404 0 R (page.135) 2409 0 R (page.136) 2415 0 R (page.137) 2419 0 R (page.138) 2428 0 R (page.139) 2435 0 R (page.14) 1364 0 R (page.140) 2440 0 R (page.141) 2444 0 R (page.142) 2448 0 R (page.143) 2457 0 R (page.144) 2465 0 R (page.145) 2477 0 R (page.146) 2488 0 R (page.147) 2495 0 R (page.148) 2504 0 R (page.149) 2516 0 R (page.15) 1372 0 R (page.150) 2522 0 R (page.151) 2529 0 R (page.152) 2539 0 R (page.153) 2543 0 R (page.154) 2548 0 R (page.155) 2554 0 R (page.156) 2565 0 R (page.157) 2576 0 R (page.158) 2582 0 R (page.159) 2593 0 R (page.16) 1393 0 R (page.160) 2597 0 R (page.161) 2601 0 R (page.162) 2605 0 R (page.163) 2613 0 R (page.164) 2623 0 R (page.165) 2634 0 R (page.166) 2645 0 R (page.167) 2649 0 R (page.168) 2659 0 R (page.169) 2666 0 R (page.17) 1403 0 R (page.170) 2670 0 R (page.171) 2681 0 R (page.172) 2693 0 R (page.173) 2697 0 R (page.174) 2702 0 R (page.175) 2708 0 R (page.176) 2719 0 R (page.177) 2729 0 R (page.178) 2736 0 R (page.179) 2743 0 R (page.18) 1409 0 R (page.180) 2752 0 R (page.181) 2764 0 R (page.182) 2773 0 R (page.183) 2787 0 R (page.184) 2801 0 R (page.19) 1414 0 R (page.2) 970 0 R (page.20) 1419 0 R (page.21) 1428 0 R (page.22) 1437 0 R (page.23) 1444 0 R (page.24) 1450 0 R (page.25) 1455 0 R (page.26) 1465 0 R (page.27) 1474 0 R (page.28) 1482 0 R (page.29) 1492 0 R (page.3) 1270 0 R (page.30) 1501 0 R (page.31) 1508 0 R (page.32) 1514 0 R (page.33) 1519 0 R (page.34) 1528 0 R (page.35) 1534 0 R (page.36) 1540 0 R (page.37) 1550 0 R (page.38) 1557 0 R (page.39) 1561 0 R (page.4) 1281 0 R (page.40) 1571 0 R (page.41) 1575 0 R (page.42) 1582 0 R (page.43) 1592 0 R (page.44) 1600 0 R (page.45) 1608 0 R (page.46) 1620 0 R (page.47) 1626 0 R (page.48) 1632 0 R (page.49) 1639 0 R (page.5) 1288 0 R (page.50) 1643 0 R (page.51) 1650 0 R (page.52) 1655 0 R (page.53) 1665 0 R (page.54) 1669 0 R (page.55) 1674 0 R (page.56) 1678 0 R (page.57) 1682 0 R (page.58) 1686 0 R (page.59) 1693 0 R (page.6) 1300 0 R (page.60) 1698 0 R (page.61) 1705 0 R (page.62) 1711 0 R (page.63) 1716 0 R (page.64) 1725 0 R (page.65) 1729 0 R (page.66) 1733 0 R (page.67) 1741 0 R (page.68) 1750 0 R (page.69) 1757 0 R (page.7) 1306 0 R (page.70) 1763 0 R (page.71) 1767 0 R (page.72) 1771 0 R (page.73) 1776 0 R (page.74) 1784 0 R (page.75) 1790 0 R (page.76) 1796 0 R (page.77) 1803 0 R (page.78) 1810 0 R (page.79) 1817 0 R (page.8) 1314 0 R (page.80) 1823 0 R (page.81) 1831 0 R (page.82) 1835 0 R (page.83) 1839 0 R (page.84) 1843 0 R (page.85) 1849 0 R (page.86) 1855 0 R (page.87) 1859 0 R (page.88) 1863 0 R (page.89) 1868 0 R (page.9) 1323 0 R (page.90) 1875 0 R (page.91) 1889 0 R (page.92) 1894 0 R (page.93) 1899 0 R (page.94) 1903 0 R (page.95) 1907 0 R (page.96) 1911 0 R (page.97) 1920 0 R (page.98) 1924 0 R (page.99) 1928 0 R (page.i) 980 0 R (page.ii) 1035 0 R (page.iii) 1099 0 R (page.iv) 1162 0 R (page.v) 1224 0 R (pkcs11) 1502 0 R (proposed_standards) 1399 0 R (query_address) 1759 0 R (rfc5011.support) 1493 0 R (rfcs) 1266 0 R (rndc) 1604 0 R (root_delegation_only) 1935 0 R (rrset_ordering) 1319 0 R (sample_configuration) 1308 0 R (section*.10) 2304 0 R (section*.100) 2629 0 R (section*.101) 2630 0 R (section*.102) 2635 0 R (section*.103) 2636 0 R (section*.104) 2638 0 R (section*.105) 2639 0 R (section*.106) 2640 0 R (section*.107) 2641 0 R (section*.108) 2650 0 R (section*.109) 2651 0 R (section*.11) 2314 0 R (section*.110) 2652 0 R (section*.111) 2654 0 R (section*.112) 2655 0 R (section*.113) 2660 0 R (section*.114) 2661 0 R (section*.115) 2671 0 R (section*.116) 2672 0 R (section*.117) 2673 0 R (section*.118) 2674 0 R (section*.119) 2675 0 R (section*.12) 2334 0 R (section*.120) 2677 0 R (section*.121) 2682 0 R (section*.122) 2683 0 R (section*.123) 2684 0 R (section*.124) 2685 0 R (section*.125) 2687 0 R (section*.126) 2688 0 R (section*.127) 2689 0 R (section*.128) 2698 0 R (section*.129) 2703 0 R (section*.13) 2346 0 R (section*.130) 2709 0 R (section*.131) 2710 0 R (section*.132) 2711 0 R (section*.133) 2713 0 R (section*.134) 2714 0 R (section*.135) 2715 0 R (section*.136) 2720 0 R (section*.137) 2721 0 R (section*.138) 2722 0 R (section*.139) 2723 0 R (section*.14) 2372 0 R (section*.140) 2725 0 R (section*.141) 2730 0 R (section*.142) 2731 0 R (section*.143) 2732 0 R (section*.144) 2737 0 R (section*.145) 2738 0 R (section*.146) 2739 0 R (section*.147) 2745 0 R (section*.148) 2746 0 R (section*.149) 2747 0 R (section*.15) 2422 0 R (section*.150) 2748 0 R (section*.151) 2753 0 R (section*.152) 2754 0 R (section*.153) 2755 0 R (section*.154) 2757 0 R (section*.155) 2758 0 R (section*.156) 2759 0 R (section*.157) 2765 0 R (section*.158) 2766 0 R (section*.159) 2767 0 R (section*.16) 2423 0 R (section*.160) 2769 0 R (section*.161) 2774 0 R (section*.162) 2775 0 R (section*.163) 2776 0 R (section*.164) 2777 0 R (section*.165) 2779 0 R (section*.166) 2780 0 R (section*.167) 2781 0 R (section*.168) 2782 0 R (section*.169) 2783 0 R (section*.17) 2424 0 R (section*.170) 2788 0 R (section*.171) 2790 0 R (section*.172) 2791 0 R (section*.173) 2792 0 R (section*.174) 2793 0 R (section*.175) 2794 0 R (section*.176) 2795 0 R (section*.177) 2797 0 R (section*.178) 2802 0 R (section*.179) 2803 0 R (section*.18) 2429 0 R (section*.180) 2804 0 R (section*.181) 2805 0 R (section*.182) 2806 0 R (section*.19) 2430 0 R (section*.2) 2170 0 R (section*.20) 2436 0 R (section*.21) 2449 0 R (section*.22) 2450 0 R (section*.23) 2451 0 R (section*.24) 2452 0 R (section*.25) 2453 0 R (section*.26) 2459 0 R (section*.27) 2460 0 R (section*.28) 2461 0 R (section*.29) 2466 0 R (section*.3) 2177 0 R (section*.30) 2467 0 R (section*.31) 2468 0 R (section*.32) 2470 0 R (section*.33) 2471 0 R (section*.34) 2472 0 R (section*.35) 2478 0 R (section*.36) 2479 0 R (section*.37) 2480 0 R (section*.38) 2482 0 R (section*.39) 2483 0 R (section*.4) 2185 0 R (section*.40) 2484 0 R (section*.41) 2489 0 R (section*.42) 2490 0 R (section*.43) 2491 0 R (section*.44) 2497 0 R (section*.45) 2498 0 R (section*.46) 2499 0 R (section*.47) 2500 0 R (section*.48) 2505 0 R (section*.49) 2506 0 R (section*.5) 2210 0 R (section*.50) 2507 0 R (section*.51) 2508 0 R (section*.52) 2509 0 R (section*.53) 2511 0 R (section*.54) 2512 0 R (section*.55) 2517 0 R (section*.56) 2518 0 R (section*.57) 2523 0 R (section*.58) 2524 0 R (section*.59) 2530 0 R (section*.6) 2222 0 R (section*.60) 2531 0 R (section*.61) 2532 0 R (section*.62) 2533 0 R (section*.63) 2534 0 R (section*.64) 2535 0 R (section*.65) 2544 0 R (section*.66) 2549 0 R (section*.67) 2550 0 R (section*.68) 2555 0 R (section*.69) 2556 0 R (section*.7) 2236 0 R (section*.70) 2558 0 R (section*.71) 2559 0 R (section*.72) 2560 0 R (section*.73) 2561 0 R (section*.74) 2566 0 R (section*.75) 2567 0 R (section*.76) 2568 0 R (section*.77) 2569 0 R (section*.78) 2570 0 R (section*.79) 2571 0 R (section*.8) 2274 0 R (section*.80) 2577 0 R (section*.81) 2578 0 R (section*.82) 2583 0 R (section*.83) 2584 0 R (section*.84) 2586 0 R (section*.85) 2587 0 R (section*.86) 2588 0 R (section*.87) 2589 0 R (section*.88) 2606 0 R (section*.89) 2607 0 R (section*.9) 2292 0 R (section*.90) 2608 0 R (section*.91) 2615 0 R (section*.92) 2616 0 R (section*.93) 2617 0 R (section*.94) 2618 0 R (section*.95) 2619 0 R (section*.96) 2624 0 R (section*.97) 2626 0 R (section*.98) 2627 0 R (section*.99) 2628 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.10) 274 0 R (section.4.11) 286 0 R (section.4.12) 338 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 354 0 R (section.5.2) 358 0 R (section.6.1) 366 0 R (section.6.2) 394 0 R (section.6.3) 618 0 R (section.6.4) 674 0 R (section.7.1) 710 0 R (section.7.2) 714 0 R (section.7.3) 726 0 R (section.8.1) 734 0 R (section.8.2) 742 0 R (section.8.3) 746 0 R (section.A.1) 754 0 R (section.A.2) 762 0 R (section.A.3) 770 0 R (section.A.4) 786 0 R (section.B.1) 846 0 R (section.B.10) 882 0 R (section.B.11) 886 0 R (section.B.12) 890 0 R (section.B.13) 894 0 R (section.B.14) 898 0 R (section.B.15) 902 0 R (section.B.16) 906 0 R (section.B.17) 910 0 R (section.B.18) 914 0 R (section.B.19) 918 0 R (section.B.2) 850 0 R (section.B.20) 922 0 R (section.B.21) 926 0 R (section.B.22) 930 0 R (section.B.23) 934 0 R (section.B.24) 938 0 R (section.B.3) 854 0 R (section.B.4) 858 0 R (section.B.5) 862 0 R (section.B.6) 866 0 R (section.B.7) 870 0 R (section.B.8) 874 0 R (section.B.9) 878 0 R (server_resource_limits) 1785 0 R (server_statement_definition_and_usage) 1721 0 R (server_statement_grammar) 1864 0 R (statistics) 2075 0 R (statistics_counters) 2084 0 R (statschannels) 1871 0 R (statsfile) 1689 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.10.1) 278 0 R (subsection.4.10.2) 282 0 R (subsection.4.11.1) 290 0 R (subsection.4.11.2) 306 0 R (subsection.4.11.3) 322 0 R (subsection.4.11.4) 326 0 R (subsection.4.11.5) 330 0 R (subsection.4.11.6) 334 0 R (subsection.4.12.1) 342 0 R (subsection.4.12.2) 346 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.10) 258 0 R (subsection.4.9.11) 262 0 R (subsection.4.9.12) 266 0 R (subsection.4.9.13) 270 0 R (subsection.4.9.2) 226 0 R (subsection.4.9.3) 230 0 R (subsection.4.9.4) 234 0 R (subsection.4.9.5) 238 0 R (subsection.4.9.6) 242 0 R (subsection.4.9.7) 246 0 R (subsection.4.9.8) 250 0 R (subsection.4.9.9) 254 0 R (subsection.6.1.1) 370 0 R (subsection.6.1.2) 382 0 R (subsection.6.2.1) 398 0 R (subsection.6.2.10) 434 0 R (subsection.6.2.11) 450 0 R (subsection.6.2.12) 454 0 R (subsection.6.2.13) 458 0 R (subsection.6.2.14) 462 0 R (subsection.6.2.15) 466 0 R (subsection.6.2.16) 470 0 R (subsection.6.2.17) 554 0 R (subsection.6.2.18) 558 0 R (subsection.6.2.19) 562 0 R (subsection.6.2.2) 402 0 R (subsection.6.2.20) 566 0 R (subsection.6.2.21) 570 0 R (subsection.6.2.22) 574 0 R (subsection.6.2.23) 578 0 R (subsection.6.2.24) 582 0 R (subsection.6.2.25) 586 0 R (subsection.6.2.26) 590 0 R (subsection.6.2.27) 594 0 R (subsection.6.2.28) 598 0 R (subsection.6.2.3) 406 0 R (subsection.6.2.4) 410 0 R (subsection.6.2.5) 414 0 R (subsection.6.2.6) 418 0 R (subsection.6.2.7) 422 0 R (subsection.6.2.8) 426 0 R (subsection.6.2.9) 430 0 R (subsection.6.3.1) 622 0 R (subsection.6.3.2) 634 0 R (subsection.6.3.3) 638 0 R (subsection.6.3.4) 642 0 R (subsection.6.3.5) 646 0 R (subsection.6.3.6) 666 0 R (subsection.6.3.7) 670 0 R (subsection.6.4.1) 682 0 R (subsection.7.2.1) 718 0 R (subsection.7.2.2) 722 0 R (subsection.8.1.1) 738 0 R (subsection.A.1.1) 758 0 R (subsection.A.2.1) 766 0 R (subsection.A.3.1) 774 0 R (subsection.A.3.2) 778 0 R (subsection.A.3.3) 782 0 R (subsection.A.4.1) 790 0 R (subsection.A.4.2) 794 0 R (subsection.A.4.3) 798 0 R (subsection.A.4.4) 802 0 R (subsection.A.4.5) 806 0 R (subsection.A.4.6) 810 0 R (subsection.A.4.7) 838 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.11.1.1) 294 0 R (subsubsection.4.11.1.2) 298 0 R (subsubsection.4.11.1.3) 302 0 R (subsubsection.4.11.2.1) 310 0 R (subsubsection.4.11.2.2) 314 0 R (subsubsection.4.11.2.3) 318 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 374 0 R (subsubsection.6.1.1.2) 378 0 R (subsubsection.6.1.2.1) 386 0 R (subsubsection.6.1.2.2) 390 0 R (subsubsection.6.2.10.1) 438 0 R (subsubsection.6.2.10.2) 442 0 R (subsubsection.6.2.10.3) 446 0 R (subsubsection.6.2.16.1) 474 0 R (subsubsection.6.2.16.10) 510 0 R (subsubsection.6.2.16.11) 514 0 R (subsubsection.6.2.16.12) 518 0 R (subsubsection.6.2.16.13) 522 0 R (subsubsection.6.2.16.14) 526 0 R (subsubsection.6.2.16.15) 530 0 R (subsubsection.6.2.16.16) 534 0 R (subsubsection.6.2.16.17) 538 0 R (subsubsection.6.2.16.18) 542 0 R (subsubsection.6.2.16.19) 546 0 R (subsubsection.6.2.16.2) 478 0 R (subsubsection.6.2.16.20) 550 0 R (subsubsection.6.2.16.3) 482 0 R (subsubsection.6.2.16.4) 486 0 R (subsubsection.6.2.16.5) 490 0 R (subsubsection.6.2.16.6) 494 0 R (subsubsection.6.2.16.7) 498 0 R (subsubsection.6.2.16.8) 502 0 R (subsubsection.6.2.16.9) 506 0 R (subsubsection.6.2.28.1) 602 0 R (subsubsection.6.2.28.2) 606 0 R (subsubsection.6.2.28.3) 610 0 R (subsubsection.6.2.28.4) 614 0 R (subsubsection.6.3.1.1) 626 0 R (subsubsection.6.3.1.2) 630 0 R (subsubsection.6.3.5.1) 650 0 R (subsubsection.6.3.5.2) 654 0 R (subsubsection.6.3.5.3) 658 0 R (subsubsection.6.3.5.4) 662 0 R (subsubsection.6.4.0.1) 678 0 R (subsubsection.6.4.1.1) 686 0 R (subsubsection.6.4.1.2) 690 0 R (subsubsection.6.4.1.3) 694 0 R (subsubsection.6.4.1.4) 698 0 R (subsubsection.6.4.1.5) 702 0 R (subsubsection.A.4.6.1) 814 0 R (subsubsection.A.4.6.2) 818 0 R (subsubsection.A.4.6.3) 822 0 R (subsubsection.A.4.6.4) 826 0 R (subsubsection.A.4.6.5) 830 0 R (subsubsection.A.4.6.6) 834 0 R (table.1.1) 1250 0 R (table.1.2) 1258 0 R (table.3.1) 1317 0 R (table.3.2) 1367 0 R (table.6.1) 1565 0 R (table.6.10) 2015 0 R (table.6.11) 2021 0 R (table.6.12) 2027 0 R (table.6.13) 2035 0 R (table.6.14) 2037 0 R (table.6.15) 2044 0 R (table.6.16) 2047 0 R (table.6.17) 2050 0 R (table.6.18) 2066 0 R (table.6.19) 2077 0 R (table.6.2) 1587 0 R (table.6.20) 2087 0 R (table.6.21) 2095 0 R (table.6.22) 2098 0 R (table.6.23) 2106 0 R (table.6.3) 1596 0 R (table.6.4) 1634 0 R (table.6.5) 1646 0 R (table.6.6) 1707 0 R (table.6.7) 1806 0 R (table.6.8) 1915 0 R (table.6.9) 2001 0 R (the_category_phrase) 1628 0 R (the_sortlist_statement) 1797 0 R (topology) 1792 0 R (trusted-keys) 1882 0 R (tsig) 1415 0 R (tuning) 1811 0 R (types_of_resource_records_and_when_to_use_them) 1265 0 R (view_statement_grammar) 1827 0 R (zone_statement_grammar) 1746 0 R (zone_transfers) 1389 0 R (zonefile_format) 1819 0 R]
-/Limits [(Access_Control_Lists) (zonefile_format)]
->> endobj
-2834 0 obj <<
-/Kids [2833 0 R]
->> endobj
-2835 0 obj <<
-/Dests 2834 0 R
->> endobj
-2836 0 obj <<
-/Type /Catalog
-/Pages 2831 0 R
-/Outlines 2832 0 R
-/Names 2835 0 R
-/PageMode /UseOutlines 
-/OpenAction 941 0 R
->> endobj
-2837 0 obj <<
-/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20130516011446Z)
-/PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
->> endobj
-xref
-0 2838
-0000000001 65535 f 
-0000000002 00000 f 
-0000000003 00000 f 
-0000000004 00000 f 
-0000000000 00000 f 
-0000000009 00000 n 
-0000349585 00000 n 
-0001223461 00000 n 
-0000000054 00000 n 
-0000000086 00000 n 
-0000349712 00000 n 
-0001223389 00000 n 
-0000000133 00000 n 
-0000000173 00000 n 
-0000349840 00000 n 
-0001223303 00000 n 
-0000000221 00000 n 
-0000000273 00000 n 
-0000349968 00000 n 
-0001223217 00000 n 
-0000000321 00000 n 
-0000000377 00000 n 
-0000354254 00000 n 
-0001223107 00000 n 
-0000000425 00000 n 
-0000000478 00000 n 
-0000354381 00000 n 
-0001223033 00000 n 
-0000000531 00000 n 
-0000000572 00000 n 
-0000354509 00000 n 
-0001222946 00000 n 
-0000000625 00000 n 
-0000000674 00000 n 
-0000354636 00000 n 
-0001222859 00000 n 
-0000000727 00000 n 
-0000000757 00000 n 
-0000358933 00000 n 
-0001222735 00000 n 
-0000000810 00000 n 
-0000000861 00000 n 
-0000359061 00000 n 
-0001222661 00000 n 
-0000000919 00000 n 
-0000000964 00000 n 
-0000359189 00000 n 
-0001222574 00000 n 
-0000001022 00000 n 
-0000001062 00000 n 
-0000359317 00000 n 
-0001222500 00000 n 
-0000001120 00000 n 
-0000001162 00000 n 
-0000362302 00000 n 
-0001222376 00000 n 
-0000001215 00000 n 
-0000001260 00000 n 
-0000362430 00000 n 
-0001222315 00000 n 
-0000001318 00000 n 
-0000001355 00000 n 
-0000362558 00000 n 
-0001222241 00000 n 
-0000001408 00000 n 
-0000001463 00000 n 
-0000365505 00000 n 
-0001222116 00000 n 
-0000001509 00000 n 
-0000001556 00000 n 
-0000365633 00000 n 
-0001222042 00000 n 
-0000001604 00000 n 
-0000001648 00000 n 
-0000365761 00000 n 
-0001221955 00000 n 
-0000001696 00000 n 
-0000001735 00000 n 
-0000365889 00000 n 
-0001221868 00000 n 
-0000001783 00000 n 
-0000001825 00000 n 
-0000366016 00000 n 
-0001221781 00000 n 
-0000001873 00000 n 
-0000001936 00000 n 
-0000367093 00000 n 
-0001221707 00000 n 
-0000001984 00000 n 
-0000002034 00000 n 
-0000368752 00000 n 
-0001221579 00000 n 
-0000002080 00000 n 
-0000002126 00000 n 
-0000368879 00000 n 
-0001221466 00000 n 
-0000002174 00000 n 
-0000002218 00000 n 
-0000369007 00000 n 
-0001221390 00000 n 
-0000002271 00000 n 
-0000002323 00000 n 
-0000369135 00000 n 
-0001221313 00000 n 
-0000002377 00000 n 
-0000002436 00000 n 
-0000371584 00000 n 
-0001221222 00000 n 
-0000002485 00000 n 
-0000002523 00000 n 
-0000374922 00000 n 
-0001221105 00000 n 
-0000002572 00000 n 
-0000002618 00000 n 
-0000375050 00000 n 
-0001220987 00000 n 
-0000002672 00000 n 
-0000002739 00000 n 
-0000375178 00000 n 
-0001220908 00000 n 
-0000002798 00000 n 
-0000002842 00000 n 
-0000375307 00000 n 
-0001220829 00000 n 
-0000002901 00000 n 
-0000002949 00000 n 
-0000393344 00000 n 
-0001220750 00000 n 
-0000003003 00000 n 
-0000003036 00000 n 
-0000398572 00000 n 
-0001220617 00000 n 
-0000003083 00000 n 
-0000003126 00000 n 
-0000398701 00000 n 
-0001220538 00000 n 
-0000003175 00000 n 
-0000003205 00000 n 
-0000398830 00000 n 
-0001220406 00000 n 
-0000003254 00000 n 
-0000003292 00000 n 
-0000403339 00000 n 
-0001220341 00000 n 
-0000003346 00000 n 
-0000003388 00000 n 
-0000403468 00000 n 
-0001220248 00000 n 
-0000003437 00000 n 
-0000003496 00000 n 
-0000403597 00000 n 
-0001220116 00000 n 
-0000003545 00000 n 
-0000003578 00000 n 
-0000407515 00000 n 
-0001220051 00000 n 
-0000003632 00000 n 
-0000003681 00000 n 
-0000410529 00000 n 
-0001219919 00000 n 
-0000003730 00000 n 
-0000003758 00000 n 
-0000413309 00000 n 
-0001219801 00000 n 
-0000003812 00000 n 
-0000003881 00000 n 
-0000413438 00000 n 
-0001219722 00000 n 
-0000003940 00000 n 
-0000003988 00000 n 
-0000413566 00000 n 
-0001219643 00000 n 
-0000004047 00000 n 
-0000004092 00000 n 
-0000413695 00000 n 
-0001219550 00000 n 
-0000004146 00000 n 
-0000004214 00000 n 
-0000413824 00000 n 
-0001219457 00000 n 
-0000004268 00000 n 
-0000004338 00000 n 
-0000417493 00000 n 
-0001219364 00000 n 
-0000004392 00000 n 
-0000004455 00000 n 
-0000417622 00000 n 
-0001219271 00000 n 
-0000004509 00000 n 
-0000004564 00000 n 
-0000417750 00000 n 
-0001219192 00000 n 
-0000004618 00000 n 
-0000004650 00000 n 
-0000417878 00000 n 
-0001219099 00000 n 
-0000004699 00000 n 
-0000004727 00000 n 
-0000421647 00000 n 
-0001219006 00000 n 
-0000004776 00000 n 
-0000004808 00000 n 
-0000421776 00000 n 
-0001218874 00000 n 
-0000004857 00000 n 
-0000004887 00000 n 
-0000421905 00000 n 
-0001218795 00000 n 
-0000004941 00000 n 
-0000004982 00000 n 
-0000425703 00000 n 
-0001218702 00000 n 
-0000005036 00000 n 
-0000005078 00000 n 
-0000425832 00000 n 
-0001218623 00000 n 
-0000005132 00000 n 
-0000005177 00000 n 
-0000431155 00000 n 
-0001218490 00000 n 
-0000005226 00000 n 
-0000005294 00000 n 
-0000431284 00000 n 
-0001218411 00000 n 
-0000005348 00000 n 
-0000005408 00000 n 
-0000431413 00000 n 
-0001218318 00000 n 
-0000005462 00000 n 
-0000005513 00000 n 
-0000435680 00000 n 
-0001218225 00000 n 
-0000005567 00000 n 
-0000005621 00000 n 
-0000438662 00000 n 
-0001218132 00000 n 
-0000005675 00000 n 
-0000005721 00000 n 
-0000438791 00000 n 
-0001218039 00000 n 
-0000005775 00000 n 
-0000005817 00000 n 
-0000438920 00000 n 
-0001217946 00000 n 
-0000005871 00000 n 
-0000005922 00000 n 
-0000439049 00000 n 
-0001217853 00000 n 
-0000005976 00000 n 
-0000006025 00000 n 
-0000441808 00000 n 
-0001217760 00000 n 
-0000006079 00000 n 
-0000006136 00000 n 
-0000441937 00000 n 
-0001217667 00000 n 
-0000006190 00000 n 
-0000006245 00000 n 
-0000442066 00000 n 
-0001217574 00000 n 
-0000006300 00000 n 
-0000006356 00000 n 
-0000442194 00000 n 
-0001217481 00000 n 
-0000006411 00000 n 
-0000006472 00000 n 
-0000442322 00000 n 
-0001217388 00000 n 
-0000006527 00000 n 
-0000006573 00000 n 
-0000442451 00000 n 
-0001217309 00000 n 
-0000006628 00000 n 
-0000006671 00000 n 
-0000446315 00000 n 
-0001217177 00000 n 
-0000006721 00000 n 
-0000006777 00000 n 
-0000446444 00000 n 
-0001217098 00000 n 
-0000006832 00000 n 
-0000006878 00000 n 
-0000446573 00000 n 
-0001217019 00000 n 
-0000006933 00000 n 
-0000006980 00000 n 
-0000449975 00000 n 
-0001216887 00000 n 
-0000007030 00000 n 
-0000007087 00000 n 
-0000450104 00000 n 
-0001216769 00000 n 
-0000007142 00000 n 
-0000007182 00000 n 
-0000452772 00000 n 
-0001216690 00000 n 
-0000007242 00000 n 
-0000007315 00000 n 
-0000452901 00000 n 
-0001216597 00000 n 
-0000007375 00000 n 
-0000007448 00000 n 
-0000455618 00000 n 
-0001216518 00000 n 
-0000007508 00000 n 
-0000007565 00000 n 
-0000458010 00000 n 
-0001216386 00000 n 
-0000007620 00000 n 
-0000007678 00000 n 
-0000458139 00000 n 
-0001216307 00000 n 
-0000007738 00000 n 
-0000007815 00000 n 
-0000458268 00000 n 
-0001216214 00000 n 
-0000007875 00000 n 
-0000007952 00000 n 
-0000458397 00000 n 
-0001216135 00000 n 
-0000008012 00000 n 
-0000008071 00000 n 
-0000458526 00000 n 
-0001216042 00000 n 
-0000008126 00000 n 
-0000008170 00000 n 
-0000461158 00000 n 
-0001215949 00000 n 
-0000008225 00000 n 
-0000008265 00000 n 
-0000463967 00000 n 
-0001215856 00000 n 
-0000008320 00000 n 
-0000008388 00000 n 
-0000464096 00000 n 
-0001215777 00000 n 
-0000008443 00000 n 
-0000008514 00000 n 
-0000468157 00000 n 
-0001215659 00000 n 
-0000008564 00000 n 
-0000008611 00000 n 
-0000468286 00000 n 
-0001215580 00000 n 
-0000008666 00000 n 
-0000008727 00000 n 
-0000468415 00000 n 
-0001215501 00000 n 
-0000008782 00000 n 
-0000008852 00000 n 
-0000470900 00000 n 
-0001215368 00000 n 
-0000008899 00000 n 
-0000008952 00000 n 
-0000471029 00000 n 
-0001215289 00000 n 
-0000009001 00000 n 
-0000009057 00000 n 
-0000471158 00000 n 
-0001215210 00000 n 
-0000009106 00000 n 
-0000009155 00000 n 
-0000475428 00000 n 
-0001215077 00000 n 
-0000009202 00000 n 
-0000009254 00000 n 
-0000475557 00000 n 
-0001214959 00000 n 
-0000009303 00000 n 
-0000009354 00000 n 
-0000483981 00000 n 
-0001214841 00000 n 
-0000009408 00000 n 
-0000009453 00000 n 
-0000484110 00000 n 
-0001214762 00000 n 
-0000009512 00000 n 
-0000009546 00000 n 
-0000484239 00000 n 
-0001214683 00000 n 
-0000009605 00000 n 
-0000009653 00000 n 
-0000484368 00000 n 
-0001214565 00000 n 
-0000009707 00000 n 
-0000009747 00000 n 
-0000486901 00000 n 
-0001214486 00000 n 
-0000009806 00000 n 
-0000009840 00000 n 
-0000487030 00000 n 
-0001214407 00000 n 
-0000009899 00000 n 
-0000009947 00000 n 
-0000487159 00000 n 
-0001214274 00000 n 
-0000009996 00000 n 
-0000010046 00000 n 
-0000490400 00000 n 
-0001214195 00000 n 
-0000010100 00000 n 
-0000010147 00000 n 
-0000490528 00000 n 
-0001214102 00000 n 
-0000010201 00000 n 
-0000010261 00000 n 
-0000495885 00000 n 
-0001214009 00000 n 
-0000010315 00000 n 
-0000010367 00000 n 
-0000496014 00000 n 
-0001213916 00000 n 
-0000010421 00000 n 
-0000010486 00000 n 
-0000499484 00000 n 
-0001213823 00000 n 
-0000010540 00000 n 
-0000010591 00000 n 
-0000499613 00000 n 
-0001213730 00000 n 
-0000010645 00000 n 
-0000010709 00000 n 
-0000499742 00000 n 
-0001213637 00000 n 
-0000010763 00000 n 
-0000010810 00000 n 
-0000499871 00000 n 
-0001213544 00000 n 
-0000010864 00000 n 
-0000010924 00000 n 
-0000499999 00000 n 
-0001213451 00000 n 
-0000010978 00000 n 
-0000011029 00000 n 
-0000503698 00000 n 
-0001213319 00000 n 
-0000011084 00000 n 
-0000011149 00000 n 
-0000503827 00000 n 
-0001213240 00000 n 
-0000011209 00000 n 
-0000011256 00000 n 
-0000510628 00000 n 
-0001213147 00000 n 
-0000011316 00000 n 
-0000011364 00000 n 
-0000517534 00000 n 
-0001213068 00000 n 
-0000011424 00000 n 
-0000011478 00000 n 
-0000520761 00000 n 
-0001212975 00000 n 
-0000011533 00000 n 
-0000011583 00000 n 
-0000523661 00000 n 
-0001212882 00000 n 
-0000011638 00000 n 
-0000011701 00000 n 
-0000523790 00000 n 
-0001212789 00000 n 
-0000011756 00000 n 
-0000011808 00000 n 
-0000523919 00000 n 
-0001212696 00000 n 
-0000011863 00000 n 
-0000011928 00000 n 
-0000524048 00000 n 
-0001212603 00000 n 
-0000011983 00000 n 
-0000012035 00000 n 
-0000531546 00000 n 
-0001212470 00000 n 
-0000012090 00000 n 
-0000012155 00000 n 
-0000552718 00000 n 
-0001212391 00000 n 
-0000012215 00000 n 
-0000012259 00000 n 
-0000574745 00000 n 
-0001212298 00000 n 
-0000012319 00000 n 
-0000012358 00000 n 
-0000578746 00000 n 
-0001212205 00000 n 
-0000012418 00000 n 
-0000012465 00000 n 
-0000578875 00000 n 
-0001212112 00000 n 
-0000012525 00000 n 
-0000012568 00000 n 
-0000586524 00000 n 
-0001212019 00000 n 
-0000012628 00000 n 
-0000012667 00000 n 
-0000586652 00000 n 
-0001211926 00000 n 
-0000012727 00000 n 
-0000012769 00000 n 
-0000593683 00000 n 
-0001211833 00000 n 
-0000012829 00000 n 
-0000012872 00000 n 
-0000601678 00000 n 
-0001211740 00000 n 
-0000012932 00000 n 
-0000012975 00000 n 
-0000601807 00000 n 
-0001211647 00000 n 
-0000013035 00000 n 
-0000013096 00000 n 
-0000605914 00000 n 
-0001211554 00000 n 
-0000013157 00000 n 
-0000013209 00000 n 
-0000609162 00000 n 
-0001211461 00000 n 
-0000013270 00000 n 
-0000013323 00000 n 
-0000609291 00000 n 
-0001211368 00000 n 
-0000013384 00000 n 
-0000013422 00000 n 
-0000613144 00000 n 
-0001211275 00000 n 
-0000013483 00000 n 
-0000013535 00000 n 
-0000616554 00000 n 
-0001211182 00000 n 
-0000013596 00000 n 
-0000013640 00000 n 
-0000620724 00000 n 
-0001211089 00000 n 
-0000013701 00000 n 
-0000013737 00000 n 
-0000629377 00000 n 
-0001210996 00000 n 
-0000013798 00000 n 
-0000013861 00000 n 
-0000629506 00000 n 
-0001210903 00000 n 
-0000013922 00000 n 
-0000013972 00000 n 
-0000639857 00000 n 
-0001210810 00000 n 
-0000014033 00000 n 
-0000014089 00000 n 
-0000639985 00000 n 
-0001210717 00000 n 
-0000014150 00000 n 
-0000014197 00000 n 
-0000644156 00000 n 
-0001210638 00000 n 
-0000014258 00000 n 
-0000014326 00000 n 
-0000654835 00000 n 
-0001210545 00000 n 
-0000014381 00000 n 
-0000014432 00000 n 
-0000654964 00000 n 
-0001210452 00000 n 
-0000014487 00000 n 
-0000014551 00000 n 
-0000659651 00000 n 
-0001210359 00000 n 
-0000014606 00000 n 
-0000014670 00000 n 
-0000665169 00000 n 
-0001210266 00000 n 
-0000014725 00000 n 
-0000014802 00000 n 
-0000665298 00000 n 
-0001210173 00000 n 
-0000014857 00000 n 
-0000014914 00000 n 
-0000665427 00000 n 
-0001210080 00000 n 
-0000014969 00000 n 
-0000015039 00000 n 
-0000669607 00000 n 
-0001209987 00000 n 
-0000015094 00000 n 
-0000015151 00000 n 
-0000669736 00000 n 
-0001209894 00000 n 
-0000015206 00000 n 
-0000015276 00000 n 
-0000673670 00000 n 
-0001209801 00000 n 
-0000015331 00000 n 
-0000015380 00000 n 
-0000673799 00000 n 
-0001209708 00000 n 
-0000015435 00000 n 
-0000015497 00000 n 
-0000675472 00000 n 
-0001209615 00000 n 
-0000015552 00000 n 
-0000015601 00000 n 
-0000680187 00000 n 
-0001209497 00000 n 
-0000015656 00000 n 
-0000015718 00000 n 
-0000680316 00000 n 
-0001209418 00000 n 
-0000015778 00000 n 
-0000015817 00000 n 
-0000690574 00000 n 
-0001209325 00000 n 
-0000015877 00000 n 
-0000015911 00000 n 
-0000690702 00000 n 
-0001209232 00000 n 
-0000015971 00000 n 
-0000016012 00000 n 
-0000712487 00000 n 
-0001209153 00000 n 
-0000016072 00000 n 
-0000016124 00000 n 
-0000723009 00000 n 
-0001209021 00000 n 
-0000016173 00000 n 
-0000016206 00000 n 
-0000723138 00000 n 
-0001208903 00000 n 
-0000016260 00000 n 
-0000016332 00000 n 
-0000723267 00000 n 
-0001208824 00000 n 
-0000016391 00000 n 
-0000016435 00000 n 
-0000733869 00000 n 
-0001208745 00000 n 
-0000016494 00000 n 
-0000016547 00000 n 
-0000734258 00000 n 
-0001208652 00000 n 
-0000016601 00000 n 
-0000016651 00000 n 
-0000738100 00000 n 
-0001208559 00000 n 
-0000016705 00000 n 
-0000016743 00000 n 
-0000738359 00000 n 
-0001208466 00000 n 
-0000016797 00000 n 
-0000016846 00000 n 
-0000741133 00000 n 
-0001208334 00000 n 
-0000016900 00000 n 
-0000016952 00000 n 
-0000741258 00000 n 
-0001208255 00000 n 
-0000017011 00000 n 
-0000017056 00000 n 
-0000741387 00000 n 
-0001208162 00000 n 
-0000017115 00000 n 
-0000017167 00000 n 
-0000741516 00000 n 
-0001208069 00000 n 
-0000017226 00000 n 
-0000017279 00000 n 
-0000743959 00000 n 
-0001207990 00000 n 
-0000017338 00000 n 
-0000017387 00000 n 
-0000744088 00000 n 
-0001207897 00000 n 
-0000017441 00000 n 
-0000017521 00000 n 
-0000748410 00000 n 
-0001207818 00000 n 
-0000017575 00000 n 
-0000017624 00000 n 
-0000751916 00000 n 
-0001207700 00000 n 
-0000017673 00000 n 
-0000017713 00000 n 
-0000752175 00000 n 
-0001207621 00000 n 
-0000017772 00000 n 
-0000017819 00000 n 
-0000755604 00000 n 
-0001207503 00000 n 
-0000017873 00000 n 
-0000017918 00000 n 
-0000755733 00000 n 
-0001207424 00000 n 
-0000017977 00000 n 
-0000018036 00000 n 
-0000759096 00000 n 
-0001207331 00000 n 
-0000018095 00000 n 
-0000018159 00000 n 
-0000759355 00000 n 
-0001207238 00000 n 
-0000018218 00000 n 
-0000018274 00000 n 
-0000763456 00000 n 
-0001207145 00000 n 
-0000018333 00000 n 
-0000018391 00000 n 
-0000765628 00000 n 
-0001207066 00000 n 
-0000018450 00000 n 
-0000018512 00000 n 
-0000767413 00000 n 
-0001206933 00000 n 
-0000018559 00000 n 
-0000018611 00000 n 
-0000767541 00000 n 
-0001206854 00000 n 
-0000018660 00000 n 
-0000018704 00000 n 
-0000771340 00000 n 
-0001206722 00000 n 
-0000018753 00000 n 
-0000018794 00000 n 
-0000771469 00000 n 
-0001206643 00000 n 
-0000018848 00000 n 
-0000018896 00000 n 
-0000771598 00000 n 
-0001206564 00000 n 
-0000018950 00000 n 
-0000019001 00000 n 
-0000771726 00000 n 
-0001206485 00000 n 
-0000019050 00000 n 
-0000019097 00000 n 
-0000775986 00000 n 
-0001206352 00000 n 
-0000019144 00000 n 
-0000019181 00000 n 
-0000776115 00000 n 
-0001206234 00000 n 
-0000019230 00000 n 
-0000019269 00000 n 
-0000776244 00000 n 
-0001206169 00000 n 
-0000019323 00000 n 
-0000019401 00000 n 
-0000776373 00000 n 
-0001206076 00000 n 
-0000019450 00000 n 
-0000019517 00000 n 
-0000776502 00000 n 
-0001205997 00000 n 
-0000019566 00000 n 
-0000019611 00000 n 
-0000779943 00000 n 
-0001205864 00000 n 
-0000019659 00000 n 
-0000019691 00000 n 
-0000780072 00000 n 
-0001205746 00000 n 
-0000019740 00000 n 
-0000019779 00000 n 
-0000780201 00000 n 
-0001205681 00000 n 
-0000019833 00000 n 
-0000019894 00000 n 
-0000783883 00000 n 
-0001205549 00000 n 
-0000019943 00000 n 
-0000020000 00000 n 
-0000784012 00000 n 
-0001205484 00000 n 
-0000020054 00000 n 
-0000020103 00000 n 
-0000784141 00000 n 
-0001205352 00000 n 
-0000020152 00000 n 
-0000020214 00000 n 
-0000784270 00000 n 
-0001205273 00000 n 
-0000020268 00000 n 
-0000020323 00000 n 
-0000809112 00000 n 
-0001205180 00000 n 
-0000020377 00000 n 
-0000020418 00000 n 
-0000809241 00000 n 
-0001205101 00000 n 
-0000020472 00000 n 
-0000020524 00000 n 
-0000809630 00000 n 
-0001204983 00000 n 
-0000020573 00000 n 
-0000020623 00000 n 
-0000812451 00000 n 
-0001204904 00000 n 
-0000020677 00000 n 
-0000020715 00000 n 
-0000812580 00000 n 
-0001204811 00000 n 
-0000020769 00000 n 
-0000020806 00000 n 
-0000812709 00000 n 
-0001204718 00000 n 
-0000020860 00000 n 
-0000020898 00000 n 
-0000812838 00000 n 
-0001204625 00000 n 
-0000020952 00000 n 
-0000021004 00000 n 
-0000816074 00000 n 
-0001204532 00000 n 
-0000021058 00000 n 
-0000021101 00000 n 
-0000816202 00000 n 
-0001204400 00000 n 
-0000021155 00000 n 
-0000021200 00000 n 
-0000816330 00000 n 
-0001204321 00000 n 
-0000021259 00000 n 
-0000021325 00000 n 
-0000819316 00000 n 
-0001204228 00000 n 
-0000021384 00000 n 
-0000021472 00000 n 
-0000819445 00000 n 
-0001204135 00000 n 
-0000021531 00000 n 
-0000021606 00000 n 
-0000819574 00000 n 
-0001204042 00000 n 
-0000021665 00000 n 
-0000021750 00000 n 
-0000822482 00000 n 
-0001203949 00000 n 
-0000021809 00000 n 
-0000021890 00000 n 
-0000824943 00000 n 
-0001203870 00000 n 
-0000021949 00000 n 
-0000022033 00000 n 
-0000825072 00000 n 
-0001203791 00000 n 
-0000022087 00000 n 
-0000022131 00000 n 
-0000827972 00000 n 
-0001203671 00000 n 
-0000022179 00000 n 
-0000022213 00000 n 
-0000828101 00000 n 
-0001203592 00000 n 
-0000022262 00000 n 
-0000022289 00000 n 
-0000850488 00000 n 
-0001203499 00000 n 
-0000022338 00000 n 
-0000022366 00000 n 
-0000854121 00000 n 
-0001203406 00000 n 
-0000022415 00000 n 
-0000022453 00000 n 
-0000857325 00000 n 
-0001203313 00000 n 
-0000022502 00000 n 
-0000022541 00000 n 
-0000863728 00000 n 
-0001203220 00000 n 
-0000022590 00000 n 
-0000022630 00000 n 
-0000866453 00000 n 
-0001203127 00000 n 
-0000022679 00000 n 
-0000022722 00000 n 
-0000876590 00000 n 
-0001203034 00000 n 
-0000022771 00000 n 
-0000022808 00000 n 
-0000890239 00000 n 
-0001202941 00000 n 
-0000022857 00000 n 
-0000022894 00000 n 
-0000893620 00000 n 
-0001202848 00000 n 
-0000022943 00000 n 
-0000022981 00000 n 
-0000900145 00000 n 
-0001202755 00000 n 
-0000023031 00000 n 
-0000023071 00000 n 
-0000917722 00000 n 
-0001202662 00000 n 
-0000023121 00000 n 
-0000023159 00000 n 
-0000920624 00000 n 
-0001202569 00000 n 
-0000023209 00000 n 
-0000023249 00000 n 
-0000923539 00000 n 
-0001202476 00000 n 
-0000023299 00000 n 
-0000023339 00000 n 
-0000930509 00000 n 
-0001202383 00000 n 
-0000023389 00000 n 
-0000023419 00000 n 
-0000940141 00000 n 
-0001202290 00000 n 
-0000023469 00000 n 
-0000023512 00000 n 
-0000943226 00000 n 
-0001202197 00000 n 
-0000023562 00000 n 
-0000023595 00000 n 
-0000957608 00000 n 
-0001202104 00000 n 
-0000023645 00000 n 
-0000023674 00000 n 
-0000961270 00000 n 
-0001202011 00000 n 
-0000023724 00000 n 
-0000023758 00000 n 
-0000970689 00000 n 
-0001201918 00000 n 
-0000023808 00000 n 
-0000023845 00000 n 
-0000973901 00000 n 
-0001201825 00000 n 
-0000023895 00000 n 
-0000023932 00000 n 
-0000977464 00000 n 
-0001201732 00000 n 
-0000023982 00000 n 
-0000024015 00000 n 
-0000979620 00000 n 
-0001201639 00000 n 
-0000024065 00000 n 
-0000024099 00000 n 
-0000982335 00000 n 
-0001201546 00000 n 
-0000024149 00000 n 
-0000024188 00000 n 
-0000982852 00000 n 
-0001201467 00000 n 
-0000024238 00000 n 
-0000024272 00000 n 
-0000024645 00000 n 
-0000024767 00000 n 
-0000289568 00000 n 
-0000024325 00000 n 
-0000289442 00000 n 
-0000289505 00000 n 
-0001195528 00000 n 
-0001169386 00000 n 
-0001195354 00000 n 
-0001196574 00000 n 
-0000026076 00000 n 
-0000026269 00000 n 
-0000026349 00000 n 
-0000026386 00000 n 
-0000026467 00000 n 
-0000026591 00000 n 
-0000026850 00000 n 
-0000027209 00000 n 
-0000027241 00000 n 
-0000027335 00000 n 
-0000028368 00000 n 
-0000039504 00000 n 
-0000105094 00000 n 
-0000170684 00000 n 
-0000236274 00000 n 
-0000291008 00000 n 
-0000290823 00000 n 
-0000289668 00000 n 
-0000290945 00000 n 
-0001168150 00000 n 
-0001141531 00000 n 
-0001167976 00000 n 
-0001140846 00000 n 
-0001138701 00000 n 
-0001140682 00000 n 
-0000302775 00000 n 
-0000294059 00000 n 
-0000291093 00000 n 
-0000302649 00000 n 
-0000302712 00000 n 
-0000294625 00000 n 
-0000294779 00000 n 
-0000294936 00000 n 
-0000295093 00000 n 
-0000295250 00000 n 
-0000295407 00000 n 
-0000295569 00000 n 
-0000295731 00000 n 
-0000295892 00000 n 
-0000296054 00000 n 
-0000296221 00000 n 
-0000296388 00000 n 
-0000296553 00000 n 
-0000296715 00000 n 
-0000296881 00000 n 
-0000297043 00000 n 
-0000297197 00000 n 
-0000297354 00000 n 
-0000297511 00000 n 
-0000297668 00000 n 
-0000297825 00000 n 
-0000297983 00000 n 
-0000298139 00000 n 
-0000298297 00000 n 
-0000298460 00000 n 
-0000298623 00000 n 
-0000298781 00000 n 
-0000298937 00000 n 
-0000299099 00000 n 
-0000299267 00000 n 
-0000299435 00000 n 
-0000299598 00000 n 
-0000299754 00000 n 
-0000299912 00000 n 
-0000300070 00000 n 
-0000300233 00000 n 
-0000300391 00000 n 
-0000300549 00000 n 
-0000300711 00000 n 
-0000300869 00000 n 
-0000301032 00000 n 
-0000301200 00000 n 
-0000301368 00000 n 
-0000301531 00000 n 
-0000301694 00000 n 
-0000301857 00000 n 
-0000302019 00000 n 
-0000302182 00000 n 
-0000302338 00000 n 
-0000302494 00000 n 
-0000316282 00000 n 
-0000306214 00000 n 
-0000302860 00000 n 
-0000316217 00000 n 
-0001138113 00000 n 
-0001120692 00000 n 
-0001137927 00000 n 
-0000306864 00000 n 
-0000307028 00000 n 
-0000307191 00000 n 
-0000307355 00000 n 
-0000307514 00000 n 
-0000307678 00000 n 
-0000307842 00000 n 
-0000308006 00000 n 
-0000308170 00000 n 
-0000308334 00000 n 
-0000308498 00000 n 
-0000308662 00000 n 
-0000308826 00000 n 
-0000308990 00000 n 
-0000309155 00000 n 
-0000309320 00000 n 
-0000309485 00000 n 
-0000309650 00000 n 
-0000309810 00000 n 
-0000309975 00000 n 
-0000310139 00000 n 
-0000310299 00000 n 
-0000310464 00000 n 
-0000310634 00000 n 
-0000310804 00000 n 
-0000310974 00000 n 
-0000311138 00000 n 
-0000311307 00000 n 
-0000311477 00000 n 
-0000311647 00000 n 
-0000311811 00000 n 
-0000311976 00000 n 
-0000312141 00000 n 
-0000312306 00000 n 
-0000312466 00000 n 
-0000312631 00000 n 
-0000312796 00000 n 
-0000312953 00000 n 
-0000313112 00000 n 
-0000313271 00000 n 
-0000313427 00000 n 
-0000313586 00000 n 
-0000313750 00000 n 
-0000313919 00000 n 
-0000314088 00000 n 
-0000314252 00000 n 
-0000314421 00000 n 
-0000314590 00000 n 
-0000314749 00000 n 
-0000314913 00000 n 
-0000315077 00000 n 
-0000315241 00000 n 
-0000315405 00000 n 
-0000315568 00000 n 
-0000315732 00000 n 
-0000315894 00000 n 
-0000316055 00000 n 
-0000330440 00000 n 
-0000319891 00000 n 
-0000316382 00000 n 
-0000330375 00000 n 
-0000320559 00000 n 
-0000320723 00000 n 
-0000320892 00000 n 
-0000321061 00000 n 
-0000321229 00000 n 
-0000321393 00000 n 
-0000321557 00000 n 
-0000321721 00000 n 
-0000321885 00000 n 
-0000322049 00000 n 
-0000322212 00000 n 
-0000322381 00000 n 
-0000322550 00000 n 
-0000322718 00000 n 
-0000322887 00000 n 
-0000323056 00000 n 
-0000323225 00000 n 
-0000323394 00000 n 
-0000323563 00000 n 
-0000323731 00000 n 
-0000323901 00000 n 
-0000324071 00000 n 
-0000324241 00000 n 
-0000324411 00000 n 
-0000324581 00000 n 
-0000324751 00000 n 
-0000324921 00000 n 
-0000325091 00000 n 
-0000325261 00000 n 
-0000325431 00000 n 
-0000325600 00000 n 
-0000325764 00000 n 
-0000325928 00000 n 
-0000326092 00000 n 
-0000326256 00000 n 
-0000326420 00000 n 
-0000326583 00000 n 
-0000326747 00000 n 
-0000326911 00000 n 
-0000327074 00000 n 
-0000327238 00000 n 
-0000327402 00000 n 
-0000327566 00000 n 
-0000327735 00000 n 
-0000327904 00000 n 
-0000328072 00000 n 
-0000328241 00000 n 
-0000328399 00000 n 
-0000328561 00000 n 
-0000328729 00000 n 
-0000328896 00000 n 
-0000329059 00000 n 
-0000329222 00000 n 
-0000329385 00000 n 
-0000329548 00000 n 
-0000329716 00000 n 
-0000329884 00000 n 
-0000330050 00000 n 
-0000330215 00000 n 
-0000343626 00000 n 
-0000334053 00000 n 
-0000330540 00000 n 
-0000343561 00000 n 
-0000334685 00000 n 
-0000334848 00000 n 
-0000335006 00000 n 
-0000335174 00000 n 
-0000335337 00000 n 
-0000335505 00000 n 
-0000335673 00000 n 
-0000335841 00000 n 
-0001119801 00000 n 
-0001098467 00000 n 
-0001119625 00000 n 
-0000336007 00000 n 
-0000336174 00000 n 
-0000336330 00000 n 
-0000336487 00000 n 
-0000336645 00000 n 
-0000336808 00000 n 
-0000336971 00000 n 
-0000337129 00000 n 
-0000337285 00000 n 
-0000337443 00000 n 
-0000337606 00000 n 
-0000337764 00000 n 
-0000337922 00000 n 
-0000338079 00000 n 
-0000338237 00000 n 
-0000338400 00000 n 
-0000338557 00000 n 
-0000338719 00000 n 
-0000338877 00000 n 
-0000339040 00000 n 
-0000339203 00000 n 
-0000339366 00000 n 
-0000339524 00000 n 
-0000339687 00000 n 
-0000339850 00000 n 
-0000340013 00000 n 
-0000340176 00000 n 
-0000340339 00000 n 
-0000340502 00000 n 
-0000340670 00000 n 
-0000340838 00000 n 
-0000341005 00000 n 
-0000341172 00000 n 
-0000341340 00000 n 
-0000341508 00000 n 
-0000341671 00000 n 
-0000341827 00000 n 
-0000341985 00000 n 
-0000342143 00000 n 
-0000342301 00000 n 
-0000342459 00000 n 
-0000342617 00000 n 
-0000342775 00000 n 
-0000342933 00000 n 
-0000343091 00000 n 
-0000343247 00000 n 
-0000343404 00000 n 
-0000347103 00000 n 
-0000344719 00000 n 
-0000343740 00000 n 
-0000347038 00000 n 
-0000344974 00000 n 
-0000345133 00000 n 
-0000345292 00000 n 
-0000345450 00000 n 
-0000345609 00000 n 
-0000345768 00000 n 
-0001097488 00000 n 
-0001077361 00000 n 
-0001097313 00000 n 
-0000345927 00000 n 
-0000346086 00000 n 
-0000346245 00000 n 
-0000346403 00000 n 
-0000346562 00000 n 
-0000346720 00000 n 
-0000346879 00000 n 
-0001196695 00000 n 
-0000350226 00000 n 
-0000349459 00000 n 
-0000347204 00000 n 
-0000349647 00000 n 
-0000349775 00000 n 
-0000349903 00000 n 
-0000350031 00000 n 
-0000350096 00000 n 
-0000350161 00000 n 
-0001076519 00000 n 
-0001057819 00000 n 
-0001076344 00000 n 
-0000354763 00000 n 
-0000353622 00000 n 
-0000350354 00000 n 
-0000354124 00000 n 
-0000354189 00000 n 
-0000354316 00000 n 
-0000354444 00000 n 
-0000354572 00000 n 
-0000353778 00000 n 
-0000353972 00000 n 
-0000354698 00000 n 
-0000723202 00000 n 
-0000784334 00000 n 
-0000359445 00000 n 
-0000358387 00000 n 
-0000354891 00000 n 
-0000358868 00000 n 
-0000358996 00000 n 
-0000358543 00000 n 
-0000358706 00000 n 
-0000359124 00000 n 
-0000359252 00000 n 
-0000359380 00000 n 
-0000375242 00000 n 
-0000362686 00000 n 
-0000362111 00000 n 
-0000359573 00000 n 
-0000362237 00000 n 
-0000362365 00000 n 
-0000362493 00000 n 
-0000362621 00000 n 
-0000366144 00000 n 
-0000364978 00000 n 
-0000362800 00000 n 
-0000365440 00000 n 
-0000365568 00000 n 
-0000365696 00000 n 
-0000365824 00000 n 
-0000365952 00000 n 
-0000365134 00000 n 
-0000365287 00000 n 
-0000366079 00000 n 
-0000639921 00000 n 
-0000367221 00000 n 
-0000366902 00000 n 
-0000366230 00000 n 
-0000367028 00000 n 
-0000367156 00000 n 
-0001196820 00000 n 
-0000369264 00000 n 
-0000368561 00000 n 
-0000367321 00000 n 
-0000368687 00000 n 
-0000368815 00000 n 
-0000368942 00000 n 
-0000369070 00000 n 
-0000369199 00000 n 
-0000371843 00000 n 
-0000371213 00000 n 
-0000369364 00000 n 
-0000371519 00000 n 
-0000371648 00000 n 
-0000371713 00000 n 
-0000371778 00000 n 
-0000371360 00000 n 
-0000616618 00000 n 
-0000375436 00000 n 
-0000374731 00000 n 
-0000371957 00000 n 
-0000374857 00000 n 
-0000374986 00000 n 
-0000375113 00000 n 
-0001057097 00000 n 
-0001043720 00000 n 
-0001056918 00000 n 
-0000375371 00000 n 
-0000380091 00000 n 
-0000379201 00000 n 
-0000375564 00000 n 
-0000380026 00000 n 
-0001043119 00000 n 
-0001030698 00000 n 
-0001042940 00000 n 
-0000379375 00000 n 
-0000379530 00000 n 
-0000379700 00000 n 
-0000379855 00000 n 
-0000531610 00000 n 
-0000712551 00000 n 
-0000383692 00000 n 
-0000383501 00000 n 
-0000380260 00000 n 
-0000383627 00000 n 
-0000387911 00000 n 
-0000387720 00000 n 
-0000383847 00000 n 
-0000387846 00000 n 
-0001030343 00000 n 
-0001028344 00000 n 
-0001030178 00000 n 
-0001196945 00000 n 
-0000392039 00000 n 
-0000391640 00000 n 
-0000388081 00000 n 
-0000391974 00000 n 
-0000391787 00000 n 
-0000496077 00000 n 
-0000393602 00000 n 
-0000393153 00000 n 
-0000392167 00000 n 
-0000393279 00000 n 
-0000393408 00000 n 
-0000393472 00000 n 
-0000393537 00000 n 
-0000396369 00000 n 
-0000398959 00000 n 
-0000396204 00000 n 
-0000393716 00000 n 
-0000398507 00000 n 
-0000398636 00000 n 
-0000398765 00000 n 
-0000398012 00000 n 
-0000398174 00000 n 
-0001027438 00000 n 
-0001017418 00000 n 
-0001027264 00000 n 
-0001016854 00000 n 
-0001007768 00000 n 
-0001016679 00000 n 
-0000398894 00000 n 
-0000398336 00000 n 
-0000397841 00000 n 
-0000397899 00000 n 
-0000397989 00000 n 
-0000552782 00000 n 
-0000593746 00000 n 
-0000403726 00000 n 
-0000402790 00000 n 
-0000399130 00000 n 
-0000403274 00000 n 
-0000403403 00000 n 
-0000403532 00000 n 
-0000402946 00000 n 
-0000403112 00000 n 
-0000403661 00000 n 
-0000788365 00000 n 
-0000407644 00000 n 
-0000407135 00000 n 
-0000403882 00000 n 
-0000407450 00000 n 
-0000407579 00000 n 
-0000407282 00000 n 
-0000408792 00000 n 
-0000408601 00000 n 
-0000407785 00000 n 
-0000408727 00000 n 
-0001197070 00000 n 
-0000410658 00000 n 
-0000410338 00000 n 
-0000408893 00000 n 
-0000410464 00000 n 
-0000410593 00000 n 
-0000413953 00000 n 
-0000413118 00000 n 
-0000410772 00000 n 
-0000413244 00000 n 
-0000413373 00000 n 
-0000413502 00000 n 
-0000413630 00000 n 
-0000413759 00000 n 
-0000413888 00000 n 
-0000418007 00000 n 
-0000417111 00000 n 
-0000414095 00000 n 
-0000417428 00000 n 
-0000417557 00000 n 
-0000417685 00000 n 
-0000417258 00000 n 
-0000417813 00000 n 
-0000417942 00000 n 
-0000422034 00000 n 
-0000421456 00000 n 
-0000418148 00000 n 
-0000421582 00000 n 
-0000421711 00000 n 
-0000421840 00000 n 
-0000421969 00000 n 
-0000425961 00000 n 
-0000425512 00000 n 
-0000422176 00000 n 
-0000425638 00000 n 
-0000425767 00000 n 
-0000425896 00000 n 
-0000428274 00000 n 
-0000428083 00000 n 
-0000426089 00000 n 
-0000428209 00000 n 
-0001197195 00000 n 
-0000431542 00000 n 
-0000430964 00000 n 
-0000428418 00000 n 
-0000431090 00000 n 
-0001007493 00000 n 
-0001004134 00000 n 
-0001007314 00000 n 
-0000431219 00000 n 
-0000431348 00000 n 
-0000431477 00000 n 
-0000435809 00000 n 
-0000435130 00000 n 
-0000431713 00000 n 
-0000435615 00000 n 
-0000435744 00000 n 
-0000435286 00000 n 
-0000435450 00000 n 
-0000876654 00000 n 
-0000893684 00000 n 
-0000439175 00000 n 
-0000438471 00000 n 
-0000435937 00000 n 
-0000438597 00000 n 
-0000438726 00000 n 
-0000438855 00000 n 
-0000438984 00000 n 
-0000439111 00000 n 
-0000442580 00000 n 
-0000441617 00000 n 
-0000439289 00000 n 
-0000441743 00000 n 
-0000441872 00000 n 
-0000442001 00000 n 
-0000442129 00000 n 
-0000442258 00000 n 
-0000442386 00000 n 
-0000442515 00000 n 
-0000446702 00000 n 
-0000445943 00000 n 
-0000442708 00000 n 
-0000446250 00000 n 
-0000446379 00000 n 
-0000446508 00000 n 
-0000446090 00000 n 
-0000446637 00000 n 
-0000669800 00000 n 
-0000450233 00000 n 
-0000449784 00000 n 
-0000446816 00000 n 
-0000449910 00000 n 
-0000450039 00000 n 
-0000450168 00000 n 
-0001197320 00000 n 
-0000453029 00000 n 
-0000452581 00000 n 
-0000450403 00000 n 
-0000452707 00000 n 
-0000452836 00000 n 
-0000452964 00000 n 
-0000455747 00000 n 
-0000455427 00000 n 
-0000453186 00000 n 
-0000455553 00000 n 
-0000455682 00000 n 
-0000458655 00000 n 
-0000457819 00000 n 
-0000455861 00000 n 
-0000457945 00000 n 
-0000458074 00000 n 
-0000458203 00000 n 
-0000458332 00000 n 
-0000458461 00000 n 
-0000458590 00000 n 
-0000461287 00000 n 
-0000460967 00000 n 
-0000458769 00000 n 
-0000461093 00000 n 
-0000461222 00000 n 
-0000467005 00000 n 
-0000464225 00000 n 
-0000463776 00000 n 
-0000461401 00000 n 
-0000463902 00000 n 
-0000464031 00000 n 
-0000464160 00000 n 
-0000468544 00000 n 
-0000466858 00000 n 
-0000464353 00000 n 
-0000468092 00000 n 
-0000468221 00000 n 
-0000467931 00000 n 
-0000468350 00000 n 
-0000468479 00000 n 
-0001197445 00000 n 
-0000784076 00000 n 
-0000471287 00000 n 
-0000470709 00000 n 
-0000468715 00000 n 
-0000470835 00000 n 
-0000470964 00000 n 
-0000471093 00000 n 
-0000471222 00000 n 
-0000471728 00000 n 
-0000471537 00000 n 
-0000471387 00000 n 
-0000471663 00000 n 
-0000475815 00000 n 
-0000475049 00000 n 
-0000471770 00000 n 
-0000475363 00000 n 
-0000475492 00000 n 
-0000475620 00000 n 
-0000475685 00000 n 
-0000475750 00000 n 
-0000475196 00000 n 
-0000484045 00000 n 
-0000480510 00000 n 
-0000480319 00000 n 
-0000475915 00000 n 
-0000480445 00000 n 
-0000484497 00000 n 
-0000483790 00000 n 
-0000480652 00000 n 
-0000483916 00000 n 
-0000484174 00000 n 
-0000484303 00000 n 
-0000484432 00000 n 
-0000487416 00000 n 
-0000486710 00000 n 
-0000484638 00000 n 
-0000486836 00000 n 
-0000486965 00000 n 
-0000487094 00000 n 
-0000487223 00000 n 
-0000487288 00000 n 
-0000487352 00000 n 
-0001197570 00000 n 
-0000490785 00000 n 
-0000490209 00000 n 
-0000487573 00000 n 
-0000490335 00000 n 
-0000490463 00000 n 
-0000490592 00000 n 
-0000490656 00000 n 
-0000490720 00000 n 
-0000496142 00000 n 
-0000495354 00000 n 
-0000490899 00000 n 
-0000495820 00000 n 
-0000495949 00000 n 
-0000495510 00000 n 
-0000495661 00000 n 
-0000985113 00000 n 
-0000500128 00000 n 
-0000498728 00000 n 
-0000496283 00000 n 
-0000499419 00000 n 
-0000499548 00000 n 
-0000499677 00000 n 
-0000499806 00000 n 
-0000499935 00000 n 
-0000498893 00000 n 
-0000499045 00000 n 
-0000499232 00000 n 
-0000500063 00000 n 
-0000503956 00000 n 
-0000503507 00000 n 
-0000500256 00000 n 
-0000503633 00000 n 
-0000503762 00000 n 
-0000503891 00000 n 
-0000508184 00000 n 
-0000507805 00000 n 
-0000504084 00000 n 
-0000508119 00000 n 
-0000507952 00000 n 
-0000510692 00000 n 
-0000510885 00000 n 
-0000510437 00000 n 
-0000508298 00000 n 
-0000510563 00000 n 
-0000510757 00000 n 
-0000510821 00000 n 
-0001197695 00000 n 
-0000514189 00000 n 
-0000513998 00000 n 
-0000510999 00000 n 
-0000514124 00000 n 
-0000517789 00000 n 
-0000517343 00000 n 
-0000514303 00000 n 
-0000517469 00000 n 
-0000517596 00000 n 
-0000517661 00000 n 
-0000517725 00000 n 
-0000520890 00000 n 
-0000520570 00000 n 
-0000517903 00000 n 
-0000520696 00000 n 
-0000520825 00000 n 
-0000524177 00000 n 
-0000523136 00000 n 
-0000521004 00000 n 
-0000523596 00000 n 
-0000523725 00000 n 
-0000523292 00000 n 
-0000523445 00000 n 
-0000523854 00000 n 
-0000523983 00000 n 
-0000524112 00000 n 
-0000525695 00000 n 
-0000525504 00000 n 
-0000524291 00000 n 
-0000525630 00000 n 
-0000527275 00000 n 
-0000527084 00000 n 
-0000525796 00000 n 
-0000527210 00000 n 
-0001197820 00000 n 
-0000528717 00000 n 
-0000528526 00000 n 
-0000527376 00000 n 
-0000528652 00000 n 
-0000531674 00000 n 
-0000531355 00000 n 
-0000528818 00000 n 
-0000531481 00000 n 
-0000535819 00000 n 
-0000535628 00000 n 
-0000531802 00000 n 
-0000535754 00000 n 
-0000540252 00000 n 
-0000539704 00000 n 
-0000535961 00000 n 
-0000540187 00000 n 
-0000539860 00000 n 
-0000540017 00000 n 
-0000752239 00000 n 
-0000544577 00000 n 
-0000544178 00000 n 
-0000540380 00000 n 
-0000544512 00000 n 
-0000544325 00000 n 
-0000548943 00000 n 
-0000548396 00000 n 
-0000544719 00000 n 
-0000548878 00000 n 
-0000548552 00000 n 
-0000548723 00000 n 
-0001197945 00000 n 
-0000552975 00000 n 
-0000552527 00000 n 
-0000549071 00000 n 
-0000552653 00000 n 
-0000552845 00000 n 
-0000552910 00000 n 
-0000557460 00000 n 
-0000557094 00000 n 
-0000553089 00000 n 
-0000557395 00000 n 
-0000557241 00000 n 
-0000562172 00000 n 
-0000561204 00000 n 
-0000557588 00000 n 
-0000562107 00000 n 
-0000561378 00000 n 
-0000561563 00000 n 
-0000561737 00000 n 
-0000561922 00000 n 
-0000655028 00000 n 
-0000566399 00000 n 
-0000566208 00000 n 
-0000562370 00000 n 
-0000566334 00000 n 
-0000570376 00000 n 
-0000570185 00000 n 
-0000566513 00000 n 
-0000570311 00000 n 
-0000574874 00000 n 
-0000574197 00000 n 
-0000570490 00000 n 
-0000574680 00000 n 
-0000574353 00000 n 
-0000574517 00000 n 
-0000574809 00000 n 
-0001198070 00000 n 
-0000579004 00000 n 
-0000578191 00000 n 
-0000574988 00000 n 
-0000578681 00000 n 
-0000578347 00000 n 
-0000578810 00000 n 
-0000578939 00000 n 
-0000578516 00000 n 
-0000675536 00000 n 
-0000583235 00000 n 
-0000582672 00000 n 
-0000579175 00000 n 
-0000583170 00000 n 
-0000582828 00000 n 
-0000582999 00000 n 
-0000771790 00000 n 
-0000586781 00000 n 
-0000586333 00000 n 
-0000583420 00000 n 
-0000586459 00000 n 
-0000586588 00000 n 
-0000586716 00000 n 
-0000589969 00000 n 
-0000589778 00000 n 
-0000586895 00000 n 
-0000589904 00000 n 
-0000593811 00000 n 
-0000593492 00000 n 
-0000590140 00000 n 
-0000593618 00000 n 
-0000597512 00000 n 
-0000597321 00000 n 
-0000593968 00000 n 
-0000597447 00000 n 
-0001198195 00000 n 
-0000601936 00000 n 
-0000601122 00000 n 
-0000597683 00000 n 
-0000601613 00000 n 
-0000601742 00000 n 
-0000601278 00000 n 
-0000601871 00000 n 
-0000601438 00000 n 
-0000606043 00000 n 
-0000605547 00000 n 
-0000602093 00000 n 
-0000605849 00000 n 
-0000605978 00000 n 
-0000605694 00000 n 
-0000609420 00000 n 
-0000608971 00000 n 
-0000606171 00000 n 
-0000609097 00000 n 
-0000609226 00000 n 
-0000609355 00000 n 
-0000613272 00000 n 
-0000612607 00000 n 
-0000609577 00000 n 
-0000613079 00000 n 
-0000613207 00000 n 
-0000612763 00000 n 
-0000612924 00000 n 
-0000616813 00000 n 
-0000616173 00000 n 
-0000613443 00000 n 
-0000616489 00000 n 
-0000616320 00000 n 
-0000616683 00000 n 
-0000616748 00000 n 
-0000620853 00000 n 
-0000620350 00000 n 
-0000616998 00000 n 
-0000620659 00000 n 
-0000620788 00000 n 
-0000620497 00000 n 
-0001198320 00000 n 
-0000625451 00000 n 
-0000625077 00000 n 
-0000621024 00000 n 
-0000625386 00000 n 
-0000625224 00000 n 
-0000748474 00000 n 
-0000629635 00000 n 
-0000628998 00000 n 
-0000625579 00000 n 
-0000629312 00000 n 
-0000629441 00000 n 
-0000629145 00000 n 
-0000629570 00000 n 
-0000673734 00000 n 
-0000631367 00000 n 
-0000631176 00000 n 
-0000629776 00000 n 
-0000631302 00000 n 
-0000633072 00000 n 
-0000632881 00000 n 
-0000631467 00000 n 
-0000633007 00000 n 
-0000635769 00000 n 
-0000635578 00000 n 
-0000633172 00000 n 
-0000635704 00000 n 
-0000640114 00000 n 
-0000639666 00000 n 
-0000635939 00000 n 
-0000639792 00000 n 
-0000640049 00000 n 
-0001198445 00000 n 
-0000644285 00000 n 
-0000643740 00000 n 
-0000640228 00000 n 
-0000644091 00000 n 
-0000643887 00000 n 
-0000644220 00000 n 
-0000648657 00000 n 
-0000648466 00000 n 
-0000644426 00000 n 
-0000648592 00000 n 
-0000651795 00000 n 
-0000651604 00000 n 
-0000648784 00000 n 
-0000651730 00000 n 
-0000655093 00000 n 
-0000654644 00000 n 
-0000651922 00000 n 
-0000654770 00000 n 
-0000654899 00000 n 
-0000659779 00000 n 
-0000659118 00000 n 
-0000655207 00000 n 
-0000659586 00000 n 
-0000659274 00000 n 
-0000659426 00000 n 
-0000659714 00000 n 
-0000665556 00000 n 
-0000663865 00000 n 
-0000659893 00000 n 
-0000665104 00000 n 
-0000665233 00000 n 
-0000664057 00000 n 
-0000664232 00000 n 
-0000664410 00000 n 
-0000664590 00000 n 
-0000664769 00000 n 
-0000665362 00000 n 
-0000665491 00000 n 
-0000664950 00000 n 
-0001198570 00000 n 
-0000669864 00000 n 
-0000669416 00000 n 
-0000665684 00000 n 
-0000669542 00000 n 
-0000669671 00000 n 
-0000673928 00000 n 
-0000673479 00000 n 
-0000669992 00000 n 
-0000673605 00000 n 
-0000673863 00000 n 
-0000675601 00000 n 
-0000675281 00000 n 
-0000674056 00000 n 
-0000675407 00000 n 
-0000677188 00000 n 
-0000676997 00000 n 
-0000675715 00000 n 
-0000677123 00000 n 
-0000678748 00000 n 
-0000678557 00000 n 
-0000677289 00000 n 
-0000678683 00000 n 
-0000680575 00000 n 
-0000679996 00000 n 
-0000678849 00000 n 
-0000680122 00000 n 
-0000680251 00000 n 
-0000680380 00000 n 
-0000680445 00000 n 
-0000680510 00000 n 
-0001198695 00000 n 
-0000683579 00000 n 
-0000683388 00000 n 
-0000680689 00000 n 
-0000683514 00000 n 
-0000686467 00000 n 
-0000686276 00000 n 
-0000683693 00000 n 
-0000686402 00000 n 
-0000690831 00000 n 
-0000689686 00000 n 
-0000686581 00000 n 
-0000690509 00000 n 
-0000689860 00000 n 
-0000690637 00000 n 
-0000690766 00000 n 
-0000690028 00000 n 
-0000690188 00000 n 
-0000690349 00000 n 
-0000985080 00000 n 
-0000696838 00000 n 
-0000694238 00000 n 
-0000690959 00000 n 
-0000696773 00000 n 
-0000694502 00000 n 
-0000694664 00000 n 
-0000694826 00000 n 
-0000694997 00000 n 
-0000695159 00000 n 
-0000695322 00000 n 
-0000695484 00000 n 
-0000695647 00000 n 
-0000695809 00000 n 
-0000695972 00000 n 
-0000696134 00000 n 
-0000696297 00000 n 
-0000696451 00000 n 
-0000696614 00000 n 
-0000702071 00000 n 
-0000700150 00000 n 
-0000696966 00000 n 
-0000702006 00000 n 
-0000700378 00000 n 
-0000700541 00000 n 
-0000700708 00000 n 
-0000700878 00000 n 
-0000701040 00000 n 
-0000701202 00000 n 
-0000701364 00000 n 
-0000701526 00000 n 
-0000701689 00000 n 
-0000701843 00000 n 
-0000707284 00000 n 
-0000705078 00000 n 
-0000702199 00000 n 
-0000707219 00000 n 
-0000705324 00000 n 
-0000705477 00000 n 
-0000705631 00000 n 
-0000705781 00000 n 
-0000705935 00000 n 
-0000706097 00000 n 
-0000706259 00000 n 
-0000706421 00000 n 
-0000706583 00000 n 
-0000706744 00000 n 
-0000706906 00000 n 
-0000707067 00000 n 
-0001198820 00000 n 
-0000712615 00000 n 
-0000711097 00000 n 
-0000707398 00000 n 
-0000712422 00000 n 
-0000711298 00000 n 
-0000711461 00000 n 
-0000711612 00000 n 
-0000711777 00000 n 
-0000711943 00000 n 
-0000712105 00000 n 
-0000712259 00000 n 
-0000716554 00000 n 
-0000716233 00000 n 
-0000712757 00000 n 
-0000716359 00000 n 
-0000716424 00000 n 
-0000716489 00000 n 
-0000719331 00000 n 
-0000719140 00000 n 
-0000716696 00000 n 
-0000719266 00000 n 
-0000723526 00000 n 
-0000722457 00000 n 
-0000719489 00000 n 
-0000722944 00000 n 
-0000723073 00000 n 
-0000723331 00000 n 
-0000722613 00000 n 
-0000722783 00000 n 
-0000723396 00000 n 
-0000723461 00000 n 
-0000726978 00000 n 
-0000726658 00000 n 
-0000723654 00000 n 
-0000726784 00000 n 
-0000726849 00000 n 
-0000726913 00000 n 
-0000730463 00000 n 
-0000730142 00000 n 
-0000727079 00000 n 
-0000730268 00000 n 
-0000730333 00000 n 
-0000730398 00000 n 
-0001198945 00000 n 
-0000734387 00000 n 
-0000733678 00000 n 
-0000730578 00000 n 
-0000733804 00000 n 
-0000733933 00000 n 
-0000733998 00000 n 
-0000734063 00000 n 
-0000734128 00000 n 
-0000734193 00000 n 
-0000734322 00000 n 
-0000738616 00000 n 
-0000737779 00000 n 
-0000734501 00000 n 
-0000737905 00000 n 
-0000737970 00000 n 
-0000738035 00000 n 
-0000738164 00000 n 
-0000738229 00000 n 
-0000738294 00000 n 
-0000738423 00000 n 
-0000738488 00000 n 
-0000738552 00000 n 
-0000741644 00000 n 
-0000740942 00000 n 
-0000738744 00000 n 
-0000741068 00000 n 
-0000741195 00000 n 
-0000741322 00000 n 
-0000741451 00000 n 
-0000741579 00000 n 
-0000744345 00000 n 
-0000743768 00000 n 
-0000741843 00000 n 
-0000743894 00000 n 
-0000744023 00000 n 
-0000744152 00000 n 
-0000744217 00000 n 
-0000744281 00000 n 
-0000748539 00000 n 
-0000748219 00000 n 
-0000744530 00000 n 
-0000748345 00000 n 
-0000752304 00000 n 
-0000751544 00000 n 
-0000748666 00000 n 
-0000751851 00000 n 
-0000751980 00000 n 
-0000752045 00000 n 
-0000752110 00000 n 
-0000751691 00000 n 
-0001199070 00000 n 
-0000755992 00000 n 
-0000755413 00000 n 
-0000752418 00000 n 
-0000755539 00000 n 
-0000755668 00000 n 
-0000755797 00000 n 
-0000755862 00000 n 
-0000755927 00000 n 
-0000759614 00000 n 
-0000758719 00000 n 
-0000756106 00000 n 
-0000759031 00000 n 
-0000758866 00000 n 
-0000759160 00000 n 
-0000759225 00000 n 
-0000759290 00000 n 
-0000759419 00000 n 
-0000759484 00000 n 
-0000759549 00000 n 
-0000985047 00000 n 
-0000763714 00000 n 
-0000763265 00000 n 
-0000759728 00000 n 
-0000763391 00000 n 
-0000763520 00000 n 
-0000763584 00000 n 
-0000763649 00000 n 
-0000765757 00000 n 
-0000765437 00000 n 
-0000763842 00000 n 
-0000765563 00000 n 
-0001003853 00000 n 
-0000996569 00000 n 
-0001003673 00000 n 
-0000765692 00000 n 
-0000767669 00000 n 
-0000767222 00000 n 
-0000765899 00000 n 
-0000767348 00000 n 
-0000767477 00000 n 
-0000767604 00000 n 
-0000771855 00000 n 
-0000771149 00000 n 
-0000767783 00000 n 
-0000771275 00000 n 
-0000996248 00000 n 
-0000987035 00000 n 
-0000996062 00000 n 
-0000771404 00000 n 
-0000771533 00000 n 
-0000771661 00000 n 
-0001199195 00000 n 
-0000772888 00000 n 
-0000772697 00000 n 
-0000772082 00000 n 
-0000772823 00000 n 
-0000773316 00000 n 
-0000773125 00000 n 
-0000772975 00000 n 
-0000773251 00000 n 
-0000776630 00000 n 
-0000775404 00000 n 
-0000773358 00000 n 
-0000775921 00000 n 
-0000776050 00000 n 
-0000776179 00000 n 
-0000776308 00000 n 
-0000776437 00000 n 
-0000776566 00000 n 
-0000775560 00000 n 
-0000775732 00000 n 
-0000777085 00000 n 
-0000776894 00000 n 
-0000776744 00000 n 
-0000777020 00000 n 
-0000780330 00000 n 
-0000779752 00000 n 
-0000777127 00000 n 
-0000779878 00000 n 
-0000780007 00000 n 
-0000780136 00000 n 
-0000780265 00000 n 
-0000784527 00000 n 
-0000783308 00000 n 
-0000780416 00000 n 
-0000783818 00000 n 
-0000783947 00000 n 
-0000784205 00000 n 
-0000783464 00000 n 
-0000783643 00000 n 
-0000784399 00000 n 
-0000784463 00000 n 
-0001199320 00000 n 
-0000791417 00000 n 
-0000787589 00000 n 
-0000784683 00000 n 
-0000787715 00000 n 
-0000787780 00000 n 
-0000787845 00000 n 
-0000787910 00000 n 
-0000787975 00000 n 
-0000788040 00000 n 
-0000788105 00000 n 
-0000788170 00000 n 
-0000788235 00000 n 
-0000788300 00000 n 
-0000788430 00000 n 
-0000788495 00000 n 
-0000788560 00000 n 
-0000788625 00000 n 
-0000788690 00000 n 
-0000788755 00000 n 
-0000788820 00000 n 
-0000788885 00000 n 
-0000788950 00000 n 
-0000789015 00000 n 
-0000789080 00000 n 
-0000789145 00000 n 
-0000789210 00000 n 
-0000789275 00000 n 
-0000789340 00000 n 
-0000789405 00000 n 
-0000789470 00000 n 
-0000789535 00000 n 
-0000789600 00000 n 
-0000789665 00000 n 
-0000789730 00000 n 
-0000789795 00000 n 
-0000789860 00000 n 
-0000789925 00000 n 
-0000789989 00000 n 
-0000790054 00000 n 
-0000790119 00000 n 
-0000790184 00000 n 
-0000790249 00000 n 
-0000790314 00000 n 
-0000790379 00000 n 
-0000790444 00000 n 
-0000790509 00000 n 
-0000790574 00000 n 
-0000790639 00000 n 
-0000790704 00000 n 
-0000790769 00000 n 
-0000790834 00000 n 
-0000790899 00000 n 
-0000790964 00000 n 
-0000791029 00000 n 
-0000791094 00000 n 
-0000791159 00000 n 
-0000791224 00000 n 
-0000791289 00000 n 
-0000791353 00000 n 
-0000798065 00000 n 
-0000794501 00000 n 
-0000791531 00000 n 
-0000794627 00000 n 
-0000794692 00000 n 
-0000794757 00000 n 
-0000794822 00000 n 
-0000794887 00000 n 
-0000794952 00000 n 
-0000795017 00000 n 
-0000795082 00000 n 
-0000795147 00000 n 
-0000795212 00000 n 
-0000795277 00000 n 
-0000795342 00000 n 
-0000795406 00000 n 
-0000795471 00000 n 
-0000795536 00000 n 
-0000795601 00000 n 
-0000795666 00000 n 
-0000795731 00000 n 
-0000795796 00000 n 
-0000795861 00000 n 
-0000795926 00000 n 
-0000795991 00000 n 
-0000796056 00000 n 
-0000796121 00000 n 
-0000796185 00000 n 
-0000796250 00000 n 
-0000796315 00000 n 
-0000796380 00000 n 
-0000796445 00000 n 
-0000796510 00000 n 
-0000796575 00000 n 
-0000796640 00000 n 
-0000796705 00000 n 
-0000796770 00000 n 
-0000796835 00000 n 
-0000796900 00000 n 
-0000796965 00000 n 
-0000797030 00000 n 
-0000797095 00000 n 
-0000797160 00000 n 
-0000797224 00000 n 
-0000797288 00000 n 
-0000797352 00000 n 
-0000797417 00000 n 
-0000797482 00000 n 
-0000797547 00000 n 
-0000797612 00000 n 
-0000797677 00000 n 
-0000797742 00000 n 
-0000797807 00000 n 
-0000797872 00000 n 
-0000797937 00000 n 
-0000798001 00000 n 
-0000804240 00000 n 
-0000800802 00000 n 
-0000798179 00000 n 
-0000800928 00000 n 
-0000800993 00000 n 
-0000801058 00000 n 
-0000801123 00000 n 
-0000801188 00000 n 
-0000801253 00000 n 
-0000801318 00000 n 
-0000801383 00000 n 
-0000801448 00000 n 
-0000801513 00000 n 
-0000801578 00000 n 
-0000801643 00000 n 
-0000801708 00000 n 
-0000801773 00000 n 
-0000801838 00000 n 
-0000801903 00000 n 
-0000801968 00000 n 
-0000802033 00000 n 
-0000802098 00000 n 
-0000802163 00000 n 
-0000802228 00000 n 
-0000802293 00000 n 
-0000802358 00000 n 
-0000802423 00000 n 
-0000802488 00000 n 
-0000802553 00000 n 
-0000802618 00000 n 
-0000802683 00000 n 
-0000802748 00000 n 
-0000802813 00000 n 
-0000802878 00000 n 
-0000802943 00000 n 
-0000803008 00000 n 
-0000803073 00000 n 
-0000803137 00000 n 
-0000803202 00000 n 
-0000803267 00000 n 
-0000803332 00000 n 
-0000803397 00000 n 
-0000803462 00000 n 
-0000803527 00000 n 
-0000803592 00000 n 
-0000803657 00000 n 
-0000803722 00000 n 
-0000803787 00000 n 
-0000803852 00000 n 
-0000803917 00000 n 
-0000803982 00000 n 
-0000804047 00000 n 
-0000804112 00000 n 
-0000804176 00000 n 
-0000809759 00000 n 
-0000807363 00000 n 
-0000804354 00000 n 
-0000807489 00000 n 
-0000807554 00000 n 
-0000807619 00000 n 
-0000807684 00000 n 
-0000807749 00000 n 
-0000807814 00000 n 
-0000807879 00000 n 
-0000807944 00000 n 
-0000808009 00000 n 
-0000808074 00000 n 
-0000808139 00000 n 
-0000808204 00000 n 
-0000808269 00000 n 
-0000808333 00000 n 
-0000808398 00000 n 
-0000808463 00000 n 
-0000808528 00000 n 
-0000808593 00000 n 
-0000808658 00000 n 
-0000808723 00000 n 
-0000808788 00000 n 
-0000808853 00000 n 
-0000808918 00000 n 
-0000808983 00000 n 
-0000809048 00000 n 
-0000809176 00000 n 
-0000809305 00000 n 
-0000809370 00000 n 
-0000809435 00000 n 
-0000809500 00000 n 
-0000809565 00000 n 
-0000809694 00000 n 
-0000812967 00000 n 
-0000812260 00000 n 
-0000809886 00000 n 
-0000812386 00000 n 
-0000812515 00000 n 
-0000812644 00000 n 
-0000812773 00000 n 
-0000812902 00000 n 
-0000816459 00000 n 
-0000815702 00000 n 
-0000813094 00000 n 
-0000816009 00000 n 
-0000816138 00000 n 
-0000815849 00000 n 
-0000816266 00000 n 
-0000816394 00000 n 
-0001199445 00000 n 
-0000819703 00000 n 
-0000819125 00000 n 
-0000816586 00000 n 
-0000819251 00000 n 
-0000819380 00000 n 
-0000819509 00000 n 
-0000819638 00000 n 
-0000822611 00000 n 
-0000822291 00000 n 
-0000819817 00000 n 
-0000822417 00000 n 
-0000822546 00000 n 
-0000825201 00000 n 
-0000824752 00000 n 
-0000822781 00000 n 
-0000824878 00000 n 
-0000825007 00000 n 
-0000825136 00000 n 
-0000825642 00000 n 
-0000825451 00000 n 
-0000825301 00000 n 
-0000825577 00000 n 
-0000828425 00000 n 
-0000827781 00000 n 
-0000825684 00000 n 
-0000827907 00000 n 
-0000828036 00000 n 
-0000828165 00000 n 
-0000828230 00000 n 
-0000828295 00000 n 
-0000828360 00000 n 
-0000832759 00000 n 
-0000832438 00000 n 
-0000828539 00000 n 
-0000832564 00000 n 
-0000832629 00000 n 
-0000832694 00000 n 
-0001199570 00000 n 
-0000836522 00000 n 
-0000836266 00000 n 
-0000832915 00000 n 
-0000836392 00000 n 
-0000836457 00000 n 
-0000839813 00000 n 
-0000839622 00000 n 
-0000836664 00000 n 
-0000839748 00000 n 
-0000843332 00000 n 
-0000843141 00000 n 
-0000839941 00000 n 
-0000843267 00000 n 
-0000846613 00000 n 
-0000846098 00000 n 
-0000843474 00000 n 
-0000846224 00000 n 
-0000846289 00000 n 
-0000846354 00000 n 
-0000846419 00000 n 
-0000846484 00000 n 
-0000846549 00000 n 
-0000850812 00000 n 
-0000850297 00000 n 
-0000846769 00000 n 
-0000850423 00000 n 
-0000850552 00000 n 
-0000850617 00000 n 
-0000850682 00000 n 
-0000850747 00000 n 
-0000854444 00000 n 
-0000853735 00000 n 
-0000850940 00000 n 
-0000853861 00000 n 
-0000853926 00000 n 
-0000853991 00000 n 
-0000854056 00000 n 
-0000854185 00000 n 
-0000854250 00000 n 
-0000854315 00000 n 
-0000854380 00000 n 
-0001199695 00000 n 
-0000857649 00000 n 
-0000856941 00000 n 
-0000854586 00000 n 
-0000857067 00000 n 
-0000857132 00000 n 
-0000857195 00000 n 
-0000857260 00000 n 
-0000857389 00000 n 
-0000857454 00000 n 
-0000857519 00000 n 
-0000857584 00000 n 
-0000860939 00000 n 
-0000860554 00000 n 
-0000857791 00000 n 
-0000860680 00000 n 
-0000860745 00000 n 
-0000860810 00000 n 
-0000860875 00000 n 
-0000864116 00000 n 
-0000863537 00000 n 
-0000861067 00000 n 
-0000863663 00000 n 
-0000863792 00000 n 
-0000863857 00000 n 
-0000863922 00000 n 
-0000863987 00000 n 
-0000864051 00000 n 
-0000866712 00000 n 
-0000865937 00000 n 
-0000864272 00000 n 
-0000866063 00000 n 
-0000866128 00000 n 
-0000866193 00000 n 
-0000866258 00000 n 
-0000866323 00000 n 
-0000866388 00000 n 
-0000866517 00000 n 
-0000866582 00000 n 
-0000866647 00000 n 
-0000870208 00000 n 
-0000869887 00000 n 
-0000866882 00000 n 
-0000870013 00000 n 
-0000870078 00000 n 
-0000870143 00000 n 
-0000873763 00000 n 
-0000873444 00000 n 
-0000870336 00000 n 
-0000873570 00000 n 
-0000873635 00000 n 
-0000873700 00000 n 
-0001199820 00000 n 
-0000876979 00000 n 
-0000876269 00000 n 
-0000873891 00000 n 
-0000876395 00000 n 
-0000876460 00000 n 
-0000876525 00000 n 
-0000876719 00000 n 
-0000876784 00000 n 
-0000876849 00000 n 
-0000876914 00000 n 
-0000880742 00000 n 
-0000880551 00000 n 
-0000877148 00000 n 
-0000880677 00000 n 
-0000884452 00000 n 
-0000884196 00000 n 
-0000880870 00000 n 
-0000884322 00000 n 
-0000884387 00000 n 
-0000887967 00000 n 
-0000887646 00000 n 
-0000884580 00000 n 
-0000887772 00000 n 
-0000887837 00000 n 
-0000887902 00000 n 
-0000890628 00000 n 
-0000889918 00000 n 
-0000888122 00000 n 
-0000890044 00000 n 
-0000890109 00000 n 
-0000890174 00000 n 
-0000890303 00000 n 
-0000890368 00000 n 
-0000890433 00000 n 
-0000890498 00000 n 
-0000890563 00000 n 
-0000894009 00000 n 
-0000893299 00000 n 
-0000890798 00000 n 
-0000893425 00000 n 
-0000893490 00000 n 
-0000893555 00000 n 
-0000893749 00000 n 
-0000893814 00000 n 
-0000893879 00000 n 
-0000893944 00000 n 
-0001199945 00000 n 
-0000897390 00000 n 
-0000897069 00000 n 
-0000894165 00000 n 
-0000897195 00000 n 
-0000897260 00000 n 
-0000897325 00000 n 
-0000900533 00000 n 
-0000899824 00000 n 
-0000897504 00000 n 
-0000899950 00000 n 
-0000900015 00000 n 
-0000900080 00000 n 
-0000900209 00000 n 
-0000900273 00000 n 
-0000900338 00000 n 
-0000900403 00000 n 
-0000900468 00000 n 
-0000904546 00000 n 
-0000904355 00000 n 
-0000900689 00000 n 
-0000904481 00000 n 
-0000908433 00000 n 
-0000908242 00000 n 
-0000904674 00000 n 
-0000908368 00000 n 
-0000911974 00000 n 
-0000911783 00000 n 
-0000908561 00000 n 
-0000911909 00000 n 
-0000914929 00000 n 
-0000914544 00000 n 
-0000912102 00000 n 
-0000914670 00000 n 
-0000914735 00000 n 
-0000914800 00000 n 
-0000914865 00000 n 
-0001200070 00000 n 
-0000918175 00000 n 
-0000917531 00000 n 
-0000915099 00000 n 
-0000917657 00000 n 
-0000917786 00000 n 
-0000917851 00000 n 
-0000917916 00000 n 
-0000917981 00000 n 
-0000918046 00000 n 
-0000918111 00000 n 
-0000921075 00000 n 
-0000920368 00000 n 
-0000918331 00000 n 
-0000920494 00000 n 
-0000920559 00000 n 
-0000920688 00000 n 
-0000920753 00000 n 
-0000920818 00000 n 
-0000920882 00000 n 
-0000920947 00000 n 
-0000921012 00000 n 
-0000923928 00000 n 
-0000923218 00000 n 
-0000921217 00000 n 
-0000923344 00000 n 
-0000923409 00000 n 
-0000923474 00000 n 
-0000923603 00000 n 
-0000923668 00000 n 
-0000923733 00000 n 
-0000923798 00000 n 
-0000923863 00000 n 
-0000927644 00000 n 
-0000927453 00000 n 
-0000924070 00000 n 
-0000927579 00000 n 
-0000930768 00000 n 
-0000930124 00000 n 
-0000927772 00000 n 
-0000930250 00000 n 
-0000930315 00000 n 
-0000930380 00000 n 
-0000930444 00000 n 
-0000930573 00000 n 
-0000930638 00000 n 
-0000930703 00000 n 
-0000934289 00000 n 
-0000933968 00000 n 
-0000930924 00000 n 
-0000934094 00000 n 
-0000934159 00000 n 
-0000934224 00000 n 
-0001200195 00000 n 
-0000937509 00000 n 
-0000937318 00000 n 
-0000934474 00000 n 
-0000937444 00000 n 
-0000940334 00000 n 
-0000939627 00000 n 
-0000937722 00000 n 
-0000939753 00000 n 
-0000939818 00000 n 
-0000939882 00000 n 
-0000939947 00000 n 
-0000940012 00000 n 
-0000940077 00000 n 
-0000940205 00000 n 
-0000940270 00000 n 
-0000943549 00000 n 
-0000942775 00000 n 
-0000940519 00000 n 
-0000942901 00000 n 
-0000942966 00000 n 
-0000943031 00000 n 
-0000943096 00000 n 
-0000943161 00000 n 
-0000943289 00000 n 
-0000943354 00000 n 
-0000943419 00000 n 
-0000943484 00000 n 
-0000948023 00000 n 
-0000947832 00000 n 
-0000943691 00000 n 
-0000947958 00000 n 
-0000951673 00000 n 
-0000951417 00000 n 
-0000948151 00000 n 
-0000951543 00000 n 
-0000951608 00000 n 
-0000954688 00000 n 
-0000954432 00000 n 
-0000951801 00000 n 
-0000954558 00000 n 
-0000954623 00000 n 
-0001200320 00000 n 
-0000957931 00000 n 
-0000957223 00000 n 
-0000954816 00000 n 
-0000957349 00000 n 
-0000957414 00000 n 
-0000957479 00000 n 
-0000957544 00000 n 
-0000957671 00000 n 
-0000957736 00000 n 
-0000957801 00000 n 
-0000957866 00000 n 
-0000961463 00000 n 
-0000960820 00000 n 
-0000958100 00000 n 
-0000960946 00000 n 
-0000961011 00000 n 
-0000961076 00000 n 
-0000961141 00000 n 
-0000961206 00000 n 
-0000961334 00000 n 
-0000961399 00000 n 
-0000965032 00000 n 
-0000964646 00000 n 
-0000961633 00000 n 
-0000964772 00000 n 
-0000964837 00000 n 
-0000964902 00000 n 
-0000964967 00000 n 
-0000967393 00000 n 
-0000967008 00000 n 
-0000965160 00000 n 
-0000967134 00000 n 
-0000967199 00000 n 
-0000967264 00000 n 
-0000967329 00000 n 
-0000971078 00000 n 
-0000970498 00000 n 
-0000967549 00000 n 
-0000970624 00000 n 
-0000970753 00000 n 
-0000970818 00000 n 
-0000970883 00000 n 
-0000970948 00000 n 
-0000971013 00000 n 
-0000974225 00000 n 
-0000973517 00000 n 
-0000971220 00000 n 
-0000973643 00000 n 
-0000973708 00000 n 
-0000973773 00000 n 
-0000973837 00000 n 
-0000973965 00000 n 
-0000974030 00000 n 
-0000974095 00000 n 
-0000974160 00000 n 
-0001200445 00000 n 
-0000977657 00000 n 
-0000977078 00000 n 
-0000974395 00000 n 
-0000977204 00000 n 
-0000977269 00000 n 
-0000977334 00000 n 
-0000977399 00000 n 
-0000977528 00000 n 
-0000977593 00000 n 
-0000980073 00000 n 
-0000979169 00000 n 
-0000977813 00000 n 
-0000979295 00000 n 
-0000979360 00000 n 
-0000979425 00000 n 
-0000979490 00000 n 
-0000979555 00000 n 
-0000979684 00000 n 
-0000979749 00000 n 
-0000979814 00000 n 
-0000979879 00000 n 
-0000979944 00000 n 
-0000980009 00000 n 
-0000983045 00000 n 
-0000982079 00000 n 
-0000980229 00000 n 
-0000982205 00000 n 
-0000982270 00000 n 
-0000982399 00000 n 
-0000982463 00000 n 
-0000982528 00000 n 
-0000982593 00000 n 
-0000982658 00000 n 
-0000982723 00000 n 
-0000982787 00000 n 
-0000982916 00000 n 
-0000982981 00000 n 
-0000984905 00000 n 
-0000984391 00000 n 
-0000983187 00000 n 
-0000984517 00000 n 
-0000984582 00000 n 
-0000984647 00000 n 
-0000984712 00000 n 
-0000984777 00000 n 
-0000984841 00000 n 
-0000985146 00000 n 
-0000996490 00000 n 
-0001004079 00000 n 
-0001007713 00000 n 
-0001017153 00000 n 
-0001027888 00000 n 
-0001030590 00000 n 
-0001030559 00000 n 
-0001043439 00000 n 
-0001057508 00000 n 
-0001077014 00000 n 
-0001098080 00000 n 
-0001120230 00000 n 
-0001138486 00000 n 
-0001141333 00000 n 
-0001141103 00000 n 
-0001168751 00000 n 
-0001196080 00000 n 
-0001200561 00000 n 
-0001200686 00000 n 
-0001200812 00000 n 
-0001200938 00000 n 
-0001201064 00000 n 
-0001201190 00000 n 
-0001201280 00000 n 
-0001201390 00000 n 
-0001223571 00000 n 
-0001248515 00000 n 
-0001248556 00000 n 
-0001248596 00000 n 
-0001248730 00000 n 
-trailer
-<<
-/Size 2838
-/Root 2836 0 R
-/Info 2837 0 R
-/ID [<E1541D0B72B34C8C74B211C7F67883CD> <E1541D0B72B34C8C74B211C7F67883CD>]
->>
-startxref
-1248988
-%%EOF
diff --git a/contrib/bind9/doc/arm/Makefile.in b/contrib/bind9/doc/arm/Makefile.in
deleted file mode 100644
index 3ecf4af..0000000
--- a/contrib/bind9/doc/arm/Makefile.in
+++ /dev/null
@@ -1,71 +0,0 @@
-# Copyright (C) 2004-2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001, 2002  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.22 2009/02/12 23:47:56 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_MAKE_RULES@
-
-@BIND9_VERSION@
-
-MANOBJS = Bv9ARM.html
-
-PDFOBJS = Bv9ARM.pdf
-
-doc man:: ${MANOBJS} ${PDFOBJS}
-
-clean::
-	rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx Bv9ARM.toc
-	rm -f Bv9ARM.log Bv9ARM.out Bv9ARM.tex Bv9ARM.tex.tmp
-
-docclean manclean maintainer-clean:: clean
-	rm -f *.html ${PDFOBJS}
-
-docclean manclean maintainer-clean distclean::
-	rm -f releaseinfo.xml
-
-Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml
-	expand Bv9ARM-book.xml | \
-	${XSLTPROC} --stringparam root.filename Bv9ARM \
-		${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl -
-
-Bv9ARM-all.html: Bv9ARM-book.xml releaseinfo.xml
-	expand Bv9ARM-book.xml | \
-	${XSLTPROC} -o Bv9ARM-all.html ../xsl/isc-docbook-html.xsl -
-
-Bv9ARM.tex: Bv9ARM-book.xml releaseinfo.xml
-	expand Bv9ARM-book.xml | \
-	${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
-	${XSLTPROC} ${top_srcdir}/doc/xsl/isc-docbook-latex.xsl - | \
-	@PERL@ latex-fixup.pl >$@.tmp 
-	if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi
-
-Bv9ARM.dvi: Bv9ARM.tex releaseinfo.xml
-	rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log
-	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
-	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
-	${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
-
-Bv9ARM.pdf: Bv9ARM.tex releaseinfo.xml
-	rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log
-	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
-	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
-	${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1)
-
-releaseinfo.xml:
-	echo >$@ '<releaseinfo>BIND Version ${VERSION}</releaseinfo>'
diff --git a/contrib/bind9/doc/arm/README-SGML b/contrib/bind9/doc/arm/README-SGML
deleted file mode 100644
index e33c937..0000000
--- a/contrib/bind9/doc/arm/README-SGML
+++ /dev/null
@@ -1,329 +0,0 @@
-Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-The BIND v9 ARM master document is now kept in DocBook XML format.
-
-Version: $Id: README-SGML,v 1.17 2004/03/05 05:04:43 marka Exp $
-
-The entire ARM is in the single file:
-
-    Bv9ARM-book.xml
-
-All of the other documents - HTML, PDF, etc - are generated from this
-master source.
-
-This file attempts to describe what tools are necessary for the
-maintenance of this document as well as the generation of the
-alternate formats of this document.
-
-This file will also spend a very little time describing the XML and
-SGML headers so you can understand a bit what you may need to do to be
-able to work with this document in any fashion other than simply
-editing it. 
-
-We will spend almost no time on the actual tags and how to write an
-XML DocBook compliant document. If you are at all familiar with SGML
-or HTML it will be very evident. You only need to know what the tags
-are and how to use them. You can find a good resource either for this
-either online or in printed form:
-
-    DocBook: The Definitive Guide
-    By Norman Walsh and Leonard Muellner
-    ISBN: 156592-580-7
-    1st Edition, October 1999
-    Copyright (C) 1999 by O'Reilly & Associates, Inc. All rights reserved.
-
-The book is available online in HTML format:
-
-    http://docbook.org/
-
-and buried in:
-
-    http://www.nwalsh.com/docbook/defguide/index.html
-
-A lot of useful stuff is at NWalsh's site in general. You may also
-want to look at:
-
-    http://www.xml.com/
-
-The BIND v9 ARM is based on the XML 4.0 DocBook DTD. Every XML and
-SGML document begins with a prefix that tells where to find the file
-that describes the meaning and structure of the tags used in the rest
-of the document.
-
-For our XML DocBook 4.0 based document this prefix looks like this:
-
-    <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
-		   "/usr/local/share/xml/dtd/docbook/docbookx.dtd">
-
-This "DOCTYPE" statement has three parts, of which we are only using
-two:
-
-o The highest level term that represents this document (in this case
-  it is "book"
-
-o The identifier that tells us which DTD to use. This identifier has
-  two parts, the "Formal Public Identifier" (or FPI) and the system
-  identifier. In SGML you can have either a FPI or a SYSTEM identifier
-  but you have to have at least one of them. In XML you have to have a
-  SYSTEM identifier.
-
-FP & SYSTEM identifiers - These are names/lookups for the actual
-DTD. The FPI is a globally unique name that should, on a properly
-configured system, tell you exactly what DTD to use. The SYSTEM
-identifier gives an absolute location for the DTD. In XML these are
-supposed to be properly formatted URL's.
-
-SGML has these things called "catalogs" that are files that map FPI's
-in to actual files. A "catalog" can also be used to remap a SYSTEM
-identifier so you can say something like: "http://www.oasis.org/foo"
-is actually "/usr/local/share/xml/foo.dtd"
-
-When you use various SGML/XML tools they need to be configured to look
-at the same "catalog" files so that as you move from tool to tool they
-all refer to the same DTD for the same document.
-
-We will be spending most of our configuration time making sure our
-tools use the same "catalog" files and that we have the same DTD's
-installed on our machines. XML's requirement of the SYSTEM identifier
-over the FPI will probably lead to more problems as it does not
-guarantee that everyone is using the same DTD.
-
-I did my initial work with the "sgmltools" the XML 4.0 DocBook DTD and
-"jade" or "openjade."
-
-You can get the 4.0 XML DocBook DTD from:
-
-    http://www.docbook.org/xml/4.0/
-
-(download the .zip file.) NOTE: We will eventually be changing the
-SYSTEM identifier to the recommended value of:
-
-    http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd
-
-NOTE: Under FreeBSD this is the package: 
-
-    /usr/ports/textproc/docbook-xml
-
-NetBSD instructions are coming soon.
-
-With packages listed below installed under FreeBSD the "catalog" file
-that all the tools refer to at least one is in:
-
-    /usr/local/share/sgml/catalog
-
-In order for our SYSTEM identifier for the XML DocBook dtd to be found
-I create a new catalog file at the top of the XML directory created on
-FreeBSD:
-
-   /usr/local/share/xml/catalog
-
-This file has one line:
-
-   SYSTEM "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" "/usr/local/share/xml/dtd/docbook/docbookx.dtd"
-
-Then in the main "catalog" I have it include this XML catalog:
-
-   CATALOG "/usr/local/share/xml/catalog"
-
-
-On your systems you need to replace "/usr/local/share" with your
-prefix root (probably /usr/pkg under NetBSD.)
-
-NOTE: The URL used above is supposed to the be the proper one for this
-XML DocBook DTD... but there is nothing at that URL so you really do
-need the "SYSTEM" identifier mapping in your catalog (or make the
-SYSTEM identifier in your document refer to the real location of the
-file on your local system.)
-
-HOW TO VALIDATE A DOCUMENT:
-
-I use the sgmltools "nsgmls" document validator. Since we are using
-XML we need to use the XML declarations, which are installed as part
-of the modular DSSL style sheets:
-
-    nsgmls -sv /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
-	   Bv9ARM-book.xml
-
-A convenient shell script "validate.sh" is now generated by configure
-to invoke the above command with the correct system-dependent paths.
-
-The SGML tools can be found at:
-
-    ftp://ftp.us.sgmltools.org/pub/SGMLtools/v2.0/source/ \
-    ftp://ftp.nllgg.nl/pub/SGMLtools/v2.0/source/
-
-FreeBSD package for these is: 
-
-    /usr/ports/textproc/sgmltools
-
-HOW TO RENDER A DOCUMENT AS HTML or TeX:
-
-o Generate html doc with:
-
-    openjade -v -d ./nominum-docbook-html.dsl \
-	 -t sgml \
-	 /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
-	 Bv9ARM-book.xml
-
-A convenient shell script "genhtml.sh" is now generated by configure to
-invoke the above command with the correct system-dependent paths.
-
-On NetBSD there is no port for "openjade" however "jade" does still
-work. However you need to specify the "catalog" file to use for style
-sheets on the command line AND you need to have a default "catalog"
-mapping where to find various DTDs. It seems that "jade" installed out
-of the box on NetBSD does not use a globally defined "catalog" file
-for mapping PUBLIC identifiers in to SYSTEM identifiers.
-
-So you need to have a "catalog" file in your current working directory
-that has in it this: (these are probably more entries than you need!)
-
-     CATALOG "/usr/pkg/share/sgml/iso8879/catalog"
-     CATALOG "/usr/pkg/share/sgml/docbook/2.4.1/catalog"
-     CATALOG "/usr/pkg/share/sgml/docbook/3.0/catalog"
-     CATALOG "/usr/pkg/share/sgml/docbook/3.1/catalog"
-     CATALOG "/usr/pkg/share/sgml/jade/catalog"
-     CATALOG "/usr/local/share/xml/catalog"
-
-(These would all be "/usr/local" on FreeBSD)
-
-So the command for jade on NetBSD will look like this:
-
-jade -v -c /usr/pkg/share/sgml/catalog -t sgml \
-     -d ./nominum-docbook-html.dsl \
-     /usr/pkg/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
-     ./Bv9ARM-book.xml
-
-Furthermore, since the style sheet subset we define has in it a hard
-coded path to the style sheet is based, it is actually generated by
-configure from a .in file so that it will contain the correct
-system-dependent path: where on FreeBSD the second line reads:
-
-    <!ENTITY dbstyle SYSTEM "/usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL>
-  
-On NetBSD it needs to read:
-
-    <!ENTITY dbstyle SYSTEM "/usr/pkg/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL>
-
-NOTE: This is usually solved by having this style sheet modification
-be installed in a system directory and have it reference the style
-sheet it is based on via a relative path.
-
-o Generate TeX documentation:
-
-openjade -d ./nominum-docbook-print.dsl -t tex -v \
-     /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
-     Bv9ARM-book.xml
-
-If you have "jade" installed instead of "openjade" then use that as
-the command. There is little difference, openjade has some bug fixes
-and is in more active development.
-
-To convert the resulting TeX file in to a DVI file you need to do:
-
-    tex "&jadetex" Bv9ARM-book.tex
-
-You can also directly generate the pdf file via:
-
-    pdftex "&pdfjadetex" Bv9ARM-book.tex
-
-The scripts "genpdf.sh" and "gendvi." have been added to simply
-generating the  PDF and DVI output. These substitute the correct paths
-of NetBSD & FreeBSD. You still need to have TeX, jadeTeX, and pdfTeX
-installed and configured properly for these to work.
-
-You will need to up both the "pool_size" and "hash_extra" variables in
-your texmf.cnf file and regenerate them. See below.
-
-You can see that I am using a DSSSL style sheet for DocBook. Actually
-two different ones - one for rendering html, and one for 'print'
-media.
-
-NOTE: For HTML we are using a Nominum DSSSL style instead of the
-default one (all it does is change the chunking to the chapter level
-and makes the files end with ".html" instead of ".htm" so far.) If you
-want to use the plain jane DSSSL style sheet replace the:
-
-    -d ./nominum-docbook-html.dsl
-
-with
-
-    -d /usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl
-
-This style sheet will attempt to reference the one above.
-
-I am currently working on fixing these up so that it works the same on
-our various systems. The main trick is knowing which DTD's and DSSSL
-stylesheets you have installed, installing the right ones, and
-configuring a CATALOG that refers to them in the same way. We will
-probably end up putting our CATALOG's in the same place and then we
-should be able to generate and validate our documents with a minimal
-number of command line arguments.
-
-When running these commands you will get a lot of messages about a
-bunch of general entities not being defined and having no default
-entity. You can ignore those for now.
-
-Also with the style sheets we have and jade as it is you will get
-messages about "xref to title" being unsupported. You can ignore these
-for now as well.
-
-=== Getting the various tools installed on FreeBSD
-(NetBSD coming soon..)
-
-o On freebsd you need to install the following packages:
-  o print/teTeX
-  o textproc/openjade
-  o textproc/docbook
-  o textproc/docbook-xml
-  o textproc/dsssl-docbook-modular
-  o textproc/dtd-catalogs
-
-o on freebsd you need to make some entities visible to the docbook xml
-  dtd by making a symlink (can probably be done with a catalog too)
-  ln -s /usr/local/share/xml/entity /usr/local/share/xml/dtd/docbook/ent
-
-o you may need to edit /usr/local/share/sgml/catalog and add the line:
-
-  CATALOG "/usr/local/share/sgml/openjade/catalog"
-
-o add "hugelatex," Enlarge pool sizes, install the jadetex TeX driver
-  file.
-
-  cd /usr/local/share/texmf/web2c/
-  sudo cp texmf.cnf texmf.cnf.bak
-
-  o edit the lines in texmf.cnf with these keys to these values:
-
-                  main_memory = 1100000
-                  hash_extra = 15000
-                  pool_size = 500000
-                  string_vacancies = 45000
-                  max_strings = 55000
-                  pool_free = 47500
-                  nest_size = 500
-                  param_size = 1500
-                  save_size = 5000
-                  stack_size = 1500
-
-  sudo tex -ini -progname=hugelatex -fmt=hugelatex latex.ltx
-  sudo texconfig init
-  sudo texhash
-
-  o For the jadetex macros you will need I recommend you get a more
-    current version than what is packaged with openjade or jade.
-
-    Checkout http://www.tug.org/applications/jadetex/
-    
-    Unzip the file you get from there (should be jadetex-2.20 or
-    newer.) 
-
-    In the directory you unzip: 
-
-      sudo make install
-      sudo texhash
-
-    NOTE: In the most uptodate "ports" for FreeBSD, jadetext is 2.20+
-    so on this platform you should be set as of 2001.01.08.
diff --git a/contrib/bind9/doc/arm/dnssec.xml b/contrib/bind9/doc/arm/dnssec.xml
deleted file mode 100644
index 7fa9aa7..0000000
--- a/contrib/bind9/doc/arm/dnssec.xml
+++ /dev/null
@@ -1,289 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- - Copyright (C) 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec.xml,v 1.7 2011/10/13 23:47:10 tbox Exp $ -->
-
-<sect1 id="dnssec.dynamic.zones">
-  <title>DNSSEC, Dynamic Zones, and Automatic Signing</title>
-  <para>As of BIND 9.7.0 it is possible to change a dynamic zone
-  from insecure to signed and back again. A secure zone can use
-  either NSEC or NSEC3 chains.</para>
-  <sect2>
-    <title>Converting from insecure to secure</title>
-  </sect2>
-  <para>Changing a zone from insecure to secure can be done in two
-  ways: using a dynamic DNS update, or the 
-  <command>auto-dnssec</command> zone option.</para>
-  <para>For either method, you need to configure 
-  <command>named</command> so that it can see the 
-  <filename>K*</filename> files which contain the public and private
-  parts of the keys that will be used to sign the zone. These files
-  will have been generated by 
-  <command>dnssec-keygen</command>. You can do this by placing them
-  in the key-directory, as specified in 
-  <filename>named.conf</filename>:</para>
-  <programlisting>
-        zone example.net {
-                type master;
-                update-policy local;
-                file "dynamic/example.net/example.net";
-                key-directory "dynamic/example.net";
-        };
-</programlisting>
-  <para>If one KSK and one ZSK DNSKEY key have been generated, this
-  configuration will cause all records in the zone to be signed
-  with the ZSK, and the DNSKEY RRset to be signed with the KSK as
-  well. An NSEC chain will be generated as part of the initial
-  signing process.</para>
-  <sect2>
-    <title>Dynamic DNS update method</title>
-  </sect2>
-  <para>To insert the keys via dynamic update:</para>
-  <screen>
-        % nsupdate
-        &gt; ttl 3600
-        &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
-        &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
-        &gt; send
-</screen>
-  <para>While the update request will complete almost immediately,
-  the zone will not be completely signed until 
-  <command>named</command> has had time to walk the zone and
-  generate the NSEC and RRSIG records. The NSEC record at the apex
-  will be added last, to signal that there is a complete NSEC
-  chain.</para>
-  <para>If you wish to sign using NSEC3 instead of NSEC, you should
-  add an NSEC3PARAM record to the initial update request. If you
-  wish the NSEC3 chain to have the OPTOUT bit set, set it in the
-  flags field of the NSEC3PARAM record.</para>
-  <screen>
-        % nsupdate
-        &gt; ttl 3600
-        &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
-        &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
-        &gt; update add example.net NSEC3PARAM 1 1 100 1234567890
-        &gt; send
-</screen>
-  <para>Again, this update request will complete almost
-  immediately; however, the record won't show up until 
-  <command>named</command> has had a chance to build/remove the
-  relevant chain. A private type record will be created to record
-  the state of the operation (see below for more details), and will
-  be removed once the operation completes.</para>
-  <para>While the initial signing and NSEC/NSEC3 chain generation
-  is happening, other updates are possible as well.</para>
-  <sect2>
-    <title>Fully automatic zone signing</title>
-  </sect2>
-  <para>To enable automatic signing, add the 
-  <command>auto-dnssec</command> option to the zone statement in 
-  <filename>named.conf</filename>. 
-  <command>auto-dnssec</command> has two possible arguments: 
-  <constant>allow</constant> or 
-  <constant>maintain</constant>.</para>
-  <para>With 
-  <command>auto-dnssec allow</command>, 
-  <command>named</command> can search the key directory for keys
-  matching the zone, insert them into the zone, and use them to
-  sign the zone. It will do so only when it receives an 
-  <command>rndc sign &lt;zonename&gt;</command>.</para>
-  <para>
-  <!-- TODO: this is repeated in the ARM -->
-  <command>auto-dnssec maintain</command> includes the above
-  functionality, but will also automatically adjust the zone's
-  DNSKEY records on schedule according to the keys' timing metadata.
-  (See <xref linkend="man.dnssec-keygen"/> and
-  <xref linkend="man.dnssec-settime"/> for more information.) 
-  </para>
-  <para>
-  <command>named</command> will periodically search the key directory
-  for keys matching the zone, and if the keys' metadata indicates
-  that any change should be made the zone, such as adding, removing,
-  or revoking a key, then that action will be carried out.  By default,
-  the key directory is checked for changes every 60 minutes; this period
-  can be adjusted with the <option>dnssec-loadkeys-interval</option>, up
-  to a maximum of 24 hours.  The <command>rndc loadkeys</command> forces
-  <command>named</command> to check for key updates immediately.
-  </para>
-  <para>
-  If keys are present in the key directory the first time the zone
-  is loaded, the zone will be signed immediately, without waiting for an 
-  <command>rndc sign</command> or <command>rndc loadkeys</command>
-  command. (Those commands can still be used when there are unscheduled
-  key changes, however.)
-  </para>
-  <para>
-  If you wish the zone to be signed using NSEC3 instead of NSEC,
-  submit an NSEC3PARAM record via dynamic update prior to the
-  scheduled publication and activation of the keys.  If you wish the
-  NSEC3 chain to have the OPTOUT bit set, set it in the flags field
-  of the NSEC3PARAM record.  The NSEC3PARAM record will not appear in
-  the zone immediately, but it will be stored for later reference.  When
-  the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
-  record will appear in the zone.
-  </para>
-  <para>Using the 
-  <command>auto-dnssec</command> option requires the zone to be
-  configured to allow dynamic updates, by adding an 
-  <command>allow-update</command> or 
-  <command>update-policy</command> statement to the zone
-  configuration. If this has not been done, the configuration will
-  fail.</para>
-  <sect2>
-    <title>Private-type records</title>
-  </sect2>
-  <para>The state of the signing process is signaled by
-  private-type records (with a default type value of 65534). When
-  signing is complete, these records will have a nonzero value for
-  the final octet (for those records which have a nonzero initial
-  octet).</para>
-  <para>The private type record format: If the first octet is
-  non-zero then the record indicates that the zone needs to be
-  signed with the key matching the record, or that all signatures
-  that match the record should be removed.</para>
-  <para>
-    <literallayout>
-<!-- TODO: how to format this? -->
-  algorithm (octet 1)
-  key id in network order (octet 2 and 3)
-  removal flag (octet 4)
-  complete flag (octet 5)
-</literallayout>
-  </para>
-  <para>Only records flagged as "complete" can be removed via
-  dynamic update. Attempts to remove other private type records
-  will be silently ignored.</para>
-  <para>If the first octet is zero (this is a reserved algorithm
-  number that should never appear in a DNSKEY record) then the
-  record indicates changes to the NSEC3 chains are in progress. The
-  rest of the record contains an NSEC3PARAM record. The flag field
-  tells what operation to perform based on the flag bits.</para>
-  <para>
-    <literallayout>
-<!-- TODO: how to format this? -->
-  0x01 OPTOUT
-  0x80 CREATE
-  0x40 REMOVE
-  0x20 NONSEC
-</literallayout>
-  </para>
-  <sect2>
-    <title>DNSKEY rollovers</title>
-  </sect2>
-  <para>As with insecure-to-secure conversions, rolling DNSSEC
-  keys can be done in two ways: using a dynamic DNS update, or the 
-  <command>auto-dnssec</command> zone option.</para>
-  <sect2>
-    <title>Dynamic DNS update method</title>
-  </sect2>
-  <para> To perform key rollovers via dynamic update, you need to add
-  the <filename>K*</filename> files for the new keys so that 
-  <command>named</command> can find them. You can then add the new
-  DNSKEY RRs via dynamic update. 
-  <command>named</command> will then cause the zone to be signed
-  with the new keys. When the signing is complete the private type
-  records will be updated so that the last octet is non
-  zero.</para>
-  <para>If this is for a KSK you need to inform the parent and any
-  trust anchor repositories of the new KSK.</para>
-  <para>You should then wait for the maximum TTL in the zone before
-  removing the old DNSKEY. If it is a KSK that is being updated,
-  you also need to wait for the DS RRset in the parent to be
-  updated and its TTL to expire. This ensures that all clients will
-  be able to verify at least one signature when you remove the old
-  DNSKEY.</para>
-  <para>The old DNSKEY can be removed via UPDATE. Take care to
-  specify the correct key. 
-  <command>named</command> will clean out any signatures generated
-  by the old key after the update completes.</para>
-  <sect2>
-    <title>Automatic key rollovers</title>
-  </sect2>
-  <para>When a new key reaches its activation date (as set by
-  <command>dnssec-keygen</command> or <command>dnssec-settime</command>),
-  if the <command>auto-dnssec</command> zone option is set to 
-  <constant>maintain</constant>, <command>named</command> will
-  automatically carry out the key rollover.  If the key's algorithm
-  has not previously been used to sign the zone, then the zone will
-  be fully signed as quickly as possible.  However, if the new key
-  is replacing an existing key of the same algorithm, then the
-  zone will be re-signed incrementally, with signatures from the
-  old key being replaced with signatures from the new key as their
-  signature validity periods expire.  By default, this rollover
-  completes in 30 days, after which it will be safe to remove the
-  old key from the DNSKEY RRset.</para>
-  <sect2>
-    <title>NSEC3PARAM rollovers via UPDATE</title>
-  </sect2>
-  <para>Add the new NSEC3PARAM record via dynamic update. When the
-  new NSEC3 chain has been generated, the NSEC3PARAM flag field
-  will be zero. At this point you can remove the old NSEC3PARAM
-  record. The old chain will be removed after the update request
-  completes.</para>
-  <sect2>
-    <title>Converting from NSEC to NSEC3</title>
-  </sect2>
-  <para>To do this, you just need to add an NSEC3PARAM record. When
-  the conversion is complete, the NSEC chain will have been removed
-  and the NSEC3PARAM record will have a zero flag field. The NSEC3
-  chain will be generated before the NSEC chain is
-  destroyed.</para>
-  <sect2>
-    <title>Converting from NSEC3 to NSEC</title>
-  </sect2>
-  <para>To do this, use <command>nsupdate</command> to
-  remove all NSEC3PARAM records with a zero flag
-  field. The NSEC chain will be generated before the NSEC3 chain is
-  removed.</para>
-  <sect2>
-    <title>Converting from secure to insecure</title>
-  </sect2>
-  <para>To convert a signed zone to unsigned using dynamic DNS,
-  delete all the DNSKEY records from the zone apex using
-  <command>nsupdate</command>. All signatures, NSEC or NSEC3 chains,
-  and associated NSEC3PARAM records will be removed automatically.
-  This will take place after the update request completes.</para>
-  <para> This requires the 
-  <command>dnssec-secure-to-insecure</command> option to be set to 
-  <userinput>yes</userinput> in 
-  <filename>named.conf</filename>.</para>
-  <para>In addition, if the <command>auto-dnssec maintain</command>
-  zone statement is used, it should be removed or changed to
-  <command>allow</command> instead (or it will re-sign).
-  </para>
-  <sect2>
-    <title>Periodic re-signing</title>
-  </sect2>
-  <para>In any secure zone which supports dynamic updates, named
-  will periodically re-sign RRsets which have not been re-signed as
-  a result of some update action. The signature lifetimes will be
-  adjusted so as to spread the re-sign load over time rather than
-  all at once.</para>
-  <sect2>
-    <title>NSEC3 and OPTOUT</title>
-  </sect2>
-  <para>
-  <command>named</command> only supports creating new NSEC3 chains
-  where all the NSEC3 records in the zone have the same OPTOUT
-  state. 
-  <command>named</command> supports UPDATES to zones where the NSEC3
-  records in the chain have mixed OPTOUT state. 
-  <command>named</command> does not support changing the OPTOUT
-  state of an individual NSEC3 record, the entire chain needs to be
-  changed if the OPTOUT state of an individual NSEC3 needs to be
-  changed.</para>
-</sect1>
diff --git a/contrib/bind9/doc/arm/isc-logo.eps b/contrib/bind9/doc/arm/isc-logo.eps
deleted file mode 100644
index f101cc8..0000000
--- a/contrib/bind9/doc/arm/isc-logo.eps
+++ /dev/null
@@ -1,5022 +0,0 @@
-%!PS-Adobe-3.1 EPSF-3.0
-%ADO_DSC_Encoding: MacOS Roman
-%%Title: ISC_logo_only_RGB.eps
-%%Creator: Adobe Illustrator(R) 13.0
-%%For: Brian Reid
-%%CreationDate: 3/25/10
-%%BoundingBox: 0 0 118 46
-%%HiResBoundingBox: 0 0 117.9991 45.0176
-%%CropBox: 0 0 117.9991 45.0176
-%%LanguageLevel: 2
-%%DocumentData: Clean7Bit
-%ADOBeginClientInjection: DocumentHeader "AI11EPS"
-%%AI8_CreatorVersion: 13.0.2
%AI9_PrintingDataBegin
%ADO_BuildNumber: Adobe Illustrator(R) 13.0.2 x434 R agm 4.4379 ct 5.1039
%ADO_ContainsXMP: MainFirst

-%ADOEndClientInjection: DocumentHeader "AI11EPS"
-%%Pages: 1
-%%DocumentNeededResources: 
-%%DocumentSuppliedResources: procset Adobe_AGM_Image 1.0 0
-%%+ procset Adobe_CoolType_Utility_T42 1.0 0
-%%+ procset Adobe_CoolType_Utility_MAKEOCF 1.23 0
-%%+ procset Adobe_CoolType_Core 2.31 0
-%%+ procset Adobe_AGM_Core 2.0 0
-%%+ procset Adobe_AGM_Utils 1.0 0
-%%DocumentFonts: 
-%%DocumentNeededFonts: 
-%%DocumentNeededFeatures: 
-%%DocumentSuppliedFeatures: 
-%%DocumentCustomColors: 
-%%CMYKCustomColor: 
-%%RGBCustomColor: 
-%%EndComments
-                        
-                                                                                                                                                                                                                                                         
-                                                                                                                                                                                                                                                         
-                                                                                                                                                                                                                                                         
-                                                                                                                                                                                                                                                         
-                                                                                                                                                                                                                                                         
-                                                                                                                                                                                                                                                         
-%%BeginDefaults
-%%ViewingOrientation: 1 0 0 1
-%%EndDefaults
-%%BeginProlog
-%%BeginResource: procset Adobe_AGM_Utils 1.0 0
-%%Version: 1.0 0
-%%Copyright: Copyright(C)2000-2006 Adobe Systems, Inc. All Rights Reserved.
-systemdict/setpacking known
-{currentpacking	true setpacking}if
-userdict/Adobe_AGM_Utils 73 dict dup begin put
-/bdf
-{bind def}bind def
-/nd{null def}bdf
-/xdf
-{exch def}bdf
-/ldf 
-{load def}bdf
-/ddf
-{put}bdf	
-/xddf
-{3 -1 roll put}bdf	
-/xpt
-{exch put}bdf
-/ndf
-{
-	exch dup where{
-		pop pop pop
-	}{
-		xdf
-	}ifelse
-}def
-/cdndf
-{
-	exch dup currentdict exch known{
-		pop pop
-	}{
-		exch def
-	}ifelse
-}def
-/gx
-{get exec}bdf
-/ps_level
-	/languagelevel where{
-		pop systemdict/languagelevel gx
-	}{
-		1
-	}ifelse
-def
-/level2 
-	ps_level 2 ge
-def
-/level3 
-	ps_level 3 ge
-def
-/ps_version
-	{version cvr}stopped{-1}if
-def
-/set_gvm
-{currentglobal exch setglobal}bdf
-/reset_gvm
-{setglobal}bdf
-/makereadonlyarray
-{
-	/packedarray where{pop packedarray
-	}{
-		array astore readonly}ifelse
-}bdf
-/map_reserved_ink_name
-{
-	dup type/stringtype eq{
-		dup/Red eq{
-			pop(_Red_)
-		}{
-			dup/Green eq{
-				pop(_Green_)
-			}{
-				dup/Blue eq{
-					pop(_Blue_)
-				}{
-					dup()cvn eq{
-						pop(Process)
-					}if
-				}ifelse
-			}ifelse
-		}ifelse
-	}if
-}bdf
-/AGMUTIL_GSTATE 22 dict def
-/get_gstate
-{
-	AGMUTIL_GSTATE begin
-	/AGMUTIL_GSTATE_clr_spc currentcolorspace def
-	/AGMUTIL_GSTATE_clr_indx 0 def
-	/AGMUTIL_GSTATE_clr_comps 12 array def
-	mark currentcolor counttomark
-		{AGMUTIL_GSTATE_clr_comps AGMUTIL_GSTATE_clr_indx 3 -1 roll put
-		/AGMUTIL_GSTATE_clr_indx AGMUTIL_GSTATE_clr_indx 1 add def}repeat pop
-	/AGMUTIL_GSTATE_fnt rootfont def
-	/AGMUTIL_GSTATE_lw currentlinewidth def
-	/AGMUTIL_GSTATE_lc currentlinecap def
-	/AGMUTIL_GSTATE_lj currentlinejoin def
-	/AGMUTIL_GSTATE_ml currentmiterlimit def
-	currentdash/AGMUTIL_GSTATE_do xdf/AGMUTIL_GSTATE_da xdf
-	/AGMUTIL_GSTATE_sa currentstrokeadjust def
-	/AGMUTIL_GSTATE_clr_rnd currentcolorrendering def
-	/AGMUTIL_GSTATE_op currentoverprint def
-	/AGMUTIL_GSTATE_bg currentblackgeneration cvlit def
-	/AGMUTIL_GSTATE_ucr currentundercolorremoval cvlit def
-	currentcolortransfer cvlit/AGMUTIL_GSTATE_gy_xfer xdf cvlit/AGMUTIL_GSTATE_b_xfer xdf
-		cvlit/AGMUTIL_GSTATE_g_xfer xdf cvlit/AGMUTIL_GSTATE_r_xfer xdf
-	/AGMUTIL_GSTATE_ht currenthalftone def
-	/AGMUTIL_GSTATE_flt currentflat def
-	end
-}def
-/set_gstate
-{
-	AGMUTIL_GSTATE begin
-	AGMUTIL_GSTATE_clr_spc setcolorspace
-	AGMUTIL_GSTATE_clr_indx{AGMUTIL_GSTATE_clr_comps AGMUTIL_GSTATE_clr_indx 1 sub get
-	/AGMUTIL_GSTATE_clr_indx AGMUTIL_GSTATE_clr_indx 1 sub def}repeat setcolor
-	AGMUTIL_GSTATE_fnt setfont
-	AGMUTIL_GSTATE_lw setlinewidth
-	AGMUTIL_GSTATE_lc setlinecap
-	AGMUTIL_GSTATE_lj setlinejoin
-	AGMUTIL_GSTATE_ml setmiterlimit
-	AGMUTIL_GSTATE_da AGMUTIL_GSTATE_do setdash
-	AGMUTIL_GSTATE_sa setstrokeadjust
-	AGMUTIL_GSTATE_clr_rnd setcolorrendering
-	AGMUTIL_GSTATE_op setoverprint
-	AGMUTIL_GSTATE_bg cvx setblackgeneration
-	AGMUTIL_GSTATE_ucr cvx setundercolorremoval
-	AGMUTIL_GSTATE_r_xfer cvx AGMUTIL_GSTATE_g_xfer cvx AGMUTIL_GSTATE_b_xfer cvx
-		AGMUTIL_GSTATE_gy_xfer cvx setcolortransfer
-	AGMUTIL_GSTATE_ht/HalftoneType get dup 9 eq exch 100 eq or
-		{
-		currenthalftone/HalftoneType get AGMUTIL_GSTATE_ht/HalftoneType get ne
-			{
-			 mark AGMUTIL_GSTATE_ht{sethalftone}stopped cleartomark
-			}if
-		}{
-		AGMUTIL_GSTATE_ht sethalftone
-		}ifelse
-	AGMUTIL_GSTATE_flt setflat
-	end
-}def
-/get_gstate_and_matrix
-{
-	AGMUTIL_GSTATE begin
-	/AGMUTIL_GSTATE_ctm matrix currentmatrix def
-	end
-	get_gstate
-}def
-/set_gstate_and_matrix
-{
-	set_gstate
-	AGMUTIL_GSTATE begin
-	AGMUTIL_GSTATE_ctm setmatrix
-	end
-}def
-/AGMUTIL_str256 256 string def
-/AGMUTIL_src256 256 string def
-/AGMUTIL_dst64 64 string def
-/AGMUTIL_srcLen nd
-/AGMUTIL_ndx nd
-/AGMUTIL_cpd nd
-/capture_cpd{
-	//Adobe_AGM_Utils/AGMUTIL_cpd currentpagedevice ddf
-}def
-/thold_halftone
-{
-	level3
-		{sethalftone currenthalftone}
-		{
-			dup/HalftoneType get 3 eq
-			{
-				sethalftone currenthalftone
-			}{
-				begin
-				Width Height mul{
-					Thresholds read{pop}if
-				}repeat
-				end
-				currenthalftone
-			}ifelse
-		}ifelse
-}def 
-/rdcmntline
-{
-	currentfile AGMUTIL_str256 readline pop
-	(%)anchorsearch{pop}if
-}bdf
-/filter_cmyk
-{	
-	dup type/filetype ne{
-		exch()/SubFileDecode filter
-	}{
-		exch pop
-	}
-	ifelse
-	[
-	exch
-	{
-		AGMUTIL_src256 readstring pop
-		dup length/AGMUTIL_srcLen exch def
-		/AGMUTIL_ndx 0 def
-		AGMCORE_plate_ndx 4 AGMUTIL_srcLen 1 sub{
-			1 index exch get
-			AGMUTIL_dst64 AGMUTIL_ndx 3 -1 roll put
-			/AGMUTIL_ndx AGMUTIL_ndx 1 add def
-		}for
-		pop
-		AGMUTIL_dst64 0 AGMUTIL_ndx getinterval
-	}
-	bind
-	/exec cvx
-	]cvx
-}bdf
-/filter_indexed_devn
-{
-	cvi Names length mul names_index add Lookup exch get
-}bdf
-/filter_devn
-{	
-	4 dict begin
-	/srcStr xdf
-	/dstStr xdf
-	dup type/filetype ne{
-		0()/SubFileDecode filter
-	}if
-	[
-	exch
-		[
-			/devicen_colorspace_dict/AGMCORE_gget cvx/begin cvx
-			currentdict/srcStr get/readstring cvx/pop cvx
-			/dup cvx/length cvx 0/gt cvx[
-				Adobe_AGM_Utils/AGMUTIL_ndx 0/ddf cvx
-				names_index Names length currentdict/srcStr get length 1 sub{
-					1/index cvx/exch cvx/get cvx
-					currentdict/dstStr get/AGMUTIL_ndx/load cvx 3 -1/roll cvx/put cvx
-					Adobe_AGM_Utils/AGMUTIL_ndx/AGMUTIL_ndx/load cvx 1/add cvx/ddf cvx
-				}for
-				currentdict/dstStr get 0/AGMUTIL_ndx/load cvx/getinterval cvx
-			]cvx/if cvx
-			/end cvx
-		]cvx
-		bind
-		/exec cvx
-	]cvx
-	end
-}bdf
-/AGMUTIL_imagefile nd
-/read_image_file
-{
-	AGMUTIL_imagefile 0 setfileposition
-	10 dict begin
-	/imageDict xdf
-	/imbufLen Width BitsPerComponent mul 7 add 8 idiv def
-	/imbufIdx 0 def
-	/origDataSource imageDict/DataSource get def
-	/origMultipleDataSources imageDict/MultipleDataSources get def
-	/origDecode imageDict/Decode get def
-	/dstDataStr imageDict/Width get colorSpaceElemCnt mul string def
-	imageDict/MultipleDataSources known{MultipleDataSources}{false}ifelse
-	{
-		/imbufCnt imageDict/DataSource get length def
-		/imbufs imbufCnt array def
-		0 1 imbufCnt 1 sub{
-			/imbufIdx xdf
-			imbufs imbufIdx imbufLen string put
-			imageDict/DataSource get imbufIdx[AGMUTIL_imagefile imbufs imbufIdx get/readstring cvx/pop cvx]cvx put
-		}for
-		DeviceN_PS2{
-			imageDict begin
-		 	/DataSource[DataSource/devn_sep_datasource cvx]cvx def
-			/MultipleDataSources false def
-			/Decode[0 1]def
-			end
-		}if
-	}{
-		/imbuf imbufLen string def
-		Indexed_DeviceN level3 not and DeviceN_NoneName or{
-			/srcDataStrs[imageDict begin
-				currentdict/MultipleDataSources known{MultipleDataSources{DataSource length}{1}ifelse}{1}ifelse
-				{
-					Width Decode length 2 div mul cvi string
-				}repeat
-				end]def		
-			imageDict begin
-		 	/DataSource[AGMUTIL_imagefile Decode BitsPerComponent false 1/filter_indexed_devn load dstDataStr srcDataStrs devn_alt_datasource/exec cvx]cvx def
-			/Decode[0 1]def
-			end
-		}{
-			imageDict/DataSource[1 string dup 0 AGMUTIL_imagefile Decode length 2 idiv string/readstring cvx/pop cvx names_index/get cvx/put cvx]cvx put
-			imageDict/Decode[0 1]put
-		}ifelse
-	}ifelse
-	imageDict exch
-	load exec
-	imageDict/DataSource origDataSource put
-	imageDict/MultipleDataSources origMultipleDataSources put
-	imageDict/Decode origDecode put	
-	end
-}bdf
-/write_image_file
-{
-	begin
-	{(AGMUTIL_imagefile)(w+)file}stopped{
-		false
-	}{
-		Adobe_AGM_Utils/AGMUTIL_imagefile xddf 
-		2 dict begin
-		/imbufLen Width BitsPerComponent mul 7 add 8 idiv def
-		MultipleDataSources{DataSource 0 get}{DataSource}ifelse type/filetype eq{
-			/imbuf imbufLen string def
-		}if
-		1 1 Height MultipleDataSources not{Decode length 2 idiv mul}if{
-			pop
-			MultipleDataSources{
-			 	0 1 DataSource length 1 sub{
-					DataSource type dup
-					/arraytype eq{
-						pop DataSource exch gx
-					}{
-						/filetype eq{
-							DataSource exch get imbuf readstring pop
-						}{
-							DataSource exch get
-						}ifelse
-					}ifelse
-					AGMUTIL_imagefile exch writestring
-				}for
-			}{
-				DataSource type dup
-				/arraytype eq{
-					pop DataSource exec
-				}{
-					/filetype eq{
-						DataSource imbuf readstring pop
-					}{
-						DataSource
-					}ifelse
-				}ifelse
-				AGMUTIL_imagefile exch writestring
-			}ifelse
-		}for
-		end
-		true
-	}ifelse
-	end
-}bdf
-/close_image_file
-{
-	AGMUTIL_imagefile closefile(AGMUTIL_imagefile)deletefile
-}def
-statusdict/product known userdict/AGMP_current_show known not and{
-	/pstr statusdict/product get def
-	pstr(HP LaserJet 2200)eq 	
-	pstr(HP LaserJet 4000 Series)eq or
-	pstr(HP LaserJet 4050 Series )eq or
-	pstr(HP LaserJet 8000 Series)eq or
-	pstr(HP LaserJet 8100 Series)eq or
-	pstr(HP LaserJet 8150 Series)eq or
-	pstr(HP LaserJet 5000 Series)eq or
-	pstr(HP LaserJet 5100 Series)eq or
-	pstr(HP Color LaserJet 4500)eq or
-	pstr(HP Color LaserJet 4600)eq or
-	pstr(HP LaserJet 5Si)eq or
-	pstr(HP LaserJet 1200 Series)eq or
-	pstr(HP LaserJet 1300 Series)eq or
-	pstr(HP LaserJet 4100 Series)eq or 
-	{
- 		userdict/AGMP_current_show/show load put
-		userdict/show{
-		 currentcolorspace 0 get
-		 /Pattern eq
-		 {false charpath f}
-		 {AGMP_current_show}ifelse
-		}put
-	}if
-	currentdict/pstr undef
-}if
-/consumeimagedata
-{
-	begin
-	AGMIMG_init_common
-	currentdict/MultipleDataSources known not
-		{/MultipleDataSources false def}if
-	MultipleDataSources
-		{
-		DataSource 0 get type
-		dup/filetype eq
-			{
-			1 dict begin
-			/flushbuffer Width cvi string def
-			1 1 Height cvi
-				{
-				pop
-				0 1 DataSource length 1 sub
-					{
-					DataSource exch get
-					flushbuffer readstring pop pop
-					}for
-				}for
-			end
-			}if
-		dup/arraytype eq exch/packedarraytype eq or DataSource 0 get xcheck and
-			{
-			Width Height mul cvi
-				{
-				0 1 DataSource length 1 sub
-					{dup DataSource exch gx length exch 0 ne{pop}if}for
-				dup 0 eq
-					{pop exit}if
-				sub dup 0 le
-					{exit}if
-				}loop
-			pop
-			}if		
-		}
-		{
-		/DataSource load type 
-		dup/filetype eq
-			{
-			1 dict begin
-			/flushbuffer Width Decode length 2 idiv mul cvi string def
-			1 1 Height{pop DataSource flushbuffer readstring pop pop}for
-			end
-			}if
-		dup/arraytype eq exch/packedarraytype eq or/DataSource load xcheck and
-			{
-				Height Width BitsPerComponent mul 8 BitsPerComponent sub add 8 idiv Decode length 2 idiv mul mul
-					{
-					DataSource length dup 0 eq
-						{pop exit}if
-					sub dup 0 le
-						{exit}if
-					}loop
-				pop
-			}if
-		}ifelse
-	end
-}bdf
-/addprocs
-{
-	 2{/exec load}repeat
-	 3 1 roll
-	 [5 1 roll]bind cvx
-}def
-/modify_halftone_xfer
-{
-	currenthalftone dup length dict copy begin
-	 currentdict 2 index known{
-	 	1 index load dup length dict copy begin
-		currentdict/TransferFunction known{
-			/TransferFunction load
-		}{
-			currenttransfer
-		}ifelse
-		 addprocs/TransferFunction xdf 
-		 currentdict end def
-		currentdict end sethalftone
-	}{
-		currentdict/TransferFunction known{
-			/TransferFunction load 
-		}{
-			currenttransfer
-		}ifelse
-		addprocs/TransferFunction xdf
-		currentdict end sethalftone		
-		pop
-	}ifelse
-}def
-/clonearray
-{
-	dup xcheck exch
-	dup length array exch
-	Adobe_AGM_Core/AGMCORE_tmp -1 ddf 
-	{
-	Adobe_AGM_Core/AGMCORE_tmp 2 copy get 1 add ddf 
-	dup type/dicttype eq
-		{
-			Adobe_AGM_Core/AGMCORE_tmp get
-			exch
-			clonedict
-			Adobe_AGM_Core/AGMCORE_tmp 4 -1 roll ddf 
-		}if
-	dup type/arraytype eq
-		{
-			Adobe_AGM_Core/AGMCORE_tmp get exch
-			clonearray
-			Adobe_AGM_Core/AGMCORE_tmp 4 -1 roll ddf 
-		}if
-	exch dup
-	Adobe_AGM_Core/AGMCORE_tmp get 4 -1 roll put
-	}forall
-	exch{cvx}if
-}bdf
-/clonedict
-{
-	dup length dict
-	begin
-	{
-		dup type/dicttype eq
-			{clonedict}if
-		dup type/arraytype eq
-			{clonearray}if
-		def
-	}forall
-	currentdict
-	end
-}bdf
-/DeviceN_PS2
-{
-	/currentcolorspace AGMCORE_gget 0 get/DeviceN eq level3 not and
-}bdf
-/Indexed_DeviceN
-{
-	/indexed_colorspace_dict AGMCORE_gget dup null ne{
-		dup/CSDBase known{
-			/CSDBase get/CSD get_res/Names known 
-		}{
-			pop false
-		}ifelse
-	}{
-		pop false
-	}ifelse
-}bdf
-/DeviceN_NoneName
-{	
-	/Names where{
-		pop
-		false Names
-		{
-			(None)eq or
-		}forall
-	}{
-		false
-	}ifelse
-}bdf
-/DeviceN_PS2_inRip_seps
-{
-	/AGMCORE_in_rip_sep where
-	{
-		pop dup type dup/arraytype eq exch/packedarraytype eq or
-		{
-			dup 0 get/DeviceN eq level3 not and AGMCORE_in_rip_sep and
-			{
-				/currentcolorspace exch AGMCORE_gput
-				false
-			}{
-				true
-			}ifelse
-		}{
-			true
-		}ifelse
-	}{
-		true
-	}ifelse
-}bdf
-/base_colorspace_type
-{
-	dup type/arraytype eq{0 get}if
-}bdf
-/currentdistillerparams where{pop currentdistillerparams/CoreDistVersion get 5000 lt}{true}ifelse
-{
-	/pdfmark_5{cleartomark}bind def
-}{
-	/pdfmark_5{pdfmark}bind def
-}ifelse
-/ReadBypdfmark_5
-{
-	currentfile exch 0 exch/SubFileDecode filter
-	/currentdistillerparams where 
-	{pop currentdistillerparams/CoreDistVersion get 5000 lt}{true}ifelse
-	{flushfile cleartomark}
-	{/PUT pdfmark}ifelse 	
-}bdf
-/xpdfm
-{
-	{
-		dup 0 get/Label eq
-		{
-			aload length[exch 1 add 1 roll/PAGELABEL
-		}{
-			aload pop
-			[{ThisPage}<<5 -2 roll>>/PUT
-		}ifelse
-		pdfmark_5
-	}forall
-}bdf
-/ds{
-	Adobe_AGM_Utils begin
-}bdf
-/dt{
-	currentdict Adobe_AGM_Utils eq{
-		end
-	}if
-}bdf
-systemdict/setpacking known
-{setpacking}if
-%%EndResource
-%%BeginResource: procset Adobe_AGM_Core 2.0 0
-%%Version: 2.0 0
-%%Copyright: Copyright(C)1997-2007 Adobe Systems, Inc. All Rights Reserved.
-systemdict/setpacking known
-{
-	currentpacking
-	true setpacking
-}if
-userdict/Adobe_AGM_Core 209 dict dup begin put
-/Adobe_AGM_Core_Id/Adobe_AGM_Core_2.0_0 def
-/AGMCORE_str256 256 string def
-/AGMCORE_save nd
-/AGMCORE_graphicsave nd
-/AGMCORE_c 0 def
-/AGMCORE_m 0 def
-/AGMCORE_y 0 def
-/AGMCORE_k 0 def
-/AGMCORE_cmykbuf 4 array def
-/AGMCORE_screen[currentscreen]cvx def
-/AGMCORE_tmp 0 def
-/AGMCORE_&setgray nd
-/AGMCORE_&setcolor nd
-/AGMCORE_&setcolorspace nd
-/AGMCORE_&setcmykcolor nd
-/AGMCORE_cyan_plate nd
-/AGMCORE_magenta_plate nd
-/AGMCORE_yellow_plate nd
-/AGMCORE_black_plate nd
-/AGMCORE_plate_ndx nd
-/AGMCORE_get_ink_data nd
-/AGMCORE_is_cmyk_sep nd
-/AGMCORE_host_sep nd
-/AGMCORE_avoid_L2_sep_space nd
-/AGMCORE_distilling nd
-/AGMCORE_composite_job nd
-/AGMCORE_producing_seps nd
-/AGMCORE_ps_level -1 def
-/AGMCORE_ps_version -1 def
-/AGMCORE_environ_ok nd
-/AGMCORE_CSD_cache 0 dict def
-/AGMCORE_currentoverprint false def
-/AGMCORE_deltaX nd
-/AGMCORE_deltaY nd
-/AGMCORE_name nd
-/AGMCORE_sep_special nd
-/AGMCORE_err_strings 4 dict def
-/AGMCORE_cur_err nd
-/AGMCORE_current_spot_alias false def
-/AGMCORE_inverting false def
-/AGMCORE_feature_dictCount nd
-/AGMCORE_feature_opCount nd
-/AGMCORE_feature_ctm nd
-/AGMCORE_ConvertToProcess false def
-/AGMCORE_Default_CTM matrix def
-/AGMCORE_Default_PageSize nd
-/AGMCORE_Default_flatness nd
-/AGMCORE_currentbg nd
-/AGMCORE_currentucr nd
-/AGMCORE_pattern_paint_type 0 def
-/knockout_unitsq nd
-currentglobal true setglobal
-[/CSA/Gradient/Procedure]
-{
-	/Generic/Category findresource dup length dict copy/Category defineresource pop
-}forall
-setglobal
-/AGMCORE_key_known
-{
-	where{
-		/Adobe_AGM_Core_Id known
-	}{
-		false
-	}ifelse
-}ndf
-/flushinput
-{
-	save
-	2 dict begin
-	/CompareBuffer 3 -1 roll def
-	/readbuffer 256 string def
-	mark
-	{
-	currentfile readbuffer{readline}stopped
-		{cleartomark mark}
-		{
-		not
-			{pop exit}
-		if
-		CompareBuffer eq
-			{exit}
-		if
-		}ifelse
-	}loop
-	cleartomark
-	end
-	restore
-}bdf
-/getspotfunction
-{
-	AGMCORE_screen exch pop exch pop
-	dup type/dicttype eq{
-		dup/HalftoneType get 1 eq{
-			/SpotFunction get
-		}{
-			dup/HalftoneType get 2 eq{
-				/GraySpotFunction get
-			}{
-				pop
-				{
-					abs exch abs 2 copy add 1 gt{
-						1 sub dup mul exch 1 sub dup mul add 1 sub
-					}{
-						dup mul exch dup mul add 1 exch sub
-					}ifelse
-				}bind
-			}ifelse
-		}ifelse
-	}if
-}def
-/np
-{newpath}bdf
-/clp_npth
-{clip np}def
-/eoclp_npth
-{eoclip np}def
-/npth_clp
-{np clip}def
-/graphic_setup
-{
-	/AGMCORE_graphicsave save store
-	concat
-	0 setgray
-	0 setlinecap
-	0 setlinejoin
-	1 setlinewidth
-	[]0 setdash
-	10 setmiterlimit
-	np
-	false setoverprint
-	false setstrokeadjust
-	//Adobe_AGM_Core/spot_alias gx
-	/Adobe_AGM_Image where{
-		pop
-		Adobe_AGM_Image/spot_alias 2 copy known{
-			gx
-		}{
-			pop pop
-		}ifelse
-	}if
-	/sep_colorspace_dict null AGMCORE_gput
-	100 dict begin
-	/dictstackcount countdictstack def
-	/showpage{}def
-	mark
-}def
-/graphic_cleanup
-{
-	cleartomark
-	dictstackcount 1 countdictstack 1 sub{end}for
-	end
-	AGMCORE_graphicsave restore
-}def
-/compose_error_msg
-{
-	grestoreall initgraphics	
-	/Helvetica findfont 10 scalefont setfont
-	/AGMCORE_deltaY 100 def
-	/AGMCORE_deltaX 310 def
-	clippath pathbbox np pop pop 36 add exch 36 add exch moveto
-	0 AGMCORE_deltaY rlineto AGMCORE_deltaX 0 rlineto
-	0 AGMCORE_deltaY neg rlineto AGMCORE_deltaX neg 0 rlineto closepath
-	0 AGMCORE_&setgray
-	gsave 1 AGMCORE_&setgray fill grestore 
-	1 setlinewidth gsave stroke grestore
-	currentpoint AGMCORE_deltaY 15 sub add exch 8 add exch moveto
-	/AGMCORE_deltaY 12 def
-	/AGMCORE_tmp 0 def
-	AGMCORE_err_strings exch get
-		{
-		dup 32 eq
-			{
-			pop
-			AGMCORE_str256 0 AGMCORE_tmp getinterval
-			stringwidth pop currentpoint pop add AGMCORE_deltaX 28 add gt
-				{
-				currentpoint AGMCORE_deltaY sub exch pop
-				clippath pathbbox pop pop pop 44 add exch moveto
-				}if
-			AGMCORE_str256 0 AGMCORE_tmp getinterval show( )show
-			0 1 AGMCORE_str256 length 1 sub
-				{
-				AGMCORE_str256 exch 0 put
-				}for
-			/AGMCORE_tmp 0 def
-			}{
-				AGMCORE_str256 exch AGMCORE_tmp xpt
-				/AGMCORE_tmp AGMCORE_tmp 1 add def
-			}ifelse
-		}forall
-}bdf
-/AGMCORE_CMYKDeviceNColorspaces[
-	[/Separation/None/DeviceCMYK{0 0 0}]
-	[/Separation(Black)/DeviceCMYK{0 0 0 4 -1 roll}bind]
-	[/Separation(Yellow)/DeviceCMYK{0 0 3 -1 roll 0}bind]
-	[/DeviceN[(Yellow)(Black)]/DeviceCMYK{0 0 4 2 roll}bind]
-	[/Separation(Magenta)/DeviceCMYK{0 exch 0 0}bind]
-	[/DeviceN[(Magenta)(Black)]/DeviceCMYK{0 3 1 roll 0 exch}bind]
-	[/DeviceN[(Magenta)(Yellow)]/DeviceCMYK{0 3 1 roll 0}bind]
-	[/DeviceN[(Magenta)(Yellow)(Black)]/DeviceCMYK{0 4 1 roll}bind]
-	[/Separation(Cyan)/DeviceCMYK{0 0 0}]
-	[/DeviceN[(Cyan)(Black)]/DeviceCMYK{0 0 3 -1 roll}bind]
-	[/DeviceN[(Cyan)(Yellow)]/DeviceCMYK{0 exch 0}bind]
-	[/DeviceN[(Cyan)(Yellow)(Black)]/DeviceCMYK{0 3 1 roll}bind]
-	[/DeviceN[(Cyan)(Magenta)]/DeviceCMYK{0 0}]
-	[/DeviceN[(Cyan)(Magenta)(Black)]/DeviceCMYK{0 exch}bind]
-	[/DeviceN[(Cyan)(Magenta)(Yellow)]/DeviceCMYK{0}]
-	[/DeviceCMYK]
-]def
-/ds{
-	Adobe_AGM_Core begin
-	/currentdistillerparams where
-		{
-		pop currentdistillerparams/CoreDistVersion get 5000 lt
-			{<</DetectBlends false>>setdistillerparams}if
-		}if	
-	/AGMCORE_ps_version xdf
-	/AGMCORE_ps_level xdf
-	errordict/AGM_handleerror known not{
-		errordict/AGM_handleerror errordict/handleerror get put
-		errordict/handleerror{
-			Adobe_AGM_Core begin
-			$error/newerror get AGMCORE_cur_err null ne and{
-				$error/newerror false put
-				AGMCORE_cur_err compose_error_msg
-			}if
-			$error/newerror true put
-			end
-			errordict/AGM_handleerror get exec
-			}bind put
-		}if
-	/AGMCORE_environ_ok 
-		ps_level AGMCORE_ps_level ge
-		ps_version AGMCORE_ps_version ge and 
-		AGMCORE_ps_level -1 eq or
-	def
-	AGMCORE_environ_ok not
-		{/AGMCORE_cur_err/AGMCORE_bad_environ def}if
-	/AGMCORE_&setgray systemdict/setgray get def
-	level2{
-		/AGMCORE_&setcolor systemdict/setcolor get def
-		/AGMCORE_&setcolorspace systemdict/setcolorspace get def
-	}if
-	/AGMCORE_currentbg currentblackgeneration def
-	/AGMCORE_currentucr currentundercolorremoval def
-	/AGMCORE_Default_flatness currentflat def
-	/AGMCORE_distilling
-		/product where{
-			pop systemdict/setdistillerparams known product(Adobe PostScript Parser)ne and
-		}{
-			false
-		}ifelse
-	def
-	/AGMCORE_GSTATE AGMCORE_key_known not{
-		/AGMCORE_GSTATE 21 dict def
-		/AGMCORE_tmpmatrix matrix def
-		/AGMCORE_gstack 32 array def
-		/AGMCORE_gstackptr 0 def
-		/AGMCORE_gstacksaveptr 0 def
-		/AGMCORE_gstackframekeys 14 def
-		/AGMCORE_&gsave/gsave ldf
-		/AGMCORE_&grestore/grestore ldf
-		/AGMCORE_&grestoreall/grestoreall ldf
-		/AGMCORE_&save/save ldf
-		/AGMCORE_&setoverprint/setoverprint ldf
-		/AGMCORE_gdictcopy{
-			begin
-			{def}forall
-			end
-		}def
-		/AGMCORE_gput{
-			AGMCORE_gstack AGMCORE_gstackptr get
-			3 1 roll
-			put
-		}def
-		/AGMCORE_gget{
-			AGMCORE_gstack AGMCORE_gstackptr get
-			exch
-			get
-		}def
-		/gsave{
-			AGMCORE_&gsave
-			AGMCORE_gstack AGMCORE_gstackptr get
-			AGMCORE_gstackptr 1 add
-			dup 32 ge{limitcheck}if
-			/AGMCORE_gstackptr exch store
-			AGMCORE_gstack AGMCORE_gstackptr get
-			AGMCORE_gdictcopy
-		}def
-		/grestore{
-			AGMCORE_&grestore
-			AGMCORE_gstackptr 1 sub
-			dup AGMCORE_gstacksaveptr lt{1 add}if
-			dup AGMCORE_gstack exch get dup/AGMCORE_currentoverprint known
-				{/AGMCORE_currentoverprint get setoverprint}{pop}ifelse
-			/AGMCORE_gstackptr exch store
-		}def
-		/grestoreall{
-			AGMCORE_&grestoreall
-			/AGMCORE_gstackptr AGMCORE_gstacksaveptr store 
-		}def
-		/save{
-			AGMCORE_&save
-			AGMCORE_gstack AGMCORE_gstackptr get
-			AGMCORE_gstackptr 1 add
-			dup 32 ge{limitcheck}if
-			/AGMCORE_gstackptr exch store
-			/AGMCORE_gstacksaveptr AGMCORE_gstackptr store
-			AGMCORE_gstack AGMCORE_gstackptr get
-			AGMCORE_gdictcopy
-		}def
-		/setoverprint{
-			dup/AGMCORE_currentoverprint exch AGMCORE_gput AGMCORE_&setoverprint
-		}def	
-		0 1 AGMCORE_gstack length 1 sub{
-				AGMCORE_gstack exch AGMCORE_gstackframekeys dict put
-		}for
-	}if
-	level3/AGMCORE_&sysshfill AGMCORE_key_known not and
-	{
-		/AGMCORE_&sysshfill systemdict/shfill get def
-		/AGMCORE_&sysmakepattern systemdict/makepattern get def
-		/AGMCORE_&usrmakepattern/makepattern load def
-	}if
-	/currentcmykcolor[0 0 0 0]AGMCORE_gput
-	/currentstrokeadjust false AGMCORE_gput
-	/currentcolorspace[/DeviceGray]AGMCORE_gput
-	/sep_tint 0 AGMCORE_gput
-	/devicen_tints[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]AGMCORE_gput
-	/sep_colorspace_dict null AGMCORE_gput
-	/devicen_colorspace_dict null AGMCORE_gput
-	/indexed_colorspace_dict null AGMCORE_gput
-	/currentcolor_intent()AGMCORE_gput
-	/customcolor_tint 1 AGMCORE_gput
-	/absolute_colorimetric_crd null AGMCORE_gput
-	/relative_colorimetric_crd null AGMCORE_gput
-	/saturation_crd null AGMCORE_gput
-	/perceptual_crd null AGMCORE_gput
-	currentcolortransfer cvlit/AGMCore_gray_xfer xdf cvlit/AGMCore_b_xfer xdf
-		 cvlit/AGMCore_g_xfer xdf cvlit/AGMCore_r_xfer xdf
-	<<
-	/MaxPatternItem currentsystemparams/MaxPatternCache get
-	>>
-	setuserparams
-	end
-}def
-/ps
-{
-	/setcmykcolor where{
-		pop
-		Adobe_AGM_Core/AGMCORE_&setcmykcolor/setcmykcolor load put
-	}if
-	Adobe_AGM_Core begin
-	/setcmykcolor
-	{
-		4 copy AGMCORE_cmykbuf astore/currentcmykcolor exch AGMCORE_gput
-		1 sub 4 1 roll
-		3{
-			3 index add neg dup 0 lt{
-				pop 0
-			}if
-			3 1 roll
-		}repeat
-		setrgbcolor pop
-	}ndf
-	/currentcmykcolor
-	{
-		/currentcmykcolor AGMCORE_gget aload pop
-	}ndf
-	/setoverprint
-	{pop}ndf
-	/currentoverprint
-	{false}ndf
-	/AGMCORE_cyan_plate 1 0 0 0 test_cmyk_color_plate def
-	/AGMCORE_magenta_plate 0 1 0 0 test_cmyk_color_plate def
-	/AGMCORE_yellow_plate 0 0 1 0 test_cmyk_color_plate def
-	/AGMCORE_black_plate 0 0 0 1 test_cmyk_color_plate def
-	/AGMCORE_plate_ndx 
-		AGMCORE_cyan_plate{
-			0
-		}{
-			AGMCORE_magenta_plate{
-				1
-			}{
-				AGMCORE_yellow_plate{
-					2
-				}{
-					AGMCORE_black_plate{
-						3
-					}{
-						4
-					}ifelse
-				}ifelse
-			}ifelse
-		}ifelse
-		def
-	/AGMCORE_have_reported_unsupported_color_space false def
-	/AGMCORE_report_unsupported_color_space
-	{
-		AGMCORE_have_reported_unsupported_color_space false eq
-		{
-			(Warning: Job contains content that cannot be separated with on-host methods. This content appears on the black plate, and knocks out all other plates.)==
-			Adobe_AGM_Core/AGMCORE_have_reported_unsupported_color_space true ddf
-		}if
-	}def
-	/AGMCORE_composite_job
-		AGMCORE_cyan_plate AGMCORE_magenta_plate and AGMCORE_yellow_plate and AGMCORE_black_plate and def
-	/AGMCORE_in_rip_sep
-		/AGMCORE_in_rip_sep where{
-			pop AGMCORE_in_rip_sep
-		}{
-			AGMCORE_distilling 
-			{
-				false
-			}{
-				userdict/Adobe_AGM_OnHost_Seps known{
-					false
-				}{
-					level2{
-						currentpagedevice/Separations 2 copy known{
-							get
-						}{
-							pop pop false
-						}ifelse
-					}{
-						false
-					}ifelse
-				}ifelse
-			}ifelse
-		}ifelse
-	def
-	/AGMCORE_producing_seps AGMCORE_composite_job not AGMCORE_in_rip_sep or def
-	/AGMCORE_host_sep AGMCORE_producing_seps AGMCORE_in_rip_sep not and def
-	/AGM_preserve_spots 
-		/AGM_preserve_spots where{
-			pop AGM_preserve_spots
-		}{
-			AGMCORE_distilling AGMCORE_producing_seps or
-		}ifelse
-	def
-	/AGM_is_distiller_preserving_spotimages
-	{
-		currentdistillerparams/PreserveOverprintSettings known
-		{
-			currentdistillerparams/PreserveOverprintSettings get
-				{
-					currentdistillerparams/ColorConversionStrategy known
-					{
-						currentdistillerparams/ColorConversionStrategy get
-						/sRGB ne
-					}{
-						true
-					}ifelse
-				}{
-					false
-				}ifelse
-		}{
-			false
-		}ifelse
-	}def
-	/convert_spot_to_process where{pop}{
-		/convert_spot_to_process
-		{
-			//Adobe_AGM_Core begin
-			dup map_alias{
-				/Name get exch pop
-			}if
-			dup dup(None)eq exch(All)eq or
-				{
-				pop false
-				}{
-				AGMCORE_host_sep
-				{
-					gsave
-					1 0 0 0 setcmykcolor currentgray 1 exch sub
-					0 1 0 0 setcmykcolor currentgray 1 exch sub
-					0 0 1 0 setcmykcolor currentgray 1 exch sub
-					0 0 0 1 setcmykcolor currentgray 1 exch sub
-					add add add 0 eq
-					{
-						pop false
-					}{
-						false setoverprint
-						current_spot_alias false set_spot_alias
-						1 1 1 1 6 -1 roll findcmykcustomcolor 1 setcustomcolor
-						set_spot_alias
-						currentgray 1 ne
-					}ifelse
-					grestore
-				}{
-					AGMCORE_distilling
-					{
-						pop AGM_is_distiller_preserving_spotimages not
-					}{
-						//Adobe_AGM_Core/AGMCORE_name xddf
-						false
-						//Adobe_AGM_Core/AGMCORE_pattern_paint_type get 0 eq
-						AGMUTIL_cpd/OverrideSeparations known and
-						{
-							AGMUTIL_cpd/OverrideSeparations get
-							{
-								/HqnSpots/ProcSet resourcestatus
-								{
-									pop pop pop true
-								}if
-							}if
-						}if					
-						{
-							AGMCORE_name/HqnSpots/ProcSet findresource/TestSpot gx not
-						}{
-							gsave
-							[/Separation AGMCORE_name/DeviceGray{}]AGMCORE_&setcolorspace
-							false
-							AGMUTIL_cpd/SeparationColorNames 2 copy known
-							{
-								get
-								{AGMCORE_name eq or}forall
-								not
-							}{
-								pop pop pop true
-							}ifelse
-							grestore
-						}ifelse
-					}ifelse
-				}ifelse
-			}ifelse
-			end
-		}def
-	}ifelse
-	/convert_to_process where{pop}{
-		/convert_to_process
-		{
-			dup length 0 eq
-				{
-				pop false
-				}{
-				AGMCORE_host_sep
-				{
-				dup true exch
-					{
-					dup(Cyan)eq exch
-					dup(Magenta)eq 3 -1 roll or exch
-					dup(Yellow)eq 3 -1 roll or exch
-					dup(Black)eq 3 -1 roll or
-						{pop}
-						{convert_spot_to_process and}ifelse
-					}
-				forall
-					{
-					true exch
-						{
-						dup(Cyan)eq exch
-						dup(Magenta)eq 3 -1 roll or exch
-						dup(Yellow)eq 3 -1 roll or exch
-						(Black)eq or and
-						}forall
-						not
-					}{pop false}ifelse
-				}{
-				false exch
-					{
-					/PhotoshopDuotoneList where{pop false}{true}ifelse
-						{
-						dup(Cyan)eq exch
-						dup(Magenta)eq 3 -1 roll or exch
-						dup(Yellow)eq 3 -1 roll or exch
-						dup(Black)eq 3 -1 roll or
-						{pop}
-						{convert_spot_to_process or}ifelse
-						}
-						{
-						convert_spot_to_process or
-						}
-					ifelse
-					}
-				forall
-				}ifelse
-			}ifelse
-		}def
-	}ifelse	
-	/AGMCORE_avoid_L2_sep_space 
-		version cvr 2012 lt 
-		level2 and 
-		AGMCORE_producing_seps not and
-	def
-	/AGMCORE_is_cmyk_sep
-		AGMCORE_cyan_plate AGMCORE_magenta_plate or AGMCORE_yellow_plate or AGMCORE_black_plate or
-	def
-	/AGM_avoid_0_cmyk where{
-		pop AGM_avoid_0_cmyk
-	}{
-		AGM_preserve_spots 
-		userdict/Adobe_AGM_OnHost_Seps known 
-		userdict/Adobe_AGM_InRip_Seps known or
-		not and
-	}ifelse
-	{
-		/setcmykcolor[
-			{
-				4 copy add add add 0 eq currentoverprint and{
-					pop 0.0005
-				}if
-			}/exec cvx
-			/AGMCORE_&setcmykcolor load dup type/operatortype ne{
-				/exec cvx
-			}if
-		]cvx def
-	}if
-	/AGMCORE_IsSeparationAProcessColor
-		{
-		dup(Cyan)eq exch dup(Magenta)eq exch dup(Yellow)eq exch(Black)eq or or or
-		}def
-	AGMCORE_host_sep{
-		/setcolortransfer
-		{
-			AGMCORE_cyan_plate{
-				pop pop pop
-			}{
-			 	AGMCORE_magenta_plate{
-			 		4 3 roll pop pop pop
-			 	}{
-			 		AGMCORE_yellow_plate{
-			 			4 2 roll pop pop pop
-			 		}{
-			 			4 1 roll pop pop pop
-			 		}ifelse
-			 	}ifelse
-			}ifelse
-			settransfer 
-		}	
-		def
-		/AGMCORE_get_ink_data
-			AGMCORE_cyan_plate{
-				{pop pop pop}
-			}{
-			 	AGMCORE_magenta_plate{
-			 		{4 3 roll pop pop pop}
-			 	}{
-			 		AGMCORE_yellow_plate{
-			 			{4 2 roll pop pop pop}
-			 		}{
-			 			{4 1 roll pop pop pop}
-			 		}ifelse
-			 	}ifelse
-			}ifelse
-		def
-		/AGMCORE_RemoveProcessColorNames
-			{
-			1 dict begin
-			/filtername
-				{
-				dup/Cyan eq 1 index(Cyan)eq or
-					{pop(_cyan_)}if
-				dup/Magenta eq 1 index(Magenta)eq or
-					{pop(_magenta_)}if
-				dup/Yellow eq 1 index(Yellow)eq or
-					{pop(_yellow_)}if
-				dup/Black eq 1 index(Black)eq or
-					{pop(_black_)}if
-				}def
-			dup type/arraytype eq
-				{[exch{filtername}forall]}
-				{filtername}ifelse
-			end
-			}def
-		level3{
-			/AGMCORE_IsCurrentColor
-				{
-				dup AGMCORE_IsSeparationAProcessColor
-					{
-					AGMCORE_plate_ndx 0 eq
-						{dup(Cyan)eq exch/Cyan eq or}if
-					AGMCORE_plate_ndx 1 eq
-						{dup(Magenta)eq exch/Magenta eq or}if
-					AGMCORE_plate_ndx 2 eq
-						{dup(Yellow)eq exch/Yellow eq or}if
-					AGMCORE_plate_ndx 3 eq
-						{dup(Black)eq exch/Black eq or}if
-					AGMCORE_plate_ndx 4 eq
-						{pop false}if
-					}{
-					gsave
-					false setoverprint
-					current_spot_alias false set_spot_alias
-					1 1 1 1 6 -1 roll findcmykcustomcolor 1 setcustomcolor
-					set_spot_alias
-					currentgray 1 ne
-					grestore
-					}ifelse
-				}def
-			/AGMCORE_filter_functiondatasource
-				{	
-				5 dict begin
-				/data_in xdf
-				data_in type/stringtype eq
-					{
-					/ncomp xdf
-					/comp xdf
-					/string_out data_in length ncomp idiv string def
-					0 ncomp data_in length 1 sub
-						{
-						string_out exch dup ncomp idiv exch data_in exch ncomp getinterval comp get 255 exch sub put
-						}for
-					string_out
-					}{
-					string/string_in xdf
-					/string_out 1 string def
-					/component xdf
-					[
-					data_in string_in/readstring cvx
-						[component/get cvx 255/exch cvx/sub cvx string_out/exch cvx 0/exch cvx/put cvx string_out]cvx
-						[/pop cvx()]cvx/ifelse cvx
-					]cvx/ReusableStreamDecode filter
-				}ifelse
-				end
-				}def
-			/AGMCORE_separateShadingFunction
-				{
-				2 dict begin
-				/paint? xdf
-				/channel xdf
-				dup type/dicttype eq
-					{
-					begin
-					FunctionType 0 eq
-						{
-						/DataSource channel Range length 2 idiv DataSource AGMCORE_filter_functiondatasource def
-						currentdict/Decode known
-							{/Decode Decode channel 2 mul 2 getinterval def}if
-						paint? not
-							{/Decode[1 1]def}if
-						}if
-					FunctionType 2 eq
-						{
-						paint?
-							{
-							/C0[C0 channel get 1 exch sub]def
-							/C1[C1 channel get 1 exch sub]def
-							}{
-							/C0[1]def
-							/C1[1]def
-							}ifelse			
-						}if
-					FunctionType 3 eq
-						{
-						/Functions[Functions{channel paint? AGMCORE_separateShadingFunction}forall]def			
-						}if
-					currentdict/Range known
-						{/Range[0 1]def}if
-					currentdict
-					end}{
-					channel get 0 paint? AGMCORE_separateShadingFunction
-					}ifelse
-				end
-				}def
-			/AGMCORE_separateShading
-				{
-				3 -1 roll begin
-				currentdict/Function known
-					{
-					currentdict/Background known
-						{[1 index{Background 3 index get 1 exch sub}{1}ifelse]/Background xdf}if
-					Function 3 1 roll AGMCORE_separateShadingFunction/Function xdf
-					/ColorSpace[/DeviceGray]def
-					}{
-					ColorSpace dup type/arraytype eq{0 get}if/DeviceCMYK eq
-						{
-						/ColorSpace[/DeviceN[/_cyan_/_magenta_/_yellow_/_black_]/DeviceCMYK{}]def
-						}{
-						ColorSpace dup 1 get AGMCORE_RemoveProcessColorNames 1 exch put
-						}ifelse
-					ColorSpace 0 get/Separation eq
-						{
-							{
-								[1/exch cvx/sub cvx]cvx
-							}{
-								[/pop cvx 1]cvx
-							}ifelse
-							ColorSpace 3 3 -1 roll put
-							pop
-						}{
-							{
-								[exch ColorSpace 1 get length 1 sub exch sub/index cvx 1/exch cvx/sub cvx ColorSpace 1 get length 1 add 1/roll cvx ColorSpace 1 get length{/pop cvx}repeat]cvx
-							}{
-								pop[ColorSpace 1 get length{/pop cvx}repeat cvx 1]cvx
-							}ifelse
-							ColorSpace 3 3 -1 roll bind put
-						}ifelse
-					ColorSpace 2/DeviceGray put																		
-					}ifelse
-				end
-				}def
-			/AGMCORE_separateShadingDict
-				{
-				dup/ColorSpace get
-				dup type/arraytype ne
-					{[exch]}if
-				dup 0 get/DeviceCMYK eq
-					{
-					exch begin 
-					currentdict
-					AGMCORE_cyan_plate
-						{0 true}if
-					AGMCORE_magenta_plate
-						{1 true}if
-					AGMCORE_yellow_plate
-						{2 true}if
-					AGMCORE_black_plate
-						{3 true}if
-					AGMCORE_plate_ndx 4 eq
-						{0 false}if		
-					dup not currentoverprint and
-						{/AGMCORE_ignoreshade true def}if
-					AGMCORE_separateShading
-					currentdict
-					end exch
-					}if
-				dup 0 get/Separation eq
-					{
-					exch begin
-					ColorSpace 1 get dup/None ne exch/All ne and
-						{
-						ColorSpace 1 get AGMCORE_IsCurrentColor AGMCORE_plate_ndx 4 lt and ColorSpace 1 get AGMCORE_IsSeparationAProcessColor not and
-							{
-							ColorSpace 2 get dup type/arraytype eq{0 get}if/DeviceCMYK eq 
-								{
-								/ColorSpace
-									[
-									/Separation
-									ColorSpace 1 get
-									/DeviceGray
-										[
-										ColorSpace 3 get/exec cvx
-										4 AGMCORE_plate_ndx sub -1/roll cvx
-										4 1/roll cvx
-										3[/pop cvx]cvx/repeat cvx
-										1/exch cvx/sub cvx
-										]cvx									
-									]def
-								}{
-								AGMCORE_report_unsupported_color_space
-								AGMCORE_black_plate not
-									{
-									currentdict 0 false AGMCORE_separateShading
-									}if
-								}ifelse
-							}{
-							currentdict ColorSpace 1 get AGMCORE_IsCurrentColor
-							0 exch 
-							dup not currentoverprint and
-								{/AGMCORE_ignoreshade true def}if
-							AGMCORE_separateShading
-							}ifelse	
-						}if			
-					currentdict
-					end exch
-					}if
-				dup 0 get/DeviceN eq
-					{
-					exch begin
-					ColorSpace 1 get convert_to_process
-						{
-						ColorSpace 2 get dup type/arraytype eq{0 get}if/DeviceCMYK eq 
-							{
-							/ColorSpace
-								[
-								/DeviceN
-								ColorSpace 1 get
-								/DeviceGray
-									[
-									ColorSpace 3 get/exec cvx
-									4 AGMCORE_plate_ndx sub -1/roll cvx
-									4 1/roll cvx
-									3[/pop cvx]cvx/repeat cvx
-									1/exch cvx/sub cvx
-									]cvx									
-								]def
-							}{
-							AGMCORE_report_unsupported_color_space
-							AGMCORE_black_plate not
-								{
-								currentdict 0 false AGMCORE_separateShading
-								/ColorSpace[/DeviceGray]def
-								}if
-							}ifelse
-						}{
-						currentdict
-						false -1 ColorSpace 1 get
-							{
-							AGMCORE_IsCurrentColor
-								{
-								1 add
-								exch pop true exch exit
-								}if
-							1 add
-							}forall
-						exch 
-						dup not currentoverprint and
-							{/AGMCORE_ignoreshade true def}if
-						AGMCORE_separateShading
-						}ifelse
-					currentdict
-					end exch
-					}if
-				dup 0 get dup/DeviceCMYK eq exch dup/Separation eq exch/DeviceN eq or or not
-					{
-					exch begin
-					ColorSpace dup type/arraytype eq
-						{0 get}if
-					/DeviceGray ne
-						{
-						AGMCORE_report_unsupported_color_space
-						AGMCORE_black_plate not
-							{
-							ColorSpace 0 get/CIEBasedA eq
-								{
-								/ColorSpace[/Separation/_ciebaseda_/DeviceGray{}]def
-								}if
-							ColorSpace 0 get dup/CIEBasedABC eq exch dup/CIEBasedDEF eq exch/DeviceRGB eq or or
-								{
-								/ColorSpace[/DeviceN[/_red_/_green_/_blue_]/DeviceRGB{}]def
-								}if
-							ColorSpace 0 get/CIEBasedDEFG eq
-								{
-								/ColorSpace[/DeviceN[/_cyan_/_magenta_/_yellow_/_black_]/DeviceCMYK{}]def
-								}if
-							currentdict 0 false AGMCORE_separateShading
-							}if
-						}if
-					currentdict
-					end exch
-					}if
-				pop
-				dup/AGMCORE_ignoreshade known
-					{
-					begin
-					/ColorSpace[/Separation(None)/DeviceGray{}]def
-					currentdict end
-					}if
-				}def
-			/shfill
-				{
-				AGMCORE_separateShadingDict 
-				dup/AGMCORE_ignoreshade known
-					{pop}
-					{AGMCORE_&sysshfill}ifelse
-				}def
-			/makepattern
-				{
-				exch
-				dup/PatternType get 2 eq
-					{
-					clonedict
-					begin
-					/Shading Shading AGMCORE_separateShadingDict def
-					Shading/AGMCORE_ignoreshade known
-					currentdict end exch
-					{pop<</PatternType 1/PaintProc{pop}/BBox[0 0 1 1]/XStep 1/YStep 1/PaintType 1/TilingType 3>>}if
-					exch AGMCORE_&sysmakepattern
-					}{
-					exch AGMCORE_&usrmakepattern
-					}ifelse
-				}def
-		}if
-	}if
-	AGMCORE_in_rip_sep{
-		/setcustomcolor
-		{
-			exch aload pop
-			dup 7 1 roll inRip_spot_has_ink not	{
-				4{4 index mul 4 1 roll}
-				repeat
-				/DeviceCMYK setcolorspace
-				6 -2 roll pop pop
-			}{
-				//Adobe_AGM_Core begin
-					/AGMCORE_k xdf/AGMCORE_y xdf/AGMCORE_m xdf/AGMCORE_c xdf
-				end
-				[/Separation 4 -1 roll/DeviceCMYK
-				{dup AGMCORE_c mul exch dup AGMCORE_m mul exch dup AGMCORE_y mul exch AGMCORE_k mul}
-				]
-				setcolorspace
-			}ifelse
-			setcolor
-		}ndf
-		/setseparationgray
-		{
-			[/Separation(All)/DeviceGray{}]setcolorspace_opt
-			1 exch sub setcolor
-		}ndf
-	}{
-		/setseparationgray
-		{
-			AGMCORE_&setgray
-		}ndf
-	}ifelse
-	/findcmykcustomcolor
-	{
-		5 makereadonlyarray
-	}ndf
-	/setcustomcolor
-	{
-		exch aload pop pop
-		4{4 index mul 4 1 roll}repeat
-		setcmykcolor pop
-	}ndf
-	/has_color
-		/colorimage where{
-			AGMCORE_producing_seps{
-				pop true
-			}{
-				systemdict eq
-			}ifelse
-		}{
-			false
-		}ifelse
-	def
-	/map_index
-	{
-		1 index mul exch getinterval{255 div}forall
-	}bdf
-	/map_indexed_devn
-	{
-		Lookup Names length 3 -1 roll cvi map_index
-	}bdf
-	/n_color_components
-	{
-		base_colorspace_type
-		dup/DeviceGray eq{
-			pop 1
-		}{
-			/DeviceCMYK eq{
-				4
-			}{
-				3
-			}ifelse
-		}ifelse
-	}bdf
-	level2{
-		/mo/moveto ldf
-		/li/lineto ldf
-		/cv/curveto ldf
-		/knockout_unitsq
-		{
-			1 setgray
-			0 0 1 1 rectfill
-		}def
-		level2/setcolorspace AGMCORE_key_known not and{
-			/AGMCORE_&&&setcolorspace/setcolorspace ldf
-			/AGMCORE_ReplaceMappedColor
-			{
-				dup type dup/arraytype eq exch/packedarraytype eq or
-				{
-					/AGMCORE_SpotAliasAry2 where{
-						begin
-						dup 0 get dup/Separation eq
-						{
-							pop
-							dup length array copy
-							dup dup 1 get
-							current_spot_alias
-							{
-								dup map_alias
-								{
-									false set_spot_alias
-									dup 1 exch setsepcolorspace
-									true set_spot_alias
-									begin
-									/sep_colorspace_dict currentdict AGMCORE_gput
-									pop pop	pop
-									[
-										/Separation Name 
-										CSA map_csa
-										MappedCSA 
-										/sep_colorspace_proc load
-									]
-									dup Name
-									end
-								}if
-							}if
-							map_reserved_ink_name 1 xpt
-						}{
-							/DeviceN eq 
-							{
-								dup length array copy
-								dup dup 1 get[
-									exch{
-										current_spot_alias{
-											dup map_alias{
-												/Name get exch pop
-											}if
-										}if
-										map_reserved_ink_name
-									}forall 
-								]1 xpt
-							}if
-						}ifelse
-						end
-					}if
-				}if
-			}def
-			/setcolorspace
-			{
-				dup type dup/arraytype eq exch/packedarraytype eq or
-				{
-					dup 0 get/Indexed eq
-					{
-						AGMCORE_distilling
-						{
-							/PhotoshopDuotoneList where
-							{
-								pop false
-							}{
-								true
-							}ifelse
-						}{
-							true
-						}ifelse
-						{
-							aload pop 3 -1 roll
-							AGMCORE_ReplaceMappedColor
-							3 1 roll 4 array astore
-						}if
-					}{
-						AGMCORE_ReplaceMappedColor
-					}ifelse
-				}if
-				DeviceN_PS2_inRip_seps{AGMCORE_&&&setcolorspace}if
-			}def
-		}if	
-	}{
-		/adj
-		{
-			currentstrokeadjust{
-				transform
-				0.25 sub round 0.25 add exch
-				0.25 sub round 0.25 add exch
-				itransform
-			}if
-		}def
-		/mo{
-			adj moveto
-		}def
-		/li{
-			adj lineto
-		}def
-		/cv{
-			6 2 roll adj
-			6 2 roll adj
-			6 2 roll adj curveto
-		}def
-		/knockout_unitsq
-		{
-			1 setgray
-			8 8 1[8 0 0 8 0 0]{<ffffffffffffffff>}image
-		}def
-		/currentstrokeadjust{
-			/currentstrokeadjust AGMCORE_gget
-		}def
-		/setstrokeadjust{
-			/currentstrokeadjust exch AGMCORE_gput
-		}def
-		/setcolorspace
-		{
-			/currentcolorspace exch AGMCORE_gput
-		}def
-		/currentcolorspace
-		{
-			/currentcolorspace AGMCORE_gget
-		}def
-		/setcolor_devicecolor
-		{
-			base_colorspace_type
-			dup/DeviceGray eq{
-				pop setgray
-			}{
-				/DeviceCMYK eq{
-					setcmykcolor
-				}{
-					setrgbcolor
-				}ifelse
-			}ifelse
-		}def
-		/setcolor
-		{
-			currentcolorspace 0 get
-			dup/DeviceGray ne{
-				dup/DeviceCMYK ne{
-					dup/DeviceRGB ne{
-						dup/Separation eq{
-							pop
-							currentcolorspace 3 gx
-							currentcolorspace 2 get
-						}{
-							dup/Indexed eq{
-								pop
-								currentcolorspace 3 get dup type/stringtype eq{
-									currentcolorspace 1 get n_color_components
-									3 -1 roll map_index
-								}{
-									exec
-								}ifelse
-								currentcolorspace 1 get
-							}{
-								/AGMCORE_cur_err/AGMCORE_invalid_color_space def
-								AGMCORE_invalid_color_space
-							}ifelse
-						}ifelse
-					}if
-				}if
-			}if
-			setcolor_devicecolor
-		}def
-	}ifelse
-	/sop/setoverprint ldf
-	/lw/setlinewidth ldf
-	/lc/setlinecap ldf
-	/lj/setlinejoin ldf
-	/ml/setmiterlimit ldf
-	/dsh/setdash ldf
-	/sadj/setstrokeadjust ldf
-	/gry/setgray ldf
-	/rgb/setrgbcolor ldf
-	/cmyk[
-		/currentcolorspace[/DeviceCMYK]/AGMCORE_gput cvx
-		/setcmykcolor load dup type/operatortype ne{/exec cvx}if
-	]cvx bdf
-	level3 AGMCORE_host_sep not and{
-		/nzopmsc{
-			6 dict begin
-			/kk exch def
-			/yy exch def
-			/mm exch def
-			/cc exch def
-			/sum 0 def
-			cc 0 ne{/sum sum 2#1000 or def cc}if
-			mm 0 ne{/sum sum 2#0100 or def mm}if
-			yy 0 ne{/sum sum 2#0010 or def yy}if
-			kk 0 ne{/sum sum 2#0001 or def kk}if
-			AGMCORE_CMYKDeviceNColorspaces sum get setcolorspace
-			sum 0 eq{0}if
-			end
-			setcolor
-		}bdf
-	}{
-		/nzopmsc/cmyk ldf
-	}ifelse
-	/sep/setsepcolor ldf
-	/devn/setdevicencolor ldf
-	/idx/setindexedcolor ldf
-	/colr/setcolor ldf
-	/csacrd/set_csa_crd ldf
-	/sepcs/setsepcolorspace ldf
-	/devncs/setdevicencolorspace ldf
-	/idxcs/setindexedcolorspace ldf
-	/cp/closepath ldf
-	/clp/clp_npth ldf
-	/eclp/eoclp_npth ldf
-	/f/fill ldf
-	/ef/eofill ldf
-	/@/stroke ldf
-	/nclp/npth_clp ldf
-	/gset/graphic_setup ldf
-	/gcln/graphic_cleanup ldf
-	/ct/concat ldf
-	/cf/currentfile ldf
-	/fl/filter ldf
-	/rs/readstring ldf
-	/AGMCORE_def_ht currenthalftone def
-	/clonedict Adobe_AGM_Utils begin/clonedict load end def
-	/clonearray Adobe_AGM_Utils begin/clonearray load end def
-	currentdict{
-		dup xcheck 1 index type dup/arraytype eq exch/packedarraytype eq or and{
-			bind
-		}if
-		def
-	}forall
-	/getrampcolor
-	{
-		/indx exch def
-		0 1 NumComp 1 sub
-		{
-			dup
-			Samples exch get
-			dup type/stringtype eq{indx get}if
-			exch
-			Scaling exch get aload pop
-			3 1 roll
-			mul add
-		}for
-		ColorSpaceFamily/Separation eq 
-		{sep}
-		{
-			ColorSpaceFamily/DeviceN eq
-			{devn}{setcolor}ifelse
-		}ifelse
-	}bdf
-	/sssetbackground{
-		aload pop 
-		ColorSpaceFamily/Separation eq 
-		{sep}
-		{
-			ColorSpaceFamily/DeviceN eq
-			{devn}{setcolor}ifelse
-		}ifelse	
-	}bdf
-	/RadialShade
-	{
-		40 dict begin
-		/ColorSpaceFamily xdf
-		/background xdf
-		/ext1 xdf
-		/ext0 xdf
-		/BBox xdf
-		/r2 xdf
-		/c2y xdf
-		/c2x xdf
-		/r1 xdf
-		/c1y xdf
-		/c1x xdf
-		/rampdict xdf
-		/setinkoverprint where{pop/setinkoverprint{pop}def}if
-		gsave
-		BBox length 0 gt
-		{
-			np
-			BBox 0 get BBox 1 get moveto
-			BBox 2 get BBox 0 get sub 0 rlineto
-			0 BBox 3 get BBox 1 get sub rlineto
-			BBox 2 get BBox 0 get sub neg 0 rlineto
-			closepath
-			clip
-			np
-		}if
-		c1x c2x eq
-		{
-			c1y c2y lt{/theta 90 def}{/theta 270 def}ifelse
-		}{
-			/slope c2y c1y sub c2x c1x sub div def
-			/theta slope 1 atan def
-			c2x c1x lt c2y c1y ge and{/theta theta 180 sub def}if
-			c2x c1x lt c2y c1y lt and{/theta theta 180 add def}if
-		}ifelse
-		gsave
-		clippath
-		c1x c1y translate
-		theta rotate
-		-90 rotate
-		{pathbbox}stopped
-		{0 0 0 0}if
-		/yMax xdf
-		/xMax xdf
-		/yMin xdf
-		/xMin xdf
-		grestore
-		xMax xMin eq yMax yMin eq or
-		{
-			grestore
-			end
-		}{
-			/max{2 copy gt{pop}{exch pop}ifelse}bdf
-			/min{2 copy lt{pop}{exch pop}ifelse}bdf
-			rampdict begin
-			40 dict begin
-			background length 0 gt{background sssetbackground gsave clippath fill grestore}if
-			gsave
-			c1x c1y translate
-			theta rotate
-			-90 rotate
-			/c2y c1x c2x sub dup mul c1y c2y sub dup mul add sqrt def
-			/c1y 0 def
-			/c1x 0 def
-			/c2x 0 def
-			ext0
-			{
-				0 getrampcolor
-				c2y r2 add r1 sub 0.0001 lt
-				{
-					c1x c1y r1 360 0 arcn
-					pathbbox
-					/aymax exch def
-					/axmax exch def
-					/aymin exch def
-					/axmin exch def
-					/bxMin xMin axmin min def
-					/byMin yMin aymin min def
-					/bxMax xMax axmax max def
-					/byMax yMax aymax max def
-					bxMin byMin moveto
-					bxMax byMin lineto
-					bxMax byMax lineto
-					bxMin byMax lineto
-					bxMin byMin lineto
-					eofill
-				}{
-					c2y r1 add r2 le
-					{
-						c1x c1y r1 0 360 arc
-						fill
-					}
-					{
-						c2x c2y r2 0 360 arc fill
-						r1 r2 eq
-						{
-							/p1x r1 neg def
-							/p1y c1y def
-							/p2x r1 def
-							/p2y c1y def
-							p1x p1y moveto p2x p2y lineto p2x yMin lineto p1x yMin lineto
-							fill
-						}{
-							/AA r2 r1 sub c2y div def
-							AA -1 eq
-							{/theta 89.99 def}
-							{/theta AA 1 AA dup mul sub sqrt div 1 atan def}
-							ifelse
-							/SS1 90 theta add dup sin exch cos div def
-							/p1x r1 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
-							/p1y p1x SS1 div neg def
-							/SS2 90 theta sub dup sin exch cos div def
-							/p2x r1 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
-							/p2y p2x SS2 div neg def
-							r1 r2 gt
-							{
-								/L1maxX p1x yMin p1y sub SS1 div add def
-								/L2maxX p2x yMin p2y sub SS2 div add def
-							}{
-								/L1maxX 0 def
-								/L2maxX 0 def
-							}ifelse
-							p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
-							L1maxX L1maxX p1x sub SS1 mul p1y add lineto
-							fill
-						}ifelse
-					}ifelse
-				}ifelse
-			}if
-		c1x c2x sub dup mul
-		c1y c2y sub dup mul
-		add 0.5 exp
-		0 dtransform
-		dup mul exch dup mul add 0.5 exp 72 div
-		0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
-		72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
-		1 index 1 index lt{exch}if pop
-		/hires xdf
-		hires mul
-		/numpix xdf
-		/numsteps NumSamples def
-		/rampIndxInc 1 def
-		/subsampling false def
-		numpix 0 ne
-		{
-			NumSamples numpix div 0.5 gt
-			{
-				/numsteps numpix 2 div round cvi dup 1 le{pop 2}if def
-				/rampIndxInc NumSamples 1 sub numsteps div def
-				/subsampling true def
-			}if
-		}if
-		/xInc c2x c1x sub numsteps div def
-		/yInc c2y c1y sub numsteps div def
-		/rInc r2 r1 sub numsteps div def
-		/cx c1x def
-		/cy c1y def
-		/radius r1 def
-		np
-		xInc 0 eq yInc 0 eq rInc 0 eq and and
-		{
-			0 getrampcolor
-			cx cy radius 0 360 arc
-			stroke
-			NumSamples 1 sub getrampcolor
-			cx cy radius 72 hires div add 0 360 arc
-			0 setlinewidth
-			stroke
-		}{
-			0
-			numsteps
-			{
-				dup
-				subsampling{round cvi}if
-				getrampcolor
-				cx cy radius 0 360 arc
-				/cx cx xInc add def
-				/cy cy yInc add def
-				/radius radius rInc add def
-				cx cy radius 360 0 arcn
-				eofill
-				rampIndxInc add
-			}repeat
-			pop
-		}ifelse
-		ext1
-		{
-			c2y r2 add r1 lt
-			{
-				c2x c2y r2 0 360 arc
-				fill
-			}{
-				c2y r1 add r2 sub 0.0001 le
-				{
-					c2x c2y r2 360 0 arcn
-					pathbbox
-					/aymax exch def
-					/axmax exch def
-					/aymin exch def
-					/axmin exch def
-					/bxMin xMin axmin min def
-					/byMin yMin aymin min def
-					/bxMax xMax axmax max def
-					/byMax yMax aymax max def
-					bxMin byMin moveto
-					bxMax byMin lineto
-					bxMax byMax lineto
-					bxMin byMax lineto
-					bxMin byMin lineto
-					eofill
-				}{
-					c2x c2y r2 0 360 arc fill
-					r1 r2 eq
-					{
-						/p1x r2 neg def
-						/p1y c2y def
-						/p2x r2 def
-						/p2y c2y def
-						p1x p1y moveto p2x p2y lineto p2x yMax lineto p1x yMax lineto
-						fill
-					}{
-						/AA r2 r1 sub c2y div def
-						AA -1 eq
-						{/theta 89.99 def}
-						{/theta AA 1 AA dup mul sub sqrt div 1 atan def}
-						ifelse
-						/SS1 90 theta add dup sin exch cos div def
-						/p1x r2 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
-						/p1y c2y p1x SS1 div sub def
-						/SS2 90 theta sub dup sin exch cos div def
-						/p2x r2 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
-						/p2y c2y p2x SS2 div sub def
-						r1 r2 lt
-						{
-							/L1maxX p1x yMax p1y sub SS1 div add def
-							/L2maxX p2x yMax p2y sub SS2 div add def
-						}{
-							/L1maxX 0 def
-							/L2maxX 0 def
-						}ifelse
-						p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
-						L1maxX L1maxX p1x sub SS1 mul p1y add lineto
-						fill
-					}ifelse
-				}ifelse
-			}ifelse
-		}if
-		grestore
-		grestore
-		end
-		end
-		end
-		}ifelse
-	}bdf
-	/GenStrips
-	{
-		40 dict begin
-		/ColorSpaceFamily xdf
-		/background xdf
-		/ext1 xdf
-		/ext0 xdf
-		/BBox xdf
-		/y2 xdf
-		/x2 xdf
-		/y1 xdf
-		/x1 xdf
-		/rampdict xdf
-		/setinkoverprint where{pop/setinkoverprint{pop}def}if
-		gsave
-		BBox length 0 gt
-		{
-			np
-			BBox 0 get BBox 1 get moveto
-			BBox 2 get BBox 0 get sub 0 rlineto
-			0 BBox 3 get BBox 1 get sub rlineto
-			BBox 2 get BBox 0 get sub neg 0 rlineto
-			closepath
-			clip
-			np
-		}if
-		x1 x2 eq
-		{
-			y1 y2 lt{/theta 90 def}{/theta 270 def}ifelse
-		}{
-			/slope y2 y1 sub x2 x1 sub div def
-			/theta slope 1 atan def
-			x2 x1 lt y2 y1 ge and{/theta theta 180 sub def}if
-			x2 x1 lt y2 y1 lt and{/theta theta 180 add def}if
-		}
-		ifelse
-		gsave
-		clippath
-		x1 y1 translate
-		theta rotate
-		{pathbbox}stopped
-		{0 0 0 0}if
-		/yMax exch def
-		/xMax exch def
-		/yMin exch def
-		/xMin exch def
-		grestore
-		xMax xMin eq yMax yMin eq or
-		{
-			grestore
-			end
-		}{
-			rampdict begin
-			20 dict begin
-			background length 0 gt{background sssetbackground gsave clippath fill grestore}if
-			gsave
-			x1 y1 translate
-			theta rotate
-			/xStart 0 def
-			/xEnd x2 x1 sub dup mul y2 y1 sub dup mul add 0.5 exp def
-			/ySpan yMax yMin sub def
-			/numsteps NumSamples def
-			/rampIndxInc 1 def
-			/subsampling false def
-			xStart 0 transform
-			xEnd 0 transform
-			3 -1 roll
-			sub dup mul
-			3 1 roll
-			sub dup mul
-			add 0.5 exp 72 div
-			0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
-			72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
-			1 index 1 index lt{exch}if pop
-			mul
-			/numpix xdf
-			numpix 0 ne
-			{
-				NumSamples numpix div 0.5 gt
-				{
-					/numsteps numpix 2 div round cvi dup 1 le{pop 2}if def
-					/rampIndxInc NumSamples 1 sub numsteps div def
-					/subsampling true def
-				}if
-			}if
-			ext0
-			{
-				0 getrampcolor
-				xMin xStart lt
-				{
-					xMin yMin xMin neg ySpan rectfill
-				}if
-			}if
-			/xInc xEnd xStart sub numsteps div def
-			/x xStart def
-			0
-			numsteps
-			{
-				dup
-				subsampling{round cvi}if
-				getrampcolor
-				x yMin xInc ySpan rectfill
-				/x x xInc add def
-				rampIndxInc add
-			}repeat
-			pop
-			ext1{
-				xMax xEnd gt
-				{
-					xEnd yMin xMax xEnd sub ySpan rectfill
-				}if
-			}if
-			grestore
-			grestore
-			end
-			end
-			end
-		}ifelse
-	}bdf
-}def
-/pt
-{
-	end
-}def
-/dt{
-}def
-/pgsv{
-	//Adobe_AGM_Core/AGMCORE_save save put
-}def
-/pgrs{
-	//Adobe_AGM_Core/AGMCORE_save get restore
-}def
-systemdict/findcolorrendering known{
-	/findcolorrendering systemdict/findcolorrendering get def
-}if
-systemdict/setcolorrendering known{
-	/setcolorrendering systemdict/setcolorrendering get def
-}if
-/test_cmyk_color_plate
-{
-	gsave
-	setcmykcolor currentgray 1 ne
-	grestore
-}def
-/inRip_spot_has_ink
-{
-	dup//Adobe_AGM_Core/AGMCORE_name xddf
-	convert_spot_to_process not
-}def
-/map255_to_range
-{
-	1 index sub
-	3 -1 roll 255 div mul add
-}def
-/set_csa_crd
-{
-	/sep_colorspace_dict null AGMCORE_gput
-	begin
-		CSA get_csa_by_name setcolorspace_opt
-		set_crd
-	end
-}
-def
-/map_csa
-{
-	currentdict/MappedCSA known{MappedCSA null ne}{false}ifelse
-	{pop}{get_csa_by_name/MappedCSA xdf}ifelse
-}def
-/setsepcolor
-{
-	/sep_colorspace_dict AGMCORE_gget begin
-		dup/sep_tint exch AGMCORE_gput
-		TintProc
-	end
-}def
-/setdevicencolor
-{
-	/devicen_colorspace_dict AGMCORE_gget begin
-		Names length copy
-		Names length 1 sub -1 0
-		{
-			/devicen_tints AGMCORE_gget 3 1 roll xpt
-		}for
-		TintProc
-	end
-}def
-/sep_colorspace_proc
-{
-	/AGMCORE_tmp exch store
-	/sep_colorspace_dict AGMCORE_gget begin
-	currentdict/Components known{
-		Components aload pop 
-		TintMethod/Lab eq{
-			2{AGMCORE_tmp mul NComponents 1 roll}repeat
-			LMax sub AGMCORE_tmp mul LMax add NComponents 1 roll
-		}{
-			TintMethod/Subtractive eq{
-				NComponents{
-					AGMCORE_tmp mul NComponents 1 roll
-				}repeat
-			}{
-				NComponents{
-					1 sub AGMCORE_tmp mul 1 add NComponents 1 roll
-				}repeat
-			}ifelse
-		}ifelse
-	}{
-		ColorLookup AGMCORE_tmp ColorLookup length 1 sub mul round cvi get
-		aload pop
-	}ifelse
-	end
-}def
-/sep_colorspace_gray_proc
-{
-	/AGMCORE_tmp exch store
-	/sep_colorspace_dict AGMCORE_gget begin
-	GrayLookup AGMCORE_tmp GrayLookup length 1 sub mul round cvi get
-	end
-}def
-/sep_proc_name
-{
-	dup 0 get 
-	dup/DeviceRGB eq exch/DeviceCMYK eq or level2 not and has_color not and{
-		pop[/DeviceGray]
-		/sep_colorspace_gray_proc
-	}{
-		/sep_colorspace_proc
-	}ifelse
-}def
-/setsepcolorspace
-{
-	current_spot_alias{
-		dup begin
-			Name map_alias{
-				exch pop
-			}if
-		end
-	}if
-	dup/sep_colorspace_dict exch AGMCORE_gput
-	begin
-	CSA map_csa
-	/AGMCORE_sep_special Name dup()eq exch(All)eq or store
-	AGMCORE_avoid_L2_sep_space{
-		[/Indexed MappedCSA sep_proc_name 255 exch 
-			{255 div}/exec cvx 3 -1 roll[4 1 roll load/exec cvx]cvx 
-		]setcolorspace_opt
-		/TintProc{
-			255 mul round cvi setcolor
-		}bdf
-	}{
-		MappedCSA 0 get/DeviceCMYK eq 
-		currentdict/Components known and 
-		AGMCORE_sep_special not and{
-			/TintProc[
-				Components aload pop Name findcmykcustomcolor 
-				/exch cvx/setcustomcolor cvx
-			]cvx bdf
-		}{
- 			AGMCORE_host_sep Name(All)eq and{
- 				/TintProc{
-					1 exch sub setseparationgray 
-				}bdf
- 			}{
-				AGMCORE_in_rip_sep MappedCSA 0 get/DeviceCMYK eq and 
-				AGMCORE_host_sep or
-				Name()eq and{
-					/TintProc[
-						MappedCSA sep_proc_name exch 0 get/DeviceCMYK eq{
-							cvx/setcmykcolor cvx
-						}{
-							cvx/setgray cvx
-						}ifelse
-					]cvx bdf
-				}{
-					AGMCORE_producing_seps MappedCSA 0 get dup/DeviceCMYK eq exch/DeviceGray eq or and AGMCORE_sep_special not and{
-	 					/TintProc[
-							/dup cvx
-							MappedCSA sep_proc_name cvx exch
-							0 get/DeviceGray eq{
-								1/exch cvx/sub cvx 0 0 0 4 -1/roll cvx
-							}if
-							/Name cvx/findcmykcustomcolor cvx/exch cvx
-							AGMCORE_host_sep{
-								AGMCORE_is_cmyk_sep
-								/Name cvx 
-								/AGMCORE_IsSeparationAProcessColor load/exec cvx
-								/not cvx/and cvx 
-							}{
-								Name inRip_spot_has_ink not
-							}ifelse
-							[
-		 						/pop cvx 1
-							]cvx/if cvx
-							/setcustomcolor cvx
-						]cvx bdf
- 					}{
-						/TintProc{setcolor}bdf
-						[/Separation Name MappedCSA sep_proc_name load]setcolorspace_opt
-					}ifelse
-				}ifelse
-			}ifelse
-		}ifelse
-	}ifelse
-	set_crd
-	setsepcolor
-	end
-}def
-/additive_blend
-{
- 	3 dict begin
- 	/numarrays xdf
- 	/numcolors xdf
- 	0 1 numcolors 1 sub
- 		{
- 		/c1 xdf
- 		1
- 		0 1 numarrays 1 sub
- 			{
-			1 exch add/index cvx
- 			c1/get cvx/mul cvx
- 			}for
- 		numarrays 1 add 1/roll cvx 
- 		}for
- 	numarrays[/pop cvx]cvx/repeat cvx
- 	end
-}def
-/subtractive_blend
-{
-	3 dict begin
-	/numarrays xdf
-	/numcolors xdf
-	0 1 numcolors 1 sub
-		{
-		/c1 xdf
-		1 1
-		0 1 numarrays 1 sub
-			{
-			1 3 3 -1 roll add/index cvx 
-			c1/get cvx/sub cvx/mul cvx
-			}for
-		/sub cvx
-		numarrays 1 add 1/roll cvx
-		}for
-	numarrays[/pop cvx]cvx/repeat cvx
-	end
-}def
-/exec_tint_transform
-{
-	/TintProc[
-		/TintTransform cvx/setcolor cvx
-	]cvx bdf
-	MappedCSA setcolorspace_opt
-}bdf
-/devn_makecustomcolor
-{
-	2 dict begin
-	/names_index xdf
-	/Names xdf
-	1 1 1 1 Names names_index get findcmykcustomcolor
-	/devicen_tints AGMCORE_gget names_index get setcustomcolor
-	Names length{pop}repeat
-	end
-}bdf
-/setdevicencolorspace
-{
-	dup/AliasedColorants known{false}{true}ifelse 
-	current_spot_alias and{
-		7 dict begin
-		/names_index 0 def
-		dup/names_len exch/Names get length def
-		/new_names names_len array def
-		/new_LookupTables names_len array def
-		/alias_cnt 0 def
-		dup/Names get
-		{
-			dup map_alias{
-				exch pop
-				dup/ColorLookup known{
-					dup begin
-					new_LookupTables names_index ColorLookup put
-					end
-				}{
-					dup/Components known{
-						dup begin
-						new_LookupTables names_index Components put
-						end
-					}{
-						dup begin
-						new_LookupTables names_index[null null null null]put
-						end
-					}ifelse
-				}ifelse
-				new_names names_index 3 -1 roll/Name get put
-				/alias_cnt alias_cnt 1 add def 
-			}{
-				/name xdf				
-				new_names names_index name put
-				dup/LookupTables known{
-					dup begin
-					new_LookupTables names_index LookupTables names_index get put
-					end
-				}{
-					dup begin
-					new_LookupTables names_index[null null null null]put
-					end
-				}ifelse
-			}ifelse
-			/names_index names_index 1 add def 
-		}forall
-		alias_cnt 0 gt{
-			/AliasedColorants true def
-			/lut_entry_len new_LookupTables 0 get dup length 256 ge{0 get length}{length}ifelse def
-			0 1 names_len 1 sub{
-				/names_index xdf
-				new_LookupTables names_index get dup length 256 ge{0 get length}{length}ifelse lut_entry_len ne{
-					/AliasedColorants false def
-					exit
-				}{
-					new_LookupTables names_index get 0 get null eq{
-						dup/Names get names_index get/name xdf
-						name(Cyan)eq name(Magenta)eq name(Yellow)eq name(Black)eq
-						or or or not{
-							/AliasedColorants false def
-							exit
-						}if
-					}if
-				}ifelse
-			}for
-			lut_entry_len 1 eq{
-				/AliasedColorants false def
-			}if
-			AliasedColorants{
-				dup begin
-				/Names new_names def
-				/LookupTables new_LookupTables def
-				/AliasedColorants true def
-				/NComponents lut_entry_len def
-				/TintMethod NComponents 4 eq{/Subtractive}{/Additive}ifelse def
-				/MappedCSA TintMethod/Additive eq{/DeviceRGB}{/DeviceCMYK}ifelse def
-				currentdict/TTTablesIdx known not{
-					/TTTablesIdx -1 def
-				}if
-				end
-			}if
-		}if
-		end
-	}if
-	dup/devicen_colorspace_dict exch AGMCORE_gput
-	begin
-	currentdict/AliasedColorants known{
-		AliasedColorants
-	}{
-		false
-	}ifelse
-	dup not{
-		CSA map_csa
-	}if
-	/TintTransform load type/nulltype eq or{
-		/TintTransform[
-			0 1 Names length 1 sub
-				{
-				/TTTablesIdx TTTablesIdx 1 add def
-				dup LookupTables exch get dup 0 get null eq
-					{
-					1 index
-					Names exch get
-					dup(Cyan)eq
-						{
-						pop exch
-						LookupTables length exch sub
-						/index cvx
-						0 0 0
-						}
-						{
-						dup(Magenta)eq
-							{
-							pop exch
-							LookupTables length exch sub
-							/index cvx
-							0/exch cvx 0 0
-							}{
-							(Yellow)eq
-								{
-								exch
-								LookupTables length exch sub
-								/index cvx
-								0 0 3 -1/roll cvx 0
-								}{
-								exch
-								LookupTables length exch sub
-								/index cvx
-								0 0 0 4 -1/roll cvx
-								}ifelse
-							}ifelse
-						}ifelse
-					5 -1/roll cvx/astore cvx
-					}{
-					dup length 1 sub
-					LookupTables length 4 -1 roll sub 1 add
-					/index cvx/mul cvx/round cvx/cvi cvx/get cvx
-					}ifelse
-					Names length TTTablesIdx add 1 add 1/roll cvx
-				}for
-			Names length[/pop cvx]cvx/repeat cvx
-			NComponents Names length
- 			TintMethod/Subtractive eq
- 				{
- 				subtractive_blend
- 				}{
- 				additive_blend
- 				}ifelse
-		]cvx bdf
-	}if
-	AGMCORE_host_sep{
-		Names convert_to_process{
-			exec_tint_transform
-		}
-		{	
-			currentdict/AliasedColorants known{
-				AliasedColorants not
-			}{
-				false
-			}ifelse
-			5 dict begin
-			/AvoidAliasedColorants xdf
-			/painted? false def
-			/names_index 0 def
-			/names_len Names length def
-			AvoidAliasedColorants{
-				/currentspotalias current_spot_alias def
-				false set_spot_alias
-			}if
-			Names{
-				AGMCORE_is_cmyk_sep{
-					dup(Cyan)eq AGMCORE_cyan_plate and exch
-					dup(Magenta)eq AGMCORE_magenta_plate and exch
-					dup(Yellow)eq AGMCORE_yellow_plate and exch
-					(Black)eq AGMCORE_black_plate and or or or{
-						/devicen_colorspace_dict AGMCORE_gget/TintProc[
-							Names names_index/devn_makecustomcolor cvx
-						]cvx ddf
-						/painted? true def
-					}if
-					painted?{exit}if
-				}{
-					0 0 0 0 5 -1 roll findcmykcustomcolor 1 setcustomcolor currentgray 0 eq{
-					/devicen_colorspace_dict AGMCORE_gget/TintProc[
-						Names names_index/devn_makecustomcolor cvx
-					]cvx ddf
-					/painted? true def
-					exit
-					}if
-				}ifelse
-				/names_index names_index 1 add def
-			}forall
-			AvoidAliasedColorants{
-				currentspotalias set_spot_alias
-			}if
-			painted?{
-				/devicen_colorspace_dict AGMCORE_gget/names_index names_index put
-			}{
-				/devicen_colorspace_dict AGMCORE_gget/TintProc[
-					names_len[/pop cvx]cvx/repeat cvx 1/setseparationgray cvx
- 					0 0 0 0/setcmykcolor cvx
-				]cvx ddf
-			}ifelse
-			end
-		}ifelse
-	}
-	{
-		AGMCORE_in_rip_sep{
-			Names convert_to_process not
-		}{
-			level3
-		}ifelse
-		{
-			[/DeviceN Names MappedCSA/TintTransform load]setcolorspace_opt
-			/TintProc level3 not AGMCORE_in_rip_sep and{
-				[
-					Names/length cvx[/pop cvx]cvx/repeat cvx
-				]cvx bdf
-			}{
-				{setcolor}bdf
-			}ifelse
-		}{
-			exec_tint_transform
-		}ifelse
-	}ifelse
-	set_crd
-	/AliasedColorants false def
-	end
-}def
-/setindexedcolorspace
-{
-	dup/indexed_colorspace_dict exch AGMCORE_gput
-	begin
-		currentdict/CSDBase known{
-			CSDBase/CSD get_res begin
-			currentdict/Names known{
-				currentdict devncs
-			}{
-				1 currentdict sepcs
-			}ifelse
-			AGMCORE_host_sep{
-				4 dict begin
-				/compCnt/Names where{pop Names length}{1}ifelse def
-				/NewLookup HiVal 1 add string def
-				0 1 HiVal{
-					/tableIndex xdf
-					Lookup dup type/stringtype eq{
-						compCnt tableIndex map_index
-					}{
-						exec
-					}ifelse
-					/Names where{
-						pop setdevicencolor
-					}{
-						setsepcolor
-					}ifelse
-					currentgray
-					tableIndex exch
-					255 mul cvi 
-					NewLookup 3 1 roll put
-				}for
-				[/Indexed currentcolorspace HiVal NewLookup]setcolorspace_opt
-				end
-			}{
-				level3
-				{
-					currentdict/Names known{
-						[/Indexed[/DeviceN Names MappedCSA/TintTransform load]HiVal Lookup]setcolorspace_opt
-					}{
-						[/Indexed[/Separation Name MappedCSA sep_proc_name load]HiVal Lookup]setcolorspace_opt
-					}ifelse
-				}{
-				[/Indexed MappedCSA HiVal
-					[
-					currentdict/Names known{
-						Lookup dup type/stringtype eq
-							{/exch cvx CSDBase/CSD get_res/Names get length dup/mul cvx exch/getinterval cvx{255 div}/forall cvx}
-							{/exec cvx}ifelse
-							/TintTransform load/exec cvx
-					}{
-						Lookup dup type/stringtype eq
-							{/exch cvx/get cvx 255/div cvx}
-							{/exec cvx}ifelse
-							CSDBase/CSD get_res/MappedCSA get sep_proc_name exch pop/load cvx/exec cvx
-					}ifelse
-					]cvx
-				]setcolorspace_opt
-				}ifelse
-			}ifelse
-			end
-			set_crd
-		}
-		{
-			CSA map_csa
-			AGMCORE_host_sep level2 not and{
-				0 0 0 0 setcmykcolor
-			}{
-				[/Indexed MappedCSA 
-				level2 not has_color not and{
-					dup 0 get dup/DeviceRGB eq exch/DeviceCMYK eq or{
-						pop[/DeviceGray]
-					}if
-					HiVal GrayLookup
-				}{
-					HiVal 
-					currentdict/RangeArray known{
-						{
-							/indexed_colorspace_dict AGMCORE_gget begin
-							Lookup exch 
-							dup HiVal gt{
-								pop HiVal
-							}if
-							NComponents mul NComponents getinterval{}forall
-							NComponents 1 sub -1 0{
-								RangeArray exch 2 mul 2 getinterval aload pop map255_to_range
-								NComponents 1 roll
-							}for
-							end
-						}bind
-					}{
-						Lookup
-					}ifelse
-				}ifelse
-				]setcolorspace_opt
-				set_crd
-			}ifelse
-		}ifelse
-	end
-}def
-/setindexedcolor
-{
-	AGMCORE_host_sep{
-		/indexed_colorspace_dict AGMCORE_gget
-		begin
-		currentdict/CSDBase known{
-			CSDBase/CSD get_res begin
-			currentdict/Names known{
-				map_indexed_devn
-				devn
-			}
-			{
-				Lookup 1 3 -1 roll map_index
-				sep
-			}ifelse
-			end
-		}{
-			Lookup MappedCSA/DeviceCMYK eq{4}{1}ifelse 3 -1 roll
-			map_index
-			MappedCSA/DeviceCMYK eq{setcmykcolor}{setgray}ifelse
-		}ifelse
-		end
-	}{
-		level3 not AGMCORE_in_rip_sep and/indexed_colorspace_dict AGMCORE_gget/CSDBase known and{
-			/indexed_colorspace_dict AGMCORE_gget/CSDBase get/CSD get_res begin
-			map_indexed_devn
-			devn
-			end
-		}
-		{
-			setcolor
-		}ifelse
-	}ifelse
-}def
-/ignoreimagedata
-{
-	currentoverprint not{
-		gsave
-		dup clonedict begin
-		1 setgray
-		/Decode[0 1]def
-		/DataSource<FF>def
-		/MultipleDataSources false def
-		/BitsPerComponent 8 def
-		currentdict end
-		systemdict/image gx
-		grestore
-		}if
-	consumeimagedata
-}def
-/add_res
-{
-	dup/CSD eq{
-		pop 
-		//Adobe_AGM_Core begin
-		/AGMCORE_CSD_cache load 3 1 roll put
-		end
-	}{
-		defineresource pop
-	}ifelse
-}def
-/del_res
-{
-	{
-		aload pop exch
-		dup/CSD eq{
-			pop 
-			{//Adobe_AGM_Core/AGMCORE_CSD_cache get exch undef}forall
-		}{
-			exch
-			{1 index undefineresource}forall
-			pop
-		}ifelse
-	}forall
-}def
-/get_res
-{
-	dup/CSD eq{
-		pop
-		dup type dup/nametype eq exch/stringtype eq or{
-			AGMCORE_CSD_cache exch get
-		}if
-	}{
-		findresource
-	}ifelse
-}def
-/get_csa_by_name
-{
-	dup type dup/nametype eq exch/stringtype eq or{
-		/CSA get_res
-	}if
-}def
-/paintproc_buf_init
-{
-	/count get 0 0 put
-}def
-/paintproc_buf_next
-{
-	dup/count get dup 0 get
-	dup 3 1 roll
-	1 add 0 xpt
-	get				
-}def
-/cachepaintproc_compress
-{
-	5 dict begin
-	currentfile exch 0 exch/SubFileDecode filter/ReadFilter exch def
-	/ppdict 20 dict def
-	/string_size 16000 def
-	/readbuffer string_size string def
-	currentglobal true setglobal 
-	ppdict 1 array dup 0 1 put/count xpt
-	setglobal
-	/LZWFilter 
-	{
-		exch
-		dup length 0 eq{
-			pop
-		}{
-			ppdict dup length 1 sub 3 -1 roll put
-		}ifelse
-		{string_size}{0}ifelse string
-	}/LZWEncode filter def
-	{		
-		ReadFilter readbuffer readstring
-		exch LZWFilter exch writestring
-		not{exit}if
-	}loop
-	LZWFilter closefile
-	ppdict				
-	end
-}def
-/cachepaintproc
-{
-	2 dict begin
-	currentfile exch 0 exch/SubFileDecode filter/ReadFilter exch def
-	/ppdict 20 dict def
-	currentglobal true setglobal 
-	ppdict 1 array dup 0 1 put/count xpt
-	setglobal
-	{
-		ReadFilter 16000 string readstring exch
-		ppdict dup length 1 sub 3 -1 roll put
-		not{exit}if
-	}loop
-	ppdict dup dup length 1 sub()put					
-	end	
-}def
-/make_pattern
-{
-	exch clonedict exch
-	dup matrix currentmatrix matrix concatmatrix 0 0 3 2 roll itransform
-	exch 3 index/XStep get 1 index exch 2 copy div cvi mul sub sub
-	exch 3 index/YStep get 1 index exch 2 copy div cvi mul sub sub
-	matrix translate exch matrix concatmatrix
-			 1 index begin
-		BBox 0 get XStep div cvi XStep mul/xshift exch neg def
-		BBox 1 get YStep div cvi YStep mul/yshift exch neg def
-		BBox 0 get xshift add
-		BBox 1 get yshift add
-		BBox 2 get xshift add
-		BBox 3 get yshift add
-		4 array astore
-		/BBox exch def
-		[xshift yshift/translate load null/exec load]dup
-		3/PaintProc load put cvx/PaintProc exch def
-		end
-	gsave 0 setgray
-	makepattern
-	grestore
-}def
-/set_pattern
-{
-	dup/PatternType get 1 eq{
-		dup/PaintType get 1 eq{
-			currentoverprint sop[/DeviceGray]setcolorspace 0 setgray
-		}if
-	}if
-	setpattern
-}def
-/setcolorspace_opt
-{
-	dup currentcolorspace eq{pop}{setcolorspace}ifelse
-}def
-/updatecolorrendering
-{
-	currentcolorrendering/RenderingIntent known{
-		currentcolorrendering/RenderingIntent get
-	}
-	{
-		Intent/AbsoluteColorimetric eq 
-		{
-			/absolute_colorimetric_crd AGMCORE_gget dup null eq
-		}
-		{
-			Intent/RelativeColorimetric eq
-			{
-				/relative_colorimetric_crd AGMCORE_gget dup null eq
-			}
-			{
-				Intent/Saturation eq
-				{
-					/saturation_crd AGMCORE_gget dup null eq
-				}
-				{
-					/perceptual_crd AGMCORE_gget dup null eq
-				}ifelse
-			}ifelse
-		}ifelse
-		{
-			pop null	
-		}
-		{
-			/RenderingIntent known{null}{Intent}ifelse
-		}ifelse
-	}ifelse
-	Intent ne{
-		Intent/ColorRendering{findresource}stopped
-		{
-			pop pop systemdict/findcolorrendering known
-			{
- 				Intent findcolorrendering
- 				{
- 					/ColorRendering findresource true exch
- 				}
- 				{
- 					/ColorRendering findresource
-					product(Xerox Phaser 5400)ne
-					exch
- 				}ifelse
-				dup Intent/AbsoluteColorimetric eq 
-				{
-					/absolute_colorimetric_crd exch AGMCORE_gput
-				}
-				{
-					Intent/RelativeColorimetric eq
-					{
-						/relative_colorimetric_crd exch AGMCORE_gput
-					}
-					{
-						Intent/Saturation eq
-						{
-							/saturation_crd exch AGMCORE_gput
-						}
-						{
-							Intent/Perceptual eq
-							{
-								/perceptual_crd exch AGMCORE_gput
-							}
-							{
-								pop
-							}ifelse
-						}ifelse
-					}ifelse
-				}ifelse
-				1 index{exch}{pop}ifelse
-			}
-			{false}ifelse
-		}
-		{true}ifelse
-		{
-			dup begin
-			currentdict/TransformPQR known{
-				currentdict/TransformPQR get aload pop
-				3{{}eq 3 1 roll}repeat or or
-			}
-			{true}ifelse
-			currentdict/MatrixPQR known{
-				currentdict/MatrixPQR get aload pop
-				1.0 eq 9 1 roll 0.0 eq 9 1 roll 0.0 eq 9 1 roll
-				0.0 eq 9 1 roll 1.0 eq 9 1 roll 0.0 eq 9 1 roll
-				0.0 eq 9 1 roll 0.0 eq 9 1 roll 1.0 eq
-				and and and and and and and and
-			}
-			{true}ifelse
-			end
-			or
-			{
-				clonedict begin
-				/TransformPQR[
-					{4 -1 roll 3 get dup 3 1 roll sub 5 -1 roll 3 get 3 -1 roll sub div
-					3 -1 roll 3 get 3 -1 roll 3 get dup 4 1 roll sub mul add}bind
-					{4 -1 roll 4 get dup 3 1 roll sub 5 -1 roll 4 get 3 -1 roll sub div
-					3 -1 roll 4 get 3 -1 roll 4 get dup 4 1 roll sub mul add}bind
-					{4 -1 roll 5 get dup 3 1 roll sub 5 -1 roll 5 get 3 -1 roll sub div
-					3 -1 roll 5 get 3 -1 roll 5 get dup 4 1 roll sub mul add}bind
-				]def
-				/MatrixPQR[0.8951 -0.7502 0.0389 0.2664 1.7135 -0.0685 -0.1614 0.0367 1.0296]def
-				/RangePQR[-0.3227950745 2.3229645538 -1.5003771057 3.5003465881 -0.1369979095 2.136967392]def
-				currentdict end
-			}if
-			setcolorrendering_opt
-		}if		
-	}if
-}def
-/set_crd
-{
-	AGMCORE_host_sep not level2 and{
-		currentdict/ColorRendering known{
-			ColorRendering/ColorRendering{findresource}stopped not{setcolorrendering_opt}if
-		}{
-			currentdict/Intent known{
-				updatecolorrendering
-			}if
-		}ifelse
-		currentcolorspace dup type/arraytype eq
-			{0 get}if
-		/DeviceRGB eq
-			{
-			currentdict/UCR known
-				{/UCR}{/AGMCORE_currentucr}ifelse
-			load setundercolorremoval
-			currentdict/BG known 
-				{/BG}{/AGMCORE_currentbg}ifelse
-			load setblackgeneration
-			}if
-	}if
-}def
-/set_ucrbg
-{
-	dup null eq{pop/AGMCORE_currentbg load}{/Procedure get_res}ifelse setblackgeneration
-	dup null eq{pop/AGMCORE_currentucr load}{/Procedure get_res}ifelse setundercolorremoval
-}def
-/setcolorrendering_opt
-{
-	dup currentcolorrendering eq{
-		pop
-	}{
-		clonedict
-		begin
-			/Intent Intent def
-			currentdict
-		end
-		setcolorrendering
-	}ifelse
-}def
-/cpaint_gcomp
-{
-	convert_to_process//Adobe_AGM_Core/AGMCORE_ConvertToProcess xddf
-	//Adobe_AGM_Core/AGMCORE_ConvertToProcess get not
-	{
-		(%end_cpaint_gcomp)flushinput
-	}if
-}def
-/cpaint_gsep
-{
-	//Adobe_AGM_Core/AGMCORE_ConvertToProcess get
-	{	
-		(%end_cpaint_gsep)flushinput
-	}if
-}def
-/cpaint_gend
-{np}def
-/T1_path
-{
-	currentfile token pop currentfile token pop mo
-	{
-		currentfile token pop dup type/stringtype eq
-			{pop exit}if 
-		0 exch rlineto 
-		currentfile token pop dup type/stringtype eq
-			{pop exit}if 
-		0 rlineto
-	}loop
-}def
-/T1_gsave
-	level3
-	{/clipsave}
-	{/gsave}ifelse
-	load def
-/T1_grestore
-	level3
-	{/cliprestore}
-	{/grestore}ifelse 
-	load def
-/set_spot_alias_ary
-{
-	dup inherit_aliases
-	//Adobe_AGM_Core/AGMCORE_SpotAliasAry xddf
-}def
-/set_spot_normalization_ary
-{
-	dup inherit_aliases
-	dup length
-	/AGMCORE_SpotAliasAry where{pop AGMCORE_SpotAliasAry length add}if
-	array
-	//Adobe_AGM_Core/AGMCORE_SpotAliasAry2 xddf
-	/AGMCORE_SpotAliasAry where{
-		pop
-		AGMCORE_SpotAliasAry2 0 AGMCORE_SpotAliasAry putinterval
-		AGMCORE_SpotAliasAry length
-	}{0}ifelse
-	AGMCORE_SpotAliasAry2 3 1 roll exch putinterval
-	true set_spot_alias
-}def
-/inherit_aliases
-{
-	{dup/Name get map_alias{/CSD put}{pop}ifelse}forall
-}def
-/set_spot_alias
-{
-	/AGMCORE_SpotAliasAry2 where{
-		/AGMCORE_current_spot_alias 3 -1 roll put
-	}{
-		pop
-	}ifelse
-}def
-/current_spot_alias
-{
-	/AGMCORE_SpotAliasAry2 where{
-		/AGMCORE_current_spot_alias get
-	}{
-		false
-	}ifelse
-}def
-/map_alias
-{
-	/AGMCORE_SpotAliasAry2 where{
-		begin
-			/AGMCORE_name xdf
-			false	
-			AGMCORE_SpotAliasAry2{
-				dup/Name get AGMCORE_name eq{
-					/CSD get/CSD get_res
-					exch pop true
-					exit
-				}{
-					pop
-				}ifelse
-			}forall
-		end
-	}{
-		pop false
-	}ifelse
-}bdf
-/spot_alias
-{
-	true set_spot_alias
-	/AGMCORE_&setcustomcolor AGMCORE_key_known not{
-		//Adobe_AGM_Core/AGMCORE_&setcustomcolor/setcustomcolor load put
-	}if
-	/customcolor_tint 1 AGMCORE_gput
-	//Adobe_AGM_Core begin
-	/setcustomcolor
-	{
-		//Adobe_AGM_Core begin
-		dup/customcolor_tint exch AGMCORE_gput
-		1 index aload pop pop 1 eq exch 1 eq and exch 1 eq and exch 1 eq and not
-		current_spot_alias and{1 index 4 get map_alias}{false}ifelse
-		{
-			false set_spot_alias
-			/sep_colorspace_dict AGMCORE_gget null ne
-			3 1 roll 2 index{
-				exch pop/sep_tint AGMCORE_gget exch
-			}if
-			mark 3 1 roll
-			setsepcolorspace
-			counttomark 0 ne{
-				setsepcolor
-			}if
-			pop
-			not{/sep_tint 1.0 AGMCORE_gput}if
-			pop
-			true set_spot_alias
-		}{
-			AGMCORE_&setcustomcolor
-		}ifelse
-		end
-	}bdf
-	end
-}def
-/begin_feature
-{
-	Adobe_AGM_Core/AGMCORE_feature_dictCount countdictstack put
-	count Adobe_AGM_Core/AGMCORE_feature_opCount 3 -1 roll put
-	{Adobe_AGM_Core/AGMCORE_feature_ctm matrix currentmatrix put}if
-}def
-/end_feature
-{
-	2 dict begin
-	/spd/setpagedevice load def
-	/setpagedevice{get_gstate spd set_gstate}def
-	stopped{$error/newerror false put}if
-	end
-	count Adobe_AGM_Core/AGMCORE_feature_opCount get sub dup 0 gt{{pop}repeat}{pop}ifelse
-	countdictstack Adobe_AGM_Core/AGMCORE_feature_dictCount get sub dup 0 gt{{end}repeat}{pop}ifelse
-	{Adobe_AGM_Core/AGMCORE_feature_ctm get setmatrix}if
-}def
-/set_negative
-{
-	//Adobe_AGM_Core begin
-	/AGMCORE_inverting exch def
-	level2{
-		currentpagedevice/NegativePrint known AGMCORE_distilling not and{
-			currentpagedevice/NegativePrint get//Adobe_AGM_Core/AGMCORE_inverting get ne{
-				true begin_feature true{
-						<</NegativePrint//Adobe_AGM_Core/AGMCORE_inverting get>>setpagedevice
-				}end_feature
-			}if
-			/AGMCORE_inverting false def
-		}if
-	}if
-	AGMCORE_inverting{
-		[{1 exch sub}/exec load dup currenttransfer exch]cvx bind settransfer
- 		AGMCORE_distilling{
- 			erasepage
- 		}{
- 			gsave np clippath 1/setseparationgray where{pop setseparationgray}{setgray}ifelse
- 			/AGMIRS_&fill where{pop AGMIRS_&fill}{fill}ifelse grestore
- 		}ifelse
-	}if
-	end
-}def
-/lw_save_restore_override{
-	/md where{
-		pop
-		md begin
-		initializepage
-		/initializepage{}def
-		/pmSVsetup{}def
-		/endp{}def
-		/pse{}def
-		/psb{}def
-		/orig_showpage where
-			{pop}
-			{/orig_showpage/showpage load def}
-		ifelse
-		/showpage{orig_showpage gR}def
-		end
-	}if
-}def
-/pscript_showpage_override{
-	/NTPSOct95 where
-	{
-		begin
-		showpage
-		save
-		/showpage/restore load def
-		/restore{exch pop}def
-		end
-	}if
-}def
-/driver_media_override
-{
-	/md where{
-		pop
-		md/initializepage known{
-			md/initializepage{}put
-		}if
-		md/rC known{
-			md/rC{4{pop}repeat}put
-		}if
-	}if
-	/mysetup where{
-		/mysetup[1 0 0 1 0 0]put
-	}if
-	Adobe_AGM_Core/AGMCORE_Default_CTM matrix currentmatrix put
-	level2
-		{Adobe_AGM_Core/AGMCORE_Default_PageSize currentpagedevice/PageSize get put}if
-}def
-/driver_check_media_override
-{
- 	/PrepsDict where
- 		{pop}
-		{
-		Adobe_AGM_Core/AGMCORE_Default_CTM get matrix currentmatrix ne
-		Adobe_AGM_Core/AGMCORE_Default_PageSize get type/arraytype eq
-			{
-			Adobe_AGM_Core/AGMCORE_Default_PageSize get 0 get currentpagedevice/PageSize get 0 get eq and
-			Adobe_AGM_Core/AGMCORE_Default_PageSize get 1 get currentpagedevice/PageSize get 1 get eq and
-			}if
-			{
-			Adobe_AGM_Core/AGMCORE_Default_CTM get setmatrix
-			}if
-		}ifelse
-}def
-AGMCORE_err_strings begin
-	/AGMCORE_bad_environ(Environment not satisfactory for this job. Ensure that the PPD is correct or that the PostScript level requested is supported by this printer. )def
-	/AGMCORE_color_space_onhost_seps(This job contains colors that will not separate with on-host methods. )def
-	/AGMCORE_invalid_color_space(This job contains an invalid color space. )def
-end
-/set_def_ht
-{AGMCORE_def_ht sethalftone}def
-/set_def_flat
-{AGMCORE_Default_flatness setflat}def
-end
-systemdict/setpacking known
-{setpacking}if
-%%EndResource
-%%BeginResource: procset Adobe_CoolType_Core 2.31 0
%%Copyright: Copyright 1997-2006 Adobe Systems Incorporated. All Rights Reserved.
%%Version: 2.31 0
10 dict begin
/Adobe_CoolType_Passthru currentdict def
/Adobe_CoolType_Core_Defined userdict/Adobe_CoolType_Core known def
Adobe_CoolType_Core_Defined
	{/Adobe_CoolType_Core userdict/Adobe_CoolType_Core get def}
if
userdict/Adobe_CoolType_Core 70 dict dup begin put
/Adobe_CoolType_Version 2.31 def
/Level2?
	systemdict/languagelevel known dup
		{pop systemdict/languagelevel get 2 ge}
	if def
Level2? not
	{
	/currentglobal false def
	/setglobal/pop load def
	/gcheck{pop false}bind def
	/currentpacking false def
	/setpacking/pop load def
	/SharedFontDirectory 0 dict def
	}
if
currentpacking
true setpacking
currentglobal false setglobal
userdict/Adobe_CoolType_Data 2 copy known not
	{2 copy 10 dict put}
if
get
	 begin
	/@opStackCountByLevel 32 dict def
	/@opStackLevel 0 def
	/@dictStackCountByLevel 32 dict def
	/@dictStackLevel 0 def
	 end
setglobal
currentglobal true setglobal
userdict/Adobe_CoolType_GVMFonts known not
	{userdict/Adobe_CoolType_GVMFonts 10 dict put}
if
setglobal
currentglobal false setglobal
userdict/Adobe_CoolType_LVMFonts known not
	{userdict/Adobe_CoolType_LVMFonts 10 dict put}
if
setglobal
/ct_VMDictPut
	{
	dup gcheck{Adobe_CoolType_GVMFonts}{Adobe_CoolType_LVMFonts}ifelse
	3 1 roll put
	}bind def
/ct_VMDictUndef
	{
	dup Adobe_CoolType_GVMFonts exch known
		{Adobe_CoolType_GVMFonts exch undef}
		{
			dup Adobe_CoolType_LVMFonts exch known
			{Adobe_CoolType_LVMFonts exch undef}
			{pop}
			ifelse
		}ifelse
	}bind def
/ct_str1 1 string def
/ct_xshow
{
	/_ct_na exch def
	/_ct_i 0 def
	currentpoint
	/_ct_y exch def
	/_ct_x exch def
	{
		pop pop
		ct_str1 exch 0 exch put
		ct_str1 show
		{_ct_na _ct_i get}stopped 
		{pop pop}
		{
			_ct_x _ct_y moveto
			0
			rmoveto
		}
		ifelse
		/_ct_i _ct_i 1 add def
		currentpoint
		/_ct_y exch def
		/_ct_x exch def
	}
	exch
	@cshow
}bind def
/ct_yshow
{
	/_ct_na exch def
	/_ct_i 0 def
	currentpoint
	/_ct_y exch def
	/_ct_x exch def
	{
		pop pop
		ct_str1 exch 0 exch put
		ct_str1 show
		{_ct_na _ct_i get}stopped 
		{pop pop}
		{
			_ct_x _ct_y moveto
			0 exch
			rmoveto
		}
		ifelse
		/_ct_i _ct_i 1 add def
		currentpoint
		/_ct_y exch def
		/_ct_x exch def
	}
	exch
	@cshow
}bind def
/ct_xyshow
{
	/_ct_na exch def
	/_ct_i 0 def
	currentpoint
	/_ct_y exch def
	/_ct_x exch def
	{
		pop pop
		ct_str1 exch 0 exch put
		ct_str1 show
		{_ct_na _ct_i get}stopped 
		{pop pop}
		{
			{_ct_na _ct_i 1 add get}stopped 
			{pop pop pop}
			{
				_ct_x _ct_y moveto
				rmoveto
			}
			ifelse
		}
		ifelse
		/_ct_i _ct_i 2 add def
		currentpoint
		/_ct_y exch def
		/_ct_x exch def
	}
	exch
	@cshow
}bind def
/xsh{{@xshow}stopped{Adobe_CoolType_Data begin ct_xshow end}if}bind def
/ysh{{@yshow}stopped{Adobe_CoolType_Data begin ct_yshow end}if}bind def
/xysh{{@xyshow}stopped{Adobe_CoolType_Data begin ct_xyshow end}if}bind def
currentglobal true setglobal
/ct_T3Defs
{
/BuildChar
{
	1 index/Encoding get exch get
	1 index/BuildGlyph get exec
}bind def
/BuildGlyph
{
	exch begin
	GlyphProcs exch get exec
	end
}bind def
}bind def
setglobal
/@_SaveStackLevels
	{
	Adobe_CoolType_Data
		begin
		/@vmState currentglobal def false setglobal
		@opStackCountByLevel
		@opStackLevel
		2 copy known not
			{
			2 copy
			3 dict dup/args
			7 index
			5 add array put
			put get
			}
			{
			get dup/args get dup length 3 index lt
				{
				dup length 5 add array exch
				1 index exch 0 exch putinterval
				1 index exch/args exch put
				}
				{pop}
			ifelse
			}
		ifelse
			begin
			count 1 sub
			1 index lt
				{pop count}
			if
			dup/argCount exch def
			dup 0 gt
				{
				args exch 0 exch getinterval 
			astore pop
				}
				{pop}
			ifelse
			count
			/restCount exch def
			end
		/@opStackLevel @opStackLevel 1 add def
		countdictstack 1 sub
		@dictStackCountByLevel exch @dictStackLevel exch put
		/@dictStackLevel @dictStackLevel 1 add def
		@vmState setglobal
		end
	}bind def
/@_RestoreStackLevels
	{
	Adobe_CoolType_Data
		begin
		/@opStackLevel @opStackLevel 1 sub def
		@opStackCountByLevel @opStackLevel get
			begin
			count restCount sub dup 0 gt
				{{pop}repeat}
				{pop}
			ifelse
			args 0 argCount getinterval{}forall
			end
		/@dictStackLevel @dictStackLevel 1 sub def
		@dictStackCountByLevel @dictStackLevel get
		end
	countdictstack exch sub dup 0 gt
		{{end}repeat}
		{pop}
	ifelse
	}bind def
/@_PopStackLevels
	{
	Adobe_CoolType_Data
		begin
		/@opStackLevel @opStackLevel 1 sub def
		/@dictStackLevel @dictStackLevel 1 sub def
		end
	}bind def
/@Raise
	{
	exch cvx exch errordict exch get exec
	stop
	}bind def
/@ReRaise
	{
	cvx $error/errorname get errordict exch get exec
	stop
	}bind def
/@Stopped
	{
	0 @#Stopped
	}bind def
/@#Stopped
	{
	@_SaveStackLevels
	stopped
		{@_RestoreStackLevels true}
		{@_PopStackLevels false}
	ifelse
	}bind def
/@Arg
	{
	Adobe_CoolType_Data
		begin
		@opStackCountByLevel @opStackLevel 1 sub get
		begin
		args exch
		argCount 1 sub exch sub get
		end
		end
	}bind def
currentglobal true setglobal
/CTHasResourceForAllBug
	Level2?
		{
		1 dict dup
				/@shouldNotDisappearDictValue true def
				Adobe_CoolType_Data exch/@shouldNotDisappearDict exch put
				begin
				count @_SaveStackLevels
					{(*){pop stop}128 string/Category resourceforall}
				stopped pop
				@_RestoreStackLevels
				currentdict Adobe_CoolType_Data/@shouldNotDisappearDict get dup 3 1 roll ne dup 3 1 roll
					{
						 /@shouldNotDisappearDictValue known
								{
										 {
												end
												currentdict 1 index eq
													{pop exit}
												if
										 }
									 loop
								}
						 if
					}
					{
						 pop
						 end
					}
				ifelse
		}
		{false}
	ifelse
	def
true setglobal
/CTHasResourceStatusBug
	Level2?
		{
		mark
			{/steveamerige/Category resourcestatus}
		stopped
			{cleartomark true}
			{cleartomark currentglobal not}
		ifelse
		}
		{false}
	ifelse
	def
setglobal
/CTResourceStatus
		{
		mark 3 1 roll
		/Category findresource
			begin
			({ResourceStatus}stopped)0()/SubFileDecode filter cvx exec
				{cleartomark false}
				{{3 2 roll pop true}{cleartomark false}ifelse}
			ifelse
			end
		}bind def
/CTWorkAroundBugs
	{
	Level2?
		{
		/cid_PreLoad/ProcSet resourcestatus
			{
			pop pop
			currentglobal
			mark
				{
				(*)
					{
					dup/CMap CTHasResourceStatusBug
						{CTResourceStatus}
						{resourcestatus}
					ifelse
						{
						pop dup 0 eq exch 1 eq or
							{
							dup/CMap findresource gcheck setglobal
							/CMap undefineresource
							}
							{
							pop CTHasResourceForAllBug
								{exit}
								{stop}
							ifelse
							}
						ifelse
						}
						{pop}
					ifelse
					}
				128 string/CMap resourceforall
				}
			stopped
				{cleartomark}
			stopped pop
			setglobal
			}
		if
		}
	if
	}bind def
/ds
	{
	Adobe_CoolType_Core
		begin
		CTWorkAroundBugs
		/mo/moveto load def
		/nf/newencodedfont load def
		/msf{makefont setfont}bind def
		/uf{dup undefinefont ct_VMDictUndef}bind def
		/ur/undefineresource load def
		/chp/charpath load def
		/awsh/awidthshow load def
		/wsh/widthshow load def
		/ash/ashow load def
		/@xshow/xshow load def
		/@yshow/yshow load def
		/@xyshow/xyshow load def
		/@cshow/cshow load def
		/sh/show load def
		/rp/repeat load def
		/.n/.notdef def
		end
		currentglobal false setglobal
	 userdict/Adobe_CoolType_Data 2 copy known not
		 {2 copy 10 dict put}
		if
		get
		begin
		/AddWidths? false def
		/CC 0 def
		/charcode 2 string def
		/@opStackCountByLevel 32 dict def
		/@opStackLevel 0 def
		/@dictStackCountByLevel 32 dict def
		/@dictStackLevel 0 def
		/InVMFontsByCMap 10 dict def
		/InVMDeepCopiedFonts 10 dict def
		end
		setglobal
	}bind def
/dt
	{
	currentdict Adobe_CoolType_Core eq
		{end}
	if
	}bind def
/ps
	{
	Adobe_CoolType_Core begin
	Adobe_CoolType_GVMFonts begin
	Adobe_CoolType_LVMFonts begin
	SharedFontDirectory begin
	}bind def
/pt
	{
	end
	end
	end
	end
	}bind def
/unload
	{
	systemdict/languagelevel known
		{
		systemdict/languagelevel get 2 ge
			{
			userdict/Adobe_CoolType_Core 2 copy known
				{undef}
				{pop pop}
			ifelse
			}
		if
		}
	if
	}bind def
/ndf
	{
	1 index where
		{pop pop pop}
		{dup xcheck{bind}if def}
	ifelse
	}def
/findfont systemdict
	begin
	userdict
		begin
		/globaldict where{/globaldict get begin}if
			dup where pop exch get
		/globaldict where{pop end}if
		end
	end
Adobe_CoolType_Core_Defined
	{/systemfindfont exch def}
	{
	/findfont 1 index def
	/systemfindfont exch def
	}
ifelse
/undefinefont
	{pop}ndf
/copyfont
	{
	currentglobal 3 1 roll
	1 index gcheck setglobal
	dup null eq{0}{dup length}ifelse
	2 index length add 1 add dict
		begin
		exch
			{
			1 index/FID eq
				{pop pop}
				{def}
			ifelse
			}
		forall
		dup null eq
			{pop}
			{{def}forall}
		ifelse
		currentdict
		end
	exch setglobal
	}bind def
/copyarray
	{
	currentglobal exch
	dup gcheck setglobal
	dup length array copy
	exch setglobal
	}bind def
/newencodedfont
	{
	currentglobal
		{
		SharedFontDirectory 3 index known
			{SharedFontDirectory 3 index get/FontReferenced known}
			{false}
		ifelse
		}
		{
		FontDirectory 3 index known
			{FontDirectory 3 index get/FontReferenced known}
			{
			SharedFontDirectory 3 index known
				{SharedFontDirectory 3 index get/FontReferenced known}
				{false}
			ifelse
			}
		ifelse
		}
	ifelse
	dup
		{
		3 index findfont/FontReferenced get
		2 index dup type/nametype eq
			{findfont}
		if ne
			{pop false}
		if
		}
	if
	dup
		{
		1 index dup type/nametype eq
			{findfont}
		 if
		dup/CharStrings known
			{
			/CharStrings get length
			4 index findfont/CharStrings get length
			ne
				{
				pop false
				}
			if 
			}
			{pop}
			ifelse
		}
	if
		{
		pop
		1 index findfont
		/Encoding get exch
		0 1 255
			{2 copy get 3 index 3 1 roll put}
		for
		pop pop pop
		}
		{
		currentglobal
	 4 1 roll
		dup type/nametype eq
		 {findfont}
	 if
	 dup gcheck setglobal
		dup dup maxlength 2 add dict
			begin
			exch
				{
				1 index/FID ne
				2 index/Encoding ne and
					{def}
					{pop pop}
				ifelse
				}
			forall
			/FontReferenced exch def
			/Encoding exch dup length array copy def
			/FontName 1 index dup type/stringtype eq{cvn}if def dup
			currentdict
			end
		definefont ct_VMDictPut
		setglobal
		}
	ifelse
	}bind def
/SetSubstituteStrategy
	{
	$SubstituteFont
		begin
		dup type/dicttype ne
			{0 dict}
		if
		currentdict/$Strategies known
			{
			exch $Strategies exch 
			2 copy known
				{
				get
				2 copy maxlength exch maxlength add dict
					begin
					{def}forall
					{def}forall
					currentdict
					dup/$Init known
						{dup/$Init get exec}
					if
					end
				/$Strategy exch def
				}
				{pop pop pop}
			ifelse
			}
			{pop pop}
		ifelse
		end
	}bind def
/scff
	{
	$SubstituteFont
		begin
		dup type/stringtype eq
			{dup length exch}
			{null}
		ifelse
		/$sname exch def
		/$slen exch def
		/$inVMIndex
			$sname null eq
				{
				1 index $str cvs
				dup length $slen sub $slen getinterval cvn
				}
				{$sname}
			ifelse def
		end
		{findfont}
	@Stopped
		{
		dup length 8 add string exch
		1 index 0(BadFont:)putinterval
		1 index exch 8 exch dup length string cvs putinterval cvn
			{findfont}
		@Stopped
			{pop/Courier findfont}
		if
		}
	if
	$SubstituteFont
		begin
		/$sname null def
		/$slen 0 def
		/$inVMIndex null def
		end
	}bind def
/isWidthsOnlyFont
	{
	dup/WidthsOnly known
		{pop pop true}
		{
		dup/FDepVector known
			{/FDepVector get{isWidthsOnlyFont dup{exit}if}forall}
			{
			dup/FDArray known
				{/FDArray get{isWidthsOnlyFont dup{exit}if}forall}
				{pop}
			ifelse
			}
		ifelse
		}
	ifelse
	}bind def
/ct_StyleDicts 4 dict dup begin
		 /Adobe-Japan1 4 dict dup begin
					 Level2?
								{
								/Serif
								/HeiseiMin-W3-83pv-RKSJ-H/Font resourcestatus
								{pop pop/HeiseiMin-W3}
								{
							/CIDFont/Category resourcestatus
							{
								pop pop
								/HeiseiMin-W3/CIDFont resourcestatus
								{pop pop/HeiseiMin-W3}
								{/Ryumin-Light}
								ifelse
							}
							{/Ryumin-Light}
							ifelse
								}
								ifelse
								def
								/SansSerif
								/HeiseiKakuGo-W5-83pv-RKSJ-H/Font resourcestatus
								{pop pop/HeiseiKakuGo-W5}
								{
							/CIDFont/Category resourcestatus
							{
								pop pop
								/HeiseiKakuGo-W5/CIDFont resourcestatus
								{pop pop/HeiseiKakuGo-W5}
								{/GothicBBB-Medium}
								ifelse
							}
							{/GothicBBB-Medium}
							ifelse
								}
								ifelse
								def
								/HeiseiMaruGo-W4-83pv-RKSJ-H/Font resourcestatus
								{pop pop/HeiseiMaruGo-W4}
								{
							/CIDFont/Category resourcestatus
							{
								pop pop
								/HeiseiMaruGo-W4/CIDFont resourcestatus
								{pop pop/HeiseiMaruGo-W4}
								{
									/Jun101-Light-RKSJ-H/Font resourcestatus
									{pop pop/Jun101-Light}
									{SansSerif}
									ifelse
								}
								ifelse
							}
							{
								/Jun101-Light-RKSJ-H/Font resourcestatus
								{pop pop/Jun101-Light}
								{SansSerif}
								ifelse
							}
							ifelse
								}
								ifelse
								/RoundSansSerif exch def
								/Default Serif def
								}
								{
								/Serif/Ryumin-Light def
								/SansSerif/GothicBBB-Medium def
								{
								(fonts/Jun101-Light-83pv-RKSJ-H)status
								}stopped
								{pop}{
										 {pop pop pop pop/Jun101-Light}
										 {SansSerif}
										 ifelse
										 /RoundSansSerif exch def
								}ifelse
								/Default Serif def
								}
					 ifelse
		 end
		 def
		 /Adobe-Korea1 4 dict dup begin
					/Serif/HYSMyeongJo-Medium def
					/SansSerif/HYGoThic-Medium def
					/RoundSansSerif SansSerif def
					/Default Serif def
		 end
		 def
		 /Adobe-GB1 4 dict dup begin
					/Serif/STSong-Light def
					/SansSerif/STHeiti-Regular def
					/RoundSansSerif SansSerif def
					/Default Serif def
		 end
		 def
		 /Adobe-CNS1 4 dict dup begin
					/Serif/MKai-Medium def
					/SansSerif/MHei-Medium def
					/RoundSansSerif SansSerif def
					/Default Serif def
		 end
		 def
end
def
Level2?{currentglobal true setglobal}if
/ct_BoldRomanWidthProc 
	{
	stringwidth 1 index 0 ne{exch .03 add exch}if setcharwidth
	0 0
	}bind def
/ct_Type0WidthProc 
	{
	 dup stringwidth 0 0 moveto 
	 2 index true charpath pathbbox
	 0 -1 
	 7 index 2 div .88 
	 setcachedevice2
	 pop
	0 0
	}bind def
/ct_Type0WMode1WidthProc 
	{
	 dup stringwidth 
	 pop 2 div neg -0.88
	2 copy
	moveto 
	0 -1
	 5 -1 roll true charpath pathbbox
	 setcachedevice
	}bind def
/cHexEncoding
[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF]def
/ct_BoldBaseFont 
	 11 dict begin
		/FontType 3 def
		/FontMatrix[1 0 0 1 0 0]def
		/FontBBox[0 0 1 1]def
		/Encoding cHexEncoding def 
		/_setwidthProc/ct_BoldRomanWidthProc load def
		/_bcstr1 1 string def
		/BuildChar
		{
			exch begin
				_basefont setfont
				_bcstr1 dup 0 4 -1 roll put
				dup 
				_setwidthProc
				3 copy 
				moveto				
				show
				_basefonto setfont
				moveto
				show
			end
		}bind def
		 currentdict
	 end 
def
systemdict/composefont known
{
/ct_DefineIdentity-H
{
	/Identity-H/CMap resourcestatus
	{
		pop pop
	}
	{
		/CIDInit/ProcSet findresource begin
		 12 dict begin
		 begincmap
		 /CIDSystemInfo 3 dict dup begin
			 /Registry(Adobe)def
			 /Ordering(Identity)def
			 /Supplement 0 def
		 end def
		 /CMapName/Identity-H def
		 /CMapVersion 1.000 def
		 /CMapType 1 def
		 1 begincodespacerange
		 <0000><FFFF>
		 endcodespacerange
		 1 begincidrange
		 <0000><FFFF>0
		 endcidrange
		 endcmap
		 CMapName currentdict/CMap defineresource pop
		 end
		 end
	 }
	 ifelse
}
def
/ct_BoldBaseCIDFont 
	 11 dict begin
		/CIDFontType 1 def
		/CIDFontName/ct_BoldBaseCIDFont def
		/FontMatrix[1 0 0 1 0 0]def
		/FontBBox[0 0 1 1]def
		/_setwidthProc/ct_Type0WidthProc load def
		/_bcstr2 2 string def
		/BuildGlyph
		{
			exch begin		 
				_basefont setfont
				_bcstr2 1 2 index 256 mod put
				_bcstr2 0 3 -1 roll 256 idiv put
				_bcstr2 dup _setwidthProc		 
				3 copy 
				moveto
				show
				_basefonto setfont
				moveto
				show
			end
		}bind def
		 currentdict
	 end 
def
}if
Level2?{setglobal}if
/ct_CopyFont{
	{
		1 index/FID ne 2 index/UniqueID ne and
		{def}{pop pop}ifelse
	}forall
}bind def
/ct_Type0CopyFont 
{
	exch
	dup length dict
	begin
	ct_CopyFont
	[
	exch
	FDepVector 
	{
		 dup/FontType get 0 eq
		{	
		1 index ct_Type0CopyFont 
		/_ctType0 exch definefont
		}
		{
		/_ctBaseFont exch
		2 index exec
		}
		 ifelse 
		 exch
	}
	forall 
	pop
	]				
	/FDepVector exch def
	currentdict
	end
}bind def
/ct_MakeBoldFont
{
	 dup/ct_SyntheticBold known
	{
		dup length 3 add dict begin 
		ct_CopyFont 
		/ct_StrokeWidth .03 0 FontMatrix idtransform pop def 
		/ct_SyntheticBold true def
		currentdict 
		end 
		definefont
	}
	{
		dup dup length 3 add dict
		begin
			ct_CopyFont
			/PaintType 2 def
			/StrokeWidth .03 0 FontMatrix idtransform pop def
			/dummybold currentdict
		end
		definefont
		dup/FontType get dup 9 ge exch 11 le and 
		{
			ct_BoldBaseCIDFont
			dup length 3 add dict copy begin
			dup/CIDSystemInfo get/CIDSystemInfo exch def
			ct_DefineIdentity-H
			/_Type0Identity/Identity-H 3 -1 roll[exch]composefont
			/_basefont exch def
			/_Type0Identity/Identity-H 3 -1 roll[exch]composefont
			/_basefonto exch def
			currentdict
			end
			/CIDFont defineresource
		}
		{
			ct_BoldBaseFont
			dup length 3 add dict copy begin
			/_basefont exch def
			/_basefonto exch def
			currentdict
			end
			definefont
		}
		ifelse
	}
	ifelse
}bind def
/ct_MakeBold{
	1 index 
	1 index
	findfont
	currentglobal 5 1 roll
	dup gcheck setglobal
		dup
		 /FontType get 0 eq
			{
				dup/WMode known{dup/WMode get 1 eq}{false}ifelse
				version length 4 ge
				and
					{version 0 4 getinterval cvi 2015 ge}
					{true}
				ifelse 
					{/ct_Type0WidthProc}
					{/ct_Type0WMode1WidthProc}
				ifelse
				ct_BoldBaseFont/_setwidthProc 3 -1 roll load put
						{ct_MakeBoldFont}ct_Type0CopyFont definefont
			}
			{
				dup/_fauxfont known not 1 index/SubstMaster known not and
				{
					 ct_BoldBaseFont/_setwidthProc /ct_BoldRomanWidthProc load put
					 ct_MakeBoldFont 
				}
				{
				2 index 2 index eq
					{exch pop	}
					{
						dup length dict begin
						ct_CopyFont
						currentdict
						end
						definefont 
					}
				ifelse
				}
			ifelse
			}
		 ifelse
		 pop pop pop
		 setglobal
}bind def
/?str1 256 string def
/?set
	{
	$SubstituteFont
		begin
		/$substituteFound false def
		/$fontname 1 index def
		/$doSmartSub false def
		end
	dup
	 findfont
	$SubstituteFont
		begin
		$substituteFound
			{false}
			{
			dup/FontName known
				{
				dup/FontName get $fontname eq
				1 index/DistillerFauxFont known not and
				/currentdistillerparams where
					{pop false 2 index isWidthsOnlyFont not and}
				if
				}
				{false}
			ifelse
			}
		ifelse
		exch pop
		/$doSmartSub true def
		end
		{
		5 1 roll pop pop pop pop
		findfont
		}
		{
		1 index
		findfont
		dup/FontType get 3 eq
		{
			6 1 roll pop pop pop pop pop false
		}
		{pop true}
		ifelse
		{
		$SubstituteFont
		begin
		pop pop
		/$styleArray 1 index def
		/$regOrdering 2 index def
		pop pop
		0 1 $styleArray length 1 sub
		{
			$styleArray exch get
			ct_StyleDicts $regOrdering
			2 copy known
			{
				get
				exch 2 copy known not
				{pop/Default}
				if
				get
				dup type/nametype eq
				{
				?str1 cvs length dup 1 add exch
				?str1 exch(-)putinterval
				exch dup length exch ?str1 exch 3 index exch putinterval
				add ?str1 exch 0 exch getinterval cvn
				}
				{
				pop pop/Unknown
				}
				ifelse
			}
			{
				pop pop pop pop/Unknown
			}
			ifelse
		}
		for
		end
		findfont 
		}if
		}
	ifelse
	currentglobal false setglobal 3 1 roll
	null copyfont definefont pop
	setglobal
	}bind def
setpacking
userdict/$SubstituteFont 25 dict put
1 dict
	begin
	/SubstituteFont
		dup $error exch 2 copy known
			{get}
			{pop pop{pop/Courier}bind}
		ifelse def
	/currentdistillerparams where dup
		{
		pop pop
		currentdistillerparams/CannotEmbedFontPolicy 2 copy known
			{get/Error eq}
			{pop pop false}
		ifelse
		}
	if not
		{
		countdictstack array dictstack 0 get
			begin
			userdict
				begin
				$SubstituteFont
					begin
					/$str 128 string def
					/$fontpat 128 string def
					/$slen 0 def
					/$sname null def
					/$match false def
					/$fontname null def
					/$substituteFound false def
					/$inVMIndex null def
					/$doSmartSub true def
					/$depth 0 def
					/$fontname null def
					/$italicangle 26.5 def
					/$dstack null def
					/$Strategies 10 dict dup
						begin
						/$Type3Underprint
							{
							currentglobal exch false setglobal
							11 dict
								begin
								/UseFont exch
									$WMode 0 ne
										{
										dup length dict copy
										dup/WMode $WMode put
										/UseFont exch definefont
										}
									if def
								/FontName $fontname dup type/stringtype eq{cvn}if def
								/FontType 3 def
								/FontMatrix[.001 0 0 .001 0 0]def
								/Encoding 256 array dup 0 1 255{/.notdef put dup}for pop def
								/FontBBox[0 0 0 0]def
								/CCInfo 7 dict dup
									begin
									/cc null def
									/x 0 def
									/y 0 def
									end def
								/BuildChar
									{
									exch
										begin
										CCInfo
											begin
											1 string dup 0 3 index put exch pop
											/cc exch def
											UseFont 1000 scalefont setfont
											cc stringwidth/y exch def/x exch def
											x y setcharwidth
											$SubstituteFont/$Strategy get/$Underprint get exec
											0 0 moveto cc show
											x y moveto
											end
										end
									}bind def
								currentdict
								end
							exch setglobal
							}bind def
						/$GetaTint
							2 dict dup
								begin
								/$BuildFont
									{
									dup/WMode known
										{dup/WMode get}
										{0}
									ifelse
									/$WMode exch def
									$fontname exch
									dup/FontName known
										{
										dup/FontName get
										dup type/stringtype eq{cvn}if
										}
										{/unnamedfont}
									ifelse
									exch
									Adobe_CoolType_Data/InVMDeepCopiedFonts get
									1 index/FontName get known
										{
										pop
										Adobe_CoolType_Data/InVMDeepCopiedFonts get
										1 index get
										null copyfont
										}
										{$deepcopyfont}
									ifelse
									exch 1 index exch/FontBasedOn exch put
									dup/FontName $fontname dup type/stringtype eq{cvn}if put
									definefont
									Adobe_CoolType_Data/InVMDeepCopiedFonts get
										begin
										dup/FontBasedOn get 1 index def
										end
									}bind def
								/$Underprint
									{
									gsave
									x abs y abs gt
										{/y 1000 def}
										{/x -1000 def 500 120 translate}
									ifelse
									Level2?
										{
										[/Separation(All)/DeviceCMYK{0 0 0 1 pop}]
										setcolorspace
										}
										{0 setgray}
									ifelse
									10 setlinewidth
									x .8 mul
									[7 3]
										{
										y mul 8 div 120 sub x 10 div exch moveto
										0 y 4 div neg rlineto
										dup 0 rlineto
										0 y 4 div rlineto
										closepath
										gsave
										Level2?
											{.2 setcolor}
											{.8 setgray}
										ifelse
										fill grestore
										stroke
										}
									forall
									pop
									grestore
									}bind def
								end def
						/$Oblique
							1 dict dup
								begin
								/$BuildFont
									{
									currentglobal exch dup gcheck setglobal
									null copyfont
										begin
										/FontBasedOn
										currentdict/FontName known
											{
											FontName
											dup type/stringtype eq{cvn}if
											}
											{/unnamedfont}
										ifelse
										def
										/FontName $fontname dup type/stringtype eq{cvn}if def
										/currentdistillerparams where
											{pop}
											{
											/FontInfo currentdict/FontInfo known
												{FontInfo null copyfont}
												{2 dict}
											ifelse
											dup
												begin
												/ItalicAngle $italicangle def
												/FontMatrix FontMatrix
												[1 0 ItalicAngle dup sin exch cos div 1 0 0]
												matrix concatmatrix readonly
												end
											4 2 roll def
											def
											}
										ifelse
										FontName currentdict
										end
									definefont
									exch setglobal
									}bind def
								end def
						/$None
							1 dict dup
								begin
								/$BuildFont{}bind def
								end def
						end def
					/$Oblique SetSubstituteStrategy
					/$findfontByEnum
						{
						dup type/stringtype eq{cvn}if
						dup/$fontname exch def
						$sname null eq
							{$str cvs dup length $slen sub $slen getinterval}
							{pop $sname}
						ifelse
						$fontpat dup 0(fonts/*)putinterval exch 7 exch putinterval
						/$match false def
						$SubstituteFont/$dstack countdictstack array dictstack put
						mark
							{
							$fontpat 0 $slen 7 add getinterval
								{/$match exch def exit}
							$str filenameforall
							}
						stopped
							{
							cleardictstack
							currentdict
							true
							$SubstituteFont/$dstack get
								{
								exch
									{
									1 index eq
										{pop false}
										{true}
									ifelse
									}
									{begin false}
								ifelse
								}
							forall
							pop
							}
						if
						cleartomark
						/$slen 0 def
						$match false ne
							{$match(fonts/)anchorsearch pop pop cvn}
							{/Courier}
						ifelse
						}bind def
					/$ROS 1 dict dup
						begin
						/Adobe 4 dict dup
							begin
							/Japan1 [/Ryumin-Light/HeiseiMin-W3
										 /GothicBBB-Medium/HeiseiKakuGo-W5
										 /HeiseiMaruGo-W4/Jun101-Light]def
							/Korea1 [/HYSMyeongJo-Medium/HYGoThic-Medium]def
							/GB1	 [/STSong-Light/STHeiti-Regular]def
							/CNS1	[/MKai-Medium/MHei-Medium]def
							end def
						end def
					/$cmapname null def
					/$deepcopyfont
						{
						dup/FontType get 0 eq
							{
							1 dict dup/FontName/copied put copyfont
								begin
								/FDepVector FDepVector copyarray
								0 1 2 index length 1 sub
									{
									2 copy get $deepcopyfont
									dup/FontName/copied put
									/copied exch definefont
									3 copy put pop pop
									}
								for
								def
								currentdict
								end
							}
							{$Strategies/$Type3Underprint get exec}
						ifelse
						}bind def
					/$buildfontname
						{
						dup/CIDFont findresource/CIDSystemInfo get
							begin
							Registry length Ordering length Supplement 8 string cvs
							3 copy length 2 add add add string
							dup 5 1 roll dup 0 Registry putinterval
							dup 4 index(-)putinterval
							dup 4 index 1 add Ordering putinterval
							4 2 roll add 1 add 2 copy(-)putinterval
							end
						1 add 2 copy 0 exch getinterval $cmapname $fontpat cvs exch
						anchorsearch
							{pop pop 3 2 roll putinterval cvn/$cmapname exch def}
							{pop pop pop pop pop}
						ifelse
						length
						$str 1 index(-)putinterval 1 add
						$str 1 index $cmapname $fontpat cvs putinterval
						$cmapname length add
						$str exch 0 exch getinterval cvn
						}bind def
					/$findfontByROS
						{
						/$fontname exch def
						$ROS Registry 2 copy known
							{
							get Ordering 2 copy known
								{get}
								{pop pop[]}
							ifelse
							}
							{pop pop[]}
						ifelse
						false exch
							{
							dup/CIDFont resourcestatus
								{
								pop pop
								save
								1 index/CIDFont findresource
								dup/WidthsOnly known
									{dup/WidthsOnly get}
									{false}
								ifelse
								exch pop
								exch restore
									{pop}
									{exch pop true exit}
								ifelse
								}
								{pop}
							ifelse
							}
						forall
							{$str cvs $buildfontname}
							{
							false(*)
								{
								save exch
								dup/CIDFont findresource
								dup/WidthsOnly known
									{dup/WidthsOnly get not}
									{true}
								ifelse
								exch/CIDSystemInfo get
								dup/Registry get Registry eq
								exch/Ordering get Ordering eq and and
									{exch restore exch pop true exit}
									{pop restore}
								ifelse
								}
							$str/CIDFont resourceforall
								{$buildfontname}
								{$fontname $findfontByEnum}
							ifelse
							}
						ifelse
						}bind def
					end
				end
				currentdict/$error known currentdict/languagelevel known and dup
					{pop $error/SubstituteFont known}
				if
				dup
					{$error}
					{Adobe_CoolType_Core}
				ifelse
				begin
					{
					/SubstituteFont
					/CMap/Category resourcestatus
						{
						pop pop
						{
						$SubstituteFont
							begin
							/$substituteFound true def
							dup length $slen gt
							$sname null ne or
							$slen 0 gt and
								{
								$sname null eq
									{dup $str cvs dup length $slen sub $slen getinterval cvn}
									{$sname}
								ifelse
								Adobe_CoolType_Data/InVMFontsByCMap get
								1 index 2 copy known
									{
									get
									false exch
										{
										pop
										currentglobal
											{
											GlobalFontDirectory 1 index known
												{exch pop true exit}
												{pop}
											ifelse
											}
											{
											FontDirectory 1 index known
												{exch pop true exit}
												{
												GlobalFontDirectory 1 index known
													{exch pop true exit}
													{pop}
												ifelse
												}
											ifelse
											}
										ifelse
										}
									forall
									}
									{pop pop false}
								ifelse
									{
									exch pop exch pop
									}
									{
									dup/CMap resourcestatus
										{
										pop pop
										dup/$cmapname exch def
										/CMap findresource/CIDSystemInfo get{def}forall
										$findfontByROS
										}
										{
										128 string cvs
										dup(-)search
											{
											3 1 roll search
												{
												3 1 roll pop
													{dup cvi}
												stopped
													{pop pop pop pop pop $findfontByEnum}
													{
													4 2 roll pop pop
													exch length
													exch
													2 index length
													2 index
													sub
													exch 1 sub -1 0
														{
														$str cvs dup length
														4 index
														0
														4 index
														4 3 roll add
														getinterval
														exch 1 index exch 3 index exch
														putinterval
														dup/CMap resourcestatus
															{
															pop pop
															4 1 roll pop pop pop
															dup/$cmapname exch def
															/CMap findresource/CIDSystemInfo get{def}forall
															$findfontByROS
															true exit
															}
															{pop}
														ifelse
														}
													for
													dup type/booleantype eq
														{pop}
														{pop pop pop $findfontByEnum}
													ifelse
													}
												ifelse
												}
												{pop pop pop $findfontByEnum}
											ifelse
											}
											{pop pop $findfontByEnum}
										ifelse
										}
									ifelse
									}
								ifelse
								}
								{//SubstituteFont exec}
							ifelse
							/$slen 0 def
							end
						}
						}
						{
						{
						$SubstituteFont
							begin
							/$substituteFound true def
							dup length $slen gt
							$sname null ne or
							$slen 0 gt and
								{$findfontByEnum}
								{//SubstituteFont exec}
							ifelse
							end
						}
						}
					ifelse
					bind readonly def
					Adobe_CoolType_Core/scfindfont/systemfindfont load put
					}
					{
					/scfindfont
						{
						$SubstituteFont
							begin
							dup systemfindfont
							dup/FontName known
								{dup/FontName get dup 3 index ne}
								{/noname true}
							ifelse
							dup
								{
								/$origfontnamefound 2 index def
								/$origfontname 4 index def/$substituteFound true def
								}
							if
							exch pop
								{
								$slen 0 gt
								$sname null ne
								3 index length $slen gt or and
									{
									pop dup $findfontByEnum findfont
									dup maxlength 1 add dict
										begin
											{1 index/FID eq{pop pop}{def}ifelse}
										forall
										currentdict
										end
									definefont
									dup/FontName known{dup/FontName get}{null}ifelse
									$origfontnamefound ne
										{
										$origfontname $str cvs print
										( substitution revised, using )print
										dup/FontName known
											{dup/FontName get}{(unspecified font)}
										ifelse
										$str cvs print(.\n)print
										}
									if
									}
									{exch pop}
								ifelse
								}
								{exch pop}
							ifelse
							end
						}bind def
					}
				ifelse
				end
			end
		Adobe_CoolType_Core_Defined not
			{
			Adobe_CoolType_Core/findfont
				{
				$SubstituteFont
					begin
					$depth 0 eq
						{
						/$fontname 1 index dup type/stringtype ne{$str cvs}if def
						/$substituteFound false def
						}
					if
					/$depth $depth 1 add def
					end
				scfindfont
				$SubstituteFont
					begin
					/$depth $depth 1 sub def
					$substituteFound $depth 0 eq and
						{
						$inVMIndex null ne
							{dup $inVMIndex $AddInVMFont}
						if
						$doSmartSub
							{
							currentdict/$Strategy known
								{$Strategy/$BuildFont get exec}
							if
							}
						if
						}
					if
					end
				}bind put
			}
		if
		}
	if
	end
/$AddInVMFont
	{
	exch/FontName 2 copy known
		{
		get
		1 dict dup begin exch 1 index gcheck def end exch
		Adobe_CoolType_Data/InVMFontsByCMap get exch
		$DictAdd
		}
		{pop pop pop}
	ifelse
	}bind def
/$DictAdd
	{
	2 copy known not
		{2 copy 4 index length dict put}
	if
	Level2? not
		{
		2 copy get dup maxlength exch length 4 index length add lt
		2 copy get dup length 4 index length add exch maxlength 1 index lt
			{
			2 mul dict
				begin
				2 copy get{forall}def
				2 copy currentdict put
				end
			}
			{pop}
		ifelse
		}
	if
	get
		begin
			{def}
		forall
		end
	}bind def
end
end
%%EndResource
currentglobal true setglobal
%%BeginResource: procset Adobe_CoolType_Utility_MAKEOCF 1.23 0
%%Copyright: Copyright 1987-2006 Adobe Systems Incorporated.
%%Version: 1.23 0
systemdict/languagelevel known dup
	{currentglobal false setglobal}
	{false}
ifelse
exch
userdict/Adobe_CoolType_Utility 2 copy known
	{2 copy get dup maxlength 27 add dict copy}
	{27 dict}
ifelse put
Adobe_CoolType_Utility
	begin
	/@eexecStartData
		 <BAB431EA07F209EB8C4348311481D9D3F76E3D15246555577D87BC510ED54E
		 118C39697FA9F6DB58128E60EB8A12FA24D7CDD2FA94D221FA9EC8DA3E5E6A1C
		 4ACECC8C2D39C54E7C946031DD156C3A6B4A09AD29E1867A>def
	/@recognizeCIDFont null def
	/ct_Level2? exch def
	/ct_Clone? 1183615869 internaldict dup
			/CCRun known not
			exch/eCCRun known not
			ct_Level2? and or def
ct_Level2?
	{globaldict begin currentglobal true setglobal}
if
	/ct_AddStdCIDMap
		ct_Level2?
			{{
				mark
				Adobe_CoolType_Utility/@recognizeCIDFont currentdict put
					{
					((Hex)57 StartData
					 0615 1e27 2c39 1c60 d8a8 cc31 fe2b f6e0
					 7aa3 e541 e21c 60d8 a8c9 c3d0 6d9e 1c60
					 d8a8 c9c2 02d7 9a1c 60d8 a849 1c60 d8a8
					 cc36 74f4 1144 b13b 77)0()/SubFileDecode filter cvx exec
					}
				stopped
					{
					 cleartomark
					 Adobe_CoolType_Utility/@recognizeCIDFont get
					 countdictstack dup array dictstack
					 exch 1 sub -1 0
						 {
						 2 copy get 3 index eq
								{1 index length exch sub 1 sub{end}repeat exit}
								{pop}
						 ifelse
						 }
					 for
					 pop pop
					 Adobe_CoolType_Utility/@eexecStartData get eexec
					}
					{cleartomark}
				ifelse
			}}
			{{
				Adobe_CoolType_Utility/@eexecStartData get eexec
			}}
		ifelse bind def
userdict/cid_extensions known
dup{cid_extensions/cid_UpdateDB known and}if
	{
	 cid_extensions
	 begin
	/cid_GetCIDSystemInfo
		{
		 1 index type/stringtype eq
			{exch cvn exch}
		 if
		 cid_extensions
			 begin
			 dup load 2 index known
				{
				 2 copy
				 cid_GetStatusInfo
				 dup null ne
					{
					 1 index load
					 3 index get
					 dup null eq
						 {pop pop cid_UpdateDB}
						 {
						 exch
						 1 index/Created get eq
							 {exch pop exch pop}
							 {pop cid_UpdateDB}
						 ifelse
						 }
					 ifelse
					}
					{pop cid_UpdateDB}
				 ifelse
				}
				{cid_UpdateDB}
			 ifelse
			 end
		}bind def
	 end
	}
if
ct_Level2?
	{end setglobal}
if
	/ct_UseNativeCapability? systemdict/composefont known def
	/ct_MakeOCF 35 dict def
	/ct_Vars 25 dict def
	/ct_GlyphDirProcs 6 dict def
	/ct_BuildCharDict 15 dict dup
		begin
		/charcode 2 string def
		/dst_string 1500 string def
		/nullstring()def
		/usewidths? true def
		end def
	ct_Level2?{setglobal}{pop}ifelse
	ct_GlyphDirProcs
		begin
		/GetGlyphDirectory
			{
			systemdict/languagelevel known
				{pop/CIDFont findresource/GlyphDirectory get}
				{
				1 index/CIDFont findresource/GlyphDirectory
				get dup type/dicttype eq
					{
					dup dup maxlength exch length sub 2 index lt
						{
						dup length 2 index add dict copy 2 index
						/CIDFont findresource/GlyphDirectory 2 index put
						}
					if
					}
				if
				exch pop exch pop
				}
			ifelse
			+
			}def
		/+
			{
			systemdict/languagelevel known
				{
				currentglobal false setglobal
				3 dict begin
					/vm exch def
				}
				{1 dict begin}
			ifelse
			/$ exch def
			systemdict/languagelevel known
				{
				vm setglobal
				/gvm currentglobal def
				$ gcheck setglobal
				}
			if
			?{$ begin}if
			}def
		/?{$ type/dicttype eq}def
		/|{
			userdict/Adobe_CoolType_Data known
				{
			Adobe_CoolType_Data/AddWidths? known
				{
				 currentdict Adobe_CoolType_Data
					begin
					 begin
						AddWidths?
								{
								Adobe_CoolType_Data/CC 3 index put
								?{def}{$ 3 1 roll put}ifelse
								CC charcode exch 1 index 0 2 index 256 idiv put
								1 index exch 1 exch 256 mod put
								stringwidth 2 array astore
								currentfont/Widths get exch CC exch put
								}
								{?{def}{$ 3 1 roll put}ifelse}
							ifelse
					end
				end
				}
				{?{def}{$ 3 1 roll put}ifelse}	ifelse
				}
				{?{def}{$ 3 1 roll put}ifelse}
			ifelse
			}def
		/!
			{
			?{end}if
			systemdict/languagelevel known
				{gvm setglobal}
			if
			end
			}def
		/:{string currentfile exch readstring pop}executeonly def
		end
	ct_MakeOCF
		begin
		/ct_cHexEncoding
		[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
		/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
		/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
		/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
		/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
		/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
		/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
		/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
		/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
		/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
		/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
		/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
		/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
		/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF]def
		/ct_CID_STR_SIZE 8000 def
		/ct_mkocfStr100 100 string def
		/ct_defaultFontMtx[.001 0 0 .001 0 0]def
		/ct_1000Mtx[1000 0 0 1000 0 0]def
		/ct_raise{exch cvx exch errordict exch get exec stop}bind def
		/ct_reraise
			{cvx $error/errorname get(Error: )print dup(						 )cvs print
					errordict exch get exec stop
			}bind def
		/ct_cvnsi
			{
			1 index add 1 sub 1 exch 0 4 1 roll
				{
				2 index exch get
				exch 8 bitshift
				add
				}
			for
			exch pop
			}bind def
		/ct_GetInterval
			{
			Adobe_CoolType_Utility/ct_BuildCharDict get
				begin
				/dst_index 0 def
				dup dst_string length gt
					{dup string/dst_string exch def}
				if
				1 index ct_CID_STR_SIZE idiv
				/arrayIndex exch def
				2 index arrayIndex get
				2 index
				arrayIndex ct_CID_STR_SIZE mul
				sub
					{
					dup 3 index add 2 index length le
						{
						2 index getinterval
						dst_string dst_index 2 index putinterval
						length dst_index add/dst_index exch def
						exit
						}
						{
						1 index length 1 index sub
						dup 4 1 roll
						getinterval
						dst_string dst_index 2 index putinterval
						pop dup dst_index add/dst_index exch def
						sub
						/arrayIndex arrayIndex 1 add def
						2 index dup length arrayIndex gt
							 {arrayIndex get}
							 {
							 pop
							 exit
							 }
						ifelse
						0
						}
					ifelse
					}
				loop
				pop pop pop
				dst_string 0 dst_index getinterval
				end
			}bind def
		ct_Level2?
			{
			/ct_resourcestatus
			currentglobal mark true setglobal
				{/unknowninstancename/Category resourcestatus}
			stopped
				{cleartomark setglobal true}
				{cleartomark currentglobal not exch setglobal}
			ifelse
				{
					{
					mark 3 1 roll/Category findresource
						begin
						ct_Vars/vm currentglobal put
						({ResourceStatus}stopped)0()/SubFileDecode filter cvx exec
							{cleartomark false}
							{{3 2 roll pop true}{cleartomark false}ifelse}
						ifelse
						ct_Vars/vm get setglobal
						end
					}
				}
				{{resourcestatus}}
			ifelse bind def
			/CIDFont/Category ct_resourcestatus
				{pop pop}
				{
				currentglobal true setglobal
				/Generic/Category findresource
				dup length dict copy
				dup/InstanceType/dicttype put
				/CIDFont exch/Category defineresource pop
				setglobal
				}
			ifelse
			ct_UseNativeCapability?
				{
				/CIDInit/ProcSet findresource begin
				12 dict begin
				begincmap
				/CIDSystemInfo 3 dict dup begin
				 /Registry(Adobe)def
				 /Ordering(Identity)def
				 /Supplement 0 def
				end def
				/CMapName/Identity-H def
				/CMapVersion 1.000 def
				/CMapType 1 def
				1 begincodespacerange
				<0000><FFFF>
				endcodespacerange
				1 begincidrange
				<0000><FFFF>0
				endcidrange
				endcmap
				CMapName currentdict/CMap defineresource pop
				end
				end
				}
			if
			}
			{
			/ct_Category 2 dict begin
			/CIDFont 10 dict def
			/ProcSet	2 dict def
			currentdict
			end
			def
			/defineresource
				{
				ct_Category 1 index 2 copy known
					{
					get
					dup dup maxlength exch length eq
						{
						dup length 10 add dict copy
						ct_Category 2 index 2 index put
						}
					if
					3 index 3 index put
					pop exch pop
					}
					{pop pop/defineresource/undefined ct_raise}
				ifelse
				}bind def
			/findresource
				{
				ct_Category 1 index 2 copy known
					{
					get
					2 index 2 copy known
						{get 3 1 roll pop pop}
						{pop pop/findresource/undefinedresource ct_raise}
					ifelse
					}
					{pop pop/findresource/undefined ct_raise}
				ifelse
				}bind def
			/resourcestatus
				{
				ct_Category 1 index 2 copy known
					{
					get
					2 index known
					exch pop exch pop
						{
						0 -1 true
						}
						{
						false
						}
					ifelse
					}
					{pop pop/findresource/undefined ct_raise}
				ifelse
				}bind def
			/ct_resourcestatus/resourcestatus load def
			}
		ifelse
		/ct_CIDInit 2 dict
			begin
			/ct_cidfont_stream_init
				{
					{
					dup(Binary)eq
						{
						pop
						null
						currentfile
						ct_Level2?
							{
								{cid_BYTE_COUNT()/SubFileDecode filter}
							stopped
								{pop pop pop}
							if
							}
						if
						/readstring load
						exit
						}
					if
					dup(Hex)eq
						{
						pop
						currentfile
						ct_Level2?
							{
								{null exch/ASCIIHexDecode filter/readstring}
							stopped
								{pop exch pop(>)exch/readhexstring}
							if
							}
							{(>)exch/readhexstring}
						ifelse
						load
						exit
						}
					if
					/StartData/typecheck ct_raise
					}
				loop
				cid_BYTE_COUNT ct_CID_STR_SIZE le
					{
					2 copy cid_BYTE_COUNT string exch exec
					pop
					1 array dup
					3 -1 roll
					0 exch put
					}
					{
					cid_BYTE_COUNT ct_CID_STR_SIZE div ceiling cvi
					dup array exch 2 sub 0 exch 1 exch
						{
						2 copy
						5 index
						ct_CID_STR_SIZE
						string
						6 index exec
						pop
						put
						pop
						}
					for
					2 index
					cid_BYTE_COUNT ct_CID_STR_SIZE mod string
					3 index exec
					pop
					1 index exch
					1 index length 1 sub
					exch put
					}
				ifelse
				cid_CIDFONT exch/GlyphData exch put
				2 index null eq
					{
					pop pop pop
					}
					{
					pop/readstring load
					1 string exch
						{
						3 copy exec
						pop
						dup length 0 eq
							{
							pop pop pop pop pop
							true exit
							}
						if
						4 index
						eq
							{
							pop pop pop pop
							false exit
							}
						if
						}
					loop
					pop
					}
				ifelse
				}bind def
			/StartData
				{
				mark
					{
					currentdict
					dup/FDArray get 0 get/FontMatrix get
					0 get 0.001 eq
						{
						dup/CDevProc known not
							{
							/CDevProc 1183615869 internaldict/stdCDevProc 2 copy known
								{get}
								{
								pop pop
								{pop pop pop pop pop 0 -1000 7 index 2 div 880}
								}
							ifelse
							def
							}
						if
						}
						{
						/CDevProc
							{
							 pop pop pop pop pop
							 0
							 1 cid_temp/cid_CIDFONT get
							/FDArray get 0 get
							/FontMatrix get 0 get div
							 7 index 2 div
							 1 index 0.88 mul
							}def
						}
					ifelse
					/cid_temp 15 dict def
					cid_temp
						begin
						/cid_CIDFONT exch def
						3 copy pop
						dup/cid_BYTE_COUNT exch def 0 gt
							{
							ct_cidfont_stream_init
							FDArray
								{
								/Private get
								dup/SubrMapOffset known
									{
									begin
									/Subrs SubrCount array def
									Subrs
									SubrMapOffset
									SubrCount
									SDBytes
									ct_Level2?
										{
										currentdict dup/SubrMapOffset undef
										dup/SubrCount undef
										/SDBytes undef
										}
									if
									end
									/cid_SD_BYTES exch def
									/cid_SUBR_COUNT exch def
									/cid_SUBR_MAP_OFFSET exch def
									/cid_SUBRS exch def
									cid_SUBR_COUNT 0 gt
										{
										GlyphData cid_SUBR_MAP_OFFSET cid_SD_BYTES ct_GetInterval
										0 cid_SD_BYTES ct_cvnsi
										0 1 cid_SUBR_COUNT 1 sub
											{
											exch 1 index
											1 add
											cid_SD_BYTES mul cid_SUBR_MAP_OFFSET add
											GlyphData exch cid_SD_BYTES ct_GetInterval
											0 cid_SD_BYTES ct_cvnsi
											cid_SUBRS 4 2 roll
											GlyphData exch
											4 index
											1 index
											sub
											ct_GetInterval
											dup length string copy put
											}
										for
										pop
										}
									if
									}
									{pop}
								ifelse
								}
							forall
							}
						if
						cleartomark pop pop
						end
					CIDFontName currentdict/CIDFont defineresource pop
					end end
					}
				stopped
					{cleartomark/StartData ct_reraise}
				if
				}bind def
			currentdict
			end def
		/ct_saveCIDInit
			{
			/CIDInit/ProcSet ct_resourcestatus
				{true}
				{/CIDInitC/ProcSet ct_resourcestatus}
			ifelse
				{
				pop pop
				/CIDInit/ProcSet findresource
				ct_UseNativeCapability?
					{pop null}
					{/CIDInit ct_CIDInit/ProcSet defineresource pop}
				ifelse
				}
				{/CIDInit ct_CIDInit/ProcSet defineresource pop null}
			ifelse
			ct_Vars exch/ct_oldCIDInit exch put
			}bind def
		/ct_restoreCIDInit
			{
			ct_Vars/ct_oldCIDInit get dup null ne
				{/CIDInit exch/ProcSet defineresource pop}
				{pop}
			ifelse
			}bind def
		/ct_BuildCharSetUp
			{
			1 index
				begin
				CIDFont
					begin
					Adobe_CoolType_Utility/ct_BuildCharDict get
						begin
						/ct_dfCharCode exch def
						/ct_dfDict exch def
						CIDFirstByte ct_dfCharCode add
						dup CIDCount ge
							{pop 0}
						if
						/cid exch def
							{
							GlyphDirectory cid 2 copy known
								{get}
								{pop pop nullstring}
							ifelse
							dup length FDBytes sub 0 gt
								{
								dup
								FDBytes 0 ne
									{0 FDBytes ct_cvnsi}
									{pop 0}
								ifelse
								/fdIndex exch def
								dup length FDBytes sub FDBytes exch getinterval
								/charstring exch def
								exit
								}
								{
								pop
								cid 0 eq
									{/charstring nullstring def exit}
								if
								/cid 0 def
								}
							ifelse
							}
						loop
			}def
		/ct_SetCacheDevice
			{
			0 0 moveto
			dup stringwidth
			3 -1 roll
			true charpath
			pathbbox
			0 -1000
			7 index 2 div 880
			setcachedevice2
			0 0 moveto
			}def
		/ct_CloneSetCacheProc
			{
			1 eq
				{
				stringwidth
				pop -2 div -880
				0 -1000 setcharwidth
				moveto
				}
				{
				usewidths?
					{
					currentfont/Widths get cid
					2 copy known
						{get exch pop aload pop}
						{pop pop stringwidth}
					ifelse
					}
					{stringwidth}
				ifelse
				setcharwidth
				0 0 moveto
				}
			ifelse
			}def
		/ct_Type3ShowCharString
			{
			ct_FDDict fdIndex 2 copy known
				{get}
				{
				currentglobal 3 1 roll
				1 index gcheck setglobal
				ct_Type1FontTemplate dup maxlength dict copy
					begin
					FDArray fdIndex get
					dup/FontMatrix 2 copy known
						{get}
						{pop pop ct_defaultFontMtx}
					ifelse
					/FontMatrix exch dup length array copy def
					/Private get
					/Private exch def
					/Widths rootfont/Widths get def
					/CharStrings 1 dict dup/.notdef
						<d841272cf18f54fc13>dup length string copy put def
					currentdict
					end
				/ct_Type1Font exch definefont
				dup 5 1 roll put
				setglobal
				}
			ifelse
			dup/CharStrings get 1 index/Encoding get
			ct_dfCharCode get charstring put
			rootfont/WMode 2 copy known
				{get}
				{pop pop 0}
			ifelse
			exch
			1000 scalefont setfont
			ct_str1 0 ct_dfCharCode put
			ct_str1 exch ct_dfSetCacheProc
			ct_SyntheticBold
				{
				currentpoint
				ct_str1 show
				newpath
				moveto
				ct_str1 true charpath
				ct_StrokeWidth setlinewidth
				stroke
				}
				{ct_str1 show}
			ifelse
			}def
		/ct_Type4ShowCharString
			{
			ct_dfDict ct_dfCharCode charstring
			FDArray fdIndex get
			dup/FontMatrix get dup ct_defaultFontMtx ct_matrixeq not
				{ct_1000Mtx matrix concatmatrix concat}
				{pop}
			ifelse
			/Private get
			Adobe_CoolType_Utility/ct_Level2? get not
				{
				ct_dfDict/Private
				3 -1 roll
					{put}
				1183615869 internaldict/superexec get exec
				}
			if
			1183615869 internaldict
			Adobe_CoolType_Utility/ct_Level2? get
				{1 index}
				{3 index/Private get mark 6 1 roll}
			ifelse
			dup/RunInt known
				{/RunInt get}
				{pop/CCRun}
			ifelse
			get exec
			Adobe_CoolType_Utility/ct_Level2? get not
				{cleartomark}
			if
			}bind def
		/ct_BuildCharIncremental
			{
				{
				Adobe_CoolType_Utility/ct_MakeOCF get begin
				ct_BuildCharSetUp
				ct_ShowCharString
				}
			stopped
				{stop}
			if
			end
			end
			end
			end
			}bind def
		/BaseFontNameStr(BF00)def
		/ct_Type1FontTemplate 14 dict
			begin
			/FontType 1 def
			/FontMatrix [0.001 0 0 0.001 0 0]def
			/FontBBox [-250 -250 1250 1250]def
			/Encoding ct_cHexEncoding def
			/PaintType 0 def
			currentdict
			end def
		/BaseFontTemplate 11 dict
			begin
			/FontMatrix [0.001 0 0 0.001 0 0]def
			/FontBBox [-250 -250 1250 1250]def
			/Encoding ct_cHexEncoding def
			/BuildChar/ct_BuildCharIncremental load def
			ct_Clone?
				{
				/FontType 3 def
				/ct_ShowCharString/ct_Type3ShowCharString load def
				/ct_dfSetCacheProc/ct_CloneSetCacheProc load def
				/ct_SyntheticBold false def
				/ct_StrokeWidth 1 def
				}
				{
				/FontType 4 def
				/Private 1 dict dup/lenIV 4 put def
				/CharStrings 1 dict dup/.notdef<d841272cf18f54fc13>put def
				/PaintType 0 def
				/ct_ShowCharString/ct_Type4ShowCharString load def
				}
			ifelse
			/ct_str1 1 string def
			currentdict
			end def
		/BaseFontDictSize BaseFontTemplate length 5 add def
		/ct_matrixeq
			{
			true 0 1 5
				{
				dup 4 index exch get exch 3 index exch get eq and
				dup not
					{exit}
				if
				}
			for
			exch pop exch pop
			}bind def
		/ct_makeocf
			{
			15 dict
				begin
				exch/WMode exch def
				exch/FontName exch def
				/FontType 0 def
				/FMapType 2 def
			dup/FontMatrix known
				{dup/FontMatrix get/FontMatrix exch def}
				{/FontMatrix matrix def}
			ifelse
				/bfCount 1 index/CIDCount get 256 idiv 1 add
					dup 256 gt{pop 256}if def
				/Encoding
					256 array 0 1 bfCount 1 sub{2 copy dup put pop}for
					bfCount 1 255{2 copy bfCount put pop}for
					def
				/FDepVector bfCount dup 256 lt{1 add}if array def
				BaseFontTemplate BaseFontDictSize dict copy
					begin
					/CIDFont exch def
					CIDFont/FontBBox known
						{CIDFont/FontBBox get/FontBBox exch def}
					if
					CIDFont/CDevProc known
						{CIDFont/CDevProc get/CDevProc exch def}
					if
					currentdict
					end
				BaseFontNameStr 3(0)putinterval
				0 1 bfCount dup 256 eq{1 sub}if
					{
					FDepVector exch
					2 index BaseFontDictSize dict copy
						begin
						dup/CIDFirstByte exch 256 mul def
						FontType 3 eq
							{/ct_FDDict 2 dict def}
						if
						currentdict
						end
					1 index 16
					BaseFontNameStr 2 2 getinterval cvrs pop
					BaseFontNameStr exch definefont
					put
					}
				for
				ct_Clone?
					{/Widths 1 index/CIDFont get/GlyphDirectory get length dict def}
				if
				FontName
				currentdict
				end
			definefont
			ct_Clone?
				{
				gsave
				dup 1000 scalefont setfont
				ct_BuildCharDict
					begin
					/usewidths? false def
					currentfont/Widths get
						begin
						exch/CIDFont get/GlyphDirectory get
							{
							pop
							dup charcode exch 1 index 0 2 index 256 idiv put
							1 index exch 1 exch 256 mod put
							stringwidth 2 array astore def
							}
						forall
						end
					/usewidths? true def
					end
				grestore
				}
				{exch pop}
			ifelse
			}bind def
		currentglobal true setglobal
		/ct_ComposeFont
			{
			ct_UseNativeCapability?
				{				
				2 index/CMap ct_resourcestatus
					{pop pop exch pop}
					{
					/CIDInit/ProcSet findresource
						begin
						12 dict
							begin
							begincmap
							/CMapName 3 index def
							/CMapVersion 1.000 def
							/CMapType 1 def
							exch/WMode exch def
							/CIDSystemInfo 3 dict dup
								begin
								/Registry(Adobe)def
								/Ordering
								CMapName ct_mkocfStr100 cvs
								(Adobe-)search
									{
									pop pop
									(-)search
										{
										dup length string copy
										exch pop exch pop
										}
										{pop(Identity)}
									ifelse
									}
									{pop (Identity)}
								ifelse
								def
								/Supplement 0 def
								end def
							1 begincodespacerange
							<0000><FFFF>
							endcodespacerange
							1 begincidrange
							<0000><FFFF>0
							endcidrange
							endcmap
							CMapName currentdict/CMap defineresource pop
							end
						end
					}
				ifelse
				composefont
				}
				{
				3 2 roll pop
				0 get/CIDFont findresource
				ct_makeocf
				}
			ifelse
			}bind def
			setglobal
		/ct_MakeIdentity
			{
			ct_UseNativeCapability?
				{
				1 index/CMap ct_resourcestatus
					{pop pop}
					{
					/CIDInit/ProcSet findresource begin
					12 dict begin
					begincmap
					/CMapName 2 index def
					/CMapVersion 1.000 def
					/CMapType 1 def
					/CIDSystemInfo 3 dict dup
						begin
						/Registry(Adobe)def
						/Ordering
						CMapName ct_mkocfStr100 cvs
						(Adobe-)search
							{
							pop pop
							(-)search
								{dup length string copy exch pop exch pop}
								{pop(Identity)}
							ifelse
							}
							{pop(Identity)}
						ifelse
						def
						/Supplement 0 def
						end def
					1 begincodespacerange
					<0000><FFFF>
					endcodespacerange
					1 begincidrange
					<0000><FFFF>0
					endcidrange
					endcmap
					CMapName currentdict/CMap defineresource pop
					end
					end
					}
				ifelse
				composefont
				}
				{
				exch pop
				0 get/CIDFont findresource
				ct_makeocf
				}
			ifelse
			}bind def
		currentdict readonly pop
		end
	end
%%EndResource
setglobal
%%BeginResource: procset Adobe_CoolType_Utility_T42 1.0 0
%%Copyright: Copyright 1987-2004 Adobe Systems Incorporated.
%%Version: 1.0 0
userdict/ct_T42Dict 15 dict put
ct_T42Dict begin
/Is2015?
{
 version
 cvi
 2015
 ge
}bind def
/AllocGlyphStorage
{
 Is2015?
 {	
	pop
 }
 {
	{string}forall
 }ifelse
}bind def
/Type42DictBegin
{
25 dict begin
 /FontName exch def
 /CharStrings 256 dict 
begin
	 /.notdef 0 def
	 currentdict 
end def
 /Encoding exch def
 /PaintType 0 def
 /FontType 42 def
 /FontMatrix[1 0 0 1 0 0]def
 4 array astore cvx/FontBBox exch def
 /sfnts
}bind def
/Type42DictEnd 
{
 currentdict dup/FontName get exch definefont end
ct_T42Dict exch
dup/FontName get exch put
}bind def
/RD{string currentfile exch readstring pop}executeonly def
/PrepFor2015
{
Is2015?
{		 
	/GlyphDirectory 
	 16
	 dict def
	 sfnts 0 get
	 dup
	 2 index
	(glyx)
	 putinterval
	 2 index 
	(locx)
	 putinterval
	 pop
	 pop
}
{
	 pop
	 pop
}ifelse			
}bind def
/AddT42Char
{
Is2015?
{
	/GlyphDirectory get 
	begin
	def
	end
	pop
	pop
}
{
	/sfnts get
	4 index
	get
	3 index
 2 index
	putinterval
	pop
	pop
	pop
	pop
}ifelse
}bind def
/T0AddT42Mtx2
{
/CIDFont findresource/Metrics2 get begin def end
}bind def
end
%%EndResource
currentglobal true setglobal
%%BeginFile: MMFauxFont.prc
%%Copyright: Copyright 1987-2001 Adobe Systems Incorporated. 
%%All Rights Reserved.
userdict /ct_EuroDict 10 dict put
ct_EuroDict begin
/ct_CopyFont 
{
    { 1 index /FID ne {def} {pop pop} ifelse} forall
} def
/ct_GetGlyphOutline
{
   gsave
   initmatrix newpath
   exch findfont dup 
   length 1 add dict 
   begin 
		ct_CopyFont 
		/Encoding Encoding dup length array copy 
		dup
		4 -1 roll
		0 exch put   
		def
		currentdict
   end
   /ct_EuroFont exch definefont
   1000 scalefont setfont
   0 0 moveto
   [
       <00> stringwidth 
       <00> false charpath
       pathbbox
       [
       {/m cvx} {/l cvx} {/c cvx} {/cp cvx} pathforall
   grestore
   counttomark 8 add
}
def
/ct_MakeGlyphProc
{
   ] cvx
   /ct_PSBuildGlyph cvx
   ] cvx
} def
/ct_PSBuildGlyph 
{ 
 	gsave 
	8 -1 roll pop 
	7 1 roll 
        6 -2 roll ct_FontMatrix transform 6 2 roll
        4 -2 roll ct_FontMatrix transform 4 2 roll
        ct_FontMatrix transform 
	currentdict /PaintType 2 copy known {get 2 eq}{pop pop false} ifelse  
	dup  9 1 roll 
	{  
		currentdict /StrokeWidth 2 copy known  
		{   
			get 2 div   
			0 ct_FontMatrix dtransform pop
			5 1 roll  
			4 -1 roll 4 index sub   
			4 1 roll   
			3 -1 roll 4 index sub  
			3 1 roll   
			exch 4 index add exch  
			4 index add  
			5 -1 roll pop  
		}  
		{	 
			pop pop 
		}  
		ifelse  
	}       
    if  
	setcachedevice  
        ct_FontMatrix concat
        ct_PSPathOps begin 
		exec 
	end 
	{  
		currentdict /StrokeWidth 2 copy known  
			{ get }  
			{ pop pop 0 }  
  	    ifelse  
		setlinewidth stroke  
	}  
	{   
	    fill  
	}  
	ifelse  
    grestore
} def 
/ct_PSPathOps 4 dict dup begin 
	/m {moveto} def 
	/l {lineto} def 
	/c {curveto} def 
	/cp {closepath} def 
end 
def 
/ct_matrix1000 [1000 0 0 1000 0 0] def
/ct_AddGlyphProc  
{
   2 index findfont dup length 4 add dict 
   begin 
	ct_CopyFont 
	/CharStrings CharStrings dup length 1 add dict copy
      begin
         3 1 roll def  
         currentdict 
      end 
      def
      /ct_FontMatrix ct_matrix1000 FontMatrix matrix concatmatrix def
      /ct_PSBuildGlyph /ct_PSBuildGlyph load def
      /ct_PSPathOps /ct_PSPathOps load def
      currentdict
   end
   definefont pop
}
def
systemdict /languagelevel known
{
	/ct_AddGlyphToPrinterFont {
		2 copy
		ct_GetGlyphOutline 3 add -1 roll restore 
		ct_MakeGlyphProc 
		ct_AddGlyphProc
	} def
}
{
	/ct_AddGlyphToPrinterFont {
	    pop pop restore
		Adobe_CTFauxDict /$$$FONTNAME get
		/Euro
		Adobe_CTFauxDict /$$$SUBSTITUTEBASE get
		ct_EuroDict exch get
		ct_AddGlyphProc
	} def
} ifelse
/AdobeSansMM 
{ 
556 0 24 -19 541 703 
	{ 
	541 628 m 
	510 669 442 703 354 703 c 
	201 703 117 607 101 444 c 
	50 444 l 
	25 372 l 
	97 372 l 
	97 301 l 
	49 301 l 
	24 229 l 
	103 229 l 
	124 67 209 -19 350 -19 c 
	435 -19 501 25 509 32 c 
	509 131 l 
	492 105 417 60 343 60 c 
	267 60 204 127 197 229 c 
	406 229 l 
	430 301 l 
	191 301 l 
	191 372 l 
	455 372 l 
	479 444 l 
	194 444 l 
	201 531 245 624 348 624 c 
	433 624 484 583 509 534 c 
	cp 
	556 0 m 
	}
ct_PSBuildGlyph
} def
/AdobeSerifMM 
{ 
500 0 10 -12 484 692 
	{ 
	347 298 m 
	171 298 l 
	170 310 170 322 170 335 c 
	170 362 l 
	362 362 l 
	374 403 l 
	172 403 l 
	184 580 244 642 308 642 c 
	380 642 434 574 457 457 c 
	481 462 l 
	474 691 l 
	449 691 l 
	433 670 429 657 410 657 c 
	394 657 360 692 299 692 c 
	204 692 94 604 73 403 c 
	22 403 l 
	10 362 l 
	70 362 l 
	69 352 69 341 69 330 c 
	69 319 69 308 70 298 c 
	22 298 l 
	10 257 l 
	73 257 l 
	97 57 216 -12 295 -12 c 
	364 -12 427 25 484 123 c 
	458 142 l 
	425 101 384 37 316 37 c 
	256 37 189 84 173 257 c 
	335 257 l 
	cp 
	500 0 m 
	} 
ct_PSBuildGlyph 
} def 
end		
%%EndFile
setglobal
Adobe_CoolType_Core begin /$Oblique SetSubstituteStrategy end
%%BeginResource: procset Adobe_AGM_Image 1.0 0
-%%Version: 1.0 0
-%%Copyright: Copyright(C)2000-2006 Adobe Systems, Inc. All Rights Reserved.
-systemdict/setpacking known
-{
-	currentpacking
-	true setpacking
-}if
-userdict/Adobe_AGM_Image 71 dict dup begin put
-/Adobe_AGM_Image_Id/Adobe_AGM_Image_1.0_0 def
-/nd{
-	null def
-}bind def
-/AGMIMG_&image nd
-/AGMIMG_&colorimage nd
-/AGMIMG_&imagemask nd
-/AGMIMG_mbuf()def
-/AGMIMG_ybuf()def
-/AGMIMG_kbuf()def
-/AGMIMG_c 0 def
-/AGMIMG_m 0 def
-/AGMIMG_y 0 def
-/AGMIMG_k 0 def
-/AGMIMG_tmp nd
-/AGMIMG_imagestring0 nd
-/AGMIMG_imagestring1 nd
-/AGMIMG_imagestring2 nd
-/AGMIMG_imagestring3 nd
-/AGMIMG_imagestring4 nd
-/AGMIMG_imagestring5 nd
-/AGMIMG_cnt nd
-/AGMIMG_fsave nd
-/AGMIMG_colorAry nd
-/AGMIMG_override nd
-/AGMIMG_name nd
-/AGMIMG_maskSource nd
-/AGMIMG_flushfilters nd
-/invert_image_samples nd
-/knockout_image_samples	nd
-/img nd
-/sepimg nd
-/devnimg nd
-/idximg nd
-/ds
-{
-	Adobe_AGM_Core begin
-	Adobe_AGM_Image begin
-	/AGMIMG_&image systemdict/image get def
-	/AGMIMG_&imagemask systemdict/imagemask get def
-	/colorimage where{
-		pop
-		/AGMIMG_&colorimage/colorimage ldf
-	}if
-	end
-	end
-}def
-/ps
-{
-	Adobe_AGM_Image begin
-	/AGMIMG_ccimage_exists{/customcolorimage where 
-		{
-			pop
-			/Adobe_AGM_OnHost_Seps where
-			{
-			pop false
-			}{
-			/Adobe_AGM_InRip_Seps where
-				{
-				pop false
-				}{
-					true
-				}ifelse
-			}ifelse
-			}{
-			false
-		}ifelse 
-	}bdf
-	level2{
-		/invert_image_samples
-		{
-			Adobe_AGM_Image/AGMIMG_tmp Decode length ddf
-			/Decode[Decode 1 get Decode 0 get]def
-		}def
-		/knockout_image_samples
-		{
-			Operator/imagemask ne{
-				/Decode[1 1]def
-			}if
-		}def
-	}{	
-		/invert_image_samples
-		{
-			{1 exch sub}currenttransfer addprocs settransfer
-		}def
-		/knockout_image_samples
-		{
-			{pop 1}currenttransfer addprocs settransfer
-		}def
-	}ifelse
-	/img/imageormask ldf
-	/sepimg/sep_imageormask ldf
-	/devnimg/devn_imageormask ldf
-	/idximg/indexed_imageormask ldf
-	/_ctype 7 def
-	currentdict{
-		dup xcheck 1 index type dup/arraytype eq exch/packedarraytype eq or and{
-			bind
-		}if
-		def
-	}forall
-}def
-/pt
-{
-	end
-}def
-/dt
-{
-}def
-/AGMIMG_flushfilters
-{
-	dup type/arraytype ne
-		{1 array astore}if
-	dup 0 get currentfile ne
-		{dup 0 get flushfile}if
-		{
-		dup type/filetype eq
-			{
-			dup status 1 index currentfile ne and
-				{closefile}
-				{pop}
-			ifelse
-			}{pop}ifelse
-		}forall
-}def
-/AGMIMG_init_common
-{
-	currentdict/T known{/ImageType/T ldf currentdict/T undef}if
-	currentdict/W known{/Width/W ldf currentdict/W undef}if
-	currentdict/H known{/Height/H ldf currentdict/H undef}if
-	currentdict/M known{/ImageMatrix/M ldf currentdict/M undef}if
-	currentdict/BC known{/BitsPerComponent/BC ldf currentdict/BC undef}if
-	currentdict/D known{/Decode/D ldf currentdict/D undef}if
-	currentdict/DS known{/DataSource/DS ldf currentdict/DS undef}if
-	currentdict/O known{
-		/Operator/O load 1 eq{
-			/imagemask
-		}{
-			/O load 2 eq{
-				/image 
-			}{
-				/colorimage
-			}ifelse
-		}ifelse
-		def
-		currentdict/O undef
-	}if
-	currentdict/HSCI known{/HostSepColorImage/HSCI ldf currentdict/HSCI undef}if
-	currentdict/MD known{/MultipleDataSources/MD ldf currentdict/MD undef}if
-	currentdict/I known{/Interpolate/I ldf currentdict/I undef}if
-	currentdict/SI known{/SkipImageProc/SI ldf currentdict/SI undef}if
-	/DataSource load xcheck not{
-		DataSource type/arraytype eq{
-			DataSource 0 get type/filetype eq{
-				/_Filters DataSource def
-				currentdict/MultipleDataSources known not{
-					/DataSource DataSource dup length 1 sub get def 
-				}if
-			}if
-		}if
-		currentdict/MultipleDataSources known not{
-			/MultipleDataSources DataSource type/arraytype eq{
-				DataSource length 1 gt
-			}
-			{false}ifelse def
-		}if
-	}if
-	/NComponents Decode length 2 div def
-	currentdict/SkipImageProc known not{/SkipImageProc{false}def}if
-}bdf
-/imageormask_sys
-{
-	begin
-		AGMIMG_init_common
-		save mark
-		level2{
-			currentdict
-			Operator/imagemask eq{
-				AGMIMG_&imagemask
-			}{
-				use_mask{
-					process_mask AGMIMG_&image
-				}{
-					AGMIMG_&image
-				}ifelse
-			}ifelse
-		}{
-			Width Height
-			Operator/imagemask eq{
-				Decode 0 get 1 eq Decode 1 get 0 eq	and
-				ImageMatrix/DataSource load
-				AGMIMG_&imagemask
-			}{
-				BitsPerComponent ImageMatrix/DataSource load
-				AGMIMG_&image
-			}ifelse
-		}ifelse
-		currentdict/_Filters known{_Filters AGMIMG_flushfilters}if
-		cleartomark restore
-	end
-}def
-/overprint_plate
-{
-	currentoverprint{
-		0 get dup type/nametype eq{
-			dup/DeviceGray eq{
-				pop AGMCORE_black_plate not
-			}{
-				/DeviceCMYK eq{
-					AGMCORE_is_cmyk_sep not
-				}if
-			}ifelse
-		}{
-			false exch
-			{
-				 AGMOHS_sepink eq or
-			}forall
-			not
-		}ifelse
-	}{
-		pop false
-	}ifelse
-}def
-/process_mask
-{
-	level3{
-		dup begin
-		/ImageType 1 def
-		end
-		4 dict begin
-			/DataDict exch def
-			/ImageType 3 def
-			/InterleaveType 3 def
-			/MaskDict 9 dict begin
-				/ImageType 1 def
-				/Width DataDict dup/MaskWidth known{/MaskWidth}{/Width}ifelse get def
-				/Height DataDict dup/MaskHeight known{/MaskHeight}{/Height}ifelse get def
-				/ImageMatrix[Width 0 0 Height neg 0 Height]def
-				/NComponents 1 def
-				/BitsPerComponent 1 def
-				/Decode DataDict dup/MaskD known{/MaskD}{[1 0]}ifelse get def
-				/DataSource Adobe_AGM_Core/AGMIMG_maskSource get def
-			currentdict end def
-		currentdict end
-	}if
-}def
-/use_mask
-{
-	dup/Mask known	{dup/Mask get}{false}ifelse
-}def
-/imageormask
-{
-	begin
-		AGMIMG_init_common
-		SkipImageProc{
-			currentdict consumeimagedata
-		}
-		{
-			save mark
-			level2 AGMCORE_host_sep not and{
-				currentdict
-				Operator/imagemask eq DeviceN_PS2 not and{
-					imagemask
-				}{
-					AGMCORE_in_rip_sep currentoverprint and currentcolorspace 0 get/DeviceGray eq and{
-						[/Separation/Black/DeviceGray{}]setcolorspace
-						/Decode[Decode 1 get Decode 0 get]def
-					}if
-					use_mask{
-						process_mask image
-					}{
-						DeviceN_NoneName DeviceN_PS2 Indexed_DeviceN level3 not and or or AGMCORE_in_rip_sep and 
-						{
-							Names convert_to_process not{
-								2 dict begin
-								/imageDict xdf
-								/names_index 0 def
-								gsave
-								imageDict write_image_file{
-									Names{
-										dup(None)ne{
-											[/Separation 3 -1 roll/DeviceGray{1 exch sub}]setcolorspace
-											Operator imageDict read_image_file
-											names_index 0 eq{true setoverprint}if
-											/names_index names_index 1 add def
-										}{
-											pop
-										}ifelse
-									}forall
-									close_image_file
-								}if
-								grestore
-								end
-							}{
-								Operator/imagemask eq{
-									imagemask
-								}{
-									image
-								}ifelse
-							}ifelse
-						}{
-							Operator/imagemask eq{
-								imagemask
-							}{
-								image
-							}ifelse
-						}ifelse
-					}ifelse
-				}ifelse
-			}{
-				Width Height
-				Operator/imagemask eq{
-					Decode 0 get 1 eq Decode 1 get 0 eq	and
-					ImageMatrix/DataSource load
-					/Adobe_AGM_OnHost_Seps where{
-						pop imagemask
-					}{
-						currentgray 1 ne{
-							currentdict imageormask_sys
-						}{
-							currentoverprint not{
-								1 AGMCORE_&setgray
-								currentdict imageormask_sys
-							}{
-								currentdict ignoreimagedata
-							}ifelse				 		
-						}ifelse
-					}ifelse
-				}{
-					BitsPerComponent ImageMatrix 
-					MultipleDataSources{
-						0 1 NComponents 1 sub{
-							DataSource exch get
-						}for
-					}{
-						/DataSource load
-					}ifelse
-					Operator/colorimage eq{
-						AGMCORE_host_sep{
-							MultipleDataSources level2 or NComponents 4 eq and{
-								AGMCORE_is_cmyk_sep{
-									MultipleDataSources{
-										/DataSource DataSource 0 get xcheck
-											{
-											[
-											DataSource 0 get/exec cvx
-											DataSource 1 get/exec cvx
-											DataSource 2 get/exec cvx
-											DataSource 3 get/exec cvx
-											/AGMCORE_get_ink_data cvx
-											]cvx
-											}{
-											DataSource aload pop AGMCORE_get_ink_data
-											}ifelse def
-									}{
-										/DataSource 
-										Width BitsPerComponent mul 7 add 8 idiv Height mul 4 mul 
-										/DataSource load
-										filter_cmyk 0()/SubFileDecode filter def
-									}ifelse
-									/Decode[Decode 0 get Decode 1 get]def
-									/MultipleDataSources false def
-									/NComponents 1 def
-									/Operator/image def
-									invert_image_samples
-						 			1 AGMCORE_&setgray
-									currentdict imageormask_sys
-								}{
-									currentoverprint not Operator/imagemask eq and{
- 			 							1 AGMCORE_&setgray
- 			 							currentdict imageormask_sys
- 			 						}{
- 			 							currentdict ignoreimagedata
- 			 						}ifelse
-								}ifelse
-							}{	
-								MultipleDataSources NComponents AGMIMG_&colorimage						
-							}ifelse
-						}{
-							true NComponents colorimage
-						}ifelse
-					}{
-						Operator/image eq{
-							AGMCORE_host_sep{
-								/DoImage true def
-								currentdict/HostSepColorImage known{HostSepColorImage not}{false}ifelse
-								{
-									AGMCORE_black_plate not Operator/imagemask ne and{
-										/DoImage false def
-										currentdict ignoreimagedata
-					 				}if
-								}if
-						 		1 AGMCORE_&setgray
-								DoImage
-									{currentdict imageormask_sys}if
-							}{
-								use_mask{
-									process_mask image
-								}{
-									image
-								}ifelse
-							}ifelse
-						}{
-							Operator/knockout eq{
-								pop pop pop pop pop
-								currentcolorspace overprint_plate not{
-									knockout_unitsq
-								}if
-							}if
-						}ifelse
-					}ifelse
-				}ifelse
-			}ifelse
-			cleartomark restore
-		}ifelse
-		currentdict/_Filters known{_Filters AGMIMG_flushfilters}if
-	end
-}def
-/sep_imageormask
-{
- 	/sep_colorspace_dict AGMCORE_gget begin
-	CSA map_csa
-	begin
-	AGMIMG_init_common
-	SkipImageProc{
-		currentdict consumeimagedata
-	}{
-		save mark 
-		AGMCORE_avoid_L2_sep_space{
-			/Decode[Decode 0 get 255 mul Decode 1 get 255 mul]def
-		}if
- 		AGMIMG_ccimage_exists 
-		MappedCSA 0 get/DeviceCMYK eq and
-		currentdict/Components known and 
-		Name()ne and 
-		Name(All)ne and 
-		Operator/image eq and
-		AGMCORE_producing_seps not and
-		level2 not and
-		{
-			Width Height BitsPerComponent ImageMatrix 
-			[
-			/DataSource load/exec cvx
-			{
-				0 1 2 index length 1 sub{
-					1 index exch
-					2 copy get 255 xor put
-				}for
-			}/exec cvx
-			]cvx bind
-			MappedCSA 0 get/DeviceCMYK eq{
-				Components aload pop
-			}{
-				0 0 0 Components aload pop 1 exch sub
-			}ifelse
-			Name findcmykcustomcolor
-			customcolorimage
-		}{
-			AGMCORE_producing_seps not{
-				level2{
- 					//Adobe_AGM_Core/AGMCORE_pattern_paint_type get 2 ne AGMCORE_avoid_L2_sep_space not and currentcolorspace 0 get/Separation ne and{
-						[/Separation Name MappedCSA sep_proc_name exch dup 0 get 15 string cvs(/Device)anchorsearch{pop pop 0 get}{pop}ifelse exch load]setcolorspace_opt
-						/sep_tint AGMCORE_gget setcolor
-					}if
-					currentdict imageormask
-				}{
-					currentdict
-					Operator/imagemask eq{
-						imageormask
-					}{
-						sep_imageormask_lev1
-					}ifelse
-				}ifelse
- 			}{
-				AGMCORE_host_sep{
-					Operator/knockout eq{
-						currentdict/ImageMatrix get concat
-						knockout_unitsq
-					}{
-						currentgray 1 ne{
- 							AGMCORE_is_cmyk_sep Name(All)ne and{
- 								level2{
- 									Name AGMCORE_IsSeparationAProcessColor 
- 									{
- 										Operator/imagemask eq{
- 											//Adobe_AGM_Core/AGMCORE_pattern_paint_type get 2 ne{
- 												/sep_tint AGMCORE_gget 1 exch sub AGMCORE_&setcolor
- 											}if
- 										}{
-											invert_image_samples
- 										}ifelse
-	 								}{
-	 									//Adobe_AGM_Core/AGMCORE_pattern_paint_type get 2 ne{
-	 										[/Separation Name[/DeviceGray]
-	 										{
-	 											sep_colorspace_proc AGMCORE_get_ink_data
-												1 exch sub
-	 										}bind
-											]AGMCORE_&setcolorspace
-											/sep_tint AGMCORE_gget AGMCORE_&setcolor
-										}if
- 									}ifelse
- 									currentdict imageormask_sys
-	 							}{
-	 								currentdict
-									Operator/imagemask eq{
-										imageormask_sys
-									}{
-										sep_image_lev1_sep
-									}ifelse
-	 							}ifelse
- 							}{
- 								Operator/imagemask ne{
-									invert_image_samples
- 								}if
-		 						currentdict imageormask_sys
- 							}ifelse
- 						}{
- 							currentoverprint not Name(All)eq or Operator/imagemask eq and{
-								currentdict imageormask_sys 
-								}{
-								currentoverprint not
-									{
- 									gsave 
- 									knockout_unitsq
- 									grestore
-									}if
-								currentdict consumeimagedata 
-		 					}ifelse
- 						}ifelse
-		 			}ifelse
- 				}{
-					//Adobe_AGM_Core/AGMCORE_pattern_paint_type get 2 ne{
-						currentcolorspace 0 get/Separation ne{
-							[/Separation Name MappedCSA sep_proc_name exch 0 get exch load]setcolorspace_opt
-							/sep_tint AGMCORE_gget setcolor
-						}if
-					}if
-					currentoverprint 
-					MappedCSA 0 get/DeviceCMYK eq and 
-					Name AGMCORE_IsSeparationAProcessColor not and
-					//Adobe_AGM_Core/AGMCORE_pattern_paint_type get 2 ne{Name inRip_spot_has_ink not and}{false}ifelse 
-					Name(All)ne and{
-						imageormask_l2_overprint
-					}{
-						currentdict imageormask
- 					}ifelse
-				}ifelse
-			}ifelse
-		}ifelse
-		cleartomark restore
-	}ifelse
-	currentdict/_Filters known{_Filters AGMIMG_flushfilters}if
-	end
-	end
-}def
-/colorSpaceElemCnt
-{
-	mark currentcolor counttomark dup 2 add 1 roll cleartomark
-}bdf
-/devn_sep_datasource
-{
-	1 dict begin
-	/dataSource xdf
-	[
-		0 1 dataSource length 1 sub{
-			dup currentdict/dataSource get/exch cvx/get cvx/exec cvx
-			/exch cvx names_index/ne cvx[/pop cvx]cvx/if cvx
-		}for
-	]cvx bind
-	end
-}bdf		
-/devn_alt_datasource
-{
-	11 dict begin
-	/convProc xdf
-	/origcolorSpaceElemCnt xdf
-	/origMultipleDataSources xdf
-	/origBitsPerComponent xdf
-	/origDecode xdf
-	/origDataSource xdf
-	/dsCnt origMultipleDataSources{origDataSource length}{1}ifelse def
-	/DataSource origMultipleDataSources
-		{
-			[
-			BitsPerComponent 8 idiv origDecode length 2 idiv mul string
-			0 1 origDecode length 2 idiv 1 sub
-				{
-				dup 7 mul 1 add index exch dup BitsPerComponent 8 idiv mul exch
-				origDataSource exch get 0()/SubFileDecode filter
-				BitsPerComponent 8 idiv string/readstring cvx/pop cvx/putinterval cvx
-				}for 
-			]bind cvx
-		}{origDataSource}ifelse 0()/SubFileDecode filter def		
-	[
-		origcolorSpaceElemCnt string
-		0 2 origDecode length 2 sub
-			{
-			dup origDecode exch get dup 3 -1 roll 1 add origDecode exch get exch sub 2 BitsPerComponent exp 1 sub div
-			1 BitsPerComponent 8 idiv{DataSource/read cvx/not cvx{0}/if cvx/mul cvx}repeat/mul cvx/add cvx
-			}for
-		/convProc load/exec cvx
-		origcolorSpaceElemCnt 1 sub -1 0
-			{
-			/dup cvx 2/add cvx/index cvx
-			3 1/roll cvx/exch cvx 255/mul cvx/cvi cvx/put cvx
-			}for
-	]bind cvx 0()/SubFileDecode filter
-	end
-}bdf
-/devn_imageormask
-{
- 	/devicen_colorspace_dict AGMCORE_gget begin
-	CSA map_csa
-	2 dict begin
-	dup
-	/srcDataStrs[3 -1 roll begin
-		AGMIMG_init_common
-		currentdict/MultipleDataSources known{MultipleDataSources{DataSource length}{1}ifelse}{1}ifelse
-		{
-			Width Decode length 2 div mul cvi
-			{
-				dup 65535 gt{1 add 2 div cvi}{exit}ifelse
-			}loop
-			string
-		}repeat
-		end]def
-	/dstDataStr srcDataStrs 0 get length string def
-	begin
-	AGMIMG_init_common
-	SkipImageProc{
-		currentdict consumeimagedata
-	}{
-		save mark 
-		AGMCORE_producing_seps not{
-			level3 not{
-				Operator/imagemask ne{
-					/DataSource[[
-						DataSource Decode BitsPerComponent currentdict/MultipleDataSources known{MultipleDataSources}{false}ifelse
-						colorSpaceElemCnt/devicen_colorspace_dict AGMCORE_gget/TintTransform get 
-						devn_alt_datasource 1/string cvx/readstring cvx/pop cvx]cvx colorSpaceElemCnt 1 sub{dup}repeat]def				
-					/MultipleDataSources true def
-					/Decode colorSpaceElemCnt[exch{0 1}repeat]def
-				}if
-			}if
-			currentdict imageormask
- 		}{
-			AGMCORE_host_sep{
-				Names convert_to_process{
-					CSA get_csa_by_name 0 get/DeviceCMYK eq{
-						/DataSource
-							Width BitsPerComponent mul 7 add 8 idiv Height mul 4 mul 
-							DataSource Decode BitsPerComponent currentdict/MultipleDataSources known{MultipleDataSources}{false}ifelse
-							4/devicen_colorspace_dict AGMCORE_gget/TintTransform get 
-							devn_alt_datasource
-						filter_cmyk 0()/SubFileDecode filter def
-						/MultipleDataSources false def
-						/Decode[1 0]def
-						/DeviceGray setcolorspace
-			 			currentdict imageormask_sys
- 					}{
-						AGMCORE_report_unsupported_color_space
-						AGMCORE_black_plate{
-							/DataSource
-								DataSource Decode BitsPerComponent currentdict/MultipleDataSources known{MultipleDataSources}{false}ifelse
-								CSA get_csa_by_name 0 get/DeviceRGB eq{3}{1}ifelse/devicen_colorspace_dict AGMCORE_gget/TintTransform get
-								devn_alt_datasource
-							/MultipleDataSources false def
-							/Decode colorSpaceElemCnt[exch{0 1}repeat]def
-				 			currentdict imageormask_sys
-				 		}{
-	 						gsave 
-	 						knockout_unitsq
-	 						grestore
-							currentdict consumeimagedata 
-						}ifelse
- 					}ifelse
-				}
-				{	
-					/devicen_colorspace_dict AGMCORE_gget/names_index known{
-	 					Operator/imagemask ne{
-	 						MultipleDataSources{
-		 						/DataSource[DataSource devn_sep_datasource/exec cvx]cvx def
-								/MultipleDataSources false def
-	 						}{
-								/DataSource/DataSource load dstDataStr srcDataStrs 0 get filter_devn def
-	 						}ifelse
-							invert_image_samples
-	 					}if
-			 			currentdict imageormask_sys
-	 				}{
-	 					currentoverprint not Operator/imagemask eq and{
-							currentdict imageormask_sys 
-							}{
-							currentoverprint not
-								{
-	 							gsave 
-	 							knockout_unitsq
-	 							grestore
-								}if
-							currentdict consumeimagedata 
-			 			}ifelse
-	 				}ifelse
-	 			}ifelse
- 			}{
-				currentdict imageormask
-			}ifelse
-		}ifelse
-		cleartomark restore
-	}ifelse
-	currentdict/_Filters known{_Filters AGMIMG_flushfilters}if
-	end
-	end
-	end
-}def
-/imageormask_l2_overprint
-{
-	currentdict
-	currentcmykcolor add add add 0 eq{
-		currentdict consumeimagedata
-	}{
-		level3{			
-			currentcmykcolor 
-			/AGMIMG_k xdf 
-			/AGMIMG_y xdf 
-			/AGMIMG_m xdf 
-			/AGMIMG_c xdf
-			Operator/imagemask eq{
-				[/DeviceN[
-				AGMIMG_c 0 ne{/Cyan}if
-				AGMIMG_m 0 ne{/Magenta}if
-				AGMIMG_y 0 ne{/Yellow}if
-				AGMIMG_k 0 ne{/Black}if
-				]/DeviceCMYK{}]setcolorspace
-				AGMIMG_c 0 ne{AGMIMG_c}if
-				AGMIMG_m 0 ne{AGMIMG_m}if
-				AGMIMG_y 0 ne{AGMIMG_y}if
-				AGMIMG_k 0 ne{AGMIMG_k}if
-				setcolor			
-			}{	
-				/Decode[Decode 0 get 255 mul Decode 1 get 255 mul]def
-				[/Indexed 				
-					[
-						/DeviceN[
-							AGMIMG_c 0 ne{/Cyan}if
-							AGMIMG_m 0 ne{/Magenta}if
-							AGMIMG_y 0 ne{/Yellow}if
-							AGMIMG_k 0 ne{/Black}if
-						]
-						/DeviceCMYK{
-							AGMIMG_k 0 eq{0}if
-							AGMIMG_y 0 eq{0 exch}if
-							AGMIMG_m 0 eq{0 3 1 roll}if
-							AGMIMG_c 0 eq{0 4 1 roll}if						
-						}
-					]
-					255
-					{
-						255 div 
-						mark exch
-						dup	dup dup
-						AGMIMG_k 0 ne{
-							/sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 1 roll pop pop pop		
-							counttomark 1 roll
-						}{
-							pop
-						}ifelse
-						AGMIMG_y 0 ne{
-							/sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 2 roll pop pop pop		
-							counttomark 1 roll
-						}{
-							pop
-						}ifelse
-						AGMIMG_m 0 ne{
-							/sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 3 roll pop pop pop		
-							counttomark 1 roll
-						}{
-							pop
-						}ifelse
-						AGMIMG_c 0 ne{
-							/sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec pop pop pop		
-							counttomark 1 roll
-						}{
-							pop
-						}ifelse
-						counttomark 1 add -1 roll pop
-					}
-				]setcolorspace
-			}ifelse
-			imageormask_sys
-		}{
-	write_image_file{
-		currentcmykcolor
-		0 ne{
-			[/Separation/Black/DeviceGray{}]setcolorspace
-			gsave
-			/Black
-			[{1 exch sub/sep_tint AGMCORE_gget mul}/exec cvx MappedCSA sep_proc_name cvx exch pop{4 1 roll pop pop pop 1 exch sub}/exec cvx]
-			cvx modify_halftone_xfer
-			Operator currentdict read_image_file
-			grestore
-		}if
-		0 ne{
-			[/Separation/Yellow/DeviceGray{}]setcolorspace
-			gsave
-			/Yellow
-			[{1 exch sub/sep_tint AGMCORE_gget mul}/exec cvx MappedCSA sep_proc_name cvx exch pop{4 2 roll pop pop pop 1 exch sub}/exec cvx]
-			cvx modify_halftone_xfer
-			Operator currentdict read_image_file
-			grestore
-		}if
-		0 ne{
-			[/Separation/Magenta/DeviceGray{}]setcolorspace
-			gsave
-			/Magenta
-			[{1 exch sub/sep_tint AGMCORE_gget mul}/exec cvx MappedCSA sep_proc_name cvx exch pop{4 3 roll pop pop pop 1 exch sub}/exec cvx]
-			cvx modify_halftone_xfer
-			Operator currentdict read_image_file
-			grestore
-		}if
-		0 ne{
-			[/Separation/Cyan/DeviceGray{}]setcolorspace
-			gsave
-			/Cyan 
-			[{1 exch sub/sep_tint AGMCORE_gget mul}/exec cvx MappedCSA sep_proc_name cvx exch pop{pop pop pop 1 exch sub}/exec cvx]
-			cvx modify_halftone_xfer
-			Operator currentdict read_image_file
-			grestore
-		}if
-				close_image_file
-			}{
-				imageormask
-			}ifelse
-		}ifelse
-	}ifelse
-}def
-/indexed_imageormask
-{
-	begin
-		AGMIMG_init_common
-		save mark 
- 		currentdict
- 		AGMCORE_host_sep{
-			Operator/knockout eq{
-				/indexed_colorspace_dict AGMCORE_gget dup/CSA known{
-					/CSA get get_csa_by_name
-				}{
-					/Names get
-				}ifelse
-				overprint_plate not{
-					knockout_unitsq
-				}if
-			}{
-				Indexed_DeviceN{
-					/devicen_colorspace_dict AGMCORE_gget dup/names_index known exch/Names get convert_to_process or{
-			 			indexed_image_lev2_sep
-					}{
-						currentoverprint not{
-							knockout_unitsq
-			 			}if
-			 			currentdict consumeimagedata
-					}ifelse
-				}{
-		 			AGMCORE_is_cmyk_sep{
-						Operator/imagemask eq{
-							imageormask_sys
-						}{
-							level2{
-								indexed_image_lev2_sep
-							}{
-								indexed_image_lev1_sep
-							}ifelse
-						}ifelse
-					}{
-						currentoverprint not{
-							knockout_unitsq
-			 			}if
-			 			currentdict consumeimagedata
-					}ifelse
-				}ifelse
-			}ifelse
- 		}{
-			level2{
-				Indexed_DeviceN{
-					/indexed_colorspace_dict AGMCORE_gget begin
-				}{
-					/indexed_colorspace_dict AGMCORE_gget dup null ne
-					{
-						begin
-						currentdict/CSDBase known{CSDBase/CSD get_res/MappedCSA get}{CSA}ifelse
-						get_csa_by_name 0 get/DeviceCMYK eq ps_level 3 ge and ps_version 3015.007 lt and
-						AGMCORE_in_rip_sep and{
-							[/Indexed[/DeviceN[/Cyan/Magenta/Yellow/Black]/DeviceCMYK{}]HiVal Lookup]
-							setcolorspace
-						}if
-						end
-					}
-					{pop}ifelse
-				}ifelse
-				imageormask
-				Indexed_DeviceN{
-					end
-				}if
-			}{
-				Operator/imagemask eq{
-					imageormask
-				}{
-					indexed_imageormask_lev1
-				}ifelse
-			}ifelse
- 		}ifelse
-		cleartomark restore
-	currentdict/_Filters known{_Filters AGMIMG_flushfilters}if
-	end
-}def
-/indexed_image_lev2_sep
-{
-	/indexed_colorspace_dict AGMCORE_gget begin
-	begin
-		Indexed_DeviceN not{
-			currentcolorspace 
-			dup 1/DeviceGray put
-			dup 3
-			currentcolorspace 2 get 1 add string
-			0 1 2 3 AGMCORE_get_ink_data 4 currentcolorspace 3 get length 1 sub
-			{
-			dup 4 idiv exch currentcolorspace 3 get exch get 255 exch sub 2 index 3 1 roll put
-			}for 
-			put	setcolorspace
-		}if
-		currentdict 
-		Operator/imagemask eq{
-			AGMIMG_&imagemask
-		}{
-			use_mask{
-				process_mask AGMIMG_&image
-			}{
-				AGMIMG_&image
-			}ifelse
-		}ifelse
-	end end
-}def
- /OPIimage
- {
- 	dup type/dicttype ne{
- 		10 dict begin
- 			/DataSource xdf
- 			/ImageMatrix xdf
- 			/BitsPerComponent xdf
- 			/Height xdf
- 			/Width xdf
- 			/ImageType 1 def
- 			/Decode[0 1 def]
- 			currentdict
- 		end
- 	}if
- 	dup begin
- 		/NComponents 1 cdndf
- 		/MultipleDataSources false cdndf
- 		/SkipImageProc{false}cdndf
- 		/Decode[
- 				0 
- 				currentcolorspace 0 get/Indexed eq{
- 					2 BitsPerComponent exp 1 sub
- 				}{
- 					1
- 				}ifelse
- 		]cdndf
- 		/Operator/image cdndf
- 	end
- 	/sep_colorspace_dict AGMCORE_gget null eq{
- 		imageormask
- 	}{
- 		gsave
- 		dup begin invert_image_samples end
- 		sep_imageormask
- 		grestore
- 	}ifelse
- }def
-/cachemask_level2
-{
-	3 dict begin
-	/LZWEncode filter/WriteFilter xdf
-	/readBuffer 256 string def
-	/ReadFilter
-		currentfile
-		0(%EndMask)/SubFileDecode filter
-		/ASCII85Decode filter
-		/RunLengthDecode filter
-	def
-	{
-		ReadFilter readBuffer readstring exch
-		WriteFilter exch writestring
-		not{exit}if
-	}loop
-	WriteFilter closefile
-	end
-}def
-/spot_alias
-{
-	/mapto_sep_imageormask 
-	{
-		dup type/dicttype ne{
-			12 dict begin
-				/ImageType 1 def
-				/DataSource xdf
-				/ImageMatrix xdf
-				/BitsPerComponent xdf
-				/Height xdf
-				/Width xdf
-				/MultipleDataSources false def
-		}{
-			begin
-		}ifelse
-				/Decode[/customcolor_tint AGMCORE_gget 0]def
-				/Operator/image def
-				/SkipImageProc{false}def
-				currentdict 
-			end
-		sep_imageormask
-	}bdf
-	/customcolorimage
-	{
-		Adobe_AGM_Image/AGMIMG_colorAry xddf
-		/customcolor_tint AGMCORE_gget
-		<<
-			/Name AGMIMG_colorAry 4 get
-			/CSA[/DeviceCMYK]
-			/TintMethod/Subtractive
-			/TintProc null
-			/MappedCSA null
-			/NComponents 4 
-			/Components[AGMIMG_colorAry aload pop pop]
-		>>
-		setsepcolorspace
-		mapto_sep_imageormask
-	}ndf
-	Adobe_AGM_Image/AGMIMG_&customcolorimage/customcolorimage load put
-	/customcolorimage
-	{
-		Adobe_AGM_Image/AGMIMG_override false put
-		current_spot_alias{dup 4 get map_alias}{false}ifelse
-		{
-			false set_spot_alias
-			/customcolor_tint AGMCORE_gget exch setsepcolorspace
-			pop
-			mapto_sep_imageormask
-			true set_spot_alias
-		}{
-			//Adobe_AGM_Image/AGMIMG_&customcolorimage get exec
-		}ifelse			
-	}bdf
-}def
-/snap_to_device
-{
-	6 dict begin
-	matrix currentmatrix
-	dup 0 get 0 eq 1 index 3 get 0 eq and
-	1 index 1 get 0 eq 2 index 2 get 0 eq and or exch pop
-	{
-		1 1 dtransform 0 gt exch 0 gt/AGMIMG_xSign? exch def/AGMIMG_ySign? exch def
-		0 0 transform
-		AGMIMG_ySign?{floor 0.1 sub}{ceiling 0.1 add}ifelse exch
-		AGMIMG_xSign?{floor 0.1 sub}{ceiling 0.1 add}ifelse exch
-		itransform/AGMIMG_llY exch def/AGMIMG_llX exch def
-		1 1 transform
-		AGMIMG_ySign?{ceiling 0.1 add}{floor 0.1 sub}ifelse exch
-		AGMIMG_xSign?{ceiling 0.1 add}{floor 0.1 sub}ifelse exch
-		itransform/AGMIMG_urY exch def/AGMIMG_urX exch def			
-		[AGMIMG_urX AGMIMG_llX sub 0 0 AGMIMG_urY AGMIMG_llY sub AGMIMG_llX AGMIMG_llY]concat
-	}{
-	}ifelse
-	end
-}def
-level2 not{
-	/colorbuf
-	{
-		0 1 2 index length 1 sub{
-			dup 2 index exch get 
-			255 exch sub 
-			2 index 
-			3 1 roll 
-			put
-		}for
-	}def
-	/tint_image_to_color
-	{
-		begin
-			Width Height BitsPerComponent ImageMatrix 
-			/DataSource load
-		end
-		Adobe_AGM_Image begin
-			/AGMIMG_mbuf 0 string def
-			/AGMIMG_ybuf 0 string def
-			/AGMIMG_kbuf 0 string def
-			{
-				colorbuf dup length AGMIMG_mbuf length ne
-					{
-					dup length dup dup
-					/AGMIMG_mbuf exch string def
-					/AGMIMG_ybuf exch string def
-					/AGMIMG_kbuf exch string def
-					}if
-				dup AGMIMG_mbuf copy AGMIMG_ybuf copy AGMIMG_kbuf copy pop
-			}
-			addprocs
-			{AGMIMG_mbuf}{AGMIMG_ybuf}{AGMIMG_kbuf}true 4 colorimage	
-		end
-	}def			
-	/sep_imageormask_lev1
-	{
-		begin
-			MappedCSA 0 get dup/DeviceRGB eq exch/DeviceCMYK eq or has_color not and{
-				{
-					255 mul round cvi GrayLookup exch get
-				}currenttransfer addprocs settransfer
-				currentdict imageormask
-			}{
-				/sep_colorspace_dict AGMCORE_gget/Components known{
-					MappedCSA 0 get/DeviceCMYK eq{
-						Components aload pop
-					}{
-						0 0 0 Components aload pop 1 exch sub
-					}ifelse
-					Adobe_AGM_Image/AGMIMG_k xddf 
-					Adobe_AGM_Image/AGMIMG_y xddf 
-					Adobe_AGM_Image/AGMIMG_m xddf 
-					Adobe_AGM_Image/AGMIMG_c xddf 
-					AGMIMG_y 0.0 eq AGMIMG_m 0.0 eq and AGMIMG_c 0.0 eq and{
-						{AGMIMG_k mul 1 exch sub}currenttransfer addprocs settransfer
-						currentdict imageormask
-					}{
-						currentcolortransfer
-						{AGMIMG_k mul 1 exch sub}exch addprocs 4 1 roll
-						{AGMIMG_y mul 1 exch sub}exch addprocs 4 1 roll
-						{AGMIMG_m mul 1 exch sub}exch addprocs 4 1 roll
-						{AGMIMG_c mul 1 exch sub}exch addprocs 4 1 roll
-						setcolortransfer
-						currentdict tint_image_to_color
-					}ifelse
-				}{
-					MappedCSA 0 get/DeviceGray eq{
-						{255 mul round cvi ColorLookup exch get 0 get}currenttransfer addprocs settransfer
-						currentdict imageormask
-					}{
-						MappedCSA 0 get/DeviceCMYK eq{
-							currentcolortransfer
-							{255 mul round cvi ColorLookup exch get 3 get 1 exch sub}exch addprocs 4 1 roll
-							{255 mul round cvi ColorLookup exch get 2 get 1 exch sub}exch addprocs 4 1 roll
-							{255 mul round cvi ColorLookup exch get 1 get 1 exch sub}exch addprocs 4 1 roll
-							{255 mul round cvi ColorLookup exch get 0 get 1 exch sub}exch addprocs 4 1 roll
-							setcolortransfer 
-							currentdict tint_image_to_color
-						}{
-							currentcolortransfer
-							{pop 1}exch addprocs 4 1 roll
-							{255 mul round cvi ColorLookup exch get 2 get}exch addprocs 4 1 roll
-							{255 mul round cvi ColorLookup exch get 1 get}exch addprocs 4 1 roll
-							{255 mul round cvi ColorLookup exch get 0 get}exch addprocs 4 1 roll
-							setcolortransfer 
-							currentdict tint_image_to_color
-						}ifelse
-					}ifelse
-				}ifelse
-			}ifelse
-		end
-	}def
-	/sep_image_lev1_sep
-	{
-		begin
-			/sep_colorspace_dict AGMCORE_gget/Components known{
-				Components aload pop
-				Adobe_AGM_Image/AGMIMG_k xddf 
-				Adobe_AGM_Image/AGMIMG_y xddf 
-				Adobe_AGM_Image/AGMIMG_m xddf 
-				Adobe_AGM_Image/AGMIMG_c xddf 
-				{AGMIMG_c mul 1 exch sub}
-				{AGMIMG_m mul 1 exch sub}
-				{AGMIMG_y mul 1 exch sub}
-				{AGMIMG_k mul 1 exch sub}
-			}{
-				{255 mul round cvi ColorLookup exch get 0 get 1 exch sub}
-				{255 mul round cvi ColorLookup exch get 1 get 1 exch sub}
-				{255 mul round cvi ColorLookup exch get 2 get 1 exch sub}
-				{255 mul round cvi ColorLookup exch get 3 get 1 exch sub}
-			}ifelse
-			AGMCORE_get_ink_data currenttransfer addprocs settransfer
-			currentdict imageormask_sys
-		end
-	}def
-	/indexed_imageormask_lev1
-	{
-		/indexed_colorspace_dict AGMCORE_gget begin
-		begin
-			currentdict
-			MappedCSA 0 get dup/DeviceRGB eq exch/DeviceCMYK eq or has_color not and{
-				{HiVal mul round cvi GrayLookup exch get HiVal div}currenttransfer addprocs settransfer
-				imageormask
-			}{
-				MappedCSA 0 get/DeviceGray eq{
-					{HiVal mul round cvi Lookup exch get HiVal div}currenttransfer addprocs settransfer
-					imageormask
-				}{
-					MappedCSA 0 get/DeviceCMYK eq{
-						currentcolortransfer
-						{4 mul HiVal mul round cvi 3 add Lookup exch get HiVal div 1 exch sub}exch addprocs 4 1 roll
-						{4 mul HiVal mul round cvi 2 add Lookup exch get HiVal div 1 exch sub}exch addprocs 4 1 roll
-						{4 mul HiVal mul round cvi 1 add Lookup exch get HiVal div 1 exch sub}exch addprocs 4 1 roll
-						{4 mul HiVal mul round cvi		 Lookup exch get HiVal div 1 exch sub}exch addprocs 4 1 roll
-						setcolortransfer 
-						tint_image_to_color
-					}{
-						currentcolortransfer
-						{pop 1}exch addprocs 4 1 roll
-						{3 mul HiVal mul round cvi 2 add Lookup exch get HiVal div}exch addprocs 4 1 roll
-						{3 mul HiVal mul round cvi 1 add Lookup exch get HiVal div}exch addprocs 4 1 roll
-						{3 mul HiVal mul round cvi 		Lookup exch get HiVal div}exch addprocs 4 1 roll
-						setcolortransfer 
-						tint_image_to_color
-					}ifelse
-				}ifelse
-			}ifelse
-		end end
-	}def
-	/indexed_image_lev1_sep
-	{
-		/indexed_colorspace_dict AGMCORE_gget begin
-		begin
-			{4 mul HiVal mul round cvi		 Lookup exch get HiVal div 1 exch sub}
-			{4 mul HiVal mul round cvi 1 add Lookup exch get HiVal div 1 exch sub}
-			{4 mul HiVal mul round cvi 2 add Lookup exch get HiVal div 1 exch sub}
-			{4 mul HiVal mul round cvi 3 add Lookup exch get HiVal div 1 exch sub}
-			AGMCORE_get_ink_data currenttransfer addprocs settransfer
-			currentdict imageormask_sys
-		end end
-	}def
-}if
-end
-systemdict/setpacking known
-{setpacking}if
-%%EndResource
-currentdict Adobe_AGM_Utils eq {end} if
-%%EndProlog
-%%BeginSetup
-Adobe_AGM_Utils begin
-2 2010 Adobe_AGM_Core/ds gx
-Adobe_CoolType_Core/ds get exec
Adobe_AGM_Image/ds gx
-currentdict Adobe_AGM_Utils eq {end} if
-%%EndSetup
-%%Page: (Page 1) 1
-%%EndPageComments
-%%BeginPageSetup
-%ADOBeginClientInjection: PageSetup Start "AI11EPS"
-%AI12_RMC_Transparency: Balance=75 RasterRes=300 GradRes=150 Text=0 Stroke=1 Clip=1 OP=0

-%ADOEndClientInjection: PageSetup Start "AI11EPS"
-Adobe_AGM_Utils begin
-Adobe_AGM_Core/ps gx
-Adobe_AGM_Utils/capture_cpd gx
-Adobe_CoolType_Core/ps get exec
Adobe_AGM_Image/ps gx
-%ADOBeginClientInjection: PageSetup End "AI11EPS"
-/currentdistillerparams where
{pop currentdistillerparams /CoreDistVersion get 5000 lt} {true} ifelse
{ userdict /AI11_PDFMark5 /cleartomark load put
userdict /AI11_ReadMetadata_PDFMark5 {flushfile cleartomark } bind put}
{ userdict /AI11_PDFMark5 /pdfmark load put
userdict /AI11_ReadMetadata_PDFMark5 {/PUT pdfmark} bind put } ifelse
[/NamespacePush AI11_PDFMark5
[/_objdef {ai_metadata_stream_123} /type /stream /OBJ AI11_PDFMark5
[{ai_metadata_stream_123}
currentfile 0 (%  &&end XMP packet marker&&)
/SubFileDecode filter AI11_ReadMetadata_PDFMark5
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
-<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.277092, Fri Feb 23 2007 14:16:18        ">
-   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
-      <rdf:Description rdf:about=""
-            xmlns:dc="http://purl.org/dc/elements/1.1/">
-         <dc:format>application/postscript</dc:format>
-         <dc:title>
-            <rdf:Alt>
-               <rdf:li xml:lang="x-default">ISC_logo_only_RGB</rdf:li>
-            </rdf:Alt>
-         </dc:title>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:xap="http://ns.adobe.com/xap/1.0/"
-            xmlns:xapGImg="http://ns.adobe.com/xap/1.0/g/img/">
-         <xap:CreatorTool>Adobe Illustrator CS3</xap:CreatorTool>
-         <xap:CreateDate>2010-03-25T14:28-07:00</xap:CreateDate>
-         <xap:ModifyDate>2010-03-25T14:28-07:00</xap:ModifyDate>
-         <xap:MetadataDate>2010-03-25T14:28-07:00</xap:MetadataDate>
-         <xap:Thumbnails>
-            <rdf:Alt>
-               <rdf:li rdf:parseType="Resource">
-                  <xapGImg:width>256</xapGImg:width>
-                  <xapGImg:height>100</xapGImg:height>
-                  <xapGImg:format>JPEG</xapGImg:format>
-                  <xapGImg:image>/9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA&#xA;AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK&#xA;DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f&#xA;Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgAZAEAAwER&#xA;AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA&#xA;AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB&#xA;UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE&#xA;1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ&#xA;qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy&#xA;obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp&#xA;0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo&#xA;+DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8A53hQ7FXYq7FXYq7FXAEk&#xA;ACpPQYq9K8sfkxeTWA1vzfeL5c0NaMTOQtxIp3oqtshPblv/AJJxVM5PzH/LXymDb+S/Lyahdpt+&#xA;mNRBJJH7ShgZKHwHp/LFKQ6p+en5k37HjqS2UZ/3VawxqB8mYPJ/w2KEri/Nb8xYpDIuv3ZYmpDs&#xA;HX6FYFR92Ksk0/8APzzG8P1PzLYWXmDT3/vYp4ljc9tioMfT/ivFKLk8kfl/56he48i3f6J1sKXk&#xA;0C9JCvQVPpMS34Fh4hcVeYatpGp6Rfy6fqVs9reQGkkMgoR4HwIPYjY4oQmKuxV2KuxV2KuxV2Kp&#xA;nYeWPMmo2Ut9YaXdXVnDX1biGGR4xTc/EoI274qlmKuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2&#xA;KovSdI1LV9Qh07Tbd7q8uG4xQxipPiT2AA3JOwxV6/Fp/k38pbVLnU/T13zzIoaC0U1htaioY1Hw&#xA;/wCsRyb9kAVOKXmHmrzl5h8035vNYummYV9GAfDDED+zGnQfPqe5xQkmKuxV2KuxVfBPPbzJPBI0&#xA;M8TB45YyVdWBqCrDcEYq9c0TzHo35mabH5a82PHa+Z4l46Lr3EKZW7Qy0pufDo3ajdVLzHzD5f1X&#xA;y/q9xpWqQ+jd25ow6qyndXQ91Ybg4oS7FXYq7FXYq7FWZflr5Jt/MWoXF7q0htvLekRm51a6rT4Q&#xA;CREpG9Xoenb3pirIL/8APvzHBq8S+XoodO8uWZWO20oRR0eFD0kbiWUsP5CKe/UqUp/OHRrC21+1&#xA;1zS04aV5ktU1K3UCgWSQfvU29yGPhyxQwPFXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYqm/ljzVrf&#xA;ljUW1HRpxBdPE8DOyK44PQnZgR1UH6MVS27u7q8uZbq6lee5mYvLNISzsx6kk7nFVLFXYq7FXYq7&#xA;FXYq2jujq6MVdSCrA0II3BBGKvY7SSL82PJr2U5X/HWgRcraYkBry3HZie56Hwah/aOKXjskckcj&#xA;RyKUkQlXRgQQQaEEHoRihbirsVdiq+GGWaVIYkMksjBI0UVLMxoAB4k4q9T/ADJmi8n+T9K/L6xc&#xA;C8mVb/zFIhrzlfdIyR2BH3Kvjil5Tih6f5nj/SH5G+VNRPxTabeXFkx7hJWkYfhEgxV5hirsVZF5&#xA;Z/L7zh5lIOk6bLLATQ3bj04B4/vH4qaeAqcVZ7D+ROlaUiy+cPNFrp5pU2tvRpCP8lpCrH6IzluP&#xA;DOf0glozanFi+uQiriw/5x70v4TFqOuEU+MtIlfuNoMzYdlZjzofH9VutydvaaPImXuH66cfMv5L&#xA;oCkXk12RvtF5PiHyPqMfxy4djT/nBxj7SYukZfYsaX8g9QJSXRb/AEt229eKR2UCnWnqy/8AEMhL&#xA;sjKORBbYe0OA8xIfj3oa5/JTRdZhe48i+YodRKgt+j7ukc4X/WAU17fFGo98wMunyY/qFO10+rxZ&#xA;vokD9/yeZaxouq6NfyWGqWslneR/ahlFDQ9GHZlPYjY5S5CCxV2KuxV2KuxV2KuxV2KuxV2KuxV2&#xA;KuxV2Kpn5Z8w6h5d1y01iwalxaOG4n7Lqdnjb/JdSQcVZ5+cnl/T7ldP8+aEv+4jzAoa5AH93dUP&#xA;LlTYF+Jr/lK3jil5hih2KuxV6R+RugWt15kuPMOo0XS/LcJvZnYVAloTH/wIVn+ajFLCvM+vXOv+&#xA;YL/WbnaW9maXj14p0RPkiAL9GKEsxVOT5t1s+Vh5Y9Vf0QLj60I+C8+dOnPrSu+Kojyh5D8y+bLv&#xA;0NItS8SECe8kqkEVf53od/8AJFT7Yq9Ph8tflZ+Xy11hh5n8xJ1tAFMETU6MhLIP9nyPfiMzdNoM&#xA;mXflHvLrNb2thwbXxS7h+nuSnzD+cPm7VVMFpKNJsQOKW9n8LBQKAGX7f/A8R7ZvMHZmKHMcR8/1&#xA;PMartvPl2B4I+X62ESSSSO0kjF5GNWdiSST3JObACnUEkmytwodirsVVLe5uLadJ7eV4Z4zyjljY&#xA;qykdww3GCUQRR5MoyMTYNF6bovmLRvzBsE8recgo1ShXR9bUBZBKdlRj/Mfuf/Woc5/X9ncA44cu&#xA;oet7J7ZOQjHl+roe/wAj5vDc0z0bsVdiq+GGaeVYoY2llc0SNAWYnwAG5xVluk/lF+YuqANBok8U&#xA;Z353XG2FPGkxRj9AxVksH/OOnm4RiXUNR06wjPXnLIzDueiBen+VjaVT/lRmlJ8Nx520uKUdUqhp&#xA;4dZVP4Yq1/yozTJKLbeddLmk/kqg28fhlfFVKf8A5x385GMy2F9p1/H29KZwT3/aQL/w2KsZ1b8p&#xA;/wAxNKBa50O4eNdy9sFuRQdz6JkIHzxQxSWKSKRo5UaORTRkYEEH3BxVbirsVdirsVet/k7fW3mH&#xA;Q9Z/LvU5P3V/E1xpLNv6c6fE3H5ELIB7N44peV31lc2N7cWV0hiubWR4Z4z1V42KsPoIxQoYq7FX&#xA;r+qj/B/5G2VgP3eqebZfrE/Zvq9Ffr4emIwR/lHFLyDFDsVen+RfykhnsB5l86T/AKK8uxgSRwse&#xA;E1wDutP2lVu1Pib9nxyePHKZ4Yiy15s0MceKZoBNPNH5qyyWY0TynbjRNChHBPRAjmkX5r9gHvTc&#xA;9znQ6TsuMN5+qX2PH9oduTy+nH6Yfaf1PPSSTU7k9Tm2dC7FXYq7FXYq7FXYq2rMrBlJVlNVYbEE&#xA;YqCx3OFfUk78r+S/Mvme6+r6NZPccSBLN9mGOv8API1FHy6+GKvQv+Vcflx5PQSeetc+vaiBU6Np&#xA;xJNf5WIpJv2J9PFKnN+eGn6PG1t5I8tWmkwmq/Wp1DzOOxYJx3/1nbFWI6v+an5g6qzG51y5RW/3&#xA;XbN9WSnhSEJX6cUMYnuLi4kMk8ryyHq7sWb7ziqnirsVVILi4t5BJBK8Ug6OjFW+8YqybSfzS/MH&#xA;SiPquuXTKOkdw31haeAWYSAfRirKovzuttWjW286eW7LWYQOP1mNfSnX/KBbnv8A6pXFKoPI35We&#xA;bt/KGtto+pv9jSNTrxLHoiOSW6/ytJ8sVYR5r8g+a/K03DWLF44SaR3afvIH+Ui7V9jQ+2KGPYq7&#xA;FUx8u61c6Hrtjq9sf31lMkoHTkFPxIfZlqpxVnv576LbJr9j5n0/4tN8x2yXKOBt6qqvL/gkZG+d&#xA;cVeY4qm/lLQn17zNpmjrWl5cJHIR1EdayN/sUBOKsz/P3XEvvO502Cgs9FgjtY0X7Icj1JKfLkE/&#xA;2OKXmuKHr/kfyHovljSY/OPnmP4m+LR9FcfHI4+JXkQ9/BTsOreGX6fTyyy4YuLq9ZDTw4pn3DvS&#xA;Hzj521rzVqBub5+FuhP1WzQ/u4l9v5mPdjv9G2dVptLDDGo8+94TW6/JqJXLl0HQMfzJcJ2KuxV2&#xA;KuxV2KuxV2KuxVmui/lbofl3TYvMH5kXX1OB/itdDiNbiYjfi/H4h7qvT9pl6Zwr6mgPNP5z6veW&#xA;v6I8sQL5d0GMcI4bUBJmX/Kdaca+CfSTih5yzMzFmJLE1JO5JOKtYq7FXYq7FXYq7FXYq7FXYqzr&#xA;yl+cHmfQ4jYXxXW9EkHCbTr4+oPT6FUduRUexBX2xVkFz5E8l+e7aTUfINwLDV0UyXPly6YLU9SY&#xA;WJNBX3K/6mKXl2o6bqGmXstjqFvJa3cB4ywSqVZT8j49jihDYq9csCfNf5EXlo3x6h5TuPXi/m+r&#xA;mrGp8BG8n/ADFLyPFD1f/nHzToE1zVfMt2KWmhWTuX/leUGp+iJH+/FLzLVdRn1LU7vUbjee8mkn&#xA;l7/FIxY/rxQ9N/LPydpej6V/j7zYlLGA10WwYDlczb8X4nqKj4P+C+yN7sGCWWXDFx9VqoYIGcv7&#xA;fJIvNfmrVPM2ryajfv1+GCAGqRR12Rf4nuc63T6eOKPDF8/1mrnnmZy+A7kmy9xXYq7FURFp9/LG&#xA;ZIraWSMCpdUZlA+YGRM4jmWYxyIsAqDKysVYFWGxB2IyTAhrFXYqrwWN7cAm3t5JgOpjRm/UMiZg&#xA;cyzjjlLkCVF0dGKupVh1UihwgsSKawoS7Xdf1jXtRk1HVrp7q7k6u52A7KqjZVHYDOFfUkvxV2Ku&#xA;xV2KuxV2KuxV2KuxV2KuxV2Kq1neXdldRXdnM9vdQsHhmiYo6sOhVhuMVetaT5q8tfmTYw6B5zKW&#xA;PmNB6el+YECqHPZJR8I3P7J+Fu3Fuql5z5t8oa35V1d9M1aHhIPihmXeOWOtA8bdx+I74oZr/wA4&#xA;/wCqRJ5sutCufis9ds5beSM9GeNS4r/zz9QfTirzzWdMm0vV73TJv72ynkt3PiYnK1+mmKvVNL/5&#xA;1z/nHy/vPsXXmW6METHY+mW9Mr/yLhkI+eKWK/lZ5Gi8y6xLdakfR8vaSv1jVJ2NFKrUiKv+VxNf&#xA;8kHvTDGJJocywlIRBJ5BM/P/AJzl8zaqDCvoaPZD0dMtAOKpGKDkVGwZqD5Cg7Z1ui0gwwr+I83g&#xA;O09edTkv+Ach+O9DeQVVvOuiKwDKbyEEHcH4xk9Z/cy9xa+zh/hEP6wfUN7ZWf1Of9xH/dv+wv8A&#xA;KfbORjI2N30GcI8J2HJ8gKrMwVQWZjRVG5JOdu+YgPpPyF+V2ieX9PgnvbaO71p1DTzygOI2I+xE&#xA;DUDj05dT+GcprNfPJIgGoPedndk48MQZC8n3e5MtR/MvyPp2ovp15qscd3G3CRAkrqrdKM6IyAjv&#xA;U7d8qhoc0o8Qjs35e1NPCfBKfq+P9iM8xeVPL3maxMWoW0cwdf3N2gHqpUVDRyDf38DkMOoniNxP&#xA;wbdTo8WeNSF+fX4F8u+YNGuNF1u90q4PKWzlaMuNgwG6sB/lLQ512HKMkBIdXz7U4DiyGB/hL2P8&#xA;pvyv0tNKt9e1q3W6u7tRLaW0q8o4ojujlTszOPiFegp3zR9o6+XEYQNAc3qOx+yYCAy5BZlyB6Bn&#xA;OueevJ/l2dLLU79LWbiCtuiSSFV7VWJX4+1c12LSZcouIv8AHm7fUdoYMB4Zyo92/wChW1TRPLXm&#xA;zSUN1DFe2lzGGtrpQOaqwqrxyUqp3/rgx5cmGW2xDLLgxamG4EokbH9T5l83eXZ/LvmG80iVuf1d&#xA;h6UvTnG4DI30qd/fOs02cZYCQ6vA6zTHBlMD0+5g2cY+kOxV2KuxV2KuxV2KuxV2KuxV2KuxV2Ku&#xA;xV2KvXvJfmjTPPWjL5F84SgXwFNA1l95EkA+GN2JFTtQVPxjb7VDilhVvaar5E/MCzXUk9G40u8i&#xA;kkYV4vCHBLIe6ulf9vFCdfnzpA0/8xryVF4xajFFdpTp8S+m5+l42OKsj/OCyuoNL8keRbGMyXkd&#xA;ujPAvV5nCwofpcSYpd55ntPKnluy/L/SpA0kYW51+5Tb1bhwG4H26H5BR45veydL/lD8P1vK9v6/&#xA;/Ix/zv0D9PyedZvXlmQfl/8A8pvof/MbD/xMZjaz+5l7i5vZ3+MQ/rB9TXv+8Vx/xjf/AIic4+HM&#xA;PoeT6T7nyT5eeGPX9NkmIEKXUDSlugUSKWr7UztMwJhKu4vmumIGWJPLiH3vrzOJfTXyX5t0TU9G&#xA;8wXllqKMswld1katJUZiVkUnqG/z3ztNNljkgDF821mCeLKYy538/N6T5b/PPT9L0Gw02506eeaz&#xA;gSBpVdQG9McQd9+gzVZ+yZTmZAjcu90vb8ceOMDEkxFMA8363F5q84T6jbQtbrfvBGkbkMwKxpFv&#xA;Sg/ZzZabEcOIRJur/W6bW5xqM5mBXFX3APqeCGOCCOCJeMUShEUdlUUA+7OPJs2X0SMQBQ6PlHzt&#xA;qEmoeb9Yu5G5c7uVUPX4I2KIPoRQM7LSw4cUR5PnGvyGeecj/OL1b8tPzM8oaR5NsdO1fUvRvLcy&#xA;gxmGeSitKzL8SIy9G8c02u0GWeUyiNj5h6PsvtXBiwRhOVSF9D3+5gv5veYdC17zPDf6NcfWbf6p&#xA;HHNJwkj/AHqySVFJFQ/ZK9s2PZuGePGYzFG3T9s6nHmzCWM2OHz52e95PnKveOxV2KuxV2KuxV2K&#xA;uxV2Kppo3lfzHrb8dJ025vexaGNmQf6z04r9JxVm+mf84+fmDdqHu0tdNTq31mYMQPGkIl/E4qjz&#xA;+Snley21nz3p1rIPtQp6ZavtzmVttv2cUrX/AC9/JuIN6nnnlx2bgitv024hq7+GKFv/ACrn8o51&#xA;UW/nxI3bcNNGoFKdwxjp9JxVa35EPfAny15p0vWSASI1kCOQPaNpx95xSw/zD5A86eWG9bU9Nmt4&#xA;o2BW8j/eRA1+E+rGWVT4VIOKHoc5T81Py+a5oG86+Wk/eU+3dW/XoOpYA0/yx2DYpRfmjTv8Tt+V&#xA;up0EhvhFaXzHv6RjaT9UuKsi1Q2sHnnzL581FRJbeW4YtN0eNukl20QZ/wDgXm4/ST2y7T4TkmIj&#xA;q42r1Iw4zM9Pv6PE769ub68nvbpzLc3LtLNIerO5qTnZQiIgAcg+cZMhnIylzKhkmDIPy/8A+U30&#xA;P/mNh/4mMxtZ/cy9xc3s7/GIf1g+pr3/AHiuP+Mb/wDETnHw5h9DyfSfc+Oc7l8ve/flf+a1hqdn&#xA;b6NrUwg1aJRFDcSGiXAGy/EeknYg9e3hnN6/s+UCZwFx+79j2fZPa8ckRjyGpjr3/tZ35g8s6H5g&#xA;s/qurWiXMYr6bHZ0J7o4+JT8s12HPPGbiadxqdLjzR4Zi3h/nz8mtS0KKXUdIdr/AEuMFpYyP38K&#xA;juwGzqB1YfdTfOg0facch4ZbS+wvJdodiTwgzh6ofaP1sD0X/js2H/MRF/xMZscv0H3Omwf3kfeH&#xA;1/nEPpz5A1r/AI7N/wD8xEv/ABM52+L6B7nzHP8A3kveUFljU7FWPZwr6k7FXYq7FXYq7FV0cckk&#xA;ixxqXkchURQSSSaAADqTir0LQvyV16e0/SfmS5h8s6QKFp75lEpB8IiVofZyp9sVTQa9+SvlP4dJ&#xA;0uXzXqKbfXL2i29f8lXXjsen7r/ZYpS3WPz68+3qejYyQaPagcUis4lqF7DnJzI/2NMUMI1PzBru&#xA;qsW1PUbm9J3/ANImeQfQGJpiqAxV2KuxVtWZWDKSGBqCNiCMVZr5Z/ODzvoRERvTqVh9mSxvqzoU&#xA;6FQzHmu3gae2KvTvIbeVNd1uHzR5Kj/RGu21BrflwsFintpCBIYvsqKbMpFF5Acgta4pelQeULC3&#xA;OnLCeMGmX9xf2sVBRfrMcwaMf5Ie5LL4UAwK8p/PDVYbWW18s2Tfu0kl1G//AMqe5kZ1B+XNj8iM&#xA;3/Y+CgZn3B5P2i1VyjiHTc/oeUZvHmHYqyD8v/8AlN9D/wCY2H/iYzG1n9zL3Fzezv8AGIf1g+pr&#xA;3/eK4/4xv/xE5x8OYfQ8n0n3PkCxsbu/u4rOziae6nbjFEv2mbwGdvOYiLPJ8yx45TkIxFkp7L+X&#xA;HnmKJ5ZNGuFjjUs7ECgUCpPXMca7CduIOYezNQBZgU78kfm/r2gPFaagzajpIopic1miXpWJz4fy&#xA;tt8sx9X2bDJvH0ycrQdtZMNRl6ofaPc+hbC+tNQsYL60cS2tzGssLjurio2/hnMTgYkg8w9vjyRn&#xA;ESjuC+cfPWi2egfmU0Fsojs2uILmKNeiLIVZlA8A1aDwzqdJlOTT2edEPC9oYI4dXQ+mwX0tnKPe&#xA;vkLX42i17Uo2+0l1MrfMSMM7bCbgPcHzLUiskh/SP3p/5W/K/wAy+ZtMOpac1utuJGipNIytyUAn&#xA;YK23xZjajX48UuGV25uk7Jy54ccKq63QHm7yVrHlW5t7fU2haS5QyR+ixcUU0NaquW6bVRzAmPRo&#xA;1mhyacgTrfuef5xz6M7FXYq7FXYqy7yR+Wev+aud1HxsNFgqbrVrn4YUVd241pzIpvQ0HcjFWUTe&#xA;d/I/kZGtPI1kuqayoKzeY71eQB6H0E22+VB/rYpeea95l17zBeG81i9lvZ9+JkPwqD2RBRUHsoxQ&#xA;lmKuxV2KuxV2KuxV2KuxVHaHrepaJqttqmmymG8tXDxuOh8VYd1YbEdxir7K8s+YbPX/AC5Y65AQ&#xA;kF3CJWBP2GG0iE7fYdSpPtgpNvl7zXrTa35j1HVSSVupmaKvURj4Yx9CADO10+Lw8Yj3B811mfxc&#xA;sp95+zp9iU5c4zsVZB+X/wDym+h/8xsP/ExmNrP7mXuLm9nf4xD+sH1Ne/7xXH/GN/8AiJzj4cw+&#xA;h5PpPufKPlDU4tM806VfzNxht7qJpm8I+QDn/gSc7LU4+PHKI6h850WUY80JHkJB9YTRRXNs8THl&#xA;FMhUkd1cU2+g5xgJBt9HkBIV0L5wvfyZ8+Qai9rBYi5g50iu1liWNlrsxDMGX5EZ1Me1MJjZNHue&#xA;Fydh6kSoRsd9h7/5V0d9F8uadpcjiSS0gWORx0L0q1Om1TtnN6jL4mQy7y9ppMHhYowP8IfPH5t6&#xA;vb6l57v5LZg0Vvwtlcd2iUB/ueozp+zsZhhF9d3iO2cwyamRHIbfJ9CeUteg17y7Y6pEwZp4l9cD&#xA;9mVRSRT8mrnM6nCceQxL2uj1AzYozHUfb1eQfmL+UvmebzPd6jotqL2z1CQzkK6K8ckm8gYOV2LV&#xA;IIzd6LtHGMYjM0YvM9p9j5jmM8Y4oyN/F6j+XXlq48ueU7TTbog3YLy3IU1AeRi3EH/JFBmo1ucZ&#xA;cpkOT0PZmlODCIS+rq8Z/PDWIb/zqbeFgyadAls5FCPUq0j7+3MKfcZveycRjhs/xG3le3swnqKH&#xA;8Ir9LI/+sZv+XX/p9zmHuXf9Yzf8uv8A0+4q7/rGb/l1/wCn3FXf9Yzf8uv/AE+4q2P+hZ6j/eX/&#xA;AKfcVZ35o/5V9/hS2/TPpf4Y/d/V/q/q/VaU/d/7y/Dw/lrtX3wKwP8A6xm/5df+n3Crv+sZv+XX&#xA;/p9xV3/WM3/Lr/0+4q7/AKxm/wCXX/p9xV3/AFjN/wAuv/T7irv+sZv+XX/p9xV3/WM3/Lr/ANPu&#xA;Ku/6xm/5df8Ap9xV3/WM3/Lr/wBPuKu/6xm/5df+n3FXf9Yzf8uv/T7ir0Lyt/gj/CMn+H+P+G6T&#xA;8+Hrcab+tTn+88en0YYXxCubDJw8J4uVbsM/6x8/5d/+nvNx/h3n9jz3+tnl/snf9Y+f8u//AE94&#xA;/wCHef2L/rZ5f7J3/WPn/Lv/ANPeP+Hef2L/AK2eX+yR2h/8qQ/TFn+ifQ/SfrJ9T4/Wq+rX4acv&#xA;h6+OV5fzfCeK+HrybdP/ACf4g4K472+rm9Jm9P0n9X+74nn/AKtN81Q5u+lVbvKP+sfP+Xf/AKe8&#xA;3P8Ah3n9jzn+tnl/snpmifo79EWn6M5fo/01+q8vUr6f7NPV+OlOle2anLxcR4vq6u+wcHAOD6a2&#xA;5/pRuVtyleej9Un9fl6Ppt6vDnz48Ty4+n8dadOO/hko3YpjOuE3yeVn/oXyu/1evf8A3rzcf4b5&#xA;/Y87/rZ5f7JmXkX/AAR9Vuv8JU+qcx9Y4ev6fqU7er8PLjSvH2r2zA1fjWPF5/D9DtOz/wAvR8Dl&#xA;15/pZPmI7Bx6Yq8quf8AlQn1mX6z6P1jm3rep9c586/FyrvWvXNzH87W11/mvOS/k2zdX/nP/9k=</xapGImg:image>
-               </rdf:li>
-            </rdf:Alt>
-         </xap:Thumbnails>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/"
-            xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#">
-         <xapMM:DocumentID>uuid:7127DB5039AC11DFBC4CC917F60414F5</xapMM:DocumentID>
-         <xapMM:InstanceID>uuid:7127DB5139AC11DFBC4CC917F60414F5</xapMM:InstanceID>
-         <xapMM:DerivedFrom rdf:parseType="Resource">
-            <stRef:instanceID>uuid:7127DB4D39AC11DFBC4CC917F60414F5</stRef:instanceID>
-            <stRef:documentID>uuid:9EF2320A284E11DFACBCF5F943788E24</stRef:documentID>
-         </xapMM:DerivedFrom>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:xapTPg="http://ns.adobe.com/xap/1.0/t/pg/"
-            xmlns:stDim="http://ns.adobe.com/xap/1.0/sType/Dimensions#"
-            xmlns:xapG="http://ns.adobe.com/xap/1.0/g/">
-         <xapTPg:MaxPageSize rdf:parseType="Resource">
-            <stDim:w>51.000000</stDim:w>
-            <stDim:h>66.000000</stDim:h>
-            <stDim:unit>Picas</stDim:unit>
-         </xapTPg:MaxPageSize>
-         <xapTPg:NPages>1</xapTPg:NPages>
-         <xapTPg:HasVisibleTransparency>False</xapTPg:HasVisibleTransparency>
-         <xapTPg:HasVisibleOverprint>False</xapTPg:HasVisibleOverprint>
-         <xapTPg:PlateNames>
-            <rdf:Seq>
-               <rdf:li>Cyan</rdf:li>
-               <rdf:li>Magenta</rdf:li>
-               <rdf:li>Yellow</rdf:li>
-               <rdf:li>Black</rdf:li>
-            </rdf:Seq>
-         </xapTPg:PlateNames>
-         <xapTPg:SwatchGroups>
-            <rdf:Seq>
-               <rdf:li rdf:parseType="Resource">
-                  <xapG:groupName>Default Swatch Group</xapG:groupName>
-                  <xapG:groupType>0</xapG:groupType>
-                  <xapG:Colorants>
-                     <rdf:Seq>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>White</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>255</xapG:red>
-                           <xapG:green>255</xapG:green>
-                           <xapG:blue>255</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>Black</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>39</xapG:red>
-                           <xapG:green>37</xapG:green>
-                           <xapG:blue>37</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>Yellow</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>255</xapG:red>
-                           <xapG:green>242</xapG:green>
-                           <xapG:blue>45</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>Lime</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>189</xapG:red>
-                           <xapG:green>213</xapG:green>
-                           <xapG:blue>118</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>Night Blue</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>31</xapG:red>
-                           <xapG:green>113</xapG:green>
-                           <xapG:blue>184</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>ISC logo blue</xapG:swatchName>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:tint>100.000000</xapG:tint>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:red>0</xapG:red>
-                           <xapG:green>153</xapG:green>
-                           <xapG:blue>203</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>PANTONE 425 U</xapG:swatchName>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:tint>100.000000</xapG:tint>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:red>94</xapG:red>
-                           <xapG:green>96</xapG:green>
-                           <xapG:blue>98</xapG:blue>
-                        </rdf:li>
-                     </rdf:Seq>
-                  </xapG:Colorants>
-               </rdf:li>
-            </rdf:Seq>
-         </xapTPg:SwatchGroups>
-      </rdf:Description>
-   </rdf:RDF>
-</x:xmpmeta>
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                           
-<?xpacket end="w"?>
%  &&end XMP packet marker&&
[{ai_metadata_stream_123}
<</Type /Metadata /Subtype /XML>>
/PUT AI11_PDFMark5
[/Document
1 dict begin /Metadata {ai_metadata_stream_123} def
currentdict end /BDC AI11_PDFMark5

-%ADOEndClientInjection: PageSetup End "AI11EPS"
-%%EndPageSetup
-1 -1 scale 0 -45.0176 translate
-pgsv
-[1 0 0 1 0 0 ]ct
-gsave
-np
-gsave
-0 0 mo
-0 45.0176 li
-117.999 45.0176 li
-117.999 0 li
-cp
-clp
-[1 0 0 1 0 0 ]ct
-20.5381 45.0176 mo
-63.8301 45.0176 li
-60.3721 31.124 32.5381 35.542 20.5381 45.0176 cv
-cp
-false sop
-/0 
-[/DeviceRGB] /CSA add_res
-0.372549 0.376471 0.384314 rgb
-f
-62.46 39.5361 mo
-54.5381 21.667 23.9551 8.62402 0 27.083 cv
-0 45.0176 li
-18.1216 45.0176 li
-33.1802 33.3477 54.6216 31.624 62.46 39.5361 cv
-cp
-f
-63.7471 38.749 mo
-60.9551 20.874 52.6006 1.02051 38.0801 0.666992 cv
-38.0801 0.666992 li
-32.1006 0.864258 27.0381 3.77051 21.9551 8.37402 cv
-21.2773 8.9873 20.1318 7.98926 21.0381 7.14551 cv
-24.5068 3.95801 29.2256 0.833008 33.0381 0 cv
-0 0.0263672 li
-0 25.249 li
-25.0801 6.70801 56.0381 21.333 63.7471 38.749 cv
-cp
-f
-65.2041 38.874 mo
-68.8721 15.208 81.1221 -10.792 83.7041 11.542 cv
-83.7471 12.583 82.2471 12.583 82.2471 11.667 cv
-80.9541 -8.08301 70.3721 17.833 66.8291 38.292 cv
-78.4131 10.792 107.704 1.29199 117.999 12.917 cv
-117.999 0.0263672 li
-42.9546 0.0263672 li
-55.5381 4.42676 62.7471 21.749 65.2041 38.874 cv
-cp
-f
-66.0381 45.0176 mo
-80.543 45.0176 li
-80.543 25.8945 li
-84.7637 25.8945 li
-84.7637 45.0176 li
-89.2861 45.0176 li
-87.9697 43.7939 87.6777 41.8916 87.8086 39.8379 cv
-92.0273 39.8379 li
-92.0273 41.7656 92.1133 43.3867 94.4316 43.3867 cv
-95.8555 43.3867 96.5547 42.4648 96.5547 41.0957 cv
-96.5547 37.4629 88.0605 37.2402 88.0605 31.2324 cv
-88.0605 28.0742 89.5684 25.5586 94.7109 25.5586 cv
-98.8184 25.5586 100.858 27.4043 100.579 31.623 cv
-96.4707 31.623 li
-96.4707 30.1133 96.2207 28.5781 94.5156 28.5781 cv
-93.1465 28.5781 92.3359 29.3301 92.3359 30.7285 cv
-92.3359 34.5566 100.829 34.2207 100.829 40.5645 cv
-100.829 42.7754 100.14 44.1553 99.1064 45.0176 cv
-105.153 45.0176 li
-102.93 43.1367 102.927 39.5938 102.927 35.9824 cv
-102.927 30.6445 102.927 25.5586 109.884 25.5586 cv
-114.187 25.5586 115.919 27.9355 115.753 32.2656 cv
-111.616 32.2656 li
-111.616 29.584 111.142 28.5781 109.884 28.5781 cv
-107.509 28.5781 107.202 30.8125 107.202 35.9824 cv
-107.202 41.1504 107.509 43.3867 109.884 43.3867 cv
-111.841 43.3867 111.757 40.8711 111.812 39.2793 cv
-115.976 39.2793 li
-115.976 42.1104 115.377 43.9248 114.243 45.0176 cv
-117.999 45.0176 li
-117.999 15.374 li
-108.704 0.791992 74.0381 14.624 66.0381 45.0176 cv
-cp
-0 0.6 0.796078 rgb
-f
-%ADOBeginClientInjection: EndPageContent "AI11EPS"
-userdict /annotatepage 2 copy known {get exec}{pop pop} ifelse

-%ADOEndClientInjection: EndPageContent "AI11EPS"
-grestore
-grestore
-pgrs
-%%PageTrailer
-%ADOBeginClientInjection: PageTrailer Start "AI11EPS"
-[/EMC AI11_PDFMark5
[/NamespacePop AI11_PDFMark5

-%ADOEndClientInjection: PageTrailer Start "AI11EPS"
-[
-[/CSA [/0 ]]
-] del_res
-Adobe_AGM_Image/pt gx
-Adobe_CoolType_Core/pt get exec
Adobe_AGM_Core/pt gx
-currentdict Adobe_AGM_Utils eq {end} if
-%%Trailer
-Adobe_AGM_Image/dt get exec
-Adobe_CoolType_Core/dt get exec
Adobe_AGM_Core/dt get exec
-%%EOF
-%AI9_PrintingDataEnd

userdict /AI9_read_buffer 256 string put
userdict begin
/ai9_skip_data
{
	mark
	{
		currentfile AI9_read_buffer { readline } stopped
		{
		}
		{
			not
			{
				exit
			} if
			(%AI9_PrivateDataEnd) eq
			{
				exit
			} if
		} ifelse
	} loop
	cleartomark
} def
end
userdict /ai9_skip_data get exec
%AI9_PrivateDataBegin
%!PS-Adobe-3.0 EPSF-3.0
%%Creator: Adobe Illustrator(R) 13.0
%%AI8_CreatorVersion: 13.0.2
%%For: (Brian Reid) ()
%%Title: (ISC_logo_only_RGB.eps)
%%CreationDate: 3/25/10 2:28 PM
%AI9_DataStream
%Gb"-6l`OMbE[LJ_q]3tS#.hk;RCln\`W52%O[2PJ[A8p.$lUE-e`+)02HWtBjem;l`:l^'^%YrXh)pjOjoWZBi7b__jiWO/I.<,%
%gjf7q_jBgUr;Q]Us8D8Q<;K=,o"3_BQqtKl`IE=1f5JF<]]V232W_s5g1jbTe4$?XI3dY"+Wl(/pu^?*Da/X@Rnk-`]`%]mLQ>ej
%r:KZcD]\oFM[qarn\stKs*ShXJ%kmHX,m:,F8sc,DuQrh0CJhPrpKU<=)X]qIX;%52`L=d#VDq2h1,=iX"XMDg\:aCp=$3`8hNHU
%^XEepp?OTc)HD5Ent1DVo@:<W^AZ:poBhlordOh?fCC$^GP^oLhgY1AHAj_D\E<S<Is-=3hQLk79t5'+GFpJZEV%@<s6[_K=!)ql
%n`Cq.qY'<[egLH`oq/dm>,M;G8rrP\-omT_?iK3U0E:1<rpo<NUjDXA\6Z:Frki*XrVa@3^\RN@2t&qZq!Yu'WW(/spODu'Mf7J;
%U?9g?lV3sNrnK`ucF#3L<ua.Zho6Ai9qCCCO*3USh6RpqmD$;\qldb@X8M,9LMoA*rQhoO^NoRnf(e[^2nse8s/]491#;JiN;D/`
%IeEE`hgThEc!$SfUhLqJMiV5ZrCWCaT7-_($X#]@Y_^'GAN0P3(S?0Vp7&I"5(<1,4R91h7_jMU2u*6-Is_(WCQ(0$pK)ihqr)HW
%rgh@.<??/)-ElO$kpE8cDL0D`WS.$aIa]g]1@!J#7P]^W^nLX/p>;r1rE#WJrVkW.?XmRDGCT>Nh3\$+pN/4X%t0&aEVM]mgEsJ&
%pR?*XI__c2G's(C4\c9lJ+;:dNDCY1I/*JCQ@J;1?ehiOrF,)p[<:j9r+Gu#p$lu#@'eI7s6_O)Y.N;t>%=0';ZCD-mPeL$]Dh-B
%5(3A&%tFT;T0AiqH2$F@IscV7RkMMOkB11hIe`L"?ep6Es1GU4/F)PFs74`S[pQfF_lpdq]YF7f]B&]FJ+\m&j6`=SeqZQD5Q1<1
%GMg(3irf8RN@`PVS,6"=If7SOJ+N3j=$FCjs70lUXAlb15K7pF7R-D$Y<LT2?[i`,\GW4H1B,1>bI[TBhm!+O5P""K?[VOs]AJ,7
%iXc(em`eC3nA>5&2qe60J1k,>r6sF!H2T,jrZ9hbhqnCna04?JrI44T"6DIKI/<!]S$1]Jp><U`k3`%152,&OIp)pCY\Zp[qX?.V
%^\[_\_^(fD`J6*brnA6]rpX2\bA6sPG9=P(-Uc;P?H/&prueWGk-tBg`?3t%FMIY7B>*oGhd[UTou2\>52@XCLD9Hgp@%!Rk:F_g
%5%soN@Z3h.pZg:QnAKcss5EJ)J+i,b0Ae@!qs0_Yrp>IO?bCmcjj!6[qUOi![!6u3\c;6m&#]I+']Q]Q`a>X9F0P\*#5l:JI/5L3
%V='uD+7C<>n*f`5kC(*`p[u8UkPKKGm[ihfn*]Z4mcM+W?+VV2q(CKWq)k;3_n;W4CWn]'OttJp1Q:MeF;b\MIOt=4UQ))sNjPt9
%TDRZ[*r:;WlPdJ2\usI[O$0r7p9_!CG2LmF[*e`]=tAp]Vj:P%TnW>JT@W\>Xu4=I=4cXk7]iDVXt-\+Xt/!uT%EYBY(q-_QM!f1
%:9RO7Baq\g\EIQ4IjJ?^=+9"mXjf/0-b]6"lgKVu&G8i0i^6mN`8Bf&YDYX"^ZD&3E^DncDu99kG5OA(-fX$(l$D".-iI]LX.EU`
%<;sMi)HW/P>"&6@?N+;eY;s5G8qjZRO*+_;QbN:9JSX8V_f`07""sS!o'9G]e)U$u^_Li8^Tq2M=7rU7Y3sn$4Uo0giOV*UpLi*q
%`V"J)S^nmTqt9mXV7UJZo=d-\>hf7,Xl&0-kAq1":o']70!4FbaKMiYc.tEC%r3VdqXXt;lG6Y)aZ9WCoHD!3\3$hApRj&81nN<m
%N9b/SRF`%QlY>bTal/cU9X"'%Nq&l.p[_Zm='Wd-YH-H\e$T\FqSp-e\f9u5bHLfTLNU^3PN@)(&*o,=9'aXcP%,h/F$7V(,lN2:
%jBfT4nWpe6qt4q.E3_EOG)UZfK(&ZE';6pVYiF>\hUg68H9PZP"V+Tr]96DHqeKL5i[Pbrjf`iM.5O'=?[dtNYPHl;md`DEOm`8%
%[8s<_r8MqpT0rr;Ni]u3qpjSPEDcV^Y/Md]2m80)m7Q]M5Eer>p`]H_b8#$=Y9,0Erhi<;2)j>TlZm%fmaeOh>\rI]`jkC2fTu<#
%nSW3Ra8!<=-`+Ja6q_qKS%H)7*uBQTc7u5%f%0&1X93L8+.#Z'CDBKKqa8<D>ao)Dk-OK`Umn6`[k4fM@I^&S[GGmpZEeY3S9I!\
%l`B-B(HLTTFi`s+b5msi?1_O.6`h_>::$I$42l5lp%5D.S+OqIGo_3)f)_/3H."KOoe]E,JIcefF>_?GR2eUTe%uNQ5E]L`#<b.Y
%BA>C`*dg$GO$mS3CjY\j@??Pmhf8@Tn!b:.?7#/.,Xp6V&,'`9Z'K\6R3't\H!E#iiH\^)CQo)&rLeZ3](\k-e63d3.uLtc*OE$d
%0H)\f#d!3cTKG/<'c2-%eUW<'l4rZ+Ia2:Q%een&J`WW%U%IS^92;b2jn9EP@APFOYe7IoL%pSL_Srs!*gV2DYjPbCXM=._TbFFe
%!VoK;M2s^WSW;(iG'QUKIY,>&HX2&(H-o9jkV";hn"Za?%_?7MD=^p'bm.pP6T*-rSMNUuHrRfNDU-^o@3)@\?Df!9o!of7[*Lha
%5.g*P75`Gj)X%hkcoYp69f:9K3p:9t`Fi1:+&iQ;We<8D4BDSM&,dTbqTILTJhXpZ28AH<q2]aWlam++f1EO+eTDQYb5.`aA_Lj#
%Hh)HQ;uZS<B6O7LTRZRZ#>l;gT6L,js-1:e:@#*_f>+#!FhO5aC&-6=2\^B3.=W`D40?\T/ZsTO^[Md3)=5;qfhjKnW7M.NHk;S*
%m*C%+MsSb'r\4r8P-:b%%FsK,(Q^SJ(8m4&[4!,Z@jO6."SbrcV(Lq.@'bXjU/m0npd_Yk:AQU)`HSdhQ2o><(D6TkXAS<kPt('F
%/@i.%;q2][--IGeqK^2d7o>sT9:4Ol-Fa1_?XG7jNek9Vrkt;E)j7\H(EeWSb:O*\[C"IGkn;+dE%OJuYQM5-Y,DsBiq@)78m]r-
%GHW4!/-.9\ol5i>[&2[2@lu=04fh.)H6VcWQAQYfHIPN?kd(Um&YE!UkOY-J?737de%B4gWl01RGYs)8Q<#ZMY=Zp2g@""LEoUUV
%9=$cI:d1hVN%-3aP^HGQe4cs@k0MjmCCc?>4g/]8f8:?ODRs"-,0:m$@]65";Uiu/C-FaF\>VAbjV]7WM_5YU,1rK(/#oh;mmnr-
%1)/PjYc.E?c)IHeFYoo&$)R4Ob];DqPM8\W2j@\k\Qs<aKT:5:Rl(b0`WSst/l?mtJ#F-cQV#`HJ9?(7R6a2mVM6NQ6[]DUCXCd3
%>N<l[37o.IK<[^0j$?ZcZSA'-Y+RLUg]43oCG,ssk2^IC)/jo;&&*ta2D&9d/NsuBMlmG:o$sU+C,W#l`jqc?l#Q?:/gu4\S33>M
%b*V4cnicNl7/1I;eOsu/n$6uFE)P<3it<d"PaT\S>,b$NZ<kBgoSB7h+\VI`$Zs*FZ8fEP-eBJW=glp3@QEl4@9#eF,qrENctC]$
%giQ@E?@Q,hXH0FKrBVO4qa68<8Y/_LXt06Al;)_*IQ\LZCQ"UY-*Wum;1&qpHs4O;>C9R5Z8q&T<m`f=/%4ai<m3]pP[&8*9[K24
%'PT<F77F_T+FZMVj-c.pBBB+ug]o;@jBUmQ?X+bQkR_g5W^,gkS&N$i:j2K4Z]X]*VtF<EKM;-M=17Ln3"0X99!j]cCfi]JO3/@B
%%&7APS^]\Uqe0pXJt&'H,uBWih0<Pu>uUG3`.C,^G'W]*@W;=B?SZ$M@mbXZ[!ZoS1;gckl:s#Ho?iQA">fYUNht4@Zh1P1l0)-9
%E%#RIOu\`MQ)'G9'DtDImR&Jn+.;F#Jl\:a"T(*`F;t`gF/')'VC,<0ZRK#!hhQ5u?Ho[K"(WpefroM-U0T/*V>Cl3KBq_&FN`q:
%_6<aR[=?GbMCuMq?i=q$^U?MmW0V)2<*)07?[$gNbpqIKV?u4J%*YJdH#6ZT)3sA3jjB_`)Nt[JG5F0CLYM7$+AYK0*pQBVc2tC#
%\/kSXe]5\=?UkK1D>4c4J3':2JG=n`K_&.,Th5a.,=Ou:q3&3aKdO>N7FF*Z3X#7*h:-DMNg'tAgX@g)pYuLgs8!FIQ\%:tP1rS<
%F6F,j,YKpq,%/P@j`d/'h7>e@lYToTo;;69`FOnQj(B4OB#In@P+OSK68Ma)VtC1lb7EnHJr[71HjkA#>&RUbLC*q/O`Wc!q(kI*
%0jF@mmG]L/9Zb%P,,T"LaQ)$q9=^T>+(k'W`m?`e@f#Zd#@5FaUTS]r[E\[(m3U(_Of*OE5AccFPP[k2KefP$rPG(?_n?WG'^ACt
%hnid!rJKm-2-lnA:RGmI4i$),>!dhs>h,\mW[$<"Jc93BI#9<8#j)=3E.gER/(?D/ZqS]Dg;+C:9;/nKIddd%+K6C5i7jVHeIA/h
%*+W/k))`"C;NkOd$;cISMF!8n<"lPS$"Y!N)<D_])J!$)>g)D-WK;!EhsM==GsI='M)lAp_$+/"K7u%EIYab$,Xl/k%k7fAU2gld
%-l2q8nR2$#BDL)[T8%;XGL8/$(/fMCF:^ME*f+5Y#"Fap9"a0B9'=e4;&_uBp2qERfOD:]?/sq5-NneAYIi+cf=r@ZY7ll)bNnE5
%?Dk,Z56(9@o[ATjUBAr>_F#@VJ"]_YH.;5c5P]k[n]7?\Fuqe[C)iHS%fQR)+EmC@HC2j+!A#"*EZX_[1^i7E`WHS-,NcnVK-Iq\
%^fG%dQiU1?'5W=L\.F<D:q*9E9AZn`_h74t:N/8rFWXd0[@@_3@N7?2H,\n]!?B#P"Z]&iFbmEY8\IW5gc3@')>@P:2)uI]['-%j
%&`k=:Bts'G9]b-!$5e\TCCe'ho9T`BOk2@8ce6R*l-t>LH=T8=TY2BaO^=qASojttZR>^eZEC@ZkPjLna*mFBoYWoamm#_@4lUY#
%T+;Pt+-&9jq?_.`4lCY!H,/_RP5TX@m;UPR2u10_pIUG?P6Aa%bhE0%I_b.*J3P.:r3fX?YJLN`;JY5>oTL5tEkqD][iP<N7pIp&
%PH"[XRHT+DO",]$oHtXN9?!PH8oFsJT5`M>T$TP6F@S2SO8@O<Nu&$bH]U^XrTWV.cblHk5LUlAHgHfKs7H-9Is,*>s5S60"/jIa
%KpSu9?L_0iEIIfL?`3@4cZ_1?MsL#QDZ<Q9SfdKpd96,13afV1dc!O8aS&q@brMI.dn\+-r0U!>`HYPf:G].C9BGSp=<a#rKS0f3
%C^<P+5P&$U@-WVhZ_9n[?5#;i1u=HlMiX9pdZMOhYO2ck+A*Q(.[nL7oW3jLntZ[EWKg?sRi7aBEMq%Fl-u;h-Y3FY\t0UE50o\K
%&XCV^B;YOVmPWK<X-#8E<L#/g+d'\BI+#N)eAH'7;Z?,ko/n(fkDMfJb.B(e1919cFkQ>d9H&]t]q.(Y@;1+UOf:]Il7=!!N("bn
%qK.UmM\stB72"ML=VN>jAb',4VmH$0QP08BYO^?Sq%T_o7c4flg@]T7JL!b`q>'i#4mKpgo"2l:LLufNbor4^Oe<c.8+kTlWLp>C
%GG`=c5.6f@/[!PSY2`(9JW_Y51<)r3_auq_F:9VcjGP$Y@U'5%V3=M1$SF0H_uLH<9FN[2bbTe:%lILoM.mh53*F>EJkd5-o"^HC
%Sh*fblIkL'/6M+!la_r[6tn(7K_YGX8)Pt;\7m]?1PaFJmdR!+E#t*&4>fqmPY!^R+Pot@AdqC<?=KO&LZlCTRQHN)9XQ1X`dTI6
%Y5s&_:?a%?+:m-iCKTeWTmPGXN8IEjgW6C^_Gh,l0C#seaq<Z*e\0n7r?kC_G_B7Fn&ZA-n)?Iii[ijDKN&=PZ8bLan@XXL>J[t0
%a5D66gXU2nkq&$-psfmV4']gBc>n)>MOJpY\p/L+b,Y(!q[(/)*Uu?7nNS&a5998Y*Uu?7nNS&aruW?Q@j(SDE1Urf\BS/d_)kKk
%R2\!$Lfj%]P6baL+#G#g&^iWX9BWLqcTh2W5:qgR?OS/S#pX$m,>OWf_dDOg][3"f830H@G+eU<5@+3=j[V!(jE81HCtImCVeZqE
%^7I\VS+lH`VJk/"'E38ihO1I*M@N/BK3G59N%jG[5bZ8_(Q&q%;<^M,&$#G$q['E(opVUWKL+!Ic09L7P`(oI'U_(=(hc:ALjBi\
%hjLTQ"Q^hg8:=4$r7VpQ4td^$aOIb!a.amE,c8D$Fi6FF%Wc@Oi,p(0]^ke[VK)7FRNL)nMZR@n%(RM*W9@dXKf=11?60]W[IB)S
%^=_IJJK'$D9B_nq.=6ldTJVBefdGi/KsP/[;\:rfgta1e=Bqn"'[h8q=9Ppf5L)nd5%"$RS`r,3(\;X\,9uBX#rtPu3W8H;SF`bL
%Z]puVKq+Nq@qs=_MTnpF"$'Z<JUD,(k.b\PX(<VB,O:8Fe5iD,d^HSFF]><J8p++5g.A2SPLJb:'W\!DAJ73V=#Sm:?J2+r:-*<,
%=;M=1A`m6Gm\PduOf*Q&@\#p)&fp;>DU<.Z*jnHi.JpHmP!k8Zq20-S0u*eoa:OL<O;b[%Xm?/@;H?Xq0^@@T+raVSEFkOh)tuXb
%6l;"<_g;*)cc).s[EZ9h6="AH[pI[mH9W^(s8N!h;thSXJ#GI#H#:g;[cuW.j#TtMD<A)]pX;1EGocK/#nuWL4hp'MJ(_;*mA,-\
%[1.DV6fLZ+:f,QS<;$"=i9B1qi!IdeU-kLU\HXfKmp:f[?fo!@UXpR3dNSWmb-kr!+7ch52+Q2`T2\b'<ulRVkuWX^Z5@qP`3"/%
%@dV5a.r3&F%n6J!e0%=:6OHi'Xe3^/qlrL3<Gm4WDs4$tl@j4(j"<s8TB)MB-tkktZ37Xa4*,/W)?&'YF@OCDr+nJ5aWIrY+2$\h
%C&L,P(Ndfl2U"tF0[kr:C?Zp>N?uX<m-euiqkZX?o:"^Lm=:D$rBCtNa8_rcg+df"QVLnBd*<Jf*n.I.43P*q>aqZ8XGS.u<\0YC
%dlg;#8W0O1Q;K4sn"bisK,5_9.U>9>6Om:T>a9:7bHOD(#ka(4V.G.s'/`E.IQo6%%]HV3)Of@dhk'8LF1kFbouL=;P6RR[CitLG
%RjX1A71BM;NR)]"=1UnYdZ]tD74h#5lq>rkWB'_o&[>,e)#Z0TLT,a_&?<JIFFj__:PdFTlVCSJ.^Cp@#Mi:-(GBs;!.<BE)B-XX
%'K_lRcES*j_H5q,n4aXA/9cEg5i:%ae0u=^83PH^h0FhF)+@93TS_c(GH+ih!]!(ib$TjWr0a#9l`0*Lm%,#W?W8tVXt%P;'JNd*
%^q7bb]$AuoiR8sPk,dA6TGLu$``k[aC$X-/:S,2dq<OWg^9cI9-9H;%YO^AKg?UNudQb2.lh%^hkoZrET0?=!rF>0-:+p8mpYSc-
%:bQ$Qmomk7!oYUaQ"6i8U@CKC<^dmtaK6mi=$Cgu`Y1It`#h&79%#A,%na8*i1"gb,*r#\T3h"_I^b)q5"]8uSbX\Q9=_*Qc[D%M
%pJ>2m-d=_uY*C`N58jmk;@BSO+maT+9mj-KAN=EB5ORR/I8MSbpr)R(_?Na&LH`2eocNf6Y*GQM36k=KG4LRF:4C<W2QhFAgQOO'
%0l4$n5BD?lJ(FJ?l/75ABb:9iqP"FD_N_ka(ipRd/11B\CK=j5HpIP5U7-$?mc:@#P:IR=77Eu^U@Cd1&UG%BpLj.@d!Ho7"*tKX
%JUAk-'d/PDTW+rI*<EhCi<4rlH4/_AM2uk^ne@;9ptsooQ_5BiT?au3kL,]<l,hW,D&?s9(27!;?2AHiCB#8-)HS]Ro_jIHJL_WM
%-72uX]9)Ma8luUX(qZ;W(DJ&Do*"e1WsZPCn-lTpb:toa&JIP>Fi;LOjLE;,[#l#"\uW-jW=I72iQ]]i>gM>r<U*UI+i0&-`Hrk6
%4i%7Z"5(tq%Zi]s#KWF;V`qY_HAMb9(&['iTe?<9Uo@3[25dF".1lQG[KH_`LSlNb:"RP3\O(A?em'[`7rR:MRWGXuS>eX5.(OP/
%f$TsUIhk1Nn7fF7lNq&aSGBUZ@U[n>lJPQ/ffWO3ERDs@*gN@n6+l-/3.4$iiH$&r+'R#,IZCEfauu&kAND=+G$^-.-r=%k(-!s^
%P$5hHSBObMl[2Hm';)9UfJkFCX=T'!G5DZQpns,Cdq!HH;&36L"*IbJL<eB9O+/Nb4/>6;l:&OhnE'8ie^K6G^NG$0!/=)<i)j"W
%f4C5JrI'1dIki6i3/Ejte9;r"TcSB^<)GII.m!lG49NBHJ:61'96@t4E@oTqaEc26GJf[H-6oZ0>%eGH,;>#2<H$O[CQDaG>l/Vp
%3VNMm)7bPuciGgF=8'Edi7ab;d%Dh&b`g'$Wb2#E8qE\U9W^=6#cgZs8=!N(lLVMQU2JPleiX7N%(mQ[4WFt^+nAP$mh@Fpcsh_:
%M'jFb(efl*j<>KlI*<cMdRjBQP!OF*K0$OsGZ%Ua=^kcr&>6B*]9C$;$><cO^lM5F2$?YjrocRiftI38$U2"_s78A>rZ0sAdl-V)
%W);aQN0fojB/kiOY_rKa4<:[A%rdEh@#:s`HpGBtUFR3XX;ur!&P`cQ&Z@NXf]L-<,+<#rEDSGPkqY3,q&N`'XSY&EK:j@J:d+YA
%6-*clK:j4FWYFer#BjBZ\k>@d#]_sV"$819pe7CG2>6K76t?t-i:J$2LED>mB$/!T8,+#5JLll<>PS9A*Du*8AW?j-!upAW]B(hG
%-f?&se'[a6D1$H0.\_c;XrXo7U/[9<KT5>C;MQaXWL"O'5s!<'q_RV]HVn/>Tq5S2U5F1O*S>Ko<T0mh*S!)IhB$fDhs4=8LYT(V
%oXTp"3chp#]4G<Y>9)\VZG52P6D)GRf,(Wg4h9TAY3TFWU$:iOY1&THA+Vf&&<Q:lJW#nDAnG7H:#%;JWgZ2'-#.J1R3fG'YK(cd
%jJ9jWaZ(FSC4`GdHI@nP>+dh[6$^>"mf+W\66cP:kRJH^)<fZ_qVYXFj:q+;Eo-"Sl4EGTE$5==U[n;XDBK%5'+hYZn@*c#i?G$i
%8ghk/H\<XcCW-G1/I'("IM[h#O7?)=rYWiRTg$WJ+(lKVN+\YE'Bq=]\j)`kc_%g=q!8`VfBMXol*FIjNp@)inoXTOcThs^WgBom
%IX[gts#Bme&ZG<LcZ\GT\1IRU*[!m)_I(%XJGjn(MR4#nFN=Q1&Zb,B65;L_dHP^c7HZQU0M%KYUmf3K.!4[7_B53OK[!+e6YOd"
%ZF9QP6h"_-d_JZl6I_D_1L_B%EXlYY@CHi.L9^%!_]]Tk1Q5o=-_IL13JM-1Rb\8!QeT@X!SDI)RfAULIZj*O?SXeA\JP$&=Mn.m
%m&&%6'\^J)?Oh=OHY]"E9TfrEBY(N/*"]:;mX=Z5`<rC*Ng8HSH[JU;N26#STPff3?.Q>V(Ms&4=*sa(II9>FDYc#QhcsL#nr$Rq
%nVS^Ts'8siGaVb*1En3)coo'=")sL:.XA4JhtP^348a1*#[@;(\_K:F[2b?t$n^;<LC;U_&C\oBm9nfj@ZH_Wk*1;H3NC+fbA3X8
%o"nVX7Gc^SgIo<[o8GbL\%K\G4f.Tn,Na%ob_>3kIP">T$9Q6al-A!I=Gfha.H<=gF)gf7MsNqEFTM+,K2\Go8>EZbZ_UN>XRgh>
%5_gT?JGO7V#kDN;.UV`jrhOPJMj+1&/k"D$8cM;M9;+r/B(RhXl4e.(f'gBRf@.4pg)]b`rnl9krf?`is&c(H]dYmiEUs_@4ktE6
%p\sjM<=.)6nYYq\6thjTpSV)eq;0Dnm2X3NccBs`>HsrVbRn0U*BsHgBD#?lh)&rRgZCiN;==d5(M+PA1lkmOr:'GfSBiif5rbo/
%m2AVPE_H(;dIMU-bK;MBC^mbJJjlAugYUu8_o\i5<1.lB9:]3!HN!DY]fuCYhOe];q<@SpFY:'g-^"#fHA6+N%)(J70$Dg$W]2=k
%NjlDCO@:2&Z$U9P3^R0\`*,>LEd%D)#bKfR#$=*B]G<*ZhR/H46B6[#>YOkmcV^!_eu%7TFrd0L/e':SOQDJT]jp;'p2rC!(Lfcr
%KZlAbAr@SM1hnLuEu8m;EI?@nFiqse'>Vig3mu2>PlF;F]m.e[glbAUhZc47,3I:Q&]JJdZ,AY^R$[TQW@`.\'a$!S[GftEqQqn[
%Ru[YVb[=66@Ur5N)0XEKAa(EVAF3YrD4)c6`3o&n\5og0e7tM@)HU36*ALuQff25g'*FJbp9U%:0L/bf\)1CLXfuubB,4"0Xl\:t
%ZCZN5>/RZuo&@5JaKcV?5$L[hh*t`FVY)Yi`l4ug2e'k-gXI"Lg<2_@.W(`'%+(2$gU]37#blQoDX>*Krb^Q-N!o!Y3cBdE"2-WH
%2*gT3911(3noaETn4$Xfa,YibjUBiCCXXp%&W`#@`;ic$7#Bob!&9721"R^8I/pZ)C^.1:N4?B*ZS0M(l?fIH4jCdLZ>CtN439(@
%@1+<'8^P]uf6T9C6^`jNg;MQ_QD#\1['^#&/M(eNP\V4^OW,?.6=$GI?;ZN<R#C?c7I9fZSd5/fqYhe%AV832E<>B5>m=Q]0ngJ3
%SE9G6AK9a3f1G,32Y1aUbc0iB/Fcc)A!@KUou8>d2Hm)i;g3f;TWArmRrO1nfWa4:f1%R91rRIn+P&`m1Y4_J!(.rWi30P."`p'U
%5//.>[qq&5UP0!5qD[8)>5P8X?=hk\%-p#bZ6a]+A$r;Y&l]jk\e[,d'mDYPp1gA@8M`?u3mo,Y^1u`_N6sB;ROKJIWC3J&s0Xr?
%EcAa.UQc(^mE`5dF18-N<K]s?+]aqp:#_j+UNHm]0aH9L,^b%L$H<YrM'3=c3LM?5XOW-78^XuE/=6gPdK3K)L'jn7KuaQO"0U>V
%ng>!Z@-b+Cs"q0q%XsZ@VfsW2Ifk/(=DTp:_QFX10aI/QCCK33lfBhc"8G_3"'\&OZOpCI_h_/b)"(Y_0kBiGg%cVsJhW-;E,T(\
%gh+oPR+Inpf^`HTgB3\J=0TMUL*e*\FdO.O>6=ZGil[rqLtRqQM<ePh2p5X7EL3=-4Cu_4Bt/@)9+^@KFGm9mWtoblR1mc,`eJ[Q
%^ebed?n\_T#R8"ss%oQK5JKrUFc*nXgM>#K+5Y[ee$NlgVX91mdQstNR7HBg'=+Z9/ha6#g0nQ5Y]J:IiU#k/ZiS`lM%trA'$H*s
%[,I+TAobM?7Ra_`eF&sTc*kYR%FI.@P>;W=2s#MScI*J(N;dS'lTf4eW>5mbY%BAKDMjGc;oEBD6KA-GE3bo#G(%>=NFW8*fkZS"
%WD?poD/K=,0"Ap4D,btM,';Y/,7eY6"c'Ogh:j1)]$WS,/NH'8YD&Sjpa4Z;rr1K5L9]FE2eMZ0[A:^->`t$d["PiFi$LO(@XoeG
%pGL!.__jlqQGjV5Tki%gRSAJA8Tuj1$>NC6`Pj[5FU"`abp5?-l"=-5lA@krI[_gqjCddX*co3#TiYuseJM/Mf'64JL&^c)ZV\JB
%$:Mn995X+l4H=bql;[&9e3TEPCGN>Hf"KIiM_8Woi4C=96%PuCoj==?#qOBS"q*Sd^Qq;&-b%pD2M7"#2Y]%VmEQQj0,AgN:q/I\
%CCsRYo$-`=0;<K&]sgdNolCG5MZ'iAlQT!n+![hcAcq8=dnuBG^A>L2^%MF/8iGo=@P1cd-LB'7ZV[D-SNOV^;jhcLb]OinACD?8
%mA+,#0a,cbj.30R2e!XOI%mV$3pp,M&-cgO17OdOU'+8.UbJS7a&,OD=(2sZf*3Ys'frK=`Rc5.BO,C,UhiCL"uRWK\8kLk$7!ZV
%&)=uGL+k$IOY0hCNOr9t7#GXa!MX>1(Y!/'OE7ONf0$;32)\id#,jZKTSLa1GX4XN$:9]kn8+GZoU0J``oOe&+Y<34MQe6o25rL?
%.EAk;X0KRQG!*.,@MXn30P(c7is]([&k(=Yp*/(cg,.f8kIEo+XbYC,QL6DTN<G!;,#F*CQk!YiS1+,sLeO,:C7ei0+I^&QfV9oj
%c^Tb$3Q1VKac5cCm"FSu8u;"r_M*pc/%)%HHZ^Ve2SE^?`+=WJ$m:ih'k0=-lISmmQX\bU+A5po,25&!d8Y*qY-DD3;2qR1c+%;9
%%D%f$g7]H7pFr?4GFM[''e`r36P2tfS'e:t(,MOJ%u?3L,j>hHf7o)(-*Fq:He41V+=<Jg_'\l+!I1!/,ZeS"2]0:G];d^B#&tZA
%K#KS^?kJSn4uEe9$jgNd.XBhWb:[qP2nBUQ7:52U&LQ:`#=HV822nT>pGL#baCF#FKiBi=(?=EA'?&N-mT_lF01[(Q'io+-M>-#^
%Lj<0-"];g\g%Zf]go\gT/*pk(R-`!Whh*"?EFT0%^QAaCgJo?*KTqIi/96>3]C$FZaN2Ug!VRjnNu3.ZPF-?9EWPor0]0gi*HqE]
%mS07`ds3gGHVoID)p=i4E:3M,B#`M5?VB>S<hLJAaPAdnXfXUm<$r:eEb"O&9N\CoR1#DZ0RH7D&)nNNF,qKkK-B@r=aS$!afIRt
%[/s]pZ<I.<G^n47-<ic`7Rg@cB5]Po3BIjZ:>uAEFc3/dkQ-M`oCK68"gesJI(l#iOpPNGl/u!6M>%c!L!_hb2",uedNsK,2CM=r
%P2T&tEFC>U5e\R_'c:1#fUK?UgW#QWTrA&88#4E?SVD'+D>RY<.J;)nfKkH2)^(9pa?/VZ^-hu3F9)PiAQ44T+KDS6>@Em//P@TA
%k;@(C`C9IfV4te^C9_0O)r-ZPG;5Y%eU;475!+"g,qQ?5hP?pPXCXqE.B4bQ%Z!+.4e1M<I#Ybi\C;&JOY1+KRZ/`lB/E-(e^qX:
%-sm5h]ubm:bX3AI7T;1-?WTjPkUabW>R^/V*L=S_E(^`V@Hhl92Q0a$!87?@g%l:AV.q!R?QS:9]6`)PLScsiEV7GBBd#Zff3tZ"
%8(5RR$!umaKVmq8,uIa;)b1S>Y@%2cb[Ri;Y+jD*/FTQO<AUqt<Xm#X,[3k/Kni>9X_7fmguC6B\61hOOINb*TW+n_,K+![KBij%
%bq<<o*F5]#U.oGr%iSB3`2V973,"#O-SiXNlBD\hdiX10(=W>>lnk8#&,c>:*F<Z\#'on?19\GUc'r)>lK7R8gY#@@7sk+%j]N;b
%Ns=4i7<%XLL=aLeMb+Oe*\i/FYp#39T90pO>'hPSO/CSQT-59\OZ;*FqXtVA*YE:"!%kN(0f-9#1"P&U*a+og;lugW7GC3ZRfV)g
%?YY3V66'kE/ZB41/rB?E+BHM:](%coa0OID4a\LkG^"iI>C(.m@J_C0Mn[*"eG;^"^^,d3h_<Z3(.YKhkl&[;0VTJp"=Sq#(9Z6X
%rC[?aHWp+S]up_J98STI*0bR<>*%N&n7<Yu;FQ.VLR_M07?ef*Zb)4>dW&LR]u/XKV3nE#UY6%jZ)TebQ1jqIjSm'Urf*)Jed'B5
%]$I*^*1V/YKt"e4kNS\-@W,6$.li\J#Y^po';/9G&T\s0TSqiicIQ\FA6krs##+cre7Ad-5W<1\r)0=sGA"XS_[6pU@Kf"kU;(qD
%k`G@42`k"`C*+"V@Mg=8<QqFW7(Bk(=F%UTVl@B^EE*X:V`JIdgs1nS(2@!PhA[7I-Y&sL8MB1SK>jYM/+]LQK3TrUqZ]?X-!BKk
%k`ZKt3e/$O%M)FP9=9RdPO%g'ddtmB4SDbp7W_g!.S-)1'Nj)6UHB/(.l<p,;;!IQ^EWSiZ"8[)&:ck6^"%B6DrsZ9Gq&A*<OfX)
%2A0pDh>KYmoZo4W,"1eKCm-(ui0e,R^#A,dTIn0DN7b]Z^I8j'!ge(L?W7ijjpc^aoNWtgV;;DHdS^X&VhW6ZEB1s!`0lD`:rKIs
%E,Se)V=u1P-,dgt5<K^pPi!>A3JL=ZVY.?JB!uH<C34V07;4T=-L)G,AkfOsbT;cj_^-sn/US@o/3pa*9kVBnL#:IEE%am2g!uNV
%?irC#eD7qA;MmTQ)D8jm<Hu(O.,>,a@$dn.]n+Egi;/`B$OCnJS`@+kXOnfsp5#kgdHhU*!eELr\,*i\1,.c0UNpdEoNZ`n?81!P
%j^,lFQG!d77Ri*02;7r5)>%(*eP*HqQG#:+PsMuH`%aVTYsp"t:e2&L*Q++6VIKf_0)?H#U44di\-\#t"_7nOYi9+n!2%^/EMk5k
%17OSSDc9f5MVtcTkQ"K+JJ'2qlOp6A.^dtLH_i@YojC.Cin1QeP&RlKS5&oq@em]G4Ar:@+ihFoXa0ht(8cqD-)-1k&V[a^7?R(S
%m3m7\#VgJGb%5r:2d*Rl7<.1u_#R>B0Q!tbZ:,6>ES9$uLuo\`))N:4FdNXF\!Bj3Kp3R:)-$:89[e]d5Bh&P+fZm6Gbg$tKWJf`
%Gu<+?W;:Wo)8ASuZJP*YOumb;m/m#o6pX6&%0O0r(u/THgk7sLSW#X3n_E0U!HhelQR_++pA(.kc_Whp72g!O"V=`@/W<joo7-n:
%RE7UkWQBV-SP*(:_a_Z(FTLF/'q]-C(!Os5L$]RQq7!h,am*Y@Eot%Z@rp_EVDrDbGnHC>!,mn-r0"a]2;;e";XW)VJ.TmX2*i+o
%.b[hFr!4Gr:,Z*/oc+C(nkfJ)>f7ue:tD:cr*+g1=G*.")-e`gb#UEU!>Ztm'R1#O&`M<E9,YWO&H?6PLrY*]2;l\-NVbIbr33TQ
%8Z.K#0Es@3"rar.>t5Rb`_c"2167'8=$3Ju$I#5V16j@*'6<F/1SeQf0W*,Z8N)$9AFVRnd^WnbjCRCU1r`MQ<(MYPGp;!X_tlfT
%@RW2ON-dGGB>cb7dbI_F+&F>mh-3$[VX])\%Y:'jD=*-Bq2=//kIXOI4MH16c+B#Y^A.>=2nr[p?bV\DpK0o_e]iUCm5LZoIJEcc
%0CSAuhRr[XrEk'PjpS`o=#^0F](:DU^R%+W#R`jAJ1DLm%=*T>9@dUkknsb6<Kf1]VJDu;9$JqLd]SILnNdW*VMHK(d@);JK#_-7
%Lh\&Yro7,H2,$;t,@BDulO`KaPBj1aq#gP"/+fJ5(1,.[.8DsXWdhd]mnb5a_D2Ht/W&p2nrZgeBD&YU;o3fU:j&#8/;sim^_B)j
%%_.j3/0Rb%E>h6_+d<#c!f<4.L+h"4"!r[mLLO"!N+b;^-$->YN(N#Q:0?O5N9_co:0W@R7\"KH@@qZ"Y/>ph.1#1\42r0a990'M
%o0S\*/[":ANuH/5?A<R=QW\p%c6*<(0AaR8TBRr^(8f\4RP+CWY0it9S+o!CnA@Lg%9J@WnKtNpXr`^614]Y37BDuu'eOe_c)F@`
%-X$%o!(q;*B=0hO%r@b.E]tBG:_"nlbWR0<[VQ@/8]Z!CRm@a2?Pb]$=#h-Y'MAX(iZ_@L.aOASK#sRPG:5k-6Z4Z/mNV8q'[rK2
%b=oC,3%T<V(c:@<'Ja8PB@?M+IbGENhDTqQ)V<>;];?!>V$:AFG=@2$f:0SpaoiRS(Ue+ZNHk?OIXd!:gLJ/1qSAZ(hI7YV-5N=J
%-J8U'#C5;q$TM&-&hCKD;Mp.+adk*QUS!GZ@GeGNkD3$&?nUcA#/u.kXq7'K2*@A>r#qUg>uikCXoe"h[HJ`#,8M:o=hjB.\8dfq
%f36.j;`SC^C9i&chdsV`o:i2GV>L[oWQ#LRC.KD7C(f^0,`>%+L_d-*@LJG:X+g>5M:(:Te4La>(AIZQ0f;&Ohn#Ms<SPgJ.aD]W
%*-Penc\V&8$0d.i,e16M4aFs?KGnEJC*DVpn>D*j=sLGU6f2Db4lDlCE@QQFa<3%e5i3tFre*6d\VC!NoNlEmPYH;GZ2r2G$#XQc
%DkEYaJ_#QCWe#,/+MHt+."uZ]DAl4g%,.]LDD73OoR`H502r"!Aj/^Q_E3RF+W[dNP4W9sHdlR7-sABDA`,8M_$$[D#FHYDSg7H7
%V'3L:4Qj0_qF"i_fPO8&_[`i"Y;KF#>D&Fa!h`&c;$@d,FSDON;%)kPd#^mInQZY,&,87:$"O,,hFIjNWQRstGk!*XN,Nrs&'('1
%7'f&E1sLbQEeDDQZ,&;<2r]M:\Z&(WRI)Qp%QjTe=lj[Bi;#kmQP*F5d6thd%Nr27?$7-KhIIi`Xgo9G$Dak]!l<n\4$!Q9EIcJs
%"6CbC(qC]EDdX35d@H5,aau40BnDp/3\"-![qCA!bU1WtXta*<(96n@k+IloL`\Jr'7;1;RjW_ZIWpC`<[%7W(#CaRb8o?#gh.'e
%(`?3o,'Q`2;^;DmEI^&aC+T<5lGY^5N2d1%[H(#9:Kl?)D5CgTbiIuPc<F^?b:Aq^`$&hF[U&+!O^Nb'3&dY/WJ\qK\/Zp&G>4od
%k+JVGM8Bg_d0(^SWIB`7j4_O.kDC&h4FTn64KGm\#+BLr)pC*+9mBe&TR@lAA)2L?Y1`*Sb\JU=kDjc0ie0=R*2GYSHEKqWk%Z;V
%"MI)6O1GdZ/4K[\HnEaV'a%C&!j$t?HIg"`o3:KW*gVX.4K"V$h4[&JTPqM)(>28_i>]f:`aG<\RO`>Yj!e%oM]R`XVG&seA^JYO
%mM(t&7*>s9iir>$aa[u9TaWk>FfGJ27#.qH.:*c>CV%<6SmMkT.F/U@&$qXrg!AYLM%`WPcd5gA,'KL8)4?to;-u(+NtEtsJb*%S
%bPjq"qK$Z@@q[k>]'Kn6YJ7e6[@\rTrNd2_-3iWZ8&R/35^e&MQ1l^eC?O]Lf<kM@&"(km<8SR-WEVDB2=Ds=2^W[uC4%s@$PQaK
%W0o/V&K:e[`Aa<M)8aH1;$Jc%\$T+ANZ(Q'9L4n@)k_FRr),SFnP'<PU;U"\n]Z&!GP2AQpQ?prg<#;IjiG(R)$2f0Rd8_!S0p,&
%kr.$P3KLX8!T.fpJpX'-E=r;kMFlB:/j?F!gh^4kRu<I->sX5$[MC'3Gd(3>S]^6A^j5UCI!LiR.(lfhi)GNR_ND?IjIh@?bCYP%
%c\p\8&^"'6n'q[X_M`@T2m8s;SNouK%+(EV":6K`^_]k+"n\uW(m8$r#faaZre*t>\8:"YOL[JCja+$RdE`HFSNJ*;oP:83\CASY
%%)YG;a>ril1*n<*YL<.NT=@6#d,8[u"$Cc%BTtK)PBD,,lq!Lq'dY!b+^$T&i\1bego?X]f5^TNaQ[Dk'1`4#i0YaG85YRnljRXK
%:=WZ/J+=C1G,k=dO`bc,o>TuJZM;m`.2.N)JY$1cKUSDW:qI:EViTGA_EH<rVaTU1$aDKe?9O?LaHM(#<Noe^>k;>'&[&Q2Cn7J<
%Ue'Jn!RCMGlpi-VN67C^_Xpm"g-@ZL3qI/&\IZVV`rgOa/OC0L.BYXbS<g9'0;c!<@83-tGeU`_VS?6OpE]2MIPjba:S&@N,BWVS
%j7r2YLJ^##nhjVA?1M9Z@_DFX1Wa8(j)o?J<no3u0dNJYIb5SooeSo:=*!lu]BK'O;V6NBn9C=QTS\8fOjuD79?(sS<nV[3\J4IO
%J64TT`kjlI%5`RrhGh/7Y[E**0n=J8hG0]=U*e2N63<A+#n\J$5u4"Fk/77FJ6.RBO(s_)\Vj3omG5/5^(JsmbfkZiF8^R[`G)FT
%/%oIDl?cHE9*n`dFYjk10]f@QIuQMlCIXM#qG.Xf9?'p_\@3!G;-CWn$PVHYP4Y<(PbkdLf^*'noEned'V[f_BiXkAJWT+X@0N3V
%?WdMT0eU4;_gG#I/<`U*48:1h0:"T'i`h5XfS^:qYZ(sT\7ZV79"N3u41HEb*b5o4I"<,q6m!5EB$p2K\_ENo;!TI"4W#5b,YIfU
%G[R4KKlu2+9SfXCLpgtdN-V_I4]`sT,kL/KCi!..(0QUNRs?jl!ZNt#5IG"NFu-%![o*I;H,R86ik^G8K]1=M7FZWe1PHJ4]t,/'
%_]/jk(kB'hTYt+m923h[!PA^le'pZNga/Ll5cGEYqFJoTFAN;D'm`*U>M0Y:2r1U0r)a&D4.+a5(KL_j;`INGZZ$N@P8U$Z3ZQZ5
%L77%0)'m`?>Na9b5#f-LVa835oH%!,9#`%!r;-@7q,u8U=jBpI>k$a+>aVA=,]iXdPBYu]WN8-KUrM$P\9W)LL])qJi5urGr?L4?
%ic=Q7fSc%CaD#[J8b^*tYa[!t:Sh?o3p[k1cUd1,DtbH!W$'Qs_j?b:GB*@<P*]BQ(8bj'OA,b$\(C6*'AaK&.Xrn5?PG8ETV]/$
%X<O!F-u6a-Ud.K_TG_,>f3_$K,J@-&dPZ&:?3;&nXp]9(^r9B!Z0?o[</r@6g9L8nL&"-^QoJRg%.=9e=1MQ!jTStCGm0L87DCWr
%plSEVqZ?@]9^5C6%[gAe3gkCL$45_cD@Nk8N"dcUUS[ekpaK[.FiNuBb:%DY(aYcQZ1^YNIQ.<9AT8!0[/"`0C`pRY-qeEVfeTR_
%5tAAP8"2e!6Wo#pVNjeS;^i,S-`\iH;C*rgB00kQfjkFDc@[7d^ae!%Xg0FEh_/SWENC&XVGn,3d"pC+U_Qrr>pWkX+r*=aE?Nm^
%eQ3#-'T;a<BUX91H5]7"b"77t`A65)4d]NG(n'(EZ7H<9Abf/"U_X<Xjm-6)Z/?'Vm1ghp;]u2U8,=7n&"BjO"\"(*fL'K/JaZt7
%L[Pr`%_B!jb:jR7l#b^tnpMZ__Y&#c20Drbq//ui&Xl*N%Rn^J=60`bD'r=lQ1m$mIGdabCHI#HT@pr6ji>eiU1<rBiO.aJ/BjCp
%@`7IuAa.F88VKsd1'XlV[\>g6<XLArLQ#45,Vn5mXB\mkA=Q5o9'?"eYqVTcio7QEZgIj%k!ekM]M_7Eb%DGu^%m3j4.F7JkB5I2
%Y6p!fB#JMr`_oB%-<rYm.,^nHO1VG2=mmKd84[H[1q6"FIS&'?1]$_EL0"Qn3.*U;59RS:3-7aK!f:%\eIcGkQbs,M!K,6YH&(c^
%HIIW1(,Pu'<f0gW\Kr=A5Ut-a,-P?26=kXf*-ML)XeP:UV(EQn'T7:Zk0rrR]o-%a,(3.eQL=iJap?'t;3=h+S&)'KZDW$9AmkVL
%7POX<W_".hlm*.K9LN&KMPP;janiH+n:n[DetV?&2.0E9EWT--8+9lpcl<J@!<#K!UNM2RoL^k`C-kVL=.Ni-Hp<mTkp=?cb#oS_
%V.^,M`?LGP\b,flh\l$g+mlC?G;JS.Wud(JV&k98^P_W0iFgY;3S0`:VpFOha:Qb)jta2HgS9D'],O<U]@L@/1LEdS5\00Q,@!`.
%]N3.mY7Sbq.TnoW&cp?+`3rGh]s?JQ+G<jqd`i>KjtE<6l\4t*%snLE>48PPf)u.)U0Em_E=JY54XEiU_j)DQZKXB<+PQcpH:lcB
%q21`hM[JO"o+?I=a+VM,5B_+\^ZO@NQg,W:(1MHZ7S,Nl%_HRfefdK*`,jru\SeuqgL:m#;8K$eKu,2$&a^]-%I$@'JKFcp%KG[E
%:_hr[[ZFTD*Gi_^gj33j^7Zc>Quc,>Zd#nPoiZ9`pL0hE%X)S\]"uK7ko@M?%D2G&KF_Sp)_%SW58dAN(6PO;'4K&Pi^58KR&H*D
%@eQ</J_B4bP;\N:?HusUJ=$Ap2r`2m_M&gTU9joX!tYoWRd,LF%8>=:'YMoRihg;DqB@-',tVCIqg&iSJMr+]CaDhCm)RmhLCPiU
%^)L6*6AQ05qM7ZCAtS?]I7k(n1el0%ZJC4t4FI@mn5@V4.u6%r;*g0hE^Q/lMNSA1ls:MT-88^_*ObOMpHbZC\MJ3S9?8pOq]Ka>
%k2PI8G'5ueIYXIW3Wr<nYB<R)N,OH!YLU>m0m-GgKl)2RkIbF0*5L"r!#IF&DLj:o=,,&OBd*_#LqO$r\kPH5Q$6\B<FLfZOm8u$
%@_i&i`8-!C+5cM$C:H3c!#FPTNJ-j8dkubT7orR:!Bs<Wg?)\&H`,I(d6`r+$D^uipXZ^W"&n+0(BH]c;()mZ=(ac:Zc\G26?(b;
%OH@[W0d;/.A-.V2hD135l7?/_D2lO;nj6k\-j!io78H*!K_S6OCba();6ck%CXa+5N60<n:MJ?@*K[WEibg5(9;\FV/C1g2aDPTX
%6R-Z]ccApU-Ol?XZZ\ai-j8Ufn?-e^l)RPM?e#7i$IfXh@W98R?8qKoFF#*KcP>GM19Id;<\\VT"(370At9k_QPkEiCS-G!J6(q0
%55$12e\YUO#eo5N>%1qY\e(&-l))@&+L&9Aq?D:2g/6e%gWh*UKLsst;d%\7m'@XbB?m%W7HKXlV;2`f7%X+l4Pank1Yi4pZPKXF
%a2l/+<TKWqadd'X0YrplFe2gU"_:Qrb/2sYTr:3^QJ*gF<$'!L;`EG2W2dL73K#dFTF061k[[*NX@Y"0a5[:5LO#fF6g7l+fm#HV
%n_7ReLA9`#&N&"0T3GT<ZM[-C2E7P2^q'&]^^VU_]af&s?)JGZCH/B[8Mog0q/LD\%rd5(9NmfCC4=lYD[:U)H][3cNg^PNTML.5
%N:i,32)UaGBuM1jHrq+'>"+W5hD_snH]eKkd](s'OA^\QY]^r$M2?1gfajC14X#Ild96Ygf$^e7ScP)6=rGEg8$?cp;W`e^eTC8"
%'be?F*%"VH"44J70=`-j?Pjn7,RgB>YlqltAP'cNU9YC7-`EZWU(`gVr4<@n!1<Y0>^Ts0m_qqURf/ggfJZ&C>$`\c'SVM+.n'1#
%PLXAtLa)7t2YFu2?Usa\i9;!(&m2i#!K*AYVi+NFEL@,c/OU*RlGe(ak=]9-6(I(DeH$Qn7B,\I"SO?SL"*L#_=o4q8TOL3cX(=b
%c;Y@mi18-?#QjdONGEg966(gaUfK_Snm7h'f!9I?K36o'[c`"#I@()]-]m7@k49F\&0%Zn2\r4ui%o!@Q4VU?dfFt>HT_H`Ai"h\
%@TauXgJ,b.Nl>:j,5BfM\3nJ'mLJq4D9G/V4>%54MAO<k+,BqX!PUhM*+#&nqni>`EG@nYcV()s,*l<j55=+rhcsp_E:N1TN$aNL
%`/`;#,tOGhoL0I%0)Z!i6s3OWSiV*SjMfaBTEfeM"eS)..doZ8+<P,*A'?4XQj6.2"n@-G!!8otf]MkM?\]F1G7MS(ZX:d.O:8f[
%c=8d5,XDcZj!;k_GUA<-N/C:eft7IReOk?.^Rs=.R\L!g8b.4+"8aQ%gHQe/s-V<-)pLRgUM<K@>i]9:npo7?`(hj\7HT&5!do(S
%_M)JdD9qr!_](%Z/fm#A7ld-3A""*]T=0%nE2XNPdf-)T6,'EoHK654Y%Ou:FtkbM`jR1&DKh,R:$@>eU(fb;D-EA;Vaaq!l*V`s
%WZ1Kt`OthZp,^627fM[05_f"Y41]]g%pt+mJJJ1gYSVK7$)r#Z^7C?_]Y#,Z%a[IGqj9nd(Gg=*,I!@\X8$[Z"G5eAl`.VoI#@'>
%YY0b'R5c2J8S%7"2C4E$g:;4@_plf4.ldSchNDq@boQ30c*3A+JuXDC.C:3^:QLB$J-/_?d>L>A#2i%.gX-]eCs<!JTHMh<i"I@Y
%r<$j:1FPr]BeC(Z+I8b]P9>/Ca=(OlS,jA@?k$F%^]`k92!)m:N-+:gV[[8%VZ:fN>qE/dMdlHX)'p?.]Q'QpL(isT3`6:5Tp^VY
%!8_j,(^71jkeN1XAMp+4,Zo(EJXh<@)+J\NP"[#S+agfW2',uOpa[F-J!0$_phn*`6'sg3*6O<SBBNMQG5XT7`)i4+@S;.iL*M7\
%#AfDAda5Vr1*s,aSIk"8Ng!TWRLRsE$bH,EK<!j89GB@AWe-n$)-QL5W@D_jSX"f/*,I\tCTke7,.YKq:cJiLa99[?.ckA1%U=,q
%=c'[p'@0-Z:77ocd/fE+"m((YdiUi.(a[U$:;&V><MuJ*"3A_kAmF-&M8qp.-GZ$<1kef?;G>^::*-R,:3PtQW6X6lm%G[89j\qq
%5]m7@+H.d<i42P=S(BGU/fG`4#PIUXp-o`XCQLP(00SmV`t.ojJm^pQo$u>jbD_*^eq>P##RYiT`mPl.UEb7_Mh_0NmS07?=M),f
%^,78;r5El"'%o^s0S/orA[46$6KYdK9+u51"Jh>'>]t[,?Ed$ug.O(-9>un+@_mp%W4?%5"@EJ>4<kHRK.Y%m!&A+VK&Be%Ec31+
%-c:9dkjU]%@LQO:i37RR:5j*4<:^Ho*1Sc8Zudo&+omhG#8W5!ejKDcHaB=s:Jf;I'/,BI=kfLm,/LCHaMiLf%?WruW/r[ES>,g6
%'I*)[S!@PKE.H0h*mBet!Gqcm/%,[;7M<E'b4W^:+$`c!@U4Kgbc4)9+s#&rKRugY-:KSM`9^3b4ObV3W1];3o>nX$BHb^fj*NG2
%gKqEGS`)33[h>$_b+O\#4LO=+I;+]^>>9Wf"rt*Ueq5OUo1,h$"Vq]P[ff'I\%ZUdhXV0_R[n_1o(?_de,)]obfSu/l_Y&b0Gdh=
%>5dK72:X(/6_Fj+F&9!kq_^m'PZ;4mkYAj<[ii.R1*V0Yf*b0f)lFj/VsPBJH*t^TB\Ss(>m]iTcds-"_0=JLhXI)tkm4!YX/08N
%3S/HPL$7oN,3&_k%1K[8jS%kL)4$<`JpM-Pg<>^=FHdCI5GdUpgIcu/+\!5G0YsV33oLe_2Jh`JNn;i&(o&?#^?YciUL)/PQO5RF
%g"S<h<.J]'h)MkU&SBM_L;>hi[;Y<h&[lc[K$7%\K%IL#E(]cHXhJRNih8\K-O3mNGB_&;3Dd-]JG1<b*`hEV9!:jG;*?:+\n/an
%=9ZL-7_](Cf^t,kLN_88,YeRl/!\'<@!Gg?PAmb^m;SR2I3dF*YkL$BJ1=:phq#oW_hQYp@8;s@gk`T4H&dU64LqpKE]<hYWZ1k;
%'6s"8VioKP/]1"I>XS!L;:1W)3=Yjs&`P`>&+R+rZ;VMa]pqVG]GI^Y)$'K;3I8,ZZ^b;25jrkP%YcWXLj*aolUTm>8\kXe:rgP%
%-W>CLL]f#!!ic<gmdjAP+1ulbn\qGrFuFpC#ed[#U;TsIS,)PIOQ\cj/HPFYCj;h@>c#Mg0HL/lAr0Q[:qsaT\Zn6UWJtO"A?,+I
%+oIF*T9(G4Qr+jrFBG=>4@6#%KBoR@>b2&Ii=4-,]nfnWQQ8P<eGd!#N#hkm[9;OlD)Y+h?GOUuP]l83,[oS*5n]"rOhLL]<0@^Q
%*k\$07\.3Lc3'XQF_T1NGp,0MpEo1MLsAQL^(TIp?6tTC;i^N<MXGAXlPVk9@1o'%pV)RB]BQ`IL8CeQKYlZmBF'kOI/,+p+@`YB
%$#qo:i>b]Tjh#\Y?)Nm]+1'q=W3Nt@X6j`@md[$#n<.m1qhPPl:sk(MRr?Y#%[gABA.q2a\gs#8lX41):i3E5!%blar!k&]Z'S:2
%(tkI?XU9[C:UNI8]E8>k7P%F;:0.?b?C&K7QK0LVKJ$U&7[gaGdA92t`8(qM,W;Yo8?<\k\K\?7b^A;G8s7Ds/+2s9q6F=o3-[E'
%.--^o.C_+%208@UNT:N\iEMF2NCH@?YYe+YG^+gqY=<]*j5G80,6J.hE[!RY]6;b=3BTUbpsEoGQFpLk&/,Ell>T\2Oql*PQDPc>
%ZN,-pZ4;2[-soI6nt^8]pdna^,I2K31k`+IgUe2U)0'smg,.L!B5<NcMfWI5E^6$[R_4D&WsFCBD-&Lp$ps=1cP.nH`pK@.f\O"r
%)IS"gbbJKV=6Fe.6?n+`G/%oU@tb2CX9$1-U,RARE7^k34gPE4;b2[C0aAa_GdJ3IVgC^352o2\UKGFI/uj`0+],"t]=+QEq^WC?
%I]53Mi(%<2N53L0%(6-MW4>IL<>44qK?T0pGL=]T&5*+%1Q$EJ"f?Ti+;k0+I-WYAGZ\5W,@O#Qd+BFX(OZY#i?VVXPGmMX.jLRi
%o4]T58j*kK9[C$Z1h@L33WON+15/'R9%cj[%^J.7RA)%N+tGsT8t7F@a6?SgW^K`=$_.ki;R<`mf-Cl^eHOZ)G,88>K1[?JBC-9"
%'C;Xa5A34\]*EHP>0lP=A9XPiqm+^)=H\&7VA/ERm0M!6TY72t)B=;&g<JHjK%uTX*fglaXPQ^ZR67n'MbAhW*)=F4=AU;b9n>]3
%C4sl7l7;6maQA-21Nt1n(sTED?]2F%&S#TWHh@B3rS6WdYZ_)qh`heljGpBa_c[f#-R2DZGD.5B)BBb;87G2eS^ie'!g5A$DQkj3
%O[fS=XmiX*q;%&W-1BH&IRYV=,VI5*,RrSh[';VU9lmc]7[4R0O'XE'1?,ag;i&6$;Ks=a9NKZ>pG0(J)[N,L8"]iOI0A7<2HL^I
%QN92cMO4En"](58cME9G@FKEN?f3n]GP0I98>UU)H;M`<Cf=+&)IugJnoYh!_WI^#ib)(*>,Cn$#p';d&BT2Tfnjo2It[t<PFV.!
%+MLPKBtm:FWm!PEhC:>K7[qmBRUHlB7L.2oOuZ^\;Z!31At>rpnn)M5=8;-`#A9oP:`1O7hS(&iB9;)=WjgYG%p),!'M5.>8ZtJ)
%3W"SIB+Ba^f@DE.d"c=hcq<@*XKJ/K\@H$u&um0iTZ_4-G7*&MH37d('_@<8?!PU5Nc!1r`^ZB1d0@FmWkUbuZAcD^%EgIgA6-M&
%X]m2]:WffS6[>A]Af"Crm8di7jF&Y:U85ogrp;e@`Op:Xf4,I3bMojHp\)u:f`su9fXjE8.r$.hW5Xno<7j:p4R,A_0SOa]rqqbP
%3l8Bf)l$AK[-X1uef"]thhjG']`AD_NXVQm@p+HJ:+"qbMp=j="+&2`?6f_j*4`C1C)6"U$m@MXD@M9W0mG#a2R3/LThVJYdBJss
%Q1dLWFFjMS_>^8>],"322Q;<[eEk9^dRIY#gBaK/ObMJ0Jh!JL"VAR+d+"7fT-r)50UfCX.=lEM\=,;27*=YlGRa3H+3M[k[J$GI
%774>h&_T+@Qo`''qt098<)37pa[6m>XC8RtWd@dRWJ`(`@0r#WJKr>Ai7U.>3EL_H)\Jic+!JIJDUfY5o1#f8T^u#2m4>6qqdNXX
%r>HBj%7I"dCAj6RW_#u/VEHC\\*P[ljq/8dH*;9/g:ee69(e$t)P_K]fmj-lX>#D[0U_q!fqL5%jB:38+Pdu@mU?oF+-W)N]Go?+
%88$ko`(,K`=)btM%&-Ke/-;][[Duf(n2@5B*FK1_A#NJ%Gr)/:QHiu-*0C?V5jb5Ek!L/X!ol=f)9O$(_R>Y1Od[V!YOE#jeuh@$
%a0CW\Ys^,d:Uji8LHo/^G/D`f@fo8=@02j.A2?339:k_uUKVYu657"Z'hgcp02".@6=JR^X..+N0JLW#@J9Qiib2&$pXY_]J[>/Q
%?qkg"AFsV'\JIHDNT2DKBHSu;c`Q-;:F:FL6YBdR\I6s4A:j]t?)BUmBT/oOfYV_m_e@n%)doGX<VWjh2s`]>e*E3NS=,:h#ekI)
%+P[tn'Vqir,VaQfHZp;\'L0sH0dAJbh.bDX#F?>dXkbk-`"Zh\1uTr0X:Y'*j?mh8,arKs%Z33Y5-_>@7.\;W*A\*ZLsJ5:QBE>-
%D[S+%QlWHYYs"Pb2H)7gBZ,<4'FFg3FLE+g7lSquC"sF7C53+,/&p_lfod=H)QuH0%UuAgrmEHbXDccB_[pf1`fLQo5aiKsG_MdJ
%^dRm6b,H%kK46TR]G?X#hW$M[NC6VA'pp.U'rJ^u(f:jJ-hOG!+d=>!K5>JAMl*>S9XF@d/ebA$FC.cu8/WO+d5M]8DmC?ZM9S\Y
%"#neQ[OmNocGXl`87&9ZQUa,`&5O:_g"Z-[RXu72B#:VY+L0#$ZX0/Q?.Q**i4M*Mr4UVk=69LpKVH`U9nbABd:jP0%M08:9j*n6
%O6DZ8`mMJ/#LfDKT>8"Ll(!o,@24e\KeO]NTXYBmROa`1V$9T'WWut,G>m]?WF2.p$AD9l4,alK=-@D3=m;d'9$>EHeol#sYheZ`
%%],p<i/QOtQn'4/Z1F7#O-j>nc+ILfM47$e3kq#$kJO;HD[7dd!V7o_,^*pELV*c44k[<>mJ/Vi++rii,Yuu#jacYUlGXagL-Q-P
%cf=j>'YSAZ]!2EaPT'unYAsMIBdqooD\1"ldYslnj'197`gXeB]\8"18*^ZL>/eA<i3FctD%Y'^?HrEKPc)>1,.K>[Omfr_1_PEe
%"F;"57Z/CRFSXR6Rh]5*VLuj1l1bjAAZ'/".kB1<hZM-Vh3Em1rH?1u-m)<=D&p."*n53roZle,dnK):EjGk0,?m<j6T(CXfDGB/
%6WNFDSrT53(FXl#:8WeK;e8^:4+q+gM.C/Pa^k$O^'Y:*m)EFh(&YS,2e\rK%V\jo$PoGCZP^MRK2mkV1cMb_TS(rE(1IZ67GGrE
%QIl@'paB@5M,f<4@728`;/QEuS8H/LX3Y`M?l)jp+GuSVJA;iK%nnZi':Dn:OU9$Y?@tpm/6Wqr=Y-]Ri8HQPHN8*rhKc-ic2lDB
%m`;uA#O'jjg0nQ=EGuqu(.#l&#O(RuPsV7f[V6bA4]Qb3c."&9V6M8^m%Ao7H&k.a?0>ac^t6BML&GH5o5'kl`+9p@X<XBX]rl4g
%T[$Dm404H]-!hn$pC\^N_Q$)79TSkIEdMep.pURr7M_u9R_ZeRN&h&dY#96%+k0bWRFE28WhSfUG8tfYEOV[\IONe2"Jh6&ce?O5
%S]Ql9V)#\;es7KJgA;]l]/:j03baRYb#8\2[uCFB0b:&4b"'[*@gLUGDKKAqi+[nY#Qmj4+[BSnlkgq`'O0\/X:[sP4M@(0;\=>V
%0#=g8?!SBFH+&Lli"tM-?*n>7H+l!$"5;nrh([P,6tEh=&+`CN3-oo[Z\1==>GMb<]qh0'eI,s<:n=H;oAoU+Uo6qs#g);8fEUmN
%XU]KX`4Y5sfUTk6AHT0c-3.Frl'UP!Zl*0@g,M3GlAmh'ZUK#I;=>\2pg[;GPe$\DEVB2/P=R&$"flbK`D-1gG&0ZOlSs.WK^:'N
%6=l94lcs7uEI5LqW2sXYM'7$8E7ocj^BSs/G!PbU1rCR0!UX-.%2&/^@uoZ1:/kKh.@EP2&j*4<+hE7?$\R/j2;g>e,PhBm!J82o
%0ROoOJ_)g91(E(g=EfVZlM(T@60"XE>T:<&B;9T2QkU0,,!p2@W'8!tSn0.`,`*!r-HciG5]cu]H!c2X`SL%bYL.e*le<cDY+Mr\
%T)>]s8@'J(*D59N;\7^Od5fI%Gn'=.cBFg^2G.@RN-h<S8L>F'SI)i'8Rs\Q7B[[Ej=!?W]MOX!I1AU;5,c^fn^YKSB;.EndEk:8
%k]u%=SZ4r0FeC?8O];p\V?>gg=nIaI[uGSC2OJT+0_F:/%YRq5n#JBNCt4aHU'"+(:RKe+J6($+cWkQKoiaX'C+DUrY\ulj?J?OB
%j-+hf>M$qmBbIUh]@,YN>P9s*&Wo!u![q+;h4:pN!u1+I"%(i[>A[m`a^)fi_bEjk\rT=US%(@N/Qu=dRn6#'fL+nZ&[Q7)D$9<U
%L*EpBJ<4S/4X4c*&IFd;>=-*ue]Yp1+G]$X2F#OeKj4Lnn^,R.,J>p;;5W8rUUE9jQU1&"cAJpm+@-/1U\8b-6Pak"%nLGuQVbfe
%[$:Xs+GN=(%B1B8&mk^>U87mp!M\;n(^h8_4hIU?Gan?l&^Xnd+l?Q1V)fYi&'qKc82e5Ih;-^:00/@g'dn$q(X_d=qI""We#d]l
%.^_)Ep"XM#F_,g?3jnOuqMnSd?acA`+\sNr*\]UcM>KhNrV=k6:1:d6OpX\HjKoet5H6U5YfU]ZN2@;<b*$PEh%[gt<&^?e[)XM,
%1XL,RhE0NhJt)2Ij&j]_:>/'=Kine<^otZcgsi&W!gF*hYZ2kKS$(PWm/n85c.h'M1naQuhCX7,!Wp"=rrUFs=LAIdOCGFhldTSA
%U9/[2:bVIn+B0Y^Q9Z\5]1fWjD4e6k>D[<6mr=NC7cEL.C_L++\ek2r-4m!iZ(R@i2c/^>eh".(+4NVe)ZZ<&>KsK`_eKZPHSke<
%(4;^h2?t6?Uc#bi0FirT2'ZA'.mB=?<Y<ifNK4??bm0gq!FfBAq[p^h)nKc@TCug%`:$l+,-O*4r=!Hr1pDlo<m0H`2Bp'ZcQe?'
%(=@.Hc1\"F?NumS%.(2TM6D[T)(Sr?B$O;$'=&S7"?[>cUe[N^Mu7A`!g%pb5";BnKXfEF]Z?n9R&4"&$p^@?R-,)$@Bq9YDWrHq
%:Q^e]2OmOKP%8p@e9obCgXX/5@3"rgjs/#4aqRsn+-ItlKfhiB_Z'A$?++>5`i9;NHGViVNalV;N&,a7pX8#9d;>7#gVFfRPZ]>M
%%q&[T%4'(nWVXFMR(Qq82<j7;"qg8hQo5q,CNM9BH"OQ#p?gEN"tE`()*^pld=C<Rg0H-<*m]<B\-D$YA3ePlmc[Wt6+hm70qabF
%L"0IW]$5i<lN?0Z4*uKgAT8\4-/p@-b[6L6<\1TmfiXN))X2d*?^o)o2CaIJ@TNd@Ao`l?j?'D@7oU!M:COSuNrX[]fO?+E>E#f6
%[<fMSZEP8@r#fI)FGKU397nI7*H4.L;C4mr.u\aj\/?I%$;TeC+X5%nn05$ne]9e>?BQ:\]Olqffgu4]V&Q1r)Yr=l4"W`]+^jr&
%#K1Xi+Z:[\KKODaHAYCT?mjNoXD5.F6ooRJgI`,e)e)-O*[N*'Npmh;$R9N_4]J(3qgA$"3RMS.E%gKoZibRTOm,"I)ti[Wnp2G,
%/X&LBb6C.rVhtn#<Da48!pD0Xo8<2`(?)5(Nu10U6nhZ1jD6DHb5mEPY1$Q:[kufZ]!P/<@KLLkW]-G-Z39Rn^aCXD%o=0I:%K]C
%2$%FEYQ6ei#afDi!":_Fk"n&*AP)FOg/_Rb9Hmn-[F&urQ[6>'>:-'].nO8c$h4EN!ol&6&rtDs^YaH<m/#Z]Qn<V$fTpeMA#QSb
%)i7:GT`bp'O:h6F3BB"tiUhrDnTdqm"6X:CkEUW8DSZr.(lN'-r4KaHrHt"<Lq2$Wdu&7cUOJuK/?a'&@;`S)@75:ESrQ$>%.i>A
%/+,'cmYILF#Wr$`=I2K.m['S,>^(3rYd_qI@&!BbR4.[rc7?>O@@mbS)4XEcER9'LAC&"GOF,-S#H;hR=HpnlXc.HZ/h#V3!iVkU
%:M,pWh,,Gnj!pM_<On!tn>joib/b=N>/At!aPt&i_L+FJQV+aCmKb9"Q71o*(.mS&@%p2r<i3<DUMC0>I>U2U?5urHq&3?r.^&ZU
%2^:>]G58Mqg8]cPp$ai'fbc5,4K%NsFtn7T#7+PYUYls8Kh64UJ4?Mg%3EYW258Sr-Q:[MAW2^Z[[PnD)V!\k4g4oZ72T0AdEDq$
%X^LXXeH&9SkO3,mP=Fo&#F@/*8%gSaK)Xe.ggL\b_J>7"TIT+pV!JR=_5jtS[`oCc$3Bel+elT=![hRdpU]UO<$AU@YR.Y2D.PiH
%:,er`.j3.]m)Nst=)F![RIqr[)3rtiU:<&@`#`2ZV&s#GE\KntaXFP<\=+#A@sYH[e%mTjNPkiep6?KuZ_02im+<.0]3=X%%tYeL
%ahN[m,gVq$H(l,Af>OUup1,=L/!iO*9kr`l4a2Kd,MCgo-;#f2'fd:`]P%P9iA'NVnC"TlJLPNjgWg/:o-e?j5A$Ca-*j[J<hMO%
%B&/P$dfhXsL*.@YbaSraW=G;8p&Ob&[Eh8<.b0N/i7/ZfP_(\Zb*qTFBs<mp3!Y"K5eB"&SJc05_5`/K/t9QZLSc`DEKPj`$]TsC
%BC]l@luBplO`k?BG@:cK%k@<bl2c4Bq!gK2V9n3&,;SjCCr'<5BX,f"pAgNVl)lJ@#R4>gpG6goI%)/r0c`iGPsK`YHKl&`atgH9
%A>$i4CH3[_31]28g:58Z<URq7M87NC+J*k%8jL(JcI_*g,p<6G)#Z,HR+5S],@1Ed`iYeMI0(Ic`'Xo*lD,^e%SkMG"8dK<4q>1.
%:l0/=l,"Q./`5W*69>3gJEU,q$oaJo$k'q^.)^6^&`A%/FQH(W%j;EKMfH_+Fm;El!X8=Nq%AK*bi=sf:l63*_')'sk\4Y@UJBM0
%Jtca^^H@,O9P)DrF5`R(3_"i@9jS+4h?Nmc,opHNl2g)2K0rB(I7J4p&M5<[Lob'G#Mc';3OA8,/Z.N5(,ZK>U'n7a/!K-%2d:l$
%D$csWHY7U3hLPrZ$1+1Z_6<&FfUi#Nj$n<?gQ,nEW7N<@*PLa_aZTOLTtU#=rYN8sfcm<:(!Q9Jbdi1d-[Ro$Pk4?q>=,^%aR:%O
%fn(Nj?ilppV:H6nNYV*#<PLZL5;<9KP(K(b*nnV**a\OR/3W/Ra:qdnU4FTA84a#jRtj"'^qq[U,"lbY6g$P_>!AQlefTug]6cQ#
%oI3H!N."nRH+4Y:R$6?^g\8eE`]Q@:"@YU75X,Bh(n](O(s5=0l151,40OZ^3^M,6Ip>@j7$bW07^XA1O0J.b$1T:IFTh2i8f/^@
%U?ndO4'`'[2.0pM4P3Xc7!D&@/'jeQmcm%YlrJ8e1:#j+k<g`!D?;ksG)MWu_-GAkh2!TkM<61m`S(@Tk&&h+4<3<[P-SGIbV[+G
%3i/#\6<XK4,ZC8Tf!E5""OTGs2er@4Likj'$St\G$QEnqeH>M8F[+*tGF+4($75NPZF%C:q@K$]3I>IF['DN;Icm290\@Et4%=&U
%cI]V26!2e/rp*<+.u-K20r'dY'OIFo$.:*,BN.pkm/F5aIjl`Q.i9/O]"ClsU['KlGQh8)+:&o/\AB3kELqe!3(D6*9[aBbik_O\
%G1iQs2u((c0t2cr;Arl$)%Op6dr#n[PS"=#R#Ig/e*^a8BKS9Ldl?Qk"^MU:5N"U>8Ct3ln\QFY0K%0/M&(Lui^T:FE4%#am\`*G
%?&;nKURSMu!rIp2[m0OQGPM>oI6T\*!HtXX*)86m=RPdh'0P5fGj12,*(`D\r6*8iJ$4mb4jN`.E5U/:-A)f6W.FOa$_=sFKW:P?
%)hSVk85<"(lkGmf9Z%PG40FE%=?c3HL;_,q#KU/K_`O]$d!:(<pMAu&DIPdnoo2@AidplrQM@hs#=.`PWDX?=r#0,:L1K.?-Vr;"
%BqY)U2F%;]<d#-@2+NB;#</M\*=O5Ti.TsV!d.0Apo[qH)I/\';B&c;>I`^$OUKeWUKjdEPKM]S6AUcp>CkH%rEGV!P(h]GC%Z5e
%>hnR$<JhI5miS^lZ+_CKGZ=BX;*E-XH=VJrq/![I:^:R=JlP.:\eQWm1gr$;JZFrTi`$pY3-iZI&7)#))N:Y_K*ft>Y_gRhhHL3H
%KbB<!JMojO+u=?nR0grp269BlSjo0+LWC)Xp(n=#M/<7]7$-5(4*2Xgm.@7LjVFjjq+rHH0kOAX?*sK]V(K0Nj"qjLi0^X7MIUWG
%Qq=Q/?eZNU^b4W*DA'@kHgX]NNeb,`.L2jY43-Zs'_IgtpZeSe5^_\J0\_\=W>o_\lKRjd)l6V&F@<jeZ_k/A/0->?$(T4=*)\s;
%&:gllUdZumKd:34,%DKk8e)ONSP?lGp;tC2Ji=OeMb&p>62QF&9<LFR6Y:a=%Wn0K3WWUMI2M_ZZGtDR[Mr0!D)@i(c#@n:1)#G,
%GNDTi:d+1.:7F##9tJ:obr351R!,8:.uPt3CHD\)(.sAIR1qbV3>&AT`C%rW3nNHaNFgr6&!r?$`a90'7#A"#/WR.VVaEOW"'sCW
%KFGUcG'BFmr-QCIZC,(bnm^Ya[5iTR<:o$Z63QTd@O(A1p%"T^263g4WpE;B9t30gX%X9:P<F479d:e5Meor;YSXuq#l7?T^Z%9?
%8I^0B/1ABG]nP[K0'Zp-\D:i0H&]*1Vc3/85I<]AU"*EULI&<iM\.m'/W8hrH5?9S6!@=tlLLpQZH<9:M`3X!c(qcbIC%Jal&Nhf
%1X,+/%8YpQlC"n4^u2#W#VquHiW_?Be2?6=Ml"!L9A'.bA9;pICKh%oi_lu%k@%+C>=7FSXE&/qm&'(#)?#Z"Wo?2S=jPnF_UKrQ
%ZO4M17+t[3WrjnYWZKqsf6Hh*ZXY`O%c=976A5\H9Ht54!\Tf,V9u8&k<$P<VWRa1Yb6gb,N+iA=1,%X*usOODXfF^SNImL5T\-r
%G,260jGj*!E@bBcJg@Xb>bmFU"!7(?"uEl^,75@CliJ;k06Mo])[$p0@;aYPd3T6dQ;3CXPRg=N!:U]Vj;6oppuEY(.D.[HNuY#J
%F?J)K1[h4%o)Y"=5c83[I&Ob`Jn-No)!8Bl8_@_=$CqTn1q6SfI7hm=UjbSp:XLuncaN0P(=^qn\53k"XhgT<e1CFs46+-9\fkc/
%3(.B_7#GmCFGg`O;N.uAh2Y=K-q$I%P[7+Ai1Y35KM3^TUupn-L1WgkdiCb1]0pI[?tkl>*/(_2p-C_>i-BcTA.HKXhD]?)JSouV
%i5Q_NY4s^Y0%.>][c87`XcSiDM3=1D-"E^=b&]SC.99J5?J52nD2#.In[Lu(4N0B9Q@bST>/XAp!Cdk+.Ko_1jUP\jc;+Q9"#7"r
%\gEMK?OVB`G*c4_TTR]m5,lQB^?P:6Uu_$Zo>mQN2:cAiMJplOrN#XZOhJMQio6Y[l1F6TOZh@&e,*XN`9tnPK]WFT.33`>0Mbd4
%C:\CQOsO`Z6&_D$U%_;=lXa!?d=]-EGt,u8jPX7rf!fHaR`U!,SX72M$JWi8F>k"FB>_4D.>'C+^DcPc\6Wu^O.'?c`le,X&-lMY
%SeU4$@L8,^SK&nZT"kGYC,K,RDUG]*2@?_"'P/q:>W1Hq('^G\Y_35h"aa:a/O\HBnQhLu:7(1ImPZMS7Ceo;b63>]1:Jc0*2h?r
%4riC-)b!5$p:7b6hi7!B6.T6d^.pW<m0P5(CLEiljO*GPWeqEO@2W1dS_Bd>Q2:h+@q@C_63X%e[eYqiFIjE:CLl'k(L?]o7gq_]
%IV<<+H&jrLC_c!ulR%Ym"kPQWp?-"pSFrc<:A!d"HYK_%Y\o(af,JH)@lslRKP[W[;'curD-Un&"b2:hpT\5+)=bccMpS?bfS5S\
%2"I_SBp$%n;udp&iYnnU;^1%VaR##7Hb$ZAC:ZlnSg5dLjheabc3u%0#Qj@[gj#;^hi77_"(ajW$1rnm@eY,+e`OYBLsbN!ZUDOV
%jS%8uF6hj5hsErb3I:"6h^H)mKKKeGEH>Sb9UV-sMro-6<#H-@Un<Ef\)L.-c#3Eb2\RQH0EsRhb17Y*es9s&P*-K2nFEBHPp5TX
%)@mbpqt8f#H)`FH.haUk&VH@WEWSdIOTCmS[\[>b@<'?GStR,QA7ISuPfoCRK2jl!CQRSPPh_"+c5o<?f"B#EE#DAoL<2J!'5/F'
%GC&l)6aS)M9fF(90GdeX;*XhJj%(1VHh?Q5+DR?gXZI[]FCo*)as.MUQ;Ho.3EG[lJ/lj^%.8#bW$p3s'`p$GmsK6n:n6rXP4.l+
%YWsJMgtfY%%\O+@591FD*r2SGCO-@WM<(@u__f-(ICug&@6j.$N9P82?&9ih#OgG%9F!bs<qf^_T8,ou]Mp]5K;tXu:^5;t!#!\4
%FiWj^D<qa2MArEh1P&Dn-PJRqCU-r;@$-*^*)CZ/iLlU;G5)tdA2M6\P.>8b3QC`.@*R`I`9Lm_UI<;LZGYu3J`UkKDt%\g=I&]K
%SKreR#YC'IL/6LG4="0lr12'3U^34!=-g^6Nd[oL2F*sG5ns[OiM>ZG7%KE-9DJ%SQ"/S3.mog]m,h94.D'R%OHi:kVMJ1r)kbTq
%LhF8:SNa6e/&aB^R*qT9-&UG?ZDrUn@+j08Oq^$H<DKaPF@0%@WY(0md))99O`u.JB(FL^;*<W:ES]qWB-;=14tbS6CYcq14:6Y7
%&mfJrEhm8OTU8JmJ"[2C>jsR+Zgd3YSqgQ[8[pEY6oOP6a#9DnLR$Kq7c`"eqR4?/IX)<1'=*cEq&C`TVJ9R1#MJc$</D%,7?l@B
%&NR>+koB\#l43`N&gBZn#*IbV!=I&OPC%3i\-rqi-lLEqZ5Q-GVE5!Xm\0/1D1#Nd[0a4J.Otk4`?&GgH9"MCUJ_LuI\%S/V`A^5
%A]hhVV&e7Z%$@*b"1n#-pRC5jfU`4!p5Fc=E?,71p!0QE\@tU+X@hs6HDjG(QDQ[32qI?@O`=]\`-g]b<NQ1-mK]+uedA\0f$YI^
%,I3I#YW@mO%'\K(ehf>dql11bFXrRYlSrQ\;XWdYLrjj`,>r>JJ5foO^;fD'9W:_Y=.]B&cs'H0F\8b(@]ef*lU_j#X_]r*ej69]
%0sk-mRfT,Fo0W05kLq,1V/t$%X-XBD7nAmfR2(6S!`f6_?C@pg<5uGK#H6bJ,1Ti=-(WF'aq_B&D0q161d#8b@'N>3@]#hbe$bte
%Se4C"^VT)kJc3],JZp9iP%NUl6d;b"8e/'E7F]G:.0G<;2:s1KKXO>S?^uMSg5=CU;k7b$FgbU.0H)Mr]ar\udtlZQH4+Q!'G%a>
%$8Y!A#CE.)2R_6Wcjj6P_csjr5s;khM<lHH$PcKj2GAk_UF#&Pa'b@.%?Qs@+`A,Z8@?3NigrN1l_Og#+:m0Qb^O7ID,etD&=B,9
%)sV9[2&*![\#dl1Y0>+['4R[JI[FnpG=pc.4djih#9hYT[t"Z1EF:Q.SRc.Q*S/IC-tDc;q3IBiX0t_J,R9KUodJ67eM>U"FNZ!T
%2WRUL,,6:_4&O'm4Io7+AL:E>9SA<2kPgc>$81B8^U'm$lBk0iTUHS'6&EDkR+@g*X2O[.VrMM,M2B](7$OG*mY,%^TgjuF8NUBt
%>]^X'3/j)m*=Y3N@<3-<\*<>DdN6'810F$ZCr+L\p'HEdYt=.5d)Q!5H$e:O9:"p(lj<)AoH++0i>u!JB1fq[[XZqC6\Z#l,RcsU
%1eEN.c3P6t+mA=,A$(QPFa@\+$J)%.(nbM9S_R4J=deS#,1bE#6VFS.&"u'iCK)<]TIFuC(knfJ+ndFOU-S*9"1SgB4BV93m7mL:
%$blFf+?7OA.8-uA!'T?./KNR6R4bnTlWsI*[7=q]*a=Ep.p]M)^Y:&;W6(Co<*oMdPBF<*H-h@5MuMRD"*pr[X6We7l2fW/aIr*-
%,+!.68p[QWnaWJf6C3Sc!g_<]6C012Lh']Q3Xl8g9WGoE-+oeglobJVkIuWk.<=H^Bj)^G5)"(Aj5qhL`mFT7jXVTTn#DqSl\;P+
%j&Q[ea%uV8C_<p3a7$C%CfRS6nS-,$mkds[3:.L=-3hNZ;kcRAC6+rXLcM`OV#jf:Y.G"1042U?>;RWjS?hAalgJ20.k_W<(Ik!p
%fo&XE`c,D`E.M;9"Ll)LIP%PO-R%`gDLSXpZd2?jMqE;6=l(3FT!=bcF@TlQ;>oSP?+4]#k-c>\!q5(hgt(!qo87Dn4co-m$39L5
%/rp4=]49Mp<>>(CKOcr^#,B_rVtX2cToKff=-WLWr[q5>Z->j%\cGA]))!eqn7j8>5bpiik-9@($p@`e$H%_/Ks\&<4UKOl;O#\`
%PZY+X/q1D=LdA53oSs]s+O"7o9-C3k_8r3?c0<"#3.QO>/KE0#648ik056r&YD.UgoeP(7Hg=M@GA*:F^s(Ulc#ec:nR[`Qql,4M
%p"oAm5"cn,D0,`=\O?a2p$J4B#-J.<FCUK=ZO<J0jVf.ZAZV`_OIq"DpN:c9h1!?&JPlt^*r"KV\jeK,StdYONpgq,G%[-NhDV92
%4do*7PJ<C4]M!MZ$ui2f<0+a=E6+c;Y2Ne8N4#A^=mXA%*7`SU^>JfD>AJ<9=3p._YO#*#j="II#lj0kJ.q7Nh$KmZHJu9s[*^i"
%Xp4M(:Wj4leZf25NYB]uhhWJN>s)e!+,j<h<`X4t03,HmLWX/^aL$Cp+$t&]I1&UakZ=E5HF-c@)a4H)`Jup$Ma_cf[Xb8jDM`I]
%]72@ep3(>C37Y]cr=RGA)Ds"JBT\>[='08o@0/6PqSK`5\DM3THet2O)cu;lB%l>#bifkreBPo'>atH/m3G'HXm8l.Fu8G`#DKNe
%IKis%SfA6tN.QM:'MZZeqE59._*?a<qfqiI4[Q[oI)oltg=*J?"g2H3]LUr^IRI&VDTPHA&L;np--J9SY84<tY8XMJeTn`h&Ggic
%]&O]Uan1][BGU%?Q.7Mc^DS.;8Mc[r\(4j'5o[b$)3SSM`%^4sV.!amI5qe^n?RRc*;U#J64cR_p9j,Q"a1"l,U1n[[(l#W+$OLg
%DFt1=BGJdYK;*u!84De2]=P96f&g3%:j&"BQUS!lbdp#i:8YRSq%d,qiNZ;!N;S'8BOP9KlMf,e`BF1l#&iBWlJb1[@.iCfRA5nT
%P'/OB%(BHQK"P!8:Y`8Yrl%ith@to'Pf?j=gATrJ%$J>]3pR!J1leNW`Oh&.>$9qBBX)o!gPqAu6.;6P81]Ol\QQG_'qh/4BaQAZ
%Tm+i$WT&=0Ga;MCG_.2_T^##8;gUU99+@<Ek,F+HRe9f@h\'X6b=!RXrf(3oFU#FP1;AtT.1^V6@U;OrVS!oYW$<Vi2+8bG%KAnZ
%`qlf=nno7s9-^d5U.L,DVHWX`*'q""Qp*CD.'-UMikkBX%V@^!0-d[Sc.G99jH_q297[Bmi-[R5hMo`Yi20!#GHYl+OHSL89[WN6
%&C8cQaPm)eI1%Yb#V<m`%GuVs=U;bmlHM33FX\ArXc\S9Wqu>3$gN;Q6P4Zp#'<s>],g2`aR`ul>$<U5^fns&CF)2IMXX.0H,m:V
%@#>BE/QI(&FP5WP69"%l,&CJ83K31X]E,8[3F;Se0"SL;,r@!'&b&^m-k*<)BRh+J#n:V#WeQUR8.?c9k)E:@pk*3e*$q%uD&S#0
%`n(:]K?>=;8V+LL>GgER@olb'HEm9bj^,ptL/hC;P0KYZQ#pdI0A"aWe/Y8t?\<@YK2nfd(^!nm:((qi3ndfp8-=\0fPcqM-&'o@
%&,Jdf+[4M1]m6(LA?N9c(R%Dsf@A3[P(L0n6_Y$N41&XgK'NpWE*ZYAC0cQs.-_Ks/W6n<0%s#l&U2#$YF/>W2CTEKcupl4m]fuE
%%d#_aEcA[%O]R<,`&"M!<sK9V_Tc<W*B!G#)-BqT=028/26TgGj%+/cd39"V=4KlMN"18oY-R<t6l$)SndTD)`qp'0O0/Z;'B'Eb
%OUmn7b&!cChmW"WK%qihXhrd2?b!`>465\9Muf0JC2B3!!LpQoLB<[Nq46?bA1I3&W,,)LZ-JFNmt"pOGT`@\d8La/Ijshs'`?<:
%ZOTFt5ml1o5.K=76X"8YcS9erBjAWUF'%8a<"Aeo+oa9,:RPGPBf#YLbq#me"r%XJXfgEf02=\&c'C,'k,a$lI*7B'<!UWk(faQ=
%XCA=t3iJEtCKK],!Ya;gWeOk^f->)_;D`X:V-F6Ui.lQY!$_mEN%5dkYKmlo_&!!WOS?s7JUu?k%bbtcKA/_:X[cfB\*ia>V",V.
%7!Q78kQM!R@#PHTm^<J/K@2tqG3dNNQu5N(,PW0-dOhk^UUk?ZOI7c`V?I4i+n;eq>P;!HC6)\Id&^^@I4*h9DM>P6(tYH>#bPM>
%q"!FRX:X_fJL6M5ctkR_J7"muq=2Y+8\DLK4''DK9ng7(%(a>uP`'EeQc4,DPFH==`X^K1qn_oN4cNSPgl>Hq.oFY:,V<UildV5i
%#q<)O:nZR]oFM*DWpA1V4X5,J#82%#H[lR5Ti:7A%Y@AFCT1t&N.W,&XXm;hL)&8P3C5L\V-qicZC95+"O;q<Zk6sE:&8Nk]5u#R
%D.fT##7kn-UY4KIZi&'ff>^E76Fh@JfHq@S`2'6,*f=/fki"nI^+@-kh,rc$N$t5aLb$o`+gk?g:rM#9J:l5g>ER46Rn5;c*DfDm
%nP#oqf8V)FhMb!TY7?B(VJu.K!Wa4e.a+d>EHpm#5EQXC)nO(TI]_l\4^.%!*&,$S(\a*$Q5uCYUh1N?;jf,HTE$?o^E)g\9uu_2
%'mdi2h7[_G0<Ik3L.n+[DM`abWA223q(E'q!FC%c)3h0o&udJ14uY"&XPa\6GB[b;15a[h%/@i7aruJF`+6Z3&b&k&8AkT>'6%4P
%\Jqd[N,"W5UWpDenWN=cK,]%2_dIa.5XHDQMW&-Er'?-TK#:4ZUtq4$2s>)LZBTI&B%1DQ1uMfSGeRYTf%lq23BL,W7aaZKf=<T<
%UF<CLZ8GV!R."b:6+Wp9cd^ih/^"iu_&DhF7*G?Oe_`rG1e2L`Db\SnB);Q]:+/n7[i\nX;h0$48`!K4R)7&k;Y:uiD36+aFKo$n
%m)KXJ7J$r3_4eEm%?\lIU)#\pYHm_606db<.s`)E*675AD]t:<D29n^"nl]1#I2a+jVI.:D>eWUrP-19Dp".@T*Dg_JQan*(7-:&
%H-oV;^"/00p9gCRM9WlJqtAHOPXnQ-DO@r".<RIL$Lu3V)IpIsdVurG(9SX#BLm*!eP"5bN_&i_];tTo%nH@\5(Y8Ne]EkibhVH_
%4.>^D"JMkTInC*G\FM0K9^35A)p/I^;Gp(99>>Peq-72iap1I1[sA_\S0?Tg]J#?cV;,+\n$k\BVY^"acp/k-)VN*0mX99Gp>$LB
%\(.mh']S@].U,"1EXW%0rp#PQ=r>sRRWbJGS@(DI8Z:V_1'_j@=q4SI%F)oecrDf;NO04ahB+TCGb6g<TIuYpCV,9n]1(kj,5d1b
%!.Pd>hti\<JpfR5AjOEi^oo?N.,43BduTe"9BC%9*HHfBH&r4pb-*jIXAQK^Q0;;a[7;?TmHW(%&Jt"2NW?=-S#m,s/jg#"dFFu'
%EpL37ddAc1CS0$[=O=6O)/VbOU9u+KhhqSMBT^9</gQ5T[Mka0BEi/L0t/s8<#2XMj9]K]_BUmKQN@=S6DUsF,h`8r%6mkhNe"'K
%LVgIcSM>$bfEpXA+M4S@rZnV`)@VIqT(3Rd<e?dX3R]]JQM2?iKiH#j:/jl%`lhu;&.NT"TCq0f+DSbB-QN1U(DZ?ii;S"PmM'Fq
%.YkZf2f2#Kl@+p'BIdU6DC]TnPNqNr[2$_Alh25>e!oSF.h-"<2oX-u;<d?W9kc-+e_P-t@)DG=nrXh1b0I46Bmm0h>[t=V*umOd
%oXhDa7T0n>$)WBI<nsLj/J6mAcS$Ltg\u;)41-<=#7BT\r;RlrXD!\UXZ9-M=&lnSCTet:O_>h`>I3o*hJEOboi&>;)C&F3i#<UR
%Jk4jk`\IsIeaMs<d%bt)8cuLj"G0EZ[Q&j,C(JsXWetF]m^EX]SIkj0l_`OW\9HB#T5'?QoSm.>1F31=10p"D%g?$2'S`-g@-lA^
%E_'JMdEa:A3:+$&!&Y-I@3p&9-e.@`],[0]/J(UDD7QFlQCeji4\^Adeo%>=hJZ+RN:HE]F%CcgU^gW$B8KZa>97r0/U$CHZl.N>
%>8NNn1"9@Nq!EH55]uu8J#1:86m.fB2YLc*1eV,ThDL\cPfooCP#/Dk%]\CF0UQXo's,bIL#O"kqDbPEG<df*X]lJBs%.Fc!XrYg
%`O^mm=)'J)%t0Ha%rViPfqVjF6FL.ogTQ$d]1A7o6:O*.gR-qlN.@ior$)tkhhiP'>;OXh2\$t5fi0RSbp^+H/WurnQ*S-;eT>E#
%l(Xm%Ec__30kcb#8u`q,V@eKNH)mI5&^\;O3",bkXUS6!(k8!+rJ#(6^Pp73=!T4;SfX>/.3^?>/]bS'ZfWZ`5EF&*P'8CB'!&l?
%#c2pf"p*Ms,shQ7![C"&NiDsNXUhFua&W4Y]ZF#`!AAo5!C7C&aQ[p_2+K"]L-lZIrGLa;&?j:9i%V$42\ZXc:;_,G;=lO,^h'12
%&"9[FF7,C;nY<$]PlRaPad/+Jm\j##CtnE8\Q_B*_US!+ELKf7Y^>HEhq7\5A&nJWXE7*Ta5ZeuTql=9du-;[I5YuUk`)6_WXeP9
%2r<aBZN>=_R_&SCk\S7QUF$-Kml.+*#"*D[6U.uZUNBUjY83\*EHMNeA0hE:a5GlH$/HBVe9(&?&\E2h)`k$NO82K,c\(H4=+HVi
%rsF6moOmbkKC"G'-ZC:PV&C!l-9&>Z,s\\$)C,QWnU6M4;"TT=T0+]iSN\u60VBU_qGN6qTX%ej@2"aiVd]BMeU2/D@2[i2RRbrG
%X<@^K%4dRKZ>Se;Wiq`>q0jAh%lpDM`,]GV%qRH$fP2UoK;VN?eF&ArQ;W%nhL+rX^^T5KDVb,;#F^^*cU=2jUg&I3K%fF.F-f5"
%nd(5+(,r-_K`e:UF\.6od%R\Pf1Z&fI_()[o$1,9MmkcHX,F^(>J2?YUF("MNk%VJ_JhHaJN8/WqQ7I/OgPeSNMg4@U:]517+(pD
%Kn:<=/F*QdO-o-4ABH*L)^5%`GlYQ?$sT"4'*W#9/knl%Z?@S\&.,uqi,_##%C%bJLftW;EgoFiTjf_QYmA_B2E$+MCZlr%B`kIY
%m7#7rML[M:6iAjL)a0l)1t-4b+&$N/p,\QA/VXm'<gULU5n]<ghBk-a-q_2DhC1Cgqg`lsAT2k@_hcUVb,q*,2k,C&28?F=i=*Ze
%q\/2@hF@L;=cIQ:0[e\C?utXZI'K`G)0`.2MaHcB<aOl3/Ata_Zd\0tg%5jh!+s0s;>0_16q"DA-cuOb[UZH&^Rkc,*q+3UD9]_A
%iaC([p"U=+Y@ZulQn^*mWG]B"nVrS=rAX\#A./fh:hpG5PiDT/s+iTh6WMYLJU/Q'^C/SM%3c-&MG4du2^fWJ*J(;d[q.3qnuKe&
%55tIT\)(@sBK7NtW]9k+/%LOdH#5_gN6tjOGPl7NY#CMM6%@I[7`0!*o6pqU2,H-+j1<'$.5mE&!Ut;:e[r88`VfUQM!sjlQp/Qr
%6:tF"K.+O;6Ieu<_QVeoonojKnn@`$gdP64P1b'O&u[GM<X[OjMKAuAFEE?Me<u.n^JtG;;1k#*#M>76e%hD0msF5DFKm9k!5YUM
%D`T6)AZ)1i\"n2T.@N'u$SYj0'RY52^LqFT^m*d`b7CG>](0aiC7E4n:hUago>fiLNCXGm(^.mZn)E^=FD'_/`"k[QcVRN)DUWf9
%]sjS".48n+/%;MEp?^WYhDKCAVBoc';fqtPl;$J.%k4k^VUWA,!+=]&G8$=u6*e1>kW/KW<]Y0t@;rV__dGC!9UX(-gru5n7@p%B
%QA%U-qWZ&7`Ehijdk:Ikoq-$aMQ;@6VO$L'&?#!WlLhQXnIN[FI*aE@i,F@L)s&`5kj*t.A:sr[`tB,^^j@$dJ3Wb<MK?E4bs`s^
%gY*tTOX<tu/!bFla"3Zpk09;S.cg&Nk^=[U=l7LcA$[Gp_&[cN:,6oH=fEe$qs<T.*KKai4LT\q>#?Y>kNe8+GF8Lse!"`>VB[d.
%o-Sc,*qE$(&d"mciZJ*PO=$ZYn=()Z[Se;e+N5-2C2iXNbNB_#'M*.J<Oa'/7D3/GHfo;#=LSd`Or"snq.G%)d>nXsV&k1U:Q-$R
%nJsg,N$WdoD6;\MaT\q%X\3SH9_.*na1s0m%5E-I2H!i#P.mX_KbW$H9Qi5b]Sr%k`k6HO;Ic(KK@>'*aB&HL3jD[6`XIkA0o0`>
%MOmUp)Ff`YY_YF[S"5MS)O8!i/t:I:bSDY9JZPds4B!G?$qemOEV-!Q;HLT.Q-=t?4Cuj8O22A,mLI.U^9?"Lchd5I:9IJe0]jpq
%Z>7gFc!]^/qeZUAl=N%)6RYdcDF_p.Vh4gSp(%E&DoAOB6"=(rf7(u=dhj>@_5M#NCM;tK9P6fs\<N!AmR=22O*4ct#o4WK[O7H/
%X<m=M;jrC.qS!dc9qs1lFi<OmA')kDSG2JFZ[EK(=DSK_B>D\Mmmi0ZQfge"TDa/-SMRN/m]Da#AdS'F$EiU[c:!/urHed)_AI(3
%@&uP0-;)S-dsX=qfn+GQ]6C9/VVcr(%-M.I?ZCkYf:Wn=X^kJakD9(b2bTe'[dU#*Gr(3`AF-Is0Qs=dU,0%nXlGUp[/ofd,FWFS
%TqX<_/J0If!4R)d\1C5YbVM#8<#!1Ld1]5k,NafnY4\16!'Sg3W.3mJ)D.Qdl`[WL19aJNb-8*noqW>I@^])=fFf11"Vfq,;+bF.
%VE3NeIlI&O#WWR/1"!X*blC2RSb:P7DX75E%B`;UYbZ9f<1g,Wmbo_+I_hSLjKhC_$b%(r+IMbuL;VoV6AtP`6/O"-"tJr;k+"42
%$i@Lm$Ge[LU5a*l?tKa&/S#;2K/6GVfFaf(I6.75;'?mukZ/QSiej1M$;h&`eqfoGH1)#r$7LA,IATK7?EO+0fO60hH6<(cqJPcb
%i.nbaVR3Lh>WB_?`*<=6)^@tpGMP[!<pf[8(9p`crPosSikOYgiRCai[k_mh@1Ro1Xg["NC%"(X!Lf-6YMP&b<$8`ul',;*/>%fK
%4/R]+)i["VIEQZDnB9J]N(f0'L=+\2_`(+XXMR*-q6TEN3gn`oJ'28Zma%#EHbWdqI%:npG,Wn*:Ea@u#)I);Y!A&9*4bW^Z9LRm
%W]J\?f[PZ&IZ#>h\(g`p\#YL(H(utIYI^K,au:;s:cQWAe,2DNp4'PpV=A$Us%9+s3[pYLU9H9"[MjCO4oRQ^pQl51eldWs9*g`V
%L.jAgqsX"BDM5g7D4trZSpH/[=7!dXGNfJFeUQJsi);;X.hAG/Wb*abJJCETpFTGZ_8c=s3nALlIc9C9\o/QR8Z=5'Ft6/*bm%8g
%i28Zh+8*$@lIjT*F"t#Z-_1V[bs@I44)9b7:UN-j5EK*3);Qmb)/2n94Lqpq04CDEIXu'ZA2ZGfh]Z.WSs(bhbh,r5QP/1+5019P
%"]FRf9sr6RTSb%S\VQc\V[1T;639Icn8>>50'[Z8r\I%NZdkH!9Hrl8_G+@rLVQr5]?Htb>Y$sH3E*Y&<CbUpBQoEN.T?K@QLO=`
%XEq(MAqdaq8@d!hIL@S$-*Dtkp!pJ)H<d&;nA!;@(]P2#X_@'@>sV4kq,:(!M(E/!:,QcF[-2^olN@TB4[\R+>\sP@^)FYMJglbg
%+Pk=SZI>>Jh2lhd[l6G4e,X=l^*N-*I1lZSC]s`0_)f10J%0YXQn&`KViQ^ZRoF0'@;i;V`*CS;3duGqQB<A]m_dS*gtWT=)\h5B
%bX4WHO!EEsI>,AhiFuP7"-uZCT=-7/GR(<I?D0i+_[,!%GfRDOa8,GY5O>g\n:M>*PCSB(RH;fF/C=1hc"UOUKL+?*^]F!lo:h!O
%qipm`JUemhF58ngDk%K43Zp$>1kbr_D:[.?[%gqJeosG%""\R(2fG*K7\-/%fVb&&e<`.L!k\13dh@@-Y&qZ5&iEjP\Y>e*TZoh<
%p?RHJH66[YrmNP>?2@b%Fh9['(X,IfQ30-8EKo"*7s^58:,hRLd@!u*qce01?=mh=glbpCZW!dBO8N*A.ILfLnsJ9hh2a/)b&qcN
%<kJ1_=*0Nb%HD%2TR9OYGN376'<WjMVr*!l>MR7po;qh.Whh9O.b;Bp'icXl>fIl74rM*7dt8WHleaKZ,#9P2VjJ!LEk<^Bp&JNE
%;Mo2_WnAlALk:ROpqIo+ek[(SgbYX,\R2]"i$+.4Q"K5?h:a;#IZ8ZAV5k?uWbIG!1(T,D</*=t=N@qdhgmm8MCQ:<O5_"E&"4eJ
%T;)ZQWun6O,S1i]JF&RRjtW@haq3$4PG=JL7Ot"CQAenD95b[mR&SE%UD"RNnCeIDAIso'a-/GYUSWRuC#c&Ai#u*sW<M6Vjg;$k
%==-tbBJI:T"\,_%'pb?cD+_SBC8`VHp+D8K;%F?^^%3kJRmOi5p/$?9!RaKhL/"YQV>k(ID<Tu+WW$5u?T]:OGKo5I6M^P-!GH%D
%eI*&f*GX!qm#t751C\%7[Zht):t%:9Zslm+/_=X?O+`.kJPb1kqs=T0B.JkoL`YmUl<@.j7NK&RGr$$OPXUt*WfU7sYi4aP!\2rO
%I]%J#YnUdbpQ-Y(QIuT@rPmiWGls/mr:osB8td1O]'W`'bMT[n:IEtcAo.ts+UheN@`V+6H*1A\81W%M493VggdfGgRB^molF[)n
%*GG0prn8B%"L0%(7kRg*UmFprknQd!jO]f*=l.d))[C<_W)(IS\.tMJ*516\gsN9j>4>E^U,P,N*bJn/dEPbNO,ZqK`dJC:[.,h"
%IkC&2OQ^'$#tdrsF`KGJM+.Q+#H;BS,dhB%MVkQWIUb9NkT<qcl#[.pp8r`a=guE%B#m3t(jX*knNc/Hg_*4YJb!#4DDC]#a^M\k
%^1dee-'_U9M<U!?Gn8-+MD0+CM80)PYC9V]rp7tGr:U*cn?7?3(]V\V&-)5Crq8#FplGI$J,8&Ps//*[h&l[T`kVG`s7d+SpgjB1
%^\YhiIfJq^J,?)Bq(L?d^Nf_OYQ)d!s7lH:od,$slp$!u?XNinIsq:Us*gC8bEr(eJ,AedrVPp(hr<@>qodSG?S7#&G0!0V1W@tA
%^75uF9"tkMY^ZUg*SKK3n"5A[0ZP#[Y^?7+^HdMj/Y:3=J/`9,p@d4rXi37b"2+Tig[A<'[G_ACaPqha4$256Wo@M,G3QD^b\65c
%2qC$8jm*+&>W&j=k'_aqJ):!"Ss?]*>"GW[Z"<YSb\ScRB'ohXW#7[;@qIQAr:g7o$NK*Mr6)kMj.H=KJ,&Q3J,%?>q#)<7l^*+o
%1B!V0bHE_pcbKD$s5Qn)r.dN7a"Mr9Q[efI5CWOja1qT!J,2;\rUV]Bj6OR3rVE]\KQY?$I(&%%.5S_&W(AdgC:>cXS;Gsem5?ga
%U"t[Zi8tAdGr+m/8AHh(#hR4kc(cumqq$aU]<o61"<(LmTKh94D`B]&n^7anUN:2@m>emTBZBW6"aR)<`+HASWZ,6Wg!0D[]pe)Y
%68b%JUesA6^i0)+/XbV!%oIl6qmc9Y4U?-S:nE+TBtmAkc1l\%T)@8TX4Q7uW:.1D>;n5a5H)dV-i!CQ1W8>F`8]LOlQtVpRt(7/
%Hm44ASt>r]O-qk,eBF\&@]d2Fg#cW&3%iF`$kB:U:X_!*lLXqr#+sM:W;SM:)N*+`p3"IMjnKrL1M'Sp7VU)TOQPZdAN-%sAB*&'
%h$,VWSh;kkbNa-N%]A\0poRm$MlI7kU!WrL1Rj]<R6Asn1,_kf]_;?]]FgeS?Uom[nu`c`M*cq/!1#?fe?q7cp9WOg/Da+H`jN"h
%bf8PL]/"5(ZaIZbcNjpR"QIi*>AIgH%@E"ccQ/J.[<+Unf1*Ylm2f0>bk'qnj?bZNeo'Q7!oln<`f)n&B;N.(L7.f)^\i'l>h<`!
%4I;7Yr@C9hc"o<&E>JDT^b3#S0J:'ka@'!%^umTIRk7Dq(j"p<T.(7ri%HJPAu)ZdAhDD:2?9R[:]<:r.<5o(Hb2-;2rg;(o4KtC
%`'NY4#G#"Q3q<9QEEoP>S'b3/bkV$X-]JF#<&<*Sks^-bi!obZ!9!F[Og@\_(C.JBZt`]Tf4OGp-q'rKa/s<mc.F]+<qc=+Y9[&a
%bag?t22c-!g8S+)ouh?hJ(&UUbL#F'HsAJBr+"$U0iHh@lF_#)EH;Xdf2gk;]>fC@GoYe4R5$kBGLt[;e:.ngC(@Ii#J%fjq,VM0
%GGk&31k<<?Qan6%kMm<e@#V/8*;kOq3L#FSNc"ZDn)[ZESPPT=*L:Fi`<@u4F$o4":h=!sNaR!NBq:1&ld]UK4id2T:1N`rVmWrr
%!4RCS)"NZ(>VUaf:O<t;l\2t@b1oRNkb4>X1'Y=u,>7Dn"3m6R[E<+s]^9:5?7t3E^2#$1`4kkR=/Rd^U>*gq+`;1+Sh$ra;kNQe
%N@T1G4T-sZR9sink+H>B_(-Sfh3PJ;@)TpY=HMEWf.Q,03Ie37CPR7<Qic-n*3U=3cX3O>brG"-LE&rK8Dar#rqUjtD/JLbil9P1
%#Ok'Q)9467egg=3iauLq"2'XUIpMI8N>XstNV9thYOVg[2&##2V-,ZYqgI@\%sQB0Z:r_IcaCbgbOBch>d4^he;r!U\hCsI>K:Q4
%kkCqH_?\o5f<SlTbLhsIdLgH?T1[o]Dk@GUZn`p4i(N=K"79%R#6uq'3.IgDqh.pCjjUgkLD`1gM\3gVB"#_:DRS-UAi-V$2d.9P
%N)jqr>9&]BE]j.U/r`T.]Z&/Qju%%JE=BW-hg!g.:"LfS9s#aPe%oXIK)[j^ZY"AcS1V*u.eF3E>1S\qSC-6^)?B%VRVpqshV!VI
%6b0H3D6Kr)%^M?Wq.$b"df?/*pADs-Z2]$\G+kMQ([dbc7UkZ2p,5'EaG.%%Da0QcMLAJ"W&(RsN)O_#aO-Apa_cShYD[;WlRc.4
%c&Tg]]%M2iF0R%gj-PNoO(1BRro%1E:\?[LRTX`HpId:\<j^VXDVS!J#o*9oB0WNBCh-3L3[2O!4B:lu",GKNI'IUJi)^`=:Q+OW
%IX,+Qa!LVe]J4;nr0A&O]H3cD-1ABMHP2*s#Mg>,^!&_RqJk*""4PF!g%*X,SDDMiC:u!/I'!II)Ch$2b\Y3`(m-<@D7_fLpLU^$
%h>U[(pKnj>.RtPNN(PG4bKU8DbI7S0`q`gUQhMeuaAA<^SddB2[o5-Tj^-uSPG-D!E[/dfN>pO*a9F^[=9!8U?i&;NSiM1JY!K,9
%l?$]Fn_uC^TnQP#n(<-E!XTCs4T0iiV[%c5aE]Ep29J#g9C@t&*9Y?49bfHn71]A1<4qVOd607QPN5LF-*(nkC8)lQVhe"tcf75$
%gD^"uUV?Q]eo5Q/"nnZf%tln)7ue<.-bm&mS6bkE2uc4LG(ua(M5$Xj&Mi'q2ia?fiT6aa/Z^!F^K/(oa(]k;^4R+g]<?u3A/4m.
%:)D07/n2P"-/GI!6Lt-O/<:Rj=QEp7q;5a9?)RMjoq^A%*LrSn;gF<7a4o^de-R.)\cZmq45]^%QgS7-nG+iR?3stH[f3JLbmRkn
%&%IdXYDSo%#L0;)Md^MT5+j:p(^ruEZt:A.ZPNiM2eDJN"5V'jWA/o*iTt8k[5\mMPNFMA+jebC[Da+,;V[YK/iKJ]3r*ts_SbZ6
%.$6l]Ta(a@@tQC?p-QIULIP:Bnd>&Ta!ak^^`KUiT$oW'lV>.g>M"n.Ge.=h.)]t7Sn4*"=uVn[L)]7M>b2"<@qj)s!%-;XJ4kij
%OZTVg$aVHY4"Kkp95^%G^=+Vla-s++`*O%n_:W79(ph0]F_PSCjgY:&D9BNAWbgD]a:Lh2/jFf1]_5d`LH@KPmI@`IF$M^j^N/H-
%]-G&"'c&)+m1.BSVrBYtrY1_Na2?*arqhQ`e0LLU#aOeDmDgjA,SmDBNH_TD7$3r-eZt7)KBWAE+2H=\]J8l1Ce"6o7&@Il'ntb,
%nJX[\p2Zi\T9q-,I?B)OSk>gYek6EJRfY2XZg\7O=i\iEUjMpA.Ij==epC)b+bBH"QR9?[AKsZic0W4*[H3QM,<'&/HO\psIVlfC
%k%lKe2GJf`VJCF,HgPVh5bMWR!Q%oZ!ROb7j_oUSCe^o^<6a'RR8)GgMGb2bMEneZgc2'PL?nqhTMOg@W[$[JkQ(sf<u`/00N3jm
%c!s_G]b;nsP]^J2iQ(TCKR\<$+2?(mr.]ppq;5$T#6q:HGDIeMR3U@Vh$`/q!Zgsj<U#N.I5'F5s+,BInopN=oK(pk]s]Zq#7/;P
%3sDr']'UWY-,:VlNs3sn(W1<<=Ph47E0'3MemW9W-A[j'=dFWs7e*9oVBino)a,rY=[%Adn2;pEJ0UAoCaMP5Br$XeA'%E%64U2g
%QdR:r"!_8ro3E<I#eQ4aBa=`PmtYfCmW7,Vpsj;+.?aoa#;9IqLr%er"%cGQ>@8Mkp?P2tcHB=/U=f:qL9$fZQrMajEB+?`AO[>N
%2``/NAL``*Go8'rmDeQu$FG5L<%]M?KrOM0$&7Q&9c;9#,h&caDId%iN.T!Y\M"HN?AI4hF77_p-U84orpK$:eOCX4C%DkH4f><A
%Du)5$(&!B)+g=toiW!EuJBe51f6>^_Rf+*"?<hY]^5Qo?2eH-C11P5=QOj:G0([tI;=lkB'$F=6[0QA>Le2'Dmu(k=ZqW?_d#2]<
%a<##G;U*8"W-2(S`_7ZGC.qB2"e!hXTK4[MYC2-"f]bIqMH8?GQ0-#uN$dL(IrD\J]@8/37LEXnZ18o7'>*=jC%,5Vfjo$f"t[u?
%,M+eVH#a?oCDb[ZBJ,2IGca`dQ6WDXJBM1@lcX)SQMjdk=QT3fq\XY[H87XqcFH/k#m&Zdk@&#L[ENcA)/J[sk+G(%`6>@p@)c*g
%O6F\]HoKb/Z,J_hjq+!K6VAID(4XNF)Fu*NG_18;NaiNQH9?b`K?a=OnMK,sk!;GhX1N!9j:G:TO^6B8<in9$o-b)m0Tp>aP<Dpi
%a;>C2b&'@.2`qL,#Bs\IX=U#0matH"^0LX&m\()(k3asKK*EY-.*>"H7[_dc(d3B=17HC_!N_l,k.3NVW2aN]dX3Q8f8Zd\,7t*c
%$1"&5fm@=Ag"QX,f&Gl+VJSBhWA7Zd@%WKugW!^o!QO1?\/5<tC2ko9U4NS'0X[=.)#e7(Ye@Qc]G,8&M>Tt%gO7iBH?lT_f1qC-
%YX9>Ff3Xg>k.WZRI#5YA=0CuMaZTU.`9fCq"#Ml2]J?m$p(R3MLN,K)Dq!7&p1$Ue^h>Oe7[<#]KP+$Io#npI1JV:]MnE:R3lh:/
%55%<`_q[<Jaan/2p_ao2bI@*)^Q1[9^hN#+;l`)Mle:Ud!T2l,2rmFq1n*qQ\\s%ecs$U*1(GC<bSpB8\<5'Y]+n0/o^hh_*s/p'
%;I.A\Q^7:[ZBLXP-B)+)H%@qMDd%-C\h.c;VHS@Nd=K^R`O6%pS6o%Yog(a\J<OB["CLX\@aJo#2u5^b1G5#S/h*Q8<00E%cf/#&
%/q6<-]Sc,A`Q(gjIc6t;/jgM9a)$T$#iTi@3cZ]VhM9;rd?sfnI=EaKR_ZG5*l0V"5!\e-jA4>IN/35,96[Fn.1mq!"%htN(&#a$
%oOR/6&J^b>BG">ngYL;BDQARGctg7`9.TEFc?;.dD+t%X9EZkHd86:4jT'C)Y@7#:OEIX+G[&:6\EpJtk("$VK_dem@.SO:.8u%_
%[$T]nW0bb8Z;tE)K+aM's6.j=2<c\J7>#0uVgGZ$]3#$*A'0H[,RJalk2C%h04SI(?o-O%nLMe+c%dYun6=Jge;W*RMIOMdgMO5h
%P@L(dr)P!&`WHDd5&`C7=*]]U4sQA#d0g^+&gYJq_D9%o<dq`,KJ(H#(sJaF2>i5"/oTY3a"NLGo\n8KfHcIrb&Q`mfVT^u[);&#
%YYcH#e`6@MhPuXkqY:+NT+t/Bb38meT2gYVm<AUp*1"WtolpU(*7r6+rP8e"3XdCnikYqHE*/.Gc+sj8E1)m3F>,Y!=4^H_1bD_q
%n's+nB(T':Xc'>:R6H;/`F$*SNK^RRfXaC^R-Wh,e2,DWp:]s292k>*gng&nqJktR3%#cmPf)bWE)JihC5;ELiN,/5X2bnKiO"%n
%g#%4.#Ck^r>9(><K>[9O2Of[1nHGRZm'HJB-\8MHNbc=O3rC3?U'SuWK[`-Yfsd=Gn]TsE3%gbWATh7>Vkn`Dj6)K^r7*pJ,_u0V
%+jtXlM@L6J1"LZ0bDn=41"n]YL;t_5(iLH?dpif5N-69fj'rdON44kQq([mo7f;H1^dB1%OE#Nd:)l&-a.11[IcQkh3G)QW)4E#H
%.C(snq5i\R0/F6Sg+JZh45%LEpJQ-WF7YsRUkO6*+TCesZZbRZRPDe=cXlPakq(<r@8+BMRuuXg('KWR>k-#;SmjULU@NF+BN\Gj
%^:/U!nFQ#UfspN@>O`aU9G9$aCBtKdf;nZK+CjUF5he0Fd/nsP=mC^G$%:ZG3.^is!71=chHUt,.Y2??Vg_U\7IZB?X2o'f".@M/
%l-D,<[I;5"3+fl5kqK>6MNpKcXXsL4n:Xl?Z)Q//3]^(i\jeJ;<Za+n@qM@,Qa$pJeDZAU!ICQlEEbn-1ukO+Q-Ceh]]KWIR80M`
%6(^3gE<"3`J<@&e4<D8t%T7hI3&YT'H/0RNqtof[3_q)+NTBdgNaOa:m&-k#k((YIc6lFps(19%g(Afl)(5%8!7!E=`oFHoVQ%m_
%2Ogh"Zu4la&RIGIigF3p(QXa\^V3_HR"'1spo><uTpgNn[0SgZXq*4o)4T<i'aEKc\s=u]p!Dt1g`.5?06;ZGn8>bq:f7c&2N5g6
%e*\8QiV_jbB>0;)q_BK=*E]tM._(">nLH33mK;t#I65aRh+o"sKDR[p5X=S,,]#@H[f#UI$Bou.9*U&r5NQicb9tm9qK@,XbDS;C
%!(bUnf=K8%)6Goo)p+A4_\")7n<8J/a!AX@c%A68jfNgM/-O52]W[=cKpb+@!YSE_H5RkiV#_pXYIWZV\9=#@g-er-^5a#m![Pej
%qql&W-h(Smj+N#C@V^dP22,1sTC"t>i6iT?&d2#h9"`U3+Wg\QJYr$_OtP0F2DJ_$k5i+.L7cpp4a[6qX6eP`"j)PY-e+6U04Y_1
%dN-Og2tMeU#P.qmLi"fsWTu-Z;&kMSJ$G"^A84N9&p']Y1:U7]^&h.gW:9Q*?SX0tMXc@Ki_m%?K$`%35q63IW;sMh%=Zsi1*'mj
%M7?]0S/hH'S2-$N=PO;ng<uH7B]=7hi%#Mn:ZC12fP+W4aI]=7n+$#L;OnO^+q$FLCUY"tXp=1M9gT&[>^?ANWrpRY:F.3>q2"o>
%p%MLWo>N/gI<!?0)3&?"a:rj9bOLiU!NCmt%*r_sL&bBpD,h\[KA63c#'^8qJbW^@(_d<C^Fq>ii!)UP=Ph#H^OnqsgL:Wr7btj+
%:6'nX>NM,E8Jo@GZV['g/SE-`ePt!e=%p:/]U'f:9%q<m$LhC\ePb:0;@E-ecjl[uh67.*=bmdh.E;_sBKZ(a_W57'i!*gT0CIpU
%%j!I"\E:Cn6)SI02C@TFVSDOOV!;!taABRbZtXl^,Vp'D"(RE5XDcp"RM:\*@%:Ml.kq3Xr?b%9=SZ*5rB*6Nan^-CA@^\0Opb'Q
%NSnNpZ`=$Z>:%tIT&cDtP<Br>M>)%c*Au&A0t<Vt^)$X4f6LfK/Tu/!$"0:6EX=A35ZmcdE$ui,%3lKq>a<)-32d2(92K#<D7fGG
%RBJDVN`YG)]bt%!.;A,Lk-RN8r,$Y/JYshLY4GLuCsJ?@s*#'+O*j[N2lmId[.jbZ\qjr:Heap(mb^!SJs`VGgg=7mb0J:bG,EL^
%c`P0_bfrAg@Ve(oG<AA&pJZ9/H'$9s73#AWRKq""CR`%_X2=QR[5\pdQ_`A+DUC8;Qraoj]PA6l4#)2cD-#7A#uk03)-hQ-^&q=9
%2_9d4$::3nHH".t`!/J\K:>sPn1=-=9i(jG';qO4'QEGl'Ia06nN=Iu)DHM`W<&b@5FueUc#AoJ%=gHRVV:Mp)__?5U23Rp;[W]I
%!%(Jk'`nnk,=$rAc7C^e:4iaM4O=_T/o<B!q;"3N^p2F`h7H<k]9,)h]3!loHG;VYL2qIEl`ua`hfO]=imZbkL(<Xki2DCNnH"Bc
%ZZlK<KH4HJIg='(q0.eM.-XU.47UkJnrl(kiJEPtR%=S0(#T10YAL':Hc]7j.Y<R)+<m=>"g;mC%c^+QbsOd-j(X!:QGS61aG/_M
%#KO@E[F]R?M5N5RR'4bS6aI\bep#pk8f#:?]!7Yn#nDRDG2&.=OW>Wg+mPS2of`Q7#n0Pa(lI(cC&k@q!9S+:)XP!_ag.FD!%%0'
%X$/p`j/:Q+gpDIJK)H7cXA0%On(ZiAW0W0]X`B6@?"GrEe$`MPh2Pqs^sc%&i#/+KZW=G>Rt:"Y@?oE-h&REo^jH'><(Tf8[A*?q
%ke#%h8kht#<[33@1)Q-JdQ5;SF1$k5n]M,;<W/hX)Jd"-7RoD@=9c\A43u+3W[78*:YnC:\&G1@/]f"@d5,0$Xq:O.12]LMee+iA
%Fg<E*]L*d6q)s$9btE+3eoD@b2opsu_(u+80,R\[#V_R8i;k*Ei8LBC"YT6V35Km8H&R,D==,(<"%hN@+2"`+q1VV2'0q@ZMXDU4
%H@nCteS[VR)16,t4CDC99P0R`@(qfP;D'9r1(rWLSq9YlQ]m4f@&mQa*@$rpK;'t&G!Sn,j7q\nZ+Z]rR_>%W?<!XP[TuC0e0QDW
%1N&,M^+3;DYHNH#U!sJ#8\0blbBG'c(sk8*JG-X63]L[:p?!r("s]$.QI'>GB9_"Pn\p7j&[(ei^&]@%*#.QUq>;tS1oINkrj,^)
%E&ra/EWmdQ7J83VVSJ8G6*G_N6lOgMd];Pf^9kG\$V_T9@@"tOqsSSO%E,Mc1K(I/mhh9sn$jPumttkaR/%2dKr"SU,>+NM3E^5N
%I;o/R&#aW%-S;XtQY#:M,bQ]NrmnkKnWuRB`0jqcgR))ThX$h@WseOrQ*\Vh'C#gN,4/LmGFH=A6f)XnM]l<k0*Ogg*B1;^I5/&c
%5'3Q]\s)"sTFktEjA@,1!?;89ldNi"l+Rm4r4SB(1"?\kla,$HLEVX`3le(-QLt6[*7QiBh+4'Yg-05W&:qH</hVn*Y$9":T27C&
%@%dkA(3-6o3RRY$DPTTT>tKi[:9Hho9[E)&!)ljGQp&Or=-l%q]rl*ofa?X)K-l=F9NPag-u2iC)fAT^;KK7(;KOdSC&tR,d.o",
%$jOf,DCM7[A+#IKWCecC!Sfa!n7n;=N:]Pd,9puSf5tb=#I>61!dC]M@$9t<27T8qKOYO?K3&7n\L0NAi&mFV<JMYV0Qq^DM\.V$
%;^kj2^O:VHmb8I<.2kAHmb!JlkJe4Vj,Ap]66h&Se3h?:[Hf,`#6P@9(=2olNKtl5-!OT&s0lb2MK?.4_c"dZmbi9F<afHNKm(la
%@!_O^Y9_o7O[lGQk^ICl]u?,#HjL#/6gAq$`mH[SHih!gXdt!p1lE:q^1c1k;R-QBg:gn+d/D*4TF?9h!p,H-(+6Q`rmV&"W:R15
%702>^gR?DNqJ($Jl@k:,V2HE(mn#oa,H//=@*i^EeI<`X175,q1^D\kY^FDgOeL]<<TZ)=AM((7q&'>qh(DFE>DV0Cd]G@"o+;k+
%.k0r<'j;b"P7*R'@S<%<9&3/5:`-<bjEJ!f4GH:D,G-h<$S-^+gKRu]eR'8EJ.r[=Q8"MC$QP]FP$.@E-D<os%(Y/Ul<!O;/&aE$
%cI.!K/!ugil8\#Q1sK$W5KbFd08[&A$%L[DTo>@,%sh)mh'pC98[(?:94,L""9)22U_p:.b::Xl`WMgdnlDZ5a`OB]B9`nT=#ehI
%e6&NA*2u2].k(F3aS.LN''#;c3\]+rAJq)IpS[,5"(P3$,2!&8SYT`O:>V4Dj)Y!^6&mpH9phlO_:XMsMK:cr"gaG,AlTdW&Hs>>
%Pj[Q&kUd]WXV*s/fd%YilmNnePdr2kZ?]-\=.>)WU+g%,rkVPqWTu7i/hNok_oVGr[)'.ah3:p@X"L$gg(o1GqLOL_m`0H[)g^Hh
%S3jT[XZE7ESS/+jL5Re^Q$X!=pbWd-$obN"Z[tCG]hWT]VjKfqHHk^C8\=QRYV+IAa<,8')[6J<X="8bKW4oUMUjD[;-%n[r2ErZ
%bU!Bng"r(\9o[>8Ga.Sb@NaS:-]d]!&e"CJ*^t$sj_u9PGBe+;,&4-5VLStc_UL^/niooI::91s(E,qLW$NcT9iJ7e6B_QFMVV/1
%i!jJ8kd\JUCB4^Lp5GR:'O/\`:/[9f+^Q964Yr'=fu#-<?h\_srqAQ2+[$CYX5CV]e2iTV[Oc:uA-VrpJ9e1E/B4b`R'!@'MH_Z4
%.XUirK/o7>Ig9n!fI@q[W0e&2AnjH-rGRTd4_CQj)p0X3(g4p3'!W`j9n-NQV+L&R8h?.4^s+N-?WJcj;_mXhIq([lbTS*A1>Hc;
%dY&i9!Ob8*U1VViAIn.9GP0o(#XYklIXqaVmm$\YnAQ_+^D-21-3BkuoEeE-D(6F0jb0*d*ss7ab]^<&pOp%=B:sTSc-,Or<YW8J
%+k`_M&ER1PIrE?.GPJ.ThjnM!^qHV^5N*RY$..[H-9d^.2ZNYM=@UbIGE`0h1/sKT?-K1YNkT9.qp6:!9NaH!6?VKE07-gP:bO=k
%cG4/<PrQ+eFW0s?%nehr`c>3]e*=(p@U)5o&35(q&k82G!+L),U7j[rW<smB4u"UVXb@4jbt-Ar?s&7p1?k)u%''DL2$MR%@ld5H
%:OlR5ijJFK$pGkCD+f3[[0[UmF(sD4"tuD!R)E$<QQFKUOH0lFRSXnnm^^Fu<`nGUh%De-eHBA/SQGO[D/dQuQ6eH4>J1Tsg<#=L
%,0h.SL?S1R@2ljoC,<42?0KPW=po6!CFs]]:UZ7p0PM&QGbhJ;!;qnd`Z-*3-s0`,!shU-W"D>6aeMlU^gn`,Vb8_HYlh5sM.PY7
%`0[`Vb)]mL0-uB-#8e"$@]qED&\N\s\.p/Apo-\*+Fpf*B-`7*\ri9M)moi`hl>:AWPEElJGOICZfo4-87YGR:*NV>)J%63i'0!0
%?MV#9pJ5B$=f(;mLic*9Q.'3Ch&`3o=G[i:Bi6)r2&ug[PipChf;UP7TL;j6`9d"%1eMniH7'4$0c3b$=XRkr"tR6/S,.etII>rt
%G%f9)6UD81GN47+n;PVY;0<@t\a>T5f2CW=TM#>SN1(H)@,r]\FJH.EI:lP:VO7R"<KSGMC!m3aRrk:_,cRICe$>/!#+Xc[bN%%V
%R%=>#o*WXI,R1Q]!tFM=CdIb?N"=8<p1e=GA=2H;YqAN=%%T,p8#>^+V;6NLlA84o]AmRX'LJ7g8mmDHAi@&#LEHQn'!=k:Bj]qP
%*,Pm)59eU_WGk\Yn$XMJCXSO7`A6)eA;?.7.<+ZU$"MEmVAnc8H%$2l_lNX-+e3TdFJG+jTWTT-Wm&s3Xs&#oisjVdc)KKo+6jSG
%V\4<ca>l8N!U#*eqd;8$^l>8ufb>-BLY)8D`#ga+_-6F_da'2T,GFTt4Zj9`Icau7GDL=Il4?lEakAZL6*n@^%&EZl3gL.BCTm-@
%-tpH,*B%kC*"Zcem`A1Sg+aGo8TO=K$-hD`2M:R)VR:?XpXUVRK)<?^Z;u0IL]@!gj_lgFHO0[V=*N@!MW]g-j==nObq$lL:E&(F
%bZEo6WaRabU1@eG_MiM:;%[lCiD/Om<s*8;@1!VWY#c+KFt&'Q'kJ5LpYBH?SSNb66nq(AS'[ntfm7N-oIFoc?G2-!H+a:s&D-c2
%OoDff9bZHt8]f\r"MR!LV9!*Y&1B7!m:LqWG/So@.LB8+a;R=kT1FU:2URqBE;2`a)`#^#fh-D$f(p-`WBq'Rlt#eta.<is0NS9'
%Gc!`-cu\#k8!/3,+,TPu:`P&K8:kD,4=6k7K_O,ugZ$Qf=!QncP)1%6$2b8R/Y),:HL4W`*U_no\GfC7TbIChI`!F/AI0nuY]_ZD
%fnA[Q)^QUI6h4XS7gs_*7e2^>a'O\D.r5*CVMo&Hj:$t_qt\]e("\D_m7pGVq#FE/dQY.<LVl1e',%HW;$+G7XmUhVkB&@a#l\&^
%X-Oh4mcXuD^38pgW*bINPME5O"&*WijfYJ*0@P7#lgL7R"Fe<_L1:c`iA4;dpRfSfoNTV`I,1T6CM'rh"pefdQ2odMn.a>;!>2On
%c0UhipQP2[mBQ6Db7]pTkon5ajpDrM*q^IUIPY>4GTWe^\N!aH=0hgKKm1=IJR(q(-pNit%(HGM]&E=_)ut@Sj9\V"#\GWX`*&??
%f(SG4FAKdL!1Lh<O4ugMo[Q:uiFu2["[U"pVVoKRDKNOpSttie*Hsb0%+6;jK#U.6B_S5P+j?N'WBjJjSSb0^.!gbNUs((S:=<-<
%&r3iC$,2B.[R)hj^S>e0)Y%%TQ"Y5p<2&=SFo"uqMa62RWPA_>a-'t>cq!$QLX'A`F0itm767W_.X&NpS^of*2mCBg7a!2Ua,D!;
%D)@TR"C(TKpkNmF?:?QS6XkT(pW<o'%dL<rZ`^u80`o[,U0"o"OXM/aT<s>B#s\W^*4\hs-k9\`_;)$NT8Qg50G5(OD378?.uIPc
%M2TYW7C3ki92s8<jCI0Y=@B[!leS#W]L<p83V(toJE#c/I$9IXX'KtER`.OUrCoA'9hNf(48mou<?Go:<^gJB`<j3J-?U.*Lq`do
%S-+i"`l?r3<snh&>djiZEftulI%#Ye\maJZ"#c(31X=AflLUs*!O66'P>4HO^e)*f&\,1V=H,-G15-`%-#*G7o.E5XR"c0>ZL7eU
%5m8rr2f"9hhR=m<N(lDd/(_cLC_T`N.KO5K:MdB%&sQOP-nDXE+rH[7FVK[eME,2Q@'0OX[&PoGU5%XTYF$l8OJ!K6_mAVn1V(]6
%ELrk-C42-(Iqm*3B:QXfebDhCF7:4Dh0^i\SJYa,S$NS"g6QGlj1=<:c2_!6;:]LbE!2`=BnE^F9+S:a:iR+)m#sbcE)HHEc,g</
%8Zk[L#'(G!)4;4)"hYOMP\M,Ye+l0-of2F]oud`+3-Zp4JX6T*KBU\tduE'-7D1AMasLOj(!k'3UcuSQIHr*/%96:q<PmV'O`_5j
%C!*n#"+KkC^;o[Rr"'*q@#$"R'jVHB[5#g9i)rDMcN;u^:=MHJliDdCqIE92$fR"<(%i5ohHb+!g9UZn.b6sS3@@m9FSS\M)a@G)
%B%^t(fZ^AfORBgpMnH.)Fi[WTWIdrEZar./>m&d!)I9pT&KAVo2EWG=@nRHtF(V#WAm:P/E<U-1qsuAn,;F7`($lQ%2^lO>f"!ae
%f8U1Uc$4*Z#?-%lKDpe.kKm=bp*_srk'\U,`>eEYN&Jdn:o!Mb'@P3.(9k^LdAp'Rc$u^mRp&$a8)-Iq`W6c#DgmPc_/O7/:^Zg2
%k\!Ul;$fdF27Y&lU+=n-@mI)f&*[&.ld\`)84_m[3@.-3Z5m7ra,KZ$;(^JU)jiOoImG3OZr!VIcGHGM9%QGY1!X?M^$l_tkY7nA
%TdKpeWQ</-97\1dSL3<++[dL#0m0Jhk&Q=:%<^UU^WfCso+BtD0G4^Ok+0#hRkBZP6ZU[SdBS3o^j1X+g#I=/m"^5D#<&_(nVF[p
%1fA:L9Z-@a`m7p2oh#[9rpFJQ/H`E7Cl3r:C6ti8OCP3*E?S#t2j'aa!4:iiF*LZ[N?Hd6j^8(ceXcf+i5l2+RfQ]rBV\6?oiHdD
%1#G#Y[rU&oD!PIae6XA]HYdV$`.!?Y^W/tLm2I%1;-O;u-dT!n%2cR/?EI5(^)HR(`>CF@&EjRgkG2<&C04G*oVa0SJo/k)ShD=h
%aCijiC*P*-[F"u#g>q0\s"Pk\7LH5C[8\,5MkVbV_'dnpmYZG2#4S3WTaD1fnhAAKQ--R<Vs("DQZ8rU:n\jd$+/3*PE#bcK<W3a
%peCZ%<MNDDi)t/Yf84T!)mET8\bP(N6N`+C?.lknY+MOjki#;-g%+1\s11jF"V4%T,P69!-#Nkc:A(_C2d&EA[a2u./185>Hm?K*
%qe'^]?<euA$E/4W(Bn(bI0l@\7HZTPcAF??-DtDG5:t'ckY&/FJSSVVc=J<CRqJE3_\nQg^4F#Zl%3;.mhH>!,E%Xk?r%+5)#gCb
%HNg_XAMH!dVDf_%Lu"$j`msm!jZPjA)91gc5C#p-k:6_aG%;3Kn?/O!egU9l+c$EoY;>r)@WXPK!";s)D$E$/)hfAI-Mp'R8lb-]
%;&j`;;%BDbKqc0ZAmgt,_;CFUN:o"O,#3aVX?Z&L`#1hp@@0k[ZFl8Fl*21M=S!4qg]lN[?PA]@R6]X/&G?j2>??lQbM<rXFO132
%'Of[$72Bn.@a5!s@X#g=Pn!Y$c"c$gl7]+?bH(V[*2JTlQt0C4MMm=pXl5<s\1!bE#Ces0i4Y38P%-Xf&n?g4LVP\i3uHE)?+_Vc
%/[muq)fI3>DXdeeRsCnBQq9>*=ahcK?\m#qV4UncG3f#0o2&^X5[cH\N[cE#`dVJ*G\pqE4*.H(YqsT9\nK8>OCrc++eZmkg\p;-
%AgkV>]us4/)o1$IIta<[7"4W$`GA&nW1c;Nj(>)#G9iePCLYA9K5t\sM-r+h*9SQG9b?`5^V(=dh\(Sa(eHkA6(iJbh&SJ$-SjR(
%n*e=04L,8hbekYun]YWni'&3-P"/"'"8hZ1e3%b4+8DH5Wp#RDqSYT]E`J1%ejfr2JLu60eNS"mO*oacZhK"SI,kYWGf:15j<J%-
%aD?<56(]"C7rIu5&,XH$5-hfH9^j9Br6-fY;pgZ-o`osCM$e`Cc(Fe(B.EnK[K"&25AC3=FTW-M!foqV8(E3d^;3YSiM`5b<*4BE
%@lPttS2;:IH4WU6LpP1@=cVL?>]J-#GgO>fC1eMd2BESnhS_L9.N_HD+@l*d#G$t^9p1-Xa\h<`/;eJt:H@X?4=IKTeQYd(0+Wpo
%n(KKdNL;.WR\P&N;<?q+&a-*aF4Algd,]K!ml;lr**%Pb!^\9.TgqhOK7;3Fl0(tZkp2pD:g/0AAND;#]dl6/BL89_UQ.rF&#rT!
%"fnELeUoL*;+'ZJ[e6<;FV=4*WdR#YK,mt1%XMUqg11^TAk0hH#BdDKP1icSm6RB3W9&2%I="qL4/g8lFQ^p^F_<SDU[Hs57c%!<
%n"@>fT[NS-k]bDQHdE']C'l$4#9T0;:SNS6otq$2`1s?l8Up7rX78d5nYcG5</Z-#Q98nY*q_"Dg6P5DbQl,2UUoSbL\!g<o0M:*
%TEKRA%6Z2"T!_*2FA!]4:60.g-fNRM`p-E\odnmEe9F-V_*09f*`ZfJEjTK@g7ugX=V(6m485\[HW9'S;"#u&clee?VeBon'JG_7
%^o_UB'#haRb*1uL/e%/uBfcH\&jUo`d_8(kX&-;p:u)1EFBIJkAQZOHGqJ.0&b<ngbkaBF*O>Rf&,Dmoa<`jP:*(6%mo5STj5kh4
%o>%.^F)Fb>S0O*XaS7d$K8rX",Nn9AT6-qc*B6h*r2:j,lH$P_?t^S6>Y!Z&"%V]G-TgnE*]Rm^3noekp:uf;i6r^7G:/^5OjSC8
%r]T`R:R&^@p[F<CGi1DBYocb8aYTpeaM'bl2'\Z-XA0t.MX0'p?#a:8ED;M,e=Xj`%ij1G+83dGI:V"P)7^"?mK:f06jZ%tLECc\
%&"M]>p@8=7q109/U/)kVeji4'Oh:S-o7#VN+5,[%UA9q8INks[nD'(pp`k.bJSBUEje(f7-`6p-._nnGi1r5Leg3:*(d+`;4=DEo
%1__#'(67)W7hpda`J:3L`)0%a6$)$OTAlMSnXt3uUl]TGdQ$Q1*&Td;C*#n,O/#=g8PeD5HfV8,E`=l@:d6rHV&U4M*n48O8hDD^
%QO!2MK20Wf:Zarik+kps<4$r!^,`.Q*;+Cp[<IWl4U4EJBD%mL:s_L*kYZclTN$$_1j[M53bfr]<L"U>Qr#6ZdjfVM@jG,Tg]dh?
%2<6j7"[rU#(H5<pYSE>I61LMA(sRsLCNY"6+O=UlL&m`e:$t&Y/+fc,oq5E0e@%F'?l]rf*gF'm.U3LA>t8b8UCPq/B%Tsdls5D5
%W*"5o2ET*T4Xd0J[FL9uCepL:7s2;)'&6>Am\hf5TLJUJ>Ba&VHVhUA.d%g0p)`l$%bc>$Q+mPm^ls$$;.]5_OmkZMn>LDQdR64_
%-_?S=c_?@YSGK46R+&#4H@eW0:GS(3f0qjQnHLY'='hY5]kmGLSeWi<lBgrpR1G1D:[4E^S^)kbk>D9NW"f*$.XG&:4\:o&Wg^X0
%TH9@r+&u<:!j(i_X[c+;Zhj!?:@(hVp8C4QTN(faCAY/aHdp2dd+*Qki'"%34t-:lVuRq4Jq'($5,o,8Fc+M6`^g!fUJUNVVXdT5
%q5DbidW@\<59H/b+'#.E*fa!(^-<mf)(Ua"5sYeC$;#7QGmTk[3%tVY%&-j6MTHsu'qfSO\V-@mJV:K@^^>nF<!1Upn#&t??P3;c
%Xe$EikhT`k)3n8qUpRrt'\,]o&a"HiXWY,uhjPQk0JTXWY;TTdeZDKHWGZGZCF_0>'-u$>0M:9#DF1k8FD:m/i"t<M8]i3h6N)lt
%RP\30[6MIF]ET$Ze%#:5aiTjKN&Sk>9CW]#E.N>YU_[eJaqdrj,/?_hM0DoGckAJC&#L7X+CI36+/BMr<oRYl%Y`:W_ub^NR1KtM
%XR*TBCc,]D][o@$N'#B0g:S+j,;WPtFC<,1FP"f59uB[`/u+S=)jJ?7QOnqu<mo^7'GOui\pPqI3PYhr:hK'BZjKfJK$1E\&\i^:
%`DEqRib\4$m8S0a4_5=F^f2c#3_'kFeK&JbT"Bo89^>e!D+XoqBA("q">=6ibJ5__3Pc`jrXbOM+*EZO9Q*CdhF?mq/`D&m3d3WA
%8XT_B^I9V$b($peE*X,Li^k%6CQp&iT^GHtGZf/*;qGV6lIu*gW3(3aAMql=XE13+V,mY_>@:K9P_RHHN<A+h77>Pi%%1uK`<+IZ
%?Mo>Wk_^PGbPA,?)8=31llLi3jTSDjQnns9JhqdR/m/%9WnVK*Xi>'e<kllOFVlNcA:k"4]ri:\X2`8BQCicjm;M.XR,tBDnf.so
%hOa*=emkfmF%Ahm:!r(\EpBqLND4"<_6Vi\(mQQISg+NDQi!:2J2#G`UJJ$uCbi:.,G6P0*G'msGt#m='s&nXQhH7=ZlLBCmCSVB
%bUG=PK8rWNGh[@XW*CjDO/7pB)38%q:jfH",Jb5,E]#.u[XM%N;cSI=-&kN..AW(S\mdg$"Z=HqVBSK8"%udNPaCM)^08hJ24&\n
%!V1co2jc*jjI@IjHYm5[ebJoR(kc7GY.UCh.]8)8[[W^QYJMcF_Hl?jGEU<^6,_,_naqIPPF"#U6-6\V<+]YGLU=a2=abFg=Hha6
%ejS5s@kuRLs8/hi[CH)al-e1m`/.[J&*]E8Xi3<20p.C(e1G'j5^tMBO^./8X!`p_2"u0]!MD,:IDF'j"KZ7-3_?7b(`V4rgpHu1
%btXPgdc^V8mJ"YUe!<)i"@?\n<-e=@S'6"':N$J%\$i+;KI"@`>A%N7HbR"H0R<a;S9m.kF`&H[\$<i0.LcMleJ3>\X2RYn_U1\E
%K^\TfNKIY8IVK5HpQ^FlDFpK9P;F[jjmFVJ2C^[R-VWK5$=SdR\M?S8^/EJWOt-fP!:k2*8hT04FM?hWQsIOWBuH.4fOU(E5:!5(
%L<A)+qKN?EJpbi4lB764,:4Dh1keVX&4IFD2(po^-tF,!U-ut]M1r6NX3CZKp'B`BRLi%1VbO]&Qkc'.=P#n>BWZod!Le'?I<!K9
%l]kL_oB!@cNC,#I()L"!TirsAq0E,pRLZJJRW6D+WR/ee\jWO,dVRH>).,WD>Da&%fL:L]V!L+%j*""tQ:TGM9/4:W9g`/YKp><6
%Gn'Nb&9M2bf4nS(2bUAX>Ufp'WBp]7KKQ%]9CB-[ouF631[)j]1obTi!,5]\HNH+PrVO%:>Tfj\j8n#ZQ3;I=lE]5b8hTg3RIk-B
%bKDC=;<K\PbN8b+q6aZT7^lWg%]OXW^[N<TCpBG?nG9SqIh3?&odWT@/A4\o9(93#O`;"5>rG!lb3qa[j8cHd8=g^%3XHMie*k%9
%?@KFC$]pn1Wl2%Cm\n7liUOo<1qW7u".1-7om2I&!;Q/ZqEoWupF3T7bIb_.?DU#Z12;tP?kCIB)tc9baTB2oI'lRb?][/SYRqLI
%%a$lqXZ&D]]W:SQ72u/BM2?ki48'uh#bl4EY2#e*ecNLJS,1MW#'&]YN5?h0<dfK60UY\#])>TH66l7hpca<p^S.i1]e#so)<U:<
%Ak?VmmEDH>fgK/P_p==#>`A)Jkmn^5Vc+A+LuP7rCbWnWFm<!c8YVYYX#.p`"n//r&Y4M9Fqt2.g\&?OI7kil6Bn[6a>e'ZN!0=3
%<+Ha^7ckX`XR=O*cR;>D^la.ghPHGQ_OHZ.#Hgne%/bMcV(*g-8Da_VN^D^P&TGhRns+NQ<i*:X1]p+1'>,q!9L+X\!pE'Mct7&\
%oX`4<)Adlp!75!X(fO8BY.CH.=_9F(T5W9lAG%E5OGBFa_j05C(8l(b!+qc`S8DU7`F8/J5@lGu#WlX]YDg?mNJil)AqN8W>q6Or
%V)N[%`'<*[\nN!/EnJ2EE:(q%YW2-QcKbTkOabCpmG<g2=WmDP3&8[rA<M8HT>3uGlgclc)jThscFD4$!]<Ku$962na:*T10?Sc6
%.18/I6jNq>c#F%429)JLms[mDBXB2ZG;e7R`eb9nA1HP&X><lej-"S)%B[Xk2k-VIX#;(t4?80&F`asbLA!;["dTqrpTI@aZfN0A
%];mL!"$uhAhVhm5"%J)uDoGef^ZZj6a&2Ol*B+_?X&gaH8jEeW=/$&[=piYgobB8Oeg89C_;#KqAimY^:]r\bLP,Zm&cS$N)5j:!
%-g<p84enrp&$,'\g?OKS@3DVfV5aV:ktm^Q`3"dDVWD,3T2nM_[RKqJKFJE4Gadh>c0e>SP9sI\T.!&/`CuAP@CJ=8Q4ED,)q`dY
%`G+O`:9L*%P)&p]5is^m&_%:+4*lu7XGuA)HiP\Z,lX/WqnF%W40?UnDI<ho+FAXtfCI?6Ymf:+W5,ib8agU(8ImJt;4r):<'RM%
%3au-9.+/_WKiu5>i4m%m6?<Og`hMa>996i%Wql_ad]4aDf!C\.8b_nN&,W"FHW6P!ldJ%2ffnWV*Yi^VC:Zpsh4mI.K:_Oap?tj)
%pd%dP9mcZ6;>d)"I+1>DW['eW.R0jb+*F#JRa+G%kHe(YK<"Qr!qfEkH:qH-Dc<aq30CJl8g;k,]Aj*;fVNm^5L;X13rP/n=!.8t
%G_lVoP$0#f-F-3dX:(7*iW3J057C^;A9d(Z.9"/E<F`T]ceM)HHc^D,YK[%\glK)l%LEaa9!UC*a_:R\&!0+kF*Ru+NV'`r?Fm;]
%Qb5G1$XJL]=PCp[0"H/EP]lb7YSe"Pq0`S\o/rARgY*XBTQl^Lk-_bBV]1o%IkA8NB`o%u&J9h7%Ps;'[07.Y+cDW'GR8\6=Y)Ld
%^9a6@>0pNS;9"M`eoT+"N_lQsZ3Ht8,(^^f"H,&k?U!n"#rj_%c,ELA6^k1"KkXlUU<:/@m5bdj7d^N$"nXq;CC?#YLQSb<Q`)-G
%`lani;sO;b*8]+YqV3"*#p2cV,tFr>@lB;uYq4Fi0^FkAUY_Eb;.n5+.a0V@]3rbaqdXC.R"d[LllM=:LIC&TAb_X!4Jj;EP*X,k
%kN1"$-VbuC.s1D1KO:&gTLeUQT=<eIVfGU%R2J>`I3pSHNS'H+]M/4@6_/d^$8F=R<S"dXk%iH23P]fT[7kqP,[M`df(*sggj-kA
%]"3)kn`4601>`Z"bKJ+IA/YtJ#pMSZ2iigBA'4Eu]dfsl;K:CB*$Zsub<3`?=7H3gGh!r,CGaD[#L1^0Tod'R#4!!c7g]-WF=Ft2
%.J'6JK(b3EJ4^s^h35bWP^A*@CtB[q:D@&,RN]nN(o0eeX'3!:lJ!PRSo_hG2ufU9=>j&X[<WeiX"1=':V34!*\?_JG,/<d/VP9[
%B'QJ#-jNg"+(/@!5;m#m.p-63N?lR-ON%CJP3)^;WGa_MoH\tP9Jf[lfSris`$>pcM<Z3ZW-T-D"&dsG2ul47*<RNp>^!5Ne8lGZ
%)Xf<.@riBdTOtqT()WU5oXZsD.e-U.-rql/;#D%5<t8rQI&X!(lj+[V/S/d9oaH[N/>4YqWH*LYf1J"UDL_cjGh62``OV@#\2("e
%Lt[#D+u'Xo?cDrL$aVk6G"CGV&VSWe0bo1DkRLi3^O9I?n#>A3O=LRJo8C^uG\T>HUA=J">P\2XSmSP?P0'j\Cg09o-;UWfc742N
%%\ZUc1CRZm;B6h(jK>sk1>W3#]!X%6ZRW%l^EGDtB=$-(kl\_6PlO0HU7*6,[hgm5h7u!05g\J*pO53][*"`<-/fY065Jp**Pc9]
%_3X?$W5(5YC##Hb4@7/TX.15DA`D?D3FP,Ek38WN:JW'V5S]8@7Gt..FQ-^#KFgWGc,e-tJ\oVtCgIa_KTQg:aL8\NE2?*jhuQMD
%e`"jLeO=)`O:(6u/pP3T2-q,,)&O)@8n]EB=3(S+$J:;)!j=VF[)WSsKW?T<.PW00Q$a/P;9=gnE;A30*ch#Up*!t78K2?k)1uof
%Y9r8WN17:QRpNRWiPBMQG%tT%kshQ8CV(b(93;,>jB%9/+\X&qR:_!l8<T]+:d_@u9XT.%F5G>B8Ogf):T(tTfVRaf'qs8(U*fEA
%4[Sg8Z#L338qW`tb3)[J$"eBf@,,*@F61D3i#Hi'i-^&#Pp";e&tk"R7MCJ-U(\*G$3=?GKn'G$AT8(skn6[GaZ[R+Rnc4C/9B8B
%-<+75cAs]@#CQR_M5n]rAooe<AQsk,Higm%Q-_[d6QLCtp]u+M/h3`/]YB,n>X0kAE<T%WFTUpMZ=$#k^[.kM!u+Hem+N#oAt0=*
%7'2>%R2-E($[!)VCC/!bZ(a9T)rp\fLV/+$`sb64C;k0_aC8Jmkgm&ISu;A%0J5@d3V;1o<gh4+aA\j[qKV'Ch1MIIn_eL/*L*<L
%oAK<^?)3Z?F`b6e*42IkpYbbY3J^0qno3Z>V.BU*@NZ9J"'S[_-[Uh,IQl//e*?O5M1,<m\/^P;pST>:ND"Z1'H6sU)LLh7im&@f
%qPH_h(aN4D=9B,B=,ZYiFAlAf#/GQ[7c%DMpCI)[QcG0d\37KA-/Z(pn4:`RO"<Xh)>cNF)@4CLiW,I%A*-662,9CodAp:-nIZ8W
%g">0#I9$L!+#L<:6JX>4muL%I2KKZji*"1u0#\Q>=UE.f"\KHdDYc-]\KZ[b+NS;"?2f8fTq1p8H)XOJ[Q\`,*6@CtT+=b9*kGET
%EDr+aJAs\(W0dU`p=4P;;$MHm=ure)[7(\1,`U]Zn2Ka9#W9@?c@k.o*:;/8"r[#I$.g:jmYDA3-a:M?#@,1R5Of#e&.?*=U+JmM
%2\bPEQSN%AOIAH@6flZs#<8=--p0$]XWs8J^X'\%Xmq.2E3r)^"K8\PqS?PC>pWlQ'*&GD'e;ol#?[Z+R%\o)2/b)EZ-F'Z'3aAr
%=`M5b4Q&*Bd#N;Ua8mm`hjj9kC*N^Y)jSdMEbs;gUT.KfH-Ze]IGP<.<'mtCEj"'sE.jR#nRF+p2:4(Mjk]+&%$H6Sl=?J626',X
%HJW=G^J]/5Q7%]HN.3Tms)peYr:9'T*Bh$PcMMChoPm+q]_DHa!!50X/T'4+?%l?DY2)dj0o!esl?q&*'LRN',X_iqPX@,kn3;'<
%*`(kgg&:`2J",PDJ,b/`jd:hW6G=.:3Yrm;S,-Zc@\$D$5np^4!Z\\I\'[>u:`)`3G@6l6H83DEke\-=+t&`ibloqDhi5PWeGE:V
%bN40X=-JR$aE6__in&&iqC,s##]G`Scs+lh51<nqB_F"5m\fu*F.XmS"_6R1=$s+cFN4:5H$DG3:T*PS7UuPXCUBR^-c]g%L0rK(
%#4DJf#:kZS#]MXG1MJ/nhsXM5cQ]C_Ib9)Hngat*nHaP02SPq/O*JboBViMsp!_esAZ(9[*K2&(3H8sZpIhm*<*cRYf:Y]90n<XG
%-\6+CI=TQ`Dt<jGXV?m'm!8(:hN.QCNnb^5+1l_=qKtO""FoVWIcrWfd$=O&KDDLsq7.sNTmupDe,!!Ap-\lRA#K(AY4.2Vo#G).
%%t3]'4m\6cmUn(n8t5VVTT?#S77o@p/BM,0d2<,tOf\=>]AG.HEo,Ko-p[dGZ-sD$&5!\`p:AIg=UE]i;N,jTYbBr+'*&;u>Wfio
%.kd2><tt"/p:<5n-<YhJ?/c#&C5UOQSi&4:"RKkg\a,Ddqlk`n&RUS;J@3?#8ck%0,4QGW_f?XHfE3`t^=_0!`c=*)<9oVo9:224
%)=^0`=WJU9/jir9WS?;t#/u-s(/"Gd%O$;8/N+NaFf&8PT2r<[Kpdhk0RH.sr&HWsNP;sqEW<BXS9BfLhu87?p<YU:q"?i5@:V1@
%3jnko8314N#jB#;6=ISG"\^:6I/PpEk7IuG6Auu5V0Fl_%8Ath^OaOPKBc4Ae)cr8M\j<G0IkWb(hpssF?Y7i>990j;$i7p[q-$<
%MI'ksgmMasjL]FPcVX*UCA`T8J&J'',-cojm4H%6,,)X&>1c:q-o@pa5kInf'\XppZk5Xkl`Z/[*ee'aP-RURg$JN'8)@*?ddeiF
%LiIUM^m0T\ff)uL(h$Pf5?LCaa/'nMh70d*IAtsRR2Y@8M>*[_nL]Ik8./,Oq]qbF]#>keAD@F7#)[KC2pnimR_VVa7@(7kN83o1
%IZp`%#[toB=U*RH6@mH+`8)@tmcuZrmL6`)$(]\]'$N=@5>@*'5r/BHD]o`V2AO]b^,rAE%?1D+X^pt8:YdJHB*uI2.Ib2;cl\.?
%J3,+L?n4OP)haTL[*31q\OYAP$qkc%,l(k1V,Burh\ie%MP$c3pl0LE4]?lQ<$DH$&EJ(=h"BMGiUiWj6jfE)N]q-BHWL<CA[3@T
%Y@)u)"8cCtc;D,Mga7pZ-;b?Fgl1RWE&4!5A%0;/c8!,I3V$Xnfc:d<n_18*+5u^Z_[oE3MCiiB5r8*ZNRaE"-:9E#BR5`LY9m@(
%!St"Lp.+cJ!!\\rm#t*N.EF3c?_o$G%tG3a;Cfm0Tgr]ceab4323u.!7(N>G%0=i;H=L;fakaSqR95hp/*I41Q\)5tk%TeR3siW(
%DSo1Q]Ml=,oXLr"[0g1pR&+YDq^LaX-a*D>[:Gq-]ncld-T+nZRC-"ep:1Kjm4=9JC(GbIriW]JrX.P-`7]ZIYQ!KjVkP7Dm&\*X
%9`S2/o!*cd5!7j$C*N[oRr%F")NugN2hi8*2iTqQC$`m=[bB8c#,B>q]=!'==aJI(f^3,'@;+MZd%5;,>-07A5%$<Or=m9o;^E/g
%EGu*,BY`#=7ru=/p)XILK0&WXUP&ngSCm%(95hL)[Jq1Icn,kSIH@ljX;.9DH"`k75R=8i'X&f6nX(A)3^,)JH`PcLnKU5Gkpp?u
%3D/L&F%f)jm8rtH'psgbKX^;Z(7`<#A@YWTrO\m3)WEV_1R0'VQGtcL'5E70@8:R'#W[sJS"kHWq"!,kFcs>4c+,B!L4mG#=1m!t
%GKkkfF82.17r$[:Jn>t/>nO%][J@_a$ML\,:`O5BbQt659=qja-sU:+@XM$KRC0<D!$F_>)I(#F(uOEb]Z3HP=@J=<XjnsG'u`%D
%H]\G-[:U1XX3ub3`=h&0-.n>/enqHkiDqe<[W0!!(fgYN$tDrq7PA`Lgi61ea'tJZHj!#W![#p%B;/eaDJ&FQOAE+HT-:N_['j(O
%X&&f0X$<3GcABGe_sH)_T(0Ka,k*$nG^*NC<#=@8=Ynd:K^,SrY)B)1Cnpp:mi]fd48?=sV?m;L_2\];=Ee`_n@Y!Te!)<a_aDV'
%2F5B/hVl(EZJIVE\VrLKp,+.k0$4#A_V;PdE69?=jiTf$Ao8$&p!.CPcsDDo">qpLnFbr9[Ag:I=&UJ=`29og4$aGG=Yptpb^p6s
%RS%_s]Q:mDQ@QFeDA2PTJ::-51;;k#Ik>#TbUfBld*ot5]a@#ajuO3M(qc`EMtaJ_n5NUO<Zupp=M1K8JaW_l"!rV0q.u=g0-mo%
%CMq4/j8XGM-#*e6AO=h7+HL`oWXkMY!`ql@XHRJO;.Ai>`q:J0FVOXtO97R:LRhDa*otD&dU`qEB*U`0BCW?QTs^(0gOjn.=mGAs
%$25P`pE2;:Pb`YfY<,;2*C]K>"n^)LHUh5Q#78/?gttsGn15c.'HB5+'0aJS5"H_9`=X2F'T\uH7sW+LPiGX7nL+tE+=?n,4F*0i
%4K2JTF>&[VR?(gGBAq+17-?k\o-F6ZPR)\6'0Q\`*X,.XUeHiTV[%e&#;OaA6?dKpGHTn4bc#q#]H>,f>E'K%jNDGH1"9Re_Bn(G
%S5]dSW!^3_Ej_e9=eb3/FLjt*@"uh+FdJEBH%Dc\&$Qd]?=rn#7bd_%A1*$l!pWTWcD#Ku/G82&0[G&R-ZtEA%Ycp+QdBqOdZ9l!
%aHA4FkO$:JjEHgFG";eRN2q#3,PnbohpIQRjL,pO9Y>Cg1oG)Un(Vh'9T$4Q-9YZ$Cg*$)X]VL5_FU[eN*"l<k>`>`iW$\Q(Uls.
%C'!7I\k?#pf)V!-CXN!*ZM%lP4gfmhI_@90[7#ZH?5^F#%6.l$k^Sq<T?sLlC!MMIdd?KLG+G.#`W<$`T@gpb2Z$8*orMV;=E?$I
%1d^<_=[tl&IDuDEi+*fT1C4'_T7STE!(RB;=tG3'$K>$7#6`4D<O#,^)^UTQAYMKf]i9TjO?s$t.oBat_p?g):sXs.Bp;<BCB:H#
%7hL7.<r8,QRUsqB>mrGR"jA#RD7(k!*s7/O<m8Wc<VEOH*>mr,kS#dkd2*.N!R%j'O;!0g+C6^p"\_NXRfM\/0NZ;6N)1gNO[,\H
%$c_kRMfeWC`qo;FL@$sJIe<]LSS?JGN&V2WWJG.@VI<.tJBn8(_L>QTjmD#jNZPc\feK6Y-KRZE*B,PP.:'dg!KIpY@Zn=?_+;_T
%Bm][W5?cQjPP=kF!G^[lErbGp%Au,[S+AulQ]U?g`q(FUA7p]<a5MuQL4_h]\5B3NA5/Tl/A,64AU83_-c%+A&rcfmpYZII?DuT6
%p(][,-"RK%2oAYlYgCaqWb`3F3;0:'>*"?6^Ln/p@2C**aQr`dC+5qn^'$kE&bejaI]=h/&-^!Kol9m-h;2U&6]QBU+`URr@("q8
%\Hlt^<`n5BkfPA\hM-'>7\$3&iao!pDc`HH!J:oEr$1mHQa$B7W(*iEfqXUaKsGbi"RO!:3er+\.lOi<K55f&(D@W_DRY&sbR:b'
%m)D__F>;O_M=ZHML7*<5lhW;,f/&+r@-o5H.8T?gnk&bSd,,AU)02:ZNG(-GHLtB!nI-igG-]%;b*!a>)F'Ye\G-,"[S%2MK-0.u
%L/U1Xea51C!s)2?M0l[S8-^<J9@n3a>;Y!KO'N)l)*5SL]u"UKD-UrCmG:07(/'`0j+0E5JpWm;W5<;309F@JN5.jp>ET(NMGaEI
%.(Fo9og*ZD.9t`2F)bH"[^%O;]Uh+hlcVXE5:fH,3bAs"As"p+XX*`R-1lr4m\=:Mk"]iUC9oknUJ(RNd8t\alOFuoK=CX6=WVt;
%K>79SRqe=;A94cq55nFLY.e#=9.07/l"KL#S1j5R`HP^GQf1^_Ou(nS;>BK+P'3'gH]VPQJT+[j#MV^N"Hf&]cdsu.i9N0Ui<Wn;
%!'Dr6A:fD"Og3pY+<)U<2\[G:2FFkRRmR)'V:NAI$HOp,Wb`skmr7*+'?+A]m$Ybk=hANjM:YANpDKKB"S*NU5B$%ah`e)c5g'Ig
%V6;XCWH-mD93We5T*b"B1WGj.E,,a5CakgHD7CNi7.2@;@O+tMEP"/FP*EX/'s@Jf"a!JV,%J^,=Lp<691"ru(?7q/NFi&j,t#B=
%LFmc#fbtm:H_`H\V]aeT664gJKS$pC+e2:lhI/1uD\=[3B<u'Rh5&g/Y>j7c*Z3=-gGA24]kdlIkQapUD_QIK8.M]DEa+YM\6M..
%=Bi#HAJC:._n;Y1DJ,FX6iWO*ZuCtO<oFrrM:]TL.e;4;;2*J38h?FPTnuI=C-[&YqP'H!WWC"QP:[P)4@YYFYi#0n+;TDA6k&3'
%0-o1.Q`>2e7)1,Zif%)SQErWZKD4CtYI`9P]Q#IDqb[?u([@q5>g!b]23_sjQ@r1@:eer+.PRhj(/*-q(+WR?n+:c#P7S+3HF6;E
%?W("T=ZpYu%R".>i9XNnBL9^RJ.5RS,a5Wq/r'rnF9a=LK.;mN*rtP<$/o+Ug:qC5)jfju\8f^P?WiIt_!YekfjGO3]*/p&<_/l.
%`cDGH`!`9dZVR:+6I,mD?'6[_85NXX<,!;$&nEq]"tXr#5jS@\F_Ie#4e[ms#iu:>o?XAuIg4fkIAR1f4M6s>qg3S>a*$pVJt?#t
%Bk8@:nABQ*YuON+BebFAn$R;U'HboK_n%n3^phkjNl?D#dQW,*f_eL6jMQ^uhKk5eoPlrg[tR>PR;%r3p*hS,dXY&AD`;-t_q#uI
%<rc/qphB8o^/:Th;Nt4h-C"N,<=j8"=EG8uW65>f1+->K.ThU_Q$rg@#sX?u>]JUG3/&K;TK_F)QR:'WK0I'bF4?^'VeqAc?pTD[
%&=A^NE##dB2@S"@\-fn^PW1:TC70Ad8X*T-D03!QM9m0G):=-a:6ld/\c]K-Kts"-'f;r/<^je6Cm9o]No['WkQWr$!qhX;GdE@r
%@:\ubh'q;oHUS,?@0?iLQ&jL^?4C=b>lc06.XL5J,C7:BkBG\50['+``"8RO^eX7'<RW^gZF?I;+b$6SZP5h.=d/IXGKAMV0m#f"
%*H4O[R&(%8dlS3-!B'NMYW;fi*\^fX.RGX"/a%9RI<N+Z,T,d%e#PbQi"^;hBu24T#"3"ZQ`7@*NTt^fk=nDc2cc1:W<-Q^OhtM%
%4LLHG0)h)4O(/M;H"ucl(&1>'?UA!h^t5F2[NI8MM<p"3,$.\rZ$O/u?ta/T>[!'1^A:Pc(eOEM_4<%>i?>us#4T@P#3@$MBC%Ii
%JL''22KRK28X=GmiS_`BD-H8X1-PoaAW!HY>TSu5c:];:7qf?#'NC-a8@YQoN<2eANAg&K_'9]^:l:_V's,F$iLWE!ih^.c;XE(r
%;B?c`&_(,jSQB4D".$lt-[369i=R8ADXkX9Z@3eKAYVYb!g^^(9JuZsj5=WNrYV6:s2";c8F?;^d/t<,mI^G>i'2kqkBPqs>9)[b
%F2W*TDVbP6LT1p\cL;0*A?HhI?Himh^LbG+1AB:Mk1Hj!eC`oW$-oe_cDe"m@ga>YSh%V`DRAE758F-QQ.-i*Ror9p1P`3n'Kujn
%&bMugk@cfMNFKI]LCXCGM%[aYj$W'p-h_Z.orACAeukCdqL//>9hjhe:s'n(96I]magajbi"9>kJ4+cM/KPI`7kE^GDK<@V@ZLPc
%=`cW0<6g7'CqPGj3?TQ9M@Q/n@akR]SX-?BC0,Gcp?*Y>NP=H^9b3<?q"ct-^+?Ib>t@+o>;G:B/*L5,dbd#;LaTg7H7,(11h^+C
%6(Rno7/o%0JQ'PZX,DRF@sY3JCIknO_R+Oflc.4=5S>ds;l-EKV;l_nV7:LE>Heo/9-(s6@@`"Ye55#2:2eG>Z$f3\JWO^@EoK9Q
%9nnpgc#aK@NU,$G*c-%BX36B\#]N-547?L8%u-ITP\q-Tkrc>l,9d-j</PPSOL^1.gR@N+-kd%)`D^cM@DCBWV!-d(_s\<ej(7R[
%CF)`6f,r$\)a:E]ITAJCC*0&0m1+ld6"rdrp+%s2ntgJc5\[9jVN%SDd9,p:7h&s<g6JiJTLe++1:TnjL2RdCM><$%8!NY=`Tm,?
%SBSHcM[0&QdgstP.\RHQQ*Ed3E($R!MUER+-?YK+H;W5K/3``WhfaQS;AUUdhS<R!"X4b#'ORNlMlYVJ01`"@/g34BA,`\6Qo>m[
%r_,aO!>qA,L39>8h7`c;"s>5[-8V'Ig=4WFJ)LkAO3Qeg><]ht1/pWsd8hNu-=i<_Tq#"aM-<u<StjkQaFuNZ2ldItL7mY?(:(],
%PA]qg@JO2gq$4Bk1^ATb&s:/!Q)$Dq#jo-J[(*5EiUHr[>%,9Q\`\*Z3GA'-o$p*.[;HmFp=EUrUV_HpfUZdeUR.:?EUM28:XF.'
%UlRobDCYtp93V,?FgVmc94Hb<4WS-&$U^T5GAS0Cjk'H3HrTpnrSEhofEl[gTEK/L-"g8t!rNaBFX2N*]R2-2<JT_k%Y)N`RXf&b
%$%V*@\m_2-4\fq(#2^(Gnj8:TCe*fj7f[`=<%`nD!n=?])P%7bl>lBHInsq`DTch0k3,[u%1S6/['ENuC%m\F]uh'5r+7?P!#DDB
%*+UH;pQZi66"8rAhY&oV(r0ei[_E[MB]dl`*%jSQNK3Opgf5)#%RGoOUJfo;9sdOPV>`[!q]8hKcjk*'Coiu4hAu4^DI3t"PkHq"
%QQJ'AP#1KYOK3_)IQeA`Q0U"LEWldr\!o1HY8,c.8T'Gd`80'ljBA^o2*smF0c3;8/m_O3#a<("l6;u5D7>^NBE3r-jg]G'ioKKg
%:9V!RFd^]tnRh8E9`7q1M=tTGUb^"!L+3m;g"4YmF)kMX]&iiNp4'hXo7c@JJ3lgNYVeT/n,WOe<$!U>bqpU+/C9R`K;4Kq1/f*a
%7qcsBQ-Dt0Kha$qWAigBmkI':53is^QV2C$S0bogg1Qb`(L)aQ#ADObL$tc3C:Aj,AS#8>JQn"a$i8#4]LO<*9hs1-^K)B>P3^XV
%FRLY`QIp#>#V4=s-@$"Y0H@Z$08EfD&T>YnW7rh.WguFEQoIH+=^>c9hKEQIi-_K("eJGU8/"]ueUWl`CQ7b#dE7qVq1K1'V:]JW
%r\dK:?I:?OH($-`FC<se,1?Q21/f[/f%V3U:M.K=g<AUZB-H9-W7D[><S]s!9lG^cqbqk:;^_BNbPAX@o`"Ub0730A*6E2k$3,VQ
%&,;k)frm-1]P!Z&I\7h*Tag2uVQ?%m@tOek5S4ba1^6=)rq2cDnsl`Jc5JO;3J24JXd'\d;k92AQ'ZQ;c>tORJ@DKDgGjeWJJ?RD
%\R#V$NFcR#iOlD2kf6]Z@r"0D':2ZT0q&=P=>I6D3D25pJ2t!q?#%u6<hUW)IMXI\+O0h2=GAYb*YI$B1E;m[1+FeMc;[Ka=)jn]
%LE3;i>[%ZD!,aPk,BKk.>!#r.@+)*Q`jZ+UUp:sL2VU/EhAUQ5,pNpZiufL(DZJXOjoCZ-C"IX0(J!2eYFrlU'3pc&p3qYo>T-`&
%9(0!a0/0VSg"O'NmL($($[hJMB)+UsI@%.ObA?'I_='/A06$7OB_]2urEX=@IMmZ2_16E7J`S?aSVdU,g'3IX&3;Z^]%%N2.PZ%G
%2K\7HCt+%r;r%^/J9&#s_DG5jKpjM\63m7mOe-ONM2Y5Goe7`];#sf/>NrRZVgL3`R@[FR;a^o)cs024g0LUc#["i?T`:]M&<cd<
%EWm-i#pkcgLYuL$gi]&.lHE_dp_%hHiR4oKEYIXNL.)h>OpIs'Z'&W+:_aC*1d\.`81[^e:kFUNX%Bs;QeHtA.J`lVX-N6J$]K'*
%Ush/!'-e5`;?"e^&X!]_L=m\,`E@m,;qA!KjAM^qj2?m)$-Ba(UAc\t?[#)I]6)a7eCt+dp=_&;?-.WSe18cTi.rYe!+Y,1E@UoS
%bU@>IQgB7UC-)e4I#OQ(>.:NeVu$"$:0IOu9<(?X:+CX#)Mm<cE<_Iq%TBmGN'@N0jZVkX*JekLbIn2Y??>GY=&66B)b)47ZlUgn
%NPoGGCAa1&MM'pu;"hlAg=b*6';./+,3HL9^6>SH':bCd-NuYX!k3X4KD49'\<@9H9c@,/0^.RAFHRF9q$d_2&=o&BDK8/n%AT8m
%Z&m\EPQoQ1(g0B^EH.F21$>M!YbVlY=*D/I8'lD=NjA0cnD$O5?qBkoJnbZJ&E5Adbhg?phbstjGRN"18L_CikOd%t2E&uF2AXD(
%!n+2C#OnXid9VJEpm,jh;bit%$?:[Cjt;h,!j%?7>hk9g7Ca!ho<7Z\:9%>RWG<XXXICcl9e0F=6!Hl]lR'&_PMj"YF%`KTrA;0)
%b$I$;D]o]hiDRli/*[[CJRrA?"tBFAM24^$p@@1<JHEE/<]KGCATi#@d`OleBN_ak*6%^/-c?oNAG_0RFih_lK4B7m3bS5F>*Y;r
%CH7VO0K?lS?oJB,P='P25YcduVZ2\/<F#Ga@_j9dh+Drh<sP53!S*1iBF_C)bQ@"pj61?Tc;lIX,9s%B%]ikLV^W&m"*0,0-YaE=
%4Ft@baKrRS1bsIW8U!_hO>*\)F>4:Fh.^iJOuNVU0r#j;Q(8`7M/.cPifGe[7<QEdl,gn0<"Igd0FJ%7DmVP(hBZrKe_[=9Rt9>=
%ea;MlG&r0MZ@t7/MRsbIrESH<]]O)9F>m-E.BC%HJ_eT$?HDHh9E=PDM(dqS,B[M-24:EPS5M>C.FCf5qf-4gdT">sT*Ug<X^FOd
%M7QUk8gd5-EoP<YpB0A3Ti-!#NHXgT.[C72W&G>9p`0W9k`@0Dr4t-#=F/p=e0X>K$)Ru?R5he\!!=Lq4Yb.1mNdO:N9m5^JMkR*
%W`kCI`*,U"18;Wn%)A<GQA%0SoK<o,*Oar[YOQ(j<Au4>1O3ard7Xul_AjM'H5\*//L"fB6PXJK_CSn3n2Q\tO((qA;"]&WOO<h9
%R99\M`3(5,Lu!$&:*GLuE892^W`h`KR>l.3K9LXM\VUiO4CS@>%u<X9M.JR_>VI,FK(8Mc/'R#^a%;dZK+tg5!WFE@*!mDMmh8fE
%2[FG"QcX@H[(CaD?3N>&85Q=9ENd=T9!l@Knjf2W\P-7@L%bgf=d3lcSA5-dO4MY@]F#I"UcY*q?$>MpXN4]PAN/5HS!Rht-P@pJ
%QS(f>L1O1'DleO3Hg_14r`7"7TFSE]N9&,Ip8hF\"J&%#X?d,f\<fT=>bU&6atu]aEOM7*OrQN62Q/fV/;[OB>LYj]La()P7"')e
%%!iG)IPP"_il9(8!V$t'0])t[mt9\JB_ie>4pZsM*X0f`<Cr'_Wh&j(#GcoWSj>:[@4?P3+k*-K'=!W`dET)_An?'>3&YJN'4;nu
%TOb/A65]h,9J<M68O<lVE#*GB0;7M0q.>DZF+McG9E3Zk$=-=;kb]$cnd`5[$JEejj$X]SBBad.EI:QF6mn\&RsM?,VU9JtSJdrU
%b_>/p!2ri+nI^-;j:1h9>89Y:hal$hr(RH_DC;O:,%QpR[JCsH_h_@-_Wf0F-ZV,ie0CZLLG2LQnma2PT;lZ.)kmY(/W2H?PRPRZ
%K1@R\WOnhh<?-fOcoNL:+L)Ieck$B`@g&ck.u_hGkVUU:ASAHs%q+V"\Ju9uVcmY_j]mg@hT%s;82m$6b8/mp(%-#PDmI]87*i](
%HE1LO//!V%R8X4Q&s9%EWL.1_I?GI_.o>-m<Ik75<kW?,P5I$@Qa:LW.j-XF)0\giY5nrfd"J2\d,V$0lIOEqQId`2liI[0K,O-/
%b85-]?-IU2h7eDmn"SsVq"b.FrW6uPMst)p#!cn;d0`j5hCu#U:^N[me6?Z,4N"WXNg?Gt%SbH-KD7<!)2f>J9bsMN)[<o;S>:7b
%:a_;60G+n23"EM;eCu-%QJ;W6F96nhVjHDp^%q5Tr>UH;RlCb.SJ4PQ:(IAQ9QYBO;dktJQHdo#OqFu\URWTkVl"ZtnuG^/P>4S-
%"0eVQ3m.hhb5X4j:A4c_013,tD%7@#7aUF?^d/r4_`3;!<-@%-UZ#HJ!L%R,DZ42]D;Skr$,k+n6!:_><MAgiq7RGKN%1=V4E:pc
%!@J>@61E%LW5S%hg;'XTX\QHJb"uH,qE(HoF]7_8'5,&O+M](eS8f*$$[U8&Wf9IZ+OMPjd$]dlp!TTBZ>`9@7.2%aJX%Mo7-b9_
%6^MY(32fK/+YOu8!!AE,AF7L&#*g>K\rg&:4+f6VlDHGJ\q=QbqEm,rJg1q3^#-W<H&kWSl9Bml?kjS*%8D:8:U7.B!H)7\[uY27
%,qrq1j,>T]k0s&*+Nl=O(KNI/[[<$=;0>V4rk?TGYLV//G(EQ&%TG6;n8KTr*Gf3n`5A"P8dBde&<R[RWkicc<DHS-*.dq7$M(O6
%,(ti+#Vi3</Q^\$<30&!]0Q=i@,HeHeUF#fBL_p]":E6_9Vufk&[&Y0_J"kMK<1UT9amD\()?Ron4sgHj1sNN!;88E0Hbe4!IN,%
%99RgFSZ%PRj)Cctr8_*^#.u7l>SgSq"lV$7p,_-G/du\21>%-oG(GI-TZ%DVYmZ7jKM?V4Q<c1V+1Tu-H1p3i$dd9Rbd7aKm:036
%@'3d#liMF?"17G^EYmZG?)VZX'YF\omXgE[YiGrno)d^X$]OM)W4RTG4u@Te`nc>rGJW5G5k6PkHi]hQ!+kW9hE(`5"Yb?@Gi+5=
%G5u!JMqG6DLhm*2`^*_f&1X).?$%<!U7aYV80R;2Rru$b(A$-9F5=E1E=3(ph-@R0<o-.I?T6`CRhrSr6eKXBlt.RsA2,]I4Dn\!
%0'#k&nh%JAR7g\Qh2K[/C?Ru"l"7eH2`#S"Mm]&Eg.RE2aJ/&JgibJp(UA:t)8G"_i.X;QDU*5L4*`!5Gp2LaRif>29AQ^Oe#@04
%WIhGgX6)6%;"hB\,ZHp;$UA?'?`,_F&h7:/R&Ju-PSoX0.`MIW-6'</UL"XU=+pr<Q[M+JK:uDL1D34M!*l)B:/G83.'IGd73i(k
%k<rB7ADl72MDZOR&FkAI)F[5PCgP4oBI"4J@jJ$<YW%3J=XMAqKe1lqE3%t::o"6jSKn*V!@+:G;`A)KEti=V01W&td_rum3Lq4j
%!DX+ZScN(5/Yl29Za)5R"$FaUJI/;f4g,<g1JTkQ)SoBm"7jecC7/cn:dVHgktB\&hAQ';RaCKZ)7O"Z'8B5lU+6XPA*Ddl7DIRS
%hMMVF0:!k([44V`8`i/;/BjP)m+6mdXM\hhiZ4t!81"Y)4J5"0<a$@='%`^Tbq&(gn.Pgu[-BE9Ze(USDrF%J,TSd6od`B!6JiUD
%h3@ep1*KiYRT,RZ7DbN"l4(QQ<em*Eid_c=AYIdb,P]UK>mt)>JcmOLDD_BF1#-5Qcj0h@[An5dPLotZ_P)4Q2ZU-/,gC7$6*I_^
%[tg,3+)bT7PbN4-#Y"B?X,$uCCdJ]3#=1hr,'(g-9_/D9-Xh)5[mr?:<]1>,HYC.*0q`3eZuiIL@pj?X]hq6Eq9X\YZ/Ndp<)0fW
%^n3-kUZ=P[*"gQ3==p$'VG&G_]2aW!e((J=Tf`^L#fAX4[OY&',kN4XOX%^oi,IsIatSY'L=!g=4/B^>6\EC.Wc8"'34ZDm#Xc`A
%Em\Xp$s/HK'\T8&h.2l(Lp\W7fII2$UFgi#gIJeVj]FFI,*&l[kpr`+MG1Sna>Zhsfc39gaVsOLW\\l?77]:X4dt+P-PRCj((M[b
%EbH%L&BG$c##H>I!@ss6J-V<m!K<0+"q/TU=0(l?n'sd'bb(=]EJ&sGZ74&^\>P2s"@C5<TE-A<O&im%M@ZaL"WnuBV8Fa9)T/'B
%;dH9#AQ#R\j>]OuWDTL7.KJ"C3m\bB,TO0UBS[LeOh#gj?%pfnRT>SnLmu=o[jnPHmhh;TY8Rd)j,$&#L;YkpLdeNX`^17BKEUU_
%-,]jHHnjL1ND4SkQjXMP1<Vm]ehYOJ8!:Q[(uLO&hb2DdB(IZdro]0_V':[3$O]jH@SEF)!0/`P0V$"t]'Z63fjk/IO]?pb]\4eU
%dhEdq.&^J1,ZaVll7C=:8ZpF>f(C#IIY!=[!A<l1)4HN&RULjQj<fc1=e`(bdbJsOnN,`V+(7*HP5JafD\<+pW<8K$#.p+Q*V.($
%i:oV]]b>EnfIl!^e_Po7mFp7Fh#h&Aj`$%gZ,`EF_6_d(R9SED!orJWD_+_,FQkp!e/pi:O9It555@a9VIY>-":ZJjbu?Y8Jj24<
%dt#$+J8O;BZ-ib317r]qX1c[BGn.jrW(IkdQ),.mG?/RNCV:Y#X3<;siS,NDl-ds1:tKf'DRtK\$fj<RU7DH[Sh>Fe0m?nYWnT6Q
%XbI`*S%D1^ZYAoH0Laf4n?p.`e`EE,i2Z)5>'1^eqIE_l>-0FWecJoSQe/:Y!4KZY7OEW)Mujga#Lds78!;D\pe$hRF(ac1n/5FK
%&U6sH,FPi5\S@KuWn!g^.h,kl=;&T/afp"&n093sG"@e!"E-(G#Ude(+;_CGk*tcGOf$qGR8QLW)95i@jj-9H:5XlI/Js(J/f>UI
%P*E+B>lgCC6=LE#d'D#hP&NuGP)XU@agr0u*P/RO^V`M^riO1O3][)nm/E'^"L-:u:!/8r'gFck7/,)HUYQE%451cVLGbi.qKn4[
%"JrlFA1/JPP_DNo@VS/Z?]BN</G=0RW'/sF=SYPUT2(8#1:0QN1e]hA1<BWK^bc$C%A'Y#1$_eX]!D9A@C^)Q,C=JoX:hZ&[T"3I
%?Uh+qDeu+*fg6^cDT/r9l=f!QgKmWm2gr/;Y%%K6H0&3aG%GB6=lP7#*lC"^nu#>)4U^5V#f-P6[4DL'0J-E_gZA/4SJ\$RBdA88
%V'C(A/+@1R3`^F*i:UK2pY#IK,g>HPmT1m_S^E(#BpkBn>e".RH?D%.j\Rs6WnCT_FqW",IU<7a1Fm'5mi'#pM#3<L/gPit%+>@;
%1l,&b=!ijIPZd3I[Cr:o&Qb;0i7'.j[Z-G.Uu,/QRaJF!\U&LSE3r&=jAo`pJiQsnTXW'[cRJW,6:L;,HIGlaXILK$AqP9HVhtb2
%i(+NSQFDgM=X9@X,h0UCoftdB]\tuO2HVOs"(%(!%(+DR,dPOl%=kF0G'Ca?0LH+@!gMl(#/s/7N'0ojV?L:f,mobefgq0kUe>1&
%5^1Xd7d6)7/C:M@WEC!M>WRNkMhDa,DMg''`<P;?`ur4O=DK%LkcW+S$=6j%$Tk,qLV!@7gPHZa!Og]dNIANb[<HgaB+K.Y>E>1^
%m:s/]EG?tH[.5D_#&+'t]HE)9>b[PJd84ok/!e:/3`T4moiN#F[s%)MFt:FI<0'1@GC?h:$>O$NXt'K8QT(!3RmEiB5&5Sp5VSeC
%A;Du*Q5"cmj$bWrpY7A?(K'qH>.EB(DSkh4\T#<$hSn;THg-:R.g'(ZTrVUD[?7WKda<&`>"*Q).jM(C>nPo#dp6VBMT4snNu+f@
%G:P+dCG,A)1M\iQq0f[Ac2`YpH^?/pcqDACo.D91L^MW@FsPV9[R)!#Gq"VkhoHT\%0euB,[J!-'YB]sF@_(bekjo]&KV!d*'h&<
%2@16LJm[TW<ogt?4V4rro<B?D<<:4*2kUFQ:kYe>Oc^8E*sLLeY3BWW&'1T+9J[09.Gcp"*G4c1p^!5Dju@9d/^?q3p(h:%$=aI#
%;)Z'(kUE9+bgJn%kB(/+2nme-HpM%5PWjH:!n0c.Q).".ZH2Y>o"f)2H2>5M;3;/Pq7RZD.g'n?!Lt/JRH-1+/`B8fKdSKhWMT"6
%h5J"]h)tb(Nf*h8d]F&;XX*p'=\TLhJY4-C!tS$*_qb_=<XMqQB8DBc$c_FX(c-Kf)Eejr!Ych7e&Ztf`m$cM7\J+2?o@4)+>%OY
%/at6@#f\B%5?1/DdB=!o@g7GJ]5_mFgo=K*^M+iZn77)JG;NDkM6f<UNfhKO'#i`PS([&hLk62(c0Xrs/o?etDO>]DB@q5N$/hLZ
%%n`iCO:Y=78OT1AduO^n-S;,<JO,#"\'npNW?mk1*h?<'q5V&u3\,-2/#LK?dq,1T@&m-dPVX(*[M7/QS7V2/4;m8E3+!4+<(ia;
%Ep=GN$fLAO*O(LB4A4pf'A^r9OSiQFfVt)`P^@?eDA)s<,3k?o/^OcG.>J0ZAnC\#E66F>"Iu>e<5hdm0Z'5MRI$@Q6H?(<58Yr]
%RMntYd8N:i+Gs,];WFM&IFA3*<hIV4mupo@#/[Kp`'QnO)f5_fM(dn@03Bd\;mf^R8Pqo5>JQ&qfcf3NQ&:fLd9'*Z#%#!=R=A^9
%@>C4l[X'7DJVO`>Z@R'^=U=5g<$d*O4<i:;"M1jl4*BN]mG-21-eWg>L7^k(gY?VS]%B)$;E_mr"`gUh,-*?XeH.nbk0E8[_8Yfq
%g"F%`@.CVfSh/\RB]Hc%Bl>j13XT2RS3R4Z]2^TNZka>nk!4`T+q5N!004-b'M7PC>S_$u2[FcB`4h-T^g4h80"#YZL:BlZga>$e
%+@:7XBIg^:7-JHqR4U[WHt6<]X&N^p8-//7@8QOF8bJ.CUflBM'X\0H=Ihro-'[>tVb'i7j!Zl9RI'2gJ0*hkiM<cZ"s0KtoY&6G
%Tk8)(#=)r7ffa-\-pWPpVOS1(19f0#3*Jb<1u>C#XJLJYq4!T&O^c@':_G>jBlb;=B]-*B!YN$Vq\u):Sg8t[o-DG&-9G[CVE]l8
%))Q<S:eFEt3eCXr5IN=,.]/d#ZCDOSHJra&AJ-VT^+i&VSrn@/TRbPa^;:a>VANkX!rYl^jf/CtU'/bo@bhn.G06(/X#%^c-rd0<
%BD"i)i@Z!^Q(-ld"+s"m]WfR&(4"'P8>SQZCDm1fP\+sXB_Hu=@Ls8TK`9<t2k>cq9BVJiqQ'c=@l1!C5]&BTTJLZ1.C8U/#t,4>
%gBQ2=[[A2,Z65t]>;"7oBqN9*FHPsg9+07G&F('cmT,BT,M\G"k](Zd8\?qe^Z>+sA[T,R\@]_k#K+-5!eQSra5iRL/"2^MiB6-)
%#if3Q1)Z=uMMMHAjJ=qlH7i2[mhJ@]<`*5&\DAa]hQ>eO;=U3,T16>!H&q:b;19N(WigekpPtPk+#A@PNC%fM1,H3beY>G)^QOC-
%Tf82;Fs18r\'BMZTi_DLE@[uicR46_Q7t3f)T[N_(2ZY/#q,F@l*G,/0gfB(Br$\B,+^cl2&aNu<AjbpKu#K^@K9akBjf@S0S@8V
%S-qj)Z>+PbKga"`kN*i!B4lOLC+^lJG+_3E-l0ZF=\c[4?&j/pAZZa10EWPc_QHG.fsof>=&-=3q8_FMB6HZfkMRQ9[h+J#c3_K*
%4GG!#)6?I&dS)5TgMM)8#9SXAFV@b+GhJ^^I/4>_k"SA#3Wo5\9"SWu?!?onS:^\aTZf><WKP6bKGL:S!jnc[;$(c)+9KWc+e%E@
%/cgSC%Ku9ZWe)IRBp^XWMM40J,l)>PQ]L(9Ti.9oXokFh'C$1GiOXu\Cu@oWj,)V2(tC!q6%^W.Z49,&iMPq*ogAmDQM!r0]3uE7
%Lb*Kka/'hjY9MES(k3RR!HOGJAj%V&p+Xn+-'Vl:FDi;0Os%0XoII5p=p9iI;.<_n6"b_q_+;M>ZKOm_`)ee/9X2ti*(/eQ(s4&0
%GnY,,JZBNuj[-rC:2Sm2%L705/C?V&M'3Y7(3M)H/_!*jW12;=Z.,nqZr":^g70WO-Kg%#5R*f(ibJnj'Xb>0nR/^s)mNu9jWV@:
%$o8ms:Cl6n#s$fiF*=VD:._g!n[+!:C]0uDh=>CjV;AdpiOT3R(5g@Z$e'5kfI`?"l^#QV(=??.G]]H#>rPBr<5l2JidnuoO$Ei:
%7p.cBW*JmJbpY)O0T9("[L<IJ(bN"-5S_!o+s>.e<dY(SFJ)b:Gk/hB%]j^OT?UcZ?\2s:Kil<&L6#C_D\?eG5<E-p(mKREbef4P
%%>8_U1'Sk\<i8(g+$d#;hpr)!D?7M+;L^oZ=hmaZdK99S>>2##FK&K9aU%CW,HpVJY1s!]PcTdb$2`Jr$$R!#$g?V';Rq^"IM+AZ
%g4SJf,lQ]+]_=P#<?8*3(k&_3Bh!6<&!&Q^kL"1Bl]LW2!<;*0E'i:Rah[rPb7CfOs*O>ecQ?7(r9X%4eh;N$pZ@eQn(rNba,A!Y
%X+rbKrpo?Xf68b)TDusfh8Sd3RhM*ZW;)ugUS#$qroO#8_t9S[`6EYu^Y0e0eO8;e`09)Lr1F!NS@kPns.(2/oX-,V[8&9sBbHu_
%78@<JkL8lX-2?.6GN05+_+-8Fk_%@aOCag$rZb!c_;rO0@V:Bs:AT`L:>17AcpIA'oa0W;VSEB3Wd03g(BoW@4"Zu3YBJ(QbGs&g
%E6m0jgE?F8_2%;%>'mF36.3"$NEQ[_$'h]uWf\Fk1=I_@A`B%?e(4c>PYg6?GKLql6o&LW,-riM-cs+Z,IhVpVtO3\5Ai?anP9V4
%?p4!Nqe?Oi,Yg]r]-(RC?m;Z.8j%')2_,)sb8TOQLh=ul:o32!jFpO+Jo,aM-/(lZd%[OgB?K`rkX+u(3R"R^Dp]UEFaflV%t1+$
%*\1#@4ZNp3[K>_:(<<6L(cB?qQ>'d8[0BI"G'\+>?-C3HQsh6cf7[@^Sf]K2]G3e.RGHd$:D.&<s.!5LRaG"SW\(NaG@>qkQ1cHZ
%VQ<-9[SB6RO]9K!fHM"KP_D,,q)7V24(8+Eg*7?.k=nmnmq[k0h%!h=$8NLhoW="9erdrg/[\s@KlqEd^SbR>p5!?j6lQ(JKG$DQ
%&TmA3I`QSlm.Xi]m:k[\B9OC%Z7T(Ik;"f(NMDb;NQRb"P,Mh=Oi0"0jE]_J?6QGSk]pUDYp@ULkdKD_o==S<8J$EjR[m,7"rW?8
%j(0/CHhPrm?j7Ya$dGd^Y%l.GMO]Cq@hPNV8n#]P82`O2[)'1qmpa@]Fu#W'orP.F\tI\IHOd=9VS'HF0_&lsfE,)_PZA=JMF]^f
%,=`RGo/S'h1]+hTq*W!MfAoQXS/u5/Pd)iU,`.4sNa"(p'btQ#.GQ/^SY_[9\EY7!R;;G"V9684lUUp0[0k,EL9.Q3c%0:]8R6=^
%eM=)a(?-OmaA&HBUnu.YGCXtF0Lc>Sjen0\%3dMD.S-=k.a4Z*\;_PCf8..hO='n$CJpIGc@^QSN`)IL=95;+kk1;eTrYU>,BEVq
%a%p%UkS6kc+/?^o1S=bk<)jD(Lf!]+/(`T+2WSI<ko;cLot]U!;(M\[ifX^KILq?a-s.cD:GF&n>8;o;_X*0*JYdp]=P4ek()W]F
%&3VU?T4u=1Lq7AT8()o,[9PFoV(*]u&JhD3,uY5UX*X:rB^OT*?8&J[o9aBWN;BQRmRbsWUXB/;!=Wee`SO;0FA&VG>*/rCJf\0"
%:24DQjas'o?MKr#MeTWB,'G-"d3Q\^9pG;;LZ`nA([Om`9Up=]d,Te:85pR$6\/_"`$+,ti2kUQ(&OF^DM*ak#FYikX&AMZ=m1I/
%#,C!e,RuiYDAa$ADknp!X[>H5$lmd00X2pKPT6F"VucB7,]ut2Rro5F]/j/'/,2K1l@k3kS:1<K^p"B7*!9;ckY7^&-F'G-O]Z+Y
%,]r5b<YS915hJV@OUA,.+V?tC4Q(r:HG57_M4G[+G:)2UO:r7&fCpsK2oJrO"u/V`FW@+_IC(.c@C+@`$*/XR+K<u"'Jqj7#!'*Q
%`0e:6g7k!9l=fGmEti">3@Rra5B].u"F(^*B#(]$W$k-]->OaY$IM1+XPQT=Z-=>_CLeT!<ImFDb#7D>>9ob3kY,;THG9,XGW4W0
%)1tE]=Yroe(<XYoVg]'U]:REYkZDrZYIm`X?`c5gQ@Oeq(5WQr/UKR[]ldiPFj^etdgT5H_AQOd&.cT(W*#%;N6Uat,^:!2K0.><
%n2"oHMuL!k(!o4pZH(W*'VVC;br721(%jjc_A@Q"+MuTbik?2l@g4n)MVf>F=?+Y.%h\)l@S)r][6W?NJ2\.Q%]0h-B?uSM2THMj
%dTf(aQ/t:?)T1!g=qOCG4K^dkktUOLL2uF7EQ8^2IXi'4cDN!_ft%@T=Fu8reT@^8Zr@j<67]LsgOP)?XTb]<2(FNh4Qn:j9aZI\
%qC&K\V88:dU\^"6)!QYsd<aicV-U>A21La;XV>k%ELdPNRMV5`f0+o%n9_:B_7Hb5o,EZeK!/!6BG/Cckc9;3L2.EuC<)kMD2sN/
%iHD.JJ&He1=megFjT_U\KhY(EJ@J4Y-4C3#WWg5Ji:'S6aI1^B-F)%bgbPTOX]s%<9%H6HJSl]k+G$5C7t?anhK4>M$m$\FXB;Vd
%>P(Xdi+m&<)%0GOGJ_IThfGlU`=[;CeKG40;IU3tP3AP`p2C$=UG+pe3C8oU$Yr0/%pD==-5qW,B>Z-F#J"^5cq:b#[IT?b>9st;
%33`"[&jI*C;B&I**"/;A=KP1'8hsTS;)<b-%n8cAHB>-\pfV7_?oV5->8pC1cil(F/7ca4'DAkHr@I>pfY1'Sk&heNIdk^5Mul*A
%Ur/*(,X-k7J_GWp84S$X$U'9:/eVlqWV)(_Ok<%e*)jdI'[=^?;leB$a!_TXTQ)$!<jT96<HUaX-%SNuP?"`H;FK1@/0tmCTSi1Z
%4!.n;ch&kO@WA#6<Hooo5GGJ1i@H$+r.K&T'cB=hfJhaTQ?,4Lk:SZ2m+f%=m%,^`>A"9Eo.?.N1^q?)A7W$mB3*L<FOc">LL-:j
%bRKa(6s%]:<pa&09U)2"BL:6KTgOl;=LCI/nX_hdK$f<S;%R;D@s6Eg$*]VUECJ#:9WPaE8)&P4ZI-'aL^/kj3ZD8Hg+_`U8a*gI
%GBSOLqj+Qt@7>3970k^T3QH*7E**rEF1Q@]6mD.PX@k/0f:C]p1bANm7I'Q'E.i3iPr6X7^u5f_Ug;E&#4l=Qk7Tp^@<O-rp%"n+
%d9uaRi7YYpfYa\Kg'C8ZX!.YZqL[:],kA[LFJP<h:Yfe;PdI*`p".LcrArO?7luX"^]SISXOp4<HG(Pt\MkLEf(Y\PI&cIkLpID3
%YI!dhRiT:D;Z6i)"3o&jL8\SMD)E,o5!-RAOJck@"rpF\Y+qM=^+CfQB$f""q`<Yu>C6=UY;G2ZlPGHiQC3rhlT%r,JlA7BkBXfS
%r>mR!\5JPGYB0as+eQGG(5(s,@Y'`Y0#`%!*R."rg1K=-Tm0KZ[fJ*I'XMcdZBFf\dg04^aYUt#AgQ?!g76seUr)U\*-m:t(KJd'
%EQ39beV]j@);?Up:fb*F+cVE_?J7,HMD"^\-0KjuL__WgLcZMg<u4OF75-\j_SDO<,`E\D!ACRL!Ea_U;O1(cRYlg='ZoFuT"HK]
%bRsd*leWhVp0=GX(RPe0o[ua`b/sWKnH:X27V%[DE:OJgNer4uVJd<h39tc2J)DYJ(PA8:R[:foILlgD=l!*fB;usQGD?I)LI+2c
%!HU#`^(H?tEBqem5O-XI8`-bXKnDX7Wqdsg!5#G1"*Eg;;N!QKN;.?'Rn]>JFu&nBk$6oXd_8_9%;j=KK>jb\A\'E"1bgU<K%2Vj
%eE/[IASbjD!DB>NF*SXj53[Sa/Ck)OW2/I(JJ#?l>#cb#RTqnU7*P<Qi1\$-pTm4\;cdXZC8*B+!\+TLY+9sN+J9.Lp_<Lt>S-o)
%Bkkup,IV-6.;9;!*OJ4R`cG9.gm%_Vc?'?7m)"*h6k;W'H%bN].Ub?S3b='SH4W6:;&tq=U5ImhTR2^//oA%o9IV/e*>"Lf<*<\R
%*1Y'`)8WAQ(bM0XgS#nD$/hW7EtsE1nSC9a'9QF^fi"&UIe$WTN(0D0SBL8&8%Y:#>N[IjQ+%[VSYL'5C)=]ZD)-`cMY]/%NOpL1
%o2(RIWYQl21EmZu'QKM/gW2Qd[MV;t'@pbO$%gR4;G[kdSsJ!j?4CSt!c$Kk<T/NAg6$>>W2'^IE9$N=/)*&qg<^Y7:aMG%1Aen0
%gNjhEI,p+q"i`IS`="3eGi3Y-(QJL>ZQUZ!&Nr5.[=g#@'fE-p>_#4iCF9H+DRDk`I7T()]*]rGihQ:VVEJs-;KqLf6]iMMfb%XO
%eBjGRL=3CD&S;4^&Oq\_Tcu0LJ;oXUA52&4L5fr%D?TS!C]^O@:5!UK_,fA?G+MC/(7XfG3=rk9P>VMZA<<$:_=q[S]e!#l0(=LT
%5g-ad3g'W9SgMjD?4mM<b+1#?e3LhqJl.C+_WCsFe*j&>a_;)YY_\*;/EC/T"Co;S'g5NA:C0::FD.dpL,`8QJPe,CRsuPU%S3RD
%,g0CBP`$*eVMI2eQbV(,72,O^p\9KZNXgLP@n"'AWfC':_[XmnI@[p;#l"OUF_=NgVCf'j)o(R9S>'>Q)t[A_[]%If/PEm=@*p2B
%=I"mGM].BRcJFF./gOIo!D.q&'qfa_K=$8rQ)`5C1T=Y;0F=1j'eV=d`hVA+G"BHK>%SS"#.8ZCGqQ*?eQjmOrP[;RK[o5\8&@,@
%@.5gZ*H':R)"]98+sb_a/is5J'01;l(;U\XBV8IH7Urp_.nNcP-#^^6V`C_mZe<='ED"(R.\QF7&m;kIknIPU'N[=snR.sVPYG._
%De!ND3\5chFO2u]\,]PlIUNGVC:(/a4Ml>Jg!maUV!b;+9gT*W@"D@gd/gp;]UPT\pb-0#<0p<XE4UL3F-rLf%N1I"KS*)ZD2Jfk
%%JjnT$@SR`=ZK!H!/mt2=O#Q4Nk($d$IKud7%#2*R#LW":W9/]O9=YU*En1J_d`:fFqd]YLK*.F!>6][iG9/q,B?9P0WgSU2DGUa
%:S5diSA?\J[D+Kjq`(T07%j7RK>L:@!UV?uiCl^OS?c`b-P/(,FNX].[0Q)OVh>]<La^g>WK`"fb'Hq^[\36%%LZcd^lDFlR=9'^
%,6ckbE.Xo\je(a>Dd%Lhi)j(3"MW?m3*\0[dOYSt@N:KYNq^NJ*g;MSSkKe'eB[Z#.P#e"7GmY><1f,&&K/.BJ9YK*,^s+F?OVn-
%-aXT[2(QaS%1K%M1hg?f,JFf5WA>pqFP)B\Md(sohq&-i&;iDk8kU8XDWK2]^UXFi%#1df!$2LW`e^-0Won9)#kjQT"-sA;\#2,<
%GDmZ,Ko.aWL9<gj&^O-lXT93Y$Nm"5eou(2j&m9Sc&fjb@5YmRM%m2.a\3+L,$_FiFhn5JGi3CN-]9hIB7MHAIS7:]AcV/B&%(l2
%4lAU9Bbo'(`D2jr[Rk+fCnf>O(1VlqR-ND[]:dg[9&,.2A6odUpD8j,DDpNP/Y5^]JEk?%RqAMi%*u9_N,,G7X"5ODC#q.L!^c"i
%D'_s1U/W5-=FaGo'^92Fb\@P:978&\$<Hb^H4WTY(rS`IH0-3J8ZS?p)^?Q#*qB&&bYS`]<BaJ=YU#G2b.0]$4)++C$,_QimVIH?
%)/9kgPYgP08eDMg?3Niu&I4(HK?`=2T]5>K)[&UAgZM$SSpZn"0Mt+$1+X,=%gL)``r?l,Z&uc%H!E[tHofe%Ks$>eL,H6qn%h-(
%VB1P<QnC:e&RhP.B6=S\!u9GA8e9ib#uXVuKTe8mS3s?[TNb@/*Yjs43eiV*bZ:=;D@[?al9U!k)SAKG<'ePJ0pl=7[;e2U#Q(k/
%7`H-B$aL7^!?j!`eo"ImXO!gY;M45^I_HVK\++1h^iZY*.Wp9t=Ob;WV;?hJDA=hbe'-7VLS3N@TOk!GUh;Kj8l50TBN?F$'=][t
%U(@+T!QHK?UN=s\MKt-)H6^uO_aGUb2[TU_eXJO4=4=S]V'5NJeFRZpTNPGX%Yo&h(d`.qXqtM9!+npOD#gkAhrCMei2T$CGb6RA
%_Lpf_;icN^Pu(MO[m%r7P?<GWd3t8NW*(n',/h[^/*Meabe=G7:a>gBNt8tU"7=h)Tn]qqB^1Djj7lIB3'_('h3<CFeJJQli7`K.
%l%N&;TN?H@FcKI#pfI.EgQ'o%jkA_iZTXdMkLiaFmAeP2F0!H+pY"6CB#6Fmr+fTRliF5#$tC-<cHHhQlk_"2P;Pbknp.t^[2CEg
%G(``9X7oZ6PIm1_'^'_p!011g'1b)clbOaFGHG-k%MPU)JS,Z6.e(pg8gsj.c65(L(ss6SU_K^')5LVTmHP(9mX>/U]V;8B;oh&!
%FlQH/Ua@'h:,>d(l(\E,4_#DT!F3G,!l>2`@J4[ua\7MliU4O)SqCHtFIAiY=B!.=KBkF2"AeJBn\\3G*%ijWTp`V3p8T/Y,"CcO
%$FuHtN`77%;^d^ZO";P`9naf=I35+rJ=`D&l5g7ZH3R7"!S+u[(e`;m'T@oiRu)(kCk,eL%i4dI&fj:@YjIYE1/\ut>Ec;AM).Aj
%>?mMP)k_ep_+m\'R)cTRe;#.5iZtfT_a7,bYc4!.X*&,OR7\PCEr*@8XJECY;=5iH+OBSFfud/7%MK!N01)dR?fs])AB_aRUX\QJ
%>">F7h$mWJ*=J)<+jbb&Q-UE5[S$7Eh&<.]96"UgXTlcoESP#+5d+'/l@@DrW(ms9$LEbpcGe=<]I!9E\5NAF0RV4;HTLZ#90&VB
%KZ0,,i9Vh',9]^X]p*/Dg=&Yp85F944=q+4&Fn4_h]T]M+^Q3g,6MQ$cb>at>0fV''.j13=@\dUdD;eGBUoAeb:Z5>N_$)UI&Xr<
%B:+8+%P"@kCn)d)<=:A!PK9-^1P,ntJ[[WJ)8cpG4bg+-K=))UlZ$,2$Hik!/>\\-Gh\s[8kKH:(71DNC')6j/BZ'Co#'8'-,Q&0
%I)/DWeWP2%$DgecF[?0Y/OY74A!h%NBE3"V+N9E&asgdSl+*suQl2/XfH@J'DT_1Y<Yc/_-IRH)WprL,'Rhfqd3r)'P8.S=`aY6,
%9a7I?)ek%FcXeRL5NO4m,7fWs-V\qST:@Y`P^&1%:(23gZ$,qgR,-Oh+.QRNYd.EAP,!_tLPV:4dLlrd\7Vq_3&;p03"L"M3ZPfF
%q=J61"cPe',nqZX7*O\Cr[3at.jO?@Z[-[T:.Kdj>!riT$>q)7"'8WKZ\gWD0$Jnfd92pibYT;ho+1q[@q$F1k8VL?M6"IO1j=\'
%%rH@LnJPtTJ9,e-JbH5PLSe\GOno62O5\YYWA>V>P0`![lP7#Z"uUC6ZlXc@d&T[r0ahS;K(4Yg27%[0DBbZ)48FIe,+enM*Qr51
%[[;[)%U9t#Jaj<ZXpQc+C&ff"[K]ZVa(es4(Y]A`o8+/08iSo5NODkqO;r$"dRonR<cD.P%?@0nSKo#D._uZSM)2VY%&f%`'eXTG
%@b]sYhU!bH%XpT1F%=adVGCf.f3nP`_7ai_J+1O0U0XX<ZIR8.X)[A^i-8D.'4J1G18R;[iAfQbO15oqCaL^b?'<*@1(\7-F#_7*
%K+d@_Bcsmq8/"2J<*_:[!5YsHm;,9plk.`?`?9b#%51"d(.)qM/`BBas!]0(raO5?:ESr1DfKI&ahVT3/eoc>?I4EVN9GiaGa!4<
%I^3jP7Y@8r[Md2$KKoP7T1#%TbqXo-8=Za^[Cque$Qit-S7T<89U.5-%u`Kj@%iUX.Mo\8-`jVGd>u\'D.',!MmeaQ+@``4)R+&h
%N</)XQJY2!>?Su4?+bl^*(jEH41im)!0^+Qb(,rj=CA!./VqIKgWa:?/::\r4%kkQ=pD3G4%i.a<dTK+DG+*&5GI,<0Q49Y[@%ua
%npW/#5r>NP_B[d&-HND-@&.P>"2)qaDBM)[Zn)oFereNF\X[cR&FZki,U[[q;afAJSS!O1Q'&O,?l,Mr:EU`jO'm+E69jQG&srd?
%:Us\$:I?VF@R*RFUR/8\MkcUgs-Z#()<f"4.h#lE=AiRrA#k]Ra$LUbCsg%!is93Ro0Z^3+uD.o<0Z\T%`leI-(csFki\7G41>RB
%1<j<pP):rXS/&=P,IB_,[SKB7)ShE>gKL3@!M=`hZrpui\-SC`]r\.%KIKWj:p7tL(_Vq%SL+PA>m6SHgf.4P4V9`.@#<"X6$ES3
%Log(H"p)SOo]0+5>k:oBc^B:!/H0?eP,;egC"O#T7Blh@M$'nVSr@a`,]MsJ%QVM@AI"Mfp15NE1=k5Nl;o0qF]V7\<!!RC:Te7u
%@@]c%Va<,f0@rV3=_%+Z-hP#0=3p$pVLGVSN.)J%gPKb`?)Ie;K2qa=()Cfi215'd,0Ik]=)NHRJ6c[6H.a))f5Qh2k'/EG3-+OZ
%>hl+F7co4&1"<QSJ#OdVLmrks@5L2aesN=l9<1m7&RjJ]_3oF?.t6Lu5h@^*^tFlioI9B@%5W%.br0\!-(;[aKKMljK',mV7a%C(
%33'BZRHCDP/dBU,9'R*2PKG[!k[o\[Q>B.N;+ZJO&<fTDUFG)"K16k/Bia_s9F>)?0?u"JJAL305eb.$dPRU3V/!\#5ZAOsD'6:Z
%A:@!Hd%Y506oLr/e0HH`;_F[IQp;@UR=&X>i3#+L,N;,%=pdOS47AE7ifsX>&Ad1-$tgJk+=@e_Ql=C1cW089F-BR7H?rH1$$F0]
%jAJiqps:MW9DUf;8='0UR=_)C7^M2MboE_9'$B2BURihYFHj[DKNbmc7\lekV9Y<C7J!9dj*$6A20m>U).?&#FGg^1]9^I&#*Mql
%TJri/+]!Btd84:Oh-ijACugpp9#M_ApTR1DrG'\*!,-B_eu-%\OnP.dmt8uk8-AIb'EROHP6k<MV-r@D$Q26oUgAata$WU6I0Jjl
%`m5Cu-LnX(PK$5TCXd-qZ:tG:/rDUImg;"Z"7*[KK#&F!`BHQlY8`SRoVRRJ-^PTsfP8F#DK%(b3]an(oO'4ZFNJ62+FOl,c6iE=
%D''U4*$ARf7-U?aJG"J.F;27VB;I:09-]5t620.KRT2`[]da'<bRPFG&<*.&^.o8:Q&JCZ0bPgd5:.WieXqX?/qKmhMa\MY.:Z'X
%=*C+q):AgIi"eR/E9W1HmL-)]+miJ4)N=[HCma!cHDRpoZr@0jl7AROc]5o"WCuLA(OnZGWD/nZ9jGr&L?ohYU6:'W!AoUgkm[tR
%AQ7&CD]8pBH(f9.L`OEC2oTl-)c\)=-Vm[">&;F-;DU'\0IP'MeH4=MJ2=@*B]u8O/Ic4$BSrEf_F@p'@\?j-%XtS/kmGY0?@cWr
%9Z\/-fP!9jEL+[5i`Jp!%2t-VH>Q=l[Kr#/)9l;R<FZZqS\W3d2(R-X1`&T;Q6[1s-F'OkW2;os/q_b>n-OEA9#IGt0P^S,:FAEP
%X`>cU1Q9Tdi_;\\H0lq.eu8)C,g\^)7MN\)i9-sIfT]2,oeO9P2-.o+TX#aEK:R#HJEqT>9\MO[[Ke2olJ(=:BcD`:X#Y#X.W[+E
%g>"J6.A;N)!^A#5HIL5[P2[f4oMN&H&j2cpXYqEJl*IhIWmOX2J[UFi-G)s8btUVM9\"O9<Jh&\Zq*fY*<6D0"as"*8A8?aH1o@!
%?>==p&_6t"1b3`.5;,`$+fVU7R9nVP0d'rMgi!ba.Spg;`&6M2!MG7+gF3qJ1/CX_;;SS'H-j`J^6Fldh3:`o$R,p^#Pm"&,HcYe
%0k:g4.OAe`Y(b))/fSL@&"P;%en6Ao%'#4a28[`t3'EeAPb>#BAqX)7&h1F[?VTK'e3Jg,fI/p`.XMedR0#A(-u6+r=!O91qO)MD
%Kb'Fo<lYBmWm6Yq"Ye>pY@ge>]_rc8.jPFtbO:)&+=B'np*ejH7ZKEDVH&<^;-"Qb6B_,TF8Ej9&0sTt0GM1n;ajR_5NH*:J&or^
%LCL5,pRI]j5BTRsRk\j(2Ae#;J+IcMNh(@Bl]1#\#TPo3$RaDr3<LS]mMt$ZNZF!N'V#&[Xs(h>8I/4I0HnjQMm:s?o/2!bhHrna
%gkg\krr2obNt9idO4ST*4ZsN7'6DM"iRRD3V13K;r6lI3rjUcihm@!%rPJOrq:A]_pri-OIt.L\MZ3P(p#Y6,rS>H1&+BCNcVArg
%pY21Lp.qTg>7]=m]mID<qbJU>o'.$`5<N2P4`U;Bp!&t]X#p0%J+ANThE=X67fVfELMsB[hgRcem%7%%nO76]m]WZeI!9T%:*04>
%i<`s8V[(pkJ)Gd'g7EfngFke+q=^;90AVg:\:4&A&EoNX5)(Y$s6ia-rU8(ZF#Rp_p[><C4FZmDs7NYq*5a^:f73b]n``?t\PGDH
%qlg"blLOJ3p[@P,[/U$pIVHVl6i*5^U&VX7IXM%b\5j[MQS$4]0.5N7]8*S]S;N*&\*n4Cppt_<PCHjV`OhV?]?@6&a!/9DC*[Kg
%;kJ/+Q[3ZT?X:=XqTZq.J%odZh;[!gHi0(gaZheY]6C`6\9tsamV7Z>2LkFa&*<6YMoY/(bGE+&)UVc<lqc4lgC.fXiGHl#Ks&&^
%FT'>!mcmSDD5!rLn!Wou4M@odQBpH6Z(Zq:q1AJ&rnYKRe\=7PI/D1]jV@sOAfT,NN5^fOID>gUlJ^amro*)R9M[k,?9#R3rV$6X
%p#@r7iF?t[Q&-mGrJP#gI=:\>d9ufA##dW&9RCMj*"Ad?_6i)La5.b/?U%dP/c+W(pXa<ohILrdZZTXke'g8%d:,.?9Lk$*BJCMZ
%VAE_sSbduIR=9GSh:9adhd!h)s8J*I9j<%"IC5X*$a?21)8hNESIW]Qq!."tdQ)J9k(VU=lpj(k48NYKr9`O6?X8)(I6g$L7VePZ
%rG5R.^KnL!qtBmGm[)*ID''MEqldb`HhI0*:*7jVfP6Tln@j.RKq@jI5:u1[>?pT7rr.l2pCFnI%VXn:rV#OI&+>g1HpG=;L9q9(
%ZsDPGgct`&pYRNk47au^LRTlcBDU9N,l1BOIi9j-p>*X<(RJ31>[D7>'ipoTL;:XSj(Y"Ih9EpVYQ+UhrS?#[(>EEl(S?.]>7^&d
%rpK16`K(nfoSZ)bnk\)gro[,&rR8,JkP*IuDAN40^&O_&HiH=VW!3+hrqc'QHn.#Jj#Ghs^<d=6Y.*Cf,M@8sHZ+?/gO>3seO0=u
%^%qQ2WGep]s*/OsW&bpFY24Uhm-Tg^+]5hKeV([hGnajrVe>_.lUu!g]^'Ggc%Wod/\3"sZg1i^ftT\jQG%OQIf/@%l>_a\qN#ie
%*KF_,,M_A7+1okkl$djLnCK1Z]9fIN]VsN`GTAd'8NtYMYtZKl:E<-$s7XXBqtlji5$VClcdON?r<8C\Vn^$=HHD[=@S)S>r-_Uf
%[d\P/lacM,fD",lnKIrsme,&>aU]2+Y2=*$O7:pP+2jZ7Ru8lXcj+-grU0[DgMcLumf3-jI^22,rt_j8I6EZu5XNri(ci^*a('r!
%nc>NS\*3_G+%4jo=7,6<FS\o[4.g65*ZR<5X/?L.rS=Y]>[2Wj?ai!JpN=BfUb(r3QdUFrEBan-4_A[UZa`6hcrpd,+2XlEFPlim
%db*R-hHtBM+^]Lj0:oXW@f;o*jT#&)6+O=?0(//1DSEWl\[pS=<o3bn-QgpS599"bdDO]9`O"A5^UemkmENW3ea:oCj6nV74f#.<
%J9fAIkkk?d'jFqnqg-m)-hu$0`h./1cR6cSIr1knijhiKf%Z,6eC27a+(n#*dqNqo$&ZKEhgkFkUjCa(g>A+Zl+ZWd8[ZN3Z*,P*
%(+Ft[RB'b'G1"bpnb'fum2!JKIVKD,-BIn*SA4gEdIj@%D<=%>JoX4"qXag<S*r"ZG^9M[FF(TEf^9T?#=#oQo(4?EU7*lB\.Ic,
%BCP5)"ap7EqW;B?K\+I)N+%Y9FrH4Np\3J3VhVSPpa70<c1ToC`R=habDVk5hq`2OTUn=B%)1Q0VcVTkjlO,/GOLCXcTf_AfhXf#
%LFY:3T,u@K2qO,Bheb.hHh*TSq2;lNgMJ;:,GFT;PV27lJ70!noR6b!M8Q_I:?rJrn`ff6!Q-%gkkj6*f58gVIGM+\#mTqjl@3Ze
%C39YG*.\YCG\eBS&7UR3n,Ke8cp3CS^@\!t;NF)!,7ri^^Ej@+#]Y.*5_q#g^Ah9R9*.Gi,7ri?K_T4Bja_mn>P*@D:T>WN@L"$o
%?:Q.K#KO*o+gCV`I&=)jL]h&=T[8_jrmT3j:RT"J!7Ur;3q,fr5CCJXc[YiRYF*;ebFd4^GW7Y-$R+on_Q.u.ds-Vbn]-`**"T"B
%+&McX5TT7np%69d*`0lZl9GlY?U$B`;1UdhoB?E,:fk"2O2o`>Gj6AH8+l+sO/Eee4ro]^j71V^T&sIA07QU,_Vq"_a/\IG*O>&B
%.K>JkjQTM`GK<#<%f,/XhlgqsG]WDmQNs#^pM$[7HtoC+i?UPq'U(`[q_hQ]fqX=EOLZ&!R3,1/CB&W?C&e.5rS@JQce:UR*'TJ0
%D*^R/,_S,i6>Vq<IXAhsXF;:F&D),EY.hWa>HYn(?W5ig>s/+$S%UP'o[DtD5&in2/AK0YDi*H4a\a)S/Y:oDp]orjfGD6_X0&D&
%m]1*9<U]Z'U\uADO<#qKIG38=W"f2cG>FRo4cg,YIC*X*PB=8qD>/1206Z\Ij#fOt3V@%?fIqbYl,R(XHb6J2e8`+0qtk(lhVXVC
%>-kB\1],htV;3oq\pK175J<!T[Y/+YG<P;*f=0D<Is[1rHgu(Rps&3VithL05MhrS3,\I4G9%a2Y.!W20k0rW6nAk9"Rm85r!/$[
%niTamdLVse2^cWojY9AQN)Hf#'?;N_V]4$AND^g#plA:pA!HO$V0k##g-'Ru*i"ts[&r4jJ,T&P/U5S8G%Y_TJA'jqLE2b0Rc`o&
%]8*TE/cN_T1r:b=n"ErkfA5-Y?*j%g[THWN5M3k>al;4K'<OCpaTqFTe]lA;pJ6h5k5):=4LT`(]d3$kV['X/r#rV7A4f&_lbh9'
%h.Q+7\b`CqT@\S+s6RA`qjXY,cQ97GI!5O/EOY.<4sWAAYrq$ncZJe8]j*eN<X8BHflV<orT'lmdFn0YRZ+:CLVb\CkPFo.j&59?
%q>B9h:VN.ce"aFaC&c4sNfMefcfX?aeMS:!kB&[J(I6t]@S!'U"`ZfNqX(anQgJ%)GS,c$_tI0AQfbO)@Q_6uIf9"ZgPrn+b@:&Z
%c[[CqH<f4:@Q&`+$u3eF6hMPMGG1T8nQi(<K3]<aho3ueEV*NVI2>E2`R/mLoN`Gb(OL)]h7Ucd5(InSdIkp*a3jQ(IJ?,<Vk`_B
%OFU_cS$W!%^<,5XP)_!ecbI#/Xrm[gEP:T43M;qV2'-[cGP)=eL-OTqr%4)KpGE\8Mcnrh<;\>ZIS@^FhIYHuAM8R;k/Z_1H[DH'
%X^)q8Z=iFu^><Ek>++DV[V'g;i<4hC^BTa`10\nZR9ok:-tU-fk2OYapW!UXMdorNP<#.Ck*R!u2bNAaCe_sgi(nT*I/W`mX%2II
%_pt7D<n?,GPJ`-V5$c>!c-t2Uq3cZtqU1'Sn+tq6E?"q/pVT4Mmem05s$\Bqqskak<[?c,5/GVVg,hC[e>8d#\Ho[SJY(m'RV]J9
%jojN*")Mt<rr!`2mc*_XhnQpTZONp.+8b\?#[<8HS#`Xk>5$b!'<ik)gX-\=X>#$:nE/+3YX_m\d1`a&qkG48-X_k8+$BZ%F"&.n
%!W2C-Nh1c^d".r>?jCKDnR<Gj`ST=s7k:N&0:)q1+5*CWH`rfCrfhYo:L+msiSsFuio^"0f39LSaKM0R#MT1,TYoAWe#@_;nb26,
%%p/f0mcs4\$Z17XnPAVdH5]>"p[7_cm/qgH%=,tkfhXet]DF6&Y9,Ea>_R5X!Bp.Sl^MaG[.<]0S_;c!eup1`Dn!6bpo.oYDGQJ5
%5Mg<u>22>0kDs.+qa'@bUdA5`-I529ZHXtHA4"+_N_Cik-BuKPDU!k*;*61THM?pZ]:66e&'o*9n2q$3)!1X0'`K?+,94CP?#BUS
%#E0jqNkmB8Eq^'Z;msXmfN0'?n,dPsgPk*I,<AX3qI;T1%c7fqplr@60V7(Y`OU#]`_[X<\NeB'HaK/HR)QG_+agYbN],A6B)8;]
%e'iO2d:PGn9LkT:BJXL#`ST?C0+%[LFN4$*),3m;k\)dnNM`JuF>TGH7ah`"RSM[)Rn`q[rr1/L+"k!(f6_9hD=n)+eS7]0^hVS8
%$qIA_5cppNP$%JOCj8PIp'4ski+_N@QuW-4&%qXJ(a$QE4u*<^hYuA9`df:Xi28ei[]<WD\*)(\h;A)SkNeUL!D3gSJ,SZpipq#[
%SVZM/gPa8@`uk;')`R0=`uh`>?S@I'gD9So%IAUgaBN8?4$2eWne1EU%q7*C>F4]B#P#O.*WO2EfmPl[[]V$gYG]mY"5*LGl**m<
%VkH1jh`Z@8EI%5rji(7=a3)l'hDP/:=X!,!m/E"Q05k9/XT)Z=#:5:Xb>5M9n0]=%pYTeN#CWADW));p<R/Ukrqmp"I(A\N9[Mh:
%dtc#L[eqrF2>^3Sr`=,d*_XZuQ'A&,Z9;n8(>l=qrpB[?eM_0bjtHF):I-A;f=j.mER\*^rFiihc])sE=H3a3+Y,*Nk^dg)=S;cI
%EU^-f+'1"A:\Cod_tWscpX\HkpO6anmCM03?2[+Z@8ABbIp37Kcalltm%LQO\"uUW?$H0+lUrKko<*lIm.qKEp2A9^AM5+-+2>A"
%g4nJ`GaBH>ZB(a:mHo>1o`mK`A^AftID*e3\:s\M.bg]`a/eP,YHl(9U)p@SmDjGG#aaELbl5ZK^]Al[-[?".8/6Ob2.Bo&fua\5
%W&th7H88ZPA6\lV&+XZ+Vf1Gph`.9mpda*hH[?=9P<o5tqo^6\%Zp_E@cu[[:Hm.[Mq6D,g]Ke/Y'Do-lK8*)GOHKt548?8Q)XC"
%e?C0;^clUs5J4db^5q@Kps_u.:[@e&Rt6'89Ypc$>FA`d[.OCj,,e@'i*b:!+P?B'aPNLY8"eF^D=JE=])5'h=F7Y7g_RknO"0Op
%>ucCMqWd#uf+0OMiU\dANl-]`5$iWE`Q7f-=mo.XG&?h)s1G0iCZXO<UYg?@GPU\4F=OqRQ1VYX$n!]N/cFFD/Uc'TjBh8ZoZQEL
%.'Q9/$*o&,\@?n_obM*%qm30!n)@]')1'bm9r$?Ff>3MGBD9tJ3dM=.Iu?+7lLUL7O0H/*a.i?kkM-Z9pJ^&A5/tcq<5julIK!G0
%I/3*?2cb3W7#<0rrr2obO0&^89fNmX0<bA$I5h1]=24c9gYdSXieQ9lmVcG1r:>]%YHHa]GO*\XiT0V(hnOR=l<X;erpXZI*QsOZ
%4W.S(R"gb&W'2Ik[Qain:\u@H@J$-:GfKUnP<8T``N':]nWt?Os7*kX+90kZhk.iNhjs\;s#Za`U%eN_X4'tegg1W5PF;aQX1e27
%M8u<t4-#HAj6PE*82BqN`gT?Y6]<Q)YMBa&$0u@cL3Ra9c+5V5&uX>m/E7$C_s<J^JMs7Rf#`F4ZfQ=n7!Wq]_<]9:.TQ=Fj&#D[
%eRa38]M?ENIbEA&k!j&-^CI+0UTFV^->>="kd8a!P:*&RS`>f-0"&#?eb3eta4I;MN'#dcBY>^#lTd(oL$j(%4U]I!S6XPJg6W^-
%MsK[G9%!ouRR_XkMDcgYo$u@A5]&`,K@a7Jg%/:<G.hth]^r=T:)SJ9AR4M,O#>8u3%'n@T>A2^on1f9'>nYs2+\m;.J.=i*FD<$
%E6#i]_55i2l_#=YL+'6_m>LS[[TA18gA`rngSUB"hSd=t;T=4fQf:EsSKG7j+a>Y'E5RK'FDWkKOP$t%j8!8'@WDl[B%DsqgX8.C
%<LCd*Uk.7>j'<7:>J0AlKYbbk#d:r6C3-iR)$1S:o<S:3<U<'Z1U.;QYUL!P(Dqg<BV8fQL,<!7JNqg!gK0g^83sj,I@;(Q`B3mY
%D16#5g5!`ul-!OZnf_a_M_XJma@R.bRt_b7Z6<c&N=3#6FrKW:?>9S=9qa,n[V>9;(k%XjD2Tg7bian<mCR$6D:o'F:U=\hf=<Kq
%[8u%^TT65KTX<fa"t.))99s4)o8[]u_UlMhI`g[)#s!<7V/^01Ps8gdXZ]`r,5J_m@<q6Tbjm'CcQ]H6Y^&7Ppe-i^LL==T6fJ:"
%>)d%=QdqdX?iCZab!:*I3o5?4A,eE[/"p\g`\NdD'e.Tfj:YN1n*o&Y7pT9ZXg;N=IXO_nAd^9Iq<hrABP33,h.LT9JduS1-hI,E
%pbBn-%6@^8)^X>([2j67h<@+emuZ9B*+P'`S82?3[jj$,g%.2o&g`Yn8VG(%$=W"`,p@Db^Ht\t]2!:"G0Xm<HqJ_A[T>rc=.@Vd
%=&*S$7"=*k,6bcPC0Oa:Y')rg\T4]T"8iliI76.^`cdYIDDu2i0\b!s;ijL`Bn!S8,&#f@CV]6`B_&NV?aL(&<+!=Ag<+0AJ6T^@
%g7(Q\q>@sA;prsF]RI?O[TnQgQRcui'"4Pni?!ksRV[F$g.D>BY%_(SU5%Bc""c'QBq_;l5@g65?[S$e<(E>sk@NE>]#>;%WL\5n
%8-aF,E<fcdgU_]2$L"F+6JnB-A!2P`kd]6I%GMVg[;;iImB*h*Fc+nfT<ko\P,(]hGK2i:hK)hCN(i"L7nDrI.7ojs:0%%[CU_fD
%mhWdUqi%[9h)S3H59Ho,?uD0(q+I82?fh6g=)$`@BqHN.,EJLg)#F-26VWguBs5^7Q5*c?M%5(lo':`$do0=H4%7/R7+`!T;Mk`Y
%;fuVS4RJJ'QR!S(=gjMim8$V.g+Zb21)_"`r?JN*du/Pa>e@!C2aGD<%j3c!a%,P_D7sCYXdtucl&1C[%rq#&C;"V<Rs"+i&ac?1
%dN#d'mGonIHX6GeFP9!#*iE(DEKtDB)H]NZl.1tkRbH=0ZC]Tg=&s(DD<sTX.F.35o0/j(CQtYaI4Tb+;$41"j_f'uc@aXCd^3`D
%K^FL'JR?t\e`p01n2f8SZR&4DCb%t%],`/C=cf@5YaA2Q3Y]8!a$eVd9`a.#Ef]Gc?E$p`]D)-f0sM'1/"o[>7QJ+p3\-cd-G79>
%Q!IL?[[eM.:VT;TX5"gR=Z]jBc):m/>b#7b5'V;52TgTc/NoZX5+qL'#H&J]athePSI]uoEit*MlJbEXoi0H]]_3k`912f.D5G)=
%Hmed!U85."g#`a%/$!t\W,eFlegBeZWi'=l.-jfZXO=(kL?iI`%C#51?[2uVS=Q=t!)pkFM4:38\oGr^^Hm32'S\Ti.W1#V]?U"r
%itLTRVlF$e;-rAKTTO(f=SJS.e`n[Y#-/n(It?*4=iKc59f\(jitA7o3al9>K@1ZOhe4@$<SYmcdB>]+[TFB!#`#i%=kGX!+7pu+
%Bpaji[e*PVp0!FI2Ta7a'oEY,/%3bBe(Pe#FE-Tr(u'0(bJn]l%s\R=YIXU^L#-VJ0.4,/G]ZXpD:c617!gUj?(S4-s&<c1p(o<?
%G+rrrg;2TOW(4>kXAP"Z2NN0.KsA_Y+E>"-nAXsco\"C[kV@7S23AHRC4gLpNfDGoc0VI4A$J2OI8Z5$=RfB"g89XMn()XefsuCP
%6,!FS<&)LMOUi]59JE^)g!73^pEtC/ZWHI%hTb5!ijJif$Yh^,5O]8YHE\Gg\`anupXkm;=K2IbSPnQEC!4\dW.u?C*n"^sUE8[4
%Wl;uQI4'eg';pd!kcuLCONl.*I,9^!^rC672RdI,`)SDCVR0uBhsI.YkWlap,>V_]#!,+_Am;Tuc^f7?2_?QGieW;lau1e.NnO_S
%.\`Hhm9K.\D);D!G7'a;_.A&'>rk)$X]LX-qU(Ed&A:b\V;%Sgi7mhEU;\t.13%5&:KhS^4jNr1#m7;/m)Hk%h+WA>.V[CNbK&Dj
%mcE6L??oUV.3`TC&$.A02f.rEhii</.ZTp6EY:8dR>45c#;VoSpM@/!FEbZHLA7K=WX:K/d@"MHkWk@IT16ENM^TMHD+&i&4+#_n
%=*::;&DU?uB;0Hfe+tIC^8\JV;KuV0;>?pf\e2S]lYW9arlj_+U@6p,8jRWKU8>aHYmCZ6S5"!<]d4&@e--ouDBLrB-;E-QjS&!T
%)/QWCSHoVjAGH@FA-4n9RTOtdoXS.\WX/9f*dq_U*A:pN9W.tp73e+7<aUNO-DKDGb6$Q8Hm$ke2.?AcUq"JX1VeTUk"31Kpk(Rf
%/9hnk1/Ib(*/Fc6^56>4pK1XiRI;%NqjfXGk><R+NYRkb.ELm_X"oUIN_W[M-pFt2L3*h^YZgjUaKqX['ZFC3/rV7obDq9u,0Rc@
%/'u=2?G9,q?/(baF<RG'lF*%[JsOX)(Dl-=(0;A+$%3,[3"IIuN2l7),b]-gQ6%dGSe*Vo4-+BdE,)&),D7N#IEPR04UC=rCRZW+
%``,uD)DSK[dK[nkr0aRU=\S`Og_,ND]ebXg+OY[B7I.#@hrAiqVFN]LRYo@j50;g3pIAAW8`i@bEu2+De`INbZ_-l:Yum8!p-mF,
%^"c3G:.\bn-f7L.n?Rk-$h:*uQr*E](8baSjMIfG/^HDnltr<VFkg$6:gj".bYq&%D01)&[@`H<Y%hEJ\E#<*c.m,UneHTI$G%(X
%\Fq0'8u-R>_<DGB>u64YB#]r*:*Hl<<VOOq`<:'F26'jW@?BqP/dbI1gHW$.mS^_1g%!bG`be1oK^Ye?U&d_I>ju:%2"RrM2E^!u
%+`DuoRRm#kptO/3lF9B'%S<!1mGB^"EDseAlWmLBT9StVa>0um2JbGf#DtJ0,X<B0?G<?XEus_SGXrCT]7AWFc)b[77Ds%l\;=&L
%(2nPnm4/)p&PbRYD\2Y7]C#5UU'W,-J`@"]0%#\)(U[n%=n!.+V[eb3j-p5:65jN0U>@&GGcTTSn1/$*dY3.L;^QS?KOUI\WGV@;
%>,EpZe]YWu`=<2XF^ih,jqD[g68trhYTK$5CIo4m1NboJP9OZ9B\$@XNYje;BMI`Bkf&+-j]Mh6)/4D+ZaW0<!QG5791+@U3#kG1
%KOH[6_5YB^)mVm)/$X)#A-hS[0a6sO,#?1SmP&X3Z-jqq7_>jfF3k!\Le)'#NTtQRVKTE:&k*ZaV,(AOZ"efFKH\GQNu=O%Ed@l%
%/SPeB[d;Xb'#aN<l4s2fBjTdIVlV7qge_TLDSVG<@`W?2[P-rW`?t3A[g&i_\:2Nk4B!o"Q`HOX$8Gom3cB6XOcO,dhqUJO]VslX
%,J0hJMa'aNFE&=HnRi='AV(hJcA=a"l)5gshB6.;1!'R(p;pN7!_mNGW\kX<G=muA0A`^P_2dO?T%TJ\KW!La@9e5h"BfZsWh/u\
%@MRT!O"8,+0&"8324R,&)p3VG2_?!VUlEP\#U(f`V^Bmbm$M<aZr+oqAjAK/UdObI;HHF%#:G@`.+WHdJ/i$old6[gr>Ot@+pG3A
%JYTRlW[[l!gm3%&B<QWT)oVagi(>9D+@t,<Ve=nT1bb:AXiMM3673!u).fO-qE_J=f#$*ZAY"e:20uZ@ZBJZK=WE,i_'Z7X:5n7+
%9]DU9i`qZO7Z(r[3"KNKB3SST+i9r`"0Tn;jZ"')R6D+Pc!F]l#'%CtWu<1Z<_"fk9bI^ldg#H%-#q!p)e_%0h/XFn%=E2A'il/7
%+j(:+Yo]9BBK#UHo\#VN,c>3MfjdE:7,Z_7MFGKAo/SuN[KFDDE7/#^&sAuoQ%G(GNkS^4B)N36Rg_m/^d.ub0/^[8X/jLXa!%J#
%,!WUD8R#6-0gROsKFSQ/1lu"bqh'<f,:o64b?&L:I8g"Ij.KF:T>E?5#p<.?92QKU262Y)Q4ZOc8JlD2e$B[dUOcGnM`]@8@S<b@
%A<`m`h,>\g.'JWqT[kJdk;6(E2!LRWmLe-Z&P!Y:!^dT10%0DV67C#:7T1"j&.=dVQf(gM"#"pS/4D/AIDiUD:h)=='22+o%E"%g
%=iWrLWl,&(WckICOu;Rd?mi?j5Qdh]M>)P5j+UJo&k[85D@r62d\R.qO<,,3R*pLjDmV>FhqG2&mCf9tXBLe@mb2?>!0tb.D8]Cb
%&WB_koU'=&l"A@1QJ;VGp^plf[S%'W%?a@QLIu0"&>rE1bVA<&*1Ws/,AU3HE=B,Za^$PpQF>B!]b'9s-[RFA4GFR\MBnCcH)[ho
%Q(WJ8TOWe2m:K+ph,FpB'+*Cnbf_dHD1KPRW*"J(,g7+(%h?Wf4+4Mf(`eX\Fs"_$Qa!LiD*D=I>'++20k9HiQLu?</<omU.)Y-4
%f@.a'-'M;1]IX@Mo8?OU9"sNdgGdGR5IA+]1s?:i8dnXE^P7CiSrnbD1S?XQnM#4P!tKA,cjimU_r_`a$e;X@0oHo2a=Q66f[QNf
%&Q?59gFP8[")\3`s3N&2!ua)):DdK1((,hrT-]ncg:F?*8CMP`k\$"tZBoN-W-r$AGSG'a7I5UA;O%W\Pd]ceWM(j19V!G#>V`[C
%oZS6UI,o-e7LdV):KC41Jf(ut]TO'5>3nC"(]$tQCZ+S<gRLS?b5TG^s*44C07WNf_rD*pnRl5.jo99!l_!(Bs)m$_45KHlm"fkK
%-?_X:8`t6tQsg]`6-SESSNpf8j]u8+5Pt$;p0W]RF*BMc9_rUL!\rZ_li7rf-?ap!=T_k/a5lKUTOW6*%cB);32\o)'0aT7O="jS
%2c(1![f[2dReUhM)Of:gN$_?h"@kfm3rm^qj)0IEo],?DPN!p4!_Q$3G!`&t'AI!FjQW5^C%>\U_5C#bAI\EVCD3uUoLZd>0&S*k
%@0`<k1p@?c9j60bX!UX2J6'S>pe\VlI*ht=*4b3%$-B.uE]a4ean?8)Okb'>s6&b5W>TVMfBI"gY\^uA9`+I"IeWPtD"8)u@G//I
%h9]ud`$V'Mj?"O=Ukp*GD4%mF8$tnr45no'M;=81gr)t?2Juq^FIVX(Sa^JUnTR7.aVhf#`m&VY%nF0u9(Ck"2nSuO)!Qc:Hir[]
%s0*0j9pWsTGW.1`%n=4b<ONY)9jY:2l4&rc"7AlIkt];Y=]daohdC*bJ:80TE@:[R1pJV6%]8M$(cZDB2\_c=YnIUB#-nmT%[R,!
%(2j'mIQSMY`qg0i39e@VLcB*X(JL@CnkQ,Cq:7Xdijaj$OE''o:=qOD@2F$U1p@WWNgnZ1+X^"NKTY:AG!jBnkL^(g-gPLpUms9H
%/QPX?_Nnjq1q`ut%KkJe0df]^KUK/&jMOi936=?$2g8lCoa]&'W3[S)SV-f]#P9"=KcTZ(jph0+"<ErP7:MYFmiMs*=/F5<o[cOD
%=oP,NnQ#TTDb'rJa^e9_?=Y#%3b[V:Ja8s4mJsGC$Y9QnS`mu'5jY.@Dh.2u2Y_6Y*B2@Jg52N8-.G[nfbSBO:N$WMPG`U)geAHl
%"lrE"h$%m*5M?UO4#:5-*-d6%]E@d947L/(G;>RJ_=+TlG6$QXf4QH:*h7:5JFLL*[1`sebsC%cj2jOP"NNl'@g>8j1pIE6%sR8n
%KCTQqkQ:AF%m*&J`9,\YS0q%t!md&GFopl!'0AMP6s8CRUk^:?JE]W=3s##Y/9ZR/fs9@clTtHBJ3=e.:67VQ@MdC_['0pScXu>B
%JU>kcmXY&m+*N5(8IIT\pr*0f$,S&jpeDqqBjq;aT?P4`5X'"^%u0Yk.J(A`5-2.4i-`tk:4PNB@L#Gr1p@XlcgI54L\5(&Fo_6h
%hX,mk0Zjo]pYcn`E.FSV<'D;]#LC[*+?t*NGC]M29G>]i4See;Sc%T!\%hof!VSH#)'6',SQlfHjL`#_-Z?c1q"F"6Q9"sDV*4KS
%qeu@]J,0,us5I\I+"nZWY9*-2nF#i/qX3W-pCCVYqf))Ce\ga!Hb$E>$%H69dI*>[n#fE7GQ71"2tnhmG01uGe94m$O8eb2R-NDq
%`!0etD&:R0-E/LmrBDjYD'PRlZRLurRE;EZ(C1m%@T&CDN(C/s0o'1/bjegJ3f_gS0T.8F6LPa\6!KB9#;hMDLX=e-jF'A3+Qj8"
%gWkhR6B:Y4:J(_G<7W7&mrShPKafc\?FDKI<mNU"08-&?96j'Cj;#+ugT>82C:d6Z8P6iCJS-6D7'QWP`?TNJ&^E)W,sajF$K55\
%I^oIgG_sAF\>4djjX;DuK=1>C!>@K)]>63fm0ZUcM0"bM,VO?2qQ-`,2Y(_.F5R<I<:'@"0p=Fo0iH-$.pnFCB42W9KlN&0K$809
%H.H@d!easTe&X0CJ?f6S=@Fo=OYHt%VJD2]&@1;pWe)HDFR4RD@ri8MBSqUT!@u%2"PlAQg1:/TfraV4&Rgq`dGY1qW^e>qi2#B!
%**?L(5_B49j`Omf*.T4A(/59jI\Bg,_>u;,#8J(TjtpgQ#W5d#^GkbE9L@?QCeONn["TBH`6g*C,LtE`XT?j=,h>>6[>H-3hC<8b
%'sFPC$cb#kO:`e:m(;?f@^aTPUAuNDilLNtH<-8fap%qi`(e>#cuibji+8TYO;f;P".[o:=oq\(c72L7SCiCuHkL:(Pa>q^]CKpo
%WY&Z;SR`G42Y+3Y>015/?Z&ie?:5Qi3f>8I;#2:]gUba9nhgTb>]_d,$ELXK($fK\T2DdkkuWRm:Z*=u0<5_#Qd-5^jj/0p9OVO6
%Mbp*sFYjdVUNtMn6jmE+-&I5OFEp9eX(f@h[Uqq[/=ElMOQL$/6*%lRPZUkb_X-Qh#80)Vj\`+_8K/\-2&ZY!`CndfrMRJ4$!`C-
%XAKp:fH<%O-*gXkFa0dOO2Fe9-R<\m';WjfWsB#5;-?R>^Re)V'?,h??$b]CM?+]Bq\lQk))DeK=p8"L,fk#KJcER.nPDZ\3T\%@
%44O)k)3\[tZW]8Ggq\`e'0/:3aS9c'A*XEtTW+t`DRkSqA8sXi'b@U%86qIY-K?>k"JK/:K80@OeV2fY?H$[&Gd`-T_D]r.iQ6`@
%'^X-HB_d(`7"g*&:P=<JFb!/kUPIYa"O!1hn)^k`L(C^!q7^,8Ah_"*`P)t9FV$n(9IXO@/N*(0OMBDYE1!qbRZ:;L:sfd03bHpF
%K4g.u3$Ls^_GNR+UBV<l@N#GYA-TFhBs\Kp)iIhYdQgPn1J0V0O#c]=Y7n-Z.!Sn=70-P'0XYeX8Nh6*8AuJYXahFu;9_B[8eS`S
%on8lqX/Zs9%1H]R9P4Q(N1a_KE;32kX0!W))M5jC;k+qH:IPS7$MB3L9/e<J;>jni&thYPfAd8AV\'.H\fB4((Fho?WaIA[XC-%"
%@&T9QI?)_V;Y.gc:"NKF@SaBke1&E<Y#>Y-l_,!:OE;1=n7qr`1pO?'ai:IJ<`$^U7D>OK5j6s`U9:_&i/8ir3"$,MLhG8/6TX=2
%eF4JJeLmi139%T**'&Q<P'Y0SKV(f6`bd$+PBSog3M]1cLO]T]>S*NsqKHVag;4R4DZh/K,:bN"R\idH>kZ4BKq3j6RW_/g8]lSo
%HuFI#/CakC9H8qYLTCc>;"A^!BH1u4Z%p5PhuIXk)/&lGk?r6I!bJ8EdK/Gp2R/35"-nQ$n-TdQ*"Sd`,:1K_p8UYe;Dtm,S`jRL
%QsPlT;1tGk_87XnPn\K5O_)sNj/C;428h+t6#`s3Z<F"K,_1jJ=Rp;Lau,UN*gS=-F'/4m@5jdJI$?i=7mTafcO0>H]2Ali.j00R
%X#go$8/r^G3)om5M*0?M!lEHl0p5G=H\SbE'!+b-0p7[3*<e)'TOJlkgpr:8HiaR>'QeAIE:]t/=($ZDg]8]_cmlLD3"P;$A:LiI
%QF[T@'e&.1FB_0LHO3G6@hge^"-OQ,Vd2Gr`0?#_TPgK3L]h<GW0&R_A&G;gLQdM!e%kp<1`S6!3I#DBMnGs?`jAk^-_X%;$&DHs
%G3*T/+EY2R8Z\q>>HnS]5NRP3Z&'@Tj2LSa\E534JLD+:Bn3BmK`X\N8HoJ*nqtu(Yjt9Hj[LTP!+i>F7[VMW*%&mQ7W3"[C2t=$
%/"bURP[NO^a>im^=L1fE&"I0A&<=V1cGdm%.$9CQ_$6;1$dW;!_=4d`!(`S58uA6e?'[FKj7hoj\lcXDP<DE&N_bR0;>J=4!<SXf
%;=<EjDDNs9dPN._PG/&Q:)P',PX5$EWs@XcaE#q;\;4T\6<5%MF$uQ#qY/-U6rHjP1lt[JV.YAZT*["Q!^rp<_*g5&0X@Gnpbnl"
%<`"#S3XH<ocB&t@"N;E6aeXH+R&29E?te'::[iMRq8Qa_;\#c_MFk$_F;maQF)`*%rt6bs0/lB837fTLfgdd9BT6!<?cQ$P\ptFs
%nAXpEmuUZqgE?=f*G9a\^9(;\J-J:<;m>`l.5t^k9nR1BD^'l]GEZKHKB-]:s7sB=NFL,s`$/aMW&fn[nHB4D)#tHFR^sHEOEq3A
%>Wf/7oWjOOKYh5rLAn!<ZB-<<Utf,aOra`-H8\6c,f!#,HPFgq;%YYgJcH$D(e6kN7nI8\"(A:"%'0HPVE5)XNi`f2V4Ou>YS',d
%Z^QZ+PDB7h/4M0SN6&OTf@%IE5D&373fd54M&Q^hO9t7n$_"3IKVK31;aqao)F2TGjmW/&ZH*?/5^H>MYu%h?W]EHm7E@(.3]'Z1
%&N@/7:q[Gj8jX7`nlVl$J%8D+::%oIeD7.WnM*UEgpNUUi"*$R$3Q.8W@mH;)DGS2Do*cQ.b_W+k-L8uf=EDQ+;CL5PD!k>Y'8$;
%*X1(Y#qpG*7AkA'/8%OUR<)rD,;%&2,-.3\r3L_6?(?c'T4RY`#US&068Y>XrmbX/iN*9JO?GKU_L7N.c$DY<G:IC1;J)o[DXls"
%K;:*sE@)G1[=)t!GGEl&"TS25][cZrki,^8K9_jIN+ro2FYOP\O()8e&gDFnrjf<c@q,ZX!lt.>baupViNt9oA]hVV[f-<)-`<@^
%cqEMrf3uN[#T6R#f[OI!PGoZQ+L[+sn`l0U/AQQHbS,gBs"P=1&H'jhXQu!.DjQP5H+aFs7.bK-ZS'iJQo:II?bKhF<osH;+l!67
%2ntrS1D9:aBf$FOD4H;&c<dV:X'b0^`I,e1Hpe;]8oS@!@a(Io$p&WR0F;:3MOcXED#so[nq3$cmkP:[PG$<ce^"fO<1Yt?d:>p&
%-7hDN-D;8k,iiJ"LKCNNGff_bm=@_ck3a+-f/J+&=DooL5=LbB0q-V"%m-fug$pXsla:Oei.,d:GKXFtPLG4JMW:WlmZTTN`2iJe
%=L,k]@KqZh@D4G$_8$c6ZZNS^<,gD?#hLu[lEe(D<eWR;#Vh##Ze\Zo4g6(`'8kZa6-a3)kNdRUP)7ICqg`2_kIUNga;kWId8b/l
%)4jJcDMZZ8$I<&'T.C7bc$&dp".H?!Ej/<OG.(?n?6.FN&C[==Up\IQqQ_K%>V9m"!G9)Ln%h[Wop(5DX'6/&Xt8j<Tqo/e&.M<B
%lg7ru_o7)F!`\^Tnl+LkYL`S)HZg%UgeP^;f_<RsAXs":]@nutg.ab/':u?!<ni$uX4Su!8uK%F2@S8X7nZ1U3of"c\(f3lRb,j*
%GluLseL.Ua-?8q#^ccF/,fCP_Xi@=sc2:_=n$#ch8a$;F3u8Mf.#.DQEek>Z>htB*]K>_u(oGFdZg/:[7Ijt<@pStfe!!cUDO7C_
%lKg'qZuqmU31J!!NFS?:D#$*%ppjV=2FLY_7\Cb\<2CG4??*f+p]t[br$Si:0FZs?;lG5?9\Zf7\--[ld!MSoHI7XIYb7d)PS"2[
%Z%P6gf&ZRB`NumYXqo9RSb1X(:c0qK!:NhUNJa2gbug4H&<>5GIXir-KJ"R!P'tMeG7k]dcWq-C6)SK2\uE-_Cr3ge,Li`4(b:8V
%$Jhd`1k9Q#lt(h1E@_FJH8(1g4i#6AKPQ]7=WOqakQLCSXtI["NAFN"!2`oJpX&?>OF-KQ`j;&$klP-*D@UjD[&Ztt64A$+3#h56
%.dOE:M@?.71F02X:0.k,a^WmZkF"E!Y`hsp1r36IEtPqUJjcm]g0^7R"OT)TJ6`<=1)2DqG-@&h-^FJ,\5gLVQB>IgVrW^ONYjJR
%%%ISQW]QE_Sr!\Q*22b9'E9\]ArYa+cpS;-M&UOh<IZ12@3hkMrk`dqq]P"f6')[/5"JG9&<V^+,mT6W[M0+B^Z=QQ$/J.B-h`Ye
%3=\`C9DF5hGHD5(]snZJ(D=_b7NVe`+Mn\!Re_[k?`f7>p"=I*MblrSlq))Fd%(TtRerT]4^&]d3U=M=O9)U'!npZKngWUY'UV",
%6t]o#P<s]:&Y50fcbq$g*0t.ZWs[:*6If3)dV-ikOrlCp7_l`>)i,9od?dFIXItp"8fp.s@,u&;];fI3/54?6C"Iq4#2_`AptM$+
%IbsG_:h$0/6HKC;"Ns4a4iB<aG2g$&MoT9uN8hra'6;`<&u'sFZgdQ^$bu(p;78E:]P:=Fg-0'mD59BB!7UpMF7..qYDDQ\kC#fl
%1;+g&X@<NYSq$Z?pAF$QFX\M'.tIdc10.q_%$9,&5u45V+=^^rK16=NN1(()+pT#oLNm)1(`4h0ENpb.E;=6S>VoP@'@&oTF.p'p
%^e[,Z"MQ5"SFTp@"qVI<QK:gk>!b9VJAt8",Ztom9[@Irr&ge7-%biC"tHVU/Eb>S6D[+S(\/l)8;G2L#[BsD_"h.6-;*"Q9)Jf8
%_c7l!<1U?$8/6q$V+A3Re]SLT)P:+M=`R%oV#5$<cmDARE1/hZ$F"3#QjPeU6Li;$k=HR;JP]:?8*%sAmu7uQdVfd2ndUJU&#0;u
%k$egPX:#&ZN2*U<9L8lP;W`C'$j4VeaG</#W*h5W!5mo%`/4s@9eDs2>81##<:W"`A;5/A1T"d8K4IZ3/&I5ZjLLAF/CjnDfo0c`
%R`&*W\n5Nb9+dcDbLMY@C5S+KE!EWO5)D*i_;hjLWuU2eY?!hJ`9Ta*?kO6k`*(kidfc\DV,nEQd>M`<lEi`(]nTpAQ`nuZlJ.eE
%L,)rVBgp)L+d]c[VSlo@qo1PdM@>'R6))&.LBkbu676I1Ps^\$*_%7hVNZnC15&24G1cMBFRc)Qo1B+[=JU#3(KQLFDQ+0Vkcn7'
%EGj$u5]KTc_Fa9d^)*[PQ*e,<-j*H5H6U0c$Rg-ga-<,K(L-BN/l[WA$)=AHW=TM0\cIZ<-K^Dk6sg86-DVsZn?'Q8&\agS%"qn&
%7SP%n[5s(<a!*I=0J=UG3XP&bn9%I(8c*0d_!WKA"Gl2m11g^@$aH%[%('Y-aKZX6`fnWD7O].?g46YGE>"KK#pg+NWOIW4\25u`
%#G<lIl8nhkZi-J2Ydg]+0c1;Olrj!!aciA/dpTOORiS6JlF!@"o;Idco<=?2YPK-5JbV:.G\T6>/_Mgs$(l6iMGQm,O=P8n<ZMNP
%b)1q6:3$(ch`iFI#en;&$8O2c,0EIs<H4jo<=_>LKTsnj_,JTT5&Oci=nW`(X'#20iAD7Adn!k#N)(Q#+,N3MTkd'.e$JCJP'3ns
%Cs:m(SLF>LJ(59UW<3q6'H,M1"DGXbLO&)YK^B]_Z-=.6N!:W6\p#Wf<Xl)n"AX(PbeY86^"Rut@er6T9d8!RN13a`;*km&mW;0Z
%8Q=[Fgfd79-8?hR?Wp.6Mbc<D/-?N"VYhZ*4To+N^+P.*30c8l?kR7&MhI8E]-bJ+f%)E:U\QQU?XX:;O\jJ'VVhk1QGks]Nm`!6
%C(crF<+d(ZbS1>cQ`;>%FbV)F&b?K<(YW2e$S?$Jb<]@gpCf==:5J-g:a$a=jPtNS:HM9-")WoSOH<biX-%u/Z[-M[c]9I^%*[&'
%PuA2[p!og76'YR]!%4rsMbW()q6T3`T-(?'<QE3CEB<ZI^A@2<,>;a_?6/>jaroJro:qqg6+e^`_C>k(X&k2JS;4c)_!Fh^@\oqp
%0cNI/mPNlWM<G_H*9>s_Dd[`mk8?8ce,"u!a]V+m'qh#Oes-#0"CO5Q];dOBaZRQ(=-XG0BMPial(HqI=r0\ObcM.FAX\8Z=?G8N
%^bi$E"r>!k>p.oJN(Vqh;oFi(8scQM+aYXF'DUhI/=NPtPP%cZ(m$*[;sa^$Su6XhSp2cM(jm"T#<.:(j/Z?=SomO&\ft[,1)a9D
%s%h7*LN-"*X]m9.iSK!+68Ne='u5?"1%RW4$OI:L01-703QY[Y9U:t_8o(ar\"Cn0L[_o5)cH(/dhR4NB#.>>Je4HSfT;<53jU!S
%P)$Sm\mk-.@0o"6ipO.:BtGRZb[=(0St!r05jB\@(!BfUQ+>:[CS&Z#%/l&2j8;HVD8Z;&CJQu:4&Mn@#WW6%pmN^Bjp[YIQ0FMj
%X%`7-1LQrIjih^BKO]#`HVki$;ulM8bVSQr7@[!,I+J3`[_X+lpChZi9o5Se)`"%uX]S,N;l-XD]%Wu_fDQ!E[:+9"S:98t2[PHe
%Dt:97'+hcs69rj:H^h8'9aLFG!OM(3liONF5hsdQ(\$77LA+R+ICshAR(`Q0TA80ATD,DfXY_fDbV.K[Y5-9.0+dkV>HY!\T)JX6
%gq_lUC,DW:fr)34U58lTC3BUIoSsh&iToE"UD1rg9IHkA*+[Zb:oUTX$XOI"&6$-hn;/9T'-42X=U25Yhp=5*`:9._:;V"h8O.Po
%FVr_:B#P/?_Mqe)"L5O`&'6QrnN9]*"gN/YetZX%I*Ej>/&EaD2Dq]_L@;+2UTk],6N`n7&#\p]q6qpcR9>=`8cqW'?O8el@?T$A
%/gMo6&4TCB@#bH06LtcNimX1&kq#*"jIjt"7P$I'WB&iD7JYT5I<2t8oX21=jjX`GV49#V\s+VLOAqF[-]J\D#W9A8(@<R(3-"TC
%O<1d0:boIk5p2o[PMEBf1u![t']R]MeHR/a[ebV?bL\)!@n^Q[$D!7#[6[lA8pVUL1[S<gi;AX=`+_Yrf[Pf*R70BPLG4b7_GKT_
%:2@m/WB%hu#U(,E%(MSoJ+fu#'d=&m1=6./`(i=*Ma=["2\;s'&Oar=6[JUC9JA:Wh17(Cgjtsi"i3U6;hS<n31SCAB.g)N+:62Z
%B]ibb70s8T\<.mG`'E^?LmUB!NrE(u)NLCbMQ2=BWX:Z7&6bE$`K[j1@re$o5e7#H_Y'>VJkDE\'G9^N1sEj:b>+8haR-8[<6[lN
%E9bR(m*S,"M9HohC.&uQU^F:n^fJBIcRTG1,%aQ*=/k\*XTp()i061a`DQeVm]'*)*&3+U%=h)a&f+K_<uQTc)R'qOej,bVd"p1G
%+9JK=nSJr/ERK0\4G&M+?Kb8:%WnS;<E<k(fQjbUf;^?o60=)03uasCk8MO^1kLu6W2?ts9iIX\C>CC,WQ\tkZWHI%UFJ.&"#5gN
%d$92=;U%QBS'_9/b>\A\PLWE2](9Z4B/;fQB[P^iV7##?7m+JPf;Y[Kmt[b&m4bB_V,Yb`h4=Lj*pb.V>1aD/<',e?s8PW:G9'>>
%>tOYrnfP;fJ3&La7tdCb/!W.7(cd-tFc1GGrV(Mu1aA!o1:n&N>*bF,L51OKk^44WF^J,f8-\_mZEUNHr5r5Yo4m#mE(A$p"??Y\
%!bWPdSu<`T8#F2&:u(uC"$8Y9^+!'A'jagAn]8%lj#2,eLI=9)TY>"@D"hqB/MlF.#nYMmU5aW#k*A@FouT!!UISr4d#m9K=b^^H
%GOAQ?3]4qdqR&-B0=lW[UR0YI(@j@1X8>1@$A*[*&U#^<O$5$DqmiUG,eXf+0*hR0N/+bl'EH\Y"_J9?YX[_)KRa^gS+\OQ9..<9
%WE;*mO+2W&n-r]l-<7jEl6$6A*`\O^.>P&6>`aiZ1EUNh81*V%&4aD#'mZ'!YrJurS-5KCRd#$8Bfa=e?>_R_!cE"H2&Ic:SoC<#
%q[OfQTnp"\rMC7J@*hj0eUpefZVa',_/:pc=!VS_=m%p(:W?3G#U:+_&]qB-N)e))<r7h<">pWsR,U4l:D+_s?I_;1&N%jAJ-$Jh
%@u,XUDQ"\ZX;[lOWBGY=[ZfSB,qogl\BeJs<j=07`Zc@?>,t8@PJ@p\.1mj^K,+4QH7i]G.S@^(nDNL%qnd_@_UX7),Lg!Dr-Q"2
%0ojM37TO[CB]Y3[O_CB^\Q@,B(R?:k02T(F=1^prdBa#*'.A1kR_/:*Z>.M!s*#X&B(6Be0cIi4!B/r.3+4A<C-`/@]0#i:&k1Us
%&M%sDO6cAGH<+2RjT].iO)G5b>uD1n6+7qaI`uc^0N%<>H2Y(t@+eHTXmkjQ'@\7LZ!iG>]9G%E?OXNH&A]ae1o!H)N=RPXZ:4_[
%]%hSEQ%?!7DhT?B:[@'Sk*=gGZNsl,T:K]g2@JHqDr@'_cA9p]Hs/pR`mu1g.4(_Z3C;nu<l.4mXd\fM9oh9c%(LI1GX!K+<qJuW
%PX-@co1EZ"'f(gjSo"Q476`@7'Mrb7$SMMi"Oh_(;HRM9fZ_=mAd*gr3Vq;6h]aUR%5#Tf"cHYiC93^=/TsS/Cj"5=YIp3+`lVg(
%^73\'Y@.pi=;m[AP'ZJaCe4YD$U`chLUT,:D05Lhf<*YimGL:M6%Y^N!Uj_+o>ge6m%Ip(82CgR@`mV?gcEa&5/4>,/)U4L5hdWf
%mR\$TJe[,DkIp6_L$8`g7+h^Y[s1P2]5c\5#l`0.HY3s0@5YtsLnVA2A#tWm!PU1[gEb_E;=c<ZX>riUUgSV)-D3P5g@r8>>OW,&
%!eS]9J=do>S?K/[bZ^jG)'1Dmr]4teJ-*%^$YrW36!Q14*!6+aK<l(<6GW21^&<N_grZp5g/^78L34#SVZ9]1nC!\$C=W*OSF]`t
%VcEg1Ja:rO\0htA!r`4B/*ePcJ88)BYHe3-!1"_#_)0XK.(a=Z$K1ghX_i>2Eao87d_%@Pg]S=Y>PgcO5<TtXMrcJQ4=CD(R@o]Z
%Tp*$pjTNj,^4ZE!3'lk=fliJl#jE*PP)OreU`9JR>K<KK_8Y/8)_G7?jVu!erh#684]NsrD0iOaS_D4.7"X9Y0-Q_H#'Da(jR3JR
%l7-1%hQ/mg[Uanq3/>0mn_EioF!mXG^(&BE.X2*rLcu.g2$"62R+iBI$iWea?uCb2$VD44ALu@AeblL:`;Pum;VD]Lnpc$Dh21V0
%d]hUo^UJU(a\>K06+?RfKno'S'i\0lPrs$fGWF*J?Qkm/-oQH'I?_B[="sK-9$2O@YE'RHX23(3,>Hou=$E0/q[:"/'oNsdnZG'*
%Nu`=.1_fr_-IL:2\u$PYq/@h[jhlSTL*\&HjSj^N`?E%V3_pU#[jZjm7CpBh/6?&RJNdMUp.Oo<8&&1M5%4_Ahj*LCE_Rq^;,O*i
%'0h'7(20s;5?c+g@7GYb4H'.Qp/m0ahGXF6i!>)<g<P-II13i/'D8l7DUlJL7V"F7rL#q'T4oN"pqCF;!lLS_MQ\:4gkEGP_&MVT
%/Vo-mhj,fO$&`[W2(O(Bj8J-BJrc!9"l'?8C$ou)(``I5>lYts9[28n(:7iY&hG7FUs=/#es;sG]+s,A-sB7^a^b\#;H_+5dXrk*
%/nnlIQpr:)8rCe>8(J[[cSBMR^ecF&7E4>tCst^qJJ#SaYsT4U)8jCrR%(>CN%.d*DE8)BA6N6\)[XuO3?Ql%C`+"=qV!@kf,rRi
%4>b)@N9+TGf:N^-#4GffP"$auW*+XhncVQaR'_RHZjfZ$GS4*]e;=p_p+>uYR@NrSK2`_o)>s](JD0fYjZ6M[C9=<[ZcrQcD-O2?
%)^iI9P8._")7id^JZT/mqJobDfVu4_H2<nXiF/6PK6%ILrZqrZJaUfm&#s+pLcE+J5RiZi;?H#./&*`e?lbNf\S2j2pcNMhWa<O;
%q,]d]^$O?d.fM/N#/C7W&_ki%c6Rr,"'B0GpU!-*=XOG9^hFAP]J&)M6lDIsiU@E&GBJZJbBHQPR0oY+:u<_s=BQf9b1=[$,ju)m
%h^E8S<0Vn@!B')F_'banU;p:S?rNMtCFS@gM?F?L\^)srrq]B,Vq,--UO<%Yo\%$L7oU4<.fS0Kj-O,/.b.dA*dW*p[blUXGlfs4
%Sm'm[q_6Ht[Ii50=7:]H?!)!=foaI4n4<+XKCb\!2?Y$g"_A8:Y,[,A4j]Zo?;#R5@1NpHWL"TAbF#4T<Gl0t<Z]8hX]p/e5^ikL
%Vp!!K/*MD]-Ba+u2E7mC$8R'$5RkL\bI_)ecA^\HgIk`A)1jtXhF]ej-&S@e\YZ>ho5[=u%fI+6pm(DV]9HuREnJ0G4n&%Y?7q`9
%Lalk`9h1rnadXqF&e$GJ59,em+#?#UW2?^ol5qThW]=2IC*p+1d]k9sTKkJ]WSg`S+dF^BA][A.dYr(kO<EKU)uQgoFQTGeg/?0a
%pQIm6NE2n,D<]*$M#`,EY5`mnn>LY!lr^)a8@KpA^I/70D/#Ud[D4/aHtQ/R^>k]5^HVKB[#Pmb'C7r%D40k?H7L+n&`BaCM[-qM
%VP^kN?0L3RdhTJ#$=o$h/Tmsp3n3QsBp%@l_=^3M8eh7PXHuY3AWfLY=HBu=X%_A&'[50W]Cc$YL36)i"G.`q"RO+_6H'kbXA0NF
%+WDlQQ'Q9\0GU2aEW[+%Qc=W_b8HE+)Z)IkKk*X1>k-,aF>f;MOi\5#JWd0UaOuk!2jkO,?>];EUaf73dB0OO*PVV2@A4Hs#1C49
%=VPTY2C!TC:'hrMo"%\]6:0"PqFI.np5&C/4?u6_<&@1MNh\.0A+DC_1L_*<K.IlVE2<GIA5ULEe_9j,%MGd!bGZ+BR#k,NC"L?Q
%V8a)/Kc6",[4Q-oU7c7/qG&p66ZPbWh/6NU5UM)=qcBc,,Wk%F11TT6eteET?pm/=>C>'-hY<3'$HbFW6sL'lgSft-aVC\k6ld%p
%d=XN<h=S.b<NnV6WAeQQ:,H_nk>tJVUb_C-gqO&?d.T%4llX$cO_FkH8#E[_\Hna3g(K[3B=U$j[0I3@qlR=VpP2iFp2ql38D;WB
%QU*0'\[EQ;<NabY"I)taYeiLjY'_5$Ld1Jn./pb(5hl.QIXfSDZOaG^)X'K5GOp!%3-Ug;=Lu<@;/#bXJ?4I18-M+";>b>"Ei%0a
%&/qU()T=s`Z`MDAl/V,,\QM9K"k9DMhJV$GFM"tJ\&[QBmGKeh[J,07N`NXY$?mBrbBW;l;lkAV;U;70CWf+.J<;@0B@qpF<KQs!
%M\k14HBa16S;3kk]RDf=%^NRoZ#':>=RRQ6G-M=]*[#i//1u)+nk'oc:cJdQ'MN)T.PMhL;?2+6g9u=S5^<!,Y1-6a$d;";"l8J9
%q([(EgLd%S=:g?/Z#fnM@2Wi-/nliY=+Q?N:Be8*pUdIiWYHiqU[";ONG`B@Dq<1GMi1FgL/ZFHggY-b-Ge#h\Lh*pU?RMbe-`0-
%;lt`!SVGE"Q7kZ@>Bh&8T\q*8/'YRZJ4-eGcVLP!f9/NAP)!;&e]M!+9+!)7DPdWd#h$NZiYM-Z[S<Iu0h`C]_CP]=(>?TSBf<K2
%5Quh_4TlJ">Zp'?/E$gfq(@=cTr^="[+kcSH[%Lui.SSEGQ^Gb_#L&ZM&FGT,(+b!@qf?470nSLE[^neHtBkl;_&bW>>t]_T2=Uc
%7+GY=JU@W+P1_Qf6e"a7M*ngtKeFXuX1kIg^Rbe0)X4=sc_;N.:jF4l`+&T!5OYP6fKtj+.=LY$BY0H-dd,qQ6Bcomj_srepW<jh
%/E]WSEmU1Jf"OocLoU-3!8)*f5]/iXBdIsmTk^P_k<>W[=$'a41VN/,I(U$Y!ZHl9K]$r=p9k-fD5Mk!5Zl&,iO1PCJ/Xe2L@a`+
%%s[X#aN,-*NdO<Hg]C'^=H#=.6"A#Oa\b@0R,A#)#"Gup$l^V0`rmX^eMf1!S"#:-/b2@];H+SXRg.R^kmuES!l(u4)!<qR&@q5A
%rqF8m&IY\F.1-GZd4pN/.Y1o!goOl)<nH97mdG!7:q[TW(;T#lk,mh$[_hl?>7X$g5uG%GJD.Wj,<?LGGY.(N,ZdRfnsJjPNiDDH
%I!O7_PD!t%fTo[L%28gGf-#4)Ha'c@J8in">:d,;Ef]RY\HdIr6R(GrEVCA=P$dc1Jj>&iRJhbtaS>!O6&Zk'OF03Eq\Z'cGPbY+
%0:T]8$`;JuDZK:12I'.O]\4\_B*[$Z8`Y+d`tJ@tgcdrSIOeoH$Vmj#Pq$27^qn@]'u0kH98JP&\k<X?:9:#o-TN4#NO!.(H-LqW
%9PVrhX-ckr;%TgS?QV):,+;"Cej*3jds=+s:5Zc3"lUT+Q;XkW+""pW$ITe9I7:Q?q%\RoOS#]uVaq^d1,$YnPOk%c`-r#VSq0Y4
%nk2RS=McTlS=q2f4HPn9%"kX`p.H8-a__ptOq:L3.h<Cg:283aaqAEb1m;\9Yk[nT=Os2[Wm<5;BFU<ER[-]S&Ds^\U<:`!^uW%B
%e>@%d<1T"7eD9VdDZZ_O#nX(PGtC>t0Z9^#IfkjC(*uR$T\sbCU8D<'Z\iCNf8X]6G1XZc(UXT8.b1K+/<&i2%Eo`fSVVGSB.O6_
%SSpr'fm#f@kVDJ4.4:t=H5<8%<p/Yd%-QnT0NY/Ebu//rB.R9'#qh*)iE>6bD*'!fAD?+ND=3Mi9"?MgJ;EgS++6'Z\kah=\ZaKE
%>qL]\o+SkL%Ve?e:dI!M3@W#_fab53O5pU<Z.4"X-W\E6/CpR3@G*%M]]\r.7NMjYV0j^#ce:>M8``NiE/$+F;C4PJr2qhQ^T+uD
%)F0k\QuIs63*=-u1]oLXrpGZ.?6)XV`8.3Q0ta@,lMOLJ9'STKoerGa>KM6RkNg"\?iT$(qQKo&B0t)rZ>Wthh&!`8lbQtiSd$%M
%`(SLI=DZ2@3(X=XlK4/sl_q8rWK5$ihAb1CW`]'63$[\Ki%.J!=Yn?a?m+<.jJgo:#(#VmmI20)jHG(K<PVkZIZK\uEb1d0.kM5+
%;V8-7!DVj9[)c;#Y$;:D<9%E5Gti(&m)[c%c/KD^`FZTQ45JZ6)EVrXFj1)RG@V"=CRI,"9CUf5FJCj4^g=KZRMgp-F60*4'bUt9
%]Lo/uf0LlX%G]:+*4LH*gH2m;]V9]_B[SFCjMkQoigW=,92'iHMl,kqPtD5b`1i@iJ3SX4dOR6WHSR&A1J/0/`bX>,*aj#1l_Vmp
%T0Q"c!\C2$/(WD9r+n3TT(t&UEmIt$YM-%E.)VqH96&3lIdA0de<Y4fO`+0"N\n-^pmSnBoEMg\:dDiZ8=BMZq7ZGBdU;>,5Cb[[
%KZpTOh-d4anYMoT>4f_oi8ku&^Xiqd]XXGu=X.2/Fs!hY1b^Et\;4-p!*n-PbQj_='QWZBOQ2Amk9L.,fhZj\jV0+f/*9g`5Pi>8
%Q4gXeo;DKT/CgL$\l9B2Qn0p@TW[N(Bk$2l59q(DH;K;Gb1pL;L!*]0?7K5m;O%jY\`:cqhs6;L6[o8EkiX";I=)5j4sqZ\4DM/&
%ai!1^97Rj?cn]qZ<(b`H/WE<emWQOHip,l-_4fM<cH5G18C8M!Fl(l":a(D/n[W,od3=)@EK4mSgKjnuT/MK,<tFX4YeG)]CWh/\
%gRPfMm!N@546^/HKD?L$gNj@nY?CBQ`aHh>q)kUunH>=SfHa;AmW]9gT8![[.!Vqa9`G+(%Zk0#4\/2u4:sX@+B:1B"hb,mGTG98
%#0jskP!,oRW+45qf'f/YLu7"dbL.P(_?Q81pEOQha75gC_?uc_Xd^V_E5t7pL$u"G%d$d4g28k(50;7OUf=AfkDF6T?DPE'1H'!S
%oIequ$='3F"pK3co\dG^J0,?QYlKD%,@2OA?U8Mo;R_e'GC*4Ebor%5EQ=.fQPT+9cm@"&[nC,#^t8Pil3iDuJ_T7N"DC:(]AE<h
%\OkaTj5<kFJ>uc4PtpRPU9VejD)1/CXMp/[%sIU'M#`aB)*Db@ZYGNd+Ikp=$%)VZHWGS7qgl%7XPY2$#s_7\fCWZnWS]9g$YWOc
%@]@<`<10Ner3&<!8]/;nB%=`go0oaP$[>.O(>OK&E,ON--Q;;!mD7Qb?p!<,(T\*$.9,&j"NQKYSh*+N)t'uuGFO:>/4ugdpXc40
%k9n33Gf+scf1un"5n!(kmHD?:$=7nB`dE3o06UaB7I(G,XoO+0cinr9_&h]8QrCDXS+\V,L$9;-+Qlcj-:^<OBZh/]9-hfif[$Dd
%dd'g@<2rEiRct3_@*Xdf@1o_IQLU)-8I98pWMIO3*f<16lZ((Xmbt"ekc&EkWc:m!E0+SNTb6$]NjfA*\2q6PK#PV'O.]DPVkms_
%<re2i&W6TaTUR2Ti:IROIi-IRRiA;EFJOhtf$%kmCE?(@\gQUrE(\m&@(S=cb2o3!k)?p!9uIn'1FZIf#LrGOhTN!'Y[i&3B"q9H
%,9tNNJX5PG]iYRn15<H<(3'Y\FG'&\c5J1k6WpV@fe+\Zc,A=4RT'5(//tX;>\RE7[Z'C[S#g3J]\]Mo)2RToM1PI'OiM"lf!]:d
%/l6`_H4l+\ZNE1:WtrC#0SduI=T<kabEm'DWs>d8j`YmTU_ca)1>3r1F_=m=>Mb8Rg:39@g]6Bs0S,>kQ6$3Y_hc#"*i'2.n.8X<
%:2"6^bcI+"GeL)cl^cN6G+T$LU.V-F<s4m/H5mX]!3(lrck-)lR,Y@n3[O*lIJ)uH>JfO[[_n`QUFPc%,.b(9)_\'=JrV34!]G@A
%3A[)]r$h&(du;-LYZV1m6HppQ!IJOjF%;a/Nbs:_H;J\C1sYZscX5(oYeAJq\r/,.BAF\\0)Y=6--*ae?#_r!PT[<9aQa^+?+8Cl
%dUXQqZ-PdgCF(g!$WPt_(UG"$:knCq0SC:G-aZMKf9NeV$U\mP4Jd3-?fkMqe%>o5.c/u_cP5BI_rpVj^8dFjSpGt#'m"Tq;DpL9
%/JH0A[+!q*0^ORg4M<f5#nq07(0hjq$fhL5n(,P].]@7J;L'<c]X]E3pqFR5F+=q[+,3]s]%'Ii#FPH1AjP:;G%'&tUg%[EN9'uR
%*j\m1E9Q<4/Zt,_Cg_?GNie2KN1:%^C6_m$.gfeC&O[*?CJMR/=i<aiU^RaqnREERa7;o`hqMSSj%SQJfo=BB>D@^%fH[Y&aRm`;
%^CQK?Dp,bCSWa<4k.!0mbeWPDri]-DYM=FU_90)=?!!`uGN;eV2l2$*n+d\l_&/HI]QPtqm3Vi];MV>\)(1;ejsge-E&/?E]@8Eq
%5H[b7!QL,E">KcH#1&6Z?;lDb8BpE*;FQNFc5@kC*5GrJTP>:X=*OlDh#@@*jYF0e<0PR+"k?AeirH'#7,2^lF='EnGV_'b"aOa\
%iq0&M-)[d<=WYX:))T6AY"#V`C<i2F5fgT*\ZL1#QN)O!Do*1Jn4'B=IikX6NoBE\6%(j(AGWA0,clGd6@hIE;*?ILl\:f\Gb]/p
%ASc)Y1iPZV[$JfAjl:*@7a%JP;'ZUHs5-G<*#IU/lCO=kFBY]OJKgc&H[SLOV!Lcl$P]T0*qgYNVbaIqjac^U",3i`?kQgnfFK+4
%SOl)_e4\!hMbSYWSNT5EiM3&#h5ZUTVZB*f<d[bVob%)>c^4<X#p;gM\+CF(RDndc=*@@+E&ro6$'>OD^;4>C(W4X_finOG;H1Lr
%1)E&a/9,=6+NflhA`U-Jkb3F%!%@:g(F9etH-WU*d+j<VW51%QD;b!#NLaW-f//%s5uaHld>'@?H58>G@k`X[jaHnf?XjJ[`sU.m
%n*Y\>_5t%UA!OlN%%OTs?UfY&I&u_(A[p?6P!fm!"3#X:4ZKV`)hH%SD[Po`pG_laX78rI&LMu?L?mhjFj^V(H>9'^=hF0rj.q(p
%5;`n9I",$4k>>^P6#Op0pV$Eo?NRedS]QAq_5)Id3<F9\ajS6o\-oS8+l[H[HK<9pENL?G%o:H^".kE4rUK&CA]U;]C%0sKd9kTO
%=PVb?5irnGrF\*bEfNRFT"6c0Zn3169,;?>_=\5WG#"/.$6<^SGDf%Ca%/Ebn%gAl.*U;J@KC`k`1Lu;20&rT1).YeULqk9:>*%b
%2-J\7VZ4q<&/JNVohuTka&VZubAfnbR9pEbg6\?fP[r.=k8.Bu(c+,IP`Cc<!'YJscqX@)"r14cn6'3S$PAt%a_Tg8CMIG(f,Ka]
%kso?O_,'L$qoQ:G=dG]Q$'MFDXUKIBmC+5%1&5_bBPUR7adjS-L!-@=/Crpkb2mF))6rO1>_`aL<I9ST/dL!TA&lUfTV^C&.H#G+
%X=;uJ).b/t1NgIh.k"4LLbWPKB=Bo1F.3!N*e<"2)_@nH"Yj?FqV)S1I7<33=!%TBQ[\Bhm/a`^dAb3i"m<)dY,\;el"S.i4Rqdl
%Za+@BSUe5!=>07?Ic)?ZZI4s@Wnd6.GXsW?ch%0/5BQ3B3?I)85ZZ#?`\4:j\Pg9LpjuXIa$@R>mo;!/HqE`bW!JV6DoWW3[cV:J
%%bsZGq;4*c_/LpHXabii0Mh@se;_/<:0epqp!=Ng;M]\S2').mQgPGcq<]#Has"FXIVD7YNm3<*n*@%V&*[6%`b/#p--Qg<4ZjcG
%7:D':,N9X--bfJ(VJ#:u"5N^q&33&bA'Y^<k;VSZhqWeI17gXQ(XFINd'$>)Ag_KLG2LL%=jXKjcR99lIFY1PT0;U$UB4\d]V:he
%@AD#)QE:a!gaZ:]530sfm?k\'$u31jmY6!=([H.Y/@"dBh7u'iBoTeM<ZlMkB-)&nhj0n*ms?A(Sb,VCHSskc\]P_'!G3C#1:6%l
%]>h4uMEkRP_h_;(S\hdE*>MO3&&A(X/5a(LcO$`^>m&P!R>Q6581K!o<%VF>E%.*oJdir?7unYaDucu)d$i>dl`05IUhmb.T6j;u
%/']#\X!J4I!->>8GcBL/Sot3sOl&7k@+M`M-.ipm\!CpDiS&ROUAFcVlS]DHpCf8"FeTBL-=j?sJc_&=AfBhFnUT"bDMNp<q=4=[
%[9f]s[go'DOq.^4pn*(hnBp1W\[YA(&#0t>_^oBXOh;jl(m._hUoE'8)sE^)/)-K4WHj)U6\;'-Yk,qlM2S&2-`j]DD]f9,m&\r7
%Ip;6s]?`/EDH4W%6&f:T=o5D*DQ?brPf1[jV;6qb.;]o041*M1]Qc_PEc<Z4E:K<XNEX/]SrbPE7^b`CIJJ&uAB-Gp0So&m]h7sg
%`kVfA^]&H&Sd6f.@U=,^5g[3p"[Kqjq%Jc'.?,45H,<6aacH20=)P9apc*YmBqGkK^F';g%uDf%DI?k<`&51('.L74CO)E*5>"9^
%37@cd0BM,S7F'.(;b7<2+3YFQ/*ui,;.^_a^YNPJD5_.7XX),&Fu&YD(ruj2"\F?30[M+>FT!`JL7;f^DAR*<<Ri>I^oOOHP_sk?
%I`9ab<f'Rg;jTX4^?aR,8qWD`NC_Tck9H*WPoI?+[1T,"Tc8!&p>p@]#:3Vd`M=gtf\ED(lU!*.\"9ps\b)e2!#=iUMoC[;`3MND
%3Cij1-&'-,eqPgC_<[eX?Q4+u]@!LtdGUkhj<t2G`@2EB9?Pun'p,$tr&I&tfaC33SipWE6cu!6<HPo$EbfI@8oIteW+';fp)a"#
%2$alp&NnL[ec[DFd!L&*h,7+"R2+_.#$'61pW3++@,#I,[ahj[HTNYVp#IFZfnf0n329L36+h*#QtLeh#Z-nKK;q$e3S,(UT.+Nd
%$IX,!eb3U+bH*$dn8AG?20fKUYL<*f2[]Wn;i;Fm%7DYe/g(PB9;K6WVQPmX7sU?b_'/%*$$Y%%g^3V>erp%KMoGYf0r#O3/;"qQ
%i;X<kU6__u7c6A.o(#Qo[]9Zo'CNN.<Nhn9!<Jq)\ST3dV2#k75lf%7b>'Z#qZ6>aJ-$#.=X"Al+<LdVlf2p;IOhhA/%N!UJE'b<
%[!#D8Qda1$R!UYY57X`'GSa2iV:3/SnrRDn+BNe:8nnT.L7I2b`sabAY:<*_q_BA(X1EIQ$05OC<dU<!cp:nm#Y?A6N.G7[Qg5)K
%=^6EEcY4k=^jgk+H&pOkVq.5/^ThZR6h]3]F)IIS'Ge&E_S,7X@<u.e#H8VQNRiP\8MdpQ:A]d_(\3S)a;bZjZ(6;kbV2sWnu.qk
%3)gOW#>j0RGm(S#pHXsi\*u;CjBW5=o0^?ggh:XJ5ZoqRK1fgs<#0MkRYBN^5;$FJgen$iO&d)DS?m"M+j@Rq9/h)>Q>9VJ#k\Q,
%keL@H]J%&X_F7fS=iI_9E[K.]6GNc>5ipO-/`ijN.-QHFXRYeC/@o!G0H*I9&fq0hB&V`t(rN@6T*f2UVh1N3q)&Jg1,p](<&IE7
%a]-4b41D&!E]fc-nL^\r'j#DoQl-`BWbZ$JKlmbX8+0(9V__jJYAS9uJplKVA&oLm;.%BmZ;CbYinpot>hLe'I4%On;1SK9OF#EK
%J.Y$9Jm%DF??OB>c6AkAiqU[*U0E=1N,'^OZkp'aX)<aK1XO=D:n,/%*W$$mnOC)*j_debkKFhqh/,6D.GA-*K>L4<MSOr:h+8M*
%eI&6\Yck)IX]EXdRJRq=0NtIIF2N-VcCXb4TBDZ5_A6Jjqu8q\gfc#j$e.Q&2IckCR]s8*#I&!Faj'L-hTs>ue[EALi!'LDN@TXF
%hDIk7@4@2HGH9HoN@Ht<_\)arFP-aAd(U<I&bnDSK4/K38!](jnj[V04SQ6q!oID)9:;8O>[PtF*,0AuBc,e]jt0&7^4CoC:\VE_
%1do@/CL;cRBY?ae/KK\O%?<&ACiEa"4/CZ(\=^r58O;$=O*#WMBsY>]fbWoF>^38d8FCkY:!M;qoD1fqWXE5L0b'5^0qHj*6F9\A
%K.lRA*`+5f>uE0jRVJ\g:9nGU.T:dbO:,m8Rp>'QhK[kCq_qCi\XE6+cX@_3N=47(qNT+?5_T&c.d;@"Gh_,+R<^[,\FE4:XF6F(
%^8-;%TTm+H$26$ZJO)#^kKG:Vn,U2N1?].*Oc0&i`$1VuM8f(AQuYcA5DnjmNf<._#r@!ZJI89;j,]G\m80po_P-i%0uJIAp6TV=
%A$d0=_Mu3M>E$l@()*``)6PnA;NPcRie]/l#L;V:q1Ub<QR3#^"dq4g@TXfkHM]s'+(m?\N/TMR,0D;Pg("a*GXR@aO5U;$Us\HP
%[56;)/cK^.[cDkgLbg`?arEW$Gi-s!%R*(DqBOO1c(A&Aj^)A`2\sUN1%*GPXD*`[poq!F1ILVo/t=)A92)2eR\-=+'JgTpj<0#)
%U(EKWkjRFTZ\MGD8.H7?pEQ)N&X*KCR..$W)H`)ss+Ft*/,OIB+IX5QiQ*[6/&ZPHNDCp+aqGkP!ldRh1.Gf8JK"%'>fMaJf54/*
%P_dLT3L&/i\<m=#M9?lB\OJceL10KfIIIq\bq9*CB,Q?E14GU&ASfk+6PucRc]"KKmY*B_S9?$Q&Xp-dD$6r%<VPs%#*=%F9d8<m
%s4YbD\;-70TSKT>iJc2l1<eW^5.'?mc(Kh-Z!0tV>"[9-S_#efR\310ZM.&$=Gs7-\TuC`q4rNB8!<`Z<mYjfYZ\V(P0?ME0rojN
%(]m7Ln(s]0R^dW(Lf@gjpd>WX_o':Q=mEgq)!6Xc&WL)1Z3HNF`hZ)NOaH#j)6-YmZ/25KUN_[Rb[J6I*<LJ6D5$:PX\VW"]%XX;
%0PV3e(W*$p+MPg_YF3nKLI8qo,pIOFk5r@<''a,"9DF)QAu'n,)ONd%XCs)b-T4(X+\63s.sHd/^I^(SU;GO-\YSQgie"WBKSM!@
%oXu%eU#`T]N8G//A$3f1E"7WQHG\r>!ob`JAe$%#rqbjJ89W7oqP50]"HCqq9?-C!TTHQE3S7jRnF&u)/$i>^Wl%]Q9\qNIAh\9P
%C1=OkB\Q4hW4#4Q)mY,c:IZ,0ASX!$l0hM0EY]uq_IfiXE?46Dn&ec:UF.;$Vic)*nn>+,'1-<V.,b%1!M%/BVF):>/9dE)9Kc;&
%=Sre"!IH,=5:jCa<'_3%%?N"pV\l/0:<$$'>aVh7A1ekHI2V8WS9L,]Se4s=+Muepa6I3l<$cTkUhOPARsAI`P6:A*1@^PoZ^,$2
%MH^?G:efKHn&W^oj;)OsAEh$VbU0)h]?i*VYbAA"2s"7D+A*$T9%keMF9Mq".g>69D(eGC0<XeOiYTqe2*\)rg7@/S6"LpSZ\BY8
%>M8g_X=)Fj:Sn9mMEi6$:)jlfs/\oV9$.SP3qUD1+Wu\pm(6IOQ$[>T^KShpkS!XpbZEIRU2p\D.E=1oZGm6N<7-7So9QlHc)S+r
%$o[nfaL7a3ZK7!N%%ECmE6H9!U72`.].d!E<fuK"1hZ#"OBJN^f/,H/VI7D\*Z6<V?JuIH$PC/k`7BPJgQHM0<*fp!JY,F:orXK[
%UQ:RWY_+h:;[u=[_;b$r>1Cd4*7.T#SZ"@JSB25F<![AJZV4fB/qRK4[VNZ&9/0'8\,[jNDnH`fgF)%X/#_fZNf$H0!&S%3!@!;^
%=-6i&$'O5R&pdckk/ToSQ16>Z#Y[1Ia^c!@]4Te*.e-,u!VLnP"*9[p3?ph5Y,'#I!RB_OWEMiJ$p`tQ*[jmR2p7ZCNoUh/.)Tkd
%/CAW.*]l`L88$F3L0ib$'%niFmQ=Y=ju<[q@%"tMP5G(`!Z7ATB<X_)<[[K!VW@51o!pU`DfB9S.oB7868kR8Z91\4/`+.nUa.`h
%D*mF2h:6>=c^AMAqZ9.82?g,/,*W>[@/ADoE4_!X*R?!?FOZm/h]in1cJ?QB[T&IEKfso>bcneU!a1&aFGb3`#8O=/C^i/1hKb'#
%jXC#%U(Uc*&"ml+rkMLTPnRG_[jV3Q;ElWS,d#%K5I`+-'GmoAd)`.:8o"&OaNlsT-o`TYK'.L[%mUJX?l=/r/j'86@*sqPYXeN2
%I),he?=_BJ\F=ic``@B9#K.E7La3pF(Z>L'q?6A.T-L\2:d'K'iNMqa1GgNGk4ldPEh?%5,KjP+(aRS+HDcr7cok[FL4$7P=O*$H
%Q\\OaJRrj^C".3*I&4]QEqp)J@<@\,)K?YmRU4p[hNs1jo9`X(WB#/gJ;fsbl&2a+%_%,(#<n^p$HQmM/ZE/A\EKr>Y:T8HY=V=2
%!(Cd"Z'DrR,P`@s?Ys3%Y<1].od?#V1ft^;>^`jLg?sX`Y,u0*bJ/UI9(nnZ.Po6<Lg)>109RR_>h2&]Zf&6S+ua&0CUFi_56][S
%r?d%_HnD-NbMWr%VtV*e*Mp&tMD&c$[sDm-lg;ZIT*JC1q_[6r>gj^Wa1I,7XBQ^.-kL*D5he"h"!b`G44``XljOKT&Df3)]>UV*
%dG>]WA-"`j,".,YUK"ESK2<MjqSP*5P(jEe"d*-lJNXccHp;D=0D9aIe.t"jVNmXiQtZF]0@og)W_8ia2rZ`cAj%"hN?H*oo*1fm
%feu3kgUKoWmpB)iP<A6so8'E1`mdcT`!)kLXZTT@ABF)]Y_U<GdXkGb`C)G@qcj=/^sgp=>Y>9<Sa)WV>pK+#6;;CVRT8W(gbm6c
%')iUH!Y6Ar_*;;SQRiJ5cg1kgX>*L3&5g']Cfg,)N=9bboB'&5T4RaF.Z5f]BfHHC"2ca9G0Q<d)umT?cIj"m(?#cZppGT6Qj08`
%SG*q1Pd,)1X;O:kAcq),'Ih.\ZiC3WP)uNW/>R)H9ASF!#8U3,"+u`87"G25H"^2WCiSQ$XWC?ZNFKYNedRRY$XjRg\62uU?T)_c
%MIjn'?o3@fQd:C4G<MJLd=#8*Wi"KJY-UHu8,8%ZVJP1q%:1.(9oDcS9,-"JFnm48R$Bp47aYA;"nO:O"Sr;UAA3N/c3MjRq@_Yd
%!hY8MaIRF2,)&f=FF4I.!B>ZnNX4O-O)Ziq_d9&1BCIN\GF3E](Ip6a_8i!g)j\LVduu&MV7&"_jX]%s_+gFHf+h'4[[Rp-bTf+P
%gidRAR.c;%[q!!hjVt#?,LiI>mutC8:LoM2\p5KpL><$9e^XD)j1U>%e[;dg<@(SMX"p=rG1l>3#-Z?`+3CgQIDUpcTZh]B#'9+4
%=!5CU&k1T`fOY?hq"6AZ=`?/I^M7K.X@1,bT'Sbq7gr^r<30u]NP-mQ2%@"b8'8:M'^'QPK=.>8)mHaj'IV.dkSIM$IHkB$[C4/`
%m,/eSLg+#D`HWi][1'R=>$buMSEdulr;)f>;4GDe]N*ejEd#sBU'D[TJn[A1&cCZ`ac]qVko(VMr-]RXeh<oNfB6=q%73@a0['%n
%L!hVO@g>R=[.nO(rrr2j0uM,PQnr6fdaGS&?N.Fl]3GOb<j750XW.Go/*.V$Q`66)4lHAu!I6'=S?m3*F>gnn(0gXF_U6q8#@gSB
%cl^4o,s6=P#6S9C0=f6e20a8M8!Q`l6L"8W163V)a==HlUTVT:i;=<ngB,\nngj3#Q>3Do4K<@/eV7ralUWr8$7Cm2e_U3*F9.ng
%5m#d^G,(d4I%%`noG2g-GF25-&cuG0q4p62"i7AN$51^[V/f403(l-a<-kYupjK2n]7iCNr9>Xm_g&L[9!I=7>Fa\G^6bgX;$YZQ
%j-/S@2L(I65Io4Qbl_KL2FWO$fQ3O_#_<(D<*iRLaWMWQ=58.O8N9,q&hU?0m@GXIK>S0g`B'46c=eY[`EEeXT"+%0?>[eCAb(=^
%\uA]CVH]0;6<OZ-?=??.#0pkGM:T^B(:Gc[r;"aunW[h^!1Agr"lr!]S4;BL%GpjpS/*Kd_?p0SWCRVU6VO\f+p,l13^h&Y]/39`
%EKr]Ra\;gu*aPPrJ4DYP?Qa-aO(&K.0LCB`NB4\=(M-BW<'"8)]Yikd=P1L+/R=jA1Mg(M)<8N0rV7iKT?m6S$Z0(*7V$+Mp.rFf
%11ja^DccjV:EA(4e,OK8!PnY>X/p_MQHF*m],e%rIfi180fe)\0N@f=cPs=J'l-h5ZSIgHH-lKA^EaL:2mZ<H"<R.IgCB+g=KG=m
%i_c"/RtG/&Y^Q+T^AUU_NeK@-VE;kEEghA$^WB:QUqIq-.L^LL9D%qS'0ZHfQ=,h9EHsAAH.TKDVm%p[Yf$-Q"RcUi[K4*D8rZZ>
%e#$fagY0t7N;&3XbN?lHji,*HA<SRf8_2N,SjB[U2Xi]jS[K*((`GI?:fHQ]qK28"?OX7LVglkej@6HOP..F6LrU_K2*M'M40\Mt
%8IdE#rPA"*-i?$'a4C_h#BFZt\W4[ccM2d2m[Oi-7qbCd6[Sq>;;9T0$>&@fjKA@`Mp6fG7[9Pulcsa<![TX.H9M*5c;&TgBs).-
%SuK!gO16R*IX,3^0?45=l`>Z6TNW3,]oT>?g&[8(g6*f\&jVN[?n.JNR@@`"`"<)%fFkn)Na]aOPI(6#o_^HS!QLUJ)t0E7atGOO
%,>V*K"W*U#r1lhO:-2"aL2XU7kl`\W,k"M^<I(6SPc)XT%<+J>rG;rWjudBd%W$_aGmmD=aX[\\S@sOOib^%>74\WtU/1VBBJ=4q
%3Ol1*E)FEb+/d=X$Abp!^H@&!gQN%Hm)Vl0Z'k$r"K?Td*oSVG8'cjA\1UtCns,pGYU#1eQ4hP"%XD(beE2TtnKGI-)-+H]gJPqP
%q#G\ho(U5+[&?hkTFP/T>URMYO2>XO,V6UEAUR7)[um'o"3#c8M!p!"Y3*,A7ZoOX5``1I-:p@<c'V2Zk<]cfBKLru1>pm%,:W0g
%]OS[TdO:Nge\9KbbL+/t#q$Ou?_!(.J#VFDB*+*S_Cgb/:/)LZV-RRrlf+P^Dl`&d"^ap9`UBeI'"rpC!ao9"X\Vo,)),t\\#6fE
%W#ob1R)^:9hXdE<S-1rGVOM,3m82&'B_pAP>"m3M_D<T<$!KAJ9ft;nf_.8$/FJC-%OP=9<a`T.Pl^aJm1k#G?P%1r/VPlb,#h-H
%b=D)&VQcS&OK[S4;m:[jHT^]3P;Qg[r7bIIR`Zjs/9)imFopdF?oT:4oILs&6Y5ol<^'k$L-]1B(\0!c'C<-RJ2tF1M_0A98mX!^
%C?5WIZq=q!DY+t["<guYE2:U:-ik2M5/7AfpYT>?F118r23DS!E#1_DI=B#I1_J!YQn`0Mfkkc/lo&\7emTVkN.I")o$0EBOo4c@
%`CsIUNb>^KB-t,U?"N<T024(f02QUk0!>@NHlYRd34f-H?fNCdPWA>j>j/^NPDH&Zs'SZR]?.o8@@ng!Z<gl!S(g2>IcHI<4<LQF
%a;n7P8;:Yr"A7W&7YYs/?-,rYo)r.Z/\N'j5i0`!f*7Dc5#?39>)jb?%%'N;J'OS-dkf\Wo`J03XsW2[EiZqG3Br%3M!!?Vg_5]'
%q943Vi=uNII@;G?Q>(@f@h/b@!:GIjR5QFQps=QSO_2UJ@=,5EEr:OFf\\U%;bgtO<Co/<N8G-%\(6_C\\9G:M<6J+GQEc-:(=4-
%gIY+cgN2LS2=rQE/JEK6Mhf<`Lpd/2KhsU<2/\hNM<D&[9lhK;#SsU&p"kLDf-_;IeBY`c9p#[aQ*l>5<ULJTI,g>t&aFt:Ba`5f
%?Fq3:Q9TC`G&gJ4ZnkfWnl4\<dHBr7[!eFUGrjn>kR6k<mr*Hk0ZctANc"O3`"0H`"M'B6CcIC?bR$%:3k)'+,:iRNP:?5-hkG`J
%'=3`MhB+ARgj%2LWcVjb[?pN-\)24#fJR6+B2eQ!@mS,&B5ZGjil6n<JBOZXk^'psG\$&d^Fh4.];'W[B$>m>M;I80JLfQ2GIe^:
%Ii$<[mWsj#]lb<4H?bLc+94mHlV:>rH?UB'8r]/a)$D5Iq)gF;HSE%Lq?$9R"o@=Bh6bRm?V>gV%8K*A,N?OXofEom9(P-u^)!D!
%2@CRt?JOkh(Fa\_5lMfJ/,#7<?k8"Z]_Y.hd%hHCSl>6_6;\W.OA<#F[PoW-TtS:`_es"NN).P/F,gi!`MV"pa7aKt*:#*;;A!]t
%Vo<4J0t6=9#G0]XWZlL="A&kaE=WpS=2m?AbsYg7$0,GE4j%jj'sUi4"nf)]17<S?qiURp)(@,r_XaIr#A[:jFr6_f$Y(;*2PXrO
%=qHNf==k+r[=ibaQZG22eBfC/&4nDM:MXoWLObp@8+ru2[W3OF>1;mlTXn<[.r*6UMIP/J\"ru'&MR'8I5Sb?hFn+6pCa\o2o3g(
%$`l"K";f2L$sV>]cU-[Jb)Fs\=\Ao'#X-\oQ@!^7_$nOjGZ-c<\)baj.^^sahGtXF<!4'>dlrFO$gr)QD%`7e)A\k6pDug4LCie8
%[Y36_BAp?<c@m2!7CR:^Shq7HF.jP3*&a;?(kFiga1GYaJhEXZ)T>.WYs7R8hB*%-/sJIX56ReDV=b"u(ih42)_C&+kSbG]OMc2d
%WJ=/!!UCs1j@\.cMKL"4NpaNr*9nmn!?c_SGQdh&p(E$U<j8993;4k^D`\rVE$Fh1IU\lSQ-?p(.0>K5p.;-G)u7GOE0La9Y7g$2
%`EFI+]FNG<-rWa?%Ef3.*G<+fKCO\8s+V!D7KW)N@tk4*cl75V?o^KlO<@>uJUlG>^IqY^cO@7Pq+j+0odO/SDMGcN75fq*i1@S,
%ap^&rn`t$u?+Q&k/s(Wj1UZ[sqYQ^u<ZH*cKSZbt%Ia(M+-uH&7U`O&3E2fTj[B9Dg&fCB<7DUGp*=d?C(VAl?MBs*[;L2`E26EM
%JAjQ<Sk7m_6PL/ORQJT6X@QLNPajVL]+7s-,U(;?9EoEF\3^hh`HpeZdZD449'Dh1QkXK[I+ttAlc96i\G<&(i62!7/kHkdBDt>6
%k/PnBgI6[^3oIHAFU3r_7^1-YL-!ZbS.Wq6I@iB&7_6@1\#3Ql8.mi?%[L/$n=gQpjeb*e1^_5Io'b@*RAfJ*a_I#U=L:<0OtMuM
%8`cY9K1SP[o2XTGr/dM9@2=Jhk*AGWA/oXZ!]]@N')rl/WFT0OIuh:iY`fp,p3]&R%Z@k3Yd*AD.'5H>c."dFlK02uZg_Nj<PR*G
%&6HE?;@olO>g#,_(e)c:(jbgt)9@,5+E#n`1HVR_*AhK04mZDBLE8.K@[t<J[F.10bUj3M"uMBnZG:_W:eJTp%L[?bP2JZRi/E">
%d$IuaGmSmnd45PK%U-.C+Gu<21#]=8FL5Lfd2G><e$Jl+q)?[CZGV[UIfHY+&@Z.X-NZiR#Kd3r8\($1+\X7fbE&.J-0.Ihh]2<[
%QSkO>bh;rVeN.%f#u0nmN'%*<b-In<aI6F/ZTFR)Z/_5G!R0kl"oEgbB[(L@lN"ZM<m5!oe?XUMKTQM8OqNY1/Qn^sN4uN^;5o(/
%TE$<2i`6bdDu))O&^hF@!J[RZbAj\qCA-XK>$:dACPlC+:h.U*eF[2\5jr)l%2"peW`IQ>>/A8e%*%L6oEJ)&)Vn#\B>GoVbJ#9<
%J!-_B5gNo7!7XtR;!0eZ"uZjc$-V>-<fHHW>%*0Z(n?_q,ulqcOuT3mSRpb&kCpPCYjGn(ed7[\2%mJ(korED[Z7g<A.CqhA5ljN
%)1LscmfEc,E)V@\&9*5AmrAY.1u0qo3);dCh;uj>i5c0Wl45"-qiZhe!oGk?C\"Zc""uZ33a^^3$Wjk2'[/PU!d+d=F(bg5.[^EU
%ml_j^Hk2Na4Vi*+qtugiRWdJK)dDlqnIrl)7Bh,JF-k7;<D's<;mUdI;Y'tqOm>>K=8lVZY<hTf(j#O_<3X]Sg4FLVf4VEe]g9Tt
%25U<U4N7jDT$Y_'X(ZT]i#olPWur8+m$0VjY_<'qd".j1eRQR^K!C^$-NoCkf`.g#DJm.aKC$G?6lBo[fr`(b7p?&mr0Uo'hu+cZ
%]n2SekcaJZe,(o8Q\$%<@f)W<8)D&CR,7+mg0LjfnE5^]F-jTA&VrN`s$7Z#+4\/Bh#P$m,6XO!"7@jXBg#d3D/@XD"p[0<4"Lmm
%&G`p9;=Y&A*9QX2cfCE*W<]Gi,fh$+>OU2d+46P-H]20<O-eL_3GT-8c2a2DODDiE^sTD]MX2MWiE;R,m5/CZNu/-[FN*AT!g[5P
%Ei'KYm?/j^]!A?ij4p:T#imnt+!0V75i&Jk%BP`X%G\:+Q3b!>f5sKGaP2/[?VQ\T<+10E`:Et-KfaoR^rV,.2[bcf85>!`5gRIH
%qNt^@HL"HBX<(VT-&Wh7j;YII0$4MO-p9O71r#ha^kP2`VuL6P[:&?<huOnWf+E.GFpac(%ip=O;l,MS#N"2Z^U\te:duAE@]]XF
%+96La]kr<E[6Wum*\f0N5_3QIW=G#4b)hDY"T]Ple=8(XD.(lJaL3ngN^ia#+53UAbu+QWHl)9h%rh>C0^9@mmn<!J6_%TC.;Kd(
%N^jicm-';r;f%N11]pm'(uY;[V/:eADX64I8'>C2>HbOqm49*ITEnpdI"E%DDMFD1gSXhs6,,1&IE\p"FosktFs%nu_?dFPKXXKo
%mK,XV&0TYs\'dPaQ:`Pb^^.Sp2ATEJXY.MZFUZK]i>SAOCHj>:>N#9X!=OfR)7Z@/'9WMIi(b>A;N`o!$']%6$19H&@H:_6bVrr$
%=d"':JTQ#kYk?r/[X>8*[<gd*/d`^Wr0)9+]W1N)q\$(F7Z4RES$WS)GLH@Q8]i;qOW#;nYD#D2Y)Jo+%[Mpi,M_$;ahVZ@o>uLM
%+9`ldh]KIK;d3(FpQg"O:ThdN'lY&=p5_f5'dW1o('.u9YTN_T'j$8P8c)l770krq<R`^c$BPB;86udp/'L$]P*qGDS'<u4;-o;4
%<,kET:<!F)q0&O<r]-B6nf3csnAcg+M#?8leCl\><93HZan5tN[%\Z,./sTY,?9=n6\#oR3GFpO\:_0Edrd2!(,e4f=htNQ'WG;i
%^B?O5'kIUHKh9Qc-H$Lf6'5?DoUt,*CF@3@)H\ZY+F?rYI;)mrP?1"S_Ya`E93Y#*i$=QhVP0Eo%2Hc!kZ([H='-\L]m!,bS[!lS
%^n-c\CW=UU!T/J]p$6+BR<rL/O9cDIf$"kYp2n`a_.h(6<*PY(OktNp/eMmjoeF?#G`:]l%?)d1$*jd>,PC=nrg.8+q52$sa2>RL
%nVT*YpBB!i>Fb3mgbL2EfuU=<=-V.>d2@#_&T6)%ggN^L!/-^PSj<rb@&;r;N!Lel[U#)3jp06T'k<p+!QTSO.U_pWbH/PbJ(n#\
%CDqi/[m?7e"cCe2>7V9YV6?@E6bdK`2h'Lq.9_S7P:I4aO'o@g0+hU;*M"/JP&]Yc*AGnHF;EKeiDkcd4KJ26E\N6K8-H555?T*6
%YscU+G*0l2F\1^FHAtb>SG<)fn?bCbbFl.s^^Ghqh"J%=!>hUc,afIO[15[OZ0g`0*D@Ou_j:UeI6e;LMh,feYTLIjm`>A):?;g_
%%:@iUN?4IAa>_kkm2;QV>?BTMeh$607"o%6dg0-^RVcI7G9n3Ac%$26&g2u$JLub'128-\mj(D&1j7+H4r4<R#s[Y:;#S86`PL.I
%qT?8+$6:\e%b>21.2A`!SG@6%8)%P[cbaHHn50rj0mm)19E-kPf*#g`gPi^dgB7utg^Ftf&2&I=EkYL96m9'Alk@Cb@m:!H._riB
%\Xj+,WQph%q9e/j[CUee9<,)R%V*b-&A(;rR_,Q,h6--ZgTc>@,('iH[NW]-r,Z_3;9?^D#*A0L$U;DG^9n^UCg1^>[Gh:9rAauh
%!LA"Mko'69"Qt>Ni3Q\?gVX;k-05o$&.8TV3)Q-!5"[Yk%R[A_+;>rH1JsJ1@B!@C[fHCbolb!?f<ak?Td[$IV'=5sIb5NpebqSj
%F[3^oLu<m2ksL>YqWMSeYlF!PSg%dWE3$!hlb=;JU@Tlf5C`<n#^")Ck4[i$am=L?.>T7W9<WKJ5P*sS'o`;dptN6$Gcgi_!;JF"
%J_$.E<C!>.h4HV,$Km\[MniW-pVF\\52$XQRsBE60eUt1lAk7KSO_)NZeaB'7Nnu/f%^-H;et(k%)0/kSK>4lVaYDC$FV"?gm*oJ
%)I'V\2"5*n^VX3Z3pBP2^_lPD5MlUj7^O%m-O%l<,bqc&OaS:hZ=r?tBjaM41KP'2Ra5T-L,K'@P5G*CiH*\LiS$lB<0O@eqII+Y
%dO1[n:iML9:PVt3>Fu\h^]1J(,kp%7I/R>hq61'DcDbB^[A@TF[H/5T`emY7KakPK/;u53G2`-$mX:Qg9,XSfk:g7m9q=f/5Gh2L
%ocMZZCoo:'nD(Wi]SW;t]a6+II-\`WP)q<SkLZ*!>jF\,dXqU*&&)bY".<&&-(lPK6lb7Pb`HBdmoA9O^6,U[)$Y/s0#\%7p7:.)
%RfIbf;TDcbNU5n2'RoAjV#$lt41\N>:*4T^=U`?$)c@=\a7YKk?-AiDPZLULp*RnUIN!>Eb4N3=(doIanhuA)'VXl>>Je'Xhgt)+
%oXiT?l]p\"]72Ocf"_H[4eQG0l@CogIfeq5LMdFKZ$]Z&Z(F;G6%0fSUG92il9RFilRT2N^;;W2LHW^kf6,!s]EDf,:X<g\_OFgn
%Gr%g=:+OC$ThV\3TZ"tg-"@&4`r``Za/;kOEF45.4rHL#"Q;;Ckt/,:9W#6<(majFd8n#/KAX%d206+s,6FD-OPZ9ZAd)J>2I)I;
%6+4+?qq$;.dUZh>IBsL-aQl+Zd]Fh(kT;ML<@F;E:+B/u-WdA!_E$NJ@`%_e#fm#IpbaXses>58FZsEaj""^BLrSYBI4')/#<bOu
%3Xl@=W>,jdh]KZfoDCm>akW1*/b1;!lB-j%9TTNF&Cq7j:m&Cn752hr'_'2<FW)&r>(OUgD,rDKlJ;eKZZ&<#/*B478C$Oo(QeN0
%RWMUK9kqt0J/Xe*C+`5Y-fqcMOWA58-Qbc]c<+S+]1=BG]?;3Oe9u8GKCWtZ!7mW>.!6T(m0mmV[-2HmllSJHcHg-)'%-IDqA-`d
%*;'hZdG$j#!R?ns,2Z`,[K:IjZra4%-*LN7T6.-L2M__'JCh/H+FA&DF/93tC[QFogSYNL:4pS)s#r[0aT9Q$4uJA+AFMEj00fW[
%2!(a>8?J1AiBH-%*4+=/P02keOG>J*LpU/9V5AFiB7[oDJ=t*f?$$S=nUJQqDf#e=W<K^OP^k"2m2u4sf06cr(WZqrB^#SoD%gkA
%>^#"V[3)Nj$ug'36PHGO<Sk(ffXWD<4gJ04gKLcII`TD.o]nhp5)AOLb#,ihJ_@.,nYjcp0"8:=Ig1=rrd#6nmC,5P5gRQD:69\1
%o=tVkNU59SI0G))p([pN?f;mC1%j*F-/s&],?h9YX9m7$X;8/@?iT$(qQKqliJY`M7)<n`>Wm1UI4`FeY[`1]2-tckQ[5mmLu#K\
%?"=B:$mUhh[W;ciP(PJF*_UmBh%bX2%:&W4jDnC%a.m>nO4)IA[Z,j:TZf;dN]RY4CKBn$L>*#pbe*q.;Ks@mf`^`aDKU1MSaM#f
%^uA.RUmEu8!uJ6u-7P\.a0$PG[n->)g9E&6OK$*=DCRkq+g4EiMcW`"4$kG3n23Sk")6]4j?eKo8>FPBHJC/e0U&<a^aLBK['<^3
%SnM^b=l?R6WWpLN*4aL:QbB]@i5YIcm6Tl\P-m1,N_*HeD7"QAI:+Eo0?QQU/-&u/)2TmFSrjIV3o9):J^f;0-ED[\Fb!*qXK<P'
%HjAPt0YA;452%45ZZp"k4H:__ar=FpkZ3K--?&/i-&`7cMqdK2!KiOb%KCAEr$%ntV-u)2n4N!%NNB5dJg&+=8XK_Hn^-3Dbdu3a
%?9Q-Y[?*ho?*W<n=X.`:"Dmu?=6:HJ0Q46`UE#_X#Tp;f*+!pQ$QY%.4W?[n\?5!ii`m&f\:\uOa'[Y(1HsEi#:!%2=gHbFe":8t
%/I4!b[Wb(RAETH*.+f1HE$^'hLSf[rG7EP[^-(2_%c7\Th1B.YH%k55<q&]LO2]=43qIk4&)\QN,m\Z7gc'Vq4mc8XbT%+RMM$n7
%_bQ#5T(KuTi4_<?LS0/4m'9-](7)6b8CVo;R"@tI.%S'#jb!<[Ec)?o+FWuMIM`T)"V^i3=k3obs"psF$U1KM'(#-Sji9c9LNb@q
%05UeFJd2Ni3rlG:OumqZfi+!=(kZF^1'Dh5]U!k+#LN64fi(jaZ<\=/F=d>H=R<S*F8S9YA@1X3>$LPs"LO8\/)iSY,YO-[->((A
%UkIKc_UTi.m\CcU1/*DW9?J^8@8qVlTV$</7rlbS-%HCaHR+"oHLqEpQBN@Xn-k5p-mbCkNDLRfKJP8q"GC"bF$1_q-FOj>V<]gF
%q(>^X1D$Ci/X/+*f*tEN:ij@jQ>=uX+?$QgKgKcI^r[#-/)6()\W5`3[??6:fDcTh/(FJ3Wh,6$9gJBEWnCKb;9VgGICb'9_OSIT
%'k@/<@.oef0]KiW,+U!"0\X\tULg]G442-4JY#.SA(4c,.`&9m*ElI=m:&3<Sbu.ATJ`tKUGCA?C7>9,:Vf0KLf$9taR5)RAeZpq
%,j%jbA?-:KAh;,#*5L>p(t^'O!.L-4.cER<EiIkteA=Q'K#F0e#hXh<NU10sB=3@ml<(9ZPK^q[jSUl[!5,OP[g:b<!\/jjU0*Yc
%;L'[HYIZ2/p8gg^1(8PA(3B%OW']XE:&KC4^4*6tI26Z1'I#&r,n[/A:@`dOh9?#8Q!1Oq%r:,bN+sRJZaRQ3gc3r='9#&P01Q'0
%=Oj.P:m_N/crVVlBrrq</sI14MV8Z5]p%+"5`fV_8@Op\GE?!Z#;1a+FXM6f:!>$.j?cqN/[,5=R-PFO0WpYcho)ue@R2t5;#ddI
%+^(XN+X7$"?qfr9d:8tIpO9c+?Gc/hDr>fhK]e+N2\N!2Pd7Q?KIa+Ceril2#E'19O?Ijep[ZBl9NYVfh5]asdOh6.fWVb*!<,iG
%Ysef[Raue$0H"/c!!*[o8au?3Dq]XB^--6!_#[Vp#Gj'M6gT%E&ARBb5Wq0e^p5r@W$h<Pn6G:$f_5l7A8iGiq:<Eap?/%(TOor_
%E[J+E33V'#_s3gQlrONB%]MM@KnN(P-8Uj-p$un]k;35V/u'HAE`<EN\!d>*.L4,6HPp*u]mO3pr,n;p]pCJE9A^kR>-=FN#e9:3
%9SSu`Mu2/en"!*ZCaYg^O,Wks"Orbk'YICn%GkO/ln;a4XEbYQ/D>GP2(6oYYSC4W>>(rP$>(''IGL/(["^0K"G$$\^/T'`)MQeK
%N#YmMM-A0ZR]KOr(OY06q(8<SjcD&@/u,_Cc'7gtdOnX<dhJW,6.S>d'se!Qj@?ET@9]YS1[k]0*b$t89I("OH^7Ee=*RhJN,X<W
%$J65L_LKQmKHTn]bcu:RWT)0CRBmIkm9i7(8fj&uMg%kM"t^+-`>*Ag*j(XF(Ce=!7CoK1E:>Ye1aVKV(0MY^L2#.=(k7k4+LN5$
%g%L;iNnS=CR1OqWA19Rg;43\0^o*B<<AY?(Z:Ar9!26^)@!R9)1`fT1<@W2!!1f*5XFXL3"??[bd;*rk?u1lcGs(GP]*.PN#S+nQ
%i@UAtMS%--mWV\D(Q^EW,]0'.S=mjX,P,,O="OucJ1Z[NVYu>?U2#U/)eK[T!8?nJQLhW4\$jr6V$a__>"7;NGn3f7;"XCj1)F>V
%+:3R$a4tABnhc.XKbhXTj">@D5/a_hm?QE,5RJo!a7.CFl;`O:#'ThKCg.$gnn$l4hI%huXEa,jPEo"Q"#G>$Z"#(Uh6WE\W"Km`
%Rr-_7:mkTXMK";Mg4NaVa^"?.k:!>J`B#+VS#e6F(u]lnfY_@JLrRN$kaAsdCe,AD29BAu!Ke]`$"02k'"@NT35sXbPb0dp\+P1#
%HduFF9DJoM5Snsf6Y2i(dP@`$=;Gk9Z!=1EmYgf$7)\ch7'QY!P*?"*-]H(+aOus%CqW07Xf!AV&kmVV0,TZnB/sChU)EsrPn__a
%h$D;PDaEPri5?WM0C'@+4ENIJ/NPXKeIWI'<<S>1)AnQWdI'_l\=JT9"r>BY%cW2"O<-#K0BW`!^u2HeT']#<6/K*36nmX88]s5"
%jQg<1cNB*f6E*VOB[[iWQCN^b]@r2]aTn/cG]bJ_-P?U4Z?u":-g2\,iIOqt81IBn5h'j83=m;4*pZ!1C--23nu2KaR+n?AW972M
%JTr6P[&9*n;?W5!EKNpn9\jRf`#_pi$+QpIr:JNC0J&sqEH%,r#ZB[`pc0@q7Z.o'<hbJBR8d?O\(S=@@!(S<%WY\)r>S>nCQa>#
%"eH'5CAEC"<!EWoQ@c)HpI"V]j6oZ0&coN<\Nsij<?#"09:roCZ8V4M"$D48,:ba>9?\,"=*fCDK(^<?j^#u/3#.?t"Tdpd!'`^1
%Yn[9Z(t"I]&DOaEZ;?f8(,b$An.=Nao;[G4$8hgP4q#*i@CYTE&>eD+>HS5C*?_Q#$C8[8rG]=t5=_QcQHD\95]s,+aqm"(e^PPJ
%V"'d,"%s:kFGR9Q\6;C():/ajU066g2Q$A%4B>]KQ@ZqZRObpGJ_!k`];0<`mA*\-GP'CE5e9NJ3d:BOf6gWf8ThNJ3@8sfJl0F_
%K6bfmk_BrXG_CZ]6u6s5Z)j&kieqj>E>Ech3`8%tggFQ6e@*B4\@dHhS?W0ma;m`P`%lAC7`M7H8S:Zg\FW\T_*\MGRbTsN(0$k8
%mK)2'FlKsU,Q,\<GQYd0HA/U69$G-nS=,%@dQmd]4](W3eeth&jE84O=69uT%R05a0JM`9V"6csd!bc-bc(AH101E(-`!63nc8)]
%@fr]9W;qk6J!eV<8Cg^&81ma+lRCM'dP2_1]iuU.m>;n!=hh:q@&#2ArU));]]s^DoZ^kG[;XV7$-L&^K".!Ch&hAb7LtP?ci[O;
%g0j^fHsmH^,#N<0="ZrCUS=r)q`N&a+/**3[.]9#g\F_'OojoW.A1"JJIs%^$"2,;:'537HUL=Z-$_!EggEgUXWsTig-fJ):sSkJ
%J?g$$d%jimb^(j3ecD>@J[NF32-VWV8[>nfLK#rf%on/Si9R/UK*A/6Qt*@qR)_#f#EIPH^l;_=%sU=D*AAu:,p8_=D`oKcPkFmW
%f?SF(pXH<,WZcElaKfr$!fW,T[=cDYaZ;2_f[8?(K&I+-i$j'E4"PCH?FU!'SUjWbQ:QVNQ;o8l6mt])(n$kH4[L4_>/9t"0P"Cj
%c@RR'V-UUsb8NDp$`@EL]rte,4>s'QYXU7@YI2mm#($G*Sr:.s]YLF9!-9s$7Cctt(A>7\a`,)-mh4]!<:KK1ZN,%\mKE>6F&gA+
%`f@1?H'm>(gWn_sMpVMdrOUB:05K6)#)G*Nd96_[X.7gD@%=3%k2KLL8[.%okp3N!L=KG0L>O[FMjC#tZcUAsZR>M0OU5b[NsThQ
%NSsOe@b22!R`/pBN#d<N(jA[\=:okJ2HU@`]MBkii/:fimhm[K,Eo_BK[::g]Gg,.X:b2r81`Ep^Ae.;_5ce$.g-u2W8IZNI`;L[
%8\f^T$Lh56I0^NlpO*7,LoR+uLuM#d#1a5I1O(S9od7Ihml^A'.,\]F'H?]:T)IZ/N%Ko0k7M@I*X&V49X"ua32`Nd2%P1Wp(hJB
%EAG_ob=3+IS8,TSE[$"l%8Ngio>IQ:'KM)R><mU[_]0pDiM^c[rY:@1QE/"T&We#WfoL!="rOEpbbNcaAc;skZEAsOb6Y5=k0Xq+
%(5L"lYe"QWiaO6mb"BJ9r0iq'9\LT(lZc/*fn4W7f_.Vhl3f]j9^caB+Z7OO,=Z;1\"R;>JW-Pom.'H^8X^1\(>i!0,%B,+;r6Kn
%7bBePc,@Xg:RQbec0,c/'>K"P5lmTTER4gH`sDbl3O(:5.mRS`B9J]p*^'?Sa-l2:@">Y%k=SXBn/:;ij8En8-C#?K)b^@;B1T0t
%Y'STe2/p+/_8.H5LoVr3B1)tUIIt1LXi,%)a[uISK&(6l]2$rtJqP#;]07Y41k@TAO9&7p0m41@D]n>R!2UXXi*>\oW@NmXH<T[@
%?N!:F/3Vo0]a+,6=GWR\!:in<bVl4?N@E>P;?1kl$97c>&b`0&#cT&/09d-%e8<+fkN?dWi4PI\$,s\YG]1%HYOek$^:YnF]r`O7
%-K;]^3HR^^lF+S&d^N.JLg/G/i#/?!d(j)/k2$:&_d9XWCNOu9o30Q9XI<t&6sPooA*It,H;"B`eFrJb@)a^>ptN4^W2#j3eq<6>
%2)/6XCRW:TA<A=W`OK.lg1IqXOpNfOjS+7VSB@7Dlu">TRq%6%pH$ouBe;RdV1<-,OA__(2G[5u0?*&Q+N2X7iJkKG%F2VA"IH2[
%,R`L/n(c=8)0S=?*eR[;'W#sf+")4!aNNTen(a!4rN>7+fU9L&D:\IZjDBCL)-a7B0V1Zcoj^g-47_ICMCf7MY1"-LN:G#8[S*fb
%/>$onR(q/r=9n7..-7NTMn:#p(aajeUhWPeH_Kh)gO2`<c[GqC0Am)^D.7blS4QKWM@M_dT5`.8OInnBII^uj]sgR[9]iP4WLLS@
%oCNUJ0r&c`Ja8G_.\PV%jNiftM_$NVF1I65FbI!dg]Kc;o*!]ZA>,!YNng8BUns@dJahQIm(js_@l3!g<Kq^J[DW!0Hrebu.2(\J
%ZD`UZ-DfGG`IMUcbRY$Fb>;3nH5BCc^4ClIB;u&!Cf7Z@/!uh&cN:h/(i=-\$>OIcf0,`"0hcA/d_F:(J@.,@n,5X[WT8"S>MTBs
%,7,OT,N>Hf2,0jOrCbmcLeCD6l-%,,:k=Y/@)^^#%1i'n`sgE9h*="c)X)'O$G^@)h@l;GjeCVi)S`o]V84@K5R)BgYQ?n&Zm*'2
%.+l>A@>b'$+j>!bDcJA;Ts",.J"Ro)3";t!N8!ArohA57Ep1]/,7t(grO1t"?j-\Sq,X+\%a=dRZ5KYE9/]-TmFht!?7';cL9PcJ
%=p"h(qk(ZK<%EjY@>;e/DQsG@R/fn]KCKK<`Z+.-5-E9@3\ERk@:`"to-/eP`P1<A,0XI[12@enD!>j(LU+rLTQ3dK[)$7e9c*qd
%^-;D/<^]>jmLA5PQ=+(@)QB+E8VT\-mrI+LFlWi!%4ZZj^<<HK=^Dkj7"iY+P+`4`#\S%Pc')BoS;)d@^grs(<9>*c[%r6(OiMFL
%U=n>1-jO^ed6G+'<d3(9p5g@\fk+QCGVO7,-7)h)2stu+^lF\>.CVj)h:$9mmX0H=X`upB]J=f;(.&gFnBM;/dU(SGQR&T,36p?a
%73pA(-]stR2M3SsO)%#rAPQuWWN0Y7LMg?Ko\"-nLcS_\YT#M>`/5ZpV(Q=21rd<*1)MT0;rqk^.55nB4,3Ko(B#hkhBKq\Kp3[Q
%K$kBu'$T4e0gP1+7()<adlijCd&+HDn:r#l7K!1jQ>n%Q9g&J@TC9ra5gt?a28#;A^u,4qf6e>O=m?/?JmVPqFgY7u-9oQkPQKR!
%U>if8g<D,s_FcC1@H:0]A\k"$<m&H@j#u<@^3mOKColPh:*'.\#R/H`\33BK+F@f)a\OGhj9*mT+n*RSN/gJ)?qK8&?]T4DeB]oq
%V74\8Pqp0K$;m5+]sKp1LbY>BPA7sMFCk<lOVZd7-83&DnA*89OcT=:E-rsGJFju_<g(C#I]JdNdp_=kFRXkGYt9Alj,n>MP3l2A
%)bg=mIIg;U!tL=_JAIS8RFK&HjROur/>?)7*tYmT)T;4VE@5IZi5-s#Pt*1+eXBa/!DEX`nHtn15Y&qf*E"gcEG*3K1YKK+>'0Of
%7"MGrer6+8;c"s_cU%7)Gp,kdMcW/!4s0JkUFDV)(F-Eo.p0T_b?nE9j=V[TJOm]3j7YnBb_Y''\@&D(2DY_KDV#7Yp>SYgh5MMU
%_m<dSN7S4\OV9;tO1["I'KfJS:I-6O8k<\=K+).iPXl+'eWJ,#R,.p^.fp8`X$,*f/%So=J;i(0=#bf=TaNj%s3P*R9F)-3#D.7W
%?00q1eL?(<"M#5aD.W4]0Ru;W)t$D;%1n48#kC6.OIL%-`T\@Mb4LgBR=Ica[?S3L4F.2b9CZ-?Ogi&:aE&@n-=FO0@YO(ff,?)b
%37/8/FQ5sKe9lAY%L.X+n!O.$a7?G6p!Mc?R?.7n?nO:8Vadl!B+?`fpPASS+3=qXnY"S,6;I/n+?B$9(W;jY+!)FA7Hk8/7O>0_
%SIUEV7U`#<FgSh"b0-U4QFa^R4NZQE'oDYBLiIC[&j=Qh&A0N+E((u.QDKI5"caQ^#;:ZFp=h$AH:>]Jh5sI0AWF!jIogo_2$WX[
%^Q1^KhNg%Q?Ca6'#]P,W:N(ncIKM30;S)Ydb,"[HVE&#t"<!M5c9Th;T7k&7n5Lt*cK(hf@I/MoYH^G[Y5cT6*#f&l68E^m"8@2L
%W<]%;s6n!XrGS4HbHaG4n1;RDER$ABo14m'F&3i=d9)R.\=b\9g0bCFcCWo8Yn9CNL`B_.ekVMs,CS%(SYS0R#)[p4CZ!Ch#2Sr-
%N1pVdF@Y6]1;6,"a:'XkWW2.VbAD+6dqdl$f68oIpO<`NHDJ3j62iQi?U);CJI)%=_/[VJ8(^>t/OM6*r:e5?95iLg#$/4u9Tt7>
%Y=kiZI.B0YG&2DGWle;(*[iG?RiH%oQ3!C7?:EDp:Xr@JjTN:dA'2-Hn]'%g?HTJXa;d"d/==Q/oK11m.UB92,+u_^C\T!YFfGE(
%j4ccA]hP`f$VPtuh';CG[OXMrBgCDBbuSE1f`+r#pf_"D(h^AmIfaf*LVkJF^2)Pc]gsCVgu>R<KWuhtfTMm[5US#k'!1uu5s!:Z
%GA_\'`<GmfAd;urDY/7#s6N^4,lmEci*4R3!+2u(KS.cVUb4VLjC*8"(k:dMqZV;k<qcb9SB>9/MqI`ihNeCe83$l_e2DQ$dbI*e
%Q#BjKiHQOrE\dC%?nYFS9?eL/P/cOhM*!rXI9&H;iKn_5Y4o\CE!%2/)-1)%IZ$]3<Z&\p>>glsQ4?[0>GL1]f?%KCD,?''1Err<
%SVOudVtP2;h&<m@C[n5!ROooa2<hApWEZ$_V)i9_F>j,)B/KDDUH]7X%,U/1K>K4j@<1)D_]$UV!Lu5p7=jItEA)GDnEp<pWG-r'
%NRU#"0q@^s=Q^V4W1A6fL/U/S93kltq[MW<"o(+N+F0L,p9aaA'_IYb#)#^762-/#+>>?n0X/Zj/1h`$CD^dR12,+Ok;h/DC^@5W
%>0+G2_$I5\e5@$l.a1`+2QGJg*oE\r-''P7q>Bu&8='[lVlu.!G*W)g8I&rg?tqTFBBcV(BC(]CG;9N%+=7P_lCo&i`X5nD\H;2/
%gH^d9'9G^aZ@8'#Zqm$W)G<+t'>9tk8,Uct)rYu<quiToc)K!a(VHIX;T<l=0`;mmV`EMd(:\ujUk-XB-50Wc>`PM03PG;?jHn9G
%c-+#6+GQ2_VOHA?d.GfU0jb3l"42;"/Ha"B"LHg[hFOAJ^HYn3R5!N.SD*qDWitt"C0:(-ot)cu=Yg/$o=?HM-?YuUfotfc]Ct;'
%i#Y+8j%eHNW%\?'!3/n7q^om,!M$e1f8/a=5H<H]2'%*-&aKE\[u>n#ajH,`SoTV)XN8;B1fH7CJH'mn/2FrRg000T1V&q\cDN$L
%-i4`#'notHLmIXE+Ko#8^4BOr3aOSV/=GlfVe''N7.%9c5V9V![QosYTQ=GbdsdAco1+nCFqRWU4KQ?b<\<J-$Fq.'gM]BF/S>)D
%_0Xi;ZWddZ/#7;Q?hXd:-A,G$HWs+;CpRt"n:S2a?dhB>EZT`OjQ=noeE0[jZ5cN6ABP9m_.$r7Q5p"KHf&JOXkOX_W;bR5E)V'?
%>n65BGqChhhIU`.?LH@2en8AqSor)PQJ<S9AYe\XIW=?8$bk2?^:6"]cNcE[a)t#f0^[g>oPVqNWO/diY,bK8.kslL"o>NdYj60$
%A,q)BJ&.(HB`l-YAU@>\3@Xb%V/:'qFaKBJYLN`RBo,LMmuP":.26<)2iqf?DoJPCp-)jr%1Deh)+]?#Qlfo#MTm1RDEZA$^:'8a
%]ukK-IE%mE0eJUiRjI7F?WTr0A]SQensIe4$>'e_o_84[T*T,dilJuI_Eh^Nn&T!RRna3&@;==6'[CG(AbBaQ+qET<QbtqAUFKU"
%B9[EK"h#K%RfT*Hn(,8N@GT[e$hB4,8+?+E!9jY+Qpr\34Z8=-$qH2`eM"?qktIaE&>*r?(YJG*<s$lH<d%'&*dIn_eW:$::-/VJ
%!01&CC@[2EdS'I`#B@)H7I:I!?C90E,oG.qlTo='!Q*H`?l&/Q87VWXD,ol0D:dZhXPhm!'`@[LHk7ZD;f@SpHlqhr7+j!FL:jK:
%C'C`CHY`Cgc%J!m30gWRhp_tti4N'<4)]UN3PP."hH!Bh'Q;1e5L\3?Q9PP[NIh4$=SSd5]%XZ0X(l&08mYS2hNah@9RkeFe'OF%
%A59U<G,l._]N#9JK$/YlW!W4K.)T=H#!:8oYg`';@".SHDbXfF3@b/OM<^>Kou4I1(Dn[raPN'Y>[<8'&?OAbr.8>d+`/cmA0BPu
%ROt%7/X,U$Yc&cR;JNK^oP.&7Hm[!73T6narDG"JM[Lu;Pc/L8<$s`+J5?Sc!NBd67%<D$79'X_1ObqnPGPr/]kjYC^H@24anclt
%Tr9(T\U:cV48A9:gEuB,#8&UW0HQP-7<8@3[$ulk&6hKK%eBT5*l&25iN<,=@)P!\0q]A;4,<kc)EB2^omOdP+X#PH]a)&7IR*sc
%WT7gI5^G%$kkE?J2Z_gCD*9;OY1GF<Fd$^V'rc$&?D3+NDUL;G7Kf;FO,.kNlf/W[&<USd3nA,*fJTq"M#arb'dodlej'lH:EU__
%0RAhCG%.hd\3O$:.-"]43i\[ETs.`[ba]K!Td<&ie"n32OPaP^osWA>kFQM-ePt<adLo;!Fqg1,3[d2uW0ZOA9#<X^8/6KKI_Zk#
%fG-ErLs*H4N)ta6+oq0]E+JfVK<s!*9amHZ"h#.E'18'j9oLEARb8Cj%AKsW:A?RL^$cl0YFO?YR$@?.-!,/l]g@,NH!#KK"sVog
%KmPe8"m<UrTUSgYqNs?6PH0)N#4dtY)7@;kTdo7Foj;W)P8q4-`>ZfNVO"NrHd`ue>Mm_`664:m;L5G&]Sck?\-phbQIL[L/9t4F
%$'lrPSTNa/Wq,LpNo)lZooq'[m:jNk?fn/A:KMZ_j(YG=`U>VZL2+m"2`4%r*/)s;KL1A=F[\l1)KS;3"&!tRrb`I4m+FU:>2T#r
%$R,5!I3UTOY1bJ4_7U=;:m=C`Ki8M6MlR`&;VT^Z&[M)+jbi><_0J[Q0Q2dTat5=_B%>2U4fu_oW]Sld%9d9uY:Xmp7<uOQmF#AS
%q=jQ*l]C&%!k50>>IWKabKH(4XU1qD=]toZ"KH^F<p`PK19&u/pBt$T$kS\))+I&5I^T.:=buP3:Vm[ef:G.+SdW&>ffsa`@hQN5
%XUQ%^SYT8%M`Qj4g;OFB^ES"T!ii^KMl>mqfH]1@'CidScB]OqUE;P<M:fg5g\Mcbrg6pQd#`fr!kE+IEf&bD-Ll$V8u9U6N;SVK
%J.s6ZMOZt-O4mAh4f436K'sW!'d@$Z`;0->Vq3#e(cEFCT-&-tA)7an_m/l0&'$!($lHDFMo\",g;C<ElXAoch6?0@e[0`Hd/NoG
%=OIi?r9[\B!]bVgj6om[]=%=bhDTG,s7tj\=L5^/kh:Xt;WUU4BN88D)?%fp&^%"X_\bW4G)bRGraos8QN"Lg?,P])pLt'gAs(jF
%Jo114CVcU.]m=d(>Qmd#Q,(XZ\$_)"cVhLYXbP5#V'#1I:+MiZ:;^(M+9ROGrVDo?lak`7'7NZEf*;)e;Dj'GA<i+W3EhhTFF^Ie
%MQ]POCBjLpoZECGSHc(4ooce`)<s\WHCum[<%[t[9+BI0P-8""l/&mJNr!+/D/*+ld`f\qfK`U\)d)Nj;V:YNBe/EjX:JUP%rH=T
%P'CDL$*3*.2\>.Rh9j1;h8$=\b:CZO'GLQOQ@l'Vc/KE:#eF#c13JBo-j*d>#e<MaA\)c#U'oRi:=T*N:TEAQm[duL'`h#Y"[JK)
%(QaMu?$$+q>XC6$4=p)6bKMIsY:[>rdUq%NR\gt9dM03)_3-96>tV\m?^:^oYl$R\._:l:H3Ge_J+_[L"I1nrs,PT>dchp/%a(rW
%D:9@T'ta5J+X$B%lZFKo\A">0Uf51De1@S'OVSjAWkrS'@MY;V=-k0X<itF7;tR(:0l4h$pcZe2VZja-$F`GqBNAbYLN<l>>]Pu$
%O-%Wrr<VXZl'8W\H$rUtRpV:b]UV8f2+G(/RP8TVX>sA]1muH[.LW&QO0$0>LWQ?/+<LcKL.9fUosgtBPWl&mhH`S3mpVDr"kNMI
%b#i?g3`;NlIA8q3>>5'BJXIJ+:d.#OU(-G%S;aOqB./mbG8(T\j6+J<2@o]?2CW%>cDfZ'D+-h:mC:uPbN^H6E01Lshga7$P1r:9
%4c05:H1LIOhU\+Go^l$V>2'*W].1%uDTT$8Fr;N)pTACN_&tGbTB3N;"RoSH4b2*C^B/N$5GjWMFSaDeIK4d0Vd-5A<`J=WH3Bkb
%9?fpPEs87L;no?@<67cLUS@ci[usWWka8T&T!jF2PN`e(qq(K;lbBL(cperY,OGk#N;J+qHF9Ws"PIl$01H/T!BA@Z<>*j=kFhD=
%k?0(>O.%c+mISsWX#qa1eZaYs_q),Y.nOR^CQMB;Ru@WObu!gW[25hlWPLo__%!MtHrO;UeZm]6^q:@1kc827"'LNS$4UNQG:bVO
%D0+mfhF\<UQfTsB'1EsC-^sD9Fo$ta;0Yk$9Ms=icUh+D,R754NO6KY[\Fa3ks_>mX(ITb\*?3f7#=o$9hT?*MO9[7W>V0U't`!T
%hr/om_(P`$JZ'b^O9354;BD;[!:e30nleBm3fHU]%S@6;i_c<ihfe@Il-2!K5Wb:G].Q#_?iA6F/ZO8DWVd$#`sVgSmC/_n6d-W2
%4_LcS2it@5ghEeMbJS?QX#DSF#fBLsXfr0'Q:mdeW71t^(U_rF=n1:LmC/`n!6^F_[_G&h4tq(_Y(5V"9253%f4*r<mMk/b;lhIT
%e>9O3+*JLtroABu?:*=e\2JecZu&;:&<`ki\%/pUlV#DNda*sk)lYX;3AFmrA?%%+F0.]O#ZC_I/Qj^`:=cn.otF\F&WiT!D(1Kj
%Q()Z2?/4[Gf.BAflFK&6!Gn8)n%Ok((h?3,I>'6%W)Bt#,CAnd!@Rq>GSZCETIi=b+F9+p1DLEGPqadS6eH33b=i7TC>1;+fqf<L
%\(H=bjV:T\ZbO?aesZ4HoQ@n\cpj<&g9+KYg5/]tdPB,Ma\:)"P=DG[_T&Gd%[JM<A=aBB02XE?(^b_=W&Fm1.j;UY!n-!o[A&n>
%N45*!>38=Xc>"<?9nFO_ggsmc.3jN411`"5MbDmM<K3_;9_C!VBU\2#VS,E&(:N#]KMC/AKr2OhH^&D8mCZQkogR=OVaDYH?XkR/
%)>PgpK\)8/3b2!EDOXN@(2TCmC9UT45%)Ye[:<p[?uOJ2M'#$KgW]]]@&hF."rN_Q$Am&6e#g?YNco_83h0Q^o^F]`a@WAn)?&RZ
%C"=r/G7gB96J\@L2K)@(/PHEWWY]#[,BD6aS"8>+;pXEnIPS++:G5_E%RR:d"gG,artW`s["9NnJu.+jAt.WQ?2:kRq6+CI3K6f,
%HLf[l\"$Nc67TUgBhl$N2?9*P/H[0^Z9OLa[nJK'=I0A!!A+l=Yg@55,.&mAkQ(R$#\cKKTO46U<ZMmT$G\<>"QB9*_$?oZbGBHD
%j=`.K,6`J3-]-J0'p/F<e$r=4M@AoKJeV%#^-]EDc_9F#E3&[e8.WHBa:JB#L%53GABY.'gV%HT4/t:un?@LDZY*EeS)3fJ_RiR)
%^2:Ho>?a//>7V'GGDW5kJ/SO[R$Remcf5a(5N]E2K0MQ^f#]/-6"&-q$M<:\MN26Ve7f'1j-^%7NNEMc2;/1<)-_h$WeM\n-s$<0
%a5$/m5SE)).LJG0`@_d!:4a38moAG4Ceb^l7IUrlU5!LPDA0@L#!HMh<<nWoo)c*FGa*J0N3N*U#(,Y_6:3SmViG/tE(//GgWBnN
%h)CCY+B-&e+n5j>bT<bd7G=&aZ%6K9DK*Ug<ME@n5ncMF4^_KN5qAqr/s,gZDY<\MLIOTBCClWEe\5qa1TNJt8ZSl"P*r2?jF:e@
%P3.6p^tfN/l;eqN'WccaU%6G0KKQBJ-0]jN$>@OIA14/D<X1?8Ft6$\PV\k$PoEes<^J@pB^rfgC%&UWk%7:Q_l>k'KpKmle\q`-
%4,np^2:q4BAMosILaE(?`kC+tc>QV[RQg6h:aiJ"'J/OQX&TjIOi.^H8<dDZ(P3EPb^GPV.,9tE@c2\FUg@ToKYci[ScP%;<Wlqo
%Kg#hqf`UlSGeX[B6(!b81^7j-R%jnYIj^m1Q9D0a+o19lA+"1@YiLak9^cOA+00FH`@G1j@''+25k+.D\F8#o,>/&MOE0Z;rrA'-
%dm<KpA!WUV;;3:sVLqHXA?`D#8[?W75=UKRiANI<X!$8YhPnE6.P`^C&/C1e@Esea.+&HOY3kM8ImTe&&Z\KnW'4J&m(J"m/S4D]
%bFK(!'<4;>4p=H>2;`Sm4[%9ZIMSV&(@^#3b`:GI_Fa*!@$2YGSjJ$)At+JSKu%tDi-AZ`AKb?]KAMamU<&\^],;FhIO0Kb^aS^,
%'';6FVCWtG^0si3)rDEtiHt,Glm,"Q92sU(`+!8#fMhT#5@In$nZo`mdcgBffV4<=:4kpf%4aV260)V+8-rK?:R'`Ybo3LGOL0i/
%F['__h*@/^2SIf\.+e,I@n:QbLU1ica;RU58$`Yh+euHA,p_$.%]3%.$h1U>-_j1X.OD*o>b,WOOH<nY3M^RrbmUKp9(W_'dE1P?
%JrauDJs%To5QsEPAe,5DVgH!A,db$7ga=GPM;5VUs#D&rH7*C)4<<jX%`5\BOR@!GLW!Rt9uUL:-C8>M-p't8908*b0abkLD0";#
%rqB&ki*?>pg'"4&8BheOM?!ghX<0$t.m5:JN^tb&;7j#IgUs_&9Mbt.pX.`9KijjGRH9e[IFMk+JK)jK;V%AiAog@o.1$5n+@Ah_
%3/PCXpL00+;8h!rit8MS3Cea5IsuK\Np4[l,g0Hj%O,b^h>7'5D4?Xn;;]%l85Nh-hG$cpTO(\h[U'^lD-u2/V==q#JI.l([#'d?
%5)r`>b,3d&D1-Gm?U'&uBAEJV!B%X?/6Jdh+2HH[1/$aB;39q&B!%;?;lcTDI4eES[]8Et@fdGfpSkUq1A3Na]ejh11*AW:$j[#<
%QFH0f#+'I"[%Ai(&>&WC"XVqpO!V&lQRP*SFS)MqoW7HiTS:-Uk.KQOj.\urPikF+PL9o/kC^p2A.PU@;1*-?X/+3O$D#PO9>>/V
%l,cs[S`Zd+2$^`n^_q)lVDE[6Tb;K#(FXs(.R<p+V.5C4I#B/:4gPJ?8):uP>2DQ0>#D<fDqb3\d?WV5W7SJPB.N2kjf_6@]+qhN
%Eso1&>sML/7^#gL_@BC,D]!@A^nrVN?,4+UiBH(tjHcH_9">N2d$E9mq,hsDQ.N3T=d/-;]tZa7a4b=fr`$PT#(!D):9(E`OIXra
%<Z<QQgS"CT=$5(SCYT>Vrn7LVla:k3^5?l=X5"u8er-d=W-^D5`B/=\@-,u:FotBPdX(rGp02K^'X.&2!q`o_$BZX>G]2hh6"W2D
%em.GaM]*d#Lf.\O0&g.:7lK[bW)TbSd:$]..\I-haeN%%\bbAi%SeBL8U]sLEmpGBp!@9:'i/ptMh#&*>";"6q!u"=]s$uZ]k(6Y
%OX4%n>\#RhJD</3%rsgK%oe($MiRp!)'f"DZE9A[X"f]FK.9.O$7b8KeGm1hbqJdOT_IBX[ol&eLG)]cem!1?E-c%@95U0[)KcTg
%Y&XI%=W:8J5Le-J;GH+6mX,332X6V%O3@BkEWj.]kKI&Y%&C0DI,_fb:bL=^D-@3hgrXf9D6'no?.X%D/$C6[n))[KC5U=12jFHP
%3\GrpJ02SegqFH[E!N^eY"fdk`5lt523V8!!jCp]F;m<cY4J$A9>YPnquf'Ki)fAu^Z0`;&'I#Q1,\E0p1'o4!]?h^*QqMpgDTX@
%5nm/"4KP?-"/<!K7M2J0?)0ZUPO#KB85M]0)"',ZgeokIYfg1>oJO(VD&2].5XU.1[3<2O[D2l46sWe%<tMd\.A1(*AL\8!aE9'8
%S6qrr@(.b#j*%DG>m^)u5^3K%!,`lZc[B&:iE/=Pr>'34^h'EY\')1XK.pDrfl1<D]N2iWaeJ@4<)enpgSgF1mgm#\,S4##%cR]e
%4I$F.Tj)-(gl<gdTnD^t'1;j8^kY'aqppO6[%on."ao<I)V<>E<^MOQo"o/"?!50U73-!c>MfJaLKV-ID?Vm+'U`Zg*,`PO.bc_]
%pVZT[#(I^lhUtrsXkE8N!/l#u&^S7'c(]bt=H<<N$)9=H,hrQ*J]`&+.-q@+[u56<@GP`Bc$cdJn9(kV,^>bQ%//\UC@o`YC,j>$
%mfLKlQk^Dd=U*aFnEurpAXB\(L;hNtEuj;C/ZL/lQM5A8ARWF'2T!K]0MGaYFus6WmGPrUVI`"KE6ls/)1Q6PbE8S0cG4E/Jmkc#
%?JY%\dtl&QJH#f^o4W_s%pI]h<tn&:TO1JDT]?Sp9P=s^ja>ok_$+pZlEFHd#^Bk_gfWqrNj=*BFW9Z4AA'YAH3VA8XB*pp_4d*/
%"lJY;hY'7[VtR'EpV>W?BcAdO5CthtZ9J[=LjIT-\?At6BFYudNRtiiMe_`ofYEZ4P.&VL*n%WgE*o7n]5'?=.tMRIKAHLX[iVk?
%V.5:m*8HG,I(<*X4psKN%*'B+<aHV@*gXe#]t+)s)_L#t-N!l#f9O+30O^\3-9j0Q[%sJ#\*&+rL7V`Vmap9/&@,k3!"E7pMf%JW
%D<D^2:]o&(.Bd<Qi<f72rQumDcj]KDU`Mmo7ulo`UdU-^]+1)FHA&7BMU#/Sj:@o!;Uje8FrbROR"4Z]':bTHp+jic.#%G,R;T3c
%I"lBE22\@<V:!jd2eU7u_R=N4-?*&DF^>p0Q[bmGO(uC/$%7'+V+(u7^/Ji$\`\&D<].Xp04q]NlZQV(29'a%f1S]lf(u5=/;BI,
%^<cMN\f-I./2!VQC=*#ngEe)$(iKLgUgG%0_[ChDZn`3V"_WWm7f7?>0h2?qi7k]t8tC:tp!MaM?"oi'^]$`rYB9Kr0oKYMA]VBG
%d@u20i0_R3S9t/+p98JN,<U&=/!PlZ^;:DRRuV/%75U7;/Mj7-rZOn8N0p^P't\S7A_=h`WaOMeRTu;W`"EHI<Z`om/Df-=)=ng%
%VV5J%Xs`gFH;GhjL;>e'dK=?Uf$t\lD[!r?3t!IcUeG>SqUVH4b8A0[Q.X&DS["0]aS2!'QG0Q-X<soSQLE=@_>Q&@kMY(^SZRE:
%Q$GLd>Q<eV)2(SR`\.d:,T$S>%eQ7!id7Vi!'ek`Q_$*\8d#i(8I]Gkngg6f:^%-GDQ/&q_)YqQ!%CpmbL2"uYuelAcCu61*sL$N
%/)qq)M@<\UYFok.[_d3a>9t$BkJu@9=&Odtp29CtC:%ktDB/>R#2XtR%G?bV^h)u8*lre2O$ZM5?obm&"h4=\5RrKo=b%KEDqc%p
%a-$dKE#us'OT.*b-Ykk]B_4/hpBRqhmS/49ZhmfpA%^%H:a5&0W%J%!lJ?[HP3'1dH\-^%raS3Vh,N5a2Z,r=A.N4[0ns6[X'lhI
%\OC:ES0eOPGm8YC=%',)OgXr_8GVlX*Y4%U3O.nnb,WTWjGF[&3&ZJVnMlKP`\5CFn!Npq(+k:.]_AHWn+XAr=QdAg8psq^/)G"#
%b':KsVj7#U;mtn8m-sQ#kIk6UcCWK'5l]g$*6.IX&/G$;YRLiaIi*)5E5+i;i9Q.g1D4Iuj/picWY>9n#f(iVm5mdsbHM$D#Ig2M
%lZd-^4*^Z+a0i1_hqfnK+WTminT4K_1&N5'FH"Z``6Z&`+ff+S*ldePa!870p755u`5=e4i-=4YOb'as<k#:%eA.+US("KF^7&m?
%YE)/40!Sn?9/&Hpa(]pkK&Y=rq!`%N^lM9'`hK16`hI?lN*#SFdrgO]fJ,X/*K0GFQr/#cqqF7QG\PZGp,m6kg2l3L]Ccnin)3.E
%E^&p7(ZV.X(?N/rO,jsHgu#rsf6uF1DBg\NnG*o&Sq5&=/5u0#_"YBd:6B&ST&sOO`jV_[g-9t01s6L0l.Xe"@OmCsinR.96]/qT
%V'DM#1TGdX+'k`+F7e_0ds6H>%FNYV2YmIK^S]J!?5YXbd:q&>4o[P&hj7\.X_@"qTrpc:Ak`*SWS0!tIG,;X&+*KYU/bI?#.d4@
%*ZK@WC)D(m552j*]Go2]dXI=uJl/KIf"gAQVhR2$7"W3ce?"X"A':C1)Gt)K1e73610PAF^n\fCO`1-W@bDAQltJa+6,>(-4c3)K
%-T1VRkp&hZl38Zf9F"LT`Te0Fmpa,L]UiXe^ittbm*.#QhVE>aOG<:T)FKo[Nh]/PfN\">/I!WA4%iR:0ZBO/MgpVpD.R;9YGEtJ
%fu!9c9NN,S)n9/m7Y\Ek`e^PMg=9t'_ji;?q#F917RFEp;=b&hC]7`H"O'Cn0CuX3U(boh-KiP3i>-'Y)T@.^.aZBD1bbe=ND>qI
%=rks714@pbn22.UQ6aXmYo'CX2]n%2P#jgO<c/@O+$roW"YJ?aLDfFAjUS_G"(Ie2j4#;_8QouK,6hViQJ,UU):eu>N(*CG4PFQ[
%FQ6u'6/XVinMhSL;\]q`W(H[5^hID&jY.l`r!-K]9&<(R=H"!f3c>JWCQd"`>\Q-TCB\r9]U>&>o[*.>+!/\I[AD4BA;kD+<suXr
%$mFrc-u!pl>^%&CrB8$EC`pq-;MfChqJ>6Q_YDmd!o^'Ig-)bgF^7I2l]9u42,I,1e\g-R/6Y?t#X_r8?&.RMNmP)FnC*?[SJX5`
%j,>2>NQX,(VZ^/s5!uPiCh0549JUh`S&U+&KuYJ3mj8"[L2APdJ21W^4<ooqMXc"67X\[?o*l-S$OTA5G,](O3eO8@>S_!8"/)RF
%,H1@nlEtir&]5?)1$XB>?5,J3MM-N&H9Chm)p@4L6d)mNl`3/j2iQA6!r,YmiN"ON6KuK(Q%VjT9W3(N(aefYh1jm#7e(%/pFuO"
%LIX-EmWTmbo3tu!JGnLF\<^*ucYl:].Z"g=ho\Ln&@2ZO*2J/_[@e>k>BMEIR+!9siO/4L#Yp,!dI+]!@ie%Ik)ksW4G)$:hDL=%
%M_A7F!t#W)hTSA'hDO/9&8%QWV\+lNqlSBCp=-ltD&?3SO2ced,>3]hOPI!%NS\D..//!E1:`I$#'fNP3R]Oi40Rg`i)i&KPU6ll
%_7<*G62gZ=IP$pUT4-SG^'MT<XNBa*#9Dd;:h+!^>j7;t.?#p(`eSDu)r%W/a(FEI0tG^^=d+('\;c]3G.I^XD<b?<4h))DBm:W$
%D'_o#6Ggl_Sh3F`j5qt<HMmH\#F]3gE$c(8#bDd%W72'rFkP/-Ef*i<kiRR.j(\_/JIR:ch)H<KHA)02DL=eR9+S-8I\8]VmlHV<
%L#d\7q%_bd)h3+Bp@*#sYE^Cr6nDd0Fu[RU=dVbe]bsE(E*(VMDeMDa4Wh?9E2IQV5@*p9=X_M7;<B_3;<Bu&\;lQ9Qds3i*ID,m
%HOtdi5=9XDr88C.;n6%%>JC'p@:\8'I!`G]+8!DUP-s/c%p::OqDbD/Y,*l:fXEYJ0WueGbiGMd%I@[(PG#MBN-YP;&&S6lX?CE?
%UU9%SYHE9'iks$uSke"L<:]IGWi4lMJ,aR7j?.Va*D!u*=VM$764Rq[CP.cpESkZ_<[pog'UC:H'h0ANUUKi;D&Bt:bC>n:'tr4O
%+Sn4Xm*c%bUAG2#&qrNeHoE+KT#Ne]HtiWubl)-4j2eYq_"dW^n_.Mg?ROWM?pJ_4PA51rE$.fO;6cr>T!!3D.bY%5p?@;`h9^6K
%VbSB0HHg4Jgu@7pj(5\bf_+o@.X,tin@Bj9l-LE0&('*WD)?Ppo)9./!1LN,94P3.:0[798K`1H\F>c;YN,VKZl\S9GfoWtnVEsA
%k]f4NLR<K`0gbg&K_k*GpfrZY`i=-&.McfAMAlWDU>sRJGDiXB)rVYuNCEenH=+D=dG&>F,b+rIj7*P>q_U=jM9N,,%c$*c4m6GH
%;/XD%TDgs-_nd:J:Nb#%i_%Q8^>;?)_/YReV65S<5E/93Hi*<9\FuSN`Im$GAFZg_CZAtJXi@$F2/o"P*dKOkq;YnS3B87&Z\)s)
%=4Y_63SQ]q.dn4ZhpD/&XIdY+(`EWf-skmb0:C_`aJ"VCGd*Q1UGAD^Veb@U+86;g<kO\rT$3hl'GC"SprqalC!D&*\,4a&C=/SA
%=04QDl;g)n7Y_IU9_^ue4re=;3BVPhLM/tu-\jfeHn4@RF2[4jOgXWbCHf=*h):mG1d6;>qmBl)2gZGFNSt^6ebEf=<;V%T\Vh0u
%\>"$%D$3[lmJ`c'eSk1.n+Zr=NN'kiLPPC4H5<d"*]5Uf4%:5#qL\4?O&CPf1K2d&rqB7]k=H!'rZR_RIJ@7`^*o3ea5'rooJl@^
%jil_cra<*CrEV&B\2JHF*:Q.7_&Pa[I;qUA,I*aVKj>[#394HLmr/^R67*WdDnWmSfkLeN3Sr_H2=*Uu*F0Jb4^&:dgjm"B#)>?T
%GL>rrLCRar5a$#r@Y&-FY#mr"LX'l^GAb(2T8/Y-i3.q&OheG*.mC>]`Om<Tm]p$b(l@mrDUNS.7h9jHWtsM1E.t'6`ur2E7P0R?
%b!ZCam@%"-nJARSTJZ?+JFO.UY(6'@`RlDWf$lm%7_JZ8pi*8q$8:PhC`FOXE&/DgIM;D^[.iph",_l^eN"$K_<ecOMGSj[SmUGg
%49cG=E=BaP"YLd;bep3Oh(cGgR!i:c9EO432`^kI`h0U$Cg_eBESTcVd='766OE7lRHmnE\%9gn`q+*"SjmWUN40l'!d?h[0:V\?
%Y\9VNb3rpjH/FTO\"Zk[E\YSFHZ+Gj\f'P=]WC&iIJL;6qbki27q6N2DXF1Rj14`9:tW%F^rT"OZS1+3d?jX\A?[)e4mZi*.X(3.
%MYQ!d)+(hD)\PHlgQ(F+lFA2R_EB0?bm[u<.\`NS:^.B5PtGP>0*.`#dTF#+;)ot*"%VV/]9R]=2rcce9Mab^V;>o+3U]GIPr([L
%Rtq!rc05/IBiM;)!D5IBd12pQX?PF6>I!8)o'Y,HM`rUkhi(1j?ishLam7u!2^>p<j4f>Z1TM&bBqlJe^\?ZZaLpjT+84Y*!%AsH
%ZO\uO"F6&,#HH'4J.u=6m^,jO2]rU]I="(6Tdo'"gSlX7i1kk08DnJ#M98qUnaNZuB0QQZ&-)VgoYd0ZE;JT;OW7ml%Pl)(/["_%
%gNhjV,;CMF@HWKdH$\Y)k><)Q,j.*dj@'ZqM<)<G>->u=6s4u*gr4GRHKCTrU/9`fVUg,.[Za1(b4TYjLJkDQ2Xj7T(1Vt,Q5FtV
%W()teR=kd/8u(k910^d1F[!@MM1*->:aa,`2.KXJ8ZnR9(>,o5^FjR?Xiui<ZaptuD^Hr@[[rJ[EK+ZCH!P#Fl)M:<qZ)s;CCEam
%<Q=YA:Y/VUopbL*-_?<s'BZjL)V>Mjm/]sl1"Eli>&X?[gomPoRZ,1[EB;S7BNH0Y'*UUH+O#m%*o7]lHj#mnD/8kM]$%ur\*@SQ
%bhfgarkj-P;`@n8j-;4H(bVR$h5"3D)B3T`Q]Q"VrkcsXm;d'm!!fAS;F#-^-Im=afG(*+0WMGj`]&j#h3EuQK&Aqaa?::G9</i=
%Dp-"Y8k^\8+*';QGR0X5bL@sk@tMF@1MR0JJ;/6t>iJr1e:))HUsbOIikem>[HQ7[HCr4Kb3bWm@@!?GLhXeK8Y$oI1XR[Z%"!Mb
%?"VWI&`^95.Bcq3XIbq7A%so<jb<Tt[K`m/CY*aEp+dD[>:XKg(l!CnlC.b9[s`XWlf=2]JYXRX@h_A(,Zobh?t]M?#t<aD(!F6-
%q_6=Gje=bj[YYNhMk6.F6"o_#i,UF.U;YZtN3grZ]j7[N1JWq:aHTOK_>VN*E))J?Fj/LJg!.Tn]j.`q@MJ?9R-uuG)>OcFalC[b
%nIC9YhiF0NVr.2]`(IrP_X'p`'X'5X*1";8X`,R*@)n:=04(@m[/71,`=)GR0gj9p0ODuNC(*K%i*e+,Nt@of2gao-m1K-1O2jC&
%Qqj!XR=1P1j0<s%`p2WF>9CM/p^0Ln"6+r^j]=JNMOE=EYLBEZr:$r;in>KZJ?+^J@hW7kT)8(me;^#I@+Vh5S)+Ckd6J,$S&5f@
%r+I3:qR$[([eMRu@/Tl[^<XB4m0(\sG3*f\P[d_)?-=O6gM,&oip/cdE36-3dreF[aB-^2NC(J,BX7te-pR]R3*]a:aun]VZRsFg
%])VHbRVBXiH0&am](XD2g*&Tu79$D2Lh)i(O7CSho=FPM"28CF[Er5Y^HM=&)lg?^lg1gYSRO^1U4-qoS$.tso.iZ3k4[d2jeg8m
%0QJf+<:S)Zs-,QuWd&t7]=lrGoQVsI0e3EJ<&M\-qfjo<ZJLQ!m+uX"3UtlZ1R;@=-H]a\*]G"iVPdro9dGS#qq0X?dX;sll$[(7
%o#/jMB%K@aNP-(e2!L]Y0tQ?N^7!`%Ghd'Pe7(6&)R#@Yncl8Ef:Qpr`hS+K_=>XnhB(8qC`CEfM^r`7i,UMdIi@4Tfo4$Pd?D]/
%2209c@W]#p4JCMY1NjbL@p,Og%<,`9c>pYSSZVa+GX!@k[5_WE^,mJ#ajYIpe+e$,Q/hAkJ+t\rh-^03Dh%L?s75i,s75J_rSqhr
%nF=9-9`OV>?N9U5^VBb<rd4Td]oMBFbgUYb^;UU/@m@(F_e6Et6PH[(20/;l6e;ui@<QJe_tYBTSq+j6W``>4-0co"=fVq8"bT5(
%LW^L`QWnI6YX+%\]#2&F1r1NIH04XL)7O1?gl9d]\TqEHdqE3WKUKOT`&/]g[`PRi0Mg:6F-,g`XE8;G:[HkOPX4m9r*^[34C9[s
%14Jb\YV-LQCOaDTYuVP?WAGO\^IVS.+!&IW]?(6\9%qf^WS6bsW:Qu%CdAABY`J%!5W?s,,&$N)))j!FWUnJ/P$8U=5Yde@?k1:5
%fsJpTj$;t28N\qO+q4\ofRstOe]EK%'A)J/q7QBQ=!^n`/(m<*EX/iiB_TXMgeQ42`*lr45m,,sHuNBZ)DV]'+&MAo>qe5GIsdD_
%'/-9U4-T\QTm6/U*Yt'fn\]*D#WJKMQZ:OOpl[8i>.i9=$*=L?XA""l"jZdPKKlHU5+defDD]aR_D'?J'l_ulqVYg6P:kDY`\D4N
%b=!#WTN$p]0>%f%"f@!)#^+'%gB="-3%5k=8nX!#-FfMTfZ]ZK-P^Gt.R(p#VA43Z9lO3b>;ioi@@RVGFNo;''4\4d1nf:d],F"V
%@]UNgKd<Kr4"d"Y+6%`Zcu7l79oN3-KbN(4Ke6l1ku&\Z9F(^-_3g"'Xs5$$d+#B\1#)fSU694DDHo!B;Tg\f8#jJZXl^aq-l0>D
%+/kA^.c"Qb`B[Oe/!W<!a?baK-Z*'#O;+&cX\F$XZf(,]N&Em?L)!6(c(g!@3rf\p7n5<+?]A-J(Q8pFbnA;_R^fLQ"\@>M/>9Ik
%Cn&%q@&1l]N=+^RHB5BK;`=_o_N)Q48LH1++d`L902#pk4U.3WNA4BPq]E_sr+\pHNK@OGBo>HQ@hMSC-!]f[4O;21>%Y3Mc"ph^
%N+TD]KObbFj?iP)b,`Rgd>%-5gYI,61h432<l!cX8r2qqBdl"qG1`fqR8TL\+Bo6&&p*CE!&%gJ`LHPU^fK)lE?:hXjk/;u8:MYb
%.MNOj[,16!E%e/'Z3f(MZl]9Ua^`Q2X+@rT066(<RJgrr=Hl,+`jOFl[b7q1%)n!Tb\3[4aZ"mGiaobLSMkJid_!nOGr^BuQ'?jE
%8_>[]WPd\^;KfMo<OCi[:0K)mnQljnbB29ie5eKt1(j4kb3Y&Y>&-G+D$(Ze9F_dA7+kD5p/nU?DA+eG<6@%dkdaR5p45RS2Vk&J
%NQ<ke$SQRa?Xth)aE4j;hT:\)R6ge5D&l?H16CqD=+>@eHWo0Eg51+WAut*A%,6`)E8S@Lf-J<%:jUIaYjcIqDm59d>cShYaU*"p
%42F$oBn@%gV[W63ifE6.,O+V$^\UBrr6(W,Vu1nun7B'-bImfj)?A@,4,O%l[0<.D#h[''eUj.a"u!=pXGM.c'4,E)4QnN4GnVj]
%)uce]K@`c#-JfQ"GZL2.YhoELV..DZD2SW>N+h3:2rjLf+'ts`]W^/]ogKNIe3!Z>IL)Ef<Z?=`9Cf/mJgUJ]ilN]b'MGrF""tBj
%?>?f/l+!sSG>qpUkefM2afp>_RPQV)Bc_A4U4JZ22_XfCT!WUl7!"K)_/9q*K64G$,Q0)H(+j)H_EGq:<K[VS;(aVW7dj1#E_3,U
%9qc7[V#h5Y^Ka6-=qCi_PF#>SUtOa=Fr#OkX5OiM`1H7ccUJ1-Z&,#0Kp2R_Lp>ZD#=D"?I6cCZ+ebZfmT7RD$8YHlVXgCK(5LI`
%N+dU8BiaM:eRmXl'PV+lU$1V)Q/OJsgQu/">-UOOaoNlYBULW,T$oJH=3QUS97Ih]:9/bZ.j3hGXFV@t=ca@EZKh@lZb"rFU$["s
%]tjcO@M]gLkMq>@rnpkaQ0f*,>m]OP%UJYd$Jq^t>5,K<qJ+q7^=$K^:6^)(?q*rm`TWIrFp-6]PE,I3X5/):@9ISO0nMD/`khJ?
%f8,88cFE35JIa:L>9aU$9'.^3>Ae/=;`,XKPdUGKabqfjSgo2fhtX:s(JSEc`MT+IH-L5KZ"$4^lrE+g5"?RAor=ib7rP4fTA"])
%f4,IeHn=LQOXVd.D7O&qY2[<_L9B0j*U@A_D[pa'E?ZE;2<RCMDn8u[k"aS2'aU&XEt5h:Nba,(Y<D6E%srTL7N'O\qRR3L0.riU
%(G!XK='g6I&]uI"W1rKKm84Z,A.t3qll9#W$Pcq4.DaH;;0c_:5K<'>l6H$jN>*MJ]E3$'(sT_HfAfS'=`m\^@MHQ!e3hK/;h%cs
%rJt81MZ&`o,hK,r:<0@7Bi/eLjT*uN[c9GuJA3;J]q13F\P[,cZ&-+0p9LGKA]or-)!(34O?4je/%KrhKM3MI-q\UM`6updj`%#D
%Y(OLohPlt5ZG+1C/I"-'Z?!iE2'*h(5suA>W^j_'1\"G.Jkc0"$5R9RMgJ;02Xn#(`lhO):N\\M`&gs]?Io!uWXZfl?<.\a=``Z'
%5)D/eZC8lsF\eTDUf\9`/#p6\Hf_5%$_)BDe`CB@Q\Sa!d004o;HX3,2,Y;dh(^]4YJdQ$N>_m6Oi,onB]3-:$8+4Q6&^FBR$W5-
%29rJHd=f2FX,k_S^XD\Kd>R-L(%#EC01u/T-jK=<E0)sI:77fB"c8h.(U8g@8fbSrMY'_1M+pNMYZG&OW88j+ZO69!IP4Z_C'8.6
%MT[@1;]H(8)Fnio&G<H.ZV#/_U\q@Y"FCXua;,oQfteTH(1Vul+mAp6lkaL_0BXm'7ObK/aop2s>de.-(a[C/)4t]YG4-p.pkJR(
%B%r^caI'pEC_%0=(l[&3qY92IXKiEa"Q`O?4Ya8Ad\qt#oR]:Q@sHjKGVeo&0Ld^ucS1Eg+-#+b;98%g\<9S)&'#,TiuAuC\Jn$g
%rFf[(8P!P*`a9J@[B&8$E,CXdYAZA:;3W0rXQ0*7o@"5.+lQ]1^aCk3/1Wc+>WFBsm&>?K'\p@rnj^H7L/u:`ipP2:q4Uj,V&Q2E
%1:kJ?#fLOP`8=!mDoS3I[YCN5,(p#o2+_W&P30_cC'!29.W@gSB1V18Fe;A:/p"o#:!.huUS?O5'-8hNd%#!VZqM)dqh:tbF]693
%P,XHn$fGMU=]kNhYXj(L'A#a&-jY&8Y9P2*eI8Ilr^`^BK!fD7O3oM9D_bt303l2*`o>*LMaaT+#@&/VJ<6HhoZCr$8ta0A`jBFO
%PJ6sVl\5T\!6&4H3o8LY#*q2N:506gfa@J0%pBE<ZH^jg:bdtfZ#OA;NJk(08R\g^B/KF8BPt-NN>]tu[B$XIM.5NP1QGsI?$j@6
%NX@DbQIRU#1m&_`ju%KeH/@oLLGT>-_DP/"UBc>A/iArKGG4UjRV6C:&-grYH_I91(&)!I=2IlF`dI,lnfVf.6',Fu7U9X8$oXLT
%0hMq?)7>!C1i_o]r1Qfs:#hkEb*Xn<m(Lli!a.!:#_,\1e7\e)n%"H#@(Z]oZdFY!dJ.lAZ/>j2j'P$ZbEWME5O)2AH:j9INH[3<
%Ku5rY.(.u<VT)*ELA'0SqfkK[:#I?CAPS0t'r?9$L""\$RE&e_*!7<1N]3RW,c&#fj/3JZLZeor`Xc\J.uhIAK3ukJ;=O^o@a(%V
%((1h6Z0b:rGWpFn6:Zp0m&CXd'oI"T@&sMZXjcHp0$d,6VqpXU"'uH>8sA+jHF/Qj`ugHVKCM6N!O)^<M`pU+0qe:4<Er7/J'G[4
%@)MO1!XI12o:q.2(eQ6STAt\md&L;4f%OGZFn8ZV[W<a0R!m*)>[a]rjSH`4NQs;!f[os.d0,!+^dDWMd?u)\a%sG5>djc*Th$/^
%R7<Ds(4K?=W/PdcH$%`^6ihZL>qM:9@h.O2N<"+#U5?0);H6ro`R>S_\JeJ9`Ok]1BlJS)6We1/D(EmB@qFbnA=?>(]R4?\'!D&F
%8$":6kSDWrn9LSce3me!1h+!,<)dfbHI^b#jpYj/M\4!H"casiGu,BY7eBIro3F7l=A?\'N&)>D527%#$f73g_l4E?/MQ8%*)/:k
%Fs;,n5c\m$ndDiCXU/DDR#k0)G/=b^e7+"teBY4i,-k.b5O%;,fkEiSU9*4TS5;o=5m<_"JC-@-._9/%@&sN?r\Wgc`>PT@M@t@X
%X[;?Y^n;Ond>.T0CV70'^G#k<CHo1-9c3XP`YleX`YP16K(5q""u<"lgSuqWQ-bIh.haO&45OOTXHpkMl%"SCd"\Y/_Qnct)W[Zf
%KqTfP%p^V=2No;[!nA+%>%MX=#?*3QA)=lP9!jCO6V;)mKTA&3-I&VN1qJ:kB'uV<VZN],>UK(eWecsI`YOk:0_>V6BrEb/LfQC6
%o;BU6EMX_(@hbi*co(kY0jY7/2C%K5?aa!U$ena$!+H;ECVs`s=a/WZ'HZirXqbVn64+(QcFQErAjt[[=A\:_lhJ;TQuh^6LOf2-
%]nuLbq:TC6OPYE#&qWrb18[++klabkY)Hp8BjCTiXJ$t(4,59.+,d1"jQ$hb_VU=lLE!RG]OIDO_(0MH'pW0*CJZ8Hft4BK\=%WT
%Za4>JpEJ9"]1#cRKJ&6n9`?.a-(m^:HlW`L-U_;>k8-?nH8jNaXYjJ#n73][<22ZOpcmX,85Ka\*R(Y\N$?/K7%a."5@>2.jtU7i
%f6'A]:0:sa]en\")27l+E_n/D>/1Z#ea[*>EeO;?enbcfRAdh7O-/V>bAsSeR"/6b"'-MRkmX-9iWA;!.hqLl^?qesH:/qf[<s5e
%=dd:m6(8<HHSd'B7QHHb9$iX&,*=[(9Z`BX32R1n251CN[#c<_AFQV()Em7c/9k`N">-%7as-P-[d1LFEi!B<`g+S21b7WDg]_+<
%Eu!.X\qq8F;?pu2g\G>6h;-T(B'`X<A&JXu7_Nj+6kJcs/`YE8mUPg?AZ;`8Fr:0DVF<De3;9NkXe>&qk;:9kZhTd=$9b7apH4C)
%$e[@P`qe,NHNbQ/#f.L]3cnnAB,[YK&c+=n]\GZKhC/?a[d?s7k@m-r??"$A]kc.(X"\tFj?Bb_TGe?hV)SkZDXH_DrUH,I;q3WZ
%?9Se#bUngL$0-\RpBnQ*V49@uf$rrPlsXfg>OWf)5TlO\i.`#qIEslI9RojU%uMCF5FU)oK<!aQ-+&Z+(DUC4Y(S&i`9p!n:;!q;
%>o=L4$h=,fHG2FY2F3s*N7?$4_Y!E:oo1,?V^aJV<aF[qPd@<1A)Sq]&4iN3E&Zm6h#(nUN7EaEQl:+1M:.V'0CU<IFX00[N)'+c
%`Q3=N1Ib!&ra:=7nq1oH5DMn'1O]=PF([2A<6Hdr8X,c%R8T21+etKCB0"O0_68eYH*thkJW6eO7$TUB=Yu7XGF)!bKI2j%`$UH<
%I#3W)C@/80#uW=]!&D8*9rL>]qf',</dO@Q@(fgHN,4jYqs6Q2nfPGoB!_n$LVhsbUcBabq^L7<kg&u+&MZ#o.7/uZ7&EGKhoX-'
%]haO/.)T3B#(i;boG42WZ-8"bjjLQnh>^6.*'052Z\1%fiijaZJ(4aR+Ps0Wl1/e+.nsNnWd(.IZ&#Lj9)i&$DHLR?/I2#>IK7?\
%2[cIM&S21DFXXUs2@X1,M/D?Y$^R.=5CCmeh)8<ch)N!ZEZ"T\h)IKW=#['S<g!s\=/qCrB]bZH%g+1t_<6SkZY'p\\Lq@(:.f.4
%TSlAG[qsro4WFc]MEcL:i$H0je!Q9Pi^UAIO\OprrTlc<01>O?O.M?A'j$kZc.f#bm3SQ#ldnJB.)E0JV:_8=$24G)$U$u?fL!_9
%\D"$CJ6QR_Qt-iPY>q.VqeSIus+f[tA^oM(pPkWPo\;ju70^rnd#/T/\EZ8p.t\]?>!lsm8l:7>Yf%D(5NijsJdc[SjmJW?O29I.
%6jRu_Bp=d;5nJkp895,ia<Bdd`0:'n.l7tMho&:eg"VO!-poLUZ!l/3*P>6WL+N4a`Z$It6[;KNA><pp06%PC"pi:d,"!9dIs<eJ
%@eXJfU>^/,e2.U)O<f(%S>G$#$ti5.,&BSPj=E4p;$]k7BPO8,QmV&ui!kIkT/NqiQXr`E,!!j4oH"?i;0u@ap4HfqFbL?/]I6I$
%BE1Nh>FoN\KJQ"B+c&Nfk71k=Nl6sIEL%S<cq[?)SAM"<]K4_\,YO\;%4_7&,\9+<nC`:V2.Md.)j>%"-CCGr+O\T+,^qma+6d<s
%UM>RsNgA<#*1Eo7f>9mp>`moLrG4ajNU>Ha'%lEQ*3?#Qls7mPN<_C33:mbnSu+188NH[6Be)Q,ZTX-BQVfa^CdPG7#I!!_^FXp>
%%:=r(\^+_AA7(('WkiCEE\9c7/r6,no%&b:1J=E!2jteQ2ds),lNcJZ$1>2NmT3'&IWlj+8fS"6I!oQsCbt0p.K@,&RTU('d<s^`
%%b92`?A8;b?3;uRc.I'U#meq(0rD'0hGGh+*_k_^5BP64!9mRDbZs_'PTb;alg0=;S&Z&L@F%dCmY_B/HW(S_a!b.o81)rRXEQ.H
%8j]j%2)jV1ZYH]]C<B[9!Fb?r\tU(cRQ,/HqDFgO4C"Y?9b7cDIMf#kLSE12oMTs-OCG<VrCA0![MQ-u$lKlk44G3%-:I5]ETMc3
%l4<#qaU`7beXK?Y]F0B@A8g/;`=kLX1c.K"r"O"I;Rg?_=`55OdIsY$ZYNRCe?JV>1rGhO25LIkZ;0!r:$2+:$eLugVG$V>0_;5R
%7pV\Q?98:$JG8jdEoG]X-Efe&m5-7]<.3-[1*3+SRB/D7'\'"H?_(I)hJ8EOe%@E]@%8gEjqjpDON+b1R'@sW"eVI[o-ojA/k0Y-
%F8/7#`g;<tF;ff2U-DbE>(0isapD4K7q;.6a#mRFh>@Bj*\#R8Op-/bkEHjW.-V>X*1<85ed_NWV;VIGMA^&Mj/0)YHu$TK5j;*&
%(;D"LS@o^:X'X;'r:"MbRdbL<:]DY@[o_t2pF[eN!$J:Z`X:d9-*Oq)J00Q=/qUI$K%S!0f*q-6U#IiFdhep^mGg2`$cRPp.91+F
%)!aHB@Ak6'Yre,2G<VJB*-cV4.0LmcL0Wqhn&6hULgNAklLI<9Vr#UiXL9Q)M(pJ6At3h,H'N23B\=-@NKKB*MD,lLodDj7C'1-=
%^!%$.a&0j8'Rh,VVJq@0H_CLV+r'E_K)4!7mu[_mdeidfRo^;h+"3_$e7OL=i),o9hA=H.#FrTu7\$IH7U8T\M3MU8Ie\T]Z31CB
%,KK_qM'3p.`XeI$;EHmUT#u8RO]<?X%0O$MFW64AdUP$Yl>C-XKPY`32DH1bOfd,$42n`dDah%lL<FZM&eVs1fKdB#0j=I"6Qq5L
%Ie<H"MM3T+fA?U]V'+jcpD;F?oXrH[/Yh#pHE7Fh-A:$A0Sfp24Sph+AV6o=1FY.]3PLQu/GYtJ6?kK5MD5W+e7[L`DT<1]l7F:>
%&;+CU1HLJNoiR02^tB<j[3$<LaC_TS)QOh3FJE?3&R*^,b!=^nK_F5*R-Fu,kDIRpih80@J!lki.a#VYKj'FcUS95qW77pX,H@cJ
%$2$#kX2SK]O0?H56=<29fK_e.K@bB&,B>jVBL)i^5q*>bIfYc<:\m3QGDaB71&[:B*Z@rRE;[KN0O-*QB^/l7>\riNbaJs)kfdWP
%;XMW>C&)3-@^#\sDtPl#H9rIDKk:2!iRA>pY4cgjd46T5d&b]kM9PH#lU#`&hj_g<Y3j;\$(:Cki/h"aJ1<dN!0A8o>boeim)2Am
%O2H33\aK0+<#ZRP>QmThk1L#/C@$`PQMc7XDg,Iu;8onU]@N+4DH-&1(c=q&-GZK[J0Z(F8;slLKFFh&,l4(?!o3s-._pu[V2#<E
%7V"R8N@hXgk7<_>RX$bF1&ru"<:e6FG)j-;g4W+3STP]9=Kn'Gl4"r*$5dS`<"?T<W@u.N4J8fC\)9KTp:tYgb+1s'UF,oSX[7u;
%7dfhV1j5=t,!k1p+4RD(&WKZVb$nh%/]G]f.KkV@=mGk$`mn>)`Fq,_B%/gTj%/*OSGoPdYW!C<gZ=82lP`T!W%BO8n]40[?MmY(
%+[/a7>#`Ga!)HL"U5A[()ZJ&aZ_Z;`"P4ti-:Z@%FiTX.<ad-U@+<P5'.+Q?epA(`>$G&2LHmbEb\-L,@[:%[G>WfTeeQ`[FlO9F
%@WBD.9%;[_%'(!Ag=]?<iD>iNfi`LfB%1,\V\`G+I'),2/5f#e_d8E`VT(uhYm]euc[RHql.B%&VsBjBdGms+'V7Of*5QL(OogIU
%AN?qFB+RW2N3):W0=c>uCC+9,$+l9hGbc2@G;:gG=FeL`M^Fag&`h\V.29dqS1q\RR)S?4'Y)YlB?!49@Td-q9b.'BOJBlnN(ol-
%0O@,;MU_6(&2fnQq2KMt9"c*F.J5Bhh66k4-<P'WAlS<Fk9djID4AP)?=%spUV72%"*)#5qpjH@f^6h:1ufoqi=>E?$Q+cK:c$K[
%iDWCJfb,")+Y_;sQN+=6?u>sb2/A^\f1DdY+o-^&o$IRR/#'KM@19Q:Rh5he+.HB+,V$EI6?91`hIs8ghtmP<RKj3G(<C5.iimSQ
%`hpTc(5@'L@]WQb@M;[K9MK^7@NiaZOVmCoZU5d!o9%=\*8+JV[kZq).lT9PPhEI5/^*dh(Y'E*19Okn=$q`sFk:FiY.Ug$[>+11
%k&C]ro_Ia,&T>$j5n]$+>PqeY('O/tenE\m/NaD!)WkBlKC+lFT;![TU"1PWWE/?H61?Ju<r'Yh\1Cn`8Ms`hjKOs#/S,UY%kk+-
%1Hc]/]a<o?.^O[@Fs&-$2Rb&rU=It-@N4@Wa^$;^EXfoRX]O&U,'!+9$K>4hkt!NkAV]`SHrXj4]cB>)EHGqNJgR7=`0lL8Tu&$+
%Dp%nWA#\2_D+f;qnOOpfOht7=:0-1E7h`!qkTYhfYY#<lo;dPS(:''"+N7NGV-kIeR&-7iB^)I)1c9iAE\2%T22j,CaGHs>646SJ
%I5,:I?LtKg[5@E'`<l@CN;i4`&$D],;K;Y,SNY93ZS7TO<ugtHjEn0=9OKS%b/gTpGFZAT7ABb)g!)6+A(j<udb&r/*^N2@&EI;%
%khPFQMaf8(cgTjF?Bdj5[dIgtnTM$?h]eB9W2Pf5LL?EFpU@&iC,i4f,gE:rliA]jjR/Z/2@&OaO3)GBipin$:7XO32:L%us7Y:[
%cg#BIRNHL@S#Db7V;L9f;PBrG)JX;i[VX"L$?9N3*f;]n+tP!6e:o%X:6JM(gK5SmrDC7coX;Q7Ljb)C&5@]).T^ht11*aa"'pBO
%*665:rJ!eD#`6*@$bO88C.ED+0tIG)$3>sm0K.(cSJi[[MHO\1+B:OI+hFSn(c,57*%&7pq&$`[DG/.'<PT)6Rk1bad1De+ZSueF
%OuH;"ib9X$aW%*YDKhT:"]LL(]6<YO&ukQ4RK+H.L8-+D,illN+'MUueS+XSe7aC7)5I:MgCFs!\"/p[@QG<;Chs0Kjnn$(iJ5ss
%'.aNO%,U0f31fZu^B61b(-gm*+%CDhIP/]Jk\Dpq@;hG^*4ar^i^P73d65lf(OJWnKA+P*"*n1K;9,(,"303i"3QNcJ%9ta$jkM=
%N/r-F4-1\c(TYqcC18GuG-V+U(lu=T)*t\l8DDs-DZW"nZfmV8,u$bsO:lptOinaH4)`b39j^$(1#W49@)B]<rrG]S8#^Pa,2Tki
%Xp8H@/;enTj@S+'7OZ@-K\4%or*]/\U8YR5_\rb2Xn(o_2frtcRi4<@Fl;B?626[BiF7<7ZTnKb&-(DW:\j&.I..,VF'c;Y-'&XR
%O%eHj^L,9%h1!;"O,3OsQhQDRcT_8Glt]D5pZQ"ej:IF=,IE!HX%.p0llVoE+?aHb:-WS>DitBb6iRW"+IiVrbd7$3[oYdjbZTl6
%`mX.E+Br)8=O+#=26o.q#-P,-1@W>?-Y[B.7.fsP,DZRb_RiSSo(MPr18<2Xdc3^U`"93j?_4'-$RL>7Y)hK9i).u6&jpPZI(\92
%>3K[KI+a@OLX3K\2ufRS$qPi_:_BI"_o6<bO%7]P`imdCJ`ld.R6\l]j_O4AX3;4qnL]42""Ehj<'H;J2b,k8"]eF\e_:VW'fVms
%!g]I>'"tJ'&U"aY6Qn,Tc$t8`[Uto5&;oS<CRp=MePY2*V1R]/E]#6kd]=);[-1*TFrrbboItN]U2;9,dl7:-bXBj^>G:)DWEkCe
%4AV,tDp^hr&9]<Dk]T$@ansSCUP#"^[;[s%%B+1uIaHeUB"WL**'5#KH!_t,,X+;n:/ob6D%J]:YJk,2006>H2a(8b@%jf:nT(2H
%cZ+Df-]QDirduYSR>r^UT7afT*F,X0Wd)*9,XhTrbM(?&NK":@09ef6?p.*1Iu>D[$eYUlP2+B"rjHU:7:CL$"sr>6e*quGnL@rR
%20N`k^C\JQ0)igO25emC^\lhnrU/^<rRKffo^V7N^]!<H^]2hKIJaWUrZ?X]bE(P0rD13+o8iq%Fk(t_rV-0gs6sB%s.e3.s7mad
%pUaf3p/h:fpV6Uq?[h[ks8LWbrO^tbp)j>(bMOAmqu/6cs1A=!=9%o:J,&_erq]._qd9BoTE""SYl*2/5CWLS5Q=c%rT>9Na1o4b
%q[`_s_s]hNO+6hll_"4>qX;2t+Bc9K4D9uc)aimZ?Oj=@*$X5tANc2[1IYPe<M$UMe+e]JprBG#/ENb4s89bVY(-6hY(-5]0@PFK
%fKT:1+92*8,CTJ;\af]Oo(7Zr#f<bpdbc+iM7EV4;!p:O\7TkM)+unl)=:.1%aA0Q9Rp\aAfOMN#JY3k@,=3%cn0)mbegr0hJ>1T
%-OV?QEA%onKU@/ZMoN4:\#5m%gPmRERYY$dh!?_h@rJR.mUms]DI;/tPP%.@s'&e,>qA/,)r;gbdh4g+G-sZ7lt;`\%kl1hbP;_r
%jfs'CB0I9^'4r^ik-JtjC8pgn*N#Hn=q2#QDe>'dTS'(]/$eDA+"fdS;j0P)4[6YujMsJ^Hg]uCk>M167$p71C-]HRH;DGC5fM3V
%rquCUb^iiZj`t=K4[)Zc\,b>+VsV\'rA7WoOaJ#$T:^QlVS]B*oDH&-?N4ZM<<&HFb5L1Gr;D,T)SN9(Ij#3nrtfHn'pp=8PYVci
%hdC?5Z"p"A4(luPh6pmI*%%YZ,E/1s+&6<i6E?u@2;lQ4B]8ZBU0Zg)2G:7HA)4=&T8/]Q8Dd?'I9#(GitoFsMs".SPTsu"PTOM&
%]?8W$e\LQQ64QJq^L[#*i:h6Y<gNmW1UN"oe-tlQ5Gg0AAr]K]ArA"HaL9mB<:&_C(Fo`'.?)NG&o!_Z^GS7s_JY6ipJr5!(8PWP
%l@jsdjmBYJF\m^2,F-"hc+*Fd)"dnt^]l9:a0kfS)-&j2,BO!h!La2e7U\J\D3uY[/8?JfLu3$G4k;0N=<F5-paJQ?:*lStRJp?s
%U+q?l<7,+W5>f`2<ch<[+:V+NLM0>U0`UF07U.2ra&i%fd]jueH/1ouM<7oS&WV9pL(htLZD`OJU\:?]+cahE[8js4i*)WlCr5@$
%iRlU_;![n&kG6l@NQQK4.]EbGDHcn#pA_XG\/8F,.eu@A6O]`obX^?I*>!NAPag[+KR:&G_[E-b5!]q+6+^JC"64(f0V1E5o?gdE
%6eV&/\Va3QbC4gDV3,mSQ7Edd=jf2@gnkf53>CtIG1J@0jCXBcMdRQCXjieic<q;`>m)C=dV(.^Uff/+E*R`acXKdK=0%Rn4cJ,,
%F"SamMcrkc*dZB=QV,!/1b-]u;OsS>;4L!`BS5JVRICo]o'G]([5p(.VjYN,32&\-83*$G]qLZYn39pnfZ,YHTU0;;KC4I._t09A
%26kX9@lEVr_t2%X)f(1cHk0%Dac!hJo'VodaD!M-B9#s[f.LX+[p,ngna+)+m[ep)[5L^EBMmM`Z@MaV[M;Eq_#hKG_Q3gU.2n;m
%V#1c6],Qfrj>9XCZ>,Q.I7;6FIF=AFbLH^p"u:n)/?Ls3:_KcF@RLW5B?tOZZ:C+dN\mZUcUO\'@a5+6+^0cC]obukn8os.F\kQ3
%\gnmupR^F(>#@-@i(0i1\J`R/\5KXcD*oC=(72$d-r%;::8lHAMCL&/6?n*S&S;o;/<k\e9Hp&2TmZ[-UUJ'2?Ns*!a0i3RfEui0
%)91G0%s'N:bcOljY>Jm?4eV<q%ZJR6/C&%?.>OmbjnVlb$%G/H8th1/D#<Qcr8!<GYpu!)3Lc6>P>d').t4c\TJk.JG%C7V%=2*P
%bAEoZjN+3H)!qcSJ1]rl.Yknc=N$U;j03hJec<spUPo8>h%?1>KPKt+)u0rHOn3hb^irWnk>#j.U]M^uV;XagQUOL,Jgi3W-*cH8
%I"9uc86<qCe\@Fji7t<]%6CC@jtm*:`U$/Q&NPIN[=;^$M-2lA_01uahs..Q,[lV'c/_XA=jRRcXZ_TjAC!I=Rj&&d"#s_Y\E&<V
%MB)]&l`\8=T>g-"<9'9l_%8Pt?1t9*lrjpS"\NRYkqB7/-K'Tk,^s1p]!W2T!S$<<gCWDkkhEMFTuc4YL4rHmTk,_d)W%ZRrn7?L
%$k\cFH[W.O#`W%ea7\@g)dt7bFWKpRV(Y"7+@$Oe&t+uiB?UciGP*Dm(ZJh;2'f/2%D;8rB'@4bF%_,n5,VmKX(:eTO:`U*TOrf@
%NC.q>Yod03]e,h6[.5`k9WZecDPBfM958/%*7h#a8Qd+9XqN2F&D(?k*/D"-YsW+KlmSdWA/3<nHc?n5aVtP/fP+')E`'m>rW:sK
%`JC9t5o)KMWK46$7`q/F/%s<):.P$KY/j37K)O&<L?0PW-T$JPY%b)U>V,pVOgjN.I6g*/Iu8!1lF.;d8F;i813Ej#r5&:eX*UQS
%q'[khEc]b[S,2["QQ4c*^<%.BQa]=HoRK$eMMUm%m/nd=)5R)f,_Kg:E15LPH%KgghOJ1BRI`"g]_QV)_Xq"j".j.e.k^jkhIt4,
%4;[[Dp!D"uA8UUiBc:f^,j;B;fa);7r4-34)GuSqAQLA*-9XOiMWs6_A"465MLq%j<GM3?e-*@N\Gt4&G88BS%e!]2J+Z0.dBD%B
%Lh(A^I>J6AnTmX$5o@^N?Jk2B@m?oMnBd6VHl;n018qfKp;:VIc?he*gJ%RN+1rWjOZ%.oQ(Sg%TAt(d5rh]6+6[s7MDCGeVZ[Dp
%BTJoUr*j_MPEsDW85k*fq;QQ7Y<'6Fb*Zl[9`#F_P\YFp*nVcONAV_V.,`8R%`8EQ*D1bE;9)r4%2QaGf=0f;R%S](Rj8si^5lad
%"leQS>_RdkDA:AnKBk:O!Gh(SGT`$]<EtmD$f,)c[r2g3X/mj$!r;I%`*?%6=,U,4$!1m4(`X^cG>qKQOfFWGP%7KW[mScTmQe^^
%B5HBW.ZO]_5k+=bf]:G3A+&c"gAEmG8co\P6BYj'U:Lb_\3,G$0rn<F#*gNXRP:7`ig,c#8!j2=DDG8lipU4Y17f<ND]`:<oq1-r
%(1+*,5J4K)^UW)1E"ei@JT%a*LX5F*rQe6U&+;OncSt_%X38s#H%._8:PBlS]UUsRhjn<([mNBO\%Q^`2p'D7mVpLai=GDFSBnZ3
%5Fts'pK-,4V=KBP0,N3cmk2K'[sRBFGEhiGTBE?:Tc`''*r9km9$aua."-90^V+Zo5JQM05P`bm]^'l.hhtFpl+HLUc5'2'"2!OP
%1#hg%-]Y+:Tc;<NP)[ke"mkhBCYao&lA'R"[HG1#i#CUl0)Ftk*VXi'ro*NVrqYB0q"](tr.t^A?i8b0'2L>+rpV_=6N$GI(DjAb
%jEF"H(khjJfT:,UIsuL\rqnk;6e9%s7>TTOmt_PnPP;\`7*]]Lq/IV,["!P#aBJAA=HPK2?-sj5id9ZRf"h#JN3%a%MA\R!io`^h
%ls5'Agur0KrLCq@#K:o*Ni\*+MB:G%rN>o--i2/L+PFs9Sf!W5iHq:if"uXMOWNAsc\Wp0V=P_4,a'ao,FV"acZd<kp`SH+;6hO_
%/#MCGUn8`/U,29ZE@#X,^E^&FeCpN6>B52Yc]9[r9DH-Y9:dU.F!F@R#Q+<O->VVQU.k8-^+7K>9mfa4aaN?E)f+HFr;"_eH\h-J
%2e`pY,#1f?pl:_?A?%dZ^Ycp-ZbbNilMJ-U\+S^,n8Gc)ZOq/+7B]N[qr,/+9"+[=8>S36?!&D^p?t6sDb2;MGZA^#It#=n]B.A"
%=g8K%5A\@ljuWWgs*mRHpc#tdjY),VnZRE5Rid-*A&Ki3p(7Q/J&,q9%<dq#'ND(6M3HP%H-(q%,+WeMTY/!#f@q+[Fn;Ea8Ec/8
%#\B`pG/]2_)-+&fZlGa]/ii`K6+9+CY,hXQQB2.>DQDM:`hnHe[&cB\]5"<QETL9=:'*8FAi`i_LE0&'odJ'q1.B4(Wch%+E@V?.
%/dgH$cCqRN+P#_;HT*jHnGW4BDD%NIUK[,Pf<uk@kijTOd\+[iT(YumJoL^sN^,[+e_1FrX!.YhMBk%kVC?2Q\S0*6C6uS>?Fr>9
%>d0;X&TP1X`E%_YJjR`RY6aTih%:)%MHs@<0:TE*Bj=.=_Q5d)M$7c>=sgWfcp6B$m<Im$@)=J<2MCFmR^5/om\UM2mW]TI&S0\T
%h($-jpQbN`LJ\N_pFF!&3eU!_YO113o,auF92HHcDP"&^/:0150G]+VR2Ok6kq@%c;tlQj:#7J$H@_E-I"aHUEE>8Skd['YF99gh
%5RZ/CjtH<<6jOQ8\",Iq[8IQe)R\*cbd?h-3`P\?`Q'!_]cB9r`3ncqh8`Tak>:;#R$4XE2&a1sn#L3r[eL3"9Z8)45,/CNdQ"ni
%FuJ8W7!)i3aep(j2"3=@Q$W(\-#:$'.4LT5s&^qPX)"TM20/F&MrZf2$iY!PM?`%ie:F0'PA/JpThF)e"5lnF?4]IVk/Gl[":agm
%L<6O'Wcg/AEau#RM54k]REahjCX1[&'9Ik5]TVs7+]BR.V)ks>RZp7]>!*p-W.!3mR_us0F*+]tk7E$=(*$o<WX,7u4#T%@A@)OJ
%2,dP!M$$I'hh\.CPrK_E'XgPU9)jd9&F+uk"*+`$DK=:ZkasubiE8V=RT*jD1G$RFXo>FS!751=ZHAMYnBB.lr$$LkEN'R$''QC(
%KoOOGeKSfFZ9^W-&Ig/EQY'3NP8DQ>?'%"rH0U*j-DeL*oSgL>p2;h#6or\jWt[(jSP+]!*TEu:B]Bt_<>LoHFTeP5f;k3rSNMZu
%lq"?\^6t2n\P/1';m(\C4DV&j&Pe/A*Ed0C=mG!tZ\XB%BT*I<lGIhAHPn;/*jhl$N'\Phkm-OtZQ82Gkd_6tY,4h'Oir_VS(t.]
%XARJ.XOR[*M$0)cl%.Dik*g/@Ni%QN"C1>g-/^[0_`+GIX0CC;HIo8RFZ,oY+mF8!oIS?&,R6^\;Dlq77<Pn_44';PS$h@\+NmpJ
%GqZqJrS's<ea\^s)*_kh9=4;tB[",DR=@s60'1$S\-%#(VSK:iB,!/-'ME^:N<>XpUlmZ_F=72NIg$3H(!lNk]<5"dOK]eLnMPt"
%TWX!'_=I03+5?A:Vtk<*pK$?B,@bT>-Vc6<%QC2h'.7Rb-6BTh/Hoq)Kt@oGf:A\jW$tdFcI9BJjlOI\jTCo_V@83jD>pSlB>JS"
%3?MJfK+o+Uca0:%;T07s0:OuYcX5Vt5?Wa*Ut!TmqImL'puN6*>`2&;.n_CKCKi@H->E>,etEgHAVmq!2HW`^Fd)L*5#<@:74aYD
%gTdo5C9r?mOelWHe;o9:[!B3i&q7N=%T[A=)nFtq"2BLAR\F8.30PcAU?6'EBRT+@]-`k)*"ZPE7=1MsU6[Q<Mq8$2("!gYoYmf`
%f+ur>jA\W4.STQ#@E^#[9G8M2K*#+9RF\7YUJgoGXB_!(l,s,cp'.nTP)6r35)J_sA"``%<J3<N[FK0Y-;>nP#4D^sIKeC)[BE"/
%cd6bcAQT1q#MFHd&"BUK0.55"B'N3K<pe+WQ2(6a9Kh&_(fYqqHlW_?>@a?9_P#+H4I,OW$\Sdpm+i0sWPX)2aX@'nOF;I-7Chuc
%50O$Ilt!_6`/HN3fU+$Z@R9>:"bdF$Oqrk2Ra'<,*6Gi`F1eCW"'`8ElF5b3S![=8-P9l(<aaQD462o?lFuPt$qI;A-PF1^G^X5H
%\__0Nn6?Ng1R@;-EH]uEJ_<Cj:cW)t$d!_V1c*HpP0r)Oma8,=J\D6)()K,6-qdb4%DYsK[X3js3pFAY4P\*jnE/5@,>ZGK[DM;i
%Gk9IMg([EN>^hkOhis*K=3fm?4hC&1/g>j[;ItI@"WtLJ]TjO"#A_(2X&Gob&q,P%aMl(O5d>Mj@PuEH/Es6L[8AR8/(P_Sr[8d@
%nO-=-5aZ7o>F!RNeceBLrirSANXbqB*hG/2*AQ!%It!4W1chJQV%TM]'?UeM&UlYD&LRVo7dqO2c=^)MagD'2f,4Y">d;nt,o"/V
%=;J!Pd:MO5N]i>0U"cVt*a)!,27T63`5&46c'8MB)8\C$o[&Mo$0GND!:e]^FJ)dDQ4@0SX$:^!U?%!?!mmOg0*O<?`:YX*A.+om
%lO_U6Mdgha<QDObk9:f01S^HUa&c;Par!_B5]u*e$k+8g1hpZ*\T!nHg]bDMh@18<`=uk1Y(Nkc>>:tuC@54B`EhC)B5Tdn.(+%m
%`tK#h'5h0PaRCV,=!!'@Q`8`TKe69di/.(>q50Og\U"$@R%miR:fcp>`/4NUog&NC,@'?O(!G'^'7"\Hfp@ZD/$pA81UT^MG-FU5
%>k'VXAKn-1&c6*<8_1%R"Q!Ufm&)M3E`7ld'\eQ(WYR4\gIbD5mP!V4`N$p^J5<sb*b"joGPF_G>hu&1E`H;E4ff:OmT)!?$bR$B
%92N3,9$G-ql$@\_1UJTUX6e_(*Ji)5W;=4V-84PD^@>Hujl4*,2BX[#e,4<#hN/bTI'3\CS&P-1Xi?tI#oTW:,p<g3]r'h"<J4mK
%!:NKB-`%$G'"Mi9k:f_NHP+i[-p%%G-XD(uM.p;5nn@1W3-tI'1)$9c"7!n>E[4u&*3XNU$bYbR"88,uU9UOF"&"N_/RhtTG^;nh
%':i.&jG06rUeQ8KT&@5eCTVi7(t1Sn!&&8X9gGXOLN5`5#1b9'b()WN@L)-KU1kSf,MarSC]bsKiI\`r()r/S^U#[YY@4Wc46si.
%ea_`^qI7]lE^\=<\5qh##/()=*2Q:gk*5?<7K]dj<Yr0;m#M"*=L>EN_:AjZmt)qbUr>aS&de\J6\FCeXk'&'1#&UAPR`m!N9$Fn
%(GM?*]si0#@1uEXJ4jmZNm/1A6Q#m#9opkG`2GT`FB%<9<MG.$1CK3CMBd-gg'h]4b,RG4j1$DT*G'2U96SIp_K3M5@CPYn+s]p!
%Kq'5sL`A%i_@NtjiZB`in1m=VqSi8^*8'^>AQsieHd::[)ZHn'[_7Re3GU_D-C8m?/;pc4f'F@#ouK"M`/OS(Rp6W_;:\#VVd^94
%;O%f9@\b>^cT"(qQ=J_jd+?me1!7p?-\V/1_W7=qT?D&aH$,!kH/<mj2RFU9bN-D.;YWV2`29VSKCgkJnQ$m"q;k3^Ibg*_O%E:n
%HbMk&9(WCYLH(h.<[X<]M>S09$;)VtgZjH\s$>$_H.MPXX(!a[V.9,>"a]8_g$jFS>eP6s?FXh&`!Zh=[4D%M628_(F!i<uD;Tg@
%dk?4J0>IAH)`cmOLU(A4ShK;9;]P?(GZ?;O5<2n0r8O?Df!SL!=+`q.#'EALJodE7J98@#r.+shW/oVIen_OC!SM\!p@H`<S+A&B
%.`>X%.UbTmMNG6;+i!M7$H]sOMr]baW7!:V=\+"YafW!D1SoY68Q=i5*7;_WrIT**R:J)@icT'AYIIX!ZM]AkLTU<nlE!,F?oQQe
%m_Wt@n,U0,<Q`kN0-('O>t9@<)kY2<m*djaP=ch'5COcqL.GSEA)$=c$*k[V<+"Qb>AY-%2M,3bDD<Ue,VPjjlU]%C9sp^@[*V,S
%f\.*:&^$2:PV8;Yj@]gS(>GN/pcRe(C?YrW?@hRd2mAiB.TEqANAqiWdpE@4+Rc_--L<Q?rsQ'bBgm%'>,[lC0/4o>r>M\#i>Z/<
%gcN6$TPPQ:"kG)f?q"(tFA_'"3L]cN`UHm9X$XI6esNnZgm0J-.BTBdm4&H*PS(WsTIH)Rc:Gk+=Q3L"0Rkp=i$UXk<IE9">JUW$
%X;?$(MSGYcE)qTtP;+GcHtUs6`Bi+XFsm>3@,C4JOJFW!04`<MQ8VE8rf_q8"8<]`]_E-ESg!H8XaVIIZ`X%e$ORs7cde%uRl/oR
%)iG0(gJ7DT:7@@F"EOSQ"U$2?NhjIl[C\0B'bE-M7V30%U^=Vl59Z>bWh#Fp7AlEK%mUE2q$F!h4opN`9<acNHSqWsCD+$n/TQXc
%#D0o>Js:)Vr.6&s-G(l`ch/NO:g`)KPRIk]XVkB6eTITtTfCCT]iI:NS-dT;\seDEXVCLeV_maT0RoTeon+sESeGs1MV7-D/[J65
%gHU7#A8b>-$q!b.&QWadmDFm)qMK;blK24(9g*2!VIUtqI_rK]X&9EP/kJ)ZC>fFoVIF,D3YBj?>!IkWY$moqKfpY^97[HKi&H*T
%VN"#*e4?0cAEEI7JLn\$OZ]]1S=/=Z8c,B<Yc[hfh/$%`!nohQ7F65<Fk).s!u`G<^]O*%lua8:>n_H]`b0DO8B_:8kUE>Q.CY0>
%^e\J',g!=>=0/N=B`i,n>g5j^Iq\mc0=tFZi!Z\f]Z,t8-j_(eXJ3t>f`/m*Zge5<:)EK8XAYPmc.b#6JgS%nXh'Ic=01$XKleVP
%8u8g.0'j3kZX+ASft)$CIfeUK3L2^#1b/_*$[Bg\;$.5mIj06M[6*^m/KBh)_Krnk<02O&_p6u$;U+&',;e#gdN;)_Bc*NQY^r7*
%F0em$INq36M5R/o2IQekK\aX+h1H'7]_VcB,()ZmCk@I=TPkOah@MuOQ]pjnA`=#h5'`&o>0G2GZ/3[Ko!m5h`*5'+;BqrNq9.$#
%7WMQBSB6/YCA]EJ,0R8He_AQK(gZL(%"OW#=?&a!L)Fm%`-8>2U6+"([$h?TG*8K%!#RPeSLF3SUo%DF1QT0Q4r^aFZW[A`26I?0
%%d[@Vl9n^KeasDoF)tb-+F/WNRGj@?/='CQm/(\loaRtM*"*(<8pg>lB#t6dZp9u.;%U:e$2Xg*EB[J^[)IuPD>:c$^N$YMaX7,Q
%n@/i)Clf(uKZ;7Bm]!(D&>)3*Es7dT<\Qi-.Po%@nm"(E^oh`\L9<Dg=S#&X2_1$NYOr&NRne3'euiBi9&S-jarnSD25m@/Z+ImW
%%ZF:0iB1r"1/Uft:7_'e-lXbX)70Q,SM]*s;VC`sB^t#6ClF+s#bkIl+7)E\B"$^_T.JaA-3T<MN'J1BYEbMTOgLgcjpU1#,9'N[
%Cp\WmZc%_.$eX6Zd#bZhat$QRdnoO>4a_)j8(;g>D>5!M[aPTH*<hD&<A181>$;eU6=p9KA!g?hS9\/PfMtnJd`"X?8-63)L=e:-
%qmJ!kAqAL;$8813XU/@Y>Zn-@+_@.M8M*(`q8Fhs(I>/"TUP\o5us4W?@i3-p=FfnnLsq1GB*idph,(((r0MYprd%Cdrj7ApOE'!
%G-_.Ss7+o<rmsC4k(F,*"@Qe,d1o5J@nCDs$4SZ13D'd=!XX#^L=#LX`nd]8jtec-/I*@!e^;Ubnor!Wp-39:20Z^qgr-gEoE+:6
%li_Vh-gme@'[O-8Zl*@P;W#IT1gctt;!c@&8(doXoDRJPL574Mk;_5Q-c2+Z/O5ObHU4hZT)6C5?S#F1N!0r$<2H/&]4G"sf=;r'
%W6=C5GG5=">D5U(Ahp$^GGs&>eVlJJ^@+WW4FLcuAcsd;;0_-1)'imq>_)4#aljS2b4K/4hPW3d)q4X_Ak(L^H>[gMlJu;RWt_uR
%%!f`+$tio\+lNfcS%=FV1jhV(L.*R<3W@Q18C?+qWeg4Oq$"@#Y$mjUOgM.])odDWA=1!0`3]Zq4*0Ub3elu*Fa3j"?qY:_gLN/[
%e;-_!C2?j+#ShD8f=#A$NM@7C%(c^4m3#N94dpF:L\e3E#'L>WKn2YBC9S^Q,-]PS`o=WCV9(4.$FBQM$[Fln&*SmVl[QE7$;SLk
%nJ02+.OT&5WGTb6oPDYn:J_8hH7_q\.X%5_=>eN^$<C7moLcimk%,hC%AS"E3tKBBV._H7cK\qGE#t`/coNs@.U[%,&k>Hu;OhK<
%PdWi/X;[5Khec!"iIIu!2Z8LSAW[MSl(ko7%+Zf&hi`^@8Ot_$Q(B@O7TR$(XFI$[=14*qnB7upfJ'Y_/#6NA-Tr?VgPgqPW#HZ3
%RMBTPDf%(b$RLkL'cq=CY5)\_V$a]L;_,SED_I*K.@0,mi5GX!D.Xa>ibsiNAfkeI%U2EdWZfq9*o&Bl]3K3gnH]Ff3W0k^+OT=S
%#[Lh`P$msam\spr1:71j'P#Gq#lqR*I)34#GN>H4B_7Ji1=mt#R,<G*]o(72i2)q`1ASt[$fA%W0Hng+*cOggf)A"3aH!-t5QU8L
%m?E.EbLmG/&gm]_^;[=,TAVdV42-Lg`*O`T/EHCP>Mnk73U7E<L.?9$4RdR&<X;!u3\js`fj2o=-S6Vf%AK7[_KOs8^^OB8Zj'sL
%=SNOOLO`[9'9fu3Lj(1`hblA>YuRo'\rf\+(bb,#>slEQ/*Y.8Qkn4!a/9l@5Vj!h)kS='P*sMAfk,6hX?c^WXO@h-`W%Lr@0)[9
%?7>be7TN8<aU!V?L6WY,&6'TR#uc$dO+C8>'[5PG?[Dl_.%XS@]9'u^jD^1t[F5,,)/Ea(V<1&P.4R,Fq*>Ejo'XT9a[e9#UT[jZ
%70d[d+hX7[D6ekf3-R]WD_phH7A#+RlR"nu>rQD'j"u\%.h*(h,?[8e.2.c&SrP'aY)*m^d8;WE$q3,A[gt=!F#CFX7C3*c#8q9)
%14UMu*,1Y\Wj+0QK0C/9'YA(g2uno.BD9[&01Kh*)sSWa-L2&%Rb7op6o^!;joDC8h9\]4I2YUOh<Y]fLLbPD6P3h+I&>i."Zmmf
%"p.Op/TiXK*MCl[EH`<M28?gIoifQ@P%U43]9KhkM_WN\2P"_#HictW6+7[n&V;a$m9);CN5cR)nI99\a:%q"22`iRFXD/jq`S/#
%Gs,s,]"mi?%&oAsG:iiF/)e"$ZBt3a#(rmp*M7:&RS2WS6juhs9p_bZf^%+9]+oqtF!aZaSd]5,DX<<nP\(igUp4qT>@,io=l9Bl
%_n77S+"`4Gnm2mH.!6Uo1ltfQ4[o=.Eru?kp]QTR2"DY\W+%$qN'e,u7+f<`Sp-+e_oShaC2O`b>khdYY\6J0>KrrRoL2mZ>5F,3
%r+n=AlmNP[QH*j^.-Ss_:h+WXS)/c+@TW;(G7b3^[?&Da1&+k1Fmq3HP?:)k71Sr9fjc0`R[?+2[^IoUOqB6Q[TOip[Xn2I@6m/0
%EOCJ.)L2N@A]4g1\Maft;T9e=fnf',W0%g"e6JQTaMM]0DIKfFe>Uu$n,V8nmD<a+L0\p=;d:Nbmh,rgAo)AW!\+M1J(9LaHm4G]
%M-^C(-GiVp9KWK8D?f*`?Kb=L2ETl5\>$hr'dJ&:kbsrjVR]EIRn0fJ*7\r0T&bZL]IQ/1=q:a$0;,Oc3m=nKAhmqK7jQu92;e`%
%\sXED5*F[l.[]*%Ni94nE@aoP"Cs"E!dOD'm@),i7]b$)D_lm%K=dabN,0_&+(Xjt*'0HjNmjPte5T=)eY?N>Y3(`J'`hnUe+E`n
%SGUKS*G1PGK"Zg(Omg:1>m#BW@VS:Pkrd^&Vn/P$9F]I%i9JCNjJf=BQ0G6D0#h0-iu:`LBiZQ*j+NSRO\93S`OX#a_gC'.jXV7b
%a_)jdK>X&[5c'#i_cY^(GSk:jB=cb+H/Pc?cQb:,FJBqU]-U0c%g[\VET9M;@%NHJAD(YC@a#<u<<-7#NDa#12ck_fNC0G[\I^tg
%We(\8r3hmW2A?Vmm,[M2`R(hBDHf+,Xj(.nMa0=E!L_E2LW*)PZ94f3D<5.-LdfFa`CR'J+BBmJ5D,/,2=7Y&YJ)_%Gq$u5;:Dl=
%*sT!tY"?g"U-+d`nJL[sQ8*`./?>90%;+_,>?I#VS!1\*%;^eh)i@Wk3;.5Q-"m)u:Dt7(4c=#pRIPSQV#+qLJ?Ph[i+Lf^m$"p3
%&O&VZO<?n9hdmc#N%RHtD5Rs3b_R)d(T:L]T,='.mE=KHDhsLW9\rT%k>fMqCC:t.k=lPLZQS(r.5hs`B)E7+m#Q+fF8uX2"ent.
%/3%jPfk:_%:*0#8rQ9(XgVh6he;Y3]hLth?$+*3)oX^@(.nM:,lU3/%mrr6lM5OsaRoJ`/C;f@:;*WYjcqY8M<VT22f^\(HK"?%(
%Q\nZsd].!#)o:k!9X1/@gZd'6Tjog/&LK-kN0s@H:lCj.bfuE6BFOI7W=3#V[$7QC`3n_G_,G2\<HB29CEPsBmLKMQq>#]<#Wj7%
%;aAc>i`FaYl>$CpoNl*RUM?lQpb6NMT-n6RBZ2daZ:jSBd3r:0>Y)5"Z\?D`fk9f\,`9nKFTd]r_H;W7HC5U-)ml<G[>%=5@Qadj
%/?\WbDH5W>Z!X2i!"Q,kAI1b=N,SBj$]UHWUIJC/#^ch-hYSX?b+M!I&Q4T(i"RDA=#$`lB7n))I4mNGqk@F5ZrUb)!s*)tqL6Cq
%LPVW*"-&f+6<kYDEbcFD>h;]LROl`.2nK;N$crespe-^,S-62a(h-ScS.=d%^fO)V-ks3g8WYTEOanJ[G!V#:-JLs>2]lET2LQ_e
%L8Jc-N,,JHne8/X#d/ep#hR68'P/a@((q4H[kVPl=^+fIFFejU[55Um!/g+%!X"`I-BCfs(`!8%@02!J)#\Up(1sQ9]iA+fd_F;q
%WRTVe+qJ#oKi<XAqD@mM.A<^V7RSPukG<kfDat\0m4p))X9E"0-QpW(d8=Z?#$oi++e%h19:3M@7`eIYF'J!kke'N#3Nf8uk;,kX
%,]uYf(Wb[CZqW=`l>Lq14Mq)d)/[tD8^a3?i-*9M+O_)!,`U$RCR)B@ake$:NCRsV[tF]2d&p)Z83UVUidfbchCINiCF?F#$B;>%
%+qQ"[a9FdorhirFRT>gT8.]fNAHW>j2FJUlSbCq0EN(I["3CbCA.'>S2:\IoAAprb7UWfBV@\q:iZZlR*5WAc@";b+:gTa"N@Sf'
%MsWi]i$K3ae):ra10\Q70ltdgNXCeY&9EWg@9N)6!Nm#'cAm_1%`!'$-u7s4>btjNqIksaRG=rCLc&/$_J7AM,_DOJf(p4I3,][P
%kW/kIiAAIV5c#^+=BFtV?0A):Co"8u3Y\.GT592o4<g2O.5\29=I2oMfr;q"?d/k)"e_SDTs^l))D`PfX\';OH5Bqp1)9aQ,;a=A
%)sCN0VB(Q=\;q:eQIpn-10^Am1GX(%lNrZd1sCFq@*]+_/7k;cR)[92_Ys2(M:B;26b#]TpM*0f<)t0\9N56:P>3QUQ(h).UbIqk
%T81U.OiAMhh`_5Y0[ZYJ2T9SoC4b"Q8AeWlIbW+Pb#H>B%GMY.n'f#pae"bm]#o17\h2&H)2_I>6o@GR8XY1oD0LM4=VVT>+'OAi
%S/@*GW-Rhto>$/"%dtltNF@Jcj^Buq:Y`AASY3<iEYtjL@Rie!EiF$n)AtIH1WYcDhLbI:Jo#H?-h:"8c]#L3.Ptt`'D(Dr&uEF/
%-3.H#A-LsB-\JU)`f4K1J89;t"U2CES1Q'L[2He=j/h*gg(TPtAmfI(C'21R*1X#YCIVD!OIYOG$$ANp>51"qL=F_W`#M"[^;NR0
%7q7^jCT3_A$52ilj/(QOHa<n2fe'PJ!"Pf\.OgiE1-E`j,ItWuGJF1?<$iO`$1*"N[50m2'$L\K3Ba3dL&Z`=4AC*R?^/+`$QF#P
%1S(iGFW/GZi>3o;$)*n\=f,N[oiaBs;/CeuFR^P$*!2.'B6b2]BJu/O1D9=&ksWGF"e@uOOl;b)aQHA:?9n.[%9>fT"hEXA"F/1D
%*.%^Yal*2VB+"=m@GJLSGam/aUM;-WWOUB^/FQ</&TM87L'A[H!6gBh:.!No/[0br,ZDN'9$3KlEUr'cSV9VqU$P%T/&efYK`Gk3
%[29L<:+jN1fkXcG,"&\u327BNaC>Q*3mrjQi"G>$Rg7K:TdT#&b!J]3-i*"R+68[Q+CXpu-5jZ.0KNtp1]"U3q2:^+CFXl*<qk`r
%%VUcJ<r)oE'#KDAe2]870%6:[)/^[LXHUmi+?WeUfO;LL*X<)%R$Hk@UHp#;>iaZsa,6bsBmFu#&X%j?N-t"q*ZD)gj*U,(gJ9p8
%S#C0C89QTuQDk_>_\%5M@s&_CKIGr'N(P;M!W[3lKB@DNUCPqC:?P[Y9cVJO1]E2i/E<aFR2r&uak,gkHNV&0jOcf?CAMPn]YMoN
%(hksB'pqoJRr'Up1's'tB>ll:q<`2MfAJM9`@-Dc7[t.%X*15ACmi'p*"%B=MKTiIlc!4+GO=*n_9=i%)cV(jp&ef;(?DSRUa3sm
%O<pUZ5A-f9`Bj+$m+[+6,C+rc=OOjN75QeqZVaauf+R0&,imM?Z9a^3RGOPRAamBAF?r]/4L@Q^*dH;:Vq.7a!puoi'VF9K*5EsA
%,mBNP"BkgIG6cBY-*$_J2#W!5]WP!I,hPYg`Et-KWoTPZ>/75A(0iqjErZ6XMlcbofM@@[B!e9l0H5"5bXh:9BHO,kJLZ3ADGC*f
%UWYSG9FBu\p*lZ)h(qP5kCsQK>E;+rp(BHj,q(l<:Sf#""i`qo7'6d9W-'6u)Zh$L`^Tqt$H&;Ea)a-+=<l`h-nh64*,NeP'5_`i
%a.fDp''Yf6:dMIZN0$[%E+;s-J>Z^$GuM.HV2?69P=X@pU+d@/e\WJlO1A+C@Y*8KXTZ[EZ3/l3!@J@=58tjUX@Iq"QW"*8juPY!
%D[#V^6?3QJ.$L_e9?tu:N8Zh.dkh:YCT(5Y#&`MF/ge:H9+P1X;B4c!4QUT^9$Y09e9"c%Ak)F^6F!9!Or@ar&>H#V)kcb6c98VY
%9u^i=W@W1mb_]4O!4uG/[%n\r=!PCuV8HNcf.X.@ir0PI,g3/HEEP.o4`O#kUVo*$YYZ6_;rgg/'-fTOf`qNf:!:A\Q;UF>L[aF[
%2/1IsR"M7*Y/;Hn^m\t3GdCPEo@siL-WfhE3;O9EKRej9P5rruHtcTFh9psCVQ<[QHpu1mB>#5J_qN97c=LN,iH#l67G4>llooIb
%`B?,G9oZ1o/iRe%9qNG$SZuO5?2=X&*df&l.$EYBcbqsIm7iekZSTV*)#ludi$TLB^eLGMT[<rDU*U1YHi^ZF89W_8!l2[#<2ltI
%r7Z%22@XDe0DHFJ>33^*p`.KaJkGj/7j>LZ&"P:"U3;5\=F"]4Bs!4%Q!hsHIgVRlq1a%g1"Q\6$>]dA9nSX?4:pO%gg.n/8]V5a
%6#5!dU++XPC.p7sj#T/lR8KUfCeKkI,YjZ+a9_$@Z;UE>:I$=jF)=-E1-<t:2,3/SKtq7g*O-mkj8l#c4F?l6?Yn6m<8F1.cf4W0
%MWOI#'gU2<bZ#t8T)N^I/^qREP6pGP=+3Y1+saL\QT1?M3u1^o%-'o]YD\2k&80jc_6W?oU#1jZ-9*=uoqhoR(O3b!WHMhcVjAAp
%#LHR)1!$S+mb+_('.7CnXI\+P@4C8V(@m/jMNR^`Yk$jKDf7njaM>Zp(2#N"Z:pQ(!Kfj*l4SG?REh^B1f/G,;N>GQi!)J\+Z8U:
%)F+XiqEp7Y%E>+I_qmG5i+$'4iDA]X&ulF)>EW#544Mm)N7tCK>_Vc_qCA(%:9OS)<^;p:%9ift;ek&/+>TOMW,6;)KrN7`S5h2m
%gX$H9)Ku7FeE[<MQeTS^5R'1i,W%b<ju5[4N4aA!]Ski3(54IfBY7f=YQqodGs'(!]o"uhSFCNMcl$K(h^"=8[)5$[6>p)uZogu_
%Q^8NKY(.A=[3\@5mT9qcE<u\?@'+MG'-Ili--5*F6nZ'q:2?)tYZk[Z(bKL+``9\S;=/oKA'AUJab$lM7W[fQ321eQ"\3hFodX[C
%QmsE^'P6(8W&1WGrMPh%1)H;kA!6<'HA\<gTZC,m=f<c%-_R;g)"RANcu*erbp\D3=+10@0eIt`>%sZApK1;>aQ1t'a94FZK8_op
%**[7h=>Q.,,FBq-:6&cYB9W,D1P3ja77d3*-pOlS8fbi]no$5BqdC4;0cg;qTqEM?&',P3:<\MHWCG?X\5^8P;]L.onCqDT&&j-J
%)8a2WPh\>eb46mp%M7R(1]Sdn?DGPp>t<+0@hT^oY9?dmq(:;KHrf&rX9X^i8;50uf#:b@pS\1Ch"3<XCtKD67+2#/%YlbKD%\&5
%;iKk9lum=t`U(^IW!B$g8Y<54\>!<MG]+MR?jD^Rc-H667LXL6T9HSH$b?F[qI(DfA:g6tI!Vo.3*<*?iYodrp4PIgVHc8L8]1mG
%7O)>:N6kJK2NN]:`i;b%:"mgre2hfEUei9Ul\\3K>;_&ZfT6^u:PJE[kpn7LM@h*lO>-J76AM%`\"$`=<Rdj]A;EuTl\*P'L6,=G
%_K"BT\P0h"D.#?H7>#/*1=9+GKCU5U?K>(APJ_9%[+)SiNLM$[RNIefZ&5E-;Pk$!=BS=1A*l\tCIS/^]N>\fi#Eo/Ff'd6o**<&
%@15]!;pHH0PJT('fdV5Y+WEru<o'\XGaHJELnn$)Fdl7(EGZrZOf?Z)-,00K'+Qo>i;W"1///CH7pDLcRYc\\5`n;l=fJ,sq0uRd
%"r1gWPd:p?ZO=i'5:NX3rh1%*<C2p+P8>Ep#Qd>?K:/cc$B-Oj/u1sl$+&5*8>`o7Q\uP'1#qA+03sn=ml3P1<\RhfLmlMcM)MP*
%]*$_b/o7K:47.-g.FmM#C8F_/$oj42pt:>`#V#)4l7bOZ(1tqFVA$;4-42Ggl%';[S*$13-[1M#EWE"W<UJN-eA_ntS/Cc%1Fd@"
%GsTot&#)\j6X&+fX$GR96\u.cng3;n02G%Q@eN1Ei%\19!-4i2.uB;eTd&IYJBD%XeQ[!u_?"QoP^*5B\4X7SPA@t$RCk+"NH\;,
%0I&[0/N9/;^^A;a\Zr3b($J<u;POET<]a7l@Nj)lTZuQb@LOTc5gp#m10Lb/i^S#%qjU]M4eB,s.iI?"X9FHtCu-Vn`004u[>D7[
%aWcs_H>\V/,%ogV5mihpl-BgENQjH&AgG\lNadVd8uj5:`YPQ*ZW,:d=DUC4E_PA$H$M?f+oMjbOTCM1JT'">UrOBE"A%2rTi*^f
%+9ULP#Er22)R4-(f08u?,1H"9=Ogj<#)A_XFlYJ,QOE#[$_YL3L2clOYFA#BW!MNga;V3NB\4dcc&>*Q>-e1(*JY>7%Ma``Ck$_.
%Lms3p$0g*q2\*-qW#D!1l`qo-:aPTk3";\[nIKRN$<G5;cpNeFPg`G:P",TbW-[ZQ46<kPI#S[b"!bd:4>8[6__c/$&1=a?lk;t]
%h)iFiD1I4,.l3e5>c,Ef'BL$eatX@>!PQa4.Dsa>Xh7c9&).99V2;pX!H^=rbgN?"gKd&pST0(=euK\a9&5a8ZGiQ+F&2dX[a4O_
%55WKu?io[m7!3*#6>K*W,,;nDW])0`gm#B3q(2qGETsl%Tb.J;;X(ZaAYbZ1?o?'Cgn^:f21X4DmSe1CFRW(i2^c.XfrD4+7Do\?
%OO/!f,b@%75SV9NW5`?ZGG<lIF&q[q-4oeNnO;N(1Ec8nS]i*n=jgaHi*`<07jEY&;$9?0(8Skho_rrsIZW`E"@rl--s7P87]sL.
%'Sg2.?./*EamP_-VB_;"&6dUh4B#jWfL0jY.fTRC*n,-e7;EN8m$m@T#t^F$0!q''Ysnl^2/R>r<o9"@X_E^M5TbCGiJV4UVOliq
%0]FpOXKK+H"'=c\H6[<Fkr>^Jp="FUXhj7;5(]7mZjA+u#-)#82s]99>)*bfW)Lg,26o%`B;;0a7H[Ng*>NE[olDhk@$A=),4]9!
%HAuk($JLfmP4PV6,@O>N0mY_+"W[K/"SgT.Zq\Yn@JbiQ!9iP.NJsdV=Qe@8%Ul-\-/+J&8WnM2/\oqpk4#@I^qtoOFLYKW6cNZ'
%G"`tF8>q/u)$pEc@>M)qZ62MK3C@X^G>60+X;S<L?lF/[3.sShe;SYhDBf1.T,?$LRpq=_4]U-oIKm@F&3go^QYS[LcH54+`B4*F
%\Q?.Dn6rqIYL/\/F_:3VP(hB\#)\9&BjGq4"apf`.XV_OBfjT8DgV`C\LGX#l8920!@DL8(e\/3Su$\$?[W)r+Fo!sU;X`KBr#k>
%2Qi2\>D`p[\0]7Im3*/g:i6DQW%(sPdk]`o*_,+TknKN(:U=/-->DrNg+J/7V\<QU:mMnJf#;@s=RFY[I/3.Q<orWWOr&-+gGNU*
%2F1t3:=b15:*\iDW[A0HhR0Tk1erUiP[*Xk==+,_&p!pP>MmOYJQ,ArOo<A\82][fkuIf$Y:IKRZqZd+n.b<UoKTHcjo!)P$89Bh
%pu+nG1>4MZh3E;I@Ut<G"Vr[k7EqJT2Wm-4p4O>g_l\#TjD)'ui3d&+KFA`#:D`K&&m&npd*q7[Vbru7N+>a#mZL&)*/HUcB/PJ_
%#YOVD@1B1hHl4?$Ws=JDit?HUof"%d>`>mrc6AW)1-]A`*YPH$,%BuU-8M:E3(`'S!0b`>EE$ckj#e`[E'^72T#u4#_DEF+VTs4U
%EFk/]d+\#ace9`:B[c4M;q!DQ-ml)'>tTr(ANsKt\2ZM#,AdrP,V.(!^nu*"G+up.SKu4"C))3c#"=`kAmM4=ED'7DMJ4?6+I4;)
%eV7H!fWM4;m_mTgA[_HX3N\+%)@+<kU9n:T!+P7+jAK`NSc4=S<u.K,GQaHmbQrig+^gJh!L+T#`%YDu@E]E_eC#1M!&8!nUD:q9
%C#5OYc].;BN3[;4oOM@/VifcYN;lJg*eb#X]u1).Fs$46@Wb^Se79p_ij>ruA_Rr)"-)oN8ZokKW0g+Pbu%RFot@[,J7_1hIm\gW
%'J!.KPMLCA6Ar,]4.dY@!t#?bPBF59`%7(/^56V@b&hgLFB1t2Q]&0bPW++k+Ho5d['B]Hi69Y8)=qD>VJ1YE`3flqRB]SN.$s>r
%$s@;f%ejYe5-PejWl24WitVK8-`<QG@_!0.aj)DI,WcN,B;VqC3BYG&==16tkO=*/K;cr512V():RNT$K0_JA`%Zc9L22o-Ak%jM
%43r9op`S,N`RkfNiG;h5W4o;SmJ'ju/ria4*/E9AA\m?\dU=f\iNYiMD5=Vm949`_0+m6;`+f0F2IP&X:&N0&hjMX;j-aipm?'2<
%)AU2L.,'c8`nHrr-M,snK4=2l\Sp=ioC,WF9Sur3$:iZ^`g)Hp%P`TW]G^n"asg\.lHM`@NfmSjA?:UU0u^2I7^c-oq#j*)ZDY)Y
%(0^J?)HEM6chipc@shRA\?TFRPt7XLVDJ"2>re/-<iuZEkt0UZWB8OZ6^#A[+EaaU]t#2R%#!o]0irmo?:H3u'"qOAdh1=#3SMaB
%adW%M_l1HBN1X\)Nm]`KE[]@M][Ht-BsLWqVKHsL90eQLPAo'>?5No5cU/9j=ECreZ\<:]UuRpl2&s2V(>gHcaG+S!Ud;%,_-OiF
%'1>uhXhjm5J=tSpj"k[ZHnI'?YC91O1W[W]_T@)Y,85Dcj0fm[K,$'sZd$2nrH"%0ark@-X)1c"FW:i7VmUIjkZn+Df4Id^ZBp>u
%!FR`i$QM/Y'L^3k%E/W>!s!$sE,&rS'J3b$DkYBl[&Wm%Rl-V3'5JEac4a]Ub+_l>b6d1Tkp';;I6Wk02sQ++-kE,fW/8m*h9Q47
%m/SLrD0S!k]Ga"WeJ$m5!XpoTYrIuU=`Hr1XT0JFf*"sadfj-jH*mn=Z;M312k\JVPopZ:OBN8LR[)Y9j%m0#[0?$NEWTnFTEt4B
%?*Q0.IZ#pBJQZtr[[[5=?E3,"fjq[YM^#:`=98!*)O\L-RP0se'!%J9gMF:$^[hAlmskH\WBIsb]GQ=9b!GcfH:KT.]:_b:RU'*9
%$#Y01f4sf89QufugAl>>Ej]me2@2"[@$jR&!^a$<\`G:kCITVrg[&X>%2>ErR9k:k^9TWJcVT0K?<S3j.A#k]XO]?m!%*NGl/]>o
%Y]an:B'bg$V>FrLI__igAjdBA<KATf)jFh=<)2JC563(?OjU5oO\eLZpp76FJu62J.l&)Q-l+kP<Kr*NZ4@T5oO:AAPT.lW(u&Z=
%-Sn\L\1fHV>6Y=FnU7&L^.*nZLELTL+LNa6.<0>tP,oSB7Ls[TK7;nOF,*K7,>uF5YnBZn5.H%s'@pd:RHN&aM))up)B*XiPH,5;
%GCTb.i[4ul9$gl[XQ_Qf5bl]=A-:UW,Wst01SUY.4BSYV;.7u-_j?aC2h5D*,/Lo-!14ZDJQt@P3,39fUmRiUV):@j\i#\LaY'XM
%TZKe7cH;?I$+%MXNKV?n7P%H98)gQMj<8-^T,K6L*/>a&lXk$8WP2q$pO3nRfQo@*MXmmZ;%IPQ94SQ0PsW\GL_[bm`@Q$e\h99u
%hQ[)N7i.)&g/hC<eoGA-4&1]2O%R.gc^"pbYgq$0\E+PI[4dgpMg,bomBca*U[.85\o6T;FeR?>_uTKRW5kjfH-WX:_s8lPA0I5q
%G6NdpXAGk^^+XBM1)/-,cHJS@mnge15+iPJ52);5`C@hY=;D@Bc4o\U[0n_dMclRo_g*.^(Ad!^qoERb1XB=\nV#tlj8'@W)[@#p
%")JT+>b&b7n)gtk6m$N<RY)8&f=L8[n0<j)>@%f0+[hHZ=8^G7FurVHhp=W>6afb2DjBUKb>A$fX>cj&AibFg&_=NnMcnrmCl`Qu
%%u!(Cg?cWG1),\3Y!Y$e6GZ9Q8;LLUOYB4+D4MXI:o\)X5Z4OiQ43hNEcW7A9O-]WrZ.s>.qDA?V3KX2G;)#Z8S)&7K?g^"KqQH%
%r[WorNF"ana-YmRUJIB>_S=6:ffDDjF/5p:Kk=O`/Mjh$OZoZ(MK,Q2<dULRW0G:*`f/,0gB$)JcUlri^<I^\iNNFWNk,pokn\":
%%rED^LWeEIpC'25AkQ\OV^hr@G5ibdE$]^S\"P@FoRIpki'B'I^qCTn$,MK''S=_X0lJ+lA8)c]l]FlE1,M)^N6&NmZOi7MNjRAV
%EgR'i^3,<SArf(<S#qofgR]t/_6d66.:EodhpDQjZ@KksSn0>F,;:]0qpBM@,_:-EEc<r;;tY;CrtOgJBY>URiY;4oGb*Mq:S=8]
%5+nk&X?\jQe3Jk+(^:+(+E$rZ/-R%3bJfS"+6bD"*[Q5!#UYnL.nj5:Xb,"`>ED?UhhZic9o2eKq_$>`$%uCsb2DdL0'7a5@U6pP
%AlQq'i;k$I(nJX)N1G/>W4[@X?f*G"oiM/"b>8("MEPSfHbTL*5CFBI8c<ud-nSe,<sgMe*Othfm[^JmoOI.L:KgbK1+:gRkcI&@
%oZ1sV6#Gt^FK,Su?E#AFLfB0]!badIP1I_hH:AJ`;Wu!M6]GPpWl%4/$`,S`Bb-@i`1TRXr7F&\iYoZp@1o\S3e9oZ,5J,XP]]^%
%@+c)N$q_'[<:Yf2T9-T"9A_AZR>$T/e7Ot7Zf6]YDE\6i(?ji.8kRf!L\%ZXcBR-(gH"E@c<,+(p8XY#R-S(e)</GieWI5-^nB9Q
%+_>727$U@gS7ghtR3Lik7[FFRXFtO!_8f)<<A!8eWU4S[3MQ7sBX9@JYReoprJJFq1FjM6@T20eSlY43)5U@b%Hqse]b[Z.>[:me
%>`k.l,\/fLYB$V^EPM!g2$8=6Am%IC?6e)i;B_4(%#SC8/rH$9mT#*m'1\C[.S$NaX0J'hW@9-2U]sAdHa%&1kLS>hGsjAVH*XQ;
%-&/3NjQ]`YPg_KF;N=m4&.8(CgDa#V6qc-DA2[Pr%AYU2]?FVO"Yo8D6CP!uD2]h+)2*O9/qdhifH[WiZt?J!Q_@H<.5%SDBr^VG
%E*>4qUf*5ER"fFY-n[;+2AbV0,#d'1"kcPnVPULDQ5G&1l4[=4#t=H?E/AH#QFUKq<&Jubp/n1iVe-Y:'r.U@r]eW?mB.bYFX6Y`
%pDrZD!TPo'Y0-52i?-L!%EiG&L'B!S(`3>;L`X`IP6*>D^pj&u=:m(LFC,K9!Bh8+U7,lLWEm+c.s#:'=:mNrkF_i@B[$5`/-$du
%DFf_I'!.T_X4Ms>at8Yg7)P]h[S`RF\B$Anq`C>kG%,\D8WMf7l,u??cC,f7-2Jm^mHBfS73/Ra>GZSf7S%mT]K6r^YCB1gIb;P!
%0'gZ(%/jfn.ud3[(gjpVok=3q/Ymn_OL+eJIPss:+pZHK/H^i>`sN#G5J@Id#g_CMD"sA-b#n.("-!/!]Q\AH+t!8u6k>3f<CIV<
%$)T!Bg6@?dTOLB4S2PH.L5fA^^R>]jL+Tsf9#1![.oRHp6^,&VHs)!f#^XuE%?97FXfF?^`L&\?oT4@5>HA\/MZ6Eko3HiLog=)m
%3"R((Fn;lZc`)(ff`k0leLUF+bt8cI4jnh\QHdHQff&Cia+cn;\FcLFW6#\aZE0`;:,.-Y/fR@5>;:I=242UP((3["BE[dfCcnq"
%#=#P'_JEt(?*8(H3[JMP?L&au5\"HMk+>5J>2#;eIR??/VqJsONp)DpdWX5]h_[G"dgq1<LH+c$E!b,Y$`?ZI`pZ0YH!31_htEPd
%VIMnt?360<comu/*:Cd>nQ/gHVcjq8JhO\<\bs1YEcG\fFJfmr4C@OC2X)jb97#F7CKUOug3A)3C4P3\qL#r:eaf+Jo=hni#g$tA
%=6XDZQb^2mof+Pq4"d&p>[-G\EQ@M:Zbf<:QWtd)3a^S>HGqB)9eX8LIWoNmoPC9GbudVdhep?h)VYVU(9(6WJO/O%WnW3._VVWF
%e0K#4">QK\g)K]8[>S54Nc1AKN8q:<npf5)8[)=EhA2"gVUZ4j5W^673PX,bIf'O(j#QOl6bB*Yi7W9Zh8$7Dn$phGHpiSKKh1GW
%M%rI;8BL_fp*^s#inU2ZCSi%&[?="h_o5c*l?h(&\e$t4D(m4-Y)\WEb7^?d#gPiNiO\58GU=TIg%>uY^9-I7X5Y9_/lF",O"<N4
%(*:37Cg8ZD?IkV2<q'O`P$Z&M4?e*r1p"kV9=P9o?<W`,Jkh2^=[.q;<rB;hYg*,O,L),+@OYtod)H.Gbf5@8Ph8E,UrEj?[nAt#
%'t@"Xgpme3rBp?YAF:q7e`a[FP"Btg_(3"4jIq]B,&R$sl0+>,OpUuh>qYF.+b"K'l`!Bq`HrEAmY@ad)83#fSUrc8>.1na1W`C.
%44Q%\@6=?na<d:ED"pA-s1Mc2`f.%0OdBYJkd)"b=aFi#e`2[=<VY-7/sSR9r-u-.A]&lu,8"aC/9<07/po_mLe\P`f_13'.UXu5
%XF#_A$jJ9D,CEQIq1k1:=*JAq[%\%60(.t^L_\m/*S[-3Ze!qI6]%Gf&hl;A0L9m8S$Fh-M^#6jY\q"_;%-N-:slh#/Xu$mW*cGk
%JG)`V6/6Ef!\:Tf#.M=([.$"=*46nB=5:&/#-W\e(1QC5CDr,3\lNEQ^"E6UL,P1)/Y1BH7L2WD<*^)S>(CJd]hU1Z/?Fi%J(5:h
%alAqsYCBVcT_U;\[.M/a8BhA5SO#jFp/mgA1^\U8\f'B&=eT'-eO6Ir[$nn:M\<q<;!5f8j8.j/CNP1ZlF(g>hjb;aF->L,am4n"
%+IK9.E'\Gc)^KGWs6_i)2DOl>OZp6l5+bgr'[.$mo<&qt<pO#<*/tcNM:`R:#7>YKMl?/PiT\pTU2GmLET4&h%gFc!DV`]n)bJ$1
%L/SYZYLjPr;ZbUF^4[a"LMQalf+G;$X5"JkKeib8DnPg>4\H&bD2iI/X43T$8fnHKLMOYnc=dV([Rc,0[&I&N%D?+7F2e-@*N"si
%C;8ZH6`u79i4a[;6XEfL`Eb4AB86+WjGI8X7atq<QITLsYR^'-bZVLkkoqMZ3+ekhYT[(PQ6\XTB1U4/[N,h:9YVj1XfY?oC,;2s
%-roS(#pbnRqaDl<0t*.u-aU:4?.X<ld#I\n6in_VpQ:21L*W=i?.TY.XUV+L>r,H'j#L0SmKq=.5g(lko,]>gAdr7'>9n-i_ukP0
%k[fJj]66Ufn"PI'JoctLN>uD`H=lV+/%o9u'2>gQ+CYqn>(6g'dY^cP_-Y;NUCOL;M>`@ME<<Ulc9Tk<gQ(:2_j%JQ(KuQW`mA7P
%:#o#&i3Z)..Oc-f1<q-89mGWf:-EKn>#H)BV@S.'Te9)>26'U<CKj2ei00E/6fUA/MK.iNWJ$DrdRUWC2sp"1n&'04$p8kbR8^)R
%"th,>*UbiN30_:B#Qk`JfD_l8[=j.Np@4FZ+`m8>C;X(RnE`H"51?<Z5n'MuJaK.FNnj7bHLlooL<:7:`)TY"f,^F[DaI]/`B[Pm
%dR`SS;hPh.@1*h7JCrW7?&qY&.d[*:l/6PS%K*Y\DZjonE=?1S-"$Ihdp,;MMae,u"qi0\*dcmj-gK.Y\b#2lOq1R+j>q`K=[W9+
%o(J9b4i?M9,F1?UF]BOIZqs`98EBf.2RF2+kKOLs6Ye1:K#;K8G)Ds0:4.Bt\+>lj41#A*h'Y*5b?h`),7:-P@k91^&[J%eCicnl
%L,H,;F>1Ub?>7Of)r*BGa7@ct02g&&*q?HH9tChkh*JX^_+mPE]I&s>9goB)p=bRQ<gL,EBh_bhM[P'Y[1H.7D^F3,P=0Amm\&#V
%$bA$%Q\GaCV;meUL\@Qf>AQ=B6U<E[,RIFF)66_ZSV:)5YV._^A-LF"\Yc-UjET^eMAdJ\\sJtM<E_XhSNB9Vkn_E$e*(:E5n?8^
%"Y_p9K?^`il22-Z^NEJP'SW=DJ]3m$@-2M<\tgPTV1j&s<=Rssg2[P:HTm%q"gRbk33-#Y(SG@qL(1GXWYOVPD+D+>7lVjTka"YK
%6_:`VZKX28TY%$\oMAG;0I9ZiF*gkPe>V?aaC%&F2l1:%mN)Reg3Xb&@/ZNk&F7`oo<+u&%8a,0BnbCV\*));N^[P%0i<BDgbKl<
%4G&1GCS6aY`Wa8<6!GQ9(=:@WMIXdUL^4$qn#&FIntCC9hjetRkT/V!o+SDfrWNp0#0mor/;)dPd*o+H$k(*D8u1J&AP684CYXR.
%=Q2f[W<2$1r@j,M8u3<5@6=n5m!uogk+^q-]D"%$T>,Fr@;or%+*a%/.*q7MbE6[K79:TD44^K6fA0%:GD*kdR.ZWF%$W<QW%Kq.
%P?rAL["s$]H\Q#c)aupE;'(S]e^,mKd,&UF1KS-IqGMU@[qft9;mPVQ48R_/@I.PlR[j9>4>rS#/>VpN!klb;7s<bjJ::5!X=MI=
%l^V$>g%#mV3%#R;!6*9p*KKe4jh0DKiGh%9Yk#@HQknMZo$+<-]'K?DVJgZ;LGOP6FO8l?#T));jdUm1ePDR;kXI7nIX#0MPeHAc
%oNkQm2!.PL`]QgcE>kO^D?ha"bOETWC5aKXo;a\a1$EZ;O[SS2]l8UPb1eVb9E$6H7h)gr]#Q%ON%9)D_pB02UTPX5lZ'#"0/J0T
%BkiZ9k-_<<lA'>"4fsVPZ-@tHMP`g^SIQ]o"8X8`6H[(laR-)7,Pi==F@!*#4+U1HBa&B7%dObnQ6Sk6^HWp,_*>PjB9q0L^Hjd3
%C8o0:XYi)_8\5';%Fh`?l9W3.Af^3<_L7/gI>p-th3P)JLh'iNi)!TUS8C!l*-K*?)OH))*\luf45.`B/J09#?"k5I[p)c#[-8mV
%WBbm#5_WYk?ie#).a!pBJqI2O.rAG0"q7.93FG[d2q#0`;dmnIp@A]OC)Nh\;J`h-<2DS8<YhkP)^M6Tku"D@"]XC0'%Ii;DQ=Ks
%4R@pd)gJ4Hc3dl`"Q`F8@!/VO\,-COe^/IcjI3.b_uuaX8GhHE0>2>`8JXDURQP%/n0ZdHd[/7\9GW]$NU=C&[l\er#HoC8]`mX3
%3dEMr?'?9U1WFT@=Ns1g$Anu;:9t/BgF$rTgX&/nV%);_p$YCeg)q#:D.K\oFuZ^)P]kZ+XD350qNPB_g1[F!><N%)C0":,]e)l;
%DWS/FJaj4)/01-:1O-OlOMU(mF\-!VKVKAR/mkDh^"A?jM]nnS[&cjdc>sQRQK/>KC]\s`l5[p9IUl=DfXne3HC+1dZ/(^Gi,C=L
%[I1hVlE<V&"F#TYEQh[[Fs>lsr=]al>K!gnr]N4:0f!2HG$2oW[bA4a[1IZ)?B697(-%QbpRT76?;h)J]DE.(otKfP:El8E\F7;,
%[I.(4nF&^i1?f#[bC-M9d)"c#V.kiHm\Dh.#8OMIA4^*FIur@a#`T.+Ib4J6>c;fXUR?sddufsGP:s.\/BKF18CG4#TsUu>r0<J>
%QMhpNhXNRBH[#ZaAedV*]l"T@(X+H@1Rd5HqmE,3%t#XS[T`-.,iM`"lE5#:7^o[*Nl5W-2sbY8*e?6SW6'505ZP3+cB>:O4_jWH
%['O]T]*A^JIpVR-LG03g3r:XCLm$8X.3-G<43OZfd6$3Sce?L/]@!Cq1kKeYX-"6K^ma@^hH.T,NjY(aeEFX1=I\GT;LR4VR'H8i
%kCu$in?"&=>YuXD4IF^mkW9`L;.E]sm<Lt%/!YX_2(!URi\J_Ki4PU$ea4DIL']bM"%/_2F(Ff1,)gGd\9?!,%q8h]4X9*qki-#I
%o'uIl5BU.<>e;+,5H:N&kCB$`XYfM!pinU^Q040GN*g,\iLS78eC@5iZB5pT8JD1(.2QGYjO7-A[h^UUk1q4@#?-"EAsYBL8sKL#
%bOSdJ*tU)$ECDM7=6SS3\hoj`Bfg1ZnM>Q?;c&Q2Q;J^rW!#kg;<XH\,"a^o&rCeHlft$%oUMR^A040]pQTZf.kdn-WaJfQFfkh:
%JC'jQ#$-h<E9=TA,.gD'o`Wer[)Wi(OBru-qIQXa\O"^iFj#+ZY;pd(p'A471/])`;aO;;V%LX:,P*P^c<tJ,mkQig<;62u[qU;j
%!&o,e[dU;T^*Y$aae3*-@iNMIXWs6s):seJQl3D90Vn3*[;[':/?3&$37AcK'dSq>%Q/J\D<8$G9UV3Y)toNd@l10kA=g"8eM0LZ
%&\PJ^D6`R#4n-u["2RpjkJ1[m\>BnKEO@1*4:Rr,/927tZ,CY4YKUu35\3&?KVrXP)(s=F8!6g1YXQ)<K=;,f21:c%eic^u:0tab
%i]Oj6EPOU>Sa7NT/jfc9YgM"%$!]@9[B9Y7G7%DmdM@skLW=A(e85aY*U9O1ee.93!f!;5oXa^+YE:eE?mJ[@bm7@NahlD?(r@dU
%0pi!SCfeG\&Cf+nGT"u!Ep?JGp]Q$K:sk4\\]NYQhuRK&duD`X1ZX7BP%kQ`fp\r-iHgH6@mc6[n=X2S+u8ME^DS&ZQb*A3`!$+C
%oOS4C*ausL/!7E*(-`)i;TH]7B?62[_M6!p<YL!GCda=e977$2=7mC1ZZ$cn1/2D?_u_c:3g]mPR!`g55qn#qpUCh:9K'O')\K^d
%hl2[g\72rfnU?B'NJ7M"'=pm@R%3U&j7`f1$"6TX&N54X#nc$3kq"O@eoFUT&.II!k]hFVZrJHc4"]^EOK`U;T8FApY\,\U5rVq2
%CM_=DWni2HO:rTa63]>2*?S&&CNC*b?=GR>'cAibN;-f_Rk*X'ikAq+>677QSI[M)3LQ=F5.p>2#^^@5'mp^=/StNR9?-Q89MBE)
%cH'?=Nac?eAoD[/$>/fY4VYC4dY$du*T'B<e='r_)%/P#+Pk'3UMB&Vl:Q7bo_*2$Hj7V@O'uU!e@>"h%7:Bo[>hP"Oj\hoSc'O-
%R>u^m=X$o;j4b97KYM8W.W$,&.qC?]H%\&korN;E/iRfWQ7.OT]=@LEYcg-kTIKmeMQIn&lS8V&\.U6uF_,?9>'OpKJJ$CPOK+Ib
%Bo=YAoLf2FpRnD[-?kP/YGYUI1q<>ndtF6Ta"LeMY6&5s"A19m\Bs&b1Zhu*TM,KXh&JY6X%E(mbO-o#2&YO3+l[Ajl"@Iua=a$s
%SnkQ<fI3]C&mAr9-1LKlAV##KQ`FCGBNpI;S1iA+K]$maSV6YpN@[Za6i8rLLA5#/\Wu`Ga)AA+kmCmRT<%4*/,(!dTQA(t^uCYF
%RD=il%g+&X]u4,LL$YB$M[2r%A$9;#)-<*QhA4`U`s1DWX^<)7X.7JV5Rm%uX%^0(m2SC][CmHgi<.jR1b7:.R7IWp1j_u7S;8,*
%Qg^"c"9kj6=H),--CXI;'Y%aB8rIC\_7ak>FR:&<igKo#'^;HR#>E&V70G35=p#`;r#jg;KNg=sdTn_1c9I-,MIT;cce,gS+55t,
%&s'=+/p/&F?`A`bA)tQBM4n7/GgZsj@s01I-AF$?XO+O?KJ@M)oEI<.T+L([C\"pGf*>K+<4<GL]4cl*Aa8q31[A<T$<1IoQ/b9Q
%2A4u327hFLiKc,QD&!_bPTk!lfL[iggY(=<c3H6KM?OE'Dq8B!lbAec%%oq0>P48?mUcW7Y*#((SYtSZO0!5`CuOS0H]P>9E:r9G
%mRN_qHh'7">bZdDe!X*h)@=6NA6'%%(t^qQ7XHau,i]Y4Z1kaAf5,Ss:-3Z30DE$4CkT?_6+E\B,D)fXaoBfiVl_:H6N#'8RMG2P
%lj7W7%s91;5&)i"A_c7I<3&e[6cIUO,3O(XF9A$<+Z:VMXA9.oc"-/c2nm^rC0?0QF)H`?`BcFY[1<6t\R1TZ`sPN9.AX>CNI)#f
%)c>\o`(`_7NRIC7^1icTo_mujnH8p@Y2fN`CsA(.9TKS>(&ce))O8>1.=X+p6(bQe[78GO>J%9>LnK+6D5SrQA+_I'f=[Bf[iI*E
%h*9RLcZq>r,oc!D,5!5V'QN!@%%2IRS%3Di\Y(3/:b4:uoo/'-6'rCNUjfJNq3J,bppo40Bs&5qC7QM%!/4NSlc+JM35"+@?RoPW
%cYPBHj+1Kjmh!%DasHH\^bbFai1XX>N._ni_$PO!q)=Y4qZ$Qj;Bjj#$CWIa4]3ps&/4Y$=YNHejHO*6;*[KmCWj=="i1tJIN=6t
%k)e]XIkUC%qg!Z(8F@]_-k&mW_sIk=QtF&g6obqCFX^E:-Up#L^"IFC?=oHjeT)UIZ#ON*0^gW(gi,at)ZW<X@XCHeqD2-Z&3Lfg
%E5s$;eL6;2L7Y9bd)-,nPc_*lGF^u3Y"XP\$QH62G:O8H#YeMj:'1kQ[=oCMXMNQcU:YJr`>0XadtQ.OZ;Gcbmd\AR1(uU;U=Vd_
%lVdKtO00h=@aCVYp7V(2a,8@6EZX+aF>);n(b"umQKNC7%uO]KBgl`I5JQE%+Vn7/WUBYMMcBmu_4,WS;u#lOIfdMsHP(:gg<k9-
%J62,UqBjY0N/X2!=Hi@.F8&q6d&g]kD%rm)0Jj:tX@,f'=#G"oc3.DT7=\U#$-!chW1rh,N0@G%U]mqh6/`M01nK'q+\'YZq84Xc
%JBb-6MJ<)Q#"PDW,PPLh3q"r\G!i6l^C5)O(',n-Xr*Hqb>IfNf-6;*LU<\CJS"`UUU9g7YV:fU;,A24n=M#i0EVK,pCjL-(kq9f
%9q"m7XMN%e2r]'d1m-a]K<a/EK0rlupNU9^P<ks)e#n"U]!T*l(n/)l)&*Y;3SNATA!kYcVBEtH9Kt)CRDZ%B'Ve7/W3IBtU=2PI
%m(*e!Ueul".q<([3f?LOMn.ruUQA0B6sP89)3-uuNLXY#HGf5CHDCSfQ9E.l$D*L_Ea1o^^6,pmB>H(8-8NQ!fp3UFrRfVQd`==t
%X:F9`C\uA&E$h@6`SbS5"6"'#Ps$S\Oa:N<($HLaBWq':oE@AB1opE?>qB6k)ac<Wgm&.;5?:!@'g@%29[g<MRCVE89'kc$D)T(H
%jafa91!&fkI4L+!;F.WY\S(+i<h,U%6@YNtlBYfiTbp^7226af(lS(R&pG+V8f$Cu'Nn/)_S-1T1?2&E"6NaDDQLr\OJ(k6&/0N.
%?AM%[e<0RFI9-u!GQJ>LDQCb_\s9[]_AQcn0!>^md9PDrojlELXb3;=+i&o;P,?Ll-dK8%gTGuQF*9Z`@_Yp7O.o1F4##]Q[mkF)
%bOQ0mCj3Q'e0rRr^ls$('EO!qZ#]1hF"1qF[As`s%<7Aj83jM8,mT"`LGi%4WuR1&KY>ObM8m#jV2LMuWun%Vn'K=dK&4oc`'8/C
%IqDpH]uLZQk"=4,F<81H>a#Ca)e7^Ri\GD'K.GEuI714_gm%c9<_.Lt^^7H:!,^i;@8g"gh;<ZoK=5);BQL+4C1Z8Y?2TSWBj"ge
%>]OTK*YdX)qgi2QV\iB-_,SKf=Ceh%%6A@<71`k!;M8Y!T?&DS)-#bq%D+CRfILZp24QfHe5$pdpG9C,9=&0)o4;-/1ET18^c`+o
%%t^Y%]SUgE+,=jGEq_J4pPCVdSPO'hohU\0#Js)sg<=_X<$nV8]+DdWBT['dc,!/K%(C#al+!4k]CW%UkkZ&#:t[3l"/3@%"Rc/$
%l#aGi6gPq.!J4GM[J`]\d[GQ@IUtHC-/<*C;=^*1WWs;Yj'5'BUt^R^M`,N3RZooE7in/ta==SU!i?3-2!M9"BOZROdUfLmbW]`!
%&([O.fWi=S4kB$m.le"]LSHcHRf+!e+a4jqh8RiachF3W%>T^FM2qG,L7Kp@/:?(G@,>]oA,n-h<r'YQm5qe]rD>fGB,CJZ@G%Oc
%d'NP?_9j5b:$ua(CoNBp`)Cd=(2i9>'Uo!M*nI?>-B_Q]Q54&FgW6*LrV3@YgIJ1?;&C@R>QV3r2;uj5W`%Ul`sSqG1],cr';d+u
%QB9-HS,<'/"2[hI"/obL3Dh]/,Q2#>=0d<9[46D(%#PIdaW%oeD"F-LQ?HC4l3*Cu1*1okM^c!GnBC5F45IMV>=keCh\1iOk'9.o
%0WqMZMm?0m\<$'WQ5WoXZ^gJ.4i>EB7XM';:lF"Dod3pNnT[5JDndSVZu\2/9._ZHf$YGr+jqq52R_.;X$.)DZS[iWmFD%*M&R?l
%bO=)%Qrki>$D#bm'!Ch,ULr^k(B\`)-Q)3l/Cam?kV?CUm\9p'^Za;sc(u^B.E%s*)`h?W'uO?R3qOpJ=Q?dNDf30B'C9G!EM&ik
%Vkf7qC@9_k]EGuM77-pRC(XXp5i,OFl/VWj;(!Js*@#e'`epH`/pm$NXHK8FiDY7tVmPEBk"/b!USjW/8csN:2&EV):,CtE+i<q3
%?c\F(P6\0l<J>b+-`3OC.jGX*"90,?mTl=Q@qaSg\suL\b,#k/"LCUKn+E/Io?1\<>Pl`lbWtJ;oQAnn@.HnpA,n+tp;2D7CFppg
%P(9lD<a4W9`YJ,N2?1W!f]]a)G%S0Q:HB.OZ_j7$p7)RWR@^rA.$mA!<QF9;6[H.]Q:-:]iVi_+Zu'6&*c$ReTKP3F*AKmJe5tRf
%k"6T6*f-pX9E+AEq4\6`mF`jM7V_*8iA)l,/T&Q>TD'_+60>*)J_cB=5%jJ2='3t61m=MS=^;K-4-I1BQRu2Kgki(sCrVjia;mRQ
%T3!_91p"/P:u_-h_0-1BBmDm\Tm_Ko%aSo7Rj4<(+Mu9[G02kiPN)%)3Urc+VoibcDaCajO?au[!(n<l/RIT\\rsZSI34eG9M7YV
%`]BBH5dmi&+ieCH:uYs,q4=qf&-^"Z(@_#e#-H0t\^)52<!J`8A/T:P@jqVuI>TqjHK3+A[dW2.O#f;=.o>#<Q\].6m1]$KA.BfR
%!/@b\.EgKW)qphO,Im0J%Q'*'/pE"V8OKN@brd7Ac#3!]#=['P21#GG<a%g6R]%,l7+C[EQ*Dn@HSG0Pp7G/V]=^=$dF67E+aPHh
%pZT?LXVF+ukgLSEr!OARblY'biDLaBg\$h-M"aq:lp^`'J;t6j>2kIrq@H4rm)a91!Y`I4=:Ae#0Z))0J<PtF47?3o!bF[-'!I7X
%XX9"<K]6eNc(2LgM0tC1mjN%e3EtejaNZ/28R?@-`H!5dC+-e<<-4q+dR]\fC?1;>&Fhj;P8)5r^pXauSC%<OiT5[*6($uk'n/fa
%q20L5Y9<C4^>_m::0hhl4"G@6jl!Mk%60L!'J"AJiiH4_ZMU'!>Ja1UMhX3lk^uq^PFkh3a'9I)S]!6_O5'1g-+k]'`(hJ4EMY/C
%j+J&<B5j*aOWFk3Cp;Gf8.J7Nm-F.5p-Ub8cLn:-/BM.pq0V;3H,g8n@.hSf@H1W@W'[X_W=-ocM>CWmfnN!A*Jb3a,7?2`_-lTs
%pR)bM4'P;g>S]tC&!B_-H.E];fXpk!e7DT0CMt@(*Ploih>>nDG#*Tbl4\DN_H;t.pK13.X-o':EcAM])S@V:ZsB!FpQ5Y6fX;m:
%9;4E%'kE=*2c<QL+dP:'_ZIY/N4/-J*A.),j9*0m%YYV&q0IT><&S*)`I-bg@>"*=hglhRD#BJ+`j%bE?+Z7N8Gn7)AhQ07B4>NP
%jO^:@GBu"VI.4em5"!^L+3#)]1$r3ahdk/X(60!W>;h]>ctf?U_qZ<sib_TqWIO3L+K#l<P!WVQ^,rW8$KdTb8Yr)"rJ)eW3`?[I
%$jH<?%q@;/q4eo\b'7=?+u=i,AUDf@;o"t"Ee8!q7e*Db!T.'uR7b0.RN0`sHgcT@?2=T`^g?I%m:SJYM:qOB7=5/^r;q.??VQ%H
%L-4m]C@poh1=V'jU4jFj[oF"re@N(;&T$j[qg\V!c#MPT$\W[K=EI;0dtW)FF\mu.G0(VlET,uDQH#A#MOW>'e@@kig+t&:Y.OYM
%JT&-qfUXMnHMUVGBGf5S_PWYc^N6.Y&bf_VgQq)r$U&;#=JK!Za'6eNgTT(bNE<?E^;s<e'D8tH/JI!jbOmMU=CM_a/s`b'n3(9d
%.pqt8'P'+EHcO5B_R6\UB=4NF5fYsKaCQXGbc)Yc'OK(ZMAY=2jifsI]3lM;@%Q<Mk4EYpV/&gTS?;58>KLX>"P1J&eQ-<N4["h)
%1;A3gOM'R/9So(+g&c;jr+q0icV*sV8mQHfc`q%4dk>]f$K[XXgL:r,Rmfju"ak7bVj/AiMbH=rQ*R7:7X'u\'Ed`INPG9kao#lH
%;6hF2U9^qa&?.S`VbcDL)1WXc`!E>jNG>m>,:K4q#"[\$L14)3lIBRJ]3e@7$C^+tH6P4AlOGE5[00Ltn?p.KUra/<c-&><kP]5X
%<I=+r4=EIrdOTdHJr_-B=Agd_WOVA5\WbQYPdhu<1KkF8n%bV-<RnC0>^8MKhbhqk$<7k`V"S>.?'.[+e$3cHe)?UI/UD]G!$R<a
%ar##':N"-DN\\FQT6KDKV;o_o12OG3)&lkrN&tHdSID:Kfq1*IcBS';RHb;sa2cc1X(CQFb;&kf[o#(R"g7a=kT7u8n..S@30KWi
%'H@TSXb7NsrWMJ+PQYjDa9"p>)XO@>U`$q.c4i_T&+#bH&P+BN^C..jB4g:1_tF%8-h*p4;\^Ngb4maBm1[!r)d.r=dLfel)5ktV
%5Zh%f=R/Q^>PAH&,3']VV(>F,OD!C[!r/e@jN$).0>OuXQL29IIai4OFpdD(HhMTXXrL3@XZ!Jel[+r5G0n2OVl=Rs1Lg^9G>Vm$
%VK1R^_r]O@\H;E=jbtALjEXdIEI&+sSg(3@Wot^27h7u5;EYgtl4mqM.#BJ<FiY`nRIT6)\.,=t%Wl5'bj4:QI1H`WpP8)G_TN,W
%#Gc**?4=qO&&<kNl&fNr\V,p_[1jTUg<Fc:&&o=/asK"'`-(8E8oTQ4K7n*$DVn.kLZK3]Y0QH:6GG/ENp(1RYSt$b%`utS5jh!E
%&*XidIR4BSG+-g1P1.3g031)Sc;Gs,7Qj\:)XR[[1)1U$&Q[%1PI#fn9AQLNJ,;UsSkXgNJs!glH]E)<e^H^]%&Utng%B;tG$W`a
%o%4`(4`#BHLHQ'+RFL7?XDGh(S9:[Ra#L(73-(VP^n!S<[k3XIQAuHHbb[o>@_XE#j)BoXOE<_$=tBF&_a:70g=V^lJ[?WPZUF*O
%E+SnhZuh`Unq^BqPW/QYlHHhT'J,)MAHU+L$nJU4qRA,D?fIM"N--KBRLf;KZ1&+4@/u/[l.?KbnE2#Y>BKekFfsXt(P_h>YMJHp
%i1eMlM]0>eYFn#GG+ApB]'X7'C@WfZ5G\Yu^@Kp/j4u2OXR'.QIQgua$r6Tk1d5$rFrtp"f8[EJ,qG:-g:dUphXG9N>^D[#262>J
%(N>1^j4)9'P5nuHX-q5(6mB6qgJY4GYd]nV/gm_P&Wp$C\MF7k1c4dT++,ocnGQ<p^:1:;ioF<j_`)6!!_m;M?+Qo/PiZDc*a3bF
%3R\87\@)HTN*qu?f#ik!G;GTCc'+;qniFti-%bD8"0([pf@PBQ`!(Pm-*9HHcT^J(.si]Vm(S6(^kQO/0q4(.O.O.P1>i[Tm5b;1
%0]s'>I*&UfYAA:8:\q"`]+M]>#rGVb@ea+r/!dsT&@J]p2716(LYd&9\Z0i4T88Elm.Pl+]n6NCT'DcX,uJP#bHN>\>!A8<2?7:$
%_A*rT!?`7'!EiCb+Q,^hB^JFi$P9-'bQ^<GGUDbJJi!5kLZ,T;L4j/B5p0R1Bf,F+cFki&&)C':$lf2A(LQkGOH8l$Eb949ba@GI
%7>jM'ZC%/l!E%\T9Z-;Z<3(ptS.a?u<DlkZRqFD4#.Gs%K-WSl###]mTG`e/ci2@1^B8(f1PKBRj`/>_O#QC>+uAE6j,qc?CqKB8
%Du;PefcD,W=FgEblF]tb$!&KimG#qC<sh_t$+s_#%23U?WA?U_iOjVn,X-iDp:RWG(*#$YW$:R$QuT&<e:WRr@rL6#R@8g`f2`.0
%PTNGd=$,JcalHj9AVI0#@Mj_[.F`9Fg4`3sOGE>C\C`CeSB94tB;d[%qeec`qiZ%EYB<rr%UhrGc!s>+,*BH6jll;1G?7b#Fis@+
%(?GZZH^l5&cYa8#cjQYnK'(1t2$/)OOEn5C[SlP(NaK2p\bHc"A;/(>$JUjZh/FA6gJ6)e.k09YDCf.tYSNWnXOpBo93SMP+0'Vi
%)Kj"J^pGi%>P[iu',XSiBMYVpmA,8lfKn8sA7i%7')#+a=AaEZ9pJ2ho\Hs$pO4)'!7?&jd7R1um(rHHQIXT2J_AT%A3%UNpQ[TR
%ga)Oqmm*T5co2->8MKqG_W*Dn38KN>-+/=4g3WJ\?8[#'p)dQ('NuTme7crsRdlVf-VQ#.VQ!@fa.Bj*UO-kqS0H"u-AqFjZ0dd_
%B4d@u2VWGZHH_^]8%E)gMIY`d"[0l[UeO`A/h(\L0KeHq*A,leSekr#iXYFpLGE!E[=i+pSL`UJSnZ)5Gaa)M$)-cdi]O=WljI+)
%&K8]`E`gImQ#kg@+pk-)BtkX(br]!?9J%]I-/B#d7^dUq=&T*&MXOXt0gq`WL))]r2L4@s.h:R(#"(3()NR\=*4#iWW*lnGDaPsp
%*(in*a_$IED0f[s&HM3f1(0jF='R;&(V7/gb<R#DEYUW$GmqHRfcgmpD7m'>iJ6_H5T0_L@\7.^^aS@;>W@Up<n[,_fb'Y;JXj:4
%Sap+aX;kJs0j(;*fu"SD>5?/HQW<M"&I(j9)@uMqf#"bk^.rm!)J3Hi*8+Tn%QGJ;:$+sLR&Xkl7X?e5h.@)<<u98JZ-iU[7bH+f
%!9>nlV`bui!O.Pq*TZDm@SjB73h)j##o"h2gMn#R3T^u(:6G='^4JLo(V_AX<Q[KH^26Dr==>;_VNs(!<YYfXp,63AOLd(%N.h0j
%qshk8It4P,*&`?2ln9:]I"]N<.$^`o%,/odRUErqA\2Bq!_`nl9^YM+'3HOR0g7_>jY8seg`Z9$/:>Nknsc5&?N5#Aa<SH9.nKTX
%`bj[JhGN[P2*@`Z+T/:d4REXVTc^%IPQO6*";eE2?&Fsor.6UJ[+'\:*ZH<aVkoq>K/O&&SOhe%=a:sKi?(AHX\M/%CV41a<r5,n
%GdaO5E6a8YbAQsA;`V:;?ld5!17bg=72e1^B09%JI=l%LX3h%I3dO;Mku4P##'NZ&]=q/fR+YAr#J1l,T80T\7\3\/WROAhLB\HF
%=L3pF":5odAK<B]6)*;iQc<n:'&Fe2&^1Y]aK$B.Omq&'=O#94?YT+T`HH1L*2gtSmC3@<,$ENN`^]0kNmerU[NGDanP\(#=2de#
%!X=-dT-$oPoR#YJYn[L%V/ZhD91Ts76aC&Yq6@ESgKLtU'&'m=hJIt2I3hQD;Rmf6H"&"SANTJBlGbi>,DVQpO84,d0D,_JF_\QW
%)Ll%/i5Lb5dLUrrmGO+#0&EuHcl5C.:C0,VFj(QihHcmk,BAJU'#Sr-5&5M>+spYp:<(qX#lbhAe:J95,7clA8aY=F=:G;8Ta$E.
%3k"?U9S5L3Cr04^W#42N&_eAt=a>mbk%J().?Tp0X^W4HRYG&ZR52M:V%o5Lq4"Y,L`Y&OE]-;!Kn]%iSsSm\H8&fF7Sj_"Ug&'1
%a@^H]hQ1VoGib'jDPF[L-l(Y6Phe#LT3FB?@!u=m*-U[te$4,H&8!`['O*H.6F4\4q8N6`R*NKk%f<M<f\HJl(=/U*/u*hZG3FGK
%=+C&Frm+sOjq%La)]YnAr1DLJqQY_bN!A@LCqj9F7&f7D<Qo=+S\19P.)9<F`>8?O_C@9KP&Rbn$N7^VY,e1+O*?RLP=,umP=ZP#
%[lk!B*e]5oO2H-LJrQW(.M#u]oH]DAd1G1_D4ctfg\AJs``]R8=WY*H^&/Wue$UK"MQ0'?WEN`:6b7H<XG9\)_qIZP!h-!AVbV#D
%RQ3sjLJ4`1$j`,/M*ZYJB%`RXQ]*/E9W_SE\aJ8o:.d*H>+YCJ>Zm=Q!If5k_iS(ZIp$R/9.!;jCT[geM@FkH1HHWUc\QbV5A;0K
%^Z*OHN#"O`e^!nFZ%s.]'RTNHK&^?s0(kDF1cYm$?jFR2_AeHmO[W#FE<VL<7pJD';RI/.Lb,MufB>,'NUFr\%:Lus&0(#aG&W`2
%n8b:]r,H`)RLLED4rH1AP20&X41q]\;PI06*.nh-,:gH:GOaf9HPC1KCmI;*G97T*]Wo2P'pEhE;os!]]RlEEHh]&nC5np`ClH1M
%DlI:B+`%;o\0AjS`$"@p@8FU.*-n#-9Oe5RiBi%P27^C0=X%?0(^"Z1PdW@sOt[Tam%5[3N@,S-F/Z''UVJ7%]p1XpF](6MFtpmk
%9nK1C`PU;<Bo-3Dc$1UT4jqD0lEt0,9qtTfkUp>['\BFq26JsRd30(3gk^-uQoS.36;Zo[oa[QGZ<b6=W,Aa(VB8;FO)9pICaGA.
%r([V\hJ9et5_5Xnbqc35Y+=!r6T@8c#+G<ZgnI@-VZ#Vs&Qo7j(\Ck[BWkEVGn#Bak$(-1ipo,dP;G7N4DnuuOsX&nlm0Iadm3&-
%CVcj(>2<&FElh']Ke@8#h8JHd7\V!Hh2#="-b*V9[BCAAH)tA>;^gSBJJKAfCJLR@CSl3ZVc^/icrl`8RNj,hUPSeP>*7'U);^L^
%J'kMfDSTT<CPjYq>+q&5OeEVI@^]l;)`gAhE9#*,k9]Q3inJ?Y>$G,LlR[$egK\L;HbicO&gj.g5XUlUqRqhebqqKAGJum.eb8T/
%a+i:Z_O<`O%r6C.jA=5&LL?BE)0/uIaC]G$/T^)WS_/rPe-'2Sc:fK.c\@f`TV4.jJGVrd'>`i)$4*<D>)%/dP&EEfRV'Z608#Th
%_dg3]dp$;hERJ/:VX^)>g7-7WOa-U3#^XsE<6$3"iB`3X8J*.I"-pd$6q1;b$66m\'8M0NQSru"oUZ(1X#"7:G>c+N9-2!U-V&EB
%Y+[C]$#2(9&!+Q+hJUD4@X<CQ5\rN$[Ok-(ghSX<B[*b:GV*!5L3S<>Nkh/O*KGIj3Z0Fp=&De*k&h]f7m>RU5Z,]2;C!WY?o(*6
%EnrbQ7)q6=`=F)*[i^[]DNCWa=9Ho8E`ZPtiAa[]Wi59[Xp?`T,#<s?R6(;fVJlDFoQ!664a&#n3aO>]SCPo,qm*Q#@W*`_BWF,A
%_[bK7(LItDbFVRXC'<<h_g0l+D^QiEr9=(,.1HT7H4h(])0GG1MJQh+JDJb66g$D_2S%i_![(???fMu?TN+,LfYII/Yq1sl#F9Z.
%iA,)uq4lc(YhZrV*%UL_0T<i7Q28!8o%A5\/CNH_,J=[j2rt<6+uNCD(`PjJhgTT*$Apup56949hS!O0U18%Y/i[j#riW%c1_:Li
%?.HCF/[,f?Q+=V`n7%.6E9(laY@5DLg_mcZ,Np+CH3>=N<MmM!,U9G?H@<j3)Hl2\":`Y[Ma]]b1%/TgZ6,=i6V'RH%Fo[>AIsAs
%jtaR!NB2\d'!T<Ehj#To@Jres#tPu3TWg"ik7$YU$,6B!n3+KI2D)==OAq]mG:`oXVIo(g3L@R7ZmSb\W=iM@$P.m,kh7J<E<SM^
%[ZAI0drSA)/+3?Pj^W!7ok*7L9r!1+e7B2^H^3g(FtdGeb/;C5iFkQ&*d`5lUl!KiD;(EfC;=NO7X9X!73A=f?;VrI^UG"I#,M?p
%i7h$;?c1i2>:AkH:bI/5h!#teJM8E>>4dE;DJN3p]N&nEgkFZLeg'B/.+-H94;Onl'bTEP/'h2`"C4=bW]lVB:&9AR#_@sD`^k:B
%9fTUg7c].Q*I["BMBSs)01r=NDeCbX4KD[c/0PtQ:0$"A(.:]\R=]?A3?7.ea0E_oUu>/C:0?kSWMVk?!qn/9qe^8q9QR7hQkINM
%/_fDdIa;0]LL\G?O-3ZWWlHLTqfg83;`T#aN0h(&bp9r1)_oEhfO8BZ:$eN%f$7D?a0l*lO![#B]g%+GGD=rt0$FYWh+#-V$*G4i
%'..")2_V8qXg,kL>2',U^b&HR2M**pL=5i\-83)`/*?!h0%C817IR+c]bXfm=e3Tqi$<i$VnI$+2PS/`H)s`N>DV)a\qcJW'kAk3
%?M#]KDcGdm[bZ-5jM+HNqYuMY-8LI:74ips&,6/BSS#>'5Y[YQ@5An=.(c:0[V:Cc^+(ZP+EuEJ;td=FpH?_h2F7J-g8*%rCFUL/
%)3P&r<P-Ck81W6c6+62>Y"@SN@]4<#B?*VNXB_6M<hY.bG_S&VfFOsU\31,5LJGY0;A"XfNtOqP"pYsQQ^)%j>ahblkn4bNcb#`;
%)Y%F[YshdC73E:b0<8ZJYG^;Gdn%@J6]4aQYtQ)RV"aY^)*JC.V;?V]H*Xc,nm.)<7TVSX8q,m"Zb%B)$j2\sHl0SF"i>`(lYXP'
%cCH(-<s)5p;FCTh\"tF5(gn%t9sLe",5`2+iC##fNl(:oTn,k&=1%4,9b)J8QWo-0.;>Q@D*(\4.%%2')qDrK[#P]F/e`&gMX]n;
%Oea5\*`O^>Z$SkMV7QDn4tLDa(Ypu5E(TD`2^:;KT>F-5.MTG&T@cb#5$-jKd%Q>ip`+selg][nM^9F)0u.>-itYVGb$]gAR.m+0
%5Jl^T>hQba"V0Rh20)G3\En8=(c;p>e36nlZmhaj[Tca!S(\Sfff^2+oT0Zi>eqOs+fMYs@&uM$5*/A&Ns*`LXal[[8)l"D/u]I=
%GkS`$^78*(P^/Rc\F:sV.2FN$M^OqPmAF;")]NpZ\Rd[Y]N3Mkfs(BXVmtol'"m<;ESfVe+\>3['tJk>BV/8kG8eo8"i]l%ZsCbn
%UNlo(JH6YhDd8U3A!c^BPUas>gAh"!O(m/;F1&nqZIJiLeq,Q65sqa-`]]CM!KUq)08F3)d3.]N!%r!ljKat]Fp6D,62Tna-o=@o
%a9,Sb?%$e$7K+Ki<ZhXRXW>^s^aV(e3'+2Y5nR$\OZP781Sp]qD7[KcS_uEp.7k];Y'>?6@QjrFk&c87R9tp:LACTUZ1G<K<2IcJ
%#I>k2/i$dRj[NtG]*n=<.-^dO1Bqq)Wbdo#0/j/ac/=s7'p5I=#PVq*ZqbrL(T8lCn*O_2#338?#IO&MGi$"@lHeFjIQ*f_V+-p'
%F?SUI@LRF<nV$E\Q)jDMgK]UKUp-ics-q$'g1]ZSGh[72R7FuIc$?etS;K6(o/jCUpo:&<J8OmK;'%lQH3,tHT5asjb?QjJmIul4
%[7J/%p,sPr5iGmW<JC`i#)r'"9C`5FA8BIu&:*N&Wk'TKq!tScBcqT*a$>>@70n#fdGA-L%Rqfr#7O6qHs^M6,f^&l'B*N94RpMn
%E>W#n>J>XP<==:0%:rA9e@(#p=6%pq%3qh4`4AT2GuAsQ^H(Lj3:adGNYRX6`rR%+\I!*#/B^r&\S:5S9Bqh,Xmo-O;Gj(WD@X67
%]sb27H)Et8n@`5UU&<8UK7:sV*.65ZDI,l[A(^p4q8T?N*O+X_LU\C>3%4%&2+Ob_?1brSU7kF0E!V=CWh;Z3OP^.h@4!?U[2=WP
%I6V@UE[(Y"]?bY<^/9*>29&8=luf/K*J2+(F3rIT[[%I=EtPW=c73(28IZY^`b=1[J'dRg2QZ4S+K^gGm?MP?!#6$a3MWOWjNh@u
%eC`9+@jqKrd#oA1ej6=t#a0np=PMC=qF@P",em?C@Bc1><ZQ;Y,?MhHZ$+b'Nb6n8<P2?e=>V&$gq#MI?k=F2&Lkc&Met@NS*er#
%*Emh!+7#dSnNBSN&Te]*kp@cuJ+o#EcCL]=4fK[5^KuMq:NH\UI]@D`.R.?f5:o0`7\=BmeYe&e5dsWFE]D>_&qUD#`>Ju/Ph_Rd
%`ciT068\aR?e\%[RcK!Sh<Bg!IXm4l\5guoUH?_aU6Q.X//GD5IVseu\Ij\<3e378IimZeKE6ea'210kaP=cT%HYqHIsSP!X=L9I
%J9%C-*)@u>3`D28%%CUS\Q,<ab01hk:%J]13S#<^G^*";Q3]))C3DuN_jV+92^_+^a,8BqB2<bJ0"_OklDL;Yi:-@0f_-_4H:jf%
%V%pYh4W'#%>*=$a[]u?X?a(%!^''/G0>\_E0!H:-g=<`Ip;'bN2l<.?e$Mtk6us2a!f-p4\nqi:-W;*e08.k`:_.T*'K=ao>38;=
%3f\ok*UalqYr+LEaosNA)9RP)J\kS-*jlIr^3@WRj4HG/lGrT$H"tRo\:DI3\mc/./!0)]]H0^bC0b3'r%j^VV(6ot4rfJ#4Sj&q
%[##d8as1S57mn.um7s^R0N6pnZp"b!E%YE3_0L+I`3>gj!D9_J9IKH"2.KGY<7]@GTt#^@8On4[cJ38#$t:-Ej7Wn6h*cTH`@F"i
%gSK3oq#h#*-ne!X%aGuLj/.bY4Jt+&Wnr?G^:d1cm[5..b5WQ6;\fW?2\hBqb,+r9*Va@G!B4j:`C&>G=,!V()-]8?12,s/b0W+3
%i^`3GaF*bWQsJ@Aoh_^@TsBYgHUpJP0a+a=c;smPhb.]Ekm;7R7(e)o_54j*G]X>>/,iRC<dI\^IIfG%V:mlteQE6H/I+lY_makh
%Qq53!go==8pUDf$9]P-;!?Zn$ZCZ-JKc2*!:.J6*:(URQd\cku,!;3mC@5p>?u]Bb>ieQjh92dtWVN0RfZpN,bnV^-%/Zk5kZ,uD
%'#NYA*^UZ%kO,M+AQk+-a*S9Z.%r\0!TLZIVuBZ/(E<K$,,eg7"KS@?kTi*0?LrGnE/3<%aGoe30hs^2ZX%r]Zt`L4Tm/^Y^jIL=
%&]%KF<DM$T'rZ:gf+Z`HclXORp9ql35_<u=4K6ffO4TY?S2(ltolO.#`)(6b^fb--&fu0fPj>2K`&J*1m"+k_+o_5=_BcV<+)X"e
%`PN@*NWKF@LN0[R=]N1j#I=,bib>O]0o7%1PQ9Aj9,]H`Z&JfAh-AC[*^Fs!WKR\SC!Gi`aaATJf8!e,?rmTZ/g?G]$>a:>dA1',
%Y\Sc"W)aR*<PK^CZt[B<al[>M+0\Tp8L2`=(rZsCgg1^S^5t/5D;3T'kkT:ZQYMZ$XB6,nQA$hTh]hM)E*@>o\sQ%`Z>#Khm?Wn0
%ZG(apg=9QP^$ROKAbZ#^_GV9-]6^?G!ApOFn4idu&RrQgp&;Sa.]6#VGH1CJmG$K.[g-*J;t(>J'AHeo<aS-#FAP>T<;NNGW@=]`
%d?/%d83Q@1frS-eX:L>X!5?iZ[sZp5Pgr(/)t,$U@jGH*r+m3?>ga44P![tWQP.D#1a,mX*a#FoQ%s9&K#ar:n(4GhZCB?Si('_'
%BRr^Z[T*t`iEV7$Kh.=*Cm7fWB"M7X6$4/g5r,&ILgoQMTMBlm5!*eneP=Qb=dd5jePu$]rL0%/5-M233'5pM5=7(=QTB+2>P8h>
%E?gIlnV@I/UO$L$,8\_c'51`EP,q:FKUfGO\l4Fj/EBp.EET#.+W.%VACe`r5*UJb\rGBA2b`Go:C'm$*4^J$4lH]^,rbc*TaN,D
%Mi:for^mrJYiEOu_#.T=:kFu=8*WcMEATUY'nO_6^SWg`;%-J@\+%ZoCQP-9)d0"HJ;.aenI[UWM;dUAQ@uOlJ2,8nT_j!;c,Q!T
%k.?AHRM`=*Q"V=_FgS46fg7t.*eSd:Kn=-b;&o!Nn#F'7*YH,Wm"Qt']3f]d5Qf'WoZkKZ[8WIp#\`M9q]hJhEO^MtENCu8M(V<G
%$Ih`!#C6rjh_eJ,KT&<g-uPX]dA[o6#`=#uTE.t+XeqIVT:X:7oCs(DGe7b[3h4V[3S<^mGK#8*>'4U/T,r1^"P0Aj?K3fVTH2Cn
%P3P,mc@Xu[kR3#4Cr<uNJ?*G>qm+R'n.\I96Z,5B$Wk]8isIF%%dQ`l/Jur,jU_Q$YM@;mQ%NCf>n6XKlt[UTFL,O"Z"ATd='0M]
%03&'CH&(M4?.GUi'm;L>*B6lpoW&M!Gbo073dcM/SYQ8t8J`?:;7dBAO#Ed^+]j=1W0&.;fW4SEpZZ<SaE%8V].4O3T'F"lhCLY]
%k1i[K@bQi(BR42H?<o)cYbVNqY3]#6g8h*m`KIc$S=jE#hQ5`*WqFdrGTM4BV2rUj@:ih]M&(a*irn"Nck>bj3e?_8mIh+r",:da
%m3dBda^_rf<qQXs$^U$3^fho9pHs(Y@-u=GcJb[\@JFTi-[hngdX$.o+tUI_9$(L@L[NY:14VCP.YeTpgYphS_e+3Z%[DJGrhV/c
%:A<I(BXCg:lfYO7SZ$kFe')Rf7'OOOe2X"BQt5pu(S*H2`M@K"p8:n?@fCg*%Pq8t<0g]e;&dPd9T10s"pl'Cak-GuaW?c1cfGEu
%9s4mB-FB`%LL\l@!9C9YpQIP%1#N!]B")h,#'MjUE/?CRgcMr5%f.Jj.=N@r/uH)3)Gu5LVqhq&Hjg!r&8Su_Ga@"acKD7$UgP82
%4G<T5n)#-Im#F&d;Ya"CD+[mc4!0%Df-BcLH^9SJ<4s-,f8[&A&N:V1glKP$IFYXV>%6S\MaK?X0u@bWLp-PG>hgNZ7-c<?o*mea
%Yh6&NETC\RWEB]hE/!Q9#o_#2\/^jHK=D*!7pq1l3Qt0>=r^l`5YB:+Uca4<43=3cqp-G$P@]\3JTuME$2?R+a7YSUVYG)Qh<5@1
%>[s7)LpU#[ahkr5Wu)Aldc';"4NZ-/QO=SM;2EaQ9uL"a`#is>5<h4*R^-9"o,Tsi>4<j_kZ\qk[snQfWIM^Yo5YS,,3?"`qGgs(
%<H,>Yqk8#be8B<\+jM8f,0Run\F"/p7f$P"M+3N(J]E<fl5=!mI,M)5<r0@qEO;EWIs#"D'(/m+C(U+r2R\f'AmHY*RbE[X0]q&,
%h>Sab^h.a-Nh1&uC`'V>>pFMeNpkbshfb]$"g*Yq`R@:Qoakk/(/OUd:*/f=C#D0c$#n$uWBI$XE`tRR01;jEc!);nn<"D!c;^KX
%9L-)LAL.]'1$kMtCOlaA42GYFH^>m%H/4*-"m#>m_.i]RCFD'\>\h!Q*hUWD#cY$eccb;c+RIlmGZ4<D6aE`Smb5Q0T%U8Bc/VK.
%bQk2H+_-;!<!:sNP&,_Nc)i$^0FW&e;WRJKqQ`Rcc.i+@g]Pr"O_R<36uAme'[^:<*YSE%I5F&I,.L_'S]s:o(#4Nq=l=IdC7H3H
%^U)uOqKbV,WX"/F".;jrcB?`,#[#4%A@;:&BM$rK&hMQ';<T-kC/E"cjD$;i!W4s`7t-7E]^VHS9=Bo?,_VV:]@&Y,_c]3o5\bG;
%Y@bPahp7]2N?k\[G;lF;fkNtbaBKbS]fXpm??Fe<L.@5`D,T`)'I_kciGO"Lmp.D/RJ79CL3U+hS,TgU<VIM:o\,Xj#7$TZh\W&e
%d7?[IqrrN;8ObmV1#o6JT,U:,$f-^9bZN6kVEMP%lptV^5*OW7Uun,rMH2^A>"<a:5`9XW_MDfQo2`S-+Q.6U<H%ekU0O]bV%/HT
%?=CUrI9q,N5pZ$p=inK;:J0-T"*0RTQ$;tOjhU_u)A"13f3$F*&+IKOD'mYET=K@k[FAbLp;dbD6f1f0iA2e`AX*?RCZeP_QiY^U
%K<Nkj"OoKfFFWPt[[gL[`2t)*/eIKjg"A-`7T<I#];*t_j*(ZCBLROprDTeZl(m$+TK\+8i3S;_LOABMZKg``oWmo/dMTW]O>0`l
%2E"Gc;N,%9CLMLJ'<Dk[I:UIU!5LH,!KW</(;D8Xbm%]qOkeK!)I1n-P#iJFY,g;d'1(.K!rh[2+,NDMH2q`=_>lmVmOqqPS$qpt
%EB2J]mrXPnVag$B9Q2#le.GCK0Aufb@@*RaJ'jLi'@0^`RC'h*9jGM*dUTPK'?6Kn"srZW5c5&+(';&<>_#_'=cLAjKh6_cdrL!h
%atTBPGO<YoQ"&]('asdPWE8Q<Q?VV\@lMn\,*S`URZsNQ,'S[rO5_b@(AI'o9=+0#rHR\jNM#mil"b`Bs&T#2dMUdGFdM;A%-p=f
%:,QXh7`CEcd(!E6f(07GCX(ag-BVN51LoN!nIFj!_,]sf9@2C%jtn5RNchq7`.tPO(?*,nWU+dP\C_V,+=?hsASZdBEh@O+$$o3l
%!m(o&VW%#(JORjRLa^"'*mEj&GsL/d$19'"Q`NeOb!A@;Do+E5ap4na\(Ke[eVichR8JbG!$to2Z&/`!PEN!&@a%.?8UPS-.YeTk
%3\"RBkAd\Ag:p20==X].5V]M4(`XPF3,=YQe!L+)"Q@)L%HH[L*t`'B)O'd"c6!q\q&n0C24F9#a7eT^WML/"b%2:t;Rr=gq9CS@
%(Ki0$%$J/s?"5on0Pf[uEiek0'/(dfr+IW2ZGn4W3iRI:[Q6O*&+.JOmo%h*YW65QSWu6M$r7Q:,WpnmLg2n>O(Q#q@9`i[m\V%/
%!1VsOQV]Td+:.*PA^F#`pn%sr_n*k`i96sCi(BN@LYINl*N#TUQR[7^"^<I2?[8Ub#sYYuRmi?o,PEmnlD+q"E2agrF5-<`Dfqe`
%,]Sp_Haf(-a5Q;Ek`(p9WlMBf5(g0^Ui\bcL50U;9!l,mJ&,Oq2VI4qSR93VE,"hQ*7jRV`MI,DP^CI9j`.bN%pW-e\Ibm+ceqQE
%bXtb%.4[NA6WT[#R1Oc[Lqf7rP+2a7iK)o,oBEFNE[\i['_hD(g`Nl+8'puqm/Q7R8/L*t5b[oX3ZBKp7H4ieac@_KP@[>fg47\<
%9"_Y-8+8+&ijHK^G$&pSq@X*Zb7jpm!"@K3Yg84h^CnR_24LN!>qjbK1_+%6cc<:>^LeJj"gqt!Ys0q",+:](g=.QJnkCisbIWb8
%kM6?fp+@Uc4i^&%23cB\lC>j:/sEFiVeUU&<2\Vk7Ki'*3&:jU6&M/SSKCUb3s@4fJYMRC5-=Djn@MSY(meejcg?GXQl9jDNj(<;
%VYDASq.Bh%BobsrRFh'p"!tYT\Bo<sardfRIORsr$'LHF.Zj;0O3U;9^Uj%l9_>VI(Q%uo6159qgkHcnDMK`a$3BQ_\29H7=a19O
%&g\PqABNn5G:V_g&!DjBpSS5*Aulm(:A7]$]+Y&^B:aMWp0!LJM$^ECmO?"H1Z/LQPt2EnD!4[$L(#HbSsf8dD!$tj0IPbF2or:1
%fe+HiD@[`--]fo44nnmK,UGrs?(V"[.$Dj:4W=R?L;#0RNSAJo2Q"rt'^\='e]V4lLq*.WX+QE%D>'G^2_kOYi</!^Y3a8#[e_]^
%(j5]D0@uLa@d9Z`S/&Cuo/.5IWPoP2;s?2lVebNS\Ot,O-[rAD6SR+a6Ys6criLt#;1<(?RcMR-'#2""aXldCr<!>>3+(-`L!2J7
%Xe0TAkl?<t#M*7M0D`,;'M;bcHWC]DM#aI>Qht=VX/6DfVfo#$no7^fR\g-1B_qknEY2b"6ou+[o4fHd8HE2CFY[Qc_--CRN`BC?
%\2sKTkKm1%m+Ei"1*_PhN91*:TQ)3n6K\K\J=e)-Zp8Ed!n@.'T^2d36fNlOC_mfM(M76p&+cRSF7;o9eHF%J03o_dKcogFB:[T.
%q%%,/Q^8rB/k/BC;22,/lIiMV"QH@6c^me]4F>9>p+@iG?O'6;eM'3`-9YVf*R`O;VIPZ(^S)#TS%'S0a*lfmk;E&-8>*pfgB*pd
%@NIUO1(nFIc`=b][8Y$NVP_8!Zm]U>SKEtDd0QA6Z[?'0J"I6/K!eM3IR`_nZf)9$Z$@2A/'uuU+rC2ipc84B;Kd9;[>*4_@d<E*
%G:3>"RX7o^&iSglA!ko:N#p_d@6:W6bnS>%:n6Gs0ekJ9?WWP+*eo'fMjgXS28h6ppp21\"6Kmdjo]`tE[/U.m4pj80*IX1(#/<g
%9SoBsn4I5,:NNGIq!c`'Gn&69BLqNLCJ0d"BN=Y,ebkE"9Qru$@(ls"ZDk`65BWE@HU:;Cn]o7'4]Du:C0i*HP[uhg/%i*@oFN82
%`(2D`YJ>)/cAo9&X4J'`rSaiZA<537C^fXPdf)Eud4;VZGQh;!38I^6G)$Um\hc@,dj/<nV(+I[UIE-S?\)Au."cX[Rl_f$B(D(C
%W)23F,:J](A"139a4B97<5_umQtdpmf*Tru9?3YUiolAk7lgnD>Mm]AH!9$`%9t=hLu;ik+cD_\N$PC[42dKpm908WLaWnXS@X<T
%[R<eC_`+&N6[RCZ]n0f160$YP0L\gpW=Jb-7lJ9&#SWge+)XXha2DV<Q)2=0JDpI!Fad`tQ.UNP\%<L,otb&'Gli8O*G5V_0a6>Q
%_\:8mU;qi`R[l)Vh#A5:lt?O#&N`fB\&13:KDh#[D0p8,iI]*>HMFE[XQRUu=MM2lBb=o'3jFLdeEq4E2hD?6Veu^VQg5iV@n@$S
%n%.;5dY6eIa%.P^Zn#BrJts_Li<8!%5DIGtoG'oRT&JpDQ*p_!:ickng#:].UKLs$4q9*q/8/LI_eR<]/hp'^CN:.;*D)VUjj/(+
%'>YXn,D?FqR(_)^a4>;,$Ht/:W@h=_3V*t&4tH&.?o"&[:Guf*Q'(VkD+8dBmuOU==e$cm$c9c;&S8.+.()D7;P#pkAR-CI)7j%,
%*rL\[4V9-%>M\8ZJXg-<%Qu\`?gY(B/Za#k<#q#W:6uhsH'E(]o]AXMmDi^,nS:'/d#EJ!m@!Dc4@$1C(%$Ers"nU\7(IdtH*7oE
%M"Ru-c>cWVC;IGr)hf'fR*%Va+P*G1RAHJFJA+q-UUV>c99$.5:&sg(X>9?lH3oFCcMJ4G'dt/9\9JC-g0eqn/]fTXSl7,]G$AXZ
%)m+?c+$9).N9mI68+aZU7ot"Ph'p!cR0\:Hdlp+TITrZJESP=f:n*DT;q>e=;YJCHs4q\j\Y<c5i&V>,4+g]r'f>ooDuZKNYq;#J
%@4?d4R]csOE?-4kbPfB/Y]]r0jcV,3fF%HV]Zsl^o62QSMm^0nls6$iTP'Vjc?dNR:oNWl2NF'8.`EO#<3c4e0UQtRFumOb/<Q^k
%DkkO`E'f,j,t9p.\6MV/+lE)nck$1mKU4SE,J3ECp1fmkQ)br0mo/5k)AM3\:3oID,PZN;;\ntYD%L]+JKM_L5:8o=0^+&/ZA><b
%Bpq=?[4O<Y3XqM[,/q0_4cOh@^M8$j\UiT&e(B[BoN$KsIr]:-h0i'XUu*W[['naRCc;Y,.QDGR/g#r5,Z#.!h/VU7%12M88_C4u
%1et<B\?$[FQhdmV"`/I,6e\Mj`--j3m5Ne)il/Z$pGo5T5MiS._c-IdB\33ts73Ssm=504O+7&QYQ'-BpZk'DF,(H)n?DTbMnaVp
%ZN=Zge+o:@lW8M=dp73p+EssMBgTWH]\"lWFM1*T)Ag*%H#V.jASfh:3"ADN5K50:Qm2Q1oE^4Pqp%oWm3YXrTWiIc)lI@='%#\e
%XTnu3]#K$O1Jhq1^gOp]4NAn^(p`ZtN2m<b+SLD,MQ"HnJ@.aO`^9Q,ScWC5a-r/td2gk]%IDM1E6'>dG9W3735H<3_[hta[q>"H
%&?e-'1EP@K9:7p:*TFL5hD/U[Q[F^?X`MtCI)ZClXf=ah2hG8uF[`q4jAf1.^>]hoII-aE.cJos(kPffY3`Jl0Xt?M%X#`r\$%AA
%BFK3V_ViDre:ME2SrYpC/-i!sUNTRk$4d6`^.>rPS:Rs)$\rRAirNJ6W\_"p^?#k6TgO38->o*G$dVOk1uA*h,nmQXHlfP,k'(NL
%<3bo,H-0uu7$Dc8CG-&eON65`FG@$1l`I,/#sg2%IejgH)6h(WqV/g'jQM>Lc:ni!3#X+UI/<VG8fG?3b/\S8^Q/l?Zg!(Z/qU"b
%:@@X<QY]g&B4R!prSA)jnb2Do&c!,8H.9?)E(rO^K+ZUj\0Lq1YW].kqoh."$[b2fB$fO,56[f97`ELb"P1&!Zj?4?qDtMOA,3q]
%US<B?>"SqRfSCXjX:S@=e>K7s-o"[Pq+kAS(dCNS]2,gKEP*urO#,^I[t]gPQQXmRg,Uf[NCknIV3D?XAYVO?cS0/Jc2i,J)ZtgZ
%c+)9;W<#AY^c9o\+ADj6h@Ah9`fVQCES/N4WMm_<_3W`^28o=IiL.IB.Dec4+'e*W.020ndUX6A1R&b3WBHh/PjT'ZO!a-)5p9ab
%&1L%H`SPfaSDog-kT[+UNZD^?WucML%b*>mK<"KkcEQa(%sB#-[ne1$$"_6!H5q2_,)!Sf0lPs+BO[!YAt<>R<=#nVjZJU<+!9\r
%b3bs.WmV,OJDfblG[<hC"o3Ti6.25]g_,.HM0$6m5l4honGsqn,$68oN;(hcI42[BMA#KCVkDra5'T%:ghZ6>3McM3cASDA\a[;'
%b@AHeTJ,#Bq\^icYMc\J_O$C"LL?$GY>8#29WP[7bE>3n@c=uf4Tp&"-oJaje>hOC/,!FloT`&AX>*-4:>rP2Ms)D/=ntShk:jEB
%AbRVfN``>%Zp>X&&RhpI5up/@6a1j<Hg-/c9]q3U(!]HC;m/9i!49hSUF]ckO_#*M:Ts]G>5J*R_)uMlWl$o"6Yn$.h@f8tpBZq?
%&pp>W%'J_kA#E'>'#YGS]gY3)Kb,*QWEI]0_/tDh!P`k_1KJLf]6f[U#K*CF^g.PI=Gfnf`5KV"eft0H::1L8h$?fe3-ks6k0Ic0
%#)TA+TEk'L=5=rCBAS)m!,fjB!TUOm>SRZ*6k#qUnf*@g(bWiTqt4mh5n`S_P33>S*o9\uHK-@WGE(q/bV_2!$jO\DKi`js*c'n#
%R+;fMa4r'OlLO4@dk\B#O1\f%GB``Y%l"?m1q=gg7UMJtX)1dS5cS-ZM`!Y8i>S4@qp#uXl5.o^2Ur5dT">^h<kCC0>CF`8nog!k
%<3au`J7t_!5)#i7PT'e^j"85!Sqd1>:ZUsLI*I?VE3*sJ5)Dj\b/?9iGV*TUk@hd=,?!uBR7VRgm'uI!,_7q!kW^_3]u0q=B>n)@
%@R!cq=5;55/WDa/X]@T6:f;0l>V$aTg>IMa1PjVjF,DA#o)ie(FHpU.e(\SU"@nS?<WV*#MP3?X:*Goe<O2qnfBY>;RJPX.3?`n8
%BR(=uD3t$jKs1luO>91U$J:\t+l:@?KY38I,5Pm?!IN^GMUf("Pt2\*XB'6I(MT(QMWlHXlp['&I*Qg%@&IE@IFFH;s'cVEgF1$X
%.j;Th&8eqFZ"MERhIA^_<!=h%OL"CcZ0[lRNOXk=_sQDX]tB5\a:LPFVM4&;&-)@N<sHQDP=P><GAe[deL<+$14_bXN#%sCF8-rR
%UpB*\H7kpkQ:eS8:K!jCk4bEa:CK]K.YDS#:*I%%D+9^urk?a6M),^`g([\8>f,_$a[@I?hVV`X6Nfhig![G(I9:YVTjr_NR^QEG
%4aVS(d;T_SIJe2n07lNV3@8c4LA`HW]Gt8Ckb:G\+:*n^TTI4bdN"TYcN'djkL@?!_Lc@c%OXCfPBWWCZ7dC1/Mdlc&H9@V"cH8@
%K!3F3d?Wt\,IQf^\W9nVY0Y_\^;F?eg;4F-8uU`'W-RG2DYndP,%#1.fX2g<?^'QO4+,deR:drDiZZ$/nX8E7,<6TiZ$H<ShQ7-f
%@5d_CVhiWC@P'=D^J9X!9@:aH\#6/L.>"B8@!XEgYC*3_Rj'N.?025;j1\O."aF5^=QPQ+I0@7#84ZLNV-^0*n[`3;/iuO*N45I>
%i'?h)[W\V<Gm;hRpjic<]1VHXdnO(89uA)EkFo'G;l%\W^+cur3/%cmfm,Ni[c1tOoOuC32`-,[Z&3-hm+B(DUC1LVFKYjJ#Zi3R
%-\VFBX*Ms8!1O^N]q0\)`%!F2RK?:tjM]%\#F0qC2F9hdb40b7'u(_=>qCK8EA]Gl)N>ZFpC"U^&jc1qpp'N*5\3MghZBflaMb-Q
%deB]mH@"K5Tj+ReB=8Wj^.7ZY-Ga3L\IRO=Ka8eq$22M3aBJDR50V38OMTKQo%XE.-D/R6XZEJp"W=o6Et#G?@p=2C+;bf+k]GW8
%<s+j@0sP*%P'P5LoK7ga$$Kl0aWI5E`a,L-?FIBC^4t_^"n"`/E'PkIg<@RK7&kIC;W*#9iGH'YpRMb9eGpaVOS12=Fn*K'*h-BV
%q3)*W,qgMj/kY]T[ZSDa4bGNkB$7Z)1f)QJ+f&^5I7YUY]KE2Ad_fJgObbfG!\U)E)&TP&Hc65!/%k9S7[/rD/e!K4G`Z>2QBb*K
%_>A_[i;_B`<Hbj[eeR'#-2I7-Oq_h[#(#/u$#LL)cK-sj(:@[8h"/@HKCr!Eb^3P'`f:@30Xmo\Idf>nb+R=R*RdaHBn_SXcQGD/
%Pp0['=I*g%:I'kO\=3`l%(,H.F6)-W%b#tO\eVHHW5=AJ(F;ZVAX']^I21`UP"":6_VVe'&Q`Mi?LoC1gWC0W^^%eBie'+sNiiKq
%3!Ou#LYs\>PUA#5q6Sk5"MKsUK6;AI/&0?r[Ff]:L<bi5!pJ@bi4,,>=5\-@[ZZ),:]_]&I[fLEJ.1(a2D;V/*`#3aa'N,T0t2ae
%k0.8s):[`(i!afGQ7\@<6&36>\fZAk[BKdrM-'gt<B;>&eHeH8)XZRp_CT#8MValFM>KiW?JUI]3BO#iC-B<6L**!CS=UrB`$B<"
%p2(<ibLQ:D6G2J1!kH2baoR<"dApMJL*'<NLdC&<gT,B1E^%MKD.H8m1O(RFGKD)B"hJji9$8A9oA+\AHIq33P#O^3=WCsLn=5)o
%6k#D']*.2TV$t[2_p;<5BUH+mM_+J9i.Fk_=q_]MW%KHj13F>dr-WU3,!S,dQmp`\4ljpLmZeg=PN>:h7W'A+`V=S9/mDi!-D/JB
%cjW.,?@Fn%Z+B+!*<`kmm_YL1>Q&^d\GE/%\JZ5m4WBojAb/K?&GOi&YW0`faIF#3e\D=hGZlaXU_7X$Su,N\,YTW5giff_ZQjWf
%G-Vqip]0rtFX4Y?cSfVTp[8_J34im]0;1$XW$Be,hANsH>.5Rs!5>dtS])eZC8'WnDn?+\['Q%3e<-p-eMoq&W"M6IB<GLXB^D?7
%\.,1@YLC!g<nS]IT%2D(ACp\CWYI[/[8.EeAtdbRdmpW3Y0$Cm1[e_40J(>]AEEFY5^]Nk`cD)#8K+^)k+-"(VJfKk+.LH<QtnRt
%qnM7?VCCP,QBg2S.i#+uJo>),]Z'KNhWpjgd=^D/]iNOE[=Kl<B%STVG.(:J@"48%nUd*,W1ZtO[otXrMVI9_#hk($%e0MQj4mA)
%57oREf#K,mIA($=\%'gn`>\IGgsou1rjA'D'aZXVB^>\@c?Zb-?/tWQ]sB(Z?/+lj\`m[nNpZ)H?Bo4P_A+sgH0k:[9gMti#Xg[G
%iOFZ'QJM`+""*Ier$O;(#55[b$:oN<cT*A/*Da;(iQLY_XA!cARN#J`*6Nb]I3BNu,];fSh:@93;@A_JTL<iT9<6+@TWieV(0[O)
%(4NBEeLfI#hW/a4*H!hN8^m!WPU*A`X"4F4(N9WX2?Wgc/lXhE+nZ13"Q`]R.A:@5Z1B_L2b6uN2>))uKBk]B+5<MQmV*>'fOn=N
%:+^,43:/6$PfLd2dU%bhS8m[?HLG@jMUJMN4'K'KaiqR,2m$&-2lmZ[3F&Pn0cLlmKan4&&(#_L^g(a)RU(8NJ4\d^H;1<U^bugS
%i"?-8E5dg>GH]Rs);G+[Pj7fget]-aN79\h4%KmR;$9CufHb6V5"3%jU5ep1.%SEmMc,P$CItr>SgGAfcuNFJ4`4cAGHNS(Xf8_V
%g78[qLK^p&/g'c>K-TdQ^1%cS-#]9K:qCa-5Ne;jc;^ht)g>1X:!M:_rjkY.@Y9Ma4:^<P+5B5i5Y^R(=&P`Z>:ui;Im(<SkKcYB
%0<?or'(V@u(Q&@2J&uuRVs)+BEY%k,9*>iK.ng=uEeVeMmR([\;6@49i`0Ur^p#<QeU+_.I'7GN;q0Q=LY=55@a%jXSUI[ZFSfe^
%!F)25*`:s:/8M[nN_!D!BSL%.U7G(W+*W0iEq8ba]:\"OTg><%N]6JjB<jauqFmZ\e2m6f+mn*,&OR=9rA9X;-f9/iGIAa/nm1!9
%pG3WFK?I"E/qbm#rj=$Dr0!aIrr$Lj7:tS#C-0_i,>mXNJX#:]=7EeAcb.<6ju&$m>+(]+^Yf1];m[<^k&LkPZ"46"W:IGR.ADn/
%d[mq!>"\_.=t9l]U34S]5#)]\%X_omkFJicm-W%sSAK/9FkgU#^=I$>al8Shi\YZ3dI-@/EU_,b"SM?$H"eT\*`p1,T"Y:a#WdOh
%m5Q$WD3GL-%BoX+^fWnBY%8![PLll%%j:YgfDTjkd@1kN?h8l$`GUgjCN@L<8TC/FJQ.hS!9V@BVtF(9NdVlJlcT?p%'Ehtd<ca6
%G9=Bp;Hm\q$OP.JXd*:?5H9h_me9P>*Q_o02()D^]\2\T]BKJu1N]tggjQbV[i_%`K$hu'IiV90r`_o8@+inq5;JSF^JHaMVj7ns
%G\A;cj6LcNnPT/<:eU0OTN*_`O9'Jeps`$K]hoi["a&dk?TB@)(bBN>kVP6/<Y8SoTUQ[6)fb]gF"b3ID@[Vj=,:6Y:V^:RL@pq'
%EJE\[^e8k^hkSf8j4@5r8m6\s.kUD[iXC$SBic)pBU5MUNK$OO)B_aV)E'bFZ4gom./qhDD6LTICM7Z"E818lM:&mgGY!u^Bd#t9
%Se(&m4%al3/342sFt!T)m4a,Bp<H%E)`&Lir>%j1GpifBaL<W&O&`T3>L1)IE$^YIk,;i7>0(<qd6t<NQ.cP*#D^jP'Xr`Q?9p5d
%,Pq,Kjj@SK_>=us)=PtYn>k[D^bSX[d.pf$nI*l9ZEfasQ\SP:"ho>gMQn2uhX`5`TlR'&G-A&D9JOun$]cHG%i$[eU)-*96itXe
%"9nS`5Z^?S*ET[uNEinHI\S$?fsL*5`'^S/1cG#:B8Kd=(@#dP"**o>[tc#<hr4,tgieE1bFp',Sa)&2;4]trA_D2#/LSQ(BU-@p
%3^>=`bh57&f]WhT7Ft\IR"XArT^."J#q(_2=@\JHG._9VkkfLnmZOJZmq)><P?6QL:"e=28Pr4,_7:Q(IKqf2Ci>hQG554lIL9l/
%AOgms-p.cd'$2%fUKH(5Vs;T72cF\r]j)kKc*(lsHEp=@#Y^jZI\>i/RS$d/K`pV"Yp>E$a2bYoG$?Fq]&=3$6G;'?8WsthJU@4q
%O7>3K#a,">O4-3C]fd9b]uE!j!)CAn'Kq6dpgE:Eml%kA[*g&?5L(/%G!7\G7;uHq1=uL^&=cA5I>X19k);ctGT]@lr(Q'h#'Y=q
%hp16i9pUi1bB9=9E5dP4YN8LAA[_?!j2IaPlbQJPbX1[Fkqb.,"aF\Go+!PF-ZNR]>`$DT?nc,)f[]a>hpQIMr^SgO27+MI[t7A-
%jQsK2X5j$EMepqI8BCF8n%eD\oJ`Y/<`>hirl0ECgU>^o)8m.eMh7B3cZ'P.Wp'*uJ+,s%Q`]iUV?*Snb#gKqE#"_hM79!/b%Rf^
%=Dj@dAlI4k/qs];gkt%$p>Zk=*%Fh=Q^Z42[O8AB/J^KpSenrYGj5_*HWV7&-]._D2,"]Z9YPT6CAW<f>A1!V6/#UI>`nD9hb,]K
%]8*a;n;P9>$4Gpk,*uM:#L,Va'dfEJ&f/4J5*Koi^,Sli!I/7VIDdo0KlTTekj'<H1^QCObp(kP3X%?T2G)j0R6^/d4cQ+-g,iZI
%^2<0=q?#$%[lhWcHUl2?b=@U)hV[#dgTu;EW\5mgD"muN<:PN<=r\QN^fKk@96cH7$>bmG%N-4Y(*pX-!p_n$fOH6!Ocf@RONq"j
%EJ>D#kcX&#+Sa*g8Bm74EL^($2%YM^jnO%Al[(oG7=<`oNK+%pWJ;#=YFmgiB^OTg[4SgO*j+PDd:0J`*n6@r7`Y)@.2'D,SD1mP
%/:L:7hA'XI>uVfP4@N)q3`PINV/glOf^4\0k\HiM[g%o\oY)K2(8n*c[a7UA`IQTk(o@fZe$B8B)F5h!+Sa"qYQJC%':DFT]^%'Q
%gmNtE9".a$HaLg^Lr"ZRS>e-Y80h(JO&*;,dPc6nk>_q?+^<S`4Z@g,0AcK#/G^+jEZRd'poI>iN*m%>%0Uf(L3%%HXt^t82qbLQ
%YYnOg+.aYg]Rntq]<+1,X9WG#pq1`e1&S9W#p<uLF:@LK%Fdr5rGdSD1tjdhgr"i9-15_Dr3ePB)W=D=rXRKtC4)[(%S$1&2,=@-
%1l:.+PGpiA8D@3CXims;F3Q+J`I!SN>b@^D695;"&$[1XIA2UnN1r,,-m@$(IRc,7`Zs6E4&FBeD'S(R+?LJ;^8kos]PZn'-c[LY
%i.EP##dD7CWnf<c#')WPNPLe/78eJE=g&?BQSe>c2aqD.c<uQe%)GcR6P.VF/tsq!30pMI&I_tpIiAr3pL)k/P@XuI;S?EN&uGaA
%N;8jb$F2XNY:_i`f4b@0@)PIV9=lb:]L1:P(K_L.]H]%8%3&J<q@+Z79-PdJU#LXnZ6,X_WK`%?W5Z36%NA@"Bum9_A`C2s[2"Yk
%moK&J[r\pJ=#ViC?RVHr:d%Ycf=B)1'%!4a!VKq13mR\R-JHPC*4`h3mF@iSQ6c4&5Kr2e*R+-(E%KGt)?ur5,L-g2N,U&t%n!?Y
%2Yt6s`W#,RRF8QkLtHIIJ""Br@)FU;g/;\QgZ83$FbH6TXUj3OMs])7crIDD3Bg=1gM)h(\?&6'b]82n=C"9f?J1&Wh[dDF3`Ygm
%hja)&I!;/IM2>aT,:Et=b?rD]d'J\6Pea0Mk.#j33'CAfP2M\Md+"/6r#4\<<?IcA41)urYV1:BMg=`Dil;Z$G(pB;OtE+(;1u.K
%_&VSj&8:hQ's_9J#%fWn:$,GC(;47>;7,C\QX)%r?V9`\-$\lWG\>ocN?5nt?KPatr!V-Spd**ZP=um7$bkc:l<9)5n.TsWY9lt[
%LVWHC4B46<Eb`"2DR2J59!@X0%Yk\S&l4hY5bDYEG$UR:ll*dAAFSO.LJCt4qfQUj2<%A.cq*_/RV**(I%\T`X_1r2%YoZ/cqn"+
%15%3UQ%bOC$(%*">\i!CfV7KrZ:d_kIJ=1g)g;jAB!=K]iO4Z5lc^j2"n^fIPS?Aj%Mrh;-(Z,'Sl'`Yi!\@q-:d4.Ak=K$(+#96
%'qtbj9(f-3Xs6s!JiSI%[\3+#6g"2r@%.r(`Xur7?h8p'DJc=Ok2"9M#]pBQg:1#!Mp;#&>p')9+E9[V*@]Kg<g8$skjJ'-@7KbY
%S'b_OgVRAHo!%8:NORUM^>p*5aQJjW4lc*>@m7pL6cbV6oDh$.4u1a;I&qX9GM7(F(at7:n[:U<;;1_X7\VTif6i?9$h"cj!B"+6
%&)4+okB6;":.7\^D<_,[D"m7:mM>]IA'#%M?rTjf7pu/)X*\)4[)Oa,j,qr7QIj`[`tEF8!YA%4dA#()00(?R'V[:/4PG7b-/WB.
%r1r9,GQ:j-r193'*;8PTl?M0F:e#6q,3Ck+d,jgH.XEsX1F-C3;JQn5buebcd'pVMY2PZ8p]KoKE$pffAqBJD,HU;$lMGRY=(^Ti
%YOjraX*BJeNF.&Sc\Jp@0a<O4>)Bt*>^-FCPgWGrV1G(?"(VSQDR"#k4))M]9sMHrp)j(@A\VKl(,JsXB)=^uj@C)aSYJYGRAW]C
%JXTIB!%pppOV03d@M(@'EHU#C=<aNXDju''hqs719`eEB/Wq%An(7I[GZ+H)DGLP(iLh@l,-=<=+*8p(<k$D'/QY/CF2Wn6f(@\X
%L2FP@p3nJQn0M\5QZp\&:Tb8>\.6T'B3X&#JPB2U?eN?h#Pu;AdY806_*]u7&IcM4;g]"QLFXrTE#"^.MOa9seGR9:;\.mo"jsOf
%^e>u$H]S\kkH@fkW_VM`E1D.3*pV.ZJet%Vd>sm=DG0]/?a6ar:/UtbB2>?5Fk^8d:P`CcV*Fh?c7(;*EbA<6K$D,D`1%%]No3#/
%*;i(L55f=mH6IKIe)7IB(-hWb]S(eXWRIXoM$,ji0;VKu74fDTTUaHu3ZO3oGZ<eSV;52/8j[JIA=B)SJ[J93S+i%V^#%9*kVns>
%B'ICiqhJOpZjn/t"dqmeW:P,/"O2/ZkBV?p`ZEb&hG^U14*l*PMkAa4TRsJ(0J!rT,Ik17cfX2KI=KpF5MZd"/TBXCr2qID@`.%d
%oRHVRIb`Sui2s+=?2AZ#&.n#*rq-'FK>-u/mdmam>4SBph@@tLl1%-0nJKAZO;]4O3^B-!TGS(Pf6r-ZYsT,?kXKXb4dq[ki#HLE
%q7P5`%<f3E"]P0`&#'dBJk=.QGEUKXPd)H#D>3W9icemJ(6\@sf#n?)hAca-4hZGirLTqV`qMO=gKY\tK?NEmrm0M:3P&7cMBA5U
%.,fLYaIRB=1.^U90C@Oimr5<T1-R&Hi)TQ%SCZWg3^fZd;FXCT<V#?:'pR;b0;;^r8+pSZs(bBX)q(k]0J/\gZcD%^@8%4b./is'
%>'#UN;O0$I0:eFN2o"jJ5$hV.g*<R_q%*EoHA1fs$jsk]Tb";L,kZ>k:Qu;9`>qZK!J#%4rR0I75rgZ^c7'2'A7n?mXKkW?qW11D
%,fLqZ`bq/W93B_Y.Sm\4FEEN5ClsiLpQFO$3:S-pNU#M$2\Mo&DtO=;Zg5C3[783oD)N/^j`ZK%?U!qlVs:.kAVHR[(fcK:`TYc"
%7Wc(Feji36;%ee`f>l^#5YYA,Xm:(S!#ONBl\_>-$d\I5P>_-BFGF1KmX=<gG^"YANHM5\'#A2Qf906/5N7;PI2Y:8Zi7%[L/6V,
%SP=CfU\C3!Ls==6R3Ak0q'aH3N/-?Jo'@TIE)%RhN37SPUUjsVc">6JF_t>GZ1B4$Fn5')RJsVL<O3(Up3s*f*6dn+:T@uJ.AnLF
%M*qQiP*ks`I&'=VVpoQ%N\:Hei$mH=.)[c&9L%ckqla[s?9eI6J,T7oqYB%Hj^6oscgQAYqN$.$kMQ=<ci4M4:k/K@LVJ=RTDlge
%rU#+3q@=Wos)5[JVgnR1++O=*rprAQmN6oXg]-dSJ,FNjprD:il*l.i*5A>-qA2-chu+)#s8.<?Vm$-Z&&6SCs/Y&Va+*lt,6-eT
%qM5+GJ,RQ/rq,+GFT)-(YQ+LSJ,/?$ItC_d-*bpgs80:?Gm430Vi*`o"o>2[>g&4N0.;^jNr9\=;lua.a0NJXl%=$Ap%/4]qT&X7
%$N8/omH=N2kC<M]>X/6O^A)Ut@BY*<A<sr%869I\>*DCl7)O>L\l3YG8k5*o<iGcH0"ae6^rSI-fTPPSZ4O65p&egI9G?7*K$:j&
%M%'?m]8D%Si.&$Y7u;n.7T\jCD"8.Ibs"n@kN?`fjhBB^C0FR[^$#IK7570mrFW%m+:dW[IV0J&+J(]uG>=W<qmV!;<jZej\IX`D
%8g=PkY?B%mpD+]X:!$JX7g3iUWThG*qsiXZrU_32PKLT=3TKKc\KeP!aqa$_YPH$#,+[%ZcXA?:f]]ZId^N!0:\e!^f`oB!+F?Y-
%9<jHL]pHaU/WXDe<l:?sI^#Wp+M1Sfk#UO6j+EaAUi*[*WW3crJ=*1A9S8"S#kgBQo7PnSAOlH&.D\YQ[Cd@tf`#9jgO,&=L<$XL
%OR$WR*@)ch3ZDU2UW#+D&]9PFG"'$O@5\[B17+8O*j[Hs[>',@&mV4#h<&GH"#,GS#;*TOn:>+@fdp*??Uo;Fdd-,n$Wk"MP<FBT
%IO`+^A*bEiNUP[(W*QV+Gdgg9mdnK^K+'TJAGejo!PC1656%o1J$Dt/dmF$.i4A6pJO^p-)BX__Ms7AA0V5PAOtt6!r8brShDeIB
%ciK$N.g=e[HX=,Dn0g?M2N%@[C:Q8K7C'dl@KT-[\VQio()5kkqcCe%qLn.p1b!WH7L8cOa:SA_hmcpO7hUW%34`hNoP/j6K6+Y&
%EIfe2+l.ke_1)=$W>E6g.e3C,A;Rd-[AjH)'SoO9F\0sW4l8g+E8rlp^%!nX<Hfjq."R:GC#$>tBH]1,M98DVda_f=ihD9obC3kp
%Hrl@!?Yt,[f3eRJO2(XCfmD2HbHA-U2##W]V,tu>RKHGG5QiR)I=kiL<Bs+Q&qY\%(a1?BPY%O^$7;$'"sP1<P70JU!f/g4<3@@:
%0]^XfG\iCmX+D@L1(Y08_$1--jR0L&hDs3EqnjhKN;MYt*/)PH^U_p#CT]\Tk'<T^RVPsuFlbK-CISZa,HEc[<XWnD[St.e+Yn7n
%l?;Gq4[+J[:o:H0SKT<K$5n<m3R`Y6#uq;<3!HplQ@TfUFO_hj74JX/Zj#!5qFh'h!iZ=O!l'_&ki:Q8p*1L6IoLj%bZ`1JJ.ECI
%/EffO+YK)<RY"Sf+%AQ@6NBd@""A#h@+iQ]Z5TKkA-h;81aqXc>g.lR."`ei<^8\!&6J0G9]<ts`DItT%/>1gFRWTN_FA%?)b;;;
%9.B%]TOUf8957..I(+=(nIg&T^Y@cRY#20+Xo@cm.3_Br_#R_OA-en5\]U$*:-r1-NC+>MHj";e<Q"lQ!_j7o&\PNO]G^>*or@^k
%L12s0P_tqS2bThhIA@:W1>do!!+%_@.t]UZj!KY'U8lhHc2)8@$/c#@muScaRLpZ7JD-8!Q$F&S#qEJW0L![AU>h\2F@N!uK<,nP
%b0G8+WNj9o:hbeuF0Rg"@R?ckU17LcHc8AZ.;VB9Af8D&L\Tp]C-!.G/)t5C)IiNBGK_mV"X/62.\iZKAR&m15a4.Dj&-bVr>P=\
%3C<qZ7tc>Z-9c)_2OP<d6-M1@QL+!NE/LtFTp^#&d?3,i:?_EApEf.#;(_m#L,KT1(5'ND"q-K(,(H3gc6_GN_:KapVLY3&^_i.>
%5S"Ee>O_u)1[dF%['Z-pCPhA;r]2M929YR+bDH)@o#M^8f;MJG^YC&LDn!f.5,<IbVI+53)KgSLZ3sj,bhJ"U#>mpmj<q6)gHoeI
%\TTk&.c6'7eAOBVKJ%s+PeXsAAc&3`@*Xd(.>o2*K=mI6ZK#`FDX7X/8H1!0'?mYBNJ9YQF5r.gX^*"-n]g32Tr?@P__)k6;^j=7
%.$C^<%Fe@^?*2hdURc.0T?O*pY1r.77VVV%rE#D3faP1M/CU[k,BenP%S,3Q!UIp\=#n"JS?T+S>?tIf9F8"VI$:&)!=+E=:>['B
%#6O#Ma1De8n]MOqeQl/h_5U;4lNh6<o4%J0<YmZN4O0V)k-M&XD4YP\@'*R-6>#?Nn/Q/'KqOUoE"GIC,5^"]"G+:d:K=6lA1I&8
%Cc1NS^$ubWTKr\mLu/LB`%96Y9jK5LFO2Rdl+qDejL@_-mnhPQBnTkb&0D'rJ%U4K$Y1NXRnu.e&p;S&#\^%oj#S&2Mrl^X.oelo
%gg2kqR.)fRNR3YaJ]@Mpo@(-F2dX>gp,<*67E[H>Cmr##4ij,_7S]E^_ECnq2HdW/frbJWmj>,kY['Mqg-h6J8&%Wp5iLj+U)>Wd
%QfgX?m;ZC#71bKJX%G-J<,aTe]4r&lTYUijqBgU+R)O0fUn*HYJ:rP=5imZ3*s#`;W9NjF'jGCem.O\Y<\a4:E0(<8$DjK&.V7D6
%`$:,%hX2e[I#e1=cVTK$$SrenHRM7`"Xnoc!HqE>WMoUQ7Y0nto,*"+mc,4[)nbqP_J^G's/qa)/>3l53B`8+!Z<bkasBG3Ob)0L
%[^me&:Xu7`9X]eY2NBV04]h%E=sq82`erU.^6#TK'u:U,)=.2+(Q7%o]_mYIDb*#FID/%JRY$lqW.fop8a?!6AAPY^5mV3XeOE)(
%Y@W$:o)Rh#Tb=FXRuK&Hj6D0b-dGm1GjSd>7muc3,>c1;Z+^fI4jgK-QKF[N8QUnF8SbVY[r`-NRGjlZ=B=4L@WADa*[H"S6KZ@K
%*<R]G,2:_ora&UNl$o\r.fE-P2ACdPd,,5[,oQ+4NPN!\RoOW$6?L_W$3A:pbUcL@Zt[.<^B^ejn+]/fdL'JM!\`n:LH#\j,&Fn2
%OFN*'_^S</?R94NU?5?/?F[2i>a`TieJY[(A5$5RCU"AVFqL`.=c'+D2?I5l(!dRlp\;mgE%#FqK9Cm7DL'_5D$QA5a"47Y^h!f=
%(6)U>A$H,RmCV'-r]/AM[Ts"iYhl2e[n+V<hAeo0piTIOF\c4AZ&;S:'KspGA@][g<(1[+_fG9)j(op032VHA\mo__k](GLM?&5f
%=P%"kfgM86`)br+XUtpZ2_4A\))Rcn6El>&_D51P_Vi;iqO<64'GG@b95nEG^dmdb#Xl`FFU5MJ&Z:qa_A#abD9[ZY'I4,j#DL5E
%f+mP]Fn"<KI$5d;nH^8Fk[(Ru(+u4Yr[Q$EK81Y-;u>[:2KN;_TU-qF]mSU<\39@k`X?G1-Z*r:^et^jQW$.rMH@e0]NAB-QH?3$
%\-X:Jcj0q2(LcaZdaI6O+^S<)>W3uW@FX\Jg&2_tr[sLV0-/%GIN!@BAeG!r[bc5;IKabR&\fQ/r!Ltr@]FQOcKWIdW[@nb&epp0
%9$MBsZLin8[?>g5$a)SOhBeY9@cOeB]*e2YEM46P14lNpkBr.h1P88[*roMW:pdCi@]4N72nGr4(PfjeC8<g?2LJ%pF&qqCmc(cr
%K`h_^<i[2@'>l'shfL/#>N\hc2Gt9)L<=X-JA$\?a'SR9aHXjsNWCtD&5PZ-"-pWF`V2\6Yr+dAWcD9G,dTP4PgL!uM4=q1!!JEe
%"J]B0667b?$dDNkhE0F"Ld[IZ?q9+7d[X=V*Zj3T%SZ^E#AOY)k66g#:0E$(%>J/4"!H"1OQTgmLlAF>(.$0b,h5dG>3f:`(!LQ?
%@PU2+`H7mQink)#*(Vmr.:HsG:psQ`9EQd+*TQB>1TE\?nKt_o::o8q1:8>UGh#*N_=dVNBNCLG2Nfg2>6&Z%QZ%a?b\ffmG)TN4
%#btB>f(n*+Z/O\78X=u=.Za]-:_?3mj]"O/12M?<G\LR0XhrH.2+K66:/"r^Au%JP`=E8pRKdX"QHdc!T<8q]5Z]g=>-H)Z&8%7W
%#bs79o@L`u@,ol2IaP6q"Y+PV2fXYK%h&U&ok9qK7n"lU[3/d&C!su'_NZ9CGi=4s@cp61H2[4hS$37CWi7>79b.7M\U=mJocY[:
%Q=s5<+G3&O:_as6k]1p_gsL,*lDJ:JLNiCB9rF,Oog(PHAJZuO84@:+UhOA-n@0I16$Nll"=FYPDin=8OrulBn]NCD]a:(l5$0E:
%?)p]1MH[/>l>*;)()*:rBU5QhJVpI@QOD<TEs6AHWcUgfQrJmh*K%:l2Kt[HP9[]I;6.e=rA%/L+78jK-GfI*)^?ti`=VCs+^g9>
%i"q(_HFHZ)L\99W`cB:rH`moL9[1"6h7T*Z-]g-rU,m\"oJL<>KST+j<l9JY"S9.7="FNnKKWr%]Uag7R1:);4-$7Bq1+4,!B3XD
%1GPd%%N(=pU6[]OAF.c95YiVtVoXEP/ub$]pGk3$%D0cr.%'$UHr(R1/bAJ6d(2reO!n1WI'I3"5H50n9`^jmdd55m7m]O2PaDO0
%=J0CZ8%hg+;(u0`]q*sgh:YfBJoPDrnai**I=//")M?`iH=C,u?u,B)(st\Y^W!17m@A5+?L^tSFZ<"qpthq+NlL<m.6645S;#>r
%F2jNX2<u:4\Cij%fF^g44F+Co?EXscL@_+<7C8u;qOnLrdb*QE6'L0pZraK@__@$0^]Y)NL&W47DW*m[AG2h:2M`NP1"[M*0:6[U
%K@),n9rbF>K07AO&)YCH&5N\4%+gBAdUcq*W+aa;HTeB]E24l7K4J?94hm6GSE.73+e`b]M,>`u@b*n$Jb_PV\kO"mMs(`pTtp2&
%[V_677ARGT^0ch&KZQh)@8&HR9_%mWQ0al\WAtSdcU.BG>UH!P2Gn#cdZ+dpmF&JeHGr4[gs&f2?NS0lj7?bBXXV#gf%,l+SS7Ka
%_6Vl@a,:TUE*!\pWM#9s!-?!%j2'-Ye6fL1/4.,mn"sg/G\=Q$l0h)`^"_MHc%t`OjCf)^7d6FC$aJ"^9@YhuM[9HCVmrT_QgL<_
%\^Ts5P!PtR<?D\p++7miF?@.)=d[J9ko4!tme.0;Umkb;<nTk6eB1eOQbZc)Pr['TGgEU&A\c.GR'R'DY>A,L4aKX#!"DV4ps(Gk
%^a7YL_J/MAke7smXEe)BOYu.-%3>OO?JG.bh,YQJ[rU&sY^:4dJ#c8dL>Y$$-@(1>0eO5rk?LkJ6mQ]iYgD'.b`P[DOAKt5l_lo(
%c5()^AR:0Q5e`C>r)j@u-4m?=[T\8I:/T(ED,%HPbLfi/Nm:Z0X[&&\7sQdH"n8M907aUT[5=mp?T)!5me4U'5;8I)OCaNemEO(X
%AS+Y^;_L,7[94DVK]p^9hl\h0,H=n2>a(4`!cQ3Y\hd;of<)anI2:#lno?]<.;2]lEBsjFRL'jhk_,,EFlfDT2d[g%6+!8[!XXHL
%h#u>#MPs)-:6S"M)'H_#U6cA'-Z=o'>G/e_h)..&(@26%m?E]ki0[S$=fA@IFhZPk<(75+M"KF36G<R30fOO?,<f.(X59i)=q`0-
%)&L0)A4QJWNLo4noGc>eJ`CMY.cDdS5^Y/@p!PZQM-/PHL(<Rs`mVf\Fo'Rg2r!Dn?_FY35u_VuXG5`s)=IsuP,+lk^_o"8XOrQa
%Xk_4Q7dHoT`\81+KA+qiCpjDoJoG79fOT6VjU<hn1:U2fcna$Rclc;',=nfR`ct`D!(@![Ee-cG@XFU49`2?+0Q_*:4tNB^_b7Z#
%^t*+3e1*q(-eBBkg8p9C)metNl5<s%;ZLZD"p[8kmO#/M2Bd:m]#tqL'i9Ooc%P\O<6Ro[*d$a(\09p;a8q$a@Q($r&+La]>@*u;
%/UC`7+VL&09L;0CY/?U0X+lWsqf5imOB5^/&#Tf/9G9<RXo'a>lFI:^dtaj^\caB*Y7:dl#jJVt3G%Z\7L!Nd6YiLBbFg(Yo9>l+
%#aj$-%8.ff!o3?_9$GPG_r#-m9/VP+2g+#\40ZA"[X\_`2C1M%CbbJ9<pWFjp]SKp-Nc(Wp:lsY,fXr$h1I^kPf;B4J6.^r]bC\'
%H3gZ2?6fgd2gD+J'Ah2MPSLKCK"cBSD%&-k2rn-hf7u]I\epfeg60mI`++')dD4bSJ_1X49bBR@(&OXB;jMq(&2GaF,$J7%+k@0&
%bD5W^noTeh4EE&=NpP1afKWaeX;WII=Yc1_Wtp>s%<1"!3H[GLCmJbCA^:Hl6":a8m`AZHr`$Aaq0.'VMp^*^h<stqH@3UZmkT\Y
%jj@O-c2;+LJqrS,ePmo/95./W[,?bC2d/qYIc3`[f,%aV41@ZWoP?MB4@KE]OqRT(Q4G2q_>5ci"(K/G0320["(!=.crE$QW5Sim
%:LSpD[<:G]/cU2T-Cb"/)0gbPTROC_CG0)O\'el:@3qKLqKHLU3[AOU!WF7V/7S5D9fFkQ2M?!L2dNEZj`u-(\&H0WT-11I[J[B9
%RWstuYg*E%h[l%9aem)8,H<)!ohqQ0c=HUb^g]M&$ls'Og,Fk88f7bt97s:l_\A!&ociHs]Ia?WE.CkE5k::.`4B?S(Ja>4b*J@6
%dW>fr_:"S2&$<Z_FtYZKbF_`&;3O_47Q>S?hp7l;l18Ga!!&iqN:1lA\6&aCgK"ItEME/lNB#&J/<74VX[\EQ!ntUB0P4A^Tl>S@
%c<77OZ_a>n6.&KuOND1`!\t$'"U28)?7cR:]IJHY^88k,"5FL``:M<kpo<m!fHt3AeMjj63a;P,[AiWtn\s4IQu3Al-erMq-^kc)
%6p8k1"HRRMJqYjtg05ue+dKP`Nhj*49pUG4i6^UW;n-l<:<\9L6>.o::IA_cnbJt-@aC+g)PW+J(fk>l^c^h?f=uS9gl1>]&YfcO
%\Yq2(0%tBh$=:P;=CDqAq2MZmPL&HpEm`m#/EJB^<hkhM<M>9cS3e9J65?X*>!CqNh)LbblZ\/AWR;V.B,*&!4G?\fisPoo7C:eQ
%=Uk31HbC,e#>JD;,tKW[BERMCpW1V9@a#h+`35`SX4>&Z)QeD@:n4hX[HX4/,%,QG;#q`Fg`r>d'^3g&QMP!SCVV%6[4Ff,+LXnO
%X0k(7A5HrS9nT%_aE"#f7gr3EaO3qHl)[9&g%jCXBrH1C[Qd_S>,5;#loD&3XPh*-[aFN,8^['-<kBjl)2a4m&PG)0>V3sXT2jCQ
%L)5kSZW1KcHB/shMRooX],;3Cks4PrcU$k'Whggp^;Io:!H1G[bQPNdLouW4T.YI`=&rPJ``U/YSM@)3`?fK8qVg[.6W(+=dQlp@
%TV*4U&%a5GMdL4e!qPu;f::Ys&!b5!^sn3mKT-LlGO'E;gVao.pqPRkX8d5mQ_-Hl#lq]<!mdWBLE2V9/IHH1cT8^S.%RFK`SW-Q
%b=(G,`LD[j"d/7=nMaB`l`X1:`?gpY5<]QZ+'KA4#/N)+RT3=&#6AW*$h81t\W@E,0'HBqI'=N,Ak!e0.a[Q^6#!LM.@:>R]5dKT
%-U9#E<>W')K@I;!%6H8%JZJW;H\sFX4(*gV$0Ocb^_A>!'%/aW\jO2cmq'lDb&5($Dr=?$Ap=2"95*:ePm`O45S6b\>AQ>j3#UMM
%78oD??5FT^Q;+1Uf1h'Y\3_Ynb0R,I(H&Ll2t"LNO:!`]GK6"=Fg<imd/\B%lk?J-[oucpHFql5j/r*]j0]f'`uce>]c&qLETJ3n
%R6hM(Ru8@Whf:ZY3\*DfFlIdlc%]+f4YHVec39Bne/32.Z&(3L%'Q.%PjMHi7F[nJmGhZ!$lrf'Zq`mC3[%/j-p,j&,f,IJ&kdAG
%,&p,j"lZ[I3r\c>0XDFA)0F"]`T9hX"M*0#]O-reTFO#DG3jifm8bXF;Al=1qRR-#WDiB7!\NHKS*Xq;?^h=9(N+Q(Jga6uobHKb
%dQVHCp6YQ,pR0TJf>;40<;*1!Y9/TQHi!A"aGAmA$[n)Q=t1Nub),V?n2sl#GA$^PDCj96g:4a8S^+Y6K?VGQ4]?XDh&@@Y8OZE\
%d;#I--g>-@&Ptic4GA_>8Y6-)F+c@qI@M4^aO0;5Mr8]Q1"U"_,PD+X2Y+[8eG4mP[7SW<"OImI%&kYOaCWf?lP)>LkX\Na'XC`I
%,eQ.(2.Z[I,TFpAFeBIY%sqsS5g;-TmHF%/8m(/TPt&i3:k6[QC=RALo2nUhN*Fir?]#JY:lTT!5mqWm/.r84R^a3.3>B+]V84<,
%$24cDDoi.G,jiFU(+mcD>!726YYihYMCNe18hlS^V!qlM>,iVK9eBFNTf<Np0akLBTTdd#@bZSf:i;Q:)>laN(lG+V-'64tLg@bI
%/hS+NX`]m":8c.<K+.7o%S,5\n3j9,>1Ca&.+5X%=/CS@Pn8c91[:%3BQjjo8lmB8%QXs84/eU(+:b0AMMN'7\lIOK)RInFYH'&b
%U^=SO_15F^4A>!iH8.T0pjlEJjpqcA/u-^JR2?1$;NILKiT.u9;p#iOYO#(Z6q\]W-fPql+VLI?9qd4oMcta\^k6Nu#CP'\NAr]E
%O;/s,2Q3Wqk(jcfmljnmF:rnlSW++jQl@%WE(C(=65@N0Wk)!)0S]MQP&6KrZf]^"qW:RT7g0s5)SI%F?k,AL!Y?hgcrA@c`#D#:
%frjL!U&R7)27OK>gr%:"72a`+hJ>r#<6NWAAH!e/.id*7mFmcNBJt!4LTe8n3<)hMMdk@4>9,9;"S$UTjAC3,qG9ZmTP]SHXcToR
%f9)"kN>'W7?i`L&.BLu':o;KKon8UW\YtZ4!Ds5LRq#2oHHR"T6:__*KS1>WZjpB5*N(O5AkAcEPd(rCB8oE)I(?Zl>h/J.Jlai?
%#T(r&MF+hT;79b7!Upi0BHnPWLgCH35sQG'`F"fr\IOR^6QF``\Nj=l"R0c`HUSClR-9tf9%)HBA)EY7$7[<h'Egj_fENes<cF_;
%J0E4[#W5@`iXI"c"k%N&W"(988ZN7$Y+o;eNl0QYM*nU+jC%s>%X($_9&oio[3P%'qfH6/>S,@Zab[f)=0+b6$dmtXBghVJWsSU1
%U.f'u63fk(!*V`1,h9,/*DlE$6Pk]EZqeLfB%C)XOJ=.T,G"J/>Yt\=E2mJYF18UYY*0<)%]l'.jsn9=UMfp%$a;R4TXc?Frlr/+
%6\mUQJB!F&T-Dmd:EB3C5S+"n(Z%MoT.W$VBM+Pa*LhBZfhUReZ?T(J!D*f#]BZt+],Gq$'8c-?D4oejfm"VQVehA99r51(Ep0Hs
%+h,abO<*X`p/D51O0aQDgI-LDQ];^(co5&M?)PQLUjq#.-f^8#f9U@!i#,$JIdncPQV:;8kur$?Z:Qf8R2!K_S-HfZ.TLC=p!M?l
%Xj7)+nCB!3MTOWo5R#ATEfk2F:;fcG][cCseMq^jKScSG\ho*1Ua<+9o(#ri.3.H>JdPf,#a96"a<./i)R[Pih6NiHPi[XM6\"cL
%^u>nQmbag6HG"$Gm=Wn^").*m7>M5Q0aCZ33btDr/ij(EJIcNlFBgg[dV&._iXS_DmU8i+:j3O[SF!EbY,YeP0[,VDm+B^b9o/-a
%La%Nm(h'h)>!tTL\cUAMeKf7)C]X!HQ65&U.suChW]WI7'k)lG12_I3`Mj0ZbRd]C2ga)?q$F,R1,**6iaFT!D5`;n91/tp;B99Y
%WYnHj@+&\^Np:&#KD/0Bdq08GkQm>@);OMMRpNJ]"F=FDa,J/Aqh$iUakfg2[Qio7XOgj.EG`ohQDD;'DTo]Y>b9`6,*<@YSFSZ*
%kb09O,:cfbH-mmtR7A,gOE,@:Wq(,oaR)DV[Rpi@(?*]IBiFu/<lnPK1-'d3^8V>CTj!&;.p6KuOLd>FZr'1aPWB02rli;4NNp;2
%T!V"6`h?LH%@*32XL`g_pjKQt_n3u5RJ)Ge#KTB\5"rR33s3ns`"g/k@0&N6;IZ7ZTL#Q=q'fpK.^'2DS>$DqXp<i':6]Xt8"+$U
%a2kffR2^!cQKtN%XdDj6L\M4_&Wb;`l33kK'GS'^,(B[=2/[MTChC""WmNC=%U!51<Z1*HBab.UX1*?[@EGDWTC(7X/uTX4DM4Fs
%=dUFD#c51+_Ua9BKBOl1rlqbjL;6!85Ouk=l/fGGhUGu6MojWLM?e8I<+GZHkrc?)GU5Fm/2^g,\>=keg+_l(NGm\0>3'TG:b"fP
%#Hb53A3SQfNJ\DoiW@@W9T@2[FMroi.PIcJ^u0[,<&p/oJ-23K3)+*Tf^Ct&Kscf5.UMql7t>)l-7PK#QTFCLgGr8#0^,3C=a72K
%@h*)4_InEf@Dj'@Cdk^sI'DNI#@s2UKW%^\%i@\+=Ht*W%>$Pm-bU&1d9jj:OgZ]?6K+`g[0(/*PeUf8?%-WM-Y7R29^%9C'?39T
%5Y9KXJBjr;U\@W`NH158DC\G7c(ecpYJk_tV\QG@?4[trc:'Ne0t)-MJ]Np<"m&GGETO36,Vjsa<ScA;q$]%;Q+*UX0M>ls\,q-n
%MCDL#>27#Fn.@U8O>FGhp]d\-.S#[g/=[uLV,8Bfg_c9PM-4\U9LBY6MM_tf&GGG$AR**5*8,d^lX0/$V5LqDOCsGci_i[e2,-48
%r5D)T0G<#j`Tle..:Om-f'mGk3eABsn8^2fi[i>!O?9YCH:?UI">Di%aGl.oUuX)3c>jRN@9;B;i+,TKVR0l=\u3QGF(eO+"rZkI
%Z0F;Q]0oM2^P;63icMQTI+=M(%I+dV99ZP_`+)Ur]FjT^h()&/^Wk/W&/*A7AV35`OOt6MS&cPJ9!6,@%JLmIUG:ki:7ZZ'E/WD#
%-ZN_0C$7bW.@qU1JnD#@A`k="Oqr-a$'ZRZMlGE5T3X\lO="hb()<'6Oh%iLm>+ZV^l=lHR%fSVl/!K3"6:is!ZL`I:7CM-+^CXe
%%<4aHkVreMEl,)tZA#&@68q#S0iQq?%b1#+i?CkQMaqGZW/lfYq!@Qh^lt.p#(1HEi>HA3V'J09AKl%$]MPa]eUZGhJZK)nMNXTT
%.0^bXS(18mNY/#1G"Y+1oW$dq2fe<G=N@KU0#%nm.1cs&&bS#BV:n9G\C`!A_td$k^oE@UB$`]-E,b,2[VsLDc<E,n&.Z)SKl[*<
%UEbD_Qk1`/f']"69/Xu&QT:%%!Hj/g2rW\HSVe*_9ct.(j3*sl)/5#))0ec!-FH;X&Lg(X8RaX#MAH+n'GEnD>O*"/AS##sY0<[U
%i"69aK#qeS"Xld_'P[c!@fi$WL>\'l1-7#FkS>BjKa#:d1a<-ug6WC<@9?OY:S`4MMN/&/@EV7\A%<GlX&[,1-4Jk_ojC]N$6p9e
%-O";r&=]U8Jjn@I-bpa&^S[qaEX"fuh$n^-kZ1]ML,W'EGWfM'#eiPblEEk%6;,I)aS+ua^^311\>`>Z$OJ._ERC&ljeYhrKl(Y^
%ac#+(kYC%N/);j[?HP3"UfhQCcUu*8iIGMiWq+,F>!PIi;u/$XZT;P_0Y=$#`0'n4=M)G6XA`On&,e@)P1%E>?o$t%Zmr"(7ofiu
%fYH+2@7e("nRsOD;oJSXL9H\E_;hGo9QDE7lRA3uE/FY4nKoX^LoaS7]WMui:6!B@BkLVhX-k98S.Vf;W^J3TPM_N\0?*<Fa(fg*
%9821V]Q<AbXDjB1jj_\Qg,4iBfs1:9>0sU9=0?ot,#62hL`REbmN%R@<s],n9B0EgOu-e$dUKVK$MU4ue3aUj$segeQ.RfnE(N!?
%%L#?(\7V;G;h7Sqp%+d(7XU"QI.<(SdEmhg6sZ#/c8aq:2YN,oO22>:pkY1gD0pc[A'8i14&ZAT3O)M)KOCY(K09le:t5q<10kSN
%fimjTj\@Eh0QadlCI(0UXrQ:;*TIf3(^GKU]!%4M)R8s,JJ3NW_9ZN-eLg"Ade%Ej$h6O'S[UdOhbf6k]E'_+;L[teg'r6oKYdaT
%/m?RLhn!YW=]'H5?M9N[B"g&B$cS[UpSHoaf--pSb\h-6kI;E^J3m>J27[]fg$Du'%d+D["CdP$`k07,eO!cGbDKDB)cG//bT?Gt
%.XEaaDt8$#!"*ocQ.;#)-`<HT^pb$%_jQYD"GjS\;/F:</M/%ti&eY*CR>Pn@<)hF0PF"6-pHtg@r"OPqr#cDIDcUdcl?74V],lr
%:+.o/_c56s93P;BN7\0F6l8u[Ggh4N$Q,$o1M0B0l\^`%!gK@>$ut<Hcj46OU(2#KDI+&<pj*&=#%8-5ndM`Mgs8$SDto6.(.)/G
%Gaq0X/.o6AA446k'$jRdGgqWAQQ^rG7bXB(iaT$kBm]$&Q)?*CG*89t%$:Yp3,CU[&Y[=07o<kQj!(*R-"=r+$NLkpY&<Tc2*(Vf
%>Xl_i&ogO*RUm)QLZA"0US;oBhH.h;(0!`^U/eJcCh:C-X;ZcQmfTDVbl4Z_7%&Q:$s9O@:[oA;_ph=iO#P5lNf_o!r\F5!#pD+5
%pl)iSi:AA1_;`U,;p%BDRGE6,KJ&;]W&]L2NP9pWFPL%/:;9+1nA,ZfLnkN`]%e14f0R#1N=CPFOrT6@$Y=F@'(-U_\]9X=j!LaO
%'Lr1?>r5k[K(Lu!_ld$X'D_GUe@jWsY32@TA<U^her5EG=YOOSBG.@E4d7,1-JF1o;fW&iBWGVXiu?!dD;X(R2:BL,K:8!8$GN]d
%'I*V'.=K%PTkhspffXu@Co>.Q_+O@pV*ea7b97Y12]mr\W6KU6ba#e!Fl:a3YC&GmWSaD)ZoU=h,L,B.;&LU+9]%t$`&-,Zj=P>`
%RHjkl\"&f<ZOYB9kDgM^Vj9:boD\QQD%QsR5:X.+9)6Vg5d6)Y43+3=G[tHhEMl5+b^l2kf#]JRXsp=t',[L^6Z]IadV2D".u;,Y
%W,HEU3TFMD'.9+U>S#CR()S"qY3aLQP**U%_M(<]nXGK/K&%n*YBI@p;"]#HrBZ=#-e6,ckT)U6[N/tk-o@FPiM2.<\/JRV;^,aX
%S]j]*)25SgBO3PHcZG+_a=^Q@r`$%#Q)<-KL8Y0'e<gD)>u_GQ%,bnudTnPdpnG#9@H,Pc[^$aXXcN*'G=XKR3_3UhB68g*6hapS
%m<K&k74kcg;PCs$),@20Tu='X5q6lLLP*Y(6mu'8Z;ZCkI4.fsS//dD0n<1081lg:&<oW-b,Ms5*q_Cgm^.S5kp2NeVP)G("f*gR
%J_45HP-&]#'Osm[FY1H'<LaalF.8kJW'ec((mc/i[($k-_r>*EC0r"!:"j_[j%gqBAVsk6#5t4-Lf/T9pP_mE=W+_:O-1"PYNeR.
%)W*ZnZp6g7>#;5d&\K09aA&+!78Y5:"1P0qn!t2?!gp!m]"$b9CSN-dQp08oFY9M=8XC7Wn0rf28^sbf;::hr<%agrfn)ZpaQBGq
%n?_b$;E_C>;l>^_H@mZjG7e?3=).qG<RheNG;S8*1`AqmC@>jT@C=)_p0j2\.;YC*H9k5AD8Y4RDQXB_I96oi`7`&EHLQo0DPnG?
%7eHt-,18?J6DQ!mVbge\?L8kA)dL)5nRrTog>!:V3j+a?dMUa4?OQ@Y4,T#'Ci%I>;4Uh/080tRL6-GjWbGH*pTuZ,Eb5$4p`__e
%3Ia\-2cN6Tm+ASY^XMr/^pg*6cY=4;D#k%djUFT#^p,h3g7L6n4\cUE,%oC8.`5*ad9nDK3`s0[l];A?*'T9'o]R/,7k+hs<65[n
%HF:*$BKDOp,n3UG]`j\dUj]S(3,Oe\kCC6%l\q*EW\16`Hq[-ib]`8n^rE%S/@k#J*[Hfc:NGR?j5A4fK>3cHc*9\e[%BNP$9&HQ
%6(@s#YTFn9^?XFie@muTn\mIPs+,bQWFN)1X@@1M+Mp(]nR<L`-:f/[lF3E+o.^)]+pZf'eb^%C*N/l\4EO0Jn@T#t2&q$H6:&P4
%VRj@cPkNi54VU<"R8Z!7Zajf*K&?eK=*V,mg&s5B)L.ou`Xs=\Ve)pADL`1),4o?AAckA,EX2LBndNZ[,-jQT&0M]%9S2plG`\12
%7>TMB9SUD/Bo>O(8<Yj2']AT)nrnkR<L;bYnY^_0$1uiJ-R(I7$o8V\f+aMNj"RB$O4[a&!k)qmSK%f%P!3C1[8$EldR>U"(8XhC
%J"`@uAqtH#pD>6q,aM\pnrSRaFE-D>@7"WD3<q=h?8.$Oe/qlY<a!%)^ZcN9Z:U^bb[T?s7ZfQ4F_GC3Pf>,f4dK<3^dKZe+JCG9
%F:H-bZlKB12\m^(SH+mX!*`GCD?<WAh#K#7/Sh1EbIK5`17ju>4;(*!YSR%+82VhJU0-ekk*XOud&>1f4N%N^d^97:;qGsmc&BFF
%bus@/iU&+;?&,Ek44qZ<3lkjOET9NIJOjC+F/,a/ma/@C:2lfq<6Wg*pJhmZi3s`,MVJJ@('O^/8"=5%9Ro$S#F!-lPh)VYGb+M$
%im4Z$L]BWXWk"a=,\"-4:QC5[%bMJB+Br,J@70TpZSKsudPpcb"gMZ"7QhkH>+\uh^`^ZZL`Ft'NnbEcI]O\b4D%W77QEEdQ(`0a
%JAm&ENB_spIHX622)dm3PWkW<`XBus=5@j$YSn!da*_J+jGPZ2e]?Yn'bJtsLJ-q%P_%ZQp2',"?:mLpEI+&fRK<paL.>*A0SVjZ
%=@X)53bAp-caMiP=^=Cg"-.E^+O;-p2rmR6U%2.VF;uY\YmWl=!.9#R<?dc)L7o<5![>%E!UWjT-[^@M>9-)3120\C`6f/AgF1RF
%I!GNGK&JZ2MAR.0@N4U2'DUHPR\_Go"!)K:#qJOb[<nFkjZ-2.(4/_.?KpJ%\/o:KC*[kUCtPh%+Io-/CO1dKLT7.Fs!nOX-=o%l
%Gd2RiV&M@Nn#D.O\N$a$;<*uL!(P1^[8t,DT>2T66Vl0S+cXX170aA!pP?CL/0'snoY;rX5(frW7VYa3EX`.WN!@-1M6'/$SK"u?
%$d/IV%\cXb3i'$i`A!&m=I6$WR6hh5,3gS<.,gue#k.G@&Cakg([oIpR0UrmnL@p'A._]rihV==,a097Ee2!2EAu"(&GWBpCilK+
%FC'-0nk^\K&Ea<)R4$NAB/(\k:40%K<=9,EXduH#e@P)_&\_qkN/h!b_g82h'VUE6-aSOVDS)?K?HIhUVUM#T!!&R]b,2G;P[R*=
%Ih>eL)3(XXY8@Qk0*"S(FjkOJd7(;rONqhKF3cm6L-9$=W^?h[d5]k4T`;<r_r1\=LNFC<5<_EuW6J"E4/<Ym2D4$Lg<nAS9!<r+
%XQraG;Yo>1cY4@m9^S.T1jVR6g]YhHd^L4DOc:090edVqAQYS_nma_fBo$65L8@8f64M7&g=-:Qac2uHLOc5CAe&-MJU3h*j"B46
%?F;>OeQUSHn-?6X3])@L:g%n!2EY$8VplPZOdO0kM$dnR%O96@%P&oB)..7=Yc4(A)ad#e+Q-UnflCeYP9Y"'m/P2/<&LX+iMl&p
%$J$/;/ne`CqHu,q^#agh:WlC'P!>DnRq3O@USmEZRcirb''*cLTk`1Mjs>6s8fc&Y1`0(<$qr%i+._@=p`l!IgKBc'cH+EjKZ['g
%0UA8k,1+_sP4aie<S@h.201iFP@Ur)FMIrlX+\C?M(r"!co<F#NETgd)p`U>oQ$Jifl$A[4'8PnK[tt:@Y*=+D'p@sfQBc?`Bg#k
%Z-fLp!+&`(6b08$!Zse<8#0sRB(RR>Uc1_HY,udACT,IG&i3%G9:_"%P6K$+Lp1Ed>(TdE:l6:!P=j@"!cLkE#j<7QZa'[Bi2j4j
%:oWn5,T/T?30;IeD-]54S0#!O?B^2_`*GbO64HL,PPHbcCNL+kDfeN6P`8ObSIr5VD(l.a,3o$J3ane_5[VUUUU^"YCkLReVfC7-
%PX7+1L8WHc6?"fQ%`>Aind2<5\U%2<X8$9"U\\EPTa"=nZ$C0pUCI&9o:MAJDF'`VX19IJ,GQk`0M'tg=R(gaNudkuB'K]+$!pZa
%F.h=@f!`"5/U)Cbm1]\5RuVFgpp$ADpf]NH7muDd]2\2k[bMb!4H=AE'pZs)!@Y*R=(8R=at%dO&\^nPK,fHaT7_t-@8h=e]_L.t
%"68)tG/kkb2m;8;iI,O<J600?%_`;2(_4Gqj?fpd_)l(H$U9q2V$.0('-4,o*jWiE%=>I*&)20WIPS'P5aj?%H0_Ia@I8S@'Y=u8
%F4O/,L$aR4kG""eq+KuA7WCIHJmO]#UKJKKBs&K0n)i3$H7BRpF"e`[*U2BY9rZRm2C"))kpNl2Wgu>l>Tr^7PsS"U]m.gLplc/I
%beFY!!"e_G=\FQQ2^JTbDeARb]Sae'$A*r5K]@d!9hkBD!h(33_JWk>@^6Mt<7]4=.]'0##V1M+^8cWS*$<'d\k-*985E(gJ-]2L
%SATnZW75CC1*c3W/Eebo]+V*iYIR-aOE^m<JqD4\%&]G:6#[2%:CaXflniMnbla_h[(uiK:e_.FSuSc((ZZ3VrfC#3VUOfU%FbQK
%0W^&hK<D-q]'<m.#[JmK%F_;`RUls)*@+M$6AL_lDX#NP)dt$CN#Wq&Y43@&kU;V`Ho$2V:O#7bAu"3*eM4"A+br)!@r]b%LEIbl
%LV5r\@L-Rs;Z-uO^&m\2eL_1q2%XH^MJW6fL1d#q,nJV#40\$TCs)04.!]6^#?A[8EkF@p$:YnPqcqHA2OlP=Hf:V7%pu?$\75S>
%1%DY"*`5G9[o+C"`<s?rfrp\>S(F!r,G[Vm27^VXq,3K:T/Y2/MPWq&ZUm,r$GK!R<Do(0ehn0K/!Il[:r]MDTJbsRC\DM3Sd%d/
%Vg3>>"ZaFi!Wk,q.pR1TbR6\mD9+baWN_[a[#,Pkl#YjHad3)KiZr$l4L.]#nZ<BbG:9=#]%j,@;XM^7EN5b?p8fJH=!8Z!fso""
%<bDq7PK'Rabr2@Xg)XU@1/e=_3E(ub,Ys#_%)LPb87V+_=<Y!#;50g*MKAiJ.(qc\>p98;U$ONL,Be'eGQUB?!=,"e<%hB67-.jZ
%%+6E9jAKV2K)#8_$`+kJ_4@stGN_F]=uR7B[rcZ0Z#F^aF]04lp=,J'Kf(g/Cqgr@%b)('$oYN%W6l<L+_X6&6?:)R-54W(V/Mfk
%5!d^'!X*4n8$U6=5pqJ-.M]YeE?$9ufIg;j>Q$<G)MfFhCa=mC9B;Y,.<3#KBF$_=<,trXT90D?ab]<8QKBbikVAOWG+5b,4(i'r
%1kGBnPZ]&S0ZuNtRS].EAga<EP-koo2$d<b/Z=Nc.'0b1[)trKk0i!.r1&Am`XMF)7X-J][RAGO[45/fN[%(bm"5SKW^7j#K;_X$
%3E54(1ENM6$!bRe(KKa@Xtjm.e6+%aALP&tFO6bFNe.VEXMm*QM!^QNEmc+CG+iNEMPTklIKa5DS5'7S*@r]G[q*cd;g)N"EO:>u
%0Y29*HdJ,(W-`g=,M0f+J6c@tO8o\9do:=uF"(&hI(\O9G?1VP.s2,dKH?8U1D;NI`-7W3]0f/q$(d%E?#AX5.,.Sjl/T,nKUQ<4
%Rad3dRrSZemVAg`?uZX(nf5<.7ZQ$?'(Dim>ch=<6tKi`(^2=ibfN=,gXI3A13j)`)/9W[E,5Nj/jH[:$l9d[9c%B45"'.@efduS
%m7\Of!`pQ4C`*O9#Q0*.k"nOBU4N`eiE[CrC>oN,8^o"J8o7IkCA)>Kn]2Q__+SG[`9Sa66W\oC'K$)rS]LjY<5%!UK9q-dmQ"ZJ
%)**NZ'8lrPR"iFNBP6lRODh6SVN=%FmS;^Q9rW4>bXN%eg7O"WYd1/=8^b1rWbi&Kmu5DTa$$O'UDPMF&#73Weh%QP\5Xh,jD<'K
%,N*ec=RAuPE*6bT604AS"LkM,m6:2j!0G'nqO1qp;-D6%kQh`fS=ig1mR;1H@3ndGk&+9uXWuf?Wg:&+LLLOf;$k!@_S/9pOCq+)
%1&t/;E&<aBQj;o7A2$[+8;eR_,8T0p:#f]Q@T#e4N1c'Z`H>bpE-V!!1?>ME.#c`I%??$@UN4)KCSrT;/]%+X\Tg&0H\?V/l97;[
%o5l7EcuhGA&1.ecWY6efa"Rsr]WAKdMmNUGW_2(I.gK"8D%^VI1.JJXf+f8GTH2<&.'.jebA-k)jf^h?K0a:2=?Fs1Gid#.2;uEf
%&<qa4AhNE'Z"EId6u0-X`3=T>WfUb(#S7X)g;qBg-7YTV?bk=4(a8?.&ma=Ef>+3#VN(p60P(<Y[i:ioRIq?&0o?!-j_o.U-ZV2<
%CL@$6@*tg8/'D9Rn'U>I&sT6`?`,*<`>J6;*+`;ZOLmEjYs#>TS/7>Q2fpdRK!X\nC6^k4?]NV,AG?P"d@jhf('=P[[WTNC@H(2G
%oV1kk$2u`mJ"K4cBjB20O@I'=Zl,";19%[$8uApsWo-9j*F&%K.jGB>J_.4%;[7DDh'A@;@6nW23'!JBD-aFu&7_"W>N=N,;Ym5I
%G6$Gs'FV4hI8Ff;Sl`QZl3IkE#cdr03g+bs.Fr/:c"ccC6U8huMQjp!3:%(;\`k50kY"/h\9WGJ-8-J(WeZ>M/dk%I.P6q9AMrs$
%<,!eEj42<536/2hP0-6cJR@6SS]S4e``H0]fE(S0(4+'Nk.Z.iC2E\-Cfen^D&s19@B4:GaV.15N9*ulKtAd-D&`Y>jt#F@9H=.W
%O*[aPReWbG#a!p"dZeRaNcH:(X[EAE27`jL(eB=d"XO\S=4&*d.?*f\@d#</V8,T-jop]f&Mf];YNeqj67cJ[!,N^u\.4qF*E!lR
%#9[N(LG[=N&Pe;/!kMqT)n"$;$3XJ&V(LGV67bSkLQ[`jj6D$4PLmku?-C';'Ra]-LP43Pjt[*=S?B`3fe1"jVQ7=(=q9=be:D7>
%FD"e_e2j<AQ<@u%0!\h3n['Gn4GHE7Yu7TID0.c3)q\\qHo#4N`BeW9:T7Cn2$\`QfIG%\\<Y%Hj1%_ii`5E.<+qF5,]-M5>Ii20
%-nuMNaVqPE"MbYk0c=O_iq9hFe=)8k5kMbsRfdGX]33)UW`;WX%sP*B7$"j1lKC^Xb0;IS.RDU?5;g!M_S`o0*%!+5.H$rWP&QX6
%+4p/#O#Ei8S2r]/DLD=p6u%AgJ/?kAS*cH!BH"c:&sLk=4_iL07b=cI=^u-oX\5dnm$(FSJOcsi/bRQS_K?ubMI?J'+^qYmra$<?
%8FS#<qI`#Bj4Hj5+l?VG&K?:NV!;>h;&NH#7l3%!l`P)hbsP!7Wm#6BX!Qb_<Z))QRZ`pq.$LU.OaeV)a:5mbdVF;*@Kq/iKaJ=d
%Q?fZfgjKCTJ/VF'Qi*.%B$[>1ZOYFC$C;J!r+5l]4mR&-<]J!1-KD5g(q35-aAOMuL1oT4:@i7DdM(8Rbu$IE<`t$0`7X^%6c-2W
%Ng>I4&X,6&3CAWdRNKj)R;lXp/6*$oVE%*3g(W\$%:8^P/!m)lG0\$F4'R<c+*a`lF(O4lcjF3ej]\-,O],::CuTkU=/pI%g7%VX
%VEVfd_a3Uoq/T3jHA9foA-gu<ZrALW4&9ED_2d4lXT-d@U!@(],0%ubktJLuEmNRc'Q.`%mfnpr+%%G'Pai99@+G/(FGMn%X@;o@
%9kFHG:D4>J6gBbR7%UjU3Y=@#]XTZ`UgcZO'969%o*)lDJP:+;V>7>^<^;X<U,n#ool:.m!>iRQ1X\,\5`Mr)qsQ[ANnEh8I;\Ng
%=6GQHmH,#!fe)TdW0o_.9_;ZXf:)B8V_p!@dtAtud[]Ij>f<SA&@K;tm(1"K@7TKNS0B'rI3LqVb!dbHcref/K?A0H5=FmG.3.<1
%g\3.o+RG9h6+b7`!b&!K":QM#0;:r)7S&5Tk5m]O*0BONLp7[M^l>>ZS[<O?453'd]NO'qA+LD$JrK#'9)$;f<RcTX>)'P?(tK`i
%[FB8D#NFgAaeNR'L.K%f+H7S9q=3(q%ePQMRGl1,d6*f4-ngW0S&H/e0*s=Og2Lmss%+cM38<WQ+oJ1P@'6[Ijbp!,kH,]u^tS:A
%Xq_]X)9R<dSHlrR(+"mpdKdp%\?k'h1]9^<p1&PIj8]V-3j!kkXQ]]p;b+jf!-N+eb1;l/!$Y@f<NIAg=#dMC24$7$7=C;bDpQlA
%nSP@sWr2kg$]&E0lMd5?fm>J<m>800cBsfqb0[7cpE/c$F3N3KnP^XuS&R'HbuB]/,4Uq;HT=?uDf(6@Ms3_\\L4kb///4SM7N^L
%'L)_AU)H!"k/K9FCXJhP<Yk/r)?qr\U4C)cC5cpPKNZVAk(qX]O<(`8\SO2PEb&A0-6,>W&sXl)i,KE4'?C#YZ)pcFm-fP4i^S]R
%$<KG3Yn8h]8]CW;k$;'L:^($l)`;Nij<,OV@ulFZ,/gRZM)=O<#A\DUO/(iRS2XDpEB2m;bLKc766W;i%R4e@BL5F<g1hn[&<hQC
%%jj%a'YU7a6d=Q;`$;)6K$m4s)mclGd=\?*U0j!9AC+Se<r[.6.S%`0qrD0nTsQmQMKF`5Ki*_:LM!_<@F`9GA2C#q"=orVXlqF=
%38;Ug8)s0mEMJgB$c$]a)4;:k&^:L,XJ26.RF)AO=fndBX2DUgn@5Fc-I*?==#a?$GqZ?pG76_%3A):NNc^R:=JXp"Bq1VQI%%`2
%egKGe,U,g1=GC`plUa<O#!W;5`&?r=$DSE^#Po9C'bn1j&?<uD]:O_PLSMrp!nqk!DIC(I>T5;sZhNmg<t(X"n'eG2;*LCWR>f8Q
%7U9R+%t[ts</'S$=#)56)E5Ys>K*X;9MlGbd8CD/D@IBD`^H\@b8H8I1jM.WHFn"8nht#1EahdYoN$rG.JPrR(-9AbDaAJ]NV@Yn
%[BGnQQD+RuKP.W2(UjCJ_.\e#eioubp,4tc&=7)83?F-+"NDr_Um+0d`#uMHOM@3N%&ckGHQ=GJkmZBi/"5?nV>4#S5*TJp';Hgq
%GhKX`U6(^&1iVQR/0hPQ<tD(p"K=kZVB26D>h(Ec7>+,9eMl`W&d$S(0V"<XQ%H2n)l5a.Qm*(N&Or=7;5O]b:r#K@..q3A[_c"M
%P2H_a`[&B5W^d2W[d0o51dTK^q3<=H`[oE#;:%_qm1tI"?CjnZjutsS,lnUg,7[rA)p\gVkRi+%jl-&L?XI36&)CK5)u,+RKR68u
%1"a_-)]d%NLa*8Q*?%9:$UtTj&DS"CB\D=L;+lFaLn[7UH=X[8YN\8)&OG3/rE98(gfP13Ob:)r3eGin;MPftE8*j?Y$Yn4ru-#/
%dr2'LN%_$EBa'*KM@;LS"1/9Q$UC]>-fbp,:b$S58@pW=5),_S"b`%.n+^s\(q5>P]]J82!ZQsVTp5:69'CTI3d`baF032d0e%qt
%7d/XS8J^BBPj'7[E!/(]hZgVqC!9KO9d+,6F"A#VW2fC/AJ\joWD;N;Jjl/%'qm6toGG')$>bfo%dnqS/PT`WC2^@,?BrI/2p)<P
%_c6A\@+td16o%Oe_<"YJKCl"9L:0)Z4EN<>DUjG/I%`SU.133j=@H_"<%,+YBS_12j>[`B'>i9]Xe7Qa/lHg&eela^r4?4&ga4F[
%=/*W<NBhf4s,uL,O@[s9-?mqbG#Au0SqY`c1=<a:2+9M`kCaYb-?Y<[VC/7-Wg`QO+MKqG@'g]<$Faf$Yj0@ilI*b4.pEhWk"\rS
%jhuJAKB.bJP/nn<@3ckKeS8a;?d+tta`O#IYRAPLB8/BKh9*>r.jYr?mBrXP8<7iQT!XBiJ16kH"><LS0>\-dL8ED1BMgIf86&V[
%/3Q'([+%[W4<[PTQD/+oo[B$H>iqn`M#<B9gWfBLEe8`+L)TNUO'aF.8sSrqGrSFH;,iX2)e[.Rdd5_JVAN$eK!2"?'h'V^7srol
%NNoTN?8WY?&s_:?A?C]$2WOq<Ocg+D&.VmP;7/R/!mGu:=Wh:FMeN!J3d+GrC3*bdkXOONmBNA`+IZ+S'/W+^n#'A@?Uu3;aZthp
%W)9>T(f=cGJ&2o!gUt#'lD@7E@b&n>IXRESC-gZq<:5K739B"ob>;\8\;_KG51"59?87q;Un4Y*C,50=%oK4XN.RckOuT>+o.Y5&
%Q-*3Y<=.VV#_$%NN@J9f=,%L`!;U+,%PS1eKllrYAqF:MU`D`-A8*t:Em9b@gV'kD:m]1i+bP;X;PV<W=7sUk74QD/jru3l8sE2n
%!(n1[da#@X=O@Cf.c%3@C=)BU;jc^fB+B,>bQ7;k@b!5IKum5Z:j<9n^INt[U7"nY@M5;,a)RHHQ'g\`ZiN;*>326q<9S&8d8TQc
%F_LSs@bfe"[;0*.JcT&V5^LNYVd7]EfZb-lgd)]LCgLTYF%lm`J9h>R3ntPR)Y7V^6PKpj84T432M[Y=k?mXP6Yu_oeo;K>=\jP<
%:TDn4N#1h;fBTKU#7O^e2KDj]K'Al,5']BWY#'o7X]U<@ch`nqp(29?oID2V:8/gUet!1NX]B=\eAXDp\<)1i\Ja8QK%4Ch:Ir(8
%?q;F(3YirqXG8a3.E9oSb/tcGCKd8uQE)(J4MthC3:6H0P<F2J"g9eL#0Jkh[M/X_"A,+Md^]sN5P]q9?e-e_bK2"X6Q^L`<&EX6
%,t_baYbtGe9:G[s\',>1f)q!rSr'gRCDcrI.UY9,TT'k>Bai53C2.g;*CDZJDK:\.j'?EsP'74!;Y%bYAuKuT,Mk;%Yen<'kU=6;
%!Am3!N1r.dM9g7G'qk0ba/;Bc=&B3<o4&Ab#plcl>+o6`cobb^.%lHh<>pN/X?.]aKL<uck7*;@<PbTp8-9Q"AcnJorOg7-K%?T)
%.<S?0abS;+i#I^&*%,/.ZC%5cRZ<HLVN!2I(PEQD;$<,4H,T,;,YcnqT8FCoLE\7\HrISUp`A4!0a>nDE20[GW/JKOK7T==35&Mo
%a`eFN\r,65@QRIa8:mG_2Gr@/8>]UH`l>M>12%nIT"0HGkfRO1R3Uam9!B=K7Pa6?DTs6AllI1i#2D^#SgWY9F_jdA`Ml<J)q(_2
%8s(#Fkisqgmc]T.)Jb'f<.]R9Zg5XT4\h[oO!BXQr#qu+>`li4<#'*a,S_M_GZb%YB]7GLR)n1rB;S8:>#7_Z-toX--:gY+9*1l_
%[PlUA%otiqi0tFAac9%k@'cM-[DbE!n6B8#i??Vsd_]r!N!*b>gSi'EfJGPB6?^rAG,ch?L(^L%+SW]EfqO=o(S_u2_D>?SqY;/:
%XZ8f5)hCY9a@ghW#rr3BaMfuie!9?Cg)X];mA&sJEZ>lFFNGC^K!;Cc*uX7BX'N1Zrq4S/*(=JC=O=E53suCO^U]jRP"aXmRG_!8
%7B.W[2!e1#guXj8HL72_H-3/XNHG-OfP9<53gt0oj0S936S[Jq2X5/rQh28N;Taf!'iX?+6>ja*d"(ubkSjB?eE?4AllO.P904Tj
%RJ3UV\t.@l%=kkUAg^!.I;g&^LDV>t811tX#6ngaFXJ)8U9m=mKmhn,_*Li\nCW#u*/E>#NL:n5fWhk*F3m68D"CE=YJuR1bssu>
%LRZt^e3)cO0\=#hnS;33eZf0KEI-A\k_1oSgLYZFS]Nq_";lhKFU4<eDqJJ>apE`X%tm,fUM6Bl44;@"bLK&0d7b#dM!njmaNW'<
%^%XLSZkZP?r8Y;sB#0VK2&K7^`.8h>`i]Z]&G,"/UG3AOG\X=4gVc/g7;)(7gl8Tup#2/F.YZP<W'FP6:,]p9pt#iG8..44n]I!\
%Y]VG(,11=?kj%qZf08cm<q"l.?V`oHlBCtQEqeX[=.M<sp%8RYaZK4\B:V#-nC08>o'YH(<I9e>lIlo<*PCNlUQ7N\E:9gMNd^Z<
%H`V\h4feUarr7[r?i;)GXZu:<acjcJ54O/=:EI:A`3K2FFnPQk]_^jba0)"_D\o=V0=gP.bKdkOmpT9<f7-#4m.)Z&BZmC<??u>]
%-P)euo'"W]ID?jcA+cH%+*HMqeUK_iocO!ZT)[]%7h:9*DIlF3j+Z*gqTiLHO,'q8*d'.W4QkYA%rhh-UB,i%J6;/5'fiU^;=#;_
%V#1<dF*&k:36`U!DQfdB_?+jdS#9V+q-Q4AZ,n*J^Q[e(e]H!A'=9]#l-)!Xq"9"^S+jU;i($gHpLE3oB*<%.r7PP&.Oqa6eG(mA
%i%0kmQj"5s#Bik]5>\>0`K(CO)\sZZ+6,Q9LMi7ngt@/.1q0Tfo@--,-(e[chgP"do1r\@jb_.kSpL2$)8!N4mesq$-]c\oV\SA*
%T(0nPX8d_QX(/CV4EL1&DIpF#Hk]kOLj;X\TE!cR\[IpNRVRS1eOCj^`ba#3bB&`MDp?$3[@ZY"UJ?fY!ubQ^k1q2R?p[=oNE]DH
%*fC)ZHj=i(o5D[^VGT:E_<ull&$o'un.huOGj9oWS2e*(m';81?[_RP/!$h+#4K9Qq?H&rq<+(d+>K=MV9f0f#lhbcWn/A.O2H;L
%*k#7`LCYKZB+MTCs.Bhd>2G6>06$Sko_L3'J"IK=\a>I+R)$^s3jNHN8&?9&eMVPq7:)`UHJ,6]^"aIOfEX8@FnCXX3@K8:_+%#)
%hdnJoTs,tA8^cl4h;:n^Po>!LIiac"K_^FCnu"NOm\m)6A3"F>7.j23]g?HJ7U8V<jcSq9Ff:0#jfse`3nC*lPpjO_h3tF)%%SC`
%+=H3/]nJ^'1-#hEA>;;E9qARM28E<EfAWhX$pdu0C$[`EX-SHUI=;e9H0`:_1Cq&)3/>q\ofJ[&SZ(edkR=r"?:1Zk&^>mt.?TGm
%&LAe[auk@J99FK&XqqV)%H[#XDCHY%7m=R5[0.$,%@\cb8/YQ&OAg6\s!\E3[#ot[(r@[:allRf##SBDBQYQ@<XmqYKZ,+CBo&KQ
%F&qXon1\G`N3Ml82"kG\(V3+q&5i3gOuZp9@NcjGWj0Z7]<`\@WA-dV18h;)(t)N?RYe_`"r29XobD*fN%Z`5bd+9UK/@l`BN1Zu
%P"%(Y&e?[U"9J$O9<gu/O<gRXfCW@V"+g5;Kr:Hri&&,F!a\Mh^(%eQWi:UJ02cEciY)ItEj',=/X?Li%O49b<aaF-3G6;A@4ioi
%<gcuW!Vh^H2B3tjU=?<ODH/JY#CUYm4V?."65A`4.\?8IMA<g+*MSudLa"F,rF;QQV-p2<m'Lur[jBCI0?tGA`G!AlOX#Os8JGJc
%l@9:+H_j;h8B&Zi&oZOS\DU(u>5L].89\"Z:Gkk;TV]U]nZ(=1A:72!T?Ua7\/"'#kq;h`]+F>Jg-#hGREWrE7DrDlB@5nH5\Wq7
%d`N(%Brr'aPLMFn4+mYCdM/TnY],`RhjX$NSIXIkUMk*@nNOUIe]n)p>u#MQae5\+DldGdq``5PIQ`a-'Z0HIN"eA0F$U%oiB016
%@UDja\YXl^2icM+'`Ca=NC$mIH,BpG[\P=IWp=t.$-!MVLpG)\Eflr8S!#ZrQemX0,r`-sJKY:Ai:K_e=AFg^BPUf48L[Z#CUH4P
%08d[h[Bo5&R/^[GNk&"N_kXJ3in@6e#IpO56<"@<2CXbe9hHGDNF=A3rcO-7^K+fT*>dE96;K$h&Jd;kW%Is&=RLk%KL^1CSQbFG
%B_,YokABaUclqI2neZ;sZ_++n_\Wum*k+FEi$E6NkG%diH%KVAB0;#%Bq`f7<^]K)q.iu>?bVSq-f`5$UFk1@>V^jpQ[N(B'm(S0
%/P?A,>`88EQ7m,bA8tl.ZA+i\@M^Q/.8jmMD,BM.l^-*Y`4l$73jA^gJ"^sLD19\See@r7Qf"(XA)8FYlW%0Ageh0K][Z'B6Z+K6
%--\LdiQ[;8ZENZilZq9im4QEHao\lbp>QQ^frCM7e#qMl:MkN@V[J7-QKJ:Bmhc?pT,_)rd6#XA@GZq4ST--)#SKLgH^nFGe.6iJ
%Bh&t][4KWn_qr_;kl-X,I\#&>]c;7-MmDI*?b>KW?Z2@g`j7r01e=]r(a`q?&WLK]er%I9r=piLMS\>T7Oi2nULWn'q>^`;0<HXW
%LUFRp\@V5^/PIr18Abk*%64b)HJb$#T;:WI_EK5B(oa`F1FAM'K7R$dkt)ACLriC].Rcq*:issXV'r>,H;"MsM]gWa1mKNPl-gEc
%RQR!uHk+A>nmk@P97reJ(o_@V1[eHN)OV[,".`)*r6fGTUeF0oAb%Rs^$2LL*>0!Z=4$_]>q!H7Fa@h`%fI``[WIF@1^D>6%MYa^
%P]C=!DKRT!BlM?!#R=H);MQ%nAb;cao=U_jjS:n':pm!sAqE%!BFNHOTLSQiFb0_d6W39>$Q7f7Y@-3mo3M6`/qBimY?b[Z-_Hd*
%&<l#DTP<MTb79#kesPs!:7aJpjQ3u;a7hT(&nf'F$itB\.Se(ieJN$Fgg1WI[1$d&kbgm\K4eKeVRq=IalX`qZ:VmL*8k>V>(F#J
%#^sdC&O'WP`U9(4QHnb3D)3Y/gP548:,*aJMGsh%7!k:d12VjWd<;<gj:OtX7Z@p_aJjASN3(!rW'_,$;`'DU6kN@cia0i%R6Xt7
%7EIURki+@p7ZA"B3^hl(&OhaZUlLl_,'=gSj$9_>@)S6'+#eM-7SM2rks,ed@uJdfn8!kIY5NA`T=1U*f#KC0R4ri8dnml`o0nS5
%F-lVao*`g,bbJEd4H:sjD=aOGP"M5cSNc0u%`e*+P*k(Kf9aEk)FNFo-f^nkQ:3Q"gfQu*KCgk$A>ClQPYOt(PO^^dp#S4]YA#2h
%+02!K$,J5!ro@JFdIB(+Kk^8P6Ip(9\7.`5Wh8M5di;^N,L5>^MY5G2R949Wi-b,P8ZZec"Oj>f-Gs(kJ4`)0d`\rJH&uhHgFdV]
%j9i1L%fm_cB3Euoj0C%MgSO>ajL=<krX@3G/pqMoI@kfY_qHP*\a9^R.;+N]30e"pV[oI*I(&'1%P[%r+&3$4NC=LDW:?rsq@`Ef
%>opPX$SlR9<N=dFf)^!-b^hFbU'Qo]7to'tM;7_cK\)]$5`-W\Wq0O#rMR)VLZg1NDbmfod#YCHXtg&3L5<i+]['!idbnKMqG<B/
%LCJ#'%-skcB`PPa"?VKf:qNYUqqf2G@dUM[-Tb!r0%QIHE`t?G=;]H\?e(D$kbTfY&8M!F1n^G"Ag4ObGXS;FPUtTIflC\R&s+.S
%h.EV:Com'BXCZ\.hPVOH#c7k\\:Vt1-=F$O%u5.!A_K#eGJTemlb?bc)`Pc:3M+L-J.BWZT!uor$Z9eP=jWB(Rnmqf1PXJd^6'Wu
%`*11m,t+&a(aKK*rt$qnd4kNnaVQ:$7[\W@fd7$VY!i*P_\@Np=NUG(Aoi33)W-sn7Pnp;eiS#MWn(./+k5m'0emTgEpB:I!GiY!
%*2O`LR!G!!%Y]'koS7k5XGSGVbf(&<W!4*d2YlM>b%`JP,`OZM*PiKk4C].9Tebc`5DNp"<+T2*\FF>\OqdpYWDXWj/W<ecej!)2
%WCq(MZf0%.#_plA/2>*$B;`$MUL"5!es5/.'[2[]?o!#+Ou$j!4aP'f+Ljr6MXNlglnj+/9mum0/\g(R9F7?5*=PY"$at&1](Zu+
%PF3/D,c5>&_9^FNfNjjS'S:tm\/n9'7On&%6](C1K;n7C%@HG#\4VXfjY"L-iEmrThKqm%N<,$hDQK+_)!lp2OcBQN<Yh0G1\ndA
%Z$AllN=qlZ4sJVrf'bZBl*6a'"f+dqHQ!/sD`g)a],+7(RM>4">Sn7rG9J.(`VW,DI^(X>akp2jM#/i+?'rX>onde-g0+u`2EUk\
%T2FcuR(fF?oHDCrce(#9YET$Y)38G0VEJ$ekq3Oa,euYRfIIlI+JFE/-Q5EF[UJ(22T3]q#A"iF=X3%;^:d[$E8D!NTqnr1:3oIS
%:"IaWduHQ=RFB_MEh@+drCE/Ja21BH:'\j2^oe\:,@*AO:*Zr(*Fg<%]QWMD+DK#B6K3U%2E`7X/'fPDO#VF`XBc-0]4m'PKanK[
%L""^<_`Sh.?q^SnF-,&#cr6<%fQSC&qd*T)ZfI=01ihks2U][^:H$YBePA*OaR$+`8-9)Nfgl3"0\Ju!?a+.M%Q)%5issk]A.9'2
%_j]sT+;'g64hq_p9g53c9*9Y$1+$dd+?5*[0]4!f5/[GV9Wli0OUN=I5YflMZ2mdigp[;qR2im@Hs(Lu#>A`M+pXcQE]47$B$E=V
%@%GE)*O)-WkoCn>2&CO'L*h\%J;Yc+HU*_E*;'>;Rb[ajE#S`UJ4$FB$O1ch6l$!JC'm378CgtS@K<p8i5U:n9js+a$sO+.$lIY3
%@MsDH$cNNjg03-@6F)Rnc\-Q_iLgK#[gX<PGe+K%RZM_<-tOg?AH6L4oSm81K`)iuYmDkhi96b?KbeXV7O;BM3qW67d1';p)\Ug2
%463sk(Z^tDhSt9$n;JF'hMQ]NW\&Ljc%;'VD&P21J[iJTeLG2eB7YK<`sQ9$Af7'[/F\kNV)fYKGj^`*2`E+o4(c5crZiJud4sIg
%1@fW<kg0JYeBT%2Nn"nWd6KRYht+]9$F,8idM`rY<*P_Y_q/\N:"Nt(07]X?r2`1NQP2BbR(ek-1SM2!e+?YnPToS<^=;S9J7V&^
%(AW&#r'/:.ndZ3GIu1HF)PIk(i2^\p#kG/B6Xp:11ad5!^E`rQG]?r#JN#^4],[cLaGk=p0o*3F#5Dm;P)_FnTKK>-7g0D\eIpnO
%^U5i1jGOI%&>aREXc?XZ>AgqO?rb"0SB6[;&8:At0NTckiu>,A#n`U%hLT[T(m0TGN[GBtf*'m/Z8GN:W@Z=RTq.n<R&NNTK=go*
%&Gp9/>bai)d2`?']iON1js"s0i7:KD?g[.X7$*#;5*XmA%"g*)8H8f&(k_lYEeqO7]Q6W4h+U!c$jj*`\V=Le&Wj>P;oaV\f34b'
%"Kgf\kU([8?#C7fjf2GslX$($4A!sT.s`RZO,QXgQZPE'ZU^c\.?`nG`>5lT0A#>&-CZqBD-SmMB$bD!Wjo@aZ"IM<K"FR8H7qUX
%g%/UbgR-&Eb:'I=RasCf'lp@V(>DNSA5BWPHDNCiY;S.IeRTYX\'gO+'uk7YCI>=GXEj^]!?AqF82gR'ok6&HU$&j=NHpBqHjuPA
%BA20)lMtgn:-f+D7#;Hm`8D*Y.oZn@>Np"uA6-F+![Oj>10^Gs1C+Z++n@nM!6,<T4Ju%;Si"/rV1dP`Oa37gi!JmAM.roAB*\c?
%^*u)W`@.pLjKPF//#,oWPelFj[]%j=QjeADq30[O?F^PQ%ProE'kVbJ27]1Ck\?7jgcCF?NpN>fd"W`86O;MYW&IX2S51I6k;J#i
%:iVK\H@KWe<U0dQWO[OO6b'!#k>=qZ]`eDR=LEU80sDFV+G3:j+f_8eXO)*<(=N]6)bE<@&Ys8C=u.[iU?WZDX8pT^8-.30A]VRl
%DbO9a!44'U0R3X#\>iZU)FcX2(g/R)(W\e<^6g&?RR*5UZ^>C87)'3H@1$lQ=5-]h]Red>TSm!76r6K_JR0l`!a!`'4@BOT,o9T?
%_,$dn4XL$1:U)7o+i]R/U_+#Gk)I)l@iFqQ&`?uf@b#m80i1_b$b<(\ODrQYo*27C=,Y`_5bFE%fYfZh&f%"8](S[q)Bk#o^HRX&
%MG*a-C6@jca1uBCP+l-#5eLt(26!S2>cLLc0T1WZYgTiV!RO;I..ITJgVr&T0$:=re;NG#0op%3S@!#(XUdT58c)KR$u'74db5bZ
%jD6DVa-k:7EN6;m<[YD^NNM.F7g<ge3NOIse8,Y1`biG[`B6Sh=YI@qZe4`<Fb"K9#6Z9ZHH.AhW]$lS<,[]DT2M92>L?*)2?\3t
%%[br_V`7G2jZNT3(I;Ec-[t6<C!:Y*,UlLF4hJ\`#A9kr*d=C%Y'csV9RZ"rkV&>+@*1L1V*-:43VhrjC_VFA:8\G?p3_*X7oJ'^
%ER`GK%?3%K2CC9+Z9SU]D5\Ujh()Hc?uV7Mk[B1]1o!,h;MrGo[(OdK6rEUUC`kLQ+K_&?LD44u)@b0RAW/oY>'Cq7R&@I4:JQgj
%/)$/h"H+6X2W%mEMK?)EAV^]jh=)PUb@_%UTP_eekrqHV;$WYG":fqM4)FP@!S1kfS75DRT/niVf"ppAl2i7sC]FXaOD<kr<-$)3
%#0_b48LOs7,#+@>MA(CpoT'5!K^X&L8+nQeBu/nE6_oAY4;ufu1=*6l`!HA,OF1B:'8:>TD"se/NfL:/,`GM#AJ0X,GGc%Y`s;j`
%*^uS2?ie]FW1`(>TdU@19D4,M`EI;a(rCBcfB+e`EXD*&FKGiV(=fgI/':tuN2lbgZW*?"]#F#J5asRu*755PW.W)?lp5dSL\9sG
%MP*3*"1(AlCs<ndXA*4cb;JYMQmIr_o2*_T%$`$V2^LT'gl2kG>/L!%6<cH/+H7[4%9=]`FBjQ4!N7]ImYYPeLhR;[I##?jNt;e=
%S]5]1:bU6Fi0YaRCqA$\0X`]NbchT@DN3')81(Q]2u33e&D]4.Olq:5c-Qa&5iU@TS^AVMRl-;/o1E[[_.hM532WnC;@Qu/&Sd#d
%.^0]IhJR.s;dak;(<[>[>?/NC6"b(O.V:!SBt9NEnl$t6aE2V6_!NIrFq($YR,&Y$]9qOMfh5XZDe&S@J@O>V]2N$$joeg`Y*YM^
%>\g>@$e3,eW!721!k5cADW<$RZ)s@r.n]qSg[pft*cEWg'&-O_&6DDtFCVE5e_)Xl`\g*DP9\B5%Vp]g<3Sfi?W.U+I(;!kE5el#
%SFdk!qpA.5-B#"<FW/F`.Qpk^H@mrm&thBPh$rhHRR+9@-gE9]'!BQ=>9iIp/K.N9Jg-EDk[O;>">4JmSSuBRYM)s9D;)MOVQlY$
%b[$E`9HHC[(jsanG7@JmWMt=H6AU"#Gti"UQ"tJ%DCLn0%,L<(Q?OD0$Qu4<,;A#.P,r]01YHhU:1J!9JF1bm'PEdIX0Z/5-n5We
%Z4`lYMF3pgce1"u4\_,NSP)O)/!'-;QJ--^W&&<6Y=ia6G>W@m=(,rV,/e6kn)ZsGRYOG*&+d$7@L-d%KPP&2B_"8"S#$+AqslmL
%A4:bLZS8HLU/MC`RVfN;+UWTLF5\FuUIcW]/UD>&GeKc$ml)T!eWg/9@bCJh7prDdCN)[>!WY8pSs8ViVkE0Dl:?ZN#t)M3;Yk22
%CkVd0,*eW"(hCK@o2iE:Hu.)<l$:>#'b6JWjEKpX5X6P?,%G9#.kD"R3]>!`U7F7Y0L>k=.-Cp(K^q;Nh"MWe7?01(23);`Kka2q
%:(c\p:p5o_b5*CGq4X<Xn6BfY%<8bq^o\YseXgd,+=62;:;F;MnfGfkH3KCue<gJ"+XI5Ti-8VIlZR[B&kSPsmWL=I3?eoiM"OmX
%`iW\u_mjPL_sIu*@mNeZ:B=6[&3>!+Gm9U?9=XB#i0\I5$q:cXe]e]+S%s7Fc-bP$==5?[Y!V'ZV@_N85/cRBUDoHe5;1Q,6LkC.
%@UUVec(-_HWi;m?or#+Dk%&oAYqN4Pf=)0^.sQ+VRqZV1dJtdUOsmIY6^DFIJM:b+_.ad4LC=pe]#MmV,r[GDkUsc7]rYG!"&UG`
%c/u.kLu$oka,Y;Hqmh_jX58&ZD>:QI)/eT?/K;1-rRQPhSUbSS5iD>>bW4X6T!hfto+g$2UUDIg;q<jG>.#5]2f/4N6=2ek2Wq?h
%mV6&C=LaLg<.)eeI7'WBm+PRI)gFJ,A#?7I)PVAlhK^AeRumS(`_N![oj=%_`Mum`!khO%L^3-%5X]L6D&USXC5.,\>2Xf)30FY)
%o%;-T"fjUWDmpQ2OBV_FFR=-Ihg#GW6mKX?A</E(d\rdICgU&o!k].tg4g=T%#VPQOX1i1_%*][#2CCMT_:\WmVg`d?rUMrU":5l
%K'(m'"R)BWju#sT98)47f^`UFA!!o8,6oG1aC910@t_7(C]i'5Hj(kh!7B$K6B!kiGg8V52F.Jf"Y%(4#gm,b6QA^H!ZU8C&=OfH
%JrT7`O.a)oS*Ul'R4;c=$R"K`/2h\pK-\8T)ACqa@*Go81Y/glq\8+!=Mh9[^0YpfD]gW4gfZU`$u:Hq2QP2*-eK=0_!E[_/`s&6
%6*rP2H//sHR<l;OP$Y>](,r"U[7&)K[#)@%3S/0=/c^Z2N8V;3=gp(mPE;n)hcMs40p(K^?E0aWn@:L@0hlZis38rT)(B7(L`'-)
%;2Za)Erf$W4t;OBU*8&)8*Pi!n>/U&oaiP)`,!ZjOp2(qTK=ll)$`2u%o`N.2FHqY='r@Zm,So%Y.\G`cjPk?IgZR.8Zbt8E9$6N
%&:fLK=BFetMI+D^)S0:X`%9=s8ST<L4!5H[%!lj1\CsOj[:;+JZS[Pm\L0fb*#?a@_gJN!+^iPTjs8+:f#Tu*=TmGErPU.t`.j=0
%1XcuWR%r.ud(Qk52="7qFQ?a1SDe't(^Zt<E!BN'%>*n*90GTJWdHEh39b\qpj)P^K`$SD:n,Ba8B=oDXpJe%g"]T\fcCiVXc+;F
%,V=k3eTMnfnd^U>8-UK,7&D4hM*HcQkUc&7Y8RN&";D[eP5>lD'ZCDHY"EoAITn''\9.e#?Bfj#b0*-:n]c3i>M5C%GM&C0+_@Q:
%3FQ0Z>L68/HF^R2BVP8Q;J=KV71.%6<,M+t^s+d>9$l04UFL_Oe,cr[9$162bn.otQ+q6P9X8[LX.DlBaquS]fM-'ce+$E&6L5!$
%Va[MF<_u\m^qu5M8lR#NXGF/%@c+Rl;:1R*af//=K-O@UM>Udn>\elJcbn2C@eG^J*0a8X0McNFH#ZJ'A21[Vn$P,f[86sZERXI_
%<o8;,K79gU/Q,KL&Ni:SAW+iU#l-Pl\4WDgHM(+<_p.I07+4N!XD24KMN8D'4euUt9Sqqb%'U+kl7TjEOp!fkfUX8nVg@&bIHNl>
%AY02*I4>e&KIipt!<NH52R5<aic'QFW1,:mC1OmWhW%;_CZQdU)Jj0LrCsG5NFR$;[1NXTm\lp;j9r$TZg+@-op+1;8QD&?@+9jE
%4ne4Q8][TiGpD'D/oN-FA;V-3J<rdK(C#/>*YlWq6e)?-U1d+h"d>)*O@R=P)Y=M,%Vooe^]P^oQEROf+^de6/V@NUiq5W1n3t&$
%Ha>8q.3D&80>3;q,&@#>V7_@Xm>P_[\=PPeL6lK'?Tp#%qEn3-$hXR4Phf?0-EP]HV.q8K.hR?O!6*^3C^)m9$e`sS&5f2HN'$V)
%7H@W?'i/*CQ3[$)_h;Tj[G4OG8d;4,0B%m]GK8qP8.iune[Q&Bmn_uAj4p&OauWG$kC/u)N7qcKCkT>dBSk?9f!79o*TXWQi%MVV
%WUYhRpaEm'I6S>9c$`,'HOqjlT\)UL<or+7[eO;Y!B:#;;RJ&@;$j+"UD([Kek=KJ-&7M:dMD`CqHH;&hS8q1%DCJ`8W%N\3*?o-
%F\OnZ,BNtMn>''jg:.Z62;$m2%icd=GQP9Lm"#45fo*9Y"i4qDKmmU:/J_3p4M5mr7ooA+q!`Hjo^qt:&"\7<<@<:Sf^;a@?adQ-
%Ha*7Tok$u!JR_32T6'YceQ4r'NRT1cS9:](n3K9Ze^]#pV<7$bL:urRLE4"fN3i@,WuF%ujRpQS>r"#o)6m_"??k/W6O[>?6Njq_
%cbHE8]T7&]qDh'LGm+.#J+3*J=']tHi2Je>Sp82YbN&kqfj9L%M9^Q]=6E6EGNJ@)pVahNNVrrLY?>#nX/=FD<c^9"N;i\o]C*ht
%A#gu!rP8l`rOA5:0*hg%PGEL+[KV*2N5969;G$D?K77t,pf1NXGi9D;\\I21TRVt$DY@JTb+MQ&^ZkI\bkHRYUF2,Zo:THmjEfb$
%ZbH-ts8O2;kC:*$YB=Vem(_A6fD:@X^\+c&[C>#8rS$#`m]19.CYe^649,%Zku-Dd>)RU7Q*,8mH_5HL45W)c]&OYE>^TlTQ<WBI
%\,3mtY'e/6B7B`[ENR\C\EYg#+$]5D>N&J(4T"meT)Rf75Br5niEH'*a$'=qc[,5;\&,PemG*magiV#O+8+R(Id+&$G+\E$T6]Z1
%=.ap<0DVI4Y]K@q5P'c%SpIJeaY.eZBb,L+MdGrEk<J+[=;q.scZn^#^>u7(5OtY#KXX2/g?63:A^A'Xh!b$$?g<kS07<-XJ,2T0
%HH=pVoTrapY/gS'Mk>@PI;ag4ST=Qo+8<Da4S-McHq>ucL=;iSJ*b2<4lsg>m=PAD0B<)Dl[uBhg'p8d=o+:flRT]$s6Fi@52u*.
%II,AV-,%l2X"BMVqP_G!qN<LNXoB3=e-"V+<W(aPT(e%2?1ZG@V7bC2h#7f@_#NH'pO:3?M+c.(c+^sjZ7joW^<N4`99$;WcbB%/
%9CMnOqu600^K?Eh)t)_STi:cQG5`cu4m12+5Q.mkqB@S9VfY^a48n&\\CZ?c56"shA)H0mjk"lW(V<C$j,@Lfqd%O\i1b;@^*_U$
%J)(oNIc&-e3U8lFQG^2?o7#nt1\]dT^\[92o"TXQE8P`^3TD1<BFT/GoAWCr3c_.sIfC/?peCe=RGBcmH/AAShl!/do0!mpG59+4
%&+90.?[nP`rOW$_V:,=g^YlaLLV@J;]A'm:*dQ;4pYYGPr2O\Ke"(CJp&C:MSb8W`cbH)Z/;;h"Ib8e(]DgdPgh!*BqRScEr>p1Y
%:HM:O90N'E#N%bKm1\pI7mHs,Vd/iOr>*KA:;>udSG')bPtR[5DS+L!D<G7&m$I_Do7-\te$oA52kGKnm/,rFPkjpQnbs'QG,\D8
%q7]?_mh]@*.kcDKQ1s/7ddDFr$SH`js%cndS)+&:\^W(eMW_bJS\P-s?[9J1(YjGnTAKCF9<Pek6%-p`mdnbK*e#5;l?6CC^AZLC
%^%(jsr6PE$bqK*R+5F:k^>nQi-a15SJ[a9>^"kgnE7"i%kO&$;J/eNl5Pp4sI-A94ppnF/E/W=lg\X24YtobkZ2<=nM1&%N\`gnO
%b-kHTr]0jYDghZ#IJT-Lq=D)OoZ4bCs8.g@q8T=<qk.0W&>"4J++!.'^N[Hkr2^jor\pI\q;tKQj1A[iPR$#aZiA+s2n\X*O2'bA
%)*taDpI2]\md.R'SpfW\5P3WuDnc$WmsFZtNc)RsDgUu7^YiaBHJ69_puYe$Xj\>5jkcj.g#i[5Em",@kC<KKk>p42`*`Pa$[+I)
%::L,-QbDs&T!`e;Q<`_cpV5]bf,ef+p7LsShta1ro<mHKgku\\FS?HprV9Onm'EkMIt6dUps@&Dq/KcWTf_^sn+u85;E+XQqqh+t
%qepZ8p\L@couf"<qX,pi,k%sYbql!lN"bs@pBMMJr&t'LfD=YpqEM1@r7-!SjCtfBc)Z?jM&5'4&+%Y1TCe;=IGpq3n(3&uPHT8h
%-WZT1bhrHoMg)pOU\e@^qGXSDmAjR_W1>LjFQ9"kM!+cclX'CoF8+ubr7&4Tm:YVprl#hJ\EP-,qN.WQm'"(qkFQh8^@,I<=RUP+
%V/LbYYJ9G(Yg750I+.P4A@46Xqr)btb`s.)`PDdas.WkLrMs<'j6%N>kKj1_QVIL#YK+<HS\P2ODg:]HgS5U@Y'K\es*Zc,O2(]h
%:HN?epNuV*r<ofYr@;f6pqEe*4V@MQN5rX.?13-t]3b*)c&q4^SK$EOO7;`_rI^_(^9Q#ArR.UXicT0ac"^GZL<%#C[^6N/nTB?R
%TauY2GCTU\D6*@O-XQV?Ip#M3diWtl1H'.5e-ho<ZIceSf3\7V5-D(K0H41cT(HgerTM<%p&2XNe&/Y"m&Xj6jb'11?0gDIjHiWC
%mhp?F_&r^Af=g:jYJ'2JkO*-9IEa^sG1PV"rn="EgZLctYO?h]:MoMbGMi;n5Q'_[AUOKLIeP33Yh&R9%t)So?N9_C^A/S:rWQa7
%#B'.J:]L-:5Q9A$>CEQErT?Cnj0Kf4IP@;jN441bVY/UQ^$Y?=Xm]Rt^Z\aKlh>ko%55HlHUm,-:\Kcl]`%I6bK4+9pHR-9qVcY5
%k)!`R:[@3Ci$5VtIcbQtD/XjF]?bcYn%@i>s7=c:qk4T5rbq*Tff+EX[nd\7cD*>sp-6oln];=?YFkjBjXWFY)/oKSm27j4k3q1!
%\E1BkoUmSFlF6f[I=M1gQ_1qBB\dY-^?*XaR16b)4nVO!`<1Se"7LKNdJ5<)g[SACr]ef;DZ8EUrml.Vqeit0V/QC?^]!(4^Zg$m
%L\YL#516p3HB7k1?7kJee,-oUoDeC<?[_LXYj[Xb\G>9:IEsDbZCLKL?MC$%IH3caH0sXQN5ihlbQ$A[*oX9Z0`Cloc[G]JIYscI
%5JHIH:(3W`/m#^PpHJLX\^i/.qTVg'NK*CSfF-U4JUdXmIoq-Xdg#i;)_TRJgnTW"KD;#[qisD-;rd"9]`5)m?>OuapH@s;J,V15
%e8!lccd2XT[(ibEe/s/7;kO'Y]3]O*1t'ulGXr)-rk8&dPDSs<a'S>k+8Rh/QB/]UQ`de'e,u<>cG07`?L-`LrS;Djo^T2,me-A,
%^\?VLs7q_gl_Xn]e,#s;ETmS8f@ag!ahG:R'41F2rur-RlaK%?4Dhdt,CYZfA,YTNmsjLp-YtHIcVr]mrmceu07WcF$cY/5Hi*h_
%@/X9dEQ7ejm'L2QhrW9&]^p(:NIC5in,A"SGI'g7(]SB>](tstp/g^1q/p?9U:];=hYK133IgBk?[:lQpT*b-Qg^<N$2Wi>cM55N
%QTVL3KcdJn`HQh(F7R?-%&;gP)h-h"T,uUqq/[YT_!h9^P928ikKISPrU2p;9BM6*P.?4gG@0s&^?(q&??(AeS7r#kXDD*Ih4OT6
%]3]XaS*f,'0`B#3bWc#M^]3",GPP_B^Yp1T>$^H8s7EI\?TrYN44YWhKJd9:Zj/bRjOHch57X5Oa'\A>J#&;-k)]K:lQ4(c5reE*
%GCB7-2_Y1+jPU!b)kM8Adqd?jI,_?dnr.Y0"8gqrci=!UoT/Efm_c5Xm)c$s*p_k1-a.]?)Xc((qi9jDm84r#ZQ%N-q,8C7j#90b
%@B8GHX;g%_cZ&Q/s6,fQ0/g"\4o!H\5-Q\Fe(Yp(p6[6-`5rCBNH*R*^$muVKDtd=J,eVsdjO:\I-GSLrFa]aFn;Lqr5ZSKX<51J
%.;.Q-)f5'"r2II2h3[THQN-FP_CJD%Hf/UrM5>tkk%W.fi`/o>4C.iap\ZhLn;mP4X08:Zp.djMgp_aj'C48]q,@=_qlb>4rDns,
%><hm3rCl)<U+<K%T74V57pgK9=c9'HD@\r,o]P*+KIcIHT'c8:lYZROT6T7s4mq1VE;6]Qr18tN5K$S%#N#:9X3Wm(/8UTDVc3:E
%h:_4BhMK;O`1rA7T(h!oT6^?+chj[\Y5]YX9m?Wb?i&f4V>(#h2a*#,e%=t\i&BNmmi0k^m4GMeg*Pq\poFGU?a\jbs6S?UI-=jX
%gdaKc),Ied)OB7"%mTbJ0D_ZG*^=Ec=jMB=DpgE?e6fud.:RATqpE1JHQW+F`l1.8(N4]@\Yi^-_V`0GnX4n'UL3g'4_;h)j)9>=
%PP4E/YJiSNs,TA875',8O'OkAN75!/Q,!)R?0a(<Q"tg278JEhHTqAlokT!8")iYN=f36gd]_]D\bT/GqHlJ!-Vs9Z`K,Gm:HeTq
%/m;BOl-^qAs2?X9b*A/LE5>3HmuR%PoNJ/_G3P!)plgc??gNsuI-WT74QZ"O=69O,bE)\b>Aj@I[KQ#;mWHj)nI(q7q818K[WATs
%k)4,gn_/'(6bMkDhnJqN=7>IspX,;U/pmSerq%FN$ia-II*:"-GKMAt55T3&LT^XPlp(I-00P%+e1':!ieEf4oJtNp]1@Im9:t^;
%07No\Is=)o6]ZQ2#<m;%-iWZG:H/GNiRmbYoOf7O?L3jtGghjX?HkVTougGXF9oPPGn8kN-suN:QbNBOO'fIhG<GW\%53%D;m2Rs
%cJ;S%jX37ln*b\loqTc;r_m`amlrJ6`D?EnlQ<`b7,RO]s+e;^Nq02Bdmeh:h3iW)l^H2$B>+k!=&6:`h9uNT#BcFA:_X%f+;cPc
%)F1=DPV<@m-B]np'bN.('N>KK>Uh.h`MEWfR#kkZ'L<uq"UT>Go7h\=0,,+prUnr'Ve<T!rB"YaI<L#4I\6@[DLHeoQ=Ab62sqPM
%,J*82f?B[Fle78T/YTE:W`sA12WCfSj4+*kO2'GaIEh^"3<R=jJ'6g^^<+-+f6[lDEC2GFOn\7)ph%c<A&q@A:%rW`m[cSH^=XS*
%D:bY!1N1"e6<f<7ph)hkIfD>Wn'!HNB!/`4q2]]0CM*23<Hn)4?b4L,h=cl"mlrk))sifO2r-3(@XZ?17+?_7mB\,MZ;sB&>@69n
%s1l(PB:W=M>;5QTAa@+UhR2aQgU]u0(2qP1hY"]pQZFZ!2u*5P[p;p6ZCUmKH.U9NB856U\kNPsfS-D=Q<<Q]_k!u\Ok&ICDr)t5
%d/K)TqRuj17H<#I9a4=`EV#G33Q67XcBp<[iV?F%39`TtFj(!G]R>.k/g2;8^tP@TmueUoB(+HfB#,muTQoC;2btB>:?g'oN,'M?
%o'H:tW(m4Se!AA/]RAo.ZV0^:*'a+]/[iX,YF<q(;Z/,<gE`DLQ&(du68J&!)^Z"WUD.+aF8@\2XaKsDM=p'*WP*>t;XORtf$$:T
%oNd0ecYTmCriQbQW9;36]sUS_p2>EQf'[qOM%/'1]rHSHiP])Xc<J#3j!Umn5()f^$PpMUfhO$nmWB&lQ+uY<0C6=EDHo*qA:3`s
%Vq:7Yr;DB5Vss&"oN<Cc::\$GoH^NejC^^2p>*442Q_=Em7/,(ab7!=dgOd!=E8'!c-,bfW#n-NGmE]Bf5/onrU/\n`q-+84o_f:
%;_C/HUhc@Be_=G>i:#G!mC0^6H"b7PLRRf2hnO9G@.H,>F)/t5YLbsdlaU/j=M;[;ZubV_%;\e9"0T@Hb33.X43]Q./RDeu`adKl
%k58*3J,aoUBkR)V2.`p.bkX?oD?"/.X"2b>bKBS(MV1,+O7(S@rQS81F=uu"poFfqHo%(`[iUu?G>@lRk7517o$)A2>diqhSHk&?
%33[&9f/n0=d_:0?L5bS)1\"1W4JDPV9P[W^?0L#@e_4RFc(-Y'mR'c%I;RM))o(')q7c4L])3<bhkpmtnW$b9#)&hF[:2eJcU'MW
%f_!R[<NB/MY^YV6gV56pgr_;A>r9:qE;h_9k1t#_D6`-ZN/<g(9<N^#mG,F(kI5g3*bbA@gh#2tVOpdVc!9c-?!$^q:&\.B*]3Vn
%(-h-S0=,#r#eAOBnDMcVhgJYtH!JC*TDnW?6g)kNC\MI;:GChibc;gfqXWXVUJK1MlIbqpQ>bW(kWE$q*Vas2]NR,(msfW5Wb(p`
%.KW,10Q,;83tIlNl`]clG\c/hgE(kAj3Kr9AaZdsDV06gZ41B"h[s.@2S]"+MKN:nfY6>;48\3'I=E)Qf3;H`f>Cd?mG#$sa6n?\
%^>HSN<m`r??i&.'*J]+ALKk(uIVW!Yr4>^qnAMm[Ynn0]gK37Z1]OWOf09('q53)j\TYYJn,3*q3_WfVkoo6"+*d0ZpZT]r_/P1q
%I_'ajh=1?MH,i7r2,CFUWTrugQ8`F:c>mlmo\iTr2k"s)pX%":_/VGT_4%!pcbn%22Q_&oY2Augo?AjOnlW?PJSjl25<.7V\kH?)
%fh^-YRWj8XgnZ`IF73ZJf5CVf5&C8M(%[/kqlaMqDLZrL:\J5SY$ZS:q3aNUF87&]\,M0k=OFPNb;\RC3RaRt*-:*2-0p#[Y./u)
%4,YFkOI]"S6gfDG_a06N,ItPG]Q2EL\g0B8D1DA6Dh%;@]PRV.orlT3E3>\DlOW/QH$&.DnZmR)5'q@uNIu!:Ap2qC;]gF7j/sK7
%k9&?iFkuAEgt5^1#HFqtqXF&OGPnDQnb[5_XBmr;@_WRLSVh:1]COep5MZ+qNO/(tCg?l._HS\\e$`(r*Re`@XCkUQh"d^mgAX7i
%2netNUU./6psdFu&jcO:*dR.jc+B#.D$Te&gA9L7Y<4`/MZ3!IoI./[i6"-RIe2SOh]Bnop6gp07k9lgEr2.#3Z\^mHq_Q]f?A[*
%XcL3O^AE\um_HP"]?H:^jblpi4)Je>c(P^!D,,#:2#"!$f7(;Vql\c4n(kIfFi3.QrpP("g:m7'cTYV0ne:Vl:De3)M(Kmuo%1X#
%]&]mEO">SDSI[p`Cr<,'^\[er?/L(FGQ7XE(#O>q_#D#o^,9j)I/O<=]^bQU8+4.Unj2),DKVaARu[He:;1T%_P\/6s2)s_]k)AO
%GitAE>Ka3%>;guAn^A"M^[^md:G8/$l_]O!0'R]1iJ!O:F8T`8/fB*![?IKEE:`Jg(-V9eM_Dj9l>*T:?@'<Yg8hEi\Fc1Zn%J,.
%a]FN@e>mZfj',H)jmPi;Bn+k$B:RMQESRs#VVQLGoU@@9dr2g;g>m%h%.)[C[$p$(KFj2&a45:ueEMoJ.pZeXdHU95VoF4?5a&n8
%$h:#5#5:JA.Df[mfD&I3Atrit<XusRJ[_P!8uk"5qQKo;;h^n",$GsSmom"999M)Y,i@Zr%\3e_eINb$_7MV9VIAE0T`YPo01g%G
%E('*4%=7d=<.Km!?HqHI#VA5"1CeEfoWurb'o@(5Kuo@r6%"?%LFKLk+=s,'9>I-/UXI&gECB^KLmeR6MNT+W*'t`9bk9&q!(&2O
%SdL/W,77BR$@E&'`WkD2!4/-,bGKjI8u/"Cg(QQBi^fTRr4LoF#neBqMZY<NLqog[r3/SXd3O)?:8/ZCQ>aRE>2ueG:g0]Oq'kO6
%S;]1RjJS@J5h4*\B'CNY"Qb7Zl9D#]!TcZ-Bb8$lq-_(J5&T:f`Ek*CAAV-)'`^W58Xru4#aMlT1E!5q8[6^&0`a*fOR5adLVrYI
%7"E8D,0.%^&EV4s.@Z)+MTQo1RM=:Q9&t/`=KjGhhiY3#AD+sh8=qO8&TO[7d#k\X,3g*#"IalqLM.q%GHo(!qP!OUnB:XOP2iiQ
%/+]/sclEV+[?RI%j93[/@1o>/7U7:G9n*XUbe:Nj&3``dI@PG1_"<ic_PcBCM%b-b>YjTsbVpkWS81Q*IgLO!fTMaMP=9,57o8/4
%Nb73Q4qj9^$^i<[(Psa$$LuhZR:f[T7laj!-;eeNo<OMl6uL4JVF"5aV+3?<5[`Ps[M#!0&EG:CVs79`m"opTcmNPU_@gDo#Z3oA
%%#VC9I6dqkMb$;&Ql)%?H3-;CVACP76R@"-mLa!23(dtN+!+5Z80T4[;j%Ud;b>>7dIP4cINY0*TqsSsAl-@GcsV6[Pa",gfd'1k
%>&Q#jjuCX/9?q,TE'(V#k[Z.oB%inY":J21O,$?r%X&^DE&'/18*!8Z#9nehK&Oq3E`3i?O$9[^F[WE89nZ.`NLiq)L$cqkAEA_i
%SZlXVJbY<4*i;t6g*RH_9d0^K7+mf>O0p7SA[s9RQO*S&9oHq<9LT[BAAW7]B)*uaDOT4#FZKWN4&_."((-.0bLGceFPO;-q>)<*
%!M6idrDNF;R!9_FM6'!p@L:M@P'3+$&46:<8r>hVoOX%LVEW>'&7Yp0'gM.iZ5Bh2':0M+f!N3E'a98,9(4.'WfoIhr<&bEESTOT
%A5dD!KDZ^S]@X2Lq0*EjEZja\HDdCF7IssQ5d;LJ.Oj><7j<#`@<=KeGZOAo@6t;7+lNHUN<lV@TkKJF4u]1l*BHm)c]?+=Z5*Qm
%%Kec$J7TRLaHf%e,-8RgIV5K%'>)2,1Wm]m,NqXkd&D2]mZ@d!N=0nTcV$DL#agZq*>e)P3nmU1*sJK>BH!?cf)\aXO/:+V#0'6,
%M[:^i-I;<oAg]Yq<h39XmsfS*Nf[mDbD3gs#`i$I"\b#$5um,JV/F;TF,7Hu,<s$Eh$Q'2^s#,p"(XImlgG>XM/pDtTru9CZoe,g
%.4b=b_qeFeEc/q8I,`B/K+9\b]Z2n]of;YMq<Qh*k)?>T\^g7nhMh>Mk],h@E`\=d&'R$5d'r,>j2Tt>U[MVS;7PQ(S,45_'.8g0
%G3NGdmmYifY7SiuYcHsK:$i=Bs8+LAkVf0l0Dt`E6&p6/q,mg3((.f<">@\Xk:jto0C3%E-ldSi*rP?ZWViag(H@,c?WmdXP3_<O
%W;=a;E7.1Q*HYij.T^;uIK4bj-hM:2oZCFR%<I4eHPjTV:9;(k+Ar$PE>aqK_ki]`Dn]N7+amRR4)<Ro"&>CNiV&+e0^CQ37$eZ1
%#^`.[5I/2fKo794kfE-QqNAu5CMr%G=if3NVcPI`9`@5Y@<<rkO0:@Z>[`EC3=FGWGuL=`F<3WO@_'dP1du&/N\fSmIc%ctmG$sH
%oIl3+_,Yj*/JlR%rLWh^\bZ1SlqbY\%&kq)<=QKKNXiTCYO#t@rp\(sa'QZpQTn=aE;0:(o&h;PmVZqABL;DsO"j!ON5kkg+.jma
%eh3#2h;#[2WpI4O'<ePM3`e7iakVg8mn)i6Rm4G9qlTRXknPP>oB/<PE.n-Po'LkM?eh1M2LPM["N;l4_5CPQGk'!6q!YAHDK#OJ
%$&a'kA+n?)%J\tM`=W<,*e*4U+nGC#T/@^8A%;LnC?^)kdm*i6Wp#:7\%hRX9YjY7]%U-P<;E6R6_A1Cj&5et9]h>.$"<Ih'p$O2
%H9K$@q4#F#I`AMB]m&!Dr:S+sE;O8RQLD<Ph;tshW+Z+Tk.P[CUHc@BgtLPrMVc`-)fbn23TRPoeuj@3+T8qHMgJ1'Y2EBoZbLeS
%CD9A5Q^jCpQK%5eq*KDo`"/?,RlB2[5J&K%dbOcF,NR#A1Q^8hVVuj_l5f2n`uc*]$h*K.8(#FK/B@'',5KQUZG+2ZS+-FV*D^c5
%Pr!=\\T_@!C_A+Fgt]R*'rp&LkFJ[bZtW;\r7^hg#Ms>Rmom]/[Wa>kA"'"(Gl_))kgs2s?DmKDLub\-R[ZO2>o<@2!2r,L<%&/\
%^9@@J$Mq??`sgG-bI`!A*q&\P+;^Y6[Sd^h)t#blE;=k*c!(tc9TtLJVGX7oZS*=/W;'B]dsW)FlLW[V'Q3imI.q1,FoLI$g:-,$
%f)e]qrj/Hhm<9ol\h)Rd]QZC4o^Uu)gj#DQdJ^YU[AMgDI9,pSm[&YB/pV/To<q)Tl[%GNhlcGHDOGr>TeQ2b;O?L3&"HW:p=c,#
%:T!*RJTosp[6R8YQn\9co*T+oYdrhG]l0@rfDiDK]2t%LGFa!G"*Y9==7i#3hp":lNA'`Lq<j7:RgGn>K$V2X#n>SRed#jQB:M3H
%hQ)YiN.-P"qtS9WjSQ]=N>c6bM@UdsT=T"(IFi.#h>'"eAif;R[CC)FSV>'`r5>LSC"//kkq*hCI;bT85TBXVBfDK,^4I9`'/T%l
%P4O%`di@FlktA&n!F+%A[MsSZ'>5_e3DZ:BG[dAu$e204]:+5_D#'r.R(7t/29CIB4&;5gDLm+dkuCXij/@3LQ^u=7:0>,@qst8N
%^'gODf(S`\jOIk"*kN=LDRlf%Rqhc2#NaPV2`<U5J,@(6epm<WL6&n7Wi"e`6f&q&jMpAmjU]!YR""B"4F61An+N6^)eP^%GD]Po
%c@1pbIu=!Uq:\Q<9m^.FZ#(R(LKqMOh.lf:X^@CdWm=a21M>Qk).I^2@s1GRi:_LfR0%:Vkp=RZG(6h]pWn7<8*Uc$B.o\)YAi+%
%dO.Yj:N_gOS2u#98$=N@oM?&TmoX6>d#%4>^UFs7q0fI!JC1D^4S8$N<fXUaI+5_Ter8'*Y5>#;:TV67T=D;1@U"*:$@+n+]CkV0
%[A&odNHb&PWNH)Wk10%ah4J@,E9G$kQc^_'Vj4I\mKHdg$`D6fAPG%3E?Fq<g*aXQh#i"*MT'_S_U?Q1Kkp9I&up6B/ap+T#lF"i
%[TB#@pY&Z`F7u],OVs(jmTTG2TcWuXm2^A%6T;RRa[<l$p8ksfgd9D2iOpbV4pZ+:cb"Cm="(W)]):Nrb%&6^3j=%_luPfA0NZlL
%++!m<%:qern$d_NHL^Xu^^[ld%)(YT7pfE0B'n=Hpfb:Qc,u@h?9bUm_)?RE)Fok'r!L+i+#gd91u@>tEW(r6]?%D9ZW&NRU>oGt
%!.H>B-9*>i'F05Z`$.%+`9M,W;b)KY,B]><^XNu]("-Gf#=Lfa)*!jV`"`MW<>G[tTL^X1gTe<k,:i;\^6qs6cf2Qj6AE[PC2R6G
%R/Q!p&70[Lh,lOtJ]RZ(K-?Zo:^H0L`Ar(o:tbE72"NsT=d871q\0PaS<,;?!02NY2MPCi-iR5rFKa(#7(FRP3@OS23@P9e6ihWJ
%q><AbWO=$B3]WmV>(uZ]f&u+n\h\#$I'<$mV5f1t8oC.m!aG$H&WI3^$ftuZ1*q3j@8p\gMSmAYm:+Z4+\>kb1kC1D0B0LAlBO\O
%b#Q8e#QdgC,\T;I[*oX"gGJYnNg=^[\7T]Xe.skGTL)U*)%_3\(G'!m'bZ-eS<SnJJG;YRM_:^f#+j)TPn"_;DQFP1SU<-p<ata"
%E[q3C?lb<*K^9qBI4J4tGm,_ElLIFkZ$P#p!8qKri^b=_4`uB#d<AaXeced\\pcGZOXFFj]Q]r^_hsa%WN#cH$ulDbO?g(<lP'gj
%'h:Mh7uiCNCDVSc]YI')$[,)!m^85JTn4#P(#c.MI:UMS@N84'8[o!k/WA5GTZ7+JW>^'=pIKpqUg`rI,Tp%eC0(Q-P#01!)UaWH
%aG$l+("IW+69dc)LuVMN5"H;WIGCV#Tc(dg,f35!cq=O=O.U/f5U.ih"C+=X!Ic(sUTW*;3WO[kSlB)AIUC0/,Z`H%*TnbL*.I,0
%!K6Or*fEX2V1d7sT$$]%n9]jl"u6e-#;3l>oIeQ@9LVR*@0WIN"^u%FFeM@CObPd4TN(\4Lj_V%3164./6EFU-V.FH7[.7hcPO,A
%p&("H2$c2EX%8ZBKLlij(Ye\BqKrY;=&2(!*[?$)B;5poYac_65[_!_-ok6eGsUSG!ob@N]aS:6RWrjK"9,;=!NV=M.V5(PY!RbM
%c4l,8h?1_:7UH./'kZGk;HD,p2(B^orCQ2i9+T*,n#.#6<\3u'kg=>c_B]pF,%N%Q"c*^GL57mhcJkeSR.VY'$\t"aBW=e/12S9\
%mXP^6Ji\^i[N"]c^1X-+XMKh2iAukI$J8\q8M;J7f16*$/Yehm$L*Gb-tW]!0f1fn.\;o-E>Ai<"<u5,bCWA"b<.5-<eVT@WOAT*
%Dbsi/MUNpjYfi8r5oump!a.p$d\M&oS^U+n!0XO:1nUr'Uat_$o=<5RW>84U=@CE.0[LFtZRV5@#uplF[E'sVCfN.BFBd>u/Bg8c
%%9.X%Z/5/lZ-*;rD7*fb,SIY$(GHlS_"UB('Ar#Lg']ahcq8gsQ#He-"3kIO'tCh__f/7ID(j4pFhNp&8bJ.dk/i#Pjo?;d0Q8eh
%Csu!uYA\&3-k5bn%(.0IbsCt=T!'>nH`$iPGf;tC$=K8TLcAH;4(d<9o]fgA"b@WF/tWLAKS0RjdtlD5:gpYC8Djk=!^7H"8tfZa
%oMn:3&;2;)$hj^QRaBhnLMEP0]Y8E\lc,*g9PruG0n](j;f?;WLq`G("W?OM/>'0oqCK\.:rZ&UUBopi#=:ZX+`]/<$f+VZJs]CU
%eX&uJ%2-NsFkkCR_V",U;Emf"d1%<^52#3,,@1[u/:40=#XF976I8bE4[pQ?*/-_:+Vk8B9>XYjBKDRB3/SSLRcq*n`[XN9$qUA_
%YWnokC-e^J72S<=OHikAPQet(>%l<I'(A'c\n;d88-O(2\g,f.8d/m]^?peY<iWARZFj1\&#Ek4%JD:"MkC*j-8)O%1:dHkNBGmn
%A2#k4*U^t8.qC8`$sFX,3N7o[i@P.o#cAiDPt5*>4I>iEgM?YBk`$Gn^d3<IPHL2gWE:HO?flE.+[-D>L`*hQ$8>t899<9C8W7C]
%LCUj)C.,6UPS,AqalK9&*Gk)0-YYCcj-jE<>C4L<lf%q&@KrGKOW+_0Qdl)2g12@1/)1tRAm/_>O3hMcEa#:R3XV-,`td'cbZ+Fh
%0\!4"P3p'3UD&o"f%DmeU2rSHV=k:ihTej:W3-8,?\qcO($3CG!&"u`MrG`G1lUh!0!M"daL*$]eh1Z&[Sfu;YVB*29u(?f.n>>F
%)(;3E#`;CO"Hap4IMd(3phL'7Qb_)^)4K>6]SJu&6Yr*7/jj)5ZG1s,fG0i-0YAN:=>B"(YlnhB<B[d(0Re;!$hBcJo0&4/<^@!s
%@.&]AeStu'?Aso\]-<H+\@O0r,IOoJ$"C]E_I_H*9%g(OU^h*_S$X#!Rl/WIO\=^rFR8Q=7QTbN9VrFY+Rdna)=gr2;034#`s17+
%6[DgAIZ7V""UXF(P.[?PQ!Y<a^pj#mW;ns"#WulM+K3)4$/4RJq4_^SB,6&ngG767A:F5.NC5<5CfC2-TWXp9K4JcDO1A]!.6>8d
%&:Z1X#]#BbDNgFq01Z4]NT;4i,0rA/plXB5`=dSa8ph]@*-EuEr,q3.4<o[l.:7TWQrqn$7LWt)mYdmKF8'/9HaMDoXb*UolPdIX
%WXIi$7(T$_<oYFL._t3rYF5ub6CKROSR`Qf+;fuRS/a&HePV^>+4(KaOK<h;K/0uoi_orAE(.'?LQO")K<OGN!1/T9k!rZT-'1tg
%;?^;N$MrF$-DKhl`7bAh>LP#4B94O;g[ko:FbMf[QsWB`?!_?Kps.[G*6E4\!BnGU[@DY&+9S7t6THkFkVK25lPQAWO;c[Y%G?Ar
%^b]oQJligV,c7Qd/Ttn<j_6YnA8J,j`!=t/f8F3`;rBAV3\HmNA3=i9&;a,_7H8W5D^a(*W$dWOE\/.SCaF$)JPLM.B5H0$Sg]dD
%-7@[,O;N+4/SjJi)bGTkQSb'!Z:Ig?M(NPFikT4E7K+VBhW=l!+ta."8Ts8^rji,IH-Es2AO%GDcG?`RTXJ\Xo#n7@3,p-LCTMY=
%Uf9I_MnOg5gZKL&QWmr-'LtOo2gAlp4&GuX<Afd".!?K>e8,.PY+DJ,.5BDk>;>g?=_8;2ZSX_)XcX%QgkV,(_ltVoAPJh:?K?0b
%k--O<OaEquP4N$B(EtRH]+QGl&kN:J(5/V>=4OP&B,SRHPqgc3PB-F7[%\c_S8rKPUjV+SGp)0Z08ald3Nu'Wg$mZ\!2."0Bi2@d
%"pb:=h,:S]kO+5Za1Q3]3@mG,&0Lfs1#q&)F;Qe\4L*>K1cb&k'8L#/4f(=nRs@pEW@5P+?TfTPFF0I>KK,A032GWaF&H0(3AZ.Q
%Me!-"13:.!EoLYFl.UY"Re1&H^?fT*pj4r]GU.-C-armEk%0+n/9P6u6o2su5I-Jei3I6AP/UIT](Elies[&uI`?AkRRCi.=:X7f
%4,uZ;:I+s]2^6\Og+Fi?l3Bl7+r#g/mcjClnepqAdHAUmd\C%DH9QY-;=)H7,"B_;'-3V_E*h^@J<6O=*!fp1,m"=kNd)l.RITC+
%=8$gu/YZ9sDZPT9bu)I%Ai*+J)+%O%7)qFY3*%:gjr"g6hR]/<)i83:S<<&NB#ZWFn0(m$VkGC$l'H*Wq0[:)Ne0P*$C;gSSgs4^
%7h2&!-mpj^k'(r"-)']kQ>N%X0s9.E5bb@K)F(4;.OsPNA8A`BgHFcklK_S"HnTX`EY.dXbL!\;/_3CNZ*d=QcTif]1Ms'U3lU$q
%<)Me'`t??qC>B")X3G^[@fohHBi&;/KWoG#ag3r>I;XP)/;o6;l+ZatV?c3k0aH1[DF)O+-0KqqUeX/XiQ4guM*-V;":+8!qYOgR
%KqF-e@`jss6;2)NCb:W(Cb6DY>>((1W[102FMU?Yoq8P5j&suk\/*Ed'1,cjfQ;D/<`/XCl0?8$J.5meAf'%1`f6',Etk%&n)7;I
%M2%)12sk7h27Wut`$>PC"Z+[]]6SXAHqu;/#=4/9-kh$-ErDU?A8+K_r\o^F8Mi=/Z!&-:@[:abqC4t?<4El3ne:rYXb^Koc!KsZ
%+HkiA>\+'55NMZL&m<3*5Q2MZZbL1e3`:mfc`<(29DDS<4S"+%/ug<%Fa/2%g>U+A8);H2O'L[#3pVI:mq\a1Uh?;rpj3(V+%FIT
%4tu*e9o^Up5)"@M59>P'=h]YYJtRNt[mC+7oj>2,BMs$P;dM0Bf;=aS)*RtNp0alsD7c)k",j@4q+XU\mT8f"bBlsqCDmKkrR*24
%s/C,=qNtd`+5Rc:Bc#V$jF*B+#V,Vm+_#E#2NKlDbEr!k;ZRdYnB`ZnLDC6sqR]'r:B0qsH""=W6Wg&L=e1EWHr;U_[RVlopUO.T
%_B7+jG"ubQb0duMbF;<bcsP'=fI_SG]@t(d)GaW6jiWF66CZ]+@3mBl^IuHg#2MNAcEq03eTjTC_J/$W2&6Pt(N8.0ear_IKna<.
%T37[Ue1&Q?o2jeRKgN8*Z_lgJ.!saVki&"C/-F=@lO,XISp0XGB,'HICtDu^;/UlB9d[QO5;6`;;^c<bopW5bj%hQg8`J#kf=\h:
%>g\H;a'Eq=Oa,2Z!qUEph=g?nd3f]YfnKYGWk-DVOb5?+HY;c#pAU[MBs`<goC<R>Y<;H-$YM*%[D,XRP>ZW"K3&nu,R6.(EljRo
%bO*&_qaX>H4bjblEW4f`/RLV]c8[W2S5[eTX*^AonUeC)=ci'sf5FLLB@smBR)r)C41R8AaYE!JdC<=<!08"fMM\FXW)6h-k<J[*
%jKX'n/V;nuf5pRdqK(TM#Hu;a(KV\s`^n]1G>']]le(nY<gapt9qU4A:`(iO(<u15<*%._DgL=oe)5pDoA=rehE2(nmH>0NI&-S*
%/uKk#jm3p.]YbGlgS9^0h>-DkKn#hZH/d?:f=ZE8TuZpU5PjN#`Im`LF>63tGj(Q2$LJ)J;>"4:ca#t>^>H;KCNZN=T/<+/[p\$p
%Y?0PhGg4eAc+@>$b1B5:?H3kbI:M*V1[gbeJg.N*4LTPr!fEj1Y^FWa6G]Q[^YdLER[a%hs-AmihTa"Z'abrd?Ztgp?glgYn_GQQ
%kbms]9jbVV9s;Db7L"@WC.dO*`4K7NFKX:Uh3X<V3r6?ZDHTY@jdg<GY^#XF4.<Xns4i3K6?0YJ`<5-Kr8b6^Ee*1g(2$L,5Q>lb
%e8(@eV=`)P2Tp<<;#gGgT^FTbM(bJ=c\(hD%9Y$i?Ha+H&8-7=]q9A$Gk6ZPI=oD)$VN2$?U!29Dk=3g9AHd/CS%uuU1<'B0(J=a
%ceW3Eo;iRloX``Rq7WEG_8*g1<5W&Ma)jGo[,0JojPB\k52/ot=ooTAp;LHoT:+"fp!sX/\GFL[VHKmpj*HjKbOp`ehm7'&@DlBh
%.,n%cFt*>Lq/,*M-amV)^H:2qKZA7#Y9VP>YHkD5)eKdr('iOZ=[(P5\Qsj)OI%OoqqJN&AT>(KT:RltB)r0_f0/Y$1#;Q37GS;f
%cgQ'u@FUcM_XH?n.nB/VnjOPnET?5m2]((\o>Y!.%iO&B7c@66n:1JSh#(u/H3<-,04%hb04M-0\!c2:l.YQ.-D/Q/"2tZ(YF.Rt
%o_@`Zpo<F<R_N'M8`A*EAt2q9HCMP9c=`"lUb9/enI)P'qW-S.$/8dY\*VWM/hRQ>cA;#`du*]E%![$9\h=ObI(O%G[SNOZ=6M:Z
%^%TV.9L_2@p50@jM3^*P=&8NAS?[UZHM(i<H$$Uaq8[B?rnQ'ljC#,DkB/<iVQ?]1h\hp0j+OJ)=utJedjp2c%:1t>l]U]NQ))_h
%X4BJb[nrH5Yf;f!&EIp"3r43JebMo(T@gC>o8!/XjrQ9%Vg5'%/;9L!d,,r$RU>mr/2g:BI-n33LWlN=pNptYh789\_g=?'fB(_a
%;1sA"i\oZfeV5_;O52H"bC<:-HbX7=o-N#>LU!^gqukWZ1)d+TqWnFXj>"Imr`(N4d49YGcfD"$[DO&Vg8Lu2E7mNHDbJ\`ZO:E+
%)O4HMBABudcjuCJqq']2E7+'@d8RPqoaghhrS,'anF=?*T!IF4On`g@jm"Ci]&VSoaN)k;hn1ol(G.iA`R[]cV:Y^m*j3i^\'o!&
%o)fnEo1N#&C3jL^];%5\5K26okAKWk.(X`LrSTA$a>Z:CVG,pRfA)DsMqE3ro4(D!0\<iGIaWNOJGksERpJtbZf.%->PU^7[_;_5
%%@-Tfe%td^q>*pAftV=o]%+urRTV('T!'3E4S@9[m<`$fU%j)c4"i]Ml*B8r%n7(MC;2:^4h#gX40)Gd?6e(6mshWSf:IEfp[?kC
%j,4W[Y&<TROQZ9tXoGW&d:;ee48,s1-JuT5PrIQIl]'MfIq2.ZEDip\\)5Pp9hhC;2dU__p4g>Al[M7!8j]F*IVPAGJ#[88IH5?G
%QDuk!#Lj6c5II26E5-:u,6r=*cYmZAArF.j(c/P5XD!@rc@QQt,";F&D<h!17;'Fq)@<8e@4.L)prTo]GjHAa&dNp1"H#L@d+Qp.
%'iP0]'#Q?DNQmif0P*5F3p;:L0s\V.E3>(>$33bid>NK6;URPNMk\G10!RjZ+tW7>nP1BjFg%37q$BF[6B9UD&nnQqmQG)1fX=o/
%.o!m6('gui?6FBZ7N):.pDSB+iCS.q@c/sX<*aLK'1afZ'F"?@)YN4$obctQ>eSc'lj$tmX?W?96A0)cE'7H?>d]Ca&u9LSd#'?p
%dj3$If1Fn(PZX)2J4!QfQj[1G^6>;2ES_T$=q@ZDWk^[?"IG+8XdCOcdu5j+kEmjoU^9UDh#(=AT"+0<D+DZ>PK*E<,RiIOWNWJR
%+ATh;7W9*A+q]OopPg&R$RE$r-QpWo"$mK*`S>sR0*(DSD4mInFXP2+RrKuZp0dr=$FhX&""gNbTZOa#^5SdD+rjXI"S<##Jip'I
%#4r3%)890pEeXoqf?_m6eSJfI'QjNIrsH1TnWuoP$A::h,"oWcpj?pJ>@%%Y5uU*YmgV$J23L*lirO2C86tJ"!@PGaI,J([!ZhN@
%+NT?uji]tD_p*HF@hBnU:;[JD-Od4kAGs/L%bi">:h6O"/mr-/iPr60Kb6!TMZ6+AUqg^ibL$ZHV?@F@%&W/K,7+dDQI2'hQ`5RZ
%i"m\/&ocK&HuCY,JQgiO9*V`#BP0+i3-j6,J>;,p<GS;6OdAN0,mk=8MIDmIl1Q:Z562`>&-^$0`_t\P-o/5-INX[r%A*tbW_2$>
%Rc=aM5[$Ii\qpUBB]%/:8g4)V2bmC.=eEl$5o0\DJ`gtXVdl,j!>CQ'PJm\0LeAG#I@QAVF1?QDY%>i^dPJ<3,miKrYT^nd!#]to
%qn+VA+t&?cN,/n8ieLh$5k[/?&'sGJOjtT>h/tU1ds#)S[gE9@%877qIOAHVc9Z=E%.CFd(Bs+rkDX4>#l'jB$9V]9#=%Z\LfZKO
%A7a"d?ka`>A*L04TLPW765Z7*QQq73-%&<!=:B=]"+C8,cT71?D8$ZP$4"aDIJ0N\/Il5(k['@i/(.m#?Q0+`nc8k1pNIb"@pd,d
%5k%GAWdKkO['0[p[sZMRn3Zo/NT)3k6!?Bj&dF+GIYeNH5e%nk.`EH!D/0\i'IZA)!I]d_'0^X`nhg1i<EsGn!NW'C>I5sh+;"sc
%7%Q?&g`'a4PZpki$^uiIaN?pm8MG?rWMKWIMdhP;d\%LHic3SsAO^[l6'=k4]FGFoeWYQc;'oFS!U@#m\l_W0Djt0W@N-QopnJC$
%k<bi[MUKQoU&>0WI23bKI*HCF<Ds$aa0V)?(M<`$V/d%/r.8#m7`:uON9DMWGfHR0<IeQ3j"(m>``I>%d>D=PM`?S#+[2TSEChuI
%K$-!:cXE#pH*Al_G*FDN$1TkSni)UU#ZtJ$G-N2U>Mq2<Efu>EM$"2T$UZ5Zc^G&;_8>OIe<ko)a\&\c/V/[<_"_Cca>aIr5u81U
%$IlJ[FoZ^:L6!bK2s'<taI#<o;&]RiQF2W,0]Oo`h;Vi^>,*m_c69'<,@;ZN;=*l]j39Unih[J]X&CA^+:EtKJcYCD(8iV?f+Gu\
%a8iW!;4[nT(L+rddZKpdfTQ18qoeYl!*H?jE&>KGk"EK^%DRu)E8WSc8B`ANRHacoj=j80SADV\qIUaV9L$B\@L4r:'PC5<'WKrG
%kt$GD&k=l\_V.`S69H"qm117Q^6@gI.0SP2^EK[mJp8Lq=P+Ap#+nKrETlV8+H(-S8g$8/CPF+sU33aMj9mfK`T83\bcUpp=&XL8
%m&<8?0=*s/E?jO'":,t.Lr@qUO>kdb`/s%lK@&?)72&j*>4[JJXF.*g(4P^c#%mh,0`#7:.mcc=LJh"=EYWdY&a9S;mL\\#a:]P]
%\Kk&CG/WoiKNrCK_?^Z8=[?WtaXXo9XitMqTj5<kVK7"nN2SYn;_`b+&fl\IRp6Cn&4^WC%IN:JF)@(R3ld6NlS[90CE)?$q^g>!
%PC&hm/r?A6>`M`6)G;"?;U+JUCpG4s-pJf1'gR"8M<[JsU*J&?)P.Wk&V0?5ip"6S^_$u=X;nLb+]+ju5H^p"9F^()5G)dKHj%2d
%S@%W4I4qA!00@Em(%Tjm,s7@,SV_!:S`*;&"_.b<)h@e$N#U68:`\\FE%3*0XBFdMg<WU#9Y2;gi3[NErf=rj>?d0gX^J"+gagT*
%Xtir&6"-Y$]*W(A:[ikCL+qEmj8Yu1dus%c%t2VEY+PZ..rT51FSHCHr5Vj4)ZRO*df/^1$\']o=14'+Ck6L$?emp_r)<0dN%H8g
%>A3\:SraXIG0^Gg$iek"`VdJ&Un<$`T0`ErTW)97<Qm\i6$GP3!?9d5kd^-bEe(UUqa]guXieh[s6SBI%=>c`+)tl@3B8A=Y>Zg8
%?X-"RrTCP^lJq,])L<4IBZI#b"1:]rX/XDEeFnjp^rR5h-3$D`547d/29"Lm'@&\+&HY8%o/h^rEf%R"g`7N:haJDpZL-n)H6-G9
%0Rgm3b6FYd]o,D3\qT&@,6-E>kF[0=iE%Ct@9]u'Kh\>bq>8kU\GjKfSI1&l=&86g./^sX9<Jcbo?L,=7sF<6H!EFi]kLs%Z7H>G
%Dg:cflams&cC5'7_/ZC7^@RE!/i3_om^uk0s(>'=lfJPmeAkq(kk18`Sb)2PYKlQ5n9aneE^TY]F%p5Q3ToDqo'\@^cC<:t4GuPn
%I4I7(n]?Lp+2'dPE8r7X"+c)nld%`k!(YGIi?E"3GjO42'.QhET/>f_c+A1J^@qL?:Z"),U6Eh%qR++9:HZ*:i-ArF+50GD<M/OM
%hgAjX(5;2NJ%513-$MJco^QY/WUbP^S[;\+hLp:B4DJC[FHF6nolAT2pK_oNKflMcC%]qb$Nk"b&aJ__.V*MP72L*D0$o$r@),S<
%"^(9j4!'f2EJ5r55I';#1CM54T/)kMoA<6HUUj;ic_2iXqDZrn5CV&k)>BN4k`Nt-b&TIag>`RV@=HY/bPG*!5PFgTB>DHb_g".a
%))^c&PJ_AHC+-dfSgW]\5H-JtIeQ$K(Eo?\N?*qkpRCZ>6Dk-6#lF,]_lp_ke518s1IJXDo'"PHQ$u>\Rhm`giFMj$NLDUH.29YZ
%O"POdrk\K1B#7t8:.6+$GEc7-mdA%i?=2\@+8Wpu-/sItEr-:^'p@u3^Woao4`r:Qa?=Eg?tNd;^V;k:)\;1s-U,9:i@FIqcU+i4
%hV[fX1U!B)rK.8mN#Fq#HqiBQJ*@V*Sm<`QHsl1@oL8.#3/a\q$g0X]jR2rDS:94]S_pOpK%M\S+'nI4]Y!X'!L-!-)je4Jm'^sB
%f=\E_=o+j&obT=CkIA\W>5#nQ>j#dHGt2rIqO*%(f9,eYH0*FXYIJGs_OFE%!u@tCp\'ep^V9N5<E&)bQWtf_UXQDNo\<^i.e9*"
%!<(T_G0V[t?@W!-kGOkV(c[#u1XjW+9g.V"caS;lagU?oDk8c(:+s>W]?W:)k:D%-MADuQh&hf,J)==s[dDrMfn6ub5VKkCgeD'J
%'ArE<QE?W7lu$^tr7"_67gqU@Rq8dLiAH>&f%dVV&*3MM#gu4+^]'F`-C\&HD!BYR:YrG3h!rA,pJ.a7M&f8oq;)e%=^D'WQ9;0T
%,>hWOr:m-p)]gkJDg^L-g#j0S>P!:7[qd'(/^;p^^o/c\^V/aPk65NTDIjF:E5uIe`t%i\Cu2k\2"RA#\!a\hrpYY*?SA#UK%/i+
%+*uIccbI$aoA.[K]Z@2G*Th4[kKpm1D$&-[q4tRsiu*QRdr$7W1>_WFBCF(IHoSh+^),Z)JgH;h'_H;!1F;OZYFbhhH.&TuUV6PU
%LMim?V=oJlT-[=gH1TnkL9VKj\%Hi*GHQZ:9>P"C4uM;h_OU[omeu-tAWpgrSoid5o8*WqOCG>9Y'YQUQ+\W2V")DZGg88:/Ud+5
%Ias`s"V5t-N7mjTLt;t1Ea[@sZd14n_#qFFl0Y<M1cJX7mH+S(E^0)ofon-I03s.ApODi)Qqi?"#ePM?qnF]._Hn1!dV^aPmep4S
%c8_-RO$B%n\Ks4.T^!1$L.V8OL1YGI6SI;7C1I1RW/&??O`Yt(l/7oBI1QP5[n@FB3HWAu/+;n(\/K<PJ?/2@(CQGpJEJC]L:ocr
%85R"[hVPt``AN?20HrI5:.`,hf((;9qV6^CGot].jQ2&"]>`R5C[GWt:upFc5eE`]'iTk.W]&k5K>Ic#]X-gVCTa59$B9<r&4Bm>
%Gk9J;c+`YT_(oskc/3KE/=Q<Nqs:)=2\e]R^A[t^<Gt'BX$t*iqB6EU"5D^_I(Zl_IMdTOgZpfZQ@ZC*]\=pcAH(;hG'9"YeEcPs
%%hjQ's76C_:gmi_h=]W5jg"iD`PW$/f/[m_V]<<5><K/1DUn?][B6Nk"1u<OIK.YdJ?<n\?JC?\q/5doX'^3oH3L>]=-)$QJ$o$D
%cgUjJbmOn+>rM'/;_$s<g33<KX#KFuZZ#kp8n-Y([su!ed"nrq!E\(Rm)s=[p%Aa(<gr?F2'6YkZ02#?4$HrTjK;-[;T(#q3n=`\
%flZIl\]0RG4+>>(k?hHmlI0r_ECiUk?E:6Xq[X]2V!h`L1&\M`s$<+P+HgUbX+]BS(ZLBCiVjBDl+f&J\5lut!7>3@$4JI^657df
%M=MsTm3H^%SN)bn?:b2Y.8D&j7_):Kcm)mkBKc>c,Z\T%cj4Ul(eFl%&2M.mZ@"XU>=S$F&N*8s3J(1J=4FR5]7W\Q6=@qKjjOc)
%#rmhE?X[3VHOO4$\8;q6Pqo1,i+:CM)'<$q'es!@0HXkR#)'*ff.O]=)>crUHF)`IV$]K$@7=k3^R3Y8\@Um1TC9a=\g'Ttf#'k>
%(;>sN=ISYG=_#8UVX+]+s,^.lN]p+5"o<u'QNMR86P*Nb1MhWf/@BTe_W_WI3L=_g#oOM=js*aO%?rn*n1<TG:d#6E#sp!8cnfVA
%GCd.n49coS-SM)gBQK@+qS7==qb"jC=;E.N3@Bq/[gW(g<Yh<-$geeD!L]Bt@^/7;>LcW+F"pZ[NU!f:hjF?Wkf*tUF4@s8MP]qm
%GSO08KO>p'>56%ae6sI+J-kWFn]lfR;\3]j_TD!%(iA6$A+!JrAd\8PLie(9Qq1YdKi+>p9>oDY>TKKMAoZ`KXZY6HfF&4fCPK)+
%;0A$4=7/&h;9S`n)<2m:@W,EqLsRJ7NgQ+Kn;l,\#0\A"M@42\?:]N^mB6:<T-oFKA*!]jJHmRu2MHN=[CiP(F*]?U6Ps#m\YN3n
%n-_b'JY+YXVZM/Ef;ld-EmH,W=i?[2Q[QQ0d',>5a@*SCi+*@(_*TQ:<FGdB!(_p-EQXJR?#^'WN`b,F23[@]@#alVa(6eMJ>r=d
%BU6Rd!\ZUM6)JB<>?^_Ca9dP&jM>0p+CqZl28LWXh]<&dY?L_qPjC*E<?3J@G-8'r8r+)t1VP+/Lfgo_j<)tH!^A>j0lh=Q!#C/_
%bdo>*(-Fe^;k[UVgrmJl)l<t(8-OuEj?QF0'kcH:OF]eAf07OT7S7(o$<A%;@,giYG/9NZO`@)3q6*2%nC7l<'g1!=oOkA1+AY8F
%->r'E$.6U0i?LXi&fL<OkhcLH+Gju:/Zo/J5\b$[Rc,T)phR$J72G1le3sq%,oPbYgbFX@mK<IQ:u3ktGPS[fPZM$)3H]'E4G(A"
%QLe%Rf74\CVPm&u#>D'#hGN\n@(_^f'JU,ppln5E43<UhiX<;4!CEpHL=l(h#%k8QbQYZ**i!F[ekua]U(ajfMrk:miE1f'<rLXe
%+UF$W&@lFqZD^HJPJS.(kR9seLu7<p=#tu^_m-?m=&9]ZatXhC0/AW'$ASqQ9-7)`i]D[1nUpc/'PITt49_+f1+H(n?dg<hRm>nk
%\VYk+*K9QGF,1su",mCQTL;YMK=4D4@0UrfqVmV5OHr*D?>7I6)6hK?its&cNnIsX2+hp9OQL0)@h:Aq52YTZ\37pSnd(+>)?hg>
%$*YO8QKL1kKCNAa'-bUJO&e%e.4^1(G#Xf\fWo[H2DL\YI6WK.cIP"#qdG$El>;t7j]l(UYo4hq\FXd3P;%P#2Cl'A#Ve!OneFQ!
%_<>eH>TdW3GMnQ6G[^lG$PO8="/'EPSSA`h:efcs4Q9e.K;U3;W(j97KbHG'q@"Q'iCm+*h=CT4BRs2cj*qHD5c"DZ343FNW604g
%MJ.PJG8"/1T&BWd"^8_9r;X3=J\OEY>,mm9h6"C$LE3>aoukL,mR(@]O+.%G>#-bMFCf$eqVB!UC\c,qrbogum(O7<^WVuB&+T*!
%4+i%X=^FAk2^b/@f\c5"?PEjfAfh!IN8u*?QdA<$rVtjf5;*_`%Mk0<oK9as:jQhKQ*Q_Wa75(;8"nE'H>:7i1#;\tAT8+C2a?S@
%G$Y.5kb8Ims8#Ngmb:'NrIf_H/l3D&8U\o`^4LjC5`]DN3"Ddd.`"ON`jF\H$(Bc\RP7Xqo)IS4r8ZmsX),EGmd.OAD+t&+@S"]b
%IUDl8c]Ep2PHV?KX#9(-*<#tGga99(Ut]HjH^K#KE)N8ml8N^P_S7BrpuBE>&ERqRSUqi[O0q!a8q6TG@J5s6((,NRdrQoFpZ-fW
%r%b"(5B$DS;lsGCVt3ZJ55(K>*OO>(F.]$gYYb+Ca51+'Ie,:lK3[UnGY?<3pY:+TT(&=.T`,)ciDeNp\ghHjiUM+uT@(L);V/WG
%2%(T:/%"X+'KV2fF2@7]L$R]V1"QkT9]a;pjrYW?-qp?!PqP'KL6'tIs,p^TSTS[#!HZJik6r=eFmaiAQh*^h(jc'(F"b?7S79'A
%d]_QMP/DG2n(mlgST+4F*B&F2?<tU1V:tBXm2Z]hS27;a\UMhm^3Ip"c]K>eqqCWo*-'XSEK?[^eCVsi?U"q=FdGtCa=.[ZS3Dc>
%pNt]baHL\c16G:tR;ZuroBk7'e9p;S9Y:;H$b<a=2X@+?TSUEsF<*H#%^ioD^%YRe@Hhh26OP4rRFN`bQc"aTbu=*M?SHWrbfKs`
%GE.%W,Uit!K.Q)8#u/qFcFs2(]DCNJpp.ME$2)S4MjWYdirp57g0]0T9ikUE%]'YZY,<@*]ZN(WA^cB2"'ma-nH2Hg:j:*)n^%^\
%a6:65(L8cplH=s)=)W3:1X$!-Bh"fCGirmtU@b#VdUVWK^2WpCi[5`AVYE(CI^n=IU"qIf&>dDBIdJ.3SpBF[9.9>cH-9R)JmU3I
%Af]bgHDS20f$CNU4o9a-?]kKtKN$H/D;)Sc"bql`bZaPn_c6K[$Qg"%Vp!Yi-fbA["+G-CeVH/)NgDo0KK&#(2-\Zs3NcS[mj"l7
%biQ:CncPB!2<LN\Zt!dj.s^%0qC.pqD>f%a>?<GKs5M%:^OD/B>Gk[\MGJ+Es#d!-:(R;hjF*lZ((rbr\&V@Z#JSps\)\A"UO2^Z
%3&/-qZ+b0Ls1UPWSp#$YeopLdjFj/0.d+e,o@C=H7N]qGHYcu6e#h(gS?/>;iSD0$kj-3blME_C7.[d$`LP\LDT^kErOle:N3Ii:
%L1Nf<*F"iSSGcn'j377)D(]h^D1*q4mb2AmZ"3?J?Yr!6J*r5-0$h@$L-C*#I[ZF8gT+9E"EYYrX?J`ol%,t?9eTtt/+f?Q=MEKp
%T.HC6S3`ifp785pk!1T2^AIiYH\S+m.(sr`ZLkKSI*)AY)d^5PdPK(<7pV(Bs8(n?^-AReo7:2:f">tJW"rZsB/\TEm&MYohlrk2
%--!Z)?`m^Yhh6aTo&n3DDtqt#mpEYRjZAb;"+1q-J%9^FLA0S32Le%\`T!4!V1*YD)91d%mX93)ghW>_*e@\'r<3uWN6($ti;+P!
%jC*9Z>M.ZXhY#4-H0o@UY^H#1$%TUI!t#G76)6t80/"K:399g:"B28Ej[bYHD,]"nXiYSh.EE^X,3R/,f?;tJT<beHX4m0Ojl0*7
%XNFF='h,#M#ZPdZQ.2m=OM*--aPn1YoFjeM)S&<3nB6kt;;"Ro+,@1-bBco90Wc9a"'@g(+S*R/62*O9YEsi0+rAG-<Ml@/3V\%S
%Op4M\5mM?IG=KDAeWiM4pbOB(IT6dg.gm`R/6W<C.g]2@A+-Q;elFL*Xu'0SF!qR#Wu-Fi*j-knOD:(/;<Wk_m]B$3d5\MgEG\er
%qqn(\N0DF'RtYOQ-ISuC->`O3ghk$j.RY\"(?3e;84Hd#(/>)Arq=hL&I+q^f-=<N.moi,-A=o?j'4Y;6ree5ZT6G-=K0/M2?D&(
%*e[L7)(<:b'4Wt`R]t2+J\'gbW2!9[blXC;=q`+;MmV!#*^iCU^$O!3mm8n8rg:JXUCGDrc`f24*G<el\5"Kkfg6_#bUBVf.:L;&
%""Cim/']qSi`J@fk_">[a3c*FR"Ukq+(5srkdg3&AJ:R.71_!k0l$pON<;[A9djVCh-D5F!7r&KQtDIo5E823M*5H:OGZee$HGI=
%,?8acG_7jYBJ6C6K8O*RM<_"eGW+1a9KA4D7hXsHg-jdMH0?C"l\\:a>R.u6mul[R2$Z4Lj"_(f(M18kGK21_//h;(>Kr>N0ags$
%.7D*!9h!W!gOm1:&Irb[eLZi%qT+MqQDGteMTBpC"]7K/&pBDY%J+V^$mm^hQ7!$-K5s2D!?5^-%9Zjp[.12Q;eEKBJd%pNp#0-c
%!*gXhAmaVE,7_sSM&u!.E$EIJ7g)Q.Eem#K,4AHVO&uS"U$kZ]gg9^B&0[576Xnm9@DiN!&/aufEF1%)X]\U7PV*cDXs?k=),qBY
%DF+-19I<uMW$nZO;1?,VWEXH5"18GWj<b"YdHSet1\MG>&jgb)91:*Me'@MBW_+)+cNn"-M$6Rt^?sRS;9E$,[YMF;E'_V\TstnR
%,M,h!0Jcc5)%d(jE#+IY`mJ3`HjQWWSqY7F/TD8T2FZo"Y@6@HIRqC`DX,3D["g<X0&B),8klbRSA5MX1dr#[9FF7MEfZ352^Y4A
%Qu\fA%\'QZaB-WW-.!:2*uM]6:B]5^#Z(]T,=0pbL_TeE5GU$e&m,B+=sY1t1S?+_7$$LbaWXYT"27n_^S+(kj:7=8gLUr-pZ0AR
%]Vm4d#SeXN3gao&^!o;;`;j[AJE`b?b#FKa1'O%K2'\MNGT$p?8E>+uMA1J,8eEgaR[,rHi@/7S[`qWLjMj&kOUB/U1aj"%/.&qa
%lUhQD\9@59b,Jfb3M3M/iL0i_*-n2=G.GJ&0M<%/>Y<ujnq8?k4+<jI&%\d&8]s@na)b&qX3N,LGEa'uQM-t/--2BiaSIlibUo+b
%/!.:Nh+Ep"Z:%k.P0E8b($gLU<YSPZ^>/#TY_s`p7T*bAU1(4la(G%&+pJoG9'DF/OF0cg"]HYn(Q-:tULleY<#\i&A\0c$dn^UZ
%AJH>0*#T'IW'EpUjnf\<VUI;N$AC$%(c"\$mj%`r/@2G;*s36c`[#D6XA!F`,1SVJJX)0/Le)4-Z'nW+f8lUQ@[u.sbh.Y&/)o%r
%JhcgY?8cr]P\%br9GRi=b;Y&KR6%Q_[Qp8*:`%)+U,$93WGHi8;CEYJAXs$k%)PkFE?S+,XSEV;.:6bbPZ&nGCdBmQZ`#!$=&FpZ
%JoD`C&OC#&q<K#-n!8)3`^CGQ"UW,.#_Kpp(WOTf(.Uu971+Q?/-_o;Bba_d[5p%!GXAQ'SO=,)<tc5^"r-nNZ>G"s90lIAM7B*D
%l1QP:nV#Gm]i[m--:>l3d=Q%?"aRum;M^hHUrOM/\eE_N94f)1/E'-qfN^\MG[p%.%_B[RXO&,<-`M*D"DUEKkd$VNbaP+<",q%+
%kj8N3:4VNf5#fgefuMr$a=Q&#qC8ok1H?`segM"Rd?k-DDfS[DqEj,&>VTk*X:/sp=LXbf#:51GAllf2c*0LZ+qgq&UpZ=2$mDIi
%n15]@0i#.#$23/[P/u<P/eM=d<(&r<X7g-0II%44Ks7qO%l-uCH@0-<V#g]-*T]_L4iY[&LilbCfRi]*KQ<>=$3DA/FhCO$Y"ZE+
%/$=KNBgkVCEqNE1$lE2KKOE8c(04Y.$L3q');gj:ar2[SlrofPO9gb;l8u7MI?;#A;\iCH;WeeRDA'+seHERSP^H'oYp0+E:GuK(
%Jafo=RCK6V19ASq:pDQ_,`*RO&TjBD\qp6Wg1;#_;6oFmli<]R"?Qma,GDFp*u&>"5r&('m)I2eJcVP,-*dg;m[-^UbHg9n.-7+n
%mRgsT-!:FacbSm)^<\p"eHF-V*GQ5Ej\Ai^R:_148N>c""?NElD\?ZK!iLX`_p4A,H6cs8T\D#Y)hMg\[V)nfAm?O5Um4R[N+0&4
%j^e$LYW+SkoL*E!4SarWg0']nG3na"))k>[(8"3X5CCOa:O<).Q]isgRfq7*5r[r((:<>(.b(&%)_E0sIHk!lD?q,LB!Uo//007E
%3T$h^!O&=*H-LqI4ATpT4nV3G?=n,'LbRG7U.)+c&D<Je\;^Z*R?CHZkG4(Z-^naD^n4$`R=,A2&^olC1=/j.4=S\,1X\OLF@\_Z
%<u6E#.>Dja<aCR:WK4`^%RKmq3?1:"5p.h>K`Vdq8Q\Ht>A\d33jpOuGMV!3]6NZCi>^Ig1=0jZ0masN>7lfuMVHAcQRdZ89)ueV
%m+m?!VB>"JS7m5/@/Dh"KKu]6cEep/f%=.#:D?s!/>"R\.@^"Yl%D,.,QPtQa`9DOJWu2EBr/FdSe0V%Ehl<\@]h=7\ZJ$+.V$K7
%<@D'@[$c^o.ss:sM9cNSTQW91on)I-G*hFbE^Ci"n<J#)8W>]-*-%]`ehmeeD3-_Sp]jtVnO(OCm)=/r@:l1=e`Utc:1f@)KPQ%@
%2Ej#eSg4q1@Wc89EO?$]b5j%8DkKiA->gdA)7YfQEcdQ1Gkj\9SckL\3'$'"A"0T9-+cgMU/#I(\q8pXA%(\p@NkE?[8.D;8$$\n
%Nl0F(ocsc'V:7)tq&sp7n2sP7A!7b.TXHMo$J<!\69+;oG2>3`#fMAV`h<U/dA[<r&sBqA,A]7Qp(OJar(O'"L!-#ReV%$],QKd$
%WA,3N8p63=J58:1^Gse"7!s5!@nt=Dicm86ND1,MEf`7,PV$p_-G:[f_f>5k<GIG>48Cq+@ulTrD(&N3Y/I=CSnr$'J1G$.cj^sX
%/eU0kGUF*e;.K3XGkFSV8Dn/@*PI3*X2J*%lo7n,OE`+Y/5je1i_/8=A33?;W"^A>8t++8,;#B?9tG.e1&n1A11p@#dn.[/*/$O0
%OtCF.bsFh7a^3L;bj+Fc>*.IVaM'1M:@u@&T)(4M&ZrcpZ`dVmQF+B-3GPk.MI?jHEp2S/B#$6,,:SH^3E%*4F\WXRI%3Z?*1EHq
%dOl)(CM%3Ni#F_:dnhK-BeGbN&<AZp]171FT:N"?#G8nQaj(T(>dJr,SiAOJO&GL8EaK-^1$cLt6J'Jr1:1JGY^aRp'&#<?KOX/.
%QmrIo(`IH#k+Uo81Bs0eQm&&\G8Yr7D,mnmf_$MP.+9soZ*4icDcp'h!/VI$"L4rlam9@5N@0Ql2`%.*X#f3C.TD(^\C=bl`mKeM
%T/Z/AX)aeH/E>gETVtb[0Ys*t)q?X#?H$[HYbC.K_,u]!AiFlZ&=Q-2V=+:]W]5h=#uK1q\bRJGO:Ngab$c9L[[tPgk&=c9k!`bC
%8J%R:e!>bge_)LtE_O@TNd6V3d9o&fEe#Ah@:!l]aCM0[@gV*<l;Ylkh&@'EmC1$GX5E+3d)$g+V4nD=8"r:@F.cu:jG0mDQd^Vs
%9o\iO4t+HcD<S<'BFL7fMHoiVd!8NsK^8j$,7AR!9,rP/YpX`WM)qtjLM@`R("*t//&mYt7IUbZ.q5O/<)<mk(p[WVSh&,erbabL
%UI9-$CFS32U,<psSO?6sOj=upbQf,_5h&t/art_,()!kX:Jr)]j134an0qhXKlu6LIX3!\k>(a@"33@[gg0a#;hYuPNC$1fb8MYl
%e1(3"GWnjS<SWu=6%.jt8u4L$60/YJ(.CiSC_f%07%/C]_`W-XOSX"q7IqCd.=A]7]/<-"p.M,`#bZfGe]siX7#+72\B;o9;/\N^
%=0`f4a-XE':E#)68l!WC,t):=Pt5!#A`8@6KBpRG"lsE-)V\.(l_n@>V[BFSAI:#;ljG,6(?c7u_o#qUm<PEE,Zncfio6K3,Lt7N
%e1r-C,;F36!$'VoD:+.AZf0\sEbD3YX"an,+k=2W3-'(7?*Oe%Cf$(MZfnK2?qd?o+_4VrW(P-f$`G:\EQ?GV-*)]D]>itug.(Gi
%NBII?Pe9dX@t/@sn)dTWlSNi3@!AbP<B$^nk`AYoqc/W+k#5:?OFHjk#XHB,F`Q;U[3J2m%j0SLeB!AqKBkT/);]f*nCfVi_fPS,
%qEWm;+a+sVGk$k"q):`E8P5IiUP9:rW3>Jm41q3-m8$54<MoiFG:>8%ZmYPYNH91*5J:i*_0mo0!_p<&Lp2oY?AV$X*V"-Vb#9ID
%"o*W&GF5:\I=i"OZ[6<V3Ka*H#tmeD(gb(R!]1(+!B[F5YK?8CQBO#RY.ZXM4):&jKeP[ZL9#KP-TVCG64fW>8H]ud+35]G=b^`W
%?q,WlhSZ%-B-_i'*<*cW7,u*Bec;>-d#?6SRr8[g6Y:]\$C)_\=&;I#is7[RiP1oO`8UrbOXbG^Jb>CUn<bN-4!Mr_qH-]jkc=DU
%^j[jg[:M&P5cPB4^t!:VH<+7!@/YpAFQ$*a@lkNc>9r.eH63.&=MB;Dkkoh&*"IKlLnE.OD&pf]Q8&:.r_eBi;"HIQWuS&Ei.(8=
%:hI<l'$UXa0c6<gZ]-_o2a*BE/e3;tF=7:);<T8rB7h1RU-h7"Jrm[Sn6-&6]]oQlo-bI1n5XV6S9*kgrptrd3'Jb,+p*BV_T%fY
%)eXC\BZA[;_OKdU0*)1W;C1l=J$^;R'90RLg5eGOGGMA2I55'S#sIMQTltsPHD[#Y^J*Wi!?2rHZk0'_QE-dklH$&j&qj.:2nR\L
%V=cApX8EXX"aG,[cKI[igHtd(TPKYE=_K5);aUdF8ch<D=h\i7#[.:h0=1op5k28.]7F*taCRl%8s_UHKI7%9"TMkkYnafEn_1q'
%Eo`_Uo^K]93YHhjh/``p_HIG0&cfm/3FmoIXH#&&,LpcYlpGb:#DtTdGFI=qW$NOe@9N1'[J7Ydd??VV/]*@Bi%/C.L#G]Y[BJ"b
%;r0>g6CEr^LJ%LXl^<$]WFS9T8ohlOO6Sp*Trim!.u&TYUsG=^bAQh9:7D9p[Ys_lpSsH#[8M8=qq8n="$#nJj/:HW"eV>-$'[b9
%"NY5r*!h'K_Y9q@JG<j2#kt)nmu?OM/@?F[i^@/8dO:OHcIC%E%t+Wj&rqR2!Q;>01Z6Pepd0teDNVhfL0j5&OW>q$_$iIW#O'i,
%l=H26A>KG:_c#W\e<@>cO57a`o8Lj%?7-@Q?J4rag@Y^64H`!ljSAnBTLNNu9hs@Ki/'G!NLja1dC(Y;]/3m8-K`O.`2kkc*+cGh
%9Rg-P2lc3*a*K.hK2#-3L``U\%ZFqLqnRXEHb-Oo1E?Bb-d#L,I@),2aY'%u_7CsNPP]s]cDs]X@`EF(VLlo&P6]<A38,SoS$Wug
%Gk/G$C"8-KH`CE[aXe-[1ch]cE0E!N+AnV/TM"!$'AI(b"hTt#J:)1KE+/8kgNf>&\H'X,n3\XT38BU_!WNe@=!0I@g<LR_g:Pns
%O(?SG2uk.KU2!\%PFL94k]1U@'B@/*6J8E')[0i0%nsHS:/AlgO7b,!8ie=;Zds"g!d9!=JIOTD;]d/&]N>SA_PLudaSn!GZZ\0l
%!7XtW;,Yci/YSa]AR'C*KePd)<E"oA3L*B>2j94fTp9'd%\HVV>=;/K][]^=f90"oWG2dUU62?3\.bg\-3rE>L;Qkp/O#-Ue;-ma
%1@?IRAUKpUe@*40+u[.`;%CMj>M&.]nMUf4ih_\f+VJN9jc'9DI0-POg+Mum&d_m-c%_V[rBS`Qa\?0@#s_qik.2mpq,o.N8Y"#-
%Z7BH*B/>NB$?3UgZ^i1Y2r_%Z_0Q>Ir[>EJf$[1VmZC_JDUg1'b;Xi)/8Z9+"dVrM_d%9d=Kb:mA6kqUQ'e(("ClV^(>WbCepOX2
%`$gs<QCN9005%hmEJ5$=,+$*22Ks*5?+F4`l_'9JCJ\S,Jd%551NSlY6t=V,CQi>to+HUfWB8TuXHEcnOQjT&7ETj54uHfQ/O!B#
%@$GN'rS5E>bGlse+C4tQ#tEiIUgSkgL_$F%:Dfq5h1_#g,4T3+4AS]t9(QQW3[W<(FZ!%2^hdo=UR9g-4'%.hYahGZ_ru2+Md^6L
%B-=un9pRAPk_bKs87#%:TGX*mjAFhJGh/V`,WH(;,p5CE2>,HCqZ9@Mk9C@SbhX3mELMCnH):!A%2"G'2&Ug"1/R&1*K;Jr],0dt
%QT/-]`!W$a6s].-Ej5=F-rhQ+OX3:+q8AB(5Fb$*S64!?Q>>b6rE$-)R]%Sm&Sm?gmm[/4.r]!PY[Jp$8'2P--&[f$(.lA8WdHd^
%a12kFgG8)K&igY:6DeE`O.-oS$b=gU5-SN(9)F\M%r5^MOBj$BZ+fT-#m8;ta@]R0=a4n_+eP1T\]u?'So/GU;C#(rCuIq58DK?U
%M!e$M5f-%R!;$XUcpQk0Sb1BfI&nYc>eUll7%cGVXO\[E%BTXi9?a7WZ+=`;$q7n91f@^GN>QqDC,>AGr_Lks8nVqOPeig0lrti1
%FR0@(D+Lrg22'PjNckL"Y1W<(k3"KSV<cXpjHBsB>\;Hu@oms#TR8g"0ilqZ76jp:6YWnl*5O'2BAq$o"[As'%kpB;!@^lO?8r;?
%BJF<gEu>O4L$nW9-,YO-b#KWNb0NU9$UBAi0B07IeN*N#/49r(*X=<CM?KrhTAhD^BLg$:Y9V_!.?sX`n#@(aHNa3qcJhB<<lGpA
%+1/MO/?ig.M1kOnfK2R!J2\nc,IWL9]B@7^B9C.e&K#D^#T^/r(nLj8CZpI(9fJSr8@Qa+(TDPu&50rXATP"BKd.uQ+0:/e<,3I0
%4O^+s%%ZZG(@hd*Qa":kM*VpBiOb':A=#g-JK[3PCj=o,J/]F1FOZs6,TY-C(-!Z(fiWD$84m.s$R2rKFi?.YIQk0B$k(:P7#j/k
%,!4kJBKE)pa$<>ZZ:J8@fSX9$&ei8"+ORHcJ?mG*Ae@ZM66a"0PV!-0+:$IcVF#s)D&uR[a+<RAH#(R?^e_$T(c.XqFlf0pAg,CV
%0EpK-.oRJ,&aL3R+pY34(#iE8=UM-)+X->8d]Jta%2_K&qeu2Npt#C8T(?4=:,T&8!!AfrDT6M?F\MMJQ.@\8_W1D+qB:t%m3-#j
%Q,!S:3Yq%J6U_QuPCZUdFpXU(=[X/4Of5K8peE-(Wkq53Vn42+b%hbWHo#]Sh`lKM:K^ZNd.7c<[&(6)S&a(JF%D378i45\H?$D=
%Oic-^S:j1s>Brkh1K(k1o?OS,qJXqNr>u-2lA&G`*7?OF[XY9+\gq$<M-66ond,*Ys21IJ$(C-ICnhd[j(`C(BOgF3pU/T[pGJ(N
%1T](2!$bqP22D;Z<%2o@^_RJVL7SLYjCYdXM?Qd2-L-9Y`H:#]Sn`jNq9!H80uAS:_f9hXn1@)=8)b0BWcf448XM&\3?_GI;)rE$
%e#+%$(paWhJJ^7Ycm):g^!Zo]13(Gkh\kB-3^8=A+g=l?M@kicKEdg4G]^h9jZ!mB=Eda7]oJ\g_G8Qb\Pu:D+J7*[=]@"]UdGI3
%VALF>%jP1&)/2JdXBaKM@0eQR&V]r:\8E+&ql.H`9[E8(:3rm3B1jO3REs$a!M/E^R+Z)%SXA@1pgk'P7'%G9``Nl\1e31SJV@T4
%!I3nZb=^^(MJ'Dgnl[mQ:<tL`$md="Y.2[:H`+'_3:%Fof.HE2YYKbQZ:spR"*lkf<W\/AOjHLfH*d>iI)YI61"^"f,)R(IbIH#B
%6QCdT3;#UqB5Vo+*f%PWB1#NT!+*TS!\p4/NRBBuVNPo)5m0Q,,TP/aC&^n5-u^"i8A3Xlre/)9Y\\Pq"mcAto7-r#4aX,&UEJZB
%=b$M+00rPuAZ?.mNX.&[E!pLn"I^kVnd`Y<+[h)>T?&iT;_siP-Qt&:GCdW$@Sho$J77o&INho#-6,RqIh_sc&;J/rji=)OJDmA%
%`U\n_A';:mc^(q6_dB)Y;b@[3l2c/\SMmMT)os2P`r%`18]jb]]bFPJ'3WnALijE16n(kqRtM'<UQiT#J5;gQ>OCL-ipSEg%>1]*
%e*+YS^p>0&a.&q4/ZpnZ0[^4l>jhLj_Kopt'@^/RD\*d$e$-hu:mn![kYIV0aGBE4-d:0RGYHi1M-`ICq@RoPSh*3?N::B[i53LN
%)c-A>+q4SUKFjqIp)n>,/.i)JYGKL,Yo?WlQV]ri[!-RNE/Q]8@dt_m@B^Bj#GQ."g=S=])%b$C$Z)bEQ=u4Ea0Ek]V(LQn'2/E4
%Yp3;5#fmL?Z;KoEA!VupZ#gW*-m4*jC+J55RUcd!kY<3='4"j'DDgtg_9FQ#TE:<*@Sa#2On&q?HchM+ZZMc=HrlB!W1GH@%-q2,
%[>7(g6C'N5>'@tT^Co!l2[4`4g(@Hd"-Sd*k*jT\5XR%&LuhnM[B'-F/&^)JJd?BN=p2h\8s@Y1+e1YrT+H;OTi)%o97/$;budbe
%F,`',-`..X$XTgTg4Z"<A[k"j"3#<aj+m.V`7@;8$*"&uN<fh=;%/RB!$ONadTHXE*"jcr:Qu,4)mP9dM_s9I@B_eP`md`L\<H1(
%(Q'/,F<drK%-IsP(F%[n.+hMLQ9`n6H?-4X82*ArkjV/D;t7Q8h2g`*k/VY(+q0tZ0+],h-tK7>_dYq(K>bUO.&s(??F=p7P<sB$
%9/`#08rYT/;TMFLdBZPk)332l#!gDg1@Wi?JAE!-#7\>t@b>q<`_t-UPC#_.d<;!KWsg-_oS%C&&G$g;K2q9B+LI=d'Oo,faqoTX
%FQg5/)bmH"e00h_/;L3&[eVBHV:`epPuipGJH@+H9gVC##3s&]#sh/r%MA!<_FfWG!"P:d4>shk`PKbF.SMJRI3PLGAu,!/Eb>E^
%:aJq'n0:G4NfApK!1L-!i;A_J4X(cAMKBK=3!r8.IN/SaZ#6NEPb(LTWH0_)758VRQ,ir]Vb"[^"=ZnP4',ZM_E#T5>9V$bVlhfG
%V%gT1MH<.gW]4N\q'=5F0O`4V=42Hs]L:DO#`40<D^m2PV"@^SK2HH=#dE:36^1L,f$td8rkhQ6ln39f<SeoX/Mj!<*6"0k5nl^&
%`+L#3MW'@9+RS,-j$j.jV'ebHQA`dA%/M%Jrj(*EfT;FK%a*fsR&[0E/$aIr`l$gbA"Ok+Pe.JmOSBI[T4l_%S9G*9o,VCBWR,#<
%If+m>Pok"5,UsMW?DBL<_O+Ogia=NZ4mf8:VF1Uq/a^(5//,JoF[='1DIpM[0bY)&$S_00`j'EPBnOC<;VD5(LiO[K*eM1i_\--/
%\QAX54O^tm%m]c0-@!p+/h>4)*P_AU;Z\j'ng2)KMNurgX44O,i_HGUR-AC,21RJp?i?692;>_((n^&5kVls7JV7m)c]kZD1h.)J
%S\nX!E:X,1B0T>?_#rY]nM6CoR9a@iZ;tTf@?'ORQNL,(HBLRe15.]2(L9fFkYNE?`.Ord>@oBQEoK1GYEsKKpcj2sM_cJ\MO"%,
%JKmf/--Jk)n/p),,*i_'6k19gn']lViZ$9reHKg@5qeJub7dFFkGdAV:n"EYKeJVqA2k7T5\#jE,,Ya!2YM+0TdL82W-.3;2H2%A
%*@445A5oWap(T:.Th"5,>*gNl;\6(LHuI)'aZQRK'W\m]Y`42T'1nR^c[KnolNk-oTPu+#7IFJo5/rPBM-E')_i-m\Qar5'M[j\^
%4GZ-3Kl^EnC/Bo,/cb>%eFjeT%+JCSAUlYU;PCS))8r,NY:5&5!$N\ZTp[$`V6lrc'B3R`s0a"(JZEETO)g7,0@L`VkDC)n1.\p-
%:jiLF=p=#Pf.G=oSsbXRMIdekq(ptYfKn"b#ZssFPB-m`,u/R9!&5-<V+*2Dg$U2\2qJBp7P*mrJ[F*=VQi?J50R!:^EbnIPB3++
%Jd;1YNK8@sb\L0#m2JppYs]\FJsD9[&gHitZ+BlX;@(gj9ORDd,Tt=477=ShI15XGoQWQ,LrC*!g\Wg(&ju*M0K582!1kUqS,3eu
%)"U5Bg_'.oAYOf,;-#>6?V1uk";OpBdq3d36X[@,-05Gp"!+BR6KAfll!m4)p0*TM7T-`T/LjStP<D.NJ:"qVPK7a_`oUM?aSC$[
%[_*EmdV,&HZZC_p#m`+nJ#<%]JAEmu@UUr.2k8=M;p_>&!o.K?eg0EDM9q.WQ6QU?#d=2og/L,bk@dOfnq=o`\>r"YQNVkcTO?%N
%8J&H?bdF=CMTUIl'a;RNJlt!%GRQ`lFL=A;33ATf.CFK1i8ZM<GF9e3:mOZPGioF69+HZZApQ,eK.ph$;>r3:\6PA]^"BU0'Ki<t
%3bVDn&BA\:EHimUEY'`^>,XPmAM*LPQu5.tdfC*,'a'\j6&5OTA+5&K#S/+)L13,.h+3?u-E.S1U0.L4["^/WU<nhI.Q-%P<;27a
%q5aC\=BWb&g*=a"/:D61fFgN>VFtrA;k<9s@^.=k,mAfZ/NT".Z0PQ!>s^Kd.*KgEGe\-<;Pc/nQ5=.mF<l+"b:5onHjD)]-),IS
%Q3)?6;Bhu)p:t*lTk]9/H8attA7hthK_C'.M$;fHQU!#TMV20hj'sEqFY%#+$+BHq'GT@jY&-F&pc-5-QXeiK*HcKI>+Z(U6ARS]
%GWCh1F(o[G6UMi@nRmNHX[bG7V82/JR'qC1DE2/HRsrP/CfcPqG*eeK+9jga2']?L@bId^F:n@mTJCf3^_s`g@j#kbNn>PV6:sO5
%FD-3R2!/-+,&m/5?-:Sj_=)L:N^GQJ*-Gf'`_hI4qt==>/VFdKih5@dN%ICJ:-gA*fk'j18n/lSjZM)/kE$6pL[7rRqh#d%c75OO
%7F8+;66I>&^93chM\:m;M6/Qa!VNLs,E"eee?`.s(^#LO\jRI]jAZsLEkhr<H='Aln<PC.%-)taCjqenOQaFOpjs#XYmCmRc]/!k
%Fbe^G)3HW+EdbN,rO-6qJX@B/ke[rO-:M`Gm,QRA^46q`\6:lCX?sVC_&5KTm!-?D<>pQH!gFm])Gj\0f_<j7".G\J=mFFC6jJn:
%"9<k0=-k=*1e1%kJJ]aAY>#Wk(P])G:QR>[86#a=P=0gh!3WP!#[D*g-pfcEF9EL+eBug!eWTA6dssSF=?'Qo$K,T<o1#RU,4Gk<
%1+#p7Zp=O7L(YGhT'jNF1bMaO!]st-Etmjn4a\&.?82Q*5s6P'-LHBci(KDZ/JkDIb&-QMnIo7lAH\O`%5Wf\6]83m!k#p.eH/57
%:q"u3K-IiRMJjQG@Cr,Y,d-e(3]W=q!)Mc$Ns)&ZAD,!_L]US"f:!lWNA,'k.eA8/MVUTM>dWmOQN]9S?0)E3B]V>hYXM/+:Fg.S
%*7&<[H-.q'a[O<S"3))>4CX0o,T@Y>LrE=g`^8Lhj30<$!f<c]FbRbW+<nH5VAFB(V2cNW&99K8e@bM=E0&RJlfnS[8YD>@d?Qh$
%o0F5$$'s3j3Ht,tXm*pUq9>3#`Sm0cSr5_90mkjU`1diA>o3SC:F3!'m?;o_A>?epX7do$8Ai:`$J_%O?Q/#G6B5-(XIkQ?!RVJ;
%+H_T0#%Xng7Z*:U&D8eUcN%gG,?%*k-j&!46At#>?OtsH76-K"m0]]s7Mm@KY\2t[fl?Y#MJr/s:Cn44,XV_'b)9$l$#Mo_Q\W0:
%Tp:Gub:+bjNMWk>7,2Cp.qmI8_2B3@J<%m"Ot*r20:,ZiRdZ@/<7R8,17@i73O#@n!iHZ5LY5*G6@126J1:PRPh@RO8=<<5PiOCi
%;rO0<-(5cJBjh-ffGCP--_Oe&L%<lY/-t&J$0$q>[cI46_]MIk,,=4ODj*bAEM@"*5FaQ0HDW[nA2u\Wh$e-mX'+G=V'6?6]Yq*M
%'C^j,[HM*SkT]!\Lb&qnq'$&Z-jsK0Rlk`<-Hq6Bd;<e.eB4<ZQ/M^Sd"..X[N&sW%SFfu7`u>O'ql,&?kHZ:Y0=beDH0F4>iI<J
%ieKY4nSi()DcDFS;u].J+hSOhES?PC*'h:Wg9E+JShM@pi_`@F6^dKI*;tska$&NS6`QUh0t01]3[u_8Y0&Gh:so2oDb/PTMeRml
%f;6=nK_3X#T)1KVo1;]&3&+.\rf7r9<G1Vl`'lr,)PjAV+oCMc[XB`uOD2+Z\HqB.OF1KfjTl;KZin&K\]S11)^QB$0G.&>5*$;m
%N(V@lCuVAJ4#rEuTZIB_6'@0U;OM>Vbp,"$6F#1-d2uQt*fuC%7qJCpI!Ua8!LJ$"jl[EtT6pBJ8**[3ZL\aTT]0ZY`H.FSB/lE8
%US2qjF)uKIT=S'A8.Nh689OgfD[?;$pW6r<Z.Hl0Ddc<D!O$,c92K53.c[TVa@iX47.L@R+@k7ZIRGTSO2>2!88?@+M4?#qLdejq
%;ldTp/%")K.XED+SZER^Z":)m3ZA<$mcZ6H$;9n=]9"O'Rk$Lr9><1P@TRYq=)a.7N='>^c$%LeDu-0=0,u^=!K4E17Cb)jV*PT5
%i)SEma<r5%:a@\lf&i-('1AS!8#qAf'j#A@F@)G^KrbOk-gD!bT/Cs9_)X'La@]hA,sJI34fAWa-j);:FED*`LC11sV5(*TW35(,
%Y3>lI108R`=)b1+Hf+Yp8tPkp>l#c7s13$dF!Dj_;h'fpib06J+Q5$be7p2Xi^c0Nj9$-M1f>s!fH.PIY1VgGH8""d/#f,M#8#/&
%Y"7RA9@S?L1HHcjG7r5,7aW/X:>.\sPpTVcfctKP<'68oeus=G?ZsrVa1ed0A"WuA6A`=Jc?:=#[1l'J.V(/$qReM@PU]6^@sp8(
%op`XBi0N_A-l+\^bE).].Jq">AY<UH1W^[MmP@/*Q%::4==M-iFtW_:LWHQQh5l;$jFW&*7S!de4\8)TF""@Uoj>6cnq7pHc6Dmb
%P`).lbbEJbCKf$@1RC_nkgh4XMY7V>_A'8Y+ELj8b(5N..<)rPY,CK%)8d_^GgVoa<(o],YP]LgP>)a/Hr%,PZpnab6UBY(N"T\Q
%/TI.l2AP%`PoOe/S9DPl;Aqes#>9Rl_%W4p%QXhtU2Ua,5d6U;2IONoM.QT5$FC4p04h;BfIm@$B/`lt"fN7p:a*W)Z`"_$:ap@W
%;NQNKX"&ilPQsu`$FJ_h<"-sK(r/ulfYd83Q\C/n$mMYbE5H5gQ,6HL#-sK4]LWNt"(]Q+C&4(MSV>p"%+;*hcsnMhbE"(km12M,
%@G:gT!-'49AXo\cRXsBq-o(;`;N-QcTQAN!duuq)f>Loi60]qQg/nA1=#JrbZM>kBZrUmWEM=7qidb'upk0d.ihN0;6^EGEG9D4d
%ZO2rZTB^u;H*3#p[Md\=.23t9M%BM`8&+i25d8A;K7U(@:Ma,H(Ad^;]KU?U=@R?O;s6U_7DqS%i3JXC;*B]1-t"d,4sD8-&h3t1
%h:OK/$YOG32sC#7D3<;%pub(Y%2mr<pqX]j#7g0/?-UJ*&X`UWW3_6<Q\9kQehG8EGLqa+WNR7d<1?h_%Cs!_lI=df7LZ6\;EMCs
%J,Sl:Y/C.)66,p4.fQ]M[\7,;s5C@Q#7R\t4*qARda5/>Y8TI-l9A)Wm4-ofVlFKq7K38lpNLGP*EcD,rh<Uk-(B61M\]Yrr'6&C
%\i/(s']2Mc<4Lh,ZnR9ZR^2FRdelf]krRHRmsq.%CBi9H%'&T!2gjQ&(H9k0]p(tI#MPXWenOWHKBI"7J?nB'!&#0q2rmfSk[?Ya
%:fY"$_0#jd41Qsnh0r,$l(iGh)MS[(l997`O?rOkj\AtJ1EB!YX)Ia1Wj^^M9Kt,oF?ag/D4trC-fppdSHSsZc_:C!s(>CErU7R[
%qSV0+],\RF`;`8$p4)F_qXIp_oj)mKq5;8?C2=*+2Ru&op\H0N>nu(.:<``_m%X;IhWts,[/$Uqh]+^Ulg@R@ak;VA0/i-MoWN"W
%DKRJEq8XH\Q%ln">Of(Q5%<[,Sq@:"2V.W'o%R1/J'^..<Jbql8;BYBAW[k4U_%F.0*RYKErQ$eKu#<?;Ng7I>9.=ojJM=m>59\X
%9n$@r.14r[p<$aO<+X6K8^W^\XqNMCp[CdtfRkm>?VHToNuZVF5N8VbB+>u'l!X@C0aZUA+#<+j#R0FZX(ljE.BG8ig7;\(a/40r
%Z!E>kM]E$\R*W^GVDAW#>fAX@lC[8Bg;tprWUs$]OgV(N%f4PO[3Gn,je"eD*qU&*rbgp\>jaJ;j:,Jf9g_DL7t'2)@hJFPO*mFE
%>#f?\&*T%&-L:O.X?+)\W2_bdCg[Mj?U\n83rZ(XG26ngO0%h&2+%TB)`;SF$_NQ2n-;s;akKW>#Ck[)[=lT,3[.I^.fOof+:g^U
%CE-VLc,"@o_[r'JI74ldhi);-"[:HFYc9TE8(;`rWZU$(?b]Xm2NQE1_eTL<ps1,$)ui=FahGKKrM=Au^nIXgo3aAhf?5"EPC'`D
%O+AMp%b\7+@7TUH1)5d6RB)OOG5kEHCOU.@dSt_m7GUF2E`$R):"?r2i),Ik6\Z)PVo1h5LROWFL`,DF'kCY(Db/p(s3bZB9SX,r
%BdT^8g=Q'@?=,pkdSKm?gM^IOQdF9T7b#sHQkFSDXW'9R[WsQgMLXr(B"Ro&,1',VboX,VDS6OC>H`pp%BofX"uGfBY*@T%YW@?\
%D\r`hAK='dD6Y2DVT2_["4t#SGKSkCglFfskruKJs(h)8pCg&_KteG^*=0YqOG&EJQlHOCZ,$Gg9X9Y7-L@<aJ)"]:W`rUS!ja\p
%B@$P4=X1=8<*/LfY!+OQoSa+a:GFZ9*t?enP!(9)5)*-g%%!1G!^@2._C*R/&@>O*4&YciGh65]\nI[/"8O4<Y8,'A1f+2HDpPa6
%D!iquQ,SDHZ<RbnXFGM\'!DWmnuD2o]]rj1oaft\5F_',HY<+\c&X\hPFDtnK0=a;^Gi30$O[S2=.QoK<;b(H^Hkf60CZGTQHjNb
%=MTlaT>P5Y\@/hp/:L*18&N90ZN=fnhkHI;li7qYI>IZL=aR+V#3ZN31hi6P!N_a]%>i>2fM+:d&J;Kh!_6f>%&(IY[`1\C)n`Mg
%$_u6]df%#[A@oe>-BB_Id=6F2^cg!R^,E%b<8cMIlcfj+m?;gFr9%`N'Yh7cX@@hN!K]i=9+=.^q%?&1i__HYJLZ:;l_q$2,5X(*
%jW!#EbiWG*_WZJM+n\q/#L:r.5%KrC+7[9$8g44PAuSJHJKeK=rAj5)[riba<*eBi^+h%s\BPsI35OY/kC!)4r.LCp+A:9,nL*-q
%s&8Jr^0+*^AG;9b'Ol[8lMeU>Nq).OH`QsQZQ=/XcbQ\'=sfZ$.(LD'#rh%ZqH/@+Kh4d*9G(#GEZadN/pDQB\C&M1\dS;\=lB8I
%P^AU`/NbJ+2ld[,L">$iZW+m[8Lr87o.e:]Sf;\:ZH[d))NPT*m/V:h[))e/-e5EHnUIn8riJ?3b4XQRU$_m.YZCLk]C',kMURL2
%K-mW")h>nY`A$9t#8b>Y6g@(94'Gg/?)41oFumSAVT\UEX7S67kuacp0-B<i.O-d,U>Ko9G+<`4/obARmND>jV8&-bs%<dFE-0:K
%$nJ9(UhM>X_oS(WP1l;!QA%ou@U^eh)OVXSGB=)]5I\FehD)35!A4-&(p#0sIR>Q_2cpF[-F89!5nAlD:iH.%&%]q="3q_ocT+6a
%U(f20+*s.XLV%Yo:IL4`Pa(+4PS$p^5pEB/A1:hbJ$nYC)S,^FjAE<Lr,#-]_c[;ur#<qiW.o`'8i$<gL0^LCQP$+>Yn(s$6C;C_
%K/I0,nIK$As-7m?jmL>5PlBRqr5X?o5MbO97esZ`qI*2%@a%99U4^iAldC]4p4%ZS+B>c8_`u,Gs8@rmGU5UqX<;fbn$0`<Nti.B
%3CY6pnc(C=a5=]nobWH*;GldWKO!T"5?6barlCA:#X`!T_F;WN0(0?=C1%,/L&W4.DKAB\-5lTF9E&5,,l*Z&C]>)=4E"$dIX$=R
%GPAu_IJf+Cpg@@F)9!L=`ElZ-mYQ`fd;`!73@Xs8^8$1ll$UnWZ'bP4Z*/p*lbC74H\:?;)!<9`;`4p2.S+](0c(VsCA*\)c5t3d
%@Ir!Y0Pia2]6\s6%G/[?<TRrc*fMg4o-$<4K'1Qd9UFHor$:p%0"o5HWNF'6EY#="psZD'?6&u&FGhQ3M`W+bhh77,8gNt;d%\_'
%<Cf(F0BrH[d\XfbqGQ**kmF!N$<-l3-Jdn3Utf>BD>9#W[1N1nDIMZ,j:3d%9[jZ(X8K^Vqd6r7*U#]\;apE+2"PmLNnE5kqhJ?g
%QU?#p]:<d<,'/YM-m=\t(<3KZFIpbp?u1[9hY9u/Ca*<:aIgJos(Y)dlsdr".%Ag%BBn6G/+IQu^)A,m^GR,n9VAmO7Lh8"iLDh5
%!IteX,1SsKEt0>mC7GQN8e"r\acsd'YNh,[J.2c7@a#.4)CXga2(3]dNlMJB:G?'.Vp\EP?84@u6j42f-f4bSK*6f.6L#!b)]ZJF
%CET9k.2G">Ce\^\;#D<6pMU@qf\[V^/D&tSYf(Djc7_u"_Nh<iT`U,Hh]!7\X,'8*;(?NZ?>f8q&dT&53nI('X[0e"i:*b2&h$<=
%OolF0)6[BZ^Go$PJ&8_S4U:J_4P;<p<rBAacrs$!/FW;p!b[e8A/1+*8M2_\`lF.F\%it-&GCT$n.f.$5FGWg?Z-n_6UHl*4rTq!
%6)$W&Q:E*TT,fQXp")7YN5X!,\Cn;#`d[5e"C;<U3TDM2\;1g2MjUgsW6"EBZrN[Ap>Gr0Y79Ja7)o4'YqZCgO>%dXGQfqHm/_]>
%J8e!Y[fc3E!qt;u%p??Za83j9=#kOD&(Y1N`ii>gJ%rq3J%c6i,,;d<J+i$\jkt@0!rg0M"0"VBQ?FgD6tI*_#9!6)?ML:]Lah+g
%[sd-E0+&H^qanlcRC_iWcq+1&Q]qB+Npq'rCfE_0"5"IF#91S\5\0fI?!4"_]qru's80][d9UUYNVHNDrI*=*X($!]fNit:%Gq]5
%@gPbefVf[-s'*Xuil?)b=&8Vab1PZX16'OpN4fk7ah57B68.t7'sAOFrYV(EF5Im'02u&=!2H'*`cU)5`0fH&Fe7ME[c/pS+HXj*
%K6MnmQcm1:7^C\VJ+Xg`^Klj90D6YO?BV46MANg9NgJ[u:e:-a7Srd#s.N,i^GRM-M$^P:V^7^\C)[,91#_;+d/>I2IV.+"cO&"q
%>P!Ap`PJ78^i+M6rYp(drqU.uCU@8^J9Q2R0^&@]1?j8cO%'rclT7#i+(=3&#iSAt-=IAj0fGUYMQ\j(JZ-=7G?aeSebir\fb/Q)
%/gY;04*b2ZB>Yk@<)N-V>8icU#-UeHO&BD6CT8cIW1T+FhtB&+r?_B5U#/1`q_@q1&\c#EhRXW_n^c6-i%8$b.UIT"A$nf!fD_f[
%3MG-P\pu]mSj-9[.$1aHB8PO,mTJiE>lXQ\*p.]to&\%q.e9Y/?iHC7r6%-M1$bM4f2tP)i0'N'3sF;VD+VN(G:>8cRa_9d*rg8A
%?cP<m^FApPR<Ju8Q0X8+.^L#gY,:fOjlh,GO%K?V%;)+`_I^rE\O%rhiQs+#?$%+I:;k"Cbnm4(&ao5A#dM..o5A^u7=rd1#_om[
%)Gr[S+-[c(TGphD9o9$\lp(RK>Mfb^><4QiZYZ>maQ'IOaeuGbTAJ2[:WM!krm;i#$cgb&reR8IHMt<Z)0#EWKqg.%^VB^&hr;N!
%?g#LZJu@GLAGm\b`m)nQ1#[hkb)+![hD&ALmKm>rN!;hJ[:h/%6@!Q/aR]#GFc2bK!%EGSn;8,Ij5hTB:H.e=$:kcFo>Q?5naKnD
%r4/ZOhhIHorc>Ff1@OoHP_6(CXbQ5ekV\7e=aN+oR4?F)AkuLeqtb!K/Rc\e*U)R)o^TI]27/%>TG9%b1;Uh_;n0@H7sDA/[nc'-
%F));7c>:;K,(%PNR*3P3X5ud[r$7.mi!sh9a2?\ldU?`?mRHoUF`giodT"/2.h!\ON!=%XG_G,H9#*8<$<f%u%'nkO*4j]%Do<?g
%EicXE2N+mWAJ'"#Fekb#*\,\j`>@RUZ68(`q$%#mo&7+<P#Y_.LDQ[XH3sWq$0G7Za0[dtTPj`N.QYuE%9MG#1Yi=8X;CKiic>UE
%o%iQi"/d'SO"r83B['=2X#5W')$JC3RU%K6Cs0=+_!mC.Y584j#LrXWqZ?k2\l]GD/"kMAC?jc>&rZu&g?!]C>^m5B/+d>X>TbEp
%9L/NkK,_$mQIaK31;Z,j/--M<?@Y'Zf_mJIq\unf"gDSjc;'2m%EoUd&kNQ-m=)V`%Ruqeok'$/r>=t?=1<\dOB0)Jk&A":=A'='
%-_T8%#-8KH)_lL]-FS9aFFa@\am!hh_?=dn01J7i))!5HPL3"rBXO52AWN]JHkpqGCFP/oUNJRY-YUrZlt/DihK70%YtBbL"+ZVY
%JSALLRVjI">dUiTfB@`#+QkGe>5QCI_liIeU4.q=$VI(FOoI5.bi!UD!!J+k=V'3IKX/d4QYH-!]/W(UU/q6=d:BI$ZJa]IbIP+G
%T/F@X$GCR(cW6T$]$&W\#_Bogs6*q;MVFlg/!Y96*hV)QX<bR[VU1_cDF$G$TE6gbJJ#tB/J!N%]<81nRK<0Z+:YC]O98Sj__1T5
%-Z4@*mGAQiUa@>qXaeh(EG#FEFa*Kp'7(`'j*^^08H&"q`KG]f?6!]p*0l!p*[XroA:l$7!D(E_3rX64J@YSI;u%e;l0A5nhcLfs
%@PV%[7fC(`0+LK^_+7N2N)s6L%jS^`j&\$DMN.jsGVl,'Rf=5AeR-!.P)KPX$/NSua^g=p0Bc1aXn5[IMN.fGjMfMLeE7BG]gc&A
%[J\!j`>OGG$gQ!gT^UBcn*@%9LcNW/?/#!2^Obmp>d$0F/Gm=)EanrekmoQ7=&36c>^)TLJGnVmfQ/*o!UFJTJmG+j1A:uE>.Jk.
%nI3X[q.=J4Sui1RP]_%`H["c2fuKue0sik$$a+n7&d_'->pECu]&`5)#Xq[3op1gWSa4KV-TkSW-f+IBg-\@ACjs'R5&k*!GZt)$
%['k_h=^-f:dCS'O9h+Fj#3Xb$6*<:XTd_E)SOP1aL9",,`IrY1+s38<je1c2P\neO<9aD_.#\A](%7R=SHKI1h3EiT)^Zj%^"TP(
%J-O^`hGS/8%&l7W<4Zj1Qn#+9>:lrG>:%k>\#dpQh$LCG`GNR'>"IC;UGB#^_Wj\/qTc\kQ[%585DJAMcJ%SZ]!MCE?Vg77S?9?+
%"ru;c,,LSUHj7@6DVUkC('&5_5Q(gFjo_9Qo>Q=!<obi=+I=\W!A3"seuO[!rd*$^\888XrtnKjLkS6pHa8'_+9'ARX4V+V,qN5/
%?jKF+2j)?[]H#(_XiedoX;!?XE@,ppO<EgT?h7U.O%peJ>DuG9C]U%3#j5^]dHk]VOBSfAB\9/'Fn1j!nS$;Pj;IQVa>+HOoQNLf
%<G1cAX+64`)@R>=aL%%];9Uqc-=nfA)WbNcHpgGZ@PY`k0Ou-6A+2]1`d^m/Z^Y_)bV[Kf9[9u3I%uG<G^/nY7Lg!V?lGpIqH`#>
%B_3DO(GhQc]HhleD2sYV;9<e>?:Q8?j?"Ra$;X4mUE,/#Yuh2JhjQSMUG`5:=H=1)_@8p(Fs<\)Q;DEE<l1-$&[`8$%mm7j^2,q)
%7cNBkJ:JSIM5eN<,ZEFbB<hq@k6&t#0*f>hnft(nB=898]b=t,b$3i'&?[\BG(42L*&h%pqENKWJ8*K)XgB2WD:YHgY=C%9grFLV
%>]IS$)Jq`;F,GcgS,RHB:nR=UC`OKh,[7"qB!plCWsUA:ZjKP2iM]9kX'cGC"`$eU'q>^t\gT=5ZVc39@m[aag.Y&5&TlW/]L(1e
%p"9K\-"=uRXcVh`h$,07DW4^s=Tj(,+e[<h.4aZsLBd?=J$.7.V6P-t@'DB(a(=.B;sn\1"?:40I4YYR)g,f"\L-LVXi)bj&s]9b
%"]A*MQuNKX7L?l2on;AC=Q4DELN9Ss2;:f,]118g!7Ao!Ap=Z@JR4rW'_mDLM(L`c+&,&k!ZHDu+WD"^`@89%F(?@akd4S%]K[0g
%MlpbpDU(4=FN)NF(Lbc-4L/RV3oXPW)L]gt@0(*PnS\&&-]2fZq>3^@_t*3+X57MQm:t!"C<EndaqP=C+UC1=h%>X@.5[oZ>4ORD
%&''68$C:K#BsB^L64Mh'%<7_8Mdo"_/7E7'3J`S'f2<B`b\h]g"e..&Vh)8XhQ)PpA8h4R9+>RoG"Y^-T#_sL>5a5meK[Z'"rJ4a
%Obi.aU^>bM`I'Pk)&m]YS0<MjPLJH5J>6loL9)gc=L;=O),n]F<c%FsSY6oRVbM#1-qMp@Xq+S;,d:B];+[$WAH3m;FTba@L59Jq
%)f*`d^gSrJN2ee.G*h6S'TEPYk39cKgSM@Pc7!srjnkQ,JdlfO?C]LrcZ5Y6%!/CJbntHsAi2"I!Lq=;LQ$@4_`f)/"%oh7gU<S,
%rf(OMa_DiLs+H#\fa8W+MYueXAm:\u>5cciN%K%umUQd.Rl8eXCoT@(W\pc9)rel4<Iajt'f!'>m7FnO/mnj!d[eGUEqm=6Y#]`'
%K/(%m#/f,OG9H4r*#SN=F<kIk[E(5%AC*l9o,[-kK4Tt\)Ikn]igiDG8e$!t+E.5I%3mN;$@+(!a@hpf?HN]I;PoPB15!6(*-kCm
%-bW;L?nWhD?>Xe[jOd,i2)g?)PSrhab[<*'L:nBGR:h[M5.(k/UG$<gI7[B$9:A1SdL>u8VU1YdK>-D)qSmX(QSa?/U^V[ZnWB'2
%YEFJdBl4K18MfR'RR(:I%=Rh4\hdXI-&gk:@1%2b;n,Jf_Hk"emLlC9QS='(`&@$Q'btu`-RNf!OQ!?#1(nW_ea;-7mLj,NQOr1p
%<5!!q^+kN(OY$uS;kKdm$=uWiIP*tW+JFDf&K-l>8V8*%6hH0Cd=]SS/DD8.7Sk4:$J-M7E':M',O;`rJ`m[`U2/Zrhcb]sg'Vu@
%0VV(5Loptu'24iq6X_mP:\Sob$HI7I'A=.qVG6#&D2M3>Arr?;KtOc1jJ>Qp05Uo=Bc6Ik3R$Qd%3mNC(jTgOa@hGRQh-eJB4EI7
%)&0VUFIX8l^.HgWUJU76.uju.5A*[`^fIfUV$&64O/p@2TC'o'd,5Iu:\01iZSn6]e:F@f'cU/Jjb2_Z/MF_#G$V$<>PU%^-B,Z<
%SZg%W(\?=ms,$;=KlI8-.6H:l^6Pmgeq=e'6%-F=`3;D5inc.'%G\Eop_]n3+(pr+5Ng40?/*u1qHZkBV5jCRNSjpspL0!O[&TX_
%hTeUSngYpl_Y#>\M_UnZg;fH5='X6c[_J@,]'F\:a)JT;r/AK#^k%+djDVI2>ND?gFJLX`N&^Oset'7J-Zo"h5&$qs;dQe324<lD
%CHhS&@2i9\rQ,9&RWo!>hm&[S0k5j.)$qqFqbB<":ba*.GeBinFY<'s:e[o^CkL[P;tj45Js,Dc>r4:`6+k4_)a07K,J%P6'I+%b
%k.;!J;Kt%J34\'-rcU0;-P.k,!0%bg1tUR:!1.t1F0#\b#t9c2`'MS8U&jXqG<KbjDPk*MG;R^=4MrCO)t&Kp]@$+DK>LMXHr(D\
%aUHN62YgHe4UJ#CL_`Yl_\Hu-`[*@uC!B6s8<#5+I:djYg]1J/1R`+7>)oHrkb(S`l-8_8?qUq+SE:D?:CnY6X8JB]AkOI9"\k[:
%.&naeU[mO&9>gVU5KKN3c+<\7?)R(LR>tL?8,\UJ@e$Y0gWY=@>hCa0WDk`64XBR\Zh4dE>Q*FSOC?E4d>i(qA-L2$/Puk,.>]RL
%5uH/":,:_V\*Vp@5;"f\`OOL'4ELr?4$r6HA:PC1CL)E"X_`fX(%qffJX,oScf**ZlMc@Sm`qnCR=oYbCNkIRZR']#,sFI<BEb)[
%\qGR0Sc+poX:#TG<Y0RE7bZdoRI38c9nst85^k3l`d^#O"LG8oW/LZ%3l38m?0e<`"6Jsd_LV;6!d1p8J"l1-B*B9Q,]pq_2?SWi
%_!L4P_XO=cFYau3S%4-*GJ([1/VG,HRhD;Kg1Homa/i.;EW%A8G'3`D42"G#::^u8oC29M+I?5sVk;(lRI.Xto=J<(;)c!GMV_Bk
%;+EB_>>APPB?C"VlQW[joOF^AFV/h\2!lEA<T1"Ji?sX@-a,gSk1%.JAQCZ<A8u3VlF&"jk^8ruW*Iq1Vt@3]+/REa687X"fG^bR
%BZ#)"6HPXS4dO]RYEp7-)";19oD0q@D6?*Ol)8)j.aU][\Z^kUhVp*!'B_NtcAl@jpXn<pdrVs_&)O8r.W1T#adeAa0:ClN3;"$a
%c:uDd*kY^I(g*Un+Ip=GbC(p#a\3b=n%$ber\O7=9#0t?>j.CEn'($al^m>GVS('dI_<tbYN,(<F\oL-!qEIhCbt":0lqU'%Q5)8
%ilg`T(]0>1GQ*foS=F2^iF?6_df8IQjB]6kr,C[jhjlhm:\t%X)#Z>_(#S>LbfD%AlGf-bUUT=JomDjj36ti\V=/\nXZ)<UdJQ.q
%POm,)`>LhLHc]f2IFlu8\i:#8VU)5=//DF&LU50QQ1U'",i<+HE5&mcYf0kbfR9,(,Y.Z,(\X3.8@\j%@;Z]n9UQX&lcr2<HKr!n
%q@eu+lq@"#l:Atdo2ji6h;B_Roc,Wpg[r\r$VEq&%^[NXdJN/#%)FB`)ge:[(,bObFb5!\>SKN\e)QV9pUEVd7+$oog^A"/E=tE]
%Q,\=Nd\Tn9YLEAXNG5!Y(Z1V*W&@WZe9rHel#b<K(!]!@Cd7Zne!%W"jX]1ZI_sIh<A).K!f_6`qug>Z$'=T)%;I_qn["$'=6O$g
%"0%m>dDtHP5MIZ8q$QSag39gVFWKS<^"_l%8thHo[QaTSCu_IDO_ms(f_oXQV<reO#*6`Y\$HMS+pMg/B_jb*3f?dcb6k^em<R[(
%=WCgo6FU6]0C:a0B6FRRCiL4PV!fp+5Fe&qbN7n=S\2Hs_`JQnN0[>n4KmY/RjVP(TTh'6%!N1Vbf6B[/C"o9C?$o]-=i,rO!N\V
%1,3878On.!bXlSecaM-NRr)!EG#AHeDW;h)2Y='SI-`pSb0&\M\Od3&mc0!Kru&Lq/G=luDdg.\qMAW*Fi$q-!='-oH9'_?-S`'#
%#2Vt.;JX*8odeU)BV3u)Gk68cb?hmE/kYs6o/K%eH@o+E0Pt=^WNZWhga&?"(]'/pl`%p0V<(7ik$W2G/;@5[o%5sUTrq0'LC"X_
%anto-Cut'\n<\W1?J'U]K^XT.PX4B+\sgCs8#oK$EQc-rKCV"%'k()i_rU>%./Cl8d-JQ83e'9T#5rcN4r/m^cFUKtmL5uGk1b/)
%1eP;O9F($h8i5;6R"&Z7>1IMi(r(O(3)=rjnX0X&U?J4V;PiDencAH3P:6.FhoFLPQp<!(L+sc7\a$sO;m,K3ADn94]C&^MrOM.E
%c)3LfXgOWSMc7R2\bDXg.s?<*YCF#PM9,0-(Z)L$=,@?q.?uq8gF$;3nD)\.81N&O]k)C0]cTlmNTb.2#gr4Uk\p,m!6+8N+RFk.
%?TJo2j1!^=5;UKD7b7aL1`L2X.b&3u5j>Wmn_gli/K`gee%BgcETSV26kJb9P<bbFpt<_]BC:)>=JKnV6hXi)Zf,EK;3CDh^#mFW
%^7IW?V#eQW'J\r#cUbf4J&X]G>Fa,[R$RLbqO']E0onQ;5GQIaFcG7TnCRR<H1WZ.FHnuuP[]b?iJ-V[/rHUL.I^lt*'G_>6fh.>
%9;*G>'JuDgM[ViG2#kN$DLuKL^f/*kJ@.X,=_9-sREU91U_%WOkh-:19GdqW+U8UJZI5E@-OVZY@oE_.r65OoMjJE1J<FW*-HAAk
%p2P,tK:n([acCHl>)TV1C!Eb;]FhGdYW-25_0glc-1m1`J`.jX7gcFlpkcWB7kP0jYW/J+R8uX7bq3A$N;qm=`=+6oA8k3S0as]Y
%C0]q'-(p,8B:60+!\;6k'N5JHNg-b[eG)WBW%puQ3-c(4ABX%BP*C-0-Cmk;p_LW0%Ee*s5^+E2OmHgd^foM15pE?p.OY-&)a*_"
%OH`m@$,[@!CD>9m3G@C[#!)$6Jg9/s>)<:>V=C?q%Lqr_0G$>-#JbDnM8i-5(&j*l5JPWKoIfnK%/_X"b.U2dQG%SDW.A,T>K?q:
%[WPZ@PqjUF[Q)IUEX,tbECWI/al_<&>3`1nhTQ;RYka0#%i%j("cc"9KLdVT>=mgtJB>kd@+5u(_*3uq7OGoYWTBj,;#NLPWn(/9
%jKW%6L;ugIfFEuqaG13-M_dO]-Xt&Fs.(dlcG"#_.(RVWHS]HoAt/,O[-4QGgsWZq;C:@-E(7g+7khZE!NJqtn*F%<f0DA*X'JFG
%J,p#lBjoGTMNj+Q8cSK2)gac`.@`')Db;$\,F+U1[W[-0H87Rg>N`N/\f*2(eZU%=J_5D]o!Un^gNLrP*0>?[faase=R>`m==_$k
%YF;.^isF5tich!A\&4I/8_Y([22*SVYq[M3-s@O!@6\;+8qjJG:4DgM%@t.-SKFN^H:`WYqCNJp)9gLh!ePm>Wj0gjMpN2H1>CJH
%ag-_KH%/)jn.G/[0`t[9dr1nX?+KNu^32[s8uIj=?:j*$YslZ_p;)o"#Ql.^mm3_#_%20Q*QWM&B5jG2:=2JZN/HXPKBE::1b'0C
%/-PoYWr7i&RMZQNH!&G/=*j2.'8:Hgp($50OWp_ZI3J(Qg?*[H)(>uS'tIc1Xpa^-^,#3B;M"BIM@9Yt9,5R!"N.`U:QNP2F;6=>
%^3CZpib\3U3>9k$]DJN*UX2q%eut_/XrA6\97)!,)Yff11OFQ']IO^Z"7Cknm.4^22W"'E7(q/U#WB!Dk<M1j@:/StcaKW&?1)eo
%b^'T4%L-^ZnV%KQqo665ZUs4lH-M>JPYHD=3s(6!?ofHm&@k3UIMBF8@.>\)IHZe2:$GPL\r5LSn*I4Sbmi$WAPQuW4.))$2JM&M
%fk,O!"oFHd;OL`n!q-0HJWtLK%2$aritoMOc9>;K]ZH"G@&bp'CDXQqXbrYQfuoo@\q2+R)&8Rl:Yn$iYAEO5gP,`l';G,h$,^R/
%!M2Br*>fQ)@T&Z0X'lFY[qp'6/+1V(onLF,7;_lIW+bn7d%c@j?0W/!"B"Um?ujB<R%0BJO[mQ\DSLG*HSf-lMn6$KW&IfHHt%?;
%^8.OeRmQUV&BH+M^W*pBC.7Nd=e9aF!qHL1ht'\goPfuPi9;/75)6=[#bEPiEofWFje2@I#SQ`.DL.QP.4.nS0'V0A-N".B^0)2!
%hWVRB@L7:7:ap_Opl9!MpYVa0pIam!PC+d8]4*`XA%O+7(+5F#VuCkHK)6>*DRLkM#!77hL])Q^.1@"oFf\>+*Hg(eSl(2FlbY7_
%+1n#l>9N.TNf"idp/6-R(#COfU47Wsa[S&=VddCqn]93+ehd-\*!8Q&fOLu/j^#;pcQFu:"L]\-lHUp_M+tEu'7*61?K:LYj7cm4
%(Qj$]LndoT0W+7A"m,Qge2d=5aTnZjhc&1g%pS2nX?RD*TY9&ij1WE%OK@75fk7P.TT?L@^&o\U4Q2F9,(&u4-$6uH=#B$^5]/>'
%h>q!'O3r(?Wgu.Q,foALZ0foP5g*:-HL=dMKUX4lKAQ?GPK,q>83FIUq-eB8D&'WmDA%03$-N92as=0n-[<Ns*+fS:nG,JPs6p.Z
%;n0p*ZngOn\D^QO8#_DH-<YA4UM%u0ErIhDGK+ER;-(EL:.P8\6FD<laO0b3H>DPJ*B"HM`-'1MITB6DSkEj"$"c+N#`)N>T%&e+
%mtD:m$QVkmJpC1J7UDc=XS&:4hM60*FAJg+,A.6ipM$lKH<`uuDe<VOf'uVDe8ZHe@=>lQip54-O+!,En1:c$]q!\kE@*>diMULm
%F_m6ab?:,![a'2u=L>"_9UP_QXF_Q07k('Y!>R=fI/lH3n@'USc]FQ3@[o$YZE_?m7tQ359js/E6F@+4"C5OfGlfdOMc\6?$>\Ig
%NAIKs`BD;bac&2[k[Knu]@Q.*\o#3aUn2:eTp;ouStm0Hn/73@Y$Q_U;4NR//t/1QBm>YcSZpm?fE!>9@m]B'8]GV6,u;.XcIU_1
%5W!/SFu^rZV?t$4bQ;D="tkB_rXeiX_h@2kT+M[3nu!94_t@<\^C'Fdo1>Y=*B=f+\)h<Q4.4d,4&gqfYl!W406rrr4Vqk@dh&:S
%;:j&XWCXb89?HO[S_MM<2fSas.%2Vse%)Du&Lg\k'B^/2R5@#+S!P)497qq%eXd"`.4(Wcs/+0rAVbI6p3bFAft;bH9\<SA9nEGh
%$,6KYT#F.SL:qI8@pI#WYugA[.cZbb^9Kp_.ClM.CuY'^dSVJN/t+*LJd1@X5Q&TUF-![nMl[g"IgHGt5/YR`RZ;b2rkFUV%0ShO
%US()sA`PCkL.9/O2N9`:=k]FY/\5#s(W8j83O"=)rt4]"&8n/C3_H`MUHIus`@a^5q#Hi,[I!h_at'ojZmZZa4_O;!,!PICJ&8)`
%BWn@$[on/443K9s^mFR\e9G7P]tj&KNj(!bcR=pI*6h_&JleSB,-4L/rUZ3(j,\d16p&5La@u)3j2j"&^LN>_U?B#FQ&8iYB2n-6
%D\iiW/K>F^mD\"sjK=a]i_@G&HN!1q0.,@aDt2+TMcA4*Odk(b?Qr2n;d"Kh<%5m)4N`*IZl;*;^1q2JRp0W3TL>*"l?'B7Z'Cfq
%$n'HNgP%GWXoVcR:N$5B(PB:dH+Q)-,+b0WqSh=('$t@E3kg(mG2K=ngsgO!'$qVYM6r>Mb6Q\aOm(S,esV?^[T87gb'O@OZ/Y]d
%Q+M@a8S$%/^Qu$Xdd^p(bgDn"=?9i(MemFhAEo0W#7VFr\Z`2+VGJ:<Y7'N2G6o:B<ge$(m%c_^W_mba>d\PrT5Qt6hc=(L8fB7]
%`\&86KQmF^[C65NZ9KYSm.bt7-E9l';].a&CB4U8hb%4hp,8bV=)*V3/Bf355Di;e29^p05GE3'%SgL2"N'-6?$JS?325`m3`YH=
%Jg&5aUK@I#m)I0e9>:7kkWHp6hj:Q[(']JCmUg1"CRu[;CS>RW]NV)7!Dr![h1s4so3a6$c<n9n_p_]!Y[LYsJ"o:t^Ft+c4GTZQ
%hUSmYYL0fc0Wlmj;J5q@-tQZ$<q^,\rt_@Q=OjL&N'#4$4N:Qqbma-m<8f&7[=]TH*_"Q8hBIk9V*6E#G]q$30TLLbnsZmC)TP%"
%1R3gM$TOj\br-YZ%d'\N`R/Hdn4YUL7WlD(ga#.naq'ODZblV43[_H:`#JTZq*Yf3/h@R=`ke287AJaNU'YY0=[E1kRuIZ)p;2/)
%E/tid4$2bVXG!?G9iQ,;M@A8(?+(Vr"\aYFDM(o*?#QP-n%f?k[05,.`gO"kXF#7HEDIbq^YJuV=:hMaEI,/,3D^<l;E<>XkkkVQ
%.+AJPWKt`IrDhA-nOOume0*(S%SIR+5jV`?HW@+gd7J:]@"bJ]'f2h)Ha2HL5+Qfa5rT)b^L31\q5F)bn9N2J54JuI`c'8ZX/@TT
%mooD4Z`J)=0sZqn-hCe3lA=RS4J#Dd<k\3DHb-CH;nONhb0JG_@kl>jIt6f*%Z#;#-b/AaXa?@[/e$ROoM/!R>53QZWKUY/S1;11
%g("^h$&"4)&?u0`.@i6O623M@R2H,7eOfa(43tXQ-.,PjFNVS/NCX"R[!mkX4,Q?@>fH]^5!flB;XCfK&`Kft1@eop'U?f@gW4q+
%j$JHtM9Pq+mo[D7T*2^pjj25tClQl4qh7ATn6@r^]b@-^Z$gh&:T@K]RqVBO[KgRcQEWmLjfOJ<NE+-HM%?CMG[Q'bJ7te,UuTEj
%\5=O!nJ*^)$(s>O+$5LEgeV"EZeONZ;<#%ZFHlR1?c(#:1bt>&RID)]j8YtOlm`?J(2LV#&TTC;JZU3cm)3?>ab?tY<^L3!>6lcj
%6L)p?8TUbsr8ppt&)q%h>KL)9_+JDF3"uP=</*baP]H4D3'(%:6ns/:Q]A_t^^TXbLlh)B$`_B2N;fR8e*CP3IrWa5KjU@'cW]WS
%=:jS6`Gq+,Jkk/to5?'bl6c@AF"LSQ2ZMqVd"T`r%m"S,cJZh,Vb0[Q]<_"&TC$$rT!/7!=?,PFpuiV,%iX))R]*liT:sBGE<o0F
%\BJfI^5MhN=:;PapU2acL/sF/iiQ3U_(OX.L,YOIlJj^#aZe8_O/9I#-F>,^d.2Pkh_anKJ;>fG=g0DN[:s6q\bYNRq28NmIC3>.
%Kb4oC(rq:V(8nCRj`C0QL)%Wc^3&%O9WtDF"ZNE*RG,%*HLS7'+U6!SK"0R!e\gss;n*r:FOMgJF(^kq07Am8MOd@ciBqX?ApYgB
%o]7u7:`VB5*?Hla#(9^iI'7IB6#lOo0PnH>^$,_L`BdSqHW"_-$Cu-Ja3'%+g5di2Q0W+t:g31*o+jH/pPs-_Pm6oP;K]C47NIN$
%a308m.+5[qqpp3A9"F/N,(T'WYP?KrI*th0PUO6>/#n5*SAu?"/h4&iD@_PDH.c6Te^F1DQ#H>cn/4CHg/HT[aU[$D\R8d?],G#4
%Kg,%"Uc7$Y8pBrBq,4_<TKt`qW'nDIlelVFBi'_/q6Hrh$cC*kNF!5F%^eV"bL\`LTKMFLdHgRfDD(FO(8l!$Q",q,W=<#kULrS^
%nt<@fm5p`k?7HBkCY?@s4Pn;q\#Zl:U6I('<<eFDNgb18'9tl<01>'$Ee=V9QCSGL<[Z14kcUmEB\C/2<#sIGr5`+l%16lRT%ZNS
%eY7&:L@oEbpq#NLMe-]1^p/T@d!@7pAd</Xgp05@c2.2F%r-*I`TM54ZI[&);1C&b'F2$I^/qSEj#X2"k_44@;B"'E`5?3,SU?`+
%ldh_)*ho&BY*90n"eKL^Tms1(BX;c'Jd4_BCjW:Nc^"*lg7W`NcLh`M*jk@f1d?;=\84tY"V5r]-g.K0^+G,_'=C,A`8)W-;&T#M
%F8("\QF/[ef6Vqto;W;Sl"&E?.YBq6`620(,9%=d@>;J.qY5@bS9bnTI9?fY<<o'QI)cb4K9h>=of%cc;dAWg`j:'8Y4@I&(;BoJ
%PsOFFg\iEqB*RbWf4@&m)MO;2[^5)XreX*sqR24Bb&QEdh+TmaBPJt<oZ_`(`""h'GU7u35*(PYb6Z[`aqMp_G#opjc5'Zf50b0^
%d(hPdW!@1cNbA_'c)e?alLR-S%!q%gqXL5''GeKmD!B*]%/R8)SkE5FXm`'K3_+gW[Un_U)2Qh(^L5F:7R$$VF9[,O*B&0`PchE7
%Rr]XCi^(Ip\+R=CV2hHRV"]Ng%C+1M'?Bg%olUuRV*%u9`H%C6c#.sTn>Yn`r&,@8[;YBWkDF1:?/$f*IJ0e.hBL8&Ff!4JWo6d#
%%sq.DgRPgL!d^o_ep=Z9XE6k)[p)C5YC%ss1KQDlWD`!ZC`0j2WC0_BY1IYKr>8I^><TE+Y3q5"_HVj\B!8@5C=RCG9)7cknP],W
%+rcfVdEZ;M]l>L7"b"U$X1^HTZ+GPGfC@$Sdc3N<H9lKJgRO-\icfD^j6P+Qg[7upbs4t]rMfZHIsR_aH(4E^+"]uCQ+%KX-Qd1g
%$ZDjQ]?$;P;P(*_q<Q4nc`^?HkYld(n21ZY6Boo&"L6/7pH1,N`g+;V^GIq+=lJb+pPHrYmC/YT43S/a+P(t6;KdPkV#5E2E*6B!
%YD12<hhd[qf2pM*!\rm:p#+,4]0'$gHFZ^lY/?ZC[i<!iDSN#geZ8#k'YTbf+f*"d44BJ^`DmK+V\brRKua<_CaP^O*.;8p_q8Vt
%JG07m;E^mhHEtPe[rt)i?0O#tgtVaNY>&P%[VY@ZcNa?u!1S#![fpN;Lrb$<VrhKV9f%FB'1NI;`+L\V"WoXYT=]Y7^7XtKK$GGV
%V0X30dd4qQ]Fg=t^87B@V&BA([7,8!LuG3O@2CgbYo#cMc<+J`i^%;)1Zlg=@7>h&9<SBH6*ZuU1+9*0@-;XMqNtgGp8c3+AQqQN
%:h8bYK8(\)`kgM%qYr?1Cj@3.n;DNf\p5P*mrdb^2!ElmfHCZ\[=;U],V(/@7b[l/Gu2*.<ZfgtqB/`B"faue^WK`T%]''te->;T
%$sG!@&q*G7/Cl7L#=U\mXVuH_We2KZ<iR4aG*V]P^4;!ZJ$Br4\JZ6!GNB[ag4<h/eC&f2Z5MkG\`o'D,&Vt_/9(s#KZe+&n?q.*
%o%h)gH)/>X0jqL#jXIokFTX>3n?`.b&QQYL8'nuI=1%usU@Y9%a2$\>:O.+!h4#BX1c\>bgk1o_28Sdmd-%Xk7/o7A!PICm3*M!g
%4;CD*m]4:ia^L&#$.rQF?$(u'!R<*,bh&r.9PE3@roTZRb7u?tS4B)E'YanQ60KFG(>,$\nLH$_d_0Tg"@*R[bI7rUH&Tt&NE9gd
%Jff`8e4P'cTogSaa8[j_A:-!b:ETc1qF1HFf(g&3NrQX%gXQYs4!SN`^%K3+a@b_]'XW'<I!4,Qd+^eb"cG$m9d<d_*X/b:`2a=u
%j82nqc=H^lq(5TtV:!te@:U0YHqM0uhHf"L4(=KU=b\EhAG=/Ffa%(1gd=\QBD9@rjEiCUS:U>^.5;p3Z@=364iQU^69G7_H;2u.
%Gi>I1nQI2r0<6kc79CFXjk;GiPUXDNpjBK8;WZJW0Q6]\J"FSrdk02eOVM,"@G<82ktsaRf4+O=UfQAcC"PZDm*H"10ge<C'-W+d
%cE6B3/5C(gSn#D_A_u;;0<h,%EBtS".6\Q"&kqK1:kIlKYRs!`lK[AG8sc0bQ,!HgC^Mlb8b]!KPeQ:B7Zc%^%88,*o>)gGSLIKC
%O.%;A9M0M7HX1XAAjq0X`&@uY4F)9,rC&sB&%boe+iQ?CoYPbRgW@TdQ4%.lZiVOtm2)R5B;*Y^0=<sHjL:T5mnqtAmP/^aN3N;O
%><rYGg6-H'JN&7k?=?b$p$GY@f,A3`AH\<^Y\$RoJmd$Y)+FEa-qh,9[TMO^BQ<>)ml8&7>C0gn+"#mOB`eaF0;L\+KO$rG$M-!F
%d_U1#%^d`s"I^)!%pMUT4/eq&FZ(kIqe'p6WH:VoEu\QXU.X:-`OS?K"';sFC0j$3h!Ric;"e'<P*O%+hEY_R>2:eB'6rmF+=?2`
%-5Xf#[<OnEQ$[0LUkWXgO\0V3mF[b3V]!4"ksa3g:o8l+MGa'#i`+AA.WS10B<(m.!5r2%\XEglR5p=.JBjQ]Q)h3rdK"BJRsj%q
%@5K:;h2SC2@mOt0=/ns1i\W>(DBd(p4P<+>9:VE-*Z$Lc&ZKZi9gl-glG,fKlt)Jk0C7Y?(o`>64`k@Y2E>h0.1%chE'K0i\Sia^
%d[@_O2E-/D;ko3Ygp3piUVo>q#R&@*72`9c-2(;;@oA(i!5N"Ujfds#(]^Z+fW;ci]"YN3on<^4c,IRK9WG<teJ4=R<^i4M?<3\o
%7@hDc7&k9STun6(:'JO*bpNIj'(;X0D$jCT(Q22u==-UE"'?-KZ>pmd;A)d-0o:hO8tLs*Ga;ZZoBVsj86j,$i]1U6,g(p4erI+s
%7\ffAkfH=dj=&A2M@I(+cfP!b^GJX]il,Uac+Tm!6f]7Nh\+*opjK%&`,ITJQS""VZS8YWo8S#;h3J`_+!nYc*<@Ac94t6al]\RT
%T/q'Nr&%qa+Rh+jY<f$ZUKD%nW_1n(WjLI[!q!$:e%jl^qnfLj`LqnXjmt4.#qp$k0dt'JM[;\:]KQ>/eDrA]N@S`$H1KZ9'n0Sj
%DJ@=+)a:lVL<VAB&u!J-:>:;[?'>:?C,0KNQ7o*8,8G;M%"K"5B_ON(<WP69"4/cqb@9;Uj7Z()2dfVr9iH/3@DW'RQ?s?iE8i,*
%HU)r&(;o\QFVZ`a?4,Q?/Y7n^,PL4LH%9O>@tZ4Fi[WeBj!%9F@O:J5C.RbRS+a_Y4@DEV-P\s$(5)R-Q=bOEEk*R=IGC7_K[<\2
%1:MM=3>;$ZSm0'14f2Z;Knd1%MArOehj!.)buWlO8*,\*9o4+.)$Hd<rKM=Z.94*-]F#YGG&NBfm*"5_!$#i5<b+O+ld[sb>E./D
%I?Z]05'^3fV,1gShAct5KVj0Ig:oM\d>ZHOmG8flgFp(/]la\;b5ompEBbJoUU(@`>i19<*0TLe,0hjtZ4fRTh&n^=h"%t3_a<%5
%\F@Ueg+*Qrg+i(_@J+isN7QLu%33L-FrFbo(8ilF$_;!Hp"E)?b*/O*]qZZGS;uB8'VE&W-KjB0_.SWSW8JNbUSGmJS4uiBmFelh
%,FY:E5X4OuUT]i=:D7\[j;sj`*EaGu9GTC2m/CDhrU[L]/2V)2+WF'EJ18T,bBC0GgR05V;*UKNF[aK$YWF"3f02=N?]*\.mEuVj
%It.Fr?<%c0P@F7joR!E@`7_P'5J'HRPmt?u2#PJXV'-0PpWI*@&Ga1argfnEK9fH(%@prP\j_/eWp>G.]l)?.6iou3+B;4pOKkIR
%;&\#-Te"h6k;P``8U!SKX'gHtEtFfY:j3ZA5rg8V(o25Tdo.@mRHn&=\^D"dP>=c@84=A(0e/QB$:\4RW*$@hL=(WFWF;S?Lg6.t
%qe^U0]c&;Y&6J:.Cd1b'/aD\,8$n*5MtZBEl>4-a&oU.]Ld,%<@Rs5uUcU"5^/ad@ZCRtn)#7Q1,PY;u&Ku_CBMD*B%(]B=W`W&/
%K#/8B'BdQLDiS;j16s90N2t\7nN[?BctR.>=e(8hU!q;[ZT&JZ6`6J@-bI'#k8ZPM$p$tgi#Xn#g)5"\Cr+qKkd3/0jOo-sk0RgT
%crlloae@2/TT`ppm[QYBSO(<Y^?qIYVk$+$jRDT(6g)qBTMtNFR*;8QcCbjH/i3Zne^N@j#)ll&%(pm5:e!29bik:9la:`Fe-k&,
%p"Tc""-oTcUc,MU:O_>+-^NPtV\e:@0G@*^\ofX;?C[0U36ALCUnL3m<lQ(O#4n77PL.jGrIR*%+)$(MhAf>g>EO"sf,$7t,p\T^
%9M0Vu@sUbAbXW[4Qj0(&;s(;K=iY`&$t7oiV5i2rNZ?VCTMeQ]edDYD=a[ElIGDi*V$07AT,LRA3_M7B$DJ;MhtA^fJjIU--F3X1
%]f`tsUW59_Q)%)'-pLF3k;RYD!+6C9V%H'__[M+A<:dHcR>#NkdL[t6=j'".&lI)ca\D9cY5LZ:Vkdhpb%#cj7[$Mg;bXeLJc0RN
%H$A#WUj89N\4IAY<AY\N^25gNTPPa%aP_p*33Jk*D]fE]QH/a,elF/WkOD-6/IF6%-M"roF,)C1iYZp"8Zg=a<Q(^'e3`MQLInJc
%_"4"fU&@V(.IH"F;$:)E9\oZrb2^sqM(sqtBOA4:6.d']<)R6pB,5)?dtk"_%l*19R2mHJIM?7;Oig`K(l"F-nJb]T6gIUHO'X0"
%0a7HLU78s>'"b1$;EnM`V$it!<JD`/5.4#E+!'WQT.*[Ip/-V9WT]X`=2WZh<5ke@gO:^H>+>!?Tju#U&WS`WF%.ubjc&WSp;r-%
%c(gliVFUM=?moW`;5V-;+@f0MY)`gCQKD)m^[f=:jVsQOOjqRS(R43I<P>J9R22c^aY0]_)7P<+HCRIEOHf(0B1*V.:H#)2_5*$#
%I&S0)9(]BT[JT_AE,s'tZkYl;'MdBM*>o2tGcl"'S/G+TqNPC^Fm_$=`_3]gL!<1DXUI9i*Z<MlF<N5R(H=uL12#\DC?t;Jn53Yg
%A()=caIJAMq$e`67&c`HpW0;Q^e`8ejH5"i\b;(,3]GuZYo$&"gY3s*Z3:p!HNshKCO9S[)6%rXH$adH3"J+QN2cFhp#I*C:"0_$
%)iKm#Cprn2PLh_k\8`b9ntL;`SA_a<;EJ@'W1d'%>WPK+(fO2#7En*YX@5>_/`kYII14)TC>BkA1jr'phCsj"dRBR6Hf^;D(11q!
%GeL5l3gCBlBr8+`J-\oQ;no,#KmL_LV(>RV7Wu:P-`QUZXW<P#.-MB3QZ?S^k^5@$5Q@GKi=+O,[WanT)[.h:Lc]]BS@JpU?1[%9
%EIH)aA<4h'iV(A/1nG5uN1q44GbBFD/g"5b&U3Gd37ajLW&$AtHoRs,!fde_&'*M]U(qFR;a0!&/Z*QiK7#*Q8EoVU9.QQ\0uG`.
%Z:fr&F\<r6O]tZq]@$WFros*3#oS\T1sjSB[2,W8GYp[\j*A\u+=2L*9J4hUmTlW)%(q&-o<"lW9IHB]JXDB)'oqi]&t91_PS'V-
%Z@Iqeqbl(Zllohrm.)*nNK[f@q9B!%8GSW&)&Ak!p3fBm*O9&G-c>Z;+L_C3IS>is>*Krjk5]%KHJ,a'c/*T\oOB"*>b]lOEZ!;o
%oSOO"gSQg?d`C$1g3p9:,4nQ!J/L/A;$PGl1/aaZ&"&IdSK0=-p%eIb)6'E;Soh;;7V^P(iA\aE<&.@FT*+RWkXBSKZ<'7[bU;5*
%<9)RqCUg`2T+W=ZND!3p"rSTXi"q32+!p1&fa*4@W0do>n1h9&3bD:K3"8p55BrPp3"a(;q/^^PKeqo$gbfgAa0%O$.NG0!F\-qY
%<&hmu?m*p?Y>dL<5@uJ5%a!$;DM2)VaM!iq5[oM]3an/,.X-rJQ$&rB'.CJ>d!u39Ff'2ATm7ZU[ut&Q]^+MX:14glW2&+8MJth#
%#O4V[@t_g85WjknlAT/)>W?]Z;+<[P5+l\gC7HJ/98\GDhOiY7>]&t8]srGaF],?YR*=_[kP#/#n@Vm`o/0_fB57G.Mo+B5#./L6
%9+T@F!Tcr.$]I'^mTu#?q//:_/:MjkcGbs3Mf[[])j1J,BaRs'R=AtP-+c==-G(igDb3hbW&V\T-kY;DPsM1*UY(Rh74m1e1W+)B
%f#k3I4!&<?#Ba$n_%3qY/<;=u93.*,6AYo3VLYdRZ"'KWX$#&EQ+3?_A=\!&1[OJ)DGYIPU/X3kW!jSe39eW'RsKfp7k<9[.&oIE
%q:bA;1+90CkI_^=FO`/5DDZA?05GdsK,0BS-&DjJL-8uu/E$M:F7D0F<(OUt.db)u6G"7>L&&u_bSo]mQ^k7;K'7kF[qWAsarfOI
%i`)/'SC`Y/f+#9UKun\J&W^lt`5qn/aT*^]e=Mn6@%$r:_H>2=W@"]2-0:LEQrIB>T%%/6hb$,qC8X[E$<(tKN&l6,/'/\%_Vo:V
%%K`Q=<6X[KopI6QVsB&k]ni2@ol5-3N5k/J9hDhFJ75)ibnUeeV!(f4:d<8#P`Yc3Za-B)\EclnkdEUeHY:eFp;?6^9rF4K-\C!%
%ZK[U>AiY)oSJo0]2OeUAbfAP#Ym#u3W,+L@\^()l&!fq&m"UUMZft.Sj?9g5Uta#PdM_OXS'7a.o!=-iTK5n-SPh)2H>Lp1flTiD
%TgESAT%S4[^g0-j:?,Z7*OG!pEp9f6H-g@gV(%8^bCQt`P]H#aRaN@bl'.E2hU?hUCc\Ek@s")*B%&3.K=d`EWb9d0Fet^;Bf;GU
%)e+TFVGkX6gBV26MP1Nup<'723^uu+J_rJW:=K=5(uufO\dMeu,L3.'')A3RFNQ?-LX)bql@@j8LWlVo8ftqcEY"U5VdqnoZsD*A
%ACDt-K/.l`N@HmrLc=uG%X60p;c63+p%\.dVWf%MBC<W7AcP^^X,j[--k^;CLtT/oDD@[VA2s<a_4)\/aTnhIQWC%c[sQp6[<csf
%prQXAl>Y1RCo[Ra!D5<]<_otSL'!(:C)pJ$le0X\bch/rPa&5lm=S2t.<Ur&g:1!>kuOFAE>X[,%<\i.:h#iE4iD:VKsTt,\Psh&
%`#flebafh")TlHU48)DaD3]M;13\oHE^n?0G:I[C<PMEjO`$LI_.E/Yb(]9-/nh<0SJnue9N*]Pk"a=!-nf[T1*^5>bagpE)iI&4
%/p!qVqe#3a."$4(Eu7.Hm<buO[=dRDS0b@E7eT_el%Z#\h0\>U/8BoK0t-UNP4a3GlSMRZ8#Ma4G#FIXXu)G8B/]Hb5us]g6hMQ3
%j)t5eafi^!UoGii25Bt8U:\o3.r7)?g\F6sWDPsZF"W3qeUmZ79KQcA<:c4!:egQ0:-%oc8)f`p(OCae&;FM7m7079<p57B.lI/`
%6p@NhinU")EBi0i>HEhM7!@P79IJDKo>KaI[0ftL_m>T9PW!t@+R1L2:L>iQiCUVT%+Z7.aY$RiILX!ETN%rcWYIl1g6tO'a8jP.
%MDWF,ERbok>GF'U[51bLk(h>0R'$p#_=2>[1m((fp/g8plI<sDotB#lYN5aAL:1tKhW_BcpTmpb-We?'l\a\-=!^R9Qel[p1mL?L
%&6"DoH7-?rp[W4`'=ki"2SuBtSum"Ah[qkMiD)0Q_Cukm<Oah^[sF)BGOitu^!!-#<k-nl;P#o>;6Q4.OF5?j61U0I<k'sF)rJEI
%S\3g[]Z+728;0.#\!j'7'gq)Wob+Qp__lVIG8,2N0oubn;KG+4<)'I]g3Z:o#+DF44cXMC5j"hmbAq^n\RPEge!l&>j3Z*Q&o1>t
%.Y1>M>>2dRom>XSP*l$g'R@7%Sb(UF&#)2fG5%hDpol[po(d!Q"s6c<@o<>=B;qH-_T0P28n32"d;2n>Q\U3!D2u1/Z[I&4V%dCm
%[^ujX&g_klR)C9@O.eDJ4*APZ:,,.8P/f&>]Tlj,)!6I%/]BCc'MV]seg<cX=kc3P8'u`$qA&6Y<GuX!.JKd6O6)!TAs)&QWM$;J
%*lO$#\E8G7]D6X$@CG/SbT8B-CCBR&j,/`TD2UO<XChWlR@8?4ab>Ae*CKu-&tr2NTJR^VAi@jdQY3+X8^V=E`S-$d;S,qR/1ra3
%9!i_YETV>YIQjA3ePI)qF2<\Sk<q?of"33._fiYZ4=TI2S_BZgbULPU+j'\p:,^%h,fti5Sb0,8P40Zf?K\;)Xu*)rM%[8HF8o;7
%dNG>H-rFa@Y#P[c3eSJ-G5%h9@W*0;Q3.H@T^k-[8`,CI<0Wh`EFJps&"iM.Q/"U9>;\9T\ToFMPONst-WBQ[@.H-:NTth3qai=0
%DlT1BaCV35k,jrt>4J9+p#5(!D:"tW'&N;6KNlUJn1L?U.YG_kP2_2d6*Ick'VC5g'7diC9M[.G<+pJbW#bhAQf_AL\+DMEG-%(4
%7hq7`Nc7X\a]@dV9g<Ve.B6W'Csoe@]3OB@I]+`.WhD,H*YS/DTC3eu,Wjn=8XTp>;9u\6BY+(?ApGli`O1P?C=Vi"2-`0cBEkmT
%gL<q^F.lSP=_Z$0<P)e<ks]9'A!>VP"=WS2'0/dgYIuV)4fGVLD:Gq[R?V%.'@eO':D6R]SUR)pYpkO)[,b4C1<b-S/KH:P$I6-5
%<SP8beR_J*9R/5XG^Ls^HW@R7cKH^K'OjM!q5\hZT`G8j[<R4#*a%.f^AbCh,5,g>lQ:aB2fN<0GH^[*4Ng1E5INda%-NQ5=tQ[/
%l!8950DXS;V(?;U8'U-uZX%o`Hd,#?9TRmI`^Z7SK@OlB2K7qedYsS-R=3M.9,4W;\qEcUZ7?#04.[qtZ822e#Y>"^=o[%V*IU>[
%OU#G,iFjj+/A@G7,76;,%&X0@C>X)?.`Y.7/mdOs<LFKnNXf(X3A@+cMl.hAGOe\LqO#B(5UjH,P00c$.?,"P`dm%H]*mh,(</F7
%chZP]^@BJ_cdoMeV,EQb3n#\[COBIL+X*^hA8;F+W>GB`!FiENB3XW;lImDN""9EfB!VJ;889X[;!T/8eLjNse<=%=-F3]3joD]W
%In,!od2YC\h9nP(T[=`E6WM?0?t-dCSjol]JLj']3IjT)Ct,ckNTXECK#?A$0Ub"PVJKeNdl6Y65X&[kCQi>`e%S9HZn&F&W[OK"
%0AN^!q(.EWJD-fB/]stfOmOM1j\t;OLG$_^dGoue.E[FR5#_ROV\\AmYEj=PU3s!6/,(I7-_"#)I[6R_MBbH*%Aa8MFo?tR-rorp
%l#%o'\pc`Z_X11O:Bb3D<PLoV%>F*Dm2p1\Uop>-SC0^gqIs%(1OM-G:0g)ZG=1b!f2"q-e@Z`8canSZ+c@b<it-A3Zk[b\#bkVi
%qT5'SXm2hJ;qdqJT6<>\7GjeSW32cddO`\]eFbmk"VCXDIbG0=V:aXIrO@MBX]s'EYNr),EMf7i\7>At3:ql"5!mj`1Mb[YY+JU0
%Rm;+CAYnXW+u+BGQ-m0lg86L#.IC?kO+Xl]<Bp*Jp^WDW^2mREmAbX4eDi?6TVA#6@]ll+Af)B183K@H5P@?2V5g.9LNhYJ'TK,A
%P.6E5lM>397JbO.`EZ\5"kUUX8sP11l_e%=mk@mY-1*QO6t^moeb.BTkh=/oh6F,TG#c:?lLC8j'!,)oDspmmpo8cJWQ1p;`#He[
%fWOOQ0^h:^g30[2IL:?2U+8Z$U[2"4:E6^R?.El6X>H.2)&SPJ:tJM7]K$M0Iuq6jg1I^[H@3?VlB]r[3rg-J=7t=M*hQS>>3Ya8
%mCIbD9(C$8P2E4E7pS@HWdYkSO/D4=mENZ[eb.BlEs*K;YHFL6?8AR-QWorDlMBo+leA,9T3<lPDf7=3f2"&4j=k`T[!TVQV$hDf
%]?-QjQ)]9[mS9+4Tqni`OBJEeE-2](\[m5^C4KED*N$!32CMF.d6lFViut;`c.TfIc:H70G$R=RI`l$_qIq<N.bm.s6dAVCWEn'#
%<:lhQ>sE2F:rLEJWp?Rb(iGlimTA(:"dEh'5IH[eZZZ5R:M_T-_pnA.NX&V/Y2,eST.7cuVL\YKP-GXGg'9Ucm+U:]qIp<BGo#SG
%Fo@PY6_+]ri?0/;:2<OkOUG?ZQt"Zbpa@j,aW.o.Vp[#kdD1*Cg7mB!-2=\]=a;PAHhUM+o"p?R0*m0Y"Lo/E\CfId[7!kUR*GTj
%g"6?Lf*0I)8fVi1lDs$0>%MR-O6(L4i(P2Imk5m<8CY-FXG5l,Y,a=:-bO(f7uqgtFmZGF9/e#@q_ag)C>M#ZcLIu=G7?bQJS;Ch
%h2.*rooI>lmIJ`cX::YU`8u(%qlWLCC@BEnld=e%*4jeXFikbLVj$k#^=n^QX(fIqo"OTVB%BUfe*U<k_acW^HoMWsM5/B1cXXY<
%k=bS&h!+:&Bq6)#B8,I</D77Q?coSg)jS%(peL[-L+!XHBqj+g0+hd9r/rI8?%+DmUU.aVo9jd(>lMnf>.BR:ZqPrcIB!#''A='<
%:4"4CGHoG6ol9CB6<?P%2MjT1m(VEUde%9[GV!FlV,TA'(J6qJFTc!\mi,hG9h;kkH$f1sbflfJ[en7:&$OLB<*\bO/U6>>G!7aC
%i[9q[ZdC=r]AB",'V.4tM#-o-:tVZ.@N\]9rW9IrPudTV2.0XK?:$&ko*.V+eP]k70iT?1=)ZB@`4(WR$.e"&':'t9+#+b\@]ne^
%S>(r9\aR.(B^IAOLIok+:p*>h1@Xqq4S+$V]$+3LDjS1+,^!-[*8M%o0B\?&?7D.Tqhbejj%J4Vja/pI@<)/OIcmThY#MH4nMPT\
%+*Bprg72<N5Q4D#H?g>4W(pp^-UQYX!0ZkB-mBjc^'9.VRZG@!\+Uq.Y2OW;_hF'n+r$_6pa8<X1P_So+8uSbI.Ie31BI36#C7Bd
%n_`<#e'kd(a7E7ThHr&\R?P4!$1k<V-gE'kDu:!HpdO&mj'VT#05em_`Q>k%MI1e-hY@t@kXFF.qT6F\o\c!tjgr.K5P'^MQX>An
%quYWoQN?WW7?Tp^6EE_6>S8GnBhDF#FUJ)CR(dpN:;614+4I$p+9Uh?J7gi3J1Bso*p#H(2!RU&W1Ri,?Q2f7.p)KngMQu\M8X!5
%&SdY[To8%m$u]@!r0HnAP65^L<fe2Qn/TCRC=356<qIb%YF-'`mRW;"^bQdnMCm%hl]pT0csoVtUJcTo&i\Sj+mP0u3EE&lgQQ2*
%I7mpZ@kRpC6VX/mV@DQ=XSI^q:?V;8`L3jahnKK]7<peD0t6e%&[G5e8d]9apC)4DKuY[bTREM`'k.-2gf!KGS#9=]l;Z0[m;0b%
%1@e,'/"9^%7:a_CV,=N'g87Xt.-^a'4;1mMc7nW%2VlB<,2(/>k->hK5%RCo@*B\)%,bITQr8?;PIkaLM>Mp=97UA;Slb-(aB-$$
%W$"o#Z]WHDdZ)Fci]<Ir1Zi6s^2%Z8\8Pp,I'^Ec'TWp/OWO#uden")>2o$Im$(qHn$gCd7@+;LK4brcpj^WuddR#@+mS`VaZ?[r
%T&(AQU_Y?T[-g<R<!tCeiI?grH.n$+@X"+8gGh8[$HaVQZ-Q$_/qB#oD]N9j6)kK@ne%R9`eSa)66&50kU'2S!W^]j9@.t-R3ou^
%ah\pk6=`?m`]%_Z]BqR5(KH#tT%W^<4+):Z7a:BIRGLUR*o$qRJU^X`Fl:FbSJ>;>&f5D^gkg2VONmQgh4?e\ZYDgAmM.6NJ@-L9
%98oJS2^X:Q84_=J_a>ZlFF`dZ8<)CK*=a/>@DRV@W;(`Q#To[$Oap425@UsX#)f+)!dtkqT"V3d@>q"Y,'=KQ^H--2mM88=Yr<@n
%+4iii@AL*ZKps6IjKkTtD/#<KMdOi/pLtN5EE=;od%D12quX55pY""'9U%0QDb4=mf[7F[m70H6OqoY3$9nT"QjY3nlHhIgl;`3e
%_N_'1(0"Bnq$"ki7Jg'H/M0rHA0g*TH!^%%=<,5o'#u'QZ6YCS"C2<-An:>C?*"baAI;::A%l77\M.V0It#s>]3sh#.c-!'mA8N+
%KFD[MC`DHEcZqrb3)=C0>Seh]kec.;\p7?08WP&l!L#BR+mm.]iuE;Jm*-3rG8W\H:gtD#Z4''rM\IIOk?!G+$k`GeK0AdhB.Bfd
%En>tl&CP`t`Mq^hTgef,@42?+ft1=#H.i"Ba=E_//:>m-h-GVT!Ka:K'dH#Wg#oFcPoTEN7Z@=GQ(6s%5?T:FI!pX>XHErPs3FZd
%;*578jZcloLOE#uTb")b$QS;AWoTh4,Gk;cX5pK<81E^B3&,m*NYt!4;1__`2kpKlT<jmd]c:34(Mja-1\fX0_QM:(,.)LuZ&4*t
%%Er61/sQ&#N@k]2bc]sAG^p9WnPAqX4V+iOQEe--e<J#-9EWe2c"T$lH<:E?Zh';Dl,2:#Hur7KQUIbCB*dJ&]?;+j41"s[(UpJ.
%:WGR[N*h+e`.7R1.A,g,f3SW74e9W@_bK56DpKt0QJ849+X5@8SM:g,.)onDM]CKISFg3k(IJt*9:XZJZ@(tuK=^Pl`Tk:ms%?R*
%nT_tjO2PPZd*6/X>[B!P+/>7SD`P(UZ;m(#SIO_Xj`&ijrb#N(pG^R[Ci)mM6eQ(c>)c#Z_u>$;K]WQiDo+DY=dL5rLC:.CkY=q`
%QX&K4;'&dY2lU]RSS4q_mQ44SP!\TK)iN2-992kcc66>sq*2W_k\#`Lg)0]]jqD?kpGYo1UL$H!\BJfI^5Mi9TiSQY"k=Zp^6)!j
%pg&+q7DOT&<[(+JiQV&lP^C$<R^$&YbRZr8!QIID`e)^bM)^!DpPE3Knt`L=^HT)O:+p=gN&rk3:p=e,Km:]$pLH&Cl+,&_D83IR
%qS>hsili1ZL'KX:`C%W,rH9_(VT1\iFcHS<j^WHKbcDJ$j%GpQ8#2-T5Q]160^auY[N/N=2R[+K4p&E9\g@],0Z7(H_f!N>rq//@
%ZLiag'@@3eR<0Z]<#BZc*S]+Y[L9;Pf:5]@,m::r.c#6!6XhJN#V2"a_,3D8]uUFHXQ]o;KKp-d$_Y\(/GJ.]jBoR*VHZ(B'qU7P
%0'E0WGJpP,luFt>'EKjh2:#AOHU%^`D;`ABM1:+R\&$B[7d.I:irn:C$&`OOYcqOG@iI20j4LJ;O(7&m1qF#;9AL*\Hlp2N>MQ?I
%fpkn!.EkF/!5IRDJc,U'5S+&a],hMC2E(u_pd]j:+k/Y<:4CDl\#%OtrP]GBRl,`>&(ffN+/LA&Wh+`TcLO<2Z;*hS%d(@aHm#q'
%c[#FL&MKJ+Y$nA-*MdL&?*tbF!L$`P8G%-R*=!t%\hjqNXr,Q4=."d>=Z5$H%C$&_HQ^C9^$:0`5ia`,V"[KTUq%rYqpt(fnR'^S
%(aZXG`rLA\e7Sai+"JHp5=L'mUOUQ+0&Zb9>U_H/T#7c@+EYhrj,?OAR'FiE)L=+ail`X:f]hG:=2A<F'HnC2WhT7,/gKh8m#g))
%\/F6b>`FlW?h(G?:>/(:6R@odF*9[?I@SLe:\-ko9`2]<J%.ftO]"aGBG!3+LF!3X38=M&V*Ws$["7/jmNb<C8M?k8]#AE.3oakk
%,GQ?Y90j/:GZj^ZN17o'a:j:!dlF\X%tOU7>6diQX;lYb)&KQ=pEa)aF;JD.Nl[9QUb3"ZdfTst?`I6KE6apOZ-6@W>b9O7"_S:0
%DtRe3ZNa^gGenOlk*1"=N4<3S>O5@9UsA(>.9if8jkWhD>Abn$h%4e7mFMD5%Tf9U/t15##pYC4bn+6]j.\Zb>RY&>)iT:X!o^MA
%IFeAjZHpO6+54I8n'E%FP"ce[hqci!fQ>jXRTJWjd"&17D9Tr;GE$H"Q2m-1XsJHW'!i_IVbk,!Pe"(if<OBQ3=.QK9?@q;>'^r)
%%\e;:\T:%I\lUcJ&0N1?G"%F)KmD]Efo7,,l96S#^/&/^AD:L3W]L0aIsW:++\X]ZAbSW?(@#1]*.GJ?^t7+SFWoVqSX+h/Amd:d
%SP/)GPfuFPqZ=k#&:9_PjC,+FUTf'=P`&kiDOhMX(Ktl:7(<<@&X>\h`t(%k?bYe;r6kA#@(t_1cf"@b71QR8,h8b$.-H32K2p6I
%MK6uFd>?BET;%k9,&:Z\r21t+]\1K-k<DBqa2.@Vp&(^9kJAXiHLtX1o0_d?g<)GA\eilfT;%i#4sj.Q'pS<[Y]])(;XlasF3W`@
%4A!Mm_T/W?o-BTFhYu#g<)+ZErEn7[e;7EuS`4H.Fq7`G:3b2,Xu?a<+O\@@5=Vu*pW%5e+g&ug&b(;6hcR`f;K43%M85/XH<Tc?
%gpjJOoN:FpQoh#.Ea9OTf;&/C]DQ)3U.5_1p"O5tR^=he44*]>lA!t'*G>nc4NJo#JJiV^KJa/;s6qE6F(HMH;(<QZ&lp1n$)@No
%5DV^tT]$D29SR'@8N91.kQLl09#jKp8":'Q[+4!R?FI!hMcQ:(=Dp?I'b=d^_(H%Kq#N_*iK#X:oV[t_?<Eh+#jVK8i5S)P@k`AM
%)M\8]U(Q*?[=h*qQlonUUUhaF`.E(V@1C7Kr*Lq>@(qN;JcneO[sH/#hVk4t0LA:gX&p3B_&q#_5r&l_BT+?]7)CIs8e^/k!d.1(
%LN2r\4;*T<2o5Z*2H2LGUkj7`ngk9dM?72&0K"A.D+-h2E%?0eqVIeSSgCHr*iAHpoNsGq31a&.JNA<A-"+"J=N!gq,RapaVdOOU
%1km*F<PUG&:LHLC&!Hf>7`GJ*@W[]bYA*2bNrG]G$$PhqX=%HD_oguTE0LiBGXN1,(ksSq^.+)+M(j#RD4#2b5rp"'5QW@nGGo:>
%_,rN2`f8@'BYjoD%7p^JnZWk5pe`;oV^qg4((>sQ=CW&O/f5!K-4KJinc"Y:oH+t?(k>LM.RE',#^coO,0U6:TNfnP(!#X:WA*p*
%9E\kp"\k'qS+7?e"SG7u"LLq^aiOHn!K[(Dhp<(a&Zd0MZC%)RdDCH^E5OBF*_cuiJ.N(tKn]^u@>4tGiCO,d!R@A,'=^:%J9rPr
%'VI+<)A,1A',60ag&j)C%:ae'^e(aqOoYaf$^SVj1$fG?!#cG-UA]%_U#'2,MI7)D@WAH\g<<bKo8gGi2q\Ub8k2N"AJ@f]E_K#[
%7X,]0!]gEh^p>^4N(8]&nh\\&@6c2J6]sq>'t!HaTOTO5Q5'U#7VN!@R!&P^KV$*q&]?#p@#U+"3t#Rb!f$<mlJcFV.5HXl"<o/u
%TKs\414asI",`<4W:6U$$.Dj-5uY/#<B(hl8S/GX)5kDKJ9Ah@b]it@TN[4<F,)tnKJ2ft\rDW>!6Y`pGk<S^B0_AC*45jX73Z/6
%0a'qoGb20./0R,AirT,mdT/)i3IV$8`o8`N"QM.E<Z(43P*&:oIo7(ITn:(o@X)n.R\P*o"9J&o%3HmpM!tNVO5pR55e[t`Q_l/f
%aY8f2-$b*NT8qjkEmJ2[@oS\`2MN/[;cHlkJ-lp&GL1$i,M82>Sf9eb-l,`p.Yaf@L$_2?'#XrE^`Z)+*>`ZG!lR>nRD*>Qm4Wo$
%No:!PnV#s0C^%ZA'E8IV")K\9C;oX,,T9@pLmV_FU;-n@(f4J<-qF[H$U,J*#&SdQ!b+pCn[=)_Y+iH/#nUNCGZGVFK:*phK*N)*
%([[/p$Gp+<BSPu6=omg'oEC/0`JB?6M0R/?1I1Oc't"B3n\i8)-R'_$<<DWGcjHQ^%C--0'I-1]k&Fd-QuRZWLgd.dJ7187p/t]!
%N!Rid.Y`KXgQoWZ+,qC`":tZV-RE!Co3B\o$[apgAHd[!KP/i&F]0P9MIMNdOn1lW?PR]@_A]H"er4W]mE_\gq.;OhY!0IUTliC<
%$q6Ug4i\t0TKZhm/caI]ZdJ^g[[,as"OtJQ<VMQJ[6'l&fA6+=!H5%]bMd2!?OidMq4HjWI)7`G7J*Tjq>]':>ds~>
%AI9_PrivateDataEnd
\ No newline at end of file
diff --git a/contrib/bind9/doc/arm/isc-logo.pdf b/contrib/bind9/doc/arm/isc-logo.pdf
deleted file mode 100644
index f6b9de5..0000000
--- a/contrib/bind9/doc/arm/isc-logo.pdf
+++ /dev/null
@@ -1,1193 +0,0 @@
-%PDF-1.5
%âãÏÓ

-1 0 obj
<</Metadata 93 0 R/Pages 2 0 R/OCProperties<</D<</RBGroups[]/ON[16 0 R 38 0 R 60 0 R 82 0 R]/Order 81 0 R>>/OCGs[16 0 R 38 0 R 60 0 R 82 0 R]>>/Type/Catalog>>
endobj
93 0 obj
<</Subtype/XML/Length 19687/Type/Metadata>>stream

-<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
-<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.277092, Fri Feb 23 2007 14:16:18        ">
-   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
-      <rdf:Description rdf:about=""
-            xmlns:dc="http://purl.org/dc/elements/1.1/">
-         <dc:format>application/pdf</dc:format>
-         <dc:title>
-            <rdf:Alt>
-               <rdf:li xml:lang="x-default">ISC_logo_only_RGB</rdf:li>
-            </rdf:Alt>
-         </dc:title>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:xap="http://ns.adobe.com/xap/1.0/"
-            xmlns:xapGImg="http://ns.adobe.com/xap/1.0/g/img/">
-         <xap:CreatorTool>Adobe Illustrator CS3</xap:CreatorTool>
-         <xap:CreateDate>2010-03-03T12:03:19-08:00</xap:CreateDate>
-         <xap:ModifyDate>2010-04-12T11:34:01-07:00</xap:ModifyDate>
-         <xap:MetadataDate>2010-04-12T11:34:01-07:00</xap:MetadataDate>
-         <xap:Thumbnails>
-            <rdf:Alt>
-               <rdf:li rdf:parseType="Resource">
-                  <xapGImg:width>256</xapGImg:width>
-                  <xapGImg:height>100</xapGImg:height>
-                  <xapGImg:format>JPEG</xapGImg:format>
-                  <xapGImg:image>/9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA&#xA;AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK&#xA;DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f&#xA;Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgAZAEAAwER&#xA;AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA&#xA;AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB&#xA;UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE&#xA;1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ&#xA;qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy&#xA;obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp&#xA;0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo&#xA;+DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8AimFDsVdirsVdirsVbAJN&#xA;BuT0GKvQfLn5R3ctkNY81Xa6Boy0YmYhZ3B3oqt9ivblv/knFKZP5/8Ay98sAweUNBS+uk2/St+C&#xA;SSP2lDVkofbh8sVSPUvzn/MG9Y8dQWzjP+6raKNQPkzB3/4bFCXRfmb5+ikMi65dFiakMwdf+BYE&#xA;YqyCx/O7X3i+qeYbG012xf8AvY5oljc/LiPT/wCExSipPJ3kXzpE0/ky6/RmsBS8mh3horUFT6TE&#xA;t+BI9lxV5xqel6jpd9LY6hbvbXcJpJDIKEeB9wexGxxQhcVdirsVdirsVdirsVTGx8ueYL+0kvLL&#xA;Tbm5tIq+pPFE7oKdfiUEbd8VS7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FUXpel6hqt9FYaf&#xA;A9zdznjHEgqT4n2A6knpir1SOx8pfldbJcaj6etec3UNDaqaxW1RUMa/Z/1iOR/ZAFTil5x5l82a&#xA;95kvTd6tctMwr6UI+GKMHsidB+s98UJPirsVdirsVXwzTQTJNBI0U0bBo5EJVlYbgqRuCMVepaPr&#xA;+k/mJp6eXvM7pbeY4146RrfEAyN2ilpTc+HRu1G6qXnWu6FqehapPpmpReldQGjDqrA7qynurDoc&#xA;UJfirsVdirsVdirLfy98nwa9fT3epyG38v6Un1jU7mtPhAJEakd2oenb3piqeXv53a/DqsQ0GKKw&#xA;8v2hVLfTBFHR4kP7bcSylh/IRT36lSln5raRY2+uW2s6anDTPMFsmoQKBQK8g/eLt7kMfnihhOKu&#xA;xV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxVNfLnmbWPLl+1/pMwguWiaFmKq44PQnZgR1UHFUvurq5u&#xA;riS5uZWmuJmLyyyEszMepJOKqWKuxV2KuxV2KuxVtHZGDoSrqQVYGhBHQg4q9ZtZI/zO8pNaTU/x&#xA;pokfK3lJAN3AOzE9+x8Gof2jil5O6PG7RyKUdCVdGFCCNiCDihbirsVdiq+KKSaVIolLyyMFRFFS&#xA;WY0AA98VelfmFLH5U8qab5Fs2Au5VW916RD9qVt1jJ8Kj7lXxxS8yxQ9H8xx/XvyZ8s35+KXT7ue&#xA;zY9wsjOw/CNMUvOMUOxVP/LvkXzX5hIOl6fJLATQ3L/u4R4/vHopp4DfFWbw/krpumosvmrzJbWJ&#xA;pU20FGcj/JaQqfujOWY8M5/SCXHz6vFh+uQj8VddP/IvTvhMV/rBH7RZ1/UbUZmQ7MzHnQdTl9pN&#xA;JHkZS9w/XTjrv5RoCkflN2RvtF3+IfI82P45cOyJ/wA4OIfavF0hL7FrN+SN+SkmkXums23rROzA&#xA;e9PVk/4hkJdlZRyILdj9qNMTuJR+A/Whrn8n9J1WJ5/JmvRX5UcvqN1SOYL/AKwC7/60aj3zBy4J&#xA;4/qFO502uw5x+7kJff8ALm851XSNT0m9ex1K2ktLqP7UUgoadiOxB7EbZU5SDxV2KuxV2KuxV2Ku&#xA;xV2KuxV2KuxV2KuxV2Kpl5d12+0HWbXVrJqT2rhuJ6OvRkb2Zag4qzX82tCsLhbHzroq/wC4rXFD&#xA;XAA/u7mh5cqdC1DX/KVsUvOMUOxV2KvQfyZ0O2ufME+u39F03y/CbuZzuPUoTH/wIVn+YGKsQ8x6&#xA;1ca5rt9q1xtJeStJx68V6In+xUBcVS3FU2PmjWD5aHlz1V/RYn+s+nxHLnTpy6074qr+VfJXmHzR&#xA;dehpVsWjUgTXT/DDHX+d/H2FT7Yq9Jh8uflt5GFdVYeY9eXrbAAwxt4MhJQf7Op/yczNPocmXflH&#xA;vdRr+28Gm2J4p9w/T3Jbrv5qeaNSBhtZBpdmBxSC1+Fgo2AMn2v+BoM3OHs7FDmOI+f6nkNZ7Qan&#xA;NsDwR8v18/uYg8jyOzyMXdjVmY1JJ7knM8CnSEkmytwodirsVVIJ57eZJoJGimjPJJEJVlPiCNxk&#xA;SARRZQmYmwaIeg6Vrmk+erJPLfmwKNRoRpWsKAsgkOwVj4n7m/1qHNHruz+EccOXUPa9i9vHIRiz&#xA;fV0l3+R8/v8Afz4vmoerdirsVXxQyzSLFCjSSuaIiAsxPgAMVZRpf5WeftSAaDR5okO/O5424p40&#xA;lKMfoGKsih/IPzSEEl/f2FlGevOR2Ydz0QL0/wArG0r/APlTGmJ8M/nDTYpB1SqH9cq/qxVo/kxp&#xA;z0W384abLJ/LVRt9EjYqpTfkL5t4GSyvLC+j7elK4J/4JOP/AA2Nqx7VPyw8+aYC1xo07oNy9uBc&#xA;Cg7/ALkuQPnihjEkckTtHIpR1NGRgQQfcHFVuKuxV2KuxV6j+U97b67o2r+QtRf93exNcaYzf7rm&#xA;TdqfIhXp7N44peaXlpcWV3PZ3KGO4tpGimjPVXQlWH0EYoUcVdir1XUx/hT8mbOyH7vUvNEvrzdm&#xA;9Cgbr4cBGCP8o4peVYodir0fyV+VsU9kPMPm6b9GaCgDxxMeEs4O491Vu1Pibt45OEJTNRFlqz54&#xA;YomczwxCa+YvzJke0Gj+WIBo+ixDgnpAJK4+a/YB703Pc5vtL2bGG895fY8N2n7RZMtxxeiHf1P6&#xA;mDEkmp3J6nNm827CrsVdirsVdirsVbVmVgykhgagjYgjAoNMbzi32JOPLnlHzD5jufQ0izefiaSz&#xA;fZiT/XdqKPl1xVnf/Kv/ACB5UUSedNZ+uagBU6RYE1r4MRR9+xPDFKyX85LHSka38neXrXTIjUfW&#xA;ZlDysOxYJx3/ANZ2xVi2qfmX561NibjWbhFP+67dvq608KRcK/Tihjk0887mSaRpZD1dyWP3nFVP&#xA;FXYqqQzzwOJIZGikHR0JU/eMVZDpf5k+etMI+razcso6JO31haeAEwen0YqyeP8AOO31ONbfzf5f&#xA;s9WiAp9YjX05l9xy5b/6pXFK8eTPy1807+VdYbSdRf7GlajXiSeio5q33M/yxVh3mbyP5m8tS8dV&#xA;s2jhJol0nxwt8pBtX2ND7YoSHFXYqj9B1i50bWrLVLc/vbOVZQOnIA/Ep9mWoOKs3/OvSLdNbs/M&#xA;Vj8Wn6/bpcI46eoqrX/gkZG+dcUvOcUJp5W0V9b8xadpS1pdzpHIR1EdayN/sUBOKsu/O/WUvfOJ&#xA;06CgtdIhS2jRfshyOb0+XIL/ALHFLz3FD1byZ5I0ny7pkfmzzmnxN8WlaQw+N2G6u6Hv4Kdh1bwy&#xA;7BglllUXD12ux6aHHM+4dSlHmvzfq3mS+NxevwgQn6vaIf3cY9vFvFj+rbOm02mjijQ5975x2h2l&#xA;k1U+KfLoOg/HekeZLgOxV2KuxV2KuxV2KuxV2Ksq0f8ALXRtB0+PXPzAufqkLb22jRms8xG9H47/&#xA;AOxXp3YdM4p9jQPmX83NVu7b9FeXIV0DREHGOG2ASZl/ynWnGvgv0k4qwFmZmLMSWJqSdyScUNYq&#xA;7FXYq7FXYq7FXYq7FXYqzTyv+avmPRozZXhXWdHccJbC9/eDh0Ko7civyNV9sVT248leUPOlvJf+&#xA;R5xY6qql7jy/ckLXufSJJoK+5X/VxS821DT77TryWzvoHtrqE8ZIZAVYH5H8MUIfFXqdiT5m/JW7&#xA;tT8d/wCV5/Wi8fq5q258Ajv/AMCMUvLMUPTvyK0+BNZ1PzDdClroto7l/BpAan6I0fFLzrU7+bUN&#xA;Rur+f++u5nnk7/FIxY/rxQ9G/Lrylp2l6b/jfzOlLKE10ixYDlcS78X4nqKj4P8Agug3tw4ZZJcM&#xA;XF1mshp8ZnPl957kp8zeZNR8w6pJf3rddoYQfgijrsi/xPfOp0+COKPCHzPXa6epyGc/gO4dyU5e&#xA;4bsVdiqvHY3sqGSO3kdAKl1RiAPmBkTMDqzjimRYB+SiyspKsCGGxB2OFgRTWFXYqrQ2d3OCYIJJ&#xA;QOpRGb9QyJkBzLOOKUuQJUmVkYqwKsOoIocNsCK5tYVSrWtc1XWr+S/1S5e5upOrudgOyqBsqjwG&#xA;cU+xIHFXYq7FXYq7FXYq7FXYq7FXYq7FXYqrWl3dWdzHdWsrwXMLBopo2KurDuCNxir1DS/M3l78&#xA;wbOLQ/NpSy19Bw03XUAXmeySjYb+HQ9uJ6qWA+afKuseWdUfTtTi4SD4opV3jlStA6N3H4jvihl/&#xA;5G6jEnme50W4+K01q1kgePszopcf8JzH04pYHq+nS6bqt5p0397ZzSQOfExsVr+GKHpenf7gPyKv&#xA;bv7Nz5huTDGx68OXplf+AhkP04pY1+WnkyPzDq0lzqB9LQdMX19SmOwKipEdf8qhr7V70wgEmhzY&#xA;TmIxMpGgE187+bJPMGpgwr6OlWg9LTrUCgWMbcio2DNT6BQds6jR6UYY1/Eeb5n2t2lLVZb/AIB9&#xA;I/T7yh/JKq3m7R1YAqbuIEHcfaGT1f8AdS9zV2WL1OP+sH0Xd2lp9Um/cx/3bfsjwPtnKxkbG76d&#xA;kxx4TsOT5aVWZgqgliaADcknOyfIgLe/+Svy50fQ7GGa7t0udWZQ000gDiNiPsRg1A49K9T+Gczq&#xA;9dPISAai+j9l9i4sEAZASydSenkEwv8A8wfJ1hftYXWpIl1G3GRAkjqrdKM6KyCnep2yqGiyyjxC&#xA;Ozk5e2NLjnwSmOL4/fVIrXfLOheYbMxX0CTB1/c3KgeolRsySDf+ByGHUTxG4lu1ehw6mFTAPcev&#xA;wL5z1zSZ9I1e702c8pLWRo+Y2DAfZb/ZLQ51WHIJwEh1fMNVpzhyyxnnEvVvyy/LnTk02DWtXgW5&#xA;ubpRJawSjkkcZ+yxU7MzD4t+gp3zS9oa6XEYQNAc3sewuxYDGMuUcUpbgHkB+1mOsecvKugzJaah&#xA;epbS8QVgVHche1ViVuPtXMHFpcuQXEW7vU9p6fTnhnIRPdRP3BW1HR/L/mbTFNzFHd21xGGguFA5&#xA;qGFQ0b9VO+RhlyYZbbEM82mwarH6gJRI2P6i+efNGgzaDrt1pcrc/Qb93J05xsOSN/wJ3986jT5h&#xA;kgJDq+aa/SHT5pYz0+7owfORfV3Yq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXqnlDzJp3nTSF8l&#xA;+a5ALwCmh6s28iyAbRsxpU7UFT8Q2+1TFLEILXUvJfnm0XUE9KfTbqKSQj7LxBgSynurpXFCb/nZ&#xA;pYsfP13IopHfxRXSeHxLwY/S8ZOKp/8AmtaXMGm+TvJdkhe6SBWeBerTOFiQ/S4kxSv84S23ljy/&#xA;aeR9McF0C3Gt3CberO4DcD7dD8gvvm67L03+UPw/W8b7Tdo/5CJ85foH6fkwTN28cnnkf/lMNG/5&#xA;i4v+JDMbV/3UvcXP7K/xrH/XD6QvP95J/wDjG3/ETnKR5h9RyfSfc+YdDeJNb095iBEtzC0hboFE&#xA;gJr9GdfmB4DXcXybSEDLAnlxD731HnHPrj5j8z6RqGk65d2l+jLMJGdXNaSIzEiRSeobOv0+WM4A&#xA;xfJ9fpp4c0oz538/Nn+gfnJY6dotlYXFhNNLawpC0quoDcBxB336DNZm7LlOZkCNy9Jo/aWGLFGE&#xA;okmIr5MJ806vF5l81TX9vE0C3rQosbEMwKosXbb9nNjp8XhYuE71boNfqRqtQZxFcVfcA+kIYY4Y&#xA;UhjHGONQiKOyqKAZyZNm31GMREADkHzR5vvpL7zRqty7cudzIqnr8CMUQfQqjOt00OHHEeT5X2ll&#xA;OTUTkf5x/UPsel/l9+YXlbS/KlnYapf+jdwGQGMxTPRWkZl+JEYdG8c1Ot0WSeUyiNj7nqux+2dP&#xA;i00YZJ1IX0l3+QYb+aOuaLrXmKK90mf6xB9VSOWTg6fvFd6ikiqfslcz+z8M8eOpCjbou3tXiz5x&#xA;PEbHCO8b2e/4PLM5l9IdirsVdirsVdirsVdirsVTLSfLev6w/HS9PuLzsWijZlH+s1OI+k4qzHTv&#xA;yK89XSh7lbbT06t9YmBIHyiEv4nFKOP5P+W7PbVvOthbOOsK+mWr7cpVP/C4qtfyJ+U0QPqec+XH&#xA;Y8EVt+m3ENX6MVW/4B/K2ZVFv51WN23BljUClO4Jjp9JxVa35KveAny95k03ViASEVwjED2jM4+8&#xA;4qxTXvI/m/y43q6jp80EcZBW7j+OIGux9SMsq+1SDihnkxX8y/IrXFAfOHl5P3lPtXMHXt1LUNP8&#xA;sduWKUV5jsP8Rn8ttRoHN6Ira9Y9/SMbP+qTFU/1D6tD508w+db9Q9v5fij0/Skbo9y0YZ/+Babj&#xA;9JPbLcGE5JiI6uJrtUNPilkPQfb0eR3l3cXl3Nd3LmS4ndpJXPdmNSc66MREADkHyrJklORlLck2&#xA;o5Jgnnkf/lMNG/5i4v8AiQzG1f8AdS9xc/sr/Gsf9cPpC8/3kn/4xt/xE5ykeYfUcn0n3PlPO0fH&#xA;3tv5dfmXZahawaTq0oh1OICOKeQ0ScDZfiPSTxB6/hnPa7QGJMo/T9z3vYvbkMkRjymsg2v+d+37&#xA;2Z635e0fXLX6tqdstwgrwY7OhPdHHxLmvw554zcTTvNVo8Wojw5I3+j3PHvOn5T3+jRyX+lu17py&#xA;VaRCP30SjuQNnUdyPu75vdJ2lHJ6ZbS+x4ntT2engBnj9UPtH6/xswvSP+OtZf8AGeL/AImM2GX6&#xA;T7nRab+8j/WH3vqbONfXXyzq/wDx1r3/AIzy/wDEznZYvpHufItT/eS/rH70JljS7FWOZxT7E7FX&#xA;Yq7FXYq7FVyI8jrHGpd3IVEUVJJ2AAGKs70X8odbmtf0j5guIfLulihM14QJSD4RkrQ+zkH2xVMh&#xA;rf5QeV/h0vTZfM1+m31q8+GCvsrLx6/8V/7LFKX6r+dvna8T0bKSDSrYDisVpEKhew5ScyP9jTFD&#xA;DtR13WtTYtqN/cXhO/7+V5PuDE4qgcVdirsVbVmVgykhgagjYgjFWX+XfzW846KRGbw6hY/Zks72&#xA;syFehUM3xrt4Gntir0byU3lnWtYi8yeUE/RWtW+2saAWAimt5DSQxfZXbZlIovIDkFrXFL0ODyrZ&#xA;QHT1iNIdOvZ762joKL9YSYMg9g9wSPCgwK80/OHUobaS28vWh/dq8l/e+81w7OAflyY/IjN72Th2&#xA;Mz7g8V7U6y5Rwjpuf0fjzeaZuXkXYqnnkf8A5TDRv+YuL/iQzG1f91L3Fz+yv8ax/wBcPpC8/wB5&#xA;J/8AjG3/ABE5ykeYfUcn0n3Plmzs7q9uo7W1jM1xMeMUS9WPgM7KUhEWeT5FixSySEYi5FOZPIXn&#xA;GKNpJNJnVEBZ2IFAAKk9cxxrMR/iDnS7I1QFnHJN/J/5pa1ojx218zX+mCimNzWWNf8Aitz4fynb&#xA;5ZRquzoZNx6ZOb2b2/lwERn68f2j3H9H3PdLK8tr6zhvLZxJbXCLJE47qwqM5ycDEkHmH0HFljkg&#xA;JR3jIW8E85aRa6J+YDQwAJaGeG4jQdFWQhmUDwDVp7Z0ulynJgs86IfOu09NHBraj9PED830FnMP&#xA;pL5b1uNo9av42+0lzMp+YkIzssRuA9wfI9UKyzH9I/enflv8uvMHmHTjf2DQCASNF+9dlbkoBOwV&#xA;vHMbProYpcMrtz9F2Lm1MOOHDV1uf2ILzR5R1Xy1cQQaiYi9wheP0mLCgNN6hcs0+pjlBMejRr+z&#xA;smlkBOt+5gOcm+puxV2KuxV2Ksp8nfl3rfmblcpxsdIhqbnVLj4YVC7txrTmR37DuRirJJfOPk3y&#xA;YptfJloupasAVm1+8XkAeh9FdvwoP9bFLA9b8w63rl2brVryS7m34mQ/CoPZEFFUeyjFCXYq7FXY&#xA;q7FXYq7FXYq7FUbo2saho2p2+pafKYbu2YPGw6HxVh3VhsR4Yq+tPLuvWut6BZ6zDRIbqISMCfsM&#xA;NpFJ/wAhgR9GBSafOnmXV21jX77UidrmZmjr1EY+GMfQgAzsNPi4ICPcHyfXajxs0sn84/Z0+xLM&#xA;ucV2Kp55H/5TDRv+YuL/AIkMxtX/AHUvcXP7K/xrH/XD6QvP95J/+Mbf8ROcpHmH1HJ9J9z5n8ra&#xA;hHp3mTTL2U8YYLmNpW8E5AOf+BrnW6iHFjkB1D5VoMwxZ4TPISF+7q+mZY47i3eNviimQqSO6sKb&#xA;ZyINF9WlESjXQvA7v8pvOkN+1tDZi4h5UjulkjCMtdmPJgy/IjOmj2lhMbJryfOcns9qoz4RGx32&#xA;Ke3eW9KfSdBsdNdxJJawqkjjoWpVqe1emc7nycczLvL32i05w4Y4zziHhf5n6pBqHnO9kt2DRQcL&#xA;cOO7RLR/ueozpOz8ZjhF9d3z7t3OMmqkY8ht8v2vcvLGtQ61oNnqMbBjNGvrAfsygUkU/Js5zUYj&#xA;jmYvoGg1Qz4YzHUb+/q8s8+flj5hm8xXV/pFt9btL6QzEK6KySPu4YOV6tUgjNzo+0MYxiMjRDyH&#xA;a3YWeWeU8Q4ozN9NiefN6P5D8vz6D5ZtdPuSPrQ5SXAU1AeRieIP+SKDNVrMwyZDIcnqOydGdPp4&#xA;wl9XM/F5P+cOqxXvm4wRMGWwhS3cjcepVnbf25gH5Zuuy8Zjis9TbxvtJqBk1ND+AV8ef6U7/wCs&#xA;d/8Al2/6fM5x9Ed/1jv/AMu3/T5irv8ArHf/AJdv+nzFXf8AWO//AC7f9PmKtj/oXev/AB7f9PeK&#xA;s18yf4F/wzb/AKX9P/Dnweh6Hq/VqU/d/wC83w8f5a7YFYT/ANY7/wDLt/0+YVd/1jv/AMu3/T5i&#xA;rv8ArHf/AJdv+nzFXf8AWO//AC7f9PmKu/6x3/5dv+nzFXf9Y7/8u3/T5irv+sd/+Xb/AKfMVd/1&#xA;jv8A8u3/AE+Yq7/rHf8A5dv+nzFXf9Y7/wDLt/0+Yq7/AKx3/wCXb/p8xVnflr/B3+Fn/QXH/D9J&#xA;uXD1eNN/Vpz+Px6YY3Yrm15eHgPF9Nb+5in/ACA3/ij/AKes2v8Ahnn9jy/+tH9H/ZO/5Ab/AMUf&#xA;9PWP+Gef2L/rR/R/2Tv+QG/8Uf8AT1j/AIZ5/Yv+tH9H/ZIzRv8AlT/6VtP0Z6P6Q9VfqnH6xX1K&#xA;/DTl8PXxyGX81wnivh68m/TfyZ4kfDrjvb6ubP5fT9J/U/u+J5/Km+awc3pJVW/J5p/yA3/ij/p6&#xA;zbf4Z5/Y8p/rR/R/2T0HR/qH6Ltv0fX6j6Y+rcudfT/Z/vPipTpXtmsy8XEeLm9LpuDw48H0Vtz5&#xA;fHdGZW3qV16X1Wb1uXpcG9Thy5caGvHh8Vafy7+GGN2KYZK4TfKvxy3ebn/lR1d/Qr/0dZtv8M8/&#xA;seX/ANaP6P8AsmV+TP8AB/1a4/wxT6tzHr8PW9P1KdvV25U609q9swtV4tjxOfwdx2Z+V4T+X+m9&#xA;/qq/iyLMV2bj0xV5rcf8qU9eT6x6Xr829bn9b5c6/FyrvWvXNtH85W3L4PLT/kmzxVfX63//2Q==</xapGImg:image>
-               </rdf:li>
-            </rdf:Alt>
-         </xap:Thumbnails>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/"
-            xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#">
-         <xapMM:DocumentID>uuid:9EF2320A284E11DFACBCF5F943788E24</xapMM:DocumentID>
-         <xapMM:InstanceID>uuid:6e7acc0d-a5db-48fe-a148-3d0ba888c54f</xapMM:InstanceID>
-         <xapMM:DerivedFrom rdf:parseType="Resource">
-            <stRef:instanceID>uuid:dd936053-2ab1-11de-bf43-000d93c1f82e</stRef:instanceID>
-         </xapMM:DerivedFrom>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:xapTPg="http://ns.adobe.com/xap/1.0/t/pg/"
-            xmlns:stDim="http://ns.adobe.com/xap/1.0/sType/Dimensions#"
-            xmlns:xapG="http://ns.adobe.com/xap/1.0/g/">
-         <xapTPg:NPages>1</xapTPg:NPages>
-         <xapTPg:HasVisibleTransparency>False</xapTPg:HasVisibleTransparency>
-         <xapTPg:HasVisibleOverprint>False</xapTPg:HasVisibleOverprint>
-         <xapTPg:MaxPageSize rdf:parseType="Resource">
-            <stDim:w>51.000000</stDim:w>
-            <stDim:h>66.000000</stDim:h>
-            <stDim:unit>Picas</stDim:unit>
-         </xapTPg:MaxPageSize>
-         <xapTPg:PlateNames>
-            <rdf:Seq>
-               <rdf:li>Cyan</rdf:li>
-               <rdf:li>Magenta</rdf:li>
-               <rdf:li>Yellow</rdf:li>
-               <rdf:li>Black</rdf:li>
-            </rdf:Seq>
-         </xapTPg:PlateNames>
-         <xapTPg:SwatchGroups>
-            <rdf:Seq>
-               <rdf:li rdf:parseType="Resource">
-                  <xapG:groupName>Default Swatch Group</xapG:groupName>
-                  <xapG:groupType>0</xapG:groupType>
-                  <xapG:Colorants>
-                     <rdf:Seq>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>White</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>255</xapG:red>
-                           <xapG:green>255</xapG:green>
-                           <xapG:blue>255</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>Black</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>39</xapG:red>
-                           <xapG:green>37</xapG:green>
-                           <xapG:blue>37</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>Yellow</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>255</xapG:red>
-                           <xapG:green>242</xapG:green>
-                           <xapG:blue>45</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>Lime</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>189</xapG:red>
-                           <xapG:green>213</xapG:green>
-                           <xapG:blue>118</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>Night Blue</xapG:swatchName>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:red>31</xapG:red>
-                           <xapG:green>113</xapG:green>
-                           <xapG:blue>184</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>ISC logo blue</xapG:swatchName>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:tint>100.000000</xapG:tint>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:red>0</xapG:red>
-                           <xapG:green>168</xapG:green>
-                           <xapG:blue>204</xapG:blue>
-                        </rdf:li>
-                        <rdf:li rdf:parseType="Resource">
-                           <xapG:swatchName>PANTONE 425 U</xapG:swatchName>
-                           <xapG:type>PROCESS</xapG:type>
-                           <xapG:tint>100.000000</xapG:tint>
-                           <xapG:mode>RGB</xapG:mode>
-                           <xapG:red>94</xapG:red>
-                           <xapG:green>96</xapG:green>
-                           <xapG:blue>98</xapG:blue>
-                        </rdf:li>
-                     </rdf:Seq>
-                  </xapG:Colorants>
-               </rdf:li>
-            </rdf:Seq>
-         </xapTPg:SwatchGroups>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:illustrator="http://ns.adobe.com/illustrator/1.0/">
-         <illustrator:Type>Document</illustrator:Type>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
-         <pdf:Producer>Adobe PDF library 8.00</pdf:Producer>
-      </rdf:Description>
-   </rdf:RDF>
-</x:xmpmeta>
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                           
-<?xpacket end="w"?>
endstream
endobj
2 0 obj
<</Count 1/Type/Pages/Kids[5 0 R]>>
endobj
16 0 obj
<</Intent 17 0 R/Usage 18 0 R/Name(Layer 1)/Type/OCG>>
endobj
38 0 obj
<</Intent 39 0 R/Usage 40 0 R/Name(Layer 1)/Type/OCG>>
endobj
60 0 obj
<</Intent 61 0 R/Usage 62 0 R/Name(Layer 1)/Type/OCG>>
endobj
82 0 obj
<</Intent 83 0 R/Usage 84 0 R/Name(Layer 1)/Type/OCG>>
endobj
83 0 obj
[/View/Design]
endobj
84 0 obj
<</CreatorInfo<</Subtype/Artwork/Creator(Adobe Illustrator 13.0)>>>>
endobj
61 0 obj
[/View/Design]
endobj
62 0 obj
<</CreatorInfo<</Subtype/Artwork/Creator(Adobe Illustrator 13.0)>>>>
endobj
39 0 obj
[/View/Design]
endobj
40 0 obj
<</CreatorInfo<</Subtype/Artwork/Creator(Adobe Illustrator 13.0)>>>>
endobj
17 0 obj
[/View/Design]
endobj
18 0 obj
<</CreatorInfo<</Subtype/Artwork/Creator(Adobe Illustrator 13.0)>>>>
endobj
81 0 obj
[82 0 R]
endobj
5 0 obj
<</Parent 2 0 R/Contents 88 0 R/BleedBox[0.0 0.0 612.0 792.0]/PieceInfo<</Illustrator 72 0 R>>/ArtBox[247.087 367.565 365.086 412.583]/MediaBox[0.0 0.0 612.0 792.0]/Thumb 92 0 R/TrimBox[0.0 0.0 612.0 792.0]/Resources<</ColorSpace<</CS0 86 0 R>>/Properties<</MC0 82 0 R>>/ExtGState<</GS0 85 0 R>>>>/Type/Page/LastModified(D:20100412113400-07'00')>>
endobj
88 0 obj
<</Length 843/Filter/FlateDecode>>stream

-H‰tUIŽ$7¼ç+ô�b‹‹¶«Û†OcàƒP°}©`ÜÿÁLU7Ð6
-ÈT¤$.Aëå·×òòåµ–Ÿ~~-Ç�£–±¬tµrãâŸ?�?Ê÷ãåõ÷Zîo¥ŠÏgçsF)owlÿŠí¿ßŽEKÅO‹õ!ÝZq¼[oQîßî|;ÂÅ`¸–ÇáK¦GQ—¹ð²²$h¿ûñ×ñõƒ=¯KZôUà_*Oƒ·!ˬè�‰Ï7ŸÒ*WYL¢›D‡m‰æ°zá[“˜Šnâ>?|°%6K�ø
-›Øiê?ÃÒš)0*¾ßƒ2!}j´rS…[21Z“ÞGA¨u£r•~îωãÞeT䲎‡¦1'ï�ÇIŒ‚HGGŠ`´kfò¸—wa±FÚFBA[c)L‡4SzZŠÓ¼ÄÓSF¬äDZÊІ9ù¸> H�º¡
-J‚xi†þOá@½-M†xôÉ‚î³_¨OC8³Ä:JXl 0$‡(•vàª~FC¬žm†¢Ëj£4QzÐŒT³«´$Ù‚±³
-F
‘åRe�BC[¬ÐWçz%A
2×¹NôØVš‘æ
-BqÕ•l9uš
-Ì‹<{a˜ïºõ4ÖØ(®)tAtR÷´[bvL·>³o [Õ³ü˜“ÓÓ
–
²\AYŸ`IõÌõ„ˆ‰sz£“$Œ‰ý�Á˜˜IO
-!=§ ¨Œø†vGc	£I#/'~<1‚ÀÔRPy±´ýl1½Ͷw1	чd

}¡þa
-Ë9b	�:žÎÞF"‹>64”~0IGD˜ËØ°$ÙtMâ¯%Z½Gð¾¥Úñ§a�ÑÌ‘I¼ý—/øýzü+À
-8;Z][]*Z8,$q8Pq<-a,+atR/Xlf;Og>R'7AkC?`UH+a:[!:Wd2gY.%C?Yr]87.+,n
-j3C.,APLcVQ0Wa_MIB(XjL_"klFg6$$NL0W09-&5e4ja+~>
endstream
endobj
85 0 obj
<</OPM 1/BM/Normal/CA 1.0/OP false/SMask/None/ca 1.0/AIS false/op false/Type/ExtGState/SA true>>
endobj
86 0 obj
[/ICCBased 87 0 R]
endobj
87 0 obj
<</Length 281/Filter/FlateDecode/N 3>>stream

-H‰b``2ptqre``ÈÍ+)
-rwRˆˆŒR`?ÏÀÆÀÌ
-ò‹KRS€j!îAˆBPˆi
-8;X]O>EqN@%''O_@%e@?J;%+8(9e>X=MR6S?i^YgA3=].HDXF.R$lIL@"pJ+EP(%0
-b]6ajmNZn*!='OQZeQ^Y*,=]?C.B+\Ulg9dhD*"iC[;*=3`oP1[!S^)?1)IZ4dup`
-E1r!/,*0[*9.aFIR2&b-C#s<Xl5FH@[<=!#6V)uDBXnIr.F>oRZ7Dl%MLY\.?d>Mn
-6%Q2oYfNRF$$+ON<+]RUJmC0I<jlL.oXisZ;SYU[/7#<&37rclQKqeJe#,UF7Rgb1
-VNWFKf>nDZ4OTs0S!saG>GGKUlQ*Q?45:CI&4J'_2j<etJICj7e7nPMb=O6S7UOH<
-PO7r\I.Hu&e0d&E<.')fERr/l+*W,)q^D*ai5<uuLX.7g/>$XKrcYp0n+Xl_nU*O(
-l[$6Nn+Z_Nq0]s7hs]`XX1nZ8&94a\~>
endstream
endobj
72 0 obj
<</Private 73 0 R/LastModified(D:20100412113400-07'00')>>
endobj
73 0 obj
<</RoundtripVersion 13/ContainerVersion 11/CreatorVersion 13/AIMetaData 74 0 R/AIPrivateData1 75 0 R/AIPrivateData2 76 0 R/AIPrivateData3 77 0 R/AIPrivateData4 78 0 R/AIPrivateData5 79 0 R/NumBlock 5/RoundtripStreamType 1>>
endobj
74 0 obj
<</Length 981>>stream

-%!PS-Adobe-3.0 
%%Creator: Adobe Illustrator(R) 13.0
%%AI8_CreatorVersion: 13.0.2
%%For: (Brian Reid) ()
%%Title: (ISC_logo_only_RGB.ai)
%%CreationDate: 4/12/10 11:34 AM
%%BoundingBox: 247 367 366 413
%%HiResBoundingBox: 247.0869 367.5654 365.0859 412.583
%%DocumentProcessColors: Cyan Magenta Yellow Black
%AI5_FileFormat 9.0
%AI12_BuildNumber: 434
%AI3_ColorUsage: Color
%AI7_ImageSettings: 0
%%RGBProcessColor: 0 0.658824 0.8 (ISC logo blue)
%%+ 0.372549 0.376471 0.384314 (PANTONE 425 U)
%%+ 0 0 0 ([Registration])
%AI3_TemplateBox: 306.5 395.5 306.5 395.5
%AI3_TileBox: 18 33.1201 594 786.96
%AI3_DocumentPreview: None
%AI5_ArtSize: 612 792
%AI5_RulerUnits: 3
%AI9_ColorModel: 1
%AI5_ArtFlags: 0 0 0 1 0 0 0 0 0
%AI5_TargetResolution: 800
%AI5_NumLayers: 1
%AI9_OpenToView: -381 793 0.92 1268 743 26 0 0 117 75 0 0 1 1 1 0 1
%AI5_OpenViewLayers: 7
%%PageOrigin:0 0
%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9
%AI9_Flatten: 1
%AI12_CMSettings: 00.MS
%%EndComments

endstream
endobj
75 0 obj
<</Length 11082>>stream

-%%BoundingBox: 247 367 366 413
%%HiResBoundingBox: 247.0869 367.5654 365.0859 412.583
%AI7_Thumbnail: 128 52 8
%%BeginData: 10932 Hex Bytes
%0000330000660000990000CC0033000033330033660033990033CC0033FF
%0066000066330066660066990066CC0066FF009900009933009966009999
%0099CC0099FF00CC0000CC3300CC6600CC9900CCCC00CCFF00FF3300FF66
%00FF9900FFCC3300003300333300663300993300CC3300FF333300333333
%3333663333993333CC3333FF3366003366333366663366993366CC3366FF
%3399003399333399663399993399CC3399FF33CC0033CC3333CC6633CC99
%33CCCC33CCFF33FF0033FF3333FF6633FF9933FFCC33FFFF660000660033
%6600666600996600CC6600FF6633006633336633666633996633CC6633FF
%6666006666336666666666996666CC6666FF669900669933669966669999
%6699CC6699FF66CC0066CC3366CC6666CC9966CCCC66CCFF66FF0066FF33
%66FF6666FF9966FFCC66FFFF9900009900339900669900999900CC9900FF
%9933009933339933669933999933CC9933FF996600996633996666996699
%9966CC9966FF9999009999339999669999999999CC9999FF99CC0099CC33
%99CC6699CC9999CCCC99CCFF99FF0099FF3399FF6699FF9999FFCC99FFFF
%CC0000CC0033CC0066CC0099CC00CCCC00FFCC3300CC3333CC3366CC3399
%CC33CCCC33FFCC6600CC6633CC6666CC6699CC66CCCC66FFCC9900CC9933
%CC9966CC9999CC99CCCC99FFCCCC00CCCC33CCCC66CCCC99CCCCCCCCCCFF
%CCFF00CCFF33CCFF66CCFF99CCFFCCCCFFFFFF0033FF0066FF0099FF00CC
%FF3300FF3333FF3366FF3399FF33CCFF33FFFF6600FF6633FF6666FF6699
%FF66CCFF66FFFF9900FF9933FF9966FF9999FF99CCFF99FFFFCC00FFCC33
%FFCC66FFCC99FFCCCCFFCCFFFFFF33FFFF66FFFF99FFFFCC110000001100
%000011111111220000002200000022222222440000004400000044444444
%550000005500000055555555770000007700000077777777880000008800
%000088888888AA000000AA000000AAAAAAAABB000000BB000000BBBBBBBB
%DD000000DD000000DDDDDDDDEE000000EE000000EEEEEEEE0000000000FF
%00FF0000FFFFFF0000FF00FFFFFF00FFFFFF
%524C45FD1F52285252A8FD04FFFD05A8FFFFFFA87DFD4F52285252522852
%525228525252285252522852525228525252285252522852277DA8FFFFA8
%7D7D525227FD04527DA8FFFFA85252275252522852525228525252285252
%522852525228525252285252522852525228525252285252522852525228
%52525228525252285252522852525228525252285252522852525228FD21
%52A8FFFF7D7D525227FD0752275252A8FFFF7DFD215227FD2A522E522752
%2E5227522E5227522E5227522E5227522E5227522E5227527DFFFFA85252
%27522E5227522E5227522E5227522752A8FF7D5227522E5227522E522752
%2E5227522E5227522E5227522E5227522E522752277D7D7D275227522E52
%27522E5227522E5227522E5227522E5227522E5227522E5227522E522752
%2E5227FD1A52277DA8FFA87D2EFD11522E527DFFA853FD1D52A8FFFFFF7D
%28FD285228525252285252522852525228525252285252522852277DFFFF
%7D522752525228525252285252522852525228525252275252FFA8522752
%285252522852525228525252285252522852525228525252277DFFA852A8
%FF5227525252285252522852525228525252285252522852525228525252
%285252522852525228FD1852277DFFFFFD1B52FFA8FD1A527DFFA8275252
%FF7DFD265227522E5227522E5227522E5227522E5227522E522752277DFF
%FF525227522E5227522E5227522E5227522E5227522E5227522E52275252
%FFA852275227522E5227522E5227522E5227522E5227522E522752A8A827
%522E527DA9275227522E5227522E5227522E5227522E5227522E52275227
%5227522E5227522E5227522EFD17527DFFA8FD1E527DFFA8FD17527DFFFD
%0452287DFFFD155228FD075228FD08522852525228525252285252522852
%5252285252522852527D2752525228525252285252522852525228525252
%2852525228525252285252527DFF7D522852525228525252285252522852
%525228FD0452FF7D5228FD0452FF52522852525228525252285252522752
%2752527DA1A8A8FFCACFA8CAA17D5252275228FD3C52A8FFFD145228A8FF
%53FD0652FFA82EFD0C527D7DCAFD04FFAFAF85AF85AFAFFFFFFFA87DFD05
%522E5227522E5227522E5227522E5227522E5227522E5227522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522752A8
%FF275227522E5227522E5227522E5227522E522752FFA827522E5227522E
%FF7D522E5227522E522752275252A8FFFFAFAF603CFD041413FD04143C60
%AFFFFF535227FD3A52277DFFA827FD11527DFFFD0852A8FFFD0952A8CFFF
%FFAF3C3D1414141A141A141A141A141A14141461AFFFA8FD045228525252
%285252522852525228525252285252522852525228525252285252522852
%5252285252522852525228525252285252522852525227A8FF5227525252
%2852525228525252285252522EFFA85227525252285228A87D5252522852
%27527DFFFFAF603CFD07141A1414141A1414141AFD041460FFA8FD3D52FF
%A8FD10527DFF7DFD0F527DFFFFA9611414141A141A141A141A141A141A14
%1A141A141A141A14143CFFA827522E5227522E5227522E5227522E522752
%2E5227522E5227522E5227522E5227522E5227522E5227522E5227522E52
%27522E5227522E5227522E527DFF525227522E5227522E5227522E522752
%A8FF27522E5227522E5227522852275252A8FFFF3C1413FD191436FFFD3C
%5259FFA828FD0E52FF7DFD0D527DFFFF8B1414141A141A141A141A141A14
%1A141A141A141A141A141A141A141A141460285252522852525228525252
%285252522852525228525252275227522752275227525252285252522852
%52522852525228525252285252522852525227A8FF7D2752525228525252
%2852525227A8FF52275252522852525228522752A8FFA93CFD05141A1414
%141A1414141A1414141A1414141A1414141A1414141A1414FD1552285252
%7D527D597D527DFD065227FD1852FFA8FD0D52FFFFFD0A52277DFFFF601A
%141A141A141A141A141A141A141A141A141A141A141A141A141A141A141A
%141A142E5227522E5227522E5227522E5227522752527D7DA8A8FD09FFA8
%FFA8A87D532852275227522E5227522E5227522E5227522E5227522E527D
%FF525227522E5227522E52275252FF7D522E5227522E522752277DFFFF36
%FD2314FD0E527D7DFD07FFA8A87DA87DA87DFD04A8FD05FFA87DFD15527D
%FFA827FD0A52A8FF7DFD0952A8FFAF1414141A141A141A141A141A141A14
%1A141A141A141A141A141A141A141A141A141A141A145252285252522852
%525227527DA8FFFFFFA87D7D52522752275227522752275227522752527D
%A8FFFFFFA87E52522752525228525252285252522852525227A8FF522752
%5252285252522752FFA8275252522852525227A8FF85FD05141A1414141A
%1414141A1414141A1414141A1414141A1414141A1414141A1414141AFD07
%52275253A8FFFFFFA8FD045227FD0F522EFD04527D7DFFFFFFA87DFD1052
%7DFF7DFD0A52FF7DFD0852A8FF8B1414141A141A141A141A141A141A141A
%141A141A141A141A141A141A141A141A141A141A141A1427522E52275227
%7DA8FFFFA85252275227522E5227522E5227522E5227522E5227522E5227
%522E52275227527DFFFFFF7D52275227522E5227522E5227522752A8A827
%5227522E52275227A8FF5227522752525227A8FF6113FD2714FD0652A8FF
%FF7D7D28FD22527DA8FFFF7DFD0C5227A8FF7DFD0852A8FFFD06522EA8FF
%61141A141A141A141A141A141A141A141A141A141A141A141A141A141A14
%1A141A141A141A141A141A14285227527DFFFF7D52522752285252522852
%525228525252285252522852525228525252285252522852525228522752
%52FFFFA8525228522852525228FD0452FF7D5228525252285252FF7D5252
%52285227A8FF611414141A1414141A1414141A1414141A1414141A141414
%1A1414141A1414141A1414141A1414141A141452277DFFFFA87D28FD2952
%287DFFFF7EFD0B52A8FFFD065227A8FF7D2752525227A8FF8B141A141A14
%1A141A141A141A141A141A141A141A141A141A141A141A141A141A141A14
%1A141A141A141A1428A8FFFF525227522E5227522E5227522E5227522E52
%27522E5227522E5227522E5227522E5227522E5227522E5227522E522752
%7DFFA87D275227522E522752277EFF52275227522852A8FF52522752277D
%FF8BFD121413FD0F1413FD0914FFFFA8FD3352FFFFA8FD0952FF7DFD0652
%FFA8FD04527DFFAF141A141A141A141A141A141A141A141A141A14613C3C
%141A141A141A141A141A141A143D3C3C141A141A141A14FF7D2752525228
%525252285252522852525228525252285252522852525228525252285252
%522852525228525252285252522852525227A8FFA8FD045228525252A8A8
%27522852277DFF7D27522752A8FFFD051461A9AF848B1414141A141436AF
%AFFFFFFFAFAF36FD04141A14141461A9FFAFFFAFAF601A1414141A7D2EFD
%3552277DFFFFFD0752A8FFFD05527DFFFD04527DFF3C14141A141484FFFF
%FFAF1A141A141A85FD09FF841A141A141A14AFFD08FF841A141A1427522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227
%522E5227522E5227522E5227522E5227522E5227522E52277DA8FF52522E
%5227527DFF52522E5227FFA852275252FF60FD061485FFFFFFAFFD041460
%FD0BFF36FD0414AFFD0AFF60141414FD3A5253FFFF7DFD04527DFFA85252
%527DFFA8285252FFAF1A141A141A141A84FFFFFFAF3D141A14FD05FF603D
%60FD04FFAF141A1461FD04FFA96136AFFD04FF141A142852525228525252
%285252522852525228525252285252522852525228525252285252522852
%52522852525228525252285252522852525228522752A8FF5252285252FF
%A8FD0452FF7D5227A8FF3C141AFD051485FFFFFFAF14141460FD04FF3614
%141460FFFFFFA91A141484FFFFFFA91A141414FD04FF611414FD3D52A8FF
%FD0452A8FF525228A8FF7D277DFF8B141A141A141A141A85FFFFFFAF1A14
%1A60FD04FF3C141A1461FD04FF141A14FD04FF8B141A141AAFFFFFFF601A
%142E5227522E5227522E5227522E5227522E5227522E5227522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227
%522752A8FF5252277DFF7D2752A8FF2752A8FFFD08141385FFFFFFAF1414
%1361FD04FF36FD04148584856014133CFD04FF60FD0414FD04FF851314FD
%3D52287DFFFF525252FF7D5252FFA8527DFF3C1A141A141A141A141A85FF
%FFFFAF1A141A60FD04FFAF141A141A141A141A141A3CFD04FF61141A141A
%3C616061361A145252285252522852525228525252285252522852525228
%525252285252522852525228525252285252522852525228525252275252
%522752525228525252277DFF7E2752FFA82753FF7E27FFA914141A141414
%1A1414148BFFFFFFAF1414143CAFFD04FFAFFD091461FD04FF3614141AFD
%07141AFD2B522852285227FD075227FD075227A8FF7D27FFA8527DFF7D7D
%FF3D141A141A141A141A141484FFFFFFA91A141A1485FD06FF603C141A14
%1A14143CFD04FF61141A141A141A141A141A1427522E5227522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E522752275227
%FD04527D7DA8A8FFA8FFA8FFA8A87D7D52522752275227FFA8527DFF277D
%FF52A8AF13FD0A1485FFFFFFAFFD0414138BFD06FFA860FD05143CFD04FF
%36FD0B14FD2852A8A8FD07FFA8FFA8FFA8FD06FFA87D5227527DFF7D7DFF
%7DA8FF7DFF3C1A141A141A141A141A141A84FFFFFFAF3D141A141A148BFD
%07FF8B141A141A3CFD04FF61141A141A141A141A141A1428525252285252
%522852525228525252285252522852525228525252285252522752275252
%A8A8FFFFFFA8A87D7DFD065227FD04527D7DA8FFFFA87D2752A8FF52FF7D
%A8A8CAA914141A1414141A1414141A1485FFFFFFAFFD071460A8FD06FF8B
%1414143CFD04FF36FD04141A1414141A1414FD2252A8FD04FF7D7D525228
%5227FD0B52275252527DFFFFFF5253FFA8A8A8FFA8FF61141A141A141A14
%1A141A141A85FFFFFFAF1A141A141A141A141A60FD06FF85141A3CFD04FF
%61141A141A141A141A141A142E5227522E5227522E5227522E5227522E52
%27522E5227522E5227522752277DA8FFFFA859522752275227522E522752
%2E5227522E5227522E5227522752277DA8FF7DA8FFFFA8FFFFAFFD0C1413
%85FFFFFFAFFD061413FD0414AFFD04FFA9141360FD04FF36FD051413FD05
%14FD1D527DFFFFFF7D7DFD1E52A8FFA8FD05FF601A141A141A141A141A14
%1A141A85FFFFFFAF1A141A143D363D141A141A14FD05FF3C1A3CFD04FF61
%141A141A60AF85AF601A1452522852525228525252285252522852525228
%52525228525252277DFFFFA87D2E52275252522852525228525252285252
%52285252522852525228525252285228527DFD06FF3C141A1414141A1414
%141A1414148BFFFFFFAF141414AFFFFFAF8BFD04143CFD04FF3C143CFD04
%FF60FD04148BFFFFFFAF1414FD1752285259FFFFA9525227FD2352A8FD04
%FFAF141A141A141A141A141A141A141484FFFFFFA91A141484FFFFFFA91A
%141A1461FD04FF3C1414FD04FF8B141A141AA9FFFFFF85141427522E5227
%522E5227522E5227522E5227522E52275227527DFFA87D27522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227
%522752A8FFFFFF60FD0E1485FFFFFFAF14141485FD04FFFD041436FD04FF
%3C141484FFFFFFA8FD0414FD04FF611414FD16527DFFFF7D5228FD275227
%A8FFFFFF3D141A141A141A141A141A141A141A84FFFFFFAF3D141460FD04
%FFAF363C3CFD05FF141A1461FD04FF853C148BFD04FF3C1A142752275227
%52275227522752275227522752275227A8FFA82852275227522752275227
%522752275227522752275227522752275227522752275227522752275227
%52275252FFFFAFFD0F1485FFFFFFAFFD0414A8FD05FFAFFD05FF36FD0414
%AFFD0AFF841414147D527D527D527D527D527D527D527D527D527D52A8FF
%FF527D527D527D527D527D527D527D527D527D527D527D527D527D527D52
%7D527D527D527D527D527D527D527D527DA8FF853C363D3C3C363D3C3C36
%3D3C3C363D85FFFFFFAF3D363D3685FD0AFFAF3C363D3C3C60FD0AFF6136
%3D3CFD16FFA8FD49FFAFFD11FFAFFD09FFAFFFFFFF
%%EndData

endstream
endobj
76 0 obj
<</Length 65536>>stream

-%AI12_CompressedDataxœì½ëŽ]Iv&öçÒ?t�M*î—¶1@æÉLY%5º[ @±¨ÇE²Áª’Ü~zÇZëûVìs2Y]7�Æ@ç“™+÷‰;"ÖýöÿÓ¯ûâöË�ÿüöE~nNñçOo_óñÓ¯nzó×_}õí×ß|Ð/~óË›¸îZ7Ýþõø7þÃÛO_¿ûøáWú§—iýñQ>ý‹»Oï^¸ùÍÛw_þòæ¿\àß½ûæ«·ëýÛó_}üýÇ/>~øê�_üæ¯î^¾~÷K>x�tÿú›u[ù˘þ2†›•ËÍí߬î>~ûáËw~÷ñÿþÕM*ý&7ù×nJÌëÏÿû»ß¼ýúúž—a´)7¾¬­–õC]�:×GÒË:äc÷ß|ûþí‡o~ýéã›·_}þøÕÇO_ÿêæüÇ5û¿yýûõ—×7ÿçÛ¯¾úøï7w_½~ó�ÖË×/ß}õv½çû×ßÜLY‘Û¿Žé‹»oß}õåß~ûþŸß®(¹8¡#þý×k¨5ªü,àþÅ_¿_�ß¾ýæ›5Ûõ<YÕµÇY,àMxÙꩬ†.Ý�,ÝÍ?õí[Y³ÿyÁsOµLý¡•å‡Qr,7¿øõíßþîïþöᦤzó÷¸]¯_üÓoÞþþ�nëZðÿúK›èïÞ¾ÿÃWkñuírh/ëMžU¾ïŸqçz{½+Ž›œ_ÆâM�å¦�ör6»g¯ëÛ{÷ößuó·?¼µÅ»ýôÍoßý?k9ZL7}&ƒþæÛ¯Þ~úûï¾Y«‘4méþæã—o¿Z�òÏ>~õZWL¯ˆÿÃM°~÷úÓïß~³ŽÂǯ¾ýFæøÓÚšW¯ÿøV¶7Úþîo?üîã?èü^ä×lòZÀ™nbj㦗|“š='ö›^ñȨ�ÅŒd�C÷µÐ¿^{ûwŸÞýþ݇_abý‹¿úôî˽ß=Ýû¦o°vwÿ›üg“\ïûÍ7o?`Òëœ�ÿæpnÂË¿ùízâÇ/ÏßË‚-¨²¶÷Ã:Kë°ØßügýËúø·°Ùëï_¬½ùõ§wdÌÓßê_Æ¿þêÛõ§¿úôñÛ?üõ‡ùxú…„_¿þæ_&¼ýðå×±
f¿ÞØ'ôÕ»{k°…ÛøåwŽ÷»O¯ß¬ÇÞüÝ?ÿ··o¾Y`ÿôÛoß}óöOôÛ7²LŸnî>}ûõ¿Þüîãǯ|~—òi¬P¹ÿŒgüZ?ðáï>ØJ?}n¸~ÒÂŒÿáž²îþüÖÿGýüú«¯ÞýþÓë?üë»7Ï=à™¿û“ìo?àaÇ?½ÝŸ×_ùÿ÷8–|ÿÏ¿z÷õû}�_¿þôÍ»7_½ýí¿þæíû?=ÚýÛYœí°l
-}øðoo¿úø‡Ã$òú×7ÿåõ§?|×вMÿòî×CŸ÷2~|ÿaÚ7¿ý××x«Óýæ_õÎß~�cüÕë¯?Ý(܇ò³Îï¢g—$É`>hýbÆ#é{ñâ;hb¿¹ûpøó_}zýå»Em—@ó÷>¼~ÿöË›ßôËÓSТñõæîËÓ?�þ·Sˆëú¿N?ç`ÿ
øƒ_øôŸ×JÝ=ÜÝß�ïîînïæ]¿kwõ®Üå»xnnïoïnooçºúm»-·ù6݆ù8æyÞMù³Í%–Ì4Ããq<œÆyÜ�c´±ä¿‘Öúc¿_×¹ßõ¹®Ñ{¯ë*=õØc{lëºowm=§�Ö×ÕZYW>µÜR-ÔÇú°®óºÖ$ëm]£ËµŠÜ¹®¼®¸®PCy\×úÎëº/ë•Ê­^£ŒÓv=¸èg
-¿®È+?îËVê׃^ûçõÿ9œ£~—+žÓº"þOç¼.þl¿Ë=ñä€xñgûý;þœ×ñ¹t=ìç“þÚüª×5”¿w\ã	¤ŸÐþÄËÿtxÌŵV*¬µº¯ëj¸tçﮉë×�^g\üzðëQ®ÓýãCÀq%¿²_Wõ«®î×8=¿æáº=\w×ù꺿¼NëÛ羟¿ôT­cÞ×�ŸëØß­õ»_ó|ìa!Eêy�Òº0A¾ÆBšÛ…<çµ”ýq„±–²Ð �>äkŽÛÓ¾³®ôÃx\Hj¦™ŠÖuµ…|‚œsáôÂ÷…Æ÷úÞ�·a]q¡w^W¹]صq=ñvœnÇÂùº»=¯K6M–çñ.¬+®+­+¯KÐLPs½È¢$ýnÍäNŸ²hËí�}�ïÎ'Ûñ4"ê?û¡+Upâ>ïëáp=/¡‡+^\I®“ý·®|u•«ëú«=¹”˜�ì?¿Æ³×üìu{}�ž€îþÔµVªÜüÅwŸ„	.Š¬ÿùÕ}QQûn×¢“ú�WÆw»Òºì{2È	?$ÿ³\—|ý@ôß…«®¹éñYï++q»Níý"#�1Æ¥ÁǶØÏŒ·ëÀÝÇÇõ>)åu$Zêmn×ɾ_æ1ÇœrYG£ç±ä.ß/ž°Ö*–¼Î‡°“¹¿œÌG=kIM[»-[v^tèq­w\œ¬¬Ó"ø.ؾp˜^ËOÉ
ÅÁ½‹"öBjÅhÁfÁdÃbÁ`ÅÞ…·IqVðu(š.Ô<)NVÅÆ©x´ÓÕ¸ e‚ˆ‚ÓB�>’b
-½À±j›7
>]ü!‘XÙ^ô[ä½Òwà¾Ò}ãB«„?§¨z)bŸÖ·µÌë{º_[s¿6íü¸®‡5ÊYÿ�õ^w~	•ZK~E–·¸cV²BC†õ¸”dž«â"-¡�pE½‚]NÏùåì`/.X.rrŸ~±äd[\n_ÑVšÜË‹‹\ˆ_\.¶]ó°äã„uçÚcýít�PÕ	È3mïuÄ[¡ëí²G²?ÁwæNWßV^ä’,òËI×û(iŽƒ¬™TÚ|Tyó‰s¨ÄY!sFH�÷*wÞÎyZ<¬CôÌ+¢	ŸëµDú¼U鳫üYT�*�>@½…ÚTÍ"ƒžU|Tô¬BèT!´ãyÂéÿôÕŸ¿NW€ñ=®ù]×ɼý^×ÝŸºNJÍž\G梤ÿQH¦aÃ:“�OùýApv}?ëÿü~qa}¿Õÿù]þ¿=­ÿ¦^ßåêz5¥ÒòÝø7t|—ÿ“þŸÖe_‹êŸô?ü‚ïÁ0ÖpGÙÀ½^g|?‹HsñýNä"û~Â/óp-þjRÜP9Nd
Ùù´(}­E鈠•Ð aàSu–¶¸C�Î"ˆj-Šð÷¦­œt/eã»k)‹
é‹‹~Ò(z…r£…‹/­gªø"_²£ÿºê´˜Ù­H‚‹±õõHÑu„ÕÅõ;‰’ÝàÈâÛrËc-mõNºD²4\‘1a×Q¢�Ý>¬OÉ&
Ù{e±e1Xa¯÷‹µ¦5í¾^㼤÷°^±(FÜ)/>ºä¨“2ÑGe Â>§2ÏÇ5»¼0¸/l^<SEâ¼0^Äàó’êEö5n9TÚ½_Rn\ädI¶'0ʳ²Ê¨|rsÉ{GMÅjªþÜ.²v^îq“¸V´¨vÓU›Nv>‰¢¢:IQ=c¨úpsQv¤Â3XÔf]Æ$„±=ÚQTf'ÏHÊþ2ÝzШúÉÕ©£*uT¤¶
-¥üáBsÚ:“ëJ'W” ¹^tÔ„Žz�«5`ƒFŒ=.VyZßT
-×˸ê"Àz:TÍ ¢AUÄ—¡¶Ó5¨m¨®ñDÛ8觃²AE㬢Žé�®WP/®
-¢Á»¾ùgQ8Ò—ùÚ`P-\¹ÌP/»šLżw%3AÍü¬aét°,=oW:Z•&JÛœdÆ$3%©!é;Ò£Û�
-ìGf:£U"A¾M-GÅǪ̂B£iÉâl–Ò÷¡”žWóëh
-�‡‘‹���T2	y¹ù8xZ_ËjN©ànÆßné59ÃGµX�2»à/ÃÀBJ?øQÌ“"¾”³òAõ¨œ„ÊÇJ<h=ÙI~uí§ÁÝÒ�uL×…T:ØÎÙ1tÆ@IrE‰W<\éò:ÁkCÏ;.=
-›Íö‹k\]ógÏåuû™ëé×ùú:A‰»¾~ìuºøõñ§_§Ÿ>ÄŸ�"y„ÿ…JÁ5ª²?8Â?‹ò'˜Ý.ð^•ƒòâŸá1ÔOja*°HÀÉiÀý’,„
(ð�˜
ó‚ì&[˜m iOÐ`Bª@Ù–Ò-iæg•C`pj>4Gj9¨Ä8P
-ÒŠM-(†ÑRŒ†ëài5L½ƒsÜ(ÇÃõ ÿ59¡·¯]Ð¥%§i_·¢rçD„ÅܵÚ²éK„ÄÈk©½—äæHtêA=’Ÿ~�^�„H¯ÓMºüú,¦HÖ“ëô¹?\Ѹï}�~øGþãü¡(nþxàèù€Þàé'øÑÁ½‰àõÎ~DpCnêÿÆßvŸ½Ä¦lÞ¼:‚Ï‚?øüÖV©¯ÂpRmáÈô“+¯‚àÅí„~Š«$pRQ€!ÝÑü(¢?
-á³;iíOO0�þîB’ø,Ú‘ÿôy쿸ž¢ÿñ:��Óg¨Âó×5­ø,Íxzýè¯Ó÷¸ç»‰ÑÕuúa·ÿ¨
/Qüg4ý‡¯®t¸2²­—UcNhÃ4Œ¹…ó(²MK iFÕ¨©ÜžàK¤Ð’°Á�
¡h´g>êL\1j6%ï4€ãAýMé´è˜‰)awj¾°
-æzÏŠ—Ž(uE�à¿s¼Å
7
æcäpºŠ¾WαÃSUC‰D“âí•gÔ°øåÅ÷ùpðΩ¹UŸÏT]¢«ïÇüôêÐWâ”Nâr—ý£º…躇¾NÿýT¿�¬Š	LÞü¢V›¬1žTÜîÚð�Œ{ˆ…w|±ã..#..¢-Nµ° ‹‹@�«Ø±Œ«¸×¹Mív�.")†_ýpµÃuŒæ,W&«É¡‹××5¯º¼¾3ü3ŠÿÅÿŒâFñ?£øŸQüÏ(þÿc?:’	çé&‡—9«/x;Š?sƒºá«}ÙÄCõõ‡Š‡4ÎÆÔù'îçüÁŸæFœÏº§¸³»'Ôòá›9ú\I‡JßßðÓÕŸ®?zý�×剱S£ßOOAøÿéúż�ï5ýÈÞžðë­Yg²*:­gÕPÍaÆÕ�D‘O)°£ÒŠjT³ŸöL§j5E²�¢·ÓópH1Û("y>Іdµ,˜½3[¾ÒEîúš4øµ-*}™.R©s«†EÒIƒíjˆ;[sií`u°¼òߦq´ÂšÖ‹|²t¹ ̨èdë•5v»^îá¨5÷‹e¾ØëX‚m³‹éœÔ({ðÀ 5†6ÙÄ(…gKS7”ÝÝ!XL«‹Òxš˜²“?.S?>Ÿöñ�á8§gãq¾#"ç³
9É9ýð˜œË¬š‹�œ%…œ•cbÏs‚ÍOH9]ç�|gôæhp«E&?"ê‹‚Ô¥:¶¶8u¨¶HuªÚI§f“Óé«£he=
-W6Ý-^Ù¤Ï'�7$¬+
Ë¢s->÷ZÄšˆÓ}"b�DÂë"oÐräî5G.)ù3Ï’xŒÕø
-w’À
H’9�©Ÿ­ìk)«(+uíî�+ñ¸²L�{Ö%¤Ë°^þÎcqåMí°®M¨k-n×v=ªõSÂ÷ïî4t_÷‡š3×Ѭë˜ÞÞß/|Jë0�u¸"ç…æ]&z=>gŸÞ¶Mé¤|Ö´
~£C%ˆô¯Eý�Äâ1DqD‡¼pr
DpÞ>ãǾŽy9z¯Ý›¥Cþ©�m�Ø>ÄkCjŽ*/?¨¤|§2ò¸�¯ád1ö&�[bíˆ'+ëÀÊEþ*b�˜!„*¼¬Ÿ‰Lû±C!Tn}Jo襪è…q%â.J¸ŸÄœUh¨ýd
nùåÌ©gôS‡Ò%�ó³ñd$Ùyð%‡Ië÷0ž‘)Ú0?IÂLϪ¥«@5¦׋ÿËáÿç‘/sŽãÖN.öÿLå>þ;9ÔŽ±ë;uúÚ…vAhM/âî,ÞFbm¢º°*œð[°dlM÷ ñM¢JšFµä¼“
-vgOD¶Pº~‘‡4¹*á’a�àâK‹þŽ'J–ü>+qÈ°ªêšÚ
ßî½c½‘iuÏ\«“:�˜lu‹›õ%EuõÏtOWºCŠÒƒ¦&EMGZäK×�¡9øá±Oý1@‡¡~ãિEéuÖŸà¥gÔŸ®‚dd«Ç²¥þ+žìdø®K4Ô�wHv:Ý^ÖVx®¾B‡ƒo*»cºÓƒ:ú©NÙJ‚ÔCŽÓ­»ø‘Ô´š˜Ît«¢¥, =t"üUHÈŸÉi~šÕ¼…ÝËdò«ìæÓ“LòíWðÎr~šçìÂðéVs‘î|�‹ŸÊÆ[>Þaë�’O»îñëÁ¾£Øw$;cٟij[¶×g¤lÞ×és	Ò?V4>}.AúÇæ}�ž‘"¡V¶ªÖµ”-ÂEd
-É“Eâ�˜¬‚2,‘[R¦¬|iŽŒ'X$YèÒ*I»¤½(ÅæƒmÒ‹1Å÷îôŒ}ò»-”´Q²FÑ…�R¬”;û÷ÒFùyåµ}Ò¬“—RcûEèbvª–çv¼¿¾×-²$�÷q“¾(M|âå°Ä
î‡<·Æõô
O…�Ÿ8ÎO“vò³ÒN~Ξ6žØÒ¶%m@cØV«~a
-/JVi:Ʀ6¢‚H¢Ž¨™÷1Ÿ6rBHwUR;Õà91¼Ùë<²JÍŠ'XѲx‡@«¨À¦
-4—b͵ps´ö=s.…�‘Ç%wnË:Z³hÏ¢E6-·j=`¬ó…mk	V{E
\*(›…‹6.Z¹Ì¢ò“$ˆgŒ§ï'?|ÎñCÚÂÏ‘G¾ÇtµLCEÝÆ‹ñÄTֈƋš$W1'ó“ǺœSåħ
-6Ó#+S!“Ýþ/þiãü4^\ŸåÅUê�:/VEgËõÇÿj;¤C¢êUªÐåËÔÕÓ•ô¿ej
-hî6-I¡9_–uÌ‚?Û�V%ÁE�Yg& íѱ”I…ÞÆj4ôUçŽøŸa,Ó?ùf�ï14úÑôFT}yY8 
-ö<QÍÊ(?I÷ìÏ©žýÒ
-ü¤áIØì†Í‹ÚÃ߯|{k5I$!bÐtco8T¸¦¹÷ÁÃ+”ª[fz?oñ=!1’Â�u»wï²â6M°õG^íùëô¹?\ÜôŸ¯Ÿ\ž½ò³WzöŠ'Äÿ]_áx™Xñ3VN¦{z&àÈw•ó>)ü¾�Æíá§[”°åO˽Ã_Ë!˜Éª¥Ûu¾ª:bÚ1£ä{—˜cæ«eÏ;Fõhù´Îvyft‘wtâ¶Òoû<ýÎÛ,o¾eé{N‰ùœ
-se9„]ËŽÂö1Mš³öb“nÊx™^Ü<g"ûÑC]•ùúÁ!Pk¤Ñ[ùY©8Öe<U Á‘f@ý88i2M•ÏYÒ8ßEÉH"í…¤ÑæRhÒµ	}Ì¿<…›Ûõïÿýôíºv‡¼üãúåÿX?ü·ú÷›ró77ÿô_ÃÍ—rïoN/J�–ˆ7¥Ç"L«Ü¼?½É÷å\ÒÎ
üêÜæx)z”€9Âs°ÃÇ?è¬þníMÃ!{ÙœIzÕ;–º‹r„›G®1~øÇ×—óU*œUŸv�¥¸¥z³`yíÝÒ2[l‰`Q`åeïñæ|2èUfÚgÖ„^=ÿ¬W§ÑûÓË…?ÝþPç+t9¿\ïm˜¡·ÛÍeéZÃ$Àñe­	`oìÞÚºŽÐ—
-Ú
-†áÎ%ƒ'�”�Îñ(Á÷æEÏm
ȼî\hË—mmPÖYÁ
«’ˆ�Õa|d	È7‹*‡ZÁfKî.Äâid±q£
IJ¥ý4Ü»”%°tRºEÖù¨EÜZæIJ„±aÏÊœå…� à›ùêýóã)SôEÛ^a^yg³CÓªu˜6	¥Xƒ�L,°‹QÎ/ª„Úaer0¼i퀻z>m€…-±b”cpa�´5ãÛM$*ŠE¥vÿ|nv<6D£tM>5°Üäû­;I[41úÖt—�ÖR-@LÍ Ý
¦lLä
-�9áÖÐ+¥Ìj„¨K3u
-´BÿùñY(à-
"ãÖ%6w|èÞ—8•:&u�%ËšŒŸuo4墮<kR”Õ¶þë3%aú:`¡çËmY@1rÛ½ë0بë€/å×ôb�—…{£o‹ˆÚ•;KÔ^@¥ÖzoŸ�êçbBçe£ëKó«ªf(æé¨J5_|^Ì^g
-3*}ÅÄ{vQqm€b�Ðq_
<!u­³�²
±ÔŒ8áJM(„$O¾p�B ˆ#]¤dw‘°‘XÕXÔ©[�r­{×<pöÕ7`wˆ<é ‡ÌpØ  f
F#xvÊŒû̵"cr^NxIE8�£W›Ù„c;ŽÕÈá\'ÒQ1
Ƙr†xp†¬M	"kÛˆõ©6
¸ö<Wð¤õ’:À’ýÅ®‘@�•
-0Ñ
OŒr[‰ðd9ªöéu¢Ù†½ªÂߌuÛc’+ßµ†è¤J%óB…+¥ %{u.2½fnÀ¥…$ š/bÅ+µë¨ÄK¶î�¤-¤Èö¤.’*nÌ56*¢1…»O°A—p_;d#¥Túnój³b†ÑTº)½
-n1ãAlÜ"Ax\‚¸Îî]W
LPyƒMìŒ
ˆLS‚+³�ŒÞ‹^Ušƒ¸Ð¢`qMXÀ$œOUÃÅC‚©œ
-^·B³KÝï�®Äu‘—9j„
-7`ÁPpk
ãêö¾x1yŒÛ¸�ªæAc\´}ÛÀ�‹¦sƒÄÀY¡µ¦˜x/ÐFÔÓÒ*€JLÇ�x·ìЛMa²‡uîƒ#£˜±‚ïo$âã¸ê—�²”N�h×Ý¢¸™%ÀvBèˆ�×1‰Ø“¨‡¸ù&FîÐó§RoÊÔ�Æ«ÝŠ"„ÞHöƒsÇÚ)g‹|-†ïG�zØw?¼µ¶æÔR�HPÈ�¸WaÑòg. îÃô1?ˆm€Ä=†@†¨o$í	÷&ÓîÖ
-l5JjíóbýQ#™±PÉžíd4uv$šœÄ4ëfO5ÑCæçc¥	h	ø|3–%ÀùÒϧ4ï-Æ
-£ºhÖ㤋wP`¤‚aK“q¡*Œ@º&f(\#ØÎÛ©mcsþÐT
©³C¦áήcß%¥>:;ˆ²b$ÒÙƒnû%p 	(À*£lPe5ê
-ÃdhYZÁœWÐaÕ»—ˆ%ªÅ‚Ån0S6=Å4¢U·­=±ÙÁJ-n‘Íó&
•e-C¢IQ-Q4@ÄAëáóâ+ܽƥ|‹t•ÕtD‘?£rž<FEy $ô&/:01˜PÕL>®”ÖYŽ³¸â•,‡à#(BÒi°l±–²í�rô#dJ•8^=?È+7õ®Í‡¤69qµÉšj!6|—a)ÈG“ÉL^âC„¤ç¦%W!Gcü¯ž}f±HGWÖé~–÷´ª)Ya‹†b1’£¤÷ÂB&‚V´
„ïqkܬ”FÀMÌ<�ÔT¤`0ÿÁÓ	`g­¤Œ.YnÑ&6¥�‰JbÔê´BØžbˆ:%BÄä‡`ª%À!'MçÐ??D†×[)A>y¾ÌëïOó濼ùÇÿrñ“úÑ>|yáEû“εvå\û¡î5’ÜbœD—GÔßjdàWàEŽÖYÉͽi6ÈgÀ‡AÄÏöŸ¾=Å›{¸Ûè@ËÌIÌô­¹�µv¤GVÆ÷TëhdÞ6Êf€vß—Ø`¯‡«@‹«C‹K¾€•þ¶ntÎرœ63ÁÖ]
B—^ÇlعÉb¢ï0'µ>’0B¢Ø7ÌôŸÅPk Zÿ²8Œ(Æ-
-f”…ª5<ñ`3OË¢u9As)‘žƒƒ�®VëÑ›;¾ÌBQª0n�3-²ˆ°C`v³QY2n˼w˜y¹“UmT[Á"Z5' ÜÞ>ŸÜ~8ܾQ’æú`YMöY°ÄY¨-´õ
>OÅ}£â^‰�¤B`Åš
-LÚÁmQ]T›7°=ÓrµÀ•rIK@è�}Æåàïc" ˆYuàÞ¬¬Kï…‹K€�û?ܽ„ßh9†M¦õØ@5[¥IU:»»¢ÔGuz³¦èK¦Ç’a’Á¶‹F Tœª3ü”BokI¸ª’œj
 °
œ\êéà
-+w¥û
-‚KW 
D-
-Œ$®‹­†¨Ðj;öBMÐëņ
-pë‹ÂáUÛQðbꘕóø.f²l³Šb¼}ƒ
¢ú`Ú\?eó.àÒ³³
Í8f3h6ªÊ0n-¡Æ
-)81¨jg™&;}î TIšþHs·XqQiQÕs¨òu5¿XáÒÞ±É
ºv�{3¼ "ò†
Ùn‘g ‘NF�«Xîqë€8°øK•ô[û|ÍÔçRx�:Ûm
ÄB
£–Î8 
-ý§¿‡•rIŠÓ�Påï÷´ªGFHF�¨%þ½B:Rª�¬¾dJÀ÷QGÁKÈ Ôã€{iÅà4§N4 ¡
-�*Ê
-^ŠtÂÃ,@Hg�W»ðægÚe;´:E“%ßÃ4ZTh;‡2~((*á
-Ð#ÞÄWÛÕ"2Œ'P¡5�uS¿¢¹O¥9u)ú&kž`@IpV»SíÀF©$æ£a
-4w�
-ݘ&;õHo°
—Ô\(	ÒO€R‚Çmv4
-äã
-Ë4™	ê”Î[¡=ËÌ
à�°;.´Öˆ³ÀcœBÒTĦ\Šä]Cé 9(–)P‚š€
-¦#›GÀ@ÛÒ}9j,�>Jm€âAñKèlF7ÅñˆSÉÄ3Ë�ÜÙ+€ÝS¢$h'Ó‡–#ãndÄ@h¬owpžŒà¦ÙPóäÜß
|ï¨8÷:“ãÄŠ“¨Ý\|\5¸Ù¸6%ø»½m-Dp÷`«f;•Õ™�óê9ùò"¨Phc7Ç©
->/vz(Sé¼W=Pp/Â|Ü<‹BN-�2@gø8 À7¢sè?=`f‰Âãû"‰âÒyÓ@äò•ëµP¢_Œ;xDÆè×Hkq©‘;ÅCLÈ9s+’ÅVég„oÜ!¨óµ›;l4
-œ~È:¬D†&`Eqˆ¹KÖ”€8L4³jeðu¾:‚=mpiÀs$!j²Ž�NÍØ)ÚËáO¾c‡Šï�¬£»Ÿ/VßÈâo«©L
-N}=þQ�s�j¢
-ž>™
r©ÃAŒnÈ	.AR=±uîøâC¶+cÔ-AëA…­dÂÌŸî‚Ÿe­å,ÙÊ'àÂ(µ&‘«¯¼'MdÕ!"%¾^Çͳãž÷Á•Õú'žÇär±$ØFËä49¤yárØM“š‡Ò.UúŽ€g$q†µ{
;D�éÒásÄ绨{ÉÓ­*S5nȦ€¸Û§óÚÞýÊÉ–Ÿe2ŽÐ’Ü,Z‘ó4¤5ÉPhF±�§�#©‘^+Ätõ\’Ö€Šé‚T!pñÕ\l2¡:•#’‚¶/}Hb>+gLà˜8Ãû@ÒUîæzy†Ö`^�éUÑüȨÌ}�z%*ugå™Vð<™}/	â¶n
Ñ”+£%ûõSDëôå�–‘ä¢>J¼Scî�ýp
-iÓåß@‚ÑQ–ÚB³eTwƒŽl9�6ƒbŠ²8µM*—¬¦Rè¨N–[¢©J\@�vÔœ³É`àƒT �V°3[eU2Ÿ/jkñZ3þ¤Tà±P�Ú„W”ºJ¾þE2~h″Q²¯àX(æñÐ$÷x´4ŒÌ*'šÓp#Î`vqbdF·Ë²$$–åCF‘j(—Û½cÁ@ì ÄS
¢&Žô;Ú6aMŠÓ±‡è´Ï_ûÃ}E=Yfe	Ñt:naú¾€+Ëõt¿5uf•ùiOàD=IÏÐWå
�m'Ya•÷26}à!¡µ?«ïlÏaú±´œè8}sx.93³E…0:PI:ciRáÛ3�As¾-©NJ+&�ƒÇj
$ÞÁ¨\Y=DœI¬J'þ¶XLc~q]üY÷
-¾êíà]ºo
Ĩ€êg¦§ÃIå$¡
³Û�´¦
‹-füϬd§.rK<D
-jö©¼Ô7÷@…¦iÑVvº�’§¯`^šj°fVTPå‰Ô�©¿"äÂ8»F�	DWU‡-¼îs�)PîµÇü¤­Ò\aÞ+'Çø;÷hDö¾æ5U¾ö½–û"ÀÔ‘-¶ò]œò^p(–¶¸š�Pdñ¾°ú\�*RƒØ{€¥Û¤\Ù£ªZ¶©n…
p"îDýø6ÿU«{#
`VÞÈR^¢ºfêè"j:”Ï»¶YäÞé9CÔ$¯¡×N½5¬ì@Ôwí‹
-h#×3@
d‘¬sãë2b0mé3QÐ,?Çž„¬R¸‹Á¼PJLLC`òBºé°,l­§¾Aß�†
-Dºm\BD˜ø�:…eMɾ¸QhæÜÑPSÚ½–ðÓÞ§ÛÍy¦§Àë¬Ëë1ð°²*ò¤^2gÚéL° q�çfq
ÑTº²0·ˆ+*°Km•@
-bù©›l ¨ªì­à¢�ŠR…ªrt"XÖ$ËýqR‡q§Ñ]é]2Ùx7³ñÛd†Øá 4äŸ_j]m2ýE56¥§”s'zÀ%ù½^ä(ºL-4Öꬪ%Ѥ;¥ÇÅÕ>”+|B¤…ˆ#ç§M·†€&¼–ê¨�,ô)å=c½ @MæHXñ—¾V‡fѤ]ïÔé=Á�~éTíTH*A¥[;�àÀÄrmÙKÀ‰h.k©Ø=�
„àZéÉ	G«m•Tæ×Õtëq¿&CæªmmZòt\>0€SˆB‹Æ²Ž	Kꆑ•Ep‚ÚiÌ;QοÓ0
-s?LÅ­Øɪf¿'º�€Y-/jŠú
-¶ûdy
-`¼³y5‚
-Ý[”¢G¯M³áÔXWmzêJ<l1Ͻ›mçx™¿:­ Ã{‚½ºy�
_€(+öÔ^Ø]'$Ó�ñvFòò&˜:@p�cVŠ¸šÁÙQ`SV±ã‚Ç몼ø|ˆæ³K‡„™8¼Ê“ðÜÉhJ¢mÚ±qÃÝÔÉjWr
-r¤¥ùyZTÄ:Š^Rh
-¢�
¾AB¥[À
-CzšóÄ8XKQë“ xôH(cLœ
Á`
^8ÀDÑÕh•íŒté¥
¦è§€ê"ºXžEñ¡0ÊzÀ²ã>u'Ú£:B	Ó¡™…Ì
-&dÌ­J2…È€ðáv×xlQã[>Üÿ$ÞÛñÝ„waö�r?œ�s½:õX_U|‰-9:¯–½`st—†Þ�Í”¸:vB 
:NFAh4dßtõ¸ƒ¨à]L´jE©*f`­MQa«íÌlå ÛÑXûtÜÍ’ô-gá™Å2J~ZW]GV`nO�£2¦LÂÚh
-£r¥¨®ï<\4�ìØS��½…ØCJš¾œ1@u
¹À�*@Ôs™~6ŸÎà¸h4ÄÇ#ØQì¨AÆœ<÷ÊO>~¸×²•Ÿ<žRfd	f
¸b€ €'y,Ía5zå¯iÞ°À½©3k7—Ù·Æ䟿z'‘�µcXïŸ{“ DŽ·4ö&@”ÔÄeÆ+¥¾ôÌ°ÜXX,X
-eMÛî4IÝZñ\¼Ø*2(òe§S4GC
"±YZæ™döö`”¬`ç§Y²=€1è}WžNŒö
4%*Öh@­Z`T¤c5� S¤IÒK$0{Ó%wõH7*ˆ¤Í,²/¬´�Çõqß‹Ôm¯\™Nw—Ü[Y—‡Â ŒŠzjÍûÒ¼vl5ÆpÜjQ¶Œ©îX@´Þ’ò»õU{é-ÿPA³3ÎKŸ?½ßTÝœ\nn7M…±À:ÑêgYS}cÊð6Õ’½_qÔH^5–ˆîà'{pËÃãWv¾�4¼qâwÚÎA’­EÜAÛÆœîBX}~z€Î~²®Î†Ÿ,GÍ·–‚‘Ä\úÐÛ÷Dúèl�ˆíÕÉÒ-Qê¹Ãi3KÞÐQR4KÓ¡n+”02™‚
6%ѯÕ`î=Ó±mÝc”ÄŠï:@ç¨W3Ø©
aööÎL`Øq7Êm@¸Ù4½aÐOGé[ºx„mœ¿Ó•‘`õíÛ�=r«ï\•xÈÐØÁ
O¦»;c2¨Z|À{‚'‘•1¡Ò«cT�	•n™°/V)`L¥_œ6lzFÉC;kv§'+•ÀêÅð²Mb»Ùá8-ÚHž¾Â>×ÔªüX'—BÄ8EvscÝ�ÏS,Äæɽ=‘ºÑöQ]á2�³/:…”ff.:üR_MYšÓ°_Küæè.þvvÊRI/'‚ï…éB@|lŽmÞ,f—к݌‚áa^â�Ç÷é+ðÝ$áƒC¨á⽃É>X‚'ª¢.Ýç§F;xó(ã«Q7ìb—zmEŽ¥Š7ãá Ñ·+[äƒÑð'y"ïÎtØû›Zy@ý~bc·ÇSÏZ‘©¾±Cè!¥>
Ov1#;êé°Hõ%Ç¦¯f~yP‡7<Û÷Âo¥;ŒêUûç~1vô“Öf�·¶Ý,±zSÚ¡Ï‘¸};Idýˆì½ÿ$“l0öàù`7Êäýå<Ô³¢,íq:ÏgàÞD¹ÞqÜWÖ¸¦UIýîäcý¢»ézDOõ2‰Íñ½ï¤÷nr-£ai)¦0x2\%Z¾|™#Ñ®,q7¼á«rʳvv]§‘££á<©±»±«íhÃîþ¢~°’tmûˆ	¨SÑ€L›o�&‘VÍx?Þº”œë``YPi¯û
-?ÕYóvh±H8™ù#qY^î²$)géâ5o„YK]:4DÜýPBb£š„Àš+"ËÍÈ÷Í¥$ÈŒ²âN¿�‡õÂÀÁÊ!‘_B¥`ÆlÖÌÍ5’7D„mE5½ÂF5ù`á	î¾Ùë�+eP,&²3°kG�–Ãô]?š-Ó’·+`b¢C®êV’"¹×Â$cE4­ƒV*ò—Q<=i<~’ÒXY;x5„±Û»%‡pzGÚ4ÙÁgKŽ‹ŠseŸÄ€2†4yMfÐÛ®f8Ø)Ÿi­·{�awÛâh(óklù2;;¿[Â°ûuÓ+@du6½Éë.w=ºç3ó6�tHs êÁ¢­yº'„åc]éydk¸×YkkH©ÒÈSÛRÛý•Š+¿”gpÙ#åã|›
J©¹HÑUÞ^
̉u7ÑÎp`K¥f´â!˜êÝ�d
-Ô·4^ƒ°¾vs³°TnJ�‡‹kVo'ÚŒŸÚçŤCF#âL¨’¹¦@ 25B§/õ…v$dóÁî‘;“ÕMµ3[‹˜`áck–{uF¡ýÜi)°\«¾H0È]熓.ªOžäîZŠ\a4ltTS õ¬~l�œ(w+Ãy0Ù
-/{›ßmXRðÞn³3*�.q"aè§�Íùiª»ÍjTp÷èÕT)ný<…ˆzWZˆ"“%u齌,èV„Ѐ#�
#?m
-›‹ìË
-~�‡Ìú†æŸVnà8wµÔ
-`d«r»¬~¦¦àgª2´JíÅ<¬
-4wKæhýJíA“Í:U@åÍŒü¯°ÙYÎLÛ H
-ov1QÝneLÞxÁ*JüíOß
-f¥Cu=6‘±(>{º·�ˆ>00ÜÞl_«öÑ‚Z¼Ÿ2{¯9�|Q4La½1ÿÆT!\��Q*ZöÈk�‚®oÅŒÛÞ
-¼
ªaX‚Øèê•Ò¼™¥Ê–ÌcC+²�ÚAT͇<4-ŒëÕË�þ %l;�¡iRëÖ¡ÈÜUˆü@ÛèKDò€æzHÉëÂN˜º36€ä&€™F6ƒS¹ä12ª%÷h‰Bׯ‚‰ö°DU,†M1»iL/&ñ:Œ^Ÿž­AíÞ“2p6Û
-´Éî%=›Pî…�o×ñu4°0ñVê»O{�Cg`¹ÔÕd÷‹;Msª1¦êŦ×3Œfí´
vU¸
-[ÖèV{Ïîôü$
gÆbÁƒ¯XîŽ
-ÒV ˜<‘½{0$?Ь1##dÝhÕ_.5rZ»K@‰!Ìöi–¯ŒÐBÔ®’±U“Õ\Cñ¢xÓóóG4>¬Ó0C'ƒØÜ3`)9r{[`éÂ콶GóÖfjŒuߤŠ„z:Ù
(G7ÔªiÔ%ÔÊ–ŒÍ�³%9‚4^
\½ˆ¡2úk»T²¾e/¬†ˆb¹°HóÏð“:0‘½›rꬶA6w½á�Þã6–]‰ ú˜"e¦~ØèQ«'äª#JçA²7`EÓÔW†Yz'—‰V_z.'	¤�èY¦o2P�ÍS•Öt²-†ÛÎÀvUH^¨‘—¨݉'áìmz½š‚$ßf–Y¨Ä"÷Îz…;­YûÀyv¨Ø{«#Wæ
-³p´)„
)Å�8×\¸”#5˜ÊUÝ	½›B¯Ó
-›+LÔ
-F©lM`â^Fž�¼W)¸óàj.ÇHê]⪢ëP÷:îšânI‰ý�¬ÑY�N𞹕=;‘›JeXa¬-CÞ¹÷1vkHtÒ©”‡$oƒjÇDFÓ•�5ÿ� Të¸Ñ�|�¦ö"Ä–
-Ì+€7:OvžÛUƒÖ¸7ƒd¡י€…DfÓTôÊ1FŽ$‰å˜Ûæ `ïƒÚ¼_-LufU'
Z5Q
zœ·v§*àaUȬ
Ó
p2-zûúÛ®wv1éâÅЃw9`%¿¯Þh±Uî‹^h¢xÀĶ´‚{f¢£ª×
-úP["û6´ãµã�8>¹wºv�•&þ×+½ülËÞf%Âó¦@Š•{w'íé
-vç

o�­6‰ä¦a9á&&KÞG£Òͺ6M5Zja›HD/±‡Ôf—ZÚÞûIdáPB²íðŒ°ë‰ˆ»œµ%ô±/žOž8$µùyö/Üâw‹‡vÞ»ÒK£eŽ7jËÓeÄîè¬È«DêÔ~©jÈÂný
AM²	•tN[p
-µTo¸´º2IJN©¼1¿£•ÃÃ6ñ±ÊS
-ƒLP7ñéÖ_¢®w
-Ûù—0r'¥Í(ú£RCÌ&ÅhJáX–\‚í&(6VuÓ¹AzlRm2ÎÌû„[_p“½ˆŽ]è¤=¤e˜µ`ø¸7µè�
-§ž|xpj>Д‰"æ5»1¢¡«zó©O6ü®)òJSÐÏ°«v…cµ�´±BÌ™”±€iº7mø2ÀL$`‡¥IÜvd¬0¡˜:KéMÀ®|³à™TDê´	0É¿VO
-^ŠaŸ/Žc`«güûÒakÑc˜*ÛÁZ�)ÓLÚÀºÌZ‘(¯JÕÖÀä›­I7±@˜¡ÚpÔ-ÑÅÀÊ3ù°·æe ‚Å—ñó,?<_»åÁýùÏ®
x:¥hj÷êTÑ‹x	Ð}@)S«;ût«uçÆMvö
-Òã<F§T8=Öáø|Q;+ÎM§Ï-^¸K
-Þ–EvÆÛɺTšívGH)n‰tÞ`žDnE‚µ2µs]JÐìSœq·â¨Èm`ꨘîÓ>Œ¤ ÚåÓVk‹ÔÃm(³ÑWNÙQì¢ò$¶˜GÆ/E&­Õ¥lpW²%:QÉÞ-cµÕÔ¾W€—ëQ°T¸‘M­Ð¢t¾1;@Áìü=-wÒ€}qé“óª¦AÐ~\ŠÌaSxðbTåEÊîp<[KfÛ¼âJa
}}‰è&§À‰YÀ½zUÈlÝmÂèh[÷°ÓÌ(åçöë6«Wm¯;õ'µ3*©%Xqiˆ‰=šœJ?lXòbˆR'£Ôz jì^Ó“ùŸ^ÌÂÍH`d_™Áb”f‚¡�
³‹åú •C:é7«#É»fRžè	û5Ñ+™=XHÖÊyPA“yW�� ÛHÎv�‰ÜŠ|E°ÃÑ‹z`îsN^^ZV%0ä-{ÛY
w¢¢æöc¶™R"óÚdº—Ϭ»¤Ët†
¢!•ÜçM
¼T/˜qñõèµÏ¬öUª+
Á³1•‚Dòšê"i°–IÀƒÀ0 �œ½p†R°,aŽË¦¯ÁKÓ—âu‘‚™
ˆVgòn­ìqÃÞHÙì]‚ǃÊ}™r€b?ž'­š<`@FÞ…ÍX-v8ãÀb?Ý4EAÇ*ì~Î(ߦh#ª#Á±ÒIÏXO‚FYÆ—Œêð—RNÉJ§±–6nòv•Û³W"êh˜Ï,;% ßEçëþÝpôþ—pŒj°¶ÏÆ­�»>Q¤ÄCKʤ%zœ¨™öùè}v a¢Ó…�ƒZžädB;
r€èQ8t7–ttB¹(¬ë`,Àé”ÈÊ“r\R-Æsæ©éÜæK v0÷WR@)® /
"@3ÛuÊn½öõó3H¨©lqzÎ\“MÇÀ`£É�ÖnÀVÒÁ‡¨p~>x©IîwôVÑBb
È,æx¨[=f6¾t�©x—E�‚1ï‚ÍÊà9–›-ÁKm	¡ûdyÞ
{	윦ίèE°=øqû�òô¶ÉìQ¯žÛ{Õ›ƒ‰ýÑK{åéô/z§³L×+˜çQ˜sù&Oöt *çÏ‚YB¤±Èg
èlÁ‚c0
�ÑRíˆ�cF|pÑ/OöOÁœ¤
-z;®Žf:© çö¸¯‰,�ÇŒjB<_aדe‰'™­W
-mt:  9A(3,4®˜†	†®‰'X>ïù†¬�%/�¹P‡=¥\Љ?©{4s231_ŸòFbYâ
ÿž¦ø´¸@ïMÉR
-ü
-`Ò†dÖTOæ	©£ô@A‰­ì*~j^^ܘZõb(ÑNè½)PÆôßÕÓNƒsIr#e7,p
Ù¢—+UoR¹{I0’k!6>Ë’²�{;µ^홋;=§JëÄòùÃE<æ7¤í�ÊŽÕÝlÈGæç϶uPz+˜%”ªk�Jö°pUrJœªWNò*@çh“
-c*f`7l"3÷–QóB�ÅÝ@»BÞ3t-™
-ÈŽ5ÌIÊFšŠ»È2ö�‰m
-
Ø*FjÃMHö,2¦a¥ä…¢“égÚ>ø�ðåx
Y¤Cªýƒ¡%—Ò!²>%/t›¬tæ}ø²Æ”â¶SÚm4â¸F8¼˜�ÃÉ»r§xÈv¼Ó¦$“®ñJ³
O)¦)ÀÊ$KöÚNÁ¥CöL
-¥œX­;ÅCÏ×äó�iÝn—�wú_­Pˆ™[¼Înœ^Ú)[ÑE@À°{d7·i™ÏøG4ós]^Ü 6g�˜ŠÞÛL€ =l,<Q=ý&nÉ*k¢*{P.^ÙU&‹…Éî=�¦`ìEŽÜ^Ø«Þ:,úÏÂÅcØ“*þ¨² Îm¢WuQ+ÇíÓÃk�]p:%ï÷C
´ZÝ¥pTû±pW¦eý“žþVàÖÕœº|+Š¬òfâM^‚fRZŒ~Øê»#bÖ¬ætç�gáòꑱ2Àच02b'ë7ËÔ5à„‰¥º=KÈü`Éèè×Öªù¥^‘ÎC�j¶†Fµ˜åÚ\ÙMÕkgôC¸ª²ûÄÊznö¢>Y7« ØœpÛêÕêP–.Uwî«i¼ø¸Ùk1åÛªB…®F&ÂL,ÝS£SsÊw,+ššËsÃœ&Œ(¯4<«UEùà•>ëf¥“‡—"�óži‹yWþr?–®#‹$2“\¸�W<ÈtfvÃ#2êìR@ _Ë}7,žÂܬ£s-�5S>TZG
O�M>(oÅ'k�š#çÈË”…Ž·ÚaæÝ„|¾@òè”,Xªï– ÙS#†Yî‰	»š¹–NO\+æ>¥èR?TëOÑ#ø/Žì±,¨¯kp¦&•·{ŠQ²è‡Ú×­’æ�Btf@¤èJN7!'EOËØíÅ�ŠhZ¥—SbñÐ9L&³<¤Æèì†f¬2¦'„`v‰Øå�¥UNð"¬-³Ò¡
-=mÇ㵋·c,WS4‰©bô.¢¨ä�ç;€Ñ:?­°€�½Ð5€çbðQÙMVi�œÞôI%>öM§e&%/ï;�ô	]cmÈøÙеnjìýµíK§g§ïÁ‘�Þ#%vw–Bhž€‘Ò¡ãte®&GYr¦ÀèazïD³^6E9Ø»›g´¼H^|KÛú–-H3¸oºñRˆFaÛ¹�îæìløV=dPð­ñ>‚Ûä6ö¨ÙEf¬¬
-«Åƒ[†r$“�á�Q.s«fÞW
--¼9x·÷d$oÝ%Š‡+žö:ÔHÞ„�˶Ț71+Q!pT–ׇiUL§·¿Ð€{.xš™Qø4*ÏC,±Ü."øÔc›MÏÃJì#|ix~[bt¿ì‚è„ÌdH>‡ÉRS5±£ƒœz&ªDºå"Rë
ˆ˜[9t^þRòGY"BÖžÞi
-Ì«“zo¸H(éÑ’´x¿¦$ï¡�v}Zɵ	Ôµ*3
-³ù¡Vz:H&¡Ò¤ü<;¦O3àÚÊ”ƒ…J;²ã";atãyÚo’û°-	žìÍâ:öê�UµàúN±,½cë¡*YªælÞX³GÆeã™»e±ú‹¹`ÂX+ÀF]Ksä
ÈF¾ÃòDÎ`·Ý¬ip
-
-
-ɶ…´¯Û=	Ò2R”ÔØ”X¯E.~»	ˆA¯˜ôŽ¸ ÌaUK ©ŠÁÈžJÍé¿ß8€€Ž-Ñ‘B�m/iœz¯†�Žõ2ÕÂ{ëP¼wh–YÀÌÝ5Ítˆ£ñeŽŸû©ƒ­õÞõÖ>Kmsÿ�¹E`õíš÷®tc’±³¡®åqe¬¥Û�Ÿ÷uyÛÝ~Åâ�R[÷Ý–ºF3�ž£'Žïpqvg—
Þ6§T=šM›“¿•Ô¼Ky
p©ÉT�¾$pÈ¢“®áa%Œµ¢YìÌ›ÕÕl¾ßû3[ksÝWÏê,¯ìP¿ä(bÿêW€ë­Ý	¤­záµê´Ñ7í®ôOË"Õ±ߎΎ߈"¢]<hSŒX˜VVqß/U¶»‡ÊdÛÈ´~SBt}IèW 3z´Wí>þÅŽ8v‹Eu©¶€§jn‰tz»,2övn›8Õ½výÑ”5*¯h‘�WXl2a3˜ú·ó¸ßo+{Þš9WêCfÚäÛÌèÙÔÍÃô\›öÉí$CÑ­ëRvv4éU…´X~YОߌ‚~‹MÈÄú=
Á?Ý<ûx÷=B¹|Èe¨ÚÓ¶®fM¼Gâ
~DQËnÉHô$€î%Ë8³¯¯ˆ¯­Õyº’ú~cºã{Éô‘?hï•Õ.ý¿ !I3–è·Ö]ÄAÄŒ’fÄ0ãy¥a`:}9Íð²€sú
-²BEQöµèïv!$"Ù´¿î(>l|nJ[hÍ—ƒ¢ƒ
HEé±ìÖæ[êPu”q—E¬Á̺?�N¦¹ƒùYæá±RÄŒü|fha`
-+š¡wÏÄ©â}x–Zx‚$t êFïS{;¸K
™Ü橇šõY5ßidËD#Yþ�]¹uº£2¿’)wb^Fô¦¼
¨#&
5E#Ý
ÿF�Æú­Wòn„K#³œ¢I‡Z¦ZõHAµí˜>5Á(¬Z§âÂõðf8ý/#¯ÚÍØ@1ä–=K�	!à|:'Þ�ÌTà¦FÞw¯mÊ�’ßiLÑõVÏÒ(Èáý›}.5,Ãñ
ß~‘Y¿+êÍ5Îu)”­‘ŒöªúóÍê�¸C{tXJ»ë%ÈóeÓZZ0/ÀZÌrk%?XŠðGöyÇ´”`Š×-Uy^tÙá©B7æ•"l[‚9Œèݼ
± 9^û[.º¶Ï%4'…ðSL(¯Îh€x	
iת†�oH
" æ�Søƒg`%šxm‚¯Æ×ðƒÊ «I�»¤[¦âöcWWóz±ùpå^Åó†UYä’Í �•tk/×Õ®Ô¤h_ƒqãƒU§Y-Nn+:Ú[ÞHˆåØo’¦%…ÖHúGI!>׃½y›d®´%“I	×Õϼ’‚·ÕC¢
�;´g™‚ëp]Z¢j]†Y(ê+-‹².ÚMJwÀ¯™Sî6)´Ðv)÷î±[}æ8rp¼d‘W‡EÄ3­WÂÍ[ô5ófXVÀW¬ú¹5¯OñãHqOÑ"ßWÕI`Œ}‹®²êD	yò
lFÆû	C�®Öá>‘š…Êl¡žß¶ð‚Ü*½­ÂÚ_¸»ó;äê·Œ
”±jl–’
›·¤‡“ºù�ÝËd*óרlJ˱Î�ï�bx ˜
-ÑS)ïdüÐ7³EöA
-Ö�>¸Ú™CZk„Ï1|)i\ŨsWßêTûš!ÿ1cO™[êi3ûçÍ+¬óþ­®Û·/N=ôÍ–2oæ¬~ã|ˉÞTÌwUU¬b®@:¨˜‚kWçµÛ
-æî¶
-³ƒÒ?evëÐù˜nJ`#ø+Ò-µ‡£ºnÁ�™/å¦ê!ñ°á[öS�j�^zЬbé}'Üën…·ס6Ÿ`¿øòâ·¬ìF�&‘…Ðl5v€_ž€ùñ˧I¼¶Â;VÇÐM…¼ÌºÃt”‹n`—ÅvO“›j×ÆÔûÁôz=�YÜŽW�+QÐ!$-f;ëÔ–›	)°KP ÛÄôªëÕ=#vRqÌ{€
µ¡Sêê‚LHk©gÝŒƒØ­,PdžÖ9B2â¥`Õ»²šÒé΋¼´göMúhD»sÇ�mg¢Šs×£ÙÞ!³üÍq×ÆJ-B¹y	Ø&Ĥ¥¦Š[AèáCľ,ÂœÝXå<Œ(�Cˆ+Ò¸!µVnPÄØÔ€ƒÑ[‘ή›I0‚PKèñL©h×�%šÞŒH¯ˆÀ¦póÉ
Ñ*˨ÓqxíÔ?‘=ºÇ•~­ê$=ZçÕ0¼~÷’¶–™ê¤fNS™*º 
-
^yi”«J©-Ñ>7+¹¬àvwwil2Š×]øÆŸÊ!…³ÄdÀ}ðWVHÄ
p\ù¹±	Œj•‡£Í»lñ’î΃wúÃ`y@B=Šáe§üAˆl‚ÃJý¤Ý’í7èló²”tžfÔeä4àa»x¾bîÖÝž½9;RoFÒCÍ×¹0®£(±­²5TØïiÑAº¦ ÏÔßm-ËœÁñDËø%ÕßI|4GpSoMÐjfû
-ÍÁ¡¹Ù
‘̼¢7´¯²òj/xk+zºÇçTo!’¢mˆ1öj©±Ó}åêÜmývRý¿Á˜oÊ�ÿŸ¸ß�Z4£—$3yÑU$½Ö�Böµ›è‰ÍÁºûöÒh”HN‹n˜¸–)u4X
-ñÈÅc½ÁÒp¿#®vhHp‰ÕKÏ¥ŽHõÆ»«õFG÷B>‚*—ÕÉ�nÌÜéª;šò¡«7J¦¸ò+ýLê×Ê	NRRI*K¿sÅù\]?ÊHK·zõœ!ÚX¼/�¥ÜV·ï¸B6¦úö§Ð@$�ÙŪî}víöÝ‹·Õµ®âé[*[;ùr8þê�aZÚ9šv¤œµ:›I¨â2rÈZVi
ÍÆ÷ÐU1m�´™Þ4ïxŸ4y .™æk»…K»Eæ¶"ü†›
-æCüÿ 4¬h�9­9NLWU¼sk¯#…‘h{[³óÞm—õS·n#Zzà‚Há�Æ2xÕïïeУ|J¶E‚Oc¶8�ïjØ�ªŠgJî·
ˆ�
-môgóOƒì‰a'p#¥#&7µ{%@°B$›ñ}�½Pô‰MŸ<-”�>7W0 "KúR‹Ì ²[ïa�í§aù)Õ|kºaÜšGÖ¬!X
+‘µ²n檯–Öù~[9£•Äreíe0³Øj"“ƒ§OøÔî�S–RzéÞ|ô<ÀâÏnÝù~š�‚ÏD™ð¤[ƒ9‚Úèqs—B³ò��7§I…©uI„`С°¶×Ký$~º�òÎR‹·;S«‹¾»[½%ù£&rEŽ¹FEÂp7Õ�9}ýú­½ü‘µÙ�§aÝ¢»Ý)DÑüe…‚÷,ë#�˜èWdÊ"„!úy
-wPkM”âûïÿˆ72CUÕ�z#‘¿Õ‹
"
-!ŠMh7(®�¬¢·e/Yò«Æô>þüN·Þ\_h9)ݪ8úÖ+¹Š~ym>!ŒÑ[twük÷®S’ìAÖ¢FÃjéó~º5P4¥ãºÁM)6”f
ðwZÕ»¶yÅüûqˆïñ6˜>DzBJZoƒ(À­BÕR°Â¯ÝýõŠ¬üòhö[ÜEUð’Ùwô¨.íVØŠtrtt‰Ô™‰U¿UUQƒ‘÷Ø“öÓÀš5ï{çzt±)¥
-æ¥�DOŒ•ñ>½Œ%zwm­ß1ɱ.­KoiLòà-ÇÀ*™
1yp6R]Æ’¾¡õ…ÔcLv3õ¼Œ“mƼußRc˜1ƒÓx9ÈW:±U)ÆŽ1ˆnôŠžO�FŽI°ˆ=›�ŒÁ•½….›×wÌ)¶�¬¨&<S"lJбqô¢ÑRW¾¤•Ì†5<eÏ¥�ÁÿîÃȾ¯Ó“ÏúóN®RJ0æ,·²kЋÍ`çMûmYêf9(C(PÛnGÌŠ§‚üö÷oĦðAcZR×~Í¢Ó$Á¨hkhéÁLgF¸”�ïîE«Û�v\›	ë¶'˜—¬%ïjSš„ïú¾M£*…uÄéÒcÉÊ+œ÷ïK³}XlgÀË8ïGˆ$—çE<Ÿý|œ�3±6î­•%f	ól
-®èíÎDÁý{‡ÂkË`¬>n&JÎÌÓ}<Ù‚x»wª…¦ß�Tçd%_q‡ß× �­dV×çˆý}7KŸã¶ï¤hy3‡d쮧0v¦ ¢3±­ã“µ
ñš#šl]¡¢2Ç-*‡
-Á7Ò¢�p
-4-d
ƒ3S€Ø¡&}:û`Q!ÆèV/⊚y
-QÜÖˆž}yïŠ
-(~¯}¦F«^­û±Øa(:zý
-vÖYƒžK“£†L2ëûïïïn„À·m¡qcžz‡DWìÂ0wéÕßÇàS/Ó+¤„ªf+�@÷-WÁÆúy:Öwm~áå|ºo@I©+’v+IÈÍXà§;ØõµTêÙÒs1³à'�ÍA‘;k‹ŽOµ7·?�[‘Ý-ÇiOð<¹·M/a�K~�e~d69qß!YÛž“-çÌØV—ß+>ȹnRéMµÍµ Š%Œ¹ˆœ±§ÎðBBðn¬².êwÛþ3G	³Õ˜ÝL"íºÂM^â‡ÀVu»Ì¡Á\H;ñ9S¾dUGÖ1hwŒÀ*Tó–ðîȬz¯ªf…¸«H¹ÍÌ~(û%®†EõÕµÛz\ž¤ð¿Ïžÿ�­hìq]AN]ùSOc‰,c‘N5j7´èwŽë{=CìG\m¨¾¼–‚)�µ ÝÎe²Óœ°Ý�w]·7<çÔ
-�€!$sÝ;oœž: -ê4…
.mÖÒ±´£^ÖwB,u
7o™?F�Ÿ+ا–íÔ—8†»÷ÓƒL®tÆ*5Z�¹¢¡µ ÍCöë†jzd�þÓ0]úZûu»9ðÌI–9Dq”Õ‚Gz�pN7í·Ñ™Tóû[t™^fgEÜ’\«³S§Ç�üX;)îf¬ò˜Þ‡Ý�-ÂÊusyV»ùÜWt�:
ãf |OvwãeT®+”§ßî[ÜÇOó¬ûpª¥-*ÖÀ8U(\ÆÓ>¾ÿÓƒ^ëß3:"O&y§˜†r»'Ëö
-*Û{~§y·±f÷�$Z–Ù	úýÆâŽy�éüøõßJ¡'ºí\
Ëß´—OCÞ&fm
!ažbÈHöy®[·H+Ð=<
-ÿâ?üË¿øãŸþ§øñ§øÏøýÿë—õ2ý™E˯3õÏ¿üËÿãOü‡?üÇ/ö—ù?~üãÇ¿ýÏú=.ýó/ÿãëÂýú¯=„uÇë|¶â˜)3¿>¨I3vj·-=œ‰Ú˜í65<¡ÝŒ×àæ
-qy3îÇHÀ-Ð×ÊŸÍ£0ÿû׋»´¼â[Ò ?Ýÿo87ÐñÒ
-)£sjò펽øhÆòòy©�Äf´Rª]½ÙÍû–½šæ£B5•Æ¤Q?ßÀoúÞ-™â«Q€Þû¸ôŽ=t#Pž~i¿M~Íø|ÀžüÙh«×ßð¨ï¶Ó[70(?¨Ì+'øön3ÄãóÄâÚ«ë%ä®›ù£|"ƒýžžþÿ�™5WÔÌ£jb­¹°Ùæ^å8.̶ªoOÓ0êóüʟכ¨ý3?ŠÖÃöuÈöåø ,3eVFi̶�æååe7šdÆÒ]Ý2 ž.4óËês§íø­^ý‹ª[¡Ñ
-3›–µ™=Ñù26Mä¼öþÞ¼ _G‡¶ò®1‰B†
-Pe_’Ž`usi�‹ÇëÕf¬=ÇôŽNcïZ§µ¶=
-Ö*ôÆâf^S¼Ž;]íö�?Â�ö»\¯ò“5ã�¥Y5Yû}ߌwÐb²LÓUϵÆOËðy\±×Ô�ÑSº/Ãz[Çlƒè÷¥õÂÝÁײbðËØ‘ñÒpÉŸJÝoŸn´2%àKé¾íSì08¦Äû„TMåÓ»*‡;¿‹€f¶Æßn¶Öâf4­7ZÔŒVq§[�or<ù6.�M®¼ÅÎ4æ5nžqÀ#ßxÙ0M×(äM­&cÓÁf�‚ÿ9Ö³fv\œ-´€*ôLZÖ�æœÑßî
-Kî’�çÆòM3bEþT¼íÙÑ=2™“äO%«nj¢!¬§ˆL,Ïã?Ûý£¾ùßÖpo¬ö¢Q„7çGŽ"'¿µZœ]÷27ÿB±v†¢¼‰¢ '2Ú‡7Žšäáå¡,-¬-¿V¾ÎÇizþƒE»¯‡døšNÍ�.b¾\%ݧ
-õ•Ç(SOÀ­fžÓ7\ëN½ø[׎ xºa²(Ämfže“Z7š¸†åù\žsciʺ
-´}™T.&u…©îð	†å�MÏv$Óª�nd]ÂŒ‚Ĺ¹/à^‡ÙÜsï×¾'@,þîé–ÕF‚ióº=§ª�oú2fö†u!°UÑáÿd€Î¾×wÔšýú^\v`¾Œme7fW‚2co—z.óß{Qô9LËV‹µõjˆIb™ï‹h�´M3³Ð‹kýÈh�RÍÇèvRÀÆL$îjLNa™Óo :-ί}…øØé;RŠV×•æĽŒ&áo´0»Ô&F
-c™±òT»ä•iðX‚Ùdoì,Ìt#×5Zyr
Uk×Ýh.‹x­NΖ#ª}€Ë\!ëËl–ýT¶Xåõfû{
-غBg˜ëä¡Ô3Ï	ö½ðkKSðyÜ¥�;úqï8'ΔÃéópR=œj‡óïá¬<ž«Çøá´~8Ùß}€áè[½�ƒÃòó6›�ñ Lì³ø‡'�°ÍŽk½v:ü#¢̾„Ô<÷Ù·—üñËã‚8.�‡evZ‘§¥{Zãç�áüÕ<Ä$‡øå!ÒyˆŠÔ1ÖzŒËŽ1Ü1Ú;F†Ç(òo#Óc{Œv#ãc}Œ·�±ù1Ž?FüçäÀCá�qxÈN3ÇœÇc~ä˜K9f]Žš)ô)²9�ù¬å¤/3½Ú.•ý;ÙÂö÷Ruvsó�Ö¤…}¶ þvé%š1ÅßÏeïé,ÔaL¾›‘àâ�Þ\ñËÿžb6ž¢òtÿhYX„¾·´ðóíÙ¸ðF[ñL.]k¿×«ø cè@Û5Óу×Yê…±	}Þk8�øJ
-“ïK„{?åpWË'Öøúvx÷Ë‹7>
-†
-A¿/2'àEXÞÅ¿ƒDÊÛbFÝÀ%NŽ�Ø[å•MIë³P™¨-gÈ7ÕTÓFWL½¼—!øJÚÇ_
-ð_6ÕRß\RôñП€Ý°ÈYˆû)Ç	h<ø÷Âäd¤àg:/îå01¢¸æ»GA§jf6&ç6¦¿î.¤êVÂÈP½¿´i{£$3dc�¬oÝ\š‹Î`œ]›+1€ý&G¬XùYhý<=µÉùw<d¹â’O˜�ài̳ªÿ0[%Ù͞䜈“=Ù‰÷r£5ÌV1¸™%¾ü–×yaÌ-vr?	`œ¹r	.½@X÷²p( R
#c\•À8¨
-ÆKP`tm»ô²™¯3cŽW莽[x)iì
æ´D7ümw��§&1®óQ`lΖ¢ÿw��|MÓ7¬
§´ø2ºˆf{Ü–mîß8€‚˜¬	Ü_[
-ÊÎ΃v¦ÌýÏ­Å¥ÌÍ?Ábl:Ew<G
-÷SwKy�ÍzEW(šÊék›¾x«Âö!µ8?—¤ÛGnÑ3¦˜Wœ¼kc;1~¬mV×/	T\­\|o¾T7,ˆÑ
-B›zÅÍïÄ@…ƒ›X
ð,òaMP
2§¡apíƒ)~ñ<¼¾0{y©
£&?žo‘Íp”«
€9j¦Úð20Æ¢lNGSÆ
-®õ’¾
 yçùü1´4§¯iþ³XRp:†Ür&=Eö*y¦À�ÙA¯~Dۜҫ牾´¹¸Mùa–Èûïs$
ıi3R°×ï”`ï¸"4ïŠj°˜ù
£…¤û#J�Ë9Yn,}pýï¨u�'-²ö—eåó$ ,‘þÖÀ>ñ—BUÄ™^…Û˜XfÞìž_«óû•³Êˆê}"íXãwšÀ¢CÞl¾‹![ì/Fv7³5}1³5>t£�º“ß$ k±äQ"·
KëÓÅÐé¾Uü½•¶1ÕŒë³Ò´‡!�^:Ç¥d–õ
-ßîƒ&†JLWd>(kUãnSµRsµ‹Rt5‹j
°îÐù&ÈÚn)¡
cî‘F©J.
-:0Öežµ÷§åŽcQ "Ù�¤bÞNÞ”aãrú–AŽ8tM˜¨ŸÁ؇0Šs9³”hfU_!�”îâóè-[­BaÙ$€ì(”¹(~²yLÂW›Š¸¢0b+þÁT;©ë0×.-¥žÃÈóдÁµiÝ”U¬«.ŸÌÚµú�‰âîÇuczá%œB´¦­:¤B�h•†‹1ù•{Rø47³´³‚?½Nrh§˜BÍzÍéïI»òã°.ÕkÈm[Ÿ¬'„©ý]ŠÖ.ªQVwÅü©\àÌ%WÙÞ—êM�Ëpx”íFb à'�î¯öEp~åpºwxqc"jª‡¦€	gÂÔ<äò?OQNµåhKY¨%&?MS¯óB“õŠÝR
-#óÌv³÷„¸<g {YÍËîÈV¾U!Ù¦5å]1oƬwø©nß�jmÀ½¦Â?áû	Ðâj&>•½6ÿûOXFÓ`w”ã2T”m]̦¼Ž¾jÿûÐmLY;tBuè./{XÖP/+JÎÀiÌ•8³ÂuöBK7ÆrYTÓê®7b\BM9{6F–á
-#ô>1,™­…
³ÍHÕe`X‰b2é–L«
r5Ö�c:J”O€Xëâµôñ>"`mK{µ	wsiÜ/™Û˜ÄVg—Ð��LšPHî¹É7VXäõÝ;6Õc&�WöømpÈX–%6Ë[½ÓÚÉ�N"ÎІèò$a¼jj3´]èÍÌZnÖk-v-O¶�»0i‡x¤­ù
-Ê´$²´
éÌlAö$ŒÐöjjd˜äâ±.Fõ�1ÉG¥ð�¥Ý|€ê‰M7»ãh„BšªJ`†õf6µZ‡ÿû®K
i_ä�m#?"Ô²©pPÍï¶%kÒ–ëÅ2ØÈd‡�G)píW	cÓ¦éky~
Fëú¡!œst£•› ®%—ªÌÔ®!xã
×Ïͩܤê\§z¸È99œ
çƒ×û`4ÇÀ�¨Ùt‡×÷!Ä2IÁZó.ÒÏ$Á#¡ðH=<`~æ^üwˆs´êS+ÉÚ6úA³À‡¤ø¡:–Ek¯íÀ(hÁ¸6p^hîÉM�Ú1ÔIrðÒ	ÍàÜ6ƒò[¦µoÀ÷Ö$è‚ûÀ¨²VwR‡ÿôtåo/õ{	
-®WÀv)ƒ·e˜÷Ýfá�k€‹D1D›Ð¢îÙzmôô+q[^½‡±y½×úƒ‘þ¶ýMà¼IÉÚ¸¾<�¥Èb(0ìíf‚
-vÄ€c*	YÒÈ@ÑŸHƒ­6Ñ™pøAê2Î�ÙJu¾Öú©B
âìdöÇž†0W
(x¦@WÐsÝ}G‘}
-‰òcP�æH‚e0<&¤d„÷Ø©ÛâÐW#çß’‰à	ü-œëzíS.îâ
-¸þR¶¡ýé~Ã$Re	,d°v/"Ù„ë�% Cò`ðGzåFò’QÇ^‹Æ+ký�¦Œd�äŒûùÓz׌ÄíNOTù
-xõZ~3_Wx¦T¹8YÛW²þv…wÀj�]KÜ(?‘¯¸¸ºáõ«
-�m¤�(zŠU¤Ì#òNÒUO‡´~	¾�
¶B5¿£q�ñ[Ë•hsˆT¡ãuúR8‹@à/©À¬Ç’d^ÐGàá‡ÎbÛs³É[E:¯¹*v¾E�Ö9[7°ÈêFË(OÇŒTm4—¢[öÓø‡r‡^E0³Cb€à÷ÊŒ걦³®½L1Ï]¢W¹÷‘(kŸ´†F	@š¹NØ(aüÁܩ䟋X�0‚m‘E„+Š[†‰‹ÎRE´ŒKTÐUädàXD¸ªëݚѼE 9òÜï€âè|“‹F«]x¢šÅ@“ýM;MJÑH;ýÛ”UhæVEbxÅ	¼ò&u
-ûR\·vr’�o|š‚ªºaß=6‹¢3ÎÑêó¨�
±fB“NB´ÀIº+¸´X�42…/%j
-lI®J“r™@¼V”jÉÓù>
-óÂègMXQ	H‚5¹&‹¢+Ùc@« éTjëÕMøHHæÂ9%F²^xÇŒô¹Q-ÙÛ˜6¹A ¢´P¦'ΦIJ×CÒ1Îeq½ð�èM¥™¡'#©ÈÈ{K�¬�&ád!D!Ð1u©öær‰à
uàпÍK$óâ;0
-7æ�¸´›.ŒØCrÔRѱ€JÀy…ŸÙãx‚쇃Õ6®ñˆ¸4Rp‰LÃð”ÆÏ]õJ
uþîi.-µÚlŠ…ñj—§m�c§Âq!LÉ7‘ ,
-¬zµTC‹¢,…Á'Ù7îŠ}ÄðžK¡
-ãò0Îâ•Ê·X§è¦–—q¨-P¡5	´Ôv“Žƒ°ÂIøMüU£Q.àYt‰×‰t*°\î¹øßïC‡©]Ù¼Y®Ÿ¥UèáNòÙòãßÿºKtE„#ôyÃ%nÿNõ­07Y@ù¶ÏÇ,'À^|#Áüûgl^\*å
-¨y
-]}	šÄEç7 Ί1“&§dó?-Ë´èK°ê�k_“Îe%È›g¡Ã�ؾ�¾äé‚`@ï—#‹�``O
-þ¦ƒ{³e13Φ7#ˆÝ�
-dÍŸøõg*þ™µÿÀï?j
uú�JGÕ‚£¾ÁQᨛpTXxTc8+7œ4ŽzG툳ÈÄYŽâ¨\qиxÐÃ8jgU69ÞÄ;Ž*OŠ Gõ��‘M’ƒ~ÉQéä,ŠrÔO9è¬<(²Õ[N2/Š0ïÚ1G�™'=š£vÍQåæA稞sÔÙyÐäyÐï9*ýU�NB'¡¡GM¢ƒ~ÑQéèQé$ tPZzPe:*8½+==hB�õ£ŽJSªTG«£ÖÕƒ.ÖQC먶õ Ìuñ:ª}=(ƒUÄzcÚd:fGųu´£’ÚQsíAŸí¨åvT}{Tˆ;¨É�tçÎug5»£îÝ£FÞQOï ¼÷ Ò÷ èwÐþ{Ð	<j
-Õ”
-O¢†GõåģªâIñA«ñI×ñ¨
-c$WTÜŽ5ä;ÀE²7T¬°’ÏAñ�¤Í‹ku|
 ÏeK†
šwMî:l+ô¨Bõ XuÔ¶:ê`³”µŽ*\Š]Gm¯£؃fØQ]ì]‡ì¨XvÖ6;Ë =(¦µÕŽ:lOšmGu·“ÜQ5î¨/÷ E÷ [wT¸{PÃ;*ç5öôøÚ}G•¿EÀ“xàQeðA‘ðA½ð¨sxÒD<ê'ž•Ï¢Œ9œú©~˜Ó¨ýz‚FËO2‘þ×E=Õñ/‰W^£e½l÷³ž-�ê—ï2™ŠšOê›g�΃¦çQÿó¨ú *zT =I•>ªš¾ •RUUO¬ïJ­GM׳úëƒNìQSö¨?û Tû¤jû®€{ÔÊ}ÐÕ}Ðà=¨õ>(û>¨
-Iry	˜É80r¢XcŠÉà r[¹„™�„·À
-ˆÑTÓÎï§Oá_ÿ'­žâèÝcu•WJ¤´Á8ÕGræ|)­ ¸xßš]01¬(¯6[WÕ­K­©njk+2©$Ó0Jà¦nB¸­tj×ààSIÊ!¼Bý�0š4Z�µ?ÀļcÓ¸û‹ÉÉ–ªŒ7É�Kñp�zˤm
ÊTi"ÀH‰wT&Ð;¦g `9[¤&Vâd­…Ñ&扙Ƭì¼ul5c¼×>ÚŒ;Ð!Ú¼H#3[¡t`ÆÉt×ÎNMÃM6.£’b”ÆJ—‡ÏVÒÚ¼a¾º|)9ÀQPfì}´
-Uj‚˱�¿|vÅP´»âlójíTt4=enÀT)Ã:GåÕláž»‹†LëXmJêgÙ¾¥/cËÀ..9ÁÛþš×u�^LoF–ÞFí’-á{Á:w:‰I™ä¿E*)ʸ–p]JâI$k”#z îKxxYuS×f.êÚúÚ¨­uÉe5ѯ¬s¤ï¥W
-Þ÷•…8nI “4(Yåî*Ô6*8C'Lái
-a‰‘¹2Dæ¾RÔú’+i
-Q‚|Íðê’�Z#&á4…L†E`5/7ö(d¢DÅ�‰…²k«Í
Zöä’šI§M¹
˜šoX×Bÿh­ƒ©
šs}q̱ë•Vfóåµ�C%ÜV'¡Z+Nùz-š®'šqÈ5©ÐÊ©ºD©·ÒlÕ]_@[ŠaØE…˜¤ì9ŽãvI¯–HÒzK1ÂLMC\K…•K®y
øt]_×j]7K°Y\*Ï©B|„<¤,KõÇ®ú3èÇ4ªrö
-8ÊêÈ€e/ÊF)9ºDÌÍq	 5Æ¥‰ï~J¿h´(ów6ÜûƉAd*á?¬3Vã’vp
­ÆÈ7›¤°«6 Q<9‡ut³£†ö07–ô÷¯OI³åj»«,ÁAûßÞáaGFˆ‚oÅW¸¿è!õÇQö;7´«W)¥J@JW¢
-àZ
-Ñeõ3EÖ%ÅÁÜ
¤f;¼‰P6¶‡„
-ó<—¾ÛÚ£ x”Ò浹ʧ•«-»i*ˆk3“1µl!‹•Ãx	znY,7†¾³™½ZÐ\ªQÆ‹FÖsÍèŽP¥x² h"‚1‹32_>ît	83:ÍÅP<Cš®É…i^æ¢Ê½Ií:FîÆô<ãkŠŒ‡‘®ý—¨#mÆÊŸSêýÞÒjúÜÁ	Jm%G©±c6�-±,Õ”0ë‘Ç£Þ™ÏQgÏÖ*Ì1L»`Êûcj혆;&ì’{‡Dà1eø˜^<¦"’–Ççåλ'N%Ü+tô&„_—  HñªŸ·áî§rPD™BŸ}&.ª�Ø“º¼LûÄC��…
-13UÖ»¤ækÓê9ÀvmµL{±$^$GÖòu±ÜyÅYººw]ñädÓ2ßÞËËÌndF	"?$7�‰ÐcÊô1½*¨eRqÙØ#+?Ë<ÄûWðþ©xÕ ñk4ÐÉÍÓ¡�À“ë;G	ý’t)¿^)ó¡j‚öŽ€J üÝ“Ä
-éÏ.xÁu5^_.Jh"¡WÈ9
-ØŒC¯9�´Çt„«*À*1#�•|QÉ�ùpùÚrø
-
[…€JeqéLˆÉ=Ä>›N@M,sÓ&T\çÎ�1�}
-QTB´Ör®Ùp„—uñc,x5Ñ/ åÝç®’ƒeêdž'5ªFfzÞhd¿Rt8–'Ž…Œ2cÿvD}üòè¯=»ÃÎûk»ôq?ÿ¼÷ÿà
-rÞÙÍ(@þ¾±ÓiJÏöºÌrY	׸RŒx†°¡ß-
-Ù7WmaY?XF·Ç¥ Iݸ³}©Û.™êx‰÷ Æñ-…úHLãû$žfºÅ"¡dÜÍŠsÈ7Ñ°=šÀLíE–³ŒÜð`~“¨óaË–YÙíB�Ï!ÄÝ@îë3˜î»û	�×½Ì8]?MŒ—A2ýo!=6Ó̾;«)
�
ídñ½OÝ)Ðg
-Á3)ðÂ=Њ£€;&ó`+A·„˜�´Ìh¹GÚ¨Kv‹$ùa;¥RLbß´VŠŸ¦–ø�wÐ=S€tT"3äxYÜõÞáôœ+D
-›sŽ>h–{W¡e²R¯`ƒû^KÎQ¹RÜ&‹
-]2˜¥mwû)èÓ'®ýIµd Q½ˆ¡'5U‡™µT ö¹	�í,Ž€j~0þ®¶Äþ
-ßxÄÙ€^¯þác§¢ì¬Ã„M
-„·ìeœÄ5d¹Slý»¥â5a3•÷–Æ4îj†aNj–9�­›£"øòÚ.u’º¥Í¹,L†„ÂÞW¼Ókw͆ysø™
-GjØ9‚f´]©$µùÃÌ
-ö°PjŸÌªéK»¼Ñ(\d!b|QO™µ±Ì
-@�æ:¡¼¦¨‹÷±^ðT[8V!~®X¼¥±�ï€%„bùl•Ÿ/$´QknÈkãÿzÍ%j
-ÐeBÒ› �wѪ™�WG)¬“lÖQbë(Æõ Üuùz�;J‡�TÆäÈŽÒe2gA´gñ´w¡µ“$Ûƒ|ÛYêí 	÷ ÷ 4w”¤{�¯;HÝEñôÎb{GY¾	¿£ÜßQð,"x<H>È>HÅ„�¢‹GyÆ£”ãQöñ(ù &ù <y”¨<©Yžt/�™�bšgáÍ£DçAÍó$üy”}P=
-�J¤L�²§�Ô1ÕBwsww®á`̨}¼Åø[�­äËn²1Ô_ÞÂ%ß	œTã¨
-½#rµ¦óY¢êÑtºG=`†Ê­u—–Òy�¤›°g^föFFÛøèd'„;êPN΢vÁ,õç¥0Ïza'u� †7“—ÐwNÒ�›WÈ’/ïçíÆáäw“ßvHÂŒ«sf#ú´&ßÑ‘Cä¶$L¼ru4§j˜ïÛqLŠ´ù&=]ìlZ“X­X§»ÂHª9ŒWÞ­çUêáÿÀ8·Hõj
à†ºKTô×
-sZ,۩
-âTËLU±I—%�´e¢Aû½T‚´�B(+QbÃÏÓõPψ¹i”LÖk
ª•GßVû”žšeÒø]1AÌAmµ*²ƒÝVÌÈVUö­-æîè4oÑ
-�
Ë´„��! ^/¡LJF›
-T:Á½Âlçm\mêíÞB\K�ã�?‚{˜Ø¨Âj‘/�ËHŒÀE[’<ŠQÿö(¸ƒ³õAsÍ)\Þ¬sq\j¶².×¼ž9ëËC)?,KT:fúf‘4ˆ­$ú%ô†Çî£càæNo�j³7÷£KýêÑW{ðëàƒ·øàY|Ѓ¿úó›j˜{dsªÍ>þQñ®¾X«K'ñTéhîkœ/ìxÅw`ˆ—áO ’3ÜäQøì(’v”S{�^�pWUÛFY‘˜Ï×3Üàë34ábx
-È0²ªl%ïpÝvÅaì™ÃªY»mq‰×JÖ÷œsò!?oð ß>«x@Ë	†¥¯2E©rß|K['ðŸ	ð‡3Æ™ÎpkÚl)š¡m¸\Dï#mb$Uúq»7k’”½)®üÙtMÃ"cȼXº3ÎKB–ÚãH!�eýX%C½õ‡-xÔÙ²{¤3’§ Ý8BÛ˜„‚¾\!œN?Þa2áo.bg³b³Ý¤Ü¯TÛbÒXÛ3ìl½løèPIo0y»H«Ër[‘"¸\<fX[°Âe’
ü ™ng›Cÿ˜‚´pŒ|VáT‰×Â*òØ$Q…ÓgJ,šÈ¡‰L¤j@yiú¢›ª
Ãk“-1<F—°ß÷ ~Dæ$/$Ø6—ªuáDÀ&âŒ[g–³:´ƒ÷ãI¯ºÕî¼q+ÉûQ
-¸
-½”8.�j™zI”_Îmt°H‰Ð±Ñ…%N–ºº¹?…À–„4ªÄVEÀl”�XŽä¦qè6ˆõ�<x³ŒíadóÜÝ)áe{Ea•�Ö–^
at]
#>*zæH#zÄiçwÛØ0ËôøÄ ÀNì´UÓ2•²·Ÿº!~¤í³E
-yjîÍøH¯_B\IÀ×¥Ò¶ 0z‰ì‡i"WS/±z¿h`hf®\Z‹Í¾úM;Iö)Á�)éá!À9ð¾Îå"gì4¿�$Ý�6s×�I–søáàÆìmZëØ2>ÉeŠ©I\�^ÎK ÞGh¶›T��H¸§P�L™�6ê&Á#íPŠ›¬ÆÏážC‘â¥c«RìÙ�R^Ô^Z�W`Í–ÄŸ'w½á"`nñÃó²~Üe£Dž–«L5ú€ãàiTþž¸ÿÁóŒHíûµÑÆíôÿäà?„
çxá[ã�sÄrˆnÞm‡ªøÎð
-?d®P^Íd¿eÇ2÷Ô‚æØ®æÔØæ¡	α_Ω¯ÎcVž+Á	n´âº?ýˆ•ÔÖ›YHg3‡°á>
-Fô§˜çh7¤�bº<‡
-%·›3 ¯ÚmIn‹UÄÝØzäZ®µ5BI¹1D4.^U0“Àùê"£m·“th
-Ì3¤ˆy€
-ÄJ•ã¢^œ™$ì‡T`D1ª%˜w=Hvè5#`_+?ª$?,9¿Sž^~oi¼EeßÆ~RL“åz)Ø4–™]…óÂ&£Wu�­íO\RÑÌh`ÉÐæä,ÕTæІw©_×Y…~Âû]¨˜€´ðïaÒzD`Ìpl’ʨ¬<9S1A_Å�J¶Í÷¹¶
Üd¨FæTC´v±âÀ¤WM�ï¶He9l¶o`¼5ìžJFnÆABnÞ¼Í
*uÒ®óR/Ž´k_A�Û\”Vö~‡ÿ\XáJ°ª¯0°ÙÚ‡¼î+ð+|ñCfù1	ý�¯~Èl?dÁ2æ¯pë�hø‡ŒýCnÿq€AÁ€ae�õ*ƒŠÃÚ«u5†ÕV*1«6ë;ìÔ‚x¡ºT
-($J&_Á½"¹ë4AԙŦñ%ðFÃ¥_áä&Ð)‹*x$Î3b%É *„h„P•‘X¨L ËV“xÑ.µ
Sòù+V+å•ã
-#¦¬W©È¥DíƉQ’sŸEýYa¾’dé´W¨·	íµY8º’
¿©Wš!ÀIl
ÆÊãâTú‡˜QÚŠ/Ù	³Õwø7oµnU¹OõçÙœ²ú]×T‡®œTøÄ4ÁÓâ“¦pk
-$Ë{Ò©í–{ö½åÖ_®žj‰7ŒNÄiÝ,÷�ÄfÂjü�·Šƒã
PöÕ½:Ø×Ã`0Í"æ»S¾“ªÔ3œ—Q'=x
-0LXO0ä"’Æù
+©ƒ”‰arÅ 
c”®±’Ú±–2LYI.qqž>1ç¨è°¤ÑWvºJèºqGÙø'xî£T0¤ùAµ…qfïãÃï©/¼ꆤ”_‹szg);é;‹d'
éF¥øSÔè.Ó|Ë7ù9§Oa…8AgsI\
VÆB.nAÀ¢Üˆ»ùWøý Uk˜Ôµ’
-7a–­xœKÊG1(D¨z<Èh|‰Ì¬bW�;Än¸I§ÅW8îí4U-¡ÆÌÎ7ÁÉ=¢ÜÄC1�“D"óÌ2›.˜
iÁøzÁæ¶Àq§Í$nÀßĉ#Áþ}kîAîù:™î˜vwLÑ« g	Jõ/î•ø^‰öXþˆS!—™ë¬ðþ`-‹Α üÑúiΫp…GzÀ9=d§^ÏŠePs-‡y™v"±¢qé‚ô`XõñÎ*±÷î`ïoT\
-ê`kÍH®dϪÕCÐy”Áš„@Š{I$ÃúMS¦Iº�³Åì”äÐ	´AõicIÔŠØ¢öiFi
õÉ•1è=ÈùÙ`Õˆ#ç'Ä_DÁ|ð}’¡éGÀû  vy4�V%)ª©v>Ê�FyÃŒ„µì…•L‡ANÄJþÄ0×b˜•1ÈàØ¥UM€}°�’µbeL0½´%	5pÂYÄù½„š+䛚ÎJÏ!ýç�(t5E`˜N0Ê;¦(dC§·™.:/Ò÷Ôãøž$‰ABÅ0õb5M£ë":38™˃
P§pç#ŽàÉ;ì³7*ŽÂ¾‘œ¡ø»,ÝNX­EÈ(×jõ?†­|…Ó“³Îälš©GB#ažRäÇVZ?U×6D*[i)Œc�^ƒRA×›8i wLz@b! !LÆRW¡‘ÐižYÊÐèŸÀЦ¹3À§Ze�õ\ŽAÞÇJ†È0›dÈ<äpï²ÏzDÏÁ†z£bP,„A™Sꑦ/©˜-,>ɵ¨oøªÀ�G«ÞÖŒ$¿%ár–ÍodZZpçDñ�°MHš=~>¤n=_gyòÁ®àÀ˜ñ¸|‡>ĬÑí+Hø!j~ˆ¯_Áâ¯àö‡ÿ•l
-÷vq;)Œ�žø˜èèF§Â"g,›©=%#duF9I OMïjò«sÆ“ÎF9°¥�ºÈ	�Êÿ2ÍN÷	L/Sµ+m	šhõ8à ¥©-`5U�·S3œk097à–_FÑö]¦”@ì¼”…›]êÞ�ß;ñŨ²)Î#çPpÖ@¯Œ�JÌ~©
4%juÒ•s†ú‚Ôߥ«›s§�8ó¥
þÈ䌃ÐYЛPm4‚
-ò‹¹"„Šƒ1¦�-WÛÍT¬TU»@ý£`ß™Õ~œUhFüå
-É&Ó8É7Üu¡Ù¢ò k'D¦çEÅ= ü“ÅÞ8°w.€=
>LHŸfÀž3î’d5GgªãÉ8Ü(,?;•
o
.7„Ö
Ax«€½
¸o\…à…C â*hq
-tt3RÇØ՘뻞
-�|:_�§¯@Ù‡°÷
@~L?Þ!úÀ×ù*6l
-rÑjõWŽ8Ù£ÈÝd—WÃZ”앃¦Ñ–½ÚíM.V9–ͬˆ
Ö%}%uI‘I×€|ÓôšÝŒ�¬ÑN º€×Q„TC×ÍÜ69¡ÀX²p0	•C‹ø�@.È5€ê¤
X!%< ,`ŒT7XX¸Z�Ÿ¯’bþÔ¬‰,´’MiAÇ=W” J®
(ñ´Ú½U|XÃ)øÉ.N)ÔÞåŸ2U­“Z$Ç!BJ�*­S
¨~Ð�Á8%á ÿACÄ€ŒÌÝì*lþѵ’¤CÜ%.»Qqµ|Ç \ÕX˜Oò7$ž1A,‚u0Š8 $X§+!Øá«ñÆalrÅ\‰x–Eþ¡²–q6=’ìÅøžÌûQ’þ0›%ó?Wd.9ÄXX�Jcu
-[™ü3
-\¼ŸLç±IV/â+Y
-̽PW‚ÏØÒˆÀ[:É”}ÊUÃR­ÕXi
-ÐôkЇ–…Kz•llHL6¤0Ð�íúvòðo4.3ÈÙf÷
-&€�nîRFܨøÑ)#†�v`ØÙá°¬£Òß['(ý=$CЦ¬$zS
-üjô{e±§#Bíé
ÃÊÏjÿR¤‘¡Ý¤Ò0ÝLÈ$
-a³E\äVb±‚9Y8¡·ÊlÏ)øBEíêzÓUœ¬œ"—fƒvƧŠ�àH3 –·Œ¦Y$˜!$ÔÀõ@@ª¼á<¨6X-A^�c´ÑI$²Éª
€©‚vwÀÄ0CN”çˆÅIVŒ=Î1¦^�5
-‘!ÙȈ˜dHb²Bw2bF’¨¬Ð­©YVh\„/«„#nŠ!‰Åáŧ ÁÙYk œ®ËÁ
-^Yí+;c¸‡†û-Û‰Å
¶Ù[�}¾wµwÆ`
öÛˆ™cëj¸Ñqj*v´ò"ti
-c‰Q6¼è)£TÌÚD
çteöw¾Ôž|ACN”1{Ê
-ÓÊ�•eDß²ÊôòÁjñyú½ùQ‘	Cù½§+tÐ
œ™ä4-áIB…'®l©µí7ܨ£M=<
-X"ˆ‰Æù{3FÔ#Ž"3ÓÈ~*ÆÍ@¬F ÐYa52 ­p%­ð*�Æ+_?UEóÑo
jgî»qw/ܨXÓ¿i!Dðd�R·,£ÄEž2ÇHåv‰âo‘ÍìôsDAËfvøý�¶É<7̼¦3l¹’ðP¬%UOH©æ$¢O¤éG“ñ“R‘À ÆÛù:óÔKÕˆÎjÌ|5\Oƒ•·Ê3ä•2Ь°Õ¨Ê‹[
-iIÎ2x8žŒrtœ/ˆª%ND9õ‡pöªXš1ÏRºßL·Ó
-’_¬;•…r.Ã]Â^Dcr ¡!åaŬ̞.ù�€ÓTŠªx*F8S)“]óAè8•÷ƒWSã)1zD‘ªGj\Ôºo:€Éê“Yÿ}2‹Ý@¸u’X¨ˆq£5€›ø2.ø‚ÅÂ=U‹U’UD³Œ¸šâ=U©Hiµjº0ðê%-ü
-;Ĥ³Õ+a<t€•
œÊB@7¥*	Dä¡Ž$Ð�­Ü©+÷ïà¦Þ9ɶ5ü,:Úîf»ÑÅ> ‘N­�S­Y
)¯Vè±vwÖp®n×ÁÎ
«§ÅðdžA;çÕÏ{«ÐQðrä"hÝ�ŠQ§µ È0BiàøFÑ‘óµHÊ(ä²JûCØ;$ö]%
©…G4ÄCÊâ1¹ñ
-²[D[ÙM&Bg³Íl
"ä#»r]¥ºèA
-pïN“’¯ÎªD%ÍÊN¥¨=°Âê<2+¡Ç=M¢2GÁIÉdWW
ô0×'•U5ð½¡ïÕ
-„š­M
-=¬½E¸%30âæ’xí~ÉïWÊjp‹uO†um‚’�Çä—<+š”1à<ãã]‘2”ÉŠˆ'ä¥;…z®U<GVQ_©¸>*Î>¬â¾Sñ�ŸÜ°¼Çuû(¿
UW?¹{›¥àÇŒŸW£��¤ÌŒlJõhÐý¯$bLè
¥€]HØÀ½3àa(ÖÀdÜ
-jëó	`œ%Œ
’² ¶E[Òz‰}Sú¬ÚVÌP˜a)cŒˆgÎi�ÆñyU�?\apÌ›À×L˜4Ìà0çÂÑ°¬šV!2ëy9	ïÙ=F5—“4;Ð!:a’,'_�.G¼Ê²Vs˜�KaW$Ôl\î�+gÃüSpï3;¢‘sp‘ëˆEWçã
-C�äLV%zm¦Vž¶ºÕƒOÂ�º‹*¼ìÏP>ý
-^é@³
-±ŠÓ¯LÞ$Ôt~vºD0(
í™…�m�2 �V§=À¨`ßÞëa
¿•R?YÀ]|Ò
-úwXLiXtiXžÉðÈ#¯ñ®Ü
-lÃs+Ñ>Š‡UíSŽoA²×ÉafU|‹þPÓùu:=ô�z¬<Åôä4éØ
-¨ƒX“ö£iŽ!-ÓÂjk
 >ôà…u-×0ÃHH®	·
-=ß*Ò¼CM™Ýà
-Òó®)â÷5Ƴa0=™ŒxúFÅJëHã‹–Ú/îÂ:;ÀßÓ1){Ä3Ñ�Æ?	¡�¬�Ž]Éy’ýÞ¿=­õlÒ£R¶¥ªó\F¦¬q´rªQ™“AU,%’X&†</Ý+¤õ=/Œ6–Ä9Ým~©ýr ±f'�AÆbðxÙÎľxh-0�ˆ…æVWµeKEÎBü1Ñc¥°â^$›
Ú`[¼w1d;;™ÎßzÖUl]Pì¤}	±Ü¦¼¹]0ñfØVb”VÙŠH8��£‹üù’¥™}^Îü©àëkr%mN2wÊX5’ÄB:Ç­œŠ
-6àî†ogé¥$®zHyæ}©Rå[ õ£þîZf!CVWíîÀ0›¤®8½jTrq‘mäfÒÒRd½;À¼Y#„ÙòÓrƒH†
-Òh¢
-sÓ
·ÓíÑ·OÒ„ŸuMÊ’ÏyÒ�ÁQÊ—*V€)-z=¦Hèªmƈœ~ÅñÓ×z…Sý[t¸c&4 ŽªªAj^råº;ņÜ�(�cççx¼,Š@B\’aÎ"±«å)¢ºUq("Ì®èX8‰•ý�o�	jÑÓâô™g¬6Ô]#<’ܨåŠ
+U	‹°PU/™bx]Õ‹ÏAkçôzqýŸ[¶EÒôUsÝ“ª¥G¥
ðØ”‹½™�é–T#´"	=¸²œÔÎ Ê=�¼ð3Ób•EìB8£IŠ›(éû_âá\°;	1ñr؆'TD¢âPš
-Ë.Wg;T±¯Éã6ˆ¨w iд*%ß™….èiÐì>#qÈaqˈ�y#e©hªaà æ…™-Á£ämE
€w!©‹ÚÛ¬{(ØÕÙûZÁBU/ldâìãG†… d`Õ¡7�º˜Äš6Fb�U’СWXQ4µa#¡E*¨‡D
-}´!Da³Ñ­	«�ú ©×´4:Þ‚œÚrbÌ_|kÑÌ+µ™ºÃXMNJÕ,��
žÅ²™°l
-*ŠÑ³ÉȶB´P«÷RQl·èYYU`Ђ²ÔyÛI§:“—’žïýÞ5œ/-x4�Eótf¡ì¼î×°ëm‹ŽE‡ýÊåå³Í¦Õ0±À"ñA´eogµ·nl½NúÁtš¡êH8Cëâ)Ø«q‘±¹½–ïÂ~p§ÅþBТ¿lC4еì¶X�"Ô­å†%±¢>hIøbÏ
-Dx^QÜ×}Ì
-˜ØyY‰Ÿ‹©
¨zŽ…N¬V¥%™­‚¨™@“£=HU˜ü¢³l0¼Tq_PIÐ/u,dÆö¶fý"íŒØ¾MMæu [
endstream
endobj
77 0 obj
<</Length 65536>>stream

-~òÐ~Œ<
-«Vh"Þs‡Y0Úð*
-¢Œ«eg
”
-‡…14§ÇI$ϺԒ~ÃÉ}Hò¯Y¤^¯Œ»¹¬A`$í’.4™C9—èÙ
-³Sɯ×'=‰ÇÏÎ
ÄNuÔFH[èÕW´–$‘÷M¥#-üyê^c¡¤U­¿öbܯ—Úáhg±xÀ�Š›ÉS¯wD4÷†ƒÍúžÓ�OU½q6áîuVÞh·˜JÊ¿€k ›yÕUì½­æ‚Òg'¸ò|ÍÄ€ã)Ùu”SзEEÃLzzi_'\r[¯Ÿ÷•&ÜcýbñÁ2s{}	•¹à”çÕùr܈~—\)ʘW:
-l‡’X'€“r_ª0LˆgÛ‰šˆÌ¢,–¢œó³ÏBc4òìì\f×:ÚåÛºT‰©¼U3wŽº=¨]/µÉÒ)êS“wkBç¡"ÏU-H¬gD0")â05·‘}Àl1‚°$¬Íf£k¥ Î=-¯Í½šÐ¨Ô¸ªÂ#´#á„PI¤áÎå©W¶s ´¡/P¡J¬ïeöƒé¶õ8øÈ!
-Œí´‹VäñÀç(/l
-nµD,}H…¼»
-(8â£øµ¦=r`Rwm[ H�ð숰jhÊPCéY‹3ƒŠ£EØP˜ÀFH ²&ñÃFµB×À¼»˜
-‹…ü«� %ÜUÑC•÷”
-b5kŸ9æ*Â9Dƒpe†(`2.÷<—Bœ;th®‹ÕûÅQ8ÓR}SH”°†³M�ÈõôRÛÄ0ˆ<}*;r&«€ÖÿÊØï­©0D öªƒÂKâ	í*;áBFdœ²fv'3KtË
vµ탧„܈(Õë©”‚ÙÊzQû¾ sÛ†…±8`ǪýL¿7°‘îH8ÃÒæòOô¬7­=Vp¬+kßéZ®˜i'1ÈyÇûbn�ÙÅOO¦jçy5••¼Ã¢oùªOFˆŒÜs@¼0¿¯æ/FßZ
-úšd¯R7š4Жˆ¯„rể=6"ÄâÖ¡â÷5"„â
žÒÒÛÖ�ÜÌö[:Âd¨*à±Ð`ŒÈ9¢zî‹`o‰4`É�|{jKÇY¨X³ièÔñÂ4×`�¼0ða}'5ž¥
ÓIìVŒ�H
ë›ÍÄà%Â%\\ „Îvv²H³~
¨âà·´°îü@Ûä�
Vì¤Ùd›t�È&}o1¸Š©®½½šM Ämè@æõ váØæf3Õâét¨Î²iVZÏð…v€qMui•…$:­|U@¨¹­Ä9[”êÐ*™"½,˜Y�ae©o$_Áj~Rb³‹A,”�þ‘š´Ê9±1"êŸÅÕ Qå—*–d¶_9×h'Í='ahˆä.hY FáJ	uy©Ñ€èUp”qp(ØN*Þî°AP´»n„âÉw‰´.ÃBAõ`€Ì`ü�ÁéËšÇ%ɧS-RèºHhX+þÌ3lê�ˆ§ùbÚtV·05Pq­mô
-º5çëQQù¹cØÁlåÅêö a ¯Á[¤@t“ùuY—“r²O`dÌQµ ëÂbdíVuÀúŒ:!5˜.í—{
xŸ–
ÌÇz¢RØ�E]<Tê=âVñ2>-,|ú}
ZfžGz6C«E��fUB7�û2 ú ¿�`|ò2z©ÚI1o±YoÄúa˜$ãFA
-†¯]=
-
-VBYqÞú(WMb
rD£T"¡fÉD‹¯¯ #Ž2û*TC�èw=>øV´k»‡Ò"£©#
-�ãCÍã
-<£ÀP�§NPJòbS€­áBJa¾ŸAúµÕ®¾�èî'`Ì+jº1…¼ƒZ×æª%5á
-ïX L�”¬|ÙÀ°U²ìÖ0EZŠ;cn50N‰ãËz•
-Q¬.Cu’xR`oTv.®Þâ-±Å�È€á{–ßÓ�‡]Êù”",–Äg?1	Y:í¥¼HÓžW²Bz’[äi� ‚ˆŸš}ƒ
-ý”SH`?çn%=
©ôŠ
-Ý‚^Ê6-Ž^ªügöÀl 3­0ˆÕ`I…i‰­BFa|°E[�#”ÕÌiU‹ÐÔ`PQ®'8!+–|Ê`£_Z¦ýÜ*8Ë4�YJ*ÂPrVÈ‚ŒÐuÚ>%k
-.¯¥©¦T{"tÁ“±ƒîøYá„ÉèÉVw\óT'Ï™Á,þyZ’¦eRiØÅ¢X
-òœËç
&g&ß™¸«NXCœ(WK
H|ç�sU¼’`	"¸›‹áLãäD↩!]ó¥J]vn–ªLO/*9¡ŽØ™\*JZ…}I¿ÇÉ’+S´Ìh¶œ©…#5[BY\`Ô󌄎rØŠPWÕˆtÔ¬Ô™Ò­h~ÔlÜQ²&Ϲ,#ìH�nBu×ÒØÒ@’Êô&õ&ä9Ï7JŒª;L	“�üÒL‰˜“þI¦_Mº
-âšpÅ
-ñtpûl ½á#}µ§Hൂë4ï?ÿ¼ÿœ	üO`Ú?]éåOŸ1íWÿöÍo˜Åà›ŸÓ¥õtnœ/„´w�ð‰LãÇ!Ó8Pï? òé€zºÔÃït@�¨'z@ýó]œ¨§|>}

-Ô­ÂÓñt:žÆÇÓI}zÂÇÓ >�Ž§Óñ4<ž–aŽo~ÎXÿÓ9¥NU×O;dßRþ.wÈã>í�¿ãò‡ë¿]½þÃë‹Ÿ¾yÂécŸ·êÅç&
-˜ÎÒÃ@1éã¿ïƒ[<ú”2wæ¾òÓ™KýOgý¿_õ¿ûÿÿUÿ‡³§¤s{œ!N„{‘)ÜÜ®R$<Bˆë7¯®¾»~³^‰q¹¦~¸º¸ÿÍ>{cñè#|•ÅÅ{Æò˜o ’‹Çó$(.Rþnø-ŽEoùvŸêªG�ÐÞkGk |ÈN–ü1mëKTŠþý»‡Ë÷ýöþÐhÏÑ&ïwNë_íØ�óü,åÔqc
´Pvõí¾þ ãöh÷÷Ã~¼¿¬E´]§gŽ±ëk»eÙu÷]xÿe
Å´ìz8ήï±eÿò;öâîúþû›«û=ô‰¿¿;íé¸Ý?ì:<e]íÕ�SÄòçˆX>a½SÄòï bÉó@1K?}µßœœ¢”§(å)J¹}Lœ¢”Ÿó«œ¢”G¥ü’ˆøOQʇ,Äcô›½³ó¥|tç)JyLÛúÕõwß½Ûƒçüèwö¾9ÚÍý´“Ó\½}w÷]W¿Þ“FxãéÏ>œŸ®^¿¾ýëƒcz}ýçïïû¿Ÿ_3äãÚ~þò�÷üJá`ôPxqû¦›áoö8¾v~ð”ÜI²h¿úóÝÕÕ›¯úqrõU7?¯ÿ|ûÕ�×·¯¯î¿º»zõÕíÝÅ›U÷òSò3�Ê#žüL'?ÓÉÏtò3�üL�e
îälúÜ·{}8vñ_×7ïî×j[-?üì‹+?<Š«×ýÿØÏѱxôѼ¿¹f½ø%íšÇHüFtô—ºsŸÐ²~ûÃÕe?´ï¾DøÓöWìQF_këq÷�`í=®þÛ]-ù�qÍ¿8Êq=%S·Å?ƒwééø.ÔS!¾ud°ãä»8ù.N¾‹“ïâä»8ù.N¾‹­±œ|Çgä½~�müÂÐ'×Ë`'׋ôák5O¾—SÎîgþ&GëI:¥ä?þæ~}}ÿ‡‹ëUWÖÚÙ{ÃØŽwW!ÄðO8�¤ðcMÅßcÖ�5�®ŸRñOwÙ¾wÙ@-óaúÝÑ^h{k§»ìQº~¬wÙ‰Væt—Ù]ötÂû_ƒ'J™½:ðH/ÿ"(e¾þþâÕí_O0VÇ´Å'ótŽ™/#­ù‹H~˜­é”üŒï¾{{uO�¾»zµßÊ:úmò´!«—²{õpµD~滾v!-»þ·GÜÆ¿çýð÷¡{ÄÞÿ¢”ðcùŸ*’ò>ÁÉ::;èÜ¥_<¸÷¸�ãÚ«ï{\A{„¾Ïöçæ3uqzøüõúÕ>¨2}ìó�!ì1†ï¯öhÙs'OÀ‘o'OÀºÂð¹Á›'OÀi¡'OÀ±í�út=
{týä	8žKñä	8Žïpò|‚œ<
X¤÷û ,ŽÖ=YAãy¹|ØÇpôÊÝc8Úuyùsâ]>7gûÝÅåýÅëßÝ^ï‘À ¿zhhû³ç<}}¹æ‹ZÚ¡ôØ\¿Þ‡pbãáÏï½zIùæÝÍïûüqŸÁ,Ÿýü ÐçÓÁ|{ñöê_î®þﻫ7—{XC[�?¥3{ŸÙøîîöf�k‹Ÿz„Ïù0)üýí§Åí#tþDærd.'*”õor¢B9Q¡ìŒæK¢BÙç²ÿ»aBù$“ÿxw÷í»×}zŸžÛìÉó$ìcЫQø÷L�pòµý_<UÑ=?^Ñ|€³–uøücnúpDûŒá„#z¢ôû¾Ïž¾ýþ!uïäÉ}4OîÊ'äÈ�ŽÁ“{²˜¾0‹i¯Cød3�l¦“Íôø=6ÓÃ×ÔÉfzì1œl¦“Íôˆ6Ó	ÿrÌVÓÃ9èOÈjzx0'£éó}�“Ñ´Ýý“Ñt2š}[ž»§k6íÕ÷ã5œþçíí«?ß]ì±'�×jJ_€Õ´ÏNVÓµš¾ŒŒõýRq�õ”øBŠ<lOœ2î?ã�÷fÜß¾/kú	lô§Ípâ|ÚŒ
ŸpºWAÉ£?s¾{ÝÍ©ŽùOß¾¾¸üËWg"ºýáâòúþ§ÚÇ‘ööþ§½ê‰ËcŸ¼×§ÚÿX}¤-ò/ô]žÐùr¯è$û8Zoæ[æÌ{ñ3o�ãÜÝǪvü=ûd�å¤Ú·¢àÑO{—F<ÖÍü´Mˆ‡
0oßÝ}wqyõõåÅ^
-ÓÆÓŸ}8ý~Ÿ,Û½J¬/µýüç÷øî¹Ï÷üHá`ôLxqû†‹cïanÿà)9|yu=ar>DNµåA¯9†Úò¿‘�y*-ÿÂ1Ǫ¤<|càcíeìþâЯ{�ëŸÿöÃ훫×ü‹“Nù4tÊ'¦±œ–“Âò*,_ëùyÒXWcùBзV,ýHõ¯“Ã÷ñ7÷Þåê�~gïíñ=Þ]ý…àÃV þ²I_t�ž9B“ð/k�,»îŽsÖר|–]ÇÙõ=öì_cË^Ü]ßsµ½ýé.;ÝeŸD½;ÚûlïrºÊ¥ëÇz•íqëU¶G×OWټʞŽõT…ë8¾Ã'¸üžÀìº<¡Oÿ /ÁRE¿ˆ±'²•B¡§bC?ÓXN•ÇuÿkÿéÛ÷à
žÐIü
·ÊÑÄîlÒÿŒþ2Ƀä¿ö8ðÜgèÍEoêaî�»kÍ€z}{÷Û÷
èwþ—•nõE¨a'â€cÚ ¿ÿ³?‘Ûãsó9=¬Cmþù)ÿóoerqÒÒÿ�/‚õ#¦#‚ío�íytj×ÿÊ®Љu´ÃíQLù¤Ò~ÞUõ§ï®îþåúîpø|Š›ãéÄ1ï/¾ÝcäGí¬÷g{¶y˜ÜÓ�µñðãÑï¼{sùïOèTøVÒór6�}©ké_Oké³®%÷åK¿~,ˆ›”ûwoÞ~·úñ¬iê»ø—¿½éCÓ(ŽÖuðAêìÑI'ïÁãoqFPýêõëO°¹ŸŽEñ�çÜ	—÷sáò>ÅË?¨âÈ/~õonúæŸß¼²Ê#$J$ùæw·oþЛ`Ò„sÿúêÏ×o–ÿðìw?hüO_ÿtóííëgÿð«»‹o¯ÞþßÞ¥gÓÙ¯úÿô×gïúÿ÷ûgÓóX¦TëÙô<Å45ú£ú�|ëþŸþGœBóž$xÆû“;ûÓųñ§Ÿúÿñ?úÿ§‹þzÏ~{ö¿ÿ¿éì½ïߟ�—ÚrIhg5OôWëM·©·ÛZ$q{^ûIæž×X³È|ˆ‘…á¹›B"a}îZˆg/´Y×R qz^Zig$ÏK–úˆz[gÿ‹Ÿ-Ï»$ʳS^_VR©Ò¯§ª/«.ó“åy*>ðËZÿ™kÒ@~JáG{|LÒhÎÑi£!'OBÿ<Ç)Ÿ]jgcªýÙÔÚóÔGÆ�íOôÞ’°w ÏB÷<5ÏÂò<'µ�þ¥¦Êâú<†’´�©æ&/SÑÎd_>ûŽ¨ýgnò:‹.{þ
-Ô®wŽžwþ¹Ï)£±lýóVM�s2ÉòÜó¦¬FžnsªIúàK¡O[k{ýÄÏ'—?¯“~Ü¢¼*ö/Î3Û_boÿ�ülŸfêxOÏKi
.ʼnÐ;ß´�)x/=pSÃ$º>_HìúÇñü²>19†,3ëšö¶ôÎx¦–Š4Pûx¼+"î‹×�‰08Yá¹—^íÎ6>CÀBr^–ß�Š}(a!Va�v…Áóƒð¨˜†)MÖ@àO6Åþ•æRÐîFŸæjñN¾dŸ™›þ!rJú²˜�|ˆšúbLº>r’…Û§!FŒl
-sãB¬²�}ÞKm ô)”…Û7-^£�2¹}å³å|±°m /› ûiñìô<÷żÕj_Ôñ­”¾\Ë䤷­dy–6os;¾õÅôSßOÈæe•Æ©ïTþ”%ôö\‘‰ä㊄幫1Ë—H>‹°ÚÁæå,ã/Q’‚}M‰To5¶ /«Sÿ¾ü%J”�êNu¼ÿJÆþëBWBÕ´2•�)Ó3å7ïôÜÑGÝXå½³-V¿½#z³…îr÷ôô3Åmî³>]A‡µÜ“¹=/¾%Y¸Ag‹n£¤½ö#îl8Ý/ä;ä¾[ò…síËõFÅE?{n�—(‰|I",.V#Ï,	©+ürêÝuz;ôs^ûåSÒó¶¿2j¿ú”F¹rbß$úû>)èõTû²âwõëÉÉ•Så௘é+Ê	ÒúYR¹ÝœíÀìG'OAnÒÒòp—Eлm×€×OÐåió¾èÒ©¾y³ô•Õu
·yõ75~ùò¾êSÒÏ…¼}·å¾\¦¬—+okö£6áŠršì~(ÚIÿí]×´~C
õ''ZXüÒBG9È>U¾ø$«©6™çeÛóºÅq©Ÿw9Hy—q]íÛºzU
-è¨îBߟ c’…SsÜkׇíŠÎZ6UƒöV_Û:Eýß_²´ß’¤Jpw[n¼÷\–#7ÉÒûUJÒ%’SÕ½çú-5á»…0ñ>£«MwN—ðϧ*+˜ÛäSþR§ËWyïUj</ýÄÖxýÄÐßgjªtI{]6´¬øêMt”Ư÷ýOO]Mýi)‰°d¥¦®êÈ´xÚ/‰.I:\²l'ŸúŸ¤Pôaöþe40õûG^ŧ÷ ¸~Un€Žc@슎�Ü�Ú{ŪZ?9ŸÓ!âÜ�Ô{ã7ëú=#ÚGߤ9pgûÉ]¢÷ºòcsÚ@r§W_q•n
XH)éÖ‘MšúÖ˜²žÕtWVjµoìBš)Îê–yŸÐ™ÕdiQ_NÔ
-²ë-Þˆ]8AåìŠSï-Y0¤.ø0qÉÉ2éÂ~$÷wŸÉ`»õéDXh'Ë'è#›Ø
ÑÅêC¡ÏÕ;TE¨çtó¡kw¼ŒI3¡d5,Ù¬¾=MD¿¥—¾)ø@¤©ëÂþµHq‘#f‚ÑÍ“~'ñstXð* ežô9Ö|Ç$î±¾83ß5höGmVÏ£Lª+,­+Èý^«2‹¾6§«»‰Ï,“!ƒ
¬V>!òâèk¢Ø‹Ð…¦B±ìXH'²·}ÜäåÛôÓµŸ‰ABš¢n{¹*hÉ,|qAž`q•á’З Šó”2ΨÊ>Núnfé£î	ã¶óçJk¦l÷-O÷ ¨Û­o– SÙpiÄÄöH,ëó/TíÌbâ÷á–Xœê�©É�H÷m­¯²�×±™ýè*6¯ú$‹Gßeu&™9Ï]ÄšW›OÄÝ~ÒïÅbU.ØIï÷r'±;%y]�|'½€—ET\ˆw…Å„¢÷²0Ek >eiyƳ·wž×q_S�Ùë2O!µÑéMÕÖÄ]ÕÅ°pÉ_"›¹Ûää+úñt1^qýGº•Hér“Óκ 
-ÌŒ)ë�BbŸªî�)‹	Ü…jTõöÃ$ß›\¢÷f'Ý¥z#²ã³«�ÛŒüßM_EŒ|¸àÉNéæaQm¸áþ!oƒ:šHóžøÛÐlê¸HoI—!íߪ⦈ƒÖ»ªZ>)éÓ”e`AmØ~$NoàI€:½|Q9æ<Úeñ” îw
·ºYÕ·‹ˆûüp¡Ú-Þ÷BßUüq"œ~Üß î“~Ûé�DJvÇH\¢I.jÏô²à+
-úiEžŠKÝaâc¥KL�~_'ç è‘Èîjêrð¦vöïE%¥O]1±j€ˆ„!É�žgrz½-i$¶ìØoÄ÷Lêûži^b“SÖ“?n*!7àÉ
1å­gû—u²b“yõ{Õ\?dz¾P/——«™¯
-1`&:ox‘�gßÜD†¼¨ãý#»®£‹?HotqyñgMôe‚|Ή>¿ë¨#GÞ$^¼–dYûä­'�¦¾4ÕŒæ;¥H‘oU¿`›¸º6¦
-áiö-´ÍgK�õ¦­ê‰ï$V¡=ð¸2¼è¢]ìžÃYÔ¿¡ìÇ~Ó¡@ڸ܃âÒsj2Í϶$³¢�B¶5â©&š·—ºJŠ88I<E±žûä#]�æ¸è×P7)€ýlÒr¨¦ðgs[Òuœ½ê…nÿG€+‘Lƒ ]럞}gÒÀdŽ´"w¤�äd”‰é'Ñ®XgÕu2zWójÉd'Á\²8
-›‚]XE�häJLâ�Kâ\“EµTœ§õÙÞ–Zˆ°¨Ã„k³f9ÎE_¦�ƒg³——…IÜoܪ†ˆ©Õ楯I!/´
½bIrÑúLk·œ†xŸ\^…FOˆ²CY¬fÝæž’>³˜ä´*{ŒHˆ[X±¨¸f>Ç—Â~@xΆëHBR4¶RðqúÑw£Â¬ß¡k“!é8(À祆xhuõ™÷8DuXä'!iËj7&(Æ•Ð
b�²+y°¯³Á’©²|ÅFÓ7õoÐ&µòù–QI
-Nš8'9	Ë·ýŽ†ƒ±~
-¤cfr*ËBFˆ˜Ô$
	V$æ0,‰9>+BÇñ:fÑdHèÃ(hË‘ý€Ràz_�¼OHäüágûÙQTÈqÞùIi ‘ÊZDì�¡¯°)†Å˶…ÜêMÔ¡hÇRž’y…íè~ëš±Ú¯q’’pJàÉìdñH�s„3LtI�ЉB¸’_nB^"ñ,.)áY9JIÈ`-}RÀDŽînpLP»‚“éâdÉ‹]¼>몘�|Ûò8Bû½\Ì$MUŒTríÊW$ìY˜Ú®0¶h#È7�g
Ö#@:�ü
-³Z„
-ý«ÍPˆŒæe-„JOéòˆxW×€ãb͈°[2ig!-żƒ6…½)±¦6…ÙÕE$tÂË£X_“6:k4
-V‹—¬eûσ­¸a«QUØ 5U%²XÄuøB3§©èNHâ'H™�W®¢²˜L~½”'Š!ºôЙØxû¬Ü3yZX$ÈrÎ�ÿÉÉñPE³9çÀ?;ÔùêiI3õY-›7Ðy"çÇ?Nzlm°ººšä–‹HO§ƒSñ$+ˆÔE‰j2>²%õú�4ô/©.äþ÷*V[Ƴ¶©žO|§`@Ëï£%"Ü}"D©d’=ì¾!XÆü~/Ÿ]0|°MÈ÷í
-0ƒ
>(ö•¬ƒJ/”RFÔRoù{m§9[¨ë8E
-^sQ@–L½[-©Ç.L©X¢°c6ª9èEIbW£ž°‹qUõ �IŒùÌ ‰”¬?ê|õu\CpøbŠó£í©(
O¡±ié&E:ªŸ¬]”Hüº-0pq ¡ËA½u¡b´®
-Æ‚Å
-'†:9Ùç( 5O|Ót�%%öT‹C�rà:—°º:ÑIG�¯æ£‰•mK6nU·‚"ö(òBß¾‰ºÂb�/’Xà,,t
Ϫ;‡tÊVÔð�šj—Ô[q^CŽÀwI½cYÂO$Tã¶ØÉ;­R$ŽS@l.ˆÏMý;4]}ኅ×ÀÇåÈŠÌŠ¦)³;—ý1laç ›¦ŸQf’r ß›ŸK5
§¢æ!+Â"”<ÜRìáð!8€›TÆ?ê9˜œ†@Ùi…t@9�M,£Ò@%a9¼‚Äǃ¨q£DÐ^IKʆv¤½e‰é¹EÈÙ,œóYI�Y&=66}¶¯!v
L‚k••Õ%!
d¼Ç’ïëP®ÉD÷°\	œÃÂç»ñää£ü	9
-R’{V¨¿ú•:A\
٫X݉
-ˆ‘4òv¼(€Š±U¸síù‚(èäáæÏ®À%¹Jv Uî7pžÔ÷Èþ`Ñ-uÒ*PÈ1鶊,öœ„Æ*f"$5N»zʈ)O@ÝDÁ	ÌfP#U²Ç¦M?'e§�û†41~9xm¬‹¼§ƒÆ´Y'¡G_	ˆQÄvåmî tºŒI¬ª|_±#?焱‰ÞãÅò£¸fÐ@”¯4À×®B�"°$“yÅêYXy£ór#n‚²W#ÌçC3f;£·´b5¹Ž„•OîDJ°ñ\d{]¬Ù'äN²2Gá,ç¢ñ>J¤¢e°A&Á³˜p0üì$
-袨ˆA€"ŒMÐÍQRYÑ@hU“�`Ùu'�ɱÕÁ¸ÔsvVÂGhVó4s1€šÅˆÅ‡†œKr-MŒû#¸Ž¦ó8UŸ¸�P™Àα ÙJ]Øœø›2âÀÔ
-.ºáÖÆÙ|V7Ù¦P‡
-	ÃöE9E	nîÆ Þ�å^så‡Åõ	î"y²”V·>âüd•ˆÛåæ�º8K(mgÎ&òXãæ#[~N.~î®
ÖšhÇ
U)ƪW\0>[
-ÿÉâ:“xê*`(Ó>ì%.�ô^é�^ô",(©¥
!ÜJÈmM~ßW<;–jÑâÙY¯]UCð.¿Vq·§‹2Âq~ÖOp…‘Ð¥¤O²oíÎâ¢é¹Âtºf¡›kÛ,&Ì;0Bm
-§V!ìSè­¢
„ã/›$�cM¸ÕƒY¼è
^¶!ÜŠüÉê°EC'€Ous)Îhœ…b0Í–¾‡v·…܃wžÅÔÌè¦pw°ó¦Ý|rb°ÂÅ`çVYŸ}Pd
-þ@„!Ä´ð
_>Û³ësè2¡�ÆØ“Ü
-Ñ
-×KUùº@nˆy‡nm//…´Yä mîûo'Ä|¨
Hòñ2ͧŸ&š�6ÇHÈ®äÍÈÀòY=·^.�(,ϲ�SBõÕ£QA•Y
-øùÒ,Z¨�³õQ	�gSíhžçK�žx+”|à7ƒšã›Z2žuFÿº!dt2ØÒÿÏ·Œ‡Ö’Ûê–
-a¸Ÿ�ÑŒCa0`SÌü�ÛB‚CÂË0NÎ25³¥¥†ÒÖl/í'³ú!üqˆT»ì|ÃÞ\Xp”“ g6äl°.lH³äa.žoØ»jXÂŽ†xøìlÚng3ØR�—&ó�º^ÅòVSei´Ûšg26C¿âɸ<’mÛ0¿õÖ“ÉNÔ)B6aßrE,œ!ó¨2�²f•éžcL”³\8NŠp,n|/Ê£�
-`ž…ya½lˆSɻϚŸÈ68„Û~¢¡£)QdGæ“·)qªÔmOW¿ë¶
¾6ìNŽÓo»àf¡1äÍž6ubwÎè…co½¡Þ:`6ý˜C`öˆ[¾‡Ðð1Š|Œ7ÓW@ì³{{àó^4 •Ff—ù¥zÂ5¹ÿâ~jËUu۳ߟ„;8üK�&0û”öP4 VÍ žÞ¦!¾.5JÑmÁt¶ÀAv=	•êš³à%Q1•K
Ÿ‚9ÑÑš•u [ò
]3Bo¹é$l
'
å-Õ©m½ÌŠ,…;¹b
ó’câãe¤fbéÄlGÁæùZD¶6„slmn`CßÓ0Gc78‡¹NáÓËo[2³3”�Š¿v¤Â$Ío.$*Cš&i0Gb¡y
-KñùFÜt UrÐy)#ÙÔ\î…¢|ló¾9ß
-úZ\‡rê&¯RN•9_K”YIªÉà“FˆY„šß·ˆö”lœ8zlHúU([‹ QðInØ2šmÂÔ„¸õÅf[ýIŸåk“Å1&´;‡Î›rmП’ˆÑL{V8ÿcqÚ"6µ!tf�î!Œã‹0û¤ÓÖñMjŽ°+Bˆ8nãü_<«w…ƒ—L´
-øFJ–"߈ójHÝ"€ß6±'­Í#ÈHáýÿI{wK’]Iôò¶|€:ˆ§G„œƒ+•:9�+u‹wý÷w‘4#�¾2»0Z–•/†‡‡?è|©Gݹ¡;Ý,X©s`5Ù×kÕ]¤Aöƒ�=Ðç&ËD½Aë
4­¦M[ž&´îFe¶??f8©J3ÖÁGát5çLTó@b3;À~mV?ò_½S™îÜ{*#`ªè…ß“¥õÎsÎxz9®ÕÓþ|Þô¶ÜLís�Ꙥ»òkuvÚ]:Ø®ª�b��Õ}Um Ô#Ⱦ¦ñ+o©Í«mŸÁ%7äàœyDx¢~Ü™£Bqó‹ìôù¦T5VxMeÅ#ÏŽÛàñüƒúš°ÝÇ�¶ÌŒÏ%@H/ˆ6ú¡š[=Ô'Ï4Œ�Y@G†ïd®Þ¹c)èÔ3è×Îœ¿èþ™Œ^f£YÈÛ˜¬îÙ(òýGرœ=ú¨¬ìçžz�ôF¿ 
-XŒ!v¸¡‚°²j�b¤öô5ØNzß—À8Hâ>{­YÅ®4‹l¼i­*åMWD§D”ÌVäË빌½©(ÛÁƒŸÓïóåW^ŽPw�ðïéÎÄ86YÙ= •7&D¢}âç^=«_XŽä½@Õ¾_í5EÏLO è¥kîÚïʪ%ÿß…›Å?ÈÄh
-Ž±2¾øº„n“€·Gͯ ³æ$�‚õš€ú�ißóŠoÁ;T	:k
-Ì,¬EÑqÉ`røã
Î>¨
Ï»õöp'ÓŽi[éXÖ=ð�PùÂKcF©UãrÎWµ�ZD®c÷àžP°øЭ¬Ÿ
-wj+¾’|qöæo¤_´ –}[²Ø$,ºÍÔ¬ð¹�÷Ÿ>B‚p¦¹ÇMbpð7v
|T35kXЮ	H°Œd�:Û	[[‚bìVp£h-i$“!,Ke%'I–ˆ»¤•­`‰Ä*).ŸYsü?ËÈI
-iK5ÝO!5Z•Z·¥;&b¸þó1ãê±c•V!Ýš<ýÀ¶¥}ŠÔŸˆò�5UùŽoþúè£Ð:V O°ÿ¼µe¾Gë­€F€³.ôššâòu¡ƒMWì"(�)Ž¶Ô�jéP·ÿ§E†»×*QøŸ°^6
–Iéc=âB¯2y»P0_÷íÒóÖ)	~ü°sk$³:YP„l¤(WZ¶…ÂT|È
\ˆ\Ê.g@¦kìßœ’�sÅ?‹ÐÙHfF&KüJºÆ!g[rÜdf„xµÍç’ªDÅG·¶®vüÌ„‰R<Hû®dQ¨-ØŒð19%tÜÊëFI
-	=ê#u^Ø#Öcò
-ó¹òqì"þÌó øçš
-Ý“ŸµƒÏ¼×ÞÿM:ZÝÂ+Üi,,ã©ÇM±òáJ=Ÿ­-ñ
-òúݤ:ÈÞVDzí`½—œÚÅ"Øz€ðM±¸Ô‘Ë+uô@á$ÌS0•	«Àp(H
ðÁkÛêAáÙo¹R?µ-0Mt«ÓçÇܱl›yšbA(nÄÎùw…e¬™¸¤­(_6Æ=àšÞï®ú¨V˜TŒªk¾6º�™½Y7ó..FÍN=Ks‹µ¥›??æ¶tÕŠ¦'R+¤ºLµ>w:;X¾Qlái¤€‚“¯4ãÊ
-³
-MþÙ—¿å+Ý+/�°œ+ùÉAc6Yû>! ªÖO`³U
¹
u¦•Ü…ª¥Îœûˆ_íx1Ïô²_óñB¸h ΂Ó	ÙÛH¶™V
-ëSm=½EÕ"jïr�èLÔâ%�’\%UËcºÓ:¦¶[ñåUËMÊåa[fÝ6P\ƒÔiîÁÆZÂEûl±ÌzË=²{æì©
‰€ƒÅÝkI~ɯReö6"㧷1z¼Aòõîcˆ‚ßís‘¿lúŠ/˜Z‡¼
À¿ÚpIyòj›¬œ\#%‘ãKø—pûüú­Œ½-8¹>Uª€Õ?§W
-\=°WÀúƬ-ûÁlsæ>±ó‘Á賈Ùæs¤më9 ¿fÅ׃»äó *Çl.a“@I»ãA�|*( à½j2ýè:@Ž
ô )eóDè°ƒTÉäô`ãuP4+Hö´& ŽE[¿wú!~s÷/K‡	TÜ�¸¡ǃÊ	+l¶n–èÁ
¾§Æ:˜W!k»Ýlû$K÷“R©ÚŸ+Âé{‘[ÎبÍÒ»pû+p}ÒܩуûN
~@TÇ’Œx…ô}±­KÝFþÞíIÑ4‡0bÆCš\ZÄãA—<ÿÜ.�y_û¨/ n“W ùïzã{å&…;�ƒOݪf�W:¥‡‰Æ"[·ÉŒÏ³7ê<Øу'Lºfð´qͪ9®ƒp
'ìõ‡íYùmìÊî°~‡¨&
-ë?‚Nœ––-^
0æF(þ?�n’ €ÓC ýa8×mn ¾Ñ‘.ºZ3«ù¬y$Ùëž”{Ã)mƒíÚh*—{˜3îî5clϤd=PÛx/³fÁ’鵘ýNµŽŒ<³Z¦çõb%¸Èò–ZÄ%¨Ò
¾÷;k¨„e½Jg» Ì6kCiNýg°l¬òq¥m}Ú2žçn²š•ðz›†e ®¯%æD“‰[Û¦…º@ÙÍëI(:Ïàü­Zô
-Â>ƒbýÿ¡-_¶I­¸.”ÛáÍ’^4QÉh‹€×�i=ny/ZhãF’rŒ›ÃFXzø
#öÚ{�.¤ÃCX
;¡™Õ1³Záõ¦Þ®wR3Ø}"4ˆ*…®_`jèqP˜¤.ÆACìcŠÇ‚蔬«öÕ·Ãm	›Û�ªÀkŠèÊ"n¼˜®:žÀØèµåÌd‚ó§¸M3
-#Àf˜5£ˆì¥áÎq†9¶
^èAÍ�Ó8ËÇ>E‹ÂöJçê.²hžuƒ
-ÍEõ°À­f¾à�º—±¥ñÓÀýDÑZ&/”�«U-‡šD‘4�þ+mr\ˆ7©{^¦Ði©ÒŠ€ïõ)
‘²3µ-P¤Â{Ø{�ž>¹ª–²ƒ¶&€I|ía?€Ôv&
S/1,6ù%vö
- ³¸·�Ë7v–™\Ó¾Q}ZDº¬ëYЄ�ÁÖ•÷áû|�-+<«¾»ÿù³Ö–�UË1pÆÞ	ró±¶k–á^ÓIE`ó¥ôà¼jlã½)¸Þßà¯Æ;EF˜üI®‹'ÕI+|é©}Že탎“òÑÿÔ4XòýIiœG‰¡¹1Ÿß÷êw~	èžt&ÿù“òÕæÌ…'K#ûà.ÄÚ‡ˆÃÁé‘3�ĵ‚ð<<5ïx.îôÇŸ+•!kz¤ÁwÇGi‹`q{
™cðôŸáŒÊ9ÑxêÒXÓ¶hd,Y°‘×3Û9E2(t”éß-&
#ý½ŸÈ¡0_ÇŠäa¾Á×ÈdËP猚A÷8e×âÖdm¯šþ;CAXpÉÖOUXWÅ¿/Ç

g~5”k_vÖP’AŸž_p�bÌÜèS::¦
øÌÕC7éT\=Ãg‰Á,Dx&%¯�[­©•-_o8ꦙY?¹·î'Û¦fY~Ö'H¶f·2๷߂ Çä»ñ£­Q
%w†¸.›:³X—Û*—¯­gIJcq2”Wí%b»\ï�÷ƒ–n㤀ãÉ°¦t+g”�ÌÔýz¯ @É ÆœÍžÝê0Ìiî7{
-<¤gÅŸ5M—07Äõðxä…)öŒˆk¬Ÿøî뙞µ·pç/Cä-Œ=Cžßœss¦ËxöÜ]<ŸÐA¿JÕ˜�¸eÛ}/‡gAÏ®=£8höU—‚ö¸ßŒ
-pYòŠfÖ‡�.3Z¶FTq«P�û�7Sµc§1¨Õʹæµ\¬Ï³ÄÊëwë¼¥5öŠX�Ô%œyÄ­~[~v¾ï•,wÒ3µïÕ�_å*_¨˜yðÉЊîÓ+�¹#VAt
-׎uTPÙ<
-D˜iœKÄFK¹*åÇë÷×z•¶ß:€žI>\àÂGƒŸçâ6q>ŒbH
³”…Gò†lcDJÕ“¦jm gþ®lg§æ	:	ŠâÃÎ##&.†œ°Ò¾¿�|°³n/ým­ƒï>ÃL¸Uï5†
dí¿ºº­VÝP'ï•v#Ö¤´a€íÐRƒòâ�ÉÁ½ÀÅcF6jKzB¶ÙÕôåÛí’ËÁ ®ó÷*Õwœÿúß9{"¨ðˆyÍÍA÷V
- \g‰<¬�|À¯�¿iû­Ô¯äÎnŽcÍÒÚQ	]N3+cîÑý8¬Šá]@õ–Nû’ÊC–=€\á¥(©Dr‚Ÿ3̸½ª$mìˈخêÚM%�‡I[ímö@qÍ $™t2v‘\®7eqùi>§©Œ
ÿýÑç=ZÿžZc2ýƺE
ÙgKϹm~QXÐ	÷®ƒ„émݤj”5Zûa%Íäæ;í
-_È;j s8Ävöõ1ÃLíÈ£bãPI°@m£æØ6ßQîÝÂÛ`’w50Ï‹r£Áy
-zÎç×$àÊà $SÕ8ù$S#ìÜ–žÉñdÇ· &V\Éi`f`\©®…qÖ-Ľ+­ŸÎ�ý¼º½öy[�!cÈF}!£ÈFh‹»†se¿Ô÷�ÙF
æÛCêQFüÄf­wyÕ%S;‹x–‹ã+ߊnÞ0®•DÐ^̯º!rÏ@/£Bmö¾vì´ÄéZ”»5}ž3k°t·íp¦hA

-'�+Êw'itT+ vÁ¾®r´Z1wdîo¬Áh¥ÎÏ
×!:{Þ|žkr
-[|Eìÿùsk•°/P…ÛŒ¼hÂÞnÀ®±&7×ûy?+VÛ‚$ 6®Nz×$9„¥4æÞ­jë7ªè¤Gè[Óe�@û^Fàë`†¥
Y.~ËÅ‘ñÜך	|ƒ/enbq}M«s¤Áͦa„»˜·™ùz=ÝçžÓ;¯}Ú õ
-m·t$¾68ºX±Á}½í�râ~.%e‹=ÒὦÍæBd[¬Ïs᩺!¹ó65cÌëy¨.„QÄ4@ÇtV“	ÑNU¾°¯x@�¼vI­dhª•Â;É–á©LùA.°ånr•Ÿzãu_îßHaäfâ÷>‡ip4.PgêS&òª¤÷iàmfæÕãÆ/á±ö]ù’*ƒRò~'Ü·ÔÅxž3ŸÀøJË 30F.êËdN'ÏbÊ%Ùý(¶§;2žC&Ìôý*˜JŽ?Rv·CµÞ
-‡êçÇû±Ú_¶�ŒÑj¤7òÒm1>KXL¬ªe¸Þ„HAºÕˆ'®$8«·æÞ�]š$ØdÖtˆa‰`èí=}œÉ22Êìˆ(£hh;HŒá!–>†,’F«�ÔÎL×·øÃÁÙ’÷]#ÎÀ*süÈà}KS;øø`ê�TÇ5^”{…eÞX0OĸGK²¦=RâÃÂ*Ï½Kºp†$.1™h~Š
-RÌ`¼“ƒŠBHn¢¿ƒ“ÌJU"9H,Ü�dâEL"Ôa£h`A’þ–%¯ìׂhn„#¿@®Ó	7>�l)O|
-™Ë‘=jÀ;s7Ž\·-�P".+åPb3áb
-$.shåùÀ†¹gôÁSŒ5»à�e*Ëøaš•±Q�
a ^?3~ºÆ`rÚ�œFhÚÚ´°BVÝ¿Ç@Þ±5‰lük;çáJšƒ®Î‡3JÉ0{ùÐŽ×5ƒZÄn9j)M£w^ßi‚…ËÞ3Ùb-²šäæ1ÿä“
-Iî;XAËÀfñI2'AǬ’` !¿{Ökâæé R‰)à=
-_;ç’®ï‹Þ¦üÐ÷^”„’×0~?HŽ¹‹Ã9Vë	«+	ˆ¯›9ŒTøë£Ã#Ù5ë“zø4Vû,»S�BÖöä`“AÀ¿+®Ìbm©G3yË€˜ÁÌ•¨‰Ñz m3Ù¢ÚyoÈ=Yà–­Á°¦¿KáÈY˜0	›­ŠÅu ¼+gŒžŒüžFÒÁÊ£±bM™9£€÷'pŸ™m`°ÜY63õHMcñKì•èý°èSQ4@¦Ìœbˆ²:7ásaÊ“¹p4÷e¤/pÞIyFT]€g÷«“yS•Ìu‘¦¥¡næ‰ÉMÈ«ÈÄOÍZ†•)n!à@5UϾ#3Ï‘[¬­“¥ß1›ŒníB³ðÁ†ÊšÞ”oU�(-ô*i¯Ò ¨¬¬Gµ½ I¾¸Â‰_<?×ü¨Êhw‚•eÈÍŠ@le瓱žH7=™ð+y;qHxü³2™+)74èЇ€,
-²ïn©Tî±Õþj1O Kà0_eψÎ-¤ˬÈ+¤REÖÌ[Þ’7«Î>3Øä' Û‚É–/z1lJJÀ-ó‹nFLìÂ8QZE–ÏÐœ¡Ÿ@f¡ª^Óà|˜‚·yd˜\{…CX/D
-µZ�Ì瘒ÃûÈçÖ ¼Á•]®DMÅÙˆšÊò m·xóf“’Ì,µ	�;wW³™>g¦ÝïUÛ¨J‹PDƒéWËÁí*v<“ˆÑQ{š|�X09w#[ÙRMjöüÁ0Ãöâd
æÒ)ÖÕT°±5Èäzç1Ê•£ì“ŠJtÙ?€ÂýøS%WNt5Þžü›Jý¨„�´Kþà¢Q\¸A#£²(©Ù· ?ó$ àœÀ
-žïù?
-ƒÊå/p…ÑIÞkÄeðkz�×z_2nÎcbÝ¥æÜ
2n¥/¾>:ÜòøxZ( £µ¤†õࢫ̼&%9¹5ÅVîb�äwµ�Y¿î„ÕŸT
-Ò`msõÁÖk»»¶Š}.ÿÂ)Ùƒ
-¨Ì(Ë#n©¼H’pY÷ØÍ‚×JŠÜ�™®ÕR$ü`Wô›
-³�²ý,uw�XH
F¦
òKå¡UQ±Å•ÿ´zD7ŠýöY38Æ-„=(ãfiu|Ù°U*–%3�Ñü^>–ÜõpfG÷qu©šjK¹Î
-½å+
-›²�Ç6x}D7-:Õ.Q\Ç×å‹À`V=Eg¡̳Ìèh“ùú;PêKx³
-|"
- wÒ-Š>•Ðñ-˜àò8"|W>ÆÁ|{…ÚŸÁ»|ÝaÊå^ɼkÞmXóNO’€–ں̖¯h›7qš\W8]ÛnJð3�äpÛ¹yaÚ
-ÝŽéÆ•o�6�P‹^¿Oò²<‘=Žè扌v¸VSç��÷*
-V×ÖT•Lͮʀ¢Øe¿ó¼>“}$ËRö	3‚€2ç‘Ì­·^�;Iq×b—%
-G[[ŒA™A•ðÔµx=¼ä*—×àÕÍU.5¥ã›É<Š� «ÄšŽº€óWhm<+ɯÀ#Yª¥âó¨Â…Uº�¬#Ý(œ<BUwûÐp&	l{Ø�ŠZñiöâÑ[ð½ÜaF
H|Áç“þ ¿2(H@‹–Ê-Yá,ÕpS鵶à÷­îödñ«ŸôãÍ*)ÁŠ‹oqŠ/ù^¦2FX[�O–³ÙàQòýäJç6�-Ù-FaÏm®"QyUá%ƒx \qïù%á}K´À&·{š€;ëLZ;£¥k=Èzâ¦7{µ%ß”Éÿ•é¦VõšnEÆe)ìz…m8ŸQ&Z;YزXòçGƒÇS®Õd6þ�•q}O4xãWpZœø
-'ô£¥"E1½ÂŠ$ßé!oîÒ8­ÆUö°'7	ìxt�ré~�¬©>Š-”Á	Ò7êìb^”=©Qépuð›Ç`a·tm’ΰU…gŒ›öç£(|>߃,´i-‘™ÁÙ?ýþȘmy¾]ñÇ=u`�LÿÏé
-”Ìtéõè38;᤹¢�{¦ÆÚ?âždúåuõ¼€¬³–‚jaÜ÷>º2k<njKšðK
-€©XÚfn’�G¬`Kø&8†ŸLÎúGÐóË8oÂm¼+¿ÌŒ<=¡\dÚó“9í 
¾åF¤À´‘¼?½Tå�¶Qž&_7ÀõÜö·1P˜ó¨�9°	å14%%¯$œsö
-î‹·™ì±Ĉ>éÓ Á¬…æà¶RÀE
û~œ2;) žýò
-«Å‘°ð—õ1
ÞFfZÿ9#¾¸š×ªIÊX=Æšš$õ¸5c2mŸEТíþÉ€k�¤ÈðŽù¦J£dÆVûN»,GÏ'œ\Ü~q2þ¥Š³�	8>
-»,F:5Y–v�
­‹:¿­žW|-õ¿§"Kôæ	€q]¶>Q‘eÀ¼µÜžê~¡~¨Í`yσòsð$™n’
·C5?¡écwj193Ï H%héØ4ñÔŒcÛߘ²¸+š9˜dÕX�ñºWè³·Wð™~AÀ·Âx‰P%�-ÅW™ÂršA¾‚MÁöÉíñ´OÖˆåòos!i*�бąˆÛ	”ƒá€¼Ò³l •ÕXù|=}‘^ȧ<L°×Bæ
-EeÔB:ÁÙÞ Ô‡ö#»‘Y2>%OÌ9F›BóÛÇ�p¬«œKE¬eŸ—YÅÜžxr+¨ŠÌÅ$!
--¸Ï	·IdjXpÊß{-B¬£Û^¯œ…ãf8j˜ÝÊ�xÒ\HÎ…n0rØljcöïzy	ºxRjíÆþ¬“{$¸Pòàü�–—ÖÌbȵ¸n°�Ï kpCב¤2µ¬�
-s¨Ÿ|€ì
áäçØKFYÁ†¾áܧ8¾ípÉÄ/ú‰y"T2÷ò¤4nÙ'™RnäûÃQ.ȾJœók‰Èñ:Pï¡L)µ6,7ðuœýÆÂý6�	ÀÏ�`@oàAƒå
-I�ë©;HCþ)¡wRbRÀuðmÏR¬#8â柲‚/ïc¸$]Оù¥™S'mjê€ÛŽÖ!0zÁ6Ïê@pF,õ}Ötéþ’Þžz‰#I؈;XZÉ‹Jø—›îœÐ(�È¿s'e¢²&«M²aÑþKºP&•‡r&EÏWqÿóCzZ†Y2™[Í‘qÈÁàœƒIük0¦’imü=öBÃNb¸Úóùü9,æRÀÆž¢´â<4Së ©›ƒ4Ì—ýTýZë@\åžJA¬‚p-çÈ`=[bèÑÛe ë‰�¸iÎì¤îuФ¥ö°oÁzÀ¤Šq
-óÖJó|2·,ðÐ<ÊãÑC)	s:,ÌÑJ‚í�3îÑ@_r™ä%ô5E¯(Œ8hÉ€(FRÇ„¿¦ÒÑŠ‘Ek	MÏæwçß@+Ë7jûýÃjCÜŽ…� ý(è%åN’„0�l-?nr—��~sÔw^ÖŒ^1g÷CVë|­$4Ák1ò
-|×p­É¿&¼äDé|uk.\áÖS0ãÔ!pΡl«d°½÷ˆñ=XÎõXÌ
íóc†iÚqGnlÉGÆO÷Áî‰Í]BOV)õöNÍêEIÍD®©]ù‡±¼¹ëbÌé‹QÁ>ËjÚÙ^ŸÍFõ“×”þð;HxB7{¬¢Ñy�ƒ[¬‚`@³Wê0¼A‚ÊU�O
-Æb‚Ÿ0žcÿ›¶¸¹õ–²¯e¼µe·7m	ðóc†‘}÷�àô
-^²¡¿ÂkMïËü^
-^¤‹ío†y—cz«Sjw¹zÁŸ/
-Î]úD îüþu8}T¯uèÎŽpF¸Ã¨¥õx‰µ±IÛäPï°<¬@äëöGÉ+œp˜·×=“_J¤¨^’ {Pm½c|DkVï1n‰=^bOæ¬=88\žA®3
-
#®Þ,Hn 9%~
-˜†f7Tk WY�_a�`õÞ-
wÆv
{R­7Ó|ºÔ¯�fî•ù@"@üY3WüÙÓI³§-{PmYZDzû-¸D¬Í×Ç_à1’‡50ª„&Ȍԫ'ù_ž…å›
-»óŠÇ+ÊxßH7oqÆ7pË”¼g#»Ò]QJÏFgÌ}G¸Qp‡•bJxE@�•’g3"œ<ÚvMª™@TŒ�ÂóMª€Õƒ-³
-üm[y¯i¾ÞQÚ(Rl=@ •¾nÎý¶9ßøm§¥h%ÎN®Dl<‚Õ.½D€9wtnôKÆ�[uÀHÐY\‡‡W)Zó¬ÚƒËÁ®"Ȫýd�Ä‹ÚE"«×%™«è5BsâûÃÂÓþ,ƒÊ"/þsÛËV\˜º�d^¸Ö:9ǶŸsw0}„_0ö5(,¾Ã~ìN¸#÷ó;•+T5|i³7z`"ßl·g€âl]qY³¸Ë‚©O#hÅj¶…	Ü•lô6.ìJ€Î¶(Þɨ™Œ¼“QÑØ5ø\&ü ŸCõ»_{è+ÛŠ+t°À;X—m¤T˜sæÏ‘m“!<¯¥ÀGYÅða}-ý×d]¤åo3êÖm8@p3XÀC¸üÍÊùRõ…à^±O?�ýª
->ˆð5ìÙ†óϵ%F%@®÷/üüûÖVü³m±ùÔŠðõç0XæÁ¥gÜœª�Ïr]o#ˆ–”[0B,ãDiú(Ñ4:µ¦ƒP€ôÍDYÒ‡¥b¥Ýø×ÔÛ�Ñ_϶“†¢´n•Š<—ùag$V÷ï�×
ýb#‚>§)꣟áÃþ«OzŠ˜å­ª®ÿf<ˆÎ¯¸üüÑg"Ð{›Û�[&³ÿõ¤ ’Ô.½ÖáþÌ“W4 áoÛÞáµîs
-oÁê¤KicÀü|@Ñf4ž@#“ŒÖFöyË¢•Ÿ¦�%UÍ\9ài>›AÚ„Iîëc†Ïe›†k'SM®né“á*KŸ€"@ÁAr<Zél}Z€ÿþ»¶“Üo{ðõw½åÃÈ9§–ÑÖ–¦ÕÖ–c¨+Ju6à&²0¾¨Ø…Û'¸÷mú,e”–ŸÃ|ý5umÿ˜:…ÖLë³µ¶¤Ásï¦ñ&‚÷& Œó­#HBº€Ÿ_cžr­J
-l=ø¦­dJ­•€–üqŒ«3C–­¼W�#øF¾>fÌýºÛw‚ŸoèJW�4²§_Qø­+“ê“’íèb‘8}Ôd1nHM@×?Ju-P^9Ù›$‹úiÔY(ÓãŽb}ËÛ(RQ„²ëm	÷n}®KÐïN»¯W¢[îþŬXtö€žÑ©â0ý	¬Gº%TÇòaùÅ~¥ùq¬ŽÆØž©å4®¯À–ù
-Ë ö Ÿ]×
¯ó”=>=¯Á
-ovñäÍ:­ [„6¹Ò�+[”Œ
pÜÞŸN
Ç}
Fødô`„ß¼¦'Á~3™Úr`XÖWG[ýî
~ÓÖÌÍÖ�pÒCz[Θt¥ÚpMÎÙÎÊí_ûéJ“‰a÷ÍB(#¯¹K·–Ø¢ÀÈW¡h†9©HyŸ\­Vç|ß‹	Ï" à×´„Z[‚{Ôù˜A�¯˜ £Oö�Ì-ôÑé4 Ü¥V4ˆ|¿Ìó
%s[†´È£4¨GV1A"
-ÈyÐ^¡æ—¼ní|Ò­Û *œ^Ó¾�ìÁ]Ì•*À¬¹ãímŸ:9
güûü˜'(ûÔ8Ê’ÁÓ¨½
-‹
-Ä£>?ºÜÚRÿô�úëM
-Ó¹©üà…¼"½,^Aáí­PÀ×�¤�“
Ž"�Bçêq¿ ÁL’^£ˆ|ÐÆ^ù{¢™¥d�ÇN«qäJÃ]öʃÛ;µ™ëIÖÖˆ;&mí¶Ñâi÷��$½(å³
-�rh"|Ä^pxå™/t rõlyᶦ7‰sAÔãÞ•u_Íø\§Œ<±gÉjONžáµ ¼ÈØÞ
U��o.£`OLÀ•š
-Öß5ˆ÷ùòpï:|38vŽ%ç†w[Á'½?3éÌ><€ƒt” Øupßðýö´[-0s8<*6ê
;!æyÒ¿€ûò‚V°Ë©ZXÊÞ Qç¹`
-.±¡töN—æ_˹9(€ôÝùa<ˆLôGeY+üÓÀV.øœ–K°Ç•í޹ུ
Àˆí
-W‹H¹“jlË0r/)§\‡Qñ¹�~ÒÉ)·–
-Å
'3(¯p3zä:’ëÔJ‚^ÿ[¬PóW¨z:6
Õƒªfc‘E1?�õéÆ
-s
-GTŒñC�ÙO¾ÂˆÿŽ‰t’ÈÁh/ŸŒ–Å®íD#Kz™ŒQs-«»ÆvhU‘¶‹ñŒwò/‘ƒÖÀâ�ÊTË©m
-`=óp#FñH"»;ª›QÀ@‘˜;I’­F$˜±,;q
-™Ÿ6ñó…úú½FôY´=Pˆ¬h–D¨R:ÉóÁu7øVjÑZ=¬…ë0ª�<ÌÚöRrã`N0ò ¾°cU‹ÎBa"ÈA_¡@¥µ²ºP^Œ+jGtöNb[Ažm!Ý^:ÝAj¸:Õ�Ì)61£(“]¹¶ÀLb®O¬Ã¸R:ßöˆáà@ýÇš„d•Š…Œì‚1µ£D�‘:Ýûñz	¿/¾�ÛUžæÜH˜ÚQÊÆꮬ[KF,FÐAöàõßË#1ay]v«ª'J·Œúb¿Þz
-ÿ‚Ð71ÇÖõ¤Š7ËeÎB°·ƒ	…(y@,Þ1q´ ìWÄ=y´N_4éªBÀÁÏhÑ”°Ydul¦Q_aüY’ƒÔv”eÛ+^:j³ÙgBÖ’¥èLGeVæ
-(î6‹ºßYE\@Î�´q&r‚{�Ìo™]µ@´¶,&™ö#‹ª-Öm˜E,
h¿ÏZÎã>ßÚb7—*àjq¿æ=HABÑÓçÊ\€-‚$
-•yVHËœ®bYÀ9Ær�f¸/Ú›×ËÁú3HR€Ÿ0“#gc"³õ
-¥¶žŠôJ0éž`4Žœå„iŠfø¯WRP³u#8ë½���wP¼¬WòÐÕ´·èÈìTCT€U8öi`@ÎE»7Iâv2~X,C9ˆ*Bz¸4½œ/tƒÃÆ{¶Éyß’ÁŒS$-óh‘¯�>,š¥.…¢Mg,ZrÆìj3f$\âÕ©˜œHPËî¹G� ƒ†NÅ#©8…QÏåä@|ü{¬ût¨í¬È£òócn‹z¡ž[âyÓžNvIPªÅE2M1u»	{Té&ࢢñÓWkÁ°ˆîÇÁMn#H�àçt¬-J0[‰*vfRiíÜfçNƒÑ�Ï:Èae÷o$©¯IVx*˜©åÆQ ¬[
-¦’ÝÕ׎¿3Iàæç™�Wm\-}ö:ËÚÀóð¦Ž¬àX.1W¤\é
î	Úƒ¼”w%[áT,ê¬G
üü˜ÇVp`DG®AlçúÉBU¦XÔ€{ÂC€ÏΫn*Ô
-ž±ÑŲFˆ/Ê™ÇYÜÉëHí,rƒ…ÙQÛãòŽrÆ”"waËÈá“*'�)ÕãÎSq%`hrë@[Py:¸x‡×‰ç2�ð+Ãà
óéÆ:(1{pf’Iù«ô@ÁûXgÐ.�×ý¦]™;ð8ø°sÁÀ¤��ÎûìA÷é3£ê‡ÉX©ú��nªÊ¸k�
¤v¥,~ÿaFÇ YOõ ¹@µ¯§d³IÇpõn�¤´+r
-âJúw¢=<æ@pQjƒåCð…1ô‹DÁ
^¹ŒŠ¾žíó,G~„‚ÁÓÚæmçGyK
-¨‡¥€z­F„Ð$€A+:
¤míÍ”ä­pƒ1©¶ŽŒúi‘B9çC
-†/ă§ðÉï°Äá{ádvF™X"	.[V™8¡,AadnöyÔk
ç¯Ã�m¹:®$–vá®/kè¼,œ†±õ¾~Mòؘ²Á¹�¾ÖVGì
¼x.æóŸ"
ÌÍÄå–YØãÖ%Ãë¾K�»QÁϳÌÌQ¸ä£ÌU)Û;¶çangl;ƒÇ-FìôëF缬eû Ò¨Ek ¬rb_�q¦v™‹cÍ&Ázƒ¤“ÄVg¹~Ãä,Z‚BÎ&/'̞ܛG&¨Õ<&È•4‚ßψ]G(hŸ¹2vô`Ü5%`EèiÚ`-èó>™¬�/n
¾g°|ŽLîBC€ój¬Ó³FÜo"±døúÿs«ª¯®€°¡‚Œú%
ó])Àk©õ!PpÝ÷<"ª‚"Š+áX7øÌཛྷכ
-2i
-×KßN-!nYO�g�ÚB‡›{�{ÉÚ®Ñõ•ÍkEß³j²™qMjŒ¥ÃÝë1	ØQÛϳ€¯ÔáoÛ ŽnR[ª·ÔÄdÝ­i—‘E¦ãrmh›é–K&À4�ßr*gÞ±»­°nŽJßë\¦µ
-–�©
-ì°ÑŠäV£`φ)ú‡0ÏÕ¼Uµ „ºÞkü�‚tà4°â2j—gÕ7=
Ê¡/GŽD4ôۦ߂ ç[}.90ëÃÊf¨,Ùe´k3¬x™œYÂÒõi
HíãQ­(b‡ÓºÅˆf0Æ?¬o ¯û¸F/è¸ô�†•%
Í‹®û†çŠ0‡ýȬiT²¥»±Ê§€Ê9yÐ�ý6aúúè[©¹7�;Y‚}!k¤b'Ù¿Ëe»×‘#È7¨è	ù.£2eyYì"7K†*X!œ¹™6Oríp*“qQ™k\Ò’^GÃÙŠfsÛ¢À‘FÿÜJZÝUØC~üd›y
âÅȹ›”h5ܸëQ
-JWPJ0{oÇ
-h;ŠŠïVk7¯¤+µ¬„‘;I•FZ)ÛŒ÷€wøòíూ79uä"4?àö Y‚ì¥
$?±�P‡„¼+¯2:&9�%}C=Ê]P?ÏŒ”Þ2³WÊ/)DeþöÒö, ÆhŠLª	¯Ñ•é/GZt—›¼ô–Á3gF>æ£Âñ•¤
Òƒô[ISù­ZO‡‘kÓÁ¦Ç&õI�GÆiJ¶O…n4
Œ÷ÍGq84Ò_JfR3‘ËÃ$±ˆNÍ@ØÞkÏ7Ä�¤1‚«ÐT™ÄVkrY0´Ç+|Ò
%{vHÝÅ�ßÌdûúhÑá÷²z[3r^LA©?Ùä…0Å.^
Éø|Ø/�¦d†^Œà¬`
“.e¡“»Œœ"
g�Û0#rOãÖ²ÙÌ,€¹]/ðØ‹'áu§‚Üφ¹2^œDN´°<ò²Pð`Ñ<‘�(!©}2€µR"%ÔUG63cz´­@\­ö`®èj2ZW_áÒ†.à$ÿC0!8¼êÉt•{cV§¾äR·•Á7Ã
-az[Öh{uöÜ!Àí	=½Rù
¸|IéâŸ+“Ò›æ€MdX‚9I‹kÃS±°;“—®‡±þ½Æ
¹þ#Ësl�	ÉØ…
Üóͦ|~ü¿ÿõ¿q/ËõóÿÄ9Ï´Î#9îÌAqðDcI–â‚Ò|kƒ9Ä8{~ÄFA#rx)X;Y�ôMKv’Úà(
-¬}7ct×Ë0Š&€Ñ}×ËøÝ!3´ ¥þŸ�.·µ
O¯�ã\ßÁLÝÿA@é‘ò
-ùÃ~ýüº"àgÇ)a­·ÅHðß3,½eÇXݪ3MÖ¾.¥þðÉÛôرáÕ©*SIz  ¼nr˜i[dêxUW?UKÅ–ø�)ÏjÆOçz)Ã" sÌT³`&SÓï$ó«tÁŠ€“­áÐÖ¥þŸ�oû0÷6Áz/,ýùu�¼Û®ôp§
iÇ7[•mcÿW¥àkycœåNü	ØíŸ ø®u?ö"‘,p‹ÃþÆ–ˆbK‚º
-·T‡Éi'k ;pîØŠûǽÔ5À»¸¥¦	n4RëäÆp¾§c�o4 vêNít,uyÙï7�_àçÔƒäqRÛÓòßQÐW66MÝZ‚À°ìÁÀ&{²´dì¬a¤¹Ë IŸç\S³!¼òj!ûf#¼²QKUäª0C	Û¨j+z|‹n•<ª„çó߯!]*Øž¾>fØUþ?&¤Ý€©Ùä�¥¿Âž±?¢ßÉ(”‚˜4Tª‹Z�+h‰æ
-¸�m9¶M@UÉúUîÐ>]jj,éxMôzÂñGŸo„Ûñóxf5§:“^ðŠZHÛÝÀôkœælo[à2‘&šLp]q9†
-æôî¯�_F_7/ß‚Z®šjz£BÓO¿Ç|!È@ãѶÿÌjŸz#‰~ýþh�eÂ|�qj÷·ª¾Ê'¨aÍWÕï²,gÍÌÍ뮜šÔ�ŠfO¶GîÚ“g€{üŽ;yǡ¤
-
-aáŸnèjã®­ª�µ+y]™yWŠÊ2ým£LC_v�9ÝnÙ­>ÜòV%à
-.ÿI£&ÜW£wÍìH“ÃN¿—‚ùÁ¼5•µæ¬È%ªS.×ç]`¬Ø#{Gúsu-®A°Rkñ†5„´±D’�d/i¶prµLºOÁ¢Ž(H©ÉŽÐ«1Uð™(Oå„£žôK�p-.¤¼R¢¾UP�è¤B)œ¤¦Ym¢?U%ÍøyòO–ö^ô²¡æÿòž'ëgÔ…¢‚xäòÑ~îà¿n›¼»D¼ÁxXFÉõÇÒn"Cl	E;ÈûSx
-õäaõˆxSîá œû–‚nFýëcîM®òÈO®fÔ熪 oÔ½
MrìÖk ¿˜ZÊÚîMw´l};+
-u0+K鱂ó. à.TKYRâ°äQU'Xž uÒ}s¨Ê³¿9~ëìÔSº°´§·|™“*>]Õ‰Œ§¡š¿Ïèª)¿ßÔÑsb/
-–Ô%…iÌ

,íIø»U@²gÿ i}Ûƒ,„Øö�Ô¸j·ÄóBØ@Q©N=.®fÐJmSƒGÈÖ—–+ª«ç-QÁ¼%*(·ÄT˜U;O÷´sªîd»4h‘ͼ¶Ô�åñ~µKƒEäß×Û­C‚›
-ܪ:lÝ~7-/K¢·& ºei
¨â¡Zµ/iʤj_Ý/Xe3@TZe½ùÕö›g!¾«?	C0_{ö¬z.à–eÿä]�Iø~·6X°u’V±-ê4þj/€üŠì­¨Þn,¢¦sc�poNÄûf8[~„Œ~è 'bmëcðûcn�CCº	ä²
È%†kšÄÃ	(•"s1ò3R
-³ŠY\ê]]’�Xµ’·LÑ«šÄ°â÷,?œðÞ+Ü%¡Y��Î1¬qÉEÞ?B:7ô#¤'¥WÒÆæõMym~E~ñrUÕÝjk´�²æ\ùÓd&7©,�®>²Ó&“¶�|@açÔã¦zPú¤–xw•¿‡M²Xçó+c¥=èHu.÷�ö$l1ýçfnLCùô4ˆ6¬÷r2²ê�¡DÖÝQ@(�ŸsÛ<ìsÛ¤€É:§zgµ
5·ãv«.«ŸÜÀE*Àÿ]ÛInõö(DåÉÃC{[gZÓÓK9imLíªÀöº%·nÛeŒTÝ»ºµƒÀd–ÛvÀkµô
-Ð1ÿ˜NvÑéKø
ôMœr©rXQ¥‡ê|6/5•Ì„šMýªÚR%/]ŒŠþ_ÝJJ¡cÂöyÚzO¦S(ï_Óï¯ÿ®¾BmŒ´/ì0îÿÉëÕšBdÓ¼Üà8ÇTIT{ŸƒÊןg‘Ü>j¼¶Ïc›¬òœTÃ
-Î[ËV®$µ¬AB5o2" 6C¹§Ô^¨¦¤A7´òQm!TÇZÛóR¤ ¯Žyd)Ö+4�}ݵ̬¶Í�G{+=˜^–ÇOyX�h²ûÖé+Eá9©3EU«<'U)�HU6Ò+ÚŽj ¥‰>¯šQjÞª5%VÕ4-µµ*bVʦfl®TìVß|‡ï‘»øû¢ŠA
-
-–W@Íþ
-+XgÚWÐ×ýF@Y
-h»^	h'JIË<$3EgL�:›N8X¢8‘yFˆ½DÁ´a(øí¡Þ
-Žt
-–bwšmvëwåÓ>ç¿šµå4:ÕëÉ_ÃÞr^Y
-©ì"§9Ñ®Ù
-éò>‡’¯Â­ÚÇ =ü* CôÊ�1ðm÷¶î¨æÔÀÃ
-RÍžeémz×;ï:Aú¶éònméo=(pÝ%ž†jÄc^Ä=�Wøü˜Ûzþø˜['�t�Io+Їk):–1P§4�gP6¶& Öhpel"¨†è£XõŸsÇ
IˆK«(
-¦½ç6››1
«öhZ.;T¨í4¾×\·›”Õlr"–üÃ÷n#9¿IùkúÄŸ@¡¸¾P°¨¿®VQ E7#Qv¥^Zü1÷=¢pKÞˆ�û9�z‘™ŸÛzLFZ�éú(´dÐ×âý2paB²Ò¸ábŽ|þ�€zXö º…ä›Ï�¹·)À’3ö1½—¥|¬ÊQ¯pE�±ÞÛÁ·à¾_�Œ,œAÊ­þ8¢LÁÏ�Yn~Fm‹´š&¹‘ÁÎ:&É:/ý%Þ…ÛÈ@¯‚x7z§#«ÈÀ¨CT4F†9/f£D3ô¹¶«?þ	}âG¬&q¢úp³÷
-&·”Á;,w2|O¨}øIÖ|Û
÷ôL«ûY„’XÀgo3;no
-'±s�I‚ôz
-	>™mß‘�ç}Á”…tµzK
-ˆ"_’ïf`ø•ü!£ÀoK˜ëpš²Œhû†A1m|[\†ïɯ°“½,Qe‹‹‘ÙaOåÇü„}
ÄËê^J£Û÷`‹2R8
i7¬ø‘—M#%lq<Q~4kœZBÒ"ª×ý´ÅuMÚØôj_ \×ËŒ!Áéζe"k MÍ6P†ŒÖ––�Tc:˜>Í.ÀÛþžŒé©”¨¦ruª%CB†Õæ�¾e5/¤Š(ÑGÔF'›Ã>Îu
-Jª�

-‘ÐÞÂpŸ˜¼&rãþþçpDé� ¡òt¸g:ßAº»áƒE5ƒA™\šÉ¢ì ­-í0bÇ(W·ÉaÏûß/u�w
ìj�"5O(ܲ~´¼®ô 9"µ¬Fí¾®mó¾ž1A¤ÝGoËbqZe–cŠôQ›En4«IYs^›Í¦$¤�19â$þ‚݇A*GW—�GÀ2æ’ýùÑÍ9¦+#�,sñ;ˆ´}vëó£·mF"D}÷ A‘=x7=¥€z]ÙzY€´}}Û–Æ/|&tÒÐ&6žú8b5)›^›µõÉe~ý
-;@ý¼a¸©
-ÐÛî(D–Äâ½¥×™í
-àdŒè¯Ë¶R¾¯Æ@Š
ª
-Ôê¸
-Ô˜*t,_‘mgÐ+Q@Áò°’ú
ˆ¾RE”žu‘úxN®Çj"AÉ`¸Ç¬rKÅÈÁ.gqÒ×ئ¶YÈ[
	ÒÖ†ðjÖuU5\AÔ"§€‚%–©@Ô"×µp~…&€Ýº˜�Û¥Þu%Èëá
¸}X=÷q½…cýÔö[°õ
-CƒÏuŒ·¶¨šÜ[ÞÇ]”…KÛ›À0u%Øí�)·ƒ+™–
ÍÀ=KCeü™Á,G’68Ç5†µnxu»ëN#Ûþ0Ì£	Î=hm\Q¥�~=¥€’;˜1¡=8—óy{ÐM©Ãj‰"à‘pcµ»8Êú1Ôm¬¯“õ¾8ë—°Z]‡R®|¯Ï{Û5ŸÚ£Þ{ǤmÄàýÞ¼Êþ(€ êUÏà¾^U¡9lÄ6^÷–,ªÁŸaKFJÚ6§yHëjÂ}�Êì®Ý ­º5v÷_ßzÌþ”Žîrp+róåFiù,ðœ2w¸YyaHyXs÷æön´„û™ðx_Wþ>„‰Î˜ü¼ÀÓ’Ž¾Þžï�z~¸_w§AÈ–ý
-?€n:¢qÑPڶ̘ø‡(±2b¶TìÒA—aSª‚eÓjri’K,lZ}´¤²xo+fÌol›j‡-»žÌoéA�lÛpK´mZWkd¿
-¾~x4#±æ4ÞZ
£:±�Ž
-O
üø°9ÝÚå«Ù&ðúhÔè;³³Ó~œÆÇ)(^
Œ¯†
üødf,*š`,ê6Çx%?:]§ˆ†äÖ±_ƒew³¿Ý³�—FýfÏãÖ¯=¾¿[_øÎ!çã¾|1þoQ¾›ùø8ñÉý<}ÝÇ=ã6¢
Ÿ�q娼Í25?|Ÿ»ç9æîi>¦il[¬ýÇG³ÑŸ®��+¶ÂØ(έ46¤x,_:ÂÉ9£º7óÑUz>GŸÎ;�÷§ß=}m£pÿk:
ç•aã�6íÐóŸ3þ}ùeÓŠ¦žê:¤mÆ´��ªý¢Ô§-!òÐŽ%.ZÅ•l KDì±�—­†QGås|Æ»ñœ.íi,•
-`
\ŽpjˆO$\FÍÚx4¶Ì™©e6@sDŸ/£Eñ<:Lù¶?.–-qÞÔ¼‚Ø£qRcß�>²d£n€bÍt0ÅX¬^¡ð.ÌëIö|7	ÂÞ¬êÝm×
-ÉíÚÓè­fƒrŸW#“ûxh€×Þ–3Í’»ózÎŽµ³@iâ œ‹$Ô¯îׂYôæmä‹ Éš¬.uÐî56¶Ç•þØ—Âørg|؆¹±[vlVN“+­’5yg�Û8Ùh§ðÚ¦¾ÅÛƒ—†ÇñÚVÒt'$¬ìæÙbt=nîr§Ç_ß| YögâpŒàYщJ}À\—
$§H•Œn^Ø0®F°Ø@˜Ý�£ñ¤G¸¿æÆ74°ôÐúàšsø®#éUHî×’_á­ºñ‡‡k÷ôZYÂCÄvn‡ƒÌ›…™”Л‘dweÝø†$ÝóÁëgúæúÓE¿�…Â|eN£eγƒë؈yY�¼Û±çõ¿!øø3tçÇ~!<•›…´åÛFö
Æ·§›øA/Œ Yë]ü�u2¯�sÚíZƒŽ};SóZ²ÌL.êÞÀ^Æ?	ªËͨ'`ö ÌÏÇÚÓ7J+nÿêÊW->Üüíé¤�K%ﮩŠÎô÷?7BÎc×ß�ܘEQà$äðö¼6(9÷í6m¥BaÉUa$R0j[O׆Ñ[½ü‡©XÑ{=¢ÏóÍ>=€"º+Qè3ÌwãÑêiœ#ϧ€ÁÜov3Žl+Œo¯M¦öuÂ=·:©FG²t[úáéZ¦¢] `ŸnØÒ
Mwpꂯ׼Â-î:^v„]_¯¥rG'¯;â™ÍÑø
-$é¦+hVèŠDvèrçÆ;üyH	þzÈ	|KµâC‹\̲ã.«õŽ‘H¯ë&=7pô€×ºjѽ
W8ºw\bÔÂ8§LTÀÒ®IEA›JSŸÿÐå
-ß_Œ=BgMíófÄËŒ·º£ðbÍÆññ7£�è7a¯@{ÏÞ: x(]�Ãð̾›¡8ãùnÆc qÇ0ŒYàÂQÇ<<JÚ“‹‚Ùç…Ç$ ¾x“ã?fü9‹Î8Ç�ŽÝÇŒ?”
-Þß—_{¾/
4WïÖ.Ê=ž+…û	Œ|„0ûÂ}}‰�MÛÁÛÃŽ¢b×ß}“!„û°!ĽíhŽ«ž["!ÜCBÚÌ
-õ-gjÍ7a;id§\ïF|(›o�äf16è`‰±W‹j4É–Ih@©4úN.³¥z]ç“ë›Ø÷ku"üZ3V™äÊéb�-Ûñë2'ÑÊüh6«‹1òf¢òeëÙÈטö�×eÖ“®š{·p³Æ€ÄXeLÿðtmÅP¿¯}âÙ˜:ažË¬�Ý0ßà4S½£õÖßÁýZ§ÉH<§3½ŽvÅÁ5Qð£Âü(ãá}ÁÈG yضvo »<Ìu«nÍì}{è?Ì÷>u£Å=^ÙR�á2šÑMš¯±ñVt	¹fï/ìlÚ.×6
p`ú"äfnR}ÇŒM1š£:a|Ãx×]Ù˜-´‰Üc¡°´j‘û¶,ü¨Ä”Âú!ws†‡pµL�²2&è«7£v�
hhWÍ%®µLí‡L*]Y,.¬u\‹ŽÝ¦÷i<¯Ü®éf©éƒ˜F<—Ôé�7­òÅ°èØeVí1^›–òªåÍêÉé2öksQ^¸¿nkàÚ´vm÷k/cQºµ²–Ša¸×­®ù~ÛÇG¸N™HJÂ>FQôI‚U¨	vö¿šPôýY±Ì›±ã\].šsh›ø ºèI„öŽ.×.J|íË8+½×Ûµj6ãÔH‹Leܯìçôø\ÇŒ�›ÝŒ|ØËõ#F¯…ù~³›‘ïàš<îLï`xðý˜Irúm�F¬Dl ̾”Iñ#ÄaÙ»ß
-W²
vìXöâ%ÊA»?U¼€/3ô\ãÅ­Æ0D¦âùñip³ÇÜ�/üxܳ�ét‰›Ù·‰0»×i¬Nî¸õÁˆ¯p40 >èW~¥³ ˜ém÷:�ÚÀ-®ý¸ê8<6
†ì¹/ŸFÝØÙvm[²é}€
Äð¸9ñÊ�â£_«j‹3ƯîëÌ;×NÐ|nWNWA9V¥Ûµ\·�Í(¾îcתš4]çt�|õ¼Ü(ìŒ6‹P‡òã_‡ÃÕŧÌ3®4ÛÒ|©û__®™&l�Wž6¨kßl®Ò³QDÕšŒHvÙòý9¯;ï=àkÆ_í5õÛs_¶¡j¼ÎþúÚ)Æã'ê×V±ù*ù1/#äon¾_nÊ,#ç2NŸ<ýO©S¨Šç÷±Û»mB�×Ò³R GUc¼»�73'ëÍÎîífœÏ3céåi¢æãq£�mzJfÔD’»�½�!݇јÞ7V/Oüüdv-¤ÖØ[1N“Š£+žà›¹­‡Ç½–A-6ó®ñ:©-oà}ýéfa<ˆŸüìíqm¶qº¸òö.£ö§ñ�›Í˜L=™ì]SØü FW+̺í7cÇ¡;–%Ù
-uôVêó©Ýq=6±ÄÇ‚>™¢"Ý–†ì*.LièŠ
Ù±Ž&òæ
-�õfU�-l;¾ãø+bÜëÙ¸“µ›È{a/;*S¶œ¸�AO¹ƒµ’›‡NȈ¢D÷N,í,SGÚç:là�ª	/ë+<Ôb`/+7¼Sãá¡D4ñ¢zÄË:O5)ØÄŸ¨`q–º¸Å`/+h¼¬µñT—ƒM¼SÅãe½�§Ú lâe%‘—5Gžê“X/«™¼S÷ä©FŠ5ñ²¢Ê;µWžê´°‰—U]^Öy¨M€¯"•e�U#•ÑÔ3còJܺب1P9¼Í�®E§àbsÄ8X‚yÙçUãkMØk¶ú8�÷+-O½hÎSÑ6ñ¢ÄÏ‹b@/
-Yï”zY�è©x›x§ÔÑË¢H”Ø„${µ¥Œêmr0« Oê÷B©F`V©¸l‚>Å�ð©q4GQ_k:«ô=ÊkN°÷°�l
²�¬al168‚îoË~Ñ&òrÎÒf”âZ¤L@MÀe;V‰QÂœ•ñ¹æk÷®�oˆïh¶��ŒIÜÏö 1ŽÁh½®�oÞÄ*QBP.ÅØ#ë/�Š8E/øC2†çý†7#ocôâúóhûÑè½…¬¾Ž+ÙDüpÜð4Ρ!›»q¤Ò�&†ž„”æ`üU1^»®×ö¸òúv#EùaÏ:Ž>?ý°ÞU
-*";5ü“^¾Ÿ�FT%ÊêýÊ	Å$T ©�c­¢KVÆZæOƒnRœqÚ®(áÇÑ*´Š1}¸ÿ°Æ‹«÷c ·öC{Õ„�obœa\nlñ9$Ϫh SŠ±­
-£R	ÍHµ2á2´ã]æÅji|—ˆHmØš ,+«A>*ZZÒøЕc3B*P}ñ«UöÆ~0Õ25æÍ«­D‹5¤¤FEøxÃaÒÌzC£+ˆmæŽz|*PjÆeB/¢Šhéela	C€ž†S‡hU³:j,WêÁ7FqJ	mãµ€l3¢^òek%·°}õ ¦p»6l&‘u·Ná1¿âZ�f'¤ �í¬K„mVΊ¥®ºŽ̈9÷žq˜ÿÕ›ˆ�Ÿ}öéÝ÷+!+cªšNà„ëÊX’ÆÕÿÂjÒ³s˜²ü±¸ZENþ€&ìý¨q¸1«Ç+Æy¼7WQ	6µ5"Ÿ½ÛjŽ›™Ç;;‹æz/’Ý°[d•MèÒ(Æä¢RjÔÀ×ñ xBäÕ~ñC¦w“MÛZóõO2L5úÄÿã=�Õ
-ÚžvN“ü0‹O©­Ðc*uÏÃx´�M³fœO}¹Wr�̱ªCG&v¦aÊ¡O#ÆË݃ê�Ò_nÛ.õqžöcá—ÌÝ»V�°
-Ó·Lîóºªñ ]Š³ ïÖ®nØO9:U-3ãåÃàÊÜÒ8š0N¨v¯À«TÊI3cM�žÉö6³¢	²ùnh!Ý÷ŒÓÄØDü Ø1ü£Iý9¨Ú�WBÛ(zQ!öâJHbDì>´êÄK[Е�‘½¿o¯ç«ófôyÄH½¼#L/?\ß’wª2cÕ®K9‹J7¾b�$z
wS~ÈͯVÄX�8Ž©Q'™(MYñoÂXGòÃÀètÿVŒœ§7c¤dé&H#?§þs¸ä9ãÐ7wóKµ¼²•DÙ9“)%É2ªÙv–c-üʨ“W»LØØjLTIÓ›EÙvwÉIh"ÉAlˆϗx¨§Ö[� ÅB ã‹Ñ„T°§›ä‚`ãÖËÅÊÈvÉ¿Ïþƒ.ÿ¡hF«0s(nAšS‚¾Ÿ¢]Œîœ?£�"ÄhIdj4ú�ÜìØû¤¸Œ2œµm ¨‰Lo1*ËŒ¨S.]ëÝýï´È¡9=K#k¢òWm
-ž.w¶Ò4f¬Š÷Y‹ØÊ ôŸE놅FÔrpoäPz³PšQf°_‡B[eÓ@æ�ØV¾µ`y)þÃ'
ÖmcuÝ�£Û+‡‘ÏÐ�³óxuƒ
-e%éà~¥Ù‹f~©þ0pò|~è6{6Ñ�ë"Æë¤t6
º˜dpËöýÙÑ@¨øÃ'
^,8�¹-ndÛÙT~ÓÏþÿBt�ðèÙ˜[qµÓ¼=:ß^Bª´~-TŒÛXŠ½y•p»ÐcDŽ-¤,ƒ«ÍʸEÖ�I&¡üZÕy¾Ïö#ðHn^FÍ­yߨ™KÏM„^d°½H�„«î#¼2˜ 5„f¤E(Kœ1òƒnA!È gXîÎ)ðŒ�C„pW’F)™‘ø�4§ ˆ’®A<¹ï´BSÑðMì´Ÿ½íh†2´‚FMÝÁfȲi¼Á¢9”B6ºføg€€Ì&2¤1ü‡G#%voF(>7AMà I‚ÈYÊ-Îp¶4*Â&äEÎrs…ÀTŒ¦&
-„i’nÞpHýikqY–4#’³¼Nï¡
-‡H¼*°&BÑþ&¨O=üIÀ!½?½yEQù�â)Gm†8
-BÎ~q}CÏëüÐ2ªí¤ÇšlBˆÍ	ƒh ųZ6x
->“Bc•ãûÈÌ’Ê „‡³¬óðC}¦-ívÌ�¯ÞB1ö3£ÃˆX�ŸœÑYû¡‰l暪±º±M7:f¡Uý¡´½Khß­…©ž�r®øÜ :Ãû—Ùi®¢,X¨Å8*ª¢ˆJÝÊ0¢ª
-›Pó¶ZFñø:l&Fƒ
4d0x�3"·ó€dДòpü@ið¤Ïã§XŒÓ?™à¡!µÇÿûå⌦ÞUÆÅæ®Ì¬É@‰Îl6!ծ̛–/öÊ?ôV/£¦'„1ZXÆ/NíPãj‡½r¢	Í:=šÈ±.Tö½¹<íÚŽ˜�9?y%¨òƒ	
-B¢ßi+Ð=à§̈QzxðnD¦ÃÝØ‚‹rþ 飙W#ðòI5¯,aç¨[ M¸tÖYgA„[y¨Þ ’©€Á¶EåЕú2¼ÃÚ*tþkסÜY40jÂÜ*ÄØiä./Fc§‰+NûAÝ
-Ñõ®,&F×R\®B ‘¥®?l\Í•[ŒVShF�C1ŽnÇé¯Ê{ƒ±±]ž¸±®
E…Ú²�l”ãÅUâ¡EEÌð$õ%šˆ®áÿ|5KªFpmbdbWw‰nb
-rŒYªIŒ–Ž*FS¨(×¢6]ÃØ‚ˆœ¸J'´ðÄØSFá5?TKÿgœ�ïÊèß^üà:ê/ןÔÙãÜ;3i{Åq¿K¾'›Àc¢Œ¬º{Çé»P$ÚÏœÝ3¦Mt"�ÍéD´A.v…Î�^½hÄ2ûü.ÞâEIth뎦o×Úõ-bI�Š
-yxfu{º©†£ÚDÒœºÀЂMîþùns°~ñ˜,÷/ozèÔÙãS3Mòoïýð¬Þö¯ù
÷¹‰š)^ú-~(Z®¡&gjËv¬®'Fã¡(Ó!ÂBÒDmø!á$)å·�"ÚÕ«HoœŠØ‡8	ÑH­ru÷*óÕ6Ðå—Ïq¼LÑohÔŠ�˜ë·°+Œ£vT‡£+@¬€ˆc£¼Û©!² ˜¥ÆRÅc¢{šŒ1såÁa¢{š�±춤l]ì`´ÉòŠ
±É8{ó"y#E.ž62™¼azåv·É^0é±k÷n+‘Zo«	ðÑo8zrBBN¬ð¡5Å]�VßO�(�Aжý0quÛ™¹$¦saÆÆ&@Z¾Þ~XÝ;Á²àÈà}~Œãþ;
-k/×ùüçWxÒèüæ?˜b˜é˜‚ó9ÈÛßÁµú£Š§«CBÔ_¹¬}Óب@úB)”Ö“4ý·ø¡»�=à ÉýÌæo»&Z¦wcPB®5
?8¯–Pc§æý�|éâ_¼Ss*}üË¿ýÕï>þÙ_ýmN¿þúÛo~ýû_ýÓÇÿøþñ7¿üøí×ÿôË?ÿø_]Wý7ׯÿÿÿåõ?zmþŸþñw¿ûåoõï~ÿ»ÿåW¿üïýÛ¿ûÍoÿñ¿üíq½ïÿÒö¿ÿï~õO÷‡oÿǯÄ¿ÿõ/ÿù_~ËŸ½ýã·ßüóoåÖþ!}ü«ë¿ÿðŸ>üþCþøW¿¹þùo®ÿþ»’¥»ÄƒV‰°1¤^ôåÀ!âmSÖ#©5SÄõVåY+8�ø‡¼ZÉRnúúÏ?üáú—{ýÃÿu™þÓÇöñüø¿ýïéã?É�ÿg”§7lD~U‘þö`NÌЃrÇaÀ5«ÊXºÑÊho2shÖzb,3ãhB8ø…›
-ó©jÃ4cQ+IDüf3í±f¹ÄúEÂOrp*	õÉôϪ�)<¢Š#ø‰z6°¢£*ixÚ:D[…ùW÷4â"©9¾Â”ŽAÊë.ºM4ÇJ‹pì;4œˆþ•E=4µµ
-qlÞ¯­ò�×âô`>
-ÇžÖ‚ZÇ×;'å^hTÆRIU@rÓÒŸ´ÿǵÃÅØ¢QÉ‚b…e>Ê~ì€Ð¡Ü%Ü›=^
-]\gÛgâïfL‹U¡¼ÌÙ¤L˜œLZñ“¥
µ�f±#«hл*]n¥%G6íÃho l9¯U9Á"Ît‡ÕÓ°hVe¨ìŽà4'T{ÜÈox�œÇk¾‹Ê8wbû%	/
â»,J"LYù*‰ïâäž@ºRn¨þ½ä
-¶“¬ûVG=#	[ül&wJ΂fkíY”&{öñß1øÀ	ÛÄ%'DSì
- F?؆Fß®U
E2,„Ò-[‰Ðð~Eô׈bˆ¨<Þë‹uAhÜš:®—Ú[ɬëxÏ*}ñ
-¨¥xø¯£Êq
-ý@Ç«T”©<:%`B{â›Ëš´\VGš<É·ÃxÕÑ]QÆLÃ`Ú� §\³sñÀ.9k¬é¨B
_>p&ÐêPêK�:æ’o°
-ºº®u"ö<cë~Qq4P
‚—ïÀ&�swWÓæ¿aS�(’kÕeøÃå!LŒY­ê4¨4©Ó„á·”¬?ºìOw“±òÿ2�ñ¼xûðr©ÿüÞ¶ðbMÿá½õÿÅí~€›ðä|{í=|~gëv~xסx¾ÙX]žfÈû³éy*üðáåÄùüî${¾úñ¼í}{½I~~w‡{Þ
xwç|¾úñ¼‚¾¿Ú>/•?|x¹°~~w~¾ÝS?¸£¼¿û<oýàFóÐ�cSz¾Fé³ëüí•›ýù]'ùÉŸþá]×ûù^œ*Oç…?r¶x:Ø
�Ÿß?q<Ý
Ýx^’lŒ>-`ŸßYë^,T?¼»¨=ßíß
-‘ª™Ö-ª“ÝÛ�¶߬-wYÎÏ{ùîßV²¯ŽÔÏøQ#\¢�§Ecæ5Ìüsp)'vÅÈã3fõ>£˜‘¥XÊjØ!•¼Ñ£CÈù+Xªx¦/Þu�:„„õXŽ¯!
-àkP¥\þÒ`Óuä'ºñ‰,Ä>m“4©ÄaûãblˆÄ…?¶½œ ’Eõ~µÕfQb#صâ£RBòšºŽdÝT+šG-T�­mñ¡yEùR™H¾”€o±Z‚Ï“Þ£–n°íøŽ|Ûi¤B…‹Þˆ£±:ýu€
ò^»iÂNÃò¿
-IãþBÖbiÃ4å?)x5p¯¡Â‹?aà®Öê'B8Ûš?¹ à!þ\íX·Y£]¸±Ø€ºíT?á¤)éO0ÐP@p2äH
-ÌZ»3]
!ógdö€Dš Ûøbù©Úi¹QtZyú
-y½O«©�m'ù	€A#Ú‰b¯LjÊ%=óÈk೫1«
-Ö .
ª2üQƒZª»;\àÀ(%Îö,ådíÔY‹²ÑbœA[€ÓI³�/•]¯�NÈÆh(� šÅùÁ^ôcf+ŽþɲÝlBÐHÇtÑóZ™IIúj¾ .8²!EÅFë'0K¬¨°€Í�
Y«­¼r5>
ßÕÃ×&rD�w؆ŸÁj;­pÞQÀ¸Zõrꨥ•a&d& 2†y5Ï™g%Œ]Ee*]\„$P+kˆ=C²o»raX«ð2úÝšðÅÌ•Å*R¶I›ÔÒc“_¬Ò{ĺª™?dEùå%ðgÿßüË¿û�Á?þÙß	ð×?þòWÿt�õÿÃÿò‡ß
-h7m§\^ΆÀ’8	Èò-†üß!ÙñEÌ ö*
b!ŸWÙúv·ÌY¯X4<’kã�¿«µB¢Õ‘áZÎîz®8i)	iÍ4¶fÈ‚§5ËÅŸø8ì’�˜Ì�E¼3qû–²¡�­j�Ò�d2ÆxI7év^IGÇ´¨69>Ý š‰hÛøñ“Ì\–Î6‹Sgâ·g�ž)þoI°¤óBéW3²r‚IF0Ü0¬Ì¨† ÚàJ˜ºÓx¤£`oøÚ
-Œ«%´ÕÈ3€)+.¨ÉµY�2þÈÉFt'C�¬à¢æêÌEVv‹¥F½Æ‚èNiv2ìªÃ˜â!~—H(7cs£PI(ü«fœåQDKô2p3ŽRcâ)Ht3—ôBŸ‚´Ù	_Þ©Ùƒ@GÕ<6ÍmÒÛDŠ�ä¨vsõ$?¬ã]éQ×z 
-­phu,K Jc|«g]h´ä5ʪCà3`ñÞ7‘S:‰�j´
-!f¢Ú:žtJñ«…z!…‰ÿ<\~‹4Éûö1 €‰´)~ÃQ´¾@Ö"÷ÛnæR¦*æiض{Ÿþ
Iö¬tÒU¶ÓÐmQþÈP´Â#ª1ŠKÊDo»Äʪ˜0úÐ*ôäÄH”DÍ{šFÌpxW
l#$)£ù{â®Eï�]•ÃXý;B“K�«Ðȸ‘˜Ažœô´d““8‘w"xfÜÍW¡aKž˜Gg�(
¦4

-QR¾ôŒ“�ê,D"eÊ])–¥,P»«Åˆˆtr)nÎ^Ó2š…ÄÕ¸AS@Ñ‘N$—PÞ<¨
=9§RR‚8ÉOßû §d	«—1É^€ÑY#™ÑÇ]É_ÔL_S
”·º7�s@[ä³ÒГ>̠Ή±v™Þ<Êp
d�lÖ
áÉòÃó=ô8X˜Æ¬DG
Qã"ç¦9V<HË˃Š�,üdäkÏòÐX½ßc‡Ø~â)ØDmÛ@²s‘°LÅ ŽØ‹«Ûp!D)ŸcTé
-ð¸;h¶,QÅ_ é¬åuuÊ ÁFZ-þZ!T%ÇÜÕfmµàÚÙœ^dÕ‡Ã~Jì6£Å�Ùˆ»bF’‡@û8ÝT
œwkò¯]¾QaR@�²O
åìž9Š87Œ
-¢íd„TŠ‡»²
<õ:É›²u*Uä™DÊ&…±Ð«‰|Ì�’Ü®h%8®’àV	8qØùÙ Y`="œ¹œ2Ø3×éaz+€o’s0C™d�Yr–¶f×É�¦9HYC­"1p#_v1ñ¥XzÈ–â gå)—›RröU§¦»33¢‡Šõ•Ô‚-åÞ
-Þª|Ɔ”py*¤ßH_QYWŒ ±�„É7:Ü$¼åìR«¢.e#CtjZ'tæ0„œŠŽëÉe
-ÎiÃY.,ƒ‘‰®b”�÷"§Bœvó¡¥Æ5hÜüˆ×ü¨\ŠU4õ“2…°ÇÊb:k/’X+âäÅz°çѬ3™/X
-c@úœröpž–AÉNÑ+Ù@*±êF-À»<¶G$­‚©ÛŒ"�k	�L}–*ñÅ¿Ÿp°Ù
-|›Æ"=Ö@"@Ê^	•¢‘øf9˜´ªÓˆm¹öÁÏ™~?Ī78ä¼­#¿!¹\@w]
-�0`�J¿
-#½t«Iæ&½´®
¬rŸšc£ƒš¼9É¥ËVuµ."v€…„Ž;&ñÔÉ
-¿L§À,~šÅÚ2IƒÐv9,<�[ƒ²¼X±.N³Çj¯FæËo±*_w�¼ˆsß®13·	:›q²>”p!gV=YPò®�% q
-̤ärÿÅ28“�ëØúNž	¤rj‰ìGGªQ?L·~]F§m¢œƒ§pW§ÿi+ç/6Tx)–Çg¢’Ñ–Éï®Ô{#K\)°h¹*jU±9×ѵ'ÔØn¥k"W£Õ¯ƒ dÈÀzºxw•¸bs†žV8�â¬f$ƒ²p—4ªä@Ì!;«AÌ@PŠ§	kH}áË@Ñ\=Hä— £«¿	ùäb„sÁL‘ù1;ó�Hõs6‘	¥ÆI
-'
˜|&‹£j»çAá„5óT¶¦	á4u–�+s„ÖŽ}Ö6‘G›N‡�š~ÉF1qMèRJ\)ûñ‚ÂÅɹi{Ð!YY&6�C±%&ì$1ÆS«ðs7(š6ë"��[¢’PL#9±$¹®6ürÇvMEw'¦ž(³ÕWÎiE¤Ô88¶¥ýŠ[� —R[ìô/,»²�Â#ЬaFÄ
“ì äÐ'†Ùr
c¦ˆ¢–Æ`ˆ!k­P¦Lóuznd·f”m3£'K=�äffüO*ö(d8ì%.(´û€w«³Ê¢&;™§�](Û®àhœGMr6FÅD‚jŽÂ¨ï•Í4#âøܤX¡²œì¶ÃZ”�ØùqPH
-³�}‰%Nëw²
«iâW~ÿÎT®Ï„ch�œAÓ¨ fDц4Öæì5™ßcoÎ}óš‡�rgRÄjT8²V3®\<sˆœãÕˆVNù"So&bv”Ôj&cE|�)^-4²…ZÍ' ‚“=­E±ÐÂWШÅzÞŸãëjÄ�3«DU5�ÁŸìÊ¡·r=ÀHOÒ®NÝ‘’$V©[•ïÍõØd TŽ¹Ôô2"
—èåJšŽÐfÏÑnNOÖÌoFŽgü,[v”žQ—C‘Nã�ÀK“•b4­›Û\zÔ�„«ÆôÂ8zŠ(Áš»]›-t£$ß<©áÐõ³ø6ÙC6t"
Z%	î.š ʲl
ÞŸÍNŸ‰Ûâsy!zõkB˜AFNÎã™ØÛ·Ýx¬€¡™mömèŸ{ÄUAsXm“R¯ãh9­…3AçòO¼6s‚•½<
-�çÕȦÔ|±Ì‘XÕüÝf«}ý•÷Ï|ðHíñ5âÅ ôUº·Ô;r‘ÛUêÐìÒ‚Kp냻Vƒwdº³Ìß »“«�«²IpaÃT
-j�Î-WYY3*yÞfO«l øÜÉôêSñ•­¹~†
-œñÒÊIñ\ïfµÆÙ
0AdN'Ç倵ss1c·Ì(ÝG[ö>U0#ª¨­zL	ß K rßü	(Á�Œ^M�„2ŠÀŸ�54åÅ\‘áC±Ð±­¢–}�P§Cª¦ÜhÆÅØ6>™™êÃ…a
Ù288‹ïÝð5B8‰ã©e™H‰‹;’dÕ86z°ãô#�Ÿ;lj‘.Œ•P¢ôÁõ“™°6CÎ<ŸVO”~ÖÐ��\}X¾è?9 W‚ö²`M§Ñ…æ%à>"áùΛ�äÁZýŒ
-£Î¾Ä¼
Ã	æµ
-²uB~«T\†Òwa½	¥6ÓùƒŽ°Ö­ZÌúæf{Œãy(Ôé×f–—¡`¤t¢™
-VbDBä:ˆ„)Âjëä€R-’B³l
-‘\ePü
-qQÄŒs¯Jô›8ºìT9ZY�Í„JM)q#5@*݃%£>·ÖÈ#Š1Ê“m­,1$•!W¯B£œ®‘‘rÌr�P¨—ØÞˆb'ÿ7so»kÉr‰=Á}‡ûGÀxŒ¦«ò;ø‡t`Ãc´aCj�sD�e°É�L¶À·Ÿ±"VÖé¾2Œ
g`	¢šk×É]»>2WÆŠAëÚ[�
1l©á”ù»å †³%¤iWî`4áÌ$_v„ÄO°ñ4;בe05ÅÉP}‡Àiñk§î˜V™Ë̪ŧ@d*Æ­"{1Z
-kjŠágNã^2ÍàÇÚ�w'¶¨f“öX¡RÇ°Œ}ŒvMŒë9h
-Þ©SÍ�AéWªÛ„¬ÂÞ³ÏÔ$pþ1žgÚõ+µ‹ZÌŽoš‘Œã´ òÖ°$X¬ho‹Å
Ój	 »œ_k?~–ñwÊ¡ÝQ ðl»®n`X¿wÜi*>"AóB¤ô”ÄŠ¢E¤d}qû)ÅâÜ ƒk¦-µ’F¸ÃŨ=õ½jd]†6˜‘zWÇȪe‰Îg"Þp]t<“�Þìz‰UßVò·Uñ�©ÝG–aßf6.˜?/ëMu+ø0KI¯afŸ½-Öå™%Ü„ /-Ì\A'EƬÇN+þYuØæ~®‘fÅq±4-hc�pfãBTJì",Rã¨Û% Š
-\'8îÜ…�þ!ü)2wÌjt^É$=Íà•ÛaòГ^"mövé蓤’	ú°].êë!~sHë©GsÅ{ÇÎyzS‰;m€µloïf’�ØvªÇä‡íì%—hn²á�ý÷~%3¶âF^–½£ÏV<fé©
W�+úUá[¹Tö\ðÿÕj—
óŒD°²Ì™è»ðíD :E°bÛ+®ª€Å`±îÂñ0`!ỊÉ?¤¸ºK¦uÐrqO_D¬wìØîÜ›µî®JüÄ–€Á)…	²ËÞ”�©YaÍ„uËÕ�b¸:ƒŠÎÝkÙTÇDý:-´wzâ‚X™%3¸õU¤…¿ùæ¨y¹âŽE1x%ü²+¯]ÓXœÕµ2ëÅæ_2´‰ÌmiPË!(}SuE¼i
¶é÷:¹P±°6vþUgp'�wƾþ]™�æÇhÐÒ
W#5Üw%ñÛcm~ÓSà+ÐÍðæÏ
-ݪ­&Z§Õ†]”Î…:Ov×'§_O7¸¢n[gðÍ)q0'Ž—¼Î˜‚ÙW·A"÷òï~nS¯ésëæóYåAÁì€0ïŠÑnµÎÍÑxœˆ]a `w¿ˆïžn
)ê¶èxNœÕèÆ &×­;šp#©¸Üp
-‚ô›‚vJ
-±¸*fùÌÐ>Š\Ñ+͈zŒÓ²šŒÖ¡�–9K—"]¥
-°�·ŸîNo±Ì±¬«ú@§…¢òE"ÿW´¡­P8ovZSQv»µSvâÛk¸�¯”Ý¡]pè>±qYöÊÍQ­ca±Ž�ýg›“Å5¬qÕ¢ƒôJSFØà¾	=–¯~‘jóˆ‡�hÒuðîÚmvBZæ5±Äo*J¶×~̳²¤½NkÒ²Y\
-‚Ñ&I rÊX¥ªë,¬‚‡}‰	$+˜ÎÈ5-$ÇoUÔà8ê^vFVi
]uî§[(ãL£�e=­Àà¨6Ïb¦óGXþÖM™RŽ–,®4
3ŸKÐ%1(-¬“­jgЖSÞóô%ˆµ?ÂY¥R½
-¢F
GÓa»)]‹p÷c`¨½§‘Ö¯±]=ïºÑ
-T*º‡ðÍ™‰ÞŽg~BÖÆ¿@ÂÉÀ™�e°Ûzºõ�aá˜H‰T¼»l‰Ë`�kpKÜ7U ¼¥FY©Ô7ŒG!˜0˜Í\”¼s÷>fîów.%.=òe8Ê3;çr¤›WÑHÄŽ5«ÕuµRÆáð f½¤+%.ªKMÀ¤W]-¢ážá˜ÌFQÏv”Gb{5t‰´wÂÌUŽ¾TžëíZœË”,ºåŽþö~{™�&ç~:�
f()=Ï@¯2ù‘ÝW
-« Å0rù"UëÅvÌ[!§eMjwžƒð¶$GØgØSUçHæô#‹rÇÞå]Ó»”÷‰í¶¬‡{
¨uÖS%‚&¸3\Œcæú´	o韀 Þ"–Õóï¹Ñ�'#žÁ.Y^VûÖ¾BïØëQÄÀ§ᾓX×kê
-|S—F,m§-:~_¤Œe”G=*�hº¦™ˆRÍ•D¢Ýï:{§='(ÙÇ£º{Ê8Ε'ÕU0*è:×
N@èNK+ÈA8sÛ3‘]¤ïºƒjÚã‰;H/*ý²ÔÅÜ ê‘ºå½“×»S{„\Y)Ž¤)!(šÒb¤‘y—{g06âw™vªûü±Û4¿T€›;uÛwVE_‘œdP±Ÿ±
dðÖ‘LÉŒëEVÌ\,RxÌZ¸�Õ/œi
‚
-’H~‡<•¶òX;¦LËÝ
{Êø6šÔY2OX‡ê˜¢Ë^Ú²¶Øwùøl›�à©ís`³~¸¦¸qµ'º<
 !,rP±ÄqÕ¯ÌçH€ÊxxOÙ,3\¢m�$§Äa‹r-oXkú,!¬k˜æ�<ƒQÄyvÉã€u:ÙC¸]†Da£«W¸j¤k]	Zï®æ¤-"õ�áÔm;ê§Öìç†î—ôºug¯‘8U`$SœÍV«ÉÂÐkÂ+.1˜
¼lWÁ`ÔÑëxÓšrêPxx
-�†•ºM˜œîàã÷×	aNÓ6‚	Þné,0ØÖrPîß®èx{´U&¼;-éÑ�°nŸŠº°g1•AY?klÏ{ªÝ€s�+B6=NÏksû^b/‚4‰Œøa›+æ­â¾d[Eâ�3(9™šb>¼ï&{kÏ|v-m
•KÆóLLp©ÎÈ_%Žb_Ifoqr
-fñ+=¸	Ò�éißGÖÔšei;÷ ÝÆ÷£jéûêJw?ôöný|Ç*�Çʨ¨qᑆìki½"¥Ï:û9¨2ûö³D¬äÇ·).	ÕUÚ6¤VÈ`¢ók‚ëYël]nä<-QÙwqéua_wœASþK[;´ÖeÄçJ¤ÔÖ•­ñná¾y
-�ñ#Pr)Á‰î&œ1¯Še"Øìæø1\MÂ÷ZvgÙ¨É0—	wcI?»]Bvéìu_ƒÃFAm–Ð:s/�—g/´»»\í‚AÛjœã|¡¦ —ëí$¬¿éÉ’t>ÄŸÃeˆ÷u˜[)ïxüV+—® Vø¾šî·r¿ñ
-:Wœ,n	”	ìxûð`„µ—x«©�½S~A	zìl<㪒ÚÛ;âØÀÛ»õ«#h•Ó¨a½x•‰Wª�(¾¶7#7|€[ƒfE»/)�ŒfÏ©�qaîòR… `µ‹Ñ[^D3þŒ×lHi1-*¸Wn…®�Ï‘¸f
-ÕmÕW2º›˜¹F^fwž–ã>²ºQ²…£·ì=ºÎÂՓøiRïÉï\qŠ6MgJj$w’Y)ü``ó<0Ús!#·PŠ½Ç�¸f«ÃtÚ¹3{¹Ïéf#Ì�Â4UOþŸ8m5±âg®Õ¬`?gO€Óz¨+�óQ“1)ãw¥Z}*®Î9¯ëA7ÀybSRÀú”àÙLÆ>rã+�¨–5è3çfX[tóTû
-±¨Ö�
ñqx½A¿V”žÙfÆ»ß!r}•KÜ€gÞ¹ÀCÇn	)šƒúÄòo.?õÿýó¥D¶4W6z¤^| &惲`”àÈ)ÃÈ£€†îÖ–wS
-‚-Bý:³Í!˳ÿ^æöóþ$�ÜGò¡0<u
·3xašùÎåL˜×¥`‰œÙp÷f˵y™UUËm¼ÅÆ©íÁ¼»ŒqÃQl
-u6\yîV"æ#4m
9
,¤ÔZh³cë‹îÎý[ˆMBgÉFÙq¸Ç#oÊLÜtŠ^©¬Kás<ºšÜŠ={J؃ֻ+N»Ë¹}ëѽd—` Ì·Yž×ÝýPôâN+J+ûþE�±ÐâSuß¿\¬"xÞ¼C˜Â·/úÛ‹�ãÔŽÞ¼jwÓ7‘.fd̼ǚœ¿ž»ç…nn£8¥�¡y¨a%râ8«‘{r&èzP¸µ˜`|†*ßÌÔJ$-x
-
-§h¡ñä1Z†ÍNÙl^…SLûç18ݹ÷Ñy¯Ù¶J•üe€‹·P©sÅ°DZŽŠG¾�L9¤ýÜ,ÛߥÅ'†…gxµ
-têi¯ô¶ô	<ê4«øï],\¹C0§Ü•J?V?J>}@LÓ³™¹å3Jìè�m6½på�Bn1Èï`}+ˆ$RA³F¹gè>Vœš!BzuK°ˆPŒ)¯ÃAXŒÅzv‰;‹J%ñŠ¬&Qa_‚+™q&¶
ó,EÖd+HÐô¼‰	?`/Ä"\êÈ|â¾+8@�Q·UcÝÊÚEጰ2—׆°h.mùz2èªÖAPú`ÄWIÓf÷ç\ªmW¿“9;±ß*ÏGQ$Õ˜ñÅ[£¹ eù?¶»Þj”fCàI<rŠ
-Í~jkÕ>I­iK‹²ÞmdÑœ~üÔËí£Óþ(�T.
ÙÊšpçÙªRÜÇ
-­Q3û×J¦&É–�Ç8›ûúÐÂO¨dÅ9Q6¢#ý`›W²9µ*xŠ É½Lló›„–vYj
-º¯šÿâlôÚr;3Û£'�	žYSÎ0{ΠLÏ\”Ë"¨ªãsµ!½Ú9K¢@Åðþþ@Ú¶°@�5Ä� =6»1B˜Ôgà�æJȈ­8Kþîêù¢BíÙ'=Fjç)á2*"-mÈŸ÷' Aæ§â�Ý�‚>gówWXÔ�4“žvY]
�;’º˜—-U܉«•lƘÑÈA³ŸW0›ôXoƒ ÄëýÛ)x§åù¼…ö¶:<¯‰lŽ`¾‚+3Ú)ë0OŠ¿3åÄ�Nž*«é¾Ñ:B…È(yˆ·x�wèJî¦ô}\1-ëTBÙºÒ†³�@‰‹)ç{ÎâCÓZÀÛ´:ïå>oS`:“e¸µ�¥÷)ÚÔê�'7Ù¾†g?êä¯@q·]"ŽE¶Oć“9ˆpƶ¦,s?lhsÂ�àºÏ:Ð,6ºÜ~%
©ž7ó�5»½ëI—Õì
[i	‰h¢jQ¿ÃUƶ
-IŒ+U
J€žÁQNGz(´²ÁVK!9(ñd_‡W²²Ùw®g}gIæ:Íß;§Í;V`«Ÿl6Þ5@r}J]`¶HÔ‹È6<é@tY€Y[w¿Ï¬(ÜÙR‚à²X"{�<ÀåYW(`ïÚ'S—Q­¬½…,tÛuvïkgØ=ýE©Oà…	cI~ÝÏzÂXÍ„Ä”ƒ»µ×àiY£í²Œ¾�4€Á¶ýø]Åé® óp#%•bÙ³;,ÃhÛ~ßÑ’G>ð›ïPH!›¯xBeó5WÌWî6¯ùèÁÅÆ?Ù`û\µ+É‚Äiö’�óL쬟üúâNO&‚ž—Ùg(ºåÍØB=¦�Kã›LºÎÂ1¢zËfòzM`˜Û]¼mJ õOý0Èé�¤�˜“š‚y%DR)hœÿ!
-¢Î”D7CA=ÛÃÌZþ(‹2سȌ`wÙ^ôÅpg¾œ`Ú‘Q<êBÀ·–[¦R/°&‡´ÇÞû`a—~@9°—{}û™jb6=r ¯_ÀNê«éOß�ÇUQ�¾=_†úB´Ãë²*b†Z×6%‚­ÝyýÏ_»9®Ûb�ÐŽ‹Î�4mx×_µa—œÁN^ii¬ù¥¸©ýJ�„§=SRîºÛ?ø¦›�ݹ §_e€†A-#lzô;Êq¦¼m™þ¹Ð³†�5ŠE~¼Õ̳ý:ÍØxëè‹\Å;Q¿+Ö2áE½\ÿ2„%Ö€çb«ß3»òUoIAfS·wœL!\+;{VKê
->ŽaI½<¤âº¶åNV«Qâ’PÍhI0¿‡>TUËråù¬}GU·+TY$“Ú“‰uE"õMǶyO‡[¶è彄0ž+c¸}=¹+9Êc=îʯKÇ•óeØnw36º~wÂÞ:F¹³?iôœ)ïÓ2ÕÒŽ�­SWËÔS–côï/£.Œ
-\÷ƒÑ=š…àtÈq$/Ë)8’Z	1ºü	Òå(	ÚŽ‘’4ØO3H3~�)ŒØ5Ë#�T¨~ZMÎÌÌ·†ëÿ»ð¤VS#eÊø2Õí
ÜË�¬Ã:é/¯ŒSj% ,«
-zrH{f|xnƒ©¹Ùóú¸O_Òý!ûƒðrÁý
©’CòÓ0!vzdÙF.!#r-‡“vs]éƒ1…³²IÍqz€ÜáÞ a[£ÛwÁa9„«³û•Ð¯Ë¼#z¬n¯Cr3#�û×Cº�Ÿ�™�f´ ä40Ý‹UÎœ³TÉ›QÏÔ©F;
¶LÅÅS„•òÌälàËR÷)×ßþºg“ Ï`ä/óžcœRõ´O*ƒ)quv=|4»Nlyl‹ç¶<‚ÃÇLêqV6b?F]©ó1ŽªŽœg9p'ÏÊmËc‚¥£ƒ's©Ò‚ØïŠÂ8Üâ$Ý�¯ÖJ¾ö°Ð)ƒ6¶åj ­ˆõ,‘z=\Ù>-�æ†<"Ö	åMÿ°:³îK¢XÙÀ2ÃJ,µ>.Ëå—¸&	c�	¾æÍ~v,¼Ân@b~:¶C1üyÏ¿t�3¸Ó…á>ökwú5¸¨óè¢Æ/Í3(�«]g�n»Z§š|J×OiB„¯<öàx·Ê%+ûÖŽŸÏ–4ƒ¾=�Ö¶ÝÇ]Òu#¯AÉŠ¥î¶Ï@‚7<['—^eeͪ`ñ	¢à8õ²õ$
-I|{ìyaƒ-8`ªQEÖí1ãP'¨‹ÇÞ¼ô35a®­²)?�W;äuÉä`³e…«bx9(ÔobÚ…LP�‡ðøØ-ÚœÉÓ#ÔŠ}·¡È}Iº�ç:,?‡°$á汤G‘Hݨrôù¦«+ªÄ:ezj‹r‚œ=ó³Û�/èRfAódå
=>ȼÚ[)÷\ǯÚÕ\üI²Âc`…mK‰n8>ÿÛNÏô+)Ýn,_®°™B¬ØQwKZ¯/ªzuÅ)À´1²[ùò¶QvhO©íí¤€�ØAÛ±df¯ðöO’XQ{iM•FÈôݶy÷~
-ö….Ù�ãP9,å°Êw¸H‚ébÚ/[óÎSKJaIw¢‘­žÓÕ€–â;ÖJ<"QC‹›üäh+╆f¾5nŸš9f
ÀPÁd+Þ†Ræ8”˜¬’Í{ÛôÆ"
-öè]ü¢4V)ûxø¶!b¡€tšZÒŒ[UlØÛtUBêº|3úçìÇ/Ëþ
ª‚ñ±
DgÙ(à#4îG©D•dÐfÖÑö)Û
k`JHbrWz™À"±�ñá6.?ããÎ
R_Ƈ<(¿é.èõWŠ<ò˶‚ÄolÜŽæÕ¾[�Ç4„õ™ÃîÀú1êF9 ôBp2ËÞ¥xIÂ/�„–ZPÌcC„ü´´SfÐ&�½iü1+/#2ü#ˆ¼Õ)ˆc�—ÌËjÏöôÎnÙ�~s*Ç6¬£˜W¦³6¨H#‡ôŒ'*±/pÌx5z€_Gï¨0}
-ÕØÀné|×Wj3[ŠçÁnFöçáëƒ'Ï+¾Tê"ìCŠA¬ÙÅF‚Œ¹²› QðÙ—Æm÷Þ!©ÌRÈ«nÏ‘ðÙ©XÍÒo_ióvÅvoÔ|N—›ÚqÜD²®	��ÐS§7lmßø1⥴q®Š•4þÌ>?¢>è÷Èýb+lJÏ),!iLÉ~áäÇÞ·µh=%´skÜm…”}%L4R¹Ayb#ˆe;òâêÆ9‡#‡–�ù{—úü:5^"�¿.6ðâGDéAövðH&ïÚè
"û:fŠxï®Qµ¹Â‰a¼	Ÿµ=Q“/)'clO„�~jÁ«‘‡Ù¤ön¬†
-]Ü»‰Ís�D?’»¹&¸b+µ¯ùy¬_—S(àÄ� �kN¡nk¦t²§X°BÐY˜Tš#%¹£ˆû\Z‘ÍzÞ‘³ѱBnÀ^âkŠ,.Z¡�Ü‘¡‡b¶fE:DXpãÌ–ç%îÀâÛn`Z[Yë,qfÛ\jÌ{ÁWD&�@C—.ú½ŒTÍ4:ãwÅB8ÕöóMdžÚš@�kwÅäPÐþ‡`•Qr\•Èfq·-sçX�ØŽ*ÔaMÎL$#φ˜P ¡3)€ûJ|Áæö
- ÅZ†uB’o;]šfÉJ/ƒ—RÃc¸±Ó[c
-qÒ^!¦ñ™êÚ›Êô‘x÷zÓó¨ŽE„Ã“"D¬*‡M‰Œ²8‚§N
-–]ÚÔ¡Ñ{˜¬ÎŒÞIõB-yÇžá=ºeQKPs	yx<œêí†,%¦·w=ˆmζe©…k-&­V¯åŠÍOpÓ˜S¨ÃqMD'cÅä*
-ªÌ¼®cùÈ(j9AŠäDl&¨R®;gŸèøf°ø$íöã±Úí±”k
-cƒèàÛOGA±§ï'`šÀ»×ÌVt¬íÍ'îÏß•´ˆò«Ú¶¼B»2××^Ì°Ž¼Mú5¬8•;ƒw{�ãI�àã±ÊÔ÷�d¤uZ¯ï˜_#Ë܆ Áùu±h§&æ}ìBöƒ2|i«¡úN¸�Ë\f·ºQg°I–˜ó»e+¬_i*
Iö…îœAý?Á·Ÿ¾ÇwǦ¥’jÓî®eàÖÔ,�4ç2¸‘öDê6U«`áaP];e0ΠÇÛöñØjz.JcŽÿ¢|,Í¡Þl\½é©ß;uDç^%ú­YŽòðòC8šžÇÞž
ibtg›¶fƒ0Ú»QÞ oÑi¤WÔˆêïí‘Ai€(øö“Ã×pxØJû”Kwº	W ŒI‘½`§Û•oÕÛ=w!x�õúJt´=�EêSEDxôÊ3Õ;AWмªÏäS“>àB`#ƒñ$;ø&œ[/#rÁ–Ž>òPÅ#©]/J¬±og0…<«[T,!ÇNUÚLDH˜™‚o?9å³Ç±É¤áPõNXìž©¦>?ìWæ÷ÛÞ˜™æV
1%’o[¶Í§üž³ÒÇ’Ó%µT�OÜ÷ï˜ù¦rì$/sOšIxÃ6b�±ÃÌ0›ØAS¬�³>Žm	<Mz{Mï½Cœ˜bº�|ù\7ê&Lºân^XÏKc�´¶ö�K¤6mC”
¥ñ}L^|WÌÍñ]ª°ŠÞMw{-¶:²:�#ÁI
-ª‚öÓÝPhŠ®�²Œ»úâh‹üE­@f[;î€Sf¢qtœ/‚"¦€"w`ÞfJ?[Út}_;ÁmÞS’B¶]ñx�Å|
-TÌém2¿Ñ
óñ!bçg¡©J—ÇfS]d¾âÌ�ÒÊwì»PÔ
6fè
-TÙ(­^nøšÁ1I*"SCîaK´N{¨,6ïífwã¾Ï´ò}xÞºêÏá¬~7
 R#Mjºîðt1»Å¸Ã¸•ÊU8è6—¢)ljûÿ¦çQm´óX¼m9¥Ì#_Äæ¼[NEÿùÛQ|UQÀ¶y¤(�žAÝ�åϸ
-yŠêZ¢½¹�<�¬0,ñ}���L„—õòÄ'Äaxéjù¦W-ü½4”A©RÛþ\�có4Œ ’ë.åIéQþæ ïáÈëò8V@Ú`Lç&°I³,Kéæ¦�ó-©[N¶Æ7­KE}Ê»9èÒôÚÆjæ�
-%À÷‚=‡òC¿
ú)£qðM3»y!=�eøå£ftÀ–+nâz¤á ¤ëÒµRtÑ{ˆ†F‘À!(~¨‚iC~ø…™œÀÔâ1„éû•É�øî>Û¹ùFÝUÖ+U³×•2wCÍAWÛZBPÌEÀò8«p™%5pÔ£uþA·wÙ°®�i•,n¯l»¨x0ÎE…%&ƒ¤Æ¦>K¸€–äرR-G�,ÌÆÚ¶ŽÐ?R¥ ù­šƒÕÜ°ê Ó¹">�µÃ.p4»þ¬âµŠÁ¢épåÖÍaƒø°ŽH9.]l³™Úl×–ïÐâcøX7]‰ïi2ˆ ›(N79‘û»<vî½íI¡ýõ|}š+`óS�ËWù	Óûi	Š4úL“ª>lº•‚‘Ã1jH"èg$ìQr[Bß…¼
-Õ
-T»³ë	k]è’c{ÛaP Á¸žÔiðÇóJ;N™Œzº)wb¨5`à,±G	�:%ÊuS,b/ö@ûÆÿ{Wa’Ûè—•báŠ5Ÿ݇q´.YU¾†dñÅÓZÙcA¾)
²a–4^ªbhº¹¤¯=€ðRR'ÔÝšÑ?’ùþp¯Ã`WÏ."’
-le–Ѥ]Œ°k€d¨VLU¿!ë´iÂ:Éæjf°Q.I$Ò†Å
áÜ^7¾�3æmÛÕüÐóç/Õ"‰Y±&j,W‚¾EÞ-à´èt1‘ðeÓ$ÛÛ-#ñe}ûlµ«¿’{ÛcšÊîóË…¥2ºwõL=hDEá›öß"Ä‚#êýwÉUN�*îTïÉÚ·½Én´t§à!T&¶»®¬¾‚è †
-Æ“€Ùñ³aqIGôI
-u»\J$çЄXÙx`©
-V¾�³Š¼^›bËnR“�¡Ö "ÅÚVM€„s)ê"Aþ³QF=7ÛÝzªã˜’ù¬@C
-*ðÔ;-dcŽâp7yWíEóˆðíd7LñÝýª“8®¦wÞƪ�Ê@@SçÝÁ¼�Ãýó�c¥ÑHt9ŠV ^ª>Ѓ¸ý®¹J"d$ÚDqû4ˆNµÀFPä{
˜ªh5ÅDúôlV˜Ç·
-ÛQãtÚa’Ý+\tÚ˜“Æ•ØŸV©ˆùû¥8Ìh5PYjQEm“11Š°$Xœ&_óƒ%{Xš?—#5½*h˜Ð¢VŽUÏ�·êßOÞXÆ|ý¯˜ÝΑx°«i�K¤àÞ±-rÐ/�KñûPt1µÝÖˆ2Ì9íŽÈàã
0±æK€{™-༿
-J
-æÑÎC¸õþݱÃîˆó(•Ï”ئtÕ½ó=ÿ³g¹¸HÕ‹±xÝ;q£�ÅýˆÜÜW-›­%V>´8T3#ÌV�øz¿ÄÅ-‚H´®’1_Àó
-‘6Ê*YxØmã¡Y:¼ÜŒ'¹úðrÁ9
-±z¥‰˜Š�øù—GG_SÖ뾃G_ÞD}+ƒýö¯À+õxt^®âQ¤üuS¿*¬ª
-ÎVb?4Ž›ÚMN;ÄYdFdÙx&n»›Ž‘~˜W¢‘#jàq`‰zØ98ë—•~®fm¨Û_Ÿ„{V�Ä=��í$ŒY׳¦öâ"Œyö[·¿É$°™]†£'[†mx׈]“ã;wè·](XA«"ZqتB
Éâ©^ÒÉ£=8
܇,
N¹,µ‡4@N‹å…hU«y	$>’‚™*TŽ	èÖ<­DÁøû'ÐZ ÂÊN°ÚÄÞeHI^×`L
y=[pZÞÃJÍ1×ïªÇçr&B*ìÍó²x;·Þ”=Ø�¬ª¹»ö0‹g¶ëSó8óÁêiÈØ¡'Áö¨$› Us«‡
†�nRŠœUŸÖÈ©y{Ÿ„k ú)R­È„¨
5�"ú«ÚC¢¥�†ŸŽîÕte3Ï~·aK¸�¤§ìï,ùŠ¾žÑ“êÁ`уÌ&	gÉêi¬äl²Zýw´¤í#	jù(tM5¨ä	r5—º
-'VëÈÎ
-h1ŸÑÌoÞÊ<Ž­ê�Q”KU¨Ô�±Ó+ì7ºÇuGD"o�J®yR¢&�“¬®¼º÷+Ö—Õ€ ¾ÆŠæz€þm3‰NûÌíó¨¥.Û±G~ ú–rï1!(«˜Y;�"Â .n|µN' Öá¦ûKg¶í¼·zà¹@¼gg˸Q]éîŽ^s=¿+`C+ôèŸb…Lƒj/�úž�*Òò©Kʪ¯/Ð˺3KcðRBÆTÑØØH¹H1†	®…å5X'xûÈ’»
€k*Û-~Q›
ÈÚ"¹«Í4¸®k%¯0F\W·Å&‚ª
üá?>‰Òõ
-¶T¿òT)~`a7‹GìeVÕ 
p©psÛóûou¢·$q�Â{·�óÇáê:è�—_ªÇ±Ë>ƒ³¤t=–†‡lôJ´¹>Áa6ÙæY�_ÁvpiñÖïRÅ¥dý”{Çêåq·s
\V-¹­’÷àNzÌJQð)+<?‡¬6E2!ú&-�%9
ÀÃÁÇæÓ]ëåP†·)îó¸?f_� ¯�ØÿÏc‘.º��Bït6P¢‹Æp“K&Ë”´
©+•xoï�à[ÞÅk}wì°ì.õ%ð–)
-
îD¸ô(Ó³ð¤$J:¢È”ůîVÈ)$=ïO
pÍX3´�î§|w%ú9Î<ûì³ å`½ÝS„™fÀÔ*‘ÀØПf
N¸=3ëÙÌ)maN¾1o�e»²]D<Ü8Ž�-.=÷ü÷$%Gl]žý•(’Íå=À†¾+k�Ûrr6¦Ó¢íEÕË\÷ˆ¸öS«ƒ�ñmö›=72áà"®ìÉG¶ú1uúï/×–Mbê¡úœ´Có5•©ÅãSé6‚§ké5¹Jͱ'~²ÊC0×JCl·Úþ­‡ÍQ~e>šäÉ¿ºÉ,ì?ý¾8_Ó~…Ì77­ŸçÂÒ
#¬¿2_ôe)”À÷¬ ,
N×/÷ÉÎWMOíP#å㬾5MDÐö	Ìå"Ä6ˆv(öçÕD0’¾šëd̃³èC«¼bpuôßÏ¡©˜Ø³SveF+Ëÿ÷AãF„…Î
-ÐïºÜŒÒ…å”Ç“LbiW¸ÔIMfÂ
-’0{¯Ž­åò˜_ÐR]²Äræ30|VÜ¿Àd.!žlÌ:*#åaÚŒðèß[ݳ8Kb„…#Ê^sPj…ê¥<uèʺ>63t·=ø	5{"R·ºÃ‘r‚Å;ôÔø~µÃâµ°Î�Ru<Ö8]fLåQ®aЛ%´�ůÝ�@7ö9·g¾ƒð
-Þ§Ä�5(ÆSœô�xGðñ´§,æÛ âà?‚‘IŒ4`Ð
“eImÓ4ƒ\j[nÜt4DŠw5{ùZ~Õò r»×§±wè­
-ØòꆴS‰í
-MÛo¶cÅ‹‹îsT~¼^�»ø_Ñ®ûÿåsý»ÿþõÿúO¯ÿ€›÷ë?ÿs)ð°õþ«¿]³d�Óù–ëW}°Ó]x¥ w­æiBÁ¼Ø/qt½E½¿ypÑsÊئçpŒ–~<«ø`ŠüWÑ#Ví;7͵›@	�ÂÊMoÑŒ$ ÉOZ²t�qÝ3PmtÀ`¿°<Ç]Ùø ž«
-þ ö‚1DTâ*ÀÚ¡/c¡ý-‡À3ˆcMI¯èl:vé!8ä’Ç+IJ0…ëð¥Ë­YûÄ«NØŒG7ÔR&ǾCÜÁ[†Lã’oѯ56}Íg|`Õª:´z#¸•^W´OžE5í+†êcÇV	¯†Ã´òweŸ�‚ÁÝ:W¨+îº}m±AcÐÛ/Þ§LÓ÷¼Õ!c9(%µ›:TxhöEêýå<+¾pØ2nàÅ»:C{æ[þÀ:ÄfâViºplº£ñÚÇ�LÄÞó~Ħ™ß¥�Qžÿæ�ÛD‰&ë’×^’ �¿èas×[Q—‚\}÷-„2`‹£ô·�‡É§:7=Pãh˜Dðîãƒ)ið)Çv€gÓ	‡]‡èNîñA—lY§gd� ýÞ\ñöï yˆ¦<j\+¸&ŸõÁjE\þpØ×Ö=òÎ銴¸ÑOÁSOÅÊÖ·m´òú<¦ücùÁOE©´”º±A:X!¨j©‡¨×(ñ¨XòŸ¾¼ñüMî>ÕRÄç…é|Œ€
o=.ê^‚\3iç<15*Á(—R.|*
J9°I8¸»Ù0üiÆ¥öM=0ô	Œc
Òpêí ^iYrˆÃn†JE~
¶Ä¶­!Î÷÷ü-‡3~p©?§ÄÄS“e<G(3bR{<#”î¦�&êA!cÐ)ESÅÞwyñÊPtÖhÇ3«x“Ô4߃ªò~FX÷ö;�ÞÛCˆvBYò±Gž“᮸ÍÛW"š˜c¢Y's‚ìs9÷£ïÇ:‹rûè–ªô
 øz?žglA¾H�ôæ
·àmâœîÐ~×W|@‰¢V
-
-TÑü¾Óí‰ÁhFe°�ÇRëÝf4)æïm˜�8Ö¦ÈÊãF×O&2ùñú»"(2˖έ¯Ã²ó	$Õ´Ý"éÙã‹Ž†“@ì㧛}²Ìg"dØo²ÈËÇK]t(aÑòX^šã”ëy@iÊ9u°µ°`»ÃIÊäÝCDöE„¡eÆÁ¿­`QŠGðµù,:3Ý}¤V=O÷1ëÜõùšÜwÌV[8A	U5�\ÁmÏ!òÕæ�]û!ü5I¾ºÂ·½•9BÉñ]ŠGŽ[�ä`øÅæø¼[\Ãlæ-‡ˆÎxb-1·¿†ÄÞ¥hã¡ËSÔ‘ÁÒ
0½ôW>ÓµM‘å.ó
”qߪß¼­¬rÇž>‚^a$$§§¥^ªZñ¼c
-.;ž²xÞ‚6‚ÅÚÚ¡¾ç¬að‚v•Ú‡¦›8‰š†A�ÎC]ÛC¤Î¾0¶VBÁì¼›^[q´@z4eÊÁÐXE³'vìßÎÑ…0=º×‚*„3­Â~‘Õ¼æ<€Í
-¾^OßAb•—†¦
-4tºî˜«�Ì•˜Ø¯`ɼå=‡�&Á®L%ù#Ôݸë´ÒË×ßç°\¢Àuˆ(eT›Ùx—HõnW
-Üo7¼ívûº³¡® ÄÒ~%­.ÞøÚcsK9¡¾ä‰ÄÄEIþØ62¼gp&ÀlùvŽæ -BjÖÓ—¢ÏË£z"=–o‰83(àâþŸã•d¯ø@l…×ÕÀ壃ƒÇS<H0~ËÊ¥®àý¿Sðkî*»[[ë
-ïð’|û%IŠ·�ÞwRBÛųs¹Í¬E-7÷|0å`½S,óÞVƒ±c‚Ì­é•<Ž¾2¨ufÇtzZ¡cîħ¦RD,˲íô	ˆçîæÁ;­»ì|òn
-XSTaÄï‹%‚2J\ž
-1„dø�°7®UÄ´×üHѶòÄ	ð
ñ�ø`�­£+Á>AËCð•DÊ–ÀüYîD‚^ÉšÁº»†•ßæöZì«^CçÇ'
tmèḗ–Wàs~l%ý† <(ý6ÏI
-š3‡�#¨ÉÁî.,[*/‚�}t?üŽja	"±ÞªtDP«‚š4ÚÇç
-³xѽ9“÷‘z½º—svH_Ôz~?<g8=G0ˆIàNíÛT–«ëÁ…xÏ!¹ÃÊ
ˆgÑ«\O†oRŠˆAãÛ«sr>ÇmdJÚ3x/�»äÞ];	¥å›ùî¼>½ëömI* õ,²(x†à$�K�]rÇR†g�á{*k4ÌY¡E–ù`ðA(o­‰)T—P™:‹m~>º<‘�!fŠvRùs>÷ÊŽçÉò£#·šbü:Ÿ.[c½&ŸË·Ð?™^~9�buÏ­:p9Ü…9ƒ·úíÜpõQOs3ð„õlp¦–Í'íAÜc;Ãâ$÷ sZU.ÀÓz©!•€zšVÕ“0¡@sÛµJÎŽØ5ÙÉbàÐëÖ‘ôÆ=Û´UÜ¿K¼àì¦%¾„¾Ü ŽPWxgðvhݾ…
-H{¢Ï9'ˆO»‰áÓLu±š[ØÊ€}!zàIÜÐÝÖ…-R”Œ Ds0K«Çµ °|Z¤ò~­ŒÕ-Ùz^ä3Â7Š¤éuAJ’ÖÁU–‚Ÿƒ~›�ýªœ‰�z#‚ò«¢”P³ÆØy™©$+Öšú:¯‡ë>Û¢=îiEØ#¬t§–3mûJ,å±ñ�´Wâ
gœyŠÞû´¢´ªÞŽ–íL2s0ÂM+U_
ëÄPW*n̆ÅO¡ÃÀð
tß0W›´f×`Òø£^Ó)1°�„¸Ä€\q£ëÝ«5UÆv?'¥º<ÄzôtŽ‘š&véÁ3Šàè›díÎC¤&ÚxŽÒ‰<±(Õx¹–d{ài¢±-×ÕÝã6¶{çúrКZ+­ÝÙPw¨+çòQŸ=8Òï+6Ñ_ò²I
-¥KwósžÉèLµú²q'%ÕÔ|
ꯋT+6˜¸Æã>ðÁ=4Ô´Þx%Š¹årŠþ׃Ë{þ|t÷Â*3$!Ùp¡H
-z¡Ñ·ÿ-�Ë
Þ·HÉx�–…_-¯–iʇÎÇúŽ_¨.’•­d½<¤*-ðÝ‹UŒíÐ÷žga•;õ´{uubŠ‘æ_xQ{¨hiˆ^u	8¿àŸ]Yu\Ùú5rÙÆó1̦e"ZÕ¢±©;KÌŠ¶PwSˆ›W¸=ô@û—Oâ¶3´Y‘îTO¤Šòôi.˦Ão91¶D«ÞÑ
rYgΚÃFh(ºÎŠÅ$üö]ïûH8iDÅ:‚´·ãSB߯ët—<-{/Ó™¼êjhÊæ¾MŠjjÎå ö;¸ b{cˆÙå_aû)¬—Õi£ð J$k<�bU³Ÿª?{ÝLÅ
ôr•T6¿ªýêÉ>5!0}ù�šËj*m� ;Æ’@ßrÙm©Pé†CX	õfg&M^ôîé<Æcˆ"÷§yZz{4{�oz8Ÿ!z)ðÁÎÅßmz#i¥?˜œÜv>2éEp[?2×þ4œJÇ=DIsF£LÜ�¡7~¦ð8ƒ»<‚oçö…&ËÇ£å:N¸bÀ×ò¦q™í½åóbÑÆõ`)Bf!öéôš‡¼³õyø“¸°K®Dân024ìj|�oi8/ÿ£„Ú�Ž[A§Arö]—Õñü÷E¶êW$dz³wà÷wúSH«©R'c¿îmÛkÇb	ªEAMŠç8‰2Uôz�?ø#¦ËVù}Ó€Ó)e,šQ¸ŠKêÄ[Ne4UZ,7JI³©jCnEp]û1Ä5‡JTö¥¦³®í‰,d‹EOžçE.2ž:ƒûGÅIâ¾]
…“ïÜ:Û¾ÙZª\�vWWd;Ï÷RLóî!­<ãð¶Ây©ÈåVÖAóPŸ…Éæ©„…/»Ïä[¬/Ž¡õ
-¨b=ZûDEE#¨(!Ò•~G1tÆ#Û³;PÓ:m#ãg ;ú¾«h*¼méG'Ç$Ïàƒ+r°Ä¤ªÝ/5r6Õ…À”ÕER{fY¯^§4ô�7Eh}Î`‹‰ÁP½CЫN¢-W8–¨°^)g÷`ÞÖ“e}R½_¦?ó1™dqz¾ºäH_Ã>À-/í²”ó]_�`]lóŽ¸x5lh
é7<
ZA™</ûÑéœJ9xµØVÓac*;
9õ¶Lü–¿¶‚QþÝjÞývŽÖýê&¦á¥“ª'Êá»,+
í™P?¶ cìÿ3ÑFnåÈýåk¯þt¶$¹?ýa&Gí`ŽOñH�kˆî�8?”1‘p?©îØèû§_gJßî!b«Åþiv‘Ó–Rkß&×?ª#Üìl}à¦\l·†ƒ®šMÊñ‰ŠßN“$ÄeEje–ûsÄêbòÊ6ù~èÅÓ©¢?þÞ|Ïä»s
-ÖCCuÙȲ˜VZ'\jÂq­a[c‹–¿Ë.!eõá/¼mÜAô™Áþì„Û.j®3«`ЋƒRR
-<*Õ£ú¾ŽTaæ¾Ù‚Â?<2ÏÛ´ 7ŽPKùšÌvkC¥2ïn&B KPÕÆ�*^lÆGèúø7‰jèH¡´¢ìKGw�«›ÁÓoF�um‡�ÈÚ;6Þj3ø’_¸"Ÿ[õŒÓ{=óù|1„|iL? ÆGæ:š�U�îN[<Jb~¼lÏw”¶}š‘(Lö5ß!ÏÂ;…N@
WËö*îy]ü�SC›:@8ÛýúŒÝb?z,9
Œª	ó,wv�S‡Öøea<òzÎòúÚóXBNY
-ÃÇ£í·Zò�¦ÄO
-Þ�€Éïi™ÂaŽ£ŽçÝe´†ObŽ3].�¢¢WÓ5C–%µ&AÔŒµ}»Ûã^	�?Ð^	W"	gŸ4ÂÚþ®¾C¼23}¥ç¡]ÅK´lüâýxÞ¬å�1PÜ×Jô5ãÂ+褔–*
Ôä +v‹eëÝI^iŠý•´ÿÀ×-ûåJ¶˜©Â4ÛïQ Gº0í5JÊ<]ªÔ”B
-^¼GE?z»-ÙË~źò¢úGÏžJ궿$ŸÁ¾JôÑ�!,:rgS=‚ÍÁfěӎà<
ü@Ñ>ýmMz!wjÓà°»ßùñ<…€ ©Ó¤,‰:+/¥P„E-ü œÒî:�½xTåÔ¥ÝV^JBp+dšž?�µO6›÷‘e½ÞÔìè7š—féÈÙû‡_Á´™H¨ót§ÍwïçyyÉÆ×òÞS¯.;zwW‹ŸÛa ‚²†0,l#¸¶ƒÏæá‘}ÙN?Ý
�-pà£ü®(ùbÃÞ>ô÷Ä~ÜØÊà­­5]ú4Dˆs+z}ðA_ú@×ùÙ-yQoéµôø!ÍxŒä2H��\ M P†Šë¾?²Ø¡at£¹ùMKCp5Þ<n5BƒÝ­‡`êÞýA´¢@0ióN²úŠ2vd¨í~!~7¶f!i�`½Œ ëÍaPÛÓ+X×ï9„7¾×iÞæÚP\Wø?ƒ§åèZ‰*~`Æ£„ïG@ABWxjçrz‡[=‘ñ6)¯ÂÿcXƒÇë…âN5ÝWÉ£÷TP^W<‰r5ÙŸMþ¯9IoH·Öôd>͇‡1A¸ ôçïhÍ-úIYÆsxi\zÜüÂ[úx�Ah�¤å?ô龋1(ã†>¸Ú‘ÔÛå>Q6œw4=
-éEÀ.Š÷›¥¢ƒ8¤“ø�]È‚xò8ß9m’íßöMZѾ8ç:<‚(�X¿f-ß][lŒ5%_!À‰¤¦7ìÇ›ûöÓ¿ÿUîýÏyÞ~“;b˦\QÞüš¼NÒùLõ¶Â‹�>++}ëþ”_•”m@¼²‡Ô·Ëhß{éY¸åqÌÙj8sÞ–d—ªÂÜj|~|0óƒÔí] "³Ô–i�Ážçs~ÐÛ°ìÈ>,%xé©–7£Ûlw›ï‘Æð¸wzäzZ}	H¹ÎÙÕhqMvÄ0c†]Ñ®m˜
DžÌeežÇlK­¡ßƒ×è{·yþ
-CŠ
|ÏIô¶ (\¿2¦Ô'T'ÿOì½iÔeWY.škß•^9ƒö ”
�Jfß WH¿„` &FHŠ/%	ÔWÁ¤È@¤ï2è	 Â@Q¹Ò*¹4Ñãà¢`/W¢¢"Øà ‡Üý6Ï;çÚ{å’q~Üœƒ�9÷7ךkÍ5çÛ<ïó°H9Œ2
�)ä¿\7®*ÇÅ
-AŸþbä‹V6•âûÈ"_MKQØ� Þb©M	½wí‹Tnšc×/¾´Ê‹pR(MÏÎ.d¶h$s’•éª±e‚¤‰2—mÙwÕFù_Ö<9kïW»úêÕ}]qõÞš‘BöÈê�·ÕB”íT1]ˆÌ� º�zV�� 9”)¬DgH	¼B†ßÎ4á`BUÂ,NÁî©e Å]uJu‘ŠÂmA5¡>SA©@*Á´Ào#úø·šýˆøUŸ,³Ö²
àC6z“]ˆ‹å·¦ Uô‡QPóÀRù@ÊÚ+X¶q¹¬Æ(!B91
Šz)3!6Ê I³PŽ6ÄÕ:
-S¸1Bq”	(þ^1¼…°ÑXì’ÉÎRʹ"èTÛ’ßíl¼ÄÝíïöø�«U*X«ÿ»VŠˆÒn0
-ÛPºY0ñ!>9‹šÎEÅʸٕ†X¾ê3ÍYAȱÊ(èn×™9eÍð¸Td¿=vÎ
î¡_¦‰‡M¦B3
·%{»œâlHh&�jt¤¶‚º}ü}Éúh”K@ ¡
Ä�Åàp±Á£™Èßg�sI8kðµ») ç:0dÐÄãV<B×ÌûŽ>-­%éZ⺣¿ŽŠBͲ<ðr¢¾³<rû5ê“Õ/÷ÈÚÛ-²œiÞ£é—[§F`±ì‚V'ó¶¢ÕAT‘+ù‰lÒ¶�Ûf®]
½Ê7"65±¡Ká	åï/CÙ¾($˜³cRÊ"‡ø oå�ìøZ³;BÒIèókd£á�Ìܸbnk—‡x|³¹Z(j4Ú°‹ÆìTŠ‹Šd«l5UlW«¶ìh§ÚØ'3é¤ëö9¾QÚ}lÿU&^6ƒ,:Ë4+Òˆ]"ƒÃQöjÀú²àUŽo6'lëÍV×Ö6S‚¬ ßäflÀ
¢�ÓwÇÊ�@ùùñnƒaü²ÄJuWEpjÔê:‚ÚÙ¼~…Õ…M"�3h¬ùlª|›'XkÖ“�Yù<<GÚc!¨¤:DQ¬È>vA oêSUé*™Ê;&[ÍúSoüÄhAâwB
1Ë3sS—Š4_z°49îQô;Tõ[!ÄG�ܯŸÆÉè&”ÎœD]t
-`z€Ý**>¹Q {Ò<`Ÿû¸†è/~‚ð[ÿ+&0KèaN�â¬@†Ì©r	ÑLd vº­®	ÆS5i“mâª�#ÍZÏU»½Ö	±²±bw·/dlJE0…rÆ:?ÂÅâö3/¿¢ãRLŸ¯�ª¦àå&j!a|’z½:Yp-C‚šKµRÓk™^â<À8u¨+Ëf£Ëó¸:`ü‰³V^{WÖ‘»Ð0d¬oDTO4,“¥ù¦oÒUchÒšìÞ-ÝÃQf¸(–÷§Xœ*›I^ˆ�9rcÇ
-|O�&„¬¢Œ°ÌŽ0¸p¸þ¦a=Å„›ÕÙðQ;(2D®|Ä©å¦0…S\[³ ICÖA!2ÉuEºn<8ßäO<H-º×,�…Ë'•¿J²áà¡HâÔ~¹£Í\"è%	r/wnO¼˜ñ™õI°„ÉåОâ•q/Ö–‘eòª=n'4BÂËE˜{´´t¹hˆW!×�ÉIuûkvÿE®¿‹eÜK‡ñ„ŸF]¯YDÿ¶­÷Ý­_�dÄïÈ¿B5�˜j�•sºr…êÉ@°…§’R³œœ,½!z­dÞé‚ëθwÉ&žØø,ß®½t\hÆ€Œ ªæ9Ÿ"ÖÌ`ÒãÀ–­kº*^Ï�.*ÞÅ¡0Ž)‹
Õœ=®»x.\!A¿Õ*GÀÄ0‰À7]ÉÌÖ9”«�T…š¡r]`¯aÖ±W~2årŠc
-^uPgp}þšfž�¤ŒÅ@ãå›â
³‘ˆ#VÂh‡u>7Wl¸¸R’å ƒ
-d€>TÄÑh9U�¤Ÿ*^s«0ôrÍQËšS—¦©eñCBœ¦A›¼e34ȧ«EÐUÍ“Ö«r.„Ù%
-ÂhÍÍüõïØø5½_4+j�ŠÜäMâèAy=š§àQQÊt-ˆ—Išt±«0åˆ^xà²ØùQJ^?<Í&¬Â²jªÉfÓC
-æ¸TvË<|+´nð#ŠV_,YÆ�jÃjSÀg‚4{³ï‘�P%¦À7¨ÚÊQ¯”lŒÖXogwCwv•¯`œ™}üüåb_k–Æ v‰žØÚ¼<FôÐÂoqjd{g\ƒWüÔx-Î’
-‹pÇ»i.ÞY.Eú»]ïvøj3"»:9D�Q:gÕBì³ÁRõŒêb‚Àâ)®éÍe;§qît{»d�©mÕ‡ƒÈGŸš%Ýïf¦³@úÆ—»»ýƒé&XžUö�=µrÕø%°@eó%Þ3lXp0:æ,BÞ+”Ô`�’
-ZÕC\B…fB†":¡¤s]9éÌÍ×}í'©@‚ R7Á5’"*R¹Ó¤PWp—è¥CïÉÛbÎhðJwÍ�®»
T;%$#8æ•Lª*t�o¶9•‘‚."ý¶ƒ�/ACÌMŸøˆ�ÕÓªwê´Ö‰^Æ…ð/Ù‘¾V£'¹9ýFõlàøš„J8Ê_‹b½4ÍL"7š¡;´±41w­þ4ëÍ6¹ê—hìBÕÚ«¡¸yÆû‚º$)ipFM+¶£u+·³µÑºi�1ŒÅé ö5/›­À´ Ù6u9 nÔ,´Œô4ÕÚRª±1—@Ñ
-Œ™•~(\ ¸sVëÀl)hPôS<d2Z´€ÂGA
m’W¯
- ´oé1Í
-²tÔc:+‘Jvþ6wjÝ»íU�i{Nê%+¸±˜m´ûdRt<•ÕîŠC†""HÄN	W‹qägõ®á…ãÖlÕ؊ޣƈ¢n+ÑnFDd:ÐúÎsÐz‚j)�ïp±IÀ›Ñ 3Á.¢«¢é§ËÞÒ•Õ–²11Ugê{q	Ü®~xºÑPT, 4P94(¨öÃ.ÊÌâ—Z¦€<}á5gwÕC%²$0u¢ aãÃßݺÐ6ñ¥*þïrÍêÿ\Ãå§÷c€/«Àó¨Õaeb‹Ú³ïJ'kCñ·ÊÂ2QyEñ&"mAä;PüÍTÛúk”uqI¦×��Ö‡E¡Að̃fÕÚAÀšúB<d.dÄ«úU8¬†›™QG‘
-t;UPš«t
-æÁÄn\=Ä	�‰eÕE-ä uíQÃÌbàªþÑž¢ÖØ¡D¹Ñ0•„4Ž›î�oá{4¿²›0×xS™Ù]ÉZ¸kåãP„Óæ›ÎN7jÑÔ$§×ǪeS)Àu¢"®�
-Šòó*ãE�lè�{p¤‚ŒÆݱ¥Q�,�f4À]û+í­VU�Þ®öÀx+~ìx­Æéñ‡Šm¯†Ž[\yÇ`¦PñæâGÑ·Ü�«ÎŠ�}�8Ÿ]³¡TR�Ëþ¡s�¤95FœklbŒ/Ãëæe{ÕFµçFû¸˜C‡˜­�·NÈÒ=ÊŽ4	Ip#˜ÄRªHÜÑpA8쎎?}&Ìì„_�rNqy:A.öïWå9¨ƒÎ£û W»
-®TFiª¾neê”<´@Ëxð&ûô×&‚Ú…›^¬ Šm}…x¿´ÏZ©ý%þསõÚµ0š-•½©ÃëGbËž>=2â¸úRߣ°–J‚r"ü <�VÉÝY~€Ëô¾6înG§s�ü sòZÏTÞp÷F‡HRÑSW´éÊIú˜jÔP'O!#IÒ'
Ü!
I§Æ,r´úø"8i̵Ɉ=€œ�|0uþ!vmRó(
tÅ$C*J)r™ôñ:Ž<:T…l•-	oÎe
Y9ÉƲZh…ØÃÞ™:P3Íf;:¼‘ùj¥r`²ºZõœÈ<–ÒãV5ú—¢D$Tc�@Ðœ‹D‚�&.Fh¯LipHK½Æ[2
:I{p­EK³„V�^+l”ô˜¢ŠÝ£RL%)ü¢–ªÇASËÕV(ŽÃYÌn èd´©Øv!”[%q?P †"éP	dr
-b×o‹‹‡Bkå¼Óé±ì |³Ã‘6<‘êŠõ2-Š4®þU)ag%búŒúc.ÚCƒÒÕ‰“ƒŽñª&"ˆÃè¨"âE�n·¤Æìôàë*ÊiBn\0 *S: ^ŒO	~`�ùC‚�˨3b&ÆÁ§Ô#(8y1ø”rEé+;ÑRˆö‰øÅ_ˆ(}S(!Ì¢Ö ð [è
_5c#ŽŒ5d…È�
ªjœ9¢EÅ»�V�„Þgg£CæFÒ
-Gõh»ö$4šMÕá«®
Î?þ¢XöÒV‹2A|]yT¬>ÔÑh›âx+$íäu$#UãÄ3XÀOn
-ëô
”isY=a%t.ª¤G@ÔÞ易•Þ2Å ’Ä!!Ç.­C—gǩ˲YÒ(4elÇYã‘_®mW5=¤à•�ÂÅ´„¢nk”m×V
-I&AÑ"¶A
-½¨,`ˆs2B�“—xˆL�t]ªCJxÒ*ƒ€ë¨—�ã°öBâÐ,
9˜¿‹ƒ�ÏžÒ8sí{å>Ø9Ä´S2¢0ÒëÐÈB´8sQ=ÌjB¾­(Ó«ÐÁP	€ÖPI5ìXT½ÒУ$­ÓpŠ™5–=ä¨ÉàH'}+W”Áœj™ØÜí-€ëdØk¦ƒ¹Ê0稛>ÓìMh.ɾ³oÊb
! q"ͧÈuêS¾„€þ…÷�Ú§‹�!šR¥hÇæ^A¶Óx£,^“A@ÒÃÔ®ºîÔ®íD¢{O(xA6ÈÄ)›#HSé,˜:êhÈ­s&dÇ:”=•
Åã¬!Á6‘ᥣ„3ô
VHש0.é6ÄÉøãÙµå3xÆQ�_¼Iû%“Ôbº…l’ŒO&E°3§AðŸJÕ[K}´5këó
-G9§ B×2Â$=òǨ„Fm±l·,)'e¹!àÐ_½°8ĉû7)“ïÚ`û 5Ó
-¢H!FXí Ñ�¨®
-ß‹*��QEØaŸŒÛ^}qj03ÄÔÑÍ^ue~+‹˜”x˜Mjbë‘
™TÙƒjÆÒ#˜ô™¨£zßàýÓê´ÙÄ :‚¤Q·:覭8�Þ—æ1£²Õþà�t²÷“›í�¹#ë5X_\³‘%)°‚³.;—'·¤H¤ƒ§<Î:z(	õÈŠg^4‰cæQ¤\\¾ª<œ:r{QŽ­RB…E¸´lÚT?ªUò�LNß´oê
B¨–àæJÖÙ¤®�mÔ¥Ž‚¸?3qKcl0„'í‘žq(–YCeå «n_~_môð.rH¦="à
²Ñ³ÓnÈ΀tqÅ°@X@O�”اhP*d~Š¨Ê«%§(C�ëÁ÷†¥둦YÐ1rniæF[�åzª`+¦ÓÊ!¾ÂlÄ#t³zAèn¬ÈŸ@s�›Ùl‰jtK‡CV§U:ICÁÃêmBXò©Ãgûu´jƈafqæÈB)¯’°uàÖ :³ó¬‡!°Oä�ü1sz9®¼7u˜êb26¿âA]ÕØý]:í5^ÉÎK
Xn)¡­6;Yã›w·ù›”ŠÐñA+,+™�uH£"…ˆ¸@³S£r%±!¢ÊKê0¸_%UÎä5à@¦NSö{Ua­â¨ŠW>òàX�IJgÅ¥ŽzÆvN•zèY^lÔ˜C™¹ðY Q±
[­%,¸Æ
&!*ÚÆ=VåHIƒ ÎËIïƒqôW±H¤mÊ•P8©tí€Úå¯ÙA—_ÎIY:âÄ1PPRu 3©Éè}Ôi£Üä ÛJaóè˜Þk1Äil¬DƇsÑŒTŒíœI 2$PA9“{\¹*‰ŒàYU·vX>ƒLxåm©;Ì’X2®Àß„bÊ”¾÷ð|Ä
"äLn2¾
j®ÊÑd'ÉdiTH7eibV›#ÓF›¢"„2„ýºn—ð#G¶ßÜú¼qééî䙢š¸”oMS�
-Œö`±:»FŠXª5üÚ…Ž`G3¼Ì�8KóäΫ©^·

LNr##0)9K¬³Ü„KØ8 8™“¥)-—î©ñé¡AÆ{F¬:ÎÖ.Q”Ú¯!|¡8m4_uerƒ:†ÞÒä«ñ”oÄ»J÷JRÄost „D´HÙ �$6Á&òFª’kñBÃ}ìhLy£SgÞÜbvàI\Ùnº�~Š§µ ™ªMÙ9‰Ž¤ÝH%ôbªvÖg�¤IÛ±EeUd.-`;¢T0p#§9¦hcpº·Gõ
-DƒoD}Íc©öP.¶Ûp~S:°*£¹tÏ%Ü:‘íÛó5óM&„CmB¡ÿÞèÈ '&„ÊŽµûfÂRM³íeN#T@Ý!ÒM8¸`§"…@Eáø2gjFÚ"ižRžI­QEDÊY’ØM²¢¿ÅDÃÖzÅAYY¶+3)xD‚¦`òš^

-3…Aߘ
-ªÊ‘ÕA
6ðõgXÒnQ<šKÑ1¿ˆá+dWðøé*“I÷z
-¦)œ"€p¼ÉI?"+U8¯k…œSc²sÚ™–ñjf	+gÄêš*ÑIÇä·dÍKq»Ð±ÚÝ×Rawïœ:4+Ü$m9uô¨v
cvvì=¥ô¬ã•+Ÿ‰ˆ²¢G‹{GeßUÂAùÒ8˜­$�Yµ´X-¥Â}¨
õÐÂCãh%v\Ò� CÁ‘
-€Â�EeudíÉé&2ð-ópf¤7
"n}ÛqeKËÇøŽ¯ËfO˜\ƒ;R"ŠÏúüØš‘Æ>¸3s±4ÇÈéÆ
·ÊÙ0Õõí’#v€/ÆUÞtà׆äÐŒ™Óɺ¢£¿
-"±ê›WÎ8XéÄÉe׃5‘‡�+;t†d¤p‡p¡Wü&£§`·JÊ«�í1TýE�bãIõ°5zÇ� m‡™.
-Ífxø¨a.®Æ×”YW'³UF!n&šWÍÊ3c²Ë´?•kU¥©u°!ªÀ5f
PWDøZ”tL#¾h,H˜x³¶­,Fmë#}Ê’¥ÒWÙ!êнW{{žvQKì�T¨0S†“ªT(q+^�JÜèáà±7J•ªìÔ pJÓ§E/Bà”’‹M0e³rª®ŽG}Í©;­ f:Iå’)(ue
)Œ@ 6W±d+œ)Ř]]K°}'EÑÜf(êÐr>Æ¥Æ4-n…÷°xXœÚWÇp“vÝÑø	]™"˜†A?(/¢Ô^ð=ãTVîУ¤ƒÿ«zѵÆ7O0-�O£”*f¯G r“æSQTˆíÀíéÐ{gÅž
-ó]ÄôÕÁWU5æM¸	�FÒ—Ú{šFX­ñ‚}åh
-¦¶^S[Û°·�›+CEÃ.qöp°|ãšÛéÆ¥Q½
�ˆtMªé	ú)TØ�W;ˆ×W¯w<Ú¸6wD°Žkå§4ƶý×üáŽbcô\T'–ñK!D°!¤Ü¯jUý=mŒ \þ%¾HŽfÎßR×
•;v,ðïôý5ðí(þ³šÅG[
-í§Ï‘Â�ÃbgÀìGGµ¯ºö0µ¯Žn|1ÎÏ  Kê˜+«Q\ˆð
s¼XLj	R‡«ú-(Ç<?œÈAvkõ>OÇ©¿]R6</R
G–Pq�©®.4¥ý¶@pæTÍüln7!xÁÅ^mœ6
�ƒ¨�qÈÐiÙ*¯`C˜½˜©Ù€Ð—Ü
?€<ƒ2œˆìÐH“`}deG¢õ	“¡ðHÚ"R2Òä+ø|²ü$¢HÕ%yDüéÞSý5ꉈ�%ÃLÏ5…%À8ÌéÑ#v¥€m›I'GA‘¤ÏØvmþ“tQŠšE)”Å_è&»Ùáè=†	1‰%W£<da8]\yT˜ÚEÎ�µáõ‡VºUÖîÑoºE«l()³·‘QdÍVšY3¥1Jp�åV#0‘Ê/HèË	]ð)mÇÁÍ�E	e'
-u(Þ~�`ø�²"ÆE•Ø†:êþ÷�fiŠÎ@aÂ
-’FígtyN§ÅÓ‹Wº86®Ç™¥ÉÜ!6ëg¨ÖšbÄ¡*©ÓÿJ•IYM
^¬ÞhéÆ�â»êaX.Ž«XÔøe€ó_­U°ê'0HúÐÓ´]H£²eÑÁCþ=¢n‡¥=°
-«Ï 뱑T„\A£�0D"kwçFí낲­ƒ(S¦iìm1Ì!	Ö¥ªQ¦�²ˆ:
-$J8©:Â{½!µÖÁÅ{²_æ
sb¼
-
Y„�8©!.ɤ�\à¯lÜM2%~k;i6�—œ<ÔIÄ9BæI5ÍYLÉ�_jmÕB‚nkgê-µî;E„//£#ÖÈ°žé-E¨"õɬaŠÛ®f™Wò ¢éô¦
-Ó	òGg8
-þÈdóve¤3²4
¡²S?Œe'¤tt£d½£`•ö_ÍÜNÐ$Yì,°@Ú*á0ubLU4ŠI£ÖXÓÆ3ݽ§{¶›|êÖ*.¡5â·X ·gÛIG=v]’aq§il4*€×UÔPîê«ÀÇ�í)Û ½Ê%éMÑ–këœþ*³¦ÄÌQæRç"ùd
ò",Y©– •”b‡ì¤5¾ÀÛÓ:Þ¬ì€8«¬Tê»
-IN?äój[׎§Çl…×$â0qQ‡PCRÇd>â„Ö’ec^g-_L�¼ˆºþ²NØh*Ðòò(®½Û 7Èi\µ¥PŒ¬á©t�\M§Ã0+�|‚*F®ÞÔä*~™ý¨~Xv¨
TUl^ÃhƒþÅüç%ª[�¦újîèȨ‹·–ú¢ñc½¬™zÂk‚—Õõ(7¶µ­mIËÝ]I;Áئ#\
-#LJ¤k<F(:Š$<ßLŸìÞ¸Ù¨7Hu*\ÈaòX\sØ!HÈõa/˜‚Y TÿRŸ¯@»XuCP
¹"[©á'\ÉÃ5èìú›²»J^ØãAÕp¨/N�‚QÜ>×s“
§Lð^8(Æ×*%î˜
-#ó�w²Ž^*¬å­"SúœxdòåÀ†8É8�lSq|kÄΊi„.wé�T{3Bœª(­=ëÈÂUÈZ6nñ”ÕÙCÒ¤q*O³
iŽvGœÌ
mÎԣɓ`'Cðõ&ÒØ»(Vˆlu”è(‡"ÀJoO[—@Q(»Lň]œ#Þ@QWÀ
&>ÕKQyX+ƒ4É/¹ÔY‡ >ñBiÇVp'mú:‘�ÖÍÞ-�\q,œ\@ÝÔ†„=5fhaÍ�1Û/‹u„ƒM­-j4gÚP£�œq­ÉD3@雦¦OPµ�
-ëì!­rƒ¹ô¶?§ ¶1ƒü¥‹©-ÑóX­J„ãÒû B¬ªý jL:äŒGªFWrÅE•ºœ«ŒuÉP
-®´¨¤£ Â,k±
7b;¦‡œtˆ™]¨Y©")ý‰_ÁX$§S
{ËÊÁ-™3֔ݗ`í 
-U
-£5gƒ£ Õ¨œ¯êÚ)ŠwKpýi.Þ
ÔáݺºÏNõ<É%tÝÎ<„	€ê
-í1LC(/+íó"-Á�ªR7ÀÊÁTd›ÄZ�Œ¬ÃuGh‡ó
-k_ü²Zþuùkè`ÐÚ"ÖŽt*^92dM¸00eख़˺v¬Ù{9ÑÚì41ì^ *$Ù„D·6rò ‰Š§Ñ061FÈ{ŽDWwà50)±©#BL™
-nÞ´ÉËǹê¡!²ËÂЪJKeuY
¼UZŠäxµ29αk»¤²QRàW7rgòì´ñU2vÀ|�…ò´¹¯^Ÿ¾9Û•sU›‡ƒ_ت›jòÄ‘&cùTaán
-SÇ
-SG€Ý£*Ÿ&¾©%¤··4%[°£\ˆN+‘A`�®€#álAÉÃèUôT
-c<ººJ{)ð‘—y
ã]„Ì%å«:”—Ë
-¸¨·$%ÊÇ5=ð£Mé*§ŽŽ”ß>‘áàöëf;%#šÆ0ŠÄd5h�õ¹ÑuklÖÚtëR«);åTWàQìHK½´¹pȤ"ØqH˜ì…¿WE
-&4µî rœÄQûW
-Gøäö}Š)»$Ðnr³@Ø)
ÃÉ‹¨Ñ»R!ݹ€-$;:bl…pcêz'mÝêÎv�:oVwìØ<Å¥ ã:˜Ò}±du ¸–!.!†µÇN-õœÞ�8¹iòh¡!’ï-H£Hg~üu¸=âRføqG4f0ÊË#Êf±óKœ6\Ñ‹-Îö¹w)0˜ë+Eù¢)Òyë>°6ü¤k…B†òÞxç
°�EÉb·ô�òîì7ÔL?”ý˜ß9
-i8s§¦Ÿf/�õ‰¸‰H –á›ÕzÒ™Á��±Íú·ÂèEó�>FWEn„jsÑ®g!éáhr�€öݪØ.׆ëì½ûêCgÕû´«g”O¦X&c²ºQWYÀƒ –Ua:å•LÊ­Æ�±ÎVñjS”„y´C·[ƒ…¹1‘iÛr£-Mž¾Þ.[²¼
Y‹œ˜“½UcS
-¾ÎŸ…1Ë[[ãý�~í«¥·¥¨�áÙlÜÅMÀk0#¨µÏ鋽�Ž6ÄešAŽã�ñ
-)e21ˆ-8äo&&*Óó^‡‰Z:C7ÝŠæ·Ti¾T¥eÜÄ(I^vn·(ä¥
\¹)ËHíÊÕÃè;Aª‘¦©çWuKc¡BõM:¥„
-Ý3Ү̎�!è]
¡¤Ñ;þ\"Æmâ
-oyy7Á"y(å=�ºÞ³MÕ\ë¯XLJ¢†:7t’ù!eº‡<�Mä·AîV³”~SˆYåE ªj<rÙÅØpª¹¤`ÑæRE¨‹=Æ-¦$§ƒ» lKÓX«Ú[¬ŠW%±ê�r�ô0Õ= ØöÀ‘ÌSJp9Õõ })©¡m]¤[u!_¨NLŠ‚«VÑX
--" 9NÒ„põN+¨M„‹T݃54
-ÿ.—&·	
-Ù•(1W#�^Ý¿dù9$’u¯ÉÝô³�ÔÄŒg¡õ‘L4/VMQŽÍ9áE¯I]ã®é‰é¥ª&}ˆïŽ-­…¦Âí ¬ºò�º42ãÊÖE»¹“UT9±^é ¹¡Ž$2‰QIÇaµÚÙñ³fx2Ýæ(ìòþ™!NV·ò®ÐJ‰EC{m(%Òã¹'­â/`
-æ#Á‹“Á‹0ƒ¦a)u.Z,RKÏN-u.O”¶¥¨Zý4å—¹i"¤Õv3}¸œ`»¡Æûèã׊¼R¥<JŽRudáÆY1º4ûv£)FS£àk©QEÑJÃßµVcl+�W�F±De7&Ykâ™
¹
-m
-ɦ“è‰uçV«•Ûu1N4.äŸJn†÷´`5™â’.1ºŽÅÈ!ëá�iŠqu°²²‡ÜšV§‘åª2Ï0ÚNû½ÑdO^bÁk�¥�òÍ�í„A§�tnÄãOþàÖ—uÌr2	ÊÐÇÍ8j‰’Yì)•Ð’fþñ-³Cßõ@£�g"-ÕÆ>ª
-X'h£Æ_ó³šÚ_Ç
¥›£Òx—Ú¾ä]‚�”<ñ j^Õˆwͬð°3:
-pg
-¨¢g•¡ë‰7áP³Àyƒ¢RUði9Ò
-N¯VòE‹®â6’ØŽ’ 'µMÔw’éÖ¡±1.‹Úˆšg® (ºò™RæÈøªlÇ™‘Œ:„[³G1»G‡²
÷Q‹ç‰¹E[Ófqª‘džtª³R¤ÆººŒº;ú¢¿Æša• _ÛìúqH�ShÈãH£&Èi&Wd°UEI…H#^V
-š*´	ÒQê’À¨¨­Í4íƒUO+ø&Åc²#Ø,èUm1�;<Wkxˆô‰´ð›>#�ô6*±66Í
·��u¹�*	¶¡„ªÈ}°R¶hbçÅ(¹ðL–¸~~GlkúFàR!ò’žTBŽÁ r1Mát¥;�vÙDû¨:«Ç…
-]rÆŽ ¬+ØGÆùêj×툽3=G‘Ù+4­Í΂âo.ç†$÷N&¸}‘*	4
;Õ
w¹e¯^ûæcž²ª|#]?6¶Ú÷¦ŽfÁøl<âPÌ·©�ºÛÅ%=¡”2¢VÅTzƒ�1:4 >=º?2õy{»‡1ÂÒNŠ{æýi”nguG`-¼Ù	d\†Í!FÉ8Ò‰nÃ�Á™]݉˜(-laxtp�S:<vÞ.Ç!·uc&ˆv¬mÇ´ÐÛ¼“ð«q£móÑ�Çáfv%5ϸ#̵ïJüÚUWu¬ÀRœÞöz¡
ÎvYÞog²N<
FáLÂåËv˜‡raâ¡ÏÜhhçŽ43ôru‘t4“Ãâ;™2³4Bï=N&mUÿ8.®Ypdq
ÆÔq Æ™±«/Ä|yÞhL„<žëà6ñNEÑÙ{w£ìM}xeƒJa6*�V´“Mð	þu‚=ÒÂÌM¼r$;l�Š­Hô[º:>Ûµ�|»Õ{ú×Óϸêä½®Ø=yÅ•'Ž^uÝÁ»óŽ}úY'N<õŒ³¼;¸{åÞ#®¼æÄe¯¾üè#ŽÜ»ò²cßwðn«_}ÿê?«ÿá]Wÿ‡ëÏ;zò䱫NÜǯ8qì>W^uþ#®:zݱ«¦ßÛÅiìKî}â²ó¯Û{È•Çõß{è'´åÔs¯xèå'žòèUßwÀ<cõŸyàšÕÝoõùžÿß…G„ƒneJIã…×­úÏ^ý�‡­úy0<çàÅr/£
~ø€XìN9³�Qì8¤üIst)²8Í!.n¯¢`Âu^›§_gù_;‹±Éã¿“æ"ÕÉË_´7XéÌ4öøõ|'›÷½sàÇWS÷câºglŠüÙbv**²¸Ôø5à,�±˜ôvNÅ?P©€Å�x#�ã>Ö‡n’ÜÙ~×4·­«óÔCT%ŸcoßwðôóO^uʼn‡<õðá3vw¯Ùûá+O¥ßN+Î<ã«WÿÃVÇb?xæê¿ÜÊv;øHº*ó–0?ÿ½esm3›5׫�JL�Ù q—çeßš+j=Õ/F�q4ÀÔÌ»C@Á„ŒÊ·ª&=ùìnçߎyM£n>ƒÝ‡bŸØáËWOðÔž8qtïØezÕÑË®8¶Ú¼û¾é”ÿæŸ?ô
-›ò”$­ÎÐýÍ„X©±Wõç!¹G˜�'ª“厊JM–³–FT¿tÓ+¤FaÔ¥ÔRÙÞU‡ªHPÛø¦cMZY‰2|Ö­ÉÚÈÐÙ1r2ÞØ[Ô"“ãPE6Ú“ØÔ)›SŒµrÞZ„E‘Æn#´jYÈÖç'¡�·Ì6󠻀s(�Z¿ÃyÓ‰šÞ‹Îp›ê5„ªÑ(Ÿ™ˆQr"£ÌC(¿™Gàzñ€ØPî®ê–â�äÃ{RKðÀÞ°‰RŒ”‘¥9E‡óŸÒ°M9¸�!Œb‘ŒÅnUe‡V7‚lÕð­DXb›†(j4gÅ~	cÖÀ+IcOp¡{Ä…$™f)Ò¢›\´;+‚“Cd!sêJ�!�U¨™Ø+kPQgZ_q†ÂøÂÈ,»ê5H£×€Fº$iä²-ñ
-vŠÁN{'~[­÷âœáUŒ–Œ9B8œDá£ÈгWštˆTŒl,ñ¶M�ÞÔ¦µOÔ�t7ýTÓÔ	ZZ¯ªÝNÖ×ýÙü5�[1®Ÿî¢o½Á^¬Ý³ÐšÉìLTD¼y}”Öô!­ü �ÖJQ1IM»C(° Mqš9ý­	Ñéн6úgïÃYÝìÏÚåT÷�ºšôÆ:æ¶ïÃÜç×ó¸F!<ßÅH±Ó=t γ!öÕ´�[*hpãxLÑßtÖ(Äeš7Œ
-Û5c’91X5™žä°ˆ˜ìd¤R”T
-E×LZŠ’Š®Çd
-æÝ5ßµÏéxºôÚE&wò‰™
-1ùMšVŽ¹ìð·i�	ÿéä™3M^®›~|Ÿ3&q&ìà g¦â”lP�¡&Âí%¡]Ë�–�~jD6xÖµoºûg”l’"›,Ì
>F­X‹‰Ð‡ìáæWì~gé¬~Ñ6£2´m?ìÃ!®Hu0G´‡	$Ó–ØmGšE‘$jÔø°…œz‡ÄÈZ|Š:Á5E³hG1•)îż”	´eS”¬sŽ..cjÔ©Cô�Qô8E꨹!R§Q=ÔºF,‰ÿq£iÄ-”á5¶(�
¿–(äÚ/òikÊ`}ì"”	s8
ì:_´H:wyß3¿Ð<É<ÊeÇãÈ"Õ6?º,©ÄéÑécÎãp/$‰Ù½|}I¼¦1^v2ÚiY$ƒÄ�ED>HóJFú"Jéä´2)ŸãR_®còš&bû±ê	œìràO_Q˜f?/dýöˆ+Ô ú‰>Íñ53â<ΫX?}–‰Å&Î7?“Äê6C0�êf2Ì•¨ä*½,{�Éf°íRwF® Kóà‘v–µ;.{â¶]êþL~{^ìÏ=ïÂ׶Ø÷™g?¬�”ÛžP�r¦h‡SIÖqújÀg;îä
-¦/A?Ôå‘˺ ÓÖV¥ªM@çËø2,Š IuT˜Ì›ÈMÏCx½	¤èÁ¯:ïUÐj;xˆž2ùöd;ýká*#ðbˆhLÃûLÄ,
þ5¬5IxØ°fÀ°ŽjŸPkG°£¸µ‹ª²ï-Œ(Ö>~²ÃÔäb­)#§U㌅�ÿUM9Ž^º2
¡†KêÙh&"‹G4ªAÉÂ]“-gæ'
éÁÑm†jÍÆê>ÌZ–gí}B�`Šð‚+ØÌeö*úp×T¦]ã|Ìi·þëÕ¸qc\•ãÙ¼èp,îyËì²àÆ6Ÿ=9¿ùä¶>ch-ë9bC¬uQBdY‰A²Àö!
Ó/š|ae”ɇ‘m’`íJ”Ï>LÑGŠ•¼ïc6‡§¦ñ�™kDÃ6c½SGªjMÕBÝ.óF'§þYÀ–áÌQú¡„™gyåPhDØG̪˜¢Â\ìP‚j€m“^ ¬Æ‚GÒXSÔl
À3f!*cžýsˆÆGU†e�¿V"IñÏ“*¥1ÓˆUhý3%•ºÔö1®,€`XmÆC~v*[1ê…
-B²üöŒ-sþJ	à™ñxæoÚƒÕ•î!LÄ€½¢A:èq¢Q”dö=lCœlsP¶�”5R~ëÛ›%çÍpJÛ椇´Üd-M9íÈ#�9mÝ#÷¹¶Ñ�Dét,Œ”êt€ŒìÚq3ÒµÓá4òºÓ16²Àk‡’¶l'$.kÓ#ºòlrõˆ“×ÏÚ•µ›†ÈRè°°Y8�Ý3Ì“1Æ 4‰ý=…y„}ça¹ïåõ4K>ÙH#§¾f#�üd#�\ýd#�Ìþš�4p
-n¨×À°µ É€‘M!–�7³PÌÀ¦­…m&$ÛòL˜·šrËàÑ„§¡¦	y7‚R†Ò[°&DßvMØ¿›�‚Žî	Vh
7mTâu«CŸÝ°¥¶!‘­°C®«qAŽ9îm\x
Ïèñë­ÈÇ©Ú’'Ú,9Õ¦1ˆû;^­r&sØG{¬ Fb–±ùÁ?]ªãÁ‚ç.Ivss‚»cökãOÂñÓ­+#—‚]@BíÌåXma
T³ù=/Ì¢K(+­�1Cµ…Y4|½Ýt]ýè©ÇÏ$t9‘#‹éké1J»<M_•M)òžìKí^	X&¤f‘O‡Âÿ“| ï
-­im#_!·Êj±ÍäIöd«¡W*Sÿj#SVMƱx+]ùSa§¾6ǚǟÀ¼‰tPX�ÓznÓ˜§HÁ× ¹¦ÝݳàÖétpC”‘AÞ ½Bµ@¹•ÞfOfå)@ª$³Š7ƒ0±"t
`œàÀs¥ãIã«VJ¨­™gI
-ž
-uALŽk‹Š=ŽÉÀÇš?éì•ëðå0ƒ¨Ua¦7S“«ÙŽ®&éÀ­Ó˜çÈî¹m(‚4„Ð�‹z35Ãùd2pnSø׸®÷—fSµNP™š¨4„kªpÕ„Ð[
-È
-]×g1Í�¼‘ôAÚF¥5³ò(ª®
Í
-
-xøëÓ˜§¸„®ÉžuŒ¶-)ª%ÄÛ_“šÚÍ¥Ú4³XØ+-ë
-
-ÞŠÒ�³dØP¬%׊!L×ymó$—ÀÎIך `Q]k¸¢Œ˨º�6K•ù¥[Ìn´9óÎÝà�:h¼ÂT7~X¿.¡ú3?0;´ÏÖ¼1ÄÚD–³\ÃŽŽY2y9å\ÇP)b|SÂ#ÌÝa¥%l¯)´•sÒXÔ`52FÇeh€
-3ê®H¶‹˜Ö°ÃwÈ;óáàÖi,çõ"�Ž9BɦÍc£Æë€îÖMŽd+w“_Ñ]CyèÖ�0$níØ¿YÉ:¯„æœvm†cúŠ.Õðõ¡Vx©kîíƆ9†×n±,±¹U%LtæƦbV�–kY!?…²�Lw·
-�¸/ßCEV”‡0³
-/:¥ð£Ùv«¢Àç2^’=š‚Ý¢÷6„×ø~c"[]`%†�/qÆJ´G$%
-jž¤Ždˆœ0ü*¥Ï&ÀFèÿ!R¹9€A&\3uÌÇæ<–žwl]á@9M~·ž	4R"2vö»Â’
-ÁíâC\.>ºA	ÿóR'$�P"vBÐÜYc¨šz*R*+mNæûÒºt}˺‚7ç±™¦¶$
°b#‰âJ2d™¦ƒVœ–‘wÈP
¯k¬<Yrã2„î2Ù˺õ8u2ÜlÞzŽØí­uìX»Ÿë¨µê}Ç؆o[›áfþÚ²qkÛoß	ضn_Àœ.èi«å4_±m=j[7em§U›�vÃvÏ#ôµƒasËì®æU�…‰OÅ—LÕ7ô¹Æ®�%»�dz3fªê¡!Z7ì�G"·	Ù/cì´ISÿuU¬J¥'Ð;µ‰x€nDävצ±œ£fÈ׬Χ�#¹ #�½¼Y°ŠÓôv‹q¹0N×>'õ�w°B4BÌIöƒ#�ú)Æöµ-À+!¨mX!Á ˆkY‚ì
-mu‚�QÌî"Öb®Dkó˜×íÀ–©g;&éõºiq3ŠYK„|F›¨»�síïp¸Å®›žu6	Ùjó�µ£Yä¥*ú
Ÿ{sÓ$'ðß=™‘‚‹˜1…µX;à4ç£Ò¸"R�q”Ž¸	_jÔW�’M¼æL/iPк3™q óô0õÿµzÏ»êʽc'/?vÍÕ†^pôú›HÈKj¥Z†Wo‡
-¡Oä+ãZ–Þ«oâ „²�ybÏ‹[*!‹Ñ%¯Å9«…(Œ›–7°úækôS•i‘’r�àù)-[t¦CÈßÃUmÒ«‡z-nVï!š"eUƒU|”Èî!%cJ<d€]Twù­—$Ð!Áî$A8ÕÓ&ê;b.û4èïS�h"d!E
0X°‘ÅI‡#lBÝ\‘Q#ÓðgÊ^+QÓ`S#ïor}k›«�8(sG%�!_XeŸU'E®¯Ä®MªªL£&Të±gHB¥ÌÙ®ryCQ S´h
-öþ}ièÕÎLRŒ«ÇÉš8«kÒá¡@‡'­šÕÆ}�«Á?ôÀ!’‡'PÅ(à”½hËQ¬vTèWöÚb¥ËÃ{~|uO‡o7IOŸÿýàéç^yò‡�í^yÕe«[¾{Ÿ[oæô>vôø9GO^uÅ£ØH=rÆYgêðãW^µ']jž®lØË®|ȱKÎ8«_²º�óO^wüØ%㲓KÆç…—­=Äðe<D�Ûóü‹šÈû租sôê‡óÿòO?|å•Çžºsʼn‡»Ln�™í…ØžèìWvu¾ä>W?vwüÛØ?|ôê•¥¾jZ]j5—3Åè¿×±k¯Ø=¶zB×¼�Ü�‹I÷‚pP<Iª'`[Ðwͬ¦ •:èW‡Ž_µ…ƒ^þŸûK~
-¶nÕÎûÑ‹ÎÜ÷ý†oùºÿú¥Â½Ï9猻}›5ÜéÌ‹/½èÈöûý×~Û·ÿWgv›xæyçÿPŸ†¾õ÷_pÙC/>|p¿¿ø–[ßê›ÿk—J÷=ÿ‚óŽúö©í.ç{Ä•—Þw¿óòëou‡;Üú[þ+—:ë
ž¿X
-·9ü�k{ÝÃιÓ>ôÍw¸ëÝîôŸvšV—zàE¼o\Û'ÜÅ�zÚ³ž|õ÷[ ·=ýîßÚ­þ+—:+Ýf­ý;ϽæÙ/ùùçÿÔŧoÿ»o;ýðÙ÷Îÿ)óçVñ¾Øv©SNùÁG<ïW^ÿÚ—=íŠ{niw¾Ïݯÿ'.vwŸ}.uJ¸üù¯{×»ßñÚ\{Á]·ýéϺäòËзüå>ÿ|ÏáûÓ¥n»¥ë».}Þ›ÞûñoyÙOÿȶòÝg;yÍ÷¿Éëmï~¿‹.8;o¿·û]ÿýÙ?|ì#þÎ_|Ìý·x}·¹÷Ãó„G»×MœØ-ÓÎEžS¶ÍjõÏÙÏ|Ûÿí³ŸþØ_¼ý†Gô-ý?xüI×?õšÜD‡ðÔûþèƒøûíçg=ëó™oüì?¾ï5O~Àwlö¹êY?÷¼Ç]rÓŒ ÛÞó¢ÝKwöÝaϾþ]ùü�7Þø‰¼åyG7_Ëw>ð§^ð7<õagÜâ¦\ë´\±wé½öy‚§œòCÏùÿð…Õµ>õ׿õ‚ÝÍ“Óí>õ¥¯ü…gî¾)׺ý}/ä5GÛ¾ýç<ÿwÿé‹|­·?÷âƒÝýÄséU/æû0ýüè'=öK8tçýÜ{>¾ºÔ�ÿþ�7=å¾›Ý÷¾î†WýÚËž¶{SÉÛï\ýŒç?ýÄÝ÷ýÁE/{ÿ¿Ñµþù�þÏë6õ½zê+^óêŸÂÅ7å;ôà'¾øå?÷¨Ãûõßåäk>ð©Õ¥>÷÷ï~Ñî÷ntßã'~öU¯{Õ¹³e…nü“þÜ_}ý+Ÿzî~ý‡Ÿò¶¿ý=¿|ã6¤Sôä—¿öu¿øÌË÷}³Åz÷“/yÓ;~ó¥W†}~ûÀ~ÿc«¥ñù�¾ç®Øø.ÞïºþÚ^ý¢Ÿ:ÿà>þU_=ýË=ýÊw½÷÷ßøÜK·G1]ýê?ÿ÷Õ´>ùÁ7?õ¬�Þïß{ö/¿á
¯¼þaû®BõDäŸ3ûê÷|àïyÍ7G¢vžõNz„_üøüâñ�}þ®—>å¯ãkVÓÚ7<öõ³¥uø	¯ÿ£�|ôC¿÷KWo[µw;ñÊ÷ÿËjZŸýðÛŸ¾q3§^øø—¾þÍ¿ñÊ/ñq}í�ÙÐ:òÄßøó�ò_?øÛ7<lËÅÎzÆ[?üéÕµþíO~õÄúžq§ù©Ÿý[ßòºuî¾VÝ7Þb¶³?á7þâß¾ðùýÀ[vsºëÞ/ýáÇW+ã‹ÿô{?s¿µ¾ïºÿ£_ü†w¼ë-¿ü´/+8pëÿ}ú·ü©×ýÙê[ýü?ÿ雞ù õƒá짿õC4­Ïäí�ók}÷¸ê…¿þ;¿ÿ;o|ÑU?0×}²oûŽÛM±œüå÷ý3}«}ßkžpæú´~ñ>Fûîçþæ7öÖ§¼ûœ×ÿîûß÷?^ýÔ
á¯ZwÉnñ]ß5Mì{ŽÞðî 3ãÓùŸ¿ôËWvÖÓßò!Ú3nüÜß½ù±ËyÝá
O|Õ»ÿìüŽ—�¼ÇhÝpÿnyÇ;ÍÝ}žòæ¿â
?ù¡w¾àèü•Ýåø+ÞûO4­¿ð�¿óœå¾[®|É;þìo?üÇo~Þôa~õ†�t«Sï6ŸÁ«eý>zÿ7~ñ_þüן4/ìûâ.n¼ñ_ßÿŠ-§üÄ׿ÿ#ûÈû_÷¸#£qñáò?·¾[¸ó·Nÿ~Þsßñ·Ÿá'õ�ïùÅÃæ¼Óå/ýý�~^®õé¿~Ëãgcã{òsïúпþû?¬¾ðiƒÿº
é–w«aþ ¾ÿ'_û§|jÜø©¾íú‹m/ÿÁǾá/>!—Zíïÿ¥Ÿ˜ö×ÕŠúÃ�~æ³}Ï‹/šFúÆ
éÀ]àžq2±¾÷Ø‹ßý‘ÏòkùØû~õ:‹@Ýï¹ïú»ÏêµnüÌßýÎÏ+ç�{ßÿÛ¿ø±÷Üð€iZß>?.}
-P‡ ˆ�²¨
$CQÂEP1‘d©¨€€�¥ b
-'Oym›m±�«æt£Tÿš6Ëçb%âå¼�ô¿þæ‰CÏ)˜t›öÜ;+_}pBÝ…=k®™³”{Àž5s/(}Waðs›íŒ¿ç£‡êøñYïì�´ƒ[_¿£ßzêÀë§\Û·ôpâ/Cç-ß°éÓUK½ÿ¾‹ßý|7}ïúGkËßõü—ö]û7-›t:>vü³tfþ~ã‹“yö=þ¼&_USzÖ~Òóëv|÷íŽÍë?X»nã™pl~é†SKm¹~
õƒ'¯j‹}öšZ±ß}òÔ8þ”V]9yò••t
³¹z÷+ü{¿ývo6íZûHC~ÿû—vOznCnm9ðõÚgï{ûS«·Ù‡v¯}` ›Si¿ënž<ª{ÉN󜉋7”¯ñØô½=$÷ß?ŸzÖy=GNžksþŽ;?]ùúŠ
;²ò}³b6�ïã;7ÜtÛ䊻>«Â߈åè�G&Ô^Ð¥ë…C¯žtÛÝ—­úb÷¡¢;íÛõõ®½¹´¯ßš.ã»ÆL|“�RüY¦µ*˜.tíýjí²GæΙ3÷‘g–¾±jݦoöU¾/»¶/¿�Ç÷Ão¹kÖÄ~aég­ØVñ³P�»6¯[³jÕê�6lújçwe†[ùe¾‹Æ÷.º~μ»n¬)vœ3¡rkÉuà»Ý;wîþvßþCMß“»L{ÑôsÆÈ™½çÚî¿É¿êÏæ¾Óägýeö+—"×Ú›~öÉ{¯,>�kwóŸ|{ä<š{íýüÙñfœœ{ÝCK_]<wÔéùW�Xw×ò­ŽœGs¯C_¯šWc†÷ƒ¯®Zµì¾‘EàˆSÆ.úp÷‘³hþõý—ïÌ?ãÉw?ùbÝks‡uÃS—m,3üŽéÚ·õƒ·V¬ÿj×Î�oÞÝ7�ìûC¿{ÞÙÞ¼ÖìëÀž�»ö8ôýÖ峊։øŠGÖî:òã?ä:ôõ;³ºäßuúø§Öÿˆ½°èÚ¹ò®nùwµ¹áùOË7?εçýyåßÕvÂâÏŽ8ÇýÀkïúÇëóÃmoüéÞµã‹7äÕ×?»á§ªÃCÛÞšž;ËÁiÒÇ?UßhÜýÁ#õ¹ƒã°~ÁšŸ¨ÏÃÎY6µCö®ß÷½ûím?òX¶×¡ï=88×;:N]úùOÕ9÷~öÂÄsssï•×îü©>ìàöó†eû¯kï|uãOöaßnX|ËE™A_}Õc«·ÿˆXѵË[óFŸkÏSN¸dÚ’õ?UW<¸í½E/ÎN¥Ü!÷¾¾ñ0Æͱ\ßo]¹hJm’þ¶¹êáw¿üI^vp׆×æ�¿ÐÍÞõ‡^“_ùS¼ìÀ®Ïß^tˀ꼙ݪ÷”ÇßÝ´çGîù‡ön_ÿæc·*�µ¬™òèòÏvý¨½ñûo6®^:BŸSK�Š­z]sÿËoÿñÆÙ÷»6­}uáWôlU(»Nh?bÖó«7íþQ>íà¾�›?xýñÙW_vf剠ïÍ�½ññÖ=Çú¶Cû÷lÿüýמ˜uuß6Mz[_|ÍÝϾýɶo�åmÌFxÝŠe�ÝyMŸv‡Ã9ŸÐ®ßõsŸ{gÝ–�{ÈëØ·Çì¸W¾üÔýSÇÔV	QÝâì�ç>óæÚ϶îܳ÷ûý6o:øýÞ=;·oùü㕯>5oÚø
ç�Ú-ý{û˯�ýØ’7Þûè“Ï7nÞòÕ×ßìùîûýªøÖC‡îß÷­yË>zï­W—<~ÿ­W
è|z³#Z´ë3fÒŒyŸYüâK¯¾ñŽÙQâ�Û¶m/¿¶mÛºeÓg¯~ëÕŸ]4Ö­Æ^Þé´£+9á䳺^>êš&N¹ù¶;ç-zîÅ—_}íõ7Þx³ôzã�×_{yés�ß?ã–I×�нC›“›SuåïKÎhsÖÙçœ×}ÐØ&O½åÖi·U¸¦ÝzËÔI×�îß­ÃYÕ'ý!-Nªn×¾ý9çVºÎ9§ýÙmÏŒÿ
-�$³âIÛîƒhR„Íž­ñ±&ÍFǶ«‚koÏhŸVµùþÏè*åÑâ z×’ÝX’œáõ|“£9´ÜP7¼^ƒwmrõÀþC‡öÜ·$¹Mÿ5—
Ô»O¦\Zòj'Fhñá™qˆ;§��6®H¬ÓR˜ìˆÄGÈv˜{ÂâY¼ì96*=lGÄ/‚¨yP©(	‚Ï!ôQÄ\�L ´²æ©Pˆ0¢@U Àg�gl~0«É»lè­DÚ	¤=±#*ŽÄéËÏû­’ B±8`ÒŒLÊK¤
Âà$ªlù,«5þŠ¥UŠ˜Ÿ‚>ËÉH~ŠI
-
ÆÇHIySžM¢ÄªõæeŽã²äl†
-ïƒ>‘5HP,aZQÒ®’Bˆ?DIñ'„¾ÌQÈÔçÙbÌ ²âç=KV}âòÉšö»¢€�M	¾¤TµR‡¤ Ô:Ž[\€lêÍe�Ÿ£r÷ÚÕ'ÿ."N¤½Lïô·h>L(V¤B%%òHdî6ŒÏJþ&LHa"$< °�õ0Í1Üç&Ô»C‡)÷ùñXIÖ‚@Åa@ç°CÙòJ„8Ìï¬tdb—ønFÙXfý(:-¨{$Â]ã‚ÉóR
-æc]ÇE{ƒÎö̾ÇAéšÆ&Éu@Ôíci3·�qÒçb‚	ŽÉ3ý˜ÙÉŽ�U§Ùåûož�cäÙÑò¡¯:£y
¤]\:U©›qëánüÈOð7ƒM'0³Ðß
-¿úh7Ög\Øî(Ÿ8wø€£ïzý�=�|WþºðÖ9c+En5}õšþàÍ]�|[îê:í¡éù¶ÜuÒ¸{§÷>ª'
-ßr[Ÿ£{âÔ±S¯8Êú½ôÆqB™wu»ª¡M¡ð?�â‰Î#êüÂÏ�ä˜GœŸ×¿S¡ð»#ðBüsƒÜ꒾Յ‰GèÁ¿Î�ÊŸYw±S(ü¥©à!¹ŽÏ�ªÏí']tÖaGÖ¯r…öëúÁ7zJ�&C¯ÌõÛ0Wèó‡üíÔÚKµœ”!yÛ^qùæ[÷һɸ³Vm3àÔÙãïœÀ³öÃFtlâ�°Ûùö#ÛNZ¸h"ƒŽÜÞ£.¯±æöœ…|�xvÕÒ+åï“Ž*ôñuÎè«í�»`á†moë…Ãë+–낉“u&h7óÃï¼?ξ½vtßÒØ\5·ß~‰üÙç¹o?¼ÚþtòÀ!殪!wÍÑ!7äµ}��_“ýØ}X—ò'
-ýî�?Tþ¼üå½��ëÆg¿u=¤Âhì;ÿÉ©kíøØ×��ë¯Í~ë1áº
-¡sµó—̽Tþž¸¾±ñÓ³ßjnŸVa"ºhî‹GÈßõïhüò¶ì·áóï%(^ñ>ã¦Å‹gžÃwz|gã·OYÌã9³—.ˆ?~Ya0àÑמ"ßôyã¡·†ë/#—~ð"ýãߪŠžhç+¯Í<õ«MõN‘:=òéö·®À_'dÞšF-Yñ¤¼¤û‹û¿yBêg슽ûW�Æ_Ì·†`ù>ß_>[‚zæïnÜÿö0ú³óÂí��«è-²÷O˜CκoíúçúÓ¿{¼¼ßëj~Å{÷¿A‘TÉy9h)¾ñ½/¥ÇNø¸±±qÓ-ø³ãÂm��ß<F®|?‰ýo®×¬Þµþ&üqÉóðÞî~�|Är¼n’ÿÜ>ë+üºñÜõTgS9ó6’{ç�Á&qÒ'��û^£Êm×ët} Eá7lh<ônƒy×*Fµ½w%Óôü­КAŸ�ãuf‚HÞ±¹±ñóÙ…þ/€ú£‰…ÂÐå­ ¯;ô0�»¼ËúãáîÏrñÙ+q½ñžSW}Ðظ}!À4éÈëéÔuþÃ
¿öCº/B}1û”Â-Ÿ›ïž„».š4Eûv<üÀ©/z¾Ô½ýþøBÇE;÷/GŸ>yÜœ[zÉ]nœRcê}Þç%ì}eHáòWö6îX„¹®ÇmóíúÞçöi
-cÞ.uYnyè¼Â°7ö5~:wõ¿û�ëBzÊø¹wô*œûÐÖ’ö¿mz_ßvî]=ÖÜuê
Ý;@^ÑmÚ·u+zu_ÉwozÐL í|ñÕ+hÈîw<<S?ã¢é÷_{raÔ{tÛ'O¿'ßÿÝÔV|ü0úÔ%3¸^#ê.ºm†é°ãÖⶭw­â'>›K£vÌ+ïЀï=cf?mð§ÞbêùjjŒO͸[HÎïÝÏr�Û¯¬^lMŸ·ôÐ'ºOœÜKŸødB¡ûKÔ©>¸Ž½rùæU˜¹†ß3Ñ‚ô;ŒŸpa�zƒéUS
-c©xû—]È¿Ž_»o狽<sƒíéqýufŠ³7n»§0›jù»‡å×[656î|÷á76¬{(ÃÇ\rmÃI…!orÓÜò‡ÞL¿õx½óÐwMÝ
³O\8Ù,yç?Í°?Å{î~ãÖQ¦=núĶ�C®Þ[ï0ýêŽ-%½ê‹ÕÏÍ™÷A†Ýö„].¾óþ‘¦À›KzI㡽ßìÌýóÀÊz}¢Çì%óúîÙQúDéõ™N’…3g¯X÷Ƣώô@ã®…v
�ðÁ÷û›á�?ðš
½îã#ߎkå(ûĺæ=±f¬>qã§Í{bíUúÄeÛÄWËÚÜÍÇÈÍh¼¯OLiæg4®–/ïòT3�;‡Þ½BFÙ{Í|Åw/Ñ]8k~3kªñ˸—Ô<ýuóØ¿R,®‹–N†M\[‘PÍ3o¿Y@Øo_·½ê‚{×6ž³oõôÌXì~ÏÊoŽôÀ÷kﲺÉUO
þ¶oí]Š®Kî_ùõa€ûÞ¿»W¡ä:ïªGß)�
ãëÐÎU³/,}À\�®zäÍ�6–
y¾ßñéêÅÓÊ7èê8ôê›måšµk?àkíÚ5+_]xÓؾ‡Ûäu4jÜUWëuÕØQƒJã]þ×»¶‹\ÛÝJÕb*:¾Å
à‡¢g‚câAâ@p“X„&“X}
nêˆ0c¤îè—º¢§Búkê€H!‡ò‰¸â ªÊbà‰E;VW`d%¾Ô7“ª÷Y|·PÈpYSÍmå³?ÜÂKﲫZ29_x0Dó

-¡ü²8§.*[~”f$‹r|Ÿâ!„’…ÀѯÚÆPËðÄKšîÕš�(—D,ÅÞ!'%
›(`o"Ÿ¿§!ÕvI''´N«Ð¾Ìúœ<UWFÍŠïž°T•0EÉ�“I`‹�;¢‘Ar¡ÜŒQ¦$/ŒJÌEq˜X¯]Ìz=$I+š&ðòEWU½RhM¹*XA
-h¤…�€k=ÀÏãkÔ•I
-LÄïùŒÄªÚ«ãܤŠÃ<`qÞÄcQI®”PÀS™¾~¯0Ë@&BøÀEX�ÞE:…©HI0Ì@´¹ ììª.I8ÒІ”
-¿±Oh'Ss‰ë
ôIKV‹òKìù"W¥žr©!g`)�0i¢÷bû~QŸO¡ýê	(Ãcdôl´
–³£
-¬V%‡*'/ÈœP@<䤗
HOîiÀ_U-`Ò]¥l“ÀUhPÌ™"QÕ{ ˜Ãè
-Sqú$v™²2ÈÃ4I ‹hLšÔ®¶sÉ@ò5�æÓ›tEi>Z6-ES4Q³(´ЬJ¥UUr-²Ë[Õ‹6ÝÖµ
-R"’%ìé‚Z�)KF
-d¥Õ(eÁpªZô¤¼O€î™
RÁ\©îȵ€R
¡o»¢••*¬Š,o•ÝCi~ƒ½Šô"h€±‰lªŒ.@W#Ov*
}‡û1æ
-™K ƒbNêbHxË@$ÂiÈi%’9Ï%>ëöš~"zcÆpÐ^-IWKŒT¬®/󹩟Č]i˜±¼%H¬ö$Fµ¨C‡\Õ¢×J	–dòRƒ6vÌ“4”qÍ°ò­=e’uñ€1ƒO‘È
†ÕËj€Qm²­n33-²¦Gè³9­R
-…ʘãŠéHf*}@êV'Év`èщÊ/ëlZÑ9 ½RûPoç&dTW­¯Äª¢Šòb€‰þEqxÆvSXÐaäÚŽ%k—´ [©¨_Ø*˜&`3“•#ÃÀ”ÐuE§{‚È-?Œ8Zü5ƒ€K`jˆMî^D"è!¶Ë<—!1 Ùß@6ì
-M^�0¬˜sõX‚5€ª[4¿<ÁùM�ùžÈ%« „.0wÂÐ긅Y/FÇà]‘IL\Ý„‘ZZø1`Qá2mX¥lÓ1R‡´»MZ¡ÍjiÂÈ¥ñ:vù#ôa&S‰�÷ë�y-€(:˜cí°!½+0¿F®ö‚„t2IÞÎËÊ/‹oà[ûÃT€džµTàÄísÙ|Ñ6”3‹ÀÑm™éD2?û™F"¶)}SP×ÏéA²µçÇÜ0-):ÀÉ*ÒkŒ–n“˜/Hk�ä µ"Ï<5ø‘ÝVÅ}@J|äu1aüuè<#‰
)_€-˜XÕ‘Fh¢î‹¤µs÷bô{´×ð­‚«Çë½ÈªãDº IVã#Í*Àç)¯%$…4_˜;É0V@0Ý89V0«£0e? „ YùÀerŧ"áŠdÁ#QŒ_Ï%
-¸Hô³ILD×׉µš¶¦S Î QH·é"ë
-qb1¿�¨º¼ØXñ�¹­9’åpzŒ	k9ûj@>ˇrbDÐgR�Ö1DÉ!5¬²#�gÞ˜±.†HLS�[ìÖÊÓnâÈØLùˆ²Ñ®Ëì¦ÀcJt\6SÈxâ ›X‹ÆñäÞP¦‘POIäZ2HØJà�ô0ÎØ®<Q&=LN¼½!1ê”ZÖÌ=6’É.i.ãe‘ ¤[ØXÅ�Ñ0ŠüM¼ÍpD\¦’ìÎ�üuÚò˜{ÅÊ€D¶œƒa5AmÛ:ä—aµpâD¾ÖXërH©xf{‹¶Ï5¢/·Æ(ŽˆnðÈÊw¢
-yAÖgõ÷ɪ?/Å”+…˜ÒjØZkØZ,f¶– ±UKŽH邉&êAa™Ç³¶q-žó'„®8±éò8­¢ðÓÕ�%
-bµ86Å,ÕfôUŒd©p7~ä'ø¿›Éš½äß@$˹ÊðÈõÃ$²Š¯ü1ÄgÑ|u¤&¯ŸW»–ð¯þxìù]TQêèò8³í±‹ŽºÚ»ÄgtÞ)Gß×JHÏ?¥ð÷|?Š˜­|`Êß›Oíq÷Ø<
-E²|‡A›ÚÎ…àê¿nRѤìú§¼`Ò¯M'ë8jÜÅmÀR÷ÛÖMk_ÿò›œ Ü¯Z›—wŸzÏT"ú¥W.þSéúõ	'ä?¼´Ò.½ûé®pTð—#Äàpmžp’—/ñ	g4Þï‘×-þõw…°œþéòÂv?‡°B«óÚø´î€l�Xòþ#…?žÛù‚ÒX•ãŸ—7¡h ¿\Ø¿sþ–Ö5ƒ�4ž°rËÊ	…B‹š†a%*E¿KÃ"Ý?üδeÃuyE�ÂYc'*ú.Þ~ð«û
-§^unq&Qû(ÿÏ_y'
-�'Ìšœ§£ìzë¢Go�¾HËí/Ý6iÞý7žS”lj�ºE¹ý16™ô˜öÐœaN¡ uÕ}ÎòO>ÝÄ$‰»?[óæ±E/.œtÉEEâ=	ÌÇõšñèÜQ§~Ù‚ª:N_‘ƒ0ïxoî%öþŸAi´Mß^ù‰æWzÀ%3ÜÑ×)´H©;üÁ+[’ƒ™nYrÍérûï[ýÓe·aE\œ¿wQË—Íœ3ÖŒ5çôñ–]/jwñ½ë-Hw÷›7+ô3ìÒÌd§Ž™T“Ïäô¢h쬛�ÇÎÄDÖqäÈŽ…‹žøJòØ»òvAp·î6jýÙîÃ7手[žlÆH§Éw�7�ëÄ6§V™GN›Ô½P'A�ëïVVÊo}èÓà…žóß~ûþ<ÔmçD¼Þ|Ldz°rþ-ße
-ÛùqF¬î~þ’Â?ÑÈ<uÊ‹k^¿±ÐuÜÓë¾ùrñ€|&M>òÜõ…6ýj©ú.½oÙ"
-…Éèï÷Æäó8åÚg–N3ßôÚ‘Yƒ×Oκä{E%éyߪµÏô.æ®q$ùÜ°žþ^s]>“º§6îþâ‘Þ…¹GŒÈiÜd:Kaæ—ô÷º;òK¿ÅæéMo<±áˆy4îý`ÎÔ»×ðxøàæüº\ó,Šp YÜƾڸ…óØûê°üç´»ÿËæ<_rmkjÆOpc3£�Š®Ïo6Ožüá_ÅrµâðL~fZ;ìÚ¾…ššý—fô6u}5»pîÈ‘™…wΛŽüPéupí}Ý™=…kVÿ€ï9¸cËÇOÎõ”%?ŒÄwÇk×e
Õíæ–F>6ïúæåñ¹hñú—›3”^?´.×ßΞþÞh ­¯LΩé™Åï®æDý_›^¸¥C¡èê>÷££$!ßôôè2�Ëîs×±í¶G—fa®þ´ù
-ò¨úÐ'
-x�‚ #â”/½7çiŒEˆ 9
3œ0Àš‘õó†9lw¬A‘¡â»€‰u„ÓrFÀ\(þA‘«�,G+ü™<è2˜šïŒ$0TZFc]¦
-Ö�_”IÀaCñ½¹Àjq×-Ìž¢�ÍáäiOŽŠËW­…ÊF^Õ—(LP+†aŽ¦Û‡„ÿpX@ÓK}Û ÈØBù�<Ž4|*Ô¨*m‡–WÒ
-
-ÖM,¸Fû†P
-Ùo¾q²ŠÉú\ö	º(Ø<‡C8Ë|
-˜€›,.0@\¢xëã|ŸÃÝ3q-k6�ž±(I
-mÂ茸1„.áS¢Àb¨ð˜yÖ‰lió�(R8X6ê³7iq£@÷‚,^‘cúÚ °� À¸¿1û>‚_ÂWå{¼£…%€¼å{„Âgl'
Ò≓08ŒñKlàÂý8T)ö8j[ƒø¢@!:èCŸðÁ‘§Ñ7©âzc	X-}Þ¢mQ
-P§
ÐÅb*xÛ£Û À…°:%V”FF	í7Øé³Ø0ákVÛ¨%E0y<ki{q@X*×€Î/ˆõaDʈ>"�g\ªR(–=ÎBád|e÷­&·ˆ£˜âj—D“#¸Lcù6©˜ÛiG‰Bš_# óX‚€&d´“%'¹è“8Ð@´0TRü¬i@,ÌÎ@�I¸–¬ÔZÝx¨Œ?V‚Œƒ %±£@][j`gmøˆ²~S®¾„Œ)ôµ!@hY»83.ãÔ-¶¡5:sëbJ8ò5"Å>¯0ެà ^Ša´:ur
²pÈ,�eqš~Q̈PåIðs±…Œ ‰	�-Ù?°¿\߀Õ:GC,a¾¬Ôð	
-�rKŠO“=(þe6ˆ2n„ü†
-^®â.'"!ØbýYÂ3—$JÞŽ8Ž�Ë
Fá¡'+¨¬?Ye­•YÍ"”Ë·Ñt.ï�Õ&|*æÏ@¢£y“«
	âÈ-¶¡Ýüh®
Mç¸Q~½æÚbmƒürŸå`r�³Þ%‘Ô�ËqŠEcIc^Z²z
-›l/ÊÏGb^R¢:‘èHtŒ†'Jàû¹x:ðpƒ+G¬qThÐ�ë)0SyòÏgÛÁ/'-»JßËèëËNsš…<õ›	�dpgâ™bgxScÁ˜
ë ~0ãÆô&T‡ùœÊˆ)kV:�ö3T,ÓnÇ8­\œÿë0ÓæÖã)˜)
-3�«ÌtX˜iîn‚™ÒüßÍ!LwÃø¿(Ì´äúû#ßr„ëgÿÚÌ›þÃ?ÿ±™¨Æ¿o¢´ÿûø‹ЕMã› ÛþW÷ÏÿŒ¼*cÓHÚ&Zý—§$…v]2‚èÂ?6]1ÿoé§_Ôs@Ÿhê×Eó�yÐÝÏ›Àƶ:v\¿ í÷þñ¹_«ò2è?;±XÃ^¯³G\ÓpA‰öëÔÉåÑvÿ9­¨úxö€�=Šh´ã³´�Z¤gU·ÌÿÔêœ6ÀÈþ%ÿE>éünÕÅàÅSz]È� ûEÂ"¹Äßwè�Ôï¢3ÙêìžÝN.e?eÀ•P½Þeõ5ná·¿ÈÿvúEçŸXøÕiçØluIÃÈrþ¾VýnºelûB¡ëu“z
-¿pþ’«Ã¸×EIáøvÝ,�kÛ1·NèV–E¡ÛÍ?|S—Bý¼y@œtVî;ÿØýSÀ“zu×ú?oÂ=·U ¦>ùÚEo¾òøœçßy}vׂߣ{”Êç\h*£Å—µ‘Ÿ;aÞœ¾åYjX¹ñËO7n\÷ê¬Áƒ.ïÔ\îÖ8Š/•–�ÇÌ�7¾eùi_ߺwÏk?\ñìŒQ—žnЯŽzê…�
-íÇß%ìÃ'¿ærSC-«™ºÍäÇŸ½§ôSÚÞ¶xÉͧã¯hääI¡ž||¡óM?@5»e
-Ú e;™ejï]üôM%žò¡O­\"ø!wÞ|i!ébòë0eÑ3wÀ�Üõ–‡fö6ÿû»s;ó�>}“K½:õ,tàÃ�¯2óê9Ó[pûÈq£Í×Ä
ó—>uËù…Bÿ‡–>D_Ôæâóxú¸dÎKîÍÊÙ3Öìþn%Ävœòø’'çÝ{ÿt $ÚÞ²äíe3.(\ÿÚÚçé‹ÚÖ]Ì�Ÿ“®zdÙSr�£áÕ]��f
-�êï[òÚãw\=cÑÂÛP©ý¬\ÿîÓ÷¾¹õ›U“é—_*У³o\ôÂ=*ò‚Ç
-, Œ]��Jˆz.Q¾$²�DN¥'²Ü+I 'ÅI¤À(×izä‹	­Ç‰Ä
-Í!.
-mN^ø}_ɸËb>ç$’ãvaÿÐÊâ³j¡ƒ7 SsN,VÈm¥ZÊp.¦
-¨Q]v賿ÝXáyŽú—L±”þ¯b
-œÄJŸXš:$
0Á] Þ™Ðr
-B
Z8ùœ£-|sÌ=ÊLáž‘®O)lKaÔ&÷±µ)W(¯Y8G+6öÂÃéšalDT�äÕ;rÔ2>cÆxH©Ø›	"´A�#¦åüc5¹
sI‚⚎’_[»«¾Ëç	"ÌX9€jàÁI¾M!_N-ïªÏœÞ
-ÜÆP.)Õ;ü‘pàgŒÎ©€Àõªp±Üó	s1fÁe_o$4,
2Q.,8ÙCW°ÊeX¿0
-`*¾2š%±ŠÀ‹p�©šÇ––=rBá
-�H�Iä@
Çgàf��D×>Ï÷FJa
-V `âõTvÁ—¾‘q¡Âù¯DkðÕ
-Ÿ<Ô ôg¯® O@Ê&néP	ÑÂá#A¬ôèß ‰nV-® @jj%šá&eøk®kEëÔE„%äÜ1‰2îþéPÞ/ôwù¶r”WZ9uj<‚À�–óS¨×€¦¨AL¨ÞQî.`¼”>1¥ø”Eû;É‘[â¹k
B­à†Øòôfµc̼ϣidÖR¶¢³1‹æ|áX…›Vý×Â!Œ€¹gt²¨L�“ÂîèG]ˆßå«W:ƒÒñ®(WPzÊ1/2�i
-‡	•KS�â;€qñƒüðhÓ<˜À2*O¡_Ó%™›@à�¹‰€ðŒò‰sˆ âŒF DQ ƒ¶Jãaxúâ�ú�–?^iÇÚ°ÐØã$ÌŽÙ`¿5Js%�æfÔc1«>ßé1¸=ÈÈòŠB0x	° =–ç7?ƒñai"Ë(�V3+)+‡€vT—ƒØ²vz61›Š}?‡ÎÖ9xûa€ðêmš#å\]?±#¸ósœ“0�6+²1/ÅòD^Áèo\ f/wà�,xbš“ k �j.Ð’º­yÄÃOUˆQ›TA
-'põDd™¢»åÿ/ÑÍ®Æÿh�HýÿqjÑQ•éfÑî&´
-¿o×££Õo>ál�ýo©¾î¾û¯×ÞÓúÕ�b>œJ{Z'E�|ò½7§·5µÔ©w7Í‚Ã
-­Û9…¶ãî^pçpáz8gô�Sùq•ùGÛž
-Shxm˦Åð;]Þ�½³NÍå`Ž9ñ‚þ¦Ì]0ç*þˆ¶Cï|lîåø€3L×Lúô9]r¸ñÃýû×Ý
G§aýØãÕiôªý®7ÜõÈÂ9c»“ëç¼i‹×|ø	Ò¶©éuɈ+ˆ{ì‚g¾nlüúy8®;ŽFN� ~ÚD:ÜïzócOÏÃD6g¾½mß·k'Ró�›<õ¦k.áÞ~Ö¬u‡@ƒÏè4f$jwšrÿÄÃÒñ¦GL`2«3¦,‡í›gà5¾xÊ왓úKï¬$)‡Vƒ,äâñ
Ôù.¼óñ{zã�øÊ{g	õÎ¥‹˜æâ“—Ú\që­×^.¥¶wo >¾Ö4Ï•S‡Q]:wñCLZP{û4ñÐ
Çè�Ï]=†tQotís̲yz¡0èîÙEé=ÿ•'ع|É´[ÅOXÿ¶ø6ö¼àÆ¡�3>¥Æù~í]ÓŸ{í±Ë)ñÂyË_ºš_0kf-ß8j¥º46̯5=ûýÉ�Â)ë¯6oßüÃDªg­øàQ*ý¨…�¹Ó•kÔòÀ
?·ÃjÄ[9Ç˾U›rãšížÛ¹Ðû±Õ+ær[\ó‘ÍázóÏ?Ú14äµ¼ïoÃdN�ºáÐÁí+ÏyÓ·_¿Áª­Ó,ŧ·›žÒV§‡>Kò¾Ò‰ž ó“¨ÞCßí€[òËÑ={gœß¾\W8£oo�sϺ?/k»ÿrÂ�_•óâî{çS£�æø=¶/½õŽ©#N×Ïÿ~ÞmôõbSõ}ž+¢yÚ³bÎ�K7çïÚùÁ²ûFX@ØÀeE”Û–Íœýr	ãÌ÷_m-qÚm'§îÚ~n±dðw_m=²îËç®ÊÁC†¾xd~š’kÇëSòtm§¯>:'é¡íoL+bÉ+t›sT¾Ú=Ÿ.™RœA¡pþÝ«ç@/º¾ûâõû†žU(½ºÝ¾ôóæ|ÉÁÝ_¿ÿŠsËžG]Œœÿ滾?¬òó¡=›×¼tßÈ&]‹ç6Üûüë+?ܸ«2%Æ�=[V/{`üÀòòçËÑgø˜\º|å{–
|ŸlÙ¾mã‡ï.›?~`Åâ—¥nx1ÆUï|ÑÜëúƒ_±ÍÅŽÈãoàúo¯äQx%›ØÚÒÞõϼyíd·°|òš	€ºŽ
-ýA¤F@//!™8ä÷YS¨ÎåH•cmSÖ`­Îr)È"Í"çËß×ÝÜýŸ²³v«Úð³åâPR¬ÊRRE§*Tq•Ô¬š�½*“ÈâpôI0¹EøðË�\QÙJ؇³\ËzN.0­GX@k òLjA÷=¡¯—‚E"˱U¦žs9ø~,’JApwFÁK-+‡rñgTüª"VN¦Y4|V¨ÖÓÞ]1¬­b
-�Xƹt艪�fs¢ï±R…Ïlš<©è2P€)'Æn"5a£/uÛQG§Šš8´&D¾i©/=ˆˆpºÛ›‰Þ…j^ý1�iF–©Ÿag:Τ“p�Rˆ³…:�™Q\™RÂ�¹RvÉVœg´Ä±z˜ÑýH�£E|1	3‰>Â.ÈÐsá�Ë&6ñ‹ X<bÖÄŽ�šPÌ6»»DŽ
®1t0Í"Ñ~‹ü{Ì‚ �
-Ž…FªäðkÐ^T¥ÂÕO¥ñl°˜r"Ž$Ì#µ‰¼]òÐA¦×•T¸|‘Þ%Åí–ìÌŽË40_”õBÜ«ü±h<ql5KÇ,PÉ¥�4YmöFE8ÀUU³DÂé#'¶Z–ž€+"×eDýŒHØE"7ÌË%3˜ÄŒ[ž(dÊý`l 6diåÐƯ"N™ÝŒ²Ö‡s9
-ŸÁ,I
-ÂuœE™1å¯s|½[ÖYI $?"
-³^+Y)Á)
-4t”5ö/+"ÖY5cÎ?ÊUê(„ØÔñB­¸2éR­¸
-B§%QËÕSõ3`lU‚M'ZXmi*¨[êe|g*k è±ke:A",.©ïÄRõAê
-LYXIH�W„»I¸6WôjRò%ÍÇŠð£žÙt‘ÂÃâg⦎˰&KAŲ”‘$zˆEÐaè"î‡j—U Gɦ{±€Žì ŒŽ„β|P˜ñÅر+€š—È"�»c6}-ËšŸ£”ƒzº+‰±—d˜=³×ø>ó,¶$hnìP“ø.w²–•ifx“„3O cºû&av)p*Ø;ìy®G"¶ºÍò¸!¨†h{&›lÆ%BHZ¹¤À(+WNV‹sCMO”&˓ψ¬�U‰mÇo•qóTdñ©ÄøÇlö´py9ÉB´I@�tc~jA›~ªBíi¶ÑòÓ§®…è†�±i&ŸÅÒ
¨•ó­JðZŠ�×,èÅóÇØSO”åeöƇs](Z´š‘�	ŒÛX€–))UvNÚøq¢™ÖüIôžÙ‡!�^%
EÆ“==#
ôH‡$¤su(‘b(ça-+q;õ´wÓ!(ÿ ‡È"ä…±Pà!7	Ëx«­/DÇvç®[;|�= |#›Xš-9fÏCl+‚qKq»ÙárE�o	 ¸§½›Öô½„MÏl¿†˜È5ÔyeÌ;ÿ‰"“åó(e³^:�pÇ�@9(Y.7�Ò‘:­tÏB[OŽT‰PÌÕ…%·µGWeÌ8¸
-eˈ6Qd…ï9ñY!Ôî&¸^P}Êî�^NȾRî!©GŠ#N”̺Fa°
'
-ÿ@&~ˆY™½øî$Ìt¶ú\Ž×É,1™pÍÖÆdžȓDbGlY™v\íÁØr@JȨӅIÛ±Fnä�e:^¾®'�&*N¹êØfëZÉî’ª¨•ÚjYAqvP¶ëIb!õ¤µOG¬q=ŽÃÖ3õ$:¥Ô-«ù!v„ð<Píc“¨ ¶/Ç
-ؼFB8ëçvÞ8±ăäÆ¡ŸÑ©%’½h#l6ö[jø™Ps—;…ª	±hH
-3Žv,ø¼i‡]•óTc'ÏE•ò„	¾LÞ¨†Yô*Vk‡
%—ƪm5»±+�ÐDò(uï§RÅI,H€²ÉÍ!…|P±Sãd뉌b'–`^$†žê1myHU­ÍÂ,Ç4là˜×È
¶s-8æõv‹Lfº;–.¢N•lÙ½AÜ~S¼»ú}>-ÜáZ*ÚÀq$”4*ÖD~èÚu9MxÛ4ÈþÀå8­
}6
-�
G‘Ë^
-8¼h
Çl'ÑSHäó†4ó
Ç(µV’r\–…D,“”ÆÊxî±6|Š˜na�w”Ÿô¹“}üÀñ�8wW~óT¡P£Òõ²É:uJ¾žOvÊý ¾rW¥R˜ rˆ#‹"%F6‹T"Í<Çaž;5H}9þ¢ùŒÍ>Ý…Ý$9û%Q-ÐÁ§jgÐx¢C£T\åd�¨·� +Y¡ãËÝÊ'�Df%§f³"²ÑJ¤+æ²ðBùÁõãÌr51�m)ŠuT2çSÕ•2…–žö…Qt‡øáa1¥ö<Q
¬4ZqqÎבêi0j™�ý‘˜¸|
-4íæ#Â:{%…uÄÇÑ*O…8ànßažö
:|Ìî™ÑçDâã&,qcx	‹
-Ðäì´R¿&Ã7XNÂX»ö΄ï¬V:ÂôÀ®Úžè
-ØÐؤ…(õ³\ÍUGf­” ”‚¹Ù½®-­g‘Y埀.À£CrF'²ßÚ]ƒäBCAž:�QRÏò…ÃAÐh|¡5€
-­ûwøŒß"bšä­f:¿¦Œ:OUS
-“7×59ÌÏJÙJâdv•]!ã8›itR€Û-›íü�»‡ÍÖ;ÐñGá-²–VZw�Ýu«ÎZ¾é“aiË`-°|²æ¢#ÀzM‚"ë}®Äää!³£µè^k³æsÍ%F¹²äÔ³}9Ë5�+”@¹¶´¹{³ïÊåZ^µÄ]ƒ*û,x䟙³Ô'ͳ6Yæ>/ˆ–ºC]Ä*iЙ<W¤ŒgãS#öÚâ³µFÙ6ÚÏm½¬ŠÒåï•`ÞD
-FÈ‹ø€šñ„QÛ](Y*OÉóäD¢4?–®c2�RWõÌæV=Š¹=¿c…ØË)ê9ŒNç³vÆr¬ÕdÙ2‡®Ù„äåDŠ‘™O.�g-zO‚ƒP[âZSO-²/�D~>²Çܽ§	h‘W
-Ñ‘èU“ÑW-EŽÚш2½{±Ny‰“ÕK¬ÀIMÔÅŽ"‹ï…RU"Y$‘OyûÃdɉÅÌe¹¦ŽÒåJ ‰zr±Æxþ^Ä¿¸7Vv’|¤LQ^²è8l‘$¬¤Ê‡ƒxœ;
¹-³^(‘CA&dŠ6ô¸i±¹�[íî;¦ ´	ð°Z&
-ÙÂëÛ>�0�,�¬„5š…gò™‰�ëràéæ†+E¥ÈŽ$�Ä)�èî´$|d@¿@=DnÑI?�ÈÇj‚Äå;qLjóÆj]bÒÐp³Äl*«»ÚÎPä+K#öÓˆ‘—¥6Ïîÿôì­t¶¶K¬‰Ì¾u²DÇ®°Ù†$;SCh�ëh'�ïŠ-Ïh~.SºV�N>¹€Äe6Ý;v•×ʧãc…=\tÅ3”Aö‡c8Eá,|Ù±àuø
fˆ= %ªËGA-†
h.®н¾µd±H¹JHù©f
ˆïE<6·:d?”…¨!ÑãÀ%O‘@÷SœÅ1í¨Øéu,{*…2ÿð]•"r�a_ÅYËΪcýƒöV”í8‘°>	{Ǩð&…aÄva÷yï,²&í¡#¶Óà`
½°©é†³éV™ò"µb‰˜­lΕ¨pEჵ‰j�c†gšTž¡S�ÇB>!ô6(1ÈB=|—Ñ�ìò90Älj
/œpcƒ€Žt…¤£ÍÇä<Ë®
-q-â,…T¨�øéÖ’Ï
DFûoöÊøÖýIžó\×N5ª“
-íB`¥ò#‡	
05ñè†%Êq$6±ö¸â{=a…�¦¹r©ä@>¥ù³¨\ÀH‡–M1@|F°J2ÒˆNX¹´åÃ`.#
-íÁqÝ.âöS…­™žãñ�ôR•Î–Jt2Ÿ•m:Ñ0³Í
-sŠA%Æ
†½#ú‰d!˜p ÿU
-6Uµ%Ðt…žÜë;Œ�%:|RÕP|¯o÷ã¹—ù±£gÆÇ:
-Ù)ú°Xý q°3Š*i”Wm-ã¤î’
¥“Ò ™,)䤸hÙ'»Gj ænøêgÀ`‹„ƒÞk1l<^c©gÐɽ"‡h»M£U†úBº5ˆy
ÓÁ*vXÚI
-1då@j:tܦ�¦ÖJêÇ–ÃT)Ûü”ûRlcÚÊ+FÖ@
ê&!¤?uᙄ %	‡õ]a%DH
-J+~I±n©”žJµ©s/fE1l£•È
-»
-¤Í3�ýáña¦Êý%Ù™�œÃ´$x°/Ûø˜·Ë¼FÒ¾EKô¡+XÉ$!ß«Û/"…P=ÌŸOÂÌZDdÛÇ_E�çó…X\q´½O%1ä~sS™à‰â½¹±Š1oäÌ1\&:¨eõâó¥4ÑHPQÕ5mfg;f[Rž
-š4R€;mÅä(ZqßrÄ`áµS›Jçú�iJžpØw•Hç’ PÌ!	BW�¹Öp\QP¹¢ XT0Ëæ�¡'‘®H§5.¥VÏ|fï.Ó¤Êéï\AuÉ¡ð-™Þ‹÷ P”¿Ë;.×åc/v¬1ª–šı›tÊ�ÄŠŽ*�XYËü¦Ãt€„sÅ
-Q/ÂÉN‰è\¨¥@^«”ˆ©�=pØa¨Z቞
:™™ë¡=aCb
xÃ%�JŒb¶âø˜IcËXA‚í|<E÷�kÐ>NqÅåX{\;]ˆÖ'¡â
9^ÎcÞ\šœõÐ_ü¡gë‘Žy)09"¦-_¦[ŽXǦßrÛ#€Ý¥gˆ
NxÍ,³Xö*
-ivY½6ÓXÇY9O5ð9$DÜ!ûTÚþ`°³J(z4«€ˆ¡¯«%æ¢D¢|bëÌJ@ýêëÈ"
-�Õ�ÀNYÚEzLß�WÌÀrP�	ƒI»`
-u…Äv "¼¦u~¥Ž;r1Ô¼öèp�ÖRëêµI •JÑ•<_óAµ	–Ø9wõ­éÈÓùÍ•ùÅᘞ‹<±1|5¦Ä¢R]

O%©’í“|@d£¼Š«ö'9HÃÂ
-Ü™X_É9„¯Y?/¢!ÂA"£
È^YŒ!û ²c†Ÿ
Ú&G¦ŽQ®#„ÏϾºaŠr"�ÚLŒ0F¦`ÏÄÓ³ãèÙßêÅž (”H†Þ•�öÚ~º/uÓC+Ó—SL\Ka‰¸ÍŽWЪ±‚5
-àgé?ä	Ž‡+S£*œœú¢á­ ŠÓŽÌä
-e”(ci‰ÃL³©è^«äˆ«ä´ãÝ“Ò
-
œEÅp„J�•‚t[U1$¢<x¢R —¢bXFÅ
-Á–o¹,4¤bI¥€>¨žR1�¥,æEr¨ SLÓ³ìî,ô¦b�N¥€K¡\~L9ÈþĶð	'’]Ɖ*¤>…#//ÅÈ:M<=Ù3vMÌõ¤®B¨�sUÞ'›ÒDk•Æ'z¡'h¥‰OB,>
-Ú9dYH|¢·=«@iþ©8–çªxd›qM—B!2–øÀOuô‹¿›L;¸êöĆ5a¡_ßËë#Ç�e4Ç1…N4QDL´
-k̺Ög˱¡Nol]-Öb»þÍgâQÓú®â8õOô
­å–¿Tz¨K}�iºÃ>tf͈þµù'P—‡}Ä£¿v.÷šLò†¯ù¦!õÿQW;ÄX„}ð#ß&ŸVÕ\ݺ£�ɺî?«N®:®ªE.Â'WÑ[«N>®ªuçšáõ¾¥zÈà>#û×7ñùPu—¼
urøWKæÆ3MÇ®jÑmD]Û†ºÁ�úôÁWRMgUG\UüÿŽ !
-©¤N’ILI„
-Øhüiì4ÆûÃöÛß=µ«©�}t¾MÔñ»%Qô/€ÝÞûÇdF®…B£L*¯ôÔQ_þ®ýL�ÌI@~i@Ô°°!¤oÞò
ï"Ös2%þ¶R±?P¾føf—Lè�ú(…ÿÝÌR‡”’7|ñwW~së<ð)]ßѾarõš’aàÚëPù=1å.fhŸÈƒö«íÁp2¶	IùUÓAò–0’ÿêÚÕ¹¥û“q×h»òƒdR0‰Rj
î7\Z/
-P³%Yù*ÖaEé|U*Í Ÿ6w;òüx¡ý¬·úç.<©ËUÚ^¸ÔŸ(T|±µ
-Œ7/C½RÏh·Û,ïï¤
-hÛ�ÝÄ"à¿èúþ·×·ví˨tQjÅáÃÈÿm�µÆ;òXF*‹¡^ÂM]åd€ÅœÅ0ä%sÄÿ!ubOî)á’5ô_N‡øoºL’JŸE¢©ôú�Äfž¥”åaP*ÐŽ²1áÝnÚ}¼YÔôg¨ô?ÅÐs.;S$¨|¼¯¡É{›™N#Òie62yv“hhz
-X96lP�ª�
-ÚÚfàþø׌ø"9Ø?,6F�
-
-Ó£¬}LG…¬Mæ—ô7#&|Nݹð™QÇŸ¢õ‡ügÅÁïzÀþ#=ÿ~3墧ªÀ»å˜syØïË/ÿÑèâ?¾ãý#zxgÝô£åÑAÙ¦‡YæÐMg0>õós·}/Q-÷•=—ÀCw!…÷äþóx8覵¦DÁgoÉ*ý¯N-÷6Etkj"·ÐØ虿£øû›õ{
-L”„€	~àÁ9°R”pmØï¡�Ñ–
-axÞ2ðœpOöåq7Ü‚Gz~=FŸ¨1r<)uÃÝÿ�ÃÕNo,·zýÞø;ã|[&È}'l5å­¢Ó°åQW}5]Lȇ„ùÐì,6G§l# Jû;€B¯VMÏ”ï$Løú®ƒ¯ÈÙæ{2�
-MÈÿ#â !éÿFiÈ�èøGí¡OÕƒbPƒÎ„	øŽï,ÅŠÔ±ÒQÔôódÐö"kÔHŒó*�VšïÔ˜'"Aúr”.‚¶…$
-6|lȸA?�v°…e9#5
vª:Æm\”
½¼¿¥�¦Ûí€M·ð“¡­…÷Ä	À¶HùoÉŠ4Q;‹%„8iõ/Œ«o;•b†a4'Qöh4T{>cÃ.�Azõä4¨ÀÑ1Œ‰ô”:ZŽ]¹�ª—róZãrÞÔ†„‚m-ðÒb* 
‹…jæ¤ê™= ú™rw©	7]	€Ã8+ÌQ›¿ËÊ›jGc†Æ&}0´Å°‰†çÁ8Ýé�”ç¡©¹2têàónàö�KqªÀ6º4Ôǵ.­t¶Ãö2_¤¶Â]¥”­lºMBÙp‡&ŸºÞ E��_ÃÏÜñV¯ §‡Ú…×|ƒI{ÎYoó—Ëêw¶B‘ÃF_¾íþò'j{Ôo§£�Ö¦=P½ 	ÚŒ{}ÓÛE¥gÕÉõhƒ(ÔOb(…‘¦¬ÑŒmKˆmÔIËX•H}›_ƒÔ¢…R·<eÌ û"ÃüA4Ðï<Úôù6ò̸,§H•�Á�˜ÄVv©Ÿ'‰2 -îÜ,ß5b†¹ÝªÖŒ8³šÇCÛCËEî
�ŠSRŒžÛv£@…Ùƒˆ-Àù=ƒÇ”Evw	Ç‚xÅü>&:È(ß	§•Ú#Ê
--#…
ªH§Ã~Ï‹WŸéÌýA»?q~vâå óIìÖèBÛ,訌õî0ÏD�>`ªRÆö; /=µÎo”á
-r#YÝh£

-^iªsÙÇLF%iR€ÃôÕqüO6�q3Ò¬ð¦º÷•®Õâ�­Ø+’®ck	ävÌî7ØÜ<èf7xs`8©–ºFdfxóg¥û1±H–ÈÎðd£8‰?¨{jûý»o·õÛ·û
-¨µ¨µhðì|žíƒ¬.ÅY´D×#þµß)'ÞžLYǽÞ•Ø‘W
-‚¼†¼$>fky¥`È+C^)(òJìÈ+Ù‘7Mv”Ûº€¿’Ó¼ÿÌí(Ì1~àDáœ(0 °
-{ P{8aÃ^ŽÑ9;¢û5¶á¢wË ˆÎ9–K÷Þ .®sAq�ÃqÝoò
5ѹ@Œšs`9[kÅ•a¨áòwyà‹á\
-vôõFJ
C_’™ak}úò>è+C_!(ú
-ìè+A_!ú
-�ÐW„¾}õ‹yü0R€½B ìÙ±W´c¯7NŠözëÒb0ì�rÚÇ6ƒ!¯yEväƒ ¯yÅ@È+B^‘‚¼ÚeT~ø(À]Ñ�»Æ‘üþà-/ØÁÎâ}®•]nJãh,¹ÝÚ+™“½âzMŽ)›¥æóÑBcc·‰lˆ‹ÿì¬�쌥ÉZéäŸÊ�Z�ÿþ‹DO•Hde9‰Ä¢¡êèë?xImrG9ÛçÁ*üÙÜÍ?¼ôÁ‹çðFÛ|½´Ó­£yÄzð½´sõð‘
-ÄAÕÂ5Ot/[Œí¾‘݈.…bêòâpDZ«2yJ/Æ[‹ç÷¤A“Bƒ¶ÒÜÂÂÕ—cÉ`2¾o·_¸Z)wBp´ö­°8×OIƒrµçöuÐPlIÈÞVÉkÍÞv¸z]¹%ïjíãR(_´bà³ìе§Ëïkú §ËË`_ì»**W™W4(¿²ÛªÚwõNy¨\�ÂAnTÊ>dÇéËUÒ ¡˜ò0Ú;°†uš;æÖhƒ¶•¯þ†<èqueá#79BƒifV]•j´A÷¶…
ÿ…<h6q›\ï_“k™<m&Vv®WdÒZ¹Z±ºE4·°Ø¼RÖ)ƒÞ>pµ‡½s4(Ä1'*©ë±·ÌU“8h=59¦ºÜ}Ù9!

-Ö¢lD2Š::]„î¸
-uÐÇÇÝñ5eÐû,÷pr‘p
-Fц=>yùvSÙX!ú0NŸQ}?M.ÝЭq�g`âZOvÊÝ®Z&Zý¶š£ZØ‹\s
mP9:®£Aá(š¬‰l+“ë»,4é"š“…õÄ×Éû#tSqú´r¾¨úV\±
*½.qGÇÒ”ê}ay+¾gp‘´¢¾,ÀAWÝì¡‘ŽÜ/äj`ÐÕ%Sï‡EmÐíx5…E£è
-|K`k­A._[äá[ÒD÷^G¹ÁrNDTIz?Pò'{åíx\à·¾äÉo÷—";'×Õ3ë­M‹î�×÷TòׇÜC#™”&”·¹Çã�­É2é-ÐÇ¢‡‡Ï§kù«Uâ×…ã/|"¾}÷
-T[`ç<âú˜mØÛ¯ƒÖ#}Ph瘃Š¶AÀÞ‡úÿ½1l½oð>h¶¹ˆƒ÷lç´³´´`
Š´kP(+m
->€A‹`6w~¥ô­¦éÉ¢ÍûØÞÖV5†ý8£¥1Ÿéî2«ñéÒ‡ÑD_®5aî@ŠÅÀ(ð :ØŒ}f'æ
-*É­–¸‡
ƒ|ýòü\‚æÃd…4%Ë£MJõžT¦·°–BÿhðÔ|.O òÆÄ9Òù‰@Gÿœãv5a}ÛüaÃo}àh%É7ï·¯.Žüö/u¤ã‹fÓØÖ‡FA+\_ñûþÕ›~~K*°<:»bFvÜâ#
‹{^þ¸™³,ÈjT9äåÅå½Y oÂ=C‚»¾/A!ßRqݧDb>`Ê©�“õTïË#|
-ÅŒu%–Ъȼý65B‚bʦz_IÛ0Ý$CžsÝÓô’]WÇ·i«~ÿAÀä@€y^‹¡Ié3i,)�ôÀd¾Þ™êZÂêcvº“£
⪃Š|¹f65žìÞËT5¥ý£ï•vHáF‹–eØN]îë\9¢	”,G�xjg™×arÓ=¯µšÜo	BéKñ€Œ°©Rœ …ymÉ[a„6Ä´^Á¤À×—Š'¯ee=u–šµfD•–`ò×±ýíÔí\Õ-–(†b~ûûV˜Ì¬=é´&ߊx®/ã;¥bÔCVZóaPéÀx¯´)íX4kí²’(;è£Ò=N–Y÷/óSéXéó­ ˜¢ÊÙU(6Eg�e¹h^&·twf(3-ÊJ6œg茪ÕM1‹×Î
bvŽp‘º_ËôÃ¥›ÛU»áºI¥:³vœÜoi|Ñ‹¯)A¦ƒ—=Võ:£é
-{NK|jª|Ù{˜”ÊÚy,
:Û1*WÕe%tØÍ>7l4M	n÷é;«±@Ûi•ÊB1†©a7ñÑ,qm*~\€e"vÝÒ˜ˆS·ô�‰Ù;,Ö˜0u»ˆ*Ý<fƒÙäÚ±¤-ÈÈÀý5tÈ}nÓ”¶ã•q°
(N�}hàÖ©:‰}P˜aDOš’~*ê1©y0
- +ÝÀ²“øæ‘8>Wþ
- ×Îæ@/‡NHãJx¾v±?Ñ®[²¹lÅí˘|A¶Uwn|ìž`tè�v¸|	» £0
-v&ÌÌÑ€�ÐŒÎNû—�…ö/gæhÈ~Aý̬S ^æpöŠúy¤�ípÝñeFÇ!›.€q~û–­sTwƒíèÐåqÃÃBõ‰,£“÷­GP×”�„Õ_!3ÚSg8’ÛÉÀdC166:óÔê½™¬�'ƒÎfŽ~€q:N“?{e&çê}%ˆ)Ppôã£È1Î&íðöLÛ‹&bè‡N9þ*9~š€:ãgèÌîÈJ¤²Pãc×sÓïï?H²0 Åm,
F’…!w²±Þ“ùèM
»Ê:|°S!ší.Î.Å®gviY»?»~M•…Á¤Ø5ƒ~OêÏ®5ú™FR6ìHðð'—†0$<å�…Vä‹Éù§–†7^Ne=tJ‹èÆ1¨ë3û:¡m‰
”AROß ±à£Q2kº «,çg¡îµ¸äçU``ÜÄê.Ñtbò
#�{�žRp¸®ž+ÿp:ç”èDŠaDˆU0¥	FÚ-«X
-ù†Ñ“ÒÃHcˆ\³Ûû·ÎXz(Yˆ«tó�S´-ììÃG´`òÅûôv6ž‰Ýcñ'c*†ídÀ¾“Žà[šVb”Ó�à[#2‡ñš”ãtªXU\OÖ‚Â	ãáùrñóÅ<¼Œ¥	3ã‘ÕÂê#Ê¡óΠÅæ“Cç�AŠÍ'‡Î;ƒÎq{ÃÔ9tÞt¶lÁrè¼3èìÙ‚ÓçÐygÐ9³§Í¡óΠÅæ“Cç�AçÈœ:‡Î;ƒNÏ}›9‡Î;ƒÎÊá�-‡.é™AGõ�Ì¡óΠÃ|ž
Éô´·ƒÑk��§gí£ÏX§dZ¯§KŠ_àöf+Î�HŠr±ÛȬžüÓ%ŸXrvO/€Ói�XrêÖ-Gýâ”Xáä̲±‡…tÏ––'«+—ý;KÍi}fÞœIû®H:Öõ¥¦%2äì‡9�§„e>ú¸Á<àä›2‡üÉ>¾c6„½M)T³�öK ¢§'û…‚8,¾¯ÕYÜƶ¥­b1ŸQj>K
-B‹´¿M�HÁ AuñLžÞ*ë±�a%‘Iæ§Ñu~Æ
-ôÄ~†,0GßÝØ[�`Ïã³9[1ð
òÀ|s‡Ž†x¼Ç¤ÆÛ1ÉžZˆ<ð`RôxSdÚ¿â"iÿ¦‰"py0}÷Ï+�Ï7'†ྸïA˜³()2Ø™E�Î<¢êƒCŒœ33%ÄèG!�I¾
-�bvÇo^q†ÖÃL¿L.6ûeÏ7�Q'vªßÒ?_ŽÒ…Õ
•áX™�¼ö�u�·‰Ôí}ÔA>u¹v=Œ=¢*&”n£Kv¯uð.nY¬ëXÃ�3â™*ǺCÍCOqó£}0ˆYiB p0äÈâúLpxi.{þWž,xùÆíz¤ð ¶Òv=rß/+Ö¡EÒ1ùAq[ø¥ÇydÙ¹=#Š!=™M“bÉø¢nÚô±‡q|i.pZvLÉAÄ
-'o÷Ž<<W(7.ˆ§�>%°û>w¹ñ’6%1˜óÊ°ä‘¡F§[iqÓÀÉî‘ÙæT×ÝâbqäcÓ±xd¶ùCç
(SD©÷ÈPcàßæä‘
K[ž=‚è€Á#bIC›Ù#³‹3x{d°ŒT¿ü¼<2†&Pz=9À&Ç„ÉlQ;WêÚYÄ?nœEYÎ#'qû’÷Ž`54-—ÉÈ©3:dˆœ
ù§¡m&fNƒ±£^7‡±¦�yßb!]˜96Sþ¨fñN¯çÊ«£¤�Ø3…ýDPrý’*
-õ⺥#TŒ¼°ì8IÏâÞYDAG°_ê§ïó·#ûùç�ÇtÿØÌùpz´##nÞùpÁ"T§Í‡sÆõ5ç’=â̇›%[�=N…8§|8#Ùž7ï|8Ý£8¯37J>é–€¥¹çÃ7·x…ZN•ç²Å(Ç:З2‡”Ž•Ýšê“/Æé¸d˜®[²ÄDº¢$¦£ýËÙÓë!bŒ„dèÇ}­Eà^Ø�Ãxžr6P‰Ÿ9“öã{©ïñ|ééóI'Ð æ CÂQLb@†"´Y`#f¾¶ì¸!»óÆiv2¬Þ_1PŽ��QÉ°z�Ut^Aûev2¼Íå6`ÔO
-:›_FêýÇ2Rù¨3éfªŒT9z”
-Äï(© Ÿ9ðMÐv22S?,æ“oF*û5Ð.-ç	ÄãÒÔ AF�=¤,"4GY‹ûl#Sá,>4['H*œ¡ÁÒüƒóI…à ÆäÏ™..˜ßrÚT8»rN©p�^è’v^©pšW�!Ót¦T8Ó?Ævåç7ÂS%rKµHL‘Wg-RåôQ´ŽÎ¨1�Ž»È°3ÊE†Áu˜–j¿dxÚÔ†ݨãÛE8À¸º�AŠ1ˆ,¯Ž
#œÂÁðŽjâA÷
�iUãˆèl+ž¾{εÁK�ªòuóqó¢òÆ—K™ƒëÊB÷ YÙN6/B±ÍáS2þ®Ÿ‚–ËåÚÍ}­#,oE+š8Bî^ÌŸ|åÎ;+oã¹XŽrqW·§¶U{
-ØÖZùî––ìvCMvS&Ok¼cP<ÃŽ«q+G”As‹ùóÄ-ÙÍ3Ãn$zeØÕ¾\R]Þo¥_h¹X	G.–£Ÿ$`ƒÚSÀÔåü’UêÕ™ìK\ö)Yg	Ï»hMNSåj‡§”As±ìq剞a÷è•ì¶˜£Z?[øBÖã‹�ôŽdZ†Ý¹G.áñá}Ðjõ²fóÀƒaµŒ¿ô\¼ÉÊfƾû”vb™óngTa~ZYÛeè1¹6W-Ñ	Ö|›u*¢æ
Ž%N±|ä²W̽oÈ­#L~eWJX'DšÜ¯p¢§ölËœglE¿ìš°ÿ”È1W`ReŸxRÆ,?Õ?æjªJr„)ÅB¬N^ßJr¬^8tíÙ\à4´‹yÿ¸¾ Eä|½pÓ‘cYŸQ÷�5V×oJ¾µ˜�Κ+`M‰èU`¨Ç>%è¾ñ¬,I
-w�ª
-[§ïî|¢ÓwVAçs.ÓÕÒ³L›g4TsžÑPÍàÒŽœù8%ñÙóÖAˆF/Óöã�Skõ¢Ù•ýÌ#Ÿ3ŠÍL�¨oÞ�kã>‘]¨³À‰µxž¸3±–pE1x¶é-¥Ùo„�•�é+�4<[Wc�!LvQAù­»â
JR½W¯j ­%œ‰à™O‘&§%N�¡¾d­Qí�™r5œ�&¡u5¿
-†WCÖDOÚWߦ¨SëÕ_Ù]_	Í¡Æ�ë–â©N«Q?3åsu¬\WO»*{rºý†CÖT‹@%2ø�ðBÝkÅ•O´üᳬx½ÆÝlGäF…;ψf2ô«p nõ�3—E'V¸›¶R^0ò¡WÊ›K>ge.yIŒîX|ã³W¸sÖ{uÖ¸Ûb©pÇz«9Ra*í—�EטâÞQØÙ#C.,¦æ
-(ï”3†)�éfJ³�¸/7s»ÚvÌöéý–vˆyÛî
ìJ˜è9eæƒi†WtÆL1„SrÆ*¼•ß©–Ó«.Å°œÆ&L»µ‰É>»e(÷ˆÝwá_‘î•zSƒO¹G‚>VNû˜EÌWS�®$?ˆ±ç¸–Óλù¦Öa\ñAìµgÏq…EòÜ"�œõÌ�˜éyÇ›S8xÜAdÑ/—©=®’Æ3Ò̺eEÙæcZŠÞÅvþ¶ò¥v{QùRUvv÷r¡X¹”n—Ë¥Ì!ãlŽÑëÛ§§{—uØ.Gý;r>ÜFäÎÊœÒ|¶Ü¿³µS•lùpÉõö	-	Oz]‰mD†¤AC1˜°EÏýS£µN†:(W»(�QÍ-X9búî۳Ğ<­¯±A�uØÖ’ª9(–šŠ!
-Ž`×Àxæ
-xŸZ”�^-kžEù¨õ+g(Êç˜R#{o?Å#B.™Rƒ�º~ÖHUý¦ºŠP×oŠX¸)êúQ ¦Wõ›ÇÝP°®ßìѶ,uý|ã”æR×Ï»ªóÝP>uýX­®Ÿ•Žèy7ÔŒuý¼Ca6Ç<êúy+줢iêú9—k¯êGô)MQ×Ï;ž)äïÐeªëç½´Pl>uýæQ
Ä¿®Ÿ÷‚t)6s]?#áÎëVóÙëúyGœ‘s§L?ÂCOÌä#xͳ¶–Ùëú‘rÛ,ª›)+Í·	ë
T¬uý¼M]CSšµ®Ÿ
mrU¿àõøæ�ó>u]?ïª~³Ôãc?P¡çŒ«ëç†2RçQ×O?P¡TõÃrxgMOñ¨êg‹»˜¡®ŸçQd’¾/Áêú\#;UΣ®ŸwU¿ùd¥Õ¼×¼€�ñÍT×Ïû Ë•+:e]?ïª~3ÔãP$Ø«ßÌ·x˜UýæR�ÏW‰gÈæp×õcÌ{ FÛÎT×��÷€])Š�2S]?<fÙ]Õoʬ´€ñ“çP×Ïó¼¹h.uý¼Íè õø¦¯Õm«Ç72$Wõ›®_P[št{ƒ»®_ R|ήœ7êÌP×Ï»ªŸGæc º~3ó1¦º~ÞjŽ…c³ÕõsÌËaUOsk©®ß¾¾)êúÑza¼½�±®Ÿ_ÎÈ|êúy÷‚|JGt{Àœ'JU¿
-Õ	ÝßZ²–fIÛùåµ¥¡�­^—>®v2ã•
-à0Ål+Sª
-{;àéÑÁÎóåÅñî^îé8Y”6·kÅÅóNùá`a­T(Ý&«a£Kݶê×qxÂOVR±I-¾·¿ÏW¿®m”{r†‡›3¨¶ß>Š�^nÞV…ǽNŠËÈ«PÆ/ˆˆUø5˜›Ã7qû2šFÇ5o_XFÆ—‘²	ô@lg~®%ÑO@ÌçàçΪ~Êzì¦ÐßââÆÆSí1qwÈ=ÝyÙYoD0ïC|¢)nðd¾XÁ_”c-óE
-qÉwB1óUõ²ùl¾à°«‹û¯Æ‹ãZ)_oDeóYk\ÿšn£ÈF>^Å_�Ö8ø,£‹阃	Kïü^®!ÀŸ‚ÖwëkÌìû,©5i�øUøsÕd8‹
-—X,pB¿	¤X5UL|ÝYç®q”,Sc©ÈÂt[¯:ç=f=’úC–8s�Ö#ŸYP7’—ëJnë2{¼›èÄ5jJ|iFþ‚5ß	»ïÆŠí^_?Yè%$&�7céײ•½M¨	^kØ-T¾ìóÚWÚ'’þWÿRÐÿšÜ}E¤.Tò£+vT“gX®ìæ(†‘½I•¬dh;»‚I÷;u´�h¿2‘OOˆd祥«càÁ»fJ
-ßg’Õ«›=Ê{=’Yâ㨼&ªƒ	~æW4Š—£Í,êÚ4ún
-Gð×ãØ‚{H“Iú
ÂË™Unê+Qëf(ù¢ðÅ­=K~Ù\ÐëÊ�"¶Œ«và Gôhñí»0ÑlÝyK‚žÁ÷%{ûÅR’ìE‹�Â�
-RØéÐ]ë¹ò¦)þ次v¡Ïû+¾ýËcÚFd6±
ÎÛçV°.b‘'£‹MÁê"ÞZ<¿§ìd‚T€Éž³°w‘šr¦-ö”X�ui*(Ž±,ƒ£t±)ØÚ¥ès b*ÅØ£9y­rú±qMÈgoLJbô™™¬¡4<×ï^9,;Î÷3+ؤâú©ãî¤
-­‡2»û<9èkJ·{Ñý߸2lOÞ»ƒqx-œÙm–÷÷R¥Ûvº 9õ“µ�+ºËO÷É4Ý:¬áRª<ëo{ç›rå™»ÝrºïâÞ&tß�‡b‘äÖÛF$Öå#©×oMø³¦)mšýæð	kÊûP;s+•®RšT“G�ëÊá~¤i©öHõ•ú­êGåKM&üîž´«l'_ïJOÇB3¸³�?Û«š…†Œ»›rþ¼é=¶åI!ý~¼Ilgá2®à¬�‚Y¬2‘Tbg>=ˆ$ϢǑd;}_lGVwÅN$ut³YùXP ¦Ku“�Ôv˜YëúÆ×
"=Z$Ð
Æý²…lG�»½EB/½ï}ÌqñtF³»òc\ÿë[wE§8F/èçZcO3×à±]#«w
¬Ä±aTîsVs{ò¸h ±�¬8è`±¼i¼(¯b¬é
Ñ„EÖ@—/»Æ‹Þ|ñU7Ýê›+Ö3|äz9…¹#¾âc×÷ÓPX
VÍ=’É	 ‚¿MÀ‹sýB=~žîX}?¢8
ð¬†Dõ
-`aÝÂ6hf�[µQ@¾IÐè$-õàcü¼DÝ®h›“9½MIÀ¿°±€ü
`€4·�U‹c£ Œÿ VÉÈKk/ƒåËÚF5ûÍ$¾¸n
-ÅQÛ0Ÿ7
-Y‘φ㧻Ç'ÇÕpV�—	´Š›·§/	óü8
-‹à¥œ”
¿‡DžKù¼õ¨¹|:+Ãb�Gÿ+ä‹ÚWù|šËòaW/åÐ3ø¨˜–²9ðU^­À oŽ×á9Ð^	á,'¦‹°ã,è°
-¼‚}»çƒf	V[³è!ü_8Çš“X„€9Áby)œåy0˜½
-ðkØH*Š ÐFëFJgÅ<€"z»FÌçÒ"j‡æ´ox!-D®è‘”CS¶€ŸO‹"k^ÐÖƒ‹Á¼x´|þ�x@…´PäÑ3>ˆP’¶
EÐ-ìD( õfQû-ré<ø"Ëñ›Ê!øö—å8кˆ&ãø[<ì~“
- 9mDc=+ä
-œ;ø#ñ<
Ý°'€å‰íöÐ"W€­
-Ö^IY�ïc­
-0000000016 00000 n

-0000019955 00000 n

-0000000004 00000 f

-0000000006 00000 f

-0000020779 00000 n

-0000000007 00000 f

-0000000008 00000 f

-0000000009 00000 f

-0000000010 00000 f

-0000000011 00000 f

-0000000012 00000 f

-0000000013 00000 f

-0000000014 00000 f

-0000000015 00000 f

-0000000019 00000 f

-0000020006 00000 n

-0000020638 00000 n

-0000020669 00000 n

-0000000020 00000 f

-0000000021 00000 f

-0000000022 00000 f

-0000000023 00000 f

-0000000024 00000 f

-0000000025 00000 f

-0000000026 00000 f

-0000000027 00000 f

-0000000028 00000 f

-0000000029 00000 f

-0000000030 00000 f

-0000000031 00000 f

-0000000032 00000 f

-0000000033 00000 f

-0000000034 00000 f

-0000000035 00000 f

-0000000036 00000 f

-0000000037 00000 f

-0000000041 00000 f

-0000020077 00000 n

-0000020522 00000 n

-0000020553 00000 n

-0000000042 00000 f

-0000000043 00000 f

-0000000044 00000 f

-0000000045 00000 f

-0000000046 00000 f

-0000000047 00000 f

-0000000048 00000 f

-0000000049 00000 f

-0000000050 00000 f

-0000000051 00000 f

-0000000052 00000 f

-0000000053 00000 f

-0000000054 00000 f

-0000000055 00000 f

-0000000056 00000 f

-0000000057 00000 f

-0000000058 00000 f

-0000000059 00000 f

-0000000063 00001 f

-0000020148 00000 n

-0000020406 00000 n

-0000020437 00000 n

-0000000064 00000 f

-0000000065 00000 f

-0000000066 00000 f

-0000000067 00000 f

-0000000068 00001 f

-0000000069 00000 f

-0000000070 00000 f

-0000000071 00000 f

-0000000080 00000 f

-0000023371 00000 n

-0000023445 00000 n

-0000023685 00000 n

-0000024716 00000 n

-0000035850 00000 n

-0000101438 00000 n

-0000167026 00000 n

-0000232614 00000 n

-0000000000 00001 f

-0000020754 00000 n

-0000020219 00000 n

-0000020290 00000 n

-0000020321 00000 n

-0000022308 00000 n

-0000022421 00000 n

-0000022456 00000 n

-0000021142 00000 n

-0000285780 00000 n

-0000022810 00000 n

-0000022858 00000 n

-0000022054 00000 n

-0000000190 00000 n

-trailer
<</Size 94/Root 1 0 R/Info 89 0 R/ID[<E860A29C0F544C9DAF309FDA979179E1><879DB089327A454292F4CFF94C60DAE4>]>>
startxref
285961
%%EOF
\ No newline at end of file
diff --git a/contrib/bind9/doc/arm/libdns.xml b/contrib/bind9/doc/arm/libdns.xml
deleted file mode 100644
index 6134ff6..0000000
--- a/contrib/bind9/doc/arm/libdns.xml
+++ /dev/null
@@ -1,530 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- - Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<sect1 id="bind9.library">
-  <title>BIND 9 DNS Library Support</title>
-  <para>This version of BIND 9 "exports" its internal libraries so
-  that they can be used by third-party applications more easily (we
-  call them "export" libraries in this document). In addition to
-  all major DNS-related APIs BIND 9 is currently using, the export
-  libraries provide the following features:</para>
-  <itemizedlist>
-    <listitem>
-      <para>The newly created "DNS client" module. This is a higher
-      level API that provides an interface to name resolution,
-      single DNS transaction with a particular server, and dynamic
-      update. Regarding name resolution, it supports advanced
-      features such as DNSSEC validation and caching. This module
-      supports both synchronous and asynchronous mode.</para>
-    </listitem>
-    <listitem>
-      <para>The new "IRS" (Information Retrieval System) library.
-      It provides an interface to parse the traditional resolv.conf
-      file and more advanced, DNS-specific configuration file for
-      the rest of this package (see the description for the
-      dns.conf file below).</para>
-    </listitem>
-    <listitem>
-      <para>As part of the IRS library, newly implemented standard
-      address-name mapping functions, getaddrinfo() and
-      getnameinfo(), are provided. They use the DNSSEC-aware
-      validating resolver backend, and could use other advanced
-      features of the BIND 9 libraries such as caching. The
-      getaddrinfo() function resolves both A and AAAA RRs
-      concurrently (when the address family is unspecified).</para>
-    </listitem>
-    <listitem>
-      <para>An experimental framework to support other event
-      libraries than BIND 9's internal event task system.</para>
-    </listitem>
-  </itemizedlist>
-  <sect2>
-    <title>Prerequisite</title>
-  <para>GNU make is required to build the export libraries (other
-  part of BIND 9 can still be built with other types of make). In
-  the reminder of this document, "make" means GNU make. Note that
-  in some platforms you may need to invoke a different command name
-  than "make" (e.g. "gmake") to indicate it's GNU make.</para>
-  </sect2>
-  <sect2>
-    <title>Compilation</title>
-  <screen>
-$ <userinput>./configure --enable-exportlib <replaceable>[other flags]</replaceable></userinput>
-$ <userinput>make</userinput>
-</screen>
-  <para>
-  This will create (in addition to usual BIND 9 programs) and a
-  separate set of libraries under the lib/export directory. For
-  example, <filename>lib/export/dns/libdns.a</filename> is the archive file of the
-  export version of the BIND 9 DNS library. Sample application
-  programs using the libraries will also be built under the
-  lib/export/samples directory (see below).</para>
-  </sect2>
-  <sect2>
-    <title>Installation</title>
-  <screen>
-$ <userinput>cd lib/export</userinput>
-$ <userinput>make install</userinput>
-</screen>
-  <para>
-  This will install library object files under the directory
-  specified by the --with-export-libdir configure option (default:
-  EPREFIX/lib/bind9), and header files under the directory
-  specified by the --with-export-includedir configure option
-  (default: PREFIX/include/bind9).
-  Root privilege is normally required.
-  "<command>make install</command>" at the top directory will do the
-  same.
-  </para>
-  <para>
-  To see how to build your own
-  application after the installation, see
-  <filename>lib/export/samples/Makefile-postinstall.in</filename>.</para>
-  </sect2>
-  <sect2>
-    <title>Known Defects/Restrictions</title>
-  <itemizedlist>
-    <listitem>
-<!-- TODO: what about AIX? -->
-      <para>Currently, win32 is not supported for the export
-      library. (Normal BIND 9 application can be built as
-      before).</para>
-    </listitem>
-    <listitem>
-      <para>The "fixed" RRset order is not (currently) supported in
-      the export library. If you want to use "fixed" RRset order
-      for, e.g. <command>named</command> while still building the
-      export library even without the fixed order support, build
-      them separately:
-      <screen>
-$ <userinput>./configure --enable-fixed-rrset <replaceable>[other flags, but not --enable-exportlib]</replaceable></userinput>
-$ <userinput>make</userinput>
-$ <userinput>./configure --enable-exportlib <replaceable>[other flags, but not --enable-fixed-rrset]</replaceable></userinput>
-$ <userinput>cd lib/export</userinput>
-$ <userinput>make</userinput>
-</screen>
-    </para>
-    </listitem>
-    <listitem>
-      <para>The client module and the IRS library currently do not
-      support DNSSEC validation using DLV (the underlying modules
-      can handle it, but there is no tunable interface to enable
-      the feature).</para>
-    </listitem>
-    <listitem>
-      <para>RFC 5011 is not supported in the validating stub
-      resolver of the export library. In fact, it is not clear
-      whether it should: trust anchors would be a system-wide
-      configuration which would be managed by an administrator,
-      while the stub resolver will be used by ordinary applications
-      run by a normal user.</para>
-    </listitem>
-    <listitem>
-      <para>Not all common <filename>/etc/resolv.conf</filename>
-      options are supported
-      in the IRS library. The only available options in this
-      version are "debug" and "ndots".</para>
-    </listitem>
-  </itemizedlist>
-  </sect2>
-  <sect2>
-    <title>The dns.conf File</title>
-  <para>The IRS library supports an "advanced" configuration file
-  related to the DNS library for configuration parameters that
-  would be beyond the capability of the
-  <filename>resolv.conf</filename> file.
-  Specifically, it is intended to provide DNSSEC related
-  configuration parameters. By default the path to this
-  configuration file is <filename>/etc/dns.conf</filename>.
-  This module is very
-  experimental and the configuration syntax or library interfaces
-  may change in future versions. Currently, only the
-  <command>trusted-keys</command>
-  statement is supported, whose syntax is the same as the same name
-  of statement for <filename>named.conf</filename>. (See
-  <xref linkend="trusted-keys" /> for details.)</para>
-  </sect2>
-  <sect2>
-    <title>Sample Applications</title>
-  <para>Some sample application programs using this API are
-  provided for reference. The following is a brief description of
-  these applications.
-  </para>
-  <sect3>
-    <title>sample: a simple stub resolver utility</title>
-  <para>
-  It sends a query of a given name (of a given optional RR type) to a
-  specified recursive server, and prints the result as a list of
-  RRs. It can also act as a validating stub resolver if a trust
-  anchor is given via a set of command line options.</para>
-  <para>
-  Usage: sample [options] server_address hostname
-  </para>
-  <para>
-  Options and Arguments:
-  </para>
-  <variablelist>
-  <varlistentry>
-  <term>
-  -t RRtype
-  </term>
-  <listitem><para>
-        specify the RR type of the query.  The default is the A RR.
-  </para></listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>
-  [-a algorithm] [-e] -k keyname -K keystring
-  </term>
-  <listitem><para>
-        specify a command-line DNS key to validate the answer.  For
-        example, to specify the following DNSKEY of example.com:
-<literallayout>
-                example.com. 3600 IN DNSKEY 257 3 5 xxx
-</literallayout>
-        specify the options as follows:
-<screen>
-<userinput>
-          -e -k example.com -K "xxx"
-</userinput>
-</screen>
-        -e means that this key is a zone's "key signing key" (as known
-        as "secure Entry point").
-        When -a is omitted rsasha1 will be used by default.
-  </para></listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>
-  -s domain:alt_server_address
-  </term>
-  <listitem><para>
-         specify a separate recursive server address for the specific
-        "domain".  Example: -s example.com:2001:db8::1234
-  </para></listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>server_address</term>
-  <listitem><para>
-        an IP(v4/v6) address of the recursive server to which queries
-        are sent.
-  </para></listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>hostname</term>
-  <listitem><para>
-        the domain name for the query
-  </para></listitem>
-  </varlistentry>
-  </variablelist>
-  </sect3>
-  <sect3>
-    <title>sample-async: a simple stub resolver, working asynchronously</title>
-  <para>
-  Similar to "sample", but accepts a list
-  of (query) domain names as a separate file and resolves the names
-  asynchronously.</para>
-  <para>
-    Usage: sample-async [-s server_address] [-t RR_type] input_file</para>
-  <para>
- Options and Arguments:
-  </para>
-  <variablelist>
-  <varlistentry>
-   <term>
-   -s server_address
-   </term>
-  <listitem>
-   an IPv4 address of the recursive server to which queries are sent.
-  (IPv6 addresses are not supported in this implementation)
-  </listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>
-   -t RR_type
-  </term>
-  <listitem>
-  specify the RR type of the queries. The default is the A
-  RR.
-  </listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>
-   input_file
-  </term>
-  <listitem>
-   a list of domain names to be resolved. each line
-  consists of a single domain name. Example:
-  <literallayout>
-  www.example.com
-  mx.examle.net
-  ns.xxx.example
-</literallayout>
-  </listitem>
-    </varlistentry>
-    </variablelist>
-  </sect3>
-  <sect3>
-    <title>sample-request: a simple DNS transaction client</title>
-  <para>
-  It sends a query to a specified server, and
-  prints the response with minimal processing. It doesn't act as a
-  "stub resolver": it stops the processing once it gets any
-  response from the server, whether it's a referral or an alias
-  (CNAME or DNAME) that would require further queries to get the
-  ultimate answer. In other words, this utility acts as a very
-  simplified <command>dig</command>.
-  </para>
-  <para>
-  Usage: sample-request [-t RRtype] server_address hostname
-  </para>
-  <para>
-    Options and Arguments:
-  </para>
-  <variablelist>
-  <varlistentry>
-   <term>
-   -t RRtype
-  </term>
-  <listitem>
-  <para>
-  specify the RR type of
-  the queries. The default is the A RR.
-  </para>
-  </listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>
-  server_address
-  </term>
-  <listitem>
-  <para>
-   an IP(v4/v6)
-  address of the recursive server to which the query is sent.
-  </para>
-  </listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>
-  hostname
-  </term>
-  <listitem>
-  <para>
-  the domain name for the query
-  </para>
-  </listitem>
-  </varlistentry>
-  </variablelist>
-  </sect3>
-  <sect3>
-    <title>sample-gai: getaddrinfo() and getnameinfo() test code</title>
-  <para>
-  This is a test program
-  to check getaddrinfo() and getnameinfo() behavior. It takes a
-  host name as an argument, calls getaddrinfo() with the given host
-  name, and calls getnameinfo() with the resulting IP addresses
-  returned by getaddrinfo(). If the dns.conf file exists and
-  defines a trust anchor, the underlying resolver will act as a
-  validating resolver, and getaddrinfo()/getnameinfo() will fail
-  with an EAI_INSECUREDATA error when DNSSEC validation fails.
-  </para>
-  <para>
-  Usage: sample-gai hostname
-  </para>
-  </sect3>
-  <sect3>
-    <title>sample-update: a simple dynamic update client program</title>
-  <para>
-  It accepts a single update command as a
-  command-line argument, sends an update request message to the
-  authoritative server, and shows the response from the server. In
-  other words, this is a simplified <command>nsupdate</command>.
-  </para>
-  <para>
-   Usage: sample-update [options] (add|delete) "update data"
-  </para>
-  <para>
-  Options and Arguments:
-  </para>
-  <variablelist>
-  <varlistentry>
-   <term>
-  -a auth_server
-   </term>
-   <listitem><para>
-        An IP address of the authoritative server that has authority
-        for the zone containing the update name.  This should normally
-        be the primary authoritative server that accepts dynamic
-        updates.  It can also be a secondary server that is configured
-        to forward update requests to the primary server.
-   </para></listitem>
-   </varlistentry>
-   <varlistentry>
-   <term>
-  -k keyfile
-   </term>
-   <listitem><para>
-        A TSIG key file to secure the update transaction.  The keyfile
-        format is the same as that for the nsupdate utility.
-   </para></listitem>
-   </varlistentry>
-   <varlistentry>
-   <term>
-  -p prerequisite
-   </term>
-   <listitem><para>
-        A prerequisite for the update (only one prerequisite can be
-        specified).  The prerequisite format is the same as that is
-        accepted by the nsupdate utility.
-   </para></listitem>
-   </varlistentry>
-   <varlistentry>
-   <term>
-  -r recursive_server
-   </term>
-   <listitem><para>
-        An IP address of a recursive server that this utility will
-        use.  A recursive server may be necessary to identify the
-        authoritative server address to which the update request is
-        sent.
-   </para></listitem>
-   </varlistentry>
-   <varlistentry>
-   <term>
-  -z zonename
-   </term>
-   <listitem><para>
-        The domain name of the zone that contains
-   </para></listitem>
-   </varlistentry>
-   <varlistentry>
-   <term>
-  (add|delete)
-   </term>
-   <listitem><para>
-        Specify the type of update operation.  Either "add" or "delete"
-        must be specified.
-   </para></listitem>
-   </varlistentry>
-   <varlistentry>
-   <term>
-  "update data"
-   </term>
-   <listitem><para>
-        Specify the data to be updated.  A typical example of the data
-        would look like "name TTL RRtype RDATA".
-  </para></listitem>
-  </varlistentry>
-  </variablelist>
-
-   <note>In practice, either -a or -r must be specified.  Others can
-   be optional; the underlying library routine tries to identify the
-   appropriate server and the zone name for the update.</note>
-
-   <para>
-   Examples: assuming the primary authoritative server of the
-   dynamic.example.com zone has an IPv6 address 2001:db8::1234,
-   </para>
-   <screen>
-$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</userinput></screen>
-   <para>
-     adds an A RR for foo.dynamic.example.com using the given key.
-   </para>
-   <screen>
-$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</userinput></screen>
-   <para>
-     removes all A RRs for foo.dynamic.example.com using the given key.
-   </para>
-   <screen>   
-$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</userinput></screen>
-   <para>
-     removes all RRs for foo.dynamic.example.com using the given key.
-   </para>
-  </sect3>
-  <sect3>
-    <title>nsprobe: domain/name server checker in terms of RFC 4074</title>
-  <para>
-  It checks a set
-  of domains to see the name servers of the domains behave
-  correctly in terms of RFC 4074. This is included in the set of
-  sample programs to show how the export library can be used in a
-  DNS-related application.
-  </para>
-  <para>
- Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
-  </para>
-  <para>
-   Options
-  </para>
-
-  <variablelist>
-  <varlistentry>
-  <term>
-  -d
-  </term>
-  <listitem><para>
-        run in the "debug" mode.  with this option nsprobe will dump
-        every RRs it receives.
-  </para></listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>
-  -v
-  </term>
-  <listitem><para>
-        increase verbosity of other normal log messages.  This can be
-        specified multiple times
-  </para></listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>
-  -c cache_address
-  </term>
-  <listitem><para>
-        specify an IP address of a recursive (caching) name server.
-        nsprobe uses this server to get the NS RRset of each domain and
-        the A and/or AAAA RRsets for the name servers.  The default
-        value is 127.0.0.1.
-  </para></listitem>
-  </varlistentry>
-  <varlistentry>
-  <term>
-  input_file
-  </term>
-  <listitem><para>
-        a file name containing a list of domain (zone) names to be
-        probed.  when omitted the standard input will be used.  Each
-        line of the input file specifies a single domain name such as
-        "example.com".  In general this domain name must be the apex
-        name of some DNS zone (unlike normal "host names" such as
-        "www.example.com").  nsprobe first identifies the NS RRsets for
-        the given domain name, and sends A and AAAA queries to these
-        servers for some "widely used" names under the zone;
-        specifically, adding "www" and "ftp" to the zone name.
-  </para></listitem>
-  </varlistentry>
-  </variablelist>
-  </sect3>
-  </sect2>
-  <sect2>
-    <title>Library References</title>
-  <para>As of this writing, there is no formal "manual" of the
-  libraries, except this document, header files (some of them
-  provide pretty detailed explanations), and sample application
-  programs.</para>
-  </sect2>
-</sect1>
-<!-- $Id: libdns.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ -->
diff --git a/contrib/bind9/doc/arm/man.arpaname.html b/contrib/bind9/doc/arm/man.arpaname.html
deleted file mode 100644
index 45391da..0000000
--- a/contrib/bind9/doc/arm/man.arpaname.html
+++ /dev/null
@@ -1,91 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>arpaname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen">
-<link rel="next" href="man.genrandom.html" title="genrandom">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">arpaname</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.genrandom.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.arpaname"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">arpaname</span> &#8212; translate IP addresses to the corresponding ARPA names</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2619538"></a><h2>DESCRIPTION</h2>
-<p>
-      <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
-      IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2619553"></a><h2>SEE ALSO</h2>
-<p>
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2619566"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.genrandom.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">ddns-confgen</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">genrandom</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.ddns-confgen.html b/contrib/bind9/doc/arm/man.ddns-confgen.html
deleted file mode 100644
index fed8fbc..0000000
--- a/contrib/bind9/doc/arm/man.ddns-confgen.html
+++ /dev/null
@@ -1,180 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>ddns-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
-<link rel="next" href="man.arpaname.html" title="arpaname">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">ddns-confgen</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.ddns-confgen"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2657925"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">ddns-confgen</strong></span>
-      generates a key for use by <span><strong class="command">nsupdate</strong></span>
-      and <span><strong class="command">named</strong></span>.  It simplifies configuration
-      of dynamic zones by generating a key and providing the
-      <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
-      syntax that will be needed to use it, including an example
-      <span><strong class="command">update-policy</strong></span> statement.
-    </p>
-<p>
-      If a domain name is specified on the command line, it will
-      be used in the name of the generated key and in the sample
-      <span><strong class="command">named.conf</strong></span> syntax.  For example,
-      <span><strong class="command">ddns-confgen example.com</strong></span> would
-      generate a key called "ddns-key.example.com", and sample
-      <span><strong class="command">named.conf</strong></span> command that could be used
-      in the zone definition for "example.com".
-    </p>
-<p>
-      Note that <span><strong class="command">named</strong></span> itself can configure a
-      local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
-      <span><strong class="command">ddns-confgen</strong></span> is only needed when a 
-      more elaborate configuration is required: for instance, if
-      <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2658012"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd><p>
-            Specifies the algorithm to use for the TSIG key.  Available
-            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
-	  </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	    Prints a short summary of the options and arguments to
-	    <span><strong class="command">ddns-confgen</strong></span>.
-	  </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd><p>
-	    Specifies the key name of the DDNS authentication key.
-	    The default is <code class="constant">ddns-key</code> when neither
-	    the <code class="option">-s</code> nor <code class="option">-z</code> option is
-	    specified; otherwise, the default
-	    is <code class="constant">ddns-key</code> as a separate label
-	    followed by the argument of the option, e.g.,
-	    <code class="constant">ddns-key.example.com.</code>
-	    The key name must have the format of a valid domain name,
-	    consisting of letters, digits, hyphens and periods.
-	  </p></dd>
-<dt><span class="term">-q</span></dt>
-<dd><p>
-	    Quiet mode:  Print only the key, with no explanatory text or
-            usage examples.
-	  </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd><p>
-            Specifies a source of random data for generating the
-            authorization.  If the operating system does not provide a
-            <code class="filename">/dev/random</code> or equivalent device, the
-            default source of randomness is keyboard input.
-            <code class="filename">randomdev</code> specifies the name of a
-            character device or file containing random data to be used
-            instead of the default.  The special value
-            <code class="filename">keyboard</code> indicates that keyboard input
-            should be used.
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>
-	    Single host mode: The example <span><strong class="command">named.conf</strong></span> text
-	    shows how to set an update policy for the specified
-	    <em class="replaceable"><code>name</code></em>
-	    using the "name" nametype.
-	    The default key name is
-	    ddns-key.<em class="replaceable"><code>name</code></em>.
-	    Note that the "self" nametype cannot be used, since
-	    the name to be updated may differ from the key name.
-	    This option cannot be used with the <code class="option">-z</code> option.
-	  </p></dd>
-<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
-<dd><p>
-	    zone mode:  The example <span><strong class="command">named.conf</strong></span> text
-            shows how to set an update policy for the specified
-	    <em class="replaceable"><code>zone</code></em>
-	    using the "zonesub" nametype, allowing updates to all subdomain
-	    names within
-	    that <em class="replaceable"><code>zone</code></em>.
-	    This option cannot be used with the <code class="option">-s</code> option.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2658418"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2658456"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">rndc-confgen</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">arpaname</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.dig.html b/contrib/bind9/doc/arm/man.dig.html
deleted file mode 100644
index 556e34b..0000000
--- a/contrib/bind9/doc/arm/man.dig.html
+++ /dev/null
@@ -1,709 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="next" href="man.host.html" title="host">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">dig</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch10.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.dig"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>dig &#8212; DNS lookup utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [<code class="option">-h</code>]</p></div>
-<div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2611368"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dig</strong></span>
-      (domain information groper) is a flexible tool
-      for interrogating DNS name servers.  It performs DNS lookups and
-      displays the answers that are returned from the name server(s) that
-      were queried.  Most DNS administrators use <span><strong class="command">dig</strong></span> to
-      troubleshoot DNS problems because of its flexibility, ease of use and
-      clarity of output.  Other lookup tools tend to have less functionality
-      than <span><strong class="command">dig</strong></span>.
-    </p>
-<p>
-      Although <span><strong class="command">dig</strong></span> is normally used with
-      command-line
-      arguments, it also has a batch mode of operation for reading lookup
-      requests from a file.  A brief summary of its command-line arguments
-      and options is printed when the <code class="option">-h</code> option is given.
-      Unlike earlier versions, the BIND 9 implementation of
-      <span><strong class="command">dig</strong></span> allows multiple lookups to be issued
-      from the
-      command line.
-    </p>
-<p>
-      Unless it is told to query a specific name server,
-      <span><strong class="command">dig</strong></span> will try each of the servers listed in
-      <code class="filename">/etc/resolv.conf</code>. If no usable server addreses
-      are found, <span><strong class="command">dig</strong></span> will send the query to the local
-      host.
-    </p>
-<p>
-      When no command line arguments or options are given,
-      <span><strong class="command">dig</strong></span> will perform an NS query for "." (the root).
-    </p>
-<p>
-      It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
-      <code class="filename">${HOME}/.digrc</code>.  This file is read and
-      any options in it
-      are applied before the command line arguments.
-    </p>
-<p>
-      The IN and CH class names overlap with the IN and CH top level
-      domains names.  Either use the <code class="option">-t</code> and
-      <code class="option">-c</code> options to specify the type and class, 
-      use the <code class="option">-q</code> the specify the domain name, or
-      use "IN." and "CH." when looking up these top level domains.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2611470"></a><h2>SIMPLE USAGE</h2>
-<p>
-      A typical invocation of <span><strong class="command">dig</strong></span> looks like:
-      </p>
-<pre class="programlisting"> dig @server name type </pre>
-<p>
-      where:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">server</code></span></dt>
-<dd>
-<p>
-              is the name or IP address of the name server to query.  This
-              can be an IPv4 address in dotted-decimal notation or an IPv6
-              address in colon-delimited notation.  When the supplied
-              <em class="parameter"><code>server</code></em> argument is a hostname,
-              <span><strong class="command">dig</strong></span> resolves that name before querying
-              that name server.
-            </p>
-<p>
-              If no <em class="parameter"><code>server</code></em> argument is
-              provided, <span><strong class="command">dig</strong></span> consults
-              <code class="filename">/etc/resolv.conf</code>; if an
-              address is found there, it queries the name server at
-              that address. If either of the <code class="option">-4</code> or
-              <code class="option">-6</code> options are in use, then
-              only addresses for the corresponding transport
-              will be tried.  If no usable addresses are found,
-              <span><strong class="command">dig</strong></span> will send the query to the
-              local host.  The reply from the name server that
-              responds is displayed.
-            </p>
-</dd>
-<dt><span class="term"><code class="constant">name</code></span></dt>
-<dd><p>
-              is the name of the resource record that is to be looked up.
-            </p></dd>
-<dt><span class="term"><code class="constant">type</code></span></dt>
-<dd><p>
-              indicates what type of query is required &#8212;
-              ANY, A, MX, SIG, etc.
-              <em class="parameter"><code>type</code></em> can be any valid query
-              type.  If no
-              <em class="parameter"><code>type</code></em> argument is supplied,
-              <span><strong class="command">dig</strong></span> will perform a lookup for an
-              A record.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2611596"></a><h2>OPTIONS</h2>
-<p>
-      The <code class="option">-b</code> option sets the source IP address of the query
-      to <em class="parameter"><code>address</code></em>.  This must be a valid
-      address on
-      one of the host's network interfaces or "0.0.0.0" or "::".  An optional
-      port
-      may be specified by appending "#&lt;port&gt;"
-    </p>
-<p>
-      The default query class (IN for internet) is overridden by the
-      <code class="option">-c</code> option.  <em class="parameter"><code>class</code></em> is
-      any valid
-      class, such as HS for Hesiod records or CH for Chaosnet records.
-    </p>
-<p>
-      The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
-      operate
-      in batch mode by reading a list of lookup requests to process from the
-      file <em class="parameter"><code>filename</code></em>.  The file contains a
-      number of
-      queries, one per line.  Each entry in the file should be organized in
-      the same way they would be presented as queries to
-      <span><strong class="command">dig</strong></span> using the command-line interface.
-    </p>
-<p>
-      The <code class="option">-m</code> option enables memory usage debugging.
-      
-    </p>
-<p>
-      If a non-standard port number is to be queried, the
-      <code class="option">-p</code> option is used.  <em class="parameter"><code>port#</code></em> is
-      the port number that <span><strong class="command">dig</strong></span> will send its
-      queries
-      instead of the standard DNS port number 53.  This option would be used
-      to test a name server that has been configured to listen for queries
-      on a non-standard port number.
-    </p>
-<p>
-      The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>
-      to only
-      use IPv4 query transport.  The <code class="option">-6</code> option forces
-      <span><strong class="command">dig</strong></span> to only use IPv6 query transport.
-    </p>
-<p>
-      The <code class="option">-t</code> option sets the query type to
-      <em class="parameter"><code>type</code></em>.  It can be any valid query type
-      which is
-      supported in BIND 9.  The default query type is "A", unless the
-      <code class="option">-x</code> option is supplied to indicate a reverse lookup.
-      A zone transfer can be requested by specifying a type of AXFR.  When
-      an incremental zone transfer (IXFR) is required,
-      <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
-      The incremental zone transfer will contain the changes made to the zone
-      since the serial number in the zone's SOA record was
-      <em class="parameter"><code>N</code></em>.
-    </p>
-<p>
-      The <code class="option">-q</code> option sets the query name to 
-      <em class="parameter"><code>name</code></em>.  This useful do distinguish the
-      <em class="parameter"><code>name</code></em> from other arguments.
-    </p>
-<p>
-      Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the
-      <code class="option">-x</code> option.  <em class="parameter"><code>addr</code></em> is
-      an IPv4
-      address in dotted-decimal notation, or a colon-delimited IPv6 address.
-      When this option is used, there is no need to provide the
-      <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
-      <em class="parameter"><code>type</code></em> arguments.  <span><strong class="command">dig</strong></span>
-      automatically performs a lookup for a name like
-      <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the
-      query type and
-      class to PTR and IN respectively.  By default, IPv6 addresses are
-      looked up using nibble format under the IP6.ARPA domain.
-      To use the older RFC1886 method using the IP6.INT domain
-      specify the <code class="option">-i</code> option.  Bit string labels (RFC2874)
-      are now experimental and are not attempted.
-    </p>
-<p>
-      To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and
-      their
-      responses using transaction signatures (TSIG), specify a TSIG key file
-      using the <code class="option">-k</code> option.  You can also specify the TSIG
-      key itself on the command line using the <code class="option">-y</code> option;
-      <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,
-      <em class="parameter"><code>name</code></em> is the name of the TSIG key and
-      <em class="parameter"><code>key</code></em> is the actual key.  The key is a
-      base-64
-      encoded string, typically generated by
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-
-      Caution should be taken when using the <code class="option">-y</code> option on
-      multi-user systems as the key can be visible in the output from
-      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
-      or in the shell's history file.  When
-      using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
-      server that is queried needs to know the key and algorithm that is
-      being used.  In BIND, this is done by providing appropriate
-      <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
-      <code class="filename">named.conf</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2664641"></a><h2>QUERY OPTIONS</h2>
-<p><span><strong class="command">dig</strong></span>
-      provides a number of query options which affect
-      the way in which lookups are made and the results displayed.  Some of
-      these set or reset flag bits in the query header, some determine which
-      sections of the answer get printed, and others determine the timeout
-      and retry strategies.
-    </p>
-<p>
-      Each query option is identified by a keyword preceded by a plus sign
-      (<code class="literal">+</code>).  Some keywords set or reset an
-      option.  These may be preceded
-      by the string <code class="literal">no</code> to negate the meaning of
-      that keyword.  Other
-      keywords assign values to options like the timeout interval.  They
-      have the form <code class="option">+keyword=value</code>.
-      The query options are:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd><p>
-              Use [do not use] TCP when querying name servers.  The default
-              behavior is to use UDP unless an AXFR or IXFR query is
-              requested, in
-              which case a TCP connection is used.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd><p>
-              Use [do not use] TCP when querying name servers.  This alternate
-              syntax to <em class="parameter"><code>+[no]tcp</code></em> is
-              provided for backwards
-              compatibility.  The "vc" stands for "virtual circuit".
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
-<dd><p>
-              Ignore truncation in UDP responses instead of retrying with TCP.
-               By
-              default, TCP retries are performed.
-            </p></dd>
-<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
-<dd><p>
-              Set the search list to contain the single domain
-              <em class="parameter"><code>somename</code></em>, as if specified in
-              a
-              <span><strong class="command">domain</strong></span> directive in
-              <code class="filename">/etc/resolv.conf</code>, and enable
-              search list
-              processing as if the <em class="parameter"><code>+search</code></em>
-              option were given.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]search</code></span></dt>
-<dd><p>
-              Use [do not use] the search list defined by the searchlist or
-              domain
-              directive in <code class="filename">resolv.conf</code> (if
-              any).
-              The search list is not used by default.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
-<dd><p>
-              Perform [do not perform] a search showing intermediate
-	      results.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
-<dd><p>
-              Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd><p>
-              Sets the "aa" flag in the query.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
-<dd><p>
-              A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd><p>
-	      Set [do not set] the AD (authentic data) bit in the
-	      query.  This requests the server to return whether
-	      all of the answer and authority sections have all
-	      been validated as secure according to the security
-	      policy of the server.  AD=1 indicates that all records
-	      have been validated as secure and the answer is not
-	      from a OPT-OUT range.  AD=0 indicate that some part
-	      of the answer was insecure or not validated.  This
-	      bit is set by default.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd><p>
-              Set [do not set] the CD (checking disabled) bit in the query.
-              This
-              requests the server to not perform DNSSEC validation of
-              responses.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
-<dd><p>
-              Display [do not display] the CLASS when printing the record.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
-<dd><p>
-              Display [do not display] the TTL when printing the record.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd><p>
-	      Toggle the setting of the RD (recursion desired) bit
-	      in the query.  This bit is set by default, which means
-	      <span><strong class="command">dig</strong></span> normally sends recursive
-	      queries.  Recursion is automatically disabled when
-	      the <em class="parameter"><code>+nssearch</code></em> or
-	      <em class="parameter"><code>+trace</code></em> query options are used.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
-<dd><p>
-              When this option is set, <span><strong class="command">dig</strong></span>
-              attempts to find the
-              authoritative name servers for the zone containing the name
-              being
-              looked up and display the SOA record that each name server has
-              for the
-              zone.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
-<dd>
-<p>
-	      Toggle tracing of the delegation path from the root
-	      name servers for the name being looked up.  Tracing
-	      is disabled by default.  When tracing is enabled,
-	      <span><strong class="command">dig</strong></span> makes iterative queries to
-	      resolve the name being looked up.  It will follow
-	      referrals from the root servers, showing the answer
-	      from each server that was used to resolve the lookup.
-	    </p>
-<p>
-	      <span><strong class="command">+dnssec</strong></span> is also set when +trace is
-	      set to better emulate the default queries from a nameserver.
-	    </p>
-</dd>
-<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
-<dd><p>
-              Toggles the printing of the initial comment in the output
-              identifying
-              the version of <span><strong class="command">dig</strong></span> and the query
-              options that have
-              been applied.  This comment is printed by default.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd><p>
-              Provide a terse answer.  The default is to print the answer in a
-              verbose form.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
-<dd><p>
-              Show [or do not show] the IP address and port number that
-              supplied the
-              answer when the <em class="parameter"><code>+short</code></em> option
-              is enabled.  If
-              short form answers are requested, the default is not to show the
-              source address and port number of the server that provided the
-              answer.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd><p>
-              Toggle the display of comment lines in the output.  The default
-              is to print comments.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
-<dd><p>
-              Toggle the display of per-record comments in the output (for
-              example, human-readable key information about DNSKEY records).
-              The default is not to print record comments unless multiline
-              mode is active.
-            </p></dd>
-<dt><span class="term"><code class="option">+split=W</code></span></dt>
-<dd><p>
-              Split long hex- or base64-formatted fields in resource
-              records into chunks of <em class="parameter"><code>W</code></em> characters
-              (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
-              multiple of 4).
-              <em class="parameter"><code>+nosplit</code></em> or
-              <em class="parameter"><code>+split=0</code></em> causes fields not to be
-              split at all.  The default is 56 characters, or 44 characters
-              when multiline mode is active.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
-<dd><p>
-              This query option toggles the printing of statistics: when the
-              query
-              was made, the size of the reply and so on.  The default
-              behavior is
-              to print the query statistics.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
-<dd><p>
-              Print [do not print] the query as it is sent.
-              By default, the query is not printed.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd><p>
-              Print [do not print] the question section of a query when an
-              answer is
-              returned.  The default is to print the question section as a
-              comment.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd><p>
-              Display [do not display] the answer section of a reply.  The
-              default
-              is to display it.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd><p>
-              Display [do not display] the authority section of a reply.  The
-              default is to display it.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd><p>
-              Display [do not display] the additional section of a reply.
-              The default is to display it.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd><p>
-              Set or clear all display flags.
-            </p></dd>
-<dt><span class="term"><code class="option">+time=T</code></span></dt>
-<dd><p>
-
-              Sets the timeout for a query to
-              <em class="parameter"><code>T</code></em> seconds.  The default
-	      timeout is 5 seconds.
-              An attempt to set <em class="parameter"><code>T</code></em> to less
-              than 1 will result
-              in a query timeout of 1 second being applied.
-            </p></dd>
-<dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd><p>
-              Sets the number of times to try UDP queries to server to
-              <em class="parameter"><code>T</code></em> instead of the default, 3.
-              If
-              <em class="parameter"><code>T</code></em> is less than or equal to
-              zero, the number of
-              tries is silently rounded up to 1.
-            </p></dd>
-<dt><span class="term"><code class="option">+retry=T</code></span></dt>
-<dd><p>
-              Sets the number of times to retry UDP queries to server to
-              <em class="parameter"><code>T</code></em> instead of the default, 2.
-              Unlike
-              <em class="parameter"><code>+tries</code></em>, this does not include
-              the initial
-              query.
-            </p></dd>
-<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
-<dd><p>
-              Set the number of dots that have to appear in
-              <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
-              considered absolute.  The default value is that defined using
-              the
-              ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
-              ndots statement is present.  Names with fewer dots are
-              interpreted as
-              relative names and will be searched for in the domains listed in
-              the
-              <code class="option">search</code> or <code class="option">domain</code> directive in
-              <code class="filename">/etc/resolv.conf</code>.
-            </p></dd>
-<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd><p>
-              Set the UDP message buffer size advertised using EDNS0 to
-              <em class="parameter"><code>B</code></em> bytes.  The maximum and minimum sizes
-	      of this buffer are 65535 and 0 respectively.  Values outside
-	      this range are rounded up or down appropriately.  
-	      Values other than zero will cause a EDNS query to be sent.
-            </p></dd>
-<dt><span class="term"><code class="option">+edns=#</code></span></dt>
-<dd><p>
-	       Specify the EDNS version to query with.  Valid values
-	       are 0 to 255.  Setting the EDNS version will cause
-	       a EDNS query to be sent.  <code class="option">+noedns</code>
-	       clears the remembered EDNS version.  EDNS is set to
-	       0 by default.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd><p>
-              Print records like the SOA records in a verbose multi-line
-              format with human-readable comments.  The default is to print
-              each record on a single line, to facilitate machine parsing
-              of the <span><strong class="command">dig</strong></span> output.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
-<dd><p>
-	      Print only one (starting) SOA record when performing
-	      an AXFR. The default is to print both the starting and
-	      ending SOA records.
-	    </p></dd>
-<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
-<dd><p>
-              Do not try the next server if you receive a SERVFAIL.  The
-              default is
-              to not try the next server which is the reverse of normal stub
-              resolver
-              behavior.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd><p>
-              Attempt to display the contents of messages which are malformed.
-              The default is to not display malformed answers.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd><p>
-              Requests DNSSEC records be sent by setting the DNSSEC OK bit
-              (DO)
-              in the OPT record in the additional section of the query.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
-<dd><p>
-              Chase DNSSEC signature chains.  Requires dig be compiled with
-              -DDIG_SIGCHASE.
-            </p></dd>
-<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
-<dd>
-<p>
-              Specifies a file containing trusted keys to be used with
-	      <code class="option">+sigchase</code>.  Each DNSKEY record must be
-	      on its own line.
-            </p>
-<p>
-	      If not specified, <span><strong class="command">dig</strong></span> will look for
-	      <code class="filename">/etc/trusted-key.key</code> then
-	      <code class="filename">trusted-key.key</code> in the current directory.
-	    </p>
-<p>
-              Requires dig be compiled with -DDIG_SIGCHASE.
-	    </p>
-</dd>
-<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
-<dd><p>
-              When chasing DNSSEC signature chains perform a top-down
-              validation.
-              Requires dig be compiled with -DDIG_SIGCHASE.
-            </p></dd>
-<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
-<dd><p>
-              Include an EDNS name server ID request when sending a query.
-            </p></dd>
-</dl></div>
-<p>
-
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2665643"></a><h2>MULTIPLE QUERIES</h2>
-<p>
-      The BIND 9 implementation of <span><strong class="command">dig </strong></span>
-      supports
-      specifying multiple queries on the command line (in addition to
-      supporting the <code class="option">-f</code> batch file option).  Each of those
-      queries can be supplied with its own set of flags, options and query
-      options.
-    </p>
-<p>
-      In this case, each <em class="parameter"><code>query</code></em> argument
-      represent an
-      individual query in the command-line syntax described above.  Each
-      consists of any of the standard options and flags, the name to be
-      looked up, an optional query type and class and any query options that
-      should be applied to that query.
-    </p>
-<p>
-      A global set of query options, which should be applied to all queries,
-      can also be supplied.  These global query options must precede the
-      first tuple of name, class, type, options, flags, and query options
-      supplied on the command line.  Any global query options (except
-      the <code class="option">+[no]cmd</code> option) can be
-      overridden by a query-specific set of query options.  For example:
-      </p>
-<pre class="programlisting">
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-</pre>
-<p>
-      shows how <span><strong class="command">dig</strong></span> could be used from the
-      command line
-      to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
-      reverse lookup of 127.0.0.1 and a query for the NS records of
-      <code class="literal">isc.org</code>.
-
-      A global query option of <em class="parameter"><code>+qr</code></em> is
-      applied, so
-      that <span><strong class="command">dig</strong></span> shows the initial query it made
-      for each
-      lookup.  The final query has a local query option of
-      <em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
-      will not print the initial query when it looks up the NS records for
-      <code class="literal">isc.org</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2665729"></a><h2>IDN SUPPORT</h2>
-<p>
-      If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names.
-      <span><strong class="command">dig</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, defines
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when 
-      <span><strong class="command">dig</strong></span> runs.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2665962"></a><h2>FILES</h2>
-<p><code class="filename">/etc/resolv.conf</code>
-    </p>
-<p><code class="filename">${HOME}/.digrc</code>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2665984"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <em class="citetitle">RFC1035</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2666021"></a><h2>BUGS</h2>
-<p>
-      There are probably too many query options.
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch10.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Manual pages </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> host</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html b/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
deleted file mode 100644
index bb8d136..0000000
--- a/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
+++ /dev/null
@@ -1,208 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-dsfromkey</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage">
-<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-dsfromkey</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-coverage.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2615475"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-dsfromkey</strong></span>
-      outputs the Delegation Signer (DS) resource record (RR), as defined in
-      RFC 3658 and RFC 4509, for the given key(s).
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2615489"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-1</span></dt>
-<dd><p>
-            Use SHA-1 as the digest algorithm (the default is to use
-            both SHA-1 and SHA-256).
-          </p></dd>
-<dt><span class="term">-2</span></dt>
-<dd><p>
-            Use SHA-256 as the digest algorithm.
-          </p></dd>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd><p>
-            Select the digest algorithm. The value of
-            <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
-            SHA-256 (SHA256), GOST or SHA-384 (SHA384).
-            These values are case insensitive.
-          </p></dd>
-<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
-<dd><p>
-            Specifies the TTL of the DS records.
-          </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Look for key files (or, in keyset mode,
-            <code class="filename">keyset-</code> files) in
-            <code class="option">directory</code>.
-          </p></dd>
-<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
-<dd>
-<p>
-            Zone file mode: in place of the keyfile name, the argument is
-            the DNS domain name of a zone master file, which can be read
-            from <code class="option">file</code>.  If the zone name is the same as
-            <code class="option">file</code>, then it may be omitted.
-          </p>
-<p>
-            If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
-            the zone data is read from the standard input.  This makes it
-            possible to use the output of the <span><strong class="command">dig</strong></span>
-            command as input, as in:
-          </p>
-<p>
-            <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
-          </p>
-</dd>
-<dt><span class="term">-A</span></dt>
-<dd><p>
-            Include ZSK's when generating DS records.  Without this option,
-            only keys which have the KSK flag set will be converted to DS
-            records and printed.  Useful only in zone file mode. 
-          </p></dd>
-<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
-            Generate a DLV set instead of a DS set.  The specified
-            <code class="option">domain</code> is appended to the name for each
-            record in the set.
-            The DNSSEC Lookaside Validation (DLV) RR is described
-            in RFC 4431.
-          </p></dd>
-<dt><span class="term">-s</span></dt>
-<dd><p>
-            Keyset mode: in place of the keyfile name, the argument is
-            the DNS domain name of a keyset file.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Specifies the DNS class (default is IN).  Useful only
-            in keyset or zone file mode.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2615860"></a><h2>EXAMPLE</h2>
-<p>
-      To build the SHA-256 DS RR from the
-      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-      keyfile name, the following command would be issued:
-    </p>
-<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
-    </p>
-<p>
-      The command would print something like:
-    </p>
-<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2615896"></a><h2>FILES</h2>
-<p>
-      The keyfile can be designed by the key identification
-      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
-      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
-      <span class="refentrytitle">dnssec-keygen</span>(8).
-    </p>
-<p>
-      The keyset file name is built from the <code class="option">directory</code>,
-      the string <code class="filename">keyset-</code> and the
-      <code class="option">dnsname</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2615938"></a><h2>CAVEAT</h2>
-<p>
-      A keyfile error can give a "file not found" even if the file exists.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2615947"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 3658</em>,
-      <em class="citetitle">RFC 4431</em>.
-      <em class="citetitle">RFC 4509</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2615987"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-coverage.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-coverage</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-keyfromlabel</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html b/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
deleted file mode 100644
index dad8837..0000000
--- a/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
+++ /dev/null
@@ -1,314 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-keyfromlabel</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
-<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2616617"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
-      gets keys with the given label from a crypto hardware and builds
-      key files for DNSSEC (Secure DNS), as defined in RFC 2535
-      and RFC 4034.  
-    </p>
-<p>
-      The <code class="option">name</code> of the key is specified on the command
-      line.  This must match the name of the zone for which the key is
-      being generated.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2616637"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-<p>
-	    Selects the cryptographic algorithm.  The value of
-            <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
-	    These values are case insensitive.
-	  </p>
-<p>
-            If no algorithm is specified, then RSASHA1 will be used by
-            default, unless the <code class="option">-3</code> option is specified,
-            in which case NSEC3RSASHA1 will be used instead.  (If
-            <code class="option">-3</code> is used and an algorithm is specified,
-            that algorithm will be checked for compatibility with NSEC3.)
-          </p>
-<p>
-            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
-            algorithm, and DSA is recommended.
-          </p>
-<p>
-            Note 2: DH automatically sets the -k flag.
-          </p>
-</dd>
-<dt><span class="term">-3</span></dt>
-<dd><p>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-            If this option is used and no algorithm is explicitly
-            set on the command line, NSEC3RSASHA1 will be used by
-            default.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Specifies the name of the crypto hardware (OpenSSL engine).
-            When compiled with PKCS#11 support it defaults to "pkcs11".
-          </p></dd>
-<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
-<dd><p>
-            Specifies the label of the key pair in the crypto hardware.
-            The label may be preceded by an optional OpenSSL engine name,
-            separated by a colon, as in "pkcs11:keylabel".
-          </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd><p>
-            Specifies the owner type of the key.  The value of
-            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
-            a host (KEY)),
-            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are case insensitive.
-          </p></dd>
-<dt><span class="term">-C</span></dt>
-<dd><p>
-	    Compatibility mode:  generates an old-style key, without
-	    any metadata.  By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
-	    will include the key's creation date in the metadata stored
-	    with the private key, and other dates may be set there as well
-	    (publication date, activation date, etc).  Keys that include
-	    this data may be incompatible with older versions of BIND; the
-	    <code class="option">-C</code> option suppresses them.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Indicates that the DNS record containing the key should have
-            the specified class.  If not specified, class IN is used.
-          </p></dd>
-<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
-            Set the specified flag in the flag field of the KEY/DNSKEY record.
-            The only recognized flags are KSK (Key Signing Key) and REVOKE.
-          </p></dd>
-<dt><span class="term">-G</span></dt>
-<dd><p>
-            Generate a key, but do not publish it or sign with it.  This
-            option is incompatible with -P and -A.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Prints a short summary of the options and arguments to
-            <span><strong class="command">dnssec-keyfromlabel</strong></span>.
-          </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Sets the directory in which the key files are to be written.
-          </p></dd>
-<dt><span class="term">-k</span></dt>
-<dd><p>
-            Generate KEY records rather than DNSKEY records.
-          </p></dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
-            Sets the default TTL to use for this key when it is converted
-            into a DNSKEY RR.  If the key is imported into a zone,
-            this is the TTL that will be used for it, unless there was
-            already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <code class="literal">0</code> or <code class="literal">none</code> removes it.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd><p>
-            Sets the protocol value for the key.  The protocol
-            is a number between 0 and 255.  The default is 3 (DNSSEC).
-            Other possible values for this argument are listed in
-            RFC 2535 and its successors.
-          </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd><p>
-            Indicates the use of the key.  <code class="option">type</code> must be
-            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-            is AUTHCONF.  AUTH refers to the ability to authenticate
-            data, and CONF the ability to encrypt data.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-y</span></dt>
-<dd><p>
-            Allows DNSSEC key files to be generated even if the key ID
-	    would collide with that of an existing key, in the event of
-	    either key being revoked.  (This is only safe to use if you
-            are sure you won't be using RFC 5011 trust anchor maintenance
-            with either of the keys involved.)
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2618535"></a><h2>TIMING OPTIONS</h2>
-<p>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which a key is to be published to the zone.
-            After that date, the key will be included in the zone but will
-            not be used to sign it.  If not set, and if the -G option has
-            not been used, the default is "now".
-          </p></dd>
-<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be activated.  After that
-            date, the key will be included in the zone and used to sign
-            it.  If not set, and if the -G option has not been used, the
-            default is "now".
-          </p></dd>
-<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be revoked.  After that
-            date, the key will be flagged as revoked.  It will be included
-            in the zone and will be used to sign it.
-          </p></dd>
-<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be retired.  After that
-            date, the key will still be included in the zone, but it
-            will not be used to sign it.
-          </p></dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be deleted.  After that
-            date, the key will no longer be included in the zone.  (It
-            may remain in the key repository, however.)
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2618633"></a><h2>GENERATED KEY FILES</h2>
-<p>
-      When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
-      successfully,
-      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
-      to the standard output.  This is an identification string for
-      the key files it has generated.
-    </p>
-<div class="itemizedlist"><ul type="disc">
-<li><p><code class="filename">nnnn</code> is the key name.
-        </p></li>
-<li><p><code class="filename">aaa</code> is the numeric representation
-          of the algorithm.
-        </p></li>
-<li><p><code class="filename">iiiii</code> is the key identifier (or
-          footprint).
-        </p></li>
-</ul></div>
-<p><span><strong class="command">dnssec-keyfromlabel</strong></span> 
-      creates two files, with names based
-      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
-      contains the public key, and
-      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
-      private key.
-    </p>
-<p>
-      The <code class="filename">.key</code> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
-    </p>
-<p>
-      The <code class="filename">.private</code> file contains
-      algorithm-specific
-      fields.  For obvious security reasons, this file does not have
-      general read permission.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2669176"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 4034</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2669209"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-dsfromkey</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-keygen</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-keygen.html b/contrib/bind9/doc/arm/man.dnssec-keygen.html
deleted file mode 100644
index 8f846e0..0000000
--- a/contrib/bind9/doc/arm/man.dnssec-keygen.html
+++ /dev/null
@@ -1,449 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
-<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-revoke.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2617453"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-keygen</strong></span>
-      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
-      and RFC 4034.  It can also generate keys for use with
-      TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
-      (Transaction Key) as defined in RFC 2930.
-    </p>
-<p>
-      The <code class="option">name</code> of the key is specified on the command
-      line.  For DNSSEC keys, this must match the name of the zone for
-      which the key is being generated.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2617474"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-<p>
-            Selects the cryptographic algorithm.  For DNSSEC keys, the value
-            of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 or ECDSAP384SHA384.
-	    For TSIG/TKEY, the value must
-            be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
-            HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
-            case insensitive.
-          </p>
-<p>
-            If no algorithm is specified, then RSASHA1 will be used by
-            default, unless the <code class="option">-3</code> option is specified,
-            in which case NSEC3RSASHA1 will be used instead.  (If
-            <code class="option">-3</code> is used and an algorithm is specified,
-            that algorithm will be checked for compatibility with NSEC3.)
-          </p>
-<p>
-            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
-            algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
-	    mandatory.
-          </p>
-<p>
-            Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
-            automatically set the -T KEY option.
-          </p>
-</dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd>
-<p>
-            Specifies the number of bits in the key.  The choice of key
-            size depends on the algorithm used.  RSA keys must be
-            between 512 and 2048 bits.  Diffie Hellman keys must be between
-            128 and 4096 bits.  DSA keys must be between 512 and 1024
-            bits and an exact multiple of 64.  HMAC keys must be
-            between 1 and 512 bits. Elliptic curve algorithms don't need
-            this parameter.
-          </p>
-<p>
-            The key size does not need to be specified if using a default
-            algorithm.  The default key size is 1024 bits for zone signing
-            keys (ZSK's) and 2048 bits for key signing keys (KSK's,
-            generated with <code class="option">-f KSK</code>).  However, if an
-            algorithm is explicitly specified with the <code class="option">-a</code>,
-            then there is no default key size, and the <code class="option">-b</code>
-            must be used.
-          </p>
-</dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd><p>
-            Specifies the owner type of the key.  The value of
-            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
-            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
-            a host (KEY)),
-            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are case insensitive.  Defaults to ZONE for DNSKEY
-	    generation.
-          </p></dd>
-<dt><span class="term">-3</span></dt>
-<dd><p>
-	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
-            If this option is used and no algorithm is explicitly
-            set on the command line, NSEC3RSASHA1 will be used by
-            default. Note that RSASHA256, RSASHA512, ECCGOST,
-	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
-	    are NSEC3-capable.
-          </p></dd>
-<dt><span class="term">-C</span></dt>
-<dd><p>
-	    Compatibility mode:  generates an old-style key, without
-	    any metadata.  By default, <span><strong class="command">dnssec-keygen</strong></span>
-	    will include the key's creation date in the metadata stored
-	    with the private key, and other dates may be set there as well
-	    (publication date, activation date, etc).  Keys that include
-	    this data may be incompatible with older versions of BIND; the
-	    <code class="option">-C</code> option suppresses them.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Indicates that the DNS record containing the key should have
-            the specified class.  If not specified, class IN is used.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Uses a crypto hardware (OpenSSL engine) for random number
-            and, when supported, key generation. When compiled with PKCS#11
-            support it defaults to pkcs11; the empty name resets it to
-            no engine.
-          </p></dd>
-<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
-            Set the specified flag in the flag field of the KEY/DNSKEY record.
-            The only recognized flags are KSK (Key Signing Key) and REVOKE.
-          </p></dd>
-<dt><span class="term">-G</span></dt>
-<dd><p>
-            Generate a key, but do not publish it or sign with it.  This
-            option is incompatible with -P and -A.
-          </p></dd>
-<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
-<dd><p>
-            If generating a Diffie Hellman key, use this generator.
-            Allowed values are 2 and 5.  If no generator
-            is specified, a known prime from RFC 2539 will be used
-            if possible; otherwise the default is 2.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Prints a short summary of the options and arguments to
-            <span><strong class="command">dnssec-keygen</strong></span>.
-          </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Sets the directory in which the key files are to be written.
-          </p></dd>
-<dt><span class="term">-k</span></dt>
-<dd><p>
-            Deprecated in favor of -T KEY.
-          </p></dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
-            Sets the default TTL to use for this key when it is converted
-            into a DNSKEY RR.  If the key is imported into a zone,
-            this is the TTL that will be used for it, unless there was
-            already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <code class="literal">0</code> or <code class="literal">none</code> removes it.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd><p>
-            Sets the protocol value for the generated key.  The protocol
-            is a number between 0 and 255.  The default is 3 (DNSSEC).
-            Other possible values for this argument are listed in
-            RFC 2535 and its successors.
-          </p></dd>
-<dt><span class="term">-q</span></dt>
-<dd><p>
-            Quiet mode: Suppresses unnecessary output, including
-            progress indication.  Without this option, when
-            <span><strong class="command">dnssec-keygen</strong></span> is run interactively
-            to generate an RSA or DSA key pair, it will print a string
-            of symbols to <code class="filename">stderr</code> indicating the
-            progress of the key generation.  A '.' indicates that a
-            random number has been found which passed an initial
-            sieve test; '+' means a number has passed a single
-            round of the Miller-Rabin primality test; a space
-            means that the number has passed all the tests and is
-            a satisfactory key.
-          </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
-            Specifies the source of randomness.  If the operating
-            system does not provide a <code class="filename">/dev/random</code>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <code class="filename">randomdev</code>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <code class="filename">keyboard</code> indicates that keyboard
-            input should be used.
-          </p></dd>
-<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
-<dd><p>
-            Create a new key which is an explicit successor to an
-            existing key.  The name, algorithm, size, and type of the
-            key will be set to match the existing key.  The activation
-            date of the new key will be set to the inactivation date of
-            the existing one.  The publication date will be set to the
-            activation date minus the prepublication interval, which
-            defaults to 30 days.
-          </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
-<dd><p>
-            Specifies the strength value of the key.  The strength is
-            a number between 0 and 15, and currently has no defined
-            purpose in DNSSEC.
-          </p></dd>
-<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
-<dd>
-<p>
-            Specifies the resource record type to use for the key.
-            <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
-            default is DNSKEY when using a DNSSEC algorithm, but it can be
-            overridden to KEY for use with SIG(0).
-          </p>
-<p>
-          </p>
-<p>
-            Using any TSIG algorithm (HMAC-* or DH) forces this option
-            to KEY.
-          </p>
-</dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd><p>
-            Indicates the use of the key.  <code class="option">type</code> must be
-            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
-            is AUTHCONF.  AUTH refers to the ability to authenticate
-            data, and CONF the ability to encrypt data.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2669682"></a><h2>TIMING OPTIONS</h2>
-<p>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which a key is to be published to the zone.
-            After that date, the key will be included in the zone but will
-            not be used to sign it.  If not set, and if the -G option has
-            not been used, the default is "now".
-          </p></dd>
-<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be activated.  After that
-            date, the key will be included in the zone and used to sign
-            it.  If not set, and if the -G option has not been used, the
-            default is "now".
-          </p></dd>
-<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be revoked.  After that
-            date, the key will be flagged as revoked.  It will be included
-            in the zone and will be used to sign it.
-          </p></dd>
-<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be retired.  After that
-            date, the key will still be included in the zone, but it
-            will not be used to sign it.
-          </p></dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be deleted.  After that
-            date, the key will no longer be included in the zone.  (It
-            may remain in the key repository, however.)
-          </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
-<p>
-            Sets the prepublication interval for a key.  If set, then
-            the publication and activation dates must be separated by at least
-            this much time.  If the activation date is specified but the
-            publication date isn't, then the publication date will default
-            to this much time before the activation date; conversely, if
-            the publication date is specified but activation date isn't,
-            then activation will be set to this much time after publication.
-          </p>
-<p>
-            If the key is being created as an explicit successor to another
-            key, then the default prepublication interval is 30 days; 
-            otherwise it is zero.
-          </p>
-<p>
-            As with date offsets, if the argument is followed by one of
-            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
-            interval is measured in years, months, weeks, days, hours,
-            or minutes, respectively.  Without a suffix, the interval is
-            measured in seconds.
-          </p>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2669872"></a><h2>GENERATED KEYS</h2>
-<p>
-      When <span><strong class="command">dnssec-keygen</strong></span> completes
-      successfully,
-      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
-      to the standard output.  This is an identification string for
-      the key it has generated.
-    </p>
-<div class="itemizedlist"><ul type="disc">
-<li><p><code class="filename">nnnn</code> is the key name.
-        </p></li>
-<li><p><code class="filename">aaa</code> is the numeric representation
-          of the
-          algorithm.
-        </p></li>
-<li><p><code class="filename">iiiii</code> is the key identifier (or
-          footprint).
-        </p></li>
-</ul></div>
-<p><span><strong class="command">dnssec-keygen</strong></span> 
-      creates two files, with names based
-      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
-      contains the public key, and
-      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
-      private
-      key.
-    </p>
-<p>
-      The <code class="filename">.key</code> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
-    </p>
-<p>
-      The <code class="filename">.private</code> file contains
-      algorithm-specific
-      fields.  For obvious security reasons, this file does not have
-      general read permission.
-    </p>
-<p>
-      Both <code class="filename">.key</code> and <code class="filename">.private</code>
-      files are generated for symmetric encryption algorithms such as
-      HMAC-MD5, even though the public and private key are equivalent.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2669979"></a><h2>EXAMPLE</h2>
-<p>
-      To generate a 768-bit DSA key for the domain
-      <strong class="userinput"><code>example.com</code></strong>, the following command would be
-      issued:
-    </p>
-<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
-    </p>
-<p>
-      The command would print a string of the form:
-    </p>
-<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
-    </p>
-<p>
-      In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
-      the files <code class="filename">Kexample.com.+003+26160.key</code>
-      and
-      <code class="filename">Kexample.com.+003+26160.private</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2670036"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 2539</em>,
-      <em class="citetitle">RFC 2845</em>,
-      <em class="citetitle">RFC 4034</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2670067"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-revoke.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-keyfromlabel</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-revoke</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-revoke.html b/contrib/bind9/doc/arm/man.dnssec-revoke.html
deleted file mode 100644
index c6490ef..0000000
--- a/contrib/bind9/doc/arm/man.dnssec-revoke.html
+++ /dev/null
@@ -1,131 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-revoke</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
-<link rel="next" href="man.dnssec-settime.html" title="dnssec-settime">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-revoke</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-settime.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-revoke</span> &#8212; Set the REVOKED bit on a DNSSEC key</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code>  [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2617950"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-revoke</strong></span>
-      reads a DNSSEC key file, sets the REVOKED bit on the key as defined
-      in RFC 5011, and creates a new pair of key files containing the
-      now-revoked key.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2617964"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	    Emit usage message and exit.
-	  </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Sets the directory in which the key files are to reside.
-          </p></dd>
-<dt><span class="term">-r</span></dt>
-<dd><p>
-	    After writing the new keyset files remove the original keyset
-	    files.
-	  </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Use the given OpenSSL engine. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
-          </p></dd>
-<dt><span class="term">-f</span></dt>
-<dd><p>
-            Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
-            write the new key pair even if a file already exists matching
-            the algorithm and key ID of the revoked key.
-          </p></dd>
-<dt><span class="term">-R</span></dt>
-<dd><p>
-	    Print the key tag of the key with the REVOKE bit set but do
-	    not revoke the key.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2618085"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 5011</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2618109"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-settime.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-keygen</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-settime</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-settime.html b/contrib/bind9/doc/arm/man.dnssec-settime.html
deleted file mode 100644
index 3e121c4..0000000
--- a/contrib/bind9/doc/arm/man.dnssec-settime.html
+++ /dev/null
@@ -1,259 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-settime</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
-<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-settime</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-revoke.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.dnssec-settime"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2619165"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-settime</strong></span>
-      reads a DNSSEC private key file and sets the key timing metadata
-      as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
-      <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
-      options.  The metadata can then be used by
-      <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
-      determine when a key is to be published, whether it should be
-      used for signing a zone, etc.
-    </p>
-<p>
-      If none of these options is set on the command line,
-      then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
-      metadata already stored in the key.
-    </p>
-<p>
-      When key metadata fields are changed, both files of a key
-      pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
-      <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
-      Metadata fields are stored in the private file.  A human-readable
-      description of the metadata is also placed in comments in the key
-      file.  The private file's permissions are always set to be
-      inaccessible to anyone other than the owner (mode 0600).
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2619224"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-f</span></dt>
-<dd><p>
-	    Force an update of an old-format key with no metadata fields.
-            Without this option, <span><strong class="command">dnssec-settime</strong></span> will
-            fail when attempting to update a legacy key.  With this option,
-            the key will be recreated in the new format, but with the
-            original key data retained.  The key's creation date will be
-            set to the present time.  If no other values are specified, 
-            then the key's publication and activation dates will also 
-            be set to the present time.
-	  </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Sets the directory in which the key files are to reside.
-          </p></dd>
-<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
-            Sets the default TTL to use for this key when it is converted
-            into a DNSKEY RR.  If the key is imported into a zone,
-            this is the TTL that will be used for it, unless there was
-            already a DNSKEY RRset in place, in which case the existing TTL
-            would take precedence.  Setting the default TTL to
-            <code class="literal">0</code> or <code class="literal">none</code> removes it.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-	    Emit usage message and exit.
-	  </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Use the given OpenSSL engine. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2619346"></a><h2>TIMING OPTIONS</h2>
-<p>
-      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
-      If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  For convenience, if such an offset
-      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
-      then the offset is computed in years (defined as 365 24-hour days,
-      ignoring leap years), months (defined as 30 24-hour days), weeks,
-      days, hours, or minutes, respectively.  Without a suffix, the offset
-      is computed in seconds.  To unset a date, use 'none'.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which a key is to be published to the zone.
-            After that date, the key will be included in the zone but will
-            not be used to sign it.
-          </p></dd>
-<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be activated.  After that
-            date, the key will be included in the zone and used to sign
-            it.
-          </p></dd>
-<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be revoked.  After that
-            date, the key will be flagged as revoked.  It will be included
-            in the zone and will be used to sign it.
-          </p></dd>
-<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be retired.  After that
-            date, the key will still be included in the zone, but it
-            will not be used to sign it.
-          </p></dd>
-<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
-<dd><p>
-            Sets the date on which the key is to be deleted.  After that
-            date, the key will no longer be included in the zone.  (It
-            may remain in the key repository, however.)
-          </p></dd>
-<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
-<dd><p>
-            Select a key for which the key being modified will be an
-            explicit successor.  The name, algorithm, size, and type of the
-            predecessor key must exactly match those of the key being
-            modified.  The activation date of the successor key will be set
-            to the inactivation date of the predecessor.  The publication
-            date will be set to the activation date minus the prepublication
-            interval, which defaults to 30 days.
-          </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
-<p>
-            Sets the prepublication interval for a key.  If set, then
-            the publication and activation dates must be separated by at least
-            this much time.  If the activation date is specified but the
-            publication date isn't, then the publication date will default
-            to this much time before the activation date; conversely, if
-            the publication date is specified but activation date isn't,
-            then activation will be set to this much time after publication.
-          </p>
-<p>
-            If the key is being set to be an explicit successor to another
-            key, then the default prepublication interval is 30 days; 
-            otherwise it is zero.
-          </p>
-<p>
-            As with date offsets, if the argument is followed by one of
-            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
-            interval is measured in years, months, weeks, days, hours,
-            or minutes, respectively.  Without a suffix, the interval is
-            measured in seconds.
-          </p>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2620167"></a><h2>PRINTING OPTIONS</h2>
-<p>
-      <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
-      timing metadata associated with a key.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">-u</span></dt>
-<dd><p>
-	    Print times in UNIX epoch format.
-	  </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
-<dd><p>
-	    Print a specific metadata value or set of metadata values.
-            The <code class="option">-p</code> option may be followed by one or more
-            of the following letters to indicate which value or values to print:
-            <code class="option">C</code> for the creation date,
-            <code class="option">P</code> for the publication date,
-            <code class="option">A</code> for the activation date,
-            <code class="option">R</code> for the revocation date,
-            <code class="option">I</code> for the inactivation date, or
-            <code class="option">D</code> for the deletion date.
-            To print all of the metadata, use <code class="option">-p all</code>.
-	  </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2620315"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 5011</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2621372"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-revoke.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-revoke</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-signzone</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-signzone.html b/contrib/bind9/doc/arm/man.dnssec-signzone.html
deleted file mode 100644
index 290e770..0000000
--- a/contrib/bind9/doc/arm/man.dnssec-signzone.html
+++ /dev/null
@@ -1,529 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
-<link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-settime.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-verify.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2620935"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-signzone</strong></span>
-      signs a zone.  It generates
-      NSEC and RRSIG records and produces a signed version of the
-      zone. The security status of delegations from the signed zone
-      (that is, whether the child zones are secure or not) is
-      determined by the presence or absence of a
-      <code class="filename">keyset</code> file for each child zone.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2620954"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd><p>
-            Verify all generated signatures.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Specifies the DNS class of the zone.
-          </p></dd>
-<dt><span class="term">-C</span></dt>
-<dd><p>
-            Compatibility mode: Generate a
-            <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
-            file in addition to
-            <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
-            when signing a zone, for use by older versions of
-            <span><strong class="command">dnssec-signzone</strong></span>.
-          </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Look for <code class="filename">dsset-</code> or
-            <code class="filename">keyset-</code> files in <code class="option">directory</code>.
-          </p></dd>
-<dt><span class="term">-D</span></dt>
-<dd><p>
-	    Output only those record types automatically managed by
-	    <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
-	    NSEC3 and NSEC3PARAM records. If smart signing
-	    (<code class="option">-S</code>) is used, DNSKEY records are also
-	    included. The resulting file can be included in the original
-	    zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
-	    cannot be combined with <code class="option">-O raw</code> or serial
-	    number updating.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
-<dd><p>
-            Uses a crypto hardware (OpenSSL engine) for the crypto operations
-            it supports, for instance signing with private keys from
-            a secure key store. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
-          </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
-            Generate DS records for child zones from
-            <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
-            file.  Existing DS records will be removed.
-          </p></dd>
-<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Key repository: Specify a directory to search for DNSSEC keys.
-            If not specified, defaults to the current directory.
-          </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
-<dd><p>
-            Treat specified key as a key signing key ignoring any
-            key flags.  This option may be specified multiple times.
-          </p></dd>
-<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
-            Generate a DLV set in addition to the key (DNSKEY) and DS sets.
-            The domain is appended to the name of the records.
-          </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd><p>
-            Specify the date and time when the generated RRSIG records
-            become valid.  This can be either an absolute or relative
-            time.  An absolute start time is indicated by a number
-            in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-            14:45:00 UTC on May 30th, 2000.  A relative start time is
-            indicated by +N, which is N seconds from the current time.
-            If no <code class="option">start-time</code> is specified, the current
-            time minus 1 hour (to allow for clock skew) is used.
-          </p></dd>
-<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd><p>
-            Specify the date and time when the generated RRSIG records
-            expire.  As with <code class="option">start-time</code>, an absolute
-            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-            to the start time is indicated with +N, which is N seconds from
-            the start time.  A time relative to the current time is
-            indicated with now+N.  If no <code class="option">end-time</code> is
-            specified, 30 days from the start time is used as a default.
-            <code class="option">end-time</code> must be later than
-            <code class="option">start-time</code>.
-          </p></dd>
-<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
-<dd>
-<p>
-            Specify the date and time when the generated RRSIG records
-            for the DNSKEY RRset will expire.  This is to be used in cases
-            when the DNSKEY signatures need to persist longer than
-            signatures on other records; e.g., when the private component
-            of the KSK is kept offline and the KSK signature is to be
-            refreshed manually.
-          </p>
-<p>
-            As with <code class="option">start-time</code>, an absolute
-            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
-            to the start time is indicated with +N, which is N seconds from
-            the start time.  A time relative to the current time is
-            indicated with now+N.  If no <code class="option">extended end-time</code> is
-            specified, the value of <code class="option">end-time</code> is used as
-            the default.  (<code class="option">end-time</code>, in turn, defaults to
-            30 days from the start time.) <code class="option">extended end-time</code>
-            must be later than <code class="option">start-time</code>.
-          </p>
-</dd>
-<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
-<dd><p>
-            The name of the output file containing the signed zone.  The
-            default is to append <code class="filename">.signed</code> to
-            the input filename.  If <code class="option">output-file</code> is
-            set to <code class="literal">"-"</code>, then the signed zone is
-            written to the standard output, with a default output
-            format of "full".
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Prints a short summary of the options and arguments to
-            <span><strong class="command">dnssec-signzone</strong></span>.
-          </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
-<p>
-            When a previously-signed zone is passed as input, records
-            may be resigned.  The <code class="option">interval</code> option
-            specifies the cycle interval as an offset from the current
-            time (in seconds).  If a RRSIG record expires after the
-            cycle interval, it is retained.  Otherwise, it is considered
-            to be expiring soon, and it will be replaced.
-          </p>
-<p>
-            The default cycle interval is one quarter of the difference
-            between the signature end and start times.  So if neither
-            <code class="option">end-time</code> or <code class="option">start-time</code>
-            are specified, <span><strong class="command">dnssec-signzone</strong></span>
-            generates
-            signatures that are valid for 30 days, with a cycle
-            interval of 7.5 days.  Therefore, if any existing RRSIG records
-            are due to expire in less than 7.5 days, they would be
-            replaced.
-          </p>
-</dd>
-<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd><p>
-            The format of the input zone file.
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    and <span><strong class="command">"raw"</strong></span>.
-	    This option is primarily intended to be used for dynamic
-            signed zones so that the dumped zone file in a non-text
-            format containing updates can be signed directly.
-	    The use of this option does not make much sense for
-	    non-dynamic zones.
-          </p></dd>
-<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
-<dd>
-<p>
-            When signing a zone with a fixed signature lifetime, all
-            RRSIG records issued at the time of signing expires
-            simultaneously.  If the zone is incrementally signed, i.e.
-            a previously-signed zone is passed as input to the signer,
-            all expired signatures have to be regenerated at about the
-            same time.  The <code class="option">jitter</code> option specifies a
-            jitter window that will be used to randomize the signature
-            expire time, thus spreading incremental signature
-            regeneration over time.
-          </p>
-<p>
-            Signature lifetime jitter also to some extent benefits
-            validators and servers by spreading out cache expiration,
-            i.e. if large numbers of RRSIGs don't expire at the same time
-            from all caches there will be less congestion than if all
-            validators need to refetch at mostly the same time.
-          </p>
-</dd>
-<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd><p>
-            When writing a signed zone to 'raw' format, set the "source serial" 
-            value in the header to the specified serial number.  (This is
-            expected to be used primarily for testing purposes.)
-          </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
-<dd><p>
-            Specifies the number of threads to use.  By default, one
-            thread is started for each detected CPU.
-          </p></dd>
-<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
-<dd>
-<p>
-            The SOA serial number format of the signed zone.
-	    Possible formats are <span><strong class="command">"keep"</strong></span> (default),
-            <span><strong class="command">"increment"</strong></span> and
-	    <span><strong class="command">"unixtime"</strong></span>.
-          </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
-<dd><p>Do not modify the SOA serial number.</p></dd>
-<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
-<dd><p>Increment the SOA serial number using RFC 1982
-                      arithmetics.</p></dd>
-<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
-<dd><p>Set the SOA serial number to the number of seconds
-	        since epoch.</p></dd>
-</dl></div>
-</dd>
-<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd><p>
-            The zone origin.  If not specified, the name of the zone file
-            is assumed to be the origin.
-          </p></dd>
-<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
-<dd><p>
-            The format of the output file containing the signed zone.
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    <span><strong class="command">"full"</strong></span>, which is text output in a
-            format suitable for processing by external scripts,
-            and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
-            which store the zone in a binary format for rapid loading
-            by <span><strong class="command">named</strong></span>.  <span><strong class="command">"raw=N"</strong></span>
-            specifies the format version of the raw zone file: if N
-            is 0, the raw file can be read by any version of
-            <span><strong class="command">named</strong></span>; if N is 1, the file can be
-            read by release 9.9.0 or higher.  The default is 1.
-          </p></dd>
-<dt><span class="term">-p</span></dt>
-<dd><p>
-            Use pseudo-random data when signing the zone.  This is faster,
-            but less secure, than using real random data.  This option
-            may be useful when signing large zones or when the entropy
-            source is limited.
-          </p></dd>
-<dt><span class="term">-P</span></dt>
-<dd>
-<p>
-	    Disable post sign verification tests.
-          </p>
-<p>
-	    The post sign verification test ensures that for each algorithm
-	    in use there is at least one non revoked self signed KSK key,
-	    that all revoked KSK keys are self signed, and that all records
-	    in the zone are signed by the algorithm.
-	    This option skips these tests.
-          </p>
-</dd>
-<dt><span class="term">-R</span></dt>
-<dd>
-<p>
-	    Remove signatures from keys that no longer exist.
-          </p>
-<p>
-            Normally, when a previously-signed zone is passed as input
-            to the signer, and a DNSKEY record has been removed and
-            replaced with a new one, signatures from the old key 
-            that are still within their validity period are retained.
-	    This allows the zone to continue to validate with cached
-	    copies of the old DNSKEY RRset.  The <code class="option">-R</code> forces
-            <span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned
-            signatures.
-          </p>
-</dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
-            Specifies the source of randomness.  If the operating
-            system does not provide a <code class="filename">/dev/random</code>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <code class="filename">randomdev</code>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <code class="filename">keyboard</code> indicates that keyboard
-            input should be used.
-          </p></dd>
-<dt><span class="term">-S</span></dt>
-<dd>
-<p>
-            Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
-            search the key repository for keys that match the zone being
-            signed, and to include them in the zone if appropriate.
-          </p>
-<p>
-            When a key is found, its timing metadata is examined to
-            determine how it should be used, according to the following
-            rules.  Each successive rule takes priority over the prior
-            ones:
-          </p>
-<div class="variablelist"><dl>
-<dt></dt>
-<dd><p>
-                  If no timing metadata has been set for the key, the key is
-                  published in the zone and used to sign the zone.
-                </p></dd>
-<dt></dt>
-<dd><p>
-                  If the key's publication date is set and is in the past, the
-                  key is published in the zone.
-                </p></dd>
-<dt></dt>
-<dd><p>
-                  If the key's activation date is set and in the past, the
-                  key is published (regardless of publication date) and
-                  used to sign the zone.  
-                </p></dd>
-<dt></dt>
-<dd><p>
-                  If the key's revocation date is set and in the past, and the
-                  key is published, then the key is revoked, and the revoked key
-                  is used to sign the zone.
-                </p></dd>
-<dt></dt>
-<dd><p>
-                  If either of the key's unpublication or deletion dates are set
-                  and in the past, the key is NOT published or used to sign the
-                  zone, regardless of any other metadata.
-                </p></dd>
-</dl></div>
-</dd>
-<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
-<dd><p>
-            Specifies a TTL to be used for new DNSKEY records imported
-            into the zone from the key repository.  If not
-            specified, the default is the TTL value from the zone's SOA
-            record.  This option is ignored when signing without
-            <code class="option">-S</code>, since DNSKEY records are not imported
-            from the key repository in that case.  It is also ignored if
-            there are any pre-existing DNSKEY records at the zone apex,
-            in which case new records' TTL values will be set to match
-            them, or if any of the imported DNSKEY records had a default
-            TTL value.  In the event of a a conflict between TTL values in
-            imported keys, the shortest one is used.
-          </p></dd>
-<dt><span class="term">-t</span></dt>
-<dd><p>
-            Print statistics at completion.
-          </p></dd>
-<dt><span class="term">-u</span></dt>
-<dd><p>
-            Update NSEC/NSEC3 chain when re-signing a previously signed
-            zone.  With this option, a zone signed with NSEC can be
-            switched to NSEC3, or a zone signed with NSEC3 can
-            be switch to NSEC or to NSEC3 with different parameters.
-            Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
-            retain the existing chain when re-signing.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-x</span></dt>
-<dd><p>
-            Only sign the DNSKEY RRset with key-signing keys, and omit
-            signatures from zone-signing keys.  (This is similar to the
-            <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
-            <span><strong class="command">named</strong></span>.)
-          </p></dd>
-<dt><span class="term">-z</span></dt>
-<dd><p>
-            Ignore KSK flag on key when determining what to sign.  This
-            causes KSK-flagged keys to sign all records, not just the
-            DNSKEY RRset.  (This is similar to the
-            <span><strong class="command">update-check-ksk no;</strong></span> zone option in
-            <span><strong class="command">named</strong></span>.)
-          </p></dd>
-<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
-<dd><p>
-            Generate an NSEC3 chain with the given hex encoded salt.
-	    A dash (<em class="replaceable"><code>salt</code></em>) can
-	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
-          </p></dd>
-<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
-<dd><p>
-	    When generating an NSEC3 chain, use this many interations.  The
-	    default is 10.
-          </p></dd>
-<dt><span class="term">-A</span></dt>
-<dd>
-<p>
-	    When generating an NSEC3 chain set the OPTOUT flag on all
-	    NSEC3 records and do not generate NSEC3 records for insecure
-	    delegations.
-          </p>
-<p>
-	    Using this option twice (i.e., <code class="option">-AA</code>)
-	    turns the OPTOUT flag off for all records.  This is useful
-	    when using the <code class="option">-u</code> option to modify an NSEC3
-	    chain which previously had OPTOUT set.
-          </p>
-</dd>
-<dt><span class="term">zonefile</span></dt>
-<dd><p>
-            The file containing the zone to be signed.
-          </p></dd>
-<dt><span class="term">key</span></dt>
-<dd><p>
-	    Specify which keys should be used to sign the zone.  If
-	    no keys are specified, then the zone will be examined
-	    for DNSKEY records at the zone apex.  If these are found and
-	    there are matching private keys, in the current directory,
-	    then these will be used for signing.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2675701"></a><h2>EXAMPLE</h2>
-<p>
-      The following command signs the <strong class="userinput"><code>example.com</code></strong>
-      zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
-      (Kexample.com.+003+17247).  Because the <span><strong class="command">-S</strong></span> option
-      is not being used, the zone's keys must be in the master file
-      (<code class="filename">db.example.com</code>).  This invocation looks
-      for <code class="filename">dsset</code> files, in the current directory,
-      so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
-    </p>
-<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
-Kexample.com.+003+17247
-db.example.com.signed
-%</pre>
-<p>
-      In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
-      the file <code class="filename">db.example.com.signed</code>.  This
-      file should be referenced in a zone statement in a
-      <code class="filename">named.conf</code> file.
-    </p>
-<p>
-      This example re-signs a previously signed zone with default parameters.
-      The private keys are assumed to be in the current directory.
-    </p>
-<pre class="programlisting">% cp db.example.com.signed db.example.com
-% dnssec-signzone -o example.com db.example.com
-db.example.com.signed
-%</pre>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2675848"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 4033</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2675873"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-settime.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-verify.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-settime</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-verify</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-verify.html b/contrib/bind9/doc/arm/man.dnssec-verify.html
deleted file mode 100644
index d8a0bf0..0000000
--- a/contrib/bind9/doc/arm/man.dnssec-verify.html
+++ /dev/null
@@ -1,156 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-verify</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
-<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.dnssec-verify"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2622443"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">dnssec-verify</strong></span>
-      verifies that a zone is fully signed for each algorithm found
-      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
-      chains are complete.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2622457"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Specifies the DNS class of the zone.
-          </p></dd>
-<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
-<dd><p>
-            The format of the input zone file.
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    and <span><strong class="command">"raw"</strong></span>.
-	    This option is primarily intended to be used for dynamic
-            signed zones so that the dumped zone file in a non-text
-            format containing updates can be verified independently.
-	    The use of this option does not make much sense for
-	    non-dynamic zones.
-          </p></dd>
-<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd><p>
-            The zone origin.  If not specified, the name of the zone file
-            is assumed to be the origin.
-          </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
-            Sets the debugging level.
-          </p></dd>
-<dt><span class="term">-x</span></dt>
-<dd><p>
-            Only verify that the DNSKEY RRset is signed with key-signing
-            keys.  Without this flag, it is assumed that the DNSKEY RRset
-            will be signed by all active keys.  When this flag is set,
-            it will not be an error if the DNSKEY RRset is not signed
-            by zone-signing keys.  This corresponds to the <code class="option">-x</code>
-            option in <span><strong class="command">dnssec-signzone</strong></span>.
-          </p></dd>
-<dt><span class="term">-z</span></dt>
-<dd>
-<p>
-	    Ignore the KSK flag on the keys when determining whether
-            the zone if correctly signed.  Without this flag it is
-	    assumed that there will be a non-revoked, self-signed
-	    DNSKEY with the KSK flag set for each algorithm and
-	    that RRsets other than DNSKEY RRset will be signed with
-            a different DNSKEY without the KSK flag set.
-	  </p>
-<p>
-	    With this flag set, we only require that for each algorithm,
-            there will be at least one non-revoked, self-signed DNSKEY,
-            regardless of the KSK flag state, and that other RRsets
-	    will be signed by a non-revoked key for the same algorithm
-            that includes the self-signed key; the same key may be used
-            for both purposes.  This corresponds to the <code class="option">-z</code>
-            option in <span><strong class="command">dnssec-signzone</strong></span>.
-	  </p>
-</dd>
-<dt><span class="term">zonefile</span></dt>
-<dd><p>
-            The file containing the zone to be signed.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2622606"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 4033</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2622632"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-signzone</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.genrandom.html b/contrib/bind9/doc/arm/man.genrandom.html
deleted file mode 100644
index e7f0eeb..0000000
--- a/contrib/bind9/doc/arm/man.genrandom.html
+++ /dev/null
@@ -1,112 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>genrandom</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.arpaname.html" title="arpaname">
-<link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">genrandom</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.genrandom"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">genrandom</span> &#8212; generate a file containing random data</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">genrandom</code>  [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2619662"></a><h2>DESCRIPTION</h2>
-<p>
-      <span><strong class="command">genrandom</strong></span>
-      generates a file or a set of files containing a specified quantity
-      of pseudo-random data, which can be used as a source of entropy for
-      other commands on systems with no random device.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2658794"></a><h2>ARGUMENTS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
-            In place of generating one file, generates <code class="option">number</code>
-            (from 2 to 9) files, appending <code class="option">number</code> to the name.
-          </p></dd>
-<dt><span class="term">size</span></dt>
-<dd><p>
-            The size of the file, in kilobytes, to generate.
-          </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
-            The file name into which random data should be written.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2658855"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
-      <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2658882"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">arpaname</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">isc-hmac-fixup</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.host.html b/contrib/bind9/doc/arm/man.host.html
deleted file mode 100644
index 2166dd2..0000000
--- a/contrib/bind9/doc/arm/man.host.html
+++ /dev/null
@@ -1,249 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dig.html" title="dig">
-<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">host</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dig.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.host"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>host &#8212; DNS lookup utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2612042"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">host</strong></span>
-      is a simple utility for performing DNS lookups.
-      It is normally used to convert names to IP addresses and vice versa.
-      When no arguments or options are given,
-      <span><strong class="command">host</strong></span>
-      prints a short summary of its command line arguments and options.
-    </p>
-<p><em class="parameter"><code>name</code></em> is the domain name that is to be
-      looked
-      up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
-      IPv6 address, in which case <span><strong class="command">host</strong></span> will by
-      default
-      perform a reverse lookup for that address.
-      <em class="parameter"><code>server</code></em> is an optional argument which
-      is either
-      the name or IP address of the name server that <span><strong class="command">host</strong></span>
-      should query instead of the server or servers listed in
-      <code class="filename">/etc/resolv.conf</code>.
-    </p>
-<p>
-      The <code class="option">-a</code> (all) option is equivalent to setting the
-      <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
-      a query of type ANY.
-    </p>
-<p>
-      When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
-      will attempt to display the SOA records for zone
-      <em class="parameter"><code>name</code></em> from all the listed
-      authoritative name
-      servers for that zone.  The list of name servers is defined by the NS
-      records that are found for the zone.
-    </p>
-<p>
-      The <code class="option">-c</code> option instructs to make a DNS query of class
-      <em class="parameter"><code>class</code></em>.  This can be used to lookup
-      Hesiod or
-      Chaosnet class resource records.  The default class is IN (Internet).
-    </p>
-<p>
-      Verbose output is generated by <span><strong class="command">host</strong></span> when
-      the
-      <code class="option">-d</code> or <code class="option">-v</code> option is used.  The two
-      options are equivalent.  They have been provided for backwards
-      compatibility.  In previous versions, the <code class="option">-d</code> option
-      switched on debugging traces and <code class="option">-v</code> enabled verbose
-      output.
-    </p>
-<p>
-      List mode is selected by the <code class="option">-l</code> option.  This makes
-      <span><strong class="command">host</strong></span> perform a zone transfer for zone
-      <em class="parameter"><code>name</code></em>.  Transfer the zone printing out
-      the NS, PTR
-      and address records (A/AAAA).  If combined with <code class="option">-a</code>
-      all records will be printed.
-    </p>
-<p>
-      The <code class="option">-i</code>
-      option specifies that reverse lookups of IPv6 addresses should
-      use the IP6.INT domain as defined in RFC1886.
-      The default is to use IP6.ARPA.
-    </p>
-<p>
-      The <code class="option">-N</code> option sets the number of dots that have to be
-      in <em class="parameter"><code>name</code></em> for it to be considered
-      absolute.  The
-      default value is that defined using the ndots statement in
-      <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
-      statement is
-      present.  Names with fewer dots are interpreted as relative names and
-      will be searched for in the domains listed in the <span class="type">search</span>
-      or <span class="type">domain</span> directive in
-      <code class="filename">/etc/resolv.conf</code>.
-    </p>
-<p>
-      The number of UDP retries for a lookup can be changed with the
-      <code class="option">-R</code> option.  <em class="parameter"><code>number</code></em>
-      indicates
-      how many times <span><strong class="command">host</strong></span> will repeat a query
-      that does
-      not get answered.  The default number of retries is 1.  If
-      <em class="parameter"><code>number</code></em> is negative or zero, the
-      number of
-      retries will default to 1.
-    </p>
-<p>
-      Non-recursive queries can be made via the <code class="option">-r</code> option.
-      Setting this option clears the <span class="type">RD</span> &#8212; recursion
-      desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
-      This should mean that the name server receiving the query will not
-      attempt to resolve <em class="parameter"><code>name</code></em>.  The
-      <code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
-      to mimic
-      the behavior of a name server by making non-recursive queries and
-      expecting to receive answers to those queries that are usually
-      referrals to other name servers.
-    </p>
-<p>
-      By default, <span><strong class="command">host</strong></span> uses UDP when making
-      queries.  The
-      <code class="option">-T</code> option makes it use a TCP connection when querying
-      the name server.  TCP will be automatically selected for queries that
-      require it, such as zone transfer (AXFR) requests.
-    </p>
-<p>
-      The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
-      use IPv4 query transport.  The <code class="option">-6</code> option forces
-      <span><strong class="command">host</strong></span> to only use IPv6 query transport.
-    </p>
-<p>
-      The <code class="option">-t</code> option is used to select the query type.
-      <em class="parameter"><code>type</code></em> can be any recognized query
-      type: CNAME,
-      NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
-      <span><strong class="command">host</strong></span> automatically selects an appropriate
-      query
-      type.  By default, it looks for A, AAAA, and MX records, but if the
-      <code class="option">-C</code> option was given, queries will be made for SOA
-      records, and if <em class="parameter"><code>name</code></em> is a
-      dotted-decimal IPv4
-      address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
-      query for PTR records.  If a query type of IXFR is chosen the starting
-      serial number can be specified by appending an equal followed by the
-      starting serial number (e.g. -t IXFR=12345678).
-    </p>
-<p>
-      The time to wait for a reply can be controlled through the
-      <code class="option">-W</code> and <code class="option">-w</code> options.  The
-      <code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
-      wait for
-      <em class="parameter"><code>wait</code></em> seconds.  If <em class="parameter"><code>wait</code></em>
-      is less than one, the wait interval is set to one second.  When the
-      <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
-      will
-      effectively wait forever for a reply.  The time to wait for a response
-      will be set to the number of seconds given by the hardware's maximum
-      value for an integer quantity.
-    </p>
-<p>
-      The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span> 
-      <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
-      if any server responds with a SERVFAIL response, which is the
-      reverse of normal stub resolver behavior.
-    </p>
-<p>
-      The <code class="option">-m</code> can be used to set the memory usage debugging
-      flags
-      <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
-      <em class="parameter"><code>trace</code></em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2613034"></a><h2>IDN SUPPORT</h2>
-<p>
-      If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
-      domain name) support, it can accept and display non-ASCII domain names. 
-      <span><strong class="command">host</strong></span> appropriately converts character encoding of
-      domain name before sending a request to DNS server or displaying a
-      reply from the server.
-      If you'd like to turn off the IDN support for some reason, defines
-      the <code class="envar">IDN_DISABLE</code> environment variable.
-      The IDN support is disabled if the variable is set when
-      <span><strong class="command">host</strong></span> runs.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2613131"></a><h2>FILES</h2>
-<p><code class="filename">/etc/resolv.conf</code>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2613145"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dig.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">dig </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-checkds</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.isc-hmac-fixup.html b/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
deleted file mode 100644
index 5b35c38..0000000
--- a/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
+++ /dev/null
@@ -1,122 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>isc-hmac-fixup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.genrandom.html" title="genrandom">
-<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659345"></a><h2>DESCRIPTION</h2>
-<p>
-      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
-      HMAC-SHA* TSIG keys which were longer than the digest length of the
-      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
-      longer than 256 bits, etc) to be used incorrectly, generating a
-      message authentication code that was incompatible with other DNS
-      implementations.
-    </p>
-<p>
-      This bug has been fixed in BIND 9.7.  However, the fix may
-      cause incompatibility between older and newer versions of
-      BIND, when using long keys.  <span><strong class="command">isc-hmac-fixup</strong></span>
-      modifies those keys to restore compatibility.
-    </p>
-<p>
-      To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
-      specify the key's algorithm and secret on the command line.  If the
-      secret is longer than the digest length of the algorithm (64 bytes
-      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
-      new secret will be generated consisting of a hash digest of the old
-      secret.  (If the secret did not require conversion, then it will be
-      printed without modification.)
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659372"></a><h2>SECURITY CONSIDERATIONS</h2>
-<p>
-      Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
-      are shortened, but as this is how the HMAC protocol works in
-      operation anyway, it does not affect security.  RFC 2104 notes,
-      "Keys longer than [the digest length] are acceptable but the
-      extra length would not significantly increase the function
-      strength."
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659388"></a><h2>SEE ALSO</h2>
-<p>
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 2104</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659405"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">genrandom</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.named-checkconf.html b/contrib/bind9/doc/arm/man.named-checkconf.html
deleted file mode 100644
index d120cb4..0000000
--- a/contrib/bind9/doc/arm/man.named-checkconf.html
+++ /dev/null
@@ -1,151 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify">
-<link rel="next" href="man.named-checkzone.html" title="named-checkzone">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named-checkconf</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.named-checkconf"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2628740"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">named-checkconf</strong></span>
-      checks the syntax, but not the semantics, of a
-      <span><strong class="command">named</strong></span> configuration file.  The file is parsed
-      and checked for syntax errors, along with all files included by it.
-      If no file is specified, <code class="filename">/etc/named.conf</code> is read
-      by default.
-    </p>
-<p>
-      Note: files that <span><strong class="command">named</strong></span> reads in separate
-      parser contexts, such as <code class="filename">rndc.key</code> and
-      <code class="filename">bind.keys</code>, are not automatically read
-      by <span><strong class="command">named-checkconf</strong></span>.  Configuration
-      errors in these files may cause <span><strong class="command">named</strong></span> to
-      fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
-      successful.  <span><strong class="command">named-checkconf</strong></span> can be run
-      on these files explicitly, however.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2628810"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Print the usage summary and exit.
-          </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Chroot to <code class="filename">directory</code> so that include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted named.
-          </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-            Print the version of the <span><strong class="command">named-checkconf</strong></span>
-            program and exit.
-          </p></dd>
-<dt><span class="term">-p</span></dt>
-<dd><p>
-	    Print out the <code class="filename">named.conf</code> and included files
-	    in canonical form if no errors were detected.
-          </p></dd>
-<dt><span class="term">-z</span></dt>
-<dd><p>
-	    Perform a test load of all master zones found in
-	    <code class="filename">named.conf</code>.
-          </p></dd>
-<dt><span class="term">-j</span></dt>
-<dd><p>
-            When loading a zonefile read the journal if it exists.
-          </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
-            The name of the configuration file to be checked.  If not
-            specified, it defaults to <code class="filename">/etc/named.conf</code>.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2634474"></a><h2>RETURN VALUES</h2>
-<p><span><strong class="command">named-checkconf</strong></span>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2634488"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2634518"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">dnssec-verify</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">named-checkzone</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.named-checkzone.html b/contrib/bind9/doc/arm/man.named-checkzone.html
deleted file mode 100644
index b828f19..0000000
--- a/contrib/bind9/doc/arm/man.named-checkzone.html
+++ /dev/null
@@ -1,331 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.named-checkconf.html" title="named-checkconf">
-<link rel="next" href="man.named.html" title="named">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named-checkzone</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.named-checkzone"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
-<div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2641051"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">named-checkzone</strong></span>
-      checks the syntax and integrity of a zone file.  It performs the
-      same checks as <span><strong class="command">named</strong></span> does when loading a
-      zone.  This makes <span><strong class="command">named-checkzone</strong></span> useful for
-      checking zone files before configuring them into a name server.
-    </p>
-<p>
-        <span><strong class="command">named-compilezone</strong></span> is similar to
-	<span><strong class="command">named-checkzone</strong></span>, but it always dumps the
-        zone contents to a specified file in a specified format.
-	Additionally, it applies stricter check levels by default,
-        since the dump output will be used as an actual zone file
-	loaded by <span><strong class="command">named</strong></span>.
-	When manually specified otherwise, the check levels must at
-        least be as strict as those specified in the
-	<span><strong class="command">named</strong></span> configuration file.
-     </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2678170"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-d</span></dt>
-<dd><p>
-            Enable debugging.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Print the usage summary and exit.
-          </p></dd>
-<dt><span class="term">-q</span></dt>
-<dd><p>
-            Quiet mode - exit code only.
-          </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-            Print the version of the <span><strong class="command">named-checkzone</strong></span>
-            program and exit.
-          </p></dd>
-<dt><span class="term">-j</span></dt>
-<dd><p>
-            When loading the zone file read the journal if it exists.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
-            Specify the class of the zone.  If not specified, "IN" is assumed.
-          </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
-<dd>
-<p>
-	      Perform post-load zone integrity checks.  Possible modes are
-	      <span><strong class="command">"full"</strong></span> (default),
-	      <span><strong class="command">"full-sibling"</strong></span>,
-	      <span><strong class="command">"local"</strong></span>,
-	      <span><strong class="command">"local-sibling"</strong></span> and
-	      <span><strong class="command">"none"</strong></span>.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"full"</strong></span> checks that MX records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
-	      checks MX records which refer to in-zone hostnames.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"full"</strong></span> checks that SRV records
-	      refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
-	      checks SRV records which refer to in-zone hostnames.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
-	      records refer to A or AAAA record (both in-zone and out-of-zone
-	      hostnames).  It also checks that glue address records
-	      in the zone match those advertised by the child.
-	      Mode <span><strong class="command">"local"</strong></span> only checks NS records which
-	      refer to in-zone hostnames or that some required glue exists,
-	      that is when the nameserver is in a child zone.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"full-sibling"</strong></span> and
-	      <span><strong class="command">"local-sibling"</strong></span> disable sibling glue
-	      checks but are otherwise the same as <span><strong class="command">"full"</strong></span>
-	      and <span><strong class="command">"local"</strong></span> respectively.
-	  </p>
-<p>
-	      Mode <span><strong class="command">"none"</strong></span> disables the checks.
-	  </p>
-</dd>
-<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
-<dd><p>
-	    Specify the format of the zone file.
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    and <span><strong class="command">"raw"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
-<dd>
-<p>
-	    Specify the format of the output file specified.
-	    For <span><strong class="command">named-checkzone</strong></span>,
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	  </p>
-<p>
-	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
-	    and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
-            which store the zone in a binary format for rapid loading
-            by <span><strong class="command">named</strong></span>.  <span><strong class="command">"raw=N"</strong></span>
-            specifies the format version of the raw zone file: if N
-            is 0, the raw file can be read by any version of
-            <span><strong class="command">named</strong></span>; if N is 1, the file can be read
-            by release 9.9.0 or higher.  The default is 1.
-	  </p>
-</dd>
-<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Perform <span><strong class="command">"check-names"</strong></span> checks with the
-	    specified failure mode.
-            Possible modes are <span><strong class="command">"fail"</strong></span>
-	    (default for <span><strong class="command">named-compilezone</strong></span>),
-            <span><strong class="command">"warn"</strong></span>
-	    (default for <span><strong class="command">named-checkzone</strong></span>) and
-            <span><strong class="command">"ignore"</strong></span>.
-          </p></dd>
-<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
-<dd><p>
-            When compiling a zone to 'raw' format, set the "source serial" 
-            value in the header to the specified serial number.  (This is
-            expected to be used primarily for testing purposes.)
-          </p></dd>
-<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Specify whether MX records should be checked to see if they
-            are addresses.  Possible modes are <span><strong class="command">"fail"</strong></span>,
-            <span><strong class="command">"warn"</strong></span> (default) and
-            <span><strong class="command">"ignore"</strong></span>.
-          </p></dd>
-<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-	    Check if a MX record refers to a CNAME.
-            Possible modes are <span><strong class="command">"fail"</strong></span>,
-            <span><strong class="command">"warn"</strong></span> (default) and
-            <span><strong class="command">"ignore"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Specify whether NS records should be checked to see if they
-            are addresses.
-	    Possible modes are <span><strong class="command">"fail"</strong></span>
-	    (default for <span><strong class="command">named-compilezone</strong></span>),
-            <span><strong class="command">"warn"</strong></span>
-	    (default for <span><strong class="command">named-checkzone</strong></span>) and
-            <span><strong class="command">"ignore"</strong></span>.
-          </p></dd>
-<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
-<dd><p>
-            Write zone output to <code class="filename">filename</code>.
-	    If <code class="filename">filename</code> is <code class="filename">-</code> then
-	    write to standard out.
-	    This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
-          </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Check for records that are treated as different by DNSSEC but
-	    are semantically equal in plain DNS.  
-            Possible modes are <span><strong class="command">"fail"</strong></span>,
-            <span><strong class="command">"warn"</strong></span> (default) and
-            <span><strong class="command">"ignore"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
-<dd><p>
-	    Specify the style of the dumped zone file.
-	    Possible styles are <span><strong class="command">"full"</strong></span> (default)
-	    and <span><strong class="command">"relative"</strong></span>.
-	    The full format is most suitable for processing
-	    automatically by a separate script.
-	    On the other hand, the relative format is more
-	    human-readable and is thus suitable for editing by hand.
-	    For <span><strong class="command">named-checkzone</strong></span>
-	    this does not cause any effects unless it dumps the zone
-	    contents.
-	    It also does not have any meaning if the output format
-	    is not text.
-	  </p></dd>
-<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-	    Check if a SRV record refers to a CNAME.
-            Possible modes are <span><strong class="command">"fail"</strong></span>,
-            <span><strong class="command">"warn"</strong></span> (default) and
-            <span><strong class="command">"ignore"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            Chroot to <code class="filename">directory</code> so that
-            include
-            directives in the configuration file are processed as if
-            run by a similarly chrooted named.
-          </p></dd>
-<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-	    Check if Sender Policy Framework records (TXT and SPF)
-	    both exist or both don't exist.  A warning is issued
-	    if they don't match.  Possible modes are
-	    <span><strong class="command">"warn"</strong></span> (default), <span><strong class="command">"ignore"</strong></span>.
-	  </p></dd>
-<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
-            chdir to <code class="filename">directory</code> so that
-            relative
-            filenames in master file $INCLUDE directives work.  This
-            is similar to the directory clause in
-            <code class="filename">named.conf</code>.
-          </p></dd>
-<dt><span class="term">-D</span></dt>
-<dd><p>
-            Dump zone file in canonical format.
-	    This is always enabled for <span><strong class="command">named-compilezone</strong></span>.
-          </p></dd>
-<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
-            Specify whether to check for non-terminal wildcards.
-            Non-terminal wildcards are almost always the result of a
-            failure to understand the wildcard matching algorithm (RFC 1034).
-            Possible modes are <span><strong class="command">"warn"</strong></span> (default)
-            and
-            <span><strong class="command">"ignore"</strong></span>.
-          </p></dd>
-<dt><span class="term">zonename</span></dt>
-<dd><p>
-            The domain name of the zone being checked.
-          </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
-            The name of the zone file.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2679079"></a><h2>RETURN VALUES</h2>
-<p><span><strong class="command">named-checkzone</strong></span>
-      returns an exit status of 1 if
-      errors were detected and 0 otherwise.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2679093"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
-      <em class="citetitle">RFC 1035</em>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2679126"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named-checkconf</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">named</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.named-journalprint.html b/contrib/bind9/doc/arm/man.named-journalprint.html
deleted file mode 100644
index 5c1f3db..0000000
--- a/contrib/bind9/doc/arm/man.named-journalprint.html
+++ /dev/null
@@ -1,112 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-journalprint</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.named.html" title="named">
-<link rel="next" href="man.nsupdate.html" title="nsupdate">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named-journalprint</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.named-journalprint"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-journalprint</span> &#8212; print zone journal in human-readable form</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-journalprint</code>  {<em class="replaceable"><code>journal</code></em>}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2616467"></a><h2>DESCRIPTION</h2>
-<p>
-      <span><strong class="command">named-journalprint</strong></span>
-      prints the contents of a zone journal file in a human-readable
-      form. 
-    </p>
-<p>
-      Journal files are automatically created by <span><strong class="command">named</strong></span> 
-      when changes are made to dynamic zones (e.g., by
-      <span><strong class="command">nsupdate</strong></span>).  They record each addition
-      or deletion of a resource record, in binary format, allowing the
-      changes to be re-applied to the zone when the server is
-      restarted after a shutdown or crash.  By default, the name of
-      the journal file is formed by appending the extension
-      <code class="filename">.jnl</code> to the name of the corresponding
-      zone file.
-    </p>
-<p>
-      <span><strong class="command">named-journalprint</strong></span> converts the contents of a given
-      journal file into a human-readable text format.  Each line begins
-      with "add" or "del", to indicate whether the record was added or
-      deleted, and continues with the resource record in master-file
-      format.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2616513"></a><h2>SEE ALSO</h2>
-<p>
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2643372"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">nsupdate</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.named.html b/contrib/bind9/doc/arm/man.named.html
deleted file mode 100644
index 02d6135..0000000
--- a/contrib/bind9/doc/arm/man.named.html
+++ /dev/null
@@ -1,348 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
-<link rel="next" href="man.named-journalprint.html" title="named-journalprint">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">named</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.named"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named</span> &#8212; Internet domain name server</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2641300"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">named</strong></span>
-      is a Domain Name System (DNS) server,
-      part of the BIND 9 distribution from ISC.  For more
-      information on the DNS, see RFCs 1033, 1034, and 1035.
-    </p>
-<p>
-      When invoked without arguments, <span><strong class="command">named</strong></span>
-      will
-      read the default configuration file
-      <code class="filename">/etc/named.conf</code>, read any initial
-      data, and listen for queries.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2641331"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-4</span></dt>
-<dd><p>
-            Use IPv4 only even if the host machine is capable of IPv6.
-            <code class="option">-4</code> and <code class="option">-6</code> are mutually
-            exclusive.
-          </p></dd>
-<dt><span class="term">-6</span></dt>
-<dd><p>
-            Use IPv6 only even if the host machine is capable of IPv4.
-            <code class="option">-4</code> and <code class="option">-6</code> are mutually
-            exclusive.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>config-file</code></em> as the
-            configuration file instead of the default,
-            <code class="filename">/etc/named.conf</code>.  To
-            ensure that reloading the configuration file continues
-            to work after the server has changed its working
-            directory due to to a possible
-            <code class="option">directory</code> option in the configuration
-            file, <em class="replaceable"><code>config-file</code></em> should be
-            an absolute pathname.
-          </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd><p>
-            Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
-            Debugging traces from <span><strong class="command">named</strong></span> become
-            more verbose as the debug level increases.
-          </p></dd>
-<dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
-<dd><p>
-            Use a crypto hardware (OpenSSL engine) for the crypto operations
-            it supports, for instance re-signing with private keys from
-            a secure key store. When compiled with PKCS#11 support
-            <em class="replaceable"><code>engine-name</code></em>
-            defaults to pkcs11, the empty name resets it to no engine.
-          </p></dd>
-<dt><span class="term">-f</span></dt>
-<dd><p>
-            Run the server in the foreground (i.e. do not daemonize).
-          </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
-            Run the server in the foreground and force all logging
-            to <code class="filename">stderr</code>.
-          </p></dd>
-<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
-	    Turn on memory usage debugging flags.  Possible flags are
-	    <em class="replaceable"><code>usage</code></em>,
-	    <em class="replaceable"><code>trace</code></em>,
-	    <em class="replaceable"><code>record</code></em>,
-	    <em class="replaceable"><code>size</code></em>, and
-	    <em class="replaceable"><code>mctx</code></em>.
-	    These correspond to the ISC_MEM_DEBUGXXXX flags described in
-	    <code class="filename">&lt;isc/mem.h&gt;</code>.
-          </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd><p>
-            Create <em class="replaceable"><code>#cpus</code></em> worker threads
-            to take advantage of multiple CPUs.  If not specified,
-            <span><strong class="command">named</strong></span> will try to determine the
-            number of CPUs present and create one thread per CPU.
-            If it is unable to determine the number of CPUs, a
-            single worker thread will be created.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-            Listen for queries on port <em class="replaceable"><code>port</code></em>.  If not
-            specified, the default is port 53.
-          </p></dd>
-<dt><span class="term">-s</span></dt>
-<dd>
-<p>
-            Write memory usage statistics to <code class="filename">stdout</code> on exit.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              This option is mainly of interest to BIND 9 developers
-              and may be removed or changed in a future release.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt>
-<dd>
-<p>
-	    Allow <span><strong class="command">named</strong></span> to use up to
-	    <em class="replaceable"><code>#max-socks</code></em> sockets.
-	  </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-              This option should be unnecessary for the vast majority
-              of users.
-	      The use of this option could even be harmful because the
-              specified value may exceed the limitation of the
-              underlying system API.
-	      It is therefore set only when the default configuration
-              causes exhaustion of file descriptors and the
-              operational environment is known to support the
-              specified number of sockets.
-	      Note also that the actual maximum number is normally a little
-              fewer than the specified value because
-	      <span><strong class="command">named</strong></span> reserves some file descriptors
-	      for its internal use.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-<p>Chroot
-	    to <em class="replaceable"><code>directory</code></em> after
-            processing the command line arguments, but before
-            reading the configuration file.
-          </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-              This option should be used in conjunction with the
-              <code class="option">-u</code> option, as chrooting a process
-              running as root doesn't enhance security on most
-              systems; the way <code class="function">chroot(2)</code> is
-              defined allows a process with root privileges to
-              escape a chroot jail.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-U <em class="replaceable"><code>#listeners</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>#listeners</code></em>
-            worker threads to listen for incoming UDP packets on each
-            address.  If not specified, <span><strong class="command">named</strong></span> will
-            use the number of detected CPUs.  If <code class="option">-n</code>
-            has been set to a higher value than the number of CPUs,
-            then <code class="option">-U</code> may be increased as high as that
-            value, but no higher.
-          </p></dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
-<p>Setuid
-	    to <em class="replaceable"><code>user</code></em> after completing
-            privileged operations, such as creating sockets that
-            listen on privileged ports.
-          </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-              On Linux, <span><strong class="command">named</strong></span> uses the kernel's
-              		capability mechanism to drop all root privileges
-              except the ability to <code class="function">bind(2)</code> to
-              a
-              privileged port and set process resource limits.
-              Unfortunately, this means that the <code class="option">-u</code>
-              option only works when <span><strong class="command">named</strong></span> is
-              run
-              on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
-              later, since previous kernels did not allow privileges
-              to be retained after <code class="function">setuid(2)</code>.
-            </p>
-</div>
-</dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
-            Report the version number and exit.
-          </p></dd>
-<dt><span class="term">-V</span></dt>
-<dd><p>
-            Report the version number and build options, and exit.
-          </p></dd>
-<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
-<dd>
-<p>
-            Load data from <em class="replaceable"><code>cache-file</code></em> into the
-            cache of the default view.
-          </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
-              This option must not be used.  It is only of interest
-              to BIND 9 developers and may be removed or changed in a
-              future release.
-            </p>
-</div>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2679261"></a><h2>SIGNALS</h2>
-<p>
-      In routine operation, signals should not be used to control
-      the nameserver; <span><strong class="command">rndc</strong></span> should be used
-      instead.
-    </p>
-<div class="variablelist"><dl>
-<dt><span class="term">SIGHUP</span></dt>
-<dd><p>
-            Force a reload of the server.
-          </p></dd>
-<dt><span class="term">SIGINT, SIGTERM</span></dt>
-<dd><p>
-            Shut down the server.
-          </p></dd>
-</dl></div>
-<p>
-      The result of sending any other signals to the server is undefined.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2679312"></a><h2>CONFIGURATION</h2>
-<p>
-      The <span><strong class="command">named</strong></span> configuration file is too complex
-      to describe in detail here.  A complete description is provided
-      in the
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-<p>
-      <span><strong class="command">named</strong></span> inherits the <code class="function">umask</code>
-      (file creation mode mask) from the parent process. If files
-      created by <span><strong class="command">named</strong></span>, such as journal files,
-      need to have custom permissions, the <code class="function">umask</code>
-      should be set explicitly in the script used to start the
-      <span><strong class="command">named</strong></span> process.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2679361"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
-<dd><p>
-            The default configuration file.
-          </p></dd>
-<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
-<dd><p>
-            The default process-id file.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2679404"></a><h2>SEE ALSO</h2>
-<p><em class="citetitle">RFC 1033</em>,
-      <em class="citetitle">RFC 1034</em>,
-      <em class="citetitle">RFC 1035</em>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2679475"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named-checkzone</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">named-journalprint</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.nsec3hash.html b/contrib/bind9/doc/arm/man.nsec3hash.html
deleted file mode 100644
index bdba8a6..0000000
--- a/contrib/bind9/doc/arm/man.nsec3hash.html
+++ /dev/null
@@ -1,113 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nsec3hash</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">nsec3hash</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> </td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.nsec3hash"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">nsec3hash</span> &#8212; generate NSEC3 hash</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsec3hash</code>  {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2621016"></a><h2>DESCRIPTION</h2>
-<p>
-      <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
-      a set of NSEC3 parameters.  This can be used to check the validity
-      of NSEC3 records in a signed zone.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659465"></a><h2>ARGUMENTS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">salt</span></dt>
-<dd><p>
-            The salt provided to the hash algorithm.
-          </p></dd>
-<dt><span class="term">algorithm</span></dt>
-<dd><p>
-            A number indicating the hash algorithm.  Currently the
-            only supported hash algorithm for NSEC3 is SHA-1, which is
-            indicated by the number 1; consequently "1" is the only
-            useful value for this argument.
-          </p></dd>
-<dt><span class="term">iterations</span></dt>
-<dd><p>
-            The number of additional times the hash should be performed.
-          </p></dd>
-<dt><span class="term">domain</span></dt>
-<dd><p>
-            The domain name to be hashed.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659527"></a><h2>SEE ALSO</h2>
-<p>
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
-      <em class="citetitle">RFC 5155</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659612"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> </td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">isc-hmac-fixup</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> </td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.nsupdate.html b/contrib/bind9/doc/arm/man.nsupdate.html
deleted file mode 100644
index 6793b42..0000000
--- a/contrib/bind9/doc/arm/man.nsupdate.html
+++ /dev/null
@@ -1,622 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.named-journalprint.html" title="named-journalprint">
-<link rel="next" href="man.rndc.html" title="rndc">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">nsupdate</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.named-journalprint.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.nsupdate"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-l</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2643632"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">nsupdate</strong></span>
-      is used to submit Dynamic DNS Update requests as defined in RFC 2136
-      to a name server.
-      This allows resource records to be added or removed from a zone
-      without manually editing the zone file.
-      A single update request can contain requests to add or remove more than
-      one
-      resource record.
-    </p>
-<p>
-      Zones that are under dynamic control via
-      <span><strong class="command">nsupdate</strong></span>
-      or a DHCP server should not be edited by hand.
-      Manual edits could
-      conflict with dynamic updates and cause data to be lost.
-    </p>
-<p>
-      The resource records that are dynamically added or removed with
-      <span><strong class="command">nsupdate</strong></span>
-      have to be in the same zone.
-      Requests are sent to the zone's master server.
-      This is identified by the MNAME field of the zone's SOA record.
-    </p>
-<p>
-      The
-      <code class="option">-d</code>
-      option makes
-      <span><strong class="command">nsupdate</strong></span>
-      operate in debug mode.
-      This provides tracing information about the update requests that are
-      made and the replies received from the name server.
-    </p>
-<p>
-      The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
-      report additional debugging information to <code class="option">-d</code>.
-    </p>
-<p>
-      The <code class="option">-L</code> option with an integer argument of zero or
-      higher sets the logging debug level.  If zero, logging is disabled.
-    </p>
-<p>
-      Transaction signatures can be used to authenticate the Dynamic
-      DNS updates.  These use the TSIG resource record type described
-      in RFC 2845 or the SIG(0) record described in RFC 2535 and
-      RFC 2931 or GSS-TSIG as described in RFC 3645.  TSIG relies on
-      a shared secret that should only be known to
-      <span><strong class="command">nsupdate</strong></span> and the name server.  Currently,
-      the only supported encryption algorithm for TSIG is HMAC-MD5,
-      which is defined in RFC 2104.  Once other algorithms are
-      defined for TSIG, applications will need to ensure they select
-      the appropriate algorithm as well as the key when authenticating
-      each other.  For instance, suitable <span class="type">key</span> and
-      <span class="type">server</span> statements would be added to
-      <code class="filename">/etc/named.conf</code> so that the name server
-      can associate the appropriate secret key and algorithm with
-      the IP address of the client application that will be using
-      TSIG authentication.  SIG(0) uses public key cryptography.
-      To use a SIG(0) key, the public key must be stored in a KEY
-      record in a zone served by the name server.
-      <span><strong class="command">nsupdate</strong></span> does not read
-      <code class="filename">/etc/named.conf</code>.
-    </p>
-<p>
-      GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
-      is switched on with the <code class="option">-g</code> flag.  A
-      non-standards-compliant variant of GSS-TSIG used by Windows
-      2000 can be switched on with the <code class="option">-o</code> flag.
-    </p>
-<p><span><strong class="command">nsupdate</strong></span>
-      uses the <code class="option">-y</code> or <code class="option">-k</code> option
-      to provide the shared secret needed to generate a TSIG record
-      for authenticating Dynamic DNS update requests, default type
-      HMAC-MD5.  These options are mutually exclusive. 
-    </p>
-<p>
-      When the <code class="option">-y</code> option is used, a signature is
-      generated from
-      [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
-      <em class="parameter"><code>keyname</code></em> is the name of the key, and
-      <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
-      Use of the <code class="option">-y</code> option is discouraged because the
-      shared secret is supplied as a command line argument in clear text.
-      This may be visible in the output from
-      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
-      or in a history file maintained by the user's shell.
-    </p>
-<p>
-      With the
-      <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
-      the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
-      Keyfiles may be in two formats: a single file containing
-      a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
-      statement, which may be generated automatically by
-      <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
-      of the format <code class="filename">K{name}.+157.+{random}.key</code> and
-      <code class="filename">K{name}.+157.+{random}.private</code>, which can be
-      generated by <span><strong class="command">dnssec-keygen</strong></span>.
-      The <code class="option">-k</code> may also be used to specify a SIG(0) key used
-      to authenticate Dynamic DNS update requests.  In this case, the key
-      specified is not an HMAC-MD5 key.
-    </p>
-<p>
-      <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
-      using the <code class="option">-l</code> flag.  This sets the server address to
-      localhost (disabling the <span><strong class="command">server</strong></span> so that the server
-      address cannot be overridden).  Connections to the local server will
-      use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
-      which is automatically generated by <span><strong class="command">named</strong></span> if any
-      local master zone has set <span><strong class="command">update-policy</strong></span> to
-      <span><strong class="command">local</strong></span>.  The location of this key file can be
-      overridden with the <code class="option">-k</code> option.
-    </p>
-<p>
-      By default, <span><strong class="command">nsupdate</strong></span>
-      uses UDP to send update requests to the name server unless they are too
-      large to fit in a UDP request in which case TCP will be used.
-      The
-      <code class="option">-v</code>
-      option makes
-      <span><strong class="command">nsupdate</strong></span>
-      use a TCP connection.
-      This may be preferable when a batch of update requests is made.
-    </p>
-<p>
-      The <code class="option">-p</code> sets the default port number to use for
-      connections to a name server.  The default is 53.
-    </p>
-<p>
-      The <code class="option">-t</code> option sets the maximum time an update request
-      can
-      take before it is aborted.  The default is 300 seconds.  Zero can be
-      used
-      to disable the timeout.
-    </p>
-<p>
-      The <code class="option">-u</code> option sets the UDP retry interval.  The default
-      is
-      3 seconds.  If zero, the interval will be computed from the timeout
-      interval
-      and number of UDP retries.
-    </p>
-<p>
-      The <code class="option">-r</code> option sets the number of UDP retries. The
-      default is
-      3.  If zero, only one update request will be made.
-    </p>
-<p>
-      The <code class="option">-R <em class="replaceable"><code>randomdev</code></em></code> option
-      specifies a source of randomness.  If the operating system
-      does not provide a <code class="filename">/dev/random</code> or
-      equivalent device, the default source of randomness is keyboard
-      input.  <code class="filename">randomdev</code> specifies the name of
-      a character device or file containing random data to be used
-      instead of the default.  The special value
-      <code class="filename">keyboard</code> indicates that keyboard input
-      should be used.  This option may be specified multiple times.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2644170"></a><h2>INPUT FORMAT</h2>
-<p><span><strong class="command">nsupdate</strong></span>
-      reads input from
-      <em class="parameter"><code>filename</code></em>
-      or standard input.
-      Each command is supplied on exactly one line of input.
-      Some commands are for administrative purposes.
-      The others are either update instructions or prerequisite checks on the
-      contents of the zone.
-      These checks set conditions that some name or set of
-      resource records (RRset) either exists or is absent from the zone.
-      These conditions must be met if the entire update request is to succeed.
-      Updates will be rejected if the tests for the prerequisite conditions
-      fail.
-    </p>
-<p>
-      Every update request consists of zero or more prerequisites
-      and zero or more updates.
-      This allows a suitably authenticated update request to proceed if some
-      specified resource records are present or missing from the zone.
-      A blank input line (or the <span><strong class="command">send</strong></span> command)
-      causes the
-      accumulated commands to be sent as one Dynamic DNS update request to the
-      name server.
-    </p>
-<p>
-      The command formats and their meaning are as follows:
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term">
-              <span><strong class="command">server</strong></span>
-               {servername}
-               [port]
-            </span></dt>
-<dd><p>
-              Sends all dynamic update requests to the name server
-              <em class="parameter"><code>servername</code></em>.
-              When no server statement is provided,
-              <span><strong class="command">nsupdate</strong></span>
-              will send updates to the master server of the correct zone.
-              The MNAME field of that zone's SOA record will identify the
-              master
-              server for that zone.
-              <em class="parameter"><code>port</code></em>
-              is the port number on
-              <em class="parameter"><code>servername</code></em>
-              where the dynamic update requests get sent.
-              If no port number is specified, the default DNS port number of
-              53 is
-              used.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">local</strong></span>
-               {address}
-               [port]
-            </span></dt>
-<dd><p>
-              Sends all dynamic update requests using the local
-              <em class="parameter"><code>address</code></em>.
-
-              When no local statement is provided,
-              <span><strong class="command">nsupdate</strong></span>
-              will send updates using an address and port chosen by the
-              system.
-              <em class="parameter"><code>port</code></em>
-              can additionally be used to make requests come from a specific
-              port.
-              If no port number is specified, the system will assign one.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">zone</strong></span>
-               {zonename}
-            </span></dt>
-<dd><p>
-              Specifies that all updates are to be made to the zone
-              <em class="parameter"><code>zonename</code></em>.
-              If no
-              <em class="parameter"><code>zone</code></em>
-              statement is provided,
-              <span><strong class="command">nsupdate</strong></span>
-              will attempt determine the correct zone to update based on the
-              rest of the input.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">class</strong></span>
-               {classname}
-            </span></dt>
-<dd><p>
-              Specify the default class.
-              If no <em class="parameter"><code>class</code></em> is specified, the
-              default class is
-              <em class="parameter"><code>IN</code></em>.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">ttl</strong></span>
-               {seconds}
-            </span></dt>
-<dd><p>
-              Specify the default time to live for records to be added.
-	      The value <em class="parameter"><code>none</code></em> will clear the default
-	      ttl.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">key</strong></span>
-               {name}
-               {secret}
-            </span></dt>
-<dd><p>
-              Specifies that all updates are to be TSIG-signed using the
-              <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.
-              The <span><strong class="command">key</strong></span> command
-              overrides any key specified on the command line via
-              <code class="option">-y</code> or <code class="option">-k</code>.
-            </p></dd>
-<dt><span class="term">
-            <span><strong class="command">gsstsig</strong></span>
-          </span></dt>
-<dd><p>
-	      Use GSS-TSIG to sign the updated.  This is equivalent to
-	      specifying <code class="option">-g</code> on the commandline.
-            </p></dd>
-<dt><span class="term">
-            <span><strong class="command">oldgsstsig</strong></span>
-          </span></dt>
-<dd><p>
-	      Use the Windows 2000 version of GSS-TSIG to sign the updated.
-	      This is equivalent to specifying <code class="option">-o</code> on the
-	      commandline.
-            </p></dd>
-<dt><span class="term">
-            <span><strong class="command">realm</strong></span>
-             {[<span class="optional">realm_name</span>]}
-          </span></dt>
-<dd><p>
-	      When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
-	      than the default realm in <code class="filename">krb5.conf</code>.  If no
-	      realm is specified the saved realm is cleared.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] nxdomain</strong></span>
-               {domain-name}
-            </span></dt>
-<dd><p>
-              Requires that no resource record of any type exists with name
-              <em class="parameter"><code>domain-name</code></em>.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] yxdomain</strong></span>
-               {domain-name}
-            </span></dt>
-<dd><p>
-              Requires that
-              <em class="parameter"><code>domain-name</code></em>
-              exists (has as at least one resource record, of any type).
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] nxrrset</strong></span>
-               {domain-name}
-               [class]
-               {type}
-            </span></dt>
-<dd><p>
-              Requires that no resource record exists of the specified
-              <em class="parameter"><code>type</code></em>,
-              <em class="parameter"><code>class</code></em>
-              and
-              <em class="parameter"><code>domain-name</code></em>.
-              If
-              <em class="parameter"><code>class</code></em>
-              is omitted, IN (internet) is assumed.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
-               {domain-name}
-               [class]
-               {type}
-            </span></dt>
-<dd><p>
-              This requires that a resource record of the specified
-              <em class="parameter"><code>type</code></em>,
-              <em class="parameter"><code>class</code></em>
-              and
-              <em class="parameter"><code>domain-name</code></em>
-              must exist.
-              If
-              <em class="parameter"><code>class</code></em>
-              is omitted, IN (internet) is assumed.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
-               {domain-name}
-               [class]
-               {type}
-               {data...}
-            </span></dt>
-<dd><p>
-              The
-              <em class="parameter"><code>data</code></em>
-              from each set of prerequisites of this form
-              sharing a common
-              <em class="parameter"><code>type</code></em>,
-              <em class="parameter"><code>class</code></em>,
-              and
-              <em class="parameter"><code>domain-name</code></em>
-              are combined to form a set of RRs.  This set of RRs must
-              exactly match the set of RRs existing in the zone at the
-              given
-              <em class="parameter"><code>type</code></em>,
-              <em class="parameter"><code>class</code></em>,
-              and
-              <em class="parameter"><code>domain-name</code></em>.
-              The
-              <em class="parameter"><code>data</code></em>
-              are written in the standard text representation of the resource
-              record's
-              RDATA.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
-               {domain-name}
-               [ttl]
-               [class]
-               [type [data...]]
-            </span></dt>
-<dd><p>
-              Deletes any resource records named
-              <em class="parameter"><code>domain-name</code></em>.
-              If
-              <em class="parameter"><code>type</code></em>
-              and
-              <em class="parameter"><code>data</code></em>
-              is provided, only matching resource records will be removed.
-              The internet class is assumed if
-              <em class="parameter"><code>class</code></em>
-              is not supplied.  The
-              <em class="parameter"><code>ttl</code></em>
-              is ignored, and is only allowed for compatibility.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">[<span class="optional">update</span>] add</strong></span>
-               {domain-name}
-               {ttl}
-               [class]
-               {type}
-               {data...}
-            </span></dt>
-<dd><p>
-              Adds a new resource record with the specified
-              <em class="parameter"><code>ttl</code></em>,
-              <em class="parameter"><code>class</code></em>
-              and
-              <em class="parameter"><code>data</code></em>.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">show</strong></span>
-            </span></dt>
-<dd><p>
-              Displays the current message, containing all of the
-              prerequisites and
-              updates specified since the last send.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">send</strong></span>
-            </span></dt>
-<dd><p>
-              Sends the current message.  This is equivalent to entering a
-              blank line.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">answer</strong></span>
-            </span></dt>
-<dd><p>
-              Displays the answer.
-            </p></dd>
-<dt><span class="term">
-              <span><strong class="command">debug</strong></span>
-            </span></dt>
-<dd><p>
-              Turn on debugging.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-<p>
-      Lines beginning with a semicolon are comments and are ignored.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2681622"></a><h2>EXAMPLES</h2>
-<p>
-      The examples below show how
-      <span><strong class="command">nsupdate</strong></span>
-      could be used to insert and delete resource records from the
-      <span class="type">example.com</span>
-      zone.
-      Notice that the input in each example contains a trailing blank line so
-      that
-      a group of commands are sent as one dynamic update request to the
-      master name server for
-      <span class="type">example.com</span>.
-
-      </p>
-<pre class="programlisting">
-# nsupdate
-&gt; update delete oldhost.example.com A
-&gt; update add newhost.example.com 86400 A 172.16.1.1
-&gt; send
-</pre>
-<p>
-    </p>
-<p>
-      Any A records for
-      <span class="type">oldhost.example.com</span>
-      are deleted.
-      And an A record for
-      <span class="type">newhost.example.com</span>
-      with IP address 172.16.1.1 is added.
-      The newly-added record has a 1 day TTL (86400 seconds).
-      </p>
-<pre class="programlisting">
-# nsupdate
-&gt; prereq nxdomain nickname.example.com
-&gt; update add nickname.example.com 86400 CNAME somehost.example.com
-&gt; send
-</pre>
-<p>
-    </p>
-<p>
-      The prerequisite condition gets the name server to check that there
-      are no resource records of any type for
-      <span class="type">nickname.example.com</span>.
-
-      If there are, the update request fails.
-      If this name does not exist, a CNAME for it is added.
-      This ensures that when the CNAME is added, it cannot conflict with the
-      long-standing rule in RFC 1034 that a name must not exist as any other
-      record type if it exists as a CNAME.
-      (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
-      RRSIG, DNSKEY and NSEC records.)
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2681672"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
-<dd><p>
-            used to identify default name server
-          </p></dd>
-<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
-<dd><p>
-            sets the default TSIG key for use in local-only mode
-          </p></dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
-<dd><p>
-            base-64 encoding of HMAC-MD5 key created by
-            <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-          </p></dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
-<dd><p>
-            base-64 encoding of HMAC-MD5 key created by
-            <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2681755"></a><h2>SEE ALSO</h2>
-<p>
-      <em class="citetitle">RFC 2136</em>,
-      <em class="citetitle">RFC 3007</em>,
-      <em class="citetitle">RFC 2104</em>,
-      <em class="citetitle">RFC 2845</em>,
-      <em class="citetitle">RFC 1034</em>,
-      <em class="citetitle">RFC 2535</em>,
-      <em class="citetitle">RFC 2931</em>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2681813"></a><h2>BUGS</h2>
-<p>
-      The TSIG key is redundantly stored in two separate files.
-      This is a consequence of nsupdate using the DST library
-      for its cryptographic operations, and may change in future
-      releases.
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.named-journalprint.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">named-journalprint</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">rndc</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.rndc-confgen.html b/contrib/bind9/doc/arm/man.rndc-confgen.html
deleted file mode 100644
index 1ad009b..0000000
--- a/contrib/bind9/doc/arm/man.rndc-confgen.html
+++ /dev/null
@@ -1,226 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
-<link rel="next" href="man.ddns-confgen.html" title="ddns-confgen">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">rndc-confgen</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.rndc-confgen"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2657330"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">rndc-confgen</strong></span>
-      generates configuration files
-      for <span><strong class="command">rndc</strong></span>.  It can be used as a
-      convenient alternative to writing the
-      <code class="filename">rndc.conf</code> file
-      and the corresponding <span><strong class="command">controls</strong></span>
-      and <span><strong class="command">key</strong></span>
-      statements in <code class="filename">named.conf</code> by hand.
-      Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
-      option to set up a <code class="filename">rndc.key</code> file and
-      avoid the need for a <code class="filename">rndc.conf</code> file
-      and a <span><strong class="command">controls</strong></span> statement altogether.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2657396"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd>
-<p>
-            Do automatic <span><strong class="command">rndc</strong></span> configuration.
-            This creates a file <code class="filename">rndc.key</code>
-            in <code class="filename">/etc</code> (or whatever
-            <code class="varname">sysconfdir</code>
-            was specified as when <acronym class="acronym">BIND</acronym> was
-            built)
-            that is read by both <span><strong class="command">rndc</strong></span>
-            and <span><strong class="command">named</strong></span> on startup.  The
-            <code class="filename">rndc.key</code> file defines a default
-            command channel and authentication key allowing
-            <span><strong class="command">rndc</strong></span> to communicate with
-            <span><strong class="command">named</strong></span> on the local host
-            with no further configuration.
-          </p>
-<p>
-            Running <span><strong class="command">rndc-confgen -a</strong></span> allows
-            BIND 9 and <span><strong class="command">rndc</strong></span> to be used as
-            drop-in
-            replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
-            with no changes to the existing BIND 8
-            <code class="filename">named.conf</code> file.
-          </p>
-<p>
-            If a more elaborate configuration than that
-            generated by <span><strong class="command">rndc-confgen -a</strong></span>
-            is required, for example if rndc is to be used remotely,
-            you should run <span><strong class="command">rndc-confgen</strong></span> without
-            the
-            <span><strong class="command">-a</strong></span> option and set up a
-            <code class="filename">rndc.conf</code> and
-            <code class="filename">named.conf</code>
-            as directed.
-          </p>
-</dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
-            Specifies the size of the authentication key in bits.
-            Must be between 1 and 512 bits; the default is 128.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd><p>
-            Used with the <span><strong class="command">-a</strong></span> option to specify
-            an alternate location for <code class="filename">rndc.key</code>.
-          </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
-            Prints a short summary of the options and arguments to
-            <span><strong class="command">rndc-confgen</strong></span>.
-          </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd><p>
-            Specifies the key name of the rndc authentication key.
-            This must be a valid domain name.
-            The default is <code class="constant">rndc-key</code>.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-            Specifies the command channel port where <span><strong class="command">named</strong></span>
-            listens for connections from <span><strong class="command">rndc</strong></span>.
-            The default is 953.
-          </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd><p>
-            Specifies a source of random data for generating the
-            authorization.  If the operating
-            system does not provide a <code class="filename">/dev/random</code>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <code class="filename">randomdev</code>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <code class="filename">keyboard</code> indicates that keyboard
-            input should be used.
-          </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
-<dd><p>
-            Specifies the IP address where <span><strong class="command">named</strong></span>
-            listens for command channel connections from
-            <span><strong class="command">rndc</strong></span>.  The default is the loopback
-            address 127.0.0.1.
-          </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
-<dd><p>
-            Used with the <span><strong class="command">-a</strong></span> option to specify
-            a directory where <span><strong class="command">named</strong></span> will run
-            chrooted.  An additional copy of the <code class="filename">rndc.key</code>
-            will be written relative to this directory so that
-            it will be found by the chrooted <span><strong class="command">named</strong></span>.
-          </p></dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd><p>
-            Used with the <span><strong class="command">-a</strong></span> option to set the
-            owner
-            of the <code class="filename">rndc.key</code> file generated.
-            If
-            <span><strong class="command">-t</strong></span> is also specified only the file
-            in
-            the chroot area has its owner changed.
-          </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659147"></a><h2>EXAMPLES</h2>
-<p>
-      To allow <span><strong class="command">rndc</strong></span> to be used with
-      no manual configuration, run
-    </p>
-<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
-    </p>
-<p>
-      To print a sample <code class="filename">rndc.conf</code> file and
-      corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
-      statements to be manually inserted into <code class="filename">named.conf</code>,
-      run
-    </p>
-<p><strong class="userinput"><code>rndc-confgen</code></strong>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659204"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659242"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<code class="filename">rndc.conf</code> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">ddns-confgen</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.rndc.conf.html b/contrib/bind9/doc/arm/man.rndc.conf.html
deleted file mode 100644
index 6b9ea5f..0000000
--- a/contrib/bind9/doc/arm/man.rndc.conf.html
+++ /dev/null
@@ -1,255 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.rndc.html" title="rndc">
-<link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><code class="filename">rndc.conf</code></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.rndc.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.rndc.conf"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2649469"></a><h2>DESCRIPTION</h2>
-<p><code class="filename">rndc.conf</code> is the configuration file
-      for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
-      utility.  This file has a similar structure and syntax to
-      <code class="filename">named.conf</code>.  Statements are enclosed
-      in braces and terminated with a semi-colon.  Clauses in
-      the statements are also semi-colon terminated.  The usual
-      comment styles are supported:
-    </p>
-<p>
-      C style: /* */
-    </p>
-<p>
-      C++ style: // to end of line
-    </p>
-<p>
-      Unix style: # to end of line
-    </p>
-<p><code class="filename">rndc.conf</code> is much simpler than
-      <code class="filename">named.conf</code>.  The file uses three
-      statements: an options statement, a server statement
-      and a key statement.
-    </p>
-<p>
-      The <code class="option">options</code> statement contains five clauses.
-      The <code class="option">default-server</code> clause is followed by the
-      name or address of a name server.  This host will be used when
-      no name server is given as an argument to
-      <span><strong class="command">rndc</strong></span>.  The <code class="option">default-key</code>
-      clause is followed by the name of a key which is identified by
-      a <code class="option">key</code> statement.  If no
-      <code class="option">keyid</code> is provided on the rndc command line,
-      and no <code class="option">key</code> clause is found in a matching
-      <code class="option">server</code> statement, this default key will be
-      used to authenticate the server's commands and responses.  The
-      <code class="option">default-port</code> clause is followed by the port
-      to connect to on the remote name server.  If no
-      <code class="option">port</code> option is provided on the rndc command
-      line, and no <code class="option">port</code> clause is found in a
-      matching <code class="option">server</code> statement, this default port
-      will be used to connect.
-      The <code class="option">default-source-address</code> and
-      <code class="option">default-source-address-v6</code> clauses which
-      can be used to set the IPv4 and IPv6 source addresses
-      respectively.
-    </p>
-<p>
-      After the <code class="option">server</code> keyword, the server
-      statement includes a string which is the hostname or address
-      for a name server.  The statement has three possible clauses:
-      <code class="option">key</code>, <code class="option">port</code> and
-      <code class="option">addresses</code>. The key name must match the
-      name of a key statement in the file.  The port number
-      specifies the port to connect to.  If an <code class="option">addresses</code>
-      clause is supplied these addresses will be used instead of
-      the server name.  Each address can take an optional port.
-      If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
-      of supplied then these will be used to specify the IPv4 and IPv6
-      source addresses respectively.
-    </p>
-<p>
-      The <code class="option">key</code> statement begins with an identifying
-      string, the name of the key.  The statement has two clauses.
-      <code class="option">algorithm</code> identifies the encryption algorithm
-      for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5
-      is
-      supported.  This is followed by a secret clause which contains
-      the base-64 encoding of the algorithm's encryption key.  The
-      base-64 string is enclosed in double quotes.
-    </p>
-<p>
-      There are two common ways to generate the base-64 string for the
-      secret.  The BIND 9 program <span><strong class="command">rndc-confgen</strong></span>
-      can
-      be used to generate a random key, or the
-      <span><strong class="command">mmencode</strong></span> program, also known as
-      <span><strong class="command">mimencode</strong></span>, can be used to generate a
-      base-64
-      string from known input.  <span><strong class="command">mmencode</strong></span> does
-      not
-      ship with BIND 9 but is available on many systems.  See the
-      EXAMPLE section for sample command lines for each.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2650392"></a><h2>EXAMPLE</h2>
-<pre class="programlisting">
-      options {
-        default-server  localhost;
-        default-key     samplekey;
-      };
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-      server localhost {
-        key             samplekey;
-      };
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-      server testserver {
-        key		testkey;
-        addresses	{ localhost port 5353; };
-      };
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-      key samplekey {
-        algorithm       hmac-md5;
-        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
-      };
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-      key testkey {
-        algorithm	hmac-md5;
-        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
-      };
-    </pre>
-<p>
-    </p>
-<p>
-      In the above example, <span><strong class="command">rndc</strong></span> will by
-      default use
-      the server at localhost (127.0.0.1) and the key called samplekey.
-      Commands to the localhost server will use the samplekey key, which
-      must also be defined in the server's configuration file with the
-      same name and secret.  The key statement indicates that samplekey
-      uses the HMAC-MD5 algorithm and its secret clause contains the
-      base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
-    </p>
-<p>
-      If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will
-      connect to server on localhost port 5353 using the key testkey.
-    </p>
-<p>
-      To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
-    </p>
-<p><strong class="userinput"><code>rndc-confgen</code></strong>
-    </p>
-<p>
-      A complete <code class="filename">rndc.conf</code> file, including
-      the
-      randomly generated key, will be written to the standard
-      output.  Commented-out <code class="option">key</code> and
-      <code class="option">controls</code> statements for
-      <code class="filename">named.conf</code> are also printed.
-    </p>
-<p>
-      To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
-    </p>
-<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2650514"></a><h2>NAME SERVER CONFIGURATION</h2>
-<p>
-      The name server must be configured to accept rndc connections and
-      to recognize the key specified in the <code class="filename">rndc.conf</code>
-      file, using the controls statement in <code class="filename">named.conf</code>.
-      See the sections on the <code class="option">controls</code> statement in the
-      BIND 9 Administrator Reference Manual for details.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2654704"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2654742"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.rndc.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">rndc</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">rndc-confgen</span>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/man.rndc.html b/contrib/bind9/doc/arm/man.rndc.html
deleted file mode 100644
index 059f726..0000000
--- a/contrib/bind9/doc/arm/man.rndc.html
+++ /dev/null
@@ -1,203 +0,0 @@
-<!--
- - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.nsupdate.html" title="nsupdate">
-<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
-<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="refentry" lang="en">
-<a name="man.rndc"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">rndc</span> &#8212; name server control utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2644796"></a><h2>DESCRIPTION</h2>
-<p><span><strong class="command">rndc</strong></span>
-      controls the operation of a name
-      server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
-      that was provided in old BIND releases.  If
-      <span><strong class="command">rndc</strong></span> is invoked with no command line
-      options or arguments, it prints a short summary of the
-      supported commands and the available options and their
-      arguments.
-    </p>
-<p><span><strong class="command">rndc</strong></span>
-      communicates with the name server
-      over a TCP connection, sending commands authenticated with
-      digital signatures.  In the current versions of
-      <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
-      the only supported authentication algorithm is HMAC-MD5,
-      which uses a shared secret on each end of the connection.
-      This provides TSIG-style authentication for the command
-      request and the name server's response.  All commands sent
-      over the channel must be signed by a key_id known to the
-      server.
-    </p>
-<p><span><strong class="command">rndc</strong></span>
-      reads a configuration file to
-      determine how to contact the name server and decide what
-      algorithm and key it should use.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2644846"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>source-address</code></em>
-            as the source address for the connection to the server.
-            Multiple instances are permitted to allow setting of both
-            the IPv4 and IPv6 source addresses.
-          </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>config-file</code></em>
-            as the configuration file instead of the default,
-            <code class="filename">/etc/rndc.conf</code>.
-          </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
-<dd><p>
-            Use <em class="replaceable"><code>key-file</code></em>
-            as the key file instead of the default,
-            <code class="filename">/etc/rndc.key</code>.  The key in
-            <code class="filename">/etc/rndc.key</code> will be used to
-            authenticate
-            commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
-            does not exist.
-          </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
-<dd><p><em class="replaceable"><code>server</code></em> is
-            the name or address of the server which matches a
-            server statement in the configuration file for
-            <span><strong class="command">rndc</strong></span>.  If no server is supplied on the
-            command line, the host named by the default-server clause
-            in the options statement of the <span><strong class="command">rndc</strong></span>
-	    configuration file will be used.
-          </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
-            Send commands to TCP port
-            <em class="replaceable"><code>port</code></em>
-            instead
-            of BIND 9's default control channel port, 953.
-          </p></dd>
-<dt><span class="term">-V</span></dt>
-<dd><p>
-            Enable verbose logging.
-          </p></dd>
-<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
-<dd><p>
-            Use the key <em class="replaceable"><code>key_id</code></em>
-            from the configuration file.
-            <em class="replaceable"><code>key_id</code></em>
-            must be
-            known by named with the same algorithm and secret string
-            in order for control message validation to succeed.
-            If no <em class="replaceable"><code>key_id</code></em>
-            is specified, <span><strong class="command">rndc</strong></span> will first look
-            for a key clause in the server statement of the server
-            being used, or if no server statement is present for that
-            host, then the default-key clause of the options statement.
-            Note that the configuration file contains shared secrets
-            which are used to send authenticated control commands
-            to name servers.  It should therefore not have general read
-            or write access.
-          </p></dd>
-</dl></div>
-<p>
-      For the complete set of commands supported by <span><strong class="command">rndc</strong></span>,
-      see the BIND 9 Administrator Reference Manual or run
-      <span><strong class="command">rndc</strong></span> without arguments to see its help
-      message.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2646710"></a><h2>LIMITATIONS</h2>
-<p><span><strong class="command">rndc</strong></span>
-      does not yet support all the commands of
-      the BIND 8 <span><strong class="command">ndc</strong></span> utility.
-    </p>
-<p>
-      There is currently no way to provide the shared secret for a
-      <code class="option">key_id</code> without using the configuration file.
-    </p>
-<p>
-      Several error messages could be clearer.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2646741"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
-      <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
-      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2654647"></a><h2>AUTHOR</h2>
-<p><span class="corpauthor">Internet Systems Consortium</span>
-    </p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
-<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">
-<span class="application">nsupdate</span> </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <code class="filename">rndc.conf</code>
-</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/managed-keys.xml b/contrib/bind9/doc/arm/managed-keys.xml
deleted file mode 100644
index 5194948..0000000
--- a/contrib/bind9/doc/arm/managed-keys.xml
+++ /dev/null
@@ -1,100 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!--
- - Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: managed-keys.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ -->
-
-<sect1 id="rfc5011.support">
-  <title>Dynamic Trust Anchor Management</title>
-  <para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
-  anchor management. Using this feature allows 
-  <command>named</command> to keep track of changes to critical
-  DNSSEC keys without any need for the operator to make changes to
-  configuration files.</para>
-  <sect2>
-    <title>Validating Resolver</title>
-    <!-- TODO: command tag is overloaded for configuration and executables -->
-    <para>To configure a validating resolver to use RFC 5011 to
-    maintain a trust anchor, configure the trust anchor using a 
-    <command>managed-keys</command> statement. Information about
-    this can be found in 
-    <xref linkend="managed-keys" />.</para>
-    <!-- TODO: managed-keys examples
-also in DNSSEC section above here in ARM -->
-  </sect2>
-  <sect2>
-    <title>Authoritative Server</title>
-    <para>To set up an authoritative zone for RFC 5011 trust anchor
-    maintenance, generate two (or more) key signing keys (KSKs) for
-    the zone. Sign the zone with one of them; this is the "active"
-    KSK. All KSK's which do not sign the zone are "stand-by"
-    keys.</para>
-    <para>Any validating resolver which is configured to use the
-    active KSK as an RFC 5011-managed trust anchor will take note
-    of the stand-by KSKs in the zone's DNSKEY RRset, and store them
-    for future reference. The resolver will recheck the zone
-    periodically, and after 30 days, if the new key is still there,
-    then the key will be accepted by the resolver as a valid trust
-    anchor for the zone. Any time after this 30-day acceptance
-    timer has completed, the active KSK can be revoked, and the
-    zone can be "rolled over" to the newly accepted key.</para>
-    <para>The easiest way to place a stand-by key in a zone is to
-    use the "smart signing" features of 
-    <command>dnssec-keygen</command> and 
-    <command>dnssec-signzone</command>. If a key with a publication
-    date in the past, but an activation date which is unset or in
-    the future, " 
-    <command>dnssec-signzone -S</command>" will include the DNSKEY
-    record in the zone, but will not sign with it:</para>
-    <screen>
-$ <userinput>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</userinput>
-$ <userinput>dnssec-signzone -S -K keys example.net</userinput>
-</screen>
-    <para>To revoke a key, the new command 
-    <command>dnssec-revoke</command> has been added. This adds the
-    REVOKED bit to the key flags and re-generates the 
-    <filename>K*.key</filename> and 
-    <filename>K*.private</filename> files.</para>
-    <para>After revoking the active key, the zone must be signed
-    with both the revoked KSK and the new active KSK. (Smart
-    signing takes care of this automatically.)</para>
-    <para>Once a key has been revoked and used to sign the DNSKEY
-    RRset in which it appears, that key will never again be
-    accepted as a valid trust anchor by the resolver. However,
-    validation can proceed using the new active key (which had been
-    accepted by the resolver when it was a stand-by key).</para>
-    <para>See RFC 5011 for more details on key rollover
-    scenarios.</para>
-    <para>When a key has been revoked, its key ID changes,
-    increasing by 128, and wrapping around at 65535. So, for
-    example, the key "<filename>Kexample.com.+005+10000</filename>" becomes
-    "<filename>Kexample.com.+005+10128</filename>".</para>
-    <para>If two keys have ID's exactly 128 apart, and one is
-    revoked, then the two key ID's will collide, causing several
-    problems. To prevent this, 
-    <command>dnssec-keygen</command> will not generate a new key if
-    another key is present which may collide. This checking will
-    only occur if the new keys are written to the same directory
-    which holds all other keys in use for that zone.</para>
-    <para>Older versions of BIND 9 did not have this precaution.
-    Exercise caution if using key revocation on keys that were
-    generated by previous releases, or if using keys stored in
-    multiple directories or on multiple machines.</para>
-    <para>It is expected that a future release of BIND 9 will
-    address this problem in a different way, by storing revoked
-    keys with their original unrevoked key ID's.</para>
-  </sect2>
-</sect1>
diff --git a/contrib/bind9/doc/arm/pkcs11.xml b/contrib/bind9/doc/arm/pkcs11.xml
deleted file mode 100644
index 8a0062f..0000000
--- a/contrib/bind9/doc/arm/pkcs11.xml
+++ /dev/null
@@ -1,443 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-               [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: pkcs11.xml,v 1.7 2012/01/16 22:50:12 each Exp $ -->
-
-<sect1 id="pkcs11">
-  <title>PKCS #11 (Cryptoki) support</title>
-  <para>PKCS #11 (Public Key Cryptography Standard #11) defines a
-  platform- independent API for the control of hardware security
-  modules (HSMs) and other cryptographic support devices.</para>
-  <para>BIND 9 is known to work with two HSMs: The Sun SCA 6000
-  cryptographic acceleration board, tested under Solaris x86, and
-  the AEP Keyper network-attached key storage device, tested with
-  Debian Linux, Solaris x86 and Windows Server 2003.</para>
-  <sect2>
-    <title>Prerequisites</title>
-    <para>See the HSM vendor documentation for information about
-    installing, initializing, testing and troubleshooting the
-    HSM.</para>
-    <para>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
-    does not yet fully support PKCS #11. However, a PKCS #11 engine
-    for OpenSSL is available from the OpenSolaris project. It has
-    been modified by ISC to work with with BIND 9, and to provide
-    new features such as PIN management and key by
-    reference.</para>
-    <para>The patched OpenSSL depends on a "PKCS #11 provider".
-    This is a shared library object, providing a low-level PKCS #11
-    interface to the HSM hardware. It is dynamically loaded by
-    OpenSSL at runtime. The PKCS #11 provider comes from the HSM
-    vendor, and is specific to the HSM to be controlled.</para>
-    <para>There are two "flavors" of PKCS #11 support provided by
-    the patched OpenSSL, one of which must be chosen at
-    configuration time. The correct choice depends on the HSM
-    hardware:</para>
-    <itemizedlist>
-      <listitem>
-        <para>Use 'crypto-accelerator' with HSMs that have hardware
-        cryptographic acceleration features, such as the SCA 6000
-        board. This causes OpenSSL to run all supported
-        cryptographic operations in the HSM.</para>
-      </listitem>
-      <listitem>
-        <para>Use 'sign-only' with HSMs that are designed to
-        function primarily as secure key storage devices, but lack
-        hardware acceleration. These devices are highly secure, but
-        are not necessarily any faster at cryptography than the
-        system CPU &mdash; often, they are slower. It is therefore
-        most efficient to use them only for those cryptographic
-        functions that require access to the secured private key,
-        such as zone signing, and to use the system CPU for all
-        other computationally-intensive operations. The AEP Keyper
-        is an example of such a device.</para>
-      </listitem>
-    </itemizedlist>
-    <para>The modified OpenSSL code is included in the BIND 9 release,
-        in the form of a context diff against the latest verions of
-        OpenSSL.  OpenSSL 0.9.8 and 1.0.0 are both supported; there are
-        separate diffs for each version.  In the examples to follow,
-        we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0.
-    </para>
-    <note>
-      The latest OpenSSL versions at the time of the BIND release
-      are 0.9.8s and 1.0.0f.
-      ISC will provide an updated patch as new versions of OpenSSL
-      are released. The version number in the following examples
-      is expected to change.</note>
-    <para>
-    Before building BIND 9 with PKCS #11 support, it will be
-    necessary to build OpenSSL with this patch in place and inform
-    it of the path to the HSM-specific PKCS #11 provider
-    library.</para>
-    <para>Obtain OpenSSL 0.9.8s:</para>
-    <screen>
-$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8s.tar.gz</ulink></userinput>
-</screen>
-    <para>Extract the tarball:</para>
-    <screen>
-$ <userinput>tar zxf openssl-0.9.8s.tar.gz</userinput>
-</screen>
-    <para>Apply the patch from the BIND 9 release:</para>
-    <screen>
-$ <userinput>patch -p1 -d openssl-0.9.8s \
-            &lt; bind9/bin/pkcs11/openssl-0.9.8s-patch</userinput>
-</screen>
-    <note>(Note that the patch file may not be compatible with the
-    "patch" utility on all operating systems. You may need to
-    install GNU patch.)</note>
-    <para>When building OpenSSL, place it in a non-standard
-    location so that it does not interfere with OpenSSL libraries
-    elsewhere on the system. In the following examples, we choose
-    to install into "/opt/pkcs11/usr". We will use this location
-    when we configure BIND 9.</para>
-    <sect3>
-      <!-- Example 1 -->
-      <title>Building OpenSSL for the AEP Keyper on Linux</title>
-      <para>The AEP Keyper is a highly secure key storage device,
-      but does not provide hardware cryptographic acceleration. It
-      can carry out cryptographic operations, but it is probably
-      slower than your system's CPU. Therefore, we choose the
-      'sign-only' flavor when building OpenSSL.</para>
-      <para>The Keyper-specific PKCS #11 provider library is
-      delivered with the Keyper software. In this example, we place
-      it /opt/pkcs11/usr/lib:</para>
-      <screen>
-$ <userinput>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</userinput>
-</screen>
-      <para>This library is only available for Linux as a 32-bit
-      binary. If we are compiling on a 64-bit Linux system, it is
-      necessary to force a 32-bit build, by specifying -m32 in the
-      build options.</para>
-      <para>Finally, the Keyper library requires threads, so we
-      must specify -pthread.</para>
-      <screen>
-$ <userinput>cd openssl-0.9.8s</userinput>
-$ <userinput>./Configure linux-generic32 -m32 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
-            --pk11-flavor=sign-only \
-            --prefix=/opt/pkcs11/usr</userinput>
-</screen>
-      <para>After configuring, run "<command>make</command>"
-      and "<command>make test</command>". If "<command>make
-      test</command>" fails with "pthread_atfork() not found", you forgot to
-      add the -pthread above.</para>
-    </sect3>
-    <sect3>
-      <!-- Example 2 -->
-      <title>Building OpenSSL for the SCA 6000 on Solaris</title>
-      <para>The SCA-6000 PKCS #11 provider is installed as a system
-      library, libpkcs11. It is a true crypto accelerator, up to 4
-      times faster than any CPU, so the flavor shall be
-      'crypto-accelerator'.</para>
-      <para>In this example, we are building on Solaris x86 on an
-      AMD64 system.</para>
-      <screen>
-$ <userinput>cd openssl-0.9.8s</userinput>
-$ <userinput>./Configure solaris64-x86_64-cc \
-            --pk11-libname=/usr/lib/64/libpkcs11.so \
-            --pk11-flavor=crypto-accelerator \
-            --prefix=/opt/pkcs11/usr</userinput>
-</screen>
-      <para>(For a 32-bit build, use "solaris-x86-cc" and
-      /usr/lib/libpkcs11.so.)</para>
-      <para>After configuring, run 
-      <command>make</command> and 
-      <command>make test</command>.</para>
-    </sect3>
-    <sect3>
-      <!-- Example 3 -->
-      <title>Building OpenSSL for SoftHSM</title>
-      <para>SoftHSM is a software library provided by the OpenDNSSEC
-      project (http://www.opendnssec.org) which provides a PKCS#11
-      interface to a virtual HSM, implemented in the form of encrypted
-      data on the local filesystem.  It uses the Botan library for
-      encryption and SQLite3 for data storage.  Though less secure
-      than a true HSM, it can provide more secure key storage than
-      traditional key files, and can allow you to experiment with
-      PKCS#11 when an HSM is not available.</para>
-      <para>The SoftHSM cryptographic store must be installed and
-      initialized before using it with OpenSSL, and the SOFTHSM_CONF
-      environment variable must always point to the SoftHSM configuration
-      file:</para>
-      <screen>
-$ <userinput> cd softhsm-1.3.0 </userinput>
-$ <userinput> configure --prefix=/opt/pkcs11/usr </userinput>
-$ <userinput> make </userinput>
-$ <userinput> make install </userinput>
-$ <userinput> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </userinput>
-$ <userinput> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </userinput>
-$ <userinput> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </userinput>
-</screen>
-      <para>SoftHSM can perform all cryptographic operations, but
-      since it only uses your system CPU, there is no need to use it
-      for anything but signing.  Therefore, we choose the 'sign-only'
-      flavor when building OpenSSL.</para>
-      <screen>
-$ <userinput>cd openssl-0.9.8s</userinput>
-$ <userinput>./Configure linux-x86_64 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
-            --pk11-flavor=sign-only \
-            --prefix=/opt/pkcs11/usr</userinput>
-</screen>
-      <para>After configuring, run "<command>make</command>"
-      and "<command>make test</command>".</para>
-    </sect3>
-    <para>Once you have built OpenSSL, run
-    "<command>apps/openssl engine pkcs11</command>" to confirm
-    that PKCS #11 support was compiled in correctly. The output
-    should be one of the following lines, depending on the flavor
-    selected:</para>
-    <screen>
-        (pkcs11) PKCS #11 engine support (sign only)
-</screen>
-    <para>Or:</para>
-    <screen>
-        (pkcs11) PKCS #11 engine support (crypto accelerator)
-</screen>
-    <para>Next, run
-    "<command>apps/openssl engine pkcs11 -t</command>". This will
-    attempt to initialize the PKCS #11 engine. If it is able to
-    do so successfully, it will report
-    <quote><literal>[ available ]</literal></quote>.</para>
-    <para>If the output is correct, run
-    "<command>make install</command>" which will install the
-    modified OpenSSL suite to 
-    <filename>/opt/pkcs11/usr</filename>.</para>
-  </sect2>
-  <sect2>
-    <title>Building BIND 9 with PKCS#11</title>
-    <para>When building BIND 9, the location of the custom-built
-    OpenSSL library must be specified via configure.</para>
-    <sect3>
-      <!-- Example 4 -->
-      <title>Configuring BIND 9 for Linux with the AEP Keyper</title>
-      <para>To link with the PKCS #11 provider, threads must be
-      enabled in the BIND 9 build.</para>
-      <para>The PKCS #11 library for the AEP Keyper is currently
-      only available as a 32-bit binary. If we are building on a
-      64-bit host, we must force a 32-bit build by adding "-m32" to
-      the CC options on the "configure" command line.</para>
-      <screen>
-$ <userinput>cd ../bind9</userinput>
-$ <userinput>./configure CC="gcc -m32" --enable-threads \
-           --with-openssl=/opt/pkcs11/usr \
-           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput>
-</screen>
-    </sect3>
-    <sect3>
-      <!-- Example 5 -->
-      <title>Configuring BIND 9 for Solaris with the SCA 6000</title>
-      <para>To link with the PKCS #11 provider, threads must be
-      enabled in the BIND 9 build.</para>
-      <screen>
-$ <userinput>cd ../bind9</userinput>
-$ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \
-            --with-openssl=/opt/pkcs11/usr \
-            --with-pkcs11=/usr/lib/64/libpkcs11.so</userinput>
-</screen>
-      <para>(For a 32-bit build, omit CC="cc -xarch=amd64".)</para>
-      <para>If configure complains about OpenSSL not working, you
-      may have a 32/64-bit architecture mismatch. Or, you may have
-      incorrectly specified the path to OpenSSL (it should be the
-      same as the --prefix argument to the OpenSSL
-      Configure).</para>
-    </sect3>
-    <sect3>
-      <!-- Example 6 -->
-      <title>Configuring BIND 9 for SoftHSM</title>
-      <screen>
-$ <userinput>cd ../bind9</userinput>
-$ <userinput>./configure --enable-threads \
-           --with-openssl=/opt/pkcs11/usr \
-           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput>
-</screen>
-    </sect3>
-    <para>After configuring, run
-    "<command>make</command>",
-    "<command>make test</command>" and
-    "<command>make install</command>".</para>
-    <para>(Note: If "make test" fails in the "pkcs11" system test, you may
-    have forgotten to set the SOFTHSM_CONF environment variable.)</para>
-  </sect2>
-  <sect2>
-    <title>PKCS #11 Tools</title>
-    <para>BIND 9 includes a minimal set of tools to operate the
-    HSM, including 
-    <command>pkcs11-keygen</command> to generate a new key pair
-    within the HSM, 
-    <command>pkcs11-list</command> to list objects currently
-    available, and 
-    <command>pkcs11-destroy</command> to remove objects.</para>
-    <para>In UNIX/Linux builds, these tools are built only if BIND
-    9 is configured with the --with-pkcs11 option. (NOTE: If
-    --with-pkcs11 is set to "yes", rather than to the path of the
-    PKCS #11 provider, then the tools will be built but the
-    provider will be left undefined. Use the -m option or the
-    PKCS11_PROVIDER environment variable to specify the path to the
-    provider.)</para>
-  </sect2>
-  <sect2>
-    <title>Using the HSM</title>
-    <para>First, we must set up the runtime environment so the
-    OpenSSL and PKCS #11 libraries can be loaded:</para>
-    <screen>
-$ <userinput>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</userinput>
-</screen>
-    <para>When operating an AEP Keyper, it is also necessary to
-    specify the location of the "machine" file, which stores
-    information about the Keyper for use by PKCS #11 provider
-    library. If the machine file is in 
-    <filename>/opt/Keyper/PKCS11Provider/machine</filename>,
-    use:</para>
-    <screen>
-$ <userinput>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</userinput>
-</screen>
-    <!-- TODO: why not defined at compile time? -->
-    <para>These environment variables must be set whenever running
-    any tool that uses the HSM, including 
-    <command>pkcs11-keygen</command>, 
-    <command>pkcs11-list</command>, 
-    <command>pkcs11-destroy</command>, 
-    <command>dnssec-keyfromlabel</command>, 
-    <command>dnssec-signzone</command>, 
-    <command>dnssec-keygen</command>(which will use the HSM for
-    random number generation), and 
-    <command>named</command>.</para>
-    <para>We can now create and use keys in the HSM. In this case,
-    we will create a 2048 bit key and give it the label
-    "sample-ksk":</para>
-    <screen>
-$ <userinput>pkcs11-keygen -b 2048 -l sample-ksk</userinput>
-</screen>
-    <para>To confirm that the key exists:</para>
-    <screen>
-$ <userinput>pkcs11-list</userinput>
-Enter PIN:
-object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
-object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
-</screen>
-    <para>Before using this key to sign a zone, we must create a
-    pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
-    does this. In this case, we will be using the HSM key
-    "sample-ksk" as the key-signing key for "example.net":</para>
-    <screen>
-$ <userinput>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</userinput>
-</screen>
-    <para>The resulting K*.key and K*.private files can now be used
-    to sign the zone. Unlike normal K* files, which contain both
-    public and private key data, these files will contain only the
-    public key data, plus an identifier for the private key which
-    remains stored within the HSM. The HSM handles signing with the
-    private key.</para>
-    <para>If you wish to generate a second key in the HSM for use
-    as a zone-signing key, follow the same procedure above, using a
-    different keylabel, a smaller key size, and omitting "-f KSK"
-    from the dnssec-keyfromlabel arguments:</para>
-    <screen>
-$ <userinput>pkcs11-keygen -b 1024 -l sample-zsk</userinput>
-$ <userinput>dnssec-keyfromlabel -l sample-zsk example.net</userinput>
-</screen>
-    <para>Alternatively, you may prefer to generate a conventional
-    on-disk key, using dnssec-keygen:</para>
-    <screen>
-$ <userinput>dnssec-keygen example.net</userinput>
-</screen>
-    <para>This provides less security than an HSM key, but since
-    HSMs can be slow or cumbersome to use for security reasons, it
-    may be more efficient to reserve HSM keys for use in the less
-    frequent key-signing operation. The zone-signing key can be
-    rolled more frequently, if you wish, to compensate for a
-    reduction in key security.</para>
-    <para>Now you can sign the zone. (Note: If not using the -S
-    option to 
-    <command>dnssec-signzone</command>, it will be necessary to add
-    the contents of both 
-    <filename>K*.key</filename> files to the zone master file before
-    signing it.)</para>
-    <screen>
-$ <userinput>dnssec-signzone -S example.net</userinput>
-Enter PIN:
-Verifying the zone using the following algorithms:
-NSEC3RSASHA1.
-Zone signing complete:
-Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
-example.net.signed
-</screen>
-  </sect2>
-  <sect2>
-    <title>Specifying the engine on the command line</title>
-    <para>The OpenSSL engine can be specified in 
-    <command>named</command> and all of the BIND 
-    <command>dnssec-*</command> tools by using the "-E
-    &lt;engine&gt;" command line option. If BIND 9 is built with
-    the --with-pkcs11 option, this option defaults to "pkcs11".
-    Specifying the engine will generally not be necessary unless
-    for some reason you wish to use a different OpenSSL
-    engine.</para>
-    <para>If you wish to disable use of the "pkcs11" engine &mdash;
-    for troubleshooting purposes, or because the HSM is unavailable
-    &mdash; set the engine to the empty string. For example:</para>
-    <screen>
-$ <userinput>dnssec-signzone -E '' -S example.net</userinput>
-</screen>
-    <para>This causes 
-    <command>dnssec-signzone</command> to run as if it were compiled
-    without the --with-pkcs11 option.</para>
-  </sect2>
-  <sect2>
-    <title>Running named with automatic zone re-signing</title>
-    <para>If you want 
-    <command>named</command> to dynamically re-sign zones using HSM
-    keys, and/or to to sign new records inserted via nsupdate, then
-    named must have access to the HSM PIN. This can be accomplished
-    by placing the PIN into the openssl.cnf file (in the above
-    examples, 
-    <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).</para>
-    <para>The location of the openssl.cnf file can be overridden by
-    setting the OPENSSL_CONF environment variable before running
-    named.</para>
-    <para>Sample openssl.cnf:</para>
-    <programlisting>
-        openssl_conf = openssl_def
-        [ openssl_def ]
-        engines = engine_section
-        [ engine_section ]
-        pkcs11 = pkcs11_section
-        [ pkcs11_section ]
-        PIN = <replaceable>&lt;PLACE PIN HERE&gt;</replaceable>
-</programlisting>
-    <para>This will also allow the dnssec-* tools to access the HSM
-    without PIN entry. (The pkcs11-* tools access the HSM directly,
-    not via OpenSSL, so a PIN will still be required to use
-    them.)</para>
-<!-- 
-If the PIN is not known, I believe the first time named needs the
-PIN to open a key, it'll ask you to type in the PIN, which will be
-a problem because it probably won't be running on a terminal
--->
-    <warning>
-      <para>Placing the HSM's PIN in a text file in
-      this manner may reduce the security advantage of using an
-      HSM. Be sure this is what you want to do before configuring
-      OpenSSL in this way.</para>
-    </warning>
-  </sect2>
-  <!-- TODO: what is alternative then for named dynamic re-signing? -->
-  <!-- TODO: what happens if PIN is not known? named will log about it? -->
-</sect1>
diff --git a/contrib/bind9/doc/misc/Makefile.in b/contrib/bind9/doc/misc/Makefile.in
deleted file mode 100644
index 0ddd14d..0000000
--- a/contrib/bind9/doc/misc/Makefile.in
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.9 2009/07/10 23:47:58 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_MAKE_RULES@
-
-PERL = @PERL@
-
-MANOBJS = options
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f options
-
-# Do not make options depend on ../../bin/tests/cfg_test, doing so
-# will cause excessively clever versions of make to attempt to build
-# that program right here, right now, if it is missing, which will
-# cause make doc to bomb.
-
-CFG_TEST = ../../bin/tests/cfg_test
-
-options: FORCE
-	if test -x ${CFG_TEST} ; \
-	then \
-		${CFG_TEST} --named --grammar > $@.raw ; \
-		${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \
-		${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \
-		mv -f $@.new $@ ; \
-		rm -f $@.raw $@.sorted ; \
-	else \
-		rm -f $@.new $@.raw $@.sorted ; \
-	fi
diff --git a/contrib/bind9/doc/misc/dnssec b/contrib/bind9/doc/misc/dnssec
deleted file mode 100644
index 4451e6c..0000000
--- a/contrib/bind9/doc/misc/dnssec
+++ /dev/null
@@ -1,84 +0,0 @@
-Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000-2002  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-DNSSEC Release Notes
-
-This document summarizes the state of the DNSSEC implementation in
-this release of BIND9.
-
-
-OpenSSL Library Required
-
-To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
-the OpenSSL library.  As of BIND 9.2, the library is no longer
-included in the distribution - it must be provided by the operating
-system or installed separately.
-
-To build BIND 9 with OpenSSL, use "configure --with-openssl".  If
-the OpenSSL library is installed in a nonstandard location, you can
-specify a path as in "configure --with-openssl=/var".
-
-
-Key Generation and Signing
-
-The tools for generating DNSSEC keys and signatures are now in the
-bin/dnssec directory.  Documentation for these programs can be found
-in doc/arm/Bv9ARM.4.html and the man pages.
-
-The random data used in generating DNSSEC keys and signatures comes
-from either /dev/random (if the OS supports it) or keyboard input.
-Alternatively, a device or file containing entropy/random data can be
-specified.
-
-
-Serving Secure Zones
-
-When acting as an authoritative name server, BIND9 includes KEY, SIG
-and NXT records in responses as specified in RFC2535 when the request
-has the DO flag set in the query.
-
-
-Secure Resolution
-
-Basic support for validation of DNSSEC signatures in responses has
-been implemented but should still be considered experimental.
-
-When acting as a caching name server, BIND9 is capable of performing
-basic DNSSEC validation of positive as well as nonexistence responses.
-This functionality is enabled by including a "trusted-keys" clause
-in the configuration file, containing the top-level zone key of the
-the DNSSEC tree.
-
-Validation of wildcard responses is not currently supported.  In
-particular, a "name does not exist" response will validate
-successfully even if it does not contain the NXT records to prove the
-nonexistence of a matching wildcard.
-
-Proof of insecure status for insecure zones delegated from secure
-zones works when the zones are completely insecure.  Privately
-secured zones delegated from secure zones will not work in all cases,
-such as when the privately secured zone is served by the same server
-as an ancestor (but not parent) zone.
-
-Handling of the CD bit in queries is now fully implemented.  Validation
-is not attempted for recursive queries if CD is set.
-
-
-Secure Dynamic Update
-
-Dynamic update of secure zones has been implemented, but may not be
-complete.  Affected NXT and SIG records are updated by the server when
-an update occurs.  Advanced access control is possible using the
-"update-policy" statement in the zone definition.
-
-
-Secure Zone Transfers
-
-BIND 9 does not implement the zone transfer security mechanisms of
-RFC2535 section 5.6, and we have no plans to implement them in the
-future as we consider them inferior to the use of TSIG or SIG(0) to
-ensure the integrity of zone transfers.
-
-
-$Id: dnssec,v 1.19 2004/03/05 05:04:53 marka Exp $
diff --git a/contrib/bind9/doc/misc/format-options.pl b/contrib/bind9/doc/misc/format-options.pl
deleted file mode 100644
index c405ee2..0000000
--- a/contrib/bind9/doc/misc/format-options.pl
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/perl
-#
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: format-options.pl,v 1.5 2007/09/24 04:21:59 marka Exp $
-
-print <<END;
-
-This is a summary of the named.conf options supported by 
-this version of BIND 9.
-
-END
-
-# Break long lines
-while (<>) {
-	chomp;
-	s/\t/        /g;
-	my $line = $_;
-	m!^( *)!;
-	my $indent = $1;
-	my $comment = "";
-	if ( $line =~ m!//.*! ) {
-		$comment = $&;
-		$line =~ s!//.*!!;
-	}
-	my $start = "";
-	while (length($line) >= 79 - length($comment)) {
-		$_ = $line;
-		# this makes sure that the comment has something in front of it
-		$len = 75 - length($comment);
-		m!^(.{0,$len}) (.*)$!;
-		$start = $start.$1."\n";
-		$line = $indent."    ".$2;
-	}
-	print $start.$line.$comment."\n";
-}
diff --git a/contrib/bind9/doc/misc/ipv6 b/contrib/bind9/doc/misc/ipv6
deleted file mode 100644
index 4060bc3..0000000
--- a/contrib/bind9/doc/misc/ipv6
+++ /dev/null
@@ -1,113 +0,0 @@
-Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-Currently, there are multiple interesting problems with ipv6
-implementations on various platforms.  These problems range from not
-being able to use ipv6 with bind9 (or in particular the ISC socket
-library, contained in libisc) to listen-on lists not being respected,
-to strange warnings but seemingly correct behavior of named.
-
-COMPILE-TIME ISSUES
--------------------
-
-The socket library requires a certain level of support from the
-operating system.  In particular, it must follow the advanced ipv6
-socket API to be usable.  The systems which do not follow this will
-currently not get any warnings or errors, but ipv6 will simply not
-function on them.
-
-These systems currently include, but are not limited to:
-
-	AIX 3.4 (with ipv6 patches)
-
-
-RUN-TIME ISSUES
----------------
-
-In the original drafts of the ipv6 RFC documents, binding an ipv6
-socket to the ipv6 wildcard address would also cause the socket to
-accept ipv4 connections and datagrams.  When an ipv4 packet is
-received on these systems, it is mapped into an ipv6 address.  For
-example, 1.2.3.4 would be mapped into ::ffff:1.2.3.4.  The intent of
-this mapping was to make transition from an ipv4-only application into
-ipv6 easier, by only requiring one socket to be open on a given port.
-
-Later, it was discovered that this was generally a bad idea.  For one,
-many firewalls will block connection to 1.2.3.4, but will let through
-::ffff:1.2.3.4.  This, of course, is bad.  Also, access control lists
-written to accept only ipv4 addresses were suddenly ignored unless
-they were rewritten to handle the ipv6 mapped addresses as well.
-
-Partly because of these problems, the latest IPv6 API introduces an
-explicit knob (the "IPV6_V6ONLY" socket option ) to turn off the ipv6
-mapped address usage.
-
-In bind9, we first check if both the advanced API and the IPV6_V6ONLY
-socket option are available.  If both of them are available, bind9
-named will bind to the ipv6 wildcard port for both TCP and UDP.
-Otherwise named will make a warning and try to bind to all available
-ipv6 addresses separately.
-
-In any case, bind9 named binds to specific addresses for ipv4 sockets.
-
-The followings are historical notes when we always bound to the ipv6
-wildcard port regardless of the availability of the API support.
-These problems should not happen with the closer checks above.
-
-
-IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail
----------------------------------------------------------------
-
-The only OS which seems to do this is (some kernel versions of) linux.
-If an ipv6 socket is bound to the ipv6 wildcard socket, and a specific
-ipv4 socket is later bound (say, to 1.2.3.4 port 53) the ipv4 binding
-will fail.
-
-What this means to bind9 is that the application will log warnings
-about being unable to bind to a socket because the address is already
-in use.  Since the ipv6 socket will accept ipv4 packets and map them,
-however, the ipv4 addresses continue to function.
-
-The effect is that the config file listen-on directive will not be
-respected on these systems.
-
-
-IPV6 Sockets Accept IPV4, Specific IPV4 Address Bindings Succeed
-----------------------------------------------------------------
-
-In this case, the system allows opening an ipv6 wildcard address
-socket and then binding to a more specific ipv4 address later.  An
-example of this type of system is Digital Unix with ipv6 patches
-applied.
-
-What this means to bind9 is that the application will respect
-listen-on in regards to ipv4 sockets, but it will use mapped ipv6
-addresses for any that do not match the listen-on list.  This, in
-effect, makes listen-on useless for these machines as well.
-
-
-IPV6 Sockets Do Not Accept IPV4
--------------------------------
-
-On these systems, opening an IPV6 socket does not implicitly open any
-ipv4 sockets.  An example of these systems are NetBSD-current with the
-latest KAME patch, and other systems which use the latest KAME patches
-as their ipv6 implementation.
-
-On these systems, listen-on is fully functional, as the ipv6 socket
-only accepts ipv6 packets, and the ipv4 sockets will handle the ipv4
-packets.
-
-
-RELEVANT RFCs
--------------
-
-3513:  Internet Protocol Version 6 (IPv6) Addressing Architecture
-
-3493:  Basic Socket Interface Extensions for IPv6
-
-3542:  Advanced Sockets Application Program Interface (API) for IPv6
-
-
-$Id: ipv6,v 1.9 2004/08/10 04:27:51 jinmei Exp $
diff --git a/contrib/bind9/doc/misc/migration b/contrib/bind9/doc/misc/migration
deleted file mode 100644
index 21856bf..0000000
--- a/contrib/bind9/doc/misc/migration
+++ /dev/null
@@ -1,267 +0,0 @@
-Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-                   BIND 8 to BIND 9 Migration Notes
-
-BIND 9 is designed to be mostly upwards compatible with BIND 8, but
-there is still a number of caveats you should be aware of when
-upgrading an existing BIND 8 installation to use BIND 9.
-
-
-1. Configuration File Compatibility
-
-1.1. Unimplemented Options and Changed Defaults
-
-BIND 9 supports most, but not all of the named.conf options of BIND 8.
-For a complete list of implemented options, see doc/misc/options.
-
-If your named.conf file uses an unimplemented option, named will log a
-warning message.  A message is also logged about each option whose
-default has changed unless the option is set explicitly in named.conf.
-
-The default of the "transfer-format" option has changed from
-"one-answer" to "many-answers".  If you have slave servers that do not
-understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
-older) you need to explicitly specify "transfer-format one-answer;" in
-either the options block or a server statement.
-
-BIND 9.4 onwards implements "allow-query-cache".  The "allow-query"
-option is no longer used to specify access to the cache.  The
-"allow-query" option continues to specify which hosts are allowed
-to ask ordinary DNS questions.  The new "allow-query-cache" option
-is used to specify which hosts are allowed to get answers from the
-cache. Since BIND 9.4.1, if "allow-query-cache" is not set then
-"allow-recursion" is used if it is set, otherwise "allow-query" is
-used if it is set, otherwise the default localnets and localhost
-is used.
-
-1.2. Handling of Configuration File Errors
-
-In BIND 9, named refuses to start if it detects an error in
-named.conf.  Earlier versions would start despite errors, causing the
-server to run with a partial configuration.  Errors detected during
-subsequent reloads do not cause the server to exit.
-
-Errors in master files do not cause the server to exit, but they
-do cause the zone not to load.
-
-1.3. Logging
-
-The set of logging categories in BIND 9 is different from that
-in BIND 8.  If you have customised your logging on a per-category
-basis, you need to modify your logging statement to use the
-new categories.
-
-Another difference is that the "logging" statement only takes effect
-after the entire named.conf file has been read.  This means that when
-the server starts up, any messages about errors in the configuration
-file are always logged to the default destination (syslog) when the
-server first starts up, regardless of the contents of the "logging"
-statement.  In BIND 8, the new logging configuration took effect
-immediately after the "logging" statement was read.
-
-1.4. Notify messages and Refresh queries
-
-The source address and port for these is now controlled by
-"notify-source" and "transfer-source", respectively, rather that
-query-source as in BIND 8.
-
-1.5. Multiple Classes.
-
-Multiple classes have to be put into explicit views for each class.
-
-
-2. Zone File Compatibility
-
-2.1. Strict RFC1035 Interpretation of TTLs in Zone Files
-
-BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
-omitted TTLs in zone files.  Omitted TTLs are replaced by the value
-specified with the $TTL directive, or by the previous explicit TTL if
-there is no $TTL directive.
-
-If there is no $TTL directive and the first RR in the file does not
-have an explicit TTL field, the zone file is illegal according to
-RFC1035 since the TTL of the first RR is undefined.  Unfortunately,
-BIND 4 and many versions of BIND 8 accept such files without warning
-and use the value of the SOA MINTTL field as a default for missing TTL
-values.
-
-BIND 9.0 and 9.1 completely refused to load such files.  BIND 9.2
-emulates the nonstandard BIND 4/8 SOA MINTTL behaviour and loads the
-files anyway (provided the SOA is the first record in the file), but
-will issue the warning message "no TTL specified; using SOA MINTTL
-instead".
-
-To avoid problems, we recommend that you use a $TTL directive in each
-zone file.
-
-2.2. Periods in SOA Serial Numbers Deprecated
-
-Some versions of BIND allow SOA serial numbers with an embedded
-period, like "3.002", and convert them into integers in a rather
-unintuitive way.  This feature is not supported by BIND 9; serial
-numbers must be integers.
-
-2.3. Handling of Unbalanced Quotes
-
-TXT records with unbalanced quotes, like 'host TXT "foo', were not
-treated as errors in some versions of BIND.  If your zone files
-contain such records, you will get potentially confusing error
-messages like "unexpected end of file" because BIND 9 will interpret
-everything up to the next quote character as a literal string.
-
-2.4. Handling of Line Breaks
-
-Some versions of BIND accept RRs containing line breaks that are not
-properly quoted with parentheses, like the following SOA:
-
-	@	IN SOA	ns.example. hostmaster.example.
-			( 1 3600 1800 1814400 3600 )
-
-This is not legal master file syntax and will be treated as an error
-by BIND 9.  The fix is to move the opening parenthesis to the first
-line.
-
-2.5. Unimplemented BIND 8 Extensions
-
-$GENERATE: The "$$" construct for getting a literal $ into a domain
-name is deprecated.  Use \$ instead.
-
-2.6. TXT records are no longer automatically split.
-
-Some versions of BIND accepted strings in TXT RDATA consisting of more
-than 255 characters and silently split them to be able to encode the
-strings in a protocol conformant way. You may now see errors like this
-        dns_rdata_fromtext: local.db:119: ran out of space
-if you have TXT RRs with too longs strings. Make sure to split the
-string in the zone data file at or before a single one reaches 255
-characters.
-
-3. Interoperability Impact of New Protocol Features
-
-3.1. EDNS0
-
-BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size.  It
-also sets DO EDNS flag bit in queries to indicate that it wishes to
-receive DNSSEC responses.
-
-Most older servers that do not support EDNS0, including prior versions
-of BIND, will send a FORMERR or NOTIMP response to these queries.
-When this happens, BIND 9 will automatically retry the query without
-EDNS0.
-
-Unfortunately, there exists at least one non-BIND name server
-implementation that silently ignores these queries instead of sending
-an error response.  Resolving names in zones where all or most
-authoritative servers use this server will be very slow or fail
-completely.  We have contacted the manufacturer of the name server in
-case, and they are working on a solution.
-
-When BIND 9 communicates with a server that does support EDNS0, such as
-another BIND 9 server, responses of up to 4096 bytes may be
-transmitted as a single UDP datagram which is subject to fragmentation
-at the IP level.  If a firewall incorrectly drops IP fragments, it can
-cause resolution to slow down dramatically or fail.
-
-3.2. Zone Transfers
-
-Outgoing zone transfers now use the "many-answers" format by default.
-This format is not understood by certain old versions of BIND 4.  
-You can work around this problem using the option "transfer-format
-one-answer;", but since these old versions all have known security
-problems, the correct fix is to upgrade the slave servers.
-
-Zone transfers to Windows 2000 DNS servers sometimes fail due to a
-bug in the Windows 2000 DNS server where DNS messages larger than
-16K are not handled properly.  Obtain the latest service pack for
-Windows 2000 from Microsoft to address this issue.  In the meantime,
-the problem can be worked around by setting "transfer-format one-answer;".
-http://support.microsoft.com/default.aspx?scid=kb;en-us;297936
-
-4. Unrestricted Character Set
-
-		BIND 9.2 only
-
-BIND 9 does not restrict the character set of domain names - it is
-fully 8-bit clean in accordance with RFC2181 section 11.
-
-It is strongly recommended that hostnames published in the DNS follow
-the RFC952 rules, but BIND 9 will not enforce this restriction.
-
-Historically, some applications have suffered from security flaws
-where data originating from the network, such as names returned by
-gethostbyaddr(), are used with insufficient checking and may cause a
-breach of security when containing unexpected characters; see
-<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
-for details.  Some earlier versions of BIND attempt to protect these
-flawed applications from attack by discarding data containing
-characters deemed inappropriate in host names or mail addresses, under
-the control of the "check-names" option in named.conf and/or "options
-no-check-names" in resolv.conf.  BIND 9 provides no such protection;
-if applications with these flaws are still being used, they should
-be upgraded.
-
-	BIND 9.3 onwards implements check-names.
-
-5. Server Administration Tools
-
-5.1 Ndc Replaced by Rndc
-
-The "ndc" program has been replaced by "rndc", which is capable of
-remote operation.  Unlike ndc, rndc requires a configuration file.
-The easiest way to generate a configuration file is to run
-"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8),
-and rndc.conf(5) for details.
-
-5.2. Nsupdate Differences
-
-The BIND 8 implementation of nsupdate had an undocumented feature
-where an update request would be broken down into multiple requests
-based upon the discovered zones that contained the records.  This
-behaviour has not been implemented in BIND 9.  Each update request
-must pertain to a single zone, but it is still possible to do multiple
-updates in a single invocation of nsupdate by terminating each update
-with an empty line or a "send" command.
-
-
-6. No Information Leakage between Zones
-
-BIND 9 stores the authoritative data for each zone in a separate data
-structure, as recommended in RFC1035 and as required by DNSSEC and
-IXFR.  When a BIND 9 server is authoritative for both a child zone and
-its parent, it will have two distinct sets of NS records at the
-delegation point: the authoritative NS records at the child's apex,
-and a set of glue NS records in the parent.
-
-BIND 8 was unable to properly distinguish between these two sets of NS
-records and would "leak" the child's NS records into the parent,
-effectively causing the parent zone to be silently modified: responses
-and zone transfers from the parent contained the child's NS records
-rather than the glue configured into the parent (if any).  In the case
-of children of type "stub", this behaviour was documented as a feature,
-allowing the glue NS records to be omitted from the parent
-configuration.
-
-Sites that were relying on this BIND 8 behaviour need to add any
-omitted glue NS records, and any necessary glue A records, to the
-parent zone.
-
-Although stub zones can no longer be used as a mechanism for injecting
-NS records into their parent zones, they are still useful as a way of
-directing queries for a given domain to a particular set of name
-servers.
-
-
-7. Umask not Modified
-
-The BIND 8 named unconditionally sets the umask to 022.  BIND 9 does
-not; the umask inherited from the parent process remains in effect.
-This may cause files created by named, such as journal files, to be
-created with different file permissions than they did in BIND 8.  If
-necessary, the umask should be set explicitly in the script used to
-start the named process.
-
-
-$Id: migration,v 1.49 2008/03/18 15:42:53 jreed Exp $
diff --git a/contrib/bind9/doc/misc/migration-4to9 b/contrib/bind9/doc/misc/migration-4to9
deleted file mode 100644
index 008cbed..0000000
--- a/contrib/bind9/doc/misc/migration-4to9
+++ /dev/null
@@ -1,57 +0,0 @@
-Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: migration-4to9,v 1.4 2004/03/05 05:04:53 marka Exp $
-
-		   BIND 4 to BIND 9 Migration Notes
-
-To transition from BIND 4 to BIND 9 you first need to convert your
-configuration file to the new format.  There is a conversion tool in
-contrib/named-bootconf that allows you to do this.
-
-	named-bootconf.sh < /etc/named.boot > /etc/named.conf
-
-BIND 9 uses a system assigned port for the UDP queries it makes rather
-than port 53 that BIND 4 uses.  This may conflict with some firewalls.
-The following directives in /etc/named.conf allows you to specify
-a port to use.
-
-	query-source address * port 53;
-	transfer-source * port 53;
-	notify-source * port 53;
-
-BIND 9 no longer uses the minimum field to specify the TTL of records
-without a explicit TTL.  Use the $TTL directive to specify a default TTL
-before the first record without a explicit TTL.
-
-	$TTL 3600
-	@	IN	SOA	ns1.example.com. hostmaster.example.com. (
-				2001021100
-				7200
-				1200
-				3600000
-				7200 )
-
-BIND 9 does not support multiple CNAMEs with the same owner name.
-	
-	Illegal:
-	www.example.com. CNAME host1.example.com.
-	www.example.com. CNAME host2.example.com.
-
-BIND 9 does not support "CNAMEs with other data" with the same owner name,
-ignoring the DNSSEC records (SIG, NXT, KEY) that BIND 4 did not support.
-
-	Illegal:
-	www.example.com. CNAME host1.example.com.
-	www.example.com. MX 10 host2.example.com.
-
-BIND 9 is less tolerant of errors in master files, so check your logs and
-fix any errors reported.  The named-checkzone program can also be to check
-master files.
-
-Outgoing zone transfers now use the "many-answers" format by default.
-This format is not understood by certain old versions of BIND 4.  
-You can work around this problem using the option "transfer-format
-one-answer;", but since these old versions all have known security
-problems, the correct fix is to upgrade the slave servers.
diff --git a/contrib/bind9/doc/misc/options b/contrib/bind9/doc/misc/options
deleted file mode 100644
index 2c9cddd..0000000
--- a/contrib/bind9/doc/misc/options
+++ /dev/null
@@ -1,650 +0,0 @@
-
-This is a summary of the named.conf options supported by 
-this version of BIND 9.
-
-acl <string> { <address_match_element>; ... };
-
-controls {
-        inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
-            ) ] allow { <address_match_element>; ... } [ keys { <string>;
-            ... } ];
-        unix <quoted_string> perm <integer> owner <integer> group <integer>
-            [ keys { <string>; ... } ];
-};
-
-dlz <string> {
-        database <string>;
-};
-
-key <string> {
-        algorithm <string>;
-        secret <string>;
-};
-
-logging {
-        category <string> { <string>; ... };
-        channel <string> {
-                file <quoted_string> [ versions ( "unlimited" | <integer> )
-                    ] [ size <size> ];
-                null;
-                print-category <boolean>;
-                print-severity <boolean>;
-                print-time <boolean>;
-                severity <log_severity>;
-                stderr;
-                syslog <optional_facility>;
-        };
-};
-
-lwres {
-        listen-on [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
-            [ port <integer> ]; ... };
-        ndots <integer>;
-        search { <string>; ... };
-        view <string> <optional_class>;
-};
-
-managed-keys { <string> <string> <integer> <integer> <integer>
-    <quoted_string>; ... };
-
-masters <string> [ port <integer> ] { ( <masters> | <ipv4_address> [ port
-    <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
-
-options {
-        acache-cleaning-interval <integer>;
-        acache-enable <boolean>;
-        additional-from-auth <boolean>;
-        additional-from-cache <boolean>;
-        allow-new-zones <boolean>;
-        allow-notify { <address_match_element>; ... };
-        allow-query { <address_match_element>; ... };
-        allow-query-cache { <address_match_element>; ... };
-        allow-query-cache-on { <address_match_element>; ... };
-        allow-query-on { <address_match_element>; ... };
-        allow-recursion { <address_match_element>; ... };
-        allow-recursion-on { <address_match_element>; ... };
-        allow-transfer { <address_match_element>; ... };
-        allow-update { <address_match_element>; ... };
-        allow-update-forwarding { <address_match_element>; ... };
-        allow-v6-synthesis { <address_match_element>; ... }; // obsolete
-        also-notify [ port <integer> ] { ( <masters> | <ipv4_address> [
-            port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
-            <string> ]; ... };
-        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
-            * ) ];
-        attach-cache <string>;
-        auth-nxdomain <boolean>; // default changed
-        auto-dnssec ( allow | maintain | off );
-        avoid-v4-udp-ports { <portrange>; ... };
-        avoid-v6-udp-ports { <portrange>; ... };
-        bindkeys-file <quoted_string>;
-        blackhole { <address_match_element>; ... };
-        cache-file <quoted_string>;
-        check-dup-records ( fail | warn | ignore );
-        check-integrity <boolean>;
-        check-mx ( fail | warn | ignore );
-        check-mx-cname ( fail | warn | ignore );
-        check-names ( master | slave | response ) ( fail | warn | ignore );
-        check-sibling <boolean>;
-        check-spf ( warn | ignore );
-        check-srv-cname ( fail | warn | ignore );
-        check-wildcard <boolean>;
-        cleaning-interval <integer>;
-        clients-per-query <integer>;
-        coresize <size>;
-        datasize <size>;
-        deallocate-on-exit <boolean>; // obsolete
-        deny-answer-addresses { <address_match_element>; ... } [
-            except-from { <quoted_string>; ... } ];
-        deny-answer-aliases { <quoted_string>; ... } [ except-from {
-            <quoted_string>; ... } ];
-        dialup <dialuptype>;
-        directory <quoted_string>;
-        disable-algorithms <string> { <string>; ... };
-        disable-empty-zone <string>;
-        dns64 <netprefix> {
-                break-dnssec <boolean>;
-                clients { <address_match_element>; ... };
-                exclude { <address_match_element>; ... };
-                mapped { <address_match_element>; ... };
-                recursive-only <boolean>;
-                suffix <ipv6_address>;
-        };
-        dns64-contact <string>;
-        dns64-server <string>;
-        dnssec-accept-expired <boolean>;
-        dnssec-dnskey-kskonly <boolean>;
-        dnssec-enable <boolean>;
-        dnssec-loadkeys-interval <integer>;
-        dnssec-lookaside ( <string> trust-anchor <string> | auto | no );
-        dnssec-must-be-secure <string> <boolean>;
-        dnssec-secure-to-insecure <boolean>;
-        dnssec-update-mode ( maintain | no-resign );
-        dnssec-validation ( yes | no | auto );
-        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
-            <integer> ] | <ipv4_address> [ port <integer> ] |
-            <ipv6_address> [ port <integer> ] ); ... };
-        dump-file <quoted_string>;
-        edns-udp-size <integer>;
-        empty-contact <string>;
-        empty-server <string>;
-        empty-zones-enable <boolean>;
-        fake-iquery <boolean>; // obsolete
-        fetch-glue <boolean>; // obsolete
-        files <size>;
-        filter-aaaa { <address_match_element>; ... }; // not configured
-        filter-aaaa-on-v4 <v4_aaaa>; // not configured
-        flush-zones-on-shutdown <boolean>;
-        forward ( first | only );
-        forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
-            [ port <integer> ]; ... };
-        has-old-clients <boolean>; // obsolete
-        heartbeat-interval <integer>;
-        host-statistics <boolean>; // not implemented
-        host-statistics-max <integer>; // not implemented
-        hostname ( <quoted_string> | none );
-        inline-signing <boolean>;
-        interface-interval <integer>;
-        ixfr-from-differences <ixfrdiff>;
-        key-directory <quoted_string>;
-        lame-ttl <integer>;
-        listen-on [ port <integer> ] { <address_match_element>; ... };
-        listen-on-v6 [ port <integer> ] { <address_match_element>; ... };
-        maintain-ixfr-base <boolean>; // obsolete
-        managed-keys-directory <quoted_string>;
-        masterfile-format ( text | raw );
-        match-mapped-addresses <boolean>;
-        max-acache-size <size_no_default>;
-        max-cache-size <size_no_default>;
-        max-cache-ttl <integer>;
-        max-clients-per-query <integer>;
-        max-ixfr-log-size <size>; // obsolete
-        max-journal-size <size_no_default>;
-        max-ncache-ttl <integer>;
-        max-refresh-time <integer>;
-        max-retry-time <integer>;
-        max-rsa-exponent-size <integer>;
-        max-transfer-idle-in <integer>;
-        max-transfer-idle-out <integer>;
-        max-transfer-time-in <integer>;
-        max-transfer-time-out <integer>;
-        max-udp-size <integer>;
-        memstatistics <boolean>;
-        memstatistics-file <quoted_string>;
-        min-refresh-time <integer>;
-        min-retry-time <integer>;
-        min-roots <integer>; // not implemented
-        minimal-responses <boolean>;
-        multi-master <boolean>;
-        multiple-cnames <boolean>; // obsolete
-        named-xfer <quoted_string>; // obsolete
-        notify <notifytype>;
-        notify-delay <integer>;
-        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        notify-to-soa <boolean>;
-        nsec3-test-zone <boolean>; // test only
-        pid-file ( <quoted_string> | none );
-        port <integer>;
-        preferred-glue <string>;
-        provide-ixfr <boolean>;
-        query-source <querysource4>;
-        query-source-v6 <querysource6>;
-        querylog <boolean>;
-        queryport-pool-ports <integer>; // obsolete
-        queryport-pool-updateinterval <integer>; // obsolete
-        random-device <quoted_string>;
-        recursing-file <quoted_string>;
-        recursion <boolean>;
-        recursive-clients <integer>;
-        request-ixfr <boolean>;
-        request-ixfr <boolean>;
-        request-nsid <boolean>;
-        reserved-sockets <integer>;
-        resolver-query-timeout <integer>;
-        response-policy { zone <quoted_string> [ policy ( given | disabled
-            | passthru | no-op | nxdomain | nodata | cname <quoted_string>
-            ) ] [ recursive-only <boolean> ] [ max-policy-ttl <integer> ];
-            ... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
-            max-policy-ttl <integer> ] [ min-ns-dots <integer> ];
-        rfc2308-type1 <boolean>; // not yet implemented
-        root-delegation-only [ exclude { <quoted_string>; ... } ];
-        rrset-order { [ class <string> ] [ type <string> ] [ name
-            <quoted_string> ] <string> <string>; ... };
-        secroots-file <quoted_string>;
-        serial-queries <integer>; // obsolete
-        serial-query-rate <integer>;
-        serial-update-method ( increment | unixtime );
-        server-id ( <quoted_string> | none | hostname );
-        session-keyalg <string>;
-        session-keyfile ( <quoted_string> | none );
-        session-keyname <string>;
-        sig-signing-nodes <integer>;
-        sig-signing-signatures <integer>;
-        sig-signing-type <integer>;
-        sig-validity-interval <integer> [ <integer> ];
-        sortlist { <address_match_element>; ... };
-        stacksize <size>;
-        statistics-file <quoted_string>;
-        statistics-interval <integer>; // not yet implemented
-        suppress-initial-notify <boolean>; // not yet implemented
-        tcp-clients <integer>;
-        tcp-listen-queue <integer>;
-        tkey-dhkey <quoted_string> <integer>;
-        tkey-domain <quoted_string>;
-        tkey-gssapi-credential <quoted_string>;
-        tkey-gssapi-keytab <quoted_string>;
-        topology { <address_match_element>; ... }; // not implemented
-        transfer-format ( many-answers | one-answer );
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        transfers-in <integer>;
-        transfers-out <integer>;
-        transfers-per-ns <integer>;
-        treat-cr-as-space <boolean>; // obsolete
-        try-tcp-refresh <boolean>;
-        update-check-ksk <boolean>;
-        use-alt-transfer-source <boolean>;
-        use-id-pool <boolean>; // obsolete
-        use-ixfr <boolean>;
-        use-queryport-pool <boolean>; // obsolete
-        use-v4-udp-ports { <portrange>; ... };
-        use-v6-udp-ports { <portrange>; ... };
-        version ( <quoted_string> | none );
-        zero-no-soa-ttl <boolean>;
-        zero-no-soa-ttl-cache <boolean>;
-        zone-statistics <zonestat>;
-};
-
-server <netprefix> {
-        bogus <boolean>;
-        edns <boolean>;
-        edns-udp-size <integer>;
-        keys <server_key>;
-        max-udp-size <integer>;
-        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        provide-ixfr <boolean>;
-        query-source <querysource4>;
-        query-source-v6 <querysource6>;
-        request-ixfr <boolean>;
-        support-ixfr <boolean>; // obsolete
-        transfer-format ( many-answers | one-answer );
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        transfers <integer>;
-};
-
-statistics-channels {
-        inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
-            ) ] [ allow { <address_match_element>; ... } ];
-};
-
-trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... };
-
-view <string> <optional_class> {
-        acache-cleaning-interval <integer>;
-        acache-enable <boolean>;
-        additional-from-auth <boolean>;
-        additional-from-cache <boolean>;
-        allow-new-zones <boolean>;
-        allow-notify { <address_match_element>; ... };
-        allow-query { <address_match_element>; ... };
-        allow-query-cache { <address_match_element>; ... };
-        allow-query-cache-on { <address_match_element>; ... };
-        allow-query-on { <address_match_element>; ... };
-        allow-recursion { <address_match_element>; ... };
-        allow-recursion-on { <address_match_element>; ... };
-        allow-transfer { <address_match_element>; ... };
-        allow-update { <address_match_element>; ... };
-        allow-update-forwarding { <address_match_element>; ... };
-        allow-v6-synthesis { <address_match_element>; ... }; // obsolete
-        also-notify [ port <integer> ] { ( <masters> | <ipv4_address> [
-            port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
-            <string> ]; ... };
-        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
-            * ) ];
-        attach-cache <string>;
-        auth-nxdomain <boolean>; // default changed
-        auto-dnssec ( allow | maintain | off );
-        cache-file <quoted_string>;
-        check-dup-records ( fail | warn | ignore );
-        check-integrity <boolean>;
-        check-mx ( fail | warn | ignore );
-        check-mx-cname ( fail | warn | ignore );
-        check-names ( master | slave | response ) ( fail | warn | ignore );
-        check-sibling <boolean>;
-        check-spf ( warn | ignore );
-        check-srv-cname ( fail | warn | ignore );
-        check-wildcard <boolean>;
-        cleaning-interval <integer>;
-        clients-per-query <integer>;
-        database <string>;
-        deny-answer-addresses { <address_match_element>; ... } [
-            except-from { <quoted_string>; ... } ];
-        deny-answer-aliases { <quoted_string>; ... } [ except-from {
-            <quoted_string>; ... } ];
-        dialup <dialuptype>;
-        disable-algorithms <string> { <string>; ... };
-        disable-empty-zone <string>;
-        dlz <string> {
-                database <string>;
-        };
-        dns64 <netprefix> {
-                break-dnssec <boolean>;
-                clients { <address_match_element>; ... };
-                exclude { <address_match_element>; ... };
-                mapped { <address_match_element>; ... };
-                recursive-only <boolean>;
-                suffix <ipv6_address>;
-        };
-        dns64-contact <string>;
-        dns64-server <string>;
-        dnssec-accept-expired <boolean>;
-        dnssec-dnskey-kskonly <boolean>;
-        dnssec-enable <boolean>;
-        dnssec-loadkeys-interval <integer>;
-        dnssec-lookaside ( <string> trust-anchor <string> | auto | no );
-        dnssec-must-be-secure <string> <boolean>;
-        dnssec-secure-to-insecure <boolean>;
-        dnssec-update-mode ( maintain | no-resign );
-        dnssec-validation ( yes | no | auto );
-        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
-            <integer> ] | <ipv4_address> [ port <integer> ] |
-            <ipv6_address> [ port <integer> ] ); ... };
-        edns-udp-size <integer>;
-        empty-contact <string>;
-        empty-server <string>;
-        empty-zones-enable <boolean>;
-        fetch-glue <boolean>; // obsolete
-        filter-aaaa { <address_match_element>; ... }; // not configured
-        filter-aaaa-on-v4 <v4_aaaa>; // not configured
-        forward ( first | only );
-        forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
-            [ port <integer> ]; ... };
-        inline-signing <boolean>;
-        ixfr-from-differences <ixfrdiff>;
-        key <string> {
-                algorithm <string>;
-                secret <string>;
-        };
-        key-directory <quoted_string>;
-        lame-ttl <integer>;
-        maintain-ixfr-base <boolean>; // obsolete
-        managed-keys { <string> <string> <integer> <integer> <integer>
-            <quoted_string>; ... };
-        masterfile-format ( text | raw );
-        match-clients { <address_match_element>; ... };
-        match-destinations { <address_match_element>; ... };
-        match-recursive-only <boolean>;
-        max-acache-size <size_no_default>;
-        max-cache-size <size_no_default>;
-        max-cache-ttl <integer>;
-        max-clients-per-query <integer>;
-        max-ixfr-log-size <size>; // obsolete
-        max-journal-size <size_no_default>;
-        max-ncache-ttl <integer>;
-        max-refresh-time <integer>;
-        max-retry-time <integer>;
-        max-transfer-idle-in <integer>;
-        max-transfer-idle-out <integer>;
-        max-transfer-time-in <integer>;
-        max-transfer-time-out <integer>;
-        max-udp-size <integer>;
-        min-refresh-time <integer>;
-        min-retry-time <integer>;
-        min-roots <integer>; // not implemented
-        minimal-responses <boolean>;
-        multi-master <boolean>;
-        notify <notifytype>;
-        notify-delay <integer>;
-        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        notify-to-soa <boolean>;
-        nsec3-test-zone <boolean>; // test only
-        preferred-glue <string>;
-        provide-ixfr <boolean>;
-        query-source <querysource4>;
-        query-source-v6 <querysource6>;
-        queryport-pool-ports <integer>; // obsolete
-        queryport-pool-updateinterval <integer>; // obsolete
-        recursion <boolean>;
-        request-ixfr <boolean>;
-        request-ixfr <boolean>;
-        request-nsid <boolean>;
-        resolver-query-timeout <integer>;
-        response-policy { zone <quoted_string> [ policy ( given | disabled
-            | passthru | no-op | nxdomain | nodata | cname <quoted_string>
-            ) ] [ recursive-only <boolean> ] [ max-policy-ttl <integer> ];
-            ... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
-            max-policy-ttl <integer> ] [ min-ns-dots <integer> ];
-        rfc2308-type1 <boolean>; // not yet implemented
-        root-delegation-only [ exclude { <quoted_string>; ... } ];
-        rrset-order { [ class <string> ] [ type <string> ] [ name
-            <quoted_string> ] <string> <string>; ... };
-        serial-update-method ( increment | unixtime );
-        server <netprefix> {
-                bogus <boolean>;
-                edns <boolean>;
-                edns-udp-size <integer>;
-                keys <server_key>;
-                max-udp-size <integer>;
-                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
-                    ) ];
-                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
-                    | * ) ];
-                provide-ixfr <boolean>;
-                query-source <querysource4>;
-                query-source-v6 <querysource6>;
-                request-ixfr <boolean>;
-                support-ixfr <boolean>; // obsolete
-                transfer-format ( many-answers | one-answer );
-                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
-                    * ) ];
-                transfer-source-v6 ( <ipv6_address> | * ) [ port (
-                    <integer> | * ) ];
-                transfers <integer>;
-        };
-        sig-signing-nodes <integer>;
-        sig-signing-signatures <integer>;
-        sig-signing-type <integer>;
-        sig-validity-interval <integer> [ <integer> ];
-        sortlist { <address_match_element>; ... };
-        suppress-initial-notify <boolean>; // not yet implemented
-        topology { <address_match_element>; ... }; // not implemented
-        transfer-format ( many-answers | one-answer );
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        trusted-keys { <string> <integer> <integer> <integer>
-            <quoted_string>; ... };
-        try-tcp-refresh <boolean>;
-        update-check-ksk <boolean>;
-        use-alt-transfer-source <boolean>;
-        use-queryport-pool <boolean>; // obsolete
-        zero-no-soa-ttl <boolean>;
-        zero-no-soa-ttl-cache <boolean>;
-        zone <string> <optional_class> {
-                allow-notify { <address_match_element>; ... };
-                allow-query { <address_match_element>; ... };
-                allow-query-on { <address_match_element>; ... };
-                allow-transfer { <address_match_element>; ... };
-                allow-update { <address_match_element>; ... };
-                allow-update-forwarding { <address_match_element>; ... };
-                also-notify [ port <integer> ] { ( <masters> |
-                    <ipv4_address> [ port <integer> ] | <ipv6_address> [
-                    port <integer> ] ) [ key <string> ]; ... };
-                alt-transfer-source ( <ipv4_address> | * ) [ port (
-                    <integer> | * ) ];
-                alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
-                    <integer> | * ) ];
-                auto-dnssec ( allow | maintain | off );
-                check-dup-records ( fail | warn | ignore );
-                check-integrity <boolean>;
-                check-mx ( fail | warn | ignore );
-                check-mx-cname ( fail | warn | ignore );
-                check-names ( fail | warn | ignore );
-                check-sibling <boolean>;
-                check-spf ( warn | ignore );
-                check-srv-cname ( fail | warn | ignore );
-                check-wildcard <boolean>;
-                database <string>;
-                delegation-only <boolean>;
-                dialup <dialuptype>;
-                dnssec-dnskey-kskonly <boolean>;
-                dnssec-loadkeys-interval <integer>;
-                dnssec-secure-to-insecure <boolean>;
-                dnssec-update-mode ( maintain | no-resign );
-                file <quoted_string>;
-                forward ( first | only );
-                forwarders [ port <integer> ] { ( <ipv4_address> |
-                    <ipv6_address> ) [ port <integer> ]; ... };
-                inline-signing <boolean>;
-                ixfr-base <quoted_string>; // obsolete
-                ixfr-from-differences <boolean>;
-                ixfr-tmp-file <quoted_string>; // obsolete
-                journal <quoted_string>;
-                key-directory <quoted_string>;
-                maintain-ixfr-base <boolean>; // obsolete
-                masterfile-format ( text | raw );
-                masters [ port <integer> ] { ( <masters> | <ipv4_address> [
-                    port <integer> ] | <ipv6_address> [ port <integer> ] )
-                    [ key <string> ]; ... };
-                max-ixfr-log-size <size>; // obsolete
-                max-journal-size <size_no_default>;
-                max-refresh-time <integer>;
-                max-retry-time <integer>;
-                max-transfer-idle-in <integer>;
-                max-transfer-idle-out <integer>;
-                max-transfer-time-in <integer>;
-                max-transfer-time-out <integer>;
-                min-refresh-time <integer>;
-                min-retry-time <integer>;
-                multi-master <boolean>;
-                notify <notifytype>;
-                notify-delay <integer>;
-                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
-                    ) ];
-                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
-                    | * ) ];
-                notify-to-soa <boolean>;
-                nsec3-test-zone <boolean>; // test only
-                pubkey <integer> <integer> <integer>
-                    <quoted_string>; // obsolete
-                request-ixfr <boolean>;
-                serial-update-method ( increment | unixtime );
-                server-addresses { ( <ipv4_address> | <ipv6_address> ) [
-                    port <integer> ]; ... };
-                server-names { <quoted_string>; ... };
-                sig-signing-nodes <integer>;
-                sig-signing-signatures <integer>;
-                sig-signing-type <integer>;
-                sig-validity-interval <integer> [ <integer> ];
-                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
-                    * ) ];
-                transfer-source-v6 ( <ipv6_address> | * ) [ port (
-                    <integer> | * ) ];
-                try-tcp-refresh <boolean>;
-                type ( master | slave | stub | static-stub | hint | forward
-                    | delegation-only | redirect );
-                update-check-ksk <boolean>;
-                update-policy ( local | { ( grant | deny ) <string> ( name
-                    | subdomain | wildcard | self | selfsub | selfwild |
-                    krb5-self | ms-self | krb5-subdomain | ms-subdomain |
-                    tcp-self | 6to4-self | zonesub | external ) [ <string>
-                    ] <rrtypelist>; ... };
-                use-alt-transfer-source <boolean>;
-                zero-no-soa-ttl <boolean>;
-                zone-statistics <zonestat>;
-        };
-        zone-statistics <zonestat>;
-};
-
-zone <string> <optional_class> {
-        allow-notify { <address_match_element>; ... };
-        allow-query { <address_match_element>; ... };
-        allow-query-on { <address_match_element>; ... };
-        allow-transfer { <address_match_element>; ... };
-        allow-update { <address_match_element>; ... };
-        allow-update-forwarding { <address_match_element>; ... };
-        also-notify [ port <integer> ] { ( <masters> | <ipv4_address> [
-            port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
-            <string> ]; ... };
-        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
-            * ) ];
-        auto-dnssec ( allow | maintain | off );
-        check-dup-records ( fail | warn | ignore );
-        check-integrity <boolean>;
-        check-mx ( fail | warn | ignore );
-        check-mx-cname ( fail | warn | ignore );
-        check-names ( fail | warn | ignore );
-        check-sibling <boolean>;
-        check-spf ( warn | ignore );
-        check-srv-cname ( fail | warn | ignore );
-        check-wildcard <boolean>;
-        database <string>;
-        delegation-only <boolean>;
-        dialup <dialuptype>;
-        dnssec-dnskey-kskonly <boolean>;
-        dnssec-loadkeys-interval <integer>;
-        dnssec-secure-to-insecure <boolean>;
-        dnssec-update-mode ( maintain | no-resign );
-        file <quoted_string>;
-        forward ( first | only );
-        forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
-            [ port <integer> ]; ... };
-        inline-signing <boolean>;
-        ixfr-base <quoted_string>; // obsolete
-        ixfr-from-differences <boolean>;
-        ixfr-tmp-file <quoted_string>; // obsolete
-        journal <quoted_string>;
-        key-directory <quoted_string>;
-        maintain-ixfr-base <boolean>; // obsolete
-        masterfile-format ( text | raw );
-        masters [ port <integer> ] { ( <masters> | <ipv4_address> [ port
-            <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
-            <string> ]; ... };
-        max-ixfr-log-size <size>; // obsolete
-        max-journal-size <size_no_default>;
-        max-refresh-time <integer>;
-        max-retry-time <integer>;
-        max-transfer-idle-in <integer>;
-        max-transfer-idle-out <integer>;
-        max-transfer-time-in <integer>;
-        max-transfer-time-out <integer>;
-        min-refresh-time <integer>;
-        min-retry-time <integer>;
-        multi-master <boolean>;
-        notify <notifytype>;
-        notify-delay <integer>;
-        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        notify-to-soa <boolean>;
-        nsec3-test-zone <boolean>; // test only
-        pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
-        request-ixfr <boolean>;
-        serial-update-method ( increment | unixtime );
-        server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
-            <integer> ]; ... };
-        server-names { <quoted_string>; ... };
-        sig-signing-nodes <integer>;
-        sig-signing-signatures <integer>;
-        sig-signing-type <integer>;
-        sig-validity-interval <integer> [ <integer> ];
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        try-tcp-refresh <boolean>;
-        type ( master | slave | stub | static-stub | hint | forward |
-            delegation-only | redirect );
-        update-check-ksk <boolean>;
-        update-policy ( local | { ( grant | deny ) <string> ( name |
-            subdomain | wildcard | self | selfsub | selfwild | krb5-self |
-            ms-self | krb5-subdomain | ms-subdomain | tcp-self | 6to4-self
-            | zonesub | external ) [ <string> ] <rrtypelist>; ... };
-        use-alt-transfer-source <boolean>;
-        zero-no-soa-ttl <boolean>;
-        zone-statistics <zonestat>;
-};
-
diff --git a/contrib/bind9/doc/misc/rfc-compliance b/contrib/bind9/doc/misc/rfc-compliance
deleted file mode 100644
index 4c87c66..0000000
--- a/contrib/bind9/doc/misc/rfc-compliance
+++ /dev/null
@@ -1,62 +0,0 @@
-Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: rfc-compliance,v 1.4 2004/03/05 05:04:53 marka Exp $
-
-BIND 9 is striving for strict compliance with IETF standards.  We
-believe this release of BIND 9 complies with the following RFCs, with
-the caveats and exceptions listed in the numbered notes below.  Note
-that a number of these RFCs do not have the status of Internet
-standards but are proposed or draft standards, experimental RFCs, 
-or Best Current Practice (BCP) documents.
-
-  RFC1034
-  RFC1035 [1] [2]
-  RFC1123
-  RFC1183
-  RFC1535
-  RFC1536
-  RFC1706
-  RFC1712
-  RFC1750
-  RFC1876
-  RFC1982
-  RFC1995
-  RFC1996
-  RFC2136
-  RFC2163
-  RFC2181
-  RFC2230
-  RFC2308
-  RFC2535 [3] [4]
-  RFC2536
-  RFC2537
-  RFC2538
-  RFC2539
-  RFC2671
-  RFC2672
-  RFC2673
-  RFC2782
-  RFC2915
-  RFC2930
-  RFC2931 [5]
-  RFC3007
-
-
-[1] Queries to zones that have failed to load return SERVFAIL rather
-than a non-authoritative response.  This is considered a feature.
-
-[2] CLASS ANY queries are not supported.  This is considered a feature.
-
-[3] Wildcard records are not supported in DNSSEC secure zones.
-
-[4] Servers authoritative for secure zones being resolved by BIND 9
-must support EDNS0 (RFC2671), and must return all relevant SIGs and
-NXTs in responses rather than relying on the resolving server to
-perform separate queries for missing SIGs and NXTs.
-
-[5] When receiving a query signed with a SIG(0), the server will only
-be able to verify the signature if it has the key in its local
-authoritative data; it will not do recursion or validation to
-retrieve unknown keys.
diff --git a/contrib/bind9/doc/misc/roadmap b/contrib/bind9/doc/misc/roadmap
deleted file mode 100644
index f63a469..0000000
--- a/contrib/bind9/doc/misc/roadmap
+++ /dev/null
@@ -1,47 +0,0 @@
-Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: roadmap,v 1.2 2004/03/05 05:04:54 marka Exp $
-
-Road Map to the BIND 9 Source Tree
-
-bin/named		The name server.  This relies heavily on the
-			libraries in lib/isc and lib/dns.
-    client.c		Handling of incoming client requests
-    query.c		Query processing
-bin/rndc		The remote name daemon control program
-bin/dig			The "dig" program
-bin/dnssec		The DNSSEC signer and other DNSSEC tools
-bin/nsupdate		The "nsupdate" program
-bin/tests		Test suites and miscellaneous test programs
-bin/tests/system	System tests; see bin/tests/system/README
-lib/dns			The DNS library
-    resolver.c		The "full resolver" (performs recursive lookups)
-    validator.c		The DNSSEC validator
-    db.c		The database interface
-    sdb.c		The simple database interface
-    rbtdb.c		The red-black tree database
-lib/dns/rdata		Routines for handling the various RR types
-lib/dns/sec		Cryptographic libraries for DNSSEC
-lib/isc			The ISC library
-    task.c		Task library
-    unix/socket.c	Unix implementation of socket library
-lib/isccfg		Routines for reading and writing ISC-style
-			configuration files like named.conf and rndc.conf
-lib/isccc		The command channel library, used by rndc.
-lib/tests		Support code for the test suites.
-lib/lwres		The lightweight resolver library.
-doc/draft		Current internet-drafts pertaining to the DNS
-doc/rfc			RFCs pertaining to the DNS
-doc/misc		Miscellaneous documentation
-doc/arm			The BIND 9 Administrator Reference Manual
-doc/man			Man pages
-contrib			Contributed and other auxiliary code
-contrib/idn/mdnkit	The multilingual domain name evaluation kit
-contrib/sdb		Sample drivers for the simple database interface
-make			Makefile fragments, used by configure
-
-The library interfaces are mainly documented in the form of comments
-in the header files.  For example, the task subsystem is documented in
-lib/isc/include/isc/task.h
diff --git a/contrib/bind9/doc/misc/sdb b/contrib/bind9/doc/misc/sdb
deleted file mode 100644
index 552028a..0000000
--- a/contrib/bind9/doc/misc/sdb
+++ /dev/null
@@ -1,169 +0,0 @@
-Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-Using the BIND 9 Simplified Database Interface
-
-This document describes the care and feeding of the BIND 9 Simplified
-Database Interface, which allows you to extend BIND 9 with new ways
-of obtaining the data that is published as DNS zones.
-
-
-The Original BIND 9 Database Interface
-
-BIND 9 has a well-defined "back-end database interface" that makes it
-possible to replace the component of the name server responsible for
-the storage and retrieval of zone data, called the "database", on a
-per-zone basis.  The default database is an in-memory, red-black-tree
-data structure commonly referred to as "rbtdb", but it is possible to
-write drivers to support any number of alternative database
-technologies such as in-memory hash tables, application specific
-persistent on-disk databases, object databases, or relational
-databases.
-
-The original BIND 9 database interface defined in <dns/db.h> is
-designed to efficiently support the full set of database functionality
-needed by a name server that implements the complete DNS protocols,
-including features such as zone transfers, dynamic update, and DNSSEC.
-Each of these aspects of name server operations places its own set of
-demands on the data store, with the result that the database API is
-quite complex and contains operations that are highly specific to the
-DNS.  For example, data are stored in a binary format, the name space
-is tree structured, and sets of data records are conceptually
-associated with DNSSEC signature sets.  For these reasons, writing a
-driver using this interface is a highly nontrivial undertaking.
-
-
-The Simplified Database Interface
-
-Many BIND users wish to provide access to various data sources through
-the DNS, but are not necessarily interested in completely replacing
-the in-memory "rbt" database or in supporting features like dynamic
-update, DNSSEC, or even zone transfers.
-
-Often, all you want is limited, read-only DNS access to an existing
-system.  For example, you may have an existing relational database
-containing hostname/address mappings and wish to provide forvard and
-reverse DNS lookups based on this information.  Or perhaps you want to
-set up a simple DNS-based load balancing system where the name server
-answers queries about a single DNS name with a dynamically changing
-set of A records.
-
-BIND 9.1 introduced a new, simplified database interface, or "sdb",
-which greatly simplifies the writing of drivers for these kinds of
-applications.
-
-
-The sdb Driver
-
-An sdb driver is an object module, typically written in C, which is
-linked into the name server and registers itself with the sdb
-subsystem.  It provides a set of callback functions, which also serve
-to advertise its capabilities.  When the name server receives DNS
-queries, invokes the callback functions to obtain the data to respond
-with.
-
-Unlike the full database interface, the sdb interface represents all
-domain names and resource records as ASCII text.
-
-
-Writing an sdb Driver
-
-When a driver is registered, it specifies its name, a list of callback
-functions, and flags.
-
-The flags specify whether the driver wants to use relative domain
-names where possible.
-
-The callback functions are as follows.  The only one that must be
-defined is lookup().
-
-  - create(zone, argc, argv, driverdata, dbdata)
-	  Create a database object for "zone".
-
-  - destroy(zone, driverdata, dbdata)
-	  Destroy the database object for "zone".
-
-  - lookup(zone, name, dbdata, lookup)
-	  Return all the records at the domain name "name".
-
-  - authority(zone, dbdata, lookup)
-	  Return the SOA and NS records at the zone apex.
-
-  - allnodes(zone, dbdata, allnodes)
-	  Return all data in the zone, for zone transfers.
-
-For more detail about these functions and their parameters, see
-bind9/lib/dns/include/dns/sdb.h.  For example drivers, see
-bind9/contrib/sdb.
-
-
-Rebuilding the Server
-
-The driver module and header file must be copied to (or linked into)
-the bind9/bin/named and bind9/bin/named/include directories
-respectively, and must be added to the DBDRIVER_OBJS and DBDRIVER_SRCS
-lines in bin/named/Makefile.in (e.g. for the timedb sample sdb driver,
-add timedb.c to DBDRIVER_SRCS and timedb.@O@ to DBDRIVER_OBJS).  If
-the driver needs additional header files or libraries in nonstandard
-places, the DBDRIVER_INCLUDES and DBDRIVER_LIBS lines should also be
-updated.
-
-Calls to dns_sdb_register() and dns_sdb_unregister() (or wrappers,
-e.g. timedb_init() and timedb_clear() for the timedb sample sdb
-driver) must be inserted into the server, in bind9/bin/named/main.c.
-Registration should be in setup(), before the call to
-ns_server_create().  Unregistration should be in cleanup(),
-after the call to ns_server_destroy().  A #include should be added
-corresponding to the driver header file.
-
-You should try doing this with one or more of the sample drivers
-before attempting to write a driver of your own.
-
-
-Configuring the Server
-
-To make a zone use a new database driver, specify a "database" option
-in its "zone" statement in named.conf.  For example, if the driver
-registers itself under the name "acmedb", you might say
-
-   zone "foo.com" {
-	   database "acmedb";
-   };
-
-You can pass arbitrary arguments to the create() function of the
-driver by adding any number of whitespace-separated words after the
-driver name:
-
-   zone "foo.com" {
-	   database "acmedb -mode sql -connect 10.0.0.1";
-   };
-
-
-Hints for Driver Writers
-
- - If a driver is generating data on the fly, it probably should
-   not implement the allnodes() function, since a zone transfer
-   will not be meaningful.  The allnodes() function is more relevant
-   with data from a database.
-
- - The authority() function is necessary if and only if the lookup()
-   function will not add SOA and NS records at the zone apex.  If
-   SOA and NS records are provided by the lookup() function,
-   the authority() function should be NULL.
-
- - When a driver is registered, an opaque object can be provided.  This
-   object is passed into the database create() and destroy() functions.
-
- - When a database is created, an opaque object can be created that
-   is associated with that database.  This object is passed into the
-   lookup(), authority(), and allnodes() functions, and is
-   destroyed by the destroy() function.
-
-
-Future Directions
-
-A future release may support dynamic loading of sdb drivers.
-
-
-$Id: sdb,v 1.6 2004/03/05 05:04:54 marka Exp $
diff --git a/contrib/bind9/doc/misc/sort-options.pl b/contrib/bind9/doc/misc/sort-options.pl
deleted file mode 100755
index 0030525..0000000
--- a/contrib/bind9/doc/misc/sort-options.pl
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/perl
-#
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: sort-options.pl,v 1.3 2007/09/24 23:46:48 tbox Exp $
-
-sub sortlevel() {
-	my @options = ();
-	my $fin = "";
-	my $i = 0;
-	while (<>) {
-		if (/^\s*};$/) {
-			$fin = $_;
-			# print 2, $_;
-			last;
-		}
-		next if (/^$/);
-		if (/{$/) {
-			# print 3, $_;
-			my $sec = $_;
-			push(@options, $sec . sortlevel());
-		} else {
-			push(@options, $_);
-			# print 1, $_;
-		}
-		$i++;
-	}
-	my $result = "";
-	foreach my $i (sort @options) {
-		$result = ${result}.${i};
-		$result = $result."\n" if ($i =~ /^[a-z]/i);
-		# print 5, ${i};
-	}
-	$result = ${result}.${fin};
-	return ($result);
-}
-
-print sortlevel();
diff --git a/contrib/bind9/install-sh b/contrib/bind9/install-sh
deleted file mode 100755
index 058b26c..0000000
--- a/contrib/bind9/install-sh
+++ /dev/null
@@ -1,250 +0,0 @@
-#! /bin/sh
-#
-# install - install a program, script, or datafile
-# This comes from X11R5 (mit/util/scripts/install.sh).
-#
-# Copyright 1991 by the Massachusetts Institute of Technology
-#
-# Permission to use, copy, modify, distribute, and sell this software and its
-# documentation for any purpose is hereby granted without fee, provided that
-# the above copyright notice appear in all copies and that both that
-# copyright notice and this permission notice appear in supporting
-# documentation, and that the name of M.I.T. not be used in advertising or
-# publicity pertaining to distribution of the software without specific,
-# written prior permission.  M.I.T. makes no representations about the
-# suitability of this software for any purpose.  It is provided "as is"
-# without express or implied warranty.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# `make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch.  It can only install one file at a time, a restriction
-# shared with many OS's install programs.
-
-
-# set DOITPROG to echo to test this script
-
-# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit="${DOITPROG-}"
-
-
-# put in absolute paths if you don't have them in your path; or use env. vars.
-
-mvprog="${MVPROG-mv}"
-cpprog="${CPPROG-cp}"
-chmodprog="${CHMODPROG-chmod}"
-chownprog="${CHOWNPROG-chown}"
-chgrpprog="${CHGRPPROG-chgrp}"
-stripprog="${STRIPPROG-strip}"
-rmprog="${RMPROG-rm}"
-mkdirprog="${MKDIRPROG-mkdir}"
-
-transformbasename=""
-transform_arg=""
-instcmd="$mvprog"
-chmodcmd="$chmodprog 0755"
-chowncmd=""
-chgrpcmd=""
-stripcmd=""
-rmcmd="$rmprog -f"
-mvcmd="$mvprog"
-src=""
-dst=""
-dir_arg=""
-
-while [ x"$1" != x ]; do
-    case $1 in
-	-c) instcmd="$cpprog"
-	    shift
-	    continue;;
-
-	-d) dir_arg=true
-	    shift
-	    continue;;
-
-	-m) chmodcmd="$chmodprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-o) chowncmd="$chownprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-g) chgrpcmd="$chgrpprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-s) stripcmd="$stripprog"
-	    shift
-	    continue;;
-
-	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
-	    shift
-	    continue;;
-
-	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
-	    shift
-	    continue;;
-
-	*)  if [ x"$src" = x ]
-	    then
-		src=$1
-	    else
-		# this colon is to work around a 386BSD /bin/sh bug
-		:
-		dst=$1
-	    fi
-	    shift
-	    continue;;
-    esac
-done
-
-if [ x"$src" = x ]
-then
-	echo "install:	no input file specified"
-	exit 1
-else
-	true
-fi
-
-if [ x"$dir_arg" != x ]; then
-	dst=$src
-	src=""
-
-	if [ -d $dst ]; then
-		instcmd=:
-	else
-		instcmd=mkdir
-	fi
-else
-
-# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
-# might cause directories to be created, which would be especially bad
-# if $src (and thus $dsttmp) contains '*'.
-
-	if [ -f $src -o -d $src ]
-	then
-		true
-	else
-		echo "install:  $src does not exist"
-		exit 1
-	fi
-
-	if [ x"$dst" = x ]
-	then
-		echo "install:	no destination specified"
-		exit 1
-	else
-		true
-	fi
-
-# If destination is a directory, append the input filename; if your system
-# does not like double slashes in filenames, you may need to add some logic
-
-	if [ -d $dst ]
-	then
-		dst="$dst"/`basename $src`
-	else
-		true
-	fi
-fi
-
-## this sed command emulates the dirname command
-dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
-
-# Make sure that the destination directory exists.
-#  this part is taken from Noah Friedman's mkinstalldirs script
-
-# Skip lots of stat calls in the usual case.
-if [ ! -d "$dstdir" ]; then
-defaultIFS='
-'
-IFS="${IFS-${defaultIFS}}"
-
-oIFS="${IFS}"
-# Some sh's can't handle IFS=/ for some reason.
-IFS='%'
-set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
-IFS="${oIFS}"
-
-pathcomp=''
-
-while [ $# -ne 0 ] ; do
-	pathcomp="${pathcomp}${1}"
-	shift
-
-	if [ ! -d "${pathcomp}" ] ;
-        then
-		$mkdirprog "${pathcomp}"
-	else
-		true
-	fi
-
-	pathcomp="${pathcomp}/"
-done
-fi
-
-if [ x"$dir_arg" != x ]
-then
-	$doit $instcmd $dst &&
-
-	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
-	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
-	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
-	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
-else
-
-# If we're going to rename the final executable, determine the name now.
-
-	if [ x"$transformarg" = x ]
-	then
-		dstfile=`basename $dst`
-	else
-		dstfile=`basename $dst $transformbasename |
-			sed $transformarg`$transformbasename
-	fi
-
-# don't allow the sed command to completely eliminate the filename
-
-	if [ x"$dstfile" = x ]
-	then
-		dstfile=`basename $dst`
-	else
-		true
-	fi
-
-# Make a temp file name in the proper directory.
-
-	dsttmp=$dstdir/#inst.$$#
-
-# Move or copy the file name to the temp name
-
-	$doit $instcmd $src $dsttmp &&
-
-	trap "rm -f ${dsttmp}" 0 &&
-
-# and set any options; do chmod last to preserve setuid bits
-
-# If any of these fail, we abort the whole thing.  If we want to
-# ignore errors from any of these, just make sure not to ignore
-# errors from the above "$doit $instcmd $src $dsttmp" command.
-
-	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
-	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
-	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
-	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
-
-# Now rename the file to the real destination.
-
-	$doit $rmcmd -f $dstdir/$dstfile &&
-	$doit $mvcmd $dsttmp $dstdir/$dstfile
-
-fi &&
-
-
-exit 0
diff --git a/contrib/bind9/isc-config.sh.in b/contrib/bind9/isc-config.sh.in
deleted file mode 100644
index 10df275..0000000
--- a/contrib/bind9/isc-config.sh.in
+++ /dev/null
@@ -1,161 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2004, 2007, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: isc-config.sh.in,v 1.17 2007/06/19 23:46:59 tbox Exp $
-
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-exec_prefix_set=
-includedir=@includedir@
-libdir=@libdir@
-
-usage()
-{
-	cat << EOF
-Usage: isc-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Libraries:
-	isc
-	isccc
-	isccfg
-	dns
-	lwres
-	bind9
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-while test $# -gt 0; do
-	case "$1" in
-	-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-	*) optarg= ;;
-	esac
-
-	case "$1" in
-	--prefix=*)
-		prefix=$optarg
-		if test "x$exec_prefix_set" = x ; then
-			exec_prefix=$prefix
-			exec_prefix_set=true
-		fi
-		;;
-	--prefix)
-		echo_prefix=true
-		;;
-	--exec-prefix=*)
-		exec_prefix=$optarg
-		exec_prefix_set=true
-		;;
-	--exec-prefix)
-		echo_exec_prefix=true
-		;;
-	--version)
-		echo @BIND9_VERSION@
-		exit 0
-		;;
-	--cflags)
-		echo_cflags=true
-		;;
-	--libs)
-		echo_libs=true;
-		;;
-	isc)
-		libisc=true;
-		;;
-	isccc)
-		libisccc=true;
-		libisc=true;
-		;;
-	isccfg)
-		libisccfg=true;
-		libisc=true;
-		;;
-	dns)
-		libdns=true;
-		libisc=true;
-		;;
-	lwres)
-		liblwres=true;
-		;;
-	bind9)
-		libdns=true;
-		libisc=true;
-		libisccfg=true;
-		libbind9=true;
-		;;
-	*)
-		usage 1 1>&2
-	esac
-	shift
-done
-
-if test x"$echo_prefix" = x"true" ; then
-	echo $prefix
-fi
-if test x"$echo_exec_prefix" = x"true" ; then
-	echo $exec_prefix
-fi
-if test x"$echo_cflags" = x"true"; then
-	if test x"${exec_prefix_set}" = x"true"; then
-		includes="-I${exec_prefix}/include"
-	else
-		includes="-I${includedir}"
-	fi
-	if test x"$libisc" = x"true"; then
-		includes="$includes @ALWAYS_DEFINES@ @STD_CINCLUDES@ @STD_CDEFINES@ @CCOPT@"
-	fi
-	echo $includes
-fi
-if test x"$echo_libs" = x"true"; then
-	if test x"${exec_prefix_set}" = x"true"; then
-		includes="-L${exec_prefix}/lib"
-	else
-		libs="-L${libdir}"
-	fi
-	if test x"$liblwres" = x"true" ; then
-		libs="$libs -llwres"
-	fi
-	if test x"$libbind9" = x"true" ; then
-		libs="$libs -lbind9"
-	fi
-	if test x"$libdns" = x"true" ; then
-		libs="$libs -ldns @DNS_CRYPTO_LIBS@"
-	fi
-	if test x"$libisccfg" = x"true" ; then
-		libs="$libs -lisccfg"
-	fi
-	if test x"$libisccc" = x"true" ; then
-		libs="$libs -lisccc"
-	fi
-	if test x"$libisc" = x"true" ; then
-		libs="$libs -lisc"
-		needothers=true
-	fi
-	if test x"$needothers" = x"true" ; then
-		libs="$libs @CCOPT@ @LIBS@"
-	fi
-	echo $libs
-fi
diff --git a/contrib/bind9/lib/Makefile.in b/contrib/bind9/lib/Makefile.in
deleted file mode 100644
index 8dc1d38..0000000
--- a/contrib/bind9/lib/Makefile.in
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright (C) 2004, 2007, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001, 2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.21 2007/06/19 23:47:13 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-# Note: the order of SUBDIRS is important.
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-SUBDIRS =	isc isccc dns isccfg bind9 lwres tests
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-distclean::
-	@echo "making $@ in `pwd`/irs"; \
-	(cd irs; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1;
-
diff --git a/contrib/bind9/lib/bind9/Makefile.in b/contrib/bind9/lib/bind9/Makefile.in
deleted file mode 100644
index b6633e5..0000000
--- a/contrib/bind9/lib/bind9/Makefile.in
+++ /dev/null
@@ -1,85 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.14 2009/12/05 23:31:40 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBBIND9_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
-		${ISCCFG_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCCFGLIBS =    ../../lib/isccfg/libisccfg.@A@
-DNSLIBS =    ../../lib/dns/libdns.@A@
-
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
-DNSDEPLIBS =    ../../lib/dns/libdns.@A@
-
-LIBS =		@LIBS@
-
-SUBDIRS =	include
-
-# Alphabetically
-OBJS =		check.@O@ getaddresses.@O@ version.@O@
-
-# Alphabetically
-SRCS =		check.c getaddresses.c version.c
-
-TARGETS = 	timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libbind9.@SA@: ${OBJS}
-	${AR} ${ARFLAGS} $@ ${OBJS}
-	${RANLIB} $@
-
-libbind9.la: ${OBJS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libbind9.la -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ \
-		${LIBS}
-
-timestamp: libbind9.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libbind9.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
-	rm -f libbind9.@A@ timestamp
diff --git a/contrib/bind9/lib/bind9/api b/contrib/bind9/lib/bind9/api
deleted file mode 100644
index a27437f..0000000
--- a/contrib/bind9/lib/bind9/api
+++ /dev/null
@@ -1,9 +0,0 @@
-# LIBINTERFACE ranges
-# 9.6: 50-59, 110-119
-# 9.7: 60-79
-# 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-LIBINTERFACE = 90
-LIBREVISION = 7
-LIBAGE = 0
diff --git a/contrib/bind9/lib/bind9/check.c b/contrib/bind9/lib/bind9/check.c
deleted file mode 100644
index 91f8bff..0000000
--- a/contrib/bind9/lib/bind9/check.c
+++ /dev/null
@@ -1,2935 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/parseint.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/string.h>
-#include <isc/symtab.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/fixedname.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/secalg.h>
-
-#include <dst/dst.h>
-
-#include <isccfg/aclconf.h>
-#include <isccfg/cfg.h>
-
-#include <bind9/check.h>
-
-static void
-freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
-	UNUSED(type);
-	UNUSED(value);
-	isc_mem_free(userarg, key);
-}
-
-static isc_result_t
-check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	isc_textregion_t r;
-	dns_fixedname_t fixed;
-	const cfg_obj_t *obj;
-	dns_rdataclass_t rdclass;
-	dns_rdatatype_t rdtype;
-	isc_buffer_t b;
-	const char *str;
-
-	dns_fixedname_init(&fixed);
-	obj = cfg_tuple_get(ent, "class");
-	if (cfg_obj_isstring(obj)) {
-
-		DE_CONST(cfg_obj_asstring(obj), r.base);
-		r.length = strlen(r.base);
-		tresult = dns_rdataclass_fromtext(&rdclass, &r);
-		if (tresult != ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "rrset-order: invalid class '%s'",
-				    r.base);
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	obj = cfg_tuple_get(ent, "type");
-	if (cfg_obj_isstring(obj)) {
-
-		DE_CONST(cfg_obj_asstring(obj), r.base);
-		r.length = strlen(r.base);
-		tresult = dns_rdatatype_fromtext(&rdtype, &r);
-		if (tresult != ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "rrset-order: invalid type '%s'",
-				    r.base);
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	obj = cfg_tuple_get(ent, "name");
-	if (cfg_obj_isstring(obj)) {
-		str = cfg_obj_asstring(obj);
-		isc_buffer_constinit(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, 0, NULL);
-		if (tresult != ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "rrset-order: invalid name '%s'", str);
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	obj = cfg_tuple_get(ent, "order");
-	if (!cfg_obj_isstring(obj) ||
-	    strcasecmp("order", cfg_obj_asstring(obj)) != 0) {
-		cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
-			    "rrset-order: keyword 'order' missing");
-		result = ISC_R_FAILURE;
-	}
-
-	obj = cfg_tuple_get(ent, "ordering");
-	if (!cfg_obj_isstring(obj)) {
-	    cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
-			"rrset-order: missing ordering");
-		result = ISC_R_FAILURE;
-	} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
-#if !DNS_RDATASET_FIXED
-		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
-			    "rrset-order: order 'fixed' was disabled at "
-			    "compilation time");
-#endif
-	} else if (strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
-		   strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "rrset-order: invalid order '%s'",
-			    cfg_obj_asstring(obj));
-		result = ISC_R_FAILURE;
-	}
-	return (result);
-}
-
-static isc_result_t
-check_order(const cfg_obj_t *options, isc_log_t *logctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	const cfg_listelt_t *element;
-	const cfg_obj_t *obj = NULL;
-
-	if (cfg_map_get(options, "rrset-order", &obj) != ISC_R_SUCCESS)
-		return (result);
-
-	for (element = cfg_list_first(obj);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		tresult = check_orderent(cfg_listelt_value(element), logctx);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-	}
-	return (result);
-}
-
-static isc_result_t
-check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) {
-	const cfg_listelt_t *element;
-	const cfg_obj_t *alternates = NULL;
-	const cfg_obj_t *value;
-	const cfg_obj_t *obj;
-	const char *str;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	isc_buffer_t buffer;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-
-	(void)cfg_map_get(options, "dual-stack-servers", &alternates);
-
-	if (alternates == NULL)
-		return (ISC_R_SUCCESS);
-
-	obj = cfg_tuple_get(alternates, "port");
-	if (cfg_obj_isuint32(obj)) {
-		isc_uint32_t val = cfg_obj_asuint32(obj);
-		if (val > ISC_UINT16_MAX) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "port '%u' out of range", val);
-			result = ISC_R_FAILURE;
-		}
-	}
-	obj = cfg_tuple_get(alternates, "addresses");
-	for (element = cfg_list_first(obj);
-	     element != NULL;
-	     element = cfg_list_next(element)) {
-		value = cfg_listelt_value(element);
-		if (cfg_obj_issockaddr(value))
-			continue;
-		obj = cfg_tuple_get(value, "name");
-		str = cfg_obj_asstring(obj);
-		isc_buffer_constinit(&buffer, str, strlen(str));
-		isc_buffer_add(&buffer, strlen(str));
-		dns_fixedname_init(&fixed);
-		name = dns_fixedname_name(&fixed);
-		tresult = dns_name_fromtext(name, &buffer, dns_rootname,
-					    0, NULL);
-		if (tresult != ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "bad name '%s'", str);
-			result = ISC_R_FAILURE;
-		}
-		obj = cfg_tuple_get(value, "port");
-		if (cfg_obj_isuint32(obj)) {
-			isc_uint32_t val = cfg_obj_asuint32(obj);
-			if (val > ISC_UINT16_MAX) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "port '%u' out of range", val);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-	return (result);
-}
-
-static isc_result_t
-check_forward(const cfg_obj_t *options,  const cfg_obj_t *global,
-	      isc_log_t *logctx)
-{
-	const cfg_obj_t *forward = NULL;
-	const cfg_obj_t *forwarders = NULL;
-
-	(void)cfg_map_get(options, "forward", &forward);
-	(void)cfg_map_get(options, "forwarders", &forwarders);
-
-	if (forwarders != NULL && global != NULL) {
-		const char *file = cfg_obj_file(global);
-		unsigned int line = cfg_obj_line(global);
-		cfg_obj_log(forwarders, logctx, ISC_LOG_ERROR,
-			    "forwarders declared in root zone and "
-			    "in general configuration: %s:%u",
-			    file, line);
-		return (ISC_R_FAILURE);
-	}
-	if (forward != NULL && forwarders == NULL) {
-		cfg_obj_log(forward, logctx, ISC_LOG_ERROR,
-			    "no matching 'forwarders' statement");
-		return (ISC_R_FAILURE);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	const cfg_listelt_t *element;
-	const char *str;
-	isc_buffer_t b;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	const cfg_obj_t *obj;
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	obj = cfg_tuple_get(disabled, "name");
-	str = cfg_obj_asstring(obj);
-	isc_buffer_constinit(&b, str, strlen(str));
-	isc_buffer_add(&b, strlen(str));
-	tresult = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
-	if (tresult != ISC_R_SUCCESS) {
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "bad domain name '%s'", str);
-		result = tresult;
-	}
-
-	obj = cfg_tuple_get(disabled, "algorithms");
-
-	for (element = cfg_list_first(obj);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		isc_textregion_t r;
-		dns_secalg_t alg;
-		isc_result_t tresult;
-
-		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
-		r.length = strlen(r.base);
-
-		tresult = dns_secalg_fromtext(&alg, &r);
-		if (tresult != ISC_R_SUCCESS) {
-			cfg_obj_log(cfg_listelt_value(element), logctx,
-				    ISC_LOG_ERROR, "invalid algorithm '%s'",
-				    r.base);
-			result = tresult;
-		}
-	}
-	return (result);
-}
-
-static isc_result_t
-nameexist(const cfg_obj_t *obj, const char *name, int value,
-	  isc_symtab_t *symtab, const char *fmt, isc_log_t *logctx,
-	  isc_mem_t *mctx)
-{
-	char *key;
-	const char *file;
-	unsigned int line;
-	isc_result_t result;
-	isc_symvalue_t symvalue;
-
-	key = isc_mem_strdup(mctx, name);
-	if (key == NULL)
-		return (ISC_R_NOMEMORY);
-	symvalue.as_cpointer = obj;
-	result = isc_symtab_define(symtab, key, value, symvalue,
-				   isc_symexists_reject);
-	if (result == ISC_R_EXISTS) {
-		RUNTIME_CHECK(isc_symtab_lookup(symtab, key, value,
-						&symvalue) == ISC_R_SUCCESS);
-		file = cfg_obj_file(symvalue.as_cpointer);
-		line = cfg_obj_line(symvalue.as_cpointer);
-
-		if (file == NULL)
-			file = "<unknown file>";
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR, fmt, key, file, line);
-		isc_mem_free(mctx, key);
-		result = ISC_R_EXISTS;
-	} else if (result != ISC_R_SUCCESS) {
-		isc_mem_free(mctx, key);
-	}
-	return (result);
-}
-
-static isc_result_t
-mustbesecure(const cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
-	     isc_mem_t *mctx)
-{
-	const cfg_obj_t *obj;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	const char *str;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	isc_buffer_t b;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	obj = cfg_tuple_get(secure, "name");
-	str = cfg_obj_asstring(obj);
-	isc_buffer_constinit(&b, str, strlen(str));
-	isc_buffer_add(&b, strlen(str));
-	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "bad domain name '%s'", str);
-	} else {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		result = nameexist(secure, namebuf, 1, symtab,
-				   "dnssec-must-be-secure '%s': already "
-				   "exists previous definition: %s:%u",
-				   logctx, mctx);
-	}
-	return (result);
-}
-
-static isc_result_t
-checkacl(const char *aclname, cfg_aclconfctx_t *actx, const cfg_obj_t *zconfig,
-	 const cfg_obj_t *voptions, const cfg_obj_t *config,
-	 isc_log_t *logctx, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	const cfg_obj_t *aclobj = NULL;
-	const cfg_obj_t *options;
-	dns_acl_t *acl = NULL;
-
-	if (zconfig != NULL) {
-		options = cfg_tuple_get(zconfig, "options");
-		cfg_map_get(options, aclname, &aclobj);
-	}
-	if (voptions != NULL && aclobj == NULL)
-		cfg_map_get(voptions, aclname, &aclobj);
-	if (config != NULL && aclobj == NULL) {
-		options = NULL;
-		cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			cfg_map_get(options, aclname, &aclobj);
-	}
-	if (aclobj == NULL)
-		return (ISC_R_SUCCESS);
-	result = cfg_acl_fromconfig(aclobj, config, logctx,
-				    actx, mctx, 0, &acl);
-	if (acl != NULL)
-		dns_acl_detach(&acl);
-	return (result);
-}
-
-static isc_result_t
-check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
-	       const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
-{
-	isc_result_t result = ISC_R_SUCCESS, tresult;
-	int i = 0;
-
-	static const char *acls[] = { "allow-query", "allow-query-on",
-		"allow-query-cache", "allow-query-cache-on",
-		"blackhole", "match-clients", "match-destinations",
-		"sortlist", "filter-aaaa", NULL };
-
-	while (acls[i] != NULL) {
-		tresult = checkacl(acls[i++], actx, NULL, voptions, config,
-				   logctx, mctx);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-	}
-	return (result);
-}
-
-static const unsigned char zeros[16];
-
-static isc_result_t
-check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
-	    const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	const cfg_obj_t *dns64 = NULL;
-	const cfg_obj_t *options;
-	const cfg_listelt_t *element;
-	const cfg_obj_t *map, *obj;
-	isc_netaddr_t na, sa;
-	unsigned int prefixlen;
-	int nbytes;
-	int i;
-
-	static const char *acls[] = { "clients", "exclude", "mapped", NULL};
-
-	if (voptions != NULL)
-		cfg_map_get(voptions, "dns64", &dns64);
-	if (config != NULL && dns64 == NULL) {
-		options = NULL;
-		cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			cfg_map_get(options, "dns64", &dns64);
-	}
-	if (dns64 == NULL)
-		return (ISC_R_SUCCESS);
-
-	for (element = cfg_list_first(dns64);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		map = cfg_listelt_value(element);
-		obj = cfg_map_getname(map);
-
-		cfg_obj_asnetprefix(obj, &na, &prefixlen);
-		if (na.family != AF_INET6) {
-			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
-				    "dns64 requires a IPv6 prefix");
-			result = ISC_R_FAILURE;
-			continue;
-		}
-
-		if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
-		    prefixlen != 56 && prefixlen != 64 && prefixlen != 96) {
-			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
-				    "bad prefix length %u [32/40/48/56/64/96]",
-				    prefixlen);
-			result = ISC_R_FAILURE;
-			continue;
-		}
-
-		for (i = 0; acls[i] != NULL; i++) {
-			obj = NULL;
-			(void)cfg_map_get(map, acls[i], &obj);
-			if (obj != NULL) {
-				dns_acl_t *acl = NULL;
-				isc_result_t tresult;
-
-				tresult = cfg_acl_fromconfig(obj, config,
-							     logctx, actx,
-							     mctx, 0, &acl);
-				if (acl != NULL)
-					dns_acl_detach(&acl);
-				if (tresult != ISC_R_SUCCESS)
-					result = tresult;
-			}
-		}
-
-		obj = NULL;
-		(void)cfg_map_get(map, "suffix", &obj);
-		if (obj != NULL) {
-			isc_netaddr_fromsockaddr(&sa, cfg_obj_assockaddr(obj));
-			if (sa.family != AF_INET6) {
-				cfg_obj_log(map, logctx, ISC_LOG_ERROR,
-					    "dns64 requires a IPv6 suffix");
-				result = ISC_R_FAILURE;
-				continue;
-			}
-			nbytes = prefixlen / 8 + 4;
-			if (prefixlen >= 32 && prefixlen <= 64)
-				nbytes++;
-			if (memcmp(sa.type.in6.s6_addr, zeros, nbytes) != 0) {
-				char netaddrbuf[ISC_NETADDR_FORMATSIZE];
-				isc_netaddr_format(&sa, netaddrbuf,
-						   sizeof(netaddrbuf));
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "bad suffix '%s' leading "
-					    "%u octets not zeros",
-					    netaddrbuf, nbytes);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-
-	return (result);
-}
-
-
-/*
- * Check allow-recursion and allow-recursion-on acls, and also log a
- * warning if they're inconsistent with the "recursion" option.
- */
-static isc_result_t
-check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
-		    const char *viewname, const cfg_obj_t *config,
-		    isc_log_t *logctx, isc_mem_t *mctx)
-{
-	const cfg_obj_t *options, *aclobj, *obj = NULL;
-	dns_acl_t *acl = NULL;
-	isc_result_t result = ISC_R_SUCCESS, tresult;
-	isc_boolean_t recursion;
-	const char *forview = " for view ";
-	int i = 0;
-
-	static const char *acls[] = { "allow-recursion", "allow-recursion-on",
-				      NULL };
-
-	if (voptions != NULL)
-		cfg_map_get(voptions, "recursion", &obj);
-	if (obj == NULL && config != NULL) {
-		options = NULL;
-		cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			cfg_map_get(options, "recursion", &obj);
-	}
-	if (obj == NULL)
-		recursion = ISC_TRUE;
-	else
-		recursion = cfg_obj_asboolean(obj);
-
-	if (viewname == NULL) {
-		viewname = "";
-		forview = "";
-	}
-
-	for (i = 0; acls[i] != NULL; i++) {
-		aclobj = options = NULL;
-		acl = NULL;
-
-		if (voptions != NULL)
-			cfg_map_get(voptions, acls[i], &aclobj);
-		if (config != NULL && aclobj == NULL) {
-			options = NULL;
-			cfg_map_get(config, "options", &options);
-			if (options != NULL)
-				cfg_map_get(options, acls[i], &aclobj);
-		}
-		if (aclobj == NULL)
-			continue;
-
-		tresult = cfg_acl_fromconfig(aclobj, config, logctx,
-					    actx, mctx, 0, &acl);
-
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-
-		if (acl == NULL)
-			continue;
-
-		if (recursion == ISC_FALSE && !dns_acl_isnone(acl)) {
-			cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
-				    "both \"recursion no;\" and "
-				    "\"%s\" active%s%s",
-				    acls[i], forview, viewname);
-		}
-
-		if (acl != NULL)
-			dns_acl_detach(&acl);
-	}
-
-	return (result);
-}
-
-static isc_result_t
-check_filteraaaa(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
-		 const char *viewname, const cfg_obj_t *config,
-		 isc_log_t *logctx, isc_mem_t *mctx)
-{
-	const cfg_obj_t *options, *aclobj, *obj = NULL;
-	dns_acl_t *acl = NULL;
-	isc_result_t result = ISC_R_SUCCESS, tresult;
-	dns_v4_aaaa_t filter;
-	const char *forview = " for view ";
-
-	if (voptions != NULL)
-		cfg_map_get(voptions, "filter-aaaa-on-v4", &obj);
-	if (obj == NULL && config != NULL) {
-		options = NULL;
-		cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			cfg_map_get(options, "filter-aaaa-on-v4", &obj);
-	}
-
-	if (obj == NULL)
-		filter = dns_v4_aaaa_ok;		/* default */
-	else if (cfg_obj_isboolean(obj))
-		filter = cfg_obj_asboolean(obj) ? dns_v4_aaaa_filter :
-						  dns_v4_aaaa_ok;
-	else
-		filter = dns_v4_aaaa_break_dnssec; 	/* break-dnssec */
-
-	if (viewname == NULL) {
-		viewname = "";
-		forview = "";
-	}
-
-	aclobj = options = NULL;
-	acl = NULL;
-
-	if (voptions != NULL)
-		cfg_map_get(voptions, "filter-aaaa", &aclobj);
-	if (config != NULL && aclobj == NULL) {
-		options = NULL;
-		cfg_map_get(config, "options", &options);
-		if (options != NULL)
-			cfg_map_get(options, "filter-aaaa", &aclobj);
-	}
-	if (aclobj == NULL)
-		return (result);
-
-	tresult = cfg_acl_fromconfig(aclobj, config, logctx,
-				    actx, mctx, 0, &acl);
-
-	if (tresult != ISC_R_SUCCESS) {
-		result = tresult;
-	} else if (filter != dns_v4_aaaa_ok && dns_acl_isnone(acl)) {
-		cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
-			    "both \"filter-aaaa-on-v4 %s;\" and "
-			    "\"filter-aaaa\" is 'none;'%s%s",
-			    filter == dns_v4_aaaa_break_dnssec ?
-			    "break-dnssec" : "yes", forview, viewname);
-		result = ISC_R_FAILURE;
-	} else if (filter == dns_v4_aaaa_ok && !dns_acl_isnone(acl)) {
-		cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
-			    "both \"filter-aaaa-on-v4 no;\" and "
-			    "\"filter-aaaa\" is set%s%s", forview, viewname);
-		result = ISC_R_FAILURE;
-	}
-
-	if (acl != NULL)
-		dns_acl_detach(&acl);
-
-	return (result);
-}
-
-typedef struct {
-	const char *name;
-	unsigned int scale;
-	unsigned int max;
-} intervaltable;
-
-typedef enum {
-	optlevel_config,
-	optlevel_options,
-	optlevel_view,
-	optlevel_zone
-} optlevel_t;
-
-static isc_result_t
-check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
-	      optlevel_t optlevel)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	unsigned int i;
-	const cfg_obj_t *obj = NULL;
-	const cfg_obj_t *resignobj = NULL;
-	const cfg_listelt_t *element;
-	isc_symtab_t *symtab = NULL;
-	dns_fixedname_t fixed;
-	const char *str;
-	dns_name_t *name;
-	isc_buffer_t b;
-
-	static intervaltable intervals[] = {
-	{ "cleaning-interval", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "heartbeat-interval", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "interface-interval", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "max-transfer-idle-in", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "max-transfer-idle-out", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "max-transfer-time-in", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "max-transfer-time-out", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "statistics-interval", 60, 28 * 24 * 60 },	/* 28 days */
-	};
-
-	static const char *server_contact[] = {
-		"empty-server", "empty-contact",
-		"dns64-server", "dns64-contact",
-		NULL
-	};
-
-	/*
-	 * Check that fields specified in units of time other than seconds
-	 * have reasonable values.
-	 */
-	for (i = 0; i < sizeof(intervals) / sizeof(intervals[0]); i++) {
-		isc_uint32_t val;
-		obj = NULL;
-		(void)cfg_map_get(options, intervals[i].name, &obj);
-		if (obj == NULL)
-			continue;
-		val = cfg_obj_asuint32(obj);
-		if (val > intervals[i].max) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "%s '%u' is out of range (0..%u)",
-				    intervals[i].name, val,
-				    intervals[i].max);
-			result = ISC_R_RANGE;
-		} else if (val > (ISC_UINT32_MAX / intervals[i].scale)) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "%s '%d' is out of range",
-				    intervals[i].name, val);
-			result = ISC_R_RANGE;
-		}
-	}
-
-	obj = NULL;
-	cfg_map_get(options, "max-rsa-exponent-size", &obj);
-	if (obj != NULL) {
-		isc_uint32_t val;
-
-		val = cfg_obj_asuint32(obj);
-		if (val != 0 && (val < 35 || val > 4096)) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "max-rsa-exponent-size '%u' is out of "
-				    "range (35..4096)", val);
-			result = ISC_R_RANGE;
-		}
-	}
-
-	obj = NULL;
-	cfg_map_get(options, "sig-validity-interval", &obj);
-	if (obj != NULL) {
-		isc_uint32_t validity, resign = 0;
-
-		validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
-		resignobj = cfg_tuple_get(obj, "re-sign");
-		if (!cfg_obj_isvoid(resignobj))
-			resign = cfg_obj_asuint32(resignobj);
-
-		if (validity > 3660 || validity == 0) { /* 10 years */
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "%s '%u' is out of range (1..3660)",
-				    "sig-validity-interval", validity);
-			result = ISC_R_RANGE;
-		}
-
-		if (!cfg_obj_isvoid(resignobj)) {
-			if (resign > 3660 || resign == 0) { /* 10 years */
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "%s '%u' is out of range (1..3660)",
-					    "sig-validity-interval (re-sign)",
-					    validity);
-				result = ISC_R_RANGE;
-			} else if ((validity > 7 && validity < resign) ||
-				   (validity <= 7 && validity * 24 < resign)) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "validity interval (%u days) "
-					    "less than re-signing interval "
-					    "(%u %s)", validity, resign,
-					    (validity > 7) ? "days" : "hours");
-				result = ISC_R_RANGE;
-			}
-		}
-	}
-
-	obj = NULL;
-	(void)cfg_map_get(options, "preferred-glue", &obj);
-	if (obj != NULL) {
-		const char *str;
-		str = cfg_obj_asstring(obj);
-		if (strcasecmp(str, "a") != 0 &&
-		    strcasecmp(str, "aaaa") != 0 &&
-		    strcasecmp(str, "none") != 0)
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "preferred-glue unexpected value '%s'",
-				    str);
-	}
-
-	obj = NULL;
-	(void)cfg_map_get(options, "root-delegation-only", &obj);
-	if (obj != NULL) {
-		if (!cfg_obj_isvoid(obj)) {
-			const cfg_listelt_t *element;
-			const cfg_obj_t *exclude;
-			const char *str;
-			dns_fixedname_t fixed;
-			dns_name_t *name;
-			isc_buffer_t b;
-
-			dns_fixedname_init(&fixed);
-			name = dns_fixedname_name(&fixed);
-			for (element = cfg_list_first(obj);
-			     element != NULL;
-			     element = cfg_list_next(element)) {
-				exclude = cfg_listelt_value(element);
-				str = cfg_obj_asstring(exclude);
-				isc_buffer_constinit(&b, str, strlen(str));
-				isc_buffer_add(&b, strlen(str));
-				tresult = dns_name_fromtext(name, &b,
-							   dns_rootname,
-							   0, NULL);
-				if (tresult != ISC_R_SUCCESS) {
-					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-						    "bad domain name '%s'",
-						    str);
-					result = tresult;
-				}
-			}
-		}
-	}
-
-	/*
-	 * Set supported DNSSEC algorithms.
-	 */
-	obj = NULL;
-	(void)cfg_map_get(options, "disable-algorithms", &obj);
-	if (obj != NULL) {
-		for (element = cfg_list_first(obj);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			obj = cfg_listelt_value(element);
-			tresult = disabled_algorithms(obj, logctx);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-		}
-	}
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-
-	/*
-	 * Check the DLV zone name.
-	 */
-	obj = NULL;
-	(void)cfg_map_get(options, "dnssec-lookaside", &obj);
-	if (obj != NULL) {
-		tresult = isc_symtab_create(mctx, 100, freekey, mctx,
-					    ISC_FALSE, &symtab);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-		for (element = cfg_list_first(obj);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			const char *dlv;
-			const cfg_obj_t *dlvobj, *anchor;
-
-			obj = cfg_listelt_value(element);
-
-			anchor = cfg_tuple_get(obj, "trust-anchor");
-			dlvobj = cfg_tuple_get(obj, "domain");
-			dlv = cfg_obj_asstring(dlvobj);
-
-			/*
-			 * If domain is "auto" or "no" and trust anchor
-			 * is missing, skip remaining tests
-			 */
-			if (cfg_obj_isvoid(anchor)) {
-				if (!strcasecmp(dlv, "no") ||
-				    !strcasecmp(dlv, "auto"))
-					continue;
-			}
-
-			isc_buffer_constinit(&b, dlv, strlen(dlv));
-			isc_buffer_add(&b, strlen(dlv));
-			tresult = dns_name_fromtext(name, &b, dns_rootname,
-						    0, NULL);
-			if (tresult != ISC_R_SUCCESS) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "bad domain name '%s'", dlv);
-				result = tresult;
-				continue;
-			}
-			if (symtab != NULL) {
-				tresult = nameexist(obj, dlv, 1, symtab,
-						    "dnssec-lookaside '%s': "
-						    "already exists previous "
-						    "definition: %s:%u",
-						    logctx, mctx);
-				if (tresult != ISC_R_SUCCESS &&
-				    result == ISC_R_SUCCESS)
-					result = tresult;
-			}
-			/*
-			 * XXXMPA to be removed when multiple lookaside
-			 * namespaces are supported.
-			 */
-			if (!dns_name_equal(dns_rootname, name)) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "dnssec-lookaside '%s': "
-					    "non-root not yet supported", dlv);
-				if (result == ISC_R_SUCCESS)
-					result = ISC_R_FAILURE;
-			}
-
-			if (!cfg_obj_isvoid(anchor)) {
-				dlv = cfg_obj_asstring(anchor);
-				isc_buffer_constinit(&b, dlv, strlen(dlv));
-				isc_buffer_add(&b, strlen(dlv));
-				tresult = dns_name_fromtext(name, &b,
-							    dns_rootname,
-							    DNS_NAME_DOWNCASE,
-							    NULL);
-				if (tresult != ISC_R_SUCCESS) {
-					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-						    "bad domain name '%s'",
-						    dlv);
-					if (result == ISC_R_SUCCESS)
-						result = tresult;
-				}
-			} else {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					"dnssec-lookaside requires "
-					"either 'auto' or 'no', or a "
-					"domain and trust anchor");
-				if (result == ISC_R_SUCCESS)
-					result = ISC_R_FAILURE;
-			}
-		}
-
-		if (symtab != NULL)
-			isc_symtab_destroy(&symtab);
-	}
-
-	/*
-	 * Check auto-dnssec at the view/options level
-	 */
-	obj = NULL;
-	(void)cfg_map_get(options, "auto-dnssec", &obj);
-	if (obj != NULL) {
-		const char *arg = cfg_obj_asstring(obj);
-		if (optlevel != optlevel_zone && strcasecmp(arg, "off") != 0) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "auto-dnssec may only be activated at the "
-				    "zone level");
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	/*
-	 * Check dnssec-must-be-secure.
-	 */
-	obj = NULL;
-	(void)cfg_map_get(options, "dnssec-must-be-secure", &obj);
-	if (obj != NULL) {
-		isc_symtab_t *symtab = NULL;
-		tresult = isc_symtab_create(mctx, 100, freekey, mctx,
-					    ISC_FALSE, &symtab);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-		for (element = cfg_list_first(obj);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			obj = cfg_listelt_value(element);
-			tresult = mustbesecure(obj, symtab, logctx, mctx);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-		}
-		if (symtab != NULL)
-			isc_symtab_destroy(&symtab);
-	}
-
-	/*
-	 * Check server/contacts for syntactic validity.
-	 */
-	for (i= 0; server_contact[i] != NULL; i++) {
-		obj = NULL;
-		(void)cfg_map_get(options, server_contact[i], &obj);
-		if (obj != NULL) {
-			str = cfg_obj_asstring(obj);
-			isc_buffer_constinit(&b, str, strlen(str));
-			isc_buffer_add(&b, strlen(str));
-			tresult = dns_name_fromtext(dns_fixedname_name(&fixed),
-						    &b, dns_rootname, 0, NULL);
-			if (tresult != ISC_R_SUCCESS) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "%s: invalid name '%s'",
-					    server_contact[i], str);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-
-	/*
-	 * Check empty zone configuration.
-	 */
-	obj = NULL;
-	(void)cfg_map_get(options, "disable-empty-zone", &obj);
-	for (element = cfg_list_first(obj);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		obj = cfg_listelt_value(element);
-		str = cfg_obj_asstring(obj);
-		isc_buffer_constinit(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, 0, NULL);
-		if (tresult != ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "disable-empty-zone: invalid name '%s'",
-				    str);
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	/*
-	 * Check that server-id is not too long.
-	 * 1024 bytes should be big enough.
-	 */
-	obj = NULL;
-	(void)cfg_map_get(options, "server-id", &obj);
-	if (obj != NULL && cfg_obj_isstring(obj) &&
-	    strlen(cfg_obj_asstring(obj)) > 1024U) {
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "'server-id' too big (>1024 bytes)");
-		result = ISC_R_FAILURE;
-	}
-
-	return (result);
-}
-
-static isc_result_t
-get_masters_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
-	isc_result_t result;
-	const cfg_obj_t *masters = NULL;
-	const cfg_listelt_t *elt;
-
-	result = cfg_map_get(cctx, "masters", &masters);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	for (elt = cfg_list_first(masters);
-	     elt != NULL;
-	     elt = cfg_list_next(elt)) {
-		const cfg_obj_t *list;
-		const char *listname;
-
-		list = cfg_listelt_value(elt);
-		listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
-
-		if (strcasecmp(listname, name) == 0) {
-			*ret = list;
-			return (ISC_R_SUCCESS);
-		}
-	}
-	return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
-		 isc_uint32_t *countp, isc_log_t *logctx, isc_mem_t *mctx)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	isc_uint32_t count = 0;
-	isc_symtab_t *symtab = NULL;
-	isc_symvalue_t symvalue;
-	const cfg_listelt_t *element;
-	const cfg_listelt_t **stack = NULL;
-	isc_uint32_t stackcount = 0, pushed = 0;
-	const cfg_obj_t *list;
-
-	REQUIRE(countp != NULL);
-	result = isc_symtab_create(mctx, 100, NULL, NULL, ISC_FALSE, &symtab);
-	if (result != ISC_R_SUCCESS) {
-		*countp = count;
-		return (result);
-	}
-
- newlist:
-	list = cfg_tuple_get(obj, "addresses");
-	element = cfg_list_first(list);
- resume:
-	for ( ;
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const char *listname;
-		const cfg_obj_t *addr;
-		const cfg_obj_t *key;
-
-		addr = cfg_tuple_get(cfg_listelt_value(element),
-				     "masterselement");
-		key = cfg_tuple_get(cfg_listelt_value(element), "key");
-
-		if (cfg_obj_issockaddr(addr)) {
-			count++;
-			continue;
-		}
-		if (!cfg_obj_isvoid(key)) {
-			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-				    "unexpected token '%s'",
-				    cfg_obj_asstring(key));
-			if (result == ISC_R_SUCCESS)
-				result = ISC_R_FAILURE;
-		}
-		listname = cfg_obj_asstring(addr);
-		symvalue.as_cpointer = addr;
-		tresult = isc_symtab_define(symtab, listname, 1, symvalue,
-					    isc_symexists_reject);
-		if (tresult == ISC_R_EXISTS)
-			continue;
-		tresult = get_masters_def(config, listname, &obj);
-		if (tresult != ISC_R_SUCCESS) {
-			if (result == ISC_R_SUCCESS)
-				result = tresult;
-			cfg_obj_log(addr, logctx, ISC_LOG_ERROR,
-				    "unable to find masters list '%s'",
-				    listname);
-			continue;
-		}
-		/* Grow stack? */
-		if (stackcount == pushed) {
-			void * new;
-			isc_uint32_t newlen = stackcount + 16;
-			size_t newsize, oldsize;
-
-			newsize = newlen * sizeof(*stack);
-			oldsize = stackcount * sizeof(*stack);
-			new = isc_mem_get(mctx, newsize);
-			if (new == NULL)
-				goto cleanup;
-			if (stackcount != 0) {
-				void *ptr;
-
-				DE_CONST(stack, ptr);
-				memcpy(new, stack, oldsize);
-				isc_mem_put(mctx, ptr, oldsize);
-			}
-			stack = new;
-			stackcount = newlen;
-		}
-		stack[pushed++] = cfg_list_next(element);
-		goto newlist;
-	}
-	if (pushed != 0) {
-		element = stack[--pushed];
-		goto resume;
-	}
- cleanup:
-	if (stack != NULL) {
-		void *ptr;
-
-		DE_CONST(stack, ptr);
-		isc_mem_put(mctx, ptr, stackcount * sizeof(*stack));
-	}
-	isc_symtab_destroy(&symtab);
-	*countp = count;
-	return (result);
-}
-
-static isc_result_t
-check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	const cfg_listelt_t *element;
-	const cfg_listelt_t *element2;
-	dns_fixedname_t fixed;
-	const char *str;
-	isc_buffer_t b;
-
-	/* Check for "update-policy local;" */
-	if (cfg_obj_isstring(policy) &&
-	    strcmp("local", cfg_obj_asstring(policy)) == 0)
-		return (ISC_R_SUCCESS);
-
-	/* Now check the grant policy */
-	for (element = cfg_list_first(policy);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *stmt = cfg_listelt_value(element);
-		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
-		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
-		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
-		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
-
-		dns_fixedname_init(&fixed);
-		str = cfg_obj_asstring(identity);
-		isc_buffer_constinit(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, 0, NULL);
-		if (tresult != ISC_R_SUCCESS) {
-			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
-				    "'%s' is not a valid name", str);
-			result = tresult;
-		}
-
-		if (tresult == ISC_R_SUCCESS &&
-		    strcasecmp(cfg_obj_asstring(matchtype), "zonesub") != 0) {
-			dns_fixedname_init(&fixed);
-			str = cfg_obj_asstring(dname);
-			isc_buffer_constinit(&b, str, strlen(str));
-			isc_buffer_add(&b, strlen(str));
-			tresult = dns_name_fromtext(dns_fixedname_name(&fixed),
-						    &b, dns_rootname, 0, NULL);
-			if (tresult != ISC_R_SUCCESS) {
-				cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
-					    "'%s' is not a valid name", str);
-				result = tresult;
-			}
-		}
-
-		if (tresult == ISC_R_SUCCESS &&
-		    strcasecmp(cfg_obj_asstring(matchtype), "wildcard") == 0 &&
-		    !dns_name_iswildcard(dns_fixedname_name(&fixed))) {
-			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
-				    "'%s' is not a wildcard", str);
-			result = ISC_R_FAILURE;
-		}
-
-		for (element2 = cfg_list_first(typelist);
-		     element2 != NULL;
-		     element2 = cfg_list_next(element2))
-		{
-			const cfg_obj_t *typeobj;
-			isc_textregion_t r;
-			dns_rdatatype_t type;
-
-			typeobj = cfg_listelt_value(element2);
-			DE_CONST(cfg_obj_asstring(typeobj), r.base);
-			r.length = strlen(r.base);
-
-			tresult = dns_rdatatype_fromtext(&type, &r);
-			if (tresult != ISC_R_SUCCESS) {
-				cfg_obj_log(typeobj, logctx, ISC_LOG_ERROR,
-					    "'%s' is not a valid type", r.base);
-				result = tresult;
-			}
-		}
-	}
-	return (result);
-}
-
-#define MASTERZONE	1
-#define SLAVEZONE	2
-#define STUBZONE	4
-#define HINTZONE	8
-#define FORWARDZONE	16
-#define DELEGATIONZONE	32
-#define STATICSTUBZONE	64
-#define REDIRECTZONE	128
-#define STREDIRECTZONE	0	/* Set to REDIRECTZONE to allow xfr-in. */
-#define CHECKACL	512
-
-typedef struct {
-	const char *name;
-	int allowed;
-} optionstable;
-
-static isc_result_t
-check_nonzero(const cfg_obj_t *options, isc_log_t *logctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	const cfg_obj_t *obj = NULL;
-	unsigned int i;
-
-	static const char *nonzero[] = { "max-retry-time", "min-retry-time",
-				 "max-refresh-time", "min-refresh-time" };
-	/*
-	 * Check if value is zero.
-	 */
-	for (i = 0; i < sizeof(nonzero) / sizeof(nonzero[0]); i++) {
-		obj = NULL;
-		if (cfg_map_get(options, nonzero[i], &obj) == ISC_R_SUCCESS &&
-		    cfg_obj_asuint32(obj) == 0) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "'%s' must not be zero", nonzero[i]);
-			result = ISC_R_FAILURE;
-		}
-	}
-	return (result);
-}
-
-static isc_result_t
-check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
-	       const cfg_obj_t *config, isc_symtab_t *symtab,
-	       dns_rdataclass_t defclass, cfg_aclconfctx_t *actx,
-	       isc_log_t *logctx, isc_mem_t *mctx)
-{
-	const char *znamestr;
-	const char *typestr;
-	unsigned int ztype;
-	const cfg_obj_t *zoptions, *goptions = NULL;
-	const cfg_obj_t *obj = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	unsigned int i;
-	dns_rdataclass_t zclass;
-	dns_fixedname_t fixedname;
-	dns_name_t *zname = NULL;
-	isc_buffer_t b;
-	isc_boolean_t root = ISC_FALSE;
-	const cfg_listelt_t *element;
-
-	static optionstable options[] = {
-	{ "allow-query", MASTERZONE | SLAVEZONE | STUBZONE | REDIRECTZONE |
-	   CHECKACL | STATICSTUBZONE },
-	{ "allow-notify", SLAVEZONE | CHECKACL },
-	{ "allow-transfer", MASTERZONE | SLAVEZONE | CHECKACL },
-	{ "notify", MASTERZONE | SLAVEZONE },
-	{ "also-notify", MASTERZONE | SLAVEZONE },
-	{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE },
-	{ "forward", MASTERZONE | SLAVEZONE | STUBZONE |
-	  STATICSTUBZONE | FORWARDZONE },
-	{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE |
-	  STATICSTUBZONE | FORWARDZONE },
-	{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
-	{ "max-ixfr-log-size", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
-	{ "notify-source", MASTERZONE | SLAVEZONE },
-	{ "notify-source-v6", MASTERZONE | SLAVEZONE },
-	{ "transfer-source", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "transfer-source-v6", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "max-transfer-time-in", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "max-transfer-time-out", MASTERZONE | SLAVEZONE },
-	{ "max-transfer-idle-in", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "max-transfer-idle-out", MASTERZONE | SLAVEZONE },
-	{ "max-retry-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "min-retry-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "max-refresh-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "min-refresh-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "dnssec-secure-to-insecure", MASTERZONE },
-	{ "sig-re-signing-interval", MASTERZONE | SLAVEZONE },
-	{ "sig-signing-nodes", MASTERZONE | SLAVEZONE },
-	{ "sig-signing-signatures", MASTERZONE | SLAVEZONE },
-	{ "sig-signing-type", MASTERZONE | SLAVEZONE },
-	{ "sig-validity-interval", MASTERZONE | SLAVEZONE },
-	{ "signing", MASTERZONE | SLAVEZONE },
-	{ "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE |
-	  STATICSTUBZONE | REDIRECTZONE },
-	{ "allow-update", MASTERZONE | CHECKACL },
-	{ "allow-update-forwarding", SLAVEZONE | CHECKACL },
-	{ "file", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE | REDIRECTZONE },
-	{ "journal", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
-	{ "ixfr-base", MASTERZONE | SLAVEZONE },
-	{ "ixfr-tmp-file", MASTERZONE | SLAVEZONE },
-	{ "masters", SLAVEZONE | STUBZONE | REDIRECTZONE },
-	{ "pubkey", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "update-policy", MASTERZONE },
-	{ "database", MASTERZONE | SLAVEZONE | STUBZONE | REDIRECTZONE },
-	{ "key-directory", MASTERZONE | SLAVEZONE },
-	{ "check-wildcard", MASTERZONE },
-	{ "check-mx", MASTERZONE },
-	{ "check-dup-records", MASTERZONE },
-	{ "integrity-check", MASTERZONE },
-	{ "check-mx-cname", MASTERZONE },
-	{ "check-srv-cname", MASTERZONE },
-	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE |
-	  REDIRECTZONE },
-	{ "update-check-ksk", MASTERZONE | SLAVEZONE },
-	{ "dnssec-dnskey-kskonly", MASTERZONE | SLAVEZONE },
-	{ "dnssec-loadkeys-interval", MASTERZONE | SLAVEZONE },
-	{ "auto-dnssec", MASTERZONE | SLAVEZONE },
-	{ "try-tcp-refresh", SLAVEZONE | STREDIRECTZONE },
-	{ "server-addresses", STATICSTUBZONE },
-	{ "server-names", STATICSTUBZONE },
-	};
-
-	static optionstable dialups[] = {
-	{ "notify", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
-	{ "notify-passive", SLAVEZONE | STREDIRECTZONE },
-	{ "refresh", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	{ "passive", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-	};
-
-	znamestr = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-
-	zoptions = cfg_tuple_get(zconfig, "options");
-
-	if (config != NULL)
-		cfg_map_get(config, "options", &goptions);
-
-	obj = NULL;
-	(void)cfg_map_get(zoptions, "type", &obj);
-	if (obj == NULL) {
-		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-			    "zone '%s': type not present", znamestr);
-		return (ISC_R_FAILURE);
-	}
-
-	typestr = cfg_obj_asstring(obj);
-	if (strcasecmp(typestr, "master") == 0)
-		ztype = MASTERZONE;
-	else if (strcasecmp(typestr, "slave") == 0)
-		ztype = SLAVEZONE;
-	else if (strcasecmp(typestr, "stub") == 0)
-		ztype = STUBZONE;
-	else if (strcasecmp(typestr, "static-stub") == 0)
-		ztype = STATICSTUBZONE;
-	else if (strcasecmp(typestr, "forward") == 0)
-		ztype = FORWARDZONE;
-	else if (strcasecmp(typestr, "hint") == 0)
-		ztype = HINTZONE;
-	else if (strcasecmp(typestr, "delegation-only") == 0)
-		ztype = DELEGATIONZONE;
-	else if (strcasecmp(typestr, "redirect") == 0)
-		ztype = REDIRECTZONE;
-	else {
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "zone '%s': invalid type %s",
-			    znamestr, typestr);
-		return (ISC_R_FAILURE);
-	}
-
-	if (ztype == REDIRECTZONE && strcmp(znamestr, ".") != 0) {
-		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-			    "redirect zones must be called \".\"");
-		return (ISC_R_FAILURE);
-	}
-	obj = cfg_tuple_get(zconfig, "class");
-	if (cfg_obj_isstring(obj)) {
-		isc_textregion_t r;
-
-		DE_CONST(cfg_obj_asstring(obj), r.base);
-		r.length = strlen(r.base);
-		result = dns_rdataclass_fromtext(&zclass, &r);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "zone '%s': invalid class %s",
-				    znamestr, r.base);
-			return (ISC_R_FAILURE);
-		}
-		if (zclass != defclass) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "zone '%s': class '%s' does not "
-				    "match view/default class",
-				    znamestr, r.base);
-			return (ISC_R_FAILURE);
-		}
-	}
-
-	/*
-	 * Look for an already existing zone.
-	 * We need to make this canonical as isc_symtab_define()
-	 * deals with strings.
-	 */
-	dns_fixedname_init(&fixedname);
-	isc_buffer_constinit(&b, znamestr, strlen(znamestr));
-	isc_buffer_add(&b, strlen(znamestr));
-	tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
-				    dns_rootname, DNS_NAME_DOWNCASE, NULL);
-	if (tresult != ISC_R_SUCCESS) {
-		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-			    "zone '%s': is not a valid name", znamestr);
-		result = ISC_R_FAILURE;
-	} else {
-		char namebuf[DNS_NAME_FORMATSIZE];
-
-		zname = dns_fixedname_name(&fixedname);
-		dns_name_format(zname, namebuf, sizeof(namebuf));
-		tresult = nameexist(zconfig, namebuf, ztype == HINTZONE ? 1 :
-				    ztype == REDIRECTZONE ? 2 : 3,
-				    symtab, "zone '%s': already exists "
-				    "previous definition: %s:%u", logctx, mctx);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-		if (dns_name_equal(zname, dns_rootname))
-			root = ISC_TRUE;
-	}
-
-	/*
-	 * Check if value is zero.
-	 */
-	if (check_nonzero(zoptions, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	/*
-	 * Look for inappropriate options for the given zone type.
-	 * Check that ACLs expand correctly.
-	 */
-	for (i = 0; i < sizeof(options) / sizeof(options[0]); i++) {
-		obj = NULL;
-		if ((options[i].allowed & ztype) == 0 &&
-		    cfg_map_get(zoptions, options[i].name, &obj) ==
-		    ISC_R_SUCCESS)
-		{
-			if (strcmp(options[i].name, "allow-update") != 0 ||
-			    ztype != SLAVEZONE) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "option '%s' is not allowed "
-					    "in '%s' zone '%s'",
-					    options[i].name, typestr,
-					    znamestr);
-					result = ISC_R_FAILURE;
-			} else
-				cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
-					    "option '%s' is not allowed "
-					    "in '%s' zone '%s'",
-					    options[i].name, typestr,
-					    znamestr);
-		}
-		obj = NULL;
-		if ((options[i].allowed & ztype) != 0 &&
-		    (options[i].allowed & CHECKACL) != 0) {
-
-			tresult = checkacl(options[i].name, actx, zconfig,
-					   voptions, config, logctx, mctx);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-		}
-
-	}
-
-	/*
-	 * Master & slave zones must have a "also-notify" field.
-	 */
-	if (ztype == MASTERZONE || ztype == SLAVEZONE ) {
-		obj = NULL;
-		tresult = cfg_map_get(zoptions, "also-notify", &obj);
-		if (tresult == ISC_R_SUCCESS) {
-			isc_uint32_t count;
-			tresult = validate_masters(obj, config, &count,
-						   logctx, mctx);
-			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
-				result = tresult;
-		}
-	}
-
-	/*
-	 * Slave & stub zones must have a "masters" field.
-	 */
-	if (ztype == SLAVEZONE || ztype == STUBZONE) {
-		obj = NULL;
-		if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) {
-			cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
-				    "zone '%s': missing 'masters' entry",
-				    znamestr);
-			result = ISC_R_FAILURE;
-		} else {
-			isc_uint32_t count;
-			tresult = validate_masters(obj, config, &count,
-						   logctx, mctx);
-			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
-				result = tresult;
-			if (tresult == ISC_R_SUCCESS && count == 0) {
-				cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
-					    "zone '%s': empty 'masters' entry",
-					    znamestr);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-
-	/*
-	 * Master zones can't have both "allow-update" and "update-policy".
-	 */
-	if (ztype == MASTERZONE || ztype == SLAVEZONE) {
-		isc_result_t res1, res2, res3;
-		const char *arg;
-		isc_boolean_t ddns = ISC_FALSE, signing = ISC_FALSE;
-
-		obj = NULL;
-		res1 = cfg_map_get(zoptions, "allow-update", &obj);
-		obj = NULL;
-		res2 = cfg_map_get(zoptions, "update-policy", &obj);
-		if (res1 == ISC_R_SUCCESS && res2 == ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "zone '%s': 'allow-update' is ignored "
-				    "when 'update-policy' is present",
-				    znamestr);
-			result = ISC_R_FAILURE;
-		} else if (res2 == ISC_R_SUCCESS &&
-			   check_update_policy(obj, logctx) != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-		ddns = ISC_TF(res1 == ISC_R_SUCCESS || res2 == ISC_R_SUCCESS);
-
-		obj = NULL;
-		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
-		if (res1 == ISC_R_SUCCESS)
-			signing = cfg_obj_asboolean(obj);
-
-		obj = NULL;
-		arg = "off";
-		res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
-		if (res3 == ISC_R_SUCCESS)
-			arg = cfg_obj_asstring(obj);
-		if (strcasecmp(arg, "off") != 0 && !ddns && !signing) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "'auto-dnssec %s;' requires%s "
-				    "inline-signing to be configured for "
-				    "the zone", arg,
-				    (ztype == MASTERZONE) ?
-					 " dynamic DNS or" : "");
-			result = ISC_R_FAILURE;
-		}
-		if (strcasecmp(arg, "create") == 0) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "'auto-dnssec create;' is not "
-				    "yet implemented");
-			result = ISC_R_FAILURE;
-		}
-
-		obj = NULL;
-		res1 = cfg_map_get(zoptions, "sig-signing-type", &obj);
-		if (res1 == ISC_R_SUCCESS) {
-			isc_uint32_t type = cfg_obj_asuint32(obj);
-			if (type < 0xff00U || type > 0xffffU)
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "sig-signing-type: %u out of "
-					    "range [%u..%u]", type,
-					    0xff00U, 0xffffU);
-			result = ISC_R_FAILURE;
-		}
-
-		obj = NULL;
-		res1 = cfg_map_get(zoptions, "dnssec-dnskey-kskonly", &obj);
-		if (res1 == ISC_R_SUCCESS && ztype == SLAVEZONE && !signing) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "dnssec-dnskey-kskonly: requires "
-				    "inline-signing when used in slave zone");
-			result = ISC_R_FAILURE;
-		}
-
-		obj = NULL;
-		res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
-		if (res1 == ISC_R_SUCCESS && ztype == SLAVEZONE && !signing) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "dnssec-loadkeys-interval: requires "
-				    "inline-signing when used in slave zone");
-			result = ISC_R_FAILURE;
-		}
-
-		obj = NULL;
-		res1 = cfg_map_get(zoptions, "update-check-ksk", &obj);
-		if (res1 == ISC_R_SUCCESS && ztype == SLAVEZONE && !signing) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "update-check-ksk: requires "
-				    "inline-signing when used in slave zone");
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	/*
-	 * Check the excessively complicated "dialup" option.
-	 */
-	if (ztype == MASTERZONE || ztype == SLAVEZONE || ztype == STUBZONE) {
-		const cfg_obj_t *dialup = NULL;
-		(void)cfg_map_get(zoptions, "dialup", &dialup);
-		if (dialup != NULL && cfg_obj_isstring(dialup)) {
-			const char *str = cfg_obj_asstring(dialup);
-			for (i = 0;
-			     i < sizeof(dialups) / sizeof(dialups[0]);
-			     i++)
-			{
-				if (strcasecmp(dialups[i].name, str) != 0)
-					continue;
-				if ((dialups[i].allowed & ztype) == 0) {
-					cfg_obj_log(obj, logctx,
-						    ISC_LOG_ERROR,
-						    "dialup type '%s' is not "
-						    "allowed in '%s' "
-						    "zone '%s'",
-						    str, typestr, znamestr);
-					result = ISC_R_FAILURE;
-				}
-				break;
-			}
-			if (i == sizeof(dialups) / sizeof(dialups[0])) {
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "invalid dialup type '%s' in zone "
-					    "'%s'", str, znamestr);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-
-	/*
-	 * Check that forwarding is reasonable.
-	 */
-	obj = NULL;
-	if (root) {
-		if (voptions != NULL)
-			(void)cfg_map_get(voptions, "forwarders", &obj);
-		if (obj == NULL) {
-			const cfg_obj_t *options = NULL;
-			(void)cfg_map_get(config, "options", &options);
-			if (options != NULL)
-				(void)cfg_map_get(options, "forwarders", &obj);
-		}
-	}
-	if (check_forward(zoptions, obj, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	/*
-	 * Check validity of static stub server addresses.
-	 */
-	obj = NULL;
-	(void)cfg_map_get(zoptions, "server-addresses", &obj);
-	if (ztype == STATICSTUBZONE && obj != NULL) {
-		for (element = cfg_list_first(obj);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			isc_sockaddr_t sa;
-			isc_netaddr_t na;
-			obj = cfg_listelt_value(element);
-			sa = *cfg_obj_assockaddr(obj);
-
-			if (isc_sockaddr_getport(&sa) != 0) {
-				result = ISC_R_FAILURE;
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "port is not configurable for "
-					    "static stub server-addresses");
-			}
-
-			isc_netaddr_fromsockaddr(&na, &sa);
-			if (isc_netaddr_getzone(&na) != 0) {
-				result = ISC_R_FAILURE;
-				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "scoped address is not allowed "
-					    "for static stub "
-					    "server-addresses");
-			}
-		}
-	}
-
-	/*
-	 * Check validity of static stub server names.
-	 */
-	obj = NULL;
-	(void)cfg_map_get(zoptions, "server-names", &obj);
-	if (zname != NULL && ztype == STATICSTUBZONE && obj != NULL) {
-		for (element = cfg_list_first(obj);
-		     element != NULL;
-		     element = cfg_list_next(element))
-		{
-			const char *snamestr;
-			dns_fixedname_t fixed_sname;
-			isc_buffer_t b2;
-			dns_name_t *sname;
-
-			obj = cfg_listelt_value(element);
-			snamestr = cfg_obj_asstring(obj);
-
-			dns_fixedname_init(&fixed_sname);
-			isc_buffer_constinit(&b2, snamestr, strlen(snamestr));
-			isc_buffer_add(&b2, strlen(snamestr));
-			sname = dns_fixedname_name(&fixed_sname);
-			tresult = dns_name_fromtext(sname, &b2, dns_rootname,
-						    0, NULL);
-			if (tresult != ISC_R_SUCCESS) {
-				cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-					    "server-name '%s' is not a valid "
-					    "name", snamestr);
-				result = ISC_R_FAILURE;
-			} else if (dns_name_issubdomain(sname, zname)) {
-				cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-					    "server-name '%s' must not be a "
-					    "subdomain of zone name '%s'",
-					    snamestr, znamestr);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-
-	/*
-	 * Check various options.
-	 */
-	tresult = check_options(zoptions, logctx, mctx, optlevel_zone);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-
-	/*
-	 * If the zone type is rbt/rbt64 then master/hint zones
-	 * require file clauses.
-	 * If inline signing is used, then slave zones require a
-	 * file clause as well
-	 */
-	obj = NULL;
-	tresult = cfg_map_get(zoptions, "database", &obj);
-	if (tresult == ISC_R_NOTFOUND ||
-	    (tresult == ISC_R_SUCCESS &&
-	     (strcmp("rbt", cfg_obj_asstring(obj)) == 0 ||
-	      strcmp("rbt64", cfg_obj_asstring(obj)) == 0)))
-	{
-		isc_result_t res1;
-		obj = NULL;
-		tresult = cfg_map_get(zoptions, "file", &obj);
-		obj = NULL;
-		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
-		if ((tresult != ISC_R_SUCCESS &&
-		    (ztype == MASTERZONE || ztype == HINTZONE)) ||
-		    (ztype == SLAVEZONE && res1 == ISC_R_SUCCESS)) {
-			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-			    "zone '%s': missing 'file' entry",
-			    znamestr);
-			result = tresult;
-		}
-	}
-
-	return (result);
-}
-
-
-typedef struct keyalgorithms {
-	const char *name;
-	isc_uint16_t size;
-} algorithmtable;
-
-isc_result_t
-bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
-	const cfg_obj_t *algobj = NULL;
-	const cfg_obj_t *secretobj = NULL;
-	const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
-	const char *algorithm;
-	int i;
-	size_t len = 0;
-	isc_result_t result;
-	isc_buffer_t buf;
-	unsigned char secretbuf[1024];
-	static const algorithmtable algorithms[] = {
-		{ "hmac-md5", 128 },
-		{ "hmac-md5.sig-alg.reg.int", 0 },
-		{ "hmac-md5.sig-alg.reg.int.", 0 },
-		{ "hmac-sha1", 160 },
-		{ "hmac-sha224", 224 },
-		{ "hmac-sha256", 256 },
-		{ "hmac-sha384", 384 },
-		{ "hmac-sha512", 512 },
-		{  NULL, 0 }
-	};
-
-	(void)cfg_map_get(key, "algorithm", &algobj);
-	(void)cfg_map_get(key, "secret", &secretobj);
-	if (secretobj == NULL || algobj == NULL) {
-		cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-			    "key '%s' must have both 'secret' and "
-			    "'algorithm' defined",
-			    keyname);
-		return (ISC_R_FAILURE);
-	}
-
-	isc_buffer_init(&buf, secretbuf, sizeof(secretbuf));
-	result = isc_base64_decodestring(cfg_obj_asstring(secretobj), &buf);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(secretobj, logctx, ISC_LOG_ERROR,
-			    "bad secret '%s'", isc_result_totext(result));
-		return (result);
-	}
-
-	algorithm = cfg_obj_asstring(algobj);
-	for (i = 0; algorithms[i].name != NULL; i++) {
-		len = strlen(algorithms[i].name);
-		if (strncasecmp(algorithms[i].name, algorithm, len) == 0 &&
-		    (algorithm[len] == '\0' ||
-		     (algorithms[i].size != 0 && algorithm[len] == '-')))
-			break;
-	}
-	if (algorithms[i].name == NULL) {
-		cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
-			    "unknown algorithm '%s'", algorithm);
-		return (ISC_R_NOTFOUND);
-	}
-	if (algorithm[len] == '-') {
-		isc_uint16_t digestbits;
-		isc_result_t result;
-		result = isc_parse_uint16(&digestbits, algorithm + len + 1, 10);
-		if (result == ISC_R_SUCCESS || result == ISC_R_RANGE) {
-			if (result == ISC_R_RANGE ||
-			    digestbits > algorithms[i].size) {
-				cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
-					    "key '%s' digest-bits too large "
-					    "[%u..%u]", keyname,
-					    algorithms[i].size / 2,
-					    algorithms[i].size);
-				return (ISC_R_RANGE);
-			}
-			if ((digestbits % 8) != 0) {
-				cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
-					    "key '%s' digest-bits not multiple"
-					    " of 8", keyname);
-				return (ISC_R_RANGE);
-			}
-			/*
-			 * Recommended minima for hmac algorithms.
-			 */
-			if ((digestbits < (algorithms[i].size / 2U) ||
-			     (digestbits < 80U)))
-				cfg_obj_log(algobj, logctx, ISC_LOG_WARNING,
-					    "key '%s' digest-bits too small "
-					    "[<%u]", keyname,
-					    algorithms[i].size/2);
-		} else {
-			cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
-				    "key '%s': unable to parse digest-bits",
-				    keyname);
-			return (result);
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Check key list for duplicates key names and that the key names
- * are valid domain names as these keys are used for TSIG.
- *
- * Check the key contents for validity.
- */
-static isc_result_t
-check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab,
-	      isc_mem_t *mctx, isc_log_t *logctx)
-{
-	char namebuf[DNS_NAME_FORMATSIZE];
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	const cfg_listelt_t *element;
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	for (element = cfg_list_first(keys);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *key = cfg_listelt_value(element);
-		const char *keyid = cfg_obj_asstring(cfg_map_getname(key));
-		isc_symvalue_t symvalue;
-		isc_buffer_t b;
-		char *keyname;
-
-		isc_buffer_constinit(&b, keyid, strlen(keyid));
-		isc_buffer_add(&b, strlen(keyid));
-		tresult = dns_name_fromtext(name, &b, dns_rootname,
-					    0, NULL);
-		if (tresult != ISC_R_SUCCESS) {
-			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-				    "key '%s': bad key name", keyid);
-			result = tresult;
-			continue;
-		}
-		tresult = bind9_check_key(key, logctx);
-		if (tresult != ISC_R_SUCCESS)
-			return (tresult);
-
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		keyname = isc_mem_strdup(mctx, namebuf);
-		if (keyname == NULL)
-			return (ISC_R_NOMEMORY);
-		symvalue.as_cpointer = key;
-		tresult = isc_symtab_define(symtab, keyname, 1, symvalue,
-					    isc_symexists_reject);
-		if (tresult == ISC_R_EXISTS) {
-			const char *file;
-			unsigned int line;
-
-			RUNTIME_CHECK(isc_symtab_lookup(symtab, keyname,
-					    1, &symvalue) == ISC_R_SUCCESS);
-			file = cfg_obj_file(symvalue.as_cpointer);
-			line = cfg_obj_line(symvalue.as_cpointer);
-
-			if (file == NULL)
-				file = "<unknown file>";
-			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-				    "key '%s': already exists "
-				    "previous definition: %s:%u",
-				    keyid, file, line);
-			isc_mem_free(mctx, keyname);
-			result = tresult;
-		} else if (tresult != ISC_R_SUCCESS) {
-			isc_mem_free(mctx, keyname);
-			return (tresult);
-		}
-	}
-	return (result);
-}
-
-static struct {
-	const char *v4;
-	const char *v6;
-} sources[] = {
-	{ "transfer-source", "transfer-source-v6" },
-	{ "notify-source", "notify-source-v6" },
-	{ "query-source", "query-source-v6" },
-	{ NULL, NULL }
-};
-
-/*
- * RNDC keys are not normalised unlike TSIG keys.
- *
- * 	"foo." is different to "foo".
- */
-static isc_boolean_t
-rndckey_exists(const cfg_obj_t *keylist, const char *keyname) {
-	const cfg_listelt_t *element;
-	const cfg_obj_t *obj;
-	const char *str;
-
-	if (keylist == NULL)
-		return (ISC_FALSE);
-
-	for (element = cfg_list_first(keylist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		obj = cfg_listelt_value(element);
-		str = cfg_obj_asstring(cfg_map_getname(obj));
-		if (!strcasecmp(str, keyname))
-			return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
-	      isc_symtab_t *symtab, isc_log_t *logctx)
-{
-	dns_fixedname_t fname;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	const cfg_listelt_t *e1, *e2;
-	const cfg_obj_t *v1, *v2, *keys;
-	const cfg_obj_t *servers;
-	isc_netaddr_t n1, n2;
-	unsigned int p1, p2;
-	const cfg_obj_t *obj;
-	char buf[ISC_NETADDR_FORMATSIZE];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	const char *xfr;
-	const char *keyval;
-	isc_buffer_t b;
-	int source;
-	dns_name_t *keyname;
-
-	servers = NULL;
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "server", &servers);
-	if (servers == NULL)
-		(void)cfg_map_get(config, "server", &servers);
-	if (servers == NULL)
-		return (ISC_R_SUCCESS);
-
-	for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
-		v1 = cfg_listelt_value(e1);
-		cfg_obj_asnetprefix(cfg_map_getname(v1), &n1, &p1);
-		/*
-		 * Check that unused bits are zero.
-		 */
-		tresult = isc_netaddr_prefixok(&n1, p1);
-		if (tresult != ISC_R_SUCCESS) {
-			INSIST(tresult == ISC_R_FAILURE);
-			isc_netaddr_format(&n1, buf, sizeof(buf));
-			cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
-				    "server '%s/%u': invalid prefix "
-				    "(extra bits specified)", buf, p1);
-			result = tresult;
-		}
-		source = 0;
-		do {
-			obj = NULL;
-			if (n1.family == AF_INET)
-				xfr = sources[source].v6;
-			else
-				xfr = sources[source].v4;
-			(void)cfg_map_get(v1, xfr, &obj);
-			if (obj != NULL) {
-				isc_netaddr_format(&n1, buf, sizeof(buf));
-				cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
-					    "server '%s/%u': %s not legal",
-					    buf, p1, xfr);
-				result = ISC_R_FAILURE;
-			}
-		} while (sources[++source].v4 != NULL);
-		e2 = e1;
-		while ((e2 = cfg_list_next(e2)) != NULL) {
-			v2 = cfg_listelt_value(e2);
-			cfg_obj_asnetprefix(cfg_map_getname(v2), &n2, &p2);
-			if (p1 == p2 && isc_netaddr_equal(&n1, &n2)) {
-				const char *file = cfg_obj_file(v1);
-				unsigned int line = cfg_obj_line(v1);
-
-				if (file == NULL)
-					file = "<unknown file>";
-
-				isc_netaddr_format(&n2, buf, sizeof(buf));
-				cfg_obj_log(v2, logctx, ISC_LOG_ERROR,
-					    "server '%s/%u': already exists "
-					    "previous definition: %s:%u",
-					    buf, p2, file, line);
-				result = ISC_R_FAILURE;
-			}
-		}
-		keys = NULL;
-		cfg_map_get(v1, "keys", &keys);
-		if (keys != NULL) {
-			/*
-			 * Normalize key name.
-			 */
-			keyval = cfg_obj_asstring(keys);
-			dns_fixedname_init(&fname);
-			isc_buffer_constinit(&b, keyval, strlen(keyval));
-			isc_buffer_add(&b, strlen(keyval));
-			keyname = dns_fixedname_name(&fname);
-			tresult = dns_name_fromtext(keyname, &b, dns_rootname,
-						    0, NULL);
-			if (tresult != ISC_R_SUCCESS) {
-				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
-					    "bad key name '%s'", keyval);
-				result = ISC_R_FAILURE;
-				continue;
-			}
-			dns_name_format(keyname, namebuf, sizeof(namebuf));
-			tresult = isc_symtab_lookup(symtab, namebuf, 1, NULL);
-			if (tresult != ISC_R_SUCCESS) {
-				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
-					    "unknown key '%s'", keyval);
-				result = ISC_R_FAILURE;
-			}
-		}
-	}
-	return (result);
-}
-
-static isc_result_t
-check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
-		  isc_log_t *logctx)
-{
-	const char *keystr, *keynamestr;
-	dns_fixedname_t fkeyname;
-	dns_name_t *keyname;
-	isc_buffer_t b;
-	isc_region_t r;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	isc_uint32_t flags, proto, alg;
-	unsigned char keydata[4096];
-
-	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
-	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
-	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
-
-	dns_fixedname_init(&fkeyname);
-	keyname = dns_fixedname_name(&fkeyname);
-	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
-
-	isc_buffer_constinit(&b, keynamestr, strlen(keynamestr));
-	isc_buffer_add(&b, strlen(keynamestr));
-	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(key, logctx, ISC_LOG_WARNING, "bad key name: %s\n",
-			    isc_result_totext(result));
-		result = ISC_R_FAILURE;
-	}
-
-	if (flags > 0xffff) {
-		cfg_obj_log(key, logctx, ISC_LOG_WARNING,
-			    "flags too big: %u\n", flags);
-		result = ISC_R_FAILURE;
-	}
-	if (proto > 0xff) {
-		cfg_obj_log(key, logctx, ISC_LOG_WARNING,
-			    "protocol too big: %u\n", proto);
-		result = ISC_R_FAILURE;
-	}
-	if (alg > 0xff) {
-		cfg_obj_log(key, logctx, ISC_LOG_WARNING,
-			    "algorithm too big: %u\n", alg);
-		result = ISC_R_FAILURE;
-	}
-
-	if (managed) {
-		const char *initmethod;
-		initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
-
-		if (strcasecmp(initmethod, "initial-key") != 0) {
-			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-				    "managed key '%s': "
-				    "invalid initialization method '%s'",
-				    keynamestr, initmethod);
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	isc_buffer_init(&b, keydata, sizeof(keydata));
-
-	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
-	tresult = isc_base64_decodestring(keystr, &b);
-
-	if (tresult != ISC_R_SUCCESS) {
-		cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-			    "%s", isc_result_totext(tresult));
-		result = ISC_R_FAILURE;
-	} else {
-		isc_buffer_usedregion(&b, &r);
-
-		if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
-		    r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
-			cfg_obj_log(key, logctx, ISC_LOG_WARNING,
-				    "%s key '%s' has a weak exponent",
-				    managed ? "managed" : "trusted",
-				    keynamestr);
-	}
-
-	return (result);
-}
-
-static isc_result_t
-check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
-	       const char *viewname, dns_rdataclass_t vclass,
-	       isc_log_t *logctx, isc_mem_t *mctx)
-{
-	const cfg_obj_t *zones = NULL;
-	const cfg_obj_t *keys = NULL;
-	const cfg_listelt_t *element, *element2;
-	isc_symtab_t *symtab = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult = ISC_R_SUCCESS;
-	cfg_aclconfctx_t *actx = NULL;
-	const cfg_obj_t *obj;
-	const cfg_obj_t *options = NULL;
-	isc_boolean_t enablednssec, enablevalidation;
-	const char *valstr = "no";
-
-	/*
-	 * Get global options block
-	 */
-	(void)cfg_map_get(config, "options", &options);
-
-	/*
-	 * Check that all zone statements are syntactically correct and
-	 * there are no duplicate zones.
-	 */
-	tresult = isc_symtab_create(mctx, 1000, freekey, mctx,
-				    ISC_FALSE, &symtab);
-	if (tresult != ISC_R_SUCCESS)
-		return (ISC_R_NOMEMORY);
-
-	cfg_aclconfctx_create(mctx, &actx);
-
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "zone", &zones);
-	else
-		(void)cfg_map_get(config, "zone", &zones);
-
-	for (element = cfg_list_first(zones);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		isc_result_t tresult;
-		const cfg_obj_t *zone = cfg_listelt_value(element);
-
-		tresult = check_zoneconf(zone, voptions, config, symtab,
-					 vclass, actx, logctx, mctx);
-		if (tresult != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	}
-
-	isc_symtab_destroy(&symtab);
-
-	/*
-	 * Check that forwarding is reasonable.
-	 */
-	if (voptions == NULL) {
-		if (options != NULL)
-			if (check_forward(options, NULL,
-					  logctx) != ISC_R_SUCCESS)
-				result = ISC_R_FAILURE;
-	} else {
-		if (check_forward(voptions, NULL, logctx) != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	}
-
-	/*
-	 * Check non-zero options at the global and view levels.
-	 */
-	if (options != NULL && check_nonzero(options, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-	if (voptions != NULL &&check_nonzero(voptions, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	/*
-	 * Check that dual-stack-servers is reasonable.
-	 */
-	if (voptions == NULL) {
-		if (options != NULL)
-			if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
-				result = ISC_R_FAILURE;
-	} else {
-		if (check_dual_stack(voptions, logctx) != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	}
-
-	/*
-	 * Check that rrset-order is reasonable.
-	 */
-	if (voptions != NULL) {
-		if (check_order(voptions, logctx) != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	}
-
-	/*
-	 * Check that all key statements are syntactically correct and
-	 * there are no duplicate keys.
-	 */
-	tresult = isc_symtab_create(mctx, 1000, freekey, mctx,
-				    ISC_FALSE, &symtab);
-	if (tresult != ISC_R_SUCCESS)
-		goto cleanup;
-
-	(void)cfg_map_get(config, "key", &keys);
-	tresult = check_keylist(keys, symtab, mctx, logctx);
-	if (tresult == ISC_R_EXISTS)
-		result = ISC_R_FAILURE;
-	else if (tresult != ISC_R_SUCCESS) {
-		result = tresult;
-		goto cleanup;
-	}
-
-	if (voptions != NULL) {
-		keys = NULL;
-		(void)cfg_map_get(voptions, "key", &keys);
-		tresult = check_keylist(keys, symtab, mctx, logctx);
-		if (tresult == ISC_R_EXISTS)
-			result = ISC_R_FAILURE;
-		else if (tresult != ISC_R_SUCCESS) {
-			result = tresult;
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * Global servers can refer to keys in views.
-	 */
-	if (check_servers(config, voptions, symtab, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	isc_symtab_destroy(&symtab);
-
-	/*
-	 * Check that dnssec-enable/dnssec-validation are sensible.
-	 */
-	obj = NULL;
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "dnssec-enable", &obj);
-	if (obj == NULL && options != NULL)
-		(void)cfg_map_get(options, "dnssec-enable", &obj);
-	if (obj == NULL)
-		enablednssec = ISC_TRUE;
-	else
-		enablednssec = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "dnssec-validation", &obj);
-	if (obj == NULL && options != NULL)
-		(void)cfg_map_get(options, "dnssec-validation", &obj);
-	if (obj == NULL) {
-		enablevalidation = enablednssec;
-		valstr = "yes";
-	} else if (cfg_obj_isboolean(obj)) {
-		enablevalidation = cfg_obj_asboolean(obj);
-		valstr = enablevalidation ? "yes" : "no";
-	} else {
-		enablevalidation = ISC_TRUE;
-		valstr = "auto";
-	}
-
-	if (enablevalidation && !enablednssec)
-		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
-			    "'dnssec-validation %s;' and 'dnssec-enable no;'",
-			    valstr);
-
-	/*
-	 * Check trusted-keys and managed-keys.
-	 */
-	keys = NULL;
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "trusted-keys", &keys);
-	if (keys == NULL)
-		(void)cfg_map_get(config, "trusted-keys", &keys);
-
-	for (element = cfg_list_first(keys);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *keylist = cfg_listelt_value(element);
-		for (element2 = cfg_list_first(keylist);
-		     element2 != NULL;
-		     element2 = cfg_list_next(element2)) {
-			obj = cfg_listelt_value(element2);
-			tresult = check_trusted_key(obj, ISC_FALSE, logctx);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-		}
-	}
-
-	keys = NULL;
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "managed-keys", &keys);
-	if (keys == NULL)
-		(void)cfg_map_get(config, "managed-keys", &keys);
-
-	for (element = cfg_list_first(keys);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		const cfg_obj_t *keylist = cfg_listelt_value(element);
-		for (element2 = cfg_list_first(keylist);
-		     element2 != NULL;
-		     element2 = cfg_list_next(element2)) {
-			obj = cfg_listelt_value(element2);
-			tresult = check_trusted_key(obj, ISC_TRUE, logctx);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-		}
-	}
-
-	/*
-	 * Check options.
-	 */
-	if (voptions != NULL)
-		tresult = check_options(voptions, logctx, mctx,
-					optlevel_view);
-	else
-		tresult = check_options(config, logctx, mctx,
-					optlevel_config);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-
-	tresult = check_viewacls(actx, voptions, config, logctx, mctx);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-
-	tresult = check_recursionacls(actx, voptions, viewname,
-				      config, logctx, mctx);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-
-	tresult = check_filteraaaa(actx, voptions, viewname, config,
-				   logctx, mctx);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-
-	tresult = check_dns64(actx, voptions, config, logctx, mctx);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-
- cleanup:
-	if (symtab != NULL)
-		isc_symtab_destroy(&symtab);
-	if (actx != NULL)
-		cfg_aclconfctx_detach(&actx);
-
-	return (result);
-}
-
-static const char *
-default_channels[] = {
-	"default_syslog",
-	"default_stderr",
-	"default_debug",
-	"null",
-	NULL
-};
-
-static isc_result_t
-bind9_check_logging(const cfg_obj_t *config, isc_log_t *logctx,
-		    isc_mem_t *mctx)
-{
-	const cfg_obj_t *categories = NULL;
-	const cfg_obj_t *category;
-	const cfg_obj_t *channels = NULL;
-	const cfg_obj_t *channel;
-	const cfg_listelt_t *element;
-	const cfg_listelt_t *delement;
-	const char *channelname;
-	const char *catname;
-	const cfg_obj_t *fileobj = NULL;
-	const cfg_obj_t *syslogobj = NULL;
-	const cfg_obj_t *nullobj = NULL;
-	const cfg_obj_t *stderrobj = NULL;
-	const cfg_obj_t *logobj = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	isc_symtab_t *symtab = NULL;
-	isc_symvalue_t symvalue;
-	int i;
-
-	(void)cfg_map_get(config, "logging", &logobj);
-	if (logobj == NULL)
-		return (ISC_R_SUCCESS);
-
-	result = isc_symtab_create(mctx, 100, NULL, NULL, ISC_FALSE, &symtab);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	symvalue.as_cpointer = NULL;
-	for (i = 0; default_channels[i] != NULL; i++) {
-		tresult = isc_symtab_define(symtab, default_channels[i], 1,
-					    symvalue, isc_symexists_replace);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-	}
-
-	cfg_map_get(logobj, "channel", &channels);
-
-	for (element = cfg_list_first(channels);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		channel = cfg_listelt_value(element);
-		channelname = cfg_obj_asstring(cfg_map_getname(channel));
-		fileobj = syslogobj = nullobj = stderrobj = NULL;
-		(void)cfg_map_get(channel, "file", &fileobj);
-		(void)cfg_map_get(channel, "syslog", &syslogobj);
-		(void)cfg_map_get(channel, "null", &nullobj);
-		(void)cfg_map_get(channel, "stderr", &stderrobj);
-		i = 0;
-		if (fileobj != NULL)
-			i++;
-		if (syslogobj != NULL)
-			i++;
-		if (nullobj != NULL)
-			i++;
-		if (stderrobj != NULL)
-			i++;
-		if (i != 1) {
-			cfg_obj_log(channel, logctx, ISC_LOG_ERROR,
-				    "channel '%s': exactly one of file, syslog, "
-				    "null, and stderr must be present",
-				     channelname);
-			result = ISC_R_FAILURE;
-		}
-		tresult = isc_symtab_define(symtab, channelname, 1,
-					    symvalue, isc_symexists_replace);
-		if (tresult != ISC_R_SUCCESS)
-			result = tresult;
-	}
-
-	cfg_map_get(logobj, "category", &categories);
-
-	for (element = cfg_list_first(categories);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		category = cfg_listelt_value(element);
-		catname = cfg_obj_asstring(cfg_tuple_get(category, "name"));
-		if (isc_log_categorybyname(logctx, catname) == NULL) {
-			cfg_obj_log(category, logctx, ISC_LOG_ERROR,
-				    "undefined category: '%s'", catname);
-			result = ISC_R_FAILURE;
-		}
-		channels = cfg_tuple_get(category, "destinations");
-		for (delement = cfg_list_first(channels);
-		     delement != NULL;
-		     delement = cfg_list_next(delement))
-		{
-			channel = cfg_listelt_value(delement);
-			channelname = cfg_obj_asstring(channel);
-			tresult = isc_symtab_lookup(symtab, channelname, 1,
-						    &symvalue);
-			if (tresult != ISC_R_SUCCESS) {
-				cfg_obj_log(channel, logctx, ISC_LOG_ERROR,
-					    "undefined channel: '%s'",
-					    channelname);
-				result = tresult;
-			}
-		}
-	}
-	isc_symtab_destroy(&symtab);
-	return (result);
-}
-
-static isc_result_t
-bind9_check_controlskeys(const cfg_obj_t *control, const cfg_obj_t *keylist,
-			 isc_log_t *logctx)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	const cfg_obj_t *control_keylist;
-	const cfg_listelt_t *element;
-	const cfg_obj_t *key;
-	const char *keyval;
-
-	control_keylist = cfg_tuple_get(control, "keys");
-	if (cfg_obj_isvoid(control_keylist))
-		return (ISC_R_SUCCESS);
-
-	for (element = cfg_list_first(control_keylist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		key = cfg_listelt_value(element);
-		keyval = cfg_obj_asstring(key);
-
-		if (!rndckey_exists(keylist, keyval)) {
-			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-				    "unknown key '%s'", keyval);
-			result = ISC_R_NOTFOUND;
-		}
-	}
-	return (result);
-}
-
-static isc_result_t
-bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
-		     isc_mem_t *mctx)
-{
-	isc_result_t result = ISC_R_SUCCESS, tresult;
-	cfg_aclconfctx_t *actx = NULL;
-	const cfg_listelt_t *element, *element2;
-	const cfg_obj_t *allow;
-	const cfg_obj_t *control;
-	const cfg_obj_t *controls;
-	const cfg_obj_t *controlslist = NULL;
-	const cfg_obj_t *inetcontrols;
-	const cfg_obj_t *unixcontrols;
-	const cfg_obj_t *keylist = NULL;
-	const char *path;
-	isc_uint32_t perm, mask;
-	dns_acl_t *acl = NULL;
-	isc_sockaddr_t addr;
-	int i;
-
-	(void)cfg_map_get(config, "controls", &controlslist);
-	if (controlslist == NULL)
-		return (ISC_R_SUCCESS);
-
-	(void)cfg_map_get(config, "key", &keylist);
-
-	cfg_aclconfctx_create(mctx, &actx);
-
-	/*
-	 * INET: Check allow clause.
-	 * UNIX: Check "perm" for sanity, check path length.
-	 */
-	for (element = cfg_list_first(controlslist);
-	     element != NULL;
-	     element = cfg_list_next(element)) {
-		controls = cfg_listelt_value(element);
-		unixcontrols = NULL;
-		inetcontrols = NULL;
-		(void)cfg_map_get(controls, "unix", &unixcontrols);
-		(void)cfg_map_get(controls, "inet", &inetcontrols);
-		for (element2 = cfg_list_first(inetcontrols);
-		     element2 != NULL;
-		     element2 = cfg_list_next(element2)) {
-			control = cfg_listelt_value(element2);
-			allow = cfg_tuple_get(control, "allow");
-			tresult = cfg_acl_fromconfig(allow, config, logctx,
-						     actx, mctx, 0, &acl);
-			if (acl != NULL)
-				dns_acl_detach(&acl);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			tresult = bind9_check_controlskeys(control, keylist,
-							   logctx);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-		}
-		for (element2 = cfg_list_first(unixcontrols);
-		     element2 != NULL;
-		     element2 = cfg_list_next(element2)) {
-			control = cfg_listelt_value(element2);
-			path = cfg_obj_asstring(cfg_tuple_get(control, "path"));
-			tresult = isc_sockaddr_frompath(&addr, path);
-			if (tresult == ISC_R_NOSPACE) {
-				cfg_obj_log(control, logctx, ISC_LOG_ERROR,
-					    "unix control '%s': path too long",
-					    path);
-				result = ISC_R_NOSPACE;
-			}
-			perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
-			for (i = 0; i < 3; i++) {
-#ifdef NEED_SECURE_DIRECTORY
-				mask = (0x1 << (i*3));	/* SEARCH */
-#else
-				mask = (0x6 << (i*3)); 	/* READ + WRITE */
-#endif
-				if ((perm & mask) == mask)
-					break;
-			}
-			if (i == 0) {
-				cfg_obj_log(control, logctx, ISC_LOG_WARNING,
-					    "unix control '%s' allows access "
-					    "to everyone", path);
-			} else if (i == 3) {
-				cfg_obj_log(control, logctx, ISC_LOG_WARNING,
-					    "unix control '%s' allows access "
-					    "to nobody", path);
-			}
-			tresult = bind9_check_controlskeys(control, keylist,
-							   logctx);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-		}
-	}
-	cfg_aclconfctx_detach(&actx);
-	return (result);
-}
-
-isc_result_t
-bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
-		      isc_mem_t *mctx)
-{
-	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *views = NULL;
-	const cfg_obj_t *acls = NULL;
-	const cfg_obj_t *kals = NULL;
-	const cfg_obj_t *obj;
-	const cfg_listelt_t *velement;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_result_t tresult;
-	isc_symtab_t *symtab = NULL;
-
-	static const char *builtin[] = { "localhost", "localnets",
-					 "any", "none"};
-
-	(void)cfg_map_get(config, "options", &options);
-
-	if (options != NULL &&
-	    check_options(options, logctx, mctx,
-			  optlevel_options) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	if (bind9_check_logging(config, logctx, mctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	if (bind9_check_controls(config, logctx, mctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	if (options != NULL &&
-	    check_order(options, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
-	(void)cfg_map_get(config, "view", &views);
-
-	if (views != NULL && options != NULL)
-		if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-
-	if (views == NULL) {
-		if (check_viewconf(config, NULL, NULL, dns_rdataclass_in,
-				   logctx, mctx) != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	} else {
-		const cfg_obj_t *zones = NULL;
-
-		(void)cfg_map_get(config, "zone", &zones);
-		if (zones != NULL) {
-			cfg_obj_log(zones, logctx, ISC_LOG_ERROR,
-				    "when using 'view' statements, "
-				    "all zones must be in views");
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
-	if (tresult != ISC_R_SUCCESS)
-		result = tresult;
-	for (velement = cfg_list_first(views);
-	     velement != NULL;
-	     velement = cfg_list_next(velement))
-	{
-		const cfg_obj_t *view = cfg_listelt_value(velement);
-		const cfg_obj_t *vname = cfg_tuple_get(view, "name");
-		const cfg_obj_t *voptions = cfg_tuple_get(view, "options");
-		const cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
-		dns_rdataclass_t vclass = dns_rdataclass_in;
-		isc_result_t tresult = ISC_R_SUCCESS;
-		const char *key = cfg_obj_asstring(vname);
-		isc_symvalue_t symvalue;
-
-		if (cfg_obj_isstring(vclassobj)) {
-			isc_textregion_t r;
-
-			DE_CONST(cfg_obj_asstring(vclassobj), r.base);
-			r.length = strlen(r.base);
-			tresult = dns_rdataclass_fromtext(&vclass, &r);
-			if (tresult != ISC_R_SUCCESS)
-				cfg_obj_log(vclassobj, logctx, ISC_LOG_ERROR,
-					    "view '%s': invalid class %s",
-					    cfg_obj_asstring(vname), r.base);
-		}
-		if (tresult == ISC_R_SUCCESS && symtab != NULL) {
-			symvalue.as_cpointer = view;
-			tresult = isc_symtab_define(symtab, key, vclass,
-						    symvalue,
-						    isc_symexists_reject);
-			if (tresult == ISC_R_EXISTS) {
-				const char *file;
-				unsigned int line;
-				RUNTIME_CHECK(isc_symtab_lookup(symtab, key,
-					   vclass, &symvalue) == ISC_R_SUCCESS);
-				file = cfg_obj_file(symvalue.as_cpointer);
-				line = cfg_obj_line(symvalue.as_cpointer);
-				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
-					    "view '%s': already exists "
-					    "previous definition: %s:%u",
-					    key, file, line);
-				result = tresult;
-			} else if (tresult != ISC_R_SUCCESS) {
-				result = tresult;
-			} else if ((strcasecmp(key, "_bind") == 0 &&
-				    vclass == dns_rdataclass_ch) ||
-				   (strcasecmp(key, "_default") == 0 &&
-				    vclass == dns_rdataclass_in)) {
-				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
-					    "attempt to redefine builtin view "
-					    "'%s'", key);
-				result = ISC_R_EXISTS;
-			}
-		}
-		if (tresult == ISC_R_SUCCESS)
-			tresult = check_viewconf(config, voptions, key,
-						 vclass, logctx, mctx);
-		if (tresult != ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-	}
-	if (symtab != NULL)
-		isc_symtab_destroy(&symtab);
-
-	if (views != NULL && options != NULL) {
-		obj = NULL;
-		tresult = cfg_map_get(options, "cache-file", &obj);
-		if (tresult == ISC_R_SUCCESS) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "'cache-file' cannot be a global "
-				    "option if views are present");
-			result = ISC_R_FAILURE;
-		}
-	}
-
-	cfg_map_get(config, "acl", &acls);
-
-	if (acls != NULL) {
-		const cfg_listelt_t *elt;
-		const cfg_listelt_t *elt2;
-		const char *aclname;
-
-		for (elt = cfg_list_first(acls);
-		     elt != NULL;
-		     elt = cfg_list_next(elt)) {
-			const cfg_obj_t *acl = cfg_listelt_value(elt);
-			unsigned int line = cfg_obj_line(acl);
-			unsigned int i;
-
-			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
-			for (i = 0;
-			     i < sizeof(builtin) / sizeof(builtin[0]);
-			     i++)
-				if (strcasecmp(aclname, builtin[i]) == 0) {
-					cfg_obj_log(acl, logctx, ISC_LOG_ERROR,
-						    "attempt to redefine "
-						    "builtin acl '%s'",
-						    aclname);
-					result = ISC_R_FAILURE;
-					break;
-				}
-
-			for (elt2 = cfg_list_next(elt);
-			     elt2 != NULL;
-			     elt2 = cfg_list_next(elt2)) {
-				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
-				const char *name;
-				name = cfg_obj_asstring(cfg_tuple_get(acl2,
-								      "name"));
-				if (strcasecmp(aclname, name) == 0) {
-					const char *file = cfg_obj_file(acl);
-
-					if (file == NULL)
-						file = "<unknown file>";
-
-					cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
-						    "attempt to redefine "
-						    "acl '%s' previous "
-						    "definition: %s:%u",
-						     name, file, line);
-					result = ISC_R_FAILURE;
-				}
-			}
-		}
-	}
-
-	tresult = cfg_map_get(config, "kal", &kals);
-	if (tresult == ISC_R_SUCCESS) {
-		const cfg_listelt_t *elt;
-		const cfg_listelt_t *elt2;
-		const char *aclname;
-
-		for (elt = cfg_list_first(kals);
-		     elt != NULL;
-		     elt = cfg_list_next(elt)) {
-			const cfg_obj_t *acl = cfg_listelt_value(elt);
-
-			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
-
-			for (elt2 = cfg_list_next(elt);
-			     elt2 != NULL;
-			     elt2 = cfg_list_next(elt2)) {
-				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
-				const char *name;
-				name = cfg_obj_asstring(cfg_tuple_get(acl2,
-								      "name"));
-				if (strcasecmp(aclname, name) == 0) {
-					const char *file = cfg_obj_file(acl);
-					unsigned int line = cfg_obj_line(acl);
-
-					if (file == NULL)
-						file = "<unknown file>";
-
-					cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
-						    "attempt to redefine "
-						    "kal '%s' previous "
-						    "definition: %s:%u",
-						     name, file, line);
-					result = ISC_R_FAILURE;
-				}
-			}
-		}
-	}
-
-	return (result);
-}
diff --git a/contrib/bind9/lib/bind9/getaddresses.c b/contrib/bind9/lib/bind9/getaddresses.c
deleted file mode 100644
index a75e14e..0000000
--- a/contrib/bind9/lib/bind9/getaddresses.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getaddresses.c,v 1.22 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-#include <string.h>
-
-#include <isc/net.h>
-#include <isc/netaddr.h>
-#include <isc/netdb.h>
-#include <isc/netscope.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <bind9/getaddresses.h>
-
-#ifdef HAVE_ADDRINFO
-#ifdef HAVE_GETADDRINFO
-#ifdef HAVE_GAISTRERROR
-#define USE_GETADDRINFO
-#endif
-#endif
-#endif
-
-#ifndef USE_GETADDRINFO
-#ifndef ISC_PLATFORM_NONSTDHERRNO
-extern int h_errno;
-#endif
-#endif
-
-isc_result_t
-bind9_getaddresses(const char *hostname, in_port_t port,
-		   isc_sockaddr_t *addrs, int addrsize, int *addrcount)
-{
-	struct in_addr in4;
-	struct in6_addr in6;
-	isc_boolean_t have_ipv4, have_ipv6;
-	int i;
-
-#ifdef USE_GETADDRINFO
-	struct addrinfo *ai = NULL, *tmpai, hints;
-	int result;
-#else
-	struct hostent *he;
-#endif
-
-	REQUIRE(hostname != NULL);
-	REQUIRE(addrs != NULL);
-	REQUIRE(addrcount != NULL);
-	REQUIRE(addrsize > 0);
-
-	have_ipv4 = ISC_TF((isc_net_probeipv4() == ISC_R_SUCCESS));
-	have_ipv6 = ISC_TF((isc_net_probeipv6() == ISC_R_SUCCESS));
-
-	/*
-	 * Try IPv4, then IPv6.  In order to handle the extended format
-	 * for IPv6 scoped addresses (address%scope_ID), we'll use a local
-	 * working buffer of 128 bytes.  The length is an ad-hoc value, but
-	 * should be enough for this purpose; the buffer can contain a string
-	 * of at least 80 bytes for scope_ID in addition to any IPv6 numeric
-	 * addresses (up to 46 bytes), the delimiter character and the
-	 * terminating NULL character.
-	 */
-	if (inet_pton(AF_INET, hostname, &in4) == 1) {
-		if (have_ipv4)
-			isc_sockaddr_fromin(&addrs[0], &in4, port);
-		else
-			isc_sockaddr_v6fromin(&addrs[0], &in4, port);
-		*addrcount = 1;
-		return (ISC_R_SUCCESS);
-	} else if (strlen(hostname) <= 127U) {
-		char tmpbuf[128], *d;
-		isc_uint32_t zone = 0;
-
-		strcpy(tmpbuf, hostname);
-		d = strchr(tmpbuf, '%');
-		if (d != NULL)
-			*d = '\0';
-
-		if (inet_pton(AF_INET6, tmpbuf, &in6) == 1) {
-			isc_netaddr_t na;
-
-			if (!have_ipv6)
-				return (ISC_R_FAMILYNOSUPPORT);
-
-			if (d != NULL) {
-#ifdef ISC_PLATFORM_HAVESCOPEID
-				isc_result_t result;
-
-				result = isc_netscope_pton(AF_INET6, d + 1,
-							   &in6, &zone);
-				    
-				if (result != ISC_R_SUCCESS)
-					return (result);
-#else
-				/*
-				 * The extended format is specified while the
-				 * system does not provide the ability to use
-				 * it.  Throw an explicit error instead of
-				 * ignoring the specified value.
-				 */
-				return (ISC_R_BADADDRESSFORM);
-#endif
-			}
-
-			isc_netaddr_fromin6(&na, &in6);
-			isc_netaddr_setzone(&na, zone);
-			isc_sockaddr_fromnetaddr(&addrs[0],
-						 (const isc_netaddr_t *)&na,
-						 port);
-
-			*addrcount = 1;
-			return (ISC_R_SUCCESS);
-			
-		}
-	}
-#ifdef USE_GETADDRINFO
-	memset(&hints, 0, sizeof(hints));
-	if (!have_ipv6)
-		hints.ai_family = PF_INET;
-	else if (!have_ipv4)
-		hints.ai_family = PF_INET6;
-	else {
-		hints.ai_family = PF_UNSPEC;
-#ifdef AI_ADDRCONFIG
-		hints.ai_flags = AI_ADDRCONFIG;
-#endif
-	}
-	hints.ai_socktype = SOCK_STREAM;
-#ifdef AI_ADDRCONFIG
- again:
-#endif
-	result = getaddrinfo(hostname, NULL, &hints, &ai);
-	switch (result) {
-	case 0:
-		break;
-	case EAI_NONAME:
-#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
-	case EAI_NODATA:
-#endif
-		return (ISC_R_NOTFOUND);
-#ifdef AI_ADDRCONFIG
-	case EAI_BADFLAGS:
-		if ((hints.ai_flags & AI_ADDRCONFIG) != 0) {
-			hints.ai_flags &= ~AI_ADDRCONFIG;
-			goto again;
-		}
-#endif
-	default:
-		return (ISC_R_FAILURE);
-	}
-	for (tmpai = ai, i = 0;
-	     tmpai != NULL && i < addrsize;
-	     tmpai = tmpai->ai_next)
-	{
-		if (tmpai->ai_family != AF_INET &&
-		    tmpai->ai_family != AF_INET6)
-			continue;
-		if (tmpai->ai_family == AF_INET) {
-			struct sockaddr_in *sin;
-			sin = (struct sockaddr_in *)tmpai->ai_addr;
-			isc_sockaddr_fromin(&addrs[i], &sin->sin_addr, port);
-		} else {
-			struct sockaddr_in6 *sin6;
-			sin6 = (struct sockaddr_in6 *)tmpai->ai_addr;
-			isc_sockaddr_fromin6(&addrs[i], &sin6->sin6_addr,
-					     port);
-		}
-		i++;
-
-	}
-	freeaddrinfo(ai);
-	*addrcount = i;
-#else
-	he = gethostbyname(hostname);
-	if (he == NULL) {
-		switch (h_errno) {
-		case HOST_NOT_FOUND:
-#ifdef NO_DATA
-		case NO_DATA:
-#endif
-#if defined(NO_ADDRESS) && (!defined(NO_DATA) || (NO_DATA != NO_ADDRESS))
-		case NO_ADDRESS:
-#endif
-			return (ISC_R_NOTFOUND);
-		default:
-			return (ISC_R_FAILURE);
-		}
-	}
-	if (he->h_addrtype != AF_INET && he->h_addrtype != AF_INET6)
-		return (ISC_R_NOTFOUND);
-	for (i = 0; i < addrsize; i++) {
-		if (he->h_addrtype == AF_INET) {
-			struct in_addr *inp;
-			inp = (struct in_addr *)(he->h_addr_list[i]);
-			if (inp == NULL)
-				break;
-			isc_sockaddr_fromin(&addrs[i], inp, port);
-		} else {
-			struct in6_addr *in6p;
-			in6p = (struct in6_addr *)(he->h_addr_list[i]);
-			if (in6p == NULL)
-				break;
-			isc_sockaddr_fromin6(&addrs[i], in6p, port);
-		}
-	}
-	*addrcount = i;
-#endif
-	if (*addrcount == 0)
-		return (ISC_R_NOTFOUND);
-	else
-		return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/bind9/include/Makefile.in b/contrib/bind9/lib/bind9/include/Makefile.in
deleted file mode 100644
index 0a7436c..0000000
--- a/contrib/bind9/lib/bind9/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:16 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	bind9
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind9/include/bind9/Makefile.in b/contrib/bind9/lib/bind9/include/bind9/Makefile.in
deleted file mode 100644
index 11ae586..0000000
--- a/contrib/bind9/lib/bind9/include/bind9/Makefile.in
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.8 2007/06/19 23:47:16 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated.  The latter are handled specially in the
-# install target below.
-#
-HEADERS =	check.h getaddresses.h version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/bind9
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/bind9 ; \
-	done
diff --git a/contrib/bind9/lib/bind9/include/bind9/check.h b/contrib/bind9/lib/bind9/include/bind9/check.h
deleted file mode 100644
index 1647568..0000000
--- a/contrib/bind9/lib/bind9/include/bind9/check.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: check.h,v 1.9 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef BIND9_CHECK_H
-#define BIND9_CHECK_H 1
-
-/*! \file bind9/check.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <isccfg/cfg.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
-		      isc_mem_t *mctx);
-/*%<
- * Check the syntactic validity of a configuration parse tree generated from
- * a named.conf file.
- *
- * Requires:
- *\li	config is a valid parse tree
- *
- *\li	logctx is a valid logging context.
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_FAILURE
- */
-
-isc_result_t
-bind9_check_key(const cfg_obj_t *config, isc_log_t *logctx);
-/*%<
- * Same as bind9_check_namedconf(), but for a single 'key' statement.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* BIND9_CHECK_H */
diff --git a/contrib/bind9/lib/bind9/include/bind9/getaddresses.h b/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
deleted file mode 100644
index 01aa67a..0000000
--- a/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getaddresses.h,v 1.11 2009/01/17 23:47:42 tbox Exp $ */
-
-#ifndef BIND9_GETADDRESSES_H
-#define BIND9_GETADDRESSES_H 1
-
-/*! \file bind9/getaddresses.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <isc/net.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-bind9_getaddresses(const char *hostname, in_port_t port,
-		   isc_sockaddr_t *addrs, int addrsize, int *addrcount);
-/*%<
- * Use the system resolver to get the addresses associated with a hostname.
- * If successful, the number of addresses found is returned in 'addrcount'.
- * If a hostname lookup is performed and addresses of an unknown family is
- * seen, it is ignored.  If more than 'addrsize' addresses are seen, the
- * first 'addrsize' are returned and the remainder silently truncated.
- *
- * This routine may block.  If called by a program using the isc_app
- * framework, it should be surrounded by isc_app_block()/isc_app_unblock().
- *
- *  Requires:
- *\li	'hostname' is not NULL.
- *\li	'addrs' is not NULL.
- *\li	'addrsize' > 0
- *\li	'addrcount' is not NULL.
- *
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOTFOUND
- *\li	#ISC_R_NOFAMILYSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
- *		not supported.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* BIND9_GETADDRESSES_H */
diff --git a/contrib/bind9/lib/bind9/include/bind9/version.h b/contrib/bind9/lib/bind9/include/bind9/version.h
deleted file mode 100644
index 5b08b7c..0000000
--- a/contrib/bind9/lib/bind9/include/bind9/version.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.9 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file bind9/version.h */
-
-#include <isc/platform.h>
-
-LIBBIND9_EXTERNAL_DATA extern const char bind9_version[];
-
-LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libinterface;
-LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_librevision;
-LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libage;
diff --git a/contrib/bind9/lib/bind9/version.c b/contrib/bind9/lib/bind9/version.c
deleted file mode 100644
index d5934cc..0000000
--- a/contrib/bind9/lib/bind9/version.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <bind9/version.h>
-
-const char bind9_version[] = VERSION;
-
-const unsigned int bind9_libinterface = LIBINTERFACE;
-const unsigned int bind9_librevision = LIBREVISION;
-const unsigned int bind9_libage = LIBAGE;
diff --git a/contrib/bind9/lib/dns/Makefile.in b/contrib/bind9/lib/dns/Makefile.in
deleted file mode 100644
index b712ab1..0000000
--- a/contrib/bind9/lib/dns/Makefile.in
+++ /dev/null
@@ -1,186 +0,0 @@
-# Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.180 2011/10/11 00:09:03 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-
-@BIND9_VERSION@
-
-@LIBDNS_API@
-
-@BIND9_MAKE_INCLUDES@
-
-USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-
-CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} \
-		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-
-CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
-
-CWARNINGS =
-
-ISCLIBS =	../../lib/isc/libisc.@A@
-
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-
-LIBS =		@LIBS@
-
-# Alphabetically
-
-OPENSSLGOSTLINKOBJS = opensslgost_link.@O@
-OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
-		  opensslecdsa_link.@O@ @OPENSSLGOSTLINKOBJS@ \
-		  opensslrsa_link.@O@
-
-DSTOBJS =	@DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \
-		dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
-		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ 
-
-# Alphabetically
-DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
-		cache.@O@ callbacks.@O@ clientinfo.@O@ compress.@O@ \
-		db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
-		dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ forward.@O@ iptable.@O@ \
-		journal.@O@ keydata.@O@ keytable.@O@ \
-		lib.@O@ log.@O@ lookup.@O@ \
-		master.@O@ masterdump.@O@ message.@O@ \
-		name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ \
-		portlist.@O@ private.@O@ \
-		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
-		rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
-		request.@O@ resolver.@O@ result.@O@ rootns.@O@ rpz.@O@ \
-		rriterator.@O@ sdb.@O@ \
-		sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
-		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
-		tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \
-		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
-
-OBJS=		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
-
-# Alphabetically
-OPENSSLGOSTLINKSRCS = opensslgost_link.c
-OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
-		  opensslecdsa_link.c @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
-
-DSTSRCS =	@DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \
-		dst_api.c dst_lib.c dst_parse.c \
-		dst_result.c gssapi_link.c gssapictx.c \
-		hmac_link.c key.c
-
-DNSSRCS =	acache.c acl.c adb.c byaddr.c \
-		cache.c callbacks.c clientinfo.c compress.c \
-		db.c dbiterator.c dbtable.c diff.c dispatch.c \
-		dlz.c dns64.c dnssec.c ds.c forward.c iptable.c journal.c \
-		keydata.c keytable.c lib.c log.c lookup.c \
-		master.c masterdump.c message.c \
-		name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
-		rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
-		rdataset.c rdatasetiter.c rdataslab.c request.c \
-		resolver.c result.c rootns.c rpz.c rriterator.c \
-		sdb.c sdlz.c soa.c ssu.c ssu_external.c \
-		stats.c tcpmsg.c time.c timer.c tkey.c \
-		tsec.c tsig.c ttl.c update.c validator.c \
-		version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
-
-SRCS = ${DSTSRCS} ${DNSSRCS}
-
-SUBDIRS =	include
-TARGETS =	include/dns/enumtype.h include/dns/enumclass.h \
-		include/dns/rdatastruct.h timestamp
-TESTDIRS =	@UNITTESTS@
-
-DEPENDEXTRA =	./gen -F include/dns/rdatastruct.h \
-		-s ${srcdir} -d >> Makefile ;
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libdns.@SA@: ${OBJS}
-	${AR} ${ARFLAGS} $@ ${OBJS}
-	${RANLIB} $@
-
-libdns.la: ${OBJS}
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
-
-timestamp: libdns.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
-	rm -f libdns.@A@ timestamp
-	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
-	rm -f include/dns/rdatastruct.h
-
-newrr::
-	rm -f code.h include/dns/enumtype.h include/dns/enumclass.h
-	rm -f include/dns/rdatastruct.h
-
-include: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h
-
-rdata.@O@: code.h
-
-include/dns/enumtype.h: gen
-	./gen -s ${srcdir} -t > $@
-
-include/dns/enumclass.h: gen
-	./gen -s ${srcdir} -c > $@
-
-include/dns/rdatastruct.h: gen \
-		${srcdir}/rdata/rdatastructpre.h \
-		${srcdir}/rdata/rdatastructsuf.h
-	./gen -s ${srcdir} -i \
-		-P ${srcdir}/rdata/rdatastructpre.h \
-		-S ${srcdir}/rdata/rdatastructsuf.h > $@
-
-code.h:	gen
-	./gen -s ${srcdir} > code.h
-
-gen: gen.c
-	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
-	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
-
-rbtdb64.@O@: rbtdb.c
-
-depend: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h code.h
-subdirs: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h code.h
-${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h
-
-spnego.@O@: spnego_asn1.c spnego.h
diff --git a/contrib/bind9/lib/dns/acache.c b/contrib/bind9/lib/dns/acache.c
deleted file mode 100644
index 6df9b98..0000000
--- a/contrib/bind9/lib/dns/acache.c
+++ /dev/null
@@ -1,1800 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acache.c,v 1.22 2008/02/07 23:46:54 tbox Exp $ */
-
-#include <config.h>
-
-#include <isc/atomic.h>
-#include <isc/event.h>
-#include <isc/hash.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/random.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/serial.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/timer.h>
-
-#include <dns/acache.h>
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-#include <dns/zone.h>
-
-#define ACACHE_MAGIC			ISC_MAGIC('A', 'C', 'H', 'E')
-#define DNS_ACACHE_VALID(acache)	ISC_MAGIC_VALID(acache, ACACHE_MAGIC)
-
-#define ACACHEENTRY_MAGIC		ISC_MAGIC('A', 'C', 'E', 'T')
-#define DNS_ACACHEENTRY_VALID(entry)	ISC_MAGIC_VALID(entry, ACACHEENTRY_MAGIC)
-
-#define DBBUCKETS	67
-
-#if 0
-#define ATRACE(m)       isc_log_write(dns_lctx, \
-				      DNS_LOGCATEGORY_DATABASE, \
-				      DNS_LOGMODULE_ACACHE, \
-				      ISC_LOG_DEBUG(3), \
-				      "acache %p: %s", acache, (m))
-#define AATRACE(a,m)    isc_log_write(dns_lctx, \
-				      DNS_LOGCATEGORY_DATABASE, \
-				      DNS_LOGMODULE_ACACHE, \
-				      ISC_LOG_DEBUG(3), \
-				      "acache %p: %s", (a), (m))
-#else
-#define ATRACE(m)
-#define AATRACE(a, m)
-#endif
-
-/*
- * The following variables control incremental cleaning.
- * MINSIZE is how many bytes is the floor for dns_acache_setcachesize().
- * CLEANERINCREMENT is how many entries are examined in one pass.
- * (XXX simply derived from definitions in cache.c  There may be better
- *  constants here.)
- */
-#define DNS_ACACHE_MINSIZE 		2097152U /* Bytes.  2097152 = 2 MB */
-#define DNS_ACACHE_CLEANERINCREMENT	1000	 /* Number of entries. */
-
-#define DEFAULT_ACACHE_ENTRY_LOCK_COUNT	1009	 /*%< Should be prime. */
-
-#if defined(ISC_RWLOCK_USEATOMIC) && defined(ISC_PLATFORM_HAVEATOMICSTORE)
-#define ACACHE_USE_RWLOCK 1
-#endif
-
-#ifdef ACACHE_USE_RWLOCK
-#define ACACHE_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
-#define ACACHE_DESTROYLOCK(l)	isc_rwlock_destroy(l)
-#define ACACHE_LOCK(l, t)	RWLOCK((l), (t))
-#define ACACHE_UNLOCK(l, t)	RWUNLOCK((l), (t))
-
-#define acache_storetime(entry, t) \
-	(isc_atomic_store((isc_int32_t *)&(entry)->lastused, (t)))
-#else
-#define ACACHE_INITLOCK(l)	isc_mutex_init(l)
-#define ACACHE_DESTROYLOCK(l)	DESTROYLOCK(l)
-#define ACACHE_LOCK(l, t)	LOCK(l)
-#define ACACHE_UNLOCK(l, t)	UNLOCK(l)
-
-#define acache_storetime(entry, t) ((entry)->lastused = (t))
-#endif
-
-/* Locked by acache lock */
-typedef struct dbentry {
-	ISC_LINK(struct dbentry)	link;
-
-	dns_db_t			*db;
-	ISC_LIST(dns_acacheentry_t)	originlist;
-	ISC_LIST(dns_acacheentry_t)	referlist;
-} dbentry_t;
-
-typedef ISC_LIST(dbentry_t) dbentrylist_t;
-
-typedef struct acache_cleaner acache_cleaner_t;
-
-typedef enum {
-	cleaner_s_idle,	/* Waiting for cleaning-interval to expire. */
-	cleaner_s_busy,	/* Currently cleaning. */
-	cleaner_s_done  /* Freed enough memory after being overmem. */
-} cleaner_state_t;
-
-/*
- * Convenience macros for comprehensive assertion checking.
- */
-#define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
-			 (c)->resched_event != NULL)
-#define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \
-			 (c)->resched_event == NULL)
-
-struct acache_cleaner {
-	isc_mutex_t		lock;
-	/*
-	 * Locks overmem_event, overmem.  (See cache.c)
-	 */
-
-	dns_acache_t		*acache;
-	unsigned int		cleaning_interval; /* The cleaning-interval
-						      from named.conf,
-						      in seconds. */
-
-	isc_stdtime_t		last_cleanup_time; /* The time when the last
-						      cleanup task completed */
-
-	isc_timer_t 		*cleaning_timer;
-	isc_event_t		*resched_event;	/* Sent by cleaner task to
-						   itself to reschedule */
-	isc_event_t		*overmem_event;
-
-	dns_acacheentry_t	*current_entry;	/* The bookmark entry to
-						   restart the cleaning.
-						   Locked by acache lock. */
-	int 		 	increment;	/* Number of entries to
-						   clean in one increment */
-
-	unsigned long		ncleaned;	/* Number of entries cleaned
-						   up (for logging purposes) */
-	cleaner_state_t  	state;		/* Idle/Busy/Done. */
-	isc_boolean_t	 	overmem;	/* The acache is in an overmem
-						   state. */
-};
-
-struct dns_acachestats {
-	unsigned int			hits;
-	unsigned int			queries;
-	unsigned int			misses;
-	unsigned int			adds;
-	unsigned int			deleted;
-	unsigned int			cleaned;
-	unsigned int			cleaner_runs;
-	unsigned int			overmem;
-	unsigned int			overmem_nocreates;
-	unsigned int			nomem;
-};
-
-/*
- * The actual acache object.
- */
-
-struct dns_acache {
-	unsigned int			magic;
-
-	isc_mem_t			*mctx;
-	isc_refcount_t			refs;
-
-#ifdef ACACHE_USE_RWLOCK
-	isc_rwlock_t 			*entrylocks;
-#else
-	isc_mutex_t 			*entrylocks;
-#endif
-
-	isc_mutex_t			lock;
-
-	int				live_cleaners;
-	acache_cleaner_t		cleaner;
-	ISC_LIST(dns_acacheentry_t)	entries;
-	unsigned int			dbentries;
-	dbentrylist_t			dbbucket[DBBUCKETS];
-
-	isc_boolean_t			shutting_down;
-
-	isc_task_t 			*task;
-	isc_event_t			cevent;
-	isc_boolean_t			cevent_sent;
-
-	dns_acachestats_t		stats;
-};
-
-struct dns_acacheentry {
-	unsigned int 		magic;
-
-	unsigned int		locknum;
-	isc_refcount_t 		references;
-
-	dns_acache_t 		*acache;
-
-	/* Data for Management of cache entries */
-	ISC_LINK(dns_acacheentry_t) link;
-	ISC_LINK(dns_acacheentry_t) olink;
-	ISC_LINK(dns_acacheentry_t) rlink;
-
-	dns_db_t 		*origdb; /* reference to the DB
-					    holding this entry */
-
-	/* Cache data */
-	dns_zone_t 		*zone;		/* zone this entry
-						   belongs to */
-	dns_db_t		*db;   		/* DB this entry belongs to */
-	dns_dbversion_t		*version;	/* the version of the DB */
-	dns_dbnode_t 		*node;		/* node this entry
-						   belongs to */
-	dns_name_t 		*foundname;	/* corresponding DNS name
-						   and rdataset */
-
-	/* Callback function and its argument */
-	void 			(*callback)(dns_acacheentry_t *, void **);
-	void 			*cbarg;
-
-	/* Timestamp of the last time this entry is referred to */
-	isc_stdtime32_t		lastused;
-};
-
-/*
- *	Internal functions (and prototypes).
- */
-static inline isc_boolean_t check_noentry(dns_acache_t *acache);
-static void destroy(dns_acache_t *acache);
-static void shutdown_entries(dns_acache_t *acache);
-static void shutdown_buckets(dns_acache_t *acache);
-static void destroy_entry(dns_acacheentry_t *ent);
-static inline void unlink_dbentries(dns_acache_t *acache,
-				    dns_acacheentry_t *ent);
-static inline isc_result_t finddbent(dns_acache_t *acache,
-				     dns_db_t *db, dbentry_t **dbentryp);
-static inline void clear_entry(dns_acache_t *acache, dns_acacheentry_t *entry);
-static isc_result_t acache_cleaner_init(dns_acache_t *acache,
-					isc_timermgr_t *timermgr,
-					acache_cleaner_t *cleaner);
-static void acache_cleaning_timer_action(isc_task_t *task, isc_event_t *event);
-static void acache_incremental_cleaning_action(isc_task_t *task,
-					       isc_event_t *event);
-static void acache_overmem_cleaning_action(isc_task_t *task,
-					   isc_event_t *event);
-static void acache_cleaner_shutdown_action(isc_task_t *task,
-					   isc_event_t *event);
-
-/*
- * acache should be locked.  If it is not, the stats can get out of whack,
- * which is not a big deal for us since this is for debugging / stats
- */
-static void
-reset_stats(dns_acache_t *acache) {
-	acache->stats.hits = 0;
-	acache->stats.queries = 0;
-	acache->stats.misses = 0;
-	acache->stats.adds = 0;
-	acache->stats.deleted = 0;
-	acache->stats.cleaned = 0;
-	acache->stats.overmem = 0;
-	acache->stats.overmem_nocreates = 0;
-	acache->stats.nomem = 0;
-}
-
-/*
- * The acache must be locked before calling.
- */
-static inline isc_boolean_t
-check_noentry(dns_acache_t *acache) {
-	if (ISC_LIST_EMPTY(acache->entries) && acache->dbentries == 0) {
-		return (ISC_TRUE);
-	}
-
-	return (ISC_FALSE);
-}
-
-/*
- * The acache must be locked before calling.
- */
-static void
-shutdown_entries(dns_acache_t *acache) {
-	dns_acacheentry_t *entry, *entry_next;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-	INSIST(acache->shutting_down);
-
-	/*
-	 * Release the dependency of all entries, and detach them.
-	 */
-	for (entry = ISC_LIST_HEAD(acache->entries);
-	     entry != NULL;
-	     entry = entry_next) {
-		entry_next = ISC_LIST_NEXT(entry, link);
-
-		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
-			    isc_rwlocktype_write);
-
-		/*
-		 * If the cleaner holds this entry, it will be unlinked and
-		 * freed in the cleaner later.
-		 */
-		if (acache->cleaner.current_entry != entry)
-			ISC_LIST_UNLINK(acache->entries, entry, link);
-		unlink_dbentries(acache, entry);
-		if (entry->callback != NULL) {
-			(entry->callback)(entry, &entry->cbarg);
-			entry->callback = NULL;
-		}
-
-		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
-			      isc_rwlocktype_write);
-
-		if (acache->cleaner.current_entry != entry)
-			dns_acache_detachentry(&entry);
-	}
-}
-
-/*
- * The acache must be locked before calling.
- */
-static void
-shutdown_buckets(dns_acache_t *acache) {
-	int i;
-	dbentry_t *dbent;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-	INSIST(acache->shutting_down);
-
-	for (i = 0; i < DBBUCKETS; i++) {
-		while ((dbent = ISC_LIST_HEAD(acache->dbbucket[i])) != NULL) {
-			INSIST(ISC_LIST_EMPTY(dbent->originlist) &&
-			       ISC_LIST_EMPTY(dbent->referlist));
-			ISC_LIST_UNLINK(acache->dbbucket[i], dbent, link);
-
-			dns_db_detach(&dbent->db);
-
-			isc_mem_put(acache->mctx, dbent, sizeof(*dbent));
-
-			acache->dbentries--;
-		}
-	}
-
-	INSIST(acache->dbentries == 0);
-}
-
-static void
-shutdown_task(isc_task_t *task, isc_event_t *ev) {
-	dns_acache_t *acache;
-
-	UNUSED(task);
-
-	acache = ev->ev_arg;
-	INSIST(DNS_ACACHE_VALID(acache));
-
-	isc_event_free(&ev);
-
-	LOCK(&acache->lock);
-
-	shutdown_entries(acache);
-	shutdown_buckets(acache);
-
-	UNLOCK(&acache->lock);
-
-	dns_acache_detach(&acache);
-}
-
-/* The acache and the entry must be locked before calling. */
-static inline void
-unlink_dbentries(dns_acache_t *acache, dns_acacheentry_t *ent) {
-	isc_result_t result;
-	dbentry_t *dbent;
-
-	if (ISC_LINK_LINKED(ent, olink)) {
-		INSIST(ent->origdb != NULL);
-		dbent = NULL;
-		result = finddbent(acache, ent->origdb, &dbent);
-		INSIST(result == ISC_R_SUCCESS);
-
-		ISC_LIST_UNLINK(dbent->originlist, ent, olink);
-	}
-	if (ISC_LINK_LINKED(ent, rlink)) {
-		INSIST(ent->db != NULL);
-		dbent = NULL;
-		result = finddbent(acache, ent->db, &dbent);
-		INSIST(result == ISC_R_SUCCESS);
-
-		ISC_LIST_UNLINK(dbent->referlist, ent, rlink);
-	}
-}
-
-/* There must not be a reference to this entry. */
-static void
-destroy_entry(dns_acacheentry_t *entry) {
-	dns_acache_t *acache;
-
-	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
-
-	acache = entry->acache;
-	REQUIRE(DNS_ACACHE_VALID(acache));
-
-	/*
-	 * Since there is no reference to this entry, it is safe to call
-	 * clear_entry() here.
-	 */
-	clear_entry(acache, entry);
-
-	isc_mem_put(acache->mctx, entry, sizeof(*entry));
-
-	dns_acache_detach(&acache);
-}
-
-static void
-destroy(dns_acache_t *acache) {
-	int i;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-
-	ATRACE("destroy");
-
-	isc_mem_setwater(acache->mctx, NULL, NULL, 0, 0);
-
-	if (acache->cleaner.overmem_event != NULL)
-		isc_event_free(&acache->cleaner.overmem_event);
-
-	if (acache->cleaner.resched_event != NULL)
-		isc_event_free(&acache->cleaner.resched_event);
-
-	if (acache->task != NULL)
-		isc_task_detach(&acache->task);
-
-	for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++)
-		ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
-	isc_mem_put(acache->mctx, acache->entrylocks,
-		    sizeof(*acache->entrylocks) *
-		    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
-
-	DESTROYLOCK(&acache->cleaner.lock);
-
-	DESTROYLOCK(&acache->lock);
-	acache->magic = 0;
-
-	isc_mem_putanddetach(&acache->mctx, acache, sizeof(*acache));
-}
-
-static inline isc_result_t
-finddbent(dns_acache_t *acache, dns_db_t *db, dbentry_t **dbentryp) {
-	int bucket;
-	dbentry_t *dbentry;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-	REQUIRE(db != NULL);
-	REQUIRE(dbentryp != NULL && *dbentryp == NULL);
-
-	/*
-	 * The caller must be holding the acache lock.
-	 */
-
-	bucket = isc_hash_calc((const unsigned char *)&db,
-			       sizeof(db), ISC_TRUE) % DBBUCKETS;
-
-	for (dbentry = ISC_LIST_HEAD(acache->dbbucket[bucket]);
-	     dbentry != NULL;
-	     dbentry = ISC_LIST_NEXT(dbentry, link)) {
-		if (dbentry->db == db)
-			break;
-	}
-
-	*dbentryp = dbentry;
-
-	if (dbentry == NULL)
-		return (ISC_R_NOTFOUND);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static inline void
-clear_entry(dns_acache_t *acache, dns_acacheentry_t *entry) {
-	REQUIRE(DNS_ACACHE_VALID(acache));
-	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
-
-	/*
-	 * The caller must be holing the entry lock.
-	 */
-
-	if (entry->foundname) {
-		dns_rdataset_t *rdataset, *rdataset_next;
-
-		for (rdataset = ISC_LIST_HEAD(entry->foundname->list);
-		     rdataset != NULL;
-		     rdataset = rdataset_next) {
-			rdataset_next = ISC_LIST_NEXT(rdataset, link);
-			ISC_LIST_UNLINK(entry->foundname->list,
-					rdataset, link);
-			dns_rdataset_disassociate(rdataset);
-			isc_mem_put(acache->mctx, rdataset, sizeof(*rdataset));
-		}
-		if (dns_name_dynamic(entry->foundname))
-			dns_name_free(entry->foundname, acache->mctx);
-		isc_mem_put(acache->mctx, entry->foundname,
-			    sizeof(*entry->foundname));
-		entry->foundname = NULL;
-	}
-
-	if (entry->node != NULL) {
-		INSIST(entry->db != NULL);
-		dns_db_detachnode(entry->db, &entry->node);
-	}
-	if (entry->version != NULL) {
-		INSIST(entry->db != NULL);
-		dns_db_closeversion(entry->db, &entry->version, ISC_FALSE);
-	}
-	if (entry->db != NULL)
-		dns_db_detach(&entry->db);
-	if (entry->zone != NULL)
-		dns_zone_detach(&entry->zone);
-
-	if (entry->origdb != NULL)
-		dns_db_detach(&entry->origdb);
-}
-
-static isc_result_t
-acache_cleaner_init(dns_acache_t *acache, isc_timermgr_t *timermgr,
-		    acache_cleaner_t *cleaner)
-{
-	int result;
-
-	ATRACE("acache cleaner init");
-
-	result = isc_mutex_init(&cleaner->lock);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	cleaner->increment = DNS_ACACHE_CLEANERINCREMENT;
-	cleaner->state = cleaner_s_idle;
-	cleaner->acache = acache;
-	cleaner->overmem = ISC_FALSE;
-
-	cleaner->cleaning_timer = NULL;
-	cleaner->resched_event = NULL;
-	cleaner->overmem_event = NULL;
-	cleaner->current_entry = NULL;
-
-	if (timermgr != NULL) {
-		cleaner->acache->live_cleaners++;
-
-		result = isc_task_onshutdown(acache->task,
-					     acache_cleaner_shutdown_action,
-					     acache);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "acache cleaner: "
-					 "isc_task_onshutdown() failed: %s",
-					 dns_result_totext(result));
-			goto cleanup;
-		}
-
-		cleaner->cleaning_interval = 0; /* Initially turned off. */
-		isc_stdtime_get(&cleaner->last_cleanup_time);
-		result = isc_timer_create(timermgr, isc_timertype_inactive,
-					  NULL, NULL,
-					  acache->task,
-					  acache_cleaning_timer_action,
-					  cleaner, &cleaner->cleaning_timer);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_timer_create() failed: %s",
-					 dns_result_totext(result));
-			result = ISC_R_UNEXPECTED;
-			goto cleanup;
-		}
-
-		cleaner->resched_event =
-			isc_event_allocate(acache->mctx, cleaner,
-					   DNS_EVENT_ACACHECLEAN,
-					   acache_incremental_cleaning_action,
-					   cleaner, sizeof(isc_event_t));
-		if (cleaner->resched_event == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-
-		cleaner->overmem_event =
-			isc_event_allocate(acache->mctx, cleaner,
-					   DNS_EVENT_ACACHEOVERMEM,
-					   acache_overmem_cleaning_action,
-					   cleaner, sizeof(isc_event_t));
-		if (cleaner->overmem_event == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (cleaner->overmem_event != NULL)
-		isc_event_free(&cleaner->overmem_event);
-	if (cleaner->resched_event != NULL)
-		isc_event_free(&cleaner->resched_event);
-	if (cleaner->cleaning_timer != NULL)
-		isc_timer_detach(&cleaner->cleaning_timer);
-	cleaner->acache->live_cleaners--;
-	DESTROYLOCK(&cleaner->lock);
- fail:
-	return (result);
-}
-
-static void
-begin_cleaning(acache_cleaner_t *cleaner) {
-	dns_acacheentry_t *head;
-	dns_acache_t *acache = cleaner->acache;
-
-	/*
-	 * This function does not have to lock the cleaner, since critical
-	 * parameters (except current_entry, which is locked by acache lock,)
-	 * are only used in a single task context.
-	 */
-
-	REQUIRE(CLEANER_IDLE(cleaner));
-	INSIST(DNS_ACACHE_VALID(acache));
-	INSIST(cleaner->current_entry == NULL);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-		      DNS_LOGMODULE_ACACHE, ISC_LOG_DEBUG(1),
-		      "begin acache cleaning, mem inuse %lu",
-		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
-
-	LOCK(&acache->lock);
-
-	head = ISC_LIST_HEAD(acache->entries);
-	if (head != NULL)
-		dns_acache_attachentry(head, &cleaner->current_entry);
-
-	UNLOCK(&acache->lock);
-
-	if (cleaner->current_entry != NULL) {
-		cleaner->ncleaned = 0;
-		cleaner->state = cleaner_s_busy;
-		isc_task_send(acache->task, &cleaner->resched_event);
-	}
-
-	return;
-}
-
-static void
-end_cleaning(acache_cleaner_t *cleaner, isc_event_t *event) {
-	dns_acache_t *acache = cleaner->acache;
-
-	REQUIRE(CLEANER_BUSY(cleaner));
-	REQUIRE(event != NULL);
-	REQUIRE(DNS_ACACHEENTRY_VALID(cleaner->current_entry));
-
-	/* No need to lock the cleaner (see begin_cleaning()). */
-
-	LOCK(&acache->lock);
-
-	/*
-	 * Even if the cleaner has the last reference to the entry, which means
-	 * the entry has been unused, it may still be linked if unlinking the
-	 * entry has been delayed due to the reference.
-	 */
-	if (isc_refcount_current(&cleaner->current_entry->references) == 1) {
-		INSIST(cleaner->current_entry->callback == NULL);
-
-		if (ISC_LINK_LINKED(cleaner->current_entry, link)) {
-			ISC_LIST_UNLINK(acache->entries,
-					cleaner->current_entry, link);
-		}
-	}
-	dns_acache_detachentry(&cleaner->current_entry);
-
-	if (cleaner->overmem)
-		acache->stats.overmem++;
-	acache->stats.cleaned += cleaner->ncleaned;
-	acache->stats.cleaner_runs++;
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
-		      ISC_LOG_NOTICE,
-		      "acache %p stats: hits=%d misses=%d queries=%d "
-		      "adds=%d deleted=%d "
-		      "cleaned=%d cleaner_runs=%d overmem=%d "
-		      "overmem_nocreates=%d nomem=%d",
-		      acache,
-		      acache->stats.hits, acache->stats.misses,
-		      acache->stats.queries,
-		      acache->stats.adds, acache->stats.deleted,
-		      acache->stats.cleaned, acache->stats.cleaner_runs,
-		      acache->stats.overmem, acache->stats.overmem_nocreates,
-		      acache->stats.nomem);
-	reset_stats(acache);
-
-	isc_stdtime_get(&cleaner->last_cleanup_time);
-
-	UNLOCK(&acache->lock);
-
-	dns_acache_setcleaninginterval(cleaner->acache,
-				       cleaner->cleaning_interval);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
-		      ISC_LOG_DEBUG(1), "end acache cleaning, "
-		      "%lu entries cleaned, mem inuse %lu",
-		      cleaner->ncleaned,
-		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
-
-	if (cleaner->overmem) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_ACACHE, ISC_LOG_NOTICE,
-			      "acache is still in overmem state "
-			      "after cleaning");
-	}
-
-	cleaner->ncleaned = 0;
-	cleaner->state = cleaner_s_idle;
-	cleaner->resched_event = event;
-}
-
-/*
- * This is run once for every acache-cleaning-interval as defined
- * in named.conf.
- */
-static void
-acache_cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
-	acache_cleaner_t *cleaner = event->ev_arg;
-
-	UNUSED(task);
-
-	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
-		      ISC_LOG_DEBUG(1), "acache cleaning timer fired, "
-		      "cleaner state = %d", cleaner->state);
-
-	if (cleaner->state == cleaner_s_idle)
-		begin_cleaning(cleaner);
-
-	isc_event_free(&event);
-}
-
-/* The caller must hold entry lock. */
-static inline isc_boolean_t
-entry_stale(acache_cleaner_t *cleaner, dns_acacheentry_t *entry,
-	    isc_stdtime32_t now32, unsigned int interval)
-{
-	/*
-	 * If the callback has been canceled, we definitely do not need the
-	 * entry.
-	 */
-	if (entry->callback == NULL)
-		return (ISC_TRUE);
-
-	if (interval > cleaner->cleaning_interval)
-		interval = cleaner->cleaning_interval;
-
-	if (entry->lastused + interval < now32)
-		return (ISC_TRUE);
-
-	/*
-	 * If the acache is in the overmem state, probabilistically decide if
-	 * the entry should be purged, based on the time passed from its last
-	 * use and the cleaning interval.
-	 */
-	if (cleaner->overmem) {
-		unsigned int passed;
-		isc_uint32_t val;
-
-		if (isc_serial_ge(now32, entry->lastused))
-			passed = now32 - entry->lastused; /* <= interval */
-		else
-			passed = 0;
-
-		if (passed > interval / 2)
-			return (ISC_TRUE);
-		isc_random_get(&val);
-		if (passed > interval / 4)
-			return (ISC_TF(val % 4 == 0));
-		return (ISC_TF(val % 8 == 0));
-	}
-
-	return (ISC_FALSE);
-}
-
-/*
- * Do incremental cleaning.
- */
-static void
-acache_incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
-	acache_cleaner_t *cleaner = event->ev_arg;
-	dns_acache_t *acache = cleaner->acache;
-	dns_acacheentry_t *entry, *next = NULL;
-	int n_entries;
-	isc_stdtime32_t now32, last32;
-	isc_stdtime_t now;
-	unsigned int interval;
-
-	INSIST(DNS_ACACHE_VALID(acache));
-	INSIST(task == acache->task);
-	INSIST(event->ev_type == DNS_EVENT_ACACHECLEAN);
-
-	if (cleaner->state == cleaner_s_done) {
-		cleaner->state = cleaner_s_busy;
-		end_cleaning(cleaner, event);
-		return;
-	}
-
-	INSIST(CLEANER_BUSY(cleaner));
-
-	n_entries = cleaner->increment;
-
-	isc_stdtime_get(&now);
-	isc_stdtime_convert32(now, &now32);
-
-	LOCK(&acache->lock);
-
-	entry = cleaner->current_entry;
-	isc_stdtime_convert32(cleaner->last_cleanup_time, &last32);
-	if (isc_serial_ge(now32, last32))
-		interval = now32 - last32;
-	else
-		interval = 0;
-
-	while (n_entries-- > 0) {
-		isc_boolean_t is_stale = ISC_FALSE;
-
-		INSIST(entry != NULL);
-
-		next = ISC_LIST_NEXT(entry, link);
-
-		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
-			    isc_rwlocktype_write);
-
-		is_stale = entry_stale(cleaner, entry, now32, interval);
-		if (is_stale) {
-			ISC_LIST_UNLINK(acache->entries, entry, link);
-			unlink_dbentries(acache, entry);
-			if (entry->callback != NULL)
-				(entry->callback)(entry, &entry->cbarg);
-			entry->callback = NULL;
-
-			cleaner->ncleaned++;
-		}
-
-		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
-			      isc_rwlocktype_write);
-
-		if (is_stale)
-			dns_acache_detachentry(&entry);
-
-		if (next == NULL) {
-			if (cleaner->overmem) {
-				entry = ISC_LIST_HEAD(acache->entries);
-				if (entry != NULL) {
-					/*
-					 * If we are still in the overmem
-					 * state, keep cleaning.  In case we
-					 * exit from the loop immediately after
-					 * this, reset next to the head entry
-					 * as we'll expect it will be never
-					 * NULL.
-					 */
-					isc_log_write(dns_lctx,
-						      DNS_LOGCATEGORY_DATABASE,
-						      DNS_LOGMODULE_ACACHE,
-						      ISC_LOG_DEBUG(1),
-						      "acache cleaner: "
-						      "still overmem, "
-						      "reset and try again");
-					next = entry;
-					continue;
-				}
-			}
-
-			UNLOCK(&acache->lock);
-			end_cleaning(cleaner, event);
-			return;
-		}
-
-		entry = next;
-	}
-
-	/*
-	 * We have successfully performed a cleaning increment but have
-	 * not gone through the entire cache.  Remember the entry that will
-	 * be the starting point in the next clean-up, and reschedule another
-	 * batch.  If it fails, just try to continue anyway.
-	 */
-	INSIST(next != NULL);
-	dns_acache_detachentry(&cleaner->current_entry);
-	dns_acache_attachentry(next, &cleaner->current_entry);
-
-	UNLOCK(&acache->lock);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
-		      ISC_LOG_DEBUG(1), "acache cleaner: checked %d entries, "
-		      "mem inuse %lu, sleeping", cleaner->increment,
-		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
-
-	isc_task_send(task, &event);
-	INSIST(CLEANER_BUSY(cleaner));
-
-	return;
-}
-
-/*
- * This is called when the acache either surpasses its upper limit
- * or shrinks beyond its lower limit.
- */
-static void
-acache_overmem_cleaning_action(isc_task_t *task, isc_event_t *event) {
-	acache_cleaner_t *cleaner = event->ev_arg;
-	isc_boolean_t want_cleaning = ISC_FALSE;
-
-	UNUSED(task);
-
-	INSIST(event->ev_type == DNS_EVENT_ACACHEOVERMEM);
-	INSIST(cleaner->overmem_event == NULL);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
-		      ISC_LOG_DEBUG(1), "overmem_cleaning_action called, "
-		      "overmem = %d, state = %d", cleaner->overmem,
-		      cleaner->state);
-
-	LOCK(&cleaner->lock);
-
-	if (cleaner->overmem) {
-		if (cleaner->state == cleaner_s_idle)
-			want_cleaning = ISC_TRUE;
-	} else {
-		if (cleaner->state == cleaner_s_busy)
-			/*
-			 * end_cleaning() can't be called here because
-			 * then both cleaner->overmem_event and
-			 * cleaner->resched_event will point to this
-			 * event.  Set the state to done, and then
-			 * when the acache_incremental_cleaning_action() event
-			 * is posted, it will handle the end_cleaning.
-			 */
-			cleaner->state = cleaner_s_done;
-	}
-
-	cleaner->overmem_event = event;
-
-	UNLOCK(&cleaner->lock);
-
-	if (want_cleaning)
-		begin_cleaning(cleaner);
-}
-
-static void
-water(void *arg, int mark) {
-	dns_acache_t *acache = arg;
-	isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-		      DNS_LOGMODULE_ACACHE, ISC_LOG_DEBUG(1),
-		      "acache memory reaches %s watermark, mem inuse %lu",
-		      overmem ? "high" : "low",
-		      (unsigned long)isc_mem_inuse(acache->mctx));
-
-	LOCK(&acache->cleaner.lock);
-
-	if (acache->cleaner.overmem != overmem) {
-		acache->cleaner.overmem = overmem;
-
-		if (acache->cleaner.overmem_event != NULL)
-			isc_task_send(acache->task,
-				      &acache->cleaner.overmem_event);
-		isc_mem_waterack(acache->mctx, mark);
-	}
-
-	UNLOCK(&acache->cleaner.lock);
-}
-
-/*
- * The cleaner task is shutting down; do the necessary cleanup.
- */
-static void
-acache_cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
-	dns_acache_t *acache = event->ev_arg;
-	isc_boolean_t should_free = ISC_FALSE;
-
-	INSIST(task == acache->task);
-	INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
-	INSIST(DNS_ACACHE_VALID(acache));
-
-	ATRACE("acache cleaner shutdown");
-
-	if (CLEANER_BUSY(&acache->cleaner))
-		end_cleaning(&acache->cleaner, event);
-	else
-		isc_event_free(&event);
-
-	LOCK(&acache->lock);
-
-	acache->live_cleaners--;
-	INSIST(acache->live_cleaners == 0);
-
-	if (isc_refcount_current(&acache->refs) == 0) {
-		INSIST(check_noentry(acache) == ISC_TRUE);
-		should_free = ISC_TRUE;
-	}
-
-	/*
-	 * By detaching the timer in the context of its task,
-	 * we are guaranteed that there will be no further timer
-	 * events.
-	 */
-	if (acache->cleaner.cleaning_timer != NULL)
-		isc_timer_detach(&acache->cleaner.cleaning_timer);
-
-	/* Make sure we don't reschedule anymore. */
-	(void)isc_task_purge(task, NULL, DNS_EVENT_ACACHECLEAN, NULL);
-
-	UNLOCK(&acache->lock);
-
-	if (should_free)
-		destroy(acache);
-}
-
-/*
- *	Public functions.
- */
-
-isc_result_t
-dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
-		  isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr)
-{
-	int i;
-	isc_result_t result;
-	dns_acache_t *acache;
-
-	REQUIRE(acachep != NULL && *acachep == NULL);
-	REQUIRE(mctx != NULL);
-	REQUIRE(taskmgr != NULL);
-
-	acache = isc_mem_get(mctx, sizeof(*acache));
-	if (acache == NULL)
-		return (ISC_R_NOMEMORY);
-
-	ATRACE("create");
-
-	result = isc_refcount_init(&acache->refs, 1);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, acache, sizeof(*acache));
-		return (result);
-	}
-
-	result = isc_mutex_init(&acache->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_refcount_decrement(&acache->refs, NULL);
-		isc_refcount_destroy(&acache->refs);
-		isc_mem_put(mctx, acache, sizeof(*acache));
-		return (result);
-	}
-
-	acache->mctx = NULL;
-	isc_mem_attach(mctx, &acache->mctx);
-	ISC_LIST_INIT(acache->entries);
-
-	acache->shutting_down = ISC_FALSE;
-
-	acache->task = NULL;
-	acache->entrylocks = NULL;
-
-	result = isc_task_create(taskmgr, 1, &acache->task);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_task_create() failed(): %s",
-				 dns_result_totext(result));
-		result = ISC_R_UNEXPECTED;
-		goto cleanup;
-	}
-	isc_task_setname(acache->task, "acachetask", acache);
-	ISC_EVENT_INIT(&acache->cevent, sizeof(acache->cevent), 0, NULL,
-		       DNS_EVENT_ACACHECONTROL, shutdown_task, NULL,
-		       NULL, NULL, NULL);
-	acache->cevent_sent = ISC_FALSE;
-
-	acache->dbentries = 0;
-	for (i = 0; i < DBBUCKETS; i++)
-		ISC_LIST_INIT(acache->dbbucket[i]);
-
-	acache->entrylocks = isc_mem_get(mctx, sizeof(*acache->entrylocks) *
-					 DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
-	if (acache->entrylocks == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++) {
-		result = ACACHE_INITLOCK(&acache->entrylocks[i]);
-		if (result != ISC_R_SUCCESS) {
-			while (i-- > 0)
-				ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
-			isc_mem_put(mctx, acache->entrylocks,
-				    sizeof(*acache->entrylocks) *
-				    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
-			acache->entrylocks = NULL;
-			goto cleanup;
-		}
-	}
-
-	acache->live_cleaners = 0;
-	result = acache_cleaner_init(acache, timermgr, &acache->cleaner);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	acache->stats.cleaner_runs = 0;
-	reset_stats(acache);
-
-	acache->magic = ACACHE_MAGIC;
-
-	*acachep = acache;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (acache->task != NULL)
-		isc_task_detach(&acache->task);
-	DESTROYLOCK(&acache->lock);
-	isc_refcount_decrement(&acache->refs, NULL);
-	isc_refcount_destroy(&acache->refs);
-	if (acache->entrylocks != NULL) {
-		for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++)
-			ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
-		isc_mem_put(mctx, acache->entrylocks,
-			    sizeof(*acache->entrylocks) *
-			    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
-	}
-	isc_mem_put(mctx, acache, sizeof(*acache));
-	isc_mem_detach(&mctx);
-
-	return (result);
-}
-
-void
-dns_acache_attach(dns_acache_t *source, dns_acache_t **targetp) {
-	REQUIRE(DNS_ACACHE_VALID(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	AATRACE(source, "attach");
-
-	isc_refcount_increment(&source->refs, NULL);
-
-	*targetp = source;
-}
-
-void
-dns_acache_countquerymiss(dns_acache_t *acache) {
-	acache->stats.misses++; 	/* XXXSK danger: unlocked! */
-	acache->stats.queries++;	/* XXXSK danger: unlocked! */
-}
-
-void
-dns_acache_detach(dns_acache_t **acachep) {
-	dns_acache_t *acache;
-	unsigned int refs;
-	isc_boolean_t should_free = ISC_FALSE;
-
-	REQUIRE(acachep != NULL && DNS_ACACHE_VALID(*acachep));
-	acache = *acachep;
-
-	ATRACE("detach");
-
-	isc_refcount_decrement(&acache->refs, &refs);
-	if (refs == 0) {
-		INSIST(check_noentry(acache) == ISC_TRUE);
-		should_free = ISC_TRUE;
-	}
-
-	*acachep = NULL;
-
-	/*
-	 * If we're exiting and the cleaner task exists, let it free the cache.
-	 */
-	if (should_free && acache->live_cleaners > 0) {
-		isc_task_shutdown(acache->task);
-		should_free = ISC_FALSE;
-	}
-
-	if (should_free)
-		destroy(acache);
-}
-
-void
-dns_acache_shutdown(dns_acache_t *acache) {
-	REQUIRE(DNS_ACACHE_VALID(acache));
-
-	LOCK(&acache->lock);
-
-	ATRACE("shutdown");
-
-	if (!acache->shutting_down) {
-		isc_event_t *event;
-		dns_acache_t *acache_evarg = NULL;
-
-		INSIST(!acache->cevent_sent);
-
-		acache->shutting_down = ISC_TRUE;
-
-		isc_mem_setwater(acache->mctx, NULL, NULL, 0, 0);
-
-		/*
-		 * Self attach the object in order to prevent it from being
-		 * destroyed while waiting for the event.
-		 */
-		dns_acache_attach(acache, &acache_evarg);
-		event = &acache->cevent;
-		event->ev_arg = acache_evarg;
-		isc_task_send(acache->task, &event);
-		acache->cevent_sent = ISC_TRUE;
-	}
-
-	UNLOCK(&acache->lock);
-}
-
-isc_result_t
-dns_acache_setdb(dns_acache_t *acache, dns_db_t *db) {
-	int bucket;
-	dbentry_t *dbentry;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-	REQUIRE(db != NULL);
-
-	ATRACE("setdb");
-
-	LOCK(&acache->lock);
-
-	dbentry = NULL;
-	result = finddbent(acache, db, &dbentry);
-	if (result == ISC_R_SUCCESS) {
-		result = ISC_R_EXISTS;
-		goto end;
-	}
-	result = ISC_R_SUCCESS;
-
-	dbentry = isc_mem_get(acache->mctx, sizeof(*dbentry));
-	if (dbentry == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto end;
-	}
-
-	ISC_LINK_INIT(dbentry, link);
-	ISC_LIST_INIT(dbentry->originlist);
-	ISC_LIST_INIT(dbentry->referlist);
-
-	dbentry->db = NULL;
-	dns_db_attach(db, &dbentry->db);
-
-	bucket = isc_hash_calc((const unsigned char *)&db,
-			       sizeof(db), ISC_TRUE) % DBBUCKETS;
-
-	ISC_LIST_APPEND(acache->dbbucket[bucket], dbentry, link);
-
-	acache->dbentries++;
-
- end:
-	UNLOCK(&acache->lock);
-
-	return (result);
-}
-
-isc_result_t
-dns_acache_putdb(dns_acache_t *acache, dns_db_t *db) {
-	int bucket;
-	isc_result_t result;
-	dbentry_t *dbentry;
-	dns_acacheentry_t *entry;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-	REQUIRE(db != NULL);
-
-	ATRACE("putdb");
-
-	LOCK(&acache->lock);
-
-	dbentry = NULL;
-	result = finddbent(acache, db, &dbentry);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * The entry may have not been created due to memory shortage.
-		 */
-		UNLOCK(&acache->lock);
-		return (ISC_R_NOTFOUND);
-	}
-
-	/*
-	 * Release corresponding cache entries: for each entry, release all
-	 * links the entry has, and then callback to the entry holder (if any).
-	 * If no other external references exist (this can happen if the
-	 * original holder has canceled callback,) destroy it here.
-	 */
-	while ((entry = ISC_LIST_HEAD(dbentry->originlist)) != NULL) {
-		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
-			    isc_rwlocktype_write);
-
-		/*
-		 * Releasing olink first would avoid finddbent() in
-		 * unlink_dbentries().
-		 */
-		ISC_LIST_UNLINK(dbentry->originlist, entry, olink);
-		if (acache->cleaner.current_entry != entry)
-			ISC_LIST_UNLINK(acache->entries, entry, link);
-		unlink_dbentries(acache, entry);
-
-		if (entry->callback != NULL)
-			(entry->callback)(entry, &entry->cbarg);
-		entry->callback = NULL;
-
-		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
-			      isc_rwlocktype_write);
-
-		if (acache->cleaner.current_entry != entry)
-			dns_acache_detachentry(&entry);
-	}
-	while ((entry = ISC_LIST_HEAD(dbentry->referlist)) != NULL) {
-		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
-			    isc_rwlocktype_write);
-
-		ISC_LIST_UNLINK(dbentry->referlist, entry, rlink);
-		if (acache->cleaner.current_entry != entry)
-			ISC_LIST_UNLINK(acache->entries, entry, link);
-		unlink_dbentries(acache, entry);
-
-		if (entry->callback != NULL)
-			(entry->callback)(entry, &entry->cbarg);
-		entry->callback = NULL;
-
-		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
-			      isc_rwlocktype_write);
-
-		if (acache->cleaner.current_entry != entry)
-			dns_acache_detachentry(&entry);
-	}
-
-	INSIST(ISC_LIST_EMPTY(dbentry->originlist) &&
-	       ISC_LIST_EMPTY(dbentry->referlist));
-
-	bucket = isc_hash_calc((const unsigned char *)&db,
-			       sizeof(db), ISC_TRUE) % DBBUCKETS;
-	ISC_LIST_UNLINK(acache->dbbucket[bucket], dbentry, link);
-	dns_db_detach(&dbentry->db);
-
-	isc_mem_put(acache->mctx, dbentry, sizeof(*dbentry));
-
-	acache->dbentries--;
-
-	acache->stats.deleted++;
-
-	UNLOCK(&acache->lock);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
-		       void (*callback)(dns_acacheentry_t *, void **),
-		       void *cbarg, dns_acacheentry_t **entryp)
-{
-	dns_acacheentry_t *newentry;
-	isc_result_t result;
-	isc_uint32_t r;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-	REQUIRE(entryp != NULL && *entryp == NULL);
-	REQUIRE(origdb != NULL);
-
-	/*
-	 * Should we exceed our memory limit for some reason (for
-	 * example, if the cleaner does not run aggressively enough),
-	 * then we will not create additional entries.
-	 *
-	 * XXXSK: It might be better to lock the acache->cleaner->lock,
-	 * but locking may be an expensive bottleneck. If we misread
-	 * the value, we will occasionally refuse to create a few
-	 * cache entries, or create a few that we should not. I do not
-	 * expect this to happen often, and it will not have very bad
-	 * effects when it does. So no lock for now.
-	 */
-	if (acache->cleaner.overmem) {
-		acache->stats.overmem_nocreates++; /* XXXSK danger: unlocked! */
-		return (ISC_R_NORESOURCES);
-	}
-
-	newentry = isc_mem_get(acache->mctx, sizeof(*newentry));
-	if (newentry == NULL) {
-		acache->stats.nomem++;  /* XXXMLG danger: unlocked! */
-		return (ISC_R_NOMEMORY);
-	}
-
-	isc_random_get(&r);
-	newentry->locknum = r % DEFAULT_ACACHE_ENTRY_LOCK_COUNT;
-
-	result = isc_refcount_init(&newentry->references, 1);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(acache->mctx, newentry, sizeof(*newentry));
-		return (result);
-	};
-
-	ISC_LINK_INIT(newentry, link);
-	ISC_LINK_INIT(newentry, olink);
-	ISC_LINK_INIT(newentry, rlink);
-
-	newentry->acache = NULL;
-	dns_acache_attach(acache, &newentry->acache);
-
-	newentry->zone = NULL;
-	newentry->db = NULL;
-	newentry->version = NULL;
-	newentry->node = NULL;
-	newentry->foundname = NULL;
-
-	newentry->callback = callback;
-	newentry->cbarg = cbarg;
-	newentry->origdb = NULL;
-	dns_db_attach(origdb, &newentry->origdb);
-
-	isc_stdtime_get(&newentry->lastused);
-
-	newentry->magic = ACACHEENTRY_MAGIC;
-
-	*entryp = newentry;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
-		    dns_db_t **dbp, dns_dbversion_t **versionp,
-		    dns_dbnode_t **nodep, dns_name_t *fname,
-		    dns_message_t *msg, isc_stdtime_t now)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_rdataset_t *erdataset;
-	isc_stdtime32_t	now32;
-	dns_acache_t *acache;
-	int locknum;
-
-	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
-	REQUIRE(zonep == NULL || *zonep == NULL);
-	REQUIRE(dbp != NULL && *dbp == NULL);
-	REQUIRE(versionp != NULL && *versionp == NULL);
-	REQUIRE(nodep != NULL && *nodep == NULL);
-	REQUIRE(fname != NULL);
-	REQUIRE(msg != NULL);
-	acache = entry->acache;
-	REQUIRE(DNS_ACACHE_VALID(acache));
-
-	locknum = entry->locknum;
-	ACACHE_LOCK(&acache->entrylocks[locknum], isc_rwlocktype_read);
-
-	isc_stdtime_convert32(now, &now32);
-	acache_storetime(entry, now32);
-
-	if (entry->zone != NULL && zonep != NULL)
-		dns_zone_attach(entry->zone, zonep);
-
-	if (entry->db == NULL) {
-		*dbp = NULL;
-		*versionp = NULL;
-	} else {
-		dns_db_attach(entry->db, dbp);
-		dns_db_attachversion(entry->db, entry->version, versionp);
-	}
-	if (entry->node == NULL)
-		*nodep = NULL;
-	else {
-		dns_db_attachnode(entry->db, entry->node, nodep);
-
-		INSIST(entry->foundname != NULL);
-		dns_name_copy(entry->foundname, fname, NULL);
-		for (erdataset = ISC_LIST_HEAD(entry->foundname->list);
-		     erdataset != NULL;
-		     erdataset = ISC_LIST_NEXT(erdataset, link)) {
-			dns_rdataset_t *ardataset;
-
-			ardataset = NULL;
-			result = dns_message_gettemprdataset(msg, &ardataset);
-			if (result != ISC_R_SUCCESS) {
-				ACACHE_UNLOCK(&acache->entrylocks[locknum],
-					      isc_rwlocktype_read);
-				goto fail;
-			}
-
-			/*
-			 * XXXJT: if we simply clone the rdataset, we'll get
-			 * lost wrt cyclic ordering.  We'll need an additional
-			 * trick to get the latest counter from the original
-			 * header.
-			 */
-			dns_rdataset_init(ardataset);
-			dns_rdataset_clone(erdataset, ardataset);
-			ISC_LIST_APPEND(fname->list, ardataset, link);
-		}
-	}
-
-	entry->acache->stats.hits++; /* XXXMLG danger: unlocked! */
-	entry->acache->stats.queries++;
-
-	ACACHE_UNLOCK(&acache->entrylocks[locknum], isc_rwlocktype_read);
-
-	return (result);
-
-  fail:
-	while ((erdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
-		ISC_LIST_UNLINK(fname->list, erdataset, link);
-		dns_rdataset_disassociate(erdataset);
-		dns_message_puttemprdataset(msg, &erdataset);
-	}
-	if (*nodep != NULL)
-		dns_db_detachnode(*dbp, nodep);
-	if (*versionp != NULL)
-		dns_db_closeversion(*dbp, versionp, ISC_FALSE);
-	if (*dbp != NULL)
-		dns_db_detach(dbp);
-	if (zonep != NULL && *zonep != NULL)
-		dns_zone_detach(zonep);
-
-	return (result);
-}
-
-isc_result_t
-dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
-		    dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
-		    dns_dbnode_t *node, dns_name_t *fname)
-{
-	isc_result_t result;
-	dbentry_t *odbent;
-	dbentry_t *rdbent = NULL;
-	isc_boolean_t close_version = ISC_FALSE;
-	dns_acacheentry_t *dummy_entry = NULL;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
-
-	LOCK(&acache->lock);	/* XXX: need to lock it here for ordering */
-	ACACHE_LOCK(&acache->entrylocks[entry->locknum], isc_rwlocktype_write);
-
-	/* Set zone */
-	if (zone != NULL)
-		dns_zone_attach(zone, &entry->zone);
-	/* Set DB */
-	if (db != NULL)
-		dns_db_attach(db, &entry->db);
-	/*
-	 * Set DB version.  If the version is not given by the caller,
-	 * which is the case for glue or cache DBs, use the current version.
-	 */
-	if (version == NULL) {
-		if (db != NULL) {
-			dns_db_currentversion(db, &version);
-			close_version = ISC_TRUE;
-		}
-	}
-	if (version != NULL) {
-		INSIST(db != NULL);
-		dns_db_attachversion(db, version, &entry->version);
-	}
-	if (close_version)
-		dns_db_closeversion(db, &version, ISC_FALSE);
-	/* Set DB node. */
-	if (node != NULL) {
-		INSIST(db != NULL);
-		dns_db_attachnode(db, node, &entry->node);
-	}
-
-	/*
-	 * Set list of the corresponding rdatasets, if given.
-	 * To minimize the overhead and memory consumption, we'll do this for
-	 * positive cache only, in which case the DB node is non NULL.
-	 * We do not want to cache incomplete information, so give up the
-	 * entire entry when a memory shortage happen during the process.
-	 */
-	if (node != NULL) {
-		dns_rdataset_t *ardataset, *crdataset;
-
-		entry->foundname = isc_mem_get(acache->mctx,
-					       sizeof(*entry->foundname));
-
-		if (entry->foundname == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto fail;
-		}
-		dns_name_init(entry->foundname, NULL);
-		result = dns_name_dup(fname, acache->mctx,
-				      entry->foundname);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-
-		for (ardataset = ISC_LIST_HEAD(fname->list);
-		     ardataset != NULL;
-		     ardataset = ISC_LIST_NEXT(ardataset, link)) {
-			crdataset = isc_mem_get(acache->mctx,
-						sizeof(*crdataset));
-			if (crdataset == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto fail;
-			}
-
-			dns_rdataset_init(crdataset);
-			dns_rdataset_clone(ardataset, crdataset);
-			ISC_LIST_APPEND(entry->foundname->list, crdataset,
-					link);
-		}
-	}
-
-	odbent = NULL;
-	result = finddbent(acache, entry->origdb, &odbent);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	if (db != NULL) {
-		rdbent = NULL;
-		result = finddbent(acache, db, &rdbent);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	}
-
-	ISC_LIST_APPEND(acache->entries, entry, link);
-	ISC_LIST_APPEND(odbent->originlist, entry, olink);
-	if (rdbent != NULL)
-		ISC_LIST_APPEND(rdbent->referlist, entry, rlink);
-
-	/*
-	 * The additional cache needs an implicit reference to entries in its
-	 * link.
-	 */
-	dns_acache_attachentry(entry, &dummy_entry);
-
-	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
-		      isc_rwlocktype_write);
-
-	acache->stats.adds++;
-	UNLOCK(&acache->lock);
-
-	return (ISC_R_SUCCESS);
-
- fail:
-	clear_entry(acache, entry);
-
-	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
-		      isc_rwlocktype_write);
-	UNLOCK(&acache->lock);
-
-	return (result);
-}
-
-isc_boolean_t
-dns_acache_cancelentry(dns_acacheentry_t *entry) {
-	dns_acache_t *acache;
-	isc_boolean_t callback_active;
-
-	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
-
-	acache = entry->acache;
-	callback_active = ISC_TF(entry->cbarg != NULL);
-
-	INSIST(DNS_ACACHE_VALID(entry->acache));
-
-	LOCK(&acache->lock);
-	ACACHE_LOCK(&acache->entrylocks[entry->locknum], isc_rwlocktype_write);
-
-	/*
-	 * Release dependencies stored in this entry as much as possible.
-	 * The main link cannot be released, since the acache object has
-	 * a reference to this entry; the empty entry will be released in
-	 * the next cleaning action.
-	 */
-	unlink_dbentries(acache, entry);
-	clear_entry(entry->acache, entry);
-
-	entry->callback = NULL;
-	entry->cbarg = NULL;
-
-	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
-		      isc_rwlocktype_write);
-	UNLOCK(&acache->lock);
-
-	return (callback_active);
-}
-
-void
-dns_acache_attachentry(dns_acacheentry_t *source,
-		       dns_acacheentry_t **targetp)
-{
-	REQUIRE(DNS_ACACHEENTRY_VALID(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	isc_refcount_increment(&source->references, NULL);
-
-	*targetp = source;
-}
-
-void
-dns_acache_detachentry(dns_acacheentry_t **entryp) {
-	dns_acacheentry_t *entry;
-	unsigned int refs;
-
-	REQUIRE(entryp != NULL && DNS_ACACHEENTRY_VALID(*entryp));
-	entry = *entryp;
-
-	isc_refcount_decrement(&entry->references, &refs);
-
-	/*
-	 * If there are no references to the entry, the entry must have been
-	 * unlinked and can be destroyed safely.
-	 */
-	if (refs == 0) {
-		INSIST(!ISC_LINK_LINKED(entry, link));
-		(*entryp)->acache->stats.deleted++;
-		destroy_entry(entry);
-	}
-
-	*entryp = NULL;
-}
-
-void
-dns_acache_setcleaninginterval(dns_acache_t *acache, unsigned int t) {
-	isc_interval_t interval;
-	isc_result_t result;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-
-	ATRACE("dns_acache_setcleaninginterval");
-
-	LOCK(&acache->lock);
-
-	/*
-	 * It may be the case that the acache has already shut down.
-	 * If so, it has no timer.  (Not sure if this can really happen.)
-	 */
-	if (acache->cleaner.cleaning_timer == NULL)
-		goto unlock;
-
-	acache->cleaner.cleaning_interval = t;
-
-	if (t == 0) {
-		result = isc_timer_reset(acache->cleaner.cleaning_timer,
-					 isc_timertype_inactive,
-					 NULL, NULL, ISC_TRUE);
-	} else {
-		isc_interval_set(&interval, acache->cleaner.cleaning_interval,
-				 0);
-		result = isc_timer_reset(acache->cleaner.cleaning_timer,
-					 isc_timertype_ticker,
-					 NULL, &interval, ISC_FALSE);
-	}
-	if (result != ISC_R_SUCCESS)
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_ACACHE, ISC_LOG_WARNING,
-			      "could not set acache cleaning interval: %s",
-			      isc_result_totext(result));
-	else
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_ACACHE, ISC_LOG_NOTICE,
-			      "acache %p cleaning interval set to %d.",
-			      acache, t);
-
- unlock:
-	UNLOCK(&acache->lock);
-}
-
-/*
- * This function was derived from cache.c:dns_cache_setcachesize().  See the
- * function for more details about the logic.
- */
-void
-dns_acache_setcachesize(dns_acache_t *acache, size_t size) {
-	size_t hiwater, lowater;
-
-	REQUIRE(DNS_ACACHE_VALID(acache));
-
-	if (size != 0U && size < DNS_ACACHE_MINSIZE)
-		size = DNS_ACACHE_MINSIZE;
-
-	hiwater = size - (size >> 3);
-	lowater = size - (size >> 2);
-
-	if (size == 0U || hiwater == 0U || lowater == 0U)
-		isc_mem_setwater(acache->mctx, water, acache, 0, 0);
-	else
-		isc_mem_setwater(acache->mctx, water, acache,
-				 hiwater, lowater);
-}
diff --git a/contrib/bind9/lib/dns/acl.c b/contrib/bind9/lib/dns/acl.c
deleted file mode 100644
index 3221d30..0000000
--- a/contrib/bind9/lib/dns/acl.c
+++ /dev/null
@@ -1,633 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acl.c,v 1.55 2011/06/17 23:47:49 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/iptable.h>
-
-/*
- * Create a new ACL, including an IP table and an array with room
- * for 'n' ACL elements.  The elements are uninitialized and the
- * length is 0.
- */
-isc_result_t
-dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
-	isc_result_t result;
-	dns_acl_t *acl;
-
-	/*
-	 * Work around silly limitation of isc_mem_get().
-	 */
-	if (n == 0)
-		n = 1;
-
-	acl = isc_mem_get(mctx, sizeof(*acl));
-	if (acl == NULL)
-		return (ISC_R_NOMEMORY);
-
-	acl->mctx = NULL;
-	isc_mem_attach(mctx, &acl->mctx);
-
-	acl->name = NULL;
-
-	result = isc_refcount_init(&acl->refcount, 1);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, acl, sizeof(*acl));
-		return (result);
-	}
-
-	result = dns_iptable_create(mctx, &acl->iptable);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, acl, sizeof(*acl));
-		return (result);
-	}
-
-	acl->elements = NULL;
-	acl->alloc = 0;
-	acl->length = 0;
-	acl->has_negatives = ISC_FALSE;
-
-	ISC_LINK_INIT(acl, nextincache);
-	/*
-	 * Must set magic early because we use dns_acl_detach() to clean up.
-	 */
-	acl->magic = DNS_ACL_MAGIC;
-
-	acl->elements = isc_mem_get(mctx, n * sizeof(dns_aclelement_t));
-	if (acl->elements == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	acl->alloc = n;
-	memset(acl->elements, 0, n * sizeof(dns_aclelement_t));
-	*target = acl;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_acl_detach(&acl);
-	return (result);
-}
-
-/*
- * Create a new ACL and initialize it with the value "any" or "none",
- * depending on the value of the "neg" parameter.
- * "any" is a positive iptable entry with bit length 0.
- * "none" is the same as "!any".
- */
-static isc_result_t
-dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
-	isc_result_t result;
-	dns_acl_t *acl = NULL;
-
-	result = dns_acl_create(mctx, 0, &acl);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg));
-	if (result != ISC_R_SUCCESS) {
-		dns_acl_detach(&acl);
-		return (result);
-	}
-
-	*target = acl;
-	return (result);
-}
-
-/*
- * Create a new ACL that matches everything.
- */
-isc_result_t
-dns_acl_any(isc_mem_t *mctx, dns_acl_t **target) {
-	return (dns_acl_anyornone(mctx, ISC_FALSE, target));
-}
-
-/*
- * Create a new ACL that matches nothing.
- */
-isc_result_t
-dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
-	return (dns_acl_anyornone(mctx, ISC_TRUE, target));
-}
-
-/*
- * If pos is ISC_TRUE, test whether acl is set to "{ any; }"
- * If pos is ISC_FALSE, test whether acl is set to "{ none; }"
- */
-static isc_boolean_t
-dns_acl_isanyornone(dns_acl_t *acl, isc_boolean_t pos)
-{
-	/* Should never happen but let's be safe */
-	if (acl == NULL ||
-	    acl->iptable == NULL ||
-	    acl->iptable->radix == NULL ||
-	    acl->iptable->radix->head == NULL ||
-	    acl->iptable->radix->head->prefix == NULL)
-		return (ISC_FALSE);
-
-	if (acl->length != 0 || acl->node_count != 1)
-		return (ISC_FALSE);
-
-	if (acl->iptable->radix->head->prefix->bitlen == 0 &&
-	    acl->iptable->radix->head->data[0] != NULL &&
-	    acl->iptable->radix->head->data[0] ==
-		    acl->iptable->radix->head->data[1] &&
-	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE); /* All others */
-}
-
-/*
- * Test whether acl is set to "{ any; }"
- */
-isc_boolean_t
-dns_acl_isany(dns_acl_t *acl)
-{
-	return (dns_acl_isanyornone(acl, ISC_TRUE));
-}
-
-/*
- * Test whether acl is set to "{ none; }"
- */
-isc_boolean_t
-dns_acl_isnone(dns_acl_t *acl)
-{
-	return (dns_acl_isanyornone(acl, ISC_FALSE));
-}
-
-/*
- * Determine whether a given address or signer matches a given ACL.
- * For a match with a positive ACL element or iptable radix entry,
- * return with a positive value in match; for a match with a negated ACL
- * element or radix entry, return with a negative value in match.
- */
-isc_result_t
-dns_acl_match(const isc_netaddr_t *reqaddr,
-	      const dns_name_t *reqsigner,
-	      const dns_acl_t *acl,
-	      const dns_aclenv_t *env,
-	      int *match,
-	      const dns_aclelement_t **matchelt)
-{
-	isc_uint16_t bitlen, family;
-	isc_prefix_t pfx;
-	isc_radix_node_t *node = NULL;
-	const isc_netaddr_t *addr;
-	isc_netaddr_t v4addr;
-	isc_result_t result;
-	int match_num = -1;
-	unsigned int i;
-
-	REQUIRE(reqaddr != NULL);
-	REQUIRE(matchelt == NULL || *matchelt == NULL);
-
-	if (env == NULL || env->match_mapped == ISC_FALSE ||
-	    reqaddr->family != AF_INET6 ||
-	    !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6))
-		addr = reqaddr;
-	else {
-		isc_netaddr_fromv4mapped(&v4addr, reqaddr);
-		addr = &v4addr;
-	}
-
-	/* Always match with host addresses. */
-	family = addr->family;
-	bitlen = family == AF_INET6 ? 128 : 32;
-	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
-
-	/* Assume no match. */
-	*match = 0;
-
-	/* Search radix. */
-	result = isc_radix_search(acl->iptable->radix, &node, &pfx);
-
-	/* Found a match. */
-	if (result == ISC_R_SUCCESS && node != NULL) {
-		match_num = node->node_num[ISC_IS6(family)];
-		if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
-			*match = match_num;
-		else
-			*match = -match_num;
-	}
-
-	/* Now search non-radix elements for a match with a lower node_num. */
-	for (i = 0; i < acl->length; i++) {
-		dns_aclelement_t *e = &acl->elements[i];
-
-		/* Already found a better match? */
-		if (match_num != -1 && match_num < e->node_num) {
-			isc_refcount_destroy(&pfx.refcount);
-			return (ISC_R_SUCCESS);
-		}
-
-		if (dns_aclelement_match(reqaddr, reqsigner,
-					 e, env, matchelt)) {
-			if (match_num == -1 || e->node_num < match_num) {
-				if (e->negative == ISC_TRUE)
-					*match = -e->node_num;
-				else
-					*match = e->node_num;
-			}
-			isc_refcount_destroy(&pfx.refcount);
-			return (ISC_R_SUCCESS);
-		}
-	}
-
-	isc_refcount_destroy(&pfx.refcount);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Merge the contents of one ACL into another.  Call dns_iptable_merge()
- * for the IP tables, then concatenate the element arrays.
- *
- * If pos is set to false, then the nested ACL is to be negated.  This
- * means reverse the sense of each *positive* element or IP table node,
- * but leave negatives alone, so as to prevent a double-negative causing
- * an unexpected positive match in the parent ACL.
- */
-isc_result_t
-dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos)
-{
-	isc_result_t result;
-	unsigned int newalloc, nelem, i;
-	int max_node = 0, nodes;
-
-	/* Resize the element array if needed. */
-	if (dest->length + source->length > dest->alloc) {
-		void *newmem;
-
-		newalloc = dest->alloc + source->alloc;
-		if (newalloc < 4)
-			newalloc = 4;
-
-		newmem = isc_mem_get(dest->mctx,
-				     newalloc * sizeof(dns_aclelement_t));
-		if (newmem == NULL)
-			return (ISC_R_NOMEMORY);
-
-		/* Copy in the original elements */
-		memcpy(newmem, dest->elements,
-		       dest->length * sizeof(dns_aclelement_t));
-
-		/* Release the memory for the old elements array */
-		isc_mem_put(dest->mctx, dest->elements,
-			    dest->alloc * sizeof(dns_aclelement_t));
-		dest->elements = newmem;
-		dest->alloc = newalloc;
-	}
-
-	/*
-	 * Now copy in the new elements, increasing their node_num
-	 * values so as to keep the new ACL consistent.  If we're
-	 * negating, then negate positive elements, but keep negative
-	 * elements the same for security reasons.
-	 */
-	nelem = dest->length;
-	dest->length += source->length;
-	for (i = 0; i < source->length; i++) {
-		if (source->elements[i].node_num > max_node)
-			max_node = source->elements[i].node_num;
-
-		/* Copy type. */
-		dest->elements[nelem + i].type = source->elements[i].type;
-
-		/* Adjust node numbering. */
-		dest->elements[nelem + i].node_num =
-			source->elements[i].node_num + dest->node_count;
-
-		/* Duplicate nested acl. */
-		if (source->elements[i].type == dns_aclelementtype_nestedacl &&
-		   source->elements[i].nestedacl != NULL)
-			dns_acl_attach(source->elements[i].nestedacl,
-				       &dest->elements[nelem + i].nestedacl);
-
-		/* Duplicate key name. */
-		if (source->elements[i].type == dns_aclelementtype_keyname) {
-			dns_name_init(&dest->elements[nelem+i].keyname, NULL);
-			result = dns_name_dup(&source->elements[i].keyname,
-					      dest->mctx,
-					      &dest->elements[nelem+i].keyname);
-			if (result != ISC_R_SUCCESS)
-				return result;
-		}
-
-		/* reverse sense of positives if this is a negative acl */
-		if (!pos && source->elements[i].negative == ISC_FALSE) {
-			dest->elements[nelem + i].negative = ISC_TRUE;
-		} else {
-			dest->elements[nelem + i].negative =
-				source->elements[i].negative;
-		}
-	}
-
-	/*
-	 * Merge the iptables.  Make sure the destination ACL's
-	 * node_count value is set correctly afterward.
-	 */
-	nodes = max_node + dest->node_count;
-	result = dns_iptable_merge(dest->iptable, source->iptable, pos);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (nodes > dest->node_count)
-		dest->node_count = nodes;
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Like dns_acl_match, but matches against the single ACL element 'e'
- * rather than a complete ACL, and returns ISC_TRUE iff it matched.
- *
- * To determine whether the match was positive or negative, the
- * caller should examine e->negative.  Since the element 'e' may be
- * a reference to a named ACL or a nested ACL, a matching element
- * returned through 'matchelt' is not necessarily 'e' itself.
- */
-isc_boolean_t
-dns_aclelement_match(const isc_netaddr_t *reqaddr,
-		     const dns_name_t *reqsigner,
-		     const dns_aclelement_t *e,
-		     const dns_aclenv_t *env,
-		     const dns_aclelement_t **matchelt)
-{
-	dns_acl_t *inner = NULL;
-	int indirectmatch;
-	isc_result_t result;
-
-	switch (e->type) {
-	case dns_aclelementtype_keyname:
-		if (reqsigner != NULL &&
-		    dns_name_equal(reqsigner, &e->keyname)) {
-			if (matchelt != NULL)
-				*matchelt = e;
-			return (ISC_TRUE);
-		} else {
-			return (ISC_FALSE);
-		}
-
-	case dns_aclelementtype_nestedacl:
-		inner = e->nestedacl;
-		break;
-
-	case dns_aclelementtype_localhost:
-		if (env == NULL || env->localhost == NULL)
-			return (ISC_FALSE);
-		inner = env->localhost;
-		break;
-
-	case dns_aclelementtype_localnets:
-		if (env == NULL || env->localnets == NULL)
-			return (ISC_FALSE);
-		inner = env->localnets;
-		break;
-
-	default:
-		/* Should be impossible. */
-		INSIST(0);
-	}
-
-	result = dns_acl_match(reqaddr, reqsigner, inner, env,
-			       &indirectmatch, matchelt);
-	INSIST(result == ISC_R_SUCCESS);
-
-	/*
-	 * Treat negative matches in indirect ACLs as "no match".
-	 * That way, a negated indirect ACL will never become a
-	 * surprise positive match through double negation.
-	 * XXXDCL this should be documented.
-	 */
-
-	if (indirectmatch > 0) {
-		if (matchelt != NULL)
-			*matchelt = e;
-		return (ISC_TRUE);
-	}
-
-	/*
-	 * A negative indirect match may have set *matchelt, but we don't
-	 * want it set when we return.
-	 */
-
-	if (matchelt != NULL)
-		*matchelt = NULL;
-
-	return (ISC_FALSE);
-}
-
-void
-dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
-	REQUIRE(DNS_ACL_VALID(source));
-
-	isc_refcount_increment(&source->refcount, NULL);
-	*target = source;
-}
-
-static void
-destroy(dns_acl_t *dacl) {
-	unsigned int i;
-
-	INSIST(!ISC_LINK_LINKED(dacl, nextincache));
-
-	for (i = 0; i < dacl->length; i++) {
-		dns_aclelement_t *de = &dacl->elements[i];
-		if (de->type == dns_aclelementtype_keyname) {
-			dns_name_free(&de->keyname, dacl->mctx);
-		} else if (de->type == dns_aclelementtype_nestedacl) {
-			dns_acl_detach(&de->nestedacl);
-		}
-	}
-	if (dacl->elements != NULL)
-		isc_mem_put(dacl->mctx, dacl->elements,
-			    dacl->alloc * sizeof(dns_aclelement_t));
-	if (dacl->name != NULL)
-		isc_mem_free(dacl->mctx, dacl->name);
-	if (dacl->iptable != NULL)
-		dns_iptable_detach(&dacl->iptable);
-	isc_refcount_destroy(&dacl->refcount);
-	dacl->magic = 0;
-	isc_mem_putanddetach(&dacl->mctx, dacl, sizeof(*dacl));
-}
-
-void
-dns_acl_detach(dns_acl_t **aclp) {
-	dns_acl_t *acl = *aclp;
-	unsigned int refs;
-
-	REQUIRE(DNS_ACL_VALID(acl));
-
-	isc_refcount_decrement(&acl->refcount, &refs);
-	if (refs == 0)
-		destroy(acl);
-	*aclp = NULL;
-}
-
-
-static isc_once_t	insecure_prefix_once = ISC_ONCE_INIT;
-static isc_mutex_t	insecure_prefix_lock;
-static isc_boolean_t	insecure_prefix_found;
-
-static void
-initialize_action(void) {
-	RUNTIME_CHECK(isc_mutex_init(&insecure_prefix_lock) == ISC_R_SUCCESS);
-}
-
-/*
- * Called via isc_radix_walk() to find IP table nodes that are
- * insecure.
- */
-static void
-is_insecure(isc_prefix_t *prefix, void **data) {
-	isc_boolean_t secure;
-	int bitlen, family;
-
-	bitlen = prefix->bitlen;
-	family = prefix->family;
-
-	/* Negated entries are always secure. */
-	secure = * (isc_boolean_t *)data[ISC_IS6(family)];
-	if (!secure) {
-		return;
-	}
-
-	/* If loopback prefix found, return */
-	switch (family) {
-	case AF_INET:
-		if (bitlen == 32 &&
-		    htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK)
-			return;
-		break;
-	case AF_INET6:
-		if (bitlen == 128 && IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6))
-			return;
-		break;
-	default:
-		break;
-	}
-
-	/* Non-negated, non-loopback */
-	insecure_prefix_found = ISC_TRUE;	/* LOCKED */
-	return;
-}
-
-/*
- * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
- * if it contains IP addresses other than those of the local host.
- * This is intended for applications such as printing warning
- * messages for suspect ACLs; it is not intended for making access
- * control decisions.  We make no guarantee that an ACL for which
- * this function returns ISC_FALSE is safe.
- */
-isc_boolean_t
-dns_acl_isinsecure(const dns_acl_t *a) {
-	unsigned int i;
-	isc_boolean_t insecure;
-
-	RUNTIME_CHECK(isc_once_do(&insecure_prefix_once,
-				  initialize_action) == ISC_R_SUCCESS);
-
-	/*
-	 * Walk radix tree to find out if there are any non-negated,
-	 * non-loopback prefixes.
-	 */
-	LOCK(&insecure_prefix_lock);
-	insecure_prefix_found = ISC_FALSE;
-	isc_radix_process(a->iptable->radix, is_insecure);
-	insecure = insecure_prefix_found;
-	UNLOCK(&insecure_prefix_lock);
-	if (insecure)
-		return(ISC_TRUE);
-
-	/* Now check non-radix elements */
-	for (i = 0; i < a->length; i++) {
-		dns_aclelement_t *e = &a->elements[i];
-
-		/* A negated match can never be insecure. */
-		if (e->negative)
-			continue;
-
-		switch (e->type) {
-		case dns_aclelementtype_keyname:
-		case dns_aclelementtype_localhost:
-			continue;
-
-		case dns_aclelementtype_nestedacl:
-			if (dns_acl_isinsecure(e->nestedacl))
-				return (ISC_TRUE);
-			continue;
-
-		case dns_aclelementtype_localnets:
-			return (ISC_TRUE);
-
-		default:
-			INSIST(0);
-			return (ISC_TRUE);
-		}
-	}
-
-	/* No insecure elements were found. */
-	return (ISC_FALSE);
-}
-
-/*
- * Initialize ACL environment, setting up localhost and localnets ACLs
- */
-isc_result_t
-dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
-	isc_result_t result;
-
-	env->localhost = NULL;
-	env->localnets = NULL;
-	result = dns_acl_create(mctx, 0, &env->localhost);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_nothing;
-	result = dns_acl_create(mctx, 0, &env->localnets);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_localhost;
-	env->match_mapped = ISC_FALSE;
-	return (ISC_R_SUCCESS);
-
- cleanup_localhost:
-	dns_acl_detach(&env->localhost);
- cleanup_nothing:
-	return (result);
-}
-
-void
-dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) {
-	dns_acl_detach(&t->localhost);
-	dns_acl_attach(s->localhost, &t->localhost);
-	dns_acl_detach(&t->localnets);
-	dns_acl_attach(s->localnets, &t->localnets);
-	t->match_mapped = s->match_mapped;
-}
-
-void
-dns_aclenv_destroy(dns_aclenv_t *env) {
-	dns_acl_detach(&env->localhost);
-	dns_acl_detach(&env->localnets);
-}
diff --git a/contrib/bind9/lib/dns/adb.c b/contrib/bind9/lib/dns/adb.c
deleted file mode 100644
index ef7875d..0000000
--- a/contrib/bind9/lib/dns/adb.c
+++ /dev/null
@@ -1,4148 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: adb.c,v 1.264 2011/12/05 17:10:51 each Exp $ */
-
-/*! \file
- *
- * \note
- * In finds, if task == NULL, no events will be generated, and no events
- * have been sent.  If task != NULL but taskaction == NULL, an event has been
- * posted but not yet freed.  If neither are NULL, no event was posted.
- *
- */
-
-#include <config.h>
-
-#include <limits.h>
-
-#include <isc/mutexblock.h>
-#include <isc/netaddr.h>
-#include <isc/random.h>
-#include <isc/stats.h>
-#include <isc/string.h>         /* Required for HP/UX (and others?) */
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/stats.h>
-
-#define DNS_ADB_MAGIC             ISC_MAGIC('D', 'a', 'd', 'b')
-#define DNS_ADB_VALID(x)          ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
-#define DNS_ADBNAME_MAGIC         ISC_MAGIC('a', 'd', 'b', 'N')
-#define DNS_ADBNAME_VALID(x)      ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
-#define DNS_ADBNAMEHOOK_MAGIC     ISC_MAGIC('a', 'd', 'N', 'H')
-#define DNS_ADBNAMEHOOK_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBNAMEHOOK_MAGIC)
-#define DNS_ADBLAMEINFO_MAGIC     ISC_MAGIC('a', 'd', 'b', 'Z')
-#define DNS_ADBLAMEINFO_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBLAMEINFO_MAGIC)
-#define DNS_ADBENTRY_MAGIC        ISC_MAGIC('a', 'd', 'b', 'E')
-#define DNS_ADBENTRY_VALID(x)     ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
-#define DNS_ADBFETCH_MAGIC        ISC_MAGIC('a', 'd', 'F', '4')
-#define DNS_ADBFETCH_VALID(x)     ISC_MAGIC_VALID(x, DNS_ADBFETCH_MAGIC)
-#define DNS_ADBFETCH6_MAGIC       ISC_MAGIC('a', 'd', 'F', '6')
-#define DNS_ADBFETCH6_VALID(x)    ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
-
-/*!
- * For type 3 negative cache entries, we will remember that the address is
- * broken for this long.  XXXMLG This is also used for actual addresses, too.
- * The intent is to keep us from constantly asking about A/AAAA records
- * if the zone has extremely low TTLs.
- */
-#define ADB_CACHE_MINIMUM       10      /*%< seconds */
-#define ADB_CACHE_MAXIMUM       86400   /*%< seconds (86400 = 24 hours) */
-#define ADB_ENTRY_WINDOW        1800    /*%< seconds */
-
-/*%
- * The period in seconds after which an ADB name entry is regarded as stale
- * and forced to be cleaned up.
- * TODO: This should probably be configurable at run-time.
- */
-#ifndef ADB_STALE_MARGIN
-#define ADB_STALE_MARGIN        1800
-#endif
-
-#define FREE_ITEMS              64      /*%< free count for memory pools */
-#define FILL_COUNT              16      /*%< fill count for memory pools */
-
-#define DNS_ADB_INVALIDBUCKET (-1)      /*%< invalid bucket address */
-
-#define DNS_ADB_MINADBSIZE      (1024U*1024U)     /*%< 1 Megabyte */
-
-typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
-typedef struct dns_adbnamehook dns_adbnamehook_t;
-typedef ISC_LIST(dns_adbnamehook_t) dns_adbnamehooklist_t;
-typedef struct dns_adblameinfo dns_adblameinfo_t;
-typedef ISC_LIST(dns_adbentry_t) dns_adbentrylist_t;
-typedef struct dns_adbfetch dns_adbfetch_t;
-typedef struct dns_adbfetch6 dns_adbfetch6_t;
-
-/*% dns adb structure */
-struct dns_adb {
-	unsigned int                    magic;
-
-	isc_mutex_t                     lock;
-	isc_mutex_t                     reflock; /*%< Covers irefcnt, erefcnt */
-	isc_mutex_t                     overmemlock; /*%< Covers overmem */
-	isc_mem_t                      *mctx;
-	dns_view_t                     *view;
-
-	isc_taskmgr_t                  *taskmgr;
-	isc_task_t                     *task;
-	isc_task_t                     *excl;
-
-	isc_interval_t                  tick_interval;
-	int                             next_cleanbucket;
-
-	unsigned int                    irefcnt;
-	unsigned int                    erefcnt;
-
-	isc_mutex_t                     mplock;
-	isc_mempool_t                  *nmp;    /*%< dns_adbname_t */
-	isc_mempool_t                  *nhmp;   /*%< dns_adbnamehook_t */
-	isc_mempool_t                  *limp;   /*%< dns_adblameinfo_t */
-	isc_mempool_t                  *emp;    /*%< dns_adbentry_t */
-	isc_mempool_t                  *ahmp;   /*%< dns_adbfind_t */
-	isc_mempool_t                  *aimp;   /*%< dns_adbaddrinfo_t */
-	isc_mempool_t                  *afmp;   /*%< dns_adbfetch_t */
-
-	/*!
-	 * Bucketized locks and lists for names.
-	 *
-	 * XXXRTH  Have a per-bucket structure that contains all of these?
-	 */
-	unsigned int			nnames;
-	isc_mutex_t                     namescntlock;
-	unsigned int			namescnt;
-	dns_adbnamelist_t               *names;
-	dns_adbnamelist_t               *deadnames;
-	isc_mutex_t                     *namelocks;
-	isc_boolean_t                   *name_sd;
-	unsigned int                    *name_refcnt;
-
-	/*!
-	 * Bucketized locks and lists for entries.
-	 *
-	 * XXXRTH  Have a per-bucket structure that contains all of these?
-	 */
-	unsigned int			nentries;
-	isc_mutex_t                     entriescntlock;
-	unsigned int			entriescnt;
-	dns_adbentrylist_t              *entries;
-	dns_adbentrylist_t              *deadentries;
-	isc_mutex_t                     *entrylocks;
-	isc_boolean_t                   *entry_sd; /*%< shutting down */
-	unsigned int                    *entry_refcnt;
-
-	isc_event_t                     cevent;
-	isc_boolean_t                   cevent_sent;
-	isc_boolean_t                   shutting_down;
-	isc_eventlist_t                 whenshutdown;
-	isc_event_t			growentries;
-	isc_boolean_t			growentries_sent;
-	isc_event_t			grownames;
-	isc_boolean_t			grownames_sent;
-};
-
-/*
- * XXXMLG  Document these structures.
- */
-
-/*% dns_adbname structure */
-struct dns_adbname {
-	unsigned int                    magic;
-	dns_name_t                      name;
-	dns_adb_t                      *adb;
-	unsigned int                    partial_result;
-	unsigned int                    flags;
-	int                             lock_bucket;
-	dns_name_t                      target;
-	isc_stdtime_t                   expire_target;
-	isc_stdtime_t                   expire_v4;
-	isc_stdtime_t                   expire_v6;
-	unsigned int                    chains;
-	dns_adbnamehooklist_t           v4;
-	dns_adbnamehooklist_t           v6;
-	dns_adbfetch_t                 *fetch_a;
-	dns_adbfetch_t                 *fetch_aaaa;
-	unsigned int                    fetch_err;
-	unsigned int                    fetch6_err;
-	dns_adbfindlist_t               finds;
-	/* for LRU-based management */
-	isc_stdtime_t                   last_used;
-
-	ISC_LINK(dns_adbname_t)         plink;
-};
-
-/*% The adbfetch structure */
-struct dns_adbfetch {
-	unsigned int                    magic;
-	dns_fetch_t                    *fetch;
-	dns_rdataset_t                  rdataset;
-};
-
-/*%
- * This is a small widget that dangles off a dns_adbname_t.  It contains a
- * pointer to the address information about this host, and a link to the next
- * namehook that will contain the next address this host has.
- */
-struct dns_adbnamehook {
-	unsigned int                    magic;
-	dns_adbentry_t                 *entry;
-	ISC_LINK(dns_adbnamehook_t)     plink;
-};
-
-/*%
- * This is a small widget that holds qname-specific information about an
- * address.  Currently limited to lameness, but could just as easily be
- * extended to other types of information about zones.
- */
-struct dns_adblameinfo {
-	unsigned int                    magic;
-
-	dns_name_t                      qname;
-	dns_rdatatype_t                 qtype;
-	isc_stdtime_t                   lame_timer;
-
-	ISC_LINK(dns_adblameinfo_t)     plink;
-};
-
-/*%
- * An address entry.  It holds quite a bit of information about addresses,
- * including edns state (in "flags"), rtt, and of course the address of
- * the host.
- */
-struct dns_adbentry {
-	unsigned int                    magic;
-
-	int                             lock_bucket;
-	unsigned int                    refcnt;
-
-	unsigned int                    flags;
-	unsigned int                    srtt;
-	isc_sockaddr_t                  sockaddr;
-
-	isc_stdtime_t                   expires;
-	/*%<
-	 * A nonzero 'expires' field indicates that the entry should
-	 * persist until that time.  This allows entries found
-	 * using dns_adb_findaddrinfo() to persist for a limited time
-	 * even though they are not necessarily associated with a
-	 * name.
-	 */
-
-	ISC_LIST(dns_adblameinfo_t)     lameinfo;
-	ISC_LINK(dns_adbentry_t)        plink;
-
-};
-
-/*
- * Internal functions (and prototypes).
- */
-static inline dns_adbname_t *new_adbname(dns_adb_t *, dns_name_t *);
-static inline void free_adbname(dns_adb_t *, dns_adbname_t **);
-static inline dns_adbnamehook_t *new_adbnamehook(dns_adb_t *,
-						 dns_adbentry_t *);
-static inline void free_adbnamehook(dns_adb_t *, dns_adbnamehook_t **);
-static inline dns_adblameinfo_t *new_adblameinfo(dns_adb_t *, dns_name_t *,
-						 dns_rdatatype_t);
-static inline void free_adblameinfo(dns_adb_t *, dns_adblameinfo_t **);
-static inline dns_adbentry_t *new_adbentry(dns_adb_t *);
-static inline void free_adbentry(dns_adb_t *, dns_adbentry_t **);
-static inline dns_adbfind_t *new_adbfind(dns_adb_t *);
-static inline isc_boolean_t free_adbfind(dns_adb_t *, dns_adbfind_t **);
-static inline dns_adbaddrinfo_t *new_adbaddrinfo(dns_adb_t *, dns_adbentry_t *,
-						 in_port_t);
-static inline dns_adbfetch_t *new_adbfetch(dns_adb_t *);
-static inline void free_adbfetch(dns_adb_t *, dns_adbfetch_t **);
-static inline dns_adbname_t *find_name_and_lock(dns_adb_t *, dns_name_t *,
-						unsigned int, int *);
-static inline dns_adbentry_t *find_entry_and_lock(dns_adb_t *,
-						  isc_sockaddr_t *, int *,
-						  isc_stdtime_t);
-static void dump_adb(dns_adb_t *, FILE *, isc_boolean_t debug, isc_stdtime_t);
-static void print_dns_name(FILE *, dns_name_t *);
-static void print_namehook_list(FILE *, const char *legend,
-				dns_adbnamehooklist_t *list,
-				isc_boolean_t debug,
-				isc_stdtime_t now);
-static void print_find_list(FILE *, dns_adbname_t *);
-static void print_fetch_list(FILE *, dns_adbname_t *);
-static inline isc_boolean_t dec_adb_irefcnt(dns_adb_t *);
-static inline void inc_adb_irefcnt(dns_adb_t *);
-static inline void inc_adb_erefcnt(dns_adb_t *);
-static inline void inc_entry_refcnt(dns_adb_t *, dns_adbentry_t *,
-				    isc_boolean_t);
-static inline isc_boolean_t dec_entry_refcnt(dns_adb_t *, isc_boolean_t,
-					     dns_adbentry_t *, isc_boolean_t);
-static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
-static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
-static void clean_target(dns_adb_t *, dns_name_t *);
-static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
-				unsigned int);
-static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
-static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **,
-					isc_stdtime_t);
-static void cancel_fetches_at_name(dns_adbname_t *);
-static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
-				dns_rdatatype_t);
-static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
-			       dns_rdatatype_t);
-static inline void check_exit(dns_adb_t *);
-static void destroy(dns_adb_t *);
-static isc_boolean_t shutdown_names(dns_adb_t *);
-static isc_boolean_t shutdown_entries(dns_adb_t *);
-static inline void link_name(dns_adb_t *, int, dns_adbname_t *);
-static inline isc_boolean_t unlink_name(dns_adb_t *, dns_adbname_t *);
-static inline void link_entry(dns_adb_t *, int, dns_adbentry_t *);
-static inline isc_boolean_t unlink_entry(dns_adb_t *, dns_adbentry_t *);
-static isc_boolean_t kill_name(dns_adbname_t **, isc_eventtype_t);
-static void water(void *, int);
-static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
-
-/*
- * MUST NOT overlap DNS_ADBFIND_* flags!
- */
-#define FIND_EVENT_SENT         0x40000000
-#define FIND_EVENT_FREED        0x80000000
-#define FIND_EVENTSENT(h)       (((h)->flags & FIND_EVENT_SENT) != 0)
-#define FIND_EVENTFREED(h)      (((h)->flags & FIND_EVENT_FREED) != 0)
-
-#define NAME_NEEDS_POKE         0x80000000
-#define NAME_IS_DEAD            0x40000000
-#define NAME_HINT_OK            DNS_ADBFIND_HINTOK
-#define NAME_GLUE_OK            DNS_ADBFIND_GLUEOK
-#define NAME_STARTATZONE        DNS_ADBFIND_STARTATZONE
-#define NAME_DEAD(n)            (((n)->flags & NAME_IS_DEAD) != 0)
-#define NAME_NEEDSPOKE(n)       (((n)->flags & NAME_NEEDS_POKE) != 0)
-#define NAME_GLUEOK(n)          (((n)->flags & NAME_GLUE_OK) != 0)
-#define NAME_HINTOK(n)          (((n)->flags & NAME_HINT_OK) != 0)
-
-/*
- * Private flag(s) for entries.
- * MUST NOT overlap FCTX_ADDRINFO_xxx and DNS_FETCHOPT_NOEDNS0.
- */
-#define ENTRY_IS_DEAD		0x80000000
-
-/*
- * To the name, address classes are all that really exist.  If it has a
- * V6 address it doesn't care if it came from a AAAA query.
- */
-#define NAME_HAS_V4(n)          (!ISC_LIST_EMPTY((n)->v4))
-#define NAME_HAS_V6(n)          (!ISC_LIST_EMPTY((n)->v6))
-#define NAME_HAS_ADDRS(n)       (NAME_HAS_V4(n) || NAME_HAS_V6(n))
-
-/*
- * Fetches are broken out into A and AAAA types.  In some cases,
- * however, it makes more sense to test for a particular class of fetches,
- * like V4 or V6 above.
- * Note: since we have removed the support of A6 in adb, FETCH_A and FETCH_AAAA
- * are now equal to FETCH_V4 and FETCH_V6, respectively.
- */
-#define NAME_FETCH_A(n)         ((n)->fetch_a != NULL)
-#define NAME_FETCH_AAAA(n)      ((n)->fetch_aaaa != NULL)
-#define NAME_FETCH_V4(n)        (NAME_FETCH_A(n))
-#define NAME_FETCH_V6(n)        (NAME_FETCH_AAAA(n))
-#define NAME_FETCH(n)           (NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
-
-/*
- * Find options and tests to see if there are addresses on the list.
- */
-#define FIND_WANTEVENT(fn)      (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
-#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
-#define FIND_AVOIDFETCHES(fn)   (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
-				 != 0)
-#define FIND_STARTATZONE(fn)    (((fn)->options & DNS_ADBFIND_STARTATZONE) \
-				 != 0)
-#define FIND_HINTOK(fn)         (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-#define FIND_GLUEOK(fn)         (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-#define FIND_HAS_ADDRS(fn)      (!ISC_LIST_EMPTY((fn)->list))
-#define FIND_RETURNLAME(fn)     (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
-
-/*
- * These are currently used on simple unsigned ints, so they are
- * not really associated with any particular type.
- */
-#define WANT_INET(x)            (((x) & DNS_ADBFIND_INET) != 0)
-#define WANT_INET6(x)           (((x) & DNS_ADBFIND_INET6) != 0)
-
-#define EXPIRE_OK(exp, now)     ((exp == INT_MAX) || (exp < now))
-
-/*
- * Find out if the flags on a name (nf) indicate if it is a hint or
- * glue, and compare this to the appropriate bits set in o, to see if
- * this is ok.
- */
-#define GLUE_OK(nf, o) (!NAME_GLUEOK(nf) || (((o) & DNS_ADBFIND_GLUEOK) != 0))
-#define HINT_OK(nf, o) (!NAME_HINTOK(nf) || (((o) & DNS_ADBFIND_HINTOK) != 0))
-#define GLUEHINT_OK(nf, o) (GLUE_OK(nf, o) || HINT_OK(nf, o))
-#define STARTATZONE_MATCHES(nf, o) (((nf)->flags & NAME_STARTATZONE) == \
-				    ((o) & DNS_ADBFIND_STARTATZONE))
-
-#define ENTER_LEVEL             ISC_LOG_DEBUG(50)
-#define EXIT_LEVEL              ENTER_LEVEL
-#define CLEAN_LEVEL             ISC_LOG_DEBUG(100)
-#define DEF_LEVEL               ISC_LOG_DEBUG(5)
-#define NCACHE_LEVEL            ISC_LOG_DEBUG(20)
-
-#define NCACHE_RESULT(r)        ((r) == DNS_R_NCACHENXDOMAIN || \
-				 (r) == DNS_R_NCACHENXRRSET)
-#define AUTH_NX(r)              ((r) == DNS_R_NXDOMAIN || \
-				 (r) == DNS_R_NXRRSET)
-#define NXDOMAIN_RESULT(r)      ((r) == DNS_R_NXDOMAIN || \
-				 (r) == DNS_R_NCACHENXDOMAIN)
-#define NXRRSET_RESULT(r)       ((r) == DNS_R_NCACHENXRRSET || \
-				 (r) == DNS_R_NXRRSET || \
-				 (r) == DNS_R_HINTNXRRSET)
-
-/*
- * Error state rankings.
- */
-
-#define FIND_ERR_SUCCESS                0  /* highest rank */
-#define FIND_ERR_CANCELED               1
-#define FIND_ERR_FAILURE                2
-#define FIND_ERR_NXDOMAIN               3
-#define FIND_ERR_NXRRSET                4
-#define FIND_ERR_UNEXPECTED             5
-#define FIND_ERR_NOTFOUND               6
-#define FIND_ERR_MAX                    7
-
-static const char *errnames[] = {
-	"success",
-	"canceled",
-	"failure",
-	"nxdomain",
-	"nxrrset",
-	"unexpected",
-	"not_found"
-};
-
-#define NEWERR(old, new)        (ISC_MIN((old), (new)))
-
-static isc_result_t find_err_map[FIND_ERR_MAX] = {
-	ISC_R_SUCCESS,
-	ISC_R_CANCELED,
-	ISC_R_FAILURE,
-	DNS_R_NXDOMAIN,
-	DNS_R_NXRRSET,
-	ISC_R_UNEXPECTED,
-	ISC_R_NOTFOUND          /* not YET found */
-};
-
-static void
-DP(int level, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
-
-static void
-DP(int level, const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	isc_log_vwrite(dns_lctx,
-		       DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
-		       level, format, args);
-	va_end(args);
-}
-
-/*%
- * Increment resolver-related statistics counters.
- */
-static inline void
-inc_stats(dns_adb_t *adb, isc_statscounter_t counter) {
-	if (adb->view->resstats != NULL)
-		isc_stats_increment(adb->view->resstats, counter);
-}
-
-static inline dns_ttl_t
-ttlclamp(dns_ttl_t ttl) {
-	if (ttl < ADB_CACHE_MINIMUM)
-		ttl = ADB_CACHE_MINIMUM;
-	if (ttl > ADB_CACHE_MAXIMUM)
-		ttl = ADB_CACHE_MAXIMUM;
-
-	return (ttl);
-}
-
-/*
- * Hashing is most efficient if the number of buckets is prime.
- * The sequence below is the closest previous primes to 2^n and
- * 1.5 * 2^n, for values of n from 10 to 28.  (The tables will
- * no longer grow beyond 2^28 entries.)
- */
-static const unsigned nbuckets[] = { 1021, 1531, 2039, 3067, 4093, 6143,
-				     8191, 12281, 16381, 24571, 32749,
-				     49193, 65521, 98299, 131071, 199603,
-				     262139, 393209, 524287, 768431, 1048573,
-				     1572853, 2097143, 3145721, 4194301,
-				     6291449, 8388593, 12582893, 16777213,
-				     25165813, 33554393, 50331599, 67108859,
-				     100663291, 134217689, 201326557,
-				     268535431, 0 };
-
-static void
-grow_entries(isc_task_t *task, isc_event_t *ev) {
-	dns_adb_t *adb;
-	dns_adbentry_t *e;
-	dns_adbentrylist_t *newdeadentries = NULL;
-	dns_adbentrylist_t *newentries = NULL;
-	isc_boolean_t *newentry_sd = NULL;
-	isc_mutex_t *newentrylocks = NULL;
-	isc_result_t result;
-	unsigned int *newentry_refcnt = NULL;
-	unsigned int i, n, bucket;
-
-	adb = ev->ev_arg;
-	INSIST(DNS_ADB_VALID(adb));
-
-	isc_event_free(&ev);
-
-	result = isc_task_beginexclusive(task);
-	if (result != ISC_R_SUCCESS)
-		goto check_exit;
-
-	i = 0;
-	while (nbuckets[i] != 0 && adb->nentries >= nbuckets[i])
-		i++;
-	if (nbuckets[i] != 0)
-		n = nbuckets[i];
-	else
-		goto done;
-
-	DP(ISC_LOG_INFO, "adb: grow_entries to %u starting", n);
-
-	/*
-	 * Are we shutting down?
-	 */
-	for (i = 0; i < adb->nentries; i++)
-		if (adb->entry_sd[i])
-			goto cleanup;
-
-	/*
-	 * Grab all the resources we need.
-	 */
-	newentries = isc_mem_get(adb->mctx, sizeof(*newentries) * n);
-	newdeadentries = isc_mem_get(adb->mctx, sizeof(*newdeadentries) * n);
-	newentrylocks = isc_mem_get(adb->mctx, sizeof(*newentrylocks) * n);
-	newentry_sd = isc_mem_get(adb->mctx, sizeof(*newentry_sd) * n);
-	newentry_refcnt = isc_mem_get(adb->mctx, sizeof(*newentry_refcnt) * n);
-	if (newentries == NULL || newdeadentries == NULL ||
-	    newentrylocks == NULL || newentry_sd == NULL ||
-	    newentry_refcnt == NULL)
-		goto cleanup;
-
-	/*
-	 * Initialise the new resources.
-	 */
-	result = isc_mutexblock_init(newentrylocks, n);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	for (i = 0; i < n; i++) {
-		ISC_LIST_INIT(newentries[i]);
-		ISC_LIST_INIT(newdeadentries[i]);
-		newentry_sd[i] = ISC_FALSE;
-		newentry_refcnt[i] = 0;
-		adb->irefcnt++;
-	}
-
-	/*
-	 * Move entries to new arrays.
-	 */
-	for (i = 0; i < adb->nentries; i++) {
-		e = ISC_LIST_HEAD(adb->entries[i]);
-		while (e != NULL) {
-			ISC_LIST_UNLINK(adb->entries[i], e, plink);
-			bucket = isc_sockaddr_hash(&e->sockaddr, ISC_TRUE) % n;
-			e->lock_bucket = bucket;
-			ISC_LIST_APPEND(newentries[bucket], e, plink);
-			INSIST(adb->entry_refcnt[i] > 0);
-			adb->entry_refcnt[i]--;
-			newentry_refcnt[bucket]++;
-			e = ISC_LIST_HEAD(adb->entries[i]);
-		}
-		e = ISC_LIST_HEAD(adb->deadentries[i]);
-		while (e != NULL) {
-			ISC_LIST_UNLINK(adb->deadentries[i], e, plink);
-			bucket = isc_sockaddr_hash(&e->sockaddr, ISC_TRUE) % n;
-			e->lock_bucket = bucket;
-			ISC_LIST_APPEND(newdeadentries[bucket], e, plink);
-			INSIST(adb->entry_refcnt[i] > 0);
-			adb->entry_refcnt[i]--;
-			newentry_refcnt[bucket]++;
-			e = ISC_LIST_HEAD(adb->deadentries[i]);
-		}
-		INSIST(adb->entry_refcnt[i] == 0);
-		adb->irefcnt--;
-	}
-
-	/*
-	 * Cleanup old resources.
-	 */
-	DESTROYMUTEXBLOCK(adb->entrylocks, adb->nentries);
-	isc_mem_put(adb->mctx, adb->entries,
-		    sizeof(*adb->entries) * adb->nentries);
-	isc_mem_put(adb->mctx, adb->deadentries,
-		    sizeof(*adb->deadentries) * adb->nentries);
-	isc_mem_put(adb->mctx, adb->entrylocks,
-		    sizeof(*adb->entrylocks) * adb->nentries);
-	isc_mem_put(adb->mctx, adb->entry_sd,
-		    sizeof(*adb->entry_sd) * adb->nentries);
-	isc_mem_put(adb->mctx, adb->entry_refcnt,
-		    sizeof(*adb->entry_refcnt) * adb->nentries);
-
-	/*
-	 * Install new resources.
-	 */
-	adb->entries = newentries;
-	adb->deadentries = newdeadentries;
-	adb->entrylocks = newentrylocks;
-	adb->entry_sd = newentry_sd;
-	adb->entry_refcnt = newentry_refcnt;
-	adb->nentries = n;
-
-	/*
-	 * Only on success do we set adb->growentries_sent to ISC_FALSE.
-	 * This will prevent us being continuously being called on error.
-	 */
-	adb->growentries_sent = ISC_FALSE;
-	goto done;
-
- cleanup:
-	if (newentries != NULL)
-		isc_mem_put(adb->mctx, newentries,
-			    sizeof(*newentries) * n);
-	if (newdeadentries != NULL)
-		isc_mem_put(adb->mctx, newdeadentries,
-			    sizeof(*newdeadentries) * n);
-	if (newentrylocks != NULL)
-		isc_mem_put(adb->mctx, newentrylocks,
-			    sizeof(*newentrylocks) * n);
-	if (newentry_sd != NULL)
-		isc_mem_put(adb->mctx, newentry_sd,
-			    sizeof(*newentry_sd) * n);
-	if (newentry_refcnt != NULL)
-		isc_mem_put(adb->mctx, newentry_refcnt,
-			     sizeof(*newentry_refcnt) * n);
- done:
-	isc_task_endexclusive(task);
-
- check_exit:
-	LOCK(&adb->lock);
-	if (dec_adb_irefcnt(adb))
-		check_exit(adb);
-	UNLOCK(&adb->lock);
-	DP(ISC_LOG_INFO, "adb: grow_entries finished");
-}
-
-static void
-grow_names(isc_task_t *task, isc_event_t *ev) {
-	dns_adb_t *adb;
-	dns_adbname_t *name;
-	dns_adbnamelist_t *newdeadnames = NULL;
-	dns_adbnamelist_t *newnames = NULL;
-	isc_boolean_t *newname_sd = NULL;
-	isc_mutex_t *newnamelocks = NULL;
-	isc_result_t result;
-	unsigned int *newname_refcnt = NULL;
-	unsigned int i, n, bucket;
-
-	adb = ev->ev_arg;
-	INSIST(DNS_ADB_VALID(adb));
-
-	isc_event_free(&ev);
-
-	result = isc_task_beginexclusive(task);
-	if (result != ISC_R_SUCCESS)
-		goto check_exit;
-
-	i = 0;
-	while (nbuckets[i] != 0 && adb->nnames >= nbuckets[i])
-		i++;
-	if (nbuckets[i] != 0)
-		n = nbuckets[i];
-	else
-		goto done;
-
-	DP(ISC_LOG_INFO, "adb: grow_names to %u starting", n);
-
-	/*
-	 * Are we shutting down?
-	 */
-	for (i = 0; i < adb->nnames; i++)
-		if (adb->name_sd[i])
-			goto cleanup;
-
-	/*
-	 * Grab all the resources we need.
-	 */
-	newnames = isc_mem_get(adb->mctx, sizeof(*newnames) * n);
-	newdeadnames = isc_mem_get(adb->mctx, sizeof(*newdeadnames) * n);
-	newnamelocks = isc_mem_get(adb->mctx, sizeof(*newnamelocks) * n);
-	newname_sd = isc_mem_get(adb->mctx, sizeof(*newname_sd) * n);
-	newname_refcnt = isc_mem_get(adb->mctx, sizeof(*newname_refcnt) * n);
-	if (newnames == NULL || newdeadnames == NULL ||
-	    newnamelocks == NULL || newname_sd == NULL ||
-	    newname_refcnt == NULL)
-		goto cleanup;
-
-	/*
-	 * Initialise the new resources.
-	 */
-	result = isc_mutexblock_init(newnamelocks, n);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	for (i = 0; i < n; i++) {
-		ISC_LIST_INIT(newnames[i]);
-		ISC_LIST_INIT(newdeadnames[i]);
-		newname_sd[i] = ISC_FALSE;
-		newname_refcnt[i] = 0;
-		adb->irefcnt++;
-	}
-
-	/*
-	 * Move names to new arrays.
-	 */
-	for (i = 0; i < adb->nnames; i++) {
-		name = ISC_LIST_HEAD(adb->names[i]);
-		while (name != NULL) {
-			ISC_LIST_UNLINK(adb->names[i], name, plink);
-			bucket = dns_name_fullhash(&name->name, ISC_TRUE) % n;
-			name->lock_bucket = bucket;
-			ISC_LIST_APPEND(newnames[bucket], name, plink);
-			INSIST(adb->name_refcnt[i] > 0);
-			adb->name_refcnt[i]--;
-			newname_refcnt[bucket]++;
-			name = ISC_LIST_HEAD(adb->names[i]);
-		}
-		name = ISC_LIST_HEAD(adb->deadnames[i]);
-		while (name != NULL) {
-			ISC_LIST_UNLINK(adb->deadnames[i], name, plink);
-			bucket = dns_name_fullhash(&name->name, ISC_TRUE) % n;
-			name->lock_bucket = bucket;
-			ISC_LIST_APPEND(newdeadnames[bucket], name, plink);
-			INSIST(adb->name_refcnt[i] > 0);
-			adb->name_refcnt[i]--;
-			newname_refcnt[bucket]++;
-			name = ISC_LIST_HEAD(adb->deadnames[i]);
-		}
-		INSIST(adb->name_refcnt[i] == 0);
-		adb->irefcnt--;
-	}
-
-	/*
-	 * Cleanup old resources.
-	 */
-	DESTROYMUTEXBLOCK(adb->namelocks, adb->nnames);
-	isc_mem_put(adb->mctx, adb->names,
-		    sizeof(*adb->names) * adb->nnames);
-	isc_mem_put(adb->mctx, adb->deadnames,
-		    sizeof(*adb->deadnames) * adb->nnames);
-	isc_mem_put(adb->mctx, adb->namelocks,
-		    sizeof(*adb->namelocks) * adb->nnames);
-	isc_mem_put(adb->mctx, adb->name_sd,
-		    sizeof(*adb->name_sd) * adb->nnames);
-	isc_mem_put(adb->mctx, adb->name_refcnt,
-		    sizeof(*adb->name_refcnt) * adb->nnames);
-
-	/*
-	 * Install new resources.
-	 */
-	adb->names = newnames;
-	adb->deadnames = newdeadnames;
-	adb->namelocks = newnamelocks;
-	adb->name_sd = newname_sd;
-	adb->name_refcnt = newname_refcnt;
-	adb->nnames = n;
-
-	/*
-	 * Only on success do we set adb->grownames_sent to ISC_FALSE.
-	 * This will prevent us being continuously being called on error.
-	 */
-	adb->grownames_sent = ISC_FALSE;
-	goto done;
-
- cleanup:
-	if (newnames != NULL)
-		isc_mem_put(adb->mctx, newnames, sizeof(*newnames) * n);
-	if (newdeadnames != NULL)
-		isc_mem_put(adb->mctx, newdeadnames, sizeof(*newdeadnames) * n);
-	if (newnamelocks != NULL)
-		isc_mem_put(adb->mctx, newnamelocks, sizeof(*newnamelocks) * n);
-	if (newname_sd != NULL)
-		isc_mem_put(adb->mctx, newname_sd, sizeof(*newname_sd) * n);
-	if (newname_refcnt != NULL)
-		isc_mem_put(adb->mctx, newname_refcnt,
-			     sizeof(*newname_refcnt) * n);
- done:
-	isc_task_endexclusive(task);
-
- check_exit:
-	LOCK(&adb->lock);
-	if (dec_adb_irefcnt(adb))
-		check_exit(adb);
-	UNLOCK(&adb->lock);
-	DP(ISC_LOG_INFO, "adb: grow_names finished");
-}
-
-/*
- * Requires the adbname bucket be locked and that no entry buckets be locked.
- *
- * This code handles A and AAAA rdatasets only.
- */
-static isc_result_t
-import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
-		isc_stdtime_t now)
-{
-	isc_result_t result;
-	dns_adb_t *adb;
-	dns_adbnamehook_t *nh;
-	dns_adbnamehook_t *anh;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	struct in_addr ina;
-	struct in6_addr in6a;
-	isc_sockaddr_t sockaddr;
-	dns_adbentry_t *foundentry;  /* NO CLEAN UP! */
-	int addr_bucket;
-	isc_boolean_t new_addresses_added;
-	dns_rdatatype_t rdtype;
-	unsigned int findoptions;
-	dns_adbnamehooklist_t *hookhead;
-
-	INSIST(DNS_ADBNAME_VALID(adbname));
-	adb = adbname->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	rdtype = rdataset->type;
-	INSIST((rdtype == dns_rdatatype_a) || (rdtype == dns_rdatatype_aaaa));
-	if (rdtype == dns_rdatatype_a)
-		findoptions = DNS_ADBFIND_INET;
-	else
-		findoptions = DNS_ADBFIND_INET6;
-
-	addr_bucket = DNS_ADB_INVALIDBUCKET;
-	new_addresses_added = ISC_FALSE;
-
-	nh = NULL;
-	result = dns_rdataset_first(rdataset);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(rdataset, &rdata);
-		if (rdtype == dns_rdatatype_a) {
-			INSIST(rdata.length == 4);
-			memcpy(&ina.s_addr, rdata.data, 4);
-			isc_sockaddr_fromin(&sockaddr, &ina, 0);
-			hookhead = &adbname->v4;
-		} else {
-			INSIST(rdata.length == 16);
-			memcpy(in6a.s6_addr, rdata.data, 16);
-			isc_sockaddr_fromin6(&sockaddr, &in6a, 0);
-			hookhead = &adbname->v6;
-		}
-
-		INSIST(nh == NULL);
-		nh = new_adbnamehook(adb, NULL);
-		if (nh == NULL) {
-			adbname->partial_result |= findoptions;
-			result = ISC_R_NOMEMORY;
-			goto fail;
-		}
-
-		foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket,
-						 now);
-		if (foundentry == NULL) {
-			dns_adbentry_t *entry;
-
-			entry = new_adbentry(adb);
-			if (entry == NULL) {
-				adbname->partial_result |= findoptions;
-				result = ISC_R_NOMEMORY;
-				goto fail;
-			}
-
-			entry->sockaddr = sockaddr;
-			entry->refcnt = 1;
-
-			nh->entry = entry;
-
-			link_entry(adb, addr_bucket, entry);
-		} else {
-			for (anh = ISC_LIST_HEAD(*hookhead);
-			     anh != NULL;
-			     anh = ISC_LIST_NEXT(anh, plink))
-				if (anh->entry == foundentry)
-					break;
-			if (anh == NULL) {
-				foundentry->refcnt++;
-				nh->entry = foundentry;
-			} else
-				free_adbnamehook(adb, &nh);
-		}
-
-		new_addresses_added = ISC_TRUE;
-		if (nh != NULL)
-			ISC_LIST_APPEND(*hookhead, nh, plink);
-		nh = NULL;
-		result = dns_rdataset_next(rdataset);
-	}
-
- fail:
-	if (nh != NULL)
-		free_adbnamehook(adb, &nh);
-
-	if (addr_bucket != DNS_ADB_INVALIDBUCKET)
-		UNLOCK(&adb->entrylocks[addr_bucket]);
-
-	if (rdataset->trust == dns_trust_glue ||
-	    rdataset->trust == dns_trust_additional)
-		rdataset->ttl = ADB_CACHE_MINIMUM;
-	else if (rdataset->trust == dns_trust_ultimate)
-		rdataset->ttl = 0;
-	else
-		rdataset->ttl = ttlclamp(rdataset->ttl);
-
-	if (rdtype == dns_rdatatype_a) {
-		DP(NCACHE_LEVEL, "expire_v4 set to MIN(%u,%u) import_rdataset",
-		   adbname->expire_v4, now + rdataset->ttl);
-		adbname->expire_v4 = ISC_MIN(adbname->expire_v4,
-					     now + rdataset->ttl);
-	} else {
-		DP(NCACHE_LEVEL, "expire_v6 set to MIN(%u,%u) import_rdataset",
-		   adbname->expire_v6, now + rdataset->ttl);
-		adbname->expire_v6 = ISC_MIN(adbname->expire_v6,
-					     now + rdataset->ttl);
-	}
-
-	if (new_addresses_added) {
-		/*
-		 * Lie a little here.  This is more or less so code that cares
-		 * can find out if any new information was added or not.
-		 */
-		return (ISC_R_SUCCESS);
-	}
-
-	return (result);
-}
-
-/*
- * Requires the name's bucket be locked.
- */
-static isc_boolean_t
-kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
-	dns_adbname_t *name;
-	isc_boolean_t result = ISC_FALSE;
-	isc_boolean_t result4, result6;
-	int bucket;
-	dns_adb_t *adb;
-
-	INSIST(n != NULL);
-	name = *n;
-	*n = NULL;
-	INSIST(DNS_ADBNAME_VALID(name));
-	adb = name->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	DP(DEF_LEVEL, "killing name %p", name);
-
-	/*
-	 * If we're dead already, just check to see if we should go
-	 * away now or not.
-	 */
-	if (NAME_DEAD(name) && !NAME_FETCH(name)) {
-		result = unlink_name(adb, name);
-		free_adbname(adb, &name);
-		if (result)
-			result = dec_adb_irefcnt(adb);
-		return (result);
-	}
-
-	/*
-	 * Clean up the name's various lists.  These two are destructive
-	 * in that they will always empty the list.
-	 */
-	clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK);
-	result4 = clean_namehooks(adb, &name->v4);
-	result6 = clean_namehooks(adb, &name->v6);
-	clean_target(adb, &name->target);
-	result = ISC_TF(result4 || result6);
-
-	/*
-	 * If fetches are running, cancel them.  If none are running, we can
-	 * just kill the name here.
-	 */
-	if (!NAME_FETCH(name)) {
-		INSIST(result == ISC_FALSE);
-		result = unlink_name(adb, name);
-		free_adbname(adb, &name);
-		if (result)
-			result = dec_adb_irefcnt(adb);
-	} else {
-		cancel_fetches_at_name(name);
-		if (!NAME_DEAD(name)) {
-			bucket = name->lock_bucket;
-			ISC_LIST_UNLINK(adb->names[bucket], name, plink);
-			ISC_LIST_APPEND(adb->deadnames[bucket], name, plink);
-			name->flags |= NAME_IS_DEAD;
-		}
-	}
-	return (result);
-}
-
-/*
- * Requires the name's bucket be locked and no entry buckets be locked.
- */
-static isc_boolean_t
-check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
-	dns_adb_t *adb;
-	isc_boolean_t result4 = ISC_FALSE;
-	isc_boolean_t result6 = ISC_FALSE;
-
-	INSIST(DNS_ADBNAME_VALID(name));
-	adb = name->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	/*
-	 * Check to see if we need to remove the v4 addresses
-	 */
-	if (!NAME_FETCH_V4(name) && EXPIRE_OK(name->expire_v4, now)) {
-		if (NAME_HAS_V4(name)) {
-			DP(DEF_LEVEL, "expiring v4 for name %p", name);
-			result4 = clean_namehooks(adb, &name->v4);
-			name->partial_result &= ~DNS_ADBFIND_INET;
-		}
-		name->expire_v4 = INT_MAX;
-		name->fetch_err = FIND_ERR_UNEXPECTED;
-	}
-
-	/*
-	 * Check to see if we need to remove the v6 addresses
-	 */
-	if (!NAME_FETCH_V6(name) && EXPIRE_OK(name->expire_v6, now)) {
-		if (NAME_HAS_V6(name)) {
-			DP(DEF_LEVEL, "expiring v6 for name %p", name);
-			result6 = clean_namehooks(adb, &name->v6);
-			name->partial_result &= ~DNS_ADBFIND_INET6;
-		}
-		name->expire_v6 = INT_MAX;
-		name->fetch6_err = FIND_ERR_UNEXPECTED;
-	}
-
-	/*
-	 * Check to see if we need to remove the alias target.
-	 */
-	if (EXPIRE_OK(name->expire_target, now)) {
-		clean_target(adb, &name->target);
-		name->expire_target = INT_MAX;
-	}
-	return (ISC_TF(result4 || result6));
-}
-
-/*
- * Requires the name's bucket be locked.
- */
-static inline void
-link_name(dns_adb_t *adb, int bucket, dns_adbname_t *name) {
-	INSIST(name->lock_bucket == DNS_ADB_INVALIDBUCKET);
-
-	ISC_LIST_PREPEND(adb->names[bucket], name, plink);
-	name->lock_bucket = bucket;
-	adb->name_refcnt[bucket]++;
-}
-
-/*
- * Requires the name's bucket be locked.
- */
-static inline isc_boolean_t
-unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
-	int bucket;
-	isc_boolean_t result = ISC_FALSE;
-
-	bucket = name->lock_bucket;
-	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
-
-	if (NAME_DEAD(name))
-		ISC_LIST_UNLINK(adb->deadnames[bucket], name, plink);
-	else
-		ISC_LIST_UNLINK(adb->names[bucket], name, plink);
-	name->lock_bucket = DNS_ADB_INVALIDBUCKET;
-	INSIST(adb->name_refcnt[bucket] > 0);
-	adb->name_refcnt[bucket]--;
-	if (adb->name_sd[bucket] && adb->name_refcnt[bucket] == 0)
-		result = ISC_TRUE;
-	return (result);
-}
-
-/*
- * Requires the entry's bucket be locked.
- */
-static inline void
-link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry) {
-	int i;
-	dns_adbentry_t *e;
-
-	if (isc_mem_isovermem(adb->mctx)) {
-		for (i = 0; i < 2; i++) {
-			e = ISC_LIST_TAIL(adb->entries[bucket]);
-			if (e == NULL)
-				break;
-			if (e->refcnt == 0) {
-				unlink_entry(adb, e);
-				free_adbentry(adb, &e);
-				continue;
-			}
-			INSIST((e->flags & ENTRY_IS_DEAD) == 0);
-			e->flags |= ENTRY_IS_DEAD;
-			ISC_LIST_UNLINK(adb->entries[bucket], e, plink);
-			ISC_LIST_PREPEND(adb->deadentries[bucket], e, plink);
-		}
-	}
-
-	ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
-	entry->lock_bucket = bucket;
-	adb->entry_refcnt[bucket]++;
-}
-
-/*
- * Requires the entry's bucket be locked.
- */
-static inline isc_boolean_t
-unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry) {
-	int bucket;
-	isc_boolean_t result = ISC_FALSE;
-
-	bucket = entry->lock_bucket;
-	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
-
-	if ((entry->flags & ENTRY_IS_DEAD) != 0)
-		ISC_LIST_UNLINK(adb->deadentries[bucket], entry, plink);
-	else
-		ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
-	entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
-	INSIST(adb->entry_refcnt[bucket] > 0);
-	adb->entry_refcnt[bucket]--;
-	if (adb->entry_sd[bucket] && adb->entry_refcnt[bucket] == 0)
-		result = ISC_TRUE;
-	return (result);
-}
-
-static inline void
-violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want) {
-	if (isc_mutex_trylock(want) != ISC_R_SUCCESS) {
-		UNLOCK(have);
-		LOCK(want);
-		LOCK(have);
-	}
-}
-
-/*
- * The ADB _MUST_ be locked before calling.  Also, exit conditions must be
- * checked after calling this function.
- */
-static isc_boolean_t
-shutdown_names(dns_adb_t *adb) {
-	unsigned int bucket;
-	isc_boolean_t result = ISC_FALSE;
-	dns_adbname_t *name;
-	dns_adbname_t *next_name;
-
-	for (bucket = 0; bucket < adb->nnames; bucket++) {
-		LOCK(&adb->namelocks[bucket]);
-		adb->name_sd[bucket] = ISC_TRUE;
-
-		name = ISC_LIST_HEAD(adb->names[bucket]);
-		if (name == NULL) {
-			/*
-			 * This bucket has no names.  We must decrement the
-			 * irefcnt ourselves, since it will not be
-			 * automatically triggered by a name being unlinked.
-			 */
-			INSIST(result == ISC_FALSE);
-			result = dec_adb_irefcnt(adb);
-		} else {
-			/*
-			 * Run through the list.  For each name, clean up finds
-			 * found there, and cancel any fetches running.  When
-			 * all the fetches are canceled, the name will destroy
-			 * itself.
-			 */
-			while (name != NULL) {
-				next_name = ISC_LIST_NEXT(name, plink);
-				INSIST(result == ISC_FALSE);
-				result = kill_name(&name,
-						   DNS_EVENT_ADBSHUTDOWN);
-				name = next_name;
-			}
-		}
-
-		UNLOCK(&adb->namelocks[bucket]);
-	}
-	return (result);
-}
-
-/*
- * The ADB _MUST_ be locked before calling.  Also, exit conditions must be
- * checked after calling this function.
- */
-static isc_boolean_t
-shutdown_entries(dns_adb_t *adb) {
-	unsigned int bucket;
-	isc_boolean_t result = ISC_FALSE;
-	dns_adbentry_t *entry;
-	dns_adbentry_t *next_entry;
-
-	for (bucket = 0; bucket < adb->nentries; bucket++) {
-		LOCK(&adb->entrylocks[bucket]);
-		adb->entry_sd[bucket] = ISC_TRUE;
-
-		entry = ISC_LIST_HEAD(adb->entries[bucket]);
-		if (adb->entry_refcnt[bucket] == 0) {
-			/*
-			 * This bucket has no entries.  We must decrement the
-			 * irefcnt ourselves, since it will not be
-			 * automatically triggered by an entry being unlinked.
-			 */
-			result = dec_adb_irefcnt(adb);
-		} else {
-			/*
-			 * Run through the list.  Cleanup any entries not
-			 * associated with names, and which are not in use.
-			 */
-			while (entry != NULL) {
-				next_entry = ISC_LIST_NEXT(entry, plink);
-				if (entry->refcnt == 0 &&
-				    entry->expires != 0) {
-					result = unlink_entry(adb, entry);
-					free_adbentry(adb, &entry);
-					if (result)
-						result = dec_adb_irefcnt(adb);
-				}
-				entry = next_entry;
-			}
-		}
-
-		UNLOCK(&adb->entrylocks[bucket]);
-	}
-	return (result);
-}
-
-/*
- * Name bucket must be locked
- */
-static void
-cancel_fetches_at_name(dns_adbname_t *name) {
-	if (NAME_FETCH_A(name))
-	    dns_resolver_cancelfetch(name->fetch_a->fetch);
-
-	if (NAME_FETCH_AAAA(name))
-	    dns_resolver_cancelfetch(name->fetch_aaaa->fetch);
-}
-
-/*
- * Assumes the name bucket is locked.
- */
-static isc_boolean_t
-clean_namehooks(dns_adb_t *adb, dns_adbnamehooklist_t *namehooks) {
-	dns_adbentry_t *entry;
-	dns_adbnamehook_t *namehook;
-	int addr_bucket;
-	isc_boolean_t result = ISC_FALSE;
-	isc_boolean_t overmem = isc_mem_isovermem(adb->mctx);
-
-	addr_bucket = DNS_ADB_INVALIDBUCKET;
-	namehook = ISC_LIST_HEAD(*namehooks);
-	while (namehook != NULL) {
-		INSIST(DNS_ADBNAMEHOOK_VALID(namehook));
-
-		/*
-		 * Clean up the entry if needed.
-		 */
-		entry = namehook->entry;
-		if (entry != NULL) {
-			INSIST(DNS_ADBENTRY_VALID(entry));
-
-			if (addr_bucket != entry->lock_bucket) {
-				if (addr_bucket != DNS_ADB_INVALIDBUCKET)
-					UNLOCK(&adb->entrylocks[addr_bucket]);
-				addr_bucket = entry->lock_bucket;
-				INSIST(addr_bucket != DNS_ADB_INVALIDBUCKET);
-				LOCK(&adb->entrylocks[addr_bucket]);
-			}
-
-			result = dec_entry_refcnt(adb, overmem, entry,
-						  ISC_FALSE);
-		}
-
-		/*
-		 * Free the namehook
-		 */
-		namehook->entry = NULL;
-		ISC_LIST_UNLINK(*namehooks, namehook, plink);
-		free_adbnamehook(adb, &namehook);
-
-		namehook = ISC_LIST_HEAD(*namehooks);
-	}
-
-	if (addr_bucket != DNS_ADB_INVALIDBUCKET)
-		UNLOCK(&adb->entrylocks[addr_bucket]);
-	return (result);
-}
-
-static void
-clean_target(dns_adb_t *adb, dns_name_t *target) {
-	if (dns_name_countlabels(target) > 0) {
-		dns_name_free(target, adb->mctx);
-		dns_name_init(target, NULL);
-	}
-}
-
-static isc_result_t
-set_target(dns_adb_t *adb, dns_name_t *name, dns_name_t *fname,
-	   dns_rdataset_t *rdataset, dns_name_t *target)
-{
-	isc_result_t result;
-	dns_namereln_t namereln;
-	unsigned int nlabels;
-	int order;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_fixedname_t fixed1, fixed2;
-	dns_name_t *prefix, *new_target;
-
-	REQUIRE(dns_name_countlabels(target) == 0);
-
-	if (rdataset->type == dns_rdatatype_cname) {
-		dns_rdata_cname_t cname;
-
-		/*
-		 * Copy the CNAME's target into the target name.
-		 */
-		result = dns_rdataset_first(rdataset);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &cname, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = dns_name_dup(&cname.cname, adb->mctx, target);
-		dns_rdata_freestruct(&cname);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} else {
-		dns_rdata_dname_t dname;
-
-		INSIST(rdataset->type == dns_rdatatype_dname);
-		namereln = dns_name_fullcompare(name, fname, &order, &nlabels);
-		INSIST(namereln == dns_namereln_subdomain);
-		/*
-		 * Get the target name of the DNAME.
-		 */
-		result = dns_rdataset_first(rdataset);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &dname, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		/*
-		 * Construct the new target name.
-		 */
-		dns_fixedname_init(&fixed1);
-		prefix = dns_fixedname_name(&fixed1);
-		dns_fixedname_init(&fixed2);
-		new_target = dns_fixedname_name(&fixed2);
-		dns_name_split(name, nlabels, prefix, NULL);
-		result = dns_name_concatenate(prefix, &dname.dname, new_target,
-					      NULL);
-		dns_rdata_freestruct(&dname);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = dns_name_dup(new_target, adb->mctx, target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Assumes nothing is locked, since this is called by the client.
- */
-static void
-event_free(isc_event_t *event) {
-	dns_adbfind_t *find;
-
-	INSIST(event != NULL);
-	find = event->ev_destroy_arg;
-	INSIST(DNS_ADBFIND_VALID(find));
-
-	LOCK(&find->lock);
-	find->flags |= FIND_EVENT_FREED;
-	event->ev_destroy_arg = NULL;
-	UNLOCK(&find->lock);
-}
-
-/*
- * Assumes the name bucket is locked.
- */
-static void
-clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
-		    unsigned int addrs)
-{
-	isc_event_t *ev;
-	isc_task_t *task;
-	dns_adbfind_t *find;
-	dns_adbfind_t *next_find;
-	isc_boolean_t process;
-	unsigned int wanted, notify;
-
-	DP(ENTER_LEVEL,
-	   "ENTER clean_finds_at_name, name %p, evtype %08x, addrs %08x",
-	   name, evtype, addrs);
-
-	find = ISC_LIST_HEAD(name->finds);
-	while (find != NULL) {
-		LOCK(&find->lock);
-		next_find = ISC_LIST_NEXT(find, plink);
-
-		process = ISC_FALSE;
-		wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
-		notify = wanted & addrs;
-
-		switch (evtype) {
-		case DNS_EVENT_ADBMOREADDRESSES:
-			DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBMOREADDRESSES");
-			if ((notify) != 0) {
-				find->flags &= ~addrs;
-				process = ISC_TRUE;
-			}
-			break;
-		case DNS_EVENT_ADBNOMOREADDRESSES:
-			DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBNOMOREADDRESSES");
-			find->flags &= ~addrs;
-			wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
-			if (wanted == 0)
-				process = ISC_TRUE;
-			break;
-		default:
-			find->flags &= ~addrs;
-			process = ISC_TRUE;
-		}
-
-		if (process) {
-			DP(DEF_LEVEL, "cfan: processing find %p", find);
-			/*
-			 * Unlink the find from the name, letting the caller
-			 * call dns_adb_destroyfind() on it to clean it up
-			 * later.
-			 */
-			ISC_LIST_UNLINK(name->finds, find, plink);
-			find->adbname = NULL;
-			find->name_bucket = DNS_ADB_INVALIDBUCKET;
-
-			INSIST(!FIND_EVENTSENT(find));
-
-			ev = &find->event;
-			task = ev->ev_sender;
-			ev->ev_sender = find;
-			find->result_v4 = find_err_map[name->fetch_err];
-			find->result_v6 = find_err_map[name->fetch6_err];
-			ev->ev_type = evtype;
-			ev->ev_destroy = event_free;
-			ev->ev_destroy_arg = find;
-
-			DP(DEF_LEVEL,
-			   "sending event %p to task %p for find %p",
-			   ev, task, find);
-
-			isc_task_sendanddetach(&task, (isc_event_t **)&ev);
-		} else {
-			DP(DEF_LEVEL, "cfan: skipping find %p", find);
-		}
-
-		UNLOCK(&find->lock);
-		find = next_find;
-	}
-
-	DP(ENTER_LEVEL, "EXIT clean_finds_at_name, name %p", name);
-}
-
-static inline void
-check_exit(dns_adb_t *adb) {
-	isc_event_t *event;
-	/*
-	 * The caller must be holding the adb lock.
-	 */
-	if (adb->shutting_down) {
-		/*
-		 * If there aren't any external references either, we're
-		 * done.  Send the control event to initiate shutdown.
-		 */
-		INSIST(!adb->cevent_sent);      /* Sanity check. */
-		event = &adb->cevent;
-		isc_task_send(adb->task, &event);
-		adb->cevent_sent = ISC_TRUE;
-	}
-}
-
-static inline isc_boolean_t
-dec_adb_irefcnt(dns_adb_t *adb) {
-	isc_event_t *event;
-	isc_task_t *etask;
-	isc_boolean_t result = ISC_FALSE;
-
-	LOCK(&adb->reflock);
-
-	INSIST(adb->irefcnt > 0);
-	adb->irefcnt--;
-
-	if (adb->irefcnt == 0) {
-		event = ISC_LIST_HEAD(adb->whenshutdown);
-		while (event != NULL) {
-			ISC_LIST_UNLINK(adb->whenshutdown, event, ev_link);
-			etask = event->ev_sender;
-			event->ev_sender = adb;
-			isc_task_sendanddetach(&etask, &event);
-			event = ISC_LIST_HEAD(adb->whenshutdown);
-		}
-	}
-
-	if (adb->irefcnt == 0 && adb->erefcnt == 0)
-		result = ISC_TRUE;
-	UNLOCK(&adb->reflock);
-	return (result);
-}
-
-static inline void
-inc_adb_irefcnt(dns_adb_t *adb) {
-	LOCK(&adb->reflock);
-	adb->irefcnt++;
-	UNLOCK(&adb->reflock);
-}
-
-static inline void
-inc_adb_erefcnt(dns_adb_t *adb) {
-	LOCK(&adb->reflock);
-	adb->erefcnt++;
-	UNLOCK(&adb->reflock);
-}
-
-static inline void
-inc_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
-	int bucket;
-
-	bucket = entry->lock_bucket;
-
-	if (lock)
-		LOCK(&adb->entrylocks[bucket]);
-
-	entry->refcnt++;
-
-	if (lock)
-		UNLOCK(&adb->entrylocks[bucket]);
-}
-
-static inline isc_boolean_t
-dec_entry_refcnt(dns_adb_t *adb, isc_boolean_t overmem, dns_adbentry_t *entry,
-		 isc_boolean_t lock)
-{
-	int bucket;
-	isc_boolean_t destroy_entry;
-	isc_boolean_t result = ISC_FALSE;
-
-	bucket = entry->lock_bucket;
-
-	if (lock)
-		LOCK(&adb->entrylocks[bucket]);
-
-	INSIST(entry->refcnt > 0);
-	entry->refcnt--;
-
-	destroy_entry = ISC_FALSE;
-	if (entry->refcnt == 0 &&
-	    (adb->entry_sd[bucket] || entry->expires == 0 || overmem ||
-	     (entry->flags & ENTRY_IS_DEAD) != 0)) {
-		destroy_entry = ISC_TRUE;
-		result = unlink_entry(adb, entry);
-	}
-
-	if (lock)
-		UNLOCK(&adb->entrylocks[bucket]);
-
-	if (!destroy_entry)
-		return (result);
-
-	entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
-
-	free_adbentry(adb, &entry);
-	if (result)
-		result = dec_adb_irefcnt(adb);
-
-	return (result);
-}
-
-static inline dns_adbname_t *
-new_adbname(dns_adb_t *adb, dns_name_t *dnsname) {
-	dns_adbname_t *name;
-
-	name = isc_mempool_get(adb->nmp);
-	if (name == NULL)
-		return (NULL);
-
-	dns_name_init(&name->name, NULL);
-	if (dns_name_dup(dnsname, adb->mctx, &name->name) != ISC_R_SUCCESS) {
-		isc_mempool_put(adb->nmp, name);
-		return (NULL);
-	}
-	dns_name_init(&name->target, NULL);
-	name->magic = DNS_ADBNAME_MAGIC;
-	name->adb = adb;
-	name->partial_result = 0;
-	name->flags = 0;
-	name->expire_v4 = INT_MAX;
-	name->expire_v6 = INT_MAX;
-	name->expire_target = INT_MAX;
-	name->chains = 0;
-	name->lock_bucket = DNS_ADB_INVALIDBUCKET;
-	ISC_LIST_INIT(name->v4);
-	ISC_LIST_INIT(name->v6);
-	name->fetch_a = NULL;
-	name->fetch_aaaa = NULL;
-	name->fetch_err = FIND_ERR_UNEXPECTED;
-	name->fetch6_err = FIND_ERR_UNEXPECTED;
-	ISC_LIST_INIT(name->finds);
-	ISC_LINK_INIT(name, plink);
-
-	LOCK(&adb->namescntlock);
-	adb->namescnt++;
-	if (!adb->grownames_sent && adb->excl != NULL &&
-	    adb->namescnt > (adb->nnames * 8))
-	{
-		isc_event_t *event = &adb->grownames;
-		inc_adb_irefcnt(adb);
-		isc_task_send(adb->excl, &event);
-		adb->grownames_sent = ISC_TRUE;
-	}
-	UNLOCK(&adb->namescntlock);
-
-	return (name);
-}
-
-static inline void
-free_adbname(dns_adb_t *adb, dns_adbname_t **name) {
-	dns_adbname_t *n;
-
-	INSIST(name != NULL && DNS_ADBNAME_VALID(*name));
-	n = *name;
-	*name = NULL;
-
-	INSIST(!NAME_HAS_V4(n));
-	INSIST(!NAME_HAS_V6(n));
-	INSIST(!NAME_FETCH(n));
-	INSIST(ISC_LIST_EMPTY(n->finds));
-	INSIST(!ISC_LINK_LINKED(n, plink));
-	INSIST(n->lock_bucket == DNS_ADB_INVALIDBUCKET);
-	INSIST(n->adb == adb);
-
-	n->magic = 0;
-	dns_name_free(&n->name, adb->mctx);
-
-	isc_mempool_put(adb->nmp, n);
-	LOCK(&adb->namescntlock);
-	adb->namescnt--;
-	UNLOCK(&adb->namescntlock);
-}
-
-static inline dns_adbnamehook_t *
-new_adbnamehook(dns_adb_t *adb, dns_adbentry_t *entry) {
-	dns_adbnamehook_t *nh;
-
-	nh = isc_mempool_get(adb->nhmp);
-	if (nh == NULL)
-		return (NULL);
-
-	nh->magic = DNS_ADBNAMEHOOK_MAGIC;
-	nh->entry = entry;
-	ISC_LINK_INIT(nh, plink);
-
-	return (nh);
-}
-
-static inline void
-free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook) {
-	dns_adbnamehook_t *nh;
-
-	INSIST(namehook != NULL && DNS_ADBNAMEHOOK_VALID(*namehook));
-	nh = *namehook;
-	*namehook = NULL;
-
-	INSIST(nh->entry == NULL);
-	INSIST(!ISC_LINK_LINKED(nh, plink));
-
-	nh->magic = 0;
-	isc_mempool_put(adb->nhmp, nh);
-}
-
-static inline dns_adblameinfo_t *
-new_adblameinfo(dns_adb_t *adb, dns_name_t *qname, dns_rdatatype_t qtype) {
-	dns_adblameinfo_t *li;
-
-	li = isc_mempool_get(adb->limp);
-	if (li == NULL)
-		return (NULL);
-
-	dns_name_init(&li->qname, NULL);
-	if (dns_name_dup(qname, adb->mctx, &li->qname) != ISC_R_SUCCESS) {
-		isc_mempool_put(adb->limp, li);
-		return (NULL);
-	}
-	li->magic = DNS_ADBLAMEINFO_MAGIC;
-	li->lame_timer = 0;
-	li->qtype = qtype;
-	ISC_LINK_INIT(li, plink);
-
-	return (li);
-}
-
-static inline void
-free_adblameinfo(dns_adb_t *adb, dns_adblameinfo_t **lameinfo) {
-	dns_adblameinfo_t *li;
-
-	INSIST(lameinfo != NULL && DNS_ADBLAMEINFO_VALID(*lameinfo));
-	li = *lameinfo;
-	*lameinfo = NULL;
-
-	INSIST(!ISC_LINK_LINKED(li, plink));
-
-	dns_name_free(&li->qname, adb->mctx);
-
-	li->magic = 0;
-
-	isc_mempool_put(adb->limp, li);
-}
-
-static inline dns_adbentry_t *
-new_adbentry(dns_adb_t *adb) {
-	dns_adbentry_t *e;
-	isc_uint32_t r;
-
-	e = isc_mempool_get(adb->emp);
-	if (e == NULL)
-		return (NULL);
-
-	e->magic = DNS_ADBENTRY_MAGIC;
-	e->lock_bucket = DNS_ADB_INVALIDBUCKET;
-	e->refcnt = 0;
-	e->flags = 0;
-	isc_random_get(&r);
-	e->srtt = (r & 0x1f) + 1;
-	e->expires = 0;
-	ISC_LIST_INIT(e->lameinfo);
-	ISC_LINK_INIT(e, plink);
-	LOCK(&adb->entriescntlock);
-	adb->entriescnt++;
-	if (!adb->growentries_sent && adb->growentries_sent &&
-	    adb->entriescnt > (adb->nentries * 8))
-	{
-		isc_event_t *event = &adb->growentries;
-		inc_adb_irefcnt(adb);
-		isc_task_send(adb->task, &event);
-		adb->growentries_sent = ISC_TRUE;
-	}
-	UNLOCK(&adb->entriescntlock);
-
-	return (e);
-}
-
-static inline void
-free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) {
-	dns_adbentry_t *e;
-	dns_adblameinfo_t *li;
-
-	INSIST(entry != NULL && DNS_ADBENTRY_VALID(*entry));
-	e = *entry;
-	*entry = NULL;
-
-	INSIST(e->lock_bucket == DNS_ADB_INVALIDBUCKET);
-	INSIST(e->refcnt == 0);
-	INSIST(!ISC_LINK_LINKED(e, plink));
-
-	e->magic = 0;
-
-	li = ISC_LIST_HEAD(e->lameinfo);
-	while (li != NULL) {
-		ISC_LIST_UNLINK(e->lameinfo, li, plink);
-		free_adblameinfo(adb, &li);
-		li = ISC_LIST_HEAD(e->lameinfo);
-	}
-
-	isc_mempool_put(adb->emp, e);
-	LOCK(&adb->entriescntlock);
-	adb->entriescnt--;
-	UNLOCK(&adb->entriescntlock);
-}
-
-static inline dns_adbfind_t *
-new_adbfind(dns_adb_t *adb) {
-	dns_adbfind_t *h;
-	isc_result_t result;
-
-	h = isc_mempool_get(adb->ahmp);
-	if (h == NULL)
-		return (NULL);
-
-	/*
-	 * Public members.
-	 */
-	h->magic = 0;
-	h->adb = adb;
-	h->partial_result = 0;
-	h->options = 0;
-	h->flags = 0;
-	h->result_v4 = ISC_R_UNEXPECTED;
-	h->result_v6 = ISC_R_UNEXPECTED;
-	ISC_LINK_INIT(h, publink);
-	ISC_LINK_INIT(h, plink);
-	ISC_LIST_INIT(h->list);
-	h->adbname = NULL;
-	h->name_bucket = DNS_ADB_INVALIDBUCKET;
-
-	/*
-	 * private members
-	 */
-	result = isc_mutex_init(&h->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mempool_put(adb->ahmp, h);
-		return (NULL);
-	}
-
-	ISC_EVENT_INIT(&h->event, sizeof(isc_event_t), 0, 0, 0, NULL, NULL,
-		       NULL, NULL, h);
-
-	inc_adb_irefcnt(adb);
-	h->magic = DNS_ADBFIND_MAGIC;
-	return (h);
-}
-
-static inline dns_adbfetch_t *
-new_adbfetch(dns_adb_t *adb) {
-	dns_adbfetch_t *f;
-
-	f = isc_mempool_get(adb->afmp);
-	if (f == NULL)
-		return (NULL);
-
-	f->magic = 0;
-	f->fetch = NULL;
-
-	dns_rdataset_init(&f->rdataset);
-
-	f->magic = DNS_ADBFETCH_MAGIC;
-
-	return (f);
-}
-
-static inline void
-free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) {
-	dns_adbfetch_t *f;
-
-	INSIST(fetch != NULL && DNS_ADBFETCH_VALID(*fetch));
-	f = *fetch;
-	*fetch = NULL;
-
-	f->magic = 0;
-
-	if (dns_rdataset_isassociated(&f->rdataset))
-		dns_rdataset_disassociate(&f->rdataset);
-
-	isc_mempool_put(adb->afmp, f);
-}
-
-static inline isc_boolean_t
-free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp) {
-	dns_adbfind_t *find;
-
-	INSIST(findp != NULL && DNS_ADBFIND_VALID(*findp));
-	find = *findp;
-	*findp = NULL;
-
-	INSIST(!FIND_HAS_ADDRS(find));
-	INSIST(!ISC_LINK_LINKED(find, publink));
-	INSIST(!ISC_LINK_LINKED(find, plink));
-	INSIST(find->name_bucket == DNS_ADB_INVALIDBUCKET);
-	INSIST(find->adbname == NULL);
-
-	find->magic = 0;
-
-	DESTROYLOCK(&find->lock);
-	isc_mempool_put(adb->ahmp, find);
-	return (dec_adb_irefcnt(adb));
-}
-
-/*
- * Copy bits from the entry into the newly allocated addrinfo.  The entry
- * must be locked, and the reference count must be bumped up by one
- * if this function returns a valid pointer.
- */
-static inline dns_adbaddrinfo_t *
-new_adbaddrinfo(dns_adb_t *adb, dns_adbentry_t *entry, in_port_t port) {
-	dns_adbaddrinfo_t *ai;
-
-	ai = isc_mempool_get(adb->aimp);
-	if (ai == NULL)
-		return (NULL);
-
-	ai->magic = DNS_ADBADDRINFO_MAGIC;
-	ai->sockaddr = entry->sockaddr;
-	isc_sockaddr_setport(&ai->sockaddr, port);
-	ai->srtt = entry->srtt;
-	ai->flags = entry->flags;
-	ai->entry = entry;
-	ISC_LINK_INIT(ai, publink);
-
-	return (ai);
-}
-
-static inline void
-free_adbaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **ainfo) {
-	dns_adbaddrinfo_t *ai;
-
-	INSIST(ainfo != NULL && DNS_ADBADDRINFO_VALID(*ainfo));
-	ai = *ainfo;
-	*ainfo = NULL;
-
-	INSIST(ai->entry == NULL);
-	INSIST(!ISC_LINK_LINKED(ai, publink));
-
-	ai->magic = 0;
-
-	isc_mempool_put(adb->aimp, ai);
-}
-
-/*
- * Search for the name.  NOTE:  The bucket is kept locked on both
- * success and failure, so it must always be unlocked by the caller!
- *
- * On the first call to this function, *bucketp must be set to
- * DNS_ADB_INVALIDBUCKET.
- */
-static inline dns_adbname_t *
-find_name_and_lock(dns_adb_t *adb, dns_name_t *name,
-		   unsigned int options, int *bucketp)
-{
-	dns_adbname_t *adbname;
-	int bucket;
-
-	bucket = dns_name_fullhash(name, ISC_FALSE) % adb->nnames;
-
-	if (*bucketp == DNS_ADB_INVALIDBUCKET) {
-		LOCK(&adb->namelocks[bucket]);
-		*bucketp = bucket;
-	} else if (*bucketp != bucket) {
-		UNLOCK(&adb->namelocks[*bucketp]);
-		LOCK(&adb->namelocks[bucket]);
-		*bucketp = bucket;
-	}
-
-	adbname = ISC_LIST_HEAD(adb->names[bucket]);
-	while (adbname != NULL) {
-		if (!NAME_DEAD(adbname)) {
-			if (dns_name_equal(name, &adbname->name)
-			    && GLUEHINT_OK(adbname, options)
-			    && STARTATZONE_MATCHES(adbname, options))
-				return (adbname);
-		}
-		adbname = ISC_LIST_NEXT(adbname, plink);
-	}
-
-	return (NULL);
-}
-
-/*
- * Search for the address.  NOTE:  The bucket is kept locked on both
- * success and failure, so it must always be unlocked by the caller.
- *
- * On the first call to this function, *bucketp must be set to
- * DNS_ADB_INVALIDBUCKET.  This will cause a lock to occur.  On
- * later calls (within the same "lock path") it can be left alone, so
- * if this function is called multiple times locking is only done if
- * the bucket changes.
- */
-static inline dns_adbentry_t *
-find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp,
-	isc_stdtime_t now)
-{
-	dns_adbentry_t *entry, *entry_next;
-	int bucket;
-
-	bucket = isc_sockaddr_hash(addr, ISC_TRUE) % adb->nentries;
-
-	if (*bucketp == DNS_ADB_INVALIDBUCKET) {
-		LOCK(&adb->entrylocks[bucket]);
-		*bucketp = bucket;
-	} else if (*bucketp != bucket) {
-		UNLOCK(&adb->entrylocks[*bucketp]);
-		LOCK(&adb->entrylocks[bucket]);
-		*bucketp = bucket;
-	}
-
-	/* Search the list, while cleaning up expired entries. */
-	for (entry = ISC_LIST_HEAD(adb->entries[bucket]);
-	     entry != NULL;
-	     entry = entry_next) {
-		entry_next = ISC_LIST_NEXT(entry, plink);
-		(void)check_expire_entry(adb, &entry, now);
-		if (entry != NULL &&
-		    isc_sockaddr_equal(addr, &entry->sockaddr)) {
-			ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
-			ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
-			return (entry);
-		}
-	}
-
-	return (NULL);
-}
-
-/*
- * Entry bucket MUST be locked!
- */
-static isc_boolean_t
-entry_is_lame(dns_adb_t *adb, dns_adbentry_t *entry, dns_name_t *qname,
-	      dns_rdatatype_t qtype, isc_stdtime_t now)
-{
-	dns_adblameinfo_t *li, *next_li;
-	isc_boolean_t is_bad;
-
-	is_bad = ISC_FALSE;
-
-	li = ISC_LIST_HEAD(entry->lameinfo);
-	if (li == NULL)
-		return (ISC_FALSE);
-	while (li != NULL) {
-		next_li = ISC_LIST_NEXT(li, plink);
-
-		/*
-		 * Has the entry expired?
-		 */
-		if (li->lame_timer < now) {
-			ISC_LIST_UNLINK(entry->lameinfo, li, plink);
-			free_adblameinfo(adb, &li);
-		}
-
-		/*
-		 * Order tests from least to most expensive.
-		 *
-		 * We do not break out of the main loop here as
-		 * we use the loop for house keeping.
-		 */
-		if (li != NULL && !is_bad && li->qtype == qtype &&
-		    dns_name_equal(qname, &li->qname))
-			is_bad = ISC_TRUE;
-
-		li = next_li;
-	}
-
-	return (is_bad);
-}
-
-static void
-copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find, dns_name_t *qname,
-		    dns_rdatatype_t qtype, dns_adbname_t *name,
-		    isc_stdtime_t now)
-{
-	dns_adbnamehook_t *namehook;
-	dns_adbaddrinfo_t *addrinfo;
-	dns_adbentry_t *entry;
-	int bucket;
-
-	bucket = DNS_ADB_INVALIDBUCKET;
-
-	if (find->options & DNS_ADBFIND_INET) {
-		namehook = ISC_LIST_HEAD(name->v4);
-		while (namehook != NULL) {
-			entry = namehook->entry;
-			bucket = entry->lock_bucket;
-			INSIST(bucket != DNS_ADB_INVALIDBUCKET);
-			LOCK(&adb->entrylocks[bucket]);
-
-			if (!FIND_RETURNLAME(find)
-			    && entry_is_lame(adb, entry, qname, qtype, now)) {
-				find->options |= DNS_ADBFIND_LAMEPRUNED;
-				goto nextv4;
-			}
-			addrinfo = new_adbaddrinfo(adb, entry, find->port);
-			if (addrinfo == NULL) {
-				find->partial_result |= DNS_ADBFIND_INET;
-				goto out;
-			}
-			/*
-			 * Found a valid entry.  Add it to the find's list.
-			 */
-			inc_entry_refcnt(adb, entry, ISC_FALSE);
-			ISC_LIST_APPEND(find->list, addrinfo, publink);
-			addrinfo = NULL;
-		nextv4:
-			UNLOCK(&adb->entrylocks[bucket]);
-			bucket = DNS_ADB_INVALIDBUCKET;
-			namehook = ISC_LIST_NEXT(namehook, plink);
-		}
-	}
-
-	if (find->options & DNS_ADBFIND_INET6) {
-		namehook = ISC_LIST_HEAD(name->v6);
-		while (namehook != NULL) {
-			entry = namehook->entry;
-			bucket = entry->lock_bucket;
-			INSIST(bucket != DNS_ADB_INVALIDBUCKET);
-			LOCK(&adb->entrylocks[bucket]);
-
-			if (!FIND_RETURNLAME(find)
-			    && entry_is_lame(adb, entry, qname, qtype, now)) {
-				find->options |= DNS_ADBFIND_LAMEPRUNED;
-				goto nextv6;
-			}
-			addrinfo = new_adbaddrinfo(adb, entry, find->port);
-			if (addrinfo == NULL) {
-				find->partial_result |= DNS_ADBFIND_INET6;
-				goto out;
-			}
-			/*
-			 * Found a valid entry.  Add it to the find's list.
-			 */
-			inc_entry_refcnt(adb, entry, ISC_FALSE);
-			ISC_LIST_APPEND(find->list, addrinfo, publink);
-			addrinfo = NULL;
-		nextv6:
-			UNLOCK(&adb->entrylocks[bucket]);
-			bucket = DNS_ADB_INVALIDBUCKET;
-			namehook = ISC_LIST_NEXT(namehook, plink);
-		}
-	}
-
- out:
-	if (bucket != DNS_ADB_INVALIDBUCKET)
-		UNLOCK(&adb->entrylocks[bucket]);
-}
-
-static void
-shutdown_task(isc_task_t *task, isc_event_t *ev) {
-	dns_adb_t *adb;
-
-	UNUSED(task);
-
-	adb = ev->ev_arg;
-	INSIST(DNS_ADB_VALID(adb));
-
-	isc_event_free(&ev);
-	/*
-	 * Wait for lock around check_exit() call to be released.
-	 */
-	LOCK(&adb->lock);
-	UNLOCK(&adb->lock);
-	destroy(adb);
-}
-
-/*
- * Name bucket must be locked; adb may be locked; no other locks held.
- */
-static isc_boolean_t
-check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
-	dns_adbname_t *name;
-	isc_boolean_t result = ISC_FALSE;
-
-	INSIST(namep != NULL && DNS_ADBNAME_VALID(*namep));
-	name = *namep;
-
-	if (NAME_HAS_V4(name) || NAME_HAS_V6(name))
-		return (result);
-	if (NAME_FETCH(name))
-		return (result);
-	if (!EXPIRE_OK(name->expire_v4, now))
-		return (result);
-	if (!EXPIRE_OK(name->expire_v6, now))
-		return (result);
-	if (!EXPIRE_OK(name->expire_target, now))
-		return (result);
-
-	/*
-	 * The name is empty.  Delete it.
-	 */
-	result = kill_name(&name, DNS_EVENT_ADBEXPIRED);
-	*namep = NULL;
-
-	/*
-	 * Our caller, or one of its callers, will be calling check_exit() at
-	 * some point, so we don't need to do it here.
-	 */
-	return (result);
-}
-
-/*%
- * Examine the tail entry of the LRU list to see if it expires or is stale
- * (unused for some period); if so, the name entry will be freed.  If the ADB
- * is in the overmem condition, the tail and the next to tail entries
- * will be unconditionally removed (unless they have an outstanding fetch).
- * We don't care about a race on 'overmem' at the risk of causing some
- * collateral damage or a small delay in starting cleanup, so we don't bother
- * to lock ADB (if it's not locked).
- *
- * Name bucket must be locked; adb may be locked; no other locks held.
- */
-static void
-check_stale_name(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
-	int victims, max_victims;
-	dns_adbname_t *victim, *next_victim;
-	isc_boolean_t overmem = isc_mem_isovermem(adb->mctx);
-	int scans = 0;
-
-	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
-
-	max_victims = overmem ? 2 : 1;
-
-	/*
-	 * We limit the number of scanned entries to 10 (arbitrary choice)
-	 * in order to avoid examining too many entries when there are many
-	 * tail entries that have fetches (this should be rare, but could
-	 * happen).
-	 */
-	victim = ISC_LIST_TAIL(adb->names[bucket]);
-	for (victims = 0;
-	     victim != NULL && victims < max_victims && scans < 10;
-	     victim = next_victim) {
-		INSIST(!NAME_DEAD(victim));
-		scans++;
-		next_victim = ISC_LIST_PREV(victim, plink);
-		(void)check_expire_name(&victim, now);
-		if (victim == NULL) {
-			victims++;
-			goto next;
-		}
-
-		if (!NAME_FETCH(victim) &&
-		    (overmem || victim->last_used + ADB_STALE_MARGIN <= now)) {
-			RUNTIME_CHECK(kill_name(&victim,
-						DNS_EVENT_ADBCANCELED) ==
-				      ISC_FALSE);
-			victims++;
-		}
-
-	next:
-		if (!overmem)
-			break;
-	}
-}
-
-/*
- * Entry bucket must be locked; adb may be locked; no other locks held.
- */
-static isc_boolean_t
-check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
-{
-	dns_adbentry_t *entry;
-	isc_boolean_t result = ISC_FALSE;
-
-	INSIST(entryp != NULL && DNS_ADBENTRY_VALID(*entryp));
-	entry = *entryp;
-
-	if (entry->refcnt != 0)
-		return (result);
-
-	if (entry->expires == 0 || entry->expires > now)
-		return (result);
-
-	/*
-	 * The entry is not in use.  Delete it.
-	 */
-	DP(DEF_LEVEL, "killing entry %p", entry);
-	INSIST(ISC_LINK_LINKED(entry, plink));
-	result = unlink_entry(adb, entry);
-	free_adbentry(adb, &entry);
-	if (result)
-		dec_adb_irefcnt(adb);
-	*entryp = NULL;
-	return (result);
-}
-
-/*
- * ADB must be locked, and no other locks held.
- */
-static isc_boolean_t
-cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
-	dns_adbname_t *name;
-	dns_adbname_t *next_name;
-	isc_boolean_t result = ISC_FALSE;
-
-	DP(CLEAN_LEVEL, "cleaning name bucket %d", bucket);
-
-	LOCK(&adb->namelocks[bucket]);
-	if (adb->name_sd[bucket]) {
-		UNLOCK(&adb->namelocks[bucket]);
-		return (result);
-	}
-
-	name = ISC_LIST_HEAD(adb->names[bucket]);
-	while (name != NULL) {
-		next_name = ISC_LIST_NEXT(name, plink);
-		INSIST(result == ISC_FALSE);
-		result = check_expire_namehooks(name, now);
-		if (!result)
-			result = check_expire_name(&name, now);
-		name = next_name;
-	}
-	UNLOCK(&adb->namelocks[bucket]);
-	return (result);
-}
-
-/*
- * ADB must be locked, and no other locks held.
- */
-static isc_boolean_t
-cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
-	dns_adbentry_t *entry, *next_entry;
-	isc_boolean_t result = ISC_FALSE;
-
-	DP(CLEAN_LEVEL, "cleaning entry bucket %d", bucket);
-
-	LOCK(&adb->entrylocks[bucket]);
-	entry = ISC_LIST_HEAD(adb->entries[bucket]);
-	while (entry != NULL) {
-		next_entry = ISC_LIST_NEXT(entry, plink);
-		INSIST(result == ISC_FALSE);
-		result = check_expire_entry(adb, &entry, now);
-		entry = next_entry;
-	}
-	UNLOCK(&adb->entrylocks[bucket]);
-	return (result);
-}
-
-static void
-destroy(dns_adb_t *adb) {
-	adb->magic = 0;
-
-	isc_task_detach(&adb->task);
-	if (adb->excl != NULL)
-		isc_task_detach(&adb->excl);
-
-	isc_mempool_destroy(&adb->nmp);
-	isc_mempool_destroy(&adb->nhmp);
-	isc_mempool_destroy(&adb->limp);
-	isc_mempool_destroy(&adb->emp);
-	isc_mempool_destroy(&adb->ahmp);
-	isc_mempool_destroy(&adb->aimp);
-	isc_mempool_destroy(&adb->afmp);
-
-	DESTROYMUTEXBLOCK(adb->entrylocks, adb->nentries);
-	isc_mem_put(adb->mctx, adb->entries,
-		    sizeof(*adb->entries) * adb->nentries);
-	isc_mem_put(adb->mctx, adb->deadentries,
-		    sizeof(*adb->deadentries) * adb->nentries);
-	isc_mem_put(adb->mctx, adb->entrylocks,
-		    sizeof(*adb->entrylocks) * adb->nentries);
-	isc_mem_put(adb->mctx, adb->entry_sd,
-		    sizeof(*adb->entry_sd) * adb->nentries);
-	isc_mem_put(adb->mctx, adb->entry_refcnt,
-		    sizeof(*adb->entry_refcnt) * adb->nentries);
-
-	DESTROYMUTEXBLOCK(adb->namelocks, adb->nnames);
-	isc_mem_put(adb->mctx, adb->names,
-		    sizeof(*adb->names) * adb->nnames);
-	isc_mem_put(adb->mctx, adb->deadnames,
-		    sizeof(*adb->deadnames) * adb->nnames);
-	isc_mem_put(adb->mctx, adb->namelocks,
-		    sizeof(*adb->namelocks) * adb->nnames);
-	isc_mem_put(adb->mctx, adb->name_sd,
-		    sizeof(*adb->name_sd) * adb->nnames);
-	isc_mem_put(adb->mctx, adb->name_refcnt,
-		    sizeof(*adb->name_refcnt) * adb->nnames);
-
-	DESTROYLOCK(&adb->reflock);
-	DESTROYLOCK(&adb->lock);
-	DESTROYLOCK(&adb->mplock);
-	DESTROYLOCK(&adb->overmemlock);
-	DESTROYLOCK(&adb->entriescntlock);
-	DESTROYLOCK(&adb->namescntlock);
-
-	isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
-}
-
-
-/*
- * Public functions.
- */
-
-isc_result_t
-dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
-	       isc_taskmgr_t *taskmgr, dns_adb_t **newadb)
-{
-	dns_adb_t *adb;
-	isc_result_t result;
-	unsigned int i;
-
-	REQUIRE(mem != NULL);
-	REQUIRE(view != NULL);
-	REQUIRE(timermgr != NULL); /* this is actually unused */
-	REQUIRE(taskmgr != NULL);
-	REQUIRE(newadb != NULL && *newadb == NULL);
-
-	UNUSED(timermgr);
-
-	adb = isc_mem_get(mem, sizeof(dns_adb_t));
-	if (adb == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/*
-	 * Initialize things here that cannot fail, and especially things
-	 * that must be NULL for the error return to work properly.
-	 */
-	adb->magic = 0;
-	adb->erefcnt = 1;
-	adb->irefcnt = 0;
-	adb->nmp = NULL;
-	adb->nhmp = NULL;
-	adb->limp = NULL;
-	adb->emp = NULL;
-	adb->ahmp = NULL;
-	adb->aimp = NULL;
-	adb->afmp = NULL;
-	adb->task = NULL;
-	adb->excl = NULL;
-	adb->mctx = NULL;
-	adb->view = view;
-	adb->taskmgr = taskmgr;
-	adb->next_cleanbucket = 0;
-	ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
-		       DNS_EVENT_ADBCONTROL, shutdown_task, adb,
-		       adb, NULL, NULL);
-	adb->cevent_sent = ISC_FALSE;
-	adb->shutting_down = ISC_FALSE;
-	ISC_LIST_INIT(adb->whenshutdown);
-
-	adb->nentries = nbuckets[0];
-	adb->entriescnt = 0;
-	adb->entries = NULL;
-	adb->deadentries = NULL;
-	adb->entry_sd = NULL;
-	adb->entry_refcnt = NULL;
-	adb->entrylocks = NULL;
-	ISC_EVENT_INIT(&adb->growentries, sizeof(adb->growentries), 0, NULL,
-		       DNS_EVENT_ADBGROWENTRIES, grow_entries, adb,
-		       adb, NULL, NULL);
-	adb->growentries_sent = ISC_FALSE;
-
-	adb->nnames = nbuckets[0];
-	adb->namescnt = 0;
-	adb->names = NULL;
-	adb->deadnames = NULL;
-	adb->name_sd = NULL;
-	adb->name_refcnt = NULL;
-	adb->namelocks = NULL;
-	ISC_EVENT_INIT(&adb->grownames, sizeof(adb->grownames), 0, NULL,
-		       DNS_EVENT_ADBGROWNAMES, grow_names, adb,
-		       adb, NULL, NULL);
-	adb->grownames_sent = ISC_FALSE;
-
-	result = isc_taskmgr_excltask(adb->taskmgr, &adb->excl);
-	if (result != ISC_R_SUCCESS) {
-		DP(ISC_LOG_INFO, "adb: task-exclusive mode unavailable, "
-				 "intializing table sizes to %u\n",
-				 nbuckets[11]);
-		adb->nentries = nbuckets[11];
-		adb->nnames= nbuckets[11];
-
-	}
-
-	isc_mem_attach(mem, &adb->mctx);
-
-	result = isc_mutex_init(&adb->lock);
-	if (result != ISC_R_SUCCESS)
-		goto fail0b;
-
-	result = isc_mutex_init(&adb->mplock);
-	if (result != ISC_R_SUCCESS)
-		goto fail0c;
-
-	result = isc_mutex_init(&adb->reflock);
-	if (result != ISC_R_SUCCESS)
-		goto fail0d;
-
-	result = isc_mutex_init(&adb->overmemlock);
-	if (result != ISC_R_SUCCESS)
-		goto fail0e;
-
-	result = isc_mutex_init(&adb->entriescntlock);
-	if (result != ISC_R_SUCCESS)
-		goto fail0f;
-
-	result = isc_mutex_init(&adb->namescntlock);
-	if (result != ISC_R_SUCCESS)
-		goto fail0g;
-
-#define ALLOCENTRY(adb, el) \
-	do { \
-		(adb)->el = isc_mem_get((adb)->mctx, \
-				     sizeof(*(adb)->el) * (adb)->nentries); \
-		if ((adb)->el == NULL) { \
-			result = ISC_R_NOMEMORY; \
-			goto fail1; \
-		}\
-	} while (0)
-	ALLOCENTRY(adb, entries);
-	ALLOCENTRY(adb, deadentries);
-	ALLOCENTRY(adb, entrylocks);
-	ALLOCENTRY(adb, entry_sd);
-	ALLOCENTRY(adb, entry_refcnt);
-#undef ALLOCENTRY
-
-#define ALLOCNAME(adb, el) \
-	do { \
-		(adb)->el = isc_mem_get((adb)->mctx, \
-				     sizeof(*(adb)->el) * (adb)->nnames); \
-		if ((adb)->el == NULL) { \
-			result = ISC_R_NOMEMORY; \
-			goto fail1; \
-		}\
-	} while (0)
-	ALLOCNAME(adb, names);
-	ALLOCNAME(adb, deadnames);
-	ALLOCNAME(adb, namelocks);
-	ALLOCNAME(adb, name_sd);
-	ALLOCNAME(adb, name_refcnt);
-#undef ALLOCNAME
-
-	/*
-	 * Initialize the bucket locks for names and elements.
-	 * May as well initialize the list heads, too.
-	 */
-	result = isc_mutexblock_init(adb->namelocks, adb->nnames);
-	if (result != ISC_R_SUCCESS)
-		goto fail1;
-	for (i = 0; i < adb->nnames; i++) {
-		ISC_LIST_INIT(adb->names[i]);
-		ISC_LIST_INIT(adb->deadnames[i]);
-		adb->name_sd[i] = ISC_FALSE;
-		adb->name_refcnt[i] = 0;
-		adb->irefcnt++;
-	}
-	for (i = 0; i < adb->nentries; i++) {
-		ISC_LIST_INIT(adb->entries[i]);
-		ISC_LIST_INIT(adb->deadentries[i]);
-		adb->entry_sd[i] = ISC_FALSE;
-		adb->entry_refcnt[i] = 0;
-		adb->irefcnt++;
-	}
-	result = isc_mutexblock_init(adb->entrylocks, adb->nentries);
-	if (result != ISC_R_SUCCESS)
-		goto fail2;
-
-	/*
-	 * Memory pools
-	 */
-#define MPINIT(t, p, n) do { \
-	result = isc_mempool_create(mem, sizeof(t), &(p)); \
-	if (result != ISC_R_SUCCESS) \
-		goto fail3; \
-	isc_mempool_setfreemax((p), FREE_ITEMS); \
-	isc_mempool_setfillcount((p), FILL_COUNT); \
-	isc_mempool_setname((p), n); \
-	isc_mempool_associatelock((p), &adb->mplock); \
-} while (0)
-
-	MPINIT(dns_adbname_t, adb->nmp, "adbname");
-	MPINIT(dns_adbnamehook_t, adb->nhmp, "adbnamehook");
-	MPINIT(dns_adblameinfo_t, adb->limp, "adblameinfo");
-	MPINIT(dns_adbentry_t, adb->emp, "adbentry");
-	MPINIT(dns_adbfind_t, adb->ahmp, "adbfind");
-	MPINIT(dns_adbaddrinfo_t, adb->aimp, "adbaddrinfo");
-	MPINIT(dns_adbfetch_t, adb->afmp, "adbfetch");
-
-#undef MPINIT
-
-	/*
-	 * Allocate an internal task.
-	 */
-	result = isc_task_create(adb->taskmgr, 0, &adb->task);
-	if (result != ISC_R_SUCCESS)
-		goto fail3;
-
-	isc_task_setname(adb->task, "ADB", adb);
-
-	/*
-	 * Normal return.
-	 */
-	adb->magic = DNS_ADB_MAGIC;
-	*newadb = adb;
-	return (ISC_R_SUCCESS);
-
- fail3:
-	if (adb->task != NULL)
-		isc_task_detach(&adb->task);
-
-	/* clean up entrylocks */
-	DESTROYMUTEXBLOCK(adb->entrylocks, adb->nentries);
-
- fail2: /* clean up namelocks */
-	DESTROYMUTEXBLOCK(adb->namelocks, adb->nnames);
-
- fail1: /* clean up only allocated memory */
-	if (adb->entries != NULL)
-		isc_mem_put(adb->mctx, adb->entries,
-			    sizeof(*adb->entries) * adb->nentries);
-	if (adb->deadentries != NULL)
-		isc_mem_put(adb->mctx, adb->deadentries,
-			    sizeof(*adb->deadentries) * adb->nentries);
-	if (adb->entrylocks != NULL)
-		isc_mem_put(adb->mctx, adb->entrylocks,
-			    sizeof(*adb->entrylocks) * adb->nentries);
-	if (adb->entry_sd != NULL)
-		isc_mem_put(adb->mctx, adb->entry_sd,
-			    sizeof(*adb->entry_sd) * adb->nentries);
-	if (adb->entry_refcnt != NULL)
-		isc_mem_put(adb->mctx, adb->entry_refcnt,
-			    sizeof(*adb->entry_refcnt) * adb->nentries);
-	if (adb->names != NULL)
-		isc_mem_put(adb->mctx, adb->names,
-			    sizeof(*adb->names) * adb->nnames);
-	if (adb->deadnames != NULL)
-		isc_mem_put(adb->mctx, adb->deadnames,
-			    sizeof(*adb->deadnames) * adb->nnames);
-	if (adb->namelocks != NULL)
-		isc_mem_put(adb->mctx, adb->namelocks,
-			    sizeof(*adb->namelocks) * adb->nnames);
-	if (adb->name_sd != NULL)
-		isc_mem_put(adb->mctx, adb->name_sd,
-			    sizeof(*adb->name_sd) * adb->nnames);
-	if (adb->name_refcnt != NULL)
-		isc_mem_put(adb->mctx, adb->name_refcnt,
-			    sizeof(*adb->name_refcnt) * adb->nnames);
-	if (adb->nmp != NULL)
-		isc_mempool_destroy(&adb->nmp);
-	if (adb->nhmp != NULL)
-		isc_mempool_destroy(&adb->nhmp);
-	if (adb->limp != NULL)
-		isc_mempool_destroy(&adb->limp);
-	if (adb->emp != NULL)
-		isc_mempool_destroy(&adb->emp);
-	if (adb->ahmp != NULL)
-		isc_mempool_destroy(&adb->ahmp);
-	if (adb->aimp != NULL)
-		isc_mempool_destroy(&adb->aimp);
-	if (adb->afmp != NULL)
-		isc_mempool_destroy(&adb->afmp);
-
-	DESTROYLOCK(&adb->namescntlock);
- fail0g:
-	DESTROYLOCK(&adb->entriescntlock);
- fail0f:
-	DESTROYLOCK(&adb->overmemlock);
- fail0e:
-	DESTROYLOCK(&adb->reflock);
- fail0d:
-	DESTROYLOCK(&adb->mplock);
- fail0c:
-	DESTROYLOCK(&adb->lock);
- fail0b:
-	isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
-
-	return (result);
-}
-
-void
-dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbx) {
-
-	REQUIRE(DNS_ADB_VALID(adb));
-	REQUIRE(adbx != NULL && *adbx == NULL);
-
-	inc_adb_erefcnt(adb);
-	*adbx = adb;
-}
-
-void
-dns_adb_detach(dns_adb_t **adbx) {
-	dns_adb_t *adb;
-	isc_boolean_t need_exit_check;
-
-	REQUIRE(adbx != NULL && DNS_ADB_VALID(*adbx));
-
-	adb = *adbx;
-	*adbx = NULL;
-
-	INSIST(adb->erefcnt > 0);
-
-	LOCK(&adb->reflock);
-	adb->erefcnt--;
-	need_exit_check = ISC_TF(adb->erefcnt == 0 && adb->irefcnt == 0);
-	UNLOCK(&adb->reflock);
-
-	if (need_exit_check) {
-		LOCK(&adb->lock);
-		INSIST(adb->shutting_down);
-		check_exit(adb);
-		UNLOCK(&adb->lock);
-	}
-}
-
-void
-dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) {
-	isc_task_t *clone;
-	isc_event_t *event;
-	isc_boolean_t zeroirefcnt = ISC_FALSE;
-
-	/*
-	 * Send '*eventp' to 'task' when 'adb' has shutdown.
-	 */
-
-	REQUIRE(DNS_ADB_VALID(adb));
-	REQUIRE(eventp != NULL);
-
-	event = *eventp;
-	*eventp = NULL;
-
-	LOCK(&adb->lock);
-
-	LOCK(&adb->reflock);
-	zeroirefcnt = ISC_TF(adb->irefcnt == 0);
-
-	if (adb->shutting_down && zeroirefcnt &&
-	    isc_mempool_getallocated(adb->ahmp) == 0) {
-		/*
-		 * We're already shutdown.  Send the event.
-		 */
-		event->ev_sender = adb;
-		isc_task_send(task, &event);
-	} else {
-		clone = NULL;
-		isc_task_attach(task, &clone);
-		event->ev_sender = clone;
-		ISC_LIST_APPEND(adb->whenshutdown, event, ev_link);
-	}
-
-	UNLOCK(&adb->reflock);
-	UNLOCK(&adb->lock);
-}
-
-void
-dns_adb_shutdown(dns_adb_t *adb) {
-	isc_boolean_t need_check_exit;
-
-	/*
-	 * Shutdown 'adb'.
-	 */
-
-	LOCK(&adb->lock);
-
-	if (!adb->shutting_down) {
-		adb->shutting_down = ISC_TRUE;
-		isc_mem_setwater(adb->mctx, water, adb, 0, 0);
-		need_check_exit = shutdown_names(adb);
-		if (!need_check_exit)
-			need_check_exit = shutdown_entries(adb);
-		if (need_check_exit)
-			check_exit(adb);
-	}
-
-	UNLOCK(&adb->lock);
-}
-
-isc_result_t
-dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
-		   void *arg, dns_name_t *name, dns_name_t *qname,
-		   dns_rdatatype_t qtype, unsigned int options,
-		   isc_stdtime_t now, dns_name_t *target,
-		   in_port_t port, dns_adbfind_t **findp)
-{
-	dns_adbfind_t *find;
-	dns_adbname_t *adbname;
-	int bucket;
-	isc_boolean_t want_event, start_at_zone, alias, have_address;
-	isc_result_t result;
-	unsigned int wanted_addresses;
-	unsigned int wanted_fetches;
-	unsigned int query_pending;
-
-	REQUIRE(DNS_ADB_VALID(adb));
-	if (task != NULL) {
-		REQUIRE(action != NULL);
-	}
-	REQUIRE(name != NULL);
-	REQUIRE(qname != NULL);
-	REQUIRE(findp != NULL && *findp == NULL);
-	REQUIRE(target == NULL || dns_name_hasbuffer(target));
-
-	REQUIRE((options & DNS_ADBFIND_ADDRESSMASK) != 0);
-
-	result = ISC_R_UNEXPECTED;
-	POST(result);
-	wanted_addresses = (options & DNS_ADBFIND_ADDRESSMASK);
-	wanted_fetches = 0;
-	query_pending = 0;
-	want_event = ISC_FALSE;
-	start_at_zone = ISC_FALSE;
-	alias = ISC_FALSE;
-
-	if (now == 0)
-		isc_stdtime_get(&now);
-
-	/*
-	 * XXXMLG  Move this comment somewhere else!
-	 *
-	 * Look up the name in our internal database.
-	 *
-	 * Possibilities:  Note that these are not always exclusive.
-	 *
-	 *      No name found.  In this case, allocate a new name header and
-	 *      an initial namehook or two.  If any of these allocations
-	 *      fail, clean up and return ISC_R_NOMEMORY.
-	 *
-	 *      Name found, valid addresses present.  Allocate one addrinfo
-	 *      structure for each found and append it to the linked list
-	 *      of addresses for this header.
-	 *
-	 *      Name found, queries pending.  In this case, if a task was
-	 *      passed in, allocate a job id, attach it to the name's job
-	 *      list and remember to tell the caller that there will be
-	 *      more info coming later.
-	 */
-
-	find = new_adbfind(adb);
-	if (find == NULL)
-		return (ISC_R_NOMEMORY);
-
-	find->port = port;
-
-	/*
-	 * Remember what types of addresses we are interested in.
-	 */
-	find->options = options;
-	find->flags |= wanted_addresses;
-	if (FIND_WANTEVENT(find)) {
-		REQUIRE(task != NULL);
-	}
-
-	/*
-	 * Try to see if we know anything about this name at all.
-	 */
-	bucket = DNS_ADB_INVALIDBUCKET;
-	adbname = find_name_and_lock(adb, name, find->options, &bucket);
-	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
-	if (adb->name_sd[bucket]) {
-		DP(DEF_LEVEL,
-		   "dns_adb_createfind: returning ISC_R_SHUTTINGDOWN");
-		RUNTIME_CHECK(free_adbfind(adb, &find) == ISC_FALSE);
-		result = ISC_R_SHUTTINGDOWN;
-		goto out;
-	}
-
-	/*
-	 * Nothing found.  Allocate a new adbname structure for this name.
-	 */
-	if (adbname == NULL) {
-		/*
-		 * See if there is any stale name at the end of list, and purge
-		 * it if so.
-		 */
-		check_stale_name(adb, bucket, now);
-
-		adbname = new_adbname(adb, name);
-		if (adbname == NULL) {
-			RUNTIME_CHECK(free_adbfind(adb, &find) == ISC_FALSE);
-			result = ISC_R_NOMEMORY;
-			goto out;
-		}
-		link_name(adb, bucket, adbname);
-		if (FIND_HINTOK(find))
-			adbname->flags |= NAME_HINT_OK;
-		if (FIND_GLUEOK(find))
-			adbname->flags |= NAME_GLUE_OK;
-		if (FIND_STARTATZONE(find))
-			adbname->flags |= NAME_STARTATZONE;
-	} else {
-		/* Move this name forward in the LRU list */
-		ISC_LIST_UNLINK(adb->names[bucket], adbname, plink);
-		ISC_LIST_PREPEND(adb->names[bucket], adbname, plink);
-	}
-	adbname->last_used = now;
-
-	/*
-	 * Expire old entries, etc.
-	 */
-	RUNTIME_CHECK(check_expire_namehooks(adbname, now) == ISC_FALSE);
-
-	/*
-	 * Do we know that the name is an alias?
-	 */
-	if (!EXPIRE_OK(adbname->expire_target, now)) {
-		/*
-		 * Yes, it is.
-		 */
-		DP(DEF_LEVEL,
-		   "dns_adb_createfind: name %p is an alias (cached)",
-		   adbname);
-		alias = ISC_TRUE;
-		goto post_copy;
-	}
-
-	/*
-	 * Try to populate the name from the database and/or
-	 * start fetches.  First try looking for an A record
-	 * in the database.
-	 */
-	if (!NAME_HAS_V4(adbname) && EXPIRE_OK(adbname->expire_v4, now)
-	    && WANT_INET(wanted_addresses)) {
-		result = dbfind_name(adbname, now, dns_rdatatype_a);
-		if (result == ISC_R_SUCCESS) {
-			DP(DEF_LEVEL,
-			   "dns_adb_createfind: found A for name %p in db",
-			   adbname);
-			goto v6;
-		}
-
-		/*
-		 * Did we get a CNAME or DNAME?
-		 */
-		if (result == DNS_R_ALIAS) {
-			DP(DEF_LEVEL,
-			   "dns_adb_createfind: name %p is an alias",
-			   adbname);
-			alias = ISC_TRUE;
-			goto post_copy;
-		}
-
-		/*
-		 * If the name doesn't exist at all, don't bother with
-		 * v6 queries; they won't work.
-		 *
-		 * If the name does exist but we didn't get our data, go
-		 * ahead and try AAAA.
-		 *
-		 * If the result is neither of these, try a fetch for A.
-		 */
-		if (NXDOMAIN_RESULT(result))
-			goto fetch;
-		else if (NXRRSET_RESULT(result))
-			goto v6;
-
-		if (!NAME_FETCH_V4(adbname))
-			wanted_fetches |= DNS_ADBFIND_INET;
-	}
-
- v6:
-	if (!NAME_HAS_V6(adbname) && EXPIRE_OK(adbname->expire_v6, now)
-	    && WANT_INET6(wanted_addresses)) {
-		result = dbfind_name(adbname, now, dns_rdatatype_aaaa);
-		if (result == ISC_R_SUCCESS) {
-			DP(DEF_LEVEL,
-			   "dns_adb_createfind: found AAAA for name %p",
-			   adbname);
-			goto fetch;
-		}
-
-		/*
-		 * Did we get a CNAME or DNAME?
-		 */
-		if (result == DNS_R_ALIAS) {
-			DP(DEF_LEVEL,
-			   "dns_adb_createfind: name %p is an alias",
-			   adbname);
-			alias = ISC_TRUE;
-			goto post_copy;
-		}
-
-		/*
-		 * Listen to negative cache hints, and don't start
-		 * another query.
-		 */
-		if (NCACHE_RESULT(result) || AUTH_NX(result))
-			goto fetch;
-
-		if (!NAME_FETCH_V6(adbname))
-			wanted_fetches |= DNS_ADBFIND_INET6;
-	}
-
- fetch:
-	if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
-	    (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
-		have_address = ISC_TRUE;
-	else
-		have_address = ISC_FALSE;
-	if (wanted_fetches != 0 &&
-	    ! (FIND_AVOIDFETCHES(find) && have_address)) {
-		/*
-		 * We're missing at least one address family.  Either the
-		 * caller hasn't instructed us to avoid fetches, or we don't
-		 * know anything about any of the address families that would
-		 * be acceptable so we have to launch fetches.
-		 */
-
-		if (FIND_STARTATZONE(find))
-			start_at_zone = ISC_TRUE;
-
-		/*
-		 * Start V4.
-		 */
-		if (WANT_INET(wanted_fetches) &&
-		    fetch_name(adbname, start_at_zone,
-			       dns_rdatatype_a) == ISC_R_SUCCESS) {
-			DP(DEF_LEVEL,
-			   "dns_adb_createfind: started A fetch for name %p",
-			   adbname);
-		}
-
-		/*
-		 * Start V6.
-		 */
-		if (WANT_INET6(wanted_fetches) &&
-		    fetch_name(adbname, start_at_zone,
-			       dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
-			DP(DEF_LEVEL,
-			   "dns_adb_createfind: "
-			   "started AAAA fetch for name %p",
-			   adbname);
-		}
-	}
-
-	/*
-	 * Run through the name and copy out the bits we are
-	 * interested in.
-	 */
-	copy_namehook_lists(adb, find, qname, qtype, adbname, now);
-
- post_copy:
-	if (NAME_FETCH_V4(adbname))
-		query_pending |= DNS_ADBFIND_INET;
-	if (NAME_FETCH_V6(adbname))
-		query_pending |= DNS_ADBFIND_INET6;
-
-	/*
-	 * Attach to the name's query list if there are queries
-	 * already running, and we have been asked to.
-	 */
-	want_event = ISC_TRUE;
-	if (!FIND_WANTEVENT(find))
-		want_event = ISC_FALSE;
-	if (FIND_WANTEMPTYEVENT(find) && FIND_HAS_ADDRS(find))
-		want_event = ISC_FALSE;
-	if ((wanted_addresses & query_pending) == 0)
-		want_event = ISC_FALSE;
-	if (alias)
-		want_event = ISC_FALSE;
-	if (want_event) {
-		find->adbname = adbname;
-		find->name_bucket = bucket;
-		ISC_LIST_APPEND(adbname->finds, find, plink);
-		find->query_pending = (query_pending & wanted_addresses);
-		find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
-		find->flags |= (find->query_pending & DNS_ADBFIND_ADDRESSMASK);
-		DP(DEF_LEVEL, "createfind: attaching find %p to adbname %p",
-		   find, adbname);
-	} else {
-		/*
-		 * Remove the flag so the caller knows there will never
-		 * be an event, and set internal flags to fake that
-		 * the event was sent and freed, so dns_adb_destroyfind() will
-		 * do the right thing.
-		 */
-		find->query_pending = (query_pending & wanted_addresses);
-		find->options &= ~DNS_ADBFIND_WANTEVENT;
-		find->flags |= (FIND_EVENT_SENT | FIND_EVENT_FREED);
-		find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
-	}
-
-	find->partial_result |= (adbname->partial_result & wanted_addresses);
-	if (alias) {
-		if (target != NULL) {
-			result = dns_name_copy(&adbname->target, target, NULL);
-			if (result != ISC_R_SUCCESS)
-				goto out;
-		}
-		result = DNS_R_ALIAS;
-	} else
-		result = ISC_R_SUCCESS;
-
-	/*
-	 * Copy out error flags from the name structure into the find.
-	 */
-	find->result_v4 = find_err_map[adbname->fetch_err];
-	find->result_v6 = find_err_map[adbname->fetch6_err];
-
- out:
-	if (find != NULL) {
-		*findp = find;
-
-		if (want_event) {
-			isc_task_t *taskp;
-
-			INSIST((find->flags & DNS_ADBFIND_ADDRESSMASK) != 0);
-			taskp = NULL;
-			isc_task_attach(task, &taskp);
-			find->event.ev_sender = taskp;
-			find->event.ev_action = action;
-			find->event.ev_arg = arg;
-		}
-	}
-
-	UNLOCK(&adb->namelocks[bucket]);
-
-	return (result);
-}
-
-void
-dns_adb_destroyfind(dns_adbfind_t **findp) {
-	dns_adbfind_t *find;
-	dns_adbentry_t *entry;
-	dns_adbaddrinfo_t *ai;
-	int bucket;
-	dns_adb_t *adb;
-	isc_boolean_t overmem;
-
-	REQUIRE(findp != NULL && DNS_ADBFIND_VALID(*findp));
-	find = *findp;
-	*findp = NULL;
-
-	LOCK(&find->lock);
-
-	DP(DEF_LEVEL, "dns_adb_destroyfind on find %p", find);
-
-	adb = find->adb;
-	REQUIRE(DNS_ADB_VALID(adb));
-
-	REQUIRE(FIND_EVENTFREED(find));
-
-	bucket = find->name_bucket;
-	INSIST(bucket == DNS_ADB_INVALIDBUCKET);
-
-	UNLOCK(&find->lock);
-
-	/*
-	 * The find doesn't exist on any list, and nothing is locked.
-	 * Return the find to the memory pool, and decrement the adb's
-	 * reference count.
-	 */
-	overmem = isc_mem_isovermem(adb->mctx);
-	ai = ISC_LIST_HEAD(find->list);
-	while (ai != NULL) {
-		ISC_LIST_UNLINK(find->list, ai, publink);
-		entry = ai->entry;
-		ai->entry = NULL;
-		INSIST(DNS_ADBENTRY_VALID(entry));
-		RUNTIME_CHECK(dec_entry_refcnt(adb, overmem, entry, ISC_TRUE) ==
-			      ISC_FALSE);
-		free_adbaddrinfo(adb, &ai);
-		ai = ISC_LIST_HEAD(find->list);
-	}
-
-	/*
-	 * WARNING:  The find is freed with the adb locked.  This is done
-	 * to avoid a race condition where we free the find, some other
-	 * thread tests to see if it should be destroyed, detects it should
-	 * be, destroys it, and then we try to lock it for our check, but the
-	 * lock is destroyed.
-	 */
-	LOCK(&adb->lock);
-	if (free_adbfind(adb, &find))
-		check_exit(adb);
-	UNLOCK(&adb->lock);
-}
-
-void
-dns_adb_cancelfind(dns_adbfind_t *find) {
-	isc_event_t *ev;
-	isc_task_t *task;
-	dns_adb_t *adb;
-	int bucket;
-	int unlock_bucket;
-
-	LOCK(&find->lock);
-
-	DP(DEF_LEVEL, "dns_adb_cancelfind on find %p", find);
-
-	adb = find->adb;
-	REQUIRE(DNS_ADB_VALID(adb));
-
-	REQUIRE(!FIND_EVENTFREED(find));
-	REQUIRE(FIND_WANTEVENT(find));
-
-	bucket = find->name_bucket;
-	if (bucket == DNS_ADB_INVALIDBUCKET)
-		goto cleanup;
-
-	/*
-	 * We need to get the adbname's lock to unlink the find.
-	 */
-	unlock_bucket = bucket;
-	violate_locking_hierarchy(&find->lock, &adb->namelocks[unlock_bucket]);
-	bucket = find->name_bucket;
-	if (bucket != DNS_ADB_INVALIDBUCKET) {
-		ISC_LIST_UNLINK(find->adbname->finds, find, plink);
-		find->adbname = NULL;
-		find->name_bucket = DNS_ADB_INVALIDBUCKET;
-	}
-	UNLOCK(&adb->namelocks[unlock_bucket]);
-	bucket = DNS_ADB_INVALIDBUCKET;
-	POST(bucket);
-
- cleanup:
-
-	if (!FIND_EVENTSENT(find)) {
-		ev = &find->event;
-		task = ev->ev_sender;
-		ev->ev_sender = find;
-		ev->ev_type = DNS_EVENT_ADBCANCELED;
-		ev->ev_destroy = event_free;
-		ev->ev_destroy_arg = find;
-		find->result_v4 = ISC_R_CANCELED;
-		find->result_v6 = ISC_R_CANCELED;
-
-		DP(DEF_LEVEL, "sending event %p to task %p for find %p",
-		   ev, task, find);
-
-		isc_task_sendanddetach(&task, (isc_event_t **)&ev);
-	}
-
-	UNLOCK(&find->lock);
-}
-
-void
-dns_adb_dump(dns_adb_t *adb, FILE *f) {
-	unsigned int i;
-	isc_stdtime_t now;
-
-	REQUIRE(DNS_ADB_VALID(adb));
-	REQUIRE(f != NULL);
-
-	/*
-	 * Lock the adb itself, lock all the name buckets, then lock all
-	 * the entry buckets.  This should put the adb into a state where
-	 * nothing can change, so we can iterate through everything and
-	 * print at our leisure.
-	 */
-
-	LOCK(&adb->lock);
-	isc_stdtime_get(&now);
-
-	for (i = 0; i < adb->nnames; i++)
-		RUNTIME_CHECK(cleanup_names(adb, i, now) == ISC_FALSE);
-	for (i = 0; i < adb->nentries; i++)
-		RUNTIME_CHECK(cleanup_entries(adb, i, now) == ISC_FALSE);
-
-	dump_adb(adb, f, ISC_FALSE, now);
-	UNLOCK(&adb->lock);
-}
-
-static void
-dump_ttl(FILE *f, const char *legend, isc_stdtime_t value, isc_stdtime_t now) {
-	if (value == INT_MAX)
-		return;
-	fprintf(f, " [%s TTL %d]", legend, value - now);
-}
-
-static void
-dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug, isc_stdtime_t now) {
-	unsigned int i;
-	dns_adbname_t *name;
-	dns_adbentry_t *entry;
-
-	fprintf(f, ";\n; Address database dump\n;\n");
-	if (debug)
-		fprintf(f, "; addr %p, erefcnt %u, irefcnt %u, finds out %u\n",
-			adb, adb->erefcnt, adb->irefcnt,
-			isc_mempool_getallocated(adb->nhmp));
-
-	for (i = 0; i < adb->nnames; i++)
-		LOCK(&adb->namelocks[i]);
-	for (i = 0; i < adb->nentries; i++)
-		LOCK(&adb->entrylocks[i]);
-
-	/*
-	 * Dump the names
-	 */
-	for (i = 0; i < adb->nnames; i++) {
-		name = ISC_LIST_HEAD(adb->names[i]);
-		if (name == NULL)
-			continue;
-		if (debug)
-			fprintf(f, "; bucket %d\n", i);
-		for (;
-		     name != NULL;
-		     name = ISC_LIST_NEXT(name, plink))
-		{
-			if (debug)
-				fprintf(f, "; name %p (flags %08x)\n",
-					name, name->flags);
-
-			fprintf(f, "; ");
-			print_dns_name(f, &name->name);
-			if (dns_name_countlabels(&name->target) > 0) {
-				fprintf(f, " alias ");
-				print_dns_name(f, &name->target);
-			}
-
-			dump_ttl(f, "v4", name->expire_v4, now);
-			dump_ttl(f, "v6", name->expire_v6, now);
-			dump_ttl(f, "target", name->expire_target, now);
-
-			fprintf(f, " [v4 %s] [v6 %s]",
-				errnames[name->fetch_err],
-				errnames[name->fetch6_err]);
-
-			fprintf(f, "\n");
-
-			print_namehook_list(f, "v4", &name->v4, debug, now);
-			print_namehook_list(f, "v6", &name->v6, debug, now);
-
-			if (debug)
-				print_fetch_list(f, name);
-			if (debug)
-				print_find_list(f, name);
-
-		}
-	}
-
-	fprintf(f, ";\n; Unassociated entries\n;\n");
-
-	for (i = 0; i < adb->nentries; i++) {
-		entry = ISC_LIST_HEAD(adb->entries[i]);
-		while (entry != NULL) {
-			if (entry->refcnt == 0)
-				dump_entry(f, entry, debug, now);
-			entry = ISC_LIST_NEXT(entry, plink);
-		}
-	}
-
-	/*
-	 * Unlock everything
-	 */
-	for (i = 0; i < adb->nentries; i++)
-		UNLOCK(&adb->entrylocks[i]);
-	for (i = 0; i < adb->nnames; i++)
-		UNLOCK(&adb->namelocks[i]);
-}
-
-static void
-dump_entry(FILE *f, dns_adbentry_t *entry, isc_boolean_t debug,
-	   isc_stdtime_t now)
-{
-	char addrbuf[ISC_NETADDR_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	isc_netaddr_t netaddr;
-	dns_adblameinfo_t *li;
-
-	isc_netaddr_fromsockaddr(&netaddr, &entry->sockaddr);
-	isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
-
-	if (debug)
-		fprintf(f, ";\t%p: refcnt %u\n", entry, entry->refcnt);
-
-	fprintf(f, ";\t%s [srtt %u] [flags %08x]",
-		addrbuf, entry->srtt, entry->flags);
-	if (entry->expires != 0)
-		fprintf(f, " [ttl %d]", entry->expires - now);
-	fprintf(f, "\n");
-	for (li = ISC_LIST_HEAD(entry->lameinfo);
-	     li != NULL;
-	     li = ISC_LIST_NEXT(li, plink)) {
-		fprintf(f, ";\t\t");
-		print_dns_name(f, &li->qname);
-		dns_rdatatype_format(li->qtype, typebuf, sizeof(typebuf));
-		fprintf(f, " %s [lame TTL %d]\n", typebuf,
-			li->lame_timer - now);
-	}
-}
-
-void
-dns_adb_dumpfind(dns_adbfind_t *find, FILE *f) {
-	char tmp[512];
-	const char *tmpp;
-	dns_adbaddrinfo_t *ai;
-	isc_sockaddr_t *sa;
-
-	/*
-	 * Not used currently, in the API Just In Case we
-	 * want to dump out the name and/or entries too.
-	 */
-
-	LOCK(&find->lock);
-
-	fprintf(f, ";Find %p\n", find);
-	fprintf(f, ";\tqpending %08x partial %08x options %08x flags %08x\n",
-		find->query_pending, find->partial_result,
-		find->options, find->flags);
-	fprintf(f, ";\tname_bucket %d, name %p, event sender %p\n",
-		find->name_bucket, find->adbname, find->event.ev_sender);
-
-	ai = ISC_LIST_HEAD(find->list);
-	if (ai != NULL)
-		fprintf(f, "\tAddresses:\n");
-	while (ai != NULL) {
-		sa = &ai->sockaddr;
-		switch (sa->type.sa.sa_family) {
-		case AF_INET:
-			tmpp = inet_ntop(AF_INET, &sa->type.sin.sin_addr,
-					 tmp, sizeof(tmp));
-			break;
-		case AF_INET6:
-			tmpp = inet_ntop(AF_INET6, &sa->type.sin6.sin6_addr,
-					 tmp, sizeof(tmp));
-			break;
-		default:
-			tmpp = "UnkFamily";
-		}
-
-		if (tmpp == NULL)
-			tmpp = "BadAddress";
-
-		fprintf(f, "\t\tentry %p, flags %08x"
-			" srtt %u addr %s\n",
-			ai->entry, ai->flags, ai->srtt, tmpp);
-
-		ai = ISC_LIST_NEXT(ai, publink);
-	}
-
-	UNLOCK(&find->lock);
-}
-
-static void
-print_dns_name(FILE *f, dns_name_t *name) {
-	char buf[DNS_NAME_FORMATSIZE];
-
-	INSIST(f != NULL);
-
-	dns_name_format(name, buf, sizeof(buf));
-	fprintf(f, "%s", buf);
-}
-
-static void
-print_namehook_list(FILE *f, const char *legend, dns_adbnamehooklist_t *list,
-		    isc_boolean_t debug, isc_stdtime_t now)
-{
-	dns_adbnamehook_t *nh;
-
-	for (nh = ISC_LIST_HEAD(*list);
-	     nh != NULL;
-	     nh = ISC_LIST_NEXT(nh, plink))
-	{
-		if (debug)
-			fprintf(f, ";\tHook(%s) %p\n", legend, nh);
-		dump_entry(f, nh->entry, debug, now);
-	}
-}
-
-static inline void
-print_fetch(FILE *f, dns_adbfetch_t *ft, const char *type) {
-	fprintf(f, "\t\tFetch(%s): %p -> { fetch %p }\n",
-		type, ft, ft->fetch);
-}
-
-static void
-print_fetch_list(FILE *f, dns_adbname_t *n) {
-	if (NAME_FETCH_A(n))
-		print_fetch(f, n->fetch_a, "A");
-	if (NAME_FETCH_AAAA(n))
-		print_fetch(f, n->fetch_aaaa, "AAAA");
-}
-
-static void
-print_find_list(FILE *f, dns_adbname_t *name) {
-	dns_adbfind_t *find;
-
-	find = ISC_LIST_HEAD(name->finds);
-	while (find != NULL) {
-		dns_adb_dumpfind(find, f);
-		find = ISC_LIST_NEXT(find, plink);
-	}
-}
-
-static isc_result_t
-dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
-{
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	dns_adb_t *adb;
-	dns_fixedname_t foundname;
-	dns_name_t *fname;
-
-	INSIST(DNS_ADBNAME_VALID(adbname));
-	adb = adbname->adb;
-	INSIST(DNS_ADB_VALID(adb));
-	INSIST(rdtype == dns_rdatatype_a || rdtype == dns_rdatatype_aaaa);
-
-	dns_fixedname_init(&foundname);
-	fname = dns_fixedname_name(&foundname);
-	dns_rdataset_init(&rdataset);
-
-	if (rdtype == dns_rdatatype_a)
-		adbname->fetch_err = FIND_ERR_UNEXPECTED;
-	else
-		adbname->fetch6_err = FIND_ERR_UNEXPECTED;
-
-	/*
-	 * We need to specify whether to search static-stub zones (if
-	 * configured) depending on whether this is a "start at zone" lookup,
-	 * i.e., whether it's a "bailiwick" glue.  If it's bailiwick (in which
-	 * case NAME_STARTATZONE is set) we need to stop the search at any
-	 * matching static-stub zone without looking into the cache to honor
-	 * the configuration on which server we should send queries to.
-	 */
-	result = dns_view_find2(adb->view, &adbname->name, rdtype, now,
-				NAME_GLUEOK(adbname) ? DNS_DBFIND_GLUEOK : 0,
-				ISC_TF(NAME_HINTOK(adbname)),
-				(adbname->flags & NAME_STARTATZONE) != 0 ?
-				ISC_TRUE : ISC_FALSE,
-				NULL, NULL, fname, &rdataset, NULL);
-
-	/* XXXVIX this switch statement is too sparse to gen a jump table. */
-	switch (result) {
-	case DNS_R_GLUE:
-	case DNS_R_HINT:
-	case ISC_R_SUCCESS:
-		/*
-		 * Found in the database.  Even if we can't copy out
-		 * any information, return success, or else a fetch
-		 * will be made, which will only make things worse.
-		 */
-		if (rdtype == dns_rdatatype_a)
-			adbname->fetch_err = FIND_ERR_SUCCESS;
-		else
-			adbname->fetch6_err = FIND_ERR_SUCCESS;
-		result = import_rdataset(adbname, &rdataset, now);
-		break;
-	case DNS_R_NXDOMAIN:
-	case DNS_R_NXRRSET:
-		/*
-		 * We're authoritative and the data doesn't exist.
-		 * Make up a negative cache entry so we don't ask again
-		 * for a while.
-		 *
-		 * XXXRTH  What time should we use?  I'm putting in 30 seconds
-		 * for now.
-		 */
-		if (rdtype == dns_rdatatype_a) {
-			adbname->expire_v4 = now + 30;
-			DP(NCACHE_LEVEL,
-			   "adb name %p: Caching auth negative entry for A",
-			   adbname);
-			if (result == DNS_R_NXDOMAIN)
-				adbname->fetch_err = FIND_ERR_NXDOMAIN;
-			else
-				adbname->fetch_err = FIND_ERR_NXRRSET;
-		} else {
-			DP(NCACHE_LEVEL,
-			   "adb name %p: Caching auth negative entry for AAAA",
-			   adbname);
-			adbname->expire_v6 = now + 30;
-			if (result == DNS_R_NXDOMAIN)
-				adbname->fetch6_err = FIND_ERR_NXDOMAIN;
-			else
-				adbname->fetch6_err = FIND_ERR_NXRRSET;
-		}
-		break;
-	case DNS_R_NCACHENXDOMAIN:
-	case DNS_R_NCACHENXRRSET:
-		/*
-		 * We found a negative cache entry.  Pull the TTL from it
-		 * so we won't ask again for a while.
-		 */
-		rdataset.ttl = ttlclamp(rdataset.ttl);
-		if (rdtype == dns_rdatatype_a) {
-			adbname->expire_v4 = rdataset.ttl + now;
-			if (result == DNS_R_NCACHENXDOMAIN)
-				adbname->fetch_err = FIND_ERR_NXDOMAIN;
-			else
-				adbname->fetch_err = FIND_ERR_NXRRSET;
-			DP(NCACHE_LEVEL,
-			  "adb name %p: Caching negative entry for A (ttl %u)",
-			   adbname, rdataset.ttl);
-		} else {
-			DP(NCACHE_LEVEL,
-		       "adb name %p: Caching negative entry for AAAA (ttl %u)",
-			   adbname, rdataset.ttl);
-			adbname->expire_v6 = rdataset.ttl + now;
-			if (result == DNS_R_NCACHENXDOMAIN)
-				adbname->fetch6_err = FIND_ERR_NXDOMAIN;
-			else
-				adbname->fetch6_err = FIND_ERR_NXRRSET;
-		}
-		break;
-	case DNS_R_CNAME:
-	case DNS_R_DNAME:
-		/*
-		 * Clear the hint and glue flags, so this will match
-		 * more often.
-		 */
-		adbname->flags &= ~(DNS_ADBFIND_GLUEOK | DNS_ADBFIND_HINTOK);
-
-		rdataset.ttl = ttlclamp(rdataset.ttl);
-		clean_target(adb, &adbname->target);
-		adbname->expire_target = INT_MAX;
-		result = set_target(adb, &adbname->name, fname, &rdataset,
-				    &adbname->target);
-		if (result == ISC_R_SUCCESS) {
-			result = DNS_R_ALIAS;
-			DP(NCACHE_LEVEL,
-			   "adb name %p: caching alias target",
-			   adbname);
-			adbname->expire_target = rdataset.ttl + now;
-		}
-		if (rdtype == dns_rdatatype_a)
-			adbname->fetch_err = FIND_ERR_SUCCESS;
-		else
-			adbname->fetch6_err = FIND_ERR_SUCCESS;
-		break;
-	}
-
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-
-	return (result);
-}
-
-static void
-fetch_callback(isc_task_t *task, isc_event_t *ev) {
-	dns_fetchevent_t *dev;
-	dns_adbname_t *name;
-	dns_adb_t *adb;
-	dns_adbfetch_t *fetch;
-	int bucket;
-	isc_eventtype_t ev_status;
-	isc_stdtime_t now;
-	isc_result_t result;
-	unsigned int address_type;
-	isc_boolean_t want_check_exit = ISC_FALSE;
-
-	UNUSED(task);
-
-	INSIST(ev->ev_type == DNS_EVENT_FETCHDONE);
-	dev = (dns_fetchevent_t *)ev;
-	name = ev->ev_arg;
-	INSIST(DNS_ADBNAME_VALID(name));
-	adb = name->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	bucket = name->lock_bucket;
-	LOCK(&adb->namelocks[bucket]);
-
-	INSIST(NAME_FETCH_A(name) || NAME_FETCH_AAAA(name));
-	address_type = 0;
-	if (NAME_FETCH_A(name) && (name->fetch_a->fetch == dev->fetch)) {
-		address_type = DNS_ADBFIND_INET;
-		fetch = name->fetch_a;
-		name->fetch_a = NULL;
-	} else if (NAME_FETCH_AAAA(name)
-		   && (name->fetch_aaaa->fetch == dev->fetch)) {
-		address_type = DNS_ADBFIND_INET6;
-		fetch = name->fetch_aaaa;
-		name->fetch_aaaa = NULL;
-	} else
-		fetch = NULL;
-
-	INSIST(address_type != 0 && fetch != NULL);
-
-	dns_resolver_destroyfetch(&fetch->fetch);
-	dev->fetch = NULL;
-
-	ev_status = DNS_EVENT_ADBNOMOREADDRESSES;
-
-	/*
-	 * Cleanup things we don't care about.
-	 */
-	if (dev->node != NULL)
-		dns_db_detachnode(dev->db, &dev->node);
-	if (dev->db != NULL)
-		dns_db_detach(&dev->db);
-
-	/*
-	 * If this name is marked as dead, clean up, throwing away
-	 * potentially good data.
-	 */
-	if (NAME_DEAD(name)) {
-		free_adbfetch(adb, &fetch);
-		isc_event_free(&ev);
-
-		want_check_exit = kill_name(&name, DNS_EVENT_ADBCANCELED);
-
-		UNLOCK(&adb->namelocks[bucket]);
-
-		if (want_check_exit) {
-			LOCK(&adb->lock);
-			check_exit(adb);
-			UNLOCK(&adb->lock);
-		}
-
-		return;
-	}
-
-	isc_stdtime_get(&now);
-
-	/*
-	 * If we got a negative cache response, remember it.
-	 */
-	if (NCACHE_RESULT(dev->result)) {
-		dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
-		if (address_type == DNS_ADBFIND_INET) {
-			DP(NCACHE_LEVEL, "adb fetch name %p: "
-			   "caching negative entry for A (ttl %u)",
-			   name, dev->rdataset->ttl);
-			name->expire_v4 = ISC_MIN(name->expire_v4,
-						  dev->rdataset->ttl + now);
-			if (dev->result == DNS_R_NCACHENXDOMAIN)
-				name->fetch_err = FIND_ERR_NXDOMAIN;
-			else
-				name->fetch_err = FIND_ERR_NXRRSET;
-			inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
-		} else {
-			DP(NCACHE_LEVEL, "adb fetch name %p: "
-			   "caching negative entry for AAAA (ttl %u)",
-			   name, dev->rdataset->ttl);
-			name->expire_v6 = ISC_MIN(name->expire_v6,
-						  dev->rdataset->ttl + now);
-			if (dev->result == DNS_R_NCACHENXDOMAIN)
-				name->fetch6_err = FIND_ERR_NXDOMAIN;
-			else
-				name->fetch6_err = FIND_ERR_NXRRSET;
-			inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
-		}
-		goto out;
-	}
-
-	/*
-	 * Handle CNAME/DNAME.
-	 */
-	if (dev->result == DNS_R_CNAME || dev->result == DNS_R_DNAME) {
-		dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
-		clean_target(adb, &name->target);
-		name->expire_target = INT_MAX;
-		result = set_target(adb, &name->name,
-				    dns_fixedname_name(&dev->foundname),
-				    dev->rdataset,
-				    &name->target);
-		if (result == ISC_R_SUCCESS) {
-			DP(NCACHE_LEVEL,
-			   "adb fetch name %p: caching alias target",
-			   name);
-			name->expire_target = dev->rdataset->ttl + now;
-		}
-		goto check_result;
-	}
-
-	/*
-	 * Did we get back junk?  If so, and there are no more fetches
-	 * sitting out there, tell all the finds about it.
-	 */
-	if (dev->result != ISC_R_SUCCESS) {
-		char buf[DNS_NAME_FORMATSIZE];
-
-		dns_name_format(&name->name, buf, sizeof(buf));
-		DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
-		   buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
-		   dns_result_totext(dev->result));
-		/* XXXMLG Don't pound on bad servers. */
-		if (address_type == DNS_ADBFIND_INET) {
-			name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
-			name->fetch_err = FIND_ERR_FAILURE;
-			inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
-		} else {
-			name->expire_v6 = ISC_MIN(name->expire_v6, now + 300);
-			name->fetch6_err = FIND_ERR_FAILURE;
-			inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
-		}
-		goto out;
-	}
-
-	/*
-	 * We got something potentially useful.
-	 */
-	result = import_rdataset(name, &fetch->rdataset, now);
-
- check_result:
-	if (result == ISC_R_SUCCESS) {
-		ev_status = DNS_EVENT_ADBMOREADDRESSES;
-		if (address_type == DNS_ADBFIND_INET)
-			name->fetch_err = FIND_ERR_SUCCESS;
-		else
-			name->fetch6_err = FIND_ERR_SUCCESS;
-	}
-
- out:
-	free_adbfetch(adb, &fetch);
-	isc_event_free(&ev);
-
-	clean_finds_at_name(name, ev_status, address_type);
-
-	UNLOCK(&adb->namelocks[bucket]);
-}
-
-static isc_result_t
-fetch_name(dns_adbname_t *adbname,
-	   isc_boolean_t start_at_zone,
-	   dns_rdatatype_t type)
-{
-	isc_result_t result;
-	dns_adbfetch_t *fetch = NULL;
-	dns_adb_t *adb;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	dns_rdataset_t rdataset;
-	dns_rdataset_t *nameservers;
-	unsigned int options;
-
-	INSIST(DNS_ADBNAME_VALID(adbname));
-	adb = adbname->adb;
-	INSIST(DNS_ADB_VALID(adb));
-
-	INSIST((type == dns_rdatatype_a && !NAME_FETCH_V4(adbname)) ||
-	       (type == dns_rdatatype_aaaa && !NAME_FETCH_V6(adbname)));
-
-	adbname->fetch_err = FIND_ERR_NOTFOUND;
-
-	name = NULL;
-	nameservers = NULL;
-	dns_rdataset_init(&rdataset);
-
-	options = DNS_FETCHOPT_NOVALIDATE;
-	if (start_at_zone) {
-		DP(ENTER_LEVEL,
-		   "fetch_name: starting at zone for name %p",
-		   adbname);
-		dns_fixedname_init(&fixed);
-		name = dns_fixedname_name(&fixed);
-		result = dns_view_findzonecut2(adb->view, &adbname->name, name,
-					       0, 0, ISC_TRUE, ISC_FALSE,
-					       &rdataset, NULL);
-		if (result != ISC_R_SUCCESS && result != DNS_R_HINT)
-			goto cleanup;
-		nameservers = &rdataset;
-		options |= DNS_FETCHOPT_UNSHARED;
-	}
-
-	fetch = new_adbfetch(adb);
-	if (fetch == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-
-	result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
-					  type, name, nameservers, NULL,
-					  options, adb->task, fetch_callback,
-					  adbname, &fetch->rdataset, NULL,
-					  &fetch->fetch);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	if (type == dns_rdatatype_a) {
-		adbname->fetch_a = fetch;
-		inc_stats(adb, dns_resstatscounter_gluefetchv4);
-	} else {
-		adbname->fetch_aaaa = fetch;
-		inc_stats(adb, dns_resstatscounter_gluefetchv6);
-	}
-	fetch = NULL;  /* Keep us from cleaning this up below. */
-
- cleanup:
-	if (fetch != NULL)
-		free_adbfetch(adb, &fetch);
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-
-	return (result);
-}
-
-/*
- * XXXMLG Needs to take a find argument and an address info, no zone or adb,
- * since these can be extracted from the find itself.
- */
-isc_result_t
-dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *qname,
-		 dns_rdatatype_t qtype, isc_stdtime_t expire_time)
-{
-	dns_adblameinfo_t *li;
-	int bucket;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(DNS_ADB_VALID(adb));
-	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
-	REQUIRE(qname != NULL);
-
-	bucket = addr->entry->lock_bucket;
-	LOCK(&adb->entrylocks[bucket]);
-	li = ISC_LIST_HEAD(addr->entry->lameinfo);
-	while (li != NULL &&
-	       (li->qtype != qtype || !dns_name_equal(qname, &li->qname)))
-		li = ISC_LIST_NEXT(li, plink);
-	if (li != NULL) {
-		if (expire_time > li->lame_timer)
-			li->lame_timer = expire_time;
-		goto unlock;
-	}
-	li = new_adblameinfo(adb, qname, qtype);
-	if (li == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto unlock;
-	}
-
-	li->lame_timer = expire_time;
-
-	ISC_LIST_PREPEND(addr->entry->lameinfo, li, plink);
- unlock:
-	UNLOCK(&adb->entrylocks[bucket]);
-
-	return (result);
-}
-
-void
-dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
-		   unsigned int rtt, unsigned int factor)
-{
-	int bucket;
-	unsigned int new_srtt;
-	isc_stdtime_t now;
-
-	REQUIRE(DNS_ADB_VALID(adb));
-	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
-	REQUIRE(factor <= 10);
-
-	bucket = addr->entry->lock_bucket;
-	LOCK(&adb->entrylocks[bucket]);
-
-	if (factor == DNS_ADB_RTTADJAGE)
-		new_srtt = addr->entry->srtt * 98 / 100;
-	else
-		new_srtt = (addr->entry->srtt / 10 * factor)
-			+ (rtt / 10 * (10 - factor));
-
-	addr->entry->srtt = new_srtt;
-	addr->srtt = new_srtt;
-
-	if (addr->entry->expires == 0) {
-		isc_stdtime_get(&now);
-		addr->entry->expires = now + ADB_ENTRY_WINDOW;
-	}
-
-	UNLOCK(&adb->entrylocks[bucket]);
-}
-
-void
-dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
-		    unsigned int bits, unsigned int mask)
-{
-	int bucket;
-	isc_stdtime_t now;
-
-	REQUIRE(DNS_ADB_VALID(adb));
-	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
-
-	bucket = addr->entry->lock_bucket;
-	LOCK(&adb->entrylocks[bucket]);
-
-	addr->entry->flags = (addr->entry->flags & ~mask) | (bits & mask);
-	if (addr->entry->expires == 0) {
-		isc_stdtime_get(&now);
-		addr->entry->expires = now + ADB_ENTRY_WINDOW;
-	}
-
-	/*
-	 * Note that we do not update the other bits in addr->flags with
-	 * the most recent values from addr->entry->flags.
-	 */
-	addr->flags = (addr->flags & ~mask) | (bits & mask);
-
-	UNLOCK(&adb->entrylocks[bucket]);
-}
-
-isc_result_t
-dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
-		     dns_adbaddrinfo_t **addrp, isc_stdtime_t now)
-{
-	int bucket;
-	dns_adbentry_t *entry;
-	dns_adbaddrinfo_t *addr;
-	isc_result_t result;
-	in_port_t port;
-
-	REQUIRE(DNS_ADB_VALID(adb));
-	REQUIRE(addrp != NULL && *addrp == NULL);
-
-	UNUSED(now);
-
-	result = ISC_R_SUCCESS;
-	bucket = DNS_ADB_INVALIDBUCKET;
-	entry = find_entry_and_lock(adb, sa, &bucket, now);
-	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
-	if (adb->entry_sd[bucket]) {
-		result = ISC_R_SHUTTINGDOWN;
-		goto unlock;
-	}
-	if (entry == NULL) {
-		/*
-		 * We don't know anything about this address.
-		 */
-		entry = new_adbentry(adb);
-		if (entry == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto unlock;
-		}
-		entry->sockaddr = *sa;
-		link_entry(adb, bucket, entry);
-		DP(ENTER_LEVEL, "findaddrinfo: new entry %p", entry);
-	} else
-		DP(ENTER_LEVEL, "findaddrinfo: found entry %p", entry);
-
-	port = isc_sockaddr_getport(sa);
-	addr = new_adbaddrinfo(adb, entry, port);
-	if (addr == NULL) {
-		result = ISC_R_NOMEMORY;
-	} else {
-		inc_entry_refcnt(adb, entry, ISC_FALSE);
-		*addrp = addr;
-	}
-
- unlock:
-	UNLOCK(&adb->entrylocks[bucket]);
-
-	return (result);
-}
-
-void
-dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp) {
-	dns_adbaddrinfo_t *addr;
-	dns_adbentry_t *entry;
-	int bucket;
-	isc_stdtime_t now;
-	isc_boolean_t want_check_exit = ISC_FALSE;
-	isc_boolean_t overmem;
-
-	REQUIRE(DNS_ADB_VALID(adb));
-	REQUIRE(addrp != NULL);
-	addr = *addrp;
-	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
-	entry = addr->entry;
-	REQUIRE(DNS_ADBENTRY_VALID(entry));
-
-	*addrp = NULL;
-	overmem = isc_mem_isovermem(adb->mctx);
-
-	bucket = addr->entry->lock_bucket;
-	LOCK(&adb->entrylocks[bucket]);
-
-	if (entry->expires == 0) {
-		isc_stdtime_get(&now);
-		entry->expires = now + ADB_ENTRY_WINDOW;
-	}
-
-	want_check_exit = dec_entry_refcnt(adb, overmem, entry, ISC_FALSE);
-
-	UNLOCK(&adb->entrylocks[bucket]);
-
-	addr->entry = NULL;
-	free_adbaddrinfo(adb, &addr);
-
-	if (want_check_exit) {
-		LOCK(&adb->lock);
-		check_exit(adb);
-		UNLOCK(&adb->lock);
-	}
-}
-
-void
-dns_adb_flush(dns_adb_t *adb) {
-	unsigned int i;
-
-	INSIST(DNS_ADB_VALID(adb));
-
-	LOCK(&adb->lock);
-
-	/*
-	 * Call our cleanup routines.
-	 */
-	for (i = 0; i < adb->nnames; i++)
-		RUNTIME_CHECK(cleanup_names(adb, i, INT_MAX) == ISC_FALSE);
-	for (i = 0; i < adb->nentries; i++)
-		RUNTIME_CHECK(cleanup_entries(adb, i, INT_MAX) == ISC_FALSE);
-
-#ifdef DUMP_ADB_AFTER_CLEANING
-	dump_adb(adb, stdout, ISC_TRUE, INT_MAX);
-#endif
-
-	UNLOCK(&adb->lock);
-}
-
-void
-dns_adb_flushname(dns_adb_t *adb, dns_name_t *name) {
-	dns_adbname_t *adbname;
-	dns_adbname_t *nextname;
-	int bucket;
-
-	INSIST(DNS_ADB_VALID(adb));
-
-	LOCK(&adb->lock);
-	bucket = dns_name_hash(name, ISC_FALSE) % adb->nnames;
-	LOCK(&adb->namelocks[bucket]);
-	adbname = ISC_LIST_HEAD(adb->names[bucket]);
-	while (adbname != NULL) {
-		nextname = ISC_LIST_NEXT(adbname, plink);
-		if (!NAME_DEAD(adbname) &&
-		    dns_name_equal(name, &adbname->name)) {
-			RUNTIME_CHECK(kill_name(&adbname,
-						DNS_EVENT_ADBCANCELED) ==
-				      ISC_FALSE);
-		}
-		adbname = nextname;
-	}
-	UNLOCK(&adb->namelocks[bucket]);
-	UNLOCK(&adb->lock);
-}
-
-static void
-water(void *arg, int mark) {
-	/*
-	 * We're going to change the way to handle overmem condition: use
-	 * isc_mem_isovermem() instead of storing the state via this callback,
-	 * since the latter way tends to cause race conditions.
-	 * To minimize the change, and in case we re-enable the callback
-	 * approach, however, keep this function at the moment.
-	 */
-
-	dns_adb_t *adb = arg;
-	isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
-
-	REQUIRE(DNS_ADB_VALID(adb));
-
-	DP(ISC_LOG_DEBUG(1),
-	   "adb reached %s water mark", overmem ? "high" : "low");
-}
-
-void
-dns_adb_setadbsize(dns_adb_t *adb, size_t size) {
-	size_t hiwater, lowater;
-
-	INSIST(DNS_ADB_VALID(adb));
-
-	if (size != 0U && size < DNS_ADB_MINADBSIZE)
-		size = DNS_ADB_MINADBSIZE;
-
-	hiwater = size - (size >> 3);   /* Approximately 7/8ths. */
-	lowater = size - (size >> 2);   /* Approximately 3/4ths. */
-
-	if (size == 0U || hiwater == 0U || lowater == 0U)
-		isc_mem_setwater(adb->mctx, water, adb, 0, 0);
-	else
-		isc_mem_setwater(adb->mctx, water, adb, hiwater, lowater);
-}
diff --git a/contrib/bind9/lib/dns/api b/contrib/bind9/lib/dns/api
deleted file mode 100644
index a888110..0000000
--- a/contrib/bind9/lib/dns/api
+++ /dev/null
@@ -1,9 +0,0 @@
-# LIBINTERFACE ranges
-# 9.6: 50-59, 110-119
-# 9.7: 60-79
-# 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-LIBINTERFACE = 99
-LIBREVISION = 1
-LIBAGE = 0
diff --git a/contrib/bind9/lib/dns/byaddr.c b/contrib/bind9/lib/dns/byaddr.c
deleted file mode 100644
index eb05f9f..0000000
--- a/contrib/bind9/lib/dns/byaddr.c
+++ /dev/null
@@ -1,318 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: byaddr.c,v 1.41 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/byaddr.h>
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/lookup.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-/*
- * XXXRTH  We could use a static event...
- */
-
-static char hex_digits[] = {
-	'0', '1', '2', '3', '4', '5', '6', '7',
-	'8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
-};
-
-isc_result_t
-dns_byaddr_createptrname(isc_netaddr_t *address, isc_boolean_t nibble,
-			 dns_name_t *name)
-{
-	/*
-	 * We dropped bitstring labels, so all lookups will use nibbles.
-	 */
-	UNUSED(nibble);
-
-	return (dns_byaddr_createptrname2(address,
-					  DNS_BYADDROPT_IPV6INT, name));
-}
-
-isc_result_t
-dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
-			  dns_name_t *name)
-{
-	char textname[128];
-	unsigned char *bytes;
-	int i;
-	char *cp;
-	isc_buffer_t buffer;
-	unsigned int len;
-
-	REQUIRE(address != NULL);
-
-	/*
-	 * We create the text representation and then convert to a
-	 * dns_name_t.  This is not maximally efficient, but it keeps all
-	 * of the knowledge of wire format in the dns_name_ routines.
-	 */
-
-	bytes = (unsigned char *)(&address->type);
-	if (address->family == AF_INET) {
-		(void)snprintf(textname, sizeof(textname),
-			       "%u.%u.%u.%u.in-addr.arpa.",
-			       (bytes[3] & 0xff),
-			       (bytes[2] & 0xff),
-			       (bytes[1] & 0xff),
-			       (bytes[0] & 0xff));
-	} else if (address->family == AF_INET6) {
-		cp = textname;
-		for (i = 15; i >= 0; i--) {
-			*cp++ = hex_digits[bytes[i] & 0x0f];
-			*cp++ = '.';
-			*cp++ = hex_digits[(bytes[i] >> 4) & 0x0f];
-			*cp++ = '.';
-		}
-		if ((options & DNS_BYADDROPT_IPV6INT) != 0)
-			strcpy(cp, "ip6.int.");
-		else
-			strcpy(cp, "ip6.arpa.");
-	} else
-		return (ISC_R_NOTIMPLEMENTED);
-
-	len = (unsigned int)strlen(textname);
-	isc_buffer_init(&buffer, textname, len);
-	isc_buffer_add(&buffer, len);
-	return (dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL));
-}
-
-#ifdef BIND9
-struct dns_byaddr {
-	/* Unlocked. */
-	unsigned int		magic;
-	isc_mem_t *		mctx;
-	isc_mutex_t		lock;
-	dns_fixedname_t		name;
-	/* Locked by lock. */
-	unsigned int		options;
-	dns_lookup_t *		lookup;
-	isc_task_t *		task;
-	dns_byaddrevent_t *	event;
-	isc_boolean_t		canceled;
-};
-
-#define BYADDR_MAGIC			ISC_MAGIC('B', 'y', 'A', 'd')
-#define VALID_BYADDR(b)			ISC_MAGIC_VALID(b, BYADDR_MAGIC)
-
-#define MAX_RESTARTS 16
-
-static inline isc_result_t
-copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) {
-	isc_result_t result;
-	dns_name_t *name;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	/*
-	 * The caller must be holding the byaddr's lock.
-	 */
-
-	result = dns_rdataset_first(rdataset);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdata_ptr_t ptr;
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &ptr, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		name = isc_mem_get(byaddr->mctx, sizeof(*name));
-		if (name == NULL) {
-			dns_rdata_freestruct(&ptr);
-			return (ISC_R_NOMEMORY);
-		}
-		dns_name_init(name, NULL);
-		result = dns_name_dup(&ptr.ptr, byaddr->mctx, name);
-		dns_rdata_freestruct(&ptr);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(byaddr->mctx, name, sizeof(*name));
-			return (ISC_R_NOMEMORY);
-		}
-		ISC_LIST_APPEND(byaddr->event->names, name, link);
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(rdataset);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	return (result);
-}
-
-static void
-lookup_done(isc_task_t *task, isc_event_t *event) {
-	dns_byaddr_t *byaddr = event->ev_arg;
-	dns_lookupevent_t *levent;
-	isc_result_t result;
-
-	REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
-	REQUIRE(VALID_BYADDR(byaddr));
-	REQUIRE(byaddr->task == task);
-
-	UNUSED(task);
-
-	levent = (dns_lookupevent_t *)event;
-
-	if (levent->result == ISC_R_SUCCESS) {
-		result = copy_ptr_targets(byaddr, levent->rdataset);
-		byaddr->event->result = result;
-	} else
-		byaddr->event->result = levent->result;
-	isc_event_free(&event);
-	isc_task_sendanddetach(&byaddr->task, (isc_event_t **)&byaddr->event);
-}
-
-static void
-bevent_destroy(isc_event_t *event) {
-	dns_byaddrevent_t *bevent;
-	dns_name_t *name, *next_name;
-	isc_mem_t *mctx;
-
-	REQUIRE(event->ev_type == DNS_EVENT_BYADDRDONE);
-	mctx = event->ev_destroy_arg;
-	bevent = (dns_byaddrevent_t *)event;
-
-	for (name = ISC_LIST_HEAD(bevent->names);
-	     name != NULL;
-	     name = next_name) {
-		next_name = ISC_LIST_NEXT(name, link);
-		ISC_LIST_UNLINK(bevent->names, name, link);
-		dns_name_free(name, mctx);
-		isc_mem_put(mctx, name, sizeof(*name));
-	}
-	isc_mem_put(mctx, event, event->ev_size);
-}
-
-isc_result_t
-dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
-		  unsigned int options, isc_task_t *task,
-		  isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp)
-{
-	isc_result_t result;
-	dns_byaddr_t *byaddr;
-	isc_event_t *ievent;
-
-	byaddr = isc_mem_get(mctx, sizeof(*byaddr));
-	if (byaddr == NULL)
-		return (ISC_R_NOMEMORY);
-	byaddr->mctx = NULL;
-	isc_mem_attach(mctx, &byaddr->mctx);
-	byaddr->options = options;
-
-	byaddr->event = isc_mem_get(mctx, sizeof(*byaddr->event));
-	if (byaddr->event == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_byaddr;
-	}
-	ISC_EVENT_INIT(byaddr->event, sizeof(*byaddr->event), 0, NULL,
-		       DNS_EVENT_BYADDRDONE, action, arg, byaddr,
-		       bevent_destroy, mctx);
-	byaddr->event->result = ISC_R_FAILURE;
-	ISC_LIST_INIT(byaddr->event->names);
-
-	byaddr->task = NULL;
-	isc_task_attach(task, &byaddr->task);
-
-	result = isc_mutex_init(&byaddr->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_event;
-
-	dns_fixedname_init(&byaddr->name);
-
-	result = dns_byaddr_createptrname2(address, options,
-					   dns_fixedname_name(&byaddr->name));
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-
-	byaddr->lookup = NULL;
-	result = dns_lookup_create(mctx, dns_fixedname_name(&byaddr->name),
-				   dns_rdatatype_ptr, view, 0, task,
-				   lookup_done, byaddr, &byaddr->lookup);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-
-	byaddr->canceled = ISC_FALSE;
-	byaddr->magic = BYADDR_MAGIC;
-
-	*byaddrp = byaddr;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_lock:
-	DESTROYLOCK(&byaddr->lock);
-
- cleanup_event:
-	ievent = (isc_event_t *)byaddr->event;
-	isc_event_free(&ievent);
-	byaddr->event = NULL;
-
-	isc_task_detach(&byaddr->task);
-
- cleanup_byaddr:
-	isc_mem_putanddetach(&mctx, byaddr, sizeof(*byaddr));
-
-	return (result);
-}
-
-void
-dns_byaddr_cancel(dns_byaddr_t *byaddr) {
-	REQUIRE(VALID_BYADDR(byaddr));
-
-	LOCK(&byaddr->lock);
-
-	if (!byaddr->canceled) {
-		byaddr->canceled = ISC_TRUE;
-		if (byaddr->lookup != NULL)
-			dns_lookup_cancel(byaddr->lookup);
-	}
-
-	UNLOCK(&byaddr->lock);
-}
-
-void
-dns_byaddr_destroy(dns_byaddr_t **byaddrp) {
-	dns_byaddr_t *byaddr;
-
-	REQUIRE(byaddrp != NULL);
-	byaddr = *byaddrp;
-	REQUIRE(VALID_BYADDR(byaddr));
-	REQUIRE(byaddr->event == NULL);
-	REQUIRE(byaddr->task == NULL);
-	dns_lookup_destroy(&byaddr->lookup);
-
-	DESTROYLOCK(&byaddr->lock);
-	byaddr->magic = 0;
-	isc_mem_putanddetach(&byaddr->mctx, byaddr, sizeof(*byaddr));
-
-	*byaddrp = NULL;
-}
-#endif /* BIND9 */
diff --git a/contrib/bind9/lib/dns/cache.c b/contrib/bind9/lib/dns/cache.c
deleted file mode 100644
index d0f05b9..0000000
--- a/contrib/bind9/lib/dns/cache.c
+++ /dev/null
@@ -1,1280 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cache.c,v 1.91 2011/08/26 05:12:56 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/cache.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/events.h>
-#include <dns/lib.h>
-#include <dns/log.h>
-#include <dns/masterdump.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-
-#include "rbtdb.h"
-
-#define CACHE_MAGIC		ISC_MAGIC('$', '$', '$', '$')
-#define VALID_CACHE(cache)	ISC_MAGIC_VALID(cache, CACHE_MAGIC)
-
-/*!
- * Control incremental cleaning.
- * DNS_CACHE_MINSIZE is how many bytes is the floor for dns_cache_setcachesize().
- * See also DNS_CACHE_CLEANERINCREMENT
- */
-#define DNS_CACHE_MINSIZE	2097152U /*%< Bytes.  2097152 = 2 MB */
-/*!
- * Control incremental cleaning.
- * CLEANERINCREMENT is how many nodes are examined in one pass.
- * See also DNS_CACHE_MINSIZE
- */
-#define DNS_CACHE_CLEANERINCREMENT	1000U	/*%< Number of nodes. */
-
-/***
- ***	Types
- ***/
-
-/*
- * A cache_cleaner_t encapsulates the state of the periodic
- * cache cleaning.
- */
-
-typedef struct cache_cleaner cache_cleaner_t;
-
-typedef enum {
-	cleaner_s_idle,	/*%< Waiting for cleaning-interval to expire. */
-	cleaner_s_busy,	/*%< Currently cleaning. */
-	cleaner_s_done	/*%< Freed enough memory after being overmem. */
-} cleaner_state_t;
-
-/*
- * Convenience macros for comprehensive assertion checking.
- */
-#define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
-			 (c)->resched_event != NULL)
-#define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \
-			 (c)->iterator != NULL && \
-			 (c)->resched_event == NULL)
-
-/*%
- * Accesses to a cache cleaner object are synchronized through
- * task/event serialization, or locked from the cache object.
- */
-struct cache_cleaner {
-	isc_mutex_t	lock;
-	/*%<
-	 * Locks overmem_event, overmem.  Note: never allocate memory
-	 * while holding this lock - that could lead to deadlock since
-	 * the lock is take by water() which is called from the memory
-	 * allocator.
-	 */
-
-	dns_cache_t	*cache;
-	isc_task_t	*task;
-	unsigned int	cleaning_interval; /*% The cleaning-interval from
-					      named.conf, in seconds. */
-	isc_timer_t	*cleaning_timer;
-	isc_event_t	*resched_event;	/*% Sent by cleaner task to
-					   itself to reschedule */
-	isc_event_t	*overmem_event;
-
-	dns_dbiterator_t *iterator;
-	unsigned int	increment;	/*% Number of names to
-					   clean in one increment */
-	cleaner_state_t	state;		/*% Idle/Busy. */
-	isc_boolean_t	overmem;	/*% The cache is in an overmem state. */
-	isc_boolean_t	 replaceiterator;
-};
-
-/*%
- * The actual cache object.
- */
-
-struct dns_cache {
-	/* Unlocked. */
-	unsigned int		magic;
-	isc_mutex_t		lock;
-	isc_mutex_t		filelock;
-	isc_mem_t		*mctx;		/* Main cache memory */
-	isc_mem_t		*hmctx;		/* Heap memory */
-	char			*name;
-
-	/* Locked by 'lock'. */
-	int			references;
-	int			live_tasks;
-	dns_rdataclass_t	rdclass;
-	dns_db_t		*db;
-	cache_cleaner_t		cleaner;
-	char			*db_type;
-	int			db_argc;
-	char			**db_argv;
-	size_t			size;
-
-	/* Locked by 'filelock'. */
-	char			*filename;
-	/* Access to the on-disk cache file is also locked by 'filelock'. */
-};
-
-/***
- ***	Functions
- ***/
-
-static isc_result_t
-cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
-		   isc_timermgr_t *timermgr, cache_cleaner_t *cleaner);
-
-static void
-cleaning_timer_action(isc_task_t *task, isc_event_t *event);
-
-static void
-incremental_cleaning_action(isc_task_t *task, isc_event_t *event);
-
-static void
-cleaner_shutdown_action(isc_task_t *task, isc_event_t *event);
-
-static void
-overmem_cleaning_action(isc_task_t *task, isc_event_t *event);
-
-static inline isc_result_t
-cache_create_db(dns_cache_t *cache, dns_db_t **db) {
-	return (dns_db_create(cache->mctx, cache->db_type, dns_rootname,
-			      dns_dbtype_cache, cache->rdclass,
-			      cache->db_argc, cache->db_argv, db));
-}
-
-isc_result_t
-dns_cache_create(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr,
-		 isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
-		 const char *db_type, unsigned int db_argc, char **db_argv,
-		 dns_cache_t **cachep)
-{
-	return (dns_cache_create3(cmctx, cmctx, taskmgr, timermgr, rdclass, "",
-				  db_type, db_argc, db_argv, cachep));
-}
-
-isc_result_t
-dns_cache_create2(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr,
-		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
-		  const char *cachename, const char *db_type,
-		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep)
-{
-	return (dns_cache_create3(cmctx, cmctx, taskmgr, timermgr, rdclass,
-				  cachename, db_type, db_argc, db_argv,
-				  cachep));
-}
-
-isc_result_t
-dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
-		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
-		  const char *cachename, const char *db_type,
-		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep)
-{
-	isc_result_t result;
-	dns_cache_t *cache;
-	int i, extra = 0;
-	isc_task_t *dbtask;
-
-	REQUIRE(cachep != NULL);
-	REQUIRE(*cachep == NULL);
-	REQUIRE(cmctx != NULL);
-	REQUIRE(hmctx != NULL);
-	REQUIRE(cachename != NULL);
-
-	cache = isc_mem_get(cmctx, sizeof(*cache));
-	if (cache == NULL)
-		return (ISC_R_NOMEMORY);
-
-	cache->mctx = cache->hmctx = NULL;
-	isc_mem_attach(cmctx, &cache->mctx);
-	isc_mem_attach(hmctx, &cache->hmctx);
-
-	cache->name = NULL;
-	if (cachename != NULL) {
-		cache->name = isc_mem_strdup(cmctx, cachename);
-		if (cache->name == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup_mem;
-		}
-	}
-
-	result = isc_mutex_init(&cache->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mem;
-
-	result = isc_mutex_init(&cache->filelock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-
-	cache->references = 1;
-	cache->live_tasks = 0;
-	cache->rdclass = rdclass;
-
-	cache->db_type = isc_mem_strdup(cmctx, db_type);
-	if (cache->db_type == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_filelock;
-	}
-
-	/*
-	 * For databases of type "rbt" we pass hmctx to dns_db_create()
-	 * via cache->db_argv, followed by the rest of the arguments in
-	 * db_argv (of which there really shouldn't be any).
-	 */
-	if (strcmp(cache->db_type, "rbt") == 0)
-		extra = 1;
-
-	cache->db_argc = db_argc + extra;
-	cache->db_argv = NULL;
-
-	if (cache->db_argc != 0) {
-		cache->db_argv = isc_mem_get(cmctx,
-					     cache->db_argc * sizeof(char *));
-		if (cache->db_argv == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup_dbtype;
-		}
-
-		for (i = 0; i < cache->db_argc; i++)
-			cache->db_argv[i] = NULL;
-
-		cache->db_argv[0] = (char *) hmctx;
-		for (i = extra; i < cache->db_argc; i++) {
-			cache->db_argv[i] = isc_mem_strdup(cmctx,
-							   db_argv[i - extra]);
-			if (cache->db_argv[i] == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup_dbargv;
-			}
-		}
-	}
-
-	/*
-	 * Create the database
-	 */
-	cache->db = NULL;
-	result = cache_create_db(cache, &cache->db);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_dbargv;
-	if (taskmgr != NULL) {
-		dbtask = NULL;
-		result = isc_task_create(taskmgr, 1, &dbtask);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_db;
-		dns_db_settask(cache->db, dbtask);
-		isc_task_detach(&dbtask);
-	}
-
-	cache->filename = NULL;
-
-	cache->magic = CACHE_MAGIC;
-
-	/*
-	 * RBT-type cache DB has its own mechanism of cache cleaning and doesn't
-	 * need the control of the generic cleaner.
-	 */
-	if (strcmp(db_type, "rbt") == 0)
-		result = cache_cleaner_init(cache, NULL, NULL, &cache->cleaner);
-	else {
-		result = cache_cleaner_init(cache, taskmgr, timermgr,
-					    &cache->cleaner);
-	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_db;
-
-	*cachep = cache;
-	return (ISC_R_SUCCESS);
-
- cleanup_db:
-	dns_db_detach(&cache->db);
- cleanup_dbargv:
-	for (i = extra; i < cache->db_argc; i++)
-		if (cache->db_argv[i] != NULL)
-			isc_mem_free(cmctx, cache->db_argv[i]);
-	if (cache->db_argv != NULL)
-		isc_mem_put(cmctx, cache->db_argv,
-			    cache->db_argc * sizeof(char *));
- cleanup_dbtype:
-	isc_mem_free(cmctx, cache->db_type);
- cleanup_filelock:
-	DESTROYLOCK(&cache->filelock);
- cleanup_lock:
-	DESTROYLOCK(&cache->lock);
- cleanup_mem:
-	if (cache->name != NULL)
-		isc_mem_free(cmctx, cache->name);
-	isc_mem_detach(&cache->hmctx);
-	isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
-	return (result);
-}
-
-static void
-cache_free(dns_cache_t *cache) {
-	int i;
-
-	REQUIRE(VALID_CACHE(cache));
-	REQUIRE(cache->references == 0);
-
-	isc_mem_setwater(cache->mctx, NULL, NULL, 0, 0);
-
-	if (cache->cleaner.task != NULL)
-		isc_task_detach(&cache->cleaner.task);
-
-	if (cache->cleaner.overmem_event != NULL)
-		isc_event_free(&cache->cleaner.overmem_event);
-
-	if (cache->cleaner.resched_event != NULL)
-		isc_event_free(&cache->cleaner.resched_event);
-
-	if (cache->cleaner.iterator != NULL)
-		dns_dbiterator_destroy(&cache->cleaner.iterator);
-
-	DESTROYLOCK(&cache->cleaner.lock);
-
-	if (cache->filename) {
-		isc_mem_free(cache->mctx, cache->filename);
-		cache->filename = NULL;
-	}
-
-	if (cache->db != NULL)
-		dns_db_detach(&cache->db);
-
-	if (cache->db_argv != NULL) {
-		/*
-		 * We don't free db_argv[0] in "rbt" cache databases
-		 * as it's a pointer to hmctx
-		 */
-		int extra = 0;
-		if (strcmp(cache->db_type, "rbt") == 0)
-			extra = 1;
-		for (i = extra; i < cache->db_argc; i++)
-			if (cache->db_argv[i] != NULL)
-				isc_mem_free(cache->mctx, cache->db_argv[i]);
-		isc_mem_put(cache->mctx, cache->db_argv,
-			    cache->db_argc * sizeof(char *));
-	}
-
-	if (cache->db_type != NULL)
-		isc_mem_free(cache->mctx, cache->db_type);
-
-	if (cache->name != NULL)
-		isc_mem_free(cache->mctx, cache->name);
-
-	DESTROYLOCK(&cache->lock);
-	DESTROYLOCK(&cache->filelock);
-
-	cache->magic = 0;
-	isc_mem_detach(&cache->hmctx);
-	isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
-}
-
-
-void
-dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp) {
-
-	REQUIRE(VALID_CACHE(cache));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	LOCK(&cache->lock);
-	cache->references++;
-	UNLOCK(&cache->lock);
-
-	*targetp = cache;
-}
-
-void
-dns_cache_detach(dns_cache_t **cachep) {
-	dns_cache_t *cache;
-	isc_boolean_t free_cache = ISC_FALSE;
-
-	REQUIRE(cachep != NULL);
-	cache = *cachep;
-	REQUIRE(VALID_CACHE(cache));
-
-	LOCK(&cache->lock);
-	REQUIRE(cache->references > 0);
-	cache->references--;
-	if (cache->references == 0) {
-		cache->cleaner.overmem = ISC_FALSE;
-		free_cache = ISC_TRUE;
-	}
-
-	*cachep = NULL;
-
-	if (free_cache) {
-		/*
-		 * When the cache is shut down, dump it to a file if one is
-		 * specified.
-		 */
-		isc_result_t result = dns_cache_dump(cache);
-		if (result != ISC_R_SUCCESS)
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
-				      "error dumping cache: %s ",
-				      isc_result_totext(result));
-
-		/*
-		 * If the cleaner task exists, let it free the cache.
-		 */
-		if (cache->live_tasks > 0) {
-			isc_task_shutdown(cache->cleaner.task);
-			free_cache = ISC_FALSE;
-		}
-	}
-
-	UNLOCK(&cache->lock);
-
-	if (free_cache)
-		cache_free(cache);
-}
-
-void
-dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp) {
-	REQUIRE(VALID_CACHE(cache));
-	REQUIRE(dbp != NULL && *dbp == NULL);
-	REQUIRE(cache->db != NULL);
-
-	LOCK(&cache->lock);
-	dns_db_attach(cache->db, dbp);
-	UNLOCK(&cache->lock);
-
-}
-
-isc_result_t
-dns_cache_setfilename(dns_cache_t *cache, const char *filename) {
-	char *newname;
-
-	REQUIRE(VALID_CACHE(cache));
-	REQUIRE(filename != NULL);
-
-	newname = isc_mem_strdup(cache->mctx, filename);
-	if (newname == NULL)
-		return (ISC_R_NOMEMORY);
-
-	LOCK(&cache->filelock);
-	if (cache->filename)
-		isc_mem_free(cache->mctx, cache->filename);
-	cache->filename = newname;
-	UNLOCK(&cache->filelock);
-
-	return (ISC_R_SUCCESS);
-}
-
-#ifdef BIND9
-isc_result_t
-dns_cache_load(dns_cache_t *cache) {
-	isc_result_t result;
-
-	REQUIRE(VALID_CACHE(cache));
-
-	if (cache->filename == NULL)
-		return (ISC_R_SUCCESS);
-
-	LOCK(&cache->filelock);
-	result = dns_db_load(cache->db, cache->filename);
-	UNLOCK(&cache->filelock);
-
-	return (result);
-}
-#endif /* BIND9 */
-
-isc_result_t
-dns_cache_dump(dns_cache_t *cache) {
-#ifdef BIND9
-	isc_result_t result;
-#endif
-
-	REQUIRE(VALID_CACHE(cache));
-
-	if (cache->filename == NULL)
-		return (ISC_R_SUCCESS);
-
-#ifdef BIND9
-	LOCK(&cache->filelock);
-	result = dns_master_dump(cache->mctx, cache->db, NULL,
-				 &dns_master_style_cache, cache->filename);
-	UNLOCK(&cache->filelock);
-	return (result);
-#else
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-
-}
-
-void
-dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int t) {
-	isc_interval_t interval;
-	isc_result_t result;
-
-	LOCK(&cache->lock);
-
-	/*
-	 * It may be the case that the cache has already shut down.
-	 * If so, it has no timer.
-	 */
-	if (cache->cleaner.cleaning_timer == NULL)
-		goto unlock;
-
-	cache->cleaner.cleaning_interval = t;
-
-	if (t == 0) {
-		result = isc_timer_reset(cache->cleaner.cleaning_timer,
-					 isc_timertype_inactive,
-					 NULL, NULL, ISC_TRUE);
-	} else {
-		isc_interval_set(&interval, cache->cleaner.cleaning_interval,
-				 0);
-		result = isc_timer_reset(cache->cleaner.cleaning_timer,
-					 isc_timertype_ticker,
-					 NULL, &interval, ISC_FALSE);
-	}
-	if (result != ISC_R_SUCCESS)
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
-			      "could not set cache cleaning interval: %s",
-			      isc_result_totext(result));
-
- unlock:
-	UNLOCK(&cache->lock);
-}
-
-unsigned int
-dns_cache_getcleaninginterval(dns_cache_t *cache) {
-	unsigned int t;
-
-	REQUIRE(VALID_CACHE(cache));
-
-	LOCK(&cache->lock);
-	t = cache->cleaner.cleaning_interval;
-	UNLOCK(&cache->lock);
-
-	return (t);
-}
-
-const char *
-dns_cache_getname(dns_cache_t *cache) {
-	REQUIRE(VALID_CACHE(cache));
-
-	return (cache->name);
-}
-
-/*
- * Initialize the cache cleaner object at *cleaner.
- * Space for the object must be allocated by the caller.
- */
-
-static isc_result_t
-cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
-		   isc_timermgr_t *timermgr, cache_cleaner_t *cleaner)
-{
-	isc_result_t result;
-
-	result = isc_mutex_init(&cleaner->lock);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
-	cleaner->state = cleaner_s_idle;
-	cleaner->cache = cache;
-	cleaner->iterator = NULL;
-	cleaner->overmem = ISC_FALSE;
-	cleaner->replaceiterator = ISC_FALSE;
-
-	cleaner->task = NULL;
-	cleaner->cleaning_timer = NULL;
-	cleaner->resched_event = NULL;
-	cleaner->overmem_event = NULL;
-	cleaner->cleaning_interval = 0; /* Initially turned off. */
-
-	result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
-				       &cleaner->iterator);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	if (taskmgr != NULL && timermgr != NULL) {
-		result = isc_task_create(taskmgr, 1, &cleaner->task);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_task_create() failed: %s",
-					 dns_result_totext(result));
-			result = ISC_R_UNEXPECTED;
-			goto cleanup;
-		}
-		cleaner->cache->live_tasks++;
-		isc_task_setname(cleaner->task, "cachecleaner", cleaner);
-
-		result = isc_task_onshutdown(cleaner->task,
-					     cleaner_shutdown_action, cache);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "cache cleaner: "
-					 "isc_task_onshutdown() failed: %s",
-					 dns_result_totext(result));
-			goto cleanup;
-		}
-
-		result = isc_timer_create(timermgr, isc_timertype_inactive,
-					   NULL, NULL, cleaner->task,
-					   cleaning_timer_action, cleaner,
-					   &cleaner->cleaning_timer);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_timer_create() failed: %s",
-					 dns_result_totext(result));
-			result = ISC_R_UNEXPECTED;
-			goto cleanup;
-		}
-
-		cleaner->resched_event =
-			isc_event_allocate(cache->mctx, cleaner,
-					   DNS_EVENT_CACHECLEAN,
-					   incremental_cleaning_action,
-					   cleaner, sizeof(isc_event_t));
-		if (cleaner->resched_event == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-
-		cleaner->overmem_event =
-			isc_event_allocate(cache->mctx, cleaner,
-					   DNS_EVENT_CACHEOVERMEM,
-					   overmem_cleaning_action,
-					   cleaner, sizeof(isc_event_t));
-		if (cleaner->overmem_event == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (cleaner->overmem_event != NULL)
-		isc_event_free(&cleaner->overmem_event);
-	if (cleaner->resched_event != NULL)
-		isc_event_free(&cleaner->resched_event);
-	if (cleaner->cleaning_timer != NULL)
-		isc_timer_detach(&cleaner->cleaning_timer);
-	if (cleaner->task != NULL)
-		isc_task_detach(&cleaner->task);
-	if (cleaner->iterator != NULL)
-		dns_dbiterator_destroy(&cleaner->iterator);
-	DESTROYLOCK(&cleaner->lock);
- fail:
-	return (result);
-}
-
-static void
-begin_cleaning(cache_cleaner_t *cleaner) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(CLEANER_IDLE(cleaner));
-
-	/*
-	 * Create an iterator, if it does not already exist, and
-	 * position it at the beginning of the cache.
-	 */
-	if (cleaner->iterator == NULL)
-		result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
-					       &cleaner->iterator);
-	if (result != ISC_R_SUCCESS)
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
-			      "cache cleaner could not create "
-			      "iterator: %s", isc_result_totext(result));
-	else {
-		dns_dbiterator_setcleanmode(cleaner->iterator, ISC_TRUE);
-		result = dns_dbiterator_first(cleaner->iterator);
-	}
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * If the result is ISC_R_NOMORE, the database is empty,
-		 * so there is nothing to be cleaned.
-		 */
-		if (result != ISC_R_NOMORE && cleaner->iterator != NULL) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "cache cleaner: "
-					 "dns_dbiterator_first() failed: %s",
-					 dns_result_totext(result));
-			dns_dbiterator_destroy(&cleaner->iterator);
-		} else if (cleaner->iterator != NULL) {
-			result = dns_dbiterator_pause(cleaner->iterator);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		}
-	} else {
-		/*
-		 * Pause the iterator to free its lock.
-		 */
-		result = dns_dbiterator_pause(cleaner->iterator);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
-			      "begin cache cleaning, mem inuse %lu",
-			    (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
-		cleaner->state = cleaner_s_busy;
-		isc_task_send(cleaner->task, &cleaner->resched_event);
-	}
-
-	return;
-}
-
-static void
-end_cleaning(cache_cleaner_t *cleaner, isc_event_t *event) {
-	isc_result_t result;
-
-	REQUIRE(CLEANER_BUSY(cleaner));
-	REQUIRE(event != NULL);
-
-	result = dns_dbiterator_pause(cleaner->iterator);
-	if (result != ISC_R_SUCCESS)
-		dns_dbiterator_destroy(&cleaner->iterator);
-
-	dns_cache_setcleaninginterval(cleaner->cache,
-				      cleaner->cleaning_interval);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_DEBUG(1), "end cache cleaning, mem inuse %lu",
-		      (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
-
-	cleaner->state = cleaner_s_idle;
-	cleaner->resched_event = event;
-}
-
-/*
- * This is run once for every cache-cleaning-interval as defined in named.conf.
- */
-static void
-cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
-	cache_cleaner_t *cleaner = event->ev_arg;
-
-	UNUSED(task);
-
-	INSIST(task == cleaner->task);
-	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_DEBUG(1), "cache cleaning timer fired, "
-		      "cleaner state = %d", cleaner->state);
-
-	if (cleaner->state == cleaner_s_idle)
-		begin_cleaning(cleaner);
-
-	isc_event_free(&event);
-}
-
-/*
- * This is called when the cache either surpasses its upper limit
- * or shrinks beyond its lower limit.
- */
-static void
-overmem_cleaning_action(isc_task_t *task, isc_event_t *event) {
-	cache_cleaner_t *cleaner = event->ev_arg;
-	isc_boolean_t want_cleaning = ISC_FALSE;
-
-	UNUSED(task);
-
-	INSIST(task == cleaner->task);
-	INSIST(event->ev_type == DNS_EVENT_CACHEOVERMEM);
-	INSIST(cleaner->overmem_event == NULL);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_DEBUG(1), "overmem_cleaning_action called, "
-		      "overmem = %d, state = %d", cleaner->overmem,
-		      cleaner->state);
-
-	LOCK(&cleaner->lock);
-
-	if (cleaner->overmem) {
-		if (cleaner->state == cleaner_s_idle)
-			want_cleaning = ISC_TRUE;
-	} else {
-		if (cleaner->state == cleaner_s_busy)
-			/*
-			 * end_cleaning() can't be called here because
-			 * then both cleaner->overmem_event and
-			 * cleaner->resched_event will point to this
-			 * event.  Set the state to done, and then
-			 * when the incremental_cleaning_action() event
-			 * is posted, it will handle the end_cleaning.
-			 */
-			cleaner->state = cleaner_s_done;
-	}
-
-	cleaner->overmem_event = event;
-
-	UNLOCK(&cleaner->lock);
-
-	if (want_cleaning)
-		begin_cleaning(cleaner);
-}
-
-/*
- * Do incremental cleaning.
- */
-static void
-incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
-	cache_cleaner_t *cleaner = event->ev_arg;
-	isc_result_t result;
-	unsigned int n_names;
-	isc_time_t start;
-
-	UNUSED(task);
-
-	INSIST(task == cleaner->task);
-	INSIST(event->ev_type == DNS_EVENT_CACHECLEAN);
-
-	if (cleaner->state == cleaner_s_done) {
-		cleaner->state = cleaner_s_busy;
-		end_cleaning(cleaner, event);
-		LOCK(&cleaner->cache->lock);
-		LOCK(&cleaner->lock);
-		if (cleaner->replaceiterator) {
-			dns_dbiterator_destroy(&cleaner->iterator);
-			(void) dns_db_createiterator(cleaner->cache->db,
-						     ISC_FALSE,
-						     &cleaner->iterator);
-			cleaner->replaceiterator = ISC_FALSE;
-		}
-		UNLOCK(&cleaner->lock);
-		UNLOCK(&cleaner->cache->lock);
-		return;
-	}
-
-	INSIST(CLEANER_BUSY(cleaner));
-
-	n_names = cleaner->increment;
-
-	REQUIRE(DNS_DBITERATOR_VALID(cleaner->iterator));
-
-	isc_time_now(&start);
-	while (n_names-- > 0) {
-		dns_dbnode_t *node = NULL;
-
-		result = dns_dbiterator_current(cleaner->iterator, &node,
-						NULL);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "cache cleaner: dns_dbiterator_current() "
-				 "failed: %s", dns_result_totext(result));
-
-			end_cleaning(cleaner, event);
-			return;
-		}
-
-		/*
-		 * The node was not needed, but was required by
-		 * dns_dbiterator_current().  Give up its reference.
-		 */
-		dns_db_detachnode(cleaner->cache->db, &node);
-
-		/*
-		 * Step to the next node.
-		 */
-		result = dns_dbiterator_next(cleaner->iterator);
-
-		if (result != ISC_R_SUCCESS) {
-			/*
-			 * Either the end was reached (ISC_R_NOMORE) or
-			 * some error was signaled.  If the cache is still
-			 * overmem and no error was encountered,
-			 * keep trying to clean it, otherwise stop cleaning.
-			 */
-			if (result != ISC_R_NOMORE)
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 "cache cleaner: "
-						 "dns_dbiterator_next() "
-						 "failed: %s",
-						 dns_result_totext(result));
-			else if (cleaner->overmem) {
-				result = dns_dbiterator_first(cleaner->
-							      iterator);
-				if (result == ISC_R_SUCCESS) {
-					isc_log_write(dns_lctx,
-						      DNS_LOGCATEGORY_DATABASE,
-						      DNS_LOGMODULE_CACHE,
-						      ISC_LOG_DEBUG(1),
-						      "cache cleaner: "
-						      "still overmem, "
-						      "reset and try again");
-					continue;
-				}
-			}
-
-			end_cleaning(cleaner, event);
-			return;
-		}
-	}
-
-	/*
-	 * We have successfully performed a cleaning increment but have
-	 * not gone through the entire cache.  Free the iterator locks
-	 * and reschedule another batch.  If it fails, just try to continue
-	 * anyway.
-	 */
-	result = dns_dbiterator_pause(cleaner->iterator);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_DEBUG(1), "cache cleaner: checked %u nodes, "
-		      "mem inuse %lu, sleeping", cleaner->increment,
-		      (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
-
-	isc_task_send(task, &event);
-	INSIST(CLEANER_BUSY(cleaner));
-	return;
-}
-
-/*
- * Do immediate cleaning.
- */
-isc_result_t
-dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now) {
-	isc_result_t result;
-	dns_dbiterator_t *iterator = NULL;
-
-	REQUIRE(VALID_CACHE(cache));
-
-	result = dns_db_createiterator(cache->db, 0, &iterator);
-	if (result != ISC_R_SUCCESS)
-		return result;
-
-	result = dns_dbiterator_first(iterator);
-
-	while (result == ISC_R_SUCCESS) {
-		dns_dbnode_t *node = NULL;
-		result = dns_dbiterator_current(iterator, &node,
-						(dns_name_t *)NULL);
-		if (result != ISC_R_SUCCESS)
-			break;
-
-		/*
-		 * Check TTLs, mark expired rdatasets stale.
-		 */
-		result = dns_db_expirenode(cache->db, node, now);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "cache cleaner: dns_db_expirenode() "
-					 "failed: %s",
-					 dns_result_totext(result));
-			/*
-			 * Continue anyway.
-			 */
-		}
-
-		/*
-		 * This is where the actual freeing takes place.
-		 */
-		dns_db_detachnode(cache->db, &node);
-
-		result = dns_dbiterator_next(iterator);
-	}
-
-	dns_dbiterator_destroy(&iterator);
-
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	return (result);
-}
-
-static void
-water(void *arg, int mark) {
-	dns_cache_t *cache = arg;
-	isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
-
-	REQUIRE(VALID_CACHE(cache));
-
-	LOCK(&cache->cleaner.lock);
-
-	if (overmem != cache->cleaner.overmem) {
-		dns_db_overmem(cache->db, overmem);
-		cache->cleaner.overmem = overmem;
-		isc_mem_waterack(cache->mctx, mark);
-	}
-
-	if (cache->cleaner.overmem_event != NULL)
-		isc_task_send(cache->cleaner.task,
-			      &cache->cleaner.overmem_event);
-
-	UNLOCK(&cache->cleaner.lock);
-}
-
-void
-dns_cache_setcachesize(dns_cache_t *cache, size_t size) {
-	size_t hiwater, lowater;
-
-	REQUIRE(VALID_CACHE(cache));
-
-	/*
-	 * Impose a minimum cache size; pathological things happen if there
-	 * is too little room.
-	 */
-	if (size != 0U && size < DNS_CACHE_MINSIZE)
-		size = DNS_CACHE_MINSIZE;
-
-	LOCK(&cache->lock);
-	cache->size = size;
-	UNLOCK(&cache->lock);
-
-	hiwater = size - (size >> 3);	/* Approximately 7/8ths. */
-	lowater = size - (size >> 2);	/* Approximately 3/4ths. */
-
-	/*
-	 * If the cache was overmem and cleaning, but now with the new limits
-	 * it is no longer in an overmem condition, then the next
-	 * isc_mem_put for cache memory will do the right thing and trigger
-	 * water().
-	 */
-
-	if (size == 0U || hiwater == 0U || lowater == 0U)
-		/*
-		 * Disable cache memory limiting.
-		 */
-		isc_mem_setwater(cache->mctx, water, cache, 0, 0);
-	else
-		/*
-		 * Establish new cache memory limits (either for the first
-		 * time, or replacing other limits).
-		 */
-		isc_mem_setwater(cache->mctx, water, cache, hiwater, lowater);
-}
-
-size_t
-dns_cache_getcachesize(dns_cache_t *cache) {
-	size_t size;
-
-	REQUIRE(VALID_CACHE(cache));
-
-	LOCK(&cache->lock);
-	size = cache->size;
-	UNLOCK(&cache->lock);
-
-	return (size);
-}
-
-/*
- * The cleaner task is shutting down; do the necessary cleanup.
- */
-static void
-cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
-	dns_cache_t *cache = event->ev_arg;
-	isc_boolean_t should_free = ISC_FALSE;
-
-	UNUSED(task);
-
-	INSIST(task == cache->cleaner.task);
-	INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
-
-	if (CLEANER_BUSY(&cache->cleaner))
-		end_cleaning(&cache->cleaner, event);
-	else
-		isc_event_free(&event);
-
-	LOCK(&cache->lock);
-
-	cache->live_tasks--;
-	INSIST(cache->live_tasks == 0);
-
-	if (cache->references == 0)
-		should_free = ISC_TRUE;
-
-	/*
-	 * By detaching the timer in the context of its task,
-	 * we are guaranteed that there will be no further timer
-	 * events.
-	 */
-	if (cache->cleaner.cleaning_timer != NULL)
-		isc_timer_detach(&cache->cleaner.cleaning_timer);
-
-	/* Make sure we don't reschedule anymore. */
-	(void)isc_task_purge(task, NULL, DNS_EVENT_CACHECLEAN, NULL);
-
-	UNLOCK(&cache->lock);
-
-	if (should_free)
-		cache_free(cache);
-}
-
-isc_result_t
-dns_cache_flush(dns_cache_t *cache) {
-	dns_db_t *db = NULL;
-	isc_result_t result;
-
-	result = cache_create_db(cache, &db);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	LOCK(&cache->lock);
-	LOCK(&cache->cleaner.lock);
-	if (cache->cleaner.state == cleaner_s_idle) {
-		if (cache->cleaner.iterator != NULL)
-			dns_dbiterator_destroy(&cache->cleaner.iterator);
-		(void) dns_db_createiterator(db, ISC_FALSE,
-					     &cache->cleaner.iterator);
-	} else {
-		if (cache->cleaner.state == cleaner_s_busy)
-			cache->cleaner.state = cleaner_s_done;
-		cache->cleaner.replaceiterator = ISC_TRUE;
-	}
-	dns_db_detach(&cache->db);
-	cache->db = db;
-	UNLOCK(&cache->cleaner.lock);
-	UNLOCK(&cache->lock);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-clearnode(dns_db_t *db, dns_dbnode_t *node) {
-	isc_result_t result;
-	dns_rdatasetiter_t *iter = NULL;
-
-	result = dns_db_allrdatasets(db, node, NULL, (isc_stdtime_t)0, &iter);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	for (result = dns_rdatasetiter_first(iter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(iter))
-	{
-		dns_rdataset_t rdataset;
-		dns_rdataset_init(&rdataset);
-
-		dns_rdatasetiter_current(iter, &rdataset);
-		result = dns_db_deleterdataset(db, node, NULL,
-					       rdataset.type, rdataset.covers);
-		dns_rdataset_disassociate(&rdataset);
-		if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
-			break;
-	}
-
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	dns_rdatasetiter_destroy(&iter);
-	return (result);
-}
-
-static isc_result_t
-cleartree(dns_db_t *db, dns_name_t *name) {
-	isc_result_t result, answer = ISC_R_SUCCESS;
-	dns_dbiterator_t *iter = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_fixedname_t fnodename;
-	dns_name_t *nodename;
-
-	dns_fixedname_init(&fnodename);
-	nodename = dns_fixedname_name(&fnodename);
-
-	result = dns_db_createiterator(db, 0, &iter);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_dbiterator_seek(iter, name);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	while (result == ISC_R_SUCCESS) {
-		result = dns_dbiterator_current(iter, &node, nodename);
-		if (result == DNS_R_NEWORIGIN)
-			result = ISC_R_SUCCESS;
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		/*
-		 * Are we done?
-		 */
-		if (! dns_name_issubdomain(nodename, name))
-			goto cleanup;
-
-		/*
-		 * If clearnode fails record and move onto the next node.
-		 */
-		result = clearnode(db, node);
-		if (result != ISC_R_SUCCESS && answer == ISC_R_SUCCESS)
-			answer = result;
-		dns_db_detachnode(db, &node);
-		result = dns_dbiterator_next(iter);
-	}
-
- cleanup:
-	if (result == ISC_R_NOMORE || result == ISC_R_NOTFOUND)
-		result = ISC_R_SUCCESS;
-	if (result != ISC_R_SUCCESS && answer == ISC_R_SUCCESS)
-		answer = result;
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (iter != NULL)
-		dns_dbiterator_destroy(&iter);
-
-	return (answer);
-}
-
-isc_result_t
-dns_cache_flushname(dns_cache_t *cache, dns_name_t *name) {
-	return (dns_cache_flushnode(cache, name, ISC_FALSE));
-}
-
-isc_result_t
-dns_cache_flushnode(dns_cache_t *cache, dns_name_t *name,
-		    isc_boolean_t tree)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_db_t *db = NULL;
-
-	if (dns_name_equal(name, dns_rootname))
-		return (dns_cache_flush(cache));
-
-	LOCK(&cache->lock);
-	if (cache->db != NULL)
-		dns_db_attach(cache->db, &db);
-	UNLOCK(&cache->lock);
-	if (db == NULL)
-		return (ISC_R_SUCCESS);
-
-	if (tree) {
-		result = cleartree(cache->db, name);
-	} else {
-		result = dns_db_findnode(cache->db, name, ISC_FALSE, &node);
-		if (result == ISC_R_NOTFOUND) {
-			result = ISC_R_SUCCESS;
-			goto cleanup_db;
-		}
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_db;
-		result = clearnode(cache->db, node);
-		dns_db_detachnode(cache->db, &node);
-	}
-
- cleanup_db:
-	dns_db_detach(&db);
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/callbacks.c b/contrib/bind9/lib/dns/callbacks.c
deleted file mode 100644
index 0ef17ab..0000000
--- a/contrib/bind9/lib/dns/callbacks.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: callbacks.c,v 1.19 2011/12/09 23:47:05 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/log.h>
-
-static void
-stdio_error_warn_callback(dns_rdatacallbacks_t *, const char *, ...)
-     ISC_FORMAT_PRINTF(2, 3);
-
-static void
-isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(2, 3);
-
-static void
-isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(2, 3);
-
-/*
- * Private
- */
-
-static void
-stdio_error_warn_callback(dns_rdatacallbacks_t *callbacks,
-			  const char *fmt, ...)
-{
-	va_list ap;
-
-	UNUSED(callbacks);
-
-	va_start(ap, fmt);
-	vfprintf(stderr, fmt, ap);
-	va_end(ap);
-	fprintf(stderr, "\n");
-}
-
-static void
-isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
-	va_list ap;
-
-	UNUSED(callbacks);
-
-	va_start(ap, fmt);
-	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-		       DNS_LOGMODULE_MASTER, /* XXX */
-		       ISC_LOG_ERROR, fmt, ap);
-	va_end(ap);
-}
-
-static void
-isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
-	va_list ap;
-
-	UNUSED(callbacks);
-
-	va_start(ap, fmt);
-
-	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-		       DNS_LOGMODULE_MASTER, /* XXX */
-		       ISC_LOG_WARNING, fmt, ap);
-	va_end(ap);
-}
-
-static void
-dns_rdatacallbacks_initcommon(dns_rdatacallbacks_t *callbacks) {
-	REQUIRE(callbacks != NULL);
-
-	callbacks->add = NULL;
-	callbacks->rawdata = NULL;
-	callbacks->zone = NULL;
-	callbacks->add_private = NULL;
-	callbacks->error_private = NULL;
-	callbacks->warn_private = NULL;
-}
-
-/*
- * Public.
- */
-
-void
-dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks) {
-	dns_rdatacallbacks_initcommon(callbacks);
-	callbacks->error = isclog_error_callback;
-	callbacks->warn = isclog_warn_callback;
-}
-
-void
-dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks) {
-	dns_rdatacallbacks_initcommon(callbacks);
-	callbacks->error = stdio_error_warn_callback;
-	callbacks->warn = stdio_error_warn_callback;
-}
-
diff --git a/contrib/bind9/lib/dns/client.c b/contrib/bind9/lib/dns/client.c
deleted file mode 100644
index fc551cf..0000000
--- a/contrib/bind9/lib/dns/client.c
+++ /dev/null
@@ -1,3043 +0,0 @@
-/*
- * Copyright (C) 2009-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: client.c,v 1.14 2011/03/12 04:59:47 tbox Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/app.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/client.h>
-#include <dns/db.h>
-#include <dns/dispatch.h>
-#include <dns/events.h>
-#include <dns/forward.h>
-#include <dns/keytable.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatatype.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/request.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/tsec.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-
-#include <dst/dst.h>
-
-#define DNS_CLIENT_MAGIC		ISC_MAGIC('D', 'N', 'S', 'c')
-#define DNS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, DNS_CLIENT_MAGIC)
-
-#define RCTX_MAGIC			ISC_MAGIC('R', 'c', 't', 'x')
-#define RCTX_VALID(c)			ISC_MAGIC_VALID(c, RCTX_MAGIC)
-
-#define REQCTX_MAGIC			ISC_MAGIC('R', 'q', 'c', 'x')
-#define REQCTX_VALID(c)			ISC_MAGIC_VALID(c, REQCTX_MAGIC)
-
-#define UCTX_MAGIC			ISC_MAGIC('U', 'c', 't', 'x')
-#define UCTX_VALID(c)			ISC_MAGIC_VALID(c, UCTX_MAGIC)
-
-#define MAX_RESTARTS 16
-
-/*%
- * DNS client object
- */
-struct dns_client {
-	/* Unlocked */
-	unsigned int			magic;
-	unsigned int			attributes;
-	isc_mutex_t			lock;
-	isc_mem_t			*mctx;
-	isc_appctx_t			*actx;
-	isc_taskmgr_t			*taskmgr;
-	isc_task_t			*task;
-	isc_socketmgr_t			*socketmgr;
-	isc_timermgr_t			*timermgr;
-	dns_dispatchmgr_t		*dispatchmgr;
-	dns_dispatch_t			*dispatchv4;
-	dns_dispatch_t			*dispatchv6;
-
-	unsigned int			update_timeout;
-	unsigned int			update_udptimeout;
-	unsigned int			update_udpretries;
-	unsigned int			find_timeout;
-	unsigned int			find_udpretries;
-
-	/* Locked */
-	unsigned int			references;
-	dns_viewlist_t			viewlist;
-	ISC_LIST(struct resctx)		resctxs;
-	ISC_LIST(struct reqctx)		reqctxs;
-	ISC_LIST(struct updatectx)	updatectxs;
-};
-
-/*%
- * Timeout/retry constants for dynamic update borrowed from nsupdate
- */
-#define DEF_UPDATE_TIMEOUT	300
-#define MIN_UPDATE_TIMEOUT	30
-#define DEF_UPDATE_UDPTIMEOUT	3
-#define DEF_UPDATE_UDPRETRIES	3
-
-#define DEF_FIND_TIMEOUT	5
-#define DEF_FIND_UDPRETRIES	3
-
-#define DNS_CLIENTATTR_OWNCTX			0x01
-
-#define DNS_CLIENTVIEW_NAME			"dnsclient"
-
-/*%
- * Internal state for a single name resolution procedure
- */
-typedef struct resctx {
-	/* Unlocked */
-	unsigned int		magic;
-	isc_mutex_t		lock;
-	dns_client_t		*client;
-	isc_boolean_t		want_dnssec;
-
-	/* Locked */
-	ISC_LINK(struct resctx)	link;
-	isc_task_t		*task;
-	dns_view_t		*view;
-	unsigned int		restarts;
-	dns_fixedname_t		name;
-	dns_rdatatype_t		type;
-	dns_fetch_t		*fetch;
-	dns_namelist_t		namelist;
-	isc_result_t		result;
-	dns_clientresevent_t	*event;
-	isc_boolean_t		canceled;
-	dns_rdataset_t		*rdataset;
-	dns_rdataset_t		*sigrdataset;
-} resctx_t;
-
-/*%
- * Argument of an internal event for synchronous name resolution.
- */
-typedef struct resarg {
-	/* Unlocked */
-	isc_appctx_t		*actx;
-	dns_client_t		*client;
-	isc_mutex_t		lock;
-
-	/* Locked */
-	isc_result_t		result;
-	isc_result_t		vresult;
-	dns_namelist_t		*namelist;
-	dns_clientrestrans_t	*trans;
-	isc_boolean_t		canceled;
-} resarg_t;
-
-/*%
- * Internal state for a single DNS request
- */
-typedef struct reqctx {
-	/* Unlocked */
-	unsigned int		magic;
-	isc_mutex_t		lock;
-	dns_client_t		*client;
-	unsigned int		parseoptions;
-
-	/* Locked */
-	ISC_LINK(struct reqctx)	link;
-	isc_boolean_t		canceled;
-	dns_tsigkey_t		*tsigkey;
-	dns_request_t		*request;
-	dns_clientreqevent_t	*event;
-} reqctx_t;
-
-/*%
- * Argument of an internal event for synchronous DNS request.
- */
-typedef struct reqarg {
-	/* Unlocked */
-	isc_appctx_t		*actx;
-	dns_client_t		*client;
-	isc_mutex_t		lock;
-
-	/* Locked */
-	isc_result_t		result;
-	dns_clientreqtrans_t	*trans;
-	isc_boolean_t		canceled;
-} reqarg_t;
-
-/*%
- * Argument of an internal event for synchronous name resolution.
- */
-typedef struct updatearg {
-	/* Unlocked */
-	isc_appctx_t		*actx;
-	dns_client_t		*client;
-	isc_mutex_t		lock;
-
-	/* Locked */
-	isc_result_t		result;
-	dns_clientupdatetrans_t	*trans;
-	isc_boolean_t		canceled;
-} updatearg_t;
-
-/*%
- * Internal state for a single dynamic update procedure
- */
-typedef struct updatectx {
-	/* Unlocked */
-	unsigned int			magic;
-	isc_mutex_t			lock;
-	dns_client_t			*client;
-
-	/* Locked */
-	dns_request_t			*updatereq;
-	dns_request_t			*soareq;
-	dns_clientrestrans_t		*restrans;
-	dns_clientrestrans_t		*restrans2;
-	isc_boolean_t			canceled;
-
-	/* Task Locked */
-	ISC_LINK(struct updatectx) 	link;
-	dns_clientupdatestate_t		state;
-	dns_rdataclass_t		rdclass;
-	dns_view_t			*view;
-	dns_message_t			*updatemsg;
-	dns_message_t			*soaquery;
-	dns_clientupdateevent_t		*event;
-	dns_tsigkey_t			*tsigkey;
-	dst_key_t			*sig0key;
-	dns_name_t			*firstname;
-	dns_name_t			soaqname;
-	dns_fixedname_t			zonefname;
-	dns_name_t			*zonename;
-	isc_sockaddrlist_t		servers;
-	unsigned int			nservers;
-	isc_sockaddr_t			*currentserver;
-	struct updatectx		*bp4;
-	struct updatectx		*bp6;
-} updatectx_t;
-
-static isc_result_t request_soa(updatectx_t *uctx);
-static void client_resfind(resctx_t *rctx, dns_fetchevent_t *event);
-static isc_result_t send_update(updatectx_t *uctx);
-
-static isc_result_t
-getudpdispatch(int family, dns_dispatchmgr_t *dispatchmgr,
-	       isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
-	       isc_boolean_t is_shared, dns_dispatch_t **dispp)
-{
-	unsigned int attrs, attrmask;
-	isc_sockaddr_t sa;
-	dns_dispatch_t *disp;
-	unsigned buffersize, maxbuffers, maxrequests, buckets, increment;
-	isc_result_t result;
-
-	attrs = 0;
-	attrs |= DNS_DISPATCHATTR_UDP;
-	switch (family) {
-	case AF_INET:
-		attrs |= DNS_DISPATCHATTR_IPV4;
-		break;
-	case AF_INET6:
-		attrs |= DNS_DISPATCHATTR_IPV6;
-		break;
-	default:
-		INSIST(0);
-	}
-	attrmask = 0;
-	attrmask |= DNS_DISPATCHATTR_UDP;
-	attrmask |= DNS_DISPATCHATTR_TCP;
-	attrmask |= DNS_DISPATCHATTR_IPV4;
-	attrmask |= DNS_DISPATCHATTR_IPV6;
-
-	isc_sockaddr_anyofpf(&sa, family);
-
-	buffersize = 4096;
-	maxbuffers = is_shared ? 1000 : 8;
-	maxrequests = 32768;
-	buckets = is_shared ? 16411 : 3;
-	increment = is_shared ? 16433 : 5;
-
-	disp = NULL;
-	result = dns_dispatch_getudp(dispatchmgr, socketmgr,
-				     taskmgr, &sa,
-				     buffersize, maxbuffers, maxrequests,
-				     buckets, increment,
-				     attrs, attrmask, &disp);
-	if (result == ISC_R_SUCCESS)
-		*dispp = disp;
-
-	return (result);
-}
-
-static isc_result_t
-dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-		      unsigned int options, isc_taskmgr_t *taskmgr,
-		      unsigned int ntasks, isc_socketmgr_t *socketmgr,
-		      isc_timermgr_t *timermgr, dns_dispatchmgr_t *dispatchmgr,
-		      dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
-		      dns_view_t **viewp)
-{
-	isc_result_t result;
-	dns_view_t *view = NULL;
-	const char *dbtype;
-
-	result = dns_view_create(mctx, rdclass, DNS_CLIENTVIEW_NAME, &view);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/* Initialize view security roots */
-	result = dns_view_initsecroots(view, mctx);
-	if (result != ISC_R_SUCCESS) {
-		dns_view_detach(&view);
-		return (result);
-	}
-
-	result = dns_view_createresolver(view, taskmgr, ntasks, 1, socketmgr,
-					 timermgr, 0, dispatchmgr,
-					 dispatchv4, dispatchv6);
-	if (result != ISC_R_SUCCESS) {
-		dns_view_detach(&view);
-		return (result);
-	}
-
-	/*
-	 * Set cache DB.
-	 * XXX: it may be better if specific DB implementations can be
-	 * specified via some configuration knob.
-	 */
-	if ((options & DNS_CLIENTCREATEOPT_USECACHE) != 0)
-		dbtype = "rbt";
-	else
-		dbtype = "ecdb";
-	result = dns_db_create(mctx, dbtype, dns_rootname, dns_dbtype_cache,
-			       rdclass, 0, NULL, &view->cachedb);
-	if (result != ISC_R_SUCCESS) {
-		dns_view_detach(&view);
-		return (result);
-	}
-
-	*viewp = view;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_client_create(dns_client_t **clientp, unsigned int options) {
-	isc_result_t result;
-	isc_mem_t *mctx = NULL;
-	isc_appctx_t *actx = NULL;
-	isc_taskmgr_t *taskmgr = NULL;
-	isc_socketmgr_t *socketmgr = NULL;
-	isc_timermgr_t *timermgr = NULL;
-#if 0
-	/* XXXMPA add debug logging support */
-	isc_log_t *lctx = NULL;
-	isc_logconfig_t *logconfig = NULL;
-	unsigned int logdebuglevel = 0;
-#endif
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = isc_appctx_create(mctx, &actx);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = isc_app_ctxstart(actx);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = isc_socketmgr_createinctx(mctx, actx, &socketmgr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = isc_timermgr_createinctx(mctx, actx, &timermgr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-#if 0
-	result = isc_log_create(mctx, &lctx, &logconfig);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	isc_log_setcontext(lctx);
-	dns_log_init(lctx);
-	dns_log_setcontext(lctx);
-	result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	isc_log_setdebuglevel(lctx, logdebuglevel);
-#endif
-	result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
-				    options, clientp);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	(*clientp)->attributes |= DNS_CLIENTATTR_OWNCTX;
-
-	/* client has its own reference to mctx, so we can detach it here */
-	isc_mem_detach(&mctx);
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (taskmgr != NULL)
-		isc_taskmgr_destroy(&taskmgr);
-	if (timermgr != NULL)
-		isc_timermgr_destroy(&timermgr);
-	if (socketmgr != NULL)
-		isc_socketmgr_destroy(&socketmgr);
-	if (actx != NULL)
-		isc_appctx_destroy(&actx);
-	isc_mem_detach(&mctx);
-
-	return (result);
-}
-
-isc_result_t
-dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
-		   isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
-		   unsigned int options, dns_client_t **clientp)
-{
-	dns_client_t *client;
-	isc_result_t result;
-	dns_dispatchmgr_t *dispatchmgr = NULL;
-	dns_dispatch_t *dispatchv4 = NULL;
-	dns_dispatch_t *dispatchv6 = NULL;
-	dns_view_t *view = NULL;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(taskmgr != NULL);
-	REQUIRE(timermgr != NULL);
-	REQUIRE(socketmgr != NULL);
-	REQUIRE(clientp != NULL && *clientp == NULL);
-
-	client = isc_mem_get(mctx, sizeof(*client));
-	if (client == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&client->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, client, sizeof(*client));
-		return (result);
-	}
-
-	client->actx = actx;
-	client->taskmgr = taskmgr;
-	client->socketmgr = socketmgr;
-	client->timermgr = timermgr;
-
-	client->task = NULL;
-	result = isc_task_create(client->taskmgr, 0, &client->task);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	client->dispatchmgr = dispatchmgr;
-
-	/* TODO: whether to use dispatch v4 or v6 should be configurable */
-	client->dispatchv4 = NULL;
-	client->dispatchv6 = NULL;
-	result = getudpdispatch(AF_INET, dispatchmgr, socketmgr,
-				taskmgr, ISC_TRUE, &dispatchv4);
-	if (result == ISC_R_SUCCESS)
-		client->dispatchv4 = dispatchv4;
-	result = getudpdispatch(AF_INET6, dispatchmgr, socketmgr,
-				taskmgr, ISC_TRUE, &dispatchv6);
-	if (result == ISC_R_SUCCESS)
-		client->dispatchv6 = dispatchv6;
-
-	/* We need at least one of the dispatchers */
-	if (dispatchv4 == NULL && dispatchv6 == NULL) {
-		INSIST(result != ISC_R_SUCCESS);
-		goto cleanup;
-	}
-
-	/* Create the default view for class IN */
-	result = dns_client_createview(mctx, dns_rdataclass_in, options,
-				       taskmgr, 31, socketmgr, timermgr,
-				       dispatchmgr, dispatchv4, dispatchv6,
-				       &view);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	ISC_LIST_INIT(client->viewlist);
-	ISC_LIST_APPEND(client->viewlist, view, link);
-
-	dns_view_freeze(view); /* too early? */
-
-	ISC_LIST_INIT(client->resctxs);
-	ISC_LIST_INIT(client->reqctxs);
-	ISC_LIST_INIT(client->updatectxs);
-
-	client->mctx = NULL;
-	isc_mem_attach(mctx, &client->mctx);
-
-	client->update_timeout = DEF_UPDATE_TIMEOUT;
-	client->update_udptimeout = DEF_UPDATE_UDPTIMEOUT;
-	client->update_udpretries = DEF_UPDATE_UDPRETRIES;
-	client->find_timeout = DEF_FIND_TIMEOUT;
-	client->find_udpretries = DEF_FIND_UDPRETRIES;
-	client->attributes = 0;
-
-	client->references = 1;
-	client->magic = DNS_CLIENT_MAGIC;
-
-	*clientp = client;
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (dispatchv4 != NULL)
-		dns_dispatch_detach(&dispatchv4);
-	if (dispatchv6 != NULL)
-		dns_dispatch_detach(&dispatchv6);
-	if (dispatchmgr != NULL)
-		dns_dispatchmgr_destroy(&dispatchmgr);
-	if (client->task != NULL)
-		isc_task_detach(&client->task);
-	isc_mem_put(mctx, client, sizeof(*client));
-
-	return (result);
-}
-
-static void
-destroyclient(dns_client_t **clientp) {
-	dns_client_t *client = *clientp;
-	dns_view_t *view;
-
-	while ((view = ISC_LIST_HEAD(client->viewlist)) != NULL) {
-		ISC_LIST_UNLINK(client->viewlist, view, link);
-		dns_view_detach(&view);
-	}
-
-	if (client->dispatchv4 != NULL)
-		dns_dispatch_detach(&client->dispatchv4);
-	if (client->dispatchv6 != NULL)
-		dns_dispatch_detach(&client->dispatchv6);
-
-	dns_dispatchmgr_destroy(&client->dispatchmgr);
-
-	isc_task_detach(&client->task);
-
-	/*
-	 * If the client has created its own running environments,
-	 * destroy them.
-	 */
-	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) != 0) {
-		isc_taskmgr_destroy(&client->taskmgr);
-		isc_timermgr_destroy(&client->timermgr);
-		isc_socketmgr_destroy(&client->socketmgr);
-
-		isc_app_ctxfinish(client->actx);
-		isc_appctx_destroy(&client->actx);
-	}
-
-	DESTROYLOCK(&client->lock);
-	client->magic = 0;
-
-	isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
-
-	*clientp = NULL;
-}
-
-void
-dns_client_destroy(dns_client_t **clientp) {
-	dns_client_t *client;
-	isc_boolean_t destroyok = ISC_FALSE;
-
-	REQUIRE(clientp != NULL);
-	client = *clientp;
-	REQUIRE(DNS_CLIENT_VALID(client));
-
-	LOCK(&client->lock);
-	client->references--;
-	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
-	    ISC_LIST_EMPTY(client->reqctxs) &&
-	    ISC_LIST_EMPTY(client->updatectxs)) {
-		destroyok = ISC_TRUE;
-	}
-	UNLOCK(&client->lock);
-
-	if (destroyok)
-		destroyclient(&client);
-
-	*clientp = NULL;
-}
-
-isc_result_t
-dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
-		      dns_name_t *namespace, isc_sockaddrlist_t *addrs)
-{
-	isc_result_t result;
-	dns_view_t *view = NULL;
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-	REQUIRE(addrs != NULL);
-
-	if (namespace == NULL)
-		namespace = dns_rootname;
-
-	LOCK(&client->lock);
-	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
-				   rdclass, &view);
-	if (result != ISC_R_SUCCESS) {
-		UNLOCK(&client->lock);
-		return (result);
-	}
-	UNLOCK(&client->lock);
-
-	result = dns_fwdtable_add(view->fwdtable, namespace, addrs,
-				  dns_fwdpolicy_only);
-
-	dns_view_detach(&view);
-
-	return (result);
-}
-
-isc_result_t
-dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
-			dns_name_t *namespace)
-{
-	isc_result_t result;
-	dns_view_t *view = NULL;
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-
-	if (namespace == NULL)
-		namespace = dns_rootname;
-
-	LOCK(&client->lock);
-	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
-				   rdclass, &view);
-	if (result != ISC_R_SUCCESS) {
-		UNLOCK(&client->lock);
-		return (result);
-	}
-	UNLOCK(&client->lock);
-
-	result = dns_fwdtable_delete(view->fwdtable, namespace);
-
-	dns_view_detach(&view);
-
-	return (result);
-}
-
-static isc_result_t
-getrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
-	dns_rdataset_t *rdataset;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(rdatasetp != NULL && *rdatasetp == NULL);
-
-	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
-	if (rdataset == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dns_rdataset_init(rdataset);
-
-	*rdatasetp = rdataset;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-putrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
-	dns_rdataset_t *rdataset;
-
-	REQUIRE(rdatasetp != NULL);
-	rdataset = *rdatasetp;
-	REQUIRE(rdataset != NULL);
-
-	if (dns_rdataset_isassociated(rdataset))
-		dns_rdataset_disassociate(rdataset);
-
-	isc_mem_put(mctx, rdataset, sizeof(*rdataset));
-
-	*rdatasetp = NULL;
-}
-
-static void
-fetch_done(isc_task_t *task, isc_event_t *event) {
-	resctx_t *rctx = event->ev_arg;
-	dns_fetchevent_t *fevent;
-
-	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
-	REQUIRE(RCTX_VALID(rctx));
-	REQUIRE(rctx->task == task);
-	fevent = (dns_fetchevent_t *)event;
-
-	client_resfind(rctx, fevent);
-}
-
-static inline isc_result_t
-start_fetch(resctx_t *rctx) {
-	isc_result_t result;
-
-	/*
-	 * The caller must be holding the rctx's lock.
-	 */
-
-	REQUIRE(rctx->fetch == NULL);
-
-	result = dns_resolver_createfetch(rctx->view->resolver,
-					  dns_fixedname_name(&rctx->name),
-					  rctx->type,
-					  NULL, NULL, NULL, 0,
-					  rctx->task, fetch_done, rctx,
-					  rctx->rdataset,
-					  rctx->sigrdataset,
-					  &rctx->fetch);
-
-	return (result);
-}
-
-static isc_result_t
-view_find(resctx_t *rctx, dns_db_t **dbp, dns_dbnode_t **nodep,
-	  dns_name_t *foundname)
-{
-	isc_result_t result;
-	dns_name_t *name = dns_fixedname_name(&rctx->name);
-	dns_rdatatype_t type;
-
-	if (rctx->type == dns_rdatatype_rrsig)
-		type = dns_rdatatype_any;
-	else
-		type = rctx->type;
-
-	result = dns_view_find(rctx->view, name, type, 0, 0, ISC_FALSE,
-			       dbp, nodep, foundname, rctx->rdataset,
-			       rctx->sigrdataset);
-
-	return (result);
-}
-
-static void
-client_resfind(resctx_t *rctx, dns_fetchevent_t *event) {
-	isc_mem_t *mctx;
-	isc_result_t tresult, result = ISC_R_SUCCESS;
-	isc_result_t vresult = ISC_R_SUCCESS;
-	isc_boolean_t want_restart;
-	isc_boolean_t send_event = ISC_FALSE;
-	dns_name_t *name, *prefix;
-	dns_fixedname_t foundname, fixed;
-	dns_rdataset_t *trdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned int nlabels;
-	int order;
-	dns_namereln_t namereln;
-	dns_rdata_cname_t cname;
-	dns_rdata_dname_t dname;
-
-	REQUIRE(RCTX_VALID(rctx));
-
-	LOCK(&rctx->lock);
-
-	mctx = rctx->view->mctx;
-
-	name = dns_fixedname_name(&rctx->name);
-
-	do {
-		dns_name_t *fname = NULL;
-		dns_name_t *ansname = NULL;
-		dns_db_t *db = NULL;
-		dns_dbnode_t *node = NULL;
-
-		rctx->restarts++;
-		want_restart = ISC_FALSE;
-
-		if (event == NULL && !rctx->canceled) {
-			dns_fixedname_init(&foundname);
-			fname = dns_fixedname_name(&foundname);
-			INSIST(!dns_rdataset_isassociated(rctx->rdataset));
-			INSIST(rctx->sigrdataset == NULL ||
-			       !dns_rdataset_isassociated(rctx->sigrdataset));
-			result = view_find(rctx, &db, &node, fname);
-			if (result == ISC_R_NOTFOUND) {
-				/*
-				 * We don't know anything about the name.
-				 * Launch a fetch.
-				 */
-				if (node != NULL) {
-					INSIST(db != NULL);
-					dns_db_detachnode(db, &node);
-				}
-				if (db != NULL)
-					dns_db_detach(&db);
-				result = start_fetch(rctx);
-				if (result != ISC_R_SUCCESS) {
-					putrdataset(mctx, &rctx->rdataset);
-					if (rctx->sigrdataset != NULL)
-						putrdataset(mctx,
-							    &rctx->sigrdataset);
-					send_event = ISC_TRUE;
-				}
-				goto done;
-			}
-		} else {
-			INSIST(event != NULL);
-			INSIST(event->fetch == rctx->fetch);
-			dns_resolver_destroyfetch(&rctx->fetch);
-			db = event->db;
-			node = event->node;
-			result = event->result;
-			vresult = event->vresult;
-			fname = dns_fixedname_name(&event->foundname);
-			INSIST(event->rdataset == rctx->rdataset);
-			INSIST(event->sigrdataset == rctx->sigrdataset);
-		}
-
-		/*
-		 * If we've been canceled, forget about the result.
-		 */
-		if (rctx->canceled)
-			result = ISC_R_CANCELED;
-		else {
-			/*
-			 * Otherwise, get some resource for copying the
-			 * result.
-			 */
-			ansname = isc_mem_get(mctx, sizeof(*ansname));
-			if (ansname == NULL)
-				tresult = ISC_R_NOMEMORY;
-			else {
-				dns_name_t *aname;
-
-				aname = dns_fixedname_name(&rctx->name);
-				dns_name_init(ansname, NULL);
-				tresult = dns_name_dup(aname, mctx, ansname);
-				if (tresult != ISC_R_SUCCESS)
-					isc_mem_put(mctx, ansname,
-						    sizeof(*ansname));
-			}
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-		}
-
-		switch (result) {
-		case ISC_R_SUCCESS:
-			send_event = ISC_TRUE;
-			/*
-			 * This case is handled in the main line below.
-			 */
-			break;
-		case DNS_R_CNAME:
-			/*
-			 * Add the CNAME to the answer list.
-			 */
-			trdataset = rctx->rdataset;
-			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
-			rctx->rdataset = NULL;
-			if (rctx->sigrdataset != NULL) {
-				ISC_LIST_APPEND(ansname->list,
-						rctx->sigrdataset, link);
-				rctx->sigrdataset = NULL;
-			}
-			ISC_LIST_APPEND(rctx->namelist, ansname, link);
-			ansname = NULL;
-
-			/*
-			 * Copy the CNAME's target into the lookup's
-			 * query name and start over.
-			 */
-			tresult = dns_rdataset_first(trdataset);
-			if (tresult != ISC_R_SUCCESS)
-				goto done;
-			dns_rdataset_current(trdataset, &rdata);
-			tresult = dns_rdata_tostruct(&rdata, &cname, NULL);
-			dns_rdata_reset(&rdata);
-			if (tresult != ISC_R_SUCCESS)
-				goto done;
-			tresult = dns_name_copy(&cname.cname, name, NULL);
-			dns_rdata_freestruct(&cname);
-			if (tresult == ISC_R_SUCCESS)
-				want_restart = ISC_TRUE;
-			else
-				result = tresult;
-			goto done;
-		case DNS_R_DNAME:
-			/*
-			 * Add the DNAME to the answer list.
-			 */
-			trdataset = rctx->rdataset;
-			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
-			rctx->rdataset = NULL;
-			if (rctx->sigrdataset != NULL) {
-				ISC_LIST_APPEND(ansname->list,
-						rctx->sigrdataset, link);
-				rctx->sigrdataset = NULL;
-			}
-			ISC_LIST_APPEND(rctx->namelist, ansname, link);
-			ansname = NULL;
-
-			namereln = dns_name_fullcompare(name, fname, &order,
-							&nlabels);
-			INSIST(namereln == dns_namereln_subdomain);
-			/*
-			 * Get the target name of the DNAME.
-			 */
-			tresult = dns_rdataset_first(trdataset);
-			if (tresult != ISC_R_SUCCESS) {
-				result = tresult;
-				goto done;
-			}
-			dns_rdataset_current(trdataset, &rdata);
-			tresult = dns_rdata_tostruct(&rdata, &dname, NULL);
-			dns_rdata_reset(&rdata);
-			if (tresult != ISC_R_SUCCESS) {
-				result = tresult;
-				goto done;
-			}
-			/*
-			 * Construct the new query name and start over.
-			 */
-			dns_fixedname_init(&fixed);
-			prefix = dns_fixedname_name(&fixed);
-			dns_name_split(name, nlabels, prefix, NULL);
-			tresult = dns_name_concatenate(prefix, &dname.dname,
-						      name, NULL);
-			dns_rdata_freestruct(&dname);
-			if (tresult == ISC_R_SUCCESS)
-				want_restart = ISC_TRUE;
-			else
-				result = tresult;
-			goto done;
-		case DNS_R_NCACHENXDOMAIN:
-		case DNS_R_NCACHENXRRSET:
-			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
-			ISC_LIST_APPEND(rctx->namelist, ansname, link);
-			ansname = NULL;
-			rctx->rdataset = NULL;
-			/* What about sigrdataset? */
-			if (rctx->sigrdataset != NULL)
-				putrdataset(mctx, &rctx->sigrdataset);
-			send_event = ISC_TRUE;
-			goto done;
-		default:
-			if (rctx->rdataset != NULL)
-				putrdataset(mctx, &rctx->rdataset);
-			if (rctx->sigrdataset != NULL)
-				putrdataset(mctx, &rctx->sigrdataset);
-			send_event = ISC_TRUE;
-			goto done;
-		}
-
-		if (rctx->type == dns_rdatatype_any) {
-			int n = 0;
-			dns_rdatasetiter_t *rdsiter = NULL;
-
-			tresult = dns_db_allrdatasets(db, node, NULL, 0,
-						      &rdsiter);
-			if (tresult != ISC_R_SUCCESS) {
-				result = tresult;
-				goto done;
-			}
-
-			tresult = dns_rdatasetiter_first(rdsiter);
-			while (tresult == ISC_R_SUCCESS) {
-				dns_rdatasetiter_current(rdsiter,
-							 rctx->rdataset);
-				if (rctx->rdataset->type != 0) {
-					ISC_LIST_APPEND(ansname->list,
-							rctx->rdataset,
-							link);
-					n++;
-					rctx->rdataset = NULL;
-				} else {
-					/*
-					 * We're not interested in this
-					 * rdataset.
-					 */
-					dns_rdataset_disassociate(
-						rctx->rdataset);
-				}
-				tresult = dns_rdatasetiter_next(rdsiter);
-
-				if (tresult == ISC_R_SUCCESS &&
-				    rctx->rdataset == NULL) {
-					tresult = getrdataset(mctx,
-							      &rctx->rdataset);
-					if (tresult != ISC_R_SUCCESS) {
-						result = tresult;
-						POST(result);
-						break;
-					}
-				}
-			}
-			if (n == 0) {
-				/*
-				 * We didn't match any rdatasets (which means
-				 * something went wrong in this
-				 * implementation).
-				 */
-				result = DNS_R_SERVFAIL; /* better code? */
-				POST(result);
-			} else {
-				ISC_LIST_APPEND(rctx->namelist, ansname, link);
-				ansname = NULL;
-			}
-			dns_rdatasetiter_destroy(&rdsiter);
-			if (tresult != ISC_R_NOMORE)
-				result = DNS_R_SERVFAIL; /* ditto */
-			else
-				result = ISC_R_SUCCESS;
-			goto done;
-		} else {
-			/*
-			 * This is the "normal" case -- an ordinary question
-			 * to which we've got the answer.
-			 */
-			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
-			rctx->rdataset = NULL;
-			if (rctx->sigrdataset != NULL) {
-				ISC_LIST_APPEND(ansname->list,
-						rctx->sigrdataset, link);
-				rctx->sigrdataset = NULL;
-			}
-			ISC_LIST_APPEND(rctx->namelist, ansname, link);
-			ansname = NULL;
-		}
-
-	done:
-		/*
-		 * Free temporary resources
-		 */
-		if (ansname != NULL) {
-			dns_rdataset_t *rdataset;
-
-			while ((rdataset = ISC_LIST_HEAD(ansname->list))
-			       != NULL) {
-				ISC_LIST_UNLINK(ansname->list, rdataset, link);
-				putrdataset(mctx, &rdataset);
-			}
-			dns_name_free(ansname, mctx);
-			isc_mem_put(mctx, ansname, sizeof(*ansname));
-		}
-
-		if (node != NULL)
-			dns_db_detachnode(db, &node);
-		if (db != NULL)
-			dns_db_detach(&db);
-		if (event != NULL)
-			isc_event_free(ISC_EVENT_PTR(&event));
-
-		/*
-		 * Limit the number of restarts.
-		 */
-		if (want_restart && rctx->restarts == MAX_RESTARTS) {
-			want_restart = ISC_FALSE;
-			result = ISC_R_QUOTA;
-			send_event = ISC_TRUE;
-		}
-
-		/*
-		 * Prepare further find with new resources
-		 */
-		if (want_restart) {
-			INSIST(rctx->rdataset == NULL &&
-			       rctx->sigrdataset == NULL);
-
-			result = getrdataset(mctx, &rctx->rdataset);
-			if (result == ISC_R_SUCCESS && rctx->want_dnssec) {
-				result = getrdataset(mctx, &rctx->sigrdataset);
-				if (result != ISC_R_SUCCESS) {
-					putrdataset(mctx, &rctx->rdataset);
-				}
-			}
-
-			if (result != ISC_R_SUCCESS) {
-				want_restart = ISC_FALSE;
-				send_event = ISC_TRUE;
-			}
-		}
-	} while (want_restart);
-
-	if (send_event) {
-		isc_task_t *task;
-
-		while ((name = ISC_LIST_HEAD(rctx->namelist)) != NULL) {
-			ISC_LIST_UNLINK(rctx->namelist, name, link);
-			ISC_LIST_APPEND(rctx->event->answerlist, name, link);
-		}
-
-		rctx->event->result = result;
-		rctx->event->vresult = vresult;
-		task = rctx->event->ev_sender;
-		rctx->event->ev_sender = rctx;
-		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&rctx->event));
-	}
-
-	UNLOCK(&rctx->lock);
-}
-
-static void
-resolve_done(isc_task_t *task, isc_event_t *event) {
-	resarg_t *resarg = event->ev_arg;
-	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
-	dns_name_t *name;
-
-	UNUSED(task);
-
-	LOCK(&resarg->lock);
-
-	resarg->result = rev->result;
-	resarg->vresult = rev->vresult;
-	while ((name = ISC_LIST_HEAD(rev->answerlist)) != NULL) {
-		ISC_LIST_UNLINK(rev->answerlist, name, link);
-		ISC_LIST_APPEND(*resarg->namelist, name, link);
-	}
-
-	dns_client_destroyrestrans(&resarg->trans);
-	isc_event_free(&event);
-
-	if (!resarg->canceled) {
-		UNLOCK(&resarg->lock);
-
-		/* Exit from the internal event loop */
-		isc_app_ctxsuspend(resarg->actx);
-	} else {
-		/*
-		 * We have already exited from the loop (due to some
-		 * unexpected event).  Just clean the arg up.
-		 */
-		UNLOCK(&resarg->lock);
-		DESTROYLOCK(&resarg->lock);
-		isc_mem_put(resarg->client->mctx, resarg, sizeof(*resarg));
-	}
-}
-
-isc_result_t
-dns_client_resolve(dns_client_t *client, dns_name_t *name,
-		   dns_rdataclass_t rdclass, dns_rdatatype_t type,
-		   unsigned int options, dns_namelist_t *namelist)
-{
-	isc_result_t result;
-	isc_appctx_t *actx;
-	resarg_t *resarg;
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-	REQUIRE(namelist != NULL && ISC_LIST_EMPTY(*namelist));
-
-	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
-	    (options & DNS_CLIENTRESOPT_ALLOWRUN) == 0) {
-		/*
-		 * If the client is run under application's control, we need
-		 * to create a new running (sub)environment for this
-		 * particular resolution.
-		 */
-		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
-	} else
-		actx = client->actx;
-
-	resarg = isc_mem_get(client->mctx, sizeof(*resarg));
-	if (resarg == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&resarg->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
-		return (result);
-	}
-
-	resarg->actx = actx;
-	resarg->client = client;
-	resarg->result = DNS_R_SERVFAIL;
-	resarg->namelist = namelist;
-	resarg->trans = NULL;
-	resarg->canceled = ISC_FALSE;
-	result = dns_client_startresolve(client, name, rdclass, type, options,
-					 client->task, resolve_done, resarg,
-					 &resarg->trans);
-	if (result != ISC_R_SUCCESS) {
-		DESTROYLOCK(&resarg->lock);
-		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
-		return (result);
-	}
-
-	/*
-	 * Start internal event loop.  It blocks until the entire process
-	 * is completed.
-	 */
-	result = isc_app_ctxrun(actx);
-
-	LOCK(&resarg->lock);
-	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
-		result = resarg->result;
-	if (result != ISC_R_SUCCESS && resarg->vresult != ISC_R_SUCCESS) {
-		/*
-		 * If this lookup failed due to some error in DNSSEC
-		 * validation, return the validation error code.
-		 * XXX: or should we pass the validation result separately?
-		 */
-		result = resarg->vresult;
-	}
-	if (resarg->trans != NULL) {
-		/*
-		 * Unusual termination (perhaps due to signal).  We need some
-		 * tricky cleanup process.
-		 */
-		resarg->canceled = ISC_TRUE;
-		dns_client_cancelresolve(resarg->trans);
-
-		UNLOCK(&resarg->lock);
-
-		/* resarg will be freed in the event handler. */
-	} else {
-		UNLOCK(&resarg->lock);
-
-		DESTROYLOCK(&resarg->lock);
-		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
-	}
-
-	return (result);
-}
-
-isc_result_t
-dns_client_startresolve(dns_client_t *client, dns_name_t *name,
-			dns_rdataclass_t rdclass, dns_rdatatype_t type,
-			unsigned int options, isc_task_t *task,
-			isc_taskaction_t action, void *arg,
-			dns_clientrestrans_t **transp)
-{
-	dns_view_t *view = NULL;
-	dns_clientresevent_t *event = NULL;
-	resctx_t *rctx = NULL;
-	isc_task_t *clone = NULL;
-	isc_mem_t *mctx;
-	isc_result_t result;
-	dns_rdataset_t *rdataset, *sigrdataset;
-	isc_boolean_t want_dnssec;
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-	REQUIRE(transp != NULL && *transp == NULL);
-
-	LOCK(&client->lock);
-	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
-				   rdclass, &view);
-	UNLOCK(&client->lock);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	mctx = client->mctx;
-	rdataset = NULL;
-	sigrdataset = NULL;
-	want_dnssec = ISC_TF((options & DNS_CLIENTRESOPT_NODNSSEC) == 0);
-
-	/*
-	 * Prepare some intermediate resources
-	 */
-	clone = NULL;
-	isc_task_attach(task, &clone);
-	event = (dns_clientresevent_t *)
-		isc_event_allocate(mctx, clone, DNS_EVENT_CLIENTRESDONE,
-				   action, arg, sizeof(*event));
-	if (event == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	event->result = DNS_R_SERVFAIL;
-	ISC_LIST_INIT(event->answerlist);
-
-	rctx = isc_mem_get(mctx, sizeof(*rctx));
-	if (rctx == NULL)
-		result = ISC_R_NOMEMORY;
-	else {
-		result = isc_mutex_init(&rctx->lock);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(mctx, rctx, sizeof(*rctx));
-			rctx = NULL;
-		}
-	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = getrdataset(mctx, &rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	rctx->rdataset = rdataset;
-
-	if (want_dnssec) {
-		result = getrdataset(mctx, &sigrdataset);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-	rctx->sigrdataset = sigrdataset;
-
-	dns_fixedname_init(&rctx->name);
-	result = dns_name_copy(name, dns_fixedname_name(&rctx->name), NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	rctx->client = client;
-	ISC_LINK_INIT(rctx, link);
-	rctx->canceled = ISC_FALSE;
-	rctx->task = client->task;
-	rctx->type = type;
-	rctx->view = view;
-	rctx->restarts = 0;
-	rctx->fetch = NULL;
-	rctx->want_dnssec = want_dnssec;
-	ISC_LIST_INIT(rctx->namelist);
-	rctx->event = event;
-
-	rctx->magic = RCTX_MAGIC;
-
-	LOCK(&client->lock);
-	ISC_LIST_APPEND(client->resctxs, rctx, link);
-	UNLOCK(&client->lock);
-
-	client_resfind(rctx, NULL);
-
-	*transp = (dns_clientrestrans_t *)rctx;
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (rdataset != NULL)
-		putrdataset(client->mctx, &rdataset);
-	if (sigrdataset != NULL)
-		putrdataset(client->mctx, &sigrdataset);
-	if (rctx != NULL) {
-		DESTROYLOCK(&rctx->lock);
-		isc_mem_put(mctx, rctx, sizeof(*rctx));
-	}
-	if (event != NULL)
-		isc_event_free(ISC_EVENT_PTR(&event));
-	isc_task_detach(&clone);
-	dns_view_detach(&view);
-
-	return (result);
-}
-
-void
-dns_client_cancelresolve(dns_clientrestrans_t *trans) {
-	resctx_t *rctx;
-
-	REQUIRE(trans != NULL);
-	rctx = (resctx_t *)trans;
-	REQUIRE(RCTX_VALID(rctx));
-
-	LOCK(&rctx->lock);
-
-	if (!rctx->canceled) {
-		rctx->canceled = ISC_TRUE;
-		if (rctx->fetch != NULL)
-			dns_resolver_cancelfetch(rctx->fetch);
-	}
-
-	UNLOCK(&rctx->lock);
-}
-
-void
-dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist) {
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-	REQUIRE(namelist != NULL);
-
-	while ((name = ISC_LIST_HEAD(*namelist)) != NULL) {
-		ISC_LIST_UNLINK(*namelist, name, link);
-		while ((rdataset = ISC_LIST_HEAD(name->list)) != NULL) {
-			ISC_LIST_UNLINK(name->list, rdataset, link);
-			putrdataset(client->mctx, &rdataset);
-		}
-		dns_name_free(name, client->mctx);
-		isc_mem_put(client->mctx, name, sizeof(*name));
-	}
-}
-
-void
-dns_client_destroyrestrans(dns_clientrestrans_t **transp) {
-	resctx_t *rctx;
-	isc_mem_t *mctx;
-	dns_client_t *client;
-	isc_boolean_t need_destroyclient = ISC_FALSE;
-
-	REQUIRE(transp != NULL);
-	rctx = (resctx_t *)*transp;
-	REQUIRE(RCTX_VALID(rctx));
-	REQUIRE(rctx->fetch == NULL);
-	REQUIRE(rctx->event == NULL);
-	client = rctx->client;
-	REQUIRE(DNS_CLIENT_VALID(client));
-
-	mctx = client->mctx;
-	dns_view_detach(&rctx->view);
-
-	LOCK(&client->lock);
-
-	INSIST(ISC_LINK_LINKED(rctx, link));
-	ISC_LIST_UNLINK(client->resctxs, rctx, link);
-
-	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
-	    ISC_LIST_EMPTY(client->reqctxs) &&
-	    ISC_LIST_EMPTY(client->updatectxs))
-		need_destroyclient = ISC_TRUE;
-
-	UNLOCK(&client->lock);
-
-	INSIST(ISC_LIST_EMPTY(rctx->namelist));
-
-	DESTROYLOCK(&rctx->lock);
-	rctx->magic = 0;
-
-	isc_mem_put(mctx, rctx, sizeof(*rctx));
-
-	if (need_destroyclient)
-		destroyclient(&client);
-
-	*transp = NULL;
-}
-
-isc_result_t
-dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
-			 dns_name_t *keyname, isc_buffer_t *keydatabuf)
-{
-	isc_result_t result;
-	dns_view_t *view = NULL;
-	dst_key_t *dstkey = NULL;
-	dns_keytable_t *secroots = NULL;
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-
-	LOCK(&client->lock);
-	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
-				   rdclass, &view);
-	UNLOCK(&client->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_view_getsecroots(view, &secroots);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dst_key_fromdns(keyname, rdclass, keydatabuf, client->mctx,
-				 &dstkey);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);
-
- cleanup:
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-	if (view != NULL)
-		dns_view_detach(&view);
-	if (secroots != NULL)
-		dns_keytable_detach(&secroots);
-	return (result);
-}
-
-/*%
- * Simple request routines
- */
-static void
-request_done(isc_task_t *task, isc_event_t *event) {
-	dns_requestevent_t *reqev = NULL;
-	dns_request_t *request;
-	isc_result_t result, eresult;
-	reqctx_t *ctx;
-
-	UNUSED(task);
-
-	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
-	reqev = (dns_requestevent_t *)event;
-	request = reqev->request;
-	result = eresult = reqev->result;
-	ctx = reqev->ev_arg;
-	REQUIRE(REQCTX_VALID(ctx));
-
-	isc_event_free(&event);
-
-	LOCK(&ctx->lock);
-
-	if (eresult == ISC_R_SUCCESS) {
-		result = dns_request_getresponse(request, ctx->event->rmessage,
-						 ctx->parseoptions);
-	}
-
-	if (ctx->tsigkey != NULL)
-		dns_tsigkey_detach(&ctx->tsigkey);
-
-	if (ctx->canceled)
-		ctx->event->result = ISC_R_CANCELED;
-	else
-		ctx->event->result = result;
-	task = ctx->event->ev_sender;
-	ctx->event->ev_sender = ctx;
-	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&ctx->event));
-
-	UNLOCK(&ctx->lock);
-}
-
-static void
-localrequest_done(isc_task_t *task, isc_event_t *event) {
-	reqarg_t *reqarg = event->ev_arg;
-	dns_clientreqevent_t *rev =(dns_clientreqevent_t *)event;
-
-	UNUSED(task);
-
-	REQUIRE(event->ev_type == DNS_EVENT_CLIENTREQDONE);
-
-	LOCK(&reqarg->lock);
-
-	reqarg->result = rev->result;
-	dns_client_destroyreqtrans(&reqarg->trans);
-	isc_event_free(&event);
-
-	if (!reqarg->canceled) {
-		UNLOCK(&reqarg->lock);
-
-		/* Exit from the internal event loop */
-		isc_app_ctxsuspend(reqarg->actx);
-	} else {
-		/*
-		 * We have already exited from the loop (due to some
-		 * unexpected event).  Just clean the arg up.
-		 */
-		UNLOCK(&reqarg->lock);
-		DESTROYLOCK(&reqarg->lock);
-		isc_mem_put(reqarg->client->mctx, reqarg, sizeof(*reqarg));
-	}
-}
-
-isc_result_t
-dns_client_request(dns_client_t *client, dns_message_t *qmessage,
-		   dns_message_t *rmessage, isc_sockaddr_t *server,
-		   unsigned int options, unsigned int parseoptions,
-		   dns_tsec_t *tsec, unsigned int timeout,
-		   unsigned int udptimeout, unsigned int udpretries)
-{
-	isc_appctx_t *actx;
-	reqarg_t *reqarg;
-	isc_result_t result;
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-	REQUIRE(qmessage != NULL);
-	REQUIRE(rmessage != NULL);
-
-	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
-	    (options & DNS_CLIENTREQOPT_ALLOWRUN) == 0) {
-		/*
-		 * If the client is run under application's control, we need
-		 * to create a new running (sub)environment for this
-		 * particular resolution.
-		 */
-		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
-	} else
-		actx = client->actx;
-
-	reqarg = isc_mem_get(client->mctx, sizeof(*reqarg));
-	if (reqarg == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&reqarg->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
-		return (result);
-	}
-
-	reqarg->actx = actx;
-	reqarg->client = client;
-	reqarg->trans = NULL;
-	reqarg->canceled = ISC_FALSE;
-
-	result = dns_client_startrequest(client, qmessage, rmessage, server,
-					 options, parseoptions, tsec, timeout,
-					 udptimeout, udpretries,
-					 client->task, localrequest_done,
-					 reqarg, &reqarg->trans);
-	if (result != ISC_R_SUCCESS) {
-		DESTROYLOCK(&reqarg->lock);
-		isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
-		return (result);
-	}
-
-	/*
-	 * Start internal event loop.  It blocks until the entire process
-	 * is completed.
-	 */
-	result = isc_app_ctxrun(actx);
-
-	LOCK(&reqarg->lock);
-	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
-		result = reqarg->result;
-	if (reqarg->trans != NULL) {
-		/*
-		 * Unusual termination (perhaps due to signal).  We need some
-		 * tricky cleanup process.
-		 */
-		reqarg->canceled = ISC_TRUE;
-		dns_client_cancelresolve(reqarg->trans);
-
-		UNLOCK(&reqarg->lock);
-
-		/* reqarg will be freed in the event handler. */
-	} else {
-		UNLOCK(&reqarg->lock);
-
-		DESTROYLOCK(&reqarg->lock);
-		isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
-	}
-
-	return (result);
-}
-
-isc_result_t
-dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
-			dns_message_t *rmessage, isc_sockaddr_t *server,
-			unsigned int options, unsigned int parseoptions,
-			dns_tsec_t *tsec, unsigned int timeout,
-			unsigned int udptimeout, unsigned int udpretries,
-			isc_task_t *task, isc_taskaction_t action, void *arg,
-			dns_clientreqtrans_t **transp)
-{
-	isc_result_t result;
-	dns_view_t *view = NULL;
-	isc_task_t *clone = NULL;
-	dns_clientreqevent_t *event = NULL;
-	reqctx_t *ctx = NULL;
-	dns_tsectype_t tsectype = dns_tsectype_none;
-
-	UNUSED(options);
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-	REQUIRE(qmessage != NULL);
-	REQUIRE(rmessage != NULL);
-	REQUIRE(transp != NULL && *transp == NULL);
-
-	if (tsec != NULL) {
-		tsectype = dns_tsec_gettype(tsec);
-		if (tsectype != dns_tsectype_tsig)
-			return (ISC_R_NOTIMPLEMENTED); /* XXX */
-	}
-
-	LOCK(&client->lock);
-	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
-				   qmessage->rdclass, &view);
-	UNLOCK(&client->lock);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	clone = NULL;
-	isc_task_attach(task, &clone);
-	event = (dns_clientreqevent_t *)
-		isc_event_allocate(client->mctx, clone,
-				   DNS_EVENT_CLIENTREQDONE,
-				   action, arg, sizeof(*event));
-	if (event == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-
-	ctx = isc_mem_get(client->mctx, sizeof(*ctx));
-	if (ctx == NULL)
-		result = ISC_R_NOMEMORY;
-	else {
-		result = isc_mutex_init(&ctx->lock);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(client->mctx, ctx, sizeof(*ctx));
-			ctx = NULL;
-		}
-	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	ctx->client = client;
-	ISC_LINK_INIT(ctx, link);
-	ctx->parseoptions = parseoptions;
-	ctx->canceled = ISC_FALSE;
-	ctx->event = event;
-	ctx->event->rmessage = rmessage;
-	ctx->tsigkey = NULL;
-	if (tsec != NULL)
-		dns_tsec_getkey(tsec, &ctx->tsigkey);
-
-	ctx->magic = REQCTX_MAGIC;
-
-	LOCK(&client->lock);
-	ISC_LIST_APPEND(client->reqctxs, ctx, link);
-	UNLOCK(&client->lock);
-
-	ctx->request = NULL;
-	result = dns_request_createvia3(view->requestmgr, qmessage, NULL,
-					server, options, ctx->tsigkey,
-					timeout, udptimeout, udpretries,
-					client->task, request_done, ctx,
-					&ctx->request);
-	if (result == ISC_R_SUCCESS) {
-		dns_view_detach(&view);
-		*transp = (dns_clientreqtrans_t *)ctx;
-		return (ISC_R_SUCCESS);
-	}
-
- cleanup:
-	if (ctx != NULL) {
-		LOCK(&client->lock);
-		ISC_LIST_UNLINK(client->reqctxs, ctx, link);
-		UNLOCK(&client->lock);
-		DESTROYLOCK(&ctx->lock);
-		isc_mem_put(client->mctx, ctx, sizeof(*ctx));
-	}
-	if (event != NULL)
-		isc_event_free(ISC_EVENT_PTR(&event));
-	isc_task_detach(&clone);
-	dns_view_detach(&view);
-
-	return (result);
-}
-
-void
-dns_client_cancelrequest(dns_clientreqtrans_t *trans) {
-	reqctx_t *ctx;
-
-	REQUIRE(trans != NULL);
-	ctx = (reqctx_t *)trans;
-	REQUIRE(REQCTX_VALID(ctx));
-
-	LOCK(&ctx->lock);
-
-	if (!ctx->canceled) {
-		ctx->canceled = ISC_TRUE;
-		if (ctx->request != NULL)
-			dns_request_cancel(ctx->request);
-	}
-
-	UNLOCK(&ctx->lock);
-}
-
-void
-dns_client_destroyreqtrans(dns_clientreqtrans_t **transp) {
-	reqctx_t *ctx;
-	isc_mem_t *mctx;
-	dns_client_t *client;
-	isc_boolean_t need_destroyclient = ISC_FALSE;
-
-	REQUIRE(transp != NULL);
-	ctx = (reqctx_t *)*transp;
-	REQUIRE(REQCTX_VALID(ctx));
-	client = ctx->client;
-	REQUIRE(DNS_CLIENT_VALID(client));
-	REQUIRE(ctx->event == NULL);
-	REQUIRE(ctx->request != NULL);
-
-	dns_request_destroy(&ctx->request);
-	mctx = client->mctx;
-
-	LOCK(&client->lock);
-
-	INSIST(ISC_LINK_LINKED(ctx, link));
-	ISC_LIST_UNLINK(client->reqctxs, ctx, link);
-
-	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
-	    ISC_LIST_EMPTY(client->reqctxs) &&
-	    ISC_LIST_EMPTY(client->updatectxs)) {
-		need_destroyclient = ISC_TRUE;
-	}
-
-	UNLOCK(&client->lock);
-
-	DESTROYLOCK(&ctx->lock);
-	ctx->magic = 0;
-
-	isc_mem_put(mctx, ctx, sizeof(*ctx));
-
-	if (need_destroyclient)
-		destroyclient(&client);
-
-	*transp = NULL;
-}
-
-/*%
- * Dynamic update routines
- */
-static isc_result_t
-rcode2result(dns_rcode_t rcode) {
-	/* XXX: isn't there a similar function? */
-	switch (rcode) {
-	case dns_rcode_formerr:
-		return (DNS_R_FORMERR);
-	case dns_rcode_servfail:
-		return (DNS_R_SERVFAIL);
-	case dns_rcode_nxdomain:
-		return (DNS_R_NXDOMAIN);
-	case dns_rcode_notimp:
-		return (DNS_R_NOTIMP);
-	case dns_rcode_refused:
-		return (DNS_R_REFUSED);
-	case dns_rcode_yxdomain:
-		return (DNS_R_YXDOMAIN);
-	case dns_rcode_yxrrset:
-		return (DNS_R_YXRRSET);
-	case dns_rcode_nxrrset:
-		return (DNS_R_NXRRSET);
-	case dns_rcode_notauth:
-		return (DNS_R_NOTAUTH);
-	case dns_rcode_notzone:
-		return (DNS_R_NOTZONE);
-	case dns_rcode_badvers:
-		return (DNS_R_BADVERS);
-	}
-
-	return (ISC_R_FAILURE);
-}
-
-static void
-update_sendevent(updatectx_t *uctx, isc_result_t result) {
-	isc_task_t *task;
-
-	dns_message_destroy(&uctx->updatemsg);
-	if (uctx->tsigkey != NULL)
-		dns_tsigkey_detach(&uctx->tsigkey);
-	if (uctx->sig0key != NULL)
-		dst_key_free(&uctx->sig0key);
-
-	if (uctx->canceled)
-		uctx->event->result = ISC_R_CANCELED;
-	else
-		uctx->event->result = result;
-	uctx->event->state = uctx->state;
-	task = uctx->event->ev_sender;
-	uctx->event->ev_sender = uctx;
-	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&uctx->event));
-}
-
-static void
-update_done(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	dns_requestevent_t *reqev = NULL;
-	dns_request_t *request;
-	dns_message_t *answer = NULL;
-	updatectx_t *uctx = event->ev_arg;
-	dns_client_t *client;
-	unsigned int timeout;
-
-	UNUSED(task);
-
-	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
-	reqev = (dns_requestevent_t *)event;
-	request = reqev->request;
-	REQUIRE(UCTX_VALID(uctx));
-	client = uctx->client;
-	REQUIRE(DNS_CLIENT_VALID(client));
-
-	result = reqev->result;
-	if (result != ISC_R_SUCCESS)
-		goto out;
-
-	result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
-				    &answer);
-	if (result != ISC_R_SUCCESS)
-		goto out;
-	uctx->state = dns_clientupdatestate_done;
-	result = dns_request_getresponse(request, answer,
-					 DNS_MESSAGEPARSE_PRESERVEORDER);
-	if (result == ISC_R_SUCCESS && answer->rcode != dns_rcode_noerror)
-		result = rcode2result(answer->rcode);
-
- out:
-	if (answer != NULL)
-		dns_message_destroy(&answer);
-	isc_event_free(&event);
-
-	LOCK(&uctx->lock);
-	uctx->currentserver = ISC_LIST_NEXT(uctx->currentserver, link);
-	dns_request_destroy(&uctx->updatereq);
-	if (result != ISC_R_SUCCESS && !uctx->canceled &&
-	    uctx->currentserver != NULL) {
-		dns_message_renderreset(uctx->updatemsg);
-		dns_message_settsigkey(uctx->updatemsg, NULL);
-
-		timeout = client->update_timeout / uctx->nservers;
-		if (timeout < MIN_UPDATE_TIMEOUT)
-			timeout = MIN_UPDATE_TIMEOUT;
-		result = dns_request_createvia3(uctx->view->requestmgr,
-						uctx->updatemsg,
-						NULL,
-						uctx->currentserver, 0,
-						uctx->tsigkey,
-						timeout,
-						client->update_udptimeout,
-						client->update_udpretries,
-						client->task,
-						update_done, uctx,
-						&uctx->updatereq);
-		UNLOCK(&uctx->lock);
-
-		if (result == ISC_R_SUCCESS) {
-			/* XXX: should we keep the 'done' state here? */
-			uctx->state = dns_clientupdatestate_sent;
-			return;
-		}
-	} else
-		UNLOCK(&uctx->lock);
-
-	update_sendevent(uctx, result);
-}
-
-static isc_result_t
-send_update(updatectx_t *uctx) {
-	isc_result_t result;
-	dns_name_t *name = NULL;
-	dns_rdataset_t *rdataset = NULL;
-	dns_client_t *client = uctx->client;
-	unsigned int timeout;
-
-	REQUIRE(uctx->zonename != NULL && uctx->currentserver != NULL);
-
-	result = dns_message_gettempname(uctx->updatemsg, &name);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_name_init(name, NULL);
-	dns_name_clone(uctx->zonename, name);
-	result = dns_message_gettemprdataset(uctx->updatemsg, &rdataset);
-	if (result != ISC_R_SUCCESS) {
-		dns_message_puttempname(uctx->updatemsg, &name);
-		return (result);
-	}
-	dns_rdataset_makequestion(rdataset, uctx->rdclass, dns_rdatatype_soa);
-	ISC_LIST_INIT(name->list);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-	dns_message_addname(uctx->updatemsg, name, DNS_SECTION_ZONE);
-	if (uctx->tsigkey == NULL && uctx->sig0key != NULL) {
-		result = dns_message_setsig0key(uctx->updatemsg,
-						uctx->sig0key);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	timeout = client->update_timeout / uctx->nservers;
-	if (timeout < MIN_UPDATE_TIMEOUT)
-		timeout = MIN_UPDATE_TIMEOUT;
-	result = dns_request_createvia3(uctx->view->requestmgr,
-					uctx->updatemsg,
-					NULL, uctx->currentserver, 0,
-					uctx->tsigkey, timeout,
-					client->update_udptimeout,
-					client->update_udpretries,
-					client->task, update_done, uctx,
-					&uctx->updatereq);
-	if (result == ISC_R_SUCCESS &&
-	    uctx->state == dns_clientupdatestate_prepare) {
-		uctx->state = dns_clientupdatestate_sent;
-	}
-
-	return (result);
-}
-
-static void
-resolveaddr_done(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	int family;
-	dns_rdatatype_t qtype;
-	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	updatectx_t *uctx;
-	isc_boolean_t completed = ISC_FALSE;
-
-	UNUSED(task);
-
-	REQUIRE(event->ev_arg != NULL);
-	uctx = *(updatectx_t **)event->ev_arg;
-	REQUIRE(UCTX_VALID(uctx));
-
-	if (event->ev_arg == &uctx->bp4) {
-		family = AF_INET;
-		qtype = dns_rdatatype_a;
-		LOCK(&uctx->lock);
-		dns_client_destroyrestrans(&uctx->restrans);
-		UNLOCK(&uctx->lock);
-	} else {
-		INSIST(event->ev_arg == &uctx->bp6);
-		family = AF_INET6;
-		qtype = dns_rdatatype_aaaa;
-		LOCK(&uctx->lock);
-		dns_client_destroyrestrans(&uctx->restrans2);
-		UNLOCK(&uctx->lock);
-	}
-
-	result = rev->result;
-	if (result != ISC_R_SUCCESS)
-		goto done;
-
-	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
-	     name = ISC_LIST_NEXT(name, link)) {
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if (!dns_rdataset_isassociated(rdataset))
-				continue;
-			if (rdataset->type != qtype)
-				continue;
-
-			for (result = dns_rdataset_first(rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rdataset)) {
-				dns_rdata_t rdata;
-				dns_rdata_in_a_t rdata_a;
-				dns_rdata_in_aaaa_t rdata_aaaa;
-				isc_sockaddr_t *sa;
-
-				sa = isc_mem_get(uctx->client->mctx,
-						 sizeof(*sa));
-				if (sa == NULL) {
-					/*
-					 * If we fail to get a sockaddr,
-					 we simply move forward with the
-					 * addresses we've got so far.
-					 */
-					goto done;
-				}
-
-				dns_rdata_init(&rdata);
-				switch (family) {
-				case AF_INET:
-					dns_rdataset_current(rdataset, &rdata);
-					result = dns_rdata_tostruct(&rdata, &rdata_a,
-								    NULL);
-					RUNTIME_CHECK(result == ISC_R_SUCCESS);
-					isc_sockaddr_fromin(sa,
-							    &rdata_a.in_addr,
-							    53);
-					dns_rdata_freestruct(&rdata_a);
-					break;
-				case AF_INET6:
-					dns_rdataset_current(rdataset, &rdata);
-					result = dns_rdata_tostruct(&rdata, &rdata_aaaa,
-								    NULL);
-					RUNTIME_CHECK(result == ISC_R_SUCCESS);
-					isc_sockaddr_fromin6(sa,
-							     &rdata_aaaa.in6_addr,
-							     53);
-					dns_rdata_freestruct(&rdata_aaaa);
-					break;
-				}
-
-				ISC_LINK_INIT(sa, link);
-				ISC_LIST_APPEND(uctx->servers, sa, link);
-				uctx->nservers++;
-			}
-		}
-	}
-
- done:
-	dns_client_freeresanswer(uctx->client, &rev->answerlist);
-	isc_event_free(&event);
-
-	LOCK(&uctx->lock);
-	if (uctx->restrans == NULL && uctx->restrans2 == NULL)
-		completed = ISC_TRUE;
-	UNLOCK(&uctx->lock);
-
-	if (completed) {
-		INSIST(uctx->currentserver == NULL);
-		uctx->currentserver = ISC_LIST_HEAD(uctx->servers);
-		if (uctx->currentserver != NULL && !uctx->canceled)
-			send_update(uctx);
-		else {
-			if (result == ISC_R_SUCCESS)
-				result = ISC_R_NOTFOUND;
-			update_sendevent(uctx, result);
-		}
-	}
-}
-
-static isc_result_t
-process_soa(updatectx_t *uctx, dns_rdataset_t *soaset, dns_name_t *soaname) {
-	isc_result_t result;
-	dns_rdata_t soarr = DNS_RDATA_INIT;
-	dns_rdata_soa_t soa;
-	dns_name_t primary;
-
-	result = dns_rdataset_first(soaset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdata_init(&soarr);
-	dns_rdataset_current(soaset, &soarr);
-	result = dns_rdata_tostruct(&soarr, &soa, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_name_init(&primary, NULL);
-	dns_name_clone(&soa.origin, &primary);
-
-	if (uctx->zonename == NULL) {
-		uctx->zonename = dns_fixedname_name(&uctx->zonefname);
-		result = dns_name_copy(soaname, uctx->zonename, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto out;
-	}
-
-	if (uctx->currentserver != NULL)
-		result = send_update(uctx);
-	else {
-		/*
-		 * Get addresses of the primary server.  We don't use the ADB
-		 * feature so that we could avoid caching data.
-		 */
-		LOCK(&uctx->lock);
-		uctx->bp4 = uctx;
-		result = dns_client_startresolve(uctx->client, &primary,
-						 uctx->rdclass,
-						 dns_rdatatype_a,
-						 0, uctx->client->task,
-						 resolveaddr_done, &uctx->bp4,
-						 &uctx->restrans);
-		if (result == ISC_R_SUCCESS) {
-			uctx->bp6 = uctx;
-			result = dns_client_startresolve(uctx->client,
-							 &primary,
-							 uctx->rdclass,
-							 dns_rdatatype_aaaa,
-							 0, uctx->client->task,
-							 resolveaddr_done,
-							 &uctx->bp6,
-							 &uctx->restrans2);
-		}
-		UNLOCK(&uctx->lock);
-	}
-
- out:
-	dns_rdata_freestruct(&soa);
-
-	return (result);
-}
-
-static void
-receive_soa(isc_task_t *task, isc_event_t *event) {
-	dns_requestevent_t *reqev = NULL;
-	updatectx_t *uctx;
-	dns_client_t *client;
-	isc_result_t result, eresult;
-	dns_request_t *request;
-	dns_message_t *rcvmsg = NULL;
-	dns_section_t section;
-	dns_rdataset_t *soaset = NULL;
-	int pass = 0;
-	dns_name_t *name;
-	dns_message_t *soaquery = NULL;
-	isc_sockaddr_t *addr;
-	isc_boolean_t seencname = ISC_FALSE;
-	isc_boolean_t droplabel = ISC_FALSE;
-	dns_name_t tname;
-	unsigned int nlabels;
-
-	UNUSED(task);
-
-	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
-	reqev = (dns_requestevent_t *)event;
-	request = reqev->request;
-	result = eresult = reqev->result;
-	POST(result);
-	uctx = reqev->ev_arg;
-	client = uctx->client;
-	soaquery = uctx->soaquery;
-	addr = uctx->currentserver;
-	INSIST(addr != NULL);
-
-	isc_event_free(&event);
-
-	if (eresult != ISC_R_SUCCESS) {
-		result = eresult;
-		goto out;
-	}
-
-	result = dns_message_create(uctx->client->mctx,
-				    DNS_MESSAGE_INTENTPARSE, &rcvmsg);
-	if (result != ISC_R_SUCCESS)
-		goto out;
-	result = dns_request_getresponse(request, rcvmsg,
-					 DNS_MESSAGEPARSE_PRESERVEORDER);
-
-	if (result == DNS_R_TSIGERRORSET) {
-		dns_request_t *newrequest = NULL;
-
-		/* Retry SOA request without TSIG */
-		dns_message_destroy(&rcvmsg);
-		dns_message_renderreset(uctx->soaquery);
-		result = dns_request_createvia3(uctx->view->requestmgr,
-						uctx->soaquery, NULL, addr, 0,
-						NULL,
-						client->find_timeout * 20,
-						client->find_timeout, 3,
-						uctx->client->task,
-						receive_soa, uctx,
-						&newrequest);
-		if (result == ISC_R_SUCCESS) {
-			LOCK(&uctx->lock);
-			dns_request_destroy(&uctx->soareq);
-			uctx->soareq = newrequest;
-			UNLOCK(&uctx->lock);
-
-			return;
-		}
-		goto out;
-	}
-
-	section = DNS_SECTION_ANSWER;
-	POST(section);
-
-	if (rcvmsg->rcode != dns_rcode_noerror &&
-	    rcvmsg->rcode != dns_rcode_nxdomain) {
-		result = rcode2result(rcvmsg->rcode);
-		goto out;
-	}
-
- lookforsoa:
-	if (pass == 0)
-		section = DNS_SECTION_ANSWER;
-	else if (pass == 1)
-		section = DNS_SECTION_AUTHORITY;
-	else {
-		droplabel = ISC_TRUE;
-		goto out;
-	}
-
-	result = dns_message_firstname(rcvmsg, section);
-	if (result != ISC_R_SUCCESS) {
-		pass++;
-		goto lookforsoa;
-	}
-	while (result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(rcvmsg, section, &name);
-		soaset = NULL;
-		result = dns_message_findtype(name, dns_rdatatype_soa, 0,
-					      &soaset);
-		if (result == ISC_R_SUCCESS)
-			break;
-		if (section == DNS_SECTION_ANSWER) {
-			dns_rdataset_t *tset = NULL;
-			if (dns_message_findtype(name, dns_rdatatype_cname, 0,
-						 &tset) == ISC_R_SUCCESS
-			    ||
-			    dns_message_findtype(name, dns_rdatatype_dname, 0,
-						 &tset) == ISC_R_SUCCESS
-			    )
-			{
-				seencname = ISC_TRUE;
-				break;
-			}
-		}
-
-		result = dns_message_nextname(rcvmsg, section);
-	}
-
-	if (soaset == NULL && !seencname) {
-		pass++;
-		goto lookforsoa;
-	}
-
-	if (seencname) {
-		droplabel = ISC_TRUE;
-		goto out;
-	}
-
-	result = process_soa(uctx, soaset, name);
-
- out:
-	if (droplabel) {
-		result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
-		INSIST(result == ISC_R_SUCCESS);
-		name = NULL;
-		dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
-		nlabels = dns_name_countlabels(name);
-		if (nlabels == 1)
-			result = DNS_R_SERVFAIL; /* is there a better error? */
-		else {
-			dns_name_init(&tname, NULL);
-			dns_name_getlabelsequence(name, 1, nlabels - 1,
-						  &tname);
-			dns_name_clone(&tname, name);
-			dns_request_destroy(&request);
-			LOCK(&uctx->lock);
-			uctx->soareq = NULL;
-			UNLOCK(&uctx->lock);
-			dns_message_renderreset(soaquery);
-			dns_message_settsigkey(soaquery, NULL);
-			result = dns_request_createvia3(uctx->view->requestmgr,
-							soaquery, NULL,
-							uctx->currentserver, 0,
-							uctx->tsigkey,
-							client->find_timeout *
-							20,
-							client->find_timeout,
-							3, client->task,
-							receive_soa, uctx,
-							&uctx->soareq);
-		}
-	}
-
-	if (!droplabel || result != ISC_R_SUCCESS) {
-		dns_message_destroy(&uctx->soaquery);
-		LOCK(&uctx->lock);
-		dns_request_destroy(&uctx->soareq);
-		UNLOCK(&uctx->lock);
-	}
-
-	if (rcvmsg != NULL)
-		dns_message_destroy(&rcvmsg);
-
-	if (result != ISC_R_SUCCESS)
-		update_sendevent(uctx, result);
-}
-
-static isc_result_t
-request_soa(updatectx_t *uctx) {
-	isc_result_t result;
-	dns_message_t *soaquery = uctx->soaquery;
-	dns_name_t *name = NULL;
-	dns_rdataset_t *rdataset = NULL;
-
-	if (soaquery == NULL) {
-		result = dns_message_create(uctx->client->mctx,
-					    DNS_MESSAGE_INTENTRENDER,
-					    &soaquery);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	soaquery->flags |= DNS_MESSAGEFLAG_RD;
-	result = dns_message_gettempname(soaquery, &name);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	result = dns_message_gettemprdataset(soaquery, &rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	dns_rdataset_makequestion(rdataset, uctx->rdclass, dns_rdatatype_soa);
-	dns_name_clone(uctx->firstname, name);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-	dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
-	rdataset = NULL;
-	name = NULL;
-
-	result = dns_request_createvia3(uctx->view->requestmgr,
-					soaquery, NULL, uctx->currentserver, 0,
-					uctx->tsigkey,
-					uctx->client->find_timeout * 20,
-					uctx->client->find_timeout, 3,
-					uctx->client->task, receive_soa, uctx,
-					&uctx->soareq);
-	if (result == ISC_R_SUCCESS) {
-		uctx->soaquery = soaquery;
-		return (ISC_R_SUCCESS);
-	}
-
- fail:
-	if (rdataset != NULL) {
-		ISC_LIST_UNLINK(name->list, rdataset, link); /* for safety */
-		dns_message_puttemprdataset(soaquery, &rdataset);
-	}
-	if (name != NULL)
-		dns_message_puttempname(soaquery, &name);
-	dns_message_destroy(&soaquery);
-
-	return (result);
-}
-
-static void
-resolvesoa_done(isc_task_t *task, isc_event_t *event) {
-	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
-	updatectx_t *uctx;
-	dns_name_t *name, tname;
-	dns_rdataset_t *rdataset = NULL;
-	isc_result_t result = rev->result;
-	unsigned int nlabels;
-
-	UNUSED(task);
-
-	uctx = event->ev_arg;
-	REQUIRE(UCTX_VALID(uctx));
-
-	LOCK(&uctx->lock);
-	dns_client_destroyrestrans(&uctx->restrans);
-	UNLOCK(&uctx->lock);
-
-	uctx = event->ev_arg;
-	if (result != ISC_R_SUCCESS &&
-	    result != DNS_R_NCACHENXDOMAIN &&
-	    result != DNS_R_NCACHENXRRSET) {
-		/* XXX: what about DNSSEC failure? */
-		goto out;
-	}
-
-	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
-	     name = ISC_LIST_NEXT(name, link)) {
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if (dns_rdataset_isassociated(rdataset) &&
-			    rdataset->type == dns_rdatatype_soa)
-				break;
-		}
-	}
-
-	if (rdataset == NULL) {
-		/* Drop one label and retry resolution. */
-		nlabels = dns_name_countlabels(&uctx->soaqname);
-		if (nlabels == 1) {
-			result = DNS_R_SERVFAIL; /* is there a better error? */
-			goto out;
-		}
-		dns_name_init(&tname, NULL);
-		dns_name_getlabelsequence(&uctx->soaqname, 1, nlabels - 1,
-					  &tname);
-		dns_name_clone(&tname, &uctx->soaqname);
-
-		result = dns_client_startresolve(uctx->client, &uctx->soaqname,
-						 uctx->rdclass,
-						 dns_rdatatype_soa, 0,
-						 uctx->client->task,
-						 resolvesoa_done, uctx,
-						 &uctx->restrans);
-	} else
-		result = process_soa(uctx, rdataset, &uctx->soaqname);
-
- out:
-	dns_client_freeresanswer(uctx->client, &rev->answerlist);
-	isc_event_free(&event);
-
-	if (result != ISC_R_SUCCESS)
-		update_sendevent(uctx, result);
-}
-
-static isc_result_t
-copy_name(isc_mem_t *mctx, dns_message_t *msg, dns_name_t *name,
-	  dns_name_t **newnamep)
-{
-	isc_result_t result;
-	dns_name_t *newname = NULL;
-	isc_region_t r;
-	isc_buffer_t *namebuf = NULL, *rdatabuf = NULL;
-	dns_rdatalist_t *rdatalist;
-	dns_rdataset_t *rdataset, *newrdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT, *newrdata;
-
-	result = dns_message_gettempname(msg, &newname);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	dns_name_init(newname, NULL);
-	dns_name_setbuffer(newname, namebuf);
-	dns_message_takebuffer(msg, &namebuf);
-	result = dns_name_copy(name, newname, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
-	     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-		rdatalist = NULL;
-		result = dns_message_gettemprdatalist(msg, &rdatalist);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-		dns_rdatalist_init(rdatalist);
-		rdatalist->type = rdataset->type;
-		rdatalist->rdclass = rdataset->rdclass;
-		rdatalist->covers = rdataset->covers;
-		rdatalist->ttl = rdataset->ttl;
-
-		result = dns_rdataset_first(rdataset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(rdataset, &rdata);
-
-			newrdata = NULL;
-			result = dns_message_gettemprdata(msg, &newrdata);
-			if (result != ISC_R_SUCCESS)
-				goto fail;
-			dns_rdata_toregion(&rdata, &r);
-			rdatabuf = NULL;
-			result = isc_buffer_allocate(mctx, &rdatabuf,
-						     r.length);
-			if (result != ISC_R_SUCCESS)
-				goto fail;
-			isc_buffer_putmem(rdatabuf, r.base, r.length);
-			isc_buffer_usedregion(rdatabuf, &r);
-			dns_rdata_init(newrdata);
-			dns_rdata_fromregion(newrdata, rdata.rdclass,
-					     rdata.type, &r);
-			newrdata->flags = rdata.flags;
-
-			ISC_LIST_APPEND(rdatalist->rdata, newrdata, link);
-			dns_message_takebuffer(msg, &rdatabuf);
-
-			result = dns_rdataset_next(rdataset);
-		}
-
-		newrdataset = NULL;
-		result = dns_message_gettemprdataset(msg, &newrdataset);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-		dns_rdataset_init(newrdataset);
-		dns_rdatalist_tordataset(rdatalist, newrdataset);
-
-		ISC_LIST_APPEND(newname->list, newrdataset, link);
-	}
-
-	*newnamep = newname;
-
-	return (ISC_R_SUCCESS);
-
- fail:
-	dns_message_puttempname(msg, &newname);
-
-	return (result);
-
-}
-
-static void
-internal_update_callback(isc_task_t *task, isc_event_t *event) {
-	updatearg_t *uarg = event->ev_arg;
-	dns_clientupdateevent_t *uev = (dns_clientupdateevent_t *)event;
-
-	UNUSED(task);
-
-	LOCK(&uarg->lock);
-
-	uarg->result = uev->result;
-
-	dns_client_destroyupdatetrans(&uarg->trans);
-	isc_event_free(&event);
-
-	if (!uarg->canceled) {
-		UNLOCK(&uarg->lock);
-
-		/* Exit from the internal event loop */
-		isc_app_ctxsuspend(uarg->actx);
-	} else {
-		/*
-		 * We have already exited from the loop (due to some
-		 * unexpected event).  Just clean the arg up.
-		 */
-		UNLOCK(&uarg->lock);
-		DESTROYLOCK(&uarg->lock);
-		isc_mem_put(uarg->client->mctx, uarg, sizeof(*uarg));
-	}
-}
-
-isc_result_t
-dns_client_update(dns_client_t *client, dns_rdataclass_t rdclass,
-		  dns_name_t *zonename, dns_namelist_t *prerequisites,
-		  dns_namelist_t *updates, isc_sockaddrlist_t *servers,
-		  dns_tsec_t *tsec, unsigned int options)
-{
-	isc_result_t result;
-	isc_appctx_t *actx;
-	updatearg_t *uarg;
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-
-	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
-	    (options & DNS_CLIENTRESOPT_ALLOWRUN) == 0) {
-		/*
-		 * If the client is run under application's control, we need
-		 * to create a new running (sub)environment for this
-		 * particular resolution.
-		 */
-		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
-	} else
-		actx = client->actx;
-
-	uarg = isc_mem_get(client->mctx, sizeof(*uarg));
-	if (uarg == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&uarg->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(client->mctx, uarg, sizeof(*uarg));
-		return (result);
-	}
-
-	uarg->actx = actx;
-	uarg->client = client;
-	uarg->result = ISC_R_FAILURE;
-	uarg->trans = NULL;
-	uarg->canceled = ISC_FALSE;
-
-	result = dns_client_startupdate(client, rdclass, zonename,
-					prerequisites, updates, servers,
-					tsec, options, client->task,
-					internal_update_callback, uarg,
-					&uarg->trans);
-	if (result != ISC_R_SUCCESS) {
-		DESTROYLOCK(&uarg->lock);
-		isc_mem_put(client->mctx, uarg, sizeof(*uarg));
-		return (result);
-	}
-
-	/*
-	 * Start internal event loop.  It blocks until the entire process
-	 * is completed.
-	 */
-	result = isc_app_ctxrun(actx);
-
-	LOCK(&uarg->lock);
-	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
-		result = uarg->result;
-
-	if (uarg->trans != NULL) {
-		/*
-		 * Unusual termination (perhaps due to signal).  We need some
-		 * tricky cleanup process.
-		 */
-		uarg->canceled = ISC_TRUE;
-		dns_client_cancelupdate(uarg->trans);
-
-		UNLOCK(&uarg->lock);
-
-		/* uarg will be freed in the event handler. */
-	} else {
-		UNLOCK(&uarg->lock);
-
-		DESTROYLOCK(&uarg->lock);
-		isc_mem_put(client->mctx, uarg, sizeof(*uarg));
-	}
-
-	return (result);
-}
-
-isc_result_t
-dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
-		       dns_name_t *zonename, dns_namelist_t *prerequisites,
-		       dns_namelist_t *updates, isc_sockaddrlist_t *servers,
-		       dns_tsec_t *tsec, unsigned int options,
-		       isc_task_t *task, isc_taskaction_t action, void *arg,
-		       dns_clientupdatetrans_t **transp)
-{
-	dns_view_t *view = NULL;
-	isc_result_t result;
-	dns_name_t *name, *newname;
-	updatectx_t *uctx;
-	isc_task_t *clone = NULL;
-	dns_section_t section = DNS_SECTION_UPDATE;
-	isc_sockaddr_t *server, *sa = NULL;
-	dns_tsectype_t tsectype = dns_tsectype_none;
-
-	UNUSED(options);
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-	REQUIRE(transp != NULL && *transp == NULL);
-	REQUIRE(updates != NULL);
-	REQUIRE(task != NULL);
-
-	if (tsec != NULL) {
-		tsectype = dns_tsec_gettype(tsec);
-		if (tsectype != dns_tsectype_tsig)
-			return (ISC_R_NOTIMPLEMENTED); /* XXX */
-	}
-
-	LOCK(&client->lock);
-	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
-				   rdclass, &view);
-	UNLOCK(&client->lock);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/* Create a context and prepare some resources */
-	uctx = isc_mem_get(client->mctx, sizeof(*uctx));
-	if (uctx == NULL) {
-		dns_view_detach(&view);
-		return (ISC_R_NOMEMORY);
-	}
-	result = isc_mutex_init(&uctx->lock);
-	if (result != ISC_R_SUCCESS) {
-		dns_view_detach(&view);
-		isc_mem_put(client->mctx, uctx, sizeof(*uctx));
-		return (ISC_R_NOMEMORY);
-	}
-	clone = NULL;
-	isc_task_attach(task, &clone);
-	uctx->client = client;
-	ISC_LINK_INIT(uctx, link);
-	uctx->state = dns_clientupdatestate_prepare;
-	uctx->view = view;
-	uctx->rdclass = rdclass;
-	uctx->canceled = ISC_FALSE;
-	uctx->updatemsg = NULL;
-	uctx->soaquery = NULL;
-	uctx->updatereq = NULL;
-	uctx->restrans = NULL;
-	uctx->restrans2 = NULL;
-	uctx->bp4 = NULL;
-	uctx->bp6 = NULL;
-	uctx->soareq = NULL;
-	uctx->event = NULL;
-	uctx->tsigkey = NULL;
-	uctx->sig0key = NULL;
-	uctx->zonename = NULL;
-	dns_name_init(&uctx->soaqname, NULL);
-	ISC_LIST_INIT(uctx->servers);
-	uctx->nservers = 0;
-	uctx->currentserver = NULL;
-	dns_fixedname_init(&uctx->zonefname);
-	if (tsec != NULL)
-		dns_tsec_getkey(tsec, &uctx->tsigkey);
-	uctx->event = (dns_clientupdateevent_t *)
-		isc_event_allocate(client->mctx, clone, DNS_EVENT_UPDATEDONE,
-				   action, arg, sizeof(*uctx->event));
-	if (uctx->event == NULL)
-		goto fail;
-	if (zonename != NULL) {
-		uctx->zonename = dns_fixedname_name(&uctx->zonefname);
-		result = dns_name_copy(zonename, uctx->zonename, NULL);
-	}
-	if (servers != NULL) {
-		for (server = ISC_LIST_HEAD(*servers);
-		     server != NULL;
-		     server = ISC_LIST_NEXT(server, link)) {
-			sa = isc_mem_get(client->mctx, sizeof(*sa));
-			if (sa == NULL)
-				goto fail;
-			sa->type = server->type;
-			sa->length = server->length;
-			ISC_LINK_INIT(sa, link);
-			ISC_LIST_APPEND(uctx->servers, sa, link);
-			if (uctx->currentserver == NULL)
-				uctx->currentserver = sa;
-			uctx->nservers++;
-		}
-	}
-
-	/* Make update message */
-	result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTRENDER,
-				    &uctx->updatemsg);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	uctx->updatemsg->opcode = dns_opcode_update;
-
-	if (prerequisites != NULL) {
-		for (name = ISC_LIST_HEAD(*prerequisites); name != NULL;
-		     name = ISC_LIST_NEXT(name, link)) {
-			newname = NULL;
-			result = copy_name(client->mctx, uctx->updatemsg,
-					   name, &newname);
-			if (result != ISC_R_SUCCESS)
-				goto fail;
-			dns_message_addname(uctx->updatemsg, newname,
-					    DNS_SECTION_PREREQUISITE);
-		}
-	}
-
-	for (name = ISC_LIST_HEAD(*updates); name != NULL;
-	     name = ISC_LIST_NEXT(name, link)) {
-		newname = NULL;
-		result = copy_name(client->mctx, uctx->updatemsg, name,
-				   &newname);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-		dns_message_addname(uctx->updatemsg, newname,
-				    DNS_SECTION_UPDATE);
-	}
-
-	uctx->firstname = NULL;
-	result = dns_message_firstname(uctx->updatemsg, section);
-	if (result == ISC_R_NOMORE) {
-		section = DNS_SECTION_PREREQUISITE;
-		result = dns_message_firstname(uctx->updatemsg, section);
-	}
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	dns_message_currentname(uctx->updatemsg, section, &uctx->firstname);
-
-	uctx->magic = UCTX_MAGIC;
-
-	LOCK(&client->lock);
-	ISC_LIST_APPEND(client->updatectxs, uctx, link);
-	UNLOCK(&client->lock);
-
-	if (uctx->zonename != NULL && uctx->currentserver != NULL) {
-		result = send_update(uctx);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	} else if (uctx->currentserver != NULL) {
-		result = request_soa(uctx);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	} else {
-		dns_name_clone(uctx->firstname, &uctx->soaqname);
-		result = dns_client_startresolve(uctx->client, &uctx->soaqname,
-						 uctx->rdclass,
-						 dns_rdatatype_soa, 0,
-						 client->task, resolvesoa_done,
-						 uctx, &uctx->restrans);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	}
-
-	*transp = (dns_clientupdatetrans_t *)uctx;
-
-	return (ISC_R_SUCCESS);
-
- fail:
-	if (ISC_LINK_LINKED(uctx, link)) {
-		LOCK(&client->lock);
-		ISC_LIST_UNLINK(client->updatectxs, uctx, link);
-		UNLOCK(&client->lock);
-	}
-	if (uctx->updatemsg != NULL)
-		dns_message_destroy(&uctx->updatemsg);
-	while ((sa = ISC_LIST_HEAD(uctx->servers)) != NULL) {
-		ISC_LIST_UNLINK(uctx->servers, sa, link);
-		isc_mem_put(client->mctx, sa, sizeof(*sa));
-	}
-	if (uctx->event != NULL)
-		isc_event_free(ISC_EVENT_PTR(&uctx->event));
-	if (uctx->tsigkey != NULL)
-		dns_tsigkey_detach(&uctx->tsigkey);
-	isc_task_detach(&clone);
-	DESTROYLOCK(&uctx->lock);
-	uctx->magic = 0;
-	isc_mem_put(client->mctx, uctx, sizeof(*uctx));
-	dns_view_detach(&view);
-
-	return (result);
-}
-
-void
-dns_client_cancelupdate(dns_clientupdatetrans_t *trans) {
-	updatectx_t *uctx;
-
-	REQUIRE(trans != NULL);
-	uctx = (updatectx_t *)trans;
-	REQUIRE(UCTX_VALID(uctx));
-
-	LOCK(&uctx->lock);
-
-	if (!uctx->canceled) {
-		uctx->canceled = ISC_TRUE;
-		if (uctx->updatereq != NULL)
-			dns_request_cancel(uctx->updatereq);
-		if (uctx->soareq != NULL)
-			dns_request_cancel(uctx->soareq);
-		if (uctx->restrans != NULL)
-			dns_client_cancelresolve(uctx->restrans);
-		if (uctx->restrans2 != NULL)
-			dns_client_cancelresolve(uctx->restrans2);
-	}
-
-	UNLOCK(&uctx->lock);
-}
-
-void
-dns_client_destroyupdatetrans(dns_clientupdatetrans_t **transp) {
-	updatectx_t *uctx;
-	isc_mem_t *mctx;
-	dns_client_t *client;
-	isc_boolean_t need_destroyclient = ISC_FALSE;
-	isc_sockaddr_t *sa;
-
-	REQUIRE(transp != NULL);
-	uctx = (updatectx_t *)*transp;
-	REQUIRE(UCTX_VALID(uctx));
-	client = uctx->client;
-	REQUIRE(DNS_CLIENT_VALID(client));
-	REQUIRE(uctx->updatereq == NULL && uctx->updatemsg == NULL &&
-		uctx->soareq == NULL && uctx->soaquery == NULL &&
-		uctx->event == NULL && uctx->tsigkey == NULL &&
-		uctx->sig0key == NULL);
-
-	mctx = client->mctx;
-	dns_view_detach(&uctx->view);
-	while ((sa = ISC_LIST_HEAD(uctx->servers)) != NULL) {
-		ISC_LIST_UNLINK(uctx->servers, sa, link);
-		isc_mem_put(mctx, sa, sizeof(*sa));
-	}
-
-	LOCK(&client->lock);
-
-	INSIST(ISC_LINK_LINKED(uctx, link));
-	ISC_LIST_UNLINK(client->updatectxs, uctx, link);
-
-	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
-	    ISC_LIST_EMPTY(client->reqctxs) &&
-	    ISC_LIST_EMPTY(client->updatectxs))
-		need_destroyclient = ISC_TRUE;
-
-	UNLOCK(&client->lock);
-
-	DESTROYLOCK(&uctx->lock);
-	uctx->magic = 0;
-
-	isc_mem_put(mctx, uctx, sizeof(*uctx));
-
-	if (need_destroyclient)
-		destroyclient(&client);
-
-	*transp = NULL;
-}
-
-isc_mem_t *
-dns_client_mctx(dns_client_t *client) {
-
-	REQUIRE(DNS_CLIENT_VALID(client));
-	return (client->mctx);
-}
-
-typedef struct {
-	isc_buffer_t 	buffer;
-	dns_rdataset_t	rdataset;
-	dns_rdatalist_t	rdatalist;
-	dns_rdata_t	rdata;
-	size_t		size;
-	isc_mem_t *	mctx;
-	unsigned char	data[FLEXIBLE_ARRAY_MEMBER];
-} dns_client_updaterec_t;
-
-isc_result_t
-dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
-		     dns_rdatatype_t type, dns_rdata_t *source,
-		     dns_ttl_t ttl, dns_name_t *target,
-		     dns_rdataset_t *rdataset, dns_rdatalist_t *rdatalist,
-		     dns_rdata_t *rdata, isc_mem_t *mctx)
-{
-	dns_client_updaterec_t *updaterec = NULL;
-	size_t size = offsetof(dns_client_updaterec_t, data);
-
-	REQUIRE(op < updateop_max);
-	REQUIRE(owner != NULL);
-	REQUIRE((rdataset != NULL && rdatalist != NULL && rdata != NULL) ||
-		(rdataset == NULL && rdatalist == NULL && rdata == NULL &&
-		 mctx != NULL));
-	if (op == updateop_add)
-		REQUIRE(source != NULL);
-	if (source != NULL) {
-		REQUIRE(source->type == type);
-		REQUIRE(op == updateop_add || op == updateop_delete ||
-			op == updateop_exist);
-	}
-
-	size += owner->length;
-	if (source != NULL)
-		size += source->length;
-
-	if (rdataset == NULL) {
-		updaterec = isc_mem_get(mctx, size);
-		if (updaterec == NULL)
-			return (ISC_R_NOMEMORY);
-		rdataset = &updaterec->rdataset;
-		rdatalist = &updaterec->rdatalist;
-		rdata = &updaterec->rdata;
-		dns_rdataset_init(rdataset);
-		dns_rdatalist_init(&updaterec->rdatalist);
-		dns_rdata_init(&updaterec->rdata);
-		isc_buffer_init(&updaterec->buffer, updaterec->data,
-				size - offsetof(dns_client_updaterec_t, data));
-		dns_name_copy(owner, target, &updaterec->buffer);
-		if (source != NULL) {
-			isc_region_t r;
-			dns_rdata_clone(source, rdata);
-			dns_rdata_toregion(rdata, &r);
-			rdata->data = isc_buffer_used(&updaterec->buffer);
-			isc_buffer_copyregion(&updaterec->buffer, &r);
-		}
-		updaterec->mctx = NULL;
-		isc_mem_attach(mctx, &updaterec->mctx);
-	} else if (source != NULL)
-		dns_rdata_clone(source, rdata);
-
-	switch (op) {
-	case updateop_add:
-		break;
-	case updateop_delete:
-		if (source != NULL) {
-			ttl = 0;
-			dns_rdata_makedelete(rdata);
-		} else
-			dns_rdata_deleterrset(rdata, type);
-		break;
-	case updateop_notexist:
-		dns_rdata_notexist(rdata, type);
-		break;
-	case updateop_exist:
-		if (source == NULL) {
-			ttl = 0;
-			dns_rdata_exists(rdata, type);
-		}
-	case updateop_none:
-		break;
-	default:
-		INSIST(0);
-	}
-
-	rdatalist->type = rdata->type;
-	rdatalist->rdclass = rdata->rdclass;
-	if (source != NULL) {
-		rdatalist->covers = dns_rdata_covers(rdata);
-		rdatalist->ttl = ttl;
-	}
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
-	ISC_LIST_APPEND(target->list, rdataset, link);
-	if (updaterec != NULL) {
-		target->attributes |= DNS_NAMEATTR_HASUPDATEREC;
-		dns_name_setbuffer(target, &updaterec->buffer);
-	}
-	if (op == updateop_add || op == updateop_delete)
-		target->attributes |= DNS_NAMEATTR_UPDATE;
-	else
-		target->attributes |= DNS_NAMEATTR_PREREQUISITE;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_client_freeupdate(dns_name_t **namep) {
-	dns_client_updaterec_t *updaterec;
-	dns_rdatalist_t *rdatalist;
-	dns_rdataset_t *rdataset;
-	dns_rdata_t *rdata;
-	dns_name_t *name;
-
-	REQUIRE(namep != NULL && *namep != NULL);
-
-	name = *namep;
-	for (rdataset = ISC_LIST_HEAD(name->list);
-	     rdataset != NULL;
-	     rdataset = ISC_LIST_HEAD(name->list)) {
-		ISC_LIST_UNLINK(name->list, rdataset, link);
-		rdatalist = NULL;
-		dns_rdatalist_fromrdataset(rdataset, &rdatalist);
-		if (rdatalist == NULL) {
-			dns_rdataset_disassociate(rdataset);
-			continue;
-		}
-		for (rdata = ISC_LIST_HEAD(rdatalist->rdata);
-		     rdata != NULL;
-		     rdata = ISC_LIST_HEAD(rdatalist->rdata))
-			ISC_LIST_UNLINK(rdatalist->rdata, rdata, link);
-		dns_rdataset_disassociate(rdataset);
-	}
-
-	if ((name->attributes & DNS_NAMEATTR_HASUPDATEREC) != 0) {
-		updaterec = (dns_client_updaterec_t *)name->buffer;
-		INSIST(updaterec != NULL);
-		isc_mem_putanddetach(&updaterec->mctx, updaterec,
-				     updaterec->size);
-		*namep = NULL;
-	}
-}
diff --git a/contrib/bind9/lib/dns/clientinfo.c b/contrib/bind9/lib/dns/clientinfo.c
deleted file mode 100644
index fd5a5e2..0000000
--- a/contrib/bind9/lib/dns/clientinfo.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: clientinfo.c,v 1.3 2011/10/11 00:25:12 marka Exp $ */
-
-/*! \file */
-
-#include "config.h"
-
-#include <dns/clientinfo.h>
-
-void
-dns_clientinfomethods_init(dns_clientinfomethods_t *methods,
-			   dns_clientinfo_sourceip_t sourceip)
-{
-	methods->version = DNS_CLIENTINFOMETHODS_VERSION;
-	methods->age = DNS_CLIENTINFOMETHODS_AGE;
-	methods->sourceip = sourceip;
-}
-
-void
-dns_clientinfo_init(dns_clientinfo_t *ci, void *data) {
-	ci->version = DNS_CLIENTINFO_VERSION;
-	ci->data = data;
-}
diff --git a/contrib/bind9/lib/dns/compress.c b/contrib/bind9/lib/dns/compress.c
deleted file mode 100644
index 11473ee..0000000
--- a/contrib/bind9/lib/dns/compress.c
+++ /dev/null
@@ -1,341 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: compress.c,v 1.59 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#define DNS_NAME_USEINLINE 1
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/compress.h>
-#include <dns/fixedname.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-
-#define CCTX_MAGIC	ISC_MAGIC('C', 'C', 'T', 'X')
-#define VALID_CCTX(x)	ISC_MAGIC_VALID(x, CCTX_MAGIC)
-
-#define DCTX_MAGIC	ISC_MAGIC('D', 'C', 'T', 'X')
-#define VALID_DCTX(x)	ISC_MAGIC_VALID(x, DCTX_MAGIC)
-
-/***
- ***	Compression
- ***/
-
-isc_result_t
-dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx) {
-	unsigned int i;
-
-	REQUIRE(cctx != NULL);
-	REQUIRE(mctx != NULL);	/* See: rdataset.c:towiresorted(). */
-
-	cctx->allowed = 0;
-	cctx->edns = edns;
-	for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++)
-		cctx->table[i] = NULL;
-	cctx->mctx = mctx;
-	cctx->count = 0;
-	cctx->magic = CCTX_MAGIC;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_compress_invalidate(dns_compress_t *cctx) {
-	dns_compressnode_t *node;
-	unsigned int i;
-
-	REQUIRE(VALID_CCTX(cctx));
-
-	cctx->magic = 0;
-	for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
-		while (cctx->table[i] != NULL) {
-			node = cctx->table[i];
-			cctx->table[i] = cctx->table[i]->next;
-			if (node->count < DNS_COMPRESS_INITIALNODES)
-				continue;
-			isc_mem_put(cctx->mctx, node, sizeof(*node));
-		}
-	}
-	cctx->allowed = 0;
-	cctx->edns = -1;
-}
-
-void
-dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed) {
-	REQUIRE(VALID_CCTX(cctx));
-
-	cctx->allowed &= ~DNS_COMPRESS_ALL;
-	cctx->allowed |= (allowed & DNS_COMPRESS_ALL);
-}
-
-unsigned int
-dns_compress_getmethods(dns_compress_t *cctx) {
-	REQUIRE(VALID_CCTX(cctx));
-	return (cctx->allowed & DNS_COMPRESS_ALL);
-}
-
-void
-dns_compress_setsensitive(dns_compress_t *cctx, isc_boolean_t sensitive) {
-	REQUIRE(VALID_CCTX(cctx));
-
-	if (sensitive)
-		cctx->allowed |= DNS_COMPRESS_CASESENSITIVE;
-	else
-		cctx->allowed &= ~DNS_COMPRESS_CASESENSITIVE;
-}
-
-isc_boolean_t
-dns_compress_getsensitive(dns_compress_t *cctx) {
-	REQUIRE(VALID_CCTX(cctx));
-
-	return (ISC_TF((cctx->allowed & DNS_COMPRESS_CASESENSITIVE) != 0));
-}
-
-int
-dns_compress_getedns(dns_compress_t *cctx) {
-	REQUIRE(VALID_CCTX(cctx));
-	return (cctx->edns);
-}
-
-#define NODENAME(node, name) \
-do { \
-	(name)->length = (node)->r.length; \
-	(name)->labels = (node)->labels; \
-	(name)->ndata = (node)->r.base; \
-	(name)->attributes = DNS_NAMEATTR_ABSOLUTE; \
-} while (0)
-
-/*
- * Find the longest match of name in the table.
- * If match is found return ISC_TRUE. prefix, suffix and offset are updated.
- * If no match is found return ISC_FALSE.
- */
-isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
-			dns_name_t *prefix, isc_uint16_t *offset)
-{
-	dns_name_t tname, nname;
-	dns_compressnode_t *node = NULL;
-	unsigned int labels, hash, n;
-
-	REQUIRE(VALID_CCTX(cctx));
-	REQUIRE(dns_name_isabsolute(name) == ISC_TRUE);
-	REQUIRE(offset != NULL);
-
-	if (cctx->count == 0)
-		return (ISC_FALSE);
-
-	labels = dns_name_countlabels(name);
-	INSIST(labels > 0);
-
-	dns_name_init(&tname, NULL);
-	dns_name_init(&nname, NULL);
-
-	for (n = 0; n < labels - 1; n++) {
-		dns_name_getlabelsequence(name, n, labels - n, &tname);
-		hash = dns_name_hash(&tname, ISC_FALSE) %
-		       DNS_COMPRESS_TABLESIZE;
-		for (node = cctx->table[hash]; node != NULL; node = node->next)
-		{
-			NODENAME(node, &nname);
-			if ((cctx->allowed & DNS_COMPRESS_CASESENSITIVE) != 0) {
-				if (dns_name_caseequal(&nname, &tname))
-					break;
-			} else {
-				if (dns_name_equal(&nname, &tname))
-					break;
-			}
-		}
-		if (node != NULL)
-			break;
-	}
-
-	/*
-	 * If node == NULL, we found no match at all.
-	 */
-	if (node == NULL)
-		return (ISC_FALSE);
-
-	if (n == 0)
-		dns_name_reset(prefix);
-	else
-		dns_name_getlabelsequence(name, 0, n, prefix);
-
-	*offset = node->offset;
-	return (ISC_TRUE);
-}
-
-static inline unsigned int
-name_length(const dns_name_t *name) {
-	isc_region_t r;
-	dns_name_toregion(name, &r);
-	return (r.length);
-}
-
-void
-dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
-		 const dns_name_t *prefix, isc_uint16_t offset)
-{
-	dns_name_t tname;
-	unsigned int start;
-	unsigned int n;
-	unsigned int count;
-	unsigned int hash;
-	dns_compressnode_t *node;
-	unsigned int length;
-	unsigned int tlength;
-	isc_uint16_t toffset;
-
-	REQUIRE(VALID_CCTX(cctx));
-	REQUIRE(dns_name_isabsolute(name));
-
-	dns_name_init(&tname, NULL);
-
-	n = dns_name_countlabels(name);
-	count = dns_name_countlabels(prefix);
-	if (dns_name_isabsolute(prefix))
-		count--;
-	start = 0;
-	length = name_length(name);
-	while (count > 0) {
-		if (offset >= 0x4000)
-			break;
-		dns_name_getlabelsequence(name, start, n, &tname);
-		hash = dns_name_hash(&tname, ISC_FALSE) %
-		       DNS_COMPRESS_TABLESIZE;
-		tlength = name_length(&tname);
-		toffset = (isc_uint16_t)(offset + (length - tlength));
-		/*
-		 * Create a new node and add it.
-		 */
-		if (cctx->count < DNS_COMPRESS_INITIALNODES)
-			node = &cctx->initialnodes[cctx->count];
-		else {
-			node = isc_mem_get(cctx->mctx,
-					   sizeof(dns_compressnode_t));
-			if (node == NULL)
-				return;
-		}
-		node->count = cctx->count++;
-		node->offset = toffset;
-		dns_name_toregion(&tname, &node->r);
-		node->labels = (isc_uint8_t)dns_name_countlabels(&tname);
-		node->next = cctx->table[hash];
-		cctx->table[hash] = node;
-		start++;
-		n--;
-		count--;
-	}
-}
-
-void
-dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset) {
-	unsigned int i;
-	dns_compressnode_t *node;
-
-	REQUIRE(VALID_CCTX(cctx));
-
-	for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
-		node = cctx->table[i];
-		/*
-		 * This relies on nodes with greater offsets being
-		 * closer to the beginning of the list, and the
-		 * items with the greatest offsets being at the end 
-		 * of the initialnodes[] array.
-		 */
-		while (node != NULL && node->offset >= offset) {
-			cctx->table[i] = node->next;
-			if (node->count >= DNS_COMPRESS_INITIALNODES)
-				isc_mem_put(cctx->mctx, node, sizeof(*node));
-			cctx->count--;
-			node = cctx->table[i];
-		}
-	}
-}
-
-/***
- ***	Decompression
- ***/
-
-void
-dns_decompress_init(dns_decompress_t *dctx, int edns,
-		    dns_decompresstype_t type) {
-
-	REQUIRE(dctx != NULL);
-	REQUIRE(edns >= -1 && edns <= 255);
-
-	dctx->allowed = DNS_COMPRESS_NONE;
-	dctx->edns = edns;
-	dctx->type = type;
-	dctx->magic = DCTX_MAGIC;
-}
-
-void
-dns_decompress_invalidate(dns_decompress_t *dctx) {
-
-	REQUIRE(VALID_DCTX(dctx));
-
-	dctx->magic = 0;
-}
-
-void
-dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed) {
-
-	REQUIRE(VALID_DCTX(dctx));
-
-	switch (dctx->type) {
-	case DNS_DECOMPRESS_ANY:
-		dctx->allowed = DNS_COMPRESS_ALL;
-		break;
-	case DNS_DECOMPRESS_NONE:
-		dctx->allowed = DNS_COMPRESS_NONE;
-		break;
-	case DNS_DECOMPRESS_STRICT:
-		dctx->allowed = allowed;
-		break;
-	}
-}
-
-unsigned int
-dns_decompress_getmethods(dns_decompress_t *dctx) {
-
-	REQUIRE(VALID_DCTX(dctx));
-
-	return (dctx->allowed);
-}
-
-int
-dns_decompress_edns(dns_decompress_t *dctx) {
-
-	REQUIRE(VALID_DCTX(dctx));
-
-	return (dctx->edns);
-}
-
-dns_decompresstype_t
-dns_decompress_type(dns_decompress_t *dctx) {
-
-	REQUIRE(VALID_DCTX(dctx));
-
-	return (dctx->type);
-}
diff --git a/contrib/bind9/lib/dns/db.c b/contrib/bind9/lib/dns/db.c
deleted file mode 100644
index bf4a5b3..0000000
--- a/contrib/bind9/lib/dns/db.c
+++ /dev/null
@@ -1,1027 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: db.c,v 1.99.4.1 2011/10/23 20:12:07 vjs Exp $ */
-
-/*! \file */
-
-/***
- *** Imports
- ***/
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/rwlock.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/clientinfo.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-
-/***
- *** Private Types
- ***/
-
-struct dns_dbimplementation {
-	const char *				name;
-	dns_dbcreatefunc_t			create;
-	isc_mem_t *				mctx;
-	void *					driverarg;
-	ISC_LINK(dns_dbimplementation_t)	link;
-};
-
-/***
- *** Supported DB Implementations Registry
- ***/
-
-/*
- * Built in database implementations are registered here.
- */
-
-#include "rbtdb.h"
-#ifdef BIND9
-#include "rbtdb64.h"
-#endif
-
-static ISC_LIST(dns_dbimplementation_t) implementations;
-static isc_rwlock_t implock;
-static isc_once_t once = ISC_ONCE_INIT;
-
-static dns_dbimplementation_t rbtimp;
-#ifdef BIND9
-static dns_dbimplementation_t rbt64imp;
-#endif
-
-static void
-initialize(void) {
-	RUNTIME_CHECK(isc_rwlock_init(&implock, 0, 0) == ISC_R_SUCCESS);
-
-	rbtimp.name = "rbt";
-	rbtimp.create = dns_rbtdb_create;
-	rbtimp.mctx = NULL;
-	rbtimp.driverarg = NULL;
-	ISC_LINK_INIT(&rbtimp, link);
-
-#ifdef BIND9
-	rbt64imp.name = "rbt64";
-	rbt64imp.create = dns_rbtdb64_create;
-	rbt64imp.mctx = NULL;
-	rbt64imp.driverarg = NULL;
-	ISC_LINK_INIT(&rbt64imp, link);
-#endif
-
-	ISC_LIST_INIT(implementations);
-	ISC_LIST_APPEND(implementations, &rbtimp, link);
-#ifdef BIND9
-	ISC_LIST_APPEND(implementations, &rbt64imp, link);
-#endif
-}
-
-static inline dns_dbimplementation_t *
-impfind(const char *name) {
-	dns_dbimplementation_t *imp;
-
-	for (imp = ISC_LIST_HEAD(implementations);
-	     imp != NULL;
-	     imp = ISC_LIST_NEXT(imp, link))
-		if (strcasecmp(name, imp->name) == 0)
-			return (imp);
-	return (NULL);
-}
-
-
-/***
- *** Basic DB Methods
- ***/
-
-isc_result_t
-dns_db_create(isc_mem_t *mctx, const char *db_type, dns_name_t *origin,
-	      dns_dbtype_t type, dns_rdataclass_t rdclass,
-	      unsigned int argc, char *argv[], dns_db_t **dbp)
-{
-	dns_dbimplementation_t *impinfo;
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
-	/*
-	 * Create a new database using implementation 'db_type'.
-	 */
-
-	REQUIRE(dbp != NULL && *dbp == NULL);
-	REQUIRE(dns_name_isabsolute(origin));
-
-	RWLOCK(&implock, isc_rwlocktype_read);
-	impinfo = impfind(db_type);
-	if (impinfo != NULL) {
-		isc_result_t result;
-		result = ((impinfo->create)(mctx, origin, type,
-					    rdclass, argc, argv,
-					    impinfo->driverarg, dbp));
-		RWUNLOCK(&implock, isc_rwlocktype_read);
-		return (result);
-	}
-
-	RWUNLOCK(&implock, isc_rwlocktype_read);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-		      DNS_LOGMODULE_DB, ISC_LOG_ERROR,
-		      "unsupported database type '%s'", db_type);
-
-	return (ISC_R_NOTFOUND);
-}
-
-void
-dns_db_attach(dns_db_t *source, dns_db_t **targetp) {
-
-	/*
-	 * Attach *targetp to source.
-	 */
-
-	REQUIRE(DNS_DB_VALID(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	(source->methods->attach)(source, targetp);
-
-	ENSURE(*targetp == source);
-}
-
-void
-dns_db_detach(dns_db_t **dbp) {
-
-	/*
-	 * Detach *dbp from its database.
-	 */
-
-	REQUIRE(dbp != NULL);
-	REQUIRE(DNS_DB_VALID(*dbp));
-
-	((*dbp)->methods->detach)(dbp);
-
-	ENSURE(*dbp == NULL);
-}
-
-isc_result_t
-dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp)
-{
-	REQUIRE(DNS_DB_VALID(db));
-
-	return (isc_ondestroy_register(&db->ondest, task, eventp));
-}
-
-
-isc_boolean_t
-dns_db_iscache(dns_db_t *db) {
-
-	/*
-	 * Does 'db' have cache semantics?
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-
-	if ((db->attributes & DNS_DBATTR_CACHE) != 0)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_db_iszone(dns_db_t *db) {
-
-	/*
-	 * Does 'db' have zone semantics?
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-
-	if ((db->attributes & (DNS_DBATTR_CACHE|DNS_DBATTR_STUB)) == 0)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_db_isstub(dns_db_t *db) {
-
-	/*
-	 * Does 'db' have stub semantics?
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-
-	if ((db->attributes & DNS_DBATTR_STUB) != 0)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_db_isdnssec(dns_db_t *db) {
-
-	/*
-	 * Is 'db' secure or partially secure?
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
-
-	if (db->methods->isdnssec != NULL)
-		return ((db->methods->isdnssec)(db));
-	return ((db->methods->issecure)(db));
-}
-
-isc_boolean_t
-dns_db_issecure(dns_db_t *db) {
-
-	/*
-	 * Is 'db' secure?
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
-
-	return ((db->methods->issecure)(db));
-}
-
-isc_boolean_t
-dns_db_ispersistent(dns_db_t *db) {
-
-	/*
-	 * Is 'db' persistent?
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-
-	return ((db->methods->ispersistent)(db));
-}
-
-dns_name_t *
-dns_db_origin(dns_db_t *db) {
-	/*
-	 * The origin of the database.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-
-	return (&db->origin);
-}
-
-dns_rdataclass_t
-dns_db_class(dns_db_t *db) {
-	/*
-	 * The class of the database.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-
-	return (db->rdclass);
-}
-
-#ifdef BIND9
-isc_result_t
-dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
-		 dns_dbload_t **dbloadp) {
-	/*
-	 * Begin loading 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(addp != NULL && *addp == NULL);
-	REQUIRE(dbloadp != NULL && *dbloadp == NULL);
-
-	return ((db->methods->beginload)(db, addp, dbloadp));
-}
-
-isc_result_t
-dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp) {
-	/*
-	 * Finish loading 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(dbloadp != NULL && *dbloadp != NULL);
-
-	return ((db->methods->endload)(db, dbloadp));
-}
-
-isc_result_t
-dns_db_load(dns_db_t *db, const char *filename) {
-	return (dns_db_load3(db, filename, dns_masterformat_text, 0));
-}
-
-isc_result_t
-dns_db_load2(dns_db_t *db, const char *filename, dns_masterformat_t format) {
-	return (dns_db_load3(db, filename, format, 0));
-}
-
-isc_result_t
-dns_db_load3(dns_db_t *db, const char *filename, dns_masterformat_t format,
-	     unsigned int options) {
-	isc_result_t result, eresult;
-	dns_rdatacallbacks_t callbacks;
-
-	/*
-	 * Load master file 'filename' into 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-
-	if ((db->attributes & DNS_DBATTR_CACHE) != 0)
-		options |= DNS_MASTER_AGETTL;
-
-	dns_rdatacallbacks_init(&callbacks);
-
-	result = dns_db_beginload(db, &callbacks.add, &callbacks.add_private);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_master_loadfile2(filename, &db->origin, &db->origin,
-				      db->rdclass, options,
-				      &callbacks, db->mctx, format);
-	eresult = dns_db_endload(db, &callbacks.add_private);
-	/*
-	 * We always call dns_db_endload(), but we only want to return its
-	 * result if dns_master_loadfile() succeeded.  If dns_master_loadfile()
-	 * failed, we want to return the result code it gave us.
-	 */
-	if (eresult != ISC_R_SUCCESS &&
-	    (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
-		result = eresult;
-
-	return (result);
-}
-
-isc_result_t
-dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
-	return ((db->methods->dump)(db, version, filename,
-				    dns_masterformat_text));
-}
-
-isc_result_t
-dns_db_dump2(dns_db_t *db, dns_dbversion_t *version, const char *filename,
-	     dns_masterformat_t masterformat) {
-	/*
-	 * Dump 'db' into master file 'filename' in the 'masterformat' format.
-	 * XXXJT: is it okay to modify the interface to the existing "dump"
-	 * method?
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-
-	return ((db->methods->dump)(db, version, filename, masterformat));
-}
-#endif /* BIND9 */
-
-/***
- *** Version Methods
- ***/
-
-void
-dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
-
-	/*
-	 * Open the current version for reading.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
-	REQUIRE(versionp != NULL && *versionp == NULL);
-
-	(db->methods->currentversion)(db, versionp);
-}
-
-isc_result_t
-dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp) {
-
-	/*
-	 * Open a new version for reading and writing.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
-	REQUIRE(versionp != NULL && *versionp == NULL);
-
-	return ((db->methods->newversion)(db, versionp));
-}
-
-void
-dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
-		     dns_dbversion_t **targetp)
-{
-	/*
-	 * Attach '*targetp' to 'source'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
-	REQUIRE(source != NULL);
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	(db->methods->attachversion)(db, source, targetp);
-
-	ENSURE(*targetp != NULL);
-}
-
-void
-dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
-		    isc_boolean_t commit)
-{
-
-	/*
-	 * Close version '*versionp'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
-	REQUIRE(versionp != NULL && *versionp != NULL);
-
-	(db->methods->closeversion)(db, versionp, commit);
-
-	ENSURE(*versionp == NULL);
-}
-
-/***
- *** Node Methods
- ***/
-
-isc_result_t
-dns_db_findnode(dns_db_t *db, dns_name_t *name,
-		isc_boolean_t create, dns_dbnode_t **nodep)
-{
-
-	/*
-	 * Find the node with name 'name'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	if (db->methods->findnode != NULL)
-		return ((db->methods->findnode)(db, name, create, nodep));
-	else
-		return ((db->methods->findnodeext)(db, name, create,
-						   NULL, NULL, nodep));
-}
-
-isc_result_t
-dns_db_findnodeext(dns_db_t *db, dns_name_t *name,
-		   isc_boolean_t create, dns_clientinfomethods_t *methods,
-		   dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep)
-{
-	/*
-	 * Find the node with name 'name', passing 'arg' to the database
-	 * implementation.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	if (db->methods->findnodeext != NULL)
-		return ((db->methods->findnodeext)(db, name, create,
-						   methods, clientinfo, nodep));
-	else
-		return ((db->methods->findnode)(db, name, create, nodep));
-}
-
-isc_result_t
-dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
-		     isc_boolean_t create, dns_dbnode_t **nodep)
-{
-
-	/*
-	 * Find the node with name 'name'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	return ((db->methods->findnsec3node)(db, name, create, nodep));
-}
-
-isc_result_t
-dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-	    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-	    dns_dbnode_t **nodep, dns_name_t *foundname,
-	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	/*
-	 * Find the best match for 'name' and 'type' in version 'version'
-	 * of 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(type != dns_rdatatype_rrsig);
-	REQUIRE(nodep == NULL || (nodep != NULL && *nodep == NULL));
-	REQUIRE(dns_name_hasbuffer(foundname));
-	REQUIRE(rdataset == NULL ||
-		(DNS_RDATASET_VALID(rdataset) &&
-		 ! dns_rdataset_isassociated(rdataset)));
-	REQUIRE(sigrdataset == NULL ||
-		(DNS_RDATASET_VALID(sigrdataset) &&
-		 ! dns_rdataset_isassociated(sigrdataset)));
-
-	if (db->methods->find != NULL)
-		return ((db->methods->find)(db, name, version, type,
-					    options, now, nodep, foundname,
-					    rdataset, sigrdataset));
-	else
-		return ((db->methods->findext)(db, name, version, type,
-					       options, now, nodep, foundname,
-					       NULL, NULL,
-					       rdataset, sigrdataset));
-}
-
-isc_result_t
-dns_db_findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-	       dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-	       dns_dbnode_t **nodep, dns_name_t *foundname,
-	       dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
-	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-
-	/*
-	 * Find the best match for 'name' and 'type' in version 'version'
-	 * of 'db', passing in 'arg'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(type != dns_rdatatype_rrsig);
-	REQUIRE(nodep == NULL || (nodep != NULL && *nodep == NULL));
-	REQUIRE(dns_name_hasbuffer(foundname));
-	REQUIRE(rdataset == NULL ||
-		(DNS_RDATASET_VALID(rdataset) &&
-		 ! dns_rdataset_isassociated(rdataset)));
-	REQUIRE(sigrdataset == NULL ||
-		(DNS_RDATASET_VALID(sigrdataset) &&
-		 ! dns_rdataset_isassociated(sigrdataset)));
-
-	if (db->methods->findext != NULL)
-		return ((db->methods->findext)(db, name, version, type,
-					       options, now, nodep, foundname,
-					       methods, clientinfo,
-					       rdataset, sigrdataset));
-	else
-		return ((db->methods->find)(db, name, version, type,
-					    options, now, nodep, foundname,
-					    rdataset, sigrdataset));
-}
-
-isc_result_t
-dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
-		   unsigned int options, isc_stdtime_t now,
-		   dns_dbnode_t **nodep, dns_name_t *foundname,
-		   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	/*
-	 * Find the deepest known zonecut which encloses 'name' in 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
-	REQUIRE(nodep == NULL || (nodep != NULL && *nodep == NULL));
-	REQUIRE(dns_name_hasbuffer(foundname));
-	REQUIRE(sigrdataset == NULL ||
-		(DNS_RDATASET_VALID(sigrdataset) &&
-		 ! dns_rdataset_isassociated(sigrdataset)));
-
-	return ((db->methods->findzonecut)(db, name, options, now, nodep,
-					   foundname, rdataset, sigrdataset));
-}
-
-void
-dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
-
-	/*
-	 * Attach *targetp to source.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(source != NULL);
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	(db->methods->attachnode)(db, source, targetp);
-}
-
-void
-dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
-
-	/*
-	 * Detach *nodep from its node.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(nodep != NULL && *nodep != NULL);
-
-	(db->methods->detachnode)(db, nodep);
-
-	ENSURE(*nodep == NULL);
-}
-
-void
-dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
-		    dns_dbnode_t **targetp)
-{
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-	/*
-	 * This doesn't check the implementation magic.  If we find that
-	 * we need such checks in future then this will be done in the
-	 * method.
-	 */
-	REQUIRE(sourcep != NULL && *sourcep != NULL);
-
-	UNUSED(db);
-
-	if (db->methods->transfernode == NULL) {
-		*targetp = *sourcep;
-		*sourcep = NULL;
-	} else
-		(db->methods->transfernode)(db, sourcep, targetp);
-
-	ENSURE(*sourcep == NULL);
-}
-
-isc_result_t
-dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
-
-	/*
-	 * Mark as stale all records at 'node' which expire at or before 'now'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
-	REQUIRE(node != NULL);
-
-	return ((db->methods->expirenode)(db, node, now));
-}
-
-void
-dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
-	/*
-	 * Print a textual representation of the contents of the node to
-	 * 'out'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(node != NULL);
-
-	(db->methods->printnode)(db, node, out);
-}
-
-/***
- *** DB Iterator Creation
- ***/
-
-isc_result_t
-dns_db_createiterator(dns_db_t *db, unsigned int flags,
-		      dns_dbiterator_t **iteratorp)
-{
-	/*
-	 * Create an iterator for version 'version' of 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(iteratorp != NULL && *iteratorp == NULL);
-
-	return (db->methods->createiterator(db, flags, iteratorp));
-}
-
-/***
- *** Rdataset Methods
- ***/
-
-isc_result_t
-dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		    dns_rdatatype_t type, dns_rdatatype_t covers,
-		    isc_stdtime_t now, dns_rdataset_t *rdataset,
-		    dns_rdataset_t *sigrdataset)
-{
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(node != NULL);
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(! dns_rdataset_isassociated(rdataset));
-	REQUIRE(covers == 0 || type == dns_rdatatype_rrsig);
-	REQUIRE(type != dns_rdatatype_any);
-	REQUIRE(sigrdataset == NULL ||
-		(DNS_RDATASET_VALID(sigrdataset) &&
-		 ! dns_rdataset_isassociated(sigrdataset)));
-
-	return ((db->methods->findrdataset)(db, node, version, type,
-					    covers, now, rdataset,
-					    sigrdataset));
-}
-
-isc_result_t
-dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		    isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
-{
-	/*
-	 * Make '*iteratorp' an rdataset iteratator for all rdatasets at
-	 * 'node' in version 'version' of 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(iteratorp != NULL && *iteratorp == NULL);
-
-	return ((db->methods->allrdatasets)(db, node, version, now,
-					    iteratorp));
-}
-
-isc_result_t
-dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		   isc_stdtime_t now, dns_rdataset_t *rdataset,
-		   unsigned int options, dns_rdataset_t *addedrdataset)
-{
-	/*
-	 * Add 'rdataset' to 'node' in version 'version' of 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(node != NULL);
-	REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL)||
-		((db->attributes & DNS_DBATTR_CACHE) != 0 &&
-		 version == NULL && (options & DNS_DBADD_MERGE) == 0));
-	REQUIRE((options & DNS_DBADD_EXACT) == 0 ||
-		(options & DNS_DBADD_MERGE) != 0);
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(dns_rdataset_isassociated(rdataset));
-	REQUIRE(rdataset->rdclass == db->rdclass);
-	REQUIRE(addedrdataset == NULL ||
-		(DNS_RDATASET_VALID(addedrdataset) &&
-		 ! dns_rdataset_isassociated(addedrdataset)));
-
-	return ((db->methods->addrdataset)(db, node, version, now, rdataset,
-					   options, addedrdataset));
-}
-
-isc_result_t
-dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
-			dns_dbversion_t *version, dns_rdataset_t *rdataset,
-			unsigned int options, dns_rdataset_t *newrdataset)
-{
-	/*
-	 * Remove any rdata in 'rdataset' from 'node' in version 'version' of
-	 * 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(node != NULL);
-	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL);
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(dns_rdataset_isassociated(rdataset));
-	REQUIRE(rdataset->rdclass == db->rdclass);
-	REQUIRE(newrdataset == NULL ||
-		(DNS_RDATASET_VALID(newrdataset) &&
-		 ! dns_rdataset_isassociated(newrdataset)));
-
-	return ((db->methods->subtractrdataset)(db, node, version, rdataset,
-						options, newrdataset));
-}
-
-isc_result_t
-dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
-		      dns_dbversion_t *version, dns_rdatatype_t type,
-		      dns_rdatatype_t covers)
-{
-	/*
-	 * Make it so that no rdataset of type 'type' exists at 'node' in
-	 * version version 'version' of 'db'.
-	 */
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(node != NULL);
-	REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL)||
-		((db->attributes & DNS_DBATTR_CACHE) != 0 && version == NULL));
-
-	return ((db->methods->deleterdataset)(db, node, version,
-					      type, covers));
-}
-
-void
-dns_db_overmem(dns_db_t *db, isc_boolean_t overmem) {
-
-	REQUIRE(DNS_DB_VALID(db));
-
-	(db->methods->overmem)(db, overmem);
-}
-
-isc_result_t
-dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_buffer_t buffer;
-
-	REQUIRE(dns_db_iszone(db) || dns_db_isstub(db));
-
-	result = dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
-				     (isc_stdtime_t)0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto freenode;
-
-	result = dns_rdataset_first(&rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto freerdataset;
-	dns_rdataset_current(&rdataset, &rdata);
-	result = dns_rdataset_next(&rdataset);
-	INSIST(result == ISC_R_NOMORE);
-
-	INSIST(rdata.length > 20);
-	isc_buffer_init(&buffer, rdata.data, rdata.length);
-	isc_buffer_add(&buffer, rdata.length);
-	isc_buffer_forward(&buffer, rdata.length - 20);
-	*serialp = isc_buffer_getuint32(&buffer);
-
-	result = ISC_R_SUCCESS;
-
- freerdataset:
-	dns_rdataset_disassociate(&rdataset);
-
- freenode:
-	dns_db_detachnode(db, &node);
-	return (result);
-}
-
-unsigned int
-dns_db_nodecount(dns_db_t *db) {
-	REQUIRE(DNS_DB_VALID(db));
-
-	return ((db->methods->nodecount)(db));
-}
-
-void
-dns_db_settask(dns_db_t *db, isc_task_t *task) {
-	REQUIRE(DNS_DB_VALID(db));
-
-	(db->methods->settask)(db, task);
-}
-
-isc_result_t
-dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
-		isc_mem_t *mctx, dns_dbimplementation_t **dbimp)
-{
-	dns_dbimplementation_t *imp;
-
-	REQUIRE(name != NULL);
-	REQUIRE(dbimp != NULL && *dbimp == NULL);
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
-	RWLOCK(&implock, isc_rwlocktype_write);
-	imp = impfind(name);
-	if (imp != NULL) {
-		RWUNLOCK(&implock, isc_rwlocktype_write);
-		return (ISC_R_EXISTS);
-	}
-
-	imp = isc_mem_get(mctx, sizeof(dns_dbimplementation_t));
-	if (imp == NULL) {
-		RWUNLOCK(&implock, isc_rwlocktype_write);
-		return (ISC_R_NOMEMORY);
-	}
-	imp->name = name;
-	imp->create = create;
-	imp->mctx = NULL;
-	imp->driverarg = driverarg;
-	isc_mem_attach(mctx, &imp->mctx);
-	ISC_LINK_INIT(imp, link);
-	ISC_LIST_APPEND(implementations, imp, link);
-	RWUNLOCK(&implock, isc_rwlocktype_write);
-
-	*dbimp = imp;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_db_unregister(dns_dbimplementation_t **dbimp) {
-	dns_dbimplementation_t *imp;
-	isc_mem_t *mctx;
-
-	REQUIRE(dbimp != NULL && *dbimp != NULL);
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
-	imp = *dbimp;
-	*dbimp = NULL;
-	RWLOCK(&implock, isc_rwlocktype_write);
-	ISC_LIST_UNLINK(implementations, imp, link);
-	mctx = imp->mctx;
-	isc_mem_put(mctx, imp, sizeof(dns_dbimplementation_t));
-	isc_mem_detach(&mctx);
-	RWUNLOCK(&implock, isc_rwlocktype_write);
-	ENSURE(*dbimp == NULL);
-}
-
-isc_result_t
-dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(dns_db_iszone(db) == ISC_TRUE);
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	if (db->methods->getoriginnode != NULL)
-		return ((db->methods->getoriginnode)(db, nodep));
-
-	return (ISC_R_NOTFOUND);
-}
-
-dns_stats_t *
-dns_db_getrrsetstats(dns_db_t *db) {
-	REQUIRE(DNS_DB_VALID(db));
-
-	if (db->methods->getrrsetstats != NULL)
-		return ((db->methods->getrrsetstats)(db));
-
-	return (NULL);
-}
-
-isc_result_t
-dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
-			  dns_hash_t *hash, isc_uint8_t *flags,
-			  isc_uint16_t *iterations,
-			  unsigned char *salt, size_t *salt_length)
-{
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(dns_db_iszone(db) == ISC_TRUE);
-
-	if (db->methods->getnsec3parameters != NULL)
-		return ((db->methods->getnsec3parameters)(db, version, hash,
-							  flags, iterations,
-							  salt, salt_length));
-
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
-		      isc_stdtime_t resign)
-{
-	if (db->methods->setsigningtime != NULL)
-		return ((db->methods->setsigningtime)(db, rdataset, resign));
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-isc_result_t
-dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name)
-{
-	if (db->methods->getsigningtime != NULL)
-		return ((db->methods->getsigningtime)(db, rdataset, name));
-	return (ISC_R_NOTFOUND);
-}
-
-void
-dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
-		dns_dbversion_t *version)
-{
-	if (db->methods->resigned != NULL)
-		(db->methods->resigned)(db, rdataset, version);
-}
-
-isc_result_t
-dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
-{
-	if (db->methods->rpz_enabled != NULL)
-		return ((db->methods->rpz_enabled)(db, st));
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
-		   dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
-		   dns_rdataset_t *ardataset, dns_rpz_st_t *st,
-		   dns_name_t *query_qname)
-{
-	if (db->methods->rpz_findips != NULL)
-		(db->methods->rpz_findips)(rpz, rpz_type, zone, db, version,
-					   ardataset, st, query_qname);
-}
diff --git a/contrib/bind9/lib/dns/dbiterator.c b/contrib/bind9/lib/dns/dbiterator.c
deleted file mode 100644
index 8981e49..0000000
--- a/contrib/bind9/lib/dns/dbiterator.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dbiterator.c,v 1.18 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <dns/dbiterator.h>
-#include <dns/name.h>
-
-void
-dns_dbiterator_destroy(dns_dbiterator_t **iteratorp) {
-	/*
-	 * Destroy '*iteratorp'.
-	 */
-
-	REQUIRE(iteratorp != NULL);
-	REQUIRE(DNS_DBITERATOR_VALID(*iteratorp));
-
-	(*iteratorp)->methods->destroy(iteratorp);
-
-	ENSURE(*iteratorp == NULL);
-}
-
-isc_result_t
-dns_dbiterator_first(dns_dbiterator_t *iterator) {
-	/*
-	 * Move the node cursor to the first node in the database (if any).
-	 */
-
-	REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
-	return (iterator->methods->first(iterator));
-}
-
-isc_result_t
-dns_dbiterator_last(dns_dbiterator_t *iterator) {
-	/*
-	 * Move the node cursor to the first node in the database (if any).
-	 */
-
-	REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
-	return (iterator->methods->last(iterator));
-}
-
-isc_result_t
-dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
-	/*
-	 * Move the node cursor to the node with name 'name'.
-	 */
-
-	REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
-	return (iterator->methods->seek(iterator, name));
-}
-
-isc_result_t
-dns_dbiterator_prev(dns_dbiterator_t *iterator) {
-	/*
-	 * Move the node cursor to the previous node in the database (if any).
-	 */
-
-	REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
-	return (iterator->methods->prev(iterator));
-}
-
-isc_result_t
-dns_dbiterator_next(dns_dbiterator_t *iterator) {
-	/*
-	 * Move the node cursor to the next node in the database (if any).
-	 */
-
-	REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
-	return (iterator->methods->next(iterator));
-}
-
-isc_result_t
-dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
-		       dns_name_t *name)
-{
-	/*
-	 * Return the current node.
-	 */
-
-	REQUIRE(DNS_DBITERATOR_VALID(iterator));
-	REQUIRE(nodep != NULL && *nodep == NULL);
-	REQUIRE(name == NULL || dns_name_hasbuffer(name));
-
-	return (iterator->methods->current(iterator, nodep, name));
-}
-
-isc_result_t
-dns_dbiterator_pause(dns_dbiterator_t *iterator) {
-	/*
-	 * Pause iteration.
-	 */
-
-	REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
-	return (iterator->methods->pause(iterator));
-}
-
-isc_result_t
-dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
-
-	/*
-	 * Return the origin to which returned node names are relative.
-	 */
-
-	REQUIRE(DNS_DBITERATOR_VALID(iterator));
-	REQUIRE(iterator->relative_names);
-	REQUIRE(dns_name_hasbuffer(name));
-
-	return (iterator->methods->origin(iterator, name));
-}
-
-void
-dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, isc_boolean_t mode) {
-	REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
-	iterator->cleaning = mode;
-}
diff --git a/contrib/bind9/lib/dns/dbtable.c b/contrib/bind9/lib/dns/dbtable.c
deleted file mode 100644
index 2009220..0000000
--- a/contrib/bind9/lib/dns/dbtable.c
+++ /dev/null
@@ -1,292 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: dbtable.c,v 1.33 2007/06/19 23:47:16 tbox Exp $
- */
-
-/*! \file
- * \author
- * Principal Author: DCL
- */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/rwlock.h>
-#include <isc/util.h>
-
-#include <dns/dbtable.h>
-#include <dns/db.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-
-struct dns_dbtable {
-	/* Unlocked. */
-	unsigned int		magic;
-	isc_mem_t *		mctx;
-	dns_rdataclass_t	rdclass;
-	isc_mutex_t		lock;
-	isc_rwlock_t		tree_lock;
-	/* Locked by lock. */
-	unsigned int		references;
-	/* Locked by tree_lock. */
-	dns_rbt_t *		rbt;
-	dns_db_t *		default_db;
-};
-
-#define DBTABLE_MAGIC		ISC_MAGIC('D', 'B', '-', '-')
-#define VALID_DBTABLE(dbtable)	ISC_MAGIC_VALID(dbtable, DBTABLE_MAGIC)
-
-static void
-dbdetach(void *data, void *arg) {
-	dns_db_t *db = data;
-
-	UNUSED(arg);
-
-	dns_db_detach(&db);
-}
-
-isc_result_t
-dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-		   dns_dbtable_t **dbtablep)
-{
-	dns_dbtable_t *dbtable;
-	isc_result_t result;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(dbtablep != NULL && *dbtablep == NULL);
-
-	dbtable = (dns_dbtable_t *)isc_mem_get(mctx, sizeof(*dbtable));
-	if (dbtable == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dbtable->rbt = NULL;
-	result = dns_rbt_create(mctx, dbdetach, NULL, &dbtable->rbt);
-	if (result != ISC_R_SUCCESS)
-		goto clean1;
-
-	result = isc_mutex_init(&dbtable->lock);
-	if (result != ISC_R_SUCCESS)
-		goto clean2;
-
-	result = isc_rwlock_init(&dbtable->tree_lock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto clean3;
-
-	dbtable->default_db = NULL;
-	dbtable->mctx = NULL;
-	isc_mem_attach(mctx, &dbtable->mctx);
-	dbtable->rdclass = rdclass;
-	dbtable->magic = DBTABLE_MAGIC;
-	dbtable->references = 1;
-
-	*dbtablep = dbtable;
-
-	return (ISC_R_SUCCESS);
-
- clean3:
-	DESTROYLOCK(&dbtable->lock);
-
- clean2:
-	dns_rbt_destroy(&dbtable->rbt);
-
- clean1:
-	isc_mem_putanddetach(&mctx, dbtable, sizeof(*dbtable));
-
-	return (result);
-}
-
-static inline void
-dbtable_free(dns_dbtable_t *dbtable) {
-	/*
-	 * Caller must ensure that it is safe to call.
-	 */
-
-	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
-	if (dbtable->default_db != NULL)
-		dns_db_detach(&dbtable->default_db);
-
-	dns_rbt_destroy(&dbtable->rbt);
-
-	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
-	isc_rwlock_destroy(&dbtable->tree_lock);
-
-	dbtable->magic = 0;
-
-	isc_mem_putanddetach(&dbtable->mctx, dbtable, sizeof(*dbtable));
-}
-
-void
-dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp) {
-	REQUIRE(VALID_DBTABLE(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	LOCK(&source->lock);
-
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references != 0);
-
-	UNLOCK(&source->lock);
-
-	*targetp = source;
-}
-
-void
-dns_dbtable_detach(dns_dbtable_t **dbtablep) {
-	dns_dbtable_t *dbtable;
-	isc_boolean_t free_dbtable = ISC_FALSE;
-
-	REQUIRE(dbtablep != NULL);
-	dbtable = *dbtablep;
-	REQUIRE(VALID_DBTABLE(dbtable));
-
-	LOCK(&dbtable->lock);
-
-	INSIST(dbtable->references > 0);
-	dbtable->references--;
-	if (dbtable->references == 0)
-		free_dbtable = ISC_TRUE;
-
-	UNLOCK(&dbtable->lock);
-
-	if (free_dbtable)
-		dbtable_free(dbtable);
-
-	*dbtablep = NULL;
-}
-
-isc_result_t
-dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db) {
-	isc_result_t result;
-	dns_db_t *clone;
-
-	REQUIRE(VALID_DBTABLE(dbtable));
-	REQUIRE(dns_db_class(db) == dbtable->rdclass);
-
-	clone = NULL;
-	dns_db_attach(db, &clone);
-
-	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-	result = dns_rbt_addname(dbtable->rbt, dns_db_origin(clone), clone);
-	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
-	return (result);
-}
-
-void
-dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db) {
-	dns_db_t *stored_data = NULL;
-	isc_result_t result;
-	dns_name_t *name;
-
-	REQUIRE(VALID_DBTABLE(dbtable));
-
-	name = dns_db_origin(db);
-
-	/*
-	 * There is a requirement that the association of name with db
-	 * be verified.  With the current rbt.c this is expensive to do,
-	 * because effectively two find operations are being done, but
-	 * deletion is relatively infrequent.
-	 * XXXDCL ... this could be cheaper now with dns_rbt_deletenode.
-	 */
-
-	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
-	result = dns_rbt_findname(dbtable->rbt, name, 0, NULL,
-				  (void **) (void *)&stored_data);
-
-	if (result == ISC_R_SUCCESS) {
-		INSIST(stored_data == db);
-
-		(void)dns_rbt_deletename(dbtable->rbt, name, ISC_FALSE);
-	}
-
-	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-}
-
-void
-dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db) {
-	REQUIRE(VALID_DBTABLE(dbtable));
-	REQUIRE(dbtable->default_db == NULL);
-	REQUIRE(dns_name_compare(dns_db_origin(db), dns_rootname) == 0);
-
-	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
-	dbtable->default_db = NULL;
-	dns_db_attach(db, &dbtable->default_db);
-
-	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-}
-
-void
-dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **dbp) {
-	REQUIRE(VALID_DBTABLE(dbtable));
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
-
-	dns_db_attach(dbtable->default_db, dbp);
-
-	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
-}
-
-void
-dns_dbtable_removedefault(dns_dbtable_t *dbtable) {
-	REQUIRE(VALID_DBTABLE(dbtable));
-
-	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
-	dns_db_detach(&dbtable->default_db);
-
-	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-}
-
-isc_result_t
-dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
-		 unsigned int options, dns_db_t **dbp)
-{
-	dns_db_t *stored_data = NULL;
-	isc_result_t result;
-	unsigned int rbtoptions = 0;
-
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	if ((options & DNS_DBTABLEFIND_NOEXACT) != 0)
-		rbtoptions |= DNS_RBTFIND_NOEXACT;
-
-	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
-
-	result = dns_rbt_findname(dbtable->rbt, name, rbtoptions, NULL,
-				  (void **) (void *)&stored_data);
-
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-		dns_db_attach(stored_data, dbp);
-	else if (dbtable->default_db != NULL) {
-		dns_db_attach(dbtable->default_db, dbp);
-		result = DNS_R_PARTIALMATCH;
-	} else
-		result = ISC_R_NOTFOUND;
-
-	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
-
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/diff.c b/contrib/bind9/lib/dns/diff.c
deleted file mode 100644
index ff60d46..0000000
--- a/contrib/bind9/lib/dns/diff.c
+++ /dev/null
@@ -1,661 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: diff.c,v 1.26 2011/03/25 23:53:02 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/diff.h>
-#include <dns/log.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-
-#define CHECK(op) \
-	do { result = (op);					\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-#define DIFF_COMMON_LOGARGS \
-	dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DIFF
-
-static dns_rdatatype_t
-rdata_covers(dns_rdata_t *rdata) {
-	return (rdata->type == dns_rdatatype_rrsig ?
-		dns_rdata_covers(rdata) : 0);
-}
-
-isc_result_t
-dns_difftuple_create(isc_mem_t *mctx,
-		     dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
-		     dns_rdata_t *rdata, dns_difftuple_t **tp)
-{
-	dns_difftuple_t *t;
-	unsigned int size;
-	unsigned char *datap;
-
-	REQUIRE(tp != NULL && *tp == NULL);
-
-	/*
-	 * Create a new tuple.  The variable-size wire-format name data and
-	 * rdata immediately follow the dns_difftuple_t structure
-	 * in memory.
-	 */
-	size = sizeof(*t) + name->length + rdata->length;
-	t = isc_mem_allocate(mctx, size);
-	if (t == NULL)
-		return (ISC_R_NOMEMORY);
-	t->mctx = NULL;
-	isc_mem_attach(mctx, &t->mctx);
-	t->op = op;
-
-	datap = (unsigned char *)(t + 1);
-
-	memcpy(datap, name->ndata, name->length);
-	dns_name_init(&t->name, NULL);
-	dns_name_clone(name, &t->name);
-	t->name.ndata = datap;
-	datap += name->length;
-
-	t->ttl = ttl;
-
-	memcpy(datap, rdata->data, rdata->length);
-	dns_rdata_init(&t->rdata);
-	dns_rdata_clone(rdata, &t->rdata);
-	t->rdata.data = datap;
-	datap += rdata->length;
-
-	ISC_LINK_INIT(&t->rdata, link);
-	ISC_LINK_INIT(t, link);
-	t->magic = DNS_DIFFTUPLE_MAGIC;
-
-	INSIST(datap == (unsigned char *)t + size);
-
-	*tp = t;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_difftuple_free(dns_difftuple_t **tp) {
-	dns_difftuple_t *t = *tp;
-	isc_mem_t *mctx;
-
-	REQUIRE(DNS_DIFFTUPLE_VALID(t));
-
-	dns_name_invalidate(&t->name);
-	t->magic = 0;
-	mctx = t->mctx;
-	isc_mem_free(mctx, t);
-	isc_mem_detach(&mctx);
-	*tp = NULL;
-}
-
-isc_result_t
-dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) {
-	return (dns_difftuple_create(orig->mctx, orig->op, &orig->name,
-				     orig->ttl, &orig->rdata, copyp));
-}
-
-void
-dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) {
-	diff->mctx = mctx;
-	diff->resign = 0;
-	ISC_LIST_INIT(diff->tuples);
-	diff->magic = DNS_DIFF_MAGIC;
-}
-
-void
-dns_diff_clear(dns_diff_t *diff) {
-	dns_difftuple_t *t;
-	REQUIRE(DNS_DIFF_VALID(diff));
-	while ((t = ISC_LIST_HEAD(diff->tuples)) != NULL) {
-		ISC_LIST_UNLINK(diff->tuples, t, link);
-		dns_difftuple_free(&t);
-	}
-	ENSURE(ISC_LIST_EMPTY(diff->tuples));
-}
-
-void
-dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuplep)
-{
-	ISC_LIST_APPEND(diff->tuples, *tuplep, link);
-	*tuplep = NULL;
-}
-
-/* XXX this is O(N) */
-
-void
-dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep)
-{
-	dns_difftuple_t *ot, *next_ot;
-
-	REQUIRE(DNS_DIFF_VALID(diff));
-	REQUIRE(DNS_DIFFTUPLE_VALID(*tuplep));
-
-	/*
-	 * Look for an existing tuple with the same owner name,
-	 * rdata, and TTL.   If we are doing an addition and find a
-	 * deletion or vice versa, remove both the old and the
-	 * new tuple since they cancel each other out (assuming
-	 * that we never delete nonexistent data or add existing
-	 * data).
-	 *
-	 * If we find an old update of the same kind as
-	 * the one we are doing, there must be a programming
-	 * error.  We report it but try to continue anyway.
-	 */
-	for (ot = ISC_LIST_HEAD(diff->tuples); ot != NULL;
-	     ot = next_ot)
-	{
-		next_ot = ISC_LIST_NEXT(ot, link);
-		if (dns_name_equal(&ot->name, &(*tuplep)->name) &&
-		    dns_rdata_compare(&ot->rdata, &(*tuplep)->rdata) == 0 &&
-		    ot->ttl == (*tuplep)->ttl)
-		{
-			ISC_LIST_UNLINK(diff->tuples, ot, link);
-			if ((*tuplep)->op == ot->op) {
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "unexpected non-minimal diff");
-			} else {
-				dns_difftuple_free(tuplep);
-			}
-			dns_difftuple_free(&ot);
-			break;
-		}
-	}
-
-	if (*tuplep != NULL) {
-		ISC_LIST_APPEND(diff->tuples, *tuplep, link);
-		*tuplep = NULL;
-	}
-
-	ENSURE(*tuplep == NULL);
-}
-
-static isc_stdtime_t
-setresign(dns_rdataset_t *modified, isc_uint32_t delta) {
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_rrsig_t sig;
-	isc_stdtime_t when;
-	isc_result_t result;
-
-	result = dns_rdataset_first(modified);
-	INSIST(result == ISC_R_SUCCESS);
-	dns_rdataset_current(modified, &rdata);
-	(void)dns_rdata_tostruct(&rdata, &sig, NULL);
-	if ((rdata.flags & DNS_RDATA_OFFLINE) != 0)
-		when = 0;
-	else
-		when = sig.timeexpire - delta;
-	dns_rdata_reset(&rdata);
-
-	result = dns_rdataset_next(modified);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(modified, &rdata);
-		(void)dns_rdata_tostruct(&rdata, &sig, NULL);
-		if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
-			goto next_rr;
-		}
-		if (when == 0 || sig.timeexpire - delta < when)
-			when = sig.timeexpire - delta;
- next_rr:
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(modified);
-	}
-	INSIST(result == ISC_R_NOMORE);
-	return (when);
-}
-
-static isc_result_t
-diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
-	   isc_boolean_t warn)
-{
-	dns_difftuple_t *t;
-	dns_dbnode_t *node = NULL;
-	isc_result_t result;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
-	REQUIRE(DNS_DIFF_VALID(diff));
-	REQUIRE(DNS_DB_VALID(db));
-
-	t = ISC_LIST_HEAD(diff->tuples);
-	while (t != NULL) {
-		dns_name_t *name;
-
-		INSIST(node == NULL);
-		name = &t->name;
-		/*
-		 * Find the node.
-		 * We create the node if it does not exist.
-		 * This will cause an empty node to be created if the diff
-		 * contains a deletion of an RR at a nonexistent name,
-		 * but such diffs should never be created in the first
-		 * place.
-		 */
-
-		while (t != NULL && dns_name_equal(&t->name, name)) {
-			dns_rdatatype_t type, covers;
-			dns_diffop_t op;
-			dns_rdatalist_t rdl;
-			dns_rdataset_t rds;
-			dns_rdataset_t ardataset;
-			dns_rdataset_t *modified = NULL;
-
-			op = t->op;
-			type = t->rdata.type;
-			covers = rdata_covers(&t->rdata);
-
-			/*
-			 * Collect a contiguous set of updates with
-			 * the same operation (add/delete) and RR type
-			 * into a single rdatalist so that the
-			 * database rrset merging/subtraction code
-			 * can work more efficiently than if each
-			 * RR were merged into / subtracted from
-			 * the database separately.
-			 *
-			 * This is done by linking rdata structures from the
-			 * diff into "rdatalist".  This uses the rdata link
-			 * field, not the diff link field, so the structure
-			 * of the diff itself is not affected.
-			 */
-
-			rdl.type = type;
-			rdl.covers = covers;
-			rdl.rdclass = t->rdata.rdclass;
-			rdl.ttl = t->ttl;
-			ISC_LIST_INIT(rdl.rdata);
-			ISC_LINK_INIT(&rdl, link);
-
-			node = NULL;
-			if (type != dns_rdatatype_nsec3 &&
-			    covers != dns_rdatatype_nsec3)
-				CHECK(dns_db_findnode(db, name, ISC_TRUE,
-						      &node));
-			else
-				CHECK(dns_db_findnsec3node(db, name, ISC_TRUE,
-							   &node));
-
-			while (t != NULL &&
-			       dns_name_equal(&t->name, name) &&
-			       t->op == op &&
-			       t->rdata.type == type &&
-			       rdata_covers(&t->rdata) == covers)
-			{
-				dns_name_format(name, namebuf, sizeof(namebuf));
-				dns_rdatatype_format(t->rdata.type, typebuf,
-						     sizeof(typebuf));
-				dns_rdataclass_format(t->rdata.rdclass,
-						      classbuf,
-						      sizeof(classbuf));
-				if (t->ttl != rdl.ttl && warn)
-					isc_log_write(DIFF_COMMON_LOGARGS,
-						ISC_LOG_WARNING,
-						"'%s/%s/%s': TTL differs in "
-						"rdataset, adjusting "
-						"%lu -> %lu",
-						namebuf, typebuf, classbuf,
-						(unsigned long) t->ttl,
-						(unsigned long) rdl.ttl);
-				ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
-				t = ISC_LIST_NEXT(t, link);
-			}
-
-			/*
-			 * Convert the rdatalist into a rdataset.
-			 */
-			dns_rdataset_init(&rds);
-			CHECK(dns_rdatalist_tordataset(&rdl, &rds));
-			if (rds.type == dns_rdatatype_rrsig)
-				switch (op) {
-				case DNS_DIFFOP_ADDRESIGN:
-				case DNS_DIFFOP_DELRESIGN:
-					modified = &ardataset;
-					dns_rdataset_init(modified);
-					break;
-				default:
-					break;
-				}
-			rds.trust = dns_trust_ultimate;
-
-			/*
-			 * Merge the rdataset into the database.
-			 */
-			switch (op) {
-			case DNS_DIFFOP_ADD:
-			case DNS_DIFFOP_ADDRESIGN:
-				result = dns_db_addrdataset(db, node, ver,
-							    0, &rds,
-							    DNS_DBADD_MERGE|
-							    DNS_DBADD_EXACT|
-							    DNS_DBADD_EXACTTTL,
-							    modified);
-				break;
-			case DNS_DIFFOP_DEL:
-			case DNS_DIFFOP_DELRESIGN:
-				result = dns_db_subtractrdataset(db, node, ver,
-							       &rds,
-							       DNS_DBSUB_EXACT,
-							       modified);
-				break;
-			default:
-				INSIST(0);
-			}
-
-			if (result == ISC_R_SUCCESS) {
-				if (modified != NULL) {
-					isc_stdtime_t resign;
-					resign = setresign(modified,
-							   diff->resign);
-					dns_db_setsigningtime(db, modified,
-							      resign);
-					if (diff->resign == 0 &&
-					    (op == DNS_DIFFOP_ADDRESIGN ||
-					     op == DNS_DIFFOP_DELRESIGN))
-						isc_log_write(
-							DIFF_COMMON_LOGARGS,
-							ISC_LOG_WARNING,
-							"resign requested "
-							"with 0 resign "
-							"interval");
-				}
-			} else if (result == DNS_R_UNCHANGED) {
-				/*
-				 * This will not happen when executing a
-				 * dynamic update, because that code will
-				 * generate strictly minimal diffs.
-				 * It may happen when receiving an IXFR
-				 * from a server that is not as careful.
-				 * Issue a warning and continue.
-				 */
-				if (warn) {
-					char classbuf[DNS_RDATATYPE_FORMATSIZE];
-					char namebuf[DNS_NAME_FORMATSIZE];
-
-					dns_name_format(dns_db_origin(db),
-							namebuf,
-							sizeof(namebuf));
-					dns_rdataclass_format(dns_db_class(db),
-							      classbuf,
-							      sizeof(classbuf));
-					isc_log_write(DIFF_COMMON_LOGARGS,
-						      ISC_LOG_WARNING,
-						      "%s/%s: dns_diff_apply: "
-						      "update with no effect",
-						      namebuf, classbuf);
-				}
-			} else if (result == DNS_R_NXRRSET) {
-				/*
-				 * OK.
-				 */
-			} else {
-				if (modified != NULL &&
-				    dns_rdataset_isassociated(modified))
-					dns_rdataset_disassociate(modified);
-				CHECK(result);
-			}
-			dns_db_detachnode(db, &node);
-			if (modified != NULL &&
-			    dns_rdataset_isassociated(modified))
-				dns_rdataset_disassociate(modified);
-		}
-	}
-	return (ISC_R_SUCCESS);
-
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-isc_result_t
-dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
-	return (diff_apply(diff, db, ver, ISC_TRUE));
-}
-
-isc_result_t
-dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
-	return (diff_apply(diff, db, ver, ISC_FALSE));
-}
-
-/* XXX this duplicates lots of code in diff_apply(). */
-
-isc_result_t
-dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
-	      void *add_private)
-{
-	dns_difftuple_t *t;
-	isc_result_t result;
-
-	REQUIRE(DNS_DIFF_VALID(diff));
-
-	t = ISC_LIST_HEAD(diff->tuples);
-	while (t != NULL) {
-		dns_name_t *name;
-
-		name = &t->name;
-		while (t != NULL && dns_name_equal(&t->name, name)) {
-			dns_rdatatype_t type, covers;
-			dns_diffop_t op;
-			dns_rdatalist_t rdl;
-			dns_rdataset_t rds;
-
-			op = t->op;
-			type = t->rdata.type;
-			covers = rdata_covers(&t->rdata);
-
-			rdl.type = type;
-			rdl.covers = covers;
-			rdl.rdclass = t->rdata.rdclass;
-			rdl.ttl = t->ttl;
-			ISC_LIST_INIT(rdl.rdata);
-			ISC_LINK_INIT(&rdl, link);
-
-			while (t != NULL && dns_name_equal(&t->name, name) &&
-			       t->op == op && t->rdata.type == type &&
-			       rdata_covers(&t->rdata) == covers)
-			{
-				ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
-				t = ISC_LIST_NEXT(t, link);
-			}
-
-			/*
-			 * Convert the rdatalist into a rdataset.
-			 */
-			dns_rdataset_init(&rds);
-			CHECK(dns_rdatalist_tordataset(&rdl, &rds));
-			rds.trust = dns_trust_ultimate;
-
-			INSIST(op == DNS_DIFFOP_ADD);
-			result = (*addfunc)(add_private, name, &rds);
-			if (result == DNS_R_UNCHANGED) {
-				isc_log_write(DIFF_COMMON_LOGARGS,
-					      ISC_LOG_WARNING,
-					      "dns_diff_load: "
-					      "update with no effect");
-			} else if (result == ISC_R_SUCCESS ||
-				   result == DNS_R_NXRRSET) {
-				/*
-				 * OK.
-				 */
-			} else {
-				CHECK(result);
-			}
-		}
-	}
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-/*
- * XXX uses qsort(); a merge sort would be more natural for lists,
- * and perhaps safer wrt thread stack overflow.
- */
-isc_result_t
-dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare) {
-	unsigned int length = 0;
-	unsigned int i;
-	dns_difftuple_t **v;
-	dns_difftuple_t *p;
-	REQUIRE(DNS_DIFF_VALID(diff));
-
-	for (p = ISC_LIST_HEAD(diff->tuples);
-	     p != NULL;
-	     p = ISC_LIST_NEXT(p, link))
-		length++;
-	if (length == 0)
-		return (ISC_R_SUCCESS);
-	v = isc_mem_get(diff->mctx, length * sizeof(dns_difftuple_t *));
-	if (v == NULL)
-		return (ISC_R_NOMEMORY);
-	for (i = 0; i < length; i++) {
-		p = ISC_LIST_HEAD(diff->tuples);
-		v[i] = p;
-		ISC_LIST_UNLINK(diff->tuples, p, link);
-	}
-	INSIST(ISC_LIST_HEAD(diff->tuples) == NULL);
-	qsort(v, length, sizeof(v[0]), compare);
-	for (i = 0; i < length; i++) {
-		ISC_LIST_APPEND(diff->tuples, v[i], link);
-	}
-	isc_mem_put(diff->mctx, v, length * sizeof(dns_difftuple_t *));
-	return (ISC_R_SUCCESS);
-}
-
-
-/*
- * Create an rdataset containing the single RR of the given
- * tuple.  The caller must allocate the rdata, rdataset and
- * an rdatalist structure for it to refer to.
- */
-
-static isc_result_t
-diff_tuple_tordataset(dns_difftuple_t *t, dns_rdata_t *rdata,
-		      dns_rdatalist_t *rdl, dns_rdataset_t *rds)
-{
-	REQUIRE(DNS_DIFFTUPLE_VALID(t));
-	REQUIRE(rdl != NULL);
-	REQUIRE(rds != NULL);
-
-	rdl->type = t->rdata.type;
-	rdl->rdclass = t->rdata.rdclass;
-	rdl->ttl = t->ttl;
-	ISC_LIST_INIT(rdl->rdata);
-	ISC_LINK_INIT(rdl, link);
-	dns_rdataset_init(rds);
-	ISC_LINK_INIT(rdata, link);
-	dns_rdata_clone(&t->rdata, rdata);
-	ISC_LIST_APPEND(rdl->rdata, rdata, link);
-	return (dns_rdatalist_tordataset(rdl, rds));
-}
-
-isc_result_t
-dns_diff_print(dns_diff_t *diff, FILE *file) {
-	isc_result_t result;
-	dns_difftuple_t *t;
-	char *mem = NULL;
-	unsigned int size = 2048;
-	const char *op = NULL;
-
-	REQUIRE(DNS_DIFF_VALID(diff));
-
-	mem = isc_mem_get(diff->mctx, size);
-	if (mem == NULL)
-		return (ISC_R_NOMEMORY);
-
-	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		isc_buffer_t buf;
-		isc_region_t r;
-
-		dns_rdatalist_t rdl;
-		dns_rdataset_t rds;
-		dns_rdata_t rd = DNS_RDATA_INIT;
-
-		result = diff_tuple_tordataset(t, &rd, &rdl, &rds);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "diff_tuple_tordataset failed: %s",
-					 dns_result_totext(result));
-			result =  ISC_R_UNEXPECTED;
-			goto cleanup;
-		}
- again:
-		isc_buffer_init(&buf, mem, size);
-		result = dns_rdataset_totext(&rds, &t->name,
-					     ISC_FALSE, ISC_FALSE, &buf);
-
-		if (result == ISC_R_NOSPACE) {
-			isc_mem_put(diff->mctx, mem, size);
-			size += 1024;
-			mem = isc_mem_get(diff->mctx, size);
-			if (mem == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-			goto again;
-		}
-
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		/*
-		 * Get rid of final newline.
-		 */
-		INSIST(buf.used >= 1 &&
-		       ((char *) buf.base)[buf.used-1] == '\n');
-		buf.used--;
-
-		isc_buffer_usedregion(&buf, &r);
-		switch (t->op) {
-		case DNS_DIFFOP_EXISTS: op = "exists"; break;
-		case DNS_DIFFOP_ADD: op = "add"; break;
-		case DNS_DIFFOP_DEL: op = "del"; break;
-		case DNS_DIFFOP_ADDRESIGN: op = "add re-sign"; break;
-		case DNS_DIFFOP_DELRESIGN: op = "del re-sign"; break;
-		}
-		if (file != NULL)
-			fprintf(file, "%s %.*s\n", op, (int) r.length,
-				(char *) r.base);
-		else
-			isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7),
-				      "%s %.*s", op, (int) r.length,
-				      (char *) r.base);
-	}
-	result = ISC_R_SUCCESS;
- cleanup:
-	if (mem != NULL)
-		isc_mem_put(diff->mctx, mem, size);
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/dispatch.c b/contrib/bind9/lib/dns/dispatch.c
deleted file mode 100644
index 5063914..0000000
--- a/contrib/bind9/lib/dns/dispatch.c
+++ /dev/null
@@ -1,3859 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dispatch.c,v 1.175 2011/11/29 01:03:47 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <stdlib.h>
-
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/portset.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/socket.h>
-#include <isc/stats.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/dispatch.h>
-#include <dns/events.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/portlist.h>
-#include <dns/stats.h>
-#include <dns/tcpmsg.h>
-#include <dns/types.h>
-
-typedef ISC_LIST(dns_dispentry_t)	dns_displist_t;
-
-typedef struct dispsocket		dispsocket_t;
-typedef ISC_LIST(dispsocket_t)		dispsocketlist_t;
-
-typedef struct dispportentry		dispportentry_t;
-typedef ISC_LIST(dispportentry_t)	dispportlist_t;
-
-/* ARC4 Random generator state */
-typedef struct arc4ctx {
-	isc_uint8_t	i;
-	isc_uint8_t	j;
-	isc_uint8_t	s[256];
-	int		count;
-	isc_entropy_t	*entropy;	/*%< entropy source for ARC4 */
-	isc_mutex_t	*lock;
-} arc4ctx_t;
-
-typedef struct dns_qid {
-	unsigned int	magic;
-	unsigned int	qid_nbuckets;	/*%< hash table size */
-	unsigned int	qid_increment;	/*%< id increment on collision */
-	isc_mutex_t	lock;
-	dns_displist_t	*qid_table;	/*%< the table itself */
-	dispsocketlist_t *sock_table;	/*%< socket table */
-} dns_qid_t;
-
-struct dns_dispatchmgr {
-	/* Unlocked. */
-	unsigned int			magic;
-	isc_mem_t		       *mctx;
-	dns_acl_t		       *blackhole;
-	dns_portlist_t		       *portlist;
-	isc_stats_t		       *stats;
-	isc_entropy_t		       *entropy; /*%< entropy source */
-
-	/* Locked by "lock". */
-	isc_mutex_t			lock;
-	unsigned int			state;
-	ISC_LIST(dns_dispatch_t)	list;
-
-	/* Locked by arc4_lock. */
-	isc_mutex_t			arc4_lock;
-	arc4ctx_t			arc4ctx;    /*%< ARC4 context for QID */
-
-	/* locked by buffer lock */
-	dns_qid_t			*qid;
-	isc_mutex_t			buffer_lock;
-	unsigned int			buffers;    /*%< allocated buffers */
-	unsigned int			buffersize; /*%< size of each buffer */
-	unsigned int			maxbuffers; /*%< max buffers */
-
-	/* Locked internally. */
-	isc_mutex_t			depool_lock;
-	isc_mempool_t		       *depool;	/*%< pool for dispatch events */
-	isc_mutex_t			rpool_lock;
-	isc_mempool_t		       *rpool;	/*%< pool for replies */
-	isc_mutex_t			dpool_lock;
-	isc_mempool_t		       *dpool;  /*%< dispatch allocations */
-	isc_mutex_t			bpool_lock;
-	isc_mempool_t		       *bpool;	/*%< pool for buffers */
-	isc_mutex_t			spool_lock;
-	isc_mempool_t		       *spool;	/*%< pool for dispsocks */
-
-	/*%
-	 * Locked by qid->lock if qid exists; otherwise, can be used without
-	 * being locked.
-	 * Memory footprint considerations: this is a simple implementation of
-	 * available ports, i.e., an ordered array of the actual port numbers.
-	 * This will require about 256KB of memory in the worst case (128KB for
-	 * each of IPv4 and IPv6).  We could reduce it by representing it as a
-	 * more sophisticated way such as a list (or array) of ranges that are
-	 * searched to identify a specific port.  Our decision here is the saved
-	 * memory isn't worth the implementation complexity, considering the
-	 * fact that the whole BIND9 process (which is mainly named) already
-	 * requires a pretty large memory footprint.  We may, however, have to
-	 * revisit the decision when we want to use it as a separate module for
-	 * an environment where memory requirement is severer.
-	 */
-	in_port_t	*v4ports;	/*%< available ports for IPv4 */
-	unsigned int	nv4ports;	/*%< # of available ports for IPv4 */
-	in_port_t	*v6ports;	/*%< available ports for IPv4 */
-	unsigned int	nv6ports;	/*%< # of available ports for IPv4 */
-};
-
-#define MGR_SHUTTINGDOWN		0x00000001U
-#define MGR_IS_SHUTTINGDOWN(l)	(((l)->state & MGR_SHUTTINGDOWN) != 0)
-
-#define IS_PRIVATE(d)	(((d)->attributes & DNS_DISPATCHATTR_PRIVATE) != 0)
-
-struct dns_dispentry {
-	unsigned int			magic;
-	dns_dispatch_t		       *disp;
-	dns_messageid_t			id;
-	in_port_t			port;
-	unsigned int			bucket;
-	isc_sockaddr_t			host;
-	isc_task_t		       *task;
-	isc_taskaction_t		action;
-	void			       *arg;
-	isc_boolean_t			item_out;
-	dispsocket_t			*dispsocket;
-	ISC_LIST(dns_dispatchevent_t)	items;
-	ISC_LINK(dns_dispentry_t)	link;
-};
-
-/*%
- * Maximum number of dispatch sockets that can be pooled for reuse.  The
- * appropriate value may vary, but experiments have shown a busy caching server
- * may need more than 1000 sockets concurrently opened.  The maximum allowable
- * number of dispatch sockets (per manager) will be set to the double of this
- * value.
- */
-#ifndef DNS_DISPATCH_POOLSOCKS
-#define DNS_DISPATCH_POOLSOCKS			2048
-#endif
-
-/*%
- * Quota to control the number of dispatch sockets.  If a dispatch has more
- * than the quota of sockets, new queries will purge oldest ones, so that
- * a massive number of outstanding queries won't prevent subsequent queries
- * (especially if the older ones take longer time and result in timeout).
- */
-#ifndef DNS_DISPATCH_SOCKSQUOTA
-#define DNS_DISPATCH_SOCKSQUOTA			3072
-#endif
-
-struct dispsocket {
-	unsigned int			magic;
-	isc_socket_t			*socket;
-	dns_dispatch_t			*disp;
-	isc_sockaddr_t			host;
-	in_port_t			localport; /* XXX: should be removed later */
-	dispportentry_t			*portentry;
-	dns_dispentry_t			*resp;
-	isc_task_t			*task;
-	ISC_LINK(dispsocket_t)		link;
-	unsigned int			bucket;
-	ISC_LINK(dispsocket_t)		blink;
-};
-
-/*%
- * A port table entry.  We remember every port we first open in a table with a
- * reference counter so that we can 'reuse' the same port (with different
- * destination addresses) using the SO_REUSEADDR socket option.
- */
-struct dispportentry {
-	in_port_t			port;
-	unsigned int			refs;
-	ISC_LINK(struct dispportentry)	link;
-};
-
-#ifndef DNS_DISPATCH_PORTTABLESIZE
-#define DNS_DISPATCH_PORTTABLESIZE	1024
-#endif
-
-#define INVALID_BUCKET		(0xffffdead)
-
-/*%
- * Number of tasks for each dispatch that use separate sockets for different
- * transactions.  This must be a power of 2 as it will divide 32 bit numbers
- * to get an uniformly random tasks selection.  See get_dispsocket().
- */
-#define MAX_INTERNAL_TASKS	64
-
-struct dns_dispatch {
-	/* Unlocked. */
-	unsigned int		magic;		/*%< magic */
-	dns_dispatchmgr_t      *mgr;		/*%< dispatch manager */
-	int			ntasks;
-	/*%
-	 * internal task buckets.  We use multiple tasks to distribute various
-	 * socket events well when using separate dispatch sockets.  We use the
-	 * 1st task (task[0]) for internal control events.
-	 */
-	isc_task_t	       *task[MAX_INTERNAL_TASKS];
-	isc_socket_t	       *socket;		/*%< isc socket attached to */
-	isc_sockaddr_t		local;		/*%< local address */
-	in_port_t		localport;	/*%< local UDP port */
-	unsigned int		maxrequests;	/*%< max requests */
-	isc_event_t	       *ctlevent;
-
-	isc_mutex_t		sepool_lock;
-	isc_mempool_t	       *sepool;		/*%< pool for socket events */
-
-	/*% Locked by mgr->lock. */
-	ISC_LINK(dns_dispatch_t) link;
-
-	/* Locked by "lock". */
-	isc_mutex_t		lock;		/*%< locks all below */
-	isc_sockettype_t	socktype;
-	unsigned int		attributes;
-	unsigned int		refcount;	/*%< number of users */
-	dns_dispatchevent_t    *failsafe_ev;	/*%< failsafe cancel event */
-	unsigned int		shutting_down : 1,
-				shutdown_out : 1,
-				connected : 1,
-				tcpmsg_valid : 1,
-				recv_pending : 1; /*%< is a recv() pending? */
-	isc_result_t		shutdown_why;
-	ISC_LIST(dispsocket_t)	activesockets;
-	ISC_LIST(dispsocket_t)	inactivesockets;
-	unsigned int		nsockets;
-	unsigned int		requests;	/*%< how many requests we have */
-	unsigned int		tcpbuffers;	/*%< allocated buffers */
-	dns_tcpmsg_t		tcpmsg;		/*%< for tcp streams */
-	dns_qid_t		*qid;
-	arc4ctx_t		arc4ctx;	/*%< for QID/UDP port num */
-	dispportlist_t		*port_table;	/*%< hold ports 'owned' by us */
-	isc_mempool_t		*portpool;	/*%< port table entries  */
-};
-
-#define QID_MAGIC		ISC_MAGIC('Q', 'i', 'd', ' ')
-#define VALID_QID(e)		ISC_MAGIC_VALID((e), QID_MAGIC)
-
-#define RESPONSE_MAGIC		ISC_MAGIC('D', 'r', 's', 'p')
-#define VALID_RESPONSE(e)	ISC_MAGIC_VALID((e), RESPONSE_MAGIC)
-
-#define DISPSOCK_MAGIC		ISC_MAGIC('D', 's', 'o', 'c')
-#define VALID_DISPSOCK(e)	ISC_MAGIC_VALID((e), DISPSOCK_MAGIC)
-
-#define DISPATCH_MAGIC		ISC_MAGIC('D', 'i', 's', 'p')
-#define VALID_DISPATCH(e)	ISC_MAGIC_VALID((e), DISPATCH_MAGIC)
-
-#define DNS_DISPATCHMGR_MAGIC	ISC_MAGIC('D', 'M', 'g', 'r')
-#define VALID_DISPATCHMGR(e)	ISC_MAGIC_VALID((e), DNS_DISPATCHMGR_MAGIC)
-
-#define DNS_QID(disp) ((disp)->socktype == isc_sockettype_tcp) ? \
-		       (disp)->qid : (disp)->mgr->qid
-#define DISP_ARC4CTX(disp) ((disp)->socktype == isc_sockettype_udp) ? \
-			(&(disp)->arc4ctx) : (&(disp)->mgr->arc4ctx)
-
-/*%
- * Locking a query port buffer is a bit tricky.  We access the buffer without
- * locking until qid is created.  Technically, there is a possibility of race
- * between the creation of qid and access to the port buffer; in practice,
- * however, this should be safe because qid isn't created until the first
- * dispatch is created and there should be no contending situation until then.
- */
-#define PORTBUFLOCK(mgr) if ((mgr)->qid != NULL) LOCK(&((mgr)->qid->lock))
-#define PORTBUFUNLOCK(mgr) if ((mgr)->qid != NULL) UNLOCK((&(mgr)->qid->lock))
-
-/*
- * Statics.
- */
-static dns_dispentry_t *entry_search(dns_qid_t *, isc_sockaddr_t *,
-				     dns_messageid_t, in_port_t, unsigned int);
-static isc_boolean_t destroy_disp_ok(dns_dispatch_t *);
-static void destroy_disp(isc_task_t *task, isc_event_t *event);
-static void destroy_dispsocket(dns_dispatch_t *, dispsocket_t **);
-static void deactivate_dispsocket(dns_dispatch_t *, dispsocket_t *);
-static void udp_exrecv(isc_task_t *, isc_event_t *);
-static void udp_shrecv(isc_task_t *, isc_event_t *);
-static void udp_recv(isc_event_t *, dns_dispatch_t *, dispsocket_t *);
-static void tcp_recv(isc_task_t *, isc_event_t *);
-static isc_result_t startrecv(dns_dispatch_t *, dispsocket_t *);
-static isc_uint32_t dns_hash(dns_qid_t *, isc_sockaddr_t *, dns_messageid_t,
-			     in_port_t);
-static void free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len);
-static void *allocate_udp_buffer(dns_dispatch_t *disp);
-static inline void free_devent(dns_dispatch_t *disp, dns_dispatchevent_t *ev);
-static inline dns_dispatchevent_t *allocate_devent(dns_dispatch_t *disp);
-static void do_cancel(dns_dispatch_t *disp);
-static dns_dispentry_t *linear_first(dns_qid_t *disp);
-static dns_dispentry_t *linear_next(dns_qid_t *disp,
-				    dns_dispentry_t *resp);
-static void dispatch_free(dns_dispatch_t **dispp);
-static isc_result_t get_udpsocket(dns_dispatchmgr_t *mgr,
-				  dns_dispatch_t *disp,
-				  isc_socketmgr_t *sockmgr,
-				  isc_sockaddr_t *localaddr,
-				  isc_socket_t **sockp,
-				  isc_socket_t *dup_socket);
-static isc_result_t dispatch_createudp(dns_dispatchmgr_t *mgr,
-				       isc_socketmgr_t *sockmgr,
-				       isc_taskmgr_t *taskmgr,
-				       isc_sockaddr_t *localaddr,
-				       unsigned int maxrequests,
-				       unsigned int attributes,
-				       dns_dispatch_t **dispp,
-				       isc_socket_t *dup_socket);
-static isc_boolean_t destroy_mgr_ok(dns_dispatchmgr_t *mgr);
-static void destroy_mgr(dns_dispatchmgr_t **mgrp);
-static isc_result_t qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
-				 unsigned int increment, dns_qid_t **qidp,
-				 isc_boolean_t needaddrtable);
-static void qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp);
-static isc_result_t open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
-				unsigned int options, isc_socket_t **sockp,
-				isc_socket_t *dup_socket);
-static isc_boolean_t portavailable(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
-				   isc_sockaddr_t *sockaddrp);
-
-#define LVL(x) ISC_LOG_DEBUG(x)
-
-static void
-mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(3, 4);
-
-static void
-mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...) {
-	char msgbuf[2048];
-	va_list ap;
-
-	if (! isc_log_wouldlog(dns_lctx, level))
-		return;
-
-	va_start(ap, fmt);
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-	va_end(ap);
-
-	isc_log_write(dns_lctx,
-		      DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
-		      level, "dispatchmgr %p: %s", mgr, msgbuf);
-}
-
-static inline void
-inc_stats(dns_dispatchmgr_t *mgr, isc_statscounter_t counter) {
-	if (mgr->stats != NULL)
-		isc_stats_increment(mgr->stats, counter);
-}
-
-static void
-dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(3, 4);
-
-static void
-dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...) {
-	char msgbuf[2048];
-	va_list ap;
-
-	if (! isc_log_wouldlog(dns_lctx, level))
-		return;
-
-	va_start(ap, fmt);
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-	va_end(ap);
-
-	isc_log_write(dns_lctx,
-		      DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
-		      level, "dispatch %p: %s", disp, msgbuf);
-}
-
-static void
-request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
-	    int level, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(4, 5);
-
-static void
-request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
-	    int level, const char *fmt, ...)
-{
-	char msgbuf[2048];
-	char peerbuf[256];
-	va_list ap;
-
-	if (! isc_log_wouldlog(dns_lctx, level))
-		return;
-
-	va_start(ap, fmt);
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-	va_end(ap);
-
-	if (VALID_RESPONSE(resp)) {
-		isc_sockaddr_format(&resp->host, peerbuf, sizeof(peerbuf));
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
-			      DNS_LOGMODULE_DISPATCH, level,
-			      "dispatch %p response %p %s: %s", disp, resp,
-			      peerbuf, msgbuf);
-	} else {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
-			      DNS_LOGMODULE_DISPATCH, level,
-			      "dispatch %p req/resp %p: %s", disp, resp,
-			      msgbuf);
-	}
-}
-
-/*%
- * ARC4 random number generator derived from OpenBSD.
- * Only dispatch_random() and dispatch_uniformrandom() are expected
- * to be called from general dispatch routines; the rest of them are subroutines
- * for these two.
- *
- * The original copyright follows:
- * Copyright (c) 1996, David Mazieres <dm@uun.org>
- * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#ifdef BIND9
-static void
-dispatch_initrandom(arc4ctx_t *actx, isc_entropy_t *entropy,
-		    isc_mutex_t *lock)
-{
-	int n;
-	for (n = 0; n < 256; n++)
-		actx->s[n] = n;
-	actx->i = 0;
-	actx->j = 0;
-	actx->count = 0;
-	actx->entropy = entropy; /* don't have to attach */
-	actx->lock = lock;
-}
-
-static void
-dispatch_arc4addrandom(arc4ctx_t *actx, unsigned char *dat, int datlen) {
-	int n;
-	isc_uint8_t si;
-
-	actx->i--;
-	for (n = 0; n < 256; n++) {
-		actx->i = (actx->i + 1);
-		si = actx->s[actx->i];
-		actx->j = (actx->j + si + dat[n % datlen]);
-		actx->s[actx->i] = actx->s[actx->j];
-		actx->s[actx->j] = si;
-	}
-	actx->j = actx->i;
-}
-
-static inline isc_uint8_t
-dispatch_arc4get8(arc4ctx_t *actx) {
-	isc_uint8_t si, sj;
-
-	actx->i = (actx->i + 1);
-	si = actx->s[actx->i];
-	actx->j = (actx->j + si);
-	sj = actx->s[actx->j];
-	actx->s[actx->i] = sj;
-	actx->s[actx->j] = si;
-
-	return (actx->s[(si + sj) & 0xff]);
-}
-
-static inline isc_uint16_t
-dispatch_arc4get16(arc4ctx_t *actx) {
-	isc_uint16_t val;
-
-	val = dispatch_arc4get8(actx) << 8;
-	val |= dispatch_arc4get8(actx);
-
-	return (val);
-}
-
-static void
-dispatch_arc4stir(arc4ctx_t *actx) {
-	int i;
-	union {
-		unsigned char rnd[128];
-		isc_uint32_t rnd32[32];
-	} rnd;
-	isc_result_t result;
-
-	if (actx->entropy != NULL) {
-		/*
-		 * We accept any quality of random data to avoid blocking.
-		 */
-		result = isc_entropy_getdata(actx->entropy, rnd.rnd,
-					     sizeof(rnd), NULL, 0);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	} else {
-		for (i = 0; i < 32; i++)
-			isc_random_get(&rnd.rnd32[i]);
-	}
-	dispatch_arc4addrandom(actx, rnd.rnd, sizeof(rnd.rnd));
-
-	/*
-	 * Discard early keystream, as per recommendations in:
-	 * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
-	 */
-	for (i = 0; i < 256; i++)
-		(void)dispatch_arc4get8(actx);
-
-	/*
-	 * Derived from OpenBSD's implementation.  The rationale is not clear,
-	 * but should be conservative enough in safety, and reasonably large
-	 * for efficiency.
-	 */
-	actx->count = 1600000;
-}
-
-static isc_uint16_t
-dispatch_random(arc4ctx_t *actx) {
-	isc_uint16_t result;
-
-	if (actx->lock != NULL)
-		LOCK(actx->lock);
-
-	actx->count -= sizeof(isc_uint16_t);
-	if (actx->count <= 0)
-		dispatch_arc4stir(actx);
-	result = dispatch_arc4get16(actx);
-
-	if (actx->lock != NULL)
-		UNLOCK(actx->lock);
-
-	return (result);
-}
-#else
-/*
- * For general purpose library, we don't have to be too strict about the
- * quality of random values.  Performance doesn't matter much, either.
- * So we simply use the isc_random module to keep the library as small as
- * possible.
- */
-
-static void
-dispatch_initrandom(arc4ctx_t *actx, isc_entropy_t *entropy,
-		    isc_mutex_t *lock)
-{
-	UNUSED(actx);
-	UNUSED(entropy);
-	UNUSED(lock);
-
-	return;
-}
-
-static isc_uint16_t
-dispatch_random(arc4ctx_t *actx) {
-	isc_uint32_t r;
-
-	UNUSED(actx);
-
-	isc_random_get(&r);
-	return (r & 0xffff);
-}
-#endif	/* BIND9 */
-
-static isc_uint16_t
-dispatch_uniformrandom(arc4ctx_t *actx, isc_uint16_t upper_bound) {
-	isc_uint16_t min, r;
-
-	if (upper_bound < 2)
-		return (0);
-
-	/*
-	 * Ensure the range of random numbers [min, 0xffff] be a multiple of
-	 * upper_bound and contain at least a half of the 16 bit range.
-	 */
-
-	if (upper_bound > 0x8000)
-		min = 1 + ~upper_bound; /* 0x8000 - upper_bound */
-	else
-		min = (isc_uint16_t)(0x10000 % (isc_uint32_t)upper_bound);
-
-	/*
-	 * This could theoretically loop forever but each retry has
-	 * p > 0.5 (worst case, usually far better) of selecting a
-	 * number inside the range we need, so it should rarely need
-	 * to re-roll.
-	 */
-	for (;;) {
-		r = dispatch_random(actx);
-		if (r >= min)
-			break;
-	}
-
-	return (r % upper_bound);
-}
-
-/*
- * Return a hash of the destination and message id.
- */
-static isc_uint32_t
-dns_hash(dns_qid_t *qid, isc_sockaddr_t *dest, dns_messageid_t id,
-	 in_port_t port)
-{
-	unsigned int ret;
-
-	ret = isc_sockaddr_hash(dest, ISC_TRUE);
-	ret ^= (id << 16) | port;
-	ret %= qid->qid_nbuckets;
-
-	INSIST(ret < qid->qid_nbuckets);
-
-	return (ret);
-}
-
-/*
- * Find the first entry in 'qid'.  Returns NULL if there are no entries.
- */
-static dns_dispentry_t *
-linear_first(dns_qid_t *qid) {
-	dns_dispentry_t *ret;
-	unsigned int bucket;
-
-	bucket = 0;
-
-	while (bucket < qid->qid_nbuckets) {
-		ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
-		if (ret != NULL)
-			return (ret);
-		bucket++;
-	}
-
-	return (NULL);
-}
-
-/*
- * Find the next entry after 'resp' in 'qid'.  Return NULL if there are
- * no more entries.
- */
-static dns_dispentry_t *
-linear_next(dns_qid_t *qid, dns_dispentry_t *resp) {
-	dns_dispentry_t *ret;
-	unsigned int bucket;
-
-	ret = ISC_LIST_NEXT(resp, link);
-	if (ret != NULL)
-		return (ret);
-
-	bucket = resp->bucket;
-	bucket++;
-	while (bucket < qid->qid_nbuckets) {
-		ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
-		if (ret != NULL)
-			return (ret);
-		bucket++;
-	}
-
-	return (NULL);
-}
-
-/*
- * The dispatch must be locked.
- */
-static isc_boolean_t
-destroy_disp_ok(dns_dispatch_t *disp)
-{
-	if (disp->refcount != 0)
-		return (ISC_FALSE);
-
-	if (disp->recv_pending != 0)
-		return (ISC_FALSE);
-
-	if (!ISC_LIST_EMPTY(disp->activesockets))
-		return (ISC_FALSE);
-
-	if (disp->shutting_down == 0)
-		return (ISC_FALSE);
-
-	return (ISC_TRUE);
-}
-
-/*
- * Called when refcount reaches 0 (and safe to destroy).
- *
- * The dispatcher must not be locked.
- * The manager must be locked.
- */
-static void
-destroy_disp(isc_task_t *task, isc_event_t *event) {
-	dns_dispatch_t *disp;
-	dns_dispatchmgr_t *mgr;
-	isc_boolean_t killmgr;
-	dispsocket_t *dispsocket;
-	int i;
-
-	INSIST(event->ev_type == DNS_EVENT_DISPATCHCONTROL);
-
-	UNUSED(task);
-
-	disp = event->ev_arg;
-	mgr = disp->mgr;
-
-	LOCK(&mgr->lock);
-	ISC_LIST_UNLINK(mgr->list, disp, link);
-
-	dispatch_log(disp, LVL(90),
-		     "shutting down; detaching from sock %p, task %p",
-		     disp->socket, disp->task[0]); /* XXXX */
-
-	if (disp->sepool != NULL) {
-		isc_mempool_destroy(&disp->sepool);
-		(void)isc_mutex_destroy(&disp->sepool_lock);
-	}
-
-	if (disp->socket != NULL)
-		isc_socket_detach(&disp->socket);
-	while ((dispsocket = ISC_LIST_HEAD(disp->inactivesockets)) != NULL) {
-		ISC_LIST_UNLINK(disp->inactivesockets, dispsocket, link);
-		destroy_dispsocket(disp, &dispsocket);
-	}
-	for (i = 0; i < disp->ntasks; i++)
-		isc_task_detach(&disp->task[i]);
-	isc_event_free(&event);
-
-	dispatch_free(&disp);
-
-	killmgr = destroy_mgr_ok(mgr);
-	UNLOCK(&mgr->lock);
-	if (killmgr)
-		destroy_mgr(&mgr);
-}
-
-/*%
- * Manipulate port table per dispatch: find an entry for a given port number,
- * create a new entry, and decrement a given entry with possible clean-up.
- */
-static dispportentry_t *
-port_search(dns_dispatch_t *disp, in_port_t port) {
-	dispportentry_t *portentry;
-
-	REQUIRE(disp->port_table != NULL);
-
-	portentry = ISC_LIST_HEAD(disp->port_table[port %
-						   DNS_DISPATCH_PORTTABLESIZE]);
-	while (portentry != NULL) {
-		if (portentry->port == port)
-			return (portentry);
-		portentry = ISC_LIST_NEXT(portentry, link);
-	}
-
-	return (NULL);
-}
-
-static dispportentry_t *
-new_portentry(dns_dispatch_t *disp, in_port_t port) {
-	dispportentry_t *portentry;
-
-	REQUIRE(disp->port_table != NULL);
-
-	portentry = isc_mempool_get(disp->portpool);
-	if (portentry == NULL)
-		return (portentry);
-
-	portentry->port = port;
-	portentry->refs = 0;
-	ISC_LINK_INIT(portentry, link);
-	ISC_LIST_APPEND(disp->port_table[port % DNS_DISPATCH_PORTTABLESIZE],
-			portentry, link);
-
-	return (portentry);
-}
-
-/*%
- * The caller must not hold the qid->lock.
- */
-static void
-deref_portentry(dns_dispatch_t *disp, dispportentry_t **portentryp) {
-	dispportentry_t *portentry = *portentryp;
-	isc_boolean_t unlink = ISC_FALSE;
-	dns_qid_t *qid;
-
-	REQUIRE(disp->port_table != NULL);
-	REQUIRE(portentry != NULL && portentry->refs > 0);
-
-	qid = DNS_QID(disp);
-	LOCK(&qid->lock);
-	portentry->refs--;
-	unlink = ISC_TF(portentry->refs == 0);
-	UNLOCK(&qid->lock);
-
-	if (unlink) {
-		ISC_LIST_UNLINK(disp->port_table[portentry->port %
-						 DNS_DISPATCH_PORTTABLESIZE],
-				portentry, link);
-		isc_mempool_put(disp->portpool, portentry);
-	}
-
-	*portentryp = NULL;
-}
-
-/*%
- * Find a dispsocket for socket address 'dest', and port number 'port'.
- * Return NULL if no such entry exists.
- */
-static dispsocket_t *
-socket_search(dns_qid_t *qid, isc_sockaddr_t *dest, in_port_t port,
-	      unsigned int bucket)
-{
-	dispsocket_t *dispsock;
-
-	REQUIRE(bucket < qid->qid_nbuckets);
-
-	dispsock = ISC_LIST_HEAD(qid->sock_table[bucket]);
-
-	while (dispsock != NULL) {
-		if (dispsock->portentry != NULL &&
-		    dispsock->portentry->port == port &&
-		    isc_sockaddr_equal(dest, &dispsock->host))
-			return (dispsock);
-		dispsock = ISC_LIST_NEXT(dispsock, blink);
-	}
-
-	return (NULL);
-}
-
-/*%
- * Make a new socket for a single dispatch with a random port number.
- * The caller must hold the disp->lock
- */
-static isc_result_t
-get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
-	       isc_socketmgr_t *sockmgr, dispsocket_t **dispsockp,
-	       in_port_t *portp)
-{
-	int i;
-	isc_uint32_t r;
-	dns_dispatchmgr_t *mgr = disp->mgr;
-	isc_socket_t *sock = NULL;
-	isc_result_t result = ISC_R_FAILURE;
-	in_port_t port;
-	isc_sockaddr_t localaddr;
-	unsigned int bucket = 0;
-	dispsocket_t *dispsock;
-	unsigned int nports;
-	in_port_t *ports;
-	unsigned int bindoptions;
-	dispportentry_t *portentry = NULL;
-	dns_qid_t *qid;
-
-	if (isc_sockaddr_pf(&disp->local) == AF_INET) {
-		nports = disp->mgr->nv4ports;
-		ports = disp->mgr->v4ports;
-	} else {
-		nports = disp->mgr->nv6ports;
-		ports = disp->mgr->v6ports;
-	}
-	if (nports == 0)
-		return (ISC_R_ADDRNOTAVAIL);
-
-	dispsock = ISC_LIST_HEAD(disp->inactivesockets);
-	if (dispsock != NULL) {
-		ISC_LIST_UNLINK(disp->inactivesockets, dispsock, link);
-		sock = dispsock->socket;
-		dispsock->socket = NULL;
-	} else {
-		dispsock = isc_mempool_get(mgr->spool);
-		if (dispsock == NULL)
-			return (ISC_R_NOMEMORY);
-
-		disp->nsockets++;
-		dispsock->socket = NULL;
-		dispsock->disp = disp;
-		dispsock->resp = NULL;
-		dispsock->portentry = NULL;
-		isc_random_get(&r);
-		dispsock->task = NULL;
-		isc_task_attach(disp->task[r % disp->ntasks], &dispsock->task);
-		ISC_LINK_INIT(dispsock, link);
-		ISC_LINK_INIT(dispsock, blink);
-		dispsock->magic = DISPSOCK_MAGIC;
-	}
-
-	/*
-	 * Pick up a random UDP port and open a new socket with it.  Avoid
-	 * choosing ports that share the same destination because it will be
-	 * very likely to fail in bind(2) or connect(2).
-	 */
-	localaddr = disp->local;
-	qid = DNS_QID(disp);
-
-	for (i = 0; i < 64; i++) {
-		port = ports[dispatch_uniformrandom(DISP_ARC4CTX(disp),
-							nports)];
-		isc_sockaddr_setport(&localaddr, port);
-
-		LOCK(&qid->lock);
-		bucket = dns_hash(qid, dest, 0, port);
-		if (socket_search(qid, dest, port, bucket) != NULL) {
-			UNLOCK(&qid->lock);
-			continue;
-		}
-		UNLOCK(&qid->lock);
-		bindoptions = 0;
-		portentry = port_search(disp, port);
-
-		if (portentry != NULL)
-			bindoptions |= ISC_SOCKET_REUSEADDRESS;
-		result = open_socket(sockmgr, &localaddr, bindoptions, &sock,
-				     NULL);
-		if (result == ISC_R_SUCCESS) {
-			if (portentry == NULL) {
-				portentry = new_portentry(disp, port);
-				if (portentry == NULL) {
-					result = ISC_R_NOMEMORY;
-					break;
-				}
-			}
-			portentry->refs++;
-			break;
-		} else if (result == ISC_R_NOPERM) {
-			char buf[ISC_SOCKADDR_FORMATSIZE];
-			isc_sockaddr_format(&localaddr, buf, sizeof(buf));
-			dispatch_log(disp, ISC_LOG_WARNING,
-				     "open_socket(%s) -> %s: continuing",
-				     buf, isc_result_totext(result));
-		} else if (result != ISC_R_ADDRINUSE)
-			break;
-	}
-
-	if (result == ISC_R_SUCCESS) {
-		dispsock->socket = sock;
-		dispsock->host = *dest;
-		dispsock->portentry = portentry;
-		dispsock->bucket = bucket;
-		LOCK(&qid->lock);
-		ISC_LIST_APPEND(qid->sock_table[bucket], dispsock, blink);
-		UNLOCK(&qid->lock);
-		*dispsockp = dispsock;
-		*portp = port;
-	} else {
-		/*
-		 * We could keep it in the inactive list, but since this should
-		 * be an exceptional case and might be resource shortage, we'd
-		 * rather destroy it.
-		 */
-		if (sock != NULL)
-			isc_socket_detach(&sock);
-		destroy_dispsocket(disp, &dispsock);
-	}
-
-	return (result);
-}
-
-/*%
- * Destroy a dedicated dispatch socket.
- */
-static void
-destroy_dispsocket(dns_dispatch_t *disp, dispsocket_t **dispsockp) {
-	dispsocket_t *dispsock;
-	dns_qid_t *qid;
-
-	/*
-	 * The dispatch must be locked.
-	 */
-
-	REQUIRE(dispsockp != NULL && *dispsockp != NULL);
-	dispsock = *dispsockp;
-	REQUIRE(!ISC_LINK_LINKED(dispsock, link));
-
-	disp->nsockets--;
-	dispsock->magic = 0;
-	if (dispsock->portentry != NULL)
-		deref_portentry(disp, &dispsock->portentry);
-	if (dispsock->socket != NULL)
-		isc_socket_detach(&dispsock->socket);
-	if (ISC_LINK_LINKED(dispsock, blink)) {
-		qid = DNS_QID(disp);
-		LOCK(&qid->lock);
-		ISC_LIST_UNLINK(qid->sock_table[dispsock->bucket], dispsock,
-				blink);
-		UNLOCK(&qid->lock);
-	}
-	if (dispsock->task != NULL)
-		isc_task_detach(&dispsock->task);
-	isc_mempool_put(disp->mgr->spool, dispsock);
-
-	*dispsockp = NULL;
-}
-
-/*%
- * Deactivate a dedicated dispatch socket.  Move it to the inactive list for
- * future reuse unless the total number of sockets are exceeding the maximum.
- */
-static void
-deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
-	isc_result_t result;
-	dns_qid_t *qid;
-
-	/*
-	 * The dispatch must be locked.
-	 */
-	ISC_LIST_UNLINK(disp->activesockets, dispsock, link);
-	if (dispsock->resp != NULL) {
-		INSIST(dispsock->resp->dispsocket == dispsock);
-		dispsock->resp->dispsocket = NULL;
-	}
-
-	INSIST(dispsock->portentry != NULL);
-	deref_portentry(disp, &dispsock->portentry);
-
-#ifdef BIND9
-	if (disp->nsockets > DNS_DISPATCH_POOLSOCKS)
-		destroy_dispsocket(disp, &dispsock);
-	else {
-		result = isc_socket_close(dispsock->socket);
-
-		qid = DNS_QID(disp);
-		LOCK(&qid->lock);
-		ISC_LIST_UNLINK(qid->sock_table[dispsock->bucket], dispsock,
-				blink);
-		UNLOCK(&qid->lock);
-
-		if (result == ISC_R_SUCCESS)
-			ISC_LIST_APPEND(disp->inactivesockets, dispsock, link);
-		else {
-			/*
-			 * If the underlying system does not allow this
-			 * optimization, destroy this temporary structure (and
-			 * create a new one for a new transaction).
-			 */
-			INSIST(result == ISC_R_NOTIMPLEMENTED);
-			destroy_dispsocket(disp, &dispsock);
-		}
-	}
-#else
-	/* This kind of optimization isn't necessary for normal use */
-	UNUSED(qid);
-	UNUSED(result);
-
-	destroy_dispsocket(disp, &dispsock);
-#endif
-}
-
-/*
- * Find an entry for query ID 'id', socket address 'dest', and port number
- * 'port'.
- * Return NULL if no such entry exists.
- */
-static dns_dispentry_t *
-entry_search(dns_qid_t *qid, isc_sockaddr_t *dest, dns_messageid_t id,
-	     in_port_t port, unsigned int bucket)
-{
-	dns_dispentry_t *res;
-
-	REQUIRE(bucket < qid->qid_nbuckets);
-
-	res = ISC_LIST_HEAD(qid->qid_table[bucket]);
-
-	while (res != NULL) {
-		if (res->id == id && isc_sockaddr_equal(dest, &res->host) &&
-		    res->port == port) {
-			return (res);
-		}
-		res = ISC_LIST_NEXT(res, link);
-	}
-
-	return (NULL);
-}
-
-static void
-free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len) {
-	isc_mempool_t *bpool;
-	INSIST(buf != NULL && len != 0);
-
-
-	switch (disp->socktype) {
-	case isc_sockettype_tcp:
-		INSIST(disp->tcpbuffers > 0);
-		disp->tcpbuffers--;
-		isc_mem_put(disp->mgr->mctx, buf, len);
-		break;
-	case isc_sockettype_udp:
-		LOCK(&disp->mgr->buffer_lock);
-		INSIST(disp->mgr->buffers > 0);
-		INSIST(len == disp->mgr->buffersize);
-		disp->mgr->buffers--;
-		bpool = disp->mgr->bpool;
-		UNLOCK(&disp->mgr->buffer_lock);
-		isc_mempool_put(bpool, buf);
-		break;
-	default:
-		INSIST(0);
-		break;
-	}
-}
-
-static void *
-allocate_udp_buffer(dns_dispatch_t *disp) {
-	isc_mempool_t *bpool;
-	void *temp;
-
-	LOCK(&disp->mgr->buffer_lock);
-	bpool = disp->mgr->bpool;
-	disp->mgr->buffers++;
-	UNLOCK(&disp->mgr->buffer_lock);
-
-	temp = isc_mempool_get(bpool);
-
-	if (temp == NULL) {
-		LOCK(&disp->mgr->buffer_lock);
-		disp->mgr->buffers--;
-		UNLOCK(&disp->mgr->buffer_lock);
-	}
-
-	return (temp);
-}
-
-static inline void
-free_sevent(isc_event_t *ev) {
-	isc_mempool_t *pool = ev->ev_destroy_arg;
-	isc_socketevent_t *sev = (isc_socketevent_t *) ev;
-	isc_mempool_put(pool, sev);
-}
-
-static inline isc_socketevent_t *
-allocate_sevent(dns_dispatch_t *disp, isc_socket_t *socket,
-		isc_eventtype_t type, isc_taskaction_t action, const void *arg)
-{
-	isc_socketevent_t *ev;
-	void *deconst_arg;
-
-	ev = isc_mempool_get(disp->sepool);
-	if (ev == NULL)
-		return (NULL);
-	DE_CONST(arg, deconst_arg);
-	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, type,
-		       action, deconst_arg, socket,
-		       free_sevent, disp->sepool);
-	ev->result = ISC_R_UNSET;
-	ISC_LINK_INIT(ev, ev_link);
-	ISC_LIST_INIT(ev->bufferlist);
-	ev->region.base = NULL;
-	ev->n = 0;
-	ev->offset = 0;
-	ev->attributes = 0;
-
-	return (ev);
-}
-
-
-static inline void
-free_devent(dns_dispatch_t *disp, dns_dispatchevent_t *ev) {
-	if (disp->failsafe_ev == ev) {
-		INSIST(disp->shutdown_out == 1);
-		disp->shutdown_out = 0;
-
-		return;
-	}
-
-	isc_mempool_put(disp->mgr->depool, ev);
-}
-
-static inline dns_dispatchevent_t *
-allocate_devent(dns_dispatch_t *disp) {
-	dns_dispatchevent_t *ev;
-
-	ev = isc_mempool_get(disp->mgr->depool);
-	if (ev == NULL)
-		return (NULL);
-	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, 0,
-		       NULL, NULL, NULL, NULL, NULL);
-
-	return (ev);
-}
-
-static void
-udp_exrecv(isc_task_t *task, isc_event_t *ev) {
-	dispsocket_t *dispsock = ev->ev_arg;
-
-	UNUSED(task);
-
-	REQUIRE(VALID_DISPSOCK(dispsock));
-	udp_recv(ev, dispsock->disp, dispsock);
-}
-
-static void
-udp_shrecv(isc_task_t *task, isc_event_t *ev) {
-	dns_dispatch_t *disp = ev->ev_arg;
-
-	UNUSED(task);
-
-	REQUIRE(VALID_DISPATCH(disp));
-	udp_recv(ev, disp, NULL);
-}
-
-/*
- * General flow:
- *
- * If I/O result == CANCELED or error, free the buffer.
- *
- * If query, free the buffer, restart.
- *
- * If response:
- *	Allocate event, fill in details.
- *		If cannot allocate, free buffer, restart.
- *	find target.  If not found, free buffer, restart.
- *	if event queue is not empty, queue.  else, send.
- *	restart.
- */
-static void
-udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) {
-	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
-	dns_messageid_t id;
-	isc_result_t dres;
-	isc_buffer_t source;
-	unsigned int flags;
-	dns_dispentry_t *resp = NULL;
-	dns_dispatchevent_t *rev;
-	unsigned int bucket;
-	isc_boolean_t killit;
-	isc_boolean_t queue_response;
-	dns_dispatchmgr_t *mgr;
-	dns_qid_t *qid;
-	isc_netaddr_t netaddr;
-	int match;
-	int result;
-	isc_boolean_t qidlocked = ISC_FALSE;
-
-	LOCK(&disp->lock);
-
-	mgr = disp->mgr;
-	qid = mgr->qid;
-
-	dispatch_log(disp, LVL(90),
-		     "got packet: requests %d, buffers %d, recvs %d",
-		     disp->requests, disp->mgr->buffers, disp->recv_pending);
-
-	if (dispsock == NULL && ev->ev_type == ISC_SOCKEVENT_RECVDONE) {
-		/*
-		 * Unless the receive event was imported from a listening
-		 * interface, in which case the event type is
-		 * DNS_EVENT_IMPORTRECVDONE, receive operation must be pending.
-		 */
-		INSIST(disp->recv_pending != 0);
-		disp->recv_pending = 0;
-	}
-
-	if (dispsock != NULL &&
-	    (ev->result == ISC_R_CANCELED || dispsock->resp == NULL)) {
-		/*
-		 * dispsock->resp can be NULL if this transaction was canceled
-		 * just after receiving a response.  Since this socket is
-		 * exclusively used and there should be at most one receive
-		 * event the canceled event should have been no effect.  So
-		 * we can (and should) deactivate the socket right now.
-		 */
-		deactivate_dispsocket(disp, dispsock);
-		dispsock = NULL;
-	}
-
-	if (disp->shutting_down) {
-		/*
-		 * This dispatcher is shutting down.
-		 */
-		free_buffer(disp, ev->region.base, ev->region.length);
-
-		isc_event_free(&ev_in);
-		ev = NULL;
-
-		killit = destroy_disp_ok(disp);
-		UNLOCK(&disp->lock);
-		if (killit)
-			isc_task_send(disp->task[0], &disp->ctlevent);
-
-		return;
-	}
-
-	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
-		if (dispsock != NULL) {
-			resp = dispsock->resp;
-			id = resp->id;
-			if (ev->result != ISC_R_SUCCESS) {
-				/*
-				 * This is most likely a network error on a
-				 * connected socket.  It makes no sense to
-				 * check the address or parse the packet, but it
-				 * will help to return the error to the caller.
-				 */
-				goto sendresponse;
-			}
-		} else {
-			free_buffer(disp, ev->region.base, ev->region.length);
-
-			UNLOCK(&disp->lock);
-			isc_event_free(&ev_in);
-			return;
-		}
-	} else if (ev->result != ISC_R_SUCCESS) {
-		free_buffer(disp, ev->region.base, ev->region.length);
-
-		if (ev->result != ISC_R_CANCELED)
-			dispatch_log(disp, ISC_LOG_ERROR,
-				     "odd socket result in udp_recv(): %s",
-				     isc_result_totext(ev->result));
-
-		UNLOCK(&disp->lock);
-		isc_event_free(&ev_in);
-		return;
-	}
-
-	/*
-	 * If this is from a blackholed address, drop it.
-	 */
-	isc_netaddr_fromsockaddr(&netaddr, &ev->address);
-	if (disp->mgr->blackhole != NULL &&
-	    dns_acl_match(&netaddr, NULL, disp->mgr->blackhole,
-			  NULL, &match, NULL) == ISC_R_SUCCESS &&
-	    match > 0)
-	{
-		if (isc_log_wouldlog(dns_lctx, LVL(10))) {
-			char netaddrstr[ISC_NETADDR_FORMATSIZE];
-			isc_netaddr_format(&netaddr, netaddrstr,
-					   sizeof(netaddrstr));
-			dispatch_log(disp, LVL(10),
-				     "blackholed packet from %s",
-				     netaddrstr);
-		}
-		free_buffer(disp, ev->region.base, ev->region.length);
-		goto restart;
-	}
-
-	/*
-	 * Peek into the buffer to see what we can see.
-	 */
-	isc_buffer_init(&source, ev->region.base, ev->region.length);
-	isc_buffer_add(&source, ev->n);
-	dres = dns_message_peekheader(&source, &id, &flags);
-	if (dres != ISC_R_SUCCESS) {
-		free_buffer(disp, ev->region.base, ev->region.length);
-		dispatch_log(disp, LVL(10), "got garbage packet");
-		goto restart;
-	}
-
-	dispatch_log(disp, LVL(92),
-		     "got valid DNS message header, /QR %c, id %u",
-		     ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
-
-	/*
-	 * Look at flags.  If query, drop it. If response,
-	 * look to see where it goes.
-	 */
-	if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
-		/* query */
-		free_buffer(disp, ev->region.base, ev->region.length);
-		goto restart;
-	}
-
-	/*
-	 * Search for the corresponding response.  If we are using an exclusive
-	 * socket, we've already identified it and we can skip the search; but
-	 * the ID and the address must match the expected ones.
-	 */
-	if (resp == NULL) {
-		bucket = dns_hash(qid, &ev->address, id, disp->localport);
-		LOCK(&qid->lock);
-		qidlocked = ISC_TRUE;
-		resp = entry_search(qid, &ev->address, id, disp->localport,
-				    bucket);
-		dispatch_log(disp, LVL(90),
-			     "search for response in bucket %d: %s",
-			     bucket, (resp == NULL ? "not found" : "found"));
-
-		if (resp == NULL) {
-			inc_stats(mgr, dns_resstatscounter_mismatch);
-			free_buffer(disp, ev->region.base, ev->region.length);
-			goto unlock;
-		}
-	} else if (resp->id != id || !isc_sockaddr_equal(&ev->address,
-							 &resp->host)) {
-		dispatch_log(disp, LVL(90),
-			     "response to an exclusive socket doesn't match");
-		inc_stats(mgr, dns_resstatscounter_mismatch);
-		free_buffer(disp, ev->region.base, ev->region.length);
-		goto unlock;
-	}
-
-	/*
-	 * Now that we have the original dispatch the query was sent
-	 * from check that the address and port the response was
-	 * sent to make sense.
-	 */
-	if (disp != resp->disp) {
-		isc_sockaddr_t a1;
-		isc_sockaddr_t a2;
-
-		/*
-		 * Check that the socket types and ports match.
-		 */
-		if (disp->socktype != resp->disp->socktype ||
-		    isc_sockaddr_getport(&disp->local) !=
-		    isc_sockaddr_getport(&resp->disp->local)) {
-			free_buffer(disp, ev->region.base, ev->region.length);
-			goto unlock;
-		}
-
-		/*
-		 * If both dispatches are bound to an address then fail as
-		 * the addresses can't be equal (enforced by the IP stack).
-		 *
-		 * Note under Linux a packet can be sent out via IPv4 socket
-		 * and the response be received via a IPv6 socket.
-		 *
-		 * Requests sent out via IPv6 should always come back in
-		 * via IPv6.
-		 */
-		if (isc_sockaddr_pf(&resp->disp->local) == PF_INET6 &&
-		    isc_sockaddr_pf(&disp->local) != PF_INET6) {
-			free_buffer(disp, ev->region.base, ev->region.length);
-			goto unlock;
-		}
-		isc_sockaddr_anyofpf(&a1, isc_sockaddr_pf(&resp->disp->local));
-		isc_sockaddr_anyofpf(&a2, isc_sockaddr_pf(&disp->local));
-		if (!isc_sockaddr_eqaddr(&a1, &resp->disp->local) &&
-		    !isc_sockaddr_eqaddr(&a2, &disp->local)) {
-			free_buffer(disp, ev->region.base, ev->region.length);
-			goto unlock;
-		}
-	}
-
-  sendresponse:
-	queue_response = resp->item_out;
-	rev = allocate_devent(resp->disp);
-	if (rev == NULL) {
-		free_buffer(disp, ev->region.base, ev->region.length);
-		goto unlock;
-	}
-
-	/*
-	 * At this point, rev contains the event we want to fill in, and
-	 * resp contains the information on the place to send it to.
-	 * Send the event off.
-	 */
-	isc_buffer_init(&rev->buffer, ev->region.base, ev->region.length);
-	isc_buffer_add(&rev->buffer, ev->n);
-	rev->result = ev->result;
-	rev->id = id;
-	rev->addr = ev->address;
-	rev->pktinfo = ev->pktinfo;
-	rev->attributes = ev->attributes;
-	if (queue_response) {
-		ISC_LIST_APPEND(resp->items, rev, ev_link);
-	} else {
-		ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL,
-			       DNS_EVENT_DISPATCH,
-			       resp->action, resp->arg, resp, NULL, NULL);
-		request_log(disp, resp, LVL(90),
-			    "[a] Sent event %p buffer %p len %d to task %p",
-			    rev, rev->buffer.base, rev->buffer.length,
-			    resp->task);
-		resp->item_out = ISC_TRUE;
-		isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
-	}
- unlock:
-	if (qidlocked)
-		UNLOCK(&qid->lock);
-
-	/*
-	 * Restart recv() to get the next packet.
-	 */
- restart:
-	result = startrecv(disp, dispsock);
-	if (result != ISC_R_SUCCESS && dispsock != NULL) {
-		/*
-		 * XXX: wired. There seems to be no recovery process other than
-		 * deactivate this socket anyway (since we cannot start
-		 * receiving, we won't be able to receive a cancel event
-		 * from the user).
-		 */
-		deactivate_dispsocket(disp, dispsock);
-	}
-	UNLOCK(&disp->lock);
-
-	isc_event_free(&ev_in);
-}
-
-/*
- * General flow:
- *
- * If I/O result == CANCELED, EOF, or error, notify everyone as the
- * various queues drain.
- *
- * If query, restart.
- *
- * If response:
- *	Allocate event, fill in details.
- *		If cannot allocate, restart.
- *	find target.  If not found, restart.
- *	if event queue is not empty, queue.  else, send.
- *	restart.
- */
-static void
-tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
-	dns_dispatch_t *disp = ev_in->ev_arg;
-	dns_tcpmsg_t *tcpmsg = &disp->tcpmsg;
-	dns_messageid_t id;
-	isc_result_t dres;
-	unsigned int flags;
-	dns_dispentry_t *resp;
-	dns_dispatchevent_t *rev;
-	unsigned int bucket;
-	isc_boolean_t killit;
-	isc_boolean_t queue_response;
-	dns_qid_t *qid;
-	int level;
-	char buf[ISC_SOCKADDR_FORMATSIZE];
-
-	UNUSED(task);
-
-	REQUIRE(VALID_DISPATCH(disp));
-
-	qid = disp->qid;
-
-	dispatch_log(disp, LVL(90),
-		     "got TCP packet: requests %d, buffers %d, recvs %d",
-		     disp->requests, disp->tcpbuffers, disp->recv_pending);
-
-	LOCK(&disp->lock);
-
-	INSIST(disp->recv_pending != 0);
-	disp->recv_pending = 0;
-
-	if (disp->refcount == 0) {
-		/*
-		 * This dispatcher is shutting down.  Force cancelation.
-		 */
-		tcpmsg->result = ISC_R_CANCELED;
-	}
-
-	if (tcpmsg->result != ISC_R_SUCCESS) {
-		switch (tcpmsg->result) {
-		case ISC_R_CANCELED:
-			break;
-
-		case ISC_R_EOF:
-			dispatch_log(disp, LVL(90), "shutting down on EOF");
-			do_cancel(disp);
-			break;
-
-		case ISC_R_CONNECTIONRESET:
-			level = ISC_LOG_INFO;
-			goto logit;
-
-		default:
-			level = ISC_LOG_ERROR;
-		logit:
-			isc_sockaddr_format(&tcpmsg->address, buf, sizeof(buf));
-			dispatch_log(disp, level, "shutting down due to TCP "
-				     "receive error: %s: %s", buf,
-				     isc_result_totext(tcpmsg->result));
-			do_cancel(disp);
-			break;
-		}
-
-		/*
-		 * The event is statically allocated in the tcpmsg
-		 * structure, and destroy_disp() frees the tcpmsg, so we must
-		 * free the event *before* calling destroy_disp().
-		 */
-		isc_event_free(&ev_in);
-
-		disp->shutting_down = 1;
-		disp->shutdown_why = tcpmsg->result;
-
-		/*
-		 * If the recv() was canceled pass the word on.
-		 */
-		killit = destroy_disp_ok(disp);
-		UNLOCK(&disp->lock);
-		if (killit)
-			isc_task_send(disp->task[0], &disp->ctlevent);
-		return;
-	}
-
-	dispatch_log(disp, LVL(90), "result %d, length == %d, addr = %p",
-		     tcpmsg->result,
-		     tcpmsg->buffer.length, tcpmsg->buffer.base);
-
-	/*
-	 * Peek into the buffer to see what we can see.
-	 */
-	dres = dns_message_peekheader(&tcpmsg->buffer, &id, &flags);
-	if (dres != ISC_R_SUCCESS) {
-		dispatch_log(disp, LVL(10), "got garbage packet");
-		goto restart;
-	}
-
-	dispatch_log(disp, LVL(92),
-		     "got valid DNS message header, /QR %c, id %u",
-		     ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
-
-	/*
-	 * Allocate an event to send to the query or response client, and
-	 * allocate a new buffer for our use.
-	 */
-
-	/*
-	 * Look at flags.  If query, drop it. If response,
-	 * look to see where it goes.
-	 */
-	if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
-		/*
-		 * Query.
-		 */
-		goto restart;
-	}
-
-	/*
-	 * Response.
-	 */
-	bucket = dns_hash(qid, &tcpmsg->address, id, disp->localport);
-	LOCK(&qid->lock);
-	resp = entry_search(qid, &tcpmsg->address, id, disp->localport, bucket);
-	dispatch_log(disp, LVL(90),
-		     "search for response in bucket %d: %s",
-		     bucket, (resp == NULL ? "not found" : "found"));
-
-	if (resp == NULL)
-		goto unlock;
-	queue_response = resp->item_out;
-	rev = allocate_devent(disp);
-	if (rev == NULL)
-		goto unlock;
-
-	/*
-	 * At this point, rev contains the event we want to fill in, and
-	 * resp contains the information on the place to send it to.
-	 * Send the event off.
-	 */
-	dns_tcpmsg_keepbuffer(tcpmsg, &rev->buffer);
-	disp->tcpbuffers++;
-	rev->result = ISC_R_SUCCESS;
-	rev->id = id;
-	rev->addr = tcpmsg->address;
-	if (queue_response) {
-		ISC_LIST_APPEND(resp->items, rev, ev_link);
-	} else {
-		ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL, DNS_EVENT_DISPATCH,
-			       resp->action, resp->arg, resp, NULL, NULL);
-		request_log(disp, resp, LVL(90),
-			    "[b] Sent event %p buffer %p len %d to task %p",
-			    rev, rev->buffer.base, rev->buffer.length,
-			    resp->task);
-		resp->item_out = ISC_TRUE;
-		isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
-	}
- unlock:
-	UNLOCK(&qid->lock);
-
-	/*
-	 * Restart recv() to get the next packet.
-	 */
- restart:
-	(void)startrecv(disp, NULL);
-
-	UNLOCK(&disp->lock);
-
-	isc_event_free(&ev_in);
-}
-
-/*
- * disp must be locked.
- */
-static isc_result_t
-startrecv(dns_dispatch_t *disp, dispsocket_t *dispsock) {
-	isc_result_t res;
-	isc_region_t region;
-	isc_socket_t *socket;
-
-	if (disp->shutting_down == 1)
-		return (ISC_R_SUCCESS);
-
-	if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
-		return (ISC_R_SUCCESS);
-
-	if (disp->recv_pending != 0 && dispsock == NULL)
-		return (ISC_R_SUCCESS);
-
-	if (disp->mgr->buffers >= disp->mgr->maxbuffers)
-		return (ISC_R_NOMEMORY);
-
-	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0 &&
-	    dispsock == NULL)
-		return (ISC_R_SUCCESS);
-
-	if (dispsock != NULL)
-		socket = dispsock->socket;
-	else
-		socket = disp->socket;
-	INSIST(socket != NULL);
-
-	switch (disp->socktype) {
-		/*
-		 * UDP reads are always maximal.
-		 */
-	case isc_sockettype_udp:
-		region.length = disp->mgr->buffersize;
-		region.base = allocate_udp_buffer(disp);
-		if (region.base == NULL)
-			return (ISC_R_NOMEMORY);
-		if (dispsock != NULL) {
-			isc_task_t *dt = dispsock->task;
-			isc_socketevent_t *sev =
-				allocate_sevent(disp, socket,
-						ISC_SOCKEVENT_RECVDONE,
-						udp_exrecv, dispsock);
-			if (sev == NULL) {
-				free_buffer(disp, region.base, region.length);
-				return (ISC_R_NOMEMORY);
-			}
-
-			res = isc_socket_recv2(socket, &region, 1, dt, sev, 0);
-			if (res != ISC_R_SUCCESS) {
-				free_buffer(disp, region.base, region.length);
-				return (res);
-			}
-		} else {
-			isc_task_t *dt = disp->task[0];
-			isc_socketevent_t *sev =
-				allocate_sevent(disp, socket,
-						ISC_SOCKEVENT_RECVDONE,
-						udp_shrecv, disp);
-			if (sev == NULL) {
-				free_buffer(disp, region.base, region.length);
-				return (ISC_R_NOMEMORY);
-			}
-
-			res = isc_socket_recv2(socket, &region, 1, dt, sev, 0);
-			if (res != ISC_R_SUCCESS) {
-				free_buffer(disp, region.base, region.length);
-				disp->shutdown_why = res;
-				disp->shutting_down = 1;
-				do_cancel(disp);
-				return (ISC_R_SUCCESS); /* recover by cancel */
-			}
-			INSIST(disp->recv_pending == 0);
-			disp->recv_pending = 1;
-		}
-		break;
-
-	case isc_sockettype_tcp:
-		res = dns_tcpmsg_readmessage(&disp->tcpmsg, disp->task[0],
-					     tcp_recv, disp);
-		if (res != ISC_R_SUCCESS) {
-			disp->shutdown_why = res;
-			disp->shutting_down = 1;
-			do_cancel(disp);
-			return (ISC_R_SUCCESS); /* recover by cancel */
-		}
-		INSIST(disp->recv_pending == 0);
-		disp->recv_pending = 1;
-		break;
-	default:
-		INSIST(0);
-		break;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Mgr must be locked when calling this function.
- */
-static isc_boolean_t
-destroy_mgr_ok(dns_dispatchmgr_t *mgr) {
-	mgr_log(mgr, LVL(90),
-		"destroy_mgr_ok: shuttingdown=%d, listnonempty=%d, "
-		"depool=%d, rpool=%d, dpool=%d",
-		MGR_IS_SHUTTINGDOWN(mgr), !ISC_LIST_EMPTY(mgr->list),
-		isc_mempool_getallocated(mgr->depool),
-		isc_mempool_getallocated(mgr->rpool),
-		isc_mempool_getallocated(mgr->dpool));
-	if (!MGR_IS_SHUTTINGDOWN(mgr))
-		return (ISC_FALSE);
-	if (!ISC_LIST_EMPTY(mgr->list))
-		return (ISC_FALSE);
-	if (isc_mempool_getallocated(mgr->depool) != 0)
-		return (ISC_FALSE);
-	if (isc_mempool_getallocated(mgr->rpool) != 0)
-		return (ISC_FALSE);
-	if (isc_mempool_getallocated(mgr->dpool) != 0)
-		return (ISC_FALSE);
-
-	return (ISC_TRUE);
-}
-
-/*
- * Mgr must be unlocked when calling this function.
- */
-static void
-destroy_mgr(dns_dispatchmgr_t **mgrp) {
-	isc_mem_t *mctx;
-	dns_dispatchmgr_t *mgr;
-
-	mgr = *mgrp;
-	*mgrp = NULL;
-
-	mctx = mgr->mctx;
-
-	mgr->magic = 0;
-	mgr->mctx = NULL;
-	DESTROYLOCK(&mgr->lock);
-	mgr->state = 0;
-
-	DESTROYLOCK(&mgr->arc4_lock);
-
-	isc_mempool_destroy(&mgr->depool);
-	isc_mempool_destroy(&mgr->rpool);
-	isc_mempool_destroy(&mgr->dpool);
-	if (mgr->bpool != NULL)
-		isc_mempool_destroy(&mgr->bpool);
-	if (mgr->spool != NULL)
-		isc_mempool_destroy(&mgr->spool);
-
-	DESTROYLOCK(&mgr->spool_lock);
-	DESTROYLOCK(&mgr->bpool_lock);
-	DESTROYLOCK(&mgr->dpool_lock);
-	DESTROYLOCK(&mgr->rpool_lock);
-	DESTROYLOCK(&mgr->depool_lock);
-
-#ifdef BIND9
-	if (mgr->entropy != NULL)
-		isc_entropy_detach(&mgr->entropy);
-#endif /* BIND9 */
-	if (mgr->qid != NULL)
-		qid_destroy(mctx, &mgr->qid);
-
-	DESTROYLOCK(&mgr->buffer_lock);
-
-	if (mgr->blackhole != NULL)
-		dns_acl_detach(&mgr->blackhole);
-
-	if (mgr->stats != NULL)
-		isc_stats_detach(&mgr->stats);
-
-	if (mgr->v4ports != NULL) {
-		isc_mem_put(mctx, mgr->v4ports,
-			    mgr->nv4ports * sizeof(in_port_t));
-	}
-	if (mgr->v6ports != NULL) {
-		isc_mem_put(mctx, mgr->v6ports,
-			    mgr->nv6ports * sizeof(in_port_t));
-	}
-	isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
-	isc_mem_detach(&mctx);
-}
-
-static isc_result_t
-open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
-	    unsigned int options, isc_socket_t **sockp,
-	    isc_socket_t *dup_socket)
-{
-	isc_socket_t *sock;
-	isc_result_t result;
-
-	sock = *sockp;
-	if (sock != NULL) {
-#ifdef BIND9
-		result = isc_socket_open(sock);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-#else
-		INSIST(0);
-#endif
-	} else if (dup_socket != NULL) {
-		result = isc_socket_dup(dup_socket, &sock);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		isc_socket_setname(sock, "dispatcher", NULL);
-		*sockp = sock;
-		return (ISC_R_SUCCESS);
-	} else {
-		result = isc_socket_create(mgr, isc_sockaddr_pf(local),
-					isc_sockettype_udp, &sock);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	isc_socket_setname(sock, "dispatcher", NULL);
-
-#ifndef ISC_ALLOW_MAPPED
-	isc_socket_ipv6only(sock, ISC_TRUE);
-#endif
-	result = isc_socket_bind(sock, local, options);
-	if (result != ISC_R_SUCCESS) {
-		if (*sockp == NULL)
-			isc_socket_detach(&sock);
-		else {
-#ifdef BIND9
-			isc_socket_close(sock);
-#else
-			INSIST(0);
-#endif
-		}
-		return (result);
-	}
-
-	*sockp = sock;
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Create a temporary port list to set the initial default set of dispatch
- * ports: [1024, 65535].  This is almost meaningless as the application will
- * normally set the ports explicitly, but is provided to fill some minor corner
- * cases.
- */
-static isc_result_t
-create_default_portset(isc_mem_t *mctx, isc_portset_t **portsetp) {
-	isc_result_t result;
-
-	result = isc_portset_create(mctx, portsetp);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_portset_addrange(*portsetp, 1024, 65535);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Publics.
- */
-
-isc_result_t
-dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
-		       dns_dispatchmgr_t **mgrp)
-{
-	dns_dispatchmgr_t *mgr;
-	isc_result_t result;
-	isc_portset_t *v4portset = NULL;
-	isc_portset_t *v6portset = NULL;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(mgrp != NULL && *mgrp == NULL);
-
-	mgr = isc_mem_get(mctx, sizeof(dns_dispatchmgr_t));
-	if (mgr == NULL)
-		return (ISC_R_NOMEMORY);
-
-	mgr->mctx = NULL;
-	isc_mem_attach(mctx, &mgr->mctx);
-
-	mgr->blackhole = NULL;
-	mgr->stats = NULL;
-
-	result = isc_mutex_init(&mgr->lock);
-	if (result != ISC_R_SUCCESS)
-		goto deallocate;
-
-	result = isc_mutex_init(&mgr->arc4_lock);
-	if (result != ISC_R_SUCCESS)
-		goto kill_lock;
-
-	result = isc_mutex_init(&mgr->buffer_lock);
-	if (result != ISC_R_SUCCESS)
-		goto kill_arc4_lock;
-
-	result = isc_mutex_init(&mgr->depool_lock);
-	if (result != ISC_R_SUCCESS)
-		goto kill_buffer_lock;
-
-	result = isc_mutex_init(&mgr->rpool_lock);
-	if (result != ISC_R_SUCCESS)
-		goto kill_depool_lock;
-
-	result = isc_mutex_init(&mgr->dpool_lock);
-	if (result != ISC_R_SUCCESS)
-		goto kill_rpool_lock;
-
-	result = isc_mutex_init(&mgr->bpool_lock);
-	if (result != ISC_R_SUCCESS)
-		goto kill_dpool_lock;
-
-	result = isc_mutex_init(&mgr->spool_lock);
-	if (result != ISC_R_SUCCESS)
-		goto kill_bpool_lock;
-
-	mgr->depool = NULL;
-	if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatchevent_t),
-			       &mgr->depool) != ISC_R_SUCCESS) {
-		result = ISC_R_NOMEMORY;
-		goto kill_spool_lock;
-	}
-
-	mgr->rpool = NULL;
-	if (isc_mempool_create(mgr->mctx, sizeof(dns_dispentry_t),
-			       &mgr->rpool) != ISC_R_SUCCESS) {
-		result = ISC_R_NOMEMORY;
-		goto kill_depool;
-	}
-
-	mgr->dpool = NULL;
-	if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatch_t),
-			       &mgr->dpool) != ISC_R_SUCCESS) {
-		result = ISC_R_NOMEMORY;
-		goto kill_rpool;
-	}
-
-	isc_mempool_setname(mgr->depool, "dispmgr_depool");
-	isc_mempool_setmaxalloc(mgr->depool, 32768);
-	isc_mempool_setfreemax(mgr->depool, 32768);
-	isc_mempool_associatelock(mgr->depool, &mgr->depool_lock);
-	isc_mempool_setfillcount(mgr->depool, 256);
-
-	isc_mempool_setname(mgr->rpool, "dispmgr_rpool");
-	isc_mempool_setmaxalloc(mgr->rpool, 32768);
-	isc_mempool_setfreemax(mgr->rpool, 32768);
-	isc_mempool_associatelock(mgr->rpool, &mgr->rpool_lock);
-	isc_mempool_setfillcount(mgr->rpool, 256);
-
-	isc_mempool_setname(mgr->dpool, "dispmgr_dpool");
-	isc_mempool_setmaxalloc(mgr->dpool, 32768);
-	isc_mempool_setfreemax(mgr->dpool, 32768);
-	isc_mempool_associatelock(mgr->dpool, &mgr->dpool_lock);
-	isc_mempool_setfillcount(mgr->dpool, 256);
-
-	mgr->buffers = 0;
-	mgr->buffersize = 0;
-	mgr->maxbuffers = 0;
-	mgr->bpool = NULL;
-	mgr->spool = NULL;
-	mgr->entropy = NULL;
-	mgr->qid = NULL;
-	mgr->state = 0;
-	ISC_LIST_INIT(mgr->list);
-	mgr->v4ports = NULL;
-	mgr->v6ports = NULL;
-	mgr->nv4ports = 0;
-	mgr->nv6ports = 0;
-	mgr->magic = DNS_DISPATCHMGR_MAGIC;
-
-	result = create_default_portset(mctx, &v4portset);
-	if (result == ISC_R_SUCCESS) {
-		result = create_default_portset(mctx, &v6portset);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_dispatchmgr_setavailports(mgr,
-							       v4portset,
-							       v6portset);
-		}
-	}
-	if (v4portset != NULL)
-		isc_portset_destroy(mctx, &v4portset);
-	if (v6portset != NULL)
-		isc_portset_destroy(mctx, &v6portset);
-	if (result != ISC_R_SUCCESS)
-		goto kill_dpool;
-
-#ifdef BIND9
-	if (entropy != NULL)
-		isc_entropy_attach(entropy, &mgr->entropy);
-#else
-	UNUSED(entropy);
-#endif
-
-	dispatch_initrandom(&mgr->arc4ctx, mgr->entropy, &mgr->arc4_lock);
-
-	*mgrp = mgr;
-	return (ISC_R_SUCCESS);
-
- kill_dpool:
-	isc_mempool_destroy(&mgr->dpool);
- kill_rpool:
-	isc_mempool_destroy(&mgr->rpool);
- kill_depool:
-	isc_mempool_destroy(&mgr->depool);
- kill_spool_lock:
-	DESTROYLOCK(&mgr->spool_lock);
- kill_bpool_lock:
-	DESTROYLOCK(&mgr->bpool_lock);
- kill_dpool_lock:
-	DESTROYLOCK(&mgr->dpool_lock);
- kill_rpool_lock:
-	DESTROYLOCK(&mgr->rpool_lock);
- kill_depool_lock:
-	DESTROYLOCK(&mgr->depool_lock);
- kill_buffer_lock:
-	DESTROYLOCK(&mgr->buffer_lock);
- kill_arc4_lock:
-	DESTROYLOCK(&mgr->arc4_lock);
- kill_lock:
-	DESTROYLOCK(&mgr->lock);
- deallocate:
-	isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
-	isc_mem_detach(&mctx);
-
-	return (result);
-}
-
-void
-dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole) {
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	if (mgr->blackhole != NULL)
-		dns_acl_detach(&mgr->blackhole);
-	dns_acl_attach(blackhole, &mgr->blackhole);
-}
-
-dns_acl_t *
-dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr) {
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	return (mgr->blackhole);
-}
-
-void
-dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
-				 dns_portlist_t *portlist)
-{
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	UNUSED(portlist);
-
-	/* This function is deprecated: use dns_dispatchmgr_setavailports(). */
-	return;
-}
-
-dns_portlist_t *
-dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr) {
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	return (NULL);		/* this function is deprecated */
-}
-
-isc_result_t
-dns_dispatchmgr_setavailports(dns_dispatchmgr_t *mgr, isc_portset_t *v4portset,
-			      isc_portset_t *v6portset)
-{
-	in_port_t *v4ports, *v6ports, p;
-	unsigned int nv4ports, nv6ports, i4, i6;
-
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-
-	nv4ports = isc_portset_nports(v4portset);
-	nv6ports = isc_portset_nports(v6portset);
-
-	v4ports = NULL;
-	if (nv4ports != 0) {
-		v4ports = isc_mem_get(mgr->mctx, sizeof(in_port_t) * nv4ports);
-		if (v4ports == NULL)
-			return (ISC_R_NOMEMORY);
-	}
-	v6ports = NULL;
-	if (nv6ports != 0) {
-		v6ports = isc_mem_get(mgr->mctx, sizeof(in_port_t) * nv6ports);
-		if (v6ports == NULL) {
-			if (v4ports != NULL) {
-				isc_mem_put(mgr->mctx, v4ports,
-					    sizeof(in_port_t) *
-					    isc_portset_nports(v4portset));
-			}
-			return (ISC_R_NOMEMORY);
-		}
-	}
-
-	p = 0;
-	i4 = 0;
-	i6 = 0;
-	do {
-		if (isc_portset_isset(v4portset, p)) {
-			INSIST(i4 < nv4ports);
-			v4ports[i4++] = p;
-		}
-		if (isc_portset_isset(v6portset, p)) {
-			INSIST(i6 < nv6ports);
-			v6ports[i6++] = p;
-		}
-	} while (p++ < 65535);
-	INSIST(i4 == nv4ports && i6 == nv6ports);
-
-	PORTBUFLOCK(mgr);
-	if (mgr->v4ports != NULL) {
-		isc_mem_put(mgr->mctx, mgr->v4ports,
-			    mgr->nv4ports * sizeof(in_port_t));
-	}
-	mgr->v4ports = v4ports;
-	mgr->nv4ports = nv4ports;
-
-	if (mgr->v6ports != NULL) {
-		isc_mem_put(mgr->mctx, mgr->v6ports,
-			    mgr->nv6ports * sizeof(in_port_t));
-	}
-	mgr->v6ports = v6ports;
-	mgr->nv6ports = nv6ports;
-	PORTBUFUNLOCK(mgr);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
-		       unsigned int buffersize, unsigned int maxbuffers,
-		       unsigned int maxrequests, unsigned int buckets,
-		       unsigned int increment)
-{
-	isc_result_t result;
-
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
-	REQUIRE(maxbuffers > 0);
-	REQUIRE(buckets < 2097169);  /* next prime > 65536 * 32 */
-	REQUIRE(increment > buckets);
-
-	/*
-	 * Keep some number of items around.  This should be a config
-	 * option.  For now, keep 8, but later keep at least two even
-	 * if the caller wants less.  This allows us to ensure certain
-	 * things, like an event can be "freed" and the next allocation
-	 * will always succeed.
-	 *
-	 * Note that if limits are placed on anything here, we use one
-	 * event internally, so the actual limit should be "wanted + 1."
-	 *
-	 * XXXMLG
-	 */
-
-	if (maxbuffers < 8)
-		maxbuffers = 8;
-
-	LOCK(&mgr->buffer_lock);
-
-	/* Create or adjust buffer pool */
-	if (mgr->bpool != NULL) {
-		/*
-		 * We only increase the maxbuffers to avoid accidental buffer
-		 * shortage.  Ideally we'd separate the manager-wide maximum
-		 * from per-dispatch limits and respect the latter within the
-		 * global limit.  But at this moment that's deemed to be
-		 * overkilling and isn't worth additional implementation
-		 * complexity.
-		 */
-		if (maxbuffers > mgr->maxbuffers) {
-			isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
-			isc_mempool_setfreemax(mgr->bpool, maxbuffers);
-			mgr->maxbuffers = maxbuffers;
-		}
-	} else {
-		result = isc_mempool_create(mgr->mctx, buffersize, &mgr->bpool);
-		if (result != ISC_R_SUCCESS) {
-			UNLOCK(&mgr->buffer_lock);
-			return (result);
-		}
-		isc_mempool_setname(mgr->bpool, "dispmgr_bpool");
-		isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
-		isc_mempool_setfreemax(mgr->bpool, maxbuffers);
-		isc_mempool_associatelock(mgr->bpool, &mgr->bpool_lock);
-		isc_mempool_setfillcount(mgr->bpool, 256);
-	}
-
-	/* Create or adjust socket pool */
-	if (mgr->spool != NULL) {
-		if (maxrequests < DNS_DISPATCH_POOLSOCKS * 2)
-		  isc_mempool_setmaxalloc(mgr->spool, DNS_DISPATCH_POOLSOCKS * 2);
-		  isc_mempool_setfreemax(mgr->spool, DNS_DISPATCH_POOLSOCKS * 2);
-		UNLOCK(&mgr->buffer_lock);
-		return (ISC_R_SUCCESS);
-	}
-	result = isc_mempool_create(mgr->mctx, sizeof(dispsocket_t),
-				    &mgr->spool);
-	if (result != ISC_R_SUCCESS) {
-		UNLOCK(&mgr->buffer_lock);
-		goto cleanup;
-	}
-	isc_mempool_setname(mgr->spool, "dispmgr_spool");
-	isc_mempool_setmaxalloc(mgr->spool, maxrequests);
-	isc_mempool_setfreemax(mgr->spool, maxrequests);
-	isc_mempool_associatelock(mgr->spool, &mgr->spool_lock);
-	isc_mempool_setfillcount(mgr->spool, 256);
-
-	result = qid_allocate(mgr, buckets, increment, &mgr->qid, ISC_TRUE);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	mgr->buffersize = buffersize;
-	mgr->maxbuffers = maxbuffers;
-	UNLOCK(&mgr->buffer_lock);
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	isc_mempool_destroy(&mgr->bpool);
-	if (mgr->spool != NULL)
-		isc_mempool_destroy(&mgr->spool);
-	UNLOCK(&mgr->buffer_lock);
-	return (result);
-}
-
-void
-dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
-	dns_dispatchmgr_t *mgr;
-	isc_boolean_t killit;
-
-	REQUIRE(mgrp != NULL);
-	REQUIRE(VALID_DISPATCHMGR(*mgrp));
-
-	mgr = *mgrp;
-	*mgrp = NULL;
-
-	LOCK(&mgr->lock);
-	mgr->state |= MGR_SHUTTINGDOWN;
-
-	killit = destroy_mgr_ok(mgr);
-	UNLOCK(&mgr->lock);
-
-	mgr_log(mgr, LVL(90), "destroy: killit=%d", killit);
-
-	if (killit)
-		destroy_mgr(&mgr);
-}
-
-void
-dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats) {
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	REQUIRE(ISC_LIST_EMPTY(mgr->list));
-	REQUIRE(mgr->stats == NULL);
-
-	isc_stats_attach(stats, &mgr->stats);
-}
-
-static int
-port_cmp(const void *key, const void *ent) {
-	in_port_t p1 = *(const in_port_t *)key;
-	in_port_t p2 = *(const in_port_t *)ent;
-
-	if (p1 < p2)
-		return (-1);
-	else if (p1 == p2)
-		return (0);
-	else
-		return (1);
-}
-
-static isc_boolean_t
-portavailable(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
-	      isc_sockaddr_t *sockaddrp)
-{
-	isc_sockaddr_t sockaddr;
-	isc_result_t result;
-	in_port_t *ports, port;
-	unsigned int nports;
-	isc_boolean_t available = ISC_FALSE;
-
-	REQUIRE(sock != NULL || sockaddrp != NULL);
-
-	PORTBUFLOCK(mgr);
-	if (sock != NULL) {
-		sockaddrp = &sockaddr;
-		result = isc_socket_getsockname(sock, sockaddrp);
-		if (result != ISC_R_SUCCESS)
-			goto unlock;
-	}
-
-	if (isc_sockaddr_pf(sockaddrp) == AF_INET) {
-		ports = mgr->v4ports;
-		nports = mgr->nv4ports;
-	} else {
-		ports = mgr->v6ports;
-		nports = mgr->nv6ports;
-	}
-	if (ports == NULL)
-		goto unlock;
-
-	port = isc_sockaddr_getport(sockaddrp);
-	if (bsearch(&port, ports, nports, sizeof(in_port_t), port_cmp) != NULL)
-		available = ISC_TRUE;
-
-unlock:
-	PORTBUFUNLOCK(mgr);
-	return (available);
-}
-
-#define ATTRMATCH(_a1, _a2, _mask) (((_a1) & (_mask)) == ((_a2) & (_mask)))
-
-static isc_boolean_t
-local_addr_match(dns_dispatch_t *disp, isc_sockaddr_t *addr) {
-	isc_sockaddr_t sockaddr;
-	isc_result_t result;
-
-	REQUIRE(disp->socket != NULL);
-
-	if (addr == NULL)
-		return (ISC_TRUE);
-
-	/*
-	 * Don't match wildcard ports unless the port is available in the
-	 * current configuration.
-	 */
-	if (isc_sockaddr_getport(addr) == 0 &&
-	    isc_sockaddr_getport(&disp->local) == 0 &&
-	    !portavailable(disp->mgr, disp->socket, NULL)) {
-		return (ISC_FALSE);
-	}
-
-	/*
-	 * Check if we match the binding <address,port>.
-	 * Wildcard ports match/fail here.
-	 */
-	if (isc_sockaddr_equal(&disp->local, addr))
-		return (ISC_TRUE);
-	if (isc_sockaddr_getport(addr) == 0)
-		return (ISC_FALSE);
-
-	/*
-	 * Check if we match a bound wildcard port <address,port>.
-	 */
-	if (!isc_sockaddr_eqaddr(&disp->local, addr))
-		return (ISC_FALSE);
-	result = isc_socket_getsockname(disp->socket, &sockaddr);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-
-	return (isc_sockaddr_equal(&sockaddr, addr));
-}
-
-/*
- * Requires mgr be locked.
- *
- * No dispatcher can be locked by this thread when calling this function.
- *
- *
- * NOTE:
- *	If a matching dispatcher is found, it is locked after this function
- *	returns, and must be unlocked by the caller.
- */
-static isc_result_t
-dispatch_find(dns_dispatchmgr_t *mgr, isc_sockaddr_t *local,
-	      unsigned int attributes, unsigned int mask,
-	      dns_dispatch_t **dispp)
-{
-	dns_dispatch_t *disp;
-	isc_result_t result;
-
-	/*
-	 * Make certain that we will not match a private or exclusive dispatch.
-	 */
-	attributes &= ~(DNS_DISPATCHATTR_PRIVATE|DNS_DISPATCHATTR_EXCLUSIVE);
-	mask |= (DNS_DISPATCHATTR_PRIVATE|DNS_DISPATCHATTR_EXCLUSIVE);
-
-	disp = ISC_LIST_HEAD(mgr->list);
-	while (disp != NULL) {
-		LOCK(&disp->lock);
-		if ((disp->shutting_down == 0)
-		    && ATTRMATCH(disp->attributes, attributes, mask)
-		    && local_addr_match(disp, local))
-			break;
-		UNLOCK(&disp->lock);
-		disp = ISC_LIST_NEXT(disp, link);
-	}
-
-	if (disp == NULL) {
-		result = ISC_R_NOTFOUND;
-		goto out;
-	}
-
-	*dispp = disp;
-	result = ISC_R_SUCCESS;
- out:
-
-	return (result);
-}
-
-static isc_result_t
-qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
-	     unsigned int increment, dns_qid_t **qidp,
-	     isc_boolean_t needsocktable)
-{
-	dns_qid_t *qid;
-	unsigned int i;
-	isc_result_t result;
-
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	REQUIRE(buckets < 2097169);  /* next prime > 65536 * 32 */
-	REQUIRE(increment > buckets);
-	REQUIRE(qidp != NULL && *qidp == NULL);
-
-	qid = isc_mem_get(mgr->mctx, sizeof(*qid));
-	if (qid == NULL)
-		return (ISC_R_NOMEMORY);
-
-	qid->qid_table = isc_mem_get(mgr->mctx,
-				     buckets * sizeof(dns_displist_t));
-	if (qid->qid_table == NULL) {
-		isc_mem_put(mgr->mctx, qid, sizeof(*qid));
-		return (ISC_R_NOMEMORY);
-	}
-
-	qid->sock_table = NULL;
-	if (needsocktable) {
-		qid->sock_table = isc_mem_get(mgr->mctx, buckets *
-					      sizeof(dispsocketlist_t));
-		if (qid->sock_table == NULL) {
-			isc_mem_put(mgr->mctx, qid->qid_table,
-				    buckets * sizeof(dns_displist_t));
-			isc_mem_put(mgr->mctx, qid, sizeof(*qid));
-			return (ISC_R_NOMEMORY);
-		}
-	}
-
-	result = isc_mutex_init(&qid->lock);
-	if (result != ISC_R_SUCCESS) {
-		if (qid->sock_table != NULL) {
-			isc_mem_put(mgr->mctx, qid->sock_table,
-				    buckets * sizeof(dispsocketlist_t));
-		}
-		isc_mem_put(mgr->mctx, qid->qid_table,
-			    buckets * sizeof(dns_displist_t));
-		isc_mem_put(mgr->mctx, qid, sizeof(*qid));
-		return (result);
-	}
-
-	for (i = 0; i < buckets; i++) {
-		ISC_LIST_INIT(qid->qid_table[i]);
-		if (qid->sock_table != NULL)
-			ISC_LIST_INIT(qid->sock_table[i]);
-	}
-
-	qid->qid_nbuckets = buckets;
-	qid->qid_increment = increment;
-	qid->magic = QID_MAGIC;
-	*qidp = qid;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp) {
-	dns_qid_t *qid;
-
-	REQUIRE(qidp != NULL);
-	qid = *qidp;
-
-	REQUIRE(VALID_QID(qid));
-
-	*qidp = NULL;
-	qid->magic = 0;
-	isc_mem_put(mctx, qid->qid_table,
-		    qid->qid_nbuckets * sizeof(dns_displist_t));
-	if (qid->sock_table != NULL) {
-		isc_mem_put(mctx, qid->sock_table,
-			    qid->qid_nbuckets * sizeof(dispsocketlist_t));
-	}
-	DESTROYLOCK(&qid->lock);
-	isc_mem_put(mctx, qid, sizeof(*qid));
-}
-
-/*
- * Allocate and set important limits.
- */
-static isc_result_t
-dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
-		  dns_dispatch_t **dispp)
-{
-	dns_dispatch_t *disp;
-	isc_result_t result;
-
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	REQUIRE(dispp != NULL && *dispp == NULL);
-
-	/*
-	 * Set up the dispatcher, mostly.  Don't bother setting some of
-	 * the options that are controlled by tcp vs. udp, etc.
-	 */
-
-	disp = isc_mempool_get(mgr->dpool);
-	if (disp == NULL)
-		return (ISC_R_NOMEMORY);
-
-	disp->magic = 0;
-	disp->mgr = mgr;
-	disp->maxrequests = maxrequests;
-	disp->attributes = 0;
-	ISC_LINK_INIT(disp, link);
-	disp->refcount = 1;
-	disp->recv_pending = 0;
-	memset(&disp->local, 0, sizeof(disp->local));
-	disp->localport = 0;
-	disp->shutting_down = 0;
-	disp->shutdown_out = 0;
-	disp->connected = 0;
-	disp->tcpmsg_valid = 0;
-	disp->shutdown_why = ISC_R_UNEXPECTED;
-	disp->requests = 0;
-	disp->tcpbuffers = 0;
-	disp->qid = NULL;
-	ISC_LIST_INIT(disp->activesockets);
-	ISC_LIST_INIT(disp->inactivesockets);
-	disp->nsockets = 0;
-	dispatch_initrandom(&disp->arc4ctx, mgr->entropy, NULL);
-	disp->port_table = NULL;
-	disp->portpool = NULL;
-
-	result = isc_mutex_init(&disp->lock);
-	if (result != ISC_R_SUCCESS)
-		goto deallocate;
-
-	disp->failsafe_ev = allocate_devent(disp);
-	if (disp->failsafe_ev == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto kill_lock;
-	}
-
-	disp->magic = DISPATCH_MAGIC;
-
-	*dispp = disp;
-	return (ISC_R_SUCCESS);
-
-	/*
-	 * error returns
-	 */
- kill_lock:
-	DESTROYLOCK(&disp->lock);
- deallocate:
-	isc_mempool_put(mgr->dpool, disp);
-
-	return (result);
-}
-
-
-/*
- * MUST be unlocked, and not used by anything.
- */
-static void
-dispatch_free(dns_dispatch_t **dispp)
-{
-	dns_dispatch_t *disp;
-	dns_dispatchmgr_t *mgr;
-	int i;
-
-	REQUIRE(VALID_DISPATCH(*dispp));
-	disp = *dispp;
-	*dispp = NULL;
-
-	mgr = disp->mgr;
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-
-	if (disp->tcpmsg_valid) {
-		dns_tcpmsg_invalidate(&disp->tcpmsg);
-		disp->tcpmsg_valid = 0;
-	}
-
-	INSIST(disp->tcpbuffers == 0);
-	INSIST(disp->requests == 0);
-	INSIST(disp->recv_pending == 0);
-	INSIST(ISC_LIST_EMPTY(disp->activesockets));
-	INSIST(ISC_LIST_EMPTY(disp->inactivesockets));
-
-	isc_mempool_put(mgr->depool, disp->failsafe_ev);
-	disp->failsafe_ev = NULL;
-
-	if (disp->qid != NULL)
-		qid_destroy(mgr->mctx, &disp->qid);
-
-	if (disp->port_table != NULL) {
-		for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++)
-			INSIST(ISC_LIST_EMPTY(disp->port_table[i]));
-		isc_mem_put(mgr->mctx, disp->port_table,
-			    sizeof(disp->port_table[0]) *
-			    DNS_DISPATCH_PORTTABLESIZE);
-	}
-
-	if (disp->portpool != NULL)
-		isc_mempool_destroy(&disp->portpool);
-
-	disp->mgr = NULL;
-	DESTROYLOCK(&disp->lock);
-	disp->magic = 0;
-	isc_mempool_put(mgr->dpool, disp);
-}
-
-isc_result_t
-dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
-		       isc_taskmgr_t *taskmgr, unsigned int buffersize,
-		       unsigned int maxbuffers, unsigned int maxrequests,
-		       unsigned int buckets, unsigned int increment,
-		       unsigned int attributes, dns_dispatch_t **dispp)
-{
-	isc_result_t result;
-	dns_dispatch_t *disp;
-
-	UNUSED(maxbuffers);
-	UNUSED(buffersize);
-
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	REQUIRE(isc_socket_gettype(sock) == isc_sockettype_tcp);
-	REQUIRE((attributes & DNS_DISPATCHATTR_TCP) != 0);
-	REQUIRE((attributes & DNS_DISPATCHATTR_UDP) == 0);
-
-	attributes |= DNS_DISPATCHATTR_PRIVATE;  /* XXXMLG */
-
-	LOCK(&mgr->lock);
-
-	/*
-	 * dispatch_allocate() checks mgr for us.
-	 * qid_allocate() checks buckets and increment for us.
-	 */
-	disp = NULL;
-	result = dispatch_allocate(mgr, maxrequests, &disp);
-	if (result != ISC_R_SUCCESS) {
-		UNLOCK(&mgr->lock);
-		return (result);
-	}
-
-	result = qid_allocate(mgr, buckets, increment, &disp->qid, ISC_FALSE);
-	if (result != ISC_R_SUCCESS)
-		goto deallocate_dispatch;
-
-	disp->socktype = isc_sockettype_tcp;
-	disp->socket = NULL;
-	isc_socket_attach(sock, &disp->socket);
-
-	disp->sepool = NULL;
-
-	disp->ntasks = 1;
-	disp->task[0] = NULL;
-	result = isc_task_create(taskmgr, 0, &disp->task[0]);
-	if (result != ISC_R_SUCCESS)
-		goto kill_socket;
-
-	disp->ctlevent = isc_event_allocate(mgr->mctx, disp,
-					    DNS_EVENT_DISPATCHCONTROL,
-					    destroy_disp, disp,
-					    sizeof(isc_event_t));
-	if (disp->ctlevent == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto kill_task;
-	}
-
-	isc_task_setname(disp->task[0], "tcpdispatch", disp);
-
-	dns_tcpmsg_init(mgr->mctx, disp->socket, &disp->tcpmsg);
-	disp->tcpmsg_valid = 1;
-
-	disp->attributes = attributes;
-
-	/*
-	 * Append it to the dispatcher list.
-	 */
-	ISC_LIST_APPEND(mgr->list, disp, link);
-	UNLOCK(&mgr->lock);
-
-	mgr_log(mgr, LVL(90), "created TCP dispatcher %p", disp);
-	dispatch_log(disp, LVL(90), "created task %p", disp->task[0]);
-
-	*dispp = disp;
-
-	return (ISC_R_SUCCESS);
-
-	/*
-	 * Error returns.
-	 */
- kill_task:
-	isc_task_detach(&disp->task[0]);
- kill_socket:
-	isc_socket_detach(&disp->socket);
- deallocate_dispatch:
-	dispatch_free(&disp);
-
-	UNLOCK(&mgr->lock);
-
-	return (result);
-}
-
-isc_result_t
-dns_dispatch_getudp_dup(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
-		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
-		    unsigned int buffersize,
-		    unsigned int maxbuffers, unsigned int maxrequests,
-		    unsigned int buckets, unsigned int increment,
-		    unsigned int attributes, unsigned int mask,
-		    dns_dispatch_t **dispp, dns_dispatch_t *dup_dispatch)
-{
-	isc_result_t result;
-	dns_dispatch_t *disp = NULL;
-
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-	REQUIRE(sockmgr != NULL);
-	REQUIRE(localaddr != NULL);
-	REQUIRE(taskmgr != NULL);
-	REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
-	REQUIRE(maxbuffers > 0);
-	REQUIRE(buckets < 2097169);  /* next prime > 65536 * 32 */
-	REQUIRE(increment > buckets);
-	REQUIRE(dispp != NULL && *dispp == NULL);
-	REQUIRE((attributes & DNS_DISPATCHATTR_TCP) == 0);
-
-	result = dns_dispatchmgr_setudp(mgr, buffersize, maxbuffers,
-					maxrequests, buckets, increment);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	LOCK(&mgr->lock);
-
-	if ((attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
-		REQUIRE(isc_sockaddr_getport(localaddr) == 0);
-		goto createudp;
-	}
-
-	/*
-	 * See if we have a dispatcher that matches.
-	 */
-	if (dup_dispatch == NULL) {
-		result = dispatch_find(mgr, localaddr, attributes, mask, &disp);
-		if (result == ISC_R_SUCCESS) {
-			disp->refcount++;
-
-			if (disp->maxrequests < maxrequests)
-				disp->maxrequests = maxrequests;
-
-			if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) == 0
-			    && (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
-			{
-				disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
-				if (disp->recv_pending != 0)
-					isc_socket_cancel(disp->socket,
-							  disp->task[0],
-							  ISC_SOCKCANCEL_RECV);
-			}
-
-			UNLOCK(&disp->lock);
-			UNLOCK(&mgr->lock);
-
-			*dispp = disp;
-
-			return (ISC_R_SUCCESS);
-		}
-	}
-
- createudp:
-	/*
-	 * Nope, create one.
-	 */
-	result = dispatch_createudp(mgr, sockmgr, taskmgr, localaddr,
-				    maxrequests, attributes, &disp,
-				    dup_dispatch == NULL
-					    ? NULL
-					    : dup_dispatch->socket);
-
-	if (result != ISC_R_SUCCESS) {
-		UNLOCK(&mgr->lock);
-		return (result);
-	}
-
-	UNLOCK(&mgr->lock);
-	*dispp = disp;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
-		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
-		    unsigned int buffersize,
-		    unsigned int maxbuffers, unsigned int maxrequests,
-		    unsigned int buckets, unsigned int increment,
-		    unsigned int attributes, unsigned int mask,
-		    dns_dispatch_t **dispp)
-{
-	return (dns_dispatch_getudp_dup(mgr, sockmgr, taskmgr, localaddr,
-					buffersize, maxbuffers, maxrequests,
-					buckets, increment, attributes,
-					mask, dispp, NULL));
-}
-
-/*
- * mgr should be locked.
- */
-
-#ifndef DNS_DISPATCH_HELD
-#define DNS_DISPATCH_HELD 20U
-#endif
-
-static isc_result_t
-get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp,
-	      isc_socketmgr_t *sockmgr, isc_sockaddr_t *localaddr,
-	      isc_socket_t **sockp, isc_socket_t *dup_socket)
-{
-	unsigned int i, j;
-	isc_socket_t *held[DNS_DISPATCH_HELD];
-	isc_sockaddr_t localaddr_bound;
-	isc_socket_t *sock = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t anyport;
-
-	INSIST(sockp != NULL && *sockp == NULL);
-
-	localaddr_bound = *localaddr;
-	anyport = ISC_TF(isc_sockaddr_getport(localaddr) == 0);
-
-	if (anyport) {
-		unsigned int nports;
-		in_port_t *ports;
-
-		/*
-		 * If no port is specified, we first try to pick up a random
-		 * port by ourselves.
-		 */
-		if (isc_sockaddr_pf(localaddr) == AF_INET) {
-			nports = disp->mgr->nv4ports;
-			ports = disp->mgr->v4ports;
-		} else {
-			nports = disp->mgr->nv6ports;
-			ports = disp->mgr->v6ports;
-		}
-		if (nports == 0)
-			return (ISC_R_ADDRNOTAVAIL);
-
-		for (i = 0; i < 1024; i++) {
-			in_port_t prt;
-
-			prt = ports[dispatch_uniformrandom(
-					DISP_ARC4CTX(disp),
-					nports)];
-			isc_sockaddr_setport(&localaddr_bound, prt);
-			result = open_socket(sockmgr, &localaddr_bound,
-					     0, &sock, NULL);
-			/*
-			 * Continue if the port choosen is already in use
-			 * or the OS has reserved it.
-			 */
-			if (result == ISC_R_NOPERM ||
-			    result == ISC_R_ADDRINUSE)
-				continue;
-			disp->localport = prt;
-			*sockp = sock;
-			return (result);
-		}
-
-		/*
-		 * If this fails 1024 times, we then ask the kernel for
-		 * choosing one.
-		 */
-	} else {
-		/* Allow to reuse address for non-random ports. */
-		result = open_socket(sockmgr, localaddr,
-				     ISC_SOCKET_REUSEADDRESS, &sock,
-				     dup_socket);
-
-		if (result == ISC_R_SUCCESS)
-			*sockp = sock;
-
-		return (result);
-	}
-
-	memset(held, 0, sizeof(held));
-	i = 0;
-
-	for (j = 0; j < 0xffffU; j++) {
-		result = open_socket(sockmgr, localaddr, 0, &sock, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto end;
-		else if (portavailable(mgr, sock, NULL))
-			break;
-		if (held[i] != NULL)
-			isc_socket_detach(&held[i]);
-		held[i++] = sock;
-		sock = NULL;
-		if (i == DNS_DISPATCH_HELD)
-			i = 0;
-	}
-	if (j == 0xffffU) {
-		mgr_log(mgr, ISC_LOG_ERROR,
-			"avoid-v%s-udp-ports: unable to allocate "
-			"an available port",
-			isc_sockaddr_pf(localaddr) == AF_INET ? "4" : "6");
-		result = ISC_R_FAILURE;
-		goto end;
-	}
-	*sockp = sock;
-
-end:
-	for (i = 0; i < DNS_DISPATCH_HELD; i++) {
-		if (held[i] != NULL)
-			isc_socket_detach(&held[i]);
-	}
-
-	return (result);
-}
-
-static isc_result_t
-dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
-		   isc_taskmgr_t *taskmgr,
-		   isc_sockaddr_t *localaddr,
-		   unsigned int maxrequests,
-		   unsigned int attributes,
-		   dns_dispatch_t **dispp,
-		   isc_socket_t *dup_socket)
-{
-	isc_result_t result;
-	dns_dispatch_t *disp;
-	isc_socket_t *sock = NULL;
-	int i = 0;
-
-	/*
-	 * dispatch_allocate() checks mgr for us.
-	 */
-	disp = NULL;
-	result = dispatch_allocate(mgr, maxrequests, &disp);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if ((attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0) {
-		result = get_udpsocket(mgr, disp, sockmgr, localaddr, &sock,
-				       dup_socket);
-		if (result != ISC_R_SUCCESS)
-			goto deallocate_dispatch;
-
-		if (isc_log_wouldlog(dns_lctx, 90)) {
-			char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
-			isc_sockaddr_format(localaddr, addrbuf,
-					    ISC_SOCKADDR_FORMATSIZE);
-			mgr_log(mgr, LVL(90), "dns_dispatch_createudp: Created"
-				" UDP dispatch for %s with socket fd %d\n",
-				addrbuf, isc_socket_getfd(sock));
-		}
-
-	} else {
-		isc_sockaddr_t sa_any;
-
-		/*
-		 * For dispatches using exclusive sockets with a specific
-		 * source address, we only check if the specified address is
-		 * available on the system.  Query sockets will be created later
-		 * on demand.
-		 */
-		isc_sockaddr_anyofpf(&sa_any, isc_sockaddr_pf(localaddr));
-		if (!isc_sockaddr_eqaddr(&sa_any, localaddr)) {
-			result = open_socket(sockmgr, localaddr, 0, &sock, NULL);
-			if (sock != NULL)
-				isc_socket_detach(&sock);
-			if (result != ISC_R_SUCCESS)
-				goto deallocate_dispatch;
-		}
-
-		disp->port_table = isc_mem_get(mgr->mctx,
-					       sizeof(disp->port_table[0]) *
-					       DNS_DISPATCH_PORTTABLESIZE);
-		if (disp->port_table == NULL)
-			goto deallocate_dispatch;
-		for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++)
-			ISC_LIST_INIT(disp->port_table[i]);
-
-		result = isc_mempool_create(mgr->mctx, sizeof(dispportentry_t),
-					    &disp->portpool);
-		if (result != ISC_R_SUCCESS)
-			goto deallocate_dispatch;
-		isc_mempool_setname(disp->portpool, "disp_portpool");
-		isc_mempool_setfreemax(disp->portpool, 128);
-	}
-	disp->socktype = isc_sockettype_udp;
-	disp->socket = sock;
-	disp->local = *localaddr;
-
-	if ((attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0)
-		disp->ntasks = MAX_INTERNAL_TASKS;
-	else
-		disp->ntasks = 1;
-	for (i = 0; i < disp->ntasks; i++) {
-		disp->task[i] = NULL;
-		result = isc_task_create(taskmgr, 0, &disp->task[i]);
-		if (result != ISC_R_SUCCESS) {
-			while (--i >= 0) {
-				isc_task_shutdown(disp->task[i]);
-				isc_task_detach(&disp->task[i]);
-			}
-			goto kill_socket;
-		}
-		isc_task_setname(disp->task[i], "udpdispatch", disp);
-	}
-
-	disp->ctlevent = isc_event_allocate(mgr->mctx, disp,
-					    DNS_EVENT_DISPATCHCONTROL,
-					    destroy_disp, disp,
-					    sizeof(isc_event_t));
-	if (disp->ctlevent == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto kill_task;
-	}
-
-	disp->sepool = NULL;
-	if (isc_mempool_create(mgr->mctx, sizeof(isc_socketevent_t),
-			       &disp->sepool) != ISC_R_SUCCESS)
-	{
-		result = ISC_R_NOMEMORY;
-		goto kill_ctlevent;
-	}
-
-	result = isc_mutex_init(&disp->sepool_lock);
-	if (result != ISC_R_SUCCESS)
-		goto kill_sepool;
-
-	isc_mempool_setname(disp->sepool, "disp_sepool");
-	isc_mempool_setmaxalloc(disp->sepool, 32768);
-	isc_mempool_setfreemax(disp->sepool, 32768);
-	isc_mempool_associatelock(disp->sepool, &disp->sepool_lock);
-	isc_mempool_setfillcount(disp->sepool, 16);
-
-	attributes &= ~DNS_DISPATCHATTR_TCP;
-	attributes |= DNS_DISPATCHATTR_UDP;
-	disp->attributes = attributes;
-
-	/*
-	 * Append it to the dispatcher list.
-	 */
-	ISC_LIST_APPEND(mgr->list, disp, link);
-
-	mgr_log(mgr, LVL(90), "created UDP dispatcher %p", disp);
-	dispatch_log(disp, LVL(90), "created task %p", disp->task[0]); /* XXX */
-	if (disp->socket != NULL)
-		dispatch_log(disp, LVL(90), "created socket %p", disp->socket);
-
-	*dispp = disp;
-
-	return (result);
-
-	/*
-	 * Error returns.
-	 */
- kill_sepool:
-	isc_mempool_destroy(&disp->sepool);
- kill_ctlevent:
-	isc_event_free(&disp->ctlevent);
- kill_task:
-	for (i = 0; i < disp->ntasks; i++)
-		isc_task_detach(&disp->task[i]);
- kill_socket:
-	if (disp->socket != NULL)
-		isc_socket_detach(&disp->socket);
- deallocate_dispatch:
-	dispatch_free(&disp);
-
-	return (result);
-}
-
-void
-dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp) {
-	REQUIRE(VALID_DISPATCH(disp));
-	REQUIRE(dispp != NULL && *dispp == NULL);
-
-	LOCK(&disp->lock);
-	disp->refcount++;
-	UNLOCK(&disp->lock);
-
-	*dispp = disp;
-}
-
-/*
- * It is important to lock the manager while we are deleting the dispatch,
- * since dns_dispatch_getudp will call dispatch_find, which returns to
- * the caller a dispatch but does not attach to it until later.  _getudp
- * locks the manager, however, so locking it here will keep us from attaching
- * to a dispatcher that is in the process of going away.
- */
-void
-dns_dispatch_detach(dns_dispatch_t **dispp) {
-	dns_dispatch_t *disp;
-	dispsocket_t *dispsock;
-	isc_boolean_t killit;
-
-	REQUIRE(dispp != NULL && VALID_DISPATCH(*dispp));
-
-	disp = *dispp;
-	*dispp = NULL;
-
-	LOCK(&disp->lock);
-
-	INSIST(disp->refcount > 0);
-	disp->refcount--;
-	if (disp->refcount == 0) {
-		if (disp->recv_pending > 0)
-			isc_socket_cancel(disp->socket, disp->task[0],
-					  ISC_SOCKCANCEL_RECV);
-		for (dispsock = ISC_LIST_HEAD(disp->activesockets);
-		     dispsock != NULL;
-		     dispsock = ISC_LIST_NEXT(dispsock, link)) {
-			isc_socket_cancel(dispsock->socket, dispsock->task,
-					  ISC_SOCKCANCEL_RECV);
-		}
-		disp->shutting_down = 1;
-	}
-
-	dispatch_log(disp, LVL(90), "detach: refcount %d", disp->refcount);
-
-	killit = destroy_disp_ok(disp);
-	UNLOCK(&disp->lock);
-	if (killit)
-		isc_task_send(disp->task[0], &disp->ctlevent);
-}
-
-isc_result_t
-dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
-			  isc_task_t *task, isc_taskaction_t action, void *arg,
-			  dns_messageid_t *idp, dns_dispentry_t **resp,
-			  isc_socketmgr_t *sockmgr)
-{
-	dns_dispentry_t *res;
-	unsigned int bucket;
-	in_port_t localport = 0;
-	dns_messageid_t id;
-	int i;
-	isc_boolean_t ok;
-	dns_qid_t *qid;
-	dispsocket_t *dispsocket = NULL;
-	isc_result_t result;
-
-	REQUIRE(VALID_DISPATCH(disp));
-	REQUIRE(task != NULL);
-	REQUIRE(dest != NULL);
-	REQUIRE(resp != NULL && *resp == NULL);
-	REQUIRE(idp != NULL);
-	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0)
-		REQUIRE(sockmgr != NULL);
-
-	LOCK(&disp->lock);
-
-	if (disp->shutting_down == 1) {
-		UNLOCK(&disp->lock);
-		return (ISC_R_SHUTTINGDOWN);
-	}
-
-	if (disp->requests >= disp->maxrequests) {
-		UNLOCK(&disp->lock);
-		return (ISC_R_QUOTA);
-	}
-
-	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0 &&
-	    disp->nsockets > DNS_DISPATCH_SOCKSQUOTA) {
-		dispsocket_t *oldestsocket;
-		dns_dispentry_t *oldestresp;
-		dns_dispatchevent_t *rev;
-
-		/*
-		 * Kill oldest outstanding query if the number of sockets
-		 * exceeds the quota to keep the room for new queries.
-		 */
-		oldestsocket = ISC_LIST_HEAD(disp->activesockets);
-		oldestresp = oldestsocket->resp;
-		if (oldestresp != NULL && !oldestresp->item_out) {
-			rev = allocate_devent(oldestresp->disp);
-			if (rev != NULL) {
-				rev->buffer.base = NULL;
-				rev->result = ISC_R_CANCELED;
-				rev->id = oldestresp->id;
-				ISC_EVENT_INIT(rev, sizeof(*rev), 0,
-					       NULL, DNS_EVENT_DISPATCH,
-					       oldestresp->action,
-					       oldestresp->arg, oldestresp,
-					       NULL, NULL);
-				oldestresp->item_out = ISC_TRUE;
-				isc_task_send(oldestresp->task,
-					      ISC_EVENT_PTR(&rev));
-				inc_stats(disp->mgr,
-					  dns_resstatscounter_dispabort);
-			}
-		}
-
-		/*
-		 * Move this entry to the tail so that it won't (easily) be
-		 * examined before actually being canceled.
-		 */
-		ISC_LIST_UNLINK(disp->activesockets, oldestsocket, link);
-		ISC_LIST_APPEND(disp->activesockets, oldestsocket, link);
-	}
-
-	qid = DNS_QID(disp);
-
-	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
-		/*
-		 * Get a separate UDP socket with a random port number.
-		 */
-		result = get_dispsocket(disp, dest, sockmgr, &dispsocket,
-					&localport);
-		if (result != ISC_R_SUCCESS) {
-			UNLOCK(&disp->lock);
-			inc_stats(disp->mgr, dns_resstatscounter_dispsockfail);
-			return (result);
-		}
-	} else {
-		localport = disp->localport;
-	}
-
-	/*
-	 * Try somewhat hard to find an unique ID.
-	 */
-	LOCK(&qid->lock);
-	id = (dns_messageid_t)dispatch_random(DISP_ARC4CTX(disp));
-	bucket = dns_hash(qid, dest, id, localport);
-	ok = ISC_FALSE;
-	for (i = 0; i < 64; i++) {
-		if (entry_search(qid, dest, id, localport, bucket) == NULL) {
-			ok = ISC_TRUE;
-			break;
-		}
-		id += qid->qid_increment;
-		id &= 0x0000ffff;
-		bucket = dns_hash(qid, dest, id, localport);
-	}
-	UNLOCK(&qid->lock);
-
-	if (!ok) {
-		UNLOCK(&disp->lock);
-		return (ISC_R_NOMORE);
-	}
-
-	res = isc_mempool_get(disp->mgr->rpool);
-	if (res == NULL) {
-		UNLOCK(&disp->lock);
-		if (dispsocket != NULL)
-			destroy_dispsocket(disp, &dispsocket);
-		return (ISC_R_NOMEMORY);
-	}
-
-	disp->refcount++;
-	disp->requests++;
-	res->task = NULL;
-	isc_task_attach(task, &res->task);
-	res->disp = disp;
-	res->id = id;
-	res->port = localport;
-	res->bucket = bucket;
-	res->host = *dest;
-	res->action = action;
-	res->arg = arg;
-	res->dispsocket = dispsocket;
-	if (dispsocket != NULL)
-		dispsocket->resp = res;
-	res->item_out = ISC_FALSE;
-	ISC_LIST_INIT(res->items);
-	ISC_LINK_INIT(res, link);
-	res->magic = RESPONSE_MAGIC;
-
-	LOCK(&qid->lock);
-	ISC_LIST_APPEND(qid->qid_table[bucket], res, link);
-	UNLOCK(&qid->lock);
-
-	request_log(disp, res, LVL(90),
-		    "attached to task %p", res->task);
-
-	if (((disp->attributes & DNS_DISPATCHATTR_UDP) != 0) ||
-	    ((disp->attributes & DNS_DISPATCHATTR_CONNECTED) != 0)) {
-		result = startrecv(disp, dispsocket);
-		if (result != ISC_R_SUCCESS) {
-			LOCK(&qid->lock);
-			ISC_LIST_UNLINK(qid->qid_table[bucket], res, link);
-			UNLOCK(&qid->lock);
-
-			if (dispsocket != NULL)
-				destroy_dispsocket(disp, &dispsocket);
-
-			disp->refcount--;
-			disp->requests--;
-
-			UNLOCK(&disp->lock);
-			isc_task_detach(&res->task);
-			isc_mempool_put(disp->mgr->rpool, res);
-			return (result);
-		}
-	}
-
-	if (dispsocket != NULL)
-		ISC_LIST_APPEND(disp->activesockets, dispsocket, link);
-
-	UNLOCK(&disp->lock);
-
-	*idp = id;
-	*resp = res;
-
-	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0)
-		INSIST(res->dispsocket != NULL);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
-			 isc_task_t *task, isc_taskaction_t action, void *arg,
-			 dns_messageid_t *idp, dns_dispentry_t **resp)
-{
-	REQUIRE(VALID_DISPATCH(disp));
-	REQUIRE((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0);
-
-	return (dns_dispatch_addresponse2(disp, dest, task, action, arg,
-					  idp, resp, NULL));
-}
-
-void
-dns_dispatch_starttcp(dns_dispatch_t *disp) {
-
-	REQUIRE(VALID_DISPATCH(disp));
-
-	dispatch_log(disp, LVL(90), "starttcp %p", disp->task[0]);
-
-	LOCK(&disp->lock);
-	disp->attributes |= DNS_DISPATCHATTR_CONNECTED;
-	(void)startrecv(disp, NULL);
-	UNLOCK(&disp->lock);
-}
-
-void
-dns_dispatch_removeresponse(dns_dispentry_t **resp,
-			    dns_dispatchevent_t **sockevent)
-{
-	dns_dispatchmgr_t *mgr;
-	dns_dispatch_t *disp;
-	dns_dispentry_t *res;
-	dispsocket_t *dispsock;
-	dns_dispatchevent_t *ev;
-	unsigned int bucket;
-	isc_boolean_t killit;
-	unsigned int n;
-	isc_eventlist_t events;
-	dns_qid_t *qid;
-
-	REQUIRE(resp != NULL);
-	REQUIRE(VALID_RESPONSE(*resp));
-
-	res = *resp;
-	*resp = NULL;
-
-	disp = res->disp;
-	REQUIRE(VALID_DISPATCH(disp));
-	mgr = disp->mgr;
-	REQUIRE(VALID_DISPATCHMGR(mgr));
-
-	qid = DNS_QID(disp);
-
-	if (sockevent != NULL) {
-		REQUIRE(*sockevent != NULL);
-		ev = *sockevent;
-		*sockevent = NULL;
-	} else {
-		ev = NULL;
-	}
-
-	LOCK(&disp->lock);
-
-	INSIST(disp->requests > 0);
-	disp->requests--;
-	INSIST(disp->refcount > 0);
-	disp->refcount--;
-	if (disp->refcount == 0) {
-		if (disp->recv_pending > 0)
-			isc_socket_cancel(disp->socket, disp->task[0],
-					  ISC_SOCKCANCEL_RECV);
-		for (dispsock = ISC_LIST_HEAD(disp->activesockets);
-		     dispsock != NULL;
-		     dispsock = ISC_LIST_NEXT(dispsock, link)) {
-			isc_socket_cancel(dispsock->socket, dispsock->task,
-					  ISC_SOCKCANCEL_RECV);
-		}
-		disp->shutting_down = 1;
-	}
-
-	bucket = res->bucket;
-
-	LOCK(&qid->lock);
-	ISC_LIST_UNLINK(qid->qid_table[bucket], res, link);
-	UNLOCK(&qid->lock);
-
-	if (ev == NULL && res->item_out) {
-		/*
-		 * We've posted our event, but the caller hasn't gotten it
-		 * yet.  Take it back.
-		 */
-		ISC_LIST_INIT(events);
-		n = isc_task_unsend(res->task, res, DNS_EVENT_DISPATCH,
-				    NULL, &events);
-		/*
-		 * We had better have gotten it back.
-		 */
-		INSIST(n == 1);
-		ev = (dns_dispatchevent_t *)ISC_LIST_HEAD(events);
-	}
-
-	if (ev != NULL) {
-		REQUIRE(res->item_out == ISC_TRUE);
-		res->item_out = ISC_FALSE;
-		if (ev->buffer.base != NULL)
-			free_buffer(disp, ev->buffer.base, ev->buffer.length);
-		free_devent(disp, ev);
-	}
-
-	request_log(disp, res, LVL(90), "detaching from task %p", res->task);
-	isc_task_detach(&res->task);
-
-	if (res->dispsocket != NULL) {
-		isc_socket_cancel(res->dispsocket->socket,
-				  res->dispsocket->task, ISC_SOCKCANCEL_RECV);
-		res->dispsocket->resp = NULL;
-	}
-
-	/*
-	 * Free any buffered requests as well
-	 */
-	ev = ISC_LIST_HEAD(res->items);
-	while (ev != NULL) {
-		ISC_LIST_UNLINK(res->items, ev, ev_link);
-		if (ev->buffer.base != NULL)
-			free_buffer(disp, ev->buffer.base, ev->buffer.length);
-		free_devent(disp, ev);
-		ev = ISC_LIST_HEAD(res->items);
-	}
-	res->magic = 0;
-	isc_mempool_put(disp->mgr->rpool, res);
-	if (disp->shutting_down == 1)
-		do_cancel(disp);
-	else
-		(void)startrecv(disp, NULL);
-
-	killit = destroy_disp_ok(disp);
-	UNLOCK(&disp->lock);
-	if (killit)
-		isc_task_send(disp->task[0], &disp->ctlevent);
-}
-
-static void
-do_cancel(dns_dispatch_t *disp) {
-	dns_dispatchevent_t *ev;
-	dns_dispentry_t *resp;
-	dns_qid_t *qid;
-
-	if (disp->shutdown_out == 1)
-		return;
-
-	qid = DNS_QID(disp);
-
-	/*
-	 * Search for the first response handler without packets outstanding
-	 * unless a specific hander is given.
-	 */
-	LOCK(&qid->lock);
-	for (resp = linear_first(qid);
-	     resp != NULL && resp->item_out;
-	     /* Empty. */)
-		resp = linear_next(qid, resp);
-
-	/*
-	 * No one to send the cancel event to, so nothing to do.
-	 */
-	if (resp == NULL)
-		goto unlock;
-
-	/*
-	 * Send the shutdown failsafe event to this resp.
-	 */
-	ev = disp->failsafe_ev;
-	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
-		       resp->action, resp->arg, resp, NULL, NULL);
-	ev->result = disp->shutdown_why;
-	ev->buffer.base = NULL;
-	ev->buffer.length = 0;
-	disp->shutdown_out = 1;
-	request_log(disp, resp, LVL(10),
-		    "cancel: failsafe event %p -> task %p",
-		    ev, resp->task);
-	resp->item_out = ISC_TRUE;
-	isc_task_send(resp->task, ISC_EVENT_PTR(&ev));
- unlock:
-	UNLOCK(&qid->lock);
-}
-
-isc_socket_t *
-dns_dispatch_getsocket(dns_dispatch_t *disp) {
-	REQUIRE(VALID_DISPATCH(disp));
-
-	return (disp->socket);
-}
-
-isc_socket_t *
-dns_dispatch_getentrysocket(dns_dispentry_t *resp) {
-	REQUIRE(VALID_RESPONSE(resp));
-
-	if (resp->dispsocket != NULL)
-		return (resp->dispsocket->socket);
-	else
-		return (NULL);
-}
-
-isc_result_t
-dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp) {
-
-	REQUIRE(VALID_DISPATCH(disp));
-	REQUIRE(addrp != NULL);
-
-	if (disp->socktype == isc_sockettype_udp) {
-		*addrp = disp->local;
-		return (ISC_R_SUCCESS);
-	}
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-void
-dns_dispatch_cancel(dns_dispatch_t *disp) {
-	REQUIRE(VALID_DISPATCH(disp));
-
-	LOCK(&disp->lock);
-
-	if (disp->shutting_down == 1) {
-		UNLOCK(&disp->lock);
-		return;
-	}
-
-	disp->shutdown_why = ISC_R_CANCELED;
-	disp->shutting_down = 1;
-	do_cancel(disp);
-
-	UNLOCK(&disp->lock);
-
-	return;
-}
-
-unsigned int
-dns_dispatch_getattributes(dns_dispatch_t *disp) {
-	REQUIRE(VALID_DISPATCH(disp));
-
-	/*
-	 * We don't bother locking disp here; it's the caller's responsibility
-	 * to use only non volatile flags.
-	 */
-	return (disp->attributes);
-}
-
-void
-dns_dispatch_changeattributes(dns_dispatch_t *disp,
-			      unsigned int attributes, unsigned int mask)
-{
-	REQUIRE(VALID_DISPATCH(disp));
-	/* Exclusive attribute can only be set on creation */
-	REQUIRE((attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0);
-	/* Also, a dispatch with randomport specified cannot start listening */
-	REQUIRE((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0 ||
-		(attributes & DNS_DISPATCHATTR_NOLISTEN) == 0);
-
-	/* XXXMLG
-	 * Should check for valid attributes here!
-	 */
-
-	LOCK(&disp->lock);
-
-	if ((mask & DNS_DISPATCHATTR_NOLISTEN) != 0) {
-		if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0 &&
-		    (attributes & DNS_DISPATCHATTR_NOLISTEN) == 0) {
-			disp->attributes &= ~DNS_DISPATCHATTR_NOLISTEN;
-			(void)startrecv(disp, NULL);
-		} else if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN)
-			   == 0 &&
-			   (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0) {
-			disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
-			if (disp->recv_pending != 0)
-				isc_socket_cancel(disp->socket, disp->task[0],
-						  ISC_SOCKCANCEL_RECV);
-		}
-	}
-
-	disp->attributes &= ~mask;
-	disp->attributes |= (attributes & mask);
-	UNLOCK(&disp->lock);
-}
-
-void
-dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) {
-	void *buf;
-	isc_socketevent_t *sevent, *newsevent;
-
-	REQUIRE(VALID_DISPATCH(disp));
-	REQUIRE((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0);
-	REQUIRE(event != NULL);
-
-	sevent = (isc_socketevent_t *)event;
-
-	INSIST(sevent->n <= disp->mgr->buffersize);
-	newsevent = (isc_socketevent_t *)
-		    isc_event_allocate(disp->mgr->mctx, NULL,
-				      DNS_EVENT_IMPORTRECVDONE, udp_shrecv,
-				      disp, sizeof(isc_socketevent_t));
-	if (newsevent == NULL)
-		return;
-
-	buf = allocate_udp_buffer(disp);
-	if (buf == NULL) {
-		isc_event_free(ISC_EVENT_PTR(&newsevent));
-		return;
-	}
-	memcpy(buf, sevent->region.base, sevent->n);
-	newsevent->region.base = buf;
-	newsevent->region.length = disp->mgr->buffersize;
-	newsevent->n = sevent->n;
-	newsevent->result = sevent->result;
-	newsevent->address = sevent->address;
-	newsevent->timestamp = sevent->timestamp;
-	newsevent->pktinfo = sevent->pktinfo;
-	newsevent->attributes = sevent->attributes;
-
-	isc_task_send(disp->task[0], ISC_EVENT_PTR(&newsevent));
-}
-
-dns_dispatch_t *
-dns_dispatchset_get(dns_dispatchset_t *dset) {
-	dns_dispatch_t *disp;
-
-	/* check that dispatch set is configured */
-	if (dset == NULL || dset->ndisp == 0)
-		return (NULL);
-
-	LOCK(&dset->lock);
-	disp = dset->dispatches[dset->cur];
-	dset->cur++;
-	if (dset->cur == dset->ndisp)
-		dset->cur = 0;
-	UNLOCK(&dset->lock);
-
-	return (disp);
-}
-
-isc_result_t
-dns_dispatchset_create(isc_mem_t *mctx, isc_socketmgr_t *sockmgr,
-		       isc_taskmgr_t *taskmgr, dns_dispatch_t *source,
-		       dns_dispatchset_t **dsetp, int n)
-{
-	isc_result_t result;
-	dns_dispatchset_t *dset;
-	dns_dispatchmgr_t *mgr;
-	int i, j;
-
-	REQUIRE(VALID_DISPATCH(source));
-	REQUIRE((source->attributes & DNS_DISPATCHATTR_UDP) != 0);
-	REQUIRE(dsetp != NULL && *dsetp == NULL);
-
-	mgr = source->mgr;
-
-	dset = isc_mem_get(mctx, sizeof(dns_dispatchset_t));
-	if (dset == NULL)
-		return (ISC_R_NOMEMORY);
-	memset(dset, 0, sizeof(*dset));
-
-	result = isc_mutex_init(&dset->lock);
-	if (result != ISC_R_SUCCESS)
-		goto fail_alloc;
-
-	dset->dispatches = isc_mem_get(mctx, sizeof(dns_dispatch_t *) * n);
-	if (dset == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto fail_lock;
-	}
-
-	isc_mem_attach(mctx, &dset->mctx);
-	dset->ndisp = n;
-	dset->cur = 0;
-
-	dset->dispatches[0] = NULL;
-	dns_dispatch_attach(source, &dset->dispatches[0]);
-
-	LOCK(&mgr->lock);
-	for (i = 1; i < n; i++) {
-		dset->dispatches[i] = NULL;
-		result = dispatch_createudp(mgr, sockmgr, taskmgr,
-					    &source->local,
-					    source->maxrequests,
-					    source->attributes,
-					    &dset->dispatches[i],
-					    source->socket);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	}
-
-	UNLOCK(&mgr->lock);
-	*dsetp = dset;
-
-	return (ISC_R_SUCCESS);
-
- fail:
-	UNLOCK(&mgr->lock);
-
-	for (j = 0; j < i; j++)
-		dns_dispatch_detach(&(dset->dispatches[j]));
-	isc_mem_put(mctx, dset->dispatches, sizeof(dns_dispatch_t *) * n);
-	if (dset->mctx == mctx)
-		isc_mem_detach(&dset->mctx);
-
- fail_lock:
-	DESTROYLOCK(&dset->lock);
-
- fail_alloc:
-	isc_mem_put(mctx, dset, sizeof(dns_dispatchset_t));
-	return (result);
-}
-
-void
-dns_dispatchset_cancelall(dns_dispatchset_t *dset, isc_task_t *task) {
-	int i;
-
-	REQUIRE(dset != NULL);
-
-	for (i = 0; i < dset->ndisp; i++) {
-		isc_socket_t *sock;
-		sock = dns_dispatch_getsocket(dset->dispatches[i]);
-		isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
-	}
-}
-
-void
-dns_dispatchset_destroy(dns_dispatchset_t **dsetp) {
-	dns_dispatchset_t *dset;
-	int i;
-
-	REQUIRE(dsetp != NULL && *dsetp != NULL);
-
-	dset = *dsetp;
-	for (i = 0; i < dset->ndisp; i++)
-		dns_dispatch_detach(&(dset->dispatches[i]));
-	isc_mem_put(dset->mctx, dset->dispatches,
-		    sizeof(dns_dispatch_t *) * dset->ndisp);
-	DESTROYLOCK(&dset->lock);
-	isc_mem_putanddetach(&dset->mctx, dset, sizeof(dns_dispatchset_t));
-
-	*dsetp = NULL;
-}
-
-#if 0
-void
-dns_dispatchmgr_dump(dns_dispatchmgr_t *mgr) {
-	dns_dispatch_t *disp;
-	char foo[1024];
-
-	disp = ISC_LIST_HEAD(mgr->list);
-	while (disp != NULL) {
-		isc_sockaddr_format(&disp->local, foo, sizeof(foo));
-		printf("\tdispatch %p, addr %s\n", disp, foo);
-		disp = ISC_LIST_NEXT(disp, link);
-	}
-}
-#endif
diff --git a/contrib/bind9/lib/dns/dlz.c b/contrib/bind9/lib/dns/dlz.c
deleted file mode 100644
index 19c600c..0000000
--- a/contrib/bind9/lib/dns/dlz.c
+++ /dev/null
@@ -1,655 +0,0 @@
-/*
- * Portions Copyright (C) 2005, 2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the
- * above copyright notice and this permission notice appear in all
- * copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
- * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
- * USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
- * conceived and contributed by Rob Butler.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the
- * above copyright notice and this permission notice appear in all
- * copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
- * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
- * USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-/***
- *** Imports
- ***/
-
-#include <config.h>
-
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/dlz.h>
-#include <dns/ssu.h>
-#include <dns/zone.h>
-
-
-#include <isc/buffer.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/rwlock.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-/***
- *** Supported DLZ DB Implementations Registry
- ***/
-
-static ISC_LIST(dns_dlzimplementation_t) dlz_implementations;
-static isc_rwlock_t dlz_implock;
-static isc_once_t once = ISC_ONCE_INIT;
-
-static void
-dlz_initialize(void) {
-	RUNTIME_CHECK(isc_rwlock_init(&dlz_implock, 0, 0) == ISC_R_SUCCESS);
-	ISC_LIST_INIT(dlz_implementations);
-}
-
-/*%
- * Searches the dlz_implementations list for a driver matching name.
- */
-static inline dns_dlzimplementation_t *
-dlz_impfind(const char *name) {
-	dns_dlzimplementation_t *imp;
-
-	for (imp = ISC_LIST_HEAD(dlz_implementations);
-	     imp != NULL;
-	     imp = ISC_LIST_NEXT(imp, link))
-		if (strcasecmp(name, imp->name) == 0)
-			return (imp);
-	return (NULL);
-}
-
-/***
- *** Basic DLZ Methods
- ***/
-
-isc_result_t
-dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
-		    isc_sockaddr_t *clientaddr, dns_db_t **dbp)
-{
-	isc_result_t result;
-	dns_dlzallowzonexfr_t allowzonexfr;
-	dns_dlzdb_t *dlzdatabase;
-
-	/*
-	 * Performs checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(DNS_DLZ_VALID(view->dlzdatabase));
-	REQUIRE(name != NULL);
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	/* ask driver if the zone is supported */
-	dlzdatabase = view->dlzdatabase;
-	allowzonexfr = dlzdatabase->implementation->methods->allowzonexfr;
-	result = (*allowzonexfr)(dlzdatabase->implementation->driverarg,
-				 dlzdatabase->dbdata, dlzdatabase->mctx,
-				 view->rdclass, name, clientaddr, dbp);
-
-	if (result == ISC_R_NOTIMPLEMENTED)
-		return (ISC_R_NOTFOUND);
-	return (result);
-}
-
-isc_result_t
-dns_dlzcreate(isc_mem_t *mctx, const char *dlzname, const char *drivername,
-	      unsigned int argc, char *argv[], dns_dlzdb_t **dbp)
-{
-	dns_dlzimplementation_t *impinfo;
-	isc_result_t result;
-	dns_dlzdb_t *db = NULL;
-
-	/*
-	 * initialize the dlz_implementations list, this is guaranteed
-	 * to only really happen once.
-	 */
-	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
-
-	/*
-	 * Performs checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(dbp != NULL && *dbp == NULL);
-	REQUIRE(dlzname != NULL);
-	REQUIRE(drivername != NULL);
-	REQUIRE(mctx != NULL);
-
-	/* write log message */
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-		      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
-		      "Loading '%s' using driver %s", dlzname, drivername);
-
-	/* lock the dlz_implementations list so we can search it. */
-	RWLOCK(&dlz_implock, isc_rwlocktype_read);
-
-	/* search for the driver implementation	 */
-	impinfo = dlz_impfind(drivername);
-	if (impinfo == NULL) {
-		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
-
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
-			      "unsupported DLZ database driver '%s'."
-			      "  %s not loaded.",
-			      drivername, dlzname);
-
-		return (ISC_R_NOTFOUND);
-	}
-
-	/* Allocate memory to hold the DLZ database driver */
-	db = isc_mem_get(mctx, sizeof(dns_dlzdb_t));
-	if (db == NULL) {
-		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
-		return (ISC_R_NOMEMORY);
-	}
-
-	/* Make sure memory region is set to all 0's */
-	memset(db, 0, sizeof(dns_dlzdb_t));
-
-	db->implementation = impinfo;
-
-	/* Create a new database using implementation 'drivername'. */
-	result = ((impinfo->methods->create)(mctx, dlzname, argc, argv,
-					     impinfo->driverarg,
-					     &db->dbdata));
-
-	/* mark the DLZ driver as valid */
-	if (result == ISC_R_SUCCESS) {
-		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
-		db->magic = DNS_DLZ_MAGIC;
-		isc_mem_attach(mctx, &db->mctx);
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
-			      "DLZ driver loaded successfully.");
-		*dbp = db;
-		return (ISC_R_SUCCESS);
-	} else {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
-			      "DLZ driver failed to load.");
-	}
-
-	/* impinfo->methods->create failed. */
-	RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
-	isc_mem_put(mctx, db, sizeof(dns_dlzdb_t));
-	return (result);
-}
-
-void
-dns_dlzdestroy(dns_dlzdb_t **dbp) {
-	isc_mem_t *mctx;
-	dns_dlzdestroy_t destroy;
-
-	/* Write debugging message to log */
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
-		      "Unloading DLZ driver.");
-
-	/*
-	 * Perform checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(dbp != NULL && DNS_DLZ_VALID(*dbp));
-
-#ifdef BIND9
-	if ((*dbp)->ssutable != NULL) {
-		dns_ssutable_detach(&(*dbp)->ssutable);
-	}
-#endif
-
-	/* call the drivers destroy method */
-	if ((*dbp) != NULL) {
-		mctx = (*dbp)->mctx;
-		destroy = (*dbp)->implementation->methods->destroy;
-		(*destroy)((*dbp)->implementation->driverarg,(*dbp)->dbdata);
-		/* return memory */
-		isc_mem_put(mctx, (*dbp), sizeof(dns_dlzdb_t));
-		isc_mem_detach(&mctx);
-	}
-
-	*dbp = NULL;
-}
-
-
-isc_result_t
-dns_dlzfindzone(dns_view_t *view, dns_name_t *name, unsigned int minlabels,
-		dns_db_t **dbp)
-{
-	dns_fixedname_t fname;
-	dns_name_t *zonename;
-	unsigned int namelabels;
-	unsigned int i;
-	isc_result_t result;
-	dns_dlzfindzone_t findzone;
-	dns_dlzdb_t *dlzdatabase;
-
-	/*
-	 * Performs checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(DNS_DLZ_VALID(view->dlzdatabase));
-	REQUIRE(name != NULL);
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	/* setup a "fixed" dns name */
-	dns_fixedname_init(&fname);
-	zonename = dns_fixedname_name(&fname);
-
-	/* count the number of labels in the name */
-	namelabels = dns_name_countlabels(name);
-
-	/*
-	 * loop through starting with the longest domain name and
-	 * trying shorter names portions of the name until we find a
-	 * match, have an error, or are below the 'minlabels'
-	 * threshold.  minlabels is 0, if the standard database didn't
-	 * have a zone name match.  Otherwise minlabels is the number
-	 * of labels in that name.  We need to beat that for a
-	 * "better" match for the DLZ database to be authoritative
-	 * instead of the standard database.
-	 */
-	for (i = namelabels; i > minlabels && i > 1; i--) {
-		if (i == namelabels) {
-			result = dns_name_copy(name, zonename, NULL);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		} else
-			dns_name_split(name, i, NULL, zonename);
-
-		/* ask SDLZ driver if the zone is supported */
-		dlzdatabase = view->dlzdatabase;
-		findzone = dlzdatabase->implementation->methods->findzone;
-		result = (*findzone)(dlzdatabase->implementation->driverarg,
-				     dlzdatabase->dbdata, dlzdatabase->mctx,
-				     view->rdclass, zonename, dbp);
-		if (result != ISC_R_NOTFOUND)
-			return (result);
-	}
-	return (ISC_R_NOTFOUND);
-}
-
-/*%
- * Registers a DLZ driver.  This basically just adds the dlz
- * driver to the list of available drivers in the dlz_implementations list.
- */
-isc_result_t
-dns_dlzregister(const char *drivername, const dns_dlzmethods_t *methods,
-		void *driverarg, isc_mem_t *mctx,
-		dns_dlzimplementation_t **dlzimp)
-{
-
-	dns_dlzimplementation_t *dlz_imp;
-
-	/* Write debugging message to log */
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
-		      "Registering DLZ driver '%s'", drivername);
-
-	/*
-	 * Performs checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(drivername != NULL);
-	REQUIRE(methods != NULL);
-	REQUIRE(methods->create != NULL);
-	REQUIRE(methods->destroy != NULL);
-	REQUIRE(methods->findzone != NULL);
-	REQUIRE(mctx != NULL);
-	REQUIRE(dlzimp != NULL && *dlzimp == NULL);
-
-	/*
-	 * initialize the dlz_implementations list, this is guaranteed
-	 * to only really happen once.
-	 */
-	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
-
-	/* lock the dlz_implementations list so we can modify it. */
-	RWLOCK(&dlz_implock, isc_rwlocktype_write);
-
-	/*
-	 * check that another already registered driver isn't using
-	 * the same name
-	 */
-	dlz_imp = dlz_impfind(drivername);
-	if (dlz_imp != NULL) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
-			      "DLZ Driver '%s' already registered",
-			      drivername);
-		RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
-		return (ISC_R_EXISTS);
-	}
-
-	/*
-	 * Allocate memory for a dlz_implementation object.  Error if
-	 * we cannot.
-	 */
-	dlz_imp = isc_mem_get(mctx, sizeof(dns_dlzimplementation_t));
-	if (dlz_imp == NULL) {
-		RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
-		return (ISC_R_NOMEMORY);
-	}
-
-	/* Make sure memory region is set to all 0's */
-	memset(dlz_imp, 0, sizeof(dns_dlzimplementation_t));
-
-	/* Store the data passed into this method */
-	dlz_imp->name = drivername;
-	dlz_imp->methods = methods;
-	dlz_imp->mctx = NULL;
-	dlz_imp->driverarg = driverarg;
-
-	/* attach the new dlz_implementation object to a memory context */
-	isc_mem_attach(mctx, &dlz_imp->mctx);
-
-	/*
-	 * prepare the dlz_implementation object to be put in a list,
-	 * and append it to the list
-	 */
-	ISC_LINK_INIT(dlz_imp, link);
-	ISC_LIST_APPEND(dlz_implementations, dlz_imp, link);
-
-	/* Unlock the dlz_implementations list.	 */
-	RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
-
-	/* Pass back the dlz_implementation that we created. */
-	*dlzimp = dlz_imp;
-
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Helper function for dns_dlzstrtoargv().
- * Pardon the gratuitous recursion.
- */
-static isc_result_t
-dns_dlzstrtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
-		    char ***argvp, unsigned int n)
-{
-	isc_result_t result;
-
- restart:
-	/* Discard leading whitespace. */
-	while (*s == ' ' || *s == '\t')
-		s++;
-
-	if (*s == '\0') {
-		/* We have reached the end of the string. */
-		*argcp = n;
-		*argvp = isc_mem_get(mctx, n * sizeof(char *));
-		if (*argvp == NULL)
-			return (ISC_R_NOMEMORY);
-	} else {
-		char *p = s;
-		while (*p != ' ' && *p != '\t' && *p != '\0' && *p != '{') {
-			if (*p == '\n') {
-				*p = ' ';
-				goto restart;
-			}
-			p++;
-		}
-
-		/* do "grouping", items between { and } are one arg */
-		if (*p == '{') {
-			char *t = p;
-			/*
-			 * shift all characters to left by 1 to get rid of '{'
-			 */
-			while (*t != '\0') {
-				t++;
-				*(t-1) = *t;
-			}
-			while (*p != '\0' && *p != '}') {
-				p++;
-			}
-			/* get rid of '}' character */
-			if (*p == '}') {
-				*p = '\0';
-				p++;
-			}
-			/* normal case, no "grouping" */
-		} else if (*p != '\0')
-			*p++ = '\0';
-
-		result = dns_dlzstrtoargvsub(mctx, p, argcp, argvp, n + 1);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		(*argvp)[n] = s;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Tokenize the string "s" into whitespace-separated words,
- * return the number of words in '*argcp' and an array
- * of pointers to the words in '*argvp'.  The caller
- * must free the array using isc_mem_put().  The string
- * is modified in-place.
- */
-isc_result_t
-dns_dlzstrtoargv(isc_mem_t *mctx, char *s,
-		 unsigned int *argcp, char ***argvp)
-{
-	return(dns_dlzstrtoargvsub(mctx, s, argcp, argvp, 0));
-}
-
-/*%
- * Unregisters a DLZ driver.  This basically just removes the dlz
- * driver from the list of available drivers in the dlz_implementations list.
- */
-void
-dns_dlzunregister(dns_dlzimplementation_t **dlzimp) {
-	dns_dlzimplementation_t *dlz_imp;
-	isc_mem_t *mctx;
-
-	/* Write debugging message to log */
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
-		      "Unregistering DLZ driver.");
-
-	/*
-	 * Performs checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(dlzimp != NULL && *dlzimp != NULL);
-
-	/*
-	 * initialize the dlz_implementations list, this is guaranteed
-	 * to only really happen once.
-	 */
-	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
-
-	dlz_imp = *dlzimp;
-
-	/* lock the dlz_implementations list so we can modify it. */
-	RWLOCK(&dlz_implock, isc_rwlocktype_write);
-
-	/* remove the dlz_implementation object from the list */
-	ISC_LIST_UNLINK(dlz_implementations, dlz_imp, link);
-	mctx = dlz_imp->mctx;
-
-	/*
-	 * Return the memory back to the available memory pool and
-	 * remove it from the memory context.
-	 */
-	isc_mem_put(mctx, dlz_imp, sizeof(dns_dlzimplementation_t));
-	isc_mem_detach(&mctx);
-
-	/* Unlock the dlz_implementations list. */
-	RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
-}
-
-#ifdef BIND9
-/*
- * Create a writeable DLZ zone. This can be called by DLZ drivers
- * during configure() to create a zone that can be updated. The zone
- * type is set to dns_zone_dlz, which is equivalent to a master zone
- *
- * This function uses a callback setup in dns_dlzconfigure() to call
- * into the server zone code to setup the remaining pieces of server
- * specific functionality on the zone
- */
-isc_result_t
-dns_dlz_writeablezone(dns_view_t *view, const char *zone_name) {
-	dns_zone_t *zone = NULL;
-	dns_zone_t *dupzone = NULL;
-	isc_result_t result;
-	isc_buffer_t buffer;
-	dns_fixedname_t fixorigin;
-	dns_name_t *origin;
-	dns_dlzdb_t *dlzdatabase;
-
-	REQUIRE(DNS_DLZ_VALID(view->dlzdatabase));
-
-	dlzdatabase = view->dlzdatabase;
-
-	REQUIRE(dlzdatabase->configure_callback != NULL);
-
-	isc_buffer_constinit(&buffer, zone_name, strlen(zone_name));
-	isc_buffer_add(&buffer, strlen(zone_name));
-	dns_fixedname_init(&fixorigin);
-	result = dns_name_fromtext(dns_fixedname_name(&fixorigin),
-				   &buffer, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	origin = dns_fixedname_name(&fixorigin);
-
-	/* See if the zone already exists */
-	result = dns_view_findzone(view, origin, &dupzone);
-	if (result == ISC_R_SUCCESS) {
-		dns_zone_detach(&dupzone);
-		result = ISC_R_EXISTS;
-		goto cleanup;
-	}
-	INSIST(dupzone == NULL);
-
-	/* Create it */
-	result = dns_zone_create(&zone, view->mctx);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_zone_setorigin(zone, origin);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	dns_zone_setview(zone, view);
-
-	dns_zone_setadded(zone, ISC_TRUE);
-
-	if (dlzdatabase->ssutable == NULL) {
-		result = dns_ssutable_createdlz(dlzdatabase->mctx,
-						&dlzdatabase->ssutable,
-						view->dlzdatabase);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-	dns_zone_setssutable(zone, dlzdatabase->ssutable);
-
-	result = dlzdatabase->configure_callback(view, zone);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/*
-	 * Add the zone to its view in the new view list.
-	 */
-	result = dns_view_addzone(view, zone);
-
- cleanup:
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-
-	return (result);
-}
-#endif
-
-/*%
- * Configure a DLZ driver. This is optional, and if supplied gives
- * the backend an opportunity to configure parameters related to DLZ.
- */
-isc_result_t
-dns_dlzconfigure(dns_view_t *view, isc_result_t (*callback)(dns_view_t *,
-		 dns_zone_t *))
-{
-	dns_dlzimplementation_t *impl;
-	dns_dlzdb_t *dlzdatabase;
-	isc_result_t result;
-
-	REQUIRE(view != NULL);
-	REQUIRE(DNS_DLZ_VALID(view->dlzdatabase));
-	REQUIRE(view->dlzdatabase->implementation != NULL);
-
-	dlzdatabase = view->dlzdatabase;
-	impl = dlzdatabase->implementation;
-
-	if (impl->methods->configure == NULL)
-		return (ISC_R_SUCCESS);
-
-	dlzdatabase->configure_callback = callback;
-
-	result = impl->methods->configure(impl->driverarg,
-					  dlzdatabase->dbdata, view);
-	return (result);
-}
-
-isc_boolean_t
-dns_dlz_ssumatch(dns_dlzdb_t *dlzdatabase,
-		  dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr,
-		  dns_rdatatype_t type, const dst_key_t *key)
-{
-	dns_dlzimplementation_t *impl;
-	isc_boolean_t r;
-
-	REQUIRE(dlzdatabase != NULL);
-	REQUIRE(dlzdatabase->implementation != NULL);
-	REQUIRE(dlzdatabase->implementation->methods != NULL);
-	impl = dlzdatabase->implementation;
-
-	if (impl->methods->ssumatch == NULL) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
-			      "No ssumatch method for DLZ database");
-		return (ISC_FALSE);
-	}
-
-	r = impl->methods->ssumatch(signer, name, tcpaddr, type, key,
-				    impl->driverarg, dlzdatabase->dbdata);
-	return (r);
-}
diff --git a/contrib/bind9/lib/dns/dns64.c b/contrib/bind9/lib/dns/dns64.c
deleted file mode 100644
index 78eff57..0000000
--- a/contrib/bind9/lib/dns/dns64.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- * Copyright (C) 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dns64.c,v 1.8 2011/03/12 04:59:47 tbox Exp $ */
-
-#include <config.h>
-
-#include <isc/list.h>
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/dns64.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-
-struct dns_dns64 {
-	unsigned char		bits[16];	/*
-						 * Prefix + suffix bits.
-						 */
-	dns_acl_t *		clients;	/*
-						 * Which clients get mapped
-						 * addresses.
-						 */
-	dns_acl_t *		mapped;		/*
-						 * IPv4 addresses to be mapped.
-						 */
-	dns_acl_t *		excluded;	/*
-						 * IPv6 addresses that are
-						 * treated as not existing.
-						 */
-	unsigned int		prefixlen;	/*
-						 * Start of mapped address.
-						 */
-	unsigned int		flags;
-	isc_mem_t *		mctx;
-	ISC_LINK(dns_dns64_t)	link;
-};
-
-isc_result_t
-dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
-		 unsigned int prefixlen, isc_netaddr_t *suffix,
-		 dns_acl_t *clients, dns_acl_t *mapped, dns_acl_t *excluded,
-		 unsigned int flags, dns_dns64_t **dns64)
-{
-	dns_dns64_t *new;
-	unsigned int nbytes = 16;
-
-	REQUIRE(prefix != NULL && prefix->family == AF_INET6);
-	/* Legal prefix lengths from draft-ietf-behave-address-format-04. */
-	REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
-		prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
-	REQUIRE(isc_netaddr_prefixok(prefix, prefixlen) == ISC_R_SUCCESS);
-	REQUIRE(dns64 != NULL && *dns64 == NULL);
-
-	if (suffix != NULL) {
-		static const unsigned char zeros[16];
-		REQUIRE(prefix->family == AF_INET6);
-		nbytes = prefixlen / 8 + 4;
-		/* Bits 64-71 are zeros. draft-ietf-behave-address-format-04 */
-		if (prefixlen >= 32 && prefixlen <= 64)
-			nbytes++;
-		REQUIRE(memcmp(suffix->type.in6.s6_addr, zeros, nbytes) == 0);
-	}
-
-	new = isc_mem_get(mctx, sizeof(dns_dns64_t));
-	if (new == NULL)
-		return (ISC_R_NOMEMORY);
-	memset(new->bits, 0, sizeof(new->bits));
-	memcpy(new->bits, prefix->type.in6.s6_addr, prefixlen / 8);
-	if (suffix != NULL)
-		memcpy(new->bits + nbytes, suffix->type.in6.s6_addr + nbytes,
-		       16 - nbytes);
-	new->clients = NULL;
-	if (clients != NULL)
-		dns_acl_attach(clients, &new->clients);
-	new->mapped = NULL;
-	if (mapped != NULL)
-		dns_acl_attach(mapped, &new->mapped);
-	new->excluded = NULL;
-	if (excluded != NULL)
-		dns_acl_attach(excluded, &new->excluded);
-	new->prefixlen = prefixlen;
-	new->flags = flags;
-	ISC_LINK_INIT(new, link);
-	new->mctx = NULL;
-	isc_mem_attach(mctx, &new->mctx);
-	*dns64 = new;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_dns64_destroy(dns_dns64_t **dns64p) {
-	dns_dns64_t *dns64;
-
-	REQUIRE(dns64p != NULL && *dns64p != NULL);
-
-	dns64 = *dns64p;
-	*dns64p = NULL;
-
-	REQUIRE(!ISC_LINK_LINKED(dns64, link));
-
-	if (dns64->clients != NULL)
-		dns_acl_detach(&dns64->clients);
-	if (dns64->mapped != NULL)
-		dns_acl_detach(&dns64->mapped);
-	if (dns64->excluded != NULL)
-		dns_acl_detach(&dns64->excluded);
-	isc_mem_putanddetach(&dns64->mctx, dns64, sizeof(*dns64));
-}
-
-isc_result_t
-dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
-		    const dns_name_t *reqsigner, const dns_aclenv_t *env,
-		    unsigned int flags, unsigned char *a, unsigned char *aaaa)
-{
-	unsigned int nbytes, i;
-	isc_result_t result;
-	int match;
-
-	if ((dns64->flags & DNS_DNS64_RECURSIVE_ONLY) != 0 &&
-	    (flags & DNS_DNS64_RECURSIVE) == 0)
-		return (DNS_R_DISALLOWED);
-
-	if ((dns64->flags & DNS_DNS64_BREAK_DNSSEC) == 0 &&
-	    (flags & DNS_DNS64_DNSSEC) != 0)
-		return (DNS_R_DISALLOWED);
-
-	if (dns64->clients != NULL) {
-		result = dns_acl_match(reqaddr, reqsigner, dns64->clients, env,
-				       &match, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		if (match <= 0)
-			return (DNS_R_DISALLOWED);
-	}
-
-	if (dns64->mapped != NULL) {
-		struct in_addr ina;
-		isc_netaddr_t netaddr;
-
-		memcpy(&ina.s_addr, a, 4);
-		isc_netaddr_fromin(&netaddr, &ina);
-		result = dns_acl_match(&netaddr, NULL, dns64->mapped, env,
-				       &match, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		if (match <= 0)
-			return (DNS_R_DISALLOWED);
-	}
-
-	nbytes = dns64->prefixlen / 8;
-	INSIST(nbytes <= 12);
-	/* Copy prefix. */
-	memcpy(aaaa, dns64->bits, nbytes);
-	/* Bits 64-71 are zeros. draft-ietf-behave-address-format-04 */
-	if (nbytes == 8)
-		aaaa[nbytes++] = 0;
-	/* Copy mapped address. */
-	for (i = 0; i < 4U; i++) {
-		aaaa[nbytes++] = a[i];
-		/* Bits 64-71 are zeros. draft-ietf-behave-address-format-04 */
-		if (nbytes == 8)
-			aaaa[nbytes++] = 0;
-	}
-	/* Copy suffix. */
-	memcpy(aaaa + nbytes, dns64->bits + nbytes, 16 - nbytes);
-	return (ISC_R_SUCCESS);
-}
-
-dns_dns64_t *
-dns_dns64_next(dns_dns64_t *dns64) {
-	dns64 = ISC_LIST_NEXT(dns64, link);
-	return (dns64);
-}
-
-void
-dns_dns64_append(dns_dns64list_t *list, dns_dns64_t *dns64) {
-	ISC_LIST_APPEND(*list, dns64, link);
-}
-
-void
-dns_dns64_unlink(dns_dns64list_t *list, dns_dns64_t *dns64) {
-	ISC_LIST_UNLINK(*list, dns64, link);
-}
-
-isc_boolean_t
-dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
-		 const dns_name_t *reqsigner, const dns_aclenv_t *env,
-		 unsigned int flags, dns_rdataset_t *rdataset,
-		 isc_boolean_t *aaaaok, size_t aaaaoklen)
-{
-	struct in6_addr in6;
-	isc_netaddr_t netaddr;
-	isc_result_t result;
-	int match;
-	isc_boolean_t answer = ISC_FALSE;
-	isc_boolean_t found = ISC_FALSE;
-	unsigned int i, ok;
-
-	REQUIRE(rdataset != NULL);
-	REQUIRE(rdataset->type == dns_rdatatype_aaaa);
-	REQUIRE(rdataset->rdclass == dns_rdataclass_in);
-	if (aaaaok != NULL)
-		REQUIRE(aaaaoklen == dns_rdataset_count(rdataset));
-
-	for (;dns64 != NULL; dns64 = ISC_LIST_NEXT(dns64, link)) {
-		if ((dns64->flags & DNS_DNS64_RECURSIVE_ONLY) != 0 &&
-		    (flags & DNS_DNS64_RECURSIVE) == 0)
-			continue;
-
-		if ((dns64->flags & DNS_DNS64_BREAK_DNSSEC) == 0 &&
-		    (flags & DNS_DNS64_DNSSEC) != 0)
-			continue;
-		/*
-		 * Work out if this dns64 structure applies to this client.
-		 */
-		if (dns64->clients != NULL) {
-			result = dns_acl_match(reqaddr, reqsigner,
-					       dns64->clients, env,
-					       &match, NULL);
-			if (result != ISC_R_SUCCESS)
-				continue;
-			if (match <= 0)
-				continue;
-		}
-
-		if (!found && aaaaok != NULL) {
-			for (i = 0; i < aaaaoklen; i++)
-				aaaaok[i] = ISC_FALSE;
-		}
-		found = ISC_TRUE;
-
-		/*
-		 * If we are not excluding any addresses then any AAAA
-		 * will do.
-		 */
-		if (dns64->excluded == NULL) {
-			answer = ISC_TRUE;
-			if (aaaaok == NULL)
-				goto done;
-			for (i = 0; i < aaaaoklen; i++)
-				aaaaok[i] = ISC_TRUE;
-			goto done;
-		}
-
-		i = 0; ok = 0;
-		for (result = dns_rdataset_first(rdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(rdataset)) {
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-			if (aaaaok == NULL || !aaaaok[i]) {
-
-				dns_rdataset_current(rdataset, &rdata);
-				memcpy(&in6.s6_addr, rdata.data, 16);
-				isc_netaddr_fromin6(&netaddr, &in6);
-
-				result = dns_acl_match(&netaddr, NULL,
-						       dns64->excluded,
-						       env, &match, NULL);
-				if (result == ISC_R_SUCCESS && match <= 0) {
-					answer = ISC_TRUE;
-					if (aaaaok == NULL)
-						goto done;
-					aaaaok[i] = ISC_TRUE;
-					ok++;
-				}
-			} else
-				ok++;
-			i++;
-		}
-		/*
-		 * Are all addresses ok?
-		 */
-		if (aaaaok != NULL && ok == aaaaoklen)
-			goto done;
-	}
-
- done:
-	if (!found && aaaaok != NULL) {
-		for (i = 0; i < aaaaoklen; i++)
-			aaaaok[i] = ISC_TRUE;
-	}
-	return (found ? answer : ISC_TRUE);
-}
diff --git a/contrib/bind9/lib/dns/dnssec.c b/contrib/bind9/lib/dns/dnssec.c
deleted file mode 100644
index d00c99b..0000000
--- a/contrib/bind9/lib/dns/dnssec.c
+++ /dev/null
@@ -1,1884 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id$
- */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/mem.h>
-#include <isc/serial.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/stats.h>
-#include <dns/tsig.h>		/* for DNS_TSIG_FUDGE */
-
-#include <dst/result.h>
-
-LIBDNS_EXTERNAL_DATA isc_stats_t *dns_dnssec_stats;
-
-#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
-
-#define RETERR(x) do { \
-	result = (x); \
-	if (result != ISC_R_SUCCESS) \
-		goto failure; \
-	} while (0)
-
-
-#define TYPE_SIGN 0
-#define TYPE_VERIFY 1
-
-static isc_result_t
-digest_callback(void *arg, isc_region_t *data);
-
-static int
-rdata_compare_wrapper(const void *rdata1, const void *rdata2);
-
-static isc_result_t
-rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
-			dns_rdata_t **rdata, int *nrdata);
-
-static isc_result_t
-digest_callback(void *arg, isc_region_t *data) {
-	dst_context_t *ctx = arg;
-
-	return (dst_context_adddata(ctx, data));
-}
-
-static inline void
-inc_stat(isc_statscounter_t counter) {
-	if (dns_dnssec_stats != NULL)
-		isc_stats_increment(dns_dnssec_stats, counter);
-}
-
-/*
- * Make qsort happy.
- */
-static int
-rdata_compare_wrapper(const void *rdata1, const void *rdata2) {
-	return (dns_rdata_compare((const dns_rdata_t *)rdata1,
-				  (const dns_rdata_t *)rdata2));
-}
-
-/*
- * Sort the rdataset into an array.
- */
-static isc_result_t
-rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
-			dns_rdata_t **rdata, int *nrdata)
-{
-	isc_result_t ret;
-	int i = 0, n;
-	dns_rdata_t *data;
-	dns_rdataset_t rdataset;
-
-	n = dns_rdataset_count(set);
-
-	data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
-	if (data == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dns_rdataset_init(&rdataset);
-	dns_rdataset_clone(set, &rdataset);
-	ret = dns_rdataset_first(&rdataset);
-	if (ret != ISC_R_SUCCESS) {
-		dns_rdataset_disassociate(&rdataset);
-		isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
-		return (ret);
-	}
-
-	/*
-	 * Put them in the array.
-	 */
-	do {
-		dns_rdata_init(&data[i]);
-		dns_rdataset_current(&rdataset, &data[i++]);
-	} while (dns_rdataset_next(&rdataset) == ISC_R_SUCCESS);
-
-	/*
-	 * Sort the array.
-	 */
-	qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
-	*rdata = data;
-	*nrdata = n;
-	dns_rdataset_disassociate(&rdataset);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
-			dst_key_t **key)
-{
-	isc_buffer_t b;
-	isc_region_t r;
-
-	INSIST(name != NULL);
-	INSIST(rdata != NULL);
-	INSIST(mctx != NULL);
-	INSIST(key != NULL);
-	INSIST(*key == NULL);
-	REQUIRE(rdata->type == dns_rdatatype_key ||
-		rdata->type == dns_rdatatype_dnskey);
-
-	dns_rdata_toregion(rdata, &r);
-	isc_buffer_init(&b, r.base, r.length);
-	isc_buffer_add(&b, r.length);
-	return (dst_key_fromdns(name, rdata->rdclass, &b, mctx, key));
-}
-
-static isc_result_t
-digest_sig(dst_context_t *ctx, isc_boolean_t downcase, dns_rdata_t *sigrdata,
-	   dns_rdata_rrsig_t *rrsig)
-{
-	isc_region_t r;
-	isc_result_t ret;
-	dns_fixedname_t fname;
-
-	dns_rdata_toregion(sigrdata, &r);
-	INSIST(r.length >= 19);
-
-	r.length = 18;
-	ret = dst_context_adddata(ctx, &r);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-	if (downcase) {
-		dns_fixedname_init(&fname);
-
-		RUNTIME_CHECK(dns_name_downcase(&rrsig->signer,
-						dns_fixedname_name(&fname),
-						NULL) == ISC_R_SUCCESS);
-		dns_name_toregion(dns_fixedname_name(&fname), &r);
-	} else
-		dns_name_toregion(&rrsig->signer, &r);
-
-	return (dst_context_adddata(ctx, &r));
-}
-
-isc_result_t
-dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		isc_stdtime_t *inception, isc_stdtime_t *expire,
-		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
-{
-	dns_rdata_rrsig_t sig;
-	dns_rdata_t tmpsigrdata;
-	dns_rdata_t *rdatas;
-	int nrdatas, i;
-	isc_buffer_t sigbuf, envbuf;
-	isc_region_t r;
-	dst_context_t *ctx = NULL;
-	isc_result_t ret;
-	isc_buffer_t *databuf = NULL;
-	char data[256 + 8];
-	isc_uint32_t flags;
-	unsigned int sigsize;
-	dns_fixedname_t fnewname;
-	dns_fixedname_t fsigner;
-
-	REQUIRE(name != NULL);
-	REQUIRE(dns_name_countlabels(name) <= 255);
-	REQUIRE(set != NULL);
-	REQUIRE(key != NULL);
-	REQUIRE(inception != NULL);
-	REQUIRE(expire != NULL);
-	REQUIRE(mctx != NULL);
-	REQUIRE(sigrdata != NULL);
-
-	if (*inception >= *expire)
-		return (DNS_R_INVALIDTIME);
-
-	/*
-	 * Is the key allowed to sign data?
-	 */
-	flags = dst_key_flags(key);
-	if (flags & DNS_KEYTYPE_NOAUTH)
-		return (DNS_R_KEYUNAUTHORIZED);
-	if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
-		return (DNS_R_KEYUNAUTHORIZED);
-
-	sig.mctx = mctx;
-	sig.common.rdclass = set->rdclass;
-	sig.common.rdtype = dns_rdatatype_rrsig;
-	ISC_LINK_INIT(&sig.common, link);
-
-	/*
-	 * Downcase signer.
-	 */
-	dns_name_init(&sig.signer, NULL);
-	dns_fixedname_init(&fsigner);
-	RUNTIME_CHECK(dns_name_downcase(dst_key_name(key),
-		      dns_fixedname_name(&fsigner), NULL) == ISC_R_SUCCESS);
-	dns_name_clone(dns_fixedname_name(&fsigner), &sig.signer);
-
-	sig.covered = set->type;
-	sig.algorithm = dst_key_alg(key);
-	sig.labels = dns_name_countlabels(name) - 1;
-	if (dns_name_iswildcard(name))
-		sig.labels--;
-	sig.originalttl = set->ttl;
-	sig.timesigned = *inception;
-	sig.timeexpire = *expire;
-	sig.keyid = dst_key_id(key);
-	ret = dst_key_sigsize(key, &sigsize);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-	sig.siglen = sigsize;
-	/*
-	 * The actual contents of sig.signature are not important yet, since
-	 * they're not used in digest_sig().
-	 */
-	sig.signature = isc_mem_get(mctx, sig.siglen);
-	if (sig.signature == NULL)
-		return (ISC_R_NOMEMORY);
-
-	ret = isc_buffer_allocate(mctx, &databuf, sigsize + 256 + 18);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_signature;
-
-	dns_rdata_init(&tmpsigrdata);
-	ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
-				   sig.common.rdtype, &sig, databuf);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_databuf;
-
-	ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_databuf;
-
-	/*
-	 * Digest the SIG rdata.
-	 */
-	ret = digest_sig(ctx, ISC_FALSE, &tmpsigrdata, &sig);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_context;
-
-	dns_fixedname_init(&fnewname);
-	RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
-					NULL) == ISC_R_SUCCESS);
-	dns_name_toregion(dns_fixedname_name(&fnewname), &r);
-
-	/*
-	 * Create an envelope for each rdata: <name|type|class|ttl>.
-	 */
-	isc_buffer_init(&envbuf, data, sizeof(data));
-	memcpy(data, r.base, r.length);
-	isc_buffer_add(&envbuf, r.length);
-	isc_buffer_putuint16(&envbuf, set->type);
-	isc_buffer_putuint16(&envbuf, set->rdclass);
-	isc_buffer_putuint32(&envbuf, set->ttl);
-
-	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_context;
-	isc_buffer_usedregion(&envbuf, &r);
-
-	for (i = 0; i < nrdatas; i++) {
-		isc_uint16_t len;
-		isc_buffer_t lenbuf;
-		isc_region_t lenr;
-
-		/*
-		 * Skip duplicates.
-		 */
-		if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
-		    continue;
-
-		/*
-		 * Digest the envelope.
-		 */
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_array;
-
-		/*
-		 * Digest the length of the rdata.
-		 */
-		isc_buffer_init(&lenbuf, &len, sizeof(len));
-		INSIST(rdatas[i].length < 65536);
-		isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
-		isc_buffer_usedregion(&lenbuf, &lenr);
-		ret = dst_context_adddata(ctx, &lenr);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_array;
-
-		/*
-		 * Digest the rdata.
-		 */
-		ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_array;
-	}
-
-	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
-	ret = dst_context_sign(ctx, &sigbuf);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_array;
-	isc_buffer_usedregion(&sigbuf, &r);
-	if (r.length != sig.siglen) {
-		ret = ISC_R_NOSPACE;
-		goto cleanup_array;
-	}
-
-	ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
-				   sig.common.rdtype, &sig, buffer);
-
-cleanup_array:
-	isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
-cleanup_context:
-	dst_context_destroy(&ctx);
-cleanup_databuf:
-	isc_buffer_free(&databuf);
-cleanup_signature:
-	isc_mem_put(mctx, sig.signature, sig.siglen);
-
-	return (ret);
-}
-
-isc_result_t
-dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		   isc_boolean_t ignoretime, isc_mem_t *mctx,
-		   dns_rdata_t *sigrdata, dns_name_t *wild)
-{
-	return (dns_dnssec_verify3(name, set, key, ignoretime, 0, mctx,
-				   sigrdata, wild));
-}
-
-isc_result_t
-dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		   isc_boolean_t ignoretime, unsigned int maxbits,
-		   isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild)
-{
-	dns_rdata_rrsig_t sig;
-	dns_fixedname_t fnewname;
-	isc_region_t r;
-	isc_buffer_t envbuf;
-	dns_rdata_t *rdatas;
-	int nrdatas, i;
-	isc_stdtime_t now;
-	isc_result_t ret;
-	unsigned char data[300];
-	dst_context_t *ctx = NULL;
-	int labels = 0;
-	isc_uint32_t flags;
-	isc_boolean_t downcase = ISC_FALSE;
-
-	REQUIRE(name != NULL);
-	REQUIRE(set != NULL);
-	REQUIRE(key != NULL);
-	REQUIRE(mctx != NULL);
-	REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_rrsig);
-
-	ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	if (set->type != sig.covered)
-		return (DNS_R_SIGINVALID);
-
-	if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
-		inc_stat(dns_dnssecstats_fail);
-		return (DNS_R_SIGINVALID);
-	}
-
-	if (!ignoretime) {
-		isc_stdtime_get(&now);
-
-		/*
-		 * Is SIG temporally valid?
-		 */
-		if (isc_serial_lt((isc_uint32_t)now, sig.timesigned)) {
-			inc_stat(dns_dnssecstats_fail);
-			return (DNS_R_SIGFUTURE);
-		} else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now)) {
-			inc_stat(dns_dnssecstats_fail);
-			return (DNS_R_SIGEXPIRED);
-		}
-	}
-
-	/*
-	 * NS, SOA and DNSSKEY records are signed by their owner.
-	 * DS records are signed by the parent.
-	 */
-	switch (set->type) {
-	case dns_rdatatype_ns:
-	case dns_rdatatype_soa:
-	case dns_rdatatype_dnskey:
-		if (!dns_name_equal(name, &sig.signer)) {
-			inc_stat(dns_dnssecstats_fail);
-			return (DNS_R_SIGINVALID);
-		}
-		break;
-	case dns_rdatatype_ds:
-		if (dns_name_equal(name, &sig.signer)) {
-			inc_stat(dns_dnssecstats_fail);
-			return (DNS_R_SIGINVALID);
-		}
-		/* FALLTHROUGH */
-	default:
-		if (!dns_name_issubdomain(name, &sig.signer)) {
-			inc_stat(dns_dnssecstats_fail);
-			return (DNS_R_SIGINVALID);
-		}
-		break;
-	}
-
-	/*
-	 * Is the key allowed to sign data?
-	 */
-	flags = dst_key_flags(key);
-	if (flags & DNS_KEYTYPE_NOAUTH) {
-		inc_stat(dns_dnssecstats_fail);
-		return (DNS_R_KEYUNAUTHORIZED);
-	}
-	if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
-		inc_stat(dns_dnssecstats_fail);
-		return (DNS_R_KEYUNAUTHORIZED);
-	}
-
- again:
-	ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_struct;
-
-	/*
-	 * Digest the SIG rdata (not including the signature).
-	 */
-	ret = digest_sig(ctx, downcase, sigrdata, &sig);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_context;
-
-	/*
-	 * If the name is an expanded wildcard, use the wildcard name.
-	 */
-	dns_fixedname_init(&fnewname);
-	labels = dns_name_countlabels(name) - 1;
-	RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
-					NULL) == ISC_R_SUCCESS);
-	if (labels - sig.labels > 0)
-		dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1,
-			       NULL, dns_fixedname_name(&fnewname));
-
-	dns_name_toregion(dns_fixedname_name(&fnewname), &r);
-
-	/*
-	 * Create an envelope for each rdata: <name|type|class|ttl>.
-	 */
-	isc_buffer_init(&envbuf, data, sizeof(data));
-	if (labels - sig.labels > 0) {
-		isc_buffer_putuint8(&envbuf, 1);
-		isc_buffer_putuint8(&envbuf, '*');
-		memcpy(data + 2, r.base, r.length);
-	}
-	else
-		memcpy(data, r.base, r.length);
-	isc_buffer_add(&envbuf, r.length);
-	isc_buffer_putuint16(&envbuf, set->type);
-	isc_buffer_putuint16(&envbuf, set->rdclass);
-	isc_buffer_putuint32(&envbuf, sig.originalttl);
-
-	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_context;
-
-	isc_buffer_usedregion(&envbuf, &r);
-
-	for (i = 0; i < nrdatas; i++) {
-		isc_uint16_t len;
-		isc_buffer_t lenbuf;
-		isc_region_t lenr;
-
-		/*
-		 * Skip duplicates.
-		 */
-		if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
-		    continue;
-
-		/*
-		 * Digest the envelope.
-		 */
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_array;
-
-		/*
-		 * Digest the rdata length.
-		 */
-		isc_buffer_init(&lenbuf, &len, sizeof(len));
-		INSIST(rdatas[i].length < 65536);
-		isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
-		isc_buffer_usedregion(&lenbuf, &lenr);
-
-		/*
-		 * Digest the rdata.
-		 */
-		ret = dst_context_adddata(ctx, &lenr);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_array;
-		ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_array;
-	}
-
-	r.base = sig.signature;
-	r.length = sig.siglen;
-	ret = dst_context_verify2(ctx, maxbits, &r);
-	if (ret == ISC_R_SUCCESS && downcase) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		dns_name_format(&sig.signer, namebuf, sizeof(namebuf));
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
-			      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
-			      "successfully validated after lower casing "
-			      "signer '%s'", namebuf);
-		inc_stat(dns_dnssecstats_downcase);
-	} else if (ret == ISC_R_SUCCESS)
-		inc_stat(dns_dnssecstats_asis);
-
-cleanup_array:
-	isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
-cleanup_context:
-	dst_context_destroy(&ctx);
-	if (ret == DST_R_VERIFYFAILURE && !downcase) {
-		downcase = ISC_TRUE;
-		goto again;
-	}
-cleanup_struct:
-	dns_rdata_freestruct(&sig);
-
-	if (ret == DST_R_VERIFYFAILURE)
-		ret = DNS_R_SIGINVALID;
-
-	if (ret != ISC_R_SUCCESS)
-		inc_stat(dns_dnssecstats_fail);
-
-	if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
-		if (wild != NULL)
-			RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname,
-						 dns_fixedname_name(&fnewname),
-						 wild, NULL) == ISC_R_SUCCESS);
-		inc_stat(dns_dnssecstats_wildcard);
-		ret = DNS_R_FROMWILDCARD;
-	}
-	return (ret);
-}
-
-isc_result_t
-dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		  isc_boolean_t ignoretime, isc_mem_t *mctx,
-		  dns_rdata_t *sigrdata)
-{
-	isc_result_t result;
-
-	result = dns_dnssec_verify2(name, set, key, ignoretime, mctx,
-				    sigrdata, NULL);
-	if (result == DNS_R_FROMWILDCARD)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-static isc_boolean_t
-key_active(dst_key_t *key, isc_stdtime_t now) {
-	isc_result_t result;
-	isc_stdtime_t publish, active, revoke, inactive, delete;
-	isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
-	isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
-	isc_boolean_t delset = ISC_FALSE;
-	int major, minor;
-
-	/* Is this an old-style key? */
-	result = dst_key_getprivateformat(key, &major, &minor);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	/*
-	 * Smart signing started with key format 1.3; prior to that, all
-	 * keys are assumed active
-	 */
-	if (major == 1 && minor <= 2)
-		return (ISC_TRUE);
-
-	result = dst_key_gettime(key, DST_TIME_PUBLISH, &publish);
-	if (result == ISC_R_SUCCESS)
-		pubset = ISC_TRUE;
-
-	result = dst_key_gettime(key, DST_TIME_ACTIVATE, &active);
-	if (result == ISC_R_SUCCESS)
-		actset = ISC_TRUE;
-
-	result = dst_key_gettime(key, DST_TIME_REVOKE, &revoke);
-	if (result == ISC_R_SUCCESS)
-		revset = ISC_TRUE;
-
-	result = dst_key_gettime(key, DST_TIME_INACTIVE, &inactive);
-	if (result == ISC_R_SUCCESS)
-		inactset = ISC_TRUE;
-
-	result = dst_key_gettime(key, DST_TIME_DELETE, &delete);
-	if (result == ISC_R_SUCCESS)
-		delset = ISC_TRUE;
-
-	if ((inactset && inactive <= now) || (delset && delete <= now))
-		return (ISC_FALSE);
-
-	if (revset && revoke <= now && pubset && publish <= now)
-		return (ISC_TRUE);
-
-	if (actset && active <= now)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
-			  == DNS_KEYOWNER_ZONE)
-
-isc_result_t
-dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
-			 dns_dbnode_t *node, dns_name_t *name,
-			 const char *directory, isc_mem_t *mctx,
-			 unsigned int maxkeys, dst_key_t **keys,
-			 unsigned int *nkeys)
-{
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	dst_key_t *pubkey = NULL;
-	unsigned int count = 0;
-	isc_stdtime_t now;
-
-	REQUIRE(nkeys != NULL);
-	REQUIRE(keys != NULL);
-
-	isc_stdtime_get(&now);
-
-	*nkeys = 0;
-	dns_rdataset_init(&rdataset);
-	RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
-				   &rdataset, NULL));
-	RETERR(dns_rdataset_first(&rdataset));
-	while (result == ISC_R_SUCCESS && count < maxkeys) {
-		pubkey = NULL;
-		dns_rdataset_current(&rdataset, &rdata);
-		RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
-		dst_key_setttl(pubkey, rdataset.ttl);
-
-		if (!is_zone_key(pubkey) ||
-		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
-			goto next;
-		/* Corrupted .key file? */
-		if (!dns_name_equal(name, dst_key_name(pubkey)))
-			goto next;
-		keys[count] = NULL;
-		result = dst_key_fromfile(dst_key_name(pubkey),
-					  dst_key_id(pubkey),
-					  dst_key_alg(pubkey),
-					  DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
-					  directory,
-					  mctx, &keys[count]);
-
-		/*
-		 * If the key was revoked and the private file
-		 * doesn't exist, maybe it was revoked internally
-		 * by named.  Try loading the unrevoked version.
-		 */
-		if (result == ISC_R_FILENOTFOUND) {
-			isc_uint32_t flags;
-			flags = dst_key_flags(pubkey);
-			if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
-				dst_key_setflags(pubkey,
-						 flags & ~DNS_KEYFLAG_REVOKE);
-				result = dst_key_fromfile(dst_key_name(pubkey),
-							  dst_key_id(pubkey),
-							  dst_key_alg(pubkey),
-							  DST_TYPE_PUBLIC|
-							  DST_TYPE_PRIVATE,
-							  directory,
-							  mctx, &keys[count]);
-				if (result == ISC_R_SUCCESS &&
-				    dst_key_pubcompare(pubkey, keys[count],
-						       ISC_FALSE)) {
-					dst_key_setflags(keys[count], flags);
-				}
-				dst_key_setflags(pubkey, flags);
-			}
-		}
-
-		if (result != ISC_R_SUCCESS) {
-			char keybuf[DNS_NAME_FORMATSIZE];
-			char algbuf[DNS_SECALG_FORMATSIZE];
-			dns_name_format(dst_key_name(pubkey), keybuf,
-					sizeof(keybuf));
-			dns_secalg_format(dst_key_alg(pubkey), algbuf,
-					  sizeof(algbuf));
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
-				      "dns_dnssec_findzonekeys2: error "
-				      "reading private key file %s/%s/%d: %s",
-				      keybuf, algbuf, dst_key_id(pubkey),
-				      isc_result_totext(result));
-		}
-
-		if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
-			keys[count] = pubkey;
-			pubkey = NULL;
-			count++;
-			goto next;
-		}
-
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		/*
-		 * If a key is marked inactive, skip it
-		 */
-		if (!key_active(keys[count], now)) {
-			dst_key_free(&keys[count]);
-			keys[count] = pubkey;
-			pubkey = NULL;
-			count++;
-			goto next;
-		}
-
-		/*
-		 * Whatever the key's default TTL may have
-		 * been, the rdataset TTL takes priority.
-		 */
-		dst_key_setttl(keys[count], rdataset.ttl);
-
-		if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
-			/* We should never get here. */
-			dst_key_free(&keys[count]);
-			goto next;
-		}
-		count++;
- next:
-		if (pubkey != NULL)
-			dst_key_free(&pubkey);
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(&rdataset);
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-	if (count == 0)
-		result = ISC_R_NOTFOUND;
-	else
-		result = ISC_R_SUCCESS;
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (pubkey != NULL)
-		dst_key_free(&pubkey);
-	if (result != ISC_R_SUCCESS)
-		while (count > 0)
-			dst_key_free(&keys[--count]);
-	*nkeys = count;
-	return (result);
-}
-
-isc_result_t
-dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
-			dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
-			unsigned int maxkeys, dst_key_t **keys,
-			unsigned int *nkeys)
-{
-	return (dns_dnssec_findzonekeys2(db, ver, node, name, NULL, mctx,
-					 maxkeys, keys, nkeys));
-}
-
-isc_result_t
-dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
-	dns_rdata_sig_t sig;	/* SIG(0) */
-	unsigned char data[512];
-	unsigned char header[DNS_MESSAGE_HEADERLEN];
-	isc_buffer_t headerbuf, databuf, sigbuf;
-	unsigned int sigsize;
-	isc_buffer_t *dynbuf = NULL;
-	dns_rdata_t *rdata;
-	dns_rdatalist_t *datalist;
-	dns_rdataset_t *dataset;
-	isc_region_t r;
-	isc_stdtime_t now;
-	dst_context_t *ctx = NULL;
-	isc_mem_t *mctx;
-	isc_result_t result;
-	isc_boolean_t signeedsfree = ISC_TRUE;
-
-	REQUIRE(msg != NULL);
-	REQUIRE(key != NULL);
-
-	if (is_response(msg))
-		REQUIRE(msg->query.base != NULL);
-
-	mctx = msg->mctx;
-
-	memset(&sig, 0, sizeof(sig));
-
-	sig.mctx = mctx;
-	sig.common.rdclass = dns_rdataclass_any;
-	sig.common.rdtype = dns_rdatatype_sig;	/* SIG(0) */
-	ISC_LINK_INIT(&sig.common, link);
-
-	sig.covered = 0;
-	sig.algorithm = dst_key_alg(key);
-	sig.labels = 0; /* the root name */
-	sig.originalttl = 0;
-
-	isc_stdtime_get(&now);
-	sig.timesigned = now - DNS_TSIG_FUDGE;
-	sig.timeexpire = now + DNS_TSIG_FUDGE;
-
-	sig.keyid = dst_key_id(key);
-
-	dns_name_init(&sig.signer, NULL);
-	dns_name_clone(dst_key_name(key), &sig.signer);
-
-	sig.siglen = 0;
-	sig.signature = NULL;
-
-	isc_buffer_init(&databuf, data, sizeof(data));
-
-	RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
-
-	/*
-	 * Digest the fields of the SIG - we can cheat and use
-	 * dns_rdata_fromstruct.  Since siglen is 0, the digested data
-	 * is identical to dns format.
-	 */
-	RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
-				    dns_rdatatype_sig /* SIG(0) */,
-				    &sig, &databuf));
-	isc_buffer_usedregion(&databuf, &r);
-	RETERR(dst_context_adddata(ctx, &r));
-
-	/*
-	 * If this is a response, digest the query.
-	 */
-	if (is_response(msg))
-		RETERR(dst_context_adddata(ctx, &msg->query));
-
-	/*
-	 * Digest the header.
-	 */
-	isc_buffer_init(&headerbuf, header, sizeof(header));
-	dns_message_renderheader(msg, &headerbuf);
-	isc_buffer_usedregion(&headerbuf, &r);
-	RETERR(dst_context_adddata(ctx, &r));
-
-	/*
-	 * Digest the remainder of the message.
-	 */
-	isc_buffer_usedregion(msg->buffer, &r);
-	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-	RETERR(dst_context_adddata(ctx, &r));
-
-	RETERR(dst_key_sigsize(key, &sigsize));
-	sig.siglen = sigsize;
-	sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
-	if (sig.signature == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto failure;
-	}
-
-	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
-	RETERR(dst_context_sign(ctx, &sigbuf));
-	dst_context_destroy(&ctx);
-
-	rdata = NULL;
-	RETERR(dns_message_gettemprdata(msg, &rdata));
-	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
-	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
-				    dns_rdatatype_sig /* SIG(0) */,
-				    &sig, dynbuf));
-
-	isc_mem_put(mctx, sig.signature, sig.siglen);
-	signeedsfree = ISC_FALSE;
-
-	dns_message_takebuffer(msg, &dynbuf);
-
-	datalist = NULL;
-	RETERR(dns_message_gettemprdatalist(msg, &datalist));
-	datalist->rdclass = dns_rdataclass_any;
-	datalist->type = dns_rdatatype_sig;	/* SIG(0) */
-	datalist->covers = 0;
-	datalist->ttl = 0;
-	ISC_LIST_INIT(datalist->rdata);
-	ISC_LIST_APPEND(datalist->rdata, rdata, link);
-	dataset = NULL;
-	RETERR(dns_message_gettemprdataset(msg, &dataset));
-	dns_rdataset_init(dataset);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) == ISC_R_SUCCESS);
-	msg->sig0 = dataset;
-
-	return (ISC_R_SUCCESS);
-
-failure:
-	if (dynbuf != NULL)
-		isc_buffer_free(&dynbuf);
-	if (signeedsfree)
-		isc_mem_put(mctx, sig.signature, sig.siglen);
-	if (ctx != NULL)
-		dst_context_destroy(&ctx);
-
-	return (result);
-}
-
-isc_result_t
-dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
-			 dst_key_t *key)
-{
-	dns_rdata_sig_t sig;	/* SIG(0) */
-	unsigned char header[DNS_MESSAGE_HEADERLEN];
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_region_t r, source_r, sig_r, header_r;
-	isc_stdtime_t now;
-	dst_context_t *ctx = NULL;
-	isc_mem_t *mctx;
-	isc_result_t result;
-	isc_uint16_t addcount;
-	isc_boolean_t signeedsfree = ISC_FALSE;
-
-	REQUIRE(source != NULL);
-	REQUIRE(msg != NULL);
-	REQUIRE(key != NULL);
-
-	mctx = msg->mctx;
-
-	msg->verify_attempted = 1;
-
-	if (is_response(msg)) {
-		if (msg->query.base == NULL)
-			return (DNS_R_UNEXPECTEDTSIG);
-	}
-
-	isc_buffer_usedregion(source, &source_r);
-
-	RETERR(dns_rdataset_first(msg->sig0));
-	dns_rdataset_current(msg->sig0, &rdata);
-
-	RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
-	signeedsfree = ISC_TRUE;
-
-	if (sig.labels != 0) {
-		result = DNS_R_SIGINVALID;
-		goto failure;
-	}
-
-	if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
-		result = DNS_R_SIGINVALID;
-		msg->sig0status = dns_tsigerror_badtime;
-		goto failure;
-	}
-
-	isc_stdtime_get(&now);
-	if (isc_serial_lt((isc_uint32_t)now, sig.timesigned)) {
-		result = DNS_R_SIGFUTURE;
-		msg->sig0status = dns_tsigerror_badtime;
-		goto failure;
-	}
-	else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now)) {
-		result = DNS_R_SIGEXPIRED;
-		msg->sig0status = dns_tsigerror_badtime;
-		goto failure;
-	}
-
-	if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
-		result = DNS_R_SIGINVALID;
-		msg->sig0status = dns_tsigerror_badkey;
-		goto failure;
-	}
-
-	RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
-
-	/*
-	 * Digest the SIG(0) record, except for the signature.
-	 */
-	dns_rdata_toregion(&rdata, &r);
-	r.length -= sig.siglen;
-	RETERR(dst_context_adddata(ctx, &r));
-
-	/*
-	 * If this is a response, digest the query.
-	 */
-	if (is_response(msg))
-		RETERR(dst_context_adddata(ctx, &msg->query));
-
-	/*
-	 * Extract the header.
-	 */
-	memcpy(header, source_r.base, DNS_MESSAGE_HEADERLEN);
-
-	/*
-	 * Decrement the additional field counter.
-	 */
-	memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
-	addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
-	memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
-
-	/*
-	 * Digest the modified header.
-	 */
-	header_r.base = (unsigned char *) header;
-	header_r.length = DNS_MESSAGE_HEADERLEN;
-	RETERR(dst_context_adddata(ctx, &header_r));
-
-	/*
-	 * Digest all non-SIG(0) records.
-	 */
-	r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
-	r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
-	RETERR(dst_context_adddata(ctx, &r));
-
-	sig_r.base = sig.signature;
-	sig_r.length = sig.siglen;
-	result = dst_context_verify(ctx, &sig_r);
-	if (result != ISC_R_SUCCESS) {
-		msg->sig0status = dns_tsigerror_badsig;
-		goto failure;
-	}
-
-	msg->verified_sig = 1;
-
-	dst_context_destroy(&ctx);
-	dns_rdata_freestruct(&sig);
-
-	return (ISC_R_SUCCESS);
-
-failure:
-	if (signeedsfree)
-		dns_rdata_freestruct(&sig);
-	if (ctx != NULL)
-		dst_context_destroy(&ctx);
-
-	return (result);
-}
-
-/*%
- * Does this key ('rdata') self sign the rrset ('rdataset')?
- */
-isc_boolean_t
-dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
-		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		     isc_boolean_t ignoretime, isc_mem_t *mctx)
-{
-	INSIST(rdataset->type == dns_rdatatype_key ||
-	       rdataset->type == dns_rdatatype_dnskey);
-	if (rdataset->type == dns_rdatatype_key) {
-		INSIST(sigrdataset->type == dns_rdatatype_sig);
-		INSIST(sigrdataset->covers == dns_rdatatype_key);
-	} else {
-		INSIST(sigrdataset->type == dns_rdatatype_rrsig);
-		INSIST(sigrdataset->covers == dns_rdatatype_dnskey);
-	}
-
-	return (dns_dnssec_signs(rdata, name, rdataset, sigrdataset,
-				 ignoretime, mctx));
-
-}
-
-isc_boolean_t
-dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name,
-		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		     isc_boolean_t ignoretime, isc_mem_t *mctx)
-{
-	dst_key_t *dstkey = NULL;
-	dns_keytag_t keytag;
-	dns_rdata_dnskey_t key;
-	dns_rdata_rrsig_t sig;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	isc_result_t result;
-
-	INSIST(sigrdataset->type == dns_rdatatype_rrsig);
-	if (sigrdataset->covers != rdataset->type)
-		return (ISC_FALSE);
-
-	result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-	result = dns_rdata_tostruct(rdata, &key, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	keytag = dst_key_id(dstkey);
-	for (result = dns_rdataset_first(sigrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(sigrdataset))
-	{
-		dns_rdata_reset(&sigrdata);
-		dns_rdataset_current(sigrdataset, &sigrdata);
-		result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (sig.algorithm == key.algorithm &&
-		    sig.keyid == keytag) {
-			result = dns_dnssec_verify2(name, rdataset, dstkey,
-						    ignoretime, mctx,
-						    &sigrdata, NULL);
-			if (result == ISC_R_SUCCESS) {
-				dst_key_free(&dstkey);
-				return (ISC_TRUE);
-			}
-		}
-	}
-	dst_key_free(&dstkey);
-	return (ISC_FALSE);
-}
-
-isc_result_t
-dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
-		     dns_dnsseckey_t **dkp)
-{
-	isc_result_t result;
-	dns_dnsseckey_t *dk;
-	int major, minor;
-
-	REQUIRE(dkp != NULL && *dkp == NULL);
-	dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t));
-	if (dk == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dk->key = *dstkey;
-	*dstkey = NULL;
-	dk->force_publish = ISC_FALSE;
-	dk->force_sign = ISC_FALSE;
-	dk->hint_publish = ISC_FALSE;
-	dk->hint_sign = ISC_FALSE;
-	dk->hint_remove = ISC_FALSE;
-	dk->first_sign = ISC_FALSE;
-	dk->is_active = ISC_FALSE;
-	dk->prepublish = 0;
-	dk->source = dns_keysource_unknown;
-	dk->index = 0;
-
-	/* KSK or ZSK? */
-	dk->ksk = ISC_TF((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) != 0);
-
-	/* Is this an old-style key? */
-	result = dst_key_getprivateformat(dk->key, &major, &minor);
-	INSIST(result == ISC_R_SUCCESS);
-
-	/* Smart signing started with key format 1.3 */
-	dk->legacy = ISC_TF(major == 1 && minor <= 2);
-
-	ISC_LINK_INIT(dk, link);
-	*dkp = dk;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
-	dns_dnsseckey_t *dk;
-
-	REQUIRE(dkp != NULL && *dkp != NULL);
-	dk = *dkp;
-	if (dk->key != NULL)
-		dst_key_free(&dk->key);
-	isc_mem_put(mctx, dk, sizeof(dns_dnsseckey_t));
-	*dkp = NULL;
-}
-
-static void
-get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
-	isc_result_t result;
-	isc_stdtime_t publish, active, revoke, inactive, delete;
-	isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
-	isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
-	isc_boolean_t delset = ISC_FALSE;
-
-	REQUIRE(key != NULL && key->key != NULL);
-
-	result = dst_key_gettime(key->key, DST_TIME_PUBLISH, &publish);
-	if (result == ISC_R_SUCCESS)
-		pubset = ISC_TRUE;
-
-	result = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
-	if (result == ISC_R_SUCCESS)
-		actset = ISC_TRUE;
-
-	result = dst_key_gettime(key->key, DST_TIME_REVOKE, &revoke);
-	if (result == ISC_R_SUCCESS)
-		revset = ISC_TRUE;
-
-	result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &inactive);
-	if (result == ISC_R_SUCCESS)
-		inactset = ISC_TRUE;
-
-	result = dst_key_gettime(key->key, DST_TIME_DELETE, &delete);
-	if (result == ISC_R_SUCCESS)
-		delset = ISC_TRUE;
-
-	/* Metadata says publish (but possibly not activate) */
-	if (pubset && publish <= now)
-		key->hint_publish = ISC_TRUE;
-
-	/* Metadata says activate (so we must also publish) */
-	if (actset && active <= now) {
-		key->hint_sign = ISC_TRUE;
-		key->hint_publish = ISC_TRUE;
-	}
-
-	/*
-	 * Activation date is set (maybe in the future), but
-	 * publication date isn't. Most likely the user wants to
-	 * publish now and activate later.
-	 */
-	if (actset && !pubset)
-		key->hint_publish = ISC_TRUE;
-
-	/*
-	 * If activation date is in the future, make note of how far off
-	 */
-	if (key->hint_publish && actset && active > now) {
-		key->prepublish = active - now;
-	}
-
-	/*
-	 * Key has been marked inactive: we can continue publishing,
-	 * but don't sign.
-	 */
-	if (key->hint_publish && inactset && inactive <= now) {
-		key->hint_sign = ISC_FALSE;
-	}
-
-	/*
-	 * Metadata says revoke.  If the key is published,
-	 * we *have to* sign with it per RFC5011--even if it was
-	 * not active before.
-	 *
-	 * If it hasn't already been done, we should also revoke it now.
-	 */
-	if (key->hint_publish && (revset && revoke <= now)) {
-		isc_uint32_t flags;
-		key->hint_sign = ISC_TRUE;
-		flags = dst_key_flags(key->key);
-		if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
-			flags |= DNS_KEYFLAG_REVOKE;
-			dst_key_setflags(key->key, flags);
-		}
-	}
-
-	/*
-	 * Metadata says delete, so don't publish this key or sign with it.
-	 */
-	if (delset && delete <= now) {
-		key->hint_publish = ISC_FALSE;
-		key->hint_sign = ISC_FALSE;
-		key->hint_remove = ISC_TRUE;
-	}
-}
-
-/*%
- * Get a list of DNSSEC keys from the key repository
- */
-isc_result_t
-dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
-			    isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t dir_open = ISC_FALSE;
-	dns_dnsseckeylist_t list;
-	isc_dir_t dir;
-	dns_dnsseckey_t *key = NULL;
-	dst_key_t *dstkey = NULL;
-	char namebuf[DNS_NAME_FORMATSIZE], *p;
-	isc_buffer_t b;
-	unsigned int len;
-	isc_stdtime_t now;
-
-	REQUIRE(keylist != NULL);
-	ISC_LIST_INIT(list);
-	isc_dir_init(&dir);
-
-	isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1);
-	RETERR(dns_name_tofilenametext(origin, ISC_FALSE, &b));
-	len = isc_buffer_usedlength(&b);
-	namebuf[len] = '\0';
-
-	if (directory == NULL)
-		directory = ".";
-	RETERR(isc_dir_open(&dir, directory));
-	dir_open = ISC_TRUE;
-
-	isc_stdtime_get(&now);
-
-	while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
-		if (dir.entry.name[0] == 'K' &&
-		    dir.entry.length > len + 1 &&
-		    dir.entry.name[len + 1] == '+' &&
-		    strncasecmp(dir.entry.name + 1, namebuf, len) == 0) {
-			p = strrchr(dir.entry.name, '.');
-			if (p != NULL && strcmp(p, ".private") != 0)
-				continue;
-
-			dstkey = NULL;
-			result = dst_key_fromnamedfile(dir.entry.name,
-						       directory,
-						       DST_TYPE_PUBLIC |
-						       DST_TYPE_PRIVATE,
-						       mctx, &dstkey);
-
-			if (result != ISC_R_SUCCESS) {
-				isc_log_write(dns_lctx,
-					      DNS_LOGCATEGORY_GENERAL,
-					      DNS_LOGMODULE_DNSSEC,
-					      ISC_LOG_WARNING,
-					      "dns_dnssec_findmatchingkeys: "
-					      "error reading key file %s: %s",
-					      dir.entry.name,
-					      isc_result_totext(result));
-				continue;
-			}
-
-			RETERR(dns_dnsseckey_create(mctx, &dstkey, &key));
-			key->source = dns_keysource_repository;
-			get_hints(key, now);
-
-			if (key->legacy) {
-				dns_dnsseckey_destroy(mctx, &key);
-			} else {
-				ISC_LIST_APPEND(list, key, link);
-				key = NULL;
-			}
-		}
-	}
-
-	if (!ISC_LIST_EMPTY(list))
-		ISC_LIST_APPENDLIST(*keylist, list, link);
-	else
-		result = ISC_R_NOTFOUND;
-
- failure:
-	if (dir_open)
-		isc_dir_close(&dir);
-	INSIST(key == NULL);
-	while ((key = ISC_LIST_HEAD(list)) != NULL) {
-		ISC_LIST_UNLINK(list, key, link);
-		INSIST(key->key != NULL);
-		dst_key_free(&key->key);
-		dns_dnsseckey_destroy(mctx, &key);
-	}
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-	return (result);
-}
-
-/*%
- * Add 'newkey' to 'keylist' if it's not already there.
- *
- * If 'savekeys' is ISC_TRUE, then we need to preserve all
- * the keys in the keyset, regardless of whether they have
- * metadata indicating they should be deactivated or removed.
- */
-static isc_result_t
-addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
-       isc_boolean_t savekeys, isc_mem_t *mctx)
-{
-	dns_dnsseckey_t *key;
-	isc_result_t result;
-
-	/* Skip duplicates */
-	for (key = ISC_LIST_HEAD(*keylist);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link)) {
-		if (dst_key_id(key->key) == dst_key_id(*newkey) &&
-		    dst_key_alg(key->key) == dst_key_alg(*newkey) &&
-		    dns_name_equal(dst_key_name(key->key),
-				   dst_key_name(*newkey)))
-			break;
-	}
-
-	if (key != NULL) {
-		/*
-		 * Found a match.  If the old key was only public and the
-		 * new key is private, replace the old one; otherwise
-		 * leave it.  But either way, mark the key as having
-		 * been found in the zone.
-		 */
-		if (dst_key_isprivate(key->key)) {
-			dst_key_free(newkey);
-		} else if (dst_key_isprivate(*newkey)) {
-			dst_key_free(&key->key);
-			key->key = *newkey;
-		}
-
-		key->source = dns_keysource_zoneapex;
-		return (ISC_R_SUCCESS);
-	}
-
-	result = dns_dnsseckey_create(mctx, newkey, &key);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (key->legacy || savekeys) {
-		key->force_publish = ISC_TRUE;
-		key->force_sign = dst_key_isprivate(key->key);
-	}
-	key->source = dns_keysource_zoneapex;
-	ISC_LIST_APPEND(*keylist, key, link);
-	*newkey = NULL;
-	return (ISC_R_SUCCESS);
-}
-
-
-/*%
- * Mark all keys which signed the DNSKEY/SOA RRsets as "active",
- * for future reference.
- */
-static isc_result_t
-mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) {
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t sigs;
-	dns_dnsseckey_t *key;
-
-	REQUIRE(rrsigs != NULL && dns_rdataset_isassociated(rrsigs));
-
-	dns_rdataset_init(&sigs);
-	dns_rdataset_clone(rrsigs, &sigs);
-	for (key = ISC_LIST_HEAD(*keylist);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link)) {
-		isc_uint16_t keyid, sigid;
-		dns_secalg_t keyalg, sigalg;
-		keyid = dst_key_id(key->key);
-		keyalg = dst_key_alg(key->key);
-
-		for (result = dns_rdataset_first(&sigs);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&sigs)) {
-			dns_rdata_rrsig_t sig;
-
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&sigs, &rdata);
-			result = dns_rdata_tostruct(&rdata, &sig, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			sigalg = sig.algorithm;
-			sigid = sig.keyid;
-			if (keyid == sigid && keyalg == sigalg) {
-				key->is_active = ISC_TRUE;
-				break;
-			}
-		}
-	}
-
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	if (dns_rdataset_isassociated(&sigs))
-		dns_rdataset_disassociate(&sigs);
-	return (result);
-}
-
-/*%
- * Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
- */
-isc_result_t
-dns_dnssec_keylistfromrdataset(dns_name_t *origin,
-			       const char *directory, isc_mem_t *mctx,
-			       dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
-			       dns_rdataset_t *soasigs, isc_boolean_t savekeys,
-			       isc_boolean_t public,
-			       dns_dnsseckeylist_t *keylist)
-{
-	dns_rdataset_t keys;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dst_key_t *pubkey = NULL, *privkey = NULL;
-	isc_result_t result;
-
-	REQUIRE(keyset != NULL && dns_rdataset_isassociated(keyset));
-
-	dns_rdataset_init(&keys);
-
-	dns_rdataset_clone(keyset, &keys);
-	for (result = dns_rdataset_first(&keys);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&keys)) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(&keys, &rdata);
-		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
-		dst_key_setttl(pubkey, keys.ttl);
-
-		if (!is_zone_key(pubkey) ||
-		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
-			goto skip;
-
-		/* Corrupted .key file? */
-		if (!dns_name_equal(origin, dst_key_name(pubkey)))
-			goto skip;
-
-		if (public) {
-			RETERR(addkey(keylist, &pubkey, savekeys, mctx));
-			goto skip;
-		}
-
-		result = dst_key_fromfile(dst_key_name(pubkey),
-					  dst_key_id(pubkey),
-					  dst_key_alg(pubkey),
-					  DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
-					  directory, mctx, &privkey);
-
-		/*
-		 * If the key was revoked and the private file
-		 * doesn't exist, maybe it was revoked internally
-		 * by named.  Try loading the unrevoked version.
-		 */
-		if (result == ISC_R_FILENOTFOUND) {
-			isc_uint32_t flags;
-			flags = dst_key_flags(pubkey);
-			if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
-				dst_key_setflags(pubkey,
-						 flags & ~DNS_KEYFLAG_REVOKE);
-				result = dst_key_fromfile(dst_key_name(pubkey),
-							  dst_key_id(pubkey),
-							  dst_key_alg(pubkey),
-							  DST_TYPE_PUBLIC|
-							  DST_TYPE_PRIVATE,
-							  directory,
-							  mctx, &privkey);
-				if (result == ISC_R_SUCCESS &&
-				    dst_key_pubcompare(pubkey, privkey,
-						       ISC_FALSE)) {
-					dst_key_setflags(privkey, flags);
-				}
-				dst_key_setflags(pubkey, flags);
-			}
-		}
-
-		if (result != ISC_R_SUCCESS) {
-			char keybuf[DNS_NAME_FORMATSIZE];
-			char algbuf[DNS_SECALG_FORMATSIZE];
-			dns_name_format(dst_key_name(pubkey), keybuf,
-					sizeof(keybuf));
-			dns_secalg_format(dst_key_alg(pubkey), algbuf,
-					  sizeof(algbuf));
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
-				      "dns_dnssec_keylistfromrdataset: error "
-				      "reading private key file %s/%s/%d: %s",
-				      keybuf, algbuf, dst_key_id(pubkey),
-				      isc_result_totext(result));
-		}
-
-		if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
-			RETERR(addkey(keylist, &pubkey, savekeys, mctx));
-			goto skip;
-		}
-		RETERR(result);
-
-		/* This should never happen. */
-		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
-			goto skip;
-
-		/*
-		 * Whatever the key's default TTL may have
-		 * been, the rdataset TTL takes priority.
-		 */
-		dst_key_setttl(privkey, dst_key_getttl(pubkey));
-
-		RETERR(addkey(keylist, &privkey, savekeys, mctx));
- skip:
-		if (pubkey != NULL)
-			dst_key_free(&pubkey);
-		if (privkey != NULL)
-			dst_key_free(&privkey);
-	}
-
-	if (result != ISC_R_NOMORE)
-		RETERR(result);
-
-	if (keysigs != NULL && dns_rdataset_isassociated(keysigs))
-		RETERR(mark_active_keys(keylist, keysigs));
-
-	if (soasigs != NULL && dns_rdataset_isassociated(soasigs))
-		RETERR(mark_active_keys(keylist, soasigs));
-
-	result = ISC_R_SUCCESS;
-
- failure:
-	if (dns_rdataset_isassociated(&keys))
-		dns_rdataset_disassociate(&keys);
-	if (pubkey != NULL)
-		dst_key_free(&pubkey);
-	if (privkey != NULL)
-		dst_key_free(&privkey);
-	return (result);
-}
-
-static isc_result_t
-make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
-	    dns_rdata_t *target)
-{
-	isc_result_t result;
-	isc_buffer_t b;
-	isc_region_t r;
-
-	isc_buffer_init(&b, buf, bufsize);
-	result = dst_key_todns(key, &b);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_rdata_reset(target);
-	isc_buffer_usedregion(&b, &r);
-	dns_rdata_fromregion(target, dst_key_class(key),
-			     dns_rdatatype_dnskey, &r);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
-	    dns_ttl_t ttl, isc_mem_t *mctx, isc_boolean_t allzsk,
-	    void (*report)(const char *, ...))
-{
-	isc_result_t result;
-	dns_difftuple_t *tuple = NULL;
-	unsigned char buf[DST_KEY_MAXSIZE];
-	dns_rdata_t dnskey = DNS_RDATA_INIT;
-	char alg[80];
-
-	dns_rdata_reset(&dnskey);
-	RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
-
-	dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
-	report("Fetching %s %d/%s from key %s.",
-	       key->ksk ?  (allzsk ?  "KSK/ZSK" : "KSK") : "ZSK",
-	       dst_key_id(key->key), alg,
-	       key->source == dns_keysource_user ?  "file" : "repository");
-
-	if (key->prepublish && ttl > key->prepublish) {
-		char keystr[DST_KEY_FORMATSIZE];
-		isc_stdtime_t now;
-
-		dst_key_format(key->key, keystr, sizeof(keystr));
-		report("Key %s: Delaying activation to match the DNSKEY TTL.\n",
-		       keystr, ttl);
-
-		isc_stdtime_get(&now);
-		dst_key_settime(key->key, DST_TIME_ACTIVATE, now + ttl);
-	}
-
-	/* publish key */
-	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl,
-				    &dnskey, &tuple));
-	dns_diff_appendminimal(diff, &tuple);
-	result = ISC_R_SUCCESS;
-
- failure:
-	return (result);
-}
-
-static isc_result_t
-remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
-	  dns_ttl_t ttl, isc_mem_t *mctx, const char *reason,
-	  void (*report)(const char *, ...))
-{
-	isc_result_t result;
-	dns_difftuple_t *tuple = NULL;
-	unsigned char buf[DST_KEY_MAXSIZE];
-	dns_rdata_t dnskey = DNS_RDATA_INIT;
-	char alg[80];
-
-	dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
-	report("Removing %s key %d/%s from DNSKEY RRset.",
-	       reason, dst_key_id(key->key), alg);
-
-	RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
-	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, &dnskey,
-				    &tuple));
-	dns_diff_appendminimal(diff, &tuple);
-	result = ISC_R_SUCCESS;
-
- failure:
-	return (result);
-}
-
-/*
- * Update 'keys' with information from 'newkeys'.
- *
- * If 'removed' is not NULL, any keys that are being removed from
- * the zone will be added to the list for post-removal processing.
- */
-isc_result_t
-dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
-		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
-		      dns_ttl_t hint_ttl, dns_diff_t *diff,
-		      isc_boolean_t allzsk, isc_mem_t *mctx,
-		      void (*report)(const char *, ...))
-{
-	isc_result_t result;
-	dns_dnsseckey_t *key, *key1, *key2, *next;
-	isc_boolean_t found_ttl = ISC_FALSE;
-	dns_ttl_t ttl = hint_ttl;
-
-	/*
-	 * First, look through the existing key list to find keys
-	 * supplied from the command line which are not in the zone.
-	 * Update the zone to include them.
-	 *
-	 * Also, if there are keys published in the zone already,
-	 * use their TTL for all subsequent published keys.
-	 */
-	for (key = ISC_LIST_HEAD(*keys);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link)) {
-		if (key->source == dns_keysource_user &&
-		    (key->hint_publish || key->force_publish)) {
-			RETERR(publish_key(diff, key, origin, ttl,
-					   mctx, allzsk, report));
-		}
-		if (key->source == dns_keysource_zoneapex) {
-			ttl = dst_key_getttl(key->key);
-			found_ttl = ISC_TRUE;
-		}
-	}
-
-	/*
-	 * If there were no existing keys, use the smallest nonzero
-	 * TTL of the keys found in the repository.
-	 */
-	if (!found_ttl && !ISC_LIST_EMPTY(*newkeys)) {
-		dns_ttl_t shortest = 0;
-
-		for (key = ISC_LIST_HEAD(*newkeys);
-		     key != NULL;
-		     key = ISC_LIST_NEXT(key, link)) {
-			dns_ttl_t thisttl = dst_key_getttl(key->key);
-			if (thisttl != 0 &&
-			    (shortest == 0 || thisttl < shortest))
-				shortest = thisttl;
-		}
-
-		if (shortest != 0)
-			ttl = shortest;
-	}
-
-	/*
-	 * Second, scan the list of newly found keys looking for matches
-	 * with known keys, and update accordingly.
-	 */
-	for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
-		isc_boolean_t key_revoked = ISC_FALSE;
-
-		next = ISC_LIST_NEXT(key1, link);
-
-		for (key2 = ISC_LIST_HEAD(*keys);
-		     key2 != NULL;
-		     key2 = ISC_LIST_NEXT(key2, link)) {
-			if (dst_key_pubcompare(key1->key, key2->key,
-					       ISC_TRUE)) {
-				int r1, r2;
-				r1 = dst_key_flags(key1->key) &
-					DNS_KEYFLAG_REVOKE;
-				r2 = dst_key_flags(key2->key) &
-					DNS_KEYFLAG_REVOKE;
-				key_revoked = ISC_TF(r1 != r2);
-				break;
-			}
-		}
-
-		/* No match found in keys; add the new key. */
-		if (key2 == NULL) {
-			ISC_LIST_UNLINK(*newkeys, key1, link);
-			ISC_LIST_APPEND(*keys, key1, link);
-
-			if (key1->source != dns_keysource_zoneapex &&
-			    (key1->hint_publish || key1->force_publish)) {
-				RETERR(publish_key(diff, key1, origin, ttl,
-						   mctx, allzsk, report));
-				if (key1->hint_sign || key1->force_sign)
-					key1->first_sign = ISC_TRUE;
-			}
-
-			continue;
-		}
-
-		/* Match found: remove or update it as needed */
-		if (key1->hint_remove) {
-			RETERR(remove_key(diff, key2, origin, ttl, mctx,
-					  "expired", report));
-			ISC_LIST_UNLINK(*keys, key2, link);
-			if (removed != NULL)
-				ISC_LIST_APPEND(*removed, key2, link);
-			else
-				dns_dnsseckey_destroy(mctx, &key2);
-		} else if (key_revoked &&
-			 (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) {
-
-			/*
-			 * A previously valid key has been revoked.
-			 * We need to remove the old version and pull
-			 * in the new one.
-			 */
-			RETERR(remove_key(diff, key2, origin, ttl, mctx,
-					  "revoked", report));
-			ISC_LIST_UNLINK(*keys, key2, link);
-			if (removed != NULL)
-				ISC_LIST_APPEND(*removed, key2, link);
-			else
-				dns_dnsseckey_destroy(mctx, &key2);
-
-			RETERR(publish_key(diff, key1, origin, ttl,
-					   mctx, allzsk, report));
-			ISC_LIST_UNLINK(*newkeys, key1, link);
-			ISC_LIST_APPEND(*keys, key1, link);
-
-			/*
-			 * XXX: The revoke flag is only defined for trust
-			 * anchors.  Setting the flag on a non-KSK is legal,
-			 * but not defined in any RFC.  It seems reasonable
-			 * to treat it the same as a KSK: keep it in the
-			 * zone, sign the DNSKEY set with it, but not
-			 * sign other records with it.
-			 */
-			key1->ksk = ISC_TRUE;
-			continue;
-		} else {
-			if (!key2->is_active &&
-			    (key1->hint_sign || key1->force_sign))
-				key2->first_sign = ISC_TRUE;
-			key2->hint_sign = key1->hint_sign;
-			key2->hint_publish = key1->hint_publish;
-		}
-	}
-
-	/* Free any leftover keys in newkeys */
-	while (!ISC_LIST_EMPTY(*newkeys)) {
-		key1 = ISC_LIST_HEAD(*newkeys);
-		ISC_LIST_UNLINK(*newkeys, key1, link);
-		dns_dnsseckey_destroy(mctx, &key1);
-	}
-
-	result = ISC_R_SUCCESS;
-
- failure:
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/ds.c b/contrib/bind9/lib/dns/ds.c
deleted file mode 100644
index e72ecbb..0000000
--- a/contrib/bind9/lib/dns/ds.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ds.c,v 1.13 2010/12/23 23:47:08 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/region.h>
-#include <isc/sha1.h>
-#include <isc/sha2.h>
-#include <isc/util.h>
-
-#include <dns/ds.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-
-#include <dst/dst.h>
-
-#ifdef HAVE_OPENSSL_GOST
-#include <dst/result.h>
-#include <openssl/evp.h>
-
-extern const EVP_MD * EVP_gost(void);
-#endif
-
-isc_result_t
-dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
-		  unsigned int digest_type, unsigned char *buffer,
-		  dns_rdata_t *rdata)
-{
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	unsigned char digest[ISC_SHA384_DIGESTLENGTH];
-	isc_region_t r;
-	isc_buffer_t b;
-	dns_rdata_ds_t ds;
-	isc_sha1_t sha1;
-	isc_sha256_t sha256;
-	isc_sha384_t sha384;
-#ifdef HAVE_OPENSSL_GOST
-	EVP_MD_CTX ctx;
-	const EVP_MD *md;
-#endif
-
-	REQUIRE(key != NULL);
-	REQUIRE(key->type == dns_rdatatype_dnskey);
-
-	if (!dns_ds_digest_supported(digest_type))
-		return (ISC_R_NOTIMPLEMENTED);
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	(void)dns_name_downcase(owner, name, NULL);
-
-	memset(buffer, 0, DNS_DS_BUFFERSIZE);
-	isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE);
-
-	switch (digest_type) {
-	case DNS_DSDIGEST_SHA1:
-		isc_sha1_init(&sha1);
-		dns_name_toregion(name, &r);
-		isc_sha1_update(&sha1, r.base, r.length);
-		dns_rdata_toregion(key, &r);
-		INSIST(r.length >= 4);
-		isc_sha1_update(&sha1, r.base, r.length);
-		isc_sha1_final(&sha1, digest);
-		break;
-
-#ifdef HAVE_OPENSSL_GOST
-#define CHECK(x)					\
-	if ((x) != 1) {					\
-		EVP_MD_CTX_cleanup(&ctx);		\
-		return (DST_R_CRYPTOFAILURE);		\
-	}
-
-	case DNS_DSDIGEST_GOST:
-		md = EVP_gost();
-		if (md == NULL)
-			return (DST_R_CRYPTOFAILURE);
-		EVP_MD_CTX_init(&ctx);
-		CHECK(EVP_DigestInit(&ctx, md));
-		dns_name_toregion(name, &r);
-		CHECK(EVP_DigestUpdate(&ctx,
-				       (const void *) r.base,
-				       (size_t) r.length));
-		dns_rdata_toregion(key, &r);
-		INSIST(r.length >= 4);
-		CHECK(EVP_DigestUpdate(&ctx,
-				       (const void *) r.base,
-				       (size_t) r.length));
-		CHECK(EVP_DigestFinal(&ctx, digest, NULL));
-		break;
-#endif
-
-	case DNS_DSDIGEST_SHA384:
-		isc_sha384_init(&sha384);
-		dns_name_toregion(name, &r);
-		isc_sha384_update(&sha384, r.base, r.length);
-		dns_rdata_toregion(key, &r);
-		INSIST(r.length >= 4);
-		isc_sha384_update(&sha384, r.base, r.length);
-		isc_sha384_final(digest, &sha384);
-		break;
-
-	case DNS_DSDIGEST_SHA256:
-	default:
-		isc_sha256_init(&sha256);
-		dns_name_toregion(name, &r);
-		isc_sha256_update(&sha256, r.base, r.length);
-		dns_rdata_toregion(key, &r);
-		INSIST(r.length >= 4);
-		isc_sha256_update(&sha256, r.base, r.length);
-		isc_sha256_final(digest, &sha256);
-		break;
-	}
-
-	ds.mctx = NULL;
-	ds.common.rdclass = key->rdclass;
-	ds.common.rdtype = dns_rdatatype_ds;
-	ds.algorithm = r.base[3];
-	ds.key_tag = dst_region_computeid(&r, ds.algorithm);
-	ds.digest_type = digest_type;
-	switch (digest_type) {
-	case DNS_DSDIGEST_SHA1:
-		ds.length = ISC_SHA1_DIGESTLENGTH;
-		break;
-
-#ifdef HAVE_OPENSSL_GOST
-	case DNS_DSDIGEST_GOST:
-		ds.length = ISC_GOST_DIGESTLENGTH;
-		break;
-#endif
-
-	case DNS_DSDIGEST_SHA384:
-		ds.length = ISC_SHA384_DIGESTLENGTH;
-		break;
-
-	case DNS_DSDIGEST_SHA256:
-	default:
-		ds.length = ISC_SHA256_DIGESTLENGTH;
-		break;
-	}
-	ds.digest = digest;
-
-	return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
-				     &ds, &b));
-}
-
-isc_boolean_t
-dns_ds_digest_supported(unsigned int digest_type) {
-#ifdef HAVE_OPENSSL_GOST
-	return  (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
-			digest_type == DNS_DSDIGEST_SHA256 ||
-			digest_type == DNS_DSDIGEST_GOST ||
-			digest_type == DNS_DSDIGEST_SHA384));
-#else
-	return  (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
-			digest_type == DNS_DSDIGEST_SHA256 ||
-			digest_type == DNS_DSDIGEST_SHA384));
-#endif
-}
diff --git a/contrib/bind9/lib/dns/dst_api.c b/contrib/bind9/lib/dns/dst_api.c
deleted file mode 100644
index 9860724..0000000
--- a/contrib/bind9/lib/dns/dst_api.c
+++ /dev/null
@@ -1,1862 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.65 2011/10/20 21:20:02 marka Exp $
- */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <time.h>
-
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/fsaccess.h>
-#include <isc/hmacsha.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/refcount.h>
-#include <isc/random.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-#include <isc/file.h>
-
-#define DST_KEY_INTERNAL
-
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/ttl.h>
-#include <dns/types.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-
-#define DST_AS_STR(t) ((t).value.as_textregion.base)
-
-static dst_func_t *dst_t_func[DST_MAX_ALGS];
-#ifdef BIND9
-static isc_entropy_t *dst_entropy_pool = NULL;
-#endif
-static unsigned int dst_entropy_flags = 0;
-static isc_boolean_t dst_initialized = ISC_FALSE;
-
-void gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
-
-isc_mem_t *dst__memory_pool = NULL;
-
-/*
- * Static functions.
- */
-static dst_key_t *	get_key_struct(dns_name_t *name,
-				       unsigned int alg,
-				       unsigned int flags,
-				       unsigned int protocol,
-				       unsigned int bits,
-				       dns_rdataclass_t rdclass,
-				       dns_ttl_t ttl,
-				       isc_mem_t *mctx);
-static isc_result_t	write_public_key(const dst_key_t *key, int type,
-					 const char *directory);
-static isc_result_t	buildfilename(dns_name_t *name,
-				      dns_keytag_t id,
-				      unsigned int alg,
-				      unsigned int type,
-				      const char *directory,
-				      isc_buffer_t *out);
-static isc_result_t	computeid(dst_key_t *key);
-static isc_result_t	frombuffer(dns_name_t *name,
-				   unsigned int alg,
-				   unsigned int flags,
-				   unsigned int protocol,
-				   dns_rdataclass_t rdclass,
-				   isc_buffer_t *source,
-				   isc_mem_t *mctx,
-				   dst_key_t **keyp);
-
-static isc_result_t	algorithm_status(unsigned int alg);
-
-static isc_result_t	addsuffix(char *filename, int len,
-				  const char *dirname, const char *ofilename,
-				  const char *suffix);
-
-#define RETERR(x)				\
-	do {					\
-		result = (x);			\
-		if (result != ISC_R_SUCCESS)	\
-			goto out;		\
-	} while (0)
-
-#define CHECKALG(alg)				\
-	do {					\
-		isc_result_t _r;		\
-		_r = algorithm_status(alg);	\
-		if (_r != ISC_R_SUCCESS)	\
-			return (_r);		\
-	} while (0);				\
-
-#if defined(OPENSSL) && defined(BIND9)
-static void *
-default_memalloc(void *arg, size_t size) {
-	UNUSED(arg);
-	if (size == 0U)
-		size = 1;
-	return (malloc(size));
-}
-
-static void
-default_memfree(void *arg, void *ptr) {
-	UNUSED(arg);
-	free(ptr);
-}
-#endif
-
-isc_result_t
-dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
-	return (dst_lib_init2(mctx, ectx, NULL, eflags));
-}
-
-isc_result_t
-dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
-	      const char *engine, unsigned int eflags) {
-	isc_result_t result;
-
-	REQUIRE(mctx != NULL);
-#ifdef BIND9
-	REQUIRE(ectx != NULL);
-#else
-	UNUSED(ectx);
-#endif
-	REQUIRE(dst_initialized == ISC_FALSE);
-
-#ifndef OPENSSL
-	UNUSED(engine);
-#endif
-
-	dst__memory_pool = NULL;
-
-#if defined(OPENSSL) && defined(BIND9)
-	UNUSED(mctx);
-	/*
-	 * When using --with-openssl, there seems to be no good way of not
-	 * leaking memory due to the openssl error handling mechanism.
-	 * Avoid assertions by using a local memory context and not checking
-	 * for leaks on exit.  Note: as there are leaks we cannot use
-	 * ISC_MEMFLAG_INTERNAL as it will free up memory still being used
-	 * by libcrypto.
-	 */
-	result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
-				  NULL, &dst__memory_pool, 0);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_mem_setname(dst__memory_pool, "dst", NULL);
-#ifndef OPENSSL_LEAKS
-	isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
-#endif
-#else
-	isc_mem_attach(mctx, &dst__memory_pool);
-#endif
-#ifdef BIND9
-	isc_entropy_attach(ectx, &dst_entropy_pool);
-#endif
-	dst_entropy_flags = eflags;
-
-	dst_result_register();
-
-	memset(dst_t_func, 0, sizeof(dst_t_func));
-	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
-	RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
-	RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
-	RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
-	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
-	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
-#ifdef OPENSSL
-	RETERR(dst__openssl_init(engine));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
-				    DST_ALG_RSAMD5));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
-				    DST_ALG_RSASHA1));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
-				    DST_ALG_NSEC3RSASHA1));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256],
-				    DST_ALG_RSASHA256));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
-				    DST_ALG_RSASHA512));
-#ifdef HAVE_OPENSSL_DSA
-	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
-	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
-#endif
-	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
-#ifdef HAVE_OPENSSL_GOST
-	RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST]));
-#endif
-#ifdef HAVE_OPENSSL_ECDSA
-	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
-	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
-#endif
-#endif /* OPENSSL */
-#ifdef GSSAPI
-	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
-#endif
-	dst_initialized = ISC_TRUE;
-	return (ISC_R_SUCCESS);
-
- out:
-	/* avoid immediate crash! */
-	dst_initialized = ISC_TRUE;
-	dst_lib_destroy();
-	return (result);
-}
-
-void
-dst_lib_destroy(void) {
-	int i;
-	RUNTIME_CHECK(dst_initialized == ISC_TRUE);
-	dst_initialized = ISC_FALSE;
-
-	for (i = 0; i < DST_MAX_ALGS; i++)
-		if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
-			dst_t_func[i]->cleanup();
-#ifdef OPENSSL
-	dst__openssl_destroy();
-#endif
-	if (dst__memory_pool != NULL)
-		isc_mem_detach(&dst__memory_pool);
-#ifdef BIND9
-	if (dst_entropy_pool != NULL)
-		isc_entropy_detach(&dst_entropy_pool);
-#endif
-}
-
-isc_boolean_t
-dst_algorithm_supported(unsigned int alg) {
-	REQUIRE(dst_initialized == ISC_TRUE);
-
-	if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-isc_result_t
-dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
-	return (dst_context_create2(key, mctx,
-				    DNS_LOGCATEGORY_GENERAL, dctxp));
-}
-
-isc_result_t
-dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
-		    isc_logcategory_t *category, dst_context_t **dctxp) {
-	dst_context_t *dctx;
-	isc_result_t result;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(mctx != NULL);
-	REQUIRE(dctxp != NULL && *dctxp == NULL);
-
-	if (key->func->createctx == NULL)
-		return (DST_R_UNSUPPORTEDALG);
-	if (key->keydata.generic == NULL)
-		return (DST_R_NULLKEY);
-
-	dctx = isc_mem_get(mctx, sizeof(dst_context_t));
-	if (dctx == NULL)
-		return (ISC_R_NOMEMORY);
-	dctx->key = key;
-	dctx->mctx = mctx;
-	dctx->category = category;
-	result = key->func->createctx(key, dctx);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, dctx, sizeof(dst_context_t));
-		return (result);
-	}
-	dctx->magic = CTX_MAGIC;
-	*dctxp = dctx;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dst_context_destroy(dst_context_t **dctxp) {
-	dst_context_t *dctx;
-
-	REQUIRE(dctxp != NULL && VALID_CTX(*dctxp));
-
-	dctx = *dctxp;
-	INSIST(dctx->key->func->destroyctx != NULL);
-	dctx->key->func->destroyctx(dctx);
-	dctx->magic = 0;
-	isc_mem_put(dctx->mctx, dctx, sizeof(dst_context_t));
-	*dctxp = NULL;
-}
-
-isc_result_t
-dst_context_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	REQUIRE(VALID_CTX(dctx));
-	REQUIRE(data != NULL);
-	INSIST(dctx->key->func->adddata != NULL);
-
-	return (dctx->key->func->adddata(dctx, data));
-}
-
-isc_result_t
-dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	dst_key_t *key;
-
-	REQUIRE(VALID_CTX(dctx));
-	REQUIRE(sig != NULL);
-
-	key = dctx->key;
-	CHECKALG(key->key_alg);
-	if (key->keydata.generic == NULL)
-		return (DST_R_NULLKEY);
-
-	if (key->func->sign == NULL)
-		return (DST_R_NOTPRIVATEKEY);
-	if (key->func->isprivate == NULL ||
-	    key->func->isprivate(key) == ISC_FALSE)
-		return (DST_R_NOTPRIVATEKEY);
-
-	return (key->func->sign(dctx, sig));
-}
-
-isc_result_t
-dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
-	REQUIRE(VALID_CTX(dctx));
-	REQUIRE(sig != NULL);
-
-	CHECKALG(dctx->key->key_alg);
-	if (dctx->key->keydata.generic == NULL)
-		return (DST_R_NULLKEY);
-	if (dctx->key->func->verify == NULL)
-		return (DST_R_NOTPUBLICKEY);
-
-	return (dctx->key->func->verify(dctx, sig));
-}
-
-isc_result_t
-dst_context_verify2(dst_context_t *dctx, unsigned int maxbits,
-		    isc_region_t *sig)
-{
-	REQUIRE(VALID_CTX(dctx));
-	REQUIRE(sig != NULL);
-
-	CHECKALG(dctx->key->key_alg);
-	if (dctx->key->keydata.generic == NULL)
-		return (DST_R_NULLKEY);
-	if (dctx->key->func->verify == NULL &&
-	    dctx->key->func->verify2 == NULL)
-		return (DST_R_NOTPUBLICKEY);
-
-	return (dctx->key->func->verify2 != NULL ?
-		dctx->key->func->verify2(dctx, maxbits, sig) :
-		dctx->key->func->verify(dctx, sig));
-}
-
-isc_result_t
-dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
-		      isc_buffer_t *secret)
-{
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
-	REQUIRE(secret != NULL);
-
-	CHECKALG(pub->key_alg);
-	CHECKALG(priv->key_alg);
-
-	if (pub->keydata.generic == NULL || priv->keydata.generic == NULL)
-		return (DST_R_NULLKEY);
-
-	if (pub->key_alg != priv->key_alg ||
-	    pub->func->computesecret == NULL ||
-	    priv->func->computesecret == NULL)
-		return (DST_R_KEYCANNOTCOMPUTESECRET);
-
-	if (dst_key_isprivate(priv) == ISC_FALSE)
-		return (DST_R_NOTPRIVATEKEY);
-
-	return (pub->func->computesecret(pub, priv, secret));
-}
-
-isc_result_t
-dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
-	isc_result_t ret = ISC_R_SUCCESS;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key));
-	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
-
-	CHECKALG(key->key_alg);
-
-	if (key->func->tofile == NULL)
-		return (DST_R_UNSUPPORTEDALG);
-
-	if (type & DST_TYPE_PUBLIC) {
-		ret = write_public_key(key, type, directory);
-		if (ret != ISC_R_SUCCESS)
-			return (ret);
-	}
-
-	if ((type & DST_TYPE_PRIVATE) &&
-	    (key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
-		return (key->func->tofile(key, directory));
-	else
-		return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
-		 unsigned int alg, int type, const char *directory,
-		 isc_mem_t *mctx, dst_key_t **keyp)
-{
-	char filename[ISC_DIR_NAMEMAX];
-	isc_buffer_t b;
-	dst_key_t *key;
-	isc_result_t result;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
-	REQUIRE(mctx != NULL);
-	REQUIRE(keyp != NULL && *keyp == NULL);
-
-	CHECKALG(alg);
-
-	isc_buffer_init(&b, filename, sizeof(filename));
-	result = buildfilename(name, id, alg, type, directory, &b);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	key = NULL;
-	result = dst_key_fromnamedfile(filename, NULL, type, mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = computeid(key);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (result);
-	}
-
-	if (!dns_name_equal(name, key->key_name) || id != key->key_id ||
-	    alg != key->key_alg) {
-		dst_key_free(&key);
-		return (DST_R_INVALIDPRIVATEKEY);
-	}
-
-	*keyp = key;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_fromnamedfile(const char *filename, const char *dirname,
-		      int type, isc_mem_t *mctx, dst_key_t **keyp)
-{
-	isc_result_t result;
-	dst_key_t *pubkey = NULL, *key = NULL;
-	char *newfilename = NULL;
-	int newfilenamelen = 0;
-	isc_lex_t *lex = NULL;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(filename != NULL);
-	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
-	REQUIRE(mctx != NULL);
-	REQUIRE(keyp != NULL && *keyp == NULL);
-
-	/* If an absolute path is specified, don't use the key directory */
-#ifndef WIN32
-	if (filename[0] == '/')
-		dirname = NULL;
-#else /* WIN32 */
-	if (filename[0] == '/' || filename[0] == '\\')
-		dirname = NULL;
-#endif
-
-	newfilenamelen = strlen(filename) + 5;
-	if (dirname != NULL)
-		newfilenamelen += strlen(dirname) + 1;
-	newfilename = isc_mem_get(mctx, newfilenamelen);
-	if (newfilename == NULL)
-		return (ISC_R_NOMEMORY);
-	result = addsuffix(newfilename, newfilenamelen,
-			   dirname, filename, ".key");
-	INSIST(result == ISC_R_SUCCESS);
-
-	result = dst_key_read_public(newfilename, type, mctx, &pubkey);
-	isc_mem_put(mctx, newfilename, newfilenamelen);
-	newfilename = NULL;
-	RETERR(result);
-
-	if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
-	    (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
-		result = computeid(pubkey);
-		if (result != ISC_R_SUCCESS) {
-			dst_key_free(&pubkey);
-			return (result);
-		}
-
-		*keyp = pubkey;
-		return (ISC_R_SUCCESS);
-	}
-
-	result = algorithm_status(pubkey->key_alg);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_free(&pubkey);
-		return (result);
-	}
-
-	key = get_key_struct(pubkey->key_name, pubkey->key_alg,
-			     pubkey->key_flags, pubkey->key_proto, 0,
-			     pubkey->key_class, pubkey->key_ttl, mctx);
-	if (key == NULL) {
-		dst_key_free(&pubkey);
-		return (ISC_R_NOMEMORY);
-	}
-
-	if (key->func->parse == NULL)
-		RETERR(DST_R_UNSUPPORTEDALG);
-
-	newfilenamelen = strlen(filename) + 9;
-	if (dirname != NULL)
-		newfilenamelen += strlen(dirname) + 1;
-	newfilename = isc_mem_get(mctx, newfilenamelen);
-	if (newfilename == NULL)
-		RETERR(ISC_R_NOMEMORY);
-	result = addsuffix(newfilename, newfilenamelen,
-			   dirname, filename, ".private");
-	INSIST(result == ISC_R_SUCCESS);
-
-	RETERR(isc_lex_create(mctx, 1500, &lex));
-	RETERR(isc_lex_openfile(lex, newfilename));
-	isc_mem_put(mctx, newfilename, newfilenamelen);
-
-	RETERR(key->func->parse(key, lex, pubkey));
-	isc_lex_destroy(&lex);
-
-	RETERR(computeid(key));
-
-	if (pubkey->key_id != key->key_id)
-		RETERR(DST_R_INVALIDPRIVATEKEY);
-	dst_key_free(&pubkey);
-
-	*keyp = key;
-	return (ISC_R_SUCCESS);
-
- out:
-	if (pubkey != NULL)
-		dst_key_free(&pubkey);
-	if (newfilename != NULL)
-		isc_mem_put(mctx, newfilename, newfilenamelen);
-	if (lex != NULL)
-		isc_lex_destroy(&lex);
-	if (key != NULL)
-		dst_key_free(&key);
-	return (result);
-}
-
-isc_result_t
-dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(target != NULL);
-
-	CHECKALG(key->key_alg);
-
-	if (key->func->todns == NULL)
-		return (DST_R_UNSUPPORTEDALG);
-
-	if (isc_buffer_availablelength(target) < 4)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putuint16(target, (isc_uint16_t)(key->key_flags & 0xffff));
-	isc_buffer_putuint8(target, (isc_uint8_t)key->key_proto);
-	isc_buffer_putuint8(target, (isc_uint8_t)key->key_alg);
-
-	if (key->key_flags & DNS_KEYFLAG_EXTENDED) {
-		if (isc_buffer_availablelength(target) < 2)
-			return (ISC_R_NOSPACE);
-		isc_buffer_putuint16(target,
-				     (isc_uint16_t)((key->key_flags >> 16)
-						    & 0xffff));
-	}
-
-	if (key->keydata.generic == NULL) /*%< NULL KEY */
-		return (ISC_R_SUCCESS);
-
-	return (key->func->todns(key, target));
-}
-
-isc_result_t
-dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
-		isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
-{
-	isc_uint8_t alg, proto;
-	isc_uint32_t flags, extflags;
-	dst_key_t *key = NULL;
-	dns_keytag_t id, rid;
-	isc_region_t r;
-	isc_result_t result;
-
-	REQUIRE(dst_initialized);
-
-	isc_buffer_remainingregion(source, &r);
-
-	if (isc_buffer_remaininglength(source) < 4)
-		return (DST_R_INVALIDPUBLICKEY);
-	flags = isc_buffer_getuint16(source);
-	proto = isc_buffer_getuint8(source);
-	alg = isc_buffer_getuint8(source);
-
-	id = dst_region_computeid(&r, alg);
-	rid = dst_region_computerid(&r, alg);
-
-	if (flags & DNS_KEYFLAG_EXTENDED) {
-		if (isc_buffer_remaininglength(source) < 2)
-			return (DST_R_INVALIDPUBLICKEY);
-		extflags = isc_buffer_getuint16(source);
-		flags |= (extflags << 16);
-	}
-
-	result = frombuffer(name, alg, flags, proto, rdclass, source,
-			    mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	key->key_id = id;
-	key->key_rid = rid;
-
-	*keyp = key;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_frombuffer(dns_name_t *name, unsigned int alg,
-		   unsigned int flags, unsigned int protocol,
-		   dns_rdataclass_t rdclass,
-		   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
-{
-	dst_key_t *key = NULL;
-	isc_result_t result;
-
-	REQUIRE(dst_initialized);
-
-	result = frombuffer(name, alg, flags, protocol, rdclass, source,
-			    mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = computeid(key);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (result);
-	}
-
-	*keyp = key;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(target != NULL);
-
-	CHECKALG(key->key_alg);
-
-	if (key->func->todns == NULL)
-		return (DST_R_UNSUPPORTEDALG);
-
-	return (key->func->todns(key, target));
-}
-
-isc_result_t
-dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
-	isc_lex_t *lex = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(!dst_key_isprivate(key));
-	REQUIRE(buffer != NULL);
-
-	if (key->func->parse == NULL)
-		RETERR(DST_R_UNSUPPORTEDALG);
-
-	RETERR(isc_lex_create(key->mctx, 1500, &lex));
-	RETERR(isc_lex_openbuffer(lex, buffer));
-	RETERR(key->func->parse(key, lex, NULL));
- out:
-	if (lex != NULL)
-		isc_lex_destroy(&lex);
-	return (result);
-}
-
-gss_ctx_id_t
-dst_key_getgssctx(const dst_key_t *key)
-{
-	REQUIRE(key != NULL);
-
-	return (key->keydata.gssctx);
-}
-
-isc_result_t
-dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
-		   dst_key_t **keyp, isc_region_t *intoken)
-{
-	dst_key_t *key;
-	isc_result_t result;
-
-	REQUIRE(gssctx != NULL);
-	REQUIRE(keyp != NULL && *keyp == NULL);
-
-	key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
-			     0, dns_rdataclass_in, 0, mctx);
-	if (key == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if (intoken != NULL) {
-		/*
-		 * Keep the token for use by external ssu rules. They may need
-		 * to examine the PAC in the kerberos ticket.
-		 */
-		RETERR(isc_buffer_allocate(key->mctx, &key->key_tkeytoken,
-		       intoken->length));
-		RETERR(isc_buffer_copyregion(key->key_tkeytoken, intoken));
-	}
-
-	key->keydata.gssctx = gssctx;
-	*keyp = key;
-	result = ISC_R_SUCCESS;
-out:
-	return result;
-}
-
-isc_result_t
-dst_key_buildinternal(dns_name_t *name, unsigned int alg,
-		      unsigned int bits, unsigned int flags,
-		      unsigned int protocol, dns_rdataclass_t rdclass,
-		      void *data, isc_mem_t *mctx, dst_key_t **keyp)
-{
-	dst_key_t *key;
-	isc_result_t result;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(mctx != NULL);
-	REQUIRE(keyp != NULL && *keyp == NULL);
-	REQUIRE(data != NULL);
-
-	CHECKALG(alg);
-
-	key = get_key_struct(name, alg, flags, protocol, bits, rdclass,
-			     0, mctx);
-	if (key == NULL)
-		return (ISC_R_NOMEMORY);
-
-	key->keydata.generic = data;
-
-	result = computeid(key);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (result);
-	}
-
-	*keyp = key;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
-		  unsigned int protocol, dns_rdataclass_t rdclass,
-		  const char *engine, const char *label, const char *pin,
-		  isc_mem_t *mctx, dst_key_t **keyp)
-{
-	dst_key_t *key;
-	isc_result_t result;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(mctx != NULL);
-	REQUIRE(keyp != NULL && *keyp == NULL);
-	REQUIRE(label != NULL);
-
-	CHECKALG(alg);
-
-	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
-	if (key == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if (key->func->fromlabel == NULL) {
-		dst_key_free(&key);
-		return (DST_R_UNSUPPORTEDALG);
-	}
-
-	result = key->func->fromlabel(key, engine, label, pin);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (result);
-	}
-
-	result = computeid(key);
-	if (result != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (result);
-	}
-
-	*keyp = key;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_generate(dns_name_t *name, unsigned int alg,
-		 unsigned int bits, unsigned int param,
-		 unsigned int flags, unsigned int protocol,
-		 dns_rdataclass_t rdclass,
-		 isc_mem_t *mctx, dst_key_t **keyp)
-{
-	return (dst_key_generate2(name, alg, bits, param, flags, protocol,
-				  rdclass, mctx, keyp, NULL));
-}
-
-isc_result_t
-dst_key_generate2(dns_name_t *name, unsigned int alg,
-		  unsigned int bits, unsigned int param,
-		  unsigned int flags, unsigned int protocol,
-		  dns_rdataclass_t rdclass,
-		  isc_mem_t *mctx, dst_key_t **keyp,
-		  void (*callback)(int))
-{
-	dst_key_t *key;
-	isc_result_t ret;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(mctx != NULL);
-	REQUIRE(keyp != NULL && *keyp == NULL);
-
-	CHECKALG(alg);
-
-	key = get_key_struct(name, alg, flags, protocol, bits,
-			     rdclass, 0, mctx);
-	if (key == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if (bits == 0) { /*%< NULL KEY */
-		key->key_flags |= DNS_KEYTYPE_NOKEY;
-		*keyp = key;
-		return (ISC_R_SUCCESS);
-	}
-
-	if (key->func->generate == NULL) {
-		dst_key_free(&key);
-		return (DST_R_UNSUPPORTEDALG);
-	}
-
-	ret = key->func->generate(key, param, callback);
-	if (ret != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (ret);
-	}
-
-	ret = computeid(key);
-	if (ret != ISC_R_SUCCESS) {
-		dst_key_free(&key);
-		return (ret);
-	}
-
-	*keyp = key;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep)
-{
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(valuep != NULL);
-	REQUIRE(type <= DST_MAX_NUMERIC);
-	if (!key->numset[type])
-		return (ISC_R_NOTFOUND);
-	*valuep = key->nums[type];
-	return (ISC_R_SUCCESS);
-}
-
-void
-dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value)
-{
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(type <= DST_MAX_NUMERIC);
-	key->nums[type] = value;
-	key->numset[type] = ISC_TRUE;
-}
-
-void
-dst_key_unsetnum(dst_key_t *key, int type)
-{
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(type <= DST_MAX_NUMERIC);
-	key->numset[type] = ISC_FALSE;
-}
-
-isc_result_t
-dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(timep != NULL);
-	REQUIRE(type <= DST_MAX_TIMES);
-	if (!key->timeset[type])
-		return (ISC_R_NOTFOUND);
-	*timep = key->times[type];
-	return (ISC_R_SUCCESS);
-}
-
-void
-dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(type <= DST_MAX_TIMES);
-	key->times[type] = when;
-	key->timeset[type] = ISC_TRUE;
-}
-
-void
-dst_key_unsettime(dst_key_t *key, int type) {
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(type <= DST_MAX_TIMES);
-	key->timeset[type] = ISC_FALSE;
-}
-
-isc_result_t
-dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) {
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(majorp != NULL);
-	REQUIRE(minorp != NULL);
-	*majorp = key->fmt_major;
-	*minorp = key->fmt_minor;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
-	REQUIRE(VALID_KEY(key));
-	key->fmt_major = major;
-	key->fmt_minor = minor;
-}
-
-static isc_boolean_t
-comparekeys(const dst_key_t *key1, const dst_key_t *key2,
-	    isc_boolean_t match_revoked_key,
-	    isc_boolean_t (*compare)(const dst_key_t *key1,
-				     const dst_key_t *key2))
-{
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key1));
-	REQUIRE(VALID_KEY(key2));
-
-	if (key1 == key2)
-		return (ISC_TRUE);
-
-	if (key1 == NULL || key2 == NULL)
-		return (ISC_FALSE);
-
-	if (key1->key_alg != key2->key_alg)
-		return (ISC_FALSE);
-
-	if (key1->key_id != key2->key_id) {
-		if (!match_revoked_key)
-			return (ISC_FALSE);
-		if (key1->key_alg == DST_ALG_RSAMD5)
-			return (ISC_FALSE);
-		if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
-		    (key2->key_flags & DNS_KEYFLAG_REVOKE))
-			return (ISC_FALSE);
-		if (key1->key_id != key2->key_rid &&
-		    key1->key_rid != key2->key_id)
-			return (ISC_FALSE);
-	}
-
-	if (compare != NULL)
-		return (compare(key1, key2));
-	else
-		return (ISC_FALSE);
-}
-
-
-/*
- * Compares only the public portion of two keys, by converting them
- * both to wire format and comparing the results.
- */
-static isc_boolean_t
-pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	isc_result_t result;
-	unsigned char buf1[DST_KEY_MAXSIZE], buf2[DST_KEY_MAXSIZE];
-	isc_buffer_t b1, b2;
-	isc_region_t r1, r2;
-
-	isc_buffer_init(&b1, buf1, sizeof(buf1));
-	result = dst_key_todns(key1, &b1);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-	/* Zero out flags. */
-	buf1[0] = buf1[1] = 0;
-	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
-		isc_buffer_subtract(&b1, 2);
-
-	isc_buffer_init(&b2, buf2, sizeof(buf2));
-	result = dst_key_todns(key2, &b2);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-	/* Zero out flags. */
-	buf2[0] = buf2[1] = 0;
-	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
-		isc_buffer_subtract(&b2, 2);
-
-	isc_buffer_usedregion(&b1, &r1);
-	/* Remove extended flags. */
-	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
-		memmove(&buf1[4], &buf1[6], r1.length - 6);
-		r1.length -= 2;
-	}
-
-	isc_buffer_usedregion(&b2, &r2);
-	/* Remove extended flags. */
-	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
-		memmove(&buf2[4], &buf2[6], r2.length - 6);
-		r2.length -= 2;
-	}
-	return (ISC_TF(isc_region_compare(&r1, &r2) == 0));
-}
-
-isc_boolean_t
-dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	return (comparekeys(key1, key2, ISC_FALSE, key1->func->compare));
-}
-
-isc_boolean_t
-dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
-		   isc_boolean_t match_revoked_key)
-{
-	return (comparekeys(key1, key2, match_revoked_key, pub_compare));
-}
-
-
-isc_boolean_t
-dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key1));
-	REQUIRE(VALID_KEY(key2));
-
-	if (key1 == key2)
-		return (ISC_TRUE);
-	if (key1 == NULL || key2 == NULL)
-		return (ISC_FALSE);
-	if (key1->key_alg == key2->key_alg &&
-	    key1->func->paramcompare != NULL &&
-	    key1->func->paramcompare(key1, key2) == ISC_TRUE)
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-}
-
-void
-dst_key_attach(dst_key_t *source, dst_key_t **target) {
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(target != NULL && *target == NULL);
-	REQUIRE(VALID_KEY(source));
-
-	isc_refcount_increment(&source->refs, NULL);
-	*target = source;
-}
-
-void
-dst_key_free(dst_key_t **keyp) {
-	isc_mem_t *mctx;
-	dst_key_t *key;
-	unsigned int refs;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(keyp != NULL && VALID_KEY(*keyp));
-
-	key = *keyp;
-	mctx = key->mctx;
-
-	isc_refcount_decrement(&key->refs, &refs);
-	if (refs != 0)
-		return;
-
-	isc_refcount_destroy(&key->refs);
-	if (key->keydata.generic != NULL) {
-		INSIST(key->func->destroy != NULL);
-		key->func->destroy(key);
-	}
-	if (key->engine != NULL)
-		isc_mem_free(mctx, key->engine);
-	if (key->label != NULL)
-		isc_mem_free(mctx, key->label);
-	dns_name_free(key->key_name, mctx);
-	isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
-	if (key->key_tkeytoken) {
-		isc_buffer_free(&key->key_tkeytoken);
-	}
-	memset(key, 0, sizeof(dst_key_t));
-	isc_mem_putanddetach(&mctx, key, sizeof(dst_key_t));
-	*keyp = NULL;
-}
-
-isc_boolean_t
-dst_key_isprivate(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	INSIST(key->func->isprivate != NULL);
-	return (key->func->isprivate(key));
-}
-
-isc_result_t
-dst_key_buildfilename(const dst_key_t *key, int type,
-		      const char *directory, isc_buffer_t *out) {
-
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(type == DST_TYPE_PRIVATE || type == DST_TYPE_PUBLIC ||
-		type == 0);
-
-	return (buildfilename(key->key_name, key->key_id, key->key_alg,
-			      type, directory, out));
-}
-
-isc_result_t
-dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(n != NULL);
-
-	/* XXXVIX this switch statement is too sparse to gen a jump table. */
-	switch (key->key_alg) {
-	case DST_ALG_RSAMD5:
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-	case DST_ALG_RSASHA256:
-	case DST_ALG_RSASHA512:
-		*n = (key->key_size + 7) / 8;
-		break;
-	case DST_ALG_DSA:
-	case DST_ALG_NSEC3DSA:
-		*n = DNS_SIG_DSASIGSIZE;
-		break;
-	case DST_ALG_ECCGOST:
-		*n = DNS_SIG_GOSTSIGSIZE;
-		break;
-	case DST_ALG_ECDSA256:
-		*n = DNS_SIG_ECDSA256SIZE;
-		break;
-	case DST_ALG_ECDSA384:
-		*n = DNS_SIG_ECDSA384SIZE;
-		break;
-	case DST_ALG_HMACMD5:
-		*n = 16;
-		break;
-	case DST_ALG_HMACSHA1:
-		*n = ISC_SHA1_DIGESTLENGTH;
-		break;
-	case DST_ALG_HMACSHA224:
-		*n = ISC_SHA224_DIGESTLENGTH;
-		break;
-	case DST_ALG_HMACSHA256:
-		*n = ISC_SHA256_DIGESTLENGTH;
-		break;
-	case DST_ALG_HMACSHA384:
-		*n = ISC_SHA384_DIGESTLENGTH;
-		break;
-	case DST_ALG_HMACSHA512:
-		*n = ISC_SHA512_DIGESTLENGTH;
-		break;
-	case DST_ALG_GSSAPI:
-		*n = 128; /*%< XXX */
-		break;
-	case DST_ALG_DH:
-	default:
-		return (DST_R_UNSUPPORTEDALG);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key));
-	REQUIRE(n != NULL);
-
-	if (key->key_alg == DST_ALG_DH)
-		*n = (key->key_size + 7) / 8;
-	else
-		return (DST_R_UNSUPPORTEDALG);
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Set the flags on a key, then recompute the key ID
- */
-isc_result_t
-dst_key_setflags(dst_key_t *key, isc_uint32_t flags) {
-	REQUIRE(VALID_KEY(key));
-	key->key_flags = flags;
-	return (computeid(key));
-}
-
-void
-dst_key_format(const dst_key_t *key, char *cp, unsigned int size) {
-	char namestr[DNS_NAME_FORMATSIZE];
-	char algstr[DNS_NAME_FORMATSIZE];
-
-	dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
-	dns_secalg_format((dns_secalg_t) dst_key_alg(key), algstr,
-			  sizeof(algstr));
-	snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
-}
-
-isc_result_t
-dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
-
-	REQUIRE(buffer != NULL && *buffer == NULL);
-	REQUIRE(length != NULL && *length == 0);
-	REQUIRE(VALID_KEY(key));
-
-	if (key->func->dump == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-	return (key->func->dump(key, mctx, buffer, length));
-}
-
-isc_result_t
-dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
-		unsigned int protocol, dns_rdataclass_t rdclass,
-		isc_mem_t *mctx, const char *keystr, dst_key_t **keyp)
-{
-	isc_result_t result;
-	dst_key_t *key;
-
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(keyp != NULL && *keyp == NULL);
-
-	if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
-		return (DST_R_UNSUPPORTEDALG);
-
-	if (dst_t_func[alg]->restore == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
-	if (key == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = (dst_t_func[alg]->restore)(key, keystr);
-	if (result == ISC_R_SUCCESS)
-		*keyp = key;
-	else
-		dst_key_free(&key);
-
-	return (result);
-}
-
-/***
- *** Static methods
- ***/
-
-/*%
- * Allocates a key structure and fills in some of the fields.
- */
-static dst_key_t *
-get_key_struct(dns_name_t *name, unsigned int alg,
-	       unsigned int flags, unsigned int protocol,
-	       unsigned int bits, dns_rdataclass_t rdclass,
-	       dns_ttl_t ttl, isc_mem_t *mctx)
-{
-	dst_key_t *key;
-	isc_result_t result;
-	int i;
-
-	key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
-	if (key == NULL)
-		return (NULL);
-
-	memset(key, 0, sizeof(dst_key_t));
-
-	key->key_name = isc_mem_get(mctx, sizeof(dns_name_t));
-	if (key->key_name == NULL) {
-		isc_mem_put(mctx, key, sizeof(dst_key_t));
-		return (NULL);
-	}
-
-	dns_name_init(key->key_name, NULL);
-	result = dns_name_dup(name, mctx, key->key_name);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
-		isc_mem_put(mctx, key, sizeof(dst_key_t));
-		return (NULL);
-	}
-
-	result = isc_refcount_init(&key->refs, 1);
-	if (result != ISC_R_SUCCESS) {
-		dns_name_free(key->key_name, mctx);
-		isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
-		isc_mem_put(mctx, key, sizeof(dst_key_t));
-		return (NULL);
-	}
-	isc_mem_attach(mctx, &key->mctx);
-	key->key_alg = alg;
-	key->key_flags = flags;
-	key->key_proto = protocol;
-	key->keydata.generic = NULL;
-	key->key_size = bits;
-	key->key_class = rdclass;
-	key->key_ttl = ttl;
-	key->func = dst_t_func[alg];
-	key->fmt_major = 0;
-	key->fmt_minor = 0;
-	for (i = 0; i < (DST_MAX_TIMES + 1); i++) {
-		key->times[i] = 0;
-		key->timeset[i] = ISC_FALSE;
-	}
-	key->magic = KEY_MAGIC;
-	return (key);
-}
-
-/*%
- * Reads a public key from disk
- */
-isc_result_t
-dst_key_read_public(const char *filename, int type,
-		    isc_mem_t *mctx, dst_key_t **keyp)
-{
-	u_char rdatabuf[DST_KEY_MAXSIZE];
-	isc_buffer_t b;
-	dns_fixedname_t name;
-	isc_lex_t *lex = NULL;
-	isc_token_t token;
-	isc_result_t ret;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
-	dns_rdataclass_t rdclass = dns_rdataclass_in;
-	isc_lexspecials_t specials;
-	isc_uint32_t ttl = 0;
-	isc_result_t result;
-	dns_rdatatype_t keytype;
-
-	/*
-	 * Open the file and read its formatted contents
-	 * File format:
-	 *    domain.name [ttl] [class] [KEY|DNSKEY] <flags> <protocol> <algorithm> <key>
-	 */
-
-	/* 1500 should be large enough for any key */
-	ret = isc_lex_create(mctx, 1500, &lex);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup;
-
-	memset(specials, 0, sizeof(specials));
-	specials['('] = 1;
-	specials[')'] = 1;
-	specials['"'] = 1;
-	isc_lex_setspecials(lex, specials);
-	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
-
-	ret = isc_lex_openfile(lex, filename);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup;
-
-#define NEXTTOKEN(lex, opt, token) { \
-	ret = isc_lex_gettoken(lex, opt, token); \
-	if (ret != ISC_R_SUCCESS) \
-		goto cleanup; \
-	}
-
-#define BADTOKEN() { \
-	ret = ISC_R_UNEXPECTEDTOKEN; \
-	goto cleanup; \
-	}
-
-	/* Read the domain name */
-	NEXTTOKEN(lex, opt, &token);
-	if (token.type != isc_tokentype_string)
-		BADTOKEN();
-
-	/*
-	 * We don't support "@" in .key files.
-	 */
-	if (!strcmp(DST_AS_STR(token), "@"))
-		BADTOKEN();
-
-	dns_fixedname_init(&name);
-	isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
-	isc_buffer_add(&b, strlen(DST_AS_STR(token)));
-	ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
-				0, NULL);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/* Read the next word: either TTL, class, or 'KEY' */
-	NEXTTOKEN(lex, opt, &token);
-
-	if (token.type != isc_tokentype_string)
-		BADTOKEN();
-
-	/* If it's a TTL, read the next one */
-	result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);
-	if (result == ISC_R_SUCCESS)
-		NEXTTOKEN(lex, opt, &token);
-
-	if (token.type != isc_tokentype_string)
-		BADTOKEN();
-
-	ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);
-	if (ret == ISC_R_SUCCESS)
-		NEXTTOKEN(lex, opt, &token);
-
-	if (token.type != isc_tokentype_string)
-		BADTOKEN();
-
-	if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)
-		keytype = dns_rdatatype_dnskey;
-	else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)
-		keytype = dns_rdatatype_key; /*%< SIG(0), TKEY */
-	else
-		BADTOKEN();
-
-	if (((type & DST_TYPE_KEY) != 0 && keytype != dns_rdatatype_key) ||
-	    ((type & DST_TYPE_KEY) == 0 && keytype != dns_rdatatype_dnskey)) {
-		ret = DST_R_BADKEYTYPE;
-		goto cleanup;
-	}
-
-	isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
-	ret = dns_rdata_fromtext(&rdata, rdclass, keytype, lex, NULL,
-				 ISC_FALSE, mctx, &b, NULL);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup;
-
-	ret = dst_key_fromdns(dns_fixedname_name(&name), rdclass, &b, mctx,
-			      keyp);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dst_key_setttl(*keyp, ttl);
-
- cleanup:
-	if (lex != NULL)
-		isc_lex_destroy(&lex);
-	return (ret);
-}
-
-static isc_boolean_t
-issymmetric(const dst_key_t *key) {
-	REQUIRE(dst_initialized == ISC_TRUE);
-	REQUIRE(VALID_KEY(key));
-
-	/* XXXVIX this switch statement is too sparse to gen a jump table. */
-	switch (key->key_alg) {
-	case DST_ALG_RSAMD5:
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-	case DST_ALG_RSASHA256:
-	case DST_ALG_RSASHA512:
-	case DST_ALG_DSA:
-	case DST_ALG_NSEC3DSA:
-	case DST_ALG_DH:
-	case DST_ALG_ECCGOST:
-	case DST_ALG_ECDSA256:
-	case DST_ALG_ECDSA384:
-		return (ISC_FALSE);
-	case DST_ALG_HMACMD5:
-	case DST_ALG_GSSAPI:
-		return (ISC_TRUE);
-	default:
-		return (ISC_FALSE);
-	}
-}
-
-/*%
- * Write key timing metadata to a file pointer, preceded by 'tag'
- */
-static void
-printtime(const dst_key_t *key, int type, const char *tag, FILE *stream) {
-	isc_result_t result;
-#ifdef ISC_PLATFORM_USETHREADS
-	char output[26]; /* Minimum buffer as per ctime_r() specification. */
-#else
-	const char *output;
-#endif
-	isc_stdtime_t when;
-	time_t t;
-	char utc[sizeof("YYYYMMDDHHSSMM")];
-	isc_buffer_t b;
-	isc_region_t r;
-
-	result = dst_key_gettime(key, type, &when);
-	if (result == ISC_R_NOTFOUND)
-		return;
-
-	/* time_t and isc_stdtime_t might be different sizes */
-	t = when;
-#ifdef ISC_PLATFORM_USETHREADS
-#ifdef WIN32
-	if (ctime_s(output, sizeof(output), &t) != 0)
-		goto error;
-#else
-	if (ctime_r(&t, output) == NULL)
-		goto error;
-#endif
-#else
-	output = ctime(&t);
-#endif
-
-	isc_buffer_init(&b, utc, sizeof(utc));
-	result = dns_time32_totext(when, &b);
-	if (result != ISC_R_SUCCESS)
-		goto error;
-
-	isc_buffer_usedregion(&b, &r);
-	fprintf(stream, "%s: %.*s (%.*s)\n", tag, (int)r.length, r.base,
-		 (int)strlen(output) - 1, output);
-	return;
-
- error:
-	fprintf(stream, "%s: (set, unable to display)\n", tag);
-}
-
-/*%
- * Writes a public key to disk in DNS format.
- */
-static isc_result_t
-write_public_key(const dst_key_t *key, int type, const char *directory) {
-	FILE *fp;
-	isc_buffer_t keyb, textb, fileb, classb;
-	isc_region_t r;
-	char filename[ISC_DIR_NAMEMAX];
-	unsigned char key_array[DST_KEY_MAXSIZE];
-	char text_array[DST_KEY_MAXTEXTSIZE];
-	char class_array[10];
-	isc_result_t ret;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_fsaccess_t access;
-
-	REQUIRE(VALID_KEY(key));
-
-	isc_buffer_init(&keyb, key_array, sizeof(key_array));
-	isc_buffer_init(&textb, text_array, sizeof(text_array));
-	isc_buffer_init(&classb, class_array, sizeof(class_array));
-
-	ret = dst_key_todns(key, &keyb);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_usedregion(&keyb, &r);
-	dns_rdata_fromregion(&rdata, key->key_class, dns_rdatatype_dnskey, &r);
-
-	ret = dns_rdata_totext(&rdata, (dns_name_t *) NULL, &textb);
-	if (ret != ISC_R_SUCCESS)
-		return (DST_R_INVALIDPUBLICKEY);
-
-	ret = dns_rdataclass_totext(key->key_class, &classb);
-	if (ret != ISC_R_SUCCESS)
-		return (DST_R_INVALIDPUBLICKEY);
-
-	/*
-	 * Make the filename.
-	 */
-	isc_buffer_init(&fileb, filename, sizeof(filename));
-	ret = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &fileb);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	/*
-	 * Create public key file.
-	 */
-	if ((fp = fopen(filename, "w")) == NULL)
-		return (DST_R_WRITEERROR);
-
-	if (issymmetric(key)) {
-		access = 0;
-		isc_fsaccess_add(ISC_FSACCESS_OWNER,
-				 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
-				 &access);
-		(void)isc_fsaccess_set(filename, access);
-	}
-
-	/* Write key information in comments */
-	if ((type & DST_TYPE_KEY) == 0) {
-		fprintf(fp, "; This is a %s%s-signing key, keyid %d, for ",
-			(key->key_flags & DNS_KEYFLAG_REVOKE) != 0 ?
-				"revoked " :
-				"",
-			(key->key_flags & DNS_KEYFLAG_KSK) != 0 ?
-				"key" :
-				"zone",
-			key->key_id);
-		ret = dns_name_print(key->key_name, fp);
-		if (ret != ISC_R_SUCCESS) {
-			fclose(fp);
-			return (ret);
-		}
-		fputc('\n', fp);
-
-		printtime(key, DST_TIME_CREATED, "; Created", fp);
-		printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
-		printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
-		printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
-		printtime(key, DST_TIME_INACTIVE, "; Inactive", fp);
-		printtime(key, DST_TIME_DELETE, "; Delete", fp);
-	}
-
-	/* Now print the actual key */
-	ret = dns_name_print(key->key_name, fp);
-	fprintf(fp, " ");
-
-	if (key->key_ttl != 0)
-		fprintf(fp, "%d ", key->key_ttl);
-
-	isc_buffer_usedregion(&classb, &r);
-	if ((unsigned) fwrite(r.base, 1, r.length, fp) != r.length)
-	       ret = DST_R_WRITEERROR;
-
-	if ((type & DST_TYPE_KEY) != 0)
-		fprintf(fp, " KEY ");
-	else
-		fprintf(fp, " DNSKEY ");
-
-	isc_buffer_usedregion(&textb, &r);
-	if ((unsigned) fwrite(r.base, 1, r.length, fp) != r.length)
-	       ret = DST_R_WRITEERROR;
-
-	fputc('\n', fp);
-	fflush(fp);
-	if (ferror(fp))
-		ret = DST_R_WRITEERROR;
-	fclose(fp);
-
-	return (ret);
-}
-
-static isc_result_t
-buildfilename(dns_name_t *name, dns_keytag_t id,
-	      unsigned int alg, unsigned int type,
-	      const char *directory, isc_buffer_t *out)
-{
-	const char *suffix = "";
-	unsigned int len;
-	isc_result_t result;
-
-	REQUIRE(out != NULL);
-	if ((type & DST_TYPE_PRIVATE) != 0)
-		suffix = ".private";
-	else if (type == DST_TYPE_PUBLIC)
-		suffix = ".key";
-	if (directory != NULL) {
-		if (isc_buffer_availablelength(out) < strlen(directory))
-			return (ISC_R_NOSPACE);
-		isc_buffer_putstr(out, directory);
-		if (strlen(directory) > 0U &&
-		    directory[strlen(directory) - 1] != '/')
-			isc_buffer_putstr(out, "/");
-	}
-	if (isc_buffer_availablelength(out) < 1)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putstr(out, "K");
-	result = dns_name_tofilenametext(name, ISC_FALSE, out);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
-	if (isc_buffer_availablelength(out) < len)
-		return (ISC_R_NOSPACE);
-	sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id,
-		suffix);
-	isc_buffer_add(out, len);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-computeid(dst_key_t *key) {
-	isc_buffer_t dnsbuf;
-	unsigned char dns_array[DST_KEY_MAXSIZE];
-	isc_region_t r;
-	isc_result_t ret;
-
-	isc_buffer_init(&dnsbuf, dns_array, sizeof(dns_array));
-	ret = dst_key_todns(key, &dnsbuf);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_usedregion(&dnsbuf, &r);
-	key->key_id = dst_region_computeid(&r, key->key_alg);
-	key->key_rid = dst_region_computerid(&r, key->key_alg);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
-	   unsigned int protocol, dns_rdataclass_t rdclass,
-	   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
-{
-	dst_key_t *key;
-	isc_result_t ret;
-
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(source != NULL);
-	REQUIRE(mctx != NULL);
-	REQUIRE(keyp != NULL && *keyp == NULL);
-
-	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
-	if (key == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if (isc_buffer_remaininglength(source) > 0) {
-		ret = algorithm_status(alg);
-		if (ret != ISC_R_SUCCESS) {
-			dst_key_free(&key);
-			return (ret);
-		}
-		if (key->func->fromdns == NULL) {
-			dst_key_free(&key);
-			return (DST_R_UNSUPPORTEDALG);
-		}
-
-		ret = key->func->fromdns(key, source);
-		if (ret != ISC_R_SUCCESS) {
-			dst_key_free(&key);
-			return (ret);
-		}
-	}
-
-	*keyp = key;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-algorithm_status(unsigned int alg) {
-	REQUIRE(dst_initialized == ISC_TRUE);
-
-	if (dst_algorithm_supported(alg))
-		return (ISC_R_SUCCESS);
-#ifndef OPENSSL
-	if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
-	    alg == DST_ALG_DSA || alg == DST_ALG_DH ||
-	    alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
-	    alg == DST_ALG_NSEC3RSASHA1 ||
-	    alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 ||
-	    alg == DST_ALG_ECCGOST ||
-	    alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384)
-		return (DST_R_NOCRYPTO);
-#endif
-	return (DST_R_UNSUPPORTEDALG);
-}
-
-static isc_result_t
-addsuffix(char *filename, int len, const char *odirname,
-	  const char *ofilename, const char *suffix)
-{
-	int olen = strlen(ofilename);
-	int n;
-
-	if (olen > 1 && ofilename[olen - 1] == '.')
-		olen -= 1;
-	else if (olen > 8 && strcmp(ofilename + olen - 8, ".private") == 0)
-		olen -= 8;
-	else if (olen > 4 && strcmp(ofilename + olen - 4, ".key") == 0)
-		olen -= 4;
-
-	if (odirname == NULL)
-		n = snprintf(filename, len, "%.*s%s", olen, ofilename, suffix);
-	else
-		n = snprintf(filename, len, "%s/%.*s%s",
-			     odirname, olen, ofilename, suffix);
-	if (n < 0)
-		return (ISC_R_FAILURE);
-	if (n >= len)
-		return (ISC_R_NOSPACE);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
-#ifdef BIND9
-	unsigned int flags = dst_entropy_flags;
-
-	if (len == 0)
-		return (ISC_R_SUCCESS);
-	if (pseudo)
-		flags &= ~ISC_ENTROPY_GOODONLY;
-	else
-		flags |= ISC_ENTROPY_BLOCKING;
-	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
-#else
-	UNUSED(buf);
-	UNUSED(len);
-	UNUSED(pseudo);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-unsigned int
-dst__entropy_status(void) {
-#ifdef BIND9
-#ifdef GSSAPI
-	unsigned int flags = dst_entropy_flags;
-	isc_result_t ret;
-	unsigned char buf[32];
-	static isc_boolean_t first = ISC_TRUE;
-
-	if (first) {
-		/* Someone believes RAND_status() initializes the PRNG */
-		flags &= ~ISC_ENTROPY_GOODONLY;
-		ret = isc_entropy_getdata(dst_entropy_pool, buf,
-					  sizeof(buf), NULL, flags);
-		INSIST(ret == ISC_R_SUCCESS);
-		isc_entropy_putdata(dst_entropy_pool, buf,
-				    sizeof(buf), 2 * sizeof(buf));
-		first = ISC_FALSE;
-	}
-#endif
-	return (isc_entropy_status(dst_entropy_pool));
-#else
-	return (0);
-#endif
-}
-
-isc_buffer_t *
-dst_key_tkeytoken(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_tkeytoken);
-}
diff --git a/contrib/bind9/lib/dns/dst_internal.h b/contrib/bind9/lib/dns/dst_internal.h
deleted file mode 100644
index c3e8e29..0000000
--- a/contrib/bind9/lib/dns/dst_internal.h
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dst_internal.h,v 1.31 2011/10/20 21:20:02 marka Exp $ */
-
-#ifndef DST_DST_INTERNAL_H
-#define DST_DST_INTERNAL_H 1
-
-#include <isc/lang.h>
-#include <isc/buffer.h>
-#include <isc/int.h>
-#include <isc/magic.h>
-#include <isc/region.h>
-#include <isc/types.h>
-#include <isc/md5.h>
-#include <isc/refcount.h>
-#include <isc/sha1.h>
-#include <isc/sha2.h>
-#include <isc/stdtime.h>
-#include <isc/hmacmd5.h>
-#include <isc/hmacsha.h>
-
-#include <dns/time.h>
-
-#include <dst/dst.h>
-
-#ifdef OPENSSL
-#include <openssl/dh.h>
-#include <openssl/dsa.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#endif
-
-ISC_LANG_BEGINDECLS
-
-#define KEY_MAGIC	ISC_MAGIC('D','S','T','K')
-#define CTX_MAGIC	ISC_MAGIC('D','S','T','C')
-
-#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
-#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
-
-extern isc_mem_t *dst__memory_pool;
-
-/***
- *** Types
- ***/
-
-typedef struct dst_func dst_func_t;
-
-typedef struct dst_hmacmd5_key	  dst_hmacmd5_key_t;
-typedef struct dst_hmacsha1_key   dst_hmacsha1_key_t;
-typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
-typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
-typedef struct dst_hmacsha384_key dst_hmacsha384_key_t;
-typedef struct dst_hmacsha512_key dst_hmacsha512_key_t;
-
-/*% DST Key Structure */
-struct dst_key {
-	unsigned int	magic;
-	isc_refcount_t	refs;
-	dns_name_t *	key_name;	/*%< name of the key */
-	unsigned int	key_size;	/*%< size of the key in bits */
-	unsigned int	key_proto;	/*%< protocols this key is used for */
-	unsigned int	key_alg;	/*%< algorithm of the key */
-	isc_uint32_t	key_flags;	/*%< flags of the public key */
-	isc_uint16_t	key_id;		/*%< identifier of the key */
-	isc_uint16_t	key_rid;	/*%< identifier of the key when
-					     revoked */
-	isc_uint16_t	key_bits;	/*%< hmac digest bits */
-	dns_rdataclass_t key_class;	/*%< class of the key record */
-	dns_ttl_t	key_ttl;	/*%< default/initial dnskey ttl */
-	isc_mem_t	*mctx;		/*%< memory context */
-	char		*engine;	/*%< engine name (HSM) */
-	char		*label;		/*%< engine label (HSM) */
-	union {
-		void *generic;
-		gss_ctx_id_t gssctx;
-#ifdef OPENSSL
-#if !defined(USE_EVP) || !USE_EVP
-		RSA *rsa;
-#endif
-		DSA *dsa;
-		DH *dh;
-		EVP_PKEY *pkey;
-#endif
-		dst_hmacmd5_key_t *hmacmd5;
-		dst_hmacsha1_key_t *hmacsha1;
-		dst_hmacsha224_key_t *hmacsha224;
-		dst_hmacsha256_key_t *hmacsha256;
-		dst_hmacsha384_key_t *hmacsha384;
-		dst_hmacsha512_key_t *hmacsha512;
-
-	} keydata;			/*%< pointer to key in crypto pkg fmt */
-
-	isc_stdtime_t	times[DST_MAX_TIMES + 1];    /*%< timing metadata */
-	isc_boolean_t	timeset[DST_MAX_TIMES + 1];  /*%< data set? */
-	isc_stdtime_t	nums[DST_MAX_NUMERIC + 1];   /*%< numeric metadata */
-	isc_boolean_t	numset[DST_MAX_NUMERIC + 1]; /*%< data set? */
-
-	int		fmt_major;     /*%< private key format, major version */
-	int		fmt_minor;     /*%< private key format, minor version */
-
-	dst_func_t *    func;	       /*%< crypto package specific functions */
-	isc_buffer_t   *key_tkeytoken; /*%< TKEY token data */
-};
-
-struct dst_context {
-	unsigned int magic;
-	dst_key_t *key;
-	isc_mem_t *mctx;
-	isc_logcategory_t *category;
-	union {
-		void *generic;
-		dst_gssapi_signverifyctx_t *gssctx;
-		isc_md5_t *md5ctx;
-		isc_sha1_t *sha1ctx;
-		isc_sha256_t *sha256ctx;
-		isc_sha512_t *sha512ctx;
-		isc_hmacmd5_t *hmacmd5ctx;
-		isc_hmacsha1_t *hmacsha1ctx;
-		isc_hmacsha224_t *hmacsha224ctx;
-		isc_hmacsha256_t *hmacsha256ctx;
-		isc_hmacsha384_t *hmacsha384ctx;
-		isc_hmacsha512_t *hmacsha512ctx;
-#ifdef OPENSSL
-		EVP_MD_CTX *evp_md_ctx;
-#endif
-	} ctxdata;
-};
-
-struct dst_func {
-	/*
-	 * Context functions
-	 */
-	isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx);
-	void (*destroyctx)(dst_context_t *dctx);
-	isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data);
-
-	/*
-	 * Key operations
-	 */
-	isc_result_t (*sign)(dst_context_t *dctx, isc_buffer_t *sig);
-	isc_result_t (*verify)(dst_context_t *dctx, const isc_region_t *sig);
-	isc_result_t (*verify2)(dst_context_t *dctx, int maxbits,
-				const isc_region_t *sig);
-	isc_result_t (*computesecret)(const dst_key_t *pub,
-				      const dst_key_t *priv,
-				      isc_buffer_t *secret);
-	isc_boolean_t (*compare)(const dst_key_t *key1, const dst_key_t *key2);
-	isc_boolean_t (*paramcompare)(const dst_key_t *key1,
-				      const dst_key_t *key2);
-	isc_result_t (*generate)(dst_key_t *key, int parms,
-				 void (*callback)(int));
-	isc_boolean_t (*isprivate)(const dst_key_t *key);
-	void (*destroy)(dst_key_t *key);
-
-	/* conversion functions */
-	isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data);
-	isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data);
-	isc_result_t (*tofile)(const dst_key_t *key, const char *directory);
-	isc_result_t (*parse)(dst_key_t *key,
-			      isc_lex_t *lexer,
-			      dst_key_t *pub);
-
-	/* cleanup */
-	void (*cleanup)(void);
-
-	isc_result_t (*fromlabel)(dst_key_t *key, const char *engine,
-				  const char *label, const char *pin);
-	isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer,
-			     int *length);
-	isc_result_t (*restore)(dst_key_t *key, const char *keystr);
-};
-
-/*%
- * Initializers
- */
-isc_result_t dst__openssl_init(const char *engine);
-
-isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
-isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
-isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
-				  unsigned char algorithm);
-isc_result_t dst__openssldsa_init(struct dst_func **funcp);
-isc_result_t dst__openssldh_init(struct dst_func **funcp);
-isc_result_t dst__gssapi_init(struct dst_func **funcp);
-#ifdef HAVE_OPENSSL_GOST
-isc_result_t dst__opensslgost_init(struct dst_func **funcp);
-#endif
-#ifdef HAVE_OPENSSL_ECDSA
-isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
-#endif
-
-/*%
- * Destructors
- */
-void dst__openssl_destroy(void);
-
-/*%
- * Memory allocators using the DST memory pool.
- */
-void * dst__mem_alloc(size_t size);
-void   dst__mem_free(void *ptr);
-void * dst__mem_realloc(void *ptr, size_t size);
-
-/*%
- * Entropy retriever using the DST entropy pool.
- */
-isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
-				  isc_boolean_t pseudo);
-
-/*
- * Entropy status hook.
- */
-unsigned int dst__entropy_status(void);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_DST_INTERNAL_H */
-/*! \file */
diff --git a/contrib/bind9/lib/dns/dst_lib.c b/contrib/bind9/lib/dns/dst_lib.c
deleted file mode 100644
index f1021d3..0000000
--- a/contrib/bind9/lib/dns/dst_lib.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: dst_lib.c,v 1.5 2007/06/19 23:47:16 tbox Exp $
- */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/once.h>
-#include <isc/msgcat.h>
-#include <isc/util.h>
-
-#include <dst/lib.h>
-
-/***
- *** Globals
- ***/
-
-LIBDNS_EXTERNAL_DATA isc_msgcat_t *		dst_msgcat = NULL;
-
-
-/***
- *** Private
- ***/
-
-static isc_once_t		msgcat_once = ISC_ONCE_INIT;
-
-
-/***
- *** Functions
- ***/
-
-static void
-open_msgcat(void) {
-	isc_msgcat_open("libdst.cat", &dst_msgcat);
-}
-
-void
-dst_lib_initmsgcat(void) {
-
-	/*
-	 * Initialize the DST library's message catalog, dst_msgcat, if it
-	 * has not already been initialized.
-	 */
-
-	RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/dst_openssl.h b/contrib/bind9/lib/dns/dst_openssl.h
deleted file mode 100644
index 99a43ef..0000000
--- a/contrib/bind9/lib/dns/dst_openssl.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dst_openssl.h,v 1.11 2011/03/12 04:59:48 tbox Exp $ */
-
-#ifndef DST_OPENSSL_H
-#define DST_OPENSSL_H 1
-
-#include <isc/lang.h>
-#include <isc/log.h>
-#include <isc/result.h>
-
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#include <openssl/evp.h>
-#include <openssl/conf.h>
-#include <openssl/crypto.h>
-
-#if !defined(OPENSSL_NO_ENGINE) && defined(CRYPTO_LOCK_ENGINE) && \
-    (OPENSSL_VERSION_NUMBER >= 0x0090707f)
-#define USE_ENGINE 1
-#endif
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dst__openssl_toresult(isc_result_t fallback);
-
-isc_result_t
-dst__openssl_toresult2(const char *funcname, isc_result_t fallback);
-
-isc_result_t
-dst__openssl_toresult3(isc_logcategory_t *category,
-		       const char *funcname, isc_result_t fallback);
-
-#ifdef USE_ENGINE
-ENGINE *
-dst__openssl_getengine(const char *engine);
-#else
-#define dst__openssl_getengine(x) NULL
-#endif
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_OPENSSL_H */
-/*! \file */
diff --git a/contrib/bind9/lib/dns/dst_parse.c b/contrib/bind9/lib/dns/dst_parse.c
deleted file mode 100644
index ca43cb3..0000000
--- a/contrib/bind9/lib/dns/dst_parse.c
+++ /dev/null
@@ -1,727 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*%
- * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.29 2011/08/18 23:46:35 tbox Exp $
- */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/dir.h>
-#include <isc/fsaccess.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/stdtime.h>
-#include <isc/string.h>
-#include <isc/util.h>
-#include <isc/file.h>
-
-#include <dns/time.h>
-#include <dns/log.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-#include "dst/result.h"
-
-#define DST_AS_STR(t) ((t).value.as_textregion.base)
-
-#define PRIVATE_KEY_STR "Private-key-format:"
-#define ALGORITHM_STR "Algorithm:"
-
-#define TIMING_NTAGS (DST_MAX_TIMES + 1)
-static const char *timetags[TIMING_NTAGS] = {
-	"Created:",
-	"Publish:",
-	"Activate:",
-	"Revoke:",
-	"Inactive:",
-	"Delete:",
-	"DSPublish:"
-};
-
-#define NUMERIC_NTAGS (DST_MAX_NUMERIC + 1)
-static const char *numerictags[NUMERIC_NTAGS] = {
-	"Predecessor:",
-	"Successor:",
-	"MaxTTL:",
-	"RollPeriod:"
-};
-
-struct parse_map {
-	const int value;
-	const char *tag;
-};
-
-static struct parse_map map[] = {
-	{TAG_RSA_MODULUS, "Modulus:"},
-	{TAG_RSA_PUBLICEXPONENT, "PublicExponent:"},
-	{TAG_RSA_PRIVATEEXPONENT, "PrivateExponent:"},
-	{TAG_RSA_PRIME1, "Prime1:"},
-	{TAG_RSA_PRIME2, "Prime2:"},
-	{TAG_RSA_EXPONENT1, "Exponent1:"},
-	{TAG_RSA_EXPONENT2, "Exponent2:"},
-	{TAG_RSA_COEFFICIENT, "Coefficient:"},
-	{TAG_RSA_ENGINE, "Engine:" },
-	{TAG_RSA_LABEL, "Label:" },
-	{TAG_RSA_PIN, "PIN:" },
-
-	{TAG_DH_PRIME, "Prime(p):"},
-	{TAG_DH_GENERATOR, "Generator(g):"},
-	{TAG_DH_PRIVATE, "Private_value(x):"},
-	{TAG_DH_PUBLIC, "Public_value(y):"},
-
-	{TAG_DSA_PRIME, "Prime(p):"},
-	{TAG_DSA_SUBPRIME, "Subprime(q):"},
-	{TAG_DSA_BASE, "Base(g):"},
-	{TAG_DSA_PRIVATE, "Private_value(x):"},
-	{TAG_DSA_PUBLIC, "Public_value(y):"},
-
-	{TAG_GOST_PRIVASN1, "GostAsn1:"},
-
-	{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
-
-	{TAG_HMACMD5_KEY, "Key:"},
-	{TAG_HMACMD5_BITS, "Bits:"},
-
-	{TAG_HMACSHA1_KEY, "Key:"},
-	{TAG_HMACSHA1_BITS, "Bits:"},
-
-	{TAG_HMACSHA224_KEY, "Key:"},
-	{TAG_HMACSHA224_BITS, "Bits:"},
-
-	{TAG_HMACSHA256_KEY, "Key:"},
-	{TAG_HMACSHA256_BITS, "Bits:"},
-
-	{TAG_HMACSHA384_KEY, "Key:"},
-	{TAG_HMACSHA384_BITS, "Bits:"},
-
-	{TAG_HMACSHA512_KEY, "Key:"},
-	{TAG_HMACSHA512_BITS, "Bits:"},
-
-	{0, NULL}
-};
-
-static int
-find_value(const char *s, const unsigned int alg) {
-	int i;
-
-	for (i = 0; map[i].tag != NULL; i++) {
-		if (strcasecmp(s, map[i].tag) == 0 &&
-		    (TAG_ALG(map[i].value) == alg))
-			return (map[i].value);
-	}
-	return (-1);
-}
-
-static const char *
-find_tag(const int value) {
-	int i;
-
-	for (i = 0; ; i++) {
-		if (map[i].tag == NULL)
-			return (NULL);
-		else if (value == map[i].value)
-			return (map[i].tag);
-	}
-}
-
-static int
-find_metadata(const char *s, const char *tags[], int ntags) {
-	int i;
-
-	for (i = 0; i < ntags; i++) {
-		if (strcasecmp(s, tags[i]) == 0)
-			return (i);
-	}
-
-	return (-1);
-}
-
-static int
-find_timedata(const char *s) {
-	return (find_metadata(s, timetags, TIMING_NTAGS));
-}
-
-static int
-find_numericdata(const char *s) {
-	return (find_metadata(s, numerictags, NUMERIC_NTAGS));
-}
-
-static int
-check_rsa(const dst_private_t *priv) {
-	int i, j;
-	isc_boolean_t have[RSA_NTAGS];
-	isc_boolean_t ok;
-	unsigned int mask;
-
-	for (i = 0; i < RSA_NTAGS; i++)
-		have[i] = ISC_FALSE;
-	for (j = 0; j < priv->nelements; j++) {
-		for (i = 0; i < RSA_NTAGS; i++)
-			if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i))
-				break;
-		if (i == RSA_NTAGS)
-			return (-1);
-		have[i] = ISC_TRUE;
-	}
-
-	mask = ~0;
-	mask <<= sizeof(mask) * 8 - TAG_SHIFT;
-	mask >>= sizeof(mask) * 8 - TAG_SHIFT;
-
-	if (have[TAG_RSA_ENGINE & mask])
-		ok = have[TAG_RSA_MODULUS & mask] &&
-		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
-		     have[TAG_RSA_LABEL & mask];
-	else
-		ok = have[TAG_RSA_MODULUS & mask] &&
-		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
-		     have[TAG_RSA_PRIVATEEXPONENT & mask] &&
-		     have[TAG_RSA_PRIME1 & mask] &&
-		     have[TAG_RSA_PRIME2 & mask] &&
-		     have[TAG_RSA_EXPONENT1 & mask] &&
-		     have[TAG_RSA_EXPONENT2 & mask] &&
-		     have[TAG_RSA_COEFFICIENT & mask];
-	return (ok ? 0 : -1 );
-}
-
-static int
-check_dh(const dst_private_t *priv) {
-	int i, j;
-	if (priv->nelements != DH_NTAGS)
-		return (-1);
-	for (i = 0; i < DH_NTAGS; i++) {
-		for (j = 0; j < priv->nelements; j++)
-			if (priv->elements[j].tag == TAG(DST_ALG_DH, i))
-				break;
-		if (j == priv->nelements)
-			return (-1);
-	}
-	return (0);
-}
-
-static int
-check_dsa(const dst_private_t *priv) {
-	int i, j;
-	if (priv->nelements != DSA_NTAGS)
-		return (-1);
-	for (i = 0; i < DSA_NTAGS; i++) {
-		for (j = 0; j < priv->nelements; j++)
-			if (priv->elements[j].tag == TAG(DST_ALG_DSA, i))
-				break;
-		if (j == priv->nelements)
-			return (-1);
-	}
-	return (0);
-}
-
-static int
-check_gost(const dst_private_t *priv) {
-	if (priv->nelements != GOST_NTAGS)
-		return (-1);
-	if (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0))
-		return (-1);
-	return (0);
-}
-
-static int
-check_ecdsa(const dst_private_t *priv) {
-	if (priv->nelements != ECDSA_NTAGS)
-		return (-1);
-	if (priv->elements[0].tag != TAG(DST_ALG_ECDSA256, 0))
-		return (-1);
-	return (0);
-}
-
-static int
-check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
-	int i, j;
-
-	if (priv->nelements != HMACMD5_NTAGS) {
-		/*
-		 * If this is a good old format and we are accepting
-		 * the old format return success.
-		 */
-		if (old && priv->nelements == OLD_HMACMD5_NTAGS &&
-		    priv->elements[0].tag == TAG_HMACMD5_KEY)
-			return (0);
-		return (-1);
-	}
-	/*
-	 * We must be new format at this point.
-	 */
-	for (i = 0; i < HMACMD5_NTAGS; i++) {
-		for (j = 0; j < priv->nelements; j++)
-			if (priv->elements[j].tag == TAG(DST_ALG_HMACMD5, i))
-				break;
-		if (j == priv->nelements)
-			return (-1);
-	}
-	return (0);
-}
-
-static int
-check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
-	       unsigned int alg)
-{
-	unsigned int i, j;
-	if (priv->nelements != ntags)
-		return (-1);
-	for (i = 0; i < ntags; i++) {
-		for (j = 0; j < priv->nelements; j++)
-			if (priv->elements[j].tag == TAG(alg, i))
-				break;
-		if (j == priv->nelements)
-			return (-1);
-	}
-	return (0);
-}
-
-static int
-check_data(const dst_private_t *priv, const unsigned int alg,
-	   isc_boolean_t old)
-{
-	/* XXXVIX this switch statement is too sparse to gen a jump table. */
-	switch (alg) {
-	case DST_ALG_RSAMD5:
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-	case DST_ALG_RSASHA256:
-	case DST_ALG_RSASHA512:
-		return (check_rsa(priv));
-	case DST_ALG_DH:
-		return (check_dh(priv));
-	case DST_ALG_DSA:
-	case DST_ALG_NSEC3DSA:
-		return (check_dsa(priv));
-	case DST_ALG_ECCGOST:
-		return (check_gost(priv));
-	case DST_ALG_ECDSA256:
-	case DST_ALG_ECDSA384:
-		return (check_ecdsa(priv));
-	case DST_ALG_HMACMD5:
-		return (check_hmac_md5(priv, old));
-	case DST_ALG_HMACSHA1:
-		return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
-	case DST_ALG_HMACSHA224:
-		return (check_hmac_sha(priv, HMACSHA224_NTAGS, alg));
-	case DST_ALG_HMACSHA256:
-		return (check_hmac_sha(priv, HMACSHA256_NTAGS, alg));
-	case DST_ALG_HMACSHA384:
-		return (check_hmac_sha(priv, HMACSHA384_NTAGS, alg));
-	case DST_ALG_HMACSHA512:
-		return (check_hmac_sha(priv, HMACSHA512_NTAGS, alg));
-	default:
-		return (DST_R_UNSUPPORTEDALG);
-	}
-}
-
-void
-dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
-	int i;
-
-	if (priv == NULL)
-		return;
-	for (i = 0; i < priv->nelements; i++) {
-		if (priv->elements[i].data == NULL)
-			continue;
-		memset(priv->elements[i].data, 0, MAXFIELDSIZE);
-		isc_mem_put(mctx, priv->elements[i].data, MAXFIELDSIZE);
-	}
-	priv->nelements = 0;
-}
-
-isc_result_t
-dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
-		      isc_mem_t *mctx, dst_private_t *priv)
-{
-	int n = 0, major, minor, check;
-	isc_buffer_t b;
-	isc_token_t token;
-	unsigned char *data = NULL;
-	unsigned int opt = ISC_LEXOPT_EOL;
-	isc_stdtime_t when;
-	isc_result_t ret;
-
-	REQUIRE(priv != NULL);
-
-	priv->nelements = 0;
-	memset(priv->elements, 0, sizeof(priv->elements));
-
-#define NEXTTOKEN(lex, opt, token)				\
-	do {							\
-		ret = isc_lex_gettoken(lex, opt, token);	\
-		if (ret != ISC_R_SUCCESS)			\
-			goto fail;				\
-	} while (0)
-
-#define READLINE(lex, opt, token)				\
-	do {							\
-		ret = isc_lex_gettoken(lex, opt, token);	\
-		if (ret == ISC_R_EOF)				\
-			break;					\
-		else if (ret != ISC_R_SUCCESS)			\
-			goto fail;				\
-	} while ((*token).type != isc_tokentype_eol)
-
-	/*
-	 * Read the description line.
-	 */
-	NEXTTOKEN(lex, opt, &token);
-	if (token.type != isc_tokentype_string ||
-	    strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
-	{
-		ret = DST_R_INVALIDPRIVATEKEY;
-		goto fail;
-	}
-
-	NEXTTOKEN(lex, opt, &token);
-	if (token.type != isc_tokentype_string ||
-	    (DST_AS_STR(token))[0] != 'v')
-	{
-		ret = DST_R_INVALIDPRIVATEKEY;
-		goto fail;
-	}
-	if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
-	{
-		ret = DST_R_INVALIDPRIVATEKEY;
-		goto fail;
-	}
-
-	if (major > DST_MAJOR_VERSION) {
-		ret = DST_R_INVALIDPRIVATEKEY;
-		goto fail;
-	}
-
-	/*
-	 * Store the private key format version number
-	 */
-	dst_key_setprivateformat(key, major, minor);
-
-	READLINE(lex, opt, &token);
-
-	/*
-	 * Read the algorithm line.
-	 */
-	NEXTTOKEN(lex, opt, &token);
-	if (token.type != isc_tokentype_string ||
-	    strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
-	{
-		ret = DST_R_INVALIDPRIVATEKEY;
-		goto fail;
-	}
-
-	NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
-	if (token.type != isc_tokentype_number ||
-	    token.value.as_ulong != (unsigned long) dst_key_alg(key))
-	{
-		ret = DST_R_INVALIDPRIVATEKEY;
-		goto fail;
-	}
-
-	READLINE(lex, opt, &token);
-
-	/*
-	 * Read the key data.
-	 */
-	for (n = 0; n < MAXFIELDS; n++) {
-		int tag;
-		isc_region_t r;
-		do {
-			ret = isc_lex_gettoken(lex, opt, &token);
-			if (ret == ISC_R_EOF)
-				goto done;
-			if (ret != ISC_R_SUCCESS)
-				goto fail;
-		} while (token.type == isc_tokentype_eol);
-
-		if (token.type != isc_tokentype_string) {
-			ret = DST_R_INVALIDPRIVATEKEY;
-			goto fail;
-		}
-
-		/* Numeric metadata */
-		tag = find_numericdata(DST_AS_STR(token));
-		if (tag >= 0) {
-			INSIST(tag < NUMERIC_NTAGS);
-
-			NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
-			if (token.type != isc_tokentype_number) {
-				ret = DST_R_INVALIDPRIVATEKEY;
-				goto fail;
-			}
-
-			dst_key_setnum(key, tag, token.value.as_ulong);
-			goto next;
-		}
-
-		/* Timing metadata */
-		tag = find_timedata(DST_AS_STR(token));
-		if (tag >= 0) {
-			INSIST(tag < TIMING_NTAGS);
-
-			NEXTTOKEN(lex, opt, &token);
-			if (token.type != isc_tokentype_string) {
-				ret = DST_R_INVALIDPRIVATEKEY;
-				goto fail;
-			}
-
-			ret = dns_time32_fromtext(DST_AS_STR(token), &when);
-			if (ret != ISC_R_SUCCESS)
-				goto fail;
-
-			dst_key_settime(key, tag, when);
-
-			goto next;
-		}
-
-		/* Key data */
-		tag = find_value(DST_AS_STR(token), alg);
-		if (tag < 0 && minor > DST_MINOR_VERSION)
-			goto next;
-		else if (tag < 0) {
-			ret = DST_R_INVALIDPRIVATEKEY;
-			goto fail;
-		}
-
-		priv->elements[n].tag = tag;
-
-		data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
-		if (data == NULL)
-			goto fail;
-
-		isc_buffer_init(&b, data, MAXFIELDSIZE);
-		ret = isc_base64_tobuffer(lex, &b, -1);
-		if (ret != ISC_R_SUCCESS)
-			goto fail;
-
-		isc_buffer_usedregion(&b, &r);
-		priv->elements[n].length = r.length;
-		priv->elements[n].data = r.base;
-		priv->nelements++;
-
-	  next:
-		READLINE(lex, opt, &token);
-		data = NULL;
-	}
- done:
-	check = check_data(priv, alg, ISC_TRUE);
-	if (check < 0) {
-		ret = DST_R_INVALIDPRIVATEKEY;
-		goto fail;
-	} else if (check != ISC_R_SUCCESS) {
-		ret = check;
-		goto fail;
-	}
-
-	return (ISC_R_SUCCESS);
-
-fail:
-	dst__privstruct_free(priv, mctx);
-	if (data != NULL)
-		isc_mem_put(mctx, data, MAXFIELDSIZE);
-
-	return (ret);
-}
-
-isc_result_t
-dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
-			  const char *directory)
-{
-	FILE *fp;
-	isc_result_t result;
-	char filename[ISC_DIR_NAMEMAX];
-	char buffer[MAXFIELDSIZE * 2];
-	isc_fsaccess_t access;
-	isc_stdtime_t when;
-	isc_uint32_t value;
-	isc_buffer_t b;
-	isc_region_t r;
-	int major, minor;
-	mode_t mode;
-	int i, ret;
-
-	REQUIRE(priv != NULL);
-
-	ret = check_data(priv, dst_key_alg(key), ISC_FALSE);
-	if (ret < 0)
-		return (DST_R_INVALIDPRIVATEKEY);
-	else if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_init(&b, filename, sizeof(filename));
-	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = isc_file_mode(filename, &mode);
-	if (result == ISC_R_SUCCESS && mode != 0600) {
-		/* File exists; warn that we are changing its permissions */
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
-			      "Permissions on the file %s "
-			      "have changed from 0%o to 0600 as "
-			      "a result of this operation.",
-			      filename, (unsigned int)mode);
-	}
-
-	if ((fp = fopen(filename, "w")) == NULL)
-		return (DST_R_WRITEERROR);
-
-	access = 0;
-	isc_fsaccess_add(ISC_FSACCESS_OWNER,
-			 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
-			 &access);
-	(void)isc_fsaccess_set(filename, access);
-
-	dst_key_getprivateformat(key, &major, &minor);
-	if (major == 0 && minor == 0) {
-		major = DST_MAJOR_VERSION;
-		minor = DST_MINOR_VERSION;
-	}
-
-	/* XXXDCL return value should be checked for full filesystem */
-	fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
-
-	fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
-
-	/* XXXVIX this switch statement is too sparse to gen a jump table. */
-	switch (dst_key_alg(key)) {
-	case DST_ALG_RSAMD5:
-		fprintf(fp, "(RSA)\n");
-		break;
-	case DST_ALG_DH:
-		fprintf(fp, "(DH)\n");
-		break;
-	case DST_ALG_DSA:
-		fprintf(fp, "(DSA)\n");
-		break;
-	case DST_ALG_RSASHA1:
-		fprintf(fp, "(RSASHA1)\n");
-		break;
-	case DST_ALG_NSEC3RSASHA1:
-		fprintf(fp, "(NSEC3RSASHA1)\n");
-		break;
-	case DST_ALG_NSEC3DSA:
-		fprintf(fp, "(NSEC3DSA)\n");
-		break;
-	case DST_ALG_RSASHA256:
-		fprintf(fp, "(RSASHA256)\n");
-		break;
-	case DST_ALG_RSASHA512:
-		fprintf(fp, "(RSASHA512)\n");
-		break;
-	case DST_ALG_ECCGOST:
-		fprintf(fp, "(ECC-GOST)\n");
-		break;
-	case DST_ALG_ECDSA256:
-		fprintf(fp, "(ECDSAP256SHA256)\n");
-		break;
-	case DST_ALG_ECDSA384:
-		fprintf(fp, "(ECDSAP384SHA384)\n");
-		break;
-	case DST_ALG_HMACMD5:
-		fprintf(fp, "(HMAC_MD5)\n");
-		break;
-	case DST_ALG_HMACSHA1:
-		fprintf(fp, "(HMAC_SHA1)\n");
-		break;
-	case DST_ALG_HMACSHA224:
-		fprintf(fp, "(HMAC_SHA224)\n");
-		break;
-	case DST_ALG_HMACSHA256:
-		fprintf(fp, "(HMAC_SHA256)\n");
-		break;
-	case DST_ALG_HMACSHA384:
-		fprintf(fp, "(HMAC_SHA384)\n");
-		break;
-	case DST_ALG_HMACSHA512:
-		fprintf(fp, "(HMAC_SHA512)\n");
-		break;
-	default:
-		fprintf(fp, "(?)\n");
-		break;
-	}
-
-	for (i = 0; i < priv->nelements; i++) {
-		const char *s;
-
-		s = find_tag(priv->elements[i].tag);
-
-		r.base = priv->elements[i].data;
-		r.length = priv->elements[i].length;
-		isc_buffer_init(&b, buffer, sizeof(buffer));
-		result = isc_base64_totext(&r, sizeof(buffer), "", &b);
-		if (result != ISC_R_SUCCESS) {
-			fclose(fp);
-			return (DST_R_INVALIDPRIVATEKEY);
-		}
-		isc_buffer_usedregion(&b, &r);
-
-	       fprintf(fp, "%s %.*s\n", s, (int)r.length, r.base);
-	}
-
-	/* Add the metadata tags */
-	if (major > 1 || (major == 1 && minor >= 3)) {
-		for (i = 0; i < NUMERIC_NTAGS; i++) {
-			result = dst_key_getnum(key, i, &value);
-			if (result != ISC_R_SUCCESS)
-				continue;
-			fprintf(fp, "%s %u\n", numerictags[i], value);
-		}
-		for (i = 0; i < TIMING_NTAGS; i++) {
-			result = dst_key_gettime(key, i, &when);
-			if (result != ISC_R_SUCCESS)
-				continue;
-
-			isc_buffer_init(&b, buffer, sizeof(buffer));
-			result = dns_time32_totext(when, &b);
-		       if (result != ISC_R_SUCCESS) {
-			       fclose(fp);
-			       return (DST_R_INVALIDPRIVATEKEY);
-		       }
-
-			isc_buffer_usedregion(&b, &r);
-
-		       fprintf(fp, "%s %.*s\n", timetags[i], (int)r.length,
-				r.base);
-		}
-	}
-
-	fflush(fp);
-	result = ferror(fp) ? DST_R_WRITEERROR : ISC_R_SUCCESS;
-	fclose(fp);
-	return (result);
-}
-
-/*! \file */
diff --git a/contrib/bind9/lib/dns/dst_parse.h b/contrib/bind9/lib/dns/dst_parse.h
deleted file mode 100644
index f048bf0..0000000
--- a/contrib/bind9/lib/dns/dst_parse.h
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dst_parse.h,v 1.17 2010/12/23 23:47:08 tbox Exp $ */
-
-/*! \file */
-#ifndef DST_DST_PARSE_H
-#define DST_DST_PARSE_H 1
-
-#include <isc/lang.h>
-
-#include <dst/dst.h>
-
-#define MAXFIELDSIZE		512
-
-/*
- * Maximum number of fields in a private file is 18 (12 algorithm-
- * specific fields for RSA, plus 6 generic fields).
- */
-#define MAXFIELDS		12+6
-
-#define TAG_SHIFT		4
-#define TAG_ALG(tag)		((unsigned int)(tag) >> TAG_SHIFT)
-#define TAG(alg, off)		(((alg) << TAG_SHIFT) + (off))
-
-/* These are used by both RSA-MD5 and RSA-SHA1 */
-#define RSA_NTAGS		11
-#define TAG_RSA_MODULUS		((DST_ALG_RSAMD5 << TAG_SHIFT) + 0)
-#define TAG_RSA_PUBLICEXPONENT	((DST_ALG_RSAMD5 << TAG_SHIFT) + 1)
-#define TAG_RSA_PRIVATEEXPONENT	((DST_ALG_RSAMD5 << TAG_SHIFT) + 2)
-#define TAG_RSA_PRIME1		((DST_ALG_RSAMD5 << TAG_SHIFT) + 3)
-#define TAG_RSA_PRIME2		((DST_ALG_RSAMD5 << TAG_SHIFT) + 4)
-#define TAG_RSA_EXPONENT1	((DST_ALG_RSAMD5 << TAG_SHIFT) + 5)
-#define TAG_RSA_EXPONENT2	((DST_ALG_RSAMD5 << TAG_SHIFT) + 6)
-#define TAG_RSA_COEFFICIENT	((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
-#define TAG_RSA_ENGINE		((DST_ALG_RSAMD5 << TAG_SHIFT) + 8)
-#define TAG_RSA_LABEL		((DST_ALG_RSAMD5 << TAG_SHIFT) + 9)
-#define TAG_RSA_PIN		((DST_ALG_RSAMD5 << TAG_SHIFT) + 10)
-
-#define DH_NTAGS		4
-#define TAG_DH_PRIME		((DST_ALG_DH << TAG_SHIFT) + 0)
-#define TAG_DH_GENERATOR	((DST_ALG_DH << TAG_SHIFT) + 1)
-#define TAG_DH_PRIVATE		((DST_ALG_DH << TAG_SHIFT) + 2)
-#define TAG_DH_PUBLIC		((DST_ALG_DH << TAG_SHIFT) + 3)
-
-#define DSA_NTAGS		5
-#define TAG_DSA_PRIME		((DST_ALG_DSA << TAG_SHIFT) + 0)
-#define TAG_DSA_SUBPRIME	((DST_ALG_DSA << TAG_SHIFT) + 1)
-#define TAG_DSA_BASE		((DST_ALG_DSA << TAG_SHIFT) + 2)
-#define TAG_DSA_PRIVATE		((DST_ALG_DSA << TAG_SHIFT) + 3)
-#define TAG_DSA_PUBLIC		((DST_ALG_DSA << TAG_SHIFT) + 4)
-
-#define GOST_NTAGS		1
-#define TAG_GOST_PRIVASN1	((DST_ALG_ECCGOST << TAG_SHIFT) + 0)
-
-#define ECDSA_NTAGS		1
-#define TAG_ECDSA_PRIVATEKEY	((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
-
-#define OLD_HMACMD5_NTAGS	1
-#define HMACMD5_NTAGS		2
-#define TAG_HMACMD5_KEY		((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
-#define TAG_HMACMD5_BITS	((DST_ALG_HMACMD5 << TAG_SHIFT) + 1)
-
-#define HMACSHA1_NTAGS		2
-#define TAG_HMACSHA1_KEY	((DST_ALG_HMACSHA1 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA1_BITS	((DST_ALG_HMACSHA1 << TAG_SHIFT) + 1)
-
-#define HMACSHA224_NTAGS	2
-#define TAG_HMACSHA224_KEY	((DST_ALG_HMACSHA224 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA224_BITS	((DST_ALG_HMACSHA224 << TAG_SHIFT) + 1)
-
-#define HMACSHA256_NTAGS	2
-#define TAG_HMACSHA256_KEY	((DST_ALG_HMACSHA256 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA256_BITS	((DST_ALG_HMACSHA256 << TAG_SHIFT) + 1)
-
-#define HMACSHA384_NTAGS	2
-#define TAG_HMACSHA384_KEY	((DST_ALG_HMACSHA384 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA384_BITS	((DST_ALG_HMACSHA384 << TAG_SHIFT) + 1)
-
-#define HMACSHA512_NTAGS	2
-#define TAG_HMACSHA512_KEY	((DST_ALG_HMACSHA512 << TAG_SHIFT) + 0)
-#define TAG_HMACSHA512_BITS	((DST_ALG_HMACSHA512 << TAG_SHIFT) + 1)
-
-struct dst_private_element {
-	unsigned short tag;
-	unsigned short length;
-	unsigned char *data;
-};
-
-typedef struct dst_private_element dst_private_element_t;
-
-struct dst_private {
-	unsigned short nelements;
-	dst_private_element_t elements[MAXFIELDS];
-};
-
-typedef struct dst_private dst_private_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
-
-isc_result_t
-dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
-		      isc_mem_t *mctx, dst_private_t *priv);
-
-isc_result_t
-dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
-			  const char *directory);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_DST_PARSE_H */
diff --git a/contrib/bind9/lib/dns/dst_result.c b/contrib/bind9/lib/dns/dst_result.c
deleted file mode 100644
index 297e809..0000000
--- a/contrib/bind9/lib/dns/dst_result.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*%
- * Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.7 2008/04/01 23:47:10 tbox Exp $
- */
-
-#include <config.h>
-
-#include <isc/once.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-#include <dst/lib.h>
-
-static const char *text[DST_R_NRESULTS] = {
-	"algorithm is unsupported",		/*%< 0 */
-	"crypto failure",			/*%< 1 */
-	"built with no crypto support",		/*%< 2 */
-	"illegal operation for a null key",	/*%< 3 */
-	"public key is invalid",		/*%< 4 */
-	"private key is invalid",		/*%< 5 */
-	"UNUSED6",				/*%< 6 */
-	"error occurred writing key to disk",	/*%< 7 */
-	"invalid algorithm specific parameter",	/*%< 8 */
-	"UNUSED9",				/*%< 9 */
-	"UNUSED10",				/*%< 10 */
-	"sign failure",				/*%< 11 */
-	"UNUSED12",				/*%< 12 */
-	"UNUSED13",				/*%< 13 */
-	"verify failure",			/*%< 14 */
-	"not a public key",			/*%< 15 */
-	"not a private key",			/*%< 16 */
-	"not a key that can compute a secret",	/*%< 17 */
-	"failure computing a shared secret",	/*%< 18 */
-	"no randomness available",		/*%< 19 */
-	"bad key type",				/*%< 20 */
-	"no engine"				/*%< 21 */
-};
-
-#define DST_RESULT_RESULTSET			2
-
-static isc_once_t		once = ISC_ONCE_INIT;
-
-static void
-initialize_action(void) {
-	isc_result_t result;
-
-	result = isc_result_register(ISC_RESULTCLASS_DST, DST_R_NRESULTS,
-				     text, dst_msgcat, DST_RESULT_RESULTSET);
-	if (result != ISC_R_SUCCESS)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_result_register() failed: %u", result);
-}
-
-static void
-initialize(void) {
-	dst_lib_initmsgcat();
-	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-const char *
-dst_result_totext(isc_result_t result) {
-	initialize();
-
-	return (isc_result_totext(result));
-}
-
-void
-dst_result_register(void) {
-	initialize();
-}
-
-/*! \file */
diff --git a/contrib/bind9/lib/dns/ecdb.c b/contrib/bind9/lib/dns/ecdb.c
deleted file mode 100644
index 8b3f774..0000000
--- a/contrib/bind9/lib/dns/ecdb.c
+++ /dev/null
@@ -1,827 +0,0 @@
-/*
- * Copyright (C) 2009-2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ecdb.c,v 1.10 2011/12/20 00:06:53 marka Exp $ */
-
-#include "config.h"
-
-#include <isc/result.h>
-#include <isc/util.h>
-#include <isc/mutex.h>
-#include <isc/mem.h>
-
-#include <dns/db.h>
-#include <dns/ecdb.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdataslab.h>
-
-#define ECDB_MAGIC		ISC_MAGIC('E', 'C', 'D', 'B')
-#define VALID_ECDB(db)		((db) != NULL && \
-				 (db)->common.impmagic == ECDB_MAGIC)
-
-#define ECDBNODE_MAGIC		ISC_MAGIC('E', 'C', 'D', 'N')
-#define VALID_ECDBNODE(ecdbn)	ISC_MAGIC_VALID(ecdbn, ECDBNODE_MAGIC)
-
-/*%
- * The 'ephemeral' cache DB (ecdb) implementation.  An ecdb just provides
- * temporary storage for ongoing name resolution with the common DB interfaces.
- * It actually doesn't cache anything.  The implementation expects any stored
- * data is released within a short period, and does not care about the
- * scalability in terms of the number of nodes.
- */
-
-typedef struct dns_ecdb {
-	/* Unlocked */
-	dns_db_t			common;
-	isc_mutex_t			lock;
-
-	/* Locked */
-	unsigned int			references;
-	ISC_LIST(struct dns_ecdbnode)	nodes;
-} dns_ecdb_t;
-
-typedef struct dns_ecdbnode {
-	/* Unlocked */
-	unsigned int			magic;
-	isc_mutex_t			lock;
-	dns_ecdb_t			*ecdb;
-	dns_name_t			name;
-	ISC_LINK(struct dns_ecdbnode)	link;
-
-	/* Locked */
-	ISC_LIST(struct rdatasetheader)	rdatasets;
-	unsigned int			references;
-} dns_ecdbnode_t;
-
-typedef struct rdatasetheader {
-	dns_rdatatype_t			type;
-	dns_ttl_t			ttl;
-	dns_trust_t			trust;
-	dns_rdatatype_t			covers;
-	unsigned int			attributes;
-
-	ISC_LINK(struct rdatasetheader)	link;
-} rdatasetheader_t;
-
-/* Copied from rbtdb.c */
-#define RDATASET_ATTR_NXDOMAIN		0x0010
-#define RDATASET_ATTR_NEGATIVE		0x0100
-#define NXDOMAIN(header) \
-	(((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
-#define NEGATIVE(header) \
-	(((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
-
-static isc_result_t dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin,
-				    dns_dbtype_t type,
-				    dns_rdataclass_t rdclass,
-				    unsigned int argc, char *argv[],
-				    void *driverarg, dns_db_t **dbp);
-
-static void rdataset_disassociate(dns_rdataset_t *rdataset);
-static isc_result_t rdataset_first(dns_rdataset_t *rdataset);
-static isc_result_t rdataset_next(dns_rdataset_t *rdataset);
-static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
-static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
-static unsigned int rdataset_count(dns_rdataset_t *rdataset);
-static void rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
-
-static dns_rdatasetmethods_t rdataset_methods = {
-	rdataset_disassociate,
-	rdataset_first,
-	rdataset_next,
-	rdataset_current,
-	rdataset_clone,
-	rdataset_count,
-	NULL,			/* addnoqname */
-	NULL,			/* getnoqname */
-	NULL,			/* addclosest */
-	NULL,			/* getclosest */
-	NULL,			/* getadditional */
-	NULL,			/* setadditional */
-	NULL,			/* putadditional */
-	rdataset_settrust,	/* settrust */
-	NULL			/* expire */
-};
-
-typedef struct ecdb_rdatasetiter {
-	dns_rdatasetiter_t		common;
-	rdatasetheader_t	       *current;
-} ecdb_rdatasetiter_t;
-
-static void		rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
-static isc_result_t	rdatasetiter_first(dns_rdatasetiter_t *iterator);
-static isc_result_t	rdatasetiter_next(dns_rdatasetiter_t *iterator);
-static void		rdatasetiter_current(dns_rdatasetiter_t *iterator,
-					     dns_rdataset_t *rdataset);
-
-static dns_rdatasetitermethods_t rdatasetiter_methods = {
-	rdatasetiter_destroy,
-	rdatasetiter_first,
-	rdatasetiter_next,
-	rdatasetiter_current
-};
-
-isc_result_t
-dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp) {
-	REQUIRE(mctx != NULL);
-	REQUIRE(dbimp != NULL && *dbimp == NULL);
-
-	return (dns_db_register("ecdb", dns_ecdb_create, NULL, mctx, dbimp));
-}
-
-void
-dns_ecdb_unregister(dns_dbimplementation_t **dbimp) {
-	REQUIRE(dbimp != NULL && *dbimp != NULL);
-
-	dns_db_unregister(dbimp);
-}
-
-/*%
- * DB routines
- */
-
-static void
-attach(dns_db_t *source, dns_db_t **targetp) {
-	dns_ecdb_t *ecdb = (dns_ecdb_t *)source;
-
-	REQUIRE(VALID_ECDB(ecdb));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	LOCK(&ecdb->lock);
-	ecdb->references++;
-	UNLOCK(&ecdb->lock);
-
-	*targetp = source;
-}
-
-static void
-destroy_ecdb(dns_ecdb_t **ecdbp) {
-	dns_ecdb_t *ecdb = *ecdbp;
-	isc_mem_t *mctx = ecdb->common.mctx;
-
-	if (dns_name_dynamic(&ecdb->common.origin))
-		dns_name_free(&ecdb->common.origin, mctx);
-
-	DESTROYLOCK(&ecdb->lock);
-
-	ecdb->common.impmagic = 0;
-	ecdb->common.magic = 0;
-
-	isc_mem_putanddetach(&mctx, ecdb, sizeof(*ecdb));
-
-	*ecdbp = NULL;
-}
-
-static void
-detach(dns_db_t **dbp) {
-	dns_ecdb_t *ecdb;
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(dbp != NULL);
-	ecdb = (dns_ecdb_t *)*dbp;
-	REQUIRE(VALID_ECDB(ecdb));
-
-	LOCK(&ecdb->lock);
-	ecdb->references--;
-	if (ecdb->references == 0 && ISC_LIST_EMPTY(ecdb->nodes))
-		need_destroy = ISC_TRUE;
-	UNLOCK(&ecdb->lock);
-
-	if (need_destroy)
-		destroy_ecdb(&ecdb);
-
-	*dbp = NULL;
-}
-
-static void
-attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
-	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
-	dns_ecdbnode_t *node = (dns_ecdbnode_t *)source;
-
-	REQUIRE(VALID_ECDB(ecdb));
-	REQUIRE(VALID_ECDBNODE(node));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	LOCK(&node->lock);
-	INSIST(node->references > 0);
-	node->references++;
-	INSIST(node->references != 0);		/* Catch overflow. */
-	UNLOCK(&node->lock);
-
-	*targetp = node;
-}
-
-static void
-destroynode(dns_ecdbnode_t *node) {
-	isc_mem_t *mctx;
-	dns_ecdb_t *ecdb = node->ecdb;
-	isc_boolean_t need_destroydb = ISC_FALSE;
-	rdatasetheader_t *header;
-
-	mctx = ecdb->common.mctx;
-
-	LOCK(&ecdb->lock);
-	ISC_LIST_UNLINK(ecdb->nodes, node, link);
-	if (ecdb->references == 0 && ISC_LIST_EMPTY(ecdb->nodes))
-		need_destroydb = ISC_TRUE;
-	UNLOCK(&ecdb->lock);
-
-	dns_name_free(&node->name, mctx);
-
-	while ((header = ISC_LIST_HEAD(node->rdatasets)) != NULL) {
-		unsigned int headersize;
-
-		ISC_LIST_UNLINK(node->rdatasets, header, link);
-		headersize =
-			dns_rdataslab_size((unsigned char *)header,
-					   sizeof(*header));
-		isc_mem_put(mctx, header, headersize);
-	}
-
-	DESTROYLOCK(&node->lock);
-
-	node->magic = 0;
-	isc_mem_put(mctx, node, sizeof(*node));
-
-	if (need_destroydb)
-		destroy_ecdb(&ecdb);
-}
-
-static void
-detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
-	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
-	dns_ecdbnode_t *node;
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(VALID_ECDB(ecdb));
-	REQUIRE(nodep != NULL);
-	node = (dns_ecdbnode_t *)*nodep;
-	REQUIRE(VALID_ECDBNODE(node));
-
-	UNUSED(ecdb);		/* in case REQUIRE() is empty */
-
-	LOCK(&node->lock);
-	INSIST(node->references > 0);
-	node->references--;
-	if (node->references == 0)
-		need_destroy = ISC_TRUE;
-	UNLOCK(&node->lock);
-
-	if (need_destroy)
-		destroynode(node);
-
-	*nodep = NULL;
-}
-
-static isc_result_t
-find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-    dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
-    dns_rdataset_t *sigrdataset)
-{
-	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
-
-	REQUIRE(VALID_ECDB(ecdb));
-
-	UNUSED(name);
-	UNUSED(version);
-	UNUSED(type);
-	UNUSED(options);
-	UNUSED(now);
-	UNUSED(nodep);
-	UNUSED(foundname);
-	UNUSED(rdataset);
-	UNUSED(sigrdataset);
-
-	return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-findzonecut(dns_db_t *db, dns_name_t *name,
-	    unsigned int options, isc_stdtime_t now,
-	    dns_dbnode_t **nodep, dns_name_t *foundname,
-	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
-
-	REQUIRE(VALID_ECDB(ecdb));
-
-	UNUSED(name);
-	UNUSED(options);
-	UNUSED(now);
-	UNUSED(nodep);
-	UNUSED(foundname);
-	UNUSED(rdataset);
-	UNUSED(sigrdataset);
-
-	return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
-	 dns_dbnode_t **nodep)
-{
-	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
-	isc_mem_t *mctx;
-	dns_ecdbnode_t *node;
-	isc_result_t result;
-
-	REQUIRE(VALID_ECDB(ecdb));
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	UNUSED(name);
-
-	if (create != ISC_TRUE)	{
-		/* an 'ephemeral' node is never reused. */
-		return (ISC_R_NOTFOUND);
-	}
-
-	mctx = ecdb->common.mctx;
-	node = isc_mem_get(mctx, sizeof(*node));
-	if (node == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&node->lock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		isc_mem_put(mctx, node, sizeof(*node));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	dns_name_init(&node->name, NULL);
-	result = dns_name_dup(name, mctx, &node->name);
-	if (result != ISC_R_SUCCESS) {
-		DESTROYLOCK(&node->lock);
-		isc_mem_put(mctx, node, sizeof(*node));
-		return (result);
-	}
-	node->ecdb= ecdb;
-	node->references = 1;
-	ISC_LIST_INIT(node->rdatasets);
-
-	ISC_LINK_INIT(node, link);
-
-	LOCK(&ecdb->lock);
-	ISC_LIST_APPEND(ecdb->nodes, node, link);
-	UNLOCK(&ecdb->lock);
-
-	node->magic = ECDBNODE_MAGIC;
-
-	*nodep = node;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-bind_rdataset(dns_ecdb_t *ecdb, dns_ecdbnode_t *node,
-	      rdatasetheader_t *header, dns_rdataset_t *rdataset)
-{
-	unsigned char *raw;
-
-	/*
-	 * Caller must be holding the node lock.
-	 */
-
-	REQUIRE(!dns_rdataset_isassociated(rdataset));
-
-	rdataset->methods = &rdataset_methods;
-	rdataset->rdclass = ecdb->common.rdclass;
-	rdataset->type = header->type;
-	rdataset->covers = header->covers;
-	rdataset->ttl = header->ttl;
-	rdataset->trust = header->trust;
-	if (NXDOMAIN(header))
-		rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
-	if (NEGATIVE(header))
-		rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
-
-	rdataset->private1 = ecdb;
-	rdataset->private2 = node;
-	raw = (unsigned char *)header + sizeof(*header);
-	rdataset->private3 = raw;
-	rdataset->count = 0;
-
-	/*
-	 * Reset iterator state.
-	 */
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-
-	INSIST(node->references > 0);
-	node->references++;
-}
-
-static isc_result_t
-addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
-	    dns_rdataset_t *addedrdataset)
-{
-	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
-	isc_region_t r;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_mem_t *mctx;
-	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
-	rdatasetheader_t *header;
-
-	REQUIRE(VALID_ECDB(ecdb));
-	REQUIRE(VALID_ECDBNODE(ecdbnode));
-
-	UNUSED(version);
-	UNUSED(now);
-	UNUSED(options);
-
-	mctx = ecdb->common.mctx;
-
-	LOCK(&ecdbnode->lock);
-
-	/*
-	 * Sanity check: this implementation does not allow overriding an
-	 * existing rdataset of the same type.
-	 */
-	for (header = ISC_LIST_HEAD(ecdbnode->rdatasets); header != NULL;
-	     header = ISC_LIST_NEXT(header, link)) {
-		INSIST(header->type != rdataset->type ||
-		       header->covers != rdataset->covers);
-	}
-
-	result = dns_rdataslab_fromrdataset(rdataset, mctx,
-					    &r, sizeof(rdatasetheader_t));
-	if (result != ISC_R_SUCCESS)
-		goto unlock;
-
-	header = (rdatasetheader_t *)r.base;
-	header->type = rdataset->type;
-	header->ttl = rdataset->ttl;
-	header->trust = rdataset->trust;
-	header->covers = rdataset->covers;
-	header->attributes = 0;
-	if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
-		header->attributes |= RDATASET_ATTR_NXDOMAIN;
-	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
-		header->attributes |= RDATASET_ATTR_NEGATIVE;
-	ISC_LINK_INIT(header, link);
-	ISC_LIST_APPEND(ecdbnode->rdatasets, header, link);
-
-	if (addedrdataset == NULL)
-		goto unlock;
-
-	bind_rdataset(ecdb, ecdbnode, header, addedrdataset);
-
- unlock:
-	UNLOCK(&ecdbnode->lock);
-
-	return (result);
-}
-
-static isc_result_t
-deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	       dns_rdatatype_t type, dns_rdatatype_t covers)
-{
-	UNUSED(db);
-	UNUSED(node);
-	UNUSED(version);
-	UNUSED(type);
-	UNUSED(covers);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-createiterator(dns_db_t *db, unsigned int options,
-	       dns_dbiterator_t **iteratorp)
-{
-	UNUSED(db);
-	UNUSED(options);
-	UNUSED(iteratorp);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
-{
-	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
-	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
-	isc_mem_t *mctx;
-	ecdb_rdatasetiter_t *iterator;
-
-	REQUIRE(VALID_ECDB(ecdb));
-	REQUIRE(VALID_ECDBNODE(ecdbnode));
-
-	mctx = ecdb->common.mctx;
-
-	iterator = isc_mem_get(mctx, sizeof(ecdb_rdatasetiter_t));
-	if (iterator == NULL)
-		return (ISC_R_NOMEMORY);
-
-	iterator->common.magic = DNS_RDATASETITER_MAGIC;
-	iterator->common.methods = &rdatasetiter_methods;
-	iterator->common.db = db;
-	iterator->common.node = NULL;
-	attachnode(db, node, &iterator->common.node);
-	iterator->common.version = version;
-	iterator->common.now = now;
-
-	*iteratorp = (dns_rdatasetiter_t *)iterator;
-
-	return (ISC_R_SUCCESS);
-}
-
-static dns_dbmethods_t ecdb_methods = {
-	attach,
-	detach,
-	NULL,			/* beginload */
-	NULL,			/* endload */
-	NULL,			/* dump */
-	NULL,			/* currentversion */
-	NULL,			/* newversion */
-	NULL,			/* attachversion */
-	NULL,			/* closeversion */
-	findnode,
-	find,
-	findzonecut,
-	attachnode,
-	detachnode,
-	NULL,			/* expirenode */
-	NULL,			/* printnode */
-	createiterator,		/* createiterator */
-	NULL,			/* findrdataset */
-	allrdatasets,
-	addrdataset,
-	NULL,			/* subtractrdataset */
-	deleterdataset,
-	NULL,			/* issecure */
-	NULL,			/* nodecount */
-	NULL,			/* ispersistent */
-	NULL,			/* overmem */
-	NULL,			/* settask */
-	NULL,			/* getoriginnode */
-	NULL,			/* transfernode */
-	NULL,			/* getnsec3parameters */
-	NULL,			/* findnsec3node */
-	NULL,			/* setsigningtime */
-	NULL,			/* getsigningtime */
-	NULL,			/* resigned */
-	NULL,			/* isdnssec */
-	NULL,			/* getrrsetstats */
-	NULL,			/* rpz_enabled */
-	NULL,			/* rpz_findips */
-	NULL,			/* findnodeext */
-	NULL			/* findext */
-};
-
-static isc_result_t
-dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
-		dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
-		void *driverarg, dns_db_t **dbp)
-{
-	dns_ecdb_t *ecdb;
-	isc_result_t result;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(origin == dns_rootname);
-	REQUIRE(type == dns_dbtype_cache);
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	UNUSED(argc);
-	UNUSED(argv);
-	UNUSED(driverarg);
-
-	ecdb = isc_mem_get(mctx, sizeof(*ecdb));
-	if (ecdb == NULL)
-		return (ISC_R_NOMEMORY);
-
-	ecdb->common.attributes = DNS_DBATTR_CACHE;
-	ecdb->common.rdclass = rdclass;
-	ecdb->common.methods = &ecdb_methods;
-	dns_name_init(&ecdb->common.origin, NULL);
-	result = dns_name_dupwithoffsets(origin, mctx, &ecdb->common.origin);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, ecdb, sizeof(*ecdb));
-		return (result);
-	}
-
-	result = isc_mutex_init(&ecdb->lock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		if (dns_name_dynamic(&ecdb->common.origin))
-			dns_name_free(&ecdb->common.origin, mctx);
-		isc_mem_put(mctx, ecdb, sizeof(*ecdb));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	ecdb->references = 1;
-	ISC_LIST_INIT(ecdb->nodes);
-
-	ecdb->common.mctx = NULL;
-	isc_mem_attach(mctx, &ecdb->common.mctx);
-	ecdb->common.impmagic = ECDB_MAGIC;
-	ecdb->common.magic = DNS_DB_MAGIC;
-
-	*dbp = (dns_db_t *)ecdb;
-
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Rdataset Methods
- */
-
-static void
-rdataset_disassociate(dns_rdataset_t *rdataset) {
-	dns_db_t *db = rdataset->private1;
-	dns_dbnode_t *node = rdataset->private2;
-
-	dns_db_detachnode(db, &node);
-}
-
-static isc_result_t
-rdataset_first(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
-	unsigned int count;
-
-	count = raw[0] * 256 + raw[1];
-	if (count == 0) {
-		rdataset->private5 = NULL;
-		return (ISC_R_NOMORE);
-	}
-#if DNS_RDATASET_FIXED
-	raw += 2 + (4 * count);
-#else
-	raw += 2;
-#endif
-	/*
-	 * The privateuint4 field is the number of rdata beyond the cursor
-	 * position, so we decrement the total count by one before storing
-	 * it.
-	 */
-	count--;
-	rdataset->privateuint4 = count;
-	rdataset->private5 = raw;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdataset_next(dns_rdataset_t *rdataset) {
-	unsigned int count;
-	unsigned int length;
-	unsigned char *raw;
-
-	count = rdataset->privateuint4;
-	if (count == 0)
-		return (ISC_R_NOMORE);
-	count--;
-	rdataset->privateuint4 = count;
-	raw = rdataset->private5;
-	length = raw[0] * 256 + raw[1];
-#if DNS_RDATASET_FIXED
-	raw += length + 4;
-#else
-	raw += length + 2;
-#endif
-	rdataset->private5 = raw;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	unsigned char *raw = rdataset->private5;
-	isc_region_t r;
-	unsigned int length;
-	unsigned int flags = 0;
-
-	REQUIRE(raw != NULL);
-
-	length = raw[0] * 256 + raw[1];
-#if DNS_RDATASET_FIXED
-	raw += 4;
-#else
-	raw += 2;
-#endif
-	if (rdataset->type == dns_rdatatype_rrsig) {
-		if (*raw & DNS_RDATASLAB_OFFLINE)
-			flags |= DNS_RDATA_OFFLINE;
-		length--;
-		raw++;
-	}
-	r.length = length;
-	r.base = raw;
-	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
-	rdata->flags |= flags;
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-	dns_db_t *db = source->private1;
-	dns_dbnode_t *node = source->private2;
-	dns_dbnode_t *cloned_node = NULL;
-
-	attachnode(db, node, &cloned_node);
-	*target = *source;
-
-	/*
-	 * Reset iterator state.
-	 */
-	target->privateuint4 = 0;
-	target->private5 = NULL;
-}
-
-static unsigned int
-rdataset_count(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
-	unsigned int count;
-
-	count = raw[0] * 256 + raw[1];
-
-	return (count);
-}
-
-static void
-rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
-	rdatasetheader_t *header = rdataset->private3;
-
-	header--;
-	header->trust = rdataset->trust = trust;
-}
-
-/*
- * Rdataset Iterator Methods
- */
-
-static void
-rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
-	ecdb_rdatasetiter_t *ecdbiterator;
-	isc_mem_t *mctx;
-
-	REQUIRE(iteratorp != NULL);
-	ecdbiterator = (ecdb_rdatasetiter_t *)*iteratorp;
-	REQUIRE(DNS_RDATASETITER_VALID(&ecdbiterator->common));
-
-	mctx = ecdbiterator->common.db->mctx;
-
-	ecdbiterator->common.magic = 0;
-
-	dns_db_detachnode(ecdbiterator->common.db, &ecdbiterator->common.node);
-	isc_mem_put(mctx, ecdbiterator, sizeof(ecdb_rdatasetiter_t));
-
-	*iteratorp = NULL;
-}
-
-static isc_result_t
-rdatasetiter_first(dns_rdatasetiter_t *iterator) {
-	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
-	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)iterator->node;
-
-	REQUIRE(DNS_RDATASETITER_VALID(iterator));
-
-	if (ISC_LIST_EMPTY(ecdbnode->rdatasets))
-		return (ISC_R_NOMORE);
-	ecdbiterator->current = ISC_LIST_HEAD(ecdbnode->rdatasets);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdatasetiter_next(dns_rdatasetiter_t *iterator) {
-	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
-
-	REQUIRE(DNS_RDATASETITER_VALID(iterator));
-
-	ecdbiterator->current = ISC_LIST_NEXT(ecdbiterator->current, link);
-	if (ecdbiterator->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static void
-rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
-	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
-	dns_ecdb_t *ecdb;
-
-	ecdb = (dns_ecdb_t *)iterator->db;
-	REQUIRE(VALID_ECDB(ecdb));
-
-	bind_rdataset(ecdb, iterator->node, ecdbiterator->current, rdataset);
-}
diff --git a/contrib/bind9/lib/dns/forward.c b/contrib/bind9/lib/dns/forward.c
deleted file mode 100644
index 7ec4e5c..0000000
--- a/contrib/bind9/lib/dns/forward.c
+++ /dev/null
@@ -1,215 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: forward.c,v 1.14 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/rwlock.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <dns/forward.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-#include <dns/types.h>
-
-struct dns_fwdtable {
-	/* Unlocked. */
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	isc_rwlock_t		rwlock;
-	/* Locked by lock. */
-	dns_rbt_t		*table;
-};
-
-#define FWDTABLEMAGIC		ISC_MAGIC('F', 'w', 'd', 'T')
-#define VALID_FWDTABLE(ft) 	ISC_MAGIC_VALID(ft, FWDTABLEMAGIC)
-
-static void
-auto_detach(void *, void *);
-
-isc_result_t
-dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep) {
-	dns_fwdtable_t *fwdtable;
-	isc_result_t result;
-
-	REQUIRE(fwdtablep != NULL && *fwdtablep == NULL);
-
-	fwdtable = isc_mem_get(mctx, sizeof(dns_fwdtable_t));
-	if (fwdtable == NULL)
-		return (ISC_R_NOMEMORY);
-
-	fwdtable->table = NULL;
-	result = dns_rbt_create(mctx, auto_detach, fwdtable, &fwdtable->table);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_fwdtable;
-
-	result = isc_rwlock_init(&fwdtable->rwlock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_rbt;
-
-	fwdtable->mctx = NULL;
-	isc_mem_attach(mctx, &fwdtable->mctx);
-	fwdtable->magic = FWDTABLEMAGIC;
-	*fwdtablep = fwdtable;
-
-	return (ISC_R_SUCCESS);
-
-   cleanup_rbt:
-	dns_rbt_destroy(&fwdtable->table);
-
-   cleanup_fwdtable:
-	isc_mem_put(mctx, fwdtable, sizeof(dns_fwdtable_t));
-
-	return (result);
-}
-
-isc_result_t
-dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
-		 isc_sockaddrlist_t *addrs, dns_fwdpolicy_t fwdpolicy)
-{
-	isc_result_t result;
-	dns_forwarders_t *forwarders;
-	isc_sockaddr_t *sa, *nsa;
-
-	REQUIRE(VALID_FWDTABLE(fwdtable));
-
-	forwarders = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarders_t));
-	if (forwarders == NULL)
-		return (ISC_R_NOMEMORY);
-
-	ISC_LIST_INIT(forwarders->addrs);
-	for (sa = ISC_LIST_HEAD(*addrs);
-	     sa != NULL;
-	     sa = ISC_LIST_NEXT(sa, link))
-	{
-		nsa = isc_mem_get(fwdtable->mctx, sizeof(isc_sockaddr_t));
-		if (nsa == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-		*nsa = *sa;
-		ISC_LINK_INIT(nsa, link);
-		ISC_LIST_APPEND(forwarders->addrs, nsa, link);
-	}
-	forwarders->fwdpolicy = fwdpolicy;
-
-	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
-	result = dns_rbt_addname(fwdtable->table, name, forwarders);
-	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
-
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	while (!ISC_LIST_EMPTY(forwarders->addrs)) {
-		sa = ISC_LIST_HEAD(forwarders->addrs);
-		ISC_LIST_UNLINK(forwarders->addrs, sa, link);
-		isc_mem_put(fwdtable->mctx, sa, sizeof(isc_sockaddr_t));
-	}
-	isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
-	return (result);
-}
-
-isc_result_t
-dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name) {
-	isc_result_t result;
-
-	REQUIRE(VALID_FWDTABLE(fwdtable));
-
-	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
-	result = dns_rbt_deletename(fwdtable->table, name, ISC_FALSE);
-	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
-
-	if (result == DNS_R_PARTIALMATCH)
-		result = ISC_R_NOTFOUND;
-
-	return (result);
-}
-
-isc_result_t
-dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
-		  dns_forwarders_t **forwardersp)
-{
-	return (dns_fwdtable_find2(fwdtable, name, NULL, forwardersp));
-}
-
-isc_result_t
-dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
-		   dns_name_t *foundname, dns_forwarders_t **forwardersp)
-{
-	isc_result_t result;
-
-	REQUIRE(VALID_FWDTABLE(fwdtable));
-
-	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-
-	result = dns_rbt_findname(fwdtable->table, name, 0, foundname,
-				  (void **)forwardersp);
-	if (result == DNS_R_PARTIALMATCH)
-		result = ISC_R_SUCCESS;
-
-	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-
-	return (result);
-}
-
-void
-dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep) {
-	dns_fwdtable_t *fwdtable;
-	isc_mem_t *mctx;
-
-	REQUIRE(fwdtablep != NULL && VALID_FWDTABLE(*fwdtablep));
-
-	fwdtable = *fwdtablep;
-
-	dns_rbt_destroy(&fwdtable->table);
-	isc_rwlock_destroy(&fwdtable->rwlock);
-	fwdtable->magic = 0;
-	mctx = fwdtable->mctx;
-	isc_mem_put(mctx, fwdtable, sizeof(dns_fwdtable_t));
-	isc_mem_detach(&mctx);
-
-	*fwdtablep = NULL;
-}
-
-/***
- *** Private
- ***/
-
-static void
-auto_detach(void *data, void *arg) {
-	dns_forwarders_t *forwarders = data;
-	dns_fwdtable_t *fwdtable = arg;
-	isc_sockaddr_t *sa;
-
-	UNUSED(arg);
-
-	while (!ISC_LIST_EMPTY(forwarders->addrs)) {
-		sa = ISC_LIST_HEAD(forwarders->addrs);
-		ISC_LIST_UNLINK(forwarders->addrs, sa, link);
-		isc_mem_put(fwdtable->mctx, sa, sizeof(isc_sockaddr_t));
-	}
-	isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
-}
diff --git a/contrib/bind9/lib/dns/gen-unix.h b/contrib/bind9/lib/dns/gen-unix.h
deleted file mode 100644
index 87529d4..0000000
--- a/contrib/bind9/lib/dns/gen-unix.h
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gen-unix.h,v 1.21 2009/01/17 23:47:42 tbox Exp $ */
-
-/*! \file
- * \brief
- * This file is responsible for defining two operations that are not
- * directly portable between Unix-like systems and Windows NT, option
- * parsing and directory scanning.  It is here because it was decided
- * that the "gen" build utility was not to depend on libisc.a, so
- * the functions declared in isc/commandline.h and isc/dir.h could not
- * be used.
- *
- * The commandline stuff is really just a wrapper around getopt().
- * The dir stuff was shrunk to fit the needs of gen.c.
- */
-
-#ifndef DNS_GEN_UNIX_H
-#define DNS_GEN_UNIX_H 1
-
-#include <sys/types.h>          /* Required on some systems for dirent.h. */
-
-#include <dirent.h>
-#include <unistd.h>		/* XXXDCL Required for ?. */
-
-#include <isc/boolean.h>
-#include <isc/lang.h>
-
-#ifdef NEED_OPTARG
-extern char *optarg;
-#endif
-
-#define isc_commandline_parse		getopt
-#define isc_commandline_argument 	optarg
-
-typedef struct {
-	DIR *handle;
-	char *filename;
-} isc_dir_t;
-
-ISC_LANG_BEGINDECLS
-
-static isc_boolean_t
-start_directory(const char *path, isc_dir_t *dir) {
-	dir->handle = opendir(path);
-
-	if (dir->handle != NULL)
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-
-}
-
-static isc_boolean_t
-next_file(isc_dir_t *dir) {
-	struct dirent *dirent;
-
-	dir->filename = NULL;
-
-	if (dir->handle != NULL) {
-		dirent = readdir(dir->handle);
-		if (dirent != NULL)
-			dir->filename = dirent->d_name;
-	}
-
-	if (dir->filename != NULL)
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-}
-
-static void
-end_directory(isc_dir_t *dir) {
-	if (dir->handle != NULL)
-		(void)closedir(dir->handle);
-
-	dir->handle = NULL;
-}
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_GEN_UNIX_H */
diff --git a/contrib/bind9/lib/dns/gen.c b/contrib/bind9/lib/dns/gen.c
deleted file mode 100644
index 6b533dd..0000000
--- a/contrib/bind9/lib/dns/gen.c
+++ /dev/null
@@ -1,910 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*! \file */
-
-#ifdef WIN32
-/*
- * Silence compiler warnings about using strcpy and friends.
- */
-#define _CRT_SECURE_NO_DEPRECATE 1
-/*
- * We use snprintf.
- */
-#define snprintf _snprintf
-#endif
-
-#include <sys/types.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#ifdef WIN32
-#include "gen-win32.h"
-#else
-#include "gen-unix.h"
-#endif
-
-#define INSIST(cond) \
-	if (!(cond)) { \
-		fprintf(stderr, "%s:%d: INSIST(%s)\n", \
-			 __FILE__, __LINE__, #cond); \
-		abort(); \
-	}
-
-#define FROMTEXTARGS "rdclass, type, lexer, origin, options, target, callbacks"
-#define FROMTEXTCLASS "rdclass"
-#define FROMTEXTTYPE "type"
-#define FROMTEXTDEF "result = DNS_R_UNKNOWN"
-
-#define TOTEXTARGS "rdata, tctx, target"
-#define TOTEXTCLASS "rdata->rdclass"
-#define TOTEXTTYPE "rdata->type"
-#define TOTEXTDEF "use_default = ISC_TRUE"
-
-#define FROMWIREARGS "rdclass, type, source, dctx, options, target"
-#define FROMWIRECLASS "rdclass"
-#define FROMWIRETYPE "type"
-#define FROMWIREDEF "use_default = ISC_TRUE"
-
-#define TOWIREARGS "rdata, cctx, target"
-#define TOWIRECLASS "rdata->rdclass"
-#define TOWIRETYPE "rdata->type"
-#define TOWIREDEF "use_default = ISC_TRUE"
-
-#define FROMSTRUCTARGS "rdclass, type, source, target"
-#define FROMSTRUCTCLASS "rdclass"
-#define FROMSTRUCTTYPE "type"
-#define FROMSTRUCTDEF "use_default = ISC_TRUE"
-
-#define TOSTRUCTARGS "rdata, target, mctx"
-#define TOSTRUCTCLASS "rdata->rdclass"
-#define TOSTRUCTTYPE "rdata->type"
-#define TOSTRUCTDEF "use_default = ISC_TRUE"
-
-#define FREESTRUCTARGS "source"
-#define FREESTRUCTCLASS "common->rdclass"
-#define FREESTRUCTTYPE "common->rdtype"
-#define FREESTRUCTDEF NULL
-
-#define COMPAREARGS "rdata1, rdata2"
-#define COMPARECLASS "rdata1->rdclass"
-#define COMPARETYPE "rdata1->type"
-#define COMPAREDEF "use_default = ISC_TRUE"
-
-#define ADDITIONALDATAARGS "rdata, add, arg"
-#define ADDITIONALDATACLASS "rdata->rdclass"
-#define ADDITIONALDATATYPE "rdata->type"
-#define ADDITIONALDATADEF "use_default = ISC_TRUE"
-
-#define DIGESTARGS "rdata, digest, arg"
-#define DIGESTCLASS "rdata->rdclass"
-#define DIGESTTYPE "rdata->type"
-#define DIGESTDEF "use_default = ISC_TRUE"
-
-#define CHECKOWNERARGS "name, rdclass, type, wildcard"
-#define CHECKOWNERCLASS "rdclass"
-#define CHECKOWNERTYPE "type"
-#define CHECKOWNERDEF "result = ISC_TRUE"
-
-#define CHECKNAMESARGS "rdata, owner, bad"
-#define CHECKNAMESCLASS "rdata->rdclass"
-#define CHECKNAMESTYPE "rdata->type"
-#define CHECKNAMESDEF "result = ISC_TRUE"
-
-static const char copyright[] =
-"/*\n"
-" * Copyright (C) 2004%s Internet Systems Consortium, Inc. (\"ISC\")\n"
-" * Copyright (C) 1998-2003 Internet Software Consortium.\n"
-" *\n"
-" * Permission to use, copy, modify, and distribute this software for any\n"
-" * purpose with or without fee is hereby granted, provided that the above\n"
-" * copyright notice and this permission notice appear in all copies.\n"
-" *\n"
-" * THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
-" * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
-" * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
-" * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
-" * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
-" * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
-" * PERFORMANCE OF THIS SOFTWARE.\n"
-" */\n"
-"\n"
-"/***************\n"
-" ***************\n"
-" ***************   THIS FILE IS AUTOMATICALLY GENERATED BY gen.c.\n"
-" ***************   DO NOT EDIT!\n"
-" ***************\n"
-" ***************/\n"
-"\n"
-"/*! \\file */\n"
-"\n";
-
-#define STR_EXPAND(tok) #tok
-#define STR(tok) STR_EXPAND(tok)
-
-#define TYPENAMES 256
-#define TYPECLASSLEN 20		/* DNS mnemonic size. Must be less than 100. */
-#define TYPECLASSBUF (TYPECLASSLEN + 1)
-#define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
-#define ATTRIBUTESIZE 256
-#define DIRNAMESIZE 256
-
-static struct cc {
-	struct cc *next;
-	int rdclass;
-	char classname[TYPECLASSBUF];
-} *classes;
-
-static struct tt {
-	struct tt *next;
-	int rdclass;
-	int type;
-	char classname[TYPECLASSBUF];
-	char typename[TYPECLASSBUF];
-	char dirname[DIRNAMESIZE];	/* XXX Should be max path length */
-} *types;
-
-static struct ttnam {
-	char typename[TYPECLASSBUF];
-	char macroname[TYPECLASSBUF];
-	char attr[ATTRIBUTESIZE];
-	unsigned int sorted;
-	int type;
-} typenames[TYPENAMES];
-
-static int maxtype = -1;
-
-static char *
-upper(char *);
-static char *
-funname(const char *, char *);
-static void
-doswitch(const char *, const char *, const char *, const char *,
-	 const char *, const char *);
-static void
-add(int, const char *, int, const char *, const char *);
-static void
-sd(int, const char *, const char *, char);
-static void
-insert_into_typenames(int, const char *, const char *);
-
-/*%
- * If you use more than 10 of these in, say, a printf(), you'll have problems.
- */
-static char *
-upper(char *s) {
-	static int buf_to_use = 0;
-	static char buf[10][256];
-	char *b;
-	int c;
-
-	buf_to_use++;
-	if (buf_to_use > 9)
-		buf_to_use = 0;
-
-	b = buf[buf_to_use];
-	memset(b, 0, 256);
-
-	while ((c = (*s++) & 0xff))
-		*b++ = islower(c) ? toupper(c) : c;
-	*b = '\0';
-	return (buf[buf_to_use]);
-}
-
-static char *
-funname(const char *s, char *buf) {
-	char *b = buf;
-	char c;
-
-	INSIST(strlen(s) < TYPECLASSBUF);
-	while ((c = *s++)) {
-		*b++ = (c == '-') ? '_' : c;
-	}
-	*b = '\0';
-	return (buf);
-}
-
-static void
-doswitch(const char *name, const char *function, const char *args,
-	 const char *tsw, const char *csw, const char *res)
-{
-	struct tt *tt;
-	int first = 1;
-	int lasttype = 0;
-	int subswitch = 0;
-	char buf1[TYPECLASSBUF], buf2[TYPECLASSBUF];
-	const char *result = " result =";
-
-	if (res == NULL)
-		result = "";
-
-	for (tt = types; tt != NULL; tt = tt->next) {
-		if (first) {
-			fprintf(stdout, "\n#define %s \\\n", name);
-			fprintf(stdout, "\tswitch (%s) { \\\n" /*}*/, tsw);
-			first = 0;
-		}
-		if (tt->type != lasttype && subswitch) {
-			if (res == NULL)
-				fprintf(stdout, "\t\tdefault: break; \\\n");
-			else
-				fprintf(stdout,
-					"\t\tdefault: %s; break; \\\n", res);
-			fputs(/*{*/ "\t\t} \\\n", stdout);
-			fputs("\t\tbreak; \\\n", stdout);
-			subswitch = 0;
-		}
-		if (tt->rdclass && tt->type != lasttype) {
-			fprintf(stdout, "\tcase %d: switch (%s) { \\\n" /*}*/,
-				tt->type, csw);
-			subswitch = 1;
-		}
-		if (tt->rdclass == 0)
-			fprintf(stdout,
-				"\tcase %d:%s %s_%s(%s); break;",
-				tt->type, result, function,
-				funname(tt->typename, buf1), args);
-		else
-			fprintf(stdout,
-				"\t\tcase %d:%s %s_%s_%s(%s); break;",
-				tt->rdclass, result, function,
-				funname(tt->classname, buf1),
-				funname(tt->typename, buf2), args);
-		fputs(" \\\n", stdout);
-		lasttype = tt->type;
-	}
-	if (subswitch) {
-		if (res == NULL)
-			fprintf(stdout, "\t\tdefault: break; \\\n");
-		else
-			fprintf(stdout, "\t\tdefault: %s; break; \\\n", res);
-		fputs(/*{*/ "\t\t} \\\n", stdout);
-		fputs("\t\tbreak; \\\n", stdout);
-	}
-	if (first) {
-		if (res == NULL)
-			fprintf(stdout, "\n#define %s\n", name);
-		else
-			fprintf(stdout, "\n#define %s %s;\n", name, res);
-	} else {
-		if (res == NULL)
-			fprintf(stdout, "\tdefault: break; \\\n");
-		else
-			fprintf(stdout, "\tdefault: %s; break; \\\n", res);
-		fputs(/*{*/ "\t}\n", stdout);
-	}
-}
-
-static struct ttnam *
-find_typename(int type) {
-	int i;
-
-	for (i = 0; i < TYPENAMES; i++) {
-		if (typenames[i].typename[0] != 0 &&
-		    typenames[i].type == type)
-			return (&typenames[i]);
-	}
-	return (NULL);
-}
-
-static void
-insert_into_typenames(int type, const char *typename, const char *attr) {
-	struct ttnam *ttn = NULL;
-	int c, i, n;
-	char tmp[256];
-
-	INSIST(strlen(typename) < TYPECLASSBUF);
-	for (i = 0; i < TYPENAMES; i++) {
-		if (typenames[i].typename[0] != 0 &&
-		    typenames[i].type == type &&
-		    strcmp(typename, typenames[i].typename) != 0) {
-			fprintf(stderr,
-				"Error:  type %d has two names: %s, %s\n",
-				type, typenames[i].typename, typename);
-			exit(1);
-		}
-		if (typenames[i].typename[0] == 0 && ttn == NULL)
-			ttn = &typenames[i];
-	}
-	if (ttn == NULL) {
-		fprintf(stderr, "Error: typenames array too small\n");
-		exit(1);
-	}
-
-	if (strlen(typename) > sizeof(ttn->typename) - 1) {
-		fprintf(stderr, "Error:  type name %s is too long\n",
-			typename);
-		exit(1);
-	}
-	strncpy(ttn->typename, typename, sizeof(ttn->typename));
-	ttn->type = type;
-
-	strncpy(ttn->macroname, ttn->typename, sizeof(ttn->macroname));
-	c = strlen(ttn->macroname);
-	while (c > 0) {
-		if (ttn->macroname[c - 1] == '-')
-			ttn->macroname[c - 1] = '_';
-		c--;
-	}
-
-	if (attr == NULL) {
-		n = snprintf(tmp, sizeof(tmp),
-			     "RRTYPE_%s_ATTRIBUTES", upper(ttn->macroname));
-		INSIST(n > 0 && (unsigned)n < sizeof(tmp));
-		attr = tmp;
-	}
-
-	if (ttn->attr[0] != 0 && strcmp(attr, ttn->attr) != 0) {
-		fprintf(stderr, "Error:  type %d has different attributes: "
-			"%s, %s\n", type, ttn->attr, attr);
-		exit(1);
-	}
-
-	if (strlen(attr) > sizeof(ttn->attr) - 1) {
-		fprintf(stderr, "Error:  attr (%s) [name %s] is too long\n",
-			attr, typename);
-		exit(1);
-	}
-	strncpy(ttn->attr, attr, sizeof(ttn->attr));
-	ttn->sorted = 0;
-	if (maxtype < type)
-		maxtype = type;
-}
-
-static void
-add(int rdclass, const char *classname, int type, const char *typename,
-    const char *dirname)
-{
-	struct tt *newtt = (struct tt *)malloc(sizeof(*newtt));
-	struct tt *tt, *oldtt;
-	struct cc *newcc;
-	struct cc *cc, *oldcc;
-
-	INSIST(strlen(typename) < TYPECLASSBUF);
-	INSIST(strlen(classname) < TYPECLASSBUF);
-	INSIST(strlen(dirname) < DIRNAMESIZE);
-
-	insert_into_typenames(type, typename, NULL);
-
-	if (newtt == NULL) {
-		fprintf(stderr, "malloc() failed\n");
-		exit(1);
-	}
-
-	newtt->next = NULL;
-	newtt->rdclass = rdclass;
-	newtt->type = type;
-	strncpy(newtt->classname, classname, sizeof(newtt->classname));
-	strncpy(newtt->typename, typename, sizeof(newtt->typename));
-	if (strncmp(dirname, "./", 2) == 0)
-		dirname += 2;
-	strncpy(newtt->dirname, dirname, sizeof(newtt->dirname));
-
-	tt = types;
-	oldtt = NULL;
-
-	while ((tt != NULL) && (tt->type < type)) {
-		oldtt = tt;
-		tt = tt->next;
-	}
-
-	while ((tt != NULL) && (tt->type == type) && (tt->rdclass < rdclass)) {
-		if (strcmp(tt->typename, typename) != 0)
-			exit(1);
-		oldtt = tt;
-		tt = tt->next;
-	}
-
-	if ((tt != NULL) && (tt->type == type) && (tt->rdclass == rdclass))
-		exit(1);
-
-	newtt->next = tt;
-	if (oldtt != NULL)
-		oldtt->next = newtt;
-	else
-		types = newtt;
-
-	/*
-	 * Do a class switch for this type.
-	 */
-	if (rdclass == 0)
-		return;
-
-	newcc = (struct cc *)malloc(sizeof(*newcc));
-	if (newcc == NULL) {
-		fprintf(stderr, "malloc() failed\n");
-		exit(1);
-	}
-	newcc->rdclass = rdclass;
-	strncpy(newcc->classname, classname, sizeof(newcc->classname));
-	cc = classes;
-	oldcc = NULL;
-
-	while ((cc != NULL) && (cc->rdclass < rdclass)) {
-		oldcc = cc;
-		cc = cc->next;
-	}
-
-	if ((cc != NULL) && cc->rdclass == rdclass) {
-		free((char *)newcc);
-		return;
-	}
-
-	newcc->next = cc;
-	if (oldcc != NULL)
-		oldcc->next = newcc;
-	else
-		classes = newcc;
-}
-
-static void
-sd(int rdclass, const char *classname, const char *dirname, char filetype) {
-	char buf[TYPECLASSLEN + sizeof("_65535.h")];
-	char typename[TYPECLASSBUF];
-	int type, n;
-	isc_dir_t dir;
-
-	if (!start_directory(dirname, &dir))
-		return;
-
-	while (next_file(&dir)) {
-		if (sscanf(dir.filename, TYPECLASSFMT, typename, &type) != 2)
-			continue;
-		if ((type > 65535) || (type < 0))
-			continue;
-
-		n = snprintf(buf, sizeof(buf), "%s_%d.%c", typename,
-			     type, filetype);
-		INSIST(n > 0 && (unsigned)n < sizeof(buf));
-		if (strcmp(buf, dir.filename) != 0)
-			continue;
-		add(rdclass, classname, type, typename, dirname);
-	}
-
-	end_directory(&dir);
-}
-
-static unsigned int
-HASH(char *string) {
-	unsigned int n;
-	unsigned char a, b;
-
-	n = strlen(string);
-	if (n == 0) {
-		fprintf(stderr, "n == 0?\n");
-		exit(1);
-	}
-	a = tolower((unsigned char)string[0]);
-	b = tolower((unsigned char)string[n - 1]);
-
-	return ((a + n) * b) % 256;
-}
-
-int
-main(int argc, char **argv) {
-	char buf[DIRNAMESIZE];		/* XXX Should be max path length */
-	char srcdir[DIRNAMESIZE];	/* XXX Should be max path length */
-	int rdclass;
-	char classname[TYPECLASSBUF];
-	struct tt *tt;
-	struct cc *cc;
-	struct ttnam *ttn, *ttn2;
-	unsigned int hash;
-	struct tm *tm;
-	time_t now;
-	char year[11];
-	int lasttype;
-	int code = 1;
-	int class_enum = 0;
-	int type_enum = 0;
-	int structs = 0;
-	int depend = 0;
-	int c, i, j, n;
-	char buf1[TYPECLASSBUF];
-	char filetype = 'c';
-	FILE *fd;
-	char *prefix = NULL;
-	char *suffix = NULL;
-	char *file = NULL;
-	isc_dir_t dir;
-
-	for (i = 0; i < TYPENAMES; i++)
-		memset(&typenames[i], 0, sizeof(typenames[i]));
-
-	strcpy(srcdir, "");
-	while ((c = isc_commandline_parse(argc, argv, "cdits:F:P:S:")) != -1)
-		switch (c) {
-		case 'c':
-			code = 0;
-			depend = 0;
-			type_enum = 0;
-			class_enum = 1;
-			filetype = 'c';
-			structs = 0;
-			break;
-		case 'd':
-			code = 0;
-			depend = 1;
-			class_enum = 0;
-			type_enum = 0;
-			structs = 0;
-			filetype = 'h';
-			break;
-		case 't':
-			code = 0;
-			depend = 0;
-			class_enum = 0;
-			type_enum = 1;
-			filetype = 'c';
-			structs = 0;
-			break;
-		case 'i':
-			code = 0;
-			depend = 0;
-			class_enum = 0;
-			type_enum = 0;
-			structs = 1;
-			filetype = 'h';
-			break;
-		case 's':
-			if (strlen(isc_commandline_argument) >
-			    DIRNAMESIZE - 2 * TYPECLASSLEN  -
-			    sizeof("/rdata/_65535_65535")) {
-				fprintf(stderr, "\"%s\" too long\n",
-					isc_commandline_argument);
-				exit(1);
-			}
-			n = snprintf(srcdir, sizeof(srcdir), "%s/",
-				     isc_commandline_argument);
-			INSIST(n > 0 && (unsigned)n < sizeof(srcdir));
-			break;
-		case 'F':
-			file = isc_commandline_argument;
-			break;
-		case 'P':
-			prefix = isc_commandline_argument;
-			break;
-		case 'S':
-			suffix = isc_commandline_argument;
-			break;
-		case '?':
-			exit(1);
-		}
-
-	n = snprintf(buf, sizeof(buf), "%srdata", srcdir);
-	INSIST(n > 0 && (unsigned)n < sizeof(srcdir));
-
-	if (!start_directory(buf, &dir))
-		exit(1);
-
-	while (next_file(&dir)) {
-		if (sscanf(dir.filename, TYPECLASSFMT, classname,
-			   &rdclass) != 2)
-			continue;
-		if ((rdclass > 65535) || (rdclass < 0))
-			continue;
-
-		n = snprintf(buf, sizeof(buf), "%srdata/%s_%d",
-			     srcdir, classname, rdclass);
-		INSIST(n > 0 && (unsigned)n < sizeof(buf));
-		if (strcmp(buf + 6 + strlen(srcdir), dir.filename) != 0)
-			continue;
-		sd(rdclass, classname, buf, filetype);
-	}
-	end_directory(&dir);
-	n = snprintf(buf, sizeof(buf), "%srdata/generic", srcdir);
-	INSIST(n > 0 && (unsigned)n < sizeof(srcdir));
-	sd(0, "", buf, filetype);
-
-	if (time(&now) != -1) {
-		if ((tm = localtime(&now)) != NULL && tm->tm_year > 104) {
-			n = snprintf(year, sizeof(year), "-%d",
-				     tm->tm_year + 1900);
-			INSIST(n > 0 && (unsigned)n < sizeof(year));
-		} else
-			year[0] = 0;
-	} else
-		year[0] = 0;
-
-	if (!depend) fprintf(stdout, copyright, year);
-
-	if (code) {
-		fputs("#ifndef DNS_CODE_H\n", stdout);
-		fputs("#define DNS_CODE_H 1\n\n", stdout);
-
-		fputs("#include <isc/boolean.h>\n", stdout);
-		fputs("#include <isc/result.h>\n\n", stdout);
-		fputs("#include <dns/name.h>\n\n", stdout);
-
-		for (tt = types; tt != NULL; tt = tt->next)
-			fprintf(stdout, "#include \"%s/%s_%d.c\"\n",
-				tt->dirname, tt->typename, tt->type);
-
-		fputs("\n\n", stdout);
-
-		doswitch("FROMTEXTSWITCH", "fromtext", FROMTEXTARGS,
-			 FROMTEXTTYPE, FROMTEXTCLASS, FROMTEXTDEF);
-		doswitch("TOTEXTSWITCH", "totext", TOTEXTARGS,
-			 TOTEXTTYPE, TOTEXTCLASS, TOTEXTDEF);
-		doswitch("FROMWIRESWITCH", "fromwire", FROMWIREARGS,
-			 FROMWIRETYPE, FROMWIRECLASS, FROMWIREDEF);
-		doswitch("TOWIRESWITCH", "towire", TOWIREARGS,
-			 TOWIRETYPE, TOWIRECLASS, TOWIREDEF);
-		doswitch("COMPARESWITCH", "compare", COMPAREARGS,
-			  COMPARETYPE, COMPARECLASS, COMPAREDEF);
-		doswitch("CASECOMPARESWITCH", "casecompare", COMPAREARGS,
-			  COMPARETYPE, COMPARECLASS, COMPAREDEF);
-		doswitch("FROMSTRUCTSWITCH", "fromstruct", FROMSTRUCTARGS,
-			  FROMSTRUCTTYPE, FROMSTRUCTCLASS, FROMSTRUCTDEF);
-		doswitch("TOSTRUCTSWITCH", "tostruct", TOSTRUCTARGS,
-			  TOSTRUCTTYPE, TOSTRUCTCLASS, TOSTRUCTDEF);
-		doswitch("FREESTRUCTSWITCH", "freestruct", FREESTRUCTARGS,
-			  FREESTRUCTTYPE, FREESTRUCTCLASS, FREESTRUCTDEF);
-		doswitch("ADDITIONALDATASWITCH", "additionaldata",
-			 ADDITIONALDATAARGS, ADDITIONALDATATYPE,
-			 ADDITIONALDATACLASS, ADDITIONALDATADEF);
-		doswitch("DIGESTSWITCH", "digest",
-			 DIGESTARGS, DIGESTTYPE,
-			 DIGESTCLASS, DIGESTDEF);
-		doswitch("CHECKOWNERSWITCH", "checkowner",
-			CHECKOWNERARGS, CHECKOWNERTYPE,
-			CHECKOWNERCLASS, CHECKOWNERDEF);
-		doswitch("CHECKNAMESSWITCH", "checknames",
-			CHECKNAMESARGS, CHECKNAMESTYPE,
-			CHECKNAMESCLASS, CHECKNAMESDEF);
-
-		/*
-		 * From here down, we are processing the rdata names and
-		 * attributes.
-		 */
-
-#define PRINT_COMMA(x) (x == maxtype ? "" : ",")
-
-#define METANOTQUESTION  "DNS_RDATATYPEATTR_META | " \
-			 "DNS_RDATATYPEATTR_NOTQUESTION"
-#define METAQUESTIONONLY "DNS_RDATATYPEATTR_META | " \
-			 "DNS_RDATATYPEATTR_QUESTIONONLY"
-#define RESERVED "DNS_RDATATYPEATTR_RESERVED"
-
-		/*
-		 * Add in reserved/special types.  This will let us
-		 * sort them without special cases.
-		 */
-		insert_into_typenames(0, "reserved0", RESERVED);
-		insert_into_typenames(31, "eid", RESERVED);
-		insert_into_typenames(32, "nimloc", RESERVED);
-		insert_into_typenames(34, "atma", RESERVED);
-		insert_into_typenames(100, "uinfo", RESERVED);
-		insert_into_typenames(101, "uid", RESERVED);
-		insert_into_typenames(102, "gid", RESERVED);
-		insert_into_typenames(251, "ixfr", METAQUESTIONONLY);
-		insert_into_typenames(252, "axfr", METAQUESTIONONLY);
-		insert_into_typenames(253, "mailb", METAQUESTIONONLY);
-		insert_into_typenames(254, "maila", METAQUESTIONONLY);
-		insert_into_typenames(255, "any", METAQUESTIONONLY);
-
-		/*
-		 * Spit out a quick and dirty hash function.  Here,
-		 * we walk through the list of type names, and calculate
-		 * a hash.  This isn't perfect, but it will generate "pretty
-		 * good" estimates.  Lowercase the characters before
-		 * computing in all cases.
-		 *
-		 * Here, walk the list from top to bottom, calculating
-		 * the hash (mod 256) for each name.
-		 */
-		fprintf(stdout, "#define RDATATYPE_COMPARE(_s, _d, _tn, _n, _tp) \\\n");
-		fprintf(stdout, "\tdo { \\\n");
-		fprintf(stdout, "\t\tif (sizeof(_s) - 1 == _n && \\\n"
-				"\t\t    strncasecmp(_s,(_tn),"
-				"(sizeof(_s) - 1)) == 0) { \\\n");
-		fprintf(stdout, "\t\t\tif ((dns_rdatatype_attributes(_d) & "
-				  "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
-		fprintf(stdout, "\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n");
-		fprintf(stdout, "\t\t\t*(_tp) = _d; \\\n");
-		fprintf(stdout, "\t\t\treturn (ISC_R_SUCCESS); \\\n");
-		fprintf(stdout, "\t\t} \\\n");
-		fprintf(stdout, "\t} while (0)\n\n");
-
-		fprintf(stdout, "#define RDATATYPE_FROMTEXT_SW(_hash,"
-				"_typename,_length,_typep) \\\n");
-		fprintf(stdout, "\tswitch (_hash) { \\\n");
-		for (i = 0; i <= maxtype; i++) {
-			ttn = find_typename(i);
-			if (ttn == NULL)
-				continue;
-
-			/*
-			 * Skip entries we already processed.
-			 */
-			if (ttn->sorted != 0)
-				continue;
-
-			hash = HASH(ttn->typename);
-			fprintf(stdout, "\t\tcase %u: \\\n", hash);
-
-			/*
-			 * Find all other entries that happen to match
-			 * this hash.
-			 */
-			for (j = 0; j <= maxtype; j++) {
-				ttn2 = find_typename(j);
-				if (ttn2 == NULL)
-					continue;
-				if (hash == HASH(ttn2->typename)) {
-					fprintf(stdout, "\t\t\tRDATATYPE_COMPARE"
-					       "(\"%s\", %u, "
-					       "_typename, _length, _typep); \\\n",
-					       ttn2->typename, ttn2->type);
-					ttn2->sorted = 1;
-				}
-			}
-			fprintf(stdout, "\t\t\tbreak; \\\n");
-		}
-		fprintf(stdout, "\t}\n");
-
-		fprintf(stdout, "#define RDATATYPE_ATTRIBUTE_SW \\\n");
-		fprintf(stdout, "\tswitch (type) { \\\n");
-		for (i = 0; i <= maxtype; i++) {
-			ttn = find_typename(i);
-			if (ttn == NULL)
-				continue;
-			fprintf(stdout, "\tcase %u: return (%s); \\\n",
-				i, upper(ttn->attr));
-		}
-		fprintf(stdout, "\t}\n");
-
-		fprintf(stdout, "#define RDATATYPE_TOTEXT_SW \\\n");
-		fprintf(stdout, "\tswitch (type) { \\\n");
-		for (i = 0; i <= maxtype; i++) {
-			ttn = find_typename(i);
-			if (ttn == NULL)
-				continue;
-			fprintf(stdout, "\tcase %u: return "
-				"(str_totext(\"%s\", target)); \\\n",
-				i, upper(ttn->typename));
-		}
-		fprintf(stdout, "\t}\n");
-
-		fputs("#endif /* DNS_CODE_H */\n", stdout);
-	} else if (type_enum) {
-		char *s;
-
-		fprintf(stdout, "#ifndef DNS_ENUMTYPE_H\n");
-		fprintf(stdout, "#define DNS_ENUMTYPE_H 1\n\n");
-
-		fprintf(stdout, "enum {\n");
-		fprintf(stdout, "\tdns_rdatatype_none = 0,\n");
-
-		lasttype = 0;
-		for (tt = types; tt != NULL; tt = tt->next)
-			if (tt->type != lasttype)
-				fprintf(stdout,
-					"\tdns_rdatatype_%s = %d,\n",
-					funname(tt->typename, buf1),
-					lasttype = tt->type);
-
-		fprintf(stdout, "\tdns_rdatatype_ixfr = 251,\n");
-		fprintf(stdout, "\tdns_rdatatype_axfr = 252,\n");
-		fprintf(stdout, "\tdns_rdatatype_mailb = 253,\n");
-		fprintf(stdout, "\tdns_rdatatype_maila = 254,\n");
-		fprintf(stdout, "\tdns_rdatatype_any = 255\n");
-
-		fprintf(stdout, "};\n\n");
-
-		fprintf(stdout, "#define dns_rdatatype_none\t"
-			"((dns_rdatatype_t)dns_rdatatype_none)\n");
-
-		for (tt = types; tt != NULL; tt = tt->next)
-			if (tt->type != lasttype) {
-				s = funname(tt->typename, buf1);
-				fprintf(stdout,
-					"#define dns_rdatatype_%s\t%s"
-					"((dns_rdatatype_t)dns_rdatatype_%s)"
-					"\n",
-					s, strlen(s) < 2U ? "\t" : "", s);
-				lasttype = tt->type;
-			}
-
-		fprintf(stdout, "#define dns_rdatatype_ixfr\t"
-			"((dns_rdatatype_t)dns_rdatatype_ixfr)\n");
-		fprintf(stdout, "#define dns_rdatatype_axfr\t"
-			"((dns_rdatatype_t)dns_rdatatype_axfr)\n");
-		fprintf(stdout, "#define dns_rdatatype_mailb\t"
-			"((dns_rdatatype_t)dns_rdatatype_mailb)\n");
-		fprintf(stdout, "#define dns_rdatatype_maila\t"
-			"((dns_rdatatype_t)dns_rdatatype_maila)\n");
-		fprintf(stdout, "#define dns_rdatatype_any\t"
-			"((dns_rdatatype_t)dns_rdatatype_any)\n");
-
-		fprintf(stdout, "\n#endif /* DNS_ENUMTYPE_H */\n");
-
-	} else if (class_enum) {
-		char *s;
-		int classnum;
-
-		fprintf(stdout, "#ifndef DNS_ENUMCLASS_H\n");
-		fprintf(stdout, "#define DNS_ENUMCLASS_H 1\n\n");
-
-		fprintf(stdout, "enum {\n");
-
-		fprintf(stdout, "\tdns_rdataclass_reserved0 = 0,\n");
-		fprintf(stdout, "#define dns_rdataclass_reserved0 \\\n\t\t\t\t"
-			"((dns_rdataclass_t)dns_rdataclass_reserved0)\n");
-
-#define PRINTCLASS(name, num) \
-	do { \
-		s = funname(name, buf1); \
-		classnum = num; \
-		fprintf(stdout, "\tdns_rdataclass_%s = %d%s\n", s, classnum, \
-		       classnum != 255 ? "," : ""); \
-		fprintf(stdout, "#define dns_rdataclass_%s\t" \
-		       "((dns_rdataclass_t)dns_rdataclass_%s)\n", s, s); \
-	} while (0)
-
-		for (cc = classes; cc != NULL; cc = cc->next) {
-			if (cc->rdclass == 3)
-				PRINTCLASS("chaos", 3);
-			else if (cc->rdclass == 255)
-				PRINTCLASS("none", 254);
-			PRINTCLASS(cc->classname, cc->rdclass);
-		}
-
-#undef PRINTCLASS
-
-		fprintf(stdout, "};\n\n");
-		fprintf(stdout, "#endif /* DNS_ENUMCLASS_H */\n");
-	} else if (structs) {
-		if (prefix != NULL) {
-			if ((fd = fopen(prefix,"r")) != NULL) {
-				while (fgets(buf, sizeof(buf), fd) != NULL)
-					fputs(buf, stdout);
-				fclose(fd);
-			}
-		}
-		for (tt = types; tt != NULL; tt = tt->next) {
-			snprintf(buf, sizeof(buf), "%s/%s_%d.h",
-				tt->dirname, tt->typename, tt->type);
-			if ((fd = fopen(buf,"r")) != NULL) {
-				while (fgets(buf, sizeof(buf), fd) != NULL)
-					fputs(buf, stdout);
-				fclose(fd);
-			}
-		}
-		if (suffix != NULL) {
-			if ((fd = fopen(suffix,"r")) != NULL) {
-				while (fgets(buf, sizeof(buf), fd) != NULL)
-					fputs(buf, stdout);
-				fclose(fd);
-			}
-		}
-	} else if (depend) {
-		for (tt = types; tt != NULL; tt = tt->next)
-			fprintf(stdout, "%s:\t%s/%s_%d.h\n", file,
-				tt->dirname, tt->typename, tt->type);
-	}
-
-	if (ferror(stdout) != 0)
-		exit(1);
-
-	return (0);
-}
diff --git a/contrib/bind9/lib/dns/gssapi_link.c b/contrib/bind9/lib/dns/gssapi_link.c
deleted file mode 100644
index 5ad81cd..0000000
--- a/contrib/bind9/lib/dns/gssapi_link.c
+++ /dev/null
@@ -1,394 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: gssapi_link.c,v 1.17 2011/03/28 05:32:16 marka Exp $
- */
-
-#include <config.h>
-
-#ifdef GSSAPI
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-
-#include <dst/gssapi.h>
-
-#define INITIAL_BUFFER_SIZE 1024
-#define BUFFER_EXTRA 1024
-
-#define REGION_TO_GBUFFER(r, gb) \
-	do { \
-		(gb).length = (r).length; \
-		(gb).value = (r).base; \
-	} while (0)
-
-#define GBUFFER_TO_REGION(gb, r) \
-	do { \
-		(r).length = (gb).length; \
-		(r).base = (gb).value; \
-	} while (0)
-
-
-struct dst_gssapi_signverifyctx {
-	isc_buffer_t *buffer;
-};
-
-/*%
- * Allocate a temporary "context" for use in gathering data for signing
- * or verifying.
- */
-static isc_result_t
-gssapi_create_signverify_ctx(dst_key_t *key, dst_context_t *dctx) {
-	dst_gssapi_signverifyctx_t *ctx;
-	isc_result_t result;
-
-	UNUSED(key);
-
-	ctx = isc_mem_get(dctx->mctx, sizeof(dst_gssapi_signverifyctx_t));
-	if (ctx == NULL)
-		return (ISC_R_NOMEMORY);
-	ctx->buffer = NULL;
-	result = isc_buffer_allocate(dctx->mctx, &ctx->buffer,
-				     INITIAL_BUFFER_SIZE);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
-		return (result);
-	}
-
-	dctx->ctxdata.gssctx = ctx;
-
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Destroy the temporary sign/verify context.
- */
-static void
-gssapi_destroy_signverify_ctx(dst_context_t *dctx) {
-	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
-
-	if (ctx != NULL) {
-		if (ctx->buffer != NULL)
-			isc_buffer_free(&ctx->buffer);
-		isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
-		dctx->ctxdata.gssctx = NULL;
-	}
-}
-
-/*%
- * Add data to our running buffer of data we will be signing or verifying.
- * This code will see if the new data will fit in our existing buffer, and
- * copy it in if it will.  If not, it will attempt to allocate a larger
- * buffer and copy old+new into it, and free the old buffer.
- */
-static isc_result_t
-gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
-	isc_buffer_t *newbuffer = NULL;
-	isc_region_t r;
-	unsigned int length;
-	isc_result_t result;
-
-	result = isc_buffer_copyregion(ctx->buffer, data);
-	if (result == ISC_R_SUCCESS)
-		return (ISC_R_SUCCESS);
-
-	length = isc_buffer_length(ctx->buffer) + data->length + BUFFER_EXTRA;
-
-	result = isc_buffer_allocate(dctx->mctx, &newbuffer, length);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	isc_buffer_usedregion(ctx->buffer, &r);
-	(void)isc_buffer_copyregion(newbuffer, &r);
-	(void)isc_buffer_copyregion(newbuffer, data);
-
-	isc_buffer_free(&ctx->buffer);
-	ctx->buffer = newbuffer;
-
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Sign.
- */
-static isc_result_t
-gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
-	isc_region_t message;
-	gss_buffer_desc gmessage, gsig;
-	OM_uint32 minor, gret;
-	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
-	char buf[1024];
-
-	/*
-	 * Convert the data we wish to sign into a structure gssapi can
-	 * understand.
-	 */
-	isc_buffer_usedregion(ctx->buffer, &message);
-	REGION_TO_GBUFFER(message, gmessage);
-
-	/*
-	 * Generate the signature.
-	 */
-	gret = gss_get_mic(&minor, gssctx, GSS_C_QOP_DEFAULT, &gmessage,
-			   &gsig);
-
-	/*
-	 * If it did not complete, we log the result and return a generic
-	 * failure code.
-	 */
-	if (gret != GSS_S_COMPLETE) {
-		gss_log(3, "GSS sign error: %s",
-			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-		return (ISC_R_FAILURE);
-	}
-
-	/*
-	 * If it will not fit in our allocated buffer, return that we need
-	 * more space.
-	 */
-	if (gsig.length > isc_buffer_availablelength(sig)) {
-		gss_release_buffer(&minor, &gsig);
-		return (ISC_R_NOSPACE);
-	}
-
-	/*
-	 * Copy the output into our buffer space, and release the gssapi
-	 * allocated space.
-	 */
-	isc_buffer_putmem(sig, gsig.value, gsig.length);
-	if (gsig.length != 0U)
-		gss_release_buffer(&minor, &gsig);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Verify.
- */
-static isc_result_t
-gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
-	isc_region_t message, r;
-	gss_buffer_desc gmessage, gsig;
-	OM_uint32 minor, gret;
-	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
-	unsigned char *buf;
-	char err[1024];
-
-	/*
-	 * Convert the data we wish to sign into a structure gssapi can
-	 * understand.
-	 */
-	isc_buffer_usedregion(ctx->buffer, &message);
-	REGION_TO_GBUFFER(message, gmessage);
-
-	/*
-	 * XXXMLG
-	 * It seem that gss_verify_mic() modifies the signature buffer,
-	 * at least on Heimdal's implementation.  Copy it here to an allocated
-	 * buffer.
-	 */
-	buf = isc_mem_allocate(dst__memory_pool, sig->length);
-	if (buf == NULL)
-		return (ISC_R_FAILURE);
-	memcpy(buf, sig->base, sig->length);
-	r.base = buf;
-	r.length = sig->length;
-	REGION_TO_GBUFFER(r, gsig);
-
-	/*
-	 * Verify the data.
-	 */
-	gret = gss_verify_mic(&minor, gssctx, &gmessage, &gsig, NULL);
-
-	isc_mem_free(dst__memory_pool, buf);
-
-	/*
-	 * Convert return codes into something useful to us.
-	 */
-	if (gret != GSS_S_COMPLETE) {
-		gss_log(3, "GSS verify error: %s",
-			gss_error_tostring(gret, minor, err, sizeof(err)));
-		if (gret == GSS_S_DEFECTIVE_TOKEN ||
-		    gret == GSS_S_BAD_SIG ||
-		    gret == GSS_S_DUPLICATE_TOKEN ||
-		    gret == GSS_S_OLD_TOKEN ||
-		    gret == GSS_S_UNSEQ_TOKEN ||
-		    gret == GSS_S_GAP_TOKEN ||
-		    gret == GSS_S_CONTEXT_EXPIRED ||
-		    gret == GSS_S_NO_CONTEXT ||
-		    gret == GSS_S_FAILURE)
-			return(DST_R_VERIFYFAILURE);
-		else
-			return (ISC_R_FAILURE);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	gss_ctx_id_t gsskey1 = key1->keydata.gssctx;
-	gss_ctx_id_t gsskey2 = key2->keydata.gssctx;
-
-	/* No idea */
-	return (ISC_TF(gsskey1 == gsskey2));
-}
-
-static isc_result_t
-gssapi_generate(dst_key_t *key, int unused, void (*callback)(int)) {
-	UNUSED(key);
-	UNUSED(unused);
-	UNUSED(callback);
-
-	/* No idea */
-	return (ISC_R_FAILURE);
-}
-
-static isc_boolean_t
-gssapi_isprivate(const dst_key_t *key) {
-	UNUSED(key);
-	return (ISC_TRUE);
-}
-
-static void
-gssapi_destroy(dst_key_t *key) {
-	REQUIRE(key != NULL);
-	dst_gssapi_deletectx(key->mctx, &key->keydata.gssctx);
-	key->keydata.gssctx = NULL;
-}
-
-static isc_result_t
-gssapi_restore(dst_key_t *key, const char *keystr) {
-	OM_uint32 major, minor;
-	size_t len;
-	isc_buffer_t *b = NULL;
-	isc_region_t r;
-	gss_buffer_desc gssbuffer;
-	isc_result_t result;
-
-	len = strlen(keystr);
-	if ((len % 4) != 0U)
-		return (ISC_R_BADBASE64);
-
-	len = (len / 4) * 3;
-
-	result = isc_buffer_allocate(key->mctx, &b, len);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = isc_base64_decodestring(keystr, b);
-	if (result != ISC_R_SUCCESS) {
-		isc_buffer_free(&b);
-		return (result);
-	}
-
-	isc_buffer_remainingregion(b, &r);
-	REGION_TO_GBUFFER(r, gssbuffer);
-	major = gss_import_sec_context(&minor, &gssbuffer,
-				       &key->keydata.gssctx);
-	if (major != GSS_S_COMPLETE) {
-		isc_buffer_free(&b);
-		return (ISC_R_FAILURE);
-	}
-
-	isc_buffer_free(&b);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-gssapi_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
-	OM_uint32 major, minor;
-	gss_buffer_desc gssbuffer;
-	size_t len;
-	char *buf;
-	isc_buffer_t b;
-	isc_region_t r;
-	isc_result_t result;
-
-	major = gss_export_sec_context(&minor, &key->keydata.gssctx,
-				       &gssbuffer);
-	if (major != GSS_S_COMPLETE) {
-		fprintf(stderr, "gss_export_sec_context -> %d, %d\n",
-			major, minor);
-		return (ISC_R_FAILURE);
-	}
-	if (gssbuffer.length == 0U)
-		return (ISC_R_FAILURE);
-	len = ((gssbuffer.length + 2)/3) * 4;
-	buf = isc_mem_get(mctx, len);
-	if (buf == NULL) {
-		gss_release_buffer(&minor, &gssbuffer);
-		return (ISC_R_NOMEMORY);
-	}
-	isc_buffer_init(&b, buf, len);
-	GBUFFER_TO_REGION(gssbuffer, r);
-	result = isc_base64_totext(&r, 0, "", &b);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	gss_release_buffer(&minor, &gssbuffer);
-	*buffer = buf;
-	*length = len;
-	return (ISC_R_SUCCESS);
-}
-
-static dst_func_t gssapi_functions = {
-	gssapi_create_signverify_ctx,
-	gssapi_destroy_signverify_ctx,
-	gssapi_adddata,
-	gssapi_sign,
-	gssapi_verify,
-	NULL, /*%< verify2 */
-	NULL, /*%< computesecret */
-	gssapi_compare,
-	NULL, /*%< paramcompare */
-	gssapi_generate,
-	gssapi_isprivate,
-	gssapi_destroy,
-	NULL, /*%< todns */
-	NULL, /*%< fromdns */
-	NULL, /*%< tofile */
-	NULL, /*%< parse */
-	NULL, /*%< cleanup */
-	NULL,  /*%< fromlabel */
-	gssapi_dump,
-	gssapi_restore,
-};
-
-isc_result_t
-dst__gssapi_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &gssapi_functions;
-	return (ISC_R_SUCCESS);
-}
-
-#else
-int  gssapi_link_unneeded = 1;
-#endif
-
-/*! \file */
diff --git a/contrib/bind9/lib/dns/gssapictx.c b/contrib/bind9/lib/dns/gssapictx.c
deleted file mode 100644
index a8c5900..0000000
--- a/contrib/bind9/lib/dns/gssapictx.c
+++ /dev/null
@@ -1,872 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gssapictx.c,v 1.29 2011/08/29 06:33:25 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/platform.h>
-#include <isc/random.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/types.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-
-#include <dst/gssapi.h>
-#include <dst/result.h>
-
-#include "dst_internal.h"
-
-/*
- * If we're using our own SPNEGO implementation (see configure.in),
- * pull it in now.  Otherwise, we just use whatever GSSAPI supplies.
- */
-#if defined(GSSAPI) && defined(USE_ISC_SPNEGO)
-#include "spnego.h"
-#define	gss_accept_sec_context	gss_accept_sec_context_spnego
-#define	gss_init_sec_context	gss_init_sec_context_spnego
-#endif
-
-/*
- * Solaris8 apparently needs an explicit OID set, and Solaris10 needs
- * one for anything but Kerberos.  Supplying an explicit OID set
- * doesn't appear to hurt anything in other implementations, so we
- * always use one.  If we're not using our own SPNEGO implementation,
- * we include SPNEGO's OID.
- */
-#if defined(GSSAPI)
-#include ISC_PLATFORM_KRB5HEADER
-
-static unsigned char krb5_mech_oid_bytes[] = {
-	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
-};
-
-#ifndef USE_ISC_SPNEGO
-static unsigned char spnego_mech_oid_bytes[] = {
-	0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
-};
-#endif
-
-static gss_OID_desc mech_oid_set_array[] = {
-	{ sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes },
-#ifndef USE_ISC_SPNEGO
-	{ sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes },
-#endif
-};
-
-static gss_OID_set_desc mech_oid_set = {
-	sizeof(mech_oid_set_array) / sizeof(*mech_oid_set_array),
-	mech_oid_set_array
-};
-
-#endif
-
-#define REGION_TO_GBUFFER(r, gb) \
-	do { \
-		(gb).length = (r).length; \
-		(gb).value = (r).base; \
-	} while (0)
-
-#define GBUFFER_TO_REGION(gb, r) \
-	do { \
-		(r).length = (gb).length; \
-		(r).base = (gb).value; \
-	} while (0)
-
-
-#define RETERR(x) do { \
-	result = (x); \
-	if (result != ISC_R_SUCCESS) \
-		goto out; \
-	} while (0)
-
-#ifdef GSSAPI
-static inline void
-name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
-		gss_buffer_desc *gbuffer)
-{
-	dns_name_t tname, *namep;
-	isc_region_t r;
-	isc_result_t result;
-
-	if (!dns_name_isabsolute(name))
-		namep = name;
-	else
-	{
-		unsigned int labels;
-		dns_name_init(&tname, NULL);
-		labels = dns_name_countlabels(name);
-		dns_name_getlabelsequence(name, 0, labels - 1, &tname);
-		namep = &tname;
-	}
-
-	result = dns_name_toprincipal(namep, buffer);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	isc_buffer_putuint8(buffer, 0);
-	isc_buffer_usedregion(buffer, &r);
-	REGION_TO_GBUFFER(r, *gbuffer);
-}
-
-static void
-log_cred(const gss_cred_id_t cred) {
-	OM_uint32 gret, minor, lifetime;
-	gss_name_t gname;
-	gss_buffer_desc gbuffer;
-	gss_cred_usage_t usage;
-	const char *usage_text;
-	char buf[1024];
-
-	gret = gss_inquire_cred(&minor, cred, &gname, &lifetime, &usage, NULL);
-	if (gret != GSS_S_COMPLETE) {
-		gss_log(3, "failed gss_inquire_cred: %s",
-			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-		return;
-	}
-
-	gret = gss_display_name(&minor, gname, &gbuffer, NULL);
-	if (gret != GSS_S_COMPLETE)
-		gss_log(3, "failed gss_display_name: %s",
-			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-	else {
-		switch (usage) {
-		case GSS_C_BOTH:
-			usage_text = "GSS_C_BOTH";
-			break;
-		case GSS_C_INITIATE:
-			usage_text = "GSS_C_INITIATE";
-			break;
-		case GSS_C_ACCEPT:
-			usage_text = "GSS_C_ACCEPT";
-			break;
-		default:
-			usage_text = "???";
-		}
-		gss_log(3, "gss cred: \"%s\", %s, %lu", (char *)gbuffer.value,
-			usage_text, (unsigned long)lifetime);
-	}
-
-	if (gret == GSS_S_COMPLETE) {
-		if (gbuffer.length != 0U) {
-			gret = gss_release_buffer(&minor, &gbuffer);
-			if (gret != GSS_S_COMPLETE)
-				gss_log(3, "failed gss_release_buffer: %s",
-					gss_error_tostring(gret, minor, buf,
-							   sizeof(buf)));
-		}
-	}
-
-	gret = gss_release_name(&minor, &gname);
-	if (gret != GSS_S_COMPLETE)
-		gss_log(3, "failed gss_release_name: %s",
-			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-}
-#endif
-
-#ifdef GSSAPI
-/*
- * check for the most common configuration errors.
- *
- * The errors checked for are:
- *   - tkey-gssapi-credential doesn't start with DNS/
- *   - the default realm in /etc/krb5.conf and the
- *     tkey-gssapi-credential bind config option don't match
- *
- * Note that if tkey-gssapi-keytab is set then these configure checks
- * are not performed, and runtime errors from gssapi are used instead
- */
-static void
-check_config(const char *gss_name) {
-	const char *p;
-	krb5_context krb5_ctx;
-	char *krb5_realm = NULL;
-
-	if (strncasecmp(gss_name, "DNS/", 4) != 0) {
-		gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) "
-			"should start with 'DNS/'", gss_name);
-		return;
-	}
-
-	if (krb5_init_context(&krb5_ctx) != 0) {
-		gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
-		return;
-	}
-	if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
-		gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
-		krb5_free_context(krb5_ctx);
-		return;
-	}
-	p = strchr(gss_name, '/');
-	if (p == NULL) {
-		gss_log(ISC_LOG_ERROR, "badly formatted "
-			"tkey-gssapi-credentials (%s)", gss_name);
-		krb5_free_context(krb5_ctx);
-		return;
-	}
-	if (strcasecmp(p + 1, krb5_realm) != 0) {
-		gss_log(ISC_LOG_ERROR, "default realm from krb5.conf (%s) "
-			"does not match tkey-gssapi-credential (%s)",
-			krb5_realm, gss_name);
-		krb5_free_context(krb5_ctx);
-		return;
-	}
-	krb5_free_context(krb5_ctx);
-}
-#endif
-
-isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
-		       gss_cred_id_t *cred)
-{
-#ifdef GSSAPI
-	isc_buffer_t namebuf;
-	gss_name_t gname;
-	gss_buffer_desc gnamebuf;
-	unsigned char array[DNS_NAME_MAXTEXT + 1];
-	OM_uint32 gret, minor;
-	gss_OID_set mechs;
-	OM_uint32 lifetime;
-	gss_cred_usage_t usage;
-	char buf[1024];
-
-	REQUIRE(cred != NULL && *cred == NULL);
-
-	/*
-	 * XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE
-	 * here when we're in the acceptor role, which would let us
-	 * default the hostname and use a compiled in default service
-	 * name of "DNS", giving one less thing to configure in
-	 * named.conf.	Unfortunately, this creates a circular
-	 * dependency due to DNS-based realm lookup in at least one
-	 * GSSAPI implementation (Heimdal).  Oh well.
-	 */
-	if (name != NULL) {
-		isc_buffer_init(&namebuf, array, sizeof(array));
-		name_to_gbuffer(name, &namebuf, &gnamebuf);
-		gret = gss_import_name(&minor, &gnamebuf,
-				       GSS_C_NO_OID, &gname);
-		if (gret != GSS_S_COMPLETE) {
-			check_config((char *)array);
-
-			gss_log(3, "failed gss_import_name: %s",
-				gss_error_tostring(gret, minor, buf,
-						   sizeof(buf)));
-			return (ISC_R_FAILURE);
-		}
-	} else
-		gname = NULL;
-
-	/* Get the credentials. */
-	if (gname != NULL)
-		gss_log(3, "acquiring credentials for %s",
-			(char *)gnamebuf.value);
-	else {
-		/* XXXDCL does this even make any sense? */
-		gss_log(3, "acquiring credentials for ?");
-	}
-
-	if (initiate)
-		usage = GSS_C_INITIATE;
-	else
-		usage = GSS_C_ACCEPT;
-
-	gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE,
-				&mech_oid_set,
-				usage, cred, &mechs, &lifetime);
-
-	if (gret != GSS_S_COMPLETE) {
-		gss_log(3, "failed to acquire %s credentials for %s: %s",
-			initiate ? "initiate" : "accept",
-			(gname != NULL) ? (char *)gnamebuf.value : "?",
-			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-		check_config((char *)array);
-		return (ISC_R_FAILURE);
-	}
-
-	gss_log(4, "acquired %s credentials for %s",
-		initiate ? "initiate" : "accept",
-		(gname != NULL) ? (char *)gnamebuf.value : "?");
-
-	log_cred(*cred);
-
-	return (ISC_R_SUCCESS);
-#else
-	REQUIRE(cred != NULL && *cred == NULL);
-
-	UNUSED(name);
-	UNUSED(initiate);
-	UNUSED(cred);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-isc_boolean_t
-dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
-				    dns_name_t *realm)
-{
-#ifdef GSSAPI
-	char sbuf[DNS_NAME_FORMATSIZE];
-	char nbuf[DNS_NAME_FORMATSIZE];
-	char rbuf[DNS_NAME_FORMATSIZE];
-	char *sname;
-	char *rname;
-	isc_buffer_t buffer;
-	isc_result_t result;
-
-	/*
-	 * It is far, far easier to write the names we are looking at into
-	 * a string, and do string operations on them.
-	 */
-	isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
-	result = dns_name_toprincipal(signer, &buffer);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	isc_buffer_putuint8(&buffer, 0);
-	if (name != NULL)
-		dns_name_format(name, nbuf, sizeof(nbuf));
-	dns_name_format(realm, rbuf, sizeof(rbuf));
-
-	/*
-	 * Find the realm portion.  This is the part after the @.  If it
-	 * does not exist, we don't have something we like, so we fail our
-	 * compare.
-	 */
-	rname = strchr(sbuf, '@');
-	if (rname == NULL)
-		return (isc_boolean_false);
-	*rname = '\0';
-	rname++;
-
-	/*
-	 * Find the host portion of the signer's name.	We do this by
-	 * searching for the first / character.  We then check to make
-	 * certain the instance name is "host"
-	 *
-	 * This will work for
-	 *    host/example.com@EXAMPLE.COM
-	 */
-	sname = strchr(sbuf, '/');
-	if (sname == NULL)
-		return (isc_boolean_false);
-	*sname = '\0';
-	sname++;
-	if (strcmp(sbuf, "host") != 0)
-		return (isc_boolean_false);
-
-	/*
-	 * Now, we do a simple comparison between the name and the realm.
-	 */
-	if (name != NULL) {
-		if ((strcasecmp(sname, nbuf) == 0)
-		    && (strcmp(rname, rbuf) == 0))
-			return (isc_boolean_true);
-	} else {
-		if (strcmp(rname, rbuf) == 0)
-			return (isc_boolean_true);
-	}
-
-	return (isc_boolean_false);
-#else
-	UNUSED(signer);
-	UNUSED(name);
-	UNUSED(realm);
-	return (isc_boolean_false);
-#endif
-}
-
-isc_boolean_t
-dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
-				  dns_name_t *realm)
-{
-#ifdef GSSAPI
-	char sbuf[DNS_NAME_FORMATSIZE];
-	char nbuf[DNS_NAME_FORMATSIZE];
-	char rbuf[DNS_NAME_FORMATSIZE];
-	char *sname;
-	char *nname;
-	char *rname;
-	isc_buffer_t buffer;
-	isc_result_t result;
-
-	/*
-	 * It is far, far easier to write the names we are looking at into
-	 * a string, and do string operations on them.
-	 */
-	isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
-	result = dns_name_toprincipal(signer, &buffer);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	isc_buffer_putuint8(&buffer, 0);
-	if (name != NULL)
-		dns_name_format(name, nbuf, sizeof(nbuf));
-	dns_name_format(realm, rbuf, sizeof(rbuf));
-
-	/*
-	 * Find the realm portion.  This is the part after the @.  If it
-	 * does not exist, we don't have something we like, so we fail our
-	 * compare.
-	 */
-	rname = strchr(sbuf, '@');
-	if (rname == NULL)
-		return (isc_boolean_false);
-	sname = strchr(sbuf, '$');
-	if (sname == NULL)
-		return (isc_boolean_false);
-
-	/*
-	 * Verify that the $ and @ follow one another.
-	 */
-	if (rname - sname != 1)
-		return (isc_boolean_false);
-
-	/*
-	 * Find the host portion of the signer's name.	Zero out the $ so
-	 * it terminates the signer's name, and skip past the @ for
-	 * the realm.
-	 *
-	 * All service principals in Microsoft format seem to be in
-	 *    machinename$@EXAMPLE.COM
-	 * format.
-	 */
-	rname++;
-	*sname = '\0';
-	sname = sbuf;
-
-	/*
-	 * Find the first . in the target name, and make it the end of
-	 * the string.	 The rest of the name has to match the realm.
-	 */
-	if (name != NULL) {
-		nname = strchr(nbuf, '.');
-		if (nname == NULL)
-			return (isc_boolean_false);
-		*nname++ = '\0';
-	}
-
-	/*
-	 * Now, we do a simple comparison between the name and the realm.
-	 */
-	if (name != NULL) {
-		if ((strcasecmp(sname, nbuf) == 0)
-		    && (strcmp(rname, rbuf) == 0)
-		    && (strcasecmp(nname, rbuf) == 0))
-			return (isc_boolean_true);
-	} else {
-		if (strcmp(rname, rbuf) == 0)
-			return (isc_boolean_true);
-	}
-
-
-	return (isc_boolean_false);
-#else
-	UNUSED(signer);
-	UNUSED(name);
-	UNUSED(realm);
-	return (isc_boolean_false);
-#endif
-}
-
-isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred) {
-#ifdef GSSAPI
-	OM_uint32 gret, minor;
-	char buf[1024];
-
-	REQUIRE(cred != NULL && *cred != NULL);
-
-	gret = gss_release_cred(&minor, cred);
-	if (gret != GSS_S_COMPLETE) {
-		/* Log the error, but still free the credential's memory */
-		gss_log(3, "failed releasing credential: %s",
-			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-	}
-	*cred = NULL;
-
-	return(ISC_R_SUCCESS);
-#else
-	UNUSED(cred);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-#ifdef GSSAPI
-/*
- * Format a gssapi error message info into a char ** on the given memory
- * context. This is used to return gssapi error messages back up the
- * call chain for reporting to the user.
- */
-static void
-gss_err_message(isc_mem_t *mctx, isc_uint32_t major, isc_uint32_t minor,
-		char **err_message)
-{
-	char buf[1024];
-	char *estr;
-
-	if (err_message == NULL || mctx == NULL) {
-		/* the caller doesn't want any error messages */
-		return;
-	}
-
-	estr = gss_error_tostring(major, minor, buf, sizeof(buf));
-	if (estr != NULL)
-		(*err_message) = isc_mem_strdup(mctx, estr);
-}
-#endif
-
-isc_result_t
-dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
-		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
-		   isc_mem_t *mctx, char **err_message)
-{
-#ifdef GSSAPI
-	isc_region_t r;
-	isc_buffer_t namebuf;
-	gss_name_t gname;
-	OM_uint32 gret, minor, ret_flags, flags;
-	gss_buffer_desc gintoken, *gintokenp, gouttoken = GSS_C_EMPTY_BUFFER;
-	isc_result_t result;
-	gss_buffer_desc gnamebuf;
-	unsigned char array[DNS_NAME_MAXTEXT + 1];
-
-	/* Client must pass us a valid gss_ctx_id_t here */
-	REQUIRE(gssctx != NULL);
-	REQUIRE(mctx != NULL);
-
-	isc_buffer_init(&namebuf, array, sizeof(array));
-	name_to_gbuffer(name, &namebuf, &gnamebuf);
-
-	/* Get the name as a GSS name */
-	gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
-	if (gret != GSS_S_COMPLETE) {
-		gss_err_message(mctx, gret, minor, err_message);
-		result = ISC_R_FAILURE;
-		goto out;
-	}
-
-	if (intoken != NULL) {
-		/* Don't call gss_release_buffer for gintoken! */
-		REGION_TO_GBUFFER(*intoken, gintoken);
-		gintokenp = &gintoken;
-	} else {
-		gintokenp = NULL;
-	}
-
-	/*
-	 * Note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
-	 * servers don't like it.
-	 */
-	flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
-
-	gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
-				    gname, GSS_SPNEGO_MECHANISM, flags,
-				    0, NULL, gintokenp,
-				    NULL, &gouttoken, &ret_flags, NULL);
-
-	if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
-		gss_err_message(mctx, gret, minor, err_message);
-		if (err_message != NULL && *err_message != NULL)
-			gss_log(3, "Failure initiating security context: %s",
-				*err_message);
-		else
-			gss_log(3, "Failure initiating security context");
-
-		result = ISC_R_FAILURE;
-		goto out;
-	}
-
-	/*
-	 * XXXSRA Not handled yet: RFC 3645 3.1.1: check ret_flags
-	 * MUTUAL and INTEG flags, fail if either not set.
-	 */
-
-	/*
-	 * RFC 2744 states the a valid output token has a non-zero length.
-	 */
-	if (gouttoken.length != 0U) {
-		GBUFFER_TO_REGION(gouttoken, r);
-		RETERR(isc_buffer_copyregion(outtoken, &r));
-		(void)gss_release_buffer(&minor, &gouttoken);
-	}
-	(void)gss_release_name(&minor, &gname);
-
-	if (gret == GSS_S_COMPLETE)
-		result = ISC_R_SUCCESS;
-	else
-		result = DNS_R_CONTINUE;
-
- out:
-	return (result);
-#else
-	UNUSED(name);
-	UNUSED(intoken);
-	UNUSED(outtoken);
-	UNUSED(gssctx);
-	UNUSED(mctx);
-	UNUSED(err_message);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred,
-		     const char *gssapi_keytab,
-		     isc_region_t *intoken, isc_buffer_t **outtoken,
-		     gss_ctx_id_t *ctxout, dns_name_t *principal,
-		     isc_mem_t *mctx)
-{
-#ifdef GSSAPI
-	isc_region_t r;
-	isc_buffer_t namebuf;
-	gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken,
-			gouttoken = GSS_C_EMPTY_BUFFER;
-	OM_uint32 gret, minor;
-	gss_ctx_id_t context = GSS_C_NO_CONTEXT;
-	gss_name_t gname = NULL;
-	isc_result_t result;
-	char buf[1024];
-
-	REQUIRE(outtoken != NULL && *outtoken == NULL);
-
-	REGION_TO_GBUFFER(*intoken, gintoken);
-
-	if (*ctxout == NULL)
-		context = GSS_C_NO_CONTEXT;
-	else
-		context = *ctxout;
-
-	if (gssapi_keytab != NULL) {
-#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
-		gret = gsskrb5_register_acceptor_identity(gssapi_keytab);
-		if (gret != GSS_S_COMPLETE) {
-			gss_log(3, "failed "
-				"gsskrb5_register_acceptor_identity(%s): %s",
-				gssapi_keytab,
-				gss_error_tostring(gret, 0, buf, sizeof(buf)));
-			return (DNS_R_INVALIDTKEY);
-		}
-#else
-		/*
-		 * Minimize memory leakage by only setting KRB5_KTNAME
-		 * if it needs to change.
-		 */
-		const char *old = getenv("KRB5_KTNAME");
-		if (old == NULL || strcmp(old, gssapi_keytab) != 0) {
-			char *kt = malloc(strlen(gssapi_keytab) + 13);
-			if (kt == NULL)
-				return (ISC_R_NOMEMORY);
-			sprintf(kt, "KRB5_KTNAME=%s", gssapi_keytab);
-			if (putenv(kt) != 0)
-				return (ISC_R_NOMEMORY);
-		}
-#endif
-	}
-
-	log_cred(cred);
-
-	gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
-				      GSS_C_NO_CHANNEL_BINDINGS, &gname,
-				      NULL, &gouttoken, NULL, NULL, NULL);
-
-	result = ISC_R_FAILURE;
-
-	switch (gret) {
-	case GSS_S_COMPLETE:
-		result = ISC_R_SUCCESS;
-		break;
-	case GSS_S_CONTINUE_NEEDED:
-		result = DNS_R_CONTINUE;
-		break;
-	case GSS_S_DEFECTIVE_TOKEN:
-	case GSS_S_DEFECTIVE_CREDENTIAL:
-	case GSS_S_BAD_SIG:
-	case GSS_S_DUPLICATE_TOKEN:
-	case GSS_S_OLD_TOKEN:
-	case GSS_S_NO_CRED:
-	case GSS_S_CREDENTIALS_EXPIRED:
-	case GSS_S_BAD_BINDINGS:
-	case GSS_S_NO_CONTEXT:
-	case GSS_S_BAD_MECH:
-	case GSS_S_FAILURE:
-		result = DNS_R_INVALIDTKEY;
-		/* fall through */
-	default:
-		gss_log(3, "failed gss_accept_sec_context: %s",
-			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-		return (result);
-	}
-
-	if (gouttoken.length > 0U) {
-		RETERR(isc_buffer_allocate(mctx, outtoken, gouttoken.length));
-		GBUFFER_TO_REGION(gouttoken, r);
-		RETERR(isc_buffer_copyregion(*outtoken, &r));
-		(void)gss_release_buffer(&minor, &gouttoken);
-	}
-
-	if (gret == GSS_S_COMPLETE) {
-		gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
-		if (gret != GSS_S_COMPLETE) {
-			gss_log(3, "failed gss_display_name: %s",
-				gss_error_tostring(gret, minor,
-						   buf, sizeof(buf)));
-			RETERR(ISC_R_FAILURE);
-		}
-
-		/*
-		 * Compensate for a bug in Solaris8's implementation
-		 * of gss_display_name().  Should be harmless in any
-		 * case, since principal names really should not
-		 * contain null characters.
-		 */
-		if (gnamebuf.length > 0U &&
-		    ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
-			gnamebuf.length--;
-
-		gss_log(3, "gss-api source name (accept) is %.*s",
-			(int)gnamebuf.length, (char *)gnamebuf.value);
-
-		GBUFFER_TO_REGION(gnamebuf, r);
-		isc_buffer_init(&namebuf, r.base, r.length);
-		isc_buffer_add(&namebuf, r.length);
-
-		RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname,
-					 0, NULL));
-
-		if (gnamebuf.length != 0U) {
-			gret = gss_release_buffer(&minor, &gnamebuf);
-			if (gret != GSS_S_COMPLETE)
-				gss_log(3, "failed gss_release_buffer: %s",
-					gss_error_tostring(gret, minor, buf,
-							   sizeof(buf)));
-		}
-	}
-
-	*ctxout = context;
-
- out:
-	if (gname != NULL) {
-		gret = gss_release_name(&minor, &gname);
-		if (gret != GSS_S_COMPLETE)
-			gss_log(3, "failed gss_release_name: %s",
-				gss_error_tostring(gret, minor, buf,
-						   sizeof(buf)));
-	}
-
-	return (result);
-#else
-	UNUSED(cred);
-	UNUSED(gssapi_keytab);
-	UNUSED(intoken);
-	UNUSED(outtoken);
-	UNUSED(ctxout);
-	UNUSED(principal);
-	UNUSED(mctx);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx)
-{
-#ifdef GSSAPI
-	OM_uint32 gret, minor;
-	char buf[1024];
-
-	UNUSED(mctx);
-
-	REQUIRE(gssctx != NULL && *gssctx != NULL);
-
-	/* Delete the context from the GSS provider */
-	gret = gss_delete_sec_context(&minor, gssctx, GSS_C_NO_BUFFER);
-	if (gret != GSS_S_COMPLETE) {
-		/* Log the error, but still free the context's memory */
-		gss_log(3, "Failure deleting security context %s",
-			gss_error_tostring(gret, minor, buf, sizeof(buf)));
-	}
-	return(ISC_R_SUCCESS);
-#else
-	UNUSED(mctx);
-	UNUSED(gssctx);
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-char *
-gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
-		   char *buf, size_t buflen) {
-#ifdef GSSAPI
-	gss_buffer_desc msg_minor = GSS_C_EMPTY_BUFFER,
-			msg_major = GSS_C_EMPTY_BUFFER;
-	OM_uint32 msg_ctx, minor_stat;
-
-	/* Handle major status */
-	msg_ctx = 0;
-	(void)gss_display_status(&minor_stat, major, GSS_C_GSS_CODE,
-				 GSS_C_NULL_OID, &msg_ctx, &msg_major);
-
-	/* Handle minor status */
-	msg_ctx = 0;
-	(void)gss_display_status(&minor_stat, minor, GSS_C_MECH_CODE,
-				 GSS_C_NULL_OID, &msg_ctx, &msg_minor);
-
-	snprintf(buf, buflen, "GSSAPI error: Major = %s, Minor = %s.",
-		(char *)msg_major.value, (char *)msg_minor.value);
-
-	if (msg_major.length != 0U)
-		(void)gss_release_buffer(&minor_stat, &msg_major);
-	if (msg_minor.length != 0U)
-		(void)gss_release_buffer(&minor_stat, &msg_minor);
-	return(buf);
-#else
-	snprintf(buf, buflen, "GSSAPI error: Major = %u, Minor = %u.",
-		 major, minor);
-
-	return (buf);
-#endif
-}
-
-void
-gss_log(int level, const char *fmt, ...) {
-	va_list ap;
-
-	va_start(ap, fmt);
-	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-		       DNS_LOGMODULE_TKEY, ISC_LOG_DEBUG(level), fmt, ap);
-	va_end(ap);
-}
-
-/*! \file */
diff --git a/contrib/bind9/lib/dns/hmac_link.c b/contrib/bind9/lib/dns/hmac_link.c
deleted file mode 100644
index 256abb6..0000000
--- a/contrib/bind9/lib/dns/hmac_link.c
+++ /dev/null
@@ -1,1734 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.19 2011/01/11 23:47:13 tbox Exp $
- */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/hmacmd5.h>
-#include <isc/hmacsha.h>
-#include <isc/md5.h>
-#include <isc/sha1.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-
-static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-struct dst_hmacmd5_key {
-	unsigned char key[ISC_MD5_BLOCK_LENGTH];
-};
-
-static isc_result_t
-getkeybits(dst_key_t *key, struct dst_private_element *element) {
-
-	if (element->length != 2)
-		return (DST_R_INVALIDPRIVATEKEY);
-
-	key->key_bits =	(element->data[0] << 8) + element->data[1];
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
-	isc_hmacmd5_t *hmacmd5ctx;
-	dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
-
-	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
-	if (hmacmd5ctx == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
-	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-hmacmd5_destroyctx(dst_context_t *dctx) {
-	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
-
-	if (hmacmd5ctx != NULL) {
-		isc_hmacmd5_invalidate(hmacmd5ctx);
-		isc_mem_put(dctx->mctx, hmacmd5ctx, sizeof(isc_hmacmd5_t));
-		dctx->ctxdata.hmacmd5ctx = NULL;
-	}
-}
-
-static isc_result_t
-hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
-
-	isc_hmacmd5_update(hmacmd5ctx, data->base, data->length);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
-	unsigned char *digest;
-
-	if (isc_buffer_availablelength(sig) < ISC_MD5_DIGESTLENGTH)
-		return (ISC_R_NOSPACE);
-	digest = isc_buffer_used(sig);
-	isc_hmacmd5_sign(hmacmd5ctx, digest);
-	isc_buffer_add(sig, ISC_MD5_DIGESTLENGTH);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
-
-	if (sig->length > ISC_MD5_DIGESTLENGTH)
-		return (DST_R_VERIFYFAILURE);
-
-	if (isc_hmacmd5_verify2(hmacmd5ctx, sig->base, sig->length))
-		return (ISC_R_SUCCESS);
-	else
-		return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	dst_hmacmd5_key_t *hkey1, *hkey2;
-
-	hkey1 = key1->keydata.hmacmd5;
-	hkey2 = key2->keydata.hmacmd5;
-
-	if (hkey1 == NULL && hkey2 == NULL)
-		return (ISC_TRUE);
-	else if (hkey1 == NULL || hkey2 == NULL)
-		return (ISC_FALSE);
-
-	if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0)
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
-	isc_buffer_t b;
-	isc_result_t ret;
-	unsigned int bytes;
-	unsigned char data[ISC_SHA1_BLOCK_LENGTH];
-
-	UNUSED(callback);
-
-	bytes = (key->key_size + 7) / 8;
-	if (bytes > ISC_SHA1_BLOCK_LENGTH) {
-		bytes = ISC_SHA1_BLOCK_LENGTH;
-		key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
-	}
-
-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_init(&b, data, bytes);
-	isc_buffer_add(&b, bytes);
-	ret = hmacmd5_fromdns(key, &b);
-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-
-	return (ret);
-}
-
-static isc_boolean_t
-hmacmd5_isprivate(const dst_key_t *key) {
-	UNUSED(key);
-	return (ISC_TRUE);
-}
-
-static void
-hmacmd5_destroy(dst_key_t *key) {
-	dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
-
-	memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
-	key->keydata.hmacmd5 = NULL;
-}
-
-static isc_result_t
-hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacmd5_key_t *hkey;
-	unsigned int bytes;
-
-	REQUIRE(key->keydata.hmacmd5 != NULL);
-
-	hkey = key->keydata.hmacmd5;
-
-	bytes = (key->key_size + 7) / 8;
-	if (isc_buffer_availablelength(data) < bytes)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putmem(data, hkey->key, bytes);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacmd5_key_t *hkey;
-	int keylen;
-	isc_region_t r;
-	isc_md5_t md5ctx;
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacmd5_key_t));
-	if (hkey == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memset(hkey->key, 0, sizeof(hkey->key));
-
-	if (r.length > ISC_SHA1_BLOCK_LENGTH) {
-		isc_md5_init(&md5ctx);
-		isc_md5_update(&md5ctx, r.base, r.length);
-		isc_md5_final(&md5ctx, hkey->key);
-		keylen = ISC_MD5_DIGESTLENGTH;
-	}
-	else {
-		memcpy(hkey->key, r.base, r.length);
-		keylen = r.length;
-	}
-
-	key->key_size = keylen * 8;
-	key->keydata.hmacmd5 = hkey;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacmd5_tofile(const dst_key_t *key, const char *directory) {
-	int cnt = 0;
-	dst_hmacmd5_key_t *hkey;
-	dst_private_t priv;
-	int bytes = (key->key_size + 7) / 8;
-	unsigned char buf[2];
-
-	if (key->keydata.hmacmd5 == NULL)
-		return (DST_R_NULLKEY);
-
-	hkey = key->keydata.hmacmd5;
-
-	priv.elements[cnt].tag = TAG_HMACMD5_KEY;
-	priv.elements[cnt].length = bytes;
-	priv.elements[cnt++].data = hkey->key;
-
-	buf[0] = (key->key_bits >> 8) & 0xffU;
-	buf[1] = key->key_bits & 0xffU;
-	priv.elements[cnt].tag = TAG_HMACMD5_BITS;
-	priv.elements[cnt].data = buf;
-	priv.elements[cnt++].length = 2;
-
-	priv.nelements = cnt;
-	return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t result, tresult;
-	isc_buffer_t b;
-	isc_mem_t *mctx = key->mctx;
-	unsigned int i;
-
-	UNUSED(pub);
-	/* read private key file */
-	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx,
-				       &priv);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	key->key_bits = 0;
-	for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
-		switch (priv.elements[i].tag) {
-		case TAG_HMACMD5_KEY:
-			isc_buffer_init(&b, priv.elements[i].data,
-					priv.elements[i].length);
-			isc_buffer_add(&b, priv.elements[i].length);
-			tresult = hmacmd5_fromdns(key, &b);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		case TAG_HMACMD5_BITS:
-			tresult = getkeybits(key, &priv.elements[i]);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		default:
-			result = DST_R_INVALIDPRIVATEKEY;
-			break;
-		}
-	}
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (result);
-}
-
-static dst_func_t hmacmd5_functions = {
-	hmacmd5_createctx,
-	hmacmd5_destroyctx,
-	hmacmd5_adddata,
-	hmacmd5_sign,
-	hmacmd5_verify,
-	NULL, /*%< verify2 */
-	NULL, /*%< computesecret */
-	hmacmd5_compare,
-	NULL, /*%< paramcompare */
-	hmacmd5_generate,
-	hmacmd5_isprivate,
-	hmacmd5_destroy,
-	hmacmd5_todns,
-	hmacmd5_fromdns,
-	hmacmd5_tofile,
-	hmacmd5_parse,
-	NULL, /*%< cleanup */
-	NULL, /*%< fromlabel */
-	NULL, /*%< dump */
-	NULL, /*%< restore */
-};
-
-isc_result_t
-dst__hmacmd5_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &hmacmd5_functions;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-struct dst_hmacsha1_key {
-	unsigned char key[ISC_SHA1_BLOCK_LENGTH];
-};
-
-static isc_result_t
-hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
-	isc_hmacsha1_t *hmacsha1ctx;
-	dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
-
-	hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
-	if (hmacsha1ctx == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
-	dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha1_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
-
-	if (hmacsha1ctx != NULL) {
-		isc_hmacsha1_invalidate(hmacsha1ctx);
-		isc_mem_put(dctx->mctx, hmacsha1ctx, sizeof(isc_hmacsha1_t));
-		dctx->ctxdata.hmacsha1ctx = NULL;
-	}
-}
-
-static isc_result_t
-hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
-
-	isc_hmacsha1_update(hmacsha1ctx, data->base, data->length);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
-	unsigned char *digest;
-
-	if (isc_buffer_availablelength(sig) < ISC_SHA1_DIGESTLENGTH)
-		return (ISC_R_NOSPACE);
-	digest = isc_buffer_used(sig);
-	isc_hmacsha1_sign(hmacsha1ctx, digest, ISC_SHA1_DIGESTLENGTH);
-	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
-
-	if (sig->length > ISC_SHA1_DIGESTLENGTH || sig->length == 0)
-		return (DST_R_VERIFYFAILURE);
-
-	if (isc_hmacsha1_verify(hmacsha1ctx, sig->base, sig->length))
-		return (ISC_R_SUCCESS);
-	else
-		return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	dst_hmacsha1_key_t *hkey1, *hkey2;
-
-	hkey1 = key1->keydata.hmacsha1;
-	hkey2 = key2->keydata.hmacsha1;
-
-	if (hkey1 == NULL && hkey2 == NULL)
-		return (ISC_TRUE);
-	else if (hkey1 == NULL || hkey2 == NULL)
-		return (ISC_FALSE);
-
-	if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0)
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
-	isc_buffer_t b;
-	isc_result_t ret;
-	unsigned int bytes;
-	unsigned char data[ISC_SHA1_BLOCK_LENGTH];
-
-	UNUSED(callback);
-
-	bytes = (key->key_size + 7) / 8;
-	if (bytes > ISC_SHA1_BLOCK_LENGTH) {
-		bytes = ISC_SHA1_BLOCK_LENGTH;
-		key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
-	}
-
-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_init(&b, data, bytes);
-	isc_buffer_add(&b, bytes);
-	ret = hmacsha1_fromdns(key, &b);
-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
-
-	return (ret);
-}
-
-static isc_boolean_t
-hmacsha1_isprivate(const dst_key_t *key) {
-	UNUSED(key);
-	return (ISC_TRUE);
-}
-
-static void
-hmacsha1_destroy(dst_key_t *key) {
-	dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
-
-	memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
-	key->keydata.hmacsha1 = NULL;
-}
-
-static isc_result_t
-hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha1_key_t *hkey;
-	unsigned int bytes;
-
-	REQUIRE(key->keydata.hmacsha1 != NULL);
-
-	hkey = key->keydata.hmacsha1;
-
-	bytes = (key->key_size + 7) / 8;
-	if (isc_buffer_availablelength(data) < bytes)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putmem(data, hkey->key, bytes);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha1_key_t *hkey;
-	int keylen;
-	isc_region_t r;
-	isc_sha1_t sha1ctx;
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha1_key_t));
-	if (hkey == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memset(hkey->key, 0, sizeof(hkey->key));
-
-	if (r.length > ISC_SHA1_BLOCK_LENGTH) {
-		isc_sha1_init(&sha1ctx);
-		isc_sha1_update(&sha1ctx, r.base, r.length);
-		isc_sha1_final(&sha1ctx, hkey->key);
-		keylen = ISC_SHA1_DIGESTLENGTH;
-	}
-	else {
-		memcpy(hkey->key, r.base, r.length);
-		keylen = r.length;
-	}
-
-	key->key_size = keylen * 8;
-	key->keydata.hmacsha1 = hkey;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha1_tofile(const dst_key_t *key, const char *directory) {
-	int cnt = 0;
-	dst_hmacsha1_key_t *hkey;
-	dst_private_t priv;
-	int bytes = (key->key_size + 7) / 8;
-	unsigned char buf[2];
-
-	if (key->keydata.hmacsha1 == NULL)
-		return (DST_R_NULLKEY);
-
-	hkey = key->keydata.hmacsha1;
-
-	priv.elements[cnt].tag = TAG_HMACSHA1_KEY;
-	priv.elements[cnt].length = bytes;
-	priv.elements[cnt++].data = hkey->key;
-
-	buf[0] = (key->key_bits >> 8) & 0xffU;
-	buf[1] = key->key_bits & 0xffU;
-	priv.elements[cnt].tag = TAG_HMACSHA1_BITS;
-	priv.elements[cnt].data = buf;
-	priv.elements[cnt++].length = 2;
-
-	priv.nelements = cnt;
-	return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t result, tresult;
-	isc_buffer_t b;
-	isc_mem_t *mctx = key->mctx;
-	unsigned int i;
-
-	UNUSED(pub);
-	/* read private key file */
-	result = dst__privstruct_parse(key, DST_ALG_HMACSHA1, lexer, mctx,
-				       &priv);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	key->key_bits = 0;
-	for (i = 0; i < priv.nelements; i++) {
-		switch (priv.elements[i].tag) {
-		case TAG_HMACSHA1_KEY:
-			isc_buffer_init(&b, priv.elements[i].data,
-					priv.elements[i].length);
-			isc_buffer_add(&b, priv.elements[i].length);
-			tresult = hmacsha1_fromdns(key, &b);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		case TAG_HMACSHA1_BITS:
-			tresult = getkeybits(key, &priv.elements[i]);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		default:
-			result = DST_R_INVALIDPRIVATEKEY;
-			break;
-		}
-	}
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (result);
-}
-
-static dst_func_t hmacsha1_functions = {
-	hmacsha1_createctx,
-	hmacsha1_destroyctx,
-	hmacsha1_adddata,
-	hmacsha1_sign,
-	hmacsha1_verify,
-	NULL, /* verify2 */
-	NULL, /* computesecret */
-	hmacsha1_compare,
-	NULL, /* paramcompare */
-	hmacsha1_generate,
-	hmacsha1_isprivate,
-	hmacsha1_destroy,
-	hmacsha1_todns,
-	hmacsha1_fromdns,
-	hmacsha1_tofile,
-	hmacsha1_parse,
-	NULL, /* cleanup */
-	NULL, /* fromlabel */
-	NULL, /* dump */
-	NULL, /* restore */
-};
-
-isc_result_t
-dst__hmacsha1_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &hmacsha1_functions;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-struct dst_hmacsha224_key {
-	unsigned char key[ISC_SHA224_BLOCK_LENGTH];
-};
-
-static isc_result_t
-hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
-	isc_hmacsha224_t *hmacsha224ctx;
-	dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
-
-	hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
-	if (hmacsha224ctx == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH);
-	dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha224_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
-
-	if (hmacsha224ctx != NULL) {
-		isc_hmacsha224_invalidate(hmacsha224ctx);
-		isc_mem_put(dctx->mctx, hmacsha224ctx, sizeof(isc_hmacsha224_t));
-		dctx->ctxdata.hmacsha224ctx = NULL;
-	}
-}
-
-static isc_result_t
-hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
-
-	isc_hmacsha224_update(hmacsha224ctx, data->base, data->length);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
-	unsigned char *digest;
-
-	if (isc_buffer_availablelength(sig) < ISC_SHA224_DIGESTLENGTH)
-		return (ISC_R_NOSPACE);
-	digest = isc_buffer_used(sig);
-	isc_hmacsha224_sign(hmacsha224ctx, digest, ISC_SHA224_DIGESTLENGTH);
-	isc_buffer_add(sig, ISC_SHA224_DIGESTLENGTH);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
-
-	if (sig->length > ISC_SHA224_DIGESTLENGTH || sig->length == 0)
-		return (DST_R_VERIFYFAILURE);
-
-	if (isc_hmacsha224_verify(hmacsha224ctx, sig->base, sig->length))
-		return (ISC_R_SUCCESS);
-	else
-		return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	dst_hmacsha224_key_t *hkey1, *hkey2;
-
-	hkey1 = key1->keydata.hmacsha224;
-	hkey2 = key2->keydata.hmacsha224;
-
-	if (hkey1 == NULL && hkey2 == NULL)
-		return (ISC_TRUE);
-	else if (hkey1 == NULL || hkey2 == NULL)
-		return (ISC_FALSE);
-
-	if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH) == 0)
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha224_generate(dst_key_t *key, int pseudorandom_ok,
-		    void (*callback)(int))
-{
-	isc_buffer_t b;
-	isc_result_t ret;
-	unsigned int bytes;
-	unsigned char data[ISC_SHA224_BLOCK_LENGTH];
-
-	UNUSED(callback);
-
-	bytes = (key->key_size + 7) / 8;
-	if (bytes > ISC_SHA224_BLOCK_LENGTH) {
-		bytes = ISC_SHA224_BLOCK_LENGTH;
-		key->key_size = ISC_SHA224_BLOCK_LENGTH * 8;
-	}
-
-	memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
-	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_init(&b, data, bytes);
-	isc_buffer_add(&b, bytes);
-	ret = hmacsha224_fromdns(key, &b);
-	memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
-
-	return (ret);
-}
-
-static isc_boolean_t
-hmacsha224_isprivate(const dst_key_t *key) {
-	UNUSED(key);
-	return (ISC_TRUE);
-}
-
-static void
-hmacsha224_destroy(dst_key_t *key) {
-	dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
-
-	memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
-	key->keydata.hmacsha224 = NULL;
-}
-
-static isc_result_t
-hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha224_key_t *hkey;
-	unsigned int bytes;
-
-	REQUIRE(key->keydata.hmacsha224 != NULL);
-
-	hkey = key->keydata.hmacsha224;
-
-	bytes = (key->key_size + 7) / 8;
-	if (isc_buffer_availablelength(data) < bytes)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putmem(data, hkey->key, bytes);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha224_key_t *hkey;
-	int keylen;
-	isc_region_t r;
-	isc_sha224_t sha224ctx;
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha224_key_t));
-	if (hkey == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memset(hkey->key, 0, sizeof(hkey->key));
-
-	if (r.length > ISC_SHA224_BLOCK_LENGTH) {
-		isc_sha224_init(&sha224ctx);
-		isc_sha224_update(&sha224ctx, r.base, r.length);
-		isc_sha224_final(hkey->key, &sha224ctx);
-		keylen = ISC_SHA224_DIGESTLENGTH;
-	}
-	else {
-		memcpy(hkey->key, r.base, r.length);
-		keylen = r.length;
-	}
-
-	key->key_size = keylen * 8;
-	key->keydata.hmacsha224 = hkey;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha224_tofile(const dst_key_t *key, const char *directory) {
-	int cnt = 0;
-	dst_hmacsha224_key_t *hkey;
-	dst_private_t priv;
-	int bytes = (key->key_size + 7) / 8;
-	unsigned char buf[2];
-
-	if (key->keydata.hmacsha224 == NULL)
-		return (DST_R_NULLKEY);
-
-	hkey = key->keydata.hmacsha224;
-
-	priv.elements[cnt].tag = TAG_HMACSHA224_KEY;
-	priv.elements[cnt].length = bytes;
-	priv.elements[cnt++].data = hkey->key;
-
-	buf[0] = (key->key_bits >> 8) & 0xffU;
-	buf[1] = key->key_bits & 0xffU;
-	priv.elements[cnt].tag = TAG_HMACSHA224_BITS;
-	priv.elements[cnt].data = buf;
-	priv.elements[cnt++].length = 2;
-
-	priv.nelements = cnt;
-	return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t result, tresult;
-	isc_buffer_t b;
-	isc_mem_t *mctx = key->mctx;
-	unsigned int i;
-
-	UNUSED(pub);
-	/* read private key file */
-	result = dst__privstruct_parse(key, DST_ALG_HMACSHA224, lexer, mctx,
-				       &priv);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	key->key_bits = 0;
-	for (i = 0; i < priv.nelements; i++) {
-		switch (priv.elements[i].tag) {
-		case TAG_HMACSHA224_KEY:
-			isc_buffer_init(&b, priv.elements[i].data,
-					priv.elements[i].length);
-			isc_buffer_add(&b, priv.elements[i].length);
-			tresult = hmacsha224_fromdns(key, &b);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		case TAG_HMACSHA224_BITS:
-			tresult = getkeybits(key, &priv.elements[i]);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		default:
-			result = DST_R_INVALIDPRIVATEKEY;
-			break;
-		}
-	}
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (result);
-}
-
-static dst_func_t hmacsha224_functions = {
-	hmacsha224_createctx,
-	hmacsha224_destroyctx,
-	hmacsha224_adddata,
-	hmacsha224_sign,
-	hmacsha224_verify,
-	NULL, /* verify2 */
-	NULL, /* computesecret */
-	hmacsha224_compare,
-	NULL, /* paramcompare */
-	hmacsha224_generate,
-	hmacsha224_isprivate,
-	hmacsha224_destroy,
-	hmacsha224_todns,
-	hmacsha224_fromdns,
-	hmacsha224_tofile,
-	hmacsha224_parse,
-	NULL, /* cleanup */
-	NULL, /* fromlabel */
-	NULL, /* dump */
-	NULL, /* restore */
-};
-
-isc_result_t
-dst__hmacsha224_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &hmacsha224_functions;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-struct dst_hmacsha256_key {
-	unsigned char key[ISC_SHA256_BLOCK_LENGTH];
-};
-
-static isc_result_t
-hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
-	isc_hmacsha256_t *hmacsha256ctx;
-	dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
-
-	hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
-	if (hmacsha256ctx == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH);
-	dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha256_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
-
-	if (hmacsha256ctx != NULL) {
-		isc_hmacsha256_invalidate(hmacsha256ctx);
-		isc_mem_put(dctx->mctx, hmacsha256ctx, sizeof(isc_hmacsha256_t));
-		dctx->ctxdata.hmacsha256ctx = NULL;
-	}
-}
-
-static isc_result_t
-hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
-
-	isc_hmacsha256_update(hmacsha256ctx, data->base, data->length);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
-	unsigned char *digest;
-
-	if (isc_buffer_availablelength(sig) < ISC_SHA256_DIGESTLENGTH)
-		return (ISC_R_NOSPACE);
-	digest = isc_buffer_used(sig);
-	isc_hmacsha256_sign(hmacsha256ctx, digest, ISC_SHA256_DIGESTLENGTH);
-	isc_buffer_add(sig, ISC_SHA256_DIGESTLENGTH);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
-
-	if (sig->length > ISC_SHA256_DIGESTLENGTH || sig->length == 0)
-		return (DST_R_VERIFYFAILURE);
-
-	if (isc_hmacsha256_verify(hmacsha256ctx, sig->base, sig->length))
-		return (ISC_R_SUCCESS);
-	else
-		return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	dst_hmacsha256_key_t *hkey1, *hkey2;
-
-	hkey1 = key1->keydata.hmacsha256;
-	hkey2 = key2->keydata.hmacsha256;
-
-	if (hkey1 == NULL && hkey2 == NULL)
-		return (ISC_TRUE);
-	else if (hkey1 == NULL || hkey2 == NULL)
-		return (ISC_FALSE);
-
-	if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH) == 0)
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha256_generate(dst_key_t *key, int pseudorandom_ok,
-		    void (*callback)(int))
-{
-	isc_buffer_t b;
-	isc_result_t ret;
-	unsigned int bytes;
-	unsigned char data[ISC_SHA256_BLOCK_LENGTH];
-
-	UNUSED(callback);
-
-	bytes = (key->key_size + 7) / 8;
-	if (bytes > ISC_SHA256_BLOCK_LENGTH) {
-		bytes = ISC_SHA256_BLOCK_LENGTH;
-		key->key_size = ISC_SHA256_BLOCK_LENGTH * 8;
-	}
-
-	memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
-	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_init(&b, data, bytes);
-	isc_buffer_add(&b, bytes);
-	ret = hmacsha256_fromdns(key, &b);
-	memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
-
-	return (ret);
-}
-
-static isc_boolean_t
-hmacsha256_isprivate(const dst_key_t *key) {
-	UNUSED(key);
-	return (ISC_TRUE);
-}
-
-static void
-hmacsha256_destroy(dst_key_t *key) {
-	dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
-
-	memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
-	key->keydata.hmacsha256 = NULL;
-}
-
-static isc_result_t
-hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha256_key_t *hkey;
-	unsigned int bytes;
-
-	REQUIRE(key->keydata.hmacsha256 != NULL);
-
-	hkey = key->keydata.hmacsha256;
-
-	bytes = (key->key_size + 7) / 8;
-	if (isc_buffer_availablelength(data) < bytes)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putmem(data, hkey->key, bytes);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha256_key_t *hkey;
-	int keylen;
-	isc_region_t r;
-	isc_sha256_t sha256ctx;
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha256_key_t));
-	if (hkey == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memset(hkey->key, 0, sizeof(hkey->key));
-
-	if (r.length > ISC_SHA256_BLOCK_LENGTH) {
-		isc_sha256_init(&sha256ctx);
-		isc_sha256_update(&sha256ctx, r.base, r.length);
-		isc_sha256_final(hkey->key, &sha256ctx);
-		keylen = ISC_SHA256_DIGESTLENGTH;
-	}
-	else {
-		memcpy(hkey->key, r.base, r.length);
-		keylen = r.length;
-	}
-
-	key->key_size = keylen * 8;
-	key->keydata.hmacsha256 = hkey;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha256_tofile(const dst_key_t *key, const char *directory) {
-	int cnt = 0;
-	dst_hmacsha256_key_t *hkey;
-	dst_private_t priv;
-	int bytes = (key->key_size + 7) / 8;
-	unsigned char buf[2];
-
-	if (key->keydata.hmacsha256 == NULL)
-		return (DST_R_NULLKEY);
-
-	hkey = key->keydata.hmacsha256;
-
-	priv.elements[cnt].tag = TAG_HMACSHA256_KEY;
-	priv.elements[cnt].length = bytes;
-	priv.elements[cnt++].data = hkey->key;
-
-	buf[0] = (key->key_bits >> 8) & 0xffU;
-	buf[1] = key->key_bits & 0xffU;
-	priv.elements[cnt].tag = TAG_HMACSHA256_BITS;
-	priv.elements[cnt].data = buf;
-	priv.elements[cnt++].length = 2;
-
-	priv.nelements = cnt;
-	return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t result, tresult;
-	isc_buffer_t b;
-	isc_mem_t *mctx = key->mctx;
-	unsigned int i;
-
-	UNUSED(pub);
-	/* read private key file */
-	result = dst__privstruct_parse(key, DST_ALG_HMACSHA256, lexer, mctx,
-				       &priv);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	key->key_bits = 0;
-	for (i = 0; i < priv.nelements; i++) {
-		switch (priv.elements[i].tag) {
-		case TAG_HMACSHA256_KEY:
-			isc_buffer_init(&b, priv.elements[i].data,
-					priv.elements[i].length);
-			isc_buffer_add(&b, priv.elements[i].length);
-			tresult = hmacsha256_fromdns(key, &b);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		case TAG_HMACSHA256_BITS:
-			tresult = getkeybits(key, &priv.elements[i]);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		default:
-			result = DST_R_INVALIDPRIVATEKEY;
-			break;
-		}
-	}
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (result);
-}
-
-static dst_func_t hmacsha256_functions = {
-	hmacsha256_createctx,
-	hmacsha256_destroyctx,
-	hmacsha256_adddata,
-	hmacsha256_sign,
-	hmacsha256_verify,
-	NULL, /* verify2 */
-	NULL, /* computesecret */
-	hmacsha256_compare,
-	NULL, /* paramcompare */
-	hmacsha256_generate,
-	hmacsha256_isprivate,
-	hmacsha256_destroy,
-	hmacsha256_todns,
-	hmacsha256_fromdns,
-	hmacsha256_tofile,
-	hmacsha256_parse,
-	NULL, /* cleanup */
-	NULL, /* fromlabel */
-	NULL, /* dump */
-	NULL, /* restore */
-};
-
-isc_result_t
-dst__hmacsha256_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &hmacsha256_functions;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-struct dst_hmacsha384_key {
-	unsigned char key[ISC_SHA384_BLOCK_LENGTH];
-};
-
-static isc_result_t
-hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
-	isc_hmacsha384_t *hmacsha384ctx;
-	dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
-
-	hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
-	if (hmacsha384ctx == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH);
-	dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha384_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
-
-	if (hmacsha384ctx != NULL) {
-		isc_hmacsha384_invalidate(hmacsha384ctx);
-		isc_mem_put(dctx->mctx, hmacsha384ctx, sizeof(isc_hmacsha384_t));
-		dctx->ctxdata.hmacsha384ctx = NULL;
-	}
-}
-
-static isc_result_t
-hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
-
-	isc_hmacsha384_update(hmacsha384ctx, data->base, data->length);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
-	unsigned char *digest;
-
-	if (isc_buffer_availablelength(sig) < ISC_SHA384_DIGESTLENGTH)
-		return (ISC_R_NOSPACE);
-	digest = isc_buffer_used(sig);
-	isc_hmacsha384_sign(hmacsha384ctx, digest, ISC_SHA384_DIGESTLENGTH);
-	isc_buffer_add(sig, ISC_SHA384_DIGESTLENGTH);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
-
-	if (sig->length > ISC_SHA384_DIGESTLENGTH || sig->length == 0)
-		return (DST_R_VERIFYFAILURE);
-
-	if (isc_hmacsha384_verify(hmacsha384ctx, sig->base, sig->length))
-		return (ISC_R_SUCCESS);
-	else
-		return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	dst_hmacsha384_key_t *hkey1, *hkey2;
-
-	hkey1 = key1->keydata.hmacsha384;
-	hkey2 = key2->keydata.hmacsha384;
-
-	if (hkey1 == NULL && hkey2 == NULL)
-		return (ISC_TRUE);
-	else if (hkey1 == NULL || hkey2 == NULL)
-		return (ISC_FALSE);
-
-	if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH) == 0)
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha384_generate(dst_key_t *key, int pseudorandom_ok,
-		    void (*callback)(int))
-{
-	isc_buffer_t b;
-	isc_result_t ret;
-	unsigned int bytes;
-	unsigned char data[ISC_SHA384_BLOCK_LENGTH];
-
-	UNUSED(callback);
-
-	bytes = (key->key_size + 7) / 8;
-	if (bytes > ISC_SHA384_BLOCK_LENGTH) {
-		bytes = ISC_SHA384_BLOCK_LENGTH;
-		key->key_size = ISC_SHA384_BLOCK_LENGTH * 8;
-	}
-
-	memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
-	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_init(&b, data, bytes);
-	isc_buffer_add(&b, bytes);
-	ret = hmacsha384_fromdns(key, &b);
-	memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
-
-	return (ret);
-}
-
-static isc_boolean_t
-hmacsha384_isprivate(const dst_key_t *key) {
-	UNUSED(key);
-	return (ISC_TRUE);
-}
-
-static void
-hmacsha384_destroy(dst_key_t *key) {
-	dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
-
-	memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
-	key->keydata.hmacsha384 = NULL;
-}
-
-static isc_result_t
-hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha384_key_t *hkey;
-	unsigned int bytes;
-
-	REQUIRE(key->keydata.hmacsha384 != NULL);
-
-	hkey = key->keydata.hmacsha384;
-
-	bytes = (key->key_size + 7) / 8;
-	if (isc_buffer_availablelength(data) < bytes)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putmem(data, hkey->key, bytes);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha384_key_t *hkey;
-	int keylen;
-	isc_region_t r;
-	isc_sha384_t sha384ctx;
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha384_key_t));
-	if (hkey == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memset(hkey->key, 0, sizeof(hkey->key));
-
-	if (r.length > ISC_SHA384_BLOCK_LENGTH) {
-		isc_sha384_init(&sha384ctx);
-		isc_sha384_update(&sha384ctx, r.base, r.length);
-		isc_sha384_final(hkey->key, &sha384ctx);
-		keylen = ISC_SHA384_DIGESTLENGTH;
-	}
-	else {
-		memcpy(hkey->key, r.base, r.length);
-		keylen = r.length;
-	}
-
-	key->key_size = keylen * 8;
-	key->keydata.hmacsha384 = hkey;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha384_tofile(const dst_key_t *key, const char *directory) {
-	int cnt = 0;
-	dst_hmacsha384_key_t *hkey;
-	dst_private_t priv;
-	int bytes = (key->key_size + 7) / 8;
-	unsigned char buf[2];
-
-	if (key->keydata.hmacsha384 == NULL)
-		return (DST_R_NULLKEY);
-
-	hkey = key->keydata.hmacsha384;
-
-	priv.elements[cnt].tag = TAG_HMACSHA384_KEY;
-	priv.elements[cnt].length = bytes;
-	priv.elements[cnt++].data = hkey->key;
-
-	buf[0] = (key->key_bits >> 8) & 0xffU;
-	buf[1] = key->key_bits & 0xffU;
-	priv.elements[cnt].tag = TAG_HMACSHA384_BITS;
-	priv.elements[cnt].data = buf;
-	priv.elements[cnt++].length = 2;
-
-	priv.nelements = cnt;
-	return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t result, tresult;
-	isc_buffer_t b;
-	isc_mem_t *mctx = key->mctx;
-	unsigned int i;
-
-	UNUSED(pub);
-	/* read private key file */
-	result = dst__privstruct_parse(key, DST_ALG_HMACSHA384, lexer, mctx,
-				       &priv);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	key->key_bits = 0;
-	for (i = 0; i < priv.nelements; i++) {
-		switch (priv.elements[i].tag) {
-		case TAG_HMACSHA384_KEY:
-			isc_buffer_init(&b, priv.elements[i].data,
-					priv.elements[i].length);
-			isc_buffer_add(&b, priv.elements[i].length);
-			tresult = hmacsha384_fromdns(key, &b);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		case TAG_HMACSHA384_BITS:
-			tresult = getkeybits(key, &priv.elements[i]);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		default:
-			result = DST_R_INVALIDPRIVATEKEY;
-			break;
-		}
-	}
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (result);
-}
-
-static dst_func_t hmacsha384_functions = {
-	hmacsha384_createctx,
-	hmacsha384_destroyctx,
-	hmacsha384_adddata,
-	hmacsha384_sign,
-	hmacsha384_verify,
-	NULL, /* verify2 */
-	NULL, /* computesecret */
-	hmacsha384_compare,
-	NULL, /* paramcompare */
-	hmacsha384_generate,
-	hmacsha384_isprivate,
-	hmacsha384_destroy,
-	hmacsha384_todns,
-	hmacsha384_fromdns,
-	hmacsha384_tofile,
-	hmacsha384_parse,
-	NULL, /* cleanup */
-	NULL, /* fromlabel */
-	NULL, /* dump */
-	NULL, /* restore */
-};
-
-isc_result_t
-dst__hmacsha384_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &hmacsha384_functions;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-struct dst_hmacsha512_key {
-	unsigned char key[ISC_SHA512_BLOCK_LENGTH];
-};
-
-static isc_result_t
-hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
-	isc_hmacsha512_t *hmacsha512ctx;
-	dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
-
-	hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
-	if (hmacsha512ctx == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH);
-	dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-hmacsha512_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
-
-	if (hmacsha512ctx != NULL) {
-		isc_hmacsha512_invalidate(hmacsha512ctx);
-		isc_mem_put(dctx->mctx, hmacsha512ctx, sizeof(isc_hmacsha512_t));
-		dctx->ctxdata.hmacsha512ctx = NULL;
-	}
-}
-
-static isc_result_t
-hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
-
-	isc_hmacsha512_update(hmacsha512ctx, data->base, data->length);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
-	unsigned char *digest;
-
-	if (isc_buffer_availablelength(sig) < ISC_SHA512_DIGESTLENGTH)
-		return (ISC_R_NOSPACE);
-	digest = isc_buffer_used(sig);
-	isc_hmacsha512_sign(hmacsha512ctx, digest, ISC_SHA512_DIGESTLENGTH);
-	isc_buffer_add(sig, ISC_SHA512_DIGESTLENGTH);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
-
-	if (sig->length > ISC_SHA512_DIGESTLENGTH || sig->length == 0)
-		return (DST_R_VERIFYFAILURE);
-
-	if (isc_hmacsha512_verify(hmacsha512ctx, sig->base, sig->length))
-		return (ISC_R_SUCCESS);
-	else
-		return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	dst_hmacsha512_key_t *hkey1, *hkey2;
-
-	hkey1 = key1->keydata.hmacsha512;
-	hkey2 = key2->keydata.hmacsha512;
-
-	if (hkey1 == NULL && hkey2 == NULL)
-		return (ISC_TRUE);
-	else if (hkey1 == NULL || hkey2 == NULL)
-		return (ISC_FALSE);
-
-	if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH) == 0)
-		return (ISC_TRUE);
-	else
-		return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacsha512_generate(dst_key_t *key, int pseudorandom_ok,
-		    void (*callback)(int))
-{
-	isc_buffer_t b;
-	isc_result_t ret;
-	unsigned int bytes;
-	unsigned char data[ISC_SHA512_BLOCK_LENGTH];
-
-	UNUSED(callback);
-
-	bytes = (key->key_size + 7) / 8;
-	if (bytes > ISC_SHA512_BLOCK_LENGTH) {
-		bytes = ISC_SHA512_BLOCK_LENGTH;
-		key->key_size = ISC_SHA512_BLOCK_LENGTH * 8;
-	}
-
-	memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
-	ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_init(&b, data, bytes);
-	isc_buffer_add(&b, bytes);
-	ret = hmacsha512_fromdns(key, &b);
-	memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
-
-	return (ret);
-}
-
-static isc_boolean_t
-hmacsha512_isprivate(const dst_key_t *key) {
-	UNUSED(key);
-	return (ISC_TRUE);
-}
-
-static void
-hmacsha512_destroy(dst_key_t *key) {
-	dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
-
-	memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
-	key->keydata.hmacsha512 = NULL;
-}
-
-static isc_result_t
-hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha512_key_t *hkey;
-	unsigned int bytes;
-
-	REQUIRE(key->keydata.hmacsha512 != NULL);
-
-	hkey = key->keydata.hmacsha512;
-
-	bytes = (key->key_size + 7) / 8;
-	if (isc_buffer_availablelength(data) < bytes)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putmem(data, hkey->key, bytes);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	dst_hmacsha512_key_t *hkey;
-	int keylen;
-	isc_region_t r;
-	isc_sha512_t sha512ctx;
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha512_key_t));
-	if (hkey == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memset(hkey->key, 0, sizeof(hkey->key));
-
-	if (r.length > ISC_SHA512_BLOCK_LENGTH) {
-		isc_sha512_init(&sha512ctx);
-		isc_sha512_update(&sha512ctx, r.base, r.length);
-		isc_sha512_final(hkey->key, &sha512ctx);
-		keylen = ISC_SHA512_DIGESTLENGTH;
-	}
-	else {
-		memcpy(hkey->key, r.base, r.length);
-		keylen = r.length;
-	}
-
-	key->key_size = keylen * 8;
-	key->keydata.hmacsha512 = hkey;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacsha512_tofile(const dst_key_t *key, const char *directory) {
-	int cnt = 0;
-	dst_hmacsha512_key_t *hkey;
-	dst_private_t priv;
-	int bytes = (key->key_size + 7) / 8;
-	unsigned char buf[2];
-
-	if (key->keydata.hmacsha512 == NULL)
-		return (DST_R_NULLKEY);
-
-	hkey = key->keydata.hmacsha512;
-
-	priv.elements[cnt].tag = TAG_HMACSHA512_KEY;
-	priv.elements[cnt].length = bytes;
-	priv.elements[cnt++].data = hkey->key;
-
-	buf[0] = (key->key_bits >> 8) & 0xffU;
-	buf[1] = key->key_bits & 0xffU;
-	priv.elements[cnt].tag = TAG_HMACSHA512_BITS;
-	priv.elements[cnt].data = buf;
-	priv.elements[cnt++].length = 2;
-
-	priv.nelements = cnt;
-	return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t result, tresult;
-	isc_buffer_t b;
-	isc_mem_t *mctx = key->mctx;
-	unsigned int i;
-
-	UNUSED(pub);
-	/* read private key file */
-	result = dst__privstruct_parse(key, DST_ALG_HMACSHA512, lexer, mctx,
-				       &priv);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	key->key_bits = 0;
-	for (i = 0; i < priv.nelements; i++) {
-		switch (priv.elements[i].tag) {
-		case TAG_HMACSHA512_KEY:
-			isc_buffer_init(&b, priv.elements[i].data,
-					priv.elements[i].length);
-			isc_buffer_add(&b, priv.elements[i].length);
-			tresult = hmacsha512_fromdns(key, &b);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		case TAG_HMACSHA512_BITS:
-			tresult = getkeybits(key, &priv.elements[i]);
-			if (tresult != ISC_R_SUCCESS)
-				result = tresult;
-			break;
-		default:
-			result = DST_R_INVALIDPRIVATEKEY;
-			break;
-		}
-	}
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (result);
-}
-
-static dst_func_t hmacsha512_functions = {
-	hmacsha512_createctx,
-	hmacsha512_destroyctx,
-	hmacsha512_adddata,
-	hmacsha512_sign,
-	hmacsha512_verify,
-	NULL, /* verify2 */
-	NULL, /* computesecret */
-	hmacsha512_compare,
-	NULL, /* paramcompare */
-	hmacsha512_generate,
-	hmacsha512_isprivate,
-	hmacsha512_destroy,
-	hmacsha512_todns,
-	hmacsha512_fromdns,
-	hmacsha512_tofile,
-	hmacsha512_parse,
-	NULL, /* cleanup */
-	NULL, /* fromlabel */
-	NULL, /* dump */
-	NULL, /* restore */
-};
-
-isc_result_t
-dst__hmacsha512_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &hmacsha512_functions;
-	return (ISC_R_SUCCESS);
-}
-
-/*! \file */
diff --git a/contrib/bind9/lib/dns/include/Makefile.in b/contrib/bind9/lib/dns/include/Makefile.in
deleted file mode 100644
index 10d798d..0000000
--- a/contrib/bind9/lib/dns/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.15 2007/06/19 23:47:16 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	dns dst
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/dns/include/dns/Makefile.in b/contrib/bind9/lib/dns/include/dns/Makefile.in
deleted file mode 100644
index 1a69f2c..0000000
--- a/contrib/bind9/lib/dns/include/dns/Makefile.in
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright (C) 2004, 2007-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.60 2011/11/14 18:32:34 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	acl.h adb.h byaddr.h cache.h callbacks.h cert.h compress.h \
-		clientinfo.h db.h dbiterator.h dbtable.h diff.h dispatch.h \
-		dlz.h dnssec.h ds.h events.h fixedname.h iptable.h journal.h \
-		keyflags.h keytable.h keyvalues.h lib.h log.h \
-		master.h masterdump.h message.h name.h ncache.h nsec.h \
-		peer.h portlist.h private.h rbt.h rcode.h \
-		rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
-		rdataslab.h rdatatype.h request.h resolver.h result.h \
-		rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
-		tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \
-		validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h
-
-GENHEADERS =	enumclass.h enumtype.h rdatastruct.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dns
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dns ; \
-	done
-	for i in ${GENHEADERS}; do \
-		${INSTALL_DATA} $$i ${DESTDIR}${includedir}/dns ; \
-	done
diff --git a/contrib/bind9/lib/dns/include/dns/acache.h b/contrib/bind9/lib/dns/include/dns/acache.h
deleted file mode 100644
index 304cba7..0000000
--- a/contrib/bind9/lib/dns/include/dns/acache.h
+++ /dev/null
@@ -1,448 +0,0 @@
-/*
- * Copyright (C) 2004, 2006, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acache.h,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef DNS_ACACHE_H
-#define DNS_ACACHE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Acache
- *
- * The Additional Cache Object
- *
- *	This module manages internal caching entries that correspond to
- *	the additional section data of a DNS DB node (an RRset header, more
- *	accurately).  An additional cache entry is expected to be (somehow)
- *	attached to a particular RR in a particular DB node, and contains a set
- *	of information of an additional data for the DB node.
- *
- *	An additional cache object is intended to be created as a per-view
- *	object, and manages all cache entries within the view.
- *
- *	The intended usage of the additional caching is to provide a short cut
- *	to additional glue RRs of an NS RR.  For each NS RR, it is often
- *	necessary to look for glue RRs to make a proper response.  Once the
- *	glue RRs are known, the additional caching allows the client to
- *	associate the information to the original NS RR so that further
- *	expensive lookups can be avoided for the NS RR.
- *
- *	Each additional cache entry contains information to identify a
- *	particular DB node and (optionally) an associated RRset.  The
- *	information consists of its zone, database, the version of the
- *	database, database node, and RRset.
- *
- *	A "negative" information can also be cached.  For example, if a glue
- *	RR does not exist as an authoritative data in the same zone as that
- *	of the NS RR, this fact can be cached by specifying a NULL pointer
- *	for the database, version, and node.  (See the description for
- *	dns_acache_getentry() below for more details.)
- *
- *	Since each member stored in an additional cache entry holds a reference
- *	to a corresponding object, a stale cache entry may cause unnecessary
- *	memory consumption.  For instance, when a zone is reloaded, additional
- *	cache entries that have a reference to the zone (and its DB and/or
- *	DB nodes) can delay the cleanup of the referred objects.  In order to
- *	minimize such a bad effect, this module provides several cleanup
- *	mechanisms.
- *
- *	The first one is a shutdown procedure called when the associated view
- *	is shut down.  In this case, dns_acache_shutdown() will be called and
- *	all cache entries will be purged.  This mechanism will help the
- *	situation when the configuration is reloaded or the main server is
- *	stopped.
- *
- *	Per-DB cleanup mechanism is also provided.  Each additional cache entry
- *	is associated with related DB, which is expected to have been
- *	registered when the DB was created by dns_acache_setdb().  If a
- *	particular DB is going to be destroyed, the primary holder of the DB,
- *	a typical example of which is a zone, will call dns_acache_putdb().
- *	Then this module will clean-up all cache entries associated with the
- *	DB.  This mechanism is effective when a secondary zone DB is going to
- *	be stale after a zone transfer.
- *
- *	Finally, this module supports for periodic clean-up of stale entries.
- *	Each cache entry has a timestamp field, which is updated every time
- *	the entry is referred.  A periodically invoked cleaner checks the
- *	timestamp of each entry, and purge entries that have not been referred
- *	for a certain period.  The cleaner interval can be specified by
- *	dns_acache_setcleaninginterval().  If the periodic clean-up is not
- *	enough, it is also possible to specify the upper limit of entries
- *	in terms of the memory consumption.  If the maximum value is
- *	specified, the cleaner is invoked when the memory consumption reaches
- *	the high watermark inferred from the maximum value.  In this case,
- *	the cleaner will use more aggressive algorithm to decide the "victim"
- *	entries.  The maximum value can be specified by
- *	dns_acache_setcachesize().
- *
- *	When a cache entry is going to be purged within this module, the
- *	callback function specified at the creation time will be called.
- *	The callback function is expected to release all internal resources
- *	related to the entry, which will typically be specific to DB
- *	implementation, and to call dns_acache_detachentry().  The callback
- *	mechanism is very important, since the holder of an additional cache
- *	entry may not be able to initiate the clean-up of the entry, due to
- *	the reference ordering.  For example, as long as an additional cache
- *	entry has a reference to a DB object, the DB cannot be freed, in which
- *	a DB node may have a reference to the cache entry.
- *
- *	Credits:
- *	The basic idea of this kind of short-cut for frequently used
- *	information is similar to the "pre-compiled answer" approach adopted
- *	in nsd by NLnet LABS with RIPE NCC.  Our work here is an independent
- *	effort, but the success of nsd encouraged us to pursue this path.
- *
- *	The design and implementation of the periodic memory management and
- *	the upper limitation of memory consumption was derived from the cache
- *	DB implementation of BIND9.
- *
- * MP:
- *	There are two main locks in this module.  One is for each entry, and
- *	the other is for the additional cache object.
- *
- * Reliability:
- *	The callback function for a cache entry is called with holding the
- *	entry lock.  Thus, it implicitly assumes the callback function does not
- *	call a function that can require the lock.  Typically, the only
- *	function that can be called from the callback function safely is
- *	dns_acache_detachentry().  The breakage of this implicit assumption
- *	may cause a deadlock.
- *
- * Resources:
- *	In a 32-bit architecture (such as i386), the following additional
- *	memory is required comparing to the case that disables this module.
- *	- 76 bytes for each additional cache entry
- *	- if the entry has a DNS name and associated RRset,
- *	  * 44 bytes + size of the name (1-255 bytes)
- *	  * 52 bytes x number_of_RRs
- *	- 28 bytes for each DB related to this module
- *
- *	Using the additional cache also requires extra memory consumption in
- *	the DB implementation.  In the current implementation for rbtdb, we
- *	need:
- *	- two additional pointers for each DB node (8 bytes for a 32-bit
- *	  architecture
- *	- for each RR associated to an RR in a DB node, we also need
- *	  a pointer and management objects to support the additional cache
- *	  function.  These are allocated on-demand.  The total size is
- *	  32 bytes for a 32-bit architecture.
- *
- * Security:
- *	Since this module does not handle any low-level data directly,
- *	no security issue specific to this module is anticipated.
- *
- * Standards:
- *	None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/mutex.h>
-#include <isc/lang.h>
-#include <isc/refcount.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-
-/***
- *** Functions
- ***/
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
-		  isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr);
-/*
- * Create a new DNS additional cache object.
- *
- * Requires:
- *
- *	'mctx' is a valid memory context
- *
- *	'taskmgr' is a valid task manager
- *
- *	'timermgr' is a valid timer or NULL.  If NULL, no periodic cleaning of
- *	the cache will take place.
- *
- *	'acachep' is a valid pointer, and *acachep == NULL
- *
- * Ensures:
- *
- *	'*acachep' is attached to the newly created cache
- *
- * Returns:
- *
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_UNEXPECTED
- */
-
-void
-dns_acache_attach(dns_acache_t *source, dns_acache_t **targetp);
-/*
- * Attach *targetp to cache.
- *
- * Requires:
- *
- *	'acache' is a valid additional cache.
- *
- *	'targetp' points to a NULL dns_acache_t *.
- *
- * Ensures:
- *
- *	*targetp is attached to the 'source' additional cache.
- */
-
-void
-dns_acache_detach(dns_acache_t **acachep);
-/*
- * Detach *acachep from its cache.
- *
- * Requires:
- *
- *	'*acachep' points to a valid additional cache.
- *
- * Ensures:
- *
- *	*acachep is NULL.
- *
- *	If '*acachep' is the last reference to the cache and the additional
- *	cache does not have an outstanding task, all resources used by the
- *	cache will be freed.
- */
-
-void
-dns_acache_setcleaninginterval(dns_acache_t *acache, unsigned int t);
-/*
- * Set the periodic cleaning interval of an additional cache to 'interval'
- * seconds.
- */
-
-void
-dns_acache_setcachesize(dns_acache_t *acache, size_t size);
-/*
- * Set the maximum additional cache size.  0 means unlimited.
- */
-
-isc_result_t
-dns_acache_setdb(dns_acache_t *acache, dns_db_t *db);
-/*
- * Set 'db' in 'acache' when the db can be referred from acache, in order
- * to provide a hint for resolving the back reference.
- *
- * Requires:
- *	'acache' is a valid acache pointer.
- *	'db' is a valid DNS DB pointer.
- *
- * Ensures:
- *	'acache' will have a reference to 'db'.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_EXISTS	(which means the specified 'db' is already set)
- *	ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_acache_putdb(dns_acache_t *acache, dns_db_t *db);
-/*
- * Release 'db' from 'acache' if it has been set by dns_acache_setdb().
- *
- * Requires:
- *	'acache' is a valid acache pointer.
- *	'db' is a valid DNS DB pointer.
- *
- * Ensures:
- *	'acache' will release the reference to 'db'.  Additionally, the content
- *	of each cache entry that is related to the 'db' will be released via
- *	the callback function.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOTFOUND	(which means the specified 'db' is not set in 'acache')
- *	ISC_R_NOMEMORY
- */
-
-void
-dns_acache_shutdown(dns_acache_t *acache);
-/*
- * Shutdown 'acache'.
- *
- * Requires:
- *
- * 	'*acache' is a valid additional cache.
- */
-
-isc_result_t
-dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
-		       void (*callback)(dns_acacheentry_t *, void **),
-		       void *cbarg, dns_acacheentry_t **entryp);
-/*
- * Create an additional cache entry.  A new entry is created and attached to
- * the given additional cache object.  A callback function is also associated
- * with the created entry, which will be called when the cache entry is purged
- * for some reason.
- *
- * Requires:
- *
- * 	'acache' is a valid additional cache.
- *	'entryp' is a valid pointer, and *entryp == NULL
- *	'origdb' is a valid DNS DB pointer.
- *	'callback' and 'cbarg' can be NULL.  In this case, however, the entry
- *	is meaningless (and will be cleaned-up in the next periodical
- *	cleaning).
- *
- * Ensures:
- *	'*entryp' will point to a new additional cache entry.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
-		    dns_db_t **dbp, dns_dbversion_t **versionp,
-		    dns_dbnode_t **nodep, dns_name_t *fname,
-		    dns_message_t *msg, isc_stdtime_t now);
-/*
- * Get content from a particular additional cache entry.
- *
- * Requires:
- *
- * 	'entry' is a valid additional cache entry.
- *	'zonep' is a NULL pointer or '*zonep' == NULL (this is the only
- *	optional parameter.)
- *	'dbp' is a valid pointer, and '*dbp' == NULL
- *	'versionp' is a valid pointer, and '*versionp' == NULL
- *	'nodep' is a valid pointer, and '*nodep' == NULL
- *	'fname' is a valid DNS name.
- *	'msg' is a valid DNS message.
- *
- * Ensures:
- *	Several possible cases can happen according to the content.
- *	1. For a positive cache entry,
- *	'*zonep' will point to the corresponding zone (if zonep is a valid
- *	pointer),
- *	'*dbp' will point to a DB for the zone,
- *	'*versionp' will point to its version, and
- *	'*nodep' will point to the corresponding DB node.
- *	'fname' will have the DNS name of the DB node and contain a list of
- *	rdataset for the node (which can be an empty list).
- *
- * 	2. For a negative cache entry that means no corresponding zone exists,
- *	'*zonep' == NULL (if zonep is a valid pointer)
- *	'*dbp', '*versionp', and '*nodep' will be NULL.
- *
- *	3. For a negative cache entry that means no corresponding DB node
- *	exists, '*zonep' will point to the corresponding zone (if zonep is a
- *	valid pointer),
- *	'*dbp' will point to a corresponding DB for zone,
- *	'*versionp' will point to its version.
- *	'*nodep' will be kept as NULL.
- *	'fname' will not change.
- *
- *	On failure, no new references will be created.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
-		    dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
-		    dns_dbnode_t *node, dns_name_t *fname);
-/*
- * Set content to a particular additional cache entry.
- *
- * Requires:
- *	'acache' is a valid additional cache.
- *	'entry' is a valid additional cache entry.
- *	All the others pointers are NULL or a valid pointer of the
- *	corresponding type.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_NOTFOUND
- */
-
-isc_boolean_t
-dns_acache_cancelentry(dns_acacheentry_t *entry);
-/*
- * Cancel the use of the cache entry 'entry'.  This function is supposed to
- * be called when the node that holds the entry finds the content is not
- * correct any more.  This function will try to release as much dependency as
- * possible, and will be ready to be cleaned-up.  The registered callback
- * function will be canceled and will never called.
- *
- * Requires:
- *	'entry' is a valid additional cache entry.
- *
- * Returns:
- * 	ISC_TRUE if the entry was active when canceled
- */
-
-void
-dns_acache_attachentry(dns_acacheentry_t *source, dns_acacheentry_t **targetp);
-/*
- * Attach *targetp to the cache entry 'source'.
- *
- * Requires:
- *
- *	'source' is a valid additional cache entry.
- *
- *	'targetp' points to a NULL dns_acacheentry_t *.
- *
- * Ensures:
- *
- *	*targetp is attached to 'source'.
- */
-
-void
-dns_acache_detachentry(dns_acacheentry_t **entryp);
-/*
- * Detach *entryp from its cache.
- *
- * Requires:
- *
- *	'*entryp' points to a valid additional cache entry.
- *
- * Ensures:
- *
- *	*entryp is NULL.
- *
- *	If '*entryp' is the last reference to the entry,
- *	cache does not have an outstanding task, all resources used by the
- *	entry (including the entry object itself) will be freed.
- */
-
-void
-dns_acache_countquerymiss(dns_acache_t *acache);
-/*
- * Count up a missed acache query.  XXXMLG need more docs.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ACACHE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/acl.h b/contrib/bind9/lib/dns/include/dns/acl.h
deleted file mode 100644
index f4fc4a3..0000000
--- a/contrib/bind9/lib/dns/include/dns/acl.h
+++ /dev/null
@@ -1,239 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acl.h,v 1.35 2011/06/17 23:47:49 tbox Exp $ */
-
-#ifndef DNS_ACL_H
-#define DNS_ACL_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/acl.h
- * \brief
- * Address match list handling.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/netaddr.h>
-#include <isc/refcount.h>
-
-#include <dns/name.h>
-#include <dns/types.h>
-#include <dns/iptable.h>
-
-/***
- *** Types
- ***/
-
-typedef enum {
-	dns_aclelementtype_ipprefix,
-	dns_aclelementtype_keyname,
-	dns_aclelementtype_nestedacl,
-	dns_aclelementtype_localhost,
-	dns_aclelementtype_localnets,
-	dns_aclelementtype_any
-} dns_aclelemettype_t;
-
-typedef struct dns_aclipprefix dns_aclipprefix_t;
-
-struct dns_aclipprefix {
-	isc_netaddr_t address; /* IP4/IP6 */
-	unsigned int prefixlen;
-};
-
-struct dns_aclelement {
-	dns_aclelemettype_t	type;
-	isc_boolean_t		negative;
-	dns_name_t		keyname;
-	dns_acl_t		*nestedacl;
-	int			node_num;
-};
-
-struct dns_acl {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	isc_refcount_t		refcount;
-	dns_iptable_t		*iptable;
-#define node_count		iptable->radix->num_added_node
-	dns_aclelement_t	*elements;
-	isc_boolean_t 		has_negatives;
-	unsigned int 		alloc;		/*%< Elements allocated */
-	unsigned int 		length;		/*%< Elements initialized */
-	char 			*name;		/*%< Temporary use only */
-	ISC_LINK(dns_acl_t) 	nextincache;	/*%< Ditto */
-};
-
-struct dns_aclenv {
-	dns_acl_t *localhost;
-	dns_acl_t *localnets;
-	isc_boolean_t match_mapped;
-};
-
-#define DNS_ACL_MAGIC		ISC_MAGIC('D','a','c','l')
-#define DNS_ACL_VALID(a)	ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
-/*%<
- * Create a new ACL, including an IP table and an array with room
- * for 'n' ACL elements.  The elements are uninitialized and the
- * length is 0.
- */
-
-isc_result_t
-dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
-/*%<
- * Create a new ACL that matches everything.
- */
-
-isc_result_t
-dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
-/*%<
- * Create a new ACL that matches nothing.
- */
-
-isc_boolean_t
-dns_acl_isany(dns_acl_t *acl);
-/*%<
- * Test whether ACL is set to "{ any; }"
- */
-
-isc_boolean_t
-dns_acl_isnone(dns_acl_t *acl);
-/*%<
- * Test whether ACL is set to "{ none; }"
- */
-
-isc_result_t
-dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos);
-/*%<
- * Merge the contents of one ACL into another.  Call dns_iptable_merge()
- * for the IP tables, then concatenate the element arrays.
- *
- * If pos is set to false, then the nested ACL is to be negated.  This
- * means reverse the sense of each *positive* element or IP table node,
- * but leave negatives alone, so as to prevent a double-negative causing
- * an unexpected positive match in the parent ACL.
- */
-
-void
-dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
-/*%<
- * Attach to acl 'source'.
- *
- * Requires:
- *\li	'source' to be a valid acl.
- *\li	'target' to be non NULL and '*target' to be NULL.
- */
-
-void
-dns_acl_detach(dns_acl_t **aclp);
-/*%<
- * Detach the acl. On final detach the acl must not be linked on any
- * list.
- *
- * Requires:
- *\li	'*aclp' to be a valid acl.
- *
- * Insists:
- *\li	'*aclp' is not linked on final detach.
- */
-
-isc_boolean_t
-dns_acl_isinsecure(const dns_acl_t *a);
-/*%<
- * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
- * if it contains IP addresses other than those of the local host.
- * This is intended for applications such as printing warning
- * messages for suspect ACLs; it is not intended for making access
- * control decisions.  We make no guarantee that an ACL for which
- * this function returns #ISC_FALSE is safe.
- */
-
-isc_result_t
-dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
-/*%<
- * Initialize ACL environment, setting up localhost and localnets ACLs
- */
-
-void
-dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
-
-void
-dns_aclenv_destroy(dns_aclenv_t *env);
-
-isc_result_t
-dns_acl_match(const isc_netaddr_t *reqaddr,
-	      const dns_name_t *reqsigner,
-	      const dns_acl_t *acl,
-	      const dns_aclenv_t *env,
-	      int *match,
-	      const dns_aclelement_t **matchelt);
-/*%<
- * General, low-level ACL matching.  This is expected to
- * be useful even for weird stuff like the topology and sortlist statements.
- *
- * Match the address 'reqaddr', and optionally the key name 'reqsigner',
- * against 'acl'.  'reqsigner' may be NULL.
- *
- * If there is a match, '*match' will be set to an integer whose absolute
- * value corresponds to the order in which the matching value was inserted
- * into the ACL.  For a positive match, this value will be positive; for a
- * negative match, it will be negative.
- *
- * If there is no match, *match will be set to zero.
- *
- * If there is a match in the element list (either positive or negative)
- * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
- * element.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Always succeeds.
- */
-
-isc_boolean_t
-dns_aclelement_match(const isc_netaddr_t *reqaddr,
-		     const dns_name_t *reqsigner,
-		     const dns_aclelement_t *e,
-		     const dns_aclenv_t *env,
-		     const dns_aclelement_t **matchelt);
-/*%<
- * Like dns_acl_match, but matches against the single ACL element 'e'
- * rather than a complete ACL, and returns ISC_TRUE iff it matched.
- *
- * To determine whether the match was positive or negative, the
- * caller should examine e->negative.  Since the element 'e' may be
- * a reference to a named ACL or a nested ACL, a matching element
- * returned through 'matchelt' is not necessarily 'e' itself.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ACL_H */
diff --git a/contrib/bind9/lib/dns/include/dns/adb.h b/contrib/bind9/lib/dns/include/dns/adb.h
deleted file mode 100644
index a5a3124..0000000
--- a/contrib/bind9/lib/dns/include/dns/adb.h
+++ /dev/null
@@ -1,634 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: adb.h,v 1.88 2011/12/05 17:10:51 each Exp $ */
-
-#ifndef DNS_ADB_H
-#define DNS_ADB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/adb.h
- *\brief
- * DNS Address Database
- *
- * This module implements an address database (ADB) for mapping a name
- * to an isc_sockaddr_t. It also provides statistical information on
- * how good that address might be.
- *
- * A client will pass in a dns_name_t, and the ADB will walk through
- * the rdataset looking up addresses associated with the name.  If it
- * is found on the internal lists, a structure is filled in with the
- * address information and stats for found addresses.
- *
- * If the name cannot be found on the internal lists, a new entry will
- * be created for a name if all the information needed can be found
- * in the zone table or cache.  This new address will then be returned.
- *
- * If a request must be made to remote servers to satisfy a name lookup,
- * this module will start fetches to try to complete these addresses.  When
- * at least one more completes, an event is sent to the caller.  If none of
- * them resolve before the fetch times out, an event indicating this is
- * sent instead.
- *
- * Records are stored internally until a timer expires. The timer is the
- * smaller of the TTL or signature validity period.
- *
- * Lameness is stored per <qname,qtype> tuple, and this data hangs off each
- * address field.  When an address is marked lame for a given tuple the address
- * will not be returned to a caller.
- *
- *
- * MP:
- *
- *\li	The ADB takes care of all necessary locking.
- *
- *\li	Only the task which initiated the name lookup can cancel the lookup.
- *
- *
- * Security:
- *
- *\li	None, since all data stored is required to be pre-filtered.
- *	(Cache needs to be sane, fetches return bounds-checked and sanity-
- *       checked data, caller passes a good dns_name_t for the zone, etc)
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/sockaddr.h>
-
-#include <dns/types.h>
-#include <dns/view.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Magic number checks
- ***/
-
-#define DNS_ADBFIND_MAGIC	  ISC_MAGIC('a','d','b','H')
-#define DNS_ADBFIND_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBFIND_MAGIC)
-#define DNS_ADBADDRINFO_MAGIC	  ISC_MAGIC('a','d','A','I')
-#define DNS_ADBADDRINFO_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBADDRINFO_MAGIC)
-
-
-/***
- *** TYPES
- ***/
-
-typedef struct dns_adbname		dns_adbname_t;
-
-/*!
- *\brief
- * Represents a lookup for a single name.
- *
- * On return, the client can safely use "list", and can reorder the list.
- * Items may not be _deleted_ from this list, however, or added to it
- * other than by using the dns_adb_*() API.
- */
-struct dns_adbfind {
-	/* Public */
-	unsigned int			magic;		/*%< RO: magic */
-	dns_adbaddrinfolist_t		list;		/*%< RO: list of addrs */
-	unsigned int			query_pending;	/*%< RO: partial list */
-	unsigned int			partial_result;	/*%< RO: addrs missing */
-	unsigned int			options;	/*%< RO: options */
-	isc_result_t			result_v4;	/*%< RO: v4 result */
-	isc_result_t			result_v6;	/*%< RO: v6 result */
-	ISC_LINK(dns_adbfind_t)		publink;	/*%< RW: client use */
-
-	/* Private */
-	isc_mutex_t			lock;		/* locks all below */
-	in_port_t			port;
-	int				name_bucket;
-	unsigned int			flags;
-	dns_adbname_t		       *adbname;
-	dns_adb_t		       *adb;
-	isc_event_t			event;
-	ISC_LINK(dns_adbfind_t)		plink;
-};
-
-/*
- * _INET:
- * _INET6:
- *	return addresses of that type.
- *
- * _EMPTYEVENT:
- *	Only schedule an event if no addresses are known.
- *	Must set _WANTEVENT for this to be meaningful.
- *
- * _WANTEVENT:
- *	An event is desired.  Check this bit in the returned find to see
- *	if one will actually be generated.
- *
- * _AVOIDFETCHES:
- *	If set, fetches will not be generated unless no addresses are
- *	available in any of the address families requested.
- *
- * _STARTATZONE:
- *	Fetches will start using the closest zone data or use the root servers.
- *	This is useful for reestablishing glue that has expired.
- *
- * _GLUEOK:
- * _HINTOK:
- *	Glue or hints are ok.  These are used when matching names already
- *	in the adb, and when dns databases are searched.
- *
- * _RETURNLAME:
- *	Return lame servers in a find, so that all addresses are returned.
- *
- * _LAMEPRUNED:
- *	At least one address was omitted from the list because it was lame.
- *	This bit will NEVER be set if _RETURNLAME is set in the createfind().
- */
-/*% Return addresses of type INET. */
-#define DNS_ADBFIND_INET		0x00000001
-/*% Return addresses of type INET6. */
-#define DNS_ADBFIND_INET6		0x00000002
-#define DNS_ADBFIND_ADDRESSMASK		0x00000003
-/*%
- *      Only schedule an event if no addresses are known.
- *      Must set _WANTEVENT for this to be meaningful.
- */
-#define DNS_ADBFIND_EMPTYEVENT		0x00000004
-/*%
- *	An event is desired.  Check this bit in the returned find to see
- *	if one will actually be generated.
- */
-#define DNS_ADBFIND_WANTEVENT		0x00000008
-/*%
- *	If set, fetches will not be generated unless no addresses are
- *	available in any of the address families requested.
- */
-#define DNS_ADBFIND_AVOIDFETCHES	0x00000010
-/*%
- *	Fetches will start using the closest zone data or use the root servers.
- *	This is useful for reestablishing glue that has expired.
- */
-#define DNS_ADBFIND_STARTATZONE		0x00000020
-/*%
- *	Glue or hints are ok.  These are used when matching names already
- *	in the adb, and when dns databases are searched.
- */
-#define DNS_ADBFIND_GLUEOK		0x00000040
-/*%
- *	Glue or hints are ok.  These are used when matching names already
- *	in the adb, and when dns databases are searched.
- */
-#define DNS_ADBFIND_HINTOK		0x00000080
-/*%
- *	Return lame servers in a find, so that all addresses are returned.
- */
-#define DNS_ADBFIND_RETURNLAME		0x00000100
-/*%
- *      Only schedule an event if no addresses are known.
- *      Must set _WANTEVENT for this to be meaningful.
- */
-#define DNS_ADBFIND_LAMEPRUNED		0x00000200
-
-/*%
- * The answers to queries come back as a list of these.
- */
-struct dns_adbaddrinfo {
-	unsigned int			magic;		/*%< private */
-
-	isc_sockaddr_t			sockaddr;	/*%< [rw] */
-	unsigned int			srtt;		/*%< [rw] microseconds */
-	unsigned int			flags;		/*%< [rw] */
-	dns_adbentry_t		       *entry;		/*%< private */
-	ISC_LINK(dns_adbaddrinfo_t)	publink;
-};
-
-/*!<
- * The event sent to the caller task is just a plain old isc_event_t.  It
- * contains no data other than a simple status, passed in the "type" field
- * to indicate that another address resolved, or all partially resolved
- * addresses have failed to resolve.
- *
- * "sender" is the dns_adbfind_t used to issue this query.
- *
- * This is simply a standard event, with the "type" set to:
- *
- *\li	#DNS_EVENT_ADBMOREADDRESSES   -- another address resolved.
- *\li	#DNS_EVENT_ADBNOMOREADDRESSES -- all pending addresses failed,
- *					were canceled, or otherwise will
- *					not be usable.
- *\li	#DNS_EVENT_ADBCANCELED	     -- The request was canceled by a
- *					3rd party.
- *\li	#DNS_EVENT_ADBNAMEDELETED     -- The name was deleted, so this request
- *					was canceled.
- *
- * In each of these cases, the addresses returned by the initial call
- * to dns_adb_createfind() can still be used until they are no longer needed.
- */
-
-/****
- **** FUNCTIONS
- ****/
-
-
-isc_result_t
-dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *tmgr,
-	       isc_taskmgr_t *taskmgr, dns_adb_t **newadb);
-/*%<
- * Create a new ADB.
- *
- * Notes:
- *
- *\li	Generally, applications should not create an ADB directly, but
- *	should instead call dns_view_createresolver().
- *
- * Requires:
- *
- *\li	'mem' must be a valid memory context.
- *
- *\li	'view' be a pointer to a valid view.
- *
- *\li	'tmgr' be a pointer to a valid timer manager.
- *
- *\li	'taskmgr' be a pointer to a valid task manager.
- *
- *\li	'newadb' != NULL && '*newadb' == NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS	after happiness.
- *\li	#ISC_R_NOMEMORY	after resource allocation failure.
- */
-
-void
-dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbp);
-/*%
- * Attach to an 'adb' to 'adbp'.
- *
- * Requires:
- *\li	'adb' to be a valid dns_adb_t, created via dns_adb_create().
- *\li	'adbp' to be a valid pointer to a *dns_adb_t which is initialized
- *	to NULL.
- */
-
-void
-dns_adb_detach(dns_adb_t **adb);
-/*%
- * Delete the ADB. Sets *ADB to NULL. Cancels any outstanding requests.
- *
- * Requires:
- *
- *\li	'adb' be non-NULL and '*adb' be a valid dns_adb_t, created via
- *	dns_adb_create().
- */
-
-void
-dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp);
-/*%
- * Send '*eventp' to 'task' when 'adb' has shutdown.
- *
- * Requires:
- *
- *\li	'*adb' is a valid dns_adb_t.
- *
- *\li	eventp != NULL && *eventp is a valid event.
- *
- * Ensures:
- *
- *\li	*eventp == NULL
- *
- *\li	The event's sender field is set to the value of adb when the event
- *	is sent.
- */
-
-void
-dns_adb_shutdown(dns_adb_t *adb);
-/*%<
- * Shutdown 'adb'.
- *
- * Requires:
- *
- * \li	'*adb' is a valid dns_adb_t.
- */
-
-isc_result_t
-dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
-		   void *arg, dns_name_t *name, dns_name_t *qname,
-		   dns_rdatatype_t qtype, unsigned int options,
-		   isc_stdtime_t now, dns_name_t *target,
-		   in_port_t port, dns_adbfind_t **find);
-/*%<
- * Main interface for clients. The adb will look up the name given in
- * "name" and will build up a list of found addresses, and perhaps start
- * internal fetches to resolve names that are unknown currently.
- *
- * If other addresses resolve after this call completes, an event will
- * be sent to the <task, taskaction, arg> with the sender of that event
- * set to a pointer to the dns_adbfind_t returned by this function.
- *
- * If no events will be generated, the *find->result_v4 and/or result_v6
- * members may be examined for address lookup status.  The usual #ISC_R_SUCCESS,
- * #ISC_R_FAILURE, #DNS_R_NXDOMAIN, and #DNS_R_NXRRSET are returned, along with
- * #ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values.  In this
- * latter case, retrying may produce more addresses.
- *
- * If events will be returned, the result_v[46] members are only valid
- * when that event is actually returned.
- *
- * The list of addresses returned is unordered.  The caller must impose
- * any ordering required.  The list will not contain "known bad" addresses,
- * however.  For instance, it will not return hosts that are known to be
- * lame for the zone in question.
- *
- * The caller cannot (directly) modify the contents of the address list's
- * fields other than the "link" field.  All values can be read at any
- * time, however.
- *
- * The "now" parameter is used only for determining which entries that
- * have a specific time to live or expire time should be removed from
- * the running database.  If specified as zero, the current time will
- * be retrieved and used.
- *
- * If 'target' is not NULL and 'name' is an alias (i.e. the name is
- * CNAME'd or DNAME'd to another name), then 'target' will be updated with
- * the domain name that 'name' is aliased to.
- *
- * All addresses returned will have the sockaddr's port set to 'port.'
- * The caller may change them directly in the dns_adbaddrinfo_t since
- * they are copies of the internal address only.
- *
- * XXXMLG  Document options, especially the flags which control how
- *         events are sent.
- *
- * Requires:
- *
- *\li	*adb be a valid isc_adb_t object.
- *
- *\li	If events are to be sent, *task be a valid task,
- *	and isc_taskaction_t != NULL.
- *
- *\li	*name is a valid dns_name_t.
- *
- *\li	qname != NULL and *qname be a valid dns_name_t.
- *
- *\li	target == NULL or target is a valid name with a buffer.
- *
- *\li	find != NULL && *find == NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS	Addresses might have been returned, and events will be
- *			delivered for unresolved addresses.
- *\li	#ISC_R_NOMORE	Addresses might have been returned, but no events
- *			will ever be posted for this context.  This is only
- *			returned if task != NULL.
- *\li	#ISC_R_NOMEMORY	insufficient resources
- *\li	#DNS_R_ALIAS	'name' is an alias for another name.
- *
- * Calls, and returns error codes from:
- *
- *\li	isc_stdtime_get()
- *
- * Notes:
- *
- *\li	No internal reference to "name" exists after this function
- *	returns.
- */
-
-void
-dns_adb_cancelfind(dns_adbfind_t *find);
-/*%<
- * Cancels the find, and sends the event off to the caller.
- *
- * It is an error to call dns_adb_cancelfind() on a find where
- * no event is wanted, or will ever be sent.
- *
- * Note:
- *
- *\li	It is possible that the real completion event was posted just
- *	before the dns_adb_cancelfind() call was made.  In this case,
- *	dns_adb_cancelfind() will do nothing.  The event callback needs
- *	to be prepared to find this situation (i.e. result is valid but
- *	the caller expects it to be canceled).
- *
- * Requires:
- *
- *\li	'find' be a valid dns_adbfind_t pointer.
- *
- *\li	events would have been posted to the task.  This can be checked
- *	with (find->options & DNS_ADBFIND_WANTEVENT).
- *
- * Ensures:
- *
- *\li	The event was posted to the task.
- */
-
-void
-dns_adb_destroyfind(dns_adbfind_t **find);
-/*%<
- * Destroys the find reference.
- *
- * Note:
- *
- *\li	This can only be called after the event was delivered for a
- *	find.  Additionally, the event MUST have been freed via
- *	isc_event_free() BEFORE this function is called.
- *
- * Requires:
- *
- *\li	'find' != NULL and *find be valid dns_adbfind_t pointer.
- *
- * Ensures:
- *
- *\li	No "address found" events will be posted to the originating task
- *	after this function returns.
- */
-
-void
-dns_adb_dump(dns_adb_t *adb, FILE *f);
-/*%<
- * This function is only used for debugging.  It will dump as much of the
- * state of the running system as possible.
- *
- * Requires:
- *
- *\li	adb be valid.
- *
- *\li	f != NULL, and is a file open for writing.
- */
-
-void
-dns_adb_dumpfind(dns_adbfind_t *find, FILE *f);
-/*%<
- * This function is only used for debugging.  Dump the data associated
- * with a find.
- *
- * Requires:
- *
- *\li	find is valid.
- *
- * \li	f != NULL, and is a file open for writing.
- */
-
-isc_result_t
-dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *qname,
-		 dns_rdatatype_t type, isc_stdtime_t expire_time);
-/*%<
- * Mark the given address as lame for the <qname,qtype>.  expire_time should
- * be set to the time when the entry should expire.  That is, if it is to
- * expire 10 minutes in the future, it should set it to (now + 10 * 60).
- *
- * Requires:
- *
- *\li	adb be valid.
- *
- *\li	addr be valid.
- *
- *\li	qname be the qname used in the dns_adb_createfind() call.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		-- all is well.
- *\li	#ISC_R_NOMEMORY		-- could not mark address as lame.
- */
-
-/*
- * A reasonable default for RTT adjustments
- */
-#define DNS_ADB_RTTADJDEFAULT		7	/*%< default scale */
-#define DNS_ADB_RTTADJREPLACE		0	/*%< replace with our rtt */
-#define DNS_ADB_RTTADJAGE		10	/*%< age this rtt */
-
-void
-dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
-		   unsigned int rtt, unsigned int factor);
-/*%<
- * Mix the round trip time into the existing smoothed rtt.
-
- * The formula used
- * (where srtt is the existing rtt value, and rtt and factor are arguments to
- * this function):
- *
- *\code
- *	new_srtt = (old_srtt / 10 * factor) + (rtt / 10 * (10 - factor));
- *\endcode
- *
- * XXXRTH  Do we want to publish the formula?  What if we want to change how
- *         this works later on?  Recommend/require that the units are
- *	   microseconds?
- *
- * Requires:
- *
- *\li	adb be valid.
- *
- *\li	addr be valid.
- *
- *\li	0 <= factor <= 10
- *
- * Note:
- *
- *\li	The srtt in addr will be updated to reflect the new global
- *	srtt value.  This may include changes made by others.
- */
-
-void
-dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
-		    unsigned int bits, unsigned int mask);
-/*%
- * Change Flags.
- *
- * Set the flags as given by:
- *
- *\li	newflags = (oldflags & ~mask) | (bits & mask);
- *
- * Requires:
- *
- *\li	adb be valid.
- *
- *\li	addr be valid.
- */
-
-isc_result_t
-dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
-		     dns_adbaddrinfo_t **addrp, isc_stdtime_t now);
-/*%<
- * Return a dns_adbaddrinfo_t that is associated with address 'sa'.
- *
- * Requires:
- *
- *\li	adb is valid.
- *
- *\li	sa is valid.
- *
- *\li	addrp != NULL && *addrp == NULL
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_SHUTTINGDOWN
- */
-
-void
-dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp);
-/*%<
- * Free a dns_adbaddrinfo_t allocated by dns_adb_findaddrinfo().
- *
- * Requires:
- *
- *\li	adb is valid.
- *
- *\li	*addrp is a valid dns_adbaddrinfo_t *.
- */
-
-void
-dns_adb_flush(dns_adb_t *adb);
-/*%<
- * Flushes all cached data from the adb.
- *
- * Requires:
- *\li 	adb is valid.
- */
-
-void
-dns_adb_setadbsize(dns_adb_t *adb, size_t size);
-/*%<
- * Set a target memory size.  If memory usage exceeds the target
- * size entries will be removed before they would have expired on
- * a random basis.
- *
- * If 'size' is 0 then memory usage is unlimited.
- *
- * Requires:
- *\li	'adb' is valid.
- */
-
-void
-dns_adb_flushname(dns_adb_t *adb, dns_name_t *name);
-/*%<
- * Flush 'name' from the adb cache.
- *
- * Requires:
- *\li	'adb' is valid.
- *\li	'name' is valid.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ADB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/bit.h b/contrib/bind9/lib/dns/include/dns/bit.h
deleted file mode 100644
index 28c733d..0000000
--- a/contrib/bind9/lib/dns/include/dns/bit.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bit.h,v 1.14 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef DNS_BIT_H
-#define DNS_BIT_H 1
-
-/*! \file dns/bit.h */
-
-#include <isc/int.h>
-#include <isc/boolean.h>
-
-typedef isc_uint64_t dns_bitset_t;
-
-#define DNS_BIT_SET(bit, bitset) \
-     (*(bitset) |= ((dns_bitset_t)1 << (bit)))
-#define DNS_BIT_CLEAR(bit, bitset) \
-     (*(bitset) &= ~((dns_bitset_t)1 << (bit)))
-#define DNS_BIT_CHECK(bit, bitset) \
-     ISC_TF((*(bitset) & ((dns_bitset_t)1 << (bit))) \
-	    == ((dns_bitset_t)1 << (bit)))
-
-#endif /* DNS_BIT_H */
-
diff --git a/contrib/bind9/lib/dns/include/dns/byaddr.h b/contrib/bind9/lib/dns/include/dns/byaddr.h
deleted file mode 100644
index edf8430..0000000
--- a/contrib/bind9/lib/dns/include/dns/byaddr.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: byaddr.h,v 1.22 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef DNS_BYADDR_H
-#define DNS_BYADDR_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/byaddr.h
- * \brief
- * The byaddr module provides reverse lookup services for IPv4 and IPv6
- * addresses.
- *
- * MP:
- *\li	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	RFCs:	1034, 1035, 2181, TBS
- *\li	Drafts:	TBS
- */
-
-#include <isc/lang.h>
-#include <isc/event.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*%
- * A 'dns_byaddrevent_t' is returned when a byaddr completes.
- * The sender field will be set to the byaddr that completed.  If 'result'
- * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
- * with the address.  The recipient of the event must not change the list
- * and must not refer to any of the name data after the event is freed.
- */
-typedef struct dns_byaddrevent {
-	ISC_EVENT_COMMON(struct dns_byaddrevent);
-	isc_result_t			result;
-	dns_namelist_t			names;
-} dns_byaddrevent_t;
-
-/*
- * This option is deprecated since we now only consider nibbles.
-#define DNS_BYADDROPT_IPV6NIBBLE	0x0001
- */
-/*% Note DNS_BYADDROPT_IPV6NIBBLE is now deprecated. */
-#define DNS_BYADDROPT_IPV6INT		0x0002
-
-isc_result_t
-dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
-		  unsigned int options, isc_task_t *task,
-		  isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp);
-/*%<
- * Find the domain name of 'address'.
- *
- * Notes:
- *
- *\li	There is a reverse lookup format for IPv6 addresses, 'nibble'
- *
- *\li	The 'nibble' format for that address is
- *
- * \code
- *   1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
- * \endcode
- *
- *\li	#DNS_BYADDROPT_IPV6INT can be used to get nibble lookups under ip6.int.
- *
- * Requires:
- *
- *\li	'mctx' is a valid mctx.
- *
- *\li	'address' is a valid IPv4 or IPv6 address.
- *
- *\li	'view' is a valid view which has a resolver.
- *
- *\li	'task' is a valid task.
- *
- *\li	byaddrp != NULL && *byaddrp == NULL
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *
- *\li	Any resolver-related error (e.g. #ISC_R_SHUTTINGDOWN) may also be
- *	returned.
- */
-
-void
-dns_byaddr_cancel(dns_byaddr_t *byaddr);
-/*%<
- * Cancel 'byaddr'.
- *
- * Notes:
- *
- *\li	If 'byaddr' has not completed, post its #DNS_EVENT_BYADDRDONE
- *	event with a result code of #ISC_R_CANCELED.
- *
- * Requires:
- *
- *\li	'byaddr' is a valid byaddr.
- */
-
-void
-dns_byaddr_destroy(dns_byaddr_t **byaddrp);
-/*%<
- * Destroy 'byaddr'.
- *
- * Requires:
- *
- *\li	'*byaddrp' is a valid byaddr.
- *
- *\li	The caller has received the #DNS_EVENT_BYADDRDONE event (either because
- *	the byaddr completed or because dns_byaddr_cancel() was called).
- *
- * Ensures:
- *
- *\li	*byaddrp == NULL.
- */
-
-isc_result_t
-dns_byaddr_createptrname(isc_netaddr_t *address, isc_boolean_t nibble,
-			 dns_name_t *name);
-
-isc_result_t
-dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
-			  dns_name_t *name);
-/*%<
- * Creates a name that would be used in a PTR query for this address.  The
- * nibble flag indicates that the 'nibble' format is to be used if an IPv6
- * address is provided, instead of the 'bitstring' format.  Since we dropped
- * the support of the bitstring labels, it is expected that the flag is always
- * set.  'options' are the same as for dns_byaddr_create().
- *
- * Requires:
- * 
- * \li	'address' is a valid address.
- * \li	'name' is a valid name with a dedicated buffer.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_BYADDR_H */
diff --git a/contrib/bind9/lib/dns/include/dns/cache.h b/contrib/bind9/lib/dns/include/dns/cache.h
deleted file mode 100644
index f7140aa..0000000
--- a/contrib/bind9/lib/dns/include/dns/cache.h
+++ /dev/null
@@ -1,311 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cache.h,v 1.32 2011/08/02 23:47:52 tbox Exp $ */
-
-#ifndef DNS_CACHE_H
-#define DNS_CACHE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/cache.h
- * \brief
- * Defines dns_cache_t, the cache object.
- *
- * Notes:
- *\li 	A cache object contains DNS data of a single class.
- *	Multiple classes will be handled by creating multiple
- *	views, each with a different class and its own cache.
- *
- * MP:
- *\li	See notes at the individual functions.
- *
- * Reliability:
- *
- * Resources:
- *
- * Security:
- *
- * Standards:
- */
-
-/***
- ***	Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- ***	Functions
- ***/
-
-isc_result_t
-dns_cache_create(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr,
-		 isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
-		 const char *db_type, unsigned int db_argc, char **db_argv,
-		 dns_cache_t **cachep);
-isc_result_t
-dns_cache_create2(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr,
-		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
-		  const char *cachename, const char *db_type,
-		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep);
-isc_result_t
-dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
-		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
-		  const char *cachename, const char *db_type,
-		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep);
-/*%<
- * Create a new DNS cache.
- *
- * dns_cache_create2() will create a named cache.
- *
- * dns_cache_create3() will create a named cache using two separate memory
- * contexts, one for cache data which can be cleaned and a separate one for
- * memory allocated for the heap (which can grow without an upper limit and
- * has no mechanism for shrinking).
- *
- * dns_cache_create() is a backward compatible version that internally
- * specifies an empty cache name and a single memory context.
- *
- * Requires:
- *
- *\li	'cmctx' (and 'hmctx' if applicable) is a valid memory context.
- *
- *\li	'taskmgr' is a valid task manager and 'timermgr' is a valid timer
- * 	manager, or both are NULL.  If NULL, no periodic cleaning of the
- * 	cache will take place.
- *
- *\li	'cachename' is a valid string.  This must not be NULL.
- *
- *\li	'cachep' is a valid pointer, and *cachep == NULL
- *
- * Ensures:
- *
- *\li	'*cachep' is attached to the newly created cache
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-void
-dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp);
-/*%<
- * Attach *targetp to cache.
- *
- * Requires:
- *
- *\li	'cache' is a valid cache.
- *
- *\li	'targetp' points to a NULL dns_cache_t *.
- *
- * Ensures:
- *
- *\li	*targetp is attached to cache.
- */
-
-void
-dns_cache_detach(dns_cache_t **cachep);
-/*%<
- * Detach *cachep from its cache.
- *
- * Requires:
- *
- *\li	'cachep' points to a valid cache.
- *
- * Ensures:
- *
- *\li	*cachep is NULL.
- *
- *\li	If '*cachep' is the last reference to the cache,
- *		all resources used by the cache will be freed
- */
-
-void
-dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
-/*%<
- * Attach *dbp to the cache's database.
- *
- * Notes:
- *
- *\li	This may be used to get a reference to the database for
- *	the purpose of cache lookups (XXX currently it is also
- * 	the way to add data to the cache, but having a
- * 	separate dns_cache_add() interface instead would allow
- * 	more control over memory usage).
- *	The caller should call dns_db_detach() on the reference
- *	when it is no longer needed.
- *
- * Requires:
- *
- *\li	'cache' is a valid cache.
- *
- *\li	'dbp' points to a NULL dns_db *.
- *
- * Ensures:
- *
- *\li	*dbp is attached to the database.
- */
-
-
-isc_result_t
-dns_cache_setfilename(dns_cache_t *cache, const char *filename);
-/*%<
- * If 'filename' is non-NULL, make the cache persistent.
- * The cache's data will be stored in the given file.
- * If 'filename' is NULL, make the cache non-persistent.
- * Files that are no longer used are not unlinked automatically.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	Various file-related failures
- */
-
-isc_result_t
-dns_cache_load(dns_cache_t *cache);
-/*%<
- * If the cache has a file name, load the cache contents from the file.
- * Previous cache contents are not discarded.
- * If no file name has been set, do nothing and return success.
- *
- * MT:
- *\li	Multiple simultaneous attempts to load or dump the cache
- * 	will be serialized with respect to one another, but
- *	the cache may be read and updated while the dump is
- *	in progress.  Updates performed during loading
- *	may or may not be preserved, and reads may return
- * 	either the old or the newly loaded data.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *  \li    Various failures depending on the database implementation type
- */
-
-isc_result_t
-dns_cache_dump(dns_cache_t *cache);
-/*%<
- * If the cache has a file name, write the cache contents to disk,
- * overwriting any preexisting file.  If no file name has been set,
- * do nothing and return success.
- *
- * MT:
- *\li	Multiple simultaneous attempts to load or dump the cache
- * 	will be serialized with respect to one another, but
- *	the cache may be read and updated while the dump is
- *	in progress.  Updates performed during the dump may
- * 	or may not be reflected in the dumped file.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *  \li    Various failures depending on the database implementation type
- */
-
-isc_result_t
-dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now);
-/*%<
- * Force immediate cleaning of the cache, freeing all rdatasets
- * whose TTL has expired as of 'now' and that have no pending
- * references.
- */
-
-void
-dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int interval);
-/*%<
- * Set the periodic cache cleaning interval to 'interval' seconds.
- */
-
-unsigned int
-dns_cache_getcleaninginterval(dns_cache_t *cache);
-/*%<
- * Get the periodic cache cleaning interval to 'interval' seconds.
- */
-
-const char *
-dns_cache_getname(dns_cache_t *cache);
-/*%<
- * Get the cache name.
- */
-
-void
-dns_cache_setcachesize(dns_cache_t *cache, size_t size);
-/*%<
- * Set the maximum cache size.  0 means unlimited.
- */
-
-size_t
-dns_cache_getcachesize(dns_cache_t *cache);
-/*%<
- * Get the maximum cache size.
- */
-
-isc_result_t
-dns_cache_flush(dns_cache_t *cache);
-/*%<
- * Flushes all data from the cache.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_cache_flushnode(dns_cache_t *cache, dns_name_t *name,
-		    isc_boolean_t tree);
-/*
- * Flush a given name from the cache.  If 'tree' is true, then
- * also flush all names under 'name'.
- *
- * Requires:
- *\li	'cache' to be valid.
- *\li	'name' to be valid.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	other error returns.
- */
-
-isc_result_t
-dns_cache_flushname(dns_cache_t *cache, dns_name_t *name);
-/*
- * Flush a given name from the cache.  Equivalent to
- * dns_cache_flushpartial(cache, name, ISC_FALSE).
- *
- * Requires:
- *\li	'cache' to be valid.
- *\li	'name' to be valid.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	other error returns.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_CACHE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/callbacks.h b/contrib/bind9/lib/dns/include/dns/callbacks.h
deleted file mode 100644
index 5e9cb71..0000000
--- a/contrib/bind9/lib/dns/include/dns/callbacks.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: callbacks.h,v 1.26 2011/12/09 23:47:05 tbox Exp $ */
-
-#ifndef DNS_CALLBACKS_H
-#define DNS_CALLBACKS_H 1
-
-/*! \file dns/callbacks.h */
-
-/***
- ***	Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- ***	Types
- ***/
-
-struct dns_rdatacallbacks {
-	/*%
-	 * dns_load_master calls this when it has rdatasets to commit.
-	 */
-	dns_addrdatasetfunc_t add;
-
-	/*%
-	 * dns_master_load*() call this when loading a raw zonefile,
-	 * to pass back information obtained from the file header
-	 */
-	dns_rawdatafunc_t rawdata;
-	dns_zone_t *zone;
-
-	/*%
-	 * dns_load_master / dns_rdata_fromtext call this to issue a error.
-	 */
-	void	(*error)(struct dns_rdatacallbacks *, const char *, ...);
-	/*%
-	 * dns_load_master / dns_rdata_fromtext call this to issue a warning.
-	 */
-	void	(*warn)(struct dns_rdatacallbacks *, const char *, ...);
-	/*%
-	 * Private data handles for use by the above callback functions.
-	 */
-	void	*add_private;
-	void	*error_private;
-	void	*warn_private;
-};
-
-/***
- ***	Initialization
- ***/
-
-void
-dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
-/*%<
- * Initialize 'callbacks'.
- *
- *
- * \li	'error' and 'warn' are set to default callbacks that print the
- *	error message through the DNS library log context.
- *
- *\li	All other elements are initialized to NULL.
- *
- * Requires:
- *  \li    'callbacks' is a valid dns_rdatacallbacks_t,
- */
-
-void
-dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks);
-/*%<
- * Like dns_rdatacallbacks_init, but logs to stdio.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_CALLBACKS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/cert.h b/contrib/bind9/lib/dns/include/dns/cert.h
deleted file mode 100644
index 1cda848..0000000
--- a/contrib/bind9/lib/dns/include/dns/cert.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cert.h,v 1.19 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef DNS_CERT_H
-#define DNS_CERT_H 1
-
-/*! \file dns/cert.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
-/*%<
- * Convert the text 'source' refers to into a certificate type.
- * The text may contain either a mnemonic type name or a decimal type number.
- *
- * Requires:
- *\li	'certp' is a valid pointer.
- *
- *\li	'source' is a valid text region.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#ISC_R_RANGE			numeric type is out of range
- *\li	#DNS_R_UNKNOWN			mnemonic type is unknown
- */
-
-isc_result_t
-dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
-/*%<
- * Put a textual representation of certificate type 'cert' into 'target'.
- *
- * Requires:
- *\li	'cert' is a valid cert.
- *
- *\li	'target' is a valid text buffer.
- *
- * Ensures:
- *\li	If the result is success:
- *		The used space in 'target' is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#ISC_R_NOSPACE			target buffer is too small
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_CERT_H */
diff --git a/contrib/bind9/lib/dns/include/dns/client.h b/contrib/bind9/lib/dns/include/dns/client.h
deleted file mode 100644
index d21dff7..0000000
--- a/contrib/bind9/lib/dns/include/dns/client.h
+++ /dev/null
@@ -1,621 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: client.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-#ifndef DNS_CLIENT_H
-#define DNS_CLIENT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- *
- * \brief
- * The DNS client module provides convenient programming interfaces to various
- * DNS services, such as name resolution with or without DNSSEC validation or
- * dynamic DNS update.  This module is primarily expected to be used by other
- * applications than BIND9-related ones that need such advanced DNS features.
- *
- * MP:
- *\li	In the typical usage of this module, application threads will not share
- *	the same data structures created and manipulated in this module.
- *	However, the module still ensures appropriate synchronization of such
- *	data structures.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	This module does not handle any low-level data directly, and so no
- *	security issue specific to this module is anticipated.
- */
-
-#include <isc/event.h>
-#include <isc/sockaddr.h>
-
-#include <dns/tsig.h>
-#include <dns/types.h>
-
-#include <dst/dst.h>
-
-typedef enum {
-	updateop_none = 0,
-	updateop_add = 1,
-	updateop_delete = 2,
-	updateop_exist = 3,
-	updateop_notexist = 4,
-	updateop_max = 5
-} dns_client_updateop_t;
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-/*%
- * Optional flags for dns_client_create(x).
- */
-/*%< Enable caching resolution results (experimental). */
-#define DNS_CLIENTCREATEOPT_USECACHE	0x8000
-
-/*%
- * Optional flags for dns_client_(start)resolve.
- */
-/*%< Disable DNSSEC validation. */
-#define DNS_CLIENTRESOPT_NODNSSEC	0x01
-/*%< Allow running external context. */
-#define DNS_CLIENTRESOPT_ALLOWRUN	0x02
-
-/*%
- * Optional flags for dns_client_(start)request.
- */
-/*%< Allow running external context. */
-#define DNS_CLIENTREQOPT_ALLOWRUN	0x01
-
-/*%
- * A dns_clientresevent_t is sent when name resolution performed by a client
- * completes.  'result' stores the result code of the entire resolution
- * procedure.  'vresult' specifically stores the result code of DNSSEC
- * validation if it is performed.  When name resolution successfully completes,
- * 'answerlist' is typically non empty, containing answer names along with
- * RRsets.  It is the receiver's responsibility to free this list by calling
- * dns_client_freeresanswer() before freeing the event structure.
- */
-typedef struct dns_clientresevent {
-	ISC_EVENT_COMMON(struct dns_clientresevent);
-	isc_result_t	result;
-	isc_result_t	vresult;
-	dns_namelist_t	answerlist;
-} dns_clientresevent_t;		/* too long? */
-
-/*%
- * Status of a dynamic update procedure.
- */
-typedef enum {
-	dns_clientupdatestate_prepare,	/*%< no updates have been sent */
-	dns_clientupdatestate_sent,	/*%< updates were sent, no response */
-	dns_clientupdatestate_done	/*%< update was sent and succeeded */
-} dns_clientupdatestate_t;
-
-/*%
- * A dns_clientreqevent_t is sent when a DNS request is completed by a client.
- * 'result' stores the result code of the entire transaction.
- * If the transaction is successfully completed but the response packet cannot
- * be parsed, 'result' will store the result code of dns_message_parse().
- * If the response packet is received, 'rmessage' will contain the response
- * message, whether it is successfully parsed or not.
- */
-typedef struct dns_clientreqevent {
-	ISC_EVENT_COMMON(struct dns_clientreqevent);
-	isc_result_t	result;
-	dns_message_t	*rmessage;
-} dns_clientreqevent_t;		/* too long? */
-
-/*%
- * A dns_clientupdateevent_t is sent when dynamic update performed by a client
- * completes.  'result' stores the result code of the entire update procedure.
- * 'state' specifies the status of the update procedure when this event is
- * sent.  This can be used as a hint by the receiver to determine whether
- * the update attempt was ever made.  In particular, if the state is
- * dns_clientupdatestate_prepare, the receiver can be sure that the requested
- * update was not applied.
- */
-typedef struct dns_clientupdateevent {
-	ISC_EVENT_COMMON(struct dns_clientupdateevent);
-	isc_result_t		result;
-	dns_clientupdatestate_t	state;
-} dns_clientupdateevent_t;	/* too long? */
-
-isc_result_t
-dns_client_create(dns_client_t **clientp, unsigned int options);
-
-isc_result_t
-dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
-		   isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
-		   unsigned int options, dns_client_t **clientp);
-/*%<
- * Create a DNS client.  These functions create a new client object with
- * minimal internal resources such as the default 'view' for the IN class and
- * IPv4/IPv6 dispatches for the view.
- *
- * dns_client_createx() takes 'manager' arguments so that the caller can
- * control the behavior of the client through the underlying event framework.
- * On the other hand, dns_client_create() simplifies the interface and creates
- * the managers internally.  A DNS client object created via
- * dns_client_create() is expected to be used by an application that only needs
- * simple synchronous services or by a thread-based application.
- *
- * If the DNS_CLIENTCREATEOPT_USECACHE flag is set in 'options',
- * dns_client_create(x) will create a cache database with the view.
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	'actx' is a valid application context.
- *
- *\li	'taskmgr' is a valid task manager.
- *
- *\li	'socketmgr' is a valid socket manager.
- *
- *\li	'timermgr' is a valid timer manager.
- *
- *\li	clientp != NULL && *clientp == NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				On success.
- *
- *\li	Anything else				Failure.
- */
-
-void
-dns_client_destroy(dns_client_t **clientp);
-/*%<
- * Destroy 'client'.
- *
- * Requires:
- *
- *\li	'*clientp' is a valid client.
- *
- * Ensures:
- *
- *\li	*clientp == NULL.
- */
-
-isc_result_t
-dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
-		      dns_name_t *namespace, isc_sockaddrlist_t *addrs);
-/*%<
- * Specify a list of addresses of recursive name servers that the client will
- * use for name resolution.  A view for the 'rdclass' class must be created
- * beforehand.  If 'namespace' is non NULL, the specified server will be used
- * if and only if the query name is a subdomain of 'namespace'.  When servers
- * for multiple 'namespace's are provided, and a query name is covered by
- * more than one 'namespace', the servers for the best (longest) matching
- * namespace will be used.  If 'namespace' is NULL, it works as if
- * dns_rootname (.) were specified.
- *
- * Requires:
- *
- *\li	'client' is a valid client.
- *
- *\li	'namespace' is NULL or a valid name.
- *
- *\li	'addrs' != NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				On success.
- *
- *\li	Anything else				Failure.
- */
-
-isc_result_t
-dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
-			dns_name_t *namespace);
-/*%<
- * Remove configured recursive name servers for the 'rdclass' and 'namespace'
- * from the client.  See the description of dns_client_setservers() for
- * the requirements about 'rdclass' and 'namespace'.
- *
- * Requires:
- *
- *\li	'client' is a valid client.
- *
- *\li	'namespace' is NULL or a valid name.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				On success.
- *
- *\li	Anything else				Failure.
- */
-
-isc_result_t
-dns_client_resolve(dns_client_t *client, dns_name_t *name,
-		   dns_rdataclass_t rdclass, dns_rdatatype_t type,
-		   unsigned int options, dns_namelist_t *namelist);
-
-isc_result_t
-dns_client_startresolve(dns_client_t *client, dns_name_t *name,
-			dns_rdataclass_t rdclass, dns_rdatatype_t type,
-			unsigned int options, isc_task_t *task,
-			isc_taskaction_t action, void *arg,
-			dns_clientrestrans_t **transp);
-/*%<
- * Perform name resolution for 'name', 'rdclass', and 'type'.
- *
- * If any trusted keys are configured and the query name is considered to
- * belong to a secure zone, these functions also validate the responses
- * using DNSSEC by default.  If the DNS_CLIENTRESOPT_NODNSSEC flag is set
- * in 'options', DNSSEC validation is disabled regardless of the configured
- * trusted keys or the query name.
- *
- * dns_client_resolve() provides a synchronous service.  This function starts
- * name resolution internally and blocks until it completes.  On success,
- * 'namelist' will contain a list of answer names, each of which has
- * corresponding RRsets.  The caller must provide a valid empty list, and
- * is responsible for freeing the list content via dns_client_freeresanswer().
- * If the name resolution fails due to an error in DNSSEC validation,
- * dns_client_resolve() returns the result code indicating the validation
- * error. Otherwise, it returns the result code of the entire resolution
- * process, either success or failure.
- *
- * It is typically expected that the client object passed to
- * dns_client_resolve() was created via dns_client_create() and has its own
- * managers and contexts.  However, if the DNS_CLIENTRESOPT_ALLOWRUN flag is
- * set in 'options', this function performs the synchronous service even if
- * it does not have its own manager and context structures.
- *
- * dns_client_startresolve() is an asynchronous version of dns_client_resolve()
- * and does not block.  When name resolution is completed, 'action' will be
- * called with the argument of a 'dns_clientresevent_t' object, which contains
- * the resulting list of answer names (on success).  On return, '*transp' is
- * set to an opaque transaction ID so that the caller can cancel this
- * resolution process.
- *
- * Requires:
- *
- *\li	'client' is a valid client.
- *
- *\li	'addrs' != NULL.
- *
- *\li	'name' is a valid name.
- *
- *\li	'namelist' != NULL and is not empty.
- *
- *\li	'task' is a valid task.
- *
- *\li	'transp' != NULL && *transp == NULL;
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				On success.
- *
- *\li	Anything else				Failure.
- */
-
-void
-dns_client_cancelresolve(dns_clientrestrans_t *trans);
-/*%<
- * Cancel an ongoing resolution procedure started via
- * dns_client_startresolve().
- *
- * Notes:
- *
- *\li	If the resolution procedure has not completed, post its CLIENTRESDONE
- *	event with a result code of #ISC_R_CANCELED.
- *
- * Requires:
- *
- *\li	'trans' is a valid transaction ID.
- */
-
-void
-dns_client_destroyrestrans(dns_clientrestrans_t **transp);
-/*%<
- * Destroy name resolution transaction state identified by '*transp'.
- *
- * Requires:
- *
- *\li	'*transp' is a valid transaction ID.
- *
- *\li	The caller has received the CLIENTRESDONE event (either because the
- *	resolution completed or because dns_client_cancelresolve() was called).
- *
- * Ensures:
- *
- *\li	*transp == NULL.
- */
-
-void
-dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist);
-/*%<
- * Free resources allocated for the content of 'namelist'.
- *
- * Requires:
- *
- *\li	'client' is a valid client.
- *
- *\li	'namelist' != NULL.
- */
-
-isc_result_t
-dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
-			 dns_name_t *keyname, isc_buffer_t *keydatabuf);
-/*%<
- * Add a DNSSEC trusted key for the 'rdclass' class.  A view for the 'rdclass'
- * class must be created beforehand.  'keyname' is the DNS name of the key,
- * and 'keydatabuf' stores the resource data of the key.
- *
- * Requires:
- *
- *\li	'client' is a valid client.
- *
- *\li	'keyname' is a valid name.
- *
- *\li	'keydatabuf' is a valid buffer.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				On success.
- *
- *\li	Anything else				Failure.
- */
-
-isc_result_t
-dns_client_request(dns_client_t *client, dns_message_t *qmessage,
-		   dns_message_t *rmessage, isc_sockaddr_t *server,
-		   unsigned int options, unsigned int parseoptions,
-		   dns_tsec_t *tsec, unsigned int timeout,
-		   unsigned int udptimeout, unsigned int udpretries);
-
-isc_result_t
-dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
-			dns_message_t *rmessage, isc_sockaddr_t *server,
-			unsigned int options, unsigned int parseoptions,
-			dns_tsec_t *tsec, unsigned int timeout,
-			unsigned int udptimeout, unsigned int udpretries,
-			isc_task_t *task, isc_taskaction_t action, void *arg,
-			dns_clientreqtrans_t **transp);
-
-/*%<
- * Send a DNS request containig a query message 'query' to 'server'.
- *
- * 'parseoptions' will be used when the response packet is parsed, and will be
- * passed to dns_message_parse() via dns_request_getresponse().  See
- * dns_message_parse() for more details.
- *
- * 'tsec' is a transaction security object containing, e.g. a TSIG key for
- * authenticating the request/response transaction.  This is optional and can
- * be NULL, in which case this library performs the transaction  without any
- * transaction authentication.
- *
- * 'timeout', 'udptimeout', and 'udpretries' are passed to
- * dns_request_createvia3().  See dns_request_createvia3() for more details.
- *
- * dns_client_request() provides a synchronous service.  This function sends
- * the request and blocks until a response is received.  On success,
- * 'rmessage' will contain the response message.  The caller must provide a
- * valid initialized message.
- *
- * It is usually expected that the client object passed to
- * dns_client_request() was created via dns_client_create() and has its own
- * managers and contexts.  However, if the DNS_CLIENTREQOPT_ALLOWRUN flag is
- * set in 'options', this function performs the synchronous service even if
- * it does not have its own manager and context structures.
- *
- * dns_client_startrequest() is an asynchronous version of dns_client_request()
- * and does not block.  When the transaction is completed, 'action' will be
- * called with the argument of a 'dns_clientreqevent_t' object, which contains
- * the response message (on success).  On return, '*transp' is set to an opaque
- * transaction ID so that the caller can cancel this request.
- *
- * Requires:
- *
- *\li	'client' is a valid client.
- *
- *\li	'qmessage' and 'rmessage' are valid initialized message.
- *
- *\li	'server' is a valid socket address structure.
- *
- *\li	'task' is a valid task.
- *
- *\li	'transp' != NULL && *transp == NULL;
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				On success.
- *
- *\li	Anything else				Failure.
- *
- *\li	Any result that dns_message_parse() can return.
- */
-
-void
-dns_client_cancelrequest(dns_clientreqtrans_t *transp);
-/*%<
- * Cancel an ongoing DNS request procedure started via
- * dns_client_startrequest().
- *
- * Notes:
- *
- *\li	If the request procedure has not completed, post its CLIENTREQDONE
- *	event with a result code of #ISC_R_CANCELED.
- *
- * Requires:
- *
- *\li	'trans' is a valid transaction ID.
- */
-
-void
-dns_client_destroyreqtrans(dns_clientreqtrans_t **transp);
-/*%
- * Destroy DNS request transaction state identified by '*transp'.
- *
- * Requires:
- *
- *\li	'*transp' is a valid transaction ID.
- *
- *\li	The caller has received the CLIENTREQDONE event (either because the
- *	request completed or because dns_client_cancelrequest() was called).
- *
- * Ensures:
- *
- *\li	*transp == NULL.
- */
-
-isc_result_t
-dns_client_update(dns_client_t *client, dns_rdataclass_t rdclass,
-		  dns_name_t *zonename, dns_namelist_t *prerequisites,
-		  dns_namelist_t *updates, isc_sockaddrlist_t *servers,
-		  dns_tsec_t *tsec, unsigned int options);
-
-isc_result_t
-dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
-		       dns_name_t *zonename, dns_namelist_t *prerequisites,
-		       dns_namelist_t *updates, isc_sockaddrlist_t *servers,
-		       dns_tsec_t *tsec, unsigned int options,
-		       isc_task_t *task, isc_taskaction_t action, void *arg,
-		       dns_clientupdatetrans_t **transp);
-/*%<
- * Perform DNS dynamic update for 'updates' of the 'rdclass' class with
- * optional 'prerequisites'.
- *
- * 'updates' are a list of names with associated RRsets to be updated.
- *
- * 'prerequisites' are a list of names with associated RRsets corresponding to
- * the prerequisites of the updates.  This is optional and can be NULL, in
- * which case the prerequisite section of the update message will be empty.
- *
- * Both 'updates' and 'prerequisites' must be constructed as specified in
- * RFC2136.
- *
- * 'zonename' is the name of the zone in which the updated names exist.
- * This is optional and can be NULL.  In this case, these functions internally
- * identify the appropriate zone through some queries for the SOA RR starting
- * with the first name in prerequisites or updates.
- *
- * 'servers' is a list of authoritative servers to which the update message
- * should be sent.  This is optional and can be NULL.  In this case, these
- * functions internally identify the appropriate primary server name and its
- * addresses through some queries for the SOA RR (like the case of zonename)
- * and supplemental A/AAAA queries for the server name.
- * Note: The client module generally assumes the given addresses are of the
- * primary server of the corresponding zone.  It will work even if a secondary
- * server address is specified as long as the server allows update forwarding,
- * it is generally discouraged to include secondary server addresses unless
- * there's strong reason to do so.
- *
- * 'tsec' is a transaction security object containing, e.g. a TSIG key for
- * authenticating the update transaction (and the supplemental query/response
- * transactions if the server is specified).  This is optional and can be
- * NULL, in which case the library tries the update without any transaction
- * authentication.
- *
- * dns_client_update() provides a synchronous service.  This function blocks
- * until the entire update procedure completes, including the additional
- * queries when necessary.
- *
- * dns_client_startupdate() is an asynchronous version of dns_client_update().
- * It immediately returns (typically with *transp being set to a non-NULL
- * pointer), and performs the update procedure through a set of internal
- * events.  All transactions including the additional query exchanges are
- * performed as a separate event, so none of these events cause blocking
- * operation.  When the update procedure completes, the specified function
- * 'action' will be called with the argument of a 'dns_clientupdateevent_t'
- * structure.  On return, '*transp' is set to an opaque transaction ID so that
- * the caller can cancel this update process.
- *
- * Notes:
- *\li	No options are currently defined.
- *
- * Requires:
- *
- *\li	'client' is a valid client.
- *
- *\li	'updates' != NULL.
- *
- *\li	'task' is a valid task.
- *
- *\li	'transp' != NULL && *transp == NULL;
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				On success.
- *
- *\li	Anything else				Failure.
- */
-
-void
-dns_client_cancelupdate(dns_clientupdatetrans_t *trans);
-/*%<
- * Cancel an ongoing dynamic update procedure started via
- * dns_client_startupdate().
- *
- * Notes:
- *
- *\li	If the update procedure has not completed, post its UPDATEDONE
- *	event with a result code of #ISC_R_CANCELED.
- *
- * Requires:
- *
- *\li	'trans' is a valid transaction ID.
- */
-
-void
-dns_client_destroyupdatetrans(dns_clientupdatetrans_t **transp);
-/*%<
- * Destroy dynamic update transaction identified by '*transp'.
- *
- * Requires:
- *
- *\li	'*transp' is a valid transaction ID.
- *
- *\li	The caller has received the UPDATEDONE event (either because the
- *	update completed or because dns_client_cancelupdate() was called).
- *
- * Ensures:
- *
- *\li	*transp == NULL.
- */
-
-isc_result_t
-dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
-		     dns_rdatatype_t type, dns_rdata_t *source,
-		     dns_ttl_t ttl, dns_name_t *target,
-		     dns_rdataset_t *rdataset, dns_rdatalist_t *rdatalist,
-		     dns_rdata_t *rdata, isc_mem_t *mctx);
-/*%<
- * TBD
- */
-
-void
-dns_client_freeupdate(dns_name_t **namep);
-/*%<
- * TBD
- */
-
-isc_mem_t *
-dns_client_mctx(dns_client_t *client);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_CLIENT_H */
diff --git a/contrib/bind9/lib/dns/include/dns/clientinfo.h b/contrib/bind9/lib/dns/include/dns/clientinfo.h
deleted file mode 100644
index 4f2b89c..0000000
--- a/contrib/bind9/lib/dns/include/dns/clientinfo.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: clientinfo.h,v 1.3 2011/10/11 23:46:45 tbox Exp $ */
-
-#ifndef DNS_CLIENTINFO_H
-#define DNS_CLIENTINFO_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/clientinfo.h
- * \brief
- * The DNS clientinfo interface allows libdns to retrieve information
- * about the client from the caller.
- *
- * The clientinfo interface is used by the DNS DB and DLZ interfaces;
- * it allows databases to modify their answers on the basis of information
- * about the client, such as source IP address.
- *
- * dns_clientinfo_t contains a pointer to an opaque structure containing
- * client information in some form.  dns_clientinfomethods_t contains a
- * list of methods which operate on that opaque structure to return
- * potentially useful data.  Both structures also contain versioning
- * information.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/sockaddr.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types
- *****/
-
-#define DNS_CLIENTINFO_VERSION 1
-typedef struct dns_clientinfo {
-	isc_uint16_t version;
-	void *data;
-} dns_clientinfo_t;
-
-typedef isc_result_t (*dns_clientinfo_sourceip_t)(dns_clientinfo_t *client,
-						  isc_sockaddr_t **addrp);
-
-#define DNS_CLIENTINFOMETHODS_VERSION 1
-#define DNS_CLIENTINFOMETHODS_AGE 0
-
-typedef struct dns_clientinfomethods {
-	isc_uint16_t version;
-	isc_uint16_t age;
-	dns_clientinfo_sourceip_t sourceip;
-} dns_clientinfomethods_t;
-
-/*****
- ***** Methods
- *****/
-void
-dns_clientinfomethods_init(dns_clientinfomethods_t *methods,
-			   dns_clientinfo_sourceip_t sourceip);
-
-void
-dns_clientinfo_init(dns_clientinfo_t *ci, void *data);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_CLIENTINFO_H */
diff --git a/contrib/bind9/lib/dns/include/dns/compress.h b/contrib/bind9/lib/dns/include/dns/compress.h
deleted file mode 100644
index a10f4d3..0000000
--- a/contrib/bind9/lib/dns/include/dns/compress.h
+++ /dev/null
@@ -1,269 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: compress.h,v 1.42 2009/01/17 23:47:43 tbox Exp $ */
-
-#ifndef DNS_COMPRESS_H
-#define DNS_COMPRESS_H 1
-
-#include <isc/lang.h>
-#include <isc/region.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_COMPRESS_NONE		0x00	/*%< no compression */
-#define DNS_COMPRESS_GLOBAL14		0x01	/*%< "normal" compression. */
-#define DNS_COMPRESS_ALL		0x01	/*%< all compression. */
-#define DNS_COMPRESS_CASESENSITIVE	0x02	/*%< case sensitive compression. */
-
-/*! \file dns/compress.h
- *	Direct manipulation of the structures is strongly discouraged.
- */
-
-#define DNS_COMPRESS_TABLESIZE 64
-#define DNS_COMPRESS_INITIALNODES 16
-
-typedef struct dns_compressnode dns_compressnode_t;
-
-struct dns_compressnode {
-	isc_region_t		r;
-	isc_uint16_t		offset;
-	isc_uint16_t		count;
-	isc_uint8_t		labels;
-	dns_compressnode_t	*next;
-};
-
-struct dns_compress {
-	unsigned int		magic;		/*%< Magic number. */
-	unsigned int		allowed;	/*%< Allowed methods. */
-	int			edns;		/*%< Edns version or -1. */
-	/*% Global compression table. */
-	dns_compressnode_t	*table[DNS_COMPRESS_TABLESIZE];
-	/*% Preallocated nodes for the table. */
-	dns_compressnode_t	initialnodes[DNS_COMPRESS_INITIALNODES];
-	isc_uint16_t		count;		/*%< Number of nodes. */
-	isc_mem_t		*mctx;		/*%< Memory context. */
-};
-
-typedef enum {
-	DNS_DECOMPRESS_ANY,			/*%< Any compression */
-	DNS_DECOMPRESS_STRICT,			/*%< Allowed compression */
-	DNS_DECOMPRESS_NONE			/*%< No compression */
-} dns_decompresstype_t;
-
-struct dns_decompress {
-	unsigned int		magic;		/*%< Magic number. */
-	unsigned int		allowed;	/*%< Allowed methods. */
-	int			edns;		/*%< Edns version or -1. */
-	dns_decompresstype_t	type;		/*%< Strict checking */
-};
-
-isc_result_t
-dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
-/*%<
- *	Initialise the compression context structure pointed to by 'cctx'.
- *
- *	Requires:
- *	\li	'cctx' is a valid dns_compress_t structure.
- *	\li	'mctx' is an initialized memory context.
- *	Ensures:
- *	\li	cctx->global is initialized.
- *
- *	Returns:
- *	\li	#ISC_R_SUCCESS
- *	\li	failures from dns_rbt_create()
- */
-
-void
-dns_compress_invalidate(dns_compress_t *cctx);
-
-/*%<
- *	Invalidate the compression structure pointed to by cctx.
- *
- *	Requires:
- *\li		'cctx' to be initialized.
- */
-
-void
-dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed);
-
-/*%<
- *	Sets allowed compression methods.
- *
- *	Requires:
- *\li		'cctx' to be initialized.
- */
-
-unsigned int
-dns_compress_getmethods(dns_compress_t *cctx);
-
-/*%<
- *	Gets allowed compression methods.
- *
- *	Requires:
- *\li		'cctx' to be initialized.
- *
- *	Returns:
- *\li		allowed compression bitmap.
- */
-
-void
-dns_compress_setsensitive(dns_compress_t *cctx, isc_boolean_t sensitive);
-
-/*
- *	Preserve the case of compressed domain names.
- *
- *	Requires:
- *		'cctx' to be initialized.
- */
-
-isc_boolean_t
-dns_compress_getsensitive(dns_compress_t *cctx);
-/*
- *	Return whether case is to be preserved when compressing
- *	domain names.
- *
- *	Requires:
- *		'cctx' to be initialized.
- */
-
-int
-dns_compress_getedns(dns_compress_t *cctx);
-
-/*%<
- *	Gets edns value.
- *
- *	Requires:
- *\li		'cctx' to be initialized.
- *
- *	Returns:
- *\li		-1 .. 255
- */
-
-isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
-			dns_name_t *prefix, isc_uint16_t *offset);
-/*%<
- *	Finds longest possible match of 'name' in the global compression table.
- *
- *	Requires:
- *\li		'cctx' to be initialized.
- *\li		'name' to be a absolute name.
- *\li		'prefix' to be initialized.
- *\li		'offset' to point to an isc_uint16_t.
- *
- *	Ensures:
- *\li		'prefix' and 'offset' are valid if ISC_TRUE is 	returned.
- *
- *	Returns:
- *\li		#ISC_TRUE / #ISC_FALSE
- */
-
-void
-dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
-		 const dns_name_t *prefix, isc_uint16_t offset);
-/*%<
- *	Add compression pointers for 'name' to the compression table,
- *	not replacing existing pointers.
- *
- *	Requires:
- *\li		'cctx' initialized
- *
- *\li		'name' must be initialized and absolute, and must remain
- *		valid until the message compression is complete.
- *
- *\li		'prefix' must be a prefix returned by
- *		dns_compress_findglobal(), or the same as 'name'.
- */
-
-void
-dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset);
-
-/*%<
- *	Remove any compression pointers from global table >= offset.
- *
- *	Requires:
- *\li		'cctx' is initialized.
- */
-
-void
-dns_decompress_init(dns_decompress_t *dctx, int edns,
-		    dns_decompresstype_t type);
-
-/*%<
- *	Initializes 'dctx'.
- *	Records 'edns' and 'type' into the structure.
- *
- *	Requires:
- *\li		'dctx' to be a valid pointer.
- */
-
-void
-dns_decompress_invalidate(dns_decompress_t *dctx);
-
-/*%<
- *	Invalidates 'dctx'.
- *
- *	Requires:
- *\li		'dctx' to be initialized
- */
-
-void
-dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed);
-
-/*%<
- *	Sets 'dctx->allowed' to 'allowed'.
- *
- *	Requires:
- *\li		'dctx' to be initialized
- */
-
-unsigned int
-dns_decompress_getmethods(dns_decompress_t *dctx);
-
-/*%<
- *	Returns 'dctx->allowed'
- *
- *	Requires:
- *\li		'dctx' to be initialized
- */
-
-int
-dns_decompress_edns(dns_decompress_t *dctx);
-
-/*%<
- *	Returns 'dctx->edns'
- *
- *	Requires:
- *\li		'dctx' to be initialized
- */
-
-dns_decompresstype_t
-dns_decompress_type(dns_decompress_t *dctx);
-
-/*%<
- *	Returns 'dctx->type'
- *
- *	Requires:
- *\li		'dctx' to be initialized
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_COMPRESS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/db.h b/contrib/bind9/lib/dns/include/dns/db.h
deleted file mode 100644
index 66bc3e3..0000000
--- a/contrib/bind9/lib/dns/include/dns/db.h
+++ /dev/null
@@ -1,1573 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: db.h,v 1.107.4.1 2011/10/23 20:12:08 vjs Exp $ */
-
-#ifndef DNS_DB_H
-#define DNS_DB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/db.h
- * \brief
- * The DNS DB interface allows named rdatasets to be stored and retrieved.
- *
- * The dns_db_t type is like a "virtual class".  To actually use
- * DBs, an implementation of the class is required.
- *
- * XXX more XXX
- *
- * MP:
- * \li	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *
- * Reliability:
- * \li	No anticipated impact.
- *
- * Resources:
- * \li	TBS
- *
- * Security:
- * \li	No anticipated impact.
- *
- * Standards:
- * \li	None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/ondestroy.h>
-#include <isc/stdtime.h>
-
-#include <dns/clientinfo.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rpz.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types
- *****/
-
-typedef struct dns_dbmethods {
-	void		(*attach)(dns_db_t *source, dns_db_t **targetp);
-	void		(*detach)(dns_db_t **dbp);
-	isc_result_t	(*beginload)(dns_db_t *db, dns_addrdatasetfunc_t *addp,
-				     dns_dbload_t **dbloadp);
-	isc_result_t	(*endload)(dns_db_t *db, dns_dbload_t **dbloadp);
-	isc_result_t	(*dump)(dns_db_t *db, dns_dbversion_t *version,
-				const char *filename,
-				dns_masterformat_t masterformat);
-	void		(*currentversion)(dns_db_t *db,
-					  dns_dbversion_t **versionp);
-	isc_result_t	(*newversion)(dns_db_t *db,
-				      dns_dbversion_t **versionp);
-	void		(*attachversion)(dns_db_t *db, dns_dbversion_t *source,
-					 dns_dbversion_t **targetp);
-	void		(*closeversion)(dns_db_t *db,
-					dns_dbversion_t **versionp,
-					isc_boolean_t commit);
-	isc_result_t	(*findnode)(dns_db_t *db, dns_name_t *name,
-				    isc_boolean_t create,
-				    dns_dbnode_t **nodep);
-	isc_result_t	(*find)(dns_db_t *db, dns_name_t *name,
-				dns_dbversion_t *version,
-				dns_rdatatype_t type, unsigned int options,
-				isc_stdtime_t now,
-				dns_dbnode_t **nodep, dns_name_t *foundname,
-				dns_rdataset_t *rdataset,
-				dns_rdataset_t *sigrdataset);
-	isc_result_t	(*findzonecut)(dns_db_t *db, dns_name_t *name,
-				       unsigned int options, isc_stdtime_t now,
-				       dns_dbnode_t **nodep,
-				       dns_name_t *foundname,
-				       dns_rdataset_t *rdataset,
-				       dns_rdataset_t *sigrdataset);
-	void		(*attachnode)(dns_db_t *db,
-				      dns_dbnode_t *source,
-				      dns_dbnode_t **targetp);
-	void		(*detachnode)(dns_db_t *db,
-				      dns_dbnode_t **targetp);
-	isc_result_t	(*expirenode)(dns_db_t *db, dns_dbnode_t *node,
-				      isc_stdtime_t now);
-	void		(*printnode)(dns_db_t *db, dns_dbnode_t *node,
-				     FILE *out);
-	isc_result_t 	(*createiterator)(dns_db_t *db, unsigned int options,
-					  dns_dbiterator_t **iteratorp);
-	isc_result_t	(*findrdataset)(dns_db_t *db, dns_dbnode_t *node,
-					dns_dbversion_t *version,
-					dns_rdatatype_t type,
-					dns_rdatatype_t covers,
-					isc_stdtime_t now,
-					dns_rdataset_t *rdataset,
-					dns_rdataset_t *sigrdataset);
-	isc_result_t	(*allrdatasets)(dns_db_t *db, dns_dbnode_t *node,
-					dns_dbversion_t *version,
-					isc_stdtime_t now,
-					dns_rdatasetiter_t **iteratorp);
-	isc_result_t	(*addrdataset)(dns_db_t *db, dns_dbnode_t *node,
-				       dns_dbversion_t *version,
-				       isc_stdtime_t now,
-				       dns_rdataset_t *rdataset,
-				       unsigned int options,
-				       dns_rdataset_t *addedrdataset);
-	isc_result_t	(*subtractrdataset)(dns_db_t *db, dns_dbnode_t *node,
-					    dns_dbversion_t *version,
-					    dns_rdataset_t *rdataset,
-					    unsigned int options,
-					    dns_rdataset_t *newrdataset);
-	isc_result_t	(*deleterdataset)(dns_db_t *db, dns_dbnode_t *node,
-					  dns_dbversion_t *version,
-					  dns_rdatatype_t type,
-					  dns_rdatatype_t covers);
-	isc_boolean_t	(*issecure)(dns_db_t *db);
-	unsigned int	(*nodecount)(dns_db_t *db);
-	isc_boolean_t	(*ispersistent)(dns_db_t *db);
-	void		(*overmem)(dns_db_t *db, isc_boolean_t overmem);
-	void		(*settask)(dns_db_t *db, isc_task_t *);
-	isc_result_t	(*getoriginnode)(dns_db_t *db, dns_dbnode_t **nodep);
-	void		(*transfernode)(dns_db_t *db, dns_dbnode_t **sourcep,
-					dns_dbnode_t **targetp);
-	isc_result_t    (*getnsec3parameters)(dns_db_t *db,
-					      dns_dbversion_t *version,
-					      dns_hash_t *hash,
-					      isc_uint8_t *flags,
-					      isc_uint16_t *iterations,
-					      unsigned char *salt,
-					      size_t *salt_len);
-	isc_result_t    (*findnsec3node)(dns_db_t *db, dns_name_t *name,
-					 isc_boolean_t create,
-					 dns_dbnode_t **nodep);
-	isc_result_t	(*setsigningtime)(dns_db_t *db,
-					  dns_rdataset_t *rdataset,
-					  isc_stdtime_t resign);
-	isc_result_t	(*getsigningtime)(dns_db_t *db,
-					  dns_rdataset_t *rdataset,
-					  dns_name_t *name);
-	void		(*resigned)(dns_db_t *db, dns_rdataset_t *rdataset,
-					   dns_dbversion_t *version);
-	isc_boolean_t	(*isdnssec)(dns_db_t *db);
-	dns_stats_t	*(*getrrsetstats)(dns_db_t *db);
-	isc_result_t	(*rpz_enabled)(dns_db_t *db, dns_rpz_st_t *st);
-	void		(*rpz_findips)(dns_rpz_zone_t *rpz,
-				       dns_rpz_type_t rpz_type,
-				       dns_zone_t *zone, dns_db_t *db,
-				       dns_dbversion_t *version,
-				       dns_rdataset_t *ardataset,
-				       dns_rpz_st_t *st,
-				       dns_name_t *query_qname);
-	isc_result_t	(*findnodeext)(dns_db_t *db, dns_name_t *name,
-				     isc_boolean_t create,
-				     dns_clientinfomethods_t *methods,
-				     dns_clientinfo_t *clientinfo,
-				     dns_dbnode_t **nodep);
-	isc_result_t	(*findext)(dns_db_t *db, dns_name_t *name,
-				   dns_dbversion_t *version,
-				   dns_rdatatype_t type, unsigned int options,
-				   isc_stdtime_t now,
-				   dns_dbnode_t **nodep, dns_name_t *foundname,
-				   dns_clientinfomethods_t *methods,
-				   dns_clientinfo_t *clientinfo,
-				   dns_rdataset_t *rdataset,
-				   dns_rdataset_t *sigrdataset);
-} dns_dbmethods_t;
-
-typedef isc_result_t
-(*dns_dbcreatefunc_t)(isc_mem_t *mctx, dns_name_t *name,
-		      dns_dbtype_t type, dns_rdataclass_t rdclass,
-		      unsigned int argc, char *argv[], void *driverarg,
-		      dns_db_t **dbp);
-
-#define DNS_DB_MAGIC		ISC_MAGIC('D','N','S','D')
-#define DNS_DB_VALID(db)	ISC_MAGIC_VALID(db, DNS_DB_MAGIC)
-
-/*%
- * This structure is actually just the common prefix of a DNS db
- * implementation's version of a dns_db_t.
- * \brief
- * Direct use of this structure by clients is forbidden.  DB implementations
- * may change the structure.  'magic' must be DNS_DB_MAGIC for any of the
- * dns_db_ routines to work.  DB implementations must maintain all DB
- * invariants.
- */
-struct dns_db {
-	unsigned int			magic;
-	unsigned int			impmagic;
-	dns_dbmethods_t *		methods;
-	isc_uint16_t			attributes;
-	dns_rdataclass_t		rdclass;
-	dns_name_t			origin;
-	isc_ondestroy_t			ondest;
-	isc_mem_t *			mctx;
-};
-
-#define DNS_DBATTR_CACHE		0x01
-#define DNS_DBATTR_STUB			0x02
-
-/*@{*/
-/*%
- * Options that can be specified for dns_db_find().
- */
-#define DNS_DBFIND_GLUEOK		0x0001
-#define DNS_DBFIND_VALIDATEGLUE		0x0002
-#define DNS_DBFIND_NOWILD		0x0004
-#define DNS_DBFIND_PENDINGOK		0x0008
-#define DNS_DBFIND_NOEXACT		0x0010
-#define DNS_DBFIND_FORCENSEC		0x0020
-#define DNS_DBFIND_COVERINGNSEC		0x0040
-#define DNS_DBFIND_FORCENSEC3		0x0080
-#define DNS_DBFIND_ADDITIONALOK		0x0100
-/*@}*/
-
-/*@{*/
-/*%
- * Options that can be specified for dns_db_addrdataset().
- */
-#define DNS_DBADD_MERGE			0x01
-#define DNS_DBADD_FORCE			0x02
-#define DNS_DBADD_EXACT			0x04
-#define DNS_DBADD_EXACTTTL		0x08
-/*@}*/
-
-/*%
- * Options that can be specified for dns_db_subtractrdataset().
- */
-#define DNS_DBSUB_EXACT			0x01
-
-/*@{*/
-/*%
- * Iterator options
- */
-#define DNS_DB_RELATIVENAMES	0x1
-#define DNS_DB_NSEC3ONLY	0x2
-#define DNS_DB_NONSEC3		0x4
-/*@}*/
-
-/*****
- ***** Methods
- *****/
-
-/***
- *** Basic DB Methods
- ***/
-
-isc_result_t
-dns_db_create(isc_mem_t *mctx, const char *db_type, dns_name_t *origin,
-	      dns_dbtype_t type, dns_rdataclass_t rdclass,
-	      unsigned int argc, char *argv[], dns_db_t **dbp);
-/*%<
- * Create a new database using implementation 'db_type'.
- *
- * Notes:
- * \li	All names in the database must be subdomains of 'origin' and in class
- *	'rdclass'.  The database makes its own copy of the origin, so the
- *	caller may do whatever they like with 'origin' and its storage once the
- *	call returns.
- *
- * \li	DB implementation-specific parameters are passed using argc and argv.
- *
- * Requires:
- *
- * \li	dbp != NULL and *dbp == NULL
- *
- * \li	'origin' is a valid absolute domain name.
- *
- * \li	mctx is a valid memory context
- *
- * Ensures:
- *
- * \li	A copy of 'origin' has been made for the databases use, and the
- *	caller is free to do whatever they want with the name and storage
- *	associated with 'origin'.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- * \li	#ISC_R_NOTFOUND				db_type not found
- *
- * \li	Many other errors are possible, depending on what db_type was
- *	specified.
- */
-
-void
-dns_db_attach(dns_db_t *source, dns_db_t **targetp);
-/*%<
- * Attach *targetp to source.
- *
- * Requires:
- *
- * \li	'source' is a valid database.
- *
- * \li	'targetp' points to a NULL dns_db_t *.
- *
- * Ensures:
- *
- * \li	*targetp is attached to source.
- */
-
-void
-dns_db_detach(dns_db_t **dbp);
-/*%<
- * Detach *dbp from its database.
- *
- * Requires:
- *
- * \li	'dbp' points to a valid database.
- *
- * Ensures:
- *
- * \li	*dbp is NULL.
- *
- * \li	If '*dbp' is the last reference to the database,
- *		all resources used by the database will be freed
- */
-
-isc_result_t
-dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp);
-/*%<
- * Causes 'eventp' to be sent to be sent to 'task' when the database is
- * destroyed.
- *
- * Note; ownership of the eventp is taken from the caller (and *eventp is
- * set to NULL). The sender field of the event is set to 'db' before it is
- * sent to the task.
- */
-
-isc_boolean_t
-dns_db_iscache(dns_db_t *db);
-/*%<
- * Does 'db' have cache semantics?
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * Returns:
- * \li	#ISC_TRUE	'db' has cache semantics
- * \li	#ISC_FALSE	otherwise
- */
-
-isc_boolean_t
-dns_db_iszone(dns_db_t *db);
-/*%<
- * Does 'db' have zone semantics?
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * Returns:
- * \li	#ISC_TRUE	'db' has zone semantics
- * \li	#ISC_FALSE	otherwise
- */
-
-isc_boolean_t
-dns_db_isstub(dns_db_t *db);
-/*%<
- * Does 'db' have stub semantics?
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * Returns:
- * \li	#ISC_TRUE	'db' has zone semantics
- * \li	#ISC_FALSE	otherwise
- */
-
-isc_boolean_t
-dns_db_issecure(dns_db_t *db);
-/*%<
- * Is 'db' secure?
- *
- * Requires:
- *
- * \li	'db' is a valid database with zone semantics.
- *
- * Returns:
- * \li	#ISC_TRUE	'db' is secure.
- * \li	#ISC_FALSE	'db' is not secure.
- */
-
-isc_boolean_t
-dns_db_isdnssec(dns_db_t *db);
-/*%<
- * Is 'db' secure or partially secure?
- *
- * Requires:
- *
- * \li	'db' is a valid database with zone semantics.
- *
- * Returns:
- * \li	#ISC_TRUE	'db' is secure or is partially.
- * \li	#ISC_FALSE	'db' is not secure.
- */
-
-dns_name_t *
-dns_db_origin(dns_db_t *db);
-/*%<
- * The origin of the database.
- *
- * Note: caller must not try to change this name.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * Returns:
- *
- * \li	The origin of the database.
- */
-
-dns_rdataclass_t
-dns_db_class(dns_db_t *db);
-/*%<
- * The class of the database.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * Returns:
- *
- * \li	The class of the database.
- */
-
-isc_result_t
-dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
-		 dns_dbload_t **dbloadp);
-/*%<
- * Begin loading 'db'.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	This is the first attempt to load 'db'.
- *
- * \li	addp != NULL && *addp == NULL
- *
- * \li	dbloadp != NULL && *dbloadp == NULL
- *
- * Ensures:
- *
- * \li	On success, *addp will be a valid dns_addrdatasetfunc_t suitable
- *	for loading 'db'.  *dbloadp will be a valid DB load context which
- *	should be used as 'arg' when *addp is called.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used, syntax errors in the master file, etc.
- */
-
-isc_result_t
-dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp);
-/*%<
- * Finish loading 'db'.
- *
- * Requires:
- *
- * \li	'db' is a valid database that is being loaded.
- *
- * \li	dbloadp != NULL and *dbloadp is a valid database load context.
- *
- * Ensures:
- *
- * \li	*dbloadp == NULL
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used, syntax errors in the master file, etc.
- */
-
-isc_result_t
-dns_db_load(dns_db_t *db, const char *filename);
-
-isc_result_t
-dns_db_load2(dns_db_t *db, const char *filename, dns_masterformat_t format);
-
-isc_result_t
-dns_db_load3(dns_db_t *db, const char *filename, dns_masterformat_t format,
-	     unsigned int options);
-/*%<
- * Load master file 'filename' into 'db'.
- *
- * Notes:
- * \li	This routine is equivalent to calling
- *
- *\code
- *		dns_db_beginload();
- *		dns_master_loadfile();
- *		dns_db_endload();
- *\endcode
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	This is the first attempt to load 'db'.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used, syntax errors in the master file, etc.
- */
-
-isc_result_t
-dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename);
-
-isc_result_t
-dns_db_dump2(dns_db_t *db, dns_dbversion_t *version, const char *filename,
-	     dns_masterformat_t masterformat);
-/*%<
- * Dump version 'version' of 'db' to master file 'filename'.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'version' is a valid version.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used, OS file errors, etc.
- */
-
-/***
- *** Version Methods
- ***/
-
-void
-dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp);
-/*%<
- * Open the current version for reading.
- *
- * Requires:
- *
- * \li	'db' is a valid database with zone semantics.
- *
- * \li	versionp != NULL && *verisonp == NULL
- *
- * Ensures:
- *
- * \li	On success, '*versionp' is attached to the current version.
- *
- */
-
-isc_result_t
-dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp);
-/*%<
- * Open a new version for reading and writing.
- *
- * Requires:
- *
- * \li	'db' is a valid database with zone semantics.
- *
- * \li	versionp != NULL && *verisonp == NULL
- *
- * Ensures:
- *
- * \li	On success, '*versionp' is attached to the current version.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used.
- */
-
-void
-dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
-		     dns_dbversion_t **targetp);
-/*%<
- * Attach '*targetp' to 'source'.
- *
- * Requires:
- *
- * \li	'db' is a valid database with zone semantics.
- *
- * \li	source is a valid open version
- *
- * \li	targetp != NULL && *targetp == NULL
- *
- * Ensures:
- *
- * \li	'*targetp' is attached to source.
- */
-
-void
-dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
-		    isc_boolean_t commit);
-/*%<
- * Close version '*versionp'.
- *
- * Note: if '*versionp' is a read-write version and 'commit' is ISC_TRUE,
- * then all changes made in the version will take effect, otherwise they
- * will be rolled back.  The value of 'commit' is ignored for read-only
- * versions.
- *
- * Requires:
- *
- * \li	'db' is a valid database with zone semantics.
- *
- * \li	'*versionp' refers to a valid version.
- *
- * \li	If committing a writable version, then there must be no other
- *	outstanding references to the version (e.g. an active rdataset
- *	iterator).
- *
- * Ensures:
- *
- * \li	*versionp == NULL
- *
- * \li	If *versionp is a read-write version, and commit is ISC_TRUE, then
- *	the version will become the current version.  If !commit, then all
- *	changes made in the version will be undone, and the version will
- *	not become the current version.
- */
-
-/***
- *** Node Methods
- ***/
-
-isc_result_t
-dns_db_findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
-		dns_dbnode_t **nodep);
-
-isc_result_t
-dns_db_findnodeext(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
-		   dns_clientinfomethods_t *methods,
-		   dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep);
-/*%<
- * Find the node with name 'name'.
- *
- * dns_db_findnodeext() (findnode extended) also accepts parameters
- * 'methods' and 'clientinfo', which, when provided, enable the database to
- * retreive information about the client from the caller, and modify its
- * response on the basis of that information.
- *
- * Notes:
- * \li	If 'create' is ISC_TRUE and no node with name 'name' exists, then
- *	such a node will be created.
- *
- * \li	This routine is for finding or creating a node with the specified
- *	name.  There are no partial matches.  It is not suitable for use
- *	in building responses to ordinary DNS queries; clients which wish
- *	to do that should use dns_db_find() instead.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'name' is a valid, non-empty, absolute name.
- *
- * \li	nodep != NULL && *nodep == NULL
- *
- * Ensures:
- *
- * \li	On success, *nodep is attached to the node with name 'name'.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND			If !create and name not found.
- * \li	#ISC_R_NOMEMORY			Can only happen if create is ISC_TRUE.
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used.
- */
-
-isc_result_t
-dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-	    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-	    dns_dbnode_t **nodep, dns_name_t *foundname,
-	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-
-isc_result_t
-dns_db_findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-	       dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-	       dns_dbnode_t **nodep, dns_name_t *foundname,
-	       dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
-	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*%<
- * Find the best match for 'name' and 'type' in version 'version' of 'db'.
- *
- * dns_db_findext() (find extended) also accepts parameters 'methods'
- * and 'clientinfo', which when provided enable the database to retreive
- * information about the client from the caller, and modify its response
- * on the basis of this information.
- *
- * Notes:
- *
- * \li	If type == dns_rdataset_any, then rdataset will not be bound.
- *
- * \li	If 'options' does not have #DNS_DBFIND_GLUEOK set, then no glue will
- *	be returned.  For zone databases, glue is as defined in RFC2181.
- *	For cache databases, glue is any rdataset with a trust of
- *	dns_trust_glue.
- *
- * \li	If 'options' does not have #DNS_DBFIND_ADDITIONALOK set, then no
- *	additional records will be returned.  Only caches can have
- *	rdataset with trust dns_trust_additional.
- *
- * \li	If 'options' does not have #DNS_DBFIND_PENDINGOK set, then no
- *	pending data will be returned.  This option is only meaningful for
- *	cache databases.
- *
- * \li	If the #DNS_DBFIND_NOWILD option is set, then wildcard matching will
- *	be disabled.  This option is only meaningful for zone databases.
- *
- * \li	If the #DNS_DBFIND_FORCENSEC option is set, the database is assumed to
- *	have NSEC records, and these will be returned when appropriate.  This
- *	is only necessary when querying a database that was not secure
- *	when created.
- *
- * \li	If the DNS_DBFIND_COVERINGNSEC option is set, then look for a
- *	NSEC record that potentially covers 'name' if a answer cannot
- *	be found.  Note the returned NSEC needs to be checked to ensure
- *	that it is correct.  This only affects answers returned from the
- *	cache.
- *
- * \li	In the #DNS_DBFIND_FORCENSEC3 option is set, then we are looking
- *	in the NSEC3 tree and not the main tree.  Without this option being
- *	set NSEC3 records will not be found.
- *
- * \li	To respond to a query for SIG records, the caller should create a
- *	rdataset iterator and extract the signatures from each rdataset.
- *
- * \li	Making queries of type ANY with #DNS_DBFIND_GLUEOK is not recommended,
- *	because the burden of determining whether a given rdataset is valid
- *	glue or not falls upon the caller.
- *
- * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
- *	cache database, an rdataset will not be found unless it expires after
- *	'now'.  Any ANY query will not match unless at least one rdataset at
- *	the node expires after 'now'.  If 'now' is zero, then the current time
- *	will be used.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'type' is not SIG, or a meta-RR type other than 'ANY' (e.g. 'OPT').
- *
- * \li	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
- *
- * \li	'foundname' is a valid name with a dedicated buffer.
- *
- * \li	'rdataset' is NULL, or is a valid unassociated rdataset.
- *
- * Ensures,
- *	on a non-error completion:
- *
- *	\li	If nodep != NULL, then it is bound to the found node.
- *
- *	\li	If foundname != NULL, then it contains the full name of the
- *		found node.
- *
- *	\li	If rdataset != NULL and type != dns_rdatatype_any, then
- *		rdataset is bound to the found rdataset.
- *
- *	Non-error results are:
- *
- *	\li	#ISC_R_SUCCESS			The desired node and type were
- *						found.
- *
- *	\li	#DNS_R_WILDCARD			The desired node and type were
- *						found after performing
- *						wildcard matching.  This is
- *						only returned if the
- *						#DNS_DBFIND_INDICATEWILD
- *						option is set; otherwise
- *						#ISC_R_SUCCESS is returned.
- *
- *	\li	#DNS_R_GLUE			The desired node and type were
- *						found, but are glue.  This
- *						result can only occur if
- *						the DNS_DBFIND_GLUEOK option
- *						is set.  This result can only
- *						occur if 'db' is a zone
- *						database.  If type ==
- *						dns_rdatatype_any, then the
- *						node returned may contain, or
- *						consist entirely of invalid
- *						glue (i.e. data occluded by a
- *						zone cut).  The caller must
- *						take care not to return invalid
- *						glue to a client.
- *
- *	\li	#DNS_R_DELEGATION		The data requested is beneath
- *						a zone cut.  node, foundname,
- *						and rdataset reference the
- *						NS RRset of the zone cut.
- *						If 'db' is a cache database,
- *						then this is the deepest known
- *						delegation.
- *
- *	\li	#DNS_R_ZONECUT			type == dns_rdatatype_any, and
- *						the desired node is a zonecut.
- *						The caller must take care not
- *						to return inappropriate glue
- *						to a client.  This result can
- *						only occur if 'db' is a zone
- *						database and DNS_DBFIND_GLUEOK
- *						is set.
- *
- *	\li	#DNS_R_DNAME			The data requested is beneath
- *						a DNAME.  node, foundname,
- *						and rdataset reference the
- *						DNAME RRset.
- *
- *	\li	#DNS_R_CNAME			The rdataset requested was not
- *						found, but there is a CNAME
- *						at the desired name.  node,
- *						foundname, and rdataset
- *						reference the CNAME RRset.
- *
- *	\li	#DNS_R_NXDOMAIN			The desired name does not
- *						exist.
- *
- *	\li	#DNS_R_NXRRSET			The desired name exists, but
- *						the desired type does not.
- *
- *	\li	#ISC_R_NOTFOUND			The desired name does not
- *						exist, and no delegation could
- *						be found.  This result can only
- *						occur if 'db' is a cache
- *						database.  The caller should
- *						use its nameserver(s) of last
- *						resort (e.g. root hints).
- *
- *	\li	#DNS_R_NCACHENXDOMAIN		The desired name does not
- *						exist.  'node' is bound to the
- *						cache node with the desired
- *						name, and 'rdataset' contains
- *						the negative caching proof.
- *
- *	\li	#DNS_R_NCACHENXRRSET		The desired type does not
- *						exist.  'node' is bound to the
- *						cache node with the desired
- *						name, and 'rdataset' contains
- *						the negative caching proof.
- *
- *	\li	#DNS_R_EMPTYNAME		The name exists but there is
- *						no data at the name.
- *
- *	\li	#DNS_R_COVERINGNSEC		The returned data is a NSEC
- *						that potentially covers 'name'.
- *
- *	\li	#DNS_R_EMPTYWILD		The name is a wildcard without
- *						resource records.
- *
- *	Error results:
- *
- *	\li	#ISC_R_NOMEMORY
- *
- *	\li	#DNS_R_BADDB			Data that is required to be
- *						present in the DB, e.g. an NSEC
- *						record in a secure zone, is not
- *						present.
- *
- *	\li	Other results are possible, and should all be treated as
- *		errors.
- */
-
-isc_result_t
-dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
-		   unsigned int options, isc_stdtime_t now,
-		   dns_dbnode_t **nodep, dns_name_t *foundname,
-		   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*%<
- * Find the deepest known zonecut which encloses 'name' in 'db'.
- *
- * Notes:
- *
- * \li	If the #DNS_DBFIND_NOEXACT option is set, then the zonecut returned
- *	(if any) will be the deepest known ancestor of 'name'.
- *
- * \li	If 'now' is zero, then the current time will be used.
- *
- * Requires:
- *
- * \li	'db' is a valid database with cache semantics.
- *
- * \li	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
- *
- * \li	'foundname' is a valid name with a dedicated buffer.
- *
- * \li	'rdataset' is NULL, or is a valid unassociated rdataset.
- *
- * Ensures, on a non-error completion:
- *
- * \li	If nodep != NULL, then it is bound to the found node.
- *
- * \li	If foundname != NULL, then it contains the full name of the
- *	found node.
- *
- * \li	If rdataset != NULL and type != dns_rdatatype_any, then
- *	rdataset is bound to the found rdataset.
- *
- * Non-error results are:
- *
- * \li	#ISC_R_SUCCESS
- *
- * \li	#ISC_R_NOTFOUND
- *
- * \li	Other results are possible, and should all be treated as
- *	errors.
- */
-
-void
-dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp);
-/*%<
- * Attach *targetp to source.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'source' is a valid node.
- *
- * \li	'targetp' points to a NULL dns_dbnode_t *.
- *
- * Ensures:
- *
- * \li	*targetp is attached to source.
- */
-
-void
-dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
-/*%<
- * Detach *nodep from its node.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'nodep' points to a valid node.
- *
- * Ensures:
- *
- * \li	*nodep is NULL.
- */
-
-void
-dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
-		    dns_dbnode_t **targetp);
-/*%<
- * Transfer a node between pointer.
- *
- * This is equivalent to calling dns_db_attachnode() then dns_db_detachnode().
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'*sourcep' is a valid node.
- *
- * \li	'targetp' points to a NULL dns_dbnode_t *.
- *
- * Ensures:
- *
- * \li	'*sourcep' is NULL.
- */
-
-isc_result_t
-dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
-/*%<
- * Mark as stale all records at 'node' which expire at or before 'now'.
- *
- * Note: if 'now' is zero, then the current time will be used.
- *
- * Requires:
- *
- * \li	'db' is a valid cache database.
- *
- * \li	'node' is a valid node.
- */
-
-void
-dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
-/*%<
- * Print a textual representation of the contents of the node to
- * 'out'.
- *
- * Note: this function is intended for debugging, not general use.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'node' is a valid node.
- */
-
-/***
- *** DB Iterator Creation
- ***/
-
-isc_result_t
-dns_db_createiterator(dns_db_t *db, unsigned int options,
-		      dns_dbiterator_t **iteratorp);
-/*%<
- * Create an iterator for version 'version' of 'db'.
- *
- * Notes:
- *
- * \li	One or more of the following options can be set.
- *	#DNS_DB_RELATIVENAMES
- *	#DNS_DB_NSEC3ONLY
- *	#DNS_DB_NONSEC3
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	iteratorp != NULL && *iteratorp == NULL
- *
- * Ensures:
- *
- * \li	On success, *iteratorp will be a valid database iterator.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- */
-
-/***
- *** Rdataset Methods
- ***/
-
-/*
- * XXXRTH  Should we check for glue and pending data in dns_db_findrdataset()?
- */
-
-isc_result_t
-dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		    dns_rdatatype_t type, dns_rdatatype_t covers,
-		    isc_stdtime_t now, dns_rdataset_t *rdataset,
-		    dns_rdataset_t *sigrdataset);
-
-/*%<
- * Search for an rdataset of type 'type' at 'node' that are in version
- * 'version' of 'db'.  If found, make 'rdataset' refer to it.
- *
- * Notes:
- *
- * \li	If 'version' is NULL, then the current version will be used.
- *
- * \li	Care must be used when using this routine to build a DNS response:
- *	'node' should have been found with dns_db_find(), not
- *	dns_db_findnode().  No glue checking is done.  No checking for
- *	pending data is done.
- *
- * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
- *	cache database, an rdataset will not be found unless it expires after
- *	'now'.  If 'now' is zero, then the current time will be used.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'node' is a valid node.
- *
- * \li	'rdataset' is a valid, disassociated rdataset.
- *
- * \li	'sigrdataset' is a valid, disassociated rdataset, or it is NULL.
- *
- * \li	If 'covers' != 0, 'type' must be SIG.
- *
- * \li	'type' is not a meta-RR type such as 'ANY' or 'OPT'.
- *
- * Ensures:
- *
- * \li	On success, 'rdataset' is associated with the found rdataset.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used.
- */
-
-isc_result_t
-dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		    isc_stdtime_t now, dns_rdatasetiter_t **iteratorp);
-/*%<
- * Make '*iteratorp' an rdataset iterator for all rdatasets at 'node' in
- * version 'version' of 'db'.
- *
- * Notes:
- *
- * \li	If 'version' is NULL, then the current version will be used.
- *
- * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
- *	cache database, an rdataset will not be found unless it expires after
- *	'now'.  Any ANY query will not match unless at least one rdataset at
- *	the node expires after 'now'.  If 'now' is zero, then the current time
- *	will be used.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'node' is a valid node.
- *
- * \li	iteratorp != NULL && *iteratorp == NULL
- *
- * Ensures:
- *
- * \li	On success, '*iteratorp' is a valid rdataset iterator.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used.
- */
-
-isc_result_t
-dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		   isc_stdtime_t now, dns_rdataset_t *rdataset,
-		   unsigned int options, dns_rdataset_t *addedrdataset);
-/*%<
- * Add 'rdataset' to 'node' in version 'version' of 'db'.
- *
- * Notes:
- *
- * \li	If the database has zone semantics, the #DNS_DBADD_MERGE option is set,
- *	and an rdataset of the same type as 'rdataset' already exists at
- *	'node' then the contents of 'rdataset' will be merged with the existing
- *	rdataset.  If the option is not set, then rdataset will replace any
- *	existing rdataset of the same type.  If not merging and the
- *	#DNS_DBADD_FORCE option is set, then the data will update the database
- *	without regard to trust levels.  If not forcing the data, then the
- *	rdataset will only be added if its trust level is >= the trust level of
- *	any existing rdataset.  Forcing is only meaningful for cache databases.
- *	If #DNS_DBADD_EXACT is set then there must be no rdata in common between
- *	the old and new rdata sets.  If #DNS_DBADD_EXACTTTL is set then both
- *	the old and new rdata sets must have the same ttl.
- *
- * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is
- *	a cache database, then the added rdataset will expire no later than
- *	now + rdataset->ttl.
- *
- * \li	If 'addedrdataset' is not NULL, then it will be attached to the
- *	resulting new rdataset in the database, or to the existing data if
- *	the existing data was better.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'node' is a valid node.
- *
- * \li	'rdataset' is a valid, associated rdataset with the same class
- *	as 'db'.
- *
- * \li	'addedrdataset' is NULL, or a valid, unassociated rdataset.
- *
- * \li	The database has zone semantics and 'version' is a valid
- *	read-write version, or the database has cache semantics
- *	and version is NULL.
- *
- * \li	If the database has cache semantics, the #DNS_DBADD_MERGE option must
- *	not be set.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#DNS_R_UNCHANGED			The operation did not change anything.
- * \li	#ISC_R_NOMEMORY
- * \li	#DNS_R_NOTEXACT
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used.
- */
-
-isc_result_t
-dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
-			dns_dbversion_t *version, dns_rdataset_t *rdataset,
-			unsigned int options, dns_rdataset_t *newrdataset);
-/*%<
- * Remove any rdata in 'rdataset' from 'node' in version 'version' of
- * 'db'.
- *
- * Notes:
- *
- * \li	If 'newrdataset' is not NULL, then it will be attached to the
- *	resulting new rdataset in the database, unless the rdataset has
- *	become nonexistent.  If DNS_DBSUB_EXACT is set then all elements
- *	of 'rdataset' must exist at 'node'.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'node' is a valid node.
- *
- * \li	'rdataset' is a valid, associated rdataset with the same class
- *	as 'db'.
- *
- * \li	'newrdataset' is NULL, or a valid, unassociated rdataset.
- *
- * \li	The database has zone semantics and 'version' is a valid
- *	read-write version.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#DNS_R_UNCHANGED			The operation did not change anything.
- * \li	#DNS_R_NXRRSET			All rdata of the same type as those
- *					in 'rdataset' have been deleted.
- * \li	#DNS_R_NOTEXACT			Some part of 'rdataset' did not
- *					exist and DNS_DBSUB_EXACT was set.
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used.
- */
-
-isc_result_t
-dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
-		      dns_dbversion_t *version, dns_rdatatype_t type,
-		      dns_rdatatype_t covers);
-/*%<
- * Make it so that no rdataset of type 'type' exists at 'node' in version
- * version 'version' of 'db'.
- *
- * Notes:
- *
- * \li	If 'type' is dns_rdatatype_any, then no rdatasets will exist in
- *	'version' (provided that the dns_db_deleterdataset() isn't followed
- *	by one or more dns_db_addrdataset() calls).
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'node' is a valid node.
- *
- * \li	The database has zone semantics and 'version' is a valid
- *	read-write version, or the database has cache semantics
- *	and version is NULL.
- *
- * \li	'type' is not a meta-RR type, except for dns_rdatatype_any, which is
- *	allowed.
- *
- * \li	If 'covers' != 0, 'type' must be SIG.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#DNS_R_UNCHANGED			No rdatasets of 'type' existed before
- *					the operation was attempted.
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used.
- */
-
-isc_result_t
-dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp);
-/*%<
- * Get the current SOA serial number from a zone database.
- *
- * Requires:
- * \li	'db' is a valid database with zone semantics.
- * \li	'ver' is a valid version.
- */
-
-void
-dns_db_overmem(dns_db_t *db, isc_boolean_t overmem);
-/*%<
- * Enable / disable aggressive cache cleaning.
- */
-
-unsigned int
-dns_db_nodecount(dns_db_t *db);
-/*%<
- * Count the number of nodes in 'db'.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * Returns:
- * \li	The number of nodes in the database
- */
-
-void
-dns_db_settask(dns_db_t *db, isc_task_t *task);
-/*%<
- * If task is set then the final detach maybe performed asynchronously.
- *
- * Requires:
- * \li	'db' is a valid database.
- * \li	'task' to be valid or NULL.
- */
-
-isc_boolean_t
-dns_db_ispersistent(dns_db_t *db);
-/*%<
- * Is 'db' persistent?  A persistent database does not need to be loaded
- * from disk or written to disk.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * Returns:
- * \li	#ISC_TRUE	'db' is persistent.
- * \li	#ISC_FALSE	'db' is not persistent.
- */
-
-isc_result_t
-dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
-		isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
-
-/*%<
- * Register a new database implementation and add it to the list of
- * supported implementations.
- *
- * Requires:
- *
- * \li 	'name' is not NULL
- * \li	'order' is a valid function pointer
- * \li	'mctx' is a valid memory context
- * \li	dbimp != NULL && *dbimp == NULL
- *
- * Returns:
- * \li	#ISC_R_SUCCESS	The registration succeeded
- * \li	#ISC_R_NOMEMORY	Out of memory
- * \li	#ISC_R_EXISTS	A database implementation with the same name exists
- *
- * Ensures:
- *
- * \li	*dbimp points to an opaque structure which must be passed to
- *	dns_db_unregister().
- */
-
-void
-dns_db_unregister(dns_dbimplementation_t **dbimp);
-/*%<
- * Remove a database implementation from the list of supported
- * implementations.  No databases of this type can be active when this
- * is called.
- *
- * Requires:
- * \li 	dbimp != NULL && *dbimp == NULL
- *
- * Ensures:
- *
- * \li	Any memory allocated in *dbimp will be freed.
- */
-
-isc_result_t
-dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep);
-/*%<
- * Get the origin DB node corresponding to the DB's zone.  This function
- * should typically succeed unless the underlying DB implementation doesn't
- * support the feature.
- *
- * Requires:
- *
- * \li	'db' is a valid zone database.
- * \li	'nodep' != NULL && '*nodep' == NULL
- *
- * Ensures:
- * \li	On success, '*nodep' will point to the DB node of the zone's origin.
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND - the DB implementation does not support this feature.
- */
-
-isc_result_t
-dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
-			  dns_hash_t *hash, isc_uint8_t *flags,
-			  isc_uint16_t *interations,
-			  unsigned char *salt, size_t *salt_length);
-/*%<
- * Get the NSEC3 parameters that are associated with this zone.
- *
- * Requires:
- * \li	'db' is a valid zone database.
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND - the DB implementation does not support this feature
- *			  or this zone does not have NSEC3 records.
- */
-
-isc_result_t
-dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
-		     isc_boolean_t create, dns_dbnode_t **nodep);
-/*%<
- * Find the NSEC3 node with name 'name'.
- *
- * Notes:
- * \li	If 'create' is ISC_TRUE and no node with name 'name' exists, then
- *	such a node will be created.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * \li	'name' is a valid, non-empty, absolute name.
- *
- * \li	nodep != NULL && *nodep == NULL
- *
- * Ensures:
- *
- * \li	On success, *nodep is attached to the node with name 'name'.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND			If !create and name not found.
- * \li	#ISC_R_NOMEMORY			Can only happen if create is ISC_TRUE.
- *
- * \li	Other results are possible, depending upon the database
- *	implementation used.
- */
-
-isc_result_t
-dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
-		      isc_stdtime_t resign);
-/*%<
- * Sets the re-signing time associated with 'rdataset' to 'resign'.
- *
- * Requires:
- * \li	'db' is a valid zone database.
- * \li	'rdataset' is or is to be associated with 'db'.
- * \li  'rdataset' is not pending removed from the heap via an
- *       uncommitted call to dns_db_resigned().
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- * \li	#ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
- */
-
-isc_result_t
-dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name);
-/*%<
- * Return the rdataset with the earliest signing time in the zone.
- * Note: the rdataset is version agnostic.
- *
- * Requires:
- * \li	'db' is a valid zone database.
- * \li	'rdataset' to be initialized but not associated.
- * \li	'name' to be NULL or have a buffer associated with it.
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND - No dataset exists.
- */
-
-void
-dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
-		dns_dbversion_t *version);
-/*%<
- * Mark 'rdataset' as not being available to be returned by
- * dns_db_getsigningtime().  If the changes associated with 'version'
- * are committed this will be permanent.  If the version is not committed
- * this change will be rolled back when the version is closed.  Until
- * 'version' is either committed or rolled back, 'rdataset' can no longer
- * be acted upon by dns_db_setsigningtime().
- *
- * Requires:
- * \li	'db' is a valid zone database.
- * \li	'rdataset' to be associated with 'db'.
- * \li	'version' to be open for writing.
- */
-
-dns_stats_t *
-dns_db_getrrsetstats(dns_db_t *db);
-/*%<
- * Get statistics information counting RRsets stored in the DB, when available.
- * The statistics may not be available depending on the DB implementation.
- *
- * Requires:
- *
- * \li	'db' is a valid database (zone or cache).
- *
- * Returns:
- * \li	when available, a pointer to a statistics object created by
- *	dns_rdatasetstats_create(); otherwise NULL.
- */
-
-isc_result_t
-dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st);
-/*%<
- * Mark a database for response policy rewriting
- * or find which RPZ data is available.
- */
-
-void
-dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
-		   dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
-		   dns_rdataset_t *ardataset, dns_rpz_st_t *st,
-		   dns_name_t *query_qname);
-/*%<
- * Search the CDIR block tree of a response policy tree of trees for the best
- * match to any of the IP addresses in an A or AAAA rdataset.
- *
- * Requires:
- * \li	search in policy zone 'rpz' for a match of 'rpz_type' either
- *	    DNS_RPZ_TYPE_IP or DNS_RPZ_TYPE_NSIP
- * \li	'zone' and 'db' are the database corresponding to 'rpz'
- * \li	'version' is the required version of the database
- * \li	'ardataset' is an A or AAAA rdataset of addresses to check
- * \li	'found' specifies the previous best match if any or
- *	    or NULL, an empty name, 0, DNS_RPZ_POLICY_MISS, and 0
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dbiterator.h b/contrib/bind9/lib/dns/include/dns/dbiterator.h
deleted file mode 100644
index 366d676..0000000
--- a/contrib/bind9/lib/dns/include/dns/dbiterator.h
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dbiterator.h,v 1.25 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef DNS_DBITERATOR_H
-#define DNS_DBITERATOR_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/dbiterator.h
- * \brief
- * The DNS DB Iterator interface allows iteration of all of the nodes in a
- * database.
- *
- * The dns_dbiterator_t type is like a "virtual class".  To actually use
- * it, an implementation of the class is required.  This implementation is
- * supplied by the database.
- *
- * It is the client's responsibility to call dns_db_detachnode() on all
- * nodes returned.
- *
- * XXX &lt;more&gt; XXX
- *
- * MP:
- *\li	The iterator itself is not locked.  The caller must ensure
- *	synchronization.
- *
- *\li	The iterator methods ensure appropriate database locking.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types
- *****/
-
-typedef struct dns_dbiteratormethods {
-	void		(*destroy)(dns_dbiterator_t **iteratorp);
-	isc_result_t	(*first)(dns_dbiterator_t *iterator);
-	isc_result_t	(*last)(dns_dbiterator_t *iterator);
-	isc_result_t	(*seek)(dns_dbiterator_t *iterator, dns_name_t *name);
-	isc_result_t	(*prev)(dns_dbiterator_t *iterator);
-	isc_result_t	(*next)(dns_dbiterator_t *iterator);
-	isc_result_t	(*current)(dns_dbiterator_t *iterator,
-				   dns_dbnode_t **nodep, dns_name_t *name);
-	isc_result_t	(*pause)(dns_dbiterator_t *iterator);
-	isc_result_t	(*origin)(dns_dbiterator_t *iterator,
-				  dns_name_t *name);
-} dns_dbiteratormethods_t;
-
-#define DNS_DBITERATOR_MAGIC	     ISC_MAGIC('D','N','S','I')
-#define DNS_DBITERATOR_VALID(dbi)    ISC_MAGIC_VALID(dbi, DNS_DBITERATOR_MAGIC)
-/*%
- * This structure is actually just the common prefix of a DNS db
- * implementation's version of a dns_dbiterator_t.
- *
- * Clients may use the 'db' field of this structure.  Except for that field,
- * direct use of this structure by clients is forbidden.  DB implementations
- * may change the structure.  'magic' must be DNS_DBITERATOR_MAGIC for any of
- * the dns_dbiterator routines to work.  DB iterator implementations must
- * maintain all DB iterator invariants.
- */
-struct dns_dbiterator {
-	/* Unlocked. */
-	unsigned int			magic;
-	dns_dbiteratormethods_t *	methods;
-	dns_db_t *			db;
-	isc_boolean_t			relative_names;
-	isc_boolean_t			cleaning;
-};
-
-void
-dns_dbiterator_destroy(dns_dbiterator_t **iteratorp);
-/*%<
- * Destroy '*iteratorp'.
- *
- * Requires:
- *
- *\li	'*iteratorp' is a valid iterator.
- *
- * Ensures:
- *
- *\li	All resources used by the iterator are freed.
- *
- *\li	*iteratorp == NULL.
- */
-
-isc_result_t
-dns_dbiterator_first(dns_dbiterator_t *iterator);
-/*%<
- * Move the node cursor to the first node in the database (if any).
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			There are no nodes in the database.
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_last(dns_dbiterator_t *iterator);
-/*%<
- * Move the node cursor to the last node in the database (if any).
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			There are no nodes in the database.
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name);
-/*%<
- * Move the node cursor to the node with name 'name'.
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- *\li	'name' is a valid name.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOTFOUND
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_prev(dns_dbiterator_t *iterator);
-/*%<
- * Move the node cursor to the previous node in the database (if any).
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			There are no more nodes in the
- *					database.
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_next(dns_dbiterator_t *iterator);
-/*%<
- * Move the node cursor to the next node in the database (if any).
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			There are no more nodes in the
- *					database.
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
-		       dns_name_t *name);
-/*%<
- * Return the current node.
- *
- * Notes:
- *\li	If 'name' is not NULL, it will be set to the name of the node.
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- *\li	nodep != NULL && *nodep == NULL
- *
- *\li	The node cursor of 'iterator' is at a valid location (i.e. the
- *	result of last call to a cursor movement command was ISC_R_SUCCESS).
- *
- *\li	'name' is NULL, or is a valid name with a dedicated buffer.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#DNS_R_NEWORIGIN			If this iterator was created with
- *					'relative_names' set to ISC_TRUE,
- *					then #DNS_R_NEWORIGIN will be returned
- *					when the origin the names are
- *					relative to changes.  This result
- *					can occur only when 'name' is not
- *					NULL.  This is also a successful
- *					result.
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_pause(dns_dbiterator_t *iterator);
-/*%<
- * Pause iteration.
- *
- * Calling a cursor movement method or dns_dbiterator_current() may cause
- * database locks to be acquired.  Rather than reacquire these locks every
- * time one of these routines is called, the locks may simply be held.
- * Calling dns_dbiterator_pause() releases any such locks.  Iterator clients
- * should call this routine any time they are not going to execute another
- * iterator method in the immediate future.
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- * Ensures:
- *\li	Any database locks being held for efficiency of iterator access are
- *	released.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
-/*%<
- * Return the origin to which returned node names are relative.
- *
- * Requires:
- *
- *\li	'iterator' is a valid relative_names iterator.
- *
- *\li	'name' is a valid name with a dedicated buffer.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-void
-dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, isc_boolean_t mode);
-/*%<
- * Indicate that the given iterator is/is not cleaning the DB.
- *
- * Notes:
- *\li	When 'mode' is ISC_TRUE, 
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DBITERATOR_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dbtable.h b/contrib/bind9/lib/dns/include/dns/dbtable.h
deleted file mode 100644
index 503de95..0000000
--- a/contrib/bind9/lib/dns/include/dns/dbtable.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dbtable.h,v 1.23 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef DNS_DBTABLE_H
-#define DNS_DBTABLE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/dbtable.h
- * \brief
- * DNS DB Tables
- *
- * XXX TBS XXX
- *
- * MP:
- *\li	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	None.
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	None.
- */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-#define DNS_DBTABLEFIND_NOEXACT		0x01
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-		   dns_dbtable_t **dbtablep);
-/*%<
- * Make a new dbtable of class 'rdclass'
- *
- * Requires:
- *\li	mctx != NULL
- * \li	dbtablep != NULL && *dptablep == NULL
- *\li	'rdclass' is a valid class
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- */
-
-void
-dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp);
-/*%<
- * Attach '*targetp' to 'source'.
- *
- * Requires:
- *
- *\li	'source' is a valid dbtable.
- *
- *\li	'targetp' points to a NULL dns_dbtable_t *.
- *
- * Ensures:
- *
- *\li	*targetp is attached to source.
- */
-
-void
-dns_dbtable_detach(dns_dbtable_t **dbtablep);
-/*%<
- * Detach *dbtablep from its dbtable.
- *
- * Requires:
- *
- *\li	'*dbtablep' points to a valid dbtable.
- *
- * Ensures:
- *
- *\li	*dbtablep is NULL.
- *
- *\li	If '*dbtablep' is the last reference to the dbtable,
- *		all resources used by the dbtable will be freed
- */
-
-isc_result_t
-dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db);
-/*%<
- * Add 'db' to 'dbtable'.
- *
- * Requires:
- *\li	'dbtable' is a valid dbtable.
- *
- *\li	'db' is a valid database with the same class as 'dbtable'
- */
-
-void
-dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db);
-/*%<
- * Remove 'db' from 'dbtable'.
- *
- * Requires:
- *\li	'db' was previously added to 'dbtable'.
- */
-
-void
-dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db);
-/*%<
- * Use 'db' as the result of a dns_dbtable_find() if no better match is
- * available.
- */
-
-void
-dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **db);
-/*%<
- * Get the 'db' used as the result of a dns_dbtable_find()
- * if no better match is available.
- */
-
-void
-dns_dbtable_removedefault(dns_dbtable_t *dbtable);
-/*%<
- * Remove the default db from 'dbtable'.
- */
-
-isc_result_t
-dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
-		 unsigned int options, dns_db_t **dbp);
-/*%<
- * Find the deepest match to 'name' in the dbtable, and return it
- *
- * Notes:
- *\li	If the DNS_DBTABLEFIND_NOEXACT option is set, the best partial
- *	match (if any) to 'name' will be returned.
- *
- * Returns:  
- * \li #ISC_R_SUCCESS		on success
- *\li	     something else:		no default and match
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DBTABLE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/diff.h b/contrib/bind9/lib/dns/include/dns/diff.h
deleted file mode 100644
index d522feb..0000000
--- a/contrib/bind9/lib/dns/include/dns/diff.h
+++ /dev/null
@@ -1,291 +0,0 @@
-/*
- * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: diff.h,v 1.19 2010/06/04 23:51:14 tbox Exp $ */
-
-#ifndef DNS_DIFF_H
-#define DNS_DIFF_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/diff.h
- * \brief
- * A diff is a convenience type representing a list of changes to be
- * made to a database.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-/*%
- * A dns_difftuple_t represents a single RR being added or deleted.
- * The RR type and class are in the 'rdata' member; the class is always
- * the real one, not a DynDNS meta-class, so that the rdatas can be
- * compared using dns_rdata_compare().  The TTL is significant
- * even for deletions, because a deletion/addition pair cannot
- * be canceled out if the TTL differs (it might be an explicit
- * TTL update).
- *
- * Tuples are also used to represent complete RRs with owner
- * names for a couple of other purposes, such as the
- * individual RRs of a "RRset exists (value dependent)"
- * prerequisite set.  In this case, op==DNS_DIFFOP_EXISTS,
- * and the TTL is ignored.
- *
- * DNS_DIFFOP_*RESIGN will cause the 'resign' attribute of the resulting
- * RRset to be recomputed to be 'resign' seconds before the earliest RRSIG
- * timeexpire.
- */
-
-typedef enum {
-	DNS_DIFFOP_ADD = 0,		/*%< Add an RR. */
-	DNS_DIFFOP_DEL = 1,		/*%< Delete an RR. */
-	DNS_DIFFOP_EXISTS = 2,		/*%< Assert RR existence. */
-	DNS_DIFFOP_ADDRESIGN = 4,	/*%< ADD + RESIGN. */
-	DNS_DIFFOP_DELRESIGN = 5	/*%< DEL + RESIGN. */
-} dns_diffop_t;
-
-typedef struct dns_difftuple dns_difftuple_t;
-
-#define DNS_DIFFTUPLE_MAGIC	ISC_MAGIC('D','I','F','T')
-#define DNS_DIFFTUPLE_VALID(t)	ISC_MAGIC_VALID(t, DNS_DIFFTUPLE_MAGIC)
-
-struct dns_difftuple {
-	unsigned int			magic;
-	isc_mem_t			*mctx;
-	dns_diffop_t			op;
-	dns_name_t			name;
-	dns_ttl_t			ttl;
-	dns_rdata_t			rdata;
-	ISC_LINK(dns_difftuple_t)	link;
-	/* Variable-size name data and rdata follows. */
-};
-
-/*%
- * A dns_diff_t represents a set of changes being applied to
- * a zone.  Diffs are also used to represent "RRset exists
- * (value dependent)" prerequisites.
- */
-typedef struct dns_diff dns_diff_t;
-
-#define DNS_DIFF_MAGIC		ISC_MAGIC('D','I','F','F')
-#define DNS_DIFF_VALID(t)	ISC_MAGIC_VALID(t, DNS_DIFF_MAGIC)
-
-struct dns_diff {
-	unsigned int			magic;
-	isc_mem_t *			mctx;
-	/*
-	 * Set the 'resign' attribute to this many second before the
-	 * earliest RRSIG timeexpire.
-	 */
-	isc_uint32_t			resign;
-	ISC_LIST(dns_difftuple_t)	tuples;
-};
-
-/* Type of comparison function for sorting diffs. */
-typedef int dns_diff_compare_func(const void *, const void *);
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-/**************************************************************************/
-/*
- * Manipulation of diffs and tuples.
- */
-
-isc_result_t
-dns_difftuple_create(isc_mem_t *mctx,
-		     dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
-		     dns_rdata_t *rdata, dns_difftuple_t **tp);
-/*%<
- * Create a tuple.  Deep copies are made of the name and rdata, so
- * they need not remain valid after the call.
- *
- * Requires:
- *\li	*tp != NULL && *tp == NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *  \li    ISC_R_NOMEMORY
- */
-
-void
-dns_difftuple_free(dns_difftuple_t **tp);
-/*%<
- * Free a tuple.
- *
- * Requires:
- *    \li   **tp is a valid tuple.
- *
- * Ensures:
- *     \li  *tp == NULL
- *      \li All memory used by the tuple is freed.
- */
-
-isc_result_t
-dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp);
-/*%<
- * Copy a tuple.
- *
- * Requires:
- * \li	'orig' points to a valid tuple
- *\li	copyp != NULL && *copyp == NULL
- */
-
-void
-dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
-/*%<
- * Initialize a diff.
- *
- * Requires:
- * \li   'diff' points to an uninitialized dns_diff_t
- *  \li  allocated by the caller.
- *
- * Ensures:
- * \li   '*diff' is a valid, empty diff.
- */
-
-void
-dns_diff_clear(dns_diff_t *diff);
-/*%<
- * Clear a diff, destroying all its tuples.
- *
- * Requires:
- * \li   'diff' points to a valid dns_diff_t.
- *
- * Ensures:
- * \li    Any tuples in the diff are destroyed.
- *     The diff now empty, but it is still valid
- *     and may be reused without calling dns_diff_init
- *     again.  The only memory used is that of the
- *     dns_diff_t structure itself.
- *
- * Notes:
- * \li    Managing the memory of the dns_diff_t structure itself
- *     is the caller's responsibility.
- */
-
-void
-dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuple);
-/*%<
- * Append a single tuple to a diff.
- *
- *\li	'diff' is a valid diff.
- * \li	'*tuple' is a valid tuple.
- *
- * Ensures:
- *\li	*tuple is NULL.
- *\li	The tuple has been freed, or will be freed when the diff is cleared.
- */
-
-void
-dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuple);
-/*%<
- * Append 'tuple' to 'diff', removing any duplicate
- * or conflicting updates as needed to create a minimal diff.
- *
- * Requires:
- *\li	'diff' is a minimal diff.
- *
- * Ensures:
- *\li	'diff' is still a minimal diff.
- *  \li 	*tuple is NULL.
- *   \li	The tuple has been freed, or will be freed when the diff is cleared.
- *
- */
-
-isc_result_t
-dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare);
-/*%<
- * Sort 'diff' in-place according to the comparison function 'compare'.
- */
-
-isc_result_t
-dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
-isc_result_t
-dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
-/*%<
- * Apply 'diff' to the database 'db'.
- *
- * dns_diff_apply() logs warnings about updates with no effect or
- * with inconsistent TTLs; dns_diff_applysilently() does not.
- *
- * For efficiency, the diff should be sorted by owner name.
- * If it is not sorted, operation will still be correct,
- * but less efficient.
- *
- * Requires:
- *\li	*diff is a valid diff (possibly empty), containing
- *   	tuples of type #DNS_DIFFOP_ADD and/or
- *  	For #DNS_DIFFOP_DEL tuples, the TTL is ignored.
- *
- */
-
-isc_result_t
-dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
-	      void *add_private);
-/*%<
- * Like dns_diff_apply, but for use when loading a new database
- * instead of modifying an existing one.  This bypasses the
- * database transaction mechanisms.
- *
- * Requires:
- *\li 	'addfunc' is a valid dns_addradatasetfunc_t obtained from
- * 	dns_db_beginload()
- *
- *\li	'add_private' points to a corresponding dns_dbload_t *
- *      (XXX why is it a void pointer, then?)
- */
-
-isc_result_t
-dns_diff_print(dns_diff_t *diff, FILE *file);
-
-/*%<
- * Print the differences to 'file' or if 'file' is NULL via the
- * logging system.
- *
- * Require:
- *\li	'diff' to be valid.
- *\li	'file' to refer to a open file or NULL.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- *\li	any error from dns_rdataset_totext()
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DIFF_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dispatch.h b/contrib/bind9/lib/dns/include/dns/dispatch.h
deleted file mode 100644
index 1235f7c..0000000
--- a/contrib/bind9/lib/dns/include/dns/dispatch.h
+++ /dev/null
@@ -1,563 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dispatch.h,v 1.64 2011/07/28 23:47:58 tbox Exp $ */
-
-#ifndef DNS_DISPATCH_H
-#define DNS_DISPATCH_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/dispatch.h
- * \brief
- * DNS Dispatch Management
- * 	Shared UDP and single-use TCP dispatches for queries and responses.
- *
- * MP:
- *
- *\li     	All locking is performed internally to each dispatch.
- * 	Restrictions apply to dns_dispatch_removeresponse().
- *
- * Reliability:
- *
- * Resources:
- *
- * Security:
- *
- *\li	Depends on the isc_socket_t and dns_message_t for prevention of
- *	buffer overruns.
- *
- * Standards:
- *
- *\li	None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/socket.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*%
- * This event is sent to a task when a response comes in.
- * No part of this structure should ever be modified by the caller,
- * other than parts of the buffer.  The holy parts of the buffer are
- * the base and size of the buffer.  All other parts of the buffer may
- * be used.  On event delivery the used region contains the packet.
- *
- * "id" is the received message id,
- *
- * "addr" is the host that sent it to us,
- *
- * "buffer" holds state on the received data.
- *
- * The "free" routine for this event will clean up itself as well as
- * any buffer space allocated from common pools.
- */
-
-struct dns_dispatchevent {
-	ISC_EVENT_COMMON(dns_dispatchevent_t);	/*%< standard event common */
-	isc_result_t		result;		/*%< result code */
-	isc_int32_t		id;		/*%< message id */
-	isc_sockaddr_t		addr;		/*%< address recv'd from */
-	struct in6_pktinfo	pktinfo;	/*%< reply info for v6 */
-	isc_buffer_t	        buffer;		/*%< data buffer */
-	isc_uint32_t		attributes;	/*%< mirrored from socket.h */
-};
-
-/*%
- * This is a set of one or more dispatches which can be retrieved
- * round-robin fashion.
- */
-struct dns_dispatchset {
-	isc_mem_t		*mctx;
-	dns_dispatch_t		**dispatches;
-	int			ndisp;
-	int			cur;
-	isc_mutex_t		lock;
-};
-
-/*@{*/
-/*%
- * Attributes for added dispatchers.
- *
- * Values with the mask 0xffff0000 are application defined.
- * Values with the mask 0x0000ffff are library defined.
- *
- * Insane values (like setting both TCP and UDP) are not caught.  Don't
- * do that.
- *
- * _PRIVATE
- *	The dispatcher cannot be shared.
- *
- * _TCP, _UDP
- *	The dispatcher is a TCP or UDP socket.
- *
- * _IPV4, _IPV6
- *	The dispatcher uses an IPv4 or IPv6 socket.
- *
- * _NOLISTEN
- *	The dispatcher should not listen on the socket.
- *
- * _MAKEQUERY
- *	The dispatcher can be used to issue queries to other servers, and
- *	accept replies from them.
- *
- * _RANDOMPORT
- *	Previously used to indicate that the port of a dispatch UDP must be
- *	chosen randomly.  This behavior now always applies and the attribute
- *	is obsoleted.
- *
- * _EXCLUSIVE
- *	A separate socket will be used on-demand for each transaction.
- */
-#define DNS_DISPATCHATTR_PRIVATE	0x00000001U
-#define DNS_DISPATCHATTR_TCP		0x00000002U
-#define DNS_DISPATCHATTR_UDP		0x00000004U
-#define DNS_DISPATCHATTR_IPV4		0x00000008U
-#define DNS_DISPATCHATTR_IPV6		0x00000010U
-#define DNS_DISPATCHATTR_NOLISTEN	0x00000020U
-#define DNS_DISPATCHATTR_MAKEQUERY	0x00000040U
-#define DNS_DISPATCHATTR_CONNECTED	0x00000080U
-/*#define DNS_DISPATCHATTR_RANDOMPORT	0x00000100U*/
-#define DNS_DISPATCHATTR_EXCLUSIVE	0x00000200U
-/*@}*/
-
-isc_result_t
-dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
-		       dns_dispatchmgr_t **mgrp);
-/*%<
- * Creates a new dispatchmgr object.
- *
- * Requires:
- *\li	"mctx" be a valid memory context.
- *
- *\li	mgrp != NULL && *mgrp == NULL
- *
- *\li	"entropy" may be NULL, in which case an insecure random generator
- *	will be used.  If it is non-NULL, it must be a valid entropy
- *	source.
- *
- * Returns:
- *\li	ISC_R_SUCCESS	-- all ok
- *
- *\li	anything else	-- failure
- */
-
-
-void
-dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp);
-/*%<
- * Destroys the dispatchmgr when it becomes empty.  This could be
- * immediately.
- *
- * Requires:
- *\li	mgrp != NULL && *mgrp is a valid dispatchmgr.
- */
-
-
-void
-dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole);
-/*%<
- * Sets the dispatcher's "blackhole list," a list of addresses that will
- * be ignored by all dispatchers created by the dispatchmgr.
- *
- * Requires:
- * \li	mgrp is a valid dispatchmgr
- * \li	blackhole is a valid acl
- */
-
-
-dns_acl_t *
-dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr);
-/*%<
- * Gets a pointer to the dispatcher's current blackhole list,
- * without incrementing its reference count.
- *
- * Requires:
- *\li 	mgr is a valid dispatchmgr
- * Returns:
- *\li	A pointer to the current blackhole list, or NULL.
- */
-
-void
-dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
-				 dns_portlist_t *portlist);
-/*%<
- * This function is deprecated.  Use dns_dispatchmgr_setavailports() instead.
- *
- * Requires:
- *\li	mgr is a valid dispatchmgr
- */
-
-dns_portlist_t *
-dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr);
-/*%<
- * This function is deprecated and always returns NULL.
- *
- * Requires:
- *\li	mgr is a valid dispatchmgr
- */
-
-isc_result_t
-dns_dispatchmgr_setavailports(dns_dispatchmgr_t *mgr, isc_portset_t *v4portset,
-			      isc_portset_t *v6portset);
-/*%<
- * Sets a list of UDP ports that can be used for outgoing UDP messages.
- *
- * Requires:
- *\li	mgr is a valid dispatchmgr
- *\li	v4portset is NULL or a valid port set
- *\li	v6portset is NULL or a valid port set
- */
-
-void
-dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats);
-/*%<
- * Sets statistics counter for the dispatchmgr.  This function is expected to
- * be called only on zone creation (when necessary).
- * Once installed, it cannot be removed or replaced.  Also, there is no
- * interface to get the installed stats from the zone; the caller must keep the
- * stats to reference (e.g. dump) it later.
- *
- * Requires:
- *\li	mgr is a valid dispatchmgr with no managed dispatch.
- *\li	stats is a valid statistics supporting resolver statistics counters
- *	(see dns/stats.h).
- */
-
-isc_result_t
-dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
-		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
-		    unsigned int buffersize,
-		    unsigned int maxbuffers, unsigned int maxrequests,
-		    unsigned int buckets, unsigned int increment,
-		    unsigned int attributes, unsigned int mask,
-		    dns_dispatch_t **dispp);
-
-isc_result_t
-dns_dispatch_getudp_dup(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
-		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
-		    unsigned int buffersize,
-		    unsigned int maxbuffers, unsigned int maxrequests,
-		    unsigned int buckets, unsigned int increment,
-		    unsigned int attributes, unsigned int mask,
-		    dns_dispatch_t **dispp, dns_dispatch_t *dup);
-/*%<
- * Attach to existing dns_dispatch_t if one is found with dns_dispatchmgr_find,
- * otherwise create a new UDP dispatch.
- *
- * Requires:
- *\li	All pointer parameters be valid for their respective types.
- *
- *\li	dispp != NULL && *disp == NULL
- *
- *\li	512 <= buffersize <= 64k
- *
- *\li	maxbuffers > 0
- *
- *\li	buckets < 2097169
- *
- *\li	increment > buckets
- *
- *\li	(attributes & DNS_DISPATCHATTR_TCP) == 0
- *
- * Returns:
- *\li	ISC_R_SUCCESS	-- success.
- *
- *\li	Anything else	-- failure.
- */
-
-isc_result_t
-dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
-		       isc_taskmgr_t *taskmgr, unsigned int buffersize,
-		       unsigned int maxbuffers, unsigned int maxrequests,
-		       unsigned int buckets, unsigned int increment,
-		       unsigned int attributes, dns_dispatch_t **dispp);
-/*%<
- * Create a new dns_dispatch and attach it to the provided isc_socket_t.
- *
- * For all dispatches, "buffersize" is the maximum packet size we will
- * accept.
- *
- * "maxbuffers" and "maxrequests" control the number of buffers in the
- * overall system and the number of buffers which can be allocated to
- * requests.
- *
- * "buckets" is the number of buckets to use, and should be prime.
- *
- * "increment" is used in a collision avoidance function, and needs to be
- * a prime > buckets, and not 2.
- *
- * Requires:
- *
- *\li	mgr is a valid dispatch manager.
- *
- *\li	sock is a valid.
- *
- *\li	task is a valid task that can be used internally to this dispatcher.
- *
- * \li	512 <= buffersize <= 64k
- *
- *\li	maxbuffers > 0.
- *
- *\li	maxrequests <= maxbuffers.
- *
- *\li	buckets < 2097169 (the next prime after 65536 * 32)
- *
- *\li	increment > buckets (and prime).
- *
- *\li	attributes includes #DNS_DISPATCHATTR_TCP and does not include
- *	#DNS_DISPATCHATTR_UDP.
- *
- * Returns:
- *\li	ISC_R_SUCCESS	-- success.
- *
- *\li	Anything else	-- failure.
- */
-
-void
-dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp);
-/*%<
- * Attach to a dispatch handle.
- *
- * Requires:
- *\li	disp is valid.
- *
- *\li	dispp != NULL && *dispp == NULL
- */
-
-void
-dns_dispatch_detach(dns_dispatch_t **dispp);
-/*%<
- * Detaches from the dispatch.
- *
- * Requires:
- *\li	dispp != NULL and *dispp be a valid dispatch.
- */
-
-void
-dns_dispatch_starttcp(dns_dispatch_t *disp);
-/*%<
- * Start processing of a TCP dispatch once the socket connects.
- *
- * Requires:
- *\li	'disp' is valid.
- */
-
-isc_result_t
-dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
-			  isc_task_t *task, isc_taskaction_t action, void *arg,
-			  isc_uint16_t *idp, dns_dispentry_t **resp,
-			  isc_socketmgr_t *sockmgr);
-
-isc_result_t
-dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
-			 isc_task_t *task, isc_taskaction_t action, void *arg,
-			 isc_uint16_t *idp, dns_dispentry_t **resp);
-/*%<
- * Add a response entry for this dispatch.
- *
- * "*idp" is filled in with the assigned message ID, and *resp is filled in
- * to contain the magic token used to request event flow stop.
- *
- * Arranges for the given task to get a callback for response packets.  When
- * the event is delivered, it must be returned using dns_dispatch_freeevent()
- * or through dns_dispatch_removeresponse() for another to be delivered.
- *
- * Requires:
- *\li	"idp" be non-NULL.
- *
- *\li	"task" "action" and "arg" be set as appropriate.
- *
- *\li	"dest" be non-NULL and valid.
- *
- *\li	"resp" be non-NULL and *resp be NULL
- *
- *\li	"sockmgr" be NULL or a valid socket manager.  If 'disp' has
- *	the DNS_DISPATCHATTR_EXCLUSIVE attribute, this must not be NULL,
- *	which also means dns_dispatch_addresponse() cannot be used.
- *
- * Ensures:
- *
- *\li	&lt;id, dest> is a unique tuple.  That means incoming messages
- *	are identifiable.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS		-- all is well.
- *\li	ISC_R_NOMEMORY		-- memory could not be allocated.
- *\li	ISC_R_NOMORE		-- no more message ids can be allocated
- *				   for this destination.
- */
-
-
-void
-dns_dispatch_removeresponse(dns_dispentry_t **resp,
-			    dns_dispatchevent_t **sockevent);
-/*%<
- * Stops the flow of responses for the provided id and destination.
- * If "sockevent" is non-NULL, the dispatch event and associated buffer is
- * also returned to the system.
- *
- * Requires:
- *\li	"resp" != NULL and "*resp" contain a value previously allocated
- *	by dns_dispatch_addresponse();
- *
- *\li	May only be called from within the task given as the 'task'
- * 	argument to dns_dispatch_addresponse() when allocating '*resp'.
- */
-
-isc_socket_t *
-dns_dispatch_getentrysocket(dns_dispentry_t *resp);
-
-isc_socket_t *
-dns_dispatch_getsocket(dns_dispatch_t *disp);
-/*%<
- * Return the socket associated with this dispatcher.
- *
- * Requires:
- *\li	disp is valid.
- *
- * Returns:
- *\li	The socket the dispatcher is using.
- */
-
-isc_result_t
-dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp);
-/*%<
- * Return the local address for this dispatch.
- * This currently only works for dispatches using UDP sockets.
- *
- * Requires:
- *\li	disp is valid.
- *\li	addrp to be non null.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOTIMPLEMENTED
- */
-
-void
-dns_dispatch_cancel(dns_dispatch_t *disp);
-/*%<
- * cancel outstanding clients
- *
- * Requires:
- *\li	disp is valid.
- */
-
-unsigned int
-dns_dispatch_getattributes(dns_dispatch_t *disp);
-/*%<
- * Return the attributes (DNS_DISPATCHATTR_xxx) of this dispatch.  Only the
- * non-changeable attributes are expected to be referenced by the caller.
- *
- * Requires:
- *\li	disp is valid.
- */
-
-void
-dns_dispatch_changeattributes(dns_dispatch_t *disp,
-			      unsigned int attributes, unsigned int mask);
-/*%<
- * Set the bits described by "mask" to the corresponding values in
- * "attributes".
- *
- * That is:
- *
- * \code
- *	new = (old & ~mask) | (attributes & mask)
- * \endcode
- *
- * This function has a side effect when #DNS_DISPATCHATTR_NOLISTEN changes.
- * When the flag becomes off, the dispatch will start receiving on the
- * corresponding socket.  When the flag becomes on, receive events on the
- * corresponding socket will be canceled.
- *
- * Requires:
- *\li	disp is valid.
- *
- *\li	attributes are reasonable for the dispatch.  That is, setting the UDP
- *	attribute on a TCP socket isn't reasonable.
- */
-
-void
-dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event);
-/*%<
- * Inform the dispatcher of a socket receive.  This is used for sockets
- * shared between dispatchers and clients.  If the dispatcher fails to copy
- * or send the event, nothing happens.
- *
- * Requires:
- *\li 	disp is valid, and the attribute DNS_DISPATCHATTR_NOLISTEN is set.
- * 	event != NULL
- */
-
-dns_dispatch_t *
-dns_dispatchset_get(dns_dispatchset_t *dset);
-/*%<
- * Retrieve the next dispatch from dispatch set 'dset', and increment
- * the round-robin counter.
- *
- * Requires:
- *\li 	dset != NULL
- */
-
-isc_result_t
-dns_dispatchset_create(isc_mem_t *mctx, isc_socketmgr_t *sockmgr,
-		       isc_taskmgr_t *taskmgr, dns_dispatch_t *source,
-		       dns_dispatchset_t **dsetp, int n);
-/*%<
- * Given a valid dispatch 'source', create a dispatch set containing
- * 'n' UDP dispatches, with the remainder filled out by clones of the
- * source.
- *
- * Requires:
- *\li 	source is a valid UDP dispatcher
- *\li 	dsetp != NULL, *dsetp == NULL
- */
-
-void
-dns_dispatchset_cancelall(dns_dispatchset_t *dset, isc_task_t *task);
-/*%<
- * Cancel socket operations for the dispatches in 'dset'.
- */
-
-void
-dns_dispatchset_destroy(dns_dispatchset_t **dsetp);
-/*%<
- * Dereference all the dispatches in '*dsetp', free the dispatchset
- * memory, and set *dsetp to NULL.
- *
- * Requires:
- *\li 	dset is valid
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DISPATCH_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dlz.h b/contrib/bind9/lib/dns/include/dns/dlz.h
deleted file mode 100644
index 48dfb83..0000000
--- a/contrib/bind9/lib/dns/include/dns/dlz.h
+++ /dev/null
@@ -1,346 +0,0 @@
-/*
- * Portions Copyright (C) 2005-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the
- * above copyright notice and this permission notice appear in all
- * copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
- * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
- * USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
- * conceived and contributed by Rob Butler.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the
- * above copyright notice and this permission notice appear in all
- * copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
- * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
- * USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file dns/dlz.h */
-
-#ifndef DLZ_H
-#define DLZ_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DLZ Interface
- *
- * The DLZ interface allows zones to be looked up using a driver instead of
- * Bind's default in memory zone table.
- *
- *
- * Reliability:
- *	No anticipated impact.
- *
- * Resources:
- *
- * Security:
- *	No anticipated impact.
- *
- * Standards:
- *	None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <dns/name.h>
-#include <dns/types.h>
-#include <dns/view.h>
-#include <dst/dst.h>
-
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-#define DNS_DLZ_MAGIC		ISC_MAGIC('D','L','Z','D')
-#define DNS_DLZ_VALID(dlz)	ISC_MAGIC_VALID(dlz, DNS_DLZ_MAGIC)
-
-typedef isc_result_t
-(*dns_dlzallowzonexfr_t)(void *driverarg, void *dbdata, isc_mem_t *mctx,
-			 dns_rdataclass_t rdclass, dns_name_t *name,
-			 isc_sockaddr_t *clientaddr,
-			 dns_db_t **dbp);
-
-/*%<
- * Method prototype.  Drivers implementing the DLZ interface MUST
- * supply an allow zone transfer method.  This method is called when
- * the DNS server is performing a zone transfer query.  The driver's
- * method should return ISC_R_SUCCESS and a database pointer to the
- * name server if the zone is supported by the database, and zone
- * transfer is allowed.  Otherwise it will return ISC_R_NOTFOUND if
- * the zone is not supported by the database, or ISC_R_NOPERM if zone
- * transfers are not allowed.  If an error occurs it should return a
- * result code indicating the type of error.
- */
-
-typedef isc_result_t
-(*dns_dlzcreate_t)(isc_mem_t *mctx, const char *dlzname, unsigned int argc,
-		   char *argv[], void *driverarg, void **dbdata);
-
-/*%<
- * Method prototype.  Drivers implementing the DLZ interface MUST
- * supply a create method.  This method is called when the DNS server
- * is starting up and creating drivers for use later.
- */
-
-typedef void
-(*dns_dlzdestroy_t)(void *driverarg, void **dbdata);
-
-/*%<
- * Method prototype.  Drivers implementing the DLZ interface MUST
- * supply a destroy method.  This method is called when the DNS server
- * is shutting down and no longer needs the driver.
- */
-
-typedef isc_result_t
-(*dns_dlzfindzone_t)(void *driverarg, void *dbdata, isc_mem_t *mctx,
-		     dns_rdataclass_t rdclass, dns_name_t *name,
-		     dns_db_t **dbp);
-
-/*%<
-
- * Method prototype.  Drivers implementing the DLZ interface MUST
- * supply a find zone method.  This method is called when the DNS
- * server is performing a query.  The find zone method will be called
- * with the longest possible name first, and continue to be called
- * with successively shorter domain names, until any of the following
- * occur:
- *
- * \li	1) a match is found, and the function returns (ISC_R_SUCCESS)
- *
- * \li	2) a problem occurs, and the functions returns anything other
- *	   than (ISC_R_NOTFOUND)
- * \li	3) we run out of domain name labels. I.E. we have tried the
- *	   shortest domain name
- * \li	4) the number of labels in the domain name is less than
- *	   min_labels for dns_dlzfindzone
- *
- * The driver's find zone method should return ISC_R_SUCCESS and a
- * database pointer to the name server if the zone is supported by the
- * database.  Otherwise it will return ISC_R_NOTFOUND, and a null
- * pointer if the zone is not supported.  If an error occurs it should
- * return a result code indicating the type of error.
- */
-
-
-typedef isc_result_t
-(*dns_dlzconfigure_t)(void *driverarg, void *dbdata, dns_view_t *view);
-/*%<
- * Method prototype.  Drivers implementing the DLZ interface may
- * optionally supply a configure method. If supplied, this will be
- * called immediately after the create method is called. The driver
- * may call configuration functions during the configure call
- */
-
-
-typedef isc_boolean_t (*dns_dlzssumatch_t)(dns_name_t *signer,
-					   dns_name_t *name,
-					   isc_netaddr_t *tcpaddr,
-					   dns_rdatatype_t type,
-					   const dst_key_t *key,
-					   void *driverarg, void *dbdata);
-/*%<
- * Method prototype.  Drivers implementing the DLZ interface may
- * optionally supply a ssumatch method. If supplied, this will be
- * called to authorize update requests
- */
-
-/*% the methods supplied by a DLZ driver */
-typedef struct dns_dlzmethods {
-	dns_dlzcreate_t		create;
-	dns_dlzdestroy_t	destroy;
-	dns_dlzfindzone_t	findzone;
-	dns_dlzallowzonexfr_t	allowzonexfr;
-	dns_dlzconfigure_t	configure;
-	dns_dlzssumatch_t	ssumatch;
-} dns_dlzmethods_t;
-
-/*% information about a DLZ driver */
-struct dns_dlzimplementation {
-	const char				*name;
-	const dns_dlzmethods_t			*methods;
-	isc_mem_t				*mctx;
-	void					*driverarg;
-	ISC_LINK(dns_dlzimplementation_t)	link;
-};
-
-typedef isc_result_t (*dlzconfigure_callback_t)(dns_view_t *, dns_zone_t *);
-
-/*% An instance of a DLZ driver */
-struct dns_dlzdb {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	dns_dlzimplementation_t	*implementation;
-	void			*dbdata;
-	dlzconfigure_callback_t configure_callback;
-#ifdef BIND9
-	dns_ssutable_t 		*ssutable;
-#endif
-};
-
-
-/***
- *** Method declarations
- ***/
-
-isc_result_t
-dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
-		    isc_sockaddr_t *clientaddr, dns_db_t **dbp);
-
-/*%<
- * This method is called when the DNS server is performing a zone
- * transfer query.  It will call the DLZ driver's allow zone transfer
- * method.
- */
-
-isc_result_t
-dns_dlzcreate(isc_mem_t *mctx, const char *dlzname,
-	      const char *drivername, unsigned int argc,
-	      char *argv[], dns_dlzdb_t **dbp);
-
-/*%<
- * This method is called when the DNS server is starting up and
- * creating drivers for use later.  It will search the DLZ driver list
- * for 'drivername' and return a DLZ driver via dbp if a match is
- * found.  If the DLZ driver supplies a create method, this function
- * will call it.
- */
-
-void
-dns_dlzdestroy(dns_dlzdb_t **dbp);
-
-/*%<
- * This method is called when the DNS server is shutting down and no
- * longer needs the driver.  If the DLZ driver supplies a destroy
- * methods, this function will call it.
- */
-
-isc_result_t
-dns_dlzfindzone(dns_view_t *view, dns_name_t *name,
-		unsigned int minlabels, dns_db_t **dbp);
-
-/*%<
- * This method is called when the DNS server is performing a query.
- * It will call the DLZ driver's find zone method.
- */
-
-isc_result_t
-dns_dlzregister(const char *drivername, const dns_dlzmethods_t *methods,
-		 void *driverarg, isc_mem_t *mctx,
-		dns_dlzimplementation_t **dlzimp);
-
-/*%<
- * Register a dynamically loadable zones (DLZ) driver for the database
- * type 'drivername', implemented by the functions in '*methods'.
- *
- * dlzimp must point to a NULL dlz_implementation_t pointer.  That is,
- * dlzimp != NULL && *dlzimp == NULL.  It will be assigned a value that
- * will later be used to identify the driver when deregistering it.
- */
-
-isc_result_t
-dns_dlzstrtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp);
-
-/*%<
- * This method is called when the name server is starting up to parse
- * the DLZ driver command line from named.conf.  Basically it splits
- * up a string into and argc / argv.  The primary difference of this
- * method is items between braces { } are considered only 1 word.  for
- * example the command line "this is { one grouped phrase } and this
- * isn't" would be parsed into:
- *
- * \li	argv[0]: "this"
- * \li	argv[1]: "is"
- * \li	argv{2]: " one grouped phrase "
- * \li	argv[3]: "and"
- * \li	argv[4]: "this"
- * \li	argv{5}: "isn't"
- *
- * braces should NOT be nested, more than one grouping in the command
- * line is allowed.  Notice, argv[2] has an extra space at the
- * beginning and end.  Extra spaces are not stripped between a
- * grouping.  You can do so in your driver if needed, or be sure not
- * to put extra spaces before / after the braces.
- */
-
-void
-dns_dlzunregister(dns_dlzimplementation_t **dlzimp);
-
-/*%<
- * Removes the dlz driver from the list of registered dlz drivers.
- * There must be no active dlz drivers of this type when this function
- * is called.
- */
-
-
-typedef isc_result_t dns_dlz_writeablezone_t(dns_view_t *view,
-					     const char *zone_name);
-dns_dlz_writeablezone_t dns_dlz_writeablezone;
-/*%<
- * creates a writeable DLZ zone. Must be called from within the
- * configure() method of a DLZ driver.
- */
-
-
-isc_result_t
-dns_dlzconfigure(dns_view_t *view, dlzconfigure_callback_t callback);
-/*%<
- * call a DLZ drivers configure method, if supplied
- */
-
-isc_boolean_t
-dns_dlz_ssumatch(dns_dlzdb_t *dlzdatabase,
-		  dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr,
-		  dns_rdatatype_t type, const dst_key_t *key);
-/*%<
- * call a DLZ drivers ssumatch method, if supplied. Otherwise return ISC_FALSE
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DLZ_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dlz_dlopen.h b/contrib/bind9/lib/dns/include/dns/dlz_dlopen.h
deleted file mode 100644
index f87722c..0000000
--- a/contrib/bind9/lib/dns/include/dns/dlz_dlopen.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file dns/dlz_open.h */
-
-#ifndef DLZ_DLOPEN_H
-#define DLZ_DLOPEN_H
-
-#include <dns/sdlz.h>
-
-ISC_LANG_BEGINDECLS
-
-/*
- * This header provides a minimal set of defines and typedefs needed
- * for the entry points of an external DLZ module for bind9.
- */
-
-#define DLZ_DLOPEN_VERSION 2
-
-/*
- * dlz_dlopen_version() is required for all DLZ external drivers. It
- * should return DLZ_DLOPEN_VERSION
- */
-typedef int dlz_dlopen_version_t (unsigned int *flags);
-
-/*
- * dlz_dlopen_create() is required for all DLZ external drivers.
- */
-typedef isc_result_t dlz_dlopen_create_t (const char *dlzname,
-					  unsigned int argc,
-					  char *argv[],
-					  void **dbdata,
-					  ...);
-
-/*
- * dlz_dlopen_destroy() is optional, and will be called when the
- * driver is unloaded if supplied
- */
-typedef void dlz_dlopen_destroy_t (void *dbdata);
-
-/*
- * dlz_dlopen_findzonedb() is required for all DLZ external drivers
- */
-typedef isc_result_t dlz_dlopen_findzonedb_t (void *dbdata,
-					      const char *name);
-
-/*
- * dlz_dlopen_lookup() is required for all DLZ external drivers
- */
-typedef isc_result_t dlz_dlopen_lookup_t (const char *zone,
-					  const char *name,
-					  void *dbdata,
-					  dns_sdlzlookup_t *lookup,
-					  dns_clientinfomethods_t *methods,
-					  dns_clientinfo_t *clientinfo);
-
-/*
- * dlz_dlopen_authority is optional() if dlz_dlopen_lookup()
- * supplies authority information for the dns record
- */
-typedef isc_result_t dlz_dlopen_authority_t (const char *zone,
-					     void *dbdata,
-					     dns_sdlzlookup_t *lookup);
-
-/*
- * dlz_dlopen_allowzonexfr() is optional, and should be supplied if
- * you want to support zone transfers
- */
-typedef isc_result_t dlz_dlopen_allowzonexfr_t (void *dbdata,
-						const char *name,
-						const char *client);
-
-/*
- * dlz_dlopen_allnodes() is optional, but must be supplied if supply a
- * dlz_dlopen_allowzonexfr() function
- */
-typedef isc_result_t dlz_dlopen_allnodes_t (const char *zone,
-					    void *dbdata,
-					    dns_sdlzallnodes_t *allnodes);
-
-/*
- * dlz_dlopen_newversion() is optional. It should be supplied if you
- * want to support dynamic updates.
- */
-typedef isc_result_t dlz_dlopen_newversion_t (const char *zone,
-					      void *dbdata,
-					      void **versionp);
-
-/*
- * dlz_closeversion() is optional, but must be supplied if you supply
- * a dlz_newversion() function
- */
-typedef void dlz_dlopen_closeversion_t (const char *zone,
-					isc_boolean_t commit,
-					void *dbdata,
-					void **versionp);
-
-/*
- * dlz_dlopen_configure() is optional, but must be supplied if you
- * want to support dynamic updates
- */
-typedef isc_result_t dlz_dlopen_configure_t (dns_view_t *view,
-					     void *dbdata);
-
-/*
- * dlz_dlopen_setclientcallback() is optional, but must be supplied if you
- * want to retrieve information about the client (e.g., source address)
- * before sending a replay.
- */
-typedef isc_result_t dlz_dlopen_setclientcallback_t (dns_view_t *view,
-						     void *dbdata);
-
-
-/*
- * dlz_dlopen_ssumatch() is optional, but must be supplied if you want
- * to support dynamic updates
- */
-typedef isc_boolean_t dlz_dlopen_ssumatch_t (const char *signer,
-					     const char *name,
-					     const char *tcpaddr,
-					     const char *type,
-					     const char *key,
-					     isc_uint32_t keydatalen,
-					     unsigned char *keydata,
-					     void *dbdata);
-
-/*
- * dlz_dlopen_addrdataset() is optional, but must be supplied if you
- * want to support dynamic updates
- */
-typedef isc_result_t dlz_dlopen_addrdataset_t (const char *name,
-					       const char *rdatastr,
-					       void *dbdata,
-					       void *version);
-
-/*
- * dlz_dlopen_subrdataset() is optional, but must be supplied if you
- * want to support dynamic updates
- */
-typedef isc_result_t dlz_dlopen_subrdataset_t (const char *name,
-					       const char *rdatastr,
-					       void *dbdata,
-					       void *version);
-
-/*
- * dlz_dlopen_delrdataset() is optional, but must be supplied if you
- * want to support dynamic updates
- */
-typedef isc_result_t dlz_dlopen_delrdataset_t (const char *name,
-					       const char *type,
-					       void *dbdata,
-					       void *version);
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/lib/dns/include/dns/dns64.h b/contrib/bind9/lib/dns/include/dns/dns64.h
deleted file mode 100644
index eb8f8d6..0000000
--- a/contrib/bind9/lib/dns/include/dns/dns64.h
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dns64.h,v 1.3 2010/12/08 23:51:56 tbox Exp $ */
-
-#ifndef DNS_DNS64_H
-#define DNS_DNS64_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*
- * dns_dns64_create() flags.
- */
-#define DNS_DNS64_RECURSIVE_ONLY	0x01	/* If set then this record
-						 * only applies to recursive
-						 * queries.
-						 */
-#define DNS_DNS64_BREAK_DNSSEC		0x02	/* If set then still perform
-						 * DNSSEC synthesis even
-						 * though the result would
-						 * fail validation.
-						 */
-
-/*
- * dns_dns64_aaaaok() and dns_dns64_aaaafroma() flags.
- */
-#define DNS_DNS64_RECURSIVE		0x01	/* Recursive query. */
-#define DNS_DNS64_DNSSEC		0x02	/* DNSSEC sensitive query. */
-
-isc_result_t
-dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
-		 unsigned int prefixlen, isc_netaddr_t *suffix,
-		 dns_acl_t *client, dns_acl_t *mapped, dns_acl_t *excluded,
-		 unsigned int flags, dns_dns64_t **dns64);
-/*
- * Create a dns64 record which is used to identify the set of clients
- * it applies to and how to perform the DNS64 synthesis.
- *
- * 'prefix' and 'prefixlen' defined the leading bits of the AAAA records
- * to be synthesised.  'suffix' defines the bits after the A records bits.
- * If suffix is NULL zeros will be used for these bits.  'client' defines
- * for which clients this record applies.  If 'client' is NULL then all
- * clients apply.  'mapped' defines which A records are candidated for
- * mapping.  If 'mapped' is NULL then all A records will be mapped.
- * 'excluded' defines which AAAA are to be treated as non-existent for the
- * purposed of determining whether to perform syntesis.  If 'excluded' is
- * NULL then no AAAA records prevent synthesis.
- *
- * If DNS_DNS64_RECURSIVE_ONLY is set then the record will only match if
- * DNS_DNS64_RECURSIVE is set when calling  dns_dns64_aaaaok() and
- * dns_dns64_aaaafroma().
- *
- * If DNS_DNS64_BREAK_DNSSEC is set then the record will still apply if
- * DNS_DNS64_DNSSEC is set when calling  dns_dns64_aaaaok() and
- * dns_dns64_aaaafroma() otherwise the record will be ignored.
- *
- * Requires:
- *      'mctx'          to be valid.
- *      'prefix'        to be valid and the address family to AF_INET6.
- *      'prefixlen'     to be one of 32, 40, 48, 56, 72 and 96.
- *                      the bits not covered by prefixlen in prefix to
- *                      be zero.
- *      'suffix'        to be NULL or the address family be set to AF_INET6
- *                      and the leading 'prefixlen' + 32 bits of the 'suffix'
- *                      to be zero.  If 'prefixlen' is 40, 48 or 56 then the
- *                      the leading 'prefixlen' + 40 bits of 'suffix' must be
- *                      zero.
- *	'client'	to be NULL or a valid acl.
- *	'mapped'	to be NULL or a valid acl.
- *	'exculded'	to be NULL or a valid acl.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- */
-
-void
-dns_dns64_destroy(dns_dns64_t **dns64p);
-/*
- * Destroys a dns64 record.
- *
- * Requires the record to not be linked.
- */
-
-isc_result_t
-dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
-		    const dns_name_t *reqsigner, const dns_aclenv_t *env,
-		    unsigned int flags, unsigned char *a, unsigned char *aaaa);
-/*
- * dns_dns64_aaaafroma() determines whether to perform a DNS64 address
- * synthesis from 'a' based on 'dns64', 'reqaddr', 'reqsigner', 'env',
- * 'flags' and 'aaaa'.  If synthesis is performed then the result is
- * written to '*aaaa'.
- *
- * The synthesised address will be of the form:
- *
- *	 <prefix bits><a bits><suffix bits>
- *
- * If <a bits> straddle bits 64-71 of the AAAA record, then 8 zero bits will
- * be inserted at bits 64-71.
- *
- * Requires:
- *	'dns64'		to be valid.
- *	'reqaddr'	to be valid.
- *	'reqsigner'	to be NULL or valid.
- *	'env'		to be valid.
- *	'a'		to point to a IPv4 address in network order.
- *	'aaaa'		to point to a IPv6 address buffer in network order.
- *
- * Returns:
- *	ISC_R_SUCCESS		if synthesis was performed.
- *	DNS_R_DISALLOWED	if there is no match.
- */
-
-dns_dns64_t *
-dns_dns64_next(dns_dns64_t *dns64);
-/*
- * Return the next dns64 record in the list.
- */
-
-void
-dns_dns64_append(dns_dns64list_t *list, dns_dns64_t *dns64);
-/*
- * Append the dns64 record to the list.
- */
-
-void
-dns_dns64_unlink(dns_dns64list_t *list, dns_dns64_t *dns64);
-/*
- * Unlink the dns64 record from the list.
- */
-
-isc_boolean_t
-dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
-		 const dns_name_t *reqsigner, const dns_aclenv_t *env,
-		 unsigned int flags, dns_rdataset_t *rdataset,
-		 isc_boolean_t *aaaaok, size_t aaaaoklen);
-/*
- * Determine if there are any non-excluded AAAA records in from the
- * matching dns64 records in the list starting at 'dns64'.  If there
- * is a non-exluded address return ISC_TRUE.  If all addresses are
- * excluded in the matched records return ISC_FALSE.   If no records
- * match then return ISC_TRUE.
- *
- * If aaaaok is defined then dns_dns64_aaaaok() return a array of which
- * addresses in 'rdataset' were deemed to not be exclude by any matching
- * record.  If there are no matching records then all entries are set
- * to ISC_TRUE.
- *
- * Requires
- * 	'rdataset'	to be valid and to be for type AAAA and class IN.
- *	'aaaaoklen'	must match the number of records in 'rdataset'
- *			if 'aaaaok' in non NULL.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DNS64_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dnssec.h b/contrib/bind9/lib/dns/include/dns/dnssec.h
deleted file mode 100644
index e443f91..0000000
--- a/contrib/bind9/lib/dns/include/dns/dnssec.h
+++ /dev/null
@@ -1,350 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef DNS_DNSSEC_H
-#define DNS_DNSSEC_H 1
-
-/*! \file dns/dnssec.h */
-
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-#include <isc/stats.h>
-
-#include <dns/diff.h>
-#include <dns/types.h>
-
-#include <dst/dst.h>
-
-ISC_LANG_BEGINDECLS
-
-LIBDNS_EXTERNAL_DATA extern isc_stats_t *dns_dnssec_stats;
-
-/*%< Maximum number of keys supported in a zone. */
-#define DNS_MAXZONEKEYS 32
-
-/*
- * Indicates how the signer found this key: in the key repository, at the
- * zone apex, or specified by the user.
- */
-typedef enum {
-	dns_keysource_unknown,
-	dns_keysource_repository,
-	dns_keysource_zoneapex,
-	dns_keysource_user
-} dns_keysource_t;
-
-/*
- * A DNSSEC key and hints about its intended use gleaned from metadata
- */
-struct dns_dnsseckey {
-	dst_key_t *key;
-	isc_boolean_t hint_publish;  /*% metadata says to publish */
-	isc_boolean_t force_publish; /*% publish regardless of metadata */
-	isc_boolean_t hint_sign;     /*% metadata says to sign with this key */
-	isc_boolean_t force_sign;    /*% sign with key regardless of metadata */
-	isc_boolean_t hint_remove;   /*% metadata says *don't* publish */
-	isc_boolean_t is_active;     /*% key is already active */
-	isc_boolean_t first_sign;    /*% key is newly becoming active */
-	unsigned int prepublish;     /*% how long until active? */
-	dns_keysource_t source;      /*% how the key was found */
-	isc_boolean_t ksk;           /*% this is a key-signing key */
-	isc_boolean_t legacy;        /*% this is old-style key with no
-					 metadata (possibly generated by
-					 an older version of BIND9) and
-					 should be ignored when searching
-					 for keys to import into the zone */
-	unsigned int index;          /*% position in list */
-	ISC_LINK(dns_dnsseckey_t) link;
-};
-
-isc_result_t
-dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
-			dst_key_t **key);
-/*%<
- *	Creates a DST key from a DNS record.  Basically a wrapper around
- *	dst_key_fromdns().
- *
- *	Requires:
- *\li		'name' is not NULL
- *\li		'rdata' is not NULL
- *\li		'mctx' is not NULL
- *\li		'key' is not NULL
- *\li		'*key' is NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- *\li		DST_R_INVALIDPUBLICKEY
- *\li		various errors from dns_name_totext
- */
-
-isc_result_t
-dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		isc_stdtime_t *inception, isc_stdtime_t *expire,
-		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata);
-/*%<
- *	Generates a RRSIG record covering this rdataset.  This has no effect
- *	on existing RRSIG records.
- *
- *	Requires:
- *\li		'name' (the owner name of the record) is a valid name
- *\li		'set' is a valid rdataset
- *\li		'key' is a valid key
- *\li		'inception' is not NULL
- *\li		'expire' is not NULL
- *\li		'mctx' is not NULL
- *\li		'buffer' is not NULL
- *\li		'sigrdata' is not NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- *\li		#ISC_R_NOSPACE
- *\li		#DNS_R_INVALIDTIME - the expiration is before the inception
- *\li		#DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
- *			it is not a zone key or its flags prevent
- *			authentication)
- *\li		DST_R_*
- */
-
-isc_result_t
-dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		  isc_boolean_t ignoretime, isc_mem_t *mctx,
-		  dns_rdata_t *sigrdata);
-
-isc_result_t
-dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		   isc_boolean_t ignoretime, isc_mem_t *mctx,
-		   dns_rdata_t *sigrdata, dns_name_t *wild);
-
-isc_result_t
-dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		   isc_boolean_t ignoretime, unsigned int maxbits,
-		   isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild);
-/*%<
- *	Verifies the RRSIG record covering this rdataset signed by a specific
- *	key.  This does not determine if the key's owner is authorized to sign
- *	this record, as this requires a resolver or database.
- *	If 'ignoretime' is ISC_TRUE, temporal validity will not be checked.
- *
- *	'maxbits' specifies the maximum number of rsa exponent bits accepted.
- *
- *	Requires:
- *\li		'name' (the owner name of the record) is a valid name
- *\li		'set' is a valid rdataset
- *\li		'key' is a valid key
- *\li		'mctx' is not NULL
- *\li		'sigrdata' is a valid rdata containing a SIG record
- *\li		'wild' if non-NULL then is a valid and has a buffer.
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- *\li		#DNS_R_FROMWILDCARD - the signature is valid and is from
- *			a wildcard expansion.  dns_dnssec_verify2() only.
- *			'wild' contains the name of the wildcard if non-NULL.
- *\li		#DNS_R_SIGINVALID - the signature fails to verify
- *\li		#DNS_R_SIGEXPIRED - the signature has expired
- *\li		#DNS_R_SIGFUTURE - the signature's validity period has not begun
- *\li		#DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
- *			it is not a zone key or its flags prevent
- *			authentication)
- *\li		DST_R_*
- */
-
-/*@{*/
-isc_result_t
-dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
-			dns_name_t *name, isc_mem_t *mctx,
-			unsigned int maxkeys, dst_key_t **keys,
-			unsigned int *nkeys);
-isc_result_t
-dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
-			 dns_dbnode_t *node, dns_name_t *name,
-			 const char *directory, isc_mem_t *mctx,
-			 unsigned int maxkeys, dst_key_t **keys,
-			 unsigned int *nkeys);
-/*%<
- * 	Finds a set of zone keys.
- * 	XXX temporary - this should be handled in dns_zone_t.
- */
-/*@}*/
-
-isc_result_t
-dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
-/*%<
- *	Signs a message with a SIG(0) record.  This is implicitly called by
- *	dns_message_renderend() if msg->sig0key is not NULL.
- *
- *	Requires:
- *\li		'msg' is a valid message
- *\li		'key' is a valid key that can be used for signing
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- *\li		DST_R_*
- */
-
-isc_result_t
-dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
-			 dst_key_t *key);
-/*%<
- *	Verifies a message signed by a SIG(0) record.  This is not
- *	called implicitly by dns_message_parse().  If dns_message_signer()
- *	is called before dns_dnssec_verifymessage(), it will return
- *	#DNS_R_NOTVERIFIEDYET.  dns_dnssec_verifymessage() will set
- *	the verified_sig0 flag in msg if the verify succeeds, and
- *	the sig0status field otherwise.
- *
- *	Requires:
- *\li		'source' is a valid buffer containing the unparsed message
- *\li		'msg' is a valid message
- *\li		'key' is a valid key
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- *\li		#ISC_R_NOTFOUND - no SIG(0) was found
- *\li		#DNS_R_SIGINVALID - the SIG record is not well-formed or
- *				   was not generated by the key.
- *\li		DST_R_*
- */
-
-isc_boolean_t
-dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
-		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		     isc_boolean_t ignoretime, isc_mem_t *mctx);
-
-
-isc_boolean_t
-dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name,
-		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		 isc_boolean_t ignoretime, isc_mem_t *mctx);
-/*%<
- * Verify that 'rdataset' is validly signed in 'sigrdataset' by
- * the key in 'rdata'.
- *
- * dns_dnssec_selfsigns() requires that rdataset be a DNSKEY or KEY
- * rrset.  dns_dnssec_signs() works on any rrset.
- */
-
-
-isc_result_t
-dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
-		     dns_dnsseckey_t **dkp);
-/*%<
- * Create and initialize a dns_dnsseckey_t structure.
- *
- *	Requires:
- *\li		'dkp' is not NULL and '*dkp' is NULL.
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- */
-
-void
-dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp);
-/*%<
- * Reclaim a dns_dnsseckey_t structure.
- *
- *	Requires:
- *\li		'dkp' is not NULL and '*dkp' is not NULL.
- *
- *	Ensures:
- *\li		'*dkp' is NULL.
- */
-
-isc_result_t
-dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
-			    isc_mem_t *mctx, dns_dnsseckeylist_t *keylist);
-/*%<
- * Search 'directory' for K* key files matching the name in 'origin'.
- * Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
- *
- *	Requires:
- *\li		'keylist' is not NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOTFOUND
- *\li		#ISC_R_NOMEMORY
- *\li		any error returned by dns_name_totext(), isc_dir_open(), or
- *              dst_key_fromnamedfile()
- *
- *	Ensures:
- *\li		On error, keylist is unchanged
- */
-
-isc_result_t
-dns_dnssec_keylistfromrdataset(dns_name_t *origin,
-			       const char *directory, isc_mem_t *mctx,
-			       dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
-			       dns_rdataset_t *soasigs, isc_boolean_t savekeys,
-			       isc_boolean_t public,
-			       dns_dnsseckeylist_t *keylist);
-/*%<
- * Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
- * Omit duplicates.  If 'public' is ISC_FALSE, search 'directory' for
- * matching key files, and load the private keys that go with
- * the public ones.  If 'savekeys' is ISC_TRUE, mark the keys so
- * they will not be deleted or inactivated regardless of metadata.
- *
- * 'keysigs' and 'soasigs', if not NULL and associated, contain the
- * RRSIGS for the DNSKEY and SOA records respectively and are used to mark
- * whether a key is already active in the zone.
- */
-
-isc_result_t
-dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
-		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
-		      dns_ttl_t hint_ttl, dns_diff_t *diff, isc_boolean_t allzsk,
-		      isc_mem_t *mctx, void (*report)(const char *, ...));
-/*%<
- * Update the list of keys in 'keys' with new key information in 'newkeys'.
- *
- * For each key in 'newkeys', see if it has a match in 'keys'.
- * - If not, and if the metadata says the key should be published:
- *   add it to 'keys', and place a dns_difftuple into 'diff' so
- *   the key can be added to the DNSKEY set.  If the metadata says it
- *   should be active, set the first_sign flag.
- * - If so, and if the metadata says it should be removed:
- *   remove it from 'keys', and place a dns_difftuple into 'diff' so
- *   the key can be removed from the DNSKEY set.  if 'removed' is non-NULL,
- *   copy the key into that list; otherwise destroy it.
- * - Otherwise, make sure keys has current metadata.
- *
- * If 'allzsk' is true, we are allowing KSK-flagged keys to be used as
- * ZSKs.
- *
- * 'hint_ttl' is the TTL to use for the DNSKEY RRset if there is no
- * existing RRset, and if none of the keys to be added has a default TTL
- * (in which case we would use the shortest one).  If the TTL is longer
- * than the time until a new key will be activated, then we have to delay
- * the key's activation.
- *
- * 'report' points to a function for reporting status.
- *
- * On completion, any remaining keys in 'newkeys' are freed.
- */
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DNSSEC_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ds.h b/contrib/bind9/lib/dns/include/dns/ds.h
deleted file mode 100644
index 03ab0ed..0000000
--- a/contrib/bind9/lib/dns/include/dns/ds.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ds.h,v 1.12 2010/12/23 23:47:08 tbox Exp $ */
-
-#ifndef DNS_DS_H
-#define DNS_DS_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-#define DNS_DSDIGEST_SHA1 (1)
-#define DNS_DSDIGEST_SHA256 (2)
-#define DNS_DSDIGEST_GOST (3)
-#define DNS_DSDIGEST_SHA384 (4)
-
-/* should not be here... */
-
-#define ISC_GOST_DIGESTLENGTH 32U
-
-/*
- * Assuming SHA-384 digest type.
- */
-#define DNS_DS_BUFFERSIZE (52)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
-		  unsigned int digest_type, unsigned char *buffer,
-		  dns_rdata_t *rdata);
-/*%<
- * Build the rdata of a DS record.
- *
- * Requires:
- *\li	key	Points to a valid DNS KEY record.
- *\li	buffer	Points to a temporary buffer of at least
- * 		#DNS_DS_BUFFERSIZE bytes.
- *\li	rdata	Points to an initialized dns_rdata_t.
- *
- * Ensures:
- *  \li    *rdata	Contains a valid DS rdata.  The 'data' member refers
- *		to 'buffer'.
- */
-
-isc_boolean_t
-dns_ds_digest_supported(unsigned int digest_type);
-/*%<
- * Is this digest algorithm supported by dns_ds_buildrdata()?
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ecdb.h b/contrib/bind9/lib/dns/include/dns/ecdb.h
deleted file mode 100644
index 246cc30..0000000
--- a/contrib/bind9/lib/dns/include/dns/ecdb.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ecdb.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-#ifndef DNS_ECDB_H
-#define DNS_ECDB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/* TBD */
-
-/***
- *** Imports
- ***/
-
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-/* TBD: describe those */
-
-isc_result_t
-dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
-
-void
-dns_ecdb_unregister(dns_dbimplementation_t **dbimp);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ECDB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/events.h b/contrib/bind9/lib/dns/include/dns/events.h
deleted file mode 100644
index fd2144f..0000000
--- a/contrib/bind9/lib/dns/include/dns/events.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: events.h,v 1.61 2011/10/28 06:20:06 each Exp $ */
-
-#ifndef DNS_EVENTS_H
-#define DNS_EVENTS_H 1
-
-#include <isc/eventclass.h>
-
-/*! \file dns/events.h
- * \brief
- * Registry of DNS event numbers.
- */
-
-#define DNS_EVENT_FETCHCONTROL			(ISC_EVENTCLASS_DNS + 0)
-#define DNS_EVENT_FETCHDONE			(ISC_EVENTCLASS_DNS + 1)
-#define DNS_EVENT_VIEWRESSHUTDOWN		(ISC_EVENTCLASS_DNS + 2)
-#define DNS_EVENT_VIEWADBSHUTDOWN		(ISC_EVENTCLASS_DNS + 3)
-#define DNS_EVENT_UPDATE			(ISC_EVENTCLASS_DNS + 4)
-#define DNS_EVENT_UPDATEDONE			(ISC_EVENTCLASS_DNS + 5)
-#define DNS_EVENT_DISPATCH			(ISC_EVENTCLASS_DNS + 6)
-#define DNS_EVENT_TCPMSG			(ISC_EVENTCLASS_DNS + 7)
-#define DNS_EVENT_ADBMOREADDRESSES		(ISC_EVENTCLASS_DNS + 8)
-#define DNS_EVENT_ADBNOMOREADDRESSES		(ISC_EVENTCLASS_DNS + 9)
-#define DNS_EVENT_ADBCANCELED			(ISC_EVENTCLASS_DNS + 10)
-#define DNS_EVENT_ADBNAMEDELETED		(ISC_EVENTCLASS_DNS + 11)
-#define DNS_EVENT_ADBSHUTDOWN			(ISC_EVENTCLASS_DNS + 12)
-#define DNS_EVENT_ADBEXPIRED			(ISC_EVENTCLASS_DNS + 13)
-#define DNS_EVENT_ADBCONTROL			(ISC_EVENTCLASS_DNS + 14)
-#define DNS_EVENT_CACHECLEAN			(ISC_EVENTCLASS_DNS + 15)
-#define DNS_EVENT_BYADDRDONE			(ISC_EVENTCLASS_DNS + 16)
-#define DNS_EVENT_ZONECONTROL			(ISC_EVENTCLASS_DNS + 17)
-#define DNS_EVENT_DBDESTROYED			(ISC_EVENTCLASS_DNS + 18)
-#define DNS_EVENT_VALIDATORDONE			(ISC_EVENTCLASS_DNS + 19)
-#define DNS_EVENT_REQUESTDONE			(ISC_EVENTCLASS_DNS + 20)
-#define DNS_EVENT_VALIDATORSTART		(ISC_EVENTCLASS_DNS + 21)
-#define DNS_EVENT_VIEWREQSHUTDOWN		(ISC_EVENTCLASS_DNS + 22)
-#define DNS_EVENT_NOTIFYSENDTOADDR		(ISC_EVENTCLASS_DNS + 23)
-#define DNS_EVENT_ZONE				(ISC_EVENTCLASS_DNS + 24)
-#define DNS_EVENT_ZONESTARTXFRIN		(ISC_EVENTCLASS_DNS + 25)
-#define DNS_EVENT_MASTERQUANTUM			(ISC_EVENTCLASS_DNS + 26)
-#define DNS_EVENT_CACHEOVERMEM			(ISC_EVENTCLASS_DNS + 27)
-#define DNS_EVENT_MASTERNEXTZONE		(ISC_EVENTCLASS_DNS + 28)
-#define DNS_EVENT_IOREADY			(ISC_EVENTCLASS_DNS + 29)
-#define DNS_EVENT_LOOKUPDONE			(ISC_EVENTCLASS_DNS + 30)
-#define DNS_EVENT_RBTDEADNODES			(ISC_EVENTCLASS_DNS + 31)
-#define DNS_EVENT_DISPATCHCONTROL		(ISC_EVENTCLASS_DNS + 32)
-#define DNS_EVENT_REQUESTCONTROL		(ISC_EVENTCLASS_DNS + 33)
-#define DNS_EVENT_DUMPQUANTUM			(ISC_EVENTCLASS_DNS + 34)
-#define DNS_EVENT_IMPORTRECVDONE		(ISC_EVENTCLASS_DNS + 35)
-#define DNS_EVENT_FREESTORAGE			(ISC_EVENTCLASS_DNS + 36)
-#define DNS_EVENT_VIEWACACHESHUTDOWN		(ISC_EVENTCLASS_DNS + 37)
-#define DNS_EVENT_ACACHECONTROL			(ISC_EVENTCLASS_DNS + 38)
-#define DNS_EVENT_ACACHECLEAN			(ISC_EVENTCLASS_DNS + 39)
-#define DNS_EVENT_ACACHEOVERMEM			(ISC_EVENTCLASS_DNS + 40)
-#define DNS_EVENT_RBTPRUNE			(ISC_EVENTCLASS_DNS + 41)
-#define DNS_EVENT_MANAGEKEYS			(ISC_EVENTCLASS_DNS + 42)
-#define DNS_EVENT_CLIENTRESDONE			(ISC_EVENTCLASS_DNS + 43)
-#define DNS_EVENT_CLIENTREQDONE			(ISC_EVENTCLASS_DNS + 44)
-#define DNS_EVENT_ADBGROWENTRIES		(ISC_EVENTCLASS_DNS + 45)
-#define DNS_EVENT_ADBGROWNAMES			(ISC_EVENTCLASS_DNS + 46)
-#define DNS_EVENT_ZONESECURESERIAL		(ISC_EVENTCLASS_DNS + 47)
-#define DNS_EVENT_ZONESECUREDB			(ISC_EVENTCLASS_DNS + 48)
-#define DNS_EVENT_ZONELOAD			(ISC_EVENTCLASS_DNS + 49)
-#define DNS_EVENT_KEYDONE			(ISC_EVENTCLASS_DNS + 50)
-#define DNS_EVENT_SETNSEC3PARAM			(ISC_EVENTCLASS_DNS + 51)
-
-#define DNS_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_DNS + 0)
-#define DNS_EVENT_LASTEVENT			(ISC_EVENTCLASS_DNS + 65535)
-
-#endif /* DNS_EVENTS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/fixedname.h b/contrib/bind9/lib/dns/include/dns/fixedname.h
deleted file mode 100644
index 5a2aaf3..0000000
--- a/contrib/bind9/lib/dns/include/dns/fixedname.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: fixedname.h,v 1.19 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef DNS_FIXEDNAME_H
-#define DNS_FIXEDNAME_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/fixedname.h
- * \brief
- * Fixed-size Names
- *
- * dns_fixedname_t is a convenience type containing a name, an offsets table,
- * and a dedicated buffer big enough for the longest possible name.
- *
- * MP:
- *\li	The caller must ensure any required synchronization.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	Per dns_fixedname_t:
- *\code
- *		sizeof(dns_name_t) + sizeof(dns_offsets_t) +
- *		sizeof(isc_buffer_t) + 255 bytes + structure padding
- *\endcode
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/buffer.h>
-
-#include <dns/name.h>
-
-/*****
- ***** Types
- *****/
-
-struct dns_fixedname {
-	dns_name_t			name;
-	dns_offsets_t			offsets;
-	isc_buffer_t			buffer;
-	unsigned char			data[DNS_NAME_MAXWIRE];
-};
-
-#define dns_fixedname_init(fn) \
-	do { \
-		dns_name_init(&((fn)->name), (fn)->offsets); \
-		isc_buffer_init(&((fn)->buffer), (fn)->data, \
-                                  DNS_NAME_MAXWIRE); \
-		dns_name_setbuffer(&((fn)->name), &((fn)->buffer)); \
-	} while (0)
-
-#define dns_fixedname_invalidate(fn) \
-	dns_name_invalidate(&((fn)->name))
-
-#define dns_fixedname_name(fn)		(&((fn)->name))
-
-#endif /* DNS_FIXEDNAME_H */
diff --git a/contrib/bind9/lib/dns/include/dns/forward.h b/contrib/bind9/lib/dns/include/dns/forward.h
deleted file mode 100644
index 23e94be..0000000
--- a/contrib/bind9/lib/dns/include/dns/forward.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: forward.h,v 1.13 2009/09/02 23:48:02 tbox Exp $ */
-
-#ifndef DNS_FORWARD_H
-#define DNS_FORWARD_H 1
-
-/*! \file dns/forward.h */
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-struct dns_forwarders {
-	isc_sockaddrlist_t	addrs;
-	dns_fwdpolicy_t		fwdpolicy;
-};
-
-isc_result_t
-dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep);
-/*%<
- * Creates a new forwarding table.
- *
- * Requires:
- * \li 	mctx is a valid memory context.
- * \li	fwdtablep != NULL && *fwdtablep == NULL
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
-		 isc_sockaddrlist_t *addrs, dns_fwdpolicy_t policy);
-/*%<
- * Adds an entry to the forwarding table.  The entry associates
- * a domain with a list of forwarders and a forwarding policy.  The
- * addrs list is copied if not empty, so the caller should free its copy.
- *
- * Requires:
- * \li	fwdtable is a valid forwarding table.
- * \li	name is a valid name
- * \li	addrs is a valid list of sockaddrs, which may be empty.
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name);
-/*%<
- * Removes an entry for 'name' from the forwarding table.  If an entry
- * that exactly matches 'name' does not exist, ISC_R_NOTFOUND will be returned.
- *
- * Requires:
- * \li	fwdtable is a valid forwarding table.
- * \li	name is a valid name
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND
- */
-
-isc_result_t
-dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
-		  dns_forwarders_t **forwardersp);
-/*%<
- * Finds a domain in the forwarding table.  The closest matching parent
- * domain is returned.
- *
- * Requires:
- * \li	fwdtable is a valid forwarding table.
- * \li	name is a valid name
- * \li	forwardersp != NULL && *forwardersp == NULL
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND
- */
-
-isc_result_t
-dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
-		   dns_name_t *foundname, dns_forwarders_t **forwardersp);
-/*%<
- * Finds a domain in the forwarding table.  The closest matching parent
- * domain is returned.
- *
- * Requires:
- * \li	fwdtable is a valid forwarding table.
- * \li	name is a valid name
- * \li	forwardersp != NULL && *forwardersp == NULL
- * \li	foundname to be NULL or a valid name with buffer.
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND
- */
-
-void
-dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep);
-/*%<
- * Destroys a forwarding table.
- *
- * Requires:
- * \li	fwtablep != NULL && *fwtablep != NULL
- *
- * Ensures:
- * \li	all memory associated with the forwarding table is freed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_FORWARD_H */
diff --git a/contrib/bind9/lib/dns/include/dns/iptable.h b/contrib/bind9/lib/dns/include/dns/iptable.h
deleted file mode 100644
index 2ce8e18..0000000
--- a/contrib/bind9/lib/dns/include/dns/iptable.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: iptable.h,v 1.4 2007/09/14 01:46:05 marka Exp $ */
-
-#ifndef DNS_IPTABLE_H
-#define DNS_IPTABLE_H 1
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/radix.h>
-
-#include <dns/types.h>
-
-struct dns_iptable {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	isc_refcount_t		refcount;
-	isc_radix_tree_t	*radix;
-	ISC_LINK(dns_iptable_t)	nextincache;
-};
-
-#define DNS_IPTABLE_MAGIC	ISC_MAGIC('T','a','b','l')
-#define DNS_IPTABLE_VALID(a)	ISC_MAGIC_VALID(a, DNS_IPTABLE_MAGIC)
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target);
-/*
- * Create a new IP table and the underlying radix structure
- */
-
-isc_result_t
-dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
-		      isc_uint16_t bitlen, isc_boolean_t pos);
-/*
- * Add an IP prefix to an existing IP table
- */
-
-isc_result_t
-dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos);
-/*
- * Merge one IP table into another one.
- */
-
-void
-dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target);
-
-void
-dns_iptable_detach(dns_iptable_t **tabp);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_IPTABLE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/journal.h b/contrib/bind9/lib/dns/include/dns/journal.h
deleted file mode 100644
index 68ba8b3..0000000
--- a/contrib/bind9/lib/dns/include/dns/journal.h
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: journal.h,v 1.43 2011/12/22 07:32:41 each Exp $ */
-
-#ifndef DNS_JOURNAL_H
-#define DNS_JOURNAL_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/journal.h
- * \brief
- * Database journaling.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/name.h>
-#include <dns/diff.h>
-#include <dns/rdata.h>
-#include <dns/types.h>
-
-/***
- *** Defines.
- ***/
-#define DNS_JOURNALOPT_RESIGN	0x00000001
-
-#define DNS_JOURNAL_READ	0x00000000	/* ISC_FALSE */
-#define DNS_JOURNAL_CREATE	0x00000001	/* ISC_TRUE */
-#define DNS_JOURNAL_WRITE	0x00000002
-
-/***
- *** Types
- ***/
-
-/*%
- * A dns_journal_t represents an open journal file.  This is an opaque type.
- *
- * A particular dns_journal_t object may be opened for writing, in which case
- * it can be used for writing transactions to a journal file, or it can be
- * opened for reading, in which case it can be used for reading transactions
- * from (iterating over) a journal file.  A single dns_journal_t object may
- * not be used for both purposes.
- */
-typedef struct dns_journal dns_journal_t;
-
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-/**************************************************************************/
-
-isc_result_t
-dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
-		      dns_diffop_t op, dns_difftuple_t **tp);
-/*!< brief
- * Create a diff tuple for the current database SOA.
- * XXX this probably belongs somewhere else.
- */
-
-
-/*@{*/
-#define DNS_SERIAL_GT(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) > 0)
-#define DNS_SERIAL_GE(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) >= 0)
-/*!< brief
- * Compare SOA serial numbers.  DNS_SERIAL_GT(a, b) returns true iff
- * a is "greater than" b where "greater than" is as defined in RFC1982.
- * DNS_SERIAL_GE(a, b) returns true iff a is "greater than or equal to" b.
- */
-/*@}*/
-
-/**************************************************************************/
-/*
- * Journal object creation and destruction.
- */
-
-isc_result_t
-dns_journal_open(isc_mem_t *mctx, const char *filename, unsigned int mode,
-		 dns_journal_t **journalp);
-/*%<
- * Open the journal file 'filename' and create a dns_journal_t object for it.
- *
- * DNS_JOURNAL_CREATE open the journal for reading and writing and create
- * the journal if it does not exist.
- * DNS_JOURNAL_WRITE open the journal for reading and writing.
- * DNS_JOURNAL_READ open the journal for reading only.
- */
-
-void
-dns_journal_destroy(dns_journal_t **journalp);
-/*%<
- * Destroy a dns_journal_t, closing any open files and freeing its memory.
- */
-
-/**************************************************************************/
-/*
- * Writing transactions to journals.
- */
-
-isc_result_t
-dns_journal_begin_transaction(dns_journal_t *j);
-/*%<
- * Prepare to write a new transaction to the open journal file 'j'.
- *
- * Requires:
- *     \li 'j' is open for writing.
- */
-
-isc_result_t
-dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff);
-/*%<
- * Write 'diff' to the current transaction of journal file 'j'.
- *
- * Requires:
- * \li     'j' is open for writing and dns_journal_begin_transaction()
- * 	has been called.
- *
- *\li 	'diff' is a full or partial, correctly ordered IXFR
- *      difference sequence.
- */
-
-isc_result_t
-dns_journal_commit(dns_journal_t *j);
-/*%<
- * Commit the current transaction of journal file 'j'.
- *
- * Requires:
- * \li     'j' is open for writing and dns_journal_begin_transaction()
- * 	has been called.
- *
- *   \li   dns_journal_writediff() has been called one or more times
- * 	to form a complete, correctly ordered IXFR difference
- *      sequence.
- */
-
-isc_result_t
-dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff);
-/*%
- * Write a complete transaction at once to a journal file,
- * sorting it if necessary, and commit it.  Equivalent to calling
- * dns_diff_sort(), dns_journal_begin_transaction(),
- * dns_journal_writediff(), and dns_journal_commit().
- *
- * Requires:
- *\li      'j' is open for writing.
- *
- * \li	'diff' contains exactly one SOA deletion, one SOA addition
- *       with a greater serial number, and possibly other changes,
- *       in arbitrary order.
- */
-
-/**************************************************************************/
-/*
- * Reading transactions from journals.
- */
-
-isc_uint32_t
-dns_journal_first_serial(dns_journal_t *j);
-isc_uint32_t
-dns_journal_last_serial(dns_journal_t *j);
-/*%<
- * Get the first and last addressable serial number in the journal.
- */
-
-isc_result_t
-dns_journal_iter_init(dns_journal_t *j,
-		      isc_uint32_t begin_serial, isc_uint32_t end_serial);
-/*%<
- * Prepare to iterate over the transactions that will bring the database
- * from SOA serial number 'begin_serial' to 'end_serial'.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_RANGE	begin_serial is outside the addressable range.
- *\li	ISC_R_NOTFOUND	begin_serial is within the range of addressable
- *			serial numbers covered by the journal, but
- *			this particular serial number does not exist.
- */
-
-/*@{*/
-isc_result_t
-dns_journal_first_rr(dns_journal_t *j);
-isc_result_t
-dns_journal_next_rr(dns_journal_t *j);
-/*%<
- * Position the iterator at the first/next RR in a journal
- * transaction sequence established using dns_journal_iter_init().
- *
- * Requires:
- *    \li  dns_journal_iter_init() has been called.
- *
- */
-/*@}*/
-
-void
-dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
-		       dns_rdata_t **rdata);
-/*%<
- * Get the name, ttl, and rdata of the current journal RR.
- *
- * Requires:
- * \li     The last call to dns_journal_first_rr() or dns_journal_next_rr()
- *      returned ISC_R_SUCCESS.
- */
-
-/**************************************************************************/
-/*
- * Database roll-forward.
- */
-
-isc_result_t
-dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, unsigned int options,
-			const char *filename);
-
-isc_result_t
-dns_journal_rollforward2(isc_mem_t *mctx, dns_db_t *db, unsigned int options,
-			 isc_uint32_t resign, const char *filename);
-/*%<
- * Roll forward (play back) the journal file "filename" into the
- * database "db".  This should be called when the server starts
- * after a shutdown or crash.  'resign' is how many seconds before
- * a RRSIG is due to expire it should be scheduled to be regenerated.
- *
- * Requires:
- *\li	dns_journal_rollforward() requires that DNS_JOURNALOPT_RESIGN
- *	is not set.
- *\li   'mctx' is a valid memory context.
- *\li	'db' is a valid database which does not have a version
- *           open for writing.
- *\li   'filename' is the name of the journal file belonging to 'db'.
- *
- * Returns:
- *\li	DNS_R_NOJOURNAL when journal does not exist.
- *\li	ISC_R_NOTFOUND when current serial in not in journal.
- *\li	ISC_R_RANGE when current serial in not in journals range.
- *\li	ISC_R_SUCCESS journal has been applied successfully to database.
- *	others
- */
-
-isc_result_t
-dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file);
-/* For debugging not general use */
-
-isc_result_t
-dns_db_diff(isc_mem_t *mctx,
-	    dns_db_t *dba, dns_dbversion_t *dbvera,
-	    dns_db_t *dbb, dns_dbversion_t *dbverb,
-	    const char *journal_filename);
-
-isc_result_t
-dns_db_diffx(dns_diff_t *diff, dns_db_t *dba, dns_dbversion_t *dbvera,
-	     dns_db_t *dbb, dns_dbversion_t *dbverb,
-	     const char *journal_filename);
-/*%<
- * Compare the databases 'dba' and 'dbb' and generate a diff/journal
- * entry containing the changes to make 'dba' from 'dbb' (note
- * the order).  This journal entry will consist of a single,
- * possibly very large transaction.  Append the journal
- * entry to the journal file specified by 'journal_filename' if
- * non-NULL.
- */
-
-isc_result_t
-dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
-		    isc_uint32_t target_size);
-/*%<
- * Attempt to compact the journal if it is greater that 'target_size'.
- * Changes from 'serial' onwards will be preserved.  If the journal
- * exists and is non-empty 'serial' must exist in the journal.
- */
-
-isc_boolean_t
-dns_journal_get_sourceserial(dns_journal_t *j, isc_uint32_t *sourceserial);
-void
-dns_journal_set_sourceserial(dns_journal_t *j, isc_uint32_t sourceserial);
-/*%<
- * Get and set source serial.
- *
- * Returns:
- *	 ISC_TRUE if sourceserial has previously been set.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_JOURNAL_H */
diff --git a/contrib/bind9/lib/dns/include/dns/keydata.h b/contrib/bind9/lib/dns/include/dns/keydata.h
deleted file mode 100644
index f24ca06..0000000
--- a/contrib/bind9/lib/dns/include/dns/keydata.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keydata.h,v 1.2 2009/06/30 02:52:32 each Exp $ */
-
-#ifndef DNS_KEYDATA_H
-#define DNS_KEYDATA_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/keydata.h
- * \brief
- * KEYDATA utilities.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-#include <dns/rdatastruct.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_keydata_todnskey(dns_rdata_keydata_t *keydata,
-		     dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx);
-
-isc_result_t
-dns_keydata_fromdnskey(dns_rdata_keydata_t *keydata,
-		       dns_rdata_dnskey_t *dnskey,
-		       isc_uint32_t refresh, isc_uint32_t addhd,
-		       isc_uint32_t removehd, isc_mem_t *mctx);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_KEYDATA_H */
diff --git a/contrib/bind9/lib/dns/include/dns/keyflags.h b/contrib/bind9/lib/dns/include/dns/keyflags.h
deleted file mode 100644
index 74a1740..0000000
--- a/contrib/bind9/lib/dns/include/dns/keyflags.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keyflags.h,v 1.16 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef DNS_KEYFLAGS_H
-#define DNS_KEYFLAGS_H 1
-
-/*! \file dns/keyflags.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source);
-/*%<
- * Convert the text 'source' refers to into a DNSSEC KEY flags value.
- * The text may contain either a set of flag mnemonics separated by
- * vertical bars or a decimal flags value.  For compatibility with
- * older versions of BIND and the DNSSEC signer, octal values
- * prefixed with a zero and hexadecimal values prefixed with "0x"
- * are also accepted.
- *
- * Requires:
- *\li	'flagsp' is a valid pointer.
- *
- *\li	'source' is a valid text region.
- *
- * Returns:
- *\li	ISC_R_SUCCESS			on success
- *\li	ISC_R_RANGE			numeric flag value is out of range
- *\li	DNS_R_UNKNOWN			mnemonic flag is unknown
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_KEYFLAGS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/keytable.h b/contrib/bind9/lib/dns/include/dns/keytable.h
deleted file mode 100644
index 3f4adaf..0000000
--- a/contrib/bind9/lib/dns/include/dns/keytable.h
+++ /dev/null
@@ -1,457 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keytable.h,v 1.23 2010/06/25 03:24:05 marka Exp $ */
-
-#ifndef DNS_KEYTABLE_H
-#define DNS_KEYTABLE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * The keytable module provides services for storing and retrieving DNSSEC
- * trusted keys, as well as the ability to find the deepest matching key
- * for a given domain name.
- *
- * MP:
- *\li	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- */
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-
-#include <dst/dst.h>
-
-ISC_LANG_BEGINDECLS
-
-struct dns_keytable {
-	/* Unlocked. */
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	isc_mutex_t		lock;
-	isc_rwlock_t		rwlock;
-	/* Locked by lock. */
-	isc_uint32_t		active_nodes;
-	/* Locked by rwlock. */
-	isc_uint32_t		references;
-	dns_rbt_t		*table;
-};
-
-#define KEYTABLE_MAGIC			ISC_MAGIC('K', 'T', 'b', 'l')
-#define VALID_KEYTABLE(kt)	 	ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)
-
-struct dns_keynode {
-	unsigned int		magic;
-	isc_refcount_t		refcount;
-	dst_key_t *		key;
-	isc_boolean_t           managed;
-	struct dns_keynode *	next;
-};
-
-#define KEYNODE_MAGIC			ISC_MAGIC('K', 'N', 'o', 'd')
-#define VALID_KEYNODE(kn)	 	ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)
-
-isc_result_t
-dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep);
-/*%<
- * Create a keytable.
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	keytablep != NULL && *keytablep == NULL
- *
- * Ensures:
- *
- *\li	On success, *keytablep is a valid, empty key table.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Any other result indicates failure.
- */
-
-
-void
-dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp);
-/*%<
- * Attach *targetp to source.
- *
- * Requires:
- *
- *\li	'source' is a valid keytable.
- *
- *\li	'targetp' points to a NULL dns_keytable_t *.
- *
- * Ensures:
- *
- *\li	*targetp is attached to source.
- */
-
-void
-dns_keytable_detach(dns_keytable_t **keytablep);
-/*%<
- * Detach *keytablep from its keytable.
- *
- * Requires:
- *
- *\li	'keytablep' points to a valid keytable.
- *
- * Ensures:
- *
- *\li	*keytablep is NULL.
- *
- *\li	If '*keytablep' is the last reference to the keytable,
- *		all resources used by the keytable will be freed
- */
-
-isc_result_t
-dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
-		 dst_key_t **keyp);
-/*%<
- * Add '*keyp' to 'keytable' (using the name in '*keyp').
- * The value of keynode->managed is set to 'managed'
- *
- * Notes:
- *
- *\li	Ownership of *keyp is transferred to the keytable.
- *\li   If the key already exists in the table, ISC_R_EXISTS is
- *      returned and the new key is freed.
- *
- * Requires:
- *
- *\li	'keytable' points to a valid keytable.
- *
- *\li	keyp != NULL && *keyp is a valid dst_key_t *.
- *
- * Ensures:
- *
- *\li	On success, *keyp == NULL
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_EXISTS
- *
- *\li	Any other result indicates failure.
- */
-
-isc_result_t
-dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name);
-/*%<
- * Add a null key to 'keytable' for name 'name'.  This marks the
- * name as a secure domain, but doesn't supply any key data to allow the
- * domain to be validated.  (Used when automated trust anchor management
- * has gotten broken by a zone misconfiguration; for example, when the
- * active key has been revoked but the stand-by key was still in its 30-day
- * waiting period for validity.)
- *
- * Notes:
- *
- *\li   If a key already exists in the table, ISC_R_EXISTS is
- *      returned and nothing is done.
- *
- * Requires:
- *
- *\li	'keytable' points to a valid keytable.
- *
- *\li	keyp != NULL && *keyp is a valid dst_key_t *.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_EXISTS
- *
- *\li	Any other result indicates failure.
- */
-
-isc_result_t
-dns_keytable_delete(dns_keytable_t *keytable, dns_name_t *keyname);
-/*%<
- * Delete node(s) from 'keytable' matching name 'keyname'
- *
- * Requires:
- *
- *\li	'keytable' points to a valid keytable.
- *
- *\li	'name' is not NULL
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Any other result indicates failure.
- */
-
-isc_result_t
-dns_keytable_deletekeynode(dns_keytable_t *keytable, dst_key_t *dstkey);
-/*%<
- * Delete node(s) from 'keytable' containing copies of the key pointed
- * to by 'dstkey'
- *
- * Requires:
- *
- *\li	'keytable' points to a valid keytable.
- *\li	'dstkey' is not NULL
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Any other result indicates failure.
- */
-
-isc_result_t
-dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
-		  dns_keynode_t **keynodep);
-/*%<
- * Search for the first instance of a key named 'name' in 'keytable',
- * without regard to keyid and algorithm.  Use dns_keytable_nextkeynode()
- * to find subsequent instances.
- *
- * Requires:
- *
- *\li	'keytable' is a valid keytable.
- *
- *\li	'name' is a valid absolute name.
- *
- *\li	keynodep != NULL && *keynodep == NULL
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOTFOUND
- *
- *\li	Any other result indicates an error.
- */
-
-isc_result_t
-dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
-			 dns_keynode_t **nextnodep);
-/*%<
- * Return for the next key after 'keynode' in 'keytable', without regard to
- * keyid and algorithm.
- *
- * Requires:
- *
- *\li	'keytable' is a valid keytable.
- *
- *\li	'keynode' is a valid keynode.
- *
- *\li	nextnodep != NULL && *nextnodep == NULL
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOTFOUND
- *
- *\li	Any other result indicates an error.
- */
-
-isc_result_t
-dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
-			 dns_secalg_t algorithm, dns_keytag_t tag,
-			 dns_keynode_t **keynodep);
-/*%<
- * Search for a key named 'name', matching 'algorithm' and 'tag' in
- * 'keytable'.  This finds the first instance which matches.  Use
- * dns_keytable_findnextkeynode() to find other instances.
- *
- * Requires:
- *
- *\li	'keytable' is a valid keytable.
- *
- *\li	'name' is a valid absolute name.
- *
- *\li	keynodep != NULL && *keynodep == NULL
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *\li	DNS_R_PARTIALMATCH	the name existed in the keytable.
- *\li	ISC_R_NOTFOUND
- *
- *\li	Any other result indicates an error.
- */
-
-isc_result_t
-dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
-					     dns_keynode_t **nextnodep);
-/*%<
- * Search for the next key with the same properties as 'keynode' in
- * 'keytable' as found by dns_keytable_findkeynode().
- *
- * Requires:
- *
- *\li	'keytable' is a valid keytable.
- *
- *\li	'keynode' is a valid keynode.
- *
- *\li	nextnodep != NULL && *nextnodep == NULL
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOTFOUND
- *
- *\li	Any other result indicates an error.
- */
-
-isc_result_t
-dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
-			      dns_name_t *foundname);
-/*%<
- * Search for the deepest match of 'name' in 'keytable'.
- *
- * Requires:
- *
- *\li	'keytable' is a valid keytable.
- *
- *\li	'name' is a valid absolute name.
- *
- *\li	'foundname' is a name with a dedicated buffer.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOTFOUND
- *
- *\li	Any other result indicates an error.
- */
-
-void
-dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
-			   dns_keynode_t **target);
-/*%<
- * Attach a keynode and and increment the active_nodes counter in a
- * corresponding keytable.
- *
- * Requires:
- *
- *\li	'keytable' is a valid keytable.
- *
- *\li	'source' is a valid keynode.
- *
- *\li	'target' is not null and '*target' is null.
- */
-
-void
-dns_keytable_detachkeynode(dns_keytable_t *keytable,
-			   dns_keynode_t **keynodep);
-/*%<
- * Give back a keynode found via dns_keytable_findkeynode().
- *
- * Requires:
- *
- *\li	'keytable' is a valid keytable.
- *
- *\li	*keynodep is a valid keynode returned by a call to
- *	dns_keytable_findkeynode().
- *
- * Ensures:
- *
- *\li	*keynodep == NULL
- */
-
-isc_result_t
-dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
-			    isc_boolean_t *wantdnssecp);
-/*%<
- * Is 'name' at or beneath a trusted key?
- *
- * Requires:
- *
- *\li	'keytable' is a valid keytable.
- *
- *\li	'name' is a valid absolute name.
- *
- *\li	'*wantsdnssecp' is a valid isc_boolean_t.
- *
- * Ensures:
- *
- *\li	On success, *wantsdnssecp will be ISC_TRUE if and only if 'name'
- *	is at or beneath a trusted key.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Any other result is an error.
- */
-
-isc_result_t
-dns_keytable_dump(dns_keytable_t *keytable, FILE *fp);
-/*%<
- * Dump the keytable on fp.
- */
-
-dst_key_t *
-dns_keynode_key(dns_keynode_t *keynode);
-/*%<
- * Get the DST key associated with keynode.
- */
-
-isc_boolean_t
-dns_keynode_managed(dns_keynode_t *keynode);
-/*%<
- * Is this flagged as a managed key?
- */
-
-isc_result_t
-dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target);
-/*%<
- * Allocate space for a keynode
- */
-
-void
-dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target);
-/*%<
- * Attach keynode 'source' to '*target'
- */
-
-void
-dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **target);
-/*%<
- * Detach a single keynode, without touching any keynodes that
- * may be pointed to by its 'next' pointer
- */
-
-void
-dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **target);
-/*%<
- * Detach a keynode and all its succesors.
- */
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_KEYTABLE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/keyvalues.h b/contrib/bind9/lib/dns/include/dns/keyvalues.h
deleted file mode 100644
index 0c392ca..0000000
--- a/contrib/bind9/lib/dns/include/dns/keyvalues.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2004-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keyvalues.h,v 1.29 2010/12/23 23:47:08 tbox Exp $ */
-
-#ifndef DNS_KEYVALUES_H
-#define DNS_KEYVALUES_H 1
-
-/*! \file dns/keyvalues.h */
-
-/*
- * Flags field of the KEY RR rdata
- */
-#define DNS_KEYFLAG_TYPEMASK	0xC000	/*%< Mask for "type" bits */
-#define DNS_KEYTYPE_AUTHCONF	0x0000	/*%< Key usable for both */
-#define DNS_KEYTYPE_CONFONLY	0x8000	/*%< Key usable for confidentiality */
-#define DNS_KEYTYPE_AUTHONLY	0x4000	/*%< Key usable for authentication */
-#define DNS_KEYTYPE_NOKEY	0xC000	/*%< No key usable for either; no key */
-#define DNS_KEYTYPE_NOAUTH	DNS_KEYTYPE_CONFONLY
-#define DNS_KEYTYPE_NOCONF	DNS_KEYTYPE_AUTHONLY
-
-#define DNS_KEYFLAG_RESERVED2	0x2000	/*%< reserved - must be zero */
-#define DNS_KEYFLAG_EXTENDED	0x1000	/*%< key has extended flags */
-#define DNS_KEYFLAG_RESERVED4	0x0800	/*%< reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED5	0x0400	/*%< reserved - must be zero */
-#define DNS_KEYFLAG_OWNERMASK	0x0300	/*%< these bits determine the type */
-#define DNS_KEYOWNER_USER	0x0000	/*%< key is assoc. with user */
-#define DNS_KEYOWNER_ENTITY	0x0200	/*%< key is assoc. with entity eg host */
-#define DNS_KEYOWNER_ZONE	0x0100	/*%< key is zone key */
-#define DNS_KEYOWNER_RESERVED	0x0300	/*%< reserved meaning */
-#define DNS_KEYFLAG_REVOKE	0x0080	/*%< key revoked (per rfc5011) */
-#define DNS_KEYFLAG_RESERVED9	0x0040	/*%< reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED10	0x0020	/*%< reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED11	0x0010	/*%< reserved - must be zero */
-#define DNS_KEYFLAG_SIGNATORYMASK 0x000F /*%< key can sign RR's of same name */
-
-#define DNS_KEYFLAG_RESERVEDMASK (DNS_KEYFLAG_RESERVED2 | \
-				  DNS_KEYFLAG_RESERVED4 | \
-				  DNS_KEYFLAG_RESERVED5 | \
-				  DNS_KEYFLAG_RESERVED9 | \
-				  DNS_KEYFLAG_RESERVED10 | \
-				  DNS_KEYFLAG_RESERVED11 )
-#define DNS_KEYFLAG_KSK		0x0001	/*%< key signing key */
-
-#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF	/*%< no bits defined here */
-
-/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define DNS_KEYALG_RSAMD5	1       /*%< RSA with MD5 */
-#define DNS_KEYALG_RSA		DNS_KEYALG_RSAMD5
-#define DNS_KEYALG_DH		2       /*%< Diffie Hellman KEY */
-#define DNS_KEYALG_DSA		3       /*%< DSA KEY */
-#define DNS_KEYALG_NSEC3DSA	6
-#define DNS_KEYALG_DSS		DNS_ALG_DSA
-#define DNS_KEYALG_ECC		4
-#define DNS_KEYALG_RSASHA1	5
-#define DNS_KEYALG_NSEC3RSASHA1	7
-#define DNS_KEYALG_RSASHA256	8
-#define DNS_KEYALG_RSASHA512	10
-#define DNS_KEYALG_ECCGOST	12
-#define DNS_KEYALG_ECDSA256	13
-#define DNS_KEYALG_ECDSA384	14
-#define DNS_KEYALG_INDIRECT	252
-#define DNS_KEYALG_PRIVATEDNS	253
-#define DNS_KEYALG_PRIVATEOID	254     /*%< Key begins with OID giving alg */
-
-/* Protocol values  */
-#define	DNS_KEYPROTO_RESERVED	0
-#define DNS_KEYPROTO_TLS	1
-#define DNS_KEYPROTO_EMAIL	2
-#define DNS_KEYPROTO_DNSSEC	3
-#define DNS_KEYPROTO_IPSEC	4
-#define DNS_KEYPROTO_ANY	255
-
-/* Signatures */
-#define DNS_SIG_RSAMINBITS	512	/*%< Size of a mod or exp in bits */
-#define DNS_SIG_RSAMAXBITS	2552
-	/* Total of binary mod and exp */
-#define DNS_SIG_RSAMAXBYTES	((DNS_SIG_RSAMAXBITS+7/8)*2+3)
-	/*%< Max length of text sig block */
-#define DNS_SIG_RSAMAXBASE64	(((DNS_SIG_RSAMAXBYTES+2)/3)*4)
-#define DNS_SIG_RSAMINSIZE	((DNS_SIG_RSAMINBITS+7)/8)
-#define DNS_SIG_RSAMAXSIZE	((DNS_SIG_RSAMAXBITS+7)/8)
-
-#define DNS_SIG_DSASIGSIZE	41
-#define DNS_SIG_DSAMINBITS	512
-#define DNS_SIG_DSAMAXBITS	1024
-#define DNS_SIG_DSAMINBYTES	213
-#define DNS_SIG_DSAMAXBYTES	405
-
-#define DNS_SIG_GOSTSIGSIZE	64
-
-#define DNS_SIG_ECDSA256SIZE	64
-#define DNS_SIG_ECDSA384SIZE	96
-
-#define DNS_KEY_ECDSA256SIZE	64
-#define DNS_KEY_ECDSA384SIZE	96
-
-#endif /* DNS_KEYVALUES_H */
diff --git a/contrib/bind9/lib/dns/include/dns/lib.h b/contrib/bind9/lib/dns/include/dns/lib.h
deleted file mode 100644
index a78562f..0000000
--- a/contrib/bind9/lib/dns/include/dns/lib.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.h,v 1.18 2009/09/02 23:48:02 tbox Exp $ */
-
-#ifndef DNS_LIB_H
-#define DNS_LIB_H 1
-
-/*! \file dns/lib.h */
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-/*%
- * Tuning: external query load in packets per seconds.
- */
-LIBDNS_EXTERNAL_DATA extern unsigned int dns_pps;
-LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dns_msgcat;
-
-void
-dns_lib_initmsgcat(void);
-/*%<
- * Initialize the DNS library's message catalog, dns_msgcat, if it
- * has not already been initialized.
- */
-
-isc_result_t
-dns_lib_init(void);
-/*%<
- * A set of initialization procedure used in the DNS library.  This function
- * is provided for an application that is not aware of the underlying ISC or
- * DNS libraries much.
- */
-
-void
-dns_lib_shutdown(void);
-/*%<
- * Free temporary resources allocated in dns_lib_init().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_LIB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/log.h b/contrib/bind9/lib/dns/include/dns/log.h
deleted file mode 100644
index 3c4df8a..0000000
--- a/contrib/bind9/lib/dns/include/dns/log.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.h,v 1.47 2011/10/13 22:48:24 tbox Exp $ */
-
-/*! \file dns/log.h
- * \author  Principal Authors: DCL */
-
-#ifndef DNS_LOG_H
-#define DNS_LOG_H 1
-
-#include <isc/lang.h>
-#include <isc/log.h>
-
-LIBDNS_EXTERNAL_DATA extern isc_log_t *dns_lctx;
-LIBDNS_EXTERNAL_DATA extern isc_logcategory_t dns_categories[];
-LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
-
-#define DNS_LOGCATEGORY_NOTIFY		(&dns_categories[0])
-#define DNS_LOGCATEGORY_DATABASE	(&dns_categories[1])
-#define DNS_LOGCATEGORY_SECURITY	(&dns_categories[2])
-/* DNS_LOGCATEGORY_CONFIG superseded by CFG_LOGCATEGORY_CONFIG */
-#define DNS_LOGCATEGORY_DNSSEC		(&dns_categories[4])
-#define DNS_LOGCATEGORY_RESOLVER	(&dns_categories[5])
-#define DNS_LOGCATEGORY_XFER_IN		(&dns_categories[6])
-#define DNS_LOGCATEGORY_XFER_OUT	(&dns_categories[7])
-#define DNS_LOGCATEGORY_DISPATCH	(&dns_categories[8])
-#define DNS_LOGCATEGORY_LAME_SERVERS	(&dns_categories[9])
-#define DNS_LOGCATEGORY_DELEGATION_ONLY	(&dns_categories[10])
-#define DNS_LOGCATEGORY_EDNS_DISABLED	(&dns_categories[11])
-#define DNS_LOGCATEGORY_RPZ		(&dns_categories[12])
-
-/* Backwards compatibility. */
-#define DNS_LOGCATEGORY_GENERAL		ISC_LOGCATEGORY_GENERAL
-
-#define DNS_LOGMODULE_DB		(&dns_modules[0])
-#define DNS_LOGMODULE_RBTDB		(&dns_modules[1])
-#define DNS_LOGMODULE_RBTDB64		(&dns_modules[2])
-#define DNS_LOGMODULE_RBT		(&dns_modules[3])
-#define DNS_LOGMODULE_RDATA		(&dns_modules[4])
-#define DNS_LOGMODULE_MASTER		(&dns_modules[5])
-#define DNS_LOGMODULE_MESSAGE		(&dns_modules[6])
-#define DNS_LOGMODULE_CACHE		(&dns_modules[7])
-#define DNS_LOGMODULE_CONFIG		(&dns_modules[8])
-#define DNS_LOGMODULE_RESOLVER		(&dns_modules[9])
-#define DNS_LOGMODULE_ZONE		(&dns_modules[10])
-#define DNS_LOGMODULE_JOURNAL		(&dns_modules[11])
-#define DNS_LOGMODULE_ADB		(&dns_modules[12])
-#define DNS_LOGMODULE_XFER_IN		(&dns_modules[13])
-#define DNS_LOGMODULE_XFER_OUT		(&dns_modules[14])
-#define DNS_LOGMODULE_ACL		(&dns_modules[15])
-#define DNS_LOGMODULE_VALIDATOR		(&dns_modules[16])
-#define DNS_LOGMODULE_DISPATCH		(&dns_modules[17])
-#define DNS_LOGMODULE_REQUEST		(&dns_modules[18])
-#define DNS_LOGMODULE_MASTERDUMP	(&dns_modules[19])
-#define DNS_LOGMODULE_TSIG		(&dns_modules[20])
-#define DNS_LOGMODULE_TKEY		(&dns_modules[21])
-#define DNS_LOGMODULE_SDB		(&dns_modules[22])
-#define DNS_LOGMODULE_DIFF		(&dns_modules[23])
-#define DNS_LOGMODULE_HINTS		(&dns_modules[24])
-#define DNS_LOGMODULE_ACACHE		(&dns_modules[25])
-#define DNS_LOGMODULE_DLZ		(&dns_modules[26])
-#define DNS_LOGMODULE_DNSSEC		(&dns_modules[27])
-#define DNS_LOGMODULE_CRYPTO		(&dns_modules[28])
-
-ISC_LANG_BEGINDECLS
-
-void
-dns_log_init(isc_log_t *lctx);
-/*%
- * Make the libdns categories and modules available for use with the
- * ISC logging library.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *
- *\li	dns_log_init() is called only once.
- *
- * Ensures:
- * \li	The categories and modules defined above are available for
- * 	use by isc_log_usechannnel() and isc_log_write().
- */
-
-void
-dns_log_setcontext(isc_log_t *lctx);
-/*%
- * Make the libdns library use the provided context for logging internal
- * messages.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_LOG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/lookup.h b/contrib/bind9/lib/dns/include/dns/lookup.h
deleted file mode 100644
index e825e00..0000000
--- a/contrib/bind9/lib/dns/include/dns/lookup.h
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lookup.h,v 1.14 2009/01/17 23:47:43 tbox Exp $ */
-
-#ifndef DNS_LOOKUP_H
-#define DNS_LOOKUP_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/lookup.h
- * \brief
- * The lookup module performs simple DNS lookups.  It implements
- * the full resolver algorithm, both looking for local data and
- * resolving external names as necessary.
- *
- * MP:
- *\li	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	RFCs:	1034, 1035, 2181, TBS
- *\li	Drafts:	TBS
- */
-
-#include <isc/lang.h>
-#include <isc/event.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*%
- * A 'dns_lookupevent_t' is returned when a lookup completes.
- * The sender field will be set to the lookup that completed.  If 'result'
- * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
- * with the address.  The recipient of the event must not change the list
- * and must not refer to any of the name data after the event is freed.
- */
-typedef struct dns_lookupevent {
-	ISC_EVENT_COMMON(struct dns_lookupevent);
-	isc_result_t			result;
-	dns_name_t			*name;
-	dns_rdataset_t			*rdataset;
-	dns_rdataset_t			*sigrdataset;
-	dns_db_t			*db;
-	dns_dbnode_t			*node;
-} dns_lookupevent_t;
-
-isc_result_t
-dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
-		  dns_view_t *view, unsigned int options, isc_task_t *task,
-		  isc_taskaction_t action, void *arg, dns_lookup_t **lookupp);
-/*%<
- * Finds the rrsets matching 'name' and 'type'.
- *
- * Requires:
- *
- *\li	'mctx' is a valid mctx.
- *
- *\li	'name' is a valid name.
- *
- *\li	'view' is a valid view which has a resolver.
- *
- *\li	'task' is a valid task.
- *
- *\li	lookupp != NULL && *lookupp == NULL
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOMEMORY
- *
- *\li	Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
- *	returned.
- */
-
-void
-dns_lookup_cancel(dns_lookup_t *lookup);
-/*%<
- * Cancel 'lookup'.
- *
- * Notes:
- *
- *\li	If 'lookup' has not completed, post its LOOKUPDONE event with a
- *	result code of ISC_R_CANCELED.
- *
- * Requires:
- *
- *\li	'lookup' is a valid lookup.
- */
-
-void
-dns_lookup_destroy(dns_lookup_t **lookupp);
-/*%<
- * Destroy 'lookup'.
- *
- * Requires:
- *
- *\li	'*lookupp' is a valid lookup.
- *
- *\li	The caller has received the LOOKUPDONE event (either because the
- *	lookup completed or because dns_lookup_cancel() was called).
- *
- * Ensures:
- *
- *\li	*lookupp == NULL.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_LOOKUP_H */
diff --git a/contrib/bind9/lib/dns/include/dns/master.h b/contrib/bind9/lib/dns/include/dns/master.h
deleted file mode 100644
index 896c6e9..0000000
--- a/contrib/bind9/lib/dns/include/dns/master.h
+++ /dev/null
@@ -1,324 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef DNS_MASTER_H
-#define DNS_MASTER_H 1
-
-/*! \file dns/master.h */
-
-/***
- ***	Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-/*
- * Flags to be passed in the 'options' argument in the functions below.
- */
-#define	DNS_MASTER_AGETTL 	0x00000001	/*%< Age the ttl based on $DATE. */
-#define DNS_MASTER_MANYERRORS 	0x00000002	/*%< Continue processing on errors. */
-#define DNS_MASTER_NOINCLUDE 	0x00000004	/*%< Disallow $INCLUDE directives. */
-#define DNS_MASTER_ZONE 	0x00000008	/*%< Loading a zone master file. */
-#define DNS_MASTER_HINT 	0x00000010	/*%< Loading a hint master file. */
-#define DNS_MASTER_SLAVE 	0x00000020	/*%< Loading a slave master file. */
-#define DNS_MASTER_CHECKNS 	0x00000040	/*%<
-						 * Check NS records to see
-						 * if they are an address
-						 */
-#define DNS_MASTER_FATALNS 	0x00000080	/*%<
-						 * Treat DNS_MASTER_CHECKNS
-						 * matches as fatal
-						 */
-#define DNS_MASTER_CHECKNAMES   0x00000100
-#define DNS_MASTER_CHECKNAMESFAIL 0x00000200
-#define DNS_MASTER_CHECKWILDCARD 0x00000400	/* Check for internal wildcards. */
-#define DNS_MASTER_CHECKMX	0x00000800
-#define DNS_MASTER_CHECKMXFAIL	0x00001000
-
-#define DNS_MASTER_RESIGN	0x00002000
-#define DNS_MASTER_KEY	 	0x00004000	/*%< Loading a key zone master file. */
-
-ISC_LANG_BEGINDECLS
-
-/*
- * Structures that implement the "raw" format for master dump.
- * These are provided for a reference purpose only; in the actual
- * encoding, we directly read/write each field so that the encoded data
- * is always "packed", regardless of the hardware architecture.
- */
-#define DNS_RAWFORMAT_VERSION 1
-
-/*
- * Flags to indicate the status of the data in the raw file header
- */
-#define DNS_MASTERRAW_COMPAT 		0x01
-#define DNS_MASTERRAW_SOURCESERIALSET	0x02
-#define DNS_MASTERRAW_LASTXFRINSET	0x04
-
-/* Common header */
-struct dns_masterrawheader {
-	isc_uint32_t		format;		/* must be
-						 * dns_masterformat_raw */
-	isc_uint32_t		version;	/* compatibility for future
-						 * extensions */
-	isc_uint32_t		dumptime;	/* timestamp on creation
-						 * (currently unused) */
-	isc_uint32_t		flags;		/* Flags */
-	isc_uint32_t		sourceserial;	/* Source serial number (used
-						 * by inline-signing zones) */
-	isc_uint32_t		lastxfrin;	/* timestamp of last transfer
-						 * (used by slave zones) */
-};
-
-/* The structure for each RRset */
-typedef struct {
-	isc_uint32_t		totallen;	/* length of the data for this
-						 * RRset, including the
-						 * "header" part */
-	dns_rdataclass_t	rdclass;	/* 16-bit class */
-	dns_rdatatype_t		type;		/* 16-bit type */
-	dns_rdatatype_t		covers;		/* same as type */
-	dns_ttl_t		ttl;		/* 32-bit TTL */
-	isc_uint32_t		nrdata;		/* number of RRs in this set */
-	/* followed by encoded owner name, and then rdata */
-} dns_masterrawrdataset_t;
-
-/***
- ***	Function
- ***/
-
-isc_result_t
-dns_master_loadfile(const char *master_file,
-		    dns_name_t *top,
-		    dns_name_t *origin,
-		    dns_rdataclass_t zclass,
-		    unsigned int options,
-		    dns_rdatacallbacks_t *callbacks,
-		    isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadfile2(const char *master_file,
-		     dns_name_t *top,
-		     dns_name_t *origin,
-		     dns_rdataclass_t zclass,
-		     unsigned int options,
-		     dns_rdatacallbacks_t *callbacks,
-		     isc_mem_t *mctx,
-		     dns_masterformat_t format);
-
-isc_result_t
-dns_master_loadfile3(const char *master_file,
-		     dns_name_t *top,
-		     dns_name_t *origin,
-		     dns_rdataclass_t zclass,
-		     unsigned int options,
-		     isc_uint32_t resign,
-		     dns_rdatacallbacks_t *callbacks,
-		     isc_mem_t *mctx,
-		     dns_masterformat_t format);
-
-isc_result_t
-dns_master_loadstream(FILE *stream,
-		      dns_name_t *top,
-		      dns_name_t *origin,
-		      dns_rdataclass_t zclass,
-		      unsigned int options,
-		      dns_rdatacallbacks_t *callbacks,
-		      isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadbuffer(isc_buffer_t *buffer,
-		      dns_name_t *top,
-		      dns_name_t *origin,
-		      dns_rdataclass_t zclass,
-		      unsigned int options,
-		      dns_rdatacallbacks_t *callbacks,
-		      isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadlexer(isc_lex_t *lex,
-		     dns_name_t *top,
-		     dns_name_t *origin,
-		     dns_rdataclass_t zclass,
-		     unsigned int options,
-		     dns_rdatacallbacks_t *callbacks,
-		     isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadfileinc(const char *master_file,
-		       dns_name_t *top,
-		       dns_name_t *origin,
-		       dns_rdataclass_t zclass,
-		       unsigned int options,
-		       dns_rdatacallbacks_t *callbacks,
-		       isc_task_t *task,
-		       dns_loaddonefunc_t done, void *done_arg,
-		       dns_loadctx_t **ctxp, isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadfileinc2(const char *master_file,
-			dns_name_t *top,
-			dns_name_t *origin,
-			dns_rdataclass_t zclass,
-			unsigned int options,
-			dns_rdatacallbacks_t *callbacks,
-			isc_task_t *task,
-			dns_loaddonefunc_t done, void *done_arg,
-			dns_loadctx_t **ctxp, isc_mem_t *mctx,
-			dns_masterformat_t format);
-
-isc_result_t
-dns_master_loadfileinc3(const char *master_file,
-			dns_name_t *top,
-			dns_name_t *origin,
-			dns_rdataclass_t zclass,
-			unsigned int options,
-			isc_uint32_t resign,
-			dns_rdatacallbacks_t *callbacks,
-			isc_task_t *task,
-			dns_loaddonefunc_t done, void *done_arg,
-			dns_loadctx_t **ctxp, isc_mem_t *mctx,
-			dns_masterformat_t format);
-
-isc_result_t
-dns_master_loadstreaminc(FILE *stream,
-			 dns_name_t *top,
-			 dns_name_t *origin,
-			 dns_rdataclass_t zclass,
-			 unsigned int options,
-			 dns_rdatacallbacks_t *callbacks,
-			 isc_task_t *task,
-			 dns_loaddonefunc_t done, void *done_arg,
-			 dns_loadctx_t **ctxp, isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadbufferinc(isc_buffer_t *buffer,
-			 dns_name_t *top,
-			 dns_name_t *origin,
-			 dns_rdataclass_t zclass,
-			 unsigned int options,
-			 dns_rdatacallbacks_t *callbacks,
-			 isc_task_t *task,
-			 dns_loaddonefunc_t done, void *done_arg,
-			 dns_loadctx_t **ctxp, isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadlexerinc(isc_lex_t *lex,
-			dns_name_t *top,
-			dns_name_t *origin,
-			dns_rdataclass_t zclass,
-			unsigned int options,
-			dns_rdatacallbacks_t *callbacks,
-			isc_task_t *task,
-			dns_loaddonefunc_t done, void *done_arg,
-			dns_loadctx_t **ctxp, isc_mem_t *mctx);
-
-/*%<
- * Loads a RFC1305 master file from a file, stream, buffer, or existing
- * lexer into rdatasets and then calls 'callbacks->commit' to commit the
- * rdatasets.  Rdata memory belongs to dns_master_load and will be
- * reused / released when the callback completes.  dns_load_master will
- * abort if callbacks->commit returns any value other than ISC_R_SUCCESS.
- *
- * If 'DNS_MASTER_AGETTL' is set and the master file contains one or more
- * $DATE directives, the TTLs of the data will be aged accordingly.
- *
- * 'callbacks->commit' is assumed to call 'callbacks->error' or
- * 'callbacks->warn' to generate any error messages required.
- *
- * 'done' is called with 'done_arg' and a result code when the loading
- * is completed or has failed.  If the initial setup fails 'done' is
- * not called.
- *
- * 'resign' the number of seconds before a RRSIG expires that it should
- * be re-signed.  0 is used if not provided.
- *
- * Requires:
- *\li	'master_file' points to a valid string.
- *\li	'lexer' points to a valid lexer.
- *\li	'top' points to a valid name.
- *\li	'origin' points to a valid name.
- *\li	'callbacks->commit' points to a valid function.
- *\li	'callbacks->error' points to a valid function.
- *\li	'callbacks->warn' points to a valid function.
- *\li	'mctx' points to a valid memory context.
- *\li	'task' and 'done' to be valid.
- *\li	'lmgr' to be valid.
- *\li	'ctxp != NULL && ctxp == NULL'.
- *
- * Returns:
- *\li	ISC_R_SUCCESS upon successfully loading the master file.
- *\li	ISC_R_SEENINCLUDE upon successfully loading the master file with
- *		a $INCLUDE statement.
- *\li	ISC_R_NOMEMORY out of memory.
- *\li	ISC_R_UNEXPECTEDEND expected to be able to read a input token and
- *		there was not one.
- *\li	ISC_R_UNEXPECTED
- *\li	DNS_R_NOOWNER failed to specify a ownername.
- *\li	DNS_R_NOTTL failed to specify a ttl.
- *\li	DNS_R_BADCLASS record class did not match zone class.
- *\li	DNS_R_CONTINUE load still in progress (dns_master_load*inc() only).
- *\li	Any dns_rdata_fromtext() error code.
- *\li	Any error code from callbacks->commit().
- */
-
-void
-dns_loadctx_detach(dns_loadctx_t **ctxp);
-/*%<
- * Detach from the load context.
- *
- * Requires:
- *\li	'*ctxp' to be valid.
- *
- * Ensures:
- *\li	'*ctxp == NULL'
- */
-
-void
-dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target);
-/*%<
- * Attach to the load context.
- *
- * Requires:
- *\li	'source' to be valid.
- *\li	'target != NULL && *target == NULL'.
- */
-
-void
-dns_loadctx_cancel(dns_loadctx_t *ctx);
-/*%<
- * Cancel loading the zone file associated with this load context.
- *
- * Requires:
- *\li	'ctx' to be valid
- */
-
-void
-dns_master_initrawheader(dns_masterrawheader_t *header);
-/*%<
- * Initializes the header for a raw master file, setting all
- * values to zero.
- */
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_MASTER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/masterdump.h b/contrib/bind9/lib/dns/include/dns/masterdump.h
deleted file mode 100644
index 8631248..0000000
--- a/contrib/bind9/lib/dns/include/dns/masterdump.h
+++ /dev/null
@@ -1,372 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: masterdump.h,v 1.47 2011/12/08 23:46:49 tbox Exp $ */
-
-#ifndef DNS_MASTERDUMP_H
-#define DNS_MASTERDUMP_H 1
-
-/*! \file dns/masterdump.h */
-
-/***
- ***	Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-typedef struct dns_master_style dns_master_style_t;
-
-/***
- *** Definitions
- ***/
-
-/*
- * Flags affecting master file formatting.  Flags 0x0000FFFF
- * define the formatting of the rdata part and are defined in
- * rdata.h.
- */
-
-/*% Omit the owner name when possible. */
-#define	DNS_STYLEFLAG_OMIT_OWNER        0x00010000U
-
-/*%
- * Omit the TTL when possible.  If DNS_STYLEFLAG_TTL is
- * also set, this means no TTLs are ever printed
- * because $TTL directives are generated before every
- * change in the TTL.  In this case, no columns need to
- * be reserved for the TTL.  Master files generated with
- * these options will be rejected by BIND 4.x because it
- * does not recognize the $TTL directive.
- *
- * If DNS_STYLEFLAG_TTL is not also set, the TTL will be
- * omitted when it is equal to the previous TTL.
- * This is correct according to RFC1035, but the
- * TTLs may be silently misinterpreted by older
- * versions of BIND which use the SOA MINTTL as a
- * default TTL value.
- */
-#define	DNS_STYLEFLAG_OMIT_TTL		0x00020000U
-
-/*% Omit the class when possible. */
-#define	DNS_STYLEFLAG_OMIT_CLASS	0x00040000U
-
-/*% Output $TTL directives. */
-#define	DNS_STYLEFLAG_TTL		0x00080000U
-
-/*%
- * Output $ORIGIN directives and print owner names relative to
- * the origin when possible.
- */
-#define	DNS_STYLEFLAG_REL_OWNER		0x00100000U
-
-/*% Print domain names in RR data in relative form when possible.
-   For this to take effect, DNS_STYLEFLAG_REL_OWNER must also be set. */
-#define	DNS_STYLEFLAG_REL_DATA		0x00200000U
-
-/*% Print the trust level of each rdataset. */
-#define	DNS_STYLEFLAG_TRUST		0x00400000U
-
-/*% Print negative caching entries. */
-#define	DNS_STYLEFLAG_NCACHE		0x00800000U
-
-/*% Never print the TTL. */
-#define	DNS_STYLEFLAG_NO_TTL		0x01000000U
-
-/*% Never print the CLASS. */
-#define	DNS_STYLEFLAG_NO_CLASS		0x02000000U
-
-/*% Report re-signing time. */
-#define	DNS_STYLEFLAG_RESIGN		0x04000000U
-
-ISC_LANG_BEGINDECLS
-
-/***
- ***	Constants
- ***/
-
-/*%
- * The default master file style.
- *
- * This uses $TTL directives to avoid the need to dedicate a
- * tab stop for the TTL.  The class is only printed for the first
- * rrset in the file and shares a tab stop with the RR type.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_default;
-
-/*%
- * A master file style that dumps zones to a very generic format easily
- * imported/checked with external tools.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
-
-/*%
- * A master file style that prints explicit TTL values on each
- * record line, never using $TTL statements.  The TTL has a tab
- * stop of its own, but the class and type share one.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
-					dns_master_style_explicitttl;
-
-/*%
- * A master style format designed for cache files.  It prints explicit TTL
- * values on each record line and never uses $ORIGIN or relative names.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
-
-/*%
- * A master style that prints name, ttl, class, type, and value on
- * every line.  Similar to explicitttl above, but more verbose.
- * Intended for generating master files which can be easily parsed
- * by perl scripts and similar applications.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
-
-/*%
- * The style used for debugging, "dig" output, etc.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
-
-/***
- ***	Functions
- ***/
-
-void
-dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target);
-/*%<
- * Attach to a dump context.
- *
- * Require:
- *\li	'source' to be valid.
- *\li	'target' to be non NULL and '*target' to be NULL.
- */
-
-void
-dns_dumpctx_detach(dns_dumpctx_t **dctxp);
-/*%<
- * Detach from a dump context.
- *
- * Require:
- *\li	'dctxp' to point to a valid dump context.
- *
- * Ensures:
- *\li	'*dctxp' is NULL.
- */
-
-void
-dns_dumpctx_cancel(dns_dumpctx_t *dctx);
-/*%<
- * Cancel a in progress dump.
- *
- * Require:
- *\li	'dctx' to be valid.
- */
-
-dns_dbversion_t *
-dns_dumpctx_version(dns_dumpctx_t *dctx);
-/*%<
- * Return the version handle (if any) of the database being dumped.
- *
- * Require:
- *\li	'dctx' to be valid.
- */
-
-dns_db_t *
-dns_dumpctx_db(dns_dumpctx_t *dctx);
-/*%<
- * Return the database being dumped.
- *
- * Require:
- *\li	'dctx' to be valid.
- */
-
-
-/*@{*/
-isc_result_t
-dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
-			   dns_dbversion_t *version,
-			   const dns_master_style_t *style, FILE *f,
-			   isc_task_t *task, dns_dumpdonefunc_t done,
-			   void *done_arg, dns_dumpctx_t **dctxp);
-
-isc_result_t
-dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
-			dns_dbversion_t *version,
-			const dns_master_style_t *style, FILE *f);
-
-isc_result_t
-dns_master_dumptostream2(isc_mem_t *mctx, dns_db_t *db,
-			 dns_dbversion_t *version,
-			 const dns_master_style_t *style,
-			 dns_masterformat_t format, FILE *f);
-
-isc_result_t
-dns_master_dumptostream3(isc_mem_t *mctx, dns_db_t *db,
-			 dns_dbversion_t *version,
-			 const dns_master_style_t *style,
-			 dns_masterformat_t format,
-			 dns_masterrawheader_t *header, FILE *f);
-/*%<
- * Dump the database 'db' to the steam 'f' in the specified format by
- * 'format'.  If the format is dns_masterformat_text (the RFC1035 format),
- * 'style' specifies the file style (e.g., &dns_master_style_default).
- *
- * dns_master_dumptostream() is an old form of dns_master_dumptostream3(),
- * which always specifies the dns_masterformat_text format.
- * dns_master_dumptostream2() is an old form which always specifies
- * a NULL header.
- *
- * If 'format' is dns_masterformat_raw, then 'header' can contain
- * information to be written to the file header.
- *
- * Temporary dynamic memory may be allocated from 'mctx'.
- *
- * Require:
- *\li	'task' to be valid.
- *\li	'done' to be non NULL.
- *\li	'dctxp' to be non NULL && '*dctxp' to be NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_CONTINUE	dns_master_dumptostreaminc() only.
- *\li	ISC_R_NOMEMORY
- *\li	Any database or rrset iterator error.
- *\li	Any dns_rdata_totext() error code.
- */
-/*@}*/
-
-/*@{*/
-isc_result_t
-dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		   const dns_master_style_t *style, const char *filename,
-		   isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
-		   dns_dumpctx_t **dctxp);
-
-isc_result_t
-dns_master_dumpinc2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		    const dns_master_style_t *style, const char *filename,
-		    isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,			    dns_dumpctx_t **dctxp, dns_masterformat_t format);
-
-isc_result_t
-dns_master_dumpinc3(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		    const dns_master_style_t *style, const char *filename,
-		    isc_task_t *task, dns_dumpdonefunc_t done, void
-		    *done_arg, dns_dumpctx_t **dctxp,
-		    dns_masterformat_t format, dns_masterrawheader_t *header);
-
-isc_result_t
-dns_master_dump(isc_mem_t *mctx, dns_db_t *db,
-		dns_dbversion_t *version,
-		const dns_master_style_t *style, const char *filename);
-
-isc_result_t
-dns_master_dump2(isc_mem_t *mctx, dns_db_t *db,
-		 dns_dbversion_t *version,
-		 const dns_master_style_t *style, const char *filename,
-		 dns_masterformat_t format);
-
-isc_result_t
-dns_master_dump3(isc_mem_t *mctx, dns_db_t *db,
-		 dns_dbversion_t *version,
-		 const dns_master_style_t *style, const char *filename,
-		 dns_masterformat_t format, dns_masterrawheader_t *header);
-
-/*%<
- * Dump the database 'db' to the file 'filename' in the specified format by
- * 'format'.  If the format is dns_masterformat_text (the RFC1035 format),
- * 'style' specifies the file style (e.g., &dns_master_style_default).
- *
- * dns_master_dumpinc() and dns_master_dump() are old forms of _dumpinc3()
- * and _dump3(), respectively, which always specify the dns_masterformat_text
- * format.  dns_master_dumpinc2() and dns_master_dump2() are old forms which
- * always specify a NULL header.
- *
- * If 'format' is dns_masterformat_raw, then 'header' can contain
- * information to be written to the file header.
- *
- * Temporary dynamic memory may be allocated from 'mctx'.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_CONTINUE	dns_master_dumpinc() only.
- *\li	ISC_R_NOMEMORY
- *\li	Any database or rrset iterator error.
- *\li	Any dns_rdata_totext() error code.
- */
-/*@}*/
-
-isc_result_t
-dns_master_rdatasettotext(dns_name_t *owner_name,
-			  dns_rdataset_t *rdataset,
-			  const dns_master_style_t *style,
-			  isc_buffer_t *target);
-/*%<
- * Convert 'rdataset' to text format, storing the result in 'target'.
- *
- * Notes:
- *\li	The rdata cursor position will be changed.
- *
- * Requires:
- *\li	'rdataset' is a valid non-question rdataset.
- *
- *\li	'rdataset' is not empty.
- */
-
-isc_result_t
-dns_master_questiontotext(dns_name_t *owner_name,
-			  dns_rdataset_t *rdataset,
-			  const dns_master_style_t *style,
-			  isc_buffer_t *target);
-
-isc_result_t
-dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
-			    dns_dbversion_t *version,
-			    dns_dbnode_t *node, dns_name_t *name,
-			    const dns_master_style_t *style,
-			    FILE *f);
-
-isc_result_t
-dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		    dns_dbnode_t *node, dns_name_t *name,
-		    const dns_master_style_t *style, const char *filename);
-
-isc_result_t
-dns_master_stylecreate(dns_master_style_t **style, unsigned int flags,
-		       unsigned int ttl_column, unsigned int class_column,
-		       unsigned int type_column, unsigned int rdata_column,
-		       unsigned int line_length, unsigned int tab_width,
-		       isc_mem_t *mctx);
-
-isc_result_t
-dns_master_stylecreate2(dns_master_style_t **style, unsigned int flags,
-		       unsigned int ttl_column, unsigned int class_column,
-		       unsigned int type_column, unsigned int rdata_column,
-		       unsigned int line_length, unsigned int tab_width,
-		       unsigned int split_width, isc_mem_t *mctx);
-void
-dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_MASTERDUMP_H */
diff --git a/contrib/bind9/lib/dns/include/dns/message.h b/contrib/bind9/lib/dns/include/dns/message.h
deleted file mode 100644
index a6862fa..0000000
--- a/contrib/bind9/lib/dns/include/dns/message.h
+++ /dev/null
@@ -1,1379 +0,0 @@
-/*
- * Copyright (C) 2004-2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef DNS_MESSAGE_H
-#define DNS_MESSAGE_H 1
-
-/***
- ***	Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/compress.h>
-#include <dns/masterdump.h>
-#include <dns/types.h>
-
-#include <dst/dst.h>
-
-/*! \file dns/message.h
- * \brief Message Handling Module
- *
- * How this beast works:
- *
- * When a dns message is received in a buffer, dns_message_fromwire() is called
- * on the memory region.  Various items are checked including the format
- * of the message (if counts are right, if counts consume the entire sections,
- * and if sections consume the entire message) and known pseudo-RRs in the
- * additional data section are analyzed and removed.
- *
- * TSIG checking is also done at this layer, and any DNSSEC transaction
- * signatures should also be checked here.
- *
- * Notes on using the gettemp*() and puttemp*() functions:
- *
- * These functions return items (names, rdatasets, etc) allocated from some
- * internal state of the dns_message_t.
- *
- * Names and rdatasets must be put back into the dns_message_t in
- * one of two ways.  Assume a name was allocated via
- * dns_message_gettempname():
- *
- *\li	(1) insert it into a section, using dns_message_addname().
- *
- *\li	(2) return it to the message using dns_message_puttempname().
- *
- * The same applies to rdatasets.
- *
- * On the other hand, offsets, rdatalists and rdatas allocated using
- * dns_message_gettemp*() will always be freed automatically
- * when the message is reset or destroyed; calling dns_message_puttemp*()
- * on rdatalists and rdatas is optional and serves only to enable the item
- * to be reused multiple times during the lifetime of the message; offsets
- * cannot be reused.
- *
- * Buffers allocated using isc_buffer_allocate() can be automatically freed
- * as well by giving the buffer to the message using dns_message_takebuffer().
- * Doing this will cause the buffer to be freed using isc_buffer_free()
- * when the section lists are cleared, such as in a reset or in a destroy.
- * Since the buffer itself exists until the message is destroyed, this sort
- * of code can be written:
- *
- * \code
- *	buffer = isc_buffer_allocate(mctx, 512);
- *	name = NULL;
- *	name = dns_message_gettempname(message, &name);
- *	dns_name_init(name, NULL);
- *	result = dns_name_fromtext(name, &source, dns_rootname, 0, buffer);
- *	dns_message_takebuffer(message, &buffer);
- * \endcode
- *
- *
- * TODO:
- *
- * XXX Needed:  ways to set and retrieve EDNS information, add rdata to a
- * section, move rdata from one section to another, remove rdata, etc.
- */
-
-#define DNS_MESSAGEFLAG_QR		0x8000U
-#define DNS_MESSAGEFLAG_AA		0x0400U
-#define DNS_MESSAGEFLAG_TC		0x0200U
-#define DNS_MESSAGEFLAG_RD		0x0100U
-#define DNS_MESSAGEFLAG_RA		0x0080U
-#define DNS_MESSAGEFLAG_AD		0x0020U
-#define DNS_MESSAGEFLAG_CD		0x0010U
-
-/*%< EDNS0 extended message flags */
-#define DNS_MESSAGEEXTFLAG_DO		0x8000U
-
-/*%< EDNS0 extended OPT codes */
-#define DNS_OPT_NSID		0x0003		/*%< NSID opt code */
-
-#define DNS_MESSAGE_REPLYPRESERVE	(DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD)
-#define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
-
-#define DNS_MESSAGE_HEADERLEN		12 /*%< 6 isc_uint16_t's */
-
-#define DNS_MESSAGE_MAGIC		ISC_MAGIC('M','S','G','@')
-#define DNS_MESSAGE_VALID(msg)		ISC_MAGIC_VALID(msg, DNS_MESSAGE_MAGIC)
-
-/*
- * Ordering here matters.  DNS_SECTION_ANY must be the lowest and negative,
- * and DNS_SECTION_MAX must be one greater than the last used section.
- */
-typedef int dns_section_t;
-#define DNS_SECTION_ANY			(-1)
-#define DNS_SECTION_QUESTION		0
-#define DNS_SECTION_ANSWER		1
-#define DNS_SECTION_AUTHORITY		2
-#define DNS_SECTION_ADDITIONAL		3
-#define DNS_SECTION_MAX			4
-
-typedef int dns_pseudosection_t;
-#define DNS_PSEUDOSECTION_ANY		(-1)
-#define DNS_PSEUDOSECTION_OPT           0
-#define DNS_PSEUDOSECTION_TSIG          1
-#define DNS_PSEUDOSECTION_SIG0          2
-#define DNS_PSEUDOSECTION_MAX           3
-
-typedef int dns_messagetextflag_t;
-#define DNS_MESSAGETEXTFLAG_NOCOMMENTS	0x0001
-#define DNS_MESSAGETEXTFLAG_NOHEADERS	0x0002
-#define DNS_MESSAGETEXTFLAG_ONESOA	0x0004
-#define DNS_MESSAGETEXTFLAG_OMITSOA	0x0008
-
-/*
- * Dynamic update names for these sections.
- */
-#define DNS_SECTION_ZONE		DNS_SECTION_QUESTION
-#define DNS_SECTION_PREREQUISITE	DNS_SECTION_ANSWER
-#define DNS_SECTION_UPDATE		DNS_SECTION_AUTHORITY
-
-/*
- * These tell the message library how the created dns_message_t will be used.
- */
-#define DNS_MESSAGE_INTENTUNKNOWN	0 /*%< internal use only */
-#define DNS_MESSAGE_INTENTPARSE		1 /*%< parsing messages */
-#define DNS_MESSAGE_INTENTRENDER	2 /*%< rendering */
-
-/*
- * Control behavior of parsing
- */
-#define DNS_MESSAGEPARSE_PRESERVEORDER	0x0001	/*%< preserve rdata order */
-#define DNS_MESSAGEPARSE_BESTEFFORT	0x0002	/*%< return a message if a
-						   recoverable parse error
-						   occurs */
-#define DNS_MESSAGEPARSE_CLONEBUFFER	0x0004	/*%< save a copy of the
-						   source buffer */
-#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /*%< truncation errors are
-						  * not fatal. */
-
-/*
- * Control behavior of rendering
- */
-#define DNS_MESSAGERENDER_ORDERED	0x0001	/*%< don't change order */
-#define DNS_MESSAGERENDER_PARTIAL	0x0002	/*%< allow a partial rdataset */
-#define DNS_MESSAGERENDER_OMITDNSSEC	0x0004	/*%< omit DNSSEC records */
-#define DNS_MESSAGERENDER_PREFER_A	0x0008	/*%< prefer A records in
-						      additional section. */
-#define DNS_MESSAGERENDER_PREFER_AAAA	0x0010	/*%< prefer AAAA records in
-						  additional section. */
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-#define DNS_MESSAGERENDER_FILTER_AAAA	0x0020	/*%< filter AAAA records */
-#endif
-
-typedef struct dns_msgblock dns_msgblock_t;
-
-struct dns_message {
-	/* public from here down */
-	unsigned int			magic;
-
-	dns_messageid_t			id;
-	unsigned int			flags;
-	dns_rcode_t			rcode;
-	unsigned int			opcode;
-	dns_rdataclass_t		rdclass;
-
-	/* 4 real, 1 pseudo */
-	unsigned int			counts[DNS_SECTION_MAX];
-
-	/* private from here down */
-	dns_namelist_t			sections[DNS_SECTION_MAX];
-	dns_name_t		       *cursors[DNS_SECTION_MAX];
-	dns_rdataset_t		       *opt;
-	dns_rdataset_t		       *sig0;
-	dns_rdataset_t		       *tsig;
-
-	int				state;
-	unsigned int			from_to_wire : 2;
-	unsigned int			header_ok : 1;
-	unsigned int			question_ok : 1;
-	unsigned int			tcp_continuation : 1;
-	unsigned int			verified_sig : 1;
-	unsigned int			verify_attempted : 1;
-	unsigned int			free_query : 1;
-	unsigned int			free_saved : 1;
-
-	unsigned int			opt_reserved;
-	unsigned int			sig_reserved;
-	unsigned int			reserved; /* reserved space (render) */
-
-	isc_buffer_t		       *buffer;
-	dns_compress_t		       *cctx;
-
-	isc_mem_t		       *mctx;
-	isc_mempool_t		       *namepool;
-	isc_mempool_t		       *rdspool;
-
-	isc_bufferlist_t		scratchpad;
-	isc_bufferlist_t		cleanup;
-
-	ISC_LIST(dns_msgblock_t)	rdatas;
-	ISC_LIST(dns_msgblock_t)	rdatalists;
-	ISC_LIST(dns_msgblock_t)	offsets;
-
-	ISC_LIST(dns_rdata_t)		freerdata;
-	ISC_LIST(dns_rdatalist_t)	freerdatalist;
-
-	dns_rcode_t			tsigstatus;
-	dns_rcode_t			querytsigstatus;
-	dns_name_t		       *tsigname; /* Owner name of TSIG, if any */
-	dns_rdataset_t		       *querytsig;
-	dns_tsigkey_t		       *tsigkey;
-	dst_context_t		       *tsigctx;
-	int				sigstart;
-	int				timeadjust;
-
-	dns_name_t		       *sig0name; /* Owner name of SIG0, if any */
-	dst_key_t		       *sig0key;
-	dns_rcode_t			sig0status;
-	isc_region_t			query;
-	isc_region_t			saved;
-
-	dns_rdatasetorderfunc_t		order;
-	const void *			order_arg;
-};
-
-struct dns_ednsopt {
-	isc_uint16_t			code;
-	isc_uint16_t			length;
-	unsigned char			*value;
-};
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp);
-
-/*%<
- * Create msg structure.
- *
- * This function will allocate some internal blocks of memory that are
- * expected to be needed for parsing or rendering nearly any type of message.
- *
- * Requires:
- *\li	'mctx' be a valid memory context.
- *
- *\li	'msgp' be non-null and '*msg' be NULL.
- *
- *\li	'intent' must be one of DNS_MESSAGE_INTENTPARSE or
- *	#DNS_MESSAGE_INTENTRENDER.
- *
- * Ensures:
- *\li	The data in "*msg" is set to indicate an unused and empty msg
- *	structure.
- *
- * Returns:
- *\li	#ISC_R_NOMEMORY		-- out of memory
- *\li	#ISC_R_SUCCESS		-- success
- */
-
-void
-dns_message_reset(dns_message_t *msg, unsigned int intent);
-/*%<
- * Reset a message structure to default state.  All internal lists are freed
- * or reset to a default state as well.  This is simply a more efficient
- * way to call dns_message_destroy() followed by dns_message_allocate(),
- * since it avoid many memory allocations.
- *
- * If any data loanouts (buffers, names, rdatas, etc) were requested,
- * the caller must no longer use them after this call.
- *
- * The intended next use of the message will be 'intent'.
- *
- * Requires:
- *
- *\li	'msg' be valid.
- *
- *\li	'intent' is DNS_MESSAGE_INTENTPARSE or DNS_MESSAGE_INTENTRENDER
- */
-
-void
-dns_message_destroy(dns_message_t **msgp);
-/*%<
- * Destroy all state in the message.
- *
- * Requires:
- *
- *\li	'msgp' be valid.
- *
- * Ensures:
- *\li	'*msgp' == NULL
- */
-
-isc_result_t
-dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
-			  const dns_master_style_t *style,
-			  dns_messagetextflag_t flags,
-			  isc_buffer_t *target);
-
-isc_result_t
-dns_message_pseudosectiontotext(dns_message_t *msg,
-				dns_pseudosection_t section,
-				const dns_master_style_t *style,
-				dns_messagetextflag_t flags,
-				isc_buffer_t *target);
-/*%<
- * Convert section 'section' or 'pseudosection' of message 'msg' to
- * a cleartext representation
- *
- * Notes:
- *     \li See dns_message_totext for meanings of flags.
- *
- * Requires:
- *
- *\li	'msg' is a valid message.
- *
- *\li	'style' is a valid master dump style.
- *
- *\li	'target' is a valid buffer.
- *
- *\li	'section' is a valid section label.
- *
- * Ensures:
- *
- *\li	If the result is success:
- *		The used space in 'target' is updated.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE
- *\li	#ISC_R_NOMORE
- *
- *\li	Note: On error return, *target may be partially filled with data.
-*/
-
-isc_result_t
-dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
-		   dns_messagetextflag_t flags, isc_buffer_t *target);
-/*%<
- * Convert all sections of message 'msg' to a cleartext representation
- *
- * Notes:
- * \li     In flags, If #DNS_MESSAGETEXTFLAG_OMITDOT is set, then the
- *      final '.' in absolute names will not be emitted.  If
- *      #DNS_MESSAGETEXTFLAG_NOCOMMENTS is cleared, lines beginning
- *      with ";;" will be emitted indicating section name.  If
- *      #DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will
- *      be emitted.
- *
- *	If #DNS_MESSAGETEXTFLAG_ONESOA is set then only print the
- *	first SOA record in the answer section.  If
- *	#DNS_MESSAGETEXTFLAG_OMITSOA is set don't print any SOA records
- *	in the answer section.  These are useful for suppressing the
- *	display of the second SOA record in a AXFR by setting
- *	#DNS_MESSAGETEXTFLAG_ONESOA on the first message in a AXFR stream
- *	and #DNS_MESSAGETEXTFLAG_OMITSOA on subsequent messages.
- *
- * Requires:
- *
- *\li	'msg' is a valid message.
- *
- *\li	'style' is a valid master dump style.
- *
- *\li	'target' is a valid buffer.
- *
- * Ensures:
- *
- *\li	If the result is success:
- *		The used space in 'target' is updated.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE
- *\li	#ISC_R_NOMORE
- *
- *\li	Note: On error return, *target may be partially filled with data.
- */
-
-isc_result_t
-dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
-		  unsigned int options);
-/*%<
- * Parse raw wire data in 'source' as a DNS message.
- *
- * OPT records are detected and stored in the pseudo-section "opt".
- * TSIGs are detected and stored in the pseudo-section "tsig".
- *
- * If #DNS_MESSAGEPARSE_PRESERVEORDER is set, or if the opcode of the message
- * is UPDATE, a separate dns_name_t object will be created for each RR in the
- * message.  Each such dns_name_t will have a single rdataset containing the
- * single RR, and the order of the RRs in the message is preserved.
- * Otherwise, only one dns_name_t object will be created for each unique
- * owner name in the section, and each such dns_name_t will have a list
- * of rdatasets.  To access the names and their data, use
- * dns_message_firstname() and dns_message_nextname().
- *
- * If #DNS_MESSAGEPARSE_BESTEFFORT is set, errors in message content will
- * not be considered FORMERRs.  If the entire message can be parsed, it
- * will be returned and DNS_R_RECOVERABLE will be returned.
- *
- * If #DNS_MESSAGEPARSE_IGNORETRUNCATION is set then return as many complete
- * RR's as possible, DNS_R_RECOVERABLE will be returned.
- *
- * OPT and TSIG records are always handled specially, regardless of the
- * 'preserve_order' setting.
- *
- * Requires:
- *\li	"msg" be valid.
- *
- *\li	"buffer" be a wire format buffer.
- *
- * Ensures:
- *\li	The buffer's data format is correct.
- *
- *\li	The buffer's contents verify as correct regarding header bits, buffer
- * 	and rdata sizes, etc.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all is well
- *\li	#ISC_R_NOMEMORY		-- no memory
- *\li	#DNS_R_RECOVERABLE	-- the message parsed properly, but contained
- *				   errors.
- *\li	Many other errors possible XXXMLG
- */
-
-isc_result_t
-dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
-			isc_buffer_t *buffer);
-/*%<
- * Begin rendering on a message.  Only one call can be made to this function
- * per message.
- *
- * The compression context is "owned" by the message library until
- * dns_message_renderend() is called.  It must be invalidated by the caller.
- *
- * The buffer is "owned" by the message library until dns_message_renderend()
- * is called.
- *
- * Requires:
- *
- *\li	'msg' be valid.
- *
- *\li	'cctx' be valid.
- *
- *\li	'buffer' is a valid buffer.
- *
- * Side Effects:
- *
- *\li	The buffer is cleared before it is used.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all is well
- *\li	#ISC_R_NOSPACE		-- output buffer is too small
- */
-
-isc_result_t
-dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
-/*%<
- * Reset the buffer.  This can be used after growing the old buffer
- * on a ISC_R_NOSPACE return from most of the render functions.
- *
- * On successful completion, the old buffer is no longer used by the
- * library.  The new buffer is owned by the library until
- * dns_message_renderend() is called.
- *
- * Requires:
- *
- *\li	'msg' be valid.
- *
- *\li	dns_message_renderbegin() was called.
- *
- *\li	buffer != NULL.
- *
- * Returns:
- *\li	#ISC_R_NOSPACE		-- new buffer is too small
- *\li	#ISC_R_SUCCESS		-- all is well.
- */
-
-isc_result_t
-dns_message_renderreserve(dns_message_t *msg, unsigned int space);
-/*%<
- * XXXMLG should use size_t rather than unsigned int once the buffer
- * API is cleaned up
- *
- * Reserve "space" bytes in the given buffer.
- *
- * Requires:
- *
- *\li	'msg' be valid.
- *
- *\li	dns_message_renderbegin() was called.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all is well.
- *\li	#ISC_R_NOSPACE		-- not enough free space in the buffer.
- */
-
-void
-dns_message_renderrelease(dns_message_t *msg, unsigned int space);
-/*%<
- * XXXMLG should use size_t rather than unsigned int once the buffer
- * API is cleaned up
- *
- * Release "space" bytes in the given buffer that was previously reserved.
- *
- * Requires:
- *
- *\li	'msg' be valid.
- *
- *\li	'space' is less than or equal to the total amount of space reserved
- *	via prior calls to dns_message_renderreserve().
- *
- *\li	dns_message_renderbegin() was called.
- */
-
-isc_result_t
-dns_message_rendersection(dns_message_t *msg, dns_section_t section,
-			  unsigned int options);
-/*%<
- * Render all names, rdatalists, etc from the given section at the
- * specified priority or higher.
- *
- * Requires:
- *\li	'msg' be valid.
- *
- *\li	'section' be a valid section.
- *
- *\li	dns_message_renderbegin() was called.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all records were written, and there are
- *				   no more records for this section.
- *\li	#ISC_R_NOSPACE		-- Not enough room in the buffer to write
- *				   all records requested.
- *\li	#DNS_R_MOREDATA		-- All requested records written, and there
- *				   are records remaining for this section.
- */
-
-void
-dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target);
-/*%<
- * Render the message header.  This is implicitly called by
- * dns_message_renderend().
- *
- * Requires:
- *
- *\li	'msg' be a valid message.
- *
- *\li	dns_message_renderbegin() was called.
- *
- *\li	'target' is a valid buffer with enough space to hold a message header
- */
-
-isc_result_t
-dns_message_renderend(dns_message_t *msg);
-/*%<
- * Finish rendering to the buffer.  Note that more data can be in the
- * 'msg' structure.  Destroying the structure will free this, or in a multi-
- * part EDNS1 message this data can be rendered to another buffer later.
- *
- * Requires:
- *
- *\li	'msg' be a valid message.
- *
- *\li	dns_message_renderbegin() was called.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all is well.
- */
-
-void
-dns_message_renderreset(dns_message_t *msg);
-/*%<
- * Reset the message so that it may be rendered again.
- *
- * Notes:
- *
- *\li	If dns_message_renderbegin() has been called, dns_message_renderend()
- *	must be called before calling this function.
- *
- * Requires:
- *
- *\li	'msg' be a valid message with rendering intent.
- */
-
-isc_result_t
-dns_message_firstname(dns_message_t *msg, dns_section_t section);
-/*%<
- * Set internal per-section name pointer to the beginning of the section.
- *
- * The functions dns_message_firstname() and dns_message_nextname() may
- * be used for iterating over the owner names in a section.
- *
- * Requires:
- *
- *\li   	'msg' be valid.
- *
- *\li	'section' be a valid section.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- All is well.
- *\li	#ISC_R_NOMORE		-- No names on given section.
- */
-
-isc_result_t
-dns_message_nextname(dns_message_t *msg, dns_section_t section);
-/*%<
- * Sets the internal per-section name pointer to point to the next name
- * in that section.
- *
- * Requires:
- *
- * \li  	'msg' be valid.
- *
- *\li	'section' be a valid section.
- *
- *\li	dns_message_firstname() must have been called on this section,
- *	and the result was ISC_R_SUCCESS.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- All is well.
- *\li	#ISC_R_NOMORE		-- No more names in given section.
- */
-
-void
-dns_message_currentname(dns_message_t *msg, dns_section_t section,
-			dns_name_t **name);
-/*%<
- * Sets 'name' to point to the name where the per-section internal name
- * pointer is currently set.
- *
- * This function returns the name in the database, so any data associated
- * with it (via the name's "list" member) contains the actual rdatasets.
- *
- * Requires:
- *
- *\li	'msg' be valid.
- *
- *\li	'name' be non-NULL, and *name be NULL.
- *
- *\li	'section' be a valid section.
- *
- *\li	dns_message_firstname() must have been called on this section,
- *	and the result of it and any dns_message_nextname() calls was
- *	#ISC_R_SUCCESS.
- */
-
-isc_result_t
-dns_message_findname(dns_message_t *msg, dns_section_t section,
-		     dns_name_t *target, dns_rdatatype_t type,
-		     dns_rdatatype_t covers, dns_name_t **foundname,
-		     dns_rdataset_t **rdataset);
-/*%<
- * Search for a name in the specified section.  If it is found, *name is
- * set to point to the name, and *rdataset is set to point to the found
- * rdataset (if type is specified as other than dns_rdatatype_any).
- *
- * Requires:
- *\li	'msg' be valid.
- *
- *\li	'section' be a valid section.
- *
- *\li	If a pointer to the name is desired, 'foundname' should be non-NULL.
- *	If it is non-NULL, '*foundname' MUST be NULL.
- *
- *\li	If a type other than dns_datatype_any is searched for, 'rdataset'
- *	may be non-NULL, '*rdataset' be NULL, and will point at the found
- *	rdataset.  If the type is dns_datatype_any, 'rdataset' must be NULL.
- *
- *\li	'target' be a valid name.
- *
- *\li	'type' be a valid type.
- *
- *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
- *	Otherwise it should be 0.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all is well.
- *\li	#DNS_R_NXDOMAIN		-- name does not exist in that section.
- *\li	#DNS_R_NXRRSET		-- The name does exist, but the desired
- *				   type does not.
- */
-
-isc_result_t
-dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
-		     dns_rdatatype_t covers, dns_rdataset_t **rdataset);
-/*%<
- * Search the name for the specified type.  If it is found, *rdataset is
- * filled in with a pointer to that rdataset.
- *
- * Requires:
- *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
- *
- *\li	'type' be a valid type, and NOT dns_rdatatype_any.
- *
- *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
- *	Otherwise it should be 0.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all is well.
- *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
- */
-
-isc_result_t
-dns_message_find(dns_name_t *name, dns_rdataclass_t rdclass,
-		 dns_rdatatype_t type, dns_rdatatype_t covers,
-		 dns_rdataset_t **rdataset);
-/*%<
- * Search the name for the specified rdclass and type.  If it is found,
- * *rdataset is filled in with a pointer to that rdataset.
- *
- * Requires:
- *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
- *
- *\li	'type' be a valid type, and NOT dns_rdatatype_any.
- *
- *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
- *	Otherwise it should be 0.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all is well.
- *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
- */
-
-void
-dns_message_movename(dns_message_t *msg, dns_name_t *name,
-		     dns_section_t fromsection,
-		     dns_section_t tosection);
-/*%<
- * Move a name from one section to another.
- *
- * Requires:
- *
- *\li	'msg' be valid.
- *
- *\li	'name' must be a name already in 'fromsection'.
- *
- *\li	'fromsection' must be a valid section.
- *
- *\li	'tosection' must be a valid section.
- */
-
-void
-dns_message_addname(dns_message_t *msg, dns_name_t *name,
-		    dns_section_t section);
-/*%<
- * Adds the name to the given section.
- *
- * It is the caller's responsibility to enforce any unique name requirements
- * in a section.
- *
- * Requires:
- *
- *\li	'msg' be valid, and be a renderable message.
- *
- *\li	'name' be a valid absolute name.
- *
- *\li	'section' be a named section.
- */
-
-void
-dns_message_removename(dns_message_t *msg, dns_name_t *name,
-		       dns_section_t section);
-/*%<
- * Remove a existing name from a given section.
- *
- * It is the caller's responsibility to ensure the name is part of the
- * given section.
- *
- * Requires:
- *
- *\li	'msg' be valid, and be a renderable message.
- *
- *\li	'name' be a valid absolute name.
- *
- *\li	'section' be a named section.
- */
-
-
-/*
- * LOANOUT FUNCTIONS
- *
- * Each of these functions loan a particular type of data to the caller.
- * The storage for these will vanish when the message is destroyed or
- * reset, and must NOT be used after these operations.
- */
-
-isc_result_t
-dns_message_gettempname(dns_message_t *msg, dns_name_t **item);
-/*%<
- * Return a name that can be used for any temporary purpose, including
- * inserting into the message's linked lists.  The name must be returned
- * to the message code using dns_message_puttempname() or inserted into
- * one of the message's sections before the message is destroyed.
- *
- * It is the caller's responsibility to initialize this name.
- *
- * Requires:
- *\li	msg be a valid message
- *
- *\li	item != NULL && *item == NULL
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- All is well.
- *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
- */
-
-isc_result_t
-dns_message_gettempoffsets(dns_message_t *msg, dns_offsets_t **item);
-/*%<
- * Return an offsets array that can be used for any temporary purpose,
- * such as attaching to a temporary name.  The offsets will be freed
- * when the message is destroyed or reset.
- *
- * Requires:
- *\li	msg be a valid message
- *
- *\li	item != NULL && *item == NULL
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- All is well.
- *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
- */
-
-isc_result_t
-dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item);
-/*%<
- * Return a rdata that can be used for any temporary purpose, including
- * inserting into the message's linked lists.  The rdata will be freed
- * when the message is destroyed or reset.
- *
- * Requires:
- *\li	msg be a valid message
- *
- *\li	item != NULL && *item == NULL
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- All is well.
- *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
- */
-
-isc_result_t
-dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item);
-/*%<
- * Return a rdataset that can be used for any temporary purpose, including
- * inserting into the message's linked lists. The name must be returned
- * to the message code using dns_message_puttempname() or inserted into
- * one of the message's sections before the message is destroyed.
- *
- * Requires:
- *\li	msg be a valid message
- *
- *\li	item != NULL && *item == NULL
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- All is well.
- *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
- */
-
-isc_result_t
-dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
-/*%<
- * Return a rdatalist that can be used for any temporary purpose, including
- * inserting into the message's linked lists.  The rdatalist will be
- * destroyed when the message is destroyed or reset.
- *
- * Requires:
- *\li	msg be a valid message
- *
- *\li	item != NULL && *item == NULL
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- All is well.
- *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
- */
-
-void
-dns_message_puttempname(dns_message_t *msg, dns_name_t **item);
-/*%<
- * Return a borrowed name to the message's name free list.
- *
- * Requires:
- *\li	msg be a valid message
- *
- *\li	item != NULL && *item point to a name returned by
- *	dns_message_gettempname()
- *
- * Ensures:
- *\li	*item == NULL
- */
-
-void
-dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item);
-/*%<
- * Return a borrowed rdata to the message's rdata free list.
- *
- * Requires:
- *\li	msg be a valid message
- *
- *\li	item != NULL && *item point to a rdata returned by
- *	dns_message_gettemprdata()
- *
- * Ensures:
- *\li	*item == NULL
- */
-
-void
-dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item);
-/*%<
- * Return a borrowed rdataset to the message's rdataset free list.
- *
- * Requires:
- *\li	msg be a valid message
- *
- *\li	item != NULL && *item point to a rdataset returned by
- *	dns_message_gettemprdataset()
- *
- * Ensures:
- *\li	*item == NULL
- */
-
-void
-dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
-/*%<
- * Return a borrowed rdatalist to the message's rdatalist free list.
- *
- * Requires:
- *\li	msg be a valid message
- *
- *\li	item != NULL && *item point to a rdatalist returned by
- *	dns_message_gettemprdatalist()
- *
- * Ensures:
- *\li	*item == NULL
- */
-
-isc_result_t
-dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
-		       unsigned int *flagsp);
-/*%<
- * Assume the remaining region of "source" is a DNS message.  Peek into
- * it and fill in "*idp" with the message id, and "*flagsp" with the flags.
- *
- * Requires:
- *
- *\li	source != NULL
- *
- * Ensures:
- *
- *\li	if (idp != NULL) *idp == message id.
- *
- *\li	if (flagsp != NULL) *flagsp == message flags.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		-- all is well.
- *
- *\li	#ISC_R_UNEXPECTEDEND	-- buffer doesn't contain enough for a header.
- */
-
-isc_result_t
-dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section);
-/*%<
- * Start formatting a reply to the query in 'msg'.
- *
- * Requires:
- *
- *\li	'msg' is a valid message with parsing intent, and contains a query.
- *
- * Ensures:
- *
- *\li	The message will have a rendering intent.  If 'want_question_section'
- *	is true, the message opcode is query or notify, and the question
- *	section is present and properly formatted, then the question section
- *	will be included in the reply.  All other sections will be cleared.
- *	The QR flag will be set, the RD flag will be preserved, and all other
- *	flags will be cleared.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		-- all is well.
- *
- *\li	#DNS_R_FORMERR		-- the header or question section of the
- *				   message is invalid, replying is impossible.
- *				   If DNS_R_FORMERR is returned when
- *				   want_question_section is ISC_FALSE, then
- *				   it's the header section that's bad;
- *				   otherwise either of the header or question
- *				   sections may be bad.
- */
-
-dns_rdataset_t *
-dns_message_getopt(dns_message_t *msg);
-/*%<
- * Get the OPT record for 'msg'.
- *
- * Requires:
- *
- *\li	'msg' is a valid message.
- *
- * Returns:
- *
- *\li	The OPT rdataset of 'msg', or NULL if there isn't one.
- */
-
-isc_result_t
-dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
-/*%<
- * Set the OPT record for 'msg'.
- *
- * Requires:
- *
- *\li	'msg' is a valid message with rendering intent
- *	and no sections have been rendered.
- *
- *\li	'opt' is a valid OPT record.
- *
- * Ensures:
- *
- *\li	The OPT record has either been freed or ownership of it has
- *	been transferred to the message.
- *
- *\li	If ISC_R_SUCCESS was returned, the OPT record will be rendered
- *	when dns_message_renderend() is called.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		-- all is well.
- *
- *\li	#ISC_R_NOSPACE		-- there is no space for the OPT record.
- */
-
-dns_rdataset_t *
-dns_message_gettsig(dns_message_t *msg, dns_name_t **owner);
-/*%<
- * Get the TSIG record and owner for 'msg'.
- *
- * Requires:
- *
- *\li	'msg' is a valid message.
- *\li	'owner' is NULL or *owner is NULL.
- *
- * Returns:
- *
- *\li	The TSIG rdataset of 'msg', or NULL if there isn't one.
- *
- * Ensures:
- *
- * \li	If 'owner' is not NULL, it will point to the owner name.
- */
-
-isc_result_t
-dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key);
-/*%<
- * Set the tsig key for 'msg'.  This is only necessary for when rendering a
- * query or parsing a response.  The key (if non-NULL) is attached to, and
- * will be detached when the message is destroyed.
- *
- * Requires:
- *
- *\li	'msg' is a valid message with rendering intent,
- *	dns_message_renderbegin() has been called, and no sections have been
- *	rendered.
- *\li	'key' is a valid tsig key or NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		-- all is well.
- *
- *\li	#ISC_R_NOSPACE		-- there is no space for the TSIG record.
- */
-
-dns_tsigkey_t *
-dns_message_gettsigkey(dns_message_t *msg);
-/*%<
- * Gets the tsig key for 'msg'.
- *
- * Requires:
- *
- *\li	'msg' is a valid message
- */
-
-isc_result_t
-dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig);
-/*%<
- * Indicates that 'querytsig' is the TSIG from the signed query for which
- * 'msg' is the response.  This is also used for chained TSIGs in TCP
- * responses.
- *
- * Requires:
- *
- *\li	'querytsig' is a valid buffer as returned by dns_message_getquerytsig()
- *	or NULL
- *
- *\li	'msg' is a valid message
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
-			 isc_buffer_t **querytsig);
-/*%<
- * Gets the tsig from the TSIG from the signed query 'msg'.  This is also used
- * for chained TSIGs in TCP responses.  Unlike dns_message_gettsig, this makes
- * a copy of the data, so can be used if the message is destroyed.
- *
- * Requires:
- *
- *\li	'msg' is a valid signed message
- *\li	'mctx' is a valid memory context
- *\li	querytsig != NULL && *querytsig == NULL
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *
- * Ensures:
- *\li 	'tsig' points to NULL or an allocated buffer which must be freed
- * 	by the caller.
- */
-
-dns_rdataset_t *
-dns_message_getsig0(dns_message_t *msg, dns_name_t **owner);
-/*%<
- * Get the SIG(0) record and owner for 'msg'.
- *
- * Requires:
- *
- *\li	'msg' is a valid message.
- *\li	'owner' is NULL or *owner is NULL.
- *
- * Returns:
- *
- *\li	The SIG(0) rdataset of 'msg', or NULL if there isn't one.
- *
- * Ensures:
- *
- * \li	If 'owner' is not NULL, it will point to the owner name.
- */
-
-isc_result_t
-dns_message_setsig0key(dns_message_t *msg, dst_key_t *key);
-/*%<
- * Set the SIG(0) key for 'msg'.
- *
- * Requires:
- *
- *\li	'msg' is a valid message with rendering intent,
- *	dns_message_renderbegin() has been called, and no sections have been
- *	rendered.
- *\li	'key' is a valid sig key or NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		-- all is well.
- *
- *\li	#ISC_R_NOSPACE		-- there is no space for the SIG(0) record.
- */
-
-dst_key_t *
-dns_message_getsig0key(dns_message_t *msg);
-/*%<
- * Gets the SIG(0) key for 'msg'.
- *
- * Requires:
- *
- *\li	'msg' is a valid message
- */
-
-void
-dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
-/*%<
- * Give the *buffer to the message code to clean up when it is no
- * longer needed.  This is usually when the message is reset or
- * destroyed.
- *
- * Requires:
- *
- *\li	msg be a valid message.
- *
- *\li	buffer != NULL && *buffer is a valid isc_buffer_t, which was
- *	dynamically allocated via isc_buffer_allocate().
- */
-
-isc_result_t
-dns_message_signer(dns_message_t *msg, dns_name_t *signer);
-/*%<
- * If this message was signed, return the identity of the signer.
- * Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the
- * key that signed the message.
- *
- * Requires:
- *
- *\li	msg is a valid parsed message.
- *\li	signer is a valid name
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		- the message was signed, and *signer
- *				  contains the signing identity
- *
- *\li	#ISC_R_NOTFOUND		- no TSIG or SIG(0) record is present in the
- *				  message
- *
- *\li	#DNS_R_TSIGVERIFYFAILURE	- the message was signed by a TSIG, but the
- *				  signature failed to verify
- *
- *\li	#DNS_R_TSIGERRORSET	- the message was signed by a TSIG and
- *				  verified, but the query was rejected by
- *				  the server
- *
- *\li	#DNS_R_NOIDENTITY	- the message was signed by a TSIG and
- *				  verified, but the key has no identity since
- *				  it was generated by an unsigned TKEY process
- *
- *\li	#DNS_R_SIGINVALID	- the message was signed by a SIG(0), but
- *				  the signature failed to verify
- *
- *\li	#DNS_R_NOTVERIFIEDYET	- the message was signed by a TSIG or SIG(0),
- *				  but the signature has not been verified yet
- */
-
-isc_result_t
-dns_message_checksig(dns_message_t *msg, dns_view_t *view);
-/*%<
- * If this message was signed, verify the signature.
- *
- * Requires:
- *
- *\li	msg is a valid parsed message.
- *\li	view is a valid view or NULL
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		- the message was unsigned, or the message
- *				  was signed correctly.
- *
- *\li	#DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
- *\li	#DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
- *\li	#DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
- */
-
-isc_result_t
-dns_message_rechecksig(dns_message_t *msg, dns_view_t *view);
-/*%<
- * Reset the signature state and then if the message was signed,
- * verify the message.
- *
- * Requires:
- *
- *\li	msg is a valid parsed message.
- *\li	view is a valid view or NULL
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		- the message was unsigned, or the message
- *				  was signed correctly.
- *
- *\li	#DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
- *\li	#DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
- *\li	#DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
- */
-
-void
-dns_message_resetsig(dns_message_t *msg);
-/*%<
- * Reset the signature state.
- *
- * Requires:
- *\li	'msg' is a valid parsed message.
- */
-
-isc_region_t *
-dns_message_getrawmessage(dns_message_t *msg);
-/*%<
- * Retrieve the raw message in compressed wire format.  The message must
- * have been successfully parsed for it to have been saved.
- *
- * Requires:
- *\li	msg is a valid parsed message.
- *
- * Returns:
- *\li	NULL	if there is no saved message.
- *	a pointer to a region which refers the dns message.
- */
-
-void
-dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 const void *order_arg);
-/*%<
- * Define the order in which RR sets get rendered by
- * dns_message_rendersection() to be the ascending order
- * defined by the integer value returned by 'order' when
- * given each RR and 'arg' as arguments.  If 'order' and
- * 'order_arg' are NULL, a default order is used.
- *
- * Requires:
- *\li	msg be a valid message.
- *\li	order_arg is NULL if and only if order is NULL.
- */
-
-void
-dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
-/*%<
- * Adjust the time used to sign/verify a message by timeadjust.
- * Currently only TSIG.
- *
- * Requires:
- *\li	msg be a valid message.
- */
-
-int
-dns_message_gettimeadjust(dns_message_t *msg);
-/*%<
- * Return the current time adjustment.
- *
- * Requires:
- *\li	msg be a valid message.
- */
-
-isc_result_t
-dns_message_buildopt(dns_message_t *msg, dns_rdataset_t **opt,
-		     unsigned int version, isc_uint16_t udpsize,
-		     unsigned int flags, dns_ednsopt_t *ednsopts, size_t count);
-/*%<
- * Built a opt record.
- *
- * Requires:
- * \li   msg be a valid message.
- * \li   opt to be a non NULL and *opt to be NULL.
- *
- * Returns:
- * \li	 ISC_R_SUCCESS on success.
- * \li	 ISC_R_NOMEMORY
- * \li	 ISC_R_NOSPACE
- * \li	 other.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_MESSAGE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/name.h b/contrib/bind9/lib/dns/include/dns/name.h
deleted file mode 100644
index 1a88e53..0000000
--- a/contrib/bind9/lib/dns/include/dns/name.h
+++ /dev/null
@@ -1,1364 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: name.h,v 1.137 2011/01/13 04:59:26 tbox Exp $ */
-
-#ifndef DNS_NAME_H
-#define DNS_NAME_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/name.h
- * \brief
- * Provides facilities for manipulating DNS names and labels, including
- * conversions to and from wire format and text format.
- *
- * Given the large number of names possible in a nameserver, and because
- * names occur in rdata, it was important to come up with a very efficient
- * way of storing name data, but at the same time allow names to be
- * manipulated.  The decision was to store names in uncompressed wire format,
- * and not to make them fully abstracted objects; i.e. certain parts of the
- * server know names are stored that way.  This saves a lot of memory, and
- * makes adding names to messages easy.  Having much of the server know
- * the representation would be perilous, and we certainly don't want each
- * user of names to be manipulating such a low-level structure.  This is
- * where the Names and Labels module comes in.  The module allows name or
- * label handles to be created and attached to uncompressed wire format
- * regions.  All name operations and conversions are done through these
- * handles.
- *
- * MP:
- *\li	Clients of this module must impose any required synchronization.
- *
- * Reliability:
- *\li	This module deals with low-level byte streams.  Errors in any of
- *	the functions are likely to crash the server or corrupt memory.
- *
- * Resources:
- *\li	None.
- *
- * Security:
- *
- *\li	*** WARNING ***
- *
- *\li	dns_name_fromwire() deals with raw network data.  An error in
- *	this routine could result in the failure or hijacking of the server.
- *
- * Standards:
- *\li	RFC1035
- *\li	Draft EDNS0 (0)
- *\li	Draft Binary Labels (2)
- *
- */
-
-/***
- *** Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/boolean.h>
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/region.h>		/* Required for storage size of dns_label_t. */
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Labels
- *****
- ***** A 'label' is basically a region.  It contains one DNS wire format
- ***** label of type 00 (ordinary).
- *****/
-
-/*****
- ***** Names
- *****
- ***** A 'name' is a handle to a binary region.  It contains a sequence of one
- ***** or more DNS wire format labels of type 00 (ordinary).
- ***** Note that all names are not required to end with the root label,
- ***** as they are in the actual DNS wire protocol.
- *****/
-
-/***
- *** Types
- ***/
-
-/*%
- * Clients are strongly discouraged from using this type directly,  with
- * the exception of the 'link' and 'list' fields which may be used directly
- * for whatever purpose the client desires.
- */
-struct dns_name {
-	unsigned int			magic;
-	unsigned char *			ndata;
-	unsigned int			length;
-	unsigned int			labels;
-	unsigned int			attributes;
-	unsigned char *			offsets;
-	isc_buffer_t *			buffer;
-	ISC_LINK(dns_name_t)		link;
-	ISC_LIST(dns_rdataset_t)	list;
-};
-
-#define DNS_NAME_MAGIC			ISC_MAGIC('D','N','S','n')
-
-#define DNS_NAMEATTR_ABSOLUTE		0x00000001
-#define DNS_NAMEATTR_READONLY		0x00000002
-#define DNS_NAMEATTR_DYNAMIC		0x00000004
-#define DNS_NAMEATTR_DYNOFFSETS		0x00000008
-#define DNS_NAMEATTR_NOCOMPRESS		0x00000010
-/*
- * Attributes below 0x0100 reserved for name.c usage.
- */
-#define DNS_NAMEATTR_CACHE		0x00000100	/*%< Used by resolver. */
-#define DNS_NAMEATTR_ANSWER		0x00000200	/*%< Used by resolver. */
-#define DNS_NAMEATTR_NCACHE		0x00000400	/*%< Used by resolver. */
-#define DNS_NAMEATTR_CHAINING		0x00000800	/*%< Used by resolver. */
-#define DNS_NAMEATTR_CHASE		0x00001000	/*%< Used by resolver. */
-#define DNS_NAMEATTR_WILDCARD		0x00002000	/*%< Used by server. */
-#define DNS_NAMEATTR_PREREQUISITE	0x00004000	/*%< Used by client. */
-#define DNS_NAMEATTR_UPDATE		0x00008000	/*%< Used by client. */
-#define DNS_NAMEATTR_HASUPDATEREC	0x00010000	/*%< Used by client. */
-
-/*
- * Various flags.
- */
-#define DNS_NAME_DOWNCASE		0x0001
-#define DNS_NAME_CHECKNAMES		0x0002		/*%< Used by rdata. */
-#define DNS_NAME_CHECKNAMESFAIL		0x0004		/*%< Used by rdata. */
-#define DNS_NAME_CHECKREVERSE		0x0008		/*%< Used by rdata. */
-#define DNS_NAME_CHECKMX		0x0010		/*%< Used by rdata. */
-#define DNS_NAME_CHECKMXFAIL		0x0020		/*%< Used by rdata. */
-
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_rootname;
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_wildcardname;
-
-/*%
- * Standard size of a wire format name
- */
-#define DNS_NAME_MAXWIRE 255
-
-/*
- * Text output filter procedure.
- * 'target' is the buffer to be converted.  The region to be converted
- * is from 'buffer'->base + 'used_org' to the end of the used region.
- */
-typedef isc_result_t (*dns_name_totextfilter_t)(isc_buffer_t *target,
-						unsigned int used_org,
-						isc_boolean_t absolute);
-
-/***
- *** Initialization
- ***/
-
-void
-dns_name_init(dns_name_t *name, unsigned char *offsets);
-/*%<
- * Initialize 'name'.
- *
- * Notes:
- * \li	'offsets' is never required to be non-NULL, but specifying a
- *	dns_offsets_t for 'offsets' will improve the performance of most
- *	name operations if the name is used more than once.
- *
- * Requires:
- * \li	'name' is not NULL and points to a struct dns_name.
- *
- * \li	offsets == NULL or offsets is a dns_offsets_t.
- *
- * Ensures:
- * \li	'name' is a valid name.
- * \li	dns_name_countlabels(name) == 0
- * \li	dns_name_isabsolute(name) == ISC_FALSE
- */
-
-void
-dns_name_reset(dns_name_t *name);
-/*%<
- * Reinitialize 'name'.
- *
- * Notes:
- * \li	This function distinguishes itself from dns_name_init() in two
- *	key ways:
- *
- * \li	+ If any buffer is associated with 'name' (via dns_name_setbuffer()
- *	  or by being part of a dns_fixedname_t) the link to the buffer
- *	  is retained but the buffer itself is cleared.
- *
- * \li	+ Of the attributes associated with 'name', all are retained except
- *	  DNS_NAMEATTR_ABSOLUTE.
- *
- * Requires:
- * \li	'name' is a valid name.
- *
- * Ensures:
- * \li	'name' is a valid name.
- * \li	dns_name_countlabels(name) == 0
- * \li	dns_name_isabsolute(name) == ISC_FALSE
- */
-
-void
-dns_name_invalidate(dns_name_t *name);
-/*%<
- * Make 'name' invalid.
- *
- * Requires:
- * \li	'name' is a valid name.
- *
- * Ensures:
- * \li	If assertion checking is enabled, future attempts to use 'name'
- *	without initializing it will cause an assertion failure.
- *
- * \li	If the name had a dedicated buffer, that association is ended.
- */
-
-
-/***
- *** Dedicated Buffers
- ***/
-
-void
-dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer);
-/*%<
- * Dedicate a buffer for use with 'name'.
- *
- * Notes:
- * \li	Specification of a target buffer in dns_name_fromwire(),
- *	dns_name_fromtext(), and dns_name_concatenate() is optional if
- *	'name' has a dedicated buffer.
- *
- * \li	The caller must not write to buffer until the name has been
- *	invalidated or is otherwise known not to be in use.
- *
- * \li	If buffer is NULL and the name previously had a dedicated buffer,
- *	than that buffer is no longer dedicated to use with this name.
- *	The caller is responsible for ensuring that the storage used by
- *	the name remains valid.
- *
- * Requires:
- * \li	'name' is a valid name.
- *
- * \li	'buffer' is a valid binary buffer and 'name' doesn't have a
- *	dedicated buffer already, or 'buffer' is NULL.
- */
-
-isc_boolean_t
-dns_name_hasbuffer(const dns_name_t *name);
-/*%<
- * Does 'name' have a dedicated buffer?
- *
- * Requires:
- * \li	'name' is a valid name.
- *
- * Returns:
- * \li	ISC_TRUE	'name' has a dedicated buffer.
- * \li	ISC_FALSE	'name' does not have a dedicated buffer.
- */
-
-/***
- *** Properties
- ***/
-
-isc_boolean_t
-dns_name_isabsolute(const dns_name_t *name);
-/*%<
- * Does 'name' end in the root label?
- *
- * Requires:
- * \li	'name' is a valid name
- *
- * Returns:
- * \li	TRUE		The last label in 'name' is the root label.
- * \li	FALSE		The last label in 'name' is not the root label.
- */
-
-isc_boolean_t
-dns_name_iswildcard(const dns_name_t *name);
-/*%<
- * Is 'name' a wildcard name?
- *
- * Requires:
- * \li	'name' is a valid name
- *
- * \li	dns_name_countlabels(name) > 0
- *
- * Returns:
- * \li	TRUE		The least significant label of 'name' is '*'.
- * \li	FALSE		The least significant label of 'name' is not '*'.
- */
-
-unsigned int
-dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive);
-/*%<
- * Provide a hash value for 'name'.
- *
- * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
- * case will have the same hash value.
- *
- * Requires:
- * \li	'name' is a valid name
- *
- * Returns:
- * \li	A hash value
- */
-
-unsigned int
-dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive);
-/*%<
- * Provide a hash value for 'name'.  Unlike dns_name_hash(), this function
- * always takes into account of the entire name to calculate the hash value.
- *
- * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
- * case will have the same hash value.
- *
- * Requires:
- *\li	'name' is a valid name
- *
- * Returns:
- *\li	A hash value
- */
-
-unsigned int
-dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive);
-/*%<
- * Provide a hash value for 'name', where the hash value is the sum
- * of the hash values of each label.
- *
- * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
- * case will have the same hash value.
- *
- * Requires:
- *\li	'name' is a valid name
- *
- * Returns:
- *\li	A hash value
- */
-
-/*
- *** Comparisons
- ***/
-
-dns_namereln_t
-dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
-		     int *orderp, unsigned int *nlabelsp);
-/*%<
- * Determine the relative ordering under the DNSSEC order relation of
- * 'name1' and 'name2', and also determine the hierarchical
- * relationship of the names.
- *
- * Note: It makes no sense for one of the names to be relative and the
- * other absolute.  If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- *
- * Requires:
- *\li	'name1' is a valid name
- *
- *\li	dns_name_countlabels(name1) > 0
- *
- *\li	'name2' is a valid name
- *
- *\li	dns_name_countlabels(name2) > 0
- *
- *\li	orderp and nlabelsp are valid pointers.
- *
- *\li	Either name1 is absolute and name2 is absolute, or neither is.
- *
- * Ensures:
- *
- *\li	*orderp is < 0 if name1 < name2, 0 if name1 = name2, > 0 if
- *	name1 > name2.
- *
- *\li	*nlabelsp is the number of common significant labels.
- *
- * Returns:
- *\li	dns_namereln_none		There's no hierarchical relationship
- *					between name1 and name2.
- *\li	dns_namereln_contains		name1 properly contains name2; i.e.
- *					name2 is a proper subdomain of name1.
- *\li	dns_namereln_subdomain		name1 is a proper subdomain of name2.
- *\li	dns_namereln_equal		name1 and name2 are equal.
- *\li	dns_namereln_commonancestor	name1 and name2 share a common
- *					ancestor.
- */
-
-int
-dns_name_compare(const dns_name_t *name1, const dns_name_t *name2);
-/*%<
- * Determine the relative ordering under the DNSSEC order relation of
- * 'name1' and 'name2'.
- *
- * Note: It makes no sense for one of the names to be relative and the
- * other absolute.  If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- *
- * Requires:
- * \li	'name1' is a valid name
- *
- * \li	'name2' is a valid name
- *
- * \li	Either name1 is absolute and name2 is absolute, or neither is.
- *
- * Returns:
- * \li	< 0		'name1' is less than 'name2'
- * \li	0		'name1' is equal to 'name2'
- * \li	> 0		'name1' is greater than 'name2'
- */
-
-isc_boolean_t
-dns_name_equal(const dns_name_t *name1, const dns_name_t *name2);
-/*%<
- * Are 'name1' and 'name2' equal?
- *
- * Notes:
- * \li	Because it only needs to test for equality, dns_name_equal() can be
- *	significantly faster than dns_name_fullcompare() or dns_name_compare().
- *
- * \li	Offsets tables are not used in the comparision.
- *
- * \li	It makes no sense for one of the names to be relative and the
- *	other absolute.  If both names are relative, then to be meaningfully
- * 	compared the caller must ensure that they are both relative to the
- * 	same domain.
- *
- * Requires:
- * \li	'name1' is a valid name
- *
- * \li	'name2' is a valid name
- *
- * \li	Either name1 is absolute and name2 is absolute, or neither is.
- *
- * Returns:
- * \li	ISC_TRUE	'name1' and 'name2' are equal
- * \li	ISC_FALSE	'name1' and 'name2' are not equal
- */
-
-isc_boolean_t
-dns_name_caseequal(const dns_name_t *name1, const dns_name_t *name2);
-/*%<
- * Case sensitive version of dns_name_equal().
- */
-
-int
-dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2);
-/*%<
- * Compare two names as if they are part of rdata in DNSSEC canonical
- * form.
- *
- * Requires:
- * \li	'name1' is a valid absolute name
- *
- * \li	dns_name_countlabels(name1) > 0
- *
- * \li	'name2' is a valid absolute name
- *
- * \li	dns_name_countlabels(name2) > 0
- *
- * Returns:
- * \li	< 0		'name1' is less than 'name2'
- * \li	0		'name1' is equal to 'name2'
- * \li	> 0		'name1' is greater than 'name2'
- */
-
-isc_boolean_t
-dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2);
-/*%<
- * Is 'name1' a subdomain of 'name2'?
- *
- * Notes:
- * \li	name1 is a subdomain of name2 if name1 is contained in name2, or
- *	name1 equals name2.
- *
- * \li	It makes no sense for one of the names to be relative and the
- *	other absolute.  If both names are relative, then to be meaningfully
- *	compared the caller must ensure that they are both relative to the
- *	same domain.
- *
- * Requires:
- * \li	'name1' is a valid name
- *
- * \li	'name2' is a valid name
- *
- * \li	Either name1 is absolute and name2 is absolute, or neither is.
- *
- * Returns:
- * \li	TRUE		'name1' is a subdomain of 'name2'
- * \li	FALSE		'name1' is not a subdomain of 'name2'
- */
-
-isc_boolean_t
-dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname);
-/*%<
- * Does 'name' match the wildcard specified in 'wname'?
- *
- * Notes:
- * \li	name matches the wildcard specified in wname if all labels
- *	following the wildcard in wname are identical to the same number
- *	of labels at the end of name.
- *
- * \li	It makes no sense for one of the names to be relative and the
- *	other absolute.  If both names are relative, then to be meaningfully
- *	compared the caller must ensure that they are both relative to the
- *	same domain.
- *
- * Requires:
- * \li	'name' is a valid name
- *
- * \li	dns_name_countlabels(name) > 0
- *
- * \li	'wname' is a valid name
- *
- * \li	dns_name_countlabels(wname) > 0
- *
- * \li	dns_name_iswildcard(wname) is true
- *
- * \li	Either name is absolute and wname is absolute, or neither is.
- *
- * Returns:
- * \li	TRUE		'name' matches the wildcard specified in 'wname'
- * \li	FALSE		'name' does not match the wildcard specified in 'wname'
- */
-
-/***
- *** Labels
- ***/
-
-unsigned int
-dns_name_countlabels(const dns_name_t *name);
-/*%<
- * How many labels does 'name' have?
- *
- * Notes:
- * \li	In this case, as in other places, a 'label' is an ordinary label.
- *
- * Requires:
- * \li	'name' is a valid name
- *
- * Ensures:
- * \li	The result is <= 128.
- *
- * Returns:
- * \li	The number of labels in 'name'.
- */
-
-void
-dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label);
-/*%<
- * Make 'label' refer to the 'n'th least significant label of 'name'.
- *
- * Notes:
- * \li	Numbering starts at 0.
- *
- * \li	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
- *	root label.
- *
- * \li	'label' refers to the same memory as 'name', so 'name' must not
- *	be changed while 'label' is still in use.
- *
- * Requires:
- * \li	n < dns_name_countlabels(name)
- */
-
-void
-dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
-			  unsigned int n, dns_name_t *target);
-/*%<
- * Make 'target' refer to the 'n' labels including and following 'first'
- * in 'source'.
- *
- * Notes:
- * \li	Numbering starts at 0.
- *
- * \li	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
- *	root label.
- *
- * \li	'target' refers to the same memory as 'source', so 'source'
- *	must not be changed while 'target' is still in use.
- *
- * Requires:
- * \li	'source' and 'target' are valid names.
- *
- * \li	first < dns_name_countlabels(name)
- *
- * \li	first + n <= dns_name_countlabels(name)
- */
-
-
-void
-dns_name_clone(const dns_name_t *source, dns_name_t *target);
-/*%<
- * Make 'target' refer to the same name as 'source'.
- *
- * Notes:
- *
- * \li	'target' refers to the same memory as 'source', so 'source'
- *	must not be changed while 'target' is still in use.
- *
- * \li	This call is functionally equivalent to:
- *
- * \code
- *		dns_name_getlabelsequence(source, 0,
- *					  dns_name_countlabels(source),
- *					  target);
- * \endcode
- *
- *	but is more efficient.  Also, dns_name_clone() works even if 'source'
- *	is empty.
- *
- * Requires:
- *
- * \li	'source' is a valid name.
- *
- * \li	'target' is a valid name that is not read-only.
- */
-
-/***
- *** Conversions
- ***/
-
-void
-dns_name_fromregion(dns_name_t *name, const isc_region_t *r);
-/*%<
- * Make 'name' refer to region 'r'.
- *
- * Note:
- * \li	If the conversion encounters a root label before the end of the
- *	region the conversion stops and the length is set to the length
- *	so far converted.  A maximum of 255 bytes is converted.
- *
- * Requires:
- * \li	The data in 'r' is a sequence of one or more type 00 or type 01000001
- *	labels.
- */
-
-void
-dns_name_toregion(dns_name_t *name, isc_region_t *r);
-/*%<
- * Make 'r' refer to 'name'.
- *
- * Requires:
- *
- * \li	'name' is a valid name.
- *
- * \li	'r' is a valid region.
- */
-
-isc_result_t
-dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
-		  dns_decompress_t *dctx, unsigned int options,
-		  isc_buffer_t *target);
-/*%<
- * Copy the possibly-compressed name at source (active region) into target,
- * decompressing it.
- *
- * Notes:
- * \li	Decompression policy is controlled by 'dctx'.
- *
- * \li	If DNS_NAME_DOWNCASE is set, any uppercase letters in 'source' will be
- *	downcased when they are copied into 'target'.
- *
- * Security:
- *
- * \li	*** WARNING ***
- *
- * \li	This routine will often be used when 'source' contains raw network
- *	data.  A programming error in this routine could result in a denial
- *	of service, or in the hijacking of the server.
- *
- * Requires:
- *
- * \li	'name' is a valid name.
- *
- * \li	'source' is a valid buffer and the first byte of the active
- *	region should be the first byte of a DNS wire format domain name.
- *
- * \li	'target' is a valid buffer or 'target' is NULL and 'name' has
- *	a dedicated buffer.
- *
- * \li	'dctx' is a valid decompression context.
- *
- * Ensures:
- *
- *	If result is success:
- * \li	 	If 'target' is not NULL, 'name' is attached to it.
- *
- * \li		Uppercase letters are downcased in the copy iff
- *		DNS_NAME_DOWNCASE is set in options.
- *
- * \li		The current location in source is advanced, and the used space
- *		in target is updated.
- *
- * Result:
- * \li	Success
- * \li	Bad Form: Label Length
- * \li	Bad Form: Unknown Label Type
- * \li	Bad Form: Name Length
- * \li	Bad Form: Compression type not allowed
- * \li	Bad Form: Bad compression pointer
- * \li	Bad Form: Input too short
- * \li	Resource Limit: Too many compression pointers
- * \li	Resource Limit: Not enough space in buffer
- */
-
-isc_result_t
-dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
-		isc_buffer_t *target);
-/*%<
- * Convert 'name' into wire format, compressing it as specified by the
- * compression context 'cctx', and storing the result in 'target'.
- *
- * Notes:
- * \li	If the compression context allows global compression, then the
- *	global compression table may be updated.
- *
- * Requires:
- * \li	'name' is a valid name
- *
- * \li	dns_name_countlabels(name) > 0
- *
- * \li	dns_name_isabsolute(name) == TRUE
- *
- * \li	target is a valid buffer.
- *
- * \li	Any offsets specified in a global compression table are valid
- *	for buffer.
- *
- * Ensures:
- *
- *	If the result is success:
- *
- * \li		The used space in target is updated.
- *
- * Returns:
- * \li	Success
- * \li	Resource Limit: Not enough space in buffer
- */
-
-isc_result_t
-dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
-		  const dns_name_t *origin, unsigned int options,
-		  isc_buffer_t *target);
-/*%<
- * Convert the textual representation of a DNS name at source
- * into uncompressed wire form stored in target.
- *
- * Notes:
- * \li	Relative domain names will have 'origin' appended to them
- *	unless 'origin' is NULL, in which case relative domain names
- *	will remain relative.
- *
- * \li	If DNS_NAME_DOWNCASE is set in 'options', any uppercase letters
- *	in 'source' will be downcased when they are copied into 'target'.
- *
- * Requires:
- *
- * \li	'name' is a valid name.
- *
- * \li	'source' is a valid buffer.
- *
- * \li	'target' is a valid buffer or 'target' is NULL and 'name' has
- *	a dedicated buffer.
- *
- * Ensures:
- *
- *	If result is success:
- * \li	 	If 'target' is not NULL, 'name' is attached to it.
- *
- * \li		Uppercase letters are downcased in the copy iff
- *		DNS_NAME_DOWNCASE is set in 'options'.
- *
- * \li		The current location in source is advanced, and the used space
- *		in target is updated.
- *
- * Result:
- *\li	#ISC_R_SUCCESS
- *\li	#DNS_R_EMPTYLABEL
- *\li	#DNS_R_LABELTOOLONG
- *\li	#DNS_R_BADESCAPE
- *\li	(#DNS_R_BADBITSTRING: should not be returned)
- *\li	(#DNS_R_BITSTRINGTOOLONG: should not be returned)
- *\li	#DNS_R_BADDOTTEDQUAD
- *\li	#ISC_R_NOSPACE
- *\li	#ISC_R_UNEXPECTEDEND
- */
-
-#define DNS_NAME_OMITFINALDOT	0x01U
-#define DNS_NAME_MASTERFILE	0x02U	/* escape $ and @ */
-
-isc_result_t
-dns_name_toprincipal(dns_name_t *name, isc_buffer_t *target);
-
-isc_result_t
-dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
-		isc_buffer_t *target);
-
-isc_result_t
-dns_name_totext2(dns_name_t *name, unsigned int options, isc_buffer_t *target);
-/*%<
- * Convert 'name' into text format, storing the result in 'target'.
- *
- * Notes:
- *\li	If 'omit_final_dot' is true, then the final '.' in absolute
- *	names other than the root name will be omitted.
- *
- *\li	If DNS_NAME_OMITFINALDOT is set in options, then the final '.'
- *	in absolute names other than the root name will be omitted.
- *
- *\li	If DNS_NAME_MASTERFILE is set in options, '$' and '@' will also
- *	be escaped.
- *
- *\li	If dns_name_countlabels == 0, the name will be "@", representing the
- *	current origin as described by RFC1035.
- *
- *\li	The name is not NUL terminated.
- *
- * Requires:
- *
- *\li	'name' is a valid name
- *
- *\li	'target' is a valid buffer.
- *
- *\li	if dns_name_isabsolute == FALSE, then omit_final_dot == FALSE
- *
- * Ensures:
- *
- *\li	If the result is success:
- *		the used space in target is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE
- */
-
-#define DNS_NAME_MAXTEXT 1023
-/*%<
- * The maximum length of the text representation of a domain
- * name as generated by dns_name_totext().  This does not
- * include space for a terminating NULL.
- *
- * This definition is conservative - the actual maximum
- * is 1004, derived as follows:
- *
- *   A backslash-decimal escaped character takes 4 bytes.
- *   A wire-encoded name can be up to 255 bytes and each
- *   label is one length byte + at most 63 bytes of data.
- *   Maximizing the label lengths gives us a name of
- *   three 63-octet labels, one 61-octet label, and the
- *   root label:
- *
- *      1 + 63 + 1 + 63 + 1 + 63 + 1 + 61 + 1 = 255
- *
- *   When printed, this is (3 * 63 + 61) * 4
- *   bytes for the escaped label data + 4 bytes for the
- *   dot terminating each label = 1004 bytes total.
- */
-
-isc_result_t
-dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
-			isc_buffer_t *target);
-/*%<
- * Convert 'name' into an alternate text format appropriate for filenames,
- * storing the result in 'target'.  The name data is downcased, guaranteeing
- * that the filename does not depend on the case of the converted name.
- *
- * Notes:
- *\li	If 'omit_final_dot' is true, then the final '.' in absolute
- *	names other than the root name will be omitted.
- *
- *\li	The name is not NUL terminated.
- *
- * Requires:
- *
- *\li	'name' is a valid absolute name
- *
- *\li	'target' is a valid buffer.
- *
- * Ensures:
- *
- *\li	If the result is success:
- *		the used space in target is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE
- */
-
-isc_result_t
-dns_name_downcase(dns_name_t *source, dns_name_t *name,
-		  isc_buffer_t *target);
-/*%<
- * Downcase 'source'.
- *
- * Requires:
- *
- *\li	'source' and 'name' are valid names.
- *
- *\li	If source == name, then
- *		'source' must not be read-only
- *
- *\li	Otherwise,
- *		'target' is a valid buffer or 'target' is NULL and
- *		'name' has a dedicated buffer.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE
- *
- * Note: if source == name, then the result will always be ISC_R_SUCCESS.
- */
-
-isc_result_t
-dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
-		     dns_name_t *name, isc_buffer_t *target);
-/*%<
- *	Concatenate 'prefix' and 'suffix'.
- *
- * Requires:
- *
- *\li	'prefix' is a valid name or NULL.
- *
- *\li	'suffix' is a valid name or NULL.
- *
- *\li	'name' is a valid name or NULL.
- *
- *\li	'target' is a valid buffer or 'target' is NULL and 'name' has
- *	a dedicated buffer.
- *
- *\li	If 'prefix' is absolute, 'suffix' must be NULL or the empty name.
- *
- * Ensures:
- *
- *\li	On success,
- *	 	If 'target' is not NULL and 'name' is not NULL, then 'name'
- *		is attached to it.
- *		The used space in target is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE
- *\li	#DNS_R_NAMETOOLONG
- */
-
-void
-dns_name_split(dns_name_t *name, unsigned int suffixlabels,
-	       dns_name_t *prefix, dns_name_t *suffix);
-/*%<
- *
- * Split 'name' into two pieces on a label boundary.
- *
- * Notes:
- * \li     'name' is split such that 'suffix' holds the most significant
- *      'suffixlabels' labels.  All other labels are stored in 'prefix'.
- *
- *\li	Copying name data is avoided as much as possible, so 'prefix'
- *	and 'suffix' will end up pointing at the data for 'name'.
- *
- *\li	It is legitimate to pass a 'prefix' or 'suffix' that has
- *	its name data stored someplace other than the dedicated buffer.
- *	This is useful to avoid name copying in the calling function.
- *
- *\li	It is also legitimate to pass a 'prefix' or 'suffix' that is
- *	the same dns_name_t as 'name'.
- *
- * Requires:
- *\li	'name' is a valid name.
- *
- *\li	'suffixlabels' cannot exceed the number of labels in 'name'.
- *
- * \li	'prefix' is a valid name or NULL, and cannot be read-only.
- *
- *\li	'suffix' is a valid name or NULL, and cannot be read-only.
- *
- *\li	If non-NULL, 'prefix' and 'suffix' must have dedicated buffers.
- *
- *\li	'prefix' and 'suffix' cannot point to the same buffer.
- *
- * Ensures:
- *
- *\li	On success:
- *		If 'prefix' is not NULL it will contain the least significant
- *		labels.
- *		If 'suffix' is not NULL it will contain the most significant
- *		labels.  dns_name_countlabels(suffix) will be equal to
- *		suffixlabels.
- *
- *\li	On failure:
- *		Either 'prefix' or 'suffix' is invalidated (depending
- *		on which one the problem was encountered with).
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	No worries.  (This function should always success).
- */
-
-isc_result_t
-dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
-	     dns_name_t *target);
-/*%<
- * Make 'target' a dynamically allocated copy of 'source'.
- *
- * Requires:
- *
- *\li	'source' is a valid non-empty name.
- *
- *\li	'target' is a valid name that is not read-only.
- *
- *\li	'mctx' is a valid memory context.
- */
-
-isc_result_t
-dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
-			dns_name_t *target);
-/*%<
- * Make 'target' a read-only dynamically allocated copy of 'source'.
- * 'target' will also have a dynamically allocated offsets table.
- *
- * Requires:
- *
- *\li	'source' is a valid non-empty name.
- *
- *\li	'target' is a valid name that is not read-only.
- *
- *\li	'target' has no offsets table.
- *
- *\li	'mctx' is a valid memory context.
- */
-
-void
-dns_name_free(dns_name_t *name, isc_mem_t *mctx);
-/*%<
- * Free 'name'.
- *
- * Requires:
- *
- *\li	'name' is a valid name created previously in 'mctx' by dns_name_dup().
- *
- *\li	'mctx' is a valid memory context.
- *
- * Ensures:
- *
- *\li	All dynamic resources used by 'name' are freed and the name is
- *	invalidated.
- */
-
-isc_result_t
-dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg);
-/*%<
- * Send 'name' in DNSSEC canonical form to 'digest'.
- *
- * Requires:
- *
- *\li	'name' is a valid name.
- *
- *\li	'digest' is a valid dns_digestfunc_t.
- *
- * Ensures:
- *
- *\li	If successful, the DNSSEC canonical form of 'name' will have been
- *	sent to 'digest'.
- *
- *\li	If digest() returns something other than ISC_R_SUCCESS, that result
- *	will be returned as the result of dns_name_digest().
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *
- *\li	Many other results are possible if not successful.
- *
- */
-
-isc_boolean_t
-dns_name_dynamic(dns_name_t *name);
-/*%<
- * Returns whether there is dynamic memory associated with this name.
- *
- * Requires:
- *
- *\li	'name' is a valid name.
- *
- * Returns:
- *
- *\li	'ISC_TRUE' if the name is dynamic otherwise 'ISC_FALSE'.
- */
-
-isc_result_t
-dns_name_print(dns_name_t *name, FILE *stream);
-/*%<
- * Print 'name' on 'stream'.
- *
- * Requires:
- *
- *\li	'name' is a valid name.
- *
- *\li	'stream' is a valid stream.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *
- *\li	Any error that dns_name_totext() can return.
- */
-
-void
-dns_name_format(dns_name_t *name, char *cp, unsigned int size);
-/*%<
- * Format 'name' as text appropriate for use in log messages.
- *
- * Store the formatted name at 'cp', writing no more than
- * 'size' bytes.  The resulting string is guaranteed to be
- * null terminated.
- *
- * The formatted name will have a terminating dot only if it is
- * the root.
- *
- * This function cannot fail, instead any errors are indicated
- * in the returned text.
- *
- * Requires:
- *
- *\li	'name' is a valid name.
- *
- *\li	'cp' points a valid character array of size 'size'.
- *
- *\li	'size' > 0.
- *
- */
-
-isc_result_t
-dns_name_tostring(dns_name_t *source, char **target, isc_mem_t *mctx);
-/*%<
- * Convert 'name' to string format, allocating sufficient memory to
- * hold it (free with isc_mem_free()).
- *
- * Differs from dns_name_format in that it allocates its own memory.
- *
- * Requires:
- *
- *\li	'name' is a valid name.
- *\li	'target' is not NULL.
- *\li	'*target' is NULL.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Any error that dns_name_totext() can return.
- */
-
-isc_result_t
-dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
-		    isc_mem_t *mctx);
-isc_result_t
-dns_name_fromstring2(dns_name_t *target, const char *src,
-		     const dns_name_t *origin, unsigned int options,
-		     isc_mem_t *mctx);
-/*%<
- * Convert a string to a name and place it in target, allocating memory
- * as necessary.  'options' has the same semantics as that of
- * dns_name_fromtext().
- *
- * If 'target' has a buffer then the name will be copied into it rather than
- * memory being allocated.
- *
- * Requires:
- *
- * \li	'target' is a valid name that is not read-only.
- * \li	'src' is not NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *
- *\li	Any error that dns_name_fromtext() can return.
- *
- *\li	Any error that dns_name_dup() can return.
- */
-
-isc_result_t
-dns_name_settotextfilter(dns_name_totextfilter_t proc);
-/*%<
- * Set / clear a thread specific function 'proc' to be called at the
- * end of dns_name_totext().
- *
- * Note: Under Windows you need to call "dns_name_settotextfilter(NULL);"
- * prior to exiting the thread otherwise memory will be leaked.
- * For other platforms, which are pthreads based, this is still a good
- * idea but not required.
- *
- * Returns
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_UNEXPECTED
- */
-
-#define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
-/*%<
- * Suggested size of buffer passed to dns_name_format().
- * Includes space for the terminating NULL.
- */
-
-isc_result_t
-dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target);
-/*%<
- * Makes 'dest' refer to a copy of the name in 'source'.  The data are
- * either copied to 'target' or the dedicated buffer in 'dest'.
- *
- * Requires:
- * \li	'source' is a valid name.
- *
- * \li	'dest' is an initialized name with a dedicated buffer.
- *
- * \li	'target' is NULL or an initialized buffer.
- *
- * \li	Either dest has a dedicated buffer or target != NULL.
- *
- * Ensures:
- *
- *\li	On success, the used space in target is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE
- */
-
-isc_boolean_t
-dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard);
-/*%<
- * Return if 'name' is a valid hostname.  RFC 952 / RFC 1123.
- * If 'wildcard' is ISC_TRUE then allow the first label of name to
- * be a wildcard.
- * The root is also accepted.
- *
- * Requires:
- *	'name' to be valid.
- */
-
-
-isc_boolean_t
-dns_name_ismailbox(const dns_name_t *name);
-/*%<
- * Return if 'name' is a valid mailbox.  RFC 821.
- *
- * Requires:
- * \li	'name' to be valid.
- */
-
-isc_boolean_t
-dns_name_internalwildcard(const dns_name_t *name);
-/*%<
- * Return if 'name' contains a internal wildcard name.
- *
- * Requires:
- * \li	'name' to be valid.
- */
-
-void
-dns_name_destroy(void);
-/*%<
- * Cleanup dns_name_settotextfilter() / dns_name_totext() state.
- *
- * This should be called as part of the final cleanup process.
- *
- * Note: dns_name_settotextfilter(NULL); should be called for all
- * threads which have called dns_name_settotextfilter() with a
- * non-NULL argument prior to calling dns_name_destroy();
- */
-
-ISC_LANG_ENDDECLS
-
-/*
- *** High Performance Macros
- ***/
-
-/*
- * WARNING:  Use of these macros by applications may require recompilation
- *           of the application in some situations where calling the function
- *           would not.
- *
- * WARNING:  No assertion checking is done for these macros.
- */
-
-#define DNS_NAME_INIT(n, o) \
-do { \
-	dns_name_t *_n = (n); \
-	/* memset(_n, 0, sizeof(*_n)); */ \
-	_n->magic = DNS_NAME_MAGIC; \
-	_n->ndata = NULL; \
-	_n->length = 0; \
-	_n->labels = 0; \
-	_n->attributes = 0; \
-	_n->offsets = (o); \
-	_n->buffer = NULL; \
-	ISC_LINK_INIT(_n, link); \
-	ISC_LIST_INIT(_n->list); \
-} while (0)
-
-#define DNS_NAME_RESET(n) \
-do { \
-	(n)->ndata = NULL; \
-	(n)->length = 0; \
-	(n)->labels = 0; \
-	(n)->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
-	if ((n)->buffer != NULL) \
-		isc_buffer_clear((n)->buffer); \
-} while (0)
-
-#define DNS_NAME_SETBUFFER(n, b) \
-	(n)->buffer = (b)
-
-#define DNS_NAME_ISABSOLUTE(n) \
-	(((n)->attributes & DNS_NAMEATTR_ABSOLUTE) != 0 ? ISC_TRUE : ISC_FALSE)
-
-#define DNS_NAME_COUNTLABELS(n) \
-	((n)->labels)
-
-#define DNS_NAME_TOREGION(n, r) \
-do { \
-	(r)->base = (n)->ndata; \
-	(r)->length = (n)->length; \
-} while (0)
-
-#define DNS_NAME_SPLIT(n, l, p, s) \
-do { \
-	dns_name_t *_n = (n); \
-	dns_name_t *_p = (p); \
-	dns_name_t *_s = (s); \
-	unsigned int _l = (l); \
-	if (_p != NULL) \
-		dns_name_getlabelsequence(_n, 0, _n->labels - _l, _p); \
-	if (_s != NULL) \
-		dns_name_getlabelsequence(_n, _n->labels - _l, _l, _s); \
-} while (0)
-
-#ifdef DNS_NAME_USEINLINE
-
-#define dns_name_init(n, o)		DNS_NAME_INIT(n, o)
-#define dns_name_reset(n)		DNS_NAME_RESET(n)
-#define dns_name_setbuffer(n, b)	DNS_NAME_SETBUFFER(n, b)
-#define dns_name_countlabels(n)		DNS_NAME_COUNTLABELS(n)
-#define dns_name_isabsolute(n)		DNS_NAME_ISABSOLUTE(n)
-#define dns_name_toregion(n, r)		DNS_NAME_TOREGION(n, r)
-#define dns_name_split(n, l, p, s)	DNS_NAME_SPLIT(n, l, p, s)
-
-#endif /* DNS_NAME_USEINLINE */
-
-#endif /* DNS_NAME_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ncache.h b/contrib/bind9/lib/dns/include/dns/ncache.h
deleted file mode 100644
index 337e834..0000000
--- a/contrib/bind9/lib/dns/include/dns/ncache.h
+++ /dev/null
@@ -1,191 +0,0 @@
-/*
- * Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ncache.h,v 1.29 2010/05/14 23:50:40 tbox Exp $ */
-
-#ifndef DNS_NCACHE_H
-#define DNS_NCACHE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/ncache.h
- *\brief
- * DNS Ncache
- *
- * XXX TBS XXX
- *
- * MP:
- *\li	The caller must ensure any required synchronization.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	RFC2308
- */
-
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*%
- * _OMITDNSSEC:
- *      Omit DNSSEC records when rendering.
- */
-#define DNS_NCACHETOWIRE_OMITDNSSEC   0x0001
-
-isc_result_t
-dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
-	       dns_rdataset_t *addedrdataset);
-isc_result_t
-dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
-		     dns_dbnode_t *node, dns_rdatatype_t covers,
-		     isc_stdtime_t now, dns_ttl_t maxttl,
-		     isc_boolean_t optout, dns_rdataset_t *addedrdataset);
-/*%<
- * Convert the authority data from 'message' into a negative cache
- * rdataset, and store it in 'cache' at 'node' with a TTL limited to
- * 'maxttl'.
- *
- * \li dns_ncache_add produces a negative cache entry with a trust of no
- *     more than answer
- * \li dns_ncache_addoptout produces a negative cache entry which will have
- *     a trust of secure if all the records that make up the entry are secure.
- *
- * The 'covers' argument is the RR type whose nonexistence we are caching,
- * or dns_rdatatype_any when caching a NXDOMAIN response.
- *
- * 'optout' indicates a DNS_RDATASETATTR_OPTOUT should be set.
- *
- * Note:
- *\li	If 'addedrdataset' is not NULL, then it will be attached to the added
- *	rdataset.  See dns_db_addrdataset() for more details.
- *
- * Requires:
- *\li	'message' is a valid message with a properly formatting negative cache
- *	authority section.
- *
- *\li	The requirements of dns_db_addrdataset() apply to 'cache', 'node',
- *	'now', and 'addedrdataset'.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE
- *
- *\li	Any result code of dns_db_addrdataset() is a possible result code
- *	of dns_ncache_add().
- */
-
-isc_result_t
-dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
-		  isc_buffer_t *target, unsigned int options,
-		  unsigned int *countp);
-/*%<
- * Convert the negative caching rdataset 'rdataset' to wire format,
- * compressing names as specified in 'cctx', and storing the result in
- * 'target'.  If 'omit_dnssec' is set, DNSSEC records will not
- * be added to 'target'.
- *
- * Notes:
- *\li	The number of RRs added to target will be added to *countp.
- *
- * Requires:
- *\li	'rdataset' is a valid negative caching rdataset.
- *
- *\li	'rdataset' is not empty.
- *
- *\li	'countp' is a valid pointer.
- *
- * Ensures:
- *\li	On a return of ISC_R_SUCCESS, 'target' contains a wire format
- *	for the data contained in 'rdataset'.  Any error return leaves
- *	the buffer unchanged.
- *
- *\li	*countp has been incremented by the number of RRs added to
- *	target.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		- all ok
- *\li	#ISC_R_NOSPACE		- 'target' doesn't have enough room
- *
- *\li	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
- *	dns_name_towire().
- */
-
-isc_result_t
-dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
-		       dns_rdatatype_t type, dns_rdataset_t *rdataset);
-/*%<
- * Search the negative caching rdataset for an rdataset with the
- * specified name and type.
- *
- * Requires:
- *\li	'ncacherdataset' is a valid negative caching rdataset.
- *
- *\li	'ncacherdataset' is not empty.
- *
- *\li	'name' is a valid name.
- *
- *\li	'type' is not SIG, or a meta-RR type.
- *
- *\li	'rdataset' is a valid disassociated rdataset.
- *
- * Ensures:
- *\li	On a return of ISC_R_SUCCESS, 'rdataset' is bound to the found
- *	rdataset.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		- the rdataset was found.
- *\li	#ISC_R_NOTFOUND		- the rdataset was not found.
- *
- */
-
-isc_result_t
-dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
-			  dns_rdatatype_t covers, dns_rdataset_t *rdataset);
-/*%<
- * Similar to dns_ncache_getrdataset() but get the rrsig that matches.
- */
-
-void
-dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
-		   dns_rdataset_t *rdataset);
-
-/*%<
- * Extract the current rdataset and name from a ncache entry.
- *
- * Requires:
- * \li	'ncacherdataset' to be valid and to be a negative cache entry
- * \li	'found' to be valid.
- * \li	'rdataset' to be unassociated.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_NCACHE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/nsec.h b/contrib/bind9/lib/dns/include/dns/nsec.h
deleted file mode 100644
index 440ee4e..0000000
--- a/contrib/bind9/lib/dns/include/dns/nsec.h
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsec.h,v 1.14 2011/06/10 23:47:32 tbox Exp $ */
-
-#ifndef DNS_NSEC_H
-#define DNS_NSEC_H 1
-
-/*! \file dns/nsec.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-#include <dns/name.h>
-
-#define DNS_NSEC_BUFFERSIZE (DNS_NAME_MAXWIRE + 8192 + 512)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
-		    dns_dbnode_t *node, dns_name_t *target,
-		    unsigned char *buffer, dns_rdata_t *rdata);
-/*%<
- * Build the rdata of a NSEC record.
- *
- * Requires:
- *\li	buffer	Points to a temporary buffer of at least
- * 		DNS_NSEC_BUFFERSIZE bytes.
- *\li	rdata	Points to an initialized dns_rdata_t.
- *
- * Ensures:
- *  \li    *rdata	Contains a valid NSEC rdata.  The 'data' member refers
- *		to 'buffer'.
- */
-
-isc_result_t
-dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
-	       dns_name_t *target, dns_ttl_t ttl);
-/*%<
- * Build a NSEC record and add it to a database.
- */
-
-isc_boolean_t
-dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
-/*%<
- * Determine if a type is marked as present in an NSEC record.
- *
- * Requires:
- *\li	'nsec' points to a valid rdataset of type NSEC
- */
-
-isc_result_t
-dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
-		  isc_boolean_t *answer);
-/*
- * Report whether the DNSKEY RRset has a NSEC only algorithm.  Unknown
- * algorithms are assumed to support NSEC3.  If DNSKEY is not found,
- * *answer is set to ISC_FALSE, and ISC_R_NOTFOUND is returned.
- *
- * Requires:
- * 	'answer' to be non NULL.
- */
-
-unsigned int
-dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
-			unsigned int max_type);
-/*%<
- * Convert a raw bitmap into a compressed windowed bit map.  'map' and 'raw'
- * may overlap.
- *
- * Returns the length of the compressed windowed bit map.
- */
-
-void
-dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit);
-/*%<
- * Set type bit in raw 'array' to 'bit'.
- */
-
-isc_boolean_t
-dns_nsec_isset(const unsigned char *array, unsigned int type);
-/*%<
- * Test if the corresponding 'type' bit is set in 'array'.
- */
-
-isc_result_t
-dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
-		       dns_name_t *nsecname, dns_rdataset_t *nsecset,
-		       isc_boolean_t *exists, isc_boolean_t *data,
-		       dns_name_t *wild, dns_nseclog_t log, void *arg);
-/*%
- * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
- * or we can determine whether there is data or not at the name.
- * If the name does not exist return the wildcard name.
- *
- * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_NSEC_H */
diff --git a/contrib/bind9/lib/dns/include/dns/nsec3.h b/contrib/bind9/lib/dns/include/dns/nsec3.h
deleted file mode 100644
index e4a2286..0000000
--- a/contrib/bind9/lib/dns/include/dns/nsec3.h
+++ /dev/null
@@ -1,262 +0,0 @@
-/*
- * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsec3.h,v 1.14 2011/10/28 12:20:31 tbox Exp $ */
-
-#ifndef DNS_NSEC3_H
-#define DNS_NSEC3_H 1
-
-#include <isc/lang.h>
-#include <isc/iterated_hash.h>
-
-#include <dns/db.h>
-#include <dns/diff.h>
-#include <dns/name.h>
-#include <dns/rdatastruct.h>
-#include <dns/types.h>
-
-#define DNS_NSEC3_SALTSIZE 255
-
-/*
- * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
- * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
- */
-#define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
-/*
- * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
- */
-#define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
-
-/*
- * Test "unknown" algorithm.  Is mapped to dns_hash_sha1.
- */
-#define DNS_NSEC3_UNKNOWNALG 245U
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
-		     dns_dbnode_t *node, unsigned int hashalg,
-		     unsigned int optin, unsigned int iterations,
-		     const unsigned char *salt, size_t salt_length,
-		     const unsigned char *nexthash, size_t hash_length,
-		     unsigned char *buffer, dns_rdata_t *rdata);
-/*%<
- * Build the rdata of a NSEC3 record for the data at 'node'.
- * Note: 'node' is not the node where the NSEC3 record will be stored.
- *
- * Requires:
- *	buffer	Points to a temporary buffer of at least
- * 		DNS_NSEC_BUFFERSIZE bytes.
- *	rdata	Points to an initialized dns_rdata_t.
- *
- * Ensures:
- *      *rdata	Contains a valid NSEC3 rdata.  The 'data' member refers
- *		to 'buffer'.
- */
-
-isc_boolean_t
-dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
-/*%<
- * Determine if a type is marked as present in an NSEC3 record.
- *
- * Requires:
- *	'nsec' points to a valid rdataset of type NSEC3
- */
-
-isc_result_t
-dns_nsec3_hashname(dns_fixedname_t *result,
-		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
-		   size_t *hash_length, dns_name_t *name, dns_name_t *origin,
-		   dns_hash_t hashalg, unsigned int iterations,
-		   const unsigned char *salt, size_t saltlength);
-/*%<
- * Make a hashed domain name from an unhashed one. If rethash is not NULL
- * the raw hash is stored there.
- */
-
-unsigned int
-dns_nsec3_hashlength(dns_hash_t hash);
-/*%<
- * Return the length of the hash produced by the specified algorithm
- * or zero when unknown.
- */
-
-isc_boolean_t
-dns_nsec3_supportedhash(dns_hash_t hash);
-/*%<
- * Return whether we support this hash algorithm or not.
- */
-
-isc_result_t
-dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
-		   dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
-		   dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff);
-
-isc_result_t
-dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
-		    dns_name_t *name, dns_ttl_t nsecttl,
-		    isc_boolean_t unsecure, dns_diff_t *diff);
-
-isc_result_t
-dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
-		     dns_name_t *name, dns_ttl_t nsecttl,
-		     isc_boolean_t unsecure, dns_rdatatype_t private,
-		     dns_diff_t *diff);
-/*%<
- * Add NSEC3 records for 'name', recording the change in 'diff'.
- * Adjust previous NSEC3 records, if any, to reflect the addition.
- * The existing NSEC3 records are removed.
- *
- * dns_nsec3_addnsec3() will only add records to the chain identified by
- * 'nsec3param'.
- *
- * 'unsecure' should be set to reflect if this is a potentially
- * unsecure delegation (no DS record).
- *
- * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
- * chains to be updated.  NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
- * will be preferentially chosen over NSEC3PARAM records without
- * DNS_NSEC3FLAG_CREATE set.  NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
- * set will be ignored by dns_nsec3_addnsec3s().  If DNS_NSEC3FLAG_CREATE
- * is set then the new NSEC3 will have OPTOUT set to match the that in the
- * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
- * record in the chain.
- *
- * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
- * specifies the type of the private rdataset to be checked in addition to
- * the nsec3param rdataset at the zone apex.
- *
- * Requires:
- *	'db' to be valid.
- *	'version' to be valid or NULL.
- *	'name' to be valid.
- *	'nsec3param' to be valid.
- *	'diff' to be valid.
- */
-
-isc_result_t
-dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
-
-isc_result_t
-dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-		    dns_diff_t *diff);
-
-isc_result_t
-dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-		     dns_rdatatype_t private, dns_diff_t *diff);
-/*%<
- * Remove NSEC3 records for 'name', recording the change in 'diff'.
- * Adjust previous NSEC3 records, if any, to reflect the removal.
- *
- * dns_nsec3_delnsec3() performs the above for the chain identified by
- * 'nsec3param'.
- *
- * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
- * to dns_nsec3_addnsec3s().  Unlike dns_nsec3_addnsec3s() updated NSEC3
- * records have the OPTOUT flag preserved.
- *
- * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
- * specifies the type of the private rdataset to be checked in addition to
- * the nsec3param rdataset at the zone apex.
- *
- * Requires:
- *	'db' to be valid.
- *	'version' to be valid or NULL.
- *	'name' to be valid.
- *	'nsec3param' to be valid.
- *	'diff' to be valid.
- */
-
-isc_result_t
-dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
-		 isc_boolean_t complete, isc_boolean_t *answer);
-
-isc_result_t
-dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
-		  isc_boolean_t complete, dns_rdatatype_t private,
-		  isc_boolean_t *answer);
-/*%<
- * Check if there are any complete/to be built NSEC3 chains.
- * If 'complete' is ISC_TRUE only complete chains will be recognized.
- *
- * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
- * specifies the type of the private rdataset to be checked in addition to
- * the nsec3param rdataset at the zone apex.
- *
- * Requires:
- *	'db' to be valid.
- *	'version' to be valid or NULL.
- *	'answer' to be non NULL.
- */
-
-isc_result_t
-dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
-			isc_mem_t *mctx, unsigned int *iterationsp);
-/*%<
- * Find the maximum permissible number of iterations allowed based on
- * the key strength.
- *
- * Requires:
- *	'db' to be valid.
- *	'version' to be valid or NULL.
- *	'mctx' to be valid.
- *	'iterationsp' to be non NULL.
- */
-
-isc_boolean_t
-dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
-			   unsigned char *buf, size_t buflen);
-/*%<
- * Convert a private rdata to a nsec3param rdata.
- *
- * Return ISC_TRUE if 'src' could be successfully converted.
- *
- * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
- */
-
-void
-dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
-			 dns_rdatatype_t privatetype,
-			 unsigned char *buf, size_t buflen);
-/*%<
- * Convert a nsec3param rdata to a private rdata.
- *
- * 'buf' should be at least src->length + 1 in size.
- */
-
-isc_result_t
-dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
-			    dns_zone_t *zone, isc_boolean_t nonsec,
-			    dns_diff_t *diff);
-
-/*%<
- * Mark NSEC3PARAM for deletion.
- */
-
-isc_result_t
-dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
-			dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
-			dns_name_t *zonename, isc_boolean_t *exists,
-			isc_boolean_t *data, isc_boolean_t *optout,
-			isc_boolean_t *unknown, isc_boolean_t *setclosest,
-			isc_boolean_t *setnearest, dns_name_t *closest,
-			dns_name_t *nearest, dns_nseclog_t logit, void *arg);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_NSEC3_H */
diff --git a/contrib/bind9/lib/dns/include/dns/opcode.h b/contrib/bind9/lib/dns/include/dns/opcode.h
deleted file mode 100644
index 368b2b2..0000000
--- a/contrib/bind9/lib/dns/include/dns/opcode.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: opcode.h,v 1.8 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_OPCODE_H
-#define DNS_OPCODE_H 1
-
-/*! \file dns/opcode.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target);
-/*%<
- * Put a textual representation of error 'opcode' into 'target'.
- *
- * Requires:
- *\li	'opcode' is a valid opcode.
- *
- *\li	'target' is a valid text buffer.
- *
- * Ensures:
- *\li	If the result is success:
- *		The used space in 'target' is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#ISC_R_NOSPACE			target buffer is too small
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_OPCODE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/order.h b/contrib/bind9/lib/dns/include/dns/order.h
deleted file mode 100644
index 85663c3..0000000
--- a/contrib/bind9/lib/dns/include/dns/order.h
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: order.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_ORDER_H
-#define DNS_ORDER_H 1
-
-/*! \file dns/order.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_order_create(isc_mem_t *mctx, dns_order_t **orderp);
-/*%<
- * Create a order object.
- *
- * Requires:
- * \li	'orderp' to be non NULL and '*orderp == NULL'.
- *\li	'mctx' to be valid.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_order_add(dns_order_t *order, dns_name_t *name,
-	      dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
-	      unsigned int mode);
-/*%<
- * Add a entry to the end of the order list.
- *
- * Requires:
- * \li	'order' to be valid.
- *\li	'name' to be valid.
- *\li	'mode' to be one of #DNS_RDATASERATTR_RANDOMIZE,
- *		#DNS_RDATASERATTR_RANDOMIZE or zero (#DNS_RDATASERATTR_CYCLIC).
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-unsigned int
-dns_order_find(dns_order_t *order, dns_name_t *name,
-	       dns_rdatatype_t rdtype, dns_rdataclass_t rdclass);
-/*%<
- * Find the first matching entry on the list.
- *
- * Requires:
- *\li	'order' to be valid.
- *\li	'name' to be valid.
- *
- * Returns the mode set by dns_order_add() or zero.
- */
-
-void
-dns_order_attach(dns_order_t *source, dns_order_t **target);
-/*%<
- * Attach to the 'source' object.
- *
- * Requires:
- * \li	'source' to be valid.
- *\li	'target' to be non NULL and '*target == NULL'.
- */
-
-void
-dns_order_detach(dns_order_t **orderp);
-/*%<
- * Detach from the object.  Clean up if last this was the last
- * reference.
- *
- * Requires:
- *\li	'*orderp' to be valid.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ORDER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/peer.h b/contrib/bind9/lib/dns/include/dns/peer.h
deleted file mode 100644
index 86324a3..0000000
--- a/contrib/bind9/lib/dns/include/dns/peer.h
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: peer.h,v 1.35 2009/01/17 23:47:43 tbox Exp $ */
-
-#ifndef DNS_PEER_H
-#define DNS_PEER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/peer.h
- * \brief
- * Data structures for peers (e.g. a 'server' config file statement)
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/netaddr.h>
-
-#include <dns/types.h>
-
-#define DNS_PEERLIST_MAGIC	ISC_MAGIC('s','e','R','L')
-#define DNS_PEER_MAGIC		ISC_MAGIC('S','E','r','v')
-
-#define DNS_PEERLIST_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_PEERLIST_MAGIC)
-#define DNS_PEER_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_PEER_MAGIC)
-
-/***
- *** Types
- ***/
-
-struct dns_peerlist {
-	unsigned int		magic;
-	isc_uint32_t		refs;
-
-	isc_mem_t	       *mem;
-
-	ISC_LIST(dns_peer_t) elements;
-};
-
-struct dns_peer {
-	unsigned int		magic;
-	isc_uint32_t		refs;
-
-	isc_mem_t	       *mem;
-
-	isc_netaddr_t		address;
-	unsigned int		prefixlen;
-	isc_boolean_t		bogus;
-	dns_transfer_format_t	transfer_format;
-	isc_uint32_t		transfers;
-	isc_boolean_t		support_ixfr;
-	isc_boolean_t		provide_ixfr;
-	isc_boolean_t		request_ixfr;
-	isc_boolean_t		support_edns;
-	isc_boolean_t		request_nsid;
-	dns_name_t	       *key;
-	isc_sockaddr_t	       *transfer_source;
-	isc_sockaddr_t	       *notify_source;
-	isc_sockaddr_t	       *query_source;
-	isc_uint16_t		udpsize;		/* receive size */
-	isc_uint16_t		maxudp;			/* transmit size */
-
-	isc_uint32_t		bitflags;
-
-	ISC_LINK(dns_peer_t)	next;
-};
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list);
-
-void
-dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target);
-
-void
-dns_peerlist_detach(dns_peerlist_t **list);
-
-/*
- * After return caller still holds a reference to peer.
- */
-void
-dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer);
-
-/*
- * Ditto. */
-isc_result_t
-dns_peerlist_peerbyaddr(dns_peerlist_t *peers, isc_netaddr_t *addr,
-			dns_peer_t **retval);
-
-/*
- * What he said.
- */
-isc_result_t
-dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval);
-
-isc_result_t
-dns_peer_new(isc_mem_t *mem, isc_netaddr_t *ipaddr, dns_peer_t **peer);
-
-isc_result_t
-dns_peer_newprefix(isc_mem_t *mem, isc_netaddr_t *ipaddr,
-		   unsigned int prefixlen, dns_peer_t **peer);
-
-void
-dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
-
-void
-dns_peer_detach(dns_peer_t **list);
-
-isc_result_t
-dns_peer_setbogus(dns_peer_t *peer, isc_boolean_t newval);
-
-isc_result_t
-dns_peer_getbogus(dns_peer_t *peer, isc_boolean_t *retval);
-
-isc_result_t
-dns_peer_setrequestixfr(dns_peer_t *peer, isc_boolean_t newval);
-
-isc_result_t
-dns_peer_getrequestixfr(dns_peer_t *peer, isc_boolean_t *retval);
-
-isc_result_t
-dns_peer_setprovideixfr(dns_peer_t *peer, isc_boolean_t newval);
-
-isc_result_t
-dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval);
-
-isc_result_t
-dns_peer_setrequestnsid(dns_peer_t *peer, isc_boolean_t newval);
-
-isc_result_t
-dns_peer_getrequestnsid(dns_peer_t *peer, isc_boolean_t *retval);
-
-isc_result_t
-dns_peer_setsupportedns(dns_peer_t *peer, isc_boolean_t newval);
-
-isc_result_t
-dns_peer_getsupportedns(dns_peer_t *peer, isc_boolean_t *retval);
-
-isc_result_t
-dns_peer_settransfers(dns_peer_t *peer, isc_uint32_t newval);
-
-isc_result_t
-dns_peer_gettransfers(dns_peer_t *peer, isc_uint32_t *retval);
-
-isc_result_t
-dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval);
-
-isc_result_t
-dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval);
-
-isc_result_t
-dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval);
-
-isc_result_t
-dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval);
-
-isc_result_t
-dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
-
-isc_result_t
-dns_peer_settransfersource(dns_peer_t *peer,
-			   const isc_sockaddr_t *transfer_source);
-
-isc_result_t
-dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
-
-isc_result_t
-dns_peer_setudpsize(dns_peer_t *peer, isc_uint16_t udpsize);
-
-isc_result_t
-dns_peer_getudpsize(dns_peer_t *peer, isc_uint16_t *udpsize);
-
-isc_result_t
-dns_peer_setmaxudp(dns_peer_t *peer, isc_uint16_t maxudp);
-
-isc_result_t
-dns_peer_getmaxudp(dns_peer_t *peer, isc_uint16_t *maxudp);
-
-isc_result_t
-dns_peer_setnotifysource(dns_peer_t *peer, const isc_sockaddr_t *notify_source);
-
-isc_result_t
-dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source);
-
-isc_result_t
-dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source);
-
-isc_result_t
-dns_peer_getquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_PEER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/portlist.h b/contrib/bind9/lib/dns/include/dns/portlist.h
deleted file mode 100644
index f76731a..0000000
--- a/contrib/bind9/lib/dns/include/dns/portlist.h
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: portlist.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file dns/portlist.h */
-
-#include <isc/lang.h>
-#include <isc/net.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp);
-/*%<
- * Create a port list.
- * 
- * Requires:
- *\li	'mctx' to be valid.
- *\li	'portlistp' to be non NULL and '*portlistp' to be NULL;
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- */
-
-isc_result_t
-dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port);
-/*%<
- * Add the given <port,af> tuple to the portlist.
- *
- * Requires:
- *\li	'portlist' to be valid.
- *\li	'af' to be AF_INET or AF_INET6
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-void
-dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port);
-/*%<
- * Remove the given <port,af> tuple to the portlist.
- *
- * Requires:
- *\li	'portlist' to be valid.
- *\li	'af' to be AF_INET or AF_INET6
- */
-
-isc_boolean_t
-dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port);
-/*%<
- * Find the given <port,af> tuple to the portlist.
- *
- * Requires:
- *\li	'portlist' to be valid.
- *\li	'af' to be AF_INET or AF_INET6
- *
- * Returns
- * \li	#ISC_TRUE if the tuple is found, ISC_FALSE otherwise.
- */
-
-void
-dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp);
-/*%<
- * Attach to a port list.
- *
- * Requires:
- *\li	'portlist' to be valid.
- *\li	'portlistp' to be non NULL and '*portlistp' to be NULL;
- */
-
-void
-dns_portlist_detach(dns_portlist_t **portlistp);
-/*%<
- * Detach from a port list.
- *
- * Requires:
- *\li	'*portlistp' to be valid.
- */
-
-ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/private.h b/contrib/bind9/lib/dns/include/dns/private.h
deleted file mode 100644
index c4a2ae6..0000000
--- a/contrib/bind9/lib/dns/include/dns/private.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: private.h,v 1.5 2011/10/28 12:20:31 tbox Exp $ */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-#include <dns/db.h>
-
-#ifndef DNS_PRIVATE_H
-#define DNS_PRIVATE_H
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
-		   dns_rdatatype_t privatetype,
-		   isc_boolean_t *build_nsec, isc_boolean_t *build_nsec3);
-/*%<
- * Examine the NSEC, NSEC3PARAM and privatetype RRsets at the apex of the
- * database to determine which of NSEC or NSEC3 chains we are currently
- * maintaining.  In normal operations only one of NSEC or NSEC3 is being
- * maintained but when we are transitiong between NSEC and NSEC3 we need
- * to update both sets of chains.  If 'privatetype' is zero then the
- * privatetype RRset will not be examined.
- *
- * Requires:
- * \li	'db' is valid.
- * \li	'version' is valid or NULL.
- * \li	'build_nsec' is a pointer to a isc_boolean_t or NULL.
- * \li	'build_nsec3' is a pointer to a isc_boolean_t or NULL.
- *
- * Returns:
- * \li 	ISC_R_SUCCESS, 'build_nsec' and 'build_nsec3' will be valid.
- * \li	other on error
- */
-
-isc_result_t
-dns_private_totext(dns_rdata_t *privaterdata, isc_buffer_t *buffer);
-/*%<
- * Convert a private-type RR 'privaterdata' to human-readable form,
- * and place the result in 'buffer'.  The text should indicate
- * which action the private-type record specifies and whether the
- * action has been completed.
- *
- * Requires:
- * \li	'privaterdata' is a valid rdata containing at least five bytes
- * \li	'buffer' is a valid buffer
- *
- * Returns:
- * \li 	ISC_R_SUCCESS
- * \li	other on error
- */
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/lib/dns/include/dns/rbt.h b/contrib/bind9/lib/dns/include/dns/rbt.h
deleted file mode 100644
index 3e9dc88..0000000
--- a/contrib/bind9/lib/dns/include/dns/rbt.h
+++ /dev/null
@@ -1,942 +0,0 @@
-/*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rbt.h,v 1.77 2009/11/04 01:18:19 marka Exp $ */
-
-#ifndef DNS_RBT_H
-#define DNS_RBT_H 1
-
-/*! \file dns/rbt.h */
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/refcount.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_RBT_USEHASH 1
-
-/*@{*/
-/*%
- * Option values for dns_rbt_findnode() and dns_rbt_findname().
- * These are used to form a bitmask.
- */
-#define DNS_RBTFIND_NOOPTIONS                   0x00
-#define DNS_RBTFIND_EMPTYDATA                   0x01
-#define DNS_RBTFIND_NOEXACT                     0x02
-#define DNS_RBTFIND_NOPREDECESSOR               0x04
-/*@}*/
-
-#ifndef DNS_RBT_USEISCREFCOUNT
-#ifdef ISC_REFCOUNT_HAVEATOMIC
-#define DNS_RBT_USEISCREFCOUNT 1
-#endif
-#endif
-
-/*
- * These should add up to 30.
- */
-#define DNS_RBT_LOCKLENGTH                      10
-#define DNS_RBT_REFLENGTH                       20
-
-#define DNS_RBTNODE_MAGIC               ISC_MAGIC('R','B','N','O')
-#if DNS_RBT_USEMAGIC
-#define DNS_RBTNODE_VALID(n)            ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
-#else
-#define DNS_RBTNODE_VALID(n)            ISC_TRUE
-#endif
-
-/*%
- * This is the structure that is used for each node in the red/black
- * tree of trees.  NOTE WELL:  the implementation manages this as a variable
- * length structure, with the actual wire-format name and other data
- * appended to this structure.  Allocating a contiguous block of memory for
- * multiple dns_rbtnode structures will not work.
- */
-typedef struct dns_rbtnode dns_rbtnode_t;
-enum {
-	DNS_RBT_NSEC_NORMAL=0,      /* in main tree */
-	DNS_RBT_NSEC_HAS_NSEC=1,    /* also has node in nsec tree */
-	DNS_RBT_NSEC_NSEC=2,        /* in nsec tree */
-	DNS_RBT_NSEC_NSEC3=3        /* in nsec3 tree */
-};
-struct dns_rbtnode {
-#if DNS_RBT_USEMAGIC
-	unsigned int magic;
-#endif
-	dns_rbtnode_t *parent;
-	dns_rbtnode_t *left;
-	dns_rbtnode_t *right;
-	dns_rbtnode_t *down;
-#ifdef DNS_RBT_USEHASH
-	dns_rbtnode_t *hashnext;
-#endif
-
-	/*%
-	 * Used for LRU cache.  This linked list is used to mark nodes which
-	 * have no data any longer, but we cannot unlink at that exact moment
-	 * because we did not or could not obtain a write lock on the tree.
-	 */
-	ISC_LINK(dns_rbtnode_t) deadlink;
-
-	/*@{*/
-	/*!
-	 * The following bitfields add up to a total bitwidth of 32.
-	 * The range of values necessary for each item is indicated,
-	 * but in the case of "attributes" the field is wider to accommodate
-	 * possible future expansion.
-	 *
-	 * In each case below the "range" indicated is what's _necessary_ for
-	 * the bitfield to hold, not what it actually _can_ hold.
-	 */
-	unsigned int is_root : 1;       /*%< range is 0..1 */
-	unsigned int color : 1;         /*%< range is 0..1 */
-	unsigned int find_callback : 1; /*%< range is 0..1 */
-	unsigned int attributes : 3;    /*%< range is 0..2 */
-	unsigned int nsec : 2;          /*%< range is 0..3 */
-	unsigned int namelen : 8;       /*%< range is 1..255 */
-	unsigned int offsetlen : 8;     /*%< range is 1..128 */
-	unsigned int oldnamelen : 8;    /*%< range is 1..255 */
-	/*@}*/
-
-#ifdef DNS_RBT_USEHASH
-	unsigned int hashval;
-#endif
-
-	/*@{*/
-	/*!
-	 * These values are used in the RBT DB implementation.  The appropriate
-	 * node lock must be held before accessing them.
-	 */
-	void *data;
-	unsigned int dirty:1;
-	unsigned int wild:1;
-	unsigned int locknum:DNS_RBT_LOCKLENGTH;
-#ifndef DNS_RBT_USEISCREFCOUNT
-	unsigned int references:DNS_RBT_REFLENGTH;
-#else
-	isc_refcount_t references; /* note that this is not in the bitfield */
-#endif
-	/*@}*/
-};
-
-typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
-					      dns_name_t *name,
-					      void *callback_arg);
-
-/*****
- *****  Chain Info
- *****/
-
-/*!
- * A chain is used to keep track of the sequence of nodes to reach any given
- * node from the root of the tree.  Originally nodes did not have parent
- * pointers in them (for memory usage reasons) so there was no way to find
- * the path back to the root from any given node.  Now that nodes have parent
- * pointers, chains might be going away in a future release, though the
- * movement functionality would remain.
- *
- * In any event, parent information, whether via parent pointers or chains, is
- * necessary information for iterating through the tree or for basic internal
- * tree maintenance issues (ie, the rotations that are done to rebalance the
- * tree when a node is added).  The obvious implication of this is that for a
- * chain to remain valid, the tree has to be locked down against writes for the
- * duration of the useful life of the chain, because additions or removals can
- * change the path from the root to the node the chain has targeted.
- *
- * The dns_rbtnodechain_ functions _first, _last, _prev and _next all take
- * dns_name_t parameters for the name and the origin, which can be NULL.  If
- * non-NULL, 'name' will end up pointing to the name data and offsets that are
- * stored at the node (and thus it will be read-only), so it should be a
- * regular dns_name_t that has been initialized with dns_name_init.  When
- * 'origin' is non-NULL, it will get the name of the origin stored in it, so it
- * needs to have its own buffer space and offsets, which is most easily
- * accomplished with a dns_fixedname_t.  It is _not_ necessary to reinitialize
- * either 'name' or 'origin' between calls to the chain functions.
- *
- * NOTE WELL: even though the name data at the root of the tree of trees will
- * be absolute (typically just "."), it will will be made into a relative name
- * with an origin of "." -- an empty name when the node is ".".  This is
- * because a common on operation on 'name' and 'origin' is to use
- * dns_name_concatenate() on them to generate the complete name.  An empty name
- * can be detected when dns_name_countlabels == 0, and is printed by
- * dns_name_totext()/dns_name_format() as "@", consistent with RFC1035's
- * definition of "@" as the current origin.
- *
- * dns_rbtnodechain_current is similar to the _first, _last, _prev and _next
- * functions but additionally can provide the node to which the chain points.
- */
-
-/*%
- * The number of level blocks to allocate at a time.  Currently the maximum
- * number of levels is allocated directly in the structure, but future
- * revisions of this code might have a static initial block with dynamic
- * growth.  Allocating space for 256 levels when the tree is almost never that
- * deep is wasteful, but it's not clear that it matters, since the waste is
- * only 2MB for 1000 concurrently active chains on a system with 64-bit
- * pointers.
- */
-#define DNS_RBT_LEVELBLOCK 254
-
-typedef struct dns_rbtnodechain {
-	unsigned int            magic;
-	isc_mem_t *             mctx;
-	/*%
-	 * The terminal node of the chain.  It is not in levels[].
-	 * This is ostensibly private ... but in a pinch it could be
-	 * used tell that the chain points nowhere without needing to
-	 * call dns_rbtnodechain_current().
-	 */
-	dns_rbtnode_t *         end;
-	/*%
-	 * The maximum number of labels in a name is 128; bitstrings mean
-	 * a conceptually very large number (which I have not bothered to
-	 * compute) of logical levels because splitting can potentially occur
-	 * at each bit.  However, DNSSEC restricts the number of "logical"
-	 * labels in a name to 255, meaning only 254 pointers are needed
-	 * in the worst case.
-	 */
-	dns_rbtnode_t *         levels[DNS_RBT_LEVELBLOCK];
-	/*%
-	 * level_count indicates how deep the chain points into the
-	 * tree of trees, and is the index into the levels[] array.
-	 * Thus, levels[level_count - 1] is the last level node stored.
-	 * A chain that points to the top level of the tree of trees has
-	 * a level_count of 0, the first level has a level_count of 1, and
-	 * so on.
-	 */
-	unsigned int            level_count;
-	/*%
-	 * level_matches tells how many levels matched above the node
-	 * returned by dns_rbt_findnode().  A match (partial or exact) found
-	 * in the first level thus results in level_matches being set to 1.
-	 * This is used by the rbtdb to set the start point for a recursive
-	 * search of superdomains until the RR it is looking for is found.
-	 */
-	unsigned int            level_matches;
-} dns_rbtnodechain_t;
-
-/*****
- ***** Public interfaces.
- *****/
-isc_result_t
-dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
-	       void *deleter_arg, dns_rbt_t **rbtp);
-/*%<
- * Initialize a red-black tree of trees.
- *
- * Notes:
- *\li   The deleter argument, if non-null, points to a function that is
- *      responsible for cleaning up any memory associated with the data
- *      pointer of a node when the node is deleted.  It is passed the
- *      deleted node's data pointer as its first argument and deleter_arg
- *      as its second argument.
- *
- * Requires:
- * \li  mctx is a pointer to a valid memory context.
- *\li   rbtp != NULL && *rbtp == NULL
- *\li   arg == NULL iff deleter == NULL
- *
- * Ensures:
- *\li   If result is ISC_R_SUCCESS:
- *              *rbtp points to a valid red-black tree manager
- *
- *\li   If result is failure:
- *              *rbtp does not point to a valid red-black tree manager.
- *
- * Returns:
- *\li   #ISC_R_SUCCESS  Success
- *\li   #ISC_R_NOMEMORY Resource limit: Out of Memory
- */
-
-isc_result_t
-dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
-/*%<
- * Add 'name' to the tree of trees, associated with 'data'.
- *
- * Notes:
- *\li   'data' is never required to be non-NULL, but specifying it
- *      when the name is added is faster than searching for 'name'
- *      again and then setting the data pointer.  The lack of a data pointer
- *      for a node also has other ramifications regarding whether
- *      dns_rbt_findname considers a node to exist, or dns_rbt_deletename
- *      joins nodes.
- *
- * Requires:
- *\li   rbt is a valid rbt manager.
- *\li   dns_name_isabsolute(name) == TRUE
- *
- * Ensures:
- *\li   'name' is not altered in any way.
- *
- *\li   Any external references to nodes in the tree are unaffected by
- *      node splits that are necessary to insert the new name.
- *
- *\li   If result is #ISC_R_SUCCESS:
- *              'name' is findable in the red/black tree of trees in O(log N).
- *              The data pointer of the node for 'name' is set to 'data'.
- *
- *\li   If result is #ISC_R_EXISTS or #ISC_R_NOSPACE:
- *              The tree of trees is unaltered.
- *
- *\li   If result is #ISC_R_NOMEMORY:
- *              No guarantees.
- *
- * Returns:
- *\li   #ISC_R_SUCCESS  Success
- *\li   #ISC_R_EXISTS   The name already exists with associated data.
- *\li   #ISC_R_NOSPACE  The name had more logical labels than are allowed.
- *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory
- */
-
-isc_result_t
-dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep);
-
-/*%<
- * Just like dns_rbt_addname, but returns the address of the node.
- *
- * Requires:
- *\li   rbt is a valid rbt structure.
- *\li   dns_name_isabsolute(name) == TRUE
- *\li   nodep != NULL && *nodep == NULL
- *
- * Ensures:
- *\li   'name' is not altered in any way.
- *
- *\li   Any external references to nodes in the tree are unaffected by
- *      node splits that are necessary to insert the new name.
- *
- *\li   If result is ISC_R_SUCCESS:
- *              'name' is findable in the red/black tree of trees in O(log N).
- *              *nodep is the node that was added for 'name'.
- *
- *\li   If result is ISC_R_EXISTS:
- *              The tree of trees is unaltered.
- *              *nodep is the existing node for 'name'.
- *
- *\li   If result is ISC_R_NOMEMORY:
- *              No guarantees.
- *
- * Returns:
- *\li   #ISC_R_SUCCESS  Success
- *\li   #ISC_R_EXISTS   The name already exists, possibly without data.
- *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory
- */
-
-isc_result_t
-dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
-		 dns_name_t *foundname, void **data);
-/*%<
- * Get the data pointer associated with 'name'.
- *
- * Notes:
- *\li   When #DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
- *      returned (also subject to #DNS_RBTFIND_EMPTYDATA), even when there is
- *      an exact match in the tree.
- *
- *\li   A node that has no data is considered not to exist for this function,
- *      unless the #DNS_RBTFIND_EMPTYDATA option is set.
- *
- * Requires:
- *\li   rbt is a valid rbt manager.
- *\li   dns_name_isabsolute(name) == TRUE
- *\li   data != NULL && *data == NULL
- *
- * Ensures:
- *\li   'name' and the tree are not altered in any way.
- *
- *\li   If result is ISC_R_SUCCESS:
- *              *data is the data associated with 'name'.
- *
- *\li   If result is DNS_R_PARTIALMATCH:
- *              *data is the data associated with the deepest superdomain
- *              of 'name' which has data.
- *
- *\li   If result is ISC_R_NOTFOUND:
- *              Neither the name nor a superdomain was found with data.
- *
- * Returns:
- *\li   #ISC_R_SUCCESS          Success
- *\li   #DNS_R_PARTIALMATCH     Superdomain found with data
- *\li   #ISC_R_NOTFOUND         No match
- *\li   #ISC_R_NOSPACE          Concatenating nodes to form foundname failed
- */
-
-isc_result_t
-dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
-		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
-		 unsigned int options, dns_rbtfindcallback_t callback,
-		 void *callback_arg);
-/*%<
- * Find the node for 'name'.
- *
- * Notes:
- *\li   A node that has no data is considered not to exist for this function,
- *      unless the DNS_RBTFIND_EMPTYDATA option is set.  This applies to both
- *      exact matches and partial matches.
- *
- *\li   If the chain parameter is non-NULL, then the path through the tree
- *      to the DNSSEC predecessor of the searched for name is maintained,
- *      unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
- *      is used. (For more details on those options, see below.)
- *
- *\li   If there is no predecessor, then the chain will point to nowhere, as
- *      indicated by chain->end being NULL or dns_rbtnodechain_current
- *      returning ISC_R_NOTFOUND.  Note that in a normal Internet DNS RBT
- *      there will always be a predecessor for all names except the root
- *      name, because '.' will exist and '.' is the predecessor of
- *      everything.  But you can certainly construct a trivial tree and a
- *      search for it that has no predecessor.
- *
- *\li   Within the chain structure, the 'levels' member of the structure holds
- *      the root node of each level except the first.
- *
- *\li   The 'level_count' of the chain indicates how deep the chain to the
- *      predecessor name is, as an index into the 'levels[]' array.  It does
- *      not count name elements, per se, but only levels of the tree of trees,
- *      the distinction arising because multiple labels from a name can be
- *      stored on only one level.  It is also does not include the level
- *      that has the node, since that level is not stored in levels[].
- *
- *\li   The chain's 'level_matches' is not directly related to the predecessor.
- *      It is the number of levels above the level of the found 'node',
- *      regardless of whether it was a partial match or exact match.  When
- *      the node is found in the top level tree, or no node is found at all,
- *      level_matches is 0.
- *
- *\li   When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
- *      returned (also subject to DNS_RBTFIND_EMPTYDATA), even when
- *      there is an exact match in the tree.  In this case, the chain
- *      will not point to the DNSSEC predecessor, but will instead point
- *      to the exact match, if there was any.  Thus the preceding paragraphs
- *      should have "exact match" substituted for "predecessor" to describe
- *      how the various elements of the chain are set.  This was done to
- *      ensure that the chain's state was sane, and to prevent problems that
- *      occurred when running the predecessor location code under conditions
- *      it was not designed for.  It is not clear *where* the chain should
- *      point when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
- *      with this option because you want a particular node, let us know
- *      where you want the chain pointed, so this can be made more firm.
- *
- * Requires:
- *\li   rbt is a valid rbt manager.
- *\li   dns_name_isabsolute(name) == TRUE.
- *\li   node != NULL && *node == NULL.
- *\li   #DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutually
- *              exclusive.
- *
- * Ensures:
- *\li   'name' and the tree are not altered in any way.
- *
- *\li   If result is ISC_R_SUCCESS:
- *\verbatim
- *              *node is the terminal node for 'name'.
-
- *              'foundname' and 'name' represent the same name (though not
- *              the same memory).
-
- *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
- *
- *              chain->level_matches and chain->level_count are equal.
- *\endverbatim
- *
- *      If result is DNS_R_PARTIALMATCH:
- *\verbatim
- *              *node is the data associated with the deepest superdomain
- *              of 'name' which has data.
- *
- *              'foundname' is the name of deepest superdomain (which has
- *              data, unless the DNS_RBTFIND_EMPTYDATA option is set).
- *
- *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
- *\endverbatim
- *
- *\li   If result is ISC_R_NOTFOUND:
- *\verbatim
- *              Neither the name nor a superdomain was found.  *node is NULL.
- *
- *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
- *
- *              chain->level_matches is 0.
- *\endverbatim
- *
- * Returns:
- *\li   #ISC_R_SUCCESS          Success
- *\li   #DNS_R_PARTIALMATCH     Superdomain found with data
- *\li   #ISC_R_NOTFOUND         No match, or superdomain with no data
- *\li   #ISC_R_NOSPACE Concatenating nodes to form foundname failed
- */
-
-isc_result_t
-dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse);
-/*%<
- * Delete 'name' from the tree of trees.
- *
- * Notes:
- *\li   When 'name' is removed, if recurse is ISC_TRUE then all of its
- *      subnames are removed too.
- *
- * Requires:
- *\li   rbt is a valid rbt manager.
- *\li   dns_name_isabsolute(name) == TRUE
- *
- * Ensures:
- *\li   'name' is not altered in any way.
- *
- *\li   Does NOT ensure that any external references to nodes in the tree
- *      are unaffected by node joins.
- *
- *\li   If result is ISC_R_SUCCESS:
- *              'name' does not appear in the tree with data; however,
- *              the node for the name might still exist which can be
- *              found with dns_rbt_findnode (but not dns_rbt_findname).
- *
- *\li   If result is ISC_R_NOTFOUND:
- *              'name' does not appear in the tree with data, because
- *              it did not appear in the tree before the function was called.
- *
- *\li   If result is something else:
- *              See result codes for dns_rbt_findnode (if it fails, the
- *              node is not deleted) or dns_rbt_deletenode (if it fails,
- *              the node is deleted, but the tree is not optimized when
- *              it could have been).
- *
- * Returns:
- *\li   #ISC_R_SUCCESS  Success
- *\li   #ISC_R_NOTFOUND No match
- *\li   something_else  Any return code from dns_rbt_findnode except
- *                      DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
- *                      to be returned instead), and any code from
- *                      dns_rbt_deletenode.
- */
-
-isc_result_t
-dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse);
-/*%<
- * Delete 'node' from the tree of trees.
- *
- * Notes:
- *\li   When 'node' is removed, if recurse is ISC_TRUE then all nodes
- *      in levels down from it are removed too.
- *
- * Requires:
- *\li   rbt is a valid rbt manager.
- *\li   node != NULL.
- *
- * Ensures:
- *\li   Does NOT ensure that any external references to nodes in the tree
- *      are unaffected by node joins.
- *
- *\li   If result is ISC_R_SUCCESS:
- *              'node' does not appear in the tree with data; however,
- *              the node might still exist if it serves as a pointer to
- *              a lower tree level as long as 'recurse' was false, hence
- *              the node could can be found with dns_rbt_findnode when
- *              that function's empty_data_ok parameter is true.
- *
- *\li   If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
- *              The node was deleted, but the tree structure was not
- *              optimized.
- *
- * Returns:
- *\li   #ISC_R_SUCCESS  Success
- *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory when joining nodes.
- *\li   #ISC_R_NOSPACE  dns_name_concatenate failed when joining nodes.
- */
-
-void
-dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name);
-/*%<
- * Convert the sequence of labels stored at 'node' into a 'name'.
- *
- * Notes:
- *\li   This function does not return the full name, from the root, but
- *      just the labels at the indicated node.
- *
- *\li   The name data pointed to by 'name' is the information stored
- *      in the node, not a copy.  Altering the data at this pointer
- *      will likely cause grief.
- *
- * Requires:
- * \li  name->offsets == NULL
- *
- * Ensures:
- * \li  'name' is DNS_NAMEATTR_READONLY.
- *
- * \li  'name' will point directly to the labels stored after the
- *      dns_rbtnode_t struct.
- *
- * \li  'name' will have offsets that also point to the information stored
- *      as part of the node.
- */
-
-isc_result_t
-dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name);
-/*%<
- * Like dns_rbt_namefromnode, but returns the full name from the root.
- *
- * Notes:
- * \li  Unlike dns_rbt_namefromnode, the name will not point directly
- *      to node data.  Rather, dns_name_concatenate will be used to copy
- *      the name data from each node into the 'name' argument.
- *
- * Requires:
- * \li  name != NULL
- * \li  name has a dedicated buffer.
- *
- * Returns:
- * \li  ISC_R_SUCCESS
- * \li  ISC_R_NOSPACE           (possible via dns_name_concatenate)
- * \li  DNS_R_NAMETOOLONG       (possible via dns_name_concatenate)
- */
-
-char *
-dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname,
-		       unsigned int size);
-/*%<
- * Format the full name of a node for printing, using dns_name_format().
- *
- * Notes:
- * \li  'size' is the length of the printname buffer.  This should be
- *      DNS_NAME_FORMATSIZE or larger.
- *
- * Requires:
- * \li  node and printname are not NULL.
- *
- * Returns:
- * \li  The 'printname' pointer.
- */
-
-unsigned int
-dns_rbt_nodecount(dns_rbt_t *rbt);
-/*%<
- * Obtain the number of nodes in the tree of trees.
- *
- * Requires:
- * \li  rbt is a valid rbt manager.
- */
-
-void
-dns_rbt_destroy(dns_rbt_t **rbtp);
-isc_result_t
-dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
-/*%<
- * Stop working with a red-black tree of trees.
- * If 'quantum' is zero then the entire tree will be destroyed.
- * If 'quantum' is non zero then up to 'quantum' nodes will be destroyed
- * allowing the rbt to be incrementally destroyed by repeated calls to
- * dns_rbt_destroy2().  Once dns_rbt_destroy2() has been called no other
- * operations than dns_rbt_destroy()/dns_rbt_destroy2() should be
- * performed on the tree of trees.
- *
- * Requires:
- * \li  *rbt is a valid rbt manager.
- *
- * Ensures on ISC_R_SUCCESS:
- * \li  All space allocated by the RBT library has been returned.
- *
- * \li  *rbt is invalidated as an rbt manager.
- *
- * Returns:
- * \li  ISC_R_SUCCESS
- * \li  ISC_R_QUOTA if 'quantum' nodes have been destroyed.
- */
-
-void
-dns_rbt_printall(dns_rbt_t *rbt);
-/*%<
- * Print an ASCII representation of the internal structure of the red-black
- * tree of trees.
- *
- * Notes:
- * \li  The name stored at each node, along with the node's color, is printed.
- *      Then the down pointer, left and right pointers are displayed
- *      recursively in turn.  NULL down pointers are silently omitted;
- *      NULL left and right pointers are printed.
- */
-
-/*****
- ***** Chain Functions
- *****/
-
-void
-dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx);
-/*%<
- * Initialize 'chain'.
- *
- * Requires:
- *\li   'chain' is a valid pointer.
- *
- *\li   'mctx' is a valid memory context.
- *
- * Ensures:
- *\li   'chain' is suitable for use.
- */
-
-void
-dns_rbtnodechain_reset(dns_rbtnodechain_t *chain);
-/*%<
- * Free any dynamic storage associated with 'chain', and then reinitialize
- * 'chain'.
- *
- * Requires:
- *\li   'chain' is a valid pointer.
- *
- * Ensures:
- *\li   'chain' is suitable for use, and uses no dynamic storage.
- */
-
-void
-dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain);
-/*%<
- * Free any dynamic storage associated with 'chain', and then invalidates it.
- *
- * Notes:
- *\li   Future calls to any dns_rbtnodechain_ function will need to call
- *      dns_rbtnodechain_init on the chain first (except, of course,
- *      dns_rbtnodechain_init itself).
- *
- * Requires:
- *\li   'chain' is a valid chain.
- *
- * Ensures:
- *\li   'chain' is no longer suitable for use, and uses no dynamic storage.
- */
-
-isc_result_t
-dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
-			 dns_name_t *origin, dns_rbtnode_t **node);
-/*%<
- * Provide the name, origin and node to which the chain is currently pointed.
- *
- * Notes:
- *\li   The tree need not have be locked against additions for the chain
- *      to remain valid, however there are no guarantees if any deletion
- *      has been made since the chain was established.
- *
- * Requires:
- *\li   'chain' is a valid chain.
- *
- * Ensures:
- *\li   'node', if non-NULL, is the node to which the chain was pointed
- *      by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
- *      If none were called for the chain since it was initialized or reset,
- *      or if the was no predecessor to the name searched for with
- *      dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
- *
- *\li   'name', if non-NULL, is the name stored at the terminal level of
- *      the chain.  This is typically a single label, like the "www" of
- *      "www.isc.org", but need not be so.  At the root of the tree of trees,
- *      if the node is "." then 'name' is ".", otherwise it is relative to ".".
- *      (Minimalist and atypical case:  if the tree has just the name
- *      "isc.org." then the root node's stored name is "isc.org." but 'name'
- *      will be "isc.org".)
- *
- *\li   'origin', if non-NULL, is the sequence of labels in the levels
- *      above the terminal level, such as "isc.org." in the above example.
- *      'origin' is always "." for the root node.
- *
- *
- * Returns:
- *\li   #ISC_R_SUCCESS          name, origin & node were successfully set.
- *\li   #ISC_R_NOTFOUND         The chain does not point to any node.
- *\li   &lt;something_else>     Any error return from dns_name_concatenate.
- */
-
-isc_result_t
-dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
-		       dns_name_t *name, dns_name_t *origin);
-/*%<
- * Set the chain to the lexically first node in the tree of trees.
- *
- * Notes:
- *\li   By the definition of ordering for DNS names, the root of the tree of
- *      trees is the very first node, since everything else in the megatree
- *      uses it as a common suffix.
- *
- * Requires:
- *\li   'chain' is a valid chain.
- *\li   'rbt' is a valid rbt manager.
- *
- * Ensures:
- *\li   The chain points to the very first node of the tree.
- *
- *\li   'name' and 'origin', if non-NULL, are set as described for
- *      dns_rbtnodechain_current.  Thus 'origin' will always be ".".
- *
- * Returns:
- *\li   #DNS_R_NEWORIGIN                The name & origin were successfully set.
- *\li   &lt;something_else>     Any error result from dns_rbtnodechain_current.
- */
-
-isc_result_t
-dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
-		       dns_name_t *name, dns_name_t *origin);
-/*%<
- * Set the chain to the lexically last node in the tree of trees.
- *
- * Requires:
- *\li   'chain' is a valid chain.
- *\li   'rbt' is a valid rbt manager.
- *
- * Ensures:
- *\li   The chain points to the very last node of the tree.
- *
- *\li   'name' and 'origin', if non-NULL, are set as described for
- *      dns_rbtnodechain_current.
- *
- * Returns:
- *\li   #DNS_R_NEWORIGIN                The name & origin were successfully set.
- *\li   #ISC_R_NOMEMORY         Resource Limit: Out of Memory building chain.
- *\li   &lt;something_else>     Any error result from dns_name_concatenate.
- */
-
-isc_result_t
-dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
-		      dns_name_t *origin);
-/*%<
- * Adjusts chain to point the DNSSEC predecessor of the name to which it
- * is currently pointed.
- *
- * Requires:
- *\li   'chain' is a valid chain.
- *\li   'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
- *      dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
- *      dns_rbt_findnode is not guaranteed to point the chain somewhere,
- *      since there may have been no predecessor to the searched for name.
- *
- * Ensures:
- *\li   The chain is pointed to the predecessor of its current target.
- *
- *\li   'name' and 'origin', if non-NULL, are set as described for
- *      dns_rbtnodechain_current.
- *
- *\li   'origin' is only if a new origin was found.
- *
- * Returns:
- *\li   #ISC_R_SUCCESS          The predecessor was found and 'name' was set.
- *\li   #DNS_R_NEWORIGIN                The predecessor was found with a different
- *                              origin and 'name' and 'origin' were set.
- *\li   #ISC_R_NOMORE           There was no predecessor.
- *\li   &lt;something_else>     Any error result from dns_rbtnodechain_current.
- */
-
-isc_result_t
-dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
-		      dns_name_t *origin);
-/*%<
- * Adjusts chain to point the DNSSEC successor of the name to which it
- * is currently pointed.
- *
- * Requires:
- *\li   'chain' is a valid chain.
- *\li   'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
- *      dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
- *      dns_rbt_findnode is not guaranteed to point the chain somewhere,
- *      since there may have been no predecessor to the searched for name.
- *
- * Ensures:
- *\li   The chain is pointed to the successor of its current target.
- *
- *\li   'name' and 'origin', if non-NULL, are set as described for
- *      dns_rbtnodechain_current.
- *
- *\li   'origin' is only if a new origin was found.
- *
- * Returns:
- *\li   #ISC_R_SUCCESS          The successor was found and 'name' was set.
- *\li   #DNS_R_NEWORIGIN                The successor was found with a different
- *                              origin and 'name' and 'origin' were set.
- *\li   #ISC_R_NOMORE           There was no successor.
- *\li   &lt;something_else>     Any error result from dns_name_concatenate.
- */
-
-isc_result_t
-dns_rbtnodechain_down(dns_rbtnodechain_t *chain, dns_name_t *name,
-		      dns_name_t *origin);
-/*%<
- * Descend down if possible.
- */
-
-isc_result_t
-dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name);
-/*%<
- * Find the next node at the current depth in DNSSEC order.
- */
-
-/*
- * Wrapper macros for manipulating the rbtnode reference counter:
- *   Since we selectively use isc_refcount_t for the reference counter of
- *   a rbtnode, operations on the counter depend on the actual type of it.
- *   The following macros provide a common interface to these operations,
- *   hiding the back-end.  The usage is the same as that of isc_refcount_xxx().
- */
-#ifdef DNS_RBT_USEISCREFCOUNT
-#define dns_rbtnode_refinit(node, n)                            \
-	do {                                                    \
-		isc_refcount_init(&(node)->references, (n));    \
-	} while (0)
-#define dns_rbtnode_refdestroy(node)                            \
-	do {                                                    \
-		isc_refcount_destroy(&(node)->references);      \
-	} while (0)
-#define dns_rbtnode_refcurrent(node)                            \
-	isc_refcount_current(&(node)->references)
-#define dns_rbtnode_refincrement0(node, refs)                   \
-	do {                                                    \
-		isc_refcount_increment0(&(node)->references, (refs)); \
-	} while (0)
-#define dns_rbtnode_refincrement(node, refs)                    \
-	do {                                                    \
-		isc_refcount_increment(&(node)->references, (refs)); \
-	} while (0)
-#define dns_rbtnode_refdecrement(node, refs)                    \
-	do {                                                    \
-		isc_refcount_decrement(&(node)->references, (refs)); \
-	} while (0)
-#else  /* DNS_RBT_USEISCREFCOUNT */
-#define dns_rbtnode_refinit(node, n)    ((node)->references = (n))
-#define dns_rbtnode_refdestroy(node)    REQUIRE((node)->references == 0)
-#define dns_rbtnode_refcurrent(node)    ((node)->references)
-#define dns_rbtnode_refincrement0(node, refs)                   \
-	do {                                                    \
-		unsigned int *_tmp = (unsigned int *)(refs);    \
-		(node)->references++;                           \
-		if ((_tmp) != NULL)                             \
-			(*_tmp) = (node)->references;           \
-	} while (0)
-#define dns_rbtnode_refincrement(node, refs)                    \
-	do {                                                    \
-		REQUIRE((node)->references > 0);                \
-		(node)->references++;                           \
-		if ((refs) != NULL)                             \
-			(*refs) = (node)->references;           \
-	} while (0)
-#define dns_rbtnode_refdecrement(node, refs)                    \
-	do {                                                    \
-		REQUIRE((node)->references > 0);                \
-		(node)->references--;                           \
-		if ((refs) != NULL)                             \
-			(*refs) = (node)->references;           \
-	} while (0)
-#endif /* DNS_RBT_USEISCREFCOUNT */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RBT_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rcode.h b/contrib/bind9/lib/dns/include/dns/rcode.h
deleted file mode 100644
index 94e831b..0000000
--- a/contrib/bind9/lib/dns/include/dns/rcode.h
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rcode.h,v 1.21 2008/09/25 04:02:39 tbox Exp $ */
-
-#ifndef DNS_RCODE_H
-#define DNS_RCODE_H 1
-
-/*! \file dns/rcode.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source);
-/*%<
- * Convert the text 'source' refers to into a DNS error value.
- *
- * Requires:
- *\li	'rcodep' is a valid pointer.
- *
- *\li	'source' is a valid text region.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#DNS_R_UNKNOWN			type is unknown
- */
-
-isc_result_t dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
-/*%<
- * Put a textual representation of error 'rcode' into 'target'.
- *
- * Requires:
- *\li	'rcode' is a valid rcode.
- *
- *\li	'target' is a valid text buffer.
- *
- * Ensures:
- *\li	If the result is success:
- *		The used space in 'target' is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#ISC_R_NOSPACE			target buffer is too small
- */
-
-isc_result_t dns_tsigrcode_fromtext(dns_rcode_t *rcodep,
-				    isc_textregion_t *source);
-/*%<
- * Convert the text 'source' refers to into a TSIG/TKEY error value.
- *
- * Requires:
- *\li	'rcodep' is a valid pointer.
- *
- *\li	'source' is a valid text region.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#DNS_R_UNKNOWN			type is unknown
- */
-
-isc_result_t dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
-/*%<
- * Put a textual representation of TSIG/TKEY error 'rcode' into 'target'.
- *
- * Requires:
- *\li	'rcode' is a valid TSIG/TKEY error code.
- *
- *\li	'target' is a valid text buffer.
- *
- * Ensures:
- *\li	If the result is success:
- *		The used space in 'target' is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#ISC_R_NOSPACE			target buffer is too small
- */
-
-isc_result_t
-dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source);
-/*%<
- * Convert the text 'source' refers to into a has algorithm value.
- *
- * Requires:
- *\li	'hashalg' is a valid pointer.
- *
- *\li	'source' is a valid text region.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#DNS_R_UNKNOWN			type is unknown
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RCODE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdata.h b/contrib/bind9/lib/dns/include/dns/rdata.h
deleted file mode 100644
index 89ecaf8..0000000
--- a/contrib/bind9/lib/dns/include/dns/rdata.h
+++ /dev/null
@@ -1,774 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdata.h,v 1.80 2011/03/20 02:31:53 marka Exp $ */
-
-#ifndef DNS_RDATA_H
-#define DNS_RDATA_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/rdata.h
- * \brief
- * Provides facilities for manipulating DNS rdata, including conversions to
- * and from wire format and text format.
- *
- * Given the large amount of rdata possible in a nameserver, it was important
- * to come up with a very efficient way of storing rdata, but at the same
- * time allow it to be manipulated.
- *
- * The decision was to store rdata in uncompressed wire format,
- * and not to make it a fully abstracted object; i.e. certain parts of the
- * server know rdata is stored that way.  This saves a lot of memory, and
- * makes adding rdata to messages easy.  Having much of the server know
- * the representation would be perilous, and we certainly don't want each
- * user of rdata to be manipulating such a low-level structure.  This is
- * where the rdata module comes in.  The module allows rdata handles to be
- * created and attached to uncompressed wire format regions.  All rdata
- * operations and conversions are done through these handles.
- *
- * Implementation Notes:
- *
- *\li	The routines in this module are expected to be synthesized by the
- *	build process from a set of source files, one per rdata type.  For
- *	portability, it's probably best that the building be done by a C
- *	program.  Adding a new rdata type will be a simple matter of adding
- *	a file to a directory and rebuilding the server.  *All* knowledge of
- *	the format of a particular rdata type is in this file.
- *
- * MP:
- *\li	Clients of this module must impose any required synchronization.
- *
- * Reliability:
- *\li	This module deals with low-level byte streams.  Errors in any of
- *	the functions are likely to crash the server or corrupt memory.
- *
- *\li	Rdata is typed, and the caller must know what type of rdata it has.
- *	A caller that gets this wrong could crash the server.
- *
- *\li	The fromstruct() and tostruct() routines use a void * pointer to
- *	represent the structure.  The caller must ensure that it passes a
- *	pointer to the appropriate type, or the server could crash or memory
- *	could be corrupted.
- *
- * Resources:
- *\li	None.
- *
- * Security:
- *
- *\li	*** WARNING ***
- *	dns_rdata_fromwire() deals with raw network data.  An error in
- *	this routine could result in the failure or hijacking of the server.
- *
- * Standards:
- *\li	RFC1035
- *\li	Draft EDNS0 (0)
- *\li	Draft EDNS1 (0)
- *\li	Draft Binary Labels (2)
- *\li	Draft Local Compression (1)
- *\li	Various RFCs for particular types; these will be documented in the
- *	 sources files of the types.
- *
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-#include <dns/name.h>
-#include <dns/message.h>
-
-ISC_LANG_BEGINDECLS
-
-
-/***
- *** Types
- ***/
-
-/*%
- ***** An 'rdata' is a handle to a binary region.  The handle has an RR
- ***** class and type, and the data in the binary region is in the format
- ***** of the given class and type.
- *****/
-/*%
- * Clients are strongly discouraged from using this type directly, with
- * the exception of the 'link' field which may be used directly for whatever
- * purpose the client desires.
- */
-struct dns_rdata {
-	unsigned char *			data;
-	unsigned int			length;
-	dns_rdataclass_t		rdclass;
-	dns_rdatatype_t			type;
-	unsigned int			flags;
-	ISC_LINK(dns_rdata_t)		link;
-};
-
-#define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
-
-#define DNS_RDATA_CHECKINITIALIZED
-#ifdef DNS_RDATA_CHECKINITIALIZED
-#define DNS_RDATA_INITIALIZED(rdata) \
-	((rdata)->data == NULL && (rdata)->length == 0 && \
-	 (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
-	 !ISC_LINK_LINKED((rdata), link))
-#else
-#ifdef ISC_LIST_CHECKINIT
-#define DNS_RDATA_INITIALIZED(rdata) \
-	(!ISC_LINK_LINKED((rdata), link))
-#else
-#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
-#endif
-#endif
-
-#define DNS_RDATA_UPDATE	0x0001		/*%< update pseudo record. */
-#define DNS_RDATA_OFFLINE	0x0002		/*%< RRSIG has a offline key. */
-
-#define DNS_RDATA_VALIDFLAGS(rdata) \
-	(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
-
-/*
- * The maximum length of a RDATA that can be sent on the wire.
- * Max packet size (65535) less header (12), less name (1), type (2),
- * class (2), ttl(4), length (2).
- *
- * None of the defined types that support name compression can exceed
- * this and all new types are to be sent uncompressed.
- */
-
-#define DNS_RDATA_MAXLENGTH	65512U
-
-/*
- * Flags affecting rdata formatting style.  Flags 0xFFFF0000
- * are used by masterfile-level formatting and defined elsewhere.
- * See additional comments at dns_rdata_tofmttext().
- */
-
-/*% Split the rdata into multiple lines to try to keep it
- within the "width". */
-#define DNS_STYLEFLAG_MULTILINE		0x00000001U
-
-/*% Output explanatory comments. */
-#define DNS_STYLEFLAG_COMMENT		0x00000002U
-#define DNS_STYLEFLAG_RRCOMMENT		0x00000004U
-
-#define DNS_RDATA_DOWNCASE		DNS_NAME_DOWNCASE
-#define DNS_RDATA_CHECKNAMES		DNS_NAME_CHECKNAMES
-#define DNS_RDATA_CHECKNAMESFAIL	DNS_NAME_CHECKNAMESFAIL
-#define DNS_RDATA_CHECKREVERSE		DNS_NAME_CHECKREVERSE
-#define DNS_RDATA_CHECKMX		DNS_NAME_CHECKMX
-#define DNS_RDATA_CHECKMXFAIL		DNS_NAME_CHECKMXFAIL
-#define DNS_RDATA_UNKNOWNESCAPE		0x80000000
-
-/***
- *** Initialization
- ***/
-
-void
-dns_rdata_init(dns_rdata_t *rdata);
-/*%<
- * Make 'rdata' empty.
- *
- * Requires:
- *	'rdata' is a valid rdata (i.e. not NULL, points to a struct dns_rdata)
- */
-
-void
-dns_rdata_reset(dns_rdata_t *rdata);
-/*%<
- * Make 'rdata' empty.
- *
- * Requires:
- *\li	'rdata' is a previously initialized rdata and is not linked.
- */
-
-void
-dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target);
-/*%<
- * Clone 'target' from 'src'.
- *
- * Requires:
- *\li	'src' to be initialized.
- *\li	'target' to be initialized.
- */
-
-/***
- *** Comparisons
- ***/
-
-int
-dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
-/*%<
- * Determine the relative ordering under the DNSSEC order relation of
- * 'rdata1' and 'rdata2'.
- *
- * Requires:
- *
- *\li	'rdata1' is a valid, non-empty rdata
- *
- *\li	'rdata2' is a valid, non-empty rdata
- *
- * Returns:
- *\li	< 0		'rdata1' is less than 'rdata2'
- *\li	0		'rdata1' is equal to 'rdata2'
- *\li	> 0		'rdata1' is greater than 'rdata2'
- */
-
-int
-dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
-/*%<
- * dns_rdata_casecompare() is similar to dns_rdata_compare() but also
- * compares domain names case insensitively in known rdata types that
- * are treated as opaque data by dns_rdata_compare().
- *
- * Requires:
- *
- *\li	'rdata1' is a valid, non-empty rdata
- *
- *\li	'rdata2' is a valid, non-empty rdata
- *
- * Returns:
- *\li	< 0		'rdata1' is less than 'rdata2'
- *\li	0		'rdata1' is equal to 'rdata2'
- *\li	> 0		'rdata1' is greater than 'rdata2'
- */
-
-/***
- *** Conversions
- ***/
-
-void
-dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
-		     dns_rdatatype_t type, isc_region_t *r);
-/*%<
- * Make 'rdata' refer to region 'r'.
- *
- * Requires:
- *
- *\li	The data in 'r' is properly formatted for whatever type it is.
- */
-
-void
-dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r);
-/*%<
- * Make 'r' refer to 'rdata'.
- */
-
-isc_result_t
-dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
-		   dns_rdatatype_t type, isc_buffer_t *source,
-		   dns_decompress_t *dctx, unsigned int options,
-		   isc_buffer_t *target);
-/*%<
- * Copy the possibly-compressed rdata at source into the target region.
- *
- * Notes:
- *\li	Name decompression policy is controlled by 'dctx'.
- *
- *	'options'
- *\li	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
- *				into target.
- *
- * Requires:
- *
- *\li	'rdclass' and 'type' are valid.
- *
- *\li	'source' is a valid buffer, and the active region of 'source'
- *	references the rdata to be processed.
- *
- *\li	'target' is a valid buffer.
- *
- *\li	'dctx' is a valid decompression context.
- *
- * Ensures,
- *	if result is success:
- *	\li 	If 'rdata' is not NULL, it is attached to the target.
- *	\li	The conditions dns_name_fromwire() ensures for names hold
- *		for all names in the rdata.
- *	\li	The current location in source is advanced, and the used space
- *		in target is updated.
- *
- * Result:
- *\li	Success
- *\li	Any non-success status from dns_name_fromwire()
- *\li	Various 'Bad Form' class failures depending on class and type
- *\li	Bad Form: Input too short
- *\li	Resource Limit: Not enough space
- */
-
-isc_result_t
-dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
-		 isc_buffer_t *target);
-/*%<
- * Convert 'rdata' into wire format, compressing it as specified by the
- * compression context 'cctx', and storing the result in 'target'.
- *
- * Notes:
- *\li	If the compression context allows global compression, then the
- *	global compression table may be updated.
- *
- * Requires:
- *\li	'rdata' is a valid, non-empty rdata
- *
- *\li	target is a valid buffer
- *
- *\li	Any offsets specified in a global compression table are valid
- *	for target.
- *
- * Ensures,
- *	if the result is success:
- *	\li	The used space in target is updated.
- *
- * Returns:
- *\li	Success
- *\li	Any non-success status from dns_name_towire()
- *\li	Resource Limit: Not enough space
- */
-
-isc_result_t
-dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
-		   dns_rdatatype_t type, isc_lex_t *lexer, dns_name_t *origin,
-		   unsigned int options, isc_mem_t *mctx,
-		   isc_buffer_t *target, dns_rdatacallbacks_t *callbacks);
-/*%<
- * Convert the textual representation of a DNS rdata into uncompressed wire
- * form stored in the target region.  Tokens constituting the text of the rdata
- * are taken from 'lexer'.
- *
- * Notes:
- *\li	Relative domain names in the rdata will have 'origin' appended to them.
- *	A NULL origin implies "origin == dns_rootname".
- *
- *
- *	'options'
- *\li	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
- *				into target.
- *\li	DNS_RDATA_CHECKNAMES 	perform checknames checks.
- *\li	DNS_RDATA_CHECKNAMESFAIL fail if the checknames check fail.  If
- *				not set a warning will be issued.
- *\li	DNS_RDATA_CHECKREVERSE  this should set if the owner name ends
- *				in IP6.ARPA, IP6.INT or IN-ADDR.ARPA.
- *
- * Requires:
- *
- *\li	'rdclass' and 'type' are valid.
- *
- *\li	'lexer' is a valid isc_lex_t.
- *
- *\li	'mctx' is a valid isc_mem_t.
- *
- *\li	'target' is a valid region.
- *
- *\li	'origin' if non NULL it must be absolute.
- *
- *\li	'callbacks' to be NULL or callbacks->warn and callbacks->error be
- *	initialized.
- *
- * Ensures,
- *	if result is success:
- *\li	 	If 'rdata' is not NULL, it is attached to the target.
-
- *\li		The conditions dns_name_fromtext() ensures for names hold
- *		for all names in the rdata.
-
- *\li		The used space in target is updated.
- *
- * Result:
- *\li	Success
- *\li	Translated result codes from isc_lex_gettoken
- *\li	Various 'Bad Form' class failures depending on class and type
- *\li	Bad Form: Input too short
- *\li	Resource Limit: Not enough space
- *\li	Resource Limit: Not enough memory
- */
-
-isc_result_t
-dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target);
-/*%<
- * Convert 'rdata' into text format, storing the result in 'target'.
- * The text will consist of a single line, with fields separated by
- * single spaces.
- *
- * Notes:
- *\li	If 'origin' is not NULL, then any names in the rdata that are
- *	subdomains of 'origin' will be made relative it.
- *
- *\li	XXX Do we *really* want to support 'origin'?  I'm inclined towards "no"
- *	at the moment.
- *
- * Requires:
- *
- *\li	'rdata' is a valid, non-empty rdata
- *
- *\li	'origin' is NULL, or is a valid name
- *
- *\li	'target' is a valid text buffer
- *
- * Ensures,
- *	if the result is success:
- *
- *	\li	The used space in target is updated.
- *
- * Returns:
- *\li	Success
- *\li	Any non-success status from dns_name_totext()
- *\li	Resource Limit: Not enough space
- */
-
-isc_result_t
-dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin, unsigned int flags,
-		    unsigned int width, unsigned int split_width,
-		    const char *linebreak, isc_buffer_t *target);
-/*%<
- * Like dns_rdata_totext, but do formatted output suitable for
- * database dumps.  This is intended for use by dns_db_dump();
- * library users are discouraged from calling it directly.
- *
- * If (flags & #DNS_STYLEFLAG_MULTILINE) != 0, attempt to stay
- * within 'width' by breaking the text into multiple lines.
- * The string 'linebreak' is inserted between lines, and parentheses
- * are added when necessary.  Because RRs contain unbreakable elements
- * such as domain names whose length is variable, unpredictable, and
- * potentially large, there is no guarantee that the lines will
- * not exceed 'width' anyway.
- *
- * If (flags & #DNS_STYLEFLAG_MULTILINE) == 0, the rdata is always
- * printed as a single line, and no parentheses are used.
- * The 'width' and 'linebreak' arguments are ignored.
- *
- * If (flags & #DNS_STYLEFLAG_COMMENT) != 0, output explanatory
- * comments next to things like the SOA timer fields.  Some
- * comments (e.g., the SOA ones) are only printed when multiline
- * output is selected.
- *
- * base64 rdata text (e.g., DNSKEY records) will be split into chunks
- * of 'split_width' characters.  If split_width == 0, the text will
- * not be split at all.  If split_width == UINT_MAX (0xffffffff), then
- * it is undefined and falls back to the default value of 'width'
- */
-
-isc_result_t
-dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
-		     dns_rdatatype_t type, void *source, isc_buffer_t *target);
-/*%<
- * Convert the C structure representation of an rdata into uncompressed wire
- * format in 'target'.
- *
- * XXX  Should we have a 'size' parameter as a sanity check on target?
- *
- * Requires:
- *
- *\li	'rdclass' and 'type' are valid.
- *
- *\li	'source' points to a valid C struct for the class and type.
- *
- *\li	'target' is a valid buffer.
- *
- *\li	All structure pointers to memory blocks should be NULL if their
- *	corresponding length values are zero.
- *
- * Ensures,
- *	if result is success:
- *	\li 	If 'rdata' is not NULL, it is attached to the target.
- *
- *	\li	The used space in 'target' is updated.
- *
- * Result:
- *\li	Success
- *\li	Various 'Bad Form' class failures depending on class and type
- *\li	Resource Limit: Not enough space
- */
-
-isc_result_t
-dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
-/*%<
- * Convert an rdata into its C structure representation.
- *
- * If 'mctx' is NULL then 'rdata' must persist while 'target' is being used.
- *
- * If 'mctx' is non NULL then memory will be allocated if required.
- *
- * Requires:
- *
- *\li	'rdata' is a valid, non-empty rdata.
- *
- *\li	'target' to point to a valid pointer for the type and class.
- *
- * Result:
- *\li	Success
- *\li	Resource Limit: Not enough memory
- */
-
-void
-dns_rdata_freestruct(void *source);
-/*%<
- * Free dynamic memory attached to 'source' (if any).
- *
- * Requires:
- *
- *\li	'source' to point to the structure previously filled in by
- *	dns_rdata_tostruct().
- */
-
-isc_boolean_t
-dns_rdatatype_ismeta(dns_rdatatype_t type);
-/*%<
- * Return true iff the rdata type 'type' is a meta-type
- * like ANY or AXFR.
- */
-
-isc_boolean_t
-dns_rdatatype_issingleton(dns_rdatatype_t type);
-/*%<
- * Return true iff the rdata type 'type' is a singleton type,
- * like CNAME or SOA.
- *
- * Requires:
- * \li	'type' is a valid rdata type.
- *
- */
-
-isc_boolean_t
-dns_rdataclass_ismeta(dns_rdataclass_t rdclass);
-/*%<
- * Return true iff the rdata class 'rdclass' is a meta-class
- * like ANY or NONE.
- */
-
-isc_boolean_t
-dns_rdatatype_isdnssec(dns_rdatatype_t type);
-/*%<
- * Return true iff 'type' is one of the DNSSEC
- * rdata types that may exist alongside a CNAME record.
- *
- * Requires:
- * \li	'type' is a valid rdata type.
- */
-
-isc_boolean_t
-dns_rdatatype_iszonecutauth(dns_rdatatype_t type);
-/*%<
- * Return true iff rdata of type 'type' is considered authoritative
- * data (not glue) in the NSEC chain when it occurs in the parent zone
- * at a zone cut.
- *
- * Requires:
- * \li	'type' is a valid rdata type.
- *
- */
-
-isc_boolean_t
-dns_rdatatype_isknown(dns_rdatatype_t type);
-/*%<
- * Return true iff the rdata type 'type' is known.
- *
- * Requires:
- * \li	'type' is a valid rdata type.
- *
- */
-
-
-isc_result_t
-dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
-			 void *arg);
-/*%<
- * Call 'add' for each name and type from 'rdata' which is subject to
- * additional section processing.
- *
- * Requires:
- *
- *\li	'rdata' is a valid, non-empty rdata.
- *
- *\li	'add' is a valid dns_additionalfunc_t.
- *
- * Ensures:
- *
- *\li	If successful, then add() will have been called for each name
- *	and type subject to additional section processing.
- *
- *\li	If add() returns something other than #ISC_R_SUCCESS, that result
- *	will be returned as the result of dns_rdata_additionaldata().
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Many other results are possible if not successful.
- */
-
-isc_result_t
-dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg);
-/*%<
- * Send 'rdata' in DNSSEC canonical form to 'digest'.
- *
- * Note:
- *\li	'digest' may be called more than once by dns_rdata_digest().  The
- *	concatenation of all the regions, in the order they were given
- *	to 'digest', will be the DNSSEC canonical form of 'rdata'.
- *
- * Requires:
- *
- *\li	'rdata' is a valid, non-empty rdata.
- *
- *\li	'digest' is a valid dns_digestfunc_t.
- *
- * Ensures:
- *
- *\li	If successful, then all of the rdata's data has been sent, in
- *	DNSSEC canonical form, to 'digest'.
- *
- *\li	If digest() returns something other than ISC_R_SUCCESS, that result
- *	will be returned as the result of dns_rdata_digest().
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Many other results are possible if not successful.
- */
-
-isc_boolean_t
-dns_rdatatype_questiononly(dns_rdatatype_t type);
-/*%<
- * Return true iff rdata of type 'type' can only appear in the question
- * section of a properly formatted message.
- *
- * Requires:
- * \li	'type' is a valid rdata type.
- *
- */
-
-isc_boolean_t
-dns_rdatatype_notquestion(dns_rdatatype_t type);
-/*%<
- * Return true iff rdata of type 'type' can not appear in the question
- * section of a properly formatted message.
- *
- * Requires:
- * \li	'type' is a valid rdata type.
- *
- */
-
-isc_boolean_t
-dns_rdatatype_atparent(dns_rdatatype_t type);
-/*%<
- * Return true iff rdata of type 'type' should appear at the parent of
- * a zone cut.
- *
- * Requires:
- * \li	'type' is a valid rdata type.
- *
- */
-
-unsigned int
-dns_rdatatype_attributes(dns_rdatatype_t rdtype);
-/*%<
- * Return attributes for the given type.
- *
- * Requires:
- *\li	'rdtype' are known.
- *
- * Returns:
- *\li	a bitmask consisting of the following flags.
- */
-
-/*% only one may exist for a name */
-#define DNS_RDATATYPEATTR_SINGLETON		0x00000001U
-/*% requires no other data be present */
-#define DNS_RDATATYPEATTR_EXCLUSIVE		0x00000002U
-/*% Is a meta type */
-#define DNS_RDATATYPEATTR_META			0x00000004U
-/*% Is a DNSSEC type, like RRSIG or NSEC */
-#define DNS_RDATATYPEATTR_DNSSEC		0x00000008U
-/*% Is a zone cut authority type */
-#define DNS_RDATATYPEATTR_ZONECUTAUTH		0x00000010U
-/*% Is reserved (unusable) */
-#define DNS_RDATATYPEATTR_RESERVED		0x00000020U
-/*% Is an unknown type */
-#define DNS_RDATATYPEATTR_UNKNOWN		0x00000040U
-/*% Is META, and can only be in a question section */
-#define DNS_RDATATYPEATTR_QUESTIONONLY		0x00000080U
-/*% is META, and can NOT be in a question section */
-#define DNS_RDATATYPEATTR_NOTQUESTION		0x00000100U
-/*% Is present at zone cuts in the parent, not the child */
-#define DNS_RDATATYPEATTR_ATPARENT		0x00000200U
-
-dns_rdatatype_t
-dns_rdata_covers(dns_rdata_t *rdata);
-/*%<
- * Return the rdatatype that this type covers.
- *
- * Requires:
- *\li	'rdata' is a valid, non-empty rdata.
- *
- *\li	'rdata' is a type that covers other rdata types.
- *
- * Returns:
- *\li	The type covered.
- */
-
-isc_boolean_t
-dns_rdata_checkowner(dns_name_t* name, dns_rdataclass_t rdclass,
-		     dns_rdatatype_t type, isc_boolean_t wildcard);
-/*
- * Returns whether this is a valid ownername for this <type,class>.
- * If wildcard is true allow the first label to be a wildcard if
- * appropriate.
- *
- * Requires:
- *	'name' is a valid name.
- */
-
-isc_boolean_t
-dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad);
-/*
- * Returns whether 'rdata' contains valid domain names.  The checks are
- * sensitive to the owner name.
- *
- * If 'bad' is non-NULL and a domain name fails the check the
- * the offending name will be return in 'bad' by cloning from
- * the 'rdata' contents.
- *
- * Requires:
- *	'rdata' to be valid.
- *	'owner' to be valid.
- *	'bad'	to be NULL or valid.
- */
-
-void
-dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type);
-
-void
-dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type);
-
-void
-dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type);
-
-void
-dns_rdata_makedelete(dns_rdata_t *rdata);
-
-const char *
-dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATA_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdataclass.h b/contrib/bind9/lib/dns/include/dns/rdataclass.h
deleted file mode 100644
index 786eb6a..0000000
--- a/contrib/bind9/lib/dns/include/dns/rdataclass.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdataclass.h,v 1.24 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_RDATACLASS_H
-#define DNS_RDATACLASS_H 1
-
-/*! \file dns/rdataclass.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source);
-/*%<
- * Convert the text 'source' refers to into a DNS class.
- *
- * Requires:
- *\li	'classp' is a valid pointer.
- *
- *\li	'source' is a valid text region.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#DNS_R_UNKNOWN			class is unknown
- */
-
-isc_result_t
-dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target);
-/*%<
- * Put a textual representation of class 'rdclass' into 'target'.
- *
- * Requires:
- *\li	'rdclass' is a valid class.
- *
- *\li	'target' is a valid text buffer.
- *
- * Ensures,
- *	if the result is success:
- *\li		The used space in 'target' is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#ISC_R_NOSPACE			target buffer is too small
- */
-
-void
-dns_rdataclass_format(dns_rdataclass_t rdclass,
-		      char *array, unsigned int size);
-/*%<
- * Format a human-readable representation of the class 'rdclass'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
-
-#define DNS_RDATACLASS_FORMATSIZE sizeof("CLASS65535")
-/*%<
- * Minimum size of array to pass to dns_rdataclass_format().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATACLASS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdatalist.h b/contrib/bind9/lib/dns/include/dns/rdatalist.h
deleted file mode 100644
index 57debc3..0000000
--- a/contrib/bind9/lib/dns/include/dns/rdatalist.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatalist.h,v 1.22 2008/04/03 06:09:05 tbox Exp $ */
-
-#ifndef DNS_RDATALIST_H
-#define DNS_RDATALIST_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/rdatalist.h
- * \brief
- * A DNS rdatalist is a list of rdata of a common type and class.
- *
- * MP:
- *\li	Clients of this module must impose any required synchronization.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	None.
- */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-/*%
- * Clients may use this type directly.
- */
-struct dns_rdatalist {
-	dns_rdataclass_t		rdclass;
-	dns_rdatatype_t			type;
-	dns_rdatatype_t			covers;
-	dns_ttl_t			ttl;
-	ISC_LIST(dns_rdata_t)		rdata;
-	ISC_LINK(dns_rdatalist_t)	link;
-};
-
-ISC_LANG_BEGINDECLS
-
-void
-dns_rdatalist_init(dns_rdatalist_t *rdatalist);
-/*%<
- * Initialize rdatalist.
- *
- * Ensures:
- *\li	All fields of rdatalist have been initialized to their default
- *	values.
- */
-
-isc_result_t
-dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
-			 dns_rdataset_t *rdataset);
-/*%<
- * Make 'rdataset' refer to the rdata in 'rdatalist'.
- *
- * Note:
- *\li	The caller must ensure that 'rdatalist' remains valid and unchanged
- *	while 'rdataset' is associated with it.
- *
- * Requires:
- *
- *\li	'rdatalist' is a valid rdatalist.
- *
- *\li	'rdataset' is a valid rdataset that is not currently associated with
- *	any rdata.
- *
- * Ensures,
- *	on success,
- *
- *\li		'rdataset' is associated with the rdata in rdatalist.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- */
-
-isc_result_t
-dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset,
-			   dns_rdatalist_t **rdatalist);
-/*%<
- * Point 'rdatalist' to the rdatalist in 'rdataset'.
- *
- * Requires:
- *
- *\li	'rdatalist' is a pointer to a NULL dns_rdatalist_t pointer.
- *
- *\li	'rdataset' is a valid rdataset associated with an rdatalist.
- *
- * Ensures,
- *	on success,
- *
- *\li		'rdatalist' is pointed to the rdatalist in rdataset.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATALIST_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdataset.h b/contrib/bind9/lib/dns/include/dns/rdataset.h
deleted file mode 100644
index 31bcd15..0000000
--- a/contrib/bind9/lib/dns/include/dns/rdataset.h
+++ /dev/null
@@ -1,682 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdataset.h,v 1.72 2011/06/08 22:13:51 each Exp $ */
-
-#ifndef DNS_RDATASET_H
-#define DNS_RDATASET_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/rdataset.h
- * \brief
- * A DNS rdataset is a handle that can be associated with a collection of
- * rdata all having a common owner name, class, and type.
- *
- * The dns_rdataset_t type is like a "virtual class".  To actually use
- * rdatasets, an implementation of the method suite (e.g. "slabbed rdata") is
- * required.
- *
- * XXX &lt;more&gt; XXX
- *
- * MP:
- *\li	Clients of this module must impose any required synchronization.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	None.
- */
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-#include <dns/rdatastruct.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef enum {
-	dns_rdatasetadditional_fromauth,
-	dns_rdatasetadditional_fromcache,
-	dns_rdatasetadditional_fromglue
-} dns_rdatasetadditional_t;
-
-typedef struct dns_rdatasetmethods {
-	void			(*disassociate)(dns_rdataset_t *rdataset);
-	isc_result_t		(*first)(dns_rdataset_t *rdataset);
-	isc_result_t		(*next)(dns_rdataset_t *rdataset);
-	void			(*current)(dns_rdataset_t *rdataset,
-					   dns_rdata_t *rdata);
-	void			(*clone)(dns_rdataset_t *source,
-					 dns_rdataset_t *target);
-	unsigned int		(*count)(dns_rdataset_t *rdataset);
-	isc_result_t		(*addnoqname)(dns_rdataset_t *rdataset,
-					      dns_name_t *name);
-	isc_result_t		(*getnoqname)(dns_rdataset_t *rdataset,
-					      dns_name_t *name,
-					      dns_rdataset_t *neg,
-					      dns_rdataset_t *negsig);
-	isc_result_t		(*addclosest)(dns_rdataset_t *rdataset,
-					      dns_name_t *name);
-	isc_result_t		(*getclosest)(dns_rdataset_t *rdataset,
-					      dns_name_t *name,
-					      dns_rdataset_t *neg,
-					      dns_rdataset_t *negsig);
-	isc_result_t		(*getadditional)(dns_rdataset_t *rdataset,
-						 dns_rdatasetadditional_t type,
-						 dns_rdatatype_t qtype,
-						 dns_acache_t *acache,
-						 dns_zone_t **zonep,
-						 dns_db_t **dbp,
-						 dns_dbversion_t **versionp,
-						 dns_dbnode_t **nodep,
-						 dns_name_t *fname,
-						 dns_message_t *msg,
-						 isc_stdtime_t now);
-	isc_result_t		(*setadditional)(dns_rdataset_t *rdataset,
-						 dns_rdatasetadditional_t type,
-						 dns_rdatatype_t qtype,
-						 dns_acache_t *acache,
-						 dns_zone_t *zone,
-						 dns_db_t *db,
-						 dns_dbversion_t *version,
-						 dns_dbnode_t *node,
-						 dns_name_t *fname);
-	isc_result_t		(*putadditional)(dns_acache_t *acache,
-						 dns_rdataset_t *rdataset,
-						 dns_rdatasetadditional_t type,
-						 dns_rdatatype_t qtype);
-	void			(*settrust)(dns_rdataset_t *rdataset,
-					    dns_trust_t trust);
-	void			(*expire)(dns_rdataset_t *rdataset);
-} dns_rdatasetmethods_t;
-
-#define DNS_RDATASET_MAGIC	       ISC_MAGIC('D','N','S','R')
-#define DNS_RDATASET_VALID(set)	       ISC_MAGIC_VALID(set, DNS_RDATASET_MAGIC)
-
-/*%
- * Direct use of this structure by clients is strongly discouraged, except
- * for the 'link' field which may be used however the client wishes.  The
- * 'private', 'current', and 'index' fields MUST NOT be changed by clients.
- * rdataset implementations may change any of the fields.
- */
-struct dns_rdataset {
-	unsigned int			magic;		/* XXX ? */
-	dns_rdatasetmethods_t *		methods;
-	ISC_LINK(dns_rdataset_t)	link;
-	/*
-	 * XXX do we need these, or should they be retrieved by methods?
-	 * Leaning towards the latter, since they are not frequently required
-	 * once you have the rdataset.
-	 */
-	dns_rdataclass_t		rdclass;
-	dns_rdatatype_t			type;
-	dns_ttl_t			ttl;
-	dns_trust_t			trust;
-	dns_rdatatype_t			covers;
-	/*
-	 * attributes
-	 */
-	unsigned int			attributes;
-	/*%
-	 * the counter provides the starting point in the "cyclic" order.
-	 * The value ISC_UINT32_MAX has a special meaning of "picking up a
-	 * random value." in order to take care of databases that do not
-	 * increment the counter.
-	 */
-	isc_uint32_t			count;
-	/*
-	 * This RRSIG RRset should be re-generated around this time.
-	 * Only valid if DNS_RDATASETATTR_RESIGN is set in attributes.
-	 */
-	isc_stdtime_t			resign;
-	/*@{*/
-	/*%
-	 * These are for use by the rdataset implementation, and MUST NOT
-	 * be changed by clients.
-	 */
-	void *				private1;
-	void *				private2;
-	void *				private3;
-	unsigned int			privateuint4;
-	void *				private5;
-	void *				private6;
-	void *				private7;
-	/*@}*/
-
-};
-
-/*!
- * \def DNS_RDATASETATTR_RENDERED
- *	Used by message.c to indicate that the rdataset was rendered.
- *
- * \def DNS_RDATASETATTR_TTLADJUSTED
- *	Used by message.c to indicate that the rdataset's rdata had differing
- *	TTL values, and the rdataset->ttl holds the smallest.
- *
- * \def DNS_RDATASETATTR_LOADORDER
- *	Output the RRset in load order.
- */
-
-#define DNS_RDATASETATTR_QUESTION	0x00000001
-#define DNS_RDATASETATTR_RENDERED	0x00000002	/*%< Used by message.c */
-#define DNS_RDATASETATTR_ANSWERED	0x00000004	/*%< Used by server. */
-#define DNS_RDATASETATTR_CACHE		0x00000008	/*%< Used by resolver. */
-#define DNS_RDATASETATTR_ANSWER		0x00000010	/*%< Used by resolver. */
-#define DNS_RDATASETATTR_ANSWERSIG	0x00000020	/*%< Used by resolver. */
-#define DNS_RDATASETATTR_EXTERNAL	0x00000040	/*%< Used by resolver. */
-#define DNS_RDATASETATTR_NCACHE		0x00000080	/*%< Used by resolver. */
-#define DNS_RDATASETATTR_CHAINING	0x00000100	/*%< Used by resolver. */
-#define DNS_RDATASETATTR_TTLADJUSTED	0x00000200	/*%< Used by message.c */
-#define DNS_RDATASETATTR_FIXEDORDER	0x00000400
-#define DNS_RDATASETATTR_RANDOMIZE	0x00000800
-#define DNS_RDATASETATTR_CHASE		0x00001000	/*%< Used by resolver. */
-#define DNS_RDATASETATTR_NXDOMAIN	0x00002000
-#define DNS_RDATASETATTR_NOQNAME	0x00004000
-#define DNS_RDATASETATTR_CHECKNAMES	0x00008000	/*%< Used by resolver. */
-#define DNS_RDATASETATTR_REQUIREDGLUE	0x00010000
-#define DNS_RDATASETATTR_LOADORDER	0x00020000
-#define DNS_RDATASETATTR_RESIGN		0x00040000
-#define DNS_RDATASETATTR_CLOSEST	0x00080000
-#define DNS_RDATASETATTR_OPTOUT		0x00100000	/*%< OPTOUT proof */
-#define DNS_RDATASETATTR_NEGATIVE	0x00200000
-
-/*%
- * _OMITDNSSEC:
- * 	Omit DNSSEC records when rendering ncache records.
- */
-#define DNS_RDATASETTOWIRE_OMITDNSSEC	0x0001
-
-void
-dns_rdataset_init(dns_rdataset_t *rdataset);
-/*%<
- * Make 'rdataset' a valid, disassociated rdataset.
- *
- * Requires:
- *\li	'rdataset' is not NULL.
- *
- * Ensures:
- *\li	'rdataset' is a valid, disassociated rdataset.
- */
-
-void
-dns_rdataset_invalidate(dns_rdataset_t *rdataset);
-/*%<
- * Invalidate 'rdataset'.
- *
- * Requires:
- *\li	'rdataset' is a valid, disassociated rdataset.
- *
- * Ensures:
- *\li	If assertion checking is enabled, future attempts to use 'rdataset'
- *	without initializing it will cause an assertion failure.
- */
-
-void
-dns_rdataset_disassociate(dns_rdataset_t *rdataset);
-/*%<
- * Disassociate 'rdataset' from its rdata, allowing it to be reused.
- *
- * Notes:
- *\li	The client must ensure it has no references to rdata in the rdataset
- *	before disassociating.
- *
- * Requires:
- *\li	'rdataset' is a valid, associated rdataset.
- *
- * Ensures:
- *\li	'rdataset' is a valid, disassociated rdataset.
- */
-
-isc_boolean_t
-dns_rdataset_isassociated(dns_rdataset_t *rdataset);
-/*%<
- * Is 'rdataset' associated?
- *
- * Requires:
- *\li	'rdataset' is a valid rdataset.
- *
- * Returns:
- *\li	#ISC_TRUE			'rdataset' is associated.
- *\li	#ISC_FALSE			'rdataset' is not associated.
- */
-
-void
-dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
-			  dns_rdatatype_t type);
-/*%<
- * Make 'rdataset' a valid, associated, question rdataset, with a
- * question class of 'rdclass' and type 'type'.
- *
- * Notes:
- *\li	Question rdatasets have a class and type, but no rdata.
- *
- * Requires:
- *\li	'rdataset' is a valid, disassociated rdataset.
- *
- * Ensures:
- *\li	'rdataset' is a valid, associated, question rdataset.
- */
-
-void
-dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
-/*%<
- * Make 'target' refer to the same rdataset as 'source'.
- *
- * Requires:
- *\li	'source' is a valid, associated rdataset.
- *
- *\li	'target' is a valid, dissociated rdataset.
- *
- * Ensures:
- *\li	'target' references the same rdataset as 'source'.
- */
-
-unsigned int
-dns_rdataset_count(dns_rdataset_t *rdataset);
-/*%<
- * Return the number of records in 'rdataset'.
- *
- * Requires:
- *\li	'rdataset' is a valid, associated rdataset.
- *
- * Returns:
- *\li	The number of records in 'rdataset'.
- */
-
-isc_result_t
-dns_rdataset_first(dns_rdataset_t *rdataset);
-/*%<
- * Move the rdata cursor to the first rdata in the rdataset (if any).
- *
- * Requires:
- *\li	'rdataset' is a valid, associated rdataset.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			There are no rdata in the set.
- */
-
-isc_result_t
-dns_rdataset_next(dns_rdataset_t *rdataset);
-/*%<
- * Move the rdata cursor to the next rdata in the rdataset (if any).
- *
- * Requires:
- *\li	'rdataset' is a valid, associated rdataset.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			There are no more rdata in the set.
- */
-
-void
-dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
-/*%<
- * Make 'rdata' refer to the current rdata.
- *
- * Notes:
- *
- *\li	The data returned in 'rdata' is valid for the life of the
- *	rdataset; in particular, subsequent changes in the cursor position
- *	do not invalidate 'rdata'.
- *
- * Requires:
- *\li	'rdataset' is a valid, associated rdataset.
- *
- *\li	The rdata cursor of 'rdataset' is at a valid location (i.e. the
- *	result of last call to a cursor movement command was ISC_R_SUCCESS).
- *
- * Ensures:
- *\li	'rdata' refers to the rdata at the rdata cursor location of
- *\li	'rdataset'.
- */
-
-isc_result_t
-dns_rdataset_totext(dns_rdataset_t *rdataset,
-		    dns_name_t *owner_name,
-		    isc_boolean_t omit_final_dot,
-		    isc_boolean_t question,
-		    isc_buffer_t *target);
-/*%<
- * Convert 'rdataset' to text format, storing the result in 'target'.
- *
- * Notes:
- *\li	The rdata cursor position will be changed.
- *
- *\li	The 'question' flag should normally be #ISC_FALSE.  If it is
- *	#ISC_TRUE, the TTL and rdata fields are not printed.  This is
- *	for use when printing an rdata representing a question section.
- *
- *\li	This interface is deprecated; use dns_master_rdatasettottext()
- * 	and/or dns_master_questiontotext() instead.
- *
- * Requires:
- *\li	'rdataset' is a valid rdataset.
- *
- *\li	'rdataset' is not empty.
- */
-
-isc_result_t
-dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    dns_name_t *owner_name,
-		    dns_compress_t *cctx,
-		    isc_buffer_t *target,
-		    unsigned int options,
-		    unsigned int *countp);
-/*%<
- * Convert 'rdataset' to wire format, compressing names as specified
- * in 'cctx', and storing the result in 'target'.
- *
- * Notes:
- *\li	The rdata cursor position will be changed.
- *
- *\li	The number of RRs added to target will be added to *countp.
- *
- * Requires:
- *\li	'rdataset' is a valid rdataset.
- *
- *\li	'rdataset' is not empty.
- *
- *\li	'countp' is a valid pointer.
- *
- * Ensures:
- *\li	On a return of ISC_R_SUCCESS, 'target' contains a wire format
- *	for the data contained in 'rdataset'.  Any error return leaves
- *	the buffer unchanged.
- *
- *\li	*countp has been incremented by the number of RRs added to
- *	target.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		- all ok
- *\li	#ISC_R_NOSPACE		- 'target' doesn't have enough room
- *
- *\li	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
- *	dns_name_towire().
- */
-
-isc_result_t
-dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  const dns_name_t *owner_name,
-			  dns_compress_t *cctx,
-			  isc_buffer_t *target,
-			  dns_rdatasetorderfunc_t order,
-			  const void *order_arg,
-			  unsigned int options,
-			  unsigned int *countp);
-/*%<
- * Like dns_rdataset_towire(), but sorting the rdatasets according to
- * the integer value returned by 'order' when called with the rdataset
- * and 'order_arg' as arguments.
- *
- * Requires:
- *\li	All the requirements of dns_rdataset_towire(), and
- *	that order_arg is NULL if and only if order is NULL.
- */
-
-isc_result_t
-dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   const dns_name_t *owner_name,
-			   dns_compress_t *cctx,
-			   isc_buffer_t *target,
-			   dns_rdatasetorderfunc_t order,
-			   const void *order_arg,
-			   unsigned int options,
-			   unsigned int *countp,
-			   void **state);
-/*%<
- * Like dns_rdataset_towiresorted() except that a partial rdataset
- * may be written.
- *
- * Requires:
- *\li	All the requirements of dns_rdataset_towiresorted().
- *	If 'state' is non NULL then the current position in the
- *	rdataset will be remembered if the rdataset in not
- *	completely written and should be passed on on subsequent
- *	calls (NOT CURRENTLY IMPLEMENTED).
- *
- * Returns:
- *\li	#ISC_R_SUCCESS if all of the records were written.
- *\li	#ISC_R_NOSPACE if unable to fit in all of the records. *countp
- *		      will be updated to reflect the number of records
- *		      written.
- */
-
-isc_result_t
-dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
-			    dns_additionaldatafunc_t add, void *arg);
-/*%<
- * For each rdata in rdataset, call 'add' for each name and type in the
- * rdata which is subject to additional section processing.
- *
- * Requires:
- *
- *\li	'rdataset' is a valid, non-question rdataset.
- *
- *\li	'add' is a valid dns_additionaldatafunc_t
- *
- * Ensures:
- *
- *\li	If successful, dns_rdata_additionaldata() will have been called for
- *	each rdata in 'rdataset'.
- *
- *\li	If a call to dns_rdata_additionaldata() is not successful, the
- *	result returned will be the result of dns_rdataset_additionaldata().
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *
- *\li	Any error that dns_rdata_additionaldata() can return.
- */
-
-isc_result_t
-dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
-			dns_rdataset_t *neg, dns_rdataset_t *negsig);
-/*%<
- * Return the noqname proof for this record.
- *
- * Requires:
- *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
- *\li	'name' to be valid.
- *\li	'neg' and 'negsig' to be valid and not associated.
- */
-
-isc_result_t
-dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
-/*%<
- * Associate a noqname proof with this record.
- * Sets #DNS_RDATASETATTR_NOQNAME if successful.
- * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
- * the 'nsec'/'nsec3' and 'rrsig(nsec)'/'rrsig(nsec3)' ttl.
- *
- * Requires:
- *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
- *\li	'name' to be valid and have NSEC or NSEC3 and associated RRSIG
- *	 rdatasets.
- */
-
-isc_result_t
-dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
-			dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
-/*%<
- * Return the closest encloser for this record.
- *
- * Requires:
- *\li	'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
- *\li	'name' to be valid.
- *\li	'nsec' and 'nsecsig' to be valid and not associated.
- */
-
-isc_result_t
-dns_rdataset_addclosest(dns_rdataset_t *rdataset, dns_name_t *name);
-/*%<
- * Associate a closest encloset proof with this record.
- * Sets #DNS_RDATASETATTR_CLOSEST if successful.
- * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
- * the 'nsec' and 'rrsig(nsec)' ttl.
- *
- * Requires:
- *\li	'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
- *\li	'name' to be valid and have NSEC3 and RRSIG(NSEC3) rdatasets.
- */
-
-isc_result_t
-dns_rdataset_getadditional(dns_rdataset_t *rdataset,
-			   dns_rdatasetadditional_t type,
-			   dns_rdatatype_t qtype,
-			   dns_acache_t *acache,
-			   dns_zone_t **zonep,
-			   dns_db_t **dbp,
-			   dns_dbversion_t **versionp,
-			   dns_dbnode_t **nodep,
-			   dns_name_t *fname,
-			   dns_message_t *msg,
-			   isc_stdtime_t now);
-/*%<
- * Get cached additional information from the DB node for a particular
- * 'rdataset.'  'type' is one of dns_rdatasetadditional_fromauth,
- * dns_rdatasetadditional_fromcache, and dns_rdatasetadditional_fromglue,
- * which specifies the origin of the information.  'qtype' is intended to
- * be used for specifying a particular rdata type in the cached information.
- *
- * Requires:
- * \li	'rdataset' is a valid rdataset.
- * \li	'acache' can be NULL, in which case this function will simply return
- * 	ISC_R_FAILURE.
- * \li	For the other pointers, see dns_acache_getentry().
- *
- * Ensures:
- * \li	See dns_acache_getentry().
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_FAILURE	- additional information caching is not supported.
- * \li	#ISC_R_NOTFOUND	- the corresponding DB node has not cached additional
- *			  information for 'rdataset.'
- * \li	Any error that dns_acache_getentry() can return.
- */
-
-isc_result_t
-dns_rdataset_setadditional(dns_rdataset_t *rdataset,
-			   dns_rdatasetadditional_t type,
-			   dns_rdatatype_t qtype,
-			   dns_acache_t *acache,
-			   dns_zone_t *zone,
-			   dns_db_t *db,
-			   dns_dbversion_t *version,
-			   dns_dbnode_t *node,
-			   dns_name_t *fname);
-/*%<
- * Set cached additional information to the DB node for a particular
- * 'rdataset.'  See dns_rdataset_getadditional for the semantics of 'type'
- * and 'qtype'.
- *
- * Requires:
- * \li	'rdataset' is a valid rdataset.
- * \li	'acache' can be NULL, in which case this function will simply return
- *	ISC_R_FAILURE.
- * \li	For the other pointers, see dns_acache_setentry().
- *
- * Ensures:
- * \li	See dns_acache_setentry().
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_FAILURE	- additional information caching is not supported.
- * \li	#ISC_R_NOMEMORY
- * \li	Any error that dns_acache_setentry() can return.
- */
-
-isc_result_t
-dns_rdataset_putadditional(dns_acache_t *acache,
-			   dns_rdataset_t *rdataset,
-			   dns_rdatasetadditional_t type,
-			   dns_rdatatype_t qtype);
-/*%<
- * Discard cached additional information stored in the DB node for a particular
- * 'rdataset.'  See dns_rdataset_getadditional for the semantics of 'type'
- * and 'qtype'.
- *
- * Requires:
- * \li	'rdataset' is a valid rdataset.
- * \li	'acache' can be NULL, in which case this function will simply return
- *	ISC_R_FAILURE.
- *
- * Ensures:
- * \li	See dns_acache_cancelentry().
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_FAILURE	- additional information caching is not supported.
- * \li	#ISC_R_NOTFOUND	- the corresponding DB node has not cached additional
- *			  information for 'rdataset.'
- */
-
-void
-dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
-/*%<
- * Set the trust of the 'rdataset' to trust in any in the backing database.
- * The local trust level of 'rdataset' is also set.
- */
-
-void
-dns_rdataset_expire(dns_rdataset_t *rdataset);
-/*%<
- * Mark the rdataset to be expired in the backing database.
- */
-
-void
-dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		     dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
-		     isc_boolean_t acceptexpired);
-/*%<
- * Trim the ttl of 'rdataset' and 'sigrdataset' so that they will expire
- * at or before 'rrsig->expiretime'.  If 'acceptexpired' is true and the
- * signature has expired or will expire in the next 120 seconds, limit
- * the ttl to be no more than 120 seconds.
- *
- * The ttl is further limited by the original ttl as stored in 'rrsig'
- * and the original ttl values of 'rdataset' and 'sigrdataset'.
- *
- * Requires:
- * \li	'rdataset' is a valid rdataset.
- * \li	'sigrdataset' is a valid rdataset.
- * \li	'rrsig' is non NULL.
- */
-
-const char *
-dns_trust_totext(dns_trust_t trust);
-/*
- * Display trust in textual form.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATASET_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdatasetiter.h b/contrib/bind9/lib/dns/include/dns/rdatasetiter.h
deleted file mode 100644
index dcde367..0000000
--- a/contrib/bind9/lib/dns/include/dns/rdatasetiter.h
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatasetiter.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_RDATASETITER_H
-#define DNS_RDATASETITER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/rdatasetiter.h
- * \brief
- * The DNS Rdataset Iterator interface allows iteration of all of the
- * rdatasets at a node.
- *
- * The dns_rdatasetiter_t type is like a "virtual class".  To actually use
- * it, an implementation of the class is required.  This implementation is
- * supplied by the database.
- *
- * It is the client's responsibility to call dns_rdataset_disassociate()
- * on all rdatasets returned.
- *
- * XXX more XXX
- *
- * MP:
- *\li	The iterator itself is not locked.  The caller must ensure
- *	synchronization.
- *
- *\li	The iterator methods ensure appropriate database locking.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types
- *****/
-
-typedef struct dns_rdatasetitermethods {
-	void		(*destroy)(dns_rdatasetiter_t **iteratorp);
-	isc_result_t	(*first)(dns_rdatasetiter_t *iterator);
-	isc_result_t	(*next)(dns_rdatasetiter_t *iterator);
-	void		(*current)(dns_rdatasetiter_t *iterator,
-				   dns_rdataset_t *rdataset);
-} dns_rdatasetitermethods_t;
-
-#define DNS_RDATASETITER_MAGIC	     ISC_MAGIC('D','N','S','i')
-#define DNS_RDATASETITER_VALID(i)    ISC_MAGIC_VALID(i, DNS_RDATASETITER_MAGIC)
-
-/*%
- * This structure is actually just the common prefix of a DNS db
- * implementation's version of a dns_rdatasetiter_t.
- * \brief
- * Direct use of this structure by clients is forbidden.  DB implementations
- * may change the structure.  'magic' must be #DNS_RDATASETITER_MAGIC for
- * any of the dns_rdatasetiter routines to work.  DB implementations must
- * maintain all DB rdataset iterator invariants.
- */
-struct dns_rdatasetiter {
-	/* Unlocked. */
-	unsigned int			magic;
-	dns_rdatasetitermethods_t *	methods;
-	dns_db_t *			db;
-	dns_dbnode_t *			node;
-	dns_dbversion_t *		version;
-	isc_stdtime_t			now;
-};
-
-void
-dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
-/*%<
- * Destroy '*iteratorp'.
- *
- * Requires:
- *
- *\li	'*iteratorp' is a valid iterator.
- *
- * Ensures:
- *
- *\li	All resources used by the iterator are freed.
- *
- *\li	*iteratorp == NULL.
- */
-
-isc_result_t
-dns_rdatasetiter_first(dns_rdatasetiter_t *iterator);
-/*%<
- * Move the rdataset cursor to the first rdataset at the node (if any).
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOMORE			There are no rdatasets at the node.
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_rdatasetiter_next(dns_rdatasetiter_t *iterator);
-/*%<
- * Move the rdataset cursor to the next rdataset at the node (if any).
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOMORE			There are no more rdatasets at the
- *					node.
- *
- *\li	Other results are possible, depending on the DB implementation.
- */
-
-void
-dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
-			 dns_rdataset_t *rdataset);
-/*%<
- * Return the current rdataset.
- *
- * Requires:
- *\li	'iterator' is a valid iterator.
- *
- *\li	'rdataset' is a valid, disassociated rdataset.
- *
- *\li	The rdataset cursor of 'iterator' is at a valid location (i.e. the
- *	result of last call to a cursor movement command was #ISC_R_SUCCESS).
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATASETITER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdataslab.h b/contrib/bind9/lib/dns/include/dns/rdataslab.h
deleted file mode 100644
index 3ac44b8..0000000
--- a/contrib/bind9/lib/dns/include/dns/rdataslab.h
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdataslab.h,v 1.33 2008/04/01 23:47:10 tbox Exp $ */
-
-#ifndef DNS_RDATASLAB_H
-#define DNS_RDATASLAB_H 1
-
-/*! \file dns/rdataslab.h
- * \brief
- * Implements storage of rdatasets into slabs of memory.
- *
- * MP:
- *\li	Clients of this module must impose any required synchronization.
- *
- * Reliability:
- *\li	This module deals with low-level byte streams.  Errors in any of
- *	the functions are likely to crash the server or corrupt memory.
- *
- *\li	If the caller passes invalid memory references, these functions are
- *	likely to crash the server or corrupt memory.
- *
- * Resources:
- *\li	None.
- *
- * Security:
- *\li	None.
- *
- * Standards:
- *\li	None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_RDATASLAB_FORCE 0x1
-#define DNS_RDATASLAB_EXACT 0x2
-
-#define DNS_RDATASLAB_OFFLINE 0x01 	/* RRSIG is for offline DNSKEY */
-#define DNS_RDATASLAB_WARNMASK 0x0E	/*%< RRSIG(DNSKEY) expired
-					 * warnings number mask. */
-#define DNS_RDATASLAB_WARNSHIFT 1	/*%< How many bits to shift to find
-					 * remaining expired warning number. */
-
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
-			   isc_region_t *region, unsigned int reservelen);
-/*%<
- * Slabify a rdataset.  The slab area will be allocated and returned
- * in 'region'.
- *
- * Requires:
- *\li	'rdataset' is valid.
- *
- * Ensures:
- *\li	'region' will have base pointing to the start of allocated memory,
- *	with the slabified region beginning at region->base + reservelen.
- *	region->length contains the total length allocated.
- *
- * Returns:
- *\li	ISC_R_SUCCESS		- successful completion
- *\li	ISC_R_NOMEMORY		- no memory.
- *\li	XXX others
- */
-
-void
-dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
-			 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
-			 dns_rdatatype_t covers, dns_ttl_t ttl,
-			 dns_rdataset_t *rdataset);
-/*%<
- * Construct an rdataset from a slab.
- *
- * Requires:
- *\li	'slab' points to a slab.
- *\li	'rdataset' is disassociated.
- *
- * Ensures:
- *\li	'rdataset' is associated and points to a valid rdataest.
- */
-unsigned int
-dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
-/*%<
- * Return the total size of an rdataslab.
- *
- * Requires:
- *\li	'slab' points to a slab.
- *
- * Returns:
- *\li	The number of bytes in the slab, including the reservelen.
- */
-
-isc_result_t
-dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
-		    unsigned int reservelen, isc_mem_t *mctx,
-		    dns_rdataclass_t rdclass, dns_rdatatype_t type,
-		    unsigned int flags, unsigned char **tslabp);
-/*%<
- * Merge 'oslab' and 'nslab'.
- */
-
-isc_result_t
-dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
-		       unsigned int reservelen, isc_mem_t *mctx,
-		       dns_rdataclass_t rdclass, dns_rdatatype_t type,
-		       unsigned int flags, unsigned char **tslabp);
-/*%<
- * Subtract 'sslab' from 'mslab'.  If 'exact' is true then all elements
- * of 'sslab' must exist in 'mslab'.
- *
- * XXX
- * valid flags are DNS_RDATASLAB_EXACT
- */
-
-isc_boolean_t
-dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
-		    unsigned int reservelen);
-/*%<
- * Compare two rdataslabs for equality.  This does _not_ do a full
- * DNSSEC comparison.
- *
- * Requires:
- *\li	'slab1' and 'slab2' point to slabs.
- *
- * Returns:
- *\li	ISC_TRUE if the slabs are equal, ISC_FALSE otherwise.
- */
-isc_boolean_t
-dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
-		     unsigned int reservelen, dns_rdataclass_t rdclass,
-		     dns_rdatatype_t type);
-/*%<
- * Compare two rdataslabs for DNSSEC equality.
- *
- * Requires:
- *\li	'slab1' and 'slab2' point to slabs.
- *
- * Returns:
- *\li	ISC_TRUE if the slabs are equal, #ISC_FALSE otherwise.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATASLAB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdatatype.h b/contrib/bind9/lib/dns/include/dns/rdatatype.h
deleted file mode 100644
index ba9a92c..0000000
--- a/contrib/bind9/lib/dns/include/dns/rdatatype.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatatype.h,v 1.26 2008/09/25 04:02:39 tbox Exp $ */
-
-#ifndef DNS_RDATATYPE_H
-#define DNS_RDATATYPE_H 1
-
-/*! \file dns/rdatatype.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source);
-/*%<
- * Convert the text 'source' refers to into a DNS rdata type.
- *
- * Requires:
- *\li	'typep' is a valid pointer.
- *
- *\li	'source' is a valid text region.
- *
- * Returns:
- *\li	ISC_R_SUCCESS			on success
- *\li	DNS_R_UNKNOWN			type is unknown
- */
-
-isc_result_t
-dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target);
-/*%<
- * Put a textual representation of type 'type' into 'target'.
- *
- * Requires:
- *\li	'type' is a valid type.
- *
- *\li	'target' is a valid text buffer.
- *
- * Ensures,
- *	if the result is success:
- *\li		The used space in 'target' is updated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS			on success
- *\li	#ISC_R_NOSPACE			target buffer is too small
- */
-
-void
-dns_rdatatype_format(dns_rdatatype_t rdtype,
-		     char *array, unsigned int size);
-/*%<
- * Format a human-readable representation of the type 'rdtype'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
-
-#define DNS_RDATATYPE_FORMATSIZE sizeof("NSEC3PARAM")
-
-/*%<
- * Minimum size of array to pass to dns_rdatatype_format().
- * May need to be adjusted if a new RR type with a very long
- * name is defined.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATATYPE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/request.h b/contrib/bind9/lib/dns/include/dns/request.h
deleted file mode 100644
index 8c792dd..0000000
--- a/contrib/bind9/lib/dns/include/dns/request.h
+++ /dev/null
@@ -1,381 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: request.h,v 1.31 2010/03/04 23:50:34 tbox Exp $ */
-
-#ifndef DNS_REQUEST_H
-#define DNS_REQUEST_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/request.h
- *
- * \brief
- * The request module provides simple request/response services useful for
- * sending SOA queries, DNS Notify messages, and dynamic update requests.
- *
- * MP:
- *\li	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- */
-
-#include <isc/lang.h>
-#include <isc/event.h>
-
-#include <dns/types.h>
-
-#define DNS_REQUESTOPT_TCP 0x00000001U
-#define DNS_REQUESTOPT_CASE 0x00000002U
-
-typedef struct dns_requestevent {
-	ISC_EVENT_COMMON(struct dns_requestevent);
-	isc_result_t result;
-	dns_request_t *request;
-} dns_requestevent_t;
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_requestmgr_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
-		      isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
-		      dns_dispatchmgr_t *dispatchmgr,
-		      dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
-		      dns_requestmgr_t **requestmgrp);
-/*%<
- * Create a request manager.
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	'timermgr' is a valid timer manager.
- *
- *\li	'socketmgr' is a valid socket manager.
- *
- *\li	'taskmgr' is a valid task manager.
- *
- *\li	'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
- *
- *\li	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
- *
- *\li	requestmgrp != NULL && *requestmgrp == NULL
- *
- * Ensures:
- *
- *\li	On success, *requestmgrp is a valid request manager.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Any other result indicates failure.
- */
-
-void
-dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
-			    isc_event_t **eventp);
-/*%<
- * Send '*eventp' to 'task' when 'requestmgr' has completed shutdown.
- *
- * Notes:
- *
- *\li	It is not safe to detach the last reference to 'requestmgr' until
- *	shutdown is complete.
- *
- * Requires:
- *
- *\li	'requestmgr' is a valid request manager.
- *
- *\li	'task' is a valid task.
- *
- *\li	*eventp is a valid event.
- *
- * Ensures:
- *
- *\li	*eventp == NULL.
- */
-
-void
-dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr);
-/*%<
- * Start the shutdown process for 'requestmgr'.
- *
- * Notes:
- *
- *\li	This call has no effect if the request manager is already shutting
- *	down.
- *
- * Requires:
- *
- *\li	'requestmgr' is a valid requestmgr.
- */
-
-void
-dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp);
-/*%<
- *	Attach to the request manager.  dns_requestmgr_shutdown() must not
- *	have been called on 'source' prior to calling dns_requestmgr_attach().
- *
- * Requires:
- *
- *\li	'source' is a valid requestmgr.
- *
- *\li	'targetp' to be non NULL and '*targetp' to be NULL.
- */
-
-void
-dns_requestmgr_detach(dns_requestmgr_t **requestmgrp);
-/*%<
- *	Detach from the given requestmgr.  If this is the final detach
- *	requestmgr will be destroyed.  dns_requestmgr_shutdown() must
- *	be called before the final detach.
- *
- * Requires:
- *
- *\li	'*requestmgrp' is a valid requestmgr.
- *
- * Ensures:
- *\li	'*requestmgrp' is NULL.
- */
-
-isc_result_t
-dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
-		   isc_sockaddr_t *address, unsigned int options,
-		   dns_tsigkey_t *key,
-		   unsigned int timeout, isc_task_t *task,
-		   isc_taskaction_t action, void *arg,
-		   dns_request_t **requestp);
-/*%<
- * Create and send a request.
- *
- * Notes:
- *
- *\li	'message' will be rendered and sent to 'address'.  If the
- *	#DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
- *	will timeout after 'timeout' seconds.
- *
- *\li	If the #DNS_REQUESTOPT_CASE option is set, use case sensitive
- *	compression.
- *
- *\li	When the request completes, successfully, due to a timeout, or
- *	because it was canceled, a completion event will be sent to 'task'.
- *
- * Requires:
- *
- *\li	'message' is a valid DNS message.
- *
- *\li	'address' is a valid sockaddr.
- *
- *\li	'timeout' > 0
- *
- *\li	'task' is a valid task.
- *
- *\li	requestp != NULL && *requestp == NULL
- */
-
-/*% See dns_request_createvia3() */
-isc_result_t
-dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
-		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		      unsigned int options, dns_tsigkey_t *key,
-		      unsigned int timeout, isc_task_t *task,
-		      isc_taskaction_t action, void *arg,
-		      dns_request_t **requestp);
-
-/*% See dns_request_createvia3() */
-isc_result_t
-dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
-		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		       unsigned int options, dns_tsigkey_t *key,
-		       unsigned int timeout, unsigned int udptimeout,
-		       isc_task_t *task, isc_taskaction_t action, void *arg,
-		       dns_request_t **requestp);
-
-isc_result_t
-dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
-		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		       unsigned int options, dns_tsigkey_t *key,
-		       unsigned int timeout, unsigned int udptimeout,
-		       unsigned int udpretries, isc_task_t *task,
-		       isc_taskaction_t action, void *arg,
-		       dns_request_t **requestp);
-/*%<
- * Create and send a request.
- *
- * Notes:
- *
- *\li	'message' will be rendered and sent to 'address'.  If the
- *	#DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
- *	will timeout after 'timeout' seconds.  UDP requests will be resent
- *	at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero.
- *
- *\li	If the #DNS_REQUESTOPT_CASE option is set, use case sensitive
- *	compression.
- *
- *\li	When the request completes, successfully, due to a timeout, or
- *	because it was canceled, a completion event will be sent to 'task'.
- *
- * Requires:
- *
- *\li	'message' is a valid DNS message.
- *
- *\li	'dstaddr' is a valid sockaddr.
- *
- *\li	'srcaddr' is a valid sockaddr or NULL.
- *
- *\li	'srcaddr' and 'dstaddr' are the same protocol family.
- *
- *\li	'timeout' > 0
- *
- *\li	'task' is a valid task.
- *
- *\li	requestp != NULL && *requestp == NULL
- */
-
-/*% See dns_request_createraw3() */
-isc_result_t
-dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
-		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		      unsigned int options, unsigned int timeout,
-		      isc_task_t *task, isc_taskaction_t action, void *arg,
-		      dns_request_t **requestp);
-
-/*% See dns_request_createraw3() */
-isc_result_t
-dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
-		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		       unsigned int options, unsigned int timeout,
-		       unsigned int udptimeout, isc_task_t *task,
-		       isc_taskaction_t action, void *arg,
-		       dns_request_t **requestp);
-
-isc_result_t
-dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
-		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		       unsigned int options, unsigned int timeout,
-		       unsigned int udptimeout, unsigned int udpretries,
-		       isc_task_t *task, isc_taskaction_t action, void *arg,
-		       dns_request_t **requestp);
-/*!<
- * \brief Create and send a request.
- *
- * Notes:
- *
- *\li	'msgbuf' will be sent to 'destaddr' after setting the id.  If the
- *	#DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
- *	will timeout after 'timeout' seconds.   UDP requests will be resent
- *	at 'udptimeout' intervals if non-zero or if 'udpretries' is not zero.
- *
- *\li	When the request completes, successfully, due to a timeout, or
- *	because it was canceled, a completion event will be sent to 'task'.
- *
- * Requires:
- *
- *\li	'msgbuf' is a valid DNS message in compressed wire format.
- *
- *\li	'destaddr' is a valid sockaddr.
- *
- *\li	'srcaddr' is a valid sockaddr or NULL.
- *
- *\li	'srcaddr' and 'dstaddr' are the same protocol family.
- *
- *\li	'timeout' > 0
- *
- *\li	'task' is a valid task.
- *
- *\li	requestp != NULL && *requestp == NULL
- */
-
-void
-dns_request_cancel(dns_request_t *request);
-/*%<
- * Cancel 'request'.
- *
- * Requires:
- *
- *\li	'request' is a valid request.
- *
- * Ensures:
- *
- *\li	If the completion event for 'request' has not yet been sent, it
- *	will be sent, and the result code will be ISC_R_CANCELED.
- */
-
-isc_result_t
-dns_request_getresponse(dns_request_t *request, dns_message_t *message,
-			unsigned int options);
-/*%<
- * Get the response to 'request' by filling in 'message'.
- *
- * 'options' is passed to dns_message_parse().  See dns_message_parse()
- * for more details.
- *
- * Requires:
- *
- *\li	'request' is a valid request for which the caller has received the
- *	completion event.
- *
- *\li	The result code of the completion event was #ISC_R_SUCCESS.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Any result that dns_message_parse() can return.
- */
-
-isc_boolean_t
-dns_request_usedtcp(dns_request_t *request);
-/*%<
- * Return whether this query used TCP or not.  Setting #DNS_REQUESTOPT_TCP
- * in the call to dns_request_create() will cause the function to return
- * #ISC_TRUE, otherwise the result is based on the query message size.
- *
- * Requires:
- *\li	'request' is a valid request.
- *
- * Returns:
- *\li	ISC_TRUE	if TCP was used.
- *\li	ISC_FALSE	if UDP was used.
- */
-
-void
-dns_request_destroy(dns_request_t **requestp);
-/*%<
- * Destroy 'request'.
- *
- * Requires:
- *
- *\li	'request' is a valid request for which the caller has received the
- *	completion event.
- *
- * Ensures:
- *
- *\li	*requestp == NULL
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_REQUEST_H */
diff --git a/contrib/bind9/lib/dns/include/dns/resolver.h b/contrib/bind9/lib/dns/include/dns/resolver.h
deleted file mode 100644
index 095269e..0000000
--- a/contrib/bind9/lib/dns/include/dns/resolver.h
+++ /dev/null
@@ -1,580 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resolver.h,v 1.72 2011/12/05 17:10:51 each Exp $ */
-
-#ifndef DNS_RESOLVER_H
-#define DNS_RESOLVER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/resolver.h
- *
- * \brief
- * This is the BIND 9 resolver, the module responsible for resolving DNS
- * requests by iteratively querying authoritative servers and following
- * referrals.  This is a "full resolver", not to be confused with
- * the stub resolvers most people associate with the word "resolver".
- * The full resolver is part of the caching name server or resolver
- * daemon the stub resolver talks to.
- *
- * MP:
- *\li	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	RFCs:	1034, 1035, 2181, TBS
- *\li	Drafts:	TBS
- */
-
-#include <isc/lang.h>
-#include <isc/socket.h>
-
-#include <dns/types.h>
-#include <dns/fixedname.h>
-
-ISC_LANG_BEGINDECLS
-
-/*%
- * A dns_fetchevent_t is sent when a 'fetch' completes.  Any of 'db',
- * 'node', 'rdataset', and 'sigrdataset' may be bound.  It is the
- * receiver's responsibility to detach before freeing the event.
- * \brief
- * 'rdataset', 'sigrdataset', 'client' and 'id' are the values that were
- * supplied when dns_resolver_createfetch() was called.  They are returned
- *  to the caller so that they may be freed.
- */
-typedef struct dns_fetchevent {
-	ISC_EVENT_COMMON(struct dns_fetchevent);
-	dns_fetch_t *			fetch;
-	isc_result_t			result;
-	dns_rdatatype_t			qtype;
-	dns_db_t *			db;
-	dns_dbnode_t *			node;
-	dns_rdataset_t *		rdataset;
-	dns_rdataset_t *		sigrdataset;
-	dns_fixedname_t			foundname;
-	isc_sockaddr_t *		client;
-	dns_messageid_t			id;
-	isc_result_t			vresult;
-} dns_fetchevent_t;
-
-/*
- * Options that modify how a 'fetch' is done.
- */
-#define DNS_FETCHOPT_TCP		0x01	     /*%< Use TCP. */
-#define DNS_FETCHOPT_UNSHARED		0x02	     /*%< See below. */
-#define DNS_FETCHOPT_RECURSIVE		0x04	     /*%< Set RD? */
-#define DNS_FETCHOPT_NOEDNS0		0x08	     /*%< Do not use EDNS. */
-#define DNS_FETCHOPT_FORWARDONLY	0x10	     /*%< Only use forwarders. */
-#define DNS_FETCHOPT_NOVALIDATE		0x20	     /*%< Disable validation. */
-#define DNS_FETCHOPT_EDNS512		0x40	     /*%< Advertise a 512 byte
-							  UDP buffer. */
-#define DNS_FETCHOPT_WANTNSID           0x80         /*%< Request NSID */
-
-#define	DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
-#define	DNS_FETCHOPT_EDNSVERSIONMASK	0xff000000
-#define	DNS_FETCHOPT_EDNSVERSIONSHIFT	24
-
-/*
- * Upper bounds of class of query RTT (ms).  Corresponds to
- * dns_resstatscounter_queryrttX statistics counters.
- */
-#define DNS_RESOLVER_QRYRTTCLASS0	10
-#define DNS_RESOLVER_QRYRTTCLASS0STR	"10"
-#define DNS_RESOLVER_QRYRTTCLASS1	100
-#define DNS_RESOLVER_QRYRTTCLASS1STR	"100"
-#define DNS_RESOLVER_QRYRTTCLASS2	500
-#define DNS_RESOLVER_QRYRTTCLASS2STR	"500"
-#define DNS_RESOLVER_QRYRTTCLASS3	800
-#define DNS_RESOLVER_QRYRTTCLASS3STR	"800"
-#define DNS_RESOLVER_QRYRTTCLASS4	1600
-#define DNS_RESOLVER_QRYRTTCLASS4STR	"1600"
-
-/*
- * XXXRTH  Should this API be made semi-private?  (I.e.
- * _dns_resolver_create()).
- */
-
-#define DNS_RESOLVER_CHECKNAMES		0x01
-#define DNS_RESOLVER_CHECKNAMESFAIL	0x02
-
-isc_result_t
-dns_resolver_create(dns_view_t *view,
-		    isc_taskmgr_t *taskmgr,
-		    unsigned int ntasks, unsigned int ndisp,
-		    isc_socketmgr_t *socketmgr,
-		    isc_timermgr_t *timermgr,
-		    unsigned int options,
-		    dns_dispatchmgr_t *dispatchmgr,
-		    dns_dispatch_t *dispatchv4,
-		    dns_dispatch_t *dispatchv6,
-		    dns_resolver_t **resp);
-
-/*%<
- * Create a resolver.
- *
- * Notes:
- *
- *\li	Generally, applications should not create a resolver directly, but
- *	should instead call dns_view_createresolver().
- *
- * Requires:
- *
- *\li	'view' is a valid view.
- *
- *\li	'taskmgr' is a valid task manager.
- *
- *\li	'ntasks' > 0.
- *
- *\li	'socketmgr' is a valid socket manager.
- *
- *\li	'timermgr' is a valid timer manager.
- *
- *\li	'dispatchv4' is a dispatch with an IPv4 UDP socket, or is NULL.
- *	If not NULL, 'ndisp' clones of it will be created by the resolver.
- *
- *\li	'dispatchv6' is a dispatch with an IPv6 UDP socket, or is NULL.
- *	If not NULL, 'ndisp' clones of it will be created by the resolver.
- *
- *\li	resp != NULL && *resp == NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				On success.
- *
- *\li	Anything else				Failure.
- */
-
-void
-dns_resolver_freeze(dns_resolver_t *res);
-/*%<
- * Freeze resolver.
- *
- * Notes:
- *
- *\li	Certain configuration changes cannot be made after the resolver
- *	is frozen.  Fetches cannot be created until the resolver is frozen.
- *
- * Requires:
- *
- *\li	'res' is a valid resolver.
- *
- * Ensures:
- *
- *\li	'res' is frozen.
- */
-
-void
-dns_resolver_prime(dns_resolver_t *res);
-/*%<
- * Prime resolver.
- *
- * Notes:
- *
- *\li	Resolvers which have a forwarding policy other than dns_fwdpolicy_only
- *	need to be primed with the root nameservers, otherwise the root
- *	nameserver hints data may be used indefinitely.  This function requests
- *	that the resolver start a priming fetch, if it isn't already priming.
- *
- * Requires:
- *
- *\li	'res' is a valid, frozen resolver.
- */
-
-
-void
-dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
-			  isc_event_t **eventp);
-/*%<
- * Send '*eventp' to 'task' when 'res' has completed shutdown.
- *
- * Notes:
- *
- *\li	It is not safe to detach the last reference to 'res' until
- *	shutdown is complete.
- *
- * Requires:
- *
- *\li	'res' is a valid resolver.
- *
- *\li	'task' is a valid task.
- *
- *\li	*eventp is a valid event.
- *
- * Ensures:
- *
- *\li	*eventp == NULL.
- */
-
-void
-dns_resolver_shutdown(dns_resolver_t *res);
-/*%<
- * Start the shutdown process for 'res'.
- *
- * Notes:
- *
- *\li	This call has no effect if the resolver is already shutting down.
- *
- * Requires:
- *
- *\li	'res' is a valid resolver.
- */
-
-void
-dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp);
-
-void
-dns_resolver_detach(dns_resolver_t **resp);
-
-isc_result_t
-dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
-			 dns_rdatatype_t type,
-			 dns_name_t *domain, dns_rdataset_t *nameservers,
-			 dns_forwarders_t *forwarders,
-			 unsigned int options, isc_task_t *task,
-			 isc_taskaction_t action, void *arg,
-			 dns_rdataset_t *rdataset,
-			 dns_rdataset_t *sigrdataset,
-			 dns_fetch_t **fetchp);
-
-isc_result_t
-dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
-			  dns_rdatatype_t type,
-			  dns_name_t *domain, dns_rdataset_t *nameservers,
-			  dns_forwarders_t *forwarders,
-			  isc_sockaddr_t *client, isc_uint16_t id,
-			  unsigned int options, isc_task_t *task,
-			  isc_taskaction_t action, void *arg,
-			  dns_rdataset_t *rdataset,
-			  dns_rdataset_t *sigrdataset,
-			  dns_fetch_t **fetchp);
-/*%<
- * Recurse to answer a question.
- *
- * Notes:
- *
- *\li	This call starts a query for 'name', type 'type'.
- *
- *\li	The 'domain' is a parent domain of 'name' for which
- *	a set of name servers 'nameservers' is known.  If no
- *	such name server information is available, set
- * 	'domain' and 'nameservers' to NULL.
- *
- *\li	'forwarders' is unimplemented, and subject to change when
- *	we figure out how selective forwarding will work.
- *
- *\li	When the fetch completes (successfully or otherwise), a
- *	#DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be
- *	posted to 'task'.
- *
- *\li	The values of 'rdataset' and 'sigrdataset' will be returned in
- *	the FETCHDONE event.
- *
- *\li	'client' and 'id' are used for duplicate query detection.  '*client'
- *	must remain stable until after 'action' has been called or
- *	dns_resolver_cancelfetch() is called.
- *
- * Requires:
- *
- *\li	'res' is a valid resolver that has been frozen.
- *
- *\li	'name' is a valid name.
- *
- *\li	'type' is not a meta type other than ANY.
- *
- *\li	'domain' is a valid name or NULL.
- *
- *\li	'nameservers' is a valid NS rdataset (whose owner name is 'domain')
- *	iff. 'domain' is not NULL.
- *
- *\li	'forwarders' is NULL.
- *
- *\li	'client' is a valid sockaddr or NULL.
- *
- *\li	'options' contains valid options.
- *
- *\li	'rdataset' is a valid, disassociated rdataset.
- *
- *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
- *
- *\li	fetchp != NULL && *fetchp == NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS					Success
- *\li	#DNS_R_DUPLICATE
- *\li	#DNS_R_DROP
- *
- *\li	Many other values are possible, all of which indicate failure.
- */
-
-void
-dns_resolver_cancelfetch(dns_fetch_t *fetch);
-/*%<
- * Cancel 'fetch'.
- *
- * Notes:
- *
- *\li	If 'fetch' has not completed, post its FETCHDONE event with a
- *	result code of #ISC_R_CANCELED.
- *
- * Requires:
- *
- *\li	'fetch' is a valid fetch.
- */
-
-void
-dns_resolver_destroyfetch(dns_fetch_t **fetchp);
-/*%<
- * Destroy 'fetch'.
- *
- * Requires:
- *
- *\li	'*fetchp' is a valid fetch.
- *
- *\li	The caller has received the FETCHDONE event (either because the
- *	fetch completed or because dns_resolver_cancelfetch() was called).
- *
- * Ensures:
- *
- *\li	*fetchp == NULL.
- */
-
-void
-dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
-		      isc_logcategory_t *category, isc_logmodule_t *module,
-		      int level, isc_boolean_t duplicateok);
-/*%<
- * Dump a log message on internal state at the completion of given 'fetch'.
- * 'lctx', 'category', 'module', and 'level' are used to write the log message.
- * By default, only one log message is written even if the corresponding fetch
- * context serves multiple clients; if 'duplicateok' is true the suppression
- * is disabled and the message can be written every time this function is
- * called.
- *
- * Requires:
- *
- *\li	'fetch' is a valid fetch, and has completed.
- */
-
-dns_dispatchmgr_t *
-dns_resolver_dispatchmgr(dns_resolver_t *resolver);
-
-dns_dispatch_t *
-dns_resolver_dispatchv4(dns_resolver_t *resolver);
-
-dns_dispatch_t *
-dns_resolver_dispatchv6(dns_resolver_t *resolver);
-
-isc_socketmgr_t *
-dns_resolver_socketmgr(dns_resolver_t *resolver);
-
-isc_taskmgr_t *
-dns_resolver_taskmgr(dns_resolver_t *resolver);
-
-isc_uint32_t
-dns_resolver_getlamettl(dns_resolver_t *resolver);
-/*%<
- * Get the resolver's lame-ttl.  zero => no lame processing.
- *
- * Requires:
- *\li	'resolver' to be valid.
- */
-
-void
-dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl);
-/*%<
- * Set the resolver's lame-ttl.  zero => no lame processing.
- *
- * Requires:
- *\li	'resolver' to be valid.
- */
-
-unsigned int
-dns_resolver_nrunning(dns_resolver_t *resolver);
-/*%<
- * Return the number of currently running resolutions in this
- * resolver.  This is may be less than the number of outstanding
- * fetches due to multiple identical fetches, or more than the
- * number of of outstanding fetches due to the fact that resolution
- * can continue even though a fetch has been canceled.
- */
-
-isc_result_t
-dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
-			  dns_name_t *name, in_port_t port);
-/*%<
- * Add alternate addresses to be tried in the event that the nameservers
- * for a zone are not available in the address families supported by the
- * operating system.
- *
- * Require:
- * \li	only one of 'name' or 'alt' to be valid.
- */
-
-void
-dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize);
-/*%<
- * Set the EDNS UDP buffer size advertised by the server.
- */
-
-isc_uint16_t
-dns_resolver_getudpsize(dns_resolver_t *resolver);
-/*%<
- * Get the current EDNS UDP buffer size.
- */
-
-void
-dns_resolver_reset_algorithms(dns_resolver_t *resolver);
-/*%<
- * Clear the disabled DNSSEC algorithms.
- */
-
-isc_result_t
-dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
-			       unsigned int alg);
-/*%<
- * Mark the give DNSSEC algorithm as disabled and below 'name'.
- * Valid algorithms are less than 256.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_RANGE
- *\li	#ISC_R_NOMEMORY
- */
-
-isc_boolean_t
-dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
-				 unsigned int alg);
-/*%<
- * Check if the given algorithm is supported by this resolver.
- * This checks if the algorithm has been disabled via
- * dns_resolver_disable_algorithm() then the underlying
- * crypto libraries if not specifically disabled.
- */
-
-isc_boolean_t
-dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest_type);
-/*%<
- * Is this digest type supported.
- */
-
-void
-dns_resolver_resetmustbesecure(dns_resolver_t *resolver);
-
-isc_result_t
-dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
-			     isc_boolean_t value);
-
-isc_boolean_t
-dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name);
-
-
-void
-dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds);
-/*%<
- * Set the length of time the resolver will work on a query, in seconds.
- *
- * If timeout is 0, the default timeout will be applied.
- *
- * Requires:
- * \li  resolver to be valid.
- */
-
-unsigned int
-dns_resolver_gettimeout(dns_resolver_t *resolver);
-/*%<
- * Get the current length of time the resolver will work on a query, in seconds.
- *
- * Requires:
- * \li  resolver to be valid.
- */
-
-void
-dns_resolver_setclientsperquery(dns_resolver_t *resolver,
-				isc_uint32_t min, isc_uint32_t max);
-
-void
-dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur,
-				isc_uint32_t *min, isc_uint32_t *max);
-
-isc_boolean_t
-dns_resolver_getzeronosoattl(dns_resolver_t *resolver);
-
-void
-dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state);
-
-unsigned int
-dns_resolver_getoptions(dns_resolver_t *resolver);
-
-void
-dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name,
-			 dns_rdatatype_t type, isc_time_t *expire);
-/*%<
- * Add a entry to the bad cache for <name,type> that will expire at 'expire'.
- *
- * Requires:
- * \li	resolver to be valid.
- * \li	name to be valid.
- */
-
-isc_boolean_t
-dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name,
-			 dns_rdatatype_t type, isc_time_t *now);
-/*%<
- * Check to see if there is a unexpired entry in the bad cache for
- * <name,type>.
- *
- * Requires:
- * \li	resolver to be valid.
- * \li	name to be valid.
- */
-
-void
-dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name);
-/*%<
- * Flush the bad cache of all entries at 'name' if 'name' is non NULL.
- * Flush the entire bad cache if 'name' is NULL.
- *
- * Requires:
- * \li	resolver to be valid.
- */
-
-void
-dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp);
-/*%
- * Print out the contents of the bad cache to 'fp'.
- *
- * Requires:
- * \li	resolver to be valid.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RESOLVER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/result.h b/contrib/bind9/lib/dns/include/dns/result.h
deleted file mode 100644
index 12aacf9..0000000
--- a/contrib/bind9/lib/dns/include/dns/result.h
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.123 2011/03/21 07:22:14 each Exp $ */
-
-#ifndef DNS_RESULT_H
-#define DNS_RESULT_H 1
-
-/*! \file dns/result.h */
-
-#include <isc/lang.h>
-#include <isc/resultclass.h>
-
-#include <dns/types.h>
-
-/*
- * Nothing in this file truly depends on <isc/result.h>, but the
- * DNS result codes are considered to be publicly derived from
- * the ISC result codes, so including this file buys you the ISC_R_
- * namespace too.
- */
-#include <isc/result.h>		/* Contractual promise. */
-
-/*
- * DNS library result codes
- */
-#define DNS_R_LABELTOOLONG		(ISC_RESULTCLASS_DNS + 0)
-#define DNS_R_BADESCAPE			(ISC_RESULTCLASS_DNS + 1)
-/*
- * Since we dropped the support of bitstring labels, deprecate the related
- * result codes too.
-
-#define DNS_R_BADBITSTRING		(ISC_RESULTCLASS_DNS + 2)
-#define DNS_R_BITSTRINGTOOLONG		(ISC_RESULTCLASS_DNS + 3)
-*/
-#define DNS_R_EMPTYLABEL		(ISC_RESULTCLASS_DNS + 4)
-#define DNS_R_BADDOTTEDQUAD		(ISC_RESULTCLASS_DNS + 5)
-#define DNS_R_INVALIDNS			(ISC_RESULTCLASS_DNS + 6)
-#define DNS_R_UNKNOWN			(ISC_RESULTCLASS_DNS + 7)
-#define DNS_R_BADLABELTYPE		(ISC_RESULTCLASS_DNS + 8)
-#define DNS_R_BADPOINTER		(ISC_RESULTCLASS_DNS + 9)
-#define DNS_R_TOOMANYHOPS		(ISC_RESULTCLASS_DNS + 10)
-#define DNS_R_DISALLOWED		(ISC_RESULTCLASS_DNS + 11)
-#define DNS_R_EXTRATOKEN		(ISC_RESULTCLASS_DNS + 12)
-#define DNS_R_EXTRADATA			(ISC_RESULTCLASS_DNS + 13)
-#define DNS_R_TEXTTOOLONG		(ISC_RESULTCLASS_DNS + 14)
-#define DNS_R_NOTZONETOP		(ISC_RESULTCLASS_DNS + 15)
-#define DNS_R_SYNTAX			(ISC_RESULTCLASS_DNS + 16)
-#define DNS_R_BADCKSUM			(ISC_RESULTCLASS_DNS + 17)
-#define DNS_R_BADAAAA			(ISC_RESULTCLASS_DNS + 18)
-#define DNS_R_NOOWNER			(ISC_RESULTCLASS_DNS + 19)
-#define DNS_R_NOTTL			(ISC_RESULTCLASS_DNS + 20)
-#define DNS_R_BADCLASS			(ISC_RESULTCLASS_DNS + 21)
-#define DNS_R_NAMETOOLONG		(ISC_RESULTCLASS_DNS + 22)
-#define DNS_R_PARTIALMATCH		(ISC_RESULTCLASS_DNS + 23)
-#define DNS_R_NEWORIGIN			(ISC_RESULTCLASS_DNS + 24)
-#define DNS_R_UNCHANGED			(ISC_RESULTCLASS_DNS + 25)
-#define DNS_R_BADTTL			(ISC_RESULTCLASS_DNS + 26)
-#define DNS_R_NOREDATA			(ISC_RESULTCLASS_DNS + 27)
-#define DNS_R_CONTINUE			(ISC_RESULTCLASS_DNS + 28)
-#define DNS_R_DELEGATION		(ISC_RESULTCLASS_DNS + 29)
-#define DNS_R_GLUE			(ISC_RESULTCLASS_DNS + 30)
-#define DNS_R_DNAME			(ISC_RESULTCLASS_DNS + 31)
-#define DNS_R_CNAME			(ISC_RESULTCLASS_DNS + 32)
-#define DNS_R_BADDB			(ISC_RESULTCLASS_DNS + 33)
-#define DNS_R_ZONECUT			(ISC_RESULTCLASS_DNS + 34)
-#define DNS_R_BADZONE			(ISC_RESULTCLASS_DNS + 35)
-#define DNS_R_MOREDATA			(ISC_RESULTCLASS_DNS + 36)
-#define DNS_R_UPTODATE			(ISC_RESULTCLASS_DNS + 37)
-#define DNS_R_TSIGVERIFYFAILURE		(ISC_RESULTCLASS_DNS + 38)
-#define DNS_R_TSIGERRORSET		(ISC_RESULTCLASS_DNS + 39)
-#define DNS_R_SIGINVALID		(ISC_RESULTCLASS_DNS + 40)
-#define DNS_R_SIGEXPIRED		(ISC_RESULTCLASS_DNS + 41)
-#define DNS_R_SIGFUTURE			(ISC_RESULTCLASS_DNS + 42)
-#define DNS_R_KEYUNAUTHORIZED		(ISC_RESULTCLASS_DNS + 43)
-#define DNS_R_INVALIDTIME		(ISC_RESULTCLASS_DNS + 44)
-#define DNS_R_EXPECTEDTSIG		(ISC_RESULTCLASS_DNS + 45)
-#define DNS_R_UNEXPECTEDTSIG		(ISC_RESULTCLASS_DNS + 46)
-#define DNS_R_INVALIDTKEY		(ISC_RESULTCLASS_DNS + 47)
-#define DNS_R_HINT			(ISC_RESULTCLASS_DNS + 48)
-#define DNS_R_DROP			(ISC_RESULTCLASS_DNS + 49)
-#define DNS_R_NOTLOADED			(ISC_RESULTCLASS_DNS + 50)
-#define DNS_R_NCACHENXDOMAIN		(ISC_RESULTCLASS_DNS + 51)
-#define DNS_R_NCACHENXRRSET		(ISC_RESULTCLASS_DNS + 52)
-#define DNS_R_WAIT			(ISC_RESULTCLASS_DNS + 53)
-#define DNS_R_NOTVERIFIEDYET		(ISC_RESULTCLASS_DNS + 54)
-#define DNS_R_NOIDENTITY		(ISC_RESULTCLASS_DNS + 55)
-#define DNS_R_NOJOURNAL			(ISC_RESULTCLASS_DNS + 56)
-#define DNS_R_ALIAS			(ISC_RESULTCLASS_DNS + 57)
-#define DNS_R_USETCP			(ISC_RESULTCLASS_DNS + 58)
-#define DNS_R_NOVALIDSIG		(ISC_RESULTCLASS_DNS + 59)
-#define DNS_R_NOVALIDNSEC		(ISC_RESULTCLASS_DNS + 60)
-#define DNS_R_NOTINSECURE		(ISC_RESULTCLASS_DNS + 61)
-#define DNS_R_UNKNOWNSERVICE		(ISC_RESULTCLASS_DNS + 62)
-#define DNS_R_RECOVERABLE		(ISC_RESULTCLASS_DNS + 63)
-#define DNS_R_UNKNOWNOPT		(ISC_RESULTCLASS_DNS + 64)
-#define DNS_R_UNEXPECTEDID		(ISC_RESULTCLASS_DNS + 65)
-#define DNS_R_SEENINCLUDE		(ISC_RESULTCLASS_DNS + 66)
-#define DNS_R_NOTEXACT			(ISC_RESULTCLASS_DNS + 67)
-#define DNS_R_BLACKHOLED		(ISC_RESULTCLASS_DNS + 68)
-#define DNS_R_BADALG			(ISC_RESULTCLASS_DNS + 69)
-#define DNS_R_METATYPE			(ISC_RESULTCLASS_DNS + 70)
-#define DNS_R_CNAMEANDOTHER		(ISC_RESULTCLASS_DNS + 71)
-#define DNS_R_SINGLETON			(ISC_RESULTCLASS_DNS + 72)
-#define DNS_R_HINTNXRRSET		(ISC_RESULTCLASS_DNS + 73)
-#define DNS_R_NOMASTERFILE		(ISC_RESULTCLASS_DNS + 74)
-#define DNS_R_UNKNOWNPROTO		(ISC_RESULTCLASS_DNS + 75)
-#define DNS_R_CLOCKSKEW			(ISC_RESULTCLASS_DNS + 76)
-#define DNS_R_BADIXFR			(ISC_RESULTCLASS_DNS + 77)
-#define DNS_R_NOTAUTHORITATIVE		(ISC_RESULTCLASS_DNS + 78)
-#define DNS_R_NOVALIDKEY		(ISC_RESULTCLASS_DNS + 79)
-#define DNS_R_OBSOLETE			(ISC_RESULTCLASS_DNS + 80)
-#define DNS_R_FROZEN			(ISC_RESULTCLASS_DNS + 81)
-#define DNS_R_UNKNOWNFLAG		(ISC_RESULTCLASS_DNS + 82)
-#define DNS_R_EXPECTEDRESPONSE		(ISC_RESULTCLASS_DNS + 83)
-#define DNS_R_NOVALIDDS			(ISC_RESULTCLASS_DNS + 84)
-#define DNS_R_NSISADDRESS		(ISC_RESULTCLASS_DNS + 85)
-#define DNS_R_REMOTEFORMERR		(ISC_RESULTCLASS_DNS + 86)
-#define DNS_R_TRUNCATEDTCP		(ISC_RESULTCLASS_DNS + 87)
-#define DNS_R_LAME			(ISC_RESULTCLASS_DNS + 88)
-#define DNS_R_UNEXPECTEDRCODE		(ISC_RESULTCLASS_DNS + 89)
-#define DNS_R_UNEXPECTEDOPCODE		(ISC_RESULTCLASS_DNS + 90)
-#define DNS_R_CHASEDSSERVERS		(ISC_RESULTCLASS_DNS + 91)
-#define DNS_R_EMPTYNAME			(ISC_RESULTCLASS_DNS + 92)
-#define DNS_R_EMPTYWILD			(ISC_RESULTCLASS_DNS + 93)
-#define DNS_R_BADBITMAP			(ISC_RESULTCLASS_DNS + 94)
-#define DNS_R_FROMWILDCARD		(ISC_RESULTCLASS_DNS + 95)
-#define DNS_R_BADOWNERNAME		(ISC_RESULTCLASS_DNS + 96)
-#define DNS_R_BADNAME			(ISC_RESULTCLASS_DNS + 97)
-#define DNS_R_DYNAMIC			(ISC_RESULTCLASS_DNS + 98)
-#define DNS_R_UNKNOWNCOMMAND		(ISC_RESULTCLASS_DNS + 99)
-#define DNS_R_MUSTBESECURE		(ISC_RESULTCLASS_DNS + 100)
-#define DNS_R_COVERINGNSEC		(ISC_RESULTCLASS_DNS + 101)
-#define DNS_R_MXISADDRESS		(ISC_RESULTCLASS_DNS + 102)
-#define DNS_R_DUPLICATE			(ISC_RESULTCLASS_DNS + 103)
-#define DNS_R_INVALIDNSEC3		(ISC_RESULTCLASS_DNS + 104)
-#define DNS_R_NOTMASTER 		(ISC_RESULTCLASS_DNS + 105)
-#define DNS_R_BROKENCHAIN		(ISC_RESULTCLASS_DNS + 106)
-#define DNS_R_EXPIRED			(ISC_RESULTCLASS_DNS + 107)
-#define DNS_R_NOTDYNAMIC 		(ISC_RESULTCLASS_DNS + 108)
-#define DNS_R_BADEUI	 		(ISC_RESULTCLASS_DNS + 109)
-
-#define DNS_R_NRESULTS			110	/*%< Number of results */
-
-/*
- * DNS wire format rcodes.
- *
- * By making these their own class we can easily convert them into the
- * wire-format rcode value simply by masking off the resultclass.
- */
-#define DNS_R_NOERROR			(ISC_RESULTCLASS_DNSRCODE + 0)
-#define DNS_R_FORMERR			(ISC_RESULTCLASS_DNSRCODE + 1)
-#define DNS_R_SERVFAIL			(ISC_RESULTCLASS_DNSRCODE + 2)
-#define DNS_R_NXDOMAIN			(ISC_RESULTCLASS_DNSRCODE + 3)
-#define DNS_R_NOTIMP			(ISC_RESULTCLASS_DNSRCODE + 4)
-#define DNS_R_REFUSED			(ISC_RESULTCLASS_DNSRCODE + 5)
-#define DNS_R_YXDOMAIN			(ISC_RESULTCLASS_DNSRCODE + 6)
-#define DNS_R_YXRRSET			(ISC_RESULTCLASS_DNSRCODE + 7)
-#define DNS_R_NXRRSET			(ISC_RESULTCLASS_DNSRCODE + 8)
-#define DNS_R_NOTAUTH			(ISC_RESULTCLASS_DNSRCODE + 9)
-#define DNS_R_NOTZONE			(ISC_RESULTCLASS_DNSRCODE + 10)
-#define DNS_R_BADVERS			(ISC_RESULTCLASS_DNSRCODE + 16)
-
-#define DNS_R_NRCODERESULTS		17	/*%< Number of rcode results */
-
-#define DNS_RESULT_ISRCODE(result) \
-	(ISC_RESULTCLASS_INCLASS(ISC_RESULTCLASS_DNSRCODE, (result)))
-
-ISC_LANG_BEGINDECLS
-
-const char *
-dns_result_totext(isc_result_t);
-
-void
-dns_result_register(void);
-
-dns_rcode_t
-dns_result_torcode(isc_result_t result);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RESULT_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rootns.h b/contrib/bind9/lib/dns/include/dns/rootns.h
deleted file mode 100644
index 6da3f79..0000000
--- a/contrib/bind9/lib/dns/include/dns/rootns.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rootns.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_ROOTNS_H
-#define DNS_ROOTNS_H 1
-
-/*! \file dns/rootns.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-                  const char *filename, dns_db_t **target);
-
-void
-dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db);
-/*
- * Reports differences between hints and the real roots.
- *
- * Requires view, hints and (cache) db to be valid.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ROOTNS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rpz.h b/contrib/bind9/lib/dns/include/dns/rpz.h
deleted file mode 100644
index e1d50a5..0000000
--- a/contrib/bind9/lib/dns/include/dns/rpz.h
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-
-#ifndef DNS_RPZ_H
-#define DNS_RPZ_H 1
-
-#include <isc/lang.h>
-
-#include <dns/fixedname.h>
-#include <dns/rdata.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_RPZ_PREFIX		"rpz-"
-#define DNS_RPZ_IP_ZONE		DNS_RPZ_PREFIX"ip"
-#define DNS_RPZ_NSIP_ZONE	DNS_RPZ_PREFIX"nsip"
-#define DNS_RPZ_NSDNAME_ZONE	DNS_RPZ_PREFIX"nsdname"
-#define DNS_RPZ_PASSTHRU_ZONE	DNS_RPZ_PREFIX"passthru"
-
-typedef isc_uint8_t		dns_rpz_cidr_bits_t;
-
-typedef enum {
-	DNS_RPZ_TYPE_BAD,
-	DNS_RPZ_TYPE_QNAME,
-	DNS_RPZ_TYPE_IP,
-	DNS_RPZ_TYPE_NSDNAME,
-	DNS_RPZ_TYPE_NSIP
-} dns_rpz_type_t;
-
-/*
- * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN <
- * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing
- * policies.
- */
-typedef enum {
-	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what policy record says */
-	DNS_RPZ_POLICY_DISABLED = 1,	/* 'cname x': answer with x's rrsets */
-	DNS_RPZ_POLICY_PASSTHRU = 2,	/* 'passthru': do not rewrite */
-	DNS_RPZ_POLICY_NXDOMAIN = 3,	/* 'nxdomain': answer with NXDOMAIN */
-	DNS_RPZ_POLICY_NODATA = 4,	/* 'nodata': answer with ANCOUNT=0 */
-	DNS_RPZ_POLICY_CNAME = 5,	/* 'cname x': answer with x's rrsets */
-	DNS_RPZ_POLICY_RECORD,
-	DNS_RPZ_POLICY_WILDCNAME,
-	DNS_RPZ_POLICY_MISS,
-	DNS_RPZ_POLICY_ERROR
-} dns_rpz_policy_t;
-
-/*
- * Specify a response policy zone.
- */
-typedef struct dns_rpz_zone dns_rpz_zone_t;
-
-struct dns_rpz_zone {
-	ISC_LINK(dns_rpz_zone_t) link;
-	int			 num;	  /* ordinal in list of policy zones */
-	dns_name_t		 origin;  /* Policy zone name */
-	dns_name_t		 nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
-	dns_name_t		 passthru;/* DNS_RPZ_PASSTHRU_ZONE. */
-	dns_name_t		 cname;	  /* override value for ..._CNAME */
-	dns_ttl_t		 max_policy_ttl;
-	dns_rpz_policy_t	 policy;  /* DNS_RPZ_POLICY_GIVEN or override */
-	isc_boolean_t		 recursive_only;
-	isc_boolean_t		 defined;
-};
-
-/*
- * Radix trees for response policy IP addresses.
- */
-typedef struct dns_rpz_cidr	dns_rpz_cidr_t;
-
-/*
- * context for finding the best policy
- */
-typedef struct {
-	unsigned int		state;
-# define DNS_RPZ_REWRITTEN	0x0001
-# define DNS_RPZ_DONE_QNAME	0x0002	/* qname checked */
-# define DNS_RPZ_DONE_QNAME_IP	0x0004	/* IP addresses of qname checked */
-# define DNS_RPZ_DONE_NSDNAME	0x0008	/* NS name missed; checking addresses */
-# define DNS_RPZ_DONE_IPv4 	0x0010
-# define DNS_RPZ_RECURSING	0x0020
-# define DNS_RPZ_HAVE_IP 	0x0040	/* a policy zone has IP addresses */
-# define DNS_RPZ_HAVE_NSIPv4	0x0080	/*		  IPv4 NISP addresses */
-# define DNS_RPZ_HAVE_NSIPv6	0x0100	/*		  IPv6 NISP addresses */
-# define DNS_RPZ_HAVE_NSDNAME	0x0200	/*		  NS names */
-	/*
-	 * Best match so far.
-	 */
-	struct {
-		dns_rpz_type_t		type;
-		dns_rpz_zone_t		*rpz;
-		dns_rpz_cidr_bits_t	prefix;
-		dns_rpz_policy_t	policy;
-		dns_ttl_t		ttl;
-		isc_result_t		result;
-		dns_zone_t		*zone;
-		dns_db_t		*db;
-		dns_dbversion_t		*version;
-		dns_dbnode_t		*node;
-		dns_rdataset_t		*rdataset;
-	} m;
-	/*
-	 * State for chasing IP addresses and NS names including recursion.
-	 */
-	struct {
-		unsigned int		label;
-		dns_db_t		*db;
-		dns_rdataset_t		*ns_rdataset;
-		dns_rdatatype_t		r_type;
-		isc_result_t		r_result;
-		dns_rdataset_t		*r_rdataset;
-	} r;
-	/*
-	 * State of real query while recursing for NSIP or NSDNAME.
-	 */
-	struct {
-		isc_result_t		result;
-		isc_boolean_t		is_zone;
-		isc_boolean_t		authoritative;
-		dns_zone_t		*zone;
-		dns_db_t		*db;
-		dns_dbnode_t		*node;
-		dns_rdataset_t		*rdataset;
-		dns_rdataset_t		*sigrdataset;
-		dns_rdatatype_t		qtype;
-	} q;
-	dns_name_t		*qname;
-	dns_name_t		*r_name;
-	dns_name_t		*fname;
-	dns_fixedname_t		_qnamef;
-	dns_fixedname_t		_r_namef;
-	dns_fixedname_t		_fnamef;
-} dns_rpz_st_t;
-
-#define DNS_RPZ_TTL_DEFAULT		5
-#define DNS_RPZ_MAX_TTL_DEFAULT		DNS_RPZ_TTL_DEFAULT
-
-/*
- * So various response policy zone messages can be turned up or down.
- */
-#define DNS_RPZ_ERROR_LEVEL	ISC_LOG_WARNING
-#define DNS_RPZ_INFO_LEVEL	ISC_LOG_INFO
-#define DNS_RPZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
-#define DNS_RPZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)
-#define DNS_RPZ_DEBUG_LEVEL3	ISC_LOG_DEBUG(3)
-#define DNS_RPZ_DEBUG_QUIET	(DNS_RPZ_DEBUG_LEVEL3+1)
-
-const char *
-dns_rpz_type2str(dns_rpz_type_t type);
-
-dns_rpz_policy_t
-dns_rpz_str2policy(const char *str);
-
-const char *
-dns_rpz_policy2str(dns_rpz_policy_t policy);
-
-void
-dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);
-
-void
-dns_rpz_view_destroy(dns_view_t *view);
-
-isc_result_t
-dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
-		 dns_rpz_cidr_t **rbtdb_cidr);
-void
-dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);
-
-void
-dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);
-
-void
-dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);
-
-isc_result_t
-dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
-		  dns_rpz_type_t type, dns_name_t *canon_name,
-		  dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);
-
-dns_rpz_policy_t
-dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
-		     dns_name_t *selfname);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RPZ_H */
-
diff --git a/contrib/bind9/lib/dns/include/dns/rriterator.h b/contrib/bind9/lib/dns/include/dns/rriterator.h
deleted file mode 100644
index c979f22..0000000
--- a/contrib/bind9/lib/dns/include/dns/rriterator.h
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Copyright (C) 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rriterator.h,v 1.4 2011/11/01 23:47:00 tbox Exp $ */
-
-#ifndef DNS_RRITERATOR_H
-#define DNS_RRITERATOR_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/rriterator.h
- * \brief
- * Functions for "walking" a zone database, visiting each RR or RRset in turn.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/ondestroy.h>
-#include <isc/stdtime.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types
- *****/
-
-/*%
- * A dns_rriterator_t is an iterator that iterates over an entire database,
- * returning one RR at a time, in some arbitrary order.
- */
-
-typedef struct dns_rriterator {
-	unsigned int		magic;
-	isc_result_t		result;
-	dns_db_t		*db;
-	dns_dbiterator_t 	*dbit;
-	dns_dbversion_t 	*ver;
-	isc_stdtime_t		now;
-	dns_dbnode_t		*node;
-	dns_fixedname_t		fixedname;
-	dns_rdatasetiter_t 	*rdatasetit;
-	dns_rdataset_t 		rdataset;
-	dns_rdata_t		rdata;
-} dns_rriterator_t;
-
-#define RRITERATOR_MAGIC		ISC_MAGIC('R', 'R', 'I', 't')
-#define VALID_RRITERATOR(m)		ISC_MAGIC_VALID(m, RRITERATOR_MAGIC)
-
-isc_result_t
-dns_rriterator_init(dns_rriterator_t *it, dns_db_t *db,
-		       dns_dbversion_t *ver, isc_stdtime_t now);
-/*%
- * Initialize an rriterator; sets the cursor to the origin node
- * of the database.
- *
- * Requires:
- *
- * \li	'db' is a valid database.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_rriterator_first(dns_rriterator_t *it);
-/*%<
- * Move the rriterator cursor to the first rdata in the database.
- *
- * Requires:
- *\li	'it' is a valid, initialized rriterator
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			There are no rdata in the set.
- */
-
-isc_result_t
-dns_rriterator_nextrrset(dns_rriterator_t *it);
-/*%<
- * Move the rriterator cursor to the next rrset in the database,
- * skipping over any remaining records that have the same rdatatype
- * as the current one.
- *
- * Requires:
- *\li	'it' is a valid, initialized rriterator
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			No more rrsets in the database
- */
-
-isc_result_t
-dns_rriterator_next(dns_rriterator_t *it);
-/*%<
- * Move the rriterator cursor to the next rrset in the database,
- * skipping over any remaining records that have the same rdatatype
- * as the current one.
- *
- * Requires:
- *\li	'it' is a valid, initialized rriterator
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			No more records in the database
- */
-
-void
-dns_rriterator_current(dns_rriterator_t *it, dns_name_t **name,
-			  isc_uint32_t *ttl, dns_rdataset_t **rdataset,
-			  dns_rdata_t **rdata);
-/*%<
- * Make '*name' refer to the current name.  If 'rdataset' is not NULL,
- * make '*rdataset' refer to the current * rdataset.  If '*rdata' is not
- * NULL, make '*rdata' refer to the current record.
- *
- * Requires:
- *\li	'*name' is a valid name object
- *\li	'rdataset' is NULL or '*rdataset' is NULL
- *\li	'rdata' is NULL or '*rdata' is NULL
- *
- * Ensures:
- *\li	'rdata' refers to the rdata at the rdata cursor location of
- *\li	'rdataset'.
- */
-
-void
-dns_rriterator_pause(dns_rriterator_t *it);
-/*%<
- * Pause rriterator.  Frees any locks held by the database iterator.
- * Callers should use this routine any time they are not going to
- * execute another rriterator method in the immediate future.
- *
- * Requires:
- *\li	'it' is a valid iterator.
- *
- * Ensures:
- *\li	Any database locks being held for efficiency of iterator access are
- *	released.
- */
-
-void
-dns_rriterator_destroy(dns_rriterator_t *it);
-/*%<
- * Shut down and free resources in rriterator 'it'.
- *
- * Requires:
- *
- *\li	'it' is a valid iterator.
- *
- * Ensures:
- *
- *\li	All resources used by the rriterator are freed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RRITERATOR_H */
diff --git a/contrib/bind9/lib/dns/include/dns/sdb.h b/contrib/bind9/lib/dns/include/dns/sdb.h
deleted file mode 100644
index 2751903..0000000
--- a/contrib/bind9/lib/dns/include/dns/sdb.h
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sdb.h,v 1.25 2011/10/11 23:46:45 tbox Exp $ */
-
-#ifndef DNS_SDB_H
-#define DNS_SDB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/sdb.h
- * \brief
- * Simple database API.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/clientinfo.h>
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-/*%
- * A simple database.  This is an opaque type.
- */
-typedef struct dns_sdb dns_sdb_t;
-
-/*%
- * A simple database lookup in progress.  This is an opaque type.
- */
-typedef struct dns_sdblookup dns_sdblookup_t;
-
-/*%
- * A simple database traversal in progress.  This is an opaque type.
- */
-typedef struct dns_sdballnodes dns_sdballnodes_t;
-
-typedef isc_result_t
-(*dns_sdblookupfunc_t)(const char *zone, const char *name, void *dbdata,
-		       dns_sdblookup_t *lookup,
-		       dns_clientinfomethods_t *methods,
-		       dns_clientinfo_t *clientinfo);
-typedef isc_result_t
-(*dns_sdblookup2func_t)(const dns_name_t *zone, const dns_name_t *name,
-			void *dbdata, dns_sdblookup_t *lookup,
-			dns_clientinfomethods_t *methods,
-			dns_clientinfo_t *clientinfo);
-
-typedef isc_result_t
-(*dns_sdbauthorityfunc_t)(const char *zone, void *dbdata, dns_sdblookup_t *);
-
-typedef isc_result_t
-(*dns_sdballnodesfunc_t)(const char *zone, void *dbdata,
-			 dns_sdballnodes_t *allnodes);
-
-typedef isc_result_t
-(*dns_sdbcreatefunc_t)(const char *zone, int argc, char **argv,
-		       void *driverdata, void **dbdata);
-
-typedef void
-(*dns_sdbdestroyfunc_t)(const char *zone, void *driverdata, void **dbdata);
-
-
-typedef struct dns_sdbmethods {
-	dns_sdblookupfunc_t	lookup;
-	dns_sdbauthorityfunc_t	authority;
-	dns_sdballnodesfunc_t	allnodes;
-	dns_sdbcreatefunc_t	create;
-	dns_sdbdestroyfunc_t	destroy;
-	dns_sdblookup2func_t	lookup2;
-} dns_sdbmethods_t;
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_SDBFLAG_RELATIVEOWNER 0x00000001U
-#define DNS_SDBFLAG_RELATIVERDATA 0x00000002U
-#define DNS_SDBFLAG_THREADSAFE 0x00000004U
-#define DNS_SDBFLAG_DNS64 0x00000008U
-
-isc_result_t
-dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
-		 void *driverdata, unsigned int flags, isc_mem_t *mctx,
-		 dns_sdbimplementation_t **sdbimp);
-/*%<
- * Register a simple database driver for the database type 'drivername',
- * implemented by the functions in '*methods'.
- *
- * sdbimp must point to a NULL dns_sdbimplementation_t pointer.  That is,
- * sdbimp != NULL && *sdbimp == NULL.  It will be assigned a value that
- * will later be used to identify the driver when deregistering it.
- *
- * The name server will perform lookups in the database by calling the
- * function 'lookup', passing it a printable zone name 'zone', a printable
- * domain name 'name', and a copy of the argument 'dbdata' that
- * was potentially returned by the create function.  The 'dns_sdblookup_t'
- * argument to 'lookup' and 'authority' is an opaque pointer to be passed to
- * ns_sdb_putrr().
- *
- * The lookup function returns the lookup results to the name server
- * by calling ns_sdb_putrr() once for each record found.  On success,
- * the return value of the lookup function should be ISC_R_SUCCESS.
- * If the domain name 'name' does not exist, the lookup function should
- * ISC_R_NOTFOUND.  Any other return value is treated as an error.
- *
- * Lookups at the zone apex will cause the server to also call the
- * function 'authority' (if non-NULL), which must provide an SOA record
- * and NS records for the zone by calling ns_sdb_putrr() once for each of
- * these records.  The 'authority' function may be NULL if invoking
- * the 'lookup' function on the zone apex will return SOA and NS records.
- *
- * The allnodes function, if non-NULL, fills in an opaque structure to be
- * used by a database iterator.  This allows the zone to be transferred.
- * This may use a considerable amount of memory for large zones, and the
- * zone transfer may not be fully RFC1035 compliant if the zone is
- * frequently changed.
- *
- * The create function will be called for each zone configured
- * into the name server using this database type.  It can be used
- * to create a "database object" containing zone specific data,
- * which can make use of the database arguments specified in the
- * name server configuration.
- *
- * The destroy function will be called to free the database object
- * when its zone is destroyed.
- *
- * The create and destroy functions may be NULL.
- *
- * If flags includes DNS_SDBFLAG_RELATIVEOWNER, the lookup and authority
- * functions will be called with relative names rather than absolute names.
- * The string "@" represents the zone apex in this case.
- *
- * If flags includes DNS_SDBFLAG_RELATIVERDATA, the rdata strings may
- * include relative names.  Otherwise, all names in the rdata string must
- * be absolute.  Be aware that if relative names are allowed, any
- * absolute names must contain a trailing dot.
- *
- * If flags includes DNS_SDBFLAG_THREADSAFE, the driver must be able to
- * handle multiple lookups in parallel.  Otherwise, calls into the driver
- * are serialized.
- */
-
-void
-dns_sdb_unregister(dns_sdbimplementation_t **sdbimp);
-/*%<
- * Removes the simple database driver from the list of registered database
- * types.  There must be no active databases of this type when this function
- * is called.
- */
-
-/*% See dns_sdb_putradata() */
-isc_result_t
-dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
-	      const char *data);
-isc_result_t
-dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t type, dns_ttl_t ttl,
-		 const unsigned char *rdata, unsigned int rdlen);
-/*%<
- * Add a single resource record to the lookup structure to be
- * returned in the query response.  dns_sdb_putrr() takes the
- * resource record in master file text format as a null-terminated
- * string, and dns_sdb_putrdata() takes the raw RDATA in
- * uncompressed wire format.
- */
-
-/*% See dns_sdb_putnamerdata() */
-isc_result_t
-dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
-		   const char *type, dns_ttl_t ttl, const char *data);
-isc_result_t
-dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
-		      dns_rdatatype_t type, dns_ttl_t ttl,
-		      const void *rdata, unsigned int rdlen);
-/*%<
- * Add a single resource record to the allnodes structure to be
- * included in a zone transfer response, in text or wire
- * format as above.
- */
-
-isc_result_t
-dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
-	       isc_uint32_t serial);
-/*%<
- * This function may optionally be called from the 'authority' callback
- * to simplify construction of the SOA record for 'zone'.  It will
- * provide a SOA listing 'mname' as as the master server and 'rname' as
- * the responsible person mailbox.  It is the responsibility of the
- * driver to increment the serial number between responses if necessary.
- * All other SOA fields will have reasonable default values.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SDB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/sdlz.h b/contrib/bind9/lib/dns/include/dns/sdlz.h
deleted file mode 100644
index fbc6b95..0000000
--- a/contrib/bind9/lib/dns/include/dns/sdlz.h
+++ /dev/null
@@ -1,376 +0,0 @@
-/*
- * Portions Copyright (C) 2005-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the
- * above copyright notice and this permission notice appear in all
- * copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
- * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
- * USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
- * conceived and contributed by Rob Butler.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the
- * above copyright notice and this permission notice appear in all
- * copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
- * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
- * USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file dns/sdlz.h */
-
-#ifndef SDLZ_H
-#define SDLZ_H 1
-
-#include <dns/clientinfo.h>
-#include <dns/dlz.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_SDLZFLAG_THREADSAFE		0x00000001U
-#define DNS_SDLZFLAG_RELATIVEOWNER	0x00000002U
-#define DNS_SDLZFLAG_RELATIVERDATA	0x00000004U
-
- /* A simple DLZ database. */
-typedef struct dns_sdlz_db dns_sdlz_db_t;
-
- /* A simple DLZ database lookup in progress. */
-typedef struct dns_sdlzlookup dns_sdlzlookup_t;
-
- /* A simple DLZ database traversal in progress. */
-typedef struct dns_sdlzallnodes dns_sdlzallnodes_t;
-
-typedef isc_result_t (*dns_sdlzallnodesfunc_t)(const char *zone,
-					       void *driverarg,
-					       void *dbdata,
-					       dns_sdlzallnodes_t *allnodes);
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply an all nodes method.  This method is called when the DNS
- * server is performing a zone transfer query, after the allow zone
- * transfer method has been called.  This method is only called if the
- * allow zone transfer method returned ISC_R_SUCCESS.  This method and
- * the allow zone transfer method are both required for zone transfers
- * to be supported.  If the driver generates data dynamically (instead
- * of searching in a database for it) it should not implement this
- * function as a zone transfer would be meaningless.  A SDLZ driver
- * does not have to implement an all nodes method.
- */
-
-typedef isc_result_t (*dns_sdlzallowzonexfr_t)(void *driverarg,
-					       void *dbdata, const char *name,
-					       const char *client);
-
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply an allow zone transfer method.  This method is called when
- * the DNS server is performing a zone transfer query, before the all
- * nodes method can be called.  This method and the all node method
- * are both required for zone transfers to be supported.  If the
- * driver generates data dynamically (instead of searching in a
- * database for it) it should not implement this function as a zone
- * transfer would be meaningless.  A SDLZ driver does not have to
- * implement an allow zone transfer method.
- *
- * This method should return ISC_R_SUCCESS if the zone is supported by
- * the database and a zone transfer is allowed for the specified
- * client.  If the zone is supported by the database, but zone
- * transfers are not allowed for the specified client this method
- * should return ISC_R_NOPERM..  Lastly the method should return
- * ISC_R_NOTFOUND if the zone is not supported by the database.  If an
- * error occurs it should return a result code indicating the type of
- * error.
- */
-
-typedef isc_result_t (*dns_sdlzauthorityfunc_t)(const char *zone,
-						void *driverarg, void *dbdata,
-						dns_sdlzlookup_t *lookup);
-
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply an authority method.  This method is called when the DNS
- * server is performing a query, after both the find zone and lookup
- * methods have been called.  This method is required if the lookup
- * function does not supply authority information for the dns
- * record. A SDLZ driver does not have to implement an authority
- * method.
- */
-
-typedef isc_result_t (*dns_sdlzcreate_t)(const char *dlzname,
-					 unsigned int argc, char *argv[],
-					 void *driverarg, void **dbdata);
-
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply a create method.  This method is called when the DNS server
- * is starting up and creating drivers for use later. A SDLZ driver
- * does not have to implement a create method.
- */
-
-typedef void (*dns_sdlzdestroy_t)(void *driverarg, void *dbdata);
-
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply a destroy method.  This method is called when the DNS server
- * is shutting down and no longer needs the driver.  A SDLZ driver does
- * not have to implement a destroy method.
- */
-
-typedef isc_result_t
-(*dns_sdlzfindzone_t)(void *driverarg, void *dbdata, const char *name);
-
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface MUST
- * supply a find zone method.  This method is called when the DNS
- * server is performing a query to to determine if 'name' is a
- * supported dns zone.  The find zone method will be called with the
- * longest possible name first, and continue to be called with
- * successively shorter domain names, until any of the following
- * occur:
- *
- * \li	1) the function returns (ISC_R_SUCCESS) indicating a zone name
- *	   match.
- *
- * \li	2) a problem occurs, and the functions returns anything other than
- *	   (ISC_R_NOTFOUND)
- *
- * \li	3) we run out of domain name labels. I.E. we have tried the
- *	   shortest domain name
- *
- * \li	4) the number of labels in the domain name is less than min_labels
- *	   for dns_dlzfindzone
- *
- * The driver's find zone method should return ISC_R_SUCCESS if the
- * zone is supported by the database.  Otherwise it should return
- * ISC_R_NOTFOUND, if the zone is not supported.  If an error occurs
- * it should return a result code indicating the type of error.
- */
-
-typedef isc_result_t
-(*dns_sdlzlookupfunc_t)(const char *zone, const char *name, void *driverarg,
-			void *dbdata, dns_sdlzlookup_t *lookup,
-			dns_clientinfomethods_t *methods,
-			dns_clientinfo_t *clientinfo);
-
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface MUST
- * supply a lookup method.  This method is called when the
- * DNS server is performing a query, after the find zone and before any
- * other methods have been called.  This function returns DNS record
- * information using the dns_sdlz_putrr and dns_sdlz_putsoa functions.
- * If this function supplies authority information for the DNS record
- * the authority method is not required.  If it does not, the
- * authority function is required.
- *
- * The 'methods' and 'clientinfo' args allow an SDLZ driver to retrieve
- * information about the querying client (such as source IP address)
- * from the caller.
- */
-
-typedef isc_result_t (*dns_sdlznewversion_t)(const char *zone,
-					     void *driverarg, void *dbdata,
-					     void **versionp);
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply a newversion method.  This method is called to start a
- * write transaction on a zone and should only be implemented by
- * writeable backends.
- * When implemented, the driver should create a new transaction, and
- * fill *versionp with a pointer to the transaction state. The
- * closeversion function will be called to close the transaction.
- */
-
-typedef void (*dns_sdlzcloseversion_t)(const char *zone, isc_boolean_t commit,
-				       void *driverarg, void *dbdata,
-				       void **versionp);
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface must
- * supply a closeversion method if they supply a newversion method.
- * When implemented, the driver should close the given transaction,
- * committing changes if 'commit' is ISC_TRUE. If 'commit' is not true
- * then all changes should be discarded and the database rolled back.
- * If the call is successful then *versionp should be set to NULL
- */
-
-typedef isc_result_t (*dns_sdlzconfigure_t)(dns_view_t *view, void *driverarg,
-					    void *dbdata);
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply a configure method. When supplied, it will be called
- * immediately after the create method to give the driver a chance
- * to configure writeable zones
- */
-
-
-typedef isc_boolean_t (*dns_sdlzssumatch_t)(const char *signer,
-					    const char *name,
-					    const char *tcpaddr,
-					    const char *type,
-					    const char *key,
-					    isc_uint32_t keydatalen,
-					    unsigned char *keydata,
-					    void *driverarg,
-					    void *dbdata);
-
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply a ssumatch method. If supplied, then ssumatch will be
- * called to authorize any zone updates. The driver should return
- * ISC_TRUE to allow the update, and ISC_FALSE to deny it. For a DLZ
- * controlled zone, this is the only access control on updates.
- */
-
-
-typedef isc_result_t (*dns_sdlzmodrdataset_t)(const char *name,
-					      const char *rdatastr,
-					      void *driverarg, void *dbdata,
-					      void *version);
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply addrdataset and subtractrdataset methods. If supplied, then these
- * will be called when rdatasets are added/subtracted during
- * updates. The version parameter comes from a call to the sdlz
- * newversion() method from the driver. The rdataset parameter is a
- * linearise string representation of the rdataset change. The format
- * is the same as used by dig when displaying records. The fields are
- * tab delimited.
- */
-
-typedef isc_result_t (*dns_sdlzdelrdataset_t)(const char *name,
-					      const char *type,
-					      void *driverarg, void *dbdata,
-					      void *version);
-/*%<
- * Method prototype.  Drivers implementing the SDLZ interface may
- * supply a delrdataset method. If supplied, then this
- * function will be called when rdatasets are deleted during
- * updates. The call should remove all rdatasets of the given type for
- * the specified name.
- */
-
-typedef struct dns_sdlzmethods {
-	dns_sdlzcreate_t	create;
-	dns_sdlzdestroy_t	destroy;
-	dns_sdlzfindzone_t	findzone;
-	dns_sdlzlookupfunc_t	lookup;
-	dns_sdlzauthorityfunc_t	authority;
-	dns_sdlzallnodesfunc_t	allnodes;
-	dns_sdlzallowzonexfr_t	allowzonexfr;
-	dns_sdlznewversion_t    newversion;
-	dns_sdlzcloseversion_t  closeversion;
-	dns_sdlzconfigure_t	configure;
-	dns_sdlzssumatch_t	ssumatch;
-	dns_sdlzmodrdataset_t	addrdataset;
-	dns_sdlzmodrdataset_t	subtractrdataset;
-	dns_sdlzdelrdataset_t	delrdataset;
-} dns_sdlzmethods_t;
-
-isc_result_t
-dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods,
-		 void *driverarg, unsigned int flags, isc_mem_t *mctx,
-		 dns_sdlzimplementation_t **sdlzimp);
-/*%<
- * Register a dynamically loadable zones (dlz) driver for the database
- * type 'drivername', implemented by the functions in '*methods'.
- *
- * sdlzimp must point to a NULL dns_sdlzimplementation_t pointer.
- * That is, sdlzimp != NULL && *sdlzimp == NULL.  It will be assigned
- * a value that will later be used to identify the driver when
- * deregistering it.
- */
-
-void
-dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp);
-
-/*%<
- * Removes the sdlz driver from the list of registered sdlz drivers.
- * There must be no active sdlz drivers of this type when this
- * function is called.
- */
-
-typedef isc_result_t dns_sdlz_putnamedrr_t(dns_sdlzallnodes_t *allnodes,
-					   const char *name,
-					   const char *type,
-					   dns_ttl_t ttl,
-					   const char *data);
-dns_sdlz_putnamedrr_t dns_sdlz_putnamedrr;
-
-/*%<
- * Add a single resource record to the allnodes structure to be later
- * parsed into a zone transfer response.
- */
-
-typedef isc_result_t dns_sdlz_putrr_t(dns_sdlzlookup_t *lookup,
-				      const char *type,
-				      dns_ttl_t ttl,
-				      const char *data);
-dns_sdlz_putrr_t dns_sdlz_putrr;
-/*%<
- * Add a single resource record to the lookup structure to be later
- * parsed into a query response.
- */
-
-typedef isc_result_t dns_sdlz_putsoa_t(dns_sdlzlookup_t *lookup,
-				       const char *mname,
-				       const char *rname,
-				       isc_uint32_t serial);
-dns_sdlz_putsoa_t dns_sdlz_putsoa;
-/*%<
- * This function may optionally be called from the 'authority'
- * callback to simplify construction of the SOA record for 'zone'.  It
- * will provide a SOA listing 'mname' as as the master server and
- * 'rname' as the responsible person mailbox.  It is the
- * responsibility of the driver to increment the serial number between
- * responses if necessary.  All other SOA fields will have reasonable
- * default values.
- */
-
-
-typedef isc_result_t dns_sdlz_setdb_t(dns_dlzdb_t *dlzdatabase,
-				      dns_rdataclass_t rdclass,
-				      dns_name_t *name,
-				      dns_db_t **dbp);
-dns_sdlz_setdb_t dns_sdlz_setdb;
-/*%<
- * Create the database pointers for a writeable SDLZ zone
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* SDLZ_H */
diff --git a/contrib/bind9/lib/dns/include/dns/secalg.h b/contrib/bind9/lib/dns/include/dns/secalg.h
deleted file mode 100644
index 43d9fb2..0000000
--- a/contrib/bind9/lib/dns/include/dns/secalg.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: secalg.h,v 1.21 2009/10/12 23:48:02 tbox Exp $ */
-
-#ifndef DNS_SECALG_H
-#define DNS_SECALG_H 1
-
-/*! \file dns/secalg.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source);
-/*%<
- * Convert the text 'source' refers to into a DNSSEC security algorithm value.
- * The text may contain either a mnemonic algorithm name or a decimal algorithm
- * number.
- *
- * Requires:
- *\li	'secalgp' is a valid pointer.
- *
- *\li	'source' is a valid text region.
- *
- * Returns:
- *\li	ISC_R_SUCCESS			on success
- *\li	ISC_R_RANGE			numeric type is out of range
- *\li	DNS_R_UNKNOWN			mnemonic type is unknown
- */
-
-isc_result_t
-dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
-/*%<
- * Put a textual representation of the DNSSEC security algorithm 'secalg'
- * into 'target'.
- *
- * Requires:
- *\li	'secalg' is a valid secalg.
- *
- *\li	'target' is a valid text buffer.
- *
- * Ensures,
- *	if the result is success:
- *\li		The used space in 'target' is updated.
- *
- * Returns:
- *\li	ISC_R_SUCCESS			on success
- *\li	ISC_R_NOSPACE			target buffer is too small
- */
-
-#define DNS_SECALG_FORMATSIZE 20
-void
-dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size);
-/*%<
- * Wrapper for dns_secalg_totext(), writing text into 'cp'
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SECALG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/secproto.h b/contrib/bind9/lib/dns/include/dns/secproto.h
deleted file mode 100644
index b9179c0..0000000
--- a/contrib/bind9/lib/dns/include/dns/secproto.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: secproto.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_SECPROTO_H
-#define DNS_SECPROTO_H 1
-
-/*! \file dns/secproto.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source);
-/*%<
- * Convert the text 'source' refers to into a DNSSEC security protocol value.
- * The text may contain either a mnemonic protocol name or a decimal protocol
- * number.
- *
- * Requires:
- *\li	'secprotop' is a valid pointer.
- *
- *\li	'source' is a valid text region.
- *
- * Returns:
- *\li	ISC_R_SUCCESS			on success
- *\li	ISC_R_RANGE			numeric type is out of range
- *\li	DNS_R_UNKNOWN			mnemonic type is unknown
- */
-
-isc_result_t
-dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target);
-/*%<
- * Put a textual representation of the DNSSEC security protocol 'secproto'
- * into 'target'.
- *
- * Requires:
- *\li	'secproto' is a valid secproto.
- *
- *\li	'target' is a valid text buffer.
- *
- * Ensures,
- *	if the result is success:
- *	\li	The used space in 'target' is updated.
- *
- * Returns:
- *\li	ISC_R_SUCCESS			on success
- *\li	ISC_R_NOSPACE			target buffer is too small
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SECPROTO_H */
diff --git a/contrib/bind9/lib/dns/include/dns/soa.h b/contrib/bind9/lib/dns/include/dns/soa.h
deleted file mode 100644
index 696235e..0000000
--- a/contrib/bind9/lib/dns/include/dns/soa.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: soa.h,v 1.12 2009/09/10 01:47:09 each Exp $ */
-
-#ifndef DNS_SOA_H
-#define DNS_SOA_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/soa.h
- * \brief
- * SOA utilities.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_SOA_BUFFERSIZE      ((2 * DNS_NAME_MAXWIRE) + (4 * 5))
-
-isc_result_t
-dns_soa_buildrdata(dns_name_t *origin, dns_name_t *contact,
-		   dns_rdataclass_t rdclass,
-		   isc_uint32_t serial, isc_uint32_t refresh,
-		   isc_uint32_t retry, isc_uint32_t expire,
-		   isc_uint32_t minimum, unsigned char *buffer,
-		   dns_rdata_t *rdata);
-/*%<
- * Build the rdata of an SOA record.
- *
- * Requires:
- *\li   buffer  Points to a temporary buffer of at least
- *              DNS_SOA_BUFFERSIZE bytes.
- *\li   rdata   Points to an initialized dns_rdata_t.
- *
- * Ensures:
- *  \li    *rdata       Contains a valid SOA rdata.  The 'data' member
- *  			refers to 'buffer'.
- */
-
-isc_uint32_t
-dns_soa_getserial(dns_rdata_t *rdata);
-isc_uint32_t
-dns_soa_getrefresh(dns_rdata_t *rdata);
-isc_uint32_t
-dns_soa_getretry(dns_rdata_t *rdata);
-isc_uint32_t
-dns_soa_getexpire(dns_rdata_t *rdata);
-isc_uint32_t
-dns_soa_getminimum(dns_rdata_t *rdata);
-/*
- * Extract an integer field from the rdata of a SOA record.
- *
- * Requires:
- *	rdata refers to the rdata of a well-formed SOA record.
- */
-
-void
-dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata);
-void
-dns_soa_setrefresh(isc_uint32_t val, dns_rdata_t *rdata);
-void
-dns_soa_setretry(isc_uint32_t val, dns_rdata_t *rdata);
-void
-dns_soa_setexpire(isc_uint32_t val, dns_rdata_t *rdata);
-void
-dns_soa_setminimum(isc_uint32_t val, dns_rdata_t *rdata);
-/*
- * Change an integer field of a SOA record by modifying the
- * rdata in-place.
- *
- * Requires:
- *	rdata refers to the rdata of a well-formed SOA record.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SOA_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ssu.h b/contrib/bind9/lib/dns/include/dns/ssu.h
deleted file mode 100644
index fbe01c3..0000000
--- a/contrib/bind9/lib/dns/include/dns/ssu.h
+++ /dev/null
@@ -1,212 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ssu.h,v 1.28 2011/01/06 23:47:00 tbox Exp $ */
-
-#ifndef DNS_SSU_H
-#define DNS_SSU_H 1
-
-/*! \file dns/ssu.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-#include <dst/dst.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_SSUMATCHTYPE_NAME		0
-#define DNS_SSUMATCHTYPE_SUBDOMAIN	1
-#define DNS_SSUMATCHTYPE_WILDCARD	2
-#define DNS_SSUMATCHTYPE_SELF		3
-#define DNS_SSUMATCHTYPE_SELFSUB	4
-#define DNS_SSUMATCHTYPE_SELFWILD	5
-#define DNS_SSUMATCHTYPE_SELFKRB5	6
-#define DNS_SSUMATCHTYPE_SELFMS		7
-#define DNS_SSUMATCHTYPE_SUBDOMAINMS	8
-#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5	9
-#define DNS_SSUMATCHTYPE_TCPSELF	10
-#define DNS_SSUMATCHTYPE_6TO4SELF	11
-#define DNS_SSUMATCHTYPE_EXTERNAL	12
-#define DNS_SSUMATCHTYPE_DLZ		13
-#define DNS_SSUMATCHTYPE_MAX 		12  /* max value */
-
-isc_result_t
-dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
-/*%<
- *	Creates a table that will be used to store simple-secure-update rules.
- *	Note: all locking must be provided by the client.
- *
- *	Requires:
- *\li		'mctx' is a valid memory context
- *\li		'table' is not NULL, and '*table' is NULL
- *
- *	Returns:
- *\li		ISC_R_SUCCESS
- *\li		ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
-		       dns_dlzdb_t *dlzdatabase);
-/*%<
- * Create an SSU table that contains a dlzdatabase pointer, and a
- * single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU
- * table is used by writeable DLZ drivers to offload authorization for
- * updates to the driver.
- */
-
-void
-dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
-/*%<
- *	Attach '*targetp' to 'source'.
- *
- *	Requires:
- *\li		'source' is a valid SSU table
- *\li		'targetp' points to a NULL dns_ssutable_t *.
- *
- *	Ensures:
- *\li		*targetp is attached to source.
- */
-
-void
-dns_ssutable_detach(dns_ssutable_t **tablep);
-/*%<
- *	Detach '*tablep' from its simple-secure-update rule table.
- *
- *	Requires:
- *\li		'tablep' points to a valid dns_ssutable_t
- *
- *	Ensures:
- *\li		*tablep is NULL
- *\li		If '*tablep' is the last reference to the SSU table, all
- *			resources used by the table will be freed.
- */
-
-isc_result_t
-dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
-		     dns_name_t *identity, unsigned int matchtype,
-		     dns_name_t *name, unsigned int ntypes,
-		     dns_rdatatype_t *types);
-/*%<
- *	Adds a new rule to a simple-secure-update rule table.  The rule
- *	either grants or denies update privileges of an identity (or set of
- *	identities) to modify a name (or set of names) or certain types present
- *	at that name.
- *
- *	Notes:
- *\li		If 'matchtype' is of SELF type, this rule only matches if the
- *              name to be updated matches the signing identity.
- *
- *\li		If 'ntypes' is 0, this rule applies to all types except
- *		NS, SOA, RRSIG, and NSEC.
- *
- *\li		If 'types' includes ANY, this rule applies to all types
- *		except NSEC.
- *
- *	Requires:
- *\li		'table' is a valid SSU table
- *\li		'identity' is a valid absolute name
- *\li		'matchtype' must be one of the defined constants.
- *\li		'name' is a valid absolute name
- *\li		If 'ntypes' > 0, 'types' must not be NULL
- *
- *	Returns:
- *\li		ISC_R_SUCCESS
- *\li		ISC_R_NOMEMORY
- */
-
-isc_boolean_t
-dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
-			dns_name_t *name, isc_netaddr_t *tcpaddr,
-			dns_rdatatype_t type, const dst_key_t *key);
-/*%<
- *	Checks that the attempted update of (name, type) is allowed according
- *	to the rules specified in the simple-secure-update rule table.  If
- *	no rules are matched, access is denied.
- *
- *	Notes:
- *		'tcpaddr' should only be set if the request received
- *		via TCP.  This provides a weak assurance that the
- *		request was not spoofed.  'tcpaddr' is to to validate
- *		DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF
- *		rules.
- *
- *		For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
- *		the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
- *		RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
- *		Section 2.5, "IP6.ARPA Domain".
- *
- *		For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 address are converted
- *		to a 6to4 prefix (48 bits) per the rules in RFC 3056.  Only
- *		the top	48 bits of the IPv6 address are mapped to the reverse
- *		name. This is independent of whether the most significant 16
- *		bits match 2002::/16, assigned for 6to4 prefixes, or not.
- *
- *	Requires:
- *\li		'table' is a valid SSU table
- *\li		'signer' is NULL or a valid absolute name
- *\li		'tcpaddr' is NULL or a valid network address.
- *\li		'name' is a valid absolute name
- */
-
-
-/*% Accessor functions to extract rule components */
-isc_boolean_t	dns_ssurule_isgrant(const dns_ssurule_t *rule);
-/*% Accessor functions to extract rule components */
-dns_name_t *	dns_ssurule_identity(const dns_ssurule_t *rule);
-/*% Accessor functions to extract rule components */
-unsigned int	dns_ssurule_matchtype(const dns_ssurule_t *rule);
-/*% Accessor functions to extract rule components */
-dns_name_t *	dns_ssurule_name(const dns_ssurule_t *rule);
-/*% Accessor functions to extract rule components */
-unsigned int	dns_ssurule_types(const dns_ssurule_t *rule,
-				  dns_rdatatype_t **types);
-
-isc_result_t	dns_ssutable_firstrule(const dns_ssutable_t *table,
-				       dns_ssurule_t **rule);
-/*%<
- * Initiates a rule iterator.  There is no need to maintain any state.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE
- */
-
-isc_result_t	dns_ssutable_nextrule(dns_ssurule_t *rule,
-				      dns_ssurule_t **nextrule);
-/*%<
- * Returns the next rule in the table.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE
- */
-
-
-/*%<
- * Check a policy rule via an external application
- */
-isc_boolean_t
-dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer,
-		       dns_name_t *name, isc_netaddr_t *tcpaddr,
-		       dns_rdatatype_t type, const dst_key_t *key,
-		       isc_mem_t *mctx);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SSU_H */
diff --git a/contrib/bind9/lib/dns/include/dns/stats.h b/contrib/bind9/lib/dns/include/dns/stats.h
deleted file mode 100644
index 5364267..0000000
--- a/contrib/bind9/lib/dns/include/dns/stats.h
+++ /dev/null
@@ -1,376 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef DNS_STATS_H
-#define DNS_STATS_H 1
-
-/*! \file dns/stats.h */
-
-#include <dns/types.h>
-
-/*%
- * Statistics counters.  Used as isc_statscounter_t values.
- */
-enum {
-	/*%
-	 * Resolver statistics counters.
-	 */
-	dns_resstatscounter_queryv4 = 0,
-	dns_resstatscounter_queryv6 = 1,
-	dns_resstatscounter_responsev4 = 2,
-	dns_resstatscounter_responsev6 = 3,
-	dns_resstatscounter_nxdomain = 4,
-	dns_resstatscounter_servfail = 5,
-	dns_resstatscounter_formerr = 6,
-	dns_resstatscounter_othererror = 7,
-	dns_resstatscounter_edns0fail = 8,
-	dns_resstatscounter_mismatch = 9,
-	dns_resstatscounter_truncated = 10,
-	dns_resstatscounter_lame = 11,
-	dns_resstatscounter_retry = 12,
-	dns_resstatscounter_gluefetchv4 = 13,
-	dns_resstatscounter_gluefetchv6 = 14,
-	dns_resstatscounter_gluefetchv4fail = 15,
-	dns_resstatscounter_gluefetchv6fail = 16,
-	dns_resstatscounter_val = 17,
-	dns_resstatscounter_valsuccess = 18,
-	dns_resstatscounter_valnegsuccess = 19,
-	dns_resstatscounter_valfail = 20,
-	dns_resstatscounter_dispabort = 21,
-	dns_resstatscounter_dispsockfail = 22,
-	dns_resstatscounter_querytimeout = 23,
-	dns_resstatscounter_queryrtt0 = 24,
-	dns_resstatscounter_queryrtt1 = 25,
-	dns_resstatscounter_queryrtt2 = 26,
-	dns_resstatscounter_queryrtt3 = 27,
-	dns_resstatscounter_queryrtt4 = 28,
-	dns_resstatscounter_queryrtt5 = 29,
-
-	dns_resstatscounter_max = 30,
-
-	/*
-	 * DNSSEC stats.
-	 */
-	dns_dnssecstats_asis = 0,
-	dns_dnssecstats_downcase = 1,
-	dns_dnssecstats_wildcard = 2,
-	dns_dnssecstats_fail = 3,
-
-	dns_dnssecstats_max = 4,
-
-	/*%
-	 * Zone statistics counters.
-	 */
-	dns_zonestatscounter_notifyoutv4 = 0,
-	dns_zonestatscounter_notifyoutv6 = 1,
-	dns_zonestatscounter_notifyinv4 = 2,
-	dns_zonestatscounter_notifyinv6 = 3,
-	dns_zonestatscounter_notifyrej = 4,
-	dns_zonestatscounter_soaoutv4 = 5,
-	dns_zonestatscounter_soaoutv6 = 6,
-	dns_zonestatscounter_axfrreqv4 = 7,
-	dns_zonestatscounter_axfrreqv6 = 8,
-	dns_zonestatscounter_ixfrreqv4 = 9,
-	dns_zonestatscounter_ixfrreqv6 = 10,
-	dns_zonestatscounter_xfrsuccess = 11,
-	dns_zonestatscounter_xfrfail = 12,
-
-	dns_zonestatscounter_max = 13,
-
-	/*%
-	* Query statistics counters (obsolete).
-	*/
-	dns_statscounter_success = 0,    /*%< Successful lookup */
-	dns_statscounter_referral = 1,   /*%< Referral result */
-	dns_statscounter_nxrrset = 2,    /*%< NXRRSET result */
-	dns_statscounter_nxdomain = 3,   /*%< NXDOMAIN result */
-	dns_statscounter_recursion = 4,  /*%< Recursion was used */
-	dns_statscounter_failure = 5,    /*%< Some other failure */
-	dns_statscounter_duplicate = 6,  /*%< Duplicate query */
-	dns_statscounter_dropped = 7	 /*%< Duplicate query (dropped) */
-};
-
-#define DNS_STATS_NCOUNTERS 8
-
-#if 0
-/*%<
- * Flag(s) for dns_xxxstats_dump().  DNS_STATSDUMP_VERBOSE is obsolete.
- * ISC_STATSDUMP_VERBOSE should be used instead.  These two values are
- * intentionally defined to be the same value to ensure binary compatibility.
- */
-#define DNS_STATSDUMP_VERBOSE	0x00000001 /*%< dump 0-value counters */
-#endif
-
-/*%<
- * (Obsoleted)
- */
-LIBDNS_EXTERNAL_DATA extern const char *dns_statscounter_names[];
-
-/*%
- * Attributes for statistics counters of RRset and Rdatatype types.
- *
- * _OTHERTYPE
- *	The rdata type is not explicitly supported and the corresponding counter
- *	is counted for other such types, too.  When this attribute is set,
- *	the base type is of no use.
- *
- * _NXRRSET
- * 	RRset type counters only.  Indicates the RRset is non existent.
- *
- * _NXDOMAIN
- *	RRset type counters only.  Indicates a non existent name.  When this
- *	attribute is set, the base type is of no use.
- */
-#define DNS_RDATASTATSTYPE_ATTR_OTHERTYPE	0x0001
-#define DNS_RDATASTATSTYPE_ATTR_NXRRSET		0x0002
-#define DNS_RDATASTATSTYPE_ATTR_NXDOMAIN	0x0004
-
-/*%<
- * Conversion macros among dns_rdatatype_t, attributes and isc_statscounter_t.
- */
-#define DNS_RDATASTATSTYPE_BASE(type)	((dns_rdatatype_t)((type) & 0xFFFF))
-#define DNS_RDATASTATSTYPE_ATTR(type)	((type) >> 16)
-#define DNS_RDATASTATSTYPE_VALUE(b, a)	(((a) << 16) | (b))
-
-/*%<
- * Types of dump callbacks.
- */
-typedef void (*dns_generalstats_dumper_t)(isc_statscounter_t, isc_uint64_t,
-					  void *);
-typedef void (*dns_rdatatypestats_dumper_t)(dns_rdatastatstype_t, isc_uint64_t,
-					    void *);
-typedef void (*dns_opcodestats_dumper_t)(dns_opcode_t, isc_uint64_t, void *);
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_generalstats_create(isc_mem_t *mctx, dns_stats_t **statsp, int ncounters);
-/*%<
- * Create a statistics counter structure of general type.  It counts a general
- * set of counters indexed by an ID between 0 and ncounters -1.
- * This function is obsolete.  A more general function, isc_stats_create(),
- * should be used.
- *
- * Requires:
- *\li	'mctx' must be a valid memory context.
- *
- *\li	'statsp' != NULL && '*statsp' == NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS	-- all ok
- *
- *\li	anything else	-- failure
- */
-
-isc_result_t
-dns_rdatatypestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
-/*%<
- * Create a statistics counter structure per rdatatype.
- *
- * Requires:
- *\li	'mctx' must be a valid memory context.
- *
- *\li	'statsp' != NULL && '*statsp' == NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS	-- all ok
- *
- *\li	anything else	-- failure
- */
-
-isc_result_t
-dns_rdatasetstats_create(isc_mem_t *mctx, dns_stats_t **statsp);
-/*%<
- * Create a statistics counter structure per RRset.
- *
- * Requires:
- *\li	'mctx' must be a valid memory context.
- *
- *\li	'statsp' != NULL && '*statsp' == NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS	-- all ok
- *
- *\li	anything else	-- failure
- */
-
-isc_result_t
-dns_opcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
-/*%<
- * Create a statistics counter structure per opcode.
- *
- * Requires:
- *\li	'mctx' must be a valid memory context.
- *
- *\li	'statsp' != NULL && '*statsp' == NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS	-- all ok
- *
- *\li	anything else	-- failure
- */
-
-void
-dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp);
-/*%<
- * Attach to a statistics set.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t.
- *
- *\li	'statsp' != NULL && '*statsp' == NULL
- */
-
-void
-dns_stats_detach(dns_stats_t **statsp);
-/*%<
- * Detaches from the statistics set.
- *
- * Requires:
- *\li	'statsp' != NULL and '*statsp' is a valid dns_stats_t.
- */
-
-void
-dns_generalstats_increment(dns_stats_t *stats, isc_statscounter_t counter);
-/*%<
- * Increment the counter-th counter of stats.  This function is obsolete.
- * A more general function, isc_stats_increment(), should be used.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
- *
- *\li	counter is less than the maximum available ID for the stats specified
- *	on creation.
- */
-
-void
-dns_rdatatypestats_increment(dns_stats_t *stats, dns_rdatatype_t type);
-/*%<
- * Increment the statistics counter for 'type'.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t created by dns_rdatatypestats_create().
- */
-
-void
-dns_rdatasetstats_increment(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
-/*%<
- * Increment the statistics counter for 'rrsettype'.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
- */
-
-void
-dns_rdatasetstats_decrement(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
-/*%<
- * Decrement the statistics counter for 'rrsettype'.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
- */
-
-void
-dns_opcodestats_increment(dns_stats_t *stats, dns_opcode_t code);
-/*%<
- * Increment the statistics counter for 'code'.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t created by dns_opcodestats_create().
- */
-
-void
-dns_generalstats_dump(dns_stats_t *stats, dns_generalstats_dumper_t dump_fn,
-		      void *arg, unsigned int options);
-/*%<
- * Dump the current statistics counters in a specified way.  For each counter
- * in stats, dump_fn is called with its current value and the given argument
- * arg.  By default counters that have a value of 0 is skipped; if options has
- * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
- *
- * This function is obsolete.  A more general function, isc_stats_dump(),
- * should be used.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
- */
-
-void
-dns_rdatatypestats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
-			void *arg, unsigned int options);
-/*%<
- * Dump the current statistics counters in a specified way.  For each counter
- * in stats, dump_fn is called with the corresponding type in the form of
- * dns_rdatastatstype_t, the current counter value and the given argument
- * arg.  By default counters that have a value of 0 is skipped; if options has
- * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
- */
-
-void
-dns_rdatasetstats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
-		       void *arg, unsigned int options);
-/*%<
- * Dump the current statistics counters in a specified way.  For each counter
- * in stats, dump_fn is called with the corresponding type in the form of
- * dns_rdatastatstype_t, the current counter value and the given argument
- * arg.  By default counters that have a value of 0 is skipped; if options has
- * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
- */
-
-void
-dns_opcodestats_dump(dns_stats_t *stats, dns_opcodestats_dumper_t dump_fn,
-		     void *arg, unsigned int options);
-/*%<
- * Dump the current statistics counters in a specified way.  For each counter
- * in stats, dump_fn is called with the corresponding opcode, the current
- * counter value and the given argument arg.  By default counters that have a
- * value of 0 is skipped; if options has the ISC_STATSDUMP_VERBOSE flag, even
- * such counters are dumped.
- *
- * Requires:
- *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
- */
-
-isc_result_t
-dns_stats_alloccounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
-/*%<
- * Allocate an array of query statistics counters from the memory
- * context 'mctx'.
- *
- * This function is obsoleted.  Use dns_xxxstats_create() instead.
- */
-
-void
-dns_stats_freecounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
-/*%<
- * Free an array of query statistics counters allocated from the memory
- * context 'mctx'.
- *
- * This function is obsoleted.  Use dns_stats_destroy() instead.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_STATS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/tcpmsg.h b/contrib/bind9/lib/dns/include/dns/tcpmsg.h
deleted file mode 100644
index fe83c53..0000000
--- a/contrib/bind9/lib/dns/include/dns/tcpmsg.h
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tcpmsg.h,v 1.22 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_TCPMSG_H
-#define DNS_TCPMSG_H 1
-
-/*! \file dns/tcpmsg.h */
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-#include <isc/socket.h>
-
-typedef struct dns_tcpmsg {
-	/* private (don't touch!) */
-	unsigned int		magic;
-	isc_uint16_t		size;
-	isc_buffer_t		buffer;
-	unsigned int		maxsize;
-	isc_mem_t	       *mctx;
-	isc_socket_t	       *sock;
-	isc_task_t	       *task;
-	isc_taskaction_t	action;
-	void		       *arg;
-	isc_event_t		event;
-	/* public (read-only) */
-	isc_result_t		result;
-	isc_sockaddr_t		address;
-} dns_tcpmsg_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg);
-/*%<
- * Associate a tcp message state with a given memory context and
- * TCP socket.
- *
- * Requires:
- *
- *\li	"mctx" and "sock" be non-NULL and valid types.
- *
- *\li	"sock" be a read/write TCP socket.
- *
- *\li	"tcpmsg" be non-NULL and an uninitialized or invalidated structure.
- *
- * Ensures:
- *
- *\li	"tcpmsg" is a valid structure.
- */
-
-void
-dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize);
-/*%<
- * Set the maximum packet size to "maxsize"
- *
- * Requires:
- *
- *\li	"tcpmsg" be valid.
- *
- *\li	512 <= "maxsize" <= 65536
- */
-
-isc_result_t
-dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
-		       isc_task_t *task, isc_taskaction_t action, void *arg);
-/*%<
- * Schedule an event to be delivered when a DNS message is readable, or
- * when an error occurs on the socket.
- *
- * Requires:
- *
- *\li	"tcpmsg" be valid.
- *
- *\li	"task", "taskaction", and "arg" be valid.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS		-- no error
- *\li	Anything that the isc_socket_recv() call can return.  XXXMLG
- *
- * Notes:
- *
- *\li	The event delivered is a fully generic event.  It will contain no
- *	actual data.  The sender will be a pointer to the dns_tcpmsg_t.
- *	The result code inside that structure should be checked to see
- *	what the final result was.
- */
-
-void
-dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg);
-/*%<
- * Cancel a readmessage() call.  The event will still be posted with a
- * CANCELED result code.
- *
- * Requires:
- *
- *\li	"tcpmsg" be valid.
- */
-
-void
-dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer);
-/*%<
- * If a dns buffer is to be kept between calls, this function marks the
- * internal state-machine buffer as invalid, and copies all the contents
- * of the state into "buffer".
- *
- * Requires:
- *
- *\li	"tcpmsg" be valid.
- *
- *\li	"buffer" be non-NULL.
- */
-
-void
-dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg);
-/*%<
- * Clean up all allocated state, and invalidate the structure.
- *
- * Requires:
- *
- *\li	"tcpmsg" be valid.
- *
- * Ensures:
- *
- *\li	"tcpmsg" is invalidated and disassociated with all memory contexts,
- *	sockets, etc.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TCPMSG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/time.h b/contrib/bind9/lib/dns/include/dns/time.h
deleted file mode 100644
index 6a59c8a..0000000
--- a/contrib/bind9/lib/dns/include/dns/time.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: time.h,v 1.19 2012/01/27 23:46:58 tbox Exp $ */
-
-#ifndef DNS_TIME_H
-#define DNS_TIME_H 1
-
-/*! \file dns/time.h */
-
-/***
- ***	Imports
- ***/
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- ***	Functions
- ***/
-
-isc_result_t
-dns_time64_fromtext(const char *source, isc_int64_t *target);
-/*%<
- * Convert a date and time in YYYYMMDDHHMMSS text format at 'source'
- * into to a 64-bit count of seconds since Jan 1 1970 0:00 GMT.
- * Store the count at 'target'.
- */
-
-isc_result_t
-dns_time32_fromtext(const char *source, isc_uint32_t *target);
-/*%<
- * Like dns_time64_fromtext, but returns the second count modulo 2^32
- * as per RFC2535.
- */
-
-
-isc_result_t
-dns_time64_totext(isc_int64_t value, isc_buffer_t *target);
-/*%<
- * Convert a 64-bit count of seconds since Jan 1 1970 0:00 GMT into
- * a YYYYMMDDHHMMSS text representation and append it to 'target'.
- */
-
-isc_result_t
-dns_time32_totext(isc_uint32_t value, isc_buffer_t *target);
-/*%<
- * Like dns_time64_totext, but for a 32-bit cyclic time value.
- * Of those dates whose counts of seconds since Jan 1 1970 0:00 GMT
- * are congruent with 'value' modulo 2^32, the one closest to the
- * current date is chosen.
- */
-
-isc_int64_t
-dns_time64_from32(isc_uint32_t value);
-/*%<
- * Covert a 32-bit cyclic time value into a 64 bit time stamp.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TIME_H */
diff --git a/contrib/bind9/lib/dns/include/dns/timer.h b/contrib/bind9/lib/dns/include/dns/timer.h
deleted file mode 100644
index 48d6d56..0000000
--- a/contrib/bind9/lib/dns/include/dns/timer.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_TIMER_H
-#define DNS_TIMER_H 1
-
-/*! \file dns/timer.h */
-
-/***
- ***	Imports
- ***/
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- ***	Functions
- ***/
-
-isc_result_t
-dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
-		  unsigned int idletime, isc_boolean_t purge);
-/*%<
- * Convenience function for setting up simple, one-second-granularity
- * idle timers as used by zone transfers.
- * \brief
- * Set the timer 'timer' to go off after 'idletime' seconds of inactivity,
- * or after 'maxtime' at the very latest.  Events are purged iff
- * 'purge' is ISC_TRUE.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TIMER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/tkey.h b/contrib/bind9/lib/dns/include/dns/tkey.h
deleted file mode 100644
index 0dcec1e..0000000
--- a/contrib/bind9/lib/dns/include/dns/tkey.h
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tkey.h,v 1.32 2011/01/08 23:47:01 tbox Exp $ */
-
-#ifndef DNS_TKEY_H
-#define DNS_TKEY_H 1
-
-/*! \file dns/tkey.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-#include <dst/dst.h>
-#include <dst/gssapi.h>
-
-ISC_LANG_BEGINDECLS
-
-/* Key agreement modes */
-#define DNS_TKEYMODE_SERVERASSIGNED		1
-#define DNS_TKEYMODE_DIFFIEHELLMAN		2
-#define DNS_TKEYMODE_GSSAPI			3
-#define DNS_TKEYMODE_RESOLVERASSIGNED		4
-#define DNS_TKEYMODE_DELETE			5
-
-struct dns_tkeyctx {
-	dst_key_t *dhkey;
-	dns_name_t *domain;
-	gss_cred_id_t gsscred;
-	isc_mem_t *mctx;
-	isc_entropy_t *ectx;
-	char *gssapi_keytab;
-};
-
-isc_result_t
-dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx,
-		   dns_tkeyctx_t **tctxp);
-/*%<
- *	Create an empty TKEY context.
- *
- * 	Requires:
- *\li		'mctx' is not NULL
- *\li		'tctx' is not NULL
- *\li		'*tctx' is NULL
- *
- *	Returns
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- *\li		return codes from dns_name_fromtext()
- */
-
-void
-dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp);
-/*%<
- *      Frees all data associated with the TKEY context
- *
- * 	Requires:
- *\li		'tctx' is not NULL
- *\li		'*tctx' is not NULL
- */
-
-isc_result_t
-dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
-		      dns_tsig_keyring_t *ring);
-/*%<
- *	Processes a query containing a TKEY record, adding or deleting TSIG
- *	keys if necessary, and modifies the message to contain the response.
- *
- *	Requires:
- *\li		'msg' is a valid message
- *\li		'tctx' is a valid TKEY context
- *\li		'ring' is a valid TSIG keyring
- *
- *	Returns
- *\li		#ISC_R_SUCCESS	msg was updated (the TKEY operation succeeded,
- *				or msg now includes a TKEY with an error set)
- *		DNS_R_FORMERR	the packet was malformed (missing a TKEY
- *				or KEY).
- *\li		other		An error occurred while processing the message
- */
-
-isc_result_t
-dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
-		      dns_name_t *algorithm, isc_buffer_t *nonce,
-		      isc_uint32_t lifetime);
-/*%<
- *	Builds a query containing a TKEY that will generate a shared
- *	secret using a Diffie-Hellman key exchange.  The shared key
- *	will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
- *	is supported), and will be named either 'name',
- *	'name' + server chosen domain, or random data + server chosen domain
- *	if 'name' == dns_rootname.  If nonce is not NULL, it supplies
- *	random data used in the shared secret computation.  The key is
- *	requested to have the specified lifetime (in seconds)
- *
- *
- *	Requires:
- *\li		'msg' is a valid message
- *\li		'key' is a valid Diffie Hellman dst key
- *\li		'name' is a valid name
- *\li		'algorithm' is a valid name
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS	msg was successfully updated to include the
- *				query to be sent
- *\li		other		an error occurred while building the message
- */
-
-isc_result_t
-dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
-		       isc_buffer_t *intoken, isc_uint32_t lifetime,
-		       gss_ctx_id_t *context, isc_boolean_t win2k,
-		       isc_mem_t *mctx, char **err_message);
-/*%<
- *	Builds a query containing a TKEY that will generate a GSSAPI context.
- *	The key is requested to have the specified lifetime (in seconds).
- *
- *	Requires:
- *\li		'msg'	  is a valid message
- *\li		'name'	  is a valid name
- *\li		'gname'	  is a valid name
- *\li		'context' is a pointer to a valid gss_ctx_id_t
- *			  (which may have the value GSS_C_NO_CONTEXT)
- *\li		'win2k'   when true says to turn on some hacks to work
- *			  with the non-standard GSS-TSIG of Windows 2000
- *
- *	Returns:
- *\li		ISC_R_SUCCESS	msg was successfully updated to include the
- *				query to be sent
- *\li		other		an error occurred while building the message
- *\li		*err_message	optional error message
- */
-
-
-isc_result_t
-dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
-/*%<
- *	Builds a query containing a TKEY record that will delete the
- *	specified shared secret from the server.
- *
- *	Requires:
- *\li		'msg' is a valid message
- *\li		'key' is a valid TSIG key
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS	msg was successfully updated to include the
- *				query to be sent
- *\li		other		an error occurred while building the message
- */
-
-isc_result_t
-dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			   dst_key_t *key, isc_buffer_t *nonce,
-			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
-/*%<
- *	Processes a response to a query containing a TKEY that was
- *	designed to generate a shared secret using a Diffie-Hellman key
- *	exchange.  If the query was successful, a new shared key
- *	is created and added to the list of shared keys.
- *
- *	Requires:
- *\li		'qmsg' is a valid message (the query)
- *\li		'rmsg' is a valid message (the response)
- *\li		'key' is a valid Diffie Hellman dst key
- *\li		'outkey' is either NULL or a pointer to NULL
- *\li		'ring' is a valid keyring or NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS	the shared key was successfully added
- *\li		#ISC_R_NOTFOUND	an error occurred while looking for a
- *				component of the query or response
- */
-
-isc_result_t
-dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			    dns_name_t *gname, gss_ctx_id_t *context,
-			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
-			    dns_tsig_keyring_t *ring, char **err_message);
-/*%<
- * XXX
- */
-
-isc_result_t
-dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			       dns_tsig_keyring_t *ring);
-/*%<
- *	Processes a response to a query containing a TKEY that was
- *	designed to delete a shared secret.  If the query was successful,
- *	the shared key is deleted from the list of shared keys.
- *
- *	Requires:
- *\li		'qmsg' is a valid message (the query)
- *\li		'rmsg' is a valid message (the response)
- *\li		'ring' is not NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS	the shared key was successfully deleted
- *\li		#ISC_R_NOTFOUND	an error occurred while looking for a
- *				component of the query or response
- */
-
-isc_result_t
-dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
-		      dns_name_t *server, gss_ctx_id_t *context,
-		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
-		      isc_boolean_t win2k, char **err_message);
-
-/*
- *	Client side negotiation of GSS-TSIG.  Process the response
- *	to a TKEY, and establish a TSIG key if negotiation was successful.
- *	Build a response to the input TKEY message.  Can take multiple
- *	calls to successfully establish the context.
- *
- *	Requires:
- *		'qmsg'    is a valid message, the original TKEY request;
- *			     it will be filled with the new message to send
- *		'rmsg'    is a valid message, the incoming TKEY message
- *		'server'  is the server name
- *		'context' is the input context handle
- *		'outkey'  receives the established key, if non-NULL;
- *			      if non-NULL must point to NULL
- *		'ring'	  is the keyring in which to establish the key,
- *			      or NULL
- *		'win2k'   when true says to turn on some hacks to work
- *			      with the non-standard GSS-TSIG of Windows 2000
- *
- *	Returns:
- *		ISC_R_SUCCESS	context was successfully established
- *		ISC_R_NOTFOUND  couldn't find a needed part of the query
- *					or response
- *		DNS_R_CONTINUE  additional context negotiation is required;
- *					send the new qmsg to the server
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TKEY_H */
diff --git a/contrib/bind9/lib/dns/include/dns/tsec.h b/contrib/bind9/lib/dns/include/dns/tsec.h
deleted file mode 100644
index 4f31c3e..0000000
--- a/contrib/bind9/lib/dns/include/dns/tsec.h
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (C) 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsec.h,v 1.6 2010/12/09 00:54:34 marka Exp $ */
-
-#ifndef DNS_TSEC_H
-#define DNS_TSEC_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- *
- * \brief
- * The TSEC (Transaction Security) module is an abstraction layer for managing
- * DNS transaction mechanisms such as TSIG or SIG(0).  A TSEC structure is a
- * mechanism-independent object containing key information specific to the
- * mechanism, and is expected to be used as an argument to other modules
- * that use transaction security in a mechanism-independent manner.
- *
- * MP:
- *\li	A TSEC structure is expected to be thread-specific.  No inter-thread
- *	synchronization is ensured in multiple access to a single TSEC
- *	structure.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	This module does not handle any low-level data directly, and so no
- *	security issue specific to this module is anticipated.
- */
-
-#include <dns/types.h>
-
-#include <dst/dst.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-/*%
- * Transaction security types.
- */
-typedef enum {
-	dns_tsectype_none,
-	dns_tsectype_tsig,
-	dns_tsectype_sig0
-} dns_tsectype_t;
-
-isc_result_t
-dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
-		dns_tsec_t **tsecp);
-/*%<
- * Create a TSEC structure and stores a type-dependent key structure in it.
- * For a TSIG key (type is dns_tsectype_tsig), dns_tsec_create() creates a
- * TSIG key structure from '*key' and keeps it in the structure.  For other
- * types, this function simply retains '*key' in the structure.  In either
- * case, the ownership of '*key' is transferred to the TSEC module; the caller
- * must not modify or destroy it after the call to dns_tsec_create().
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	'type' is a valid value of dns_tsectype_t (see above).
- *
- *\li	'key' is a valid key.
- *
- *\li	tsecp != NULL && *tsecp == NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				On success.
- *
- *\li	Anything else				Failure.
- */
-
-void
-dns_tsec_destroy(dns_tsec_t **tsecp);
-/*%<
- * Destroy the TSEC structure.  The stored key is also detached or destroyed.
- *
- * Requires
- *
- *\li	'*tsecp' is a valid TSEC structure.
- *
- * Ensures
- *
- *\li	*tsecp == NULL.
- *
- */
-
-dns_tsectype_t
-dns_tsec_gettype(dns_tsec_t *tsec);
-/*%<
- * Return the TSEC type of '*tsec'.
- *
- * Requires
- *
- *\li	'tsec' is a valid TSEC structure.
- *
- */
-
-void
-dns_tsec_getkey(dns_tsec_t *tsec, void *keyp);
-/*%<
- * Return the TSEC key of '*tsec' in '*keyp'.
- *
- * Requires
- *
- *\li	keyp != NULL
- *
- * Ensures
- *
- *\li	*tsecp points to a valid key structure depending on the TSEC type.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TSEC_H */
diff --git a/contrib/bind9/lib/dns/include/dns/tsig.h b/contrib/bind9/lib/dns/include/dns/tsig.h
deleted file mode 100644
index 0422414..0000000
--- a/contrib/bind9/lib/dns/include/dns/tsig.h
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsig.h,v 1.59 2011/01/11 23:47:13 tbox Exp $ */
-
-#ifndef DNS_TSIG_H
-#define DNS_TSIG_H 1
-
-/*! \file dns/tsig.h */
-
-#include <isc/lang.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/stdio.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-#include <dns/name.h>
-
-#include <dst/dst.h>
-
-/*
- * Algorithms.
- */
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacmd5_name;
-#define DNS_TSIG_HMACMD5_NAME		dns_tsig_hmacmd5_name
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapi_name;
-#define DNS_TSIG_GSSAPI_NAME		dns_tsig_gssapi_name
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapims_name;
-#define DNS_TSIG_GSSAPIMS_NAME		dns_tsig_gssapims_name
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha1_name;
-#define DNS_TSIG_HMACSHA1_NAME		dns_tsig_hmacsha1_name
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha224_name;
-#define DNS_TSIG_HMACSHA224_NAME	dns_tsig_hmacsha224_name
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha256_name;
-#define DNS_TSIG_HMACSHA256_NAME	dns_tsig_hmacsha256_name
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha384_name;
-#define DNS_TSIG_HMACSHA384_NAME	dns_tsig_hmacsha384_name
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha512_name;
-#define DNS_TSIG_HMACSHA512_NAME	dns_tsig_hmacsha512_name
-
-/*%
- * Default fudge value.
- */
-#define DNS_TSIG_FUDGE			300
-
-struct dns_tsig_keyring {
-	dns_rbt_t *keys;
-	unsigned int writecount;
-	isc_rwlock_t lock;
-	isc_mem_t *mctx;
-	/*
-	 * LRU list of generated key along with a count of the keys on the
-	 * list and a maximum size.
-	 */
-	unsigned int generated;
-	unsigned int maxgenerated;
-	ISC_LIST(dns_tsigkey_t) lru;
-	unsigned int references;
-};
-
-struct dns_tsigkey {
-	/* Unlocked */
-	unsigned int		magic;		/*%< Magic number. */
-	isc_mem_t		*mctx;
-	dst_key_t		*key;		/*%< Key */
-	dns_name_t		name;		/*%< Key name */
-	dns_name_t		*algorithm;	/*%< Algorithm name */
-	dns_name_t		*creator;	/*%< name that created secret */
-	isc_boolean_t		generated;	/*%< was this generated? */
-	isc_stdtime_t		inception;	/*%< start of validity period */
-	isc_stdtime_t		expire;		/*%< end of validity period */
-	dns_tsig_keyring_t	*ring;		/*%< the enclosing keyring */
-	isc_refcount_t		refs;		/*%< reference counter */
-	ISC_LINK(dns_tsigkey_t) link;
-};
-
-#define dns_tsigkey_identity(tsigkey) \
-	((tsigkey) == NULL ? NULL : \
-	 (tsigkey)->generated ? ((tsigkey)->creator) : \
-	 (&((tsigkey)->name)))
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
-		   unsigned char *secret, int length, isc_boolean_t generated,
-		   dns_name_t *creator, isc_stdtime_t inception,
-		   isc_stdtime_t expire, isc_mem_t *mctx,
-		   dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
-
-isc_result_t
-dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
-			  dst_key_t *dstkey, isc_boolean_t generated,
-			  dns_name_t *creator, isc_stdtime_t inception,
-			  isc_stdtime_t expire, isc_mem_t *mctx,
-			  dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
-/*%<
- *	Creates a tsig key structure and saves it in the keyring.  If key is
- *	not NULL, *key will contain a copy of the key.  The keys validity
- *	period is specified by (inception, expire), and will not expire if
- *	inception == expire.  If the key was generated, the creating identity,
- *	if there is one, should be in the creator parameter.  Specifying an
- *	unimplemented algorithm will cause failure only if dstkey != NULL; this
- *	allows a transient key with an invalid algorithm to exist long enough
- *	to generate a BADKEY response.
- *
- *	If dns_tsigkey_createfromkey is successful a new reference to 'dstkey'
- *	will have been made.
- *
- *	Requires:
- *\li		'name' is a valid dns_name_t
- *\li		'algorithm' is a valid dns_name_t
- *\li		'secret' is a valid pointer
- *\li		'length' is an integer >= 0
- *\li		'dstkey' is a valid dst key or NULL
- *\li		'creator' points to a valid dns_name_t or is NULL
- *\li		'mctx' is a valid memory context
- *\li		'ring' is a valid TSIG keyring or NULL
- *\li		'key' or '*key' must be NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_EXISTS - a key with this name already exists
- *\li		#ISC_R_NOTIMPLEMENTED - algorithm is not implemented
- *\li		#ISC_R_NOMEMORY
- */
-
-void
-dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp);
-/*%<
- *	Attach '*targetp' to 'source'.
- *
- *	Requires:
- *\li		'key' is a valid TSIG key
- *
- *	Ensures:
- *\li		*targetp is attached to source.
- */
-
-void
-dns_tsigkey_detach(dns_tsigkey_t **keyp);
-/*%<
- *	Detaches from the tsig key structure pointed to by '*key'.
- *
- *	Requires:
- *\li		'keyp' is not NULL and '*keyp' is a valid TSIG key
- *
- *	Ensures:
- *\li		'keyp' points to NULL
- */
-
-void
-dns_tsigkey_setdeleted(dns_tsigkey_t *key);
-/*%<
- *	Prevents this key from being used again.  It will be deleted when
- *	no references exist.
- *
- *	Requires:
- *\li		'key' is a valid TSIG key on a keyring
- */
-
-isc_result_t
-dns_tsig_sign(dns_message_t *msg);
-/*%<
- *	Generates a TSIG record for this message
- *
- *	Requires:
- *\li		'msg' is a valid message
- *\li		'msg->tsigkey' is a valid TSIG key
- *\li		'msg->tsig' is NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- *\li		#ISC_R_NOSPACE
- *\li		#DNS_R_EXPECTEDTSIG
- *			- this is a response & msg->querytsig is NULL
- */
-
-isc_result_t
-dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
-		dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2);
-/*%<
- *	Verifies the TSIG record in this message
- *
- *	Requires:
- *\li		'source' is a valid buffer containing the unparsed message
- *\li		'msg' is a valid message
- *\li		'msg->tsigkey' is a valid TSIG key if this is a response
- *\li		'msg->tsig' is NULL
- *\li		'msg->querytsig' is not NULL if this is a response
- *\li		'ring1' and 'ring2' are each either a valid keyring or NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- *\li		#DNS_R_EXPECTEDTSIG - A TSIG was expected but not seen
- *\li		#DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
- *\li		#DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
- *				     and this is a query
- *\li		#DNS_R_CLOCKSKEW - the TSIG failed to verify because of
- *				  the time was out of the allowed range.
- *\li		#DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
- *\li		#DNS_R_EXPECTEDRESPONSE - the message was set over TCP and
- *					 should have been a response,
- *					 but was not.
- */
-
-isc_result_t
-dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
-		 dns_name_t *algorithm, dns_tsig_keyring_t *ring);
-/*%<
- *	Returns the TSIG key corresponding to this name and (possibly)
- *	algorithm.  Also increments the key's reference counter.
- *
- *	Requires:
- *\li		'tsigkey' is not NULL
- *\li		'*tsigkey' is NULL
- *\li		'name' is a valid dns_name_t
- *\li		'algorithm' is a valid dns_name_t or NULL
- *\li		'ring' is a valid keyring
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOTFOUND
- */
-
-
-isc_result_t
-dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
-/*%<
- *	Create an empty TSIG key ring.
- *
- *	Requires:
- *\li		'mctx' is not NULL
- *\li		'ringp' is not NULL, and '*ringp' is NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
-		    dns_tsigkey_t *tkey);
-/*%<
- *      Place a TSIG key onto a key ring.
- *
- *	Requires:
- *\li		'ring', 'name' and 'tkey' are not NULL
- *
- *	Returns:
- *\li		#ISC_R_SUCCESS
- *\li		Any other value indicates failure.
- */
-
-
-void
-dns_tsigkeyring_attach(dns_tsig_keyring_t *source, dns_tsig_keyring_t **target);
-
-void
-dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp);
-
-isc_result_t
-dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp);
-
-/*%<
- *	Destroy a TSIG key ring.
- *
- *	Requires:
- *\li		'ringp' is not NULL
- */
-
-void
-dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TSIG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ttl.h b/contrib/bind9/lib/dns/include/dns/ttl.h
deleted file mode 100644
index c252518..0000000
--- a/contrib/bind9/lib/dns/include/dns/ttl.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ttl.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_TTL_H
-#define DNS_TTL_H 1
-
-/*! \file dns/ttl.h */
-
-/***
- ***	Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- ***	Functions
- ***/
-
-isc_result_t
-dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose,
-	       isc_buffer_t *target);
-/*%<
- * Output a TTL or other time interval in a human-readable form.
- * The time interval is given as a count of seconds in 'src'.
- * The text representation is appended to 'target'.
- *
- * If 'verbose' is ISC_FALSE, use the terse BIND 8 style, like "1w2d3h4m5s".
- *
- * If 'verbose' is ISC_TRUE, use a verbose style like the SOA comments
- * in "dig", like "1 week 2 days 3 hours 4 minutes 5 seconds".
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOSPACE
- */
-
-isc_result_t
-dns_counter_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
-/*%<
- * Converts a counter from either a plain number or a BIND 8 style value.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	DNS_R_SYNTAX
- */
-
-isc_result_t
-dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
-/*%<
- * Converts a ttl from either a plain number or a BIND 8 style value.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	DNS_R_BADTTL
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TTL_H */
diff --git a/contrib/bind9/lib/dns/include/dns/types.h b/contrib/bind9/lib/dns/include/dns/types.h
deleted file mode 100644
index 76167c2..0000000
--- a/contrib/bind9/lib/dns/include/dns/types.h
+++ /dev/null
@@ -1,399 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef DNS_TYPES_H
-#define DNS_TYPES_H 1
-
-/*! \file dns/types.h
- * \brief
- * Including this file gives you type declarations suitable for use in
- * .h files, which lets us avoid circular type reference problems.
- * \brief
- * To actually use a type or get declarations of its methods, you must
- * include the appropriate .h file too.
- */
-
-#include <isc/types.h>
-
-typedef struct dns_acache			dns_acache_t;
-typedef struct dns_acacheentry			dns_acacheentry_t;
-typedef struct dns_acachestats			dns_acachestats_t;
-typedef struct dns_acl 				dns_acl_t;
-typedef struct dns_aclelement 			dns_aclelement_t;
-typedef struct dns_aclenv			dns_aclenv_t;
-typedef struct dns_adb				dns_adb_t;
-typedef struct dns_adbaddrinfo			dns_adbaddrinfo_t;
-typedef ISC_LIST(dns_adbaddrinfo_t)		dns_adbaddrinfolist_t;
-typedef struct dns_adbentry			dns_adbentry_t;
-typedef struct dns_adbfind			dns_adbfind_t;
-typedef ISC_LIST(dns_adbfind_t)			dns_adbfindlist_t;
-typedef struct dns_byaddr			dns_byaddr_t;
-typedef struct dns_client			dns_client_t;
-typedef void					dns_clientrestrans_t;
-typedef void					dns_clientreqtrans_t;
-typedef void					dns_clientupdatetrans_t;
-typedef struct dns_cache			dns_cache_t;
-typedef isc_uint16_t				dns_cert_t;
-typedef struct dns_compress			dns_compress_t;
-typedef struct dns_db				dns_db_t;
-typedef struct dns_dbimplementation		dns_dbimplementation_t;
-typedef struct dns_dbiterator			dns_dbiterator_t;
-typedef void					dns_dbload_t;
-typedef void					dns_dbnode_t;
-typedef struct dns_dbtable			dns_dbtable_t;
-typedef void					dns_dbversion_t;
-typedef struct dns_dlzimplementation		dns_dlzimplementation_t;
-typedef struct dns_dlzdb			dns_dlzdb_t;
-typedef struct dns_sdlzimplementation		dns_sdlzimplementation_t;
-typedef struct dns_decompress			dns_decompress_t;
-typedef struct dns_dispatch			dns_dispatch_t;
-typedef struct dns_dispatchevent		dns_dispatchevent_t;
-typedef struct dns_dispatchlist			dns_dispatchlist_t;
-typedef struct dns_dispatchset			dns_dispatchset_t;
-typedef struct dns_dispatchmgr			dns_dispatchmgr_t;
-typedef struct dns_dispentry			dns_dispentry_t;
-typedef struct dns_dns64			dns_dns64_t;
-typedef ISC_LIST(dns_dns64_t)			dns_dns64list_t;
-typedef struct dns_dnsseckey			dns_dnsseckey_t;
-typedef ISC_LIST(dns_dnsseckey_t)		dns_dnsseckeylist_t;
-typedef struct dns_dumpctx			dns_dumpctx_t;
-typedef struct dns_ednsopt			dns_ednsopt_t;
-typedef struct dns_fetch			dns_fetch_t;
-typedef struct dns_fixedname			dns_fixedname_t;
-typedef struct dns_forwarders			dns_forwarders_t;
-typedef struct dns_fwdtable			dns_fwdtable_t;
-typedef struct dns_iptable			dns_iptable_t;
-typedef isc_uint32_t				dns_iterations_t;
-typedef isc_uint16_t				dns_keyflags_t;
-typedef struct dns_keynode			dns_keynode_t;
-typedef ISC_LIST(dns_keynode_t)			dns_keynodelist_t;
-typedef struct dns_keytable			dns_keytable_t;
-typedef isc_uint16_t				dns_keytag_t;
-typedef struct dns_loadctx			dns_loadctx_t;
-typedef struct dns_loadmgr			dns_loadmgr_t;
-typedef struct dns_masterrawheader		dns_masterrawheader_t;
-typedef struct dns_message			dns_message_t;
-typedef isc_uint16_t				dns_messageid_t;
-typedef isc_region_t				dns_label_t;
-typedef struct dns_lookup			dns_lookup_t;
-typedef struct dns_name				dns_name_t;
-typedef ISC_LIST(dns_name_t)			dns_namelist_t;
-typedef isc_uint16_t				dns_opcode_t;
-typedef unsigned char				dns_offsets_t[128];
-typedef struct dns_order			dns_order_t;
-typedef struct dns_peer				dns_peer_t;
-typedef struct dns_peerlist			dns_peerlist_t;
-typedef struct dns_portlist			dns_portlist_t;
-typedef struct dns_rbt				dns_rbt_t;
-typedef isc_uint16_t				dns_rcode_t;
-typedef struct dns_rdata			dns_rdata_t;
-typedef struct dns_rdatacallbacks		dns_rdatacallbacks_t;
-typedef isc_uint16_t				dns_rdataclass_t;
-typedef struct dns_rdatalist			dns_rdatalist_t;
-typedef struct dns_rdataset			dns_rdataset_t;
-typedef ISC_LIST(dns_rdataset_t)		dns_rdatasetlist_t;
-typedef struct dns_rdatasetiter			dns_rdatasetiter_t;
-typedef isc_uint16_t				dns_rdatatype_t;
-typedef struct dns_request			dns_request_t;
-typedef struct dns_requestmgr			dns_requestmgr_t;
-typedef struct dns_resolver			dns_resolver_t;
-typedef struct dns_sdbimplementation		dns_sdbimplementation_t;
-typedef isc_uint8_t				dns_secalg_t;
-typedef isc_uint8_t				dns_secproto_t;
-typedef struct dns_signature			dns_signature_t;
-typedef struct dns_ssurule			dns_ssurule_t;
-typedef struct dns_ssutable			dns_ssutable_t;
-typedef struct dns_stats			dns_stats_t;
-typedef isc_uint32_t				dns_rdatastatstype_t;
-typedef struct dns_tkeyctx			dns_tkeyctx_t;
-typedef isc_uint16_t				dns_trust_t;
-typedef struct dns_tsec				dns_tsec_t;
-typedef struct dns_tsig_keyring			dns_tsig_keyring_t;
-typedef struct dns_tsigkey			dns_tsigkey_t;
-typedef isc_uint32_t				dns_ttl_t;
-typedef struct dns_validator			dns_validator_t;
-typedef struct dns_view				dns_view_t;
-typedef ISC_LIST(dns_view_t)			dns_viewlist_t;
-typedef struct dns_zone				dns_zone_t;
-typedef ISC_LIST(dns_zone_t)			dns_zonelist_t;
-typedef struct dns_zonemgr			dns_zonemgr_t;
-typedef struct dns_zt				dns_zt_t;
-
-/*
- * If we are not using GSSAPI, define the types we use as opaque types here.
- */
-#ifndef GSSAPI
-typedef struct not_defined_gss_cred_id *gss_cred_id_t;
-typedef struct not_defined_gss_ctx *gss_ctx_id_t;
-#endif
-typedef struct dst_gssapi_signverifyctx dst_gssapi_signverifyctx_t;
-
-typedef enum {
-	dns_hash_sha1 = 1
-} dns_hash_t;
-
-typedef enum {
-	dns_fwdpolicy_none = 0,
-	dns_fwdpolicy_first = 1,
-	dns_fwdpolicy_only = 2
-} dns_fwdpolicy_t;
-
-typedef enum {
-	dns_namereln_none = 0,
-	dns_namereln_contains = 1,
-	dns_namereln_subdomain = 2,
-	dns_namereln_equal = 3,
-	dns_namereln_commonancestor = 4
-} dns_namereln_t;
-
-typedef enum {
-	dns_one_answer, dns_many_answers
-} dns_transfer_format_t;
-
-typedef enum {
-	dns_dbtype_zone = 0, dns_dbtype_cache = 1, dns_dbtype_stub = 3
-} dns_dbtype_t;
-
-typedef enum {
-	dns_notifytype_no = 0,
-	dns_notifytype_yes = 1,
-	dns_notifytype_explicit = 2,
-	dns_notifytype_masteronly = 3
-} dns_notifytype_t;
-
-typedef enum {
-	dns_dialuptype_no = 0,
-	dns_dialuptype_yes = 1,
-	dns_dialuptype_notify = 2,
-	dns_dialuptype_notifypassive = 3,
-	dns_dialuptype_refresh = 4,
-	dns_dialuptype_passive = 5
-} dns_dialuptype_t;
-
-typedef enum {
-	dns_masterformat_none = 0,
-	dns_masterformat_text = 1,
-	dns_masterformat_raw = 2
-} dns_masterformat_t;
-
-typedef enum {
-	dns_v4_aaaa_ok = 0,
-	dns_v4_aaaa_filter = 1,
-	dns_v4_aaaa_break_dnssec = 2
-} dns_v4_aaaa_t;
-
-/*
- * These are generated by gen.c.
- */
-#include <dns/enumtype.h>	/* Provides dns_rdatatype_t. */
-#include <dns/enumclass.h>	/* Provides dns_rdataclass_t. */
-
-/*%
- * rcodes.
- */
-enum {
-	/*
-	 * Standard rcodes.
-	 */
-	dns_rcode_noerror = 0,
-#define dns_rcode_noerror		((dns_rcode_t)dns_rcode_noerror)
-	dns_rcode_formerr = 1,
-#define dns_rcode_formerr		((dns_rcode_t)dns_rcode_formerr)
-	dns_rcode_servfail = 2,
-#define dns_rcode_servfail		((dns_rcode_t)dns_rcode_servfail)
-	dns_rcode_nxdomain = 3,
-#define dns_rcode_nxdomain		((dns_rcode_t)dns_rcode_nxdomain)
-	dns_rcode_notimp = 4,
-#define dns_rcode_notimp		((dns_rcode_t)dns_rcode_notimp)
-	dns_rcode_refused = 5,
-#define dns_rcode_refused		((dns_rcode_t)dns_rcode_refused)
-	dns_rcode_yxdomain = 6,
-#define dns_rcode_yxdomain		((dns_rcode_t)dns_rcode_yxdomain)
-	dns_rcode_yxrrset = 7,
-#define dns_rcode_yxrrset		((dns_rcode_t)dns_rcode_yxrrset)
-	dns_rcode_nxrrset = 8,
-#define dns_rcode_nxrrset		((dns_rcode_t)dns_rcode_nxrrset)
-	dns_rcode_notauth = 9,
-#define dns_rcode_notauth		((dns_rcode_t)dns_rcode_notauth)
-	dns_rcode_notzone = 10,
-#define dns_rcode_notzone		((dns_rcode_t)dns_rcode_notzone)
-	/*
-	 * Extended rcodes.
-	 */
-	dns_rcode_badvers = 16
-#define dns_rcode_badvers		((dns_rcode_t)dns_rcode_badvers)
-};
-
-/*%
- * TSIG errors.
- */
-enum {
-	dns_tsigerror_badsig = 16,
-	dns_tsigerror_badkey = 17,
-	dns_tsigerror_badtime = 18,
-	dns_tsigerror_badmode = 19,
-	dns_tsigerror_badname = 20,
-	dns_tsigerror_badalg = 21,
-	dns_tsigerror_badtrunc = 22
-};
-
-/*%
- * Opcodes.
- */
-enum {
-	dns_opcode_query = 0,
-#define dns_opcode_query		((dns_opcode_t)dns_opcode_query)
-	dns_opcode_iquery = 1,
-#define dns_opcode_iquery		((dns_opcode_t)dns_opcode_iquery)
-	dns_opcode_status = 2,
-#define dns_opcode_status		((dns_opcode_t)dns_opcode_status)
-	dns_opcode_notify = 4,
-#define dns_opcode_notify		((dns_opcode_t)dns_opcode_notify)
-	dns_opcode_update = 5		/* dynamic update */
-#define dns_opcode_update		((dns_opcode_t)dns_opcode_update)
-};
-
-/*%
- * Trust levels.  Must be kept in sync with trustnames[] in masterdump.c.
- */
-enum {
-	/* Sentinel value; no data should have this trust level. */
-	dns_trust_none = 0,
-#define dns_trust_none			((dns_trust_t)dns_trust_none)
-
-	/*%
-	 * Subject to DNSSEC validation but has not yet been validated
-	 * dns_trust_pending_additional (from the additional section).
-	 */
-	dns_trust_pending_additional = 1,
-#define dns_trust_pending_additional \
-		 ((dns_trust_t)dns_trust_pending_additional)
-
-	dns_trust_pending_answer = 2,
-#define dns_trust_pending_answer	((dns_trust_t)dns_trust_pending_answer)
-
-	/*% Received in the additional section of a response. */
-	dns_trust_additional = 3,
-#define dns_trust_additional		((dns_trust_t)dns_trust_additional)
-
-	/* Received in a referral response. */
-	dns_trust_glue = 4,
-#define dns_trust_glue			((dns_trust_t)dns_trust_glue)
-
-	/* Answer from a non-authoritative server */
-	dns_trust_answer = 5,
-#define dns_trust_answer		((dns_trust_t)dns_trust_answer)
-
-	/*  Received in the authority section as part of an
-	    authoritative response */
-	dns_trust_authauthority = 6,
-#define dns_trust_authauthority		((dns_trust_t)dns_trust_authauthority)
-
-	/* Answer from an authoritative server */
-	dns_trust_authanswer = 7,
-#define dns_trust_authanswer		((dns_trust_t)dns_trust_authanswer)
-
-	/* Successfully DNSSEC validated */
-	dns_trust_secure = 8,
-#define dns_trust_secure		((dns_trust_t)dns_trust_secure)
-
-	/* This server is authoritative */
-	dns_trust_ultimate = 9
-#define dns_trust_ultimate		((dns_trust_t)dns_trust_ultimate)
-};
-
-#define DNS_TRUST_PENDING(x)		((x) == dns_trust_pending_answer || \
-					 (x) == dns_trust_pending_additional)
-#define DNS_TRUST_ADDITIONAL(x)		((x) == dns_trust_additional || \
-					 (x) == dns_trust_pending_additional)
-#define DNS_TRUST_GLUE(x)		((x) == dns_trust_glue)
-#define DNS_TRUST_ANSWER(x)		((x) == dns_trust_answer)
-
-
-/*%
- * Name checking severities.
- */
-typedef enum {
-	dns_severity_ignore,
-	dns_severity_warn,
-	dns_severity_fail
-} dns_severity_t;
-
-/*%
- * DNS Serial Number Update Method.
- *
- * \li	_increment:	Add one to the current serial, skipping 0.
- * \li	_unixtime:	Set to the seconds since 00:00 Jan 1, 1970,
- *			if possible.
- * \li	_yyyymmvv:	Set to Year, Month, Version, if possible.
- *			(Not yet implemented)
- */
-typedef enum {
-	dns_updatemethod_increment = 0,
-	dns_updatemethod_unixtime
-} dns_updatemethod_t;
-
-/*
- * Functions.
- */
-typedef void
-(*dns_dumpdonefunc_t)(void *, isc_result_t);
-
-typedef void
-(*dns_loaddonefunc_t)(void *, isc_result_t);
-
-typedef void
-(*dns_rawdatafunc_t)(dns_zone_t *, dns_masterrawheader_t *);
-
-typedef isc_result_t
-(*dns_addrdatasetfunc_t)(void *, dns_name_t *, dns_rdataset_t *);
-
-typedef isc_result_t
-(*dns_additionaldatafunc_t)(void *, dns_name_t *, dns_rdatatype_t);
-
-typedef isc_result_t
-(*dns_digestfunc_t)(void *, isc_region_t *);
-
-typedef void
-(*dns_xfrindone_t)(dns_zone_t *, isc_result_t);
-
-typedef void
-(*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
-
-typedef int
-(*dns_rdatasetorderfunc_t)(const dns_rdata_t *, const void *);
-
-typedef isc_boolean_t
-(*dns_checkmxfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *);
-
-typedef isc_boolean_t
-(*dns_checksrvfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *);
-
-typedef isc_boolean_t
-(*dns_checknsfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *,
-		     dns_rdataset_t *, dns_rdataset_t *);
-
-typedef isc_boolean_t
-(*dns_isselffunc_t)(dns_view_t *, dns_tsigkey_t *, isc_sockaddr_t *,
-		    isc_sockaddr_t *, dns_rdataclass_t, void *);
-
-typedef void
-(*dns_nseclog_t)(void *val, int , const char *, ...);
-
-#endif /* DNS_TYPES_H */
diff --git a/contrib/bind9/lib/dns/include/dns/update.h b/contrib/bind9/lib/dns/include/dns/update.h
deleted file mode 100644
index 2d2c491..0000000
--- a/contrib/bind9/lib/dns/include/dns/update.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: update.h,v 1.5 2011/08/30 23:46:53 tbox Exp $ */
-
-#ifndef DNS_UPDATE_H
-#define DNS_UPDATE_H 1
-
-/*! \file dns/update.h */
-
-/***
- ***	Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-#include <dns/diff.h>
-
-typedef struct {
-	void (*func)(void *arg, dns_zone_t *zone, int level,
-		     const char *message);
-	void *arg;
-} dns_update_log_t;
-
-ISC_LANG_BEGINDECLS
-
-/***
- ***	Functions
- ***/
-
-isc_uint32_t
-dns_update_soaserial(isc_uint32_t serial, dns_updatemethod_t method);
-/*%<
- * Return the next serial number after 'serial', depending on the
- * update method 'method':
- *
- *\li	* dns_updatemethod_increment increments the serial number by one
- *\li	* dns_updatemethod_unixtime sets the serial number to the current
- *	  time (seconds since UNIX epoch) if possible, or increments by one
- *	  if not.
- */
-
-isc_result_t
-dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
-		      dns_dbversion_t *oldver, dns_dbversion_t *newver,
-		      dns_diff_t *diff, isc_uint32_t sigvalidityinterval);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_UPDATE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/validator.h b/contrib/bind9/lib/dns/include/dns/validator.h
deleted file mode 100644
index b3cfe99..0000000
--- a/contrib/bind9/lib/dns/include/dns/validator.h
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: validator.h,v 1.46 2010/02/25 05:08:01 tbox Exp $ */
-
-#ifndef DNS_VALIDATOR_H
-#define DNS_VALIDATOR_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/validator.h
- *
- * \brief
- * DNS Validator
- * This is the BIND 9 validator, the module responsible for validating the
- * rdatasets and negative responses (messages).  It makes use of zones in
- * the view and may fetch RRset to complete trust chains.  It implements
- * DNSSEC as specified in RFC 4033, 4034 and 4035.
- *
- * It can also optionally implement ISC's DNSSEC look-aside validation.
- *
- * Correct operation is critical to preventing spoofed answers from secure
- * zones being accepted.
- *
- * MP:
- *\li	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	RFCs:	1034, 1035, 2181, 4033, 4034, 4035.
- */
-
-#include <isc/lang.h>
-#include <isc/event.h>
-#include <isc/mutex.h>
-
-#include <dns/fixedname.h>
-#include <dns/types.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
-
-#include <dst/dst.h>
-
-/*%
- * A dns_validatorevent_t is sent when a 'validation' completes.
- * \brief
- * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
- * supplied when dns_validator_create() was called.  They are returned to the
- * caller so that they may be freed.
- *
- * If the RESULT is ISC_R_SUCCESS and the answer is secure then
- * proofs[] will contain the names of the NSEC records that hold the
- * various proofs.  Note the same name may appear multiple times.
- */
-typedef struct dns_validatorevent {
-	ISC_EVENT_COMMON(struct dns_validatorevent);
-	dns_validator_t *		validator;
-	isc_result_t			result;
-	/*
-	 * Name and type of the response to be validated.
-	 */
-	dns_name_t *			name;
-	dns_rdatatype_t			type;
-	/*
-	 * Rdata and RRSIG (if any) for positive responses.
-	 */
-	dns_rdataset_t *		rdataset;
-	dns_rdataset_t *		sigrdataset;
-	/*
-	 * The full response.  Required for negative responses.
-	 * Also required for positive wildcard responses.
-	 */
-	dns_message_t *			message;
-	/*
-	 * Proofs to be cached.
-	 */
-	dns_name_t *			proofs[4];
-	/*
-	 * Optout proof seen.
-	 */
-	isc_boolean_t			optout;
-	/*
-	 * Answer is secure.
-	 */
-	isc_boolean_t			secure;
-} dns_validatorevent_t;
-
-#define DNS_VALIDATOR_NOQNAMEPROOF 0
-#define DNS_VALIDATOR_NODATAPROOF 1
-#define DNS_VALIDATOR_NOWILDCARDPROOF 2
-#define DNS_VALIDATOR_CLOSESTENCLOSER 3
-
-/*%
- * A validator object represents a validation in progress.
- * \brief
- * Clients are strongly discouraged from using this type directly, with
- * the exception of the 'link' field, which may be used directly for
- * whatever purpose the client desires.
- */
-struct dns_validator {
-	/* Unlocked. */
-	unsigned int			magic;
-	isc_mutex_t			lock;
-	dns_view_t *			view;
-	/* Locked by lock. */
-	unsigned int			options;
-	unsigned int			attributes;
-	dns_validatorevent_t *		event;
-	dns_fetch_t *			fetch;
-	dns_validator_t *		subvalidator;
-	dns_validator_t *		parent;
-	dns_keytable_t *		keytable;
-	dns_keynode_t *			keynode;
-	dst_key_t *			key;
-	dns_rdata_rrsig_t *		siginfo;
-	isc_task_t *			task;
-	isc_taskaction_t		action;
-	void *				arg;
-	unsigned int			labels;
-	dns_rdataset_t *		currentset;
-	isc_boolean_t			seensig;
-	dns_rdataset_t *		keyset;
-	dns_rdataset_t *		dsset;
-	dns_rdataset_t *		soaset;
-	dns_rdataset_t *		nsecset;
-	dns_rdataset_t *		nsec3set;
-	dns_name_t *			soaname;
-	dns_rdataset_t			frdataset;
-	dns_rdataset_t			fsigrdataset;
-	dns_fixedname_t			fname;
-	dns_fixedname_t			wild;
-	dns_fixedname_t			nearest;
-	dns_fixedname_t			closest;
-	ISC_LINK(dns_validator_t)	link;
-	dns_rdataset_t 			dlv;
-	dns_fixedname_t			dlvsep;
-	isc_boolean_t			havedlvsep;
-	isc_boolean_t			mustbesecure;
-	unsigned int			dlvlabels;
-	unsigned int			depth;
-	unsigned int			authcount;
-	unsigned int			authfail;
-};
-
-/*%
- * dns_validator_create() options.
- */
-#define DNS_VALIDATOR_DLV 1U
-#define DNS_VALIDATOR_DEFER 2U
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
-		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		     dns_message_t *message, unsigned int options,
-		     isc_task_t *task, isc_taskaction_t action, void *arg,
-		     dns_validator_t **validatorp);
-/*%<
- * Start a DNSSEC validation.
- *
- * This validates a response to the question given by
- * 'name' and 'type'.
- *
- * To validate a positive response, the response data is
- * given by 'rdataset' and 'sigrdataset'.  If 'sigrdataset'
- * is NULL, the data is presumed insecure and an attempt
- * is made to prove its insecurity by finding the appropriate
- * null key.
- *
- * The complete response message may be given in 'message',
- * to make available any authority section NSECs that may be
- * needed for validation of a response resulting from a
- * wildcard expansion (though no such wildcard validation
- * is implemented yet).  If the complete response message
- * is not available, 'message' is NULL.
- *
- * To validate a negative response, the complete negative response
- * message is given in 'message'.  The 'rdataset', and
- * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
- * arguments must be provided.
- *
- * The validation is performed in the context of 'view'.
- *
- * When the validation finishes, a dns_validatorevent_t with
- * the given 'action' and 'arg' are sent to 'task'.
- * Its 'result' field will be ISC_R_SUCCESS iff the
- * response was successfully proven to be either secure or
- * part of a known insecure domain.
- *
- * options:
- * If DNS_VALIDATOR_DLV is set the caller knows there is not a
- * trusted key and the validator should immediately attempt to validate
- * the answer by looking for an appropriate DLV RRset.
- */
-
-void
-dns_validator_send(dns_validator_t *validator);
-/*%<
- * Send a deferred validation request
- *
- * Requires:
- *	'validator' to points to a valid DNSSEC validator.
- */
-
-void
-dns_validator_cancel(dns_validator_t *validator);
-/*%<
- * Cancel a DNSSEC validation in progress.
- *
- * Requires:
- *\li	'validator' points to a valid DNSSEC validator, which
- *	may or may not already have completed.
- *
- * Ensures:
- *\li	It the validator has not already sent its completion
- *	event, it will send it with result code ISC_R_CANCELED.
- */
-
-void
-dns_validator_destroy(dns_validator_t **validatorp);
-/*%<
- * Destroy a DNSSEC validator.
- *
- * Requires:
- *\li	'*validatorp' points to a valid DNSSEC validator.
- * \li	The validator must have completed and sent its completion
- * 	event.
- *
- * Ensures:
- *\li	All resources used by the validator are freed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_VALIDATOR_H */
diff --git a/contrib/bind9/lib/dns/include/dns/version.h b/contrib/bind9/lib/dns/include/dns/version.h
deleted file mode 100644
index 2a33dcf..0000000
--- a/contrib/bind9/lib/dns/include/dns/version.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file dns/version.h */
-
-#include <isc/platform.h>
-
-LIBDNS_EXTERNAL_DATA extern const char dns_version[];
-
-LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libinterface;
-LIBDNS_EXTERNAL_DATA extern const unsigned int dns_librevision;
-LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libage;
diff --git a/contrib/bind9/lib/dns/include/dns/view.h b/contrib/bind9/lib/dns/include/dns/view.h
deleted file mode 100644
index d0c1931..0000000
--- a/contrib/bind9/lib/dns/include/dns/view.h
+++ /dev/null
@@ -1,1114 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef DNS_VIEW_H
-#define DNS_VIEW_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/view.h
- * \brief
- * DNS View
- *
- * A "view" is a DNS namespace, together with an optional resolver and a
- * forwarding policy.  A "DNS namespace" is a (possibly empty) set of
- * authoritative zones together with an optional cache and optional
- * "hints" information.
- *
- * Views start out "unfrozen".  In this state, core attributes like
- * the cache, set of zones, and forwarding policy may be set.  While
- * "unfrozen", the caller (e.g. nameserver configuration loading
- * code), must ensure exclusive access to the view.  When the view is
- * "frozen", the core attributes become immutable, and the view module
- * will ensure synchronization.  Freezing allows the view's core attributes
- * to be accessed without locking.
- *
- * MP:
- *\li	Before the view is frozen, the caller must ensure synchronization.
- *
- *\li	After the view is frozen, the module guarantees appropriate
- *	synchronization of any data structures it creates and manipulates.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	None.
- */
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/event.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/stdtime.h>
-
-#include <dns/acl.h>
-#include <dns/fixedname.h>
-#include <dns/rdatastruct.h>
-#include <dns/rpz.h>
-#include <dns/types.h>
-#include <dns/zt.h>
-
-ISC_LANG_BEGINDECLS
-
-struct dns_view {
-	/* Unlocked. */
-	unsigned int			magic;
-	isc_mem_t *			mctx;
-	dns_rdataclass_t		rdclass;
-	char *				name;
-	dns_zt_t *			zonetable;
-	dns_dlzdb_t *			dlzdatabase;
-	dns_resolver_t *		resolver;
-	dns_adb_t *			adb;
-	dns_requestmgr_t *		requestmgr;
-	dns_acache_t *			acache;
-	dns_cache_t *			cache;
-	dns_db_t *			cachedb;
-	dns_db_t *			hints;
-
-	/*
-	 * security roots.
-	 * internal use only; access via * dns_view_getsecroots()
-	 */
-	dns_keytable_t *		secroots_priv;
-
-	isc_mutex_t			lock;
-	isc_boolean_t			frozen;
-	isc_task_t *			task;
-	isc_event_t			resevent;
-	isc_event_t			adbevent;
-	isc_event_t			reqevent;
-	isc_stats_t *			resstats;
-	dns_stats_t *			resquerystats;
-	isc_boolean_t			cacheshared;
-
-	/* Configurable data. */
-	dns_tsig_keyring_t *		statickeys;
-	dns_tsig_keyring_t *		dynamickeys;
-	dns_peerlist_t *		peers;
-	dns_order_t *			order;
-	dns_fwdtable_t *		fwdtable;
-	isc_boolean_t			recursion;
-	isc_boolean_t			auth_nxdomain;
-	isc_boolean_t			additionalfromcache;
-	isc_boolean_t			additionalfromauth;
-	isc_boolean_t			minimalresponses;
-	isc_boolean_t			enablednssec;
-	isc_boolean_t			enablevalidation;
-	isc_boolean_t			acceptexpired;
-	dns_transfer_format_t		transfer_format;
-	dns_acl_t *			cacheacl;
-	dns_acl_t *			cacheonacl;
-	dns_acl_t *			queryacl;
-	dns_acl_t *			queryonacl;
-	dns_acl_t *			recursionacl;
-	dns_acl_t *			recursiononacl;
-	dns_acl_t *			sortlist;
-	dns_acl_t *			notifyacl;
-	dns_acl_t *			transferacl;
-	dns_acl_t *			updateacl;
-	dns_acl_t *			upfwdacl;
-	dns_acl_t *			denyansweracl;
-	dns_rbt_t *			answeracl_exclude;
-	dns_rbt_t *			denyanswernames;
-	dns_rbt_t *			answernames_exclude;
-	isc_boolean_t			provideixfr;
-	isc_boolean_t			requestnsid;
-	dns_ttl_t			maxcachettl;
-	dns_ttl_t			maxncachettl;
-	in_port_t			dstport;
-	dns_aclenv_t			aclenv;
-	dns_rdatatype_t			preferred_glue;
-	isc_boolean_t			flush;
-	dns_namelist_t *		delonly;
-	isc_boolean_t			rootdelonly;
-	dns_namelist_t *		rootexclude;
-	isc_boolean_t			checknames;
-	dns_name_t *			dlv;
-	dns_fixedname_t			dlv_fixed;
-	isc_uint16_t			maxudp;
-	unsigned int			maxbits;
-	dns_v4_aaaa_t			v4_aaaa;
-	dns_acl_t *			v4_aaaa_acl;
-	dns_dns64list_t 		dns64;
-	unsigned int 			dns64cnt;
-	ISC_LIST(dns_rpz_zone_t)	rpz_zones;
-	isc_boolean_t			rpz_recursive_only;
-	isc_boolean_t			rpz_break_dnssec;
-	unsigned int			rpz_min_ns_labels;
-
-	/*
-	 * Configurable data for server use only,
-	 * locked by server configuration lock.
-	 */
-	dns_acl_t *			matchclients;
-	dns_acl_t *			matchdestinations;
-	isc_boolean_t			matchrecursiveonly;
-
-	/* Locked by themselves. */
-	isc_refcount_t			references;
-
-	/* Locked by lock. */
-	unsigned int			weakrefs;
-	unsigned int			attributes;
-	/* Under owner's locking control. */
-	ISC_LINK(struct dns_view)	link;
-	dns_viewlist_t *		viewlist;
-
-	dns_zone_t *			managed_keys;
-	dns_zone_t *			redirect;
-
-#ifdef BIND9
-	/* File in which to store configuration for newly added zones */
-	char *				new_zone_file;
-
-	void *				new_zone_config;
-	void				(*cfg_destroy)(void **);
-#endif
-};
-
-#define DNS_VIEW_MAGIC			ISC_MAGIC('V','i','e','w')
-#define DNS_VIEW_VALID(view)		ISC_MAGIC_VALID(view, DNS_VIEW_MAGIC)
-
-#define DNS_VIEWATTR_RESSHUTDOWN	0x01
-#define DNS_VIEWATTR_ADBSHUTDOWN	0x02
-#define DNS_VIEWATTR_REQSHUTDOWN	0x04
-
-isc_result_t
-dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-		const char *name, dns_view_t **viewp);
-/*%<
- * Create a view.
- *
- * Notes:
- *
- *\li	The newly created view has no cache, no resolver, and an empty
- *	zone table.  The view is not frozen.
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	'rdclass' is a valid class.
- *
- *\li	'name' is a valid C string.
- *
- *\li	viewp != NULL && *viewp == NULL
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *
- *\li	Other errors are possible.
- */
-
-void
-dns_view_attach(dns_view_t *source, dns_view_t **targetp);
-/*%<
- * Attach '*targetp' to 'source'.
- *
- * Requires:
- *
- *\li	'source' is a valid, frozen view.
- *
- *\li	'targetp' points to a NULL dns_view_t *.
- *
- * Ensures:
- *
- *\li	*targetp is attached to source.
- *
- *\li	While *targetp is attached, the view will not shut down.
- */
-
-void
-dns_view_detach(dns_view_t **viewp);
-/*%<
- * Detach '*viewp' from its view.
- *
- * Requires:
- *
- *\li	'viewp' points to a valid dns_view_t *
- *
- * Ensures:
- *
- *\li	*viewp is NULL.
- */
-
-void
-dns_view_flushanddetach(dns_view_t **viewp);
-/*%<
- * Detach '*viewp' from its view.  If this was the last reference
- * uncommitted changed in zones will be flushed to disk.
- *
- * Requires:
- *
- *\li	'viewp' points to a valid dns_view_t *
- *
- * Ensures:
- *
- *\li	*viewp is NULL.
- */
-
-void
-dns_view_weakattach(dns_view_t *source, dns_view_t **targetp);
-/*%<
- * Weakly attach '*targetp' to 'source'.
- *
- * Requires:
- *
- *\li	'source' is a valid, frozen view.
- *
- *\li	'targetp' points to a NULL dns_view_t *.
- *
- * Ensures:
- *
- *\li	*targetp is attached to source.
- *
- * \li	While *targetp is attached, the view will not be freed.
- */
-
-void
-dns_view_weakdetach(dns_view_t **targetp);
-/*%<
- * Detach '*viewp' from its view.
- *
- * Requires:
- *
- *\li	'viewp' points to a valid dns_view_t *.
- *
- * Ensures:
- *
- *\li	*viewp is NULL.
- */
-
-isc_result_t
-dns_view_createresolver(dns_view_t *view,
-			isc_taskmgr_t *taskmgr,
-			unsigned int ntasks, unsigned int ndisp,
-			isc_socketmgr_t *socketmgr,
-			isc_timermgr_t *timermgr,
-			unsigned int options,
-			dns_dispatchmgr_t *dispatchmgr,
-			dns_dispatch_t *dispatchv4,
-			dns_dispatch_t *dispatchv6);
-/*%<
- * Create a resolver and address database for the view.
- *
- * Requires:
- *
- *\li	'view' is a valid, unfrozen view.
- *
- *\li	'view' does not have a resolver already.
- *
- *\li	The requirements of dns_resolver_create() apply to 'taskmgr',
- *	'ntasks', 'socketmgr', 'timermgr', 'options', 'dispatchv4', and
- *	'dispatchv6'.
- *
- * Returns:
- *
- *\li   	#ISC_R_SUCCESS
- *
- *\li	Any error that dns_resolver_create() can return.
- */
-
-void
-dns_view_setcache(dns_view_t *view, dns_cache_t *cache);
-void
-dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, isc_boolean_t shared);
-/*%<
- * Set the view's cache database.  If 'shared' is true, this means the cache
- * is created by another view and is shared with that view.  dns_view_setcache()
- * is a backward compatible version equivalent to setcache2(..., ISC_FALSE).
- *
- * Requires:
- *
- *\li	'view' is a valid, unfrozen view.
- *
- *\li	'cache' is a valid cache.
- *
- * Ensures:
- *
- * \li    	The cache of 'view' is 'cached.
- *
- *\li	If this is not the first call to dns_view_setcache() for this
- *	view, then previously set cache is detached.
- */
-
-void
-dns_view_sethints(dns_view_t *view, dns_db_t *hints);
-/*%<
- * Set the view's hints database.
- *
- * Requires:
- *
- *\li	'view' is a valid, unfrozen view, whose hints database has not been
- *	set.
- *
- *\li	'hints' is a valid zone database.
- *
- * Ensures:
- *
- * \li    	The hints database of 'view' is 'hints'.
- */
-
-void
-dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
-void
-dns_view_setdynamickeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
-/*%<
- * Set the view's static TSIG keys
- *
- * Requires:
- *
- *   \li   'view' is a valid, unfrozen view, whose static TSIG keyring has not
- *	been set.
- *
- *\li      'ring' is a valid TSIG keyring
- *
- * Ensures:
- *
- *\li      The static TSIG keyring of 'view' is 'ring'.
- */
-
-void
-dns_view_getdynamickeyring(dns_view_t *view, dns_tsig_keyring_t **ringp);
-/*%<
- * Return the views dynamic keys.
- *
- *   \li  'view' is a valid, unfrozen view.
- *   \li  'ringp' != NULL && ringp == NULL.
- */
-
-void
-dns_view_setdstport(dns_view_t *view, in_port_t dstport);
-/*%<
- * Set the view's destination port.  This is the port to
- * which outgoing queries are sent.  The default is 53,
- * the standard DNS port.
- *
- * Requires:
- *
- *\li      'view' is a valid view.
- *
- *\li      'dstport' is a valid TCP/UDP port number.
- *
- * Ensures:
- *\li	External name servers will be assumed to be listening
- *	on 'dstport'.  For servers whose address has already
- *	obtained obtained at the time of the call, the view may
- *	continue to use the previously set port until the address
- *	times out from the view's address database.
- */
-
-
-isc_result_t
-dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
-/*%<
- * Add zone 'zone' to 'view'.
- *
- * Requires:
- *
- *\li	'view' is a valid, unfrozen view.
- *
- *\li	'zone' is a valid zone.
- */
-
-void
-dns_view_freeze(dns_view_t *view);
-/*%<
- * Freeze view.  No changes can be made to view configuration while frozen.
- *
- * Requires:
- *
- *\li	'view' is a valid, unfrozen view.
- *
- * Ensures:
- *
- *\li	'view' is frozen.
- */
-
-void
-dns_view_thaw(dns_view_t *view);
-/*%<
- * Thaw view.  This allows zones to be added or removed at runtime.  This is
- * NOT thread-safe; the caller MUST have run isc_task_exclusive() prior to
- * thawing the view.
- *
- * Requires:
- *
- *\li	'view' is a valid, frozen view.
- *
- * Ensures:
- *
- *\li	'view' is no longer frozen.
- */
-isc_result_t
-dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
-	      isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
-	      dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
-	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-isc_result_t
-dns_view_find2(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
-	       isc_stdtime_t now, unsigned int options,
-	       isc_boolean_t use_hints, isc_boolean_t use_static_stub,
-	       dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
-	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*%<
- * Find an rdataset whose owner name is 'name', and whose type is
- * 'type'.
- * In general, this function first searches view's zone and cache DBs for the
- * best match data against 'name'.  If nothing found there, and if 'use_hints'
- * is ISC_TRUE, the view's hint DB (if configured) is searched.
- * If the view is configured with a static-stub zone which gives the longest
- * match for 'name' among the zones, however, the cache DB is not consulted
- * unless 'use_static_stub' is ISC_FALSE (see below about this argument).
- *
- * dns_view_find() is a backward compatible version equivalent to
- * dns_view_find2() with use_static_stub argument being ISC_FALSE.
- *
- * Notes:
- *
- *\li	See the description of dns_db_find() for information about 'options'.
- *	If the caller sets #DNS_DBFIND_GLUEOK, it must ensure that 'name'
- *	and 'type' are appropriate for glue retrieval.
- *
- *\li	If 'now' is zero, then the current time will be used.
- *
- *\li	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
- *	it will be searched last.  If the answer is found in the hints
- *	database, the result code will be DNS_R_HINT.  If the name is found
- *	in the hints database but not the type, the result code will be
- *	#DNS_R_HINTNXRRSET.
- *
- *\li	If 'use_static_stub' is ISC_FALSE and the longest match zone for 'name'
- *	is a static-stub zone, it's ignored and the cache and/or hints will be
- *	searched.  In the majority of the cases this argument should be
- *	ISC_FALSE.  The only known usage of this argument being ISC_TRUE is
- *	if this search is for a "bailiwick" glue A or AAAA RRset that may
- *	best match a static-stub zone.  Consider the following example:
- *	this view is configured with a static-stub zone "example.com",
- *	and an attempt of recursive resolution needs to send a query for the
- *	zone.  In this case it's quite likely that the resolver is trying to
- *	find A/AAAA RRs for the apex name "example.com".  And, to honor the
- *	static-stub configuration it needs to return the glue RRs in the
- *	static-stub zone even if that exact RRs coming from the authoritative
- *	zone has been cached.
- *	In other general cases, the requested data is better to be
- *	authoritative, either locally configured or retrieved from an external
- *	server, and the data in the static-stub zone should better be ignored.
- *
- *\li	'foundname' must meet the requirements of dns_db_find().
- *
- *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
- *	covers 'type', then 'sigrdataset' will be bound to it.
- *
- * Requires:
- *
- *\li	'view' is a valid, frozen view.
- *
- *\li	'name' is valid name.
- *
- *\li	'type' is a valid dns_rdatatype_t, and is not a meta query type
- *	except dns_rdatatype_any.
- *
- *\li	dbp == NULL || *dbp == NULL
- *
- *\li	nodep == NULL || *nodep == NULL.  If nodep != NULL, dbp != NULL.
- *
- *\li	'foundname' is a valid name with a dedicated buffer or NULL.
- *
- *\li	'rdataset' is a valid, disassociated rdataset.
- *
- *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
- *
- * Ensures:
- *
- *\li	In successful cases, 'rdataset', and possibly 'sigrdataset', are
- *	bound to the found data.
- *
- *\li	If dbp != NULL, it points to the database containing the data.
- *
- *\li	If nodep != NULL, it points to the database node containing the data.
- *
- *\li	If foundname != NULL, it contains the full name of the found data.
- *
- * Returns:
- *
- *\li	Any result that dns_db_find() can return, with the exception of
- *	#DNS_R_DELEGATION.
- */
-
-isc_result_t
-dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
-		    isc_stdtime_t now, unsigned int options,
-		    isc_boolean_t use_hints,
-		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*%<
- * Find an rdataset whose owner name is 'name', and whose type is
- * 'type'.
- *
- * Notes:
- *
- *\li	This routine is appropriate for simple, exact-match queries of the
- *	view.  'name' must be a canonical name; there is no DNAME or CNAME
- *	processing.
- *
- *\li	See the description of dns_db_find() for information about 'options'.
- *	If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
- *	and 'type' are appropriate for glue retrieval.
- *
- *\li	If 'now' is zero, then the current time will be used.
- *
- *\li	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
- *	it will be searched last.  If the answer is found in the hints
- *	database, the result code will be DNS_R_HINT.  If the name is found
- *	in the hints database but not the type, the result code will be
- *	DNS_R_HINTNXRRSET.
- *
- *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
- *	covers 'type', then 'sigrdataset' will be bound to it.
- *
- * Requires:
- *
- *\li	'view' is a valid, frozen view.
- *
- *\li	'name' is valid name.
- *
- *\li	'type' is a valid dns_rdatatype_t, and is not a meta query type
- *	(e.g. dns_rdatatype_any), or dns_rdatatype_rrsig.
- *
- *\li	'rdataset' is a valid, disassociated rdataset.
- *
- *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
- *
- * Ensures:
- *
- *\li	In successful cases, 'rdataset', and possibly 'sigrdataset', are
- *	bound to the found data.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS			Success; result is desired type.
- *\li	DNS_R_GLUE			Success; result is glue.
- *\li	DNS_R_HINT			Success; result is a hint.
- *\li	DNS_R_NCACHENXDOMAIN		Success; result is a ncache entry.
- *\li	DNS_R_NCACHENXRRSET		Success; result is a ncache entry.
- *\li	DNS_R_NXDOMAIN			The name does not exist.
- *\li	DNS_R_NXRRSET			The rrset does not exist.
- *\li	#ISC_R_NOTFOUND			No matching data found,
- *					or an error occurred.
- */
-
-/*% See dns_view_findzonecut2() */
-isc_result_t
-dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
-		     isc_stdtime_t now, unsigned int options,
-		     isc_boolean_t use_hints,
-		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-
-isc_result_t
-dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
-		      isc_stdtime_t now, unsigned int options,
-		      isc_boolean_t use_hints, isc_boolean_t use_cache,
-		      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*%<
- * Find the best known zonecut containing 'name'.
- *
- * This uses local authority, cache, and optionally hints data.
- * No external queries are performed.
- *
- * Notes:
- *
- *\li	If 'now' is zero, then the current time will be used.
- *
- *\li	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
- *	it will be searched last.
- *
- *\li	If 'use_cache' is ISC_TRUE, and the view has a cache, then it will be
- *	searched.
- *
- *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
- *	covers 'type', then 'sigrdataset' will be bound to it.
- *
- *\li	If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
- *	(if any) will be the deepest known ancestor of 'name'.
- *
- * Requires:
- *
- *\li	'view' is a valid, frozen view.
- *
- *\li	'name' is valid name.
- *
- *\li	'rdataset' is a valid, disassociated rdataset.
- *
- *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS				Success.
- *
- *\li	Many other results are possible.
- */
-
-isc_result_t
-dns_viewlist_find(dns_viewlist_t *list, const char *name,
-		  dns_rdataclass_t rdclass, dns_view_t **viewp);
-/*%<
- * Search for a view with name 'name' and class 'rdclass' in 'list'.
- * If found, '*viewp' is (strongly) attached to it.
- *
- * Requires:
- *
- *\li	'viewp' points to a NULL dns_view_t *.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		A matching view was found.
- *\li	#ISC_R_NOTFOUND		No matching view was found.
- */
-
-isc_result_t
-dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name, isc_boolean_t allclasses,
-		      dns_rdataclass_t rdclass, dns_zone_t **zonep);
-
-/*%<
- * Search zone with 'name' in view with 'rdclass' in viewlist 'list'
- * If found, zone is returned in *zonep. If allclasses is set rdclass is ignored
- *
- * Returns:
- *\li	#ISC_R_SUCCESS          A matching zone was found.
- *\li	#ISC_R_NOTFOUND         No matching zone was found.
- */
-
-isc_result_t
-dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep);
-/*%<
- * Search for the zone 'name' in the zone table of 'view'.
- * If found, 'zonep' is (strongly) attached to it.  There
- * are no partial matches.
- *
- * Requires:
- *
- *\li	'zonep' points to a NULL dns_zone_t *.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		A matching zone was found.
- *\li	#ISC_R_NOTFOUND		No matching zone was found.
- *\li	others			An error occurred.
- */
-
-isc_result_t
-dns_view_load(dns_view_t *view, isc_boolean_t stop);
-
-isc_result_t
-dns_view_loadnew(dns_view_t *view, isc_boolean_t stop);
-
-isc_result_t
-dns_view_asyncload(dns_view_t *view, dns_zt_allloaded_t callback, void *arg);
-/*%<
- * Load zones attached to this view.  dns_view_load() loads
- * all zones whose master file has changed since the last
- * load; dns_view_loadnew() loads only zones that have never
- * been loaded.
- *
- * dns_view_asyncload() loads zones asynchronously.  When all zones
- * in the view have finished loading, 'callback' is called with argument
- * 'arg' to inform the caller.
- *
- * If 'stop' is ISC_TRUE, stop on the first error and return it.
- * If 'stop' is ISC_FALSE (or we are loading asynchronously), ignore errors.
- *
- * Requires:
- *
- *\li	'view' is valid.
- */
-
-isc_result_t
-dns_view_gettsig(dns_view_t *view, dns_name_t *keyname,
-		 dns_tsigkey_t **keyp);
-/*%<
- * Find the TSIG key configured in 'view' with name 'keyname',
- * if any.
- *
- * Requires:
- *\li	keyp points to a NULL dns_tsigkey_t *.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
- *\li	#ISC_R_NOTFOUND	No key was found.
- *\li	others		An error occurred.
- */
-
-isc_result_t
-dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
-		     dns_tsigkey_t **keyp);
-/*%<
- * Find the TSIG key configured in 'view' for the server whose
- * address is 'peeraddr', if any.
- *
- * Requires:
- *	keyp points to a NULL dns_tsigkey_t *.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
- *\li	#ISC_R_NOTFOUND	No key was found.
- *\li	others		An error occurred.
- */
-
-isc_result_t
-dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg);
-/*%<
- * Verifies the signature of a message.
- *
- * Requires:
- *
- *\li	'view' is a valid view.
- *\li	'source' is a valid buffer containing the message
- *\li	'msg' is a valid message
- *
- * Returns:
- *\li	see dns_tsig_verify()
- */
-
-void
-dns_view_dialup(dns_view_t *view);
-/*%<
- * Perform dialup-time maintenance on the zones of 'view'.
- */
-
-isc_result_t
-dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
-/*%<
- * Dump the current state of the view 'view' to the stream 'fp'
- * for purposes of analysis or debugging.
- *
- * Currently the dumped state includes the view's cache; in the future
- * it may also include other state such as the address database.
- * It will not not include authoritative data since it is voluminous and
- * easily obtainable by other means.
- *
- * Requires:
- *
- *\li	'view' is valid.
- *
- *\li	'fp' refers to a file open for writing.
- *
- * Returns:
- * \li	ISC_R_SUCCESS	The cache was successfully dumped.
- * \li	others		An error occurred (see dns_master_dump)
- */
-
-isc_result_t
-dns_view_flushcache(dns_view_t *view);
-isc_result_t
-dns_view_flushcache2(dns_view_t *view, isc_boolean_t fixuponly);
-/*%<
- * Flush the view's cache (and ADB).  If 'fixuponly' is true, it only updates
- * the internal reference to the cache DB with omitting actual flush operation.
- * 'fixuponly' is intended to be used for a view that shares a cache with
- * a different view.  dns_view_flushcache() is a backward compatible version
- * that always sets fixuponly to false.
- *
- * Requires:
- * 	'view' is valid.
- *
- * 	No other tasks are executing.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_view_flushnode(dns_view_t *view, dns_name_t *name, isc_boolean_t tree);
-/*%<
- * Flush the given name from the view's cache (and optionally ADB/badcache).
- *
- * If 'tree' is true, flush 'name' and all names below it
- * from the cache, but do not flush ADB.
- *
- * If 'tree' is false, flush 'name' frmo both the cache and ADB,
- * but do not touch any other nodes.
- *
- * Requires:
- *\li	'view' is valid.
- *\li	'name' is valid.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *	other returns are failures.
- */
-
-isc_result_t
-dns_view_flushname(dns_view_t *view, dns_name_t *name);
-/*%<
- * Flush the given name from the view's cache, ADB and badcache.
- * Equivalent to dns_view_flushnode(view, name, ISC_FALSE).
- *
- *
- * Requires:
- *\li	'view' is valid.
- *\li	'name' is valid.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *	other returns are failures.
- */
-
-isc_result_t
-dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name);
-/*%<
- * Add the given name to the delegation only table.
- *
- * Requires:
- *\li	'view' is valid.
- *\li	'name' is valid.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name);
-/*%<
- * Add the given name to be excluded from the root-delegation-only.
- *
- *
- * Requires:
- *\li	'view' is valid.
- *\li	'name' is valid.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-isc_boolean_t
-dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name);
-/*%<
- * Check if 'name' is in the delegation only table or if
- * rootdelonly is set that name is not being excluded.
- *
- * Requires:
- *\li	'view' is valid.
- *\li	'name' is valid.
- *
- * Returns:
- *\li	#ISC_TRUE if the name is the table.
- *\li	#ISC_FALSE otherwise.
- */
-
-void
-dns_view_setrootdelonly(dns_view_t *view, isc_boolean_t value);
-/*%<
- * Set the root delegation only flag.
- *
- * Requires:
- *\li	'view' is valid.
- */
-
-isc_boolean_t
-dns_view_getrootdelonly(dns_view_t *view);
-/*%<
- * Get the root delegation only flag.
- *
- * Requires:
- *\li	'view' is valid.
- */
-
-isc_result_t
-dns_view_freezezones(dns_view_t *view, isc_boolean_t freeze);
-/*%<
- * Freeze/thaw updates to master zones.
- *
- * Requires:
- * \li	'view' is valid.
- */
-
-void
-dns_view_setresstats(dns_view_t *view, isc_stats_t *stats);
-/*%<
- * Set a general resolver statistics counter set 'stats' for 'view'.
- *
- * Requires:
- * \li	'view' is valid and is not frozen.
- *
- *\li	stats is a valid statistics supporting resolver statistics counters
- *	(see dns/stats.h).
- */
-
-void
-dns_view_getresstats(dns_view_t *view, isc_stats_t **statsp);
-/*%<
- * Get the general statistics counter set for 'view'.  If a statistics set is
- * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
- * untouched.
- *
- * Requires:
- * \li	'view' is valid and is not frozen.
- *
- *\li	'statsp' != NULL && '*statsp' != NULL
- */
-
-void
-dns_view_setresquerystats(dns_view_t *view, dns_stats_t *stats);
-/*%<
- * Set a statistics counter set of rdata type, 'stats', for 'view'.  Once the
- * statistic set is installed, view's resolver will count outgoing queries
- * per rdata type.
- *
- * Requires:
- * \li	'view' is valid and is not frozen.
- *
- *\li	stats is a valid statistics created by dns_rdatatypestats_create().
- */
-
-void
-dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp);
-/*%<
- * Get the rdatatype statistics counter set for 'view'.  If a statistics set is
- * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
- * untouched.
- *
- * Requires:
- * \li	'view' is valid and is not frozen.
- *
- *\li	'statsp' != NULL && '*statsp' != NULL
- */
-
-isc_boolean_t
-dns_view_iscacheshared(dns_view_t *view);
-/*%<
- * Check if the view shares the cache created by another view.
- *
- * Requires:
- * \li	'view' is valid.
- *
- * Returns:
- *\li	#ISC_TRUE if the cache is shared.
- *\li	#ISC_FALSE otherwise.
- */
-
-isc_result_t
-dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx);
-/*%<
- * Initialize security roots for the view.  (Note that secroots is
- * NULL until this function is called, so any function using
- * secroots must check its validity first.  One way to do this is
- * use dns_view_getsecroots() and check its return value.)
- *
- * Requires:
- * \li	'view' is valid.
- * \li	'view->secroots' is NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	Any other result indicates failure
- */
-
-isc_result_t
-dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp);
-/*%<
- * Get the security roots for this view.  Returns ISC_R_NOTFOUND if
- * the security roots keytable has not been initialized for the view.
- *
- * '*ktp' is attached on success; the caller is responsible for
- * detaching it with dns_keytable_detach().
- *
- * Requires:
- * \li	'view' is valid.
- * \li	'ktp' is not NULL and '*ktp' is NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOTFOUND
- */
-
-isc_result_t
-dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
-			 isc_boolean_t *secure_domain);
-/*%<
- * Is 'name' at or beneath a trusted key?  Put answer in
- * '*secure_domain'.
- *
- * Requires:
- * \li	'view' is valid.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	Any other value indicates failure
- */
-
-void
-dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
-		 dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx);
-/*%<
- * Remove keys that match 'keyname' and 'dnskey' from the views trust
- * anchors.
- *
- * Requires:
- * \li	'view' is valid.
- * \li	'keyname' is valid.
- * \li	'mctx' is valid.
- * \li	'dnskey' is valid.
- */
-
-void
-dns_view_setnewzones(dns_view_t *view, isc_boolean_t allow, void *cfgctx,
-		     void (*cfg_destroy)(void **));
-/*%<
- * Set whether or not to allow zones to be created or deleted at runtime.
- *
- * If 'allow' is ISC_TRUE, determines the filename into which new zone
- * configuration will be written.  Preserves the configuration context
- * (a pointer to which is passed in 'cfgctx') for use when parsing new
- * zone configuration.  'cfg_destroy' points to a callback routine to
- * destroy the configuration context when the view is destroyed.  (This
- * roundabout method is used in order to avoid libdns having a dependency
- * on libisccfg and libbind9.)
- *
- * If 'allow' is ISC_FALSE, removes any existing references to
- * configuration context and frees any memory.
- *
- * Requires:
- * \li 'view' is valid.
- */
-
-void
-dns_view_restorekeyring(dns_view_t *view);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_VIEW_H */
diff --git a/contrib/bind9/lib/dns/include/dns/xfrin.h b/contrib/bind9/lib/dns/include/dns/xfrin.h
deleted file mode 100644
index 2f20c35..0000000
--- a/contrib/bind9/lib/dns/include/dns/xfrin.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: xfrin.h,v 1.30 2009/01/17 23:47:43 tbox Exp $ */
-
-#ifndef DNS_XFRIN_H
-#define DNS_XFRIN_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file dns/xfrin.h
- * \brief
- * Incoming zone transfers (AXFR + IXFR).
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-/*%
- * A transfer in progress.  This is an opaque type.
- */
-typedef struct dns_xfrin_ctx dns_xfrin_ctx_t;
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-/*% see dns_xfrin_create2() */
-isc_result_t
-dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
-		 isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
-		 isc_mem_t *mctx, isc_timermgr_t *timermgr,
-		 isc_socketmgr_t *socketmgr, isc_task_t *task,
-		 dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp);
-
-isc_result_t
-dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
-		  isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
-		  dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
-		  isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
-		  isc_task_t *task, dns_xfrindone_t done,
-		  dns_xfrin_ctx_t **xfrp);
-/*%<
- * Attempt to start an incoming zone transfer of 'zone'
- * from 'masteraddr', creating a dns_xfrin_ctx_t object to
- * manage it.  Attach '*xfrp' to the newly created object.
- *
- * Iff ISC_R_SUCCESS is returned, '*done' is guaranteed to be
- * called in the context of 'task', with 'zone' and a result
- * code as arguments when the transfer finishes.
- *
- * Requires:
- *\li	'xfrtype' is dns_rdatatype_axfr, dns_rdatatype_ixfr
- *	or dns_rdatatype_soa (soa query followed by axfr if
- *	serial is greater than current serial).
- *
- *\li	If 'xfrtype' is dns_rdatatype_ixfr or dns_rdatatype_soa,
- *	the zone has a database.
- */
-
-void
-dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr);
-/*%<
- * If the zone transfer 'xfr' has already finished,
- * do nothing.  Otherwise, abort it and cause it to call
- * its done callback with a status of ISC_R_CANCELED.
- */
-
-void
-dns_xfrin_detach(dns_xfrin_ctx_t **xfrp);
-/*%<
- * Detach a reference to a zone transfer object.
- * Caller to maintain external locking if required.
- */
-
-void
-dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target);
-/*%<
- * Caller to maintain external locking if required.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_XFRIN_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zone.h b/contrib/bind9/lib/dns/include/dns/zone.h
deleted file mode 100644
index f91801f..0000000
--- a/contrib/bind9/lib/dns/include/dns/zone.h
+++ /dev/null
@@ -1,2104 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef DNS_ZONE_H
-#define DNS_ZONE_H 1
-
-/*! \file dns/zone.h */
-
-/***
- ***	Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/rwlock.h>
-
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/rdatastruct.h>
-#include <dns/rpz.h>
-#include <dns/types.h>
-#include <dns/zt.h>
-
-typedef enum {
-	dns_zone_none,
-	dns_zone_master,
-	dns_zone_slave,
-	dns_zone_stub,
-	dns_zone_staticstub,
-	dns_zone_key,
-	dns_zone_dlz,
-	dns_zone_redirect
-} dns_zonetype_t;
-
-typedef enum {
-	dns_zonestat_none = 0,
-	dns_zonestat_terse,
-	dns_zonestat_full
-} dns_zonestat_level_t;
-
-#define DNS_ZONEOPT_SERVERS	  0x00000001U	/*%< perform server checks */
-#define DNS_ZONEOPT_PARENTS	  0x00000002U	/*%< perform parent checks */
-#define DNS_ZONEOPT_CHILDREN	  0x00000004U	/*%< perform child checks */
-#define DNS_ZONEOPT_NOTIFY	  0x00000008U	/*%< perform NOTIFY */
-#define DNS_ZONEOPT_MANYERRORS	  0x00000010U	/*%< return many errors on load */
-#define DNS_ZONEOPT_IXFRFROMDIFFS 0x00000020U	/*%< calculate differences */
-#define DNS_ZONEOPT_NOMERGE	  0x00000040U	/*%< don't merge journal */
-#define DNS_ZONEOPT_CHECKNS	  0x00000080U	/*%< check if NS's are addresses */
-#define DNS_ZONEOPT_FATALNS	  0x00000100U	/*%< DNS_ZONEOPT_CHECKNS is fatal */
-#define DNS_ZONEOPT_MULTIMASTER	  0x00000200U	/*%< this zone has multiple masters */
-#define DNS_ZONEOPT_USEALTXFRSRC  0x00000400U	/*%< use alternate transfer sources */
-#define DNS_ZONEOPT_CHECKNAMES	  0x00000800U	/*%< check-names */
-#define DNS_ZONEOPT_CHECKNAMESFAIL 0x00001000U	/*%< fatal check-name failures */
-#define DNS_ZONEOPT_CHECKWILDCARD 0x00002000U	/*%< check for internal wildcards */
-#define DNS_ZONEOPT_CHECKMX	  0x00004000U	/*%< check-mx */
-#define DNS_ZONEOPT_CHECKMXFAIL   0x00008000U	/*%< fatal check-mx failures */
-#define DNS_ZONEOPT_CHECKINTEGRITY 0x00010000U	/*%< perform integrity checks */
-#define DNS_ZONEOPT_CHECKSIBLING  0x00020000U	/*%< perform sibling glue checks */
-#define DNS_ZONEOPT_NOCHECKNS	  0x00040000U	/*%< disable IN NS address checks */
-#define DNS_ZONEOPT_WARNMXCNAME	  0x00080000U	/*%< warn on MX CNAME check */
-#define DNS_ZONEOPT_IGNOREMXCNAME 0x00100000U	/*%< ignore MX CNAME check */
-#define DNS_ZONEOPT_WARNSRVCNAME  0x00200000U	/*%< warn on SRV CNAME check */
-#define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U	/*%< ignore SRV CNAME check */
-#define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U	/*%< check dnskey KSK flag */
-#define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U	/*%< try tcp refresh on udp failure */
-#define DNS_ZONEOPT_NOTIFYTOSOA	  0x02000000U	/*%< Notify the SOA MNAME */
-#define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U	/*%< nsec3-test-zone */
-#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< dnssec-secure-to-insecure */
-#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U	/*%< dnssec-dnskey-kskonly */
-#define DNS_ZONEOPT_CHECKDUPRR	  0x20000000U   /*%< check-dup-records */
-#define DNS_ZONEOPT_CHECKDUPRRFAIL 0x40000000U	/*%< fatal check-dup-records failures */
-#define DNS_ZONEOPT_CHECKSPF	  0x80000000U	/*%< check SPF records */
-
-#ifndef NOMINUM_PUBLIC
-/*
- * Nominum specific options build down.
- */
-#define DNS_ZONEOPT_NOTIFYFORWARD 0x80000000U	/* forward notify to master */
-#endif /* NOMINUM_PUBLIC */
-
-/*
- * Zone key maintenance options
- */
-#define DNS_ZONEKEY_ALLOW	0x00000001U	/*%< fetch keys on command */
-#define DNS_ZONEKEY_MAINTAIN	0x00000002U	/*%< publish/sign on schedule */
-#define DNS_ZONEKEY_CREATE	0x00000004U	/*%< make keys when needed */
-#define DNS_ZONEKEY_FULLSIGN    0x00000008U     /*%< roll to new keys immediately */
-#define DNS_ZONEKEY_NORESIGN	0x00000010U	/*%< no automatic resigning */
-
-#ifndef DNS_ZONE_MINREFRESH
-#define DNS_ZONE_MINREFRESH		    300	/*%< 5 minutes */
-#endif
-#ifndef DNS_ZONE_MAXREFRESH
-#define DNS_ZONE_MAXREFRESH		2419200	/*%< 4 weeks */
-#endif
-#ifndef DNS_ZONE_DEFAULTREFRESH
-#define DNS_ZONE_DEFAULTREFRESH		   3600	/*%< 1 hour */
-#endif
-#ifndef DNS_ZONE_MINRETRY
-#define DNS_ZONE_MINRETRY		    300	/*%< 5 minutes */
-#endif
-#ifndef DNS_ZONE_MAXRETRY
-#define DNS_ZONE_MAXRETRY		1209600	/*%< 2 weeks */
-#endif
-#ifndef DNS_ZONE_DEFAULTRETRY
-#define DNS_ZONE_DEFAULTRETRY		     60	/*%< 1 minute, subject to
-						   exponential backoff */
-#endif
-
-#define DNS_ZONESTATE_XFERRUNNING	1
-#define DNS_ZONESTATE_XFERDEFERRED	2
-#define DNS_ZONESTATE_SOAQUERY		3
-#define DNS_ZONESTATE_ANY		4
-
-ISC_LANG_BEGINDECLS
-
-/***
- ***	Functions
- ***/
-
-isc_result_t
-dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
-/*%<
- *	Creates a new empty zone and attach '*zonep' to it.
- *
- * Requires:
- *\li	'zonep' to point to a NULL pointer.
- *\li	'mctx' to be a valid memory context.
- *
- * Ensures:
- *\li	'*zonep' refers to a valid zone.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- */
-
-void
-dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
-/*%<
- *	Sets the class of a zone.  This operation can only be performed
- *	once on a zone.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	dns_zone_setclass() not to have been called since the zone was
- *	created.
- *\li	'rdclass' != dns_rdataclass_none.
- */
-
-dns_rdataclass_t
-dns_zone_getclass(dns_zone_t *zone);
-/*%<
- *	Returns the current zone class.
- *
- * Requires:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_getserial2(dns_zone_t *zone, isc_uint32_t *serialp);
-
-isc_uint32_t
-dns_zone_getserial(dns_zone_t *zone);
-/*%<
- *	Returns the current serial number of the zone.  On success, the SOA
- *	serial of the zone will be copied into '*serialp'.
- *	dns_zone_getserial() cannot catch failure cases and is deprecated by
- *	dns_zone_getserial2().
- *
- * Requires:
- *\li	'zone' to be a valid zone.
- *\li	'serialp' to be non NULL
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#DNS_R_NOTLOADED	zone DB is not loaded
- */
-
-void
-dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
-/*%<
- *	Sets the zone type. This operation can only be performed once on
- *	a zone.
- *
- * Requires:
- *\li	'zone' to be a valid zone.
- *\li	dns_zone_settype() not to have been called since the zone was
- *	created.
- *\li	'type' != dns_zone_none
- */
-
-void
-dns_zone_setview(dns_zone_t *zone, dns_view_t *view);
-/*%<
- *	Associate the zone with a view.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-dns_view_t *
-dns_zone_getview(dns_zone_t *zone);
-/*%<
- *	Returns the zone's associated view.
- *
- * Requires:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin);
-/*%<
- *	Sets the zones origin to 'origin'.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'origin' to be non NULL.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li 	#ISC_R_NOMEMORY
- */
-
-dns_name_t *
-dns_zone_getorigin(dns_zone_t *zone);
-/*%<
- *	Returns the value of the origin.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setfile(dns_zone_t *zone, const char *file);
-
-isc_result_t
-dns_zone_setfile2(dns_zone_t *zone, const char *file,
-		  dns_masterformat_t format);
-/*%<
- *    Sets the name of the master file in the format of 'format' from which
- *    the zone loads its database to 'file'.
- *
- *    For zones that have no associated master file, 'file' will be NULL.
- *
- *	For zones with persistent databases, the file name
- *	setting is ignored.
- *
- *    dns_zone_setfile() is a backward-compatible form of
- *    dns_zone_setfile2(), which always specifies the
- *    dns_masterformat_text (RFC1035) format.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_SUCCESS
- */
-
-const char *
-dns_zone_getfile(dns_zone_t *zone);
-/*%<
- * 	Gets the name of the zone's master file, if any.
- *
- * Requires:
- *\li	'zone' to be valid initialised zone.
- *
- * Returns:
- *\li	Pointer to null-terminated file name, or NULL.
- */
-
-isc_result_t
-dns_zone_load(dns_zone_t *zone);
-
-isc_result_t
-dns_zone_loadnew(dns_zone_t *zone);
-
-isc_result_t
-dns_zone_loadandthaw(dns_zone_t *zone);
-
-/*%<
- *	Cause the database to be loaded from its backing store.
- *	Confirm that the minimum requirements for the zone type are
- *	met, otherwise DNS_R_BADZONE is returned.
- *
- *	dns_zone_loadnew() only loads zones that are not yet loaded.
- *	dns_zone_load() also loads zones that are already loaded and
- *	and whose master file has changed since the last load.
- *	dns_zone_loadandthaw() is similar to dns_zone_load() but will
- *	also re-enable DNS UPDATEs when the load completes.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	#ISC_R_UNEXPECTED
- *\li	#ISC_R_SUCCESS
- *\li	DNS_R_CONTINUE	  Incremental load has been queued.
- *\li	DNS_R_UPTODATE	  The zone has already been loaded based on
- *			  file system timestamps.
- *\li	DNS_R_BADZONE
- *\li	Any result value from dns_db_load().
- */
-
-isc_result_t
-dns_zone_asyncload(dns_zone_t *zone, dns_zt_zoneloaded_t done, void *arg);
-/*%<
- * Cause the database to be loaded from its backing store asynchronously.
- * Other zone maintenance functions are suspended until this is complete.
- * When finished, 'done' is called to inform the caller, with 'arg' as
- * its first argument and 'zone' as its second.  (Normally, 'arg' is
- * expected to point to the zone table but is left undefined for testing
- * purposes.)
- */
-
-isc_boolean_t
-dns__zone_loadpending(dns_zone_t *zone);
-/*%<
- * Indicates whether the zone is waiting to be loaded asynchronously.
- * (Not currently intended for use outside of this module and associated
- * tests.)
- */
-
-void
-dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
-/*%<
- *	Attach '*target' to 'source' incrementing its external
- * 	reference count.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'target' to be non NULL and '*target' to be NULL.
- */
-
-void
-dns_zone_detach(dns_zone_t **zonep);
-/*%<
- *	Detach from a zone decrementing its external reference count.
- *	If this was the last external reference to the zone it will be
- * 	shut down and eventually freed.
- *
- * Require:
- *\li	'zonep' to point to a valid zone.
- */
-
-void
-dns_zone_iattach(dns_zone_t *source, dns_zone_t **target);
-/*%<
- *	Attach '*target' to 'source' incrementing its internal
- * 	reference count.  This is intended for use by operations
- * 	such as zone transfers that need to prevent the zone
- * 	object from being freed but not from shutting down.
- *
- * Require:
- *\li	The caller is running in the context of the zone's task.
- *\li	'zone' to be a valid zone.
- *\li	'target' to be non NULL and '*target' to be NULL.
- */
-
-void
-dns_zone_idetach(dns_zone_t **zonep);
-/*%<
- *	Detach from a zone decrementing its internal reference count.
- *	If there are no more internal or external references to the
- * 	zone, it will be freed.
- *
- * Require:
- *\li	The caller is running in the context of the zone's task.
- *\li	'zonep' to point to a valid zone.
- */
-
-void
-dns_zone_setflag(dns_zone_t *zone, unsigned int flags, isc_boolean_t value);
-/*%<
- *	Sets ('value' == 'ISC_TRUE') / clears ('value' == 'IS_FALSE')
- *	zone flags.  Valid flag bits are DNS_ZONE_F_*.
- *
- * Requires
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
-/*%<
- * 	Attach '*dbp' to the database to if it exists otherwise
- *	return DNS_R_NOTLOADED.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'dbp' to be != NULL && '*dbp' == NULL.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	DNS_R_NOTLOADED
- */
-
-void
-dns_zone_setdb(dns_zone_t *zone, dns_db_t *db);
-/*%<
- *	Sets the zone database to 'db'.
- *
- *	This function is expected to be used to configure a zone with a
- *	database which is not loaded from a file or zone transfer.
- *	It can be used for a general purpose zone, but right now its use
- *	is limited to static-stub zones to avoid possible undiscovered
- *	problems in the general cases.
- *
- * Require:
- *\li	'zone' to be a valid zone of static-stub.
- *\li	zone doesn't have a database.
- */
-
-isc_result_t
-dns_zone_setdbtype(dns_zone_t *zone,
-		   unsigned int dbargc, const char * const *dbargv);
-/*%<
- *	Sets the database type to dbargv[0] and database arguments
- *	to subsequent dbargv elements.
- *	'db_type' is not checked to see if it is a valid database type.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'database' to be non NULL.
- *\li	'dbargc' to be >= 1
- *\li	'dbargv' to point to dbargc NULL-terminated strings
- *
- * Returns:
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_SUCCESS
- */
-
-isc_result_t
-dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx);
-/*%<
- *	Returns the current dbtype.  isc_mem_free() should be used
- * 	to free 'argv' after use.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'argv' to be non NULL and *argv to be NULL.
- *\li	'mctx' to be valid.
- *
- * Returns:
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_SUCCESS
- */
-
-void
-dns_zone_markdirty(dns_zone_t *zone);
-/*%<
- *	Mark a zone as 'dirty'.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_expire(dns_zone_t *zone);
-/*%<
- *	Mark the zone as expired.  If the zone requires dumping cause it to
- *	be initiated.  Set the refresh and retry intervals to there default
- *	values and unload the zone.
- *
- * Require
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_refresh(dns_zone_t *zone);
-/*%<
- *	Initiate zone up to date checks.  The zone must already be being
- *	managed.
- *
- * Require
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_flush(dns_zone_t *zone);
-/*%<
- *	Write the zone to database if there are uncommitted changes.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_dump(dns_zone_t *zone);
-/*%<
- *	Write the zone to database.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
-
-isc_result_t
-dns_zone_dumptostream2(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
-		       const dns_master_style_t *style);
-isc_result_t
-dns_zone_dumptostream3(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
-		       const dns_master_style_t *style,
-		       const isc_uint32_t rawversion);
-/*%<
- *    Write the zone to stream 'fd' in the specified 'format'.
- *    If the 'format' is dns_masterformat_text (RFC1035), 'style' also
- *    specifies the file style (e.g., &dns_master_style_default).
- *
- *    dns_zone_dumptostream() is a backward-compatible form of
- *    dns_zone_dumptostream2(), which always uses the dns_masterformat_text
- *    format and the dns_master_style_default style.
- *
- *    dns_zone_dumptostream2() is a backward-compatible form of
- *    dns_zone_dumptostream3(), which always uses the current
- *    default raw file format version.
- *
- *    Note that dns_zone_dumptostream3() is the most flexible form.  It
- *    can also provide the functionality of dns_zone_fulldumptostream().
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'fd' to be a stream open for writing.
- */
-
-isc_result_t
-dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd);
-/*%<
- *	The same as dns_zone_dumptostream, but dumps the zone with
- *	different dump settings (dns_master_style_full).
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'fd' to be a stream open for writing.
- */
-
-void
-dns_zone_maintenance(dns_zone_t *zone);
-/*%<
- *	Perform regular maintenance on the zone.  This is called as a
- *	result of a zone being managed.
- *
- * Require
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
-		    isc_uint32_t count);
-isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone,
-			    const isc_sockaddr_t *masters,
-			    dns_name_t **keynames,
-			    isc_uint32_t count);
-/*%<
- *	Set the list of master servers for the zone.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'masters' array of isc_sockaddr_t with port set or NULL.
- *\li	'count' the number of masters.
- *\li      'keynames' array of dns_name_t's for tsig keys or NULL.
- *
- *  \li    dns_zone_setmasters() is just a wrapper to setmasterswithkeys(),
- *      passing NULL in the keynames field.
- *
- * \li	If 'masters' is NULL then 'count' must be zero.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li      Any result dns_name_dup() can return, if keynames!=NULL
- */
-
-isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
-		       isc_uint32_t count);
-isc_result_t
-dns_zone_setalsonotifywithkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
-							   dns_name_t **keynames, isc_uint32_t count);
-/*%<
- *	Set the list of additional servers to be notified when
- *	a zone changes.	 To clear the list use 'count = 0'.
- *
- *	dns_zone_alsonotifywithkeys() allows each notify address to
- *	be associated with a TSIG key.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'notify' to be non-NULL if count != 0.
- *\li	'count' to be the number of notifiees.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-void
-dns_zone_unload(dns_zone_t *zone);
-/*%<
- *	detach the database from the zone structure.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value);
-/*%<
- *	Set given options on ('value' == ISC_TRUE) or off ('value' ==
- *	#ISC_FALSE).
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-unsigned int
-dns_zone_getoptions(dns_zone_t *zone);
-/*%<
- *	Returns the current zone options.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setkeyopt(dns_zone_t *zone, unsigned int option, isc_boolean_t value);
-/*%<
- *	Set key options on ('value' == ISC_TRUE) or off ('value' ==
- *	#ISC_FALSE).
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-unsigned int
-dns_zone_getkeyopts(dns_zone_t *zone);
-/*%<
- *	Returns the current zone key options.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val);
-/*%<
- *	Set the minimum refresh time.
- *
- * Requires:
- *\li	'zone' is valid.
- *\li	val > 0.
- */
-
-void
-dns_zone_setmaxrefreshtime(dns_zone_t *zone, isc_uint32_t val);
-/*%<
- *	Set the maximum refresh time.
- *
- * Requires:
- *\li	'zone' is valid.
- *\li	val > 0.
- */
-
-void
-dns_zone_setminretrytime(dns_zone_t *zone, isc_uint32_t val);
-/*%<
- *	Set the minimum retry time.
- *
- * Requires:
- *\li	'zone' is valid.
- *\li	val > 0.
- */
-
-void
-dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val);
-/*%<
- *	Set the maximum retry time.
- *
- * Requires:
- *\li	'zone' is valid.
- *	val > 0.
- */
-
-isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
-isc_result_t
-dns_zone_setaltxfrsource4(dns_zone_t *zone,
-			  const isc_sockaddr_t *xfrsource);
-/*%<
- * 	Set the source address to be used in IPv4 zone transfers.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'xfrsource' to contain the address.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- */
-
-isc_sockaddr_t *
-dns_zone_getxfrsource4(dns_zone_t *zone);
-isc_sockaddr_t *
-dns_zone_getaltxfrsource4(dns_zone_t *zone);
-/*%<
- *	Returns the source address set by a previous dns_zone_setxfrsource4
- *	call, or the default of inaddr_any, port 0.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
-isc_result_t
-dns_zone_setaltxfrsource6(dns_zone_t *zone,
-			  const isc_sockaddr_t *xfrsource);
-/*%<
- * 	Set the source address to be used in IPv6 zone transfers.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'xfrsource' to contain the address.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- */
-
-isc_sockaddr_t *
-dns_zone_getxfrsource6(dns_zone_t *zone);
-isc_sockaddr_t *
-dns_zone_getaltxfrsource6(dns_zone_t *zone);
-/*%<
- *	Returns the source address set by a previous dns_zone_setxfrsource6
- *	call, or the default of in6addr_any, port 0.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
-/*%<
- * 	Set the source address to be used with IPv4 NOTIFY messages.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'notifysrc' to contain the address.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- */
-
-isc_sockaddr_t *
-dns_zone_getnotifysrc4(dns_zone_t *zone);
-/*%<
- *	Returns the source address set by a previous dns_zone_setnotifysrc4
- *	call, or the default of inaddr_any, port 0.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
-/*%<
- * 	Set the source address to be used with IPv6 NOTIFY messages.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'notifysrc' to contain the address.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- */
-
-isc_sockaddr_t *
-dns_zone_getnotifysrc6(dns_zone_t *zone);
-/*%<
- *	Returns the source address set by a previous dns_zone_setnotifysrc6
- *	call, or the default of in6addr_any, port 0.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl);
-/*%<
- *	Sets the notify acl list for the zone.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'acl' to be a valid acl.
- */
-
-void
-dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
-/*%<
- *	Sets the query acl list for the zone.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'acl' to be a valid acl.
- */
-
-void
-dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl);
-/*%<
- *	Sets the query-on acl list for the zone.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'acl' to be a valid acl.
- */
-
-void
-dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
-/*%<
- *	Sets the update acl list for the zone.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'acl' to be valid acl.
- */
-
-void
-dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl);
-/*%<
- *	Sets the forward unsigned updates acl list for the zone.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'acl' to be valid acl.
- */
-
-void
-dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
-/*%<
- *	Sets the transfer acl list for the zone.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'acl' to be valid acl.
- */
-
-dns_acl_t *
-dns_zone_getnotifyacl(dns_zone_t *zone);
-/*%<
- * 	Returns the current notify acl or NULL.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	acl a pointer to the acl.
- *\li	NULL
- */
-
-dns_acl_t *
-dns_zone_getqueryacl(dns_zone_t *zone);
-/*%<
- * 	Returns the current query acl or NULL.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	acl a pointer to the acl.
- *\li	NULL
- */
-
-dns_acl_t *
-dns_zone_getqueryonacl(dns_zone_t *zone);
-/*%<
- * 	Returns the current query-on acl or NULL.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	acl a pointer to the acl.
- *\li	NULL
- */
-
-dns_acl_t *
-dns_zone_getupdateacl(dns_zone_t *zone);
-/*%<
- * 	Returns the current update acl or NULL.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	acl a pointer to the acl.
- *\li	NULL
- */
-
-dns_acl_t *
-dns_zone_getforwardacl(dns_zone_t *zone);
-/*%<
- * 	Returns the current forward unsigned updates acl or NULL.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	acl a pointer to the acl.
- *\li	NULL
- */
-
-dns_acl_t *
-dns_zone_getxfracl(dns_zone_t *zone);
-/*%<
- * 	Returns the current transfer acl or NULL.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	acl a pointer to the acl.
- *\li	NULL
- */
-
-void
-dns_zone_clearupdateacl(dns_zone_t *zone);
-/*%<
- *	Clear the current update acl.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_clearforwardacl(dns_zone_t *zone);
-/*%<
- *	Clear the current forward unsigned updates acl.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_clearnotifyacl(dns_zone_t *zone);
-/*%<
- *	Clear the current notify acl.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_clearqueryacl(dns_zone_t *zone);
-/*%<
- *	Clear the current query acl.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_clearqueryonacl(dns_zone_t *zone);
-/*%<
- *	Clear the current query-on acl.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_clearxfracl(dns_zone_t *zone);
-/*%<
- *	Clear the current transfer acl.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-isc_boolean_t
-dns_zone_getupdatedisabled(dns_zone_t *zone);
-/*%<
- * Return update disabled.
- * Transient unless called when running in isc_task_exclusive() mode.
- */
-
-void
-dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state);
-/*%<
- * Set update disabled.
- * Should only be called only when running in isc_task_exclusive() mode.
- * Failure to do so may result in updates being committed after the
- * call has been made.
- */
-
-isc_boolean_t
-dns_zone_getzeronosoattl(dns_zone_t *zone);
-/*%<
- * Return zero-no-soa-ttl status.
- */
-
-void
-dns_zone_setzeronosoattl(dns_zone_t *zone, isc_boolean_t state);
-/*%<
- * Set zero-no-soa-ttl status.
- */
-
-void
-dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
-/*%<
- * 	Set the severity of name checking when loading a zone.
- *
- * Require:
- * \li     'zone' to be a valid zone.
- */
-
-dns_severity_t
-dns_zone_getchecknames(dns_zone_t *zone);
-/*%<
- *	Return the current severity of name checking.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size);
-/*%<
- *	Sets the journal size for the zone.
- *
- * Requires:
- *\li	'zone' to be a valid zone.
- */
-
-isc_int32_t
-dns_zone_getjournalsize(dns_zone_t *zone);
-/*%<
- *	Return the journal size as set with a previous call to
- *	dns_zone_setjournalsize().
- *
- * Requires:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
-		       dns_message_t *msg);
-/*%<
- *	Tell the zone that it has received a NOTIFY message from another
- *	server.  This may cause some zone maintenance activity to occur.
- *
- * Requires:
- *\li	'zone' to be a valid zone.
- *\li	'*from' to contain the address of the server from which 'msg'
- *		was received.
- *\li	'msg' a message with opcode NOTIFY and qr clear.
- *
- * Returns:
- *\li	DNS_R_REFUSED
- *\li	DNS_R_NOTIMP
- *\li	DNS_R_FORMERR
- *\li	DNS_R_SUCCESS
- */
-
-void
-dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin);
-/*%<
- * Set the maximum time (in seconds) that a zone transfer in (AXFR/IXFR)
- * of this zone will use before being aborted.
- *
- * Requires:
- * \li	'zone' to be valid initialised zone.
- */
-
-isc_uint32_t
-dns_zone_getmaxxfrin(dns_zone_t *zone);
-/*%<
- * Returns the maximum transfer time for this zone.  This will be
- * either the value set by the last call to dns_zone_setmaxxfrin() or
- * the default value of 1 hour.
- *
- * Requires:
- *\li	'zone' to be valid initialised zone.
- */
-
-void
-dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout);
-/*%<
- * Set the maximum time (in seconds) that a zone transfer out (AXFR/IXFR)
- * of this zone will use before being aborted.
- *
- * Requires:
- * \li	'zone' to be valid initialised zone.
- */
-
-isc_uint32_t
-dns_zone_getmaxxfrout(dns_zone_t *zone);
-/*%<
- * Returns the maximum transfer time for this zone.  This will be
- * either the value set by the last call to dns_zone_setmaxxfrout() or
- * the default value of 1 hour.
- *
- * Requires:
- *\li	'zone' to be valid initialised zone.
- */
-
-isc_result_t
-dns_zone_setjournal(dns_zone_t *zone, const char *journal);
-/*%<
- * Sets the filename used for journaling updates / IXFR transfers.
- * The default journal name is set by dns_zone_setfile() to be
- * "file.jnl".  If 'journal' is NULL, the zone will have no
- * journal name.
- *
- * Requires:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-char *
-dns_zone_getjournal(dns_zone_t *zone);
-/*%<
- * Returns the journal name associated with this zone.
- * If no journal has been set this will be NULL.
- *
- * Requires:
- *\li	'zone' to be valid initialised zone.
- */
-
-dns_zonetype_t
-dns_zone_gettype(dns_zone_t *zone);
-/*%<
- * Returns the type of the zone (master/slave/etc.)
- *
- * Requires:
- *\li	'zone' to be valid initialised zone.
- */
-
-void
-dns_zone_settask(dns_zone_t *zone, isc_task_t *task);
-/*%<
- * Give a zone a task to work with.  Any current task will be detached.
- *
- * Requires:
- *\li	'zone' to be valid.
- *\li	'task' to be valid.
- */
-
-void
-dns_zone_gettask(dns_zone_t *zone, isc_task_t **target);
-/*%<
- * Attach '*target' to the zone's task.
- *
- * Requires:
- *\li	'zone' to be valid initialised zone.
- *\li	'zone' to have a task.
- *\li	'target' to be != NULL && '*target' == NULL.
- */
-
-void
-dns_zone_notify(dns_zone_t *zone);
-/*%<
- * Generate notify events for this zone.
- *
- * Requires:
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump);
-/*%<
- * Replace the database of "zone" with a new database "db".
- *
- * If "dump" is ISC_TRUE, then the new zone contents are dumped
- * into to the zone's master file for persistence.  When replacing
- * a zone database by one just loaded from a master file, set
- * "dump" to ISC_FALSE to avoid a redundant redump of the data just
- * loaded.  Otherwise, it should be set to ISC_TRUE.
- *
- * If the "diff-on-reload" option is enabled in the configuration file,
- * the differences between the old and the new database are added to the
- * journal file, and the master file dump is postponed.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- *
- * Returns:
- * \li	DNS_R_SUCCESS
- * \li	DNS_R_BADZONE	zone failed basic consistency checks:
- *			* a single SOA must exist
- *			* some NS records must exist.
- *	Others
- */
-
-isc_uint32_t
-dns_zone_getidlein(dns_zone_t *zone);
-/*%<
- * Requires:
- * \li	'zone' to be a valid zone.
- *
- * Returns:
- * \li	number of seconds of idle time before we abort the transfer in.
- */
-
-void
-dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein);
-/*%<
- * \li	Set the idle timeout for transfer the.
- * \li	Zero set the default value, 1 hour.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-isc_uint32_t
-dns_zone_getidleout(dns_zone_t *zone);
-/*%<
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- *
- * Returns:
- * \li	number of seconds of idle time before we abort a transfer out.
- */
-
-void
-dns_zone_setidleout(dns_zone_t *zone, isc_uint32_t idleout);
-/*%<
- * \li	Set the idle timeout for transfers out.
- * \li	Zero set the default value, 1 hour.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table);
-/*%<
- * Get the simple-secure-update policy table.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table);
-/*%<
- * Set / clear the simple-secure-update policy table.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-isc_mem_t *
-dns_zone_getmctx(dns_zone_t *zone);
-/*%<
- * Get the memory context of a zone.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-dns_zonemgr_t *
-dns_zone_getmgr(dns_zone_t *zone);
-/*%<
- *	If 'zone' is managed return the zone manager otherwise NULL.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval);
-/*%<
- * Set the zone's RRSIG validity interval.  This is the length of time
- * for which DNSSEC signatures created as a result of dynamic updates
- * to secure zones will remain valid, in seconds.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-isc_uint32_t
-dns_zone_getsigvalidityinterval(dns_zone_t *zone);
-/*%<
- * Get the zone's RRSIG validity interval.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval);
-/*%<
- * Set the zone's RRSIG re-signing interval.  A dynamic zone's RRSIG's
- * will be re-signed 'interval' amount of time before they expire.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-isc_uint32_t
-dns_zone_getsigresigninginterval(dns_zone_t *zone);
-/*%<
- * Get the zone's RRSIG re-signing interval.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype);
-/*%<
- * Sets zone notify method to "notifytype"
- */
-
-isc_result_t
-dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
-		       dns_updatecallback_t callback, void *callback_arg);
-/*%<
- * Forward 'msg' to each master in turn until we get an answer or we
- * have exhausted the list of masters. 'callback' will be called with
- * ISC_R_SUCCESS if we get an answer and the returned message will be
- * passed as 'answer_message', otherwise a non ISC_R_SUCCESS result code
- * will be passed and answer_message will be NULL.  The callback function
- * is responsible for destroying 'answer_message'.
- *		(callback)(callback_arg, result, answer_message);
- *
- * Require:
- *\li	'zone' to be valid
- *\li	'msg' to be valid.
- *\li	'callback' to be non NULL.
- * Returns:
- *\li	#ISC_R_SUCCESS if the message has been forwarded,
- *\li	#ISC_R_NOMEMORY
- *\li	Others
- */
-
-isc_result_t
-dns_zone_next(dns_zone_t *zone, dns_zone_t **next);
-/*%<
- * Find the next zone in the list of managed zones.
- *
- * Requires:
- *\li	'zone' to be valid
- *\li	The zone manager for the indicated zone MUST be locked
- *	by the caller.  This is not checked.
- *\li	'next' be non-NULL, and '*next' be NULL.
- *
- * Ensures:
- *\li	'next' points to a valid zone (result ISC_R_SUCCESS) or to NULL
- *	(result ISC_R_NOMORE).
- */
-
-
-
-isc_result_t
-dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
-/*%<
- * Find the first zone in the list of managed zones.
- *
- * Requires:
- *\li	'zonemgr' to be valid
- *\li	The zone manager for the indicated zone MUST be locked
- *	by the caller.  This is not checked.
- *\li	'first' be non-NULL, and '*first' be NULL
- *
- * Ensures:
- *\li	'first' points to a valid zone (result ISC_R_SUCCESS) or to NULL
- *	(result ISC_R_NOMORE).
- */
-
-isc_result_t
-dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
-/*%<
- *	Sets the name of the directory where private keys used for
- *	online signing of dynamic zones are found.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *
- * Returns:
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_SUCCESS
- */
-
-const char *
-dns_zone_getkeydirectory(dns_zone_t *zone);
-/*%<
- * 	Gets the name of the directory where private keys used for
- *	online signing of dynamic zones are found.
- *
- * Requires:
- *\li	'zone' to be valid initialised zone.
- *
- * Returns:
- *	Pointer to null-terminated file name, or NULL.
- */
-
-
-isc_result_t
-dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
-		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
-		   dns_zonemgr_t **zmgrp);
-/*%<
- * Create a zone manager.  Note: the zone manager will not be able to
- * manage any zones until dns_zonemgr_setsize() has been run.
- *
- * Requires:
- *\li	'mctx' to be a valid memory context.
- *\li	'taskmgr' to be a valid task manager.
- *\li	'timermgr' to be a valid timer manager.
- *\li	'zmgrp'	to point to a NULL pointer.
- */
-
-isc_result_t
-dns_zonemgr_setsize(dns_zonemgr_t *zmgr, int num_zones);
-/*%<
- *	Set the size of the zone manager task pool.  This must be run
- *	before zmgr can be used for managing zones.  Currently, it can only
- *	be run once; the task pool cannot be resized.
- *
- * Requires:
- *\li	zmgr is a valid zone manager.
- *\li	zmgr->zonetasks has been initialized.
- */
-
-isc_result_t
-dns_zonemgr_createzone(dns_zonemgr_t *zmgr, dns_zone_t **zonep);
-/*%<
- *	Allocate a new zone using a memory context from the
- *	zone manager's memory context pool.
- *
- * Require:
- *\li	'zmgr' to be a valid zone manager.
- *\li	'zonep' != NULL and '*zonep' == NULL.
- */
-
-
-isc_result_t
-dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
-/*%<
- *	Bring the zone under control of a zone manager.
- *
- * Require:
- *\li	'zmgr' to be a valid zone manager.
- *\li	'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
-/*%<
- * Force zone maintenance of all zones managed by 'zmgr' at its
- * earliest convenience.
- */
-
-void
-dns__zonemgr_run(isc_task_t *task, isc_event_t *event);
-/*%<
- * Event handler to call dns_zonemgr_forcemaint(); used to start
- * zone operations from a unit test.  Not intended for use outside
- * libdns or related tests.
- */
-
-void
-dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr);
-/*%<
- * Attempt to start any stalled zone transfers.
- */
-
-void
-dns_zonemgr_shutdown(dns_zonemgr_t *zmgr);
-/*%<
- *	Shut down the zone manager.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- */
-
-void
-dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target);
-/*%<
- *	Attach '*target' to 'source' incrementing its external
- * 	reference count.
- *
- * Require:
- *\li	'zone' to be a valid zone.
- *\li	'target' to be non NULL and '*target' to be NULL.
- */
-
-void
-dns_zonemgr_detach(dns_zonemgr_t **zmgrp);
-/*%<
- *	 Detach from a zone manager.
- *
- * Requires:
- *\li	'*zmgrp' is a valid, non-NULL zone manager pointer.
- *
- * Ensures:
- *\li	'*zmgrp' is NULL.
- */
-
-void
-dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
-/*%<
- *	Release 'zone' from the managed by 'zmgr'.  'zmgr' is implicitly
- *	detached from 'zone'.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- *\li	'zone' to be a valid zone.
- *\li	'zmgr' == 'zone->zmgr'
- *
- * Ensures:
- *\li	'zone->zmgr' == NULL;
- */
-
-void
-dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value);
-/*%<
- *	Set the maximum number of simultaneous transfers in allowed by
- *	the zone manager.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- */
-
-isc_uint32_t
-dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
-/*%<
- *	Return the maximum number of simultaneous transfers in allowed.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- */
-
-void
-dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, isc_uint32_t value);
-/*%<
- *	Set the number of zone transfers allowed per nameserver.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager
- */
-
-isc_uint32_t
-dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr);
-/*%<
- *	Return the number of transfers allowed per nameserver.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- */
-
-void
-dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit);
-/*%<
- *	Set the number of simultaneous file descriptors available for
- *	reading and writing masterfiles.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- *\li	'iolimit' to be positive.
- */
-
-isc_uint32_t
-dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr);
-/*%<
- *	Get the number of simultaneous file descriptors available for
- *	reading and writing masterfiles.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- */
-
-void
-dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value);
-/*%<
- *	Set the number of SOA queries sent per second.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager
- */
-
-unsigned int
-dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr);
-/*%<
- *	Return the number of SOA queries sent per second.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- */
-
-unsigned int
-dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state);
-/*%<
- *	Returns the number of zones in the specified state.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- *\li	'state' to be a valid DNS_ZONESTATE_ constant.
- */
-
-void
-dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
-			   isc_sockaddr_t *local, isc_time_t *now);
-/*%<
- *	Add the pair of addresses to the unreachable cache.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- *\li	'remote' to be a valid sockaddr.
- *\li	'local' to be a valid sockaddr.
- */
-
-isc_boolean_t
-dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
-			isc_sockaddr_t *local, isc_time_t *now);
-/*%<
- *	Returns ISC_TRUE if the given local/remote address pair
- *	is found in the zone maanger's unreachable cache.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- *\li	'remote' to be a valid sockaddr.
- *\li	'local' to be a valid sockaddr.
- *\li	'now' != NULL
- */
-
-void
-dns_zonemgr_unreachabledel(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
-			   isc_sockaddr_t *local);
-/*%<
- *	Remove the pair of addresses from the unreachable cache.
- *
- * Requires:
- *\li	'zmgr' to be a valid zone manager.
- *\li	'remote' to be a valid sockaddr.
- *\li	'local' to be a valid sockaddr.
- */
-
-void
-dns_zone_forcereload(dns_zone_t *zone);
-/*%<
- *      Force a reload of specified zone.
- *
- * Requires:
- *\li      'zone' to be a valid zone.
- */
-
-isc_boolean_t
-dns_zone_isforced(dns_zone_t *zone);
-/*%<
- *      Check if the zone is waiting a forced reload.
- *
- * Requires:
- * \li     'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on);
-/*%<
- * This function is obsoleted by dns_zone_setrequeststats().
- */
-
-isc_uint64_t *
-dns_zone_getstatscounters(dns_zone_t *zone);
-/*%<
- * This function is obsoleted by dns_zone_getrequeststats().
- */
-
-void
-dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats);
-/*%<
- * Set a general zone-maintenance statistics set 'stats' for 'zone'.  This
- * function is expected to be called only on zone creation (when necessary).
- * Once installed, it cannot be removed or replaced.  Also, there is no
- * interface to get the installed stats from the zone; the caller must keep the
- * stats to reference (e.g. dump) it later.
- *
- * Requires:
- * \li	'zone' to be a valid zone and does not have a statistics set already
- *	installed.
- *
- *\li	stats is a valid statistics supporting zone statistics counters
- *	(see dns/stats.h).
- */
-
-void
-dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats);
-
-void
-dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats);
-/*%<
- * Set additional statistics sets to zone.  These are attached to the zone
- * but are not counted in the zone module; only the caller updates the
- * counters.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- *
- *\li	stats is a valid statistics.
- */
-
-#ifdef NEWSTATS
-void
-dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats);
-#endif
-
-isc_stats_t *
-dns_zone_getrequeststats(dns_zone_t *zone);
-
-#ifdef NEWSTATS
-dns_stats_t *
-dns_zone_getrcvquerystats(dns_zone_t *zone);
-#endif
-
-/*%<
- * Get the additional statistics for zone, if one is installed.
- *
- * Requires:
- * \li	'zone' to be a valid zone.
- *
- * Returns:
- * \li	when available, a pointer to the statistics set installed in zone;
- *	otherwise NULL.
- */
-
-void
-dns_zone_dialup(dns_zone_t *zone);
-/*%<
- * Perform dialup-time maintenance on 'zone'.
- */
-
-void
-dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup);
-/*%<
- * Set the dialup type of 'zone' to 'dialup'.
- *
- * Requires:
- * \li	'zone' to be valid initialised zone.
- *\li	'dialup' to be a valid dialup type.
- */
-
-void
-dns_zone_log(dns_zone_t *zone, int level, const char *msg, ...)
-	ISC_FORMAT_PRINTF(3, 4);
-/*%<
- * Log the message 'msg...' at 'level', including text that identifies
- * the message as applying to 'zone'.
- */
-
-void
-dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
-	      const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
-/*%<
- * Log the message 'msg...' at 'level', including text that identifies
- * the message as applying to 'zone'.
- */
-
-void
-dns_zone_name(dns_zone_t *zone, char *buf, size_t len);
-/*%<
- * Return the name of the zone with class and view.
- *
- * Requires:
- *\li	'zone' to be valid.
- *\li	'buf' to be non NULL.
- */
-
-isc_result_t
-dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata);
-/*%<
- * Check if this record meets the check-names policy.
- *
- * Requires:
- *	'zone' to be valid.
- *	'name' to be valid.
- *	'rdata' to be valid.
- *
- * Returns:
- *	DNS_R_SUCCESS		passed checks.
- *	DNS_R_BADOWNERNAME	failed ownername checks.
- *	DNS_R_BADNAME		failed rdata checks.
- */
-
-void
-dns_zone_setacache(dns_zone_t *zone, dns_acache_t *acache);
-/*%<
- *	Associate the zone with an additional cache.
- *
- * Require:
- *	'zone' to be a valid zone.
- *	'acache' to be a non NULL pointer.
- *
- * Ensures:
- *	'zone' will have a reference to 'acache'
- */
-
-void
-dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx);
-/*%<
- *	Set the post load integrity callback function 'checkmx'.
- *	'checkmx' will be called if the MX TARGET is not within the zone.
- *
- * Require:
- *	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setchecksrv(dns_zone_t *zone, dns_checkmxfunc_t checksrv);
-/*%<
- *	Set the post load integrity callback function 'checksrv'.
- *	'checksrv' will be called if the SRV TARGET is not within the zone.
- *
- * Require:
- *	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns);
-/*%<
- *	Set the post load integrity callback function 'checkns'.
- *	'checkns' will be called if the NS TARGET is not within the zone.
- *
- * Require:
- *	'zone' to be a valid zone.
- */
-
-void
-dns_zone_setnotifydelay(dns_zone_t *zone, isc_uint32_t delay);
-/*%<
- * Set the minimum delay between sets of notify messages.
- *
- * Requires:
- *	'zone' to be valid.
- */
-
-isc_uint32_t
-dns_zone_getnotifydelay(dns_zone_t *zone);
-/*%<
- * Get the minimum delay between sets of notify messages.
- *
- * Requires:
- *	'zone' to be valid.
- */
-
-void
-dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg);
-/*%<
- * Set the isself callback function and argument.
- *
- * isc_boolean_t
- * isself(dns_view_t *myview, dns_tsigkey_t *mykey, isc_netaddr_t *srcaddr,
- *	  isc_netaddr_t *destaddr, dns_rdataclass_t rdclass, void *arg);
- *
- * 'isself' returns ISC_TRUE if a non-recursive query from 'srcaddr' to
- * 'destaddr' with optional key 'mykey' for class 'rdclass' would be
- * delivered to 'myview'.
- */
-
-void
-dns_zone_setnodes(dns_zone_t *zone, isc_uint32_t nodes);
-/*%<
- * Set the number of nodes that will be checked per quantum.
- */
-
-void
-dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures);
-/*%<
- * Set the number of signatures that will be generated per quantum.
- */
-
-isc_result_t
-dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
-		     isc_uint16_t keyid, isc_boolean_t deleteit);
-/*%<
- * Initiate/resume signing of the entire zone with the zone DNSKEY(s)
- * that match the given algorithm and keyid.
- */
-
-isc_result_t
-dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param);
-/*%<
- * Incrementally add a NSEC3 chain that corresponds to 'nsec3param'.
- */
-
-void
-dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type);
-dns_rdatatype_t
-dns_zone_getprivatetype(dns_zone_t *zone);
-/*
- * Get/Set the private record type.  It is expected that these interfaces
- * will not be permanent.
- */
-
-void
-dns_zone_rekey(dns_zone_t *zone, isc_boolean_t fullsign);
-/*%<
- * Update the zone's DNSKEY set from the key repository.
- *
- * If 'fullsign' is true, trigger an immediate full signing of
- * the zone with the new key.  Otherwise, if there are no keys or
- * if the new keys are for algorithms that have already signed the
- * zone, then the zone can be re-signed incrementally.
- */
-
-isc_result_t
-dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
-		 unsigned int *errors);
-/*%
- * Check if the name servers for the zone are sane (have address, don't
- * refer to CNAMEs/DNAMEs.  The number of constiancy errors detected in
- * returned in '*errors'
- *
- * Requires:
- * \li	'zone' to be valid.
- * \li	'db' to be valid.
- * \li	'version' to be valid or NULL.
- * \li	'errors' to be non NULL.
- *
- * Returns:
- * 	ISC_R_SUCCESS if there were no errors examining the zone contents.
- */
-
-void
-dns_zone_setadded(dns_zone_t *zone, isc_boolean_t added);
-/*%
- * Sets the value of zone->added, which should be ISC_TRUE for
- * zones that were originally added by "rndc addzone".
- *
- * Requires:
- * \li	'zone' to be valid.
- */
-
-isc_boolean_t
-dns_zone_getadded(dns_zone_t *zone);
-/*%
- * Returns ISC_TRUE if the zone was originally added at runtime
- * using "rndc addzone".
- *
- * Requires:
- * \li	'zone' to be valid.
- */
-
-isc_result_t
-dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db);
-/*%
- * Load the origin names for a writeable DLZ database.
- */
-
-isc_boolean_t
-dns_zone_isdynamic(dns_zone_t *zone, isc_boolean_t ignore_freeze);
-/*%
- * Return true iff the zone is "dynamic", in the sense that the zone's
- * master file (if any) is written by the server, rather than being
- * updated manually and read by the server.
- *
- * This is true for slave zones, stub zones, key zones, and zones that
- * allow dynamic updates either by having an update policy ("ssutable")
- * or an "allow-update" ACL with a value other than exactly "{ none; }".
- *
- * If 'ignore_freeze' is true, then the zone which has had updates disabled
- * will still report itself to be dynamic.
- *
- * Requires:
- * \li	'zone' to be valid.
- */
-
-isc_result_t
-dns_zone_setrefreshkeyinterval(dns_zone_t *zone, isc_uint32_t interval);
-/*%
- * Sets the frequency, in minutes, with which the key repository will be
- * checked to see if the keys for this zone have been updated.  Any value
- * higher than 1440 minutes (24 hours) will be silently reduced.  A
- * value of zero will return an out-of-range error.
- *
- * Requires:
- * \li	'zone' to be valid.
- */
-
-isc_boolean_t
-dns_zone_getrequestixfr(dns_zone_t *zone);
-/*%
- * Returns the true/false value of the request-ixfr option in the zone.
- *
- * Requires:
- * \li	'zone' to be valid.
- */
-
-void
-dns_zone_setrequestixfr(dns_zone_t *zone, isc_boolean_t flag);
-/*%
- * Sets the request-ixfr option for the zone. Either true or false. The
- * default value is determined by the setting of this option in the view.
- *
- * Requires:
- * \li	'zone' to be valid.
- */
-
-void
-dns_zone_setserialupdatemethod(dns_zone_t *zone, dns_updatemethod_t method);
-/*%
- * Sets the update method to use when incrementing the zone serial number
- * due to a DDNS update.  Valid options are dns_updatemethod_increment
- * and dns_updatemethod_unixtime.
- *
- * Requires:
- * \li	'zone' to be valid.
- */
-
-dns_updatemethod_t
-dns_zone_getserialupdatemethod(dns_zone_t *zone);
-/*%
- * Returns the update method to be used when incrementing the zone serial
- * number due to a DDNS update.
- *
- * Requires:
- * \li	'zone' to be valid.
- */
-
-isc_result_t
-dns_zone_link(dns_zone_t *zone, dns_zone_t *raw);
-
-void
-dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw);
-
-isc_result_t
-dns_zone_keydone(dns_zone_t *zone, const char *data);
-
-isc_result_t
-dns_zone_setnsec3param(dns_zone_t *zone, isc_uint8_t hash, isc_uint8_t flags,
-		       isc_uint16_t iter, isc_uint8_t saltlen,
-		       unsigned char *salt, isc_boolean_t replace);
-/*%
- * Set the NSEC3 parameters for the zone.
- *
- * If 'replace' is ISC_TRUE, then the existing NSEC3 chain, if any, will
- * be replaced with the new one.  If 'hash' is zero, then the replacement
- * chain will be NSEC rather than NSEC3.
- *
- * Requires:
- * \li	'zone' to be valid.
- */
-
-void
-dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header);
-/*%
- * Set the data to be included in the header when the zone is dumped in
- * binary format.
- */
-
-isc_result_t
-dns_zone_synckeyzone(dns_zone_t *zone);
-/*%
- * Force the managed key zone to synchronize, and start the key
- * maintenance timer.
- */
-
-isc_result_t
-dns_zone_rpz_enable(dns_zone_t *zone);
-/*%
- * Set the response policy associated with a zone.
- */
-
-isc_boolean_t
-dns_zone_get_rpz(dns_zone_t *zone);
-
-void
-dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level);
-
-dns_zonestat_level_t
-dns_zone_getstatlevel(dns_zone_t *zone);
-/*%
- * Set and get the statistics reporting level for the zone;
- * full, terse, or none.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ZONE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zonekey.h b/contrib/bind9/lib/dns/include/dns/zonekey.h
deleted file mode 100644
index d9ba862..0000000
--- a/contrib/bind9/lib/dns/include/dns/zonekey.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zonekey.h,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_ZONEKEY_H
-#define DNS_ZONEKEY_H 1
-
-/*! \file dns/zonekey.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_boolean_t
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata);
-/*%<
- *	Determines if the key record contained in the rdata is a zone key.
- *
- *	Requires:
- *		'keyrdata' is not NULL.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ZONEKEY_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zt.h b/contrib/bind9/lib/dns/include/dns/zt.h
deleted file mode 100644
index f91d7e8..0000000
--- a/contrib/bind9/lib/dns/include/dns/zt.h
+++ /dev/null
@@ -1,215 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zt.h,v 1.40 2011/09/02 23:46:32 tbox Exp $ */
-
-#ifndef DNS_ZT_H
-#define DNS_ZT_H 1
-
-/*! \file dns/zt.h */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-#define DNS_ZTFIND_NOEXACT		0x01
-
-ISC_LANG_BEGINDECLS
-
-typedef isc_result_t
-(*dns_zt_allloaded_t)(void *arg);
-/*%<
- * Method prototype: when all pending zone loads are complete,
- * the zone table can inform the caller via a callback function with
- * this signature.
- */
-
-typedef isc_result_t
-(*dns_zt_zoneloaded_t)(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task);
-/*%<
- * Method prototype: when a zone finishes loading, the zt object
- * can be informed via a callback function with this signature.
- */
-
-isc_result_t
-dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **zt);
-/*%<
- * Creates a new zone table.
- *
- * Requires:
- * \li	'mctx' to be initialized.
- *
- * Returns:
- * \li	#ISC_R_SUCCESS on success.
- * \li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
-/*%<
- * Mounts the zone on the zone table.
- *
- * Requires:
- * \li	'zt' to be valid
- * \li	'zone' to be valid
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_EXISTS
- * \li	#ISC_R_NOSPACE
- * \li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
-/*%<
- * Unmount the given zone from the table.
- *
- * Requires:
- * 	'zt' to be valid
- * \li	'zone' to be valid
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND
- * \li	#ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_zt_find(dns_zt_t *zt, dns_name_t *name, unsigned int options,
-	    dns_name_t *foundname, dns_zone_t **zone);
-/*%<
- * Find the best match for 'name' in 'zt'.  If foundname is non NULL
- * then the name of the zone found is returned.
- *
- * Notes:
- * \li	If the DNS_ZTFIND_NOEXACT is set, the best partial match (if any)
- *	to 'name' will be returned.
- *
- * Requires:
- * \li	'zt' to be valid
- * \li	'name' to be valid
- * \li	'foundname' to be initialized and associated with a fixedname or NULL
- * \li	'zone' to be non NULL and '*zone' to be NULL
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#DNS_R_PARTIALMATCH
- * \li	#ISC_R_NOTFOUND
- * \li	#ISC_R_NOSPACE
- */
-
-void
-dns_zt_detach(dns_zt_t **ztp);
-/*%<
- * Detach the given zonetable, if the reference count goes to zero the
- * zonetable will be freed.  In either case 'ztp' is set to NULL.
- *
- * Requires:
- * \li	'*ztp' to be valid
- */
-
-void
-dns_zt_flushanddetach(dns_zt_t **ztp);
-/*%<
- * Detach the given zonetable, if the reference count goes to zero the
- * zonetable will be flushed and then freed.  In either case 'ztp' is
- * set to NULL.
- *
- * Requires:
- * \li	'*ztp' to be valid
- */
-
-void
-dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
-/*%<
- * Attach 'zt' to '*ztp'.
- *
- * Requires:
- * \li	'zt' to be valid
- * \li	'*ztp' to be NULL
- */
-
-isc_result_t
-dns_zt_load(dns_zt_t *zt, isc_boolean_t stop);
-
-isc_result_t
-dns_zt_loadnew(dns_zt_t *zt, isc_boolean_t stop);
-
-isc_result_t
-dns_zt_asyncload(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg);
-/*%<
- * Load all zones in the table.  If 'stop' is ISC_TRUE,
- * stop on the first error and return it.  If 'stop'
- * is ISC_FALSE, ignore errors.
- *
- * dns_zt_loadnew() only loads zones that are not yet loaded.
- * dns_zt_load() also loads zones that are already loaded and
- * and whose master file has changed since the last load.
- * dns_zt_asyncload() loads zones asynchronously; when all
- * zones in the zone table have finished loaded (or failed due
- * to errors), the caller is informed by calling 'alldone'
- * with an argument of 'arg'.
- *
- * Requires:
- * \li	'zt' to be valid
- */
-
-isc_result_t
-dns_zt_freezezones(dns_zt_t *zt, isc_boolean_t freeze);
-/*%<
- * Freeze/thaw updates to master zones.
- * Any pending updates will be flushed.
- * Zones will be reloaded on thaw.
- */
-
-isc_result_t
-dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
-	     isc_result_t (*action)(dns_zone_t *, void *), void *uap);
-
-isc_result_t
-dns_zt_apply2(dns_zt_t *zt, isc_boolean_t stop, isc_result_t *sub,
-	      isc_result_t (*action)(dns_zone_t *, void *), void *uap);
-/*%<
- * Apply a given 'action' to all zone zones in the table.
- * If 'stop' is 'ISC_TRUE' then walking the zone tree will stop if
- * 'action' does not return ISC_R_SUCCESS.
- *
- * Requires:
- * \li	'zt' to be valid.
- * \li	'action' to be non NULL.
- *
- * Returns:
- * \li	ISC_R_SUCCESS if action was applied to all nodes.  If 'stop' is
- *	ISC_FALSE and 'sub' is non NULL then the first error (if any)
- *	reported by 'action' is returned in '*sub';
- *	any error code from 'action'.
- */
-
-isc_boolean_t
-dns_zt_loadspending(dns_zt_t *zt);
-/*%<
- * Returns ISC_TRUE if and only if there are zones still waiting to
- * be loaded in zone table 'zt'.
- *
- * Requires:
- * \li	'zt' to be valid.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ZT_H */
diff --git a/contrib/bind9/lib/dns/include/dst/Makefile.in b/contrib/bind9/lib/dns/include/dst/Makefile.in
deleted file mode 100644
index cece67d..0000000
--- a/contrib/bind9/lib/dns/include/dst/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4 2007/12/11 20:28:55 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	dst.h gssapi.h lib.h result.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dst
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dst ; \
-	done
diff --git a/contrib/bind9/lib/dns/include/dst/dst.h b/contrib/bind9/lib/dns/include/dst/dst.h
deleted file mode 100644
index 4724fc6..0000000
--- a/contrib/bind9/lib/dns/include/dst/dst.h
+++ /dev/null
@@ -1,929 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dst.h,v 1.34 2011/10/20 21:20:02 marka Exp $ */
-
-#ifndef DST_DST_H
-#define DST_DST_H 1
-
-/*! \file dst/dst.h */
-
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/secalg.h>
-
-#include <dst/gssapi.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-/*%
- * The dst_key structure is opaque.  Applications should use the accessor
- * functions provided to retrieve key attributes.  If an application needs
- * to set attributes, new accessor functions will be written.
- */
-
-typedef struct dst_key		dst_key_t;
-typedef struct dst_context 	dst_context_t;
-
-/* DST algorithm codes */
-#define DST_ALG_UNKNOWN		0
-#define DST_ALG_RSAMD5		1
-#define DST_ALG_RSA		DST_ALG_RSAMD5	/*%< backwards compatibility */
-#define DST_ALG_DH		2
-#define DST_ALG_DSA		3
-#define DST_ALG_ECC		4
-#define DST_ALG_RSASHA1		5
-#define DST_ALG_NSEC3DSA	6
-#define DST_ALG_NSEC3RSASHA1	7
-#define DST_ALG_RSASHA256	8
-#define DST_ALG_RSASHA512	10
-#define DST_ALG_ECCGOST		12
-#define DST_ALG_ECDSA256	13
-#define DST_ALG_ECDSA384	14
-#define DST_ALG_HMACMD5		157
-#define DST_ALG_GSSAPI		160
-#define DST_ALG_HMACSHA1	161	/* XXXMPA */
-#define DST_ALG_HMACSHA224	162	/* XXXMPA */
-#define DST_ALG_HMACSHA256	163	/* XXXMPA */
-#define DST_ALG_HMACSHA384	164	/* XXXMPA */
-#define DST_ALG_HMACSHA512	165	/* XXXMPA */
-#define DST_ALG_PRIVATE		254
-#define DST_ALG_EXPAND		255
-#define DST_MAX_ALGS		255
-
-/*% A buffer of this size is large enough to hold any key */
-#define DST_KEY_MAXSIZE		1280
-
-/*%
- * A buffer of this size is large enough to hold the textual representation
- * of any key
- */
-#define DST_KEY_MAXTEXTSIZE	2048
-
-/*% 'Type' for dst_read_key() */
-#define DST_TYPE_KEY		0x1000000	/* KEY key */
-#define DST_TYPE_PRIVATE	0x2000000
-#define DST_TYPE_PUBLIC		0x4000000
-
-/* Key timing metadata definitions */
-#define DST_TIME_CREATED	0
-#define DST_TIME_PUBLISH	1
-#define DST_TIME_ACTIVATE	2
-#define DST_TIME_REVOKE 	3
-#define DST_TIME_INACTIVE	4
-#define DST_TIME_DELETE 	5
-#define DST_TIME_DSPUBLISH 	6
-#define DST_MAX_TIMES		6
-
-/* Numeric metadata definitions */
-#define DST_NUM_PREDECESSOR	0
-#define DST_NUM_SUCCESSOR	1
-#define DST_NUM_MAXTTL		2
-#define DST_NUM_ROLLPERIOD	3
-#define DST_MAX_NUMERIC		3
-
-/*
- * Current format version number of the private key parser.
- *
- * When parsing a key file with the same major number but a higher minor
- * number, the key parser will ignore any fields it does not recognize.
- * Thus, DST_MINOR_VERSION should be incremented whenever new
- * fields are added to the private key file (such as new metadata).
- *
- * When rewriting these keys, those fields will be dropped, and the
- * format version set back to the current one..
- *
- * When a key is seen with a higher major number, the key parser will
- * reject it as invalid.  Thus, DST_MAJOR_VERSION should be incremented
- * and DST_MINOR_VERSION set to zero whenever there is a format change
- * which is not backward compatible to previous versions of the dst_key
- * parser, such as change in the syntax of an existing field, the removal
- * of a currently mandatory field, or a new field added which would
- * alter the functioning of the key if it were absent.
- */
-#define DST_MAJOR_VERSION	1
-#define DST_MINOR_VERSION	3
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
-
-isc_result_t
-dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
-	      const char *engine, unsigned int eflags);
-/*%<
- * Initializes the DST subsystem.
- *
- * Requires:
- * \li 	"mctx" is a valid memory context
- * \li	"ectx" is a valid entropy context
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOMEMORY
- * \li	DST_R_NOENGINE
- *
- * Ensures:
- * \li	DST is properly initialized.
- */
-
-void
-dst_lib_destroy(void);
-/*%<
- * Releases all resources allocated by DST.
- */
-
-isc_boolean_t
-dst_algorithm_supported(unsigned int alg);
-/*%<
- * Checks that a given algorithm is supported by DST.
- *
- * Returns:
- * \li	ISC_TRUE
- * \li	ISC_FALSE
- */
-
-isc_result_t
-dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp);
-
-isc_result_t
-dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
-		    isc_logcategory_t *category, dst_context_t **dctxp);
-
-/*%<
- * Creates a context to be used for a sign or verify operation.
- *
- * Requires:
- * \li	"key" is a valid key.
- * \li	"mctx" is a valid memory context.
- * \li	dctxp != NULL && *dctxp == NULL
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOMEMORY
- *
- * Ensures:
- * \li	*dctxp will contain a usable context.
- */
-
-void
-dst_context_destroy(dst_context_t **dctxp);
-/*%<
- * Destroys all memory associated with a context.
- *
- * Requires:
- * \li	*dctxp != NULL && *dctxp == NULL
- *
- * Ensures:
- * \li	*dctxp == NULL
- */
-
-isc_result_t
-dst_context_adddata(dst_context_t *dctx, const isc_region_t *data);
-/*%<
- * Incrementally adds data to the context to be used in a sign or verify
- * operation.
- *
- * Requires:
- * \li	"dctx" is a valid context
- * \li	"data" is a valid region
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	DST_R_SIGNFAILURE
- * \li	all other errors indicate failure
- */
-
-isc_result_t
-dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig);
-/*%<
- * Computes a signature using the data and key stored in the context.
- *
- * Requires:
- * \li	"dctx" is a valid context.
- * \li	"sig" is a valid buffer.
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	DST_R_VERIFYFAILURE
- * \li	all other errors indicate failure
- *
- * Ensures:
- * \li	"sig" will contain the signature
- */
-
-isc_result_t
-dst_context_verify(dst_context_t *dctx, isc_region_t *sig);
-
-isc_result_t
-dst_context_verify2(dst_context_t *dctx, unsigned int maxbits,
-		    isc_region_t *sig);
-/*%<
- * Verifies the signature using the data and key stored in the context.
- *
- * 'maxbits' specifies the maximum number of bits permitted in the RSA
- * exponent.
- *
- * Requires:
- * \li	"dctx" is a valid context.
- * \li	"sig" is a valid region.
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	all other errors indicate failure
- *
- * Ensures:
- * \li	"sig" will contain the signature
- */
-
-isc_result_t
-dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
-		      isc_buffer_t *secret);
-/*%<
- * Computes a shared secret from two (Diffie-Hellman) keys.
- *
- * Requires:
- * \li	"pub" is a valid key that can be used to derive a shared secret
- * \li	"priv" is a valid private key that can be used to derive a shared secret
- * \li	"secret" is a valid buffer
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- * \li	If successful, secret will contain the derived shared secret.
- */
-
-isc_result_t
-dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
-		 const char *directory, isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
- * Reads a key from permanent storage.  The key can either be a public or
- * private key, and is specified by name, algorithm, and id.  If a private key
- * is specified, the public key must also be present.  If directory is NULL,
- * the current directory is assumed.
- *
- * Requires:
- * \li	"name" is a valid absolute dns name.
- * \li	"id" is a valid key tag identifier.
- * \li	"alg" is a supported key algorithm.
- * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
- *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- * \li	"mctx" is a valid memory context.
- * \li	"keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- * \li	If successful, *keyp will contain a valid key.
- */
-
-isc_result_t
-dst_key_fromnamedfile(const char *filename, const char *dirname,
-		      int type, isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
- * Reads a key from permanent storage.  The key can either be a public or
- * key, and is specified by filename.  If a private key is specified, the
- * public key must also be present.
- *
- * If 'dirname' is not NULL, and 'filename' is a relative path,
- * then the file is looked up relative to the given directory.
- * If 'filename' is an absolute path, 'dirname' is ignored.
- *
- * Requires:
- * \li	"filename" is not NULL
- * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
- *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- * \li	"mctx" is a valid memory context
- * \li	"keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- * \li	If successful, *keyp will contain a valid key.
- */
-
-
-isc_result_t
-dst_key_read_public(const char *filename, int type,
-		    isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
- * Reads a public key from permanent storage.  The key must be a public key.
- *
- * Requires:
- * \li	"filename" is not NULL
- * \li	"type" is DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- * \li	"mctx" is a valid memory context
- * \li	"keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	DST_R_BADKEYTYPE if the key type is not the expected one
- * \li	ISC_R_UNEXPECTEDTOKEN if the file can not be parsed as a public key
- * \li	any other result indicates failure
- *
- * Ensures:
- * \li	If successful, *keyp will contain a valid key.
- */
-
-isc_result_t
-dst_key_tofile(const dst_key_t *key, int type, const char *directory);
-/*%<
- * Writes a key to permanent storage.  The key can either be a public or
- * private key.  Public keys are written in DNS format and private keys
- * are written as a set of base64 encoded values.  If directory is NULL,
- * the current directory is assumed.
- *
- * Requires:
- * \li	"key" is a valid key.
- * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	any other result indicates failure
- */
-
-isc_result_t
-dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
-		isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
- * Converts a DNS KEY record into a DST key.
- *
- * Requires:
- * \li	"name" is a valid absolute dns name.
- * \li	"source" is a valid buffer.  There must be at least 4 bytes available.
- * \li	"mctx" is a valid memory context.
- * \li	"keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- * \li	If successful, *keyp will contain a valid key, and the consumed
- *	pointer in data will be advanced.
- */
-
-isc_result_t
-dst_key_todns(const dst_key_t *key, isc_buffer_t *target);
-/*%<
- * Converts a DST key into a DNS KEY record.
- *
- * Requires:
- * \li	"key" is a valid key.
- * \li	"target" is a valid buffer.  There must be at least 4 bytes unused.
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- * \li	If successful, the used pointer in 'target' is advanced by at least 4.
- */
-
-isc_result_t
-dst_key_frombuffer(dns_name_t *name, unsigned int alg,
-		   unsigned int flags, unsigned int protocol,
-		   dns_rdataclass_t rdclass,
-		   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
-/*%<
- * Converts a buffer containing DNS KEY RDATA into a DST key.
- *
- * Requires:
- *\li	"name" is a valid absolute dns name.
- *\li	"alg" is a supported key algorithm.
- *\li	"source" is a valid buffer.
- *\li	"mctx" is a valid memory context.
- *\li	"keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- *\li 	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- *\li	If successful, *keyp will contain a valid key, and the consumed
- *	pointer in source will be advanced.
- */
-
-isc_result_t
-dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
-/*%<
- * Converts a DST key into DNS KEY RDATA format.
- *
- * Requires:
- *\li	"key" is a valid key.
- *\li	"target" is a valid buffer.
- *
- * Returns:
- *\li 	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- *\li	If successful, the used pointer in 'target' is advanced.
- */
-
-isc_result_t
-dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
-/*%<
- * Converts a public key into a private key, reading the private key
- * information from the buffer.  The buffer should contain the same data
- * as the .private key file would.
- *
- * Requires:
- *\li	"key" is a valid public key.
- *\li	"buffer" is not NULL.
- *
- * Returns:
- *\li 	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- *\li	If successful, key will contain a valid private key.
- */
-
-gss_ctx_id_t
-dst_key_getgssctx(const dst_key_t *key);
-/*%<
- * Returns the opaque key data.
- * Be cautions when using this value unless you know what you are doing.
- *
- * Requires:
- *\li	"key" is not NULL.
- *
- * Returns:
- *\li	gssctx key data, possibly NULL.
- */
-
-isc_result_t
-dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
-		   dst_key_t **keyp, isc_region_t *intoken);
-/*%<
- * Converts a GSSAPI opaque context id into a DST key.
- *
- * Requires:
- *\li	"name" is a valid absolute dns name.
- *\li	"gssctx" is a GSSAPI context id.
- *\li	"mctx" is a valid memory context.
- *\li	"keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- *\li 	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- *\li	If successful, *keyp will contain a valid key and be responsible for
- *	the context id.
- */
-
-#ifdef DST_KEY_INTERNAL
-isc_result_t
-dst_key_buildinternal(dns_name_t *name, unsigned int alg,
-		      unsigned int bits, unsigned int flags,
-		      unsigned int protocol, dns_rdataclass_t rdclass,
-		      void *data, isc_mem_t *mctx, dst_key_t **keyp);
-#endif
-
-isc_result_t
-dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
-		  unsigned int protocol, dns_rdataclass_t rdclass,
-		  const char *engine, const char *label, const char *pin,
-		  isc_mem_t *mctx, dst_key_t **keyp);
-
-isc_result_t
-dst_key_generate(dns_name_t *name, unsigned int alg,
-		 unsigned int bits, unsigned int param,
-		 unsigned int flags, unsigned int protocol,
-		 dns_rdataclass_t rdclass,
-		 isc_mem_t *mctx, dst_key_t **keyp);
-
-isc_result_t
-dst_key_generate2(dns_name_t *name, unsigned int alg,
-		  unsigned int bits, unsigned int param,
-		  unsigned int flags, unsigned int protocol,
-		  dns_rdataclass_t rdclass,
-		  isc_mem_t *mctx, dst_key_t **keyp,
-		  void (*callback)(int));
-
-/*%<
- * Generate a DST key (or keypair) with the supplied parameters.  The
- * interpretation of the "param" field depends on the algorithm:
- * \code
- * 	RSA:	exponent
- * 		0	use exponent 3
- * 		!0	use Fermat4 (2^16 + 1)
- * 	DH:	generator
- * 		0	default - use well known prime if bits == 768 or 1024,
- * 			otherwise use 2 as the generator.
- * 		!0	use this value as the generator.
- * 	DSA:	unused
- * 	HMACMD5: entropy
- *		0	default - require good entropy
- *		!0	lack of good entropy is ok
- *\endcode
- *
- * Requires:
- *\li	"name" is a valid absolute dns name.
- *\li	"keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- *\li 	ISC_R_SUCCESS
- * \li	any other result indicates failure
- *
- * Ensures:
- *\li	If successful, *keyp will contain a valid key.
- */
-
-isc_boolean_t
-dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
-/*%<
- * Compares two DST keys.  Returns true if they match, false otherwise.
- *
- * Keys ARE NOT considered to match if one of them is the revoked version
- * of the other.
- *
- * Requires:
- *\li	"key1" is a valid key.
- *\li	"key2" is a valid key.
- *
- * Returns:
- *\li 	ISC_TRUE
- * \li	ISC_FALSE
- */
-
-isc_boolean_t
-dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
-		   isc_boolean_t match_revoked_key);
-/*%<
- * Compares only the public portions of two DST keys.  Returns true
- * if they match, false otherwise.  This allows us, for example, to
- * determine whether a public key found in a zone matches up with a
- * key pair found on disk.
- *
- * If match_revoked_key is TRUE, then keys ARE considered to match if one
- * of them is the revoked version of the other. Otherwise, they are not.
- *
- * Requires:
- *\li	"key1" is a valid key.
- *\li	"key2" is a valid key.
- *
- * Returns:
- *\li 	ISC_TRUE
- * \li	ISC_FALSE
- */
-
-isc_boolean_t
-dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
-/*%<
- * Compares the parameters of two DST keys.  This is used to determine if
- * two (Diffie-Hellman) keys can be used to derive a shared secret.
- *
- * Requires:
- *\li	"key1" is a valid key.
- *\li	"key2" is a valid key.
- *
- * Returns:
- *\li 	ISC_TRUE
- * \li	ISC_FALSE
- */
-
-void
-dst_key_attach(dst_key_t *source, dst_key_t **target);
-/*
- * Attach to a existing key increasing the reference count.
- *
- * Requires:
- *\li 'source' to be a valid key.
- *\li 'target' to be non-NULL and '*target' to be NULL.
- */
-
-void
-dst_key_free(dst_key_t **keyp);
-/*%<
- * Decrement the key's reference counter and, when it reaches zero,
- * release all memory associated with the key.
- *
- * Requires:
- *\li	"keyp" is not NULL and "*keyp" is a valid key.
- *\li	reference counter greater than zero.
- *
- * Ensures:
- *\li	All memory associated with "*keyp" will be freed.
- *\li	*keyp == NULL
- */
-
-/*%<
- * Accessor functions to obtain key fields.
- *
- * Require:
- *\li	"key" is a valid key.
- */
-dns_name_t *
-dst_key_name(const dst_key_t *key);
-
-unsigned int
-dst_key_size(const dst_key_t *key);
-
-unsigned int
-dst_key_proto(const dst_key_t *key);
-
-unsigned int
-dst_key_alg(const dst_key_t *key);
-
-isc_uint32_t
-dst_key_flags(const dst_key_t *key);
-
-dns_keytag_t
-dst_key_id(const dst_key_t *key);
-
-dns_keytag_t
-dst_key_rid(const dst_key_t *key);
-
-dns_rdataclass_t
-dst_key_class(const dst_key_t *key);
-
-isc_boolean_t
-dst_key_isprivate(const dst_key_t *key);
-
-isc_boolean_t
-dst_key_iszonekey(const dst_key_t *key);
-
-isc_boolean_t
-dst_key_isnullkey(const dst_key_t *key);
-
-isc_result_t
-dst_key_buildfilename(const dst_key_t *key, int type,
-		      const char *directory, isc_buffer_t *out);
-/*%<
- * Generates the filename used by dst to store the specified key.
- * If directory is NULL, the current directory is assumed.
- *
- * Requires:
- *\li	"key" is a valid key
- *\li	"type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
- *\li	"out" is a valid buffer
- *
- * Ensures:
- *\li	the file name will be written to "out", and the used pointer will
- *		be advanced.
- */
-
-isc_result_t
-dst_key_sigsize(const dst_key_t *key, unsigned int *n);
-/*%<
- * Computes the size of a signature generated by the given key.
- *
- * Requires:
- *\li	"key" is a valid key.
- *\li	"n" is not NULL
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	DST_R_UNSUPPORTEDALG
- *
- * Ensures:
- *\li	"n" stores the size of a generated signature
- */
-
-isc_result_t
-dst_key_secretsize(const dst_key_t *key, unsigned int *n);
-/*%<
- * Computes the size of a shared secret generated by the given key.
- *
- * Requires:
- *\li	"key" is a valid key.
- *\li	"n" is not NULL
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	DST_R_UNSUPPORTEDALG
- *
- * Ensures:
- *\li	"n" stores the size of a generated shared secret
- */
-
-isc_uint16_t
-dst_region_computeid(const isc_region_t *source, unsigned int alg);
-isc_uint16_t
-dst_region_computerid(const isc_region_t *source, unsigned int alg);
-/*%<
- * Computes the (revoked) key id of the key stored in the provided
- * region with the given algorithm.
- *
- * Requires:
- *\li	"source" contains a valid, non-NULL region.
- *
- * Returns:
- *\li 	the key id
- */
-
-isc_uint16_t
-dst_key_getbits(const dst_key_t *key);
-/*%<
- * Get the number of digest bits required (0 == MAX).
- *
- * Requires:
- *	"key" is a valid key.
- */
-
-void
-dst_key_setbits(dst_key_t *key, isc_uint16_t bits);
-/*%<
- * Set the number of digest bits required (0 == MAX).
- *
- * Requires:
- *	"key" is a valid key.
- */
-
-void
-dst_key_setttl(dst_key_t *key, dns_ttl_t ttl);
-/*%<
- * Set the default TTL to use when converting the key
- * to a KEY or DNSKEY RR.
- *
- * Requires:
- *	"key" is a valid key.
- */
-
-dns_ttl_t
-dst_key_getttl(const dst_key_t *key);
-/*%<
- * Get the default TTL to use when converting the key
- * to a KEY or DNSKEY RR.
- *
- * Requires:
- *	"key" is a valid key.
- */
-
-isc_result_t
-dst_key_setflags(dst_key_t *key, isc_uint32_t flags);
-/*
- * Set the key flags, and recompute the key ID.
- *
- * Requires:
- *	"key" is a valid key.
- */
-
-isc_result_t
-dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep);
-/*%<
- * Get a member of the numeric metadata array and place it in '*valuep'.
- *
- * Requires:
- *	"key" is a valid key.
- *	"type" is no larger than DST_MAX_NUMERIC
- *	"timep" is not null.
- */
-
-void
-dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value);
-/*%<
- * Set a member of the numeric metadata array.
- *
- * Requires:
- *	"key" is a valid key.
- *	"type" is no larger than DST_MAX_NUMERIC
- */
-
-void
-dst_key_unsetnum(dst_key_t *key, int type);
-/*%<
- * Flag a member of the numeric metadata array as "not set".
- *
- * Requires:
- *	"key" is a valid key.
- *	"type" is no larger than DST_MAX_NUMERIC
- */
-
-isc_result_t
-dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep);
-/*%<
- * Get a member of the timing metadata array and place it in '*timep'.
- *
- * Requires:
- *	"key" is a valid key.
- *	"type" is no larger than DST_MAX_TIMES
- *	"timep" is not null.
- */
-
-void
-dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when);
-/*%<
- * Set a member of the timing metadata array.
- *
- * Requires:
- *	"key" is a valid key.
- *	"type" is no larger than DST_MAX_TIMES
- */
-
-void
-dst_key_unsettime(dst_key_t *key, int type);
-/*%<
- * Flag a member of the timing metadata array as "not set".
- *
- * Requires:
- *	"key" is a valid key.
- *	"type" is no larger than DST_MAX_TIMES
- */
-
-isc_result_t
-dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp);
-/*%<
- * Get the private key format version number.  (If the key does not have
- * a private key associated with it, the version will be 0.0.)  The major
- * version number is placed in '*majorp', and the minor version number in
- * '*minorp'.
- *
- * Requires:
- *	"key" is a valid key.
- *	"majorp" is not NULL.
- *	"minorp" is not NULL.
- */
-
-void
-dst_key_setprivateformat(dst_key_t *key, int major, int minor);
-/*%<
- * Set the private key format version number.
- *
- * Requires:
- *	"key" is a valid key.
- */
-
-#define DST_KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + 7)
-
-void
-dst_key_format(const dst_key_t *key, char *cp, unsigned int size);
-/*%<
- * Write the uniquely identifying information about the key (name,
- * algorithm, key ID) into a string 'cp' of size 'size'.
- */
-
-
-isc_buffer_t *
-dst_key_tkeytoken(const dst_key_t *key);
-/*%<
- * Return the token from the TKEY request, if any.  If this key was
- * not negotiated via TKEY, return NULL.
- *
- * Requires:
- *	"key" is a valid key.
- */
-
-
-isc_result_t
-dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length);
-/*%<
- * Allocate 'buffer' and dump the key into it in base64 format. The buffer
- * is not NUL terminated. The length of the buffer is returned in *length.
- *
- * 'buffer' needs to be freed using isc_mem_put(mctx, buffer, length);
- *
- * Requires:
- *	'buffer' to be non NULL and *buffer to be NULL.
- *	'length' to be non NULL and *length to be zero.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- *	ISC_R_NOTIMPLEMENTED
- *	others.
- */
-
-isc_result_t
-dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
-		unsigned int protocol, dns_rdataclass_t rdclass,
-		isc_mem_t *mctx, const char *keystr, dst_key_t **keyp);
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_DST_H */
diff --git a/contrib/bind9/lib/dns/include/dst/gssapi.h b/contrib/bind9/lib/dns/include/dst/gssapi.h
deleted file mode 100644
index 1e81a55..0000000
--- a/contrib/bind9/lib/dns/include/dst/gssapi.h
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gssapi.h,v 1.16 2011/01/08 23:47:01 tbox Exp $ */
-
-#ifndef DST_GSSAPI_H
-#define DST_GSSAPI_H 1
-
-/*! \file dst/gssapi.h */
-
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-#include <dns/types.h>
-
-#ifdef GSSAPI
-#ifdef _WINDOWS
-/*
- * MSVC does not like macros in #include lines.
- */
-#include <gssapi/gssapi.h>
-#include <gssapi/gssapi_krb5.h>
-#else
-#include ISC_PLATFORM_GSSAPIHEADER
-#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
-#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
-#endif
-#endif
-#ifndef GSS_SPNEGO_MECHANISM
-#define GSS_SPNEGO_MECHANISM ((void*)0)
-#endif
-#endif
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
-		       gss_cred_id_t *cred);
-/*
- *	Acquires GSS credentials.
- *
- *	Requires:
- * 	'name' 	    is a valid name, preferably one known by the GSS provider
- * 	'initiate'  indicates whether the credentials are for initiating or
- *		    accepting contexts
- *      'cred'      is a pointer to NULL, which will be allocated with the
- *		    credential handle.  Call dst_gssapi_releasecred to free
- *		    the memory.
- *
- *	Returns:
- *		ISC_R_SUCCESS msg was successfully updated to include the
- *				      query to be sent
- *		other		  an error occurred while building the message
- */
-
-isc_result_t
-dst_gssapi_releasecred(gss_cred_id_t *cred);
-/*
- *	Releases GSS credentials.  Calling this function does release the
- *  memory allocated for the credential in dst_gssapi_acquirecred()
- *
- *	Requires:
- *      'mctx'  is a valid memory context
- *      'cred'  is a pointer to the credential to be released
- *
- *	Returns:
- *		ISC_R_SUCCESS 	credential was released successfully
- *		other		an error occurred while releaseing
- *				the credential
- */
-
-isc_result_t
-dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
-		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
-		   isc_mem_t *mctx, char **err_message);
-/*
- *	Initiates a GSS context.
- *
- *	Requires:
- * 	'name'     is a valid name, preferably one known by the GSS
- * 	provider
- * 	'intoken'  is a token received from the acceptor, or NULL if
- *		   there isn't one
- * 	'outtoken' is a buffer to receive the token generated by
- *		   gss_init_sec_context() to be sent to the acceptor
- *      'context'  is a pointer to a valid gss_ctx_id_t
- *                 (which may have the value GSS_C_NO_CONTEXT)
- *
- *	Returns:
- *		ISC_R_SUCCESS   msg was successfully updated to include the
- * 				query to be sent
- *		other		an error occurred while building the message
- *		*err_message	optional error message
- */
-
-isc_result_t
-dst_gssapi_acceptctx(gss_cred_id_t cred,
-		     const char *gssapi_keytab,
-		     isc_region_t *intoken, isc_buffer_t **outtoken,
-		     gss_ctx_id_t *context, dns_name_t *principal,
-		     isc_mem_t *mctx);
-/*
- *	Accepts a GSS context.
- *
- *	Requires:
- * 	'mctx'     is a valid memory context
- *      'cred'     is the acceptor's valid GSS credential handle
- * 	'intoken'  is a token received from the initiator
- * 	'outtoken' is a pointer a buffer pointer used to return the token
- *		   generated by gss_accept_sec_context() to be sent to the
- *		   initiator
- *      'context'  is a valid pointer to receive the generated context handle.
- *                 On the initial call, it should be a pointer to NULL, which
- *		   will be allocated as a gss_ctx_id_t.  Subsequent calls
- *		   should pass in the handle generated on the first call.
- *		   Call dst_gssapi_releasecred to delete the context and free
- *		   the memory.
- *
- *	Requires:
- *		'outtoken' to != NULL && *outtoken == NULL.
- *
- *	Returns:
- *		ISC_R_SUCCESS   msg was successfully updated to include the
- * 				query to be sent
- *		other 		an error occurred while building the message
- */
-
-isc_result_t
-dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
-/*
- *	Destroys a GSS context.  This function deletes the context from the GSS
- *  	provider and then frees the memory used by the context pointer.
- *
- *	Requires:
- *      'mctx'    is a valid memory context
- *	'context' is a valid GSS context
- *
- *	Returns:
- *		ISC_R_SUCCESS
- */
-
-
-void
-gss_log(int level, const char *fmt, ...)
-ISC_FORMAT_PRINTF(2, 3);
-/*
- * Logging function for GSS.
- *
- *  Requires
- *      'level' is the log level to be used, as an integer
- *      'fmt'   is a printf format specifier
- */
-
-char *
-gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
-		   char *buf, size_t buflen);
-/*
- *	Render a GSS major status/minor status pair into a string
- *
- *	Requires:
- *      'major' is a GSS major status code
- * 	'minor' is a GSS minor status code
- *
- *	Returns:
- *		A string containing the text representation of the error codes.
- *      	Users should copy the string if they wish to keep it.
- */
-
-isc_boolean_t
-dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
-			      dns_name_t *realm);
-/*
- *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
- *	principal: host/example.com@EXAMPLE.COM) to the realm name stored
- *	in "name" (which represents the realm name).
- *
- */
-
-isc_boolean_t
-dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
-			    dns_name_t *realm);
-/*
- *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
- *	principal: host/example.com@EXAMPLE.COM) to the realm name stored
- *	in "name" (which represents the realm name).
- *
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_GSSAPI_H */
diff --git a/contrib/bind9/lib/dns/include/dst/lib.h b/contrib/bind9/lib/dns/include/dst/lib.h
deleted file mode 100644
index 886575e..0000000
--- a/contrib/bind9/lib/dns/include/dst/lib.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DST_LIB_H
-#define DST_LIB_H 1
-
-/*! \file dst/lib.h */
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dst_msgcat;
-
-void
-dst_lib_initmsgcat(void);
-/*
- * Initialize the DST library's message catalog, dst_msgcat, if it
- * has not already been initialized.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_LIB_H */
diff --git a/contrib/bind9/lib/dns/include/dst/result.h b/contrib/bind9/lib/dns/include/dst/result.h
deleted file mode 100644
index 00640a1..0000000
--- a/contrib/bind9/lib/dns/include/dst/result.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.9 2008/04/01 23:47:10 tbox Exp $ */
-
-#ifndef DST_RESULT_H
-#define DST_RESULT_H 1
-
-/*! \file dst/result.h */
-
-#include <isc/lang.h>
-#include <isc/resultclass.h>
-
-/*
- * Nothing in this file truly depends on <isc/result.h>, but the
- * DST result codes are considered to be publicly derived from
- * the ISC result codes, so including this file buys you the ISC_R_
- * namespace too.
- */
-#include <isc/result.h>		/* Contractual promise. */
-
-#define DST_R_UNSUPPORTEDALG		(ISC_RESULTCLASS_DST + 0)
-#define DST_R_CRYPTOFAILURE		(ISC_RESULTCLASS_DST + 1)
-/* compat */
-#define DST_R_OPENSSLFAILURE		DST_R_CRYPTOFAILURE
-#define DST_R_NOCRYPTO			(ISC_RESULTCLASS_DST + 2)
-#define DST_R_NULLKEY			(ISC_RESULTCLASS_DST + 3)
-#define DST_R_INVALIDPUBLICKEY		(ISC_RESULTCLASS_DST + 4)
-#define DST_R_INVALIDPRIVATEKEY		(ISC_RESULTCLASS_DST + 5)
-/* 6 is unused */
-#define DST_R_WRITEERROR		(ISC_RESULTCLASS_DST + 7)
-#define DST_R_INVALIDPARAM		(ISC_RESULTCLASS_DST + 8)
-/* 9 is unused */
-/* 10 is unused */
-#define DST_R_SIGNFAILURE		(ISC_RESULTCLASS_DST + 11)
-/* 12 is unused */
-/* 13 is unused */
-#define DST_R_VERIFYFAILURE		(ISC_RESULTCLASS_DST + 14)
-#define DST_R_NOTPUBLICKEY		(ISC_RESULTCLASS_DST + 15)
-#define DST_R_NOTPRIVATEKEY		(ISC_RESULTCLASS_DST + 16)
-#define DST_R_KEYCANNOTCOMPUTESECRET	(ISC_RESULTCLASS_DST + 17)
-#define DST_R_COMPUTESECRETFAILURE	(ISC_RESULTCLASS_DST + 18)
-#define DST_R_NORANDOMNESS		(ISC_RESULTCLASS_DST + 19)
-#define DST_R_BADKEYTYPE		(ISC_RESULTCLASS_DST + 20)
-#define DST_R_NOENGINE			(ISC_RESULTCLASS_DST + 21)
-
-#define DST_R_NRESULTS			22	/* Number of results */
-
-ISC_LANG_BEGINDECLS
-
-const char *
-dst_result_totext(isc_result_t);
-
-void
-dst_result_register(void);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_RESULT_H */
diff --git a/contrib/bind9/lib/dns/iptable.c b/contrib/bind9/lib/dns/iptable.c
deleted file mode 100644
index 7019505..0000000
--- a/contrib/bind9/lib/dns/iptable.c
+++ /dev/null
@@ -1,189 +0,0 @@
-/*
- * Copyright (C) 2007-2009, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: iptable.c,v 1.15 2009/02/18 23:47:48 tbox Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/radix.h>
-
-#include <dns/acl.h>
-
-static void destroy_iptable(dns_iptable_t *dtab);
-
-/*
- * Create a new IP table and the underlying radix structure
- */
-isc_result_t
-dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target) {
-	isc_result_t result;
-	dns_iptable_t *tab;
-
-	tab = isc_mem_get(mctx, sizeof(*tab));
-	if (tab == NULL)
-		return (ISC_R_NOMEMORY);
-	tab->mctx = NULL;
-	isc_mem_attach(mctx, &tab->mctx);
-	isc_refcount_init(&tab->refcount, 1);
-	tab->radix = NULL;
-	tab->magic = DNS_IPTABLE_MAGIC;
-
-	result = isc_radix_create(mctx, &tab->radix, RADIX_MAXBITS);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	*target = tab;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_iptable_detach(&tab);
-	return (result);
-}
-
-isc_boolean_t dns_iptable_neg = ISC_FALSE;
-isc_boolean_t dns_iptable_pos = ISC_TRUE;
-
-/*
- * Add an IP prefix to an existing IP table
- */
-isc_result_t
-dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
-		      isc_uint16_t bitlen, isc_boolean_t pos)
-{
-	isc_result_t result;
-	isc_prefix_t pfx;
-	isc_radix_node_t *node = NULL;
-	int family;
-
-	INSIST(DNS_IPTABLE_VALID(tab));
-	INSIST(tab->radix);
-
-	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
-
-	result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
-	if (result != ISC_R_SUCCESS) {
-		isc_refcount_destroy(&pfx.refcount);
-		return(result);
-	}
-
-	/* If a node already contains data, don't overwrite it */
-	family = pfx.family;
-	if (family == AF_UNSPEC) {
-		/* "any" or "none" */
-		INSIST(pfx.bitlen == 0);
-		if (pos) {
-			if (node->data[0] == NULL)
-				node->data[0] = &dns_iptable_pos;
-			if (node->data[1] == NULL)
-				node->data[1] = &dns_iptable_pos;
-		} else {
-			if (node->data[0] == NULL)
-				node->data[0] = &dns_iptable_neg;
-			if (node->data[1] == NULL)
-				node->data[1] = &dns_iptable_neg;
-		}
-	} else {
-		/* any other prefix */
-		if (node->data[ISC_IS6(family)] == NULL) {
-			if (pos)
-				node->data[ISC_IS6(family)] = &dns_iptable_pos;
-			else
-				node->data[ISC_IS6(family)] = &dns_iptable_neg;
-		}
-	}
-
-	isc_refcount_destroy(&pfx.refcount);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Merge one IP table into another one.
- */
-isc_result_t
-dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos)
-{
-	isc_result_t result;
-	isc_radix_node_t *node, *new_node;
-	int max_node = 0;
-
-	RADIX_WALK (source->radix->head, node) {
-		new_node = NULL;
-		result = isc_radix_insert (tab->radix, &new_node, node, NULL);
-
-		if (result != ISC_R_SUCCESS)
-			return(result);
-
-		/*
-		 * If we're negating a nested ACL, then we should
-		 * reverse the sense of every node.  However, this
-		 * could lead to a negative node in a nested ACL
-		 * becoming a positive match in the parent, which
-		 * could be a security risk.  To prevent this, we
-		 * just leave the negative nodes negative.
-		 */
-		if (!pos) {
-			if (node->data[0] &&
-			    *(isc_boolean_t *) node->data[0] == ISC_TRUE)
-				new_node->data[0] = &dns_iptable_neg;
-
-			if (node->data[1] &&
-			    *(isc_boolean_t *) node->data[1] == ISC_TRUE)
-				new_node->data[1] = &dns_iptable_neg;
-		}
-
-		if (node->node_num[0] > max_node)
-			max_node = node->node_num[0];
-		if (node->node_num[1] > max_node)
-			max_node = node->node_num[1];
-	} RADIX_WALK_END;
-
-	tab->radix->num_added_node += max_node;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target) {
-	REQUIRE(DNS_IPTABLE_VALID(source));
-	isc_refcount_increment(&source->refcount, NULL);
-	*target = source;
-}
-
-void
-dns_iptable_detach(dns_iptable_t **tabp) {
-	dns_iptable_t *tab = *tabp;
-	unsigned int refs;
-	REQUIRE(DNS_IPTABLE_VALID(tab));
-	isc_refcount_decrement(&tab->refcount, &refs);
-	if (refs == 0)
-		destroy_iptable(tab);
-	*tabp = NULL;
-}
-
-static void
-destroy_iptable(dns_iptable_t *dtab) {
-
-	REQUIRE(DNS_IPTABLE_VALID(dtab));
-
-	if (dtab->radix != NULL) {
-		isc_radix_destroy(dtab->radix, NULL);
-		dtab->radix = NULL;
-	}
-
-	isc_refcount_destroy(&dtab->refcount);
-	dtab->magic = 0;
-	isc_mem_putanddetach(&dtab->mctx, dtab, sizeof(*dtab));
-}
diff --git a/contrib/bind9/lib/dns/journal.c b/contrib/bind9/lib/dns/journal.c
deleted file mode 100644
index 022a3e2..0000000
--- a/contrib/bind9/lib/dns/journal.c
+++ /dev/null
@@ -1,2337 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: journal.c,v 1.120 2011/12/22 07:32:41 each Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/compress.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/fixedname.h>
-#include <dns/journal.h>
-#include <dns/log.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-
-/*! \file
- * \brief Journaling.
- *
- * A journal file consists of
- *
- *   \li A fixed-size header of type journal_rawheader_t.
- *
- *   \li The index.  This is an unordered array of index entries
- *     of type journal_rawpos_t giving the locations
- *     of some arbitrary subset of the journal's addressable
- *     transactions.  The index entries are used as hints to
- *     speed up the process of locating a transaction with a given
- *     serial number.  Unused index entries have an "offset"
- *     field of zero.  The size of the index can vary between
- *     journal files, but does not change during the lifetime
- *     of a file.  The size can be zero.
- *
- *   \li The journal data.  This  consists of one or more transactions.
- *     Each transaction begins with a transaction header of type
- *     journal_rawxhdr_t.  The transaction header is followed by a
- *     sequence of RRs, similar in structure to an IXFR difference
- *     sequence (RFC1995).  That is, the pre-transaction SOA,
- *     zero or more other deleted RRs, the post-transaction SOA,
- *     and zero or more other added RRs.  Unlike in IXFR, each RR
- *     is prefixed with a 32-bit length.
- *
- *     The journal data part grows as new transactions are
- *     appended to the file.  Only those transactions
- *     whose serial number is current-(2^31-1) to current
- *     are considered "addressable" and may be pointed
- *     to from the header or index.  They may be preceded
- *     by old transactions that are no longer addressable,
- *     and they may be followed by transactions that were
- *     appended to the journal but never committed by updating
- *     the "end" position in the header.  The latter will
- *     be overwritten when new transactions are added.
- */
-/*%
- * When true, accept IXFR difference sequences where the
- * SOA serial number does not change (BIND 8 sends such
- * sequences).
- */
-static isc_boolean_t bind8_compat = ISC_TRUE; /* XXX config */
-
-/**************************************************************************/
-/*
- * Miscellaneous utilities.
- */
-
-#define JOURNAL_COMMON_LOGARGS \
-	dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_JOURNAL
-
-#define JOURNAL_DEBUG_LOGARGS(n) \
-	JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
-
-/*%
- * It would be non-sensical (or at least obtuse) to use FAIL() with an
- * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAIL(code) \
-	do { result = (code);					\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-#define CHECK(op) \
-	do { result = (op); 					\
-		if (result != ISC_R_SUCCESS) goto failure; 	\
-	} while (0)
-
-#define JOURNAL_SERIALSET	0x01U
-
-static isc_result_t index_to_disk(dns_journal_t *);
-
-static inline isc_uint32_t
-decode_uint32(unsigned char *p) {
-	return ((p[0] << 24) +
-		(p[1] << 16) +
-		(p[2] <<  8) +
-		(p[3] <<  0));
-}
-
-static inline void
-encode_uint32(isc_uint32_t val, unsigned char *p) {
-	p[0] = (isc_uint8_t)(val >> 24);
-	p[1] = (isc_uint8_t)(val >> 16);
-	p[2] = (isc_uint8_t)(val >>  8);
-	p[3] = (isc_uint8_t)(val >>  0);
-}
-
-isc_result_t
-dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
-		      dns_diffop_t op, dns_difftuple_t **tp)
-{
-	isc_result_t result;
-	dns_dbnode_t *node;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_name_t *zonename;
-
-	zonename = dns_db_origin(db);
-
-	node = NULL;
-	result = dns_db_findnode(db, zonename, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto nonode;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
-				     (isc_stdtime_t)0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto freenode;
-
-	result = dns_rdataset_first(&rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto freenode;
-
-	dns_rdataset_current(&rdataset, &rdata);
-
-	result = dns_difftuple_create(mctx, op, zonename, rdataset.ttl,
-				      &rdata, tp);
-
-	dns_rdataset_disassociate(&rdataset);
-	dns_db_detachnode(db, &node);
-	return (result);
-
- freenode:
-	dns_db_detachnode(db, &node);
- nonode:
-	UNEXPECTED_ERROR(__FILE__, __LINE__, "missing SOA");
-	return (result);
-}
-
-/* Journaling */
-
-/*%
- * On-disk representation of a "pointer" to a journal entry.
- * These are used in the journal header to locate the beginning
- * and end of the journal, and in the journal index to locate
- * other transactions.
- */
-typedef struct {
-	unsigned char	serial[4];  /*%< SOA serial before update. */
-	/*
-	 * XXXRTH  Should offset be 8 bytes?
-	 * XXXDCL ... probably, since isc_offset_t is 8 bytes on many OSs.
-	 * XXXAG  ... but we will not be able to seek >2G anyway on many
-	 *            platforms as long as we are using fseek() rather
-	 *            than lseek().
-	 */
-	unsigned char	offset[4];  /*%< Offset from beginning of file. */
-} journal_rawpos_t;
-
-
-/*%
- * The header is of a fixed size, with some spare room for future
- * extensions.
- */
-#define JOURNAL_HEADER_SIZE 64 /* Bytes. */
-
-/*%
- * The on-disk representation of the journal header.
- * All numbers are stored in big-endian order.
- */
-typedef union {
-	struct {
-		/*% File format version ID. */
-		unsigned char 		format[16];
-		/*% Position of the first addressable transaction */
-		journal_rawpos_t 	begin;
-		/*% Position of the next (yet nonexistent) transaction. */
-		journal_rawpos_t 	end;
-		/*% Number of index entries following the header. */
-		unsigned char 		index_size[4];
-		/*% Source serial number. */
-		unsigned char           sourceserial[4];
-		unsigned char           flags;
-	} h;
-	/* Pad the header to a fixed size. */
-	unsigned char pad[JOURNAL_HEADER_SIZE];
-} journal_rawheader_t;
-
-/*%
- * The on-disk representation of the transaction header.
- * There is one of these at the beginning of each transaction.
- */
-typedef struct {
-	unsigned char	size[4]; 	/*%< In bytes, excluding header. */
-	unsigned char	serial0[4];	/*%< SOA serial before update. */
-	unsigned char	serial1[4];	/*%< SOA serial after update. */
-} journal_rawxhdr_t;
-
-/*%
- * The on-disk representation of the RR header.
- * There is one of these at the beginning of each RR.
- */
-typedef struct {
-	unsigned char	size[4]; 	/*%< In bytes, excluding header. */
-} journal_rawrrhdr_t;
-
-/*%
- * The in-core representation of the journal header.
- */
-typedef struct {
-	isc_uint32_t	serial;
-	isc_offset_t	offset;
-} journal_pos_t;
-
-#define POS_VALID(pos) 		((pos).offset != 0)
-#define POS_INVALIDATE(pos) 	((pos).offset = 0, (pos).serial = 0)
-
-typedef struct {
-	unsigned char 	format[16];
-	journal_pos_t 	begin;
-	journal_pos_t 	end;
-	isc_uint32_t	index_size;
-	isc_uint32_t	sourceserial;
-	isc_boolean_t	serialset;
-} journal_header_t;
-
-/*%
- * The in-core representation of the transaction header.
- */
-
-typedef struct {
-	isc_uint32_t	size;
-	isc_uint32_t	serial0;
-	isc_uint32_t	serial1;
-} journal_xhdr_t;
-
-/*%
- * The in-core representation of the RR header.
- */
-typedef struct {
-	isc_uint32_t	size;
-} journal_rrhdr_t;
-
-
-/*%
- * Initial contents to store in the header of a newly created
- * journal file.
- *
- * The header starts with the magic string ";BIND LOG V9\n"
- * to identify the file as a BIND 9 journal file.  An ASCII
- * identification string is used rather than a binary magic
- * number to be consistent with BIND 8 (BIND 8 journal files
- * are ASCII text files).
- */
-
-static journal_header_t
-initial_journal_header = { ";BIND LOG V9\n", { 0, 0 }, { 0, 0 }, 0, 0, 0 };
-
-#define JOURNAL_EMPTY(h) ((h)->begin.offset == (h)->end.offset)
-
-typedef enum {
-	JOURNAL_STATE_INVALID,
-	JOURNAL_STATE_READ,
-	JOURNAL_STATE_WRITE,
-	JOURNAL_STATE_TRANSACTION,
-	JOURNAL_STATE_INLINE
-} journal_state_t;
-
-struct dns_journal {
-	unsigned int		magic;		/*%< JOUR */
-	isc_mem_t		*mctx;		/*%< Memory context */
-	journal_state_t		state;
-	const char 		*filename;	/*%< Journal file name */
-	FILE *			fp;		/*%< File handle */
-	isc_offset_t		offset;		/*%< Current file offset */
-	journal_header_t 	header;		/*%< In-core journal header */
-	unsigned char		*rawindex;	/*%< In-core buffer for journal index in on-disk format */
-	journal_pos_t		*index;		/*%< In-core journal index */
-
-	/*% Current transaction state (when writing). */
-	struct {
-		unsigned int	n_soa;		/*%< Number of SOAs seen */
-		journal_pos_t	pos[2];		/*%< Begin/end position */
-	} x;
-
-	/*% Iteration state (when reading). */
-	struct {
-		/* These define the part of the journal we iterate over. */
-		journal_pos_t bpos;		/*%< Position before first, */
-		journal_pos_t epos;		/*%< and after last transaction */
-		/* The rest is iterator state. */
-		isc_uint32_t current_serial;	/*%< Current SOA serial */
-		isc_buffer_t source;		/*%< Data from disk */
-		isc_buffer_t target;		/*%< Data from _fromwire check */
-		dns_decompress_t dctx;		/*%< Dummy decompression ctx */
-		dns_name_t name;		/*%< Current domain name */
-		dns_rdata_t rdata;		/*%< Current rdata */
-		isc_uint32_t ttl;		/*%< Current TTL */
-		unsigned int xsize;		/*%< Size of transaction data */
-		unsigned int xpos;		/*%< Current position in it */
-		isc_result_t result;		/*%< Result of last call */
-	} it;
-};
-
-#define DNS_JOURNAL_MAGIC	ISC_MAGIC('J', 'O', 'U', 'R')
-#define DNS_JOURNAL_VALID(t)	ISC_MAGIC_VALID(t, DNS_JOURNAL_MAGIC)
-
-static void
-journal_pos_decode(journal_rawpos_t *raw, journal_pos_t *cooked) {
-	cooked->serial = decode_uint32(raw->serial);
-	cooked->offset = decode_uint32(raw->offset);
-}
-
-static void
-journal_pos_encode(journal_rawpos_t *raw, journal_pos_t *cooked) {
-	encode_uint32(cooked->serial, raw->serial);
-	encode_uint32(cooked->offset, raw->offset);
-}
-
-static void
-journal_header_decode(journal_rawheader_t *raw, journal_header_t *cooked) {
-	INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
-	memcpy(cooked->format, raw->h.format, sizeof(cooked->format));
-	journal_pos_decode(&raw->h.begin, &cooked->begin);
-	journal_pos_decode(&raw->h.end, &cooked->end);
-	cooked->index_size = decode_uint32(raw->h.index_size);
-	cooked->sourceserial = decode_uint32(raw->h.sourceserial);
-	cooked->serialset = ISC_TF(raw->h.flags & JOURNAL_SERIALSET);
-}
-
-static void
-journal_header_encode(journal_header_t *cooked, journal_rawheader_t *raw) {
-	unsigned char flags = 0;
-
-	INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
-	memset(raw->pad, 0, sizeof(raw->pad));
-	memcpy(raw->h.format, cooked->format, sizeof(raw->h.format));
-	journal_pos_encode(&raw->h.begin, &cooked->begin);
-	journal_pos_encode(&raw->h.end, &cooked->end);
-	encode_uint32(cooked->index_size, raw->h.index_size);
-	encode_uint32(cooked->sourceserial, raw->h.sourceserial);
-	if (cooked->serialset)
-		flags |= JOURNAL_SERIALSET;
-	raw->h.flags = flags;
-}
-
-/*
- * Journal file I/O subroutines, with error checking and reporting.
- */
-static isc_result_t
-journal_seek(dns_journal_t *j, isc_uint32_t offset) {
-	isc_result_t result;
-	result = isc_stdio_seek(j->fp, (long)offset, SEEK_SET);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: seek: %s", j->filename,
-			      isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-	j->offset = offset;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_read(dns_journal_t *j, void *mem, size_t nbytes) {
-	isc_result_t result;
-
-	result = isc_stdio_read(mem, 1, nbytes, j->fp, NULL);
-	if (result != ISC_R_SUCCESS) {
-		if (result == ISC_R_EOF)
-			return (ISC_R_NOMORE);
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: read: %s",
-			      j->filename, isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-	j->offset += nbytes;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_write(dns_journal_t *j, void *mem, size_t nbytes) {
-	isc_result_t result;
-
-	result = isc_stdio_write(mem, 1, nbytes, j->fp, NULL);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: write: %s",
-			      j->filename, isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-	j->offset += nbytes;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_fsync(dns_journal_t *j) {
-	isc_result_t result;
-	result = isc_stdio_flush(j->fp);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: flush: %s",
-			      j->filename, isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-	result = isc_stdio_sync(j->fp);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: fsync: %s",
-			      j->filename, isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Read/write a transaction header at the current file position.
- */
-
-static isc_result_t
-journal_read_xhdr(dns_journal_t *j, journal_xhdr_t *xhdr) {
-	journal_rawxhdr_t raw;
-	isc_result_t result;
-	result = journal_read(j, &raw, sizeof(raw));
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	xhdr->size = decode_uint32(raw.size);
-	xhdr->serial0 = decode_uint32(raw.serial0);
-	xhdr->serial1 = decode_uint32(raw.serial1);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_write_xhdr(dns_journal_t *j, isc_uint32_t size,
-		   isc_uint32_t serial0, isc_uint32_t serial1)
-{
-	journal_rawxhdr_t raw;
-	encode_uint32(size, raw.size);
-	encode_uint32(serial0, raw.serial0);
-	encode_uint32(serial1, raw.serial1);
-	return (journal_write(j, &raw, sizeof(raw)));
-}
-
-
-/*
- * Read an RR header at the current file position.
- */
-
-static isc_result_t
-journal_read_rrhdr(dns_journal_t *j, journal_rrhdr_t *rrhdr) {
-	journal_rawrrhdr_t raw;
-	isc_result_t result;
-	result = journal_read(j, &raw, sizeof(raw));
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	rrhdr->size = decode_uint32(raw.size);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_file_create(isc_mem_t *mctx, const char *filename) {
-	FILE *fp = NULL;
-	isc_result_t result;
-	journal_header_t header;
-	journal_rawheader_t rawheader;
-	int index_size = 56; /* XXX configurable */
-	int size;
-	void *mem; /* Memory for temporary index image. */
-
-	INSIST(sizeof(journal_rawheader_t) == JOURNAL_HEADER_SIZE);
-
-	result = isc_stdio_open(filename, "wb", &fp);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: create: %s",
-			      filename, isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	header = initial_journal_header;
-	header.index_size = index_size;
-	journal_header_encode(&header, &rawheader);
-
-	size = sizeof(journal_rawheader_t) +
-		index_size * sizeof(journal_rawpos_t);
-
-	mem = isc_mem_get(mctx, size);
-	if (mem == NULL) {
-		(void)isc_stdio_close(fp);
-		(void)isc_file_remove(filename);
-		return (ISC_R_NOMEMORY);
-	}
-	memset(mem, 0, size);
-	memcpy(mem, &rawheader, sizeof(rawheader));
-
-	result = isc_stdio_write(mem, 1, (size_t) size, fp, NULL);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: write: %s",
-				 filename, isc_result_totext(result));
-		(void)isc_stdio_close(fp);
-		(void)isc_file_remove(filename);
-		isc_mem_put(mctx, mem, size);
-		return (ISC_R_UNEXPECTED);
-	}
-	isc_mem_put(mctx, mem, size);
-
-	result = isc_stdio_close(fp);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: close: %s",
-				 filename, isc_result_totext(result));
-		(void)isc_file_remove(filename);
-		return (ISC_R_UNEXPECTED);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
-	     isc_boolean_t create, dns_journal_t **journalp)
-{
-	FILE *fp = NULL;
-	isc_result_t result;
-	journal_rawheader_t rawheader;
-	dns_journal_t *j;
-
-	INSIST(journalp != NULL && *journalp == NULL);
-	j = isc_mem_get(mctx, sizeof(*j));
-	if (j == NULL)
-		return (ISC_R_NOMEMORY);
-
-	j->mctx = NULL;
-	isc_mem_attach(mctx, &j->mctx);
-	j->state = JOURNAL_STATE_INVALID;
-	j->fp = NULL;
-	j->filename = filename;
-	j->index = NULL;
-	j->rawindex = NULL;
-
-	result = isc_stdio_open(j->filename, write ? "rb+" : "rb", &fp);
-
-	if (result == ISC_R_FILENOTFOUND) {
-		if (create) {
-			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(1),
-				      "journal file %s does not exist, "
-				      "creating it", j->filename);
-			CHECK(journal_file_create(mctx, filename));
-			/*
-			 * Retry.
-			 */
-			result = isc_stdio_open(j->filename, "rb+", &fp);
-		} else {
-			FAIL(ISC_R_NOTFOUND);
-		}
-	}
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: open: %s",
-			      j->filename, isc_result_totext(result));
-		FAIL(ISC_R_UNEXPECTED);
-	}
-
-	j->fp = fp;
-
-	/*
-	 * Set magic early so that seek/read can succeed.
-	 */
-	j->magic = DNS_JOURNAL_MAGIC;
-
-	CHECK(journal_seek(j, 0));
-	CHECK(journal_read(j, &rawheader, sizeof(rawheader)));
-
-	if (memcmp(rawheader.h.format, initial_journal_header.format,
-		   sizeof(initial_journal_header.format)) != 0) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: journal format not recognized",
-				 j->filename);
-		FAIL(ISC_R_UNEXPECTED);
-	}
-	journal_header_decode(&rawheader, &j->header);
-
-	/*
-	 * If there is an index, read the raw index into a dynamically
-	 * allocated buffer and then convert it into a cooked index.
-	 */
-	if (j->header.index_size != 0) {
-		unsigned int i;
-		unsigned int rawbytes;
-		unsigned char *p;
-
-		rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
-		j->rawindex = isc_mem_get(mctx, rawbytes);
-		if (j->rawindex == NULL)
-			FAIL(ISC_R_NOMEMORY);
-
-		CHECK(journal_read(j, j->rawindex, rawbytes));
-
-		j->index = isc_mem_get(mctx, j->header.index_size *
-				       sizeof(journal_pos_t));
-		if (j->index == NULL)
-			FAIL(ISC_R_NOMEMORY);
-
-		p = j->rawindex;
-		for (i = 0; i < j->header.index_size; i++) {
-			j->index[i].serial = decode_uint32(p);
-			p += 4;
-			j->index[i].offset = decode_uint32(p);
-			p += 4;
-		}
-		INSIST(p == j->rawindex + rawbytes);
-	}
-	j->offset = -1; /* Invalid, must seek explicitly. */
-
-	/*
-	 * Initialize the iterator.
-	 */
-	dns_name_init(&j->it.name, NULL);
-	dns_rdata_init(&j->it.rdata);
-
-	/*
-	 * Set up empty initial buffers for unchecked and checked
-	 * wire format RR data.  They will be reallocated
-	 * later.
-	 */
-	isc_buffer_init(&j->it.source, NULL, 0);
-	isc_buffer_init(&j->it.target, NULL, 0);
-	dns_decompress_init(&j->it.dctx, -1, DNS_DECOMPRESS_NONE);
-
-	j->state =
-		write ? JOURNAL_STATE_WRITE : JOURNAL_STATE_READ;
-
-	*journalp = j;
-	return (ISC_R_SUCCESS);
-
- failure:
-	j->magic = 0;
-	if (j->index != NULL) {
-		isc_mem_put(j->mctx, j->index, j->header.index_size *
-			    sizeof(journal_rawpos_t));
-		j->index = NULL;
-	}
-	if (j->fp != NULL)
-		(void)isc_stdio_close(j->fp);
-	isc_mem_putanddetach(&j->mctx, j, sizeof(*j));
-	return (result);
-}
-
-isc_result_t
-dns_journal_open(isc_mem_t *mctx, const char *filename, unsigned int mode,
-		 dns_journal_t **journalp)
-{
-	isc_result_t result;
-	int namelen;
-	char backup[1024];
-	isc_boolean_t write, create;
-
-	create = ISC_TF(mode & DNS_JOURNAL_CREATE);
-	write = ISC_TF(mode & (DNS_JOURNAL_WRITE|DNS_JOURNAL_CREATE));
-
-	result = journal_open(mctx, filename, write, create, journalp);
-	if (result == ISC_R_NOTFOUND) {
-		namelen = strlen(filename);
-		if (namelen > 4 && strcmp(filename + namelen - 4, ".jnl") == 0)
-			namelen -= 4;
-
-		result = isc_string_printf(backup, sizeof(backup), "%.*s.jbk",
-					   namelen, filename);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = journal_open(mctx, backup, write, write, journalp);
-	}
-	return (result);
-}
-
-/*
- * A comparison function defining the sorting order for
- * entries in the IXFR-style journal file.
- *
- * The IXFR format requires that deletions are sorted before
- * additions, and within either one, SOA records are sorted
- * before others.
- *
- * Also sort the non-SOA records by type as a courtesy to the
- * server receiving the IXFR - it may help reduce the amount of
- * rdataset merging it has to do.
- */
-static int
-ixfr_order(const void *av, const void *bv) {
-	dns_difftuple_t const * const *ap = av;
-	dns_difftuple_t const * const *bp = bv;
-	dns_difftuple_t const *a = *ap;
-	dns_difftuple_t const *b = *bp;
-	int r;
-	int bop = 0, aop = 0;
-
-	switch (a->op) {
-	case DNS_DIFFOP_DEL:
-	case DNS_DIFFOP_DELRESIGN:
-		aop = 1;
-		break;
-	case DNS_DIFFOP_ADD:
-	case DNS_DIFFOP_ADDRESIGN:
-		aop = 0;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	switch (b->op) {
-	case DNS_DIFFOP_DEL:
-	case DNS_DIFFOP_DELRESIGN:
-		bop = 1;
-		break;
-	case DNS_DIFFOP_ADD:
-	case DNS_DIFFOP_ADDRESIGN:
-		bop = 0;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	r = bop - aop;
-	if (r != 0)
-		return (r);
-
-	r = (b->rdata.type == dns_rdatatype_soa) -
-		(a->rdata.type == dns_rdatatype_soa);
-	if (r != 0)
-		return (r);
-
-	r = (a->rdata.type - b->rdata.type);
-	return (r);
-}
-
-/*
- * Advance '*pos' to the next journal transaction.
- *
- * Requires:
- *	*pos refers to a valid journal transaction.
- *
- * Ensures:
- *	When ISC_R_SUCCESS is returned,
- *	*pos refers to the next journal transaction.
- *
- * Returns one of:
- *
- *    ISC_R_SUCCESS
- *    ISC_R_NOMORE 	*pos pointed at the last transaction
- *    Other results due to file errors are possible.
- */
-static isc_result_t
-journal_next(dns_journal_t *j, journal_pos_t *pos) {
-	isc_result_t result;
-	journal_xhdr_t xhdr;
-	REQUIRE(DNS_JOURNAL_VALID(j));
-
-	result = journal_seek(j, pos->offset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (pos->serial == j->header.end.serial)
-		return (ISC_R_NOMORE);
-	/*
-	 * Read the header of the current transaction.
-	 * This will return ISC_R_NOMORE if we are at EOF.
-	 */
-	result = journal_read_xhdr(j, &xhdr);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Check serial number consistency.
-	 */
-	if (xhdr.serial0 != pos->serial) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: journal file corrupt: "
-			      "expected serial %u, got %u",
-			      j->filename, pos->serial, xhdr.serial0);
-		return (ISC_R_UNEXPECTED);
-	}
-
-	/*
-	 * Check for offset wraparound.
-	 */
-	if ((isc_offset_t)(pos->offset + sizeof(journal_rawxhdr_t) + xhdr.size)
-	    < pos->offset) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: offset too large", j->filename);
-		return (ISC_R_UNEXPECTED);
-	}
-
-	pos->offset += sizeof(journal_rawxhdr_t) + xhdr.size;
-	pos->serial = xhdr.serial1;
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * If the index of the journal 'j' contains an entry "better"
- * than '*best_guess', replace '*best_guess' with it.
- *
- * "Better" means having a serial number closer to 'serial'
- * but not greater than 'serial'.
- */
-static void
-index_find(dns_journal_t *j, isc_uint32_t serial, journal_pos_t *best_guess) {
-	unsigned int i;
-	if (j->index == NULL)
-		return;
-	for (i = 0; i < j->header.index_size; i++) {
-		if (POS_VALID(j->index[i]) &&
-		    DNS_SERIAL_GE(serial, j->index[i].serial) &&
-		    DNS_SERIAL_GT(j->index[i].serial, best_guess->serial))
-			*best_guess = j->index[i];
-	}
-}
-
-/*
- * Add a new index entry.  If there is no room, make room by removing
- * the odd-numbered entries and compacting the others into the first
- * half of the index.  This decimates old index entries exponentially
- * over time, so that the index always contains a much larger fraction
- * of recent serial numbers than of old ones.  This is deliberate -
- * most index searches are for outgoing IXFR, and IXFR tends to request
- * recent versions more often than old ones.
- */
-static void
-index_add(dns_journal_t *j, journal_pos_t *pos) {
-	unsigned int i;
-	if (j->index == NULL)
-		return;
-	/*
-	 * Search for a vacant position.
-	 */
-	for (i = 0; i < j->header.index_size; i++) {
-		if (! POS_VALID(j->index[i]))
-			break;
-	}
-	if (i == j->header.index_size) {
-		unsigned int k = 0;
-		/*
-		 * Found no vacant position.  Make some room.
-		 */
-		for (i = 0; i < j->header.index_size; i += 2) {
-			j->index[k++] = j->index[i];
-		}
-		i = k; /* 'i' identifies the first vacant position. */
-		while (k < j->header.index_size) {
-			POS_INVALIDATE(j->index[k]);
-			k++;
-		}
-	}
-	INSIST(i < j->header.index_size);
-	INSIST(! POS_VALID(j->index[i]));
-
-	/*
-	 * Store the new index entry.
-	 */
-	j->index[i] = *pos;
-}
-
-/*
- * Invalidate any existing index entries that could become
- * ambiguous when a new transaction with number 'serial' is added.
- */
-static void
-index_invalidate(dns_journal_t *j, isc_uint32_t serial) {
-	unsigned int i;
-	if (j->index == NULL)
-		return;
-	for (i = 0; i < j->header.index_size; i++) {
-		if (! DNS_SERIAL_GT(serial, j->index[i].serial))
-			POS_INVALIDATE(j->index[i]);
-	}
-}
-
-/*
- * Try to find a transaction with initial serial number 'serial'
- * in the journal 'j'.
- *
- * If found, store its position at '*pos' and return ISC_R_SUCCESS.
- *
- * If 'serial' is current (= the ending serial number of the
- * last transaction in the journal), set '*pos' to
- * the position immediately following the last transaction and
- * return ISC_R_SUCCESS.
- *
- * If 'serial' is within the range of addressable serial numbers
- * covered by the journal but that particular serial number is missing
- * (from the journal, not just from the index), return ISC_R_NOTFOUND.
- *
- * If 'serial' is outside the range of addressable serial numbers
- * covered by the journal, return ISC_R_RANGE.
- *
- */
-static isc_result_t
-journal_find(dns_journal_t *j, isc_uint32_t serial, journal_pos_t *pos) {
-	isc_result_t result;
-	journal_pos_t current_pos;
-	REQUIRE(DNS_JOURNAL_VALID(j));
-
-	if (DNS_SERIAL_GT(j->header.begin.serial, serial))
-		return (ISC_R_RANGE);
-	if (DNS_SERIAL_GT(serial, j->header.end.serial))
-		return (ISC_R_RANGE);
-	if (serial == j->header.end.serial) {
-		*pos = j->header.end;
-		return (ISC_R_SUCCESS);
-	}
-
-	current_pos = j->header.begin;
-	index_find(j, serial, &current_pos);
-
-	while (current_pos.serial != serial) {
-		if (DNS_SERIAL_GT(current_pos.serial, serial))
-			return (ISC_R_NOTFOUND);
-		result = journal_next(j, &current_pos);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	*pos = current_pos;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_journal_begin_transaction(dns_journal_t *j) {
-	isc_uint32_t offset;
-	isc_result_t result;
-	journal_rawxhdr_t hdr;
-
-	REQUIRE(DNS_JOURNAL_VALID(j));
-	REQUIRE(j->state == JOURNAL_STATE_WRITE ||
-		j->state == JOURNAL_STATE_INLINE);
-
-	/*
-	 * Find the file offset where the new transaction should
-	 * be written, and seek there.
-	 */
-	if (JOURNAL_EMPTY(&j->header)) {
-		offset = sizeof(journal_rawheader_t) +
-			j->header.index_size * sizeof(journal_rawpos_t);
-	} else {
-		offset = j->header.end.offset;
-	}
-	j->x.pos[0].offset = offset;
-	j->x.pos[1].offset = offset; /* Initial value, will be incremented. */
-	j->x.n_soa = 0;
-
-	CHECK(journal_seek(j, offset));
-
-	/*
-	 * Write a dummy transaction header of all zeroes to reserve
-	 * space.  It will be filled in when the transaction is
-	 * finished.
-	 */
-	memset(&hdr, 0, sizeof(hdr));
-	CHECK(journal_write(j, &hdr, sizeof(hdr)));
-	j->x.pos[1].offset = j->offset;
-
-	j->state = JOURNAL_STATE_TRANSACTION;
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-isc_result_t
-dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
-	dns_difftuple_t *t;
-	isc_buffer_t buffer;
-	void *mem = NULL;
-	unsigned int size;
-	isc_result_t result;
-	isc_region_t used;
-
-	REQUIRE(DNS_DIFF_VALID(diff));
-	REQUIRE(j->state == JOURNAL_STATE_TRANSACTION);
-
-	isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "writing to journal");
-	(void)dns_diff_print(diff, NULL);
-
-	/*
-	 * Pass 1: determine the buffer size needed, and
-	 * keep track of SOA serial numbers.
-	 */
-	size = 0;
-	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		if (t->rdata.type == dns_rdatatype_soa) {
-			if (j->x.n_soa < 2)
-				j->x.pos[j->x.n_soa].serial =
-					dns_soa_getserial(&t->rdata);
-			j->x.n_soa++;
-		}
-		size += sizeof(journal_rawrrhdr_t);
-		size += t->name.length; /* XXX should have access macro? */
-		size += 10;
-		size += t->rdata.length;
-	}
-
-	mem = isc_mem_get(j->mctx, size);
-	if (mem == NULL)
-		return (ISC_R_NOMEMORY);
-
-	isc_buffer_init(&buffer, mem, size);
-
-	/*
-	 * Pass 2.  Write RRs to buffer.
-	 */
-	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		/*
-		 * Write the RR header.
-		 */
-		isc_buffer_putuint32(&buffer, t->name.length + 10 +
-				     t->rdata.length);
-		/*
-		 * Write the owner name, RR header, and RR data.
-		 */
-		isc_buffer_putmem(&buffer, t->name.ndata, t->name.length);
-		isc_buffer_putuint16(&buffer, t->rdata.type);
-		isc_buffer_putuint16(&buffer, t->rdata.rdclass);
-		isc_buffer_putuint32(&buffer, t->ttl);
-		INSIST(t->rdata.length < 65536);
-		isc_buffer_putuint16(&buffer, (isc_uint16_t)t->rdata.length);
-		INSIST(isc_buffer_availablelength(&buffer) >= t->rdata.length);
-		isc_buffer_putmem(&buffer, t->rdata.data, t->rdata.length);
-	}
-
-	isc_buffer_usedregion(&buffer, &used);
-	INSIST(used.length == size);
-
-	j->x.pos[1].offset += used.length;
-
-	/*
-	 * Write the buffer contents to the journal file.
-	 */
-	CHECK(journal_write(j, used.base, used.length));
-
-	result = ISC_R_SUCCESS;
-
- failure:
-	if (mem != NULL)
-		isc_mem_put(j->mctx, mem, size);
-	return (result);
-
-}
-
-isc_result_t
-dns_journal_commit(dns_journal_t *j) {
-	isc_result_t result;
-	journal_rawheader_t rawheader;
-
-	REQUIRE(DNS_JOURNAL_VALID(j));
-	REQUIRE(j->state == JOURNAL_STATE_TRANSACTION ||
-		j->state == JOURNAL_STATE_INLINE);
-
-	/*
-	 * Just write out a updated header.
-	 */
-	if (j->state == JOURNAL_STATE_INLINE) {
-		CHECK(journal_fsync(j));
-		journal_header_encode(&j->header, &rawheader);
-		CHECK(journal_seek(j, 0));
-		CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
-		CHECK(journal_fsync(j));
-		j->state = JOURNAL_STATE_WRITE;
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * Perform some basic consistency checks.
-	 */
-	if (j->x.n_soa != 2) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: malformed transaction: %d SOAs",
-			      j->filename, j->x.n_soa);
-		return (ISC_R_UNEXPECTED);
-	}
-	if (! (DNS_SERIAL_GT(j->x.pos[1].serial, j->x.pos[0].serial) ||
-	       (bind8_compat &&
-		j->x.pos[1].serial == j->x.pos[0].serial)))
-	{
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "%s: malformed transaction: serial number "
-			      "would decrease", j->filename);
-		return (ISC_R_UNEXPECTED);
-	}
-	if (! JOURNAL_EMPTY(&j->header)) {
-		if (j->x.pos[0].serial != j->header.end.serial) {
-			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-					 "malformed transaction: "
-					 "%s last serial %u != "
-					 "transaction first serial %u",
-					 j->filename,
-					 j->header.end.serial,
-					 j->x.pos[0].serial);
-			return (ISC_R_UNEXPECTED);
-		}
-	}
-
-	/*
-	 * Some old journal entries may become non-addressable
-	 * when we increment the current serial number.  Purge them
-	 * by stepping header.begin forward to the first addressable
-	 * transaction.  Also purge them from the index.
-	 */
-	if (! JOURNAL_EMPTY(&j->header)) {
-		while (! DNS_SERIAL_GT(j->x.pos[1].serial,
-				       j->header.begin.serial)) {
-			CHECK(journal_next(j, &j->header.begin));
-		}
-		index_invalidate(j, j->x.pos[1].serial);
-	}
-#ifdef notyet
-	if (DNS_SERIAL_GT(last_dumped_serial, j->x.pos[1].serial)) {
-		force_dump(...);
-	}
-#endif
-
-	/*
-	 * Commit the transaction data to stable storage.
-	 */
-	CHECK(journal_fsync(j));
-
-	if (j->state == JOURNAL_STATE_TRANSACTION) {
-		isc_offset_t offset;
-		offset = (j->x.pos[1].offset - j->x.pos[0].offset) -
-				 sizeof(journal_rawxhdr_t);
-		/*
-		 * Update the transaction header.
-		 */
-		CHECK(journal_seek(j, j->x.pos[0].offset));
-		CHECK(journal_write_xhdr(j, offset, j->x.pos[0].serial,
-					 j->x.pos[1].serial));
-	}
-
-	/*
-	 * Update the journal header.
-	 */
-	if (JOURNAL_EMPTY(&j->header))
-		j->header.begin = j->x.pos[0];
-	j->header.end = j->x.pos[1];
-	journal_header_encode(&j->header, &rawheader);
-	CHECK(journal_seek(j, 0));
-	CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
-
-	/*
-	 * Update the index.
-	 */
-	index_add(j, &j->x.pos[0]);
-
-	/*
-	 * Convert the index into on-disk format and write
-	 * it to disk.
-	 */
-	CHECK(index_to_disk(j));
-
-	/*
-	 * Commit the header to stable storage.
-	 */
-	CHECK(journal_fsync(j));
-
-	/*
-	 * We no longer have a transaction open.
-	 */
-	j->state = JOURNAL_STATE_WRITE;
-
-	result = ISC_R_SUCCESS;
-
- failure:
-	return (result);
-}
-
-isc_result_t
-dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff) {
-	isc_result_t result;
-	CHECK(dns_diff_sort(diff, ixfr_order));
-	CHECK(dns_journal_begin_transaction(j));
-	CHECK(dns_journal_writediff(j, diff));
-	CHECK(dns_journal_commit(j));
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-void
-dns_journal_destroy(dns_journal_t **journalp) {
-	dns_journal_t *j = *journalp;
-	REQUIRE(DNS_JOURNAL_VALID(j));
-
-	j->it.result = ISC_R_FAILURE;
-	dns_name_invalidate(&j->it.name);
-	dns_decompress_invalidate(&j->it.dctx);
-	if (j->rawindex != NULL)
-		isc_mem_put(j->mctx, j->rawindex, j->header.index_size *
-			    sizeof(journal_rawpos_t));
-	if (j->index != NULL)
-		isc_mem_put(j->mctx, j->index, j->header.index_size *
-			    sizeof(journal_pos_t));
-	if (j->it.target.base != NULL)
-		isc_mem_put(j->mctx, j->it.target.base, j->it.target.length);
-	if (j->it.source.base != NULL)
-		isc_mem_put(j->mctx, j->it.source.base, j->it.source.length);
-
-	if (j->fp != NULL)
-		(void)isc_stdio_close(j->fp);
-	j->magic = 0;
-	isc_mem_putanddetach(&j->mctx, j, sizeof(*j));
-	*journalp = NULL;
-}
-
-/*
- * Roll the open journal 'j' into the database 'db'.
- * A new database version will be created.
- */
-
-/* XXX Share code with incoming IXFR? */
-
-static isc_result_t
-roll_forward(dns_journal_t *j, dns_db_t *db, unsigned int options,
-	     isc_uint32_t resign)
-{
-	isc_buffer_t source;		/* Transaction data from disk */
-	isc_buffer_t target;		/* Ditto after _fromwire check */
-	isc_uint32_t db_serial;		/* Database SOA serial */
-	isc_uint32_t end_serial;	/* Last journal SOA serial */
-	isc_result_t result;
-	dns_dbversion_t *ver = NULL;
-	journal_pos_t pos;
-	dns_diff_t diff;
-	unsigned int n_soa = 0;
-	unsigned int n_put = 0;
-	dns_diffop_t op;
-
-	REQUIRE(DNS_JOURNAL_VALID(j));
-	REQUIRE(DNS_DB_VALID(db));
-
-	dns_diff_init(j->mctx, &diff);
-	diff.resign = resign;
-
-	/*
-	 * Set up empty initial buffers for unchecked and checked
-	 * wire format transaction data.  They will be reallocated
-	 * later.
-	 */
-	isc_buffer_init(&source, NULL, 0);
-	isc_buffer_init(&target, NULL, 0);
-
-	/*
-	 * Create the new database version.
-	 */
-	CHECK(dns_db_newversion(db, &ver));
-
-	/*
-	 * Get the current database SOA serial number.
-	 */
-	CHECK(dns_db_getsoaserial(db, ver, &db_serial));
-
-	/*
-	 * Locate a journal entry for the current database serial.
-	 */
-	CHECK(journal_find(j, db_serial, &pos));
-	/*
-	 * XXX do more drastic things, like marking zone stale,
-	 * if this fails?
-	 */
-	/*
-	 * XXXRTH  The zone code should probably mark the zone as bad and
-	 *         scream loudly into the log if this is a dynamic update
-	 *	   log reply that failed.
-	 */
-
-	end_serial = dns_journal_last_serial(j);
-	if (db_serial == end_serial)
-		CHECK(DNS_R_UPTODATE);
-
-	CHECK(dns_journal_iter_init(j, db_serial, end_serial));
-
-	for (result = dns_journal_first_rr(j);
-	     result == ISC_R_SUCCESS;
-	     result = dns_journal_next_rr(j))
-	{
-		dns_name_t *name;
-		isc_uint32_t ttl;
-		dns_rdata_t *rdata;
-		dns_difftuple_t *tuple = NULL;
-
-		name = NULL;
-		rdata = NULL;
-		dns_journal_current_rr(j, &name, &ttl, &rdata);
-
-		if (rdata->type == dns_rdatatype_soa) {
-			n_soa++;
-			if (n_soa == 2)
-				db_serial = j->it.current_serial;
-		}
-
-		if (n_soa == 3)
-			n_soa = 1;
-		if (n_soa == 0) {
-			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-					 "%s: journal file corrupt: missing "
-					 "initial SOA", j->filename);
-			FAIL(ISC_R_UNEXPECTED);
-		}
-		if ((options & DNS_JOURNALOPT_RESIGN) != 0)
-			op = (n_soa == 1) ? DNS_DIFFOP_DELRESIGN :
-					    DNS_DIFFOP_ADDRESIGN;
-		else
-			op = (n_soa == 1) ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD;
-
-		CHECK(dns_difftuple_create(diff.mctx, op, name, ttl, rdata,
-					   &tuple));
-		dns_diff_append(&diff, &tuple);
-
-		if (++n_put > 100)  {
-			isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
-				      "%s: applying diff to database (%u)",
-				      j->filename, db_serial);
-			(void)dns_diff_print(&diff, NULL);
-			CHECK(dns_diff_apply(&diff, db, ver));
-			dns_diff_clear(&diff);
-			n_put = 0;
-		}
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	CHECK(result);
-
-	if (n_put != 0) {
-		isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
-			      "%s: applying final diff to database (%u)",
-			      j->filename, db_serial);
-		(void)dns_diff_print(&diff, NULL);
-		CHECK(dns_diff_apply(&diff, db, ver));
-		dns_diff_clear(&diff);
-	}
-
- failure:
-	if (ver != NULL)
-		dns_db_closeversion(db, &ver, result == ISC_R_SUCCESS ?
-				    ISC_TRUE : ISC_FALSE);
-
-	if (source.base != NULL)
-		isc_mem_put(j->mctx, source.base, source.length);
-	if (target.base != NULL)
-		isc_mem_put(j->mctx, target.base, target.length);
-
-	dns_diff_clear(&diff);
-
-	return (result);
-}
-
-isc_result_t
-dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db,
-			unsigned int options, const char *filename)
-{
-	REQUIRE((options & DNS_JOURNALOPT_RESIGN) == 0);
-	return (dns_journal_rollforward2(mctx, db, options, 0, filename));
-}
-
-isc_result_t
-dns_journal_rollforward2(isc_mem_t *mctx, dns_db_t *db, unsigned int options,
-			 isc_uint32_t resign, const char *filename)
-{
-	dns_journal_t *j;
-	isc_result_t result;
-
-	REQUIRE(DNS_DB_VALID(db));
-	REQUIRE(filename != NULL);
-
-	j = NULL;
-	result = dns_journal_open(mctx, filename, DNS_JOURNAL_READ, &j);
-	if (result == ISC_R_NOTFOUND) {
-		isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
-			      "no journal file, but that's OK");
-		return (DNS_R_NOJOURNAL);
-	}
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (JOURNAL_EMPTY(&j->header))
-		result = DNS_R_UPTODATE;
-	else
-		result = roll_forward(j, db, options, resign);
-
-	dns_journal_destroy(&j);
-
-	return (result);
-}
-
-isc_result_t
-dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
-	dns_journal_t *j;
-	isc_buffer_t source;		/* Transaction data from disk */
-	isc_buffer_t target;		/* Ditto after _fromwire check */
-	isc_uint32_t start_serial;		/* Database SOA serial */
-	isc_uint32_t end_serial;	/* Last journal SOA serial */
-	isc_result_t result;
-	dns_diff_t diff;
-	unsigned int n_soa = 0;
-	unsigned int n_put = 0;
-
-	REQUIRE(filename != NULL);
-
-	j = NULL;
-	result = dns_journal_open(mctx, filename, DNS_JOURNAL_READ, &j);
-	if (result == ISC_R_NOTFOUND) {
-		isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no journal file");
-		return (DNS_R_NOJOURNAL);
-	}
-
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-			      "journal open failure: %s: %s",
-			      isc_result_totext(result), filename);
-		return (result);
-	}
-
-	if (j->header.serialset)
-		fprintf(file, "Source serial = %u\n", j->header.sourceserial);
-	dns_diff_init(j->mctx, &diff);
-
-	/*
-	 * Set up empty initial buffers for unchecked and checked
-	 * wire format transaction data.  They will be reallocated
-	 * later.
-	 */
-	isc_buffer_init(&source, NULL, 0);
-	isc_buffer_init(&target, NULL, 0);
-
-	start_serial = dns_journal_first_serial(j);
-	end_serial = dns_journal_last_serial(j);
-
-	CHECK(dns_journal_iter_init(j, start_serial, end_serial));
-
-	for (result = dns_journal_first_rr(j);
-	     result == ISC_R_SUCCESS;
-	     result = dns_journal_next_rr(j))
-	{
-		dns_name_t *name;
-		isc_uint32_t ttl;
-		dns_rdata_t *rdata;
-		dns_difftuple_t *tuple = NULL;
-
-		name = NULL;
-		rdata = NULL;
-		dns_journal_current_rr(j, &name, &ttl, &rdata);
-
-		if (rdata->type == dns_rdatatype_soa)
-			n_soa++;
-
-		if (n_soa == 3)
-			n_soa = 1;
-		if (n_soa == 0) {
-			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				      "%s: journal file corrupt: missing "
-				      "initial SOA", j->filename);
-			FAIL(ISC_R_UNEXPECTED);
-		}
-		CHECK(dns_difftuple_create(diff.mctx, n_soa == 1 ?
-					   DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
-					   name, ttl, rdata, &tuple));
-		dns_diff_append(&diff, &tuple);
-
-		if (++n_put > 100)  {
-			result = dns_diff_print(&diff, file);
-			dns_diff_clear(&diff);
-			n_put = 0;
-			if (result != ISC_R_SUCCESS)
-				break;
-		}
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	CHECK(result);
-
-	if (n_put != 0) {
-		result = dns_diff_print(&diff, file);
-		dns_diff_clear(&diff);
-	}
-	goto cleanup;
-
- failure:
-	isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-		      "%s: cannot print: journal file corrupt", j->filename);
-
- cleanup:
-	if (source.base != NULL)
-		isc_mem_put(j->mctx, source.base, source.length);
-	if (target.base != NULL)
-		isc_mem_put(j->mctx, target.base, target.length);
-
-	dns_diff_clear(&diff);
-	dns_journal_destroy(&j);
-
-	return (result);
-}
-
-/**************************************************************************/
-/*
- * Miscellaneous accessors.
- */
-isc_uint32_t
-dns_journal_first_serial(dns_journal_t *j) {
-	return (j->header.begin.serial);
-}
-
-isc_uint32_t
-dns_journal_last_serial(dns_journal_t *j) {
-	return (j->header.end.serial);
-}
-
-void
-dns_journal_set_sourceserial(dns_journal_t *j, isc_uint32_t sourceserial) {
-
-	REQUIRE(j->state == JOURNAL_STATE_WRITE ||
-		j->state == JOURNAL_STATE_INLINE ||
-		j->state == JOURNAL_STATE_TRANSACTION);
-
-	j->header.sourceserial = sourceserial;
-	j->header.serialset = ISC_TRUE;
-	if (j->state == JOURNAL_STATE_WRITE)
-		j->state = JOURNAL_STATE_INLINE;
-}
-
-isc_boolean_t
-dns_journal_get_sourceserial(dns_journal_t *j, isc_uint32_t *sourceserial) {
-	REQUIRE(sourceserial != NULL);
-
-	if (!j->header.serialset)
-		return (ISC_FALSE);
-	*sourceserial = j->header.sourceserial;
-	return (ISC_TRUE);
-}
-
-/**************************************************************************/
-/*
- * Iteration support.
- *
- * When serving an outgoing IXFR, we transmit a part the journal starting
- * at the serial number in the IXFR request and ending at the serial
- * number that is current when the IXFR request arrives.  The ending
- * serial number is not necessarily at the end of the journal:
- * the journal may grow while the IXFR is in progress, but we stop
- * when we reach the serial number that was current when the IXFR started.
- */
-
-static isc_result_t read_one_rr(dns_journal_t *j);
-
-/*
- * Make sure the buffer 'b' is has at least 'size' bytes
- * allocated, and clear it.
- *
- * Requires:
- *	Either b->base is NULL, or it points to b->length bytes of memory
- *	previously allocated by isc_mem_get().
- */
-
-static isc_result_t
-size_buffer(isc_mem_t *mctx, isc_buffer_t *b, unsigned size) {
-	if (b->length < size) {
-		void *mem = isc_mem_get(mctx, size);
-		if (mem == NULL)
-			return (ISC_R_NOMEMORY);
-		if (b->base != NULL)
-			isc_mem_put(mctx, b->base, b->length);
-		b->base = mem;
-		b->length = size;
-	}
-	isc_buffer_clear(b);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_journal_iter_init(dns_journal_t *j,
-		      isc_uint32_t begin_serial, isc_uint32_t end_serial)
-{
-	isc_result_t result;
-
-	CHECK(journal_find(j, begin_serial, &j->it.bpos));
-	INSIST(j->it.bpos.serial == begin_serial);
-
-	CHECK(journal_find(j, end_serial, &j->it.epos));
-	INSIST(j->it.epos.serial == end_serial);
-
-	result = ISC_R_SUCCESS;
- failure:
-	j->it.result = result;
-	return (j->it.result);
-}
-
-
-isc_result_t
-dns_journal_first_rr(dns_journal_t *j) {
-	isc_result_t result;
-
-	/*
-	 * Seek to the beginning of the first transaction we are
-	 * interested in.
-	 */
-	CHECK(journal_seek(j, j->it.bpos.offset));
-	j->it.current_serial = j->it.bpos.serial;
-
-	j->it.xsize = 0;  /* We have no transaction data yet... */
-	j->it.xpos = 0;	  /* ...and haven't used any of it. */
-
-	return (read_one_rr(j));
-
- failure:
-	return (result);
-}
-
-static isc_result_t
-read_one_rr(dns_journal_t *j) {
-	isc_result_t result;
-
-	dns_rdatatype_t rdtype;
-	dns_rdataclass_t rdclass;
-	unsigned int rdlen;
-	isc_uint32_t ttl;
-	journal_xhdr_t xhdr;
-	journal_rrhdr_t rrhdr;
-
-	INSIST(j->offset <= j->it.epos.offset);
-	if (j->offset == j->it.epos.offset)
-		return (ISC_R_NOMORE);
-	if (j->it.xpos == j->it.xsize) {
-		/*
-		 * We are at a transaction boundary.
-		 * Read another transaction header.
-		 */
-		CHECK(journal_read_xhdr(j, &xhdr));
-		if (xhdr.size == 0) {
-			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				      "%s: journal corrupt: empty transaction",
-				      j->filename);
-			FAIL(ISC_R_UNEXPECTED);
-		}
-		if (xhdr.serial0 != j->it.current_serial) {
-			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-					 "%s: journal file corrupt: "
-					 "expected serial %u, got %u",
-					 j->filename,
-					 j->it.current_serial, xhdr.serial0);
-			FAIL(ISC_R_UNEXPECTED);
-		}
-		j->it.xsize = xhdr.size;
-		j->it.xpos = 0;
-	}
-	/*
-	 * Read an RR.
-	 */
-	CHECK(journal_read_rrhdr(j, &rrhdr));
-	/*
-	 * Perform a sanity check on the journal RR size.
-	 * The smallest possible RR has a 1-byte owner name
-	 * and a 10-byte header.  The largest possible
-	 * RR has 65535 bytes of data, a header, and a maximum-
-	 * size owner name, well below 70 k total.
-	 */
-	if (rrhdr.size < 1+10 || rrhdr.size > 70000) {
-		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: journal corrupt: impossible RR size "
-				 "(%d bytes)", j->filename, rrhdr.size);
-		FAIL(ISC_R_UNEXPECTED);
-	}
-
-	CHECK(size_buffer(j->mctx, &j->it.source, rrhdr.size));
-	CHECK(journal_read(j, j->it.source.base, rrhdr.size));
-	isc_buffer_add(&j->it.source, rrhdr.size);
-
-	/*
-	 * The target buffer is made the same size
-	 * as the source buffer, with the assumption that when
-	 * no compression in present, the output of dns_*_fromwire()
-	 * is no larger than the input.
-	 */
-	CHECK(size_buffer(j->mctx, &j->it.target, rrhdr.size));
-
-	/*
-	 * Parse the owner name.  We don't know where it
-	 * ends yet, so we make the entire "remaining"
-	 * part of the buffer "active".
-	 */
-	isc_buffer_setactive(&j->it.source,
-			     j->it.source.used - j->it.source.current);
-	CHECK(dns_name_fromwire(&j->it.name, &j->it.source,
-				&j->it.dctx, 0, &j->it.target));
-
-	/*
-	 * Check that the RR header is there, and parse it.
-	 */
-	if (isc_buffer_remaininglength(&j->it.source) < 10)
-		FAIL(DNS_R_FORMERR);
-
-	rdtype = isc_buffer_getuint16(&j->it.source);
-	rdclass = isc_buffer_getuint16(&j->it.source);
-	ttl = isc_buffer_getuint32(&j->it.source);
-	rdlen = isc_buffer_getuint16(&j->it.source);
-
-	/*
-	 * Parse the rdata.
-	 */
-	if (isc_buffer_remaininglength(&j->it.source) != rdlen)
-		FAIL(DNS_R_FORMERR);
-	isc_buffer_setactive(&j->it.source, rdlen);
-	dns_rdata_reset(&j->it.rdata);
-	CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass,
-				 rdtype, &j->it.source, &j->it.dctx,
-				 0, &j->it.target));
-	j->it.ttl = ttl;
-
-	j->it.xpos += sizeof(journal_rawrrhdr_t) + rrhdr.size;
-	if (rdtype == dns_rdatatype_soa) {
-		/* XXX could do additional consistency checks here */
-		j->it.current_serial = dns_soa_getserial(&j->it.rdata);
-	}
-
-	result = ISC_R_SUCCESS;
-
- failure:
-	j->it.result = result;
-	return (result);
-}
-
-isc_result_t
-dns_journal_next_rr(dns_journal_t *j) {
-	j->it.result = read_one_rr(j);
-	return (j->it.result);
-}
-
-void
-dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
-		   dns_rdata_t **rdata)
-{
-	REQUIRE(j->it.result == ISC_R_SUCCESS);
-	*name = &j->it.name;
-	*ttl = j->it.ttl;
-	*rdata = &j->it.rdata;
-}
-
-/**************************************************************************/
-/*
- * Generating diffs from databases
- */
-
-/*
- * Construct a diff containing all the RRs at the current name of the
- * database iterator 'dbit' in database 'db', version 'ver'.
- * Set '*name' to the current name, and append the diff to 'diff'.
- * All new tuples will have the operation 'op'.
- *
- * Requires: 'name' must have buffer large enough to hold the name.
- * Typically, a dns_fixedname_t would be used.
- */
-static isc_result_t
-get_name_diff(dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now,
-	      dns_dbiterator_t *dbit, dns_name_t *name, dns_diffop_t op,
-	      dns_diff_t *diff)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	dns_difftuple_t *tuple = NULL;
-
-	result = dns_dbiterator_current(dbit, &node, name);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_db_allrdatasets(db, node, ver, now, &rdsiter);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_node;
-
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter))
-	{
-		dns_rdataset_t rdataset;
-
-		dns_rdataset_init(&rdataset);
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-
-		for (result = dns_rdataset_first(&rdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset))
-		{
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-			dns_rdataset_current(&rdataset, &rdata);
-			result = dns_difftuple_create(diff->mctx, op, name,
-						      rdataset.ttl, &rdata,
-						      &tuple);
-			if (result != ISC_R_SUCCESS) {
-				dns_rdataset_disassociate(&rdataset);
-				goto cleanup_iterator;
-			}
-			dns_diff_append(diff, &tuple);
-		}
-		dns_rdataset_disassociate(&rdataset);
-		if (result != ISC_R_NOMORE)
-			goto cleanup_iterator;
-	}
-	if (result != ISC_R_NOMORE)
-		goto cleanup_iterator;
-
-	result = ISC_R_SUCCESS;
-
- cleanup_iterator:
-	dns_rdatasetiter_destroy(&rdsiter);
-
- cleanup_node:
-	dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-/*
- * Comparison function for use by dns_diff_subtract when sorting
- * the diffs to be subtracted.  The sort keys are the rdata type
- * and the rdata itself.  The owner name is ignored, because
- * it is known to be the same for all tuples.
- */
-static int
-rdata_order(const void *av, const void *bv) {
-	dns_difftuple_t const * const *ap = av;
-	dns_difftuple_t const * const *bp = bv;
-	dns_difftuple_t const *a = *ap;
-	dns_difftuple_t const *b = *bp;
-	int r;
-	r = (b->rdata.type - a->rdata.type);
-	if (r != 0)
-		return (r);
-	r = dns_rdata_compare(&a->rdata, &b->rdata);
-	return (r);
-}
-
-static isc_result_t
-dns_diff_subtract(dns_diff_t diff[2], dns_diff_t *r) {
-	isc_result_t result;
-	dns_difftuple_t *p[2];
-	int i, t;
-	isc_boolean_t append;
-
-	CHECK(dns_diff_sort(&diff[0], rdata_order));
-	CHECK(dns_diff_sort(&diff[1], rdata_order));
-
-	for (;;) {
-		p[0] = ISC_LIST_HEAD(diff[0].tuples);
-		p[1] = ISC_LIST_HEAD(diff[1].tuples);
-		if (p[0] == NULL && p[1] == NULL)
-			break;
-
-		for (i = 0; i < 2; i++)
-			if (p[!i] == NULL) {
-				ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
-				ISC_LIST_APPEND(r->tuples, p[i], link);
-				goto next;
-			}
-		t = rdata_order(&p[0], &p[1]);
-		if (t < 0) {
-			ISC_LIST_UNLINK(diff[0].tuples, p[0], link);
-			ISC_LIST_APPEND(r->tuples, p[0], link);
-			goto next;
-		}
-		if (t > 0) {
-			ISC_LIST_UNLINK(diff[1].tuples, p[1], link);
-			ISC_LIST_APPEND(r->tuples, p[1], link);
-			goto next;
-		}
-		INSIST(t == 0);
-		/*
-		 * Identical RRs in both databases; skip them both
-		 * if the ttl differs.
-		 */
-		append = ISC_TF(p[0]->ttl != p[1]->ttl);
-		for (i = 0; i < 2; i++) {
-			ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
-			if (append) {
-				ISC_LIST_APPEND(r->tuples, p[i], link);
-			} else {
-				dns_difftuple_free(&p[i]);
-			}
-		}
-	next: ;
-	}
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-static isc_result_t
-diff_namespace(dns_db_t *dba, dns_dbversion_t *dbvera,
-	       dns_db_t *dbb, dns_dbversion_t *dbverb,
-	       unsigned int options, dns_diff_t *resultdiff)
-{
-	dns_db_t *db[2];
-	dns_dbversion_t *ver[2];
-	dns_dbiterator_t *dbit[2] = { NULL, NULL };
-	isc_boolean_t have[2] = { ISC_FALSE, ISC_FALSE };
-	dns_fixedname_t fixname[2];
-	isc_result_t result, itresult[2];
-	dns_diff_t diff[2];
-	int i, t;
-
-	db[0] = dba, db[1] = dbb;
-	ver[0] = dbvera, ver[1] = dbverb;
-
-	dns_diff_init(resultdiff->mctx, &diff[0]);
-	dns_diff_init(resultdiff->mctx, &diff[1]);
-
-	dns_fixedname_init(&fixname[0]);
-	dns_fixedname_init(&fixname[1]);
-
-	result = dns_db_createiterator(db[0], options, &dbit[0]);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_db_createiterator(db[1], options, &dbit[1]);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_iterator;
-
-	itresult[0] = dns_dbiterator_first(dbit[0]);
-	itresult[1] = dns_dbiterator_first(dbit[1]);
-
-	for (;;) {
-		for (i = 0; i < 2; i++) {
-			if (! have[i] && itresult[i] == ISC_R_SUCCESS) {
-				CHECK(get_name_diff(db[i], ver[i], 0, dbit[i],
-					    dns_fixedname_name(&fixname[i]),
-					    i == 0 ?
-					    DNS_DIFFOP_ADD :
-					    DNS_DIFFOP_DEL,
-					    &diff[i]));
-				itresult[i] = dns_dbiterator_next(dbit[i]);
-				have[i] = ISC_TRUE;
-			}
-		}
-
-		if (! have[0] && ! have[1]) {
-			INSIST(ISC_LIST_EMPTY(diff[0].tuples));
-			INSIST(ISC_LIST_EMPTY(diff[1].tuples));
-			break;
-		}
-
-		for (i = 0; i < 2; i++) {
-			if (! have[!i]) {
-				ISC_LIST_APPENDLIST(resultdiff->tuples,
-						    diff[i].tuples, link);
-				INSIST(ISC_LIST_EMPTY(diff[i].tuples));
-				have[i] = ISC_FALSE;
-				goto next;
-			}
-		}
-
-		t = dns_name_compare(dns_fixedname_name(&fixname[0]),
-				     dns_fixedname_name(&fixname[1]));
-		if (t < 0) {
-			ISC_LIST_APPENDLIST(resultdiff->tuples,
-					    diff[0].tuples, link);
-			INSIST(ISC_LIST_EMPTY(diff[0].tuples));
-			have[0] = ISC_FALSE;
-			continue;
-		}
-		if (t > 0) {
-			ISC_LIST_APPENDLIST(resultdiff->tuples,
-					    diff[1].tuples, link);
-			INSIST(ISC_LIST_EMPTY(diff[1].tuples));
-			have[1] = ISC_FALSE;
-			continue;
-		}
-		INSIST(t == 0);
-		CHECK(dns_diff_subtract(diff, resultdiff));
-		INSIST(ISC_LIST_EMPTY(diff[0].tuples));
-		INSIST(ISC_LIST_EMPTY(diff[1].tuples));
-		have[0] = have[1] = ISC_FALSE;
-	next: ;
-	}
-	if (itresult[0] != ISC_R_NOMORE)
-		FAIL(itresult[0]);
-	if (itresult[1] != ISC_R_NOMORE)
-		FAIL(itresult[1]);
-
-	INSIST(ISC_LIST_EMPTY(diff[0].tuples));
-	INSIST(ISC_LIST_EMPTY(diff[1].tuples));
-
- failure:
-	dns_dbiterator_destroy(&dbit[1]);
-
- cleanup_iterator:
-	dns_dbiterator_destroy(&dbit[0]);
-	dns_diff_clear(&diff[0]);
-	dns_diff_clear(&diff[1]);
-	return (result);
-}
-
-/*
- * Compare the databases 'dba' and 'dbb' and generate a journal
- * entry containing the changes to make 'dba' from 'dbb' (note
- * the order).  This journal entry will consist of a single,
- * possibly very large transaction.
- */
-isc_result_t
-dns_db_diff(isc_mem_t *mctx, dns_db_t *dba, dns_dbversion_t *dbvera,
-	    dns_db_t *dbb, dns_dbversion_t *dbverb, const char *filename)
-{
-	isc_result_t result;
-	dns_diff_t diff;
-
-	dns_diff_init(mctx, &diff);
-
-	result = dns_db_diffx(&diff, dba, dbvera, dbb, dbverb, filename);
-
-	dns_diff_clear(&diff);
-
-	return (result);
-}
-
-isc_result_t
-dns_db_diffx(dns_diff_t *diff, dns_db_t *dba, dns_dbversion_t *dbvera,
-	     dns_db_t *dbb, dns_dbversion_t *dbverb, const char *filename)
-{
-	isc_result_t result;
-	dns_journal_t *journal = NULL;
-
-	if (filename != NULL) {
-		result = dns_journal_open(diff->mctx, filename,
-					  DNS_JOURNAL_CREATE, &journal);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	CHECK(diff_namespace(dba, dbvera, dbb, dbverb, DNS_DB_NONSEC3, diff));
-	CHECK(diff_namespace(dba, dbvera, dbb, dbverb, DNS_DB_NSEC3ONLY, diff));
-
-	if (journal != NULL) {
-		if (ISC_LIST_EMPTY(diff->tuples))
-			isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no changes");
-		else
-			CHECK(dns_journal_write_transaction(journal, diff));
-	}
-
- failure:
-	if (journal != NULL)
-		dns_journal_destroy(&journal);
-	return (result);
-}
-
-isc_result_t
-dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
-		    isc_uint32_t target_size)
-{
-	unsigned int i;
-	journal_pos_t best_guess;
-	journal_pos_t current_pos;
-	dns_journal_t *j = NULL;
-	dns_journal_t *new = NULL;
-	journal_rawheader_t rawheader;
-	unsigned int copy_length;
-	int namelen;
-	char *buf = NULL;
-	unsigned int size = 0;
-	isc_result_t result;
-	unsigned int indexend;
-	char newname[1024];
-	char backup[1024];
-	isc_boolean_t is_backup = ISC_FALSE;
-
-	namelen = strlen(filename);
-	if (namelen > 4 && strcmp(filename + namelen - 4, ".jnl") == 0)
-		namelen -= 4;
-
-	result = isc_string_printf(newname, sizeof(newname), "%.*s.jnw",
-				   namelen, filename);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = isc_string_printf(backup, sizeof(backup), "%.*s.jbk",
-				   namelen, filename);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = journal_open(mctx, filename, ISC_FALSE, ISC_FALSE, &j);
-	if (result == ISC_R_NOTFOUND) {
-		is_backup = ISC_TRUE;
-		result = journal_open(mctx, backup, ISC_FALSE, ISC_FALSE, &j);
-	}
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (JOURNAL_EMPTY(&j->header)) {
-		dns_journal_destroy(&j);
-		return (ISC_R_SUCCESS);
-	}
-
-	if (DNS_SERIAL_GT(j->header.begin.serial, serial) ||
-	    DNS_SERIAL_GT(serial, j->header.end.serial)) {
-		dns_journal_destroy(&j);
-		return (ISC_R_RANGE);
-	}
-
-	/*
-	 * Cope with very small target sizes.
-	 */
-	indexend = sizeof(journal_rawheader_t) +
-		   j->header.index_size * sizeof(journal_rawpos_t);
-	if (target_size < indexend * 2)
-		target_size = target_size/2 + indexend;
-
-	/*
-	 * See if there is any work to do.
-	 */
-	if ((isc_uint32_t) j->header.end.offset < target_size) {
-		dns_journal_destroy(&j);
-		return (ISC_R_SUCCESS);
-	}
-
-	CHECK(journal_open(mctx, newname, ISC_TRUE, ISC_TRUE, &new));
-
-	/*
-	 * Remove overhead so space test below can succeed.
-	 */
-	if (target_size >= indexend)
-		target_size -= indexend;
-
-	/*
-	 * Find if we can create enough free space.
-	 */
-	best_guess = j->header.begin;
-	for (i = 0; i < j->header.index_size; i++) {
-		if (POS_VALID(j->index[i]) &&
-		    DNS_SERIAL_GE(serial, j->index[i].serial) &&
-		    ((isc_uint32_t)(j->header.end.offset - j->index[i].offset)
-		     >= target_size / 2) &&
-		    j->index[i].offset > best_guess.offset)
-			best_guess = j->index[i];
-	}
-
-	current_pos = best_guess;
-	while (current_pos.serial != serial) {
-		CHECK(journal_next(j, &current_pos));
-		if (current_pos.serial == j->header.end.serial)
-			break;
-
-		if (DNS_SERIAL_GE(serial, current_pos.serial) &&
-		   ((isc_uint32_t)(j->header.end.offset - current_pos.offset)
-		     >= (target_size / 2)) &&
-		    current_pos.offset > best_guess.offset)
-			best_guess = current_pos;
-		else
-			break;
-	}
-
-	INSIST(best_guess.serial != j->header.end.serial);
-	if (best_guess.serial != serial)
-		CHECK(journal_next(j, &best_guess));
-
-	/*
-	 * We should now be roughly half target_size provided
-	 * we did not reach 'serial'.  If not we will just copy
-	 * all uncommitted deltas regardless of the size.
-	 */
-	copy_length = j->header.end.offset - best_guess.offset;
-
-	if (copy_length != 0) {
-		/*
-		 * Copy best_guess to end into space just freed.
-		 */
-		size = 64*1024;
-		if (copy_length < size)
-			size = copy_length;
-		buf = isc_mem_get(mctx, size);
-		if (buf == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto failure;
-		}
-
-		CHECK(journal_seek(j, best_guess.offset));
-		CHECK(journal_seek(new, indexend));
-		for (i = 0; i < copy_length; i += size) {
-			unsigned int len = (copy_length - i) > size ? size :
-							 (copy_length - i);
-			CHECK(journal_read(j, buf, len));
-			CHECK(journal_write(new, buf, len));
-		}
-
-		CHECK(journal_fsync(new));
-
-		/*
-		 * Compute new header.
-		 */
-		new->header.begin.serial = best_guess.serial;
-		new->header.begin.offset = indexend;
-		new->header.end.serial = j->header.end.serial;
-		new->header.end.offset = indexend + copy_length;
-		new->header.sourceserial = j->header.sourceserial;
-		new->header.serialset = j->header.serialset;
-
-		/*
-		 * Update the journal header.
-		 */
-		journal_header_encode(&new->header, &rawheader);
-		CHECK(journal_seek(new, 0));
-		CHECK(journal_write(new, &rawheader, sizeof(rawheader)));
-		CHECK(journal_fsync(new));
-
-		/*
-		 * Build new index.
-		 */
-		current_pos = new->header.begin;
-		while (current_pos.serial != new->header.end.serial) {
-			index_add(new, &current_pos);
-			CHECK(journal_next(new, &current_pos));
-		}
-
-		/*
-		 * Write index.
-		 */
-		CHECK(index_to_disk(new));
-		CHECK(journal_fsync(new));
-
-		indexend = new->header.end.offset;
-		POST(indexend);
-	}
-
-	/*
-	 * Close both journals before trying to rename files (this is
-	 * necessary on WIN32).
-	 */
-	dns_journal_destroy(&j);
-	dns_journal_destroy(&new);
-
-	/*
-	 * With a UFS file system this should just succeed and be atomic.
-	 * Any IXFR outs will just continue and the old journal will be
-	 * removed on final close.
-	 *
-	 * With MSDOS / NTFS we need to do a two stage rename, triggered
-	 * by EEXIST.  (If any IXFR's are running in other threads, however,
-	 * this will fail, and the journal will not be compacted.  But
-	 * if so, hopefully they'll be finished by the next time we
-	 * compact.)
-	 */
-	if (rename(newname, filename) == -1) {
-		if (errno == EEXIST && !is_backup) {
-			result = isc_file_remove(backup);
-			if (result != ISC_R_SUCCESS &&
-			    result != ISC_R_FILENOTFOUND)
-				goto failure;
-			if (rename(filename, backup) == -1)
-				goto maperrno;
-			if (rename(newname, filename) == -1)
-				goto maperrno;
-			(void)isc_file_remove(backup);
-		} else {
- maperrno:
-			result = ISC_R_FAILURE;
-			goto failure;
-		}
-	}
-
-	result = ISC_R_SUCCESS;
-
- failure:
-	(void)isc_file_remove(newname);
-	if (buf != NULL)
-		isc_mem_put(mctx, buf, size);
-	if (j != NULL)
-		dns_journal_destroy(&j);
-	if (new != NULL)
-		dns_journal_destroy(&new);
-	return (result);
-}
-
-static isc_result_t
-index_to_disk(dns_journal_t *j) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	if (j->header.index_size != 0) {
-		unsigned int i;
-		unsigned char *p;
-		unsigned int rawbytes;
-
-		rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
-
-		p = j->rawindex;
-		for (i = 0; i < j->header.index_size; i++) {
-			encode_uint32(j->index[i].serial, p);
-			p += 4;
-			encode_uint32(j->index[i].offset, p);
-			p += 4;
-		}
-		INSIST(p == j->rawindex + rawbytes);
-
-		CHECK(journal_seek(j, sizeof(journal_rawheader_t)));
-		CHECK(journal_write(j, j->rawindex, rawbytes));
-	}
-failure:
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/key.c b/contrib/bind9/lib/dns/key.c
deleted file mode 100644
index ccac157..0000000
--- a/contrib/bind9/lib/dns/key.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: key.c,v 1.11 2011/10/20 21:20:02 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <isc/region.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-
-#include <dst/dst.h>
-
-#include "dst_internal.h"
-
-isc_uint16_t
-dst_region_computeid(const isc_region_t *source, unsigned int alg) {
-	isc_uint32_t ac;
-	const unsigned char *p;
-	int size;
-
-	REQUIRE(source != NULL);
-	REQUIRE(source->length >= 4);
-
-	p = source->base;
-	size = source->length;
-
-	if (alg == DST_ALG_RSAMD5)
-		return ((p[size - 3] << 8) + p[size - 2]);
-
-	for (ac = 0; size > 1; size -= 2, p += 2)
-		ac += ((*p) << 8) + *(p + 1);
-
-	if (size > 0)
-		ac += ((*p) << 8);
-	ac += (ac >> 16) & 0xffff;
-
-	return ((isc_uint16_t)(ac & 0xffff));
-}
-
-isc_uint16_t
-dst_region_computerid(const isc_region_t *source, unsigned int alg) {
-	isc_uint32_t ac;
-	const unsigned char *p;
-	int size;
-
-	REQUIRE(source != NULL);
-	REQUIRE(source->length >= 4);
-
-	p = source->base;
-	size = source->length;
-
-	if (alg == DST_ALG_RSAMD5)
-		return ((p[size - 3] << 8) + p[size - 2]);
-
-	ac = ((*p) << 8) + *(p + 1);
-	ac |= DNS_KEYFLAG_REVOKE;
-	for (size -= 2, p +=2; size > 1; size -= 2, p += 2)
-		ac += ((*p) << 8) + *(p + 1);
-
-	if (size > 0)
-		ac += ((*p) << 8);
-	ac += (ac >> 16) & 0xffff;
-
-	return ((isc_uint16_t)(ac & 0xffff));
-}
-
-dns_name_t *
-dst_key_name(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_name);
-}
-
-unsigned int
-dst_key_size(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_size);
-}
-
-unsigned int
-dst_key_proto(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_proto);
-}
-
-unsigned int
-dst_key_alg(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_alg);
-}
-
-isc_uint32_t
-dst_key_flags(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_flags);
-}
-
-dns_keytag_t
-dst_key_id(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_id);
-}
-
-dns_keytag_t
-dst_key_rid(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_rid);
-}
-
-dns_rdataclass_t
-dst_key_class(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_class);
-}
-
-isc_boolean_t
-dst_key_iszonekey(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-
-	if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0)
-		return (ISC_FALSE);
-	if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
-		return (ISC_FALSE);
-	if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
-	    key->key_proto != DNS_KEYPROTO_ANY)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-isc_boolean_t
-dst_key_isnullkey(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-
-	if ((key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
-		return (ISC_FALSE);
-	if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
-		return (ISC_FALSE);
-	if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
-	    key->key_proto != DNS_KEYPROTO_ANY)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-void
-dst_key_setbits(dst_key_t *key, isc_uint16_t bits) {
-	unsigned int maxbits;
-	REQUIRE(VALID_KEY(key));
-	if (bits != 0) {
-		RUNTIME_CHECK(dst_key_sigsize(key, &maxbits) == ISC_R_SUCCESS);
-		maxbits *= 8;
-		REQUIRE(bits <= maxbits);
-	}
-	key->key_bits = bits;
-}
-
-isc_uint16_t
-dst_key_getbits(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_bits);
-}
-
-void
-dst_key_setttl(dst_key_t *key, dns_ttl_t ttl) {
-	REQUIRE(VALID_KEY(key));
-	key->key_ttl = ttl;
-}
-
-dns_ttl_t
-dst_key_getttl(const dst_key_t *key) {
-	REQUIRE(VALID_KEY(key));
-	return (key->key_ttl);
-}
-
-/*! \file */
diff --git a/contrib/bind9/lib/dns/keydata.c b/contrib/bind9/lib/dns/keydata.c
deleted file mode 100644
index 822bd46..0000000
--- a/contrib/bind9/lib/dns/keydata.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keydata.c,v 1.3 2009/07/01 23:47:36 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/keydata.h>
-
-isc_result_t
-dns_keydata_todnskey(dns_rdata_keydata_t *keydata,
-		     dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
-{
-	REQUIRE(keydata != NULL && dnskey != NULL);
-
-	dnskey->common.rdtype = dns_rdatatype_dnskey;
-	dnskey->common.rdclass = keydata->common.rdclass;
-	dnskey->mctx = mctx;
-	dnskey->flags = keydata->flags;
-	dnskey->protocol = keydata->protocol;
-	dnskey->algorithm = keydata->algorithm;
-
-	dnskey->datalen = keydata->datalen;
-
-	if (mctx == NULL)
-		dnskey->data = keydata->data;
-	else {
-		dnskey->data = isc_mem_allocate(mctx, dnskey->datalen);
-		if (dnskey->data == NULL)
-			return (ISC_R_NOMEMORY);
-		memcpy(dnskey->data, keydata->data, dnskey->datalen);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_keydata_fromdnskey(dns_rdata_keydata_t *keydata,
-		       dns_rdata_dnskey_t *dnskey,
-		       isc_uint32_t refresh, isc_uint32_t addhd,
-		       isc_uint32_t removehd, isc_mem_t *mctx)
-{
-	REQUIRE(keydata != NULL && dnskey != NULL);
-
-	keydata->common.rdtype = dns_rdatatype_keydata;
-	keydata->common.rdclass = dnskey->common.rdclass;
-	keydata->mctx = mctx;
-	keydata->refresh = refresh;
-	keydata->addhd = addhd;
-	keydata->removehd = removehd;
-	keydata->flags = dnskey->flags;
-	keydata->protocol = dnskey->protocol;
-	keydata->algorithm = dnskey->algorithm;
-
-	keydata->datalen = dnskey->datalen;
-	if (mctx == NULL)
-		keydata->data = dnskey->data;
-	else {
-		keydata->data = isc_mem_allocate(mctx, keydata->datalen);
-		if (keydata->data == NULL)
-			return (ISC_R_NOMEMORY);
-		memcpy(keydata->data, dnskey->data, keydata->datalen);
-	}
-
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/keytable.c b/contrib/bind9/lib/dns/keytable.c
deleted file mode 100644
index c49847f..0000000
--- a/contrib/bind9/lib/dns/keytable.c
+++ /dev/null
@@ -1,674 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keytable.c,v 1.41 2010/06/25 23:46:51 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/rwlock.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/keytable.h>
-#include <dns/fixedname.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-
-static void
-free_keynode(void *node, void *arg) {
-	dns_keynode_t *keynode = node;
-	isc_mem_t *mctx = arg;
-
-	dns_keynode_detachall(mctx, &keynode);
-}
-
-isc_result_t
-dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
-	dns_keytable_t *keytable;
-	isc_result_t result;
-
-	/*
-	 * Create a keytable.
-	 */
-
-	REQUIRE(keytablep != NULL && *keytablep == NULL);
-
-	keytable = isc_mem_get(mctx, sizeof(*keytable));
-	if (keytable == NULL)
-		return (ISC_R_NOMEMORY);
-
-	keytable->table = NULL;
-	result = dns_rbt_create(mctx, free_keynode, mctx, &keytable->table);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_keytable;
-
-	result = isc_mutex_init(&keytable->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_rbt;
-
-	result = isc_rwlock_init(&keytable->rwlock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-
-	keytable->mctx = NULL;
-	isc_mem_attach(mctx, &keytable->mctx);
-	keytable->active_nodes = 0;
-	keytable->references = 1;
-	keytable->magic = KEYTABLE_MAGIC;
-	*keytablep = keytable;
-
-	return (ISC_R_SUCCESS);
-
-   cleanup_lock:
-	DESTROYLOCK(&keytable->lock);
-
-   cleanup_rbt:
-	dns_rbt_destroy(&keytable->table);
-
-   cleanup_keytable:
-	isc_mem_putanddetach(&mctx, keytable, sizeof(*keytable));
-
-	return (result);
-}
-
-void
-dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp) {
-
-	/*
-	 * Attach *targetp to source.
-	 */
-
-	REQUIRE(VALID_KEYTABLE(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	RWLOCK(&source->rwlock, isc_rwlocktype_write);
-
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references != 0);
-
-	RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
-
-	*targetp = source;
-}
-
-void
-dns_keytable_detach(dns_keytable_t **keytablep) {
-	isc_boolean_t destroy = ISC_FALSE;
-	dns_keytable_t *keytable;
-
-	/*
-	 * Detach *keytablep from its keytable.
-	 */
-
-	REQUIRE(keytablep != NULL && VALID_KEYTABLE(*keytablep));
-
-	keytable = *keytablep;
-
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
-	INSIST(keytable->references > 0);
-	keytable->references--;
-	LOCK(&keytable->lock);
-	if (keytable->references == 0 && keytable->active_nodes == 0)
-		destroy = ISC_TRUE;
-	UNLOCK(&keytable->lock);
-
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
-	if (destroy) {
-		dns_rbt_destroy(&keytable->table);
-		isc_rwlock_destroy(&keytable->rwlock);
-		DESTROYLOCK(&keytable->lock);
-		keytable->magic = 0;
-		isc_mem_putanddetach(&keytable->mctx,
-				     keytable, sizeof(*keytable));
-	}
-
-	*keytablep = NULL;
-}
-
-static isc_result_t
-insert(dns_keytable_t *keytable, isc_boolean_t managed,
-       dns_name_t *keyname, dst_key_t **keyp)
-{
-	isc_result_t result;
-	dns_keynode_t *knode = NULL;
-	dns_rbtnode_t *node;
-
-	REQUIRE(keyp == NULL || *keyp != NULL);
-	REQUIRE(VALID_KEYTABLE(keytable));
-
-	result = dns_keynode_create(keytable->mctx, &knode);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	knode->managed = managed;
-
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
-	node = NULL;
-	result = dns_rbt_addnode(keytable->table, keyname, &node);
-
-	if (keyp != NULL) {
-		if (result == ISC_R_EXISTS) {
-			/* Key already in table? */
-			dns_keynode_t *k;
-			for (k = node->data; k != NULL; k = k->next) {
-				if (k->key == NULL) {
-					k->key = *keyp;
-					break;
-				}
-				if (dst_key_compare(k->key, *keyp) == ISC_TRUE)
-					break;
-			}
-
-			if (k == NULL)
-				result = ISC_R_SUCCESS;
-			else
-				dst_key_free(keyp);
-		}
-
-		if (result == ISC_R_SUCCESS) {
-			knode->key = *keyp;
-			knode->next = node->data;
-			*keyp = NULL;
-		}
-	}
-
-	if (result == ISC_R_SUCCESS) {
-		node->data = knode;
-		knode = NULL;
-	}
-
-	/* Key was already there?  That's the same as a success */
-	if (result == ISC_R_EXISTS)
-		result = ISC_R_SUCCESS;
-
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
-	if (knode != NULL)
-		dns_keynode_detach(keytable->mctx, &knode);
-
-	return (result);
-}
-
-isc_result_t
-dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
-		 dst_key_t **keyp)
-{
-	REQUIRE(keyp != NULL && *keyp != NULL);
-	return (insert(keytable, managed, dst_key_name(*keyp), keyp));
-}
-
-isc_result_t
-dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name) {
-	return (insert(keytable, ISC_TRUE, name, NULL));
-}
-
-isc_result_t
-dns_keytable_delete(dns_keytable_t *keytable, dns_name_t *keyname) {
-	isc_result_t result;
-	dns_rbtnode_t *node = NULL;
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(keyname != NULL);
-
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
-	result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
-				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
-	if (result == ISC_R_SUCCESS) {
-		if (node->data != NULL)
-			result = dns_rbt_deletenode(keytable->table,
-						    node, ISC_FALSE);
-		else
-			result = ISC_R_NOTFOUND;
-	} else if (result == DNS_R_PARTIALMATCH)
-		result = ISC_R_NOTFOUND;
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
-	return (result);
-}
-
-isc_result_t
-dns_keytable_deletekeynode(dns_keytable_t *keytable, dst_key_t *dstkey) {
-	isc_result_t result;
-	dns_name_t *keyname;
-	dns_rbtnode_t *node = NULL;
-	dns_keynode_t *knode = NULL, **kprev = NULL;
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(dstkey != NULL);
-
-	keyname = dst_key_name(dstkey);
-
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
-	result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
-				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
-
-	if (result == DNS_R_PARTIALMATCH)
-		result = ISC_R_NOTFOUND;
-	if (result != ISC_R_SUCCESS)
-		goto finish;
-
-	if (node->data == NULL) {
-		result = ISC_R_NOTFOUND;
-		goto finish;
-	}
-
-	knode = node->data;
-	if (knode->next == NULL &&
-	    (knode->key == NULL ||
-	     dst_key_compare(knode->key, dstkey) == ISC_TRUE)) {
-		result = dns_rbt_deletenode(keytable->table, node, ISC_FALSE);
-		goto finish;
-	}
-
-	kprev = (dns_keynode_t **) &node->data;
-	while (knode != NULL) {
-		if (dst_key_compare(knode->key, dstkey) == ISC_TRUE)
-			break;
-		kprev = &knode->next;
-		knode = knode->next;
-	}
-
-	if (knode != NULL) {
-		if (knode->key != NULL)
-			dst_key_free(&knode->key);
-		/*
-		 * This is equivalent to:
-		 * dns_keynode_attach(knode->next, &tmp);
-		 * dns_keynode_detach(kprev);
-		 * dns_keynode_attach(tmp, &kprev);
-		 * dns_keynode_detach(&tmp);
-		 */
-		*kprev = knode->next;
-		knode->next = NULL;
-		dns_keynode_detach(keytable->mctx, &knode);
-	} else
-		result = DNS_R_PARTIALMATCH;
-  finish:
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
-	return (result);
-}
-
-isc_result_t
-dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
-		  dns_keynode_t **keynodep)
-{
-	isc_result_t result;
-	dns_rbtnode_t *node = NULL;
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(keyname != NULL);
-	REQUIRE(keynodep != NULL && *keynodep == NULL);
-
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
-	result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
-				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
-	if (result == ISC_R_SUCCESS) {
-		if (node->data != NULL) {
-			LOCK(&keytable->lock);
-			keytable->active_nodes++;
-			UNLOCK(&keytable->lock);
-			dns_keynode_attach(node->data, keynodep);
-		} else
-			result = ISC_R_NOTFOUND;
-	} else if (result == DNS_R_PARTIALMATCH)
-		result = ISC_R_NOTFOUND;
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
-	return (result);
-}
-
-isc_result_t
-dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
-			 dns_keynode_t **nextnodep)
-{
-	/*
-	 * Return the next key after 'keynode', regardless of
-	 * properties.
-	 */
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(VALID_KEYNODE(keynode));
-	REQUIRE(nextnodep != NULL && *nextnodep == NULL);
-
-	if (keynode->next == NULL)
-		return (ISC_R_NOTFOUND);
-
-	dns_keynode_attach(keynode->next, nextnodep);
-	LOCK(&keytable->lock);
-	keytable->active_nodes++;
-	UNLOCK(&keytable->lock);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
-			 dns_secalg_t algorithm, dns_keytag_t tag,
-			 dns_keynode_t **keynodep)
-{
-	isc_result_t result;
-	dns_keynode_t *knode;
-	void *data;
-
-	/*
-	 * Search for a key named 'name', matching 'algorithm' and 'tag' in
-	 * 'keytable'.
-	 */
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(keynodep != NULL && *keynodep == NULL);
-
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
-	/*
-	 * Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
-	 * as that indicates that 'name' was not found.
-	 *
-	 * DNS_R_PARTIALMATCH indicates that the name was found but we
-	 * didn't get a match on algorithm and key id arguments.
-	 */
-	knode = NULL;
-	data = NULL;
-	result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
-
-	if (result == ISC_R_SUCCESS) {
-		INSIST(data != NULL);
-		for (knode = data; knode != NULL; knode = knode->next) {
-			if (knode->key == NULL) {
-				knode = NULL;
-				break;
-			}
-			if (algorithm == dst_key_alg(knode->key)
-			    && tag == dst_key_id(knode->key))
-				break;
-		}
-		if (knode != NULL) {
-			LOCK(&keytable->lock);
-			keytable->active_nodes++;
-			UNLOCK(&keytable->lock);
-			dns_keynode_attach(knode, keynodep);
-		} else
-			result = DNS_R_PARTIALMATCH;
-	} else if (result == DNS_R_PARTIALMATCH)
-		result = ISC_R_NOTFOUND;
-
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
-	return (result);
-}
-
-isc_result_t
-dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
-			     dns_keynode_t **nextnodep)
-{
-	isc_result_t result;
-	dns_keynode_t *knode;
-
-	/*
-	 * Search for the next key with the same properties as 'keynode' in
-	 * 'keytable'.
-	 */
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(VALID_KEYNODE(keynode));
-	REQUIRE(nextnodep != NULL && *nextnodep == NULL);
-
-	for (knode = keynode->next; knode != NULL; knode = knode->next) {
-		if (knode->key == NULL) {
-			knode = NULL;
-			break;
-		}
-		if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
-		    dst_key_id(keynode->key) == dst_key_id(knode->key))
-			break;
-	}
-	if (knode != NULL) {
-		LOCK(&keytable->lock);
-		keytable->active_nodes++;
-		UNLOCK(&keytable->lock);
-		result = ISC_R_SUCCESS;
-		dns_keynode_attach(knode, nextnodep);
-	} else
-		result = ISC_R_NOTFOUND;
-
-	return (result);
-}
-
-isc_result_t
-dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
-			      dns_name_t *foundname)
-{
-	isc_result_t result;
-	void *data;
-
-	/*
-	 * Search for the deepest match in 'keytable'.
-	 */
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(foundname != NULL);
-
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
-	data = NULL;
-	result = dns_rbt_findname(keytable->table, name, 0, foundname, &data);
-
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-		result = ISC_R_SUCCESS;
-
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
-	return (result);
-}
-
-void
-dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
-			   dns_keynode_t **target)
-{
-	/*
-	 * Give back a keynode found via dns_keytable_findkeynode().
-	 */
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(VALID_KEYNODE(source));
-	REQUIRE(target != NULL && *target == NULL);
-
-	LOCK(&keytable->lock);
-	keytable->active_nodes++;
-	UNLOCK(&keytable->lock);
-
-	dns_keynode_attach(source, target);
-}
-
-void
-dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
-{
-	/*
-	 * Give back a keynode found via dns_keytable_findkeynode().
-	 */
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(keynodep != NULL && VALID_KEYNODE(*keynodep));
-
-	LOCK(&keytable->lock);
-	INSIST(keytable->active_nodes > 0);
-	keytable->active_nodes--;
-	UNLOCK(&keytable->lock);
-
-	dns_keynode_detach(keytable->mctx, keynodep);
-}
-
-isc_result_t
-dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
-			    isc_boolean_t *wantdnssecp)
-{
-	isc_result_t result;
-	void *data;
-
-	/*
-	 * Is 'name' at or beneath a trusted key?
-	 */
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(wantdnssecp != NULL);
-
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
-	data = NULL;
-	result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
-
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-		INSIST(data != NULL);
-		*wantdnssecp = ISC_TRUE;
-		result = ISC_R_SUCCESS;
-	} else if (result == ISC_R_NOTFOUND) {
-		*wantdnssecp = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-	}
-
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
-	return (result);
-}
-
-isc_result_t
-dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
-{
-	isc_result_t result;
-	dns_keynode_t *knode;
-	dns_rbtnode_t *node;
-	dns_rbtnodechain_t chain;
-
-	REQUIRE(VALID_KEYTABLE(keytable));
-
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
-	dns_rbtnodechain_init(&chain, keytable->mctx);
-	result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
-	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
-		goto cleanup;
-	for (;;) {
-		char pbuf[DST_KEY_FORMATSIZE];
-
-		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
-		for (knode = node->data; knode != NULL; knode = knode->next) {
-			dst_key_format(knode->key, pbuf, sizeof(pbuf));
-			fprintf(fp, "%s ; %s\n", pbuf,
-				knode->managed ? "managed" : "trusted");
-		}
-		result = dns_rbtnodechain_next(&chain, NULL, NULL);
-		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-			if (result == ISC_R_NOMORE)
-				result = ISC_R_SUCCESS;
-			break;
-		}
-	}
-
-   cleanup:
-	dns_rbtnodechain_invalidate(&chain);
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
-	return (result);
-}
-
-dst_key_t *
-dns_keynode_key(dns_keynode_t *keynode) {
-
-	/*
-	 * Get the DST key associated with keynode.
-	 */
-
-	REQUIRE(VALID_KEYNODE(keynode));
-
-	return (keynode->key);
-}
-
-isc_boolean_t
-dns_keynode_managed(dns_keynode_t *keynode) {
-	/*
-	 * Is this a managed key?
-	 */
-	REQUIRE(VALID_KEYNODE(keynode));
-
-	return (keynode->managed);
-}
-
-isc_result_t
-dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
-	isc_result_t result;
-	dns_keynode_t *knode = NULL;
-
-	REQUIRE(target != NULL && *target == NULL);
-
-	knode = isc_mem_get(mctx, sizeof(dns_keynode_t));
-	if (knode == NULL)
-		return (ISC_R_NOMEMORY);
-
-	knode->magic = KEYNODE_MAGIC;
-	knode->managed = ISC_FALSE;
-	knode->key = NULL;
-	knode->next = NULL;
-
-	result = isc_refcount_init(&knode->refcount, 1);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	*target = knode;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target) {
-	REQUIRE(VALID_KEYNODE(source));
-	isc_refcount_increment(&source->refcount, NULL);
-	*target = source;
-}
-
-void
-dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **keynode) {
-	unsigned int refs;
-	dns_keynode_t *node = *keynode;
-	REQUIRE(VALID_KEYNODE(node));
-	isc_refcount_decrement(&node->refcount, &refs);
-	if (refs == 0) {
-		if (node->key != NULL)
-			dst_key_free(&node->key);
-		isc_refcount_destroy(&node->refcount);
-		isc_mem_put(mctx, node, sizeof(dns_keynode_t));
-	}
-	*keynode = NULL;
-}
-
-void
-dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **keynode) {
-	dns_keynode_t *next = NULL, *node = *keynode;
-	REQUIRE(VALID_KEYNODE(node));
-	while (node != NULL) {
-		next = node->next;
-		dns_keynode_detach(mctx, &node);
-		node = next;
-	}
-	*keynode = NULL;
-}
diff --git a/contrib/bind9/lib/dns/lib.c b/contrib/bind9/lib/dns/lib.c
deleted file mode 100644
index df16fa2..0000000
--- a/contrib/bind9/lib/dns/lib.c
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/msgcat.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/ecdb.h>
-#include <dns/lib.h>
-#include <dns/result.h>
-
-#include <dst/dst.h>
-
-
-/***
- *** Globals
- ***/
-
-LIBDNS_EXTERNAL_DATA unsigned int			dns_pps = 0U;
-LIBDNS_EXTERNAL_DATA isc_msgcat_t *			dns_msgcat = NULL;
-
-
-/***
- *** Private
- ***/
-
-static isc_once_t		msgcat_once = ISC_ONCE_INIT;
-
-
-/***
- *** Functions
- ***/
-
-static void
-open_msgcat(void) {
-	isc_msgcat_open("libdns.cat", &dns_msgcat);
-}
-
-void
-dns_lib_initmsgcat(void) {
-
-	/*
-	 * Initialize the DNS library's message catalog, dns_msgcat, if it
-	 * has not already been initialized.
-	 */
-
-	RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
-}
-
-static isc_once_t init_once = ISC_ONCE_INIT;
-static isc_mem_t *dns_g_mctx = NULL;
-#ifndef BIND9
-static dns_dbimplementation_t *dbimp = NULL;
-#endif
-static isc_boolean_t initialize_done = ISC_FALSE;
-static isc_mutex_t reflock;
-static unsigned int references = 0;
-
-static void
-initialize(void) {
-	isc_result_t result;
-
-	REQUIRE(initialize_done == ISC_FALSE);
-
-	result = isc_mem_create(0, 0, &dns_g_mctx);
-	if (result != ISC_R_SUCCESS)
-		return;
-	dns_result_register();
-#ifndef BIND9
-	result = dns_ecdb_register(dns_g_mctx, &dbimp);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mctx;
-#endif
-	result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_db;
-
-	result = dst_lib_init(dns_g_mctx, NULL, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_hash;
-
-	result = isc_mutex_init(&reflock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_dst;
-
-	initialize_done = ISC_TRUE;
-	return;
-
-  cleanup_dst:
-	dst_lib_destroy();
-  cleanup_hash:
-	isc_hash_destroy();
-  cleanup_db:
-#ifndef BIND9
-	dns_ecdb_unregister(&dbimp);
-  cleanup_mctx:
-#endif
-	isc_mem_detach(&dns_g_mctx);
-}
-
-isc_result_t
-dns_lib_init(void) {
-	isc_result_t result;
-
-	/*
-	 * Since this routine is expected to be used by a normal application,
-	 * it should be better to return an error, instead of an emergency
-	 * abort, on any failure.
-	 */
-	result = isc_once_do(&init_once, initialize);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (!initialize_done)
-		return (ISC_R_FAILURE);
-
-	LOCK(&reflock);
-	references++;
-	UNLOCK(&reflock);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_lib_shutdown(void) {
-	isc_boolean_t cleanup_ok = ISC_FALSE;
-
-	LOCK(&reflock);
-	if (--references == 0)
-		cleanup_ok = ISC_TRUE;
-	UNLOCK(&reflock);
-
-	if (!cleanup_ok)
-		return;
-
-	dst_lib_destroy();
-	isc_hash_destroy();
-#ifndef BIND9
-	dns_ecdb_unregister(&dbimp);
-#endif
-	isc_mem_detach(&dns_g_mctx);
-}
diff --git a/contrib/bind9/lib/dns/log.c b/contrib/bind9/lib/dns/log.c
deleted file mode 100644
index c4d644e..0000000
--- a/contrib/bind9/lib/dns/log.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.c,v 1.49 2011/10/13 22:48:24 tbox Exp $ */
-
-/*! \file */
-
-/* Principal Authors: DCL */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <dns/log.h>
-
-/*%
- * When adding a new category, be sure to add the appropriate
- * \#define to <dns/log.h>.
- */
-LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
-	{ "notify", 	0 },
-	{ "database", 	0 },
-	{ "security", 	0 },
-	{ "_placeholder", 0 },
-	{ "dnssec",	0 },
-	{ "resolver",	0 },
-	{ "xfer-in",	0 },
-	{ "xfer-out",	0 },
-	{ "dispatch",	0 },
-	{ "lame-servers", 0 },
-	{ "delegation-only", 0 },
-	{ "edns-disabled", 0 },
-	{ "rpz",	0 },
-	{ NULL, 	0 }
-};
-
-/*%
- * When adding a new module, be sure to add the appropriate
- * \#define to <dns/log.h>.
- */
-LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
-	{ "dns/db",	 	0 },
-	{ "dns/rbtdb", 		0 },
-	{ "dns/rbtdb64", 	0 },
-	{ "dns/rbt", 		0 },
-	{ "dns/rdata", 		0 },
-	{ "dns/master", 	0 },
-	{ "dns/message", 	0 },
-	{ "dns/cache", 		0 },
-	{ "dns/config",		0 },
-	{ "dns/resolver",	0 },
-	{ "dns/zone",		0 },
-	{ "dns/journal",	0 },
-	{ "dns/adb",		0 },
-	{ "dns/xfrin",		0 },
-	{ "dns/xfrout",		0 },
-	{ "dns/acl",		0 },
-	{ "dns/validator",	0 },
-	{ "dns/dispatch",	0 },
-	{ "dns/request",	0 },
-	{ "dns/masterdump",	0 },
-	{ "dns/tsig",		0 },
-	{ "dns/tkey",		0 },
-	{ "dns/sdb",		0 },
-	{ "dns/diff",		0 },
-	{ "dns/hints",		0 },
-	{ "dns/acache",		0 },
-	{ "dns/dlz",		0 },
-	{ "dns/dnssec",		0 },
-	{ "dns/crypto",		0 },
-	{ NULL, 		0 }
-};
-
-LIBDNS_EXTERNAL_DATA isc_log_t *dns_lctx = NULL;
-
-void
-dns_log_init(isc_log_t *lctx) {
-	REQUIRE(lctx != NULL);
-
-	isc_log_registercategories(lctx, dns_categories);
-	isc_log_registermodules(lctx, dns_modules);
-}
-
-void
-dns_log_setcontext(isc_log_t *lctx) {
-	dns_lctx = lctx;
-}
diff --git a/contrib/bind9/lib/dns/lookup.c b/contrib/bind9/lib/dns/lookup.c
deleted file mode 100644
index 9387a95..0000000
--- a/contrib/bind9/lib/dns/lookup.c
+++ /dev/null
@@ -1,498 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lookup.c,v 1.21 2007/06/18 23:47:40 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/lookup.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-struct dns_lookup {
-	/* Unlocked. */
-	unsigned int		magic;
-	isc_mem_t *		mctx;
-	isc_mutex_t		lock;
-	dns_rdatatype_t		type;
-	dns_fixedname_t		name;
-	/* Locked by lock. */
-	unsigned int		options;
-	isc_task_t *		task;
-	dns_view_t *		view;
-	dns_lookupevent_t *	event;
-	dns_fetch_t *		fetch;
-	unsigned int		restarts;
-	isc_boolean_t		canceled;
-	dns_rdataset_t		rdataset;
-	dns_rdataset_t		sigrdataset;
-};
-
-#define LOOKUP_MAGIC			ISC_MAGIC('l', 'o', 'o', 'k')
-#define VALID_LOOKUP(l)			ISC_MAGIC_VALID((l), LOOKUP_MAGIC)
-
-#define MAX_RESTARTS 16
-
-static void lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event);
-
-static void
-fetch_done(isc_task_t *task, isc_event_t *event) {
-	dns_lookup_t *lookup = event->ev_arg;
-	dns_fetchevent_t *fevent;
-
-	UNUSED(task);
-	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
-	REQUIRE(VALID_LOOKUP(lookup));
-	REQUIRE(lookup->task == task);
-	fevent = (dns_fetchevent_t *)event;
-	REQUIRE(fevent->fetch == lookup->fetch);
-
-	lookup_find(lookup, fevent);
-}
-
-static inline isc_result_t
-start_fetch(dns_lookup_t *lookup) {
-	isc_result_t result;
-
-	/*
-	 * The caller must be holding the lookup's lock.
-	 */
-
-	REQUIRE(lookup->fetch == NULL);
-
-	result = dns_resolver_createfetch(lookup->view->resolver,
-					  dns_fixedname_name(&lookup->name),
-					  lookup->type,
-					  NULL, NULL, NULL, 0,
-					  lookup->task, fetch_done, lookup,
-					  &lookup->rdataset,
-					  &lookup->sigrdataset,
-					  &lookup->fetch);
-
-	return (result);
-}
-
-static isc_result_t
-build_event(dns_lookup_t *lookup) {
-	dns_name_t *name = NULL;
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdataset_t *sigrdataset = NULL;
-	isc_result_t result;
-
-	name = isc_mem_get(lookup->mctx, sizeof(dns_name_t));
-	if (name == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto fail;
-	}
-	dns_name_init(name, NULL);
-	result = dns_name_dup(dns_fixedname_name(&lookup->name),
-			      lookup->mctx, name);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	if (dns_rdataset_isassociated(&lookup->rdataset)) {
-		rdataset = isc_mem_get(lookup->mctx, sizeof(dns_rdataset_t));
-		if (rdataset == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto fail;
-		}
-		dns_rdataset_init(rdataset);
-		dns_rdataset_clone(&lookup->rdataset, rdataset);
-	}
-
-	if (dns_rdataset_isassociated(&lookup->sigrdataset)) {
-		sigrdataset = isc_mem_get(lookup->mctx,
-					  sizeof(dns_rdataset_t));
-		if (sigrdataset == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto fail;
-		}
-		dns_rdataset_init(sigrdataset);
-		dns_rdataset_clone(&lookup->sigrdataset, sigrdataset);
-	}
-
-	lookup->event->name = name;
-	lookup->event->rdataset = rdataset;
-	lookup->event->sigrdataset = sigrdataset;
-
-	return (ISC_R_SUCCESS);
-
- fail:
-	if (name != NULL) {
-		if (dns_name_dynamic(name))
-			dns_name_free(name, lookup->mctx);
-		isc_mem_put(lookup->mctx, name, sizeof(dns_name_t));
-	}
-	if (rdataset != NULL) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		isc_mem_put(lookup->mctx, rdataset, sizeof(dns_rdataset_t));
-	}
-	return (result);
-}
-
-static isc_result_t
-view_find(dns_lookup_t *lookup, dns_name_t *foundname) {
-	isc_result_t result;
-	dns_name_t *name = dns_fixedname_name(&lookup->name);
-	dns_rdatatype_t type;
-
-	if (lookup->type == dns_rdatatype_rrsig)
-		type = dns_rdatatype_any;
-	else
-		type = lookup->type;
-
-	result = dns_view_find(lookup->view, name, type, 0, 0, ISC_FALSE,
-			       &lookup->event->db, &lookup->event->node,
-			       foundname, &lookup->rdataset,
-			       &lookup->sigrdataset);
-	return (result);
-}
-
-static void
-lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
-	isc_result_t result;
-	isc_boolean_t want_restart;
-	isc_boolean_t send_event;
-	dns_name_t *name, *fname, *prefix;
-	dns_fixedname_t foundname, fixed;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned int nlabels;
-	int order;
-	dns_namereln_t namereln;
-	dns_rdata_cname_t cname;
-	dns_rdata_dname_t dname;
-
-	REQUIRE(VALID_LOOKUP(lookup));
-
-	LOCK(&lookup->lock);
-
-	result = ISC_R_SUCCESS;
-	name = dns_fixedname_name(&lookup->name);
-
-	do {
-		lookup->restarts++;
-		want_restart = ISC_FALSE;
-		send_event = ISC_TRUE;
-
-		if (event == NULL && !lookup->canceled) {
-			dns_fixedname_init(&foundname);
-			fname = dns_fixedname_name(&foundname);
-			INSIST(!dns_rdataset_isassociated(&lookup->rdataset));
-			INSIST(!dns_rdataset_isassociated
-						(&lookup->sigrdataset));
-			/*
-			 * If we have restarted then clear the old node.				 */
-			if  (lookup->event->node != NULL) {
-				INSIST(lookup->event->db != NULL);
-				dns_db_detachnode(lookup->event->db,
-						 &lookup->event->node);
-			}
-			if (lookup->event->db != NULL)
-				dns_db_detach(&lookup->event->db);
-			result = view_find(lookup, fname);
-			if (result == ISC_R_NOTFOUND) {
-				/*
-				 * We don't know anything about the name.
-				 * Launch a fetch.
-				 */
-				if  (lookup->event->node != NULL) {
-					INSIST(lookup->event->db != NULL);
-					dns_db_detachnode(lookup->event->db,
-							 &lookup->event->node);
-				}
-				if (lookup->event->db != NULL)
-					dns_db_detach(&lookup->event->db);
-				result = start_fetch(lookup);
-				if (result == ISC_R_SUCCESS)
-					send_event = ISC_FALSE;
-				goto done;
-			}
-		} else if (event != NULL) {
-			result = event->result;
-			fname = dns_fixedname_name(&event->foundname);
-			dns_resolver_destroyfetch(&lookup->fetch);
-			INSIST(event->rdataset == &lookup->rdataset);
-			INSIST(event->sigrdataset == &lookup->sigrdataset);
-		} else
-			fname = NULL;	/* Silence compiler warning. */
-
-		/*
-		 * If we've been canceled, forget about the result.
-		 */
-		if (lookup->canceled)
-			result = ISC_R_CANCELED;
-
-		switch (result) {
-		case ISC_R_SUCCESS:
-			result = build_event(lookup);
-			if (event == NULL)
-				break;
-			if (event->db != NULL)
-				dns_db_attach(event->db, &lookup->event->db);
-			if (event->node != NULL)
-				dns_db_attachnode(lookup->event->db,
-						  event->node,
-						  &lookup->event->node);
-			break;
-		case DNS_R_CNAME:
-			/*
-			 * Copy the CNAME's target into the lookup's
-			 * query name and start over.
-			 */
-			result = dns_rdataset_first(&lookup->rdataset);
-			if (result != ISC_R_SUCCESS)
-				break;
-			dns_rdataset_current(&lookup->rdataset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &cname, NULL);
-			dns_rdata_reset(&rdata);
-			if (result != ISC_R_SUCCESS)
-				break;
-			result = dns_name_copy(&cname.cname, name, NULL);
-			dns_rdata_freestruct(&cname);
-			if (result == ISC_R_SUCCESS) {
-				want_restart = ISC_TRUE;
-				send_event = ISC_FALSE;
-			}
-			break;
-		case DNS_R_DNAME:
-			namereln = dns_name_fullcompare(name, fname, &order,
-							&nlabels);
-			INSIST(namereln == dns_namereln_subdomain);
-			/*
-			 * Get the target name of the DNAME.
-			 */
-			result = dns_rdataset_first(&lookup->rdataset);
-			if (result != ISC_R_SUCCESS)
-				break;
-			dns_rdataset_current(&lookup->rdataset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &dname, NULL);
-			dns_rdata_reset(&rdata);
-			if (result != ISC_R_SUCCESS)
-				break;
-			/*
-			 * Construct the new query name and start over.
-			 */
-			dns_fixedname_init(&fixed);
-			prefix = dns_fixedname_name(&fixed);
-			dns_name_split(name, nlabels, prefix, NULL);
-			result = dns_name_concatenate(prefix, &dname.dname,
-						      name, NULL);
-			dns_rdata_freestruct(&dname);
-			if (result == ISC_R_SUCCESS) {
-				want_restart = ISC_TRUE;
-				send_event = ISC_FALSE;
-			}
-			break;
-		default:
-			send_event = ISC_TRUE;
-		}
-
-		if (dns_rdataset_isassociated(&lookup->rdataset))
-			dns_rdataset_disassociate(&lookup->rdataset);
-		if (dns_rdataset_isassociated(&lookup->sigrdataset))
-			dns_rdataset_disassociate(&lookup->sigrdataset);
-
-	done:
-		if (event != NULL) {
-			if (event->node != NULL)
-				dns_db_detachnode(event->db, &event->node);
-			if (event->db != NULL)
-				dns_db_detach(&event->db);
-			isc_event_free(ISC_EVENT_PTR(&event));
-		}
-
-		/*
-		 * Limit the number of restarts.
-		 */
-		if (want_restart && lookup->restarts == MAX_RESTARTS) {
-			want_restart = ISC_FALSE;
-			result = ISC_R_QUOTA;
-			send_event = ISC_TRUE;
-		}
-
-	} while (want_restart);
-
-	if (send_event) {
-		lookup->event->result = result;
-		lookup->event->ev_sender = lookup;
-		isc_task_sendanddetach(&lookup->task,
-				       (isc_event_t **)&lookup->event);
-		dns_view_detach(&lookup->view);
-	}
-
-	UNLOCK(&lookup->lock);
-}
-
-static void
-levent_destroy(isc_event_t *event) {
-	dns_lookupevent_t *levent;
-	isc_mem_t *mctx;
-
-	REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
-	mctx = event->ev_destroy_arg;
-	levent = (dns_lookupevent_t *)event;
-
-	if (levent->name != NULL) {
-		if (dns_name_dynamic(levent->name))
-			dns_name_free(levent->name, mctx);
-		isc_mem_put(mctx, levent->name, sizeof(dns_name_t));
-	}
-	if (levent->rdataset != NULL) {
-		dns_rdataset_disassociate(levent->rdataset);
-		isc_mem_put(mctx, levent->rdataset, sizeof(dns_rdataset_t));
-	}
-	if (levent->sigrdataset != NULL) {
-		dns_rdataset_disassociate(levent->sigrdataset);
-		isc_mem_put(mctx, levent->sigrdataset, sizeof(dns_rdataset_t));
-	}
-	if (levent->node != NULL)
-		dns_db_detachnode(levent->db, &levent->node);
-	if (levent->db != NULL)
-		dns_db_detach(&levent->db);
-	isc_mem_put(mctx, event, event->ev_size);
-}
-
-isc_result_t
-dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
-		  dns_view_t *view, unsigned int options, isc_task_t *task,
-		  isc_taskaction_t action, void *arg, dns_lookup_t **lookupp)
-{
-	isc_result_t result;
-	dns_lookup_t *lookup;
-	isc_event_t *ievent;
-
-	lookup = isc_mem_get(mctx, sizeof(*lookup));
-	if (lookup == NULL)
-		return (ISC_R_NOMEMORY);
-	lookup->mctx = NULL;
-	isc_mem_attach(mctx, &lookup->mctx);
-	lookup->options = options;
-
-	ievent = isc_event_allocate(mctx, lookup, DNS_EVENT_LOOKUPDONE,
-				    action, arg, sizeof(*lookup->event));
-	if (ievent == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_lookup;
-	}
-	lookup->event = (dns_lookupevent_t *)ievent;
-	lookup->event->ev_destroy = levent_destroy;
-	lookup->event->ev_destroy_arg = mctx;
-	lookup->event->result = ISC_R_FAILURE;
-	lookup->event->name = NULL;
-	lookup->event->rdataset = NULL;
-	lookup->event->sigrdataset = NULL;
-	lookup->event->db = NULL;
-	lookup->event->node = NULL;
-
-	lookup->task = NULL;
-	isc_task_attach(task, &lookup->task);
-
-	result = isc_mutex_init(&lookup->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_event;
-
-	dns_fixedname_init(&lookup->name);
-
-	result = dns_name_copy(name, dns_fixedname_name(&lookup->name), NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-
-	lookup->type = type;
-	lookup->view = NULL;
-	dns_view_attach(view, &lookup->view);
-	lookup->fetch = NULL;
-	lookup->restarts = 0;
-	lookup->canceled = ISC_FALSE;
-	dns_rdataset_init(&lookup->rdataset);
-	dns_rdataset_init(&lookup->sigrdataset);
-	lookup->magic = LOOKUP_MAGIC;
-
-	*lookupp = lookup;
-
-	lookup_find(lookup, NULL);
-
-	return (ISC_R_SUCCESS);
-
- cleanup_lock:
-	DESTROYLOCK(&lookup->lock);
-
- cleanup_event:
-	ievent = (isc_event_t *)lookup->event;
-	isc_event_free(&ievent);
-	lookup->event = NULL;
-
-	isc_task_detach(&lookup->task);
-
- cleanup_lookup:
-	isc_mem_putanddetach(&mctx, lookup, sizeof(*lookup));
-
-	return (result);
-}
-
-void
-dns_lookup_cancel(dns_lookup_t *lookup) {
-	REQUIRE(VALID_LOOKUP(lookup));
-
-	LOCK(&lookup->lock);
-
-	if (!lookup->canceled) {
-		lookup->canceled = ISC_TRUE;
-		if (lookup->fetch != NULL) {
-			INSIST(lookup->view != NULL);
-			dns_resolver_cancelfetch(lookup->fetch);
-		}
-	}
-
-	UNLOCK(&lookup->lock);
-}
-
-void
-dns_lookup_destroy(dns_lookup_t **lookupp) {
-	dns_lookup_t *lookup;
-
-	REQUIRE(lookupp != NULL);
-	lookup = *lookupp;
-	REQUIRE(VALID_LOOKUP(lookup));
-	REQUIRE(lookup->event == NULL);
-	REQUIRE(lookup->task == NULL);
-	REQUIRE(lookup->view == NULL);
-	if (dns_rdataset_isassociated(&lookup->rdataset))
-		dns_rdataset_disassociate(&lookup->rdataset);
-	if (dns_rdataset_isassociated(&lookup->sigrdataset))
-		dns_rdataset_disassociate(&lookup->sigrdataset);
-
-	DESTROYLOCK(&lookup->lock);
-	lookup->magic = 0;
-	isc_mem_putanddetach(&lookup->mctx, lookup, sizeof(*lookup));
-
-	*lookupp = NULL;
-}
diff --git a/contrib/bind9/lib/dns/master.c b/contrib/bind9/lib/dns/master.c
deleted file mode 100644
index d0c1758..0000000
--- a/contrib/bind9/lib/dns/master.c
+++ /dev/null
@@ -1,3005 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/event.h>
-#include <isc/lex.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/serial.h>
-#include <isc/stdio.h>
-#include <isc/stdtime.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/master.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-#include <dns/time.h>
-#include <dns/ttl.h>
-
-/*!
- * Grow the number of dns_rdatalist_t (#RDLSZ) and dns_rdata_t (#RDSZ) structures
- * by these sizes when we need to.
- *
- */
-/*% RDLSZ reflects the number of different types with the same name expected. */
-#define RDLSZ 32
-/*%
- * RDSZ reflects the number of rdata expected at a give name that can fit into
- * 64k.
- */
-#define RDSZ 512
-
-#define NBUFS 4
-#define MAXWIRESZ 255
-
-/*%
- * Target buffer size and minimum target size.
- * MINTSIZ must be big enough to hold the largest rdata record.
- * \brief
- * TSIZ >= MINTSIZ
- */
-#define TSIZ (128*1024)
-/*%
- * max message size - header - root - type - class - ttl - rdlen
- */
-#define MINTSIZ DNS_RDATA_MAXLENGTH
-/*%
- * Size for tokens in the presentation format,
- * The largest tokens are the base64 blocks in KEY and CERT records,
- * Largest key allowed is about 1372 bytes but
- * there is no fixed upper bound on CERT records.
- * 2K is too small for some X.509s, 8K is overkill.
- */
-#define TOKENSIZ (8*1024)
-
-/*%
- * Buffers sizes for $GENERATE.
- */
-#define DNS_MASTER_LHS 2048
-#define DNS_MASTER_RHS MINTSIZ
-
-typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t;
-
-typedef struct dns_incctx dns_incctx_t;
-
-/*%
- * Master file load state.
- */
-
-struct dns_loadctx {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	dns_masterformat_t	format;
-
-	dns_rdatacallbacks_t	*callbacks;
-	isc_task_t		*task;
-	dns_loaddonefunc_t	done;
-	void			*done_arg;
-
-	/* Common methods */
-	isc_result_t		(*openfile)(dns_loadctx_t *lctx,
-					    const char *filename);
-	isc_result_t		(*load)(dns_loadctx_t *lctx);
-
-	/* Members specific to the text format: */
-	isc_lex_t		*lex;
-	isc_boolean_t		keep_lex;
-	unsigned int		options;
-	isc_boolean_t		ttl_known;
-	isc_boolean_t		default_ttl_known;
-	isc_boolean_t		warn_1035;
-	isc_boolean_t		warn_tcr;
-	isc_boolean_t		warn_sigexpired;
-	isc_boolean_t		seen_include;
-	isc_uint32_t		ttl;
-	isc_uint32_t		default_ttl;
-	dns_rdataclass_t	zclass;
-	dns_fixedname_t		fixed_top;
-	dns_name_t		*top;			/*%< top of zone */
-
-	/* Members specific to the raw format: */
-	FILE			*f;
-	isc_boolean_t		first;
-	dns_masterrawheader_t	header;
-
-	/* Which fixed buffers we are using? */
-	unsigned int		loop_cnt;		/*% records per quantum,
-							 * 0 => all. */
-	isc_boolean_t		canceled;
-	isc_mutex_t		lock;
-	isc_result_t		result;
-	/* locked by lock */
-	isc_uint32_t		references;
-	dns_incctx_t		*inc;
-	isc_uint32_t		resign;
-};
-
-struct dns_incctx {
-	dns_incctx_t		*parent;
-	dns_name_t		*origin;
-	dns_name_t		*current;
-	dns_name_t		*glue;
-	dns_fixedname_t		fixed[NBUFS];		/* working buffers */
-	unsigned int		in_use[NBUFS];		/* covert to bitmap? */
-	int			glue_in_use;
-	int			current_in_use;
-	int			origin_in_use;
-	isc_boolean_t		origin_changed;
-	isc_boolean_t		drop;
-	unsigned int		glue_line;
-	unsigned int		current_line;
-};
-
-#define DNS_LCTX_MAGIC ISC_MAGIC('L','c','t','x')
-#define DNS_LCTX_VALID(lctx) ISC_MAGIC_VALID(lctx, DNS_LCTX_MAGIC)
-
-#define DNS_AS_STR(t) ((t).value.as_textregion.base)
-
-static isc_result_t
-openfile_text(dns_loadctx_t *lctx, const char *master_file);
-
-static isc_result_t
-openfile_raw(dns_loadctx_t *lctx, const char *master_file);
-
-static isc_result_t
-load_text(dns_loadctx_t *lctx);
-
-static isc_result_t
-load_raw(dns_loadctx_t *lctx);
-
-static isc_result_t
-pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx);
-
-static isc_result_t
-commit(dns_rdatacallbacks_t *, dns_loadctx_t *, rdatalist_head_t *,
-       dns_name_t *, const char *, unsigned int);
-
-static isc_boolean_t
-is_glue(rdatalist_head_t *, dns_name_t *);
-
-static dns_rdatalist_t *
-grow_rdatalist(int, dns_rdatalist_t *, int, rdatalist_head_t *,
-		rdatalist_head_t *, isc_mem_t *mctx);
-
-static dns_rdata_t *
-grow_rdata(int, dns_rdata_t *, int, rdatalist_head_t *, rdatalist_head_t *,
-	   isc_mem_t *);
-
-static void
-load_quantum(isc_task_t *task, isc_event_t *event);
-
-static isc_result_t
-task_send(dns_loadctx_t *lctx);
-
-static void
-loadctx_destroy(dns_loadctx_t *lctx);
-
-#define GETTOKEN(lexer, options, token, eol) \
-	do { \
-		result = gettoken(lexer, options, token, eol, callbacks); \
-		switch (result) { \
-		case ISC_R_SUCCESS: \
-			break; \
-		case ISC_R_UNEXPECTED: \
-			goto insist_and_cleanup; \
-		default: \
-			if (MANYERRS(lctx, result)) { \
-				SETRESULT(lctx, result); \
-				LOGIT(result); \
-				read_till_eol = ISC_TRUE; \
-				goto next_line; \
-			} else \
-				goto log_and_cleanup; \
-		} \
-		if ((token)->type == isc_tokentype_special) { \
-			result = DNS_R_SYNTAX; \
-			if (MANYERRS(lctx, result)) { \
-				SETRESULT(lctx, result); \
-				LOGIT(result); \
-				read_till_eol = ISC_TRUE; \
-				goto next_line; \
-			} else \
-				goto log_and_cleanup; \
-		} \
-	} while (0)
-
-#define COMMITALL \
-	do { \
-		result = commit(callbacks, lctx, &current_list, \
-				ictx->current, source, ictx->current_line); \
-		if (MANYERRS(lctx, result)) { \
-			SETRESULT(lctx, result); \
-		} else if (result != ISC_R_SUCCESS) \
-			goto insist_and_cleanup; \
-		result = commit(callbacks, lctx, &glue_list, \
-				ictx->glue, source, ictx->glue_line); \
-		if (MANYERRS(lctx, result)) { \
-			SETRESULT(lctx, result); \
-		} else if (result != ISC_R_SUCCESS) \
-			goto insist_and_cleanup; \
-		rdcount = 0; \
-		rdlcount = 0; \
-		isc_buffer_init(&target, target_mem, target_size); \
-		rdcount_save = rdcount; \
-		rdlcount_save = rdlcount; \
-	} while (0)
-
-#define WARNUNEXPECTEDEOF(lexer) \
-	do { \
-		if (isc_lex_isfile(lexer)) \
-			(*callbacks->warn)(callbacks, \
-				"%s: file does not end with newline", \
-				source); \
-	} while (0)
-
-#define EXPECTEOL \
-	do { \
-		GETTOKEN(lctx->lex, 0, &token, ISC_TRUE); \
-		if (token.type != isc_tokentype_eol) { \
-			isc_lex_ungettoken(lctx->lex, &token); \
-			result = DNS_R_EXTRATOKEN; \
-			if (MANYERRS(lctx, result)) { \
-				SETRESULT(lctx, result); \
-				LOGIT(result); \
-				read_till_eol = ISC_TRUE; \
-				continue; \
-			} else if (result != ISC_R_SUCCESS) \
-				goto log_and_cleanup; \
-		} \
-	} while (0)
-
-#define MANYERRS(lctx, result) \
-		((result != ISC_R_SUCCESS) && \
-		 (result != ISC_R_IOERROR) && \
-		 ((lctx)->options & DNS_MASTER_MANYERRORS) != 0)
-
-#define SETRESULT(lctx, r) \
-		do { \
-			if ((lctx)->result == ISC_R_SUCCESS) \
-				(lctx)->result = r; \
-		} while (0)
-
-#define LOGITFILE(result, filename) \
-	if (result == ISC_R_INVALIDFILE || result == ISC_R_FILENOTFOUND || \
-	    result == ISC_R_IOERROR || result == ISC_R_TOOMANYOPENFILES || \
-	    result == ISC_R_NOPERM) \
-		(*callbacks->error)(callbacks, "%s: %s:%lu: %s: %s", \
-				    "dns_master_load", source, line, \
-				    filename, dns_result_totext(result)); \
-	else LOGIT(result)
-
-#define LOGIT(result) \
-	if (result == ISC_R_NOMEMORY) \
-		(*callbacks->error)(callbacks, "dns_master_load: %s", \
-				    dns_result_totext(result)); \
-	else \
-		(*callbacks->error)(callbacks, "%s: %s:%lu: %s", \
-				    "dns_master_load", \
-				    source, line, dns_result_totext(result))
-
-
-static unsigned char in_addr_arpa_data[]  = "\007IN-ADDR\004ARPA";
-static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
-static const dns_name_t in_addr_arpa =
-{
-	DNS_NAME_MAGIC,
-	in_addr_arpa_data, 14, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	in_addr_arpa_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-static unsigned char ip6_int_data[]  = "\003IP6\003INT";
-static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
-static const dns_name_t ip6_int =
-{
-	DNS_NAME_MAGIC,
-	ip6_int_data, 9, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	ip6_int_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-static unsigned char ip6_arpa_data[]  = "\003IP6\004ARPA";
-static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
-static const dns_name_t ip6_arpa =
-{
-	DNS_NAME_MAGIC,
-	ip6_arpa_data, 10, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	ip6_arpa_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-
-static inline isc_result_t
-gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token,
-	 isc_boolean_t eol, dns_rdatacallbacks_t *callbacks)
-{
-	isc_result_t result;
-
-	options |= ISC_LEXOPT_EOL | ISC_LEXOPT_EOF | ISC_LEXOPT_DNSMULTILINE |
-		ISC_LEXOPT_ESCAPE;
-	result = isc_lex_gettoken(lex, options, token);
-	if (result != ISC_R_SUCCESS) {
-		switch (result) {
-		case ISC_R_NOMEMORY:
-			return (ISC_R_NOMEMORY);
-		default:
-			(*callbacks->error)(callbacks,
-					    "dns_master_load: %s:%lu:"
-					    " isc_lex_gettoken() failed: %s",
-					    isc_lex_getsourcename(lex),
-					    isc_lex_getsourceline(lex),
-					    isc_result_totext(result));
-			return (result);
-		}
-		/*NOTREACHED*/
-	}
-	if (eol != ISC_TRUE)
-		if (token->type == isc_tokentype_eol ||
-		    token->type == isc_tokentype_eof) {
-			(*callbacks->error)(callbacks,
-			    "dns_master_load: %s:%lu: unexpected end of %s",
-					    isc_lex_getsourcename(lex),
-					    isc_lex_getsourceline(lex),
-					    (token->type ==
-					     isc_tokentype_eol) ?
-					    "line" : "file");
-			return (ISC_R_UNEXPECTEDEND);
-		}
-	return (ISC_R_SUCCESS);
-}
-
-
-void
-dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target) {
-
-	REQUIRE(target != NULL && *target == NULL);
-	REQUIRE(DNS_LCTX_VALID(source));
-
-	LOCK(&source->lock);
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references != 0);	/* Overflow? */
-	UNLOCK(&source->lock);
-
-	*target = source;
-}
-
-void
-dns_loadctx_detach(dns_loadctx_t **lctxp) {
-	dns_loadctx_t *lctx;
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(lctxp != NULL);
-	lctx = *lctxp;
-	REQUIRE(DNS_LCTX_VALID(lctx));
-
-	LOCK(&lctx->lock);
-	INSIST(lctx->references > 0);
-	lctx->references--;
-	if (lctx->references == 0)
-		need_destroy = ISC_TRUE;
-	UNLOCK(&lctx->lock);
-
-	if (need_destroy)
-		loadctx_destroy(lctx);
-	*lctxp = NULL;
-}
-
-static void
-incctx_destroy(isc_mem_t *mctx, dns_incctx_t *ictx) {
-	dns_incctx_t *parent;
-
- again:
-	parent = ictx->parent;
-	ictx->parent = NULL;
-
-	isc_mem_put(mctx, ictx, sizeof(*ictx));
-
-	if (parent != NULL) {
-		ictx = parent;
-		goto again;
-	}
-}
-
-static void
-loadctx_destroy(dns_loadctx_t *lctx) {
-	isc_mem_t *mctx;
-	isc_result_t result;
-
-	REQUIRE(DNS_LCTX_VALID(lctx));
-
-	lctx->magic = 0;
-	if (lctx->inc != NULL)
-		incctx_destroy(lctx->mctx, lctx->inc);
-
-	if (lctx->f != NULL) {
-		result = isc_stdio_close(lctx->f);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_stdio_close() failed: %s",
-					 isc_result_totext(result));
-		}
-	}
-
-	/* isc_lex_destroy() will close all open streams */
-	if (lctx->lex != NULL && !lctx->keep_lex)
-		isc_lex_destroy(&lctx->lex);
-
-	if (lctx->task != NULL)
-		isc_task_detach(&lctx->task);
-	DESTROYLOCK(&lctx->lock);
-	mctx = NULL;
-	isc_mem_attach(lctx->mctx, &mctx);
-	isc_mem_detach(&lctx->mctx);
-	isc_mem_put(mctx, lctx, sizeof(*lctx));
-	isc_mem_detach(&mctx);
-}
-
-static isc_result_t
-incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) {
-	dns_incctx_t *ictx;
-	isc_region_t r;
-	int i;
-
-	ictx = isc_mem_get(mctx, sizeof(*ictx));
-	if (ictx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	for (i = 0; i < NBUFS; i++) {
-		dns_fixedname_init(&ictx->fixed[i]);
-		ictx->in_use[i] = ISC_FALSE;
-	}
-
-	ictx->origin_in_use = 0;
-	ictx->origin = dns_fixedname_name(&ictx->fixed[ictx->origin_in_use]);
-	ictx->in_use[ictx->origin_in_use] = ISC_TRUE;
-	dns_name_toregion(origin, &r);
-	dns_name_fromregion(ictx->origin, &r);
-
-	ictx->glue = NULL;
-	ictx->current = NULL;
-	ictx->glue_in_use = -1;
-	ictx->current_in_use = -1;
-	ictx->parent = NULL;
-	ictx->drop = ISC_FALSE;
-	ictx->glue_line = 0;
-	ictx->current_line = 0;
-
-	*ictxp = ictx;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-loadctx_create(dns_masterformat_t format, isc_mem_t *mctx,
-	       unsigned int options, isc_uint32_t resign, dns_name_t *top,
-	       dns_rdataclass_t zclass, dns_name_t *origin,
-	       dns_rdatacallbacks_t *callbacks, isc_task_t *task,
-	       dns_loaddonefunc_t done, void *done_arg, isc_lex_t *lex,
-	       dns_loadctx_t **lctxp)
-{
-	dns_loadctx_t *lctx;
-	isc_result_t result;
-	isc_region_t r;
-	isc_lexspecials_t specials;
-
-	REQUIRE(lctxp != NULL && *lctxp == NULL);
-	REQUIRE(callbacks != NULL);
-	REQUIRE(callbacks->add != NULL);
-	REQUIRE(callbacks->error != NULL);
-	REQUIRE(callbacks->warn != NULL);
-	REQUIRE(mctx != NULL);
-	REQUIRE(dns_name_isabsolute(top));
-	REQUIRE(dns_name_isabsolute(origin));
-	REQUIRE((task == NULL && done == NULL) ||
-		(task != NULL && done != NULL));
-
-	lctx = isc_mem_get(mctx, sizeof(*lctx));
-	if (lctx == NULL)
-		return (ISC_R_NOMEMORY);
-	result = isc_mutex_init(&lctx->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, lctx, sizeof(*lctx));
-		return (result);
-	}
-
-	lctx->inc = NULL;
-	result = incctx_create(mctx, origin, &lctx->inc);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_ctx;
-
-	lctx->format = format;
-	switch (format) {
-	default:
-		INSIST(0);
-	case dns_masterformat_text:
-		lctx->openfile = openfile_text;
-		lctx->load = load_text;
-		break;
-	case dns_masterformat_raw:
-		lctx->openfile = openfile_raw;
-		lctx->load = load_raw;
-		break;
-	}
-
-	if (lex != NULL) {
-		lctx->lex = lex;
-		lctx->keep_lex = ISC_TRUE;
-	} else {
-		lctx->lex = NULL;
-		result = isc_lex_create(mctx, TOKENSIZ, &lctx->lex);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_inc;
-		lctx->keep_lex = ISC_FALSE;
-		memset(specials, 0, sizeof(specials));
-		specials[0] = 1;
-		specials['('] = 1;
-		specials[')'] = 1;
-		specials['"'] = 1;
-		isc_lex_setspecials(lctx->lex, specials);
-		isc_lex_setcomments(lctx->lex, ISC_LEXCOMMENT_DNSMASTERFILE);
-	}
-
-	lctx->ttl_known = ISC_FALSE;
-	lctx->ttl = 0;
-	lctx->default_ttl_known = ISC_FALSE;
-	lctx->default_ttl = 0;
-	lctx->warn_1035 = ISC_TRUE;	/* XXX Argument? */
-	lctx->warn_tcr = ISC_TRUE;	/* XXX Argument? */
-	lctx->warn_sigexpired = ISC_TRUE;	/* XXX Argument? */
-	lctx->options = options;
-	lctx->seen_include = ISC_FALSE;
-	lctx->zclass = zclass;
-	lctx->resign = resign;
-	lctx->result = ISC_R_SUCCESS;
-
-	dns_fixedname_init(&lctx->fixed_top);
-	lctx->top = dns_fixedname_name(&lctx->fixed_top);
-	dns_name_toregion(top, &r);
-	dns_name_fromregion(lctx->top, &r);
-
-	lctx->f = NULL;
-	lctx->first = ISC_TRUE;
-	dns_master_initrawheader(&lctx->header);
-
-	lctx->loop_cnt = (done != NULL) ? 100 : 0;
-	lctx->callbacks = callbacks;
-	lctx->task = NULL;
-	if (task != NULL)
-		isc_task_attach(task, &lctx->task);
-	lctx->done = done;
-	lctx->done_arg = done_arg;
-	lctx->canceled = ISC_FALSE;
-	lctx->mctx = NULL;
-	isc_mem_attach(mctx, &lctx->mctx);
-	lctx->references = 1;			/* Implicit attach. */
-	lctx->magic = DNS_LCTX_MAGIC;
-	*lctxp = lctx;
-	return (ISC_R_SUCCESS);
-
- cleanup_inc:
-	incctx_destroy(mctx, lctx->inc);
- cleanup_ctx:
-	isc_mem_put(mctx, lctx, sizeof(*lctx));
-	return (result);
-}
-
-static const char *hex = "0123456789abcdef0123456789ABCDEF";
-
-/*%
- * Convert value into a nibble sequence from least significant to most
- * significant nibble.  Zero fill upper most significant nibbles if
- * required to make the width.
- *
- * Returns the number of characters that should have been written without
- * counting the terminating NUL.
- */
-static unsigned int
-nibbles(char *numbuf, size_t length, unsigned int width, char mode, int value) {
-	unsigned int count = 0;
-
-	/*
-	 * This reserve space for the NUL string terminator.
-	 */
-	if (length > 0U) {
-		*numbuf = '\0';
-		length--;
-	}
-	do {
-		char val = hex[(value & 0x0f) + ((mode == 'n') ? 0 : 16)];
-		value >>= 4;
-		if (length > 0U) {
-			*numbuf++ = val;
-			*numbuf = '\0';
-			length--;
-		}
-		if (width > 0)
-			width--;
-		count++;
-		/*
-		 * If width is non zero then we need to add a label seperator.
-		 * If value is non zero then we need to add another label and
-		 * that requires a label seperator.
-		 */
-		if (width > 0 || value != 0) {
-			if (length > 0U) {
-				*numbuf++ = '.';
-				*numbuf = '\0';
-				length--;
-			}
-			if (width > 0)
-				width--;
-			count++;
-		}
-	} while (value != 0 || width > 0);
-	return (count);
-}
-
-static isc_result_t
-genname(char *name, int it, char *buffer, size_t length) {
-	char fmt[sizeof("%04000000000d")];
-	char numbuf[128];
-	char *cp;
-	char mode[2];
-	int delta = 0;
-	isc_textregion_t r;
-	unsigned int n;
-	unsigned int width;
-	isc_boolean_t nibblemode;
-
-	r.base = buffer;
-	r.length = length;
-
-	while (*name != '\0') {
-		if (*name == '$') {
-			name++;
-			if (*name == '$') {
-				if (r.length == 0)
-					return (ISC_R_NOSPACE);
-				r.base[0] = *name++;
-				isc_textregion_consume(&r, 1);
-				continue;
-			}
-			nibblemode = ISC_FALSE;
-			strcpy(fmt, "%d");
-			/* Get format specifier. */
-			if (*name == '{' ) {
-				n = sscanf(name, "{%d,%u,%1[doxXnN]}",
-					   &delta, &width, mode);
-				switch (n) {
-				case 1:
-					break;
-				case 2:
-					n = snprintf(fmt, sizeof(fmt),
-						     "%%0%ud", width);
-					break;
-				case 3:
-					if (mode[0] == 'n' || mode[0] == 'N')
-						nibblemode = ISC_TRUE;
-					n = snprintf(fmt, sizeof(fmt),
-						     "%%0%u%c", width, mode[0]);
-					break;
-				default:
-					return (DNS_R_SYNTAX);
-				}
-				if (n >= sizeof(fmt))
-					return (ISC_R_NOSPACE);
-				/* Skip past closing brace. */
-				while (*name != '\0' && *name++ != '}')
-					continue;
-			}
-			if (nibblemode)
-				n = nibbles(numbuf, sizeof(numbuf), width,
-					    mode[0], it + delta);
-			else
-				n = snprintf(numbuf, sizeof(numbuf), fmt,
-					     it + delta);
-			if (n >= sizeof(numbuf))
-				return (ISC_R_NOSPACE);
-			cp = numbuf;
-			while (*cp != '\0') {
-				if (r.length == 0)
-					return (ISC_R_NOSPACE);
-				r.base[0] = *cp++;
-				isc_textregion_consume(&r, 1);
-			}
-		} else if (*name == '\\') {
-			if (r.length == 0)
-				return (ISC_R_NOSPACE);
-			r.base[0] = *name++;
-			isc_textregion_consume(&r, 1);
-			if (*name == '\0')
-				continue;
-			if (r.length == 0)
-				return (ISC_R_NOSPACE);
-			r.base[0] = *name++;
-			isc_textregion_consume(&r, 1);
-		} else {
-			if (r.length == 0)
-				return (ISC_R_NOSPACE);
-			r.base[0] = *name++;
-			isc_textregion_consume(&r, 1);
-		}
-	}
-	if (r.length == 0)
-		return (ISC_R_NOSPACE);
-	r.base[0] = '\0';
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openfile_text(dns_loadctx_t *lctx, const char *master_file) {
-	return (isc_lex_openfile(lctx->lex, master_file));
-}
-
-static isc_result_t
-openfile_raw(dns_loadctx_t *lctx, const char *master_file) {
-	isc_result_t result;
-
-	result = isc_stdio_open(master_file, "rb", &lctx->f);
-	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_stdio_open() failed: %s",
-				 isc_result_totext(result));
-	}
-
-	return (result);
-}
-
-static isc_result_t
-generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
-	 const char *source, unsigned int line)
-{
-	char *target_mem = NULL;
-	char *lhsbuf = NULL;
-	char *rhsbuf = NULL;
-	dns_fixedname_t ownerfixed;
-	dns_name_t *owner;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdatacallbacks_t *callbacks;
-	dns_rdatalist_t rdatalist;
-	dns_rdatatype_t type;
-	rdatalist_head_t head;
-	int n;
-	int target_size = MINTSIZ;	/* only one rdata at a time */
-	isc_buffer_t buffer;
-	isc_buffer_t target;
-	isc_result_t result;
-	isc_textregion_t r;
-	unsigned int start, stop, step, i;
-	dns_incctx_t *ictx;
-
-	ictx = lctx->inc;
-	callbacks = lctx->callbacks;
-	dns_fixedname_init(&ownerfixed);
-	owner = dns_fixedname_name(&ownerfixed);
-	ISC_LIST_INIT(head);
-
-	target_mem = isc_mem_get(lctx->mctx, target_size);
-	rhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_RHS);
-	lhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_LHS);
-	if (target_mem == NULL || rhsbuf == NULL || lhsbuf == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto error_cleanup;
-	}
-	isc_buffer_init(&target, target_mem, target_size);
-
-	n = sscanf(range, "%u-%u/%u", &start, &stop, &step);
-	if (n < 2 || stop < start) {
-	       (*callbacks->error)(callbacks,
-				  "%s: %s:%lu: invalid range '%s'",
-				  "$GENERATE", source, line, range);
-		result = DNS_R_SYNTAX;
-		goto insist_cleanup;
-	}
-	if (n == 2)
-		step = 1;
-
-	/*
-	 * Get type.
-	 */
-	r.base = gtype;
-	r.length = strlen(gtype);
-	result = dns_rdatatype_fromtext(&type, &r);
-	if (result != ISC_R_SUCCESS) {
-		(*callbacks->error)(callbacks,
-				   "%s: %s:%lu: unknown RR type '%s'",
-				   "$GENERATE", source, line, gtype);
-		goto insist_cleanup;
-	}
-
-	ISC_LIST_INIT(rdatalist.rdata);
-	ISC_LINK_INIT(&rdatalist, link);
-	for (i = start; i <= stop; i += step) {
-		result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS);
-		if (result != ISC_R_SUCCESS)
-			goto error_cleanup;
-		result = genname(rhs, i, rhsbuf, DNS_MASTER_RHS);
-		if (result != ISC_R_SUCCESS)
-			goto error_cleanup;
-
-		isc_buffer_init(&buffer, lhsbuf, strlen(lhsbuf));
-		isc_buffer_add(&buffer, strlen(lhsbuf));
-		isc_buffer_setactive(&buffer, strlen(lhsbuf));
-		result = dns_name_fromtext(owner, &buffer, ictx->origin,
-					   0, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto error_cleanup;
-
-		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
-		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
-		    (lctx->options & DNS_MASTER_KEY) == 0 &&
-		    !dns_name_issubdomain(owner, lctx->top))
-		{
-			char namebuf[DNS_NAME_FORMATSIZE];
-			dns_name_format(owner, namebuf, sizeof(namebuf));
-			/*
-			 * Ignore out-of-zone data.
-			 */
-			(*callbacks->warn)(callbacks,
-					   "%s:%lu: "
-					   "ignoring out-of-zone data (%s)",
-					   source, line, namebuf);
-			continue;
-		}
-
-		isc_buffer_init(&buffer, rhsbuf, strlen(rhsbuf));
-		isc_buffer_add(&buffer, strlen(rhsbuf));
-		isc_buffer_setactive(&buffer, strlen(rhsbuf));
-
-		result = isc_lex_openbuffer(lctx->lex, &buffer);
-		if (result != ISC_R_SUCCESS)
-			goto error_cleanup;
-
-		isc_buffer_init(&target, target_mem, target_size);
-		result = dns_rdata_fromtext(&rdata, lctx->zclass, type,
-					    lctx->lex, ictx->origin, 0,
-					    lctx->mctx, &target, callbacks);
-		RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
-		if (result != ISC_R_SUCCESS)
-			goto error_cleanup;
-
-		rdatalist.type = type;
-		rdatalist.covers = 0;
-		rdatalist.rdclass = lctx->zclass;
-		rdatalist.ttl = lctx->ttl;
-		ISC_LIST_PREPEND(head, &rdatalist, link);
-		ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
-		result = commit(callbacks, lctx, &head, owner, source, line);
-		ISC_LIST_UNLINK(rdatalist.rdata, &rdata, link);
-		if (result != ISC_R_SUCCESS)
-			goto error_cleanup;
-		dns_rdata_reset(&rdata);
-	}
-	result = ISC_R_SUCCESS;
-	goto cleanup;
-
- error_cleanup:
-	if (result == ISC_R_NOMEMORY)
-		(*callbacks->error)(callbacks, "$GENERATE: %s",
-				    dns_result_totext(result));
-	else
-		(*callbacks->error)(callbacks, "$GENERATE: %s:%lu: %s",
-				    source, line, dns_result_totext(result));
-
- insist_cleanup:
-	INSIST(result != ISC_R_SUCCESS);
-
- cleanup:
-	if (target_mem != NULL)
-		isc_mem_put(lctx->mctx, target_mem, target_size);
-	if (lhsbuf != NULL)
-		isc_mem_put(lctx->mctx, lhsbuf, DNS_MASTER_LHS);
-	if (rhsbuf != NULL)
-		isc_mem_put(lctx->mctx, rhsbuf, DNS_MASTER_RHS);
-	return (result);
-}
-
-static void
-limit_ttl(dns_rdatacallbacks_t *callbacks, const char *source, unsigned int line,
-	  isc_uint32_t *ttlp)
-{
-	if (*ttlp > 0x7fffffffUL) {
-		(callbacks->warn)(callbacks,
-				  "%s: %s:%lu: "
-				  "$TTL %lu > MAXTTL, "
-				  "setting $TTL to 0",
-				  "dns_master_load",
-				  source, line,
-				  *ttlp);
-		*ttlp = 0;
-	}
-}
-
-static isc_result_t
-check_ns(dns_loadctx_t *lctx, isc_token_t *token, const char *source,
-	 unsigned long line)
-{
-	char *tmp = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	void (*callback)(struct dns_rdatacallbacks *, const char *, ...);
-
-	if ((lctx->options & DNS_MASTER_FATALNS) != 0)
-		callback = lctx->callbacks->error;
-	else
-		callback = lctx->callbacks->warn;
-
-	if (token->type == isc_tokentype_string) {
-		struct in_addr addr;
-		struct in6_addr addr6;
-
-		tmp = isc_mem_strdup(lctx->mctx, DNS_AS_STR(*token));
-		if (tmp == NULL)
-			return (ISC_R_NOMEMORY);
-		/*
-		 * Catch both "1.2.3.4" and "1.2.3.4."
-		 */
-		if (tmp[strlen(tmp) - 1] == '.')
-			tmp[strlen(tmp) - 1] = '\0';
-		if (inet_aton(tmp, &addr) == 1 ||
-		    inet_pton(AF_INET6, tmp, &addr6) == 1)
-			result = DNS_R_NSISADDRESS;
-	}
-	if (result != ISC_R_SUCCESS)
-		(*callback)(lctx->callbacks, "%s:%lu: NS record '%s' "
-			    "appears to be an address",
-			    source, line, DNS_AS_STR(*token));
-	if (tmp != NULL)
-		isc_mem_free(lctx->mctx, tmp);
-	return (result);
-}
-
-static void
-check_wildcard(dns_incctx_t *ictx, const char *source, unsigned long line,
-	       dns_rdatacallbacks_t *callbacks)
-{
-	dns_name_t *name;
-
-	name = (ictx->glue != NULL) ? ictx->glue : ictx->current;
-	if (dns_name_internalwildcard(name)) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		(*callbacks->warn)(callbacks, "%s:%lu: warning: ownername "
-				   "'%s' contains an non-terminal wildcard",
-				   source, line, namebuf);
-	}
-}
-
-static isc_result_t
-load_text(dns_loadctx_t *lctx) {
-	dns_rdataclass_t rdclass;
-	dns_rdatatype_t type, covers;
-	isc_uint32_t ttl_offset = 0;
-	dns_name_t *new_name;
-	isc_boolean_t current_has_delegation = ISC_FALSE;
-	isc_boolean_t done = ISC_FALSE;
-	isc_boolean_t finish_origin = ISC_FALSE;
-	isc_boolean_t finish_include = ISC_FALSE;
-	isc_boolean_t read_till_eol = ISC_FALSE;
-	isc_boolean_t initialws;
-	char *include_file = NULL;
-	isc_token_t token;
-	isc_result_t result = ISC_R_UNEXPECTED;
-	rdatalist_head_t glue_list;
-	rdatalist_head_t current_list;
-	dns_rdatalist_t *this;
-	dns_rdatalist_t *rdatalist = NULL;
-	dns_rdatalist_t *new_rdatalist;
-	int rdlcount = 0;
-	int rdlcount_save = 0;
-	int rdatalist_size = 0;
-	isc_buffer_t buffer;
-	isc_buffer_t target;
-	isc_buffer_t target_ft;
-	isc_buffer_t target_save;
-	dns_rdata_t *rdata = NULL;
-	dns_rdata_t *new_rdata;
-	int rdcount = 0;
-	int rdcount_save = 0;
-	int rdata_size = 0;
-	unsigned char *target_mem = NULL;
-	int target_size = TSIZ;
-	int new_in_use;
-	unsigned int loop_cnt = 0;
-	isc_mem_t *mctx;
-	dns_rdatacallbacks_t *callbacks;
-	dns_incctx_t *ictx;
-	char *range = NULL;
-	char *lhs = NULL;
-	char *gtype = NULL;
-	char *rhs = NULL;
-	const char *source = "";
-	unsigned long line = 0;
-	isc_boolean_t explicit_ttl;
-	isc_stdtime_t now;
-	char classname1[DNS_RDATACLASS_FORMATSIZE];
-	char classname2[DNS_RDATACLASS_FORMATSIZE];
-	unsigned int options = 0;
-
-	REQUIRE(DNS_LCTX_VALID(lctx));
-	callbacks = lctx->callbacks;
-	mctx = lctx->mctx;
-	ictx = lctx->inc;
-
-	ISC_LIST_INIT(glue_list);
-	ISC_LIST_INIT(current_list);
-
-	isc_stdtime_get(&now);
-
-	/*
-	 * Allocate target_size of buffer space.  This is greater than twice
-	 * the maximum individual RR data size.
-	 */
-	target_mem = isc_mem_get(mctx, target_size);
-	if (target_mem == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto log_and_cleanup;
-	}
-	isc_buffer_init(&target, target_mem, target_size);
-	target_save = target;
-
-	if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0)
-		options |= DNS_RDATA_CHECKNAMES;
-	if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0)
-		options |= DNS_RDATA_CHECKNAMESFAIL;
-	if ((lctx->options & DNS_MASTER_CHECKMX) != 0)
-		options |= DNS_RDATA_CHECKMX;
-	if ((lctx->options & DNS_MASTER_CHECKMXFAIL) != 0)
-		options |= DNS_RDATA_CHECKMXFAIL;
-	source = isc_lex_getsourcename(lctx->lex);
-	do {
-		initialws = ISC_FALSE;
-		line = isc_lex_getsourceline(lctx->lex);
-		GETTOKEN(lctx->lex, ISC_LEXOPT_INITIALWS | ISC_LEXOPT_QSTRING,
-			 &token, ISC_TRUE);
-		line = isc_lex_getsourceline(lctx->lex);
-
-		if (token.type == isc_tokentype_eof) {
-			if (read_till_eol)
-				WARNUNEXPECTEDEOF(lctx->lex);
-			/* Pop the include stack? */
-			if (ictx->parent != NULL) {
-				COMMITALL;
-				lctx->inc = ictx->parent;
-				ictx->parent = NULL;
-				incctx_destroy(lctx->mctx, ictx);
-				RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
-				line = isc_lex_getsourceline(lctx->lex);
-				source = isc_lex_getsourcename(lctx->lex);
-				ictx = lctx->inc;
-				EXPECTEOL;
-				continue;
-			}
-			done = ISC_TRUE;
-			continue;
-		}
-
-		if (token.type == isc_tokentype_eol) {
-			read_till_eol = ISC_FALSE;
-			continue;		/* blank line */
-		}
-
-		if (read_till_eol)
-			continue;
-
-		if (token.type == isc_tokentype_initialws) {
-			/*
-			 * Still working on the same name.
-			 */
-			initialws = ISC_TRUE;
-		} else if (token.type == isc_tokentype_string ||
-			   token.type == isc_tokentype_qstring) {
-
-			/*
-			 * "$" Support.
-			 *
-			 * "$ORIGIN" and "$INCLUDE" can both take domain names.
-			 * The processing of "$ORIGIN" and "$INCLUDE" extends
-			 * across the normal domain name processing.
-			 */
-
-			if (strcasecmp(DNS_AS_STR(token), "$ORIGIN") == 0) {
-				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-				finish_origin = ISC_TRUE;
-			} else if (strcasecmp(DNS_AS_STR(token),
-					      "$TTL") == 0) {
-				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-				result =
-				   dns_ttl_fromtext(&token.value.as_textregion,
-						    &lctx->ttl);
-				if (MANYERRS(lctx, result)) {
-					SETRESULT(lctx, result);
-					lctx->ttl = 0;
-				} else if (result != ISC_R_SUCCESS)
-					goto insist_and_cleanup;
-				limit_ttl(callbacks, source, line, &lctx->ttl);
-				lctx->default_ttl = lctx->ttl;
-				lctx->default_ttl_known = ISC_TRUE;
-				EXPECTEOL;
-				continue;
-			} else if (strcasecmp(DNS_AS_STR(token),
-					      "$INCLUDE") == 0) {
-				COMMITALL;
-				if ((lctx->options & DNS_MASTER_NOINCLUDE)
-				    != 0)
-				{
-					(callbacks->error)(callbacks,
-					   "%s: %s:%lu: $INCLUDE not allowed",
-					   "dns_master_load",
-					   source, line);
-					result = DNS_R_REFUSED;
-					goto insist_and_cleanup;
-				}
-				if (ttl_offset != 0) {
-					(callbacks->error)(callbacks,
-					   "%s: %s:%lu: $INCLUDE "
-					   "may not be used with $DATE",
-					   "dns_master_load",
-					   source, line);
-					result = DNS_R_SYNTAX;
-					goto insist_and_cleanup;
-				}
-				GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING, &token,
-					 ISC_FALSE);
-				if (include_file != NULL)
-					isc_mem_free(mctx, include_file);
-				include_file = isc_mem_strdup(mctx,
-							   DNS_AS_STR(token));
-				if (include_file == NULL) {
-					result = ISC_R_NOMEMORY;
-					goto log_and_cleanup;
-				}
-				GETTOKEN(lctx->lex, 0, &token, ISC_TRUE);
-
-				if (token.type == isc_tokentype_eol ||
-				    token.type == isc_tokentype_eof) {
-					if (token.type == isc_tokentype_eof)
-						WARNUNEXPECTEDEOF(lctx->lex);
-					isc_lex_ungettoken(lctx->lex, &token);
-					/*
-					 * No origin field.
-					 */
-					result = pushfile(include_file,
-							  ictx->origin, lctx);
-					if (MANYERRS(lctx, result)) {
-						SETRESULT(lctx, result);
-						LOGITFILE(result, include_file);
-						continue;
-					} else if (result != ISC_R_SUCCESS) {
-						LOGITFILE(result, include_file);
-						goto insist_and_cleanup;
-					}
-					ictx = lctx->inc;
-					source =
-					       isc_lex_getsourcename(lctx->lex);
-					line = isc_lex_getsourceline(lctx->lex);
-					POST(line);
-					continue;
-				}
-				/*
-				 * There is an origin field.  Fall through
-				 * to domain name processing code and do
-				 * the actual inclusion later.
-				 */
-				finish_include = ISC_TRUE;
-			} else if (strcasecmp(DNS_AS_STR(token),
-					      "$DATE") == 0) {
-				isc_int64_t dump_time64;
-				isc_stdtime_t dump_time, current_time;
-				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-				isc_stdtime_get(&current_time);
-				result = dns_time64_fromtext(DNS_AS_STR(token),
-							     &dump_time64);
-				if (MANYERRS(lctx, result)) {
-					SETRESULT(lctx, result);
-					LOGIT(result);
-					dump_time64 = 0;
-				} else if (result != ISC_R_SUCCESS)
-					goto log_and_cleanup;
-				dump_time = (isc_stdtime_t)dump_time64;
-				if (dump_time != dump_time64) {
-					UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "%s: %s:%lu: $DATE outside epoch",
-					 "dns_master_load", source, line);
-					result = ISC_R_UNEXPECTED;
-					goto insist_and_cleanup;
-				}
-				if (dump_time > current_time) {
-					UNEXPECTED_ERROR(__FILE__, __LINE__,
-					"%s: %s:%lu: "
-					"$DATE in future, using current date",
-					"dns_master_load", source, line);
-					dump_time = current_time;
-				}
-				ttl_offset = current_time - dump_time;
-				EXPECTEOL;
-				continue;
-			} else if (strcasecmp(DNS_AS_STR(token),
-					      "$GENERATE") == 0) {
-				/*
-				 * Lazy cleanup.
-				 */
-				if (range != NULL)
-					isc_mem_free(mctx, range);
-				if (lhs != NULL)
-					isc_mem_free(mctx, lhs);
-				if (gtype != NULL)
-					isc_mem_free(mctx, gtype);
-				if (rhs != NULL)
-					isc_mem_free(mctx, rhs);
-				range = lhs = gtype = rhs = NULL;
-				/* RANGE */
-				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-				range = isc_mem_strdup(mctx,
-						     DNS_AS_STR(token));
-				if (range == NULL) {
-					result = ISC_R_NOMEMORY;
-					goto log_and_cleanup;
-				}
-				/* LHS */
-				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-				lhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
-				if (lhs == NULL) {
-					result = ISC_R_NOMEMORY;
-					goto log_and_cleanup;
-				}
-				rdclass = 0;
-				explicit_ttl = ISC_FALSE;
-				/* CLASS? */
-				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-				if (dns_rdataclass_fromtext(&rdclass,
-					    &token.value.as_textregion)
-						== ISC_R_SUCCESS) {
-					GETTOKEN(lctx->lex, 0, &token,
-						 ISC_FALSE);
-				}
-				/* TTL? */
-				if (dns_ttl_fromtext(&token.value.as_textregion,
-						     &lctx->ttl)
-						== ISC_R_SUCCESS) {
-					limit_ttl(callbacks, source, line,
-						  &lctx->ttl);
-					lctx->ttl_known = ISC_TRUE;
-					explicit_ttl = ISC_TRUE;
-					GETTOKEN(lctx->lex, 0, &token,
-						 ISC_FALSE);
-				}
-				/* CLASS? */
-				if (rdclass == 0 &&
-				    dns_rdataclass_fromtext(&rdclass,
-						    &token.value.as_textregion)
-						== ISC_R_SUCCESS)
-					GETTOKEN(lctx->lex, 0, &token,
-						 ISC_FALSE);
-				/* TYPE */
-				gtype = isc_mem_strdup(mctx,
-						       DNS_AS_STR(token));
-				if (gtype == NULL) {
-					result = ISC_R_NOMEMORY;
-					goto log_and_cleanup;
-				}
-				/* RHS */
-				GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING,
-					 &token, ISC_FALSE);
-				rhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
-				if (rhs == NULL) {
-					result = ISC_R_NOMEMORY;
-					goto log_and_cleanup;
-				}
-				if (!lctx->ttl_known &&
-				    !lctx->default_ttl_known) {
-					(*callbacks->error)(callbacks,
-					    "%s: %s:%lu: no TTL specified",
-					    "dns_master_load", source, line);
-					result = DNS_R_NOTTL;
-					if (MANYERRS(lctx, result)) {
-						SETRESULT(lctx, result);
-						lctx->ttl = 0;
-					} else if (result != ISC_R_SUCCESS)
-						goto insist_and_cleanup;
-				} else if (!explicit_ttl &&
-					   lctx->default_ttl_known) {
-					lctx->ttl = lctx->default_ttl;
-				}
-				/*
-				 * If the class specified does not match the
-				 * zone's class print out a error message and
-				 * exit.
-				 */
-				if (rdclass != 0 && rdclass != lctx->zclass) {
-					goto bad_class;
-				}
-				result = generate(lctx, range, lhs, gtype, rhs,
-						  source, line);
-				if (MANYERRS(lctx, result)) {
-					SETRESULT(lctx, result);
-				} else if (result != ISC_R_SUCCESS)
-					goto insist_and_cleanup;
-				EXPECTEOL;
-				continue;
-			} else if (strncasecmp(DNS_AS_STR(token),
-					       "$", 1) == 0) {
-				(callbacks->error)(callbacks,
-					   "%s: %s:%lu: "
-					   "unknown $ directive '%s'",
-					   "dns_master_load", source, line,
-					   DNS_AS_STR(token));
-				result = DNS_R_SYNTAX;
-				if (MANYERRS(lctx, result)) {
-					SETRESULT(lctx, result);
-				} else if (result != ISC_R_SUCCESS)
-					goto insist_and_cleanup;
-			}
-
-			/*
-			 * Normal processing resumes.
-			 *
-			 * Find a free name buffer.
-			 */
-			for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
-				if (!ictx->in_use[new_in_use])
-					break;
-			INSIST(new_in_use < NBUFS);
-			dns_fixedname_init(&ictx->fixed[new_in_use]);
-			new_name = dns_fixedname_name(&ictx->fixed[new_in_use]);
-			isc_buffer_init(&buffer, token.value.as_region.base,
-					token.value.as_region.length);
-			isc_buffer_add(&buffer, token.value.as_region.length);
-			isc_buffer_setactive(&buffer,
-					     token.value.as_region.length);
-			result = dns_name_fromtext(new_name, &buffer,
-					  ictx->origin, 0, NULL);
-			if (MANYERRS(lctx, result)) {
-				SETRESULT(lctx, result);
-				LOGIT(result);
-				read_till_eol = ISC_TRUE;
-				continue;
-			} else if (result != ISC_R_SUCCESS)
-				goto log_and_cleanup;
-
-			/*
-			 * Finish $ORIGIN / $INCLUDE processing if required.
-			 */
-			if (finish_origin) {
-				if (ictx->origin_in_use != -1)
-					ictx->in_use[ictx->origin_in_use] =
-						ISC_FALSE;
-				ictx->origin_in_use = new_in_use;
-				ictx->in_use[ictx->origin_in_use] = ISC_TRUE;
-				ictx->origin = new_name;
-				ictx->origin_changed = ISC_TRUE;
-				finish_origin = ISC_FALSE;
-				EXPECTEOL;
-				continue;
-			}
-			if (finish_include) {
-				finish_include = ISC_FALSE;
-				result = pushfile(include_file, new_name, lctx);
-				if (MANYERRS(lctx, result)) {
-					SETRESULT(lctx, result);
-					LOGITFILE(result, include_file);
-					continue;
-				} else if (result != ISC_R_SUCCESS) {
-					LOGITFILE(result, include_file);
-					goto insist_and_cleanup;
-				}
-				ictx = lctx->inc;
-				source = isc_lex_getsourcename(lctx->lex);
-				line = isc_lex_getsourceline(lctx->lex);
-				POST(line);
-				continue;
-			}
-
-			/*
-			 * "$" Processing Finished
-			 */
-
-			/*
-			 * If we are processing glue and the new name does
-			 * not match the current glue name, commit the glue
-			 * and pop stacks leaving us in 'normal' processing
-			 * state.  Linked lists are undone by commit().
-			 */
-			if (ictx->glue != NULL &&
-			    dns_name_compare(ictx->glue, new_name) != 0) {
-				result = commit(callbacks, lctx, &glue_list,
-						ictx->glue, source,
-						ictx->glue_line);
-				if (MANYERRS(lctx, result)) {
-					SETRESULT(lctx, result);
-				} else if (result != ISC_R_SUCCESS)
-					goto insist_and_cleanup;
-				if (ictx->glue_in_use != -1)
-					ictx->in_use[ictx->glue_in_use] =
-						ISC_FALSE;
-				ictx->glue_in_use = -1;
-				ictx->glue = NULL;
-				rdcount = rdcount_save;
-				rdlcount = rdlcount_save;
-				target = target_save;
-			}
-
-			/*
-			 * If we are in 'normal' processing state and the new
-			 * name does not match the current name, see if the
-			 * new name is for glue and treat it as such,
-			 * otherwise we have a new name so commit what we
-			 * have.
-			 */
-			if ((ictx->glue == NULL) && (ictx->current == NULL ||
-			    dns_name_compare(ictx->current, new_name) != 0)) {
-				if (current_has_delegation &&
-					is_glue(&current_list, new_name)) {
-					rdcount_save = rdcount;
-					rdlcount_save = rdlcount;
-					target_save = target;
-					ictx->glue = new_name;
-					ictx->glue_in_use = new_in_use;
-					ictx->in_use[ictx->glue_in_use] =
-						ISC_TRUE;
-				} else {
-					result = commit(callbacks, lctx,
-							&current_list,
-							ictx->current,
-							source,
-							ictx->current_line);
-					if (MANYERRS(lctx, result)) {
-						SETRESULT(lctx, result);
-					} else if (result != ISC_R_SUCCESS)
-						goto insist_and_cleanup;
-					rdcount = 0;
-					rdlcount = 0;
-					if (ictx->current_in_use != -1)
-					    ictx->in_use[ictx->current_in_use] =
-						ISC_FALSE;
-					ictx->current_in_use = new_in_use;
-					ictx->in_use[ictx->current_in_use] =
-						ISC_TRUE;
-					ictx->current = new_name;
-					current_has_delegation = ISC_FALSE;
-					isc_buffer_init(&target, target_mem,
-							target_size);
-				}
-				/*
-				 * Check for internal wildcards.
-				 */
-				if ((lctx->options & DNS_MASTER_CHECKWILDCARD)
-						 != 0)
-					check_wildcard(ictx, source, line,
-						       callbacks);
-
-			}
-			if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
-			    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
-			    (lctx->options & DNS_MASTER_KEY) == 0 &&
-			    !dns_name_issubdomain(new_name, lctx->top))
-			{
-				char namebuf[DNS_NAME_FORMATSIZE];
-				dns_name_format(new_name, namebuf,
-						sizeof(namebuf));
-				/*
-				 * Ignore out-of-zone data.
-				 */
-				(*callbacks->warn)(callbacks,
-				       "%s:%lu: "
-				       "ignoring out-of-zone data (%s)",
-				       source, line, namebuf);
-				ictx->drop = ISC_TRUE;
-			} else
-				ictx->drop = ISC_FALSE;
-		} else {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "%s:%lu: isc_lex_gettoken() returned "
-					 "unexpected token type (%d)",
-					 source, line, token.type);
-			result = ISC_R_UNEXPECTED;
-			if (MANYERRS(lctx, result)) {
-				SETRESULT(lctx, result);
-				LOGIT(result);
-				continue;
-			} else if (result != ISC_R_SUCCESS)
-				goto insist_and_cleanup;
-		}
-
-		/*
-		 * Find TTL, class and type.  Both TTL and class are optional
-		 * and may occur in any order if they exist. TTL and class
-		 * come before type which must exist.
-		 *
-		 * [<TTL>] [<class>] <type> <RDATA>
-		 * [<class>] [<TTL>] <type> <RDATA>
-		 */
-
-		type = 0;
-		rdclass = 0;
-
-		GETTOKEN(lctx->lex, 0, &token, initialws);
-
-		if (initialws) {
-			if (token.type == isc_tokentype_eol) {
-				read_till_eol = ISC_FALSE;
-				continue;		/* blank line */
-			}
-
-			if (token.type == isc_tokentype_eof) {
-				WARNUNEXPECTEDEOF(lctx->lex);
-				read_till_eol = ISC_FALSE;
-				isc_lex_ungettoken(lctx->lex, &token);
-				continue;
-			}
-
-			if (ictx->current == NULL) {
-				(*callbacks->error)(callbacks,
-					"%s:%lu: no current owner name",
-					source, line);
-				result = DNS_R_NOOWNER;
-				if (MANYERRS(lctx, result)) {
-					SETRESULT(lctx, result);
-					read_till_eol = ISC_TRUE;
-					continue;
-				} else if (result != ISC_R_SUCCESS)
-					goto insist_and_cleanup;
-			}
-
-			if (ictx->origin_changed) {
-				char cbuf[DNS_NAME_FORMATSIZE];
-				char obuf[DNS_NAME_FORMATSIZE];
-				dns_name_format(ictx->current, cbuf,
-						sizeof(cbuf));
-				dns_name_format(ictx->origin, obuf,
-						sizeof(obuf));
-				(*callbacks->warn)(callbacks,
-					"%s:%lu: record with inherited "
-					"owner (%s) immediately after "
-					"$ORIGIN (%s)", source, line,
-					cbuf, obuf);
-			}
-		}
-
-		ictx->origin_changed = ISC_FALSE;
-
-		if (dns_rdataclass_fromtext(&rdclass,
-					    &token.value.as_textregion)
-				== ISC_R_SUCCESS)
-			GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-
-		explicit_ttl = ISC_FALSE;
-		if (dns_ttl_fromtext(&token.value.as_textregion, &lctx->ttl)
-				== ISC_R_SUCCESS) {
-			limit_ttl(callbacks, source, line, &lctx->ttl);
-			explicit_ttl = ISC_TRUE;
-			lctx->ttl_known = ISC_TRUE;
-			GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-		}
-
-		if (token.type != isc_tokentype_string) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-			"isc_lex_gettoken() returned unexpected token type");
-			result = ISC_R_UNEXPECTED;
-			if (MANYERRS(lctx, result)) {
-				SETRESULT(lctx, result);
-				read_till_eol = ISC_TRUE;
-				continue;
-			} else if (result != ISC_R_SUCCESS)
-				goto insist_and_cleanup;
-		}
-
-		if (rdclass == 0 &&
-		    dns_rdataclass_fromtext(&rdclass,
-					    &token.value.as_textregion)
-				== ISC_R_SUCCESS)
-			GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-
-		if (token.type != isc_tokentype_string) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-			"isc_lex_gettoken() returned unexpected token type");
-			result = ISC_R_UNEXPECTED;
-			if (MANYERRS(lctx, result)) {
-				SETRESULT(lctx, result);
-				read_till_eol = ISC_TRUE;
-				continue;
-			} else if (result != ISC_R_SUCCESS)
-				goto insist_and_cleanup;
-		}
-
-		result = dns_rdatatype_fromtext(&type,
-						&token.value.as_textregion);
-		if (result != ISC_R_SUCCESS) {
-			(*callbacks->warn)(callbacks,
-				   "%s:%lu: unknown RR type '%.*s'",
-				   source, line,
-				   token.value.as_textregion.length,
-				   token.value.as_textregion.base);
-			if (MANYERRS(lctx, result)) {
-				SETRESULT(lctx, result);
-				read_till_eol = ISC_TRUE;
-				continue;
-			} else if (result != ISC_R_SUCCESS)
-				goto insist_and_cleanup;
-		}
-
-		/*
-		 * If the class specified does not match the zone's class
-		 * print out a error message and exit.
-		 */
-		if (rdclass != 0 && rdclass != lctx->zclass) {
-  bad_class:
-
-			dns_rdataclass_format(rdclass, classname1,
-					      sizeof(classname1));
-			dns_rdataclass_format(lctx->zclass, classname2,
-					      sizeof(classname2));
-			(*callbacks->error)(callbacks,
-					    "%s:%lu: class '%s' != "
-					    "zone class '%s'",
-					    source, line,
-					    classname1, classname2);
-			result = DNS_R_BADCLASS;
-			if (MANYERRS(lctx, result)) {
-				SETRESULT(lctx, result);
-				read_till_eol = ISC_TRUE;
-				continue;
-			} else if (result != ISC_R_SUCCESS)
-				goto insist_and_cleanup;
-		}
-
-		if (type == dns_rdatatype_ns && ictx->glue == NULL)
-			current_has_delegation = ISC_TRUE;
-
-		/*
-		 * RFC1123: MD and MF are not allowed to be loaded from
-		 * master files.
-		 */
-		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
-		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
-		    (type == dns_rdatatype_md || type == dns_rdatatype_mf)) {
-			char typename[DNS_RDATATYPE_FORMATSIZE];
-
-			result = DNS_R_OBSOLETE;
-
-			dns_rdatatype_format(type, typename, sizeof(typename));
-			(*callbacks->error)(callbacks,
-					    "%s:%lu: %s '%s': %s",
-					    source, line,
-					    "type", typename,
-					    dns_result_totext(result));
-			if (MANYERRS(lctx, result)) {
-				SETRESULT(lctx, result);
-			} else
-				goto insist_and_cleanup;
-		}
-
-		/*
-		 * Find a rdata structure.
-		 */
-		if (rdcount == rdata_size) {
-			new_rdata = grow_rdata(rdata_size + RDSZ, rdata,
-					       rdata_size, &current_list,
-					       &glue_list, mctx);
-			if (new_rdata == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto log_and_cleanup;
-			}
-			rdata_size += RDSZ;
-			rdata = new_rdata;
-		}
-
-		/*
-		 * Peek at the NS record.
-		 */
-		if (type == dns_rdatatype_ns &&
-		    lctx->zclass == dns_rdataclass_in &&
-		    (lctx->options & DNS_MASTER_CHECKNS) != 0) {
-
-			GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-			result = check_ns(lctx, &token, source, line);
-			isc_lex_ungettoken(lctx->lex, &token);
-			if ((lctx->options & DNS_MASTER_FATALNS) != 0) {
-				if (MANYERRS(lctx, result)) {
-					SETRESULT(lctx, result);
-				} else if (result != ISC_R_SUCCESS)
-					goto insist_and_cleanup;
-			}
-		}
-
-		/*
-		 * Check owner name.
-		 */
-		options &= ~DNS_RDATA_CHECKREVERSE;
-		if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0) {
-			isc_boolean_t ok;
-			dns_name_t *name;
-
-			name = (ictx->glue != NULL) ? ictx->glue :
-						      ictx->current;
-			ok = dns_rdata_checkowner(name, lctx->zclass, type,
-						  ISC_TRUE);
-			if (!ok) {
-				char namebuf[DNS_NAME_FORMATSIZE];
-				const char *desc;
-				dns_name_format(name, namebuf, sizeof(namebuf));
-				result = DNS_R_BADOWNERNAME;
-				desc = dns_result_totext(result);
-				if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0) {
-					(*callbacks->error)(callbacks,
-							    "%s:%lu: %s: %s",
-							    source, line,
-							    namebuf, desc);
-					if (MANYERRS(lctx, result)) {
-						SETRESULT(lctx, result);
-					} else if (result != ISC_R_SUCCESS)
-						goto cleanup;
-				} else {
-					(*callbacks->warn)(callbacks,
-							   "%s:%lu: %s: %s",
-							   source, line,
-							   namebuf, desc);
-				}
-			}
-			if (type == dns_rdatatype_ptr &&
-			    (dns_name_issubdomain(name, &in_addr_arpa) ||
-			     dns_name_issubdomain(name, &ip6_arpa) ||
-			     dns_name_issubdomain(name, &ip6_int)))
-				options |= DNS_RDATA_CHECKREVERSE;
-		}
-
-		/*
-		 * Read rdata contents.
-		 */
-		dns_rdata_init(&rdata[rdcount]);
-		target_ft = target;
-		result = dns_rdata_fromtext(&rdata[rdcount], lctx->zclass,
-					    type, lctx->lex, ictx->origin,
-					    options, lctx->mctx, &target,
-					    callbacks);
-		if (MANYERRS(lctx, result)) {
-			SETRESULT(lctx, result);
-			continue;
-		} else if (result != ISC_R_SUCCESS)
-			goto insist_and_cleanup;
-
-		if (ictx->drop) {
-			target = target_ft;
-			continue;
-		}
-
-		if (type == dns_rdatatype_soa &&
-		    (lctx->options & DNS_MASTER_ZONE) != 0 &&
-		    dns_name_compare(ictx->current, lctx->top) != 0) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-			dns_name_format(ictx->current, namebuf,
-					sizeof(namebuf));
-			(*callbacks->error)(callbacks, "%s:%lu: SOA "
-					    "record not at top of zone (%s)",
-					    source, line, namebuf);
-			result = DNS_R_NOTZONETOP;
-			if (MANYERRS(lctx, result)) {
-				SETRESULT(lctx, result);
-				read_till_eol = ISC_TRUE;
-				target = target_ft;
-				continue;
-			} else if (result != ISC_R_SUCCESS)
-				goto insist_and_cleanup;
-		}
-
-
-		if (type == dns_rdatatype_rrsig ||
-		    type == dns_rdatatype_sig)
-			covers = dns_rdata_covers(&rdata[rdcount]);
-		else
-			covers = 0;
-
-		if (!lctx->ttl_known && !lctx->default_ttl_known) {
-			if (type == dns_rdatatype_soa) {
-				(*callbacks->warn)(callbacks,
-						   "%s:%lu: no TTL specified; "
-						   "using SOA MINTTL instead",
-						   source, line);
-				lctx->ttl = dns_soa_getminimum(&rdata[rdcount]);
-				limit_ttl(callbacks, source, line, &lctx->ttl);
-				lctx->default_ttl = lctx->ttl;
-				lctx->default_ttl_known = ISC_TRUE;
-			} else if ((lctx->options & DNS_MASTER_HINT) != 0) {
-				/*
-				 * Zero TTL's are fine for hints.
-				 */
-				lctx->ttl = 0;
-				lctx->default_ttl = lctx->ttl;
-				lctx->default_ttl_known = ISC_TRUE;
-			} else {
-				(*callbacks->warn)(callbacks,
-						   "%s:%lu: no TTL specified; "
-						   "zone rejected",
-						   source, line);
-				result = DNS_R_NOTTL;
-				if (MANYERRS(lctx, result)) {
-					SETRESULT(lctx, result);
-					lctx->ttl = 0;
-				} else {
-					goto insist_and_cleanup;
-				}
-			}
-		} else if (!explicit_ttl && lctx->default_ttl_known) {
-			lctx->ttl = lctx->default_ttl;
-		} else if (!explicit_ttl && lctx->warn_1035) {
-			(*callbacks->warn)(callbacks,
-					   "%s:%lu: "
-					   "using RFC1035 TTL semantics",
-					   source, line);
-			lctx->warn_1035 = ISC_FALSE;
-		}
-
-		if (type == dns_rdatatype_rrsig && lctx->warn_sigexpired) {
-			dns_rdata_rrsig_t sig;
-			result = dns_rdata_tostruct(&rdata[rdcount], &sig,
-						    NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if (isc_serial_lt(sig.timeexpire, now)) {
-				(*callbacks->warn)(callbacks,
-						   "%s:%lu: "
-						   "signature has expired",
-						   source, line);
-				lctx->warn_sigexpired = ISC_FALSE;
-			}
-		}
-
-		if ((type == dns_rdatatype_sig || type == dns_rdatatype_nxt) &&
-		    lctx->warn_tcr && (lctx->options & DNS_MASTER_ZONE) != 0 &&
-		    (lctx->options & DNS_MASTER_SLAVE) == 0) {
-			(*callbacks->warn)(callbacks, "%s:%lu: old style DNSSEC "
-					   " zone detected", source, line);
-			lctx->warn_tcr = ISC_FALSE;
-		}
-
-		if ((lctx->options & DNS_MASTER_AGETTL) != 0) {
-			/*
-			 * Adjust the TTL for $DATE.  If the RR has already
-			 * expired, ignore it.
-			 */
-			if (lctx->ttl < ttl_offset)
-				continue;
-			lctx->ttl -= ttl_offset;
-		}
-
-		/*
-		 * Find type in rdatalist.
-		 * If it does not exist create new one and prepend to list
-		 * as this will minimise list traversal.
-		 */
-		if (ictx->glue != NULL)
-			this = ISC_LIST_HEAD(glue_list);
-		else
-			this = ISC_LIST_HEAD(current_list);
-
-		while (this != NULL) {
-			if (this->type == type && this->covers == covers)
-				break;
-			this = ISC_LIST_NEXT(this, link);
-		}
-
-		if (this == NULL) {
-			if (rdlcount == rdatalist_size) {
-				new_rdatalist =
-					grow_rdatalist(rdatalist_size + RDLSZ,
-						       rdatalist,
-						       rdatalist_size,
-						       &current_list,
-						       &glue_list,
-						       mctx);
-				if (new_rdatalist == NULL) {
-					result = ISC_R_NOMEMORY;
-					goto log_and_cleanup;
-				}
-				rdatalist = new_rdatalist;
-				rdatalist_size += RDLSZ;
-			}
-			this = &rdatalist[rdlcount++];
-			this->type = type;
-			this->covers = covers;
-			this->rdclass = lctx->zclass;
-			this->ttl = lctx->ttl;
-			ISC_LIST_INIT(this->rdata);
-			if (ictx->glue != NULL)
-				ISC_LIST_INITANDPREPEND(glue_list, this, link);
-			else
-				ISC_LIST_INITANDPREPEND(current_list, this,
-							link);
-		} else if (this->ttl != lctx->ttl) {
-			(*callbacks->warn)(callbacks,
-					   "%s:%lu: "
-					   "TTL set to prior TTL (%lu)",
-					   source, line, this->ttl);
-			lctx->ttl = this->ttl;
-		}
-
-		ISC_LIST_APPEND(this->rdata, &rdata[rdcount], link);
-		if (ictx->glue != NULL)
-			ictx->glue_line = line;
-		else
-			ictx->current_line = line;
-		rdcount++;
-
-		/*
-		 * We must have at least 64k as rdlen is 16 bits.
-		 * If we don't commit everything we have so far.
-		 */
-		if ((target.length - target.used) < MINTSIZ)
-			COMMITALL;
- next_line:
-		;
-	} while (!done && (lctx->loop_cnt == 0 || loop_cnt++ < lctx->loop_cnt));
-
-	/*
-	 * Commit what has not yet been committed.
-	 */
-	result = commit(callbacks, lctx, &current_list, ictx->current,
-			source, ictx->current_line);
-	if (MANYERRS(lctx, result)) {
-		SETRESULT(lctx, result);
-	} else if (result != ISC_R_SUCCESS)
-		goto insist_and_cleanup;
-	result = commit(callbacks, lctx, &glue_list, ictx->glue,
-			source, ictx->glue_line);
-	if (MANYERRS(lctx, result)) {
-		SETRESULT(lctx, result);
-	} else if (result != ISC_R_SUCCESS)
-		goto insist_and_cleanup;
-
-	if (!done) {
-		INSIST(lctx->done != NULL && lctx->task != NULL);
-		result = DNS_R_CONTINUE;
-	} else if (result == ISC_R_SUCCESS && lctx->result != ISC_R_SUCCESS) {
-		result = lctx->result;
-	} else if (result == ISC_R_SUCCESS && lctx->seen_include)
-		result = DNS_R_SEENINCLUDE;
-	goto cleanup;
-
- log_and_cleanup:
-	LOGIT(result);
-
- insist_and_cleanup:
-	INSIST(result != ISC_R_SUCCESS);
-
- cleanup:
-	while ((this = ISC_LIST_HEAD(current_list)) != NULL)
-		ISC_LIST_UNLINK(current_list, this, link);
-	while ((this = ISC_LIST_HEAD(glue_list)) != NULL)
-		ISC_LIST_UNLINK(glue_list, this, link);
-	if (rdatalist != NULL)
-		isc_mem_put(mctx, rdatalist,
-			    rdatalist_size * sizeof(*rdatalist));
-	if (rdata != NULL)
-		isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
-	if (target_mem != NULL)
-		isc_mem_put(mctx, target_mem, target_size);
-	if (include_file != NULL)
-		isc_mem_free(mctx, include_file);
-	if (range != NULL)
-		isc_mem_free(mctx, range);
-	if (lhs != NULL)
-		isc_mem_free(mctx, lhs);
-	if (gtype != NULL)
-		isc_mem_free(mctx, gtype);
-	if (rhs != NULL)
-		isc_mem_free(mctx, rhs);
-	return (result);
-}
-
-static isc_result_t
-pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
-	isc_result_t result;
-	dns_incctx_t *ictx;
-	dns_incctx_t *new = NULL;
-	isc_region_t r;
-	int new_in_use;
-
-	REQUIRE(master_file != NULL);
-	REQUIRE(DNS_LCTX_VALID(lctx));
-
-	ictx = lctx->inc;
-	lctx->seen_include = ISC_TRUE;
-
-	result = incctx_create(lctx->mctx, origin, &new);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/* Set current domain. */
-	if (ictx->glue != NULL || ictx->current != NULL) {
-		for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
-			if (!new->in_use[new_in_use])
-				break;
-		INSIST(new_in_use < NBUFS);
-		new->current_in_use = new_in_use;
-		new->current =
-			dns_fixedname_name(&new->fixed[new->current_in_use]);
-		new->in_use[new->current_in_use] = ISC_TRUE;
-		dns_name_toregion((ictx->glue != NULL) ?
-				   ictx->glue : ictx->current, &r);
-		dns_name_fromregion(new->current, &r);
-		new->drop = ictx->drop;
-	}
-
-	result = (lctx->openfile)(lctx, master_file);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	new->parent = ictx;
-	lctx->inc = new;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (new != NULL)
-		incctx_destroy(lctx->mctx, new);
-	return (result);
-}
-
-static inline isc_result_t
-read_and_check(isc_boolean_t do_read, isc_buffer_t *buffer,
-	       size_t len, FILE *f)
-{
-	isc_result_t result;
-
-	if (do_read) {
-		INSIST(isc_buffer_availablelength(buffer) >= len);
-		result = isc_stdio_read(isc_buffer_used(buffer), 1, len,
-					f, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		isc_buffer_add(buffer, len);
-	} else if (isc_buffer_remaininglength(buffer) < len)
-		return (ISC_R_RANGE);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-load_raw(dns_loadctx_t *lctx) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t done = ISC_FALSE;
-	unsigned int loop_cnt = 0;
-	dns_rdatacallbacks_t *callbacks;
-	unsigned char namebuf[DNS_NAME_MAXWIRE];
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	rdatalist_head_t head, dummy;
-	dns_rdatalist_t rdatalist;
-	isc_mem_t *mctx = lctx->mctx;
-	dns_rdata_t *rdata = NULL;
-	unsigned int rdata_size = 0;
-	int target_size = TSIZ;
-	isc_buffer_t target, buf;
-	unsigned char *target_mem = NULL;
-	dns_masterrawheader_t header;
-	dns_decompress_t dctx;
-
-	REQUIRE(DNS_LCTX_VALID(lctx));
-	callbacks = lctx->callbacks;
-	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
-
-	dns_master_initrawheader(&header);
-
-	if (lctx->first) {
-		unsigned char data[sizeof(header)];
-		size_t commonlen =
-			sizeof(header.format) + sizeof(header.version);
-		size_t remainder;
-
-		INSIST(commonlen <= sizeof(header));
-		isc_buffer_init(&target, data, sizeof(data));
-
-		result = isc_stdio_read(data, 1, commonlen, lctx->f, NULL);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_stdio_read failed: %s",
-					 isc_result_totext(result));
-			return (result);
-		}
-		isc_buffer_add(&target, commonlen);
-		header.format = isc_buffer_getuint32(&target);
-		if (header.format != dns_masterformat_raw) {
-			(*callbacks->error)(callbacks,
-					    "dns_master_load: "
-					    "file format mismatch");
-			return (ISC_R_NOTIMPLEMENTED);
-		}
-
-		header.version = isc_buffer_getuint32(&target);
-		switch (header.version) {
-		case 0:
-			remainder = sizeof(header.dumptime);
-			break;
-		case DNS_RAWFORMAT_VERSION:
-			remainder = sizeof(header) - commonlen;
-			break;
-		default:
-			(*callbacks->error)(callbacks,
-					    "dns_master_load: "
-					    "unsupported file format version");
-			return (ISC_R_NOTIMPLEMENTED);
-		}
-
-		result = isc_stdio_read(data + commonlen, 1, remainder,
-					lctx->f, NULL);
-		if (result != ISC_R_SUCCESS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_stdio_read failed: %s",
-					 isc_result_totext(result));
-			return (result);
-		}
-
-		isc_buffer_add(&target, remainder);
-		header.dumptime = isc_buffer_getuint32(&target);
-		if (header.version == DNS_RAWFORMAT_VERSION) {
-			header.flags = isc_buffer_getuint32(&target);
-			header.sourceserial = isc_buffer_getuint32(&target);
-			header.lastxfrin = isc_buffer_getuint32(&target);
-		}
-
-		lctx->first = ISC_FALSE;
-		lctx->header = header;
-	}
-
-	ISC_LIST_INIT(head);
-	ISC_LIST_INIT(dummy);
-	dns_rdatalist_init(&rdatalist);
-
-	/*
-	 * Allocate target_size of buffer space.  This is greater than twice
-	 * the maximum individual RR data size.
-	 */
-	target_mem = isc_mem_get(mctx, target_size);
-	if (target_mem == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	isc_buffer_init(&target, target_mem, target_size);
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-
-	/*
-	 * In the following loop, we regard any error fatal regardless of
-	 * whether "MANYERRORS" is set in the context option.  This is because
-	 * normal errors should already have been checked at creation time.
-	 * Besides, it is very unlikely that we can recover from an error
-	 * in this format, and so trying to continue parsing erroneous data
-	 * does not really make sense.
-	 */
-	for (loop_cnt = 0;
-	     (lctx->loop_cnt == 0 || loop_cnt < lctx->loop_cnt);
-	     loop_cnt++) {
-		unsigned int i, rdcount;
-		isc_uint16_t namelen;
-		isc_uint32_t totallen;
-		size_t minlen, readlen;
-		isc_boolean_t sequential_read = ISC_FALSE;
-
-		/* Read the data length */
-		isc_buffer_clear(&target);
-		INSIST(isc_buffer_availablelength(&target) >=
-		       sizeof(totallen));
-		result = isc_stdio_read(target.base, 1, sizeof(totallen),
-					lctx->f, NULL);
-		if (result == ISC_R_EOF) {
-			result = ISC_R_SUCCESS;
-			done = ISC_TRUE;
-			break;
-		}
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		isc_buffer_add(&target, sizeof(totallen));
-		totallen = isc_buffer_getuint32(&target);
-		/*
-		 * Validation: the input data must at least contain the common
-		 * header.
-		 */
-		minlen = sizeof(totallen) + sizeof(isc_uint16_t) +
-			sizeof(isc_uint16_t) + sizeof(isc_uint16_t) +
-			sizeof(isc_uint32_t) + sizeof(isc_uint32_t);
-		if (totallen < minlen) {
-			result = ISC_R_RANGE;
-			goto cleanup;
-		}
-		totallen -= sizeof(totallen);
-
-		isc_buffer_clear(&target);
-		if (totallen > isc_buffer_availablelength(&target)) {
-			/*
-			 * The default buffer size should typically be large
-			 * enough to store the entire RRset.  We could try to
-			 * allocate enough space if this is not the case, but
-			 * it might cause a hazardous result when "totallen"
-			 * is forged.  Thus, we'd rather take an inefficient
-			 * but robust approach in this atypical case: read
-			 * data step by step, and commit partial data when
-			 * necessary.  Note that the buffer must be large
-			 * enough to store the "header part", owner name, and
-			 * at least one rdata (however large it is).
-			 */
-			sequential_read = ISC_TRUE;
-			readlen = minlen - sizeof(totallen);
-		} else {
-			/*
-			 * Typical case.  We can read the whole RRset at once
-			 * with the default buffer.
-			 */
-			readlen = totallen;
-		}
-		result = isc_stdio_read(target.base, 1, readlen,
-					lctx->f, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		isc_buffer_add(&target, readlen);
-
-		/* Construct RRset headers */
-		rdatalist.rdclass = isc_buffer_getuint16(&target);
-		rdatalist.type = isc_buffer_getuint16(&target);
-		rdatalist.covers = isc_buffer_getuint16(&target);
-		rdatalist.ttl =  isc_buffer_getuint32(&target);
-		rdcount = isc_buffer_getuint32(&target);
-		if (rdcount == 0) {
-			result = ISC_R_RANGE;
-			goto cleanup;
-		}
-		INSIST(isc_buffer_consumedlength(&target) <= readlen);
-
-		/* Owner name: length followed by name */
-		result = read_and_check(sequential_read, &target,
-					sizeof(namelen), lctx->f);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		namelen = isc_buffer_getuint16(&target);
-		if (namelen > sizeof(namebuf)) {
-			result = ISC_R_RANGE;
-			goto cleanup;
-		}
-
-		result = read_and_check(sequential_read, &target, namelen,
-					lctx->f);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		isc_buffer_setactive(&target, (unsigned int)namelen);
-		result = dns_name_fromwire(name, &target, &dctx, 0, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		/* Rdata contents. */
-		if (rdcount > rdata_size) {
-			dns_rdata_t *new_rdata = NULL;
-
-			new_rdata = grow_rdata(rdcount + RDSZ, rdata,
-					       rdata_size, &head,
-					       &dummy, mctx);
-			if (new_rdata == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-			rdata_size = rdcount + RDSZ;
-			rdata = new_rdata;
-		}
-
-	continue_read:
-		for (i = 0; i < rdcount; i++) {
-			isc_uint16_t rdlen;
-
-			dns_rdata_init(&rdata[i]);
-
-			if (sequential_read &&
-			    isc_buffer_availablelength(&target) < MINTSIZ) {
-				unsigned int j;
-
-				INSIST(i > 0); /* detect an infinite loop */
-
-				/* Partial Commit. */
-				ISC_LIST_APPEND(head, &rdatalist, link);
-				result = commit(callbacks, lctx, &head, name,
-						NULL, 0);
-				for (j = 0; j < i; j++) {
-					ISC_LIST_UNLINK(rdatalist.rdata,
-							&rdata[j], link);
-					dns_rdata_reset(&rdata[j]);
-				}
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-
-				/* Rewind the buffer and continue */
-				isc_buffer_clear(&target);
-
-				rdcount -= i;
-
-				goto continue_read;
-			}
-
-			/* rdata length */
-			result = read_and_check(sequential_read, &target,
-						sizeof(rdlen), lctx->f);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			rdlen = isc_buffer_getuint16(&target);
-
-			/* rdata */
-			result = read_and_check(sequential_read, &target,
-						rdlen, lctx->f);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			isc_buffer_setactive(&target, (unsigned int)rdlen);
-			/*
-			 * It is safe to have the source active region and
-			 * the target available region be the same if
-			 * decompression is disabled (see dctx above) and we
-			 * are not downcasing names (options == 0).
-			 */
-			isc_buffer_init(&buf, isc_buffer_current(&target),
-					(unsigned int)rdlen);
-			result = dns_rdata_fromwire(&rdata[i],
-						    rdatalist.rdclass,
-						    rdatalist.type, &target,
-						    &dctx, 0, &buf);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			ISC_LIST_APPEND(rdatalist.rdata, &rdata[i], link);
-		}
-
-		/*
-		 * Sanity check.  Still having remaining space is not
-		 * necessarily critical, but it very likely indicates broken
-		 * or malformed data.
-		 */
-		if (isc_buffer_remaininglength(&target) != 0) {
-			result = ISC_R_RANGE;
-			goto cleanup;
-		}
-
-		ISC_LIST_APPEND(head, &rdatalist, link);
-
-		/* Commit this RRset.  rdatalist will be unlinked. */
-		result = commit(callbacks, lctx, &head, name, NULL, 0);
-
-		for (i = 0; i < rdcount; i++) {
-			ISC_LIST_UNLINK(rdatalist.rdata, &rdata[i], link);
-			dns_rdata_reset(&rdata[i]);
-		}
-
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	if (!done) {
-		INSIST(lctx->done != NULL && lctx->task != NULL);
-		result = DNS_R_CONTINUE;
-	} else if (result == ISC_R_SUCCESS && lctx->result != ISC_R_SUCCESS)
-		result = lctx->result;
-
-	if (result == ISC_R_SUCCESS && callbacks->rawdata != NULL)
-		(*callbacks->rawdata)(callbacks->zone, &header);
-
- cleanup:
-	if (rdata != NULL)
-		isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
-	if (target_mem != NULL)
-		isc_mem_put(mctx, target_mem, target_size);
-	if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE) {
-		(*callbacks->error)(callbacks, "dns_master_load: %s",
-				    dns_result_totext(result));
-	}
-
-	return (result);
-}
-
-isc_result_t
-dns_master_loadfile(const char *master_file, dns_name_t *top,
-		    dns_name_t *origin,
-		    dns_rdataclass_t zclass, unsigned int options,
-		    dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
-{
-	return (dns_master_loadfile3(master_file, top, origin, zclass, options,
-				     0, callbacks, mctx, dns_masterformat_text));
-}
-
-isc_result_t
-dns_master_loadfile2(const char *master_file, dns_name_t *top,
-		     dns_name_t *origin,
-		     dns_rdataclass_t zclass, unsigned int options,
-		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx,
-		     dns_masterformat_t format)
-{
-	return (dns_master_loadfile3(master_file, top, origin, zclass, options,
-				     0, callbacks, mctx, format));
-}
-
-isc_result_t
-dns_master_loadfile3(const char *master_file, dns_name_t *top,
-		     dns_name_t *origin, dns_rdataclass_t zclass,
-		     unsigned int options, isc_uint32_t resign,
-		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx,
-		     dns_masterformat_t format)
-{
-	dns_loadctx_t *lctx = NULL;
-	isc_result_t result;
-
-	result = loadctx_create(format, mctx, options, resign, top, zclass,
-				origin, callbacks, NULL, NULL, NULL, NULL,
-				&lctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = (lctx->openfile)(lctx, master_file);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = (lctx->load)(lctx);
-	INSIST(result != DNS_R_CONTINUE);
-
- cleanup:
-	dns_loadctx_detach(&lctx);
-	return (result);
-}
-
-isc_result_t
-dns_master_loadfileinc(const char *master_file, dns_name_t *top,
-		       dns_name_t *origin, dns_rdataclass_t zclass,
-		       unsigned int options, dns_rdatacallbacks_t *callbacks,
-		       isc_task_t *task, dns_loaddonefunc_t done,
-		       void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx)
-{
-	return (dns_master_loadfileinc3(master_file, top, origin, zclass,
-					options, 0, callbacks, task, done,
-					done_arg, lctxp, mctx,
-					dns_masterformat_text));
-}
-
-isc_result_t
-dns_master_loadfileinc2(const char *master_file, dns_name_t *top,
-			dns_name_t *origin, dns_rdataclass_t zclass,
-			unsigned int options, dns_rdatacallbacks_t *callbacks,
-			isc_task_t *task, dns_loaddonefunc_t done,
-			void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx,
-			dns_masterformat_t format)
-{
-	return (dns_master_loadfileinc3(master_file, top, origin, zclass,
-					options, 0, callbacks, task, done,
-					done_arg, lctxp, mctx, format));
-}
-
-isc_result_t
-dns_master_loadfileinc3(const char *master_file, dns_name_t *top,
-			dns_name_t *origin, dns_rdataclass_t zclass,
-			unsigned int options, isc_uint32_t resign,
-			dns_rdatacallbacks_t *callbacks, isc_task_t *task,
-			dns_loaddonefunc_t done, void *done_arg,
-			dns_loadctx_t **lctxp, isc_mem_t *mctx,
-			dns_masterformat_t format)
-{
-	dns_loadctx_t *lctx = NULL;
-	isc_result_t result;
-
-	REQUIRE(task != NULL);
-	REQUIRE(done != NULL);
-
-	result = loadctx_create(format, mctx, options, resign, top, zclass,
-				origin, callbacks, task, done, done_arg, NULL,
-				&lctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = (lctx->openfile)(lctx, master_file);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = task_send(lctx);
-	if (result == ISC_R_SUCCESS) {
-		dns_loadctx_attach(lctx, lctxp);
-		return (DNS_R_CONTINUE);
-	}
-
- cleanup:
-	dns_loadctx_detach(&lctx);
-	return (result);
-}
-
-isc_result_t
-dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
-		      dns_rdataclass_t zclass, unsigned int options,
-		      dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_loadctx_t *lctx = NULL;
-
-	REQUIRE(stream != NULL);
-
-	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
-				zclass, origin, callbacks, NULL, NULL, NULL,
-				NULL, &lctx);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = isc_lex_openstream(lctx->lex, stream);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = (lctx->load)(lctx);
-	INSIST(result != DNS_R_CONTINUE);
-
- cleanup:
-	if (lctx != NULL)
-		dns_loadctx_detach(&lctx);
-	return (result);
-}
-
-isc_result_t
-dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
-			 dns_rdataclass_t zclass, unsigned int options,
-			 dns_rdatacallbacks_t *callbacks, isc_task_t *task,
-			 dns_loaddonefunc_t done, void *done_arg,
-			 dns_loadctx_t **lctxp, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_loadctx_t *lctx = NULL;
-
-	REQUIRE(stream != NULL);
-	REQUIRE(task != NULL);
-	REQUIRE(done != NULL);
-
-	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
-				zclass, origin, callbacks, task, done,
-				done_arg, NULL, &lctx);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = isc_lex_openstream(lctx->lex, stream);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = task_send(lctx);
-	if (result == ISC_R_SUCCESS) {
-		dns_loadctx_attach(lctx, lctxp);
-		return (DNS_R_CONTINUE);
-	}
-
- cleanup:
-	if (lctx != NULL)
-		dns_loadctx_detach(&lctx);
-	return (result);
-}
-
-isc_result_t
-dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top,
-		      dns_name_t *origin, dns_rdataclass_t zclass,
-		      unsigned int options,
-		      dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_loadctx_t *lctx = NULL;
-
-	REQUIRE(buffer != NULL);
-
-	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
-				zclass, origin, callbacks, NULL, NULL, NULL,
-				NULL, &lctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = isc_lex_openbuffer(lctx->lex, buffer);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = (lctx->load)(lctx);
-	INSIST(result != DNS_R_CONTINUE);
-
- cleanup:
-	dns_loadctx_detach(&lctx);
-	return (result);
-}
-
-isc_result_t
-dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
-			 dns_name_t *origin, dns_rdataclass_t zclass,
-			 unsigned int options,
-			 dns_rdatacallbacks_t *callbacks, isc_task_t *task,
-			 dns_loaddonefunc_t done, void *done_arg,
-			 dns_loadctx_t **lctxp, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_loadctx_t *lctx = NULL;
-
-	REQUIRE(buffer != NULL);
-	REQUIRE(task != NULL);
-	REQUIRE(done != NULL);
-
-	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
-				zclass, origin, callbacks, task, done,
-				done_arg, NULL, &lctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = isc_lex_openbuffer(lctx->lex, buffer);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = task_send(lctx);
-	if (result == ISC_R_SUCCESS) {
-		dns_loadctx_attach(lctx, lctxp);
-		return (DNS_R_CONTINUE);
-	}
-
- cleanup:
-	dns_loadctx_detach(&lctx);
-	return (result);
-}
-
-isc_result_t
-dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top,
-		     dns_name_t *origin, dns_rdataclass_t zclass,
-		     unsigned int options,
-		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_loadctx_t *lctx = NULL;
-
-	REQUIRE(lex != NULL);
-
-	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
-				zclass, origin, callbacks, NULL, NULL, NULL,
-				lex, &lctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = (lctx->load)(lctx);
-	INSIST(result != DNS_R_CONTINUE);
-
-	dns_loadctx_detach(&lctx);
-	return (result);
-}
-
-isc_result_t
-dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top,
-			dns_name_t *origin, dns_rdataclass_t zclass,
-			unsigned int options,
-			dns_rdatacallbacks_t *callbacks, isc_task_t *task,
-			dns_loaddonefunc_t done, void *done_arg,
-			dns_loadctx_t **lctxp, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_loadctx_t *lctx = NULL;
-
-	REQUIRE(lex != NULL);
-	REQUIRE(task != NULL);
-	REQUIRE(done != NULL);
-
-	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
-				zclass, origin, callbacks, task, done,
-				done_arg, lex, &lctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = task_send(lctx);
-	if (result == ISC_R_SUCCESS) {
-		dns_loadctx_attach(lctx, lctxp);
-		return (DNS_R_CONTINUE);
-	}
-
-	dns_loadctx_detach(&lctx);
-	return (result);
-}
-
-/*
- * Grow the slab of dns_rdatalist_t structures.
- * Re-link glue and current list.
- */
-static dns_rdatalist_t *
-grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len,
-	       rdatalist_head_t *current, rdatalist_head_t *glue,
-	       isc_mem_t *mctx)
-{
-	dns_rdatalist_t *new;
-	int rdlcount = 0;
-	ISC_LIST(dns_rdatalist_t) save;
-	dns_rdatalist_t *this;
-
-	new = isc_mem_get(mctx, new_len * sizeof(*new));
-	if (new == NULL)
-		return (NULL);
-
-	ISC_LIST_INIT(save);
-	while ((this = ISC_LIST_HEAD(*current)) != NULL) {
-		ISC_LIST_UNLINK(*current, this, link);
-		ISC_LIST_APPEND(save, this, link);
-	}
-	while ((this = ISC_LIST_HEAD(save)) != NULL) {
-		ISC_LIST_UNLINK(save, this, link);
-		INSIST(rdlcount < new_len);
-		new[rdlcount] = *this;
-		ISC_LIST_APPEND(*current, &new[rdlcount], link);
-		rdlcount++;
-	}
-
-	ISC_LIST_INIT(save);
-	while ((this = ISC_LIST_HEAD(*glue)) != NULL) {
-		ISC_LIST_UNLINK(*glue, this, link);
-		ISC_LIST_APPEND(save, this, link);
-	}
-	while ((this = ISC_LIST_HEAD(save)) != NULL) {
-		ISC_LIST_UNLINK(save, this, link);
-		INSIST(rdlcount < new_len);
-		new[rdlcount] = *this;
-		ISC_LIST_APPEND(*glue, &new[rdlcount], link);
-		rdlcount++;
-	}
-
-	INSIST(rdlcount == old_len);
-	if (old != NULL)
-		isc_mem_put(mctx, old, old_len * sizeof(*old));
-	return (new);
-}
-
-/*
- * Grow the slab of rdata structs.
- * Re-link the current and glue chains.
- */
-static dns_rdata_t *
-grow_rdata(int new_len, dns_rdata_t *old, int old_len,
-	   rdatalist_head_t *current, rdatalist_head_t *glue,
-	   isc_mem_t *mctx)
-{
-	dns_rdata_t *new;
-	int rdcount = 0;
-	ISC_LIST(dns_rdata_t) save;
-	dns_rdatalist_t *this;
-	dns_rdata_t *rdata;
-
-	new = isc_mem_get(mctx, new_len * sizeof(*new));
-	if (new == NULL)
-		return (NULL);
-	memset(new, 0, new_len * sizeof(*new));
-
-	/*
-	 * Copy current relinking.
-	 */
-	this = ISC_LIST_HEAD(*current);
-	while (this != NULL) {
-		ISC_LIST_INIT(save);
-		while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
-			ISC_LIST_UNLINK(this->rdata, rdata, link);
-			ISC_LIST_APPEND(save, rdata, link);
-		}
-		while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
-			ISC_LIST_UNLINK(save, rdata, link);
-			INSIST(rdcount < new_len);
-			new[rdcount] = *rdata;
-			ISC_LIST_APPEND(this->rdata, &new[rdcount], link);
-			rdcount++;
-		}
-		this = ISC_LIST_NEXT(this, link);
-	}
-
-	/*
-	 * Copy glue relinking.
-	 */
-	this = ISC_LIST_HEAD(*glue);
-	while (this != NULL) {
-		ISC_LIST_INIT(save);
-		while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
-			ISC_LIST_UNLINK(this->rdata, rdata, link);
-			ISC_LIST_APPEND(save, rdata, link);
-		}
-		while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
-			ISC_LIST_UNLINK(save, rdata, link);
-			INSIST(rdcount < new_len);
-			new[rdcount] = *rdata;
-			ISC_LIST_APPEND(this->rdata, &new[rdcount], link);
-			rdcount++;
-		}
-		this = ISC_LIST_NEXT(this, link);
-	}
-	INSIST(rdcount == old_len || rdcount == 0);
-	if (old != NULL)
-		isc_mem_put(mctx, old, old_len * sizeof(*old));
-	return (new);
-}
-
-static isc_uint32_t
-resign_fromlist(dns_rdatalist_t *this, isc_uint32_t resign) {
-	dns_rdata_t *rdata;
-	dns_rdata_rrsig_t sig;
-	isc_uint32_t when;
-
-	rdata = ISC_LIST_HEAD(this->rdata);
-	INSIST(rdata != NULL);
-	(void)dns_rdata_tostruct(rdata, &sig, NULL);
-	when = sig.timeexpire - resign;
-
-	rdata = ISC_LIST_NEXT(rdata, link);
-	while (rdata != NULL) {
-		(void)dns_rdata_tostruct(rdata, &sig, NULL);
-		if (sig.timeexpire - resign < when)
-			when = sig.timeexpire - resign;
-		rdata = ISC_LIST_NEXT(rdata, link);
-	}
-	return (when);
-}
-
-/*
- * Convert each element from a rdatalist_t to rdataset then call commit.
- * Unlink each element as we go.
- */
-
-static isc_result_t
-commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
-       rdatalist_head_t *head, dns_name_t *owner,
-       const char *source, unsigned int line)
-{
-	dns_rdatalist_t *this;
-	dns_rdataset_t dataset;
-	isc_result_t result;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	void    (*error)(struct dns_rdatacallbacks *, const char *, ...);
-
-	this = ISC_LIST_HEAD(*head);
-	error = callbacks->error;
-
-	if (this == NULL)
-		return (ISC_R_SUCCESS);
-	do {
-		dns_rdataset_init(&dataset);
-		RUNTIME_CHECK(dns_rdatalist_tordataset(this, &dataset)
-			      == ISC_R_SUCCESS);
-		dataset.trust = dns_trust_ultimate;
-		/*
-		 * If this is a secure dynamic zone set the re-signing time.
-		 */
-		if (dataset.type == dns_rdatatype_rrsig &&
-		    (lctx->options & DNS_MASTER_RESIGN) != 0) {
-			dataset.attributes |= DNS_RDATASETATTR_RESIGN;
-			dns_name_format(owner, namebuf, sizeof(namebuf));
-			dataset.resign = resign_fromlist(this, lctx->resign);
-		}
-		result = ((*callbacks->add)(callbacks->add_private, owner,
-					    &dataset));
-		if (result == ISC_R_NOMEMORY) {
-			(*error)(callbacks, "dns_master_load: %s",
-				 dns_result_totext(result));
-		} else if (result != ISC_R_SUCCESS) {
-			dns_name_format(owner, namebuf, sizeof(namebuf));
-			if (source != NULL) {
-				(*error)(callbacks, "%s: %s:%lu: %s: %s",
-					 "dns_master_load", source, line,
-					 namebuf, dns_result_totext(result));
-			} else {
-				(*error)(callbacks, "%s: %s: %s",
-					 "dns_master_load", namebuf,
-					 dns_result_totext(result));
-			}
-		}
-		if (MANYERRS(lctx, result))
-			SETRESULT(lctx, result);
-		else if (result != ISC_R_SUCCESS)
-			return (result);
-		ISC_LIST_UNLINK(*head, this, link);
-		this = ISC_LIST_HEAD(*head);
-	} while (this != NULL);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Returns ISC_TRUE if one of the NS rdata's contains 'owner'.
- */
-
-static isc_boolean_t
-is_glue(rdatalist_head_t *head, dns_name_t *owner) {
-	dns_rdatalist_t *this;
-	dns_rdata_t *rdata;
-	isc_region_t region;
-	dns_name_t name;
-
-	/*
-	 * Find NS rrset.
-	 */
-	this = ISC_LIST_HEAD(*head);
-	while (this != NULL) {
-		if (this->type == dns_rdatatype_ns)
-			break;
-		this = ISC_LIST_NEXT(this, link);
-	}
-	if (this == NULL)
-		return (ISC_FALSE);
-
-	rdata = ISC_LIST_HEAD(this->rdata);
-	while (rdata != NULL) {
-		dns_name_init(&name, NULL);
-		dns_rdata_toregion(rdata, &region);
-		dns_name_fromregion(&name, &region);
-		if (dns_name_compare(&name, owner) == 0)
-			return (ISC_TRUE);
-		rdata = ISC_LIST_NEXT(rdata, link);
-	}
-	return (ISC_FALSE);
-}
-
-static void
-load_quantum(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	dns_loadctx_t *lctx;
-
-	REQUIRE(event != NULL);
-	lctx = event->ev_arg;
-	REQUIRE(DNS_LCTX_VALID(lctx));
-
-	if (lctx->canceled)
-		result = ISC_R_CANCELED;
-	else
-		result = (lctx->load)(lctx);
-	if (result == DNS_R_CONTINUE) {
-		event->ev_arg = lctx;
-		isc_task_send(task, &event);
-	} else {
-		(lctx->done)(lctx->done_arg, result);
-		isc_event_free(&event);
-		dns_loadctx_detach(&lctx);
-	}
-}
-
-static isc_result_t
-task_send(dns_loadctx_t *lctx) {
-	isc_event_t *event;
-
-	event = isc_event_allocate(lctx->mctx, NULL,
-				   DNS_EVENT_MASTERQUANTUM,
-				   load_quantum, lctx, sizeof(*event));
-	if (event == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_task_send(lctx->task, &event);
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_loadctx_cancel(dns_loadctx_t *lctx) {
-	REQUIRE(DNS_LCTX_VALID(lctx));
-
-	LOCK(&lctx->lock);
-	lctx->canceled = ISC_TRUE;
-	UNLOCK(&lctx->lock);
-}
-
-void
-dns_master_initrawheader(dns_masterrawheader_t *header) {
-	memset(header, 0, sizeof(dns_masterrawheader_t));
-}
diff --git a/contrib/bind9/lib/dns/masterdump.c b/contrib/bind9/lib/dns/masterdump.c
deleted file mode 100644
index 2717658..0000000
--- a/contrib/bind9/lib/dns/masterdump.c
+++ /dev/null
@@ -1,1912 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/event.h>
-#include <isc/file.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/lib.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/ncache.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/time.h>
-#include <dns/ttl.h>
-
-#define DNS_DCTX_MAGIC		ISC_MAGIC('D', 'c', 't', 'x')
-#define DNS_DCTX_VALID(d)	ISC_MAGIC_VALID(d, DNS_DCTX_MAGIC)
-
-#define RETERR(x) do { \
-	isc_result_t _r = (x); \
-	if (_r != ISC_R_SUCCESS) \
-		return (_r); \
-	} while (0)
-
-#define CHECK(x) do { \
-	if ((x) != ISC_R_SUCCESS) \
-		goto cleanup; \
-	} while (0)
-
-struct dns_master_style {
-	unsigned int flags;		/* DNS_STYLEFLAG_* */
-	unsigned int ttl_column;
-	unsigned int class_column;
-	unsigned int type_column;
-	unsigned int rdata_column;
-	unsigned int line_length;
-	unsigned int tab_width;
-	unsigned int split_width;
-};
-
-/*%
- * The maximum length of the newline+indentation that is output
- * when inserting a line break in an RR.  This effectively puts an
- * upper limits on the value of "rdata_column", because if it is
- * very large, the tabs and spaces needed to reach it will not fit.
- */
-#define DNS_TOTEXT_LINEBREAK_MAXLEN 100
-
-/*%
- * Context structure for a masterfile dump in progress.
- */
-typedef struct dns_totext_ctx {
-	dns_master_style_t	style;
-	isc_boolean_t 		class_printed;
-	char *			linebreak;
-	char 			linebreak_buf[DNS_TOTEXT_LINEBREAK_MAXLEN];
-	dns_name_t *		origin;
-	dns_name_t *		neworigin;
-	dns_fixedname_t		origin_fixname;
-	isc_uint32_t 		current_ttl;
-	isc_boolean_t 		current_ttl_valid;
-} dns_totext_ctx_t;
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_default = {
-	DNS_STYLEFLAG_OMIT_OWNER |
-	DNS_STYLEFLAG_OMIT_CLASS |
-	DNS_STYLEFLAG_REL_OWNER |
-	DNS_STYLEFLAG_REL_DATA |
-	DNS_STYLEFLAG_OMIT_TTL |
-	DNS_STYLEFLAG_TTL |
-	DNS_STYLEFLAG_COMMENT |
-	DNS_STYLEFLAG_RRCOMMENT |
-	DNS_STYLEFLAG_MULTILINE,
-	24, 24, 24, 32, 80, 8, UINT_MAX
-};
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_full = {
-	DNS_STYLEFLAG_COMMENT |
-	DNS_STYLEFLAG_RESIGN,
-	46, 46, 46, 64, 120, 8, UINT_MAX
-};
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_explicitttl = {
-	DNS_STYLEFLAG_OMIT_OWNER |
-	DNS_STYLEFLAG_OMIT_CLASS |
-	DNS_STYLEFLAG_REL_OWNER |
-	DNS_STYLEFLAG_REL_DATA |
-	DNS_STYLEFLAG_COMMENT |
-	DNS_STYLEFLAG_RRCOMMENT |
-	DNS_STYLEFLAG_MULTILINE,
-	24, 32, 32, 40, 80, 8, UINT_MAX
-};
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_cache = {
-	DNS_STYLEFLAG_OMIT_OWNER |
-	DNS_STYLEFLAG_OMIT_CLASS |
-	DNS_STYLEFLAG_MULTILINE |
-	DNS_STYLEFLAG_TRUST |
-	DNS_STYLEFLAG_NCACHE,
-	24, 32, 32, 40, 80, 8, UINT_MAX
-};
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_simple = {
-	0,
-	24, 32, 32, 40, 80, 8, UINT_MAX
-};
-
-/*%
- * A style suitable for dns_rdataset_totext().
- */
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_debug = {
-	DNS_STYLEFLAG_REL_OWNER,
-	24, 32, 40, 48, 80, 8, UINT_MAX
-};
-
-
-#define N_SPACES 10
-static char spaces[N_SPACES+1] = "          ";
-
-#define N_TABS 10
-static char tabs[N_TABS+1] = "\t\t\t\t\t\t\t\t\t\t";
-
-#ifdef BIND9
-struct dns_dumpctx {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	isc_mutex_t		lock;
-	unsigned int		references;
-	isc_boolean_t		canceled;
-	isc_boolean_t		first;
-	isc_boolean_t		do_date;
-	isc_stdtime_t		now;
-	FILE			*f;
-	dns_db_t		*db;
-	dns_dbversion_t		*version;
-	dns_dbiterator_t	*dbiter;
-	dns_totext_ctx_t	tctx;
-	isc_task_t		*task;
-	dns_dumpdonefunc_t	done;
-	void			*done_arg;
-	unsigned int		nodes;
-	/* dns_master_dumpinc() */
-	char			*file;
-	char 			*tmpfile;
-	dns_masterformat_t	format;
-	dns_masterrawheader_t	header;
-	isc_result_t		(*dumpsets)(isc_mem_t *mctx, dns_name_t *name,
-					    dns_rdatasetiter_t *rdsiter,
-					    dns_totext_ctx_t *ctx,
-					    isc_buffer_t *buffer, FILE *f);
-};
-#endif /* BIND9 */
-
-#define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
-
-/*%
- * Output tabs and spaces to go from column '*current' to
- * column 'to', and update '*current' to reflect the new
- * current column.
- */
-static isc_result_t
-indent(unsigned int *current, unsigned int to, int tabwidth,
-       isc_buffer_t *target)
-{
-	isc_region_t r;
-	unsigned char *p;
-	unsigned int from;
-	int ntabs, nspaces, t;
-
-	from = *current;
-
-	if (to < from + 1)
-		to = from + 1;
-
-	ntabs = to / tabwidth - from / tabwidth;
-	if (ntabs < 0)
-		ntabs = 0;
-
-	if (ntabs > 0) {
-		isc_buffer_availableregion(target, &r);
-		if (r.length < (unsigned) ntabs)
-			return (ISC_R_NOSPACE);
-		p = r.base;
-
-		t = ntabs;
-		while (t) {
-			int n = t;
-			if (n > N_TABS)
-				n = N_TABS;
-			memcpy(p, tabs, n);
-			p += n;
-			t -= n;
-		}
-		isc_buffer_add(target, ntabs);
-		from = (to / tabwidth) * tabwidth;
-	}
-
-	nspaces = to - from;
-	INSIST(nspaces >= 0);
-
-	isc_buffer_availableregion(target, &r);
-	if (r.length < (unsigned) nspaces)
-		return (ISC_R_NOSPACE);
-	p = r.base;
-
-	t = nspaces;
-	while (t) {
-		int n = t;
-		if (n > N_SPACES)
-			n = N_SPACES;
-		memcpy(p, spaces, n);
-		p += n;
-		t -= n;
-	}
-	isc_buffer_add(target, nspaces);
-
-	*current = to;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx) {
-	isc_result_t result;
-
-	REQUIRE(style->tab_width != 0);
-
-	ctx->style = *style;
-	ctx->class_printed = ISC_FALSE;
-
-	dns_fixedname_init(&ctx->origin_fixname);
-
-	/*
-	 * Set up the line break string if needed.
-	 */
-	if ((ctx->style.flags & DNS_STYLEFLAG_MULTILINE) != 0) {
-		isc_buffer_t buf;
-		isc_region_t r;
-		unsigned int col = 0;
-
-		isc_buffer_init(&buf, ctx->linebreak_buf,
-				sizeof(ctx->linebreak_buf));
-
-		isc_buffer_availableregion(&buf, &r);
-		if (r.length < 1)
-			return (DNS_R_TEXTTOOLONG);
-		r.base[0] = '\n';
-		isc_buffer_add(&buf, 1);
-
-		result = indent(&col, ctx->style.rdata_column,
-				ctx->style.tab_width, &buf);
-		/*
-		 * Do not return ISC_R_NOSPACE if the line break string
-		 * buffer is too small, because that would just make
-		 * dump_rdataset() retry indefinitely with ever
-		 * bigger target buffers.  That's a different buffer,
-		 * so it won't help.  Use DNS_R_TEXTTOOLONG as a substitute.
-		 */
-		if (result == ISC_R_NOSPACE)
-			return (DNS_R_TEXTTOOLONG);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		isc_buffer_availableregion(&buf, &r);
-		if (r.length < 1)
-			return (DNS_R_TEXTTOOLONG);
-		r.base[0] = '\0';
-		isc_buffer_add(&buf, 1);
-		ctx->linebreak = ctx->linebreak_buf;
-	} else {
-		ctx->linebreak = NULL;
-	}
-
-	ctx->origin = NULL;
-	ctx->neworigin = NULL;
-	ctx->current_ttl = 0;
-	ctx->current_ttl_valid = ISC_FALSE;
-
-	return (ISC_R_SUCCESS);
-}
-
-#define INDENT_TO(col) \
-	do { \
-		 if ((result = indent(&column, ctx->style.col, \
-				      ctx->style.tab_width, target)) \
-		     != ISC_R_SUCCESS) \
-			    return (result); \
-	} while (0)
-
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
-	unsigned int l;
-	isc_region_t region;
-
-	isc_buffer_availableregion(target, &region);
-	l = strlen(source);
-
-	if (l > region.length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(region.base, source, l);
-	isc_buffer_add(target, l);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-ncache_summary(dns_rdataset_t *rdataset, isc_boolean_t omit_final_dot,
-	       isc_buffer_t *target)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_rdataset_t rds;
-	dns_name_t name;
-
-	dns_rdataset_init(&rds);
-	dns_name_init(&name, NULL);
-
-	do {
-		dns_ncache_current(rdataset, &name, &rds);
-		for (result = dns_rdataset_first(&rds);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rds)) {
-			CHECK(str_totext("; ", target));
-			CHECK(dns_name_totext(&name, omit_final_dot, target));
-			CHECK(str_totext(" ", target));
-			CHECK(dns_rdatatype_totext(rds.type, target));
-			if (rds.type == dns_rdatatype_rrsig) {
-				CHECK(str_totext(" ", target));
-				CHECK(dns_rdatatype_totext(rds.covers, target));
-				CHECK(str_totext(" ...\n", target));
-			} else {
-				dns_rdata_t rdata = DNS_RDATA_INIT;
-				dns_rdataset_current(&rds, &rdata);
-				CHECK(str_totext(" ", target));
-				CHECK(dns_rdata_tofmttext(&rdata, dns_rootname,
-							  0, 0, 0, " ", target));
-				CHECK(str_totext("\n", target));
-			}
-		}
-		dns_rdataset_disassociate(&rds);
-		result = dns_rdataset_next(rdataset);
-	} while (result == ISC_R_SUCCESS);
-
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
- cleanup:
-	if (dns_rdataset_isassociated(&rds))
-		dns_rdataset_disassociate(&rds);
-
-	return (result);
-}
-
-/*
- * Convert 'rdataset' to master file text format according to 'ctx',
- * storing the result in 'target'.  If 'owner_name' is NULL, it
- * is omitted; otherwise 'owner_name' must be valid and have at least
- * one label.
- */
-
-static isc_result_t
-rdataset_totext(dns_rdataset_t *rdataset,
-		dns_name_t *owner_name,
-		dns_totext_ctx_t *ctx,
-		isc_boolean_t omit_final_dot,
-		isc_buffer_t *target)
-{
-	isc_result_t result;
-	unsigned int column;
-	isc_boolean_t first = ISC_TRUE;
-	isc_uint32_t current_ttl;
-	isc_boolean_t current_ttl_valid;
-	dns_rdatatype_t type;
-	unsigned int type_start;
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-
-	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
-	result = dns_rdataset_first(rdataset);
-
-	current_ttl = ctx->current_ttl;
-	current_ttl_valid = ctx->current_ttl_valid;
-
-	while (result == ISC_R_SUCCESS) {
-		column = 0;
-
-		/*
-		 * Owner name.
-		 */
-		if (owner_name != NULL &&
-		    ! ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0 &&
-		       !first))
-		{
-			unsigned int name_start = target->used;
-			RETERR(dns_name_totext(owner_name,
-					       omit_final_dot,
-					       target));
-			column += target->used - name_start;
-		}
-
-		/*
-		 * TTL.
-		 */
-		if ((ctx->style.flags & DNS_STYLEFLAG_NO_TTL) == 0 &&
-		    !((ctx->style.flags & DNS_STYLEFLAG_OMIT_TTL) != 0 &&
-		      current_ttl_valid &&
-		      rdataset->ttl == current_ttl))
-		{
-			char ttlbuf[64];
-			isc_region_t r;
-			unsigned int length;
-
-			INDENT_TO(ttl_column);
-			length = snprintf(ttlbuf, sizeof(ttlbuf), "%u",
-					  rdataset->ttl);
-			INSIST(length <= sizeof(ttlbuf));
-			isc_buffer_availableregion(target, &r);
-			if (r.length < length)
-				return (ISC_R_NOSPACE);
-			memcpy(r.base, ttlbuf, length);
-			isc_buffer_add(target, length);
-			column += length;
-
-			/*
-			 * If the $TTL directive is not in use, the TTL we
-			 * just printed becomes the default for subsequent RRs.
-			 */
-			if ((ctx->style.flags & DNS_STYLEFLAG_TTL) == 0) {
-				current_ttl = rdataset->ttl;
-				current_ttl_valid = ISC_TRUE;
-			}
-		}
-
-		/*
-		 * Class.
-		 */
-		if ((ctx->style.flags & DNS_STYLEFLAG_NO_CLASS) == 0 &&
-		    ((ctx->style.flags & DNS_STYLEFLAG_OMIT_CLASS) == 0 ||
-		     ctx->class_printed == ISC_FALSE))
-		{
-			unsigned int class_start;
-			INDENT_TO(class_column);
-			class_start = target->used;
-			result = dns_rdataclass_totext(rdataset->rdclass,
-						       target);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			column += (target->used - class_start);
-		}
-
-		/*
-		 * Type.
-		 */
-
-		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
-			type = rdataset->covers;
-		} else {
-			type = rdataset->type;
-		}
-
-		INDENT_TO(type_column);
-		type_start = target->used;
-		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
-			RETERR(str_totext("\\-", target));
-		result = dns_rdatatype_totext(type, target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		column += (target->used - type_start);
-
-		/*
-		 * Rdata.
-		 */
-		INDENT_TO(rdata_column);
-		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
-			if (NXDOMAIN(rdataset))
-				RETERR(str_totext(";-$NXDOMAIN\n", target));
-			else
-				RETERR(str_totext(";-$NXRRSET\n", target));
-			/*
-			 * Print a summary of the cached records which make
-			 * up the negative response.
-			 */
-			RETERR(ncache_summary(rdataset, omit_final_dot,
-					      target));
-			break;
-		} else {
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-			isc_region_t r;
-
-			dns_rdataset_current(rdataset, &rdata);
-
-			RETERR(dns_rdata_tofmttext(&rdata,
-						   ctx->origin,
-						   ctx->style.flags,
-						   ctx->style.line_length -
-						       ctx->style.rdata_column,
-						   ctx->style.split_width,
-						   ctx->linebreak,
-						   target));
-
-			isc_buffer_availableregion(target, &r);
-			if (r.length < 1)
-				return (ISC_R_NOSPACE);
-			r.base[0] = '\n';
-			isc_buffer_add(target, 1);
-		}
-
-		first = ISC_FALSE;
-		result = dns_rdataset_next(rdataset);
-	}
-
-	if (result != ISC_R_NOMORE)
-		return (result);
-
-	/*
-	 * Update the ctx state to reflect what we just printed.
-	 * This is done last, only when we are sure we will return
-	 * success, because this function may be called multiple
-	 * times with increasing buffer sizes until it succeeds,
-	 * and failed attempts must not update the state prematurely.
-	 */
-	ctx->class_printed = ISC_TRUE;
-	ctx->current_ttl= current_ttl;
-	ctx->current_ttl_valid = current_ttl_valid;
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Print the name, type, and class of an empty rdataset,
- * such as those used to represent the question section
- * of a DNS message.
- */
-static isc_result_t
-question_totext(dns_rdataset_t *rdataset,
-		dns_name_t *owner_name,
-		dns_totext_ctx_t *ctx,
-		isc_boolean_t omit_final_dot,
-		isc_buffer_t *target)
-{
-	unsigned int column;
-	isc_result_t result;
-	isc_region_t r;
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	result = dns_rdataset_first(rdataset);
-	REQUIRE(result == ISC_R_NOMORE);
-
-	column = 0;
-
-	/* Owner name */
-	{
-		unsigned int name_start = target->used;
-		RETERR(dns_name_totext(owner_name,
-				       omit_final_dot,
-				       target));
-		column += target->used - name_start;
-	}
-
-	/* Class */
-	{
-		unsigned int class_start;
-		INDENT_TO(class_column);
-		class_start = target->used;
-		result = dns_rdataclass_totext(rdataset->rdclass, target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		column += (target->used - class_start);
-	}
-
-	/* Type */
-	{
-		unsigned int type_start;
-		INDENT_TO(type_column);
-		type_start = target->used;
-		result = dns_rdatatype_totext(rdataset->type, target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		column += (target->used - type_start);
-	}
-
-	isc_buffer_availableregion(target, &r);
-	if (r.length < 1)
-		return (ISC_R_NOSPACE);
-	r.base[0] = '\n';
-	isc_buffer_add(target, 1);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rdataset_totext(dns_rdataset_t *rdataset,
-		    dns_name_t *owner_name,
-		    isc_boolean_t omit_final_dot,
-		    isc_boolean_t question,
-		    isc_buffer_t *target)
-{
-	dns_totext_ctx_t ctx;
-	isc_result_t result;
-	result = totext_ctx_init(&dns_master_style_debug, &ctx);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "could not set master file style");
-		return (ISC_R_UNEXPECTED);
-	}
-
-	/*
-	 * The caller might want to give us an empty owner
-	 * name (e.g. if they are outputting into a master
-	 * file and this rdataset has the same name as the
-	 * previous one.)
-	 */
-	if (dns_name_countlabels(owner_name) == 0)
-		owner_name = NULL;
-
-	if (question)
-		return (question_totext(rdataset, owner_name, &ctx,
-					omit_final_dot, target));
-	else
-		return (rdataset_totext(rdataset, owner_name, &ctx,
-					omit_final_dot, target));
-}
-
-isc_result_t
-dns_master_rdatasettotext(dns_name_t *owner_name,
-			  dns_rdataset_t *rdataset,
-			  const dns_master_style_t *style,
-			  isc_buffer_t *target)
-{
-	dns_totext_ctx_t ctx;
-	isc_result_t result;
-	result = totext_ctx_init(style, &ctx);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "could not set master file style");
-		return (ISC_R_UNEXPECTED);
-	}
-
-	return (rdataset_totext(rdataset, owner_name, &ctx,
-				ISC_FALSE, target));
-}
-
-isc_result_t
-dns_master_questiontotext(dns_name_t *owner_name,
-			  dns_rdataset_t *rdataset,
-			  const dns_master_style_t *style,
-			  isc_buffer_t *target)
-{
-	dns_totext_ctx_t ctx;
-	isc_result_t result;
-	result = totext_ctx_init(style, &ctx);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "could not set master file style");
-		return (ISC_R_UNEXPECTED);
-	}
-
-	return (question_totext(rdataset, owner_name, &ctx,
-				ISC_FALSE, target));
-}
-
-#ifdef BIND9
-/*
- * Print an rdataset.  'buffer' is a scratch buffer, which must have been
- * dynamically allocated by the caller.  It must be large enough to
- * hold the result from dns_ttl_totext().  If more than that is needed,
- * the buffer will be grown automatically.
- */
-
-static isc_result_t
-dump_rdataset(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
-	      dns_totext_ctx_t *ctx,
-	      isc_buffer_t *buffer, FILE *f)
-{
-	isc_region_t r;
-	isc_result_t result;
-
-	REQUIRE(buffer->length > 0);
-
-	/*
-	 * Output a $TTL directive if needed.
-	 */
-
-	if ((ctx->style.flags & DNS_STYLEFLAG_TTL) != 0) {
-		if (ctx->current_ttl_valid == ISC_FALSE ||
-		    ctx->current_ttl != rdataset->ttl)
-		{
-			if ((ctx->style.flags & DNS_STYLEFLAG_COMMENT) != 0)
-			{
-				isc_buffer_clear(buffer);
-				result = dns_ttl_totext(rdataset->ttl,
-							ISC_TRUE, buffer);
-				INSIST(result == ISC_R_SUCCESS);
-				isc_buffer_usedregion(buffer, &r);
-				fprintf(f, "$TTL %u\t; %.*s\n", rdataset->ttl,
-					(int) r.length, (char *) r.base);
-			} else {
-				fprintf(f, "$TTL %u\n", rdataset->ttl);
-			}
-			ctx->current_ttl = rdataset->ttl;
-			ctx->current_ttl_valid = ISC_TRUE;
-		}
-	}
-
-	isc_buffer_clear(buffer);
-
-	/*
-	 * Generate the text representation of the rdataset into
-	 * the buffer.  If the buffer is too small, grow it.
-	 */
-	for (;;) {
-		int newlength;
-		void *newmem;
-		result = rdataset_totext(rdataset, name, ctx,
-					 ISC_FALSE, buffer);
-		if (result != ISC_R_NOSPACE)
-			break;
-
-		newlength = buffer->length * 2;
-		newmem = isc_mem_get(mctx, newlength);
-		if (newmem == NULL)
-			return (ISC_R_NOMEMORY);
-		isc_mem_put(mctx, buffer->base, buffer->length);
-		isc_buffer_init(buffer, newmem, newlength);
-	}
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Write the buffer contents to the master file.
-	 */
-	isc_buffer_usedregion(buffer, &r);
-	result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
-
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "master file write failed: %s",
-				 isc_result_totext(result));
-		return (result);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Define the order in which rdatasets should be printed in zone
- * files.  We will print SOA and NS records before others, SIGs
- * immediately following the things they sign, and order everything
- * else by RR number.  This is all just for aesthetics and
- * compatibility with buggy software that expects the SOA to be first;
- * the DNS specifications allow any order.
- */
-
-static int
-dump_order(const dns_rdataset_t *rds) {
-	int t;
-	int sig;
-	if (rds->type == dns_rdatatype_rrsig) {
-		t = rds->covers;
-		sig = 1;
-	} else {
-		t = rds->type;
-		sig = 0;
-	}
-	switch (t) {
-	case dns_rdatatype_soa:
-		t = 0;
-		break;
-	case dns_rdatatype_ns:
-		t = 1;
-		break;
-	default:
-		t += 2;
-		break;
-	}
-	return (t << 1) + sig;
-}
-
-static int
-dump_order_compare(const void *a, const void *b) {
-	return (dump_order(*((const dns_rdataset_t * const *) a)) -
-		dump_order(*((const dns_rdataset_t * const *) b)));
-}
-
-/*
- * Dump all the rdatasets of a domain name to a master file.  We make
- * a "best effort" attempt to sort the RRsets in a nice order, but if
- * there are more than MAXSORT RRsets, we punt and only sort them in
- * groups of MAXSORT.  This is not expected to ever happen in practice
- * since much less than 64 RR types have been registered with the
- * IANA, so far, and the output will be correct (though not
- * aesthetically pleasing) even if it does happen.
- */
-
-#define MAXSORT 64
-
-static isc_result_t
-dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
-		    dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
-		    isc_buffer_t *buffer, FILE *f)
-{
-	isc_result_t itresult, dumpresult;
-	isc_region_t r;
-	dns_rdataset_t rdatasets[MAXSORT];
-	dns_rdataset_t *sorted[MAXSORT];
-	int i, n;
-
-	itresult = dns_rdatasetiter_first(rdsiter);
-	dumpresult = ISC_R_SUCCESS;
-
-	if (itresult == ISC_R_SUCCESS && ctx->neworigin != NULL) {
-		isc_buffer_clear(buffer);
-		itresult = dns_name_totext(ctx->neworigin, ISC_FALSE, buffer);
-		RUNTIME_CHECK(itresult == ISC_R_SUCCESS);
-		isc_buffer_usedregion(buffer, &r);
-		fprintf(f, "$ORIGIN %.*s\n", (int) r.length, (char *) r.base);
-		ctx->neworigin = NULL;
-	}
-
- again:
-	for (i = 0;
-	     itresult == ISC_R_SUCCESS && i < MAXSORT;
-	     itresult = dns_rdatasetiter_next(rdsiter), i++) {
-		dns_rdataset_init(&rdatasets[i]);
-		dns_rdatasetiter_current(rdsiter, &rdatasets[i]);
-		sorted[i] = &rdatasets[i];
-	}
-	n = i;
-	INSIST(n <= MAXSORT);
-
-	qsort(sorted, n, sizeof(sorted[0]), dump_order_compare);
-
-	for (i = 0; i < n; i++) {
-		dns_rdataset_t *rds = sorted[i];
-		if (ctx->style.flags & DNS_STYLEFLAG_TRUST)
-			fprintf(f, "; %s\n", dns_trust_totext(rds->trust));
-		if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
-		    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
-			/* Omit negative cache entries */
-		} else {
-			isc_result_t result =
-				dump_rdataset(mctx, name, rds, ctx,
-					       buffer, f);
-			if (result != ISC_R_SUCCESS)
-				dumpresult = result;
-			if ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0)
-				name = NULL;
-		}
-		if (ctx->style.flags & DNS_STYLEFLAG_RESIGN &&
-		    rds->attributes & DNS_RDATASETATTR_RESIGN) {
-			isc_buffer_t b;
-			char buf[sizeof("YYYYMMDDHHMMSS")];
-			memset(buf, 0, sizeof(buf));
-			isc_buffer_init(&b, buf, sizeof(buf) - 1);
-			dns_time64_totext((isc_uint64_t)rds->resign, &b);
-			fprintf(f, "; resign=%s\n", buf);
-		}
-		dns_rdataset_disassociate(rds);
-	}
-
-	if (dumpresult != ISC_R_SUCCESS)
-		return (dumpresult);
-
-	/*
-	 * If we got more data than could be sorted at once,
-	 * go handle the rest.
-	 */
-	if (itresult == ISC_R_SUCCESS)
-		goto again;
-
-	if (itresult == ISC_R_NOMORE)
-		itresult = ISC_R_SUCCESS;
-
-	return (itresult);
-}
-
-/*
- * Dump given RRsets in the "raw" format.
- */
-static isc_result_t
-dump_rdataset_raw(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
-		  isc_buffer_t *buffer, FILE *f)
-{
-	isc_result_t result;
-	isc_uint32_t totallen;
-	isc_uint16_t dlen;
-	isc_region_t r, r_hdr;
-
-	REQUIRE(buffer->length > 0);
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-
-	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
- restart:
-	totallen = 0;
-	result = dns_rdataset_first(rdataset);
-	REQUIRE(result == ISC_R_SUCCESS);
-
-	isc_buffer_clear(buffer);
-
-	/*
-	 * Common header and owner name (length followed by name)
-	 * These fields should be in a moderate length, so we assume we
-	 * can store all of them in the initial buffer.
-	 */
-	isc_buffer_availableregion(buffer, &r_hdr);
-	INSIST(r_hdr.length >= sizeof(dns_masterrawrdataset_t));
-	isc_buffer_putuint32(buffer, totallen);	/* XXX: leave space */
-	isc_buffer_putuint16(buffer, rdataset->rdclass); /* 16-bit class */
-	isc_buffer_putuint16(buffer, rdataset->type); /* 16-bit type */
-	isc_buffer_putuint16(buffer, rdataset->covers);	/* same as type */
-	isc_buffer_putuint32(buffer, rdataset->ttl); /* 32-bit TTL */
-	isc_buffer_putuint32(buffer, dns_rdataset_count(rdataset));
-	totallen = isc_buffer_usedlength(buffer);
-	INSIST(totallen <= sizeof(dns_masterrawrdataset_t));
-
-	dns_name_toregion(name, &r);
-	INSIST(isc_buffer_availablelength(buffer) >=
-	       (sizeof(dlen) + r.length));
-	dlen = (isc_uint16_t)r.length;
-	isc_buffer_putuint16(buffer, dlen);
-	isc_buffer_copyregion(buffer, &r);
-	totallen += sizeof(dlen) + r.length;
-
-	do {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		isc_region_t r;
-
-		dns_rdataset_current(rdataset, &rdata);
-		dns_rdata_toregion(&rdata, &r);
-		INSIST(r.length <= 0xffffU);
-		dlen = (isc_uint16_t)r.length;
-
-		/*
-		 * Copy the rdata into the buffer.  If the buffer is too small,
-		 * grow it.  This should be rare, so we'll simply restart the
-		 * entire procedure (or should we copy the old data and
-		 * continue?).
-		 */
-		if (isc_buffer_availablelength(buffer) <
-						 sizeof(dlen) + r.length) {
-			int newlength;
-			void *newmem;
-
-			newlength = buffer->length * 2;
-			newmem = isc_mem_get(mctx, newlength);
-			if (newmem == NULL)
-				return (ISC_R_NOMEMORY);
-			isc_mem_put(mctx, buffer->base, buffer->length);
-			isc_buffer_init(buffer, newmem, newlength);
-			goto restart;
-		}
-		isc_buffer_putuint16(buffer, dlen);
-		isc_buffer_copyregion(buffer, &r);
-		totallen += sizeof(dlen) + r.length;
-
-		result = dns_rdataset_next(rdataset);
-	} while (result == ISC_R_SUCCESS);
-
-	if (result != ISC_R_NOMORE)
-		return (result);
-
-	/*
-	 * Fill in the total length field.
-	 * XXX: this is a bit tricky.  Since we have already "used" the space
-	 * for the total length in the buffer, we first remember the entire
-	 * buffer length in the region, "rewind", and then write the value.
-	 */
-	isc_buffer_usedregion(buffer, &r);
-	isc_buffer_clear(buffer);
-	isc_buffer_putuint32(buffer, totallen);
-	INSIST(isc_buffer_usedlength(buffer) < totallen);
-
-	/*
-	 * Write the buffer contents to the raw master file.
-	 */
-	result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
-
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "raw master file write failed: %s",
-				 isc_result_totext(result));
-		return (result);
-	}
-
-	return (result);
-}
-
-static isc_result_t
-dump_rdatasets_raw(isc_mem_t *mctx, dns_name_t *name,
-		   dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
-		   isc_buffer_t *buffer, FILE *f)
-{
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter)) {
-
-		dns_rdataset_init(&rdataset);
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-
-		if (((rdataset.attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
-		    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
-			/* Omit negative cache entries */
-		} else {
-			result = dump_rdataset_raw(mctx, name, &rdataset,
-						   buffer, f);
-		}
-		dns_rdataset_disassociate(&rdataset);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	return (result);
-}
-
-/*
- * Initial size of text conversion buffer.  The buffer is used
- * for several purposes: converting origin names, rdatasets,
- * $DATE timestamps, and comment strings for $TTL directives.
- *
- * When converting rdatasets, it is dynamically resized, but
- * when converting origins, timestamps, etc it is not.  Therefore,
- * the initial size must large enough to hold the longest possible
- * text representation of any domain name (for $ORIGIN).
- */
-static const int initial_buffer_length = 1200;
-
-static isc_result_t
-dumptostreaminc(dns_dumpctx_t *dctx);
-
-static void
-dumpctx_destroy(dns_dumpctx_t *dctx) {
-
-	dctx->magic = 0;
-	DESTROYLOCK(&dctx->lock);
-	dns_dbiterator_destroy(&dctx->dbiter);
-	if (dctx->version != NULL)
-		dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
-	dns_db_detach(&dctx->db);
-	if (dctx->task != NULL)
-		isc_task_detach(&dctx->task);
-	if (dctx->file != NULL)
-		isc_mem_free(dctx->mctx, dctx->file);
-	if (dctx->tmpfile != NULL)
-		isc_mem_free(dctx->mctx, dctx->tmpfile);
-	isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(*dctx));
-}
-
-void
-dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target) {
-
-	REQUIRE(DNS_DCTX_VALID(source));
-	REQUIRE(target != NULL && *target == NULL);
-
-	LOCK(&source->lock);
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references != 0);	/* Overflow? */
-	UNLOCK(&source->lock);
-
-	*target = source;
-}
-
-void
-dns_dumpctx_detach(dns_dumpctx_t **dctxp) {
-	dns_dumpctx_t *dctx;
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(dctxp != NULL);
-	dctx = *dctxp;
-	REQUIRE(DNS_DCTX_VALID(dctx));
-
-	*dctxp = NULL;
-
-	LOCK(&dctx->lock);
-	INSIST(dctx->references != 0);
-	dctx->references--;
-	if (dctx->references == 0)
-		need_destroy = ISC_TRUE;
-	UNLOCK(&dctx->lock);
-	if (need_destroy)
-		dumpctx_destroy(dctx);
-}
-
-dns_dbversion_t *
-dns_dumpctx_version(dns_dumpctx_t *dctx) {
-	REQUIRE(DNS_DCTX_VALID(dctx));
-	return (dctx->version);
-}
-
-dns_db_t *
-dns_dumpctx_db(dns_dumpctx_t *dctx) {
-	REQUIRE(DNS_DCTX_VALID(dctx));
-	return (dctx->db);
-}
-
-void
-dns_dumpctx_cancel(dns_dumpctx_t *dctx) {
-	REQUIRE(DNS_DCTX_VALID(dctx));
-
-	LOCK(&dctx->lock);
-	dctx->canceled = ISC_TRUE;
-	UNLOCK(&dctx->lock);
-}
-
-static isc_result_t
-flushandsync(FILE *f, isc_result_t result, const char *temp) {
-	isc_boolean_t logit = ISC_TF(result == ISC_R_SUCCESS);
-
-	if (result == ISC_R_SUCCESS)
-		result = isc_stdio_flush(f);
-	if (result != ISC_R_SUCCESS && logit) {
-		if (temp != NULL)
-			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-				      "dumping to master file: %s: flush: %s",
-				      temp, isc_result_totext(result));
-		else
-			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-				      "dumping to stream: flush: %s",
-				      isc_result_totext(result));
-		logit = ISC_FALSE;
-	}
-
-	if (result == ISC_R_SUCCESS)
-		result = isc_stdio_sync(f);
-	if (result != ISC_R_SUCCESS && logit) {
-		if (temp != NULL)
-			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-				      "dumping to master file: %s: fsync: %s",
-				      temp, isc_result_totext(result));
-		else
-			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-				      "dumping to stream: fsync: %s",
-				      isc_result_totext(result));
-	}
-	return (result);
-}
-
-static isc_result_t
-closeandrename(FILE *f, isc_result_t result, const char *temp, const char *file)
-{
-	isc_result_t tresult;
-	isc_boolean_t logit = ISC_TF(result == ISC_R_SUCCESS);
-
-	result = flushandsync(f, result, temp);
-	if (result != ISC_R_SUCCESS)
-		logit = ISC_FALSE;
-
-	tresult = isc_stdio_close(f);
-	if (result == ISC_R_SUCCESS)
-		result = tresult;
-	if (result != ISC_R_SUCCESS && logit) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping master file: %s: fclose: %s",
-			      temp, isc_result_totext(result));
-		logit = ISC_FALSE;
-	}
-	if (result == ISC_R_SUCCESS)
-		result = isc_file_rename(temp, file);
-	else
-		(void)isc_file_remove(temp);
-	if (result != ISC_R_SUCCESS && logit) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping master file: rename: %s: %s",
-			      file, isc_result_totext(result));
-	}
-	return (result);
-}
-
-static void
-dump_quantum(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	isc_result_t tresult;
-	dns_dumpctx_t *dctx;
-
-	REQUIRE(event != NULL);
-	dctx = event->ev_arg;
-	REQUIRE(DNS_DCTX_VALID(dctx));
-	if (dctx->canceled)
-		result = ISC_R_CANCELED;
-	else
-		result = dumptostreaminc(dctx);
-	if (result == DNS_R_CONTINUE) {
-		event->ev_arg = dctx;
-		isc_task_send(task, &event);
-		return;
-	}
-
-	if (dctx->file != NULL) {
-		tresult = closeandrename(dctx->f, result,
-					 dctx->tmpfile, dctx->file);
-		if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
-			result = tresult;
-	} else
-		result = flushandsync(dctx->f, result, NULL);
-	(dctx->done)(dctx->done_arg, result);
-	isc_event_free(&event);
-	dns_dumpctx_detach(&dctx);
-}
-
-static isc_result_t
-task_send(dns_dumpctx_t *dctx) {
-	isc_event_t *event;
-
-	event = isc_event_allocate(dctx->mctx, NULL, DNS_EVENT_DUMPQUANTUM,
-				   dump_quantum, dctx, sizeof(*event));
-	if (event == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_task_send(dctx->task, &event);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-	       const dns_master_style_t *style, FILE *f, dns_dumpctx_t **dctxp,
-	       dns_masterformat_t format, dns_masterrawheader_t *header)
-{
-	dns_dumpctx_t *dctx;
-	isc_result_t result;
-	unsigned int options;
-
-	dctx = isc_mem_get(mctx, sizeof(*dctx));
-	if (dctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dctx->mctx = NULL;
-	dctx->f = f;
-	dctx->dbiter = NULL;
-	dctx->db = NULL;
-	dctx->version = NULL;
-	dctx->done = NULL;
-	dctx->done_arg = NULL;
-	dctx->task = NULL;
-	dctx->nodes = 0;
-	dctx->first = ISC_TRUE;
-	dctx->canceled = ISC_FALSE;
-	dctx->file = NULL;
-	dctx->tmpfile = NULL;
-	dctx->format = format;
-	if (header == NULL)
-		dns_master_initrawheader(&dctx->header);
-	else
-		dctx->header = *header;
-
-	switch (format) {
-	case dns_masterformat_text:
-		dctx->dumpsets = dump_rdatasets_text;
-		break;
-	case dns_masterformat_raw:
-		dctx->dumpsets = dump_rdatasets_raw;
-		break;
-	default:
-		INSIST(0);
-		break;
-	}
-
-	result = totext_ctx_init(style, &dctx->tctx);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "could not set master file style");
-		goto cleanup;
-	}
-
-	isc_stdtime_get(&dctx->now);
-	dns_db_attach(db, &dctx->db);
-
-	dctx->do_date = dns_db_iscache(dctx->db);
-
-	if (dctx->format == dns_masterformat_text &&
-	    (dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) {
-		options = DNS_DB_RELATIVENAMES;
-	} else
-		options = 0;
-	result = dns_db_createiterator(dctx->db, options, &dctx->dbiter);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = isc_mutex_init(&dctx->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	if (version != NULL)
-		dns_db_attachversion(dctx->db, version, &dctx->version);
-	else if (!dns_db_iscache(db))
-		dns_db_currentversion(dctx->db, &dctx->version);
-	isc_mem_attach(mctx, &dctx->mctx);
-	dctx->references = 1;
-	dctx->magic = DNS_DCTX_MAGIC;
-	*dctxp = dctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (dctx->dbiter != NULL)
-		dns_dbiterator_destroy(&dctx->dbiter);
-	if (dctx->db != NULL)
-		dns_db_detach(&dctx->db);
-	if (dctx != NULL)
-		isc_mem_put(mctx, dctx, sizeof(*dctx));
-	return (result);
-}
-
-static isc_result_t
-dumptostreaminc(dns_dumpctx_t *dctx) {
-	isc_result_t result;
-	isc_buffer_t buffer;
-	char *bufmem;
-	isc_region_t r;
-	dns_name_t *name;
-	dns_fixedname_t fixname;
-	unsigned int nodes;
-	dns_masterrawheader_t rawheader;
-	isc_uint32_t rawversion, now32;
-	isc_time_t start;
-
-	bufmem = isc_mem_get(dctx->mctx, initial_buffer_length);
-	if (bufmem == NULL)
-		return (ISC_R_NOMEMORY);
-
-	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
-
-	dns_fixedname_init(&fixname);
-	name = dns_fixedname_name(&fixname);
-
-	if (dctx->first) {
-		switch (dctx->format) {
-		case dns_masterformat_text:
-			/*
-			 * If the database has cache semantics, output an
-			 * RFC2540 $DATE directive so that the TTLs can be
-			 * adjusted when it is reloaded.  For zones it is not
-			 * really needed, and it would make the file
-			 * incompatible with pre-RFC2540 software, so we omit
-			 * it in the zone case.
-			 */
-			if (dctx->do_date) {
-				result = dns_time32_totext(dctx->now, &buffer);
-				RUNTIME_CHECK(result == ISC_R_SUCCESS);
-				isc_buffer_usedregion(&buffer, &r);
-				fprintf(dctx->f, "$DATE %.*s\n",
-					(int) r.length, (char *) r.base);
-			}
-			break;
-		case dns_masterformat_raw:
-			r.base = (unsigned char *)&rawheader;
-			r.length = sizeof(rawheader);
-			isc_buffer_region(&buffer, &r);
-#if !defined(STDTIME_ON_32BITS) || (STDTIME_ON_32BITS + 0) != 1
-			/*
-			 * We assume isc_stdtime_t is a 32-bit integer,
-			 * which should be the case on most cases.
-			 * If it turns out to be uncommon, we'll need
-			 * to bump the version number and revise the
-			 * header format.
-			 */
-			isc_log_write(dns_lctx,
-				      ISC_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_MASTERDUMP,
-				      ISC_LOG_INFO,
-				      "dumping master file in raw "
-				      "format: stdtime is not 32bits");
-			now32 = 0;
-#else
-			now32 = dctx->now;
-#endif
-			rawversion = 1;
-			if ((dctx->header.flags & DNS_MASTERRAW_COMPAT) != 0)
-				rawversion = 0;
-			isc_buffer_putuint32(&buffer, dns_masterformat_raw);
-			isc_buffer_putuint32(&buffer, rawversion);
-			isc_buffer_putuint32(&buffer, now32);
-
-			if (rawversion == 1) {
-				isc_buffer_putuint32(&buffer,
-						     dctx->header.flags);
-				isc_buffer_putuint32(&buffer,
-						     dctx->header.sourceserial);
-				isc_buffer_putuint32(&buffer,
-						     dctx->header.lastxfrin);
-			}
-
-			INSIST(isc_buffer_usedlength(&buffer) <=
-			       sizeof(rawheader));
-			result = isc_stdio_write(buffer.base, 1,
-						 isc_buffer_usedlength(&buffer),
-						 dctx->f, NULL);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			isc_buffer_clear(&buffer);
-			break;
-		default:
-			INSIST(0);
-		}
-
-		result = dns_dbiterator_first(dctx->dbiter);
-		dctx->first = ISC_FALSE;
-	} else
-		result = ISC_R_SUCCESS;
-
-	nodes = dctx->nodes;
-	isc_time_now(&start);
-	while (result == ISC_R_SUCCESS && (dctx->nodes == 0 || nodes--)) {
-		dns_rdatasetiter_t *rdsiter = NULL;
-		dns_dbnode_t *node = NULL;
-
-		result = dns_dbiterator_current(dctx->dbiter, &node, name);
-		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
-			break;
-		if (result == DNS_R_NEWORIGIN) {
-			dns_name_t *origin =
-				dns_fixedname_name(&dctx->tctx.origin_fixname);
-			result = dns_dbiterator_origin(dctx->dbiter, origin);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if ((dctx->tctx.style.flags & DNS_STYLEFLAG_REL_DATA) != 0)
-				dctx->tctx.origin = origin;
-			dctx->tctx.neworigin = origin;
-		}
-		result = dns_db_allrdatasets(dctx->db, node, dctx->version,
-					     dctx->now, &rdsiter);
-		if (result != ISC_R_SUCCESS) {
-			dns_db_detachnode(dctx->db, &node);
-			goto fail;
-		}
-		result = (dctx->dumpsets)(dctx->mctx, name, rdsiter,
-					  &dctx->tctx, &buffer, dctx->f);
-		dns_rdatasetiter_destroy(&rdsiter);
-		if (result != ISC_R_SUCCESS) {
-			dns_db_detachnode(dctx->db, &node);
-			goto fail;
-		}
-		dns_db_detachnode(dctx->db, &node);
-		result = dns_dbiterator_next(dctx->dbiter);
-	}
-
-	/*
-	 * Work out how many nodes can be written in the time between
-	 * two requests to the nameserver.  Smooth the resulting number and
-	 * use it as a estimate for the number of nodes to be written in the
-	 * next iteration.
-	 */
-	if (dctx->nodes != 0 && result == ISC_R_SUCCESS) {
-		unsigned int pps = dns_pps;	/* packets per second */
-		unsigned int interval;
-		isc_uint64_t usecs;
-		isc_time_t end;
-
-		isc_time_now(&end);
-		if (pps < 100)
-			pps = 100;
-		interval = 1000000 / pps;	/* interval in usecs */
-		if (interval == 0)
-			interval = 1;
-		usecs = isc_time_microdiff(&end, &start);
-		if (usecs == 0) {
-			dctx->nodes = dctx->nodes * 2;
-			if (dctx->nodes > 1000)
-				dctx->nodes = 1000;
-		} else {
-			nodes = dctx->nodes * interval;
-			nodes /= (unsigned int)usecs;
-			if (nodes == 0)
-				nodes = 1;
-			else if (nodes > 1000)
-				nodes = 1000;
-
-			/* Smooth and assign. */
-			dctx->nodes = (nodes + dctx->nodes * 7) / 8;
-
-			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_MASTERDUMP,
-				      ISC_LOG_DEBUG(1),
-				      "dumptostreaminc(%p) new nodes -> %d\n",
-				      dctx, dctx->nodes);
-		}
-		result = DNS_R_CONTINUE;
-	} else if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
- fail:
-	RUNTIME_CHECK(dns_dbiterator_pause(dctx->dbiter) == ISC_R_SUCCESS);
-	isc_mem_put(dctx->mctx, buffer.base, buffer.length);
-	return (result);
-}
-
-isc_result_t
-dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
-			   dns_dbversion_t *version,
-			   const dns_master_style_t *style,
-			   FILE *f, isc_task_t *task,
-			   dns_dumpdonefunc_t done, void *done_arg,
-			   dns_dumpctx_t **dctxp)
-{
-	dns_dumpctx_t *dctx = NULL;
-	isc_result_t result;
-
-	REQUIRE(task != NULL);
-	REQUIRE(f != NULL);
-	REQUIRE(done != NULL);
-
-	result = dumpctx_create(mctx, db, version, style, f, &dctx,
-				dns_masterformat_text, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_task_attach(task, &dctx->task);
-	dctx->done = done;
-	dctx->done_arg = done_arg;
-	dctx->nodes = 100;
-
-	result = task_send(dctx);
-	if (result == ISC_R_SUCCESS) {
-		dns_dumpctx_attach(dctx, dctxp);
-		return (DNS_R_CONTINUE);
-	}
-
-	dns_dumpctx_detach(&dctx);
-	return (result);
-}
-
-/*
- * Dump an entire database into a master file.
- */
-isc_result_t
-dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
-			dns_dbversion_t *version,
-			const dns_master_style_t *style,
-			FILE *f)
-{
-	return (dns_master_dumptostream3(mctx, db, version, style,
-					 dns_masterformat_text, NULL, f));
-}
-
-isc_result_t
-dns_master_dumptostream2(isc_mem_t *mctx, dns_db_t *db,
-			 dns_dbversion_t *version,
-			 const dns_master_style_t *style,
-			 dns_masterformat_t format, FILE *f)
-{
-	return (dns_master_dumptostream3(mctx, db, version, style,
-					 format, NULL, f));
-}
-
-isc_result_t
-dns_master_dumptostream3(isc_mem_t *mctx, dns_db_t *db,
-			 dns_dbversion_t *version,
-			 const dns_master_style_t *style,
-			 dns_masterformat_t format,
-			 dns_masterrawheader_t *header, FILE *f)
-{
-	dns_dumpctx_t *dctx = NULL;
-	isc_result_t result;
-
-	result = dumpctx_create(mctx, db, version, style, f, &dctx,
-				format, header);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dumptostreaminc(dctx);
-	INSIST(result != DNS_R_CONTINUE);
-	dns_dumpctx_detach(&dctx);
-
-	result = flushandsync(f, result, NULL);
-	return (result);
-}
-
-static isc_result_t
-opentmp(isc_mem_t *mctx, dns_masterformat_t format, const char *file,
-	char **tempp, FILE **fp) {
-	FILE *f = NULL;
-	isc_result_t result;
-	char *tempname = NULL;
-	int tempnamelen;
-
-	tempnamelen = strlen(file) + 20;
-	tempname = isc_mem_allocate(mctx, tempnamelen);
-	if (tempname == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_file_mktemplate(file, tempname, tempnamelen);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	if (format == dns_masterformat_text)
-		result = isc_file_openunique(tempname, &f);
-	else
-		result = isc_file_bopenunique(tempname, &f);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping master file: %s: open: %s",
-			      tempname, isc_result_totext(result));
-		goto cleanup;
-	}
-	*tempp = tempname;
-	*fp = f;
-	return (ISC_R_SUCCESS);
-
-cleanup:
-	isc_mem_free(mctx, tempname);
-	return (result);
-}
-
-isc_result_t
-dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		   const dns_master_style_t *style, const char *filename,
-		   isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
-		   dns_dumpctx_t **dctxp)
-{
-	return (dns_master_dumpinc3(mctx, db, version, style, filename, task,
-				    done, done_arg, dctxp,
-				    dns_masterformat_text, NULL));
-}
-
-isc_result_t
-dns_master_dumpinc2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		    const dns_master_style_t *style, const char *filename,
-		    isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
-		    dns_dumpctx_t **dctxp, dns_masterformat_t format)
-{
-	return (dns_master_dumpinc3(mctx, db, version, style, filename, task,
-				    done, done_arg, dctxp, format, NULL));
-}
-
-isc_result_t
-dns_master_dumpinc3(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		    const dns_master_style_t *style, const char *filename,
-		    isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
-		    dns_dumpctx_t **dctxp, dns_masterformat_t format,
-		    dns_masterrawheader_t *header)
-{
-	FILE *f = NULL;
-	isc_result_t result;
-	char *tempname = NULL;
-	char *file = NULL;
-	dns_dumpctx_t *dctx = NULL;
-
-	file = isc_mem_strdup(mctx, filename);
-	if (file == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = opentmp(mctx, format, filename, &tempname, &f);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dumpctx_create(mctx, db, version, style, f, &dctx,
-				format, header);
-	if (result != ISC_R_SUCCESS) {
-		(void)isc_stdio_close(f);
-		(void)isc_file_remove(tempname);
-		goto cleanup;
-	}
-
-	isc_task_attach(task, &dctx->task);
-	dctx->done = done;
-	dctx->done_arg = done_arg;
-	dctx->nodes = 100;
-	dctx->file = file;
-	file = NULL;
-	dctx->tmpfile = tempname;
-	tempname = NULL;
-
-	result = task_send(dctx);
-	if (result == ISC_R_SUCCESS) {
-		dns_dumpctx_attach(dctx, dctxp);
-		return (DNS_R_CONTINUE);
-	}
-
- cleanup:
-	if (dctx != NULL)
-		dns_dumpctx_detach(&dctx);
-	if (file != NULL)
-		isc_mem_free(mctx, file);
-	if (tempname != NULL)
-		isc_mem_free(mctx, tempname);
-	return (result);
-}
-
-isc_result_t
-dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		const dns_master_style_t *style, const char *filename)
-{
-	return (dns_master_dump3(mctx, db, version, style, filename,
-				 dns_masterformat_text, NULL));
-}
-
-isc_result_t
-dns_master_dump2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		 const dns_master_style_t *style, const char *filename,
-		 dns_masterformat_t format)
-{
-	return (dns_master_dump3(mctx, db, version, style, filename,
-				 format, NULL));
-}
-
-isc_result_t
-dns_master_dump3(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		 const dns_master_style_t *style, const char *filename,
-		 dns_masterformat_t format, dns_masterrawheader_t *header)
-{
-	FILE *f = NULL;
-	isc_result_t result;
-	char *tempname;
-	dns_dumpctx_t *dctx = NULL;
-
-	result = opentmp(mctx, format, filename, &tempname, &f);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dumpctx_create(mctx, db, version, style, f, &dctx,
-				format, header);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dumptostreaminc(dctx);
-	INSIST(result != DNS_R_CONTINUE);
-	dns_dumpctx_detach(&dctx);
-
-	result = closeandrename(f, result, tempname, filename);
-
- cleanup:
-	isc_mem_free(mctx, tempname);
-	return (result);
-}
-
-/*
- * Dump a database node into a master file.
- * XXX: this function assumes the text format.
- */
-isc_result_t
-dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
-			    dns_dbversion_t *version,
-			    dns_dbnode_t *node, dns_name_t *name,
-			    const dns_master_style_t *style,
-			    FILE *f)
-{
-	isc_result_t result;
-	isc_buffer_t buffer;
-	char *bufmem;
-	isc_stdtime_t now;
-	dns_totext_ctx_t ctx;
-	dns_rdatasetiter_t *rdsiter = NULL;
-
-	result = totext_ctx_init(style, &ctx);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "could not set master file style");
-		return (ISC_R_UNEXPECTED);
-	}
-
-	isc_stdtime_get(&now);
-
-	bufmem = isc_mem_get(mctx, initial_buffer_length);
-	if (bufmem == NULL)
-		return (ISC_R_NOMEMORY);
-
-	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
-
-	result = dns_db_allrdatasets(db, node, version, now, &rdsiter);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	result = dump_rdatasets_text(mctx, name, rdsiter, &ctx, &buffer, f);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	dns_rdatasetiter_destroy(&rdsiter);
-
-	result = ISC_R_SUCCESS;
-
- failure:
-	isc_mem_put(mctx, buffer.base, buffer.length);
-	return (result);
-}
-
-isc_result_t
-dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
-		    dns_dbnode_t *node, dns_name_t *name,
-		    const dns_master_style_t *style, const char *filename)
-{
-	FILE *f = NULL;
-	isc_result_t result;
-
-	result = isc_stdio_open(filename, "w", &f);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping node to file: %s: open: %s", filename,
-			      isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	result = dns_master_dumpnodetostream(mctx, db, version, node, name,
-					     style, f);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping master file: %s: dump: %s", filename,
-			      isc_result_totext(result));
-		(void)isc_stdio_close(f);
-		return (ISC_R_UNEXPECTED);
-	}
-
-	result = isc_stdio_close(f);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
-			      "dumping master file: %s: close: %s", filename,
-			      isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	return (result);
-}
-#endif /* BIND9 */
-
-isc_result_t
-dns_master_stylecreate(dns_master_style_t **stylep, unsigned int flags,
-		       unsigned int ttl_column, unsigned int class_column,
-		       unsigned int type_column, unsigned int rdata_column,
-		       unsigned int line_length, unsigned int tab_width,
-		       isc_mem_t *mctx)
-{
-	return (dns_master_stylecreate2(stylep, flags, ttl_column,
-					class_column, type_column,
-					rdata_column, line_length,
-					tab_width, 0xffffffff, mctx));
-}
-
-isc_result_t
-dns_master_stylecreate2(dns_master_style_t **stylep, unsigned int flags,
-			unsigned int ttl_column, unsigned int class_column,
-			unsigned int type_column, unsigned int rdata_column,
-			unsigned int line_length, unsigned int tab_width,
-			unsigned int split_width, isc_mem_t *mctx)
-{
-	dns_master_style_t *style;
-
-	REQUIRE(stylep != NULL && *stylep == NULL);
-	style = isc_mem_get(mctx, sizeof(*style));
-	if (style == NULL)
-		return (ISC_R_NOMEMORY);
-
-	style->flags = flags;
-	style->ttl_column = ttl_column;
-	style->class_column = class_column;
-	style->type_column = type_column;
-	style->rdata_column = rdata_column;
-	style->line_length = line_length;
-	style->tab_width = tab_width;
-	style->split_width = split_width;
-
-	*stylep = style;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_master_styledestroy(dns_master_style_t **stylep, isc_mem_t *mctx) {
-	dns_master_style_t *style;
-
-	REQUIRE(stylep != NULL && *stylep != NULL);
-	style = *stylep;
-	*stylep = NULL;
-	isc_mem_put(mctx, style, sizeof(*style));
-}
diff --git a/contrib/bind9/lib/dns/message.c b/contrib/bind9/lib/dns/message.c
deleted file mode 100644
index 53efc5a..0000000
--- a/contrib/bind9/lib/dns/message.c
+++ /dev/null
@@ -1,3552 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-/***
- *** Imports
- ***/
-
-#include <config.h>
-#include <ctype.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/dnssec.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/masterdump.h>
-#include <dns/message.h>
-#include <dns/opcode.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-
-#ifdef SKAN_MSG_DEBUG
-static void
-hexdump(const char *msg, const char *msg2, void *base, size_t len) {
-	unsigned char *p;
-	unsigned int cnt;
-
-	p = base;
-	cnt = 0;
-
-	printf("*** %s [%s] (%u bytes @ %p)\n", msg, msg2, len, base);
-
-	while (cnt < len) {
-		if (cnt % 16 == 0)
-			printf("%p: ", p);
-		else if (cnt % 8 == 0)
-			printf(" |");
-		printf(" %02x %c", *p, (isprint(*p) ? *p : ' '));
-		p++;
-		cnt++;
-
-		if (cnt % 16 == 0)
-			printf("\n");
-	}
-
-	if (cnt % 16 != 0)
-		printf("\n");
-}
-#endif
-
-#define DNS_MESSAGE_OPCODE_MASK		0x7800U
-#define DNS_MESSAGE_OPCODE_SHIFT	11
-#define DNS_MESSAGE_RCODE_MASK		0x000fU
-#define DNS_MESSAGE_FLAG_MASK		0x8ff0U
-#define DNS_MESSAGE_EDNSRCODE_MASK	0xff000000U
-#define DNS_MESSAGE_EDNSRCODE_SHIFT	24
-#define DNS_MESSAGE_EDNSVERSION_MASK	0x00ff0000U
-#define DNS_MESSAGE_EDNSVERSION_SHIFT	16
-
-#define VALID_NAMED_SECTION(s)  (((s) > DNS_SECTION_ANY) \
-				 && ((s) < DNS_SECTION_MAX))
-#define VALID_SECTION(s)	(((s) >= DNS_SECTION_ANY) \
-				 && ((s) < DNS_SECTION_MAX))
-#define ADD_STRING(b, s)	{if (strlen(s) >= \
-				   isc_buffer_availablelength(b)) \
-				       return(ISC_R_NOSPACE); else \
-				       isc_buffer_putstr(b, s);}
-#define VALID_PSEUDOSECTION(s)	(((s) >= DNS_PSEUDOSECTION_ANY) \
-				 && ((s) < DNS_PSEUDOSECTION_MAX))
-
-#define OPTOUT(x) (((x)->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
-
-/*%
- * This is the size of each individual scratchpad buffer, and the numbers
- * of various block allocations used within the server.
- * XXXMLG These should come from a config setting.
- */
-#define SCRATCHPAD_SIZE		512
-#define NAME_COUNT		  8
-#define OFFSET_COUNT		  4
-#define RDATA_COUNT		  8
-#define RDATALIST_COUNT		  8
-#define RDATASET_COUNT		 RDATALIST_COUNT
-
-/*%
- * Text representation of the different items, for message_totext
- * functions.
- */
-static const char *sectiontext[] = {
-	"QUESTION",
-	"ANSWER",
-	"AUTHORITY",
-	"ADDITIONAL"
-};
-
-static const char *updsectiontext[] = {
-	"ZONE",
-	"PREREQUISITE",
-	"UPDATE",
-	"ADDITIONAL"
-};
-
-static const char *opcodetext[] = {
-	"QUERY",
-	"IQUERY",
-	"STATUS",
-	"RESERVED3",
-	"NOTIFY",
-	"UPDATE",
-	"RESERVED6",
-	"RESERVED7",
-	"RESERVED8",
-	"RESERVED9",
-	"RESERVED10",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15"
-};
-
-static const char *rcodetext[] = {
-	"NOERROR",
-	"FORMERR",
-	"SERVFAIL",
-	"NXDOMAIN",
-	"NOTIMP",
-	"REFUSED",
-	"YXDOMAIN",
-	"YXRRSET",
-	"NXRRSET",
-	"NOTAUTH",
-	"NOTZONE",
-	"RESERVED11",
-	"RESERVED12",
-	"RESERVED13",
-	"RESERVED14",
-	"RESERVED15",
-	"BADVERS"
-};
-
-
-/*%
- * "helper" type, which consists of a block of some type, and is linkable.
- * For it to work, sizeof(dns_msgblock_t) must be a multiple of the pointer
- * size, or the allocated elements will not be aligned correctly.
- */
-struct dns_msgblock {
-	unsigned int			count;
-	unsigned int			remaining;
-	ISC_LINK(dns_msgblock_t)	link;
-}; /* dynamically sized */
-
-static inline dns_msgblock_t *
-msgblock_allocate(isc_mem_t *, unsigned int, unsigned int);
-
-#define msgblock_get(block, type) \
-	((type *)msgblock_internalget(block, sizeof(type)))
-
-static inline void *
-msgblock_internalget(dns_msgblock_t *, unsigned int);
-
-static inline void
-msgblock_reset(dns_msgblock_t *);
-
-static inline void
-msgblock_free(isc_mem_t *, dns_msgblock_t *, unsigned int);
-
-/*
- * Allocate a new dns_msgblock_t, and return a pointer to it.  If no memory
- * is free, return NULL.
- */
-static inline dns_msgblock_t *
-msgblock_allocate(isc_mem_t *mctx, unsigned int sizeof_type,
-		  unsigned int count)
-{
-	dns_msgblock_t *block;
-	unsigned int length;
-
-	length = sizeof(dns_msgblock_t) + (sizeof_type * count);
-
-	block = isc_mem_get(mctx, length);
-	if (block == NULL)
-		return (NULL);
-
-	block->count = count;
-	block->remaining = count;
-
-	ISC_LINK_INIT(block, link);
-
-	return (block);
-}
-
-/*
- * Return an element from the msgblock.  If no more are available, return
- * NULL.
- */
-static inline void *
-msgblock_internalget(dns_msgblock_t *block, unsigned int sizeof_type) {
-	void *ptr;
-
-	if (block == NULL || block->remaining == 0)
-		return (NULL);
-
-	block->remaining--;
-
-	ptr = (((unsigned char *)block)
-	       + sizeof(dns_msgblock_t)
-	       + (sizeof_type * block->remaining));
-
-	return (ptr);
-}
-
-static inline void
-msgblock_reset(dns_msgblock_t *block) {
-	block->remaining = block->count;
-}
-
-/*
- * Release memory associated with a message block.
- */
-static inline void
-msgblock_free(isc_mem_t *mctx, dns_msgblock_t *block, unsigned int sizeof_type)
-{
-	unsigned int length;
-
-	length = sizeof(dns_msgblock_t) + (sizeof_type * block->count);
-
-	isc_mem_put(mctx, block, length);
-}
-
-/*
- * Allocate a new dynamic buffer, and attach it to this message as the
- * "current" buffer.  (which is always the last on the list, for our
- * uses)
- */
-static inline isc_result_t
-newbuffer(dns_message_t *msg, unsigned int size) {
-	isc_result_t result;
-	isc_buffer_t *dynbuf;
-
-	dynbuf = NULL;
-	result = isc_buffer_allocate(msg->mctx, &dynbuf, size);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_R_NOMEMORY);
-
-	ISC_LIST_APPEND(msg->scratchpad, dynbuf, link);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_buffer_t *
-currentbuffer(dns_message_t *msg) {
-	isc_buffer_t *dynbuf;
-
-	dynbuf = ISC_LIST_TAIL(msg->scratchpad);
-	INSIST(dynbuf != NULL);
-
-	return (dynbuf);
-}
-
-static inline void
-releaserdata(dns_message_t *msg, dns_rdata_t *rdata) {
-	ISC_LIST_PREPEND(msg->freerdata, rdata, link);
-}
-
-static inline dns_rdata_t *
-newrdata(dns_message_t *msg) {
-	dns_msgblock_t *msgblock;
-	dns_rdata_t *rdata;
-
-	rdata = ISC_LIST_HEAD(msg->freerdata);
-	if (rdata != NULL) {
-		ISC_LIST_UNLINK(msg->freerdata, rdata, link);
-		return (rdata);
-	}
-
-	msgblock = ISC_LIST_TAIL(msg->rdatas);
-	rdata = msgblock_get(msgblock, dns_rdata_t);
-	if (rdata == NULL) {
-		msgblock = msgblock_allocate(msg->mctx, sizeof(dns_rdata_t),
-					     RDATA_COUNT);
-		if (msgblock == NULL)
-			return (NULL);
-
-		ISC_LIST_APPEND(msg->rdatas, msgblock, link);
-
-		rdata = msgblock_get(msgblock, dns_rdata_t);
-	}
-
-	dns_rdata_init(rdata);
-	return (rdata);
-}
-
-static inline void
-releaserdatalist(dns_message_t *msg, dns_rdatalist_t *rdatalist) {
-	ISC_LIST_PREPEND(msg->freerdatalist, rdatalist, link);
-}
-
-static inline dns_rdatalist_t *
-newrdatalist(dns_message_t *msg) {
-	dns_msgblock_t *msgblock;
-	dns_rdatalist_t *rdatalist;
-
-	rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
-	if (rdatalist != NULL) {
-		ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
-		return (rdatalist);
-	}
-
-	msgblock = ISC_LIST_TAIL(msg->rdatalists);
-	rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
-	if (rdatalist == NULL) {
-		msgblock = msgblock_allocate(msg->mctx,
-					     sizeof(dns_rdatalist_t),
-					     RDATALIST_COUNT);
-		if (msgblock == NULL)
-			return (NULL);
-
-		ISC_LIST_APPEND(msg->rdatalists, msgblock, link);
-
-		rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
-	}
-
-	return (rdatalist);
-}
-
-static inline dns_offsets_t *
-newoffsets(dns_message_t *msg) {
-	dns_msgblock_t *msgblock;
-	dns_offsets_t *offsets;
-
-	msgblock = ISC_LIST_TAIL(msg->offsets);
-	offsets = msgblock_get(msgblock, dns_offsets_t);
-	if (offsets == NULL) {
-		msgblock = msgblock_allocate(msg->mctx,
-					     sizeof(dns_offsets_t),
-					     OFFSET_COUNT);
-		if (msgblock == NULL)
-			return (NULL);
-
-		ISC_LIST_APPEND(msg->offsets, msgblock, link);
-
-		offsets = msgblock_get(msgblock, dns_offsets_t);
-	}
-
-	return (offsets);
-}
-
-static inline void
-msginitheader(dns_message_t *m) {
-	m->id = 0;
-	m->flags = 0;
-	m->rcode = 0;
-	m->opcode = 0;
-	m->rdclass = 0;
-}
-
-static inline void
-msginitprivate(dns_message_t *m) {
-	unsigned int i;
-
-	for (i = 0; i < DNS_SECTION_MAX; i++) {
-		m->cursors[i] = NULL;
-		m->counts[i] = 0;
-	}
-	m->opt = NULL;
-	m->sig0 = NULL;
-	m->sig0name = NULL;
-	m->tsig = NULL;
-	m->tsigname = NULL;
-	m->state = DNS_SECTION_ANY;  /* indicate nothing parsed or rendered */
-	m->opt_reserved = 0;
-	m->sig_reserved = 0;
-	m->reserved = 0;
-	m->buffer = NULL;
-}
-
-static inline void
-msginittsig(dns_message_t *m) {
-	m->tsigstatus = dns_rcode_noerror;
-	m->querytsigstatus = dns_rcode_noerror;
-	m->tsigkey = NULL;
-	m->tsigctx = NULL;
-	m->sigstart = -1;
-	m->sig0key = NULL;
-	m->sig0status = dns_rcode_noerror;
-	m->timeadjust = 0;
-}
-
-/*
- * Init elements to default state.  Used both when allocating a new element
- * and when resetting one.
- */
-static inline void
-msginit(dns_message_t *m) {
-	msginitheader(m);
-	msginitprivate(m);
-	msginittsig(m);
-	m->header_ok = 0;
-	m->question_ok = 0;
-	m->tcp_continuation = 0;
-	m->verified_sig = 0;
-	m->verify_attempted = 0;
-	m->order = NULL;
-	m->order_arg = NULL;
-	m->query.base = NULL;
-	m->query.length = 0;
-	m->free_query = 0;
-	m->saved.base = NULL;
-	m->saved.length = 0;
-	m->free_saved = 0;
-	m->querytsig = NULL;
-}
-
-static inline void
-msgresetnames(dns_message_t *msg, unsigned int first_section) {
-	unsigned int i;
-	dns_name_t *name, *next_name;
-	dns_rdataset_t *rds, *next_rds;
-
-	/*
-	 * Clean up name lists by calling the rdataset disassociate function.
-	 */
-	for (i = first_section; i < DNS_SECTION_MAX; i++) {
-		name = ISC_LIST_HEAD(msg->sections[i]);
-		while (name != NULL) {
-			next_name = ISC_LIST_NEXT(name, link);
-			ISC_LIST_UNLINK(msg->sections[i], name, link);
-
-			rds = ISC_LIST_HEAD(name->list);
-			while (rds != NULL) {
-				next_rds = ISC_LIST_NEXT(rds, link);
-				ISC_LIST_UNLINK(name->list, rds, link);
-
-				INSIST(dns_rdataset_isassociated(rds));
-				dns_rdataset_disassociate(rds);
-				isc_mempool_put(msg->rdspool, rds);
-				rds = next_rds;
-			}
-			if (dns_name_dynamic(name))
-				dns_name_free(name, msg->mctx);
-			isc_mempool_put(msg->namepool, name);
-			name = next_name;
-		}
-	}
-}
-
-static void
-msgresetopt(dns_message_t *msg)
-{
-	if (msg->opt != NULL) {
-		if (msg->opt_reserved > 0) {
-			dns_message_renderrelease(msg, msg->opt_reserved);
-			msg->opt_reserved = 0;
-		}
-		INSIST(dns_rdataset_isassociated(msg->opt));
-		dns_rdataset_disassociate(msg->opt);
-		isc_mempool_put(msg->rdspool, msg->opt);
-		msg->opt = NULL;
-	}
-}
-
-static void
-msgresetsigs(dns_message_t *msg, isc_boolean_t replying) {
-	if (msg->sig_reserved > 0) {
-		dns_message_renderrelease(msg, msg->sig_reserved);
-		msg->sig_reserved = 0;
-	}
-	if (msg->tsig != NULL) {
-		INSIST(dns_rdataset_isassociated(msg->tsig));
-		INSIST(msg->namepool != NULL);
-		if (replying) {
-			INSIST(msg->querytsig == NULL);
-			msg->querytsig = msg->tsig;
-		} else {
-			dns_rdataset_disassociate(msg->tsig);
-			isc_mempool_put(msg->rdspool, msg->tsig);
-			if (msg->querytsig != NULL) {
-				dns_rdataset_disassociate(msg->querytsig);
-				isc_mempool_put(msg->rdspool, msg->querytsig);
-			}
-		}
-		if (dns_name_dynamic(msg->tsigname))
-			dns_name_free(msg->tsigname, msg->mctx);
-		isc_mempool_put(msg->namepool, msg->tsigname);
-		msg->tsig = NULL;
-		msg->tsigname = NULL;
-	} else if (msg->querytsig != NULL && !replying) {
-		dns_rdataset_disassociate(msg->querytsig);
-		isc_mempool_put(msg->rdspool, msg->querytsig);
-		msg->querytsig = NULL;
-	}
-	if (msg->sig0 != NULL) {
-		INSIST(dns_rdataset_isassociated(msg->sig0));
-		dns_rdataset_disassociate(msg->sig0);
-		isc_mempool_put(msg->rdspool, msg->sig0);
-		if (msg->sig0name != NULL) {
-			if (dns_name_dynamic(msg->sig0name))
-				dns_name_free(msg->sig0name, msg->mctx);
-			isc_mempool_put(msg->namepool, msg->sig0name);
-		}
-		msg->sig0 = NULL;
-		msg->sig0name = NULL;
-	}
-}
-
-/*
- * Free all but one (or everything) for this message.  This is used by
- * both dns_message_reset() and dns_message_destroy().
- */
-static void
-msgreset(dns_message_t *msg, isc_boolean_t everything) {
-	dns_msgblock_t *msgblock, *next_msgblock;
-	isc_buffer_t *dynbuf, *next_dynbuf;
-	dns_rdata_t *rdata;
-	dns_rdatalist_t *rdatalist;
-
-	msgresetnames(msg, 0);
-	msgresetopt(msg);
-	msgresetsigs(msg, ISC_FALSE);
-
-	/*
-	 * Clean up linked lists.
-	 */
-
-	/*
-	 * Run through the free lists, and just unlink anything found there.
-	 * The memory isn't lost since these are part of message blocks we
-	 * have allocated.
-	 */
-	rdata = ISC_LIST_HEAD(msg->freerdata);
-	while (rdata != NULL) {
-		ISC_LIST_UNLINK(msg->freerdata, rdata, link);
-		rdata = ISC_LIST_HEAD(msg->freerdata);
-	}
-	rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
-	while (rdatalist != NULL) {
-		ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
-		rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
-	}
-
-	dynbuf = ISC_LIST_HEAD(msg->scratchpad);
-	INSIST(dynbuf != NULL);
-	if (!everything) {
-		isc_buffer_clear(dynbuf);
-		dynbuf = ISC_LIST_NEXT(dynbuf, link);
-	}
-	while (dynbuf != NULL) {
-		next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
-		ISC_LIST_UNLINK(msg->scratchpad, dynbuf, link);
-		isc_buffer_free(&dynbuf);
-		dynbuf = next_dynbuf;
-	}
-
-	msgblock = ISC_LIST_HEAD(msg->rdatas);
-	if (!everything && msgblock != NULL) {
-		msgblock_reset(msgblock);
-		msgblock = ISC_LIST_NEXT(msgblock, link);
-	}
-	while (msgblock != NULL) {
-		next_msgblock = ISC_LIST_NEXT(msgblock, link);
-		ISC_LIST_UNLINK(msg->rdatas, msgblock, link);
-		msgblock_free(msg->mctx, msgblock, sizeof(dns_rdata_t));
-		msgblock = next_msgblock;
-	}
-
-	/*
-	 * rdatalists could be empty.
-	 */
-
-	msgblock = ISC_LIST_HEAD(msg->rdatalists);
-	if (!everything && msgblock != NULL) {
-		msgblock_reset(msgblock);
-		msgblock = ISC_LIST_NEXT(msgblock, link);
-	}
-	while (msgblock != NULL) {
-		next_msgblock = ISC_LIST_NEXT(msgblock, link);
-		ISC_LIST_UNLINK(msg->rdatalists, msgblock, link);
-		msgblock_free(msg->mctx, msgblock, sizeof(dns_rdatalist_t));
-		msgblock = next_msgblock;
-	}
-
-	msgblock = ISC_LIST_HEAD(msg->offsets);
-	if (!everything && msgblock != NULL) {
-		msgblock_reset(msgblock);
-		msgblock = ISC_LIST_NEXT(msgblock, link);
-	}
-	while (msgblock != NULL) {
-		next_msgblock = ISC_LIST_NEXT(msgblock, link);
-		ISC_LIST_UNLINK(msg->offsets, msgblock, link);
-		msgblock_free(msg->mctx, msgblock, sizeof(dns_offsets_t));
-		msgblock = next_msgblock;
-	}
-
-	if (msg->tsigkey != NULL) {
-		dns_tsigkey_detach(&msg->tsigkey);
-		msg->tsigkey = NULL;
-	}
-
-	if (msg->tsigctx != NULL)
-		dst_context_destroy(&msg->tsigctx);
-
-	if (msg->query.base != NULL) {
-		if (msg->free_query != 0)
-			isc_mem_put(msg->mctx, msg->query.base,
-				    msg->query.length);
-		msg->query.base = NULL;
-		msg->query.length = 0;
-	}
-
-	if (msg->saved.base != NULL) {
-		if (msg->free_saved != 0)
-			isc_mem_put(msg->mctx, msg->saved.base,
-				    msg->saved.length);
-		msg->saved.base = NULL;
-		msg->saved.length = 0;
-	}
-
-	/*
-	 * cleanup the buffer cleanup list
-	 */
-	dynbuf = ISC_LIST_HEAD(msg->cleanup);
-	while (dynbuf != NULL) {
-		next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
-		ISC_LIST_UNLINK(msg->cleanup, dynbuf, link);
-		isc_buffer_free(&dynbuf);
-		dynbuf = next_dynbuf;
-	}
-
-	/*
-	 * Set other bits to normal default values.
-	 */
-	if (!everything)
-		msginit(msg);
-
-	ENSURE(isc_mempool_getallocated(msg->namepool) == 0);
-	ENSURE(isc_mempool_getallocated(msg->rdspool) == 0);
-}
-
-static unsigned int
-spacefortsig(dns_tsigkey_t *key, int otherlen) {
-	isc_region_t r1, r2;
-	unsigned int x;
-	isc_result_t result;
-
-	/*
-	 * The space required for an TSIG record is:
-	 *
-	 *	n1 bytes for the name
-	 *	2 bytes for the type
-	 *	2 bytes for the class
-	 *	4 bytes for the ttl
-	 *	2 bytes for the rdlength
-	 *	n2 bytes for the algorithm name
-	 *	6 bytes for the time signed
-	 *	2 bytes for the fudge
-	 *	2 bytes for the MAC size
-	 *	x bytes for the MAC
-	 *	2 bytes for the original id
-	 *	2 bytes for the error
-	 *	2 bytes for the other data length
-	 *	y bytes for the other data (at most)
-	 * ---------------------------------
-	 *     26 + n1 + n2 + x + y bytes
-	 */
-
-	dns_name_toregion(&key->name, &r1);
-	dns_name_toregion(key->algorithm, &r2);
-	if (key->key == NULL)
-		x = 0;
-	else {
-		result = dst_key_sigsize(key->key, &x);
-		if (result != ISC_R_SUCCESS)
-			x = 0;
-	}
-	return (26 + r1.length + r2.length + x + otherlen);
-}
-
-isc_result_t
-dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
-{
-	dns_message_t *m;
-	isc_result_t result;
-	isc_buffer_t *dynbuf;
-	unsigned int i;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(msgp != NULL);
-	REQUIRE(*msgp == NULL);
-	REQUIRE(intent == DNS_MESSAGE_INTENTPARSE
-		|| intent == DNS_MESSAGE_INTENTRENDER);
-
-	m = isc_mem_get(mctx, sizeof(dns_message_t));
-	if (m == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/*
-	 * No allocations until further notice.  Just initialize all lists
-	 * and other members that are freed in the cleanup phase here.
-	 */
-
-	m->magic = DNS_MESSAGE_MAGIC;
-	m->from_to_wire = intent;
-	msginit(m);
-
-	for (i = 0; i < DNS_SECTION_MAX; i++)
-		ISC_LIST_INIT(m->sections[i]);
-
-	m->mctx = NULL;
-	isc_mem_attach(mctx, &m->mctx);
-
-	ISC_LIST_INIT(m->scratchpad);
-	ISC_LIST_INIT(m->cleanup);
-	m->namepool = NULL;
-	m->rdspool = NULL;
-	ISC_LIST_INIT(m->rdatas);
-	ISC_LIST_INIT(m->rdatalists);
-	ISC_LIST_INIT(m->offsets);
-	ISC_LIST_INIT(m->freerdata);
-	ISC_LIST_INIT(m->freerdatalist);
-
-	/*
-	 * Ok, it is safe to allocate (and then "goto cleanup" if failure)
-	 */
-
-	result = isc_mempool_create(m->mctx, sizeof(dns_name_t), &m->namepool);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	isc_mempool_setfreemax(m->namepool, NAME_COUNT);
-	isc_mempool_setname(m->namepool, "msg:names");
-
-	result = isc_mempool_create(m->mctx, sizeof(dns_rdataset_t),
-				    &m->rdspool);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	isc_mempool_setfreemax(m->rdspool, NAME_COUNT);
-	isc_mempool_setname(m->rdspool, "msg:rdataset");
-
-	dynbuf = NULL;
-	result = isc_buffer_allocate(mctx, &dynbuf, SCRATCHPAD_SIZE);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	ISC_LIST_APPEND(m->scratchpad, dynbuf, link);
-
-	m->cctx = NULL;
-
-	*msgp = m;
-	return (ISC_R_SUCCESS);
-
-	/*
-	 * Cleanup for error returns.
-	 */
- cleanup:
-	dynbuf = ISC_LIST_HEAD(m->scratchpad);
-	if (dynbuf != NULL) {
-		ISC_LIST_UNLINK(m->scratchpad, dynbuf, link);
-		isc_buffer_free(&dynbuf);
-	}
-	if (m->namepool != NULL)
-		isc_mempool_destroy(&m->namepool);
-	if (m->rdspool != NULL)
-		isc_mempool_destroy(&m->rdspool);
-	m->magic = 0;
-	isc_mem_putanddetach(&mctx, m, sizeof(dns_message_t));
-
-	return (ISC_R_NOMEMORY);
-}
-
-void
-dns_message_reset(dns_message_t *msg, unsigned int intent) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(intent == DNS_MESSAGE_INTENTPARSE
-		|| intent == DNS_MESSAGE_INTENTRENDER);
-
-	msgreset(msg, ISC_FALSE);
-	msg->from_to_wire = intent;
-}
-
-void
-dns_message_destroy(dns_message_t **msgp) {
-	dns_message_t *msg;
-
-	REQUIRE(msgp != NULL);
-	REQUIRE(DNS_MESSAGE_VALID(*msgp));
-
-	msg = *msgp;
-	*msgp = NULL;
-
-	msgreset(msg, ISC_TRUE);
-	isc_mempool_destroy(&msg->namepool);
-	isc_mempool_destroy(&msg->rdspool);
-	msg->magic = 0;
-	isc_mem_putanddetach(&msg->mctx, msg, sizeof(dns_message_t));
-}
-
-static isc_result_t
-findname(dns_name_t **foundname, dns_name_t *target,
-	 dns_namelist_t *section)
-{
-	dns_name_t *curr;
-
-	for (curr = ISC_LIST_TAIL(*section);
-	     curr != NULL;
-	     curr = ISC_LIST_PREV(curr, link)) {
-		if (dns_name_equal(curr, target)) {
-			if (foundname != NULL)
-				*foundname = curr;
-			return (ISC_R_SUCCESS);
-		}
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_message_find(dns_name_t *name, dns_rdataclass_t rdclass,
-		 dns_rdatatype_t type, dns_rdatatype_t covers,
-		 dns_rdataset_t **rdataset)
-{
-	dns_rdataset_t *curr;
-
-	if (rdataset != NULL) {
-		REQUIRE(*rdataset == NULL);
-	}
-
-	for (curr = ISC_LIST_TAIL(name->list);
-	     curr != NULL;
-	     curr = ISC_LIST_PREV(curr, link)) {
-		if (curr->rdclass == rdclass &&
-		    curr->type == type && curr->covers == covers) {
-			if (rdataset != NULL)
-				*rdataset = curr;
-			return (ISC_R_SUCCESS);
-		}
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
-		     dns_rdatatype_t covers, dns_rdataset_t **rdataset)
-{
-	dns_rdataset_t *curr;
-
-	REQUIRE(name != NULL);
-	if (rdataset != NULL) {
-		REQUIRE(*rdataset == NULL);
-	}
-
-	for (curr = ISC_LIST_TAIL(name->list);
-	     curr != NULL;
-	     curr = ISC_LIST_PREV(curr, link)) {
-		if (curr->type == type && curr->covers == covers) {
-			if (rdataset != NULL)
-				*rdataset = curr;
-			return (ISC_R_SUCCESS);
-		}
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-/*
- * Read a name from buffer "source".
- */
-static isc_result_t
-getname(dns_name_t *name, isc_buffer_t *source, dns_message_t *msg,
-	dns_decompress_t *dctx)
-{
-	isc_buffer_t *scratch;
-	isc_result_t result;
-	unsigned int tries;
-
-	scratch = currentbuffer(msg);
-
-	/*
-	 * First try:  use current buffer.
-	 * Second try:  allocate a new buffer and use that.
-	 */
-	tries = 0;
-	while (tries < 2) {
-		result = dns_name_fromwire(name, source, dctx, ISC_FALSE,
-					   scratch);
-
-		if (result == ISC_R_NOSPACE) {
-			tries++;
-
-			result = newbuffer(msg, SCRATCHPAD_SIZE);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-
-			scratch = currentbuffer(msg);
-			dns_name_reset(name);
-		} else {
-			return (result);
-		}
-	}
-
-	INSIST(0);  /* Cannot get here... */
-	return (ISC_R_UNEXPECTED);
-}
-
-static isc_result_t
-getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
-	 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
-	 unsigned int rdatalen, dns_rdata_t *rdata)
-{
-	isc_buffer_t *scratch;
-	isc_result_t result;
-	unsigned int tries;
-	unsigned int trysize;
-
-	scratch = currentbuffer(msg);
-
-	isc_buffer_setactive(source, rdatalen);
-
-	/*
-	 * First try:  use current buffer.
-	 * Second try:  allocate a new buffer of size
-	 *     max(SCRATCHPAD_SIZE, 2 * compressed_rdatalen)
-	 *     (the data will fit if it was not more than 50% compressed)
-	 * Subsequent tries: double buffer size on each try.
-	 */
-	tries = 0;
-	trysize = 0;
-	/* XXX possibly change this to a while (tries < 2) loop */
-	for (;;) {
-		result = dns_rdata_fromwire(rdata, rdclass, rdtype,
-					    source, dctx, 0,
-					    scratch);
-
-		if (result == ISC_R_NOSPACE) {
-			if (tries == 0) {
-				trysize = 2 * rdatalen;
-				if (trysize < SCRATCHPAD_SIZE)
-					trysize = SCRATCHPAD_SIZE;
-			} else {
-				INSIST(trysize != 0);
-				if (trysize >= 65535)
-					return (ISC_R_NOSPACE);
-					/* XXX DNS_R_RRTOOLONG? */
-				trysize *= 2;
-			}
-			tries++;
-			result = newbuffer(msg, trysize);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-
-			scratch = currentbuffer(msg);
-		} else {
-			return (result);
-		}
-	}
-}
-
-#define DO_FORMERR					\
-	do {						\
-		if (best_effort)			\
-			seen_problem = ISC_TRUE;	\
-		else {					\
-			result = DNS_R_FORMERR;		\
-			goto cleanup;			\
-		}					\
-	} while (0)
-
-static isc_result_t
-getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
-	     unsigned int options)
-{
-	isc_region_t r;
-	unsigned int count;
-	dns_name_t *name;
-	dns_name_t *name2;
-	dns_offsets_t *offsets;
-	dns_rdataset_t *rdataset;
-	dns_rdatalist_t *rdatalist;
-	isc_result_t result;
-	dns_rdatatype_t rdtype;
-	dns_rdataclass_t rdclass;
-	dns_namelist_t *section;
-	isc_boolean_t free_name;
-	isc_boolean_t best_effort;
-	isc_boolean_t seen_problem;
-
-	section = &msg->sections[DNS_SECTION_QUESTION];
-
-	best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
-	seen_problem = ISC_FALSE;
-
-	name = NULL;
-	rdataset = NULL;
-	rdatalist = NULL;
-
-	for (count = 0; count < msg->counts[DNS_SECTION_QUESTION]; count++) {
-		name = isc_mempool_get(msg->namepool);
-		if (name == NULL)
-			return (ISC_R_NOMEMORY);
-		free_name = ISC_TRUE;
-
-		offsets = newoffsets(msg);
-		if (offsets == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-		dns_name_init(name, *offsets);
-
-		/*
-		 * Parse the name out of this packet.
-		 */
-		isc_buffer_remainingregion(source, &r);
-		isc_buffer_setactive(source, r.length);
-		result = getname(name, source, msg, dctx);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		/*
-		 * Run through the section, looking to see if this name
-		 * is already there.  If it is found, put back the allocated
-		 * name since we no longer need it, and set our name pointer
-		 * to point to the name we found.
-		 */
-		result = findname(&name2, name, section);
-
-		/*
-		 * If it is the first name in the section, accept it.
-		 *
-		 * If it is not, but is not the same as the name already
-		 * in the question section, append to the section.  Note that
-		 * here in the question section this is illegal, so return
-		 * FORMERR.  In the future, check the opcode to see if
-		 * this should be legal or not.  In either case we no longer
-		 * need this name pointer.
-		 */
-		if (result != ISC_R_SUCCESS) {
-			if (!ISC_LIST_EMPTY(*section))
-				DO_FORMERR;
-			ISC_LIST_APPEND(*section, name, link);
-			free_name = ISC_FALSE;
-		} else {
-			isc_mempool_put(msg->namepool, name);
-			name = name2;
-			name2 = NULL;
-			free_name = ISC_FALSE;
-		}
-
-		/*
-		 * Get type and class.
-		 */
-		isc_buffer_remainingregion(source, &r);
-		if (r.length < 4) {
-			result = ISC_R_UNEXPECTEDEND;
-			goto cleanup;
-		}
-		rdtype = isc_buffer_getuint16(source);
-		rdclass = isc_buffer_getuint16(source);
-
-		/*
-		 * If this class is different than the one we already read,
-		 * this is an error.
-		 */
-		if (msg->state == DNS_SECTION_ANY) {
-			msg->state = DNS_SECTION_QUESTION;
-			msg->rdclass = rdclass;
-		} else if (msg->rdclass != rdclass)
-			DO_FORMERR;
-
-		/*
-		 * Can't ask the same question twice.
-		 */
-		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
-		if (result == ISC_R_SUCCESS)
-			DO_FORMERR;
-
-		/*
-		 * Allocate a new rdatalist.
-		 */
-		rdatalist = newrdatalist(msg);
-		if (rdatalist == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-		rdataset =  isc_mempool_get(msg->rdspool);
-		if (rdataset == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-
-		/*
-		 * Convert rdatalist to rdataset, and attach the latter to
-		 * the name.
-		 */
-		rdatalist->type = rdtype;
-		rdatalist->covers = 0;
-		rdatalist->rdclass = rdclass;
-		rdatalist->ttl = 0;
-		ISC_LIST_INIT(rdatalist->rdata);
-
-		dns_rdataset_init(rdataset);
-		result = dns_rdatalist_tordataset(rdatalist, rdataset);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
-
-		ISC_LIST_APPEND(name->list, rdataset, link);
-		rdataset = NULL;
-	}
-
-	if (seen_problem)
-		return (DNS_R_RECOVERABLE);
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (rdataset != NULL) {
-		INSIST(!dns_rdataset_isassociated(rdataset));
-		isc_mempool_put(msg->rdspool, rdataset);
-	}
-#if 0
-	if (rdatalist != NULL)
-		isc_mempool_put(msg->rdlpool, rdatalist);
-#endif
-	if (free_name)
-		isc_mempool_put(msg->namepool, name);
-
-	return (result);
-}
-
-static isc_boolean_t
-update(dns_section_t section, dns_rdataclass_t rdclass) {
-	if (section == DNS_SECTION_PREREQUISITE)
-		return (ISC_TF(rdclass == dns_rdataclass_any ||
-			       rdclass == dns_rdataclass_none));
-	if (section == DNS_SECTION_UPDATE)
-		return (ISC_TF(rdclass == dns_rdataclass_any));
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
-	   dns_section_t sectionid, unsigned int options)
-{
-	isc_region_t r;
-	unsigned int count, rdatalen;
-	dns_name_t *name;
-	dns_name_t *name2;
-	dns_offsets_t *offsets;
-	dns_rdataset_t *rdataset;
-	dns_rdatalist_t *rdatalist;
-	isc_result_t result;
-	dns_rdatatype_t rdtype, covers;
-	dns_rdataclass_t rdclass;
-	dns_rdata_t *rdata;
-	dns_ttl_t ttl;
-	dns_namelist_t *section;
-	isc_boolean_t free_name, free_rdataset;
-	isc_boolean_t preserve_order, best_effort, seen_problem;
-	isc_boolean_t issigzero;
-
-	preserve_order = ISC_TF(options & DNS_MESSAGEPARSE_PRESERVEORDER);
-	best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
-	seen_problem = ISC_FALSE;
-
-	for (count = 0; count < msg->counts[sectionid]; count++) {
-		int recstart = source->current;
-		isc_boolean_t skip_name_search, skip_type_search;
-
-		section = &msg->sections[sectionid];
-
-		skip_name_search = ISC_FALSE;
-		skip_type_search = ISC_FALSE;
-		free_rdataset = ISC_FALSE;
-
-		name = isc_mempool_get(msg->namepool);
-		if (name == NULL)
-			return (ISC_R_NOMEMORY);
-		free_name = ISC_TRUE;
-
-		offsets = newoffsets(msg);
-		if (offsets == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-		dns_name_init(name, *offsets);
-
-		/*
-		 * Parse the name out of this packet.
-		 */
-		isc_buffer_remainingregion(source, &r);
-		isc_buffer_setactive(source, r.length);
-		result = getname(name, source, msg, dctx);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		/*
-		 * Get type, class, ttl, and rdatalen.  Verify that at least
-		 * rdatalen bytes remain.  (Some of this is deferred to
-		 * later.)
-		 */
-		isc_buffer_remainingregion(source, &r);
-		if (r.length < 2 + 2 + 4 + 2) {
-			result = ISC_R_UNEXPECTEDEND;
-			goto cleanup;
-		}
-		rdtype = isc_buffer_getuint16(source);
-		rdclass = isc_buffer_getuint16(source);
-
-		/*
-		 * If there was no question section, we may not yet have
-		 * established a class.  Do so now.
-		 */
-		if (msg->state == DNS_SECTION_ANY &&
-		    rdtype != dns_rdatatype_opt &&	/* class is UDP SIZE */
-		    rdtype != dns_rdatatype_tsig &&	/* class is ANY */
-		    rdtype != dns_rdatatype_tkey) {	/* class is undefined */
-			msg->rdclass = rdclass;
-			msg->state = DNS_SECTION_QUESTION;
-		}
-
-		/*
-		 * If this class is different than the one in the question
-		 * section, bail.
-		 */
-		if (msg->opcode != dns_opcode_update
-		    && rdtype != dns_rdatatype_tsig
-		    && rdtype != dns_rdatatype_opt
-		    && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
-		    && rdtype != dns_rdatatype_sig /* SIG(0) */
-		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
-		    && msg->rdclass != dns_rdataclass_any
-		    && msg->rdclass != rdclass)
-			DO_FORMERR;
-
-		/*
-		 * Special type handling for TSIG, OPT, and TKEY.
-		 */
-		if (rdtype == dns_rdatatype_tsig) {
-			/*
-			 * If it is a tsig, verify that it is in the
-			 * additional data section.
-			 */
-			if (sectionid != DNS_SECTION_ADDITIONAL ||
-			    rdclass != dns_rdataclass_any ||
-			    count != msg->counts[sectionid]  - 1)
-				DO_FORMERR;
-			msg->sigstart = recstart;
-			skip_name_search = ISC_TRUE;
-			skip_type_search = ISC_TRUE;
-		} else if (rdtype == dns_rdatatype_opt) {
-			/*
-			 * The name of an OPT record must be ".", it
-			 * must be in the additional data section, and
-			 * it must be the first OPT we've seen.
-			 */
-			if (!dns_name_equal(dns_rootname, name) ||
-			    msg->opt != NULL)
-				DO_FORMERR;
-			skip_name_search = ISC_TRUE;
-			skip_type_search = ISC_TRUE;
-		} else if (rdtype == dns_rdatatype_tkey) {
-			/*
-			 * A TKEY must be in the additional section if this
-			 * is a query, and the answer section if this is a
-			 * response.  Unless it's a Win2000 client.
-			 *
-			 * Its class is ignored.
-			 */
-			dns_section_t tkeysection;
-
-			if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0)
-				tkeysection = DNS_SECTION_ADDITIONAL;
-			else
-				tkeysection = DNS_SECTION_ANSWER;
-			if (sectionid != tkeysection &&
-			    sectionid != DNS_SECTION_ANSWER)
-				DO_FORMERR;
-		}
-
-		/*
-		 * ... now get ttl and rdatalen, and check buffer.
-		 */
-		ttl = isc_buffer_getuint32(source);
-		rdatalen = isc_buffer_getuint16(source);
-		r.length -= (2 + 2 + 4 + 2);
-		if (r.length < rdatalen) {
-			result = ISC_R_UNEXPECTEDEND;
-			goto cleanup;
-		}
-
-		/*
-		 * Read the rdata from the wire format.  Interpret the
-		 * rdata according to its actual class, even if it had a
-		 * DynDNS meta-class in the packet (unless this is a TSIG).
-		 * Then put the meta-class back into the finished rdata.
-		 */
-		rdata = newrdata(msg);
-		if (rdata == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
-		if (msg->opcode == dns_opcode_update &&
-		    update(sectionid, rdclass)) {
-			if (rdatalen != 0) {
-				result = DNS_R_FORMERR;
-				goto cleanup;
-			}
-			/*
-			 * When the rdata is empty, the data pointer is
-			 * never dereferenced, but it must still be non-NULL.
-			 * Casting 1 rather than "" avoids warnings about
-			 * discarding the const attribute of a string,
-			 * for compilers that would warn about such things.
-			 */
-			rdata->data = (unsigned char *)1;
-			rdata->length = 0;
-			rdata->rdclass = rdclass;
-			rdata->type = rdtype;
-			rdata->flags = DNS_RDATA_UPDATE;
-			result = ISC_R_SUCCESS;
-		} else if (rdclass == dns_rdataclass_none &&
-			   msg->opcode == dns_opcode_update &&
-			   sectionid == DNS_SECTION_UPDATE) {
-			result = getrdata(source, msg, dctx, msg->rdclass,
-					  rdtype, rdatalen, rdata);
-		} else
-			result = getrdata(source, msg, dctx, rdclass,
-					  rdtype, rdatalen, rdata);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		rdata->rdclass = rdclass;
-		issigzero = ISC_FALSE;
-		if (rdtype == dns_rdatatype_rrsig  &&
-		    rdata->flags == 0) {
-			covers = dns_rdata_covers(rdata);
-			if (covers == 0)
-				DO_FORMERR;
-		} else if (rdtype == dns_rdatatype_sig /* SIG(0) */ &&
-			   rdata->flags == 0) {
-			covers = dns_rdata_covers(rdata);
-			if (covers == 0) {
-				if (sectionid != DNS_SECTION_ADDITIONAL ||
-				    count != msg->counts[sectionid]  - 1)
-					DO_FORMERR;
-				msg->sigstart = recstart;
-				skip_name_search = ISC_TRUE;
-				skip_type_search = ISC_TRUE;
-				issigzero = ISC_TRUE;
-			}
-		} else
-			covers = 0;
-
-		/*
-		 * If we are doing a dynamic update or this is a meta-type,
-		 * don't bother searching for a name, just append this one
-		 * to the end of the message.
-		 */
-		if (preserve_order || msg->opcode == dns_opcode_update ||
-		    skip_name_search) {
-			if (rdtype != dns_rdatatype_opt &&
-			    rdtype != dns_rdatatype_tsig &&
-			    !issigzero)
-			{
-				ISC_LIST_APPEND(*section, name, link);
-				free_name = ISC_FALSE;
-			}
-		} else {
-			/*
-			 * Run through the section, looking to see if this name
-			 * is already there.  If it is found, put back the
-			 * allocated name since we no longer need it, and set
-			 * our name pointer to point to the name we found.
-			 */
-			result = findname(&name2, name, section);
-
-			/*
-			 * If it is a new name, append to the section.
-			 */
-			if (result == ISC_R_SUCCESS) {
-				isc_mempool_put(msg->namepool, name);
-				name = name2;
-			} else {
-				ISC_LIST_APPEND(*section, name, link);
-			}
-			free_name = ISC_FALSE;
-		}
-
-		/*
-		 * Search name for the particular type and class.
-		 * Skip this stage if in update mode or this is a meta-type.
-		 */
-		if (preserve_order || msg->opcode == dns_opcode_update ||
-		    skip_type_search)
-			result = ISC_R_NOTFOUND;
-		else {
-			/*
-			 * If this is a type that can only occur in
-			 * the question section, fail.
-			 */
-			if (dns_rdatatype_questiononly(rdtype))
-				DO_FORMERR;
-
-			rdataset = NULL;
-			result = dns_message_find(name, rdclass, rdtype,
-						   covers, &rdataset);
-		}
-
-		/*
-		 * If we found an rdataset that matches, we need to
-		 * append this rdata to that set.  If we did not, we need
-		 * to create a new rdatalist, store the important bits there,
-		 * convert it to an rdataset, and link the latter to the name.
-		 * Yuck.  When appending, make certain that the type isn't
-		 * a singleton type, such as SOA or CNAME.
-		 *
-		 * Note that this check will be bypassed when preserving order,
-		 * the opcode is an update, or the type search is skipped.
-		 */
-		if (result == ISC_R_SUCCESS) {
-			if (dns_rdatatype_issingleton(rdtype)) {
-				dns_rdata_t *first;
-				dns_rdatalist_fromrdataset(rdataset,
-							   &rdatalist);
-				first = ISC_LIST_HEAD(rdatalist->rdata);
-				INSIST(first != NULL);
-				if (dns_rdata_compare(rdata, first) != 0)
-					DO_FORMERR;
-			}
-		}
-
-		if (result == ISC_R_NOTFOUND) {
-			rdataset = isc_mempool_get(msg->rdspool);
-			if (rdataset == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-			free_rdataset = ISC_TRUE;
-
-			rdatalist = newrdatalist(msg);
-			if (rdatalist == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-
-			rdatalist->type = rdtype;
-			rdatalist->covers = covers;
-			rdatalist->rdclass = rdclass;
-			rdatalist->ttl = ttl;
-			ISC_LIST_INIT(rdatalist->rdata);
-
-			dns_rdataset_init(rdataset);
-			RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist,
-							       rdataset)
-				      == ISC_R_SUCCESS);
-
-			if (rdtype != dns_rdatatype_opt &&
-			    rdtype != dns_rdatatype_tsig &&
-			    !issigzero)
-			{
-				ISC_LIST_APPEND(name->list, rdataset, link);
-				free_rdataset = ISC_FALSE;
-			}
-		}
-
-		/*
-		 * Minimize TTLs.
-		 *
-		 * Section 5.2 of RFC2181 says we should drop
-		 * nonauthoritative rrsets where the TTLs differ, but we
-		 * currently treat them the as if they were authoritative and
-		 * minimize them.
-		 */
-		if (ttl != rdataset->ttl) {
-			rdataset->attributes |= DNS_RDATASETATTR_TTLADJUSTED;
-			if (ttl < rdataset->ttl)
-				rdataset->ttl = ttl;
-		}
-
-		/* Append this rdata to the rdataset. */
-		dns_rdatalist_fromrdataset(rdataset, &rdatalist);
-		ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-
-		/*
-		 * If this is an OPT record, remember it.  Also, set
-		 * the extended rcode.  Note that msg->opt will only be set
-		 * if best-effort parsing is enabled.
-		 */
-		if (rdtype == dns_rdatatype_opt && msg->opt == NULL) {
-			dns_rcode_t ercode;
-
-			msg->opt = rdataset;
-			rdataset = NULL;
-			free_rdataset = ISC_FALSE;
-			ercode = (dns_rcode_t)
-				((msg->opt->ttl & DNS_MESSAGE_EDNSRCODE_MASK)
-				 >> 20);
-			msg->rcode |= ercode;
-			isc_mempool_put(msg->namepool, name);
-			free_name = ISC_FALSE;
-		}
-
-		/*
-		 * If this is an SIG(0) or TSIG record, remember it.  Note
-		 * that msg->sig0 or msg->tsig will only be set if best-effort
-		 * parsing is enabled.
-		 */
-		if (issigzero && msg->sig0 == NULL) {
-			msg->sig0 = rdataset;
-			msg->sig0name = name;
-			rdataset = NULL;
-			free_rdataset = ISC_FALSE;
-			free_name = ISC_FALSE;
-		} else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
-			msg->tsig = rdataset;
-			msg->tsigname = name;
-			/* Windows doesn't like TSIG names to be compressed. */
-			msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
-			rdataset = NULL;
-			free_rdataset = ISC_FALSE;
-			free_name = ISC_FALSE;
-		}
-
-		if (seen_problem) {
-			if (free_name)
-				isc_mempool_put(msg->namepool, name);
-			if (free_rdataset)
-				isc_mempool_put(msg->rdspool, rdataset);
-			free_name = free_rdataset = ISC_FALSE;
-		}
-		INSIST(free_name == ISC_FALSE);
-		INSIST(free_rdataset == ISC_FALSE);
-	}
-
-	if (seen_problem)
-		return (DNS_R_RECOVERABLE);
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (free_name)
-		isc_mempool_put(msg->namepool, name);
-	if (free_rdataset)
-		isc_mempool_put(msg->rdspool, rdataset);
-
-	return (result);
-}
-
-isc_result_t
-dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
-		  unsigned int options)
-{
-	isc_region_t r;
-	dns_decompress_t dctx;
-	isc_result_t ret;
-	isc_uint16_t tmpflags;
-	isc_buffer_t origsource;
-	isc_boolean_t seen_problem;
-	isc_boolean_t ignore_tc;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(source != NULL);
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
-
-	seen_problem = ISC_FALSE;
-	ignore_tc = ISC_TF(options & DNS_MESSAGEPARSE_IGNORETRUNCATION);
-
-	origsource = *source;
-
-	msg->header_ok = 0;
-	msg->question_ok = 0;
-
-	isc_buffer_remainingregion(source, &r);
-	if (r.length < DNS_MESSAGE_HEADERLEN)
-		return (ISC_R_UNEXPECTEDEND);
-
-	msg->id = isc_buffer_getuint16(source);
-	tmpflags = isc_buffer_getuint16(source);
-	msg->opcode = ((tmpflags & DNS_MESSAGE_OPCODE_MASK)
-		       >> DNS_MESSAGE_OPCODE_SHIFT);
-	msg->rcode = (dns_rcode_t)(tmpflags & DNS_MESSAGE_RCODE_MASK);
-	msg->flags = (tmpflags & DNS_MESSAGE_FLAG_MASK);
-	msg->counts[DNS_SECTION_QUESTION] = isc_buffer_getuint16(source);
-	msg->counts[DNS_SECTION_ANSWER] = isc_buffer_getuint16(source);
-	msg->counts[DNS_SECTION_AUTHORITY] = isc_buffer_getuint16(source);
-	msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
-
-	msg->header_ok = 1;
-
-	/*
-	 * -1 means no EDNS.
-	 */
-	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
-
-	dns_decompress_setmethods(&dctx, DNS_COMPRESS_GLOBAL14);
-
-	ret = getquestions(source, msg, &dctx, options);
-	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
-		goto truncated;
-	if (ret == DNS_R_RECOVERABLE) {
-		seen_problem = ISC_TRUE;
-		ret = ISC_R_SUCCESS;
-	}
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-	msg->question_ok = 1;
-
-	ret = getsection(source, msg, &dctx, DNS_SECTION_ANSWER, options);
-	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
-		goto truncated;
-	if (ret == DNS_R_RECOVERABLE) {
-		seen_problem = ISC_TRUE;
-		ret = ISC_R_SUCCESS;
-	}
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	ret = getsection(source, msg, &dctx, DNS_SECTION_AUTHORITY, options);
-	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
-		goto truncated;
-	if (ret == DNS_R_RECOVERABLE) {
-		seen_problem = ISC_TRUE;
-		ret = ISC_R_SUCCESS;
-	}
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	ret = getsection(source, msg, &dctx, DNS_SECTION_ADDITIONAL, options);
-	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
-		goto truncated;
-	if (ret == DNS_R_RECOVERABLE) {
-		seen_problem = ISC_TRUE;
-		ret = ISC_R_SUCCESS;
-	}
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	isc_buffer_remainingregion(source, &r);
-	if (r.length != 0) {
-		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_MESSAGE, ISC_LOG_DEBUG(3),
-			      "message has %u byte(s) of trailing garbage",
-			      r.length);
-	}
-
- truncated:
-	if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
-		isc_buffer_usedregion(&origsource, &msg->saved);
-	else {
-		msg->saved.length = isc_buffer_usedlength(&origsource);
-		msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
-		if (msg->saved.base == NULL)
-			return (ISC_R_NOMEMORY);
-		memcpy(msg->saved.base, isc_buffer_base(&origsource),
-		       msg->saved.length);
-		msg->free_saved = 1;
-	}
-
-	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
-		return (DNS_R_RECOVERABLE);
-	if (seen_problem == ISC_TRUE)
-		return (DNS_R_RECOVERABLE);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
-			isc_buffer_t *buffer)
-{
-	isc_region_t r;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(buffer != NULL);
-	REQUIRE(msg->buffer == NULL);
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-
-	msg->cctx = cctx;
-
-	/*
-	 * Erase the contents of this buffer.
-	 */
-	isc_buffer_clear(buffer);
-
-	/*
-	 * Make certain there is enough for at least the header in this
-	 * buffer.
-	 */
-	isc_buffer_availableregion(buffer, &r);
-	if (r.length < DNS_MESSAGE_HEADERLEN)
-		return (ISC_R_NOSPACE);
-
-	if (r.length < msg->reserved)
-		return (ISC_R_NOSPACE);
-
-	/*
-	 * Reserve enough space for the header in this buffer.
-	 */
-	isc_buffer_add(buffer, DNS_MESSAGE_HEADERLEN);
-
-	msg->buffer = buffer;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer) {
-	isc_region_t r, rn;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(buffer != NULL);
-	REQUIRE(msg->buffer != NULL);
-
-	/*
-	 * Ensure that the new buffer is empty, and has enough space to
-	 * hold the current contents.
-	 */
-	isc_buffer_clear(buffer);
-
-	isc_buffer_availableregion(buffer, &rn);
-	isc_buffer_usedregion(msg->buffer, &r);
-	REQUIRE(rn.length > r.length);
-
-	/*
-	 * Copy the contents from the old to the new buffer.
-	 */
-	isc_buffer_add(buffer, r.length);
-	memcpy(rn.base, r.base, r.length);
-
-	msg->buffer = buffer;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_renderrelease(dns_message_t *msg, unsigned int space) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(space <= msg->reserved);
-
-	msg->reserved -= space;
-}
-
-isc_result_t
-dns_message_renderreserve(dns_message_t *msg, unsigned int space) {
-	isc_region_t r;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-
-	if (msg->buffer != NULL) {
-		isc_buffer_availableregion(msg->buffer, &r);
-		if (r.length < (space + msg->reserved))
-			return (ISC_R_NOSPACE);
-	}
-
-	msg->reserved += space;
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_boolean_t
-wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
-	int pass_needed;
-
-	/*
-	 * If we are not rendering class IN, this ordering is bogus.
-	 */
-	if (rds->rdclass != dns_rdataclass_in)
-		return (ISC_FALSE);
-
-	switch (rds->type) {
-	case dns_rdatatype_a:
-	case dns_rdatatype_aaaa:
-		if (preferred_glue == rds->type)
-			pass_needed = 4;
-		else
-			pass_needed = 3;
-		break;
-	case dns_rdatatype_rrsig:
-	case dns_rdatatype_dnskey:
-		pass_needed = 2;
-		break;
-	default:
-		pass_needed = 1;
-	}
-
-	if (pass_needed >= pass)
-		return (ISC_FALSE);
-
-	return (ISC_TRUE);
-}
-
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-/*
- * Decide whether to not answer with an AAAA record and its RRSIG
- */
-static inline isc_boolean_t
-norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options)
-{
-	switch (rdataset->type) {
-	case dns_rdatatype_aaaa:
-		if ((options & DNS_MESSAGERENDER_FILTER_AAAA) == 0)
-			return (ISC_FALSE);
-		break;
-
-	case dns_rdatatype_rrsig:
-		if ((options & DNS_MESSAGERENDER_FILTER_AAAA) == 0 ||
-		    rdataset->covers != dns_rdatatype_aaaa)
-			return (ISC_FALSE);
-		break;
-
-	default:
-		return (ISC_FALSE);
-	}
-
-	if (rdataset->rdclass != dns_rdataclass_in)
-		return (ISC_FALSE);
-
-	return (ISC_TRUE);
-}
-
-#endif
-isc_result_t
-dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
-			  unsigned int options)
-{
-	dns_namelist_t *section;
-	dns_name_t *name, *next_name;
-	dns_rdataset_t *rdataset, *next_rdataset;
-	unsigned int count, total;
-	isc_result_t result;
-	isc_buffer_t st; /* for rollbacks */
-	int pass;
-	isc_boolean_t partial = ISC_FALSE;
-	unsigned int rd_options;
-	dns_rdatatype_t preferred_glue = 0;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(msg->buffer != NULL);
-	REQUIRE(VALID_NAMED_SECTION(sectionid));
-
-	section = &msg->sections[sectionid];
-
-	if ((sectionid == DNS_SECTION_ADDITIONAL)
-	    && (options & DNS_MESSAGERENDER_ORDERED) == 0) {
-		if ((options & DNS_MESSAGERENDER_PREFER_A) != 0) {
-			preferred_glue = dns_rdatatype_a;
-			pass = 4;
-		} else if ((options & DNS_MESSAGERENDER_PREFER_AAAA) != 0) {
-			preferred_glue = dns_rdatatype_aaaa;
-			pass = 4;
-		} else
-			pass = 3;
-	} else
-		pass = 1;
-
-	if ((options & DNS_MESSAGERENDER_OMITDNSSEC) == 0)
-		rd_options = 0;
-	else
-		rd_options = DNS_RDATASETTOWIRE_OMITDNSSEC;
-
-	/*
-	 * Shrink the space in the buffer by the reserved amount.
-	 */
-	msg->buffer->length -= msg->reserved;
-
-	total = 0;
-	if (msg->reserved == 0 && (options & DNS_MESSAGERENDER_PARTIAL) != 0)
-		partial = ISC_TRUE;
-
-	/*
-	 * Render required glue first.  Set TC if it won't fit.
-	 */
-	name = ISC_LIST_HEAD(*section);
-	if (name != NULL) {
-		rdataset = ISC_LIST_HEAD(name->list);
-		if (rdataset != NULL &&
-		    (rdataset->attributes & DNS_RDATASETATTR_REQUIREDGLUE) != 0 &&
-		    (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0) {
-			const void *order_arg = msg->order_arg;
-			st = *(msg->buffer);
-			count = 0;
-			if (partial)
-				result = dns_rdataset_towirepartial(rdataset,
-								    name,
-								    msg->cctx,
-								    msg->buffer,
-								    msg->order,
-								    order_arg,
-								    rd_options,
-								    &count,
-								    NULL);
-			else
-				result = dns_rdataset_towiresorted(rdataset,
-								   name,
-								   msg->cctx,
-								   msg->buffer,
-								   msg->order,
-								   order_arg,
-								   rd_options,
-								   &count);
-			total += count;
-			if (partial && result == ISC_R_NOSPACE) {
-				msg->flags |= DNS_MESSAGEFLAG_TC;
-				msg->buffer->length += msg->reserved;
-				msg->counts[sectionid] += total;
-				return (result);
-			}
-			if (result == ISC_R_NOSPACE)
-				msg->flags |= DNS_MESSAGEFLAG_TC;
-			if (result != ISC_R_SUCCESS) {
-				INSIST(st.used < 65536);
-				dns_compress_rollback(msg->cctx,
-						      (isc_uint16_t)st.used);
-				*(msg->buffer) = st;  /* rollback */
-				msg->buffer->length += msg->reserved;
-				msg->counts[sectionid] += total;
-				return (result);
-			}
-			rdataset->attributes |= DNS_RDATASETATTR_RENDERED;
-		}
-	}
-
-	do {
-		name = ISC_LIST_HEAD(*section);
-		if (name == NULL) {
-			msg->buffer->length += msg->reserved;
-			msg->counts[sectionid] += total;
-			return (ISC_R_SUCCESS);
-		}
-
-		while (name != NULL) {
-			next_name = ISC_LIST_NEXT(name, link);
-
-			rdataset = ISC_LIST_HEAD(name->list);
-			while (rdataset != NULL) {
-				next_rdataset = ISC_LIST_NEXT(rdataset, link);
-
-				if ((rdataset->attributes &
-				     DNS_RDATASETATTR_RENDERED) != 0)
-					goto next;
-
-				if (((options & DNS_MESSAGERENDER_ORDERED)
-				     == 0)
-				    && (sectionid == DNS_SECTION_ADDITIONAL)
-				    && wrong_priority(rdataset, pass,
-						      preferred_glue))
-					goto next;
-
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-				/*
-				 * Suppress AAAAs if asked and we are
-				 * not doing DNSSEC or are breaking DNSSEC.
-				 * Say so in the AD bit if we break DNSSEC.
-				 */
-				if (norender_rdataset(rdataset, options) &&
-				    sectionid != DNS_SECTION_QUESTION) {
-					if (sectionid == DNS_SECTION_ANSWER ||
-					    sectionid == DNS_SECTION_AUTHORITY)
-					    msg->flags &= ~DNS_MESSAGEFLAG_AD;
-					if (OPTOUT(rdataset))
-					    msg->flags &= ~DNS_MESSAGEFLAG_AD;
-					goto next;
-				}
-
-#endif
-				st = *(msg->buffer);
-
-				count = 0;
-				if (partial)
-					result = dns_rdataset_towirepartial(
-							  rdataset,
-							  name,
-							  msg->cctx,
-							  msg->buffer,
-							  msg->order,
-							  msg->order_arg,
-							  rd_options,
-							  &count,
-							  NULL);
-				else
-					result = dns_rdataset_towiresorted(
-							  rdataset,
-							  name,
-							  msg->cctx,
-							  msg->buffer,
-							  msg->order,
-							  msg->order_arg,
-							  rd_options,
-							  &count);
-
-				total += count;
-
-				/*
-				 * If out of space, record stats on what we
-				 * rendered so far, and return that status.
-				 *
-				 * XXXMLG Need to change this when
-				 * dns_rdataset_towire() can render partial
-				 * sets starting at some arbitrary point in the
-				 * set.  This will include setting a bit in the
-				 * rdataset to indicate that a partial
-				 * rendering was done, and some state saved
-				 * somewhere (probably in the message struct)
-				 * to indicate where to continue from.
-				 */
-				if (partial && result == ISC_R_NOSPACE) {
-					msg->buffer->length += msg->reserved;
-					msg->counts[sectionid] += total;
-					return (result);
-				}
-				if (result != ISC_R_SUCCESS) {
-					INSIST(st.used < 65536);
-					dns_compress_rollback(msg->cctx,
-							(isc_uint16_t)st.used);
-					*(msg->buffer) = st;  /* rollback */
-					msg->buffer->length += msg->reserved;
-					msg->counts[sectionid] += total;
-					return (result);
-				}
-
-				/*
-				 * If we have rendered non-validated data,
-				 * ensure that the AD bit is not set.
-				 */
-				if (rdataset->trust != dns_trust_secure &&
-				    (sectionid == DNS_SECTION_ANSWER ||
-				     sectionid == DNS_SECTION_AUTHORITY))
-					msg->flags &= ~DNS_MESSAGEFLAG_AD;
-				if (OPTOUT(rdataset))
-					msg->flags &= ~DNS_MESSAGEFLAG_AD;
-
-				rdataset->attributes |=
-					DNS_RDATASETATTR_RENDERED;
-
-			next:
-				rdataset = next_rdataset;
-			}
-
-			name = next_name;
-		}
-	} while (--pass != 0);
-
-	msg->buffer->length += msg->reserved;
-	msg->counts[sectionid] += total;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target) {
-	isc_uint16_t tmp;
-	isc_region_t r;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(target != NULL);
-
-	isc_buffer_availableregion(target, &r);
-	REQUIRE(r.length >= DNS_MESSAGE_HEADERLEN);
-
-	isc_buffer_putuint16(target, msg->id);
-
-	tmp = ((msg->opcode << DNS_MESSAGE_OPCODE_SHIFT)
-	       & DNS_MESSAGE_OPCODE_MASK);
-	tmp |= (msg->rcode & DNS_MESSAGE_RCODE_MASK);
-	tmp |= (msg->flags & DNS_MESSAGE_FLAG_MASK);
-
-	INSIST(msg->counts[DNS_SECTION_QUESTION]  < 65536 &&
-	       msg->counts[DNS_SECTION_ANSWER]    < 65536 &&
-	       msg->counts[DNS_SECTION_AUTHORITY] < 65536 &&
-	       msg->counts[DNS_SECTION_ADDITIONAL] < 65536);
-
-	isc_buffer_putuint16(target, tmp);
-	isc_buffer_putuint16(target,
-			    (isc_uint16_t)msg->counts[DNS_SECTION_QUESTION]);
-	isc_buffer_putuint16(target,
-			    (isc_uint16_t)msg->counts[DNS_SECTION_ANSWER]);
-	isc_buffer_putuint16(target,
-			    (isc_uint16_t)msg->counts[DNS_SECTION_AUTHORITY]);
-	isc_buffer_putuint16(target,
-			    (isc_uint16_t)msg->counts[DNS_SECTION_ADDITIONAL]);
-}
-
-isc_result_t
-dns_message_renderend(dns_message_t *msg) {
-	isc_buffer_t tmpbuf;
-	isc_region_t r;
-	int result;
-	unsigned int count;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(msg->buffer != NULL);
-
-	if ((msg->rcode & ~DNS_MESSAGE_RCODE_MASK) != 0 && msg->opt == NULL) {
-		/*
-		 * We have an extended rcode but are not using EDNS.
-		 */
-		return (DNS_R_FORMERR);
-	}
-
-	/*
-	 * If we're adding a OPT, TSIG or SIG(0) to a truncated message,
-	 * clear all rdatasets from the message except for the question
-	 * before adding the OPT, TSIG or SIG(0).  If the question doesn't
-	 * fit, don't include it.
-	 */
-	if ((msg->tsigkey != NULL || msg->sig0key != NULL || msg->opt) &&
-	    (msg->flags & DNS_MESSAGEFLAG_TC) != 0)
-	{
-		isc_buffer_t *buf;
-
-		msgresetnames(msg, DNS_SECTION_ANSWER);
-		buf = msg->buffer;
-		dns_message_renderreset(msg);
-		msg->buffer = buf;
-		isc_buffer_clear(msg->buffer);
-		isc_buffer_add(msg->buffer, DNS_MESSAGE_HEADERLEN);
-		dns_compress_rollback(msg->cctx, 0);
-		result = dns_message_rendersection(msg, DNS_SECTION_QUESTION,
-						   0);
-		if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
-			return (result);
-	}
-
-	/*
-	 * If we've got an OPT record, render it.
-	 */
-	if (msg->opt != NULL) {
-		dns_message_renderrelease(msg, msg->opt_reserved);
-		msg->opt_reserved = 0;
-		/*
-		 * Set the extended rcode.
-		 */
-		msg->opt->ttl &= ~DNS_MESSAGE_EDNSRCODE_MASK;
-		msg->opt->ttl |= ((msg->rcode << 20) &
-				  DNS_MESSAGE_EDNSRCODE_MASK);
-		/*
-		 * Render.
-		 */
-		count = 0;
-		result = dns_rdataset_towire(msg->opt, dns_rootname,
-					     msg->cctx, msg->buffer, 0,
-					     &count);
-		msg->counts[DNS_SECTION_ADDITIONAL] += count;
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	/*
-	 * If we're adding a TSIG record, generate and render it.
-	 */
-	if (msg->tsigkey != NULL) {
-		dns_message_renderrelease(msg, msg->sig_reserved);
-		msg->sig_reserved = 0;
-		result = dns_tsig_sign(msg);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		count = 0;
-		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
-					     msg->cctx, msg->buffer, 0,
-					     &count);
-		msg->counts[DNS_SECTION_ADDITIONAL] += count;
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	/*
-	 * If we're adding a SIG(0) record, generate and render it.
-	 */
-	if (msg->sig0key != NULL) {
-		dns_message_renderrelease(msg, msg->sig_reserved);
-		msg->sig_reserved = 0;
-		result = dns_dnssec_signmessage(msg, msg->sig0key);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		count = 0;
-		/*
-		 * Note: dns_rootname is used here, not msg->sig0name, since
-		 * the owner name of a SIG(0) is irrelevant, and will not
-		 * be set in a message being rendered.
-		 */
-		result = dns_rdataset_towire(msg->sig0, dns_rootname,
-					     msg->cctx, msg->buffer, 0,
-					     &count);
-		msg->counts[DNS_SECTION_ADDITIONAL] += count;
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	isc_buffer_usedregion(msg->buffer, &r);
-	isc_buffer_init(&tmpbuf, r.base, r.length);
-
-	dns_message_renderheader(msg, &tmpbuf);
-
-	msg->buffer = NULL;  /* forget about this buffer only on success XXX */
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_renderreset(dns_message_t *msg) {
-	unsigned int i;
-	dns_name_t *name;
-	dns_rdataset_t *rds;
-
-	/*
-	 * Reset the message so that it may be rendered again.
-	 */
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-
-	msg->buffer = NULL;
-
-	for (i = 0; i < DNS_SECTION_MAX; i++) {
-		msg->cursors[i] = NULL;
-		msg->counts[i] = 0;
-		for (name = ISC_LIST_HEAD(msg->sections[i]);
-		     name != NULL;
-		     name = ISC_LIST_NEXT(name, link)) {
-			for (rds = ISC_LIST_HEAD(name->list);
-			     rds != NULL;
-			     rds = ISC_LIST_NEXT(rds, link)) {
-				rds->attributes &= ~DNS_RDATASETATTR_RENDERED;
-			}
-		}
-	}
-	if (msg->tsigname != NULL)
-		dns_message_puttempname(msg, &msg->tsigname);
-	if (msg->tsig != NULL) {
-		dns_rdataset_disassociate(msg->tsig);
-		dns_message_puttemprdataset(msg, &msg->tsig);
-	}
-	if (msg->sig0 != NULL) {
-		dns_rdataset_disassociate(msg->sig0);
-		dns_message_puttemprdataset(msg, &msg->sig0);
-	}
-}
-
-isc_result_t
-dns_message_firstname(dns_message_t *msg, dns_section_t section) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(VALID_NAMED_SECTION(section));
-
-	msg->cursors[section] = ISC_LIST_HEAD(msg->sections[section]);
-
-	if (msg->cursors[section] == NULL)
-		return (ISC_R_NOMORE);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_nextname(dns_message_t *msg, dns_section_t section) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(VALID_NAMED_SECTION(section));
-	REQUIRE(msg->cursors[section] != NULL);
-
-	msg->cursors[section] = ISC_LIST_NEXT(msg->cursors[section], link);
-
-	if (msg->cursors[section] == NULL)
-		return (ISC_R_NOMORE);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_currentname(dns_message_t *msg, dns_section_t section,
-			dns_name_t **name)
-{
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(VALID_NAMED_SECTION(section));
-	REQUIRE(name != NULL && *name == NULL);
-	REQUIRE(msg->cursors[section] != NULL);
-
-	*name = msg->cursors[section];
-}
-
-isc_result_t
-dns_message_findname(dns_message_t *msg, dns_section_t section,
-		     dns_name_t *target, dns_rdatatype_t type,
-		     dns_rdatatype_t covers, dns_name_t **name,
-		     dns_rdataset_t **rdataset)
-{
-	dns_name_t *foundname;
-	isc_result_t result;
-
-	/*
-	 * XXX These requirements are probably too intensive, especially
-	 * where things can be NULL, but as they are they ensure that if
-	 * something is NON-NULL, indicating that the caller expects it
-	 * to be filled in, that we can in fact fill it in.
-	 */
-	REQUIRE(msg != NULL);
-	REQUIRE(VALID_SECTION(section));
-	REQUIRE(target != NULL);
-	if (name != NULL)
-		REQUIRE(*name == NULL);
-	if (type == dns_rdatatype_any) {
-		REQUIRE(rdataset == NULL);
-	} else {
-		if (rdataset != NULL)
-			REQUIRE(*rdataset == NULL);
-	}
-
-	result = findname(&foundname, target,
-			  &msg->sections[section]);
-
-	if (result == ISC_R_NOTFOUND)
-		return (DNS_R_NXDOMAIN);
-	else if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (name != NULL)
-		*name = foundname;
-
-	/*
-	 * And now look for the type.
-	 */
-	if (type == dns_rdatatype_any)
-		return (ISC_R_SUCCESS);
-
-	result = dns_message_findtype(foundname, type, covers, rdataset);
-	if (result == ISC_R_NOTFOUND)
-		return (DNS_R_NXRRSET);
-
-	return (result);
-}
-
-void
-dns_message_movename(dns_message_t *msg, dns_name_t *name,
-		     dns_section_t fromsection,
-		     dns_section_t tosection)
-{
-	REQUIRE(msg != NULL);
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-	REQUIRE(name != NULL);
-	REQUIRE(VALID_NAMED_SECTION(fromsection));
-	REQUIRE(VALID_NAMED_SECTION(tosection));
-
-	/*
-	 * Unlink the name from the old section
-	 */
-	ISC_LIST_UNLINK(msg->sections[fromsection], name, link);
-	ISC_LIST_APPEND(msg->sections[tosection], name, link);
-}
-
-void
-dns_message_addname(dns_message_t *msg, dns_name_t *name,
-		    dns_section_t section)
-{
-	REQUIRE(msg != NULL);
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-	REQUIRE(name != NULL);
-	REQUIRE(VALID_NAMED_SECTION(section));
-
-	ISC_LIST_APPEND(msg->sections[section], name, link);
-}
-
-void
-dns_message_removename(dns_message_t *msg, dns_name_t *name,
-		       dns_section_t section)
-{
-	REQUIRE(msg != NULL);
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-	REQUIRE(name != NULL);
-	REQUIRE(VALID_NAMED_SECTION(section));
-
-	ISC_LIST_UNLINK(msg->sections[section], name, link);
-}
-
-isc_result_t
-dns_message_gettempname(dns_message_t *msg, dns_name_t **item) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(item != NULL && *item == NULL);
-
-	*item = isc_mempool_get(msg->namepool);
-	if (*item == NULL)
-		return (ISC_R_NOMEMORY);
-	dns_name_init(*item, NULL);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_gettempoffsets(dns_message_t *msg, dns_offsets_t **item) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(item != NULL && *item == NULL);
-
-	*item = newoffsets(msg);
-	if (*item == NULL)
-		return (ISC_R_NOMEMORY);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(item != NULL && *item == NULL);
-
-	*item = newrdata(msg);
-	if (*item == NULL)
-		return (ISC_R_NOMEMORY);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(item != NULL && *item == NULL);
-
-	*item = isc_mempool_get(msg->rdspool);
-	if (*item == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dns_rdataset_init(*item);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(item != NULL && *item == NULL);
-
-	*item = newrdatalist(msg);
-	if (*item == NULL)
-		return (ISC_R_NOMEMORY);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_puttempname(dns_message_t *msg, dns_name_t **item) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(item != NULL && *item != NULL);
-
-	if (dns_name_dynamic(*item))
-		dns_name_free(*item, msg->mctx);
-	isc_mempool_put(msg->namepool, *item);
-	*item = NULL;
-}
-
-void
-dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(item != NULL && *item != NULL);
-
-	releaserdata(msg, *item);
-	*item = NULL;
-}
-
-void
-dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(item != NULL && *item != NULL);
-
-	REQUIRE(!dns_rdataset_isassociated(*item));
-	isc_mempool_put(msg->rdspool, *item);
-	*item = NULL;
-}
-
-void
-dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(item != NULL && *item != NULL);
-
-	releaserdatalist(msg, *item);
-	*item = NULL;
-}
-
-isc_result_t
-dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
-		       unsigned int *flagsp)
-{
-	isc_region_t r;
-	isc_buffer_t buffer;
-	dns_messageid_t id;
-	unsigned int flags;
-
-	REQUIRE(source != NULL);
-
-	buffer = *source;
-
-	isc_buffer_remainingregion(&buffer, &r);
-	if (r.length < DNS_MESSAGE_HEADERLEN)
-		return (ISC_R_UNEXPECTEDEND);
-
-	id = isc_buffer_getuint16(&buffer);
-	flags = isc_buffer_getuint16(&buffer);
-	flags &= DNS_MESSAGE_FLAG_MASK;
-
-	if (flagsp != NULL)
-		*flagsp = flags;
-	if (idp != NULL)
-		*idp = id;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
-	unsigned int clear_after;
-	isc_result_t result;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE((msg->flags & DNS_MESSAGEFLAG_QR) == 0);
-
-	if (!msg->header_ok)
-		return (DNS_R_FORMERR);
-	if (msg->opcode != dns_opcode_query &&
-	    msg->opcode != dns_opcode_notify)
-		want_question_section = ISC_FALSE;
-	if (msg->opcode == dns_opcode_update)
-		clear_after = DNS_SECTION_PREREQUISITE;
-	else if (want_question_section) {
-		if (!msg->question_ok)
-			return (DNS_R_FORMERR);
-		clear_after = DNS_SECTION_ANSWER;
-	} else
-		clear_after = DNS_SECTION_QUESTION;
-	msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
-	msgresetnames(msg, clear_after);
-	msgresetopt(msg);
-	msgresetsigs(msg, ISC_TRUE);
-	msginitprivate(msg);
-	/*
-	 * We now clear most flags and then set QR, ensuring that the
-	 * reply's flags will be in a reasonable state.
-	 */
-	msg->flags &= DNS_MESSAGE_REPLYPRESERVE;
-	msg->flags |= DNS_MESSAGEFLAG_QR;
-
-	/*
-	 * This saves the query TSIG status, if the query was signed, and
-	 * reserves space in the reply for the TSIG.
-	 */
-	if (msg->tsigkey != NULL) {
-		unsigned int otherlen = 0;
-		msg->querytsigstatus = msg->tsigstatus;
-		msg->tsigstatus = dns_rcode_noerror;
-		if (msg->querytsigstatus == dns_tsigerror_badtime)
-			otherlen = 6;
-		msg->sig_reserved = spacefortsig(msg->tsigkey, otherlen);
-		result = dns_message_renderreserve(msg, msg->sig_reserved);
-		if (result != ISC_R_SUCCESS) {
-			msg->sig_reserved = 0;
-			return (result);
-		}
-	}
-	if (msg->saved.base != NULL) {
-		msg->query.base = msg->saved.base;
-		msg->query.length = msg->saved.length;
-		msg->free_query = msg->free_saved;
-		msg->saved.base = NULL;
-		msg->saved.length = 0;
-		msg->free_saved = 0;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-dns_rdataset_t *
-dns_message_getopt(dns_message_t *msg) {
-
-	/*
-	 * Get the OPT record for 'msg'.
-	 */
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-
-	return (msg->opt);
-}
-
-isc_result_t
-dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	/*
-	 * Set the OPT record for 'msg'.
-	 */
-
-	/*
-	 * The space required for an OPT record is:
-	 *
-	 *	1 byte for the name
-	 *	2 bytes for the type
-	 *	2 bytes for the class
-	 *	4 bytes for the ttl
-	 *	2 bytes for the rdata length
-	 * ---------------------------------
-	 *     11 bytes
-	 *
-	 * plus the length of the rdata.
-	 */
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(opt->type == dns_rdatatype_opt);
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-	REQUIRE(msg->state == DNS_SECTION_ANY);
-
-	msgresetopt(msg);
-
-	result = dns_rdataset_first(opt);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	dns_rdataset_current(opt, &rdata);
-	msg->opt_reserved = 11 + rdata.length;
-	result = dns_message_renderreserve(msg, msg->opt_reserved);
-	if (result != ISC_R_SUCCESS) {
-		msg->opt_reserved = 0;
-		goto cleanup;
-	}
-
-	msg->opt = opt;
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_rdataset_disassociate(opt);
-	dns_message_puttemprdataset(msg, &opt);
-	return (result);
-}
-
-dns_rdataset_t *
-dns_message_gettsig(dns_message_t *msg, dns_name_t **owner) {
-
-	/*
-	 * Get the TSIG record and owner for 'msg'.
-	 */
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(owner == NULL || *owner == NULL);
-
-	if (owner != NULL)
-		*owner = msg->tsigname;
-	return (msg->tsig);
-}
-
-isc_result_t
-dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key) {
-	isc_result_t result;
-
-	/*
-	 * Set the TSIG key for 'msg'
-	 */
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(msg->state == DNS_SECTION_ANY);
-
-	if (key == NULL && msg->tsigkey != NULL) {
-		if (msg->sig_reserved != 0) {
-			dns_message_renderrelease(msg, msg->sig_reserved);
-			msg->sig_reserved = 0;
-		}
-		dns_tsigkey_detach(&msg->tsigkey);
-	}
-	if (key != NULL) {
-		REQUIRE(msg->tsigkey == NULL && msg->sig0key == NULL);
-		dns_tsigkey_attach(key, &msg->tsigkey);
-		if (msg->from_to_wire == DNS_MESSAGE_INTENTRENDER) {
-			msg->sig_reserved = spacefortsig(msg->tsigkey, 0);
-			result = dns_message_renderreserve(msg,
-							   msg->sig_reserved);
-			if (result != ISC_R_SUCCESS) {
-				dns_tsigkey_detach(&msg->tsigkey);
-				msg->sig_reserved = 0;
-				return (result);
-			}
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-dns_tsigkey_t *
-dns_message_gettsigkey(dns_message_t *msg) {
-
-	/*
-	 * Get the TSIG key for 'msg'
-	 */
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-
-	return (msg->tsigkey);
-}
-
-isc_result_t
-dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig) {
-	dns_rdata_t *rdata = NULL;
-	dns_rdatalist_t *list = NULL;
-	dns_rdataset_t *set = NULL;
-	isc_buffer_t *buf = NULL;
-	isc_region_t r;
-	isc_result_t result;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(msg->querytsig == NULL);
-
-	if (querytsig == NULL)
-		return (ISC_R_SUCCESS);
-
-	result = dns_message_gettemprdata(msg, &rdata);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_message_gettemprdatalist(msg, &list);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_gettemprdataset(msg, &set);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	isc_buffer_usedregion(querytsig, &r);
-	result = isc_buffer_allocate(msg->mctx, &buf, r.length);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	isc_buffer_putmem(buf, r.base, r.length);
-	isc_buffer_usedregion(buf, &r);
-	dns_rdata_init(rdata);
-	dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_tsig, &r);
-	dns_message_takebuffer(msg, &buf);
-	ISC_LIST_INIT(list->rdata);
-	ISC_LIST_APPEND(list->rdata, rdata, link);
-	result = dns_rdatalist_tordataset(list, set);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	msg->querytsig = set;
-
-	return (result);
-
- cleanup:
-	if (rdata != NULL)
-		dns_message_puttemprdata(msg, &rdata);
-	if (list != NULL)
-		dns_message_puttemprdatalist(msg, &list);
-	if (set != NULL)
-		dns_message_puttemprdataset(msg, &set);
-	return (ISC_R_NOMEMORY);
-}
-
-isc_result_t
-dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
-			 isc_buffer_t **querytsig) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_region_t r;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(mctx != NULL);
-	REQUIRE(querytsig != NULL && *querytsig == NULL);
-
-	if (msg->tsig == NULL)
-		return (ISC_R_SUCCESS);
-
-	result = dns_rdataset_first(msg->tsig);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdataset_current(msg->tsig, &rdata);
-	dns_rdata_toregion(&rdata, &r);
-
-	result = isc_buffer_allocate(mctx, querytsig, r.length);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_putmem(*querytsig, r.base, r.length);
-	return (ISC_R_SUCCESS);
-}
-
-dns_rdataset_t *
-dns_message_getsig0(dns_message_t *msg, dns_name_t **owner) {
-
-	/*
-	 * Get the SIG(0) record for 'msg'.
-	 */
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(owner == NULL || *owner == NULL);
-
-	if (msg->sig0 != NULL && owner != NULL) {
-		/* If dns_message_getsig0 is called on a rendered message
-		 * after the SIG(0) has been applied, we need to return the
-		 * root name, not NULL.
-		 */
-		if (msg->sig0name == NULL)
-			*owner = dns_rootname;
-		else
-			*owner = msg->sig0name;
-	}
-	return (msg->sig0);
-}
-
-isc_result_t
-dns_message_setsig0key(dns_message_t *msg, dst_key_t *key) {
-	isc_region_t r;
-	unsigned int x;
-	isc_result_t result;
-
-	/*
-	 * Set the SIG(0) key for 'msg'
-	 */
-
-	/*
-	 * The space required for an SIG(0) record is:
-	 *
-	 *	1 byte for the name
-	 *	2 bytes for the type
-	 *	2 bytes for the class
-	 *	4 bytes for the ttl
-	 *	2 bytes for the type covered
-	 *	1 byte for the algorithm
-	 *	1 bytes for the labels
-	 *	4 bytes for the original ttl
-	 *	4 bytes for the signature expiration
-	 *	4 bytes for the signature inception
-	 *	2 bytes for the key tag
-	 *	n bytes for the signer's name
-	 *	x bytes for the signature
-	 * ---------------------------------
-	 *     27 + n + x bytes
-	 */
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-	REQUIRE(msg->state == DNS_SECTION_ANY);
-
-	if (key != NULL) {
-		REQUIRE(msg->sig0key == NULL && msg->tsigkey == NULL);
-		dns_name_toregion(dst_key_name(key), &r);
-		result = dst_key_sigsize(key, &x);
-		if (result != ISC_R_SUCCESS) {
-			msg->sig_reserved = 0;
-			return (result);
-		}
-		msg->sig_reserved = 27 + r.length + x;
-		result = dns_message_renderreserve(msg, msg->sig_reserved);
-		if (result != ISC_R_SUCCESS) {
-			msg->sig_reserved = 0;
-			return (result);
-		}
-		msg->sig0key = key;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-dst_key_t *
-dns_message_getsig0key(dns_message_t *msg) {
-
-	/*
-	 * Get the SIG(0) key for 'msg'
-	 */
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-
-	return (msg->sig0key);
-}
-
-void
-dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(buffer != NULL);
-	REQUIRE(ISC_BUFFER_VALID(*buffer));
-
-	ISC_LIST_APPEND(msg->cleanup, *buffer, link);
-	*buffer = NULL;
-}
-
-isc_result_t
-dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(signer != NULL);
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
-
-	if (msg->tsig == NULL && msg->sig0 == NULL)
-		return (ISC_R_NOTFOUND);
-
-	if (msg->verify_attempted == 0)
-		return (DNS_R_NOTVERIFIEDYET);
-
-	if (!dns_name_hasbuffer(signer)) {
-		isc_buffer_t *dynbuf = NULL;
-		result = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		dns_name_setbuffer(signer, dynbuf);
-		dns_message_takebuffer(msg, &dynbuf);
-	}
-
-	if (msg->sig0 != NULL) {
-		dns_rdata_sig_t sig;
-
-		result = dns_rdataset_first(msg->sig0);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_rdataset_current(msg->sig0, &rdata);
-
-		result = dns_rdata_tostruct(&rdata, &sig, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		if (msg->verified_sig && msg->sig0status == dns_rcode_noerror)
-			result = ISC_R_SUCCESS;
-		else
-			result = DNS_R_SIGINVALID;
-		dns_name_clone(&sig.signer, signer);
-		dns_rdata_freestruct(&sig);
-	} else {
-		dns_name_t *identity;
-		dns_rdata_any_tsig_t tsig;
-
-		result = dns_rdataset_first(msg->tsig);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_rdataset_current(msg->tsig, &rdata);
-
-		result = dns_rdata_tostruct(&rdata, &tsig, NULL);
-		INSIST(result == ISC_R_SUCCESS);
-		if (msg->tsigstatus != dns_rcode_noerror)
-			result = DNS_R_TSIGVERIFYFAILURE;
-		else if (tsig.error != dns_rcode_noerror)
-			result = DNS_R_TSIGERRORSET;
-		else
-			result = ISC_R_SUCCESS;
-		dns_rdata_freestruct(&tsig);
-
-		if (msg->tsigkey == NULL) {
-			/*
-			 * If msg->tsigstatus & tsig.error are both
-			 * dns_rcode_noerror, the message must have been
-			 * verified, which means msg->tsigkey will be
-			 * non-NULL.
-			 */
-			INSIST(result != ISC_R_SUCCESS);
-		} else {
-			identity = dns_tsigkey_identity(msg->tsigkey);
-			if (identity == NULL) {
-				if (result == ISC_R_SUCCESS)
-					result = DNS_R_NOIDENTITY;
-				identity = &msg->tsigkey->name;
-			}
-			dns_name_clone(identity, signer);
-		}
-	}
-
-	return (result);
-}
-
-void
-dns_message_resetsig(dns_message_t *msg) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	msg->verified_sig = 0;
-	msg->verify_attempted = 0;
-	msg->tsigstatus = dns_rcode_noerror;
-	msg->sig0status = dns_rcode_noerror;
-	msg->timeadjust = 0;
-	if (msg->tsigkey != NULL) {
-		dns_tsigkey_detach(&msg->tsigkey);
-		msg->tsigkey = NULL;
-	}
-}
-
-isc_result_t
-dns_message_rechecksig(dns_message_t *msg, dns_view_t *view) {
-	dns_message_resetsig(msg);
-	return (dns_message_checksig(msg, view));
-}
-
-#ifdef SKAN_MSG_DEBUG
-void
-dns_message_dumpsig(dns_message_t *msg, char *txt1) {
-	dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
-	dns_rdata_any_tsig_t querytsig;
-	isc_result_t result;
-
-	if (msg->tsig != NULL) {
-		result = dns_rdataset_first(msg->tsig);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		dns_rdataset_current(msg->tsig, &querytsigrdata);
-		result = dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		hexdump(txt1, "TSIG", querytsig.signature,
-			querytsig.siglen);
-	}
-
-	if (msg->querytsig != NULL) {
-		result = dns_rdataset_first(msg->querytsig);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		dns_rdataset_current(msg->querytsig, &querytsigrdata);
-		result = dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		hexdump(txt1, "QUERYTSIG", querytsig.signature,
-			querytsig.siglen);
-	}
-}
-#endif
-
-isc_result_t
-dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
-	isc_buffer_t b, msgb;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-
-	if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
-		return (ISC_R_SUCCESS);
-
-	INSIST(msg->saved.base != NULL);
-	isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
-	isc_buffer_add(&msgb, msg->saved.length);
-	if (msg->tsigkey != NULL || msg->tsig != NULL) {
-#ifdef SKAN_MSG_DEBUG
-		dns_message_dumpsig(msg, "dns_message_checksig#1");
-#endif
-		if (view != NULL)
-			return (dns_view_checksig(view, &msgb, msg));
-		else
-			return (dns_tsig_verify(&msgb, msg, NULL, NULL));
-	} else {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdata_sig_t sig;
-		dns_rdataset_t keyset;
-		isc_result_t result;
-
-		result = dns_rdataset_first(msg->sig0);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_rdataset_current(msg->sig0, &rdata);
-
-		/*
-		 * This can occur when the message is a dynamic update, since
-		 * the rdata length checking is relaxed.  This should not
-		 * happen in a well-formed message, since the SIG(0) is only
-		 * looked for in the additional section, and the dynamic update
-		 * meta-records are in the prerequisite and update sections.
-		 */
-		if (rdata.length == 0)
-			return (ISC_R_UNEXPECTEDEND);
-
-		result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		dns_rdataset_init(&keyset);
-		if (view == NULL)
-			return (DNS_R_KEYUNAUTHORIZED);
-		result = dns_view_simplefind(view, &sig.signer,
-					     dns_rdatatype_key /* SIG(0) */,
-					     0, 0, ISC_FALSE, &keyset, NULL);
-
-		if (result != ISC_R_SUCCESS) {
-			/* XXXBEW Should possibly create a fetch here */
-			result = DNS_R_KEYUNAUTHORIZED;
-			goto freesig;
-		} else if (keyset.trust < dns_trust_secure) {
-			/* XXXBEW Should call a validator here */
-			result = DNS_R_KEYUNAUTHORIZED;
-			goto freesig;
-		}
-		result = dns_rdataset_first(&keyset);
-		INSIST(result == ISC_R_SUCCESS);
-		for (;
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&keyset))
-		{
-			dst_key_t *key = NULL;
-
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&keyset, &rdata);
-			isc_buffer_init(&b, rdata.data, rdata.length);
-			isc_buffer_add(&b, rdata.length);
-
-			result = dst_key_fromdns(&sig.signer, rdata.rdclass,
-						 &b, view->mctx, &key);
-			if (result != ISC_R_SUCCESS)
-				continue;
-			if (dst_key_alg(key) != sig.algorithm ||
-			    dst_key_id(key) != sig.keyid ||
-			    !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
-			      dst_key_proto(key) == DNS_KEYPROTO_ANY))
-			{
-				dst_key_free(&key);
-				continue;
-			}
-			result = dns_dnssec_verifymessage(&msgb, msg, key);
-			dst_key_free(&key);
-			if (result == ISC_R_SUCCESS)
-				break;
-		}
-		if (result == ISC_R_NOMORE)
-			result = DNS_R_KEYUNAUTHORIZED;
-
- freesig:
-		if (dns_rdataset_isassociated(&keyset))
-			dns_rdataset_disassociate(&keyset);
-		dns_rdata_freestruct(&sig);
-		return (result);
-	}
-}
-
-isc_result_t
-dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
-			  const dns_master_style_t *style,
-			  dns_messagetextflag_t flags,
-			  isc_buffer_t *target) {
-	dns_name_t *name, empty_name;
-	dns_rdataset_t *rdataset;
-	isc_result_t result;
-	isc_boolean_t seensoa = ISC_FALSE;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(target != NULL);
-	REQUIRE(VALID_SECTION(section));
-
-	if (ISC_LIST_EMPTY(msg->sections[section]))
-		return (ISC_R_SUCCESS);
-
-	if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0) {
-		ADD_STRING(target, ";; ");
-		if (msg->opcode != dns_opcode_update) {
-			ADD_STRING(target, sectiontext[section]);
-		} else {
-			ADD_STRING(target, updsectiontext[section]);
-		}
-		ADD_STRING(target, " SECTION:\n");
-	}
-
-	dns_name_init(&empty_name, NULL);
-	result = dns_message_firstname(msg, section);
-	if (result != ISC_R_SUCCESS) {
-		return (result);
-	}
-	do {
-		name = NULL;
-		dns_message_currentname(msg, section, &name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if (section == DNS_SECTION_ANSWER &&
-			    rdataset->type == dns_rdatatype_soa) {
-				if ((flags & DNS_MESSAGETEXTFLAG_OMITSOA) != 0)
-					continue;
-				if (seensoa &&
-				    (flags & DNS_MESSAGETEXTFLAG_ONESOA) != 0)
-					continue;
-				seensoa = ISC_TRUE;
-			}
-			if (section == DNS_SECTION_QUESTION) {
-				ADD_STRING(target, ";");
-				result = dns_master_questiontotext(name,
-								   rdataset,
-								   style,
-								   target);
-			} else {
-				result = dns_master_rdatasettotext(name,
-								   rdataset,
-								   style,
-								   target);
-			}
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		}
-		result = dns_message_nextname(msg, section);
-	} while (result == ISC_R_SUCCESS);
-	if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
-	    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
-		ADD_STRING(target, "\n");
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-isc_result_t
-dns_message_pseudosectiontotext(dns_message_t *msg,
-				dns_pseudosection_t section,
-				const dns_master_style_t *style,
-				dns_messagetextflag_t flags,
-				isc_buffer_t *target) {
-	dns_rdataset_t *ps = NULL;
-	dns_name_t *name = NULL;
-	isc_result_t result;
-	char buf[sizeof("1234567890")];
-	isc_uint32_t mbz;
-	dns_rdata_t rdata;
-	isc_buffer_t optbuf;
-	isc_uint16_t optcode, optlen;
-	unsigned char *optdata;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(target != NULL);
-	REQUIRE(VALID_PSEUDOSECTION(section));
-
-	switch (section) {
-	case DNS_PSEUDOSECTION_OPT:
-		ps = dns_message_getopt(msg);
-		if (ps == NULL)
-			return (ISC_R_SUCCESS);
-		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
-			ADD_STRING(target, ";; OPT PSEUDOSECTION:\n");
-		ADD_STRING(target, "; EDNS: version: ");
-		snprintf(buf, sizeof(buf), "%u",
-			 (unsigned int)((ps->ttl & 0x00ff0000) >> 16));
-		ADD_STRING(target, buf);
-		ADD_STRING(target, ", flags:");
-		if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
-			ADD_STRING(target, " do");
-		mbz = ps->ttl & 0xffff;
-		mbz &= ~DNS_MESSAGEEXTFLAG_DO;		/* Known Flags. */
-		if (mbz != 0) {
-			ADD_STRING(target, "; MBZ: ");
-			snprintf(buf, sizeof(buf), "%.4x ", mbz);
-			ADD_STRING(target, buf);
-			ADD_STRING(target, ", udp: ");
-		} else
-			ADD_STRING(target, "; udp: ");
-		snprintf(buf, sizeof(buf), "%u\n", (unsigned int)ps->rdclass);
-		ADD_STRING(target, buf);
-
-		result = dns_rdataset_first(ps);
-		if (result != ISC_R_SUCCESS)
-			return (ISC_R_SUCCESS);
-
-		/* Print EDNS info, if any */
-		dns_rdata_init(&rdata);
-		dns_rdataset_current(ps, &rdata);
-
-		isc_buffer_init(&optbuf, rdata.data, rdata.length);
-		isc_buffer_add(&optbuf, rdata.length);
-		while (isc_buffer_remaininglength(&optbuf) != 0) {
-			INSIST(isc_buffer_remaininglength(&optbuf) >= 4U);
-			optcode = isc_buffer_getuint16(&optbuf);
-			optlen = isc_buffer_getuint16(&optbuf);
-			INSIST(isc_buffer_remaininglength(&optbuf) >= optlen);
-
-			if (optcode == DNS_OPT_NSID) {
-				ADD_STRING(target, "; NSID");
-			} else {
-				ADD_STRING(target, "; OPT=");
-				sprintf(buf, "%u", optcode);
-				ADD_STRING(target, buf);
-			}
-
-			if (optlen != 0) {
-				int i;
-				ADD_STRING(target, ": ");
-
-				optdata = isc_buffer_current(&optbuf);
-				for (i = 0; i < optlen; i++) {
-					sprintf(buf, "%02x ", optdata[i]);
-					ADD_STRING(target, buf);
-				}
-				for (i = 0; i < optlen; i++) {
-					ADD_STRING(target, " (");
-					if (isprint(optdata[i]))
-						isc_buffer_putmem(target,
-								  &optdata[i],
-								  1);
-					else
-						isc_buffer_putstr(target, ".");
-					ADD_STRING(target, ")");
-				}
-				isc_buffer_forward(&optbuf, optlen);
-			}
-			ADD_STRING(target, "\n");
-		}
-		return (ISC_R_SUCCESS);
-	case DNS_PSEUDOSECTION_TSIG:
-		ps = dns_message_gettsig(msg, &name);
-		if (ps == NULL)
-			return (ISC_R_SUCCESS);
-		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
-			ADD_STRING(target, ";; TSIG PSEUDOSECTION:\n");
-		result = dns_master_rdatasettotext(name, ps, style, target);
-		if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
-		    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
-			ADD_STRING(target, "\n");
-		return (result);
-	case DNS_PSEUDOSECTION_SIG0:
-		ps = dns_message_getsig0(msg, &name);
-		if (ps == NULL)
-			return (ISC_R_SUCCESS);
-		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
-			ADD_STRING(target, ";; SIG0 PSEUDOSECTION:\n");
-		result = dns_master_rdatasettotext(name, ps, style, target);
-		if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
-		    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
-			ADD_STRING(target, "\n");
-		return (result);
-	}
-	return (ISC_R_UNEXPECTED);
-}
-
-isc_result_t
-dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
-		   dns_messagetextflag_t flags, isc_buffer_t *target) {
-	char buf[sizeof("1234567890")];
-	isc_result_t result;
-
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	REQUIRE(target != NULL);
-
-	if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0) {
-		ADD_STRING(target, ";; ->>HEADER<<- opcode: ");
-		ADD_STRING(target, opcodetext[msg->opcode]);
-		ADD_STRING(target, ", status: ");
-		if (msg->rcode < (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
-			ADD_STRING(target, rcodetext[msg->rcode]);
-		} else {
-			snprintf(buf, sizeof(buf), "%4u", msg->rcode);
-			ADD_STRING(target, buf);
-		}
-		ADD_STRING(target, ", id: ");
-		snprintf(buf, sizeof(buf), "%6u", msg->id);
-		ADD_STRING(target, buf);
-		ADD_STRING(target, "\n;; flags:");
-		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
-			ADD_STRING(target, " qr");
-		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
-			ADD_STRING(target, " aa");
-		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
-			ADD_STRING(target, " tc");
-		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
-			ADD_STRING(target, " rd");
-		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
-			ADD_STRING(target, " ra");
-		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
-			ADD_STRING(target, " ad");
-		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
-			ADD_STRING(target, " cd");
-		/*
-		 * The final unnamed flag must be zero.
-		 */
-		if ((msg->flags & 0x0040U) != 0)
-			ADD_STRING(target, "; MBZ: 0x4");
-		if (msg->opcode != dns_opcode_update) {
-			ADD_STRING(target, "; QUESTION: ");
-		} else {
-			ADD_STRING(target, "; ZONE: ");
-		}
-		snprintf(buf, sizeof(buf), "%1u",
-			 msg->counts[DNS_SECTION_QUESTION]);
-		ADD_STRING(target, buf);
-		if (msg->opcode != dns_opcode_update) {
-			ADD_STRING(target, ", ANSWER: ");
-		} else {
-			ADD_STRING(target, ", PREREQ: ");
-		}
-		snprintf(buf, sizeof(buf), "%1u",
-			 msg->counts[DNS_SECTION_ANSWER]);
-		ADD_STRING(target, buf);
-		if (msg->opcode != dns_opcode_update) {
-			ADD_STRING(target, ", AUTHORITY: ");
-		} else {
-			ADD_STRING(target, ", UPDATE: ");
-		}
-		snprintf(buf, sizeof(buf), "%1u",
-			msg->counts[DNS_SECTION_AUTHORITY]);
-		ADD_STRING(target, buf);
-		ADD_STRING(target, ", ADDITIONAL: ");
-		snprintf(buf, sizeof(buf), "%1u",
-			msg->counts[DNS_SECTION_ADDITIONAL]);
-		ADD_STRING(target, buf);
-		ADD_STRING(target, "\n");
-	}
-	result = dns_message_pseudosectiontotext(msg,
-						 DNS_PSEUDOSECTION_OPT,
-						 style, flags, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_message_sectiontotext(msg, DNS_SECTION_QUESTION,
-					   style, flags, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_message_sectiontotext(msg, DNS_SECTION_ANSWER,
-					   style, flags, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_message_sectiontotext(msg, DNS_SECTION_AUTHORITY,
-					   style, flags, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_message_sectiontotext(msg, DNS_SECTION_ADDITIONAL,
-					   style, flags, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_message_pseudosectiontotext(msg,
-						 DNS_PSEUDOSECTION_TSIG,
-						 style, flags, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_message_pseudosectiontotext(msg,
-						 DNS_PSEUDOSECTION_SIG0,
-						 style, flags, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_region_t *
-dns_message_getrawmessage(dns_message_t *msg) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	return (&msg->saved);
-}
-
-void
-dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
-			 const void *order_arg)
-{
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	msg->order = order;
-	msg->order_arg = order_arg;
-}
-
-void
-dns_message_settimeadjust(dns_message_t *msg, int timeadjust) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	msg->timeadjust = timeadjust;
-}
-
-int
-dns_message_gettimeadjust(dns_message_t *msg) {
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	return (msg->timeadjust);
-}
-
-isc_result_t
-dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target) {
-
-	REQUIRE(opcode < 16);
-
-	if (isc_buffer_availablelength(target) < strlen(opcodetext[opcode]))
-		return (ISC_R_NOSPACE);
-	isc_buffer_putstr(target, opcodetext[opcode]);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_buildopt(dns_message_t *message, dns_rdataset_t **rdatasetp,
-		     unsigned int version, isc_uint16_t udpsize,
-		     unsigned int flags, dns_ednsopt_t *ednsopts, size_t count)
-{
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdatalist_t *rdatalist = NULL;
-	dns_rdata_t *rdata = NULL;
-	isc_result_t result;
-	size_t len = 0, i;
-
-	REQUIRE(DNS_MESSAGE_VALID(message));
-	REQUIRE(rdatasetp != NULL && *rdatasetp == NULL);
-
-	result = dns_message_gettemprdatalist(message, &rdatalist);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_message_gettemprdata(message, &rdata);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_gettemprdataset(message, &rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	dns_rdataset_init(rdataset);
-
-	rdatalist->type = dns_rdatatype_opt;
-	rdatalist->covers = 0;
-
-	/*
-	 * Set Maximum UDP buffer size.
-	 */
-	rdatalist->rdclass = udpsize;
-
-	/*
-	 * Set EXTENDED-RCODE and Z to 0.
-	 */
-	rdatalist->ttl = (version << 16);
-	rdatalist->ttl |= (flags & 0xffff);
-
-	/*
-	 * Set EDNS options if applicable
-	 */
-	if (count != 0U) {
-		isc_buffer_t *buf = NULL;
-		for (i = 0; i < count; i++)
-			len += ednsopts[i].length + 4;
-
-		if (len > 0xffffU) {
-			result = ISC_R_NOSPACE;
-			goto cleanup;
-		}
-
-		result = isc_buffer_allocate(message->mctx, &buf, len);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		for (i = 0; i < count; i++)  {
-			isc_buffer_putuint16(buf, ednsopts[i].code);
-			isc_buffer_putuint16(buf, ednsopts[i].length);
-			isc_buffer_putmem(buf, ednsopts[i].value,
-					  ednsopts[i].length);
-		}
-		rdata->data = isc_buffer_base(buf);
-		rdata->length = len;
-		dns_message_takebuffer(message, &buf);
-	} else {
-		rdata->data = NULL;
-		rdata->length = 0;
-	}
-
-	rdata->rdclass = rdatalist->rdclass;
-	rdata->type = rdatalist->type;
-	rdata->flags = 0;
-
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	result = dns_rdatalist_tordataset(rdatalist, rdataset);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	*rdatasetp = rdataset;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (rdata != NULL)
-		dns_message_puttemprdata(message, &rdata);
-	if (rdataset != NULL)
-		dns_message_puttemprdataset(message, &rdataset);
-	if (rdatalist != NULL)
-		dns_message_puttemprdatalist(message, &rdatalist);
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/name.c b/contrib/bind9/lib/dns/name.c
deleted file mode 100644
index 7fb21e1..0000000
--- a/contrib/bind9/lib/dns/name.c
+++ /dev/null
@@ -1,2506 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#include <dns/compress.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/result.h>
-
-#define VALID_NAME(n)	ISC_MAGIC_VALID(n, DNS_NAME_MAGIC)
-
-typedef enum {
-	ft_init = 0,
-	ft_start,
-	ft_ordinary,
-	ft_initialescape,
-	ft_escape,
-	ft_escdecimal,
-	ft_at
-} ft_state;
-
-typedef enum {
-	fw_start = 0,
-	fw_ordinary,
-	fw_copy,
-	fw_newcurrent
-} fw_state;
-
-static char digitvalue[256] = {
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,	/*16*/
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*32*/
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*48*/
-	 0,  1,  2,  3,  4,  5,  6,  7,  8,  9, -1, -1, -1, -1, -1, -1, /*64*/
-	-1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*80*/
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*96*/
-	-1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*112*/
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*128*/
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*256*/
-};
-
-static unsigned char maptolower[] = {
-	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
-	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
-	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-	0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
-	0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-	0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
-	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
-	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-	0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
-	0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
-	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
-	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-	0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
-	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-	0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
-	0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
-	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-	0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
-	0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
-	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-	0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
-};
-
-#define CONVERTTOASCII(c)
-#define CONVERTFROMASCII(c)
-
-#define INIT_OFFSETS(name, var, default) \
-	if (name->offsets != NULL) \
-		var = name->offsets; \
-	else \
-		var = default;
-
-#define SETUP_OFFSETS(name, var, default) \
-	if (name->offsets != NULL) \
-		var = name->offsets; \
-	else { \
-		var = default; \
-		set_offsets(name, var, NULL); \
-	}
-
-/*%
- * Note:  If additional attributes are added that should not be set for
- *	  empty names, MAKE_EMPTY() must be changed so it clears them.
- */
-#define MAKE_EMPTY(name) \
-do { \
-	name->ndata = NULL; \
-	name->length = 0; \
-	name->labels = 0; \
-	name->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
-} while (0);
-
-/*%
- * A name is "bindable" if it can be set to point to a new value, i.e.
- * name->ndata and name->length may be changed.
- */
-#define BINDABLE(name) \
-	((name->attributes & (DNS_NAMEATTR_READONLY|DNS_NAMEATTR_DYNAMIC)) \
-	 == 0)
-
-/*%
- * Note that the name data must be a char array, not a string
- * literal, to avoid compiler warnings about discarding
- * the const attribute of a string.
- */
-static unsigned char root_ndata[] = { '\0' };
-static unsigned char root_offsets[] = { 0 };
-
-static dns_name_t root =
-{
-	DNS_NAME_MAGIC,
-	root_ndata, 1, 1,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	root_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-/* XXXDCL make const? */
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_rootname = &root;
-
-static unsigned char wild_ndata[] = { '\001', '*' };
-static unsigned char wild_offsets[] = { 0 };
-
-static dns_name_t wild =
-{
-	DNS_NAME_MAGIC,
-	wild_ndata, 2, 1,
-	DNS_NAMEATTR_READONLY,
-	wild_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-/* XXXDCL make const? */
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_wildcardname = &wild;
-
-unsigned int
-dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
-
-/*
- * dns_name_t to text post-conversion procedure.
- */
-#ifdef ISC_PLATFORM_USETHREADS
-static int thread_key_initialized = 0;
-static isc_mutex_t thread_key_mutex;
-static isc_mem_t *thread_key_mctx = NULL;
-static isc_thread_key_t totext_filter_proc_key;
-static isc_once_t once = ISC_ONCE_INIT;
-#else
-static dns_name_totextfilter_t totext_filter_proc = NULL;
-#endif
-
-static void
-set_offsets(const dns_name_t *name, unsigned char *offsets,
-	    dns_name_t *set_name);
-
-void
-dns_name_init(dns_name_t *name, unsigned char *offsets) {
-	/*
-	 * Initialize 'name'.
-	 */
-	DNS_NAME_INIT(name, offsets);
-}
-
-void
-dns_name_reset(dns_name_t *name) {
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(BINDABLE(name));
-
-	DNS_NAME_RESET(name);
-}
-
-void
-dns_name_invalidate(dns_name_t *name) {
-	/*
-	 * Make 'name' invalid.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-
-	name->magic = 0;
-	name->ndata = NULL;
-	name->length = 0;
-	name->labels = 0;
-	name->attributes = 0;
-	name->offsets = NULL;
-	name->buffer = NULL;
-	ISC_LINK_INIT(name, link);
-}
-
-void
-dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer) {
-	/*
-	 * Dedicate a buffer for use with 'name'.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE((buffer != NULL && name->buffer == NULL) ||
-		(buffer == NULL));
-
-	name->buffer = buffer;
-}
-
-isc_boolean_t
-dns_name_hasbuffer(const dns_name_t *name) {
-	/*
-	 * Does 'name' have a dedicated buffer?
-	 */
-
-	REQUIRE(VALID_NAME(name));
-
-	if (name->buffer != NULL)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_name_isabsolute(const dns_name_t *name) {
-
-	/*
-	 * Does 'name' end in the root label?
-	 */
-
-	REQUIRE(VALID_NAME(name));
-
-	if ((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-#define hyphenchar(c) ((c) == 0x2d)
-#define asterchar(c) ((c) == 0x2a)
-#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) \
-		      || ((c) >= 0x61 && (c) <= 0x7a))
-#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
-#define borderchar(c) (alphachar(c) || digitchar(c))
-#define middlechar(c) (borderchar(c) || hyphenchar(c))
-#define domainchar(c) ((c) > 0x20 && (c) < 0x7f)
-
-isc_boolean_t
-dns_name_ismailbox(const dns_name_t *name) {
-	unsigned char *ndata, ch;
-	unsigned int n;
-	isc_boolean_t first;
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(name->labels > 0);
-	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
-
-	/*
-	 * Root label.
-	 */
-	if (name->length == 1)
-		return (ISC_TRUE);
-
-	ndata = name->ndata;
-	n = *ndata++;
-	INSIST(n <= 63);
-	while (n--) {
-		ch = *ndata++;
-		if (!domainchar(ch))
-			return (ISC_FALSE);
-	}
-
-	if (ndata == name->ndata + name->length)
-		return (ISC_FALSE);
-
-	/*
-	 * RFC292/RFC1123 hostname.
-	 */
-	while (ndata < (name->ndata + name->length)) {
-		n = *ndata++;
-		INSIST(n <= 63);
-		first = ISC_TRUE;
-		while (n--) {
-			ch = *ndata++;
-			if (first || n == 0) {
-				if (!borderchar(ch))
-					return (ISC_FALSE);
-			} else {
-				if (!middlechar(ch))
-					return (ISC_FALSE);
-			}
-			first = ISC_FALSE;
-		}
-	}
-	return (ISC_TRUE);
-}
-
-isc_boolean_t
-dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard) {
-	unsigned char *ndata, ch;
-	unsigned int n;
-	isc_boolean_t first;
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(name->labels > 0);
-	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
-
-	/*
-	 * Root label.
-	 */
-	if (name->length == 1)
-		return (ISC_TRUE);
-
-	/*
-	 * Skip wildcard if this is a ownername.
-	 */
-	ndata = name->ndata;
-	if (wildcard && ndata[0] == 1 && ndata[1] == '*')
-		ndata += 2;
-
-	/*
-	 * RFC292/RFC1123 hostname.
-	 */
-	while (ndata < (name->ndata + name->length)) {
-		n = *ndata++;
-		INSIST(n <= 63);
-		first = ISC_TRUE;
-		while (n--) {
-			ch = *ndata++;
-			if (first || n == 0) {
-				if (!borderchar(ch))
-					return (ISC_FALSE);
-			} else {
-				if (!middlechar(ch))
-					return (ISC_FALSE);
-			}
-			first = ISC_FALSE;
-		}
-	}
-	return (ISC_TRUE);
-}
-
-isc_boolean_t
-dns_name_iswildcard(const dns_name_t *name) {
-	unsigned char *ndata;
-
-	/*
-	 * Is 'name' a wildcard name?
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(name->labels > 0);
-
-	if (name->length >= 2) {
-		ndata = name->ndata;
-		if (ndata[0] == 1 && ndata[1] == '*')
-			return (ISC_TRUE);
-	}
-
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_name_internalwildcard(const dns_name_t *name) {
-	unsigned char *ndata;
-	unsigned int count;
-	unsigned int label;
-
-	/*
-	 * Does 'name' contain a internal wildcard?
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(name->labels > 0);
-
-	/*
-	 * Skip first label.
-	 */
-	ndata = name->ndata;
-	count = *ndata++;
-	INSIST(count <= 63);
-	ndata += count;
-	label = 1;
-	/*
-	 * Check all but the last of the remaining labels.
-	 */
-	while (label + 1 < name->labels) {
-		count = *ndata++;
-		INSIST(count <= 63);
-		if (count == 1 && *ndata == '*')
-			return (ISC_TRUE);
-		ndata += count;
-		label++;
-	}
-	return (ISC_FALSE);
-}
-
-static inline unsigned int
-name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
-	unsigned int length;
-	const unsigned char *s;
-	unsigned int h = 0;
-	unsigned char c;
-
-	length = name->length;
-	if (length > 16)
-		length = 16;
-
-	/*
-	 * This hash function is similar to the one Ousterhout
-	 * uses in Tcl.
-	 */
-	s = name->ndata;
-	if (case_sensitive) {
-		while (length > 0) {
-			h += ( h << 3 ) + *s;
-			s++;
-			length--;
-		}
-	} else {
-		while (length > 0) {
-			c = maptolower[*s];
-			h += ( h << 3 ) + c;
-			s++;
-			length--;
-		}
-	}
-
-	return (h);
-}
-
-unsigned int
-dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
-	/*
-	 * Provide a hash value for 'name'.
-	 */
-	REQUIRE(VALID_NAME(name));
-
-	if (name->labels == 0)
-		return (0);
-
-	return (name_hash(name, case_sensitive));
-}
-
-unsigned int
-dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive) {
-	/*
-	 * Provide a hash value for 'name'.
-	 */
-	REQUIRE(VALID_NAME(name));
-
-	if (name->labels == 0)
-		return (0);
-
-	return (isc_hash_calc((const unsigned char *)name->ndata,
-			      name->length, case_sensitive));
-}
-
-unsigned int
-dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
-	/*
-	 * This function was deprecated due to the breakage of the name space
-	 * convention.  We only keep this internally to provide binary backward
-	 * compatibility.
-	 */
-	REQUIRE(VALID_NAME(name));
-
-	return (dns_name_fullhash(name, case_sensitive));
-}
-
-unsigned int
-dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive) {
-	unsigned char *offsets;
-	dns_offsets_t odata;
-	dns_name_t tname;
-	unsigned int h = 0;
-	unsigned int i;
-
-	/*
-	 * Provide a hash value for 'name'.
-	 */
-	REQUIRE(VALID_NAME(name));
-
-	if (name->labels == 0)
-		return (0);
-	else if (name->labels == 1)
-		return (name_hash(name, case_sensitive));
-
-	SETUP_OFFSETS(name, offsets, odata);
-	DNS_NAME_INIT(&tname, NULL);
-	tname.labels = 1;
-	h = 0;
-	for (i = 0; i < name->labels; i++) {
-		tname.ndata = name->ndata + offsets[i];
-		if (i == name->labels - 1)
-			tname.length = name->length - offsets[i];
-		else
-			tname.length = offsets[i + 1] - offsets[i];
-		h += name_hash(&tname, case_sensitive);
-	}
-
-	return (h);
-}
-
-dns_namereln_t
-dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
-		     int *orderp, unsigned int *nlabelsp)
-{
-	unsigned int l1, l2, l, count1, count2, count, nlabels;
-	int cdiff, ldiff, chdiff;
-	unsigned char *label1, *label2;
-	unsigned char *offsets1, *offsets2;
-	dns_offsets_t odata1, odata2;
-	dns_namereln_t namereln = dns_namereln_none;
-
-	/*
-	 * Determine the relative ordering under the DNSSEC order relation of
-	 * 'name1' and 'name2', and also determine the hierarchical
-	 * relationship of the names.
-	 *
-	 * Note: It makes no sense for one of the names to be relative and the
-	 * other absolute.  If both names are relative, then to be meaningfully
-	 * compared the caller must ensure that they are both relative to the
-	 * same domain.
-	 */
-
-	REQUIRE(VALID_NAME(name1));
-	REQUIRE(VALID_NAME(name2));
-	REQUIRE(orderp != NULL);
-	REQUIRE(nlabelsp != NULL);
-	/*
-	 * Either name1 is absolute and name2 is absolute, or neither is.
-	 */
-	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
-		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
-
-	SETUP_OFFSETS(name1, offsets1, odata1);
-	SETUP_OFFSETS(name2, offsets2, odata2);
-
-	nlabels = 0;
-	l1 = name1->labels;
-	l2 = name2->labels;
-	if (l2 > l1) {
-		l = l1;
-		ldiff = 0 - (l2 - l1);
-	} else {
-		l = l2;
-		ldiff = l1 - l2;
-	}
-
-	while (l > 0) {
-		l--;
-		l1--;
-		l2--;
-		label1 = &name1->ndata[offsets1[l1]];
-		label2 = &name2->ndata[offsets2[l2]];
-		count1 = *label1++;
-		count2 = *label2++;
-
-		/*
-		 * We dropped bitstring labels, and we don't support any
-		 * other extended label types.
-		 */
-		INSIST(count1 <= 63 && count2 <= 63);
-
-		cdiff = (int)count1 - (int)count2;
-		if (cdiff < 0)
-			count = count1;
-		else
-			count = count2;
-
-		while (count > 0) {
-			chdiff = (int)maptolower[*label1] -
-			    (int)maptolower[*label2];
-			if (chdiff != 0) {
-				*orderp = chdiff;
-				goto done;
-			}
-			count--;
-			label1++;
-			label2++;
-		}
-		if (cdiff != 0) {
-			*orderp = cdiff;
-			goto done;
-		}
-		nlabels++;
-	}
-
-	*orderp = ldiff;
-	if (ldiff < 0)
-		namereln = dns_namereln_contains;
-	else if (ldiff > 0)
-		namereln = dns_namereln_subdomain;
-	else
-		namereln = dns_namereln_equal;
-
- done:
-	*nlabelsp = nlabels;
-
-	if (nlabels > 0 && namereln == dns_namereln_none)
-		namereln = dns_namereln_commonancestor;
-
-	return (namereln);
-}
-
-int
-dns_name_compare(const dns_name_t *name1, const dns_name_t *name2) {
-	int order;
-	unsigned int nlabels;
-
-	/*
-	 * Determine the relative ordering under the DNSSEC order relation of
-	 * 'name1' and 'name2'.
-	 *
-	 * Note: It makes no sense for one of the names to be relative and the
-	 * other absolute.  If both names are relative, then to be meaningfully
-	 * compared the caller must ensure that they are both relative to the
-	 * same domain.
-	 */
-
-	(void)dns_name_fullcompare(name1, name2, &order, &nlabels);
-
-	return (order);
-}
-
-isc_boolean_t
-dns_name_equal(const dns_name_t *name1, const dns_name_t *name2) {
-	unsigned int l, count;
-	unsigned char c;
-	unsigned char *label1, *label2;
-
-	/*
-	 * Are 'name1' and 'name2' equal?
-	 *
-	 * Note: It makes no sense for one of the names to be relative and the
-	 * other absolute.  If both names are relative, then to be meaningfully
-	 * compared the caller must ensure that they are both relative to the
-	 * same domain.
-	 */
-
-	REQUIRE(VALID_NAME(name1));
-	REQUIRE(VALID_NAME(name2));
-	/*
-	 * Either name1 is absolute and name2 is absolute, or neither is.
-	 */
-	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
-		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
-
-	if (name1->length != name2->length)
-		return (ISC_FALSE);
-
-	l = name1->labels;
-
-	if (l != name2->labels)
-		return (ISC_FALSE);
-
-	label1 = name1->ndata;
-	label2 = name2->ndata;
-	while (l > 0) {
-		l--;
-		count = *label1++;
-		if (count != *label2++)
-			return (ISC_FALSE);
-
-		INSIST(count <= 63); /* no bitstring support */
-
-		while (count > 0) {
-			count--;
-			c = maptolower[*label1++];
-			if (c != maptolower[*label2++])
-				return (ISC_FALSE);
-		}
-	}
-
-	return (ISC_TRUE);
-}
-
-isc_boolean_t
-dns_name_caseequal(const dns_name_t *name1, const dns_name_t *name2) {
-
-	/*
-	 * Are 'name1' and 'name2' equal?
-	 *
-	 * Note: It makes no sense for one of the names to be relative and the
-	 * other absolute.  If both names are relative, then to be meaningfully
-	 * compared the caller must ensure that they are both relative to the
-	 * same domain.
-	 */
-
-	REQUIRE(VALID_NAME(name1));
-	REQUIRE(VALID_NAME(name2));
-	/*
-	 * Either name1 is absolute and name2 is absolute, or neither is.
-	 */
-	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
-		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
-
-	if (name1->length != name2->length)
-		return (ISC_FALSE);
-
-	if (memcmp(name1->ndata, name2->ndata, name1->length) != 0)
-		return (ISC_FALSE);
-
-	return (ISC_TRUE);
-}
-
-int
-dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2) {
-	unsigned int l1, l2, l, count1, count2, count;
-	unsigned char c1, c2;
-	unsigned char *label1, *label2;
-
-	/*
-	 * Compare two absolute names as rdata.
-	 */
-
-	REQUIRE(VALID_NAME(name1));
-	REQUIRE(name1->labels > 0);
-	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
-	REQUIRE(VALID_NAME(name2));
-	REQUIRE(name2->labels > 0);
-	REQUIRE((name2->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
-
-	l1 = name1->labels;
-	l2 = name2->labels;
-
-	l = (l1 < l2) ? l1 : l2;
-
-	label1 = name1->ndata;
-	label2 = name2->ndata;
-	while (l > 0) {
-		l--;
-		count1 = *label1++;
-		count2 = *label2++;
-
-		/* no bitstring support */
-		INSIST(count1 <= 63 && count2 <= 63);
-
-		if (count1 != count2)
-			return ((count1 < count2) ? -1 : 1);
-		count = count1;
-		while (count > 0) {
-			count--;
-			c1 = maptolower[*label1++];
-			c2 = maptolower[*label2++];
-			if (c1 < c2)
-				return (-1);
-			else if (c1 > c2)
-				return (1);
-		}
-	}
-
-	/*
-	 * If one name had more labels than the other, their common
-	 * prefix must have been different because the shorter name
-	 * ended with the root label and the longer one can't have
-	 * a root label in the middle of it.  Therefore, if we get
-	 * to this point, the lengths must be equal.
-	 */
-	INSIST(l1 == l2);
-
-	return (0);
-}
-
-isc_boolean_t
-dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2) {
-	int order;
-	unsigned int nlabels;
-	dns_namereln_t namereln;
-
-	/*
-	 * Is 'name1' a subdomain of 'name2'?
-	 *
-	 * Note: It makes no sense for one of the names to be relative and the
-	 * other absolute.  If both names are relative, then to be meaningfully
-	 * compared the caller must ensure that they are both relative to the
-	 * same domain.
-	 */
-
-	namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
-	if (namereln == dns_namereln_subdomain ||
-	    namereln == dns_namereln_equal)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname) {
-	int order;
-	unsigned int nlabels, labels;
-	dns_name_t tname;
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(name->labels > 0);
-	REQUIRE(VALID_NAME(wname));
-	labels = wname->labels;
-	REQUIRE(labels > 0);
-	REQUIRE(dns_name_iswildcard(wname));
-
-#if defined(__clang__)  && \
-       ( __clang_major__ < 3 || (__clang_major__ == 3 && __clang_minor__ < 2))
-	memset(&tname, 0, sizeof(tname));
-#endif
-	DNS_NAME_INIT(&tname, NULL);
-	dns_name_getlabelsequence(wname, 1, labels - 1, &tname);
-	if (dns_name_fullcompare(name, &tname, &order, &nlabels) ==
-	    dns_namereln_subdomain)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-unsigned int
-dns_name_countlabels(const dns_name_t *name) {
-	/*
-	 * How many labels does 'name' have?
-	 */
-
-	REQUIRE(VALID_NAME(name));
-
-	ENSURE(name->labels <= 128);
-
-	return (name->labels);
-}
-
-void
-dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label) {
-	unsigned char *offsets;
-	dns_offsets_t odata;
-
-	/*
-	 * Make 'label' refer to the 'n'th least significant label of 'name'.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(name->labels > 0);
-	REQUIRE(n < name->labels);
-	REQUIRE(label != NULL);
-
-	SETUP_OFFSETS(name, offsets, odata);
-
-	label->base = &name->ndata[offsets[n]];
-	if (n == name->labels - 1)
-		label->length = name->length - offsets[n];
-	else
-		label->length = offsets[n + 1] - offsets[n];
-}
-
-void
-dns_name_getlabelsequence(const dns_name_t *source,
-			  unsigned int first, unsigned int n,
-			  dns_name_t *target)
-{
-	unsigned char *offsets;
-	dns_offsets_t odata;
-	unsigned int firstoffset, endoffset;
-
-	/*
-	 * Make 'target' refer to the 'n' labels including and following
-	 * 'first' in 'source'.
-	 */
-
-	REQUIRE(VALID_NAME(source));
-	REQUIRE(VALID_NAME(target));
-	REQUIRE(first <= source->labels);
-	REQUIRE(n <= source->labels - first); /* note first+n could overflow */
-	REQUIRE(BINDABLE(target));
-
-	SETUP_OFFSETS(source, offsets, odata);
-
-	if (first == source->labels)
-		firstoffset = source->length;
-	else
-		firstoffset = offsets[first];
-
-	if (first + n == source->labels)
-		endoffset = source->length;
-	else
-		endoffset = offsets[first + n];
-
-	target->ndata = &source->ndata[firstoffset];
-	target->length = endoffset - firstoffset;
-
-	if (first + n == source->labels && n > 0 &&
-	    (source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
-		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
-	else
-		target->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
-
-	target->labels = n;
-
-	/*
-	 * If source and target are the same, and we're making target
-	 * a prefix of source, the offsets table is correct already
-	 * so we don't need to call set_offsets().
-	 */
-	if (target->offsets != NULL &&
-	    (target != source || first != 0))
-		set_offsets(target, target->offsets, NULL);
-}
-
-void
-dns_name_clone(const dns_name_t *source, dns_name_t *target) {
-
-	/*
-	 * Make 'target' refer to the same name as 'source'.
-	 */
-
-	REQUIRE(VALID_NAME(source));
-	REQUIRE(VALID_NAME(target));
-	REQUIRE(BINDABLE(target));
-
-	target->ndata = source->ndata;
-	target->length = source->length;
-	target->labels = source->labels;
-	target->attributes = source->attributes &
-		(unsigned int)~(DNS_NAMEATTR_READONLY | DNS_NAMEATTR_DYNAMIC |
-				DNS_NAMEATTR_DYNOFFSETS);
-	if (target->offsets != NULL && source->labels > 0) {
-		if (source->offsets != NULL)
-			memcpy(target->offsets, source->offsets,
-			       source->labels);
-		else
-			set_offsets(target, target->offsets, NULL);
-	}
-}
-
-void
-dns_name_fromregion(dns_name_t *name, const isc_region_t *r) {
-	unsigned char *offsets;
-	dns_offsets_t odata;
-	unsigned int len;
-	isc_region_t r2;
-
-	/*
-	 * Make 'name' refer to region 'r'.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(r != NULL);
-	REQUIRE(BINDABLE(name));
-
-	INIT_OFFSETS(name, offsets, odata);
-
-	if (name->buffer != NULL) {
-		isc_buffer_clear(name->buffer);
-		isc_buffer_availableregion(name->buffer, &r2);
-		len = (r->length < r2.length) ? r->length : r2.length;
-		if (len > DNS_NAME_MAXWIRE)
-			len = DNS_NAME_MAXWIRE;
-		memcpy(r2.base, r->base, len);
-		name->ndata = r2.base;
-		name->length = len;
-	} else {
-		name->ndata = r->base;
-		name->length = (r->length <= DNS_NAME_MAXWIRE) ?
-			r->length : DNS_NAME_MAXWIRE;
-	}
-
-	if (r->length > 0)
-		set_offsets(name, offsets, name);
-	else {
-		name->labels = 0;
-		name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
-	}
-
-	if (name->buffer != NULL)
-		isc_buffer_add(name->buffer, name->length);
-}
-
-void
-dns_name_toregion(dns_name_t *name, isc_region_t *r) {
-	/*
-	 * Make 'r' refer to 'name'.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(r != NULL);
-
-	DNS_NAME_TOREGION(name, r);
-}
-
-isc_result_t
-dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
-		  const dns_name_t *origin, unsigned int options,
-		  isc_buffer_t *target)
-{
-	unsigned char *ndata, *label = NULL;
-	char *tdata;
-	char c;
-	ft_state state;
-	unsigned int value = 0, count = 0;
-	unsigned int n1 = 0, n2 = 0;
-	unsigned int tlen, nrem, nused, digits = 0, labels, tused;
-	isc_boolean_t done;
-	unsigned char *offsets;
-	dns_offsets_t odata;
-	isc_boolean_t downcase;
-
-	/*
-	 * Convert the textual representation of a DNS name at source
-	 * into uncompressed wire form stored in target.
-	 *
-	 * Notes:
-	 *	Relative domain names will have 'origin' appended to them
-	 *	unless 'origin' is NULL, in which case relative domain names
-	 *	will remain relative.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(ISC_BUFFER_VALID(source));
-	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
-		(target == NULL && ISC_BUFFER_VALID(name->buffer)));
-
-	downcase = ISC_TF((options & DNS_NAME_DOWNCASE) != 0);
-
-	if (target == NULL && name->buffer != NULL) {
-		target = name->buffer;
-		isc_buffer_clear(target);
-	}
-
-	REQUIRE(BINDABLE(name));
-
-	INIT_OFFSETS(name, offsets, odata);
-	offsets[0] = 0;
-
-	/*
-	 * Make 'name' empty in case of failure.
-	 */
-	MAKE_EMPTY(name);
-
-	/*
-	 * Set up the state machine.
-	 */
-	tdata = (char *)source->base + source->current;
-	tlen = isc_buffer_remaininglength(source);
-	tused = 0;
-	ndata = isc_buffer_used(target);
-	nrem = isc_buffer_availablelength(target);
-	if (nrem > 255)
-		nrem = 255;
-	nused = 0;
-	labels = 0;
-	done = ISC_FALSE;
-	state = ft_init;
-
-	while (nrem > 0 && tlen > 0 && !done) {
-		c = *tdata++;
-		tlen--;
-		tused++;
-
-		switch (state) {
-		case ft_init:
-			/*
-			 * Is this the root name?
-			 */
-			if (c == '.') {
-				if (tlen != 0)
-					return (DNS_R_EMPTYLABEL);
-				labels++;
-				*ndata++ = 0;
-				nrem--;
-				nused++;
-				done = ISC_TRUE;
-				break;
-			}
-			if (c == '@' && tlen == 0) {
-				state = ft_at;
-				break;
-			}
-
-			/* FALLTHROUGH */
-		case ft_start:
-			label = ndata;
-			ndata++;
-			nrem--;
-			nused++;
-			count = 0;
-			if (c == '\\') {
-				state = ft_initialescape;
-				break;
-			}
-			state = ft_ordinary;
-			if (nrem == 0)
-				return (ISC_R_NOSPACE);
-			/* FALLTHROUGH */
-		case ft_ordinary:
-			if (c == '.') {
-				if (count == 0)
-					return (DNS_R_EMPTYLABEL);
-				*label = count;
-				labels++;
-				INSIST(labels <= 127);
-				offsets[labels] = nused;
-				if (tlen == 0) {
-					labels++;
-					*ndata++ = 0;
-					nrem--;
-					nused++;
-					done = ISC_TRUE;
-				}
-				state = ft_start;
-			} else if (c == '\\') {
-				state = ft_escape;
-			} else {
-				if (count >= 63)
-					return (DNS_R_LABELTOOLONG);
-				count++;
-				CONVERTTOASCII(c);
-				if (downcase)
-					c = maptolower[(int)c];
-				*ndata++ = c;
-				nrem--;
-				nused++;
-			}
-			break;
-		case ft_initialescape:
-			if (c == '[') {
-				/*
-				 * This looks like a bitstring label, which
-				 * was deprecated.  Intentionally drop it.
-				 */
-				return (DNS_R_BADLABELTYPE);
-			}
-			state = ft_escape;
-			POST(state);
-			/* FALLTHROUGH */
-		case ft_escape:
-			if (!isdigit(c & 0xff)) {
-				if (count >= 63)
-					return (DNS_R_LABELTOOLONG);
-				count++;
-				CONVERTTOASCII(c);
-				if (downcase)
-					c = maptolower[(int)c];
-				*ndata++ = c;
-				nrem--;
-				nused++;
-				state = ft_ordinary;
-				break;
-			}
-			digits = 0;
-			value = 0;
-			state = ft_escdecimal;
-			/* FALLTHROUGH */
-		case ft_escdecimal:
-			if (!isdigit(c & 0xff))
-				return (DNS_R_BADESCAPE);
-			value *= 10;
-			value += digitvalue[(int)c];
-			digits++;
-			if (digits == 3) {
-				if (value > 255)
-					return (DNS_R_BADESCAPE);
-				if (count >= 63)
-					return (DNS_R_LABELTOOLONG);
-				count++;
-				if (downcase)
-					value = maptolower[value];
-				*ndata++ = value;
-				nrem--;
-				nused++;
-				state = ft_ordinary;
-			}
-			break;
-		default:
-			FATAL_ERROR(__FILE__, __LINE__,
-				    "Unexpected state %d", state);
-			/* Does not return. */
-		}
-	}
-
-	if (!done) {
-		if (nrem == 0)
-			return (ISC_R_NOSPACE);
-		INSIST(tlen == 0);
-		if (state != ft_ordinary && state != ft_at)
-			return (ISC_R_UNEXPECTEDEND);
-		if (state == ft_ordinary) {
-			INSIST(count != 0);
-			*label = count;
-			labels++;
-			INSIST(labels <= 127);
-			offsets[labels] = nused;
-		}
-		if (origin != NULL) {
-			if (nrem < origin->length)
-				return (ISC_R_NOSPACE);
-			label = origin->ndata;
-			n1 = origin->length;
-			nrem -= n1;
-			POST(nrem);
-			while (n1 > 0) {
-				n2 = *label++;
-				INSIST(n2 <= 63); /* no bitstring support */
-				*ndata++ = n2;
-				n1 -= n2 + 1;
-				nused += n2 + 1;
-				while (n2 > 0) {
-					c = *label++;
-					if (downcase)
-						c = maptolower[(int)c];
-					*ndata++ = c;
-					n2--;
-				}
-				labels++;
-				if (n1 > 0) {
-					INSIST(labels <= 127);
-					offsets[labels] = nused;
-				}
-			}
-			if ((origin->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
-				name->attributes |= DNS_NAMEATTR_ABSOLUTE;
-		}
-	} else
-		name->attributes |= DNS_NAMEATTR_ABSOLUTE;
-
-	name->ndata = (unsigned char *)target->base + target->used;
-	name->labels = labels;
-	name->length = nused;
-
-	isc_buffer_forward(source, tused);
-	isc_buffer_add(target, name->length);
-
-	return (ISC_R_SUCCESS);
-}
-
-#ifdef ISC_PLATFORM_USETHREADS
-static void
-free_specific(void *arg) {
-	dns_name_totextfilter_t *mem = arg;
-	isc_mem_put(thread_key_mctx, mem, sizeof(*mem));
-	/* Stop use being called again. */
-	(void)isc_thread_key_setspecific(totext_filter_proc_key, NULL);
-}
-
-static void
-thread_key_mutex_init(void) {
-	RUNTIME_CHECK(isc_mutex_init(&thread_key_mutex) == ISC_R_SUCCESS);
-}
-
-static isc_result_t
-totext_filter_proc_key_init(void) {
-	isc_result_t result;
-
-	/*
-	 * We need the call to isc_once_do() to support profiled mutex
-	 * otherwise thread_key_mutex could be initialized at compile time.
-	 */
-	result = isc_once_do(&once, thread_key_mutex_init);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (!thread_key_initialized) {
-		LOCK(&thread_key_mutex);
-		if (thread_key_mctx == NULL)
-			result = isc_mem_create2(0, 0, &thread_key_mctx, 0);
-		if (result != ISC_R_SUCCESS)
-			goto unlock;
-		isc_mem_setname(thread_key_mctx, "threadkey", NULL);
-		isc_mem_setdestroycheck(thread_key_mctx, ISC_FALSE);
-
-		if (!thread_key_initialized &&
-		     isc_thread_key_create(&totext_filter_proc_key,
-					   free_specific) != 0) {
-			result = ISC_R_FAILURE;
-			isc_mem_detach(&thread_key_mctx);
-		} else
-			thread_key_initialized = 1;
- unlock:
-		UNLOCK(&thread_key_mutex);
-	}
-	return (result);
-}
-#endif
-
-isc_result_t
-dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
-		isc_buffer_t *target)
-{
-	unsigned int options = DNS_NAME_MASTERFILE;
-
-	if (omit_final_dot)
-		options |= DNS_NAME_OMITFINALDOT;
-	return (dns_name_totext2(name, options, target));
-}
-
-isc_result_t
-dns_name_toprincipal(dns_name_t *name, isc_buffer_t *target) {
-	return (dns_name_totext2(name, DNS_NAME_OMITFINALDOT, target));
-}
-
-isc_result_t
-dns_name_totext2(dns_name_t *name, unsigned int options, isc_buffer_t *target)
-{
-	unsigned char *ndata;
-	char *tdata;
-	unsigned int nlen, tlen;
-	unsigned char c;
-	unsigned int trem, count;
-	unsigned int labels;
-	isc_boolean_t saw_root = ISC_FALSE;
-	unsigned int oused = target->used;
-#ifdef ISC_PLATFORM_USETHREADS
-	dns_name_totextfilter_t *mem;
-	dns_name_totextfilter_t totext_filter_proc = NULL;
-	isc_result_t result;
-#endif
-	isc_boolean_t omit_final_dot =
-		ISC_TF(options & DNS_NAME_OMITFINALDOT);
-
-	/*
-	 * This function assumes the name is in proper uncompressed
-	 * wire format.
-	 */
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(ISC_BUFFER_VALID(target));
-
-#ifdef ISC_PLATFORM_USETHREADS
-	result = totext_filter_proc_key_init();
-	if (result != ISC_R_SUCCESS)
-		return (result);
-#endif
-	ndata = name->ndata;
-	nlen = name->length;
-	labels = name->labels;
-	tdata = isc_buffer_used(target);
-	tlen = isc_buffer_availablelength(target);
-
-	trem = tlen;
-
-	if (labels == 0 && nlen == 0) {
-		/*
-		 * Special handling for an empty name.
-		 */
-		if (trem == 0)
-			return (ISC_R_NOSPACE);
-
-		/*
-		 * The names of these booleans are misleading in this case.
-		 * This empty name is not necessarily from the root node of
-		 * the DNS root zone, nor is a final dot going to be included.
-		 * They need to be set this way, though, to keep the "@"
-		 * from being trounced.
-		 */
-		saw_root = ISC_TRUE;
-		omit_final_dot = ISC_FALSE;
-		*tdata++ = '@';
-		trem--;
-
-		/*
-		 * Skip the while() loop.
-		 */
-		nlen = 0;
-	} else if (nlen == 1 && labels == 1 && *ndata == '\0') {
-		/*
-		 * Special handling for the root label.
-		 */
-		if (trem == 0)
-			return (ISC_R_NOSPACE);
-
-		saw_root = ISC_TRUE;
-		omit_final_dot = ISC_FALSE;
-		*tdata++ = '.';
-		trem--;
-
-		/*
-		 * Skip the while() loop.
-		 */
-		nlen = 0;
-	}
-
-	while (labels > 0 && nlen > 0 && trem > 0) {
-		labels--;
-		count = *ndata++;
-		nlen--;
-		if (count == 0) {
-			saw_root = ISC_TRUE;
-			break;
-		}
-		if (count < 64) {
-			INSIST(nlen >= count);
-			while (count > 0) {
-				c = *ndata;
-				switch (c) {
-				/* Special modifiers in zone files. */
-				case 0x40: /* '@' */
-				case 0x24: /* '$' */
-					if ((options & DNS_NAME_MASTERFILE) == 0)
-						goto no_escape;
-					/* FALLTHROUGH */
-				case 0x22: /* '"' */
-				case 0x28: /* '(' */
-				case 0x29: /* ')' */
-				case 0x2E: /* '.' */
-				case 0x3B: /* ';' */
-				case 0x5C: /* '\\' */
-					if (trem < 2)
-						return (ISC_R_NOSPACE);
-					*tdata++ = '\\';
-					CONVERTFROMASCII(c);
-					*tdata++ = c;
-					ndata++;
-					trem -= 2;
-					nlen--;
-					break;
-				no_escape:
-				default:
-					if (c > 0x20 && c < 0x7f) {
-						if (trem == 0)
-							return (ISC_R_NOSPACE);
-						CONVERTFROMASCII(c);
-						*tdata++ = c;
-						ndata++;
-						trem--;
-						nlen--;
-					} else {
-						if (trem < 4)
-							return (ISC_R_NOSPACE);
-						*tdata++ = 0x5c;
-						*tdata++ = 0x30 +
-							   ((c / 100) % 10);
-						*tdata++ = 0x30 +
-							   ((c / 10) % 10);
-						*tdata++ = 0x30 + (c % 10);
-						trem -= 4;
-						ndata++;
-						nlen--;
-					}
-				}
-				count--;
-			}
-		} else {
-			FATAL_ERROR(__FILE__, __LINE__,
-				    "Unexpected label type %02x", count);
-			/* NOTREACHED */
-		}
-
-		/*
-		 * The following assumes names are absolute.  If not, we
-		 * fix things up later.  Note that this means that in some
-		 * cases one more byte of text buffer is required than is
-		 * needed in the final output.
-		 */
-		if (trem == 0)
-			return (ISC_R_NOSPACE);
-		*tdata++ = '.';
-		trem--;
-	}
-
-	if (nlen != 0 && trem == 0)
-		return (ISC_R_NOSPACE);
-
-	if (!saw_root || omit_final_dot)
-		trem++;
-
-	isc_buffer_add(target, tlen - trem);
-
-#ifdef ISC_PLATFORM_USETHREADS
-	mem = isc_thread_key_getspecific(totext_filter_proc_key);
-	if (mem != NULL)
-		totext_filter_proc = *mem;
-#endif
-	if (totext_filter_proc != NULL)
-		return ((*totext_filter_proc)(target, oused, saw_root));
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
-			isc_buffer_t *target)
-{
-	unsigned char *ndata;
-	char *tdata;
-	unsigned int nlen, tlen;
-	unsigned char c;
-	unsigned int trem, count;
-	unsigned int labels;
-
-	/*
-	 * This function assumes the name is in proper uncompressed
-	 * wire format.
-	 */
-	REQUIRE(VALID_NAME(name));
-	REQUIRE((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
-	REQUIRE(ISC_BUFFER_VALID(target));
-
-	ndata = name->ndata;
-	nlen = name->length;
-	labels = name->labels;
-	tdata = isc_buffer_used(target);
-	tlen = isc_buffer_availablelength(target);
-
-	trem = tlen;
-
-	if (nlen == 1 && labels == 1 && *ndata == '\0') {
-		/*
-		 * Special handling for the root label.
-		 */
-		if (trem == 0)
-			return (ISC_R_NOSPACE);
-
-		omit_final_dot = ISC_FALSE;
-		*tdata++ = '.';
-		trem--;
-
-		/*
-		 * Skip the while() loop.
-		 */
-		nlen = 0;
-	}
-
-	while (labels > 0 && nlen > 0 && trem > 0) {
-		labels--;
-		count = *ndata++;
-		nlen--;
-		if (count == 0)
-			break;
-		if (count < 64) {
-			INSIST(nlen >= count);
-			while (count > 0) {
-				c = *ndata;
-				if ((c >= 0x30 && c <= 0x39) || /* digit */
-				    (c >= 0x41 && c <= 0x5A) ||	/* uppercase */
-				    (c >= 0x61 && c <= 0x7A) || /* lowercase */
-				    c == 0x2D ||		/* hyphen */
-				    c == 0x5F)			/* underscore */
-				{
-					if (trem == 0)
-						return (ISC_R_NOSPACE);
-					/* downcase */
-					if (c >= 0x41 && c <= 0x5A)
-						c += 0x20;
-					CONVERTFROMASCII(c);
-					*tdata++ = c;
-					ndata++;
-					trem--;
-					nlen--;
-				} else {
-					if (trem < 3)
-						return (ISC_R_NOSPACE);
-					sprintf(tdata, "%%%02X", c);
-					tdata += 3;
-					trem -= 3;
-					ndata++;
-					nlen--;
-				}
-				count--;
-			}
-		} else {
-			FATAL_ERROR(__FILE__, __LINE__,
-				    "Unexpected label type %02x", count);
-			/* NOTREACHED */
-		}
-
-		/*
-		 * The following assumes names are absolute.  If not, we
-		 * fix things up later.  Note that this means that in some
-		 * cases one more byte of text buffer is required than is
-		 * needed in the final output.
-		 */
-		if (trem == 0)
-			return (ISC_R_NOSPACE);
-		*tdata++ = '.';
-		trem--;
-	}
-
-	if (nlen != 0 && trem == 0)
-		return (ISC_R_NOSPACE);
-
-	if (omit_final_dot)
-		trem++;
-
-	isc_buffer_add(target, tlen - trem);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_downcase(dns_name_t *source, dns_name_t *name, isc_buffer_t *target) {
-	unsigned char *sndata, *ndata;
-	unsigned int nlen, count, labels;
-	isc_buffer_t buffer;
-
-	/*
-	 * Downcase 'source'.
-	 */
-
-	REQUIRE(VALID_NAME(source));
-	REQUIRE(VALID_NAME(name));
-	if (source == name) {
-		REQUIRE((name->attributes & DNS_NAMEATTR_READONLY) == 0);
-		isc_buffer_init(&buffer, source->ndata, source->length);
-		target = &buffer;
-		ndata = source->ndata;
-	} else {
-		REQUIRE(BINDABLE(name));
-		REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
-			(target == NULL && ISC_BUFFER_VALID(name->buffer)));
-		if (target == NULL) {
-			target = name->buffer;
-			isc_buffer_clear(name->buffer);
-		}
-		ndata = (unsigned char *)target->base + target->used;
-		name->ndata = ndata;
-	}
-
-	sndata = source->ndata;
-	nlen = source->length;
-	labels = source->labels;
-
-	if (nlen > (target->length - target->used)) {
-		MAKE_EMPTY(name);
-		return (ISC_R_NOSPACE);
-	}
-
-	while (labels > 0 && nlen > 0) {
-		labels--;
-		count = *sndata++;
-		*ndata++ = count;
-		nlen--;
-		if (count < 64) {
-			INSIST(nlen >= count);
-			while (count > 0) {
-				*ndata++ = maptolower[(*sndata++)];
-				nlen--;
-				count--;
-			}
-		} else {
-			FATAL_ERROR(__FILE__, __LINE__,
-				    "Unexpected label type %02x", count);
-			/* Does not return. */
-		}
-	}
-
-	if (source != name) {
-		name->labels = source->labels;
-		name->length = source->length;
-		if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
-			name->attributes = DNS_NAMEATTR_ABSOLUTE;
-		else
-			name->attributes = 0;
-		if (name->labels > 0 && name->offsets != NULL)
-			set_offsets(name, name->offsets, NULL);
-	}
-
-	isc_buffer_add(target, name->length);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-set_offsets(const dns_name_t *name, unsigned char *offsets,
-	    dns_name_t *set_name)
-{
-	unsigned int offset, count, length, nlabels;
-	unsigned char *ndata;
-	isc_boolean_t absolute;
-
-	ndata = name->ndata;
-	length = name->length;
-	offset = 0;
-	nlabels = 0;
-	absolute = ISC_FALSE;
-	while (offset != length) {
-		INSIST(nlabels < 128);
-		offsets[nlabels++] = offset;
-		count = *ndata++;
-		offset++;
-		INSIST(count <= 63);
-		offset += count;
-		ndata += count;
-		INSIST(offset <= length);
-		if (count == 0) {
-			absolute = ISC_TRUE;
-			break;
-		}
-	}
-	if (set_name != NULL) {
-		INSIST(set_name == name);
-
-		set_name->labels = nlabels;
-		set_name->length = offset;
-		if (absolute)
-			set_name->attributes |= DNS_NAMEATTR_ABSOLUTE;
-		else
-			set_name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
-	}
-	INSIST(nlabels == name->labels);
-	INSIST(offset == name->length);
-}
-
-isc_result_t
-dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
-		  dns_decompress_t *dctx, unsigned int options,
-		  isc_buffer_t *target)
-{
-	unsigned char *cdata, *ndata;
-	unsigned int cused; /* Bytes of compressed name data used */
-	unsigned int nused, labels, n, nmax;
-	unsigned int current, new_current, biggest_pointer;
-	isc_boolean_t done;
-	fw_state state = fw_start;
-	unsigned int c;
-	unsigned char *offsets;
-	dns_offsets_t odata;
-	isc_boolean_t downcase;
-	isc_boolean_t seen_pointer;
-
-	/*
-	 * Copy the possibly-compressed name at source into target,
-	 * decompressing it.  Loop prevention is performed by checking
-	 * the new pointer against biggest_pointer.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
-		(target == NULL && ISC_BUFFER_VALID(name->buffer)));
-
-	downcase = ISC_TF((options & DNS_NAME_DOWNCASE) != 0);
-
-	if (target == NULL && name->buffer != NULL) {
-		target = name->buffer;
-		isc_buffer_clear(target);
-	}
-
-	REQUIRE(dctx != NULL);
-	REQUIRE(BINDABLE(name));
-
-	INIT_OFFSETS(name, offsets, odata);
-
-	/*
-	 * Make 'name' empty in case of failure.
-	 */
-	MAKE_EMPTY(name);
-
-	/*
-	 * Initialize things to make the compiler happy; they're not required.
-	 */
-	n = 0;
-	new_current = 0;
-
-	/*
-	 * Set up.
-	 */
-	labels = 0;
-	done = ISC_FALSE;
-
-	ndata = isc_buffer_used(target);
-	nused = 0;
-	seen_pointer = ISC_FALSE;
-
-	/*
-	 * Find the maximum number of uncompressed target name
-	 * bytes we are willing to generate.  This is the smaller
-	 * of the available target buffer length and the
-	 * maximum legal domain name length (255).
-	 */
-	nmax = isc_buffer_availablelength(target);
-	if (nmax > DNS_NAME_MAXWIRE)
-		nmax = DNS_NAME_MAXWIRE;
-
-	cdata = isc_buffer_current(source);
-	cused = 0;
-
-	current = source->current;
-	biggest_pointer = current;
-
-	/*
-	 * Note:  The following code is not optimized for speed, but
-	 * rather for correctness.  Speed will be addressed in the future.
-	 */
-
-	while (current < source->active && !done) {
-		c = *cdata++;
-		current++;
-		if (!seen_pointer)
-			cused++;
-
-		switch (state) {
-		case fw_start:
-			if (c < 64) {
-				offsets[labels] = nused;
-				labels++;
-				if (nused + c + 1 > nmax)
-					goto full;
-				nused += c + 1;
-				*ndata++ = c;
-				if (c == 0)
-					done = ISC_TRUE;
-				n = c;
-				state = fw_ordinary;
-			} else if (c >= 128 && c < 192) {
-				/*
-				 * 14 bit local compression pointer.
-				 * Local compression is no longer an
-				 * IETF draft.
-				 */
-				return (DNS_R_BADLABELTYPE);
-			} else if (c >= 192) {
-				/*
-				 * Ordinary 14-bit pointer.
-				 */
-				if ((dctx->allowed & DNS_COMPRESS_GLOBAL14) ==
-				    0)
-					return (DNS_R_DISALLOWED);
-				new_current = c & 0x3F;
-				n = 1;
-				state = fw_newcurrent;
-			} else
-				return (DNS_R_BADLABELTYPE);
-			break;
-		case fw_ordinary:
-			if (downcase)
-				c = maptolower[c];
-			/* FALLTHROUGH */
-		case fw_copy:
-			*ndata++ = c;
-			n--;
-			if (n == 0)
-				state = fw_start;
-			break;
-		case fw_newcurrent:
-			new_current *= 256;
-			new_current += c;
-			n--;
-			if (n != 0)
-				break;
-			if (new_current >= biggest_pointer)
-				return (DNS_R_BADPOINTER);
-			biggest_pointer = new_current;
-			current = new_current;
-			cdata = (unsigned char *)source->base + current;
-			seen_pointer = ISC_TRUE;
-			state = fw_start;
-			break;
-		default:
-			FATAL_ERROR(__FILE__, __LINE__,
-				    "Unknown state %d", state);
-			/* Does not return. */
-		}
-	}
-
-	if (!done)
-		return (ISC_R_UNEXPECTEDEND);
-
-	name->ndata = (unsigned char *)target->base + target->used;
-	name->labels = labels;
-	name->length = nused;
-	name->attributes |= DNS_NAMEATTR_ABSOLUTE;
-
-	isc_buffer_forward(source, cused);
-	isc_buffer_add(target, name->length);
-
-	return (ISC_R_SUCCESS);
-
- full:
-	if (nmax == DNS_NAME_MAXWIRE)
-		/*
-		 * The name did not fit even though we had a buffer
-		 * big enough to fit a maximum-length name.
-		 */
-		return (DNS_R_NAMETOOLONG);
-	else
-		/*
-		 * The name might fit if only the caller could give us a
-		 * big enough buffer.
-		 */
-		return (ISC_R_NOSPACE);
-}
-
-isc_result_t
-dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
-		isc_buffer_t *target)
-{
-	unsigned int methods;
-	isc_uint16_t offset;
-	dns_name_t gp;	/* Global compression prefix */
-	isc_boolean_t gf;	/* Global compression target found */
-	isc_uint16_t go;	/* Global compression offset */
-	dns_offsets_t clo;
-	dns_name_t clname;
-
-	/*
-	 * Convert 'name' into wire format, compressing it as specified by the
-	 * compression context 'cctx', and storing the result in 'target'.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(cctx != NULL);
-	REQUIRE(ISC_BUFFER_VALID(target));
-
-	/*
-	 * If 'name' doesn't have an offsets table, make a clone which
-	 * has one.
-	 */
-	if (name->offsets == NULL) {
-#if defined(__clang__)  && \
-       ( __clang_major__ < 3 || (__clang_major__ == 3 && __clang_minor__ < 2))
-		memset(&clname, 0, sizeof(clname));
-#endif
-		DNS_NAME_INIT(&clname, clo);
-		dns_name_clone(name, &clname);
-		name = &clname;
-	}
-	DNS_NAME_INIT(&gp, NULL);
-
-	offset = target->used;	/*XXX*/
-
-	methods = dns_compress_getmethods(cctx);
-
-	if ((name->attributes & DNS_NAMEATTR_NOCOMPRESS) == 0 &&
-	    (methods & DNS_COMPRESS_GLOBAL14) != 0)
-		gf = dns_compress_findglobal(cctx, name, &gp, &go);
-	else
-		gf = ISC_FALSE;
-
-	/*
-	 * If the offset is too high for 14 bit global compression, we're
-	 * out of luck.
-	 */
-	if (gf && go >= 0x4000)
-		gf = ISC_FALSE;
-
-	/*
-	 * Will the compression pointer reduce the message size?
-	 */
-	if (gf && (gp.length + 2) >= name->length)
-		gf = ISC_FALSE;
-
-	if (gf) {
-		if (target->length - target->used < gp.length)
-			return (ISC_R_NOSPACE);
-		(void)memcpy((unsigned char *)target->base + target->used,
-			     gp.ndata, (size_t)gp.length);
-		isc_buffer_add(target, gp.length);
-		go |= 0xc000;
-		if (target->length - target->used < 2)
-			return (ISC_R_NOSPACE);
-		isc_buffer_putuint16(target, go);
-		if (gp.length != 0)
-			dns_compress_add(cctx, name, &gp, offset);
-	} else {
-		if (target->length - target->used < name->length)
-			return (ISC_R_NOSPACE);
-		(void)memcpy((unsigned char *)target->base + target->used,
-			     name->ndata, (size_t)name->length);
-		isc_buffer_add(target, name->length);
-		dns_compress_add(cctx, name, name, offset);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
-		     isc_buffer_t *target)
-{
-	unsigned char *ndata, *offsets;
-	unsigned int nrem, labels, prefix_length, length;
-	isc_boolean_t copy_prefix = ISC_TRUE;
-	isc_boolean_t copy_suffix = ISC_TRUE;
-	isc_boolean_t absolute = ISC_FALSE;
-	dns_name_t tmp_name;
-	dns_offsets_t odata;
-
-	/*
-	 * Concatenate 'prefix' and 'suffix'.
-	 */
-
-	REQUIRE(prefix == NULL || VALID_NAME(prefix));
-	REQUIRE(suffix == NULL || VALID_NAME(suffix));
-	REQUIRE(name == NULL || VALID_NAME(name));
-	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
-		(target == NULL && name != NULL && ISC_BUFFER_VALID(name->buffer)));
-	if (prefix == NULL || prefix->labels == 0)
-		copy_prefix = ISC_FALSE;
-	if (suffix == NULL || suffix->labels == 0)
-		copy_suffix = ISC_FALSE;
-	if (copy_prefix &&
-	    (prefix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
-		absolute = ISC_TRUE;
-		REQUIRE(!copy_suffix);
-	}
-	if (name == NULL) {
-		DNS_NAME_INIT(&tmp_name, odata);
-		name = &tmp_name;
-	}
-	if (target == NULL) {
-		INSIST(name->buffer != NULL);
-		target = name->buffer;
-		isc_buffer_clear(name->buffer);
-	}
-
-	REQUIRE(BINDABLE(name));
-
-	/*
-	 * Set up.
-	 */
-	nrem = target->length - target->used;
-	ndata = (unsigned char *)target->base + target->used;
-	if (nrem > DNS_NAME_MAXWIRE)
-		nrem = DNS_NAME_MAXWIRE;
-	length = 0;
-	prefix_length = 0;
-	labels = 0;
-	if (copy_prefix) {
-		prefix_length = prefix->length;
-		length += prefix_length;
-		labels += prefix->labels;
-	}
-	if (copy_suffix) {
-		length += suffix->length;
-		labels += suffix->labels;
-	}
-	if (length > DNS_NAME_MAXWIRE) {
-		MAKE_EMPTY(name);
-		return (DNS_R_NAMETOOLONG);
-	}
-	if (length > nrem) {
-		MAKE_EMPTY(name);
-		return (ISC_R_NOSPACE);
-	}
-
-	if (copy_suffix) {
-		if ((suffix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
-			absolute = ISC_TRUE;
-		if (suffix == name && suffix->buffer == target)
-			memmove(ndata + prefix_length, suffix->ndata,
-				suffix->length);
-		else
-			memcpy(ndata + prefix_length, suffix->ndata,
-			       suffix->length);
-	}
-
-	/*
-	 * If 'prefix' and 'name' are the same object, and the object has
-	 * a dedicated buffer, and we're using it, then we don't have to
-	 * copy anything.
-	 */
-	if (copy_prefix && (prefix != name || prefix->buffer != target))
-		memcpy(ndata, prefix->ndata, prefix_length);
-
-	name->ndata = ndata;
-	name->labels = labels;
-	name->length = length;
-	if (absolute)
-		name->attributes = DNS_NAMEATTR_ABSOLUTE;
-	else
-		name->attributes = 0;
-
-	if (name->labels > 0 && name->offsets != NULL) {
-		INIT_OFFSETS(name, offsets, odata);
-		set_offsets(name, offsets, NULL);
-	}
-
-	isc_buffer_add(target, name->length);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_name_split(dns_name_t *name, unsigned int suffixlabels,
-	       dns_name_t *prefix, dns_name_t *suffix)
-
-{
-	unsigned int splitlabel;
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(suffixlabels > 0);
-	REQUIRE(suffixlabels < name->labels);
-	REQUIRE(prefix != NULL || suffix != NULL);
-	REQUIRE(prefix == NULL ||
-		(VALID_NAME(prefix) &&
-		 prefix->buffer != NULL &&
-		 BINDABLE(prefix)));
-	REQUIRE(suffix == NULL ||
-		(VALID_NAME(suffix) &&
-		 suffix->buffer != NULL &&
-		 BINDABLE(suffix)));
-
-	splitlabel = name->labels - suffixlabels;
-
-	if (prefix != NULL)
-		dns_name_getlabelsequence(name, 0, splitlabel, prefix);
-
-	if (suffix != NULL)
-		dns_name_getlabelsequence(name, splitlabel,
-					  suffixlabels, suffix);
-
-	return;
-}
-
-isc_result_t
-dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
-	     dns_name_t *target)
-{
-	/*
-	 * Make 'target' a dynamically allocated copy of 'source'.
-	 */
-
-	REQUIRE(VALID_NAME(source));
-	REQUIRE(source->length > 0);
-	REQUIRE(VALID_NAME(target));
-	REQUIRE(BINDABLE(target));
-
-	/*
-	 * Make 'target' empty in case of failure.
-	 */
-	MAKE_EMPTY(target);
-
-	target->ndata = isc_mem_get(mctx, source->length);
-	if (target->ndata == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memcpy(target->ndata, source->ndata, source->length);
-
-	target->length = source->length;
-	target->labels = source->labels;
-	target->attributes = DNS_NAMEATTR_DYNAMIC;
-	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
-		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
-	if (target->offsets != NULL) {
-		if (source->offsets != NULL)
-			memcpy(target->offsets, source->offsets,
-			       source->labels);
-		else
-			set_offsets(target, target->offsets, NULL);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
-			dns_name_t *target)
-{
-	/*
-	 * Make 'target' a read-only dynamically allocated copy of 'source'.
-	 * 'target' will also have a dynamically allocated offsets table.
-	 */
-
-	REQUIRE(VALID_NAME(source));
-	REQUIRE(source->length > 0);
-	REQUIRE(VALID_NAME(target));
-	REQUIRE(BINDABLE(target));
-	REQUIRE(target->offsets == NULL);
-
-	/*
-	 * Make 'target' empty in case of failure.
-	 */
-	MAKE_EMPTY(target);
-
-	target->ndata = isc_mem_get(mctx, source->length + source->labels);
-	if (target->ndata == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memcpy(target->ndata, source->ndata, source->length);
-
-	target->length = source->length;
-	target->labels = source->labels;
-	target->attributes = DNS_NAMEATTR_DYNAMIC | DNS_NAMEATTR_DYNOFFSETS |
-		DNS_NAMEATTR_READONLY;
-	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
-		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
-	target->offsets = target->ndata + source->length;
-	if (source->offsets != NULL)
-		memcpy(target->offsets, source->offsets, source->labels);
-	else
-		set_offsets(target, target->offsets, NULL);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_name_free(dns_name_t *name, isc_mem_t *mctx) {
-	size_t size;
-
-	/*
-	 * Free 'name'.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0);
-
-	size = name->length;
-	if ((name->attributes & DNS_NAMEATTR_DYNOFFSETS) != 0)
-		size += name->labels;
-	isc_mem_put(mctx, name->ndata, size);
-	dns_name_invalidate(name);
-}
-
-isc_result_t
-dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg) {
-	dns_name_t downname;
-	unsigned char data[256];
-	isc_buffer_t buffer;
-	isc_result_t result;
-	isc_region_t r;
-
-	/*
-	 * Send 'name' in DNSSEC canonical form to 'digest'.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(digest != NULL);
-
-#if defined(__clang__)  && \
-       ( __clang_major__ < 3 || (__clang_major__ == 3 && __clang_minor__ < 2))
-	memset(&downname, 0, sizeof(downname));
-#endif
-	DNS_NAME_INIT(&downname, NULL);
-
-	isc_buffer_init(&buffer, data, sizeof(data));
-
-	result = dns_name_downcase(name, &downname, &buffer);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	isc_buffer_usedregion(&buffer, &r);
-
-	return ((digest)(arg, &r));
-}
-
-isc_boolean_t
-dns_name_dynamic(dns_name_t *name) {
-	REQUIRE(VALID_NAME(name));
-
-	/*
-	 * Returns whether there is dynamic memory associated with this name.
-	 */
-
-	return ((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0 ?
-		ISC_TRUE : ISC_FALSE);
-}
-
-isc_result_t
-dns_name_print(dns_name_t *name, FILE *stream) {
-	isc_result_t result;
-	isc_buffer_t b;
-	isc_region_t r;
-	char t[1024];
-
-	/*
-	 * Print 'name' on 'stream'.
-	 */
-
-	REQUIRE(VALID_NAME(name));
-
-	isc_buffer_init(&b, t, sizeof(t));
-	result = dns_name_totext(name, ISC_FALSE, &b);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_usedregion(&b, &r);
-	fprintf(stream, "%.*s", (int)r.length, (char *)r.base);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_settotextfilter(dns_name_totextfilter_t proc) {
-#ifdef ISC_PLATFORM_USETHREADS
-	isc_result_t result;
-	dns_name_totextfilter_t *mem;
-	int res;
-
-	result = totext_filter_proc_key_init();
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * If we already have been here set / clear as appropriate.
-	 * Otherwise allocate memory.
-	 */
-	mem = isc_thread_key_getspecific(totext_filter_proc_key);
-	if (mem != NULL && proc != NULL) {
-		*mem = proc;
-		return (ISC_R_SUCCESS);
-	}
-	if (proc == NULL) {
-		isc_mem_put(thread_key_mctx, mem, sizeof(*mem));
-		res = isc_thread_key_setspecific(totext_filter_proc_key, NULL);
-		if (res != 0)
-			result = ISC_R_UNEXPECTED;
-		return (result);
-	}
-
-	mem = isc_mem_get(thread_key_mctx, sizeof(*mem));
-	if (mem == NULL)
-		return (ISC_R_NOMEMORY);
-	*mem = proc;
-	if (isc_thread_key_setspecific(totext_filter_proc_key, mem) != 0) {
-		isc_mem_put(thread_key_mctx, mem, sizeof(*mem));
-		result = ISC_R_UNEXPECTED;
-	}
-	return (result);
-#else
-	totext_filter_proc = proc;
-	return (ISC_R_SUCCESS);
-#endif
-}
-
-void
-dns_name_format(dns_name_t *name, char *cp, unsigned int size) {
-	isc_result_t result;
-	isc_buffer_t buf;
-
-	REQUIRE(size > 0);
-
-	/*
-	 * Leave room for null termination after buffer.
-	 */
-	isc_buffer_init(&buf, cp, size - 1);
-	result = dns_name_totext(name, ISC_TRUE, &buf);
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * Null terminate.
-		 */
-		isc_region_t r;
-		isc_buffer_usedregion(&buf, &r);
-		((char *) r.base)[r.length] = '\0';
-
-	} else
-		snprintf(cp, size, "<unknown>");
-}
-
-/*
- * dns_name_tostring() -- similar to dns_name_format() but allocates its own
- * memory.
- */
-isc_result_t
-dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) {
-	isc_result_t result;
-	isc_buffer_t buf;
-	isc_region_t reg;
-	char *p, txt[DNS_NAME_FORMATSIZE];
-
-	REQUIRE(VALID_NAME(name));
-	REQUIRE(target != NULL && *target == NULL);
-
-	isc_buffer_init(&buf, txt, sizeof(txt));
-	result = dns_name_totext(name, ISC_FALSE, &buf);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	isc_buffer_usedregion(&buf, &reg);
-	p = isc_mem_allocate(mctx, reg.length + 1);
-	memcpy(p, (char *) reg.base, (int) reg.length);
-	p[reg.length] = '\0';
-
-	*target = p;
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * dns_name_fromstring() -- convert directly from a string to a name,
- * allocating memory as needed
- */
-isc_result_t
-dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
-		    isc_mem_t *mctx)
-{
-	return (dns_name_fromstring2(target, src, dns_rootname, options, mctx));
-}
-
-isc_result_t
-dns_name_fromstring2(dns_name_t *target, const char *src,
-		     const dns_name_t *origin, unsigned int options,
-		     isc_mem_t *mctx)
-{
-	isc_result_t result;
-	isc_buffer_t buf;
-	dns_fixedname_t fn;
-	dns_name_t *name;
-
-	REQUIRE(src != NULL);
-
-	isc_buffer_constinit(&buf, src, strlen(src));
-	isc_buffer_add(&buf, strlen(src));
-	if (BINDABLE(target) && target->buffer != NULL)
-		name = target;
-	else {
-		dns_fixedname_init(&fn);
-		name = dns_fixedname_name(&fn);
-	}
-
-	result = dns_name_fromtext(name, &buf, origin, options, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (name != target)
-		result = dns_name_dupwithoffsets(name, mctx, target);
-	return (result);
-}
-
-isc_result_t
-dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
-	unsigned char *ndata;
-
-	/*
-	 * Make dest a copy of source.
-	 */
-
-	REQUIRE(VALID_NAME(source));
-	REQUIRE(VALID_NAME(dest));
-	REQUIRE(target != NULL || dest->buffer != NULL);
-
-	if (target == NULL) {
-		target = dest->buffer;
-		isc_buffer_clear(dest->buffer);
-	}
-
-	REQUIRE(BINDABLE(dest));
-
-	/*
-	 * Set up.
-	 */
-	if (target->length - target->used < source->length)
-		return (ISC_R_NOSPACE);
-
-	ndata = (unsigned char *)target->base + target->used;
-	dest->ndata = target->base;
-
-	memcpy(ndata, source->ndata, source->length);
-
-	dest->ndata = ndata;
-	dest->labels = source->labels;
-	dest->length = source->length;
-	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
-		dest->attributes = DNS_NAMEATTR_ABSOLUTE;
-	else
-		dest->attributes = 0;
-
-	if (dest->labels > 0 && dest->offsets != NULL) {
-		if (source->offsets != NULL)
-			memcpy(dest->offsets, source->offsets, source->labels);
-		else
-			set_offsets(dest, dest->offsets, NULL);
-	}
-
-	isc_buffer_add(target, dest->length);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_name_destroy(void) {
-#ifdef ISC_PLATFORM_USETHREADS
-	RUNTIME_CHECK(isc_once_do(&once, thread_key_mutex_init)
-				  == ISC_R_SUCCESS);
-
-	LOCK(&thread_key_mutex);
-	if (thread_key_initialized) {
-		isc_mem_detach(&thread_key_mctx);
-		isc_thread_key_delete(totext_filter_proc_key);
-		thread_key_initialized = 0;
-	}
-	UNLOCK(&thread_key_mutex);
-
-#endif
-}
diff --git a/contrib/bind9/lib/dns/ncache.c b/contrib/bind9/lib/dns/ncache.c
deleted file mode 100644
index bcb3d05..0000000
--- a/contrib/bind9/lib/dns/ncache.c
+++ /dev/null
@@ -1,756 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2010-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/message.h>
-#include <dns/ncache.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-
-#define DNS_NCACHE_RDATA 20U
-
-/*
- * The format of an ncache rdata is a sequence of zero or more records of
- * the following format:
- *
- *	owner name
- *	type
- *	trust
- *	rdata count
- *		rdata length			These two occur 'rdata count'
- *		rdata				times.
- *
- */
-
-static isc_result_t
-addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
-	  isc_boolean_t optout, isc_boolean_t secure,
-	  dns_rdataset_t *addedrdataset);
-
-static inline isc_result_t
-copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
-	isc_result_t result;
-	unsigned int count;
-	isc_region_t ar, r;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	/*
-	 * Copy the rdataset count to the buffer.
-	 */
-	isc_buffer_availableregion(buffer, &ar);
-	if (ar.length < 2)
-		return (ISC_R_NOSPACE);
-	count = dns_rdataset_count(rdataset);
-	INSIST(count <= 65535);
-	isc_buffer_putuint16(buffer, (isc_uint16_t)count);
-
-	result = dns_rdataset_first(rdataset);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(rdataset, &rdata);
-		dns_rdata_toregion(&rdata, &r);
-		INSIST(r.length <= 65535);
-		isc_buffer_availableregion(buffer, &ar);
-		if (ar.length < 2)
-			return (ISC_R_NOSPACE);
-		/*
-		 * Copy the rdata length to the buffer.
-		 */
-		isc_buffer_putuint16(buffer, (isc_uint16_t)r.length);
-		/*
-		 * Copy the rdata to the buffer.
-		 */
-		result = isc_buffer_copyregion(buffer, &r);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(rdataset);
-	}
-	if (result != ISC_R_NOMORE)
-		return (result);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
-	       dns_rdataset_t *addedrdataset)
-{
-	return (addoptout(message, cache, node, covers, now, maxttl,
-			  ISC_FALSE, ISC_FALSE, addedrdataset));
-}
-
-isc_result_t
-dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
-		     dns_dbnode_t *node, dns_rdatatype_t covers,
-		     isc_stdtime_t now, dns_ttl_t maxttl,
-		     isc_boolean_t optout, dns_rdataset_t *addedrdataset)
-{
-	return (addoptout(message, cache, node, covers, now, maxttl,
-			  optout, ISC_TRUE, addedrdataset));
-}
-
-static isc_result_t
-addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
-	  isc_boolean_t optout, isc_boolean_t secure,
-	  dns_rdataset_t *addedrdataset)
-{
-	isc_result_t result;
-	isc_buffer_t buffer;
-	isc_region_t r;
-	dns_rdataset_t *rdataset;
-	dns_rdatatype_t type;
-	dns_name_t *name;
-	dns_ttl_t ttl;
-	dns_trust_t trust;
-	dns_rdata_t rdata[DNS_NCACHE_RDATA];
-	dns_rdataset_t ncrdataset;
-	dns_rdatalist_t ncrdatalist;
-	unsigned char data[4096];
-	unsigned int next = 0;
-
-	/*
-	 * Convert the authority data from 'message' into a negative cache
-	 * rdataset, and store it in 'cache' at 'node'.
-	 */
-
-	REQUIRE(message != NULL);
-
-	/*
-	 * We assume that all data in the authority section has been
-	 * validated by the caller.
-	 */
-
-	/*
-	 * Initialize the list.
-	 */
-	ncrdatalist.rdclass = dns_db_class(cache);
-	ncrdatalist.type = 0;
-	ncrdatalist.covers = covers;
-	ncrdatalist.ttl = maxttl;
-	ISC_LIST_INIT(ncrdatalist.rdata);
-	ISC_LINK_INIT(&ncrdatalist, link);
-
-	/*
-	 * Build an ncache rdatas into buffer.
-	 */
-	ttl = maxttl;
-	trust = 0xffff;
-	isc_buffer_init(&buffer, data, sizeof(data));
-	if (message->counts[DNS_SECTION_AUTHORITY])
-		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	else
-		result = ISC_R_NOMORE;
-	while (result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY,
-					&name);
-		if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				if ((rdataset->attributes &
-				     DNS_RDATASETATTR_NCACHE) == 0)
-					continue;
-				type = rdataset->type;
-				if (type == dns_rdatatype_rrsig)
-					type = rdataset->covers;
-				if (type == dns_rdatatype_soa ||
-				    type == dns_rdatatype_nsec ||
-				    type == dns_rdatatype_nsec3) {
-					if (ttl > rdataset->ttl)
-						ttl = rdataset->ttl;
-					if (trust > rdataset->trust)
-						trust = rdataset->trust;
-					/*
-					 * Copy the owner name to the buffer.
-					 */
-					dns_name_toregion(name, &r);
-					result = isc_buffer_copyregion(&buffer,
-								       &r);
-					if (result != ISC_R_SUCCESS)
-						return (result);
-					/*
-					 * Copy the type to the buffer.
-					 */
-					isc_buffer_availableregion(&buffer,
-								   &r);
-					if (r.length < 3)
-						return (ISC_R_NOSPACE);
-					isc_buffer_putuint16(&buffer,
-							     rdataset->type);
-					isc_buffer_putuint8(&buffer,
-					       (unsigned char)rdataset->trust);
-					/*
-					 * Copy the rdataset into the buffer.
-					 */
-					result = copy_rdataset(rdataset,
-							       &buffer);
-					if (result != ISC_R_SUCCESS)
-						return (result);
-
-					if (next >= DNS_NCACHE_RDATA)
-						return (ISC_R_NOSPACE);
-					dns_rdata_init(&rdata[next]);
-					isc_buffer_remainingregion(&buffer, &r);
-					rdata[next].data = r.base;
-					rdata[next].length = r.length;
-					rdata[next].rdclass =
-						ncrdatalist.rdclass;
-					rdata[next].type = 0;
-					rdata[next].flags = 0;
-					ISC_LIST_APPEND(ncrdatalist.rdata,
-							&rdata[next], link);
-					isc_buffer_forward(&buffer, r.length);
-					next++;
-				}
-			}
-		}
-		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
-	}
-	if (result != ISC_R_NOMORE)
-		return (result);
-
-	if (trust == 0xffff) {
-		if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
-		    message->counts[DNS_SECTION_ANSWER] == 0) {
-			/*
-			 * The response has aa set and we haven't followed
-			 * any CNAME or DNAME chains.
-			 */
-			trust = dns_trust_authauthority;
-		} else
-			trust = dns_trust_additional;
-		ttl = 0;
-	}
-
-	INSIST(trust != 0xffff);
-
-	ncrdatalist.ttl = ttl;
-
-	dns_rdataset_init(&ncrdataset);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
-		      == ISC_R_SUCCESS);
-	if (!secure && trust > dns_trust_answer)
-		trust = dns_trust_answer;
-	ncrdataset.trust = trust;
-	ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
-	if (message->rcode == dns_rcode_nxdomain)
-		ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
-	if (optout)
-		ncrdataset.attributes |= DNS_RDATASETATTR_OPTOUT;
-
-	return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
-				   0, addedrdataset));
-}
-
-isc_result_t
-dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
-		  isc_buffer_t *target, unsigned int options,
-		  unsigned int *countp)
-{
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	isc_region_t remaining, tavailable;
-	isc_buffer_t source, savedbuffer, rdlen;
-	dns_name_t name;
-	dns_rdatatype_t type;
-	unsigned int i, rcount, count;
-
-	/*
-	 * Convert the negative caching rdataset 'rdataset' to wire format,
-	 * compressing names as specified in 'cctx', and storing the result in
-	 * 'target'.
-	 */
-
-	REQUIRE(rdataset != NULL);
-	REQUIRE(rdataset->type == 0);
-	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
-
-	savedbuffer = *target;
-	count = 0;
-
-	result = dns_rdataset_first(rdataset);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(rdataset, &rdata);
-		isc_buffer_init(&source, rdata.data, rdata.length);
-		isc_buffer_add(&source, rdata.length);
-		dns_name_init(&name, NULL);
-		isc_buffer_remainingregion(&source, &remaining);
-		dns_name_fromregion(&name, &remaining);
-		INSIST(remaining.length >= name.length);
-		isc_buffer_forward(&source, name.length);
-		remaining.length -= name.length;
-
-		INSIST(remaining.length >= 5);
-		type = isc_buffer_getuint16(&source);
-		isc_buffer_forward(&source, 1);
-		rcount = isc_buffer_getuint16(&source);
-
-		for (i = 0; i < rcount; i++) {
-			/*
-			 * Get the length of this rdata and set up an
-			 * rdata structure for it.
-			 */
-			isc_buffer_remainingregion(&source, &remaining);
-			INSIST(remaining.length >= 2);
-			dns_rdata_reset(&rdata);
-			rdata.length = isc_buffer_getuint16(&source);
-			isc_buffer_remainingregion(&source, &remaining);
-			rdata.data = remaining.base;
-			rdata.type = type;
-			rdata.rdclass = rdataset->rdclass;
-			INSIST(remaining.length >= rdata.length);
-			isc_buffer_forward(&source, rdata.length);
-
-			if ((options & DNS_NCACHETOWIRE_OMITDNSSEC) != 0 &&
-			    dns_rdatatype_isdnssec(type))
-				continue;
-
-			/*
-			 * Write the name.
-			 */
-			dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-			result = dns_name_towire(&name, cctx, target);
-			if (result != ISC_R_SUCCESS)
-				goto rollback;
-
-			/*
-			 * See if we have space for type, class, ttl, and
-			 * rdata length.  Write the type, class, and ttl.
-			 */
-			isc_buffer_availableregion(target, &tavailable);
-			if (tavailable.length < 10) {
-				result = ISC_R_NOSPACE;
-				goto rollback;
-			}
-			isc_buffer_putuint16(target, type);
-			isc_buffer_putuint16(target, rdataset->rdclass);
-			isc_buffer_putuint32(target, rdataset->ttl);
-
-			/*
-			 * Save space for rdata length.
-			 */
-			rdlen = *target;
-			isc_buffer_add(target, 2);
-
-			/*
-			 * Write the rdata.
-			 */
-			result = dns_rdata_towire(&rdata, cctx, target);
-			if (result != ISC_R_SUCCESS)
-				goto rollback;
-
-			/*
-			 * Set the rdata length field to the compressed
-			 * length.
-			 */
-			INSIST((target->used >= rdlen.used + 2) &&
-			       (target->used - rdlen.used - 2 < 65536));
-			isc_buffer_putuint16(&rdlen,
-					     (isc_uint16_t)(target->used -
-							    rdlen.used - 2));
-
-			count++;
-		}
-		INSIST(isc_buffer_remaininglength(&source) == 0);
-		result = dns_rdataset_next(rdataset);
-		dns_rdata_reset(&rdata);
-	}
-	if (result != ISC_R_NOMORE)
-		goto rollback;
-
-	*countp = count;
-
-	return (ISC_R_SUCCESS);
-
- rollback:
-	INSIST(savedbuffer.used < 65536);
-	dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used);
-	*countp = 0;
-	*target = savedbuffer;
-
-	return (result);
-}
-
-static void
-rdataset_disassociate(dns_rdataset_t *rdataset) {
-	UNUSED(rdataset);
-}
-
-static isc_result_t
-rdataset_first(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
-	unsigned int count;
-
-	count = raw[0] * 256 + raw[1];
-	if (count == 0) {
-		rdataset->private5 = NULL;
-		return (ISC_R_NOMORE);
-	}
-	raw += 2;
-	/*
-	 * The privateuint4 field is the number of rdata beyond the cursor
-	 * position, so we decrement the total count by one before storing
-	 * it.
-	 */
-	count--;
-	rdataset->privateuint4 = count;
-	rdataset->private5 = raw;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdataset_next(dns_rdataset_t *rdataset) {
-	unsigned int count;
-	unsigned int length;
-	unsigned char *raw;
-
-	count = rdataset->privateuint4;
-	if (count == 0)
-		return (ISC_R_NOMORE);
-	count--;
-	rdataset->privateuint4 = count;
-	raw = rdataset->private5;
-	length = raw[0] * 256 + raw[1];
-	raw += length + 2;
-	rdataset->private5 = raw;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	unsigned char *raw = rdataset->private5;
-	isc_region_t r;
-
-	REQUIRE(raw != NULL);
-
-	r.length = raw[0] * 256 + raw[1];
-	raw += 2;
-	r.base = raw;
-	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-	*target = *source;
-
-	/*
-	 * Reset iterator state.
-	 */
-	target->privateuint4 = 0;
-	target->private5 = NULL;
-}
-
-static unsigned int
-rdataset_count(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
-	unsigned int count;
-
-	count = raw[0] * 256 + raw[1];
-
-	return (count);
-}
-
-static void
-rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
-	unsigned char *raw = rdataset->private3;
-
-	raw[-1] = (unsigned char)trust;
-}
-
-static dns_rdatasetmethods_t rdataset_methods = {
-	rdataset_disassociate,
-	rdataset_first,
-	rdataset_next,
-	rdataset_current,
-	rdataset_clone,
-	rdataset_count,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	rdataset_settrust,
-	NULL
-};
-
-isc_result_t
-dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
-		       dns_rdatatype_t type, dns_rdataset_t *rdataset)
-{
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_region_t remaining;
-	isc_buffer_t source;
-	dns_name_t tname;
-	dns_rdatatype_t ttype;
-	dns_trust_t trust = dns_trust_none;
-	dns_rdataset_t clone;
-
-	REQUIRE(ncacherdataset != NULL);
-	REQUIRE(ncacherdataset->type == 0);
-	REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
-	REQUIRE(name != NULL);
-	REQUIRE(!dns_rdataset_isassociated(rdataset));
-	REQUIRE(type != dns_rdatatype_rrsig);
-
-	dns_rdataset_init(&clone);
-	dns_rdataset_clone(ncacherdataset, &clone);
-	result = dns_rdataset_first(&clone);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(&clone, &rdata);
-		isc_buffer_init(&source, rdata.data, rdata.length);
-		isc_buffer_add(&source, rdata.length);
-		dns_name_init(&tname, NULL);
-		isc_buffer_remainingregion(&source, &remaining);
-		dns_name_fromregion(&tname, &remaining);
-		INSIST(remaining.length >= tname.length);
-		isc_buffer_forward(&source, tname.length);
-		remaining.length -= tname.length;
-
-		INSIST(remaining.length >= 3);
-		ttype = isc_buffer_getuint16(&source);
-
-		if (ttype == type && dns_name_equal(&tname, name)) {
-			trust = isc_buffer_getuint8(&source);
-			INSIST(trust <= dns_trust_ultimate);
-			isc_buffer_remainingregion(&source, &remaining);
-			break;
-		}
-		result = dns_rdataset_next(&clone);
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&clone);
-	if (result == ISC_R_NOMORE)
-		return (ISC_R_NOTFOUND);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	INSIST(remaining.length != 0);
-
-	rdataset->methods = &rdataset_methods;
-	rdataset->rdclass = ncacherdataset->rdclass;
-	rdataset->type = type;
-	rdataset->covers = 0;
-	rdataset->ttl = ncacherdataset->ttl;
-	rdataset->trust = trust;
-	rdataset->private1 = NULL;
-	rdataset->private2 = NULL;
-
-	rdataset->private3 = remaining.base;
-
-	/*
-	 * Reset iterator state.
-	 */
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-	rdataset->private6 = NULL;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
-			  dns_rdatatype_t covers, dns_rdataset_t *rdataset)
-{
-	dns_name_t tname;
-	dns_rdata_rrsig_t rrsig;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t clone;
-	dns_rdatatype_t type;
-	dns_trust_t trust = dns_trust_none;
-	isc_buffer_t source;
-	isc_region_t remaining, sigregion;
-	isc_result_t result;
-	unsigned char *raw;
-	unsigned int count;
-
-	REQUIRE(ncacherdataset != NULL);
-	REQUIRE(ncacherdataset->type == 0);
-	REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
-	REQUIRE(name != NULL);
-	REQUIRE(!dns_rdataset_isassociated(rdataset));
-
-	dns_rdataset_init(&clone);
-	dns_rdataset_clone(ncacherdataset, &clone);
-	result = dns_rdataset_first(&clone);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(&clone, &rdata);
-		isc_buffer_init(&source, rdata.data, rdata.length);
-		isc_buffer_add(&source, rdata.length);
-		dns_name_init(&tname, NULL);
-		isc_buffer_remainingregion(&source, &remaining);
-		dns_name_fromregion(&tname, &remaining);
-		INSIST(remaining.length >= tname.length);
-		isc_buffer_forward(&source, tname.length);
-		remaining.length -= tname.length;
-		remaining.base += tname.length;
-
-		INSIST(remaining.length >= 2);
-		type = isc_buffer_getuint16(&source);
-		remaining.length -= 2;
-		remaining.base += 2;
-
-		if (type != dns_rdatatype_rrsig ||
-		    !dns_name_equal(&tname, name)) {
-			result = dns_rdataset_next(&clone);
-			dns_rdata_reset(&rdata);
-			continue;
-		}
-
-		INSIST(remaining.length >= 1);
-		trust = isc_buffer_getuint8(&source);
-		INSIST(trust <= dns_trust_ultimate);
-		remaining.length -= 1;
-		remaining.base += 1;
-
-		raw = remaining.base;
-		count = raw[0] * 256 + raw[1];
-		INSIST(count > 0);
-		raw += 2;
-		sigregion.length = raw[0] * 256 + raw[1];
-		raw += 2;
-		sigregion.base = raw;
-		dns_rdata_reset(&rdata);
-		dns_rdata_fromregion(&rdata, rdataset->rdclass,
-				     dns_rdatatype_rrsig, &sigregion);
-		(void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
-		if (rrsig.covered == covers) {
-			isc_buffer_remainingregion(&source, &remaining);
-			break;
-		}
-
-		result = dns_rdataset_next(&clone);
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&clone);
-	if (result == ISC_R_NOMORE)
-		return (ISC_R_NOTFOUND);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	INSIST(remaining.length != 0);
-
-	rdataset->methods = &rdataset_methods;
-	rdataset->rdclass = ncacherdataset->rdclass;
-	rdataset->type = dns_rdatatype_rrsig;
-	rdataset->covers = covers;
-	rdataset->ttl = ncacherdataset->ttl;
-	rdataset->trust = trust;
-	rdataset->private1 = NULL;
-	rdataset->private2 = NULL;
-
-	rdataset->private3 = remaining.base;
-
-	/*
-	 * Reset iterator state.
-	 */
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-	rdataset->private6 = NULL;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
-		   dns_rdataset_t *rdataset)
-{
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_trust_t trust;
-	isc_region_t remaining, sigregion;
-	isc_buffer_t source;
-	dns_name_t tname;
-	dns_rdatatype_t type;
-	unsigned int count;
-	dns_rdata_rrsig_t rrsig;
-	unsigned char *raw;
-
-	REQUIRE(ncacherdataset != NULL);
-	REQUIRE(ncacherdataset->type == 0);
-	REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
-	REQUIRE(found != NULL);
-	REQUIRE(!dns_rdataset_isassociated(rdataset));
-
-	dns_rdataset_current(ncacherdataset, &rdata);
-	isc_buffer_init(&source, rdata.data, rdata.length);
-	isc_buffer_add(&source, rdata.length);
-
-	dns_name_init(&tname, NULL);
-	isc_buffer_remainingregion(&source, &remaining);
-	dns_name_fromregion(found, &remaining);
-	INSIST(remaining.length >= found->length);
-	isc_buffer_forward(&source, found->length);
-	remaining.length -= found->length;
-
-	INSIST(remaining.length >= 5);
-	type = isc_buffer_getuint16(&source);
-	trust = isc_buffer_getuint8(&source);
-	INSIST(trust <= dns_trust_ultimate);
-	isc_buffer_remainingregion(&source, &remaining);
-
-	rdataset->methods = &rdataset_methods;
-	rdataset->rdclass = ncacherdataset->rdclass;
-	rdataset->type = type;
-	if (type == dns_rdatatype_rrsig) {
-		/*
-		 * Extract covers from RRSIG.
-		 */
-		raw = remaining.base;
-		count = raw[0] * 256 + raw[1];
-		INSIST(count > 0);
-		raw += 2;
-		sigregion.length = raw[0] * 256 + raw[1];
-		raw += 2;
-		sigregion.base = raw;
-		dns_rdata_reset(&rdata);
-		dns_rdata_fromregion(&rdata, rdataset->rdclass,
-				     rdataset->type, &sigregion);
-		(void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
-		rdataset->covers = rrsig.covered;
-	} else
-		rdataset->covers = 0;
-	rdataset->ttl = ncacherdataset->ttl;
-	rdataset->trust = trust;
-	rdataset->private1 = NULL;
-	rdataset->private2 = NULL;
-
-	rdataset->private3 = remaining.base;
-
-	/*
-	 * Reset iterator state.
-	 */
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-	rdataset->private6 = NULL;
-}
diff --git a/contrib/bind9/lib/dns/nsec.c b/contrib/bind9/lib/dns/nsec.c
deleted file mode 100644
index e446806b..0000000
--- a/contrib/bind9/lib/dns/nsec.c
+++ /dev/null
@@ -1,451 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/log.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/nsec.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-
-#include <dst/dst.h>
-
-#define RETERR(x) do { \
-	result = (x); \
-	if (result != ISC_R_SUCCESS) \
-		goto failure; \
-	} while (0)
-
-void
-dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit) {
-	unsigned int shift, mask;
-
-	shift = 7 - (type % 8);
-	mask = 1 << shift;
-
-	if (bit != 0)
-		array[type / 8] |= mask;
-	else
-		array[type / 8] &= (~mask & 0xFF);
-}
-
-isc_boolean_t
-dns_nsec_isset(const unsigned char *array, unsigned int type) {
-	unsigned int byte, shift, mask;
-
-	byte = array[type / 8];
-	shift = 7 - (type % 8);
-	mask = 1 << shift;
-
-	return (ISC_TF(byte & mask));
-}
-
-unsigned int
-dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
-			unsigned int max_type)
-{
-	unsigned char *start = map;
-	unsigned int window;
-	int octet;
-
-	if (raw == NULL)
-		return (0);
-
-	for (window = 0; window < 256; window++) {
-		if (window * 256 > max_type)
-			break;
-		for (octet = 31; octet >= 0; octet--)
-			if (*(raw + octet) != 0)
-				break;
-		if (octet < 0) {
-			raw += 32;
-			continue;
-		}
-		*map++ = window;
-		*map++ = octet + 1;
-		/*
-		 * Note: potential overlapping move.
-		 */
-		memmove(map, raw, octet + 1);
-		map += octet + 1;
-		raw += 32;
-	}
-	return (map - start);
-}
-
-isc_result_t
-dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
-		    dns_dbnode_t *node, dns_name_t *target,
-		    unsigned char *buffer, dns_rdata_t *rdata)
-{
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	isc_region_t r;
-	unsigned int i;
-
-	unsigned char *nsec_bits, *bm;
-	unsigned int max_type;
-	dns_rdatasetiter_t *rdsiter;
-
-	memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
-	dns_name_toregion(target, &r);
-	memcpy(buffer, r.base, r.length);
-	r.base = buffer;
-	/*
-	 * Use the end of the space for a raw bitmap leaving enough
-	 * space for the window identifiers and length octets.
-	 */
-	bm = r.base + r.length + 512;
-	nsec_bits = r.base + r.length;
-	dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
-	dns_nsec_setbit(bm, dns_rdatatype_nsec, 1);
-	max_type = dns_rdatatype_nsec;
-	dns_rdataset_init(&rdataset);
-	rdsiter = NULL;
-	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter))
-	{
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type != dns_rdatatype_nsec &&
-		    rdataset.type != dns_rdatatype_nsec3 &&
-		    rdataset.type != dns_rdatatype_rrsig) {
-			if (rdataset.type > max_type)
-				max_type = rdataset.type;
-			dns_nsec_setbit(bm, rdataset.type, 1);
-		}
-		dns_rdataset_disassociate(&rdataset);
-	}
-
-	/*
-	 * At zone cuts, deny the existence of glue in the parent zone.
-	 */
-	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
-	    ! dns_nsec_isset(bm, dns_rdatatype_soa)) {
-		for (i = 0; i <= max_type; i++) {
-			if (dns_nsec_isset(bm, i) &&
-			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
-				dns_nsec_setbit(bm, i, 0);
-		}
-	}
-
-	dns_rdatasetiter_destroy(&rdsiter);
-	if (result != ISC_R_NOMORE)
-		return (result);
-
-	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
-
-	r.length = nsec_bits - r.base;
-	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
-	dns_rdata_fromregion(rdata,
-			     dns_db_class(db),
-			     dns_rdatatype_nsec,
-			     &r);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
-	       dns_name_t *target, dns_ttl_t ttl)
-{
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char data[DNS_NSEC_BUFFERSIZE];
-	dns_rdatalist_t rdatalist;
-	dns_rdataset_t rdataset;
-
-	dns_rdataset_init(&rdataset);
-	dns_rdata_init(&rdata);
-
-	RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
-
-	rdatalist.rdclass = dns_db_class(db);
-	rdatalist.type = dns_rdatatype_nsec;
-	rdatalist.covers = 0;
-	rdatalist.ttl = ttl;
-	ISC_LIST_INIT(rdatalist.rdata);
-	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
-	RETERR(dns_rdatalist_tordataset(&rdatalist, &rdataset));
-	result = dns_db_addrdataset(db, node, version, 0, &rdataset,
-				    0, NULL);
-	if (result == DNS_R_UNCHANGED)
-		result = ISC_R_SUCCESS;
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	return (result);
-}
-
-isc_boolean_t
-dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
-	dns_rdata_nsec_t nsecstruct;
-	isc_result_t result;
-	isc_boolean_t present;
-	unsigned int i, len, window;
-
-	REQUIRE(nsec != NULL);
-	REQUIRE(nsec->type == dns_rdatatype_nsec);
-
-	/* This should never fail */
-	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
-	INSIST(result == ISC_R_SUCCESS);
-
-	present = ISC_FALSE;
-	for (i = 0; i < nsecstruct.len; i += len) {
-		INSIST(i + 2 <= nsecstruct.len);
-		window = nsecstruct.typebits[i];
-		len = nsecstruct.typebits[i + 1];
-		INSIST(len > 0 && len <= 32);
-		i += 2;
-		INSIST(i + len <= nsecstruct.len);
-		if (window * 256 > type)
-			break;
-		if ((window + 1) * 256 <= type)
-			continue;
-		if (type < (window * 256) + len * 8)
-			present = ISC_TF(dns_nsec_isset(&nsecstruct.typebits[i],
-							type % 256));
-		break;
-	}
-	dns_rdata_freestruct(&nsecstruct);
-	return (present);
-}
-
-isc_result_t
-dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
-		  isc_boolean_t *answer)
-{
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_dnskey_t dnskey;
-	isc_result_t result;
-
-	REQUIRE(answer != NULL);
-
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
-				     0, 0, &rdataset, NULL);
-	dns_db_detachnode(db, &node);
-
-	if (result == ISC_R_NOTFOUND)
-		*answer = ISC_FALSE;
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (dnskey.algorithm == DST_ALG_RSAMD5 ||
-		    dnskey.algorithm == DST_ALG_RSASHA1 ||
-		    dnskey.algorithm == DST_ALG_DSA ||
-		    dnskey.algorithm == DST_ALG_ECC)
-			break;
-	}
-	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_SUCCESS)
-		*answer = ISC_TRUE;
-	if (result == ISC_R_NOMORE) {
-		*answer = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-	}
-	return (result);
-}
-
-/*%
- * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
- * or we can determine whether there is data or not at the name.
- * If the name does not exist return the wildcard name.
- *
- * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
- */
-isc_result_t
-dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
-		       dns_name_t *nsecname, dns_rdataset_t *nsecset,
-		       isc_boolean_t *exists, isc_boolean_t *data,
-		       dns_name_t *wild, dns_nseclog_t logit, void *arg)
-{
-	int order;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	dns_namereln_t relation;
-	unsigned int olabels, nlabels, labels;
-	dns_rdata_nsec_t nsec;
-	isc_boolean_t atparent;
-	isc_boolean_t ns;
-	isc_boolean_t soa;
-
-	REQUIRE(exists != NULL);
-	REQUIRE(data != NULL);
-	REQUIRE(nsecset != NULL &&
-		nsecset->type == dns_rdatatype_nsec);
-
-	result = dns_rdataset_first(nsecset);
-	if (result != ISC_R_SUCCESS) {
-		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
-		return (result);
-	}
-	dns_rdataset_current(nsecset, &rdata);
-
-	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
-	relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
-
-	if (order < 0) {
-		/*
-		 * The name is not within the NSEC range.
-		 */
-		(*logit)(arg, ISC_LOG_DEBUG(3),
-			      "NSEC does not cover name, before NSEC");
-		return (ISC_R_IGNORE);
-	}
-
-	if (order == 0) {
-		/*
-		 * The names are the same.   If we are validating "."
-		 * then atparent should not be set as there is no parent.
-		 */
-		atparent = (olabels != 1) && dns_rdatatype_atparent(type);
-		ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
-		soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
-		if (ns && !soa) {
-			if (!atparent) {
-				/*
-				 * This NSEC record is from somewhere higher in
-				 * the DNS, and at the parent of a delegation.
-				 * It can not be legitimately used here.
-				 */
-				(*logit)(arg, ISC_LOG_DEBUG(3),
-					      "ignoring parent nsec");
-				return (ISC_R_IGNORE);
-			}
-		} else if (atparent && ns && soa) {
-			/*
-			 * This NSEC record is from the child.
-			 * It can not be legitimately used here.
-			 */
-			(*logit)(arg, ISC_LOG_DEBUG(3),
-				      "ignoring child nsec");
-			return (ISC_R_IGNORE);
-		}
-		if (type == dns_rdatatype_cname || type == dns_rdatatype_nxt ||
-		    type == dns_rdatatype_nsec || type == dns_rdatatype_key ||
-		    !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
-			*exists = ISC_TRUE;
-			*data = dns_nsec_typepresent(&rdata, type);
-			(*logit)(arg, ISC_LOG_DEBUG(3),
-				      "nsec proves name exists (owner) data=%d",
-				      *data);
-			return (ISC_R_SUCCESS);
-		}
-		(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
-		return (ISC_R_IGNORE);
-	}
-
-	if (relation == dns_namereln_subdomain &&
-	    dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
-	    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
-	{
-		/*
-		 * This NSEC record is from somewhere higher in
-		 * the DNS, and at the parent of a delegation.
-		 * It can not be legitimately used here.
-		 */
-		(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
-		return (ISC_R_IGNORE);
-	}
-
-	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
-	if (order == 0) {
-		dns_rdata_freestruct(&nsec);
-		(*logit)(arg, ISC_LOG_DEBUG(3),
-			      "ignoring nsec matches next name");
-		return (ISC_R_IGNORE);
-	}
-
-	if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
-		/*
-		 * The name is not within the NSEC range.
-		 */
-		dns_rdata_freestruct(&nsec);
-		(*logit)(arg, ISC_LOG_DEBUG(3),
-			    "ignoring nsec because name is past end of range");
-		return (ISC_R_IGNORE);
-	}
-
-	if (order > 0 && relation == dns_namereln_subdomain) {
-		(*logit)(arg, ISC_LOG_DEBUG(3),
-			      "nsec proves name exist (empty)");
-		dns_rdata_freestruct(&nsec);
-		*exists = ISC_TRUE;
-		*data = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	}
-	if (wild != NULL) {
-		dns_name_t common;
-		dns_name_init(&common, NULL);
-		if (olabels > nlabels) {
-			labels = dns_name_countlabels(nsecname);
-			dns_name_getlabelsequence(nsecname, labels - olabels,
-						  olabels, &common);
-		} else {
-			labels = dns_name_countlabels(&nsec.next);
-			dns_name_getlabelsequence(&nsec.next, labels - nlabels,
-						  nlabels, &common);
-		}
-		result = dns_name_concatenate(dns_wildcardname, &common,
-					       wild, NULL);
-		if (result != ISC_R_SUCCESS) {
-			dns_rdata_freestruct(&nsec);
-			(*logit)(arg, ISC_LOG_DEBUG(3),
-				    "failure generating wildcard name");
-			return (result);
-		}
-	}
-	dns_rdata_freestruct(&nsec);
-	(*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
-	*exists = ISC_FALSE;
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/nsec3.c b/contrib/bind9/lib/dns/nsec3.c
deleted file mode 100644
index 935f515..0000000
--- a/contrib/bind9/lib/dns/nsec3.c
+++ /dev/null
@@ -1,2087 +0,0 @@
-/*
- * Copyright (C) 2006, 2008-2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <isc/base32.h>
-#include <isc/buffer.h>
-#include <isc/hex.h>
-#include <isc/iterated_hash.h>
-#include <isc/log.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/dst.h>
-
-#include <dns/db.h>
-#include <dns/zone.h>
-#include <dns/compress.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/fixedname.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-
-#define CHECK(x) do { \
-	result = (x); \
-	if (result != ISC_R_SUCCESS) \
-		goto failure; \
-	} while (0)
-
-#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
-#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
-#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
-#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
-
-isc_result_t
-dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
-		     dns_dbnode_t *node, unsigned int hashalg,
-		     unsigned int flags, unsigned int iterations,
-		     const unsigned char *salt, size_t salt_length,
-		     const unsigned char *nexthash, size_t hash_length,
-		     unsigned char *buffer, dns_rdata_t *rdata)
-{
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	isc_region_t r;
-	unsigned int i;
-	isc_boolean_t found;
-	isc_boolean_t found_ns;
-	isc_boolean_t need_rrsig;
-
-	unsigned char *nsec_bits, *bm;
-	unsigned int max_type;
-	dns_rdatasetiter_t *rdsiter;
-	unsigned char *p;
-
-	REQUIRE(salt_length < 256U);
-	REQUIRE(hash_length < 256U);
-	REQUIRE(flags <= 0xffU);
-	REQUIRE(hashalg <= 0xffU);
-	REQUIRE(iterations <= 0xffffU);
-
-	switch (hashalg) {
-	case dns_hash_sha1:
-		REQUIRE(hash_length == ISC_SHA1_DIGESTLENGTH);
-		break;
-	}
-
-	memset(buffer, 0, DNS_NSEC3_BUFFERSIZE);
-
-	p = buffer;
-
-	*p++ = hashalg;
-	*p++ = flags;
-
-	*p++ = iterations >> 8;
-	*p++ = iterations;
-
-	*p++ = salt_length;
-	memcpy(p, salt, salt_length);
-	p += salt_length;
-
-	*p++ = hash_length;
-	memcpy(p, nexthash, hash_length);
-	p += hash_length;
-
-	r.length = p - buffer;
-	r.base = buffer;
-
-	/*
-	 * Use the end of the space for a raw bitmap leaving enough
-	 * space for the window identifiers and length octets.
-	 */
-	bm = r.base + r.length + 512;
-	nsec_bits = r.base + r.length;
-	max_type = 0;
-	if (node == NULL)
-		goto collapse_bitmap;
-	dns_rdataset_init(&rdataset);
-	rdsiter = NULL;
-	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	found = found_ns = need_rrsig = ISC_FALSE;
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter))
-	{
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type != dns_rdatatype_nsec &&
-		    rdataset.type != dns_rdatatype_nsec3 &&
-		    rdataset.type != dns_rdatatype_rrsig) {
-			if (rdataset.type > max_type)
-				max_type = rdataset.type;
-			dns_nsec_setbit(bm, rdataset.type, 1);
-			/*
-			 * Work out if we need to set the RRSIG bit for
-			 * this node.  We set the RRSIG bit if either of
-			 * the following conditions are met:
-			 * 1) We have a SOA or DS then we need to set
-			 *    the RRSIG bit as both always will be signed.
-			 * 2) We set the RRSIG bit if we don't have
-			 *    a NS record but do have other data.
-			 */
-			if (rdataset.type == dns_rdatatype_soa ||
-			    rdataset.type == dns_rdatatype_ds)
-				need_rrsig = ISC_TRUE;
-			else if (rdataset.type == dns_rdatatype_ns)
-				found_ns = ISC_TRUE;
-			else
-				found = ISC_TRUE;
-		}
-		dns_rdataset_disassociate(&rdataset);
-	}
-	if ((found && !found_ns) || need_rrsig) {
-		if (dns_rdatatype_rrsig > max_type)
-			max_type = dns_rdatatype_rrsig;
-		dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
-	}
-
-	/*
-	 * At zone cuts, deny the existence of glue in the parent zone.
-	 */
-	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
-	    ! dns_nsec_isset(bm, dns_rdatatype_soa)) {
-		for (i = 0; i <= max_type; i++) {
-			if (dns_nsec_isset(bm, i) &&
-			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
-				dns_nsec_setbit(bm, i, 0);
-		}
-	}
-
-	dns_rdatasetiter_destroy(&rdsiter);
-	if (result != ISC_R_NOMORE)
-		return (result);
-
- collapse_bitmap:
-	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
-	r.length = nsec_bits - r.base;
-	INSIST(r.length <= DNS_NSEC3_BUFFERSIZE);
-	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec3, &r);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
-	dns_rdata_nsec3_t nsec3;
-	isc_result_t result;
-	isc_boolean_t present;
-	unsigned int i, len, window;
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(rdata->type == dns_rdatatype_nsec3);
-
-	/* This should never fail */
-	result = dns_rdata_tostruct(rdata, &nsec3, NULL);
-	INSIST(result == ISC_R_SUCCESS);
-
-	present = ISC_FALSE;
-	for (i = 0; i < nsec3.len; i += len) {
-		INSIST(i + 2 <= nsec3.len);
-		window = nsec3.typebits[i];
-		len = nsec3.typebits[i + 1];
-		INSIST(len > 0 && len <= 32);
-		i += 2;
-		INSIST(i + len <= nsec3.len);
-		if (window * 256 > type)
-			break;
-		if ((window + 1) * 256 <= type)
-			continue;
-		if (type < (window * 256) + len * 8)
-			present = ISC_TF(dns_nsec_isset(&nsec3.typebits[i],
-							type % 256));
-		break;
-	}
-	dns_rdata_freestruct(&nsec3);
-	return (present);
-}
-
-isc_result_t
-dns_nsec3_hashname(dns_fixedname_t *result,
-		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
-		   size_t *hash_length, dns_name_t *name, dns_name_t *origin,
-		   dns_hash_t hashalg, unsigned int iterations,
-		   const unsigned char *salt, size_t saltlength)
-{
-	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
-	unsigned char nametext[DNS_NAME_FORMATSIZE];
-	dns_fixedname_t fixed;
-	dns_name_t *downcased;
-	isc_buffer_t namebuffer;
-	isc_region_t region;
-	size_t len;
-
-	if (rethash == NULL)
-		rethash = hash;
-
-	memset(rethash, 0, NSEC3_MAX_HASH_LENGTH);
-
-	dns_fixedname_init(&fixed);
-	downcased = dns_fixedname_name(&fixed);
-	dns_name_downcase(name, downcased, NULL);
-
-	/* hash the node name */
-	len = isc_iterated_hash(rethash, hashalg, iterations, salt, saltlength,
-				downcased->ndata, downcased->length);
-	if (len == 0U)
-		return (DNS_R_BADALG);
-
-	if (hash_length != NULL)
-		*hash_length = len;
-
-	/* convert the hash to base32hex */
-	region.base = rethash;
-	region.length = len;
-	isc_buffer_init(&namebuffer, nametext, sizeof nametext);
-	isc_base32hex_totext(&region, 1, "", &namebuffer);
-
-	/* convert the hex to a domain name */
-	dns_fixedname_init(result);
-	return (dns_name_fromtext(dns_fixedname_name(result), &namebuffer,
-				  origin, 0, NULL));
-}
-
-unsigned int
-dns_nsec3_hashlength(dns_hash_t hash) {
-
-	switch (hash) {
-	case dns_hash_sha1: return(ISC_SHA1_DIGESTLENGTH);
-	}
-	return (0);
-}
-
-isc_boolean_t
-dns_nsec3_supportedhash(dns_hash_t hash) {
-	switch (hash) {
-	case dns_hash_sha1: return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-/*%
- * Update a single RR in version 'ver' of 'db' and log the
- * update in 'diff'.
- *
- * Ensures:
- * \li  '*tuple' == NULL.  Either the tuple is freed, or its
- *      ownership has been transferred to the diff.
- */
-static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
-	     dns_diff_t *diff)
-{
-	dns_diff_t temp_diff;
-	isc_result_t result;
-
-	/*
-	 * Create a singleton diff.
-	 */
-	dns_diff_init(diff->mctx, &temp_diff);
-	temp_diff.resign = diff->resign;
-	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
-
-	/*
-	 * Apply it to the database.
-	 */
-	result = dns_diff_apply(&temp_diff, db, ver);
-	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
-	if (result != ISC_R_SUCCESS) {
-		dns_difftuple_free(tuple);
-		return (result);
-	}
-
-	/*
-	 * Merge it into the current pending journal entry.
-	 */
-	dns_diff_appendminimal(diff, tuple);
-
-	/*
-	 * Do not clear temp_diff.
-	 */
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Set '*exists' to true iff the given name exists, to false otherwise.
- */
-static isc_result_t
-name_exists(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-	    isc_boolean_t *exists)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdatasetiter_t *iter = NULL;
-
-	result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND) {
-		*exists = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_db_allrdatasets(db, node, version,
-				     (isc_stdtime_t) 0, &iter);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_node;
-
-	result = dns_rdatasetiter_first(iter);
-	if (result == ISC_R_SUCCESS) {
-		*exists = ISC_TRUE;
-	} else if (result == ISC_R_NOMORE) {
-		*exists = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-	} else
-		*exists = ISC_FALSE;
-	dns_rdatasetiter_destroy(&iter);
-
- cleanup_node:
-	dns_db_detachnode(db, &node);
-	return (result);
-}
-
-static isc_boolean_t
-match_nsec3param(const dns_rdata_nsec3_t *nsec3,
-		 const dns_rdata_nsec3param_t *nsec3param)
-{
-	if (nsec3->hash == nsec3param->hash &&
-	    nsec3->iterations == nsec3param->iterations &&
-	    nsec3->salt_length == nsec3param->salt_length &&
-	    !memcmp(nsec3->salt, nsec3param->salt, nsec3->salt_length))
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-/*%
- * Delete NSEC3 records at "name" which match "param", recording the
- * change in "diff".
- */
-static isc_result_t
-delete(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-       const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
-{
-	dns_dbnode_t *node = NULL ;
-	dns_difftuple_t *tuple = NULL;
-	dns_rdata_nsec3_t nsec3;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-
-	result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
-
-	if (result == ISC_R_NOTFOUND) {
-		result = ISC_R_SUCCESS;
-		goto cleanup_node;
-	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_node;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset))
-	{
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
-
-		if (!match_nsec3param(&nsec3, nsec3param))
-			continue;
-
-		result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, name,
-					      rdataset.ttl, &rdata, &tuple);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-		result = do_one_tuple(&tuple, db, version, diff);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-	result = ISC_R_SUCCESS;
-
- failure:
-	dns_rdataset_disassociate(&rdataset);
- cleanup_node:
-	dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-static isc_boolean_t
-better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-
-	if (REMOVE(param->data[1]))
-		return (ISC_TRUE);
-
-	dns_rdataset_init(&rdataset);
-	dns_rdataset_clone(nsec3paramset, &rdataset);
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata =  DNS_RDATA_INIT;
-		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-
-		if (rdataset.type != dns_rdatatype_nsec3param) {
-			dns_rdata_t tmprdata =  DNS_RDATA_INIT;
-			dns_rdataset_current(&rdataset, &tmprdata);
-			if (!dns_nsec3param_fromprivate(&tmprdata, &rdata,
-							buf, sizeof(buf)))
-				continue;
-		} else
-			dns_rdataset_current(&rdataset, &rdata);
-
-		if (rdata.length != param->length)
-			continue;
-		if (rdata.data[0] != param->data[0] ||
-		    REMOVE(rdata.data[1]) ||
-		    rdata.data[2] != param->data[2] ||
-		    rdata.data[3] != param->data[3] ||
-		    rdata.data[4] != param->data[4] ||
-		    memcmp(&rdata.data[5], &param->data[5], param->data[4]))
-			continue;
-		if (CREATE(rdata.data[1]) && !CREATE(param->data[1])) {
-			dns_rdataset_disassociate(&rdataset);
-			return (ISC_TRUE);
-		}
-	}
-	dns_rdataset_disassociate(&rdataset);
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
-	   const dns_rdata_nsec3param_t *nsec3param)
-{
-	isc_result_t result;
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, nsec3, NULL));
-		dns_rdata_reset(&rdata);
-		if (match_nsec3param(nsec3, nsec3param))
-			break;
-	}
- failure:
-	return (result);
-}
-
-isc_result_t
-dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
-		   dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
-		   dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff)
-{
-	dns_dbiterator_t *dbit = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_dbnode_t *newnode = NULL;
-	dns_difftuple_t *tuple = NULL;
-	dns_fixedname_t fixed;
-	dns_fixedname_t fprev;
-	dns_hash_t hash;
-	dns_name_t *hashname;
-	dns_name_t *origin;
-	dns_name_t *prev;
-	dns_name_t empty;
-	dns_rdata_nsec3_t nsec3;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	int pass;
-	isc_boolean_t exists = ISC_FALSE;
-	isc_boolean_t maybe_remove_unsecure = ISC_FALSE;
-	isc_uint8_t flags;
-	isc_buffer_t buffer;
-	isc_result_t result;
-	unsigned char *old_next;
-	unsigned char *salt;
-	unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
-	unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
-	unsigned int iterations;
-	unsigned int labels;
-	size_t next_length;
-	unsigned int old_length;
-	unsigned int salt_length;
-
-	dns_fixedname_init(&fixed);
-	hashname = dns_fixedname_name(&fixed);
-	dns_fixedname_init(&fprev);
-	prev = dns_fixedname_name(&fprev);
-
-	dns_rdataset_init(&rdataset);
-
-	origin = dns_db_origin(db);
-
-	/*
-	 * Chain parameters.
-	 */
-	hash = nsec3param->hash;
-	iterations = nsec3param->iterations;
-	salt_length = nsec3param->salt_length;
-	salt = nsec3param->salt;
-
-	/*
-	 * Default flags for a new chain.
-	 */
-	flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
-
-	/*
-	 * If this is the first NSEC3 in the chain nexthash will
-	 * remain pointing to itself.
-	 */
-	next_length = sizeof(nexthash);
-	CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
-				 name, origin, hash, iterations,
-				 salt, salt_length));
-
-	/*
-	 * Create the node if it doesn't exist and hold
-	 * a reference to it until we have added the NSEC3.
-	 */
-	CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
-
-	/*
-	 * Seek the iterator to the 'newnode'.
-	 */
-	CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
-	CHECK(dns_dbiterator_seek(dbit, hashname));
-	CHECK(dns_dbiterator_pause(dbit));
-	result = dns_db_findrdataset(db, newnode, version, dns_rdatatype_nsec3,
-				     0, (isc_stdtime_t) 0, &rdataset, NULL);
-	/*
-	 * If we updating a existing NSEC3 then find its
-	 * next field.
-	 */
-	if (result == ISC_R_SUCCESS) {
-		result = find_nsec3(&nsec3, &rdataset, nsec3param);
-		if (result == ISC_R_SUCCESS) {
-			if (!CREATE(nsec3param->flags))
-				flags = nsec3.flags;
-			next_length = nsec3.next_length;
-			INSIST(next_length <= sizeof(nexthash));
-			memcpy(nexthash, nsec3.next, next_length);
-			dns_rdataset_disassociate(&rdataset);
-			/*
-			 * If the NSEC3 is not for a unsecure delegation then
-			 * we are just updating it.  If it is for a unsecure
-			 * delegation then we need find out if we need to
-			 * remove the NSEC3 record or not by examining the
-			 * previous NSEC3 record.
-			 */
-			if (!unsecure)
-				goto addnsec3;
-			else if (CREATE(nsec3param->flags) && OPTOUT(flags)) {
-				result = dns_nsec3_delnsec3(db, version, name,
-							    nsec3param, diff);
-				goto failure;
-			} else
-				maybe_remove_unsecure = ISC_TRUE;
-		} else {
-			dns_rdataset_disassociate(&rdataset);
-			if (result != ISC_R_NOMORE)
-				goto failure;
-		}
-	}
-
-	/*
-	 * Find the previous NSEC3 (if any) and update it if required.
-	 */
-	pass = 0;
-	do {
-		result = dns_dbiterator_prev(dbit);
-		if (result == ISC_R_NOMORE) {
-			pass++;
-			CHECK(dns_dbiterator_last(dbit));
-		}
-		CHECK(dns_dbiterator_current(dbit, &node, prev));
-		CHECK(dns_dbiterator_pause(dbit));
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_nsec3, 0,
-					     (isc_stdtime_t) 0, &rdataset,
-					     NULL);
-		dns_db_detachnode(db, &node);
-		if (result != ISC_R_SUCCESS)
-			continue;
-
-		result = find_nsec3(&nsec3, &rdataset, nsec3param);
-		if (result == ISC_R_NOMORE) {
-			dns_rdataset_disassociate(&rdataset);
-			continue;
-		}
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		if (maybe_remove_unsecure) {
-			dns_rdataset_disassociate(&rdataset);
-			/*
-			 * If we have OPTOUT set in the previous NSEC3 record
-			 * we actually need to delete the NSEC3 record.
-			 * Otherwise we just need to replace the NSEC3 record.
-			 */
-			if (OPTOUT(nsec3.flags)) {
-				result = dns_nsec3_delnsec3(db, version, name,
-							    nsec3param, diff);
-				goto failure;
-			}
-			goto addnsec3;
-		} else {
-			/*
-			 * Is this is a unsecure delegation we are adding?
-			 * If so no change is required.
-			 */
-			if (OPTOUT(nsec3.flags) && unsecure) {
-				dns_rdataset_disassociate(&rdataset);
-				goto failure;
-			}
-		}
-
-		old_next = nsec3.next;
-		old_length = nsec3.next_length;
-
-		/*
-		 * Delete the old previous NSEC3.
-		 */
-		CHECK(delete(db, version, prev, nsec3param, diff));
-
-		/*
-		 * Fixup the previous NSEC3.
-		 */
-		nsec3.next = nexthash;
-		nsec3.next_length = next_length;
-		isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
-		CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
-					   dns_rdatatype_nsec3, &nsec3,
-					   &buffer));
-		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
-					   rdataset.ttl, &rdata, &tuple));
-		CHECK(do_one_tuple(&tuple, db, version, diff));
-		INSIST(old_length <= sizeof(nexthash));
-		memcpy(nexthash, old_next, old_length);
-		if (!CREATE(nsec3param->flags))
-			flags = nsec3.flags;
-		dns_rdata_reset(&rdata);
-		dns_rdataset_disassociate(&rdataset);
-		break;
-	} while (pass < 2);
-
- addnsec3:
-	/*
-	 * Create the NSEC3 RDATA.
-	 */
-	CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
-	CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
-				   salt, salt_length, nexthash, next_length,
-				   nsec3buf, &rdata));
-	dns_db_detachnode(db, &node);
-
-	/*
-	 * Delete the old NSEC3 and record the change.
-	 */
-	CHECK(delete(db, version, hashname, nsec3param, diff));
-	/*
-	 * Add the new NSEC3 and record the change.
-	 */
-	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
-				   hashname, nsecttl, &rdata, &tuple));
-	CHECK(do_one_tuple(&tuple, db, version, diff));
-	INSIST(tuple == NULL);
-	dns_rdata_reset(&rdata);
-	dns_db_detachnode(db, &newnode);
-
-	/*
-	 * Add missing NSEC3 records for empty nodes
-	 */
-	dns_name_init(&empty, NULL);
-	dns_name_clone(name, &empty);
-	do {
-		labels = dns_name_countlabels(&empty) - 1;
-		if (labels <= dns_name_countlabels(origin))
-			break;
-		dns_name_getlabelsequence(&empty, 1, labels, &empty);
-		CHECK(name_exists(db, version, &empty, &exists));
-		if (exists)
-			break;
-		CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
-					 &empty, origin, hash, iterations,
-					 salt, salt_length));
-
-		/*
-		 * Create the node if it doesn't exist and hold
-		 * a reference to it until we have added the NSEC3
-		 * or we discover we don't need to add make a change.
-		 */
-		CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
-		result = dns_db_findrdataset(db, newnode, version,
-					     dns_rdatatype_nsec3, 0,
-					     (isc_stdtime_t) 0, &rdataset,
-					     NULL);
-		if (result == ISC_R_SUCCESS) {
-			result = find_nsec3(&nsec3, &rdataset, nsec3param);
-			dns_rdataset_disassociate(&rdataset);
-			if (result == ISC_R_SUCCESS) {
-				dns_db_detachnode(db, &newnode);
-				break;
-			}
-			if (result != ISC_R_NOMORE)
-				goto failure;
-		}
-
-		/*
-		 * Find the previous NSEC3 and update it.
-		 */
-		CHECK(dns_dbiterator_seek(dbit, hashname));
-		pass = 0;
-		do {
-			result = dns_dbiterator_prev(dbit);
-			if (result == ISC_R_NOMORE) {
-				pass++;
-				CHECK(dns_dbiterator_last(dbit));
-			}
-			CHECK(dns_dbiterator_current(dbit, &node, prev));
-			CHECK(dns_dbiterator_pause(dbit));
-			result = dns_db_findrdataset(db, node, version,
-						     dns_rdatatype_nsec3, 0,
-						     (isc_stdtime_t) 0,
-						     &rdataset, NULL);
-			dns_db_detachnode(db, &node);
-			if (result != ISC_R_SUCCESS)
-				continue;
-			result = find_nsec3(&nsec3, &rdataset, nsec3param);
-			if (result == ISC_R_NOMORE) {
-				dns_rdataset_disassociate(&rdataset);
-				continue;
-			}
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-
-			old_next = nsec3.next;
-			old_length = nsec3.next_length;
-
-			/*
-			 * Delete the old previous NSEC3.
-			 */
-			CHECK(delete(db, version, prev, nsec3param, diff));
-
-			/*
-			 * Fixup the previous NSEC3.
-			 */
-			nsec3.next = nexthash;
-			nsec3.next_length = next_length;
-			isc_buffer_init(&buffer, nsec3buf,
-					sizeof(nsec3buf));
-			CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
-						   dns_rdatatype_nsec3, &nsec3,
-						   &buffer));
-			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
-						   prev, rdataset.ttl, &rdata,
-						   &tuple));
-			CHECK(do_one_tuple(&tuple, db, version, diff));
-			INSIST(old_length <= sizeof(nexthash));
-			memcpy(nexthash, old_next, old_length);
-			if (!CREATE(nsec3param->flags))
-				flags = nsec3.flags;
-			dns_rdata_reset(&rdata);
-			dns_rdataset_disassociate(&rdataset);
-			break;
-		} while (pass < 2);
-
-		INSIST(pass < 2);
-
-		/*
-		 * Create the NSEC3 RDATA for the empty node.
-		 */
-		CHECK(dns_nsec3_buildrdata(db, version, NULL, hash, flags,
-					   iterations, salt, salt_length,
-					   nexthash, next_length, nsec3buf,
-					   &rdata));
-		/*
-		 * Delete the old NSEC3 and record the change.
-		 */
-		CHECK(delete(db, version, hashname, nsec3param, diff));
-
-		/*
-		 * Add the new NSEC3 and record the change.
-		 */
-		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
-					   hashname, nsecttl, &rdata, &tuple));
-		CHECK(do_one_tuple(&tuple, db, version, diff));
-		INSIST(tuple == NULL);
-		dns_rdata_reset(&rdata);
-		dns_db_detachnode(db, &newnode);
-	} while (1);
-
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
- failure:
-	if (dbit != NULL)
-		dns_dbiterator_destroy(&dbit);
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (newnode != NULL)
-		dns_db_detachnode(db, &newnode);
-	return (result);
-}
-
-/*%
- * Add NSEC3 records for "name", recording the change in "diff".
- * The existing NSEC3 records are removed.
- */
-isc_result_t
-dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
-		    dns_name_t *name, dns_ttl_t nsecttl,
-		    isc_boolean_t unsecure, dns_diff_t *diff)
-{
-	dns_dbnode_t *node = NULL;
-	dns_rdata_nsec3param_t nsec3param;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-
-	/*
-	 * Find the NSEC3 parameters for this zone.
-	 */
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_db_findrdataset(db, node, version,
-				     dns_rdatatype_nsec3param, 0, 0,
-				     &rdataset, NULL);
-	dns_db_detachnode(db, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Update each active NSEC3 chain.
-	 */
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-
-		if (nsec3param.flags != 0)
-			continue;
-		/*
-		 * We have a active chain.  Update it.
-		 */
-		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
-					 nsecttl, unsecure, diff));
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-isc_boolean_t
-dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
-			   unsigned char *buf, size_t buflen)
-{
-	dns_decompress_t dctx;
-	isc_result_t result;
-	isc_buffer_t buf1;
-	isc_buffer_t buf2;
-
-	/*
-	 * Algorithm 0 (reserved by RFC 4034) is used to identify
-	 * NSEC3PARAM records from DNSKEY pointers.
-	 */
-	if (src->length < 1 || src->data[0] != 0)
-		return (ISC_FALSE);
-
-	isc_buffer_init(&buf1, src->data + 1, src->length - 1);
-	isc_buffer_add(&buf1, src->length - 1);
-	isc_buffer_setactive(&buf1, src->length - 1);
-	isc_buffer_init(&buf2, buf, buflen);
-	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
-	result = dns_rdata_fromwire(target, src->rdclass,
-				    dns_rdatatype_nsec3param,
-				    &buf1, &dctx, 0, &buf2);
-	dns_decompress_invalidate(&dctx);
-
-	return (ISC_TF(result == ISC_R_SUCCESS));
-}
-
-void
-dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
-			 dns_rdatatype_t privatetype,
-			 unsigned char *buf, size_t buflen)
-{
-	REQUIRE(buflen >= src->length + 1);
-
-	REQUIRE(DNS_RDATA_INITIALIZED(target));
-
-	memcpy(buf + 1, src->data, src->length);
-	buf[0] = 0;
-	target->data = buf;
-	target->length = src->length + 1;
-	target->type = privatetype;
-	target->rdclass = src->rdclass;
-	target->flags = 0;
-	ISC_LINK_INIT(target, link);
-}
-
-#ifdef BIND9
-static isc_result_t
-rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	  const dns_rdata_t *rdata, isc_boolean_t *flag)
-{
-	dns_rdataset_t rdataset;
-	dns_dbnode_t *node = NULL;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-	if (rdata->type == dns_rdatatype_nsec3)
-		CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
-	else
-		CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
-	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		*flag = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-		goto failure;
-	}
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t myrdata = DNS_RDATA_INIT;
-		dns_rdataset_current(&rdataset, &myrdata);
-		if (!dns_rdata_casecompare(&myrdata, rdata))
-			break;
-	}
-	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_SUCCESS) {
-		*flag = ISC_TRUE;
-	} else if (result == ISC_R_NOMORE) {
-		*flag = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-	}
-
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-#endif
-
-#ifdef BIND9
-isc_result_t
-dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
-			    dns_zone_t *zone, isc_boolean_t nonsec,
-			    dns_diff_t *diff)
-{
-	dns_dbnode_t *node = NULL;
-	dns_difftuple_t *tuple = NULL;
-	dns_name_t next;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	isc_boolean_t flag;
-	isc_result_t result = ISC_R_SUCCESS;
-	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
-	dns_name_t *origin = dns_zone_getorigin(zone);
-	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
-
-	dns_name_init(&next, NULL);
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Cause all NSEC3 chains to be deleted.
-	 */
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
-				     0, (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto try_private;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t private = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-
-		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
-					   rdataset.ttl, &rdata, &tuple));
-		CHECK(do_one_tuple(&tuple, db, ver, diff));
-		INSIST(tuple == NULL);
-
-		dns_nsec3param_toprivate(&rdata, &private, privatetype,
-					 buf, sizeof(buf));
-		buf[2] = DNS_NSEC3FLAG_REMOVE;
-		if (nonsec)
-			buf[2] |= DNS_NSEC3FLAG_NONSEC;
-
-		CHECK(rr_exists(db, ver, origin, &private, &flag));
-
-		if (!flag) {
-			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
-						   origin, 0, &private,
-						   &tuple));
-			CHECK(do_one_tuple(&tuple, db, ver, diff));
-			INSIST(tuple == NULL);
-		}
-		dns_rdata_reset(&rdata);
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-
-	dns_rdataset_disassociate(&rdataset);
-
- try_private:
-	if (privatetype == 0)
-		goto success;
-	result = dns_db_findrdataset(db, node, ver, privatetype, 0,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto success;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(&rdataset, &rdata);
-		INSIST(rdata.length <= sizeof(buf));
-		memcpy(buf, rdata.data, rdata.length);
-
-		/*
-		 * Private NSEC3 record length >= 6.
-		 * <0(1), hash(1), flags(1), iterations(2), saltlen(1)>
-		 */
-		if (rdata.length < 6 || buf[0] != 0 ||
-		    (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
-		    (nonsec && (buf[2] & DNS_NSEC3FLAG_NONSEC) != 0))
-			continue;
-
-		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
-					   0, &rdata, &tuple));
-		CHECK(do_one_tuple(&tuple, db, ver, diff));
-		INSIST(tuple == NULL);
-
-		rdata.data = buf;
-		buf[2] = DNS_NSEC3FLAG_REMOVE;
-		if (nonsec)
-			buf[2] |= DNS_NSEC3FLAG_NONSEC;
-
-		CHECK(rr_exists(db, ver, origin, &rdata, &flag));
-
-		if (!flag) {
-			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
-						   origin, 0, &rdata, &tuple));
-			CHECK(do_one_tuple(&tuple, db, ver, diff));
-			INSIST(tuple == NULL);
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
- success:
-	result = ISC_R_SUCCESS;
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	dns_db_detachnode(db, &node);
-	return (result);
-}
-#endif
-
-isc_result_t
-dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
-		     dns_name_t *name, dns_ttl_t nsecttl,
-		     isc_boolean_t unsecure, dns_rdatatype_t type,
-		     dns_diff_t *diff)
-{
-	dns_dbnode_t *node = NULL;
-	dns_rdata_nsec3param_t nsec3param;
-	dns_rdataset_t rdataset;
-	dns_rdataset_t prdataset;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-	dns_rdataset_init(&prdataset);
-
-	/*
-	 * Find the NSEC3 parameters for this zone.
-	 */
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_db_findrdataset(db, node, version, type, 0, 0,
-				     &prdataset, NULL);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-		goto failure;
-
-	result = dns_db_findrdataset(db, node, version,
-				     dns_rdatatype_nsec3param, 0, 0,
-				     &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto try_private;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	/*
-	 * Update each active NSEC3 chain.
-	 */
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-
-		if (nsec3param.flags != 0)
-			continue;
-
-		/*
-		 * We have a active chain.  Update it.
-		 */
-		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
-					 nsecttl, unsecure, diff));
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-
-	dns_rdataset_disassociate(&rdataset);
-
- try_private:
-	if (!dns_rdataset_isassociated(&prdataset))
-		goto success;
-	/*
-	 * Update each active NSEC3 chain.
-	 */
-	for (result = dns_rdataset_first(&prdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&prdataset)) {
-		dns_rdata_t rdata1 = DNS_RDATA_INIT;
-		dns_rdata_t rdata2 = DNS_RDATA_INIT;
-		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-
-		dns_rdataset_current(&prdataset, &rdata1);
-		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
-						buf, sizeof(buf)))
-			continue;
-		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
-
-		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
-			continue;
-		if (better_param(&prdataset, &rdata2))
-			continue;
-
-		/*
-		 * We have a active chain.  Update it.
-		 */
-		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
-					 nsecttl, unsecure, diff));
-	}
-	if (result == ISC_R_NOMORE)
- success:
-		result = ISC_R_SUCCESS;
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (dns_rdataset_isassociated(&prdataset))
-		dns_rdataset_disassociate(&prdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-/*%
- * Determine whether any NSEC3 records that were associated with
- * 'name' should be deleted or if they should continue to exist.
- * ISC_TRUE indicates they should be deleted.
- * ISC_FALSE indicates they should be retained.
- */
-static isc_result_t
-deleteit(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	 isc_boolean_t *yesno)
-{
-	isc_result_t result;
-	dns_fixedname_t foundname;
-	dns_fixedname_init(&foundname);
-
-	result = dns_db_find(db, name, ver, dns_rdatatype_any,
-			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
-			     (isc_stdtime_t) 0, NULL,
-			     dns_fixedname_name(&foundname),
-			     NULL, NULL);
-	if (result == DNS_R_EMPTYNAME || result == ISC_R_SUCCESS ||
-	    result ==  DNS_R_ZONECUT) {
-		*yesno = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	}
-	if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
-	    result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
-		*yesno = ISC_TRUE;
-		return (ISC_R_SUCCESS);
-	}
-	/*
-	 * Silence compiler.
-	 */
-	*yesno = ISC_TRUE;
-	return (result);
-}
-
-isc_result_t
-dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
-{
-	dns_dbiterator_t *dbit = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_difftuple_t *tuple = NULL;
-	dns_fixedname_t fixed;
-	dns_fixedname_t fprev;
-	dns_hash_t hash;
-	dns_name_t *hashname;
-	dns_name_t *origin;
-	dns_name_t *prev;
-	dns_name_t empty;
-	dns_rdata_nsec3_t nsec3;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	int pass;
-	isc_boolean_t yesno;
-	isc_buffer_t buffer;
-	isc_result_t result;
-	unsigned char *salt;
-	unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
-	unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
-	unsigned int iterations;
-	unsigned int labels;
-	size_t next_length;
-	unsigned int salt_length;
-
-	dns_fixedname_init(&fixed);
-	hashname = dns_fixedname_name(&fixed);
-	dns_fixedname_init(&fprev);
-	prev = dns_fixedname_name(&fprev);
-
-	dns_rdataset_init(&rdataset);
-
-	origin = dns_db_origin(db);
-
-	/*
-	 * Chain parameters.
-	 */
-	hash = nsec3param->hash;
-	iterations = nsec3param->iterations;
-	salt_length = nsec3param->salt_length;
-	salt = nsec3param->salt;
-
-	/*
-	 * If this is the first NSEC3 in the chain nexthash will
-	 * remain pointing to itself.
-	 */
-	next_length = sizeof(nexthash);
-	CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
-				 name, origin, hash, iterations,
-				 salt, salt_length));
-
-	CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
-
-	result = dns_dbiterator_seek(dbit, hashname);
-	if (result == ISC_R_NOTFOUND)
-		goto success;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	CHECK(dns_dbiterator_current(dbit, &node, NULL));
-	CHECK(dns_dbiterator_pause(dbit));
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3,
-				     0, (isc_stdtime_t) 0, &rdataset, NULL);
-	dns_db_detachnode(db, &node);
-	if (result == ISC_R_NOTFOUND)
-		goto success;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	/*
-	 * If we find a existing NSEC3 for this chain then save the
-	 * next field.
-	 */
-	result = find_nsec3(&nsec3, &rdataset, nsec3param);
-	if (result == ISC_R_SUCCESS) {
-		next_length = nsec3.next_length;
-		INSIST(next_length <= sizeof(nexthash));
-		memcpy(nexthash, nsec3.next, next_length);
-	}
-	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_NOMORE)
-		goto success;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	/*
-	 * Find the previous NSEC3 and update it.
-	 */
-	pass = 0;
-	do {
-		result = dns_dbiterator_prev(dbit);
-		if (result == ISC_R_NOMORE) {
-			pass++;
-			CHECK(dns_dbiterator_last(dbit));
-		}
-		CHECK(dns_dbiterator_current(dbit, &node, prev));
-		CHECK(dns_dbiterator_pause(dbit));
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_nsec3, 0,
-					     (isc_stdtime_t) 0, &rdataset,
-					     NULL);
-		dns_db_detachnode(db, &node);
-		if (result != ISC_R_SUCCESS)
-			continue;
-		result = find_nsec3(&nsec3, &rdataset, nsec3param);
-		if (result == ISC_R_NOMORE) {
-			dns_rdataset_disassociate(&rdataset);
-			continue;
-		}
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		/*
-		 * Delete the old previous NSEC3.
-		 */
-		CHECK(delete(db, version, prev, nsec3param, diff));
-
-		/*
-		 * Fixup the previous NSEC3.
-		 */
-		nsec3.next = nexthash;
-		nsec3.next_length = next_length;
-		if (CREATE(nsec3param->flags))
-			nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
-		isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
-		CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
-					   dns_rdatatype_nsec3, &nsec3,
-					   &buffer));
-		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
-					   rdataset.ttl, &rdata, &tuple));
-		CHECK(do_one_tuple(&tuple, db, version, diff));
-		dns_rdata_reset(&rdata);
-		dns_rdataset_disassociate(&rdataset);
-		break;
-	} while (pass < 2);
-
-	/*
-	 * Delete the old NSEC3 and record the change.
-	 */
-	CHECK(delete(db, version, hashname, nsec3param, diff));
-
-	/*
-	 *  Delete NSEC3 records for now non active nodes.
-	 */
-	dns_name_init(&empty, NULL);
-	dns_name_clone(name, &empty);
-	do {
-		labels = dns_name_countlabels(&empty) - 1;
-		if (labels <= dns_name_countlabels(origin))
-			break;
-		dns_name_getlabelsequence(&empty, 1, labels, &empty);
-		CHECK(deleteit(db, version, &empty, &yesno));
-		if (!yesno)
-			break;
-
-		CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
-					 &empty, origin, hash, iterations,
-					 salt, salt_length));
-		result = dns_dbiterator_seek(dbit, hashname);
-		if (result == ISC_R_NOTFOUND)
-			goto success;
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		CHECK(dns_dbiterator_current(dbit, &node, NULL));
-		CHECK(dns_dbiterator_pause(dbit));
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_nsec3, 0,
-					     (isc_stdtime_t) 0, &rdataset,
-					     NULL);
-		dns_db_detachnode(db, &node);
-		if (result == ISC_R_NOTFOUND)
-			goto success;
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		result = find_nsec3(&nsec3, &rdataset, nsec3param);
-		if (result == ISC_R_SUCCESS) {
-			next_length = nsec3.next_length;
-			INSIST(next_length <= sizeof(nexthash));
-			memcpy(nexthash, nsec3.next, next_length);
-		}
-		dns_rdataset_disassociate(&rdataset);
-		if (result == ISC_R_NOMORE)
-			goto success;
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		pass = 0;
-		do {
-			result = dns_dbiterator_prev(dbit);
-			if (result == ISC_R_NOMORE) {
-				pass++;
-				CHECK(dns_dbiterator_last(dbit));
-			}
-			CHECK(dns_dbiterator_current(dbit, &node, prev));
-			CHECK(dns_dbiterator_pause(dbit));
-			result = dns_db_findrdataset(db, node, version,
-						     dns_rdatatype_nsec3, 0,
-						     (isc_stdtime_t) 0,
-						     &rdataset, NULL);
-			dns_db_detachnode(db, &node);
-			if (result != ISC_R_SUCCESS)
-				continue;
-			result = find_nsec3(&nsec3, &rdataset, nsec3param);
-			if (result == ISC_R_NOMORE) {
-				dns_rdataset_disassociate(&rdataset);
-				continue;
-			}
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-
-			/*
-			 * Delete the old previous NSEC3.
-			 */
-			CHECK(delete(db, version, prev, nsec3param, diff));
-
-			/*
-			 * Fixup the previous NSEC3.
-			 */
-			nsec3.next = nexthash;
-			nsec3.next_length = next_length;
-			isc_buffer_init(&buffer, nsec3buf,
-					sizeof(nsec3buf));
-			CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
-						   dns_rdatatype_nsec3, &nsec3,
-						   &buffer));
-			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
-						   prev, rdataset.ttl, &rdata,
-						   &tuple));
-			CHECK(do_one_tuple(&tuple, db, version, diff));
-			dns_rdata_reset(&rdata);
-			dns_rdataset_disassociate(&rdataset);
-			break;
-		} while (pass < 2);
-
-		INSIST(pass < 2);
-
-		/*
-		 * Delete the old NSEC3 and record the change.
-		 */
-		CHECK(delete(db, version, hashname, nsec3param, diff));
-	} while (1);
-
- success:
-	result = ISC_R_SUCCESS;
-
- failure:
-	if (dbit != NULL)
-		dns_dbiterator_destroy(&dbit);
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-isc_result_t
-dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-		    dns_diff_t *diff)
-{
-	return (dns_nsec3_delnsec3sx(db, version, name, 0, diff));
-}
-
-isc_result_t
-dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-		     dns_rdatatype_t privatetype, dns_diff_t *diff)
-{
-	dns_dbnode_t *node = NULL;
-	dns_rdata_nsec3param_t nsec3param;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-
-	/*
-	 * Find the NSEC3 parameters for this zone.
-	 */
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_db_findrdataset(db, node, version,
-				     dns_rdatatype_nsec3param, 0, 0,
-				     &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto try_private;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	/*
-	 * Update each active NSEC3 chain.
-	 */
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-
-		if (nsec3param.flags != 0)
-			continue;
-		/*
-		 * We have a active chain.  Update it.
-		 */
-		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
-	}
-	dns_rdataset_disassociate(&rdataset);
-
- try_private:
-	if (privatetype == 0)
-		goto success;
-	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
-				     &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto success;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	/*
-	 * Update each NSEC3 chain being built.
-	 */
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata1 = DNS_RDATA_INIT;
-		dns_rdata_t rdata2 = DNS_RDATA_INIT;
-		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-
-		dns_rdataset_current(&rdataset, &rdata1);
-		if (!dns_nsec3param_fromprivate(&rdata1,  &rdata2,
-						buf, sizeof(buf)))
-			continue;
-		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
-
-		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
-			continue;
-		if (better_param(&rdataset, &rdata2))
-			continue;
-
-		/*
-		 * We have a active chain.  Update it.
-		 */
-		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
-	}
-	if (result == ISC_R_NOMORE)
- success:
-		result = ISC_R_SUCCESS;
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-isc_result_t
-dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
-		 isc_boolean_t complete, isc_boolean_t *answer)
-{
-	return (dns_nsec3_activex(db, version, complete, 0, answer));
-}
-
-isc_result_t
-dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
-		  isc_boolean_t complete, dns_rdatatype_t privatetype,
-		  isc_boolean_t *answer)
-{
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_nsec3param_t nsec3param;
-	isc_result_t result;
-
-	REQUIRE(answer != NULL);
-
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_db_findrdataset(db, node, version,
-				     dns_rdatatype_nsec3param, 0, 0,
-				     &rdataset, NULL);
-
-	if (result == ISC_R_NOTFOUND)
-		goto try_private;
-
-	if (result != ISC_R_SUCCESS) {
-		dns_db_detachnode(db, &node);
-		return (result);
-	}
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (nsec3param.flags == 0)
-			break;
-	}
-	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_SUCCESS) {
-		dns_db_detachnode(db, &node);
-		*answer = ISC_TRUE;
-		return (ISC_R_SUCCESS);
-	}
-	if (result == ISC_R_NOMORE)
-		*answer = ISC_FALSE;
-
- try_private:
-	if (privatetype == 0 || complete) {
-		*answer = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	}
-	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
-				     &rdataset, NULL);
-
-	dns_db_detachnode(db, &node);
-	if (result == ISC_R_NOTFOUND) {
-		*answer = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata1 = DNS_RDATA_INIT;
-		dns_rdata_t rdata2 = DNS_RDATA_INIT;
-		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-
-		dns_rdataset_current(&rdataset, &rdata1);
-		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
-						buf, sizeof(buf)))
-			continue;
-		result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (!complete && CREATE(nsec3param.flags))
-			break;
-	}
-	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_SUCCESS) {
-		*answer = ISC_TRUE;
-		result = ISC_R_SUCCESS;
-	}
-	if (result == ISC_R_NOMORE) {
-		*answer = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-	}
-
-	return (result);
-}
-
-isc_result_t
-dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
-			isc_mem_t *mctx, unsigned int *iterationsp)
-{
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dst_key_t *key = NULL;
-	isc_buffer_t buffer;
-	isc_result_t result;
-	unsigned int bits, minbits = 4096;
-
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
-				     0, 0, &rdataset, NULL);
-	dns_db_detachnode(db, &node);
-	if (result == ISC_R_NOTFOUND) {
-		*iterationsp = 0;
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		isc_buffer_init(&buffer, rdata.data, rdata.length);
-		isc_buffer_add(&buffer, rdata.length);
-		CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
-				      &buffer, mctx, &key));
-		bits = dst_key_size(key);
-		dst_key_free(&key);
-		if (minbits > bits)
-			minbits = bits;
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-
-	if (minbits <= 1024)
-		*iterationsp = 150;
-	else if (minbits <= 2048)
-		*iterationsp = 500;
-	else
-		*iterationsp = 2500;
-	result = ISC_R_SUCCESS;
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	return (result);
-}
-
-isc_result_t
-dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
-			dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
-			dns_name_t *zonename, isc_boolean_t *exists,
-			isc_boolean_t *data, isc_boolean_t *optout,
-			isc_boolean_t *unknown, isc_boolean_t *setclosest,
-			isc_boolean_t *setnearest, dns_name_t *closest,
-			dns_name_t *nearest, dns_nseclog_t logit, void *arg)
-{
-	char namebuf[DNS_NAME_FORMATSIZE];
-	dns_fixedname_t fzone;
-	dns_fixedname_t qfixed;
-	dns_label_t hashlabel;
-	dns_name_t *qname;
-	dns_name_t *zone;
-	dns_rdata_nsec3_t nsec3;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	int order;
-	int scope;
-	isc_boolean_t atparent;
-	isc_boolean_t first;
-	isc_boolean_t ns;
-	isc_boolean_t soa;
-	isc_buffer_t buffer;
-	isc_result_t answer = ISC_R_IGNORE;
-	isc_result_t result;
-	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
-	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
-	unsigned int length;
-	unsigned int qlabels;
-	unsigned int zlabels;
-
-	REQUIRE((exists == NULL && data == NULL) ||
-		(exists != NULL && data != NULL));
-	REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
-	REQUIRE((setclosest == NULL && closest == NULL) ||
-		(setclosest != NULL && closest != NULL));
-	REQUIRE((setnearest == NULL && nearest == NULL) ||
-		(setnearest != NULL && nearest != NULL));
-
-	result = dns_rdataset_first(nsec3set);
-	if (result != ISC_R_SUCCESS) {
-		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC3 set");
-		return (result);
-	}
-
-	dns_rdataset_current(nsec3set, &rdata);
-
-	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");
-
-	dns_fixedname_init(&fzone);
-	zone = dns_fixedname_name(&fzone);
-	zlabels = dns_name_countlabels(nsec3name);
-
-	/*
-	 * NSEC3 records must have two or more labels to be valid.
-	 */
-	if (zlabels < 2)
-		return (ISC_R_IGNORE);
-
-	/*
-	 * Strip off the NSEC3 hash to get the zone.
-	 */
-	zlabels--;
-	dns_name_split(nsec3name, zlabels, NULL, zone);
-
-	/*
-	 * If not below the zone name we can ignore this record.
-	 */
-	if (!dns_name_issubdomain(name, zone))
-		return (ISC_R_IGNORE);
-
-	/*
-	 * Is this zone the same or deeper than the current zone?
-	 */
-	if (dns_name_countlabels(zonename) == 0 ||
-	    dns_name_issubdomain(zone, zonename))
-		dns_name_copy(zone, zonename, NULL);
-
-	if (!dns_name_equal(zone, zonename))
-		return (ISC_R_IGNORE);
-
-	/*
-	 * Are we only looking for the most enclosing zone?
-	 */
-	if (exists == NULL || data == NULL)
-		return (ISC_R_SUCCESS);
-
-	/*
-	 * Only set unknown once we are sure that this NSEC3 is from
-	 * the deepest covering zone.
-	 */
-	if (!dns_nsec3_supportedhash(nsec3.hash)) {
-		if (unknown != NULL)
-			*unknown = ISC_TRUE;
-		return (ISC_R_IGNORE);
-	}
-
-	/*
-	 * Recover the hash from the first label.
-	 */
-	dns_name_getlabel(nsec3name, 0, &hashlabel);
-	isc_region_consume(&hashlabel, 1);
-	isc_buffer_init(&buffer, owner, sizeof(owner));
-	result = isc_base32hex_decoderegion(&hashlabel, &buffer);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * The hash lengths should match.  If not ignore the record.
-	 */
-	if (isc_buffer_usedlength(&buffer) != nsec3.next_length)
-		return (ISC_R_IGNORE);
-
-	/*
-	 * Work out what this NSEC3 covers.
-	 * Inside (<0) or outside (>=0).
-	 */
-	scope = memcmp(owner, nsec3.next, nsec3.next_length);
-
-	/*
-	 * Prepare to compute all the hashes.
-	 */
-	dns_fixedname_init(&qfixed);
-	qname = dns_fixedname_name(&qfixed);
-	dns_name_downcase(name, qname, NULL);
-	qlabels = dns_name_countlabels(qname);
-	first = ISC_TRUE;
-
-	while (qlabels >= zlabels) {
-		length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
-					   nsec3.salt, nsec3.salt_length,
-					   qname->ndata, qname->length);
-		/*
-		 * The computed hash length should match.
-		 */
-		if (length != nsec3.next_length) {
-			(*logit)(arg, ISC_LOG_DEBUG(3),
-				 "ignoring NSEC bad length %u vs %u",
-				 length, nsec3.next_length);
-			return (ISC_R_IGNORE);
-		}
-
-		order = memcmp(hash, owner, length);
-		if (first && order == 0) {
-			/*
-			 * The hashes are the same.
-			 */
-			atparent = dns_rdatatype_atparent(type);
-			ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
-			soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
-			if (ns && !soa) {
-				if (!atparent) {
-					/*
-					 * This NSEC3 record is from somewhere
-					 * higher in the DNS, and at the
-					 * parent of a delegation. It can not
-					 * be legitimately used here.
-					 */
-					(*logit)(arg, ISC_LOG_DEBUG(3),
-						 "ignoring parent NSEC3");
-					return (ISC_R_IGNORE);
-				}
-			} else if (atparent && ns && soa) {
-				/*
-				 * This NSEC3 record is from the child.
-				 * It can not be legitimately used here.
-				 */
-				(*logit)(arg, ISC_LOG_DEBUG(3),
-					 "ignoring child NSEC3");
-				return (ISC_R_IGNORE);
-			}
-			if (type == dns_rdatatype_cname ||
-			    type == dns_rdatatype_nxt ||
-			    type == dns_rdatatype_nsec ||
-			    type == dns_rdatatype_key ||
-			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname)) {
-				*exists = ISC_TRUE;
-				*data = dns_nsec3_typepresent(&rdata, type);
-				(*logit)(arg, ISC_LOG_DEBUG(3),
-					 "NSEC3 proves name exists (owner) "
-					 "data=%d", *data);
-				return (ISC_R_SUCCESS);
-			}
-			(*logit)(arg, ISC_LOG_DEBUG(3),
-				 "NSEC3 proves CNAME exists");
-			return (ISC_R_IGNORE);
-		}
-
-		if (order == 0 &&
-		    dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
-		    !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
-		{
-			/*
-			 * This NSEC3 record is from somewhere higher in
-			 * the DNS, and at the parent of a delegation.
-			 * It can not be legitimately used here.
-			 */
-			(*logit)(arg, ISC_LOG_DEBUG(3),
-				 "ignoring parent NSEC3");
-			return (ISC_R_IGNORE);
-		}
-
-		/*
-		 * Potential closest encloser.
-		 */
-		if (order == 0) {
-			if (closest != NULL &&
-			    (dns_name_countlabels(closest) == 0 ||
-			     dns_name_issubdomain(qname, closest)) &&
-			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
-			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) &&
-			    (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
-			     !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
-			{
-
-				dns_name_format(qname, namebuf,
-						sizeof(namebuf));
-				(*logit)(arg, ISC_LOG_DEBUG(3),
-					 "NSEC3 indicates potential closest "
-					 "encloser: '%s'", namebuf);
-				dns_name_copy(qname, closest, NULL);
-				*setclosest = ISC_TRUE;
-			}
-			dns_name_format(qname, namebuf, sizeof(namebuf));
-			(*logit)(arg, ISC_LOG_DEBUG(3),
-				 "NSEC3 at super-domain %s", namebuf);
-			return (answer);
-		}
-
-		/*
-		 * Find if the name does not exist.
-		 *
-		 * We continue as we need to find the name closest to the
-		 * closest encloser that doesn't exist.
-		 *
-		 * We also need to continue to ensure that we are not
-		 * proving the non-existence of a record in a sub-zone.
-		 * If that would be the case we will return ISC_R_IGNORE
-		 * above.
-		 */
-		if ((scope < 0 && order > 0 &&
-		     memcmp(hash, nsec3.next, length) < 0) ||
-		    (scope >= 0 && (order > 0 ||
-				    memcmp(hash, nsec3.next, length) < 0)))
-		{
-			char namebuf[DNS_NAME_FORMATSIZE];
-
-			dns_name_format(qname, namebuf, sizeof(namebuf));
-			(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC3 proves "
-				 "name does not exist: '%s'", namebuf);
-			if (nearest != NULL &&
-			    (dns_name_countlabels(nearest) == 0 ||
-			     dns_name_issubdomain(nearest, qname))) {
-				dns_name_copy(qname, nearest, NULL);
-				*setnearest = ISC_TRUE;
-			}
-
-			*exists = ISC_FALSE;
-			*data = ISC_FALSE;
-			if (optout != NULL) {
-				if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
-					(*logit)(arg, ISC_LOG_DEBUG(3),
-						 "NSEC3 indicates optout");
-				*optout =
-				    ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
-			}
-			answer = ISC_R_SUCCESS;
-		}
-
-		qlabels--;
-		if (qlabels > 0)
-			dns_name_split(qname, qlabels, NULL, qname);
-		first = ISC_FALSE;
-	}
-	return (answer);
-}
diff --git a/contrib/bind9/lib/dns/openssl_link.c b/contrib/bind9/lib/dns/openssl_link.c
deleted file mode 100644
index 56465aa..0000000
--- a/contrib/bind9/lib/dns/openssl_link.c
+++ /dev/null
@@ -1,392 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id$
- */
-#ifdef OPENSSL
-
-#include <config.h>
-
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/mutexblock.h>
-#include <isc/string.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#include <dns/log.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-
-#ifdef USE_ENGINE
-#include <openssl/engine.h>
-#endif
-
-static RAND_METHOD *rm = NULL;
-
-static isc_mutex_t *locks = NULL;
-static int nlocks;
-
-#ifdef USE_ENGINE
-static ENGINE *e = NULL;
-#endif
-
-static int
-entropy_get(unsigned char *buf, int num) {
-	isc_result_t result;
-	if (num < 0)
-		return (-1);
-	result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
-	return (result == ISC_R_SUCCESS ? 1 : -1);
-}
-
-static int
-entropy_status(void) {
-	return (dst__entropy_status() > 32);
-}
-
-static int
-entropy_getpseudo(unsigned char *buf, int num) {
-	isc_result_t result;
-	if (num < 0)
-		return (-1);
-	result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
-	return (result == ISC_R_SUCCESS ? 1 : -1);
-}
-
-static void
-entropy_add(const void *buf, int num, double entropy) {
-	/*
-	 * Do nothing.  The only call to this provides no useful data anyway.
-	 */
-	UNUSED(buf);
-	UNUSED(num);
-	UNUSED(entropy);
-}
-
-static void
-lock_callback(int mode, int type, const char *file, int line) {
-	UNUSED(file);
-	UNUSED(line);
-	if ((mode & CRYPTO_LOCK) != 0)
-		LOCK(&locks[type]);
-	else
-		UNLOCK(&locks[type]);
-}
-
-static unsigned long
-id_callback(void) {
-	return ((unsigned long)isc_thread_self());
-}
-
-static void *
-mem_alloc(size_t size) {
-#ifdef OPENSSL_LEAKS
-	void *ptr;
-
-	INSIST(dst__memory_pool != NULL);
-	ptr = isc_mem_allocate(dst__memory_pool, size);
-	return (ptr);
-#else
-	INSIST(dst__memory_pool != NULL);
-	return (isc_mem_allocate(dst__memory_pool, size));
-#endif
-}
-
-static void
-mem_free(void *ptr) {
-	INSIST(dst__memory_pool != NULL);
-	if (ptr != NULL)
-		isc_mem_free(dst__memory_pool, ptr);
-}
-
-static void *
-mem_realloc(void *ptr, size_t size) {
-#ifdef OPENSSL_LEAKS
-	void *rptr;
-
-	INSIST(dst__memory_pool != NULL);
-	rptr = isc_mem_reallocate(dst__memory_pool, ptr, size);
-	return (rptr);
-#else
-	INSIST(dst__memory_pool != NULL);
-	return (isc_mem_reallocate(dst__memory_pool, ptr, size));
-#endif
-}
-
-isc_result_t
-dst__openssl_init(const char *engine) {
-	isc_result_t result;
-#ifdef USE_ENGINE
-	ENGINE *re;
-#else
-
-	UNUSED(engine);
-#endif
-
-#ifdef  DNS_CRYPTO_LEAKS
-	CRYPTO_malloc_debug_init();
-	CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
-	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-#endif
-	CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
-	nlocks = CRYPTO_num_locks();
-	locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
-	if (locks == NULL)
-		return (ISC_R_NOMEMORY);
-	result = isc_mutexblock_init(locks, nlocks);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mutexalloc;
-	CRYPTO_set_locking_callback(lock_callback);
-	CRYPTO_set_id_callback(id_callback);
-
-	ERR_load_crypto_strings();
-
-	rm = mem_alloc(sizeof(RAND_METHOD));
-	if (rm == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_mutexinit;
-	}
-	rm->seed = NULL;
-	rm->bytes = entropy_get;
-	rm->cleanup = NULL;
-	rm->add = entropy_add;
-	rm->pseudorand = entropy_getpseudo;
-	rm->status = entropy_status;
-
-#ifdef USE_ENGINE
-	OPENSSL_config(NULL);
-
-	if (engine != NULL && *engine == '\0')
-		engine = NULL;
-
-	if (engine != NULL) {
-		e = ENGINE_by_id(engine);
-		if (e == NULL) {
-			result = DST_R_NOENGINE;
-			goto cleanup_rm;
-		}
-		/* This will init the engine. */
-		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-			result = DST_R_NOENGINE;
-			goto cleanup_rm;
-		}
-	}
-
-	re = ENGINE_get_default_RAND();
-	if (re == NULL) {
-		re = ENGINE_new();
-		if (re == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup_rm;
-		}
-		ENGINE_set_RAND(re, rm);
-		ENGINE_set_default_RAND(re);
-		ENGINE_free(re);
-	} else
-		ENGINE_finish(re);
-#else
-	RAND_set_rand_method(rm);
-#endif /* USE_ENGINE */
-	return (ISC_R_SUCCESS);
-
-#ifdef USE_ENGINE
- cleanup_rm:
-	if (e != NULL)
-		ENGINE_free(e);
-	e = NULL;
-	mem_free(rm);
-	rm = NULL;
-#endif
- cleanup_mutexinit:
-	CRYPTO_set_locking_callback(NULL);
-	DESTROYMUTEXBLOCK(locks, nlocks);
- cleanup_mutexalloc:
-	mem_free(locks);
-	locks = NULL;
-	return (result);
-}
-
-void
-dst__openssl_destroy() {
-
-	/*
-	 * Sequence taken from apps_shutdown() in <apps/apps.h>.
-	 */
-	if (rm != NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-		RAND_cleanup();
-#endif
-		mem_free(rm);
-		rm = NULL;
-	}
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-	CONF_modules_free();
-#endif
-	OBJ_cleanup();
-	EVP_cleanup();
-#if defined(USE_ENGINE)
-	if (e != NULL)
-		ENGINE_free(e);
-	e = NULL;
-#if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
-	ENGINE_cleanup();
-#endif
-#endif
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-	CRYPTO_cleanup_all_ex_data();
-#endif
-	ERR_clear_error();
-	ERR_remove_state(0);
-	ERR_free_strings();
-
-#ifdef  DNS_CRYPTO_LEAKS
-	CRYPTO_mem_leaks_fp(stderr);
-#endif
-
-	if (locks != NULL) {
-		CRYPTO_set_locking_callback(NULL);
-		DESTROYMUTEXBLOCK(locks, nlocks);
-		mem_free(locks);
-		locks = NULL;
-	}
-}
-
-static isc_result_t
-toresult(isc_result_t fallback) {
-	isc_result_t result = fallback;
-	unsigned long err = ERR_get_error();
-#ifdef HAVE_OPENSSL_ECDSA
-	int lib = ERR_GET_LIB(err);
-#endif
-	int reason = ERR_GET_REASON(err);
-
-	switch (reason) {
-	/*
-	 * ERR_* errors are globally unique; others
-	 * are unique per sublibrary
-	 */
-	case ERR_R_MALLOC_FAILURE:
-		result = ISC_R_NOMEMORY;
-		break;
-	default:
-#ifdef HAVE_OPENSSL_ECDSA
-		if (lib == ERR_R_ECDSA_LIB &&
-		    reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) {
-			result = ISC_R_NOENTROPY;
-			break;
-		}
-#endif
-		break;
-	}
-
-	return (result);
-}
-
-isc_result_t
-dst__openssl_toresult(isc_result_t fallback) {
-	isc_result_t result;
-
-	result = toresult(fallback);
-
-	ERR_clear_error();
-	return (result);
-}
-
-isc_result_t
-dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
-	return (dst__openssl_toresult3(DNS_LOGCATEGORY_GENERAL,
-				       funcname, fallback));
-}
-
-isc_result_t
-dst__openssl_toresult3(isc_logcategory_t *category,
-		       const char *funcname, isc_result_t fallback) {
-	isc_result_t result;
-	unsigned long err;
-	const char *file, *data;
-	int line, flags;
-	char buf[256];
-
-	result = toresult(fallback);
-
-	isc_log_write(dns_lctx, category,
-		      DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
-		      "%s failed (%s)", funcname,
-		      isc_result_totext(result));
-
-	if (result == ISC_R_NOMEMORY)
-		goto done;
-
-	for (;;) {
-		err = ERR_get_error_line_data(&file, &line, &data, &flags);
-		if (err == 0U)
-			goto done;
-		ERR_error_string_n(err, buf, sizeof(buf));
-		isc_log_write(dns_lctx, category,
-			      DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO,
-			      "%s:%s:%d:%s", buf, file, line,
-			      (flags & ERR_TXT_STRING) ? data : "");
-	}
-
-    done:
-	ERR_clear_error();
-	return (result);
-}
-
-#if defined(USE_ENGINE)
-ENGINE *
-dst__openssl_getengine(const char *engine) {
-
-	if (engine == NULL)
-		return (NULL);
-	if (e == NULL)
-		return (NULL);
-	if (strcmp(engine, ENGINE_get_id(e)) == 0)
-		return (e);
-	return (NULL);
-}
-#endif
-
-#else /* OPENSSL */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* OPENSSL */
-/*! \file */
diff --git a/contrib/bind9/lib/dns/openssldh_link.c b/contrib/bind9/lib/dns/openssldh_link.c
deleted file mode 100644
index 36b8a41..0000000
--- a/contrib/bind9/lib/dns/openssldh_link.c
+++ /dev/null
@@ -1,678 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.20 2011/01/11 23:47:13 tbox Exp $
- */
-
-#ifdef OPENSSL
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \
-	"A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \
-	"F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
-
-#define PRIME1024 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" \
-	"8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \
-	"5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \
-	"B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
-
-#define PRIME1536 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
-	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
-	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
-	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
-	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
-	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
-	"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
-	"670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
-
-
-static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
-
-static BIGNUM bn2, bn768, bn1024, bn1536;
-
-static isc_result_t
-openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
-			isc_buffer_t *secret)
-{
-	DH *dhpub, *dhpriv;
-	int ret;
-	isc_region_t r;
-	unsigned int len;
-
-	REQUIRE(pub->keydata.dh != NULL);
-	REQUIRE(priv->keydata.dh != NULL);
-
-	dhpub = pub->keydata.dh;
-	dhpriv = priv->keydata.dh;
-
-	len = DH_size(dhpriv);
-	isc_buffer_availableregion(secret, &r);
-	if (r.length < len)
-		return (ISC_R_NOSPACE);
-	ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
-	if (ret == 0)
-		return (dst__openssl_toresult2("DH_compute_key",
-					       DST_R_COMPUTESECRETFAILURE));
-	isc_buffer_add(secret, len);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	int status;
-	DH *dh1, *dh2;
-
-	dh1 = key1->keydata.dh;
-	dh2 = key2->keydata.dh;
-
-	if (dh1 == NULL && dh2 == NULL)
-		return (ISC_TRUE);
-	else if (dh1 == NULL || dh2 == NULL)
-		return (ISC_FALSE);
-
-	status = BN_cmp(dh1->p, dh2->p) ||
-		 BN_cmp(dh1->g, dh2->g) ||
-		 BN_cmp(dh1->pub_key, dh2->pub_key);
-
-	if (status != 0)
-		return (ISC_FALSE);
-
-	if (dh1->priv_key != NULL || dh2->priv_key != NULL) {
-		if (dh1->priv_key == NULL || dh2->priv_key == NULL)
-			return (ISC_FALSE);
-		if (BN_cmp(dh1->priv_key, dh2->priv_key) != 0)
-			return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static isc_boolean_t
-openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
-	int status;
-	DH *dh1, *dh2;
-
-	dh1 = key1->keydata.dh;
-	dh2 = key2->keydata.dh;
-
-	if (dh1 == NULL && dh2 == NULL)
-		return (ISC_TRUE);
-	else if (dh1 == NULL || dh2 == NULL)
-		return (ISC_FALSE);
-
-	status = BN_cmp(dh1->p, dh2->p) ||
-		 BN_cmp(dh1->g, dh2->g);
-
-	if (status != 0)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-static int
-progress_cb(int p, int n, BN_GENCB *cb)
-{
-	union {
-		void *dptr;
-		void (*fptr)(int);
-	} u;
-
-	UNUSED(n);
-
-	u.dptr = cb->arg;
-	if (u.fptr != NULL)
-		u.fptr(p);
-	return (1);
-}
-#endif
-
-static isc_result_t
-openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
-	DH *dh = NULL;
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-	BN_GENCB cb;
-	union {
-		void *dptr;
-		void (*fptr)(int);
-	} u;
-#else
-
-	UNUSED(callback);
-#endif
-
-	if (generator == 0) {
-		if (key->key_size == 768 ||
-		    key->key_size == 1024 ||
-		    key->key_size == 1536)
-		{
-			dh = DH_new();
-			if (dh == NULL)
-				return (dst__openssl_toresult(ISC_R_NOMEMORY));
-			if (key->key_size == 768)
-				dh->p = &bn768;
-			else if (key->key_size == 1024)
-				dh->p = &bn1024;
-			else
-				dh->p = &bn1536;
-			dh->g = &bn2;
-		} else
-			generator = 2;
-	}
-
-	if (generator != 0) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-		dh = DH_new();
-		if (dh == NULL)
-			return (dst__openssl_toresult(ISC_R_NOMEMORY));
-
-		if (callback == NULL) {
-			BN_GENCB_set_old(&cb, NULL, NULL);
-		} else {
-			u.fptr = callback;
-			BN_GENCB_set(&cb, &progress_cb, u.dptr);
-		}
-
-		if (!DH_generate_parameters_ex(dh, key->key_size, generator,
-					       &cb)) {
-			DH_free(dh);
-			return (dst__openssl_toresult2(
-					"DH_generate_parameters_ex",
-					DST_R_OPENSSLFAILURE));
-		}
-#else
-		dh = DH_generate_parameters(key->key_size, generator,
-					    NULL, NULL);
-#endif
-	}
-
-	if (dh == NULL)
-		return (dst__openssl_toresult2("DH_generate_parameters",
-					       DST_R_OPENSSLFAILURE));
-
-	if (DH_generate_key(dh) == 0) {
-		DH_free(dh);
-		return (dst__openssl_toresult2("DH_generate_key",
-					       DST_R_OPENSSLFAILURE));
-	}
-	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
-
-	key->keydata.dh = dh;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-openssldh_isprivate(const dst_key_t *key) {
-	DH *dh = key->keydata.dh;
-	return (ISC_TF(dh != NULL && dh->priv_key != NULL));
-}
-
-static void
-openssldh_destroy(dst_key_t *key) {
-	DH *dh = key->keydata.dh;
-
-	if (dh == NULL)
-		return;
-
-	if (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536)
-		dh->p = NULL;
-	if (dh->g == &bn2)
-		dh->g = NULL;
-	DH_free(dh);
-	key->keydata.dh = NULL;
-}
-
-static void
-uint16_toregion(isc_uint16_t val, isc_region_t *region) {
-	*region->base++ = (val & 0xff00) >> 8;
-	*region->base++ = (val & 0x00ff);
-}
-
-static isc_uint16_t
-uint16_fromregion(isc_region_t *region) {
-	isc_uint16_t val;
-	unsigned char *cp = region->base;
-
-	val = ((unsigned int)(cp[0])) << 8;
-	val |= ((unsigned int)(cp[1]));
-
-	region->base += 2;
-	return (val);
-}
-
-static isc_result_t
-openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
-	DH *dh;
-	isc_region_t r;
-	isc_uint16_t dnslen, plen, glen, publen;
-
-	REQUIRE(key->keydata.dh != NULL);
-
-	dh = key->keydata.dh;
-
-	isc_buffer_availableregion(data, &r);
-
-	if (dh->g == &bn2 &&
-	    (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536)) {
-		plen = 1;
-		glen = 0;
-	}
-	else {
-		plen = BN_num_bytes(dh->p);
-		glen = BN_num_bytes(dh->g);
-	}
-	publen = BN_num_bytes(dh->pub_key);
-	dnslen = plen + glen + publen + 6;
-	if (r.length < (unsigned int) dnslen)
-		return (ISC_R_NOSPACE);
-
-	uint16_toregion(plen, &r);
-	if (plen == 1) {
-		if (dh->p == &bn768)
-			*r.base = 1;
-		else if (dh->p == &bn1024)
-			*r.base = 2;
-		else
-			*r.base = 3;
-	}
-	else
-		BN_bn2bin(dh->p, r.base);
-	r.base += plen;
-
-	uint16_toregion(glen, &r);
-	if (glen > 0)
-		BN_bn2bin(dh->g, r.base);
-	r.base += glen;
-
-	uint16_toregion(publen, &r);
-	BN_bn2bin(dh->pub_key, r.base);
-	r.base += publen;
-
-	isc_buffer_add(data, dnslen);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	DH *dh;
-	isc_region_t r;
-	isc_uint16_t plen, glen, publen;
-	int special = 0;
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	dh = DH_new();
-	if (dh == NULL)
-		return (dst__openssl_toresult(ISC_R_NOMEMORY));
-	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
-
-	/*
-	 * Read the prime length.  1 & 2 are table entries, > 16 means a
-	 * prime follows, otherwise an error.
-	 */
-	if (r.length < 2) {
-		DH_free(dh);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	plen = uint16_fromregion(&r);
-	if (plen < 16 && plen != 1 && plen != 2) {
-		DH_free(dh);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	if (r.length < plen) {
-		DH_free(dh);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	if (plen == 1 || plen == 2) {
-		if (plen == 1)
-			special = *r.base++;
-		else
-			special = uint16_fromregion(&r);
-		switch (special) {
-			case 1:
-				dh->p = &bn768;
-				break;
-			case 2:
-				dh->p = &bn1024;
-				break;
-			case 3:
-				dh->p = &bn1536;
-				break;
-			default:
-				DH_free(dh);
-				return (DST_R_INVALIDPUBLICKEY);
-		}
-	}
-	else {
-		dh->p = BN_bin2bn(r.base, plen, NULL);
-		r.base += plen;
-	}
-
-	/*
-	 * Read the generator length.  This should be 0 if the prime was
-	 * special, but it might not be.  If it's 0 and the prime is not
-	 * special, we have a problem.
-	 */
-	if (r.length < 2) {
-		DH_free(dh);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	glen = uint16_fromregion(&r);
-	if (r.length < glen) {
-		DH_free(dh);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	if (special != 0) {
-		if (glen == 0)
-			dh->g = &bn2;
-		else {
-			dh->g = BN_bin2bn(r.base, glen, NULL);
-			if (BN_cmp(dh->g, &bn2) == 0) {
-				BN_free(dh->g);
-				dh->g = &bn2;
-			}
-			else {
-				DH_free(dh);
-				return (DST_R_INVALIDPUBLICKEY);
-			}
-		}
-	}
-	else {
-		if (glen == 0) {
-			DH_free(dh);
-			return (DST_R_INVALIDPUBLICKEY);
-		}
-		dh->g = BN_bin2bn(r.base, glen, NULL);
-	}
-	r.base += glen;
-
-	if (r.length < 2) {
-		DH_free(dh);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	publen = uint16_fromregion(&r);
-	if (r.length < publen) {
-		DH_free(dh);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	dh->pub_key = BN_bin2bn(r.base, publen, NULL);
-	r.base += publen;
-
-	key->key_size = BN_num_bits(dh->p);
-
-	isc_buffer_forward(data, plen + glen + publen + 6);
-
-	key->keydata.dh = dh;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldh_tofile(const dst_key_t *key, const char *directory) {
-	int i;
-	DH *dh;
-	dst_private_t priv;
-	unsigned char *bufs[4];
-	isc_result_t result;
-
-	if (key->keydata.dh == NULL)
-		return (DST_R_NULLKEY);
-
-	dh = key->keydata.dh;
-
-	memset(bufs, 0, sizeof(bufs));
-	for (i = 0; i < 4; i++) {
-		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p));
-		if (bufs[i] == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto fail;
-		}
-	}
-
-	i = 0;
-
-	priv.elements[i].tag = TAG_DH_PRIME;
-	priv.elements[i].length = BN_num_bytes(dh->p);
-	BN_bn2bin(dh->p, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
-
-	priv.elements[i].tag = TAG_DH_GENERATOR;
-	priv.elements[i].length = BN_num_bytes(dh->g);
-	BN_bn2bin(dh->g, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
-
-	priv.elements[i].tag = TAG_DH_PRIVATE;
-	priv.elements[i].length = BN_num_bytes(dh->priv_key);
-	BN_bn2bin(dh->priv_key, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
-
-	priv.elements[i].tag = TAG_DH_PUBLIC;
-	priv.elements[i].length = BN_num_bytes(dh->pub_key);
-	BN_bn2bin(dh->pub_key, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
-
-	priv.nelements = i;
-	result = dst__privstruct_writefile(key, &priv, directory);
- fail:
-	for (i = 0; i < 4; i++) {
-		if (bufs[i] == NULL)
-			break;
-		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(dh->p));
-	}
-	return (result);
-}
-
-static isc_result_t
-openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t ret;
-	int i;
-	DH *dh = NULL;
-	isc_mem_t *mctx;
-#define DST_RET(a) {ret = a; goto err;}
-
-	UNUSED(pub);
-	mctx = key->mctx;
-
-	/* read private key file */
-	ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	dh = DH_new();
-	if (dh == NULL)
-		DST_RET(ISC_R_NOMEMORY);
-	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
-	key->keydata.dh = dh;
-
-	for (i = 0; i < priv.nelements; i++) {
-		BIGNUM *bn;
-		bn = BN_bin2bn(priv.elements[i].data,
-			       priv.elements[i].length, NULL);
-		if (bn == NULL)
-			DST_RET(ISC_R_NOMEMORY);
-
-		switch (priv.elements[i].tag) {
-			case TAG_DH_PRIME:
-				dh->p = bn;
-				break;
-			case TAG_DH_GENERATOR:
-				dh->g = bn;
-				break;
-			case TAG_DH_PRIVATE:
-				dh->priv_key = bn;
-				break;
-			case TAG_DH_PUBLIC:
-				dh->pub_key = bn;
-				break;
-		}
-	}
-	dst__privstruct_free(&priv, mctx);
-
-	key->key_size = BN_num_bits(dh->p);
-
-	if ((key->key_size == 768 ||
-	     key->key_size == 1024 ||
-	     key->key_size == 1536) &&
-	    BN_cmp(dh->g, &bn2) == 0)
-	{
-		if (key->key_size == 768 && BN_cmp(dh->p, &bn768) == 0) {
-			BN_free(dh->p);
-			BN_free(dh->g);
-			dh->p = &bn768;
-			dh->g = &bn2;
-		} else if (key->key_size == 1024 &&
-			   BN_cmp(dh->p, &bn1024) == 0) {
-			BN_free(dh->p);
-			BN_free(dh->g);
-			dh->p = &bn1024;
-			dh->g = &bn2;
-		} else if (key->key_size == 1536 &&
-			   BN_cmp(dh->p, &bn1536) == 0) {
-			BN_free(dh->p);
-			BN_free(dh->g);
-			dh->p = &bn1536;
-			dh->g = &bn2;
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-
- err:
-	openssldh_destroy(key);
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (ret);
-}
-
-static void
-BN_fromhex(BIGNUM *b, const char *str) {
-	static const char hexdigits[] = "0123456789abcdef";
-	unsigned char data[512];
-	unsigned int i;
-	BIGNUM *out;
-
-	RUNTIME_CHECK(strlen(str) < 1024U && strlen(str) % 2 == 0U);
-	for (i = 0; i < strlen(str); i += 2) {
-		char *s;
-		unsigned int high, low;
-
-		s = strchr(hexdigits, tolower((unsigned char)str[i]));
-		RUNTIME_CHECK(s != NULL);
-		high = s - hexdigits;
-
-		s = strchr(hexdigits, tolower((unsigned char)str[i + 1]));
-		RUNTIME_CHECK(s != NULL);
-		low = s - hexdigits;
-
-		data[i/2] = (unsigned char)((high << 4) + low);
-	}
-	out = BN_bin2bn(data, strlen(str)/2, b);
-	RUNTIME_CHECK(out != NULL);
-}
-
-static void
-openssldh_cleanup(void) {
-	BN_free(&bn2);
-	BN_free(&bn768);
-	BN_free(&bn1024);
-	BN_free(&bn1536);
-}
-
-static dst_func_t openssldh_functions = {
-	NULL, /*%< createctx */
-	NULL, /*%< destroyctx */
-	NULL, /*%< adddata */
-	NULL, /*%< openssldh_sign */
-	NULL, /*%< openssldh_verify */
-	NULL, /*%< openssldh_verify2 */
-	openssldh_computesecret,
-	openssldh_compare,
-	openssldh_paramcompare,
-	openssldh_generate,
-	openssldh_isprivate,
-	openssldh_destroy,
-	openssldh_todns,
-	openssldh_fromdns,
-	openssldh_tofile,
-	openssldh_parse,
-	openssldh_cleanup,
-	NULL, /*%< fromlabel */
-	NULL, /*%< dump */
-	NULL, /*%< restore */
-};
-
-isc_result_t
-dst__openssldh_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL) {
-		BN_init(&bn2);
-		BN_init(&bn768);
-		BN_init(&bn1024);
-		BN_init(&bn1536);
-		BN_set_word(&bn2, 2);
-		BN_fromhex(&bn768, PRIME768);
-		BN_fromhex(&bn1024, PRIME1024);
-		BN_fromhex(&bn1536, PRIME1536);
-		*funcp = &openssldh_functions;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-#else /* OPENSSL */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* OPENSSL */
-/*! \file */
diff --git a/contrib/bind9/lib/dns/openssldsa_link.c b/contrib/bind9/lib/dns/openssldsa_link.c
deleted file mode 100644
index 8bea1c0..0000000
--- a/contrib/bind9/lib/dns/openssldsa_link.c
+++ /dev/null
@@ -1,659 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifdef OPENSSL
-#ifndef USE_EVP
-#define USE_EVP 1
-#endif
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/sha1.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#include <openssl/dsa.h>
-
-static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
-
-static isc_result_t
-openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx;
-
-	UNUSED(key);
-
-	evp_md_ctx = EVP_MD_CTX_create();
-	if (evp_md_ctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if (!EVP_DigestInit_ex(evp_md_ctx, EVP_dss1(), NULL)) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-			return (ISC_R_FAILURE);
-	}
-
-	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
-
-	return (ISC_R_SUCCESS);
-#else
-	isc_sha1_t *sha1ctx;
-
-	UNUSED(key);
-
-	sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
-	isc_sha1_init(sha1ctx);
-	dctx->ctxdata.sha1ctx = sha1ctx;
-	return (ISC_R_SUCCESS);
-#endif
-}
-
-static void
-openssldsa_destroyctx(dst_context_t *dctx) {
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
-	if (evp_md_ctx != NULL) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-		dctx->ctxdata.evp_md_ctx = NULL;
-	}
-#else
-	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-	if (sha1ctx != NULL) {
-		isc_sha1_invalidate(sha1ctx);
-		isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
-		dctx->ctxdata.sha1ctx = NULL;
-	}
-#endif
-}
-
-static isc_result_t
-openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
-	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
-		return (ISC_R_FAILURE);
-	}
-#else
-	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-	isc_sha1_update(sha1ctx, data->base, data->length);
-#endif
-	return (ISC_R_SUCCESS);
-}
-
-static int
-BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
-	int bytes = size - BN_num_bytes(bn);
-	while (bytes-- > 0)
-		*buf++ = 0;
-	BN_bn2bin(bn, buf);
-	return (size);
-}
-
-static isc_result_t
-openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	dst_key_t *key = dctx->key;
-	DSA *dsa = key->keydata.dsa;
-	isc_region_t r;
-	DSA_SIG *dsasig;
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-	EVP_PKEY *pkey;
-	unsigned char *sigbuf;
-	const unsigned char *sb;
-	unsigned int siglen;
-#else
-	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-#endif
-
-	isc_buffer_availableregion(sig, &r);
-	if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
-		return (ISC_R_NOSPACE);
-
-#if USE_EVP
-	pkey = EVP_PKEY_new();
-	if (pkey == NULL)
-		return (ISC_R_NOMEMORY);
-	if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
-		EVP_PKEY_free(pkey);
-		return (ISC_R_FAILURE);
-	}
-	sigbuf = malloc(EVP_PKEY_size(pkey));
-	if (sigbuf == NULL) {
-		EVP_PKEY_free(pkey);
-		return (ISC_R_NOMEMORY);
-	}
-	if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) {
-		EVP_PKEY_free(pkey);
-		free(sigbuf);
-		return (dst__openssl_toresult3(dctx->category,
-					       "EVP_SignFinal",
-					       ISC_R_FAILURE));
-	}
-	INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
-	EVP_PKEY_free(pkey);
-	/* Convert from Dss-Sig-Value (RFC2459). */
-	dsasig = DSA_SIG_new();
-	if (dsasig == NULL) {
-		free(sigbuf);
-		return (ISC_R_NOMEMORY);
-	}
-	sb = sigbuf;
-	if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) {
-		free(sigbuf);
-		return (dst__openssl_toresult3(dctx->category,
-					       "d2i_DSA_SIG",
-					       ISC_R_FAILURE));
-	}
-	free(sigbuf);
-#elif 0
-	/* Only use EVP for the Digest */
-	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
-		return (dst__openssl_toresult3(dctx->category,
-					       "EVP_DigestFinal_ex",
-					       ISC_R_FAILURE));
-	}
-	dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
-	if (dsasig == NULL)
-		return (dst__openssl_toresult3(dctx->category,
-					       "DSA_do_sign",
-					       DST_R_SIGNFAILURE));
-#else
-	isc_sha1_final(sha1ctx, digest);
-
-	dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
-	if (dsasig == NULL)
-		return (dst__openssl_toresult3(dctx->category,
-					       "DSA_do_sign",
-					       DST_R_SIGNFAILURE));
-#endif
-	*r.base++ = (key->key_size - 512)/64;
-	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
-	r.base += ISC_SHA1_DIGESTLENGTH;
-	BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
-	r.base += ISC_SHA1_DIGESTLENGTH;
-	DSA_SIG_free(dsasig);
-	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	dst_key_t *key = dctx->key;
-	DSA *dsa = key->keydata.dsa;
-	int status = 0;
-	unsigned char *cp = sig->base;
-	DSA_SIG *dsasig;
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#if 0
-	EVP_PKEY *pkey;
-	unsigned char *sigbuf;
-#endif
-	unsigned int siglen;
-#else
-	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-#endif
-	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-
-
-#if USE_EVP
-#if 1
-	/* Only use EVP for the digest */
-	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
-		return (ISC_R_FAILURE);
-	}
-#endif
-#else
-	isc_sha1_final(sha1ctx, digest);
-#endif
-
-	if (sig->length != 2 * ISC_SHA1_DIGESTLENGTH + 1) {
-		return (DST_R_VERIFYFAILURE);
-	}
-
-	cp++;	/*%< Skip T */
-	dsasig = DSA_SIG_new();
-	if (dsasig == NULL)
-		return (ISC_R_NOMEMORY);
-	dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
-	cp += ISC_SHA1_DIGESTLENGTH;
-	dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
-
-#if 0
-	pkey = EVP_PKEY_new();
-	if (pkey == NULL)
-		return (ISC_R_NOMEMORY);
-	if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
-		EVP_PKEY_free(pkey);
-		return (ISC_R_FAILURE);
-	}
-	/* Convert to Dss-Sig-Value (RFC2459). */
-	sigbuf = malloc(EVP_PKEY_size(pkey) + 50);
-	if (sigbuf == NULL) {
-		EVP_PKEY_free(pkey);
-		return (ISC_R_NOMEMORY);
-	}
-	siglen = (unsigned) i2d_DSA_SIG(dsasig, &sigbuf);
-	INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
-	status = EVP_VerifyFinal(evp_md_ctx, sigbuf, siglen, pkey);
-	EVP_PKEY_free(pkey);
-	free(sigbuf);
-#else
-	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
-#endif
-	DSA_SIG_free(dsasig);
-	switch (status) {
-	case 1:
-		return (ISC_R_SUCCESS);
-	case 0:
-		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
-	default:
-		return (dst__openssl_toresult3(dctx->category,
-					       "DSA_do_verify",
-					       DST_R_VERIFYFAILURE));
-	}
-}
-
-static isc_boolean_t
-openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	int status;
-	DSA *dsa1, *dsa2;
-
-	dsa1 = key1->keydata.dsa;
-	dsa2 = key2->keydata.dsa;
-
-	if (dsa1 == NULL && dsa2 == NULL)
-		return (ISC_TRUE);
-	else if (dsa1 == NULL || dsa2 == NULL)
-		return (ISC_FALSE);
-
-	status = BN_cmp(dsa1->p, dsa2->p) ||
-		 BN_cmp(dsa1->q, dsa2->q) ||
-		 BN_cmp(dsa1->g, dsa2->g) ||
-		 BN_cmp(dsa1->pub_key, dsa2->pub_key);
-
-	if (status != 0)
-		return (ISC_FALSE);
-
-	if (dsa1->priv_key != NULL || dsa2->priv_key != NULL) {
-		if (dsa1->priv_key == NULL || dsa2->priv_key == NULL)
-			return (ISC_FALSE);
-		if (BN_cmp(dsa1->priv_key, dsa2->priv_key))
-			return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-static int
-progress_cb(int p, int n, BN_GENCB *cb)
-{
-	union {
-		void *dptr;
-		void (*fptr)(int);
-	} u;
-
-	UNUSED(n);
-
-	u.dptr = cb->arg;
-	if (u.fptr != NULL)
-		u.fptr(p);
-	return (1);
-}
-#endif
-
-static isc_result_t
-openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
-	DSA *dsa;
-	unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
-	isc_result_t result;
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-	BN_GENCB cb;
-	union {
-		void *dptr;
-		void (*fptr)(int);
-	} u;
-
-#else
-
-	UNUSED(callback);
-#endif
-	UNUSED(unused);
-
-	result = dst__entropy_getdata(rand_array, sizeof(rand_array),
-				      ISC_FALSE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-	dsa = DSA_new();
-	if (dsa == NULL)
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-
-	if (callback == NULL) {
-		BN_GENCB_set_old(&cb, NULL, NULL);
-	} else {
-		u.fptr = callback;
-		BN_GENCB_set(&cb, &progress_cb, u.dptr);
-	}
-
-	if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
-					ISC_SHA1_DIGESTLENGTH,  NULL, NULL,
-					&cb))
-	{
-		DSA_free(dsa);
-		return (dst__openssl_toresult2("DSA_generate_parameters_ex",
-					       DST_R_OPENSSLFAILURE));
-	}
-#else
-	dsa = DSA_generate_parameters(key->key_size, rand_array,
-				      ISC_SHA1_DIGESTLENGTH, NULL, NULL,
-				      NULL, NULL);
-	if (dsa == NULL)
-		return (dst__openssl_toresult2("DSA_generate_parameters",
-					       DST_R_OPENSSLFAILURE));
-#endif
-
-	if (DSA_generate_key(dsa) == 0) {
-		DSA_free(dsa);
-		return (dst__openssl_toresult2("DSA_generate_key",
-					       DST_R_OPENSSLFAILURE));
-	}
-	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-
-	key->keydata.dsa = dsa;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-openssldsa_isprivate(const dst_key_t *key) {
-	DSA *dsa = key->keydata.dsa;
-	return (ISC_TF(dsa != NULL && dsa->priv_key != NULL));
-}
-
-static void
-openssldsa_destroy(dst_key_t *key) {
-	DSA *dsa = key->keydata.dsa;
-	DSA_free(dsa);
-	key->keydata.dsa = NULL;
-}
-
-
-static isc_result_t
-openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
-	DSA *dsa;
-	isc_region_t r;
-	int dnslen;
-	unsigned int t, p_bytes;
-
-	REQUIRE(key->keydata.dsa != NULL);
-
-	dsa = key->keydata.dsa;
-
-	isc_buffer_availableregion(data, &r);
-
-	t = (BN_num_bytes(dsa->p) - 64) / 8;
-	if (t > 8)
-		return (DST_R_INVALIDPUBLICKEY);
-	p_bytes = 64 + 8 * t;
-
-	dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
-	if (r.length < (unsigned int) dnslen)
-		return (ISC_R_NOSPACE);
-
-	*r.base++ = t;
-	BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
-	r.base += ISC_SHA1_DIGESTLENGTH;
-	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
-	r.base += p_bytes;
-	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
-	r.base += p_bytes;
-	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
-	r.base += p_bytes;
-
-	isc_buffer_add(data, dnslen);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	DSA *dsa;
-	isc_region_t r;
-	unsigned int t, p_bytes;
-	isc_mem_t *mctx = key->mctx;
-
-	UNUSED(mctx);
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	dsa = DSA_new();
-	if (dsa == NULL)
-		return (ISC_R_NOMEMORY);
-	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-
-	t = (unsigned int) *r.base++;
-	if (t > 8) {
-		DSA_free(dsa);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	p_bytes = 64 + 8 * t;
-
-	if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
-		DSA_free(dsa);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-
-	dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
-	r.base += ISC_SHA1_DIGESTLENGTH;
-
-	dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
-	r.base += p_bytes;
-
-	dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
-	r.base += p_bytes;
-
-	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
-	r.base += p_bytes;
-
-	key->key_size = p_bytes * 8;
-
-	isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
-
-	key->keydata.dsa = dsa;
-
-	return (ISC_R_SUCCESS);
-}
-
-
-static isc_result_t
-openssldsa_tofile(const dst_key_t *key, const char *directory) {
-	int cnt = 0;
-	DSA *dsa;
-	dst_private_t priv;
-	unsigned char bufs[5][128];
-
-	if (key->keydata.dsa == NULL)
-		return (DST_R_NULLKEY);
-
-	dsa = key->keydata.dsa;
-
-	priv.elements[cnt].tag = TAG_DSA_PRIME;
-	priv.elements[cnt].length = BN_num_bytes(dsa->p);
-	BN_bn2bin(dsa->p, bufs[cnt]);
-	priv.elements[cnt].data = bufs[cnt];
-	cnt++;
-
-	priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
-	priv.elements[cnt].length = BN_num_bytes(dsa->q);
-	BN_bn2bin(dsa->q, bufs[cnt]);
-	priv.elements[cnt].data = bufs[cnt];
-	cnt++;
-
-	priv.elements[cnt].tag = TAG_DSA_BASE;
-	priv.elements[cnt].length = BN_num_bytes(dsa->g);
-	BN_bn2bin(dsa->g, bufs[cnt]);
-	priv.elements[cnt].data = bufs[cnt];
-	cnt++;
-
-	priv.elements[cnt].tag = TAG_DSA_PRIVATE;
-	priv.elements[cnt].length = BN_num_bytes(dsa->priv_key);
-	BN_bn2bin(dsa->priv_key, bufs[cnt]);
-	priv.elements[cnt].data = bufs[cnt];
-	cnt++;
-
-	priv.elements[cnt].tag = TAG_DSA_PUBLIC;
-	priv.elements[cnt].length = BN_num_bytes(dsa->pub_key);
-	BN_bn2bin(dsa->pub_key, bufs[cnt]);
-	priv.elements[cnt].data = bufs[cnt];
-	cnt++;
-
-	priv.nelements = cnt;
-	return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t ret;
-	int i;
-	DSA *dsa = NULL;
-	isc_mem_t *mctx = key->mctx;
-#define DST_RET(a) {ret = a; goto err;}
-
-	UNUSED(pub);
-	/* read private key file */
-	ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	dsa = DSA_new();
-	if (dsa == NULL)
-		DST_RET(ISC_R_NOMEMORY);
-	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-	key->keydata.dsa = dsa;
-
-	for (i=0; i < priv.nelements; i++) {
-		BIGNUM *bn;
-		bn = BN_bin2bn(priv.elements[i].data,
-			       priv.elements[i].length, NULL);
-		if (bn == NULL)
-			DST_RET(ISC_R_NOMEMORY);
-
-		switch (priv.elements[i].tag) {
-			case TAG_DSA_PRIME:
-				dsa->p = bn;
-				break;
-			case TAG_DSA_SUBPRIME:
-				dsa->q = bn;
-				break;
-			case TAG_DSA_BASE:
-				dsa->g = bn;
-				break;
-			case TAG_DSA_PRIVATE:
-				dsa->priv_key = bn;
-				break;
-			case TAG_DSA_PUBLIC:
-				dsa->pub_key = bn;
-				break;
-		}
-	}
-	dst__privstruct_free(&priv, mctx);
-
-	key->key_size = BN_num_bits(dsa->p);
-
-	return (ISC_R_SUCCESS);
-
- err:
-	openssldsa_destroy(key);
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (ret);
-}
-
-static dst_func_t openssldsa_functions = {
-	openssldsa_createctx,
-	openssldsa_destroyctx,
-	openssldsa_adddata,
-	openssldsa_sign,
-	openssldsa_verify,
-	NULL, /*%< verify2 */
-	NULL, /*%< computesecret */
-	openssldsa_compare,
-	NULL, /*%< paramcompare */
-	openssldsa_generate,
-	openssldsa_isprivate,
-	openssldsa_destroy,
-	openssldsa_todns,
-	openssldsa_fromdns,
-	openssldsa_tofile,
-	openssldsa_parse,
-	NULL, /*%< cleanup */
-	NULL, /*%< fromlabel */
-	NULL, /*%< dump */
-	NULL, /*%< restore */
-};
-
-isc_result_t
-dst__openssldsa_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &openssldsa_functions;
-	return (ISC_R_SUCCESS);
-}
-
-#else /* OPENSSL */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* OPENSSL */
-/*! \file */
diff --git a/contrib/bind9/lib/dns/opensslecdsa_link.c b/contrib/bind9/lib/dns/opensslecdsa_link.c
deleted file mode 100644
index c3f5061..0000000
--- a/contrib/bind9/lib/dns/opensslecdsa_link.c
+++ /dev/null
@@ -1,607 +0,0 @@
-/*
- * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#ifdef HAVE_OPENSSL_ECDSA
-
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
-#error "ECDSA without EVP for SHA2?"
-#endif
-
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/sha2.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/ecdsa.h>
-#include <openssl/bn.h>
-
-#ifndef NID_X9_62_prime256v1
-#error "P-256 group is not known (NID_X9_62_prime256v1)"
-#endif
-#ifndef NID_secp384r1
-#error "P-384 group is not known (NID_secp384r1)"
-#endif
-
-#define DST_RET(a) {ret = a; goto err;}
-
-static isc_result_t opensslecdsa_todns(const dst_key_t *key,
-				       isc_buffer_t *data);
-
-static isc_result_t
-opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
-	EVP_MD_CTX *evp_md_ctx;
-	const EVP_MD *type = NULL;
-
-	UNUSED(key);
-	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
-		dctx->key->key_alg == DST_ALG_ECDSA384);
-
-	evp_md_ctx = EVP_MD_CTX_create();
-	if (evp_md_ctx == NULL)
-		return (ISC_R_NOMEMORY);
-	if (dctx->key->key_alg == DST_ALG_ECDSA256)
-		type = EVP_sha256();
-	else
-		type = EVP_sha384();
-
-	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-		return (dst__openssl_toresult3(dctx->category,
-					       "EVP_DigestInit_ex",
-					       ISC_R_FAILURE));
-	}
-
-	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-opensslecdsa_destroyctx(dst_context_t *dctx) {
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
-		dctx->key->key_alg == DST_ALG_ECDSA384);
-
-	if (evp_md_ctx != NULL) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-		dctx->ctxdata.evp_md_ctx = NULL;
-	}
-}
-
-static isc_result_t
-opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
-		dctx->key->key_alg == DST_ALG_ECDSA384);
-
-	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
-		return (dst__openssl_toresult3(dctx->category,
-					       "EVP_DigestUpdate",
-					       ISC_R_FAILURE));
-
-	return (ISC_R_SUCCESS);
-}
-
-static int
-BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
-	int bytes = size - BN_num_bytes(bn);
-
-	while (bytes-- > 0)
-		*buf++ = 0;
-	BN_bn2bin(bn, buf);
-	return (size);
-}
-
-static isc_result_t
-opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_result_t ret;
-	dst_key_t *key = dctx->key;
-	isc_region_t r;
-	ECDSA_SIG *ecdsasig;
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
-	unsigned int dgstlen, siglen;
-	unsigned char digest[EVP_MAX_MD_SIZE];
-
-	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
-		key->key_alg == DST_ALG_ECDSA384);
-
-	if (eckey == NULL)
-		return (ISC_R_FAILURE);
-
-	if (key->key_alg == DST_ALG_ECDSA256)
-		siglen = DNS_SIG_ECDSA256SIZE;
-	else
-		siglen = DNS_SIG_ECDSA384SIZE;
-
-	isc_buffer_availableregion(sig, &r);
-	if (r.length < siglen)
-		DST_RET(ISC_R_NOSPACE);
-
-	if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen))
-		DST_RET(dst__openssl_toresult3(dctx->category,
-					       "EVP_DigestFinal",
-					       ISC_R_FAILURE));
-
-	ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
-	if (ecdsasig == NULL)
-		DST_RET(dst__openssl_toresult3(dctx->category,
-					       "ECDSA_do_sign",
-					       DST_R_SIGNFAILURE));
-	BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
-	r.base += siglen / 2;
-	BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
-	r.base += siglen / 2;
-	ECDSA_SIG_free(ecdsasig);
-	isc_buffer_add(sig, siglen);
-	ret = ISC_R_SUCCESS;
-
- err:
-	if (eckey != NULL)
-		EC_KEY_free(eckey);
-	return (ret);
-}
-
-static isc_result_t
-opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_result_t ret;
-	dst_key_t *key = dctx->key;
-	int status;
-	unsigned char *cp = sig->base;
-	ECDSA_SIG *ecdsasig = NULL;
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
-	unsigned int dgstlen, siglen;
-	unsigned char digest[EVP_MAX_MD_SIZE];
-
-	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
-		key->key_alg == DST_ALG_ECDSA384);
-
-	if (eckey == NULL)
-		return (ISC_R_FAILURE);
-
-	if (key->key_alg == DST_ALG_ECDSA256)
-		siglen = DNS_SIG_ECDSA256SIZE;
-	else
-		siglen = DNS_SIG_ECDSA384SIZE;
-
-	if (sig->length != siglen)
-		return (DST_R_VERIFYFAILURE);
-
-	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
-		DST_RET (dst__openssl_toresult3(dctx->category,
-						"EVP_DigestFinal_ex",
-						ISC_R_FAILURE));
-
-	ecdsasig = ECDSA_SIG_new();
-	if (ecdsasig == NULL)
-		DST_RET (ISC_R_NOMEMORY);
-	if (ecdsasig->r != NULL)
-		BN_free(ecdsasig->r);
-	ecdsasig->r = BN_bin2bn(cp, siglen / 2, NULL);
-	cp += siglen / 2;
-	if (ecdsasig->s != NULL)
-		BN_free(ecdsasig->s);
-	ecdsasig->s = BN_bin2bn(cp, siglen / 2, NULL);
-	/* cp += siglen / 2; */
-
-	status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey);
-	switch (status) {
-	case 1:
-		ret = ISC_R_SUCCESS;
-		break;
-	case 0:
-		ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
-		break;
-	default:
-		ret = dst__openssl_toresult3(dctx->category,
-					     "ECDSA_do_verify",
-					     DST_R_VERIFYFAILURE);
-		break;
-	}
-
- err:
-	if (ecdsasig != NULL)
-		ECDSA_SIG_free(ecdsasig);
-	if (eckey != NULL)
-		EC_KEY_free(eckey);
-	return (ret);
-}
-
-static isc_boolean_t
-opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	isc_boolean_t ret;
-	int status;
-	EVP_PKEY *pkey1 = key1->keydata.pkey;
-	EVP_PKEY *pkey2 = key2->keydata.pkey;
-	EC_KEY *eckey1 = NULL;
-	EC_KEY *eckey2 = NULL;
-	const BIGNUM *priv1, *priv2;
-
-	if (pkey1 == NULL && pkey2 == NULL)
-		return (ISC_TRUE);
-	else if (pkey1 == NULL || pkey2 == NULL)
-		return (ISC_FALSE);
-
-	eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
-	eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
-	if (eckey1 == NULL && eckey2 == NULL) {
-		DST_RET (ISC_TRUE);
-	} else if (eckey1 == NULL || eckey2 == NULL)
-		DST_RET (ISC_FALSE);
-
-	status = EVP_PKEY_cmp(pkey1, pkey2);
-	if (status != 1)
-		DST_RET (ISC_FALSE);
-
-	priv1 = EC_KEY_get0_private_key(eckey1);
-	priv2 = EC_KEY_get0_private_key(eckey2);
-	if (priv1 != NULL || priv2 != NULL) {
-		if (priv1 == NULL || priv2 == NULL)
-			DST_RET (ISC_FALSE);
-		if (BN_cmp(priv1, priv2) != 0)
-			DST_RET (ISC_FALSE);
-	}
-	ret = ISC_TRUE;
-
- err:
-	if (eckey1 != NULL)
-		EC_KEY_free(eckey1);
-	if (eckey2 != NULL)
-		EC_KEY_free(eckey2);
-	return (ret);
-}
-
-static isc_result_t
-opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
-	isc_result_t ret;
-	EVP_PKEY *pkey;
-	EC_KEY *eckey = NULL;
-	int group_nid;
-
-	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
-		key->key_alg == DST_ALG_ECDSA384);
-	UNUSED(unused);
-	UNUSED(callback);
-
-	if (key->key_alg == DST_ALG_ECDSA256)
-		group_nid = NID_X9_62_prime256v1;
-	else
-		group_nid = NID_secp384r1;
-
-	eckey = EC_KEY_new_by_curve_name(group_nid);
-	if (eckey == NULL)
-		return (dst__openssl_toresult2("EC_KEY_new_by_curve_name",
-					       DST_R_OPENSSLFAILURE));
-
-	if (EC_KEY_generate_key(eckey) != 1)
-		DST_RET (dst__openssl_toresult2("EC_KEY_generate_key",
-						DST_R_OPENSSLFAILURE));
-
-	pkey = EVP_PKEY_new();
-	if (pkey == NULL)
-		DST_RET (ISC_R_NOMEMORY);
-	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
-		EVP_PKEY_free(pkey);
-		DST_RET (ISC_R_FAILURE);
-	}
-	key->keydata.pkey = pkey;
-	ret = ISC_R_SUCCESS;
-
- err:
-	if (eckey != NULL)
-		EC_KEY_free(eckey);
-	return (ret);
-}
-
-static isc_boolean_t
-opensslecdsa_isprivate(const dst_key_t *key) {
-	isc_boolean_t ret;
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
-
-	ret = ISC_TF(eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
-	if (eckey != NULL)
-		EC_KEY_free(eckey);
-	return (ret);
-}
-
-static void
-opensslecdsa_destroy(dst_key_t *key) {
-	EVP_PKEY *pkey = key->keydata.pkey;
-
-	EVP_PKEY_free(pkey);
-	key->keydata.pkey = NULL;
-}
-
-static isc_result_t
-opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
-	isc_result_t ret;
-	EVP_PKEY *pkey;
-	EC_KEY *eckey = NULL;
-	isc_region_t r;
-	int len;
-	unsigned char *cp;
-	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
-
-	REQUIRE(key->keydata.pkey != NULL);
-
-	pkey = key->keydata.pkey;
-	eckey = EVP_PKEY_get1_EC_KEY(pkey);
-	if (eckey == NULL)
-		return (dst__openssl_toresult(ISC_R_FAILURE));
-	len = i2o_ECPublicKey(eckey, NULL);
-	/* skip form */
-	len--;
-
-	isc_buffer_availableregion(data, &r);
-	if (r.length < (unsigned int) len)
-		DST_RET (ISC_R_NOSPACE);
-	cp = buf;
-	if (!i2o_ECPublicKey(eckey, &cp))
-		DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
-	memcpy(r.base, buf + 1, len);
-	isc_buffer_add(data, len);
-	ret = ISC_R_SUCCESS;
-
- err:
-	if (eckey != NULL)
-		EC_KEY_free(eckey);
-	return (ret);
-}
-
-static isc_result_t
-opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	isc_result_t ret;
-	EVP_PKEY *pkey;
-	EC_KEY *eckey = NULL;
-	isc_region_t r;
-	int group_nid;
-	unsigned int len;
-	const unsigned char *cp;
-	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
-
-	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
-		key->key_alg == DST_ALG_ECDSA384);
-
-	if (key->key_alg == DST_ALG_ECDSA256) {
-		len = DNS_KEY_ECDSA256SIZE;
-		group_nid = NID_X9_62_prime256v1;
-	} else {
-		len = DNS_KEY_ECDSA384SIZE;
-		group_nid = NID_secp384r1;
-	}
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-	if (r.length < len)
-		return (DST_R_INVALIDPUBLICKEY);
-
-	eckey = EC_KEY_new_by_curve_name(group_nid);
-	if (eckey == NULL)
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-
-	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
-	memcpy(buf + 1, r.base, len);
-	cp = buf;
-	if (o2i_ECPublicKey(&eckey,
-			    (const unsigned char **) &cp,
-			    (long) len + 1) == NULL)
-		DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
-	if (EC_KEY_check_key(eckey) != 1)
-		DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
-
-	pkey = EVP_PKEY_new();
-	if (pkey == NULL)
-		DST_RET (ISC_R_NOMEMORY);
-	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
-		EVP_PKEY_free(pkey);
-		DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
-	}
-
-	isc_buffer_forward(data, len);
-	key->keydata.pkey = pkey;
-	ret = ISC_R_SUCCESS;
-
- err:
-	if (eckey != NULL)
-		EC_KEY_free(eckey);
-	return (ret);
-}
-
-static isc_result_t
-opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
-	isc_result_t ret;
-	EVP_PKEY *pkey;
-	EC_KEY *eckey = NULL;
-	const BIGNUM *privkey;
-	dst_private_t priv;
-	unsigned char *buf = NULL;
-
-	if (key->keydata.pkey == NULL)
-		return (DST_R_NULLKEY);
-
-	pkey = key->keydata.pkey;
-	eckey = EVP_PKEY_get1_EC_KEY(pkey);
-	if (eckey == NULL)
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	privkey = EC_KEY_get0_private_key(eckey);
-	if (privkey == NULL)
-		DST_RET (ISC_R_FAILURE);
-
-	buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
-	if (buf == NULL)
-		DST_RET (ISC_R_NOMEMORY);
-
-	priv.elements[0].tag = TAG_ECDSA_PRIVATEKEY;
-	priv.elements[0].length = BN_num_bytes(privkey);
-	BN_bn2bin(privkey, buf);
-	priv.elements[0].data = buf;
-	priv.nelements = ECDSA_NTAGS;
-	ret = dst__privstruct_writefile(key, &priv, directory);
-
- err:
-	if (eckey != NULL)
-		EC_KEY_free(eckey);
-	if (buf != NULL)
-		isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
-	return (ret);
-}
-
-static isc_result_t
-ecdsa_check(EC_KEY *eckey, dst_key_t *pub)
-{
-	isc_result_t ret = ISC_R_FAILURE;
-	EVP_PKEY *pkey;
-	EC_KEY *pubeckey = NULL;
-	const EC_POINT *pubkey;
-
-	if (pub == NULL)
-		return (ISC_R_SUCCESS);
-	pkey = pub->keydata.pkey;
-	if (pkey == NULL)
-		return (ISC_R_SUCCESS);
-	pubeckey = EVP_PKEY_get1_EC_KEY(pkey);
-	if (pubeckey == NULL)
-		return (ISC_R_SUCCESS);
-	pubkey = EC_KEY_get0_public_key(pubeckey);
-	if (pubkey == NULL)
-		DST_RET (ISC_R_SUCCESS);
-	if (EC_KEY_set_public_key(eckey, pubkey) != 1)
-		DST_RET (ISC_R_SUCCESS);
-	if (EC_KEY_check_key(eckey) == 1)
-		DST_RET (ISC_R_SUCCESS);
-
- err:
-	if (pubeckey != NULL)
-		EC_KEY_free(pubeckey);
-	return (ret);
-}
-
-static isc_result_t
-opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t ret;
-	EVP_PKEY *pkey;
-	EC_KEY *eckey = NULL;
-	BIGNUM *privkey;
-	int group_nid;
-	isc_mem_t *mctx = key->mctx;
-
-	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
-		key->key_alg == DST_ALG_ECDSA384);
-
-	if (key->key_alg == DST_ALG_ECDSA256)
-		group_nid = NID_X9_62_prime256v1;
-	else
-		group_nid = NID_secp384r1;
-
-	eckey = EC_KEY_new_by_curve_name(group_nid);
-	if (eckey == NULL)
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-
-	/* read private key file */
-	ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
-	if (ret != ISC_R_SUCCESS)
-		goto err;
-
-	privkey = BN_bin2bn(priv.elements[0].data,
-			    priv.elements[0].length, NULL);
-	if (privkey == NULL)
-		DST_RET(ISC_R_NOMEMORY);
-	if (!EC_KEY_set_private_key(eckey, privkey))
-		DST_RET(ISC_R_NOMEMORY);
-	if (ecdsa_check(eckey, pub) != ISC_R_SUCCESS)
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-
-	pkey = EVP_PKEY_new();
-	if (pkey == NULL)
-		DST_RET (ISC_R_NOMEMORY);
-	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
-		EVP_PKEY_free(pkey);
-		DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-	key->keydata.pkey = pkey;
-	ret = ISC_R_SUCCESS;
-
- err:
-	if (eckey != NULL)
-		EC_KEY_free(eckey);
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (ret);
-}
-
-static dst_func_t opensslecdsa_functions = {
-	opensslecdsa_createctx,
-	opensslecdsa_destroyctx,
-	opensslecdsa_adddata,
-	opensslecdsa_sign,
-	opensslecdsa_verify,
-	NULL, /*%< verify2 */
-	NULL, /*%< computesecret */
-	opensslecdsa_compare,
-	NULL, /*%< paramcompare */
-	opensslecdsa_generate,
-	opensslecdsa_isprivate,
-	opensslecdsa_destroy,
-	opensslecdsa_todns,
-	opensslecdsa_fromdns,
-	opensslecdsa_tofile,
-	opensslecdsa_parse,
-	NULL, /*%< cleanup */
-	NULL, /*%< fromlabel */
-	NULL, /*%< dump */
-	NULL, /*%< restore */
-};
-
-isc_result_t
-dst__opensslecdsa_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &opensslecdsa_functions;
-	return (ISC_R_SUCCESS);
-}
-
-#else /* HAVE_OPENSSL_ECDSA */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_OPENSSL_ECDSA */
-/*! \file */
diff --git a/contrib/bind9/lib/dns/opensslgost_link.c b/contrib/bind9/lib/dns/opensslgost_link.c
deleted file mode 100644
index 1ce4405..0000000
--- a/contrib/bind9/lib/dns/opensslgost_link.c
+++ /dev/null
@@ -1,445 +0,0 @@
-/*
- * Copyright (C) 2010-2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: opensslgost_link.c,v 1.5 2011/01/19 23:47:12 tbox Exp $ */
-
-#include <config.h>
-
-#ifdef HAVE_OPENSSL_GOST
-
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/engine.h>
-
-static ENGINE *e = NULL;
-static const EVP_MD *opensslgost_digest;
-extern const EVP_MD *EVP_gost(void);
-
-const EVP_MD *EVP_gost(void) {
-	return (opensslgost_digest);
-}
-
-#define DST_RET(a) {ret = a; goto err;}
-
-static isc_result_t opensslgost_todns(const dst_key_t *key,
-				      isc_buffer_t *data);
-
-static isc_result_t
-opensslgost_createctx(dst_key_t *key, dst_context_t *dctx) {
-	EVP_MD_CTX *evp_md_ctx;
-	const EVP_MD *md = EVP_gost();
-
-	UNUSED(key);
-
-	if (md == NULL)
-		return (DST_R_OPENSSLFAILURE);
-
-	evp_md_ctx = EVP_MD_CTX_create();
-	if (evp_md_ctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if (!EVP_DigestInit_ex(evp_md_ctx, md, NULL)) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-		return (ISC_R_FAILURE);
-	}
-	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-opensslgost_destroyctx(dst_context_t *dctx) {
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
-	if (evp_md_ctx != NULL) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-		dctx->ctxdata.evp_md_ctx = NULL;
-	}
-}
-
-static isc_result_t
-opensslgost_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
-	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
-		return (ISC_R_FAILURE);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslgost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	dst_key_t *key = dctx->key;
-	isc_region_t r;
-	unsigned int siglen = 0;
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-	EVP_PKEY *pkey = key->keydata.pkey;
-
-	isc_buffer_availableregion(sig, &r);
-
-	if (r.length < (unsigned int) EVP_PKEY_size(pkey))
-		return (ISC_R_NOSPACE);
-
-	if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey))
-		return (ISC_R_FAILURE);
-
-	isc_buffer_add(sig, siglen);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	dst_key_t *key = dctx->key;
-	int status = 0;
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-	EVP_PKEY *pkey = key->keydata.pkey;
-
-	status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
-	switch (status) {
-	case 1:
-		return (ISC_R_SUCCESS);
-	case 0:
-		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
-	default:
-		return (dst__openssl_toresult3(dctx->category,
-					       "EVP_VerifyFinal",
-					       DST_R_VERIFYFAILURE));
-	}
-}
-
-static isc_boolean_t
-opensslgost_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	EVP_PKEY *pkey1, *pkey2;
-
-	pkey1 = key1->keydata.pkey;
-	pkey2 = key2->keydata.pkey;
-
-	if (pkey1 == NULL && pkey2 == NULL)
-		return (ISC_TRUE);
-	else if (pkey1 == NULL || pkey2 == NULL)
-		return (ISC_FALSE);
-
-	if (EVP_PKEY_cmp(pkey1, pkey2) != 1)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-static int
-progress_cb(EVP_PKEY_CTX *ctx)
-{
-	union {
-		void *dptr;
-		void (*fptr)(int);
-	} u;
-	int p;
-
-	u.dptr = EVP_PKEY_CTX_get_app_data(ctx);
-	p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
-	if (u.fptr != NULL)
-		u.fptr(p);
-	return (1);
-}
-
-static isc_result_t
-opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
-	EVP_PKEY_CTX *ctx;
-	union {
-		void *dptr;
-		void (*fptr)(int);
-	} u;
-	EVP_PKEY *pkey = NULL;
-	isc_result_t ret;
-
-	UNUSED(unused);
-	ctx = EVP_PKEY_CTX_new_id(NID_id_GostR3410_2001, NULL);
-	if (ctx == NULL)
-		DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
-					       DST_R_OPENSSLFAILURE));
-	if (callback != NULL) {
-		u.fptr = callback;
-		EVP_PKEY_CTX_set_app_data(ctx, u.dptr);
-		EVP_PKEY_CTX_set_cb(ctx, &progress_cb);
-	}
-	if (EVP_PKEY_keygen_init(ctx) <= 0)
-		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
-					       DST_R_OPENSSLFAILURE));
-	if (EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0)
-		DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_ctrl_str",
-					       DST_R_OPENSSLFAILURE));
-	if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
-		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
-					       DST_R_OPENSSLFAILURE));
-	key->keydata.pkey = pkey;
-	EVP_PKEY_CTX_free(ctx);
-	return (ISC_R_SUCCESS);
-
-err:
-	if (pkey != NULL)
-		EVP_PKEY_free(pkey);
-	if (ctx != NULL)
-		EVP_PKEY_CTX_free(ctx);
-	return (ret);
-}
-
-static isc_boolean_t
-opensslgost_isprivate(const dst_key_t *key) {
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EC_KEY *ec;
-
-	INSIST(pkey != NULL);
-
-	ec = EVP_PKEY_get0(pkey);
-	return (ISC_TF(ec != NULL && EC_KEY_get0_private_key(ec) != NULL));
-}
-
-static void
-opensslgost_destroy(dst_key_t *key) {
-	EVP_PKEY *pkey = key->keydata.pkey;
-
-	EVP_PKEY_free(pkey);
-	key->keydata.pkey = NULL;
-}
-
-unsigned char gost_prefix[37] = {
-	0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
-	0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07,
-	0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01, 0x06,
-	0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01,
-	0x03, 0x43, 0x00, 0x04, 0x40
-};
-
-static isc_result_t
-opensslgost_todns(const dst_key_t *key, isc_buffer_t *data) {
-	EVP_PKEY *pkey;
-	isc_region_t r;
-	unsigned char der[37 + 64], *p;
-	int len;
-
-	REQUIRE(key->keydata.pkey != NULL);
-
-	pkey = key->keydata.pkey;
-
-	isc_buffer_availableregion(data, &r);
-	if (r.length < 64)
-		return (ISC_R_NOSPACE);
-
-	p = der;
-	len = i2d_PUBKEY(pkey, &p);
-	INSIST(len == sizeof(der));
-	INSIST(memcmp(gost_prefix, der, 37) == 0);
-	memcpy(r.base, der + 37, 64);
-	isc_buffer_add(data, 64);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	isc_region_t r;
-	EVP_PKEY *pkey = NULL;
-	unsigned char der[37 + 64];
-	const unsigned char *p;
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	if (r.length != 64)
-		return (DST_R_INVALIDPUBLICKEY);
-	memcpy(der, gost_prefix, 37);
-	memcpy(der + 37, r.base, 64);
-	isc_buffer_forward(data, 64);
-
-	p = der;
-	if (d2i_PUBKEY(&pkey, &p, (long) sizeof(der)) == NULL)
-		return (dst__openssl_toresult2("d2i_PUBKEY",
-					       DST_R_OPENSSLFAILURE));
-	key->keydata.pkey = pkey;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslgost_tofile(const dst_key_t *key, const char *directory) {
-	EVP_PKEY *pkey;
-	dst_private_t priv;
-	isc_result_t result;
-	unsigned char *der, *p;
-	int len;
-
-	if (key->keydata.pkey == NULL)
-		return (DST_R_NULLKEY);
-
-	pkey = key->keydata.pkey;
-
-	len = i2d_PrivateKey(pkey, NULL);
-	der = isc_mem_get(key->mctx, (size_t) len);
-	if (der == NULL)
-		return (ISC_R_NOMEMORY);
-
-	p = der;
-	if (i2d_PrivateKey(pkey, &p) != len) {
-		result = dst__openssl_toresult2("i2d_PrivateKey",
-						DST_R_OPENSSLFAILURE);
-		goto fail;
-	}
-
-	priv.elements[0].tag = TAG_GOST_PRIVASN1;
-	priv.elements[0].length = len;
-	priv.elements[0].data = der;
-	priv.nelements = GOST_NTAGS;
-
-	result = dst__privstruct_writefile(key, &priv, directory);
- fail:
-	if (der != NULL)
-		isc_mem_put(key->mctx, der, (size_t) len);
-	return (result);
-}
-
-static isc_result_t
-opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t ret;
-	isc_mem_t *mctx = key->mctx;
-	EVP_PKEY *pkey = NULL;
-	const unsigned char *p;
-
-	UNUSED(pub);
-
-	/* read private key file */
-	ret = dst__privstruct_parse(key, DST_ALG_ECCGOST, lexer, mctx, &priv);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-
-	INSIST(priv.elements[0].tag == TAG_GOST_PRIVASN1);
-	p = priv.elements[0].data;
-	if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
-			   (long) priv.elements[0].length) == NULL)
-		DST_RET(dst__openssl_toresult2("d2i_PrivateKey",
-					       DST_R_INVALIDPRIVATEKEY));
-	key->keydata.pkey = pkey;
-	key->key_size = EVP_PKEY_bits(pkey);
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (ISC_R_SUCCESS);
-
- err:
-	if (pkey != NULL)
-		EVP_PKEY_free(pkey);
-	opensslgost_destroy(key);
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (ret);
-}
-
-static void
-opensslgost_cleanup(void) {
-	if (e != NULL) {
-		ENGINE_finish(e);
-		ENGINE_free(e);
-		e = NULL;
-	}
-}
-
-static dst_func_t opensslgost_functions = {
-	opensslgost_createctx,
-	opensslgost_destroyctx,
-	opensslgost_adddata,
-	opensslgost_sign,
-	opensslgost_verify,
-	NULL, /*%< verify2 */
-	NULL, /*%< computesecret */
-	opensslgost_compare,
-	NULL, /*%< paramcompare */
-	opensslgost_generate,
-	opensslgost_isprivate,
-	opensslgost_destroy,
-	opensslgost_todns,
-	opensslgost_fromdns,
-	opensslgost_tofile,
-	opensslgost_parse,
-	opensslgost_cleanup,
-	NULL, /*%< fromlabel */
-	NULL, /*%< dump */
-	NULL  /*%< restore */
-};
-
-isc_result_t
-dst__opensslgost_init(dst_func_t **funcp) {
-	isc_result_t ret;
-
-	REQUIRE(funcp != NULL);
-
-	/* check if the gost engine works properly */
-	e = ENGINE_by_id("gost");
-	if (e == NULL)
-		return (dst__openssl_toresult2("ENGINE_by_id",
-					       DST_R_OPENSSLFAILURE));
-	if (ENGINE_init(e) <= 0) {
-		ENGINE_free(e);
-		e = NULL;
-		return (dst__openssl_toresult2("ENGINE_init",
-					       DST_R_OPENSSLFAILURE));
-	}
-	/* better than to rely on digest_gost symbol */
-	opensslgost_digest = ENGINE_get_digest(e, NID_id_GostR3411_94);
-	if (opensslgost_digest == NULL)
-		DST_RET(dst__openssl_toresult2("ENGINE_get_digest",
-					       DST_R_OPENSSLFAILURE));
-	/* from openssl.cnf */
-	if (ENGINE_register_pkey_asn1_meths(e) <= 0)
-		DST_RET(dst__openssl_toresult2(
-				"ENGINE_register_pkey_asn1_meths",
-				DST_R_OPENSSLFAILURE));
-	if (ENGINE_ctrl_cmd_string(e,
-				   "CRYPT_PARAMS",
-				   "id-Gost28147-89-CryptoPro-A-ParamSet",
-				   0) <= 0)
-		DST_RET(dst__openssl_toresult2("ENGINE_ctrl_cmd_string",
-					       DST_R_OPENSSLFAILURE));
-
-	if (*funcp == NULL)
-		*funcp = &opensslgost_functions;
-	return (ISC_R_SUCCESS);
-
- err:
-	ENGINE_finish(e);
-	ENGINE_free(e);
-	e = NULL;
-	return (ret);
-}
-
-#else /* HAVE_OPENSSL_GOST */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_OPENSSL_GOST */
-/*! \file */
diff --git a/contrib/bind9/lib/dns/opensslrsa_link.c b/contrib/bind9/lib/dns/opensslrsa_link.c
deleted file mode 100644
index fa7412c..0000000
--- a/contrib/bind9/lib/dns/opensslrsa_link.c
+++ /dev/null
@@ -1,1491 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id$
- */
-#ifdef OPENSSL
-#include <config.h>
-
-#ifndef USE_EVP
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA512)
-#define USE_EVP 0
-#else
-#define USE_EVP 1
-#endif
-#endif
-
-
-#include <isc/entropy.h>
-#include <isc/md5.h>
-#include <isc/sha1.h>
-#include <isc/sha2.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-#include <openssl/bn.h>
-#endif
-#ifdef USE_ENGINE
-#include <openssl/engine.h>
-#endif
-
-/*
- * Limit the size of public exponents.
- */
-#ifndef RSA_MAX_PUBEXP_BITS
-#define RSA_MAX_PUBEXP_BITS    35
-#endif
-
-/*
- * We don't use configure for windows so enforce the OpenSSL version
- * here.  Unlike with configure we don't support overriding this test.
- */
-#ifdef WIN32
-#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
-       OPENSSL_VERSION_NUMBER < 0x00908000L) || \
-      OPENSSL_VERSION_NUMBER >= 0x0090804fL)
-#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
-#endif
-#endif
-
-
-	/*
-	 * XXXMPA  Temporarily disable RSA_BLINDING as it requires
-	 * good quality random data that cannot currently be guaranteed.
-	 * XXXMPA  Find which versions of openssl use pseudo random data
-	 * and set RSA_FLAG_BLINDING for those.
-	 */
-
-#if 0
-#if OPENSSL_VERSION_NUMBER < 0x0090601fL
-#define SET_FLAGS(rsa) \
-	do { \
-	(rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
-	(rsa)->flags |= RSA_FLAG_BLINDING; \
-	} while (0)
-#else
-#define SET_FLAGS(rsa) \
-	do { \
-		(rsa)->flags |= RSA_FLAG_BLINDING; \
-	} while (0)
-#endif
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x0090601fL
-#define SET_FLAGS(rsa) \
-	do { \
-	(rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
-	(rsa)->flags &= ~RSA_FLAG_BLINDING; \
-	} while (0)
-#elif defined(RSA_FLAG_NO_BLINDING)
-#define SET_FLAGS(rsa) \
-	do { \
-		(rsa)->flags &= ~RSA_FLAG_BLINDING; \
-		(rsa)->flags |= RSA_FLAG_NO_BLINDING; \
-	} while (0)
-#else
-#define SET_FLAGS(rsa) \
-	do { \
-		(rsa)->flags &= ~RSA_FLAG_BLINDING; \
-	} while (0)
-#endif
-
-#define DST_RET(a) {ret = a; goto err;}
-
-static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
-
-static isc_result_t
-opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx;
-	const EVP_MD *type = NULL;
-#endif
-
-	UNUSED(key);
-	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_RSASHA256 ||
-		dctx->key->key_alg == DST_ALG_RSASHA512);
-
-#if USE_EVP
-	evp_md_ctx = EVP_MD_CTX_create();
-	if (evp_md_ctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	switch (dctx->key->key_alg) {
-	case DST_ALG_RSAMD5:
-		type = EVP_md5();	/* MD5 + RSA */
-		break;
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-		type = EVP_sha1();	/* SHA1 + RSA */
-		break;
-#ifdef HAVE_EVP_SHA256
-	case DST_ALG_RSASHA256:
-		type = EVP_sha256();	/* SHA256 + RSA */
-		break;
-#endif
-#ifdef HAVE_EVP_SHA512
-	case DST_ALG_RSASHA512:
-		type = EVP_sha512();
-		break;
-#endif
-	default:
-		INSIST(0);
-	}
-
-	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-		return (dst__openssl_toresult3(dctx->category,
-					       "EVP_DigestInit_ex",
-					       ISC_R_FAILURE));
-	}
-	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
-#else
-	switch (dctx->key->key_alg) {
-	case DST_ALG_RSAMD5:
-		{
-			isc_md5_t *md5ctx;
-
-			md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
-			if (md5ctx == NULL)
-				return (ISC_R_NOMEMORY);
-			isc_md5_init(md5ctx);
-			dctx->ctxdata.md5ctx = md5ctx;
-		}
-		break;
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-		{
-			isc_sha1_t *sha1ctx;
-
-			sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
-			if (sha1ctx == NULL)
-				return (ISC_R_NOMEMORY);
-			isc_sha1_init(sha1ctx);
-			dctx->ctxdata.sha1ctx = sha1ctx;
-		}
-		break;
-	case DST_ALG_RSASHA256:
-		{
-			isc_sha256_t *sha256ctx;
-
-			sha256ctx = isc_mem_get(dctx->mctx,
-						sizeof(isc_sha256_t));
-			if (sha256ctx == NULL)
-				return (ISC_R_NOMEMORY);
-			isc_sha256_init(sha256ctx);
-			dctx->ctxdata.sha256ctx = sha256ctx;
-		}
-		break;
-	case DST_ALG_RSASHA512:
-		{
-			isc_sha512_t *sha512ctx;
-
-			sha512ctx = isc_mem_get(dctx->mctx,
-						sizeof(isc_sha512_t));
-			if (sha512ctx == NULL)
-				return (ISC_R_NOMEMORY);
-			isc_sha512_init(sha512ctx);
-			dctx->ctxdata.sha512ctx = sha512ctx;
-		}
-		break;
-	default:
-		INSIST(0);
-	}
-#endif
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-opensslrsa_destroyctx(dst_context_t *dctx) {
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#endif
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_RSASHA256 ||
-		dctx->key->key_alg == DST_ALG_RSASHA512);
-
-#if USE_EVP
-	if (evp_md_ctx != NULL) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-		dctx->ctxdata.evp_md_ctx = NULL;
-	}
-#else
-	switch (dctx->key->key_alg) {
-	case DST_ALG_RSAMD5:
-		{
-			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
-			if (md5ctx != NULL) {
-				isc_md5_invalidate(md5ctx);
-				isc_mem_put(dctx->mctx, md5ctx,
-					    sizeof(isc_md5_t));
-				dctx->ctxdata.md5ctx = NULL;
-			}
-		}
-		break;
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-		{
-			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-			if (sha1ctx != NULL) {
-				isc_sha1_invalidate(sha1ctx);
-				isc_mem_put(dctx->mctx, sha1ctx,
-					    sizeof(isc_sha1_t));
-				dctx->ctxdata.sha1ctx = NULL;
-			}
-		}
-		break;
-	case DST_ALG_RSASHA256:
-		{
-			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
-			if (sha256ctx != NULL) {
-				isc_sha256_invalidate(sha256ctx);
-				isc_mem_put(dctx->mctx, sha256ctx,
-					    sizeof(isc_sha256_t));
-				dctx->ctxdata.sha256ctx = NULL;
-			}
-		}
-		break;
-	case DST_ALG_RSASHA512:
-		{
-			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
-			if (sha512ctx != NULL) {
-				isc_sha512_invalidate(sha512ctx);
-				isc_mem_put(dctx->mctx, sha512ctx,
-					    sizeof(isc_sha512_t));
-				dctx->ctxdata.sha512ctx = NULL;
-			}
-		}
-		break;
-	default:
-		INSIST(0);
-	}
-#endif
-}
-
-static isc_result_t
-opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#endif
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_RSASHA256 ||
-		dctx->key->key_alg == DST_ALG_RSASHA512);
-
-#if USE_EVP
-	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
-		return (dst__openssl_toresult3(dctx->category,
-					       "EVP_DigestUpdate",
-					       ISC_R_FAILURE));
-	}
-#else
-	switch (dctx->key->key_alg) {
-	case DST_ALG_RSAMD5:
-		{
-			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
-			isc_md5_update(md5ctx, data->base, data->length);
-		}
-		break;
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-		{
-			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-			isc_sha1_update(sha1ctx, data->base, data->length);
-		}
-		break;
-	case DST_ALG_RSASHA256:
-		{
-			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
-			isc_sha256_update(sha256ctx, data->base, data->length);
-		}
-		break;
-	case DST_ALG_RSASHA512:
-		{
-			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
-			isc_sha512_update(sha512ctx, data->base, data->length);
-		}
-		break;
-	default:
-		INSIST(0);
-	}
-#endif
-	return (ISC_R_SUCCESS);
-}
-
-#if ! USE_EVP && OPENSSL_VERSION_NUMBER < 0x00908000L
-/*
- * Digest prefixes from RFC 5702.
- */
-static unsigned char sha256_prefix[] =
-	 { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
-	   0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
-static unsigned char sha512_prefix[] =
-	 { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
-	   0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
-#define PREFIXLEN sizeof(sha512_prefix)
-#else
-#define PREFIXLEN 0
-#endif
-
-static isc_result_t
-opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	dst_key_t *key = dctx->key;
-	isc_region_t r;
-	unsigned int siglen = 0;
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-	EVP_PKEY *pkey = key->keydata.pkey;
-#else
-	RSA *rsa = key->keydata.rsa;
-	/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
-	unsigned char digest[PREFIXLEN + ISC_SHA512_DIGESTLENGTH];
-	int status;
-	int type = 0;
-	unsigned int digestlen = 0;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-	unsigned int prefixlen = 0;
-	const unsigned char *prefix = NULL;
-#endif
-#endif
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_RSASHA256 ||
-		dctx->key->key_alg == DST_ALG_RSASHA512);
-
-	isc_buffer_availableregion(sig, &r);
-
-#if USE_EVP
-	if (r.length < (unsigned int) EVP_PKEY_size(pkey))
-		return (ISC_R_NOSPACE);
-
-	if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
-		return (dst__openssl_toresult3(dctx->category,
-					       "EVP_SignFinal",
-					       ISC_R_FAILURE));
-	}
-#else
-	if (r.length < (unsigned int) RSA_size(rsa))
-		return (ISC_R_NOSPACE);
-
-	switch (dctx->key->key_alg) {
-	case DST_ALG_RSAMD5:
-		{
-			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
-			isc_md5_final(md5ctx, digest);
-			type = NID_md5;
-			digestlen = ISC_MD5_DIGESTLENGTH;
-		}
-		break;
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-		{
-			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-			isc_sha1_final(sha1ctx, digest);
-			type = NID_sha1;
-			digestlen = ISC_SHA1_DIGESTLENGTH;
-		}
-		break;
-	case DST_ALG_RSASHA256:
-		{
-			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
-			isc_sha256_final(digest, sha256ctx);
-			digestlen = ISC_SHA256_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-			prefix = sha256_prefix;
-			prefixlen = sizeof(sha256_prefix);
-#else
-			type = NID_sha256;
-#endif
-		}
-		break;
-	case DST_ALG_RSASHA512:
-		{
-			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
-			isc_sha512_final(digest, sha512ctx);
-			digestlen = ISC_SHA512_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-			prefix = sha512_prefix;
-			prefixlen = sizeof(sha512_prefix);
-#else
-			type = NID_sha512;
-#endif
-		}
-		break;
-	default:
-		INSIST(0);
-	}
-
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-	switch (dctx->key->key_alg) {
-	case DST_ALG_RSAMD5:
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-		INSIST(type != 0);
-		status = RSA_sign(type, digest, digestlen, r.base,
-				  &siglen, rsa);
-		break;
-
-	case DST_ALG_RSASHA256:
-	case DST_ALG_RSASHA512:
-		INSIST(prefix != NULL);
-		INSIST(prefixlen != 0);
-		INSIST(prefixlen + digestlen <= sizeof(digest));
-
-		memmove(digest + prefixlen, digest, digestlen);
-		memcpy(digest, prefix, prefixlen);
-		status = RSA_private_encrypt(digestlen + prefixlen,
-					     digest, r.base, rsa,
-					     RSA_PKCS1_PADDING);
-		if (status < 0)
-			status = 0;
-		else
-			siglen = status;
-		break;
-
-	default:
-		INSIST(0);
-	}
-#else
-	INSIST(type != 0);
-	status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
-#endif
-	if (status == 0)
-		return (dst__openssl_toresult3(dctx->category,
-					       "RSA_sign",
-					       DST_R_OPENSSLFAILURE));
-#endif
-
-	isc_buffer_add(sig, siglen);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
-	dst_key_t *key = dctx->key;
-	int status = 0;
-#if USE_EVP
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-	EVP_PKEY *pkey = key->keydata.pkey;
-	RSA *rsa;
-	int bits;
-#else
-	/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
-	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
-	int type = 0;
-	unsigned int digestlen = 0;
-	RSA *rsa = key->keydata.rsa;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-	unsigned int prefixlen = 0;
-	const unsigned char *prefix = NULL;
-#endif
-#endif
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_RSASHA256 ||
-		dctx->key->key_alg == DST_ALG_RSASHA512);
-
-#if USE_EVP
-	rsa = EVP_PKEY_get1_RSA(pkey);
-	if (rsa == NULL)
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	bits = BN_num_bits(rsa->e);
-	RSA_free(rsa);
-	if (bits > maxbits && maxbits != 0)
-		return (DST_R_VERIFYFAILURE);
-
-	status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
-	switch (status) {
-	case 1:
-		return (ISC_R_SUCCESS);
-	case 0:
-		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
-	default:
-		return (dst__openssl_toresult3(dctx->category,
-					       "EVP_VerifyFinal",
-					       DST_R_VERIFYFAILURE));
-	}
-#else
-	if (BN_num_bits(rsa->e) > maxbits && maxbits != 0)
-		return (DST_R_VERIFYFAILURE);
-
-	switch (dctx->key->key_alg) {
-	case DST_ALG_RSAMD5:
-		{
-			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
-			isc_md5_final(md5ctx, digest);
-			type = NID_md5;
-			digestlen = ISC_MD5_DIGESTLENGTH;
-		}
-		break;
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-		{
-			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-			isc_sha1_final(sha1ctx, digest);
-			type = NID_sha1;
-			digestlen = ISC_SHA1_DIGESTLENGTH;
-		}
-		break;
-	case DST_ALG_RSASHA256:
-		{
-			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
-			isc_sha256_final(digest, sha256ctx);
-			digestlen = ISC_SHA256_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-			prefix = sha256_prefix;
-			prefixlen = sizeof(sha256_prefix);
-#else
-			type = NID_sha256;
-#endif
-		}
-		break;
-	case DST_ALG_RSASHA512:
-		{
-			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
-			isc_sha512_final(digest, sha512ctx);
-			digestlen = ISC_SHA512_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-			prefix = sha512_prefix;
-			prefixlen = sizeof(sha512_prefix);
-#else
-			type = NID_sha512;
-#endif
-		}
-		break;
-	default:
-		INSIST(0);
-	}
-
-	if (sig->length != (unsigned int) RSA_size(rsa))
-		return (DST_R_VERIFYFAILURE);
-
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-	switch (dctx->key->key_alg) {
-	case DST_ALG_RSAMD5:
-	case DST_ALG_RSASHA1:
-	case DST_ALG_NSEC3RSASHA1:
-		INSIST(type != 0);
-		status = RSA_verify(type, digest, digestlen, sig->base,
-				    RSA_size(rsa), rsa);
-		break;
-
-	case DST_ALG_RSASHA256:
-	case DST_ALG_RSASHA512:
-		{
-			/*
-			 * 1024 is big enough for all valid RSA bit sizes
-			 * for use with DNSSEC.
-			 */
-			unsigned char original[PREFIXLEN + 1024];
-
-			INSIST(prefix != NULL);
-			INSIST(prefixlen != 0U);
-
-			if (RSA_size(rsa) > (int)sizeof(original))
-				return (DST_R_VERIFYFAILURE);
-
-			status = RSA_public_decrypt(sig->length, sig->base,
-						    original, rsa,
-						    RSA_PKCS1_PADDING);
-			if (status <= 0)
-				return (dst__openssl_toresult3(
-						dctx->category,
-						"RSA_public_decrypt",
-						DST_R_VERIFYFAILURE));
-			if (status != (int)(prefixlen + digestlen))
-				return (DST_R_VERIFYFAILURE);
-			if (memcmp(original, prefix, prefixlen))
-				return (DST_R_VERIFYFAILURE);
-			if (memcmp(original + prefixlen, digest, digestlen))
-				return (DST_R_VERIFYFAILURE);
-			status = 1;
-		}
-		break;
-
-	default:
-		INSIST(0);
-	}
-#else
-	INSIST(type != 0);
-	status = RSA_verify(type, digest, digestlen, sig->base,
-			     RSA_size(rsa), rsa);
-#endif
-	if (status != 1)
-		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
-	return (ISC_R_SUCCESS);
-#endif
-}
-
-static isc_result_t
-opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	return (opensslrsa_verify2(dctx, 0, sig));
-}
-
-static isc_boolean_t
-opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	int status;
-	RSA *rsa1 = NULL, *rsa2 = NULL;
-#if USE_EVP
-	EVP_PKEY *pkey1, *pkey2;
-#endif
-
-#if USE_EVP
-	pkey1 = key1->keydata.pkey;
-	pkey2 = key2->keydata.pkey;
-	/*
-	 * The pkey reference will keep these around after
-	 * the RSA_free() call.
-	 */
-	if (pkey1 != NULL) {
-		rsa1 = EVP_PKEY_get1_RSA(pkey1);
-		RSA_free(rsa1);
-	}
-	if (pkey2 != NULL) {
-		rsa2 = EVP_PKEY_get1_RSA(pkey2);
-		RSA_free(rsa2);
-	}
-#else
-	rsa1 = key1->keydata.rsa;
-	rsa2 = key2->keydata.rsa;
-#endif
-
-	if (rsa1 == NULL && rsa2 == NULL)
-		return (ISC_TRUE);
-	else if (rsa1 == NULL || rsa2 == NULL)
-		return (ISC_FALSE);
-
-	status = BN_cmp(rsa1->n, rsa2->n) ||
-		 BN_cmp(rsa1->e, rsa2->e);
-
-	if (status != 0)
-		return (ISC_FALSE);
-
-#if USE_EVP
-	if ((rsa1->flags & RSA_FLAG_EXT_PKEY) != 0 ||
-	    (rsa2->flags & RSA_FLAG_EXT_PKEY) != 0) {
-		if ((rsa1->flags & RSA_FLAG_EXT_PKEY) == 0 ||
-		    (rsa2->flags & RSA_FLAG_EXT_PKEY) == 0)
-			return (ISC_FALSE);
-		/*
-		 * Can't compare private parameters, BTW does it make sense?
-		 */
-		return (ISC_TRUE);
-	}
-#endif
-
-	if (rsa1->d != NULL || rsa2->d != NULL) {
-		if (rsa1->d == NULL || rsa2->d == NULL)
-			return (ISC_FALSE);
-		status = BN_cmp(rsa1->d, rsa2->d) ||
-			 BN_cmp(rsa1->p, rsa2->p) ||
-			 BN_cmp(rsa1->q, rsa2->q);
-
-		if (status != 0)
-			return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-static int
-progress_cb(int p, int n, BN_GENCB *cb)
-{
-	union {
-		void *dptr;
-		void (*fptr)(int);
-	} u;
-
-	UNUSED(n);
-
-	u.dptr = cb->arg;
-	if (u.fptr != NULL)
-		u.fptr(p);
-	return (1);
-}
-#endif
-
-static isc_result_t
-opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
-	isc_result_t ret = DST_R_OPENSSLFAILURE;
-	BN_GENCB cb;
-	union {
-		void *dptr;
-		void (*fptr)(int);
-	} u;
-	RSA *rsa = RSA_new();
-	BIGNUM *e = BN_new();
-#if USE_EVP
-	EVP_PKEY *pkey = EVP_PKEY_new();
-#endif
-
-	if (rsa == NULL || e == NULL)
-		goto err;
-#if USE_EVP
-	if (pkey == NULL)
-		goto err;
-	if (!EVP_PKEY_set1_RSA(pkey, rsa))
-		goto err;
-#endif
-
-	if (exp == 0) {
-		/* RSA_F4 0x10001 */
-		BN_set_bit(e, 0);
-		BN_set_bit(e, 16);
-	} else {
-		/* (phased-out) F5 0x100000001 */
-		BN_set_bit(e, 0);
-		BN_set_bit(e, 32);
-	}
-
-	if (callback == NULL) {
-		BN_GENCB_set_old(&cb, NULL, NULL);
-	} else {
-		u.fptr = callback;
-		BN_GENCB_set(&cb, &progress_cb, u.dptr);
-	}
-
-	if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
-		BN_free(e);
-		SET_FLAGS(rsa);
-#if USE_EVP
-		key->keydata.pkey = pkey;
-
-		RSA_free(rsa);
-#else
-		key->keydata.rsa = rsa;
-#endif
-		return (ISC_R_SUCCESS);
-	}
-	ret = dst__openssl_toresult2("RSA_generate_key_ex",
-				     DST_R_OPENSSLFAILURE);
-
-err:
-#if USE_EVP
-	if (pkey != NULL)
-		EVP_PKEY_free(pkey);
-#endif
-	if (e != NULL)
-		BN_free(e);
-	if (rsa != NULL)
-		RSA_free(rsa);
-	return (dst__openssl_toresult(ret));
-#else
-	RSA *rsa;
-	unsigned long e;
-#if USE_EVP
-	EVP_PKEY *pkey = EVP_PKEY_new();
-
-	UNUSED(callback);
-
-	if (pkey == NULL)
-		return (ISC_R_NOMEMORY);
-#else
-	UNUSED(callback);
-#endif
-
-	if (exp == 0)
-	       e = RSA_F4;
-	else
-	       e = 0x40000003;
-	rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
-	if (rsa == NULL) {
-#if USE_EVP
-		EVP_PKEY_free(pkey);
-#endif
-		return (dst__openssl_toresult2("RSA_generate_key",
-					       DST_R_OPENSSLFAILURE));
-	}
-	SET_FLAGS(rsa);
-#if USE_EVP
-	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
-		EVP_PKEY_free(pkey);
-		RSA_free(rsa);
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-	key->keydata.pkey = pkey;
-	RSA_free(rsa);
-#else
-	key->keydata.rsa = rsa;
-#endif
-
-	return (ISC_R_SUCCESS);
-#endif
-}
-
-static isc_boolean_t
-opensslrsa_isprivate(const dst_key_t *key) {
-#if USE_EVP
-	RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
-	INSIST(rsa != NULL);
-	RSA_free(rsa);
-	/* key->keydata.pkey still has a reference so rsa is still valid. */
-#else
-	RSA *rsa = key->keydata.rsa;
-#endif
-	if (rsa != NULL && (rsa->flags & RSA_FLAG_EXT_PKEY) != 0)
-		return (ISC_TRUE);
-	return (ISC_TF(rsa != NULL && rsa->d != NULL));
-}
-
-static void
-opensslrsa_destroy(dst_key_t *key) {
-#if USE_EVP
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EVP_PKEY_free(pkey);
-	key->keydata.pkey = NULL;
-#else
-	RSA *rsa = key->keydata.rsa;
-	RSA_free(rsa);
-	key->keydata.rsa = NULL;
-#endif
-}
-
-
-static isc_result_t
-opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
-	isc_region_t r;
-	unsigned int e_bytes;
-	unsigned int mod_bytes;
-	isc_result_t ret;
-	RSA *rsa;
-#if USE_EVP
-	EVP_PKEY *pkey;
-#endif
-
-#if USE_EVP
-	REQUIRE(key->keydata.pkey != NULL);
-#else
-	REQUIRE(key->keydata.rsa != NULL);
-#endif
-
-#if USE_EVP
-	pkey = key->keydata.pkey;
-	rsa = EVP_PKEY_get1_RSA(pkey);
-	if (rsa == NULL)
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-#else
-	rsa = key->keydata.rsa;
-#endif
-
-	isc_buffer_availableregion(data, &r);
-
-	e_bytes = BN_num_bytes(rsa->e);
-	mod_bytes = BN_num_bytes(rsa->n);
-
-	if (e_bytes < 256) {	/*%< key exponent is <= 2040 bits */
-		if (r.length < 1)
-			DST_RET(ISC_R_NOSPACE);
-		isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
-		isc_region_consume(&r, 1);
-	} else {
-		if (r.length < 3)
-			DST_RET(ISC_R_NOSPACE);
-		isc_buffer_putuint8(data, 0);
-		isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
-		isc_region_consume(&r, 3);
-	}
-
-	if (r.length < e_bytes + mod_bytes)
-		DST_RET(ISC_R_NOSPACE);
-
-	BN_bn2bin(rsa->e, r.base);
-	isc_region_consume(&r, e_bytes);
-	BN_bn2bin(rsa->n, r.base);
-
-	isc_buffer_add(data, e_bytes + mod_bytes);
-
-	ret = ISC_R_SUCCESS;
- err:
-#if USE_EVP
-	if (rsa != NULL)
-		RSA_free(rsa);
-#endif
-	return (ret);
-}
-
-static isc_result_t
-opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	RSA *rsa;
-	isc_region_t r;
-	unsigned int e_bytes;
-#if USE_EVP
-	EVP_PKEY *pkey;
-#endif
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
-
-	rsa = RSA_new();
-	if (rsa == NULL)
-		return (dst__openssl_toresult(ISC_R_NOMEMORY));
-	SET_FLAGS(rsa);
-
-	if (r.length < 1) {
-		RSA_free(rsa);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	e_bytes = *r.base++;
-	r.length--;
-
-	if (e_bytes == 0) {
-		if (r.length < 2) {
-			RSA_free(rsa);
-			return (DST_R_INVALIDPUBLICKEY);
-		}
-		e_bytes = ((*r.base++) << 8);
-		e_bytes += *r.base++;
-		r.length -= 2;
-	}
-
-	if (r.length < e_bytes) {
-		RSA_free(rsa);
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
-	r.base += e_bytes;
-	r.length -= e_bytes;
-
-	rsa->n = BN_bin2bn(r.base, r.length, NULL);
-
-	key->key_size = BN_num_bits(rsa->n);
-
-	isc_buffer_forward(data, r.length);
-
-#if USE_EVP
-	pkey = EVP_PKEY_new();
-	if (pkey == NULL) {
-		RSA_free(rsa);
-		return (ISC_R_NOMEMORY);
-	}
-	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
-		EVP_PKEY_free(pkey);
-		RSA_free(rsa);
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-	key->keydata.pkey = pkey;
-	RSA_free(rsa);
-#else
-	key->keydata.rsa = rsa;
-#endif
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslrsa_tofile(const dst_key_t *key, const char *directory) {
-	int i;
-	RSA *rsa;
-	dst_private_t priv;
-	unsigned char *bufs[8];
-	isc_result_t result;
-
-#if USE_EVP
-	if (key->keydata.pkey == NULL)
-		return (DST_R_NULLKEY);
-	rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
-	if (rsa == NULL)
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-#else
-	if (key->keydata.rsa == NULL)
-		return (DST_R_NULLKEY);
-	rsa = key->keydata.rsa;
-#endif
-
-	memset(bufs, 0, sizeof(bufs));
-	for (i = 0; i < 8; i++) {
-		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n));
-		if (bufs[i] == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto fail;
-		}
-	}
-
-	i = 0;
-
-	priv.elements[i].tag = TAG_RSA_MODULUS;
-	priv.elements[i].length = BN_num_bytes(rsa->n);
-	BN_bn2bin(rsa->n, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
-
-	priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
-	priv.elements[i].length = BN_num_bytes(rsa->e);
-	BN_bn2bin(rsa->e, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
-
-	if (rsa->d != NULL) {
-		priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
-		priv.elements[i].length = BN_num_bytes(rsa->d);
-		BN_bn2bin(rsa->d, bufs[i]);
-		priv.elements[i].data = bufs[i];
-		i++;
-	}
-
-	if (rsa->p != NULL) {
-		priv.elements[i].tag = TAG_RSA_PRIME1;
-		priv.elements[i].length = BN_num_bytes(rsa->p);
-		BN_bn2bin(rsa->p, bufs[i]);
-		priv.elements[i].data = bufs[i];
-		i++;
-	}
-
-	if (rsa->q != NULL) {
-		priv.elements[i].tag = TAG_RSA_PRIME2;
-		priv.elements[i].length = BN_num_bytes(rsa->q);
-		BN_bn2bin(rsa->q, bufs[i]);
-		priv.elements[i].data = bufs[i];
-		i++;
-	}
-
-	if (rsa->dmp1 != NULL) {
-		priv.elements[i].tag = TAG_RSA_EXPONENT1;
-		priv.elements[i].length = BN_num_bytes(rsa->dmp1);
-		BN_bn2bin(rsa->dmp1, bufs[i]);
-		priv.elements[i].data = bufs[i];
-		i++;
-	}
-
-	if (rsa->dmq1 != NULL) {
-		priv.elements[i].tag = TAG_RSA_EXPONENT2;
-		priv.elements[i].length = BN_num_bytes(rsa->dmq1);
-		BN_bn2bin(rsa->dmq1, bufs[i]);
-		priv.elements[i].data = bufs[i];
-		i++;
-	}
-
-	if (rsa->iqmp != NULL) {
-		priv.elements[i].tag = TAG_RSA_COEFFICIENT;
-		priv.elements[i].length = BN_num_bytes(rsa->iqmp);
-		BN_bn2bin(rsa->iqmp, bufs[i]);
-		priv.elements[i].data = bufs[i];
-		i++;
-	}
-
-	if (key->engine != NULL) {
-		priv.elements[i].tag = TAG_RSA_ENGINE;
-		priv.elements[i].length = strlen(key->engine) + 1;
-		priv.elements[i].data = (unsigned char *)key->engine;
-		i++;
-	}
-
-	if (key->label != NULL) {
-		priv.elements[i].tag = TAG_RSA_LABEL;
-		priv.elements[i].length = strlen(key->label) + 1;
-		priv.elements[i].data = (unsigned char *)key->label;
-		i++;
-	}
-
-
-	priv.nelements = i;
-	result = dst__privstruct_writefile(key, &priv, directory);
- fail:
-#if USE_EVP
-	RSA_free(rsa);
-#endif
-	for (i = 0; i < 8; i++) {
-		if (bufs[i] == NULL)
-			break;
-		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(rsa->n));
-	}
-	return (result);
-}
-
-static isc_result_t
-rsa_check(RSA *rsa, RSA *pub)
-{
-	/* Public parameters should be the same but if they are not set
-	 * copy them from the public key. */
-	if (pub != NULL) {
-		if (rsa->n != NULL) {
-			if (BN_cmp(rsa->n, pub->n) != 0)
-				return (DST_R_INVALIDPRIVATEKEY);
-		} else {
-			rsa->n = pub->n;
-			pub->n = NULL;
-		}
-		if (rsa->e != NULL) {
-			if (BN_cmp(rsa->e, pub->e) != 0)
-				return (DST_R_INVALIDPRIVATEKEY);
-		} else {
-			rsa->e = pub->e;
-			pub->e = NULL;
-		}
-	}
-	if (rsa->n == NULL || rsa->e == NULL)
-		return (DST_R_INVALIDPRIVATEKEY);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t ret;
-	int i;
-	RSA *rsa = NULL, *pubrsa = NULL;
-#ifdef USE_ENGINE
-	ENGINE *e = NULL;
-#endif
-	isc_mem_t *mctx = key->mctx;
-	const char *engine = NULL, *label = NULL;
-#if defined(USE_ENGINE) || USE_EVP
-	EVP_PKEY *pkey = NULL;
-#endif
-
-#if USE_EVP
-	if (pub != NULL && pub->keydata.pkey != NULL)
-		pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
-#else
-	if (pub != NULL && pub->keydata.rsa != NULL) {
-		pubrsa = pub->keydata.rsa;
-		pub->keydata.rsa = NULL;
-	}
-#endif
-
-	/* read private key file */
-	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
-	if (ret != ISC_R_SUCCESS)
-		goto err;
-
-	for (i = 0; i < priv.nelements; i++) {
-		switch (priv.elements[i].tag) {
-		case TAG_RSA_ENGINE:
-			engine = (char *)priv.elements[i].data;
-			break;
-		case TAG_RSA_LABEL:
-			label = (char *)priv.elements[i].data;
-			break;
-		default:
-			break;
-		}
-	}
-	/*
-	 * Is this key is stored in a HSM?
-	 * See if we can fetch it.
-	 */
-	if (label != NULL) {
-#ifdef USE_ENGINE
-		if (engine == NULL)
-			DST_RET(DST_R_NOENGINE);
-		e = dst__openssl_getengine(engine);
-		if (e == NULL)
-			DST_RET(DST_R_NOENGINE);
-		pkey = ENGINE_load_private_key(e, label, NULL, NULL);
-		if (pkey == NULL)
-			DST_RET(dst__openssl_toresult2(
-					"ENGINE_load_private_key",
-					ISC_R_NOTFOUND));
-		key->engine = isc_mem_strdup(key->mctx, engine);
-		if (key->engine == NULL)
-			DST_RET(ISC_R_NOMEMORY);
-		key->label = isc_mem_strdup(key->mctx, label);
-		if (key->label == NULL)
-			DST_RET(ISC_R_NOMEMORY);
-		rsa = EVP_PKEY_get1_RSA(pkey);
-		if (rsa == NULL)
-			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-		if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
-			DST_RET(DST_R_INVALIDPRIVATEKEY);
-		if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS)
-			DST_RET(ISC_R_RANGE);
-		if (pubrsa != NULL)
-			RSA_free(pubrsa);
-		key->key_size = EVP_PKEY_bits(pkey);
-#if USE_EVP
-		key->keydata.pkey = pkey;
-		RSA_free(rsa);
-#else
-		key->keydata.rsa = rsa;
-		EVP_PKEY_free(pkey);
-#endif
-		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
-		return (ISC_R_SUCCESS);
-#else
-		DST_RET(DST_R_NOENGINE);
-#endif
-	}
-
-	rsa = RSA_new();
-	if (rsa == NULL)
-		DST_RET(ISC_R_NOMEMORY);
-	SET_FLAGS(rsa);
-
-#if USE_EVP
-	pkey = EVP_PKEY_new();
-	if (pkey == NULL)
-		DST_RET(ISC_R_NOMEMORY);
-	if (!EVP_PKEY_set1_RSA(pkey, rsa))
-		DST_RET(ISC_R_FAILURE);
-	key->keydata.pkey = pkey;
-#else
-	key->keydata.rsa = rsa;
-#endif
-
-	for (i = 0; i < priv.nelements; i++) {
-		BIGNUM *bn;
-		switch (priv.elements[i].tag) {
-		case TAG_RSA_ENGINE:
-			continue;
-		case TAG_RSA_LABEL:
-			continue;
-		case TAG_RSA_PIN:
-			continue;
-		default:
-			bn = BN_bin2bn(priv.elements[i].data,
-				       priv.elements[i].length, NULL);
-			if (bn == NULL)
-				DST_RET(ISC_R_NOMEMORY);
-		}
-
-		switch (priv.elements[i].tag) {
-			case TAG_RSA_MODULUS:
-				rsa->n = bn;
-				break;
-			case TAG_RSA_PUBLICEXPONENT:
-				rsa->e = bn;
-				break;
-			case TAG_RSA_PRIVATEEXPONENT:
-				rsa->d = bn;
-				break;
-			case TAG_RSA_PRIME1:
-				rsa->p = bn;
-				break;
-			case TAG_RSA_PRIME2:
-				rsa->q = bn;
-				break;
-			case TAG_RSA_EXPONENT1:
-				rsa->dmp1 = bn;
-				break;
-			case TAG_RSA_EXPONENT2:
-				rsa->dmq1 = bn;
-				break;
-			case TAG_RSA_COEFFICIENT:
-				rsa->iqmp = bn;
-				break;
-		}
-	}
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-
-	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS)
-		DST_RET(ISC_R_RANGE);
-	key->key_size = BN_num_bits(rsa->n);
-	if (pubrsa != NULL)
-		RSA_free(pubrsa);
-#if USE_EVP
-	RSA_free(rsa);
-#endif
-
-	return (ISC_R_SUCCESS);
-
- err:
-#if USE_EVP
-	if (pkey != NULL)
-		EVP_PKEY_free(pkey);
-#endif
-	if (rsa != NULL)
-		RSA_free(rsa);
-	if (pubrsa != NULL)
-		RSA_free(pubrsa);
-	key->keydata.generic = NULL;
-	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
-	return (ret);
-}
-
-static isc_result_t
-opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
-		     const char *pin)
-{
-#ifdef USE_ENGINE
-	ENGINE *e = NULL;
-	isc_result_t ret;
-	EVP_PKEY *pkey = NULL;
-	RSA *rsa = NULL, *pubrsa = NULL;
-	char *colon;
-
-	UNUSED(pin);
-
-	if (engine == NULL)
-		DST_RET(DST_R_NOENGINE);
-	e = dst__openssl_getengine(engine);
-	if (e == NULL)
-		DST_RET(DST_R_NOENGINE);
-	pkey = ENGINE_load_public_key(e, label, NULL, NULL);
-	if (pkey != NULL) {
-		pubrsa = EVP_PKEY_get1_RSA(pkey);
-		EVP_PKEY_free(pkey);
-		if (pubrsa == NULL)
-			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
-	if (pkey == NULL)
-		DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
-					       ISC_R_NOTFOUND));
-	if (engine != NULL) {
-		key->engine = isc_mem_strdup(key->mctx, engine);
-		if (key->engine == NULL)
-			DST_RET(ISC_R_NOMEMORY);
-	} else {
-		key->engine = isc_mem_strdup(key->mctx, label);
-		if (key->engine == NULL)
-			DST_RET(ISC_R_NOMEMORY);
-		colon = strchr(key->engine, ':');
-		if (colon != NULL)
-			*colon = '\0';
-	}
-	key->label = isc_mem_strdup(key->mctx, label);
-	if (key->label == NULL)
-		DST_RET(ISC_R_NOMEMORY);
-	rsa = EVP_PKEY_get1_RSA(pkey);
-	if (rsa == NULL)
-		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS)
-		DST_RET(ISC_R_RANGE);
-	if (pubrsa != NULL)
-		RSA_free(pubrsa);
-	key->key_size = EVP_PKEY_bits(pkey);
-#if USE_EVP
-	key->keydata.pkey = pkey;
-	RSA_free(rsa);
-#else
-	key->keydata.rsa = rsa;
-	EVP_PKEY_free(pkey);
-#endif
-	return (ISC_R_SUCCESS);
-
- err:
-	if (rsa != NULL)
-		RSA_free(rsa);
-	if (pubrsa != NULL)
-		RSA_free(pubrsa);
-	if (pkey != NULL)
-		EVP_PKEY_free(pkey);
-	return (ret);
-#else
-	UNUSED(key);
-	UNUSED(engine);
-	UNUSED(label);
-	UNUSED(pin);
-	return(DST_R_NOENGINE);
-#endif
-}
-
-static dst_func_t opensslrsa_functions = {
-	opensslrsa_createctx,
-	opensslrsa_destroyctx,
-	opensslrsa_adddata,
-	opensslrsa_sign,
-	opensslrsa_verify,
-	opensslrsa_verify2,
-	NULL, /*%< computesecret */
-	opensslrsa_compare,
-	NULL, /*%< paramcompare */
-	opensslrsa_generate,
-	opensslrsa_isprivate,
-	opensslrsa_destroy,
-	opensslrsa_todns,
-	opensslrsa_fromdns,
-	opensslrsa_tofile,
-	opensslrsa_parse,
-	NULL, /*%< cleanup */
-	opensslrsa_fromlabel,
-	NULL, /*%< dump */
-	NULL, /*%< restore */
-};
-
-isc_result_t
-dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
-	REQUIRE(funcp != NULL);
-
-	if (*funcp == NULL) {
-		switch (algorithm) {
-		case DST_ALG_RSASHA256:
-#if defined(HAVE_EVP_SHA256) || !USE_EVP
-			*funcp = &opensslrsa_functions;
-#endif
-			break;
-		case DST_ALG_RSASHA512:
-#if defined(HAVE_EVP_SHA512) || !USE_EVP
-			*funcp = &opensslrsa_functions;
-#endif
-			break;
-		default:
-			*funcp = &opensslrsa_functions;
-			break;
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-#else /* OPENSSL */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* OPENSSL */
-/*! \file */
diff --git a/contrib/bind9/lib/dns/order.c b/contrib/bind9/lib/dns/order.c
deleted file mode 100644
index 853b001..0000000
--- a/contrib/bind9/lib/dns/order.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: order.c,v 1.10 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/types.h>
-#include <isc/util.h>
-#include <isc/refcount.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/order.h>
-#include <dns/rdataset.h>
-#include <dns/types.h>
-
-typedef struct dns_order_ent dns_order_ent_t;
-struct dns_order_ent {
-	dns_fixedname_t			name;
-	dns_rdataclass_t		rdclass;
-	dns_rdatatype_t			rdtype;
-	unsigned int			mode;
-	ISC_LINK(dns_order_ent_t)	link;
-};
-
-struct dns_order {
-	unsigned int			magic;
-	isc_refcount_t          	references;
-	ISC_LIST(dns_order_ent_t)	ents;
-	isc_mem_t			*mctx;
-};
-	
-#define DNS_ORDER_MAGIC ISC_MAGIC('O','r','d','r')
-#define DNS_ORDER_VALID(order)	ISC_MAGIC_VALID(order, DNS_ORDER_MAGIC)
-
-isc_result_t
-dns_order_create(isc_mem_t *mctx, dns_order_t **orderp) {
-	dns_order_t *order;
-	isc_result_t result;
-
-	REQUIRE(orderp != NULL && *orderp == NULL);
-
-	order = isc_mem_get(mctx, sizeof(*order));
-	if (order == NULL)
-		return (ISC_R_NOMEMORY);
-	
-	ISC_LIST_INIT(order->ents);
-
-	/* Implicit attach. */
-	result = isc_refcount_init(&order->references, 1);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, order, sizeof(*order));
-		return (result);
-	}
-
-	order->mctx = NULL;
-	isc_mem_attach(mctx, &order->mctx);
-	order->magic = DNS_ORDER_MAGIC;
-	*orderp = order;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_order_add(dns_order_t *order, dns_name_t *name,
-	      dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
-	      unsigned int mode)
-{
-	dns_order_ent_t *ent;
-
-	REQUIRE(DNS_ORDER_VALID(order));
-	REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE ||
-	        mode == DNS_RDATASETATTR_FIXEDORDER ||
-		mode == 0 /* DNS_RDATASETATTR_CYCLIC */ );
-
-	ent = isc_mem_get(order->mctx, sizeof(*ent));
-	if (ent == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dns_fixedname_init(&ent->name);
-	RUNTIME_CHECK(dns_name_copy(name, dns_fixedname_name(&ent->name), NULL)
-		      == ISC_R_SUCCESS);
-	ent->rdtype = rdtype;
-	ent->rdclass = rdclass;
-	ent->mode = mode;
-	ISC_LINK_INIT(ent, link);
-	ISC_LIST_INITANDAPPEND(order->ents, ent, link);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_boolean_t
-match(dns_name_t *name1, dns_name_t *name2) {
-	
-	if (dns_name_iswildcard(name2))
-		return(dns_name_matcheswildcard(name1, name2));
-	return (dns_name_equal(name1, name2));
-}
-
-unsigned int
-dns_order_find(dns_order_t *order, dns_name_t *name,
-	       dns_rdatatype_t rdtype, dns_rdataclass_t rdclass)
-{
-	dns_order_ent_t *ent;
-	REQUIRE(DNS_ORDER_VALID(order));
-
-	for (ent = ISC_LIST_HEAD(order->ents);
-	     ent != NULL;
-	     ent = ISC_LIST_NEXT(ent, link)) {
-		if (ent->rdtype != rdtype && ent->rdtype != dns_rdatatype_any)
-			continue;
-		if (ent->rdclass != rdclass &&
-		    ent->rdclass != dns_rdataclass_any)
-			continue;
-		if (match(name, dns_fixedname_name(&ent->name)))
-			return (ent->mode);
-	}
-	return (0);
-}
-
-void
-dns_order_attach(dns_order_t *source, dns_order_t **target) {
-	REQUIRE(DNS_ORDER_VALID(source));
-	REQUIRE(target != NULL && *target == NULL);
-	isc_refcount_increment(&source->references, NULL);
-	*target = source;
-}
-
-void
-dns_order_detach(dns_order_t **orderp) {
-	dns_order_t *order;
-	dns_order_ent_t *ent;
-	unsigned int references;
-
-	REQUIRE(orderp != NULL);
-	order = *orderp;
-	REQUIRE(DNS_ORDER_VALID(order));
-	isc_refcount_decrement(&order->references, &references);
-	*orderp = NULL;
-	if (references != 0)
-		return;
-
-	order->magic = 0;
-	while ((ent = ISC_LIST_HEAD(order->ents)) != NULL) {
-		ISC_LIST_UNLINK(order->ents, ent, link);
-		isc_mem_put(order->mctx, ent, sizeof(*ent));
-	}
-	isc_refcount_destroy(&order->references);
-	isc_mem_putanddetach(&order->mctx, order, sizeof(*order));
-}
diff --git a/contrib/bind9/lib/dns/peer.c b/contrib/bind9/lib/dns/peer.c
deleted file mode 100644
index ec9e08c..0000000
--- a/contrib/bind9/lib/dns/peer.c
+++ /dev/null
@@ -1,712 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: peer.c,v 1.33 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-#include <isc/sockaddr.h>
-
-#include <dns/bit.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/peer.h>
-
-/*%
- * Bit positions in the dns_peer_t structure flags field
- */
-#define BOGUS_BIT			0
-#define SERVER_TRANSFER_FORMAT_BIT	1
-#define TRANSFERS_BIT			2
-#define PROVIDE_IXFR_BIT		3
-#define REQUEST_IXFR_BIT		4
-#define SUPPORT_EDNS_BIT		5
-#define SERVER_UDPSIZE_BIT		6
-#define SERVER_MAXUDP_BIT		7
-#define REQUEST_NSID_BIT                8
-
-static void
-peerlist_delete(dns_peerlist_t **list);
-
-static void
-peer_delete(dns_peer_t **peer);
-
-isc_result_t
-dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list) {
-	dns_peerlist_t *l;
-
-	REQUIRE(list != NULL);
-
-	l = isc_mem_get(mem, sizeof(*l));
-	if (l == NULL)
-		return (ISC_R_NOMEMORY);
-
-	ISC_LIST_INIT(l->elements);
-	l->mem = mem;
-	l->refs = 1;
-	l->magic = DNS_PEERLIST_MAGIC;
-
-	*list = l;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target) {
-	REQUIRE(DNS_PEERLIST_VALID(source));
-	REQUIRE(target != NULL);
-	REQUIRE(*target == NULL);
-
-	source->refs++;
-
-	ENSURE(source->refs != 0xffffffffU);
-
-	*target = source;
-}
-
-void
-dns_peerlist_detach(dns_peerlist_t **list) {
-	dns_peerlist_t *plist;
-
-	REQUIRE(list != NULL);
-	REQUIRE(*list != NULL);
-	REQUIRE(DNS_PEERLIST_VALID(*list));
-
-	plist = *list;
-	*list = NULL;
-
-	REQUIRE(plist->refs > 0);
-
-	plist->refs--;
-
-	if (plist->refs == 0)
-		peerlist_delete(&plist);
-}
-
-static void
-peerlist_delete(dns_peerlist_t **list) {
-	dns_peerlist_t *l;
-	dns_peer_t *server, *stmp;
-
-	REQUIRE(list != NULL);
-	REQUIRE(DNS_PEERLIST_VALID(*list));
-
-	l = *list;
-
-	REQUIRE(l->refs == 0);
-
-	server = ISC_LIST_HEAD(l->elements);
-	while (server != NULL) {
-		stmp = ISC_LIST_NEXT(server, next);
-		ISC_LIST_UNLINK(l->elements, server, next);
-		dns_peer_detach(&server);
-		server = stmp;
-	}
-
-	l->magic = 0;
-	isc_mem_put(l->mem, l, sizeof(*l));
-
-	*list = NULL;
-}
-
-void
-dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer) {
-	dns_peer_t *p = NULL;
-
-	dns_peer_attach(peer, &p);
-
-	/*
-	 * More specifics to front of list.
-	 */
-	for (p = ISC_LIST_HEAD(peers->elements);
-	     p != NULL;
-	     p = ISC_LIST_NEXT(p, next))
-		if (p->prefixlen < peer->prefixlen)
-			break;
-
-	if (p != NULL)
-		ISC_LIST_INSERTBEFORE(peers->elements, p, peer, next);
-	else
-		ISC_LIST_APPEND(peers->elements, peer, next);
-
-}
-
-isc_result_t
-dns_peerlist_peerbyaddr(dns_peerlist_t *servers,
-			isc_netaddr_t *addr, dns_peer_t **retval)
-{
-	dns_peer_t *server;
-	isc_result_t res;
-
-	REQUIRE(retval != NULL);
-	REQUIRE(DNS_PEERLIST_VALID(servers));
-
-	server = ISC_LIST_HEAD(servers->elements);
-	while (server != NULL) {
-		if (isc_netaddr_eqprefix(addr, &server->address,
-					 server->prefixlen))
-			break;
-
-		server = ISC_LIST_NEXT(server, next);
-	}
-
-	if (server != NULL) {
-		*retval = server;
-		res = ISC_R_SUCCESS;
-	} else {
-		res = ISC_R_NOTFOUND;
-	}
-
-	return (res);
-}
-
-
-
-isc_result_t
-dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval) {
-	dns_peer_t *p = NULL;
-
-	p = ISC_LIST_TAIL(peers->elements);
-
-	dns_peer_attach(p, retval);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
-	unsigned int prefixlen = 0;
-
-	REQUIRE(peerptr != NULL);
-	switch(addr->family) {
-	case AF_INET:
-		prefixlen = 32;
-		break;
-	case AF_INET6:
-		 prefixlen = 128;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	return (dns_peer_newprefix(mem, addr, prefixlen, peerptr));
-}
-
-isc_result_t
-dns_peer_newprefix(isc_mem_t *mem, isc_netaddr_t *addr, unsigned int prefixlen,
-		   dns_peer_t **peerptr)
-{
-	dns_peer_t *peer;
-
-	REQUIRE(peerptr != NULL);
-
-	peer = isc_mem_get(mem, sizeof(*peer));
-	if (peer == NULL)
-		return (ISC_R_NOMEMORY);
-
-	peer->magic = DNS_PEER_MAGIC;
-	peer->address = *addr;
-	peer->prefixlen = prefixlen;
-	peer->mem = mem;
-	peer->bogus = ISC_FALSE;
-	peer->transfer_format = dns_one_answer;
-	peer->transfers = 0;
-	peer->request_ixfr = ISC_FALSE;
-	peer->provide_ixfr = ISC_FALSE;
-	peer->key = NULL;
-	peer->refs = 1;
-	peer->transfer_source = NULL;
-	peer->notify_source = NULL;
-	peer->query_source = NULL;
-
-	memset(&peer->bitflags, 0x0, sizeof(peer->bitflags));
-
-	ISC_LINK_INIT(peer, next);
-
-	*peerptr = peer;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_peer_attach(dns_peer_t *source, dns_peer_t **target) {
-	REQUIRE(DNS_PEER_VALID(source));
-	REQUIRE(target != NULL);
-	REQUIRE(*target == NULL);
-
-	source->refs++;
-
-	ENSURE(source->refs != 0xffffffffU);
-
-	*target = source;
-}
-
-void
-dns_peer_detach(dns_peer_t **peer) {
-	dns_peer_t *p;
-
-	REQUIRE(peer != NULL);
-	REQUIRE(*peer != NULL);
-	REQUIRE(DNS_PEER_VALID(*peer));
-
-	p = *peer;
-
-	REQUIRE(p->refs > 0);
-
-	*peer = NULL;
-	p->refs--;
-
-	if (p->refs == 0)
-		peer_delete(&p);
-}
-
-static void
-peer_delete(dns_peer_t **peer) {
-	dns_peer_t *p;
-	isc_mem_t *mem;
-
-	REQUIRE(peer != NULL);
-	REQUIRE(DNS_PEER_VALID(*peer));
-
-	p = *peer;
-
-	REQUIRE(p->refs == 0);
-
-	mem = p->mem;
-	p->mem = NULL;
-	p->magic = 0;
-
-	if (p->key != NULL) {
-		dns_name_free(p->key, mem);
-		isc_mem_put(mem, p->key, sizeof(dns_name_t));
-	}
-
-	if (p->transfer_source != NULL) {
-		isc_mem_put(mem, p->transfer_source,
-			    sizeof(*p->transfer_source));
-	}
-
-	isc_mem_put(mem, p, sizeof(*p));
-
-	*peer = NULL;
-}
-
-isc_result_t
-dns_peer_setbogus(dns_peer_t *peer, isc_boolean_t newval) {
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	existed = DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags);
-
-	peer->bogus = newval;
-	DNS_BIT_SET(BOGUS_BIT, &peer->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getbogus(dns_peer_t *peer, isc_boolean_t *retval) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(retval != NULL);
-
-	if (DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags)) {
-		*retval = peer->bogus;
-		return (ISC_R_SUCCESS);
-	} else
-		return (ISC_R_NOTFOUND);
-}
-
-
-isc_result_t
-dns_peer_setprovideixfr(dns_peer_t *peer, isc_boolean_t newval) {
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	existed = DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags);
-
-	peer->provide_ixfr = newval;
-	DNS_BIT_SET(PROVIDE_IXFR_BIT, &peer->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(retval != NULL);
-
-	if (DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags)) {
-		*retval = peer->provide_ixfr;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
-
-isc_result_t
-dns_peer_setrequestixfr(dns_peer_t *peer, isc_boolean_t newval) {
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	existed = DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags);
-
-	peer->request_ixfr = newval;
-	DNS_BIT_SET(REQUEST_IXFR_BIT, &peer->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getrequestixfr(dns_peer_t *peer, isc_boolean_t *retval) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(retval != NULL);
-
-	if (DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags)) {
-		*retval = peer->request_ixfr;
-		return (ISC_R_SUCCESS);
-	} else
-		return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_peer_setsupportedns(dns_peer_t *peer, isc_boolean_t newval) {
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	existed = DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags);
-
-	peer->support_edns = newval;
-	DNS_BIT_SET(SUPPORT_EDNS_BIT, &peer->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getsupportedns(dns_peer_t *peer, isc_boolean_t *retval) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(retval != NULL);
-
-	if (DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags)) {
-		*retval = peer->support_edns;
-		return (ISC_R_SUCCESS);
-	} else
-		return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_peer_setrequestnsid(dns_peer_t *peer, isc_boolean_t newval) {
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	existed = DNS_BIT_CHECK(REQUEST_NSID_BIT, &peer->bitflags);
-
-	peer->request_nsid = newval;
-	DNS_BIT_SET(REQUEST_NSID_BIT, &peer->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getrequestnsid(dns_peer_t *peer, isc_boolean_t *retval) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(retval != NULL);
-
-	if (DNS_BIT_CHECK(REQUEST_NSID_BIT, &peer->bitflags)) {
-		*retval = peer->request_nsid;
-		return (ISC_R_SUCCESS);
-	} else
-		return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_peer_settransfers(dns_peer_t *peer, isc_uint32_t newval) {
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	existed = DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags);
-
-	peer->transfers = newval;
-	DNS_BIT_SET(TRANSFERS_BIT, &peer->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_gettransfers(dns_peer_t *peer, isc_uint32_t *retval) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(retval != NULL);
-
-	if (DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags)) {
-		*retval = peer->transfers;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
-
-isc_result_t
-dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval) {
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	existed = DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT,
-				 &peer->bitflags);
-
-	peer->transfer_format = newval;
-	DNS_BIT_SET(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(retval != NULL);
-
-	if (DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags)) {
-		*retval = peer->transfer_format;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
-
-isc_result_t
-dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(retval != NULL);
-
-	if (peer->key != NULL) {
-		*retval = peer->key;
-	}
-
-	return (peer->key == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval) {
-	isc_boolean_t exists = ISC_FALSE;
-
-	if (peer->key != NULL) {
-		dns_name_free(peer->key, peer->mem);
-		isc_mem_put(peer->mem, peer->key, sizeof(dns_name_t));
-		exists = ISC_TRUE;
-	}
-
-	peer->key = *keyval;
-	*keyval = NULL;
-
-	return (exists ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
-	isc_buffer_t b;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	isc_result_t result;
-
-	dns_fixedname_init(&fname);
-	isc_buffer_constinit(&b, keyval, strlen(keyval));
-	isc_buffer_add(&b, strlen(keyval));
-	result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
-				   dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	name = isc_mem_get(peer->mem, sizeof(dns_name_t));
-	if (name == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dns_name_init(name, NULL);
-	result = dns_name_dup(dns_fixedname_name(&fname), peer->mem, name);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(peer->mem, name, sizeof(dns_name_t));
-		return (result);
-	}
-
-	result = dns_peer_setkey(peer, &name);
-	if (result != ISC_R_SUCCESS)
-		isc_mem_put(peer->mem, name, sizeof(dns_name_t));
-
-	return (result);
-}
-
-isc_result_t
-dns_peer_settransfersource(dns_peer_t *peer,
-			   const isc_sockaddr_t *transfer_source)
-{
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	if (peer->transfer_source != NULL) {
-		isc_mem_put(peer->mem, peer->transfer_source,
-			    sizeof(*peer->transfer_source));
-		peer->transfer_source = NULL;
-	}
-	if (transfer_source != NULL) {
-		peer->transfer_source = isc_mem_get(peer->mem,
-						sizeof(*peer->transfer_source));
-		if (peer->transfer_source == NULL)
-			return (ISC_R_NOMEMORY);
-
-		*peer->transfer_source = *transfer_source;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(transfer_source != NULL);
-
-	if (peer->transfer_source == NULL)
-		return (ISC_R_NOTFOUND);
-	*transfer_source = *peer->transfer_source;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_setnotifysource(dns_peer_t *peer,
-			 const isc_sockaddr_t *notify_source)
-{
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	if (peer->notify_source != NULL) {
-		isc_mem_put(peer->mem, peer->notify_source,
-			    sizeof(*peer->notify_source));
-		peer->notify_source = NULL;
-	}
-	if (notify_source != NULL) {
-		peer->notify_source = isc_mem_get(peer->mem,
-						sizeof(*peer->notify_source));
-		if (peer->notify_source == NULL)
-			return (ISC_R_NOMEMORY);
-
-		*peer->notify_source = *notify_source;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(notify_source != NULL);
-
-	if (peer->notify_source == NULL)
-		return (ISC_R_NOTFOUND);
-	*notify_source = *peer->notify_source;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source) {
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	if (peer->query_source != NULL) {
-		isc_mem_put(peer->mem, peer->query_source,
-			    sizeof(*peer->query_source));
-		peer->query_source = NULL;
-	}
-	if (query_source != NULL) {
-		peer->query_source = isc_mem_get(peer->mem,
-						sizeof(*peer->query_source));
-		if (peer->query_source == NULL)
-			return (ISC_R_NOMEMORY);
-
-		*peer->query_source = *query_source;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source) {
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(query_source != NULL);
-
-	if (peer->query_source == NULL)
-		return (ISC_R_NOTFOUND);
-	*query_source = *peer->query_source;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_setudpsize(dns_peer_t *peer, isc_uint16_t udpsize) {
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	existed = DNS_BIT_CHECK(SERVER_UDPSIZE_BIT, &peer->bitflags);
-
-	peer->udpsize = udpsize;
-	DNS_BIT_SET(SERVER_UDPSIZE_BIT, &peer->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getudpsize(dns_peer_t *peer, isc_uint16_t *udpsize) {
-
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(udpsize != NULL);
-
-	if (DNS_BIT_CHECK(SERVER_UDPSIZE_BIT, &peer->bitflags)) {
-		*udpsize = peer->udpsize;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
-
-isc_result_t
-dns_peer_setmaxudp(dns_peer_t *peer, isc_uint16_t maxudp) {
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_PEER_VALID(peer));
-
-	existed = DNS_BIT_CHECK(SERVER_MAXUDP_BIT, &peer->bitflags);
-
-	peer->maxudp = maxudp;
-	DNS_BIT_SET(SERVER_MAXUDP_BIT, &peer->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getmaxudp(dns_peer_t *peer, isc_uint16_t *maxudp) {
-
-	REQUIRE(DNS_PEER_VALID(peer));
-	REQUIRE(maxudp != NULL);
-
-	if (DNS_BIT_CHECK(SERVER_MAXUDP_BIT, &peer->bitflags)) {
-		*maxudp = peer->maxudp;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
diff --git a/contrib/bind9/lib/dns/portlist.c b/contrib/bind9/lib/dns/portlist.c
deleted file mode 100644
index 5bc89f4..0000000
--- a/contrib/bind9/lib/dns/portlist.c
+++ /dev/null
@@ -1,266 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: portlist.c,v 1.13 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
-#include <isc/refcount.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/types.h>
-#include <dns/portlist.h>
-
-#define DNS_PORTLIST_MAGIC	ISC_MAGIC('P','L','S','T')
-#define DNS_VALID_PORTLIST(p)	ISC_MAGIC_VALID(p, DNS_PORTLIST_MAGIC)
-
-typedef struct dns_element {
-	in_port_t	port;
-	isc_uint16_t	flags;
-} dns_element_t;
-
-struct dns_portlist {
-	unsigned int	magic;
-	isc_mem_t	*mctx;
-	isc_refcount_t	refcount;
-	isc_mutex_t	lock;
-	dns_element_t 	*list;
-	unsigned int	allocated;
-	unsigned int	active;
-};
-
-#define DNS_PL_INET	0x0001
-#define DNS_PL_INET6	0x0002
-#define DNS_PL_ALLOCATE	16
-
-static int
-compare(const void *arg1, const void *arg2) {
-	const dns_element_t *e1 = (const dns_element_t *)arg1;
-	const dns_element_t *e2 = (const dns_element_t *)arg2;
-
-	if (e1->port < e2->port)
-		return (-1);
-	if (e1->port > e2->port)
-		return (1);
-	return (0);
-}
-
-isc_result_t
-dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp) {
-	dns_portlist_t *portlist;
-	isc_result_t result;
-
-	REQUIRE(portlistp != NULL && *portlistp == NULL);
-
-	portlist = isc_mem_get(mctx, sizeof(*portlist));
-	if (portlist == NULL)
-		return (ISC_R_NOMEMORY);
-        result = isc_mutex_init(&portlist->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, portlist, sizeof(*portlist));
-		return (result);
-	}
-	result = isc_refcount_init(&portlist->refcount, 1);
-	if (result != ISC_R_SUCCESS) {
-		DESTROYLOCK(&portlist->lock);
-		isc_mem_put(mctx, portlist, sizeof(*portlist));
-		return (result);
-	}
-	portlist->list = NULL;
-	portlist->allocated = 0;
-	portlist->active = 0;
-	portlist->mctx = NULL;
-	isc_mem_attach(mctx, &portlist->mctx);
-	portlist->magic = DNS_PORTLIST_MAGIC;
-	*portlistp = portlist;
-	return (ISC_R_SUCCESS);
-}
-
-static dns_element_t *
-find_port(dns_element_t *list, unsigned int len, in_port_t port) {
-	unsigned int xtry = len / 2;
-	unsigned int min = 0;
-	unsigned int max = len - 1;
-	unsigned int last = len;
-
-	for (;;) {
-		if (list[xtry].port == port)
-			return (&list[xtry]);
-	        if (port > list[xtry].port) {
-			if (xtry == max)
-				break;
-			min = xtry;
-			xtry = xtry + (max - xtry + 1) / 2;
-			INSIST(xtry <= max);
-			if (xtry == last)
-				break;
-			last = min;
-		} else {
-			if (xtry == min)
-				break;
-			max = xtry;
-			xtry = xtry - (xtry - min + 1) / 2;
-			INSIST(xtry >= min);
-			if (xtry == last)
-				break;
-			last = max;
-		}
-	}
-	return (NULL);
-}
-
-isc_result_t
-dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port) {
-	dns_element_t *el;
-	isc_result_t result;
-
-	REQUIRE(DNS_VALID_PORTLIST(portlist));
-	REQUIRE(af == AF_INET || af == AF_INET6);
-
-	LOCK(&portlist->lock);
-	if (portlist->active != 0) {
-		el = find_port(portlist->list, portlist->active, port);
-		if (el != NULL) {
-			if (af == AF_INET)
-				el->flags |= DNS_PL_INET;
-			else
-				el->flags |= DNS_PL_INET6;
-			result = ISC_R_SUCCESS;
-			goto unlock;
-		}
-	}
-
-	if (portlist->allocated <= portlist->active) {
-		unsigned int allocated;
-		allocated = portlist->allocated + DNS_PL_ALLOCATE;
-		el = isc_mem_get(portlist->mctx, sizeof(*el) * allocated);
-		if (el == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto unlock;
-		}
-		if (portlist->list != NULL) {
-			memcpy(el, portlist->list,
-			       portlist->allocated * sizeof(*el)); 
-			isc_mem_put(portlist->mctx, portlist->list,
-				    portlist->allocated * sizeof(*el));
-		}
-		portlist->list = el;
-		portlist->allocated = allocated;
-	}
-	portlist->list[portlist->active].port = port;
-	if (af == AF_INET)
-		portlist->list[portlist->active].flags = DNS_PL_INET;
-	else
-		portlist->list[portlist->active].flags = DNS_PL_INET6;
-	portlist->active++;
-	qsort(portlist->list, portlist->active, sizeof(*el), compare);
-	result = ISC_R_SUCCESS;
- unlock:
-	UNLOCK(&portlist->lock);
-	return (result);
-}
-
-void
-dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port) {
-	dns_element_t *el;
-
-	REQUIRE(DNS_VALID_PORTLIST(portlist));
-	REQUIRE(af == AF_INET || af == AF_INET6);
-
-	LOCK(&portlist->lock);
-	if (portlist->active != 0) {
-		el = find_port(portlist->list, portlist->active, port);
-		if (el != NULL) {
-			if (af == AF_INET)
-				el->flags &= ~DNS_PL_INET;
-			else
-				el->flags &= ~DNS_PL_INET6;
-			if (el->flags == 0) {
-				*el = portlist->list[portlist->active];
-				portlist->active--;
-				qsort(portlist->list, portlist->active,
-				      sizeof(*el), compare);
-			}
-		}
-	}
-	UNLOCK(&portlist->lock);
-}
-
-isc_boolean_t
-dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port) {
-	dns_element_t *el;
-	isc_boolean_t result = ISC_FALSE;
-	
-	REQUIRE(DNS_VALID_PORTLIST(portlist));
-	REQUIRE(af == AF_INET || af == AF_INET6);
-	LOCK(&portlist->lock);
-	if (portlist->active != 0) {
-		el = find_port(portlist->list, portlist->active, port);
-		if (el != NULL) {
-			if (af == AF_INET && (el->flags & DNS_PL_INET) != 0)
-				result = ISC_TRUE;
-			if (af == AF_INET6 && (el->flags & DNS_PL_INET6) != 0)
-				result = ISC_TRUE;
-		}
-	}	
-	UNLOCK(&portlist->lock);
-	return (result);
-}
-
-void
-dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp) {
-
-	REQUIRE(DNS_VALID_PORTLIST(portlist));
-	REQUIRE(portlistp != NULL && *portlistp == NULL);
-
-	isc_refcount_increment(&portlist->refcount, NULL);
-	*portlistp = portlist;
-}
-
-void
-dns_portlist_detach(dns_portlist_t **portlistp) {
-	dns_portlist_t *portlist;
-	unsigned int count;
-
-	REQUIRE(portlistp != NULL);
-	portlist = *portlistp;
-	REQUIRE(DNS_VALID_PORTLIST(portlist));
-	*portlistp = NULL;
-	isc_refcount_decrement(&portlist->refcount, &count);
-	if (count == 0) {
-		portlist->magic = 0;
-		isc_refcount_destroy(&portlist->refcount);
-		if (portlist->list != NULL)
-			isc_mem_put(portlist->mctx, portlist->list,
-				    portlist->allocated *
-				    sizeof(*portlist->list));
-		DESTROYLOCK(&portlist->lock);
-		isc_mem_putanddetach(&portlist->mctx, portlist,
-				     sizeof(*portlist));
-	}
-}
diff --git a/contrib/bind9/lib/dns/private.c b/contrib/bind9/lib/dns/private.c
deleted file mode 100644
index 6521279..0000000
--- a/contrib/bind9/lib/dns/private.c
+++ /dev/null
@@ -1,371 +0,0 @@
-/*
- * Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include "config.h"
-
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/base64.h>
-
-#include <dns/nsec3.h>
-#include <dns/private.h>
-
-/*
- * We need to build the relevant chain if there exists a NSEC/NSEC3PARAM
- * at the apex; normally only one or the other of NSEC/NSEC3PARAM will exist.
- *
- * If a NSEC3PARAM RRset exists then we will need to build a NSEC chain
- * if all the NSEC3PARAM records (and associated chains) are slated for
- * destruction and we have not been told to NOT build the NSEC chain.
- *
- * If the NSEC set exist then check to see if there is a request to create
- * a NSEC3 chain.
- *
- * If neither NSEC/NSEC3PARAM RRsets exist at the origin and the private
- * type exists then we need to examine it to determine if NSEC3 chain has
- * been requested to be built otherwise a NSEC chain needs to be built.
- */
-
-#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
-#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
-#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
-#define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0)
-
-#define CHECK(x) do {					\
-			 result = (x);			\
-			 if (result != ISC_R_SUCCESS)	\
-				goto failure;		\
-		 } while (0)
-
-/*
- * Work out if 'param' should be ignored or not (i.e. it is in the process
- * of being removed).
- *
- * Note: we 'belt-and-braces' here by also checking for a CREATE private
- * record and keep the param record in this case.
- */
-
-static isc_boolean_t
-ignore(dns_rdata_t *param, dns_rdataset_t *privateset) {
-	isc_result_t result;
-
-	for (result = dns_rdataset_first(privateset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(privateset)) {
-		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-		dns_rdata_t private = DNS_RDATA_INIT;
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(privateset, &private);
-		if (!dns_nsec3param_fromprivate(&private, &rdata,
-						buf, sizeof(buf)))
-			continue;
-		/*
-		 * We are going to create a new NSEC3 chain so it
-		 * doesn't matter if we are removing this one.
-		 */
-		if (CREATE(rdata.data[1]))
-			return (ISC_FALSE);
-		if (rdata.data[0] != param->data[0] ||
-		    rdata.data[2] != param->data[2] ||
-		    rdata.data[3] != param->data[3] ||
-		    rdata.data[4] != param->data[4] ||
-		    memcmp(&rdata.data[5], &param->data[5], param->data[4]))
-			continue;
-		/*
-		 * The removal of this NSEC3 chain does NOT cause a
-		 * NSEC chain to be created so we don't need to tell
-		 * the caller that it will be removed.
-		 */
-		if (NONSEC(rdata.data[1]))
-			return (ISC_FALSE);
-		return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-isc_result_t
-dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
-		   dns_rdatatype_t privatetype,
-		   isc_boolean_t *build_nsec, isc_boolean_t *build_nsec3)
-{
-	dns_dbnode_t *node;
-	dns_rdataset_t nsecset, nsec3paramset, privateset;
-	isc_boolean_t nsec3chain;
-	isc_boolean_t signing;
-	isc_result_t result;
-	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-	unsigned int count;
-
-	node = NULL;
-	dns_rdataset_init(&nsecset);
-	dns_rdataset_init(&nsec3paramset);
-	dns_rdataset_init(&privateset);
-
-	CHECK(dns_db_getoriginnode(db, &node));
-
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
-				     0, (isc_stdtime_t) 0, &nsecset, NULL);
-
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-		goto failure;
-
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
-				     0, (isc_stdtime_t) 0, &nsec3paramset,
-				     NULL);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-		goto failure;
-
-	if (dns_rdataset_isassociated(&nsecset) &&
-	    dns_rdataset_isassociated(&nsec3paramset)) {
-		if (build_nsec != NULL)
-			*build_nsec = ISC_TRUE;
-		if (build_nsec3 != NULL)
-			*build_nsec3 = ISC_TRUE;
-		goto success;
-	}
-
-	if (privatetype != (dns_rdatatype_t)0) {
-		result = dns_db_findrdataset(db, node, ver, privatetype,
-					     0, (isc_stdtime_t) 0,
-					     &privateset, NULL);
-		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-			goto failure;
-	}
-
-	/*
-	 * Look to see if we also need to be creating a NSEC3 chain.
-	 */
-	if (dns_rdataset_isassociated(&nsecset)) {
-		if (build_nsec != NULL)
-			*build_nsec = ISC_TRUE;
-		if (build_nsec3 != NULL)
-			*build_nsec3 = ISC_FALSE;
-		if (!dns_rdataset_isassociated(&privateset))
-			goto success;
-		for (result = dns_rdataset_first(&privateset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&privateset)) {
-			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-			dns_rdata_t private = DNS_RDATA_INIT;
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-
-			dns_rdataset_current(&privateset, &private);
-			if (!dns_nsec3param_fromprivate(&private, &rdata,
-							buf, sizeof(buf)))
-				continue;
-			if (REMOVE(rdata.data[1]))
-				continue;
-			if (build_nsec3 != NULL)
-				*build_nsec3 = ISC_TRUE;
-			break;
-		}
-		goto success;
-	}
-
-	if (dns_rdataset_isassociated(&nsec3paramset)) {
-		if (build_nsec3 != NULL)
-			*build_nsec3 = ISC_TRUE;
-		if (build_nsec != NULL)
-			*build_nsec = ISC_FALSE;
-		if (!dns_rdataset_isassociated(&privateset))
-			goto success;
-		/*
-		 * If we are in the process of building a new NSEC3 chain
-		 * then we don't need to build a NSEC chain.
-		 */
-		for (result = dns_rdataset_first(&privateset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&privateset)) {
-			dns_rdata_t private = DNS_RDATA_INIT;
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-
-			dns_rdataset_current(&privateset, &private);
-			if (!dns_nsec3param_fromprivate(&private, &rdata,
-							buf, sizeof(buf)))
-				continue;
-			if (CREATE(rdata.data[1]))
-				goto success;
-		}
-
-		/*
-		 * Check to see if there will be a active NSEC3CHAIN once
-		 * the changes queued complete.
-		 */
-		count = 0;
-		for (result = dns_rdataset_first(&nsec3paramset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&nsec3paramset)) {
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-
-			/*
-			 * If there is more that one NSEC3 chain present then
-			 * we don't need to construct a NSEC chain.
-			 */
-			if (++count > 1)
-				goto success;
-			dns_rdataset_current(&nsec3paramset, &rdata);
-			if (ignore(&rdata, &privateset))
-				continue;
-			/*
-			 * We still have a good NSEC3 chain or we are
-			 * not creating a NSEC chain as NONSEC is set.
-			 */
-			goto success;
-		}
-
-		/*
-		 * The last NSEC3 chain is being removed and does not have
-		 * have NONSEC set.
-		 */
-		if (build_nsec != NULL)
-			*build_nsec = ISC_TRUE;
-		goto success;
-	}
-
-	if (build_nsec != NULL)
-		*build_nsec = ISC_FALSE;
-	if (build_nsec3 != NULL)
-		*build_nsec3 = ISC_FALSE;
-	if (!dns_rdataset_isassociated(&privateset))
-		goto success;
-
-	signing = ISC_FALSE;
-	nsec3chain = ISC_FALSE;
-
-	for (result = dns_rdataset_first(&privateset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&privateset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdata_t private = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&privateset, &private);
-		if (!dns_nsec3param_fromprivate(&private, &rdata,
-						buf, sizeof(buf))) {
-			/*
-			 * Look for record that says we are signing the
-			 * zone with a key.
-			 */
-			if (private.length == 5 && private.data[0] != 0 &&
-			    private.data[3] == 0 && private.data[4] == 0)
-				signing = ISC_TRUE;
-		} else {
-			if (CREATE(rdata.data[1]))
-				nsec3chain = ISC_TRUE;
-		}
-	}
-
-	if (signing) {
-		if (nsec3chain) {
-			if (build_nsec3 != NULL)
-				*build_nsec3 = ISC_TRUE;
-		} else {
-			if (build_nsec != NULL)
-				*build_nsec = ISC_TRUE;
-		}
-	}
-
- success:
-	result = ISC_R_SUCCESS;
- failure:
-	if (dns_rdataset_isassociated(&nsecset))
-		dns_rdataset_disassociate(&nsecset);
-	if (dns_rdataset_isassociated(&nsec3paramset))
-		dns_rdataset_disassociate(&nsec3paramset);
-	if (dns_rdataset_isassociated(&privateset))
-		dns_rdataset_disassociate(&privateset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-isc_result_t
-dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
-	isc_result_t result;
-
-	if (private->length < 5)
-		return (ISC_R_NOTFOUND);
-
-	if (private->data[0] == 0) {
-		unsigned char nsec3buf[DNS_NSEC3PARAM_BUFFERSIZE];
-		unsigned char newbuf[DNS_NSEC3PARAM_BUFFERSIZE];
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdata_nsec3param_t nsec3param;
-		isc_boolean_t remove, init, nonsec;
-		isc_buffer_t b;
-
-		if (!dns_nsec3param_fromprivate(private, &rdata, nsec3buf,
-						sizeof(nsec3buf)))
-			CHECK(ISC_R_FAILURE);
-
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-
-		remove = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0);
-		init = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0);
-		nonsec = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_NONSEC) != 0);
-
-		nsec3param.flags &= ~(DNS_NSEC3FLAG_CREATE|
-				      DNS_NSEC3FLAG_REMOVE|
-				      DNS_NSEC3FLAG_INITIAL|
-				      DNS_NSEC3FLAG_NONSEC);
-
-		if (init)
-			isc_buffer_putstr(buf, "Pending NSEC3 chain ");
-		else if (remove)
-			isc_buffer_putstr(buf, "Removing NSEC3 chain ");
-		else
-			isc_buffer_putstr(buf, "Creating NSEC3 chain ");
-
-		dns_rdata_reset(&rdata);
-		isc_buffer_init(&b, newbuf, sizeof(newbuf));
-		CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_in,
-					   dns_rdatatype_nsec3param,
-					   &nsec3param, &b));
-
-		CHECK(dns_rdata_totext(&rdata, NULL, buf));
-
-		if (remove && !nonsec)
-			isc_buffer_putstr(buf, " / creating NSEC chain");
-	} else if (private->length == 5) {
-		unsigned char alg = private->data[0];
-		dns_keytag_t keyid = (private->data[2] | private->data[1] << 8);
-		char keybuf[BUFSIZ], algbuf[DNS_SECALG_FORMATSIZE];
-		isc_boolean_t remove = ISC_TF(private->data[3] != 0);
-		isc_boolean_t complete = ISC_TF(private->data[4] != 0);
-
-		if (remove && complete)
-			isc_buffer_putstr(buf, "Done removing signatures for ");
-		else if (remove)
-			isc_buffer_putstr(buf, "Removing signatures for ");
-		else if (complete)
-			isc_buffer_putstr(buf, "Done signing with ");
-		else
-			isc_buffer_putstr(buf, "Signing with ");
-
-		dns_secalg_format(alg, algbuf, sizeof(algbuf));
-		sprintf(keybuf, "key %d/%s", keyid, algbuf);
-		isc_buffer_putstr(buf, keybuf);
-	} else
-		return (ISC_R_NOTFOUND);
-
-	isc_buffer_putuint8(buf, 0);
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/rbt.c b/contrib/bind9/lib/dns/rbt.c
deleted file mode 100644
index 7381b4a..0000000
--- a/contrib/bind9/lib/dns/rbt.c
+++ /dev/null
@@ -1,2679 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-/* Principal Authors: DCL */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/refcount.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-/*%
- * This define is so dns/name.h (included by dns/fixedname.h) uses more
- * efficient macro calls instead of functions for a few operations.
- */
-#define DNS_NAME_USEINLINE 1
-
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-
-#define RBT_MAGIC               ISC_MAGIC('R', 'B', 'T', '+')
-#define VALID_RBT(rbt)          ISC_MAGIC_VALID(rbt, RBT_MAGIC)
-
-/*
- * XXXDCL Since parent pointers were added in again, I could remove all of the
- * chain junk, and replace with dns_rbt_firstnode, _previousnode, _nextnode,
- * _lastnode.  This would involve pretty major change to the API.
- */
-#define CHAIN_MAGIC             ISC_MAGIC('0', '-', '0', '-')
-#define VALID_CHAIN(chain)      ISC_MAGIC_VALID(chain, CHAIN_MAGIC)
-
-#define RBT_HASH_SIZE           64
-
-#ifdef RBT_MEM_TEST
-#undef RBT_HASH_SIZE
-#define RBT_HASH_SIZE 2 /*%< To give the reallocation code a workout. */
-#endif
-
-struct dns_rbt {
-	unsigned int            magic;
-	isc_mem_t *             mctx;
-	dns_rbtnode_t *         root;
-	void                    (*data_deleter)(void *, void *);
-	void *                  deleter_arg;
-	unsigned int            nodecount;
-	unsigned int            hashsize;
-	dns_rbtnode_t **        hashtable;
-};
-
-#define RED 0
-#define BLACK 1
-
-/*%
- * Elements of the rbtnode structure.
- */
-#define PARENT(node)            ((node)->parent)
-#define LEFT(node)              ((node)->left)
-#define RIGHT(node)             ((node)->right)
-#define DOWN(node)              ((node)->down)
-#define DATA(node)              ((node)->data)
-#define HASHNEXT(node)          ((node)->hashnext)
-#define HASHVAL(node)           ((node)->hashval)
-#define COLOR(node)             ((node)->color)
-#define NAMELEN(node)           ((node)->namelen)
-#define OLDNAMELEN(node)        ((node)->oldnamelen)
-#define OFFSETLEN(node)         ((node)->offsetlen)
-#define ATTRS(node)             ((node)->attributes)
-#define IS_ROOT(node)           ISC_TF((node)->is_root == 1)
-#define FINDCALLBACK(node)      ISC_TF((node)->find_callback == 1)
-
-/*%
- * Structure elements from the rbtdb.c, not
- * used as part of the rbt.c algorithms.
- */
-#define DIRTY(node)     ((node)->dirty)
-#define WILD(node)      ((node)->wild)
-#define LOCKNUM(node)   ((node)->locknum)
-
-/*%
- * The variable length stuff stored after the node has the following
- * structure.
- *
- *	<name_data>{1..255}<oldoffsetlen>{1}<offsets>{1..128}
- *
- * <name_data> contains the name of the node when it was created.
- * <oldoffsetlen> contains the length of <offsets> when the node was created.
- * <offsets> contains the offets into name for each label when the node was
- * created.
- */
-
-#define NAME(node)      ((unsigned char *)((node) + 1))
-#define OFFSETS(node)   (NAME(node) + OLDNAMELEN(node) + 1)
-#define OLDOFFSETLEN(node) (OFFSETS(node)[-1])
-
-#define NODE_SIZE(node) (sizeof(*node) + \
-			 OLDNAMELEN(node) + OLDOFFSETLEN(node) + 1)
-
-/*%
- * Color management.
- */
-#define IS_RED(node)            ((node) != NULL && (node)->color == RED)
-#define IS_BLACK(node)          ((node) == NULL || (node)->color == BLACK)
-#define MAKE_RED(node)          ((node)->color = RED)
-#define MAKE_BLACK(node)        ((node)->color = BLACK)
-
-/*%
- * Chain management.
- *
- * The "ancestors" member of chains were removed, with their job now
- * being wholly handled by parent pointers (which didn't exist, because
- * of memory concerns, when chains were first implemented).
- */
-#define ADD_LEVEL(chain, node) \
-			(chain)->levels[(chain)->level_count++] = (node)
-
-/*%
- * The following macros directly access normally private name variables.
- * These macros are used to avoid a lot of function calls in the critical
- * path of the tree traversal code.
- */
-
-#define NODENAME(node, name) \
-do { \
-	(name)->length = NAMELEN(node); \
-	(name)->labels = OFFSETLEN(node); \
-	(name)->ndata = NAME(node); \
-	(name)->offsets = OFFSETS(node); \
-	(name)->attributes = ATTRS(node); \
-	(name)->attributes |= DNS_NAMEATTR_READONLY; \
-} while (0)
-
-#ifdef DNS_RBT_USEHASH
-static isc_result_t
-inithash(dns_rbt_t *rbt);
-#endif
-
-#ifdef DEBUG
-#define inline
-/*
- * A little something to help out in GDB.
- */
-dns_name_t Name(dns_rbtnode_t *node);
-dns_name_t
-Name(dns_rbtnode_t *node) {
-	dns_name_t name;
-
-	dns_name_init(&name, NULL);
-	if (node != NULL)
-		NODENAME(node, &name);
-
-	return (name);
-}
-
-static void dns_rbt_printnodename(dns_rbtnode_t *node);
-#endif
-
-static inline dns_rbtnode_t *
-find_up(dns_rbtnode_t *node) {
-	dns_rbtnode_t *root;
-
-	/*
-	 * Return the node in the level above the argument node that points
-	 * to the level the argument node is in.  If the argument node is in
-	 * the top level, the return value is NULL.
-	 */
-	for (root = node; ! IS_ROOT(root); root = PARENT(root))
-		; /* Nothing. */
-
-	return (PARENT(root));
-}
-
-/*
- * Forward declarations.
- */
-static isc_result_t
-create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep);
-
-#ifdef DNS_RBT_USEHASH
-static inline void
-hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name);
-static inline void
-unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node);
-#else
-#define hash_node(rbt, node, name) (ISC_R_SUCCESS)
-#define unhash_node(rbt, node)
-#endif
-
-static inline void
-rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
-static inline void
-rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
-
-static void
-dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
-		   dns_rbtnode_t **rootp);
-
-static void
-dns_rbt_deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp);
-
-static isc_result_t
-dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node);
-
-static void
-dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum,
-		       dns_rbtnode_t **nodep);
-
-/*
- * Initialize a red/black tree of trees.
- */
-isc_result_t
-dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
-	       void *deleter_arg, dns_rbt_t **rbtp)
-{
-#ifdef DNS_RBT_USEHASH
-	isc_result_t result;
-#endif
-	dns_rbt_t *rbt;
-
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(rbtp != NULL && *rbtp == NULL);
-	REQUIRE(deleter == NULL ? deleter_arg == NULL : 1);
-
-	rbt = (dns_rbt_t *)isc_mem_get(mctx, sizeof(*rbt));
-	if (rbt == NULL)
-		return (ISC_R_NOMEMORY);
-
-	rbt->mctx = NULL;
-	isc_mem_attach(mctx, &rbt->mctx);
-	rbt->data_deleter = deleter;
-	rbt->deleter_arg = deleter_arg;
-	rbt->root = NULL;
-	rbt->nodecount = 0;
-	rbt->hashtable = NULL;
-	rbt->hashsize = 0;
-
-#ifdef DNS_RBT_USEHASH
-	result = inithash(rbt);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_putanddetach(&rbt->mctx, rbt, sizeof(*rbt));
-		return (result);
-	}
-#endif
-
-	rbt->magic = RBT_MAGIC;
-
-	*rbtp = rbt;
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Deallocate a red/black tree of trees.
- */
-void
-dns_rbt_destroy(dns_rbt_t **rbtp) {
-	RUNTIME_CHECK(dns_rbt_destroy2(rbtp, 0) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum) {
-	dns_rbt_t *rbt;
-
-	REQUIRE(rbtp != NULL && VALID_RBT(*rbtp));
-
-	rbt = *rbtp;
-
-	dns_rbt_deletetreeflat(rbt, quantum, &rbt->root);
-	if (rbt->root != NULL)
-		return (ISC_R_QUOTA);
-
-	INSIST(rbt->nodecount == 0);
-
-	if (rbt->hashtable != NULL)
-		isc_mem_put(rbt->mctx, rbt->hashtable,
-			    rbt->hashsize * sizeof(dns_rbtnode_t *));
-
-	rbt->magic = 0;
-
-	isc_mem_putanddetach(&rbt->mctx, rbt, sizeof(*rbt));
-	*rbtp = NULL;
-	return (ISC_R_SUCCESS);
-}
-
-unsigned int
-dns_rbt_nodecount(dns_rbt_t *rbt) {
-	REQUIRE(VALID_RBT(rbt));
-	return (rbt->nodecount);
-}
-
-static inline isc_result_t
-chain_name(dns_rbtnodechain_t *chain, dns_name_t *name,
-	   isc_boolean_t include_chain_end)
-{
-	dns_name_t nodename;
-	isc_result_t result = ISC_R_SUCCESS;
-	int i;
-
-	dns_name_init(&nodename, NULL);
-
-	if (include_chain_end && chain->end != NULL) {
-		NODENAME(chain->end, &nodename);
-		result = dns_name_copy(&nodename, name, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} else
-		dns_name_reset(name);
-
-	for (i = (int)chain->level_count - 1; i >= 0; i--) {
-		NODENAME(chain->levels[i], &nodename);
-		result = dns_name_concatenate(name, &nodename, name, NULL);
-
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	return (result);
-}
-
-static inline isc_result_t
-move_chain_to_last(dns_rbtnodechain_t *chain, dns_rbtnode_t *node) {
-	do {
-		/*
-		 * Go as far right and then down as much as possible,
-		 * as long as the rightmost node has a down pointer.
-		 */
-		while (RIGHT(node) != NULL)
-			node = RIGHT(node);
-
-		if (DOWN(node) == NULL)
-			break;
-
-		ADD_LEVEL(chain, node);
-		node = DOWN(node);
-	} while (1);
-
-	chain->end = node;
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Add 'name' to tree, initializing its data pointer with 'data'.
- */
-
-isc_result_t
-dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
-	/*
-	 * Does this thing have too many variables or what?
-	 */
-	dns_rbtnode_t **root, *parent, *child, *current, *new_current;
-	dns_name_t *add_name, *new_name, current_name, *prefix, *suffix;
-	dns_fixedname_t fixedcopy, fixedprefix, fixedsuffix, fnewname;
-	dns_offsets_t current_offsets;
-	dns_namereln_t compared;
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_rbtnodechain_t chain;
-	unsigned int common_labels;
-	unsigned int nlabels, hlabels;
-	int order;
-
-	REQUIRE(VALID_RBT(rbt));
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	/*
-	 * Create a copy of the name so the original name structure is
-	 * not modified.
-	 */
-	dns_fixedname_init(&fixedcopy);
-	add_name = dns_fixedname_name(&fixedcopy);
-	dns_name_clone(name, add_name);
-
-	if (rbt->root == NULL) {
-		result = create_node(rbt->mctx, add_name, &new_current);
-		if (result == ISC_R_SUCCESS) {
-			rbt->nodecount++;
-			new_current->is_root = 1;
-			rbt->root = new_current;
-			*nodep = new_current;
-			hash_node(rbt, new_current, name);
-		}
-		return (result);
-	}
-
-	dns_rbtnodechain_init(&chain, rbt->mctx);
-
-	dns_fixedname_init(&fixedprefix);
-	dns_fixedname_init(&fixedsuffix);
-	prefix = dns_fixedname_name(&fixedprefix);
-	suffix = dns_fixedname_name(&fixedsuffix);
-
-	root = &rbt->root;
-	INSIST(IS_ROOT(*root));
-	parent = NULL;
-	current = NULL;
-	child = *root;
-	dns_name_init(&current_name, current_offsets);
-	dns_fixedname_init(&fnewname);
-	new_name = dns_fixedname_name(&fnewname);
-	nlabels = dns_name_countlabels(name);
-	hlabels = 0;
-
-	do {
-		current = child;
-
-		NODENAME(current, &current_name);
-		compared = dns_name_fullcompare(add_name, &current_name,
-						&order, &common_labels);
-
-		if (compared == dns_namereln_equal) {
-			*nodep = current;
-			result = ISC_R_EXISTS;
-			break;
-
-		}
-
-		if (compared == dns_namereln_none) {
-
-			if (order < 0) {
-				parent = current;
-				child = LEFT(current);
-
-			} else if (order > 0) {
-				parent = current;
-				child = RIGHT(current);
-
-			}
-
-		} else {
-			/*
-			 * This name has some suffix in common with the
-			 * name at the current node.  If the name at
-			 * the current node is shorter, that means the
-			 * new name should be in a subtree.  If the
-			 * name at the current node is longer, that means
-			 * the down pointer to this tree should point
-			 * to a new tree that has the common suffix, and
-			 * the non-common parts of these two names should
-			 * start a new tree.
-			 */
-			hlabels += common_labels;
-			if (compared == dns_namereln_subdomain) {
-				/*
-				 * All of the existing labels are in common,
-				 * so the new name is in a subtree.
-				 * Whack off the common labels for the
-				 * not-in-common part to be searched for
-				 * in the next level.
-				 */
-				dns_name_split(add_name, common_labels,
-					       add_name, NULL);
-
-				/*
-				 * Follow the down pointer (possibly NULL).
-				 */
-				root = &DOWN(current);
-
-				INSIST(*root == NULL ||
-				       (IS_ROOT(*root) &&
-					PARENT(*root) == current));
-
-				parent = NULL;
-				child = DOWN(current);
-				ADD_LEVEL(&chain, current);
-
-			} else {
-				/*
-				 * The number of labels in common is fewer
-				 * than the number of labels at the current
-				 * node, so the current node must be adjusted
-				 * to have just the common suffix, and a down
-				 * pointer made to a new tree.
-				 */
-
-				INSIST(compared == dns_namereln_commonancestor
-				       || compared == dns_namereln_contains);
-
-				/*
-				 * Ensure the number of levels in the tree
-				 * does not exceed the number of logical
-				 * levels allowed by DNSSEC.
-				 *
-				 * XXXDCL need a better error result?
-				 *
-				 * XXXDCL Since chain ancestors were removed,
-				 * no longer used by dns_rbt_addonlevel(),
-				 * this is the only real use of chains in the
-				 * function.  It could be done instead with
-				 * a simple integer variable, but I am pressed
-				 * for time.
-				 */
-				if (chain.level_count ==
-				    (sizeof(chain.levels) /
-				     sizeof(*chain.levels))) {
-					result = ISC_R_NOSPACE;
-					break;
-				}
-
-				/*
-				 * Split the name into two parts, a prefix
-				 * which is the not-in-common parts of the
-				 * two names and a suffix that is the common
-				 * parts of them.
-				 */
-				dns_name_split(&current_name, common_labels,
-					       prefix, suffix);
-				result = create_node(rbt->mctx, suffix,
-						     &new_current);
-
-				if (result != ISC_R_SUCCESS)
-					break;
-
-				/*
-				 * Reproduce the tree attributes of the
-				 * current node.
-				 */
-				new_current->is_root = current->is_root;
-				if (current->nsec == DNS_RBT_NSEC_HAS_NSEC)
-					new_current->nsec = DNS_RBT_NSEC_NORMAL;
-				else
-					new_current->nsec = current->nsec;
-				PARENT(new_current)  = PARENT(current);
-				LEFT(new_current)    = LEFT(current);
-				RIGHT(new_current)   = RIGHT(current);
-				COLOR(new_current)   = COLOR(current);
-
-				/*
-				 * Fix pointers that were to the current node.
-				 */
-				if (parent != NULL) {
-					if (LEFT(parent) == current)
-						LEFT(parent) = new_current;
-					else
-						RIGHT(parent) = new_current;
-				}
-				if (LEFT(new_current) != NULL)
-					PARENT(LEFT(new_current)) =
-						new_current;
-				if (RIGHT(new_current) != NULL)
-					PARENT(RIGHT(new_current)) =
-						new_current;
-				if (*root == current)
-					*root = new_current;
-
-				NAMELEN(current) = prefix->length;
-				OFFSETLEN(current) = prefix->labels;
-
-				/*
-				 * Set up the new root of the next level.
-				 * By definition it will not be the top
-				 * level tree, so clear DNS_NAMEATTR_ABSOLUTE.
-				 */
-				current->is_root = 1;
-				PARENT(current) = new_current;
-				DOWN(new_current) = current;
-				root = &DOWN(new_current);
-
-				ADD_LEVEL(&chain, new_current);
-
-				LEFT(current) = NULL;
-				RIGHT(current) = NULL;
-
-				MAKE_BLACK(current);
-				ATTRS(current) &= ~DNS_NAMEATTR_ABSOLUTE;
-
-				rbt->nodecount++;
-				dns_name_getlabelsequence(name,
-							  nlabels - hlabels,
-							  hlabels, new_name);
-				hash_node(rbt, new_current, new_name);
-
-				if (common_labels ==
-				    dns_name_countlabels(add_name)) {
-					/*
-					 * The name has been added by pushing
-					 * the not-in-common parts down to
-					 * a new level.
-					 */
-					*nodep = new_current;
-					return (ISC_R_SUCCESS);
-
-				} else {
-					/*
-					 * The current node has no data,
-					 * because it is just a placeholder.
-					 * Its data pointer is already NULL
-					 * from create_node()), so there's
-					 * nothing more to do to it.
-					 */
-
-					/*
-					 * The not-in-common parts of the new
-					 * name will be inserted into the new
-					 * level following this loop (unless
-					 * result != ISC_R_SUCCESS, which
-					 * is tested after the loop ends).
-					 */
-					dns_name_split(add_name, common_labels,
-						       add_name, NULL);
-
-					break;
-				}
-
-			}
-
-		}
-
-	} while (child != NULL);
-
-	if (result == ISC_R_SUCCESS)
-		result = create_node(rbt->mctx, add_name, &new_current);
-
-	if (result == ISC_R_SUCCESS) {
-		dns_rbt_addonlevel(new_current, current, order, root);
-		rbt->nodecount++;
-		*nodep = new_current;
-		hash_node(rbt, new_current, name);
-	}
-
-	return (result);
-}
-
-/*
- * Add a name to the tree of trees, associating it with some data.
- */
-isc_result_t
-dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data) {
-	isc_result_t result;
-	dns_rbtnode_t *node;
-
-	REQUIRE(VALID_RBT(rbt));
-	REQUIRE(dns_name_isabsolute(name));
-
-	node = NULL;
-
-	result = dns_rbt_addnode(rbt, name, &node);
-
-	/*
-	 * dns_rbt_addnode will report the node exists even when
-	 * it does not have data associated with it, but the
-	 * dns_rbt_*name functions all behave depending on whether
-	 * there is data associated with a node.
-	 */
-	if (result == ISC_R_SUCCESS ||
-	    (result == ISC_R_EXISTS && DATA(node) == NULL)) {
-		DATA(node) = data;
-		result = ISC_R_SUCCESS;
-	}
-
-	return (result);
-}
-
-/*
- * Find the node for "name" in the tree of trees.
- */
-isc_result_t
-dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
-		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
-		 unsigned int options, dns_rbtfindcallback_t callback,
-		 void *callback_arg)
-{
-	dns_rbtnode_t *current, *last_compared, *current_root;
-	dns_rbtnodechain_t localchain;
-	dns_name_t *search_name, current_name, *callback_name;
-	dns_fixedname_t fixedcallbackname, fixedsearchname;
-	dns_namereln_t compared;
-	isc_result_t result, saved_result;
-	unsigned int common_labels;
-	unsigned int hlabels = 0;
-	int order;
-
-	REQUIRE(VALID_RBT(rbt));
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(node != NULL && *node == NULL);
-	REQUIRE((options & (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR))
-		!=         (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR));
-
-	/*
-	 * If there is a chain it needs to appear to be in a sane state,
-	 * otherwise a chain is still needed to generate foundname and
-	 * callback_name.
-	 */
-	if (chain == NULL) {
-		options |= DNS_RBTFIND_NOPREDECESSOR;
-		chain = &localchain;
-		dns_rbtnodechain_init(chain, rbt->mctx);
-	} else
-		dns_rbtnodechain_reset(chain);
-
-	if (rbt->root == NULL)
-		return (ISC_R_NOTFOUND);
-	else {
-		/*
-		 * Appease GCC about variables it incorrectly thinks are
-		 * possibly used uninitialized.
-		 */
-		compared = dns_namereln_none;
-		last_compared = NULL;
-		order = 0;
-	}
-
-	dns_fixedname_init(&fixedcallbackname);
-	callback_name = dns_fixedname_name(&fixedcallbackname);
-
-	/*
-	 * search_name is the name segment being sought in each tree level.
-	 * By using a fixedname, the search_name will definitely have offsets
-	 * for use by any splitting.
-	 * By using dns_name_clone, no name data should be copied thanks to
-	 * the lack of bitstring labels.
-	 */
-	dns_fixedname_init(&fixedsearchname);
-	search_name = dns_fixedname_name(&fixedsearchname);
-	dns_name_clone(name, search_name);
-
-	dns_name_init(&current_name, NULL);
-
-	saved_result = ISC_R_SUCCESS;
-	current = rbt->root;
-	current_root = rbt->root;
-
-	while (current != NULL) {
-		NODENAME(current, &current_name);
-		compared = dns_name_fullcompare(search_name, &current_name,
-						&order, &common_labels);
-		last_compared = current;
-
-		if (compared == dns_namereln_equal)
-			break;
-
-		if (compared == dns_namereln_none) {
-#ifdef DNS_RBT_USEHASH
-			dns_name_t hash_name;
-			dns_rbtnode_t *hnode;
-			dns_rbtnode_t *up_current;
-			unsigned int nlabels;
-			unsigned int tlabels = 1;
-			unsigned int hash;
-
-			/*
-			 * If there is no hash table, hashing can't be done.
-			 */
-			if (rbt->hashtable == NULL)
-				goto nohash;
-
-			/*
-			 * The case of current != current_root, that
-			 * means a left or right pointer was followed,
-			 * only happens when the algorithm fell through to
-			 * the traditional binary search because of a
-			 * bitstring label.  Since we dropped the bitstring
-			 * support, this should not happen.
-			 */
-			INSIST(current == current_root);
-
-			nlabels = dns_name_countlabels(search_name);
-
-			/*
-			 * current_root is the root of the current level, so
-			 * it's parent is the same as it's "up" pointer.
-			 */
-			up_current = PARENT(current_root);
-			dns_name_init(&hash_name, NULL);
-
-		hashagain:
-			/*
-			 * Hash includes tail.
-			 */
-			dns_name_getlabelsequence(name,
-						  nlabels - tlabels,
-						  hlabels + tlabels,
-						  &hash_name);
-			hash = dns_name_fullhash(&hash_name, ISC_FALSE);
-			dns_name_getlabelsequence(search_name,
-						  nlabels - tlabels,
-						  tlabels, &hash_name);
-
-			for (hnode = rbt->hashtable[hash % rbt->hashsize];
-			     hnode != NULL;
-			     hnode = hnode->hashnext)
-			{
-				dns_name_t hnode_name;
-
-				if (hash != HASHVAL(hnode))
-					continue;
-				if (find_up(hnode) != up_current)
-					continue;
-				dns_name_init(&hnode_name, NULL);
-				NODENAME(hnode, &hnode_name);
-				if (dns_name_equal(&hnode_name, &hash_name))
-					break;
-			}
-
-			if (hnode != NULL) {
-				current = hnode;
-				/*
-				 * This is an optimization.  If hashing found
-				 * the right node, the next call to
-				 * dns_name_fullcompare() would obviously
-				 * return _equal or _subdomain.  Determine
-				 * which of those would be the case by
-				 * checking if the full name was hashed.  Then
-				 * make it look like dns_name_fullcompare
-				 * was called and jump to the right place.
-				 */
-				if (tlabels == nlabels) {
-					compared = dns_namereln_equal;
-					break;
-				} else {
-					common_labels = tlabels;
-					compared = dns_namereln_subdomain;
-					goto subdomain;
-				}
-			}
-
-			if (tlabels++ < nlabels)
-				goto hashagain;
-
-			/*
-			 * All of the labels have been tried against the hash
-			 * table.  Since we dropped the support of bitstring
-			 * labels, the name isn't in the table.
-			 */
-			current = NULL;
-			continue;
-
-		nohash:
-#endif /* DNS_RBT_USEHASH */
-			/*
-			 * Standard binary search tree movement.
-			 */
-			if (order < 0)
-				current = LEFT(current);
-			else
-				current = RIGHT(current);
-
-		} else {
-			/*
-			 * The names have some common suffix labels.
-			 *
-			 * If the number in common are equal in length to
-			 * the current node's name length, then follow the
-			 * down pointer and search in the new tree.
-			 */
-			if (compared == dns_namereln_subdomain) {
-		subdomain:
-				/*
-				 * Whack off the current node's common parts
-				 * for the name to search in the next level.
-				 */
-				dns_name_split(search_name, common_labels,
-					       search_name, NULL);
-				hlabels += common_labels;
-				/*
-				 * This might be the closest enclosing name.
-				 */
-				if (DATA(current) != NULL ||
-				    (options & DNS_RBTFIND_EMPTYDATA) != 0)
-					*node = current;
-
-				/*
-				 * Point the chain to the next level.   This
-				 * needs to be done before 'current' is pointed
-				 * there because the callback in the next
-				 * block of code needs the current 'current',
-				 * but in the event the callback requests that
-				 * the search be stopped then the
-				 * DNS_R_PARTIALMATCH code at the end of this
-				 * function needs the chain pointed to the
-				 * next level.
-				 */
-				ADD_LEVEL(chain, current);
-
-				/*
-				 * The caller may want to interrupt the
-				 * downward search when certain special nodes
-				 * are traversed.  If this is a special node,
-				 * the callback is used to learn what the
-				 * caller wants to do.
-				 */
-				if (callback != NULL &&
-				    FINDCALLBACK(current)) {
-					result = chain_name(chain,
-							    callback_name,
-							    ISC_FALSE);
-					if (result != ISC_R_SUCCESS) {
-						dns_rbtnodechain_reset(chain);
-						return (result);
-					}
-
-					result = (callback)(current,
-							    callback_name,
-							    callback_arg);
-					if (result != DNS_R_CONTINUE) {
-						saved_result = result;
-						/*
-						 * Treat this node as if it
-						 * had no down pointer.
-						 */
-						current = NULL;
-						break;
-					}
-				}
-
-				/*
-				 * Finally, head to the next tree level.
-				 */
-				current = DOWN(current);
-				current_root = current;
-
-			} else {
-				/*
-				 * Though there are labels in common, the
-				 * entire name at this node is not common
-				 * with the search name so the search
-				 * name does not exist in the tree.
-				 */
-				INSIST(compared == dns_namereln_commonancestor
-				       || compared == dns_namereln_contains);
-
-				current = NULL;
-			}
-		}
-	}
-
-	/*
-	 * If current is not NULL, NOEXACT is not disallowing exact matches,
-	 * and either the node has data or an empty node is ok, return
-	 * ISC_R_SUCCESS to indicate an exact match.
-	 */
-	if (current != NULL && (options & DNS_RBTFIND_NOEXACT) == 0 &&
-	    (DATA(current) != NULL ||
-	     (options & DNS_RBTFIND_EMPTYDATA) != 0)) {
-		/*
-		 * Found an exact match.
-		 */
-		chain->end = current;
-		chain->level_matches = chain->level_count;
-
-		if (foundname != NULL)
-			result = chain_name(chain, foundname, ISC_TRUE);
-		else
-			result = ISC_R_SUCCESS;
-
-		if (result == ISC_R_SUCCESS) {
-			*node = current;
-			result = saved_result;
-		} else
-			*node = NULL;
-	} else {
-		/*
-		 * Did not find an exact match (or did not want one).
-		 */
-		if (*node != NULL) {
-			/*
-			 * ... but found a partially matching superdomain.
-			 * Unwind the chain to the partial match node
-			 * to set level_matches to the level above the node,
-			 * and then to derive the name.
-			 *
-			 * chain->level_count is guaranteed to be at least 1
-			 * here because by definition of finding a superdomain,
-			 * the chain is pointed to at least the first subtree.
-			 */
-			chain->level_matches = chain->level_count - 1;
-
-			while (chain->levels[chain->level_matches] != *node) {
-				INSIST(chain->level_matches > 0);
-				chain->level_matches--;
-			}
-
-			if (foundname != NULL) {
-				unsigned int saved_count = chain->level_count;
-
-				chain->level_count = chain->level_matches + 1;
-
-				result = chain_name(chain, foundname,
-						    ISC_FALSE);
-
-				chain->level_count = saved_count;
-			} else
-				result = ISC_R_SUCCESS;
-
-			if (result == ISC_R_SUCCESS)
-				result = DNS_R_PARTIALMATCH;
-
-		} else
-			result = ISC_R_NOTFOUND;
-
-		if (current != NULL) {
-			/*
-			 * There was an exact match but either
-			 * DNS_RBTFIND_NOEXACT was set, or
-			 * DNS_RBTFIND_EMPTYDATA was set and the node had no
-			 * data.  A policy decision was made to set the
-			 * chain to the exact match, but this is subject
-			 * to change if it becomes apparent that something
-			 * else would be more useful.  It is important that
-			 * this case is handled here, because the predecessor
-			 * setting code below assumes the match was not exact.
-			 */
-			INSIST(((options & DNS_RBTFIND_NOEXACT) != 0) ||
-			       ((options & DNS_RBTFIND_EMPTYDATA) == 0 &&
-				DATA(current) == NULL));
-			chain->end = current;
-
-		} else if ((options & DNS_RBTFIND_NOPREDECESSOR) != 0) {
-			/*
-			 * Ensure the chain points nowhere.
-			 */
-			chain->end = NULL;
-
-		} else {
-			/*
-			 * Since there was no exact match, the chain argument
-			 * needs to be pointed at the DNSSEC predecessor of
-			 * the search name.
-			 */
-			if (compared == dns_namereln_subdomain) {
-				/*
-				 * Attempted to follow a down pointer that was
-				 * NULL, which means the searched for name was
-				 * a subdomain of a terminal name in the tree.
-				 * Since there are no existing subdomains to
-				 * order against, the terminal name is the
-				 * predecessor.
-				 */
-				INSIST(chain->level_count > 0);
-				INSIST(chain->level_matches <
-				       chain->level_count);
-				chain->end =
-					chain->levels[--chain->level_count];
-
-			} else {
-				isc_result_t result2;
-
-				/*
-				 * Point current to the node that stopped
-				 * the search.
-				 *
-				 * With the hashing modification that has been
-				 * added to the algorithm, the stop node of a
-				 * standard binary search is not known.  So it
-				 * has to be found.  There is probably a more
-				 * clever way of doing this.
-				 *
-				 * The assignment of current to NULL when
-				 * the relationship is *not* dns_namereln_none,
-				 * even though it later gets set to the same
-				 * last_compared anyway, is simply to not push
-				 * the while loop in one more level of
-				 * indentation.
-				 */
-				if (compared == dns_namereln_none)
-					current = last_compared;
-				else
-					current = NULL;
-
-				while (current != NULL) {
-					NODENAME(current, &current_name);
-					compared = dns_name_fullcompare(
-								search_name,
-								&current_name,
-								&order,
-								&common_labels);
-					POST(compared);
-
-					last_compared = current;
-
-					/*
-					 * Standard binary search movement.
-					 */
-					if (order < 0)
-						current = LEFT(current);
-					else
-						current = RIGHT(current);
-
-				}
-
-				current = last_compared;
-
-				/*
-				 * Reached a point within a level tree that
-				 * positively indicates the name is not
-				 * present, but the stop node could be either
-				 * less than the desired name (order > 0) or
-				 * greater than the desired name (order < 0).
-				 *
-				 * If the stop node is less, it is not
-				 * necessarily the predecessor.  If the stop
-				 * node has a down pointer, then the real
-				 * predecessor is at the end of a level below
-				 * (not necessarily the next level).
-				 * Move down levels until the rightmost node
-				 * does not have a down pointer.
-				 *
-				 * When the stop node is greater, it is
-				 * the successor.  All the logic for finding
-				 * the predecessor is handily encapsulated
-				 * in dns_rbtnodechain_prev.  In the event
-				 * that the search name is less than anything
-				 * else in the tree, the chain is reset.
-				 * XXX DCL What is the best way for the caller
-				 *         to know that the search name has
-				 *         no predecessor?
-				 */
-
-
-				if (order > 0) {
-					if (DOWN(current) != NULL) {
-						ADD_LEVEL(chain, current);
-
-						result2 =
-						      move_chain_to_last(chain,
-								DOWN(current));
-
-						if (result2 != ISC_R_SUCCESS)
-							result = result2;
-					} else
-						/*
-						 * Ah, the pure and simple
-						 * case.  The stop node is the
-						 * predecessor.
-						 */
-						chain->end = current;
-
-				} else {
-					INSIST(order < 0);
-
-					chain->end = current;
-
-					result2 = dns_rbtnodechain_prev(chain,
-									NULL,
-									NULL);
-					if (result2 == ISC_R_SUCCESS ||
-					    result2 == DNS_R_NEWORIGIN)
-						;       /* Nothing. */
-					else if (result2 == ISC_R_NOMORE)
-						/*
-						 * There is no predecessor.
-						 */
-						dns_rbtnodechain_reset(chain);
-					else
-						result = result2;
-				}
-
-			}
-		}
-	}
-
-	ENSURE(*node == NULL || DNS_RBTNODE_VALID(*node));
-
-	return (result);
-}
-
-/*
- * Get the data pointer associated with 'name'.
- */
-isc_result_t
-dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
-		 dns_name_t *foundname, void **data) {
-	dns_rbtnode_t *node = NULL;
-	isc_result_t result;
-
-	REQUIRE(data != NULL && *data == NULL);
-
-	result = dns_rbt_findnode(rbt, name, foundname, &node, NULL,
-				  options, NULL, NULL);
-
-	if (node != NULL &&
-	    (DATA(node) != NULL || (options & DNS_RBTFIND_EMPTYDATA) != 0))
-		*data = DATA(node);
-	else
-		result = ISC_R_NOTFOUND;
-
-	return (result);
-}
-
-/*
- * Delete a name from the tree of trees.
- */
-isc_result_t
-dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse) {
-	dns_rbtnode_t *node = NULL;
-	isc_result_t result;
-
-	REQUIRE(VALID_RBT(rbt));
-	REQUIRE(dns_name_isabsolute(name));
-
-	/*
-	 * First, find the node.
-	 *
-	 * When searching, the name might not have an exact match:
-	 * consider a.b.a.com, b.b.a.com and c.b.a.com as the only
-	 * elements of a tree, which would make layer 1 a single
-	 * node tree of "b.a.com" and layer 2 a three node tree of
-	 * a, b, and c.  Deleting a.com would find only a partial depth
-	 * match in the first layer.  Should it be a requirement that
-	 * that the name to be deleted have data?  For now, it is.
-	 *
-	 * ->dirty, ->locknum and ->references are ignored; they are
-	 * solely the province of rbtdb.c.
-	 */
-	result = dns_rbt_findnode(rbt, name, NULL, &node, NULL,
-				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
-
-	if (result == ISC_R_SUCCESS) {
-		if (DATA(node) != NULL)
-			result = dns_rbt_deletenode(rbt, node, recurse);
-		else
-			result = ISC_R_NOTFOUND;
-
-	} else if (result == DNS_R_PARTIALMATCH)
-		result = ISC_R_NOTFOUND;
-
-	return (result);
-}
-
-/*
- * Remove a node from the tree of trees.
- *
- * NOTE WELL: deletion is *not* symmetric with addition; that is, reversing
- * a sequence of additions to be deletions will not generally get the
- * tree back to the state it started in.  For example, if the addition
- * of "b.c" caused the node "a.b.c" to be split, pushing "a" to its own level,
- * then the subsequent deletion of "b.c" will not cause "a" to be pulled up,
- * restoring "a.b.c".  The RBT *used* to do this kind of rejoining, but it
- * turned out to be a bad idea because it could corrupt an active nodechain
- * that had "b.c" as one of its levels -- and the RBT has no idea what
- * nodechains are in use by callers, so it can't even *try* to helpfully
- * fix them up (which would probably be doomed to failure anyway).
- *
- * Similarly, it is possible to leave the tree in a state where a supposedly
- * deleted node still exists.  The first case of this is obvious; take
- * the tree which has "b.c" on one level, pointing to "a".  Now deleted "b.c".
- * It was just established in the previous paragraph why we can't pull "a"
- * back up to its parent level.  But what happens when "a" then gets deleted?
- * "b.c" is left hanging around without data or children.  This condition
- * is actually pretty easy to detect, but ... should it really be removed?
- * Is a chain pointing to it?  An iterator?  Who knows!  (Note that the
- * references structure member cannot be looked at because it is private to
- * rbtdb.)  This is ugly and makes me unhappy, but after hours of trying to
- * make it more aesthetically proper and getting nowhere, this is the way it
- * is going to stay until such time as it proves to be a *real* problem.
- *
- * Finally, for reference, note that the original routine that did node
- * joining was called join_nodes().  It has been excised, living now only
- * in the CVS history, but comments have been left behind that point to it just
- * in case someone wants to muck with this some more.
- *
- * The one positive aspect of all of this is that joining used to have a
- * case where it might fail.  Without trying to join, now this function always
- * succeeds. It still returns isc_result_t, though, so the API wouldn't change.
- */
-isc_result_t
-dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse)
-{
-	dns_rbtnode_t *parent;
-
-	REQUIRE(VALID_RBT(rbt));
-	REQUIRE(DNS_RBTNODE_VALID(node));
-
-	if (DOWN(node) != NULL) {
-		if (recurse)
-			RUNTIME_CHECK(dns_rbt_deletetree(rbt, DOWN(node))
-				      == ISC_R_SUCCESS);
-		else {
-			if (DATA(node) != NULL && rbt->data_deleter != NULL)
-				rbt->data_deleter(DATA(node), rbt->deleter_arg);
-			DATA(node) = NULL;
-
-			/*
-			 * Since there is at least one node below this one and
-			 * no recursion was requested, the deletion is
-			 * complete.  The down node from this node might be all
-			 * by itself on a single level, so join_nodes() could
-			 * be used to collapse the tree (with all the caveats
-			 * of the comment at the start of this function).
-			 */
-			return (ISC_R_SUCCESS);
-		}
-	}
-
-	/*
-	 * Note the node that points to the level of the node that is being
-	 * deleted.  If the deleted node is the top level, parent will be set
-	 * to NULL.
-	 */
-	parent = find_up(node);
-
-	/*
-	 * This node now has no down pointer (either because it didn't
-	 * have one to start, or because it was recursively removed).
-	 * So now the node needs to be removed from this level.
-	 */
-	dns_rbt_deletefromlevel(node, parent == NULL ? &rbt->root :
-						       &DOWN(parent));
-
-	if (DATA(node) != NULL && rbt->data_deleter != NULL)
-		rbt->data_deleter(DATA(node), rbt->deleter_arg);
-
-	unhash_node(rbt, node);
-#if DNS_RBT_USEMAGIC
-	node->magic = 0;
-#endif
-	dns_rbtnode_refdestroy(node);
-	isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
-	rbt->nodecount--;
-
-	/*
-	 * There are now two special cases that can exist that would
-	 * not have existed if the tree had been created using only
-	 * the names that now exist in it.  (This is all related to
-	 * join_nodes() as described in this function's introductory comment.)
-	 * Both cases exist when the deleted node's parent (the node
-	 * that pointed to the deleted node's level) is not null but
-	 * it has no data:  parent != NULL && DATA(parent) == NULL.
-	 *
-	 * The first case is that the deleted node was the last on its level:
-	 * DOWN(parent) == NULL.  This case can only exist if the parent was
-	 * previously deleted -- and so now, apparently, the parent should go
-	 * away.  That can't be done though because there might be external
-	 * references to it, such as through a nodechain.
-	 *
-	 * The other case also involves a parent with no data, but with the
-	 * deleted node being the next-to-last node instead of the last:
-	 * LEFT(DOWN(parent)) == NULL && RIGHT(DOWN(parent)) == NULL.
-	 * Presumably now the remaining node on the level should be joined
-	 * with the parent, but it's already been described why that can't be
-	 * done.
-	 */
-
-	/*
-	 * This function never fails.
-	 */
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name) {
-
-	REQUIRE(DNS_RBTNODE_VALID(node));
-	REQUIRE(name != NULL);
-	REQUIRE(name->offsets == NULL);
-
-	NODENAME(node, name);
-}
-
-isc_result_t
-dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name) {
-	dns_name_t current;
-	isc_result_t result;
-
-	REQUIRE(DNS_RBTNODE_VALID(node));
-	REQUIRE(name != NULL);
-	REQUIRE(name->buffer != NULL);
-
-	dns_name_init(&current, NULL);
-	dns_name_reset(name);
-
-	do {
-		INSIST(node != NULL);
-
-		NODENAME(node, &current);
-
-		result = dns_name_concatenate(name, &current, name, NULL);
-		if (result != ISC_R_SUCCESS)
-			break;
-
-		node = find_up(node);
-	} while (! dns_name_isabsolute(name));
-
-	return (result);
-}
-
-char *
-dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname, unsigned int size)
-{
-	dns_fixedname_t fixedname;
-	dns_name_t *name;
-	isc_result_t result;
-
-	REQUIRE(DNS_RBTNODE_VALID(node));
-	REQUIRE(printname != NULL);
-
-	dns_fixedname_init(&fixedname);
-	name = dns_fixedname_name(&fixedname);
-	result = dns_rbt_fullnamefromnode(node, name);
-	if (result == ISC_R_SUCCESS)
-		dns_name_format(name, printname, size);
-	else
-		snprintf(printname, size, "<error building name: %s>",
-			 dns_result_totext(result));
-
-	return (printname);
-}
-
-static isc_result_t
-create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
-	dns_rbtnode_t *node;
-	isc_region_t region;
-	unsigned int labels;
-
-	REQUIRE(name->offsets != NULL);
-
-	dns_name_toregion(name, &region);
-	labels = dns_name_countlabels(name);
-	ENSURE(labels > 0);
-
-	/*
-	 * Allocate space for the node structure, the name, and the offsets.
-	 */
-	node = (dns_rbtnode_t *)isc_mem_get(mctx, sizeof(*node) +
-					    region.length + labels + 1);
-
-	if (node == NULL)
-		return (ISC_R_NOMEMORY);
-
-	node->is_root = 0;
-	PARENT(node) = NULL;
-	RIGHT(node) = NULL;
-	LEFT(node) = NULL;
-	DOWN(node) = NULL;
-	DATA(node) = NULL;
-#ifdef DNS_RBT_USEHASH
-	HASHNEXT(node) = NULL;
-	HASHVAL(node) = 0;
-#endif
-
-	ISC_LINK_INIT(node, deadlink);
-
-	LOCKNUM(node) = 0;
-	WILD(node) = 0;
-	DIRTY(node) = 0;
-	dns_rbtnode_refinit(node, 0);
-	node->find_callback = 0;
-	node->nsec = DNS_RBT_NSEC_NORMAL;
-
-	MAKE_BLACK(node);
-
-	/*
-	 * The following is stored to make reconstructing a name from the
-	 * stored value in the node easy:  the length of the name, the number
-	 * of labels, whether the name is absolute or not, the name itself,
-	 * and the name's offsets table.
-	 *
-	 * XXX RTH
-	 *      The offsets table could be made smaller by eliminating the
-	 *      first offset, which is always 0.  This requires changes to
-	 *      lib/dns/name.c.
-	 *
-	 * Note: OLDOFFSETLEN *must* be assigned *after* OLDNAMELEN is assigned
-	 * 	 as it uses OLDNAMELEN.
-	 */
-	OLDNAMELEN(node) = NAMELEN(node) = region.length;
-	OLDOFFSETLEN(node) = OFFSETLEN(node) = labels;
-	ATTRS(node) = name->attributes;
-
-	memcpy(NAME(node), region.base, region.length);
-	memcpy(OFFSETS(node), name->offsets, labels);
-
-#if DNS_RBT_USEMAGIC
-	node->magic = DNS_RBTNODE_MAGIC;
-#endif
-	*nodep = node;
-
-	return (ISC_R_SUCCESS);
-}
-
-#ifdef DNS_RBT_USEHASH
-static inline void
-hash_add_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name) {
-	unsigned int hash;
-
-	HASHVAL(node) = dns_name_fullhash(name, ISC_FALSE);
-
-	hash = HASHVAL(node) % rbt->hashsize;
-	HASHNEXT(node) = rbt->hashtable[hash];
-
-	rbt->hashtable[hash] = node;
-}
-
-static isc_result_t
-inithash(dns_rbt_t *rbt) {
-	unsigned int bytes;
-
-	rbt->hashsize = RBT_HASH_SIZE;
-	bytes = rbt->hashsize * sizeof(dns_rbtnode_t *);
-	rbt->hashtable = isc_mem_get(rbt->mctx, bytes);
-
-	if (rbt->hashtable == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memset(rbt->hashtable, 0, bytes);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-rehash(dns_rbt_t *rbt) {
-	unsigned int oldsize;
-	dns_rbtnode_t **oldtable;
-	dns_rbtnode_t *node;
-	unsigned int hash;
-	unsigned int i;
-
-	oldsize = rbt->hashsize;
-	oldtable = rbt->hashtable;
-	rbt->hashsize = rbt->hashsize * 2 + 1;
-	rbt->hashtable = isc_mem_get(rbt->mctx,
-				     rbt->hashsize * sizeof(dns_rbtnode_t *));
-	if (rbt->hashtable == NULL) {
-		rbt->hashtable = oldtable;
-		rbt->hashsize = oldsize;
-		return;
-	}
-
-	INSIST(rbt->hashsize > 0);
-
-	for (i = 0; i < rbt->hashsize; i++)
-		rbt->hashtable[i] = NULL;
-
-	for (i = 0; i < oldsize; i++) {
-		node = oldtable[i];
-		while (node != NULL) {
-			hash = HASHVAL(node) % rbt->hashsize;
-			oldtable[i] = HASHNEXT(node);
-			HASHNEXT(node) = rbt->hashtable[hash];
-			rbt->hashtable[hash] = node;
-			node = oldtable[i];
-		}
-	}
-
-	isc_mem_put(rbt->mctx, oldtable, oldsize * sizeof(dns_rbtnode_t *));
-}
-
-static inline void
-hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name) {
-
-	REQUIRE(DNS_RBTNODE_VALID(node));
-
-	if (rbt->nodecount >= (rbt->hashsize *3))
-		rehash(rbt);
-
-	hash_add_node(rbt, node, name);
-}
-
-static inline void
-unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
-	unsigned int bucket;
-	dns_rbtnode_t *bucket_node;
-
-	REQUIRE(DNS_RBTNODE_VALID(node));
-
-	if (rbt->hashtable != NULL) {
-		bucket = HASHVAL(node) % rbt->hashsize;
-		bucket_node = rbt->hashtable[bucket];
-
-		if (bucket_node == node)
-			rbt->hashtable[bucket] = HASHNEXT(node);
-		else {
-			while (HASHNEXT(bucket_node) != node) {
-				INSIST(HASHNEXT(bucket_node) != NULL);
-				bucket_node = HASHNEXT(bucket_node);
-			}
-			HASHNEXT(bucket_node) = HASHNEXT(node);
-		}
-	}
-}
-#endif /* DNS_RBT_USEHASH */
-
-static inline void
-rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
-	dns_rbtnode_t *child;
-
-	REQUIRE(DNS_RBTNODE_VALID(node));
-	REQUIRE(rootp != NULL);
-
-	child = RIGHT(node);
-	INSIST(child != NULL);
-
-	RIGHT(node) = LEFT(child);
-	if (LEFT(child) != NULL)
-		PARENT(LEFT(child)) = node;
-	LEFT(child) = node;
-
-	if (child != NULL)
-		PARENT(child) = PARENT(node);
-
-	if (IS_ROOT(node)) {
-		*rootp = child;
-		child->is_root = 1;
-		node->is_root = 0;
-
-	} else {
-		if (LEFT(PARENT(node)) == node)
-			LEFT(PARENT(node)) = child;
-		else
-			RIGHT(PARENT(node)) = child;
-	}
-
-	PARENT(node) = child;
-}
-
-static inline void
-rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
-	dns_rbtnode_t *child;
-
-	REQUIRE(DNS_RBTNODE_VALID(node));
-	REQUIRE(rootp != NULL);
-
-	child = LEFT(node);
-	INSIST(child != NULL);
-
-	LEFT(node) = RIGHT(child);
-	if (RIGHT(child) != NULL)
-		PARENT(RIGHT(child)) = node;
-	RIGHT(child) = node;
-
-	if (child != NULL)
-		PARENT(child) = PARENT(node);
-
-	if (IS_ROOT(node)) {
-		*rootp = child;
-		child->is_root = 1;
-		node->is_root = 0;
-
-	} else {
-		if (LEFT(PARENT(node)) == node)
-			LEFT(PARENT(node)) = child;
-		else
-			RIGHT(PARENT(node)) = child;
-	}
-
-	PARENT(node) = child;
-}
-
-/*
- * This is the real workhorse of the insertion code, because it does the
- * true red/black tree on a single level.
- */
-static void
-dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
-		   dns_rbtnode_t **rootp)
-{
-	dns_rbtnode_t *child, *root, *parent, *grandparent;
-	dns_name_t add_name, current_name;
-	dns_offsets_t add_offsets, current_offsets;
-
-	REQUIRE(rootp != NULL);
-	REQUIRE(DNS_RBTNODE_VALID(node) && LEFT(node) == NULL &&
-		RIGHT(node) == NULL);
-	REQUIRE(current != NULL);
-
-	root = *rootp;
-	if (root == NULL) {
-		/*
-		 * First node of a level.
-		 */
-		MAKE_BLACK(node);
-		node->is_root = 1;
-		PARENT(node) = current;
-		*rootp = node;
-		return;
-	}
-
-	child = root;
-	POST(child);
-
-	dns_name_init(&add_name, add_offsets);
-	NODENAME(node, &add_name);
-
-	dns_name_init(&current_name, current_offsets);
-	NODENAME(current, &current_name);
-
-	if (order < 0) {
-		INSIST(LEFT(current) == NULL);
-		LEFT(current) = node;
-	} else {
-		INSIST(RIGHT(current) == NULL);
-		RIGHT(current) = node;
-	}
-
-	INSIST(PARENT(node) == NULL);
-	PARENT(node) = current;
-
-	MAKE_RED(node);
-
-	while (node != root && IS_RED(PARENT(node))) {
-		/*
-		 * XXXDCL could do away with separate parent and grandparent
-		 * variables.  They are vestiges of the days before parent
-		 * pointers.  However, they make the code a little clearer.
-		 */
-
-		parent = PARENT(node);
-		grandparent = PARENT(parent);
-
-		if (parent == LEFT(grandparent)) {
-			child = RIGHT(grandparent);
-			if (child != NULL && IS_RED(child)) {
-				MAKE_BLACK(parent);
-				MAKE_BLACK(child);
-				MAKE_RED(grandparent);
-				node = grandparent;
-			} else {
-				if (node == RIGHT(parent)) {
-					rotate_left(parent, &root);
-					node = parent;
-					parent = PARENT(node);
-					grandparent = PARENT(parent);
-				}
-				MAKE_BLACK(parent);
-				MAKE_RED(grandparent);
-				rotate_right(grandparent, &root);
-			}
-		} else {
-			child = LEFT(grandparent);
-			if (child != NULL && IS_RED(child)) {
-				MAKE_BLACK(parent);
-				MAKE_BLACK(child);
-				MAKE_RED(grandparent);
-				node = grandparent;
-			} else {
-				if (node == LEFT(parent)) {
-					rotate_right(parent, &root);
-					node = parent;
-					parent = PARENT(node);
-					grandparent = PARENT(parent);
-				}
-				MAKE_BLACK(parent);
-				MAKE_RED(grandparent);
-				rotate_left(grandparent, &root);
-			}
-		}
-	}
-
-	MAKE_BLACK(root);
-	ENSURE(IS_ROOT(root));
-	*rootp = root;
-
-	return;
-}
-
-/*
- * This is the real workhorse of the deletion code, because it does the
- * true red/black tree on a single level.
- */
-static void
-dns_rbt_deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
-	dns_rbtnode_t *child, *sibling, *parent;
-	dns_rbtnode_t *successor;
-
-	REQUIRE(delete != NULL);
-
-	/*
-	 * Verify that the parent history is (apparently) correct.
-	 */
-	INSIST((IS_ROOT(delete) && *rootp == delete) ||
-	       (! IS_ROOT(delete) &&
-		(LEFT(PARENT(delete)) == delete ||
-		 RIGHT(PARENT(delete)) == delete)));
-
-	child = NULL;
-
-	if (LEFT(delete) == NULL) {
-		if (RIGHT(delete) == NULL) {
-			if (IS_ROOT(delete)) {
-				/*
-				 * This is the only item in the tree.
-				 */
-				*rootp = NULL;
-				return;
-			}
-		} else
-			/*
-			 * This node has one child, on the right.
-			 */
-			child = RIGHT(delete);
-
-	} else if (RIGHT(delete) == NULL)
-		/*
-		 * This node has one child, on the left.
-		 */
-		child = LEFT(delete);
-	else {
-		dns_rbtnode_t holder, *tmp = &holder;
-
-		/*
-		 * This node has two children, so it cannot be directly
-		 * deleted.  Find its immediate in-order successor and
-		 * move it to this location, then do the deletion at the
-		 * old site of the successor.
-		 */
-		successor = RIGHT(delete);
-		while (LEFT(successor) != NULL)
-			successor = LEFT(successor);
-
-		/*
-		 * The successor cannot possibly have a left child;
-		 * if there is any child, it is on the right.
-		 */
-		if (RIGHT(successor) != NULL)
-			child = RIGHT(successor);
-
-		/*
-		 * Swap the two nodes; it would be simpler to just replace
-		 * the value being deleted with that of the successor,
-		 * but this rigamarole is done so the caller has complete
-		 * control over the pointers (and memory allocation) of
-		 * all of nodes.  If just the key value were removed from
-		 * the tree, the pointer to the node would be unchanged.
-		 */
-
-		/*
-		 * First, put the successor in the tree location of the
-		 * node to be deleted.  Save its existing tree pointer
-		 * information, which will be needed when linking up
-		 * delete to the successor's old location.
-		 */
-		memcpy(tmp, successor, sizeof(dns_rbtnode_t));
-
-		if (IS_ROOT(delete)) {
-			*rootp = successor;
-			successor->is_root = ISC_TRUE;
-			delete->is_root = ISC_FALSE;
-
-		} else
-			if (LEFT(PARENT(delete)) == delete)
-				LEFT(PARENT(delete)) = successor;
-			else
-				RIGHT(PARENT(delete)) = successor;
-
-		PARENT(successor) = PARENT(delete);
-		LEFT(successor)   = LEFT(delete);
-		RIGHT(successor)  = RIGHT(delete);
-		COLOR(successor)  = COLOR(delete);
-
-		if (LEFT(successor) != NULL)
-			PARENT(LEFT(successor)) = successor;
-		if (RIGHT(successor) != successor)
-			PARENT(RIGHT(successor)) = successor;
-
-		/*
-		 * Now relink the node to be deleted into the
-		 * successor's previous tree location.  PARENT(tmp)
-		 * is the successor's original parent.
-		 */
-		INSIST(! IS_ROOT(delete));
-
-		if (PARENT(tmp) == delete) {
-			/*
-			 * Node being deleted was successor's parent.
-			 */
-			RIGHT(successor) = delete;
-			PARENT(delete) = successor;
-
-		} else {
-			LEFT(PARENT(tmp)) = delete;
-			PARENT(delete) = PARENT(tmp);
-		}
-
-		/*
-		 * Original location of successor node has no left.
-		 */
-		LEFT(delete)   = NULL;
-		RIGHT(delete)  = RIGHT(tmp);
-		COLOR(delete)  = COLOR(tmp);
-	}
-
-	/*
-	 * Remove the node by removing the links from its parent.
-	 */
-	if (! IS_ROOT(delete)) {
-		if (LEFT(PARENT(delete)) == delete)
-			LEFT(PARENT(delete)) = child;
-		else
-			RIGHT(PARENT(delete)) = child;
-
-		if (child != NULL)
-			PARENT(child) = PARENT(delete);
-
-	} else {
-		/*
-		 * This is the root being deleted, and at this point
-		 * it is known to have just one child.
-		 */
-		*rootp = child;
-		child->is_root = 1;
-		PARENT(child) = PARENT(delete);
-	}
-
-	/*
-	 * Fix color violations.
-	 */
-	if (IS_BLACK(delete)) {
-		parent = PARENT(delete);
-
-		while (child != *rootp && IS_BLACK(child)) {
-			INSIST(child == NULL || ! IS_ROOT(child));
-
-			if (LEFT(parent) == child) {
-				sibling = RIGHT(parent);
-
-				if (IS_RED(sibling)) {
-					MAKE_BLACK(sibling);
-					MAKE_RED(parent);
-					rotate_left(parent, rootp);
-					sibling = RIGHT(parent);
-				}
-
-				INSIST(sibling != NULL);
-
-				if (IS_BLACK(LEFT(sibling)) &&
-				    IS_BLACK(RIGHT(sibling))) {
-					MAKE_RED(sibling);
-					child = parent;
-
-				} else {
-
-					if (IS_BLACK(RIGHT(sibling))) {
-						MAKE_BLACK(LEFT(sibling));
-						MAKE_RED(sibling);
-						rotate_right(sibling, rootp);
-						sibling = RIGHT(parent);
-					}
-
-					COLOR(sibling) = COLOR(parent);
-					MAKE_BLACK(parent);
-					INSIST(RIGHT(sibling) != NULL);
-					MAKE_BLACK(RIGHT(sibling));
-					rotate_left(parent, rootp);
-					child = *rootp;
-				}
-
-			} else {
-				/*
-				 * Child is parent's right child.
-				 * Everything is done the same as above,
-				 * except mirrored.
-				 */
-				sibling = LEFT(parent);
-
-				if (IS_RED(sibling)) {
-					MAKE_BLACK(sibling);
-					MAKE_RED(parent);
-					rotate_right(parent, rootp);
-					sibling = LEFT(parent);
-				}
-
-				INSIST(sibling != NULL);
-
-				if (IS_BLACK(LEFT(sibling)) &&
-				    IS_BLACK(RIGHT(sibling))) {
-					MAKE_RED(sibling);
-					child = parent;
-
-				} else {
-					if (IS_BLACK(LEFT(sibling))) {
-						MAKE_BLACK(RIGHT(sibling));
-						MAKE_RED(sibling);
-						rotate_left(sibling, rootp);
-						sibling = LEFT(parent);
-					}
-
-					COLOR(sibling) = COLOR(parent);
-					MAKE_BLACK(parent);
-					INSIST(LEFT(sibling) != NULL);
-					MAKE_BLACK(LEFT(sibling));
-					rotate_right(parent, rootp);
-					child = *rootp;
-				}
-			}
-
-			parent = PARENT(child);
-		}
-
-		if (IS_RED(child))
-			MAKE_BLACK(child);
-	}
-}
-
-/*
- * This should only be used on the root of a tree, because no color fixup
- * is done at all.
- *
- * NOTE: No root pointer maintenance is done, because the function is only
- * used for two cases:
- * + deleting everything DOWN from a node that is itself being deleted, and
- * + deleting the entire tree of trees from dns_rbt_destroy.
- * In each case, the root pointer is no longer relevant, so there
- * is no need for a root parameter to this function.
- *
- * If the function is ever intended to be used to delete something where
- * a pointer needs to be told that this tree no longer exists,
- * this function would need to adjusted accordingly.
- */
-static isc_result_t
-dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node) {
-	isc_result_t result = ISC_R_SUCCESS;
-	REQUIRE(VALID_RBT(rbt));
-
-	if (node == NULL)
-		return (result);
-
-	if (LEFT(node) != NULL) {
-		result = dns_rbt_deletetree(rbt, LEFT(node));
-		if (result != ISC_R_SUCCESS)
-			goto done;
-		LEFT(node) = NULL;
-	}
-	if (RIGHT(node) != NULL) {
-		result = dns_rbt_deletetree(rbt, RIGHT(node));
-		if (result != ISC_R_SUCCESS)
-			goto done;
-		RIGHT(node) = NULL;
-	}
-	if (DOWN(node) != NULL) {
-		result = dns_rbt_deletetree(rbt, DOWN(node));
-		if (result != ISC_R_SUCCESS)
-			goto done;
-		DOWN(node) = NULL;
-	}
- done:
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (DATA(node) != NULL && rbt->data_deleter != NULL)
-		rbt->data_deleter(DATA(node), rbt->deleter_arg);
-
-	unhash_node(rbt, node);
-#if DNS_RBT_USEMAGIC
-	node->magic = 0;
-#endif
-
-	isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
-	rbt->nodecount--;
-	return (result);
-}
-
-static void
-dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum,
-		       dns_rbtnode_t **nodep)
-{
-	dns_rbtnode_t *parent;
-	dns_rbtnode_t *node = *nodep;
-	REQUIRE(VALID_RBT(rbt));
-
- again:
-	if (node == NULL) {
-		*nodep = NULL;
-		return;
-	}
-
- traverse:
-	if (LEFT(node) != NULL) {
-		node = LEFT(node);
-		goto traverse;
-	}
-	if (DOWN(node) != NULL) {
-		node = DOWN(node);
-		goto traverse;
-	}
-
-	if (DATA(node) != NULL && rbt->data_deleter != NULL)
-		rbt->data_deleter(DATA(node), rbt->deleter_arg);
-
-	/*
-	 * Note: we don't call unhash_node() here as we are destroying
-	 * the complete rbt tree.
-	 */
-#if DNS_RBT_USEMAGIC
-	node->magic = 0;
-#endif
-	parent = PARENT(node);
-	if (RIGHT(node) != NULL)
-		PARENT(RIGHT(node)) = parent;
-	if (parent != NULL) {
-		if (LEFT(parent) == node)
-			LEFT(parent) = RIGHT(node);
-		else if (DOWN(parent) == node)
-			DOWN(parent) = RIGHT(node);
-	} else
-		parent = RIGHT(node);
-
-	isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
-	rbt->nodecount--;
-	node = parent;
-	if (quantum != 0 && --quantum == 0) {
-		*nodep = node;
-		return;
-	}
-	goto again;
-}
-
-static void
-dns_rbt_indent(int depth) {
-	int i;
-
-	for (i = 0; i < depth; i++)
-		putchar('\t');
-}
-
-static void
-dns_rbt_printnodename(dns_rbtnode_t *node) {
-	isc_region_t r;
-	dns_name_t name;
-	char buffer[DNS_NAME_FORMATSIZE];
-	dns_offsets_t offsets;
-
-	r.length = NAMELEN(node);
-	r.base = NAME(node);
-
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &r);
-
-	dns_name_format(&name, buffer, sizeof(buffer));
-
-	printf("%s", buffer);
-}
-
-static void
-dns_rbt_printtree(dns_rbtnode_t *root, dns_rbtnode_t *parent, int depth) {
-	dns_rbt_indent(depth);
-
-	if (root != NULL) {
-		dns_rbt_printnodename(root);
-		printf(" (%s", IS_RED(root) ? "RED" : "black");
-		if (parent) {
-			printf(" from ");
-			dns_rbt_printnodename(parent);
-		}
-
-		if ((! IS_ROOT(root) && PARENT(root) != parent) ||
-		    (  IS_ROOT(root) && depth > 0 &&
-		       DOWN(PARENT(root)) != root)) {
-
-			printf(" (BAD parent pointer! -> ");
-			if (PARENT(root) != NULL)
-				dns_rbt_printnodename(PARENT(root));
-			else
-				printf("NULL");
-			printf(")");
-		}
-
-		printf(")\n");
-
-
-		depth++;
-
-		if (DOWN(root)) {
-			dns_rbt_indent(depth);
-			printf("++ BEG down from ");
-			dns_rbt_printnodename(root);
-			printf("\n");
-			dns_rbt_printtree(DOWN(root), NULL, depth);
-			dns_rbt_indent(depth);
-			printf("-- END down from ");
-			dns_rbt_printnodename(root);
-			printf("\n");
-		}
-
-		if (IS_RED(root) && IS_RED(LEFT(root)))
-		    printf("** Red/Red color violation on left\n");
-		dns_rbt_printtree(LEFT(root), root, depth);
-
-		if (IS_RED(root) && IS_RED(RIGHT(root)))
-		    printf("** Red/Red color violation on right\n");
-		dns_rbt_printtree(RIGHT(root), root, depth);
-
-	} else
-		printf("NULL\n");
-}
-
-void
-dns_rbt_printall(dns_rbt_t *rbt) {
-	REQUIRE(VALID_RBT(rbt));
-
-	dns_rbt_printtree(rbt->root, NULL, 0);
-}
-
-/*
- * Chain Functions
- */
-
-void
-dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx) {
-	/*
-	 * Initialize 'chain'.
-	 */
-
-	REQUIRE(chain != NULL);
-
-	chain->mctx = mctx;
-	chain->end = NULL;
-	chain->level_count = 0;
-	chain->level_matches = 0;
-	memset(chain->levels, 0, sizeof(chain->levels));
-
-	chain->magic = CHAIN_MAGIC;
-}
-
-isc_result_t
-dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
-			 dns_name_t *origin, dns_rbtnode_t **node)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(VALID_CHAIN(chain));
-
-	if (node != NULL)
-		*node = chain->end;
-
-	if (chain->end == NULL)
-		return (ISC_R_NOTFOUND);
-
-	if (name != NULL) {
-		NODENAME(chain->end, name);
-
-		if (chain->level_count == 0) {
-			/*
-			 * Names in the top level tree are all absolute.
-			 * Always make 'name' relative.
-			 */
-			INSIST(dns_name_isabsolute(name));
-
-			/*
-			 * This is cheaper than dns_name_getlabelsequence().
-			 */
-			name->labels--;
-			name->length--;
-			name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
-		}
-	}
-
-	if (origin != NULL) {
-		if (chain->level_count > 0)
-			result = chain_name(chain, origin, ISC_FALSE);
-		else
-			result = dns_name_copy(dns_rootname, origin, NULL);
-	}
-
-	return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
-		      dns_name_t *origin)
-{
-	dns_rbtnode_t *current, *previous, *predecessor;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t new_origin = ISC_FALSE;
-
-	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
-
-	predecessor = NULL;
-
-	current = chain->end;
-
-	if (LEFT(current) != NULL) {
-		/*
-		 * Moving left one then right as far as possible is the
-		 * previous node, at least for this level.
-		 */
-		current = LEFT(current);
-
-		while (RIGHT(current) != NULL)
-			current = RIGHT(current);
-
-		predecessor = current;
-
-	} else {
-		/*
-		 * No left links, so move toward the root.  If at any point on
-		 * the way there the link from parent to child is a right
-		 * link, then the parent is the previous node, at least
-		 * for this level.
-		 */
-		while (! IS_ROOT(current)) {
-			previous = current;
-			current = PARENT(current);
-
-			if (RIGHT(current) == previous) {
-				predecessor = current;
-				break;
-			}
-		}
-	}
-
-	if (predecessor != NULL) {
-		/*
-		 * Found a predecessor node in this level.  It might not
-		 * really be the predecessor, however.
-		 */
-		if (DOWN(predecessor) != NULL) {
-			/*
-			 * The predecessor is really down at least one level.
-			 * Go down and as far right as possible, and repeat
-			 * as long as the rightmost node has a down pointer.
-			 */
-			do {
-				/*
-				 * XXX DCL Need to do something about origins
-				 * here. See whether to go down, and if so
-				 * whether it is truly what Bob calls a
-				 * new origin.
-				 */
-				ADD_LEVEL(chain, predecessor);
-				predecessor = DOWN(predecessor);
-
-				/* XXX DCL duplicated from above; clever
-				 * way to unduplicate? */
-
-				while (RIGHT(predecessor) != NULL)
-					predecessor = RIGHT(predecessor);
-			} while (DOWN(predecessor) != NULL);
-
-			/* XXX DCL probably needs work on the concept */
-			if (origin != NULL)
-				new_origin = ISC_TRUE;
-		}
-
-	} else if (chain->level_count > 0) {
-		/*
-		 * Dang, didn't find a predecessor in this level.
-		 * Got to the root of this level without having traversed
-		 * any right links.  Ascend the tree one level; the
-		 * node that points to this tree is the predecessor.
-		 */
-		INSIST(chain->level_count > 0 && IS_ROOT(current));
-		predecessor = chain->levels[--chain->level_count];
-
-		/* XXX DCL probably needs work on the concept */
-		/*
-		 * Don't declare an origin change when the new origin is "."
-		 * at the top level tree, because "." is declared as the origin
-		 * for the second level tree.
-		 */
-		if (origin != NULL &&
-		    (chain->level_count > 0 || OFFSETLEN(predecessor) > 1))
-			new_origin = ISC_TRUE;
-	}
-
-	if (predecessor != NULL) {
-		chain->end = predecessor;
-
-		if (new_origin) {
-			result = dns_rbtnodechain_current(chain, name, origin,
-							  NULL);
-			if (result == ISC_R_SUCCESS)
-				result = DNS_R_NEWORIGIN;
-
-		} else
-			result = dns_rbtnodechain_current(chain, name, NULL,
-							  NULL);
-
-	} else
-		result = ISC_R_NOMORE;
-
-	return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_down(dns_rbtnodechain_t *chain, dns_name_t *name,
-		      dns_name_t *origin)
-{
-	dns_rbtnode_t *current, *successor;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t new_origin = ISC_FALSE;
-
-	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
-
-	successor = NULL;
-
-	current = chain->end;
-
-	if (DOWN(current) != NULL) {
-		/*
-		 * Don't declare an origin change when the new origin is "."
-		 * at the second level tree, because "." is already declared
-		 * as the origin for the top level tree.
-		 */
-		if (chain->level_count > 0 ||
-		    OFFSETLEN(current) > 1)
-			new_origin = ISC_TRUE;
-
-		ADD_LEVEL(chain, current);
-		current = DOWN(current);
-
-		while (LEFT(current) != NULL)
-			current = LEFT(current);
-
-		successor = current;
-	}
-
-	if (successor != NULL) {
-		chain->end = successor;
-
-		/*
-		 * It is not necessary to use dns_rbtnodechain_current like
-		 * the other functions because this function will never
-		 * find a node in the topmost level.  This is because the
-		 * root level will never be more than one name, and everything
-		 * in the megatree is a successor to that node, down at
-		 * the second level or below.
-		 */
-
-		if (name != NULL)
-			NODENAME(chain->end, name);
-
-		if (new_origin) {
-			if (origin != NULL)
-				result = chain_name(chain, origin, ISC_FALSE);
-
-			if (result == ISC_R_SUCCESS)
-				result = DNS_R_NEWORIGIN;
-
-		} else
-			result = ISC_R_SUCCESS;
-
-	} else
-		result = ISC_R_NOMORE;
-
-	return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name) {
-	dns_rbtnode_t *current, *previous, *successor;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
-
-	successor = NULL;
-
-	current = chain->end;
-
-	if (RIGHT(current) == NULL) {
-		while (! IS_ROOT(current)) {
-			previous = current;
-			current = PARENT(current);
-
-			if (LEFT(current) == previous) {
-				successor = current;
-				break;
-			}
-		}
-	} else {
-		current = RIGHT(current);
-
-		while (LEFT(current) != NULL)
-			current = LEFT(current);
-
-		successor = current;
-	}
-
-	if (successor != NULL) {
-		chain->end = successor;
-
-		if (name != NULL)
-			NODENAME(chain->end, name);
-
-		result = ISC_R_SUCCESS;
-	} else
-		result = ISC_R_NOMORE;
-
-	return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
-		      dns_name_t *origin)
-{
-	dns_rbtnode_t *current, *previous, *successor;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t new_origin = ISC_FALSE;
-
-	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
-
-	successor = NULL;
-
-	current = chain->end;
-
-	/*
-	 * If there is a level below this node, the next node is the leftmost
-	 * node of the next level.
-	 */
-	if (DOWN(current) != NULL) {
-		/*
-		 * Don't declare an origin change when the new origin is "."
-		 * at the second level tree, because "." is already declared
-		 * as the origin for the top level tree.
-		 */
-		if (chain->level_count > 0 ||
-		    OFFSETLEN(current) > 1)
-			new_origin = ISC_TRUE;
-
-		ADD_LEVEL(chain, current);
-		current = DOWN(current);
-
-		while (LEFT(current) != NULL)
-			current = LEFT(current);
-
-		successor = current;
-
-	} else if (RIGHT(current) == NULL) {
-		/*
-		 * The successor is up, either in this level or a previous one.
-		 * Head back toward the root of the tree, looking for any path
-		 * that was via a left link; the successor is the node that has
-		 * that left link.  In the event the root of the level is
-		 * reached without having traversed any left links, ascend one
-		 * level and look for either a right link off the point of
-		 * ascent, or search for a left link upward again, repeating
-		 * ascends until either case is true.
-		 */
-		do {
-			while (! IS_ROOT(current)) {
-				previous = current;
-				current = PARENT(current);
-
-				if (LEFT(current) == previous) {
-					successor = current;
-					break;
-				}
-			}
-
-			if (successor == NULL) {
-				/*
-				 * Reached the root without having traversed
-				 * any left pointers, so this level is done.
-				 */
-				if (chain->level_count == 0)
-					break;
-
-				current = chain->levels[--chain->level_count];
-				new_origin = ISC_TRUE;
-
-				if (RIGHT(current) != NULL)
-					break;
-			}
-		} while (successor == NULL);
-	}
-
-	if (successor == NULL && RIGHT(current) != NULL) {
-		current = RIGHT(current);
-
-		while (LEFT(current) != NULL)
-			current = LEFT(current);
-
-		successor = current;
-	}
-
-	if (successor != NULL) {
-		chain->end = successor;
-
-		/*
-		 * It is not necessary to use dns_rbtnodechain_current like
-		 * the other functions because this function will never
-		 * find a node in the topmost level.  This is because the
-		 * root level will never be more than one name, and everything
-		 * in the megatree is a successor to that node, down at
-		 * the second level or below.
-		 */
-
-		if (name != NULL)
-			NODENAME(chain->end, name);
-
-		if (new_origin) {
-			if (origin != NULL)
-				result = chain_name(chain, origin, ISC_FALSE);
-
-			if (result == ISC_R_SUCCESS)
-				result = DNS_R_NEWORIGIN;
-
-		} else
-			result = ISC_R_SUCCESS;
-
-	} else
-		result = ISC_R_NOMORE;
-
-	return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
-		       dns_name_t *name, dns_name_t *origin)
-
-{
-	isc_result_t result;
-
-	REQUIRE(VALID_RBT(rbt));
-	REQUIRE(VALID_CHAIN(chain));
-
-	dns_rbtnodechain_reset(chain);
-
-	chain->end = rbt->root;
-
-	result = dns_rbtnodechain_current(chain, name, origin, NULL);
-
-	if (result == ISC_R_SUCCESS)
-		result = DNS_R_NEWORIGIN;
-
-	return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
-		       dns_name_t *name, dns_name_t *origin)
-
-{
-	isc_result_t result;
-
-	REQUIRE(VALID_RBT(rbt));
-	REQUIRE(VALID_CHAIN(chain));
-
-	dns_rbtnodechain_reset(chain);
-
-	result = move_chain_to_last(chain, rbt->root);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_rbtnodechain_current(chain, name, origin, NULL);
-
-	if (result == ISC_R_SUCCESS)
-		result = DNS_R_NEWORIGIN;
-
-	return (result);
-}
-
-
-void
-dns_rbtnodechain_reset(dns_rbtnodechain_t *chain) {
-	/*
-	 * Free any dynamic storage associated with 'chain', and then
-	 * reinitialize 'chain'.
-	 */
-
-	REQUIRE(VALID_CHAIN(chain));
-
-	chain->end = NULL;
-	chain->level_count = 0;
-	chain->level_matches = 0;
-}
-
-void
-dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain) {
-	/*
-	 * Free any dynamic storage associated with 'chain', and then
-	 * invalidate 'chain'.
-	 */
-
-	dns_rbtnodechain_reset(chain);
-
-	chain->magic = 0;
-}
diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c
deleted file mode 100644
index bff52b8..0000000
--- a/contrib/bind9/lib/dns/rbtdb.c
+++ /dev/null
@@ -1,9343 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-/*
- * Principal Author: Bob Halley
- */
-
-#include <config.h>
-
-/* #define inline */
-
-#include <isc/event.h>
-#include <isc/heap.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/serial.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/acache.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/lib.h>
-#include <dns/log.h>
-#include <dns/masterdump.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/rbt.h>
-#include <dns/rpz.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdataslab.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/stats.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zonekey.h>
-
-#ifdef DNS_RBTDB_VERSION64
-#include "rbtdb64.h"
-#else
-#include "rbtdb.h"
-#endif
-
-#ifdef DNS_RBTDB_VERSION64
-#define RBTDB_MAGIC                     ISC_MAGIC('R', 'B', 'D', '8')
-#else
-#define RBTDB_MAGIC                     ISC_MAGIC('R', 'B', 'D', '4')
-#endif
-
-/*%
- * Note that "impmagic" is not the first four bytes of the struct, so
- * ISC_MAGIC_VALID cannot be used.
- */
-#define VALID_RBTDB(rbtdb)      ((rbtdb) != NULL && \
-				 (rbtdb)->common.impmagic == RBTDB_MAGIC)
-
-#ifdef DNS_RBTDB_VERSION64
-typedef isc_uint64_t                    rbtdb_serial_t;
-/*%
- * Make casting easier in symbolic debuggers by using different names
- * for the 64 bit version.
- */
-#define dns_rbtdb_t dns_rbtdb64_t
-#define rdatasetheader_t rdatasetheader64_t
-#define rbtdb_version_t rbtdb_version64_t
-#else
-typedef isc_uint32_t                    rbtdb_serial_t;
-#endif
-
-typedef isc_uint32_t                    rbtdb_rdatatype_t;
-
-#define RBTDB_RDATATYPE_BASE(type)      ((dns_rdatatype_t)((type) & 0xFFFF))
-#define RBTDB_RDATATYPE_EXT(type)       ((dns_rdatatype_t)((type) >> 16))
-#define RBTDB_RDATATYPE_VALUE(b, e)     ((rbtdb_rdatatype_t)((e) << 16) | (b))
-
-#define RBTDB_RDATATYPE_SIGNSEC \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec)
-#define RBTDB_RDATATYPE_SIGNSEC3 \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3)
-#define RBTDB_RDATATYPE_SIGNS \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns)
-#define RBTDB_RDATATYPE_SIGCNAME \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname)
-#define RBTDB_RDATATYPE_SIGDNAME \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname)
-#define RBTDB_RDATATYPE_SIGDDS \
-		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds)
-#define RBTDB_RDATATYPE_NCACHEANY \
-		RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any)
-
-/*
- * We use rwlock for DB lock only when ISC_RWLOCK_USEATOMIC is non 0.
- * Using rwlock is effective with regard to lookup performance only when
- * it is implemented in an efficient way.
- * Otherwise, it is generally wise to stick to the simple locking since rwlock
- * would require more memory or can even make lookups slower due to its own
- * overhead (when it internally calls mutex locks).
- */
-#ifdef ISC_RWLOCK_USEATOMIC
-#define DNS_RBTDB_USERWLOCK 1
-#else
-#define DNS_RBTDB_USERWLOCK 0
-#endif
-
-#if DNS_RBTDB_USERWLOCK
-#define RBTDB_INITLOCK(l)       isc_rwlock_init((l), 0, 0)
-#define RBTDB_DESTROYLOCK(l)    isc_rwlock_destroy(l)
-#define RBTDB_LOCK(l, t)        RWLOCK((l), (t))
-#define RBTDB_UNLOCK(l, t)      RWUNLOCK((l), (t))
-#else
-#define RBTDB_INITLOCK(l)       isc_mutex_init(l)
-#define RBTDB_DESTROYLOCK(l)    DESTROYLOCK(l)
-#define RBTDB_LOCK(l, t)        LOCK(l)
-#define RBTDB_UNLOCK(l, t)      UNLOCK(l)
-#endif
-
-/*
- * Since node locking is sensitive to both performance and memory footprint,
- * we need some trick here.  If we have both high-performance rwlock and
- * high performance and small-memory reference counters, we use rwlock for
- * node lock and isc_refcount for node references.  In this case, we don't have
- * to protect the access to the counters by locks.
- * Otherwise, we simply use ordinary mutex lock for node locking, and use
- * simple integers as reference counters which is protected by the lock.
- * In most cases, we can simply use wrapper macros such as NODE_LOCK and
- * NODE_UNLOCK.  In some other cases, however, we need to protect reference
- * counters first and then protect other parts of a node as read-only data.
- * Special additional macros, NODE_STRONGLOCK(), NODE_WEAKLOCK(), etc, are also
- * provided for these special cases.  When we can use the efficient backend
- * routines, we should only protect the "other members" by NODE_WEAKLOCK(read).
- * Otherwise, we should use NODE_STRONGLOCK() to protect the entire critical
- * section including the access to the reference counter.
- * Note that we cannot use NODE_LOCK()/NODE_UNLOCK() wherever the protected
- * section is also protected by NODE_STRONGLOCK().
- */
-#if defined(ISC_RWLOCK_USEATOMIC) && defined(DNS_RBT_USEISCREFCOUNT)
-typedef isc_rwlock_t nodelock_t;
-
-#define NODE_INITLOCK(l)        isc_rwlock_init((l), 0, 0)
-#define NODE_DESTROYLOCK(l)     isc_rwlock_destroy(l)
-#define NODE_LOCK(l, t)         RWLOCK((l), (t))
-#define NODE_UNLOCK(l, t)       RWUNLOCK((l), (t))
-#define NODE_TRYUPGRADE(l)      isc_rwlock_tryupgrade(l)
-
-#define NODE_STRONGLOCK(l)      ((void)0)
-#define NODE_STRONGUNLOCK(l)    ((void)0)
-#define NODE_WEAKLOCK(l, t)     NODE_LOCK(l, t)
-#define NODE_WEAKUNLOCK(l, t)   NODE_UNLOCK(l, t)
-#define NODE_WEAKDOWNGRADE(l)   isc_rwlock_downgrade(l)
-#else
-typedef isc_mutex_t nodelock_t;
-
-#define NODE_INITLOCK(l)        isc_mutex_init(l)
-#define NODE_DESTROYLOCK(l)     DESTROYLOCK(l)
-#define NODE_LOCK(l, t)         LOCK(l)
-#define NODE_UNLOCK(l, t)       UNLOCK(l)
-#define NODE_TRYUPGRADE(l)      ISC_R_SUCCESS
-
-#define NODE_STRONGLOCK(l)      LOCK(l)
-#define NODE_STRONGUNLOCK(l)    UNLOCK(l)
-#define NODE_WEAKLOCK(l, t)     ((void)0)
-#define NODE_WEAKUNLOCK(l, t)   ((void)0)
-#define NODE_WEAKDOWNGRADE(l)   ((void)0)
-#endif
-
-/*%
- * Whether to rate-limit updating the LRU to avoid possible thread contention.
- * Our performance measurement has shown the cost is marginal, so it's defined
- * to be 0 by default either with or without threads.
- */
-#ifndef DNS_RBTDB_LIMITLRUUPDATE
-#define DNS_RBTDB_LIMITLRUUPDATE 0
-#endif
-
-/*
- * Allow clients with a virtual time of up to 5 minutes in the past to see
- * records that would have otherwise have expired.
- */
-#define RBTDB_VIRTUAL 300
-
-struct noqname {
-	dns_name_t 	name;
-	void *     	neg;
-	void *     	negsig;
-	dns_rdatatype_t	type;
-};
-
-typedef struct acachectl acachectl_t;
-
-typedef struct rdatasetheader {
-	/*%
-	 * Locked by the owning node's lock.
-	 */
-	rbtdb_serial_t                  serial;
-	dns_ttl_t                       rdh_ttl;
-	rbtdb_rdatatype_t               type;
-	isc_uint16_t                    attributes;
-	dns_trust_t                     trust;
-	struct noqname                  *noqname;
-	struct noqname                  *closest;
-	/*%<
-	 * We don't use the LIST macros, because the LIST structure has
-	 * both head and tail pointers, and is doubly linked.
-	 */
-
-	struct rdatasetheader           *next;
-	/*%<
-	 * If this is the top header for an rdataset, 'next' points
-	 * to the top header for the next rdataset (i.e., the next type).
-	 * Otherwise, it points up to the header whose down pointer points
-	 * at this header.
-	 */
-
-	struct rdatasetheader           *down;
-	/*%<
-	 * Points to the header for the next older version of
-	 * this rdataset.
-	 */
-
-	isc_uint32_t                    count;
-	/*%<
-	 * Monotonously increased every time this rdataset is bound so that
-	 * it is used as the base of the starting point in DNS responses
-	 * when the "cyclic" rrset-order is required.  Since the ordering
-	 * should not be so crucial, no lock is set for the counter for
-	 * performance reasons.
-	 */
-
-	acachectl_t                     *additional_auth;
-	acachectl_t                     *additional_glue;
-
-	dns_rbtnode_t                   *node;
-	isc_stdtime_t                   last_used;
-	ISC_LINK(struct rdatasetheader) link;
-
-	unsigned int                    heap_index;
-	/*%<
-	 * Used for TTL-based cache cleaning.
-	 */
-	isc_stdtime_t                   resign;
-} rdatasetheader_t;
-
-typedef ISC_LIST(rdatasetheader_t)      rdatasetheaderlist_t;
-typedef ISC_LIST(dns_rbtnode_t)         rbtnodelist_t;
-
-#define RDATASET_ATTR_NONEXISTENT       0x0001
-#define RDATASET_ATTR_STALE             0x0002
-#define RDATASET_ATTR_IGNORE            0x0004
-#define RDATASET_ATTR_RETAIN            0x0008
-#define RDATASET_ATTR_NXDOMAIN          0x0010
-#define RDATASET_ATTR_RESIGN            0x0020
-#define RDATASET_ATTR_STATCOUNT         0x0040
-#define RDATASET_ATTR_OPTOUT		0x0080
-#define RDATASET_ATTR_NEGATIVE          0x0100
-
-typedef struct acache_cbarg {
-	dns_rdatasetadditional_t        type;
-	unsigned int                    count;
-	dns_db_t                        *db;
-	dns_dbnode_t                    *node;
-	rdatasetheader_t                *header;
-} acache_cbarg_t;
-
-struct acachectl {
-	dns_acacheentry_t               *entry;
-	acache_cbarg_t                  *cbarg;
-};
-
-/*
- * XXX
- * When the cache will pre-expire data (due to memory low or other
- * situations) before the rdataset's TTL has expired, it MUST
- * respect the RETAIN bit and not expire the data until its TTL is
- * expired.
- */
-
-#undef IGNORE                   /* WIN32 winbase.h defines this. */
-
-#define EXISTS(header) \
-	(((header)->attributes & RDATASET_ATTR_NONEXISTENT) == 0)
-#define NONEXISTENT(header) \
-	(((header)->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
-#define IGNORE(header) \
-	(((header)->attributes & RDATASET_ATTR_IGNORE) != 0)
-#define RETAIN(header) \
-	(((header)->attributes & RDATASET_ATTR_RETAIN) != 0)
-#define NXDOMAIN(header) \
-	(((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
-#define RESIGN(header) \
-	(((header)->attributes & RDATASET_ATTR_RESIGN) != 0)
-#define OPTOUT(header) \
-	(((header)->attributes & RDATASET_ATTR_OPTOUT) != 0)
-#define NEGATIVE(header) \
-	(((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
-
-#define DEFAULT_NODE_LOCK_COUNT         7       /*%< Should be prime. */
-
-/*%
- * Number of buckets for cache DB entries (locks, LRU lists, TTL heaps).
- * There is a tradeoff issue about configuring this value: if this is too
- * small, it may cause heavier contention between threads; if this is too large,
- * LRU purge algorithm won't work well (entries tend to be purged prematurely).
- * The default value should work well for most environments, but this can
- * also be configurable at compilation time via the
- * DNS_RBTDB_CACHE_NODE_LOCK_COUNT variable.  This value must be larger than
- * 1 due to the assumption of overmem_purge().
- */
-#ifdef DNS_RBTDB_CACHE_NODE_LOCK_COUNT
-#if DNS_RBTDB_CACHE_NODE_LOCK_COUNT <= 1
-#error "DNS_RBTDB_CACHE_NODE_LOCK_COUNT must be larger than 1"
-#else
-#define DEFAULT_CACHE_NODE_LOCK_COUNT DNS_RBTDB_CACHE_NODE_LOCK_COUNT
-#endif
-#else
-#define DEFAULT_CACHE_NODE_LOCK_COUNT   16
-#endif	/* DNS_RBTDB_CACHE_NODE_LOCK_COUNT */
-
-typedef struct {
-	nodelock_t                      lock;
-	/* Protected in the refcount routines. */
-	isc_refcount_t                  references;
-	/* Locked by lock. */
-	isc_boolean_t                   exiting;
-} rbtdb_nodelock_t;
-
-typedef struct rbtdb_changed {
-	dns_rbtnode_t *                 node;
-	isc_boolean_t                   dirty;
-	ISC_LINK(struct rbtdb_changed)  link;
-} rbtdb_changed_t;
-
-typedef ISC_LIST(rbtdb_changed_t)       rbtdb_changedlist_t;
-
-typedef enum {
-	dns_db_insecure,
-	dns_db_partial,
-	dns_db_secure
-} dns_db_secure_t;
-
-typedef struct dns_rbtdb dns_rbtdb_t;
-
-typedef struct rbtdb_version {
-	/* Not locked */
-	rbtdb_serial_t                  serial;
-	dns_rbtdb_t *			rbtdb;
-	/*
-	 * Protected in the refcount routines.
-	 * XXXJT: should we change the lock policy based on the refcount
-	 * performance?
-	 */
-	isc_refcount_t                  references;
-	/* Locked by database lock. */
-	isc_boolean_t                   writer;
-	isc_boolean_t                   commit_ok;
-	rbtdb_changedlist_t             changed_list;
-	rdatasetheaderlist_t		resigned_list;
-	ISC_LINK(struct rbtdb_version)  link;
-	dns_db_secure_t			secure;
-	isc_boolean_t			havensec3;
-	/* NSEC3 parameters */
-	dns_hash_t			hash;
-	isc_uint8_t			flags;
-	isc_uint16_t			iterations;
-	isc_uint8_t			salt_length;
-	unsigned char			salt[DNS_NSEC3_SALTSIZE];
-} rbtdb_version_t;
-
-typedef ISC_LIST(rbtdb_version_t)       rbtdb_versionlist_t;
-
-struct dns_rbtdb {
-	/* Unlocked. */
-	dns_db_t                        common;
-	/* Locks the data in this struct */
-#if DNS_RBTDB_USERWLOCK
-	isc_rwlock_t                    lock;
-#else
-	isc_mutex_t                     lock;
-#endif
-	/* Locks the tree structure (prevents nodes appearing/disappearing) */
-	isc_rwlock_t                    tree_lock;
-	/* Locks for individual tree nodes */
-	unsigned int                    node_lock_count;
-	rbtdb_nodelock_t *              node_locks;
-	dns_rbtnode_t *                 origin_node;
-	dns_stats_t *			rrsetstats; /* cache DB only */
-	/* Locked by lock. */
-	unsigned int                    active;
-	isc_refcount_t                  references;
-	unsigned int                    attributes;
-	rbtdb_serial_t                  current_serial;
-	rbtdb_serial_t                  least_serial;
-	rbtdb_serial_t                  next_serial;
-	rbtdb_version_t *               current_version;
-	rbtdb_version_t *               future_version;
-	rbtdb_versionlist_t             open_versions;
-	isc_task_t *                    task;
-	dns_dbnode_t                    *soanode;
-	dns_dbnode_t                    *nsnode;
-
-	/*
-	 * This is a linked list used to implement the LRU cache.  There will
-	 * be node_lock_count linked lists here.  Nodes in bucket 1 will be
-	 * placed on the linked list rdatasets[1].
-	 */
-	rdatasetheaderlist_t            *rdatasets;
-
-	/*%
-	 * Temporary storage for stale cache nodes and dynamically deleted
-	 * nodes that await being cleaned up.
-	 */
-	rbtnodelist_t                   *deadnodes;
-
-	/*
-	 * Heaps.  These are used for TTL based expiry in a cache,
-	 * or for zone resigning in a zone DB.  hmctx is the memory
-	 * context to use for the heap (which differs from the main
-	 * database memory context in the case of a cache).
-	 */
-	isc_mem_t *			hmctx;
-	isc_heap_t                      **heaps;
-
-	/* Locked by tree_lock. */
-	dns_rbt_t *                     tree;
-	dns_rbt_t *			nsec;
-	dns_rbt_t *			nsec3;
-	dns_rpz_cidr_t *		rpz_cidr;
-
-	/* Unlocked */
-	unsigned int                    quantum;
-};
-
-#define RBTDB_ATTR_LOADED               0x01
-#define RBTDB_ATTR_LOADING              0x02
-
-/*%
- * Search Context
- */
-typedef struct {
-	dns_rbtdb_t *           rbtdb;
-	rbtdb_version_t *       rbtversion;
-	rbtdb_serial_t          serial;
-	unsigned int            options;
-	dns_rbtnodechain_t      chain;
-	isc_boolean_t           copy_name;
-	isc_boolean_t           need_cleanup;
-	isc_boolean_t           wild;
-	dns_rbtnode_t *         zonecut;
-	rdatasetheader_t *      zonecut_rdataset;
-	rdatasetheader_t *      zonecut_sigrdataset;
-	dns_fixedname_t         zonecut_name;
-	isc_stdtime_t           now;
-} rbtdb_search_t;
-
-/*%
- * Load Context
- */
-typedef struct {
-	dns_rbtdb_t *           rbtdb;
-	isc_stdtime_t           now;
-} rbtdb_load_t;
-
-static void rdataset_disassociate(dns_rdataset_t *rdataset);
-static isc_result_t rdataset_first(dns_rdataset_t *rdataset);
-static isc_result_t rdataset_next(dns_rdataset_t *rdataset);
-static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
-static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
-static unsigned int rdataset_count(dns_rdataset_t *rdataset);
-static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset,
-					dns_name_t *name,
-					dns_rdataset_t *neg,
-					dns_rdataset_t *negsig);
-static isc_result_t rdataset_getclosest(dns_rdataset_t *rdataset,
-					dns_name_t *name,
-					dns_rdataset_t *neg,
-					dns_rdataset_t *negsig);
-static isc_result_t rdataset_getadditional(dns_rdataset_t *rdataset,
-					   dns_rdatasetadditional_t type,
-					   dns_rdatatype_t qtype,
-					   dns_acache_t *acache,
-					   dns_zone_t **zonep,
-					   dns_db_t **dbp,
-					   dns_dbversion_t **versionp,
-					   dns_dbnode_t **nodep,
-					   dns_name_t *fname,
-					   dns_message_t *msg,
-					   isc_stdtime_t now);
-static isc_result_t rdataset_setadditional(dns_rdataset_t *rdataset,
-					   dns_rdatasetadditional_t type,
-					   dns_rdatatype_t qtype,
-					   dns_acache_t *acache,
-					   dns_zone_t *zone,
-					   dns_db_t *db,
-					   dns_dbversion_t *version,
-					   dns_dbnode_t *node,
-					   dns_name_t *fname);
-static isc_result_t rdataset_putadditional(dns_acache_t *acache,
-					   dns_rdataset_t *rdataset,
-					   dns_rdatasetadditional_t type,
-					   dns_rdatatype_t qtype);
-static inline isc_boolean_t need_headerupdate(rdatasetheader_t *header,
-					      isc_stdtime_t now);
-static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
-			  isc_stdtime_t now);
-static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
-			  isc_boolean_t tree_locked);
-static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
-			  isc_stdtime_t now, isc_boolean_t tree_locked);
-static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
-				  rdatasetheader_t *newheader);
-static void prune_tree(isc_task_t *task, isc_event_t *event);
-static void rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
-static void rdataset_expire(dns_rdataset_t *rdataset);
-
-static dns_rdatasetmethods_t rdataset_methods = {
-	rdataset_disassociate,
-	rdataset_first,
-	rdataset_next,
-	rdataset_current,
-	rdataset_clone,
-	rdataset_count,
-	NULL,
-	rdataset_getnoqname,
-	NULL,
-	rdataset_getclosest,
-	rdataset_getadditional,
-	rdataset_setadditional,
-	rdataset_putadditional,
-	rdataset_settrust,
-	rdataset_expire
-};
-
-static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
-static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator);
-static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator);
-static void rdatasetiter_current(dns_rdatasetiter_t *iterator,
-				 dns_rdataset_t *rdataset);
-
-static dns_rdatasetitermethods_t rdatasetiter_methods = {
-	rdatasetiter_destroy,
-	rdatasetiter_first,
-	rdatasetiter_next,
-	rdatasetiter_current
-};
-
-typedef struct rbtdb_rdatasetiter {
-	dns_rdatasetiter_t              common;
-	rdatasetheader_t *              current;
-} rbtdb_rdatasetiter_t;
-
-static void             dbiterator_destroy(dns_dbiterator_t **iteratorp);
-static isc_result_t     dbiterator_first(dns_dbiterator_t *iterator);
-static isc_result_t     dbiterator_last(dns_dbiterator_t *iterator);
-static isc_result_t     dbiterator_seek(dns_dbiterator_t *iterator,
-					dns_name_t *name);
-static isc_result_t     dbiterator_prev(dns_dbiterator_t *iterator);
-static isc_result_t     dbiterator_next(dns_dbiterator_t *iterator);
-static isc_result_t     dbiterator_current(dns_dbiterator_t *iterator,
-					   dns_dbnode_t **nodep,
-					   dns_name_t *name);
-static isc_result_t     dbiterator_pause(dns_dbiterator_t *iterator);
-static isc_result_t     dbiterator_origin(dns_dbiterator_t *iterator,
-					  dns_name_t *name);
-
-static dns_dbiteratormethods_t dbiterator_methods = {
-	dbiterator_destroy,
-	dbiterator_first,
-	dbiterator_last,
-	dbiterator_seek,
-	dbiterator_prev,
-	dbiterator_next,
-	dbiterator_current,
-	dbiterator_pause,
-	dbiterator_origin
-};
-
-#define DELETION_BATCH_MAX 64
-
-/*
- * If 'paused' is ISC_TRUE, then the tree lock is not being held.
- */
-typedef struct rbtdb_dbiterator {
-	dns_dbiterator_t                common;
-	isc_boolean_t                   paused;
-	isc_boolean_t                   new_origin;
-	isc_rwlocktype_t                tree_locked;
-	isc_result_t                    result;
-	dns_fixedname_t                 name;
-	dns_fixedname_t                 origin;
-	dns_rbtnodechain_t              chain;
-	dns_rbtnodechain_t		nsec3chain;
-	dns_rbtnodechain_t		*current;
-	dns_rbtnode_t                   *node;
-	dns_rbtnode_t                   *deletions[DELETION_BATCH_MAX];
-	int                             delete;
-	isc_boolean_t			nsec3only;
-	isc_boolean_t			nonsec3;
-} rbtdb_dbiterator_t;
-
-
-#define IS_STUB(rbtdb)  (((rbtdb)->common.attributes & DNS_DBATTR_STUB)  != 0)
-#define IS_CACHE(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_CACHE) != 0)
-
-static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log,
-		       isc_event_t *event);
-static void overmem(dns_db_t *db, isc_boolean_t overmem);
-#ifdef BIND9
-static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version);
-#endif
-
-/*%
- * 'init_count' is used to initialize 'newheader->count' which inturn
- * is used to determine where in the cycle rrset-order cyclic starts.
- * We don't lock this as we don't care about simultaneous updates.
- *
- * Note:
- *      Both init_count and header->count can be ISC_UINT32_MAX.
- *      The count on the returned rdataset however can't be as
- *      that indicates that the database does not implement cyclic
- *      processing.
- */
-static unsigned int init_count;
-
-/*
- * Locking
- *
- * If a routine is going to lock more than one lock in this module, then
- * the locking must be done in the following order:
- *
- *      Tree Lock
- *
- *      Node Lock       (Only one from the set may be locked at one time by
- *                       any caller)
- *
- *      Database Lock
- *
- * Failure to follow this hierarchy can result in deadlock.
- */
-
-/*
- * Deleting Nodes
- *
- * For zone databases the node for the origin of the zone MUST NOT be deleted.
- */
-
-
-/*
- * DB Routines
- */
-
-static void
-attach(dns_db_t *source, dns_db_t **targetp) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)source;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	isc_refcount_increment(&rbtdb->references, NULL);
-
-	*targetp = source;
-}
-
-static void
-free_rbtdb_callback(isc_task_t *task, isc_event_t *event) {
-	dns_rbtdb_t *rbtdb = event->ev_arg;
-
-	UNUSED(task);
-
-	free_rbtdb(rbtdb, ISC_TRUE, event);
-}
-
-static void
-update_rrsetstats(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
-		  isc_boolean_t increment)
-{
-	dns_rdatastatstype_t statattributes = 0;
-	dns_rdatastatstype_t base = 0;
-	dns_rdatastatstype_t type;
-
-	/* At the moment we count statistics only for cache DB */
-	INSIST(IS_CACHE(rbtdb));
-
-	if (NEGATIVE(header)) {
-		if (NXDOMAIN(header))
-			statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
-		else {
-			statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
-			base = RBTDB_RDATATYPE_EXT(header->type);
-		}
-	} else
-		base = RBTDB_RDATATYPE_BASE(header->type);
-
-	type = DNS_RDATASTATSTYPE_VALUE(base, statattributes);
-	if (increment)
-		dns_rdatasetstats_increment(rbtdb->rrsetstats, type);
-	else
-		dns_rdatasetstats_decrement(rbtdb->rrsetstats, type);
-}
-
-static void
-set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
-	int idx;
-	isc_heap_t *heap;
-	dns_ttl_t oldttl;
-
-	oldttl = header->rdh_ttl;
-	header->rdh_ttl = newttl;
-
-	if (!IS_CACHE(rbtdb))
-		return;
-
-	/*
-	 * It's possible the rbtdb is not a cache.  If this is the case,
-	 * we will not have a heap, and we move on.  If we do, though,
-	 * we might need to adjust things.
-	 */
-	if (header->heap_index == 0 || newttl == oldttl)
-		return;
-	idx = header->node->locknum;
-	if (rbtdb->heaps == NULL || rbtdb->heaps[idx] == NULL)
-	    return;
-	heap = rbtdb->heaps[idx];
-
-	if (newttl < oldttl)
-		isc_heap_increased(heap, header->heap_index);
-	else
-		isc_heap_decreased(heap, header->heap_index);
-}
-
-/*%
- * These functions allow the heap code to rank the priority of each
- * element.  It returns ISC_TRUE if v1 happens "sooner" than v2.
- */
-static isc_boolean_t
-ttl_sooner(void *v1, void *v2) {
-	rdatasetheader_t *h1 = v1;
-	rdatasetheader_t *h2 = v2;
-
-	if (h1->rdh_ttl < h2->rdh_ttl)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-static isc_boolean_t
-resign_sooner(void *v1, void *v2) {
-	rdatasetheader_t *h1 = v1;
-	rdatasetheader_t *h2 = v2;
-
-	if (h1->resign < h2->resign)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-/*%
- * This function sets the heap index into the header.
- */
-static void
-set_index(void *what, unsigned int index) {
-	rdatasetheader_t *h = what;
-
-	h->heap_index = index;
-}
-
-/*%
- * Work out how many nodes can be deleted in the time between two
- * requests to the nameserver.  Smooth the resulting number and use it
- * as a estimate for the number of nodes to be deleted in the next
- * iteration.
- */
-static unsigned int
-adjust_quantum(unsigned int old, isc_time_t *start) {
-	unsigned int pps = dns_pps;     /* packets per second */
-	unsigned int interval;
-	isc_uint64_t usecs;
-	isc_time_t end;
-	unsigned int new;
-
-	if (pps < 100)
-		pps = 100;
-	isc_time_now(&end);
-
-	interval = 1000000 / pps;       /* interval in usec */
-	if (interval == 0)
-		interval = 1;
-	usecs = isc_time_microdiff(&end, start);
-	if (usecs == 0) {
-		/*
-		 * We were unable to measure the amount of time taken.
-		 * Double the nodes deleted next time.
-		 */
-		old *= 2;
-		if (old > 1000)
-			old = 1000;
-		return (old);
-	}
-	new = old * interval;
-	new /= (unsigned int)usecs;
-	if (new == 0)
-		new = 1;
-	else if (new > 1000)
-		new = 1000;
-
-	/* Smooth */
-	new = (new + old * 3) / 4;
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_DEBUG(1), "adjust_quantum -> %d", new);
-
-	return (new);
-}
-
-static void
-free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
-	unsigned int i;
-	isc_ondestroy_t ondest;
-	isc_result_t result;
-	char buf[DNS_NAME_FORMATSIZE];
-	dns_rbt_t **treep;
-	isc_time_t start;
-
-	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
-		overmem((dns_db_t *)rbtdb, (isc_boolean_t)-1);
-
-	REQUIRE(rbtdb->current_version != NULL || EMPTY(rbtdb->open_versions));
-	REQUIRE(rbtdb->future_version == NULL);
-
-	if (rbtdb->current_version != NULL) {
-		unsigned int refs;
-
-		isc_refcount_decrement(&rbtdb->current_version->references,
-				       &refs);
-		INSIST(refs == 0);
-		UNLINK(rbtdb->open_versions, rbtdb->current_version, link);
-		isc_refcount_destroy(&rbtdb->current_version->references);
-		isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
-			    sizeof(rbtdb_version_t));
-	}
-
-	/*
-	 * We assume the number of remaining dead nodes is reasonably small;
-	 * the overhead of unlinking all nodes here should be negligible.
-	 */
-	for (i = 0; i < rbtdb->node_lock_count; i++) {
-		dns_rbtnode_t *node;
-
-		node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
-		while (node != NULL) {
-			ISC_LIST_UNLINK(rbtdb->deadnodes[i], node, deadlink);
-			node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
-		}
-	}
-
-	if (event == NULL)
-		rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
-
-	for (;;) {
-		/*
-		 * pick the next tree to (start to) destroy
-		 */
-		treep = &rbtdb->tree;
-		if (*treep == NULL) {
-			treep = &rbtdb->nsec;
-			if (*treep == NULL) {
-				treep = &rbtdb->nsec3;
-				/*
-				 * we're finished after clear cutting
-				 */
-				if (*treep == NULL)
-					break;
-			}
-		}
-
-		isc_time_now(&start);
-		result = dns_rbt_destroy2(treep, rbtdb->quantum);
-		if (result == ISC_R_QUOTA) {
-			INSIST(rbtdb->task != NULL);
-			if (rbtdb->quantum != 0)
-				rbtdb->quantum = adjust_quantum(rbtdb->quantum,
-								&start);
-			if (event == NULL)
-				event = isc_event_allocate(rbtdb->common.mctx,
-							   NULL,
-							 DNS_EVENT_FREESTORAGE,
-							   free_rbtdb_callback,
-							   rbtdb,
-							   sizeof(isc_event_t));
-			if (event == NULL)
-				continue;
-			isc_task_send(rbtdb->task, &event);
-			return;
-		}
-		INSIST(result == ISC_R_SUCCESS && *treep == NULL);
-	}
-
-	if (event != NULL)
-		isc_event_free(&event);
-	if (log) {
-		if (dns_name_dynamic(&rbtdb->common.origin))
-			dns_name_format(&rbtdb->common.origin, buf,
-					sizeof(buf));
-		else
-			strcpy(buf, "<UNKNOWN>");
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
-			      "done free_rbtdb(%s)", buf);
-	}
-	if (dns_name_dynamic(&rbtdb->common.origin))
-		dns_name_free(&rbtdb->common.origin, rbtdb->common.mctx);
-	for (i = 0; i < rbtdb->node_lock_count; i++) {
-		isc_refcount_destroy(&rbtdb->node_locks[i].references);
-		NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
-	}
-
-	/*
-	 * Clean up LRU / re-signing order lists.
-	 */
-	if (rbtdb->rdatasets != NULL) {
-		for (i = 0; i < rbtdb->node_lock_count; i++)
-			INSIST(ISC_LIST_EMPTY(rbtdb->rdatasets[i]));
-		isc_mem_put(rbtdb->common.mctx, rbtdb->rdatasets,
-			    rbtdb->node_lock_count *
-			    sizeof(rdatasetheaderlist_t));
-	}
-	/*
-	 * Clean up dead node buckets.
-	 */
-	if (rbtdb->deadnodes != NULL) {
-		for (i = 0; i < rbtdb->node_lock_count; i++)
-			INSIST(ISC_LIST_EMPTY(rbtdb->deadnodes[i]));
-		isc_mem_put(rbtdb->common.mctx, rbtdb->deadnodes,
-		    rbtdb->node_lock_count * sizeof(rbtnodelist_t));
-	}
-	/*
-	 * Clean up heap objects.
-	 */
-	if (rbtdb->heaps != NULL) {
-		for (i = 0; i < rbtdb->node_lock_count; i++)
-			isc_heap_destroy(&rbtdb->heaps[i]);
-		isc_mem_put(rbtdb->hmctx, rbtdb->heaps,
-			    rbtdb->node_lock_count * sizeof(isc_heap_t *));
-	}
-
-	if (rbtdb->rrsetstats != NULL)
-		dns_stats_detach(&rbtdb->rrsetstats);
-
-#ifdef BIND9
-	if (rbtdb->rpz_cidr != NULL)
-		dns_rpz_cidr_free(&rbtdb->rpz_cidr);
-#endif
-
-	isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
-		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
-	isc_rwlock_destroy(&rbtdb->tree_lock);
-	isc_refcount_destroy(&rbtdb->references);
-	if (rbtdb->task != NULL)
-		isc_task_detach(&rbtdb->task);
-
-	RBTDB_DESTROYLOCK(&rbtdb->lock);
-	rbtdb->common.magic = 0;
-	rbtdb->common.impmagic = 0;
-	ondest = rbtdb->common.ondest;
-	isc_mem_detach(&rbtdb->hmctx);
-	isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb));
-	isc_ondestroy_notify(&ondest, rbtdb);
-}
-
-static inline void
-maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
-	isc_boolean_t want_free = ISC_FALSE;
-	unsigned int i;
-	unsigned int inactive = 0;
-
-	/* XXX check for open versions here */
-
-	if (rbtdb->soanode != NULL)
-		dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->soanode);
-	if (rbtdb->nsnode != NULL)
-		dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->nsnode);
-
-	/*
-	 * Even though there are no external direct references, there still
-	 * may be nodes in use.
-	 */
-	for (i = 0; i < rbtdb->node_lock_count; i++) {
-		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
-		rbtdb->node_locks[i].exiting = ISC_TRUE;
-		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
-		if (isc_refcount_current(&rbtdb->node_locks[i].references)
-		    == 0) {
-			inactive++;
-		}
-	}
-
-	if (inactive != 0) {
-		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
-		rbtdb->active -= inactive;
-		if (rbtdb->active == 0)
-			want_free = ISC_TRUE;
-		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
-		if (want_free) {
-			char buf[DNS_NAME_FORMATSIZE];
-			if (dns_name_dynamic(&rbtdb->common.origin))
-				dns_name_format(&rbtdb->common.origin, buf,
-						sizeof(buf));
-			else
-				strcpy(buf, "<UNKNOWN>");
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
-				      "calling free_rbtdb(%s)", buf);
-			free_rbtdb(rbtdb, ISC_TRUE, NULL);
-		}
-	}
-}
-
-static void
-detach(dns_db_t **dbp) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(*dbp);
-	unsigned int refs;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	isc_refcount_decrement(&rbtdb->references, &refs);
-
-	if (refs == 0)
-		maybe_free_rbtdb(rbtdb);
-
-	*dbp = NULL;
-}
-
-static void
-currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	rbtdb_version_t *version;
-	unsigned int refs;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
-	version = rbtdb->current_version;
-	isc_refcount_increment(&version->references, &refs);
-	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
-
-	*versionp = (dns_dbversion_t *)version;
-}
-
-static inline rbtdb_version_t *
-allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
-		 unsigned int references, isc_boolean_t writer)
-{
-	isc_result_t result;
-	rbtdb_version_t *version;
-
-	version = isc_mem_get(mctx, sizeof(*version));
-	if (version == NULL)
-		return (NULL);
-	version->serial = serial;
-	result = isc_refcount_init(&version->references, references);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, version, sizeof(*version));
-		return (NULL);
-	}
-	version->writer = writer;
-	version->commit_ok = ISC_FALSE;
-	ISC_LIST_INIT(version->changed_list);
-	ISC_LIST_INIT(version->resigned_list);
-	ISC_LINK_INIT(version, link);
-
-	return (version);
-}
-
-static isc_result_t
-newversion(dns_db_t *db, dns_dbversion_t **versionp) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	rbtdb_version_t *version;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(versionp != NULL && *versionp == NULL);
-	REQUIRE(rbtdb->future_version == NULL);
-
-	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
-	RUNTIME_CHECK(rbtdb->next_serial != 0);         /* XXX Error? */
-	version = allocate_version(rbtdb->common.mctx, rbtdb->next_serial, 1,
-				   ISC_TRUE);
-	if (version != NULL) {
-		version->rbtdb = rbtdb;
-		version->commit_ok = ISC_TRUE;
-		version->secure = rbtdb->current_version->secure;
-		version->havensec3 = rbtdb->current_version->havensec3;
-		if (version->havensec3) {
-			version->flags = rbtdb->current_version->flags;
-			version->iterations =
-				rbtdb->current_version->iterations;
-			version->hash = rbtdb->current_version->hash;
-			version->salt_length =
-				rbtdb->current_version->salt_length;
-			memcpy(version->salt, rbtdb->current_version->salt,
-			       version->salt_length);
-		} else {
-			version->flags = 0;
-			version->iterations = 0;
-			version->hash = 0;
-			version->salt_length = 0;
-			memset(version->salt, 0, sizeof(version->salt));
-		}
-		rbtdb->next_serial++;
-		rbtdb->future_version = version;
-	}
-	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
-
-	if (version == NULL)
-		return (ISC_R_NOMEMORY);
-
-	*versionp = version;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-attachversion(dns_db_t *db, dns_dbversion_t *source,
-	      dns_dbversion_t **targetp)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	rbtdb_version_t *rbtversion = source;
-	unsigned int refs;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	INSIST(rbtversion != NULL && rbtversion->rbtdb == rbtdb);
-
-	isc_refcount_increment(&rbtversion->references, &refs);
-	INSIST(refs > 1);
-
-	*targetp = rbtversion;
-}
-
-static rbtdb_changed_t *
-add_changed(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
-	    dns_rbtnode_t *node)
-{
-	rbtdb_changed_t *changed;
-	unsigned int refs;
-
-	/*
-	 * Caller must be holding the node lock if its reference must be
-	 * protected by the lock.
-	 */
-
-	changed = isc_mem_get(rbtdb->common.mctx, sizeof(*changed));
-
-	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
-
-	REQUIRE(version->writer);
-
-	if (changed != NULL) {
-		dns_rbtnode_refincrement(node, &refs);
-		INSIST(refs != 0);
-		changed->node = node;
-		changed->dirty = ISC_FALSE;
-		ISC_LIST_INITANDAPPEND(version->changed_list, changed, link);
-	} else
-		version->commit_ok = ISC_FALSE;
-
-	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
-
-	return (changed);
-}
-
-static void
-free_acachearray(isc_mem_t *mctx, rdatasetheader_t *header,
-		 acachectl_t *array)
-{
-	unsigned int count;
-	unsigned int i;
-	unsigned char *raw;     /* RDATASLAB */
-
-	/*
-	 * The caller must be holding the corresponding node lock.
-	 */
-
-	if (array == NULL)
-		return;
-
-	raw = (unsigned char *)header + sizeof(*header);
-	count = raw[0] * 256 + raw[1];
-
-	/*
-	 * Sanity check: since an additional cache entry has a reference to
-	 * the original DB node (in the callback arg), there should be no
-	 * acache entries when the node can be freed.
-	 */
-	for (i = 0; i < count; i++)
-		INSIST(array[i].entry == NULL && array[i].cbarg == NULL);
-
-	isc_mem_put(mctx, array, count * sizeof(acachectl_t));
-}
-
-static inline void
-free_noqname(isc_mem_t *mctx, struct noqname **noqname) {
-
-	if (dns_name_dynamic(&(*noqname)->name))
-		dns_name_free(&(*noqname)->name, mctx);
-	if ((*noqname)->neg != NULL)
-		isc_mem_put(mctx, (*noqname)->neg,
-			    dns_rdataslab_size((*noqname)->neg, 0));
-	if ((*noqname)->negsig != NULL)
-		isc_mem_put(mctx, (*noqname)->negsig,
-			    dns_rdataslab_size((*noqname)->negsig, 0));
-	isc_mem_put(mctx, *noqname, sizeof(**noqname));
-	*noqname = NULL;
-}
-
-static inline void
-init_rdataset(dns_rbtdb_t *rbtdb, rdatasetheader_t *h)
-{
-	ISC_LINK_INIT(h, link);
-	h->heap_index = 0;
-
-#if TRACE_HEADER
-	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
-		fprintf(stderr, "initialized header: %p\n", h);
-#else
-	UNUSED(rbtdb);
-#endif
-}
-
-static inline rdatasetheader_t *
-new_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx)
-{
-	rdatasetheader_t *h;
-
-	h = isc_mem_get(mctx, sizeof(*h));
-	if (h == NULL)
-		return (NULL);
-
-#if TRACE_HEADER
-	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
-		fprintf(stderr, "allocated header: %p\n", h);
-#endif
-	init_rdataset(rbtdb, h);
-	return (h);
-}
-
-static inline void
-free_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *rdataset)
-{
-	unsigned int size;
-	int idx;
-
-	if (EXISTS(rdataset) &&
-	    (rdataset->attributes & RDATASET_ATTR_STATCOUNT) != 0) {
-		update_rrsetstats(rbtdb, rdataset, ISC_FALSE);
-	}
-
-	idx = rdataset->node->locknum;
-	if (ISC_LINK_LINKED(rdataset, link)) {
-		INSIST(IS_CACHE(rbtdb));
-		ISC_LIST_UNLINK(rbtdb->rdatasets[idx], rdataset, link);
-	}
-	if (rdataset->heap_index != 0)
-		isc_heap_delete(rbtdb->heaps[idx], rdataset->heap_index);
-	rdataset->heap_index = 0;
-
-	if (rdataset->noqname != NULL)
-		free_noqname(mctx, &rdataset->noqname);
-	if (rdataset->closest != NULL)
-		free_noqname(mctx, &rdataset->closest);
-
-	free_acachearray(mctx, rdataset, rdataset->additional_auth);
-	free_acachearray(mctx, rdataset, rdataset->additional_glue);
-
-	if ((rdataset->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
-		size = sizeof(*rdataset);
-	else
-		size = dns_rdataslab_size((unsigned char *)rdataset,
-					  sizeof(*rdataset));
-	isc_mem_put(mctx, rdataset, size);
-}
-
-static inline void
-rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
-	rdatasetheader_t *header, *dcurrent;
-	isc_boolean_t make_dirty = ISC_FALSE;
-
-	/*
-	 * Caller must hold the node lock.
-	 */
-
-	/*
-	 * We set the IGNORE attribute on rdatasets with serial number
-	 * 'serial'.  When the reference count goes to zero, these rdatasets
-	 * will be cleaned up; until that time, they will be ignored.
-	 */
-	for (header = node->data; header != NULL; header = header->next) {
-		if (header->serial == serial) {
-			header->attributes |= RDATASET_ATTR_IGNORE;
-			make_dirty = ISC_TRUE;
-		}
-		for (dcurrent = header->down;
-		     dcurrent != NULL;
-		     dcurrent = dcurrent->down) {
-			if (dcurrent->serial == serial) {
-				dcurrent->attributes |= RDATASET_ATTR_IGNORE;
-				make_dirty = ISC_TRUE;
-			}
-		}
-	}
-	if (make_dirty)
-		node->dirty = 1;
-}
-
-static inline void
-clean_stale_headers(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *top)
-{
-	rdatasetheader_t *d, *down_next;
-
-	for (d = top->down; d != NULL; d = down_next) {
-		down_next = d->down;
-		free_rdataset(rbtdb, mctx, d);
-	}
-	top->down = NULL;
-}
-
-static inline void
-clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
-	rdatasetheader_t *current, *top_prev, *top_next;
-	isc_mem_t *mctx = rbtdb->common.mctx;
-
-	/*
-	 * Caller must be holding the node lock.
-	 */
-
-	top_prev = NULL;
-	for (current = node->data; current != NULL; current = top_next) {
-		top_next = current->next;
-		clean_stale_headers(rbtdb, mctx, current);
-		/*
-		 * If current is nonexistent or stale, we can clean it up.
-		 */
-		if ((current->attributes &
-		     (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0) {
-			if (top_prev != NULL)
-				top_prev->next = current->next;
-			else
-				node->data = current->next;
-			free_rdataset(rbtdb, mctx, current);
-		} else
-			top_prev = current;
-	}
-	node->dirty = 0;
-}
-
-static inline void
-clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
-		rbtdb_serial_t least_serial)
-{
-	rdatasetheader_t *current, *dcurrent, *down_next, *dparent;
-	rdatasetheader_t *top_prev, *top_next;
-	isc_mem_t *mctx = rbtdb->common.mctx;
-	isc_boolean_t still_dirty = ISC_FALSE;
-
-	/*
-	 * Caller must be holding the node lock.
-	 */
-	REQUIRE(least_serial != 0);
-
-	top_prev = NULL;
-	for (current = node->data; current != NULL; current = top_next) {
-		top_next = current->next;
-
-		/*
-		 * First, we clean up any instances of multiple rdatasets
-		 * with the same serial number, or that have the IGNORE
-		 * attribute.
-		 */
-		dparent = current;
-		for (dcurrent = current->down;
-		     dcurrent != NULL;
-		     dcurrent = down_next) {
-			down_next = dcurrent->down;
-			INSIST(dcurrent->serial <= dparent->serial);
-			if (dcurrent->serial == dparent->serial ||
-			    IGNORE(dcurrent)) {
-				if (down_next != NULL)
-					down_next->next = dparent;
-				dparent->down = down_next;
-				free_rdataset(rbtdb, mctx, dcurrent);
-			} else
-				dparent = dcurrent;
-		}
-
-		/*
-		 * We've now eliminated all IGNORE datasets with the possible
-		 * exception of current, which we now check.
-		 */
-		if (IGNORE(current)) {
-			down_next = current->down;
-			if (down_next == NULL) {
-				if (top_prev != NULL)
-					top_prev->next = current->next;
-				else
-					node->data = current->next;
-				free_rdataset(rbtdb, mctx, current);
-				/*
-				 * current no longer exists, so we can
-				 * just continue with the loop.
-				 */
-				continue;
-			} else {
-				/*
-				 * Pull up current->down, making it the new
-				 * current.
-				 */
-				if (top_prev != NULL)
-					top_prev->next = down_next;
-				else
-					node->data = down_next;
-				down_next->next = top_next;
-				free_rdataset(rbtdb, mctx, current);
-				current = down_next;
-			}
-		}
-
-		/*
-		 * We now try to find the first down node less than the
-		 * least serial.
-		 */
-		dparent = current;
-		for (dcurrent = current->down;
-		     dcurrent != NULL;
-		     dcurrent = down_next) {
-			down_next = dcurrent->down;
-			if (dcurrent->serial < least_serial)
-				break;
-			dparent = dcurrent;
-		}
-
-		/*
-		 * If there is a such an rdataset, delete it and any older
-		 * versions.
-		 */
-		if (dcurrent != NULL) {
-			do {
-				down_next = dcurrent->down;
-				INSIST(dcurrent->serial <= least_serial);
-				free_rdataset(rbtdb, mctx, dcurrent);
-				dcurrent = down_next;
-			} while (dcurrent != NULL);
-			dparent->down = NULL;
-		}
-
-		/*
-		 * Note.  The serial number of 'current' might be less than
-		 * least_serial too, but we cannot delete it because it is
-		 * the most recent version, unless it is a NONEXISTENT
-		 * rdataset.
-		 */
-		if (current->down != NULL) {
-			still_dirty = ISC_TRUE;
-			top_prev = current;
-		} else {
-			/*
-			 * If this is a NONEXISTENT rdataset, we can delete it.
-			 */
-			if (NONEXISTENT(current)) {
-				if (top_prev != NULL)
-					top_prev->next = current->next;
-				else
-					node->data = current->next;
-				free_rdataset(rbtdb, mctx, current);
-			} else
-				top_prev = current;
-		}
-	}
-	if (!still_dirty)
-		node->dirty = 0;
-}
-
-static void
-delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node)
-{
-	dns_rbtnode_t *nsecnode;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	isc_result_t result = ISC_R_UNEXPECTED;
-
-	INSIST(!ISC_LINK_LINKED(node, deadlink));
-
-	switch (node->nsec) {
-	case DNS_RBT_NSEC_NORMAL:
-#ifdef BIND9
-		if (rbtdb->rpz_cidr != NULL) {
-			dns_fixedname_init(&fname);
-			name = dns_fixedname_name(&fname);
-			dns_rbt_fullnamefromnode(node, name);
-			dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name);
-		}
-#endif
-		result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
-		break;
-	case DNS_RBT_NSEC_HAS_NSEC:
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		dns_rbt_fullnamefromnode(node, name);
-		/*
-		 * Delete the corresponding node from the auxiliary NSEC
-		 * tree before deleting from the main tree.
-		 */
-		nsecnode = NULL;
-		result = dns_rbt_findnode(rbtdb->nsec, name, NULL, &nsecnode,
-					  NULL, DNS_RBTFIND_EMPTYDATA,
-					  NULL, NULL);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
-				      "delete_node: "
-				      "dns_rbt_findnode(nsec): %s",
-				      isc_result_totext(result));
-		} else {
-			result = dns_rbt_deletenode(rbtdb->nsec, nsecnode,
-						    ISC_FALSE);
-			if (result != ISC_R_SUCCESS) {
-				isc_log_write(dns_lctx,
-					      DNS_LOGCATEGORY_DATABASE,
-					      DNS_LOGMODULE_CACHE,
-					      ISC_LOG_WARNING,
-					      "delete_node(): "
-					      "dns_rbt_deletenode(nsecnode): %s",
-					      isc_result_totext(result));
-			}
-		}
-#ifdef BIND9
-		if (rbtdb->rpz_cidr != NULL)
-			dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name);
-#endif
-		result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
-		break;
-	case DNS_RBT_NSEC_NSEC:
-		result = dns_rbt_deletenode(rbtdb->nsec, node, ISC_FALSE);
-		break;
-	case DNS_RBT_NSEC_NSEC3:
-		result = dns_rbt_deletenode(rbtdb->nsec3, node, ISC_FALSE);
-		break;
-	}
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx,
-			      DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_CACHE,
-			      ISC_LOG_WARNING,
-			      "delete_cnode(): "
-			      "dns_rbt_deletenode: %s",
-			      isc_result_totext(result));
-	}
-}
-
-/*%
- * Clean up dead nodes.  These are nodes which have no references, and
- * have no data.  They are dead but we could not or chose not to delete
- * them when we deleted all the data at that node because we did not want
- * to wait for the tree write lock.
- *
- * The caller must hold a tree write lock and bucketnum'th node (write) lock.
- */
-static void
-cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
-	dns_rbtnode_t *node;
-	int count = 10;         /* XXXJT: should be adjustable */
-
-	node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
-	while (node != NULL && count > 0) {
-		ISC_LIST_UNLINK(rbtdb->deadnodes[bucketnum], node, deadlink);
-
-		/*
-		 * Since we're holding a tree write lock, it should be
-		 * impossible for this node to be referenced by others.
-		 */
-		INSIST(dns_rbtnode_refcurrent(node) == 0 &&
-		       node->data == NULL);
-
-		delete_node(rbtdb, node);
-
-		node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
-		count--;
-	}
-}
-
-/*
- * Caller must be holding the node lock.
- */
-static inline void
-new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
-	unsigned int lockrefs, noderefs;
-	isc_refcount_t *lockref;
-
-	INSIST(!ISC_LINK_LINKED(node, deadlink));
-	dns_rbtnode_refincrement0(node, &noderefs);
-	if (noderefs == 1) {    /* this is the first reference to the node */
-		lockref = &rbtdb->node_locks[node->locknum].references;
-		isc_refcount_increment0(lockref, &lockrefs);
-		INSIST(lockrefs != 0);
-	}
-	INSIST(noderefs != 0);
-}
-
-/*
- * This function is assumed to be called when a node is newly referenced
- * and can be in the deadnode list.  In that case the node must be retrieved
- * from the list because it is going to be used.  In addition, if the caller
- * happens to hold a write lock on the tree, it's a good chance to purge dead
- * nodes.
- * Note: while a new reference is gained in multiple places, there are only very
- * few cases where the node can be in the deadnode list (only empty nodes can
- * have been added to the list).
- */
-static inline void
-reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
-		isc_rwlocktype_t treelocktype)
-{
-	isc_rwlocktype_t locktype = isc_rwlocktype_read;
-	nodelock_t *nodelock = &rbtdb->node_locks[node->locknum].lock;
-	isc_boolean_t maybe_cleanup = ISC_FALSE;
-
-	POST(locktype);
-
-	NODE_STRONGLOCK(nodelock);
-	NODE_WEAKLOCK(nodelock, locktype);
-
-	/*
-	 * Check if we can possibly cleanup the dead node.  If so, upgrade
-	 * the node lock below to perform the cleanup.
-	 */
-	if (!ISC_LIST_EMPTY(rbtdb->deadnodes[node->locknum]) &&
-	    treelocktype == isc_rwlocktype_write) {
-		maybe_cleanup = ISC_TRUE;
-	}
-
-	if (ISC_LINK_LINKED(node, deadlink) || maybe_cleanup) {
-		/*
-		 * Upgrade the lock and test if we still need to unlink.
-		 */
-		NODE_WEAKUNLOCK(nodelock, locktype);
-		locktype = isc_rwlocktype_write;
-		POST(locktype);
-		NODE_WEAKLOCK(nodelock, locktype);
-		if (ISC_LINK_LINKED(node, deadlink))
-			ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum],
-					node, deadlink);
-		if (maybe_cleanup)
-			cleanup_dead_nodes(rbtdb, node->locknum);
-	}
-
-	new_reference(rbtdb, node);
-
-	NODE_WEAKUNLOCK(nodelock, locktype);
-	NODE_STRONGUNLOCK(nodelock);
-}
-
-/*
- * Caller must be holding the node lock; either the "strong", read or write
- * lock.  Note that the lock must be held even when node references are
- * atomically modified; in that case the decrement operation itself does not
- * have to be protected, but we must avoid a race condition where multiple
- * threads are decreasing the reference to zero simultaneously and at least
- * one of them is going to free the node.
- * This function returns ISC_TRUE if and only if the node reference decreases
- * to zero.
- */
-static isc_boolean_t
-decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
-		    rbtdb_serial_t least_serial,
-		    isc_rwlocktype_t nlock, isc_rwlocktype_t tlock,
-		    isc_boolean_t pruning)
-{
-	isc_result_t result;
-	isc_boolean_t write_locked;
-	rbtdb_nodelock_t *nodelock;
-	unsigned int refs, nrefs;
-	int bucket = node->locknum;
-	isc_boolean_t no_reference = ISC_TRUE;
-
-	nodelock = &rbtdb->node_locks[bucket];
-
-	/* Handle easy and typical case first. */
-	if (!node->dirty && (node->data != NULL || node->down != NULL)) {
-		dns_rbtnode_refdecrement(node, &nrefs);
-		INSIST((int)nrefs >= 0);
-		if (nrefs == 0) {
-			isc_refcount_decrement(&nodelock->references, &refs);
-			INSIST((int)refs >= 0);
-		}
-		return ((nrefs == 0) ? ISC_TRUE : ISC_FALSE);
-	}
-
-	/* Upgrade the lock? */
-	if (nlock == isc_rwlocktype_read) {
-		NODE_WEAKUNLOCK(&nodelock->lock, isc_rwlocktype_read);
-		NODE_WEAKLOCK(&nodelock->lock, isc_rwlocktype_write);
-	}
-
-	dns_rbtnode_refdecrement(node, &nrefs);
-	INSIST((int)nrefs >= 0);
-	if (nrefs > 0) {
-		/* Restore the lock? */
-		if (nlock == isc_rwlocktype_read)
-			NODE_WEAKDOWNGRADE(&nodelock->lock);
-		return (ISC_FALSE);
-	}
-
-	if (node->dirty) {
-		if (IS_CACHE(rbtdb))
-			clean_cache_node(rbtdb, node);
-		else {
-			if (least_serial == 0) {
-				/*
-				 * Caller doesn't know the least serial.
-				 * Get it.
-				 */
-				RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
-				least_serial = rbtdb->least_serial;
-				RBTDB_UNLOCK(&rbtdb->lock,
-					     isc_rwlocktype_read);
-			}
-			clean_zone_node(rbtdb, node, least_serial);
-		}
-	}
-
-	/*
-	 * Attempt to switch to a write lock on the tree.  If this fails,
-	 * we will add this node to a linked list of nodes in this locking
-	 * bucket which we will free later.
-	 */
-	if (tlock != isc_rwlocktype_write) {
-		/*
-		 * Locking hierarchy notwithstanding, we don't need to free
-		 * the node lock before acquiring the tree write lock because
-		 * we only do a trylock.
-		 */
-		if (tlock == isc_rwlocktype_read)
-			result = isc_rwlock_tryupgrade(&rbtdb->tree_lock);
-		else
-			result = isc_rwlock_trylock(&rbtdb->tree_lock,
-						    isc_rwlocktype_write);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS ||
-			      result == ISC_R_LOCKBUSY);
-
-		write_locked = ISC_TF(result == ISC_R_SUCCESS);
-	} else
-		write_locked = ISC_TRUE;
-
-	isc_refcount_decrement(&nodelock->references, &refs);
-	INSIST((int)refs >= 0);
-
-	/*
-	 * XXXDCL should this only be done for cache zones?
-	 */
-	if (node->data != NULL || node->down != NULL)
-		goto restore_locks;
-
-	if (write_locked) {
-		/*
-		 * We can now delete the node.
-		 */
-
-		/*
-		 * If this node is the only one in the level it's in, deleting
-		 * this node may recursively make its parent the only node in
-		 * the parent level; if so, and if no one is currently using
-		 * the parent node, this is almost the only opportunity to
-		 * clean it up.  But the recursive cleanup is not that trivial
-		 * since the child and parent may be in different lock buckets,
-		 * which would cause a lock order reversal problem.  To avoid
-		 * the trouble, we'll dispatch a separate event for batch
-		 * cleaning.  We need to check whether we're deleting the node
-		 * as a result of pruning to avoid infinite dispatching.
-		 * Note: pruning happens only when a task has been set for the
-		 * rbtdb.  If the user of the rbtdb chooses not to set a task,
-		 * it's their responsibility to purge stale leaves (e.g. by
-		 * periodic walk-through).
-		 */
-		if (!pruning && node->parent != NULL &&
-		    node->parent->down == node && node->left == NULL &&
-		    node->right == NULL && rbtdb->task != NULL) {
-			isc_event_t *ev;
-			dns_db_t *db;
-
-			ev = isc_event_allocate(rbtdb->common.mctx, NULL,
-						DNS_EVENT_RBTPRUNE,
-						prune_tree, node,
-						sizeof(isc_event_t));
-			if (ev != NULL) {
-				new_reference(rbtdb, node);
-				db = NULL;
-				attach((dns_db_t *)rbtdb, &db);
-				ev->ev_sender = db;
-				isc_task_send(rbtdb->task, &ev);
-				no_reference = ISC_FALSE;
-			} else {
-				/*
-				 * XXX: this is a weird situation.  We could
-				 * ignore this error case, but then the stale
-				 * node will unlikely be purged except via a
-				 * rare condition such as manual cleanup.  So
-				 * we queue it in the deadnodes list, hoping
-				 * the memory shortage is temporary and the node
-				 * will be deleted later.
-				 */
-				isc_log_write(dns_lctx,
-					      DNS_LOGCATEGORY_DATABASE,
-					      DNS_LOGMODULE_CACHE,
-					      ISC_LOG_INFO,
-					      "decrement_reference: failed to "
-					      "allocate pruning event");
-				INSIST(node->data == NULL);
-				INSIST(!ISC_LINK_LINKED(node, deadlink));
-				ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node,
-						deadlink);
-			}
-		} else {
-			if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
-				char printname[DNS_NAME_FORMATSIZE];
-
-				isc_log_write(dns_lctx,
-					      DNS_LOGCATEGORY_DATABASE,
-					      DNS_LOGMODULE_CACHE,
-					      ISC_LOG_DEBUG(1),
-					      "decrement_reference: "
-					      "delete from rbt: %p %s",
-					      node,
-					      dns_rbt_formatnodename(node,
-							printname,
-							sizeof(printname)));
-			}
-
-			delete_node(rbtdb, node);
-		}
-	} else {
-		INSIST(node->data == NULL);
-		INSIST(!ISC_LINK_LINKED(node, deadlink));
-		ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink);
-	}
-
- restore_locks:
-	/* Restore the lock? */
-	if (nlock == isc_rwlocktype_read)
-		NODE_WEAKDOWNGRADE(&nodelock->lock);
-
-	/*
-	 * Relock a read lock, or unlock the write lock if no lock was held.
-	 */
-	if (tlock == isc_rwlocktype_none)
-		if (write_locked)
-			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-
-	if (tlock == isc_rwlocktype_read)
-		if (write_locked)
-			isc_rwlock_downgrade(&rbtdb->tree_lock);
-
-	return (no_reference);
-}
-
-/*
- * Prune the tree by recursively cleaning-up single leaves.  In the worst
- * case, the number of iteration is the number of tree levels, which is at
- * most the maximum number of domain name labels, i.e, 127.  In practice, this
- * should be much smaller (only a few times), and even the worst case would be
- * acceptable for a single event.
- */
-static void
-prune_tree(isc_task_t *task, isc_event_t *event) {
-	dns_rbtdb_t *rbtdb = event->ev_sender;
-	dns_rbtnode_t *node = event->ev_arg;
-	dns_rbtnode_t *parent;
-	unsigned int locknum;
-
-	UNUSED(task);
-
-	isc_event_free(&event);
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-	locknum = node->locknum;
-	NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
-	do {
-		parent = node->parent;
-		decrement_reference(rbtdb, node, 0, isc_rwlocktype_write,
-				    isc_rwlocktype_write, ISC_TRUE);
-
-		if (parent != NULL && parent->down == NULL) {
-			/*
-			 * node was the only down child of the parent and has
-			 * just been removed.  We'll then need to examine the
-			 * parent.  Keep the lock if possible; otherwise,
-			 * release the old lock and acquire one for the parent.
-			 */
-			if (parent->locknum != locknum) {
-				NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
-					    isc_rwlocktype_write);
-				locknum = parent->locknum;
-				NODE_LOCK(&rbtdb->node_locks[locknum].lock,
-					  isc_rwlocktype_write);
-			}
-
-			/*
-			 * We need to gain a reference to the node before
-			 * decrementing it in the next iteration.  In addition,
-			 * if the node is in the dead-nodes list, extract it
-			 * from the list beforehand as we do in
-			 * reactivate_node().
-			 */
-			if (ISC_LINK_LINKED(parent, deadlink))
-				ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
-						parent, deadlink);
-			new_reference(rbtdb, parent);
-		} else
-			parent = NULL;
-
-		node = parent;
-	} while (node != NULL);
-	NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-
-	detach((dns_db_t **)&rbtdb);
-}
-
-static inline void
-make_least_version(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
-		   rbtdb_changedlist_t *cleanup_list)
-{
-	/*
-	 * Caller must be holding the database lock.
-	 */
-
-	rbtdb->least_serial = version->serial;
-	*cleanup_list = version->changed_list;
-	ISC_LIST_INIT(version->changed_list);
-}
-
-static inline void
-cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
-	rbtdb_changed_t *changed, *next_changed;
-
-	/*
-	 * If the changed record is dirty, then
-	 * an update created multiple versions of
-	 * a given rdataset.  We keep this list
-	 * until we're the least open version, at
-	 * which point it's safe to get rid of any
-	 * older versions.
-	 *
-	 * If the changed record isn't dirty, then
-	 * we don't need it anymore since we're
-	 * committing and not rolling back.
-	 *
-	 * The caller must be holding the database lock.
-	 */
-	for (changed = HEAD(version->changed_list);
-	     changed != NULL;
-	     changed = next_changed) {
-		next_changed = NEXT(changed, link);
-		if (!changed->dirty) {
-			UNLINK(version->changed_list,
-			       changed, link);
-			APPEND(*cleanup_list,
-			       changed, link);
-		}
-	}
-}
-
-static void
-iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
-#ifndef BIND9
-	UNUSED(db);
-	UNUSED(version);
-	UNUSED(origin);
-
-	return;
-#else
-	dns_rdataset_t keyset;
-	dns_rdataset_t nsecset, signsecset;
-	isc_boolean_t haszonekey = ISC_FALSE;
-	isc_boolean_t hasnsec = ISC_FALSE;
-	isc_result_t result;
-
-	dns_rdataset_init(&keyset);
-	result = dns_db_findrdataset(db, origin, version, dns_rdatatype_dnskey,
-				     0, 0, &keyset, NULL);
-	if (result == ISC_R_SUCCESS) {
-		result = dns_rdataset_first(&keyset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdata_t keyrdata = DNS_RDATA_INIT;
-			dns_rdataset_current(&keyset, &keyrdata);
-			if (dns_zonekey_iszonekey(&keyrdata)) {
-				haszonekey = ISC_TRUE;
-				break;
-			}
-			result = dns_rdataset_next(&keyset);
-		}
-		dns_rdataset_disassociate(&keyset);
-	}
-	if (!haszonekey) {
-		version->secure = dns_db_insecure;
-		version->havensec3 = ISC_FALSE;
-		return;
-	}
-
-	dns_rdataset_init(&nsecset);
-	dns_rdataset_init(&signsecset);
-	result = dns_db_findrdataset(db, origin, version, dns_rdatatype_nsec,
-				     0, 0, &nsecset, &signsecset);
-	if (result == ISC_R_SUCCESS) {
-		if (dns_rdataset_isassociated(&signsecset)) {
-			hasnsec = ISC_TRUE;
-			dns_rdataset_disassociate(&signsecset);
-		}
-		dns_rdataset_disassociate(&nsecset);
-	}
-
-	setnsec3parameters(db, version);
-
-	/*
-	 * Do we have a valid NSEC/NSEC3 chain?
-	 */
-	if (version->havensec3 || hasnsec)
-		version->secure = dns_db_secure;
-	else
-		version->secure = dns_db_insecure;
-#endif
-}
-
-/*%<
- * Walk the origin node looking for NSEC3PARAM records.
- * Cache the nsec3 parameters.
- */
-#ifdef BIND9
-static void
-setnsec3parameters(dns_db_t *db, rbtdb_version_t *version) {
-	dns_rbtnode_t *node;
-	dns_rdata_nsec3param_t nsec3param;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_region_t region;
-	isc_result_t result;
-	rdatasetheader_t *header, *header_next;
-	unsigned char *raw;             /* RDATASLAB */
-	unsigned int count, length;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-	version->havensec3 = ISC_FALSE;
-	node = rbtdb->origin_node;
-	NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
-		  isc_rwlocktype_read);
-	for (header = node->data;
-	     header != NULL;
-	     header = header_next) {
-		header_next = header->next;
-		do {
-			if (header->serial <= version->serial &&
-			    !IGNORE(header)) {
-				if (NONEXISTENT(header))
-					header = NULL;
-				break;
-			} else
-				header = header->down;
-		} while (header != NULL);
-
-		if (header != NULL &&
-		    (header->type == dns_rdatatype_nsec3param)) {
-			/*
-			 * Find A NSEC3PARAM with a supported algorithm.
-			 */
-			raw = (unsigned char *)header + sizeof(*header);
-			count = raw[0] * 256 + raw[1]; /* count */
-#if DNS_RDATASET_FIXED
-			raw += count * 4 + 2;
-#else
-			raw += 2;
-#endif
-			while (count-- > 0U) {
-				length = raw[0] * 256 + raw[1];
-#if DNS_RDATASET_FIXED
-				raw += 4;
-#else
-				raw += 2;
-#endif
-				region.base = raw;
-				region.length = length;
-				raw += length;
-				dns_rdata_fromregion(&rdata,
-						     rbtdb->common.rdclass,
-						     dns_rdatatype_nsec3param,
-						     &region);
-				result = dns_rdata_tostruct(&rdata,
-							    &nsec3param,
-							    NULL);
-				INSIST(result == ISC_R_SUCCESS);
-				dns_rdata_reset(&rdata);
-
-				if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG &&
-				    !dns_nsec3_supportedhash(nsec3param.hash))
-					continue;
-
-				if (nsec3param.flags != 0)
-					continue;
-
-				memcpy(version->salt, nsec3param.salt,
-				       nsec3param.salt_length);
-				version->hash = nsec3param.hash;
-				version->salt_length = nsec3param.salt_length;
-				version->iterations = nsec3param.iterations;
-				version->flags = nsec3param.flags;
-				version->havensec3 = ISC_TRUE;
-				/*
-				 * Look for a better algorithm than the
-				 * unknown test algorithm.
-				 */
-				if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG)
-					goto unlock;
-			}
-		}
-	}
- unlock:
-	NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
-		    isc_rwlocktype_read);
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-}
-#endif
-
-static void
-cleanup_dead_nodes_callback(isc_task_t *task, isc_event_t *event) {
-	dns_rbtdb_t *rbtdb = event->ev_arg;
-	isc_boolean_t again = ISC_FALSE;
-	unsigned int locknum;
-	unsigned int refs;
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-	for (locknum = 0; locknum < rbtdb->node_lock_count; locknum++) {
-		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
-			  isc_rwlocktype_write);
-		cleanup_dead_nodes(rbtdb, locknum);
-		if (ISC_LIST_HEAD(rbtdb->deadnodes[locknum]) != NULL)
-			again = ISC_TRUE;
-		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
-			    isc_rwlocktype_write);
-	}
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-	if (again)
-		isc_task_send(task, &event);
-	else {
-		isc_event_free(&event);
-		isc_refcount_decrement(&rbtdb->references, &refs);
-		if (refs == 0)
-			maybe_free_rbtdb(rbtdb);
-	}
-}
-
-static void
-closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	rbtdb_version_t *version, *cleanup_version, *least_greater;
-	isc_boolean_t rollback = ISC_FALSE;
-	rbtdb_changedlist_t cleanup_list;
-	rdatasetheaderlist_t resigned_list;
-	rbtdb_changed_t *changed, *next_changed;
-	rbtdb_serial_t serial, least_serial;
-	dns_rbtnode_t *rbtnode;
-	unsigned int refs;
-	rdatasetheader_t *header;
-	isc_boolean_t writer;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	version = (rbtdb_version_t *)*versionp;
-	INSIST(version->rbtdb == rbtdb);
-
-	cleanup_version = NULL;
-	ISC_LIST_INIT(cleanup_list);
-	ISC_LIST_INIT(resigned_list);
-
-	isc_refcount_decrement(&version->references, &refs);
-	if (refs > 0) {         /* typical and easy case first */
-		if (commit) {
-			RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
-			INSIST(!version->writer);
-			RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
-		}
-		goto end;
-	}
-
-	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
-	serial = version->serial;
-	writer = version->writer;
-	if (version->writer) {
-		if (commit) {
-			unsigned cur_ref;
-			rbtdb_version_t *cur_version;
-
-			INSIST(version->commit_ok);
-			INSIST(version == rbtdb->future_version);
-			/*
-			 * The current version is going to be replaced.
-			 * Release the (likely last) reference to it from the
-			 * DB itself and unlink it from the open list.
-			 */
-			cur_version = rbtdb->current_version;
-			isc_refcount_decrement(&cur_version->references,
-					       &cur_ref);
-			if (cur_ref == 0) {
-				if (cur_version->serial == rbtdb->least_serial)
-					INSIST(EMPTY(cur_version->changed_list));
-				UNLINK(rbtdb->open_versions,
-				       cur_version, link);
-			}
-			if (EMPTY(rbtdb->open_versions)) {
-				/*
-				 * We're going to become the least open
-				 * version.
-				 */
-				make_least_version(rbtdb, version,
-						   &cleanup_list);
-			} else {
-				/*
-				 * Some other open version is the
-				 * least version.  We can't cleanup
-				 * records that were changed in this
-				 * version because the older versions
-				 * may still be in use by an open
-				 * version.
-				 *
-				 * We can, however, discard the
-				 * changed records for things that
-				 * we've added that didn't exist in
-				 * prior versions.
-				 */
-				cleanup_nondirty(version, &cleanup_list);
-			}
-			/*
-			 * If the (soon to be former) current version
-			 * isn't being used by anyone, we can clean
-			 * it up.
-			 */
-			if (cur_ref == 0) {
-				cleanup_version = cur_version;
-				APPENDLIST(version->changed_list,
-					   cleanup_version->changed_list,
-					   link);
-			}
-			/*
-			 * Become the current version.
-			 */
-			version->writer = ISC_FALSE;
-			rbtdb->current_version = version;
-			rbtdb->current_serial = version->serial;
-			rbtdb->future_version = NULL;
-
-			/*
-			 * Keep the current version in the open list, and
-			 * gain a reference for the DB itself (see the DB
-			 * creation function below).  This must be the only
-			 * case where we need to increment the counter from
-			 * zero and need to use isc_refcount_increment0().
-			 */
-			isc_refcount_increment0(&version->references,
-						&cur_ref);
-			INSIST(cur_ref == 1);
-			PREPEND(rbtdb->open_versions,
-				rbtdb->current_version, link);
-			resigned_list = version->resigned_list;
-			ISC_LIST_INIT(version->resigned_list);
-		} else {
-			/*
-			 * We're rolling back this transaction.
-			 */
-			cleanup_list = version->changed_list;
-			ISC_LIST_INIT(version->changed_list);
-			resigned_list = version->resigned_list;
-			ISC_LIST_INIT(version->resigned_list);
-			rollback = ISC_TRUE;
-			cleanup_version = version;
-			rbtdb->future_version = NULL;
-		}
-	} else {
-		if (version != rbtdb->current_version) {
-			/*
-			 * There are no external or internal references
-			 * to this version and it can be cleaned up.
-			 */
-			cleanup_version = version;
-
-			/*
-			 * Find the version with the least serial
-			 * number greater than ours.
-			 */
-			least_greater = PREV(version, link);
-			if (least_greater == NULL)
-				least_greater = rbtdb->current_version;
-
-			INSIST(version->serial < least_greater->serial);
-			/*
-			 * Is this the least open version?
-			 */
-			if (version->serial == rbtdb->least_serial) {
-				/*
-				 * Yes.  Install the new least open
-				 * version.
-				 */
-				make_least_version(rbtdb,
-						   least_greater,
-						   &cleanup_list);
-			} else {
-				/*
-				 * Add any unexecuted cleanups to
-				 * those of the least greater version.
-				 */
-				APPENDLIST(least_greater->changed_list,
-					   version->changed_list,
-					   link);
-			}
-		} else if (version->serial == rbtdb->least_serial)
-			INSIST(EMPTY(version->changed_list));
-		UNLINK(rbtdb->open_versions, version, link);
-	}
-	least_serial = rbtdb->least_serial;
-	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
-
-	/*
-	 * Update the zone's secure status.
-	 */
-	if (writer && commit && !IS_CACHE(rbtdb))
-		iszonesecure(db, version, rbtdb->origin_node);
-
-	if (cleanup_version != NULL) {
-		INSIST(EMPTY(cleanup_version->changed_list));
-		isc_mem_put(rbtdb->common.mctx, cleanup_version,
-			    sizeof(*cleanup_version));
-	}
-
-	/*
-	 * Commit/rollback re-signed headers.
-	 */
-	for (header = HEAD(resigned_list);
-	     header != NULL;
-	     header = HEAD(resigned_list)) {
-		nodelock_t *lock;
-
-		ISC_LIST_UNLINK(resigned_list, header, link);
-
-		lock = &rbtdb->node_locks[header->node->locknum].lock;
-		NODE_LOCK(lock, isc_rwlocktype_write);
-		if (rollback)
-			resign_insert(rbtdb, header->node->locknum, header);
-		decrement_reference(rbtdb, header->node, least_serial,
-				    isc_rwlocktype_write, isc_rwlocktype_none,
-				    ISC_FALSE);
-		NODE_UNLOCK(lock, isc_rwlocktype_write);
-	}
-
-	if (!EMPTY(cleanup_list)) {
-		isc_event_t *event = NULL;
-		isc_rwlocktype_t tlock = isc_rwlocktype_none;
-
-		if (rbtdb->task != NULL)
-			event = isc_event_allocate(rbtdb->common.mctx, NULL,
-						   DNS_EVENT_RBTDEADNODES,
-						   cleanup_dead_nodes_callback,
-						   rbtdb, sizeof(isc_event_t));
-		if (event == NULL) {
-			/*
-			 * We acquire a tree write lock here in order to make
-			 * sure that stale nodes will be removed in
-			 * decrement_reference().  If we didn't have the lock,
-			 * those nodes could miss the chance to be removed
-			 * until the server stops.  The write lock is
-			 * expensive, but this event should be rare enough
-			 * to justify the cost.
-			 */
-			RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-			tlock = isc_rwlocktype_write;
-		}
-
-		for (changed = HEAD(cleanup_list);
-		     changed != NULL;
-		     changed = next_changed) {
-			nodelock_t *lock;
-
-			next_changed = NEXT(changed, link);
-			rbtnode = changed->node;
-			lock = &rbtdb->node_locks[rbtnode->locknum].lock;
-
-			NODE_LOCK(lock, isc_rwlocktype_write);
-			/*
-			 * This is a good opportunity to purge any dead nodes,
-			 * so use it.
-			 */
-			if (event == NULL)
-				cleanup_dead_nodes(rbtdb, rbtnode->locknum);
-
-			if (rollback)
-				rollback_node(rbtnode, serial);
-			decrement_reference(rbtdb, rbtnode, least_serial,
-					    isc_rwlocktype_write, tlock,
-					    ISC_FALSE);
-
-			NODE_UNLOCK(lock, isc_rwlocktype_write);
-
-			isc_mem_put(rbtdb->common.mctx, changed,
-				    sizeof(*changed));
-		}
-		if (event != NULL) {
-			isc_refcount_increment(&rbtdb->references, NULL);
-			isc_task_send(rbtdb->task, &event);
-		} else
-			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-	}
-
- end:
-	*versionp = NULL;
-}
-
-/*
- * Add the necessary magic for the wildcard name 'name'
- * to be found in 'rbtdb'.
- *
- * In order for wildcard matching to work correctly in
- * zone_find(), we must ensure that a node for the wildcarding
- * level exists in the database, and has its 'find_callback'
- * and 'wild' bits set.
- *
- * E.g. if the wildcard name is "*.sub.example." then we
- * must ensure that "sub.example." exists and is marked as
- * a wildcard level.
- */
-static isc_result_t
-add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) {
-	isc_result_t result;
-	dns_name_t foundname;
-	dns_offsets_t offsets;
-	unsigned int n;
-	dns_rbtnode_t *node = NULL;
-
-	dns_name_init(&foundname, offsets);
-	n = dns_name_countlabels(name);
-	INSIST(n >= 2);
-	n--;
-	dns_name_getlabelsequence(name, 1, n, &foundname);
-	result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
-	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
-		return (result);
-	if (result == ISC_R_SUCCESS)
-		node->nsec = DNS_RBT_NSEC_NORMAL;
-	node->find_callback = 1;
-	node->wild = 1;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
-	isc_result_t result;
-	dns_name_t foundname;
-	dns_offsets_t offsets;
-	unsigned int n, l, i;
-
-	dns_name_init(&foundname, offsets);
-	n = dns_name_countlabels(name);
-	l = dns_name_countlabels(&rbtdb->common.origin);
-	i = l + 1;
-	while (i < n) {
-		dns_rbtnode_t *node = NULL;     /* dummy */
-		dns_name_getlabelsequence(name, n - i, i, &foundname);
-		if (dns_name_iswildcard(&foundname)) {
-			result = add_wildcard_magic(rbtdb, &foundname);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			result = dns_rbt_addnode(rbtdb->tree, &foundname,
-						 &node);
-			if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
-				return (result);
-			if (result == ISC_R_SUCCESS)
-				node->nsec = DNS_RBT_NSEC_NORMAL;
-		}
-		i++;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-findnodeintree(dns_rbtdb_t *rbtdb, dns_rbt_t *tree, dns_name_t *name,
-	       isc_boolean_t create, dns_dbnode_t **nodep)
-{
-	dns_rbtnode_t *node = NULL;
-	dns_name_t nodename;
-	isc_result_t result;
-	isc_rwlocktype_t locktype = isc_rwlocktype_read;
-
-	INSIST(tree == rbtdb->tree || tree == rbtdb->nsec3);
-
-	dns_name_init(&nodename, NULL);
-	RWLOCK(&rbtdb->tree_lock, locktype);
-	result = dns_rbt_findnode(tree, name, NULL, &node, NULL,
-				  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
-	if (result != ISC_R_SUCCESS) {
-		RWUNLOCK(&rbtdb->tree_lock, locktype);
-		if (!create) {
-			if (result == DNS_R_PARTIALMATCH)
-				result = ISC_R_NOTFOUND;
-			return (result);
-		}
-		/*
-		 * It would be nice to try to upgrade the lock instead of
-		 * unlocking then relocking.
-		 */
-		locktype = isc_rwlocktype_write;
-		RWLOCK(&rbtdb->tree_lock, locktype);
-		node = NULL;
-		result = dns_rbt_addnode(tree, name, &node);
-		if (result == ISC_R_SUCCESS) {
-#ifdef BIND9
-			if (tree == rbtdb->tree && rbtdb->rpz_cidr != NULL) {
-				dns_fixedname_t fnamef;
-				dns_name_t *fname;
-
-				dns_fixedname_init(&fnamef);
-				fname = dns_fixedname_name(&fnamef);
-				dns_rbt_fullnamefromnode(node, fname);
-				dns_rpz_cidr_addip(rbtdb->rpz_cidr, fname);
-			}
-#endif
-			dns_rbt_namefromnode(node, &nodename);
-#ifdef DNS_RBT_USEHASH
-			node->locknum = node->hashval % rbtdb->node_lock_count;
-#else
-			node->locknum = dns_name_hash(&nodename, ISC_TRUE) %
-				rbtdb->node_lock_count;
-#endif
-			if (tree == rbtdb->tree) {
-				add_empty_wildcards(rbtdb, name);
-
-				if (dns_name_iswildcard(name)) {
-					result = add_wildcard_magic(rbtdb, name);
-					if (result != ISC_R_SUCCESS) {
-						RWUNLOCK(&rbtdb->tree_lock, locktype);
-						return (result);
-					}
-				}
-			}
-			if (tree == rbtdb->nsec3)
-				node->nsec = DNS_RBT_NSEC_NSEC3;
-		} else if (result != ISC_R_EXISTS) {
-			RWUNLOCK(&rbtdb->tree_lock, locktype);
-			return (result);
-		}
-	}
-
-	if (tree == rbtdb->nsec3)
-		INSIST(node->nsec == DNS_RBT_NSEC_NSEC3);
-
-	reactivate_node(rbtdb, node, locktype);
-	RWUNLOCK(&rbtdb->tree_lock, locktype);
-
-	*nodep = (dns_dbnode_t *)node;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
-	 dns_dbnode_t **nodep)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	return (findnodeintree(rbtdb, rbtdb->tree, name, create, nodep));
-}
-
-static isc_result_t
-findnsec3node(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
-	      dns_dbnode_t **nodep)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	return (findnodeintree(rbtdb, rbtdb->nsec3, name, create, nodep));
-}
-
-static isc_result_t
-zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
-	rbtdb_search_t *search = arg;
-	rdatasetheader_t *header, *header_next;
-	rdatasetheader_t *dname_header, *sigdname_header, *ns_header;
-	rdatasetheader_t *found;
-	isc_result_t result;
-	dns_rbtnode_t *onode;
-
-	/*
-	 * We only want to remember the topmost zone cut, since it's the one
-	 * that counts, so we'll just continue if we've already found a
-	 * zonecut.
-	 */
-	if (search->zonecut != NULL)
-		return (DNS_R_CONTINUE);
-
-	found = NULL;
-	result = DNS_R_CONTINUE;
-	onode = search->rbtdb->origin_node;
-
-	NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
-		  isc_rwlocktype_read);
-
-	/*
-	 * Look for an NS or DNAME rdataset active in our version.
-	 */
-	ns_header = NULL;
-	dname_header = NULL;
-	sigdname_header = NULL;
-	for (header = node->data; header != NULL; header = header_next) {
-		header_next = header->next;
-		if (header->type == dns_rdatatype_ns ||
-		    header->type == dns_rdatatype_dname ||
-		    header->type == RBTDB_RDATATYPE_SIGDNAME) {
-			do {
-				if (header->serial <= search->serial &&
-				    !IGNORE(header)) {
-					/*
-					 * Is this a "this rdataset doesn't
-					 * exist" record?
-					 */
-					if (NONEXISTENT(header))
-						header = NULL;
-					break;
-				} else
-					header = header->down;
-			} while (header != NULL);
-			if (header != NULL) {
-				if (header->type == dns_rdatatype_dname)
-					dname_header = header;
-				else if (header->type ==
-					   RBTDB_RDATATYPE_SIGDNAME)
-					sigdname_header = header;
-				else if (node != onode ||
-					 IS_STUB(search->rbtdb)) {
-					/*
-					 * We've found an NS rdataset that
-					 * isn't at the origin node.  We check
-					 * that they're not at the origin node,
-					 * because otherwise we'd erroneously
-					 * treat the zone top as if it were
-					 * a delegation.
-					 */
-					ns_header = header;
-				}
-			}
-		}
-	}
-
-	/*
-	 * Did we find anything?
-	 */
-	if (!IS_CACHE(search->rbtdb) && !IS_STUB(search->rbtdb) &&
-	    ns_header != NULL) {
-		/*
-		 * Note that NS has precedence over DNAME if both exist
-		 * in a zone.  Otherwise DNAME take precedence over NS.
-		 */
-		found = ns_header;
-		search->zonecut_sigrdataset = NULL;
-	} else if (dname_header != NULL) {
-		found = dname_header;
-		search->zonecut_sigrdataset = sigdname_header;
-	} else if (ns_header != NULL) {
-		found = ns_header;
-		search->zonecut_sigrdataset = NULL;
-	}
-
-	if (found != NULL) {
-		/*
-		 * We increment the reference count on node to ensure that
-		 * search->zonecut_rdataset will still be valid later.
-		 */
-		new_reference(search->rbtdb, node);
-		search->zonecut = node;
-		search->zonecut_rdataset = found;
-		search->need_cleanup = ISC_TRUE;
-		/*
-		 * Since we've found a zonecut, anything beneath it is
-		 * glue and is not subject to wildcard matching, so we
-		 * may clear search->wild.
-		 */
-		search->wild = ISC_FALSE;
-		if ((search->options & DNS_DBFIND_GLUEOK) == 0) {
-			/*
-			 * If the caller does not want to find glue, then
-			 * this is the best answer and the search should
-			 * stop now.
-			 */
-			result = DNS_R_PARTIALMATCH;
-		} else {
-			dns_name_t *zcname;
-
-			/*
-			 * The search will continue beneath the zone cut.
-			 * This may or may not be the best match.  In case it
-			 * is, we need to remember the node name.
-			 */
-			zcname = dns_fixedname_name(&search->zonecut_name);
-			RUNTIME_CHECK(dns_name_copy(name, zcname, NULL) ==
-				      ISC_R_SUCCESS);
-			search->copy_name = ISC_TRUE;
-		}
-	} else {
-		/*
-		 * There is no zonecut at this node which is active in this
-		 * version.
-		 *
-		 * If this is a "wild" node and the caller hasn't disabled
-		 * wildcard matching, remember that we've seen a wild node
-		 * in case we need to go searching for wildcard matches
-		 * later on.
-		 */
-		if (node->wild && (search->options & DNS_DBFIND_NOWILD) == 0)
-			search->wild = ISC_TRUE;
-	}
-
-	NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
-		    isc_rwlocktype_read);
-
-	return (result);
-}
-
-static inline void
-bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
-	      rdatasetheader_t *header, isc_stdtime_t now,
-	      dns_rdataset_t *rdataset)
-{
-	unsigned char *raw;     /* RDATASLAB */
-
-	/*
-	 * Caller must be holding the node reader lock.
-	 * XXXJT: technically, we need a writer lock, since we'll increment
-	 * the header count below.  However, since the actual counter value
-	 * doesn't matter, we prioritize performance here.  (We may want to
-	 * use atomic increment when available).
-	 */
-
-	if (rdataset == NULL)
-		return;
-
-	new_reference(rbtdb, node);
-
-	INSIST(rdataset->methods == NULL);      /* We must be disassociated. */
-
-	rdataset->methods = &rdataset_methods;
-	rdataset->rdclass = rbtdb->common.rdclass;
-	rdataset->type = RBTDB_RDATATYPE_BASE(header->type);
-	rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
-	rdataset->ttl = header->rdh_ttl - now;
-	rdataset->trust = header->trust;
-	if (NEGATIVE(header))
-		rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
-	if (NXDOMAIN(header))
-		rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
-	if (OPTOUT(header))
-		rdataset->attributes |= DNS_RDATASETATTR_OPTOUT;
-	rdataset->private1 = rbtdb;
-	rdataset->private2 = node;
-	raw = (unsigned char *)header + sizeof(*header);
-	rdataset->private3 = raw;
-	rdataset->count = header->count++;
-	if (rdataset->count == ISC_UINT32_MAX)
-		rdataset->count = 0;
-
-	/*
-	 * Reset iterator state.
-	 */
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-
-	/*
-	 * Add noqname proof.
-	 */
-	rdataset->private6 = header->noqname;
-	if (rdataset->private6 != NULL)
-		rdataset->attributes |=  DNS_RDATASETATTR_NOQNAME;
-	rdataset->private7 = header->closest;
-	if (rdataset->private7 != NULL)
-		rdataset->attributes |=  DNS_RDATASETATTR_CLOSEST;
-
-	/*
-	 * Copy out re-signing information.
-	 */
-	if (RESIGN(header)) {
-		rdataset->attributes |=  DNS_RDATASETATTR_RESIGN;
-		rdataset->resign = header->resign;
-	} else
-		rdataset->resign = 0;
-}
-
-static inline isc_result_t
-setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
-		 dns_name_t *foundname, dns_rdataset_t *rdataset,
-		 dns_rdataset_t *sigrdataset)
-{
-	isc_result_t result;
-	dns_name_t *zcname;
-	rbtdb_rdatatype_t type;
-	dns_rbtnode_t *node;
-
-	/*
-	 * The caller MUST NOT be holding any node locks.
-	 */
-
-	node = search->zonecut;
-	type = search->zonecut_rdataset->type;
-
-	/*
-	 * If we have to set foundname, we do it before anything else.
-	 * If we were to set foundname after we had set nodep or bound the
-	 * rdataset, then we'd have to undo that work if dns_name_copy()
-	 * failed.  By setting foundname first, there's nothing to undo if
-	 * we have trouble.
-	 */
-	if (foundname != NULL && search->copy_name) {
-		zcname = dns_fixedname_name(&search->zonecut_name);
-		result = dns_name_copy(zcname, foundname, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	if (nodep != NULL) {
-		/*
-		 * Note that we don't have to increment the node's reference
-		 * count here because we're going to use the reference we
-		 * already have in the search block.
-		 */
-		*nodep = node;
-		search->need_cleanup = ISC_FALSE;
-	}
-	if (rdataset != NULL) {
-		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
-			  isc_rwlocktype_read);
-		bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
-			      search->now, rdataset);
-		if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
-			bind_rdataset(search->rbtdb, node,
-				      search->zonecut_sigrdataset,
-				      search->now, sigrdataset);
-		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
-			    isc_rwlocktype_read);
-	}
-
-	if (type == dns_rdatatype_dname)
-		return (DNS_R_DNAME);
-	return (DNS_R_DELEGATION);
-}
-
-static inline isc_boolean_t
-valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
-	   dns_rbtnode_t *node)
-{
-	unsigned char *raw;     /* RDATASLAB */
-	unsigned int count, size;
-	dns_name_t ns_name;
-	isc_boolean_t valid = ISC_FALSE;
-	dns_offsets_t offsets;
-	isc_region_t region;
-	rdatasetheader_t *header;
-
-	/*
-	 * No additional locking is required.
-	 */
-
-	/*
-	 * Valid glue types are A, AAAA, A6.  NS is also a valid glue type
-	 * if it occurs at a zone cut, but is not valid below it.
-	 */
-	if (type == dns_rdatatype_ns) {
-		if (node != search->zonecut) {
-			return (ISC_FALSE);
-		}
-	} else if (type != dns_rdatatype_a &&
-		   type != dns_rdatatype_aaaa &&
-		   type != dns_rdatatype_a6) {
-		return (ISC_FALSE);
-	}
-
-	header = search->zonecut_rdataset;
-	raw = (unsigned char *)header + sizeof(*header);
-	count = raw[0] * 256 + raw[1];
-#if DNS_RDATASET_FIXED
-	raw += 2 + (4 * count);
-#else
-	raw += 2;
-#endif
-
-	while (count > 0) {
-		count--;
-		size = raw[0] * 256 + raw[1];
-#if DNS_RDATASET_FIXED
-		raw += 4;
-#else
-		raw += 2;
-#endif
-		region.base = raw;
-		region.length = size;
-		raw += size;
-		/*
-		 * XXX Until we have rdata structures, we have no choice but
-		 * to directly access the rdata format.
-		 */
-		dns_name_init(&ns_name, offsets);
-		dns_name_fromregion(&ns_name, &region);
-		if (dns_name_compare(&ns_name, name) == 0) {
-			valid = ISC_TRUE;
-			break;
-		}
-	}
-
-	return (valid);
-}
-
-static inline isc_boolean_t
-activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain,
-	    dns_name_t *name)
-{
-	dns_fixedname_t fnext;
-	dns_fixedname_t forigin;
-	dns_name_t *next;
-	dns_name_t *origin;
-	dns_name_t prefix;
-	dns_rbtdb_t *rbtdb;
-	dns_rbtnode_t *node;
-	isc_result_t result;
-	isc_boolean_t answer = ISC_FALSE;
-	rdatasetheader_t *header;
-
-	rbtdb = search->rbtdb;
-
-	dns_name_init(&prefix, NULL);
-	dns_fixedname_init(&fnext);
-	next = dns_fixedname_name(&fnext);
-	dns_fixedname_init(&forigin);
-	origin = dns_fixedname_name(&forigin);
-
-	result = dns_rbtnodechain_next(chain, NULL, NULL);
-	while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
-		node = NULL;
-		result = dns_rbtnodechain_current(chain, &prefix,
-						  origin, &node);
-		if (result != ISC_R_SUCCESS)
-			break;
-		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
-			  isc_rwlocktype_read);
-		for (header = node->data;
-		     header != NULL;
-		     header = header->next) {
-			if (header->serial <= search->serial &&
-			    !IGNORE(header) && EXISTS(header))
-				break;
-		}
-		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
-			    isc_rwlocktype_read);
-		if (header != NULL)
-			break;
-		result = dns_rbtnodechain_next(chain, NULL, NULL);
-	}
-	if (result == ISC_R_SUCCESS)
-		result = dns_name_concatenate(&prefix, origin, next, NULL);
-	if (result == ISC_R_SUCCESS && dns_name_issubdomain(next, name))
-		answer = ISC_TRUE;
-	return (answer);
-}
-
-static inline isc_boolean_t
-activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
-	dns_fixedname_t fnext;
-	dns_fixedname_t forigin;
-	dns_fixedname_t fprev;
-	dns_name_t *next;
-	dns_name_t *origin;
-	dns_name_t *prev;
-	dns_name_t name;
-	dns_name_t rname;
-	dns_name_t tname;
-	dns_rbtdb_t *rbtdb;
-	dns_rbtnode_t *node;
-	dns_rbtnodechain_t chain;
-	isc_boolean_t check_next = ISC_TRUE;
-	isc_boolean_t check_prev = ISC_TRUE;
-	isc_boolean_t answer = ISC_FALSE;
-	isc_result_t result;
-	rdatasetheader_t *header;
-	unsigned int n;
-
-	rbtdb = search->rbtdb;
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&tname, NULL);
-	dns_name_init(&rname, NULL);
-	dns_fixedname_init(&fnext);
-	next = dns_fixedname_name(&fnext);
-	dns_fixedname_init(&fprev);
-	prev = dns_fixedname_name(&fprev);
-	dns_fixedname_init(&forigin);
-	origin = dns_fixedname_name(&forigin);
-
-	/*
-	 * Find if qname is at or below a empty node.
-	 * Use our own copy of the chain.
-	 */
-
-	chain = search->chain;
-	do {
-		node = NULL;
-		result = dns_rbtnodechain_current(&chain, &name,
-						  origin, &node);
-		if (result != ISC_R_SUCCESS)
-			break;
-		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
-			  isc_rwlocktype_read);
-		for (header = node->data;
-		     header != NULL;
-		     header = header->next) {
-			if (header->serial <= search->serial &&
-			    !IGNORE(header) && EXISTS(header))
-				break;
-		}
-		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
-			    isc_rwlocktype_read);
-		if (header != NULL)
-			break;
-		result = dns_rbtnodechain_prev(&chain, NULL, NULL);
-	} while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN);
-	if (result == ISC_R_SUCCESS)
-		result = dns_name_concatenate(&name, origin, prev, NULL);
-	if (result != ISC_R_SUCCESS)
-		check_prev = ISC_FALSE;
-
-	result = dns_rbtnodechain_next(&chain, NULL, NULL);
-	while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
-		node = NULL;
-		result = dns_rbtnodechain_current(&chain, &name,
-						  origin, &node);
-		if (result != ISC_R_SUCCESS)
-			break;
-		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
-			  isc_rwlocktype_read);
-		for (header = node->data;
-		     header != NULL;
-		     header = header->next) {
-			if (header->serial <= search->serial &&
-			    !IGNORE(header) && EXISTS(header))
-				break;
-		}
-		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
-			    isc_rwlocktype_read);
-		if (header != NULL)
-			break;
-		result = dns_rbtnodechain_next(&chain, NULL, NULL);
-	}
-	if (result == ISC_R_SUCCESS)
-		result = dns_name_concatenate(&name, origin, next, NULL);
-	if (result != ISC_R_SUCCESS)
-		check_next = ISC_FALSE;
-
-	dns_name_clone(qname, &rname);
-
-	/*
-	 * Remove the wildcard label to find the terminal name.
-	 */
-	n = dns_name_countlabels(wname);
-	dns_name_getlabelsequence(wname, 1, n - 1, &tname);
-
-	do {
-		if ((check_prev && dns_name_issubdomain(prev, &rname)) ||
-		    (check_next && dns_name_issubdomain(next, &rname))) {
-			answer = ISC_TRUE;
-			break;
-		}
-		/*
-		 * Remove the left hand label.
-		 */
-		n = dns_name_countlabels(&rname);
-		dns_name_getlabelsequence(&rname, 1, n - 1, &rname);
-	} while (!dns_name_equal(&rname, &tname));
-	return (answer);
-}
-
-static inline isc_result_t
-find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
-	      dns_name_t *qname)
-{
-	unsigned int i, j;
-	dns_rbtnode_t *node, *level_node, *wnode;
-	rdatasetheader_t *header;
-	isc_result_t result = ISC_R_NOTFOUND;
-	dns_name_t name;
-	dns_name_t *wname;
-	dns_fixedname_t fwname;
-	dns_rbtdb_t *rbtdb;
-	isc_boolean_t done, wild, active;
-	dns_rbtnodechain_t wchain;
-
-	/*
-	 * Caller must be holding the tree lock and MUST NOT be holding
-	 * any node locks.
-	 */
-
-	/*
-	 * Examine each ancestor level.  If the level's wild bit
-	 * is set, then construct the corresponding wildcard name and
-	 * search for it.  If the wildcard node exists, and is active in
-	 * this version, we're done.  If not, then we next check to see
-	 * if the ancestor is active in this version.  If so, then there
-	 * can be no possible wildcard match and again we're done.  If not,
-	 * continue the search.
-	 */
-
-	rbtdb = search->rbtdb;
-	i = search->chain.level_matches;
-	done = ISC_FALSE;
-	node = *nodep;
-	do {
-		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
-			  isc_rwlocktype_read);
-
-		/*
-		 * First we try to figure out if this node is active in
-		 * the search's version.  We do this now, even though we
-		 * may not need the information, because it simplifies the
-		 * locking and code flow.
-		 */
-		for (header = node->data;
-		     header != NULL;
-		     header = header->next) {
-			if (header->serial <= search->serial &&
-			    !IGNORE(header) && EXISTS(header))
-				break;
-		}
-		if (header != NULL)
-			active = ISC_TRUE;
-		else
-			active = ISC_FALSE;
-
-		if (node->wild)
-			wild = ISC_TRUE;
-		else
-			wild = ISC_FALSE;
-
-		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
-			    isc_rwlocktype_read);
-
-		if (wild) {
-			/*
-			 * Construct the wildcard name for this level.
-			 */
-			dns_name_init(&name, NULL);
-			dns_rbt_namefromnode(node, &name);
-			dns_fixedname_init(&fwname);
-			wname = dns_fixedname_name(&fwname);
-			result = dns_name_concatenate(dns_wildcardname, &name,
-						      wname, NULL);
-			j = i;
-			while (result == ISC_R_SUCCESS && j != 0) {
-				j--;
-				level_node = search->chain.levels[j];
-				dns_name_init(&name, NULL);
-				dns_rbt_namefromnode(level_node, &name);
-				result = dns_name_concatenate(wname,
-							      &name,
-							      wname,
-							      NULL);
-			}
-			if (result != ISC_R_SUCCESS)
-				break;
-
-			wnode = NULL;
-			dns_rbtnodechain_init(&wchain, NULL);
-			result = dns_rbt_findnode(rbtdb->tree, wname,
-						  NULL, &wnode, &wchain,
-						  DNS_RBTFIND_EMPTYDATA,
-						  NULL, NULL);
-			if (result == ISC_R_SUCCESS) {
-				nodelock_t *lock;
-
-				/*
-				 * We have found the wildcard node.  If it
-				 * is active in the search's version, we're
-				 * done.
-				 */
-				lock = &rbtdb->node_locks[wnode->locknum].lock;
-				NODE_LOCK(lock, isc_rwlocktype_read);
-				for (header = wnode->data;
-				     header != NULL;
-				     header = header->next) {
-					if (header->serial <= search->serial &&
-					    !IGNORE(header) && EXISTS(header))
-						break;
-				}
-				NODE_UNLOCK(lock, isc_rwlocktype_read);
-				if (header != NULL ||
-				    activeempty(search, &wchain, wname)) {
-					if (activeemtpynode(search, qname,
-							    wname)) {
-						return (ISC_R_NOTFOUND);
-					}
-					/*
-					 * The wildcard node is active!
-					 *
-					 * Note: result is still ISC_R_SUCCESS
-					 * so we don't have to set it.
-					 */
-					*nodep = wnode;
-					break;
-				}
-			} else if (result != ISC_R_NOTFOUND &&
-				   result != DNS_R_PARTIALMATCH) {
-				/*
-				 * An error has occurred.  Bail out.
-				 */
-				break;
-			}
-		}
-
-		if (active) {
-			/*
-			 * The level node is active.  Any wildcarding
-			 * present at higher levels has no
-			 * effect and we're done.
-			 */
-			result = ISC_R_NOTFOUND;
-			break;
-		}
-
-		if (i > 0) {
-			i--;
-			node = search->chain.levels[i];
-		} else
-			done = ISC_TRUE;
-	} while (!done);
-
-	return (result);
-}
-
-static isc_boolean_t
-matchparams(rdatasetheader_t *header, rbtdb_search_t *search)
-{
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_nsec3_t nsec3;
-	unsigned char *raw;                     /* RDATASLAB */
-	unsigned int rdlen, count;
-	isc_region_t region;
-	isc_result_t result;
-
-	REQUIRE(header->type == dns_rdatatype_nsec3);
-
-	raw = (unsigned char *)header + sizeof(*header);
-	count = raw[0] * 256 + raw[1]; /* count */
-#if DNS_RDATASET_FIXED
-	raw += count * 4 + 2;
-#else
-	raw += 2;
-#endif
-	while (count-- > 0) {
-		rdlen = raw[0] * 256 + raw[1];
-#if DNS_RDATASET_FIXED
-		raw += 4;
-#else
-		raw += 2;
-#endif
-		region.base = raw;
-		region.length = rdlen;
-		dns_rdata_fromregion(&rdata, search->rbtdb->common.rdclass,
-				     dns_rdatatype_nsec3, &region);
-		raw += rdlen;
-		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
-		INSIST(result == ISC_R_SUCCESS);
-		if (nsec3.hash == search->rbtversion->hash &&
-		    nsec3.iterations == search->rbtversion->iterations &&
-		    nsec3.salt_length == search->rbtversion->salt_length &&
-		    memcmp(nsec3.salt, search->rbtversion->salt,
-			   nsec3.salt_length) == 0)
-			return (ISC_TRUE);
-		dns_rdata_reset(&rdata);
-	}
-	return (ISC_FALSE);
-}
-
-/*
- * Find node of the NSEC/NSEC3 record that is 'name'.
- */
-static inline isc_result_t
-previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
-		    dns_name_t *name, dns_name_t *origin,
-		    dns_rbtnode_t **nodep, dns_rbtnodechain_t *nsecchain,
-		    isc_boolean_t *firstp)
-{
-	dns_fixedname_t ftarget;
-	dns_name_t *target;
-	dns_rbtnode_t *nsecnode;
-	isc_result_t result;
-
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	if (type == dns_rdatatype_nsec3) {
-		result = dns_rbtnodechain_prev(&search->chain, NULL, NULL);
-		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
-			return (result);
-		result = dns_rbtnodechain_current(&search->chain, name, origin,
-						  nodep);
-		return (result);
-	}
-
-	dns_fixedname_init(&ftarget);
-	target = dns_fixedname_name(&ftarget);
-
-	for (;;) {
-		if (*firstp) {
-			/*
-			 * Construct the name of the second node to check.
-			 * It is the first node sought in the NSEC tree.
-			 */
-			*firstp = ISC_FALSE;
-			dns_rbtnodechain_init(nsecchain, NULL);
-			result = dns_name_concatenate(name, origin,
-						      target, NULL);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			nsecnode = NULL;
-			result = dns_rbt_findnode(search->rbtdb->nsec,
-						  target, NULL,
-						  &nsecnode, nsecchain,
-						  DNS_RBTFIND_NOOPTIONS,
-						  NULL, NULL);
-			if (result == ISC_R_SUCCESS) {
-				/*
-				 * Since this was the first loop, finding the
-				 * name in the NSEC tree implies that the first
-				 * node checked in the main tree had an
-				 * unacceptable NSEC record.
-				 * Try the previous node in the NSEC tree.
-				 */
-				result = dns_rbtnodechain_prev(nsecchain,
-							       name, origin);
-				if (result == DNS_R_NEWORIGIN)
-					result = ISC_R_SUCCESS;
-			} else if (result == ISC_R_NOTFOUND ||
-				   result == DNS_R_PARTIALMATCH) {
-				result = dns_rbtnodechain_current(nsecchain,
-							name, origin, NULL);
-				if (result == ISC_R_NOTFOUND)
-					result = ISC_R_NOMORE;
-			}
-		} else {
-			/*
-			 * This is a second or later trip through the auxiliary
-			 * tree for the name of a third or earlier NSEC node in
-			 * the main tree.  Previous trips through the NSEC tree
-			 * must have found nodes in the main tree with NSEC
-			 * records.  Perhaps they lacked signature records.
-			 */
-			result = dns_rbtnodechain_prev(nsecchain, name, origin);
-			if (result == DNS_R_NEWORIGIN)
-				result = ISC_R_SUCCESS;
-		}
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		/*
-		 * Construct the name to seek in the main tree.
-		 */
-		result = dns_name_concatenate(name, origin, target, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		*nodep = NULL;
-		result = dns_rbt_findnode(search->rbtdb->tree, target, NULL,
-					  nodep, &search->chain,
-					  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
-		if (result == ISC_R_SUCCESS)
-			return (result);
-
-		/*
-		 * There should always be a node in the main tree with the
-		 * same name as the node in the auxiliary NSEC tree, except for
-		 * nodes in the auxiliary tree that are awaiting deletion.
-		 */
-		if (result != DNS_R_PARTIALMATCH && result != ISC_R_NOTFOUND) {
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_ERROR,
-				      "previous_closest_nsec(): %s",
-				      isc_result_totext(result));
-			return (DNS_R_BADDB);
-		}
-	}
-}
-
-/*
- * Find the NSEC/NSEC3 which is or before the current point on the
- * search chain.  For NSEC3 records only NSEC3 records that match the
- * current NSEC3PARAM record are considered.
- */
-static inline isc_result_t
-find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
-		  dns_name_t *foundname, dns_rdataset_t *rdataset,
-		  dns_rdataset_t *sigrdataset, dns_rbt_t *tree,
-		  dns_db_secure_t secure)
-{
-	dns_rbtnode_t *node, *prevnode;
-	rdatasetheader_t *header, *header_next, *found, *foundsig;
-	dns_rbtnodechain_t nsecchain;
-	isc_boolean_t empty_node;
-	isc_result_t result;
-	dns_fixedname_t fname, forigin;
-	dns_name_t *name, *origin;
-	dns_rdatatype_t type;
-	rbtdb_rdatatype_t sigtype;
-	isc_boolean_t wraps;
-	isc_boolean_t first = ISC_TRUE;
-	isc_boolean_t need_sig = ISC_TF(secure == dns_db_secure);
-
-	if (tree == search->rbtdb->nsec3) {
-		type = dns_rdatatype_nsec3;
-		sigtype = RBTDB_RDATATYPE_SIGNSEC3;
-		wraps = ISC_TRUE;
-	} else {
-		type = dns_rdatatype_nsec;
-		sigtype = RBTDB_RDATATYPE_SIGNSEC;
-		wraps = ISC_FALSE;
-	}
-
-	/*
-	 * Use the auxiliary tree only starting with the second node in the
-	 * hope that the original node will be right much of the time.
-	 */
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	dns_fixedname_init(&forigin);
-	origin = dns_fixedname_name(&forigin);
- again:
-	node = NULL;
-	prevnode = NULL;
-	result = dns_rbtnodechain_current(&search->chain, name, origin, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	do {
-		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
-			  isc_rwlocktype_read);
-		found = NULL;
-		foundsig = NULL;
-		empty_node = ISC_TRUE;
-		for (header = node->data;
-		     header != NULL;
-		     header = header_next) {
-			header_next = header->next;
-			/*
-			 * Look for an active, extant NSEC or RRSIG NSEC.
-			 */
-			do {
-				if (header->serial <= search->serial &&
-				    !IGNORE(header)) {
-					/*
-					 * Is this a "this rdataset doesn't
-					 * exist" record?
-					 */
-					if (NONEXISTENT(header))
-						header = NULL;
-					break;
-				} else
-					header = header->down;
-			} while (header != NULL);
-			if (header != NULL) {
-				/*
-				 * We now know that there is at least one
-				 * active rdataset at this node.
-				 */
-				empty_node = ISC_FALSE;
-				if (header->type == type) {
-					found = header;
-					if (foundsig != NULL)
-						break;
-				} else if (header->type == sigtype) {
-					foundsig = header;
-					if (found != NULL)
-						break;
-				}
-			}
-		}
-		if (!empty_node) {
-			if (found != NULL && search->rbtversion->havensec3 &&
-			    found->type == dns_rdatatype_nsec3 &&
-			    !matchparams(found, search)) {
-				empty_node = ISC_TRUE;
-				found = NULL;
-				foundsig = NULL;
-				result = previous_closest_nsec(type, search,
-							       name, origin,
-							       &prevnode, NULL,
-							       NULL);
-			} else if (found != NULL &&
-				   (foundsig != NULL || !need_sig)) {
-				/*
-				 * We've found the right NSEC/NSEC3 record.
-				 *
-				 * Note: for this to really be the right
-				 * NSEC record, it's essential that the NSEC
-				 * records of any nodes obscured by a zone
-				 * cut have been removed; we assume this is
-				 * the case.
-				 */
-				result = dns_name_concatenate(name, origin,
-							      foundname, NULL);
-				if (result == ISC_R_SUCCESS) {
-					if (nodep != NULL) {
-						new_reference(search->rbtdb,
-							      node);
-						*nodep = node;
-					}
-					bind_rdataset(search->rbtdb, node,
-						      found, search->now,
-						      rdataset);
-					if (foundsig != NULL)
-						bind_rdataset(search->rbtdb,
-							      node,
-							      foundsig,
-							      search->now,
-							      sigrdataset);
-				}
-			} else if (found == NULL && foundsig == NULL) {
-				/*
-				 * This node is active, but has no NSEC or
-				 * RRSIG NSEC.  That means it's glue or
-				 * other obscured zone data that isn't
-				 * relevant for our search.  Treat the
-				 * node as if it were empty and keep looking.
-				 */
-				empty_node = ISC_TRUE;
-				result = previous_closest_nsec(type, search,
-							       name, origin,
-							       &prevnode,
-							       &nsecchain,
-							       &first);
-			} else {
-				/*
-				 * We found an active node, but either the
-				 * NSEC or the RRSIG NSEC is missing.  This
-				 * shouldn't happen.
-				 */
-				result = DNS_R_BADDB;
-			}
-		} else {
-			/*
-			 * This node isn't active.  We've got to keep
-			 * looking.
-			 */
-			result = previous_closest_nsec(type, search,
-						       name, origin, &prevnode,
-						       &nsecchain, &first);
-		}
-		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
-			    isc_rwlocktype_read);
-		node = prevnode;
-		prevnode = NULL;
-	} while (empty_node && result == ISC_R_SUCCESS);
-
-	if (!first)
-		dns_rbtnodechain_invalidate(&nsecchain);
-
-	if (result == ISC_R_NOMORE && wraps) {
-		result = dns_rbtnodechain_last(&search->chain, tree,
-					       NULL, NULL);
-		if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
-			wraps = ISC_FALSE;
-			goto again;
-		}
-	}
-
-	/*
-	 * If the result is ISC_R_NOMORE, then we got to the beginning of
-	 * the database and didn't find a NSEC record.  This shouldn't
-	 * happen.
-	 */
-	if (result == ISC_R_NOMORE)
-		result = DNS_R_BADDB;
-
-	return (result);
-}
-
-static isc_result_t
-zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-	  dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-	  dns_dbnode_t **nodep, dns_name_t *foundname,
-	  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_rbtnode_t *node = NULL;
-	isc_result_t result;
-	rbtdb_search_t search;
-	isc_boolean_t cname_ok = ISC_TRUE;
-	isc_boolean_t close_version = ISC_FALSE;
-	isc_boolean_t maybe_zonecut = ISC_FALSE;
-	isc_boolean_t at_zonecut = ISC_FALSE;
-	isc_boolean_t wild;
-	isc_boolean_t empty_node;
-	rdatasetheader_t *header, *header_next, *found, *nsecheader;
-	rdatasetheader_t *foundsig, *cnamesig, *nsecsig;
-	rbtdb_rdatatype_t sigtype;
-	isc_boolean_t active;
-	dns_rbtnodechain_t chain;
-	nodelock_t *lock;
-	dns_rbt_t *tree;
-
-	search.rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(search.rbtdb));
-	INSIST(version == NULL ||
-	       ((rbtdb_version_t *)version)->rbtdb == (dns_rbtdb_t *)db);
-
-	/*
-	 * We don't care about 'now'.
-	 */
-	UNUSED(now);
-
-	/*
-	 * If the caller didn't supply a version, attach to the current
-	 * version.
-	 */
-	if (version == NULL) {
-		currentversion(db, &version);
-		close_version = ISC_TRUE;
-	}
-
-	search.rbtversion = version;
-	search.serial = search.rbtversion->serial;
-	search.options = options;
-	search.copy_name = ISC_FALSE;
-	search.need_cleanup = ISC_FALSE;
-	search.wild = ISC_FALSE;
-	search.zonecut = NULL;
-	dns_fixedname_init(&search.zonecut_name);
-	dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
-	search.now = 0;
-
-	/*
-	 * 'wild' will be true iff. we've matched a wildcard.
-	 */
-	wild = ISC_FALSE;
-
-	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
-	/*
-	 * Search down from the root of the tree.  If, while going down, we
-	 * encounter a callback node, zone_zonecut_callback() will search the
-	 * rdatasets at the zone cut for active DNAME or NS rdatasets.
-	 */
-	tree =  (options & DNS_DBFIND_FORCENSEC3) != 0 ? search.rbtdb->nsec3 :
-							 search.rbtdb->tree;
-	result = dns_rbt_findnode(tree, name, foundname, &node,
-				  &search.chain, DNS_RBTFIND_EMPTYDATA,
-				  zone_zonecut_callback, &search);
-
-	if (result == DNS_R_PARTIALMATCH) {
-	partial_match:
-		if (search.zonecut != NULL) {
-		    result = setup_delegation(&search, nodep, foundname,
-					      rdataset, sigrdataset);
-		    goto tree_exit;
-		}
-
-		if (search.wild) {
-			/*
-			 * At least one of the levels in the search chain
-			 * potentially has a wildcard.  For each such level,
-			 * we must see if there's a matching wildcard active
-			 * in the current version.
-			 */
-			result = find_wildcard(&search, &node, name);
-			if (result == ISC_R_SUCCESS) {
-				result = dns_name_copy(name, foundname, NULL);
-				if (result != ISC_R_SUCCESS)
-					goto tree_exit;
-				wild = ISC_TRUE;
-				goto found;
-			}
-			else if (result != ISC_R_NOTFOUND)
-				goto tree_exit;
-		}
-
-		chain = search.chain;
-		active = activeempty(&search, &chain, name);
-
-		/*
-		 * If we're here, then the name does not exist, is not
-		 * beneath a zonecut, and there's no matching wildcard.
-		 */
-		if ((search.rbtversion->secure == dns_db_secure &&
-		     !search.rbtversion->havensec3) ||
-		    (search.options & DNS_DBFIND_FORCENSEC) != 0 ||
-		    (search.options & DNS_DBFIND_FORCENSEC3) != 0)
-		{
-			result = find_closest_nsec(&search, nodep, foundname,
-						   rdataset, sigrdataset, tree,
-						   search.rbtversion->secure);
-			if (result == ISC_R_SUCCESS)
-				result = active ? DNS_R_EMPTYNAME :
-						  DNS_R_NXDOMAIN;
-		} else
-			result = active ? DNS_R_EMPTYNAME : DNS_R_NXDOMAIN;
-		goto tree_exit;
-	} else if (result != ISC_R_SUCCESS)
-		goto tree_exit;
-
- found:
-	/*
-	 * We have found a node whose name is the desired name, or we
-	 * have matched a wildcard.
-	 */
-
-	if (search.zonecut != NULL) {
-		/*
-		 * If we're beneath a zone cut, we don't want to look for
-		 * CNAMEs because they're not legitimate zone glue.
-		 */
-		cname_ok = ISC_FALSE;
-	} else {
-		/*
-		 * The node may be a zone cut itself.  If it might be one,
-		 * make sure we check for it later.
-		 *
-		 * DS records live above the zone cut in ordinary zone so
-		 * we want to ignore any referral.
-		 *
-		 * Stub zones don't have anything "above" the delgation so
-		 * we always return a referral.
-		 */
-		if (node->find_callback &&
-		    ((node != search.rbtdb->origin_node &&
-		      !dns_rdatatype_atparent(type)) ||
-		     IS_STUB(search.rbtdb)))
-			maybe_zonecut = ISC_TRUE;
-	}
-
-	/*
-	 * Certain DNSSEC types are not subject to CNAME matching
-	 * (RFC4035, section 2.5 and RFC3007).
-	 *
-	 * We don't check for RRSIG, because we don't store RRSIG records
-	 * directly.
-	 */
-	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
-		cname_ok = ISC_FALSE;
-
-	/*
-	 * We now go looking for rdata...
-	 */
-
-	lock = &search.rbtdb->node_locks[node->locknum].lock;
-	NODE_LOCK(lock, isc_rwlocktype_read);
-
-	found = NULL;
-	foundsig = NULL;
-	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
-	nsecheader = NULL;
-	nsecsig = NULL;
-	cnamesig = NULL;
-	empty_node = ISC_TRUE;
-	for (header = node->data; header != NULL; header = header_next) {
-		header_next = header->next;
-		/*
-		 * Look for an active, extant rdataset.
-		 */
-		do {
-			if (header->serial <= search.serial &&
-			    !IGNORE(header)) {
-				/*
-				 * Is this a "this rdataset doesn't
-				 * exist" record?
-				 */
-				if (NONEXISTENT(header))
-					header = NULL;
-				break;
-			} else
-				header = header->down;
-		} while (header != NULL);
-		if (header != NULL) {
-			/*
-			 * We now know that there is at least one active
-			 * rdataset at this node.
-			 */
-			empty_node = ISC_FALSE;
-
-			/*
-			 * Do special zone cut handling, if requested.
-			 */
-			if (maybe_zonecut &&
-			    header->type == dns_rdatatype_ns) {
-				/*
-				 * We increment the reference count on node to
-				 * ensure that search->zonecut_rdataset will
-				 * still be valid later.
-				 */
-				new_reference(search.rbtdb, node);
-				search.zonecut = node;
-				search.zonecut_rdataset = header;
-				search.zonecut_sigrdataset = NULL;
-				search.need_cleanup = ISC_TRUE;
-				maybe_zonecut = ISC_FALSE;
-				at_zonecut = ISC_TRUE;
-				/*
-				 * It is not clear if KEY should still be
-				 * allowed at the parent side of the zone
-				 * cut or not.  It is needed for RFC3007
-				 * validated updates.
-				 */
-				if ((search.options & DNS_DBFIND_GLUEOK) == 0
-				    && type != dns_rdatatype_nsec
-				    && type != dns_rdatatype_key) {
-					/*
-					 * Glue is not OK, but any answer we
-					 * could return would be glue.  Return
-					 * the delegation.
-					 */
-					found = NULL;
-					break;
-				}
-				if (found != NULL && foundsig != NULL)
-					break;
-			}
-
-
-			/*
-			 * If the NSEC3 record doesn't match the chain
-			 * we are using behave as if it isn't here.
-			 */
-			if (header->type == dns_rdatatype_nsec3 &&
-			   !matchparams(header, &search)) {
-				NODE_UNLOCK(lock, isc_rwlocktype_read);
-				goto partial_match;
-			}
-			/*
-			 * If we found a type we were looking for,
-			 * remember it.
-			 */
-			if (header->type == type ||
-			    type == dns_rdatatype_any ||
-			    (header->type == dns_rdatatype_cname &&
-			     cname_ok)) {
-				/*
-				 * We've found the answer!
-				 */
-				found = header;
-				if (header->type == dns_rdatatype_cname &&
-				    cname_ok) {
-					/*
-					 * We may be finding a CNAME instead
-					 * of the desired type.
-					 *
-					 * If we've already got the CNAME RRSIG,
-					 * use it, otherwise change sigtype
-					 * so that we find it.
-					 */
-					if (cnamesig != NULL)
-						foundsig = cnamesig;
-					else
-						sigtype =
-						    RBTDB_RDATATYPE_SIGCNAME;
-				}
-				/*
-				 * If we've got all we need, end the search.
-				 */
-				if (!maybe_zonecut && foundsig != NULL)
-					break;
-			} else if (header->type == sigtype) {
-				/*
-				 * We've found the RRSIG rdataset for our
-				 * target type.  Remember it.
-				 */
-				foundsig = header;
-				/*
-				 * If we've got all we need, end the search.
-				 */
-				if (!maybe_zonecut && found != NULL)
-					break;
-			} else if (header->type == dns_rdatatype_nsec &&
-				   !search.rbtversion->havensec3) {
-				/*
-				 * Remember a NSEC rdataset even if we're
-				 * not specifically looking for it, because
-				 * we might need it later.
-				 */
-				nsecheader = header;
-			} else if (header->type == RBTDB_RDATATYPE_SIGNSEC &&
-				   !search.rbtversion->havensec3) {
-				/*
-				 * If we need the NSEC rdataset, we'll also
-				 * need its signature.
-				 */
-				nsecsig = header;
-			} else if (cname_ok &&
-				   header->type == RBTDB_RDATATYPE_SIGCNAME) {
-				/*
-				 * If we get a CNAME match, we'll also need
-				 * its signature.
-				 */
-				cnamesig = header;
-			}
-		}
-	}
-
-	if (empty_node) {
-		/*
-		 * We have an exact match for the name, but there are no
-		 * active rdatasets in the desired version.  That means that
-		 * this node doesn't exist in the desired version, and that
-		 * we really have a partial match.
-		 */
-		if (!wild) {
-			NODE_UNLOCK(lock, isc_rwlocktype_read);
-			goto partial_match;
-		}
-	}
-
-	/*
-	 * If we didn't find what we were looking for...
-	 */
-	if (found == NULL) {
-		if (search.zonecut != NULL) {
-			/*
-			 * We were trying to find glue at a node beneath a
-			 * zone cut, but didn't.
-			 *
-			 * Return the delegation.
-			 */
-			NODE_UNLOCK(lock, isc_rwlocktype_read);
-			result = setup_delegation(&search, nodep, foundname,
-						  rdataset, sigrdataset);
-			goto tree_exit;
-		}
-		/*
-		 * The desired type doesn't exist.
-		 */
-		result = DNS_R_NXRRSET;
-		if (search.rbtversion->secure == dns_db_secure &&
-		    !search.rbtversion->havensec3 &&
-		    (nsecheader == NULL || nsecsig == NULL)) {
-			/*
-			 * The zone is secure but there's no NSEC,
-			 * or the NSEC has no signature!
-			 */
-			if (!wild) {
-				result = DNS_R_BADDB;
-				goto node_exit;
-			}
-
-			NODE_UNLOCK(lock, isc_rwlocktype_read);
-			result = find_closest_nsec(&search, nodep, foundname,
-						   rdataset, sigrdataset,
-						   search.rbtdb->tree,
-						   search.rbtversion->secure);
-			if (result == ISC_R_SUCCESS)
-				result = DNS_R_EMPTYWILD;
-			goto tree_exit;
-		}
-		if ((search.options & DNS_DBFIND_FORCENSEC) != 0 &&
-		    nsecheader == NULL)
-		{
-			/*
-			 * There's no NSEC record, and we were told
-			 * to find one.
-			 */
-			result = DNS_R_BADDB;
-			goto node_exit;
-		}
-		if (nodep != NULL) {
-			new_reference(search.rbtdb, node);
-			*nodep = node;
-		}
-		if ((search.rbtversion->secure == dns_db_secure &&
-		     !search.rbtversion->havensec3) ||
-		    (search.options & DNS_DBFIND_FORCENSEC) != 0)
-		{
-			bind_rdataset(search.rbtdb, node, nsecheader,
-				      0, rdataset);
-			if (nsecsig != NULL)
-				bind_rdataset(search.rbtdb, node,
-					      nsecsig, 0, sigrdataset);
-		}
-		if (wild)
-			foundname->attributes |= DNS_NAMEATTR_WILDCARD;
-		goto node_exit;
-	}
-
-	/*
-	 * We found what we were looking for, or we found a CNAME.
-	 */
-
-	if (type != found->type &&
-	    type != dns_rdatatype_any &&
-	    found->type == dns_rdatatype_cname) {
-		/*
-		 * We weren't doing an ANY query and we found a CNAME instead
-		 * of the type we were looking for, so we need to indicate
-		 * that result to the caller.
-		 */
-		result = DNS_R_CNAME;
-	} else if (search.zonecut != NULL) {
-		/*
-		 * If we're beneath a zone cut, we must indicate that the
-		 * result is glue, unless we're actually at the zone cut
-		 * and the type is NSEC or KEY.
-		 */
-		if (search.zonecut == node) {
-			/*
-			 * It is not clear if KEY should still be
-			 * allowed at the parent side of the zone
-			 * cut or not.  It is needed for RFC3007
-			 * validated updates.
-			 */
-			if (type == dns_rdatatype_nsec ||
-			    type == dns_rdatatype_nsec3 ||
-			    type == dns_rdatatype_key)
-				result = ISC_R_SUCCESS;
-			else if (type == dns_rdatatype_any)
-				result = DNS_R_ZONECUT;
-			else
-				result = DNS_R_GLUE;
-		} else
-			result = DNS_R_GLUE;
-		/*
-		 * We might have found data that isn't glue, but was occluded
-		 * by a dynamic update.  If the caller cares about this, they
-		 * will have told us to validate glue.
-		 *
-		 * XXX We should cache the glue validity state!
-		 */
-		if (result == DNS_R_GLUE &&
-		    (search.options & DNS_DBFIND_VALIDATEGLUE) != 0 &&
-		    !valid_glue(&search, foundname, type, node)) {
-			NODE_UNLOCK(lock, isc_rwlocktype_read);
-			result = setup_delegation(&search, nodep, foundname,
-						  rdataset, sigrdataset);
-		    goto tree_exit;
-		}
-	} else {
-		/*
-		 * An ordinary successful query!
-		 */
-		result = ISC_R_SUCCESS;
-	}
-
-	if (nodep != NULL) {
-		if (!at_zonecut)
-			new_reference(search.rbtdb, node);
-		else
-			search.need_cleanup = ISC_FALSE;
-		*nodep = node;
-	}
-
-	if (type != dns_rdatatype_any) {
-		bind_rdataset(search.rbtdb, node, found, 0, rdataset);
-		if (foundsig != NULL)
-			bind_rdataset(search.rbtdb, node, foundsig, 0,
-				      sigrdataset);
-	}
-
-	if (wild)
-		foundname->attributes |= DNS_NAMEATTR_WILDCARD;
-
- node_exit:
-	NODE_UNLOCK(lock, isc_rwlocktype_read);
-
- tree_exit:
-	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
-	/*
-	 * If we found a zonecut but aren't going to use it, we have to
-	 * let go of it.
-	 */
-	if (search.need_cleanup) {
-		node = search.zonecut;
-		INSIST(node != NULL);
-		lock = &(search.rbtdb->node_locks[node->locknum].lock);
-
-		NODE_LOCK(lock, isc_rwlocktype_read);
-		decrement_reference(search.rbtdb, node, 0,
-				    isc_rwlocktype_read, isc_rwlocktype_none,
-				    ISC_FALSE);
-		NODE_UNLOCK(lock, isc_rwlocktype_read);
-	}
-
-	if (close_version)
-		closeversion(db, &version, ISC_FALSE);
-
-	dns_rbtnodechain_reset(&search.chain);
-
-	return (result);
-}
-
-static isc_result_t
-zone_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
-		 isc_stdtime_t now, dns_dbnode_t **nodep,
-		 dns_name_t *foundname,
-		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	UNUSED(db);
-	UNUSED(name);
-	UNUSED(options);
-	UNUSED(now);
-	UNUSED(nodep);
-	UNUSED(foundname);
-	UNUSED(rdataset);
-	UNUSED(sigrdataset);
-
-	FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!");
-
-	/* NOTREACHED */
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
-	rbtdb_search_t *search = arg;
-	rdatasetheader_t *header, *header_prev, *header_next;
-	rdatasetheader_t *dname_header, *sigdname_header;
-	isc_result_t result;
-	nodelock_t *lock;
-	isc_rwlocktype_t locktype;
-
-	/* XXX comment */
-
-	REQUIRE(search->zonecut == NULL);
-
-	/*
-	 * Keep compiler silent.
-	 */
-	UNUSED(name);
-
-	lock = &(search->rbtdb->node_locks[node->locknum].lock);
-	locktype = isc_rwlocktype_read;
-	NODE_LOCK(lock, locktype);
-
-	/*
-	 * Look for a DNAME or RRSIG DNAME rdataset.
-	 */
-	dname_header = NULL;
-	sigdname_header = NULL;
-	header_prev = NULL;
-	for (header = node->data; header != NULL; header = header_next) {
-		header_next = header->next;
-		if (header->rdh_ttl <= search->now) {
-			/*
-			 * This rdataset is stale.  If no one else is
-			 * using the node, we can clean it up right
-			 * now, otherwise we mark it as stale, and
-			 * the node as dirty, so it will get cleaned
-			 * up later.
-			 */
-			if ((header->rdh_ttl <= search->now - RBTDB_VIRTUAL) &&
-			    (locktype == isc_rwlocktype_write ||
-			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
-				/*
-				 * We update the node's status only when we
-				 * can get write access; otherwise, we leave
-				 * others to this work.  Periodical cleaning
-				 * will eventually take the job as the last
-				 * resort.
-				 * We won't downgrade the lock, since other
-				 * rdatasets are probably stale, too.
-				 */
-				locktype = isc_rwlocktype_write;
-
-				if (dns_rbtnode_refcurrent(node) == 0) {
-					isc_mem_t *mctx;
-
-					/*
-					 * header->down can be non-NULL if the
-					 * refcount has just decremented to 0
-					 * but decrement_reference() has not
-					 * performed clean_cache_node(), in
-					 * which case we need to purge the
-					 * stale headers first.
-					 */
-					mctx = search->rbtdb->common.mctx;
-					clean_stale_headers(search->rbtdb,
-							    mctx,
-							    header);
-					if (header_prev != NULL)
-						header_prev->next =
-							header->next;
-					else
-						node->data = header->next;
-					free_rdataset(search->rbtdb, mctx,
-						      header);
-				} else {
-					header->attributes |=
-						RDATASET_ATTR_STALE;
-					node->dirty = 1;
-					header_prev = header;
-				}
-			} else
-				header_prev = header;
-		} else if (header->type == dns_rdatatype_dname &&
-			   EXISTS(header)) {
-			dname_header = header;
-			header_prev = header;
-		} else if (header->type == RBTDB_RDATATYPE_SIGDNAME &&
-			 EXISTS(header)) {
-			sigdname_header = header;
-			header_prev = header;
-		} else
-			header_prev = header;
-	}
-
-	if (dname_header != NULL &&
-	    (!DNS_TRUST_PENDING(dname_header->trust) ||
-	     (search->options & DNS_DBFIND_PENDINGOK) != 0)) {
-		/*
-		 * We increment the reference count on node to ensure that
-		 * search->zonecut_rdataset will still be valid later.
-		 */
-		new_reference(search->rbtdb, node);
-		INSIST(!ISC_LINK_LINKED(node, deadlink));
-		search->zonecut = node;
-		search->zonecut_rdataset = dname_header;
-		search->zonecut_sigrdataset = sigdname_header;
-		search->need_cleanup = ISC_TRUE;
-		result = DNS_R_PARTIALMATCH;
-	} else
-		result = DNS_R_CONTINUE;
-
-	NODE_UNLOCK(lock, locktype);
-
-	return (result);
-}
-
-static inline isc_result_t
-find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
-		     dns_dbnode_t **nodep, dns_name_t *foundname,
-		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	unsigned int i;
-	dns_rbtnode_t *level_node;
-	rdatasetheader_t *header, *header_prev, *header_next;
-	rdatasetheader_t *found, *foundsig;
-	isc_result_t result = ISC_R_NOTFOUND;
-	dns_name_t name;
-	dns_rbtdb_t *rbtdb;
-	isc_boolean_t done;
-	nodelock_t *lock;
-	isc_rwlocktype_t locktype;
-
-	/*
-	 * Caller must be holding the tree lock.
-	 */
-
-	rbtdb = search->rbtdb;
-	i = search->chain.level_matches;
-	done = ISC_FALSE;
-	do {
-		locktype = isc_rwlocktype_read;
-		lock = &rbtdb->node_locks[node->locknum].lock;
-		NODE_LOCK(lock, locktype);
-
-		/*
-		 * Look for NS and RRSIG NS rdatasets.
-		 */
-		found = NULL;
-		foundsig = NULL;
-		header_prev = NULL;
-		for (header = node->data;
-		     header != NULL;
-		     header = header_next) {
-			header_next = header->next;
-			if (header->rdh_ttl <= search->now) {
-				/*
-				 * This rdataset is stale.  If no one else is
-				 * using the node, we can clean it up right
-				 * now, otherwise we mark it as stale, and
-				 * the node as dirty, so it will get cleaned
-				 * up later.
-				 */
-				if ((header->rdh_ttl <= search->now -
-						    RBTDB_VIRTUAL) &&
-				    (locktype == isc_rwlocktype_write ||
-				     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
-					/*
-					 * We update the node's status only
-					 * when we can get write access.
-					 */
-					locktype = isc_rwlocktype_write;
-
-					if (dns_rbtnode_refcurrent(node)
-					    == 0) {
-						isc_mem_t *m;
-
-						m = search->rbtdb->common.mctx;
-						clean_stale_headers(
-							search->rbtdb,
-							m, header);
-						if (header_prev != NULL)
-							header_prev->next =
-								header->next;
-						else
-							node->data =
-								header->next;
-						free_rdataset(rbtdb, m,
-							      header);
-					} else {
-						header->attributes |=
-							RDATASET_ATTR_STALE;
-						node->dirty = 1;
-						header_prev = header;
-					}
-				} else
-					header_prev = header;
-			} else if (EXISTS(header)) {
-				/*
-				 * We've found an extant rdataset.  See if
-				 * we're interested in it.
-				 */
-				if (header->type == dns_rdatatype_ns) {
-					found = header;
-					if (foundsig != NULL)
-						break;
-				} else if (header->type ==
-					   RBTDB_RDATATYPE_SIGNS) {
-					foundsig = header;
-					if (found != NULL)
-						break;
-				}
-				header_prev = header;
-			} else
-				header_prev = header;
-		}
-
-		if (found != NULL) {
-			/*
-			 * If we have to set foundname, we do it before
-			 * anything else.  If we were to set foundname after
-			 * we had set nodep or bound the rdataset, then we'd
-			 * have to undo that work if dns_name_concatenate()
-			 * failed.  By setting foundname first, there's
-			 * nothing to undo if we have trouble.
-			 */
-			if (foundname != NULL) {
-				dns_name_init(&name, NULL);
-				dns_rbt_namefromnode(node, &name);
-				result = dns_name_copy(&name, foundname, NULL);
-				while (result == ISC_R_SUCCESS && i > 0) {
-					i--;
-					level_node = search->chain.levels[i];
-					dns_name_init(&name, NULL);
-					dns_rbt_namefromnode(level_node,
-							     &name);
-					result =
-						dns_name_concatenate(foundname,
-								     &name,
-								     foundname,
-								     NULL);
-				}
-				if (result != ISC_R_SUCCESS) {
-					*nodep = NULL;
-					goto node_exit;
-				}
-			}
-			result = DNS_R_DELEGATION;
-			if (nodep != NULL) {
-				new_reference(search->rbtdb, node);
-				*nodep = node;
-			}
-			bind_rdataset(search->rbtdb, node, found, search->now,
-				      rdataset);
-			if (foundsig != NULL)
-				bind_rdataset(search->rbtdb, node, foundsig,
-					      search->now, sigrdataset);
-			if (need_headerupdate(found, search->now) ||
-			    (foundsig != NULL &&
-			     need_headerupdate(foundsig, search->now))) {
-				if (locktype != isc_rwlocktype_write) {
-					NODE_UNLOCK(lock, locktype);
-					NODE_LOCK(lock, isc_rwlocktype_write);
-					locktype = isc_rwlocktype_write;
-					POST(locktype);
-				}
-				if (need_headerupdate(found, search->now))
-					update_header(search->rbtdb, found,
-						      search->now);
-				if (foundsig != NULL &&
-				    need_headerupdate(foundsig, search->now)) {
-					update_header(search->rbtdb, foundsig,
-						      search->now);
-				}
-			}
-		}
-
-	node_exit:
-		NODE_UNLOCK(lock, locktype);
-
-		if (found == NULL && i > 0) {
-			i--;
-			node = search->chain.levels[i];
-		} else
-			done = ISC_TRUE;
-
-	} while (!done);
-
-	return (result);
-}
-
-static isc_result_t
-find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
-		  isc_stdtime_t now, dns_name_t *foundname,
-		  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_rbtnode_t *node;
-	rdatasetheader_t *header, *header_next, *header_prev;
-	rdatasetheader_t *found, *foundsig;
-	isc_boolean_t empty_node;
-	isc_result_t result;
-	dns_fixedname_t fname, forigin;
-	dns_name_t *name, *origin;
-	rbtdb_rdatatype_t matchtype, sigmatchtype;
-	nodelock_t *lock;
-	isc_rwlocktype_t locktype;
-
-	matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0);
-	sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
-					     dns_rdatatype_nsec);
-
-	do {
-		node = NULL;
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		dns_fixedname_init(&forigin);
-		origin = dns_fixedname_name(&forigin);
-		result = dns_rbtnodechain_current(&search->chain, name,
-						  origin, &node);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		locktype = isc_rwlocktype_read;
-		lock = &(search->rbtdb->node_locks[node->locknum].lock);
-		NODE_LOCK(lock, locktype);
-		found = NULL;
-		foundsig = NULL;
-		empty_node = ISC_TRUE;
-		header_prev = NULL;
-		for (header = node->data;
-		     header != NULL;
-		     header = header_next) {
-			header_next = header->next;
-			if (header->rdh_ttl <= now) {
-				/*
-				 * This rdataset is stale.  If no one else is
-				 * using the node, we can clean it up right
-				 * now, otherwise we mark it as stale, and the
-				 * node as dirty, so it will get cleaned up
-				 * later.
-				 */
-				if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) &&
-				    (locktype == isc_rwlocktype_write ||
-				     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
-					/*
-					 * We update the node's status only
-					 * when we can get write access.
-					 */
-					locktype = isc_rwlocktype_write;
-
-					if (dns_rbtnode_refcurrent(node)
-					    == 0) {
-						isc_mem_t *m;
-
-						m = search->rbtdb->common.mctx;
-						clean_stale_headers(
-							search->rbtdb,
-							m, header);
-						if (header_prev != NULL)
-							header_prev->next =
-								header->next;
-						else
-							node->data = header->next;
-						free_rdataset(search->rbtdb, m,
-							      header);
-					} else {
-						header->attributes |=
-							RDATASET_ATTR_STALE;
-						node->dirty = 1;
-						header_prev = header;
-					}
-				} else
-					header_prev = header;
-				continue;
-			}
-			if (NONEXISTENT(header) ||
-			    RBTDB_RDATATYPE_BASE(header->type) == 0) {
-				header_prev = header;
-				continue;
-			}
-			empty_node = ISC_FALSE;
-			if (header->type == matchtype)
-				found = header;
-			else if (header->type == sigmatchtype)
-				foundsig = header;
-			header_prev = header;
-		}
-		if (found != NULL) {
-			result = dns_name_concatenate(name, origin,
-						      foundname, NULL);
-			if (result != ISC_R_SUCCESS)
-				goto unlock_node;
-			bind_rdataset(search->rbtdb, node, found,
-				      now, rdataset);
-			if (foundsig != NULL)
-				bind_rdataset(search->rbtdb, node, foundsig,
-					      now, sigrdataset);
-			new_reference(search->rbtdb, node);
-			*nodep = node;
-			result = DNS_R_COVERINGNSEC;
-		} else if (!empty_node) {
-			result = ISC_R_NOTFOUND;
-		} else
-			result = dns_rbtnodechain_prev(&search->chain, NULL,
-						       NULL);
- unlock_node:
-		NODE_UNLOCK(lock, locktype);
-	} while (empty_node && result == ISC_R_SUCCESS);
-	return (result);
-}
-
-/*
- * Mark a database for response policy rewriting
- * or find which RPZ data is available.
- */
-#ifdef BIND9
-static isc_result_t
-rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
-{
-	dns_rbtdb_t *rbtdb;
-	isc_result_t result;
-
-	result = ISC_R_SUCCESS;
-	rbtdb = (dns_rbtdb_t *)db;
-	REQUIRE(VALID_RBTDB(rbtdb));
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-	if (st != NULL) {
-		dns_rpz_enabled_get(rbtdb->rpz_cidr, st);
-	} else {
-		result = dns_rpz_new_cidr(rbtdb->common.mctx,
-					  &rbtdb->common.origin,
-					  &rbtdb->rpz_cidr);
-	}
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-	return (result);
-}
-
-/*
- * Search the CDIR block tree of a response policy tree of trees for all of
- * the IP addresses in an A or AAAA rdataset.
- * Among the policies for all IPv4 and IPv6 addresses for a name, choose
- *	the earliest configured policy,
- *	QNAME over IP over NSDNAME over NSIP,
- *	the longest prefix,
- *	the lexically smallest address.
- * The caller must have already checked that any existing policy was not
- * configured earlier than this policy zone and does not have a higher
- * precedence type.
- */
-static void
-rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
-	    dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
-	    dns_rdataset_t *ardataset, dns_rpz_st_t *st,
-	    dns_name_t *query_qname)
-{
-	dns_rbtdb_t *rbtdb;
-	struct in_addr ina;
-	struct in6_addr in6a;
-	isc_netaddr_t netaddr;
-	dns_fixedname_t selfnamef, qnamef;
-	dns_name_t *selfname, *qname;
-	dns_rbtnode_t *node;
-	dns_rdataset_t zrdataset;
-	dns_rpz_cidr_bits_t prefix;
-	isc_result_t result;
-	dns_rpz_policy_t rpz_policy;
-	dns_ttl_t ttl;
-
-	rbtdb = (dns_rbtdb_t *)db;
-	REQUIRE(VALID_RBTDB(rbtdb));
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
-	if (rbtdb->rpz_cidr == NULL) {
-		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-		return;
-	}
-
-	dns_fixedname_init(&selfnamef);
-	dns_fixedname_init(&qnamef);
-	selfname = dns_fixedname_name(&selfnamef);
-	qname = dns_fixedname_name(&qnamef);
-
-	for (result = dns_rdataset_first(ardataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(ardataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(ardataset, &rdata);
-		switch (rdata.type) {
-		case dns_rdatatype_a:
-			INSIST(rdata.length == 4);
-			memcpy(&ina.s_addr, rdata.data, 4);
-			isc_netaddr_fromin(&netaddr, &ina);
-			break;
-		case dns_rdatatype_aaaa:
-			INSIST(rdata.length == 16);
-			memcpy(in6a.s6_addr, rdata.data, 16);
-			isc_netaddr_fromin6(&netaddr, &in6a);
-			break;
-		default:
-			continue;
-		}
-
-		result = dns_rpz_cidr_find(rbtdb->rpz_cidr, &netaddr, rpz_type,
-					   selfname, qname, &prefix);
-		if (result != ISC_R_SUCCESS)
-			continue;
-
-		/*
-		 * If we already have a rule, discard this new rule if
-		 * is not better.
-		 * The caller has checked that st->m.rpz->num > rpz->num
-		 * or st->m.rpz->num == rpz->num and st->m.type >= rpz_type
-		 */
-		if (st->m.policy != DNS_RPZ_POLICY_MISS &&
-		    st->m.rpz->num == rpz->num &&
-		    (st->m.type < rpz_type ||
-		     (st->m.type == rpz_type &&
-		      (st->m.prefix > prefix ||
-		       (st->m.prefix == prefix &&
-			0 > dns_name_rdatacompare(st->qname, qname))))))
-			continue;
-
-		/*
-		 * We have rpz_st an entry with a prefix at least as long as
-		 * the prefix of the entry we had before.  Find the node
-		 * corresponding to CDIR tree entry.
-		 */
-		node = NULL;
-		result = dns_rbt_findnode(rbtdb->tree, qname, NULL,
-					  &node, NULL, 0, NULL, NULL);
-		if (result != ISC_R_SUCCESS) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-
-			dns_name_format(qname, namebuf, sizeof(namebuf));
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
-				      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
-				      "rpz_findips findnode(%s) failed: %s",
-				      namebuf, isc_result_totext(result));
-			continue;
-		}
-		/*
-		 * First look for a simple rewrite of the IP address.
-		 * If that fails, look for a CNAME.  If we cannot find
-		 * a CNAME or the CNAME is neither of the special forms
-		 * "*" or ".", treat it like a real CNAME.
-		 */
-		dns_rdataset_init(&zrdataset);
-		result = dns_db_findrdataset(db, node, version, ardataset->type,
-					     0, 0, &zrdataset, NULL);
-		if (result != ISC_R_SUCCESS)
-			result = dns_db_findrdataset(db, node, version,
-						     dns_rdatatype_cname,
-						     0, 0, &zrdataset, NULL);
-		if (result == ISC_R_SUCCESS) {
-			if (zrdataset.type != dns_rdatatype_cname) {
-				rpz_policy = DNS_RPZ_POLICY_RECORD;
-			} else {
-				rpz_policy = dns_rpz_decode_cname(rpz,
-								  &zrdataset,
-								  selfname);
-				if (rpz_policy == DNS_RPZ_POLICY_RECORD ||
-				    rpz_policy == DNS_RPZ_POLICY_WILDCNAME)
-					result = DNS_R_CNAME;
-			}
-			ttl = zrdataset.ttl;
-		} else {
-			rpz_policy = DNS_RPZ_POLICY_RECORD;
-			result = DNS_R_NXRRSET;
-			ttl = DNS_RPZ_TTL_DEFAULT;
-		}
-
-		/*
-		 * Use an overriding action specified in the configuration file
-		 */
-		if (rpz->policy != DNS_RPZ_POLICY_GIVEN) {
-			/*
-			 * only log DNS_RPZ_POLICY_DISABLED hits
-			 */
-			if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
-				if (isc_log_wouldlog(dns_lctx,
-						     DNS_RPZ_INFO_LEVEL)) {
-					char qname_buf[DNS_NAME_FORMATSIZE];
-					char rpz_qname_buf[DNS_NAME_FORMATSIZE];
-					dns_name_format(query_qname, qname_buf,
-							sizeof(qname_buf));
-					dns_name_format(qname, rpz_qname_buf,
-							sizeof(rpz_qname_buf));
-
-					isc_log_write(dns_lctx,
-						DNS_LOGCATEGORY_RPZ,
-						DNS_LOGMODULE_RBTDB,
-						DNS_RPZ_INFO_LEVEL,
-						"disabled rpz %s %s rewrite"
-						" %s via %s",
-						dns_rpz_type2str(rpz_type),
-						dns_rpz_policy2str(rpz_policy),
-						qname_buf, rpz_qname_buf);
-				}
-				continue;
-			}
-
-			rpz_policy = rpz->policy;
-		}
-
-		if (dns_rdataset_isassociated(st->m.rdataset))
-			dns_rdataset_disassociate(st->m.rdataset);
-		if (st->m.node != NULL)
-			dns_db_detachnode(st->m.db, &st->m.node);
-		if (st->m.db != NULL)
-			dns_db_detach(&st->m.db);
-		if (st->m.zone != NULL)
-			dns_zone_detach(&st->m.zone);
-		st->m.rpz = rpz;
-		st->m.type = rpz_type;
-		st->m.prefix = prefix;
-		st->m.policy = rpz_policy;
-		st->m.ttl = ISC_MIN(ttl, rpz->max_policy_ttl);
-		st->m.result = result;
-		dns_name_copy(qname, st->qname, NULL);
-		if ((rpz_policy == DNS_RPZ_POLICY_RECORD ||
-		    rpz_policy == DNS_RPZ_POLICY_WILDCNAME) &&
-		    result != DNS_R_NXRRSET) {
-			dns_rdataset_clone(&zrdataset,st->m.rdataset);
-			dns_db_attachnode(db, node, &st->m.node);
-		}
-		dns_db_attach(db, &st->m.db);
-		st->m.version = version;
-		dns_zone_attach(zone, &st->m.zone);
-		if (dns_rdataset_isassociated(&zrdataset))
-			dns_rdataset_disassociate(&zrdataset);
-	}
-
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-}
-#endif
-
-static isc_result_t
-cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-	   dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-	   dns_dbnode_t **nodep, dns_name_t *foundname,
-	   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_rbtnode_t *node = NULL;
-	isc_result_t result;
-	rbtdb_search_t search;
-	isc_boolean_t cname_ok = ISC_TRUE;
-	isc_boolean_t empty_node;
-	nodelock_t *lock;
-	isc_rwlocktype_t locktype;
-	rdatasetheader_t *header, *header_prev, *header_next;
-	rdatasetheader_t *found, *nsheader;
-	rdatasetheader_t *foundsig, *nssig, *cnamesig;
-	rdatasetheader_t *update, *updatesig;
-	rbtdb_rdatatype_t sigtype, negtype;
-
-	UNUSED(version);
-
-	search.rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(search.rbtdb));
-	REQUIRE(version == NULL);
-
-	if (now == 0)
-		isc_stdtime_get(&now);
-
-	search.rbtversion = NULL;
-	search.serial = 1;
-	search.options = options;
-	search.copy_name = ISC_FALSE;
-	search.need_cleanup = ISC_FALSE;
-	search.wild = ISC_FALSE;
-	search.zonecut = NULL;
-	dns_fixedname_init(&search.zonecut_name);
-	dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
-	search.now = now;
-	update = NULL;
-	updatesig = NULL;
-
-	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
-	/*
-	 * Search down from the root of the tree.  If, while going down, we
-	 * encounter a callback node, cache_zonecut_callback() will search the
-	 * rdatasets at the zone cut for a DNAME rdataset.
-	 */
-	result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
-				  &search.chain, DNS_RBTFIND_EMPTYDATA,
-				  cache_zonecut_callback, &search);
-
-	if (result == DNS_R_PARTIALMATCH) {
-		if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0) {
-			result = find_coveringnsec(&search, nodep, now,
-						   foundname, rdataset,
-						   sigrdataset);
-			if (result == DNS_R_COVERINGNSEC)
-				goto tree_exit;
-		}
-		if (search.zonecut != NULL) {
-		    result = setup_delegation(&search, nodep, foundname,
-					      rdataset, sigrdataset);
-		    goto tree_exit;
-		} else {
-		find_ns:
-			result = find_deepest_zonecut(&search, node, nodep,
-						      foundname, rdataset,
-						      sigrdataset);
-			goto tree_exit;
-		}
-	} else if (result != ISC_R_SUCCESS)
-		goto tree_exit;
-
-	/*
-	 * Certain DNSSEC types are not subject to CNAME matching
-	 * (RFC4035, section 2.5 and RFC3007).
-	 *
-	 * We don't check for RRSIG, because we don't store RRSIG records
-	 * directly.
-	 */
-	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
-		cname_ok = ISC_FALSE;
-
-	/*
-	 * We now go looking for rdata...
-	 */
-
-	lock = &(search.rbtdb->node_locks[node->locknum].lock);
-	locktype = isc_rwlocktype_read;
-	NODE_LOCK(lock, locktype);
-
-	found = NULL;
-	foundsig = NULL;
-	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
-	negtype = RBTDB_RDATATYPE_VALUE(0, type);
-	nsheader = NULL;
-	nssig = NULL;
-	cnamesig = NULL;
-	empty_node = ISC_TRUE;
-	header_prev = NULL;
-	for (header = node->data; header != NULL; header = header_next) {
-		header_next = header->next;
-		if (header->rdh_ttl <= now) {
-			/*
-			 * This rdataset is stale.  If no one else is using the
-			 * node, we can clean it up right now, otherwise we
-			 * mark it as stale, and the node as dirty, so it will
-			 * get cleaned up later.
-			 */
-			if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) &&
-			    (locktype == isc_rwlocktype_write ||
-			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
-				/*
-				 * We update the node's status only when we
-				 * can get write access.
-				 */
-				locktype = isc_rwlocktype_write;
-
-				if (dns_rbtnode_refcurrent(node) == 0) {
-					isc_mem_t *mctx;
-
-					mctx = search.rbtdb->common.mctx;
-					clean_stale_headers(search.rbtdb, mctx,
-							    header);
-					if (header_prev != NULL)
-						header_prev->next =
-							header->next;
-					else
-						node->data = header->next;
-					free_rdataset(search.rbtdb, mctx,
-						      header);
-				} else {
-					header->attributes |=
-						RDATASET_ATTR_STALE;
-					node->dirty = 1;
-					header_prev = header;
-				}
-			} else
-				header_prev = header;
-		} else if (EXISTS(header)) {
-			/*
-			 * We now know that there is at least one active
-			 * non-stale rdataset at this node.
-			 */
-			empty_node = ISC_FALSE;
-
-			/*
-			 * If we found a type we were looking for, remember
-			 * it.
-			 */
-			if (header->type == type ||
-			    (type == dns_rdatatype_any &&
-			     RBTDB_RDATATYPE_BASE(header->type) != 0) ||
-			    (cname_ok && header->type ==
-			     dns_rdatatype_cname)) {
-				/*
-				 * We've found the answer.
-				 */
-				found = header;
-				if (header->type == dns_rdatatype_cname &&
-				    cname_ok &&
-				    cnamesig != NULL) {
-					/*
-					 * If we've already got the
-					 * CNAME RRSIG, use it.
-					 */
-					foundsig = cnamesig;
-				}
-			} else if (header->type == sigtype) {
-				/*
-				 * We've found the RRSIG rdataset for our
-				 * target type.  Remember it.
-				 */
-				foundsig = header;
-			} else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				   header->type == negtype) {
-				/*
-				 * We've found a negative cache entry.
-				 */
-				found = header;
-			} else if (header->type == dns_rdatatype_ns) {
-				/*
-				 * Remember a NS rdataset even if we're
-				 * not specifically looking for it, because
-				 * we might need it later.
-				 */
-				nsheader = header;
-			} else if (header->type == RBTDB_RDATATYPE_SIGNS) {
-				/*
-				 * If we need the NS rdataset, we'll also
-				 * need its signature.
-				 */
-				nssig = header;
-			} else if (cname_ok &&
-				   header->type == RBTDB_RDATATYPE_SIGCNAME) {
-				/*
-				 * If we get a CNAME match, we'll also need
-				 * its signature.
-				 */
-				cnamesig = header;
-			}
-			header_prev = header;
-		} else
-			header_prev = header;
-	}
-
-	if (empty_node) {
-		/*
-		 * We have an exact match for the name, but there are no
-		 * extant rdatasets.  That means that this node doesn't
-		 * meaningfully exist, and that we really have a partial match.
-		 */
-		NODE_UNLOCK(lock, locktype);
-		goto find_ns;
-	}
-
-	/*
-	 * If we didn't find what we were looking for...
-	 */
-	if (found == NULL ||
-	    (DNS_TRUST_ADDITIONAL(found->trust) &&
-	     ((options & DNS_DBFIND_ADDITIONALOK) == 0)) ||
-	    (found->trust == dns_trust_glue &&
-	     ((options & DNS_DBFIND_GLUEOK) == 0)) ||
-	    (DNS_TRUST_PENDING(found->trust) &&
-	     ((options & DNS_DBFIND_PENDINGOK) == 0))) {
-		/*
-		 * If there is an NS rdataset at this node, then this is the
-		 * deepest zone cut.
-		 */
-		if (nsheader != NULL) {
-			if (nodep != NULL) {
-				new_reference(search.rbtdb, node);
-				INSIST(!ISC_LINK_LINKED(node, deadlink));
-				*nodep = node;
-			}
-			bind_rdataset(search.rbtdb, node, nsheader, search.now,
-				      rdataset);
-			if (need_headerupdate(nsheader, search.now))
-				update = nsheader;
-			if (nssig != NULL) {
-				bind_rdataset(search.rbtdb, node, nssig,
-					      search.now, sigrdataset);
-				if (need_headerupdate(nssig, search.now))
-					updatesig = nssig;
-			}
-			result = DNS_R_DELEGATION;
-			goto node_exit;
-		}
-
-		/*
-		 * Go find the deepest zone cut.
-		 */
-		NODE_UNLOCK(lock, locktype);
-		goto find_ns;
-	}
-
-	/*
-	 * We found what we were looking for, or we found a CNAME.
-	 */
-
-	if (nodep != NULL) {
-		new_reference(search.rbtdb, node);
-		INSIST(!ISC_LINK_LINKED(node, deadlink));
-		*nodep = node;
-	}
-
-	if (NEGATIVE(found)) {
-		/*
-		 * We found a negative cache entry.
-		 */
-		if (NXDOMAIN(found))
-			result = DNS_R_NCACHENXDOMAIN;
-		else
-			result = DNS_R_NCACHENXRRSET;
-	} else if (type != found->type &&
-		   type != dns_rdatatype_any &&
-		   found->type == dns_rdatatype_cname) {
-		/*
-		 * We weren't doing an ANY query and we found a CNAME instead
-		 * of the type we were looking for, so we need to indicate
-		 * that result to the caller.
-		 */
-		result = DNS_R_CNAME;
-	} else {
-		/*
-		 * An ordinary successful query!
-		 */
-		result = ISC_R_SUCCESS;
-	}
-
-	if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN ||
-	    result == DNS_R_NCACHENXRRSET) {
-		bind_rdataset(search.rbtdb, node, found, search.now,
-			      rdataset);
-		if (need_headerupdate(found, search.now))
-			update = found;
-		if (!NEGATIVE(found) && foundsig != NULL) {
-			bind_rdataset(search.rbtdb, node, foundsig, search.now,
-				      sigrdataset);
-			if (need_headerupdate(foundsig, search.now))
-				updatesig = foundsig;
-		}
-	}
-
- node_exit:
-	if ((update != NULL || updatesig != NULL) &&
-	    locktype != isc_rwlocktype_write) {
-		NODE_UNLOCK(lock, locktype);
-		NODE_LOCK(lock, isc_rwlocktype_write);
-		locktype = isc_rwlocktype_write;
-		POST(locktype);
-	}
-	if (update != NULL && need_headerupdate(update, search.now))
-		update_header(search.rbtdb, update, search.now);
-	if (updatesig != NULL && need_headerupdate(updatesig, search.now))
-		update_header(search.rbtdb, updatesig, search.now);
-
-	NODE_UNLOCK(lock, locktype);
-
- tree_exit:
-	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
-	/*
-	 * If we found a zonecut but aren't going to use it, we have to
-	 * let go of it.
-	 */
-	if (search.need_cleanup) {
-		node = search.zonecut;
-		INSIST(node != NULL);
-		lock = &(search.rbtdb->node_locks[node->locknum].lock);
-
-		NODE_LOCK(lock, isc_rwlocktype_read);
-		decrement_reference(search.rbtdb, node, 0,
-				    isc_rwlocktype_read, isc_rwlocktype_none,
-				    ISC_FALSE);
-		NODE_UNLOCK(lock, isc_rwlocktype_read);
-	}
-
-	dns_rbtnodechain_reset(&search.chain);
-
-	return (result);
-}
-
-static isc_result_t
-cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
-		  isc_stdtime_t now, dns_dbnode_t **nodep,
-		  dns_name_t *foundname,
-		  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_rbtnode_t *node = NULL;
-	nodelock_t *lock;
-	isc_result_t result;
-	rbtdb_search_t search;
-	rdatasetheader_t *header, *header_prev, *header_next;
-	rdatasetheader_t *found, *foundsig;
-	unsigned int rbtoptions = DNS_RBTFIND_EMPTYDATA;
-	isc_rwlocktype_t locktype;
-
-	search.rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(search.rbtdb));
-
-	if (now == 0)
-		isc_stdtime_get(&now);
-
-	search.rbtversion = NULL;
-	search.serial = 1;
-	search.options = options;
-	search.copy_name = ISC_FALSE;
-	search.need_cleanup = ISC_FALSE;
-	search.wild = ISC_FALSE;
-	search.zonecut = NULL;
-	dns_fixedname_init(&search.zonecut_name);
-	dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
-	search.now = now;
-
-	if ((options & DNS_DBFIND_NOEXACT) != 0)
-		rbtoptions |= DNS_RBTFIND_NOEXACT;
-
-	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
-	/*
-	 * Search down from the root of the tree.
-	 */
-	result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
-				  &search.chain, rbtoptions, NULL, &search);
-
-	if (result == DNS_R_PARTIALMATCH) {
-	find_ns:
-		result = find_deepest_zonecut(&search, node, nodep, foundname,
-					      rdataset, sigrdataset);
-		goto tree_exit;
-	} else if (result != ISC_R_SUCCESS)
-		goto tree_exit;
-
-	/*
-	 * We now go looking for an NS rdataset at the node.
-	 */
-
-	lock = &(search.rbtdb->node_locks[node->locknum].lock);
-	locktype = isc_rwlocktype_read;
-	NODE_LOCK(lock, locktype);
-
-	found = NULL;
-	foundsig = NULL;
-	header_prev = NULL;
-	for (header = node->data; header != NULL; header = header_next) {
-		header_next = header->next;
-		if (header->rdh_ttl <= now) {
-			/*
-			 * This rdataset is stale.  If no one else is using the
-			 * node, we can clean it up right now, otherwise we
-			 * mark it as stale, and the node as dirty, so it will
-			 * get cleaned up later.
-			 */
-			if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) &&
-			    (locktype == isc_rwlocktype_write ||
-			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
-				/*
-				 * We update the node's status only when we
-				 * can get write access.
-				 */
-				locktype = isc_rwlocktype_write;
-
-				if (dns_rbtnode_refcurrent(node) == 0) {
-					isc_mem_t *mctx;
-
-					mctx = search.rbtdb->common.mctx;
-					clean_stale_headers(search.rbtdb, mctx,
-							    header);
-					if (header_prev != NULL)
-						header_prev->next =
-							header->next;
-					else
-						node->data = header->next;
-					free_rdataset(search.rbtdb, mctx,
-						      header);
-				} else {
-					header->attributes |=
-						RDATASET_ATTR_STALE;
-					node->dirty = 1;
-					header_prev = header;
-				}
-			} else
-				header_prev = header;
-		} else if (EXISTS(header)) {
-			/*
-			 * If we found a type we were looking for, remember
-			 * it.
-			 */
-			if (header->type == dns_rdatatype_ns) {
-				/*
-				 * Remember a NS rdataset even if we're
-				 * not specifically looking for it, because
-				 * we might need it later.
-				 */
-				found = header;
-			} else if (header->type == RBTDB_RDATATYPE_SIGNS) {
-				/*
-				 * If we need the NS rdataset, we'll also
-				 * need its signature.
-				 */
-				foundsig = header;
-			}
-			header_prev = header;
-		} else
-			header_prev = header;
-	}
-
-	if (found == NULL) {
-		/*
-		 * No NS records here.
-		 */
-		NODE_UNLOCK(lock, locktype);
-		goto find_ns;
-	}
-
-	if (nodep != NULL) {
-		new_reference(search.rbtdb, node);
-		INSIST(!ISC_LINK_LINKED(node, deadlink));
-		*nodep = node;
-	}
-
-	bind_rdataset(search.rbtdb, node, found, search.now, rdataset);
-	if (foundsig != NULL)
-		bind_rdataset(search.rbtdb, node, foundsig, search.now,
-			      sigrdataset);
-
-	if (need_headerupdate(found, search.now) ||
-	    (foundsig != NULL &&  need_headerupdate(foundsig, search.now))) {
-		if (locktype != isc_rwlocktype_write) {
-			NODE_UNLOCK(lock, locktype);
-			NODE_LOCK(lock, isc_rwlocktype_write);
-			locktype = isc_rwlocktype_write;
-			POST(locktype);
-		}
-		if (need_headerupdate(found, search.now))
-			update_header(search.rbtdb, found, search.now);
-		if (foundsig != NULL &&
-		    need_headerupdate(foundsig, search.now)) {
-			update_header(search.rbtdb, foundsig, search.now);
-		}
-	}
-
-	NODE_UNLOCK(lock, locktype);
-
- tree_exit:
-	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
-	INSIST(!search.need_cleanup);
-
-	dns_rbtnodechain_reset(&search.chain);
-
-	if (result == DNS_R_DELEGATION)
-		result = ISC_R_SUCCESS;
-
-	return (result);
-}
-
-static void
-attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *node = (dns_rbtnode_t *)source;
-	unsigned int refs;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
-	dns_rbtnode_refincrement(node, &refs);
-	INSIST(refs != 0);
-	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
-
-	*targetp = source;
-}
-
-static void
-detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *node;
-	isc_boolean_t want_free = ISC_FALSE;
-	isc_boolean_t inactive = ISC_FALSE;
-	rbtdb_nodelock_t *nodelock;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(targetp != NULL && *targetp != NULL);
-
-	node = (dns_rbtnode_t *)(*targetp);
-	nodelock = &rbtdb->node_locks[node->locknum];
-
-	NODE_LOCK(&nodelock->lock, isc_rwlocktype_read);
-
-	if (decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
-				isc_rwlocktype_none, ISC_FALSE)) {
-		if (isc_refcount_current(&nodelock->references) == 0 &&
-		    nodelock->exiting) {
-			inactive = ISC_TRUE;
-		}
-	}
-
-	NODE_UNLOCK(&nodelock->lock, isc_rwlocktype_read);
-
-	*targetp = NULL;
-
-	if (inactive) {
-		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
-		rbtdb->active--;
-		if (rbtdb->active == 0)
-			want_free = ISC_TRUE;
-		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
-		if (want_free) {
-			char buf[DNS_NAME_FORMATSIZE];
-			if (dns_name_dynamic(&rbtdb->common.origin))
-				dns_name_format(&rbtdb->common.origin, buf,
-						sizeof(buf));
-			else
-				strcpy(buf, "<UNKNOWN>");
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
-				      "calling free_rbtdb(%s)", buf);
-			free_rbtdb(rbtdb, ISC_TRUE, NULL);
-		}
-	}
-}
-
-static isc_result_t
-expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *rbtnode = node;
-	rdatasetheader_t *header;
-	isc_boolean_t force_expire = ISC_FALSE;
-	/*
-	 * These are the category and module used by the cache cleaner.
-	 */
-	isc_boolean_t log = ISC_FALSE;
-	isc_logcategory_t *category = DNS_LOGCATEGORY_DATABASE;
-	isc_logmodule_t *module = DNS_LOGMODULE_CACHE;
-	int level = ISC_LOG_DEBUG(2);
-	char printname[DNS_NAME_FORMATSIZE];
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	/*
-	 * Caller must hold a tree lock.
-	 */
-
-	if (now == 0)
-		isc_stdtime_get(&now);
-
-	if (isc_mem_isovermem(rbtdb->common.mctx)) {
-		isc_uint32_t val;
-
-		isc_random_get(&val);
-		/*
-		 * XXXDCL Could stand to have a better policy, like LRU.
-		 */
-		force_expire = ISC_TF(rbtnode->down == NULL && val % 4 == 0);
-
-		/*
-		 * Note that 'log' can be true IFF overmem is also true.
-		 * overmem can currently only be true for cache
-		 * databases -- hence all of the "overmem cache" log strings.
-		 */
-		log = ISC_TF(isc_log_wouldlog(dns_lctx, level));
-		if (log)
-			isc_log_write(dns_lctx, category, module, level,
-				      "overmem cache: %s %s",
-				      force_expire ? "FORCE" : "check",
-				      dns_rbt_formatnodename(rbtnode,
-							   printname,
-							   sizeof(printname)));
-	}
-
-	/*
-	 * We may not need write access, but this code path is not performance
-	 * sensitive, so it should be okay to always lock as a writer.
-	 */
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_write);
-
-	for (header = rbtnode->data; header != NULL; header = header->next)
-		if (header->rdh_ttl <= now - RBTDB_VIRTUAL) {
-			/*
-			 * We don't check if refcurrent(rbtnode) == 0 and try
-			 * to free like we do in cache_find(), because
-			 * refcurrent(rbtnode) must be non-zero.  This is so
-			 * because 'node' is an argument to the function.
-			 */
-			header->attributes |= RDATASET_ATTR_STALE;
-			rbtnode->dirty = 1;
-			if (log)
-				isc_log_write(dns_lctx, category, module,
-					      level, "overmem cache: stale %s",
-					      printname);
-		} else if (force_expire) {
-			if (! RETAIN(header)) {
-				set_ttl(rbtdb, header, 0);
-				header->attributes |= RDATASET_ATTR_STALE;
-				rbtnode->dirty = 1;
-			} else if (log) {
-				isc_log_write(dns_lctx, category, module,
-					      level, "overmem cache: "
-					      "reprieve by RETAIN() %s",
-					      printname);
-			}
-		} else if (isc_mem_isovermem(rbtdb->common.mctx) && log)
-			isc_log_write(dns_lctx, category, module, level,
-				      "overmem cache: saved %s", printname);
-
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		    isc_rwlocktype_write);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-overmem(dns_db_t *db, isc_boolean_t overmem) {
-	/* This is an empty callback.  See adb.c:water() */
-
-	UNUSED(db);
-	UNUSED(overmem);
-
-	return;
-}
-
-static void
-printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *rbtnode = node;
-	isc_boolean_t first;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_read);
-
-	fprintf(out, "node %p, %u references, locknum = %u\n",
-		rbtnode, dns_rbtnode_refcurrent(rbtnode),
-		rbtnode->locknum);
-	if (rbtnode->data != NULL) {
-		rdatasetheader_t *current, *top_next;
-
-		for (current = rbtnode->data; current != NULL;
-		     current = top_next) {
-			top_next = current->next;
-			first = ISC_TRUE;
-			fprintf(out, "\ttype %u", current->type);
-			do {
-				if (!first)
-					fprintf(out, "\t");
-				first = ISC_FALSE;
-				fprintf(out,
-					"\tserial = %lu, ttl = %u, "
-					"trust = %u, attributes = %u, "
-					"resign = %u\n",
-					(unsigned long)current->serial,
-					current->rdh_ttl,
-					current->trust,
-					current->attributes,
-					current->resign);
-				current = current->down;
-			} while (current != NULL);
-		}
-	} else
-		fprintf(out, "(empty)\n");
-
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		    isc_rwlocktype_read);
-}
-
-static isc_result_t
-createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	rbtdb_dbiterator_t *rbtdbiter;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof(*rbtdbiter));
-	if (rbtdbiter == NULL)
-		return (ISC_R_NOMEMORY);
-
-	rbtdbiter->common.methods = &dbiterator_methods;
-	rbtdbiter->common.db = NULL;
-	dns_db_attach(db, &rbtdbiter->common.db);
-	rbtdbiter->common.relative_names =
-			ISC_TF((options & DNS_DB_RELATIVENAMES) != 0);
-	rbtdbiter->common.magic = DNS_DBITERATOR_MAGIC;
-	rbtdbiter->common.cleaning = ISC_FALSE;
-	rbtdbiter->paused = ISC_TRUE;
-	rbtdbiter->tree_locked = isc_rwlocktype_none;
-	rbtdbiter->result = ISC_R_SUCCESS;
-	dns_fixedname_init(&rbtdbiter->name);
-	dns_fixedname_init(&rbtdbiter->origin);
-	rbtdbiter->node = NULL;
-	rbtdbiter->delete = 0;
-	rbtdbiter->nsec3only = ISC_TF((options & DNS_DB_NSEC3ONLY) != 0);
-	rbtdbiter->nonsec3 = ISC_TF((options & DNS_DB_NONSEC3) != 0);
-	memset(rbtdbiter->deletions, 0, sizeof(rbtdbiter->deletions));
-	dns_rbtnodechain_init(&rbtdbiter->chain, db->mctx);
-	dns_rbtnodechain_init(&rbtdbiter->nsec3chain, db->mctx);
-	if (rbtdbiter->nsec3only)
-		rbtdbiter->current = &rbtdbiter->nsec3chain;
-	else
-		rbtdbiter->current = &rbtdbiter->chain;
-
-	*iteratorp = (dns_dbiterator_t *)rbtdbiter;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		  dns_rdatatype_t type, dns_rdatatype_t covers,
-		  isc_stdtime_t now, dns_rdataset_t *rdataset,
-		  dns_rdataset_t *sigrdataset)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
-	rdatasetheader_t *header, *header_next, *found, *foundsig;
-	rbtdb_serial_t serial;
-	rbtdb_version_t *rbtversion = version;
-	isc_boolean_t close_version = ISC_FALSE;
-	rbtdb_rdatatype_t matchtype, sigmatchtype;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(type != dns_rdatatype_any);
-	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
-
-	if (rbtversion == NULL) {
-		currentversion(db, (dns_dbversion_t **) (void *)(&rbtversion));
-		close_version = ISC_TRUE;
-	}
-	serial = rbtversion->serial;
-	now = 0;
-
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_read);
-
-	found = NULL;
-	foundsig = NULL;
-	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
-	if (covers == 0)
-		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
-	else
-		sigmatchtype = 0;
-
-	for (header = rbtnode->data; header != NULL; header = header_next) {
-		header_next = header->next;
-		do {
-			if (header->serial <= serial &&
-			    !IGNORE(header)) {
-				/*
-				 * Is this a "this rdataset doesn't
-				 * exist" record?
-				 */
-				if (NONEXISTENT(header))
-					header = NULL;
-				break;
-			} else
-				header = header->down;
-		} while (header != NULL);
-		if (header != NULL) {
-			/*
-			 * We have an active, extant rdataset.  If it's a
-			 * type we're looking for, remember it.
-			 */
-			if (header->type == matchtype) {
-				found = header;
-				if (foundsig != NULL)
-					break;
-			} else if (header->type == sigmatchtype) {
-				foundsig = header;
-				if (found != NULL)
-					break;
-			}
-		}
-	}
-	if (found != NULL) {
-		bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
-		if (foundsig != NULL)
-			bind_rdataset(rbtdb, rbtnode, foundsig, now,
-				      sigrdataset);
-	}
-
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		    isc_rwlocktype_read);
-
-	if (close_version)
-		closeversion(db, (dns_dbversion_t **) (void *)(&rbtversion),
-			     ISC_FALSE);
-
-	if (found == NULL)
-		return (ISC_R_NOTFOUND);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		   dns_rdatatype_t type, dns_rdatatype_t covers,
-		   isc_stdtime_t now, dns_rdataset_t *rdataset,
-		   dns_rdataset_t *sigrdataset)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
-	rdatasetheader_t *header, *header_next, *found, *foundsig;
-	rbtdb_rdatatype_t matchtype, sigmatchtype, negtype;
-	isc_result_t result;
-	nodelock_t *lock;
-	isc_rwlocktype_t locktype;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(type != dns_rdatatype_any);
-
-	UNUSED(version);
-
-	result = ISC_R_SUCCESS;
-
-	if (now == 0)
-		isc_stdtime_get(&now);
-
-	lock = &rbtdb->node_locks[rbtnode->locknum].lock;
-	locktype = isc_rwlocktype_read;
-	NODE_LOCK(lock, locktype);
-
-	found = NULL;
-	foundsig = NULL;
-	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
-	negtype = RBTDB_RDATATYPE_VALUE(0, type);
-	if (covers == 0)
-		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
-	else
-		sigmatchtype = 0;
-
-	for (header = rbtnode->data; header != NULL; header = header_next) {
-		header_next = header->next;
-		if (header->rdh_ttl <= now) {
-			if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) &&
-			    (locktype == isc_rwlocktype_write ||
-			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
-				/*
-				 * We update the node's status only when we
-				 * can get write access.
-				 */
-				locktype = isc_rwlocktype_write;
-
-				/*
-				 * We don't check if refcurrent(rbtnode) == 0
-				 * and try to free like we do in cache_find(),
-				 * because refcurrent(rbtnode) must be
-				 * non-zero.  This is so because 'node' is an
-				 * argument to the function.
-				 */
-				header->attributes |= RDATASET_ATTR_STALE;
-				rbtnode->dirty = 1;
-			}
-		} else if (EXISTS(header)) {
-			if (header->type == matchtype)
-				found = header;
-			else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-				 header->type == negtype)
-				found = header;
-			else if (header->type == sigmatchtype)
-				foundsig = header;
-		}
-	}
-	if (found != NULL) {
-		bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
-		if (!NEGATIVE(found) && foundsig != NULL)
-			bind_rdataset(rbtdb, rbtnode, foundsig, now,
-				      sigrdataset);
-	}
-
-	NODE_UNLOCK(lock, locktype);
-
-	if (found == NULL)
-		return (ISC_R_NOTFOUND);
-
-	if (NEGATIVE(found)) {
-		/*
-		 * We found a negative cache entry.
-		 */
-		if (NXDOMAIN(found))
-			result = DNS_R_NCACHENXDOMAIN;
-		else
-			result = DNS_R_NCACHENXRRSET;
-	}
-
-	return (result);
-}
-
-static isc_result_t
-allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
-	rbtdb_version_t *rbtversion = version;
-	rbtdb_rdatasetiter_t *iterator;
-	unsigned int refs;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	iterator = isc_mem_get(rbtdb->common.mctx, sizeof(*iterator));
-	if (iterator == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if ((db->attributes & DNS_DBATTR_CACHE) == 0) {
-		now = 0;
-		if (rbtversion == NULL)
-			currentversion(db,
-				 (dns_dbversion_t **) (void *)(&rbtversion));
-		else {
-			unsigned int refs;
-
-			INSIST(rbtversion->rbtdb == rbtdb);
-
-			isc_refcount_increment(&rbtversion->references,
-					       &refs);
-			INSIST(refs > 1);
-		}
-	} else {
-		if (now == 0)
-			isc_stdtime_get(&now);
-		rbtversion = NULL;
-	}
-
-	iterator->common.magic = DNS_RDATASETITER_MAGIC;
-	iterator->common.methods = &rdatasetiter_methods;
-	iterator->common.db = db;
-	iterator->common.node = node;
-	iterator->common.version = (dns_dbversion_t *)rbtversion;
-	iterator->common.now = now;
-
-	NODE_STRONGLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
-	dns_rbtnode_refincrement(rbtnode, &refs);
-	INSIST(refs != 0);
-
-	iterator->current = NULL;
-
-	NODE_STRONGUNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
-	*iteratorp = (dns_rdatasetiter_t *)iterator;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
-	rdatasetheader_t *header, *header_next;
-	isc_boolean_t cname, other_data;
-	dns_rdatatype_t rdtype;
-
-	/*
-	 * The caller must hold the node lock.
-	 */
-
-	/*
-	 * Look for CNAME and "other data" rdatasets active in our version.
-	 */
-	cname = ISC_FALSE;
-	other_data = ISC_FALSE;
-	for (header = node->data; header != NULL; header = header_next) {
-		header_next = header->next;
-		if (header->type == dns_rdatatype_cname) {
-			/*
-			 * Look for an active extant CNAME.
-			 */
-			do {
-				if (header->serial <= serial &&
-				    !IGNORE(header)) {
-					/*
-					 * Is this a "this rdataset doesn't
-					 * exist" record?
-					 */
-					if (NONEXISTENT(header))
-						header = NULL;
-					break;
-				} else
-					header = header->down;
-			} while (header != NULL);
-			if (header != NULL)
-				cname = ISC_TRUE;
-		} else {
-			/*
-			 * Look for active extant "other data".
-			 *
-			 * "Other data" is any rdataset whose type is not
-			 * KEY, NSEC, SIG or RRSIG.
-			 */
-			rdtype = RBTDB_RDATATYPE_BASE(header->type);
-			if (rdtype != dns_rdatatype_key &&
-			    rdtype != dns_rdatatype_sig &&
-			    rdtype != dns_rdatatype_nsec &&
-			    rdtype != dns_rdatatype_rrsig) {
-				/*
-				 * Is it active and extant?
-				 */
-				do {
-					if (header->serial <= serial &&
-					    !IGNORE(header)) {
-						/*
-						 * Is this a "this rdataset
-						 * doesn't exist" record?
-						 */
-						if (NONEXISTENT(header))
-							header = NULL;
-						break;
-					} else
-						header = header->down;
-				} while (header != NULL);
-				if (header != NULL)
-					other_data = ISC_TRUE;
-			}
-		}
-	}
-
-	if (cname && other_data)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) {
-	isc_result_t result;
-
-	INSIST(!IS_CACHE(rbtdb));
-	INSIST(newheader->heap_index == 0);
-	INSIST(!ISC_LINK_LINKED(newheader, link));
-
-	result = isc_heap_insert(rbtdb->heaps[idx], newheader);
-	return (result);
-}
-
-static isc_result_t
-add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
-    rdatasetheader_t *newheader, unsigned int options, isc_boolean_t loading,
-    dns_rdataset_t *addedrdataset, isc_stdtime_t now)
-{
-	rbtdb_changed_t *changed = NULL;
-	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
-	unsigned char *merged;
-	isc_result_t result;
-	isc_boolean_t header_nx;
-	isc_boolean_t newheader_nx;
-	isc_boolean_t merge;
-	dns_rdatatype_t rdtype, covers;
-	rbtdb_rdatatype_t negtype, sigtype;
-	dns_trust_t trust;
-	int idx;
-
-	/*
-	 * Add an rdatasetheader_t to a node.
-	 */
-
-	/*
-	 * Caller must be holding the node lock.
-	 */
-
-	if ((options & DNS_DBADD_MERGE) != 0) {
-		REQUIRE(rbtversion != NULL);
-		merge = ISC_TRUE;
-	} else
-		merge = ISC_FALSE;
-
-	if ((options & DNS_DBADD_FORCE) != 0)
-		trust = dns_trust_ultimate;
-	else
-		trust = newheader->trust;
-
-	if (rbtversion != NULL && !loading) {
-		/*
-		 * We always add a changed record, even if no changes end up
-		 * being made to this node, because it's harmless and
-		 * simplifies the code.
-		 */
-		changed = add_changed(rbtdb, rbtversion, rbtnode);
-		if (changed == NULL) {
-			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-			return (ISC_R_NOMEMORY);
-		}
-	}
-
-	newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
-	topheader_prev = NULL;
-	sigheader = NULL;
-	negtype = 0;
-	if (rbtversion == NULL && !newheader_nx) {
-		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
-		covers = RBTDB_RDATATYPE_EXT(newheader->type);
-		sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, covers);
-		if (NEGATIVE(newheader)) {
-			/*
-			 * We're adding a negative cache entry.
-			 */
-			for (topheader = rbtnode->data;
-			     topheader != NULL;
-			     topheader = topheader->next) {
-				/*
-				 * If we're adding an negative cache entry
-				 * which covers all types (NXDOMAIN,
-				 * NODATA(QTYPE=ANY)).
-				 *
-				 * We make all other data stale so that the
-				 * only rdataset that can be found at this
-				 * node is the negative cache entry.
-				 *
-				 * Otherwise look for any RRSIGs of the
-				 * given type so they can be marked stale
-				 * later.
-				 */
-				if (covers == dns_rdatatype_any) {
-					set_ttl(rbtdb, topheader, 0);
-					topheader->attributes |=
-						RDATASET_ATTR_STALE;
-					rbtnode->dirty = 1;
-				} else if (topheader->type == sigtype)
-					sigheader = topheader;
-			}
-			if (covers == dns_rdatatype_any)
-				goto find_header;
-			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
-		} else {
-			/*
-			 * We're adding something that isn't a
-			 * negative cache entry.  Look for an extant
-			 * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
-			 * cache entry.  If we're adding an RRSIG, also
-			 * check for an extant non-stale NODATA ncache
-			 * entry which covers the same type as the RRSIG.
-			 */
-			for (topheader = rbtnode->data;
-			     topheader != NULL;
-			     topheader = topheader->next) {
-				if ((topheader->type ==
-					RBTDB_RDATATYPE_NCACHEANY) ||
-					(newheader->type == sigtype &&
-					topheader->type ==
-					RBTDB_RDATATYPE_VALUE(0, covers))) {
-						break;
-					}
-			}
-			if (topheader != NULL && EXISTS(topheader) &&
-			    topheader->rdh_ttl > now) {
-				/*
-				 * Found one.
-				 */
-				if (trust < topheader->trust) {
-					/*
-					 * The NXDOMAIN/NODATA(QTYPE=ANY)
-					 * is more trusted.
-					 */
-					free_rdataset(rbtdb,
-						      rbtdb->common.mctx,
-						      newheader);
-					if (addedrdataset != NULL)
-						bind_rdataset(rbtdb, rbtnode,
-							      topheader, now,
-							      addedrdataset);
-					return (DNS_R_UNCHANGED);
-				}
-				/*
-				 * The new rdataset is better.  Expire the
-				 * ncache entry.
-				 */
-				set_ttl(rbtdb, topheader, 0);
-				topheader->attributes |= RDATASET_ATTR_STALE;
-				rbtnode->dirty = 1;
-				topheader = NULL;
-				goto find_header;
-			}
-			negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
-		}
-	}
-
-	for (topheader = rbtnode->data;
-	     topheader != NULL;
-	     topheader = topheader->next) {
-		if (topheader->type == newheader->type ||
-		    topheader->type == negtype)
-			break;
-		topheader_prev = topheader;
-	}
-
- find_header:
-	/*
-	 * If header isn't NULL, we've found the right type.  There may be
-	 * IGNORE rdatasets between the top of the chain and the first real
-	 * data.  We skip over them.
-	 */
-	header = topheader;
-	while (header != NULL && IGNORE(header))
-		header = header->down;
-	if (header != NULL) {
-		header_nx = NONEXISTENT(header) ? ISC_TRUE : ISC_FALSE;
-
-		/*
-		 * Deleting an already non-existent rdataset has no effect.
-		 */
-		if (header_nx && newheader_nx) {
-			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-			return (DNS_R_UNCHANGED);
-		}
-
-		/*
-		 * Trying to add an rdataset with lower trust to a cache DB
-		 * has no effect, provided that the cache data isn't stale.
-		 */
-		if (rbtversion == NULL && trust < header->trust &&
-		    (header->rdh_ttl > now || header_nx)) {
-			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-			if (addedrdataset != NULL)
-				bind_rdataset(rbtdb, rbtnode, header, now,
-					      addedrdataset);
-			return (DNS_R_UNCHANGED);
-		}
-
-		/*
-		 * Don't merge if a nonexistent rdataset is involved.
-		 */
-		if (merge && (header_nx || newheader_nx))
-			merge = ISC_FALSE;
-
-		/*
-		 * If 'merge' is ISC_TRUE, we'll try to create a new rdataset
-		 * that is the union of 'newheader' and 'header'.
-		 */
-		if (merge) {
-			unsigned int flags = 0;
-			INSIST(rbtversion->serial >= header->serial);
-			merged = NULL;
-			result = ISC_R_SUCCESS;
-
-			if ((options & DNS_DBADD_EXACT) != 0)
-				flags |= DNS_RDATASLAB_EXACT;
-			if ((options & DNS_DBADD_EXACTTTL) != 0 &&
-			     newheader->rdh_ttl != header->rdh_ttl)
-					result = DNS_R_NOTEXACT;
-			else if (newheader->rdh_ttl != header->rdh_ttl)
-				flags |= DNS_RDATASLAB_FORCE;
-			if (result == ISC_R_SUCCESS)
-				result = dns_rdataslab_merge(
-					     (unsigned char *)header,
-					     (unsigned char *)newheader,
-					     (unsigned int)(sizeof(*newheader)),
-					     rbtdb->common.mctx,
-					     rbtdb->common.rdclass,
-					     (dns_rdatatype_t)header->type,
-					     flags, &merged);
-			if (result == ISC_R_SUCCESS) {
-				/*
-				 * If 'header' has the same serial number as
-				 * we do, we could clean it up now if we knew
-				 * that our caller had no references to it.
-				 * We don't know this, however, so we leave it
-				 * alone.  It will get cleaned up when
-				 * clean_zone_node() runs.
-				 */
-				free_rdataset(rbtdb, rbtdb->common.mctx,
-					      newheader);
-				newheader = (rdatasetheader_t *)merged;
-				init_rdataset(rbtdb, newheader);
-				if (loading && RESIGN(newheader) &&
-				    RESIGN(header) &&
-				    header->resign < newheader->resign)
-					newheader->resign = header->resign;
-			} else {
-				free_rdataset(rbtdb, rbtdb->common.mctx,
-					      newheader);
-				return (result);
-			}
-		}
-		/*
-		 * Don't replace existing NS, A and AAAA RRsets
-		 * in the cache if they are already exist.  This
-		 * prevents named being locked to old servers.
-		 * Don't lower trust of existing record if the
-		 * update is forced.
-		 */
-		if (IS_CACHE(rbtdb) && header->rdh_ttl > now &&
-		    header->type == dns_rdatatype_ns &&
-		    !header_nx && !newheader_nx &&
-		    header->trust >= newheader->trust &&
-		    dns_rdataslab_equalx((unsigned char *)header,
-					 (unsigned char *)newheader,
-					 (unsigned int)(sizeof(*newheader)),
-					 rbtdb->common.rdclass,
-					 (dns_rdatatype_t)header->type)) {
-			/*
-			 * Honour the new ttl if it is less than the
-			 * older one.
-			 */
-			if (header->rdh_ttl > newheader->rdh_ttl)
-				set_ttl(rbtdb, header, newheader->rdh_ttl);
-			if (header->noqname == NULL &&
-			    newheader->noqname != NULL) {
-				header->noqname = newheader->noqname;
-				newheader->noqname = NULL;
-			}
-			if (header->closest == NULL &&
-			    newheader->closest != NULL) {
-				header->closest = newheader->closest;
-				newheader->closest = NULL;
-			}
-			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-			if (addedrdataset != NULL)
-				bind_rdataset(rbtdb, rbtnode, header, now,
-					      addedrdataset);
-			return (ISC_R_SUCCESS);
-		}
-		/*
-		 * If we have will be replacing a NS RRset force its TTL
-		 * to be no more than the current NS RRset's TTL.  This
-		 * ensures the delegations that are withdrawn are honoured.
-		 */
-		if (IS_CACHE(rbtdb) && header->rdh_ttl > now &&
-		    header->type == dns_rdatatype_ns &&
-		    !header_nx && !newheader_nx &&
-		    header->trust <= newheader->trust) {
-			if (newheader->rdh_ttl > header->rdh_ttl) {
-				newheader->rdh_ttl = header->rdh_ttl;
-			}
-		}
-		if (IS_CACHE(rbtdb) && header->rdh_ttl > now &&
-		    (header->type == dns_rdatatype_a ||
-		     header->type == dns_rdatatype_aaaa ||
-		     header->type == dns_rdatatype_ds ||
-		     header->type == RBTDB_RDATATYPE_SIGDDS) &&
-		    !header_nx && !newheader_nx &&
-		    header->trust >= newheader->trust &&
-		    dns_rdataslab_equal((unsigned char *)header,
-					(unsigned char *)newheader,
-					(unsigned int)(sizeof(*newheader)))) {
-			/*
-			 * Honour the new ttl if it is less than the
-			 * older one.
-			 */
-			if (header->rdh_ttl > newheader->rdh_ttl)
-				set_ttl(rbtdb, header, newheader->rdh_ttl);
-			if (header->noqname == NULL &&
-			    newheader->noqname != NULL) {
-				header->noqname = newheader->noqname;
-				newheader->noqname = NULL;
-			}
-			if (header->closest == NULL &&
-			    newheader->closest != NULL) {
-				header->closest = newheader->closest;
-				newheader->closest = NULL;
-			}
-			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-			if (addedrdataset != NULL)
-				bind_rdataset(rbtdb, rbtnode, header, now,
-					      addedrdataset);
-			return (ISC_R_SUCCESS);
-		}
-		INSIST(rbtversion == NULL ||
-		       rbtversion->serial >= topheader->serial);
-		if (topheader_prev != NULL)
-			topheader_prev->next = newheader;
-		else
-			rbtnode->data = newheader;
-		newheader->next = topheader->next;
-		if (loading) {
-			/*
-			 * There are no other references to 'header' when
-			 * loading, so we MAY clean up 'header' now.
-			 * Since we don't generate changed records when
-			 * loading, we MUST clean up 'header' now.
-			 */
-			newheader->down = NULL;
-			free_rdataset(rbtdb, rbtdb->common.mctx, header);
-		} else {
-			newheader->down = topheader;
-			topheader->next = newheader;
-			rbtnode->dirty = 1;
-			if (changed != NULL)
-				changed->dirty = ISC_TRUE;
-			if (rbtversion == NULL) {
-				set_ttl(rbtdb, header, 0);
-				header->attributes |= RDATASET_ATTR_STALE;
-				if (sigheader != NULL) {
-					set_ttl(rbtdb, sigheader, 0);
-					sigheader->attributes |=
-						 RDATASET_ATTR_STALE;
-				}
-			}
-			idx = newheader->node->locknum;
-			if (IS_CACHE(rbtdb)) {
-				ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
-						 newheader, link);
-				/*
-				 * XXXMLG We don't check the return value
-				 * here.  If it fails, we will not do TTL
-				 * based expiry on this node.  However, we
-				 * will do it on the LRU side, so memory
-				 * will not leak... for long.
-				 */
-				INSIST(rbtdb->heaps != NULL);
-				isc_heap_insert(rbtdb->heaps[idx], newheader);
-			} else if (RESIGN(newheader))
-				resign_insert(rbtdb, idx, newheader);
-		}
-	} else {
-		/*
-		 * No non-IGNORED rdatasets of the given type exist at
-		 * this node.
-		 */
-
-		/*
-		 * If we're trying to delete the type, don't bother.
-		 */
-		if (newheader_nx) {
-			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-			return (DNS_R_UNCHANGED);
-		}
-
-		if (topheader != NULL) {
-			/*
-			 * We have an list of rdatasets of the given type,
-			 * but they're all marked IGNORE.  We simply insert
-			 * the new rdataset at the head of the list.
-			 *
-			 * Ignored rdatasets cannot occur during loading, so
-			 * we INSIST on it.
-			 */
-			INSIST(!loading);
-			INSIST(rbtversion == NULL ||
-			       rbtversion->serial >= topheader->serial);
-			if (topheader_prev != NULL)
-				topheader_prev->next = newheader;
-			else
-				rbtnode->data = newheader;
-			newheader->next = topheader->next;
-			newheader->down = topheader;
-			topheader->next = newheader;
-			rbtnode->dirty = 1;
-			if (changed != NULL)
-				changed->dirty = ISC_TRUE;
-		} else {
-			/*
-			 * No rdatasets of the given type exist at the node.
-			 */
-			newheader->next = rbtnode->data;
-			newheader->down = NULL;
-			rbtnode->data = newheader;
-		}
-		idx = newheader->node->locknum;
-		if (IS_CACHE(rbtdb)) {
-			ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
-					 newheader, link);
-			isc_heap_insert(rbtdb->heaps[idx], newheader);
-		} else if (RESIGN(newheader)) {
-			resign_insert(rbtdb, idx, newheader);
-		}
-	}
-
-	/*
-	 * Check if the node now contains CNAME and other data.
-	 */
-	if (rbtversion != NULL &&
-	    cname_and_other_data(rbtnode, rbtversion->serial))
-		return (DNS_R_CNAMEANDOTHER);
-
-	if (addedrdataset != NULL)
-		bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_boolean_t
-delegating_type(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
-		rbtdb_rdatatype_t type)
-{
-	if (IS_CACHE(rbtdb)) {
-		if (type == dns_rdatatype_dname)
-			return (ISC_TRUE);
-		else
-			return (ISC_FALSE);
-	} else if (type == dns_rdatatype_dname ||
-		   (type == dns_rdatatype_ns &&
-		    (node != rbtdb->origin_node || IS_STUB(rbtdb))))
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-static inline isc_result_t
-addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
-	   dns_rdataset_t *rdataset)
-{
-	struct noqname *noqname;
-	isc_mem_t *mctx = rbtdb->common.mctx;
-	dns_name_t name;
-	dns_rdataset_t neg, negsig;
-	isc_result_t result;
-	isc_region_t r;
-
-	dns_name_init(&name, NULL);
-	dns_rdataset_init(&neg);
-	dns_rdataset_init(&negsig);
-
-	result = dns_rdataset_getnoqname(rdataset, &name, &neg, &negsig);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	noqname = isc_mem_get(mctx, sizeof(*noqname));
-	if (noqname == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	dns_name_init(&noqname->name, NULL);
-	noqname->neg = NULL;
-	noqname->negsig = NULL;
-	noqname->type = neg.type;
-	result = dns_name_dup(&name, mctx, &noqname->name);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	noqname->neg = r.base;
-	result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	noqname->negsig = r.base;
-	dns_rdataset_disassociate(&neg);
-	dns_rdataset_disassociate(&negsig);
-	newheader->noqname = noqname;
-	return (ISC_R_SUCCESS);
-
-cleanup:
-	dns_rdataset_disassociate(&neg);
-	dns_rdataset_disassociate(&negsig);
-	if (noqname != NULL)
-		free_noqname(mctx, &noqname);
-	return(result);
-}
-
-static inline isc_result_t
-addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
-	   dns_rdataset_t *rdataset)
-{
-	struct noqname *closest;
-	isc_mem_t *mctx = rbtdb->common.mctx;
-	dns_name_t name;
-	dns_rdataset_t neg, negsig;
-	isc_result_t result;
-	isc_region_t r;
-
-	dns_name_init(&name, NULL);
-	dns_rdataset_init(&neg);
-	dns_rdataset_init(&negsig);
-
-	result = dns_rdataset_getclosest(rdataset, &name, &neg, &negsig);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	closest = isc_mem_get(mctx, sizeof(*closest));
-	if (closest == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	dns_name_init(&closest->name, NULL);
-	closest->neg = NULL;
-	closest->negsig = NULL;
-	closest->type = neg.type;
-	result = dns_name_dup(&name, mctx, &closest->name);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	closest->neg = r.base;
-	result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	closest->negsig = r.base;
-	dns_rdataset_disassociate(&neg);
-	dns_rdataset_disassociate(&negsig);
-	newheader->closest = closest;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_rdataset_disassociate(&neg);
-	dns_rdataset_disassociate(&negsig);
-	if (closest != NULL)
-		free_noqname(mctx, &closest);
-	return(result);
-}
-
-static dns_dbmethods_t zone_methods;
-
-static isc_result_t
-addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
-	    dns_rdataset_t *addedrdataset)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
-	rbtdb_version_t *rbtversion = version;
-	isc_region_t region;
-	rdatasetheader_t *newheader;
-	rdatasetheader_t *header;
-	isc_result_t result;
-	isc_boolean_t delegating;
-	isc_boolean_t newnsec;
-	isc_boolean_t tree_locked = ISC_FALSE;
-	isc_boolean_t cache_is_overmem = ISC_FALSE;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
-
-	if (rbtdb->common.methods == &zone_methods)
-		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
-			  (rdataset->type == dns_rdatatype_nsec3 ||
-			   rdataset->covers == dns_rdatatype_nsec3)) ||
-			 (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
-			   rdataset->type != dns_rdatatype_nsec3 &&
-			   rdataset->covers != dns_rdatatype_nsec3)));
-
-	if (rbtversion == NULL) {
-		if (now == 0)
-			isc_stdtime_get(&now);
-	} else
-		now = 0;
-
-	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
-					    &region, sizeof(rdatasetheader_t));
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	newheader = (rdatasetheader_t *)region.base;
-	init_rdataset(rbtdb, newheader);
-	set_ttl(rbtdb, newheader, rdataset->ttl + now);
-	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
-						rdataset->covers);
-	newheader->attributes = 0;
-	newheader->noqname = NULL;
-	newheader->closest = NULL;
-	newheader->count = init_count++;
-	newheader->trust = rdataset->trust;
-	newheader->additional_auth = NULL;
-	newheader->additional_glue = NULL;
-	newheader->last_used = now;
-	newheader->node = rbtnode;
-	if (rbtversion != NULL) {
-		newheader->serial = rbtversion->serial;
-		now = 0;
-
-		if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
-			newheader->attributes |= RDATASET_ATTR_RESIGN;
-			newheader->resign = rdataset->resign;
-		} else
-			newheader->resign = 0;
-	} else {
-		newheader->serial = 1;
-		newheader->resign = 0;
-		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
-			newheader->attributes |= RDATASET_ATTR_NEGATIVE;
-		if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
-			newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
-		if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
-			newheader->attributes |= RDATASET_ATTR_OPTOUT;
-		if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) {
-			result = addnoqname(rbtdb, newheader, rdataset);
-			if (result != ISC_R_SUCCESS) {
-				free_rdataset(rbtdb, rbtdb->common.mctx,
-					      newheader);
-				return (result);
-			}
-		}
-		if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0) {
-			result = addclosest(rbtdb, newheader, rdataset);
-			if (result != ISC_R_SUCCESS) {
-				free_rdataset(rbtdb, rbtdb->common.mctx,
-					      newheader);
-				return (result);
-			}
-		}
-	}
-
-	/*
-	 * If we're adding a delegation type (e.g. NS or DNAME for a zone,
-	 * just DNAME for the cache), then we need to set the callback bit
-	 * on the node.
-	 */
-	if (delegating_type(rbtdb, rbtnode, rdataset->type))
-		delegating = ISC_TRUE;
-	else
-		delegating = ISC_FALSE;
-
-	/*
-	 * Add to the auxiliary NSEC tree if we're adding an NSEC record.
-	 */
-	if (rbtnode->nsec != DNS_RBT_NSEC_HAS_NSEC &&
-	    rdataset->type == dns_rdatatype_nsec)
-		newnsec = ISC_TRUE;
-	else
-		newnsec = ISC_FALSE;
-
-	/*
-	 * If we're adding a delegation type, adding to the auxiliary NSEC tree,
-	 * or the DB is a cache in an overmem state, hold an exclusive lock on
-	 * the tree.  In the latter case the lock does not necessarily have to
-	 * be acquired but it will help purge stale entries more effectively.
-	 */
-	if (IS_CACHE(rbtdb) && isc_mem_isovermem(rbtdb->common.mctx))
-		cache_is_overmem = ISC_TRUE;
-	if (delegating || newnsec || cache_is_overmem) {
-		tree_locked = ISC_TRUE;
-		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-	}
-
-	if (cache_is_overmem)
-		overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
-
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_write);
-
-	if (rbtdb->rrsetstats != NULL) {
-		newheader->attributes |= RDATASET_ATTR_STATCOUNT;
-		update_rrsetstats(rbtdb, newheader, ISC_TRUE);
-	}
-
-	if (IS_CACHE(rbtdb)) {
-		if (tree_locked)
-			cleanup_dead_nodes(rbtdb, rbtnode->locknum);
-
-		header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
-		if (header && header->rdh_ttl <= now - RBTDB_VIRTUAL)
-			expire_header(rbtdb, header, tree_locked);
-
-		/*
-		 * If we've been holding a write lock on the tree just for
-		 * cleaning, we can release it now.  However, we still need the
-		 * node lock.
-		 */
-		if (tree_locked && !delegating && !newnsec) {
-			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-			tree_locked = ISC_FALSE;
-		}
-	}
-
-	result = ISC_R_SUCCESS;
-	if (newnsec) {
-		dns_fixedname_t fname;
-		dns_name_t *name;
-		dns_rbtnode_t *nsecnode;
-
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		dns_rbt_fullnamefromnode(rbtnode, name);
-		nsecnode = NULL;
-		result = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
-		if (result == ISC_R_SUCCESS) {
-			nsecnode->nsec = DNS_RBT_NSEC_NSEC;
-			rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
-		} else if (result == ISC_R_EXISTS) {
-			rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
-			result = ISC_R_SUCCESS;
-		}
-	}
-
-	if (result == ISC_R_SUCCESS)
-		result = add(rbtdb, rbtnode, rbtversion, newheader, options,
-			     ISC_FALSE, addedrdataset, now);
-	if (result == ISC_R_SUCCESS && delegating)
-		rbtnode->find_callback = 1;
-
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		    isc_rwlocktype_write);
-
-	if (tree_locked)
-		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-
-	/*
-	 * Update the zone's secure status.  If version is non-NULL
-	 * this is deferred until closeversion() is called.
-	 */
-	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
-		iszonesecure(db, version, rbtdb->origin_node);
-
-	return (result);
-}
-
-static isc_result_t
-subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		 dns_rdataset_t *rdataset, unsigned int options,
-		 dns_rdataset_t *newrdataset)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
-	rbtdb_version_t *rbtversion = version;
-	rdatasetheader_t *topheader, *topheader_prev, *header, *newheader;
-	unsigned char *subresult;
-	isc_region_t region;
-	isc_result_t result;
-	rbtdb_changed_t *changed;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(rbtversion != NULL && rbtversion->rbtdb == rbtdb);
-
-	if (rbtdb->common.methods == &zone_methods)
-		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
-			  (rdataset->type == dns_rdatatype_nsec3 ||
-			   rdataset->covers == dns_rdatatype_nsec3)) ||
-			 (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
-			   rdataset->type != dns_rdatatype_nsec3 &&
-			   rdataset->covers != dns_rdatatype_nsec3)));
-
-	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
-					    &region,
-					    sizeof(rdatasetheader_t));
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	newheader = (rdatasetheader_t *)region.base;
-	init_rdataset(rbtdb, newheader);
-	set_ttl(rbtdb, newheader, rdataset->ttl);
-	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
-						rdataset->covers);
-	newheader->attributes = 0;
-	newheader->serial = rbtversion->serial;
-	newheader->trust = 0;
-	newheader->noqname = NULL;
-	newheader->closest = NULL;
-	newheader->count = init_count++;
-	newheader->additional_auth = NULL;
-	newheader->additional_glue = NULL;
-	newheader->last_used = 0;
-	newheader->node = rbtnode;
-	if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
-		newheader->attributes |= RDATASET_ATTR_RESIGN;
-		newheader->resign = rdataset->resign;
-	} else
-		newheader->resign = 0;
-
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_write);
-
-	changed = add_changed(rbtdb, rbtversion, rbtnode);
-	if (changed == NULL) {
-		free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-		NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-			    isc_rwlocktype_write);
-		return (ISC_R_NOMEMORY);
-	}
-
-	topheader_prev = NULL;
-	for (topheader = rbtnode->data;
-	     topheader != NULL;
-	     topheader = topheader->next) {
-		if (topheader->type == newheader->type)
-			break;
-		topheader_prev = topheader;
-	}
-	/*
-	 * If header isn't NULL, we've found the right type.  There may be
-	 * IGNORE rdatasets between the top of the chain and the first real
-	 * data.  We skip over them.
-	 */
-	header = topheader;
-	while (header != NULL && IGNORE(header))
-		header = header->down;
-	if (header != NULL && EXISTS(header)) {
-		unsigned int flags = 0;
-		subresult = NULL;
-		result = ISC_R_SUCCESS;
-		if ((options & DNS_DBSUB_EXACT) != 0) {
-			flags |= DNS_RDATASLAB_EXACT;
-			if (newheader->rdh_ttl != header->rdh_ttl)
-				result = DNS_R_NOTEXACT;
-		}
-		if (result == ISC_R_SUCCESS)
-			result = dns_rdataslab_subtract(
-					(unsigned char *)header,
-					(unsigned char *)newheader,
-					(unsigned int)(sizeof(*newheader)),
-					rbtdb->common.mctx,
-					rbtdb->common.rdclass,
-					(dns_rdatatype_t)header->type,
-					flags, &subresult);
-		if (result == ISC_R_SUCCESS) {
-			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-			newheader = (rdatasetheader_t *)subresult;
-			init_rdataset(rbtdb, newheader);
-			/*
-			 * We have to set the serial since the rdataslab
-			 * subtraction routine copies the reserved portion of
-			 * header, not newheader.
-			 */
-			newheader->serial = rbtversion->serial;
-			/*
-			 * XXXJT: dns_rdataslab_subtract() copied the pointers
-			 * to additional info.  We need to clear these fields
-			 * to avoid having duplicated references.
-			 */
-			newheader->additional_auth = NULL;
-			newheader->additional_glue = NULL;
-		} else if (result == DNS_R_NXRRSET) {
-			/*
-			 * This subtraction would remove all of the rdata;
-			 * add a nonexistent header instead.
-			 */
-			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-			newheader = new_rdataset(rbtdb, rbtdb->common.mctx);
-			if (newheader == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto unlock;
-			}
-			set_ttl(rbtdb, newheader, 0);
-			newheader->type = topheader->type;
-			newheader->attributes = RDATASET_ATTR_NONEXISTENT;
-			newheader->trust = 0;
-			newheader->serial = rbtversion->serial;
-			newheader->noqname = NULL;
-			newheader->closest = NULL;
-			newheader->count = 0;
-			newheader->additional_auth = NULL;
-			newheader->additional_glue = NULL;
-			newheader->node = rbtnode;
-			newheader->resign = 0;
-			newheader->last_used = 0;
-		} else {
-			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-			goto unlock;
-		}
-
-		/*
-		 * If we're here, we want to link newheader in front of
-		 * topheader.
-		 */
-		INSIST(rbtversion->serial >= topheader->serial);
-		if (topheader_prev != NULL)
-			topheader_prev->next = newheader;
-		else
-			rbtnode->data = newheader;
-		newheader->next = topheader->next;
-		newheader->down = topheader;
-		topheader->next = newheader;
-		rbtnode->dirty = 1;
-		changed->dirty = ISC_TRUE;
-	} else {
-		/*
-		 * The rdataset doesn't exist, so we don't need to do anything
-		 * to satisfy the deletion request.
-		 */
-		free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
-		if ((options & DNS_DBSUB_EXACT) != 0)
-			result = DNS_R_NOTEXACT;
-		else
-			result = DNS_R_UNCHANGED;
-	}
-
-	if (result == ISC_R_SUCCESS && newrdataset != NULL)
-		bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset);
-
- unlock:
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		    isc_rwlocktype_write);
-
-	/*
-	 * Update the zone's secure status.  If version is non-NULL
-	 * this is deferred until closeversion() is called.
-	 */
-	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
-		iszonesecure(db, rbtdb->current_version, rbtdb->origin_node);
-
-	return (result);
-}
-
-static isc_result_t
-deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	       dns_rdatatype_t type, dns_rdatatype_t covers)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
-	rbtdb_version_t *rbtversion = version;
-	isc_result_t result;
-	rdatasetheader_t *newheader;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
-
-	if (type == dns_rdatatype_any)
-		return (ISC_R_NOTIMPLEMENTED);
-	if (type == dns_rdatatype_rrsig && covers == 0)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	newheader = new_rdataset(rbtdb, rbtdb->common.mctx);
-	if (newheader == NULL)
-		return (ISC_R_NOMEMORY);
-	set_ttl(rbtdb, newheader, 0);
-	newheader->type = RBTDB_RDATATYPE_VALUE(type, covers);
-	newheader->attributes = RDATASET_ATTR_NONEXISTENT;
-	newheader->trust = 0;
-	newheader->noqname = NULL;
-	newheader->closest = NULL;
-	newheader->additional_auth = NULL;
-	newheader->additional_glue = NULL;
-	if (rbtversion != NULL)
-		newheader->serial = rbtversion->serial;
-	else
-		newheader->serial = 0;
-	newheader->count = 0;
-	newheader->last_used = 0;
-	newheader->node = rbtnode;
-
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_write);
-
-	result = add(rbtdb, rbtnode, rbtversion, newheader, DNS_DBADD_FORCE,
-		     ISC_FALSE, NULL, 0);
-
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		    isc_rwlocktype_write);
-
-	/*
-	 * Update the zone's secure status.  If version is non-NULL
-	 * this is deferred until closeversion() is called.
-	 */
-	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
-		iszonesecure(db, rbtdb->current_version, rbtdb->origin_node);
-
-	return (result);
-}
-
-/*
- * load a non-NSEC3 node in the main tree and optionally to the auxiliary NSEC
- */
-static isc_result_t
-loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
-	 isc_boolean_t hasnsec)
-{
-	isc_result_t noderesult, nsecresult;
-	dns_rbtnode_t *nsecnode;
-
-	noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep);
-
-#ifdef BIND9
-	if (noderesult == ISC_R_SUCCESS && rbtdb->rpz_cidr != NULL)
-		dns_rpz_cidr_addip(rbtdb->rpz_cidr, name);
-#endif
-
-	if (!hasnsec)
-		return (noderesult);
-	if (noderesult == ISC_R_EXISTS) {
-		/*
-		 * Add a node to the auxiliary NSEC tree for an old node
-		 * just now getting an NSEC record.
-		 */
-		if ((*nodep)->nsec == DNS_RBT_NSEC_HAS_NSEC)
-			return (noderesult);
-	} else if (noderesult != ISC_R_SUCCESS) {
-		return (noderesult);
-	}
-
-	/*
-	 * Build the auxiliary tree for NSECs as we go.
-	 * This tree speeds searches for closest NSECs that would otherwise
-	 * need to examine many irrelevant nodes in large TLDs.
-	 *
-	 * Add nodes to the auxiliary tree after corresponding nodes have
-	 * been added to the main tree.
-	 */
-	nsecnode = NULL;
-	nsecresult = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
-	if (nsecresult == ISC_R_SUCCESS) {
-		nsecnode->nsec = DNS_RBT_NSEC_NSEC;
-		(*nodep)->nsec = DNS_RBT_NSEC_HAS_NSEC;
-		return (noderesult);
-	}
-
-	if (nsecresult == ISC_R_EXISTS) {
-#if 1 /* 0 */
-		isc_log_write(dns_lctx,
-			      DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_CACHE,
-			      ISC_LOG_WARNING,
-			      "addnode: NSEC node already exists");
-#endif
-		(*nodep)->nsec = DNS_RBT_NSEC_HAS_NSEC;
-		return (noderesult);
-	}
-
-	nsecresult = dns_rbt_deletenode(rbtdb->tree, *nodep, ISC_FALSE);
-	if (nsecresult != ISC_R_SUCCESS)
-		isc_log_write(dns_lctx,
-			      DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_CACHE,
-			      ISC_LOG_WARNING,
-			      "loading_addrdataset: "
-			      "dns_rbt_deletenode: %s after "
-			      "dns_rbt_addnode(NSEC): %s",
-			      isc_result_totext(nsecresult),
-			      isc_result_totext(noderesult));
-	return (noderesult);
-}
-
-static isc_result_t
-loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
-	rbtdb_load_t *loadctx = arg;
-	dns_rbtdb_t *rbtdb = loadctx->rbtdb;
-	dns_rbtnode_t *node;
-	isc_result_t result;
-	isc_region_t region;
-	rdatasetheader_t *newheader;
-
-	/*
-	 * This routine does no node locking.  See comments in
-	 * 'load' below for more information on loading and
-	 * locking.
-	 */
-
-
-	/*
-	 * SOA records are only allowed at top of zone.
-	 */
-	if (rdataset->type == dns_rdatatype_soa &&
-	    !IS_CACHE(rbtdb) && !dns_name_equal(name, &rbtdb->common.origin))
-		return (DNS_R_NOTZONETOP);
-
-	if (rdataset->type != dns_rdatatype_nsec3 &&
-	    rdataset->covers != dns_rdatatype_nsec3)
-		add_empty_wildcards(rbtdb, name);
-
-	if (dns_name_iswildcard(name)) {
-		/*
-		 * NS record owners cannot legally be wild cards.
-		 */
-		if (rdataset->type == dns_rdatatype_ns)
-			return (DNS_R_INVALIDNS);
-		/*
-		 * NSEC3 record owners cannot legally be wild cards.
-		 */
-		if (rdataset->type == dns_rdatatype_nsec3)
-			return (DNS_R_INVALIDNSEC3);
-		result = add_wildcard_magic(rbtdb, name);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	node = NULL;
-	if (rdataset->type == dns_rdatatype_nsec3 ||
-	    rdataset->covers == dns_rdatatype_nsec3) {
-		result = dns_rbt_addnode(rbtdb->nsec3, name, &node);
-		if (result == ISC_R_SUCCESS)
-			node->nsec = DNS_RBT_NSEC_NSEC3;
-	} else if (rdataset->type == dns_rdatatype_nsec) {
-		result = loadnode(rbtdb, name, &node, ISC_TRUE);
-	} else {
-		result = loadnode(rbtdb, name, &node, ISC_FALSE);
-	}
-	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
-		return (result);
-	if (result == ISC_R_SUCCESS) {
-		dns_name_t foundname;
-		dns_name_init(&foundname, NULL);
-		dns_rbt_namefromnode(node, &foundname);
-#ifdef DNS_RBT_USEHASH
-		node->locknum = node->hashval % rbtdb->node_lock_count;
-#else
-		node->locknum = dns_name_hash(&foundname, ISC_TRUE) %
-			rbtdb->node_lock_count;
-#endif
-	}
-
-	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
-					    &region,
-					    sizeof(rdatasetheader_t));
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	newheader = (rdatasetheader_t *)region.base;
-	init_rdataset(rbtdb, newheader);
-	set_ttl(rbtdb, newheader,
-		rdataset->ttl + loadctx->now); /* XXX overflow check */
-	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
-						rdataset->covers);
-	newheader->attributes = 0;
-	newheader->trust = rdataset->trust;
-	newheader->serial = 1;
-	newheader->noqname = NULL;
-	newheader->closest = NULL;
-	newheader->count = init_count++;
-	newheader->additional_auth = NULL;
-	newheader->additional_glue = NULL;
-	newheader->last_used = 0;
-	newheader->node = node;
-	if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
-		newheader->attributes |= RDATASET_ATTR_RESIGN;
-		newheader->resign = rdataset->resign;
-	} else
-		newheader->resign = 0;
-
-	result = add(rbtdb, node, rbtdb->current_version, newheader,
-		     DNS_DBADD_MERGE, ISC_TRUE, NULL, 0);
-	if (result == ISC_R_SUCCESS &&
-	    delegating_type(rbtdb, node, rdataset->type))
-		node->find_callback = 1;
-	else if (result == DNS_R_UNCHANGED)
-		result = ISC_R_SUCCESS;
-
-	return (result);
-}
-
-static isc_result_t
-beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
-	rbtdb_load_t *loadctx;
-	dns_rbtdb_t *rbtdb;
-
-	rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	loadctx = isc_mem_get(rbtdb->common.mctx, sizeof(*loadctx));
-	if (loadctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	loadctx->rbtdb = rbtdb;
-	if (IS_CACHE(rbtdb))
-		isc_stdtime_get(&loadctx->now);
-	else
-		loadctx->now = 0;
-
-	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
-
-	REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING))
-		== 0);
-	rbtdb->attributes |= RBTDB_ATTR_LOADING;
-
-	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
-
-	*addp = loading_addrdataset;
-	*dbloadp = loadctx;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-endload(dns_db_t *db, dns_dbload_t **dbloadp) {
-	rbtdb_load_t *loadctx;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(dbloadp != NULL);
-	loadctx = *dbloadp;
-	REQUIRE(loadctx->rbtdb == rbtdb);
-
-	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
-
-	REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADING) != 0);
-	REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADED) == 0);
-
-	rbtdb->attributes &= ~RBTDB_ATTR_LOADING;
-	rbtdb->attributes |= RBTDB_ATTR_LOADED;
-
-	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
-
-	/*
-	 * If there's a KEY rdataset at the zone origin containing a
-	 * zone key, we consider the zone secure.
-	 */
-	if (! IS_CACHE(rbtdb))
-		iszonesecure(db, rbtdb->current_version, rbtdb->origin_node);
-
-	*dbloadp = NULL;
-
-	isc_mem_put(rbtdb->common.mctx, loadctx, sizeof(*loadctx));
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
-     dns_masterformat_t masterformat) {
-	dns_rbtdb_t *rbtdb;
-	rbtdb_version_t *rbtversion = version;
-
-	rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
-
-#ifdef BIND9
-	return (dns_master_dump2(rbtdb->common.mctx, db, version,
-				 &dns_master_style_default,
-				 filename, masterformat));
-#else
-	UNUSED(version);
-	UNUSED(filename);
-	UNUSED(masterformat);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#endif /* BIND9 */
-}
-
-static void
-delete_callback(void *data, void *arg) {
-	dns_rbtdb_t *rbtdb = arg;
-	rdatasetheader_t *current, *next;
-	unsigned int locknum;
-
-	current = data;
-	locknum = current->node->locknum;
-	NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
-	while (current != NULL) {
-		next = current->next;
-		free_rdataset(rbtdb, rbtdb->common.mctx, current);
-		current = next;
-	}
-	NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
-}
-
-static isc_boolean_t
-issecure(dns_db_t *db) {
-	dns_rbtdb_t *rbtdb;
-	isc_boolean_t secure;
-
-	rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-	secure = ISC_TF(rbtdb->current_version->secure == dns_db_secure);
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
-	return (secure);
-}
-
-static isc_boolean_t
-isdnssec(dns_db_t *db) {
-	dns_rbtdb_t *rbtdb;
-	isc_boolean_t dnssec;
-
-	rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-	dnssec = ISC_TF(rbtdb->current_version->secure != dns_db_insecure);
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
-	return (dnssec);
-}
-
-static unsigned int
-nodecount(dns_db_t *db) {
-	dns_rbtdb_t *rbtdb;
-	unsigned int count;
-
-	rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-	count = dns_rbt_nodecount(rbtdb->tree);
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
-	return (count);
-}
-
-static void
-settask(dns_db_t *db, isc_task_t *task) {
-	dns_rbtdb_t *rbtdb;
-
-	rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
-	if (rbtdb->task != NULL)
-		isc_task_detach(&rbtdb->task);
-	if (task != NULL)
-		isc_task_attach(task, &rbtdb->task);
-	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
-}
-
-static isc_boolean_t
-ispersistent(dns_db_t *db) {
-	UNUSED(db);
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *onode;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	/* Note that the access to origin_node doesn't require a DB lock */
-	onode = (dns_rbtnode_t *)rbtdb->origin_node;
-	if (onode != NULL) {
-		NODE_STRONGLOCK(&rbtdb->node_locks[onode->locknum].lock);
-		new_reference(rbtdb, onode);
-		NODE_STRONGUNLOCK(&rbtdb->node_locks[onode->locknum].lock);
-
-		*nodep = rbtdb->origin_node;
-	} else {
-		INSIST(IS_CACHE(rbtdb));
-		result = ISC_R_NOTFOUND;
-	}
-
-	return (result);
-}
-
-static isc_result_t
-getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
-		   isc_uint8_t *flags, isc_uint16_t *iterations,
-		   unsigned char *salt, size_t *salt_length)
-{
-	dns_rbtdb_t *rbtdb;
-	isc_result_t result = ISC_R_NOTFOUND;
-	rbtdb_version_t *rbtversion = version;
-
-	rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
-	if (rbtversion == NULL)
-		rbtversion = rbtdb->current_version;
-
-	if (rbtversion->havensec3) {
-		if (hash != NULL)
-			*hash = rbtversion->hash;
-		if (salt != NULL && salt_length != NULL) {
-			REQUIRE(*salt_length >= rbtversion->salt_length);
-			memcpy(salt, rbtversion->salt, rbtversion->salt_length);
-		}
-		if (salt_length != NULL)
-			*salt_length = rbtversion->salt_length;
-		if (iterations != NULL)
-			*iterations = rbtversion->iterations;
-		if (flags != NULL)
-			*flags = rbtversion->flags;
-		result = ISC_R_SUCCESS;
-	}
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
-	return (result);
-}
-
-static isc_result_t
-setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	isc_stdtime_t oldresign;
-	isc_result_t result = ISC_R_SUCCESS;
-	rdatasetheader_t *header;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(!IS_CACHE(rbtdb));
-	REQUIRE(rdataset != NULL);
-
-	header = rdataset->private3;
-	header--;
-
-	NODE_LOCK(&rbtdb->node_locks[header->node->locknum].lock,
-		  isc_rwlocktype_write);
-
-	oldresign = header->resign;
-	header->resign = resign;
-	if (header->heap_index != 0) {
-		INSIST(RESIGN(header));
-		if (resign == 0) {
-			isc_heap_delete(rbtdb->heaps[header->node->locknum],
-					header->heap_index);
-			header->heap_index = 0;
-		} else if (resign < oldresign)
-			isc_heap_increased(rbtdb->heaps[header->node->locknum],
-					   header->heap_index);
-		else if (resign > oldresign)
-			isc_heap_decreased(rbtdb->heaps[header->node->locknum],
-					   header->heap_index);
-	} else if (resign && header->heap_index == 0) {
-		header->attributes |= RDATASET_ATTR_RESIGN;
-		result = resign_insert(rbtdb, header->node->locknum, header);
-	}
-	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
-		    isc_rwlocktype_write);
-	return (result);
-}
-
-static isc_result_t
-getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
-	       dns_name_t *foundname)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	rdatasetheader_t *header = NULL, *this;
-	unsigned int i;
-	isc_result_t result = ISC_R_NOTFOUND;
-	unsigned int locknum;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
-	for (i = 0; i < rbtdb->node_lock_count; i++) {
-		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read);
-		this = isc_heap_element(rbtdb->heaps[i], 1);
-		if (this == NULL) {
-			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
-				    isc_rwlocktype_read);
-			continue;
-		}
-		if (header == NULL)
-			header = this;
-		else if (isc_serial_lt(this->resign, header->resign)) {
-			locknum = header->node->locknum;
-			NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
-				    isc_rwlocktype_read);
-			header = this;
-		} else
-			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
-				    isc_rwlocktype_read);
-	}
-
-	if (header == NULL)
-		goto unlock;
-
-	bind_rdataset(rbtdb, header->node, header, 0, rdataset);
-
-	if (foundname != NULL)
-		dns_rbt_fullnamefromnode(header->node, foundname);
-
-	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
-		    isc_rwlocktype_read);
-
-	result = ISC_R_SUCCESS;
-
- unlock:
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
-	return (result);
-}
-
-static void
-resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
-{
-	rbtdb_version_t *rbtversion = (rbtdb_version_t *)version;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	dns_rbtnode_t *node;
-	rdatasetheader_t *header;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(rdataset != NULL);
-	REQUIRE(rdataset->methods == &rdataset_methods);
-	REQUIRE(rbtdb->future_version == rbtversion);
-	REQUIRE(rbtversion != NULL);
-	REQUIRE(rbtversion->writer);
-	REQUIRE(rbtversion->rbtdb == rbtdb);
-
-	node = rdataset->private2;
-	INSIST(node != NULL);
-	header = rdataset->private3;
-	INSIST(header != NULL);
-	header--;
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-	NODE_LOCK(&rbtdb->node_locks[node->locknum].lock,
-		  isc_rwlocktype_write);
-	/*
-	 * Delete from heap and save to re-signed list so that it can
-	 * be restored if we backout of this change.
-	 */
-	new_reference(rbtdb, node);
-	isc_heap_delete(rbtdb->heaps[node->locknum], header->heap_index);
-	header->heap_index = 0;
-	ISC_LIST_APPEND(rbtversion->resigned_list, header, link);
-
-	NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock,
-		    isc_rwlocktype_write);
-	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-}
-
-static dns_stats_t *
-getrrsetstats(dns_db_t *db) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-
-	REQUIRE(VALID_RBTDB(rbtdb));
-	REQUIRE(IS_CACHE(rbtdb)); /* current restriction */
-
-	return (rbtdb->rrsetstats);
-}
-
-static dns_dbmethods_t zone_methods = {
-	attach,
-	detach,
-	beginload,
-	endload,
-	dump,
-	currentversion,
-	newversion,
-	attachversion,
-	closeversion,
-	findnode,
-	zone_find,
-	zone_findzonecut,
-	attachnode,
-	detachnode,
-	expirenode,
-	printnode,
-	createiterator,
-	zone_findrdataset,
-	allrdatasets,
-	addrdataset,
-	subtractrdataset,
-	deleterdataset,
-	issecure,
-	nodecount,
-	ispersistent,
-	overmem,
-	settask,
-	getoriginnode,
-	NULL,
-	getnsec3parameters,
-	findnsec3node,
-	setsigningtime,
-	getsigningtime,
-	resigned,
-	isdnssec,
-	NULL,
-#ifdef BIND9
-	rpz_enabled,
-	rpz_findips,
-#else
-	NULL,
-	NULL,
-#endif
-	NULL,
-	NULL
-};
-
-static dns_dbmethods_t cache_methods = {
-	attach,
-	detach,
-	beginload,
-	endload,
-	dump,
-	currentversion,
-	newversion,
-	attachversion,
-	closeversion,
-	findnode,
-	cache_find,
-	cache_findzonecut,
-	attachnode,
-	detachnode,
-	expirenode,
-	printnode,
-	createiterator,
-	cache_findrdataset,
-	allrdatasets,
-	addrdataset,
-	subtractrdataset,
-	deleterdataset,
-	issecure,
-	nodecount,
-	ispersistent,
-	overmem,
-	settask,
-	getoriginnode,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	isdnssec,
-	getrrsetstats,
-	NULL,
-	NULL,
-	NULL,
-	NULL
-};
-
-isc_result_t
-#ifdef DNS_RBTDB_VERSION64
-dns_rbtdb64_create
-#else
-dns_rbtdb_create
-#endif
-		(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
-		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
-		 void *driverarg, dns_db_t **dbp)
-{
-	dns_rbtdb_t *rbtdb;
-	isc_result_t result;
-	int i;
-	dns_name_t name;
-	isc_boolean_t (*sooner)(void *, void *);
-	isc_mem_t *hmctx = mctx;
-
-	/* Keep the compiler happy. */
-	UNUSED(driverarg);
-
-	rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
-	if (rbtdb == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/*
-	 * If argv[0] exists, it points to a memory context to use for heap
-	 */
-	if (argc != 0)
-		hmctx = (isc_mem_t *) argv[0];
-
-	memset(rbtdb, '\0', sizeof(*rbtdb));
-	dns_name_init(&rbtdb->common.origin, NULL);
-	rbtdb->common.attributes = 0;
-	if (type == dns_dbtype_cache) {
-		rbtdb->common.methods = &cache_methods;
-		rbtdb->common.attributes |= DNS_DBATTR_CACHE;
-	} else if (type == dns_dbtype_stub) {
-		rbtdb->common.methods = &zone_methods;
-		rbtdb->common.attributes |= DNS_DBATTR_STUB;
-	} else
-		rbtdb->common.methods = &zone_methods;
-	rbtdb->common.rdclass = rdclass;
-	rbtdb->common.mctx = NULL;
-
-	result = RBTDB_INITLOCK(&rbtdb->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_rbtdb;
-
-	result = isc_rwlock_init(&rbtdb->tree_lock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-
-	/*
-	 * Initialize node_lock_count in a generic way to support future
-	 * extension which allows the user to specify this value on creation.
-	 * Note that when specified for a cache DB it must be larger than 1
-	 * as commented with the definition of DEFAULT_CACHE_NODE_LOCK_COUNT.
-	 */
-	if (rbtdb->node_lock_count == 0) {
-		if (IS_CACHE(rbtdb))
-			rbtdb->node_lock_count = DEFAULT_CACHE_NODE_LOCK_COUNT;
-		else
-			rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT;
-	} else if (rbtdb->node_lock_count < 2 && IS_CACHE(rbtdb)) {
-		result = ISC_R_RANGE;
-		goto cleanup_tree_lock;
-	}
-	INSIST(rbtdb->node_lock_count < (1 << DNS_RBT_LOCKLENGTH));
-	rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count *
-					sizeof(rbtdb_nodelock_t));
-	if (rbtdb->node_locks == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_tree_lock;
-	}
-
-	rbtdb->rrsetstats = NULL;
-	if (IS_CACHE(rbtdb)) {
-		result = dns_rdatasetstats_create(mctx, &rbtdb->rrsetstats);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_node_locks;
-		rbtdb->rdatasets = isc_mem_get(mctx, rbtdb->node_lock_count *
-					       sizeof(rdatasetheaderlist_t));
-		if (rbtdb->rdatasets == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup_rrsetstats;
-		}
-		for (i = 0; i < (int)rbtdb->node_lock_count; i++)
-			ISC_LIST_INIT(rbtdb->rdatasets[i]);
-	} else
-		rbtdb->rdatasets = NULL;
-
-	/*
-	 * Create the heaps.
-	 */
-	rbtdb->heaps = isc_mem_get(hmctx, rbtdb->node_lock_count *
-				   sizeof(isc_heap_t *));
-	if (rbtdb->heaps == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_rdatasets;
-	}
-	for (i = 0; i < (int)rbtdb->node_lock_count; i++)
-		rbtdb->heaps[i] = NULL;
-	sooner = IS_CACHE(rbtdb) ? ttl_sooner : resign_sooner;
-	for (i = 0; i < (int)rbtdb->node_lock_count; i++) {
-		result = isc_heap_create(hmctx, sooner, set_index, 0,
-					 &rbtdb->heaps[i]);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_heaps;
-	}
-
-	/*
-	 * Create deadnode lists.
-	 */
-	rbtdb->deadnodes = isc_mem_get(mctx, rbtdb->node_lock_count *
-				       sizeof(rbtnodelist_t));
-	if (rbtdb->deadnodes == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_heaps;
-	}
-	for (i = 0; i < (int)rbtdb->node_lock_count; i++)
-		ISC_LIST_INIT(rbtdb->deadnodes[i]);
-
-	rbtdb->active = rbtdb->node_lock_count;
-
-	for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
-		result = NODE_INITLOCK(&rbtdb->node_locks[i].lock);
-		if (result == ISC_R_SUCCESS) {
-			result = isc_refcount_init(&rbtdb->node_locks[i].references, 0);
-			if (result != ISC_R_SUCCESS)
-				NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
-		}
-		if (result != ISC_R_SUCCESS) {
-			while (i-- > 0) {
-				NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
-				isc_refcount_decrement(&rbtdb->node_locks[i].references, NULL);
-				isc_refcount_destroy(&rbtdb->node_locks[i].references);
-			}
-			goto cleanup_deadnodes;
-		}
-		rbtdb->node_locks[i].exiting = ISC_FALSE;
-	}
-
-	/*
-	 * Attach to the mctx.  The database will persist so long as there
-	 * are references to it, and attaching to the mctx ensures that our
-	 * mctx won't disappear out from under us.
-	 */
-	isc_mem_attach(mctx, &rbtdb->common.mctx);
-	isc_mem_attach(hmctx, &rbtdb->hmctx);
-
-	/*
-	 * Must be initialized before free_rbtdb() is called.
-	 */
-	isc_ondestroy_init(&rbtdb->common.ondest);
-
-	/*
-	 * Make a copy of the origin name.
-	 */
-	result = dns_name_dupwithoffsets(origin, mctx, &rbtdb->common.origin);
-	if (result != ISC_R_SUCCESS) {
-		free_rbtdb(rbtdb, ISC_FALSE, NULL);
-		return (result);
-	}
-
-	/*
-	 * Make the Red-Black Trees.
-	 */
-	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->tree);
-	if (result != ISC_R_SUCCESS) {
-		free_rbtdb(rbtdb, ISC_FALSE, NULL);
-		return (result);
-	}
-
-	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec);
-	if (result != ISC_R_SUCCESS) {
-		free_rbtdb(rbtdb, ISC_FALSE, NULL);
-		return (result);
-	}
-
-	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec3);
-	if (result != ISC_R_SUCCESS) {
-		free_rbtdb(rbtdb, ISC_FALSE, NULL);
-		return (result);
-	}
-
-	/*
-	 * In order to set the node callback bit correctly in zone databases,
-	 * we need to know if the node has the origin name of the zone.
-	 * In loading_addrdataset() we could simply compare the new name
-	 * to the origin name, but this is expensive.  Also, we don't know the
-	 * node name in addrdataset(), so we need another way of knowing the
-	 * zone's top.
-	 *
-	 * We now explicitly create a node for the zone's origin, and then
-	 * we simply remember the node's address.  This is safe, because
-	 * the top-of-zone node can never be deleted, nor can its address
-	 * change.
-	 */
-	if (!IS_CACHE(rbtdb)) {
-		dns_rbtnode_t *nsec3node;
-
-		rbtdb->origin_node = NULL;
-		result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
-					 &rbtdb->origin_node);
-		if (result != ISC_R_SUCCESS) {
-			INSIST(result != ISC_R_EXISTS);
-			free_rbtdb(rbtdb, ISC_FALSE, NULL);
-			return (result);
-		}
-		rbtdb->origin_node->nsec = DNS_RBT_NSEC_NORMAL;
-		/*
-		 * We need to give the origin node the right locknum.
-		 */
-		dns_name_init(&name, NULL);
-		dns_rbt_namefromnode(rbtdb->origin_node, &name);
-#ifdef DNS_RBT_USEHASH
-		rbtdb->origin_node->locknum =
-			rbtdb->origin_node->hashval %
-			rbtdb->node_lock_count;
-#else
-		rbtdb->origin_node->locknum =
-			dns_name_hash(&name, ISC_TRUE) %
-			rbtdb->node_lock_count;
-#endif
-		/*
-		 * Add an apex node to the NSEC3 tree so that NSEC3 searches
-		 * return partial matches when there is only a single NSEC3
-		 * record in the tree.
-		 */
-		nsec3node = NULL;
-		result = dns_rbt_addnode(rbtdb->nsec3, &rbtdb->common.origin,
-					 &nsec3node);
-		if (result != ISC_R_SUCCESS) {
-			INSIST(result != ISC_R_EXISTS);
-			free_rbtdb(rbtdb, ISC_FALSE, NULL);
-			return (result);
-		}
-		nsec3node->nsec = DNS_RBT_NSEC_NSEC3;
-		/*
-		 * We need to give the nsec3 origin node the right locknum.
-		 */
-		dns_name_init(&name, NULL);
-		dns_rbt_namefromnode(nsec3node, &name);
-#ifdef DNS_RBT_USEHASH
-		nsec3node->locknum = nsec3node->hashval %
-			rbtdb->node_lock_count;
-#else
-		nsec3node->locknum = dns_name_hash(&name, ISC_TRUE) %
-			rbtdb->node_lock_count;
-#endif
-	}
-
-	/*
-	 * Misc. Initialization.
-	 */
-	result = isc_refcount_init(&rbtdb->references, 1);
-	if (result != ISC_R_SUCCESS) {
-		free_rbtdb(rbtdb, ISC_FALSE, NULL);
-		return (result);
-	}
-	rbtdb->attributes = 0;
-	rbtdb->task = NULL;
-
-	/*
-	 * Version Initialization.
-	 */
-	rbtdb->current_serial = 1;
-	rbtdb->least_serial = 1;
-	rbtdb->next_serial = 2;
-	rbtdb->current_version = allocate_version(mctx, 1, 1, ISC_FALSE);
-	if (rbtdb->current_version == NULL) {
-		isc_refcount_decrement(&rbtdb->references, NULL);
-		isc_refcount_destroy(&rbtdb->references);
-		free_rbtdb(rbtdb, ISC_FALSE, NULL);
-		return (ISC_R_NOMEMORY);
-	}
-	rbtdb->current_version->rbtdb = rbtdb;
-	rbtdb->current_version->secure = dns_db_insecure;
-	rbtdb->current_version->havensec3 = ISC_FALSE;
-	rbtdb->current_version->flags = 0;
-	rbtdb->current_version->iterations = 0;
-	rbtdb->current_version->hash = 0;
-	rbtdb->current_version->salt_length = 0;
-	memset(rbtdb->current_version->salt, 0,
-	       sizeof(rbtdb->current_version->salt));
-	rbtdb->future_version = NULL;
-	ISC_LIST_INIT(rbtdb->open_versions);
-	/*
-	 * Keep the current version in the open list so that list operation
-	 * won't happen in normal lookup operations.
-	 */
-	PREPEND(rbtdb->open_versions, rbtdb->current_version, link);
-
-	rbtdb->common.magic = DNS_DB_MAGIC;
-	rbtdb->common.impmagic = RBTDB_MAGIC;
-
-	*dbp = (dns_db_t *)rbtdb;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_deadnodes:
-	isc_mem_put(mctx, rbtdb->deadnodes,
-		    rbtdb->node_lock_count * sizeof(rbtnodelist_t));
-
- cleanup_heaps:
-	if (rbtdb->heaps != NULL) {
-		for (i = 0 ; i < (int)rbtdb->node_lock_count ; i++)
-			if (rbtdb->heaps[i] != NULL)
-				isc_heap_destroy(&rbtdb->heaps[i]);
-		isc_mem_put(hmctx, rbtdb->heaps,
-			    rbtdb->node_lock_count * sizeof(isc_heap_t *));
-	}
-
- cleanup_rdatasets:
-	if (rbtdb->rdatasets != NULL)
-		isc_mem_put(mctx, rbtdb->rdatasets, rbtdb->node_lock_count *
-			    sizeof(rdatasetheaderlist_t));
- cleanup_rrsetstats:
-	if (rbtdb->rrsetstats != NULL)
-		dns_stats_detach(&rbtdb->rrsetstats);
-
- cleanup_node_locks:
-	isc_mem_put(mctx, rbtdb->node_locks,
-		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
-
- cleanup_tree_lock:
-	isc_rwlock_destroy(&rbtdb->tree_lock);
-
- cleanup_lock:
-	RBTDB_DESTROYLOCK(&rbtdb->lock);
-
- cleanup_rbtdb:
-	isc_mem_put(mctx, rbtdb,  sizeof(*rbtdb));
-	return (result);
-}
-
-
-/*
- * Slabbed Rdataset Methods
- */
-
-static void
-rdataset_disassociate(dns_rdataset_t *rdataset) {
-	dns_db_t *db = rdataset->private1;
-	dns_dbnode_t *node = rdataset->private2;
-
-	detachnode(db, &node);
-}
-
-static isc_result_t
-rdataset_first(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
-	unsigned int count;
-
-	count = raw[0] * 256 + raw[1];
-	if (count == 0) {
-		rdataset->private5 = NULL;
-		return (ISC_R_NOMORE);
-	}
-
-#if DNS_RDATASET_FIXED
-	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0)
-		raw += 2 + (4 * count);
-	else
-#endif
-		raw += 2;
-
-	/*
-	 * The privateuint4 field is the number of rdata beyond the
-	 * cursor position, so we decrement the total count by one
-	 * before storing it.
-	 *
-	 * If DNS_RDATASETATTR_LOADORDER is not set 'raw' points to the
-	 * first record.  If DNS_RDATASETATTR_LOADORDER is set 'raw' points
-	 * to the first entry in the offset table.
-	 */
-	count--;
-	rdataset->privateuint4 = count;
-	rdataset->private5 = raw;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdataset_next(dns_rdataset_t *rdataset) {
-	unsigned int count;
-	unsigned int length;
-	unsigned char *raw;     /* RDATASLAB */
-
-	count = rdataset->privateuint4;
-	if (count == 0)
-		return (ISC_R_NOMORE);
-	count--;
-	rdataset->privateuint4 = count;
-
-	/*
-	 * Skip forward one record (length + 4) or one offset (4).
-	 */
-	raw = rdataset->private5;
-#if DNS_RDATASET_FIXED
-	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0) {
-#endif
-		length = raw[0] * 256 + raw[1];
-		raw += length;
-#if DNS_RDATASET_FIXED
-	}
-	rdataset->private5 = raw + 4;           /* length(2) + order(2) */
-#else
-	rdataset->private5 = raw + 2;           /* length(2) */
-#endif
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	unsigned char *raw = rdataset->private5;        /* RDATASLAB */
-#if DNS_RDATASET_FIXED
-	unsigned int offset;
-#endif
-	unsigned int length;
-	isc_region_t r;
-	unsigned int flags = 0;
-
-	REQUIRE(raw != NULL);
-
-	/*
-	 * Find the start of the record if not already in private5
-	 * then skip the length and order fields.
-	 */
-#if DNS_RDATASET_FIXED
-	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) {
-		offset = (raw[0] << 24) + (raw[1] << 16) +
-			 (raw[2] << 8) + raw[3];
-		raw = rdataset->private3;
-		raw += offset;
-	}
-#endif
-	length = raw[0] * 256 + raw[1];
-#if DNS_RDATASET_FIXED
-	raw += 4;
-#else
-	raw += 2;
-#endif
-	if (rdataset->type == dns_rdatatype_rrsig) {
-		if (*raw & DNS_RDATASLAB_OFFLINE)
-			flags |= DNS_RDATA_OFFLINE;
-		length--;
-		raw++;
-	}
-	r.length = length;
-	r.base = raw;
-	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
-	rdata->flags |= flags;
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-	dns_db_t *db = source->private1;
-	dns_dbnode_t *node = source->private2;
-	dns_dbnode_t *cloned_node = NULL;
-
-	attachnode(db, node, &cloned_node);
-	INSIST(!ISC_LINK_LINKED(target, link));
-	*target = *source;
-	ISC_LINK_INIT(target, link);
-
-	/*
-	 * Reset iterator state.
-	 */
-	target->privateuint4 = 0;
-	target->private5 = NULL;
-}
-
-static unsigned int
-rdataset_count(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
-	unsigned int count;
-
-	count = raw[0] * 256 + raw[1];
-
-	return (count);
-}
-
-static isc_result_t
-rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
-		    dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
-{
-	dns_db_t *db = rdataset->private1;
-	dns_dbnode_t *node = rdataset->private2;
-	dns_dbnode_t *cloned_node;
-	struct noqname *noqname = rdataset->private6;
-
-	cloned_node = NULL;
-	attachnode(db, node, &cloned_node);
-	nsec->methods = &rdataset_methods;
-	nsec->rdclass = db->rdclass;
-	nsec->type = noqname->type;
-	nsec->covers = 0;
-	nsec->ttl = rdataset->ttl;
-	nsec->trust = rdataset->trust;
-	nsec->private1 = rdataset->private1;
-	nsec->private2 = rdataset->private2;
-	nsec->private3 = noqname->neg;
-	nsec->privateuint4 = 0;
-	nsec->private5 = NULL;
-	nsec->private6 = NULL;
-	nsec->private7 = NULL;
-
-	cloned_node = NULL;
-	attachnode(db, node, &cloned_node);
-	nsecsig->methods = &rdataset_methods;
-	nsecsig->rdclass = db->rdclass;
-	nsecsig->type = dns_rdatatype_rrsig;
-	nsecsig->covers = noqname->type;
-	nsecsig->ttl = rdataset->ttl;
-	nsecsig->trust = rdataset->trust;
-	nsecsig->private1 = rdataset->private1;
-	nsecsig->private2 = rdataset->private2;
-	nsecsig->private3 = noqname->negsig;
-	nsecsig->privateuint4 = 0;
-	nsecsig->private5 = NULL;
-	nsec->private6 = NULL;
-	nsec->private7 = NULL;
-
-	dns_name_clone(&noqname->name, name);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
-		    dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
-{
-	dns_db_t *db = rdataset->private1;
-	dns_dbnode_t *node = rdataset->private2;
-	dns_dbnode_t *cloned_node;
-	struct noqname *closest = rdataset->private7;
-
-	cloned_node = NULL;
-	attachnode(db, node, &cloned_node);
-	nsec->methods = &rdataset_methods;
-	nsec->rdclass = db->rdclass;
-	nsec->type = closest->type;
-	nsec->covers = 0;
-	nsec->ttl = rdataset->ttl;
-	nsec->trust = rdataset->trust;
-	nsec->private1 = rdataset->private1;
-	nsec->private2 = rdataset->private2;
-	nsec->private3 = closest->neg;
-	nsec->privateuint4 = 0;
-	nsec->private5 = NULL;
-	nsec->private6 = NULL;
-	nsec->private7 = NULL;
-
-	cloned_node = NULL;
-	attachnode(db, node, &cloned_node);
-	nsecsig->methods = &rdataset_methods;
-	nsecsig->rdclass = db->rdclass;
-	nsecsig->type = dns_rdatatype_rrsig;
-	nsecsig->covers = closest->type;
-	nsecsig->ttl = rdataset->ttl;
-	nsecsig->trust = rdataset->trust;
-	nsecsig->private1 = rdataset->private1;
-	nsecsig->private2 = rdataset->private2;
-	nsecsig->private3 = closest->negsig;
-	nsecsig->privateuint4 = 0;
-	nsecsig->private5 = NULL;
-	nsec->private6 = NULL;
-	nsec->private7 = NULL;
-
-	dns_name_clone(&closest->name, name);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
-	dns_rbtdb_t *rbtdb = rdataset->private1;
-	dns_rbtnode_t *rbtnode = rdataset->private2;
-	rdatasetheader_t *header = rdataset->private3;
-
-	header--;
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_write);
-	header->trust = rdataset->trust = trust;
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_write);
-}
-
-static void
-rdataset_expire(dns_rdataset_t *rdataset) {
-	dns_rbtdb_t *rbtdb = rdataset->private1;
-	dns_rbtnode_t *rbtnode = rdataset->private2;
-	rdatasetheader_t *header = rdataset->private3;
-
-	header--;
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_write);
-	expire_header(rbtdb, header, ISC_FALSE);
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_write);
-}
-
-/*
- * Rdataset Iterator Methods
- */
-
-static void
-rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
-	rbtdb_rdatasetiter_t *rbtiterator;
-
-	rbtiterator = (rbtdb_rdatasetiter_t *)(*iteratorp);
-
-	if (rbtiterator->common.version != NULL)
-		closeversion(rbtiterator->common.db,
-			     &rbtiterator->common.version, ISC_FALSE);
-	detachnode(rbtiterator->common.db, &rbtiterator->common.node);
-	isc_mem_put(rbtiterator->common.db->mctx, rbtiterator,
-		    sizeof(*rbtiterator));
-
-	*iteratorp = NULL;
-}
-
-static isc_result_t
-rdatasetiter_first(dns_rdatasetiter_t *iterator) {
-	rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
-	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
-	rbtdb_version_t *rbtversion = rbtiterator->common.version;
-	rdatasetheader_t *header, *top_next;
-	rbtdb_serial_t serial;
-	isc_stdtime_t now;
-
-	if (IS_CACHE(rbtdb)) {
-		serial = 1;
-		now = rbtiterator->common.now;
-	} else {
-		serial = rbtversion->serial;
-		now = 0;
-	}
-
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_read);
-
-	for (header = rbtnode->data; header != NULL; header = top_next) {
-		top_next = header->next;
-		do {
-			if (header->serial <= serial && !IGNORE(header)) {
-				/*
-				 * Is this a "this rdataset doesn't exist"
-				 * record?  Or is it too old in the cache?
-				 *
-				 * Note: unlike everywhere else, we
-				 * check for now > header->rdh_ttl instead
-				 * of now >= header->rdh_ttl.  This allows
-				 * ANY and RRSIG queries for 0 TTL
-				 * rdatasets to work.
-				 */
-				if (NONEXISTENT(header) ||
-				    (now != 0 && now > header->rdh_ttl))
-					header = NULL;
-				break;
-			} else
-				header = header->down;
-		} while (header != NULL);
-		if (header != NULL)
-			break;
-	}
-
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		    isc_rwlocktype_read);
-
-	rbtiterator->current = header;
-
-	if (header == NULL)
-		return (ISC_R_NOMORE);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdatasetiter_next(dns_rdatasetiter_t *iterator) {
-	rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
-	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
-	rbtdb_version_t *rbtversion = rbtiterator->common.version;
-	rdatasetheader_t *header, *top_next;
-	rbtdb_serial_t serial;
-	isc_stdtime_t now;
-	rbtdb_rdatatype_t type, negtype;
-	dns_rdatatype_t rdtype, covers;
-
-	header = rbtiterator->current;
-	if (header == NULL)
-		return (ISC_R_NOMORE);
-
-	if (IS_CACHE(rbtdb)) {
-		serial = 1;
-		now = rbtiterator->common.now;
-	} else {
-		serial = rbtversion->serial;
-		now = 0;
-	}
-
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_read);
-
-	type = header->type;
-	rdtype = RBTDB_RDATATYPE_BASE(header->type);
-	if (NEGATIVE(header)) {
-		covers = RBTDB_RDATATYPE_EXT(header->type);
-		negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
-	} else
-		negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
-	for (header = header->next; header != NULL; header = top_next) {
-		top_next = header->next;
-		/*
-		 * If not walking back up the down list.
-		 */
-		if (header->type != type && header->type != negtype) {
-			do {
-				if (header->serial <= serial &&
-				    !IGNORE(header)) {
-					/*
-					 * Is this a "this rdataset doesn't
-					 * exist" record?
-					 *
-					 * Note: unlike everywhere else, we
-					 * check for now > header->ttl instead
-					 * of now >= header->ttl.  This allows
-					 * ANY and RRSIG queries for 0 TTL
-					 * rdatasets to work.
-					 */
-					if ((header->attributes &
-					     RDATASET_ATTR_NONEXISTENT) != 0 ||
-					    (now != 0 && now > header->rdh_ttl))
-						header = NULL;
-					break;
-				} else
-					header = header->down;
-			} while (header != NULL);
-			if (header != NULL)
-				break;
-		}
-	}
-
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		    isc_rwlocktype_read);
-
-	rbtiterator->current = header;
-
-	if (header == NULL)
-		return (ISC_R_NOMORE);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
-	rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
-	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
-	rdatasetheader_t *header;
-
-	header = rbtiterator->current;
-	REQUIRE(header != NULL);
-
-	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		  isc_rwlocktype_read);
-
-	bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now,
-		      rdataset);
-
-	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
-		    isc_rwlocktype_read);
-}
-
-
-/*
- * Database Iterator Methods
- */
-
-static inline void
-reference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
-	dns_rbtnode_t *node = rbtdbiter->node;
-
-	if (node == NULL)
-		return;
-
-	INSIST(rbtdbiter->tree_locked != isc_rwlocktype_none);
-	reactivate_node(rbtdb, node, rbtdbiter->tree_locked);
-}
-
-static inline void
-dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
-	dns_rbtnode_t *node = rbtdbiter->node;
-	nodelock_t *lock;
-
-	if (node == NULL)
-		return;
-
-	lock = &rbtdb->node_locks[node->locknum].lock;
-	NODE_LOCK(lock, isc_rwlocktype_read);
-	decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
-			    rbtdbiter->tree_locked, ISC_FALSE);
-	NODE_UNLOCK(lock, isc_rwlocktype_read);
-
-	rbtdbiter->node = NULL;
-}
-
-static void
-flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
-	dns_rbtnode_t *node;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
-	isc_boolean_t was_read_locked = ISC_FALSE;
-	nodelock_t *lock;
-	int i;
-
-	if (rbtdbiter->delete != 0) {
-		/*
-		 * Note that "%d node of %d in tree" can report things like
-		 * "flush_deletions: 59 nodes of 41 in tree".  This means
-		 * That some nodes appear on the deletions list more than
-		 * once.  Only the last occurence will actually be deleted.
-		 */
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
-			      "flush_deletions: %d nodes of %d in tree",
-			      rbtdbiter->delete,
-			      dns_rbt_nodecount(rbtdb->tree));
-
-		if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
-			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-			was_read_locked = ISC_TRUE;
-		}
-		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-		rbtdbiter->tree_locked = isc_rwlocktype_write;
-
-		for (i = 0; i < rbtdbiter->delete; i++) {
-			node = rbtdbiter->deletions[i];
-			lock = &rbtdb->node_locks[node->locknum].lock;
-
-			NODE_LOCK(lock, isc_rwlocktype_read);
-			decrement_reference(rbtdb, node, 0,
-					    isc_rwlocktype_read,
-					    rbtdbiter->tree_locked, ISC_FALSE);
-			NODE_UNLOCK(lock, isc_rwlocktype_read);
-		}
-
-		rbtdbiter->delete = 0;
-
-		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-		if (was_read_locked) {
-			RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-			rbtdbiter->tree_locked = isc_rwlocktype_read;
-
-		} else {
-			rbtdbiter->tree_locked = isc_rwlocktype_none;
-		}
-	}
-}
-
-static inline void
-resume_iteration(rbtdb_dbiterator_t *rbtdbiter) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
-
-	REQUIRE(rbtdbiter->paused);
-	REQUIRE(rbtdbiter->tree_locked == isc_rwlocktype_none);
-
-	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-	rbtdbiter->tree_locked = isc_rwlocktype_read;
-
-	rbtdbiter->paused = ISC_FALSE;
-}
-
-static void
-dbiterator_destroy(dns_dbiterator_t **iteratorp) {
-	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)(*iteratorp);
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
-	dns_db_t *db = NULL;
-
-	if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
-		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-		rbtdbiter->tree_locked = isc_rwlocktype_none;
-	} else
-		INSIST(rbtdbiter->tree_locked == isc_rwlocktype_none);
-
-	dereference_iter_node(rbtdbiter);
-
-	flush_deletions(rbtdbiter);
-
-	dns_db_attach(rbtdbiter->common.db, &db);
-	dns_db_detach(&rbtdbiter->common.db);
-
-	dns_rbtnodechain_reset(&rbtdbiter->chain);
-	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
-	isc_mem_put(db->mctx, rbtdbiter, sizeof(*rbtdbiter));
-	dns_db_detach(&db);
-
-	*iteratorp = NULL;
-}
-
-static isc_result_t
-dbiterator_first(dns_dbiterator_t *iterator) {
-	isc_result_t result;
-	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
-	dns_name_t *name, *origin;
-
-	if (rbtdbiter->result != ISC_R_SUCCESS &&
-	    rbtdbiter->result != ISC_R_NOMORE)
-		return (rbtdbiter->result);
-
-	if (rbtdbiter->paused)
-		resume_iteration(rbtdbiter);
-
-	dereference_iter_node(rbtdbiter);
-
-	name = dns_fixedname_name(&rbtdbiter->name);
-	origin = dns_fixedname_name(&rbtdbiter->origin);
-	dns_rbtnodechain_reset(&rbtdbiter->chain);
-	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
-
-	if (rbtdbiter->nsec3only) {
-		rbtdbiter->current = &rbtdbiter->nsec3chain;
-		result = dns_rbtnodechain_first(rbtdbiter->current,
-						rbtdb->nsec3, name, origin);
-	} else {
-		rbtdbiter->current = &rbtdbiter->chain;
-		result = dns_rbtnodechain_first(rbtdbiter->current,
-						rbtdb->tree, name, origin);
-		if (!rbtdbiter->nonsec3 && result == ISC_R_NOTFOUND) {
-			rbtdbiter->current = &rbtdbiter->nsec3chain;
-			result = dns_rbtnodechain_first(rbtdbiter->current,
-							rbtdb->nsec3, name,
-							origin);
-		}
-	}
-	if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
-		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
-						  NULL, &rbtdbiter->node);
-		if (result == ISC_R_SUCCESS) {
-			rbtdbiter->new_origin = ISC_TRUE;
-			reference_iter_node(rbtdbiter);
-		}
-	} else {
-		INSIST(result == ISC_R_NOTFOUND);
-		result = ISC_R_NOMORE; /* The tree is empty. */
-	}
-
-	rbtdbiter->result = result;
-
-	return (result);
-}
-
-static isc_result_t
-dbiterator_last(dns_dbiterator_t *iterator) {
-	isc_result_t result;
-	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
-	dns_name_t *name, *origin;
-
-	if (rbtdbiter->result != ISC_R_SUCCESS &&
-	    rbtdbiter->result != ISC_R_NOMORE)
-		return (rbtdbiter->result);
-
-	if (rbtdbiter->paused)
-		resume_iteration(rbtdbiter);
-
-	dereference_iter_node(rbtdbiter);
-
-	name = dns_fixedname_name(&rbtdbiter->name);
-	origin = dns_fixedname_name(&rbtdbiter->origin);
-	dns_rbtnodechain_reset(&rbtdbiter->chain);
-	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
-
-	result = ISC_R_NOTFOUND;
-	if (rbtdbiter->nsec3only && !rbtdbiter->nonsec3) {
-		rbtdbiter->current = &rbtdbiter->nsec3chain;
-		result = dns_rbtnodechain_last(rbtdbiter->current,
-					       rbtdb->nsec3, name, origin);
-	}
-	if (!rbtdbiter->nsec3only && result == ISC_R_NOTFOUND) {
-		rbtdbiter->current = &rbtdbiter->chain;
-		result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree,
-					       name, origin);
-	}
-	if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
-		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
-						  NULL, &rbtdbiter->node);
-		if (result == ISC_R_SUCCESS) {
-			rbtdbiter->new_origin = ISC_TRUE;
-			reference_iter_node(rbtdbiter);
-		}
-	} else {
-		INSIST(result == ISC_R_NOTFOUND);
-		result = ISC_R_NOMORE; /* The tree is empty. */
-	}
-
-	rbtdbiter->result = result;
-
-	return (result);
-}
-
-static isc_result_t
-dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
-	isc_result_t result, tresult;
-	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
-	dns_name_t *iname, *origin;
-
-	if (rbtdbiter->result != ISC_R_SUCCESS &&
-	    rbtdbiter->result != ISC_R_NOTFOUND &&
-	    rbtdbiter->result != ISC_R_NOMORE)
-		return (rbtdbiter->result);
-
-	if (rbtdbiter->paused)
-		resume_iteration(rbtdbiter);
-
-	dereference_iter_node(rbtdbiter);
-
-	iname = dns_fixedname_name(&rbtdbiter->name);
-	origin = dns_fixedname_name(&rbtdbiter->origin);
-	dns_rbtnodechain_reset(&rbtdbiter->chain);
-	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
-
-	if (rbtdbiter->nsec3only) {
-		rbtdbiter->current = &rbtdbiter->nsec3chain;
-		result = dns_rbt_findnode(rbtdb->nsec3, name, NULL,
-					  &rbtdbiter->node,
-					  rbtdbiter->current,
-					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
-	} else if (rbtdbiter->nonsec3) {
-		rbtdbiter->current = &rbtdbiter->chain;
-		result = dns_rbt_findnode(rbtdb->tree, name, NULL,
-					  &rbtdbiter->node,
-					  rbtdbiter->current,
-					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
-	} else {
-		/*
-		 * Stay on main chain if not found on either chain.
-		 */
-		rbtdbiter->current = &rbtdbiter->chain;
-		result = dns_rbt_findnode(rbtdb->tree, name, NULL,
-					  &rbtdbiter->node,
-					  rbtdbiter->current,
-					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
-		if (result == DNS_R_PARTIALMATCH) {
-			dns_rbtnode_t *node = NULL;
-			tresult = dns_rbt_findnode(rbtdb->nsec3, name, NULL,
-						  &node, &rbtdbiter->nsec3chain,
-						  DNS_RBTFIND_EMPTYDATA,
-						  NULL, NULL);
-			if (tresult == ISC_R_SUCCESS) {
-				rbtdbiter->node = node;
-				rbtdbiter->current = &rbtdbiter->nsec3chain;
-				result = tresult;
-			}
-		}
-	}
-
-#if 1
-	if (result == ISC_R_SUCCESS) {
-		result = dns_rbtnodechain_current(rbtdbiter->current, iname,
-						  origin, NULL);
-		if (result == ISC_R_SUCCESS) {
-			rbtdbiter->new_origin = ISC_TRUE;
-			reference_iter_node(rbtdbiter);
-		}
-	} else if (result == DNS_R_PARTIALMATCH) {
-		result = ISC_R_NOTFOUND;
-		rbtdbiter->node = NULL;
-	}
-
-	rbtdbiter->result = result;
-#else
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-		isc_result_t tresult;
-		tresult = dns_rbtnodechain_current(rbtdbiter->current, iname,
-						   origin, NULL);
-		if (tresult == ISC_R_SUCCESS) {
-			rbtdbiter->new_origin = ISC_TRUE;
-			reference_iter_node(rbtdbiter);
-		} else {
-			result = tresult;
-			rbtdbiter->node = NULL;
-		}
-	} else
-		rbtdbiter->node = NULL;
-
-	rbtdbiter->result = (result == DNS_R_PARTIALMATCH) ?
-			    ISC_R_SUCCESS : result;
-#endif
-
-	return (result);
-}
-
-static isc_result_t
-dbiterator_prev(dns_dbiterator_t *iterator) {
-	isc_result_t result;
-	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
-	dns_name_t *name, *origin;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
-
-	REQUIRE(rbtdbiter->node != NULL);
-
-	if (rbtdbiter->result != ISC_R_SUCCESS)
-		return (rbtdbiter->result);
-
-	if (rbtdbiter->paused)
-		resume_iteration(rbtdbiter);
-
-	name = dns_fixedname_name(&rbtdbiter->name);
-	origin = dns_fixedname_name(&rbtdbiter->origin);
-	result = dns_rbtnodechain_prev(rbtdbiter->current, name, origin);
-	if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
-	    !rbtdbiter->nonsec3 &&
-	    &rbtdbiter->nsec3chain == rbtdbiter->current) {
-		rbtdbiter->current = &rbtdbiter->chain;
-		dns_rbtnodechain_reset(rbtdbiter->current);
-		result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree,
-					       name, origin);
-		if (result == ISC_R_NOTFOUND)
-			result = ISC_R_NOMORE;
-	}
-
-	dereference_iter_node(rbtdbiter);
-
-	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
-		rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN);
-		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
-						  NULL, &rbtdbiter->node);
-	}
-
-	if (result == ISC_R_SUCCESS)
-		reference_iter_node(rbtdbiter);
-
-	rbtdbiter->result = result;
-
-	return (result);
-}
-
-static isc_result_t
-dbiterator_next(dns_dbiterator_t *iterator) {
-	isc_result_t result;
-	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
-	dns_name_t *name, *origin;
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
-
-	REQUIRE(rbtdbiter->node != NULL);
-
-	if (rbtdbiter->result != ISC_R_SUCCESS)
-		return (rbtdbiter->result);
-
-	if (rbtdbiter->paused)
-		resume_iteration(rbtdbiter);
-
-	name = dns_fixedname_name(&rbtdbiter->name);
-	origin = dns_fixedname_name(&rbtdbiter->origin);
-	result = dns_rbtnodechain_next(rbtdbiter->current, name, origin);
-	if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
-	    !rbtdbiter->nonsec3 && &rbtdbiter->chain == rbtdbiter->current) {
-		rbtdbiter->current = &rbtdbiter->nsec3chain;
-		dns_rbtnodechain_reset(rbtdbiter->current);
-		result = dns_rbtnodechain_first(rbtdbiter->current,
-						rbtdb->nsec3, name, origin);
-		if (result == ISC_R_NOTFOUND)
-			result = ISC_R_NOMORE;
-	}
-
-	dereference_iter_node(rbtdbiter);
-
-	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
-		rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN);
-		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
-						  NULL, &rbtdbiter->node);
-	}
-	if (result == ISC_R_SUCCESS)
-		reference_iter_node(rbtdbiter);
-
-	rbtdbiter->result = result;
-
-	return (result);
-}
-
-static isc_result_t
-dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
-		   dns_name_t *name)
-{
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
-	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
-	dns_rbtnode_t *node = rbtdbiter->node;
-	isc_result_t result;
-	dns_name_t *nodename = dns_fixedname_name(&rbtdbiter->name);
-	dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
-
-	REQUIRE(rbtdbiter->result == ISC_R_SUCCESS);
-	REQUIRE(rbtdbiter->node != NULL);
-
-	if (rbtdbiter->paused)
-		resume_iteration(rbtdbiter);
-
-	if (name != NULL) {
-		if (rbtdbiter->common.relative_names)
-			origin = NULL;
-		result = dns_name_concatenate(nodename, origin, name, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		if (rbtdbiter->common.relative_names && rbtdbiter->new_origin)
-			result = DNS_R_NEWORIGIN;
-	} else
-		result = ISC_R_SUCCESS;
-
-	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
-	new_reference(rbtdb, node);
-	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
-
-	*nodep = rbtdbiter->node;
-
-	if (iterator->cleaning && result == ISC_R_SUCCESS) {
-		isc_result_t expire_result;
-
-		/*
-		 * If the deletion array is full, flush it before trying
-		 * to expire the current node.  The current node can't
-		 * fully deleted while the iteration cursor is still on it.
-		 */
-		if (rbtdbiter->delete == DELETION_BATCH_MAX)
-			flush_deletions(rbtdbiter);
-
-		expire_result = expirenode(iterator->db, *nodep, 0);
-
-		/*
-		 * expirenode() currently always returns success.
-		 */
-		if (expire_result == ISC_R_SUCCESS && node->down == NULL) {
-			unsigned int refs;
-
-			rbtdbiter->deletions[rbtdbiter->delete++] = node;
-			NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
-			dns_rbtnode_refincrement(node, &refs);
-			INSIST(refs != 0);
-			NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
-		}
-	}
-
-	return (result);
-}
-
-static isc_result_t
-dbiterator_pause(dns_dbiterator_t *iterator) {
-	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
-	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
-
-	if (rbtdbiter->result != ISC_R_SUCCESS &&
-	    rbtdbiter->result != ISC_R_NOMORE)
-		return (rbtdbiter->result);
-
-	if (rbtdbiter->paused)
-		return (ISC_R_SUCCESS);
-
-	rbtdbiter->paused = ISC_TRUE;
-
-	if (rbtdbiter->tree_locked != isc_rwlocktype_none) {
-		INSIST(rbtdbiter->tree_locked == isc_rwlocktype_read);
-		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-		rbtdbiter->tree_locked = isc_rwlocktype_none;
-	}
-
-	flush_deletions(rbtdbiter);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
-	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
-	dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
-
-	if (rbtdbiter->result != ISC_R_SUCCESS)
-		return (rbtdbiter->result);
-
-	return (dns_name_copy(origin, name, NULL));
-}
-
-/*%
- * Additional cache routines.
- */
-static isc_result_t
-rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
-		       dns_rdatatype_t qtype, dns_acache_t *acache,
-		       dns_zone_t **zonep, dns_db_t **dbp,
-		       dns_dbversion_t **versionp, dns_dbnode_t **nodep,
-		       dns_name_t *fname, dns_message_t *msg,
-		       isc_stdtime_t now)
-{
-#ifndef BIND9
-	UNUSED(rdataset);
-	UNUSED(type);
-	UNUSED(qtype);
-	UNUSED(acache);
-	UNUSED(zonep);
-	UNUSED(dbp);
-	UNUSED(versionp);
-	UNUSED(nodep);
-	UNUSED(fname);
-	UNUSED(msg);
-	UNUSED(now);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#else
-	dns_rbtdb_t *rbtdb = rdataset->private1;
-	dns_rbtnode_t *rbtnode = rdataset->private2;
-	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
-	unsigned int current_count = rdataset->privateuint4;
-	unsigned int count;
-	rdatasetheader_t *header;
-	nodelock_t *nodelock;
-	unsigned int total_count;
-	acachectl_t *acarray;
-	dns_acacheentry_t *entry;
-	isc_result_t result;
-
-	UNUSED(qtype); /* we do not use this value at least for now */
-	UNUSED(acache);
-
-	header = (struct rdatasetheader *)(raw - sizeof(*header));
-
-	total_count = raw[0] * 256 + raw[1];
-	INSIST(total_count > current_count);
-	count = total_count - current_count - 1;
-
-	acarray = NULL;
-
-	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
-	NODE_LOCK(nodelock, isc_rwlocktype_read);
-
-	switch (type) {
-	case dns_rdatasetadditional_fromauth:
-		acarray = header->additional_auth;
-		break;
-	case dns_rdatasetadditional_fromcache:
-		acarray = NULL;
-		break;
-	case dns_rdatasetadditional_fromglue:
-		acarray = header->additional_glue;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	if (acarray == NULL) {
-		if (type != dns_rdatasetadditional_fromcache)
-			dns_acache_countquerymiss(acache);
-		NODE_UNLOCK(nodelock, isc_rwlocktype_read);
-		return (ISC_R_NOTFOUND);
-	}
-
-	if (acarray[count].entry == NULL) {
-		dns_acache_countquerymiss(acache);
-		NODE_UNLOCK(nodelock, isc_rwlocktype_read);
-		return (ISC_R_NOTFOUND);
-	}
-
-	entry = NULL;
-	dns_acache_attachentry(acarray[count].entry, &entry);
-
-	NODE_UNLOCK(nodelock, isc_rwlocktype_read);
-
-	result = dns_acache_getentry(entry, zonep, dbp, versionp,
-				     nodep, fname, msg, now);
-
-	dns_acache_detachentry(&entry);
-
-	return (result);
-}
-
-static void
-acache_callback(dns_acacheentry_t *entry, void **arg) {
-	dns_rbtdb_t *rbtdb;
-	dns_rbtnode_t *rbtnode;
-	nodelock_t *nodelock;
-	acachectl_t *acarray = NULL;
-	acache_cbarg_t *cbarg;
-	unsigned int count;
-
-	REQUIRE(arg != NULL);
-	cbarg = *arg;
-
-	/*
-	 * The caller must hold the entry lock.
-	 */
-
-	rbtdb = (dns_rbtdb_t *)cbarg->db;
-	rbtnode = (dns_rbtnode_t *)cbarg->node;
-
-	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
-	NODE_LOCK(nodelock, isc_rwlocktype_write);
-
-	switch (cbarg->type) {
-	case dns_rdatasetadditional_fromauth:
-		acarray = cbarg->header->additional_auth;
-		break;
-	case dns_rdatasetadditional_fromglue:
-		acarray = cbarg->header->additional_glue;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	count = cbarg->count;
-	if (acarray != NULL && acarray[count].entry == entry) {
-		acarray[count].entry = NULL;
-		INSIST(acarray[count].cbarg == cbarg);
-		acarray[count].cbarg = NULL;
-		isc_mem_put(rbtdb->common.mctx, cbarg, sizeof(acache_cbarg_t));
-		dns_acache_detachentry(&entry);
-	}
-
-	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
-
-	dns_db_detachnode((dns_db_t *)rbtdb, (dns_dbnode_t **)(void*)&rbtnode);
-	dns_db_detach((dns_db_t **)(void*)&rbtdb);
-
-	*arg = NULL;
-#endif /* BIND9 */
-}
-
-#ifdef BIND9
-static void
-acache_cancelentry(isc_mem_t *mctx, dns_acacheentry_t *entry,
-		      acache_cbarg_t **cbargp)
-{
-	acache_cbarg_t *cbarg;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(entry != NULL);
-	REQUIRE(cbargp != NULL && *cbargp != NULL);
-
-	cbarg = *cbargp;
-
-	if (dns_acache_cancelentry(entry)) {
-		dns_db_detachnode(cbarg->db, &cbarg->node);
-		dns_db_detach(&cbarg->db);
-	}
-
-	isc_mem_put(mctx, cbarg, sizeof(acache_cbarg_t));
-
-	*cbargp = NULL;
-}
-#endif /* BIND9 */
-
-static isc_result_t
-rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
-		       dns_rdatatype_t qtype, dns_acache_t *acache,
-		       dns_zone_t *zone, dns_db_t *db,
-		       dns_dbversion_t *version, dns_dbnode_t *node,
-		       dns_name_t *fname)
-{
-#ifndef BIND9
-	UNUSED(rdataset);
-	UNUSED(type);
-	UNUSED(qtype);
-	UNUSED(acache);
-	UNUSED(zone);
-	UNUSED(db);
-	UNUSED(version);
-	UNUSED(node);
-	UNUSED(fname);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#else
-	dns_rbtdb_t *rbtdb = rdataset->private1;
-	dns_rbtnode_t *rbtnode = rdataset->private2;
-	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
-	unsigned int current_count = rdataset->privateuint4;
-	rdatasetheader_t *header;
-	unsigned int total_count, count;
-	nodelock_t *nodelock;
-	isc_result_t result;
-	acachectl_t *acarray;
-	dns_acacheentry_t *newentry, *oldentry = NULL;
-	acache_cbarg_t *newcbarg, *oldcbarg = NULL;
-
-	UNUSED(qtype);
-
-	if (type == dns_rdatasetadditional_fromcache)
-		return (ISC_R_SUCCESS);
-
-	header = (struct rdatasetheader *)(raw - sizeof(*header));
-
-	total_count = raw[0] * 256 + raw[1];
-	INSIST(total_count > current_count);
-	count = total_count - current_count - 1; /* should be private data */
-
-	newcbarg = isc_mem_get(rbtdb->common.mctx, sizeof(*newcbarg));
-	if (newcbarg == NULL)
-		return (ISC_R_NOMEMORY);
-	newcbarg->type = type;
-	newcbarg->count = count;
-	newcbarg->header = header;
-	newcbarg->db = NULL;
-	dns_db_attach((dns_db_t *)rbtdb, &newcbarg->db);
-	newcbarg->node = NULL;
-	dns_db_attachnode((dns_db_t *)rbtdb, (dns_dbnode_t *)rbtnode,
-			  &newcbarg->node);
-	newentry = NULL;
-	result = dns_acache_createentry(acache, (dns_db_t *)rbtdb,
-					acache_callback, newcbarg, &newentry);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	/* Set cache data in the new entry. */
-	result = dns_acache_setentry(acache, newentry, zone, db,
-				     version, node, fname);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
-	NODE_LOCK(nodelock, isc_rwlocktype_write);
-
-	acarray = NULL;
-	switch (type) {
-	case dns_rdatasetadditional_fromauth:
-		acarray = header->additional_auth;
-		break;
-	case dns_rdatasetadditional_fromglue:
-		acarray = header->additional_glue;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	if (acarray == NULL) {
-		unsigned int i;
-
-		acarray = isc_mem_get(rbtdb->common.mctx, total_count *
-				      sizeof(acachectl_t));
-
-		if (acarray == NULL) {
-			NODE_UNLOCK(nodelock, isc_rwlocktype_write);
-			goto fail;
-		}
-
-		for (i = 0; i < total_count; i++) {
-			acarray[i].entry = NULL;
-			acarray[i].cbarg = NULL;
-		}
-	}
-	switch (type) {
-	case dns_rdatasetadditional_fromauth:
-		header->additional_auth = acarray;
-		break;
-	case dns_rdatasetadditional_fromglue:
-		header->additional_glue = acarray;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	if (acarray[count].entry != NULL) {
-		/*
-		 * Swap the entry.  Delay cleaning-up the old entry since
-		 * it would require a node lock.
-		 */
-		oldentry = acarray[count].entry;
-		INSIST(acarray[count].cbarg != NULL);
-		oldcbarg = acarray[count].cbarg;
-	}
-	acarray[count].entry = newentry;
-	acarray[count].cbarg = newcbarg;
-
-	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
-
-	if (oldentry != NULL) {
-		acache_cancelentry(rbtdb->common.mctx, oldentry, &oldcbarg);
-		dns_acache_detachentry(&oldentry);
-	}
-
-	return (ISC_R_SUCCESS);
-
- fail:
-	if (newcbarg != NULL) {
-		if (newentry != NULL) {
-			acache_cancelentry(rbtdb->common.mctx, newentry,
-					   &newcbarg);
-			dns_acache_detachentry(&newentry);
-		} else {
-			dns_db_detachnode((dns_db_t *)rbtdb, &newcbarg->node);
-			dns_db_detach(&newcbarg->db);
-			isc_mem_put(rbtdb->common.mctx, newcbarg,
-			    sizeof(*newcbarg));
-		}
-	}
-
-	return (result);
-#endif
-}
-
-static isc_result_t
-rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
-		       dns_rdatasetadditional_t type, dns_rdatatype_t qtype)
-{
-#ifndef BIND9
-	UNUSED(acache);
-	UNUSED(rdataset);
-	UNUSED(type);
-	UNUSED(qtype);
-
-	return (ISC_R_NOTIMPLEMENTED);
-#else
-	dns_rbtdb_t *rbtdb = rdataset->private1;
-	dns_rbtnode_t *rbtnode = rdataset->private2;
-	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
-	unsigned int current_count = rdataset->privateuint4;
-	rdatasetheader_t *header;
-	nodelock_t *nodelock;
-	unsigned int total_count, count;
-	acachectl_t *acarray;
-	dns_acacheentry_t *entry;
-	acache_cbarg_t *cbarg;
-
-	UNUSED(qtype);          /* we do not use this value at least for now */
-	UNUSED(acache);
-
-	if (type == dns_rdatasetadditional_fromcache)
-		return (ISC_R_SUCCESS);
-
-	header = (struct rdatasetheader *)(raw - sizeof(*header));
-
-	total_count = raw[0] * 256 + raw[1];
-	INSIST(total_count > current_count);
-	count = total_count - current_count - 1;
-
-	acarray = NULL;
-	entry = NULL;
-
-	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
-	NODE_LOCK(nodelock, isc_rwlocktype_write);
-
-	switch (type) {
-	case dns_rdatasetadditional_fromauth:
-		acarray = header->additional_auth;
-		break;
-	case dns_rdatasetadditional_fromglue:
-		acarray = header->additional_glue;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	if (acarray == NULL) {
-		NODE_UNLOCK(nodelock, isc_rwlocktype_write);
-		return (ISC_R_NOTFOUND);
-	}
-
-	entry = acarray[count].entry;
-	if (entry == NULL) {
-		NODE_UNLOCK(nodelock, isc_rwlocktype_write);
-		return (ISC_R_NOTFOUND);
-	}
-
-	acarray[count].entry = NULL;
-	cbarg = acarray[count].cbarg;
-	acarray[count].cbarg = NULL;
-
-	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
-
-	if (entry != NULL) {
-		if (cbarg != NULL)
-			acache_cancelentry(rbtdb->common.mctx, entry, &cbarg);
-		dns_acache_detachentry(&entry);
-	}
-
-	return (ISC_R_SUCCESS);
-#endif
-}
-
-/*%
- * Routines for LRU-based cache management.
- */
-
-/*%
- * See if a given cache entry that is being reused needs to be updated
- * in the LRU-list.  From the LRU management point of view, this function is
- * expected to return true for almost all cases.  When used with threads,
- * however, this may cause a non-negligible performance penalty because a
- * writer lock will have to be acquired before updating the list.
- * If DNS_RBTDB_LIMITLRUUPDATE is defined to be non 0 at compilation time, this
- * function returns true if the entry has not been updated for some period of
- * time.  We differentiate the NS or glue address case and the others since
- * experiments have shown that the former tends to be accessed relatively
- * infrequently and the cost of cache miss is higher (e.g., a missing NS records
- * may cause external queries at a higher level zone, involving more
- * transactions).
- *
- * Caller must hold the node (read or write) lock.
- */
-static inline isc_boolean_t
-need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) {
-	if ((header->attributes &
-	     (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0)
-		return (ISC_FALSE);
-
-#if DNS_RBTDB_LIMITLRUUPDATE
-	if (header->type == dns_rdatatype_ns ||
-	    (header->trust == dns_trust_glue &&
-	     (header->type == dns_rdatatype_a ||
-	      header->type == dns_rdatatype_aaaa))) {
-		/*
-		 * Glue records are updated if at least 60 seconds have passed
-		 * since the previous update time.
-		 */
-		return (header->last_used + 60 <= now);
-	}
-
-	/* Other records are updated if 5 minutes have passed. */
-	return (header->last_used + 300 <= now);
-#else
-	UNUSED(now);
-
-	return (ISC_TRUE);
-#endif
-}
-
-/*%
- * Update the timestamp of a given cache entry and move it to the head
- * of the corresponding LRU list.
- *
- * Caller must hold the node (write) lock.
- *
- * Note that the we do NOT touch the heap here, as the TTL has not changed.
- */
-static void
-update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
-	      isc_stdtime_t now)
-{
-	INSIST(IS_CACHE(rbtdb));
-
-	/* To be checked: can we really assume this? XXXMLG */
-	INSIST(ISC_LINK_LINKED(header, link));
-
-	ISC_LIST_UNLINK(rbtdb->rdatasets[header->node->locknum], header, link);
-	header->last_used = now;
-	ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
-}
-
-/*%
- * Purge some expired and/or stale (i.e. unused for some period) cache entries
- * under an overmem condition.  To recover from this condition quickly, up to
- * 2 entries will be purged.  This process is triggered while adding a new
- * entry, and we specifically avoid purging entries in the same LRU bucket as
- * the one to which the new entry will belong.  Otherwise, we might purge
- * entries of the same name of different RR types while adding RRsets from a
- * single response (consider the case where we're adding A and AAAA glue records
- * of the same NS name).
- */
-static void
-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
-	      isc_stdtime_t now, isc_boolean_t tree_locked)
-{
-	rdatasetheader_t *header, *header_prev;
-	unsigned int locknum;
-	int purgecount = 2;
-
-	for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
-	     locknum != locknum_start && purgecount > 0;
-	     locknum = (locknum + 1) % rbtdb->node_lock_count) {
-		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
-			  isc_rwlocktype_write);
-
-		header = isc_heap_element(rbtdb->heaps[locknum], 1);
-		if (header && header->rdh_ttl <= now - RBTDB_VIRTUAL) {
-			expire_header(rbtdb, header, tree_locked);
-			purgecount--;
-		}
-
-		for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
-		     header != NULL && purgecount > 0;
-		     header = header_prev) {
-			header_prev = ISC_LIST_PREV(header, link);
-			/*
-			 * Unlink the entry at this point to avoid checking it
-			 * again even if it's currently used someone else and
-			 * cannot be purged at this moment.  This entry won't be
-			 * referenced any more (so unlinking is safe) since the
-			 * TTL was reset to 0.
-			 */
-			ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
-					link);
-			expire_header(rbtdb, header, tree_locked);
-			purgecount--;
-		}
-
-		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
-				    isc_rwlocktype_write);
-	}
-}
-
-static void
-expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
-	      isc_boolean_t tree_locked)
-{
-	set_ttl(rbtdb, header, 0);
-	header->attributes |= RDATASET_ATTR_STALE;
-	header->node->dirty = 1;
-
-	/*
-	 * Caller must hold the node (write) lock.
-	 */
-
-	if (dns_rbtnode_refcurrent(header->node) == 0) {
-		/*
-		 * If no one else is using the node, we can clean it up now.
-		 * We first need to gain a new reference to the node to meet a
-		 * requirement of decrement_reference().
-		 */
-		new_reference(rbtdb, header->node);
-		decrement_reference(rbtdb, header->node, 0,
-				    isc_rwlocktype_write,
-				    tree_locked ? isc_rwlocktype_write :
-				    isc_rwlocktype_none, ISC_FALSE);
-	}
-}
diff --git a/contrib/bind9/lib/dns/rbtdb.h b/contrib/bind9/lib/dns/rbtdb.h
deleted file mode 100644
index 9eb9c5c..0000000
--- a/contrib/bind9/lib/dns/rbtdb.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef DNS_RBTDB_H
-#define DNS_RBTDB_H 1
-
-#include <isc/lang.h>
-#include <dns/types.h>
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * DNS Red-Black Tree DB Implementation
- */
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rbtdb_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
-		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
-		 void *driverarg, dns_db_t **dbp);
-
-/*%<
- * Create a new database of type "rbt" (or "rbt64").  Called via
- * dns_db_create(); see documentation for that function for more details.
- *
- * If argv[0] is set, it points to a valid memory context to be used for
- * allocation of heap memory.  Generally this is used for cache databases
- * only.
- *
- * Requires:
- *
- * \li argc == 0 or argv[0] is a valid memory context.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RBTDB_H */
diff --git a/contrib/bind9/lib/dns/rbtdb64.c b/contrib/bind9/lib/dns/rbtdb64.c
deleted file mode 100644
index 5e325fa..0000000
--- a/contrib/bind9/lib/dns/rbtdb64.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rbtdb64.c,v 1.11 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#define DNS_RBTDB_VERSION64 1
-#include "rbtdb.c"
diff --git a/contrib/bind9/lib/dns/rbtdb64.h b/contrib/bind9/lib/dns/rbtdb64.h
deleted file mode 100644
index fe11622..0000000
--- a/contrib/bind9/lib/dns/rbtdb64.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rbtdb64.h,v 1.17 2007/06/19 23:47:16 tbox Exp $ */
-
-#ifndef DNS_RBTDB64_H
-#define DNS_RBTDB64_H 1
-
-#include <isc/lang.h>
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * DNS Red-Black Tree DB Implementation with 64-bit version numbers
- */
-
-#include <dns/db.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rbtdb64_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
-		   dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
-		   void *driverarg, dns_db_t **dbp);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RBTDB64_H */
diff --git a/contrib/bind9/lib/dns/rcode.c b/contrib/bind9/lib/dns/rcode.c
deleted file mode 100644
index 0b7fe8c..0000000
--- a/contrib/bind9/lib/dns/rcode.c
+++ /dev/null
@@ -1,515 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-#include <ctype.h>
-
-#include <isc/buffer.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/stdio.h>
-#include <isc/stdlib.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/cert.h>
-#include <dns/keyflags.h>
-#include <dns/keyvalues.h>
-#include <dns/rcode.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/secproto.h>
-
-#define RETERR(x) \
-	do { \
-		isc_result_t _r = (x); \
-		if (_r != ISC_R_SUCCESS) \
-			return (_r); \
-	} while (0)
-
-#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */
-
-#define RCODENAMES \
-	/* standard rcodes */ \
-	{ dns_rcode_noerror, "NOERROR", 0}, \
-	{ dns_rcode_formerr, "FORMERR", 0}, \
-	{ dns_rcode_servfail, "SERVFAIL", 0}, \
-	{ dns_rcode_nxdomain, "NXDOMAIN", 0}, \
-	{ dns_rcode_notimp, "NOTIMP", 0}, \
-	{ dns_rcode_refused, "REFUSED", 0}, \
-	{ dns_rcode_yxdomain, "YXDOMAIN", 0}, \
-	{ dns_rcode_yxrrset, "YXRRSET", 0}, \
-	{ dns_rcode_nxrrset, "NXRRSET", 0}, \
-	{ dns_rcode_notauth, "NOTAUTH", 0}, \
-	{ dns_rcode_notzone, "NOTZONE", 0},
-
-#define ERCODENAMES \
-	/* extended rcodes */ \
-	{ dns_rcode_badvers, "BADVERS", 0}, \
-	{ 0, NULL, 0 }
-
-#define TSIGRCODENAMES \
-	/* extended rcodes */ \
-	{ dns_tsigerror_badsig, "BADSIG", 0}, \
-	{ dns_tsigerror_badkey, "BADKEY", 0}, \
-	{ dns_tsigerror_badtime, "BADTIME", 0}, \
-	{ dns_tsigerror_badmode, "BADMODE", 0}, \
-	{ dns_tsigerror_badname, "BADNAME", 0}, \
-	{ dns_tsigerror_badalg, "BADALG", 0}, \
-	{ dns_tsigerror_badtrunc, "BADTRUNC", 0}, \
-	{ 0, NULL, 0 }
-
-/* RFC4398 section 2.1 */
-
-#define CERTNAMES \
-	{ 1, "PKIX", 0}, \
-	{ 2, "SPKI", 0}, \
-	{ 3, "PGP", 0}, \
-	{ 4, "IPKIX", 0}, \
-	{ 5, "ISPKI", 0}, \
-	{ 6, "IPGP", 0}, \
-	{ 7, "ACPKIX", 0}, \
-	{ 8, "IACPKIX", 0}, \
-	{ 253, "URI", 0}, \
-	{ 254, "OID", 0}, \
-	{ 0, NULL, 0}
-
-/* RFC2535 section 7, RFC3110 */
-
-#define SECALGNAMES \
-	{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
-	{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
-	{ DNS_KEYALG_DH, "DH", 0 }, \
-	{ DNS_KEYALG_DSA, "DSA", 0 }, \
-	{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
-	{ DNS_KEYALG_ECC, "ECC", 0 }, \
-	{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
-	{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
-	{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
-	{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
-	{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
-	{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
-	{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
-	{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
-	{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
-	{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
-	{ 0, NULL, 0}
-
-/* RFC2535 section 7.1 */
-
-#define SECPROTONAMES \
-	{   0,    "NONE", 0 }, \
-	{   1,    "TLS", 0 }, \
-	{   2,    "EMAIL", 0 }, \
-	{   3,    "DNSSEC", 0 }, \
-	{   4,    "IPSEC", 0 }, \
-	{ 255,    "ALL", 0 }, \
-	{ 0, NULL, 0}
-
-#define HASHALGNAMES \
-	{ 1, "SHA-1", 0 }, \
-	{ 0, NULL, 0 }
-
-struct tbl {
-	unsigned int    value;
-	const char      *name;
-	int             flags;
-};
-
-static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
-static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
-static struct tbl certs[] = { CERTNAMES };
-static struct tbl secalgs[] = { SECALGNAMES };
-static struct tbl secprotos[] = { SECPROTONAMES };
-static struct tbl hashalgs[] = { HASHALGNAMES };
-
-static struct keyflag {
-	const char *name;
-	unsigned int value;
-	unsigned int mask;
-} keyflags[] = {
-	{ "NOCONF", 0x4000, 0xC000 },
-	{ "NOAUTH", 0x8000, 0xC000 },
-	{ "NOKEY",  0xC000, 0xC000 },
-	{ "FLAG2",  0x2000, 0x2000 },
-	{ "EXTEND", 0x1000, 0x1000 },
-	{ "FLAG4",  0x0800, 0x0800 },
-	{ "FLAG5",  0x0400, 0x0400 },
-	{ "USER",   0x0000, 0x0300 },
-	{ "ZONE",   0x0100, 0x0300 },
-	{ "HOST",   0x0200, 0x0300 },
-	{ "NTYP3",  0x0300, 0x0300 },
-	{ "FLAG8",  0x0080, 0x0080 },
-	{ "FLAG9",  0x0040, 0x0040 },
-	{ "FLAG10", 0x0020, 0x0020 },
-	{ "FLAG11", 0x0010, 0x0010 },
-	{ "SIG0",   0x0000, 0x000F },
-	{ "SIG1",   0x0001, 0x000F },
-	{ "SIG2",   0x0002, 0x000F },
-	{ "SIG3",   0x0003, 0x000F },
-	{ "SIG4",   0x0004, 0x000F },
-	{ "SIG5",   0x0005, 0x000F },
-	{ "SIG6",   0x0006, 0x000F },
-	{ "SIG7",   0x0007, 0x000F },
-	{ "SIG8",   0x0008, 0x000F },
-	{ "SIG9",   0x0009, 0x000F },
-	{ "SIG10",  0x000A, 0x000F },
-	{ "SIG11",  0x000B, 0x000F },
-	{ "SIG12",  0x000C, 0x000F },
-	{ "SIG13",  0x000D, 0x000F },
-	{ "SIG14",  0x000E, 0x000F },
-	{ "SIG15",  0x000F, 0x000F },
-	{ "KSK",  DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK },
-	{ NULL,     0, 0 }
-};
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
-	unsigned int l;
-	isc_region_t region;
-
-	isc_buffer_availableregion(target, &region);
-	l = strlen(source);
-
-	if (l > region.length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(region.base, source, l);
-	isc_buffer_add(target, l);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-maybe_numeric(unsigned int *valuep, isc_textregion_t *source,
-	      unsigned int max, isc_boolean_t hex_allowed)
-{
-	isc_result_t result;
-	isc_uint32_t n;
-	char buffer[NUMBERSIZE];
-
-	if (! isdigit(source->base[0] & 0xff) ||
-	    source->length > NUMBERSIZE - 1)
-		return (ISC_R_BADNUMBER);
-
-	/*
-	 * We have a potential number.  Try to parse it with
-	 * isc_parse_uint32().  isc_parse_uint32() requires
-	 * null termination, so we must make a copy.
-	 */
-	strncpy(buffer, source->base, NUMBERSIZE);
-	INSIST(buffer[source->length] == '\0');
-
-	result = isc_parse_uint32(&n, buffer, 10);
-	if (result == ISC_R_BADNUMBER && hex_allowed)
-		result = isc_parse_uint32(&n, buffer, 16);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (n > max)
-		return (ISC_R_RANGE);
-	*valuep = n;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
-		      struct tbl *table, unsigned int max)
-{
-	isc_result_t result;
-	int i;
-
-	result = maybe_numeric(valuep, source, max, ISC_FALSE);
-	if (result != ISC_R_BADNUMBER)
-		return (result);
-
-	for (i = 0; table[i].name != NULL; i++) {
-		unsigned int n;
-		n = strlen(table[i].name);
-		if (n == source->length &&
-		    strncasecmp(source->base, table[i].name, n) == 0) {
-			*valuep = table[i].value;
-			return (ISC_R_SUCCESS);
-		}
-	}
-	return (DNS_R_UNKNOWN);
-}
-
-static isc_result_t
-dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
-		    struct tbl *table)
-{
-	int i = 0;
-	char buf[sizeof("4294967296")];
-	while (table[i].name != NULL) {
-		if (table[i].value == value) {
-			return (str_totext(table[i].name, target));
-		}
-		i++;
-	}
-	snprintf(buf, sizeof(buf), "%u", value);
-	return (str_totext(buf, target));
-}
-
-isc_result_t
-dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff));
-	*rcodep = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(rcode, target, rcodes));
-}
-
-isc_result_t
-dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff));
-	*rcodep = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(rcode, target, tsigrcodes));
-}
-
-isc_result_t
-dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff));
-	*certp = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(cert, target, certs));
-}
-
-isc_result_t
-dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
-	*secalgp = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(secalg, target, secalgs));
-}
-
-void
-dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size) {
-	isc_buffer_t b;
-	isc_region_t r;
-	isc_result_t result;
-
-	REQUIRE(cp != NULL && size > 0);
-	isc_buffer_init(&b, cp, size - 1);
-	result = dns_secalg_totext(alg, &b);
-	isc_buffer_usedregion(&b, &r);
-	r.base[r.length] = 0;
-	if (result != ISC_R_SUCCESS)
-		r.base[0] = 0;
-}
-
-isc_result_t
-dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff));
-	*secprotop = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(secproto, target, secprotos));
-}
-
-isc_result_t
-dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source) {
-	unsigned int value;
-	RETERR(dns_mnemonic_fromtext(&value, source, hashalgs, 0xff));
-	*hashalg = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source)
-{
-	isc_result_t result;
-	char *text, *end;
-	unsigned int value, mask;
-
-	result = maybe_numeric(&value, source, 0xffff, ISC_TRUE);
-	if (result == ISC_R_SUCCESS) {
-		*flagsp = value;
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_BADNUMBER)
-		return (result);
-
-	text = source->base;
-	end = source->base + source->length;
-	value = mask = 0;
-
-	while (text < end) {
-		struct keyflag *p;
-		unsigned int len;
-		char *delim = memchr(text, '|', end - text);
-		if (delim != NULL)
-			len = delim - text;
-		else
-			len = end - text;
-		for (p = keyflags; p->name != NULL; p++) {
-			if (strncasecmp(p->name, text, len) == 0)
-				break;
-		}
-		if (p->name == NULL)
-			return (DNS_R_UNKNOWNFLAG);
-		value |= p->value;
-#ifdef notyet
-		if ((mask & p->mask) != 0)
-			warn("overlapping key flags");
-#endif
-		mask |= p->mask;
-		text += len;
-		if (delim != NULL)
-			text++; /* Skip "|" */
-	}
-	*flagsp = value;
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * This uses lots of hard coded values, but how often do we actually
- * add classes?
- */
-isc_result_t
-dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
-#define COMPARE(string, rdclass) \
-	if (((sizeof(string) - 1) == source->length) \
-	    && (strncasecmp(source->base, string, source->length) == 0)) { \
-		*classp = rdclass; \
-		return (ISC_R_SUCCESS); \
-	}
-
-	switch (tolower((unsigned char)source->base[0])) {
-	case 'a':
-		COMPARE("any", dns_rdataclass_any);
-		break;
-	case 'c':
-		/*
-		 * RFC1035 says the mnemonic for the CHAOS class is CH,
-		 * but historical BIND practice is to call it CHAOS.
-		 * We will accept both forms, but only generate CH.
-		 */
-		COMPARE("ch", dns_rdataclass_chaos);
-		COMPARE("chaos", dns_rdataclass_chaos);
-
-		if (source->length > 5 &&
-		    source->length < (5 + sizeof("65000")) &&
-		    strncasecmp("class", source->base, 5) == 0) {
-			char buf[sizeof("65000")];
-			char *endp;
-			unsigned int val;
-
-			strncpy(buf, source->base + 5, source->length - 5);
-			buf[source->length - 5] = '\0';
-			val = strtoul(buf, &endp, 10);
-			if (*endp == '\0' && val <= 0xffff) {
-				*classp = (dns_rdataclass_t)val;
-				return (ISC_R_SUCCESS);
-			}
-		}
-		break;
-	case 'h':
-		COMPARE("hs", dns_rdataclass_hs);
-		COMPARE("hesiod", dns_rdataclass_hs);
-		break;
-	case 'i':
-		COMPARE("in", dns_rdataclass_in);
-		break;
-	case 'n':
-		COMPARE("none", dns_rdataclass_none);
-		break;
-	case 'r':
-		COMPARE("reserved0", dns_rdataclass_reserved0);
-		break;
-	}
-
-#undef COMPARE
-
-	return (DNS_R_UNKNOWN);
-}
-
-isc_result_t
-dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
-	char buf[sizeof("CLASS65535")];
-
-	switch (rdclass) {
-	case dns_rdataclass_any:
-		return (str_totext("ANY", target));
-	case dns_rdataclass_chaos:
-		return (str_totext("CH", target));
-	case dns_rdataclass_hs:
-		return (str_totext("HS", target));
-	case dns_rdataclass_in:
-		return (str_totext("IN", target));
-	case dns_rdataclass_none:
-		return (str_totext("NONE", target));
-	case dns_rdataclass_reserved0:
-		return (str_totext("RESERVED0", target));
-	default:
-		snprintf(buf, sizeof(buf), "CLASS%u", rdclass);
-		return (str_totext(buf, target));
-	}
-}
-
-void
-dns_rdataclass_format(dns_rdataclass_t rdclass,
-		      char *array, unsigned int size)
-{
-	isc_result_t result;
-	isc_buffer_t buf;
-
-	if (size == 0U)
-		return;
-
-	isc_buffer_init(&buf, array, size);
-	result = dns_rdataclass_totext(rdclass, &buf);
-	/*
-	 * Null terminate.
-	 */
-	if (result == ISC_R_SUCCESS) {
-		if (isc_buffer_availablelength(&buf) >= 1)
-			isc_buffer_putuint8(&buf, 0);
-		else
-			result = ISC_R_NOSPACE;
-	}
-	if (result != ISC_R_SUCCESS)
-		strlcpy(array, "<unknown>", size);
-}
diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c
deleted file mode 100644
index a83dab4..0000000
--- a/contrib/bind9/lib/dns/rdata.c
+++ /dev/null
@@ -1,2175 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-#include <ctype.h>
-
-#include <isc/base64.h>
-#include <isc/hex.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/stdlib.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/cert.h>
-#include <dns/compress.h>
-#include <dns/enumtype.h>
-#include <dns/keyflags.h>
-#include <dns/keyvalues.h>
-#include <dns/message.h>
-#include <dns/rcode.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/secproto.h>
-#include <dns/time.h>
-#include <dns/ttl.h>
-
-#define RETERR(x) \
-	do { \
-		isc_result_t _r = (x); \
-		if (_r != ISC_R_SUCCESS) \
-			return (_r); \
-	} while (0)
-
-#define RETTOK(x) \
-	do { \
-		isc_result_t _r = (x); \
-		if (_r != ISC_R_SUCCESS) { \
-			isc_lex_ungettoken(lexer, &token); \
-			return (_r); \
-		} \
-	} while (0)
-
-#define DNS_AS_STR(t) ((t).value.as_textregion.base)
-
-#define ARGS_FROMTEXT	int rdclass, dns_rdatatype_t type, \
-			isc_lex_t *lexer, dns_name_t *origin, \
-			unsigned int options, isc_buffer_t *target, \
-			dns_rdatacallbacks_t *callbacks
-
-#define ARGS_TOTEXT	dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, \
-			isc_buffer_t *target
-
-#define ARGS_FROMWIRE	int rdclass, dns_rdatatype_t type, \
-			isc_buffer_t *source, dns_decompress_t *dctx, \
-			unsigned int options, isc_buffer_t *target
-
-#define ARGS_TOWIRE	dns_rdata_t *rdata, dns_compress_t *cctx, \
-			isc_buffer_t *target
-
-#define ARGS_COMPARE	const dns_rdata_t *rdata1, const dns_rdata_t *rdata2
-
-#define ARGS_FROMSTRUCT	int rdclass, dns_rdatatype_t type, \
-			void *source, isc_buffer_t *target
-
-#define ARGS_TOSTRUCT	dns_rdata_t *rdata, void *target, isc_mem_t *mctx
-
-#define ARGS_FREESTRUCT void *source
-
-#define ARGS_ADDLDATA	dns_rdata_t *rdata, dns_additionaldatafunc_t add, \
-			void *arg
-
-#define ARGS_DIGEST	dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg
-
-#define ARGS_CHECKOWNER dns_name_t *name, dns_rdataclass_t rdclass, \
-			dns_rdatatype_t type, isc_boolean_t wildcard
-
-#define ARGS_CHECKNAMES dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad
-
-
-/*%
- * Context structure for the totext_ functions.
- * Contains formatting options for rdata-to-text
- * conversion.
- */
-typedef struct dns_rdata_textctx {
-	dns_name_t *origin;	/*%< Current origin, or NULL. */
-	unsigned int flags;	/*%< DNS_STYLEFLAG_*  */
-	unsigned int width;	/*%< Width of rdata column. */
-	const char *linebreak;	/*%< Line break string. */
-} dns_rdata_textctx_t;
-
-static isc_result_t
-txt_totext(isc_region_t *source, isc_buffer_t *target);
-
-static isc_result_t
-txt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
-
-static isc_result_t
-txt_fromwire(isc_buffer_t *source, isc_buffer_t *target);
-
-static isc_result_t
-multitxt_totext(isc_region_t *source, isc_buffer_t *target);
-
-static isc_result_t
-multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
-
-static isc_result_t
-multitxt_fromwire(isc_buffer_t *source, isc_buffer_t *target);
-
-static isc_boolean_t
-name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target);
-
-static unsigned int
-name_length(dns_name_t *name);
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target);
-
-static isc_result_t
-inet_totext(int af, isc_region_t *src, isc_buffer_t *target);
-
-static isc_boolean_t
-buffer_empty(isc_buffer_t *source);
-
-static void
-buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region);
-
-static isc_result_t
-uint32_tobuffer(isc_uint32_t, isc_buffer_t *target);
-
-static isc_result_t
-uint16_tobuffer(isc_uint32_t, isc_buffer_t *target);
-
-static isc_result_t
-uint8_tobuffer(isc_uint32_t, isc_buffer_t *target);
-
-static isc_result_t
-name_tobuffer(dns_name_t *name, isc_buffer_t *target);
-
-static isc_uint32_t
-uint32_fromregion(isc_region_t *region);
-
-static isc_uint16_t
-uint16_fromregion(isc_region_t *region);
-
-static isc_uint8_t
-uint8_fromregion(isc_region_t *region);
-
-static isc_uint8_t
-uint8_consume_fromregion(isc_region_t *region);
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
-
-static int
-hexvalue(char value);
-
-static int
-decvalue(char value);
-
-static isc_result_t
-btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target);
-
-static isc_result_t
-atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target);
-
-static void
-default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *, ...)
-     ISC_FORMAT_PRINTF(2, 3);
-
-static void
-fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
-	       dns_rdatacallbacks_t *callbacks, const char *name,
-	       unsigned long line, isc_token_t *token, isc_result_t result);
-
-static void
-fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks);
-
-static isc_result_t
-rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
-	     isc_buffer_t *target);
-
-static void
-warn_badname(dns_name_t *name, isc_lex_t *lexer,
-	     dns_rdatacallbacks_t *callbacks);
-
-static void
-warn_badmx(isc_token_t *token, isc_lex_t *lexer,
-	   dns_rdatacallbacks_t *callbacks);
-
-static isc_uint16_t
-uint16_consume_fromregion(isc_region_t *region);
-
-static isc_result_t
-unknown_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
-	       isc_buffer_t *target);
-
-/*% INT16 Size */
-#define NS_INT16SZ	2
-/*% IPv6 Address Size */
-#define NS_LOCATORSZ	8
-
-/*%
- *	convert presentation level address to network order binary form.
- * \return
- *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * \note
- *	(1) does not touch `dst' unless it's returning 1.
- */
-static inline int
-locator_pton(const char *src, unsigned char *dst) {
-	static const char xdigits_l[] = "0123456789abcdef",
-			  xdigits_u[] = "0123456789ABCDEF";
-	unsigned char tmp[NS_LOCATORSZ];
-	unsigned char *tp = tmp, *endp;
-	const char *xdigits;
-	int ch, seen_xdigits;
-	unsigned int val;
-
-	memset(tp, '\0', NS_LOCATORSZ);
-	endp = tp + NS_LOCATORSZ;
-	seen_xdigits = 0;
-	val = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		pch = strchr((xdigits = xdigits_l), ch);
-		if (pch == NULL)
-			pch = strchr((xdigits = xdigits_u), ch);
-		if (pch != NULL) {
-			val <<= 4;
-			val |= (pch - xdigits);
-			if (++seen_xdigits > 4)
-				return (0);
-			continue;
-		}
-		if (ch == ':') {
-			if (!seen_xdigits)
-				return (0);
-			if (tp + NS_INT16SZ > endp)
-				return (0);
-			*tp++ = (unsigned char) (val >> 8) & 0xff;
-			*tp++ = (unsigned char) val & 0xff;
-			seen_xdigits = 0;
-			val = 0;
-			continue;
-		}
-		return (0);
-	}
-	if (seen_xdigits) {
-		if (tp + NS_INT16SZ > endp)
-			return (0);
-		*tp++ = (unsigned char) (val >> 8) & 0xff;
-		*tp++ = (unsigned char) val & 0xff;
-	}
-	if (tp != endp)
-		return (0);
-	memcpy(dst, tmp, NS_LOCATORSZ);
-	return (1);
-}
-
-static inline int
-getquad(const void *src, struct in_addr *dst,
-	isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks)
-{
-	int result;
-	struct in_addr *tmp;
-
-	result = inet_aton(src, dst);
-	if (result == 1 && callbacks != NULL &&
-	    inet_pton(AF_INET, src, &tmp) != 1) {
-		const char *name = isc_lex_getsourcename(lexer);
-		if (name == NULL)
-			name = "UNKNOWN";
-		(*callbacks->warn)(callbacks, "%s:%lu: \"%s\" "
-				   "is not a decimal dotted quad", name,
-				   isc_lex_getsourceline(lexer), src);
-	}
-	return (result);
-}
-
-static inline isc_result_t
-name_duporclone(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
-
-	if (mctx != NULL)
-		return (dns_name_dup(source, mctx, target));
-	dns_name_clone(source, target);
-	return (ISC_R_SUCCESS);
-}
-
-static inline void *
-mem_maybedup(isc_mem_t *mctx, void *source, size_t length) {
-	void *new;
-
-	if (mctx == NULL)
-		return (source);
-	new = isc_mem_allocate(mctx, length);
-	if (new != NULL)
-		memcpy(new, source, length);
-
-	return (new);
-}
-
-static const char hexdigits[] = "0123456789abcdef";
-static const char decdigits[] = "0123456789";
-
-#include "code.h"
-
-#define META 0x0001
-#define RESERVED 0x0002
-
-/***
- *** Initialization
- ***/
-
-void
-dns_rdata_init(dns_rdata_t *rdata) {
-
-	REQUIRE(rdata != NULL);
-
-	rdata->data = NULL;
-	rdata->length = 0;
-	rdata->rdclass = 0;
-	rdata->type = 0;
-	rdata->flags = 0;
-	ISC_LINK_INIT(rdata, link);
-	/* ISC_LIST_INIT(rdata->list); */
-}
-
-void
-dns_rdata_reset(dns_rdata_t *rdata) {
-
-	REQUIRE(rdata != NULL);
-
-	REQUIRE(!ISC_LINK_LINKED(rdata, link));
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
-	rdata->data = NULL;
-	rdata->length = 0;
-	rdata->rdclass = 0;
-	rdata->type = 0;
-	rdata->flags = 0;
-}
-
-/***
- ***
- ***/
-
-void
-dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target) {
-
-	REQUIRE(src != NULL);
-	REQUIRE(target != NULL);
-
-	REQUIRE(DNS_RDATA_INITIALIZED(target));
-
-	REQUIRE(DNS_RDATA_VALIDFLAGS(src));
-	REQUIRE(DNS_RDATA_VALIDFLAGS(target));
-
-	target->data = src->data;
-	target->length = src->length;
-	target->rdclass = src->rdclass;
-	target->type = src->type;
-	target->flags = src->flags;
-}
-
-
-/***
- *** Comparisons
- ***/
-
-int
-dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
-	int result = 0;
-	isc_boolean_t use_default = ISC_FALSE;
-
-	REQUIRE(rdata1 != NULL);
-	REQUIRE(rdata2 != NULL);
-	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
-	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
-
-	if (rdata1->rdclass != rdata2->rdclass)
-		return (rdata1->rdclass < rdata2->rdclass ? -1 : 1);
-
-	if (rdata1->type != rdata2->type)
-		return (rdata1->type < rdata2->type ? -1 : 1);
-
-	COMPARESWITCH
-
-	if (use_default) {
-		isc_region_t r1;
-		isc_region_t r2;
-
-		dns_rdata_toregion(rdata1, &r1);
-		dns_rdata_toregion(rdata2, &r2);
-		result = isc_region_compare(&r1, &r2);
-	}
-	return (result);
-}
-
-int
-dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
-	int result = 0;
-	isc_boolean_t use_default = ISC_FALSE;
-
-	REQUIRE(rdata1 != NULL);
-	REQUIRE(rdata2 != NULL);
-	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
-	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
-
-	if (rdata1->rdclass != rdata2->rdclass)
-		return (rdata1->rdclass < rdata2->rdclass ? -1 : 1);
-
-	if (rdata1->type != rdata2->type)
-		return (rdata1->type < rdata2->type ? -1 : 1);
-
-	CASECOMPARESWITCH
-
-	if (use_default) {
-		isc_region_t r1;
-		isc_region_t r2;
-
-		dns_rdata_toregion(rdata1, &r1);
-		dns_rdata_toregion(rdata2, &r2);
-		result = isc_region_compare(&r1, &r2);
-	}
-	return (result);
-}
-
-/***
- *** Conversions
- ***/
-
-void
-dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
-		     dns_rdatatype_t type, isc_region_t *r)
-{
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
-	REQUIRE(r != NULL);
-
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
-	rdata->data = r->base;
-	rdata->length = r->length;
-	rdata->rdclass = rdclass;
-	rdata->type = type;
-	rdata->flags = 0;
-}
-
-void
-dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r) {
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(r != NULL);
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
-	r->base = rdata->data;
-	r->length = rdata->length;
-}
-
-isc_result_t
-dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
-		   dns_rdatatype_t type, isc_buffer_t *source,
-		   dns_decompress_t *dctx, unsigned int options,
-		   isc_buffer_t *target)
-{
-	isc_result_t result = ISC_R_NOTIMPLEMENTED;
-	isc_region_t region;
-	isc_buffer_t ss;
-	isc_buffer_t st;
-	isc_boolean_t use_default = ISC_FALSE;
-	isc_uint32_t activelength;
-	size_t length;
-
-	REQUIRE(dctx != NULL);
-	if (rdata != NULL) {
-		REQUIRE(DNS_RDATA_INITIALIZED(rdata));
-		REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-	}
-	REQUIRE(source != NULL);
-	REQUIRE(target != NULL);
-
-	if (type == 0)
-		return (DNS_R_FORMERR);
-
-	ss = *source;
-	st = *target;
-
-	activelength = isc_buffer_activelength(source);
-	INSIST(activelength < 65536);
-
-	FROMWIRESWITCH
-
-	if (use_default) {
-		if (activelength > isc_buffer_availablelength(target))
-			result = ISC_R_NOSPACE;
-		else {
-			isc_buffer_putmem(target, isc_buffer_current(source),
-					  activelength);
-			isc_buffer_forward(source, activelength);
-			result = ISC_R_SUCCESS;
-		}
-	}
-
-	/*
-	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
-	 * as we cannot transmit it.
-	 */
-	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
-	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
-		result = DNS_R_FORMERR;
-
-	/*
-	 * We should have consumed all of our buffer.
-	 */
-	if (result == ISC_R_SUCCESS && !buffer_empty(source))
-		result = DNS_R_EXTRADATA;
-
-	if (rdata != NULL && result == ISC_R_SUCCESS) {
-		region.base = isc_buffer_used(&st);
-		region.length = length;
-		dns_rdata_fromregion(rdata, rdclass, type, &region);
-	}
-
-	if (result != ISC_R_SUCCESS) {
-		*source = ss;
-		*target = st;
-	}
-	return (result);
-}
-
-isc_result_t
-dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
-		 isc_buffer_t *target)
-{
-	isc_result_t result = ISC_R_NOTIMPLEMENTED;
-	isc_boolean_t use_default = ISC_FALSE;
-	isc_region_t tr;
-	isc_buffer_t st;
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
-	/*
-	 * Some DynDNS meta-RRs have empty rdata.
-	 */
-	if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
-		INSIST(rdata->length == 0);
-		return (ISC_R_SUCCESS);
-	}
-
-	st = *target;
-
-	TOWIRESWITCH
-
-	if (use_default) {
-		isc_buffer_availableregion(target, &tr);
-		if (tr.length < rdata->length)
-			return (ISC_R_NOSPACE);
-		memcpy(tr.base, rdata->data, rdata->length);
-		isc_buffer_add(target, rdata->length);
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS) {
-		*target = st;
-		INSIST(target->used < 65536);
-		dns_compress_rollback(cctx, (isc_uint16_t)target->used);
-	}
-	return (result);
-}
-
-/*
- * If the binary data in 'src' is valid uncompressed wire format
- * rdata of class 'rdclass' and type 'type', return ISC_R_SUCCESS
- * and copy the validated rdata to 'dest'.  Otherwise return an error.
- */
-static isc_result_t
-rdata_validate(isc_buffer_t *src, isc_buffer_t *dest, dns_rdataclass_t rdclass,
-	    dns_rdatatype_t type)
-{
-	dns_decompress_t dctx;
-	isc_result_t result;
-
-	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
-	isc_buffer_setactive(src, isc_buffer_usedlength(src));
-	result = dns_rdata_fromwire(NULL, rdclass, type, src, &dctx, 0, dest);
-	dns_decompress_invalidate(&dctx);
-
-	return (result);
-}
-
-static isc_result_t
-unknown_fromtext(dns_rdataclass_t rdclass, dns_rdatatype_t type,
-		 isc_lex_t *lexer, isc_mem_t *mctx, isc_buffer_t *target)
-{
-	isc_result_t result;
-	isc_buffer_t *buf = NULL;
-	isc_token_t token;
-
-	if (type == 0 || dns_rdatatype_ismeta(type))
-		return (DNS_R_METATYPE);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-					ISC_FALSE));
-	if (token.value.as_ulong > 65535U)
-		return (ISC_R_RANGE);
-	result = isc_buffer_allocate(mctx, &buf, token.value.as_ulong);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = isc_hex_tobuffer(lexer, buf,
-				  (unsigned int)token.value.as_ulong);
-	if (result != ISC_R_SUCCESS)
-	       goto failure;
-	if (isc_buffer_usedlength(buf) != token.value.as_ulong) {
-		result = ISC_R_UNEXPECTEDEND;
-		goto failure;
-	}
-
-	if (dns_rdatatype_isknown(type)) {
-		result = rdata_validate(buf, target, rdclass, type);
-	} else {
-		isc_region_t r;
-		isc_buffer_usedregion(buf, &r);
-		result = isc_buffer_copyregion(target, &r);
-	}
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	isc_buffer_free(&buf);
-	return (ISC_R_SUCCESS);
-
- failure:
-	isc_buffer_free(&buf);
-	return (result);
-}
-
-isc_result_t
-dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
-		   dns_rdatatype_t type, isc_lex_t *lexer,
-		   dns_name_t *origin, unsigned int options, isc_mem_t *mctx,
-		   isc_buffer_t *target, dns_rdatacallbacks_t *callbacks)
-{
-	isc_result_t result = ISC_R_NOTIMPLEMENTED;
-	isc_region_t region;
-	isc_buffer_t st;
-	isc_token_t token;
-	unsigned int lexoptions = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
-				  ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
-	char *name;
-	unsigned long line;
-	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
-	isc_result_t tresult;
-	size_t length;
-	isc_boolean_t unknown;
-
-	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
-	if (rdata != NULL) {
-		REQUIRE(DNS_RDATA_INITIALIZED(rdata));
-		REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-	}
-	if (callbacks != NULL) {
-		REQUIRE(callbacks->warn != NULL);
-		REQUIRE(callbacks->error != NULL);
-	}
-
-	st = *target;
-
-	if (callbacks != NULL)
-		callback = callbacks->error;
-	else
-		callback = default_fromtext_callback;
-
-	result = isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
-					ISC_FALSE);
-	if (result != ISC_R_SUCCESS) {
-		name = isc_lex_getsourcename(lexer);
-		line = isc_lex_getsourceline(lexer);
-		fromtext_error(callback, callbacks, name, line, NULL, result);
-		return (result);
-	}
-
-	unknown = ISC_FALSE;
-	if (token.type == isc_tokentype_string &&
-	    strcmp(DNS_AS_STR(token), "\\#") == 0) {
-		/*
-		 * If this is a TXT record '\#' could be a escaped '#'.
-		 * Look to see if the next token is a number and if so
-		 * treat it as a unknown record format.
-		 */
-		if (type == dns_rdatatype_txt) {
-			result = isc_lex_getmastertoken(lexer, &token,
-							isc_tokentype_number,
-							ISC_FALSE);
-			if (result == ISC_R_SUCCESS)
-				isc_lex_ungettoken(lexer, &token);
-		}
-
-		if (result == ISC_R_SUCCESS) {
-			unknown = ISC_TRUE;
-			result = unknown_fromtext(rdclass, type, lexer,
-						  mctx, target);
-		} else
-			options |= DNS_RDATA_UNKNOWNESCAPE;
-	} else
-		isc_lex_ungettoken(lexer, &token);
-
-	if (!unknown)
-		FROMTEXTSWITCH
-
-	/*
-	 * Consume to end of line / file.
-	 * If not at end of line initially set error code.
-	 * Call callback via fromtext_error once if there was an error.
-	 */
-	do {
-		name = isc_lex_getsourcename(lexer);
-		line = isc_lex_getsourceline(lexer);
-		tresult = isc_lex_gettoken(lexer, lexoptions, &token);
-		if (tresult != ISC_R_SUCCESS) {
-			if (result == ISC_R_SUCCESS)
-				result = tresult;
-			if (callback != NULL)
-				fromtext_error(callback, callbacks, name,
-					       line, NULL, result);
-			break;
-		} else if (token.type != isc_tokentype_eol &&
-			   token.type != isc_tokentype_eof) {
-			if (result == ISC_R_SUCCESS)
-				result = DNS_R_EXTRATOKEN;
-			if (callback != NULL) {
-				fromtext_error(callback, callbacks, name,
-					       line, &token, result);
-				callback = NULL;
-			}
-		} else if (result != ISC_R_SUCCESS && callback != NULL) {
-			fromtext_error(callback, callbacks, name, line,
-				       &token, result);
-			break;
-		} else {
-			if (token.type == isc_tokentype_eof)
-				fromtext_warneof(lexer, callbacks);
-			break;
-		}
-	} while (1);
-
-	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
-	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
-		result = ISC_R_NOSPACE;
-
-	if (rdata != NULL && result == ISC_R_SUCCESS) {
-		region.base = isc_buffer_used(&st);
-		region.length = length;
-		dns_rdata_fromregion(rdata, rdclass, type, &region);
-	}
-	if (result != ISC_R_SUCCESS) {
-		*target = st;
-	}
-	return (result);
-}
-
-static isc_result_t
-unknown_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
-	       isc_buffer_t *target)
-{
-	isc_result_t result;
-	char buf[sizeof("65535")];
-	isc_region_t sr;
-
-	strlcpy(buf, "\\# ", sizeof(buf));
-	result = str_totext(buf, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_rdata_toregion(rdata, &sr);
-	INSIST(sr.length < 65536);
-	snprintf(buf, sizeof(buf), "%u", sr.length);
-	result = str_totext(buf, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (sr.length != 0U) {
-		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-			result = str_totext(" ( ", target);
-		else
-			result = str_totext(" ", target);
-
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		if (tctx->width == 0) /* No splitting */
-			result = isc_hex_totext(&sr, 0, "", target);
-		else
-			result = isc_hex_totext(&sr, tctx->width - 2,
-						tctx->linebreak,
-						target);
-		if (result == ISC_R_SUCCESS &&
-		    (tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-			result = str_totext(" )", target);
-	}
-	return (result);
-}
-
-static isc_result_t
-rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
-	     isc_buffer_t *target)
-{
-	isc_result_t result = ISC_R_NOTIMPLEMENTED;
-	isc_boolean_t use_default = ISC_FALSE;
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(tctx->origin == NULL ||
-		dns_name_isabsolute(tctx->origin) == ISC_TRUE);
-
-	/*
-	 * Some DynDNS meta-RRs have empty rdata.
-	 */
-	if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
-		INSIST(rdata->length == 0);
-		return (ISC_R_SUCCESS);
-	}
-
-	TOTEXTSWITCH
-
-	if (use_default)
-		result = unknown_totext(rdata, tctx, target);
-
-	return (result);
-}
-
-isc_result_t
-dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target)
-{
-	dns_rdata_textctx_t tctx;
-
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
-	/*
-	 * Set up formatting options for single-line output.
-	 */
-	tctx.origin = origin;
-	tctx.flags = 0;
-	tctx.width = 60;
-	tctx.linebreak = " ";
-	return (rdata_totext(rdata, &tctx, target));
-}
-
-isc_result_t
-dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin,
-		    unsigned int flags, unsigned int width,
-		    unsigned int split_width, const char *linebreak,
-		    isc_buffer_t *target)
-{
-	dns_rdata_textctx_t tctx;
-
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
-	/*
-	 * Set up formatting options for formatted output.
-	 */
-	tctx.origin = origin;
-	tctx.flags = flags;
-	if (split_width == 0xffffffff)
-		tctx.width = width;
-	else
-		tctx.width = split_width;
-
-	if ((flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		tctx.linebreak = linebreak;
-	else {
-		if (split_width == 0xffffffff)
-			tctx.width = 60; /* Used for hex word length only. */
-		tctx.linebreak = " ";
-	}
-	return (rdata_totext(rdata, &tctx, target));
-}
-
-isc_result_t
-dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
-		     dns_rdatatype_t type, void *source,
-		     isc_buffer_t *target)
-{
-	isc_result_t result = ISC_R_NOTIMPLEMENTED;
-	isc_buffer_t st;
-	isc_region_t region;
-	isc_boolean_t use_default = ISC_FALSE;
-	size_t length;
-
-	REQUIRE(source != NULL);
-	if (rdata != NULL) {
-		REQUIRE(DNS_RDATA_INITIALIZED(rdata));
-		REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-	}
-
-	st = *target;
-
-	FROMSTRUCTSWITCH
-
-	if (use_default)
-		(void)NULL;
-
-	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
-	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
-		result = ISC_R_NOSPACE;
-
-	if (rdata != NULL && result == ISC_R_SUCCESS) {
-		region.base = isc_buffer_used(&st);
-		region.length = length;
-		dns_rdata_fromregion(rdata, rdclass, type, &region);
-	}
-	if (result != ISC_R_SUCCESS)
-		*target = st;
-	return (result);
-}
-
-isc_result_t
-dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	isc_result_t result = ISC_R_NOTIMPLEMENTED;
-	isc_boolean_t use_default = ISC_FALSE;
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
-	TOSTRUCTSWITCH
-
-	if (use_default)
-		(void)NULL;
-
-	return (result);
-}
-
-void
-dns_rdata_freestruct(void *source) {
-	dns_rdatacommon_t *common = source;
-	REQUIRE(source != NULL);
-
-	FREESTRUCTSWITCH
-}
-
-isc_result_t
-dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
-			 void *arg)
-{
-	isc_result_t result = ISC_R_NOTIMPLEMENTED;
-	isc_boolean_t use_default = ISC_FALSE;
-
-	/*
-	 * Call 'add' for each name and type from 'rdata' which is subject to
-	 * additional section processing.
-	 */
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(add != NULL);
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
-	ADDITIONALDATASWITCH
-
-	/* No additional processing for unknown types */
-	if (use_default)
-		result = ISC_R_SUCCESS;
-
-	return (result);
-}
-
-isc_result_t
-dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
-	isc_result_t result = ISC_R_NOTIMPLEMENTED;
-	isc_boolean_t use_default = ISC_FALSE;
-	isc_region_t r;
-
-	/*
-	 * Send 'rdata' in DNSSEC canonical form to 'digest'.
-	 */
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(digest != NULL);
-	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
-	DIGESTSWITCH
-
-	if (use_default) {
-		dns_rdata_toregion(rdata, &r);
-		result = (digest)(arg, &r);
-	}
-
-	return (result);
-}
-
-isc_boolean_t
-dns_rdata_checkowner(dns_name_t *name, dns_rdataclass_t rdclass,
-		     dns_rdatatype_t type, isc_boolean_t wildcard)
-{
-	isc_boolean_t result;
-
-	CHECKOWNERSWITCH
-	return (result);
-}
-
-isc_boolean_t
-dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad)
-{
-	isc_boolean_t result;
-
-	CHECKNAMESSWITCH
-	return (result);
-}
-
-unsigned int
-dns_rdatatype_attributes(dns_rdatatype_t type)
-{
-	RDATATYPE_ATTRIBUTE_SW
-	if (type >= (dns_rdatatype_t)128 && type < (dns_rdatatype_t)255)
-		return (DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META);
-	return (DNS_RDATATYPEATTR_UNKNOWN);
-}
-
-isc_result_t
-dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
-	unsigned int hash;
-	unsigned int n;
-	unsigned char a, b;
-
-	n = source->length;
-
-	if (n == 0)
-		return (DNS_R_UNKNOWN);
-
-	a = tolower((unsigned char)source->base[0]);
-	b = tolower((unsigned char)source->base[n - 1]);
-
-	hash = ((a + n) * b) % 256;
-
-	/*
-	 * This switch block is inlined via \#define, and will use "return"
-	 * to return a result to the caller if it is a valid (known)
-	 * rdatatype name.
-	 */
-	RDATATYPE_FROMTEXT_SW(hash, source->base, n, typep);
-
-	if (source->length > 4 && source->length < (4 + sizeof("65000")) &&
-	    strncasecmp("type", source->base, 4) == 0) {
-		char buf[sizeof("65000")];
-		char *endp;
-		unsigned int val;
-
-		strncpy(buf, source->base + 4, source->length - 4);
-		buf[source->length - 4] = '\0';
-		val = strtoul(buf, &endp, 10);
-		if (*endp == '\0' && val <= 0xffff) {
-			*typep = (dns_rdatatype_t)val;
-			return (ISC_R_SUCCESS);
-		}
-	}
-
-	return (DNS_R_UNKNOWN);
-}
-
-isc_result_t
-dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target) {
-	char buf[sizeof("TYPE65535")];
-
-	RDATATYPE_TOTEXT_SW
-	snprintf(buf, sizeof(buf), "TYPE%u", type);
-	return (str_totext(buf, target));
-}
-
-void
-dns_rdatatype_format(dns_rdatatype_t rdtype,
-		     char *array, unsigned int size)
-{
-	isc_result_t result;
-	isc_buffer_t buf;
-
-	if (size == 0U)
-		return;
-
-	isc_buffer_init(&buf, array, size);
-	result = dns_rdatatype_totext(rdtype, &buf);
-	/*
-	 * Null terminate.
-	 */
-	if (result == ISC_R_SUCCESS) {
-		if (isc_buffer_availablelength(&buf) >= 1)
-			isc_buffer_putuint8(&buf, 0);
-		else
-			result = ISC_R_NOSPACE;
-	}
-	if (result != ISC_R_SUCCESS)
-		strlcpy(array, "<unknown>", size);
-}
-
-/*
- * Private function.
- */
-
-static unsigned int
-name_length(dns_name_t *name) {
-	return (name->length);
-}
-
-static isc_result_t
-txt_totext(isc_region_t *source, isc_buffer_t *target) {
-	unsigned int tl;
-	unsigned int n;
-	unsigned char *sp;
-	char *tp;
-	isc_region_t region;
-
-	isc_buffer_availableregion(target, &region);
-	sp = source->base;
-	tp = (char *)region.base;
-	tl = region.length;
-
-	n = *sp++;
-
-	REQUIRE(n + 1 <= source->length);
-
-	if (tl < 1)
-		return (ISC_R_NOSPACE);
-	*tp++ = '"';
-	tl--;
-	while (n--) {
-		if (*sp < 0x20 || *sp >= 0x7f) {
-			if (tl < 4)
-				return (ISC_R_NOSPACE);
-			*tp++ = 0x5c;
-			*tp++ = 0x30 + ((*sp / 100) % 10);
-			*tp++ = 0x30 + ((*sp / 10) % 10);
-			*tp++ = 0x30 + (*sp % 10);
-			sp++;
-			tl -= 4;
-			continue;
-		}
-		/* double quote, semi-colon, backslash */
-		if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) {
-			if (tl < 2)
-				return (ISC_R_NOSPACE);
-			*tp++ = '\\';
-			tl--;
-		}
-		if (tl < 1)
-			return (ISC_R_NOSPACE);
-		*tp++ = *sp++;
-		tl--;
-	}
-	if (tl < 1)
-		return (ISC_R_NOSPACE);
-	*tp++ = '"';
-	tl--;
-	isc_buffer_add(target, tp - (char *)region.base);
-	isc_region_consume(source, *source->base + 1);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-txt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
-	isc_region_t tregion;
-	isc_boolean_t escape;
-	unsigned int n, nrem;
-	char *s;
-	unsigned char *t;
-	int d;
-	int c;
-
-	isc_buffer_availableregion(target, &tregion);
-	s = source->base;
-	n = source->length;
-	t = tregion.base;
-	nrem = tregion.length;
-	escape = ISC_FALSE;
-	if (nrem < 1)
-		return (ISC_R_NOSPACE);
-	/*
-	 * Length byte.
-	 */
-	nrem--;
-	t++;
-	/*
-	 * Maximum text string length.
-	 */
-	if (nrem > 255)
-		nrem = 255;
-	while (n-- != 0) {
-		c = (*s++) & 0xff;
-		if (escape && (d = decvalue((char)c)) != -1) {
-			c = d;
-			if (n == 0)
-				return (DNS_R_SYNTAX);
-			n--;
-			if ((d = decvalue(*s++)) != -1)
-				c = c * 10 + d;
-			else
-				return (DNS_R_SYNTAX);
-			if (n == 0)
-				return (DNS_R_SYNTAX);
-			n--;
-			if ((d = decvalue(*s++)) != -1)
-				c = c * 10 + d;
-			else
-				return (DNS_R_SYNTAX);
-			if (c > 255)
-				return (DNS_R_SYNTAX);
-		} else if (!escape && c == '\\') {
-			escape = ISC_TRUE;
-			continue;
-		}
-		escape = ISC_FALSE;
-		if (nrem == 0)
-			return ((tregion.length <= 256U) ?
-				ISC_R_NOSPACE : DNS_R_SYNTAX);
-		*t++ = c;
-		nrem--;
-	}
-	if (escape)
-		return (DNS_R_SYNTAX);
-	*tregion.base = t - tregion.base - 1;
-	isc_buffer_add(target, *tregion.base + 1);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
-	unsigned int n;
-	isc_region_t sregion;
-	isc_region_t tregion;
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length == 0)
-		return(ISC_R_UNEXPECTEDEND);
-	n = *sregion.base + 1;
-	if (n > sregion.length)
-		return (ISC_R_UNEXPECTEDEND);
-
-	isc_buffer_availableregion(target, &tregion);
-	if (n > tregion.length)
-		return (ISC_R_NOSPACE);
-
-	if (tregion.base != sregion.base)
-		memcpy(tregion.base, sregion.base, n);
-	isc_buffer_forward(source, n);
-	isc_buffer_add(target, n);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-multitxt_totext(isc_region_t *source, isc_buffer_t *target) {
-	unsigned int tl;
-	unsigned int n0, n;
-	unsigned char *sp;
-	char *tp;
-	isc_region_t region;
-
-	isc_buffer_availableregion(target, &region);
-	sp = source->base;
-	tp = (char *)region.base;
-	tl = region.length;
-
-	if (tl < 1)
-		return (ISC_R_NOSPACE);
-	*tp++ = '"';
-	tl--;
-	do {
-		n0 = n = *sp++;
-
-		REQUIRE(n0 + 1 <= source->length);
-
-		while (n--) {
-			if (*sp < 0x20 || *sp >= 0x7f) {
-				if (tl < 4)
-					return (ISC_R_NOSPACE);
-				*tp++ = 0x5c;
-				*tp++ = 0x30 + ((*sp / 100) % 10);
-				*tp++ = 0x30 + ((*sp / 10) % 10);
-				*tp++ = 0x30 + (*sp % 10);
-				sp++;
-				tl -= 4;
-				continue;
-			}
-			/* double quote, semi-colon, backslash */
-			if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) {
-				if (tl < 2)
-					return (ISC_R_NOSPACE);
-				*tp++ = '\\';
-				tl--;
-			}
-			if (tl < 1)
-				return (ISC_R_NOSPACE);
-			*tp++ = *sp++;
-			tl--;
-		}
-		isc_region_consume(source, n0 + 1);
-	} while (source->length != 0);
-	if (tl < 1)
-		return (ISC_R_NOSPACE);
-	*tp++ = '"';
-	tl--;
-	isc_buffer_add(target, tp - (char *)region.base);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
-	isc_region_t tregion;
-	isc_boolean_t escape;
-	unsigned int n, nrem;
-	char *s;
-	unsigned char *t0, *t;
-	int d;
-	int c;
-
-	s = source->base;
-	n = source->length;
-	escape = ISC_FALSE;
-
-	do {
-		isc_buffer_availableregion(target, &tregion);
-		t0 = tregion.base;
-		nrem = tregion.length;
-		if (nrem < 1)
-			return (ISC_R_NOSPACE);
-		/* length byte */
-		t = t0;
-		nrem--;
-		t++;
-		/* 255 byte character-string slice */
-		if (nrem > 255)
-			nrem = 255;
-		while (n != 0) {
-			--n;
-			c = (*s++) & 0xff;
-			if (escape && (d = decvalue((char)c)) != -1) {
-				c = d;
-				if (n == 0)
-					return (DNS_R_SYNTAX);
-				n--;
-				if ((d = decvalue(*s++)) != -1)
-					c = c * 10 + d;
-				else
-					return (DNS_R_SYNTAX);
-				if (n == 0)
-					return (DNS_R_SYNTAX);
-				n--;
-				if ((d = decvalue(*s++)) != -1)
-					c = c * 10 + d;
-				else
-					return (DNS_R_SYNTAX);
-				if (c > 255)
-					return (DNS_R_SYNTAX);
-			} else if (!escape && c == '\\') {
-				escape = ISC_TRUE;
-				continue;
-			}
-			escape = ISC_FALSE;
-			*t++ = c;
-			nrem--;
-			if (nrem == 0)
-				break;
-		}
-		if (escape)
-			return (DNS_R_SYNTAX);
-		*t0 = t - t0 - 1;
-		isc_buffer_add(target, *t0 + 1);
-	} while (n != 0);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-multitxt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
-	unsigned int n;
-	isc_region_t sregion;
-	isc_region_t tregion;
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length == 0)
-		return(ISC_R_UNEXPECTEDEND);
-	n = 256U;
-	do {
-		if (n != 256U)
-			return (DNS_R_SYNTAX);
-		n = *sregion.base + 1;
-		if (n > sregion.length)
-			return (ISC_R_UNEXPECTEDEND);
-
-		isc_buffer_availableregion(target, &tregion);
-		if (n > tregion.length)
-			return (ISC_R_NOSPACE);
-
-		if (tregion.base != sregion.base)
-			memcpy(tregion.base, sregion.base, n);
-		isc_buffer_forward(source, n);
-		isc_buffer_add(target, n);
-		isc_buffer_activeregion(source, &sregion);
-	} while (sregion.length != 0);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target) {
-	int l1, l2;
-
-	if (origin == NULL)
-		goto return_false;
-
-	if (dns_name_compare(origin, dns_rootname) == 0)
-		goto return_false;
-
-	if (!dns_name_issubdomain(name, origin))
-		goto return_false;
-
-	l1 = dns_name_countlabels(name);
-	l2 = dns_name_countlabels(origin);
-
-	if (l1 == l2)
-		goto return_false;
-
-	/* Master files should be case preserving. */
-	dns_name_getlabelsequence(name, l1 - l2, l2, target);
-	if (!dns_name_caseequal(origin, target))
-		goto return_false;
-
-	dns_name_getlabelsequence(name, 0, l1 - l2, target);
-	return (ISC_TRUE);
-
-return_false:
-	*target = *name;
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
-	unsigned int l;
-	isc_region_t region;
-
-	isc_buffer_availableregion(target, &region);
-	l = strlen(source);
-
-	if (l > region.length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(region.base, source, l);
-	isc_buffer_add(target, l);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-inet_totext(int af, isc_region_t *src, isc_buffer_t *target) {
-	char tmpbuf[64];
-
-	/* Note - inet_ntop doesn't do size checking on its input. */
-	if (inet_ntop(af, src->base, tmpbuf, sizeof(tmpbuf)) == NULL)
-		return (ISC_R_NOSPACE);
-	if (strlen(tmpbuf) > isc_buffer_availablelength(target))
-		return (ISC_R_NOSPACE);
-	isc_buffer_putstr(target, tmpbuf);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-buffer_empty(isc_buffer_t *source) {
-	return((source->current == source->active) ? ISC_TRUE : ISC_FALSE);
-}
-
-static void
-buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region) {
-	isc_buffer_init(buffer, region->base, region->length);
-	isc_buffer_add(buffer, region->length);
-	isc_buffer_setactive(buffer, region->length);
-}
-
-static isc_result_t
-uint32_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
-	isc_region_t region;
-
-	isc_buffer_availableregion(target, &region);
-	if (region.length < 4)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putuint32(target, value);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-uint16_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
-	isc_region_t region;
-
-	if (value > 0xffff)
-		return (ISC_R_RANGE);
-	isc_buffer_availableregion(target, &region);
-	if (region.length < 2)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putuint16(target, (isc_uint16_t)value);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-uint8_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
-	isc_region_t region;
-
-	if (value > 0xff)
-		return (ISC_R_RANGE);
-	isc_buffer_availableregion(target, &region);
-	if (region.length < 1)
-		return (ISC_R_NOSPACE);
-	isc_buffer_putuint8(target, (isc_uint8_t)value);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-name_tobuffer(dns_name_t *name, isc_buffer_t *target) {
-	isc_region_t r;
-	dns_name_toregion(name, &r);
-	return (isc_buffer_copyregion(target, &r));
-}
-
-static isc_uint32_t
-uint32_fromregion(isc_region_t *region) {
-	isc_uint32_t value;
-
-	REQUIRE(region->length >= 4);
-	value = region->base[0] << 24;
-	value |= region->base[1] << 16;
-	value |= region->base[2] << 8;
-	value |= region->base[3];
-	return(value);
-}
-
-static isc_uint16_t
-uint16_consume_fromregion(isc_region_t *region) {
-	isc_uint16_t r = uint16_fromregion(region);
-
-	isc_region_consume(region, 2);
-	return r;
-}
-
-static isc_uint16_t
-uint16_fromregion(isc_region_t *region) {
-
-	REQUIRE(region->length >= 2);
-
-	return ((region->base[0] << 8) | region->base[1]);
-}
-
-static isc_uint8_t
-uint8_fromregion(isc_region_t *region) {
-
-	REQUIRE(region->length >= 1);
-
-	return (region->base[0]);
-}
-
-static isc_uint8_t
-uint8_consume_fromregion(isc_region_t *region) {
-	isc_uint8_t r = uint8_fromregion(region);
-
-	isc_region_consume(region, 1);
-	return r;
-}
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
-	isc_region_t tr;
-
-	isc_buffer_availableregion(target, &tr);
-	if (length > tr.length)
-		return (ISC_R_NOSPACE);
-	if (tr.base != base)
-		memcpy(tr.base, base, length);
-	isc_buffer_add(target, length);
-	return (ISC_R_SUCCESS);
-}
-
-static int
-hexvalue(char value) {
-	char *s;
-	unsigned char c;
-
-	c = (unsigned char)value;
-
-	if (!isascii(c))
-		return (-1);
-	if (isupper(c))
-		c = tolower(c);
-	if ((s = strchr(hexdigits, c)) == NULL)
-		return (-1);
-	return (s - hexdigits);
-}
-
-static int
-decvalue(char value) {
-	char *s;
-
-	/*
-	 * isascii() is valid for full range of int values, no need to
-	 * mask or cast.
-	 */
-	if (!isascii(value))
-		return (-1);
-	if ((s = strchr(decdigits, value)) == NULL)
-		return (-1);
-	return (s - decdigits);
-}
-
-static const char atob_digits[86] =
-	"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`" \
-	"abcdefghijklmnopqrstu";
-/*
- * Subroutines to convert between 8 bit binary bytes and printable ASCII.
- * Computes the number of bytes, and three kinds of simple checksums.
- * Incoming bytes are collected into 32-bit words, then printed in base 85:
- *	exp(85,5) > exp(2,32)
- * The ASCII characters used are between '!' and 'u';
- * 'z' encodes 32-bit zero; 'x' is used to mark the end of encoded data.
- *
- * Originally by Paul Rutter (philabs!per) and Joe Orost (petsd!joe) for
- * the atob/btoa programs, released with the compress program, in mod.sources.
- * Modified by Mike Schwartz 8/19/86 for use in BIND.
- * Modified to be re-entrant 3/2/99.
- */
-
-
-struct state {
-	isc_int32_t Ceor;
-	isc_int32_t Csum;
-	isc_int32_t Crot;
-	isc_int32_t word;
-	isc_int32_t bcount;
-};
-
-#define Ceor state->Ceor
-#define Csum state->Csum
-#define Crot state->Crot
-#define word state->word
-#define bcount state->bcount
-
-#define times85(x)	((((((x<<2)+x)<<2)+x)<<2)+x)
-
-static isc_result_t	byte_atob(int c, isc_buffer_t *target,
-				  struct state *state);
-static isc_result_t	putbyte(int c, isc_buffer_t *, struct state *state);
-static isc_result_t	byte_btoa(int c, isc_buffer_t *, struct state *state);
-
-/*
- * Decode ASCII-encoded byte c into binary representation and
- * place into *bufp, advancing bufp.
- */
-static isc_result_t
-byte_atob(int c, isc_buffer_t *target, struct state *state) {
-	char *s;
-	if (c == 'z') {
-		if (bcount != 0)
-			return(DNS_R_SYNTAX);
-		else {
-			RETERR(putbyte(0, target, state));
-			RETERR(putbyte(0, target, state));
-			RETERR(putbyte(0, target, state));
-			RETERR(putbyte(0, target, state));
-		}
-	} else if ((s = strchr(atob_digits, c)) != NULL) {
-		if (bcount == 0) {
-			word = s - atob_digits;
-			++bcount;
-		} else if (bcount < 4) {
-			word = times85(word);
-			word += s - atob_digits;
-			++bcount;
-		} else {
-			word = times85(word);
-			word += s - atob_digits;
-			RETERR(putbyte((word >> 24) & 0xff, target, state));
-			RETERR(putbyte((word >> 16) & 0xff, target, state));
-			RETERR(putbyte((word >> 8) & 0xff, target, state));
-			RETERR(putbyte(word & 0xff, target, state));
-			word = 0;
-			bcount = 0;
-		}
-	} else
-		return(DNS_R_SYNTAX);
-	return(ISC_R_SUCCESS);
-}
-
-/*
- * Compute checksum info and place c into target.
- */
-static isc_result_t
-putbyte(int c, isc_buffer_t *target, struct state *state) {
-	isc_region_t tr;
-
-	Ceor ^= c;
-	Csum += c;
-	Csum += 1;
-	if ((Crot & 0x80000000)) {
-		Crot <<= 1;
-		Crot += 1;
-	} else {
-		Crot <<= 1;
-	}
-	Crot += c;
-	isc_buffer_availableregion(target, &tr);
-	if (tr.length < 1)
-		return (ISC_R_NOSPACE);
-	tr.base[0] = c;
-	isc_buffer_add(target, 1);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Read the ASCII-encoded data from inbuf, of length inbuflen, and convert
- * it into T_UNSPEC (binary data) in outbuf, not to exceed outbuflen bytes;
- * outbuflen must be divisible by 4.  (Note: this is because outbuf is filled
- * in 4 bytes at a time.  If the actual data doesn't end on an even 4-byte
- * boundary, there will be no problem...it will be padded with 0 bytes, and
- * numbytes will indicate the correct number of bytes.  The main point is
- * that since the buffer is filled in 4 bytes at a time, even if there is
- * not a full 4 bytes of data at the end, there has to be room to 0-pad the
- * data, so the buffer must be of size divisible by 4).  Place the number of
- * output bytes in numbytes, and return a failure/success status.
- */
-
-static isc_result_t
-atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target) {
-	long oeor, osum, orot;
-	struct state statebuf, *state= &statebuf;
-	isc_token_t token;
-	char c;
-	char *e;
-
-	Ceor = Csum = Crot = word = bcount = 0;
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	while (token.value.as_textregion.length != 0) {
-		if ((c = token.value.as_textregion.base[0]) == 'x') {
-			break;
-		} else
-			RETERR(byte_atob(c, target, state));
-		isc_textregion_consume(&token.value.as_textregion, 1);
-	}
-
-	/*
-	 * Number of bytes.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if ((token.value.as_ulong % 4) != 0U)
-		isc_buffer_subtract(target,  4 - (token.value.as_ulong % 4));
-
-	/*
-	 * Checksum.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	oeor = strtol(DNS_AS_STR(token), &e, 16);
-	if (*e != 0)
-		return (DNS_R_SYNTAX);
-
-	/*
-	 * Checksum.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	osum = strtol(DNS_AS_STR(token), &e, 16);
-	if (*e != 0)
-		return (DNS_R_SYNTAX);
-
-	/*
-	 * Checksum.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	orot = strtol(DNS_AS_STR(token), &e, 16);
-	if (*e != 0)
-		return (DNS_R_SYNTAX);
-
-	if ((oeor != Ceor) || (osum != Csum) || (orot != Crot))
-		return(DNS_R_BADCKSUM);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Encode binary byte c into ASCII representation and place into *bufp,
- * advancing bufp.
- */
-static isc_result_t
-byte_btoa(int c, isc_buffer_t *target, struct state *state) {
-	isc_region_t tr;
-
-	isc_buffer_availableregion(target, &tr);
-	Ceor ^= c;
-	Csum += c;
-	Csum += 1;
-	if ((Crot & 0x80000000)) {
-		Crot <<= 1;
-		Crot += 1;
-	} else {
-		Crot <<= 1;
-	}
-	Crot += c;
-
-	word <<= 8;
-	word |= c;
-	if (bcount == 3) {
-		if (word == 0) {
-			if (tr.length < 1)
-				return (ISC_R_NOSPACE);
-			tr.base[0] = 'z';
-			isc_buffer_add(target, 1);
-		} else {
-		    register int tmp = 0;
-		    register isc_int32_t tmpword = word;
-
-		    if (tmpword < 0) {
-			   /*
-			    * Because some don't support u_long.
-			    */
-			tmp = 32;
-			tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
-		    }
-		    if (tmpword < 0) {
-			tmp = 64;
-			tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
-		    }
-			if (tr.length < 5)
-				return (ISC_R_NOSPACE);
-			tr.base[0] = atob_digits[(tmpword /
-					      (isc_int32_t)(85 * 85 * 85 * 85))
-						+ tmp];
-			tmpword %= (isc_int32_t)(85 * 85 * 85 * 85);
-			tr.base[1] = atob_digits[tmpword / (85 * 85 * 85)];
-			tmpword %= (85 * 85 * 85);
-			tr.base[2] = atob_digits[tmpword / (85 * 85)];
-			tmpword %= (85 * 85);
-			tr.base[3] = atob_digits[tmpword / 85];
-			tmpword %= 85;
-			tr.base[4] = atob_digits[tmpword];
-			isc_buffer_add(target, 5);
-		}
-		bcount = 0;
-	} else {
-		bcount += 1;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-
-/*
- * Encode the binary data from inbuf, of length inbuflen, into a
- * target.  Return success/failure status
- */
-static isc_result_t
-btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target) {
-	int inc;
-	struct state statebuf, *state = &statebuf;
-	char buf[sizeof("x 2000000000 ffffffff ffffffff ffffffff")];
-
-	Ceor = Csum = Crot = word = bcount = 0;
-	for (inc = 0; inc < inbuflen; inbuf++, inc++)
-		RETERR(byte_btoa(*inbuf, target, state));
-
-	while (bcount != 0)
-		RETERR(byte_btoa(0, target, state));
-
-	/*
-	 * Put byte count and checksum information at end of buffer,
-	 * delimited by 'x'
-	 */
-	snprintf(buf, sizeof(buf), "x %d %x %x %x", inbuflen, Ceor, Csum, Crot);
-	return (str_totext(buf, target));
-}
-
-
-static void
-default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *fmt,
-			  ...)
-{
-	va_list ap;
-
-	UNUSED(callbacks);
-
-	va_start(ap, fmt);
-	vfprintf(stderr, fmt, ap);
-	va_end(ap);
-	fprintf(stderr, "\n");
-}
-
-static void
-fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks) {
-	if (isc_lex_isfile(lexer) && callbacks != NULL) {
-		const char *name = isc_lex_getsourcename(lexer);
-		if (name == NULL)
-			name = "UNKNOWN";
-		(*callbacks->warn)(callbacks,
-				   "%s:%lu: file does not end with newline",
-				   name, isc_lex_getsourceline(lexer));
-	}
-}
-
-static void
-warn_badmx(isc_token_t *token, isc_lex_t *lexer,
-	   dns_rdatacallbacks_t *callbacks)
-{
-	const char *file;
-	unsigned long line;
-
-	if (lexer != NULL) {
-		file = isc_lex_getsourcename(lexer);
-		line = isc_lex_getsourceline(lexer);
-		(*callbacks->warn)(callbacks, "%s:%u: warning: '%s': %s",
-				   file, line, DNS_AS_STR(*token),
-				   dns_result_totext(DNS_R_MXISADDRESS));
-	}
-}
-
-static void
-warn_badname(dns_name_t *name, isc_lex_t *lexer,
-	     dns_rdatacallbacks_t *callbacks)
-{
-	const char *file;
-	unsigned long line;
-	char namebuf[DNS_NAME_FORMATSIZE];
-
-	if (lexer != NULL) {
-		file = isc_lex_getsourcename(lexer);
-		line = isc_lex_getsourceline(lexer);
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		(*callbacks->warn)(callbacks, "%s:%u: warning: %s: %s",
-				   file, line, namebuf,
-				   dns_result_totext(DNS_R_BADNAME));
-	}
-}
-
-static void
-fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
-	       dns_rdatacallbacks_t *callbacks, const char *name,
-	       unsigned long line, isc_token_t *token, isc_result_t result)
-{
-	if (name == NULL)
-		name = "UNKNOWN";
-
-	if (token != NULL) {
-		switch (token->type) {
-		case isc_tokentype_eol:
-			(*callback)(callbacks, "%s: %s:%lu: near eol: %s",
-				    "dns_rdata_fromtext", name, line,
-				    dns_result_totext(result));
-			break;
-		case isc_tokentype_eof:
-			(*callback)(callbacks, "%s: %s:%lu: near eof: %s",
-				    "dns_rdata_fromtext", name, line,
-				    dns_result_totext(result));
-			break;
-		case isc_tokentype_number:
-			(*callback)(callbacks, "%s: %s:%lu: near %lu: %s",
-				    "dns_rdata_fromtext", name, line,
-				    token->value.as_ulong,
-				    dns_result_totext(result));
-			break;
-		case isc_tokentype_string:
-		case isc_tokentype_qstring:
-			(*callback)(callbacks, "%s: %s:%lu: near '%s': %s",
-				    "dns_rdata_fromtext", name, line,
-				    DNS_AS_STR(*token),
-				    dns_result_totext(result));
-			break;
-		default:
-			(*callback)(callbacks, "%s: %s:%lu: %s",
-				    "dns_rdata_fromtext", name, line,
-				    dns_result_totext(result));
-			break;
-		}
-	} else {
-		(*callback)(callbacks, "dns_rdata_fromtext: %s:%lu: %s",
-			    name, line, dns_result_totext(result));
-	}
-}
-
-dns_rdatatype_t
-dns_rdata_covers(dns_rdata_t *rdata) {
-	if (rdata->type == 46)
-		return (covers_rrsig(rdata));
-	return (covers_sig(rdata));
-}
-
-isc_boolean_t
-dns_rdatatype_ismeta(dns_rdatatype_t type) {
-	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_META) != 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_issingleton(dns_rdatatype_t type) {
-	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_SINGLETON)
-	    != 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_notquestion(dns_rdatatype_t type) {
-	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_NOTQUESTION)
-	    != 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_questiononly(dns_rdatatype_t type) {
-	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_QUESTIONONLY)
-	    != 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_atparent(dns_rdatatype_t type) {
-	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ATPARENT) != 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdataclass_ismeta(dns_rdataclass_t rdclass) {
-
-	if (rdclass == dns_rdataclass_reserved0
-	    || rdclass == dns_rdataclass_none
-	    || rdclass == dns_rdataclass_any)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);  /* Assume it is not a meta class. */
-}
-
-isc_boolean_t
-dns_rdatatype_isdnssec(dns_rdatatype_t type) {
-	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_DNSSEC) != 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_iszonecutauth(dns_rdatatype_t type) {
-	if ((dns_rdatatype_attributes(type)
-	     & (DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH))
-	    != 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_isknown(dns_rdatatype_t type) {
-	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_UNKNOWN)
-	    == 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-void
-dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type) {
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
-
-	rdata->data = NULL;
-	rdata->length = 0;
-	rdata->flags = DNS_RDATA_UPDATE;
-	rdata->type = type;
-	rdata->rdclass = dns_rdataclass_any;
-}
-
-void
-dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type) {
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
-
-	rdata->data = NULL;
-	rdata->length = 0;
-	rdata->flags = DNS_RDATA_UPDATE;
-	rdata->type = type;
-	rdata->rdclass = dns_rdataclass_none;
-}
-
-void
-dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type) {
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
-
-	rdata->data = NULL;
-	rdata->length = 0;
-	rdata->flags = DNS_RDATA_UPDATE;
-	rdata->type = type;
-	rdata->rdclass = dns_rdataclass_any;
-}
-
-void
-dns_rdata_makedelete(dns_rdata_t *rdata) {
-	REQUIRE(rdata != NULL);
-
-	rdata->rdclass = dns_rdataclass_none;
-}
-
-const char *
-dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section) {
-
-	REQUIRE(rdata != NULL);
-	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
-
-	switch (section) {
-	case DNS_SECTION_PREREQUISITE:
-		switch (rdata->rdclass) {
-		case dns_rdataclass_none:
-			switch (rdata->type) {
-			case dns_rdatatype_any:
-				return ("domain doesn't exist");
-			default:
-				return ("rrset doesn't exist");
-			}
-		case dns_rdataclass_any:
-			switch (rdata->type) {
-			case dns_rdatatype_any:
-				return ("domain exists");
-			default:
-				return ("rrset exists (value independent)");
-			}
-		default:
-			return ("rrset exists (value dependent)");
-		}
-	case DNS_SECTION_UPDATE:
-		switch (rdata->rdclass) {
-		case dns_rdataclass_none:
-			return ("delete");
-		case dns_rdataclass_any:
-			switch (rdata->type) {
-			case dns_rdatatype_any:
-				return ("delete all rrsets");
-			default:
-				return ("delete rrset");
-			}
-		default:
-			return ("add");
-		}
-	}
-	return ("invalid");
-}
diff --git a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
deleted file mode 100644
index 3f91f91..0000000
--- a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
+++ /dev/null
@@ -1,603 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */
-
-#ifndef RDATA_ANY_255_TSIG_250_C
-#define RDATA_ANY_255_TSIG_250_C
-
-#define RRTYPE_TSIG_ATTRIBUTES \
-	(DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_NOTQUESTION)
-
-static inline isc_result_t
-fromtext_any_tsig(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_uint64_t sigtime;
-	isc_buffer_t buffer;
-	dns_rcode_t rcode;
-	long i;
-	char *e;
-
-	REQUIRE(type == 250);
-	REQUIRE(rdclass == 255);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Algorithm Name.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
-	/*
-	 * Time Signed: 48 bits.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	sigtime = isc_string_touint64(DNS_AS_STR(token), &e, 10);
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	if ((sigtime >> 48) != 0)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer((isc_uint16_t)(sigtime >> 32), target));
-	RETERR(uint32_tobuffer((isc_uint32_t)(sigtime & 0xffffffffU), target));
-
-	/*
-	 * Fudge.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Signature Size.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Signature.
-	 */
-	RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
-
-	/*
-	 * Original ID.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Error.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
-				!= ISC_R_SUCCESS)
-	{
-		i = strtol(DNS_AS_STR(token), &e, 10);
-		if (*e != 0)
-			RETTOK(DNS_R_UNKNOWN);
-		if (i < 0 || i > 0xffff)
-			RETTOK(ISC_R_RANGE);
-		rcode = (dns_rcode_t)i;
-	}
-	RETERR(uint16_tobuffer(rcode, target));
-
-	/*
-	 * Other Len.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Other Data.
-	 */
-	return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
-}
-
-static inline isc_result_t
-totext_any_tsig(ARGS_TOTEXT) {
-	isc_region_t sr;
-	isc_region_t sigr;
-	char buf[sizeof(" 281474976710655 ")];
-	char *bufp;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	isc_uint64_t sigtime;
-	unsigned short n;
-
-	REQUIRE(rdata->type == 250);
-	REQUIRE(rdata->rdclass == 255);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-	/*
-	 * Algorithm Name.
-	 */
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-	dns_name_fromregion(&name, &sr);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	RETERR(dns_name_totext(&prefix, sub, target));
-	RETERR(str_totext(" ", target));
-	isc_region_consume(&sr, name_length(&name));
-
-	/*
-	 * Time Signed.
-	 */
-	sigtime = ((isc_uint64_t)sr.base[0] << 40) |
-		  ((isc_uint64_t)sr.base[1] << 32) |
-		  ((isc_uint64_t)sr.base[2] << 24) |
-		  ((isc_uint64_t)sr.base[3] << 16) |
-		  ((isc_uint64_t)sr.base[4] << 8) |
-		  (isc_uint64_t)sr.base[5];
-	isc_region_consume(&sr, 6);
-	bufp = &buf[sizeof(buf) - 1];
-	*bufp-- = 0;
-	*bufp-- = ' ';
-	do {
-		*bufp-- = decdigits[sigtime % 10];
-		sigtime /= 10;
-	} while (sigtime != 0);
-	bufp++;
-	RETERR(str_totext(bufp, target));
-
-	/*
-	 * Fudge.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Signature Size.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Signature.
-	 */
-	REQUIRE(n <= sr.length);
-	sigr = sr;
-	sigr.length = n;
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0)   /* No splitting */
-		RETERR(isc_base64_totext(&sigr, 60, "", target));
-	else
-		RETERR(isc_base64_totext(&sigr, tctx->width - 2,
-					 tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" ) ", target));
-	else
-		RETERR(str_totext(" ", target));
-	isc_region_consume(&sr, n);
-
-	/*
-	 * Original ID.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Error.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	RETERR(dns_tsigrcode_totext((dns_rcode_t)n, target));
-
-	/*
-	 * Other Size.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, " %u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Other.
-	 */
-	if (tctx->width == 0)   /* No splitting */
-		return (isc_base64_totext(&sr, 60, "", target));
-	else
-		return (isc_base64_totext(&sr, 60, " ", target));
-}
-
-static inline isc_result_t
-fromwire_any_tsig(ARGS_FROMWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-	unsigned long n;
-
-	REQUIRE(type == 250);
-	REQUIRE(rdclass == 255);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	/*
-	 * Algorithm Name.
-	 */
-	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
-	isc_buffer_activeregion(source, &sr);
-	/*
-	 * Time Signed + Fudge.
-	 */
-	if (sr.length < 8)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sr.base, 8));
-	isc_region_consume(&sr, 8);
-	isc_buffer_forward(source, 8);
-
-	/*
-	 * Signature Length + Signature.
-	 */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	n = uint16_fromregion(&sr);
-	if (sr.length < n + 2)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sr.base, n + 2));
-	isc_region_consume(&sr, n + 2);
-	isc_buffer_forward(source, n + 2);
-
-	/*
-	 * Original ID + Error.
-	 */
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sr.base,  4));
-	isc_region_consume(&sr, 4);
-	isc_buffer_forward(source, 4);
-
-	/*
-	 * Other Length + Other.
-	 */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	n = uint16_fromregion(&sr);
-	if (sr.length < n + 2)
-		return (ISC_R_UNEXPECTEDEND);
-	isc_buffer_forward(source, n + 2);
-	return (mem_tobuffer(target, sr.base, n + 2));
-}
-
-static inline isc_result_t
-towire_any_tsig(ARGS_TOWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-	dns_offsets_t offsets;
-
-	REQUIRE(rdata->type == 250);
-	REQUIRE(rdata->rdclass == 255);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_rdata_toregion(rdata, &sr);
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &sr);
-	RETERR(dns_name_towire(&name, cctx, target));
-	isc_region_consume(&sr, name_length(&name));
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_any_tsig(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 250);
-	REQUIRE(rdata1->rdclass == 255);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-	dns_name_fromregion(&name1, &r1);
-	dns_name_fromregion(&name2, &r2);
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-	isc_region_consume(&r1, name_length(&name1));
-	isc_region_consume(&r2, name_length(&name2));
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_any_tsig(ARGS_FROMSTRUCT) {
-	dns_rdata_any_tsig_t *tsig = source;
-	isc_region_t tr;
-
-	REQUIRE(type == 250);
-	REQUIRE(rdclass == 255);
-	REQUIRE(source != NULL);
-	REQUIRE(tsig->common.rdclass == rdclass);
-	REQUIRE(tsig->common.rdtype == type);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	/*
-	 * Algorithm Name.
-	 */
-	RETERR(name_tobuffer(&tsig->algorithm, target));
-
-	isc_buffer_availableregion(target, &tr);
-	if (tr.length < 6 + 2 + 2)
-		return (ISC_R_NOSPACE);
-
-	/*
-	 * Time Signed: 48 bits.
-	 */
-	RETERR(uint16_tobuffer((isc_uint16_t)(tsig->timesigned >> 32),
-			       target));
-	RETERR(uint32_tobuffer((isc_uint32_t)(tsig->timesigned & 0xffffffffU),
-			       target));
-
-	/*
-	 * Fudge.
-	 */
-	RETERR(uint16_tobuffer(tsig->fudge, target));
-
-	/*
-	 * Signature Size.
-	 */
-	RETERR(uint16_tobuffer(tsig->siglen, target));
-
-	/*
-	 * Signature.
-	 */
-	RETERR(mem_tobuffer(target, tsig->signature, tsig->siglen));
-
-	isc_buffer_availableregion(target, &tr);
-	if (tr.length < 2 + 2 + 2)
-		return (ISC_R_NOSPACE);
-
-	/*
-	 * Original ID.
-	 */
-	RETERR(uint16_tobuffer(tsig->originalid, target));
-
-	/*
-	 * Error.
-	 */
-	RETERR(uint16_tobuffer(tsig->error, target));
-
-	/*
-	 * Other Len.
-	 */
-	RETERR(uint16_tobuffer(tsig->otherlen, target));
-
-	/*
-	 * Other Data.
-	 */
-	return (mem_tobuffer(target, tsig->other, tsig->otherlen));
-}
-
-static inline isc_result_t
-tostruct_any_tsig(ARGS_TOSTRUCT) {
-	dns_rdata_any_tsig_t *tsig;
-	dns_name_t alg;
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 250);
-	REQUIRE(rdata->rdclass == 255);
-	REQUIRE(rdata->length != 0);
-
-	tsig = (dns_rdata_any_tsig_t *) target;
-	tsig->common.rdclass = rdata->rdclass;
-	tsig->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&tsig->common, link);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Algorithm Name.
-	 */
-	dns_name_init(&alg, NULL);
-	dns_name_fromregion(&alg, &sr);
-	dns_name_init(&tsig->algorithm, NULL);
-	RETERR(name_duporclone(&alg, mctx, &tsig->algorithm));
-
-	isc_region_consume(&sr, name_length(&tsig->algorithm));
-
-	/*
-	 * Time Signed.
-	 */
-	INSIST(sr.length >= 6);
-	tsig->timesigned = ((isc_uint64_t)sr.base[0] << 40) |
-			   ((isc_uint64_t)sr.base[1] << 32) |
-			   ((isc_uint64_t)sr.base[2] << 24) |
-			   ((isc_uint64_t)sr.base[3] << 16) |
-			   ((isc_uint64_t)sr.base[4] << 8) |
-			   (isc_uint64_t)sr.base[5];
-	isc_region_consume(&sr, 6);
-
-	/*
-	 * Fudge.
-	 */
-	tsig->fudge = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Signature Size.
-	 */
-	tsig->siglen = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Signature.
-	 */
-	INSIST(sr.length >= tsig->siglen);
-	tsig->signature = mem_maybedup(mctx, sr.base, tsig->siglen);
-	if (tsig->signature == NULL)
-		goto cleanup;
-	isc_region_consume(&sr, tsig->siglen);
-
-	/*
-	 * Original ID.
-	 */
-	tsig->originalid = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Error.
-	 */
-	tsig->error = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Other Size.
-	 */
-	tsig->otherlen = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Other.
-	 */
-	INSIST(sr.length == tsig->otherlen);
-	tsig->other = mem_maybedup(mctx, sr.base, tsig->otherlen);
-	if (tsig->other == NULL)
-		goto cleanup;
-
-	tsig->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL)
-		dns_name_free(&tsig->algorithm, tsig->mctx);
-	if (mctx != NULL && tsig->signature != NULL)
-		isc_mem_free(mctx, tsig->signature);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_any_tsig(ARGS_FREESTRUCT) {
-	dns_rdata_any_tsig_t *tsig = (dns_rdata_any_tsig_t *) source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(tsig->common.rdclass == 255);
-	REQUIRE(tsig->common.rdtype == 250);
-
-	if (tsig->mctx == NULL)
-		return;
-
-	dns_name_free(&tsig->algorithm, tsig->mctx);
-	if (tsig->signature != NULL)
-		isc_mem_free(tsig->mctx, tsig->signature);
-	if (tsig->other != NULL)
-		isc_mem_free(tsig->mctx, tsig->other);
-	tsig->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_any_tsig(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 250);
-	REQUIRE(rdata->rdclass == 255);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_any_tsig(ARGS_DIGEST) {
-
-	REQUIRE(rdata->type == 250);
-	REQUIRE(rdata->rdclass == 255);
-
-	UNUSED(rdata);
-	UNUSED(digest);
-	UNUSED(arg);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_boolean_t
-checkowner_any_tsig(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 250);
-	REQUIRE(rdclass == 255);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_any_tsig(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 250);
-	REQUIRE(rdata->rdclass == 250);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_any_tsig(ARGS_COMPARE) {
-	return (compare_any_tsig(rdata1, rdata2));
-}
-
-#endif	/* RDATA_ANY_255_TSIG_250_C */
diff --git a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h
deleted file mode 100644
index 0c01667..0000000
--- a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsig_250.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef ANY_255_TSIG_250_H
-#define ANY_255_TSIG_250_H 1
-
-/*% RFC2845 */
-typedef struct dns_rdata_any_tsig {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	dns_name_t		algorithm;
-	isc_uint64_t		timesigned;
-	isc_uint16_t		fudge;
-	isc_uint16_t		siglen;
-	unsigned char *		signature;
-	isc_uint16_t		originalid;
-	isc_uint16_t		error;
-	isc_uint16_t		otherlen;
-	unsigned char *		other;
-} dns_rdata_any_tsig_t;
-
-#endif /* ANY_255_TSIG_250_H */
diff --git a/contrib/bind9/lib/dns/rdata/ch_3/a_1.c b/contrib/bind9/lib/dns/rdata/ch_3/a_1.c
deleted file mode 100644
index e3f9810..0000000
--- a/contrib/bind9/lib/dns/rdata/ch_3/a_1.c
+++ /dev/null
@@ -1,320 +0,0 @@
-/*
- * Copyright (C) 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a_1.c,v 1.8 2009/12/04 22:06:37 tbox Exp $ */
-
-/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
-/* Based on generic/soa_6.c and generic/mx_15.c */
-
-#ifndef RDATA_CH_3_A_1_C
-#define RDATA_CH_3_A_1_C
-
-#include <isc/net.h>
-
-#define RRTYPE_A_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_ch_a(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == dns_rdataclass_ch); /* 3 */
-
-	UNUSED(type);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	/* get domain name */
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	if ((options & DNS_RDATA_CHECKNAMES) != 0 &&
-	    (options & DNS_RDATA_CHECKREVERSE) != 0) {
-		isc_boolean_t ok;
-		ok = dns_name_ishostname(&name, ISC_FALSE);
-		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-			RETTOK(DNS_R_BADNAME);
-		if (!ok && callbacks != NULL)
-			warn_badname(&name, lexer, callbacks);
-	}
-
-	/* 16-bit octal address */
-	RETERR(isc_lex_getoctaltoken(lexer, &token, ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	return (uint16_tobuffer(token.value.as_ulong, target));
-}
-
-static inline isc_result_t
-totext_ch_a(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	char buf[sizeof("0177777")];
-	isc_uint16_t addr;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == dns_rdataclass_ch); /* 3 */
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	isc_region_consume(&region, name_length(&name));
-	addr = uint16_fromregion(&region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	RETERR(dns_name_totext(&prefix, sub, target));
-
-	sprintf(buf, "%o", addr); /* note octal */
-	RETERR(str_totext(" ", target));
-	return (str_totext(buf, target));
-}
-
-static inline isc_result_t
-fromwire_ch_a(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-	isc_region_t tregion;
-	dns_name_t name;
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == dns_rdataclass_ch);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-
-	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
-	isc_buffer_activeregion(source, &sregion);
-	isc_buffer_availableregion(target, &tregion);
-	if (sregion.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	if (tregion.length < 2)
-		return (ISC_R_NOSPACE);
-
-	memcpy(tregion.base, sregion.base, 2);
-	isc_buffer_forward(source, 2);
-	isc_buffer_add(target, 2);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_ch_a(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t sregion;
-	isc_region_t tregion;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, offsets);
-
-	dns_rdata_toregion(rdata, &sregion);
-
-	dns_name_fromregion(&name, &sregion);
-	isc_region_consume(&sregion, name_length(&name));
-	RETERR(dns_name_towire(&name, cctx, target));
-
-	isc_buffer_availableregion(target, &tregion);
-	if (tregion.length < 2)
-		return (ISC_R_NOSPACE);
-
-	memcpy(tregion.base, sregion.base, 2);
-	isc_buffer_add(target, 2);
-	return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_ch_a(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 1);
-	REQUIRE(rdata1->rdclass == dns_rdataclass_ch);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-	isc_region_consume(&region1, name_length(&name1));
-	isc_region_consume(&region2, name_length(&name2));
-
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	order = memcmp(rdata1->data, rdata2->data, 2);
-	if (order != 0)
-		order = (order < 0) ? -1 : 1;
-	return (order);
-}
-
-static inline isc_result_t
-fromstruct_ch_a(ARGS_FROMSTRUCT) {
-	dns_rdata_ch_a_t *a = source;
-	isc_region_t region;
-
-	REQUIRE(type == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(a->common.rdtype == type);
-	REQUIRE(a->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&a->ch_addr_dom, &region);
-	RETERR(isc_buffer_copyregion(target, &region));
-
-	return (uint16_tobuffer(ntohs(a->ch_addr), target));
-}
-
-static inline isc_result_t
-tostruct_ch_a(ARGS_TOSTRUCT) {
-	dns_rdata_ch_a_t *a = target;
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
-	REQUIRE(rdata->length != 0);
-
-	a->common.rdclass = rdata->rdclass;
-	a->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&a->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	isc_region_consume(&region, name_length(&name));
-
-	dns_name_init(&a->ch_addr_dom, NULL);
-	RETERR(name_duporclone(&name, mctx, &a->ch_addr_dom));
-	a->ch_addr = htons(uint16_fromregion(&region));
-	a->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_ch_a(ARGS_FREESTRUCT) {
-	dns_rdata_ch_a_t *a = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(a->common.rdtype == 1);
-
-	if (a->mctx == NULL)
-		return;
-
-	dns_name_free(&a->ch_addr_dom, a->mctx);
-	a->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_ch_a(ARGS_ADDLDATA) {
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_ch_a(ARGS_DIGEST) {
-	isc_region_t r;
-
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-	isc_region_consume(&r, name_length(&name));
-	RETERR(dns_name_digest(&name, digest, arg));
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_ch_a(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == dns_rdataclass_ch);
-
-	UNUSED(type);
-
-	return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_ch_a(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ishostname(&name, ISC_FALSE)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_ch_a(ARGS_COMPARE) {
-	return (compare_ch_a(rdata1, rdata2));
-}
-#endif	/* RDATA_CH_3_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/ch_3/a_1.h b/contrib/bind9/lib/dns/rdata/ch_3/a_1.h
deleted file mode 100644
index a279d0e..0000000
--- a/contrib/bind9/lib/dns/rdata/ch_3/a_1.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a_1.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
-
-/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
-/* Based on generic/mx_15.h */
-
-#ifndef CH_3_A_1_H
-#define CH_3_A_1_H 1
-
-typedef isc_uint16_t ch_addr_t;
-
-typedef struct dns_rdata_ch_a {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-  	dns_name_t		ch_addr_dom; /* ch-addr domain for back mapping */
-	ch_addr_t		ch_addr; /* chaos address (16 bit) network order */
-} dns_rdata_ch_a_t;
-
-#endif /* CH_3_A_1_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
deleted file mode 100644
index 279f86c..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: afsdb_18.c,v 1.49 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
-
-/* RFC1183 */
-
-#ifndef RDATA_GENERIC_AFSDB_18_C
-#define RDATA_GENERIC_AFSDB_18_C
-
-#define RRTYPE_AFSDB_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_afsdb(ARGS_FROMTEXT) {
-	isc_token_t token;
-	isc_buffer_t buffer;
-	dns_name_t name;
-	isc_boolean_t ok;
-
-	REQUIRE(type == 18);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Subtype.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Hostname.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	ok = ISC_TRUE;
-	if ((options & DNS_RDATA_CHECKNAMES) != 0)
-		ok = dns_name_ishostname(&name, ISC_FALSE);
-	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-		RETTOK(DNS_R_BADNAME);
-	if (!ok && callbacks != NULL)
-		warn_badname(&name, lexer, callbacks);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_afsdb(ARGS_TOTEXT) {
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_region_t region;
-	char buf[sizeof("64000 ")];
-	isc_boolean_t sub;
-	unsigned int num;
-
-	REQUIRE(rdata->type == 18);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u ", num);
-	RETERR(str_totext(buf, target));
-	dns_name_fromregion(&name, &region);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_afsdb(ARGS_FROMWIRE) {
-	dns_name_t name;
-	isc_region_t sr;
-	isc_region_t tr;
-
-	REQUIRE(type == 18);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_availableregion(target, &tr);
-	if (tr.length < 2)
-		return (ISC_R_NOSPACE);
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	memcpy(tr.base, sr.base, 2);
-	isc_buffer_forward(source, 2);
-	isc_buffer_add(target, 2);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_afsdb(ARGS_TOWIRE) {
-	isc_region_t tr;
-	isc_region_t sr;
-	dns_name_t name;
-	dns_offsets_t offsets;
-
-	REQUIRE(rdata->type == 18);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	isc_buffer_availableregion(target, &tr);
-	dns_rdata_toregion(rdata, &sr);
-	if (tr.length < 2)
-		return (ISC_R_NOSPACE);
-	memcpy(tr.base, sr.base, 2);
-	isc_region_consume(&sr, 2);
-	isc_buffer_add(target, 2);
-
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &sr);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_afsdb(ARGS_COMPARE) {
-	int result;
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 18);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	result = memcmp(rdata1->data, rdata2->data, 2);
-	if (result != 0)
-		return (result < 0 ? -1 : 1);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	isc_region_consume(&region1, 2);
-	isc_region_consume(&region2, 2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_afsdb(ARGS_FROMSTRUCT) {
-	dns_rdata_afsdb_t *afsdb = source;
-	isc_region_t region;
-
-	REQUIRE(type == 18);
-	REQUIRE(source != NULL);
-	REQUIRE(afsdb->common.rdclass == rdclass);
-	REQUIRE(afsdb->common.rdtype == type);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(afsdb->subtype, target));
-	dns_name_toregion(&afsdb->server, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_afsdb(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_afsdb_t *afsdb = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 18);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	afsdb->common.rdclass = rdata->rdclass;
-	afsdb->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&afsdb->common, link);
-
-	dns_name_init(&afsdb->server, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-
-	afsdb->subtype = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-
-	RETERR(name_duporclone(&name, mctx, &afsdb->server));
-	afsdb->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_afsdb(ARGS_FREESTRUCT) {
-	dns_rdata_afsdb_t *afsdb = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(afsdb->common.rdtype == 18);
-
-	if (afsdb->mctx == NULL)
-		return;
-
-	dns_name_free(&afsdb->server, afsdb->mctx);
-	afsdb->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_afsdb(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 18);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 2);
-	dns_name_fromregion(&name, &region);
-
-	return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_afsdb(ARGS_DIGEST) {
-	isc_region_t r1, r2;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 18);
-
-	dns_rdata_toregion(rdata, &r1);
-	r2 = r1;
-	isc_region_consume(&r2, 2);
-	r1.length = 2;
-	RETERR((digest)(arg, &r1));
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r2);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_afsdb(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 18);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_afsdb(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 18);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 2);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ishostname(&name, ISC_FALSE)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_afsdb(ARGS_COMPARE) {
-	return (compare_afsdb(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_AFSDB_18_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h
deleted file mode 100644
index ccccc11..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_AFSDB_18_H
-#define GENERIC_AFSDB_18_H 1
-
-/* $Id: afsdb_18.h,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC1183 */
-
-typedef struct dns_rdata_afsdb {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		subtype;
-	dns_name_t		server;
-} dns_rdata_afsdb_t;
-
-#endif /* GENERIC_AFSDB_18_H */
-
diff --git a/contrib/bind9/lib/dns/rdata/generic/cert_37.c b/contrib/bind9/lib/dns/rdata/generic/cert_37.c
deleted file mode 100644
index a03290a..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/cert_37.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* Reviewed: Wed Mar 15 21:14:32 EST 2000 by tale */
-
-/* RFC2538 */
-
-#ifndef RDATA_GENERIC_CERT_37_C
-#define RDATA_GENERIC_CERT_37_C
-
-#define RRTYPE_CERT_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_cert(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_secalg_t secalg;
-	dns_cert_t cert;
-
-	REQUIRE(type == 37);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/*
-	 * Cert type.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_cert_fromtext(&cert, &token.value.as_textregion));
-	RETERR(uint16_tobuffer(cert, target));
-
-	/*
-	 * Key tag.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secalg_fromtext(&secalg, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &secalg, 1));
-
-	return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_cert(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("64000 ")];
-	unsigned int n;
-
-	REQUIRE(rdata->type == 37);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Type.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	RETERR(dns_cert_totext((dns_cert_t)n, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Key tag.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(dns_secalg_totext(sr.base[0], target));
-	isc_region_consume(&sr, 1);
-
-	/*
-	 * Cert.
-	 */
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0)   /* No splitting */
-		RETERR(isc_base64_totext(&sr, 60, "", target));
-	else
-		RETERR(isc_base64_totext(&sr, tctx->width - 2,
-					 tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_cert(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 37);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 5)
-		return (ISC_R_UNEXPECTEDEND);
-
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_cert(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 37);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_cert(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 37);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_cert(ARGS_FROMSTRUCT) {
-	dns_rdata_cert_t *cert = source;
-
-	REQUIRE(type == 37);
-	REQUIRE(source != NULL);
-	REQUIRE(cert->common.rdtype == type);
-	REQUIRE(cert->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(cert->type, target));
-	RETERR(uint16_tobuffer(cert->key_tag, target));
-	RETERR(uint8_tobuffer(cert->algorithm, target));
-
-	return (mem_tobuffer(target, cert->certificate, cert->length));
-}
-
-static inline isc_result_t
-tostruct_cert(ARGS_TOSTRUCT) {
-	dns_rdata_cert_t *cert = target;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 37);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	cert->common.rdclass = rdata->rdclass;
-	cert->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&cert->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-
-	cert->type = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	cert->key_tag = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	cert->algorithm = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	cert->length = region.length;
-
-	cert->certificate = mem_maybedup(mctx, region.base, region.length);
-	if (cert->certificate == NULL)
-		return (ISC_R_NOMEMORY);
-
-	cert->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_cert(ARGS_FREESTRUCT) {
-	dns_rdata_cert_t *cert = source;
-
-	REQUIRE(cert != NULL);
-	REQUIRE(cert->common.rdtype == 37);
-
-	if (cert->mctx == NULL)
-		return;
-
-	if (cert->certificate != NULL)
-		isc_mem_free(cert->mctx, cert->certificate);
-	cert->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_cert(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 37);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_cert(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 37);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_cert(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 37);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_cert(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 37);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-
-static inline int
-casecompare_cert(ARGS_COMPARE) {
-	return (compare_cert(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_CERT_37_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/cert_37.h b/contrib/bind9/lib/dns/rdata/generic/cert_37.h
deleted file mode 100644
index ddfaa4f..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/cert_37.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cert_37.h,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef GENERIC_CERT_37_H
-#define GENERIC_CERT_37_H 1
-
-/*% RFC2538 */
-typedef struct dns_rdata_cert {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		type;
-	isc_uint16_t		key_tag;
-	isc_uint8_t		algorithm;
-	isc_uint16_t		length;
-	unsigned char		*certificate;
-} dns_rdata_cert_t;
-
-#endif /* GENERIC_CERT_37_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/cname_5.c b/contrib/bind9/lib/dns/rdata/generic/cname_5.c
deleted file mode 100644
index 45a48a8..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/cname_5.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cname_5.c,v 1.49 2009/12/04 22:06:37 tbox Exp $ */
-
-/* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_CNAME_5_C
-#define RDATA_GENERIC_CNAME_5_C
-
-#define RRTYPE_CNAME_ATTRIBUTES \
-	(DNS_RDATATYPEATTR_EXCLUSIVE | DNS_RDATATYPEATTR_SINGLETON)
-
-static inline isc_result_t
-fromtext_cname(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 5);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_cname(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 5);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_cname(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 5);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_cname(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 5);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_cname(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 5);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_cname(ARGS_FROMSTRUCT) {
-	dns_rdata_cname_t *cname = source;
-	isc_region_t region;
-
-	REQUIRE(type == 5);
-	REQUIRE(source != NULL);
-	REQUIRE(cname->common.rdtype == type);
-	REQUIRE(cname->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&cname->cname, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_cname(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_cname_t *cname = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 5);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	cname->common.rdclass = rdata->rdclass;
-	cname->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&cname->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&cname->cname, NULL);
-	RETERR(name_duporclone(&name, mctx, &cname->cname));
-	cname->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_cname(ARGS_FREESTRUCT) {
-	dns_rdata_cname_t *cname = source;
-
-	REQUIRE(source != NULL);
-
-	if (cname->mctx == NULL)
-		return;
-
-	dns_name_free(&cname->cname, cname->mctx);
-	cname->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_cname(ARGS_ADDLDATA) {
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	REQUIRE(rdata->type == 5);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_cname(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 5);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_cname(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 5);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_cname(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 5);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_cname(ARGS_COMPARE) {
-	return (compare_cname(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_CNAME_5_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/cname_5.h b/contrib/bind9/lib/dns/rdata/generic/cname_5.h
deleted file mode 100644
index 516f8d3..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/cname_5.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cname_5.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef GENERIC_CNAME_5_H
-#define GENERIC_CNAME_5_H 1
-
-typedef struct dns_rdata_cname {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		cname;
-} dns_rdata_cname_t;
-
-#endif /* GENERIC_CNAME_5_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
deleted file mode 100644
index 5751ad8..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
+++ /dev/null
@@ -1,355 +0,0 @@
-/*
- * Copyright (C) 2004, 2006, 2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* draft-ietf-dnsext-delegation-signer-05.txt */
-
-#ifndef RDATA_GENERIC_DLV_32769_C
-#define RDATA_GENERIC_DLV_32769_C
-
-#define RRTYPE_DLV_ATTRIBUTES 0
-
-#include <isc/sha1.h>
-#include <isc/sha2.h>
-
-#include <dns/ds.h>
-
-
-static inline isc_result_t
-fromtext_dlv(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char c;
-	int length;
-
-	REQUIRE(type == 32769);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/*
-	 * Key tag.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Digest type.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-	c = (unsigned char) token.value.as_ulong;
-
-	/*
-	 * Digest.
-	 */
-	switch (c) {
-	case DNS_DSDIGEST_SHA1:
-		length = ISC_SHA1_DIGESTLENGTH;
-		break;
-	case DNS_DSDIGEST_SHA256:
-		length = ISC_SHA256_DIGESTLENGTH;
-		break;
-	case DNS_DSDIGEST_GOST:
-		length = ISC_GOST_DIGESTLENGTH;
-		break;
-	case DNS_DSDIGEST_SHA384:
-		length = ISC_SHA384_DIGESTLENGTH;
-		break;
-	default:
-		length = -1;
-		break;
-	}
-	return (isc_hex_tobuffer(lexer, target, length));
-}
-
-static inline isc_result_t
-totext_dlv(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("64000 ")];
-	unsigned int n;
-
-	REQUIRE(rdata->type == 32769);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Key tag.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Algorithm.
-	 */
-	n = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Digest type.
-	 */
-	n = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Digest.
-	 */
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0) /* No splitting */
-		RETERR(isc_hex_totext(&sr, 0, "", target));
-	else
-		RETERR(isc_hex_totext(&sr, tctx->width - 2,
-				      tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_dlv(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 32769);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-
-	/*
-	 * Check digest lengths if we know them.
-	 */
-	if (sr.length < 4 ||
-	    (sr.base[3] == DNS_DSDIGEST_SHA1 &&
-	     sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
-	    (sr.base[3] == DNS_DSDIGEST_SHA256 &&
-	     sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
-	    (sr.base[3] == DNS_DSDIGEST_GOST &&
-	     sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
-	    (sr.base[3] == DNS_DSDIGEST_SHA384 &&
-	     sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
-		return (ISC_R_UNEXPECTEDEND);
-
-	/*
-	 * Only copy digest lengths if we know them.
-	 * If there is extra data dns_rdata_fromwire() will
-	 * detect that.
-	 */
-	if (sr.base[3] == DNS_DSDIGEST_SHA1)
-		sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
-	else if (sr.base[3] == DNS_DSDIGEST_SHA256)
-		sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
-	else if (sr.base[3] == DNS_DSDIGEST_GOST)
-		sr.length = 4 + ISC_GOST_DIGESTLENGTH;
-	else if (sr.base[3] == DNS_DSDIGEST_SHA384)
-		sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
-
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_dlv(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 32769);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_dlv(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 32769);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_dlv(ARGS_FROMSTRUCT) {
-	dns_rdata_dlv_t *dlv = source;
-
-	REQUIRE(type == 32769);
-	REQUIRE(source != NULL);
-	REQUIRE(dlv->common.rdtype == type);
-	REQUIRE(dlv->common.rdclass == rdclass);
-	switch (dlv->digest_type) {
-	case DNS_DSDIGEST_SHA1:
-		REQUIRE(dlv->length == ISC_SHA1_DIGESTLENGTH);
-		break;
-	case DNS_DSDIGEST_SHA256:
-		REQUIRE(dlv->length == ISC_SHA256_DIGESTLENGTH);
-		break;
-	case DNS_DSDIGEST_GOST:
-		REQUIRE(dlv->length == ISC_GOST_DIGESTLENGTH);
-		break;
-	case DNS_DSDIGEST_SHA384:
-		REQUIRE(dlv->length == ISC_SHA384_DIGESTLENGTH);
-		break;
-	}
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(dlv->key_tag, target));
-	RETERR(uint8_tobuffer(dlv->algorithm, target));
-	RETERR(uint8_tobuffer(dlv->digest_type, target));
-
-	return (mem_tobuffer(target, dlv->digest, dlv->length));
-}
-
-static inline isc_result_t
-tostruct_dlv(ARGS_TOSTRUCT) {
-	dns_rdata_dlv_t *dlv = target;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 32769);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	dlv->common.rdclass = rdata->rdclass;
-	dlv->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&dlv->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-
-	dlv->key_tag = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	dlv->algorithm = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	dlv->digest_type = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	dlv->length = region.length;
-
-	dlv->digest = mem_maybedup(mctx, region.base, region.length);
-	if (dlv->digest == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dlv->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_dlv(ARGS_FREESTRUCT) {
-	dns_rdata_dlv_t *dlv = source;
-
-	REQUIRE(dlv != NULL);
-	REQUIRE(dlv->common.rdtype == 32769);
-
-	if (dlv->mctx == NULL)
-		return;
-
-	if (dlv->digest != NULL)
-		isc_mem_free(dlv->mctx, dlv->digest);
-	dlv->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_dlv(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 32769);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_dlv(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 32769);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_dlv(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 32769);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_dlv(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 32769);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_dlv(ARGS_COMPARE) {
-	return (compare_dlv(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_DLV_32769_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.h b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.h
deleted file mode 100644
index 2313c57..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dlv_32769.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
-
-/* draft-ietf-dnsext-delegation-signer-05.txt */
-#ifndef GENERIC_DLV_32769_H
-#define GENERIC_DLV_32769_H 1
-
-typedef struct dns_rdata_dlv {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		key_tag;
-	isc_uint8_t		algorithm;
-	isc_uint8_t		digest_type;
-	isc_uint16_t		length;
-	unsigned char		*digest;
-} dns_rdata_dlv_t;
-
-#endif /* GENERIC_DLV_32769_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dname_39.c b/contrib/bind9/lib/dns/rdata/generic/dname_39.c
deleted file mode 100644
index d899494..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/dname_39.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dname_39.c,v 1.40 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Wed Mar 15 16:52:38 PST 2000 by explorer */
-
-/* RFC2672 */
-
-#ifndef RDATA_GENERIC_DNAME_39_C
-#define RDATA_GENERIC_DNAME_39_C
-
-#define RRTYPE_DNAME_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
-
-static inline isc_result_t
-fromtext_dname(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 39);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_dname(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 39);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_dname(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 39);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-	return(dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_dname(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 39);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_dname(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 39);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_dname(ARGS_FROMSTRUCT) {
-	dns_rdata_dname_t *dname = source;
-	isc_region_t region;
-
-	REQUIRE(type == 39);
-	REQUIRE(source != NULL);
-	REQUIRE(dname->common.rdtype == type);
-	REQUIRE(dname->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&dname->dname, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_dname(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_dname_t *dname = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 39);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	dname->common.rdclass = rdata->rdclass;
-	dname->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&dname->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&dname->dname, NULL);
-	RETERR(name_duporclone(&name, mctx, &dname->dname));
-	dname->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_dname(ARGS_FREESTRUCT) {
-	dns_rdata_dname_t *dname = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(dname->common.rdtype == 39);
-
-	if (dname->mctx == NULL)
-		return;
-
-	dns_name_free(&dname->dname, dname->mctx);
-	dname->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_dname(ARGS_ADDLDATA) {
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	REQUIRE(rdata->type == 39);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_dname(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 39);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_dname(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 39);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_dname(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 39);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_dname(ARGS_COMPARE) {
-	return (compare_dname(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_DNAME_39_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dname_39.h b/contrib/bind9/lib/dns/rdata/generic/dname_39.h
deleted file mode 100644
index f8aca27..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/dname_39.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_DNAME_39_H
-#define GENERIC_DNAME_39_H 1
-
-/* $Id: dname_39.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief per RFC2672 */
-
-typedef struct dns_rdata_dname {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		dname;
-} dns_rdata_dname_t;
-
-#endif /* GENERIC_DNAME_39_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
deleted file mode 100644
index 688e7ac..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
+++ /dev/null
@@ -1,361 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*
- * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
- */
-
-/* RFC2535 */
-
-#ifndef RDATA_GENERIC_DNSKEY_48_C
-#define RDATA_GENERIC_DNSKEY_48_C
-
-#include <dst/dst.h>
-
-#define RRTYPE_DNSKEY_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
-
-static inline isc_result_t
-fromtext_dnskey(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_secalg_t alg;
-	dns_secproto_t proto;
-	dns_keyflags_t flags;
-
-	REQUIRE(type == 48);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/* flags */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
-	RETERR(uint16_tobuffer(flags, target));
-
-	/* protocol */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &proto, 1));
-
-	/* algorithm */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &alg, 1));
-
-	/* No Key? */
-	if ((flags & 0xc000) == 0xc000)
-		return (ISC_R_SUCCESS);
-
-	return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_dnskey(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("64000")];
-	unsigned int flags;
-	unsigned char algorithm;
-	char algbuf[DNS_NAME_FORMATSIZE];
-	const char *keyinfo;
-
-	REQUIRE(rdata->type == 48);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/* flags */
-	flags = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u", flags);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-	if ((flags & DNS_KEYFLAG_KSK) != 0) {
-		if (flags & DNS_KEYFLAG_REVOKE)
-			keyinfo = "revoked KSK";
-		else
-			keyinfo = "KSK";
-	} else
-		keyinfo = "ZSK";
-
-	/* protocol */
-	sprintf(buf, "%u", sr.base[0]);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/* algorithm */
-	algorithm = sr.base[0];
-	sprintf(buf, "%u", algorithm);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-
-	/* No Key? */
-	if ((flags & 0xc000) == 0xc000)
-		return (ISC_R_SUCCESS);
-
-	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0 &&
-	     algorithm == DNS_KEYALG_PRIVATEDNS) {
-		dns_name_t name;
-		dns_name_init(&name, NULL);
-		dns_name_fromregion(&name, &sr);
-		dns_name_format(&name, algbuf, sizeof(algbuf));
-	} else {
-		dns_secalg_format((dns_secalg_t) algorithm, algbuf,
-				  sizeof(algbuf));
-	}
-
-	/* key */
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0)   /* No splitting */
-		RETERR(isc_base64_totext(&sr, 0, "", target));
-	else
-		RETERR(isc_base64_totext(&sr, tctx->width - 2,
-					 tctx->linebreak, target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
-		RETERR(str_totext(tctx->linebreak, target));
-	else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" ", target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(")", target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
-		isc_region_t tmpr;
-
-		RETERR(str_totext(" ; ", target));
-		RETERR(str_totext(keyinfo, target));
-		RETERR(str_totext("; alg = ", target));
-		RETERR(str_totext(algbuf, target));
-		RETERR(str_totext("; key id = ", target));
-		dns_rdata_toregion(rdata, &tmpr);
-		sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
-		RETERR(str_totext(buf, target));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_dnskey(ARGS_FROMWIRE) {
-	unsigned char algorithm;
-	isc_region_t sr;
-
-	REQUIRE(type == 48);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-
-	algorithm = sr.base[3];
-	RETERR(mem_tobuffer(target, sr.base, 4));
-	isc_region_consume(&sr, 4);
-	isc_buffer_forward(source, 4);
-
-	if (algorithm == DNS_KEYALG_PRIVATEDNS) {
-		dns_name_t name;
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-		dns_name_init(&name, NULL);
-		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-	}
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_dnskey(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 48);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_dnskey(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 48);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_dnskey(ARGS_FROMSTRUCT) {
-	dns_rdata_dnskey_t *dnskey = source;
-
-	REQUIRE(type == 48);
-	REQUIRE(source != NULL);
-	REQUIRE(dnskey->common.rdtype == type);
-	REQUIRE(dnskey->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	/* Flags */
-	RETERR(uint16_tobuffer(dnskey->flags, target));
-
-	/* Protocol */
-	RETERR(uint8_tobuffer(dnskey->protocol, target));
-
-	/* Algorithm */
-	RETERR(uint8_tobuffer(dnskey->algorithm, target));
-
-	/* Data */
-	return (mem_tobuffer(target, dnskey->data, dnskey->datalen));
-}
-
-static inline isc_result_t
-tostruct_dnskey(ARGS_TOSTRUCT) {
-	dns_rdata_dnskey_t *dnskey = target;
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 48);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	dnskey->common.rdclass = rdata->rdclass;
-	dnskey->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&dnskey->common, link);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/* Flags */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	dnskey->flags = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/* Protocol */
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
-	dnskey->protocol = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/* Algorithm */
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
-	dnskey->algorithm = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/* Data */
-	dnskey->datalen = sr.length;
-	dnskey->data = mem_maybedup(mctx, sr.base, dnskey->datalen);
-	if (dnskey->data == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dnskey->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_dnskey(ARGS_FREESTRUCT) {
-	dns_rdata_dnskey_t *dnskey = (dns_rdata_dnskey_t *) source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(dnskey->common.rdtype == 48);
-
-	if (dnskey->mctx == NULL)
-		return;
-
-	if (dnskey->data != NULL)
-		isc_mem_free(dnskey->mctx, dnskey->data);
-	dnskey->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_dnskey(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 48);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_dnskey(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 48);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_dnskey(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 48);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_dnskey(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 48);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_dnskey(ARGS_COMPARE) {
-
-	/*
-	 * Treat ALG 253 (private DNS) subtype name case sensistively.
-	 */
-	return (compare_dnskey(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_DNSKEY_48_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h
deleted file mode 100644
index ce88cd1..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_DNSKEY_48_H
-#define GENERIC_DNSKEY_48_H 1
-
-/* $Id: dnskey_48.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief per RFC2535 */
-
-typedef struct dns_rdata_dnskey {
-        dns_rdatacommon_t	common;
-        isc_mem_t *		mctx;
-        isc_uint16_t		flags;
-        isc_uint8_t		protocol;
-        isc_uint8_t		algorithm;
-        isc_uint16_t		datalen;
-        unsigned char *		data;
-} dns_rdata_dnskey_t;
-
-
-#endif /* GENERIC_DNSKEY_48_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.c b/contrib/bind9/lib/dns/rdata/generic/ds_43.c
deleted file mode 100644
index dd47c8d..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/ds_43.c
+++ /dev/null
@@ -1,355 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* draft-ietf-dnsext-delegation-signer-05.txt */
-
-#ifndef RDATA_GENERIC_DS_43_C
-#define RDATA_GENERIC_DS_43_C
-
-#define RRTYPE_DS_ATTRIBUTES \
-	(DNS_RDATATYPEATTR_DNSSEC|DNS_RDATATYPEATTR_ATPARENT)
-
-#include <isc/sha1.h>
-#include <isc/sha2.h>
-
-#include <dns/ds.h>
-
-static inline isc_result_t
-fromtext_ds(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char c;
-	int length;
-
-	REQUIRE(type == 43);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/*
-	 * Key tag.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &c, 1));
-
-	/*
-	 * Digest type.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-	c = (unsigned char) token.value.as_ulong;
-
-	/*
-	 * Digest.
-	 */
-	switch (c) {
-	case DNS_DSDIGEST_SHA1:
-		length = ISC_SHA1_DIGESTLENGTH;
-		break;
-	case DNS_DSDIGEST_SHA256:
-		length = ISC_SHA256_DIGESTLENGTH;
-		break;
-	case DNS_DSDIGEST_GOST:
-		length = ISC_GOST_DIGESTLENGTH;
-		break;
-	case DNS_DSDIGEST_SHA384:
-		length = ISC_SHA384_DIGESTLENGTH;
-		break;
-	default:
-		length = -1;
-		break;
-	}
-	return (isc_hex_tobuffer(lexer, target, length));
-}
-
-static inline isc_result_t
-totext_ds(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("64000 ")];
-	unsigned int n;
-
-	REQUIRE(rdata->type == 43);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Key tag.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Algorithm.
-	 */
-	n = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Digest type.
-	 */
-	n = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Digest.
-	 */
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0) /* No splitting */
-		RETERR(isc_hex_totext(&sr, 0, "", target));
-	else
-		RETERR(isc_hex_totext(&sr, tctx->width - 2,
-				      tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_ds(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 43);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-
-	/*
-	 * Check digest lengths if we know them.
-	 */
-	if (sr.length < 4 ||
-	    (sr.base[3] == DNS_DSDIGEST_SHA1 &&
-	     sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
-	    (sr.base[3] == DNS_DSDIGEST_SHA256 &&
-	     sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
-	    (sr.base[3] == DNS_DSDIGEST_GOST &&
-	     sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
-	    (sr.base[3] == DNS_DSDIGEST_SHA384 &&
-	     sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
-		return (ISC_R_UNEXPECTEDEND);
-
-	/*
-	 * Only copy digest lengths if we know them.
-	 * If there is extra data dns_rdata_fromwire() will
-	 * detect that.
-	 */
-	if (sr.base[3] == DNS_DSDIGEST_SHA1)
-		sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
-	else if (sr.base[3] == DNS_DSDIGEST_SHA256)
-		sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
-	else if (sr.base[3] == DNS_DSDIGEST_GOST)
-		sr.length = 4 + ISC_GOST_DIGESTLENGTH;
-	else if (sr.base[3] == DNS_DSDIGEST_SHA384)
-		sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
-
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_ds(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 43);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_ds(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 43);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_ds(ARGS_FROMSTRUCT) {
-	dns_rdata_ds_t *ds = source;
-
-	REQUIRE(type == 43);
-	REQUIRE(source != NULL);
-	REQUIRE(ds->common.rdtype == type);
-	REQUIRE(ds->common.rdclass == rdclass);
-	switch (ds->digest_type) {
-	case DNS_DSDIGEST_SHA1:
-		REQUIRE(ds->length == ISC_SHA1_DIGESTLENGTH);
-		break;
-	case DNS_DSDIGEST_SHA256:
-		REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH);
-		break;
-	case DNS_DSDIGEST_GOST:
-		REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH);
-		break;
-	case DNS_DSDIGEST_SHA384:
-		REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH);
-		break;
-	}
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(ds->key_tag, target));
-	RETERR(uint8_tobuffer(ds->algorithm, target));
-	RETERR(uint8_tobuffer(ds->digest_type, target));
-
-	return (mem_tobuffer(target, ds->digest, ds->length));
-}
-
-static inline isc_result_t
-tostruct_ds(ARGS_TOSTRUCT) {
-	dns_rdata_ds_t *ds = target;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 43);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	ds->common.rdclass = rdata->rdclass;
-	ds->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&ds->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-
-	ds->key_tag = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	ds->algorithm = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	ds->digest_type = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	ds->length = region.length;
-
-	ds->digest = mem_maybedup(mctx, region.base, region.length);
-	if (ds->digest == NULL)
-		return (ISC_R_NOMEMORY);
-
-	ds->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_ds(ARGS_FREESTRUCT) {
-	dns_rdata_ds_t *ds = source;
-
-	REQUIRE(ds != NULL);
-	REQUIRE(ds->common.rdtype == 43);
-
-	if (ds->mctx == NULL)
-		return;
-
-	if (ds->digest != NULL)
-		isc_mem_free(ds->mctx, ds->digest);
-	ds->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_ds(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 43);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_ds(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 43);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_ds(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 43);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_ds(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 43);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_ds(ARGS_COMPARE) {
-	return (compare_ds(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_DS_43_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.h b/contrib/bind9/lib/dns/rdata/generic/ds_43.h
deleted file mode 100644
index 3a409a1..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/ds_43.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ds_43.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef GENERIC_DS_43_H
-#define GENERIC_DS_43_H 1
-
-/*!
- *  \brief per draft-ietf-dnsext-delegation-signer-05.txt */
-typedef struct dns_rdata_ds {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		key_tag;
-	isc_uint8_t		algorithm;
-	isc_uint8_t		digest_type;
-	isc_uint16_t		length;
-	unsigned char		*digest;
-} dns_rdata_ds_t;
-
-#endif /* GENERIC_DS_43_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/eui48_108.c b/contrib/bind9/lib/dns/rdata/generic/eui48_108.c
deleted file mode 100644
index 3e52fec..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/eui48_108.c
+++ /dev/null
@@ -1,215 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef RDATA_GENERIC_EUI48_108_C
-#define RDATA_GENERIC_EUI48_108_C
-
-#include <string.h>
-
-#define RRTYPE_EUI48_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_eui48(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char eui48[6];
-	unsigned int l0, l1, l2, l3, l4, l5;
-	int n;
-
-	REQUIRE(type == 108);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	n = sscanf(DNS_AS_STR(token), "%2x-%2x-%2x-%2x-%2x-%2x",
-		   &l0, &l1, &l2, &l3, &l4, &l5);
-	if (n != 6 || l0 > 255U || l1 > 255U || l2 > 255U || l3 > 255U ||
-	    l4 > 255U || l5 > 255U)
-		return (DNS_R_BADEUI);
-
-	eui48[0] = l0;
-	eui48[1] = l1;
-	eui48[2] = l2;
-	eui48[3] = l3;
-	eui48[4] = l4;
-	eui48[5] = l5;
-	return (mem_tobuffer(target, eui48, sizeof(eui48)));
-}
-
-static inline isc_result_t
-totext_eui48(ARGS_TOTEXT) {
-	char buf[sizeof("xx-xx-xx-xx-xx-xx")];
-
-	REQUIRE(rdata->type == 108);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(tctx);
-
-	(void)snprintf(buf, sizeof(buf), "%02x-%02x-%02x-%02x-%02x-%02x",
-		       rdata->data[0], rdata->data[1], rdata->data[2],
-		       rdata->data[3], rdata->data[4], rdata->data[5]);
-	return (str_totext(buf, target));
-}
-
-static inline isc_result_t
-fromwire_eui48(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-
-	REQUIRE(type == 108);
-
-	UNUSED(type);
-	UNUSED(options);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length != 6)
-		return (DNS_R_FORMERR);
-	isc_buffer_forward(source, sregion.length);
-	return (mem_tobuffer(target, sregion.base, sregion.length));
-}
-
-static inline isc_result_t
-towire_eui48(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == 108);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_eui48(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 108);
-	REQUIRE(rdata1->length == 6);
-	REQUIRE(rdata2->length == 6);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-	return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_eui48(ARGS_FROMSTRUCT) {
-	dns_rdata_eui48_t *eui48 = source;
-
-	REQUIRE(type == 108);
-	REQUIRE(source != NULL);
-	REQUIRE(eui48->common.rdtype == type);
-	REQUIRE(eui48->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (mem_tobuffer(target, eui48->eui48, sizeof(eui48->eui48)));
-}
-
-static inline isc_result_t
-tostruct_eui48(ARGS_TOSTRUCT) {
-	dns_rdata_eui48_t *eui48 = target;
-
-	REQUIRE(rdata->type == 108);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(mctx);
-
-	eui48->common.rdclass = rdata->rdclass;
-	eui48->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&eui48->common, link);
-
-	memcpy(eui48->eui48, rdata->data, rdata->length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_eui48(ARGS_FREESTRUCT) {
-	dns_rdata_eui48_t *eui48 = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(eui48->common.rdtype == 108);
-
-	return;
-}
-
-static inline isc_result_t
-additionaldata_eui48(ARGS_ADDLDATA) {
-
-	REQUIRE(rdata->type == 108);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_eui48(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 108);
-	REQUIRE(rdata->length == 6);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_eui48(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 108);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_eui48(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 108);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_eui48(ARGS_COMPARE) {
-	return (compare_eui48(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_EUI48_108_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/eui48_108.h b/contrib/bind9/lib/dns/rdata/generic/eui48_108.h
deleted file mode 100644
index 508c61f..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/eui48_108.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_EUI48_108_H
-#define GENERIC_EUI48_108_H 1
-
-typedef struct dns_rdata_eui48 {
-	dns_rdatacommon_t	common;
-	unsigned char		eui48[6];
-} dns_rdata_eui48_t;
-
-#endif /* GENERIC_EUI48_10k_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/eui64_109.c b/contrib/bind9/lib/dns/rdata/generic/eui64_109.c
deleted file mode 100644
index 245994f..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/eui64_109.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef RDATA_GENERIC_EUI64_109_C
-#define RDATA_GENERIC_EUI64_109_C
-
-#include <string.h>
-
-#define RRTYPE_EUI64_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_eui64(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char eui64[8];
-	unsigned int l0, l1, l2, l3, l4, l5, l6, l7;
-	int n;
-
-	REQUIRE(type == 109);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	n = sscanf(DNS_AS_STR(token), "%2x-%2x-%2x-%2x-%2x-%2x-%2x-%2x",
-		   &l0, &l1, &l2, &l3, &l4, &l5, &l6, &l7);
-	if (n != 8 || l0 > 255U || l1 > 255U || l2 > 255U || l3 > 255U ||
-	    l4 > 255U || l5 > 255U || l6 > 255U || l7 > 255U)
-		return (DNS_R_BADEUI);
-
-	eui64[0] = l0;
-	eui64[1] = l1;
-	eui64[2] = l2;
-	eui64[3] = l3;
-	eui64[4] = l4;
-	eui64[5] = l5;
-	eui64[6] = l6;
-	eui64[7] = l7;
-	return (mem_tobuffer(target, eui64, sizeof(eui64)));
-}
-
-static inline isc_result_t
-totext_eui64(ARGS_TOTEXT) {
-	char buf[sizeof("xx-xx-xx-xx-xx-xx-xx-xx")];
-
-	REQUIRE(rdata->type == 109);
-	REQUIRE(rdata->length == 8);
-
-	UNUSED(tctx);
-
-	(void)snprintf(buf, sizeof(buf),
-		       "%02x-%02x-%02x-%02x-%02x-%02x-%02x-%02x",
-		       rdata->data[0], rdata->data[1],
-		       rdata->data[2], rdata->data[3],
-		       rdata->data[4], rdata->data[5],
-		       rdata->data[6], rdata->data[7]);
-	return (str_totext(buf, target));
-}
-
-static inline isc_result_t
-fromwire_eui64(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-
-	REQUIRE(type == 109);
-
-	UNUSED(type);
-	UNUSED(options);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length != 8)
-		return (DNS_R_FORMERR);
-	isc_buffer_forward(source, sregion.length);
-	return (mem_tobuffer(target, sregion.base, sregion.length));
-}
-
-static inline isc_result_t
-towire_eui64(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == 109);
-	REQUIRE(rdata->length == 8);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_eui64(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 109);
-	REQUIRE(rdata1->length == 8);
-	REQUIRE(rdata2->length == 8);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-	return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_eui64(ARGS_FROMSTRUCT) {
-	dns_rdata_eui64_t *eui64 = source;
-
-	REQUIRE(type == 109);
-	REQUIRE(source != NULL);
-	REQUIRE(eui64->common.rdtype == type);
-	REQUIRE(eui64->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (mem_tobuffer(target, eui64->eui64, sizeof(eui64->eui64)));
-}
-
-static inline isc_result_t
-tostruct_eui64(ARGS_TOSTRUCT) {
-	dns_rdata_eui64_t *eui64 = target;
-
-	REQUIRE(rdata->type == 109);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length == 8);
-
-	UNUSED(mctx);
-
-	eui64->common.rdclass = rdata->rdclass;
-	eui64->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&eui64->common, link);
-
-	memcpy(eui64->eui64, rdata->data, rdata->length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_eui64(ARGS_FREESTRUCT) {
-	dns_rdata_eui64_t *eui64 = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(eui64->common.rdtype == 109);
-
-	return;
-}
-
-static inline isc_result_t
-additionaldata_eui64(ARGS_ADDLDATA) {
-
-	REQUIRE(rdata->type == 109);
-	REQUIRE(rdata->length == 8);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_eui64(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 109);
-	REQUIRE(rdata->length == 8);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_eui64(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 109);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_eui64(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 109);
-	REQUIRE(rdata->length == 8);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_eui64(ARGS_COMPARE) {
-	return (compare_eui64(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_EUI64_109_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/eui64_109.h b/contrib/bind9/lib/dns/rdata/generic/eui64_109.h
deleted file mode 100644
index 56996f8..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/eui64_109.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_EUI64_109_H
-#define GENERIC_EUI64_109_H 1
-
-typedef struct dns_rdata_eui64 {
-	dns_rdatacommon_t	common;
-	unsigned char		eui64[8];
-} dns_rdata_eui64_t;
-
-#endif /* GENERIC_EUI64_10k_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/gpos_27.c b/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
deleted file mode 100644
index ce71822..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
+++ /dev/null
@@ -1,257 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gpos_27.c,v 1.43 2009/12/04 22:06:37 tbox Exp $ */
-
-/* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
-
-/* RFC1712 */
-
-#ifndef RDATA_GENERIC_GPOS_27_C
-#define RDATA_GENERIC_GPOS_27_C
-
-#define RRTYPE_GPOS_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_gpos(ARGS_FROMTEXT) {
-	isc_token_t token;
-	int i;
-
-	REQUIRE(type == 27);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	for (i = 0; i < 3; i++) {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_qstring,
-					      ISC_FALSE));
-		RETTOK(txt_fromtext(&token.value.as_textregion, target));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_gpos(ARGS_TOTEXT) {
-	isc_region_t region;
-	int i;
-
-	REQUIRE(rdata->type == 27);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &region);
-
-	for (i = 0; i < 3; i++) {
-		RETERR(txt_totext(&region, target));
-		if (i != 2)
-			RETERR(str_totext(" ", target));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_gpos(ARGS_FROMWIRE) {
-	int i;
-
-	REQUIRE(type == 27);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	for (i = 0; i < 3; i++)
-		RETERR(txt_fromwire(source, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_gpos(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == 27);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_gpos(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 27);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_gpos(ARGS_FROMSTRUCT) {
-	dns_rdata_gpos_t *gpos = source;
-
-	REQUIRE(type == 27);
-	REQUIRE(source != NULL);
-	REQUIRE(gpos->common.rdtype == type);
-	REQUIRE(gpos->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint8_tobuffer(gpos->long_len, target));
-	RETERR(mem_tobuffer(target, gpos->longitude, gpos->long_len));
-	RETERR(uint8_tobuffer(gpos->lat_len, target));
-	RETERR(mem_tobuffer(target, gpos->latitude, gpos->lat_len));
-	RETERR(uint8_tobuffer(gpos->alt_len, target));
-	return (mem_tobuffer(target, gpos->altitude, gpos->alt_len));
-}
-
-static inline isc_result_t
-tostruct_gpos(ARGS_TOSTRUCT) {
-	dns_rdata_gpos_t *gpos = target;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 27);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	gpos->common.rdclass = rdata->rdclass;
-	gpos->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&gpos->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-	gpos->long_len = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	gpos->longitude = mem_maybedup(mctx, region.base, gpos->long_len);
-	if (gpos->longitude == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_region_consume(&region, gpos->long_len);
-
-	gpos->lat_len = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	gpos->latitude = mem_maybedup(mctx, region.base, gpos->lat_len);
-	if (gpos->latitude == NULL)
-		goto cleanup_longitude;
-	isc_region_consume(&region, gpos->lat_len);
-
-	gpos->alt_len = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	if (gpos->lat_len > 0) {
-		gpos->altitude =
-			mem_maybedup(mctx, region.base, gpos->alt_len);
-		if (gpos->altitude == NULL)
-			goto cleanup_latitude;
-	} else
-		gpos->altitude = NULL;
-
-	gpos->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup_latitude:
-	if (mctx != NULL && gpos->longitude != NULL)
-		isc_mem_free(mctx, gpos->longitude);
-
- cleanup_longitude:
-	if (mctx != NULL && gpos->latitude != NULL)
-		isc_mem_free(mctx, gpos->latitude);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_gpos(ARGS_FREESTRUCT) {
-	dns_rdata_gpos_t *gpos = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(gpos->common.rdtype == 27);
-
-	if (gpos->mctx == NULL)
-		return;
-
-	if (gpos->longitude != NULL)
-		isc_mem_free(gpos->mctx, gpos->longitude);
-	if (gpos->latitude != NULL)
-		isc_mem_free(gpos->mctx, gpos->latitude);
-	if (gpos->altitude != NULL)
-		isc_mem_free(gpos->mctx, gpos->altitude);
-	gpos->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_gpos(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 27);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_gpos(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 27);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_gpos(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 27);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_gpos(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 27);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_gpos(ARGS_COMPARE) {
-	return (compare_gpos(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_GPOS_27_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/gpos_27.h b/contrib/bind9/lib/dns/rdata/generic/gpos_27.h
deleted file mode 100644
index f5df4fa..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/gpos_27.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_GPOS_27_H
-#define GENERIC_GPOS_27_H 1
-
-/* $Id: gpos_27.h,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief per RFC1712 */
-
-typedef struct dns_rdata_gpos {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	char			*longitude;
-	char			*latitude;
-	char			*altitude;
-	isc_uint8_t		long_len;
-	isc_uint8_t		lat_len;
-	isc_uint8_t		alt_len;
-} dns_rdata_gpos_t;
-
-#endif /* GENERIC_GPOS_27_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
deleted file mode 100644
index 10b4fec..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hinfo_13.c,v 1.46 2009/12/04 22:06:37 tbox Exp $ */
-
-/*
- * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
- */
-
-#ifndef RDATA_GENERIC_HINFO_13_C
-#define RDATA_GENERIC_HINFO_13_C
-
-#define RRTYPE_HINFO_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_hinfo(ARGS_FROMTEXT) {
-	isc_token_t token;
-	int i;
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	REQUIRE(type == 13);
-
-	for (i = 0; i < 2; i++) {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_qstring,
-					      ISC_FALSE));
-		RETTOK(txt_fromtext(&token.value.as_textregion, target));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_hinfo(ARGS_TOTEXT) {
-	isc_region_t region;
-
-	UNUSED(tctx);
-
-	REQUIRE(rdata->type == 13);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &region);
-	RETERR(txt_totext(&region, target));
-	RETERR(str_totext(" ", target));
-	return (txt_totext(&region, target));
-}
-
-static inline isc_result_t
-fromwire_hinfo(ARGS_FROMWIRE) {
-
-	REQUIRE(type == 13);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	RETERR(txt_fromwire(source, target));
-	return (txt_fromwire(source, target));
-}
-
-static inline isc_result_t
-towire_hinfo(ARGS_TOWIRE) {
-
-	UNUSED(cctx);
-
-	REQUIRE(rdata->type == 13);
-	REQUIRE(rdata->length != 0);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_hinfo(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 13);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_hinfo(ARGS_FROMSTRUCT) {
-	dns_rdata_hinfo_t *hinfo = source;
-
-	REQUIRE(type == 13);
-	REQUIRE(source != NULL);
-	REQUIRE(hinfo->common.rdtype == type);
-	REQUIRE(hinfo->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint8_tobuffer(hinfo->cpu_len, target));
-	RETERR(mem_tobuffer(target, hinfo->cpu, hinfo->cpu_len));
-	RETERR(uint8_tobuffer(hinfo->os_len, target));
-	return (mem_tobuffer(target, hinfo->os, hinfo->os_len));
-}
-
-static inline isc_result_t
-tostruct_hinfo(ARGS_TOSTRUCT) {
-	dns_rdata_hinfo_t *hinfo = target;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 13);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	hinfo->common.rdclass = rdata->rdclass;
-	hinfo->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&hinfo->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-	hinfo->cpu_len = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	hinfo->cpu = mem_maybedup(mctx, region.base, hinfo->cpu_len);
-	if (hinfo->cpu == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_region_consume(&region, hinfo->cpu_len);
-
-	hinfo->os_len = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	hinfo->os = mem_maybedup(mctx, region.base, hinfo->os_len);
-	if (hinfo->os == NULL)
-		goto cleanup;
-
-	hinfo->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL && hinfo->cpu != NULL)
-		isc_mem_free(mctx, hinfo->cpu);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_hinfo(ARGS_FREESTRUCT) {
-	dns_rdata_hinfo_t *hinfo = source;
-
-	REQUIRE(source != NULL);
-
-	if (hinfo->mctx == NULL)
-		return;
-
-	if (hinfo->cpu != NULL)
-		isc_mem_free(hinfo->mctx, hinfo->cpu);
-	if (hinfo->os != NULL)
-		isc_mem_free(hinfo->mctx, hinfo->os);
-	hinfo->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_hinfo(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 13);
-
-	UNUSED(add);
-	UNUSED(arg);
-	UNUSED(rdata);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_hinfo(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 13);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_hinfo(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 13);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_hinfo(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 13);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_hinfo(ARGS_COMPARE) {
-	return (compare_hinfo(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_HINFO_13_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h
deleted file mode 100644
index 66766df..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_HINFO_13_H
-#define GENERIC_HINFO_13_H 1
-
-/* $Id: hinfo_13.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_hinfo {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	char			*cpu;
-	char			*os;
-	isc_uint8_t		cpu_len;
-	isc_uint8_t		os_len;
-} dns_rdata_hinfo_t;
-
-#endif /* GENERIC_HINFO_13_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/hip_55.c b/contrib/bind9/lib/dns/rdata/generic/hip_55.c
deleted file mode 100644
index 5a5140f..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/hip_55.c
+++ /dev/null
@@ -1,506 +0,0 @@
-/*
- * Copyright (C) 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hip_55.c,v 1.8 2011/01/13 04:59:26 tbox Exp $ */
-
-/* reviewed: TBC */
-
-/* RFC 5205 */
-
-#ifndef RDATA_GENERIC_HIP_5_C
-#define RDATA_GENERIC_HIP_5_C
-
-#define RRTYPE_HIP_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_hip(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	isc_buffer_t hit_len;
-	isc_buffer_t key_len;
-	unsigned char *start;
-	size_t len;
-
-	REQUIRE(type == 55);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Dummy HIT len.
-	 */
-	hit_len = *target;
-	RETERR(uint8_tobuffer(0, target));
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Dummy KEY len.
-	 */
-	key_len = *target;
-	RETERR(uint16_tobuffer(0, target));
-
-	/*
-	 * HIT (base16).
-	 */
-	start = isc_buffer_used(target);
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(isc_hex_decodestring(DNS_AS_STR(token), target));
-
-	/*
-	 * Fill in HIT len.
-	 */
-	len = (unsigned char *)isc_buffer_used(target) - start;
-	if (len > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(len, &hit_len));
-
-	/*
-	 * Public key (base64).
-	 */
-	start = isc_buffer_used(target);
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(isc_base64_decodestring(DNS_AS_STR(token), target));
-
-	/*
-	 * Fill in KEY len.
-	 */
-	len = (unsigned char *)isc_buffer_used(target) - start;
-	if (len > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(len, &key_len));
-
-	/*
-	 * Rendezvous Servers.
-	 */
-	dns_name_init(&name, NULL);
-	do {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string,
-					      ISC_TRUE));
-		if (token.type != isc_tokentype_string)
-			break;
-		buffer_fromregion(&buffer, &token.value.as_region);
-		origin = (origin != NULL) ? origin : dns_rootname;
-		RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
-					 target));
-	} while (1);
-
-	/*
-	 * Let upper layer handle eol/eof.
-	 */
-	isc_lex_ungettoken(lexer, &token);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_hip(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	size_t length, key_len, hit_len;
-	unsigned char algorithm;
-	char buf[sizeof("225 ")];
-
-	REQUIRE(rdata->type == 55);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &region);
-
-	hit_len = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-
-	algorithm = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-
-	key_len = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext("( ", target));
-
-	/*
-	 * Algorithm
-	 */
-	sprintf(buf, "%u ", algorithm);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * HIT.
-	 */
-	INSIST(hit_len < region.length);
-	length = region.length;
-	region.length = hit_len;
-	RETERR(isc_hex_totext(&region, 1, "", target));
-	region.length = length - hit_len;
-	RETERR(str_totext(tctx->linebreak, target));
-
-	/*
-	 * Public KEY.
-	 */
-	INSIST(key_len <= region.length);
-	length = region.length;
-	region.length = key_len;
-	RETERR(isc_base64_totext(&region, 1, "", target));
-	region.length = length - key_len;
-	RETERR(str_totext(tctx->linebreak, target));
-
-	/*
-	 * Rendezvous Servers.
-	 */
-	dns_name_init(&name, NULL);
-	while (region.length > 0) {
-		dns_name_fromregion(&name, &region);
-
-		RETERR(dns_name_totext(&name, ISC_FALSE, target));
-		isc_region_consume(&region, name.length);
-		if (region.length > 0)
-			RETERR(str_totext(tctx->linebreak, target));
-	}
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_hip(ARGS_FROMWIRE) {
-	isc_region_t region, rr;
-	dns_name_t name;
-	isc_uint8_t hit_len;
-	isc_uint16_t key_len;
-
-	REQUIRE(type == 55);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	isc_buffer_activeregion(source, &region);
-	if (region.length < 4U)
-		RETERR(DNS_R_FORMERR);
-
-	rr = region;
-	hit_len = uint8_fromregion(&region);
-	if (hit_len == 0)
-		RETERR(DNS_R_FORMERR);
-	isc_region_consume(&region, 2);  	/* hit length + algorithm */
-	key_len = uint16_fromregion(&region);
-	if (key_len == 0)
-		RETERR(DNS_R_FORMERR);
-	isc_region_consume(&region, 2);
-	if (region.length < (unsigned) (hit_len + key_len))
-		RETERR(DNS_R_FORMERR);
-
-	RETERR(mem_tobuffer(target, rr.base, 4 + hit_len + key_len));
-	isc_buffer_forward(source, 4 + hit_len + key_len);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-	while (isc_buffer_activelength(source) > 0) {
-		dns_name_init(&name, NULL);
-		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_hip(ARGS_TOWIRE) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 55);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &region);
-	return (mem_tobuffer(target, region.base, region.length));
-}
-
-static inline int
-compare_hip(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 55);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-	return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_hip(ARGS_FROMSTRUCT) {
-	dns_rdata_hip_t *hip = source;
-	dns_rdata_hip_t myhip;
-	isc_result_t result;
-
-	REQUIRE(type == 55);
-	REQUIRE(source != NULL);
-	REQUIRE(hip->common.rdtype == type);
-	REQUIRE(hip->common.rdclass == rdclass);
-	REQUIRE(hip->hit_len > 0 && hip->hit != NULL);
-	REQUIRE(hip->key_len > 0 && hip->key != NULL);
-	REQUIRE((hip->servers == NULL && hip->servers_len == 0) ||
-		 (hip->servers != NULL && hip->servers_len != 0));
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint8_tobuffer(hip->hit_len, target));
-	RETERR(uint8_tobuffer(hip->algorithm, target));
-	RETERR(uint16_tobuffer(hip->key_len, target));
-	RETERR(mem_tobuffer(target, hip->hit, hip->hit_len));
-	RETERR(mem_tobuffer(target, hip->key, hip->key_len));
-
-	myhip = *hip;
-	for (result = dns_rdata_hip_first(&myhip);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdata_hip_next(&myhip))
-		/* empty */;
-
-	return(mem_tobuffer(target, hip->servers, hip->servers_len));
-}
-
-static inline isc_result_t
-tostruct_hip(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_hip_t *hip = target;
-
-	REQUIRE(rdata->type == 55);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	hip->common.rdclass = rdata->rdclass;
-	hip->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&hip->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-
-	hip->hit_len = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-
-	hip->algorithm = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-
-	hip->key_len = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-
-	hip->hit = hip->key = hip->servers = NULL;
-
-	hip->hit = mem_maybedup(mctx, region.base, hip->hit_len);
-	if (hip->hit == NULL)
-		goto cleanup;
-	isc_region_consume(&region, hip->hit_len);
-
-	hip->key = mem_maybedup(mctx, region.base, hip->key_len);
-	if (hip->key == NULL)
-		goto cleanup;
-	isc_region_consume(&region, hip->key_len);
-
-	hip->servers_len = region.length;
-	if (hip->servers_len != 0) {
-		hip->servers = mem_maybedup(mctx, region.base, region.length);
-		if (hip->servers == NULL)
-			goto cleanup;
-	}
-
-	hip->offset = hip->servers_len;
-	hip->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (hip->hit != NULL)
-		isc_mem_free(mctx, hip->hit);
-	if (hip->key != NULL)
-		isc_mem_free(mctx, hip->key);
-	if (hip->servers != NULL)
-		isc_mem_free(mctx, hip->servers);
-	return (ISC_R_NOMEMORY);
-
-}
-
-static inline void
-freestruct_hip(ARGS_FREESTRUCT) {
-	dns_rdata_hip_t *hip = source;
-
-	REQUIRE(source != NULL);
-
-	if (hip->mctx == NULL)
-		return;
-
-	isc_mem_free(hip->mctx, hip->hit);
-	isc_mem_free(hip->mctx, hip->key);
-	if (hip->servers != NULL)
-		isc_mem_free(hip->mctx, hip->servers);
-	hip->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_hip(ARGS_ADDLDATA) {
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	REQUIRE(rdata->type == 55);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_hip(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 55);
-
-	dns_rdata_toregion(rdata, &r);
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_hip(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 55);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_hip(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 55);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-isc_result_t
-dns_rdata_hip_first(dns_rdata_hip_t *hip) {
-	if (hip->servers_len == 0)
-		return (ISC_R_NOMORE);
-	hip->offset = 0;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rdata_hip_next(dns_rdata_hip_t *hip) {
-	isc_region_t region;
-	dns_name_t name;
-
-	if (hip->offset >= hip->servers_len)
-		return (ISC_R_NOMORE);
-
-	region.base = hip->servers + hip->offset;
-	region.length = hip->servers_len - hip->offset;
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	hip->offset += name.length;
-	INSIST(hip->offset <= hip->servers_len);
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_rdata_hip_current(dns_rdata_hip_t *hip, dns_name_t *name) {
-	isc_region_t region;
-
-	REQUIRE(hip->offset < hip->servers_len);
-
-	region.base = hip->servers + hip->offset;
-	region.length = hip->servers_len - hip->offset;
-	dns_name_fromregion(name, &region);
-
-	INSIST(name->length + hip->offset <= hip->servers_len);
-}
-
-static inline int
-casecompare_hip(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-	isc_uint8_t hit_len;
-	isc_uint16_t key_len;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 55);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-
-	INSIST(r1.length > 4);
-	INSIST(r2.length > 4);
-	r1.length = 4;
-	r2.length = 4;
-	order = isc_region_compare(&r1, &r2);
-	if (order != 0)
-		return (order);
-
-	hit_len = uint8_fromregion(&r1);
-	isc_region_consume(&r1, 2);         /* hit length + algorithm */
-	key_len = uint16_fromregion(&r1);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	isc_region_consume(&r1, 4);
-	isc_region_consume(&r2, 4);
-	INSIST(r1.length >= (unsigned) (hit_len + key_len));
-	INSIST(r2.length >= (unsigned) (hit_len + key_len));
-	order = isc_region_compare(&r1, &r2);
-	if (order != 0)
-		return (order);
-	isc_region_consume(&r1, hit_len + key_len);
-	isc_region_consume(&r2, hit_len + key_len);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-	while (r1.length != 0 && r2.length != 0) {
-		dns_name_fromregion(&name1, &r1);
-		dns_name_fromregion(&name2, &r2);
-		order = dns_name_rdatacompare(&name1, &name2);
-		if (order != 0)
-			return (order);
-
-		isc_region_consume(&r1, name_length(&name1));
-		isc_region_consume(&r2, name_length(&name2));
-	}
-	return (isc_region_compare(&r1, &r2));
-}
-
-#endif	/* RDATA_GENERIC_HIP_5_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/hip_55.h b/contrib/bind9/lib/dns/rdata/generic/hip_55.h
deleted file mode 100644
index 69f2eba..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/hip_55.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hip_55.h,v 1.2 2009/02/26 06:09:19 marka Exp $ */
-
-#ifndef GENERIC_HIP_5_H
-#define GENERIC_HIP_5_H 1
-
-/* RFC 5205 */
-
-typedef struct dns_rdata_hip {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	unsigned char *		hit;
-	unsigned char *		key;
-	unsigned char *		servers;
-	isc_uint8_t		algorithm;
-	isc_uint8_t		hit_len;
-	isc_uint16_t		key_len;
-	isc_uint16_t		servers_len;
-	/* Private */
-	isc_uint16_t		offset;
-} dns_rdata_hip_t;
-
-isc_result_t
-dns_rdata_hip_first(dns_rdata_hip_t *);
-
-isc_result_t
-dns_rdata_hip_next(dns_rdata_hip_t *);
-
-void
-dns_rdata_hip_current(dns_rdata_hip_t *, dns_name_t *);
-
-#endif /* GENERIC_HIP_5_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c b/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
deleted file mode 100644
index 1d2508c..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
+++ /dev/null
@@ -1,501 +0,0 @@
-/*
- * Copyright (C) 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef RDATA_GENERIC_IPSECKEY_45_C
-#define RDATA_GENERIC_IPSECKEY_45_C
-
-#include <string.h>
-
-#include <isc/net.h>
-
-#define RRTYPE_IPSECKEY_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_ipseckey(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	unsigned int gateway;
-	struct in_addr addr;
-	unsigned char addr6[16];
-	isc_region_t region;
-
-	REQUIRE(type == 45);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Precedence.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Gateway type.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0x3U)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-	gateway = token.value.as_ulong;
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Gateway.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	switch (gateway) {
-	case 0:
-		if (strcmp(DNS_AS_STR(token), ".") != 0)
-			RETTOK(DNS_R_SYNTAX);
-		break;
-
-	case 1:
-		if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
-			RETTOK(DNS_R_BADDOTTEDQUAD);
-		isc_buffer_availableregion(target, &region);
-		if (region.length < 4)
-			return (ISC_R_NOSPACE);
-		memcpy(region.base, &addr, 4);
-		isc_buffer_add(target, 4);
-		break;
-
-	case 2:
-		if (inet_pton(AF_INET6, DNS_AS_STR(token), addr6) != 1)
-			RETTOK(DNS_R_BADAAAA);
-		isc_buffer_availableregion(target, &region);
-		if (region.length < 16)
-			return (ISC_R_NOSPACE);
-		memcpy(region.base, addr6, 16);
-		isc_buffer_add(target, 16);
-		break;
-
-	case 3:
-		dns_name_init(&name, NULL);
-		buffer_fromregion(&buffer, &token.value.as_region);
-		origin = (origin != NULL) ? origin : dns_rootname;
-		RETTOK(dns_name_fromtext(&name, &buffer, origin,
-					 options, target));
-		break;
-	}
-
-	/*
-	 * Public key.
-	 */
-	return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_ipseckey(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	char buf[sizeof("255 ")];
-	unsigned short num;
-	unsigned short gateway;
-
-	REQUIRE(rdata->type == 45);
-	REQUIRE(rdata->length >= 3);
-
-	dns_name_init(&name, NULL);
-
-	if (rdata->data[1] > 3U)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext("( ", target));
-
-	/*
-	 * Precedence.
-	 */
-	dns_rdata_toregion(rdata, &region);
-	num = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	sprintf(buf, "%u ", num);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Gateway type.
-	 */
-	gateway = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	sprintf(buf, "%u ", gateway);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Algorithm.
-	 */
-	num = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	sprintf(buf, "%u ", num);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Gateway.
-	 */
-	switch (gateway) {
-	case 0:
-		RETERR(str_totext(".", target));
-		break;
-
-	case 1:
-		RETERR(inet_totext(AF_INET, &region, target));
-		isc_region_consume(&region, 4);
-		break;
-
-	case 2:
-		RETERR(inet_totext(AF_INET6, &region, target));
-		isc_region_consume(&region, 16);
-		break;
-
-	case 3:
-		dns_name_fromregion(&name, &region);
-		RETERR(dns_name_totext(&name, ISC_FALSE, target));
-		isc_region_consume(&region, name_length(&name));
-		break;
-	}
-
-	/*
-	 * Key.
-	 */
-	if (region.length > 0U) {
-		RETERR(str_totext(tctx->linebreak, target));
-		if (tctx->width == 0)   /* No splitting */
-			RETERR(isc_base64_totext(&region, 60, "", target));
-		else
-			RETERR(isc_base64_totext(&region, tctx->width - 2,
-						 tctx->linebreak, target));
-	}
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_ipseckey(ARGS_FROMWIRE) {
-	dns_name_t name;
-	isc_region_t region;
-
-	REQUIRE(type == 45);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-
-	isc_buffer_activeregion(source, &region);
-	if (region.length < 3)
-		return (ISC_R_UNEXPECTEDEND);
-
-	switch (region.base[1]) {
-	case 0:
-		isc_buffer_forward(source, region.length);
-		return (mem_tobuffer(target, region.base, region.length));
-
-	case 1:
-		if (region.length < 7)
-			return (ISC_R_UNEXPECTEDEND);
-		isc_buffer_forward(source, region.length);
-		return (mem_tobuffer(target, region.base, region.length));
-
-	case 2:
-		if (region.length < 19)
-			return (ISC_R_UNEXPECTEDEND);
-		isc_buffer_forward(source, region.length);
-		return (mem_tobuffer(target, region.base, region.length));
-
-	case 3:
-		RETERR(mem_tobuffer(target, region.base, 3));
-		isc_buffer_forward(source, 3);
-		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-		isc_buffer_activeregion(source, &region);
-		isc_buffer_forward(source, region.length);
-		return(mem_tobuffer(target, region.base, region.length));
-
-	default:
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-}
-
-static inline isc_result_t
-towire_ipseckey(ARGS_TOWIRE) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 45);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &region);
-	return (mem_tobuffer(target, region.base, region.length));
-}
-
-static inline int
-compare_ipseckey(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 45);
-	REQUIRE(rdata1->length >= 3);
-	REQUIRE(rdata2->length >= 3);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_ipseckey(ARGS_FROMSTRUCT) {
-	dns_rdata_ipseckey_t *ipseckey = source;
-	isc_region_t region;
-	isc_uint32_t n;
-
-	REQUIRE(type == 45);
-	REQUIRE(source != NULL);
-	REQUIRE(ipseckey->common.rdtype == type);
-	REQUIRE(ipseckey->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	if (ipseckey->gateway_type > 3U)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	RETERR(uint8_tobuffer(ipseckey->precedence, target));
-	RETERR(uint8_tobuffer(ipseckey->gateway_type, target));
-	RETERR(uint8_tobuffer(ipseckey->algorithm, target));
-
-	switch  (ipseckey->gateway_type) {
-	case 0:
-		break;
-
-	case 1:
-		n = ntohl(ipseckey->in_addr.s_addr);
-		RETERR(uint32_tobuffer(n, target));
-		break;
-
-	case 2:
-		RETERR(mem_tobuffer(target, ipseckey->in6_addr.s6_addr, 16));
-		break;
-
-	case 3:
-		dns_name_toregion(&ipseckey->gateway, &region);
-		RETERR(isc_buffer_copyregion(target, &region));
-		break;
-	}
-
-	return (mem_tobuffer(target, ipseckey->key, ipseckey->keylength));
-}
-
-static inline isc_result_t
-tostruct_ipseckey(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_ipseckey_t *ipseckey = target;
-	dns_name_t name;
-	isc_uint32_t n;
-
-	REQUIRE(rdata->type == 45);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length >= 3);
-
-	if (rdata->data[1] > 3U)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	ipseckey->common.rdclass = rdata->rdclass;
-	ipseckey->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&ipseckey->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-
-	ipseckey->precedence = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-
-	ipseckey->gateway_type = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-
-	ipseckey->algorithm = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-
-	switch (ipseckey->gateway_type) {
-	case 0:
-		break;
-
-	case 1:
-		n = uint32_fromregion(&region);
-		ipseckey->in_addr.s_addr = htonl(n);
-		isc_region_consume(&region, 4);
-		break;
-
-	case 2:
-		memcpy(ipseckey->in6_addr.s6_addr, region.base, 16);
-		isc_region_consume(&region, 16);
-		break;
-
-	case 3:
-		dns_name_init(&ipseckey->gateway, NULL);
-		dns_name_fromregion(&name, &region);
-		RETERR(name_duporclone(&name, mctx, &ipseckey->gateway));
-		isc_region_consume(&region, name_length(&name));
-		break;
-	}
-
-	ipseckey->keylength = region.length;
-	if (ipseckey->keylength != 0U) {
-		ipseckey->key = mem_maybedup(mctx, region.base,
-					     ipseckey->keylength);
-		if (ipseckey->key == NULL) {
-			if (ipseckey->gateway_type == 3)
-				dns_name_free(&ipseckey->gateway,
-					      ipseckey->mctx);
-			return (ISC_R_NOMEMORY);
-		}
-	} else
-		ipseckey->key = NULL;
-
-	ipseckey->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_ipseckey(ARGS_FREESTRUCT) {
-	dns_rdata_ipseckey_t *ipseckey = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(ipseckey->common.rdtype == 45);
-
-	if (ipseckey->mctx == NULL)
-		return;
-
-	if (ipseckey->gateway_type == 3)
-		dns_name_free(&ipseckey->gateway, ipseckey->mctx);
-
-	if (ipseckey->key != NULL)
-		isc_mem_free(ipseckey->mctx, ipseckey->key);
-
-	ipseckey->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_ipseckey(ARGS_ADDLDATA) {
-
-	REQUIRE(rdata->type == 45);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_ipseckey(ARGS_DIGEST) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 45);
-
-	dns_rdata_toregion(rdata, &region);
-	return ((digest)(arg, &region));
-}
-
-static inline isc_boolean_t
-checkowner_ipseckey(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 45);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_ipseckey(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 45);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_ipseckey(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 45);
-	REQUIRE(rdata1->length >= 3);
-	REQUIRE(rdata2->length >= 3);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	if (memcmp(region1.base, region2.base, 3) != 0 || region1.base[1] != 3)
-		return (isc_region_compare(&region1, &region2));
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	isc_region_consume(&region1, 3);
-	isc_region_consume(&region2, 3);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	isc_region_consume(&region1, name_length(&name1));
-	isc_region_consume(&region2, name_length(&name2));
-
-	return (isc_region_compare(&region1, &region2));
-}
-
-#endif	/* RDATA_GENERIC_IPSECKEY_45_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.h b/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.h
deleted file mode 100644
index 2a6201f..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ipseckey_45.h,v 1.4 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef GENERIC_IPSECKEY_45_H
-#define GENERIC_IPSECKEY_45_H 1
-
-typedef struct dns_rdata_ipseckey {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint8_t		precedence;
-	isc_uint8_t		gateway_type;
-	isc_uint8_t		algorithm;
-	struct in_addr		in_addr;	/* gateway type 1 */
-	struct in6_addr		in6_addr;	/* gateway type 2 */
-	dns_name_t		gateway;	/* gateway type 3 */
-	unsigned char		*key;
-	isc_uint16_t		keylength;
-} dns_rdata_ipseckey_t;
-
-#endif /* GENERIC_IPSECKEY_45_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/isdn_20.c b/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
deleted file mode 100644
index 5aac73f..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
+++ /dev/null
@@ -1,239 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: isdn_20.c,v 1.40 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
-
-/* RFC1183 */
-
-#ifndef RDATA_GENERIC_ISDN_20_C
-#define RDATA_GENERIC_ISDN_20_C
-
-#define RRTYPE_ISDN_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_isdn(ARGS_FROMTEXT) {
-	isc_token_t token;
-
-	REQUIRE(type == 20);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/* ISDN-address */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
-				      ISC_FALSE));
-	RETTOK(txt_fromtext(&token.value.as_textregion, target));
-
-	/* sa: optional */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
-				      ISC_TRUE));
-	if (token.type != isc_tokentype_string &&
-	    token.type != isc_tokentype_qstring) {
-		isc_lex_ungettoken(lexer, &token);
-		return (ISC_R_SUCCESS);
-	}
-	RETTOK(txt_fromtext(&token.value.as_textregion, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_isdn(ARGS_TOTEXT) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 20);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &region);
-	RETERR(txt_totext(&region, target));
-	if (region.length == 0)
-		return (ISC_R_SUCCESS);
-	RETERR(str_totext(" ", target));
-	return (txt_totext(&region, target));
-}
-
-static inline isc_result_t
-fromwire_isdn(ARGS_FROMWIRE) {
-	REQUIRE(type == 20);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	RETERR(txt_fromwire(source, target));
-	if (buffer_empty(source))
-		return (ISC_R_SUCCESS);
-	return (txt_fromwire(source, target));
-}
-
-static inline isc_result_t
-towire_isdn(ARGS_TOWIRE) {
-	UNUSED(cctx);
-
-	REQUIRE(rdata->type == 20);
-	REQUIRE(rdata->length != 0);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_isdn(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 20);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_isdn(ARGS_FROMSTRUCT) {
-	dns_rdata_isdn_t *isdn = source;
-
-	REQUIRE(type == 20);
-	REQUIRE(source != NULL);
-	REQUIRE(isdn->common.rdtype == type);
-	REQUIRE(isdn->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint8_tobuffer(isdn->isdn_len, target));
-	RETERR(mem_tobuffer(target, isdn->isdn, isdn->isdn_len));
-	RETERR(uint8_tobuffer(isdn->subaddress_len, target));
-	return (mem_tobuffer(target, isdn->subaddress, isdn->subaddress_len));
-}
-
-static inline isc_result_t
-tostruct_isdn(ARGS_TOSTRUCT) {
-	dns_rdata_isdn_t *isdn = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 20);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	isdn->common.rdclass = rdata->rdclass;
-	isdn->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&isdn->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-
-	isdn->isdn_len = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	isdn->isdn = mem_maybedup(mctx, r.base, isdn->isdn_len);
-	if (isdn->isdn == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_region_consume(&r, isdn->isdn_len);
-
-	isdn->subaddress_len = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	isdn->subaddress = mem_maybedup(mctx, r.base, isdn->subaddress_len);
-	if (isdn->subaddress == NULL)
-		goto cleanup;
-
-	isdn->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL && isdn->isdn != NULL)
-		isc_mem_free(mctx, isdn->isdn);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_isdn(ARGS_FREESTRUCT) {
-	dns_rdata_isdn_t *isdn = source;
-
-	REQUIRE(source != NULL);
-
-	if (isdn->mctx == NULL)
-		return;
-
-	if (isdn->isdn != NULL)
-		isc_mem_free(isdn->mctx, isdn->isdn);
-	if (isdn->subaddress != NULL)
-		isc_mem_free(isdn->mctx, isdn->subaddress);
-	isdn->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_isdn(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 20);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_isdn(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 20);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_isdn(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 20);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_isdn(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 20);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_isdn(ARGS_COMPARE) {
-	return (compare_isdn(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_ISDN_20_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/isdn_20.h b/contrib/bind9/lib/dns/rdata/generic/isdn_20.h
deleted file mode 100644
index a1f65ca..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/isdn_20.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_ISDN_20_H
-#define GENERIC_ISDN_20_H 1
-
-/* $Id: isdn_20.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- * \brief Per RFC1183 */
-
-typedef struct dns_rdata_isdn {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	char			*isdn;
-	char			*subaddress;
-	isc_uint8_t		isdn_len;
-	isc_uint8_t		subaddress_len;
-} dns_rdata_isdn_t;
-
-#endif /* GENERIC_ISDN_20_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/key_25.c b/contrib/bind9/lib/dns/rdata/generic/key_25.c
deleted file mode 100644
index 1d0ba83..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/key_25.c
+++ /dev/null
@@ -1,348 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*
- * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
- */
-
-/* RFC2535 */
-
-#ifndef RDATA_GENERIC_KEY_25_C
-#define RDATA_GENERIC_KEY_25_C
-
-#include <dst/dst.h>
-
-#define RRTYPE_KEY_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_key(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_secalg_t alg;
-	dns_secproto_t proto;
-	dns_keyflags_t flags;
-
-	REQUIRE(type == 25);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/* flags */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
-	RETERR(uint16_tobuffer(flags, target));
-
-	/* protocol */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &proto, 1));
-
-	/* algorithm */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &alg, 1));
-
-	/* No Key? */
-	if ((flags & 0xc000) == 0xc000)
-		return (ISC_R_SUCCESS);
-
-	return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_key(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("64000")];
-	unsigned int flags;
-	unsigned char algorithm;
-	char namebuf[DNS_NAME_FORMATSIZE];
-
-	REQUIRE(rdata->type == 25);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/* flags */
-	flags = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u", flags);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/* protocol */
-	sprintf(buf, "%u", sr.base[0]);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/* algorithm */
-	algorithm = sr.base[0];
-	sprintf(buf, "%u", algorithm);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-
-	/* No Key? */
-	if ((flags & 0xc000) == 0xc000)
-		return (ISC_R_SUCCESS);
-
-	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0 &&
-	     algorithm == DNS_KEYALG_PRIVATEDNS) {
-		dns_name_t name;
-		dns_name_init(&name, NULL);
-		dns_name_fromregion(&name, &sr);
-		dns_name_format(&name, namebuf, sizeof(namebuf));
-	} else
-		namebuf[0] = 0;
-
-	/* key */
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0)   /* No splitting */
-		RETERR(isc_base64_totext(&sr, 60, "", target));
-	else
-		RETERR(isc_base64_totext(&sr, tctx->width - 2,
-					 tctx->linebreak, target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
-		RETERR(str_totext(tctx->linebreak, target));
-	else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" ", target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(")", target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
-		isc_region_t tmpr;
-
-		RETERR(str_totext(" ; key id = ", target));
-		dns_rdata_toregion(rdata, &tmpr);
-		sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
-		RETERR(str_totext(buf, target));
-		if (algorithm == DNS_KEYALG_PRIVATEDNS) {
-			RETERR(str_totext(tctx->linebreak, target));
-			RETERR(str_totext("; alg = ", target));
-			RETERR(str_totext(namebuf, target));
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_key(ARGS_FROMWIRE) {
-	unsigned char algorithm;
-	isc_region_t sr;
-
-	REQUIRE(type == 25);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-
-	algorithm = sr.base[3];
-	RETERR(mem_tobuffer(target, sr.base, 4));
-	isc_region_consume(&sr, 4);
-	isc_buffer_forward(source, 4);
-
-	if (algorithm == DNS_KEYALG_PRIVATEDNS) {
-		dns_name_t name;
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-		dns_name_init(&name, NULL);
-		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-	}
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_key(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 25);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_key(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 25);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_key(ARGS_FROMSTRUCT) {
-	dns_rdata_key_t *key = source;
-
-	REQUIRE(type == 25);
-	REQUIRE(source != NULL);
-	REQUIRE(key->common.rdtype == type);
-	REQUIRE(key->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	/* Flags */
-	RETERR(uint16_tobuffer(key->flags, target));
-
-	/* Protocol */
-	RETERR(uint8_tobuffer(key->protocol, target));
-
-	/* Algorithm */
-	RETERR(uint8_tobuffer(key->algorithm, target));
-
-	/* Data */
-	return (mem_tobuffer(target, key->data, key->datalen));
-}
-
-static inline isc_result_t
-tostruct_key(ARGS_TOSTRUCT) {
-	dns_rdata_key_t *key = target;
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 25);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	key->common.rdclass = rdata->rdclass;
-	key->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&key->common, link);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/* Flags */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	key->flags = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/* Protocol */
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
-	key->protocol = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/* Algorithm */
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
-	key->algorithm = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/* Data */
-	key->datalen = sr.length;
-	key->data = mem_maybedup(mctx, sr.base, key->datalen);
-	if (key->data == NULL)
-		return (ISC_R_NOMEMORY);
-
-	key->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_key(ARGS_FREESTRUCT) {
-	dns_rdata_key_t *key = (dns_rdata_key_t *) source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(key->common.rdtype == 25);
-
-	if (key->mctx == NULL)
-		return;
-
-	if (key->data != NULL)
-		isc_mem_free(key->mctx, key->data);
-	key->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_key(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 25);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_key(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 25);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_key(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 25);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_key(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 25);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_key(ARGS_COMPARE) {
-	return (compare_key(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_KEY_25_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/key_25.h b/contrib/bind9/lib/dns/rdata/generic/key_25.h
deleted file mode 100644
index bcf9cb6..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/key_25.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_KEY_25_H
-#define GENERIC_KEY_25_H 1
-
-/* $Id: key_25.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- * \brief Per RFC2535 */
-
-typedef struct dns_rdata_key_t {
-        dns_rdatacommon_t	common;
-        isc_mem_t *		mctx;
-        isc_uint16_t		flags;
-        isc_uint8_t		protocol;
-        isc_uint8_t		algorithm;
-        isc_uint16_t		datalen;
-        unsigned char *		data;
-} dns_rdata_key_t;
-
-
-#endif /* GENERIC_KEY_25_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c b/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
deleted file mode 100644
index a2d83f4..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
+++ /dev/null
@@ -1,395 +0,0 @@
-/*
- * Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef GENERIC_KEYDATA_65533_C
-#define GENERIC_KEYDATA_65533_C 1
-
-#include <dst/dst.h>
-
-#define RRTYPE_KEYDATA_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
-
-static inline isc_result_t
-fromtext_keydata(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_secalg_t alg;
-	dns_secproto_t proto;
-	dns_keyflags_t flags;
-	isc_uint32_t refresh, addhd, removehd;
-
-	REQUIRE(type == 65533);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/* refresh timer */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &refresh));
-	RETERR(uint32_tobuffer(refresh, target));
-
-	/* add hold-down */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &addhd));
-	RETERR(uint32_tobuffer(addhd, target));
-
-	/* remove hold-down */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &removehd));
-	RETERR(uint32_tobuffer(removehd, target));
-
-	/* flags */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
-	RETERR(uint16_tobuffer(flags, target));
-
-	/* protocol */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &proto, 1));
-
-	/* algorithm */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &alg, 1));
-
-	/* No Key? */
-	if ((flags & 0xc000) == 0xc000)
-		return (ISC_R_SUCCESS);
-
-	return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_keydata(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("64000")];
-	unsigned int flags;
-	unsigned char algorithm;
-	unsigned long when;
-	char algbuf[DNS_NAME_FORMATSIZE];
-	const char *keyinfo;
-
-	REQUIRE(rdata->type == 65533);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/* refresh timer */
-	when = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	RETERR(dns_time32_totext(when, target));
-	RETERR(str_totext(" ", target));
-
-	/* add hold-down */
-	when = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	RETERR(dns_time32_totext(when, target));
-	RETERR(str_totext(" ", target));
-
-	/* remove hold-down */
-	when = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	RETERR(dns_time32_totext(when, target));
-	RETERR(str_totext(" ", target));
-
-	/* flags */
-	flags = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u", flags);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-	if ((flags & DNS_KEYFLAG_KSK) != 0) {
-		if (flags & DNS_KEYFLAG_REVOKE)
-			keyinfo = "revoked KSK";
-		else
-			keyinfo = "KSK";
-	} else
-		keyinfo = "ZSK";
-
-	/* protocol */
-	sprintf(buf, "%u", sr.base[0]);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/* algorithm */
-	algorithm = sr.base[0];
-	sprintf(buf, "%u", algorithm);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-
-	/* No Key? */
-	if ((flags & 0xc000) == 0xc000)
-		return (ISC_R_SUCCESS);
-
-	/* key */
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0)   /* No splitting */
-		RETERR(isc_base64_totext(&sr, 60, "", target));
-	else
-		RETERR(isc_base64_totext(&sr, tctx->width - 2,
-					 tctx->linebreak, target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
-		RETERR(str_totext(tctx->linebreak, target));
-	else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" ", target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(")", target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
-		isc_region_t tmpr;
-
-		RETERR(str_totext(" ; ", target));
-		RETERR(str_totext(keyinfo, target));
-		dns_secalg_format((dns_secalg_t) algorithm, algbuf,
-				  sizeof(algbuf));
-		RETERR(str_totext("; alg = ", target));
-		RETERR(str_totext(algbuf, target));
-		RETERR(str_totext("; key id = ", target));
-		dns_rdata_toregion(rdata, &tmpr);
-		/* Skip over refresh, addhd, and removehd */
-		isc_region_consume(&tmpr, 12);
-		sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
-		RETERR(str_totext(buf, target));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_keydata(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 65533);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 16)
-		return (ISC_R_UNEXPECTEDEND);
-
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_keydata(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 65533);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_keydata(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 65533);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_keydata(ARGS_FROMSTRUCT) {
-	dns_rdata_keydata_t *keydata = source;
-
-	REQUIRE(type == 65533);
-	REQUIRE(source != NULL);
-	REQUIRE(keydata->common.rdtype == type);
-	REQUIRE(keydata->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	/* Refresh timer */
-	RETERR(uint32_tobuffer(keydata->refresh, target));
-
-	/* Add hold-down */
-	RETERR(uint32_tobuffer(keydata->addhd, target));
-
-	/* Remove hold-down */
-	RETERR(uint32_tobuffer(keydata->removehd, target));
-
-	/* Flags */
-	RETERR(uint16_tobuffer(keydata->flags, target));
-
-	/* Protocol */
-	RETERR(uint8_tobuffer(keydata->protocol, target));
-
-	/* Algorithm */
-	RETERR(uint8_tobuffer(keydata->algorithm, target));
-
-	/* Data */
-	return (mem_tobuffer(target, keydata->data, keydata->datalen));
-}
-
-static inline isc_result_t
-tostruct_keydata(ARGS_TOSTRUCT) {
-	dns_rdata_keydata_t *keydata = target;
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 65533);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	keydata->common.rdclass = rdata->rdclass;
-	keydata->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&keydata->common, link);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/* Refresh timer */
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-	keydata->refresh = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/* Add hold-down */
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-	keydata->addhd = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/* Remove hold-down */
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-	keydata->removehd = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/* Flags */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	keydata->flags = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/* Protocol */
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
-	keydata->protocol = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/* Algorithm */
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
-	keydata->algorithm = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/* Data */
-	keydata->datalen = sr.length;
-	keydata->data = mem_maybedup(mctx, sr.base, keydata->datalen);
-	if (keydata->data == NULL)
-		return (ISC_R_NOMEMORY);
-
-	keydata->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_keydata(ARGS_FREESTRUCT) {
-	dns_rdata_keydata_t *keydata = (dns_rdata_keydata_t *) source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(keydata->common.rdtype == 65533);
-
-	if (keydata->mctx == NULL)
-		return;
-
-	if (keydata->data != NULL)
-		isc_mem_free(keydata->mctx, keydata->data);
-	keydata->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_keydata(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 65533);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_keydata(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 65533);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_keydata(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 65533);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_keydata(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 65533);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_keydata(ARGS_COMPARE) {
-	return (compare_keydata(rdata1, rdata2));
-}
-
-#endif /* GENERIC_KEYDATA_65533_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/keydata_65533.h b/contrib/bind9/lib/dns/rdata/generic/keydata_65533.h
deleted file mode 100644
index 8db827e..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/keydata_65533.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_KEYDATA_65533_H
-#define GENERIC_KEYDATA_65533_H 1
-
-/* $Id: keydata_65533.h,v 1.2 2009/06/30 02:52:32 each Exp $ */
-
-typedef struct dns_rdata_keydata {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	isc_uint32_t		refresh;      /* Timer for refreshing data */
-	isc_uint32_t		addhd;	      /* Hold-down timer for adding */
-	isc_uint32_t		removehd;     /* Hold-down timer for removing */
-	isc_uint16_t		flags;	      /* Copy of DNSKEY_48 */
-	isc_uint8_t		protocol;
-	isc_uint8_t		algorithm;
-	isc_uint16_t		datalen;
-	unsigned char *		data;
-} dns_rdata_keydata_t;
-
-#endif /* GENERIC_KEYDATA_65533_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/l32_105.c b/contrib/bind9/lib/dns/rdata/generic/l32_105.c
deleted file mode 100644
index 763ddb9..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/l32_105.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef RDATA_GENERIC_L32_105_C
-#define RDATA_GENERIC_L32_105_C
-
-#include <string.h>
-
-#include <isc/net.h>
-
-#define RRTYPE_L32_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_l32(ARGS_FROMTEXT) {
-	isc_token_t token;
-	struct in_addr addr;
-	isc_region_t region;
-
-	REQUIRE(type == 105);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
-		RETTOK(DNS_R_BADDOTTEDQUAD);
-	isc_buffer_availableregion(target, &region);
-	if (region.length < 4)
-		return (ISC_R_NOSPACE);
-	memcpy(region.base, &addr, 4);
-	isc_buffer_add(target, 4);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_l32(ARGS_TOTEXT) {
-	isc_region_t region;
-	char buf[sizeof("65000")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 105);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-
-	RETERR(str_totext(" ", target));
-
-	return (inet_totext(AF_INET, &region, target));
-}
-
-static inline isc_result_t
-fromwire_l32(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-
-	REQUIRE(type == 105);
-
-	UNUSED(type);
-	UNUSED(options);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length != 6)
-		return (DNS_R_FORMERR);
-	isc_buffer_forward(source, sregion.length);
-	return (mem_tobuffer(target, sregion.base, sregion.length));
-}
-
-static inline isc_result_t
-towire_l32(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == 105);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_l32(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 105);
-	REQUIRE(rdata1->length == 6);
-	REQUIRE(rdata2->length == 6);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-	return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_l32(ARGS_FROMSTRUCT) {
-	dns_rdata_l32_t *l32 = source;
-	isc_uint32_t n;
-
-	REQUIRE(type == 105);
-	REQUIRE(source != NULL);
-	REQUIRE(l32->common.rdtype == type);
-	REQUIRE(l32->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(l32->pref, target));
-	n = ntohl(l32->l32.s_addr);
-	return (uint32_tobuffer(n, target));
-}
-
-static inline isc_result_t
-tostruct_l32(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_l32_t *l32 = target;
-	isc_uint32_t n;
-
-	REQUIRE(rdata->type == 105);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(mctx);
-
-	l32->common.rdclass = rdata->rdclass;
-	l32->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&l32->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-	l32->pref = uint16_fromregion(&region);
-	n = uint32_fromregion(&region);
-	l32->l32.s_addr = htonl(n);
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_l32(ARGS_FREESTRUCT) {
-	dns_rdata_l32_t *l32 = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(l32->common.rdtype == 105);
-
-	return;
-}
-
-static inline isc_result_t
-additionaldata_l32(ARGS_ADDLDATA) {
-
-	REQUIRE(rdata->type == 105);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_l32(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 105);
-	REQUIRE(rdata->length == 6);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_l32(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 105);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_l32(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 105);
-	REQUIRE(rdata->length == 6);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_l32(ARGS_COMPARE) {
-	return (compare_l32(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_L32_105_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/l32_105.h b/contrib/bind9/lib/dns/rdata/generic/l32_105.h
deleted file mode 100644
index f95db22..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/l32_105.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_L32_105_H
-#define GENERIC_L32_105_H 1
-
-typedef struct dns_rdata_l32 {
-	dns_rdatacommon_t	common;
-	isc_uint16_t		pref;
-	struct in_addr		l32;
-} dns_rdata_l32_t;
-
-#endif /* GENERIC_L32_105_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/l64_106.c b/contrib/bind9/lib/dns/rdata/generic/l64_106.c
deleted file mode 100644
index ff20663..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/l64_106.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef RDATA_GENERIC_L64_106_C
-#define RDATA_GENERIC_L64_106_C
-
-#include <string.h>
-
-#include <isc/net.h>
-
-#define RRTYPE_L64_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_l64(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char locator[NS_LOCATORSZ];
-
-	REQUIRE(type == 106);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	if (locator_pton(DNS_AS_STR(token), locator) != 1)
-		RETTOK(DNS_R_SYNTAX);
-	return (mem_tobuffer(target, locator, NS_LOCATORSZ));
-}
-
-static inline isc_result_t
-totext_l64(ARGS_TOTEXT) {
-	isc_region_t region;
-	char buf[sizeof("xxxx:xxxx:xxxx:xxxx")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 106);
-	REQUIRE(rdata->length == 10);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-
-	RETERR(str_totext(" ", target));
-
-	sprintf(buf, "%x:%x:%x:%x",
-		region.base[0]<<8 | region.base[1],
-		region.base[2]<<8 | region.base[3],
-		region.base[4]<<8 | region.base[5],
-		region.base[6]<<8 | region.base[7]);
-	return (str_totext(buf, target));
-}
-
-static inline isc_result_t
-fromwire_l64(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-
-	REQUIRE(type == 106);
-
-	UNUSED(type);
-	UNUSED(options);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length != 10)
-		return (DNS_R_FORMERR);
-	isc_buffer_forward(source, sregion.length);
-	return (mem_tobuffer(target, sregion.base, sregion.length));
-}
-
-static inline isc_result_t
-towire_l64(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == 106);
-	REQUIRE(rdata->length == 10);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_l64(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 106);
-	REQUIRE(rdata1->length == 10);
-	REQUIRE(rdata2->length == 10);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-	return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_l64(ARGS_FROMSTRUCT) {
-	dns_rdata_l64_t *l64 = source;
-
-	REQUIRE(type == 106);
-	REQUIRE(source != NULL);
-	REQUIRE(l64->common.rdtype == type);
-	REQUIRE(l64->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(l64->pref, target));
-	return (mem_tobuffer(target, l64->l64, sizeof(l64->l64)));
-}
-
-static inline isc_result_t
-tostruct_l64(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_l64_t *l64 = target;
-
-	REQUIRE(rdata->type == 106);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length == 10);
-
-	UNUSED(mctx);
-
-	l64->common.rdclass = rdata->rdclass;
-	l64->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&l64->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-	l64->pref = uint16_fromregion(&region);
-	memcpy(l64->l64, region.base, region.length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_l64(ARGS_FREESTRUCT) {
-	dns_rdata_l64_t *l64 = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(l64->common.rdtype == 106);
-
-	return;
-}
-
-static inline isc_result_t
-additionaldata_l64(ARGS_ADDLDATA) {
-
-	REQUIRE(rdata->type == 106);
-	REQUIRE(rdata->length == 10);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_l64(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 106);
-	REQUIRE(rdata->length == 10);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_l64(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 106);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_l64(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 106);
-	REQUIRE(rdata->length == 10);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_l64(ARGS_COMPARE) {
-	return (compare_l64(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_L64_106_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/l64_106.h b/contrib/bind9/lib/dns/rdata/generic/l64_106.h
deleted file mode 100644
index 8f93fc5..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/l64_106.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_L64_106_H
-#define GENERIC_L64_106_H 1
-
-typedef struct dns_rdata_l64 {
-	dns_rdatacommon_t	common;
-	isc_uint16_t		pref;
-	unsigned char		l64[8];
-} dns_rdata_l64_t;
-
-#endif /* GENERIC_L64_106_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/loc_29.c b/contrib/bind9/lib/dns/rdata/generic/loc_29.c
deleted file mode 100644
index 904dbb4..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/loc_29.c
+++ /dev/null
@@ -1,804 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: loc_29.c,v 1.50 2009/12/04 21:09:33 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
-
-/* RFC1876 */
-
-#ifndef RDATA_GENERIC_LOC_29_C
-#define RDATA_GENERIC_LOC_29_C
-
-#define RRTYPE_LOC_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_loc(ARGS_FROMTEXT) {
-	isc_token_t token;
-	int d1, m1, s1;
-	int d2, m2, s2;
-	unsigned char size;
-	unsigned char hp;
-	unsigned char vp;
-	unsigned char version;
-	isc_boolean_t east = ISC_FALSE;
-	isc_boolean_t north = ISC_FALSE;
-	long tmp;
-	long m;
-	long cm;
-	long poweroften[8] = { 1, 10, 100, 1000,
-			       10000, 100000, 1000000, 10000000 };
-	int man;
-	int exp;
-	char *e;
-	int i;
-	unsigned long latitude;
-	unsigned long longitude;
-	unsigned long altitude;
-
-	REQUIRE(type == 29);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-
-	/*
-	 * Defaults.
-	 */
-	m1 = s1 = 0;
-	m2 = s2 = 0;
-	size = 0x12;	/* 1.00m */
-	hp = 0x16;	/* 10000.00 m */
-	vp = 0x13;	/* 10.00 m */
-	version = 0;
-
-	/*
-	 * Degrees.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 90U)
-		RETTOK(ISC_R_RANGE);
-	d1 = (int)token.value.as_ulong;
-	/*
-	 * Minutes.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
-		north = ISC_TRUE;
-	if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
-		goto getlong;
-	m1 = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	if (m1 < 0 || m1 > 59)
-		RETTOK(ISC_R_RANGE);
-	if (d1 == 90 && m1 != 0)
-		RETTOK(ISC_R_RANGE);
-
-	/*
-	 * Seconds.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
-		north = ISC_TRUE;
-	if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
-		goto getlong;
-	s1 = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.')
-		RETTOK(DNS_R_SYNTAX);
-	if (s1 < 0 || s1 > 59)
-		RETTOK(ISC_R_RANGE);
-	if (*e == '.') {
-		const char *l;
-		e++;
-		for (i = 0; i < 3; i++) {
-			if (*e == 0)
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
-			s1 *= 10;
-			s1 += tmp;
-		}
-		for (; i < 3; i++)
-			s1 *= 10;
-		l = e;
-		while (*e != 0) {
-			if (decvalue(*e++) < 0)
-				RETTOK(DNS_R_SYNTAX);
-		}
-		if (*l != '\0' && callbacks != NULL) {
-			const char *file = isc_lex_getsourcename(lexer);
-			unsigned long line = isc_lex_getsourceline(lexer);
-
-			if (file == NULL)
-				file = "UNKNOWN";
-			(*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
-					   "precision digits ignored",
-					   "dns_rdata_fromtext", file, line,
-					   DNS_AS_STR(token));
-		}
-	} else
-		s1 *= 1000;
-	if (d1 == 90 && s1 != 0)
-		RETTOK(ISC_R_RANGE);
-
-	/*
-	 * Direction.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
-		north = ISC_TRUE;
-	if (!north && strcasecmp(DNS_AS_STR(token), "S") != 0)
-		RETTOK(DNS_R_SYNTAX);
-
- getlong:
-	/*
-	 * Degrees.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 180U)
-		RETTOK(ISC_R_RANGE);
-	d2 = (int)token.value.as_ulong;
-
-	/*
-	 * Minutes.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
-		east = ISC_TRUE;
-	if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
-		goto getalt;
-	m2 = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	if (m2 < 0 || m2 > 59)
-		RETTOK(ISC_R_RANGE);
-	if (d2 == 180 && m2 != 0)
-		RETTOK(ISC_R_RANGE);
-
-	/*
-	 * Seconds.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
-		east = ISC_TRUE;
-	if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
-		goto getalt;
-	s2 = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.')
-		RETTOK(DNS_R_SYNTAX);
-	if (s2 < 0 || s2 > 59)
-		RETTOK(ISC_R_RANGE);
-	if (*e == '.') {
-		const char *l;
-		e++;
-		for (i = 0; i < 3; i++) {
-			if (*e == 0)
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
-			s2 *= 10;
-			s2 += tmp;
-		}
-		for (; i < 3; i++)
-			s2 *= 10;
-		l = e;
-		while (*e != 0) {
-			if (decvalue(*e++) < 0)
-				RETTOK(DNS_R_SYNTAX);
-		}
-		if (*l != '\0' && callbacks != NULL) {
-			const char *file = isc_lex_getsourcename(lexer);
-			unsigned long line = isc_lex_getsourceline(lexer);
-
-			if (file == NULL)
-				file = "UNKNOWN";
-			(*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
-					   "precision digits ignored",
-					   "dns_rdata_fromtext",
-					   file, line, DNS_AS_STR(token));
-		}
-	} else
-		s2 *= 1000;
-	if (d2 == 180 && s2 != 0)
-		RETTOK(ISC_R_RANGE);
-
-	/*
-	 * Direction.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
-		east = ISC_TRUE;
-	if (!east && strcasecmp(DNS_AS_STR(token), "W") != 0)
-		RETTOK(DNS_R_SYNTAX);
-
- getalt:
-	/*
-	 * Altitude.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	m = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.' && *e != 'm')
-		RETTOK(DNS_R_SYNTAX);
-	if (m < -100000 || m > 42849672)
-		RETTOK(ISC_R_RANGE);
-	cm = 0;
-	if (*e == '.') {
-		e++;
-		for (i = 0; i < 2; i++) {
-			if (*e == 0 || *e == 'm')
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				return (DNS_R_SYNTAX);
-			cm *= 10;
-			if (m < 0)
-				cm -= tmp;
-			else
-				cm += tmp;
-		}
-		for (; i < 2; i++)
-			cm *= 10;
-	}
-	if (*e == 'm')
-		e++;
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	if (m == -100000 && cm != 0)
-		RETTOK(ISC_R_RANGE);
-	if (m == 42849672 && cm > 95)
-		RETTOK(ISC_R_RANGE);
-	/*
-	 * Adjust base.
-	 */
-	altitude = m + 100000;
-	altitude *= 100;
-	altitude += cm;
-
-	/*
-	 * Size: optional.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_TRUE));
-	if (token.type == isc_tokentype_eol ||
-	    token.type == isc_tokentype_eof) {
-		isc_lex_ungettoken(lexer, &token);
-		goto encode;
-	}
-	m = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.' && *e != 'm')
-		RETTOK(DNS_R_SYNTAX);
-	if (m < 0 || m > 90000000)
-		RETTOK(ISC_R_RANGE);
-	cm = 0;
-	if (*e == '.') {
-		e++;
-		for (i = 0; i < 2; i++) {
-			if (*e == 0 || *e == 'm')
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
-			cm *= 10;
-			cm += tmp;
-		}
-		for (; i < 2; i++)
-			cm *= 10;
-	}
-	if (*e == 'm')
-		e++;
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	/*
-	 * We don't just multiply out as we will overflow.
-	 */
-	if (m > 0) {
-		for (exp = 0; exp < 7; exp++)
-			if (m < poweroften[exp+1])
-				break;
-		man = m / poweroften[exp];
-		exp += 2;
-	} else {
-		if (cm >= 10) {
-			man = cm / 10;
-			exp = 1;
-		} else {
-			man = cm;
-			exp = 0;
-		}
-	}
-	size = (man << 4) + exp;
-
-	/*
-	 * Horizontal precision: optional.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_TRUE));
-	if (token.type == isc_tokentype_eol ||
-	    token.type == isc_tokentype_eof) {
-		isc_lex_ungettoken(lexer, &token);
-		goto encode;
-	}
-	m = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.' && *e != 'm')
-		RETTOK(DNS_R_SYNTAX);
-	if (m < 0 || m > 90000000)
-		RETTOK(ISC_R_RANGE);
-	cm = 0;
-	if (*e == '.') {
-		e++;
-		for (i = 0; i < 2; i++) {
-			if (*e == 0 || *e == 'm')
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
-			cm *= 10;
-			cm += tmp;
-		}
-		for (; i < 2; i++)
-			cm *= 10;
-	}
-	if (*e == 'm')
-		e++;
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	/*
-	 * We don't just multiply out as we will overflow.
-	 */
-	if (m > 0) {
-		for (exp = 0; exp < 7; exp++)
-			if (m < poweroften[exp+1])
-				break;
-		man = m / poweroften[exp];
-		exp += 2;
-	} else if (cm >= 10) {
-		man = cm / 10;
-		exp = 1;
-	} else  {
-		man = cm;
-		exp = 0;
-	}
-	hp = (man << 4) + exp;
-
-	/*
-	 * Vertical precision: optional.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_TRUE));
-	if (token.type == isc_tokentype_eol ||
-	    token.type == isc_tokentype_eof) {
-		isc_lex_ungettoken(lexer, &token);
-		goto encode;
-	}
-	m = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e != 0 && *e != '.' && *e != 'm')
-		RETTOK(DNS_R_SYNTAX);
-	if (m < 0 || m > 90000000)
-		RETTOK(ISC_R_RANGE);
-	cm = 0;
-	if (*e == '.') {
-		e++;
-		for (i = 0; i < 2; i++) {
-			if (*e == 0 || *e == 'm')
-				break;
-			if ((tmp = decvalue(*e++)) < 0)
-				RETTOK(DNS_R_SYNTAX);
-			cm *= 10;
-			cm += tmp;
-		}
-		for (; i < 2; i++)
-			cm *= 10;
-	}
-	if (*e == 'm')
-		e++;
-	if (*e != 0)
-		RETTOK(DNS_R_SYNTAX);
-	/*
-	 * We don't just multiply out as we will overflow.
-	 */
-	if (m > 0) {
-		for (exp = 0; exp < 7; exp++)
-			if (m < poweroften[exp+1])
-				break;
-		man = m / poweroften[exp];
-		exp += 2;
-	} else if (cm >= 10) {
-		man = cm / 10;
-		exp = 1;
-	} else {
-		man = cm;
-		exp = 0;
-	}
-	vp = (man << 4) + exp;
-
- encode:
-	RETERR(mem_tobuffer(target, &version, 1));
-	RETERR(mem_tobuffer(target, &size, 1));
-	RETERR(mem_tobuffer(target, &hp, 1));
-	RETERR(mem_tobuffer(target, &vp, 1));
-	if (north)
-		latitude = 0x80000000 + ( d1 * 3600 + m1 * 60 ) * 1000 + s1;
-	else
-		latitude = 0x80000000 - ( d1 * 3600 + m1 * 60 ) * 1000 - s1;
-	RETERR(uint32_tobuffer(latitude, target));
-
-	if (east)
-		longitude = 0x80000000 + ( d2 * 3600 + m2 * 60 ) * 1000 + s2;
-	else
-		longitude = 0x80000000 - ( d2 * 3600 + m2 * 60 ) * 1000 - s2;
-	RETERR(uint32_tobuffer(longitude, target));
-
-	return (uint32_tobuffer(altitude, target));
-}
-
-static inline isc_result_t
-totext_loc(ARGS_TOTEXT) {
-	int d1, m1, s1, fs1;
-	int d2, m2, s2, fs2;
-	unsigned long latitude;
-	unsigned long longitude;
-	unsigned long altitude;
-	isc_boolean_t north;
-	isc_boolean_t east;
-	isc_boolean_t below;
-	isc_region_t sr;
-	char buf[sizeof("89 59 59.999 N 179 59 59.999 E "
-			"42849672.95m 90000000m 90000000m 90000000m")];
-	char sbuf[sizeof("90000000m")];
-	char hbuf[sizeof("90000000m")];
-	char vbuf[sizeof("90000000m")];
-	unsigned char size, hp, vp;
-	unsigned long poweroften[8] = { 1, 10, 100, 1000,
-					10000, 100000, 1000000, 10000000 };
-
-	UNUSED(tctx);
-
-	REQUIRE(rdata->type == 29);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/* version = sr.base[0]; */
-	size = sr.base[1];
-	INSIST((size&0x0f) < 10 && (size>>4) < 10);
-	if ((size&0x0f)> 1)
-		sprintf(sbuf, "%lum", (size>>4) * poweroften[(size&0x0f)-2]);
-	else
-		sprintf(sbuf, "0.%02lum", (size>>4) * poweroften[(size&0x0f)]);
-	hp = sr.base[2];
-	INSIST((hp&0x0f) < 10 && (hp>>4) < 10);
-	if ((hp&0x0f)> 1)
-		sprintf(hbuf, "%lum", (hp>>4) * poweroften[(hp&0x0f)-2]);
-	else
-		sprintf(hbuf, "0.%02lum", (hp>>4) * poweroften[(hp&0x0f)]);
-	vp = sr.base[3];
-	INSIST((vp&0x0f) < 10 && (vp>>4) < 10);
-	if ((vp&0x0f)> 1)
-		sprintf(vbuf, "%lum", (vp>>4) * poweroften[(vp&0x0f)-2]);
-	else
-		sprintf(vbuf, "0.%02lum", (vp>>4) * poweroften[(vp&0x0f)]);
-	isc_region_consume(&sr, 4);
-
-	latitude = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	if (latitude >= 0x80000000) {
-		north = ISC_TRUE;
-		latitude -= 0x80000000;
-	} else {
-		north = ISC_FALSE;
-		latitude = 0x80000000 - latitude;
-	}
-	fs1 = (int)(latitude % 1000);
-	latitude /= 1000;
-	s1 = (int)(latitude % 60);
-	latitude /= 60;
-	m1 = (int)(latitude % 60);
-	latitude /= 60;
-	d1 = (int)latitude;
-	INSIST(latitude <= 90U);
-
-	longitude = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	if (longitude >= 0x80000000) {
-		east = ISC_TRUE;
-		longitude -= 0x80000000;
-	} else {
-		east = ISC_FALSE;
-		longitude = 0x80000000 - longitude;
-	}
-	fs2 = (int)(longitude % 1000);
-	longitude /= 1000;
-	s2 = (int)(longitude % 60);
-	longitude /= 60;
-	m2 = (int)(longitude % 60);
-	longitude /= 60;
-	d2 = (int)longitude;
-	INSIST(longitude <= 180U);
-
-	altitude = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	if (altitude < 10000000U) {
-		below = ISC_TRUE;
-		altitude = 10000000 - altitude;
-	} else {
-		below =ISC_FALSE;
-		altitude -= 10000000;
-	}
-
-	sprintf(buf, "%d %d %d.%03d %s %d %d %d.%03d %s %s%ld.%02ldm %s %s %s",
-		d1, m1, s1, fs1, north ? "N" : "S",
-		d2, m2, s2, fs2, east ? "E" : "W",
-		below ? "-" : "", altitude/100, altitude % 100,
-		sbuf, hbuf, vbuf);
-
-	return (str_totext(buf, target));
-}
-
-static inline isc_result_t
-fromwire_loc(ARGS_FROMWIRE) {
-	isc_region_t sr;
-	unsigned char c;
-	unsigned long latitude;
-	unsigned long longitude;
-
-	REQUIRE(type == 29);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
-	if (sr.base[0] != 0)
-		return (ISC_R_NOTIMPLEMENTED);
-	if (sr.length < 16)
-		return (ISC_R_UNEXPECTEDEND);
-
-	/*
-	 * Size.
-	 */
-	c = sr.base[1];
-	if (c != 0)
-		if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
-			return (ISC_R_RANGE);
-
-	/*
-	 * Horizontal precision.
-	 */
-	c = sr.base[2];
-	if (c != 0)
-		if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
-			return (ISC_R_RANGE);
-
-	/*
-	 * Vertical precision.
-	 */
-	c = sr.base[3];
-	if (c != 0)
-		if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
-			return (ISC_R_RANGE);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Latitude.
-	 */
-	latitude = uint32_fromregion(&sr);
-	if (latitude < (0x80000000UL - 90 * 3600000) ||
-	    latitude > (0x80000000UL + 90 * 3600000))
-		return (ISC_R_RANGE);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Longitude.
-	 */
-	longitude = uint32_fromregion(&sr);
-	if (longitude < (0x80000000UL - 180 * 3600000) ||
-	    longitude > (0x80000000UL + 180 * 3600000))
-		return (ISC_R_RANGE);
-
-	/*
-	 * Altitude.
-	 * All values possible.
-	 */
-
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_forward(source, 16);
-	return (mem_tobuffer(target, sr.base, 16));
-}
-
-static inline isc_result_t
-towire_loc(ARGS_TOWIRE) {
-	UNUSED(cctx);
-
-	REQUIRE(rdata->type == 29);
-	REQUIRE(rdata->length != 0);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_loc(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 29);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_loc(ARGS_FROMSTRUCT) {
-	dns_rdata_loc_t *loc = source;
-	isc_uint8_t c;
-
-	REQUIRE(type == 29);
-	REQUIRE(source != NULL);
-	REQUIRE(loc->common.rdtype == type);
-	REQUIRE(loc->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	if (loc->v.v0.version != 0)
-		return (ISC_R_NOTIMPLEMENTED);
-	RETERR(uint8_tobuffer(loc->v.v0.version, target));
-
-	c = loc->v.v0.size;
-	if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
-		return (ISC_R_RANGE);
-	RETERR(uint8_tobuffer(loc->v.v0.size, target));
-
-	c = loc->v.v0.horizontal;
-	if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
-		return (ISC_R_RANGE);
-	RETERR(uint8_tobuffer(loc->v.v0.horizontal, target));
-
-	c = loc->v.v0.vertical;
-	if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
-		return (ISC_R_RANGE);
-	RETERR(uint8_tobuffer(loc->v.v0.vertical, target));
-
-	if (loc->v.v0.latitude < (0x80000000UL - 90 * 3600000) ||
-	    loc->v.v0.latitude > (0x80000000UL + 90 * 3600000))
-		return (ISC_R_RANGE);
-	RETERR(uint32_tobuffer(loc->v.v0.latitude, target));
-
-	if (loc->v.v0.longitude < (0x80000000UL - 180 * 3600000) ||
-	    loc->v.v0.longitude > (0x80000000UL + 180 * 3600000))
-		return (ISC_R_RANGE);
-	RETERR(uint32_tobuffer(loc->v.v0.longitude, target));
-	return (uint32_tobuffer(loc->v.v0.altitude, target));
-}
-
-static inline isc_result_t
-tostruct_loc(ARGS_TOSTRUCT) {
-	dns_rdata_loc_t *loc = target;
-	isc_region_t r;
-	isc_uint8_t version;
-
-	REQUIRE(rdata->type == 29);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(mctx);
-
-	dns_rdata_toregion(rdata, &r);
-	version = uint8_fromregion(&r);
-	if (version != 0)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	loc->common.rdclass = rdata->rdclass;
-	loc->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&loc->common, link);
-
-	loc->v.v0.version = version;
-	isc_region_consume(&r, 1);
-	loc->v.v0.size = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	loc->v.v0.horizontal = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	loc->v.v0.vertical = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	loc->v.v0.latitude = uint32_fromregion(&r);
-	isc_region_consume(&r, 4);
-	loc->v.v0.longitude = uint32_fromregion(&r);
-	isc_region_consume(&r, 4);
-	loc->v.v0.altitude = uint32_fromregion(&r);
-	isc_region_consume(&r, 4);
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_loc(ARGS_FREESTRUCT) {
-	dns_rdata_loc_t *loc = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(loc->common.rdtype == 29);
-
-	UNUSED(source);
-	UNUSED(loc);
-}
-
-static inline isc_result_t
-additionaldata_loc(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 29);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_loc(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 29);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_loc(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 29);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_loc(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 29);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_loc(ARGS_COMPARE) {
-	return (compare_loc(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_LOC_29_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/loc_29.h b/contrib/bind9/lib/dns/rdata/generic/loc_29.h
deleted file mode 100644
index f053c60..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/loc_29.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_LOC_29_H
-#define GENERIC_LOC_29_H 1
-
-/* $Id: loc_29.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- * \brief Per RFC1876 */
-
-typedef struct dns_rdata_loc_0 {
-	isc_uint8_t	version;	/* must be first and zero */
-	isc_uint8_t	size;
-	isc_uint8_t	horizontal;
-	isc_uint8_t	vertical;
-	isc_uint32_t	latitude;
-	isc_uint32_t	longitude;
-	isc_uint32_t	altitude;
-} dns_rdata_loc_0_t;
-
-typedef struct dns_rdata_loc {
-	dns_rdatacommon_t	common;
-	union {
-		dns_rdata_loc_0_t v0;
-	} v;
-} dns_rdata_loc_t;
-
-#endif /* GENERIC_LOC_29_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/lp_107.c b/contrib/bind9/lib/dns/rdata/generic/lp_107.c
deleted file mode 100644
index 732ef7f..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/lp_107.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef RDATA_GENERIC_LP_107_C
-#define RDATA_GENERIC_LP_107_C
-
-#include <string.h>
-
-#include <isc/net.h>
-
-#define RRTYPE_LP_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_lp(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 107);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	return (dns_name_fromtext(&name, &buffer, origin, options, target));
-}
-
-static inline isc_result_t
-totext_lp(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	char buf[sizeof("64000")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 107);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-
-	RETERR(str_totext(" ", target));
-
-	dns_name_fromregion(&name, &region);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_lp(ARGS_FROMWIRE) {
-	dns_name_t name;
-	isc_region_t sregion;
-
-	REQUIRE(type == 107);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sregion.base, 2));
-	isc_buffer_forward(source, 2);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_lp(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == 107);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_lp(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 107);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_lp(ARGS_FROMSTRUCT) {
-	dns_rdata_lp_t *lp = source;
-	isc_region_t region;
-
-	REQUIRE(type == 107);
-	REQUIRE(source != NULL);
-	REQUIRE(lp->common.rdtype == type);
-	REQUIRE(lp->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(lp->pref, target));
-	dns_name_toregion(&lp->lp, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_lp(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_lp_t *lp = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 107);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	lp->common.rdclass = rdata->rdclass;
-	lp->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&lp->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	lp->pref = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&lp->lp, NULL);
-	RETERR(name_duporclone(&name, mctx, &lp->lp));
-	lp->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_lp(ARGS_FREESTRUCT) {
-	dns_rdata_lp_t *lp = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(lp->common.rdtype == 107);
-
-	if (lp->mctx == NULL)
-		return;
-
-	dns_name_free(&lp->lp, lp->mctx);
-	lp->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_lp(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-	isc_result_t result;
-
-	REQUIRE(rdata->type == 107);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 2);
-	dns_name_fromregion(&name, &region);
-
-	result = (add)(arg, &name, dns_rdatatype_l32);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	return ((add)(arg, &name, dns_rdatatype_l64));
-}
-
-static inline isc_result_t
-digest_lp(ARGS_DIGEST) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 107);
-
-	dns_rdata_toregion(rdata, &region);
-	return ((digest)(arg, &region));
-}
-
-static inline isc_boolean_t
-checkowner_lp(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 107);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(name);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_lp(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 107);
-
-	UNUSED(bad);
-	UNUSED(owner);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_lp(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 107);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	order = memcmp(rdata1->data, rdata2->data, 2);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	isc_region_consume(&region1, 2);
-	isc_region_consume(&region2, 2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-#endif	/* RDATA_GENERIC_LP_107_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/lp_107.h b/contrib/bind9/lib/dns/rdata/generic/lp_107.h
deleted file mode 100644
index cbfee8a..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/lp_107.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_LP_107_H
-#define GENERIC_LP_107_H 1
-
-typedef struct dns_rdata_lp {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		pref;
-	dns_name_t		lp;
-} dns_rdata_lp_t;
-
-#endif /* GENERIC_LP_107_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mb_7.c b/contrib/bind9/lib/dns/rdata/generic/mb_7.c
deleted file mode 100644
index 8e588fc..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mb_7.c
+++ /dev/null
@@ -1,239 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mb_7.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Wed Mar 15 17:31:26 PST 2000 by bwelling */
-
-#ifndef RDATA_GENERIC_MB_7_C
-#define RDATA_GENERIC_MB_7_C
-
-#define RRTYPE_MB_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_mb(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 7);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mb(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 7);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mb(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 7);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mb(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 7);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mb(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 7);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mb(ARGS_FROMSTRUCT) {
-	dns_rdata_mb_t *mb = source;
-	isc_region_t region;
-
-	REQUIRE(type == 7);
-	REQUIRE(source != NULL);
-	REQUIRE(mb->common.rdtype == type);
-	REQUIRE(mb->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&mb->mb, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mb(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_mb_t *mb = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 7);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	mb->common.rdclass = rdata->rdclass;
-	mb->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&mb->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&mb->mb, NULL);
-	RETERR(name_duporclone(&name, mctx, &mb->mb));
-	mb->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mb(ARGS_FREESTRUCT) {
-	dns_rdata_mb_t *mb = source;
-
-	REQUIRE(source != NULL);
-
-	if (mb->mctx == NULL)
-		return;
-
-	dns_name_free(&mb->mb, mb->mctx);
-	mb->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mb(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 7);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_mb(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 7);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mb(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 7);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (dns_name_ismailbox(name));
-}
-
-static inline isc_boolean_t
-checknames_mb(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 7);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_mb(ARGS_COMPARE) {
-	return (compare_mb(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_MB_7_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mb_7.h b/contrib/bind9/lib/dns/rdata/generic/mb_7.h
deleted file mode 100644
index b427ee9..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mb_7.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MB_7_H
-#define GENERIC_MB_7_H 1
-
-/* $Id: mb_7.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mb {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		mb;
-} dns_rdata_mb_t;
-
-#endif /* GENERIC_MB_7_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/md_3.c b/contrib/bind9/lib/dns/rdata/generic/md_3.c
deleted file mode 100644
index e00f1f6..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/md_3.c
+++ /dev/null
@@ -1,241 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: md_3.c,v 1.49 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Wed Mar 15 17:48:20 PST 2000 by bwelling */
-
-#ifndef RDATA_GENERIC_MD_3_C
-#define RDATA_GENERIC_MD_3_C
-
-#define RRTYPE_MD_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_md(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 3);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_md(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 3);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_md(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 3);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_md(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 3);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_md(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 3);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_md(ARGS_FROMSTRUCT) {
-	dns_rdata_md_t *md = source;
-	isc_region_t region;
-
-	REQUIRE(type == 3);
-	REQUIRE(source != NULL);
-	REQUIRE(md->common.rdtype == type);
-	REQUIRE(md->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&md->md, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_md(ARGS_TOSTRUCT) {
-	dns_rdata_md_t *md = target;
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 3);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	md->common.rdclass = rdata->rdclass;
-	md->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&md->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &r);
-	dns_name_fromregion(&name, &r);
-	dns_name_init(&md->md, NULL);
-	RETERR(name_duporclone(&name, mctx, &md->md));
-	md->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_md(ARGS_FREESTRUCT) {
-	dns_rdata_md_t *md = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(md->common.rdtype == 3);
-
-	if (md->mctx == NULL)
-		return;
-
-	dns_name_free(&md->md, md->mctx);
-	md->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_md(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 3);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_md(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 3);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_md(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 3);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_md(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 3);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_md(ARGS_COMPARE) {
-	return (compare_md(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_MD_3_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/md_3.h b/contrib/bind9/lib/dns/rdata/generic/md_3.h
deleted file mode 100644
index ba70d18..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/md_3.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MD_3_H
-#define GENERIC_MD_3_H 1
-
-/* $Id: md_3.h,v 1.28 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_md {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		md;
-} dns_rdata_md_t;
-
-
-#endif /* GENERIC_MD_3_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mf_4.c b/contrib/bind9/lib/dns/rdata/generic/mf_4.c
deleted file mode 100644
index a85809a..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mf_4.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mf_4.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
-
-/* reviewed: Wed Mar 15 17:47:33 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_MF_4_C
-#define RDATA_GENERIC_MF_4_C
-
-#define RRTYPE_MF_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_mf(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 4);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mf(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 4);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mf(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 4);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mf(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 4);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mf(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 4);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mf(ARGS_FROMSTRUCT) {
-	dns_rdata_mf_t *mf = source;
-	isc_region_t region;
-
-	REQUIRE(type == 4);
-	REQUIRE(source != NULL);
-	REQUIRE(mf->common.rdtype == type);
-	REQUIRE(mf->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&mf->mf, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mf(ARGS_TOSTRUCT) {
-	dns_rdata_mf_t *mf = target;
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 4);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	mf->common.rdclass = rdata->rdclass;
-	mf->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&mf->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &r);
-	dns_name_fromregion(&name, &r);
-	dns_name_init(&mf->mf, NULL);
-	RETERR(name_duporclone(&name, mctx, &mf->mf));
-	mf->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mf(ARGS_FREESTRUCT) {
-	dns_rdata_mf_t *mf = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(mf->common.rdtype == 4);
-
-	if (mf->mctx == NULL)
-		return;
-	dns_name_free(&mf->mf, mf->mctx);
-	mf->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mf(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 4);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_mf(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 4);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mf(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 4);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_mf(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 4);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_mf(ARGS_COMPARE) {
-	return (compare_mf(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_MF_4_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mf_4.h b/contrib/bind9/lib/dns/rdata/generic/mf_4.h
deleted file mode 100644
index 32d2493..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mf_4.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MF_4_H
-#define GENERIC_MF_4_H 1
-
-/* $Id: mf_4.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mf {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		mf;
-} dns_rdata_mf_t;
-
-#endif /* GENERIC_MF_4_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mg_8.c b/contrib/bind9/lib/dns/rdata/generic/mg_8.c
deleted file mode 100644
index d0af188..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mg_8.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mg_8.c,v 1.45 2009/12/04 22:06:37 tbox Exp $ */
-
-/* reviewed: Wed Mar 15 17:49:21 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_MG_8_C
-#define RDATA_GENERIC_MG_8_C
-
-#define RRTYPE_MG_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_mg(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 8);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mg(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 8);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mg(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 8);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mg(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 8);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mg(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 8);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mg(ARGS_FROMSTRUCT) {
-	dns_rdata_mg_t *mg = source;
-	isc_region_t region;
-
-	REQUIRE(type == 8);
-	REQUIRE(source != NULL);
-	REQUIRE(mg->common.rdtype == type);
-	REQUIRE(mg->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&mg->mg, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mg(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_mg_t *mg = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 8);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	mg->common.rdclass = rdata->rdclass;
-	mg->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&mg->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&mg->mg, NULL);
-	RETERR(name_duporclone(&name, mctx, &mg->mg));
-	mg->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mg(ARGS_FREESTRUCT) {
-	dns_rdata_mg_t *mg = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(mg->common.rdtype == 8);
-
-	if (mg->mctx == NULL)
-		return;
-	dns_name_free(&mg->mg, mg->mctx);
-	mg->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mg(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 8);
-
-	UNUSED(add);
-	UNUSED(arg);
-	UNUSED(rdata);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_mg(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 8);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mg(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 8);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (dns_name_ismailbox(name));
-}
-
-static inline isc_boolean_t
-checknames_mg(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 8);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_mg(ARGS_COMPARE) {
-	return (compare_mg(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_MG_8_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mg_8.h b/contrib/bind9/lib/dns/rdata/generic/mg_8.h
deleted file mode 100644
index 8fa143a..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mg_8.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MG_8_H
-#define GENERIC_MG_8_H 1
-
-/* $Id: mg_8.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mg {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		mg;
-} dns_rdata_mg_t;
-
-#endif /* GENERIC_MG_8_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/minfo_14.c b/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
deleted file mode 100644
index 9e2214c..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
+++ /dev/null
@@ -1,329 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: minfo_14.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
-
-/* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_MINFO_14_C
-#define RDATA_GENERIC_MINFO_14_C
-
-#define RRTYPE_MINFO_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_minfo(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	int i;
-	isc_boolean_t ok;
-
-	REQUIRE(type == 14);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	for (i = 0; i < 2; i++) {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string,
-					      ISC_FALSE));
-		dns_name_init(&name, NULL);
-		buffer_fromregion(&buffer, &token.value.as_region);
-		origin = (origin != NULL) ? origin : dns_rootname;
-		RETTOK(dns_name_fromtext(&name, &buffer, origin,
-					 options, target));
-		ok = ISC_TRUE;
-		if ((options & DNS_RDATA_CHECKNAMES) != 0)
-			ok = dns_name_ismailbox(&name);
-		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-			RETTOK(DNS_R_BADNAME);
-		if (!ok && callbacks != NULL)
-			warn_badname(&name, lexer, callbacks);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_minfo(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t rmail;
-	dns_name_t email;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 14);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&rmail, NULL);
-	dns_name_init(&email, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-
-	dns_name_fromregion(&rmail, &region);
-	isc_region_consume(&region, rmail.length);
-
-	dns_name_fromregion(&email, &region);
-	isc_region_consume(&region, email.length);
-
-	sub = name_prefix(&rmail, tctx->origin, &prefix);
-
-	RETERR(dns_name_totext(&prefix, sub, target));
-
-	RETERR(str_totext(" ", target));
-
-	sub = name_prefix(&email, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_minfo(ARGS_FROMWIRE) {
-	dns_name_t rmail;
-	dns_name_t email;
-
-	REQUIRE(type == 14);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&rmail, NULL);
-	dns_name_init(&email, NULL);
-
-	RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
-	return (dns_name_fromwire(&email, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_minfo(ARGS_TOWIRE) {
-	isc_region_t region;
-	dns_name_t rmail;
-	dns_name_t email;
-	dns_offsets_t roffsets;
-	dns_offsets_t eoffsets;
-
-	REQUIRE(rdata->type == 14);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&rmail, roffsets);
-	dns_name_init(&email, eoffsets);
-
-	dns_rdata_toregion(rdata, &region);
-
-	dns_name_fromregion(&rmail, &region);
-	isc_region_consume(&region, name_length(&rmail));
-
-	RETERR(dns_name_towire(&rmail, cctx, target));
-
-	dns_name_fromregion(&rmail, &region);
-	isc_region_consume(&region, rmail.length);
-
-	return (dns_name_towire(&rmail, cctx, target));
-}
-
-static inline int
-compare_minfo(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 14);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	isc_region_consume(&region1, name_length(&name1));
-	isc_region_consume(&region2, name_length(&name2));
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	order = dns_name_rdatacompare(&name1, &name2);
-	return (order);
-}
-
-static inline isc_result_t
-fromstruct_minfo(ARGS_FROMSTRUCT) {
-	dns_rdata_minfo_t *minfo = source;
-	isc_region_t region;
-
-	REQUIRE(type == 14);
-	REQUIRE(source != NULL);
-	REQUIRE(minfo->common.rdtype == type);
-	REQUIRE(minfo->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&minfo->rmailbox, &region);
-	RETERR(isc_buffer_copyregion(target, &region));
-	dns_name_toregion(&minfo->emailbox, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_minfo(ARGS_TOSTRUCT) {
-	dns_rdata_minfo_t *minfo = target;
-	isc_region_t region;
-	dns_name_t name;
-	isc_result_t result;
-
-	REQUIRE(rdata->type == 14);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	minfo->common.rdclass = rdata->rdclass;
-	minfo->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&minfo->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&minfo->rmailbox, NULL);
-	RETERR(name_duporclone(&name, mctx, &minfo->rmailbox));
-	isc_region_consume(&region, name_length(&name));
-
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&minfo->emailbox, NULL);
-	result = name_duporclone(&name, mctx, &minfo->emailbox);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	minfo->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL)
-		dns_name_free(&minfo->rmailbox, mctx);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_minfo(ARGS_FREESTRUCT) {
-	dns_rdata_minfo_t *minfo = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(minfo->common.rdtype == 14);
-
-	if (minfo->mctx == NULL)
-		return;
-
-	dns_name_free(&minfo->rmailbox, minfo->mctx);
-	dns_name_free(&minfo->emailbox, minfo->mctx);
-	minfo->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_minfo(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 14);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_minfo(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-	isc_result_t result;
-
-	REQUIRE(rdata->type == 14);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-	result = dns_name_digest(&name, digest, arg);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_region_consume(&r, name_length(&name));
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_minfo(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 14);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_minfo(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 14);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ismailbox(&name)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	isc_region_consume(&region, name_length(&name));
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ismailbox(&name)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_minfo(ARGS_COMPARE) {
-	return (compare_minfo(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_MINFO_14_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/minfo_14.h b/contrib/bind9/lib/dns/rdata/generic/minfo_14.h
deleted file mode 100644
index 76195c5..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/minfo_14.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MINFO_14_H
-#define GENERIC_MINFO_14_H 1
-
-/* $Id: minfo_14.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_minfo {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		rmailbox;
-	dns_name_t		emailbox;
-} dns_rdata_minfo_t;
-
-#endif /* GENERIC_MINFO_14_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mr_9.c b/contrib/bind9/lib/dns/rdata/generic/mr_9.c
deleted file mode 100644
index 590235d..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mr_9.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mr_9.c,v 1.44 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Wed Mar 15 21:30:35 EST 2000 by tale */
-
-#ifndef RDATA_GENERIC_MR_9_C
-#define RDATA_GENERIC_MR_9_C
-
-#define RRTYPE_MR_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_mr(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 9);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mr(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 9);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mr(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 9);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mr(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 9);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mr(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 9);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mr(ARGS_FROMSTRUCT) {
-	dns_rdata_mr_t *mr = source;
-	isc_region_t region;
-
-	REQUIRE(type == 9);
-	REQUIRE(source != NULL);
-	REQUIRE(mr->common.rdtype == type);
-	REQUIRE(mr->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&mr->mr, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mr(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_mr_t *mr = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 9);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	mr->common.rdclass = rdata->rdclass;
-	mr->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&mr->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&mr->mr, NULL);
-	RETERR(name_duporclone(&name, mctx, &mr->mr));
-	mr->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mr(ARGS_FREESTRUCT) {
-	dns_rdata_mr_t *mr = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(mr->common.rdtype == 9);
-
-	if (mr->mctx == NULL)
-		return;
-	dns_name_free(&mr->mr, mr->mctx);
-	mr->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mr(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 9);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_mr(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 9);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mr(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 9);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_mr(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 9);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_mr(ARGS_COMPARE) {
-	return (compare_mr(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_MR_9_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mr_9.h b/contrib/bind9/lib/dns/rdata/generic/mr_9.h
deleted file mode 100644
index 3d81bdd..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mr_9.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MR_9_H
-#define GENERIC_MR_9_H 1
-
-/* $Id: mr_9.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mr {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		mr;
-} dns_rdata_mr_t;
-
-#endif /* GENERIC_MR_9_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mx_15.c b/contrib/bind9/lib/dns/rdata/generic/mx_15.c
deleted file mode 100644
index 77eee15..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mx_15.c
+++ /dev/null
@@ -1,323 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mx_15.c,v 1.58 2009/12/04 22:06:37 tbox Exp $ */
-
-/* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_MX_15_C
-#define RDATA_GENERIC_MX_15_C
-
-#include <string.h>
-
-#include <isc/net.h>
-
-#define RRTYPE_MX_ATTRIBUTES (0)
-
-static isc_boolean_t
-check_mx(isc_token_t *token) {
-	char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
-	struct in_addr addr;
-	struct in6_addr addr6;
-
-	if (strlcpy(tmp, DNS_AS_STR(*token), sizeof(tmp)) >= sizeof(tmp))
-		return (ISC_TRUE);
-
-	if (tmp[strlen(tmp) - 1] == '.')
-		tmp[strlen(tmp) - 1] = '\0';
-	if (inet_aton(tmp, &addr) == 1 ||
-	    inet_pton(AF_INET6, tmp, &addr6) == 1)
-		return (ISC_FALSE);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_result_t
-fromtext_mx(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	isc_boolean_t ok;
-
-	REQUIRE(type == 15);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	ok = ISC_TRUE;
-	if ((options & DNS_RDATA_CHECKMX) != 0)
-		ok = check_mx(&token);
-	if (!ok && (options & DNS_RDATA_CHECKMXFAIL) != 0)
-		RETTOK(DNS_R_MXISADDRESS);
-	if (!ok && callbacks != NULL)
-		warn_badmx(&token, lexer, callbacks);
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	ok = ISC_TRUE;
-	if ((options & DNS_RDATA_CHECKNAMES) != 0)
-		ok = dns_name_ishostname(&name, ISC_FALSE);
-	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-		RETTOK(DNS_R_BADNAME);
-	if (!ok && callbacks != NULL)
-		warn_badname(&name, lexer, callbacks);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mx(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	char buf[sizeof("64000")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 15);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-
-	RETERR(str_totext(" ", target));
-
-	dns_name_fromregion(&name, &region);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mx(ARGS_FROMWIRE) {
-	dns_name_t name;
-	isc_region_t sregion;
-
-	REQUIRE(type == 15);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sregion.base, 2));
-	isc_buffer_forward(source, 2);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mx(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 15);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_rdata_toregion(rdata, &region);
-	RETERR(mem_tobuffer(target, region.base, 2));
-	isc_region_consume(&region, 2);
-
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mx(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 15);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	order = memcmp(rdata1->data, rdata2->data, 2);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	isc_region_consume(&region1, 2);
-	isc_region_consume(&region2, 2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mx(ARGS_FROMSTRUCT) {
-	dns_rdata_mx_t *mx = source;
-	isc_region_t region;
-
-	REQUIRE(type == 15);
-	REQUIRE(source != NULL);
-	REQUIRE(mx->common.rdtype == type);
-	REQUIRE(mx->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(mx->pref, target));
-	dns_name_toregion(&mx->mx, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mx(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_mx_t *mx = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 15);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	mx->common.rdclass = rdata->rdclass;
-	mx->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&mx->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	mx->pref = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&mx->mx, NULL);
-	RETERR(name_duporclone(&name, mctx, &mx->mx));
-	mx->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mx(ARGS_FREESTRUCT) {
-	dns_rdata_mx_t *mx = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(mx->common.rdtype == 15);
-
-	if (mx->mctx == NULL)
-		return;
-
-	dns_name_free(&mx->mx, mx->mctx);
-	mx->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mx(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 15);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 2);
-	dns_name_fromregion(&name, &region);
-
-	return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_mx(ARGS_DIGEST) {
-	isc_region_t r1, r2;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 15);
-
-	dns_rdata_toregion(rdata, &r1);
-	r2 = r1;
-	isc_region_consume(&r2, 2);
-	r1.length = 2;
-	RETERR((digest)(arg, &r1));
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r2);
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mx(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 15);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_mx(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 15);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 2);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ishostname(&name, ISC_FALSE)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_mx(ARGS_COMPARE) {
-	return (compare_mx(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_MX_15_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mx_15.h b/contrib/bind9/lib/dns/rdata/generic/mx_15.h
deleted file mode 100644
index 25d5ac5..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/mx_15.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MX_15_H
-#define GENERIC_MX_15_H 1
-
-/* $Id: mx_15.h,v 1.29 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mx {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		pref;
-	dns_name_t		mx;
-} dns_rdata_mx_t;
-
-#endif /* GENERIC_MX_15_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/naptr_35.c b/contrib/bind9/lib/dns/rdata/generic/naptr_35.c
deleted file mode 100644
index 83439a5..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/naptr_35.c
+++ /dev/null
@@ -1,671 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
-
-/* RFC2915 */
-
-#ifndef RDATA_GENERIC_NAPTR_35_C
-#define RDATA_GENERIC_NAPTR_35_C
-
-#define RRTYPE_NAPTR_ATTRIBUTES (0)
-
-#include <isc/regex.h>
-
-/*
- * Check the wire format of the Regexp field.
- * Don't allow embeded NUL's.
- */
-static inline isc_result_t
-txt_valid_regex(const unsigned char *txt) {
-	unsigned int nsub = 0;
-	char regex[256];
-	char *cp;
-	isc_boolean_t flags = ISC_FALSE;
-	isc_boolean_t replace = ISC_FALSE;
-	unsigned char c;
-	unsigned char delim;
-	unsigned int len;
-	int n;
-
-	len = *txt++;
-	if (len == 0U)
-		return (ISC_R_SUCCESS);
-
-	delim = *txt++;
-	len--;
-
-	/*
-	 * Digits, backslash and flags can't be delimiters.
-	 */
-	switch (delim) {
-	case '0': case '1': case '2': case '3': case '4':
-	case '5': case '6': case '7': case '8': case '9':
-	case '\\': case 'i': case 0:
-		return (DNS_R_SYNTAX);
-	}
-
-	cp = regex;
-	while (len-- > 0) {
-		c = *txt++;
-		if (c == 0)
-			return (DNS_R_SYNTAX);
-		if (c == delim && !replace) {
-			replace = ISC_TRUE;
-			continue;
-		} else if (c == delim && !flags) {
-			flags = ISC_TRUE;
-			continue;
-		} else if (c == delim)
-			return (DNS_R_SYNTAX);
-		/*
-		 * Flags are not escaped.
-		 */
-		if (flags) {
-			switch (c) {
-			case 'i':
-				continue;
-			default:
-				return (DNS_R_SYNTAX);
-			}
-		}
-		if (!replace)
-			*cp++ = c;
-		if (c == '\\') {
-			if (len == 0)
-				return (DNS_R_SYNTAX);
-			c = *txt++;
-			if (c == 0)
-				return (DNS_R_SYNTAX);
-			len--;
-			if (replace)
-				switch (c) {
-				case '0': return (DNS_R_SYNTAX);
-				case '1': if (nsub < 1) nsub = 1; break;
-				case '2': if (nsub < 2) nsub = 2; break;
-				case '3': if (nsub < 3) nsub = 3; break;
-				case '4': if (nsub < 4) nsub = 4; break;
-				case '5': if (nsub < 5) nsub = 5; break;
-				case '6': if (nsub < 6) nsub = 6; break;
-				case '7': if (nsub < 7) nsub = 7; break;
-				case '8': if (nsub < 8) nsub = 8; break;
-				case '9': if (nsub < 9) nsub = 9; break;
-				}
-			if (!replace)
-				*cp++ = c;
-		}
-	}
-	if (!flags)
-		return (DNS_R_SYNTAX);
-	*cp = '\0';
-	n = isc_regex_validate(regex);
-	if (n < 0 || nsub > (unsigned int)n)
-		return (DNS_R_SYNTAX);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromtext_naptr(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	unsigned char *regex;
-
-	REQUIRE(type == 35);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Order.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Preference.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Flags.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
-				      ISC_FALSE));
-	RETTOK(txt_fromtext(&token.value.as_textregion, target));
-
-	/*
-	 * Service.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
-				      ISC_FALSE));
-	RETTOK(txt_fromtext(&token.value.as_textregion, target));
-
-	/*
-	 * Regexp.
-	 */
-	regex = isc_buffer_used(target);
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
-				      ISC_FALSE));
-	RETTOK(txt_fromtext(&token.value.as_textregion, target));
-	RETTOK(txt_valid_regex(regex));
-
-	/*
-	 * Replacement.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_naptr(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	char buf[sizeof("64000")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 35);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-
-	/*
-	 * Order.
-	 */
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Preference.
-	 */
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Flags.
-	 */
-	RETERR(txt_totext(&region, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Service.
-	 */
-	RETERR(txt_totext(&region, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Regexp.
-	 */
-	RETERR(txt_totext(&region, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Replacement.
-	 */
-	dns_name_fromregion(&name, &region);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_naptr(ARGS_FROMWIRE) {
-	dns_name_t name;
-	isc_region_t sr;
-	unsigned char *regex;
-
-	REQUIRE(type == 35);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-
-	/*
-	 * Order, preference.
-	 */
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sr.base, 4));
-	isc_buffer_forward(source, 4);
-
-	/*
-	 * Flags.
-	 */
-	RETERR(txt_fromwire(source, target));
-
-	/*
-	 * Service.
-	 */
-	RETERR(txt_fromwire(source, target));
-
-	/*
-	 * Regexp.
-	 */
-	regex = isc_buffer_used(target);
-	RETERR(txt_fromwire(source, target));
-	RETERR(txt_valid_regex(regex));
-
-	/*
-	 * Replacement.
-	 */
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_naptr(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 35);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	/*
-	 * Order, preference.
-	 */
-	dns_rdata_toregion(rdata, &sr);
-	RETERR(mem_tobuffer(target, sr.base, 4));
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Flags.
-	 */
-	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
-	isc_region_consume(&sr, sr.base[0] + 1);
-
-	/*
-	 * Service.
-	 */
-	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
-	isc_region_consume(&sr, sr.base[0] + 1);
-
-	/*
-	 * Regexp.
-	 */
-	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
-	isc_region_consume(&sr, sr.base[0] + 1);
-
-	/*
-	 * Replacement.
-	 */
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &sr);
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_naptr(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-	int order, len;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 35);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	/*
-	 * Order, preference.
-	 */
-	order = memcmp(region1.base, region2.base, 4);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-	isc_region_consume(&region1, 4);
-	isc_region_consume(&region2, 4);
-
-	/*
-	 * Flags.
-	 */
-	len = ISC_MIN(region1.base[0], region2.base[0]);
-	order = memcmp(region1.base, region2.base, len + 1);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-	isc_region_consume(&region1, region1.base[0] + 1);
-	isc_region_consume(&region2, region2.base[0] + 1);
-
-	/*
-	 * Service.
-	 */
-	len = ISC_MIN(region1.base[0], region2.base[0]);
-	order = memcmp(region1.base, region2.base, len + 1);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-	isc_region_consume(&region1, region1.base[0] + 1);
-	isc_region_consume(&region2, region2.base[0] + 1);
-
-	/*
-	 * Regexp.
-	 */
-	len = ISC_MIN(region1.base[0], region2.base[0]);
-	order = memcmp(region1.base, region2.base, len + 1);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-	isc_region_consume(&region1, region1.base[0] + 1);
-	isc_region_consume(&region2, region2.base[0] + 1);
-
-	/*
-	 * Replacement.
-	 */
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_naptr(ARGS_FROMSTRUCT) {
-	dns_rdata_naptr_t *naptr = source;
-	isc_region_t region;
-
-	REQUIRE(type == 35);
-	REQUIRE(source != NULL);
-	REQUIRE(naptr->common.rdtype == type);
-	REQUIRE(naptr->common.rdclass == rdclass);
-	REQUIRE(naptr->flags != NULL || naptr->flags_len == 0);
-	REQUIRE(naptr->service != NULL || naptr->service_len == 0);
-	REQUIRE(naptr->regexp != NULL || naptr->regexp_len == 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(naptr->order, target));
-	RETERR(uint16_tobuffer(naptr->preference, target));
-	RETERR(uint8_tobuffer(naptr->flags_len, target));
-	RETERR(mem_tobuffer(target, naptr->flags, naptr->flags_len));
-	RETERR(uint8_tobuffer(naptr->service_len, target));
-	RETERR(mem_tobuffer(target, naptr->service, naptr->service_len));
-	RETERR(uint8_tobuffer(naptr->regexp_len, target));
-	RETERR(mem_tobuffer(target, naptr->regexp, naptr->regexp_len));
-	dns_name_toregion(&naptr->replacement, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_naptr(ARGS_TOSTRUCT) {
-	dns_rdata_naptr_t *naptr = target;
-	isc_region_t r;
-	isc_result_t result;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 35);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	naptr->common.rdclass = rdata->rdclass;
-	naptr->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&naptr->common, link);
-
-	naptr->flags = NULL;
-	naptr->service = NULL;
-	naptr->regexp = NULL;
-
-	dns_rdata_toregion(rdata, &r);
-
-	naptr->order = uint16_fromregion(&r);
-	isc_region_consume(&r, 2);
-
-	naptr->preference = uint16_fromregion(&r);
-	isc_region_consume(&r, 2);
-
-	naptr->flags_len = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	INSIST(naptr->flags_len <= r.length);
-	naptr->flags = mem_maybedup(mctx, r.base, naptr->flags_len);
-	if (naptr->flags == NULL)
-		goto cleanup;
-	isc_region_consume(&r, naptr->flags_len);
-
-	naptr->service_len = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	INSIST(naptr->service_len <= r.length);
-	naptr->service = mem_maybedup(mctx, r.base, naptr->service_len);
-	if (naptr->service == NULL)
-		goto cleanup;
-	isc_region_consume(&r, naptr->service_len);
-
-	naptr->regexp_len = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	INSIST(naptr->regexp_len <= r.length);
-	naptr->regexp = mem_maybedup(mctx, r.base, naptr->regexp_len);
-	if (naptr->regexp == NULL)
-		goto cleanup;
-	isc_region_consume(&r, naptr->regexp_len);
-
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-	dns_name_init(&naptr->replacement, NULL);
-	result = name_duporclone(&name, mctx, &naptr->replacement);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	naptr->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL && naptr->flags != NULL)
-		isc_mem_free(mctx, naptr->flags);
-	if (mctx != NULL && naptr->service != NULL)
-		isc_mem_free(mctx, naptr->service);
-	if (mctx != NULL && naptr->regexp != NULL)
-		isc_mem_free(mctx, naptr->regexp);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_naptr(ARGS_FREESTRUCT) {
-	dns_rdata_naptr_t *naptr = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(naptr->common.rdtype == 35);
-
-	if (naptr->mctx == NULL)
-		return;
-
-	if (naptr->flags != NULL)
-		isc_mem_free(naptr->mctx, naptr->flags);
-	if (naptr->service != NULL)
-		isc_mem_free(naptr->mctx, naptr->service);
-	if (naptr->regexp != NULL)
-		isc_mem_free(naptr->mctx, naptr->regexp);
-	dns_name_free(&naptr->replacement, naptr->mctx);
-	naptr->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_naptr(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t sr;
-	dns_rdatatype_t atype;
-	unsigned int i, flagslen;
-	char *cp;
-
-	REQUIRE(rdata->type == 35);
-
-	/*
-	 * Order, preference.
-	 */
-	dns_rdata_toregion(rdata, &sr);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Flags.
-	 */
-	atype = 0;
-	flagslen = sr.base[0];
-	cp = (char *)&sr.base[1];
-	for (i = 0; i < flagslen; i++, cp++) {
-		if (*cp == 'S' || *cp == 's') {
-			atype = dns_rdatatype_srv;
-			break;
-		}
-		if (*cp == 'A' || *cp == 'a') {
-			atype = dns_rdatatype_a;
-			break;
-		}
-	}
-	isc_region_consume(&sr, flagslen + 1);
-
-	/*
-	 * Service.
-	 */
-	isc_region_consume(&sr, sr.base[0] + 1);
-
-	/*
-	 * Regexp.
-	 */
-	isc_region_consume(&sr, sr.base[0] + 1);
-
-	/*
-	 * Replacement.
-	 */
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &sr);
-
-	if (atype != 0)
-		return ((add)(arg, &name, atype));
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_naptr(ARGS_DIGEST) {
-	isc_region_t r1, r2;
-	unsigned int length, n;
-	isc_result_t result;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 35);
-
-	dns_rdata_toregion(rdata, &r1);
-	r2 = r1;
-	length = 0;
-
-	/*
-	 * Order, preference.
-	 */
-	length += 4;
-	isc_region_consume(&r2, 4);
-
-	/*
-	 * Flags.
-	 */
-	n = r2.base[0] + 1;
-	length += n;
-	isc_region_consume(&r2, n);
-
-	/*
-	 * Service.
-	 */
-	n = r2.base[0] + 1;
-	length += n;
-	isc_region_consume(&r2, n);
-
-	/*
-	 * Regexp.
-	 */
-	n = r2.base[0] + 1;
-	length += n;
-	isc_region_consume(&r2, n);
-
-	/*
-	 * Digest the RR up to the replacement name.
-	 */
-	r1.length = length;
-	result = (digest)(arg, &r1);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Replacement.
-	 */
-
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r2);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_naptr(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 35);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_naptr(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 35);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_naptr(ARGS_COMPARE) {
-	return (compare_naptr(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_NAPTR_35_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/naptr_35.h b/contrib/bind9/lib/dns/rdata/generic/naptr_35.h
deleted file mode 100644
index f88c523..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/naptr_35.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NAPTR_35_H
-#define GENERIC_NAPTR_35_H 1
-
-/* $Id$ */
-
-/*!
- *  \brief Per RFC2915 */
-
-typedef struct dns_rdata_naptr {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		order;
-	isc_uint16_t		preference;
-	char			*flags;
-	isc_uint8_t		flags_len;
-	char			*service;
-	isc_uint8_t		service_len;
-	char			*regexp;
-	isc_uint8_t		regexp_len;
-	dns_name_t		replacement;
-} dns_rdata_naptr_t;
-
-#endif /* GENERIC_NAPTR_35_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nid_104.c b/contrib/bind9/lib/dns/rdata/generic/nid_104.c
deleted file mode 100644
index c96b0bf..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nid_104.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef RDATA_GENERIC_NID_104_C
-#define RDATA_GENERIC_NID_104_C
-
-#include <string.h>
-
-#include <isc/net.h>
-
-#define RRTYPE_NID_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_nid(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char locator[NS_LOCATORSZ];
-
-	REQUIRE(type == 104);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	if (locator_pton(DNS_AS_STR(token), locator) != 1)
-		RETTOK(DNS_R_SYNTAX);
-	return (mem_tobuffer(target, locator, NS_LOCATORSZ));
-}
-
-static inline isc_result_t
-totext_nid(ARGS_TOTEXT) {
-	isc_region_t region;
-	char buf[sizeof("xxxx:xxxx:xxxx:xxxx")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 104);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-
-	RETERR(str_totext(" ", target));
-
-	sprintf(buf, "%x:%x:%x:%x",
-		region.base[0]<<8 | region.base[1],
-		region.base[2]<<8 | region.base[3],
-		region.base[4]<<8 | region.base[5],
-		region.base[6]<<8 | region.base[7]);
-	return (str_totext(buf, target));
-}
-
-static inline isc_result_t
-fromwire_nid(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-
-	REQUIRE(type == 104);
-
-	UNUSED(type);
-	UNUSED(options);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length != 10)
-		return (DNS_R_FORMERR);
-	isc_buffer_forward(source, sregion.length);
-	return (mem_tobuffer(target, sregion.base, sregion.length));
-}
-
-static inline isc_result_t
-towire_nid(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == 104);
-	REQUIRE(rdata->length == 10);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_nid(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 104);
-	REQUIRE(rdata1->length == 10);
-	REQUIRE(rdata2->length == 10);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-	return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_nid(ARGS_FROMSTRUCT) {
-	dns_rdata_nid_t *nid = source;
-
-	REQUIRE(type == 104);
-	REQUIRE(source != NULL);
-	REQUIRE(nid->common.rdtype == type);
-	REQUIRE(nid->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(nid->pref, target));
-	return (mem_tobuffer(target, nid->nid, sizeof(nid->nid)));
-}
-
-static inline isc_result_t
-tostruct_nid(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_nid_t *nid = target;
-
-	REQUIRE(rdata->type == 104);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length == 10);
-
-	UNUSED(mctx);
-
-	nid->common.rdclass = rdata->rdclass;
-	nid->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&nid->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-	nid->pref = uint16_fromregion(&region);
-	memcpy(nid->nid, region.base, region.length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_nid(ARGS_FREESTRUCT) {
-	dns_rdata_nid_t *nid = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(nid->common.rdtype == 104);
-
-	return;
-}
-
-static inline isc_result_t
-additionaldata_nid(ARGS_ADDLDATA) {
-
-	REQUIRE(rdata->type == 104);
-	REQUIRE(rdata->length == 10);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_nid(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 104);
-	REQUIRE(rdata->length == 10);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_nid(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 104);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_nid(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 104);
-	REQUIRE(rdata->length == 10);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_nid(ARGS_COMPARE) {
-	return (compare_nid(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_NID_104_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nid_104.h b/contrib/bind9/lib/dns/rdata/generic/nid_104.h
deleted file mode 100644
index 64a3ba4..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nid_104.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_NID_104_H
-#define GENERIC_NID_104_H 1
-
-typedef struct dns_rdata_nid {
-	dns_rdatacommon_t	common;
-	isc_uint16_t		pref;
-	unsigned char		nid[8];
-} dns_rdata_nid_t;
-
-#endif /* GENERIC_NID_104_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ns_2.c b/contrib/bind9/lib/dns/rdata/generic/ns_2.c
deleted file mode 100644
index 5db81e7..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/ns_2.c
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ns_2.c,v 1.48 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Wed Mar 15 18:15:00 PST 2000 by bwelling */
-
-#ifndef RDATA_GENERIC_NS_2_C
-#define RDATA_GENERIC_NS_2_C
-
-#define RRTYPE_NS_ATTRIBUTES (DNS_RDATATYPEATTR_ZONECUTAUTH)
-
-static inline isc_result_t
-fromtext_ns(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	isc_boolean_t ok;
-
-	REQUIRE(type == 2);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token,isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	ok = ISC_TRUE;
-	if ((options & DNS_RDATA_CHECKNAMES) != 0)
-		ok = dns_name_ishostname(&name, ISC_FALSE);
-	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-		RETTOK(DNS_R_BADNAME);
-	if (!ok && callbacks != NULL)
-		warn_badname(&name, lexer, callbacks);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_ns(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 2);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_ns(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 2);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_ns(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 2);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_ns(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 2);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_ns(ARGS_FROMSTRUCT) {
-	dns_rdata_ns_t *ns = source;
-	isc_region_t region;
-
-	REQUIRE(type == 2);
-	REQUIRE(source != NULL);
-	REQUIRE(ns->common.rdtype == type);
-	REQUIRE(ns->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&ns->name, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_ns(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_ns_t *ns = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 2);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	ns->common.rdclass = rdata->rdclass;
-	ns->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&ns->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&ns->name, NULL);
-	RETERR(name_duporclone(&name, mctx, &ns->name));
-	ns->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_ns(ARGS_FREESTRUCT) {
-	dns_rdata_ns_t *ns = source;
-
-	REQUIRE(source != NULL);
-
-	if (ns->mctx == NULL)
-		return;
-
-	dns_name_free(&ns->name, ns->mctx);
-	ns->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_ns(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 2);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_ns(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 2);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_ns(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 2);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_ns(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 2);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ishostname(&name, ISC_FALSE)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_ns(ARGS_COMPARE) {
-	return (compare_ns(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_NS_2_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ns_2.h b/contrib/bind9/lib/dns/rdata/generic/ns_2.h
deleted file mode 100644
index 546e71a..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/ns_2.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_NS_2_H
-#define GENERIC_NS_2_H 1
-
-/* $Id: ns_2.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_ns {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		name;
-} dns_rdata_ns_t;
-
-
-#endif /* GENERIC_NS_2_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c b/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c
deleted file mode 100644
index 19b94ef..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c
+++ /dev/null
@@ -1,505 +0,0 @@
-/*
- * Copyright (C) 2008, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*
- * Copyright (C) 2004  Nominet, Ltd.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* RFC 5155 */
-
-#ifndef RDATA_GENERIC_NSEC3_50_C
-#define RDATA_GENERIC_NSEC3_50_C
-
-#include <isc/iterated_hash.h>
-#include <isc/base32.h>
-
-#define RRTYPE_NSEC3_ATTRIBUTES DNS_RDATATYPEATTR_DNSSEC
-
-static inline isc_result_t
-fromtext_nsec3(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char bm[8*1024]; /* 64k bits */
-	dns_rdatatype_t covered;
-	int octet;
-	int window;
-	unsigned int flags;
-	unsigned char hashalg;
-	isc_buffer_t b;
-
-	REQUIRE(type == 50);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-	UNUSED(origin);
-	UNUSED(options);
-
-	/* Hash. */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_hashalg_fromtext(&hashalg, &token.value.as_textregion));
-	RETERR(uint8_tobuffer(hashalg, target));
-
-	/* Flags. */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	flags = token.value.as_ulong;
-	if (flags > 255U)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(flags, target));
-
-	/* Iterations. */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/* salt */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (token.value.as_textregion.length > (255*2))
-		RETTOK(DNS_R_TEXTTOOLONG);
-	if (strcmp(DNS_AS_STR(token), "-") == 0) {
-		RETERR(uint8_tobuffer(0, target));
-	} else {
-		RETERR(uint8_tobuffer(strlen(DNS_AS_STR(token)) / 2, target));
-		RETERR(isc_hex_decodestring(DNS_AS_STR(token), target));
-	}
-
-	/*
-	 * Next hash a single base32hex word.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	isc_buffer_init(&b, bm, sizeof(bm));
-	RETTOK(isc_base32hex_decodestring(DNS_AS_STR(token), &b));
-	if (isc_buffer_usedlength(&b) > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(isc_buffer_usedlength(&b), target));
-	RETERR(mem_tobuffer(target, &bm, isc_buffer_usedlength(&b)));
-
-	memset(bm, 0, sizeof(bm));
-	do {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string, ISC_TRUE));
-		if (token.type != isc_tokentype_string)
-			break;
-		RETTOK(dns_rdatatype_fromtext(&covered,
-					      &token.value.as_textregion));
-		bm[covered/8] |= (0x80>>(covered%8));
-	} while (1);
-	isc_lex_ungettoken(lexer, &token);
-	for (window = 0; window < 256 ; window++) {
-		/*
-		 * Find if we have a type in this window.
-		 */
-		for (octet = 31; octet >= 0; octet--)
-			if (bm[window * 32 + octet] != 0)
-				break;
-		if (octet < 0)
-			continue;
-		RETERR(uint8_tobuffer(window, target));
-		RETERR(uint8_tobuffer(octet + 1, target));
-		RETERR(mem_tobuffer(target, &bm[window * 32], octet + 1));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_nsec3(ARGS_TOTEXT) {
-	isc_region_t sr;
-	unsigned int i, j, k;
-	unsigned int window, len;
-	unsigned char hash;
-	unsigned char flags;
-	char buf[sizeof("65535 ")];
-	isc_uint32_t iterations;
-	isc_boolean_t first;
-
-	REQUIRE(rdata->type == 50);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/* Hash */
-	hash = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", hash);
-	RETERR(str_totext(buf, target));
-
-	/* Flags */
-	flags = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", flags);
-	RETERR(str_totext(buf, target));
-
-	/* Iterations */
-	iterations = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", iterations);
-	RETERR(str_totext(buf, target));
-
-	/* Salt */
-	j = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	INSIST(j <= sr.length);
-
-	if (j != 0) {
-		i = sr.length;
-		sr.length = j;
-		RETERR(isc_hex_totext(&sr, 1, "", target));
-		sr.length = i - j;
-	} else
-		RETERR(str_totext("-", target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-
-	/* Next hash */
-	j = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	INSIST(j <= sr.length);
-
-	i = sr.length;
-	sr.length = j;
-	RETERR(isc_base32hex_totext(&sr, 1, "", target));
-	sr.length = i - j;
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) == 0)
-		RETERR(str_totext(" ", target));
-
-	/* Types covered */
-	first = ISC_TRUE;
-	for (i = 0; i < sr.length; i += len) {
-		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
-			RETERR(str_totext(tctx->linebreak, target));
-			first = ISC_TRUE;
-		}
-		INSIST(i + 2 <= sr.length);
-		window = sr.base[i];
-		len = sr.base[i + 1];
-		INSIST(len > 0 && len <= 32);
-		i += 2;
-		INSIST(i + len <= sr.length);
-		for (j = 0; j < len; j++) {
-			dns_rdatatype_t t;
-			if (sr.base[i + j] == 0)
-				continue;
-			for (k = 0; k < 8; k++) {
-				if ((sr.base[i + j] & (0x80 >> k)) == 0)
-					continue;
-				t = window * 256 + j * 8 + k;
-				if (!first)
-					RETERR(str_totext(" ", target));
-				first = ISC_FALSE;
-				if (dns_rdatatype_isknown(t)) {
-					RETERR(dns_rdatatype_totext(t, target));
-				} else {
-					char buf[sizeof("TYPE65535")];
-					sprintf(buf, "TYPE%u", t);
-					RETERR(str_totext(buf, target));
-				}
-			}
-		}
-	}
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_nsec3(ARGS_FROMWIRE) {
-	isc_region_t sr, rr;
-	unsigned int window, lastwindow = 0;
-	unsigned int len;
-	unsigned int saltlen, hashlen;
-	isc_boolean_t first = ISC_TRUE;
-	unsigned int i;
-
-	REQUIRE(type == 50);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(options);
-	UNUSED(dctx);
-
-	isc_buffer_activeregion(source, &sr);
-	rr = sr;
-
-	/* hash(1), flags(1), iteration(2), saltlen(1) */
-	if (sr.length < 5U)
-		RETERR(DNS_R_FORMERR);
-	saltlen = sr.base[4];
-	isc_region_consume(&sr, 5);
-
-	if (sr.length < saltlen)
-		RETERR(DNS_R_FORMERR);
-	isc_region_consume(&sr, saltlen);
-
-	if (sr.length < 1U)
-		RETERR(DNS_R_FORMERR);
-	hashlen = sr.base[0];
-	isc_region_consume(&sr, 1);
-
-	if (sr.length < hashlen)
-		RETERR(DNS_R_FORMERR);
-	isc_region_consume(&sr, hashlen);
-
-	for (i = 0; i < sr.length; i += len) {
-		/*
-		 * Check for overflow.
-		 */
-		if (i + 2 > sr.length)
-			RETERR(DNS_R_FORMERR);
-		window = sr.base[i];
-		len = sr.base[i + 1];
-		i += 2;
-		/*
-		 * Check that bitmap windows are in the correct order.
-		 */
-		if (!first && window <= lastwindow)
-			RETERR(DNS_R_FORMERR);
-		/*
-		 * Check for legal lengths.
-		 */
-		if (len < 1 || len > 32)
-			RETERR(DNS_R_FORMERR);
-		/*
-		 * Check for overflow.
-		 */
-		if (i + len > sr.length)
-			RETERR(DNS_R_FORMERR);
-		/*
-		 * The last octet of the bitmap must be non zero.
-		 */
-		if (sr.base[i + len - 1] == 0)
-			RETERR(DNS_R_FORMERR);
-		lastwindow = window;
-		first = ISC_FALSE;
-	}
-	if (i != sr.length)
-		return (DNS_R_EXTRADATA);
-	RETERR(mem_tobuffer(target, rr.base, rr.length));
-	isc_buffer_forward(source, rr.length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_nsec3(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 50);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_nsec3(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 50);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_nsec3(ARGS_FROMSTRUCT) {
-	dns_rdata_nsec3_t *nsec3 = source;
-	unsigned int i, len, window, lastwindow = 0;
-	isc_boolean_t first = ISC_TRUE;
-
-	REQUIRE(type == 50);
-	REQUIRE(source != NULL);
-	REQUIRE(nsec3->common.rdtype == type);
-	REQUIRE(nsec3->common.rdclass == rdclass);
-	REQUIRE(nsec3->typebits != NULL || nsec3->len == 0);
-	REQUIRE(nsec3->hash == dns_hash_sha1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint8_tobuffer(nsec3->hash, target));
-	RETERR(uint8_tobuffer(nsec3->flags, target));
-	RETERR(uint16_tobuffer(nsec3->iterations, target));
-	RETERR(uint8_tobuffer(nsec3->salt_length, target));
-	RETERR(mem_tobuffer(target, nsec3->salt, nsec3->salt_length));
-	RETERR(uint8_tobuffer(nsec3->next_length, target));
-	RETERR(mem_tobuffer(target, nsec3->next, nsec3->next_length));
-
-	/*
-	 * Perform sanity check.
-	 */
-	for (i = 0; i < nsec3->len ; i += len) {
-		INSIST(i + 2 <= nsec3->len);
-		window = nsec3->typebits[i];
-		len = nsec3->typebits[i+1];
-		i += 2;
-		INSIST(first || window > lastwindow);
-		INSIST(len > 0 && len <= 32);
-		INSIST(i + len <= nsec3->len);
-		INSIST(nsec3->typebits[i + len - 1] != 0);
-		lastwindow = window;
-		first = ISC_FALSE;
-	}
-	return (mem_tobuffer(target, nsec3->typebits, nsec3->len));
-}
-
-static inline isc_result_t
-tostruct_nsec3(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_nsec3_t *nsec3 = target;
-
-	REQUIRE(rdata->type == 50);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	nsec3->common.rdclass = rdata->rdclass;
-	nsec3->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&nsec3->common, link);
-
-	region.base = rdata->data;
-	region.length = rdata->length;
-	nsec3->hash = uint8_consume_fromregion(&region);
-	nsec3->flags = uint8_consume_fromregion(&region);
-	nsec3->iterations = uint16_consume_fromregion(&region);
-
-	nsec3->salt_length = uint8_consume_fromregion(&region);
-	nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
-	if (nsec3->salt == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_region_consume(&region, nsec3->salt_length);
-
-	nsec3->next_length = uint8_consume_fromregion(&region);
-	nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
-	if (nsec3->next == NULL)
-		goto cleanup;
-	isc_region_consume(&region, nsec3->next_length);
-
-	nsec3->len = region.length;
-	nsec3->typebits = mem_maybedup(mctx, region.base, region.length);
-	if (nsec3->typebits == NULL)
-		goto cleanup;
-
-	nsec3->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
-  cleanup:
-	if (nsec3->next != NULL)
-		isc_mem_free(mctx, nsec3->next);
-	isc_mem_free(mctx, nsec3->salt);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_nsec3(ARGS_FREESTRUCT) {
-	dns_rdata_nsec3_t *nsec3 = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(nsec3->common.rdtype == 50);
-
-	if (nsec3->mctx == NULL)
-		return;
-
-	if (nsec3->salt != NULL)
-		isc_mem_free(nsec3->mctx, nsec3->salt);
-	if (nsec3->next != NULL)
-		isc_mem_free(nsec3->mctx, nsec3->next);
-	if (nsec3->typebits != NULL)
-		isc_mem_free(nsec3->mctx, nsec3->typebits);
-	nsec3->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_nsec3(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 50);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_nsec3(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 50);
-
-	dns_rdata_toregion(rdata, &r);
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_nsec3(ARGS_CHECKOWNER) {
-
-       REQUIRE(type == 50);
-
-       UNUSED(name);
-       UNUSED(type);
-       UNUSED(rdclass);
-       UNUSED(wildcard);
-
-       return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_nsec3(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 50);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_nsec3(ARGS_COMPARE) {
-	return (compare_nsec3(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_NSEC3_50_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec3_50.h b/contrib/bind9/lib/dns/rdata/generic/nsec3_50.h
deleted file mode 100644
index 5f2afb8..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nsec3_50.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Copyright (C) 2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-
-#ifndef GENERIC_NSEC3_50_H
-#define GENERIC_NSEC3_50_H 1
-
-/* $Id$ */
-
-/*!
- * \brief Per RFC 5155 */
-
-#include <isc/iterated_hash.h>
-
-typedef struct dns_rdata_nsec3 {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_hash_t		hash;
-	unsigned char		flags;
-	dns_iterations_t	iterations;
-	unsigned char		salt_length;
-	unsigned char		next_length;
-	isc_uint16_t		len;
-	unsigned char		*salt;
-	unsigned char		*next;
-	unsigned char		*typebits;
-} dns_rdata_nsec3_t;
-
-/*
- * The corresponding NSEC3 interval is OPTOUT indicating possible
- * insecure delegations.
- */
-#define DNS_NSEC3FLAG_OPTOUT 0x01U
-
-/*%
- * The following flags are used in the private-type record (implemented in
- * lib/dns/private.c) which is used to store NSEC3PARAM data during the
- * time when it is not legal to have an actual NSEC3PARAM record in the
- * zone.  They are defined here because the private-type record uses the
- * same flags field for the OPTOUT flag above and for the private flags
- * below.  XXX: This should be considered for refactoring.
- */
-
-/*%
- * Non-standard, private type only.
- *
- * Create a corresponding NSEC3 chain.
- * Once the NSEC3 chain is complete this flag will be removed to signal
- * that there is a complete chain.
- *
- * This flag is automatically set when a NSEC3PARAM record is added to
- * the zone via UPDATE.
- *
- * NSEC3PARAM records containing this flag should never be published,
- * but if they are, they should be ignored by RFC 5155 compliant
- * nameservers.
- */
-#define DNS_NSEC3FLAG_CREATE 0x80U
-
-/*%
- * Non-standard, private type only.
- *
- * The corresponding NSEC3 set is to be removed once the NSEC chain
- * has been generated.
- *
- * This flag is automatically set when the last active NSEC3PARAM record
- * is removed from the zone via UPDATE.
- *
- * NSEC3PARAM records containing this flag should never be published,
- * but if they are, they should be ignored by RFC 5155 compliant
- * nameservers.
- */
-#define DNS_NSEC3FLAG_REMOVE 0x40U
-
-/*%
- * Non-standard, private type only.
- *
- * When set with the CREATE flag, a corresponding NSEC3 chain will be
- * created when the zone becomes capable of supporting one (i.e., when it
- * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
- * Without this flag, NSEC3 chain creation would be attempted immediately,
- * fail, and the private type record would be removed.  With it, the NSEC3
- * parameters are stored until they can be used.  When the zone has the
- * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
- * and the record will be cleaned up normally.
- *
- * NSEC3PARAM records containing this flag should never be published, but
- * if they are, they should be ignored by RFC 5155 compliant nameservers.
- */
-#define DNS_NSEC3FLAG_INITIAL 0x20U
-
-/*%
- * Non-standard, private type only.
- *
- * Prevent the creation of a NSEC chain before the last NSEC3 chain
- * is removed.  This will normally only be set when the zone is
- * transitioning from secure with NSEC3 chains to insecure.
- *
- * NSEC3PARAM records containing this flag should never be published,
- * but if they are, they should be ignored by RFC 5155 compliant
- * nameservers.
- */
-#define DNS_NSEC3FLAG_NONSEC 0x10U
-
-#endif /* GENERIC_NSEC3_50_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.c b/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.c
deleted file mode 100644
index 379a46b..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.c
+++ /dev/null
@@ -1,319 +0,0 @@
-/*
- * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsec3param_51.c,v 1.7 2009/12/04 21:09:34 marka Exp $ */
-
-/*
- * Copyright (C) 2004  Nominet, Ltd.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* RFC 5155 */
-
-#ifndef RDATA_GENERIC_NSEC3PARAM_51_C
-#define RDATA_GENERIC_NSEC3PARAM_51_C
-
-#include <isc/iterated_hash.h>
-#include <isc/base32.h>
-
-#define RRTYPE_NSEC3PARAM_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
-
-static inline isc_result_t
-fromtext_nsec3param(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned int flags = 0;
-	unsigned char hashalg;
-
-	REQUIRE(type == 51);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-	UNUSED(origin);
-	UNUSED(options);
-
-	/* Hash. */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_hashalg_fromtext(&hashalg, &token.value.as_textregion));
-	RETERR(uint8_tobuffer(hashalg, target));
-
-	/* Flags. */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	flags = token.value.as_ulong;
-	if (flags > 255U)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(flags, target));
-
-	/* Iterations. */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/* Salt. */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (token.value.as_textregion.length > (255*2))
-		RETTOK(DNS_R_TEXTTOOLONG);
-	if (strcmp(DNS_AS_STR(token), "-") == 0) {
-		RETERR(uint8_tobuffer(0, target));
-	} else {
-		RETERR(uint8_tobuffer(strlen(DNS_AS_STR(token)) / 2, target));
-		RETERR(isc_hex_decodestring(DNS_AS_STR(token), target));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_nsec3param(ARGS_TOTEXT) {
-	isc_region_t sr;
-	unsigned int i, j;
-	unsigned char hash;
-	unsigned char flags;
-	char buf[sizeof("65535 ")];
-	isc_uint32_t iterations;
-
-	REQUIRE(rdata->type == 51);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	hash = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	flags = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	iterations = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	sprintf(buf, "%u ", hash);
-	RETERR(str_totext(buf, target));
-
-	sprintf(buf, "%u ", flags);
-	RETERR(str_totext(buf, target));
-
-	sprintf(buf, "%u ", iterations);
-	RETERR(str_totext(buf, target));
-
-	j = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	INSIST(j <= sr.length);
-
-	if (j != 0) {
-		i = sr.length;
-		sr.length = j;
-		RETERR(isc_hex_totext(&sr, 1, "", target));
-		sr.length = i - j;
-	} else
-		RETERR(str_totext("-", target));
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_nsec3param(ARGS_FROMWIRE) {
-	isc_region_t sr, rr;
-	unsigned int saltlen;
-
-	REQUIRE(type == 51);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(options);
-	UNUSED(dctx);
-
-	isc_buffer_activeregion(source, &sr);
-	rr = sr;
-
-	/* hash(1), flags(1), iterations(2), saltlen(1) */
-	if (sr.length < 5U)
-		RETERR(DNS_R_FORMERR);
-	saltlen = sr.base[4];
-	isc_region_consume(&sr, 5);
-
-	if (sr.length < saltlen)
-		RETERR(DNS_R_FORMERR);
-	isc_region_consume(&sr, saltlen);
-	RETERR(mem_tobuffer(target, rr.base, rr.length));
-	isc_buffer_forward(source, rr.length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_nsec3param(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 51);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_nsec3param(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 51);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_nsec3param(ARGS_FROMSTRUCT) {
-	dns_rdata_nsec3param_t *nsec3param = source;
-
-	REQUIRE(type == 51);
-	REQUIRE(source != NULL);
-	REQUIRE(nsec3param->common.rdtype == type);
-	REQUIRE(nsec3param->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint8_tobuffer(nsec3param->hash, target));
-	RETERR(uint8_tobuffer(nsec3param->flags, target));
-	RETERR(uint16_tobuffer(nsec3param->iterations, target));
-	RETERR(uint8_tobuffer(nsec3param->salt_length, target));
-	RETERR(mem_tobuffer(target, nsec3param->salt,
-			    nsec3param->salt_length));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-tostruct_nsec3param(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_nsec3param_t *nsec3param = target;
-
-	REQUIRE(rdata->type == 51);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	nsec3param->common.rdclass = rdata->rdclass;
-	nsec3param->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&nsec3param->common, link);
-
-	region.base = rdata->data;
-	region.length = rdata->length;
-	nsec3param->hash = uint8_consume_fromregion(&region);
-	nsec3param->flags = uint8_consume_fromregion(&region);
-	nsec3param->iterations = uint16_consume_fromregion(&region);
-
-	nsec3param->salt_length = uint8_consume_fromregion(&region);
-	nsec3param->salt = mem_maybedup(mctx, region.base,
-					nsec3param->salt_length);
-	if (nsec3param->salt == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_region_consume(&region, nsec3param->salt_length);
-
-	nsec3param->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_nsec3param(ARGS_FREESTRUCT) {
-	dns_rdata_nsec3param_t *nsec3param = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(nsec3param->common.rdtype == 51);
-
-	if (nsec3param->mctx == NULL)
-		return;
-
-	if (nsec3param->salt != NULL)
-		isc_mem_free(nsec3param->mctx, nsec3param->salt);
-	nsec3param->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_nsec3param(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 51);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_nsec3param(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 51);
-
-	dns_rdata_toregion(rdata, &r);
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_nsec3param(ARGS_CHECKOWNER) {
-
-       REQUIRE(type == 51);
-
-       UNUSED(name);
-       UNUSED(type);
-       UNUSED(rdclass);
-       UNUSED(wildcard);
-
-       return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_nsec3param(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 51);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_nsec3param(ARGS_COMPARE) {
-	return (compare_nsec3param(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_NSEC3PARAM_51_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.h b/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.h
deleted file mode 100644
index 2efd7e6..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-
-#ifndef GENERIC_NSEC3PARAM_51_H
-#define GENERIC_NSEC3PARAM_51_H 1
-
-/* $Id: nsec3param_51.h,v 1.4 2008/09/25 04:02:39 tbox Exp $ */
-
-/*!
- * \brief Per RFC 5155 */
-
-#include <isc/iterated_hash.h>
-
-typedef struct dns_rdata_nsec3param {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_hash_t		hash;
-	unsigned char		flags;		/* DNS_NSEC3FLAG_* */
-	dns_iterations_t	iterations;
-	unsigned char		salt_length;
-	unsigned char		*salt;
-} dns_rdata_nsec3param_t;
-
-#endif /* GENERIC_NSEC3PARAM_51_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec_47.c b/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
deleted file mode 100644
index 095f42e..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
+++ /dev/null
@@ -1,396 +0,0 @@
-/*
- * Copyright (C) 2004, 2007-2009, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsec_47.c,v 1.15 2011/01/13 04:59:26 tbox Exp $ */
-
-/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
-
-/* RFC 3845 */
-
-#ifndef RDATA_GENERIC_NSEC_47_C
-#define RDATA_GENERIC_NSEC_47_C
-
-/*
- * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
- * because we must be able to handle a parent/child NSEC pair.
- */
-#define RRTYPE_NSEC_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
-
-static inline isc_result_t
-fromtext_nsec(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	unsigned char bm[8*1024]; /* 64k bits */
-	dns_rdatatype_t covered;
-	int octet;
-	int window;
-
-	REQUIRE(type == 47);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Next domain.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
-	memset(bm, 0, sizeof(bm));
-	do {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string, ISC_TRUE));
-		if (token.type != isc_tokentype_string)
-			break;
-		RETTOK(dns_rdatatype_fromtext(&covered,
-					      &token.value.as_textregion));
-		bm[covered/8] |= (0x80>>(covered%8));
-	} while (1);
-	isc_lex_ungettoken(lexer, &token);
-	for (window = 0; window < 256 ; window++) {
-		/*
-		 * Find if we have a type in this window.
-		 */
-		for (octet = 31; octet >= 0; octet--)
-			if (bm[window * 32 + octet] != 0)
-				break;
-		if (octet < 0)
-			continue;
-		RETERR(uint8_tobuffer(window, target));
-		RETERR(uint8_tobuffer(octet + 1, target));
-		RETERR(mem_tobuffer(target, &bm[window * 32], octet + 1));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_nsec(ARGS_TOTEXT) {
-	isc_region_t sr;
-	unsigned int i, j, k;
-	dns_name_t name;
-	unsigned int window, len;
-
-	REQUIRE(rdata->type == 47);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &sr);
-	dns_name_fromregion(&name, &sr);
-	isc_region_consume(&sr, name_length(&name));
-	RETERR(dns_name_totext(&name, ISC_FALSE, target));
-
-
-	for (i = 0; i < sr.length; i += len) {
-		INSIST(i + 2 <= sr.length);
-		window = sr.base[i];
-		len = sr.base[i + 1];
-		INSIST(len > 0 && len <= 32);
-		i += 2;
-		INSIST(i + len <= sr.length);
-		for (j = 0; j < len; j++) {
-			dns_rdatatype_t t;
-			if (sr.base[i + j] == 0)
-				continue;
-			for (k = 0; k < 8; k++) {
-				if ((sr.base[i + j] & (0x80 >> k)) == 0)
-					continue;
-				t = window * 256 + j * 8 + k;
-				RETERR(str_totext(" ", target));
-				if (dns_rdatatype_isknown(t)) {
-					RETERR(dns_rdatatype_totext(t, target));
-				} else {
-					char buf[sizeof("TYPE65535")];
-					sprintf(buf, "TYPE%u", t);
-					RETERR(str_totext(buf, target));
-				}
-			}
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static /* inline */ isc_result_t
-fromwire_nsec(ARGS_FROMWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-	unsigned int window, lastwindow = 0;
-	unsigned int len;
-	isc_boolean_t first = ISC_TRUE;
-	unsigned int i;
-
-	REQUIRE(type == 47);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
-	isc_buffer_activeregion(source, &sr);
-	for (i = 0; i < sr.length; i += len) {
-		/*
-		 * Check for overflow.
-		 */
-		if (i + 2 > sr.length)
-			RETERR(DNS_R_FORMERR);
-		window = sr.base[i];
-		len = sr.base[i + 1];
-		i += 2;
-		/*
-		 * Check that bitmap windows are in the correct order.
-		 */
-		if (!first && window <= lastwindow)
-			RETERR(DNS_R_FORMERR);
-		/*
-		 * Check for legal lengths.
-		 */
-		if (len < 1 || len > 32)
-			RETERR(DNS_R_FORMERR);
-		/*
-		 * Check for overflow.
-		 */
-		if (i + len > sr.length)
-			RETERR(DNS_R_FORMERR);
-		/*
-		 * The last octet of the bitmap must be non zero.
-		 */
-		if (sr.base[i + len - 1] == 0)
-			RETERR(DNS_R_FORMERR);
-		lastwindow = window;
-		first = ISC_FALSE;
-	}
-	if (i != sr.length)
-		return (DNS_R_EXTRADATA);
-	if (first)
-		RETERR(DNS_R_FORMERR);
-	RETERR(mem_tobuffer(target, sr.base, sr.length));
-	isc_buffer_forward(source, sr.length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_nsec(ARGS_TOWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-	dns_offsets_t offsets;
-
-	REQUIRE(rdata->type == 47);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &sr);
-	dns_name_fromregion(&name, &sr);
-	isc_region_consume(&sr, name_length(&name));
-	RETERR(dns_name_towire(&name, cctx, target));
-
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_nsec(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 47);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_nsec(ARGS_FROMSTRUCT) {
-	dns_rdata_nsec_t *nsec = source;
-	isc_region_t region;
-	unsigned int i, len, window, lastwindow = 0;
-	isc_boolean_t first = ISC_TRUE;
-
-	REQUIRE(type == 47);
-	REQUIRE(source != NULL);
-	REQUIRE(nsec->common.rdtype == type);
-	REQUIRE(nsec->common.rdclass == rdclass);
-	REQUIRE(nsec->typebits != NULL || nsec->len == 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&nsec->next, &region);
-	RETERR(isc_buffer_copyregion(target, &region));
-	/*
-	 * Perform sanity check.
-	 */
-	for (i = 0; i < nsec->len ; i += len) {
-		INSIST(i + 2 <= nsec->len);
-		window = nsec->typebits[i];
-		len = nsec->typebits[i+1];
-		i += 2;
-		INSIST(first || window > lastwindow);
-		INSIST(len > 0 && len <= 32);
-		INSIST(i + len <= nsec->len);
-		INSIST(nsec->typebits[i + len - 1] != 0);
-		lastwindow = window;
-		first = ISC_FALSE;
-	}
-	INSIST(!first);
-	return (mem_tobuffer(target, nsec->typebits, nsec->len));
-}
-
-static inline isc_result_t
-tostruct_nsec(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_nsec_t *nsec = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 47);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	nsec->common.rdclass = rdata->rdclass;
-	nsec->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&nsec->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	isc_region_consume(&region, name_length(&name));
-	dns_name_init(&nsec->next, NULL);
-	RETERR(name_duporclone(&name, mctx, &nsec->next));
-
-	nsec->len = region.length;
-	nsec->typebits = mem_maybedup(mctx, region.base, region.length);
-	if (nsec->typebits == NULL)
-		goto cleanup;
-
-	nsec->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL)
-		dns_name_free(&nsec->next, mctx);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_nsec(ARGS_FREESTRUCT) {
-	dns_rdata_nsec_t *nsec = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(nsec->common.rdtype == 47);
-
-	if (nsec->mctx == NULL)
-		return;
-
-	dns_name_free(&nsec->next, nsec->mctx);
-	if (nsec->typebits != NULL)
-		isc_mem_free(nsec->mctx, nsec->typebits);
-	nsec->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_nsec(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 47);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_nsec(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 47);
-
-	dns_rdata_toregion(rdata, &r);
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_nsec(ARGS_CHECKOWNER) {
-
-       REQUIRE(type == 47);
-
-       UNUSED(name);
-       UNUSED(type);
-       UNUSED(rdclass);
-       UNUSED(wildcard);
-
-       return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_nsec(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 47);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_nsec(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 47);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	isc_region_consume(&region1, name_length(&name1));
-	isc_region_consume(&region2, name_length(&name2));
-
-	return (isc_region_compare(&region1, &region2));
-}
-#endif	/* RDATA_GENERIC_NSEC_47_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec_47.h b/contrib/bind9/lib/dns/rdata/generic/nsec_47.h
deleted file mode 100644
index 2b3c6b6..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nsec_47.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NSEC_47_H
-#define GENERIC_NSEC_47_H 1
-
-/* $Id: nsec_47.h,v 1.10 2008/07/15 23:47:21 tbox Exp $ */
-
-/*!
- * \brief Per RFC 3845 */
-
-typedef struct dns_rdata_nsec {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		next;
-	unsigned char		*typebits;
-	isc_uint16_t		len;
-} dns_rdata_nsec_t;
-
-#endif /* GENERIC_NSEC_47_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/null_10.c b/contrib/bind9/lib/dns/rdata/generic/null_10.c
deleted file mode 100644
index 8ba86fb..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/null_10.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* Reviewed: Thu Mar 16 13:57:50 PST 2000 by explorer */
-
-#ifndef RDATA_GENERIC_NULL_10_C
-#define RDATA_GENERIC_NULL_10_C
-
-#define RRTYPE_NULL_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_null(ARGS_FROMTEXT) {
-	REQUIRE(type == 10);
-
-	UNUSED(rdclass);
-	UNUSED(type);
-	UNUSED(lexer);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(target);
-	UNUSED(callbacks);
-
-	return (DNS_R_SYNTAX);
-}
-
-static inline isc_result_t
-totext_null(ARGS_TOTEXT) {
-	REQUIRE(rdata->type == 10);
-
-	return (unknown_totext(rdata, tctx, target));
-}
-
-static inline isc_result_t
-fromwire_null(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 10);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_null(ARGS_TOWIRE) {
-	REQUIRE(rdata->type == 10);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_null(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 10);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_null(ARGS_FROMSTRUCT) {
-	dns_rdata_null_t *null = source;
-
-	REQUIRE(type == 10);
-	REQUIRE(source != NULL);
-	REQUIRE(null->common.rdtype == type);
-	REQUIRE(null->common.rdclass == rdclass);
-	REQUIRE(null->data != NULL || null->length == 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (mem_tobuffer(target, null->data, null->length));
-}
-
-static inline isc_result_t
-tostruct_null(ARGS_TOSTRUCT) {
-	dns_rdata_null_t *null = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 10);
-	REQUIRE(target != NULL);
-
-	null->common.rdclass = rdata->rdclass;
-	null->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&null->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-	null->length = r.length;
-	null->data = mem_maybedup(mctx, r.base, r.length);
-	if (null->data == NULL)
-		return (ISC_R_NOMEMORY);
-
-	null->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_null(ARGS_FREESTRUCT) {
-	dns_rdata_null_t *null = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(null->common.rdtype == 10);
-
-	if (null->mctx == NULL)
-		return;
-
-	if (null->data != NULL)
-		isc_mem_free(null->mctx, null->data);
-	null->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_null(ARGS_ADDLDATA) {
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	REQUIRE(rdata->type == 10);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_null(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 10);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_null(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 10);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_null(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 10);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_null(ARGS_COMPARE) {
-	return (compare_null(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_NULL_10_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/null_10.h b/contrib/bind9/lib/dns/rdata/generic/null_10.h
deleted file mode 100644
index ceeb018..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/null_10.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_NULL_10_H
-#define GENERIC_NULL_10_H 1
-
-/* $Id: null_10.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_null {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		length;
-	unsigned char		*data;
-} dns_rdata_null_t;
-
-
-#endif /* GENERIC_NULL_10_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nxt_30.c b/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
deleted file mode 100644
index 4d291a8..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
+++ /dev/null
@@ -1,333 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nxt_30.c,v 1.65 2009/12/04 22:06:37 tbox Exp $ */
-
-/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
-
-/* RFC2535 */
-
-#ifndef RDATA_GENERIC_NXT_30_C
-#define RDATA_GENERIC_NXT_30_C
-
-/*
- * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
- * because we must be able to handle a parent/child NXT pair.
- */
-#define RRTYPE_NXT_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_nxt(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	char *e;
-	unsigned char bm[8*1024]; /* 64k bits */
-	dns_rdatatype_t covered;
-	dns_rdatatype_t maxcovered = 0;
-	isc_boolean_t first = ISC_TRUE;
-	long n;
-
-	REQUIRE(type == 30);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Next domain.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
-	memset(bm, 0, sizeof(bm));
-	do {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string, ISC_TRUE));
-		if (token.type != isc_tokentype_string)
-			break;
-		n = strtol(DNS_AS_STR(token), &e, 10);
-		if (e != DNS_AS_STR(token) && *e == '\0') {
-			covered = (dns_rdatatype_t)n;
-		} else if (dns_rdatatype_fromtext(&covered,
-				&token.value.as_textregion) == DNS_R_UNKNOWN)
-			RETTOK(DNS_R_UNKNOWN);
-		/*
-		 * NXT is only specified for types 1..127.
-		 */
-		if (covered < 1 || covered > 127)
-			return (ISC_R_RANGE);
-		if (first || covered > maxcovered)
-			maxcovered = covered;
-		first = ISC_FALSE;
-		bm[covered/8] |= (0x80>>(covered%8));
-	} while (1);
-	isc_lex_ungettoken(lexer, &token);
-	if (first)
-		return (ISC_R_SUCCESS);
-	n = (maxcovered + 8) / 8;
-	return (mem_tobuffer(target, bm, n));
-}
-
-static inline isc_result_t
-totext_nxt(ARGS_TOTEXT) {
-	isc_region_t sr;
-	unsigned int i, j;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 30);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-	dns_rdata_toregion(rdata, &sr);
-	dns_name_fromregion(&name, &sr);
-	isc_region_consume(&sr, name_length(&name));
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	RETERR(dns_name_totext(&prefix, sub, target));
-
-	for (i = 0; i < sr.length; i++) {
-		if (sr.base[i] != 0)
-			for (j = 0; j < 8; j++)
-				if ((sr.base[i] & (0x80 >> j)) != 0) {
-					dns_rdatatype_t t = i * 8 + j;
-					RETERR(str_totext(" ", target));
-					if (dns_rdatatype_isknown(t)) {
-						RETERR(dns_rdatatype_totext(t,
-								      target));
-					} else {
-						char buf[sizeof("65535")];
-						sprintf(buf, "%u", t);
-						RETERR(str_totext(buf,
-								  target));
-					}
-				}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_nxt(ARGS_FROMWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-
-	REQUIRE(type == 30);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length > 0 && (sr.base[0] & 0x80) == 0 &&
-	    ((sr.length > 16) || sr.base[sr.length - 1] == 0))
-		return (DNS_R_BADBITMAP);
-	RETERR(mem_tobuffer(target, sr.base, sr.length));
-	isc_buffer_forward(source, sr.length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_nxt(ARGS_TOWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-	dns_offsets_t offsets;
-
-	REQUIRE(rdata->type == 30);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &sr);
-	dns_name_fromregion(&name, &sr);
-	isc_region_consume(&sr, name_length(&name));
-	RETERR(dns_name_towire(&name, cctx, target));
-
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_nxt(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 30);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	dns_name_fromregion(&name1, &r1);
-	dns_name_fromregion(&name2, &r2);
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_nxt(ARGS_FROMSTRUCT) {
-	dns_rdata_nxt_t *nxt = source;
-	isc_region_t region;
-
-	REQUIRE(type == 30);
-	REQUIRE(source != NULL);
-	REQUIRE(nxt->common.rdtype == type);
-	REQUIRE(nxt->common.rdclass == rdclass);
-	REQUIRE(nxt->typebits != NULL || nxt->len == 0);
-	if (nxt->typebits != NULL && (nxt->typebits[0] & 0x80) == 0) {
-		REQUIRE(nxt->len <= 16);
-		REQUIRE(nxt->typebits[nxt->len - 1] != 0);
-	}
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&nxt->next, &region);
-	RETERR(isc_buffer_copyregion(target, &region));
-
-	return (mem_tobuffer(target, nxt->typebits, nxt->len));
-}
-
-static inline isc_result_t
-tostruct_nxt(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_nxt_t *nxt = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 30);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	nxt->common.rdclass = rdata->rdclass;
-	nxt->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&nxt->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	isc_region_consume(&region, name_length(&name));
-	dns_name_init(&nxt->next, NULL);
-	RETERR(name_duporclone(&name, mctx, &nxt->next));
-
-	nxt->len = region.length;
-	nxt->typebits = mem_maybedup(mctx, region.base, region.length);
-	if (nxt->typebits == NULL)
-		goto cleanup;
-
-	nxt->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL)
-		dns_name_free(&nxt->next, mctx);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_nxt(ARGS_FREESTRUCT) {
-	dns_rdata_nxt_t *nxt = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(nxt->common.rdtype == 30);
-
-	if (nxt->mctx == NULL)
-		return;
-
-	dns_name_free(&nxt->next, nxt->mctx);
-	if (nxt->typebits != NULL)
-		isc_mem_free(nxt->mctx, nxt->typebits);
-	nxt->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_nxt(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 30);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_nxt(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-	isc_result_t result;
-
-	REQUIRE(rdata->type == 30);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-	result = dns_name_digest(&name, digest, arg);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_region_consume(&r, name_length(&name));
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_nxt(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 30);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_nxt(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 30);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_nxt(ARGS_COMPARE) {
-	return (compare_nxt(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_NXT_30_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nxt_30.h b/contrib/bind9/lib/dns/rdata/generic/nxt_30.h
deleted file mode 100644
index e2e8688..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/nxt_30.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NXT_30_H
-#define GENERIC_NXT_30_H 1
-
-/* $Id: nxt_30.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief RFC2535 */
-
-typedef struct dns_rdata_nxt {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		next;
-	unsigned char		*typebits;
-	isc_uint16_t		len;
-} dns_rdata_nxt_t;
-
-#endif /* GENERIC_NXT_30_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/opt_41.c b/contrib/bind9/lib/dns/rdata/generic/opt_41.c
deleted file mode 100644
index 4b51804..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/opt_41.c
+++ /dev/null
@@ -1,289 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* Reviewed: Thu Mar 16 14:06:44 PST 2000 by gson */
-
-/* RFC2671 */
-
-#ifndef RDATA_GENERIC_OPT_41_C
-#define RDATA_GENERIC_OPT_41_C
-
-#define RRTYPE_OPT_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON | \
-			       DNS_RDATATYPEATTR_META | \
-			       DNS_RDATATYPEATTR_NOTQUESTION)
-
-static inline isc_result_t
-fromtext_opt(ARGS_FROMTEXT) {
-	/*
-	 * OPT records do not have a text format.
-	 */
-
-	REQUIRE(type == 41);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(lexer);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(target);
-	UNUSED(callbacks);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-totext_opt(ARGS_TOTEXT) {
-	isc_region_t r;
-	isc_region_t or;
-	isc_uint16_t option;
-	isc_uint16_t length;
-	char buf[sizeof("64000 64000")];
-
-	/*
-	 * OPT records do not have a text format.
-	 */
-
-	REQUIRE(rdata->type == 41);
-
-	dns_rdata_toregion(rdata, &r);
-	while (r.length > 0) {
-		option = uint16_fromregion(&r);
-		isc_region_consume(&r, 2);
-		length = uint16_fromregion(&r);
-		isc_region_consume(&r, 2);
-		sprintf(buf, "%u %u", option, length);
-		RETERR(str_totext(buf, target));
-		INSIST(r.length >= length);
-		if (length > 0) {
-			if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-				RETERR(str_totext(" (", target));
-			RETERR(str_totext(tctx->linebreak, target));
-			or = r;
-			or.length = length;
-			if (tctx->width == 0)   /* No splitting */
-				RETERR(isc_base64_totext(&or, 60, "", target));
-			else
-				RETERR(isc_base64_totext(&or, tctx->width - 2,
-							 tctx->linebreak,
-							 target));
-			isc_region_consume(&r, length);
-			if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-				RETERR(str_totext(" )", target));
-		}
-		if (r.length > 0)
-			RETERR(str_totext(" ", target));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_opt(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-	isc_region_t tregion;
-	isc_uint16_t length;
-	unsigned int total;
-
-	REQUIRE(type == 41);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sregion);
-	total = 0;
-	while (sregion.length != 0) {
-		if (sregion.length < 4)
-			return (ISC_R_UNEXPECTEDEND);
-		/*
-		 * Eat the 16bit option code.  There is nothing to
-		 * be done with it currently.
-		 */
-		isc_region_consume(&sregion, 2);
-		length = uint16_fromregion(&sregion);
-		isc_region_consume(&sregion, 2);
-		total += 4;
-		if (sregion.length < length)
-			return (ISC_R_UNEXPECTEDEND);
-		isc_region_consume(&sregion, length);
-		total += length;
-	}
-
-	isc_buffer_activeregion(source, &sregion);
-	isc_buffer_availableregion(target, &tregion);
-	if (tregion.length < total)
-		return (ISC_R_NOSPACE);
-	memcpy(tregion.base, sregion.base, total);
-	isc_buffer_forward(source, total);
-	isc_buffer_add(target, total);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_opt(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == 41);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_opt(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 41);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_opt(ARGS_FROMSTRUCT) {
-	dns_rdata_opt_t *opt = source;
-	isc_region_t region;
-	isc_uint16_t length;
-
-	REQUIRE(type == 41);
-	REQUIRE(source != NULL);
-	REQUIRE(opt->common.rdtype == type);
-	REQUIRE(opt->common.rdclass == rdclass);
-	REQUIRE(opt->options != NULL || opt->length == 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	region.base = opt->options;
-	region.length = opt->length;
-	while (region.length >= 4) {
-		isc_region_consume(&region, 2);	/* opt */
-		length = uint16_fromregion(&region);
-		isc_region_consume(&region, 2);
-		if (region.length < length)
-			return (ISC_R_UNEXPECTEDEND);
-		isc_region_consume(&region, length);
-	}
-	if (region.length != 0)
-		return (ISC_R_UNEXPECTEDEND);
-
-	return (mem_tobuffer(target, opt->options, opt->length));
-}
-
-static inline isc_result_t
-tostruct_opt(ARGS_TOSTRUCT) {
-	dns_rdata_opt_t *opt = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 41);
-	REQUIRE(target != NULL);
-
-	opt->common.rdclass = rdata->rdclass;
-	opt->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&opt->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-	opt->length = r.length;
-	opt->options = mem_maybedup(mctx, r.base, r.length);
-	if (opt->options == NULL)
-		return (ISC_R_NOMEMORY);
-
-	opt->offset = 0;
-	opt->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_opt(ARGS_FREESTRUCT) {
-	dns_rdata_opt_t *opt = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(opt->common.rdtype == 41);
-
-	if (opt->mctx == NULL)
-		return;
-
-	if (opt->options != NULL)
-		isc_mem_free(opt->mctx, opt->options);
-	opt->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_opt(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 41);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_opt(ARGS_DIGEST) {
-
-	/*
-	 * OPT records are not digested.
-	 */
-
-	REQUIRE(rdata->type == 41);
-
-	UNUSED(rdata);
-	UNUSED(digest);
-	UNUSED(arg);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_boolean_t
-checkowner_opt(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 41);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (dns_name_equal(name, dns_rootname));
-}
-
-static inline isc_boolean_t
-checknames_opt(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 41);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_opt(ARGS_COMPARE) {
-	return (compare_opt(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_OPT_41_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/opt_41.h b/contrib/bind9/lib/dns/rdata/generic/opt_41.h
deleted file mode 100644
index d6539cf..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/opt_41.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_OPT_41_H
-#define GENERIC_OPT_41_H 1
-
-/* $Id: opt_41.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC2671 */
-
-typedef struct dns_rdata_opt_opcode {
-		isc_uint16_t	opcode;
-		isc_uint16_t	length;
-		unsigned char	*data;
-} dns_rdata_opt_opcode_t;
-
-typedef struct dns_rdata_opt {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*options;
-	isc_uint16_t		length;
-	/* private */
-	isc_uint16_t		offset;
-} dns_rdata_opt_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_opt_first(dns_rdata_opt_t *);
-
-isc_result_t
-dns_rdata_opt_next(dns_rdata_opt_t *);
-
-isc_result_t
-dns_rdata_opt_current(dns_rdata_opt_t *, dns_rdata_opt_opcode_t *);
-
-#endif /* GENERIC_OPT_41_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/proforma.c b/contrib/bind9/lib/dns/rdata/generic/proforma.c
deleted file mode 100644
index d1a5ecd..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/proforma.c
+++ /dev/null
@@ -1,190 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: proforma.c,v 1.38 2009/12/04 22:06:37 tbox Exp $ */
-
-#ifndef RDATA_GENERIC_#_#_C
-#define RDATA_GENERIC_#_#_C
-
-#define RRTYPE_#_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_#(ARGS_FROMTEXT) {
-	isc_token_t token;
-
-	REQUIRE(type == #);
-	REQUIRE(rdclass == #);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-totext_#(ARGS_TOTEXT) {
-
-	REQUIRE(rdata->type == #);
-	REQUIRE(rdata->rdclass == #);
-	REQUIRE(rdata->length != 0);	/* XXX */
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-fromwire_#(ARGS_FROMWIRE) {
-
-	REQUIRE(type == #);
-	REQUIRE(rdclass == #);
-
-	/* NONE or GLOBAL14 */
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-towire_#(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == #);
-	REQUIRE(rdata->rdclass == #);
-	REQUIRE(rdata->length != 0);	/* XXX */
-
-	/* NONE or GLOBAL14 */
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline int
-compare_#(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == #);
-	REQUIRE(rdata1->rdclass == #);
-	REQUIRE(rdata1->length != 0);	/* XXX */
-	REQUIRE(rdata2->length != 0);	/* XXX */
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_#(ARGS_FROMSTRUCT) {
-	dns_rdata_#_t *# = source;
-
-	REQUIRE(type == #);
-	REQUIRE(rdclass == #);
-	REQUIRE(source != NULL);
-	REQUIRE(#->common.rdtype == type);
-	REQUIRE(#->common.rdclass == rdclass);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-tostruct_#(ARGS_TOSTRUCT) {
-
-	REQUIRE(rdata->type == #);
-	REQUIRE(rdata->rdclass == #);
-	REQUIRE(rdata->length != 0);	/* XXX */
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline void
-freestruct_#(ARGS_FREESTRUCT) {
-	dns_rdata_#_t *# = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(#->common.rdtype == #);
-	REQUIRE(#->common.rdclass == #);
-
-}
-
-static inline isc_result_t
-additionaldata_#(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == #);
-	REQUIRE(rdata->rdclass == #);
-
-	(void)add;
-	(void)arg;
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_#(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == #);
-	REQUIRE(rdata->rdclass == #);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_#(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == #);
-	REQUIRE(rdclass == #);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_#(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == #);
-	REQUIRE(rdata->rdclass == #);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_#(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == #);
-	REQUIRE(rdata1->rdclass == #);
-	REQUIRE(rdata1->length != 0);	/* XXX */
-	REQUIRE(rdata2->length != 0);	/* XXX */
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-#endif	/* RDATA_GENERIC_#_#_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/proforma.h b/contrib/bind9/lib/dns/rdata/generic/proforma.h
deleted file mode 100644
index e5c420a..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/proforma.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_PROFORMA_H
-#define GENERIC_PROFORMA_H 1
-
-/* $Id: proforma.h,v 1.23 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_# {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;	/* if required */
-	/* type & class specific elements */
-} dns_rdata_#_t;
-
-#endif /* GENERIC_PROFORMA_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ptr_12.c b/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
deleted file mode 100644
index a619f13..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ptr_12.c,v 1.45 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Thu Mar 16 14:05:12 PST 2000 by explorer */
-
-#ifndef RDATA_GENERIC_PTR_12_C
-#define RDATA_GENERIC_PTR_12_C
-
-#define RRTYPE_PTR_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_ptr(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 12);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	if (rdclass == dns_rdataclass_in &&
-	    (options & DNS_RDATA_CHECKNAMES) != 0 &&
-	    (options & DNS_RDATA_CHECKREVERSE) != 0) {
-		isc_boolean_t ok;
-		ok = dns_name_ishostname(&name, ISC_FALSE);
-		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-			RETTOK(DNS_R_BADNAME);
-		if (!ok && callbacks != NULL)
-			warn_badname(&name, lexer, callbacks);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_ptr(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 12);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_ptr(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 12);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_ptr(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 12);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_ptr(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 12);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_ptr(ARGS_FROMSTRUCT) {
-	dns_rdata_ptr_t *ptr = source;
-	isc_region_t region;
-
-	REQUIRE(type == 12);
-	REQUIRE(source != NULL);
-	REQUIRE(ptr->common.rdtype == type);
-	REQUIRE(ptr->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&ptr->ptr, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_ptr(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_ptr_t *ptr = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 12);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	ptr->common.rdclass = rdata->rdclass;
-	ptr->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&ptr->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&ptr->ptr, NULL);
-	RETERR(name_duporclone(&name, mctx, &ptr->ptr));
-	ptr->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_ptr(ARGS_FREESTRUCT) {
-	dns_rdata_ptr_t *ptr = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(ptr->common.rdtype == 12);
-
-	if (ptr->mctx == NULL)
-		return;
-
-	dns_name_free(&ptr->ptr, ptr->mctx);
-	ptr->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_ptr(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 12);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_ptr(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 12);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_ptr(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 12);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static unsigned char ip6_arpa_data[]  = "\003IP6\004ARPA";
-static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
-static const dns_name_t ip6_arpa =
-{
-	DNS_NAME_MAGIC,
-	ip6_arpa_data, 10, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	ip6_arpa_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-static unsigned char ip6_int_data[]  = "\003IP6\003INT";
-static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
-static const dns_name_t ip6_int =
-{
-	DNS_NAME_MAGIC,
-	ip6_int_data, 9, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	ip6_int_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-static unsigned char in_addr_arpa_data[]  = "\007IN-ADDR\004ARPA";
-static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
-static const dns_name_t in_addr_arpa =
-{
-	DNS_NAME_MAGIC,
-	in_addr_arpa_data, 14, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	in_addr_arpa_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-static inline isc_boolean_t
-checknames_ptr(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 12);
-
-	if (rdata->rdclass != dns_rdataclass_in)
-	    return (ISC_TRUE);
-
-	if (dns_name_issubdomain(owner, &in_addr_arpa) ||
-	    dns_name_issubdomain(owner, &ip6_arpa) ||
-	    dns_name_issubdomain(owner, &ip6_int)) {
-		dns_rdata_toregion(rdata, &region);
-		dns_name_init(&name, NULL);
-		dns_name_fromregion(&name, &region);
-		if (!dns_name_ishostname(&name, ISC_FALSE)) {
-			if (bad != NULL)
-				dns_name_clone(&name, bad);
-			return (ISC_FALSE);
-		}
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_ptr(ARGS_COMPARE) {
-	return (compare_ptr(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_PTR_12_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ptr_12.h b/contrib/bind9/lib/dns/rdata/generic/ptr_12.h
deleted file mode 100644
index 304dcc4..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/ptr_12.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_PTR_12_H
-#define GENERIC_PTR_12_H 1
-
-/* $Id: ptr_12.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_ptr {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        dns_name_t              ptr;
-} dns_rdata_ptr_t;
-
-#endif /* GENERIC_PTR_12_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rp_17.c b/contrib/bind9/lib/dns/rdata/generic/rp_17.c
deleted file mode 100644
index 3291f7b..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/rp_17.c
+++ /dev/null
@@ -1,318 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rp_17.c,v 1.44 2009/12/04 22:06:37 tbox Exp $ */
-
-/* RFC1183 */
-
-#ifndef RDATA_GENERIC_RP_17_C
-#define RDATA_GENERIC_RP_17_C
-
-#define RRTYPE_RP_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_rp(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	int i;
-	isc_boolean_t ok;
-
-	REQUIRE(type == 17);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	origin = (origin != NULL) ? origin : dns_rootname;
-
-	for (i = 0; i < 2; i++) {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string,
-					      ISC_FALSE));
-		dns_name_init(&name, NULL);
-		buffer_fromregion(&buffer, &token.value.as_region);
-		RETTOK(dns_name_fromtext(&name, &buffer, origin,
-					 options, target));
-		ok = ISC_TRUE;
-		if ((options & DNS_RDATA_CHECKNAMES) != 0 && i == 0)
-			ok = dns_name_ismailbox(&name);
-		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-			RETTOK(DNS_R_BADNAME);
-		if (!ok && callbacks != NULL)
-			warn_badname(&name, lexer, callbacks);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_rp(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t rmail;
-	dns_name_t email;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 17);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&rmail, NULL);
-	dns_name_init(&email, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-
-	dns_name_fromregion(&rmail, &region);
-	isc_region_consume(&region, rmail.length);
-
-	dns_name_fromregion(&email, &region);
-	isc_region_consume(&region, email.length);
-
-	sub = name_prefix(&rmail, tctx->origin, &prefix);
-	RETERR(dns_name_totext(&prefix, sub, target));
-
-	RETERR(str_totext(" ", target));
-
-	sub = name_prefix(&email, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_rp(ARGS_FROMWIRE) {
-	dns_name_t rmail;
-	dns_name_t email;
-
-	REQUIRE(type == 17);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&rmail, NULL);
-	dns_name_init(&email, NULL);
-
-	RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
-	return (dns_name_fromwire(&email, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_rp(ARGS_TOWIRE) {
-	isc_region_t region;
-	dns_name_t rmail;
-	dns_name_t email;
-	dns_offsets_t roffsets;
-	dns_offsets_t eoffsets;
-
-	REQUIRE(rdata->type == 17);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_name_init(&rmail, roffsets);
-	dns_name_init(&email, eoffsets);
-
-	dns_rdata_toregion(rdata, &region);
-
-	dns_name_fromregion(&rmail, &region);
-	isc_region_consume(&region, rmail.length);
-
-	RETERR(dns_name_towire(&rmail, cctx, target));
-
-	dns_name_fromregion(&rmail, &region);
-	isc_region_consume(&region, rmail.length);
-
-	return (dns_name_towire(&rmail, cctx, target));
-}
-
-static inline int
-compare_rp(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 17);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	isc_region_consume(&region1, name_length(&name1));
-	isc_region_consume(&region2, name_length(&name2));
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_rp(ARGS_FROMSTRUCT) {
-	dns_rdata_rp_t *rp = source;
-	isc_region_t region;
-
-	REQUIRE(type == 17);
-	REQUIRE(source != NULL);
-	REQUIRE(rp->common.rdtype == type);
-	REQUIRE(rp->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&rp->mail, &region);
-	RETERR(isc_buffer_copyregion(target, &region));
-	dns_name_toregion(&rp->text, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_rp(ARGS_TOSTRUCT) {
-	isc_result_t result;
-	isc_region_t region;
-	dns_rdata_rp_t *rp = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 17);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	rp->common.rdclass = rdata->rdclass;
-	rp->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&rp->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&rp->mail, NULL);
-	RETERR(name_duporclone(&name, mctx, &rp->mail));
-	isc_region_consume(&region, name_length(&name));
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&rp->text, NULL);
-	result = name_duporclone(&name, mctx, &rp->text);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	rp->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL)
-		dns_name_free(&rp->mail, mctx);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_rp(ARGS_FREESTRUCT) {
-	dns_rdata_rp_t *rp = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(rp->common.rdtype == 17);
-
-	if (rp->mctx == NULL)
-		return;
-
-	dns_name_free(&rp->mail, rp->mctx);
-	dns_name_free(&rp->text, rp->mctx);
-	rp->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_rp(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 17);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_rp(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 17);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-
-	dns_name_fromregion(&name, &r);
-	RETERR(dns_name_digest(&name, digest, arg));
-	isc_region_consume(&r, name_length(&name));
-
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_rp(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 17);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_rp(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 17);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ismailbox(&name)) {
-		if (bad != NULL)
-				dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_rp(ARGS_COMPARE) {
-	return (compare_rp(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_RP_17_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rp_17.h b/contrib/bind9/lib/dns/rdata/generic/rp_17.h
deleted file mode 100644
index 6223038..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/rp_17.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_RP_17_H
-#define GENERIC_RP_17_H 1
-
-/* $Id: rp_17.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC1183 */
-
-typedef struct dns_rdata_rp {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        dns_name_t              mail;
-        dns_name_t              text;
-} dns_rdata_rp_t;
-
-
-#endif /* GENERIC_RP_17_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
deleted file mode 100644
index 58a327c..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
+++ /dev/null
@@ -1,593 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
-
-/* RFC2535 */
-
-#ifndef RDATA_GENERIC_RRSIG_46_C
-#define RDATA_GENERIC_RRSIG_46_C
-
-#define RRTYPE_RRSIG_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
-
-static inline isc_result_t
-fromtext_rrsig(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char c;
-	long i;
-	dns_rdatatype_t covered;
-	char *e;
-	isc_result_t result;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	isc_uint32_t time_signed, time_expire;
-
-	REQUIRE(type == 46);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Type covered.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
-		i = strtol(DNS_AS_STR(token), &e, 10);
-		if (i < 0 || i > 65535)
-			RETTOK(ISC_R_RANGE);
-		if (*e != 0)
-			RETTOK(result);
-		covered = (dns_rdatatype_t)i;
-	}
-	RETERR(uint16_tobuffer(covered, target));
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &c, 1));
-
-	/*
-	 * Labels.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	c = (unsigned char)token.value.as_ulong;
-	RETERR(mem_tobuffer(target, &c, 1));
-
-	/*
-	 * Original ttl.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Signature expiration.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
-	RETERR(uint32_tobuffer(time_expire, target));
-
-	/*
-	 * Time signed.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
-	RETERR(uint32_tobuffer(time_signed, target));
-
-	/*
-	 * Key footprint.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Signer.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
-	/*
-	 * Sig.
-	 */
-	return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_rrsig(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("4294967295")];
-	dns_rdatatype_t covered;
-	unsigned long ttl;
-	unsigned long when;
-	unsigned long exp;
-	unsigned long foot;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 46);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Type covered.
-	 */
-	covered = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	/*
-	 * XXXAG We should have something like dns_rdatatype_isknown()
-	 * that does the right thing with type 0.
-	 */
-	if (dns_rdatatype_isknown(covered) && covered != 0) {
-		RETERR(dns_rdatatype_totext(covered, target));
-	} else {
-		char buf[sizeof("TYPE65535")];
-		sprintf(buf, "TYPE%u", covered);
-		RETERR(str_totext(buf, target));
-	}
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Algorithm.
-	 */
-	sprintf(buf, "%u", sr.base[0]);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Labels.
-	 */
-	sprintf(buf, "%u", sr.base[0]);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Ttl.
-	 */
-	ttl = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	sprintf(buf, "%lu", ttl);
-	RETERR(str_totext(buf, target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-
-	/*
-	 * Sig exp.
-	 */
-	exp = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	RETERR(dns_time32_totext(exp, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Time signed.
-	 */
-	when = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	RETERR(dns_time32_totext(when, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Footprint.
-	 */
-	foot = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu", foot);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Signer.
-	 */
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &sr);
-	isc_region_consume(&sr, name_length(&name));
-	RETERR(dns_name_totext(&name, ISC_FALSE, target));
-
-	/*
-	 * Sig.
-	 */
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0)   /* No splitting */
-		RETERR(isc_base64_totext(&sr, 60, "", target));
-	else
-		RETERR(isc_base64_totext(&sr, tctx->width - 2,
-					 tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_rrsig(ARGS_FROMWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-
-	REQUIRE(type == 46);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	isc_buffer_activeregion(source, &sr);
-	/*
-	 * type covered: 2
-	 * algorithm: 1
-	 * labels: 1
-	 * original ttl: 4
-	 * signature expiration: 4
-	 * time signed: 4
-	 * key footprint: 2
-	 */
-	if (sr.length < 18)
-		return (ISC_R_UNEXPECTEDEND);
-
-	isc_buffer_forward(source, 18);
-	RETERR(mem_tobuffer(target, sr.base, 18));
-
-	/*
-	 * Signer.
-	 */
-	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
-	/*
-	 * Sig.
-	 */
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_rrsig(ARGS_TOWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-	dns_offsets_t offsets;
-
-	REQUIRE(rdata->type == 46);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_rdata_toregion(rdata, &sr);
-	/*
-	 * type covered: 2
-	 * algorithm: 1
-	 * labels: 1
-	 * original ttl: 4
-	 * signature expiration: 4
-	 * time signed: 4
-	 * key footprint: 2
-	 */
-	RETERR(mem_tobuffer(target, sr.base, 18));
-	isc_region_consume(&sr, 18);
-
-	/*
-	 * Signer.
-	 */
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &sr);
-	isc_region_consume(&sr, name_length(&name));
-	RETERR(dns_name_towire(&name, cctx, target));
-
-	/*
-	 * Signature.
-	 */
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_rrsig(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 46);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_rrsig(ARGS_FROMSTRUCT) {
-	dns_rdata_rrsig_t *sig = source;
-
-	REQUIRE(type == 46);
-	REQUIRE(source != NULL);
-	REQUIRE(sig->common.rdtype == type);
-	REQUIRE(sig->common.rdclass == rdclass);
-	REQUIRE(sig->signature != NULL || sig->siglen == 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	/*
-	 * Type covered.
-	 */
-	RETERR(uint16_tobuffer(sig->covered, target));
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(uint8_tobuffer(sig->algorithm, target));
-
-	/*
-	 * Labels.
-	 */
-	RETERR(uint8_tobuffer(sig->labels, target));
-
-	/*
-	 * Original TTL.
-	 */
-	RETERR(uint32_tobuffer(sig->originalttl, target));
-
-	/*
-	 * Expire time.
-	 */
-	RETERR(uint32_tobuffer(sig->timeexpire, target));
-
-	/*
-	 * Time signed.
-	 */
-	RETERR(uint32_tobuffer(sig->timesigned, target));
-
-	/*
-	 * Key ID.
-	 */
-	RETERR(uint16_tobuffer(sig->keyid, target));
-
-	/*
-	 * Signer name.
-	 */
-	RETERR(name_tobuffer(&sig->signer, target));
-
-	/*
-	 * Signature.
-	 */
-	return (mem_tobuffer(target, sig->signature, sig->siglen));
-}
-
-static inline isc_result_t
-tostruct_rrsig(ARGS_TOSTRUCT) {
-	isc_region_t sr;
-	dns_rdata_rrsig_t *sig = target;
-	dns_name_t signer;
-
-	REQUIRE(rdata->type == 46);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	sig->common.rdclass = rdata->rdclass;
-	sig->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&sig->common, link);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Type covered.
-	 */
-	sig->covered = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Algorithm.
-	 */
-	sig->algorithm = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/*
-	 * Labels.
-	 */
-	sig->labels = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/*
-	 * Original TTL.
-	 */
-	sig->originalttl = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Expire time.
-	 */
-	sig->timeexpire = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Time signed.
-	 */
-	sig->timesigned = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Key ID.
-	 */
-	sig->keyid = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	dns_name_init(&signer, NULL);
-	dns_name_fromregion(&signer, &sr);
-	dns_name_init(&sig->signer, NULL);
-	RETERR(name_duporclone(&signer, mctx, &sig->signer));
-	isc_region_consume(&sr, name_length(&sig->signer));
-
-	/*
-	 * Signature.
-	 */
-	sig->siglen = sr.length;
-	sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
-	if (sig->signature == NULL)
-		goto cleanup;
-
-
-	sig->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL)
-		dns_name_free(&sig->signer, mctx);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_rrsig(ARGS_FREESTRUCT) {
-	dns_rdata_rrsig_t *sig = (dns_rdata_rrsig_t *) source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(sig->common.rdtype == 46);
-
-	if (sig->mctx == NULL)
-		return;
-
-	dns_name_free(&sig->signer, sig->mctx);
-	if (sig->signature != NULL)
-		isc_mem_free(sig->mctx, sig->signature);
-	sig->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_rrsig(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 46);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_rrsig(ARGS_DIGEST) {
-
-	REQUIRE(rdata->type == 46);
-
-	UNUSED(rdata);
-	UNUSED(digest);
-	UNUSED(arg);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline dns_rdatatype_t
-covers_rrsig(dns_rdata_t *rdata) {
-	dns_rdatatype_t type;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 46);
-
-	dns_rdata_toregion(rdata, &r);
-	type = uint16_fromregion(&r);
-
-	return (type);
-}
-
-static inline isc_boolean_t
-checkowner_rrsig(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 46);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_rrsig(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 46);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_rrsig(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 46);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-
-	INSIST(r1.length > 18);
-	INSIST(r2.length > 18);
-	r1.length = 18;
-	r2.length = 18;
-	order = isc_region_compare(&r1, &r2);
-	if (order != 0)
-		return (order);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	isc_region_consume(&r1, 18);
-	isc_region_consume(&r2, 18);
-	dns_name_fromregion(&name1, &r1);
-	dns_name_fromregion(&name2, &r2);
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	isc_region_consume(&r1, name_length(&name1));
-	isc_region_consume(&r2, name_length(&name2));
-
-	return (isc_region_compare(&r1, &r2));
-}
-
-#endif	/* RDATA_GENERIC_RRSIG_46_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h
deleted file mode 100644
index 8e8dc4e..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_DNSSIG_46_H
-#define GENERIC_DNSSIG_46_H 1
-
-/* $Id: rrsig_46.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC2535 */
-typedef struct dns_rdata_rrsig {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	dns_rdatatype_t		covered;
-	dns_secalg_t		algorithm;
-	isc_uint8_t		labels;
-	isc_uint32_t		originalttl;
-	isc_uint32_t		timeexpire;
-	isc_uint32_t		timesigned;
-	isc_uint16_t		keyid;
-        dns_name_t		signer;
-	isc_uint16_t		siglen;
-	unsigned char *		signature;
-} dns_rdata_rrsig_t;
-
-
-#endif /* GENERIC_DNSSIG_46_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rt_21.c b/contrib/bind9/lib/dns/rdata/generic/rt_21.c
deleted file mode 100644
index 8f71a2a..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/rt_21.c
+++ /dev/null
@@ -1,316 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rt_21.c,v 1.48 2009/12/04 22:06:37 tbox Exp $ */
-
-/* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
-
-/* RFC1183 */
-
-#ifndef RDATA_GENERIC_RT_21_C
-#define RDATA_GENERIC_RT_21_C
-
-#define RRTYPE_RT_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_rt(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	isc_boolean_t ok;
-
-	REQUIRE(type == 21);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	ok = ISC_TRUE;
-	if ((options & DNS_RDATA_CHECKNAMES) != 0)
-		ok = dns_name_ishostname(&name, ISC_FALSE);
-	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-		RETTOK(DNS_R_BADNAME);
-	if (!ok && callbacks != NULL)
-		warn_badname(&name, lexer, callbacks);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_rt(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	char buf[sizeof("64000")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 21);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-	dns_name_fromregion(&name, &region);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_rt(ARGS_FROMWIRE) {
-	dns_name_t name;
-	isc_region_t sregion;
-	isc_region_t tregion;
-
-	REQUIRE(type == 21);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-
-	isc_buffer_activeregion(source, &sregion);
-	isc_buffer_availableregion(target, &tregion);
-	if (tregion.length < 2)
-		return (ISC_R_NOSPACE);
-	if (sregion.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	memcpy(tregion.base, sregion.base, 2);
-	isc_buffer_forward(source, 2);
-	isc_buffer_add(target, 2);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_rt(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-	isc_region_t tr;
-
-	REQUIRE(rdata->type == 21);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	isc_buffer_availableregion(target, &tr);
-	dns_rdata_toregion(rdata, &region);
-	if (tr.length < 2)
-		return (ISC_R_NOSPACE);
-	memcpy(tr.base, region.base, 2);
-	isc_region_consume(&region, 2);
-	isc_buffer_add(target, 2);
-
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_rt(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 21);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	order = memcmp(rdata1->data, rdata2->data, 2);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	isc_region_consume(&region1, 2);
-	isc_region_consume(&region2, 2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_rt(ARGS_FROMSTRUCT) {
-	dns_rdata_rt_t *rt = source;
-	isc_region_t region;
-
-	REQUIRE(type == 21);
-	REQUIRE(source != NULL);
-	REQUIRE(rt->common.rdtype == type);
-	REQUIRE(rt->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(rt->preference, target));
-	dns_name_toregion(&rt->host, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_rt(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_rt_t *rt = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 21);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	rt->common.rdclass = rdata->rdclass;
-	rt->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&rt->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	rt->preference = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&rt->host, NULL);
-	RETERR(name_duporclone(&name, mctx, &rt->host));
-
-	rt->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_rt(ARGS_FREESTRUCT) {
-	dns_rdata_rt_t *rt = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(rt->common.rdtype == 21);
-
-	if (rt->mctx == NULL)
-		return;
-
-	dns_name_free(&rt->host, rt->mctx);
-	rt->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_rt(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-	isc_result_t result;
-
-	REQUIRE(rdata->type == 21);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 2);
-	dns_name_fromregion(&name, &region);
-
-	result = (add)(arg, &name, dns_rdatatype_x25);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = (add)(arg, &name, dns_rdatatype_isdn);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_rt(ARGS_DIGEST) {
-	isc_region_t r1, r2;
-	isc_result_t result;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 21);
-
-	dns_rdata_toregion(rdata, &r1);
-	r2 = r1;
-	isc_region_consume(&r2, 2);
-	r1.length = 2;
-	result = (digest)(arg, &r1);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r2);
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_rt(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 21);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_rt(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 21);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 2);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ishostname(&name, ISC_FALSE)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_rt(ARGS_COMPARE) {
-	return (compare_rt(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_RT_21_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rt_21.h b/contrib/bind9/lib/dns/rdata/generic/rt_21.h
deleted file mode 100644
index 2c0e9fc..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/rt_21.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_RT_21_H
-#define GENERIC_RT_21_H 1
-
-/* $Id: rt_21.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC1183 */
-
-typedef struct dns_rdata_rt {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		preference;
-	dns_name_t		host;
-} dns_rdata_rt_t;
-
-#endif /* GENERIC_RT_21_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sig_24.c b/contrib/bind9/lib/dns/rdata/generic/sig_24.c
deleted file mode 100644
index 803a864..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/sig_24.c
+++ /dev/null
@@ -1,585 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
-
-/* RFC2535 */
-
-#ifndef RDATA_GENERIC_SIG_24_C
-#define RDATA_GENERIC_SIG_24_C
-
-#define RRTYPE_SIG_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_sig(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char c;
-	long i;
-	dns_rdatatype_t covered;
-	char *e;
-	isc_result_t result;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	isc_uint32_t time_signed, time_expire;
-
-	REQUIRE(type == 24);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Type covered.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
-		i = strtol(DNS_AS_STR(token), &e, 10);
-		if (i < 0 || i > 65535)
-			RETTOK(ISC_R_RANGE);
-		if (*e != 0)
-			RETTOK(result);
-		covered = (dns_rdatatype_t)i;
-	}
-	RETERR(uint16_tobuffer(covered, target));
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
-	RETERR(mem_tobuffer(target, &c, 1));
-
-	/*
-	 * Labels.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	c = (unsigned char)token.value.as_ulong;
-	RETERR(mem_tobuffer(target, &c, 1));
-
-	/*
-	 * Original ttl.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Signature expiration.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
-	RETERR(uint32_tobuffer(time_expire, target));
-
-	/*
-	 * Time signed.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
-	RETERR(uint32_tobuffer(time_signed, target));
-
-	/*
-	 * Key footprint.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Signer.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
-	/*
-	 * Sig.
-	 */
-	return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_sig(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("4294967295")];
-	dns_rdatatype_t covered;
-	unsigned long ttl;
-	unsigned long when;
-	unsigned long exp;
-	unsigned long foot;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 24);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Type covered.
-	 */
-	covered = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	/*
-	 * XXXAG We should have something like dns_rdatatype_isknown()
-	 * that does the right thing with type 0.
-	 */
-	if (dns_rdatatype_isknown(covered) && covered != 0) {
-		RETERR(dns_rdatatype_totext(covered, target));
-	} else {
-		char buf[sizeof("65535")];
-		sprintf(buf, "%u", covered);
-		RETERR(str_totext(buf, target));
-	}
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Algorithm.
-	 */
-	sprintf(buf, "%u", sr.base[0]);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Labels.
-	 */
-	sprintf(buf, "%u", sr.base[0]);
-	isc_region_consume(&sr, 1);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Ttl.
-	 */
-	ttl = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	sprintf(buf, "%lu", ttl);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Sig exp.
-	 */
-	exp = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	RETERR(dns_time32_totext(exp, target));
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-
-	/*
-	 * Time signed.
-	 */
-	when = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	RETERR(dns_time32_totext(when, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Footprint.
-	 */
-	foot = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu", foot);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Signer.
-	 */
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-	dns_name_fromregion(&name, &sr);
-	isc_region_consume(&sr, name_length(&name));
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	RETERR(dns_name_totext(&prefix, sub, target));
-
-	/*
-	 * Sig.
-	 */
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0)   /* No splitting */
-		RETERR(isc_base64_totext(&sr, 60, "", target));
-	else
-		RETERR(isc_base64_totext(&sr, tctx->width - 2,
-					 tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_sig(ARGS_FROMWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-
-	REQUIRE(type == 24);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	isc_buffer_activeregion(source, &sr);
-	/*
-	 * type covered: 2
-	 * algorithm: 1
-	 * labels: 1
-	 * original ttl: 4
-	 * signature expiration: 4
-	 * time signed: 4
-	 * key footprint: 2
-	 */
-	if (sr.length < 18)
-		return (ISC_R_UNEXPECTEDEND);
-
-	isc_buffer_forward(source, 18);
-	RETERR(mem_tobuffer(target, sr.base, 18));
-
-	/*
-	 * Signer.
-	 */
-	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
-	/*
-	 * Sig.
-	 */
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_sig(ARGS_TOWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-	dns_offsets_t offsets;
-
-	REQUIRE(rdata->type == 24);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_rdata_toregion(rdata, &sr);
-	/*
-	 * type covered: 2
-	 * algorithm: 1
-	 * labels: 1
-	 * original ttl: 4
-	 * signature expiration: 4
-	 * time signed: 4
-	 * key footprint: 2
-	 */
-	RETERR(mem_tobuffer(target, sr.base, 18));
-	isc_region_consume(&sr, 18);
-
-	/*
-	 * Signer.
-	 */
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &sr);
-	isc_region_consume(&sr, name_length(&name));
-	RETERR(dns_name_towire(&name, cctx, target));
-
-	/*
-	 * Signature.
-	 */
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_sig(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 24);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-
-	INSIST(r1.length > 18);
-	INSIST(r2.length > 18);
-	r1.length = 18;
-	r2.length = 18;
-	order = isc_region_compare(&r1, &r2);
-	if (order != 0)
-		return (order);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	isc_region_consume(&r1, 18);
-	isc_region_consume(&r2, 18);
-	dns_name_fromregion(&name1, &r1);
-	dns_name_fromregion(&name2, &r2);
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	isc_region_consume(&r1, name_length(&name1));
-	isc_region_consume(&r2, name_length(&name2));
-
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_sig(ARGS_FROMSTRUCT) {
-	dns_rdata_sig_t *sig = source;
-
-	REQUIRE(type == 24);
-	REQUIRE(source != NULL);
-	REQUIRE(sig->common.rdtype == type);
-	REQUIRE(sig->common.rdclass == rdclass);
-	REQUIRE(sig->signature != NULL || sig->siglen == 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	/*
-	 * Type covered.
-	 */
-	RETERR(uint16_tobuffer(sig->covered, target));
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(uint8_tobuffer(sig->algorithm, target));
-
-	/*
-	 * Labels.
-	 */
-	RETERR(uint8_tobuffer(sig->labels, target));
-
-	/*
-	 * Original TTL.
-	 */
-	RETERR(uint32_tobuffer(sig->originalttl, target));
-
-	/*
-	 * Expire time.
-	 */
-	RETERR(uint32_tobuffer(sig->timeexpire, target));
-
-	/*
-	 * Time signed.
-	 */
-	RETERR(uint32_tobuffer(sig->timesigned, target));
-
-	/*
-	 * Key ID.
-	 */
-	RETERR(uint16_tobuffer(sig->keyid, target));
-
-	/*
-	 * Signer name.
-	 */
-	RETERR(name_tobuffer(&sig->signer, target));
-
-	/*
-	 * Signature.
-	 */
-	return (mem_tobuffer(target, sig->signature, sig->siglen));
-}
-
-static inline isc_result_t
-tostruct_sig(ARGS_TOSTRUCT) {
-	isc_region_t sr;
-	dns_rdata_sig_t *sig = target;
-	dns_name_t signer;
-
-	REQUIRE(rdata->type == 24);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	sig->common.rdclass = rdata->rdclass;
-	sig->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&sig->common, link);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Type covered.
-	 */
-	sig->covered = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Algorithm.
-	 */
-	sig->algorithm = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/*
-	 * Labels.
-	 */
-	sig->labels = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-
-	/*
-	 * Original TTL.
-	 */
-	sig->originalttl = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Expire time.
-	 */
-	sig->timeexpire = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Time signed.
-	 */
-	sig->timesigned = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Key ID.
-	 */
-	sig->keyid = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	dns_name_init(&signer, NULL);
-	dns_name_fromregion(&signer, &sr);
-	dns_name_init(&sig->signer, NULL);
-	RETERR(name_duporclone(&signer, mctx, &sig->signer));
-	isc_region_consume(&sr, name_length(&sig->signer));
-
-	/*
-	 * Signature.
-	 */
-	sig->siglen = sr.length;
-	sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
-	if (sig->signature == NULL)
-		goto cleanup;
-
-
-	sig->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL)
-		dns_name_free(&sig->signer, mctx);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_sig(ARGS_FREESTRUCT) {
-	dns_rdata_sig_t *sig = (dns_rdata_sig_t *) source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(sig->common.rdtype == 24);
-
-	if (sig->mctx == NULL)
-		return;
-
-	dns_name_free(&sig->signer, sig->mctx);
-	if (sig->signature != NULL)
-		isc_mem_free(sig->mctx, sig->signature);
-	sig->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_sig(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 24);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_sig(ARGS_DIGEST) {
-
-	REQUIRE(rdata->type == 24);
-
-	UNUSED(rdata);
-	UNUSED(digest);
-	UNUSED(arg);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline dns_rdatatype_t
-covers_sig(dns_rdata_t *rdata) {
-	dns_rdatatype_t type;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 24);
-
-	dns_rdata_toregion(rdata, &r);
-	type = uint16_fromregion(&r);
-
-	return (type);
-}
-
-static inline isc_boolean_t
-checkowner_sig(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 24);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_sig(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 24);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_sig(ARGS_COMPARE) {
-	return (compare_sig(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_SIG_24_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sig_24.h b/contrib/bind9/lib/dns/rdata/generic/sig_24.h
deleted file mode 100644
index 7212d4d..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/sig_24.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_SIG_24_H
-#define GENERIC_SIG_24_H 1
-
-/* $Id: sig_24.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC2535 */
-
-typedef struct dns_rdata_sig_t {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	dns_rdatatype_t		covered;
-	dns_secalg_t		algorithm;
-	isc_uint8_t		labels;
-	isc_uint32_t		originalttl;
-	isc_uint32_t		timeexpire;
-	isc_uint32_t		timesigned;
-	isc_uint16_t		keyid;
-        dns_name_t		signer;
-	isc_uint16_t		siglen;
-	unsigned char *		signature;
-} dns_rdata_sig_t;
-
-
-#endif /* GENERIC_SIG_24_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/soa_6.c b/contrib/bind9/lib/dns/rdata/generic/soa_6.c
deleted file mode 100644
index ac0a38f..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/soa_6.c
+++ /dev/null
@@ -1,449 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */
-
-#ifndef RDATA_GENERIC_SOA_6_C
-#define RDATA_GENERIC_SOA_6_C
-
-#define RRTYPE_SOA_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
-
-static inline isc_result_t
-fromtext_soa(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	int i;
-	isc_uint32_t n;
-	isc_boolean_t ok;
-
-	REQUIRE(type == 6);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	origin = (origin != NULL) ? origin : dns_rootname;
-
-	for (i = 0; i < 2; i++) {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string,
-					      ISC_FALSE));
-
-		dns_name_init(&name, NULL);
-		buffer_fromregion(&buffer, &token.value.as_region);
-		RETTOK(dns_name_fromtext(&name, &buffer, origin,
-					 options, target));
-		ok = ISC_TRUE;
-		if ((options & DNS_RDATA_CHECKNAMES) != 0)
-			switch (i) {
-			case 0:
-				ok = dns_name_ishostname(&name, ISC_FALSE);
-				break;
-			case 1:
-				ok = dns_name_ismailbox(&name);
-				break;
-
-			}
-		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-			RETTOK(DNS_R_BADNAME);
-		if (!ok && callbacks != NULL)
-			warn_badname(&name, lexer, callbacks);
-	}
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
-	for (i = 0; i < 4; i++) {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string,
-					      ISC_FALSE));
-		RETTOK(dns_counter_fromtext(&token.value.as_textregion, &n));
-		RETERR(uint32_tobuffer(n, target));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static const char *soa_fieldnames[5] = {
-	"serial", "refresh", "retry", "expire", "minimum"
-};
-
-static inline isc_result_t
-totext_soa(ARGS_TOTEXT) {
-	isc_region_t dregion;
-	dns_name_t mname;
-	dns_name_t rname;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	int i;
-	isc_boolean_t multiline;
-	isc_boolean_t comment;
-
-	REQUIRE(rdata->type == 6);
-	REQUIRE(rdata->length != 0);
-
-	multiline = ISC_TF((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0);
-	if (multiline)
-		comment = ISC_TF((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0);
-	else
-		comment = ISC_FALSE;
-
-
-	dns_name_init(&mname, NULL);
-	dns_name_init(&rname, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &dregion);
-
-	dns_name_fromregion(&mname, &dregion);
-	isc_region_consume(&dregion, name_length(&mname));
-
-	dns_name_fromregion(&rname, &dregion);
-	isc_region_consume(&dregion, name_length(&rname));
-
-	sub = name_prefix(&mname, tctx->origin, &prefix);
-	RETERR(dns_name_totext(&prefix, sub, target));
-
-	RETERR(str_totext(" ", target));
-
-	sub = name_prefix(&rname, tctx->origin, &prefix);
-	RETERR(dns_name_totext(&prefix, sub, target));
-
-	if (multiline)
-		RETERR(str_totext(" (" , target));
-	RETERR(str_totext(tctx->linebreak, target));
-
-	for (i = 0; i < 5; i++) {
-		char buf[sizeof("0123456789 ; ")];
-		unsigned long num;
-		num = uint32_fromregion(&dregion);
-		isc_region_consume(&dregion, 4);
-		sprintf(buf, comment ? "%-10lu ; " : "%lu", num);
-		RETERR(str_totext(buf, target));
-		if (comment) {
-			RETERR(str_totext(soa_fieldnames[i], target));
-			/* Print times in week/day/hour/minute/second form */
-			if (i >= 1) {
-				RETERR(str_totext(" (", target));
-				RETERR(dns_ttl_totext(num, ISC_TRUE, target));
-				RETERR(str_totext(")", target));
-			}
-			RETERR(str_totext(tctx->linebreak, target));
-		} else if (i < 4) {
-			RETERR(str_totext(tctx->linebreak, target));
-		}
-	}
-
-	if (multiline)
-		RETERR(str_totext(")", target));
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_soa(ARGS_FROMWIRE) {
-	dns_name_t mname;
-	dns_name_t rname;
-	isc_region_t sregion;
-	isc_region_t tregion;
-
-	REQUIRE(type == 6);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&mname, NULL);
-	dns_name_init(&rname, NULL);
-
-	RETERR(dns_name_fromwire(&mname, source, dctx, options, target));
-	RETERR(dns_name_fromwire(&rname, source, dctx, options, target));
-
-	isc_buffer_activeregion(source, &sregion);
-	isc_buffer_availableregion(target, &tregion);
-
-	if (sregion.length < 20)
-		return (ISC_R_UNEXPECTEDEND);
-	if (tregion.length < 20)
-		return (ISC_R_NOSPACE);
-
-	memcpy(tregion.base, sregion.base, 20);
-	isc_buffer_forward(source, 20);
-	isc_buffer_add(target, 20);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_soa(ARGS_TOWIRE) {
-	isc_region_t sregion;
-	isc_region_t tregion;
-	dns_name_t mname;
-	dns_name_t rname;
-	dns_offsets_t moffsets;
-	dns_offsets_t roffsets;
-
-	REQUIRE(rdata->type == 6);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
-	dns_name_init(&mname, moffsets);
-	dns_name_init(&rname, roffsets);
-
-	dns_rdata_toregion(rdata, &sregion);
-
-	dns_name_fromregion(&mname, &sregion);
-	isc_region_consume(&sregion, name_length(&mname));
-	RETERR(dns_name_towire(&mname, cctx, target));
-
-	dns_name_fromregion(&rname, &sregion);
-	isc_region_consume(&sregion, name_length(&rname));
-	RETERR(dns_name_towire(&rname, cctx, target));
-
-	isc_buffer_availableregion(target, &tregion);
-	if (tregion.length < 20)
-		return (ISC_R_NOSPACE);
-
-	memcpy(tregion.base, sregion.base, 20);
-	isc_buffer_add(target, 20);
-	return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_soa(ARGS_COMPARE) {
-	isc_region_t region1;
-	isc_region_t region2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 6);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	isc_region_consume(&region1, name_length(&name1));
-	isc_region_consume(&region2, name_length(&name2));
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	isc_region_consume(&region1, name_length(&name1));
-	isc_region_consume(&region2, name_length(&name2));
-
-	return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_soa(ARGS_FROMSTRUCT) {
-	dns_rdata_soa_t *soa = source;
-	isc_region_t region;
-
-	REQUIRE(type == 6);
-	REQUIRE(source != NULL);
-	REQUIRE(soa->common.rdtype == type);
-	REQUIRE(soa->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&soa->origin, &region);
-	RETERR(isc_buffer_copyregion(target, &region));
-	dns_name_toregion(&soa->contact, &region);
-	RETERR(isc_buffer_copyregion(target, &region));
-	RETERR(uint32_tobuffer(soa->serial, target));
-	RETERR(uint32_tobuffer(soa->refresh, target));
-	RETERR(uint32_tobuffer(soa->retry, target));
-	RETERR(uint32_tobuffer(soa->expire, target));
-	return (uint32_tobuffer(soa->minimum, target));
-}
-
-static inline isc_result_t
-tostruct_soa(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_soa_t *soa = target;
-	dns_name_t name;
-	isc_result_t result;
-
-	REQUIRE(rdata->type == 6);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	soa->common.rdclass = rdata->rdclass;
-	soa->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&soa->common, link);
-
-
-	dns_rdata_toregion(rdata, &region);
-
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	isc_region_consume(&region, name_length(&name));
-	dns_name_init(&soa->origin, NULL);
-	RETERR(name_duporclone(&name, mctx, &soa->origin));
-
-	dns_name_fromregion(&name, &region);
-	isc_region_consume(&region, name_length(&name));
-	dns_name_init(&soa->contact, NULL);
-	result = name_duporclone(&name, mctx, &soa->contact);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	soa->serial = uint32_fromregion(&region);
-	isc_region_consume(&region, 4);
-
-	soa->refresh = uint32_fromregion(&region);
-	isc_region_consume(&region, 4);
-
-	soa->retry = uint32_fromregion(&region);
-	isc_region_consume(&region, 4);
-
-	soa->expire = uint32_fromregion(&region);
-	isc_region_consume(&region, 4);
-
-	soa->minimum = uint32_fromregion(&region);
-
-	soa->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL)
-		dns_name_free(&soa->origin, mctx);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_soa(ARGS_FREESTRUCT) {
-	dns_rdata_soa_t *soa = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(soa->common.rdtype == 6);
-
-	if (soa->mctx == NULL)
-		return;
-
-	dns_name_free(&soa->origin, soa->mctx);
-	dns_name_free(&soa->contact, soa->mctx);
-	soa->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_soa(ARGS_ADDLDATA) {
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	REQUIRE(rdata->type == 6);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_soa(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 6);
-
-	dns_rdata_toregion(rdata, &r);
-
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-	RETERR(dns_name_digest(&name, digest, arg));
-	isc_region_consume(&r, name_length(&name));
-
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-	RETERR(dns_name_digest(&name, digest, arg));
-	isc_region_consume(&r, name_length(&name));
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_soa(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 6);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_soa(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 6);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ishostname(&name, ISC_FALSE)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	isc_region_consume(&region, name_length(&name));
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ismailbox(&name)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_soa(ARGS_COMPARE) {
-	return (compare_soa(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_SOA_6_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/soa_6.h b/contrib/bind9/lib/dns/rdata/generic/soa_6.h
deleted file mode 100644
index 7443b04..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/soa_6.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_SOA_6_H
-#define GENERIC_SOA_6_H 1
-
-/* $Id: soa_6.h,v 1.32 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_soa {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		origin;
-	dns_name_t		contact;
-	isc_uint32_t		serial;		/*%< host order */
-	isc_uint32_t		refresh;	/*%< host order */
-	isc_uint32_t		retry;		/*%< host order */
-	isc_uint32_t		expire;		/*%< host order */
-	isc_uint32_t		minimum;	/*%< host order */
-} dns_rdata_soa_t;
-
-
-#endif /* GENERIC_SOA_6_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/spf_99.c b/contrib/bind9/lib/dns/rdata/generic/spf_99.c
deleted file mode 100644
index 492e315..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/spf_99.c
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: spf_99.c,v 1.6 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
-
-#ifndef RDATA_GENERIC_SPF_99_C
-#define RDATA_GENERIC_SPF_99_C
-
-#define RRTYPE_SPF_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_spf(ARGS_FROMTEXT) {
-	isc_token_t token;
-	int strings;
-
-	REQUIRE(type == 99);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	strings = 0;
-	for (;;) {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_qstring,
-					      ISC_TRUE));
-		if (token.type != isc_tokentype_qstring &&
-		    token.type != isc_tokentype_string)
-			break;
-		RETTOK(txt_fromtext(&token.value.as_textregion, target));
-		strings++;
-	}
-	/* Let upper layer handle eol/eof. */
-	isc_lex_ungettoken(lexer, &token);
-	return (strings == 0 ? ISC_R_UNEXPECTEDEND : ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_spf(ARGS_TOTEXT) {
-	isc_region_t region;
-
-	UNUSED(tctx);
-
-	REQUIRE(rdata->type == 99);
-
-	dns_rdata_toregion(rdata, &region);
-
-	while (region.length > 0) {
-		RETERR(txt_totext(&region, target));
-		if (region.length > 0)
-			RETERR(str_totext(" ", target));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_spf(ARGS_FROMWIRE) {
-	isc_result_t result;
-
-	REQUIRE(type == 99);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	do {
-		result = txt_fromwire(source, target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} while (!buffer_empty(source));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_spf(ARGS_TOWIRE) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 99);
-
-	UNUSED(cctx);
-
-	isc_buffer_availableregion(target, &region);
-	if (region.length < rdata->length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(region.base, rdata->data, rdata->length);
-	isc_buffer_add(target, rdata->length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_spf(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 99);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_spf(ARGS_FROMSTRUCT) {
-	dns_rdata_spf_t *txt = source;
-	isc_region_t region;
-	isc_uint8_t length;
-
-	REQUIRE(type == 99);
-	REQUIRE(source != NULL);
-	REQUIRE(txt->common.rdtype == type);
-	REQUIRE(txt->common.rdclass == rdclass);
-	REQUIRE(txt->txt != NULL && txt->txt_len != 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	region.base = txt->txt;
-	region.length = txt->txt_len;
-	while (region.length > 0) {
-		length = uint8_fromregion(&region);
-		isc_region_consume(&region, 1);
-		if (region.length <= length)
-			return (ISC_R_UNEXPECTEDEND);
-		isc_region_consume(&region, length);
-	}
-
-	return (mem_tobuffer(target, txt->txt, txt->txt_len));
-}
-
-static inline isc_result_t
-tostruct_spf(ARGS_TOSTRUCT) {
-	dns_rdata_spf_t *txt = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 99);
-	REQUIRE(target != NULL);
-
-	txt->common.rdclass = rdata->rdclass;
-	txt->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&txt->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-	txt->txt_len = r.length;
-	txt->txt = mem_maybedup(mctx, r.base, r.length);
-	if (txt->txt == NULL)
-		return (ISC_R_NOMEMORY);
-
-	txt->offset = 0;
-	txt->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_spf(ARGS_FREESTRUCT) {
-	dns_rdata_spf_t *txt = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(txt->common.rdtype == 99);
-
-	if (txt->mctx == NULL)
-		return;
-
-	if (txt->txt != NULL)
-		isc_mem_free(txt->mctx, txt->txt);
-	txt->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_spf(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 99);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_spf(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 99);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_spf(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 99);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_spf(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 99);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_spf(ARGS_COMPARE) {
-	return (compare_spf(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_SPF_99_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/spf_99.h b/contrib/bind9/lib/dns/rdata/generic/spf_99.h
deleted file mode 100644
index be5e978..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/spf_99.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_SPF_99_H
-#define GENERIC_SPF_99_H 1
-
-/* $Id: spf_99.h,v 1.4 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_spf_string {
-                isc_uint8_t    length;
-                unsigned char   *data;
-} dns_rdata_spf_string_t;
-
-typedef struct dns_rdata_spf {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        unsigned char           *txt;
-        isc_uint16_t            txt_len;
-        /* private */
-        isc_uint16_t            offset;
-} dns_rdata_spf_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_spf_first(dns_rdata_spf_t *);
-
-isc_result_t
-dns_rdata_spf_next(dns_rdata_spf_t *);
-
-isc_result_t
-dns_rdata_spf_current(dns_rdata_spf_t *, dns_rdata_spf_string_t *);
-
-#endif /* GENERIC_SPF_99_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
deleted file mode 100644
index d553cd4..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/*
- * Copyright (C) 2004, 2006, 2007, 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* RFC 4255 */
-
-#ifndef RDATA_GENERIC_SSHFP_44_C
-#define RDATA_GENERIC_SSHFP_44_C
-
-#define RRTYPE_SSHFP_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_sshfp(ARGS_FROMTEXT) {
-	isc_token_t token;
-
-	REQUIRE(type == 44);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Digest type.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Digest.
-	 */
-	return (isc_hex_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_sshfp(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("64000 ")];
-	unsigned int n;
-
-	REQUIRE(rdata->type == 44);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Algorithm.
-	 */
-	n = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Digest type.
-	 */
-	n = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Digest.
-	 */
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0) /* No splitting */
-		RETERR(isc_hex_totext(&sr, 0, "", target));
-	else
-		RETERR(isc_hex_totext(&sr, tctx->width - 2,
-				      tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_sshfp(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 44);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_sshfp(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 44);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_sshfp(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 44);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_sshfp(ARGS_FROMSTRUCT) {
-	dns_rdata_sshfp_t *sshfp = source;
-
-	REQUIRE(type == 44);
-	REQUIRE(source != NULL);
-	REQUIRE(sshfp->common.rdtype == type);
-	REQUIRE(sshfp->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint8_tobuffer(sshfp->algorithm, target));
-	RETERR(uint8_tobuffer(sshfp->digest_type, target));
-
-	return (mem_tobuffer(target, sshfp->digest, sshfp->length));
-}
-
-static inline isc_result_t
-tostruct_sshfp(ARGS_TOSTRUCT) {
-	dns_rdata_sshfp_t *sshfp = target;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 44);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	sshfp->common.rdclass = rdata->rdclass;
-	sshfp->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&sshfp->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-
-	sshfp->algorithm = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	sshfp->digest_type = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	sshfp->length = region.length;
-
-	sshfp->digest = mem_maybedup(mctx, region.base, region.length);
-	if (sshfp->digest == NULL)
-		return (ISC_R_NOMEMORY);
-
-	sshfp->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_sshfp(ARGS_FREESTRUCT) {
-	dns_rdata_sshfp_t *sshfp = source;
-
-	REQUIRE(sshfp != NULL);
-	REQUIRE(sshfp->common.rdtype == 44);
-
-	if (sshfp->mctx == NULL)
-		return;
-
-	if (sshfp->digest != NULL)
-		isc_mem_free(sshfp->mctx, sshfp->digest);
-	sshfp->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_sshfp(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 44);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_sshfp(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 44);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_sshfp(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 44);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_sshfp(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 44);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_sshfp(ARGS_COMPARE) {
-	return (compare_sshfp(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_SSHFP_44_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h
deleted file mode 100644
index daea74c..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sshfp_44.h,v 1.8 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC 4255 */
-
-#ifndef GENERIC_SSHFP_44_H
-#define GENERIC_SSHFP_44_H 1
-
-typedef struct dns_rdata_sshfp {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint8_t		algorithm;
-	isc_uint8_t		digest_type;
-	isc_uint16_t		length;
-	unsigned char		*digest;
-} dns_rdata_sshfp_t;
-
-#endif /* GENERIC_SSHFP_44_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/tkey_249.c b/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
deleted file mode 100644
index 6f1ec02..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
+++ /dev/null
@@ -1,565 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*
- * Reviewed: Thu Mar 16 17:35:30 PST 2000 by halley.
- */
-
-/* draft-ietf-dnsext-tkey-01.txt */
-
-#ifndef RDATA_GENERIC_TKEY_249_C
-#define RDATA_GENERIC_TKEY_249_C
-
-#define RRTYPE_TKEY_ATTRIBUTES (DNS_RDATATYPEATTR_META)
-
-static inline isc_result_t
-fromtext_tkey(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_rcode_t rcode;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	long i;
-	char *e;
-
-	REQUIRE(type == 249);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Algorithm.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
-
-	/*
-	 * Inception.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Expiration.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Mode.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Error.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
-				!= ISC_R_SUCCESS)
-	{
-		i = strtol(DNS_AS_STR(token), &e, 10);
-		if (*e != 0)
-			RETTOK(DNS_R_UNKNOWN);
-		if (i < 0 || i > 0xffff)
-			RETTOK(ISC_R_RANGE);
-		rcode = (dns_rcode_t)i;
-	}
-	RETERR(uint16_tobuffer(rcode, target));
-
-	/*
-	 * Key Size.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Key Data.
-	 */
-	RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
-
-	/*
-	 * Other Size.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Other Data.
-	 */
-	return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
-}
-
-static inline isc_result_t
-totext_tkey(ARGS_TOTEXT) {
-	isc_region_t sr, dr;
-	char buf[sizeof("4294967295 ")];
-	unsigned long n;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 249);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Algorithm.
-	 */
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-	dns_name_fromregion(&name, &sr);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	RETERR(dns_name_totext(&prefix, sub, target));
-	RETERR(str_totext(" ", target));
-	isc_region_consume(&sr, name_length(&name));
-
-	/*
-	 * Inception.
-	 */
-	n = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	sprintf(buf, "%lu ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Expiration.
-	 */
-	n = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-	sprintf(buf, "%lu ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Mode.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Error.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	if (dns_tsigrcode_totext((dns_rcode_t)n, target) == ISC_R_SUCCESS)
-		RETERR(str_totext(" ", target));
-	else {
-		sprintf(buf, "%lu ", n);
-		RETERR(str_totext(buf, target));
-	}
-
-	/*
-	 * Key Size.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Key Data.
-	 */
-	REQUIRE(n <= sr.length);
-	dr = sr;
-	dr.length = n;
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0)   /* No splitting */
-		RETERR(isc_base64_totext(&dr, 60, "", target));
-	else
-		RETERR(isc_base64_totext(&dr, tctx->width - 2,
-					 tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" ) ", target));
-	else
-		RETERR(str_totext(" ", target));
-	isc_region_consume(&sr, n);
-
-	/*
-	 * Other Size.
-	 */
-	n = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Other Data.
-	 */
-	REQUIRE(n <= sr.length);
-	if (n != 0U) {
-	    dr = sr;
-	    dr.length = n;
-	    if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		    RETERR(str_totext(" (", target));
-	    RETERR(str_totext(tctx->linebreak, target));
-		if (tctx->width == 0)   /* No splitting */
-			RETERR(isc_base64_totext(&dr, 60, "", target));
-		else
-			RETERR(isc_base64_totext(&dr, tctx->width - 2,
-						 tctx->linebreak, target));
-	    if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		    RETERR(str_totext(" )", target));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_tkey(ARGS_FROMWIRE) {
-	isc_region_t sr;
-	unsigned long n;
-	dns_name_t name;
-
-	REQUIRE(type == 249);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	/*
-	 * Algorithm.
-	 */
-	dns_name_init(&name, NULL);
-	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
-	/*
-	 * Inception: 4
-	 * Expiration: 4
-	 * Mode: 2
-	 * Error: 2
-	 */
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 12)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sr.base, 12));
-	isc_region_consume(&sr, 12);
-	isc_buffer_forward(source, 12);
-
-	/*
-	 * Key Length + Key Data.
-	 */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	n = uint16_fromregion(&sr);
-	if (sr.length < n + 2)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sr.base, n + 2));
-	isc_region_consume(&sr, n + 2);
-	isc_buffer_forward(source, n + 2);
-
-	/*
-	 * Other Length + Other Data.
-	 */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	n = uint16_fromregion(&sr);
-	if (sr.length < n + 2)
-		return (ISC_R_UNEXPECTEDEND);
-	isc_buffer_forward(source, n + 2);
-	return (mem_tobuffer(target, sr.base, n + 2));
-}
-
-static inline isc_result_t
-towire_tkey(ARGS_TOWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-	dns_offsets_t offsets;
-
-	REQUIRE(rdata->type == 249);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	/*
-	 * Algorithm.
-	 */
-	dns_rdata_toregion(rdata, &sr);
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &sr);
-	RETERR(dns_name_towire(&name, cctx, target));
-	isc_region_consume(&sr, name_length(&name));
-
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_tkey(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-	dns_name_t name1;
-	dns_name_t name2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 249);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	/*
-	 * Algorithm.
-	 */
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-	dns_name_fromregion(&name1, &r1);
-	dns_name_fromregion(&name2, &r2);
-	if ((order = dns_name_rdatacompare(&name1, &name2)) != 0)
-		return (order);
-	isc_region_consume(&r1, name_length(&name1));
-	isc_region_consume(&r2, name_length(&name2));
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_tkey(ARGS_FROMSTRUCT) {
-	dns_rdata_tkey_t *tkey = source;
-
-	REQUIRE(type == 249);
-	REQUIRE(source != NULL);
-	REQUIRE(tkey->common.rdtype == type);
-	REQUIRE(tkey->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	/*
-	 * Algorithm Name.
-	 */
-	RETERR(name_tobuffer(&tkey->algorithm, target));
-
-	/*
-	 * Inception: 32 bits.
-	 */
-	RETERR(uint32_tobuffer(tkey->inception, target));
-
-	/*
-	 * Expire: 32 bits.
-	 */
-	RETERR(uint32_tobuffer(tkey->expire, target));
-
-	/*
-	 * Mode: 16 bits.
-	 */
-	RETERR(uint16_tobuffer(tkey->mode, target));
-
-	/*
-	 * Error: 16 bits.
-	 */
-	RETERR(uint16_tobuffer(tkey->error, target));
-
-	/*
-	 * Key size: 16 bits.
-	 */
-	RETERR(uint16_tobuffer(tkey->keylen, target));
-
-	/*
-	 * Key.
-	 */
-	RETERR(mem_tobuffer(target, tkey->key, tkey->keylen));
-
-	/*
-	 * Other size: 16 bits.
-	 */
-	RETERR(uint16_tobuffer(tkey->otherlen, target));
-
-	/*
-	 * Other data.
-	 */
-	return (mem_tobuffer(target, tkey->other, tkey->otherlen));
-}
-
-static inline isc_result_t
-tostruct_tkey(ARGS_TOSTRUCT) {
-	dns_rdata_tkey_t *tkey = target;
-	dns_name_t alg;
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 249);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	tkey->common.rdclass = rdata->rdclass;
-	tkey->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&tkey->common, link);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Algorithm Name.
-	 */
-	dns_name_init(&alg, NULL);
-	dns_name_fromregion(&alg, &sr);
-	dns_name_init(&tkey->algorithm, NULL);
-	RETERR(name_duporclone(&alg, mctx, &tkey->algorithm));
-	isc_region_consume(&sr, name_length(&tkey->algorithm));
-
-	/*
-	 * Inception.
-	 */
-	tkey->inception = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Expire.
-	 */
-	tkey->expire = uint32_fromregion(&sr);
-	isc_region_consume(&sr, 4);
-
-	/*
-	 * Mode.
-	 */
-	tkey->mode = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Error.
-	 */
-	tkey->error = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Key size.
-	 */
-	tkey->keylen = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Key.
-	 */
-	tkey->key = mem_maybedup(mctx, sr.base, tkey->keylen);
-	if (tkey->key == NULL)
-		goto cleanup;
-	isc_region_consume(&sr, tkey->keylen);
-
-	/*
-	 * Other size.
-	 */
-	tkey->otherlen = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Other.
-	 */
-	tkey->other = mem_maybedup(mctx, sr.base, tkey->otherlen);
-	if (tkey->other == NULL)
-		goto cleanup;
-
-	tkey->mctx = mctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (mctx != NULL)
-		dns_name_free(&tkey->algorithm, mctx);
-	if (mctx != NULL && tkey->key != NULL)
-		isc_mem_free(mctx, tkey->key);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_tkey(ARGS_FREESTRUCT) {
-	dns_rdata_tkey_t *tkey = (dns_rdata_tkey_t *) source;
-
-	REQUIRE(source != NULL);
-
-	if (tkey->mctx == NULL)
-		return;
-
-	dns_name_free(&tkey->algorithm, tkey->mctx);
-	if (tkey->key != NULL)
-		isc_mem_free(tkey->mctx, tkey->key);
-	if (tkey->other != NULL)
-		isc_mem_free(tkey->mctx, tkey->other);
-	tkey->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_tkey(ARGS_ADDLDATA) {
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	REQUIRE(rdata->type == 249);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_tkey(ARGS_DIGEST) {
-	UNUSED(rdata);
-	UNUSED(digest);
-	UNUSED(arg);
-
-	REQUIRE(rdata->type == 249);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_boolean_t
-checkowner_tkey(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 249);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_tkey(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 249);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_result_t
-casecompare_tkey(ARGS_COMPARE) {
-	return (compare_tkey(rdata1, rdata2));
-}
-#endif	/* RDATA_GENERIC_TKEY_249_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/tkey_249.h b/contrib/bind9/lib/dns/rdata/generic/tkey_249.h
deleted file mode 100644
index 34d5646..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/tkey_249.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_TKEY_249_H
-#define GENERIC_TKEY_249_H 1
-
-/* $Id: tkey_249.h,v 1.24 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per draft-ietf-dnsind-tkey-00.txt */
-
-typedef struct dns_rdata_tkey {
-        dns_rdatacommon_t	common;
-        isc_mem_t *		mctx;
-        dns_name_t		algorithm;
-        isc_uint32_t		inception;
-        isc_uint32_t		expire;
-        isc_uint16_t		mode;
-        isc_uint16_t		error;
-        isc_uint16_t		keylen;
-        unsigned char *		key;
-        isc_uint16_t		otherlen;
-        unsigned char *		other;
-} dns_rdata_tkey_t;
-
-
-#endif /* GENERIC_TKEY_249_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/tlsa_52.c b/contrib/bind9/lib/dns/rdata/generic/tlsa_52.c
deleted file mode 100644
index 11c6d75..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/tlsa_52.c
+++ /dev/null
@@ -1,290 +0,0 @@
-/*
- * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* draft-ietf-dane-protocol-19.txt */
-
-#ifndef RDATA_GENERIC_TLSA_52_C
-#define RDATA_GENERIC_TLSA_52_C
-
-#define RRTYPE_TLSA_ATTRIBUTES 0
-
-static inline isc_result_t
-fromtext_tlsa(ARGS_FROMTEXT) {
-	isc_token_t token;
-
-	REQUIRE(type == 52);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/*
-	 * Certificate Usage.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Selector.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Matching type.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Certificate Association Data.
-	 */
-	return (isc_hex_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_tlsa(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof("64000 ")];
-	unsigned int n;
-
-	REQUIRE(rdata->type == 52);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Certificate Usage.
-	 */
-	n = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Selector.
-	 */
-	n = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Matching type.
-	 */
-	n = uint8_fromregion(&sr);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u", n);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Certificate Association Data.
-	 */
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" (", target));
-	RETERR(str_totext(tctx->linebreak, target));
-	if (tctx->width == 0) /* No splitting */
-		RETERR(isc_hex_totext(&sr, 0, "", target));
-	else
-		RETERR(isc_hex_totext(&sr, tctx->width - 2,
-				      tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext(" )", target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_tlsa(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 52);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-
-	if (sr.length < 3)
-		return (ISC_R_UNEXPECTEDEND);
-
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_tlsa(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 52);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_tlsa(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 52);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_tlsa(ARGS_FROMSTRUCT) {
-	dns_rdata_tlsa_t *tlsa = source;
-
-	REQUIRE(type == 52);
-	REQUIRE(source != NULL);
-	REQUIRE(tlsa->common.rdtype == type);
-	REQUIRE(tlsa->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint8_tobuffer(tlsa->usage, target));
-	RETERR(uint8_tobuffer(tlsa->selector, target));
-	RETERR(uint8_tobuffer(tlsa->match, target));
-
-	return (mem_tobuffer(target, tlsa->data, tlsa->length));
-}
-
-static inline isc_result_t
-tostruct_tlsa(ARGS_TOSTRUCT) {
-	dns_rdata_tlsa_t *tlsa = target;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 52);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	tlsa->common.rdclass = rdata->rdclass;
-	tlsa->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&tlsa->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-
-	tlsa->usage = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	tlsa->selector = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	tlsa->match = uint8_fromregion(&region);
-	isc_region_consume(&region, 1);
-	tlsa->length = region.length;
-
-	tlsa->data = mem_maybedup(mctx, region.base, region.length);
-	if (tlsa->data == NULL)
-		return (ISC_R_NOMEMORY);
-
-	tlsa->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_tlsa(ARGS_FREESTRUCT) {
-	dns_rdata_tlsa_t *tlsa = source;
-
-	REQUIRE(tlsa != NULL);
-	REQUIRE(tlsa->common.rdtype == 52);
-
-	if (tlsa->mctx == NULL)
-		return;
-
-	if (tlsa->data != NULL)
-		isc_mem_free(tlsa->mctx, tlsa->data);
-	tlsa->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_tlsa(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 52);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_tlsa(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 52);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_tlsa(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 52);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_tlsa(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 52);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_tlsa(ARGS_COMPARE) {
-	return (compare_tlsa(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_TLSA_52_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/tlsa_52.h b/contrib/bind9/lib/dns/rdata/generic/tlsa_52.h
deleted file mode 100644
index 83ce952..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/tlsa_52.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef GENERIC_TLSA_52_H
-#define GENERIC_TLSA_52_H 1
-
-/*!
- *  \brief per draft-ietf-dane-protocol-19.txt
- */
-typedef struct dns_rdata_tlsa {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint8_t		usage;
-	isc_uint8_t		selector;
-	isc_uint8_t		match;
-	isc_uint16_t		length;
-	unsigned char		*data;
-} dns_rdata_tlsa_t;
-
-#endif /* GENERIC_TLSA_52_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/txt_16.c b/contrib/bind9/lib/dns/rdata/generic/txt_16.c
deleted file mode 100644
index e1bce6a..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/txt_16.c
+++ /dev/null
@@ -1,250 +0,0 @@
-/*
- * Copyright (C) 2004, 2007-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: txt_16.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
-
-#ifndef RDATA_GENERIC_TXT_16_C
-#define RDATA_GENERIC_TXT_16_C
-
-#define RRTYPE_TXT_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_txt(ARGS_FROMTEXT) {
-	isc_token_t token;
-	int strings;
-
-	REQUIRE(type == 16);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	strings = 0;
-	if ((options & DNS_RDATA_UNKNOWNESCAPE) != 0) {
-		isc_textregion_t r;
-		DE_CONST("#", r.base);
-		r.length = 1;
-		RETERR(txt_fromtext(&r, target));
-		strings++;
-	}
-	for (;;) {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_qstring,
-					      ISC_TRUE));
-		if (token.type != isc_tokentype_qstring &&
-		    token.type != isc_tokentype_string)
-			break;
-		RETTOK(txt_fromtext(&token.value.as_textregion, target));
-		strings++;
-	}
-	/* Let upper layer handle eol/eof. */
-	isc_lex_ungettoken(lexer, &token);
-	return (strings == 0 ? ISC_R_UNEXPECTEDEND : ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_txt(ARGS_TOTEXT) {
-	isc_region_t region;
-
-	UNUSED(tctx);
-
-	REQUIRE(rdata->type == 16);
-
-	dns_rdata_toregion(rdata, &region);
-
-	while (region.length > 0) {
-		RETERR(txt_totext(&region, target));
-		if (region.length > 0)
-			RETERR(str_totext(" ", target));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_txt(ARGS_FROMWIRE) {
-	isc_result_t result;
-
-	REQUIRE(type == 16);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	do {
-		result = txt_fromwire(source, target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} while (!buffer_empty(source));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_txt(ARGS_TOWIRE) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 16);
-
-	UNUSED(cctx);
-
-	isc_buffer_availableregion(target, &region);
-	if (region.length < rdata->length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(region.base, rdata->data, rdata->length);
-	isc_buffer_add(target, rdata->length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_txt(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 16);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_txt(ARGS_FROMSTRUCT) {
-	dns_rdata_txt_t *txt = source;
-	isc_region_t region;
-	isc_uint8_t length;
-
-	REQUIRE(type == 16);
-	REQUIRE(source != NULL);
-	REQUIRE(txt->common.rdtype == type);
-	REQUIRE(txt->common.rdclass == rdclass);
-	REQUIRE(txt->txt != NULL && txt->txt_len != 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	region.base = txt->txt;
-	region.length = txt->txt_len;
-	while (region.length > 0) {
-		length = uint8_fromregion(&region);
-		isc_region_consume(&region, 1);
-		if (region.length < length)
-			return (ISC_R_UNEXPECTEDEND);
-		isc_region_consume(&region, length);
-	}
-
-	return (mem_tobuffer(target, txt->txt, txt->txt_len));
-}
-
-static inline isc_result_t
-tostruct_txt(ARGS_TOSTRUCT) {
-	dns_rdata_txt_t *txt = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 16);
-	REQUIRE(target != NULL);
-
-	txt->common.rdclass = rdata->rdclass;
-	txt->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&txt->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-	txt->txt_len = r.length;
-	txt->txt = mem_maybedup(mctx, r.base, r.length);
-	if (txt->txt == NULL)
-		return (ISC_R_NOMEMORY);
-
-	txt->offset = 0;
-	txt->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_txt(ARGS_FREESTRUCT) {
-	dns_rdata_txt_t *txt = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(txt->common.rdtype == 16);
-
-	if (txt->mctx == NULL)
-		return;
-
-	if (txt->txt != NULL)
-		isc_mem_free(txt->mctx, txt->txt);
-	txt->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_txt(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 16);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_txt(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 16);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_txt(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 16);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_txt(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 16);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_result_t
-casecompare_txt(ARGS_COMPARE) {
-	return (compare_txt(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_TXT_16_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/txt_16.h b/contrib/bind9/lib/dns/rdata/generic/txt_16.h
deleted file mode 100644
index fc46486..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/txt_16.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_TXT_16_H
-#define GENERIC_TXT_16_H 1
-
-/* $Id: txt_16.h,v 1.28 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_txt_string {
-                isc_uint8_t    length;
-                unsigned char   *data;
-} dns_rdata_txt_string_t;
-
-typedef struct dns_rdata_txt {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        unsigned char           *txt;
-        isc_uint16_t            txt_len;
-        /* private */
-        isc_uint16_t            offset;
-} dns_rdata_txt_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_txt_first(dns_rdata_txt_t *);
-
-isc_result_t
-dns_rdata_txt_next(dns_rdata_txt_t *);
-
-isc_result_t
-dns_rdata_txt_current(dns_rdata_txt_t *, dns_rdata_txt_string_t *);
-
-#endif /* GENERIC_TXT_16_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/unspec_103.c b/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
deleted file mode 100644
index c335c67..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: unspec_103.c,v 1.37 2009/12/04 22:06:37 tbox Exp $ */
-
-#ifndef RDATA_GENERIC_UNSPEC_103_C
-#define RDATA_GENERIC_UNSPEC_103_C
-
-#define RRTYPE_UNSPEC_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_unspec(ARGS_FROMTEXT) {
-
-	REQUIRE(type == 103);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	return (atob_tobuffer(lexer, target));
-}
-
-static inline isc_result_t
-totext_unspec(ARGS_TOTEXT) {
-
-	REQUIRE(rdata->type == 103);
-
-	UNUSED(tctx);
-
-	return (btoa_totext(rdata->data, rdata->length, target));
-}
-
-static inline isc_result_t
-fromwire_unspec(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 103);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_unspec(ARGS_TOWIRE) {
-
-	REQUIRE(rdata->type == 103);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_unspec(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 103);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_unspec(ARGS_FROMSTRUCT) {
-	dns_rdata_unspec_t *unspec = source;
-
-	REQUIRE(type == 103);
-	REQUIRE(source != NULL);
-	REQUIRE(unspec->common.rdtype == type);
-	REQUIRE(unspec->common.rdclass == rdclass);
-	REQUIRE(unspec->data != NULL || unspec->datalen == 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (mem_tobuffer(target, unspec->data, unspec->datalen));
-}
-
-static inline isc_result_t
-tostruct_unspec(ARGS_TOSTRUCT) {
-	dns_rdata_unspec_t *unspec = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 103);
-	REQUIRE(target != NULL);
-
-	unspec->common.rdclass = rdata->rdclass;
-	unspec->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&unspec->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-	unspec->datalen = r.length;
-	unspec->data = mem_maybedup(mctx, r.base, r.length);
-	if (unspec->data == NULL)
-		return (ISC_R_NOMEMORY);
-
-	unspec->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_unspec(ARGS_FREESTRUCT) {
-	dns_rdata_unspec_t *unspec = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(unspec->common.rdtype == 103);
-
-	if (unspec->mctx == NULL)
-		return;
-
-	if (unspec->data != NULL)
-		isc_mem_free(unspec->mctx, unspec->data);
-	unspec->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_unspec(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 103);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_unspec(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 103);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_unspec(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 103);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_unspec(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 103);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_unspec(ARGS_COMPARE) {
-	return (compare_unspec(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_UNSPEC_103_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/unspec_103.h b/contrib/bind9/lib/dns/rdata/generic/unspec_103.h
deleted file mode 100644
index 4b2d310..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/unspec_103.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_UNSPEC_103_H
-#define GENERIC_UNSPEC_103_H 1
-
-/* $Id: unspec_103.h,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_unspec_t {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*data;
-	isc_uint16_t		datalen;
-} dns_rdata_unspec_t;
-
-#endif /* GENERIC_UNSPEC_103_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/uri_256.c b/contrib/bind9/lib/dns/rdata/generic/uri_256.c
deleted file mode 100644
index 799eb69..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/uri_256.c
+++ /dev/null
@@ -1,331 +0,0 @@
-/*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef GENERIC_URI_256_C
-#define GENERIC_URI_256_C 1
-
-#define RRTYPE_URI_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_uri(ARGS_FROMTEXT) {
-	isc_token_t token;
-
-	REQUIRE(type == 256);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	/*
-	 * Priority
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Weight
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Target URI
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token,
-				      isc_tokentype_qstring, ISC_FALSE));
-	if (token.type != isc_tokentype_qstring)
-		RETTOK(DNS_R_SYNTAX);
-	RETTOK(multitxt_fromtext(&token.value.as_textregion, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_uri(ARGS_TOTEXT) {
-	isc_region_t region;
-	unsigned short priority, weight;
-	char buf[sizeof("65000 ")];
-
-	UNUSED(tctx);
-
-	REQUIRE(rdata->type == 256);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &region);
-
-	/*
-	 * Priority
-	 */
-	priority = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u ", priority);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Weight
-	 */
-	weight = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u ", weight);
-	RETERR(str_totext(buf, target));
-
-	/*
-	 * Target URI
-	 */
-	RETERR(multitxt_totext(&region, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_uri(ARGS_FROMWIRE) {
-	isc_region_t region;
-
-	REQUIRE(type == 256);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	/*
-	 * Priority, weight
-	 */
-	isc_buffer_activeregion(source, &region);
-	if (region.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, region.base, 4));
-	isc_buffer_forward(source, 4);
-
-	/*
-	 * Target URI
-	 */
-	RETERR(multitxt_fromwire(source, target));
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_uri(ARGS_TOWIRE) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 256);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &region);
-	return (mem_tobuffer(target, region.base, region.length));
-}
-
-static inline int
-compare_uri(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 256);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-
-	/*
-	 * Priority
-	 */
-	order = memcmp(r1.base, r2.base, 2);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-	isc_region_consume(&r1, 2);
-	isc_region_consume(&r2, 2);
-
-	/*
-	 * Weight
-	 */
-	order = memcmp(r1.base, r2.base, 2);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-	isc_region_consume(&r1, 2);
-	isc_region_consume(&r2, 2);
-
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_uri(ARGS_FROMSTRUCT) {
-	dns_rdata_uri_t *uri = source;
-	isc_region_t region;
-	isc_uint8_t len;
-
-	REQUIRE(type == 256);
-	REQUIRE(source != NULL);
-	REQUIRE(uri->common.rdtype == type);
-	REQUIRE(uri->common.rdclass == rdclass);
-	REQUIRE(uri->target != NULL && uri->tgt_len != 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	/*
-	 * Priority
-	 */
-	RETERR(uint16_tobuffer(uri->priority, target));
-
-	/*
-	 * Weight
-	 */
-	RETERR(uint16_tobuffer(uri->weight, target));
-
-	/*
-	 * Target URI
-	 */
-	len = 255U;
-	region.base = uri->target;
-	region.length = uri->tgt_len;
-	while (region.length > 0) {
-		REQUIRE(len == 255U);
-		len = uint8_fromregion(&region);
-		isc_region_consume(&region, 1);
-		if (region.length < len)
-			return (ISC_R_UNEXPECTEDEND);
-		isc_region_consume(&region, len);
-	}
-
-	return (mem_tobuffer(target, uri->target, uri->tgt_len));
-}
-
-static inline isc_result_t
-tostruct_uri(ARGS_TOSTRUCT) {
-	dns_rdata_uri_t *uri = target;
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 256);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	uri->common.rdclass = rdata->rdclass;
-	uri->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&uri->common, link);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	/*
-	 * Priority
-	 */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	uri->priority = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Weight
-	 */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	uri->weight = uint16_fromregion(&sr);
-	isc_region_consume(&sr, 2);
-
-	/*
-	 * Target URI
-	 */
-	uri->tgt_len = sr.length;
-	uri->target = mem_maybedup(mctx, sr.base, sr.length);
-	if (uri->target == NULL)
-		return (ISC_R_NOMEMORY);
-
-	uri->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_uri(ARGS_FREESTRUCT) {
-	dns_rdata_uri_t *uri = (dns_rdata_uri_t *) source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(uri->common.rdtype == 256);
-
-	if (uri->mctx == NULL)
-		return;
-
-	if (uri->target != NULL)
-		isc_mem_free(uri->mctx, uri->target);
-	uri->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_uri(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 256);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_uri(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 256);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_uri(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 256);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_uri(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 256);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_uri(ARGS_COMPARE) {
-	return (compare_uri(rdata1, rdata2));
-}
-
-#endif /* GENERIC_URI_256_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/uri_256.h b/contrib/bind9/lib/dns/rdata/generic/uri_256.h
deleted file mode 100644
index 13c8fd2..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/uri_256.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_URI_256_H
-#define GENERIC_URI_256_H 1
-
-/* $Id$ */
-
-typedef struct dns_rdata_uri {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	isc_uint16_t		priority;
-	isc_uint16_t		weight;
-	unsigned char *		target;
-	isc_uint16_t		tgt_len;
-} dns_rdata_uri_t;
-
-#endif /* GENERIC_URI_256_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/x25_19.c b/contrib/bind9/lib/dns/rdata/generic/x25_19.c
deleted file mode 100644
index 6867fec..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/x25_19.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: x25_19.c,v 1.41 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
-
-/* RFC1183 */
-
-#ifndef RDATA_GENERIC_X25_19_C
-#define RDATA_GENERIC_X25_19_C
-
-#define RRTYPE_X25_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_x25(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned int i;
-
-	REQUIRE(type == 19);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
-				      ISC_FALSE));
-	if (token.value.as_textregion.length < 4)
-		RETTOK(DNS_R_SYNTAX);
-	for (i = 0; i < token.value.as_textregion.length; i++)
-		if (!isdigit(token.value.as_textregion.base[i] & 0xff))
-			RETTOK(ISC_R_RANGE);
-	RETTOK(txt_fromtext(&token.value.as_textregion, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_x25(ARGS_TOTEXT) {
-	isc_region_t region;
-
-	UNUSED(tctx);
-
-	REQUIRE(rdata->type == 19);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &region);
-	return (txt_totext(&region, target));
-}
-
-static inline isc_result_t
-fromwire_x25(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 19);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 5)
-		return (DNS_R_FORMERR);
-	return (txt_fromwire(source, target));
-}
-
-static inline isc_result_t
-towire_x25(ARGS_TOWIRE) {
-	UNUSED(cctx);
-
-	REQUIRE(rdata->type == 19);
-	REQUIRE(rdata->length != 0);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_x25(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 19);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_x25(ARGS_FROMSTRUCT) {
-	dns_rdata_x25_t *x25 = source;
-	isc_uint8_t i;
-
-	REQUIRE(type == 19);
-	REQUIRE(source != NULL);
-	REQUIRE(x25->common.rdtype == type);
-	REQUIRE(x25->common.rdclass == rdclass);
-	REQUIRE(x25->x25 != NULL && x25->x25_len != 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	if (x25->x25_len < 4)
-		return (ISC_R_RANGE);
-
-	for (i = 0; i < x25->x25_len; i++)
-		if (!isdigit(x25->x25[i] & 0xff))
-			return (ISC_R_RANGE);
-
-	RETERR(uint8_tobuffer(x25->x25_len, target));
-	return (mem_tobuffer(target, x25->x25, x25->x25_len));
-}
-
-static inline isc_result_t
-tostruct_x25(ARGS_TOSTRUCT) {
-	dns_rdata_x25_t *x25 = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 19);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	x25->common.rdclass = rdata->rdclass;
-	x25->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&x25->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-	x25->x25_len = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	x25->x25 = mem_maybedup(mctx, r.base, x25->x25_len);
-	if (x25->x25 == NULL)
-		return (ISC_R_NOMEMORY);
-
-	x25->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_x25(ARGS_FREESTRUCT) {
-	dns_rdata_x25_t *x25 = source;
-	REQUIRE(source != NULL);
-	REQUIRE(x25->common.rdtype == 19);
-
-	if (x25->mctx == NULL)
-		return;
-
-	if (x25->x25 != NULL)
-		isc_mem_free(x25->mctx, x25->x25);
-	x25->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_x25(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 19);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_x25(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 19);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_x25(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 19);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_x25(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 19);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_x25(ARGS_COMPARE) {
-	return (compare_x25(rdata1, rdata2));
-}
-
-#endif	/* RDATA_GENERIC_X25_19_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/x25_19.h b/contrib/bind9/lib/dns/rdata/generic/x25_19.h
deleted file mode 100644
index 5ebc230..0000000
--- a/contrib/bind9/lib/dns/rdata/generic/x25_19.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_X25_19_H
-#define GENERIC_X25_19_H 1
-
-/* $Id: x25_19.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC1183 */
-
-typedef struct dns_rdata_x25 {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*x25;
-	isc_uint8_t		x25_len;
-} dns_rdata_x25_t;
-
-#endif /* GENERIC_X25_19_H */
diff --git a/contrib/bind9/lib/dns/rdata/hs_4/a_1.c b/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
deleted file mode 100644
index 50ae25d..0000000
--- a/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a_1.c,v 1.33 2009/12/04 22:06:37 tbox Exp $ */
-
-/* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */
-
-#ifndef RDATA_HS_4_A_1_C
-#define RDATA_HS_4_A_1_C
-
-#include <isc/net.h>
-
-#define RRTYPE_A_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_hs_a(ARGS_FROMTEXT) {
-	isc_token_t token;
-	struct in_addr addr;
-	isc_region_t region;
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == 4);
-
-	UNUSED(type);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(rdclass);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
-		RETTOK(DNS_R_BADDOTTEDQUAD);
-	isc_buffer_availableregion(target, &region);
-	if (region.length < 4)
-		return (ISC_R_NOSPACE);
-	memcpy(region.base, &addr, 4);
-	isc_buffer_add(target, 4);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_hs_a(ARGS_TOTEXT) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 4);
-	REQUIRE(rdata->length == 4);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &region);
-	return (inet_totext(AF_INET, &region, target));
-}
-
-static inline isc_result_t
-fromwire_hs_a(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-	isc_region_t tregion;
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == 4);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(options);
-	UNUSED(rdclass);
-
-	isc_buffer_activeregion(source, &sregion);
-	isc_buffer_availableregion(target, &tregion);
-	if (sregion.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-	if (tregion.length < 4)
-		return (ISC_R_NOSPACE);
-
-	memcpy(tregion.base, sregion.base, 4);
-	isc_buffer_forward(source, 4);
-	isc_buffer_add(target, 4);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_hs_a(ARGS_TOWIRE) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 4);
-	REQUIRE(rdata->length == 4);
-
-	UNUSED(cctx);
-
-	isc_buffer_availableregion(target, &region);
-	if (region.length < rdata->length)
-		return (ISC_R_NOSPACE);
-	memcpy(region.base, rdata->data, rdata->length);
-	isc_buffer_add(target, 4);
-	return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_hs_a(ARGS_COMPARE) {
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 1);
-	REQUIRE(rdata1->rdclass == 4);
-	REQUIRE(rdata1->length == 4);
-	REQUIRE(rdata2->length == 4);
-
-	order = memcmp(rdata1->data, rdata2->data, 4);
-	if (order != 0)
-		order = (order < 0) ? -1 : 1;
-
-	return (order);
-}
-
-static inline isc_result_t
-fromstruct_hs_a(ARGS_FROMSTRUCT) {
-	dns_rdata_hs_a_t *a = source;
-	isc_uint32_t n;
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == 4);
-	REQUIRE(source != NULL);
-	REQUIRE(a->common.rdtype == type);
-	REQUIRE(a->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	n = ntohl(a->in_addr.s_addr);
-
-	return (uint32_tobuffer(n, target));
-}
-
-static inline isc_result_t
-tostruct_hs_a(ARGS_TOSTRUCT) {
-	dns_rdata_hs_a_t *a = target;
-	isc_uint32_t n;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 4);
-	REQUIRE(rdata->length == 4);
-
-	UNUSED(mctx);
-
-	a->common.rdclass = rdata->rdclass;
-	a->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&a->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-	n = uint32_fromregion(&region);
-	a->in_addr.s_addr = htonl(n);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_hs_a(ARGS_FREESTRUCT) {
-	UNUSED(source);
-
-	REQUIRE(source != NULL);
-}
-
-static inline isc_result_t
-additionaldata_hs_a(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 4);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_hs_a(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 4);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_hs_a(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == 4);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_hs_a(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 4);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_hs_a(ARGS_COMPARE) {
-	return (compare_hs_a(rdata1, rdata2));
-}
-
-#endif	/* RDATA_HS_4_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/hs_4/a_1.h b/contrib/bind9/lib/dns/rdata/hs_4/a_1.h
deleted file mode 100644
index dee812f..0000000
--- a/contrib/bind9/lib/dns/rdata/hs_4/a_1.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef HS_4_A_1_H
-#define HS_4_A_1_H 1
-
-/* $Id: a_1.h,v 1.12 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_hs_a {
-	dns_rdatacommon_t	common;
-	struct in_addr          in_addr;
-} dns_rdata_hs_a_t;
-
-#endif /* HS_4_A_1_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a6_38.c b/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
deleted file mode 100644
index 8619f8a..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
+++ /dev/null
@@ -1,466 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a6_38.c,v 1.56 2009/12/04 22:06:37 tbox Exp $ */
-
-/* RFC2874 */
-
-#ifndef RDATA_IN_1_A6_28_C
-#define RDATA_IN_1_A6_28_C
-
-#include <isc/net.h>
-
-#define RRTYPE_A6_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_a6(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char addr[16];
-	unsigned char prefixlen;
-	unsigned char octets;
-	unsigned char mask;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	isc_boolean_t ok;
-
-	REQUIRE(type == 38);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Prefix length.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 128U)
-		RETTOK(ISC_R_RANGE);
-
-	prefixlen = (unsigned char)token.value.as_ulong;
-	RETERR(mem_tobuffer(target, &prefixlen, 1));
-
-	/*
-	 * Suffix.
-	 */
-	if (prefixlen != 128) {
-		/*
-		 * Prefix 0..127.
-		 */
-		octets = prefixlen/8;
-		/*
-		 * Octets 0..15.
-		 */
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string,
-					      ISC_FALSE));
-		if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
-			RETTOK(DNS_R_BADAAAA);
-		mask = 0xff >> (prefixlen % 8);
-		addr[octets] &= mask;
-		RETERR(mem_tobuffer(target, &addr[octets], 16 - octets));
-	}
-
-	if (prefixlen == 0)
-		return (ISC_R_SUCCESS);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	ok = ISC_TRUE;
-	if ((options & DNS_RDATA_CHECKNAMES) != 0)
-		ok = dns_name_ishostname(&name, ISC_FALSE);
-	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-		RETTOK(DNS_R_BADNAME);
-	if (!ok && callbacks != NULL)
-		warn_badname(&name, lexer, callbacks);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_a6(ARGS_TOTEXT) {
-	isc_region_t sr, ar;
-	unsigned char addr[16];
-	unsigned char prefixlen;
-	unsigned char octets;
-	unsigned char mask;
-	char buf[sizeof("128")];
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 38);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-	prefixlen = sr.base[0];
-	INSIST(prefixlen <= 128);
-	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u", prefixlen);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	if (prefixlen != 128) {
-		octets = prefixlen/8;
-		memset(addr, 0, sizeof(addr));
-		memcpy(&addr[octets], sr.base, 16 - octets);
-		mask = 0xff >> (prefixlen % 8);
-		addr[octets] &= mask;
-		ar.base = addr;
-		ar.length = sizeof(addr);
-		RETERR(inet_totext(AF_INET6, &ar, target));
-		isc_region_consume(&sr, 16 - octets);
-	}
-
-	if (prefixlen == 0)
-		return (ISC_R_SUCCESS);
-
-	RETERR(str_totext(" ", target));
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-	dns_name_fromregion(&name, &sr);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_a6(ARGS_FROMWIRE) {
-	isc_region_t sr;
-	unsigned char prefixlen;
-	unsigned char octets;
-	unsigned char mask;
-	dns_name_t name;
-
-	REQUIRE(type == 38);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	isc_buffer_activeregion(source, &sr);
-	/*
-	 * Prefix length.
-	 */
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
-	prefixlen = sr.base[0];
-	if (prefixlen > 128)
-		return (ISC_R_RANGE);
-	isc_region_consume(&sr, 1);
-	RETERR(mem_tobuffer(target, &prefixlen, 1));
-	isc_buffer_forward(source, 1);
-
-	/*
-	 * Suffix.
-	 */
-	if (prefixlen != 128) {
-		octets = 16 - prefixlen / 8;
-		if (sr.length < octets)
-			return (ISC_R_UNEXPECTEDEND);
-		mask = 0xff >> (prefixlen % 8);
-		sr.base[0] &= mask;	/* Ensure pad bits are zero. */
-		RETERR(mem_tobuffer(target, sr.base, octets));
-		isc_buffer_forward(source, octets);
-	}
-
-	if (prefixlen == 0)
-		return (ISC_R_SUCCESS);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_a6(ARGS_TOWIRE) {
-	isc_region_t sr;
-	dns_name_t name;
-	dns_offsets_t offsets;
-	unsigned char prefixlen;
-	unsigned char octets;
-
-	REQUIRE(rdata->type == 38);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_rdata_toregion(rdata, &sr);
-	prefixlen = sr.base[0];
-	INSIST(prefixlen <= 128);
-
-	octets = 1 + 16 - prefixlen / 8;
-	RETERR(mem_tobuffer(target, sr.base, octets));
-	isc_region_consume(&sr, octets);
-
-	if (prefixlen == 0)
-		return (ISC_R_SUCCESS);
-
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &sr);
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_a6(ARGS_COMPARE) {
-	int order;
-	unsigned char prefixlen1, prefixlen2;
-	unsigned char octets;
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 38);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-	prefixlen1 = region1.base[0];
-	prefixlen2 = region2.base[0];
-	isc_region_consume(&region1, 1);
-	isc_region_consume(&region2, 1);
-	if (prefixlen1 < prefixlen2)
-		return (-1);
-	else if (prefixlen1 > prefixlen2)
-		return (1);
-	/*
-	 * Prefix lengths are equal.
-	 */
-	octets = 16 - prefixlen1 / 8;
-
-	if (octets > 0) {
-		order = memcmp(region1.base, region2.base, octets);
-		if (order < 0)
-			return (-1);
-		else if (order > 0)
-			return (1);
-		/*
-		 * Address suffixes are equal.
-		 */
-		if (prefixlen1 == 0)
-			return (order);
-		isc_region_consume(&region1, octets);
-		isc_region_consume(&region2, octets);
-	}
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_a6(ARGS_FROMSTRUCT) {
-	dns_rdata_in_a6_t *a6 = source;
-	isc_region_t region;
-	int octets;
-	isc_uint8_t bits;
-	isc_uint8_t first;
-	isc_uint8_t mask;
-
-	REQUIRE(type == 38);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(a6->common.rdtype == type);
-	REQUIRE(a6->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	if (a6->prefixlen > 128)
-		return (ISC_R_RANGE);
-
-	RETERR(uint8_tobuffer(a6->prefixlen, target));
-
-	/* Suffix */
-	if (a6->prefixlen != 128) {
-		octets = 16 - a6->prefixlen / 8;
-		bits = a6->prefixlen % 8;
-		if (bits != 0) {
-			mask = 0xffU >> bits;
-			first = a6->in6_addr.s6_addr[16 - octets] & mask;
-			RETERR(uint8_tobuffer(first, target));
-			octets--;
-		}
-		if (octets > 0)
-			RETERR(mem_tobuffer(target,
-					    a6->in6_addr.s6_addr + 16 - octets,
-					    octets));
-	}
-
-	if (a6->prefixlen == 0)
-		return (ISC_R_SUCCESS);
-	dns_name_toregion(&a6->prefix, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_a6(ARGS_TOSTRUCT) {
-	dns_rdata_in_a6_t *a6 = target;
-	unsigned char octets;
-	dns_name_t name;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 38);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	a6->common.rdclass = rdata->rdclass;
-	a6->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&a6->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-
-	a6->prefixlen = uint8_fromregion(&r);
-	isc_region_consume(&r, 1);
-	memset(a6->in6_addr.s6_addr, 0, sizeof(a6->in6_addr.s6_addr));
-
-	/*
-	 * Suffix.
-	 */
-	if (a6->prefixlen != 128) {
-		octets = 16 - a6->prefixlen / 8;
-		INSIST(r.length >= octets);
-		memcpy(a6->in6_addr.s6_addr + 16 - octets, r.base, octets);
-		isc_region_consume(&r, octets);
-	}
-
-	/*
-	 * Prefix.
-	 */
-	dns_name_init(&a6->prefix, NULL);
-	if (a6->prefixlen != 0) {
-		dns_name_init(&name, NULL);
-		dns_name_fromregion(&name, &r);
-		RETERR(name_duporclone(&name, mctx, &a6->prefix));
-	}
-	a6->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_a6(ARGS_FREESTRUCT) {
-	dns_rdata_in_a6_t *a6 = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(a6->common.rdclass == 1);
-	REQUIRE(a6->common.rdtype == 38);
-
-	if (a6->mctx == NULL)
-		return;
-
-	if (dns_name_dynamic(&a6->prefix))
-		dns_name_free(&a6->prefix, a6->mctx);
-	a6->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_a6(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 38);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_a6(ARGS_DIGEST) {
-	isc_region_t r1, r2;
-	unsigned char prefixlen, octets;
-	isc_result_t result;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 38);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r1);
-	r2 = r1;
-	prefixlen = r1.base[0];
-	octets = 1 + 16 - prefixlen / 8;
-
-	r1.length = octets;
-	result = (digest)(arg, &r1);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (prefixlen == 0)
-		return (ISC_R_SUCCESS);
-
-	isc_region_consume(&r2, octets);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r2);
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_a6(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 38);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_in_a6(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-	unsigned int prefixlen;
-
-	REQUIRE(rdata->type == 38);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	prefixlen = uint8_fromregion(&region);
-	if (prefixlen == 0)
-		return (ISC_TRUE);
-	isc_region_consume(&region, 1 + 16 - prefixlen / 8);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ishostname(&name, ISC_FALSE)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_a6(ARGS_COMPARE) {
-	return (compare_in_a6(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_A6_38_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a6_38.h b/contrib/bind9/lib/dns/rdata/in_1/a6_38.h
deleted file mode 100644
index 75e53f1..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/a6_38.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_A6_38_H
-#define IN_1_A6_38_H 1
-
-/* $Id: a6_38.h,v 1.24 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC2874 */
-
-typedef struct dns_rdata_in_a6 {
-        dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		prefix;
-	isc_uint8_t		prefixlen;
-	struct in6_addr		in6_addr;
-} dns_rdata_in_a6_t;
-
-#endif /* IN_1_A6_38_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a_1.c b/contrib/bind9/lib/dns/rdata/in_1/a_1.c
deleted file mode 100644
index 902932e..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/a_1.c
+++ /dev/null
@@ -1,241 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a_1.c,v 1.55 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
-
-#ifndef RDATA_IN_1_A_1_C
-#define RDATA_IN_1_A_1_C
-
-#include <string.h>
-
-#include <isc/net.h>
-
-#define RRTYPE_A_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_a(ARGS_FROMTEXT) {
-	isc_token_t token;
-	struct in_addr addr;
-	isc_region_t region;
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(rdclass);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
-		RETTOK(DNS_R_BADDOTTEDQUAD);
-	isc_buffer_availableregion(target, &region);
-	if (region.length < 4)
-		return (ISC_R_NOSPACE);
-	memcpy(region.base, &addr, 4);
-	isc_buffer_add(target, 4);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_a(ARGS_TOTEXT) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length == 4);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &region);
-	return (inet_totext(AF_INET, &region, target));
-}
-
-static inline isc_result_t
-fromwire_in_a(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-	isc_region_t tregion;
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(options);
-	UNUSED(rdclass);
-
-	isc_buffer_activeregion(source, &sregion);
-	isc_buffer_availableregion(target, &tregion);
-	if (sregion.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
-	if (tregion.length < 4)
-		return (ISC_R_NOSPACE);
-
-	memcpy(tregion.base, sregion.base, 4);
-	isc_buffer_forward(source, 4);
-	isc_buffer_add(target, 4);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_in_a(ARGS_TOWIRE) {
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length == 4);
-
-	UNUSED(cctx);
-
-	isc_buffer_availableregion(target, &region);
-	if (region.length < rdata->length)
-		return (ISC_R_NOSPACE);
-	memcpy(region.base, rdata->data, rdata->length);
-	isc_buffer_add(target, 4);
-	return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_in_a(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 1);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length == 4);
-	REQUIRE(rdata2->length == 4);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_a(ARGS_FROMSTRUCT) {
-	dns_rdata_in_a_t *a = source;
-	isc_uint32_t n;
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(a->common.rdtype == type);
-	REQUIRE(a->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	n = ntohl(a->in_addr.s_addr);
-
-	return (uint32_tobuffer(n, target));
-}
-
-
-static inline isc_result_t
-tostruct_in_a(ARGS_TOSTRUCT) {
-	dns_rdata_in_a_t *a = target;
-	isc_uint32_t n;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length == 4);
-
-	UNUSED(mctx);
-
-	a->common.rdclass = rdata->rdclass;
-	a->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&a->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-	n = uint32_fromregion(&region);
-	a->in_addr.s_addr = htonl(n);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_a(ARGS_FREESTRUCT) {
-	dns_rdata_in_a_t *a = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(a->common.rdtype == 1);
-	REQUIRE(a->common.rdclass == 1);
-
-	UNUSED(a);
-}
-
-static inline isc_result_t
-additionaldata_in_a(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_a(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_a(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 1);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_in_a(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 1);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_a(ARGS_COMPARE) {
-	return (compare_in_a(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a_1.h b/contrib/bind9/lib/dns/rdata/in_1/a_1.h
deleted file mode 100644
index c192d1a..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/a_1.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef IN_1_A_1_H
-#define IN_1_A_1_H 1
-
-/* $Id: a_1.h,v 1.28 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_in_a {
-	dns_rdatacommon_t	common;
-	struct in_addr          in_addr;
-} dns_rdata_in_a_t;
-
-#endif /* IN_1_A_1_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
deleted file mode 100644
index 5aa59b2..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: aaaa_28.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
-
-/* RFC1886 */
-
-#ifndef RDATA_IN_1_AAAA_28_C
-#define RDATA_IN_1_AAAA_28_C
-
-#include <isc/net.h>
-
-#define RRTYPE_AAAA_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_aaaa(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char addr[16];
-	isc_region_t region;
-
-	REQUIRE(type == 28);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
-		RETTOK(DNS_R_BADAAAA);
-	isc_buffer_availableregion(target, &region);
-	if (region.length < 16)
-		return (ISC_R_NOSPACE);
-	memcpy(region.base, addr, 16);
-	isc_buffer_add(target, 16);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_aaaa(ARGS_TOTEXT) {
-	isc_region_t region;
-
-	UNUSED(tctx);
-
-	REQUIRE(rdata->type == 28);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length == 16);
-
-	dns_rdata_toregion(rdata, &region);
-	return (inet_totext(AF_INET6, &region, target));
-}
-
-static inline isc_result_t
-fromwire_in_aaaa(ARGS_FROMWIRE) {
-	isc_region_t sregion;
-	isc_region_t tregion;
-
-	REQUIRE(type == 28);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(options);
-	UNUSED(rdclass);
-
-	isc_buffer_activeregion(source, &sregion);
-	isc_buffer_availableregion(target, &tregion);
-	if (sregion.length < 16)
-		return (ISC_R_UNEXPECTEDEND);
-	if (tregion.length < 16)
-		return (ISC_R_NOSPACE);
-
-	memcpy(tregion.base, sregion.base, 16);
-	isc_buffer_forward(source, 16);
-	isc_buffer_add(target, 16);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_in_aaaa(ARGS_TOWIRE) {
-	isc_region_t region;
-
-	UNUSED(cctx);
-
-	REQUIRE(rdata->type == 28);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length == 16);
-
-	isc_buffer_availableregion(target, &region);
-	if (region.length < rdata->length)
-		return (ISC_R_NOSPACE);
-	memcpy(region.base, rdata->data, rdata->length);
-	isc_buffer_add(target, 16);
-	return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_in_aaaa(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 28);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length == 16);
-	REQUIRE(rdata2->length == 16);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_aaaa(ARGS_FROMSTRUCT) {
-	dns_rdata_in_aaaa_t *aaaa = source;
-
-	REQUIRE(type == 28);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(aaaa->common.rdtype == type);
-	REQUIRE(aaaa->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (mem_tobuffer(target, aaaa->in6_addr.s6_addr, 16));
-}
-
-static inline isc_result_t
-tostruct_in_aaaa(ARGS_TOSTRUCT) {
-	dns_rdata_in_aaaa_t *aaaa = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 28);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length == 16);
-
-	UNUSED(mctx);
-
-	aaaa->common.rdclass = rdata->rdclass;
-	aaaa->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&aaaa->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-	INSIST(r.length == 16);
-	memcpy(aaaa->in6_addr.s6_addr, r.base, 16);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_aaaa(ARGS_FREESTRUCT) {
-	dns_rdata_in_aaaa_t *aaaa = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(aaaa->common.rdclass == 1);
-	REQUIRE(aaaa->common.rdtype == 28);
-
-	UNUSED(aaaa);
-}
-
-static inline isc_result_t
-additionaldata_in_aaaa(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 28);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_aaaa(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 28);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_aaaa(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 28);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_in_aaaa(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 28);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_aaaa(ARGS_COMPARE) {
-	return (compare_in_aaaa(rdata1, rdata2));
-}
-#endif	/* RDATA_IN_1_AAAA_28_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h
deleted file mode 100644
index 54a0cb3..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_AAAA_28_H
-#define IN_1_AAAA_28_H 1
-
-/* $Id: aaaa_28.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC1886 */
-
-typedef struct dns_rdata_in_aaaa {
-	dns_rdatacommon_t	common;
-	struct in6_addr		in6_addr;
-} dns_rdata_in_aaaa_t;
-
-#endif /* IN_1_AAAA_28_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/apl_42.c b/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
deleted file mode 100644
index eb927b9..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
+++ /dev/null
@@ -1,458 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: apl_42.c,v 1.16 2009/12/04 22:06:37 tbox Exp $ */
-
-/* RFC3123 */
-
-#ifndef RDATA_IN_1_APL_42_C
-#define RDATA_IN_1_APL_42_C
-
-#define RRTYPE_APL_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_apl(ARGS_FROMTEXT) {
-	isc_token_t token;
-	unsigned char addr[16];
-	unsigned long afi;
-	isc_uint8_t prefix;
-	isc_uint8_t len;
-	isc_boolean_t neg;
-	char *cp, *ap, *slash;
-	int n;
-
-	REQUIRE(type == 42);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	do {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string, ISC_TRUE));
-		if (token.type != isc_tokentype_string)
-			break;
-
-		cp = DNS_AS_STR(token);
-		neg = ISC_TF(*cp == '!');
-		if (neg)
-			cp++;
-		afi = strtoul(cp, &ap, 10);
-		if (*ap++ != ':' || cp == ap)
-			RETTOK(DNS_R_SYNTAX);
-		if (afi > 0xffffU)
-			RETTOK(ISC_R_RANGE);
-		slash = strchr(ap, '/');
-		if (slash == NULL || slash == ap)
-			RETTOK(DNS_R_SYNTAX);
-		RETTOK(isc_parse_uint8(&prefix, slash + 1, 10));
-		switch (afi) {
-		case 1:
-			*slash = '\0';
-			n = inet_pton(AF_INET, ap, addr);
-			*slash = '/';
-			if (n != 1)
-				RETTOK(DNS_R_BADDOTTEDQUAD);
-			if (prefix > 32)
-				RETTOK(ISC_R_RANGE);
-			for (len = 4; len > 0; len--)
-				if (addr[len - 1] != 0)
-					break;
-			break;
-
-		case 2:
-			*slash = '\0';
-			n = inet_pton(AF_INET6, ap, addr);
-			*slash = '/';
-			if (n != 1)
-				RETTOK(DNS_R_BADAAAA);
-			if (prefix > 128)
-				RETTOK(ISC_R_RANGE);
-			for (len = 16; len > 0; len--)
-				if (addr[len - 1] != 0)
-					break;
-			break;
-
-		default:
-			RETTOK(ISC_R_NOTIMPLEMENTED);
-		}
-		RETERR(uint16_tobuffer(afi, target));
-		RETERR(uint8_tobuffer(prefix, target));
-		RETERR(uint8_tobuffer(len | ((neg) ? 0x80 : 0), target));
-		RETERR(mem_tobuffer(target, addr, len));
-	} while (1);
-
-	/*
-	 * Let upper layer handle eol/eof.
-	 */
-	isc_lex_ungettoken(lexer, &token);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_apl(ARGS_TOTEXT) {
-	isc_region_t sr;
-	isc_region_t ir;
-	isc_uint16_t afi;
-	isc_uint8_t prefix;
-	isc_uint8_t len;
-	isc_boolean_t neg;
-	unsigned char buf[16];
-	char txt[sizeof(" !64000")];
-	const char *sep = "";
-	int n;
-
-	REQUIRE(rdata->type == 42);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	ir.base = buf;
-	ir.length = sizeof(buf);
-
-	while (sr.length > 0) {
-		INSIST(sr.length >= 4);
-		afi = uint16_fromregion(&sr);
-		isc_region_consume(&sr, 2);
-		prefix = *sr.base;
-		isc_region_consume(&sr, 1);
-		len = (*sr.base & 0x7f);
-		neg = ISC_TF((*sr.base & 0x80) != 0);
-		isc_region_consume(&sr, 1);
-		INSIST(len <= sr.length);
-		n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
-			     neg ? "!": "", afi);
-		INSIST(n < (int)sizeof(txt));
-		RETERR(str_totext(txt, target));
-		switch (afi) {
-		case 1:
-			INSIST(len <= 4);
-			INSIST(prefix <= 32);
-			memset(buf, 0, sizeof(buf));
-			memcpy(buf, sr.base, len);
-			RETERR(inet_totext(AF_INET, &ir, target));
-			break;
-
-		case 2:
-			INSIST(len <= 16);
-			INSIST(prefix <= 128);
-			memset(buf, 0, sizeof(buf));
-			memcpy(buf, sr.base, len);
-			RETERR(inet_totext(AF_INET6, &ir, target));
-			break;
-
-		default:
-			return (ISC_R_NOTIMPLEMENTED);
-		}
-		n = snprintf(txt, sizeof(txt), "/%u", prefix);
-		INSIST(n < (int)sizeof(txt));
-		RETERR(str_totext(txt, target));
-		isc_region_consume(&sr, len);
-		sep = " ";
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_in_apl(ARGS_FROMWIRE) {
-	isc_region_t sr, sr2;
-	isc_region_t tr;
-	isc_uint16_t afi;
-	isc_uint8_t prefix;
-	isc_uint8_t len;
-
-	REQUIRE(type == 42);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(rdclass);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_availableregion(target, &tr);
-	if (sr.length > tr.length)
-		return (ISC_R_NOSPACE);
-	sr2 = sr;
-
-	/* Zero or more items */
-	while (sr.length > 0) {
-		if (sr.length < 4)
-			return (ISC_R_UNEXPECTEDEND);
-		afi = uint16_fromregion(&sr);
-		isc_region_consume(&sr, 2);
-		prefix = *sr.base;
-		isc_region_consume(&sr, 1);
-		len = (*sr.base & 0x7f);
-		isc_region_consume(&sr, 1);
-		if (len > sr.length)
-			return (ISC_R_UNEXPECTEDEND);
-		switch (afi) {
-		case 1:
-			if (prefix > 32 || len > 4)
-				return (ISC_R_RANGE);
-			break;
-		case 2:
-			if (prefix > 128 || len > 16)
-				return (ISC_R_RANGE);
-		}
-		if (len > 0 && sr.base[len - 1] == 0)
-			return (DNS_R_FORMERR);
-		isc_region_consume(&sr, len);
-	}
-	isc_buffer_forward(source, sr2.length);
-	return (mem_tobuffer(target, sr2.base, sr2.length));
-}
-
-static inline isc_result_t
-towire_in_apl(ARGS_TOWIRE) {
-	UNUSED(cctx);
-
-	REQUIRE(rdata->type == 42);
-	REQUIRE(rdata->rdclass == 1);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_in_apl(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 42);
-	REQUIRE(rdata1->rdclass == 1);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_apl(ARGS_FROMSTRUCT) {
-	dns_rdata_in_apl_t *apl = source;
-	isc_buffer_t b;
-
-	REQUIRE(type == 42);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(apl->common.rdtype == type);
-	REQUIRE(apl->common.rdclass == rdclass);
-	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
-
-	isc_buffer_init(&b, apl->apl, apl->apl_len);
-	isc_buffer_add(&b, apl->apl_len);
-	isc_buffer_setactive(&b, apl->apl_len);
-	return(fromwire_in_apl(rdclass, type, &b, NULL, ISC_FALSE, target));
-}
-
-static inline isc_result_t
-tostruct_in_apl(ARGS_TOSTRUCT) {
-	dns_rdata_in_apl_t *apl = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 42);
-	REQUIRE(rdata->rdclass == 1);
-
-	apl->common.rdclass = rdata->rdclass;
-	apl->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&apl->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-	apl->apl_len = r.length;
-	apl->apl = mem_maybedup(mctx, r.base, r.length);
-	if (apl->apl == NULL)
-		return (ISC_R_NOMEMORY);
-
-	apl->offset = 0;
-	apl->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_apl(ARGS_FREESTRUCT) {
-	dns_rdata_in_apl_t *apl = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(apl->common.rdtype == 42);
-	REQUIRE(apl->common.rdclass == 1);
-
-	if (apl->mctx == NULL)
-		return;
-	if (apl->apl != NULL)
-		isc_mem_free(apl->mctx, apl->apl);
-	apl->mctx = NULL;
-}
-
-isc_result_t
-dns_rdata_apl_first(dns_rdata_in_apl_t *apl) {
-	isc_uint32_t length;
-
-	REQUIRE(apl != NULL);
-	REQUIRE(apl->common.rdtype == 42);
-	REQUIRE(apl->common.rdclass == 1);
-	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
-
-	/*
-	 * If no APL return ISC_R_NOMORE.
-	 */
-	if (apl->apl == NULL)
-		return (ISC_R_NOMORE);
-
-	/*
-	 * Sanity check data.
-	 */
-	INSIST(apl->apl_len > 3U);
-	length = apl->apl[apl->offset + 3] & 0x7f;
-	INSIST(length <= apl->apl_len);
-
-	apl->offset = 0;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rdata_apl_next(dns_rdata_in_apl_t *apl) {
-	isc_uint32_t length;
-
-	REQUIRE(apl != NULL);
-	REQUIRE(apl->common.rdtype == 42);
-	REQUIRE(apl->common.rdclass == 1);
-	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
-
-	/*
-	 * No APL or have already reached the end return ISC_R_NOMORE.
-	 */
-	if (apl->apl == NULL || apl->offset == apl->apl_len)
-		return (ISC_R_NOMORE);
-
-	/*
-	 * Sanity check data.
-	 */
-	INSIST(apl->offset < apl->apl_len);
-	INSIST(apl->apl_len > 3U);
-	INSIST(apl->offset <= apl->apl_len - 4U);
-	length = apl->apl[apl->offset + 3] & 0x7f;
-	/*
-	 * 16 to 32 bits promotion as 'length' is 32 bits so there is
-	 * no overflow problems.
-	 */
-	INSIST(length + apl->offset <= apl->apl_len);
-
-	apl->offset += apl->apl[apl->offset + 3] & 0x7f;
-	return ((apl->offset >= apl->apl_len) ? ISC_R_SUCCESS : ISC_R_NOMORE);
-}
-
-isc_result_t
-dns_rdata_apl_current(dns_rdata_in_apl_t *apl, dns_rdata_apl_ent_t *ent) {
-	isc_uint32_t length;
-
-	REQUIRE(apl != NULL);
-	REQUIRE(apl->common.rdtype == 42);
-	REQUIRE(apl->common.rdclass == 1);
-	REQUIRE(ent != NULL);
-	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
-	REQUIRE(apl->offset <= apl->apl_len);
-
-	if (apl->offset == apl->apl_len)
-		return (ISC_R_NOMORE);
-
-	/*
-	 * Sanity check data.
-	 */
-	INSIST(apl->apl_len > 3U);
-	INSIST(apl->offset <= apl->apl_len - 4U);
-	length = apl->apl[apl->offset + 3] & 0x7f;
-	/*
-	 * 16 to 32 bits promotion as 'length' is 32 bits so there is
-	 * no overflow problems.
-	 */
-	INSIST(length + apl->offset <= apl->apl_len);
-
-	ent->family = (apl->apl[apl->offset] << 8) + apl->apl[apl->offset + 1];
-	ent->prefix = apl->apl[apl->offset + 2];
-	ent->length = apl->apl[apl->offset + 3] & 0x7f;
-	ent->negative = ISC_TF((apl->apl[apl->offset + 3] & 0x80) != 0);
-	if (ent->length != 0)
-		ent->data = &apl->apl[apl->offset + 4];
-	else
-		ent->data = NULL;
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-additionaldata_in_apl(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 42);
-	REQUIRE(rdata->rdclass == 1);
-
-	(void)add;
-	(void)arg;
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_apl(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 42);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_apl(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 42);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-
-static inline isc_boolean_t
-checknames_in_apl(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 42);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_apl(ARGS_COMPARE) {
-	return (compare_in_apl(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_APL_42_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/apl_42.h b/contrib/bind9/lib/dns/rdata/in_1/apl_42.h
deleted file mode 100644
index 2d01040..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/apl_42.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef IN_1_APL_42_H
-#define IN_1_APL_42_H 1
-
-/* $Id: apl_42.h,v 1.6 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_apl_ent {
-	isc_boolean_t	negative;
-	isc_uint16_t	family;
-	isc_uint8_t	prefix;
-	isc_uint8_t	length;
-	unsigned char	*data;
-} dns_rdata_apl_ent_t;
-
-typedef struct dns_rdata_in_apl {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	/* type & class specific elements */
-	unsigned char           *apl;
-        isc_uint16_t            apl_len;
-        /* private */
-        isc_uint16_t            offset;
-} dns_rdata_in_apl_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_apl_first(dns_rdata_in_apl_t *);
-
-isc_result_t
-dns_rdata_apl_next(dns_rdata_in_apl_t *);
-
-isc_result_t
-dns_rdata_apl_current(dns_rdata_in_apl_t *, dns_rdata_apl_ent_t *);
-
-#endif /* IN_1_APL_42_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c b/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c
deleted file mode 100644
index 7575da0..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- * Copyright (C) 2006, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* RFC 4701 */
-
-#ifndef RDATA_IN_1_DHCID_49_C
-#define RDATA_IN_1_DHCID_49_C 1
-
-#define RRTYPE_DHCID_ATTRIBUTES 0
-
-static inline isc_result_t
-fromtext_in_dhcid(ARGS_FROMTEXT) {
-
-	REQUIRE(type == 49);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(callbacks);
-
-	return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_in_dhcid(ARGS_TOTEXT) {
-	isc_region_t sr;
-	char buf[sizeof(" ; 64000 255 64000")];
-	size_t n;
-
-	REQUIRE(rdata->type == 49);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-		RETERR(str_totext("( " /*)*/, target));
-	if (tctx->width == 0)   /* No splitting */
-		RETERR(isc_base64_totext(&sr, 60, "", target));
-	else
-		RETERR(isc_base64_totext(&sr, tctx->width - 2,
-					 tctx->linebreak, target));
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
-		RETERR(str_totext(/* ( */ " )", target));
-		if (rdata->length > 2) {
-			n = snprintf(buf, sizeof(buf), " ; %u %u %u",
-				     sr.base[0] * 256 + sr.base[1],
-				     sr.base[2], rdata->length - 3);
-			INSIST(n < sizeof(buf));
-			RETERR(str_totext(buf, target));
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_in_dhcid(ARGS_FROMWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(type == 49);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(dctx);
-	UNUSED(options);
-
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length == 0)
-		return (ISC_R_UNEXPECTEDEND);
-
-	isc_buffer_forward(source, sr.length);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_in_dhcid(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 49);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_in_dhcid(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 49);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_dhcid(ARGS_FROMSTRUCT) {
-	dns_rdata_in_dhcid_t *dhcid = source;
-
-	REQUIRE(type == 49);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(dhcid->common.rdtype == type);
-	REQUIRE(dhcid->common.rdclass == rdclass);
-	REQUIRE(dhcid->length != 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (mem_tobuffer(target, dhcid->dhcid, dhcid->length));
-}
-
-static inline isc_result_t
-tostruct_in_dhcid(ARGS_TOSTRUCT) {
-	dns_rdata_in_dhcid_t *dhcid = target;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 49);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	dhcid->common.rdclass = rdata->rdclass;
-	dhcid->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&dhcid->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-
-	dhcid->dhcid = mem_maybedup(mctx, region.base, region.length);
-	if (dhcid->dhcid == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dhcid->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_dhcid(ARGS_FREESTRUCT) {
-	dns_rdata_in_dhcid_t *dhcid = source;
-
-	REQUIRE(dhcid != NULL);
-	REQUIRE(dhcid->common.rdtype == 49);
-	REQUIRE(dhcid->common.rdclass == 1);
-
-	if (dhcid->mctx == NULL)
-		return;
-
-	if (dhcid->dhcid != NULL)
-		isc_mem_free(dhcid->mctx, dhcid->dhcid);
-	dhcid->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_dhcid(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 49);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_dhcid(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 49);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_dhcid(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 49);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_dhcid(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 49);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_dhcid(ARGS_COMPARE) {
-	return (compare_in_dhcid(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_DHCID_49_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.h b/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.h
deleted file mode 100644
index 2797192..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef IN_1_DHCID_49_H
-#define IN_1_DHCID_49_H 1
-
-/* $Id: dhcid_49.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_in_dhcid {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*dhcid;
-	unsigned int		length;
-} dns_rdata_in_dhcid_t;
-
-#endif /* IN_1_DHCID_49_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/kx_36.c b/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
deleted file mode 100644
index fbe3b71..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: kx_36.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
-
-/* RFC2230 */
-
-#ifndef RDATA_IN_1_KX_36_C
-#define RDATA_IN_1_KX_36_C
-
-#define RRTYPE_KX_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_kx(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 36);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_kx(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	char buf[sizeof("64000")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 36);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-
-	RETERR(str_totext(" ", target));
-
-	dns_name_fromregion(&name, &region);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_kx(ARGS_FROMWIRE) {
-	dns_name_t name;
-	isc_region_t sregion;
-
-	REQUIRE(type == 36);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sregion.base, 2));
-	isc_buffer_forward(source, 2);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_kx(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 36);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_rdata_toregion(rdata, &region);
-	RETERR(mem_tobuffer(target, region.base, 2));
-	isc_region_consume(&region, 2);
-
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_kx(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 36);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	order = memcmp(rdata1->data, rdata2->data, 2);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	isc_region_consume(&region1, 2);
-	isc_region_consume(&region2, 2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_kx(ARGS_FROMSTRUCT) {
-	dns_rdata_in_kx_t *kx = source;
-	isc_region_t region;
-
-	REQUIRE(type == 36);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(kx->common.rdtype == type);
-	REQUIRE(kx->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(kx->preference, target));
-	dns_name_toregion(&kx->exchange, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_kx(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_in_kx_t *kx = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 36);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	kx->common.rdclass = rdata->rdclass;
-	kx->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&kx->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-
-	kx->preference = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&kx->exchange, NULL);
-	RETERR(name_duporclone(&name, mctx, &kx->exchange));
-	kx->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_kx(ARGS_FREESTRUCT) {
-	dns_rdata_in_kx_t *kx = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(kx->common.rdclass == 1);
-	REQUIRE(kx->common.rdtype == 36);
-
-	if (kx->mctx == NULL)
-		return;
-
-	dns_name_free(&kx->exchange, kx->mctx);
-	kx->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_kx(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 36);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 2);
-	dns_name_fromregion(&name, &region);
-
-	return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_in_kx(ARGS_DIGEST) {
-	isc_region_t r1, r2;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 36);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r1);
-	r2 = r1;
-	isc_region_consume(&r2, 2);
-	r1.length = 2;
-	RETERR((digest)(arg, &r1));
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r2);
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_kx(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 36);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_kx(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 36);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_kx(ARGS_COMPARE) {
-	return (compare_in_kx(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_KX_36_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/kx_36.h b/contrib/bind9/lib/dns/rdata/in_1/kx_36.h
deleted file mode 100644
index 391ae27..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/kx_36.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_KX_36_H
-#define IN_1_KX_36_H 1
-
-/* $Id: kx_36.h,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC2230 */
-
-typedef struct dns_rdata_in_kx {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		preference;
-	dns_name_t		exchange;
-} dns_rdata_in_kx_t;
-
-#endif /* IN_1_KX_36_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
deleted file mode 100644
index 78df645..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ /dev/null
@@ -1,250 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsap-ptr_23.c,v 1.40 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
-
-/* RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
-
-#ifndef RDATA_IN_1_NSAP_PTR_23_C
-#define RDATA_IN_1_NSAP_PTR_23_C
-
-#define RRTYPE_NSAP_PTR_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_nsap_ptr(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 23);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_nsap_ptr(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-
-	REQUIRE(rdata->type == 23);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	sub = name_prefix(&name, tctx->origin, &prefix);
-
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_nsap_ptr(ARGS_FROMWIRE) {
-	dns_name_t name;
-
-	REQUIRE(type == 23);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_nsap_ptr(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 23);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_nsap_ptr(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 23);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_nsap_ptr(ARGS_FROMSTRUCT) {
-	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
-	isc_region_t region;
-
-	REQUIRE(type == 23);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(nsap_ptr->common.rdtype == type);
-	REQUIRE(nsap_ptr->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_name_toregion(&nsap_ptr->owner, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_nsap_ptr(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_in_nsap_ptr_t *nsap_ptr = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 23);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	nsap_ptr->common.rdclass = rdata->rdclass;
-	nsap_ptr->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&nsap_ptr->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&nsap_ptr->owner, NULL);
-	RETERR(name_duporclone(&name, mctx, &nsap_ptr->owner));
-	nsap_ptr->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_nsap_ptr(ARGS_FREESTRUCT) {
-	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(nsap_ptr->common.rdclass == 1);
-	REQUIRE(nsap_ptr->common.rdtype == 23);
-
-	if (nsap_ptr->mctx == NULL)
-		return;
-
-	dns_name_free(&nsap_ptr->owner, nsap_ptr->mctx);
-	nsap_ptr->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_nsap_ptr(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 23);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_nsap_ptr(ARGS_DIGEST) {
-	isc_region_t r;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 23);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_nsap_ptr(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 23);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_nsap_ptr(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 23);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_nsap_ptr(ARGS_COMPARE) {
-	return (compare_in_nsap_ptr(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_NSAP_PTR_23_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
deleted file mode 100644
index 14a8b19..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_NSAP_PTR_23_H
-#define IN_1_NSAP_PTR_23_H 1
-
-/* $Id: nsap-ptr_23.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
-
-typedef struct dns_rdata_in_nsap_ptr {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		owner;
-} dns_rdata_in_nsap_ptr_t;
-
-#endif /* IN_1_NSAP_PTR_23_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
deleted file mode 100644
index 66129fe..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
+++ /dev/null
@@ -1,259 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsap_22.c,v 1.44 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
-
-/* RFC1706 */
-
-#ifndef RDATA_IN_1_NSAP_22_C
-#define RDATA_IN_1_NSAP_22_C
-
-#define RRTYPE_NSAP_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_nsap(ARGS_FROMTEXT) {
-	isc_token_t token;
-	isc_textregion_t *sr;
-	int n;
-	int digits;
-	unsigned char c = 0;
-
-	REQUIRE(type == 22);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/* 0x<hex.string.with.periods> */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	sr = &token.value.as_textregion;
-	if (sr->length < 2)
-		RETTOK(ISC_R_UNEXPECTEDEND);
-	if (sr->base[0] != '0' || (sr->base[1] != 'x' && sr->base[1] != 'X'))
-		RETTOK(DNS_R_SYNTAX);
-	isc_textregion_consume(sr, 2);
-	digits = 0;
-	while (sr->length > 0) {
-		if (sr->base[0] == '.') {
-			isc_textregion_consume(sr, 1);
-			continue;
-		}
-		if ((n = hexvalue(sr->base[0])) == -1)
-			RETTOK(DNS_R_SYNTAX);
-		c <<= 4;
-		c += n;
-		if (++digits == 2) {
-			RETERR(mem_tobuffer(target, &c, 1));
-			digits = 0;
-		}
-		isc_textregion_consume(sr, 1);
-	}
-	if (digits)
-		RETTOK(ISC_R_UNEXPECTEDEND);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_nsap(ARGS_TOTEXT) {
-	isc_region_t region;
-	char buf[sizeof("xx")];
-
-	REQUIRE(rdata->type == 22);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(tctx);
-
-	dns_rdata_toregion(rdata, &region);
-	RETERR(str_totext("0x", target));
-	while (region.length != 0) {
-		sprintf(buf, "%02x", region.base[0]);
-		isc_region_consume(&region, 1);
-		RETERR(str_totext(buf, target));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_in_nsap(ARGS_FROMWIRE) {
-	isc_region_t region;
-
-	REQUIRE(type == 22);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(options);
-	UNUSED(rdclass);
-
-	isc_buffer_activeregion(source, &region);
-	if (region.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
-
-	RETERR(mem_tobuffer(target, region.base, region.length));
-	isc_buffer_forward(source, region.length);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_in_nsap(ARGS_TOWIRE) {
-	REQUIRE(rdata->type == 22);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	UNUSED(cctx);
-
-	return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_in_nsap(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 22);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_nsap(ARGS_FROMSTRUCT) {
-	dns_rdata_in_nsap_t *nsap = source;
-
-	REQUIRE(type == 22);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(nsap->common.rdtype == type);
-	REQUIRE(nsap->common.rdclass == rdclass);
-	REQUIRE(nsap->nsap != NULL || nsap->nsap_len == 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (mem_tobuffer(target, nsap->nsap, nsap->nsap_len));
-}
-
-static inline isc_result_t
-tostruct_in_nsap(ARGS_TOSTRUCT) {
-	dns_rdata_in_nsap_t *nsap = target;
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 22);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	nsap->common.rdclass = rdata->rdclass;
-	nsap->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&nsap->common, link);
-
-	dns_rdata_toregion(rdata, &r);
-	nsap->nsap_len = r.length;
-	nsap->nsap = mem_maybedup(mctx, r.base, r.length);
-	if (nsap->nsap == NULL)
-		return (ISC_R_NOMEMORY);
-
-	nsap->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_nsap(ARGS_FREESTRUCT) {
-	dns_rdata_in_nsap_t *nsap = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(nsap->common.rdclass == 1);
-	REQUIRE(nsap->common.rdtype == 22);
-
-	if (nsap->mctx == NULL)
-		return;
-
-	if (nsap->nsap != NULL)
-		isc_mem_free(nsap->mctx, nsap->nsap);
-	nsap->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_nsap(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 22);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_nsap(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 22);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_nsap(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 22);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_nsap(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 22);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_nsap(ARGS_COMPARE) {
-	return (compare_in_nsap(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_NSAP_22_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h
deleted file mode 100644
index 11e3f66..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_NSAP_22_H
-#define IN_1_NSAP_22_H 1
-
-/* $Id: nsap_22.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC1706 */
-
-typedef struct dns_rdata_in_nsap {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*nsap;
-	isc_uint16_t		nsap_len;
-} dns_rdata_in_nsap_t;
-
-#endif /* IN_1_NSAP_22_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/px_26.c b/contrib/bind9/lib/dns/rdata/in_1/px_26.c
deleted file mode 100644
index a4111ad..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/px_26.c
+++ /dev/null
@@ -1,379 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: px_26.c,v 1.45 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
-
-/* RFC2163 */
-
-#ifndef RDATA_IN_1_PX_26_C
-#define RDATA_IN_1_PX_26_C
-
-#define RRTYPE_PX_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_px(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-
-	REQUIRE(type == 26);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Preference.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * MAP822.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
-	/*
-	 * MAPX400.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_px(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	char buf[sizeof("64000")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 26);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	/*
-	 * Preference.
-	 */
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * MAP822.
-	 */
-	dns_name_fromregion(&name, &region);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	isc_region_consume(&region, name_length(&name));
-	RETERR(dns_name_totext(&prefix, sub, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * MAPX400.
-	 */
-	dns_name_fromregion(&name, &region);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	return(dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_px(ARGS_FROMWIRE) {
-	dns_name_t name;
-	isc_region_t sregion;
-
-	REQUIRE(type == 26);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-
-	/*
-	 * Preference.
-	 */
-	isc_buffer_activeregion(source, &sregion);
-	if (sregion.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sregion.base, 2));
-	isc_buffer_forward(source, 2);
-
-	/*
-	 * MAP822.
-	 */
-	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
-	/*
-	 * MAPX400.
-	 */
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_px(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 26);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	/*
-	 * Preference.
-	 */
-	dns_rdata_toregion(rdata, &region);
-	RETERR(mem_tobuffer(target, region.base, 2));
-	isc_region_consume(&region, 2);
-
-	/*
-	 * MAP822.
-	 */
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &region);
-	RETERR(dns_name_towire(&name, cctx, target));
-	isc_region_consume(&region, name_length(&name));
-
-	/*
-	 * MAPX400.
-	 */
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &region);
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_px(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 26);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	order = memcmp(rdata1->data, rdata2->data, 2);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	isc_region_consume(&region1, 2);
-	isc_region_consume(&region2, 2);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	order = dns_name_rdatacompare(&name1, &name2);
-	if (order != 0)
-		return (order);
-
-	isc_region_consume(&region1, name_length(&name1));
-	isc_region_consume(&region2, name_length(&name2));
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_px(ARGS_FROMSTRUCT) {
-	dns_rdata_in_px_t *px = source;
-	isc_region_t region;
-
-	REQUIRE(type == 26);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(px->common.rdtype == type);
-	REQUIRE(px->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(px->preference, target));
-	dns_name_toregion(&px->map822, &region);
-	RETERR(isc_buffer_copyregion(target, &region));
-	dns_name_toregion(&px->mapx400, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_px(ARGS_TOSTRUCT) {
-	dns_rdata_in_px_t *px = target;
-	dns_name_t name;
-	isc_region_t region;
-	isc_result_t result;
-
-	REQUIRE(rdata->type == 26);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	px->common.rdclass = rdata->rdclass;
-	px->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&px->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-
-	px->preference = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-
-	dns_name_fromregion(&name, &region);
-
-	dns_name_init(&px->map822, NULL);
-	RETERR(name_duporclone(&name, mctx, &px->map822));
-	isc_region_consume(&region, name_length(&px->map822));
-
-	dns_name_init(&px->mapx400, NULL);
-	result = name_duporclone(&name, mctx, &px->mapx400);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	px->mctx = mctx;
-	return (result);
-
- cleanup:
-	dns_name_free(&px->map822, mctx);
-	return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_in_px(ARGS_FREESTRUCT) {
-	dns_rdata_in_px_t *px = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(px->common.rdclass == 1);
-	REQUIRE(px->common.rdtype == 26);
-
-	if (px->mctx == NULL)
-		return;
-
-	dns_name_free(&px->map822, px->mctx);
-	dns_name_free(&px->mapx400, px->mctx);
-	px->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_px(ARGS_ADDLDATA) {
-	REQUIRE(rdata->type == 26);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_px(ARGS_DIGEST) {
-	isc_region_t r1, r2;
-	dns_name_t name;
-	isc_result_t result;
-
-	REQUIRE(rdata->type == 26);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r1);
-	r2 = r1;
-	isc_region_consume(&r2, 2);
-	r1.length = 2;
-	result = (digest)(arg, &r1);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r2);
-	result = dns_name_digest(&name, digest, arg);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_region_consume(&r2, name_length(&name));
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r2);
-
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_px(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 26);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_px(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 26);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_px(ARGS_COMPARE) {
-	return (compare_in_px(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_PX_26_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/px_26.h b/contrib/bind9/lib/dns/rdata/in_1/px_26.h
deleted file mode 100644
index 69a7bae..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/px_26.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_PX_26_H
-#define IN_1_PX_26_H 1
-
-/* $Id: px_26.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC2163 */
-
-typedef struct dns_rdata_in_px {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		preference;
-	dns_name_t		map822;
-	dns_name_t		mapx400;
-} dns_rdata_in_px_t;
-
-#endif /* IN_1_PX_26_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/srv_33.c b/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
deleted file mode 100644
index ea4f3ed..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
+++ /dev/null
@@ -1,378 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: srv_33.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
-
-/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
-
-/* RFC2782 */
-
-#ifndef RDATA_IN_1_SRV_33_C
-#define RDATA_IN_1_SRV_33_C
-
-#define RRTYPE_SRV_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_srv(ARGS_FROMTEXT) {
-	isc_token_t token;
-	dns_name_t name;
-	isc_buffer_t buffer;
-	isc_boolean_t ok;
-
-	REQUIRE(type == 33);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(callbacks);
-
-	/*
-	 * Priority.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Weight.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Port.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
-				      ISC_FALSE));
-	if (token.value.as_ulong > 0xffffU)
-		RETTOK(ISC_R_RANGE);
-	RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
-	/*
-	 * Target.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region);
-	origin = (origin != NULL) ? origin : dns_rootname;
-	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-	ok = ISC_TRUE;
-	if ((options & DNS_RDATA_CHECKNAMES) != 0)
-		ok = dns_name_ishostname(&name, ISC_FALSE);
-	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
-		RETTOK(DNS_R_BADNAME);
-	if (!ok && callbacks != NULL)
-		warn_badname(&name, lexer, callbacks);
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_srv(ARGS_TOTEXT) {
-	isc_region_t region;
-	dns_name_t name;
-	dns_name_t prefix;
-	isc_boolean_t sub;
-	char buf[sizeof("64000")];
-	unsigned short num;
-
-	REQUIRE(rdata->type == 33);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_name_init(&name, NULL);
-	dns_name_init(&prefix, NULL);
-
-	/*
-	 * Priority.
-	 */
-	dns_rdata_toregion(rdata, &region);
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Weight.
-	 */
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Port.
-	 */
-	num = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
-	RETERR(str_totext(buf, target));
-	RETERR(str_totext(" ", target));
-
-	/*
-	 * Target.
-	 */
-	dns_name_fromregion(&name, &region);
-	sub = name_prefix(&name, tctx->origin, &prefix);
-	return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_srv(ARGS_FROMWIRE) {
-	dns_name_t name;
-	isc_region_t sr;
-
-	REQUIRE(type == 33);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
-	dns_name_init(&name, NULL);
-
-	/*
-	 * Priority, weight, port.
-	 */
-	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 6)
-		return (ISC_R_UNEXPECTEDEND);
-	RETERR(mem_tobuffer(target, sr.base, 6));
-	isc_buffer_forward(source, 6);
-
-	/*
-	 * Target.
-	 */
-	return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_srv(ARGS_TOWIRE) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t sr;
-
-	REQUIRE(rdata->type == 33);
-	REQUIRE(rdata->length != 0);
-
-	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-	/*
-	 * Priority, weight, port.
-	 */
-	dns_rdata_toregion(rdata, &sr);
-	RETERR(mem_tobuffer(target, sr.base, 6));
-	isc_region_consume(&sr, 6);
-
-	/*
-	 * Target.
-	 */
-	dns_name_init(&name, offsets);
-	dns_name_fromregion(&name, &sr);
-	return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_srv(ARGS_COMPARE) {
-	dns_name_t name1;
-	dns_name_t name2;
-	isc_region_t region1;
-	isc_region_t region2;
-	int order;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 33);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	/*
-	 * Priority, weight, port.
-	 */
-	order = memcmp(rdata1->data, rdata2->data, 6);
-	if (order != 0)
-		return (order < 0 ? -1 : 1);
-
-	/*
-	 * Target.
-	 */
-	dns_name_init(&name1, NULL);
-	dns_name_init(&name2, NULL);
-
-	dns_rdata_toregion(rdata1, &region1);
-	dns_rdata_toregion(rdata2, &region2);
-
-	isc_region_consume(&region1, 6);
-	isc_region_consume(&region2, 6);
-
-	dns_name_fromregion(&name1, &region1);
-	dns_name_fromregion(&name2, &region2);
-
-	return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_srv(ARGS_FROMSTRUCT) {
-	dns_rdata_in_srv_t *srv = source;
-	isc_region_t region;
-
-	REQUIRE(type == 33);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(srv->common.rdtype == type);
-	REQUIRE(srv->common.rdclass == rdclass);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	RETERR(uint16_tobuffer(srv->priority, target));
-	RETERR(uint16_tobuffer(srv->weight, target));
-	RETERR(uint16_tobuffer(srv->port, target));
-	dns_name_toregion(&srv->target, &region);
-	return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_srv(ARGS_TOSTRUCT) {
-	isc_region_t region;
-	dns_rdata_in_srv_t *srv = target;
-	dns_name_t name;
-
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->type == 33);
-	REQUIRE(target != NULL);
-	REQUIRE(rdata->length != 0);
-
-	srv->common.rdclass = rdata->rdclass;
-	srv->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&srv->common, link);
-
-	dns_name_init(&name, NULL);
-	dns_rdata_toregion(rdata, &region);
-	srv->priority = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	srv->weight = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	srv->port = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	dns_name_fromregion(&name, &region);
-	dns_name_init(&srv->target, NULL);
-	RETERR(name_duporclone(&name, mctx, &srv->target));
-	srv->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_srv(ARGS_FREESTRUCT) {
-	dns_rdata_in_srv_t *srv = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(srv->common.rdclass == 1);
-	REQUIRE(srv->common.rdtype == 33);
-
-	if (srv->mctx == NULL)
-		return;
-
-	dns_name_free(&srv->target, srv->mctx);
-	srv->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_srv(ARGS_ADDLDATA) {
-	dns_name_t name;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 33);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_name_init(&name, offsets);
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 6);
-	dns_name_fromregion(&name, &region);
-
-	return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_in_srv(ARGS_DIGEST) {
-	isc_region_t r1, r2;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 33);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r1);
-	r2 = r1;
-	isc_region_consume(&r2, 6);
-	r1.length = 6;
-	RETERR((digest)(arg, &r1));
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &r2);
-	return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_srv(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 33);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(name);
-	UNUSED(type);
-	UNUSED(rdclass);
-	UNUSED(wildcard);
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_srv(ARGS_CHECKNAMES) {
-	isc_region_t region;
-	dns_name_t name;
-
-	REQUIRE(rdata->type == 33);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(owner);
-
-	dns_rdata_toregion(rdata, &region);
-	isc_region_consume(&region, 6);
-	dns_name_init(&name, NULL);
-	dns_name_fromregion(&name, &region);
-	if (!dns_name_ishostname(&name, ISC_FALSE)) {
-		if (bad != NULL)
-			dns_name_clone(&name, bad);
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_srv(ARGS_COMPARE) {
-	return (compare_in_srv(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_SRV_33_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/srv_33.h b/contrib/bind9/lib/dns/rdata/in_1/srv_33.h
deleted file mode 100644
index e019698..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/srv_33.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_SRV_33_H
-#define IN_1_SRV_33_H 1
-
-/* $Id: srv_33.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
-
-/*! 
- *  \brief Per RFC2782 */
-
-typedef struct dns_rdata_in_srv {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		priority;
-	isc_uint16_t		weight;
-	isc_uint16_t		port;
-	dns_name_t		target;
-} dns_rdata_in_srv_t;
-
-#endif /* IN_1_SRV_33_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/wks_11.c b/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
deleted file mode 100644
index 1da2611..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
+++ /dev/null
@@ -1,383 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
-
-#ifndef RDATA_IN_1_WKS_11_C
-#define RDATA_IN_1_WKS_11_C
-
-#include <limits.h>
-#include <stdlib.h>
-
-#include <isc/net.h>
-#include <isc/netdb.h>
-#include <isc/once.h>
-
-#define RRTYPE_WKS_ATTRIBUTES (0)
-
-static isc_mutex_t wks_lock;
-
-static void init_lock(void) {
-	RUNTIME_CHECK(isc_mutex_init(&wks_lock) == ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-mygetprotobyname(const char *name, long *proto) {
-	struct protoent *pe;
-
-	LOCK(&wks_lock);
-	pe = getprotobyname(name);
-	if (pe != NULL)
-		*proto = pe->p_proto;
-	UNLOCK(&wks_lock);
-	return (ISC_TF(pe != NULL));
-}
-
-static isc_boolean_t
-mygetservbyname(const char *name, const char *proto, long *port) {
-	struct servent *se;
-
-	LOCK(&wks_lock);
-	se = getservbyname(name, proto);
-	if (se != NULL)
-		*port = ntohs(se->s_port);
-	UNLOCK(&wks_lock);
-	return (ISC_TF(se != NULL));
-}
-
-static inline isc_result_t
-fromtext_in_wks(ARGS_FROMTEXT) {
-	static isc_once_t once = ISC_ONCE_INIT;
-	isc_token_t token;
-	isc_region_t region;
-	struct in_addr addr;
-	char *e;
-	long proto;
-	unsigned char bm[8*1024]; /* 64k bits */
-	long port;
-	long maxport = -1;
-	const char *ps = NULL;
-	unsigned int n;
-	char service[32];
-	int i;
-
-	REQUIRE(type == 11);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(origin);
-	UNUSED(options);
-	UNUSED(rdclass);
-
-	RUNTIME_CHECK(isc_once_do(&once, init_lock) == ISC_R_SUCCESS);
-
-	/*
-	 * IPv4 dotted quad.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	isc_buffer_availableregion(target, &region);
-	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
-		RETTOK(DNS_R_BADDOTTEDQUAD);
-	if (region.length < 4)
-		return (ISC_R_NOSPACE);
-	memcpy(region.base, &addr, 4);
-	isc_buffer_add(target, 4);
-
-	/*
-	 * Protocol.
-	 */
-	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
-				      ISC_FALSE));
-
-	proto = strtol(DNS_AS_STR(token), &e, 10);
-	if (*e == 0)
-		;
-	else if (!mygetprotobyname(DNS_AS_STR(token), &proto))
-		RETTOK(DNS_R_UNKNOWNPROTO);
-
-	if (proto < 0 || proto > 0xff)
-		RETTOK(ISC_R_RANGE);
-
-	if (proto == IPPROTO_TCP)
-		ps = "tcp";
-	else if (proto == IPPROTO_UDP)
-		ps = "udp";
-
-	RETERR(uint8_tobuffer(proto, target));
-
-	memset(bm, 0, sizeof(bm));
-	do {
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string, ISC_TRUE));
-		if (token.type != isc_tokentype_string)
-			break;
-
-		/*
-		 * Lowercase the service string as some getservbyname() are
-		 * case sensitive and the database is usually in lowercase.
-		 */
-		strncpy(service, DNS_AS_STR(token), sizeof(service));
-		service[sizeof(service)-1] = '\0';
-		for (i = strlen(service) - 1; i >= 0; i--)
-			if (isupper(service[i]&0xff))
-				service[i] = tolower(service[i]&0xff);
-
-		port = strtol(DNS_AS_STR(token), &e, 10);
-		if (*e == 0)
-			;
-		else if (!mygetservbyname(service, ps, &port) &&
-			 !mygetservbyname(DNS_AS_STR(token), ps, &port))
-			RETTOK(DNS_R_UNKNOWNSERVICE);
-		if (port < 0 || port > 0xffff)
-			RETTOK(ISC_R_RANGE);
-		if (port > maxport)
-			maxport = port;
-		bm[port / 8] |= (0x80 >> (port % 8));
-	} while (1);
-
-	/*
-	 * Let upper layer handle eol/eof.
-	 */
-	isc_lex_ungettoken(lexer, &token);
-
-	n = (maxport + 8) / 8;
-	return (mem_tobuffer(target, bm, n));
-}
-
-static inline isc_result_t
-totext_in_wks(ARGS_TOTEXT) {
-	isc_region_t sr;
-	unsigned short proto;
-	char buf[sizeof("65535")];
-	unsigned int i, j;
-
-	UNUSED(tctx);
-
-	REQUIRE(rdata->type == 11);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length >= 5);
-
-	dns_rdata_toregion(rdata, &sr);
-	RETERR(inet_totext(AF_INET, &sr, target));
-	isc_region_consume(&sr, 4);
-
-	proto = uint8_fromregion(&sr);
-	sprintf(buf, "%u", proto);
-	RETERR(str_totext(" ", target));
-	RETERR(str_totext(buf, target));
-	isc_region_consume(&sr, 1);
-
-	INSIST(sr.length <= 8*1024);
-	for (i = 0; i < sr.length; i++) {
-		if (sr.base[i] != 0)
-			for (j = 0; j < 8; j++)
-				if ((sr.base[i] & (0x80 >> j)) != 0) {
-					sprintf(buf, "%u", i * 8 + j);
-					RETERR(str_totext(" ", target));
-					RETERR(str_totext(buf, target));
-				}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_in_wks(ARGS_FROMWIRE) {
-	isc_region_t sr;
-	isc_region_t tr;
-
-	REQUIRE(type == 11);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(dctx);
-	UNUSED(options);
-	UNUSED(rdclass);
-
-	isc_buffer_activeregion(source, &sr);
-	isc_buffer_availableregion(target, &tr);
-
-	if (sr.length < 5)
-		return (ISC_R_UNEXPECTEDEND);
-	if (sr.length > 8 * 1024 + 5)
-		return (DNS_R_EXTRADATA);
-	if (tr.length < sr.length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(tr.base, sr.base, sr.length);
-	isc_buffer_add(target, sr.length);
-	isc_buffer_forward(source, sr.length);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_in_wks(ARGS_TOWIRE) {
-	isc_region_t sr;
-
-	UNUSED(cctx);
-
-	REQUIRE(rdata->type == 11);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	dns_rdata_toregion(rdata, &sr);
-	return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_in_wks(ARGS_COMPARE) {
-	isc_region_t r1;
-	isc_region_t r2;
-
-	REQUIRE(rdata1->type == rdata2->type);
-	REQUIRE(rdata1->rdclass == rdata2->rdclass);
-	REQUIRE(rdata1->type == 11);
-	REQUIRE(rdata1->rdclass == 1);
-	REQUIRE(rdata1->length != 0);
-	REQUIRE(rdata2->length != 0);
-
-	dns_rdata_toregion(rdata1, &r1);
-	dns_rdata_toregion(rdata2, &r2);
-	return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_wks(ARGS_FROMSTRUCT) {
-	dns_rdata_in_wks_t *wks = source;
-	isc_uint32_t a;
-
-	REQUIRE(type == 11);
-	REQUIRE(rdclass == 1);
-	REQUIRE(source != NULL);
-	REQUIRE(wks->common.rdtype == type);
-	REQUIRE(wks->common.rdclass == rdclass);
-	REQUIRE((wks->map != NULL && wks->map_len <= 8*1024) ||
-		 wks->map_len == 0);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	a = ntohl(wks->in_addr.s_addr);
-	RETERR(uint32_tobuffer(a, target));
-	RETERR(uint16_tobuffer(wks->protocol, target));
-	return (mem_tobuffer(target, wks->map, wks->map_len));
-}
-
-static inline isc_result_t
-tostruct_in_wks(ARGS_TOSTRUCT) {
-	dns_rdata_in_wks_t *wks = target;
-	isc_uint32_t n;
-	isc_region_t region;
-
-	REQUIRE(rdata->type == 11);
-	REQUIRE(rdata->rdclass == 1);
-	REQUIRE(rdata->length != 0);
-
-	wks->common.rdclass = rdata->rdclass;
-	wks->common.rdtype = rdata->type;
-	ISC_LINK_INIT(&wks->common, link);
-
-	dns_rdata_toregion(rdata, &region);
-	n = uint32_fromregion(&region);
-	wks->in_addr.s_addr = htonl(n);
-	isc_region_consume(&region, 4);
-	wks->protocol = uint16_fromregion(&region);
-	isc_region_consume(&region, 2);
-	wks->map_len = region.length;
-	wks->map = mem_maybedup(mctx, region.base, region.length);
-	if (wks->map == NULL)
-		return (ISC_R_NOMEMORY);
-	wks->mctx = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_wks(ARGS_FREESTRUCT) {
-	dns_rdata_in_wks_t *wks = source;
-
-	REQUIRE(source != NULL);
-	REQUIRE(wks->common.rdtype == 11);
-	REQUIRE(wks->common.rdclass == 1);
-
-	if (wks->mctx == NULL)
-		return;
-
-	if (wks->map != NULL)
-		isc_mem_free(wks->mctx, wks->map);
-	wks->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_wks(ARGS_ADDLDATA) {
-	UNUSED(rdata);
-	UNUSED(add);
-	UNUSED(arg);
-
-	REQUIRE(rdata->type == 11);
-	REQUIRE(rdata->rdclass == 1);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_wks(ARGS_DIGEST) {
-	isc_region_t r;
-
-	REQUIRE(rdata->type == 11);
-	REQUIRE(rdata->rdclass == 1);
-
-	dns_rdata_toregion(rdata, &r);
-
-	return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_wks(ARGS_CHECKOWNER) {
-
-	REQUIRE(type == 11);
-	REQUIRE(rdclass == 1);
-
-	UNUSED(type);
-	UNUSED(rdclass);
-
-	return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_in_wks(ARGS_CHECKNAMES) {
-
-	REQUIRE(rdata->type == 11);
-	REQUIRE(rdata->rdclass == 1);
-
-	UNUSED(rdata);
-	UNUSED(owner);
-	UNUSED(bad);
-
-	return (ISC_TRUE);
-}
-
-static inline int
-casecompare_in_wks(ARGS_COMPARE) {
-	return (compare_in_wks(rdata1, rdata2));
-}
-
-#endif	/* RDATA_IN_1_WKS_11_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/wks_11.h b/contrib/bind9/lib/dns/rdata/in_1/wks_11.h
deleted file mode 100644
index 2fd26e8..0000000
--- a/contrib/bind9/lib/dns/rdata/in_1/wks_11.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_WKS_11_H
-#define IN_1_WKS_11_H 1
-
-/* $Id: wks_11.h,v 1.22 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef	struct dns_rdata_in_wks {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	struct in_addr		in_addr;
-	isc_uint16_t		protocol;
-	unsigned char		*map;
-	isc_uint16_t		map_len;
-} dns_rdata_in_wks_t;
-
-#endif /* IN_1_WKS_11_H */
diff --git a/contrib/bind9/lib/dns/rdata/rdatastructpre.h b/contrib/bind9/lib/dns/rdata/rdatastructpre.h
deleted file mode 100644
index ab7e051..0000000
--- a/contrib/bind9/lib/dns/rdata/rdatastructpre.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatastructpre.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_RDATASTRUCT_H
-#define DNS_RDATASTRUCT_H 1
-
-#include <isc/lang.h>
-#include <isc/sockaddr.h>
-
-#include <dns/name.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef struct dns_rdatacommon {
-	dns_rdataclass_t			rdclass;
-	dns_rdatatype_t				rdtype;
-	ISC_LINK(struct dns_rdatacommon)	link;
-} dns_rdatacommon_t;
-
-#define DNS_RDATACOMMON_INIT(_data, _rdtype, _rdclass) \
-	do { \
-		(_data)->common.rdtype = (_rdtype); \
-		(_data)->common.rdclass = (_rdclass); \
-		ISC_LINK_INIT(&(_data)->common, link); \
-	} while (0)
diff --git a/contrib/bind9/lib/dns/rdata/rdatastructsuf.h b/contrib/bind9/lib/dns/rdata/rdatastructsuf.h
deleted file mode 100644
index 3ba1275..0000000
--- a/contrib/bind9/lib/dns/rdata/rdatastructsuf.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatastructsuf.h,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATASTRUCT_H */
diff --git a/contrib/bind9/lib/dns/rdatalist.c b/contrib/bind9/lib/dns/rdatalist.c
deleted file mode 100644
index 63d8b11..0000000
--- a/contrib/bind9/lib/dns/rdatalist.c
+++ /dev/null
@@ -1,369 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2010-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/util.h>
-
-#include <dns/name.h>
-#include <dns/nsec3.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-
-#include "rdatalist_p.h"
-
-static dns_rdatasetmethods_t methods = {
-	isc__rdatalist_disassociate,
-	isc__rdatalist_first,
-	isc__rdatalist_next,
-	isc__rdatalist_current,
-	isc__rdatalist_clone,
-	isc__rdatalist_count,
-	isc__rdatalist_addnoqname,
-	isc__rdatalist_getnoqname,
-	isc__rdatalist_addclosest,
-	isc__rdatalist_getclosest,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL
-};
-
-void
-dns_rdatalist_init(dns_rdatalist_t *rdatalist) {
-
-	REQUIRE(rdatalist != NULL);
-
-	/*
-	 * Initialize rdatalist.
-	 */
-
-	rdatalist->rdclass = 0;
-	rdatalist->type = 0;
-	rdatalist->covers = 0;
-	rdatalist->ttl = 0;
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LINK_INIT(rdatalist, link);
-}
-
-isc_result_t
-dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
-			 dns_rdataset_t *rdataset)
-{
-	/*
-	 * Make 'rdataset' refer to the rdata in 'rdatalist'.
-	 */
-
-	REQUIRE(rdatalist != NULL);
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(! dns_rdataset_isassociated(rdataset));
-
-	rdataset->methods = &methods;
-	rdataset->rdclass = rdatalist->rdclass;
-	rdataset->type = rdatalist->type;
-	rdataset->covers = rdatalist->covers;
-	rdataset->ttl = rdatalist->ttl;
-	rdataset->trust = 0;
-	rdataset->private1 = rdatalist;
-	rdataset->private2 = NULL;
-	rdataset->private3 = NULL;
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset,
-			   dns_rdatalist_t **rdatalist)
-{
-	REQUIRE(rdatalist != NULL && rdataset != NULL);
-	*rdatalist = rdataset->private1;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc__rdatalist_disassociate(dns_rdataset_t *rdataset) {
-	UNUSED(rdataset);
-}
-
-isc_result_t
-isc__rdatalist_first(dns_rdataset_t *rdataset) {
-	dns_rdatalist_t *rdatalist;
-
-	rdatalist = rdataset->private1;
-	rdataset->private2 = ISC_LIST_HEAD(rdatalist->rdata);
-
-	if (rdataset->private2 == NULL)
-		return (ISC_R_NOMORE);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc__rdatalist_next(dns_rdataset_t *rdataset) {
-	dns_rdata_t *rdata;
-
-	REQUIRE(rdataset != NULL);
-
-	rdata = rdataset->private2;
-	if (rdata == NULL)
-		return (ISC_R_NOMORE);
-
-	rdataset->private2 = ISC_LIST_NEXT(rdata, link);
-
-	if (rdataset->private2 == NULL)
-		return (ISC_R_NOMORE);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	dns_rdata_t *list_rdata;
-
-	REQUIRE(rdataset != NULL);
-
-	list_rdata = rdataset->private2;
-	INSIST(list_rdata != NULL);
-
-	dns_rdata_clone(list_rdata, rdata);
-}
-
-void
-isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-
-	REQUIRE(source != NULL);
-	REQUIRE(target != NULL);
-
-	*target = *source;
-
-	/*
-	 * Reset iterator state.
-	 */
-	target->private2 = NULL;
-}
-
-unsigned int
-isc__rdatalist_count(dns_rdataset_t *rdataset) {
-	dns_rdatalist_t *rdatalist;
-	dns_rdata_t *rdata;
-	unsigned int count;
-
-	REQUIRE(rdataset != NULL);
-
-	rdatalist = rdataset->private1;
-
-	count = 0;
-	for (rdata = ISC_LIST_HEAD(rdatalist->rdata);
-	     rdata != NULL;
-	     rdata = ISC_LIST_NEXT(rdata, link))
-		count++;
-
-	return (count);
-}
-
-isc_result_t
-isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
-	dns_rdataset_t *neg = NULL;
-	dns_rdataset_t *negsig = NULL;
-	dns_rdataset_t *rdset;
-	dns_ttl_t ttl;
-
-	REQUIRE(rdataset != NULL);
-
-	for (rdset = ISC_LIST_HEAD(name->list);
-	     rdset != NULL;
-	     rdset = ISC_LIST_NEXT(rdset, link))
-	{
-		if (rdset->rdclass != rdataset->rdclass)
-			continue;
-		if (rdset->type == dns_rdatatype_nsec ||
-		    rdset->type == dns_rdatatype_nsec3)
-			neg = rdset;
-	}
-	if (neg == NULL)
-		return (ISC_R_NOTFOUND);
-
-	for (rdset = ISC_LIST_HEAD(name->list);
-	     rdset != NULL;
-	     rdset = ISC_LIST_NEXT(rdset, link))
-	{
-		if (rdset->type == dns_rdatatype_rrsig &&
-		    rdset->covers == neg->type)
-			negsig = rdset;
-	}
-
-	if (negsig == NULL)
-		return (ISC_R_NOTFOUND);
-	/*
-	 * Minimise ttl.
-	 */
-	ttl = rdataset->ttl;
-	if (neg->ttl < ttl)
-		ttl = neg->ttl;
-	if (negsig->ttl < ttl)
-		ttl = negsig->ttl;
-	rdataset->ttl = neg->ttl = negsig->ttl = ttl;
-	rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
-	rdataset->private6 = name;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
-			  dns_rdataset_t *neg, dns_rdataset_t *negsig)
-{
-	dns_rdataclass_t rdclass = rdataset->rdclass;
-	dns_rdataset_t *tneg = NULL;
-	dns_rdataset_t *tnegsig = NULL;
-	dns_name_t *noqname = rdataset->private6;
-
-	REQUIRE(rdataset != NULL);
-	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0);
-
-	(void)dns_name_dynamic(noqname);	/* Sanity Check. */
-
-	for (rdataset = ISC_LIST_HEAD(noqname->list);
-	     rdataset != NULL;
-	     rdataset = ISC_LIST_NEXT(rdataset, link))
-	{
-		if (rdataset->rdclass != rdclass)
-			continue;
-		if (rdataset->type == dns_rdatatype_nsec ||
-		    rdataset->type == dns_rdatatype_nsec3)
-			tneg = rdataset;
-	}
-	if (tneg == NULL)
-		return (ISC_R_NOTFOUND);
-
-	for (rdataset = ISC_LIST_HEAD(noqname->list);
-	     rdataset != NULL;
-	     rdataset = ISC_LIST_NEXT(rdataset, link))
-	{
-		if (rdataset->type == dns_rdatatype_rrsig &&
-		    rdataset->covers == tneg->type)
-			tnegsig = rdataset;
-	}
-	if (tnegsig == NULL)
-		return (ISC_R_NOTFOUND);
-
-	dns_name_clone(noqname, name);
-	dns_rdataset_clone(tneg, neg);
-	dns_rdataset_clone(tnegsig, negsig);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc__rdatalist_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) {
-	dns_rdataset_t *neg = NULL;
-	dns_rdataset_t *negsig = NULL;
-	dns_rdataset_t *rdset;
-	dns_ttl_t ttl;
-
-	REQUIRE(rdataset != NULL);
-
-	for (rdset = ISC_LIST_HEAD(name->list);
-	     rdset != NULL;
-	     rdset = ISC_LIST_NEXT(rdset, link))
-	{
-		if (rdset->rdclass != rdataset->rdclass)
-			continue;
-		if (rdset->type == dns_rdatatype_nsec ||
-		    rdset->type == dns_rdatatype_nsec3)
-			neg = rdset;
-	}
-	if (neg == NULL)
-		return (ISC_R_NOTFOUND);
-
-	for (rdset = ISC_LIST_HEAD(name->list);
-	     rdset != NULL;
-	     rdset = ISC_LIST_NEXT(rdset, link))
-	{
-		if (rdset->type == dns_rdatatype_rrsig &&
-		    rdset->covers == neg->type)
-			negsig = rdset;
-	}
-
-	if (negsig == NULL)
-		return (ISC_R_NOTFOUND);
-	/*
-	 * Minimise ttl.
-	 */
-	ttl = rdataset->ttl;
-	if (neg->ttl < ttl)
-		ttl = neg->ttl;
-	if (negsig->ttl < ttl)
-		ttl = negsig->ttl;
-	rdataset->ttl = neg->ttl = negsig->ttl = ttl;
-	rdataset->attributes |= DNS_RDATASETATTR_CLOSEST;
-	rdataset->private7 = name;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
-			  dns_rdataset_t *neg, dns_rdataset_t *negsig)
-{
-	dns_rdataclass_t rdclass = rdataset->rdclass;
-	dns_rdataset_t *tneg = NULL;
-	dns_rdataset_t *tnegsig = NULL;
-	dns_name_t *closest = rdataset->private7;
-
-	REQUIRE(rdataset != NULL);
-	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0);
-
-	(void)dns_name_dynamic(closest);	/* Sanity Check. */
-
-	for (rdataset = ISC_LIST_HEAD(closest->list);
-	     rdataset != NULL;
-	     rdataset = ISC_LIST_NEXT(rdataset, link))
-	{
-		if (rdataset->rdclass != rdclass)
-			continue;
-		if (rdataset->type == dns_rdatatype_nsec ||
-		    rdataset->type == dns_rdatatype_nsec3)
-			tneg = rdataset;
-	}
-	if (tneg == NULL)
-		return (ISC_R_NOTFOUND);
-
-	for (rdataset = ISC_LIST_HEAD(closest->list);
-	     rdataset != NULL;
-	     rdataset = ISC_LIST_NEXT(rdataset, link))
-	{
-		if (rdataset->type == dns_rdatatype_rrsig &&
-		    rdataset->covers == tneg->type)
-			tnegsig = rdataset;
-	}
-	if (tnegsig == NULL)
-		return (ISC_R_NOTFOUND);
-
-	dns_name_clone(closest, name);
-	dns_rdataset_clone(tneg, neg);
-	dns_rdataset_clone(tnegsig, negsig);
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/rdatalist_p.h b/contrib/bind9/lib/dns/rdatalist_p.h
deleted file mode 100644
index 3e73e20..0000000
--- a/contrib/bind9/lib/dns/rdatalist_p.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatalist_p.h,v 1.11 2008/09/25 04:02:38 tbox Exp $ */
-
-#ifndef DNS_RDATALIST_P_H
-#define DNS_RDATALIST_P_H
-
-/*! \file */
-
-#include <isc/result.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-void
-isc__rdatalist_disassociate(dns_rdataset_t *rdatasetp);
-
-isc_result_t
-isc__rdatalist_first(dns_rdataset_t *rdataset);
-
-isc_result_t
-isc__rdatalist_next(dns_rdataset_t *rdataset);
-
-void
-isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
-
-void
-isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target);
-
-unsigned int
-isc__rdatalist_count(dns_rdataset_t *rdataset);
-
-isc_result_t
-isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
-
-isc_result_t
-isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
-			  dns_rdataset_t *neg, dns_rdataset_t *negsig);
-
-isc_result_t
-isc__rdatalist_addclosest(dns_rdataset_t *rdataset, dns_name_t *name);
-
-isc_result_t
-isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
-			  dns_rdataset_t *neg, dns_rdataset_t *negsig);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATALIST_P_H */
diff --git a/contrib/bind9/lib/dns/rdataset.c b/contrib/bind9/lib/dns/rdataset.c
deleted file mode 100644
index 026d771..0000000
--- a/contrib/bind9/lib/dns/rdataset.c
+++ /dev/null
@@ -1,802 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/random.h>
-#include <isc/serial.h>
-#include <isc/util.h>
-
-#include <dns/name.h>
-#include <dns/ncache.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/compress.h>
-
-static const char *trustnames[] = {
-	"none",
-	"pending-additional",
-	"pending-answer",
-	"additional",
-	"glue",
-	"answer",
-	"authauthority",
-	"authanswer",
-	"secure",
-	"local" /* aka ultimate */
-};
-
-const char *
-dns_trust_totext(dns_trust_t trust) {
-	if (trust >= sizeof(trustnames)/sizeof(*trustnames))
-		return ("bad");
-	return (trustnames[trust]);
-}
-
-void
-dns_rdataset_init(dns_rdataset_t *rdataset) {
-
-	/*
-	 * Make 'rdataset' a valid, disassociated rdataset.
-	 */
-
-	REQUIRE(rdataset != NULL);
-
-	rdataset->magic = DNS_RDATASET_MAGIC;
-	rdataset->methods = NULL;
-	ISC_LINK_INIT(rdataset, link);
-	rdataset->rdclass = 0;
-	rdataset->type = 0;
-	rdataset->ttl = 0;
-	rdataset->trust = 0;
-	rdataset->covers = 0;
-	rdataset->attributes = 0;
-	rdataset->count = ISC_UINT32_MAX;
-	rdataset->private1 = NULL;
-	rdataset->private2 = NULL;
-	rdataset->private3 = NULL;
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-	rdataset->private6 = NULL;
-	rdataset->resign = 0;
-}
-
-void
-dns_rdataset_invalidate(dns_rdataset_t *rdataset) {
-
-	/*
-	 * Invalidate 'rdataset'.
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods == NULL);
-
-	rdataset->magic = 0;
-	ISC_LINK_INIT(rdataset, link);
-	rdataset->rdclass = 0;
-	rdataset->type = 0;
-	rdataset->ttl = 0;
-	rdataset->trust = 0;
-	rdataset->covers = 0;
-	rdataset->attributes = 0;
-	rdataset->count = ISC_UINT32_MAX;
-	rdataset->private1 = NULL;
-	rdataset->private2 = NULL;
-	rdataset->private3 = NULL;
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-}
-
-void
-dns_rdataset_disassociate(dns_rdataset_t *rdataset) {
-
-	/*
-	 * Disassociate 'rdataset' from its rdata, allowing it to be reused.
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	(rdataset->methods->disassociate)(rdataset);
-	rdataset->methods = NULL;
-	ISC_LINK_INIT(rdataset, link);
-	rdataset->rdclass = 0;
-	rdataset->type = 0;
-	rdataset->ttl = 0;
-	rdataset->trust = 0;
-	rdataset->covers = 0;
-	rdataset->attributes = 0;
-	rdataset->count = ISC_UINT32_MAX;
-	rdataset->private1 = NULL;
-	rdataset->private2 = NULL;
-	rdataset->private3 = NULL;
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-	rdataset->private6 = NULL;
-}
-
-isc_boolean_t
-dns_rdataset_isassociated(dns_rdataset_t *rdataset) {
-	/*
-	 * Is 'rdataset' associated?
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-
-	if (rdataset->methods != NULL)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-static void
-question_disassociate(dns_rdataset_t *rdataset) {
-	UNUSED(rdataset);
-}
-
-static isc_result_t
-question_cursor(dns_rdataset_t *rdataset) {
-	UNUSED(rdataset);
-
-	return (ISC_R_NOMORE);
-}
-
-static void
-question_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	/*
-	 * This routine should never be called.
-	 */
-	UNUSED(rdataset);
-	UNUSED(rdata);
-
-	REQUIRE(0);
-}
-
-static void
-question_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-	*target = *source;
-}
-
-static unsigned int
-question_count(dns_rdataset_t *rdataset) {
-	/*
-	 * This routine should never be called.
-	 */
-	UNUSED(rdataset);
-	REQUIRE(0);
-
-	return (0);
-}
-
-static dns_rdatasetmethods_t question_methods = {
-	question_disassociate,
-	question_cursor,
-	question_cursor,
-	question_current,
-	question_clone,
-	question_count,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL
-};
-
-void
-dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
-			  dns_rdatatype_t type)
-{
-
-	/*
-	 * Make 'rdataset' a valid, associated, question rdataset, with a
-	 * question class of 'rdclass' and type 'type'.
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods == NULL);
-
-	rdataset->methods = &question_methods;
-	rdataset->rdclass = rdclass;
-	rdataset->type = type;
-	rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
-}
-
-unsigned int
-dns_rdataset_count(dns_rdataset_t *rdataset) {
-
-	/*
-	 * Return the number of records in 'rdataset'.
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	return ((rdataset->methods->count)(rdataset));
-}
-
-void
-dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-
-	/*
-	 * Make 'target' refer to the same rdataset as 'source'.
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(source));
-	REQUIRE(source->methods != NULL);
-	REQUIRE(DNS_RDATASET_VALID(target));
-	REQUIRE(target->methods == NULL);
-
-	(source->methods->clone)(source, target);
-}
-
-isc_result_t
-dns_rdataset_first(dns_rdataset_t *rdataset) {
-
-	/*
-	 * Move the rdata cursor to the first rdata in the rdataset (if any).
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	return ((rdataset->methods->first)(rdataset));
-}
-
-isc_result_t
-dns_rdataset_next(dns_rdataset_t *rdataset) {
-
-	/*
-	 * Move the rdata cursor to the next rdata in the rdataset (if any).
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	return ((rdataset->methods->next)(rdataset));
-}
-
-void
-dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-
-	/*
-	 * Make 'rdata' refer to the current rdata.
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	(rdataset->methods->current)(rdataset, rdata);
-}
-
-#define MAX_SHUFFLE	32
-#define WANT_FIXED(r)	(((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0)
-#define WANT_RANDOM(r)	(((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0)
-
-struct towire_sort {
-	int key;
-	dns_rdata_t *rdata;
-};
-
-static int
-towire_compare(const void *av, const void *bv) {
-	const struct towire_sort *a = (const struct towire_sort *) av;
-	const struct towire_sort *b = (const struct towire_sort *) bv;
-	return (a->key - b->key);
-}
-
-static isc_result_t
-towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
-	     dns_compress_t *cctx, isc_buffer_t *target,
-	     dns_rdatasetorderfunc_t order, const void *order_arg,
-	     isc_boolean_t partial, unsigned int options,
-	     unsigned int *countp, void **state)
-{
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_region_t r;
-	isc_result_t result;
-	unsigned int i, count = 0, added, choice;
-	isc_buffer_t savedbuffer, rdlen, rrbuffer;
-	unsigned int headlen;
-	isc_boolean_t question = ISC_FALSE;
-	isc_boolean_t shuffle = ISC_FALSE;
-	dns_rdata_t *shuffled = NULL, shuffled_fixed[MAX_SHUFFLE];
-	struct towire_sort *sorted = NULL, sorted_fixed[MAX_SHUFFLE];
-
-	UNUSED(state);
-
-	/*
-	 * Convert 'rdataset' to wire format, compressing names as specified
-	 * in cctx, and storing the result in 'target'.
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(countp != NULL);
-	REQUIRE((order == NULL) == (order_arg == NULL));
-	REQUIRE(cctx != NULL && cctx->mctx != NULL);
-
-	if ((rdataset->attributes & DNS_RDATASETATTR_QUESTION) != 0) {
-		question = ISC_TRUE;
-		count = 1;
-		result = dns_rdataset_first(rdataset);
-		INSIST(result == ISC_R_NOMORE);
-	} else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
-		/*
-		 * This is a negative caching rdataset.
-		 */
-		unsigned int ncache_opts = 0;
-		if ((options & DNS_RDATASETTOWIRE_OMITDNSSEC) != 0)
-			ncache_opts |= DNS_NCACHETOWIRE_OMITDNSSEC;
-		return (dns_ncache_towire(rdataset, cctx, target, ncache_opts,
-					  countp));
-	} else {
-		count = (rdataset->methods->count)(rdataset);
-		result = dns_rdataset_first(rdataset);
-		if (result == ISC_R_NOMORE)
-			return (ISC_R_SUCCESS);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	/*
-	 * Do we want to shuffle this answer?
-	 */
-	if (!question && count > 1 &&
-	    (!WANT_FIXED(rdataset) || order != NULL) &&
-	    rdataset->type != dns_rdatatype_rrsig)
-		shuffle = ISC_TRUE;
-
-	if (shuffle && count > MAX_SHUFFLE) {
-		shuffled = isc_mem_get(cctx->mctx, count * sizeof(*shuffled));
-		sorted = isc_mem_get(cctx->mctx, count * sizeof(*sorted));
-		if (shuffled == NULL || sorted == NULL)
-			shuffle = ISC_FALSE;
-	} else {
-		shuffled = shuffled_fixed;
-		sorted = sorted_fixed;
-	}
-
-	if (shuffle) {
-		/*
-		 * First we get handles to all of the rdata.
-		 */
-		i = 0;
-		do {
-			INSIST(i < count);
-			dns_rdata_init(&shuffled[i]);
-			dns_rdataset_current(rdataset, &shuffled[i]);
-			i++;
-			result = dns_rdataset_next(rdataset);
-		} while (result == ISC_R_SUCCESS);
-		if (result != ISC_R_NOMORE)
-			goto cleanup;
-		INSIST(i == count);
-
-		/*
-		 * Now we shuffle.
-		 */
-		if (WANT_FIXED(rdataset)) {
-			/*
-			 * 'Fixed' order.
-			 */
-			INSIST(order != NULL);
-			for (i = 0; i < count; i++) {
-				sorted[i].key = (*order)(&shuffled[i],
-							 order_arg);
-				sorted[i].rdata = &shuffled[i];
-			}
-		} else if (WANT_RANDOM(rdataset)) {
-			/*
-			 * 'Random' order.
-			 */
-			for (i = 0; i < count; i++) {
-				dns_rdata_t rdata;
-				isc_uint32_t val;
-
-				isc_random_get(&val);
-				choice = i + (val % (count - i));
-				rdata = shuffled[i];
-				shuffled[i] = shuffled[choice];
-				shuffled[choice] = rdata;
-				if (order != NULL)
-					sorted[i].key = (*order)(&shuffled[i],
-								 order_arg);
-				else
-					sorted[i].key = 0; /* Unused */
-				sorted[i].rdata = &shuffled[i];
-			}
-		} else {
-			/*
-			 * "Cyclic" order.
-			 */
-			isc_uint32_t val;
-			unsigned int j;
-
-			val = rdataset->count;
-			if (val == ISC_UINT32_MAX)
-				isc_random_get(&val);
-			j = val % count;
-			for (i = 0; i < count; i++) {
-				if (order != NULL)
-					sorted[i].key = (*order)(&shuffled[j],
-								 order_arg);
-				else
-					sorted[i].key = 0; /* Unused */
-				sorted[i].rdata = &shuffled[j];
-				j++;
-				if (j == count)
-					j = 0; /* Wrap around. */
-			}
-		}
-
-		/*
-		 * Sorted order.
-		 */
-		if (order != NULL)
-			qsort(sorted, count, sizeof(sorted[0]),
-			      towire_compare);
-	}
-
-	savedbuffer = *target;
-	i = 0;
-	added = 0;
-
-	do {
-		/*
-		 * Copy out the name, type, class, ttl.
-		 */
-
-		rrbuffer = *target;
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-		result = dns_name_towire(owner_name, cctx, target);
-		if (result != ISC_R_SUCCESS)
-			goto rollback;
-		headlen = sizeof(dns_rdataclass_t) + sizeof(dns_rdatatype_t);
-		if (!question)
-			headlen += sizeof(dns_ttl_t)
-				+ 2;  /* XXX 2 for rdata len */
-		isc_buffer_availableregion(target, &r);
-		if (r.length < headlen) {
-			result = ISC_R_NOSPACE;
-			goto rollback;
-		}
-		isc_buffer_putuint16(target, rdataset->type);
-		isc_buffer_putuint16(target, rdataset->rdclass);
-		if (!question) {
-			isc_buffer_putuint32(target, rdataset->ttl);
-
-			/*
-			 * Save space for rdlen.
-			 */
-			rdlen = *target;
-			isc_buffer_add(target, 2);
-
-			/*
-			 * Copy out the rdata
-			 */
-			if (shuffle)
-				rdata = *(sorted[i].rdata);
-			else {
-				dns_rdata_reset(&rdata);
-				dns_rdataset_current(rdataset, &rdata);
-			}
-			result = dns_rdata_towire(&rdata, cctx, target);
-			if (result != ISC_R_SUCCESS)
-				goto rollback;
-			INSIST((target->used >= rdlen.used + 2) &&
-			       (target->used - rdlen.used - 2 < 65536));
-			isc_buffer_putuint16(&rdlen,
-					     (isc_uint16_t)(target->used -
-							    rdlen.used - 2));
-			added++;
-		}
-
-		if (shuffle) {
-			i++;
-			if (i == count)
-				result = ISC_R_NOMORE;
-			else
-				result = ISC_R_SUCCESS;
-		} else {
-			result = dns_rdataset_next(rdataset);
-		}
-	} while (result == ISC_R_SUCCESS);
-
-	if (result != ISC_R_NOMORE)
-		goto rollback;
-
-	*countp += count;
-
-	result = ISC_R_SUCCESS;
-	goto cleanup;
-
- rollback:
-	if (partial && result == ISC_R_NOSPACE) {
-		INSIST(rrbuffer.used < 65536);
-		dns_compress_rollback(cctx, (isc_uint16_t)rrbuffer.used);
-		*countp += added;
-		*target = rrbuffer;
-		goto cleanup;
-	}
-	INSIST(savedbuffer.used < 65536);
-	dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used);
-	*countp = 0;
-	*target = savedbuffer;
-
- cleanup:
-	if (sorted != NULL && sorted != sorted_fixed)
-		isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted));
-	if (shuffled != NULL && shuffled != shuffled_fixed)
-		isc_mem_put(cctx->mctx, shuffled, count * sizeof(*shuffled));
-	return (result);
-}
-
-isc_result_t
-dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
-			  const dns_name_t *owner_name,
-			  dns_compress_t *cctx,
-			  isc_buffer_t *target,
-			  dns_rdatasetorderfunc_t order,
-			  const void *order_arg,
-			  unsigned int options,
-			  unsigned int *countp)
-{
-	return (towiresorted(rdataset, owner_name, cctx, target,
-			     order, order_arg, ISC_FALSE, options,
-			     countp, NULL));
-}
-
-isc_result_t
-dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
-			   const dns_name_t *owner_name,
-			   dns_compress_t *cctx,
-			   isc_buffer_t *target,
-			   dns_rdatasetorderfunc_t order,
-			   const void *order_arg,
-			   unsigned int options,
-			   unsigned int *countp,
-			   void **state)
-{
-	REQUIRE(state == NULL);	/* XXX remove when implemented */
-	return (towiresorted(rdataset, owner_name, cctx, target,
-			     order, order_arg, ISC_TRUE, options,
-			     countp, state));
-}
-
-isc_result_t
-dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    dns_name_t *owner_name,
-		    dns_compress_t *cctx,
-		    isc_buffer_t *target,
-		    unsigned int options,
-		    unsigned int *countp)
-{
-	return (towiresorted(rdataset, owner_name, cctx, target,
-			     NULL, NULL, ISC_FALSE, options, countp, NULL));
-}
-
-isc_result_t
-dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
-			    dns_additionaldatafunc_t add, void *arg)
-{
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-
-	/*
-	 * For each rdata in rdataset, call 'add' for each name and type in the
-	 * rdata which is subject to additional section processing.
-	 */
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
-
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	do {
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_additionaldata(&rdata, add, arg);
-		if (result == ISC_R_SUCCESS)
-			result = dns_rdataset_next(rdataset);
-		dns_rdata_reset(&rdata);
-	} while (result == ISC_R_SUCCESS);
-
-	if (result != ISC_R_NOMORE)
-		return (result);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-	if (rdataset->methods->addnoqname == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-	return((rdataset->methods->addnoqname)(rdataset, name));
-}
-
-isc_result_t
-dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
-			dns_rdataset_t *neg, dns_rdataset_t *negsig)
-{
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	if (rdataset->methods->getnoqname == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-	return((rdataset->methods->getnoqname)(rdataset, name, neg, negsig));
-}
-
-isc_result_t
-dns_rdataset_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) {
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-	if (rdataset->methods->addclosest == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-	return((rdataset->methods->addclosest)(rdataset, name));
-}
-
-isc_result_t
-dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
-			dns_rdataset_t *neg, dns_rdataset_t *negsig)
-{
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	if (rdataset->methods->getclosest == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-	return((rdataset->methods->getclosest)(rdataset, name, neg, negsig));
-}
-
-/*
- * Additional cache stuff
- */
-isc_result_t
-dns_rdataset_getadditional(dns_rdataset_t *rdataset,
-			   dns_rdatasetadditional_t type,
-			   dns_rdatatype_t qtype,
-			   dns_acache_t *acache,
-			   dns_zone_t **zonep,
-			   dns_db_t **dbp,
-			   dns_dbversion_t **versionp,
-			   dns_dbnode_t **nodep,
-			   dns_name_t *fname,
-			   dns_message_t *msg,
-			   isc_stdtime_t now)
-{
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-	REQUIRE(zonep == NULL || *zonep == NULL);
-	REQUIRE(dbp != NULL && *dbp == NULL);
-	REQUIRE(versionp != NULL && *versionp == NULL);
-	REQUIRE(nodep != NULL && *nodep == NULL);
-	REQUIRE(fname != NULL);
-	REQUIRE(msg != NULL);
-
-	if (acache != NULL && rdataset->methods->getadditional != NULL) {
-		return ((rdataset->methods->getadditional)(rdataset, type,
-							   qtype, acache,
-							   zonep, dbp,
-							   versionp, nodep,
-							   fname, msg, now));
-	}
-
-	return (ISC_R_FAILURE);
-}
-
-isc_result_t
-dns_rdataset_setadditional(dns_rdataset_t *rdataset,
-			   dns_rdatasetadditional_t type,
-			   dns_rdatatype_t qtype,
-			   dns_acache_t *acache,
-			   dns_zone_t *zone,
-			   dns_db_t *db,
-			   dns_dbversion_t *version,
-			   dns_dbnode_t *node,
-			   dns_name_t *fname)
-{
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	if (acache != NULL && rdataset->methods->setadditional != NULL) {
-		return ((rdataset->methods->setadditional)(rdataset, type,
-							   qtype, acache, zone,
-							   db, version,
-							   node, fname));
-	}
-
-	return (ISC_R_FAILURE);
-}
-
-isc_result_t
-dns_rdataset_putadditional(dns_acache_t *acache,
-			   dns_rdataset_t *rdataset,
-			   dns_rdatasetadditional_t type,
-			   dns_rdatatype_t qtype)
-{
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	if (acache != NULL && rdataset->methods->putadditional != NULL) {
-		return ((rdataset->methods->putadditional)(acache, rdataset,
-							   type, qtype));
-	}
-
-	return (ISC_R_FAILURE);
-}
-
-void
-dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	if (rdataset->methods->settrust != NULL)
-		(rdataset->methods->settrust)(rdataset, trust);
-	else
-		rdataset->trust = trust;
-}
-
-void
-dns_rdataset_expire(dns_rdataset_t *rdataset) {
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
-
-	if (rdataset->methods->expire != NULL)
-		(rdataset->methods->expire)(rdataset);
-}
-
-void
-dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		     dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
-		     isc_boolean_t acceptexpired)
-{
-	isc_uint32_t ttl = 0;
-
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(DNS_RDATASET_VALID(sigrdataset));
-	REQUIRE(rrsig != NULL);
-
-	/*
-	 * If we accept expired RRsets keep them for no more than 120 seconds.
-	 */
-	if (acceptexpired &&
-	    (isc_serial_le(rrsig->timeexpire, ((now + 120) & 0xffffffff)) ||
-	     isc_serial_le(rrsig->timeexpire, now)))
-		ttl = 120;
-	else if (isc_serial_ge(rrsig->timeexpire, now))
-		ttl = rrsig->timeexpire - now;
-
-	ttl = ISC_MIN(ISC_MIN(rdataset->ttl, sigrdataset->ttl),
-		      ISC_MIN(rrsig->originalttl, ttl));
-	rdataset->ttl = ttl;
-	sigrdataset->ttl = ttl;
-}
diff --git a/contrib/bind9/lib/dns/rdatasetiter.c b/contrib/bind9/lib/dns/rdatasetiter.c
deleted file mode 100644
index 7ed3030..0000000
--- a/contrib/bind9/lib/dns/rdatasetiter.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatasetiter.c,v 1.16 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/util.h>
-
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-
-void
-dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
-	/*
-	 * Destroy '*iteratorp'.
-	 */
-
-	REQUIRE(iteratorp != NULL);
-	REQUIRE(DNS_RDATASETITER_VALID(*iteratorp));
-
-	(*iteratorp)->methods->destroy(iteratorp);
-
-	ENSURE(*iteratorp == NULL);
-}
-
-isc_result_t
-dns_rdatasetiter_first(dns_rdatasetiter_t *iterator) {
-	/*
-	 * Move the rdataset cursor to the first rdataset at the node (if any).
-	 */
-
-	REQUIRE(DNS_RDATASETITER_VALID(iterator));
-
-	return (iterator->methods->first(iterator));
-}
-
-isc_result_t
-dns_rdatasetiter_next(dns_rdatasetiter_t *iterator) {
-	/*
-	 * Move the rdataset cursor to the next rdataset at the node (if any).
-	 */
-
-	REQUIRE(DNS_RDATASETITER_VALID(iterator));
-
-	return (iterator->methods->next(iterator));
-}
-
-void
-dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
-			 dns_rdataset_t *rdataset)
-{
-	/*
-	 * Return the current rdataset.
-	 */
-
-	REQUIRE(DNS_RDATASETITER_VALID(iterator));
-	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(! dns_rdataset_isassociated(rdataset));
-
-	iterator->methods->current(iterator, rdataset);
-}
diff --git a/contrib/bind9/lib/dns/rdataslab.c b/contrib/bind9/lib/dns/rdataslab.c
deleted file mode 100644
index cb9ae54..0000000
--- a/contrib/bind9/lib/dns/rdataslab.c
+++ /dev/null
@@ -1,1109 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/result.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdataslab.h>
-
-/*
- * The rdataslab structure allows iteration to occur in both load order
- * and DNSSEC order.  The structure is as follows:
- *
- *	header		(reservelen bytes)
- *	record count	(2 bytes)
- *	offset table	(4 x record count bytes in load order)
- *	data records
- *		data length	(2 bytes)
- *		order		(2 bytes)
- *		meta data	(1 byte for RRSIG's)
- *		data		(data length bytes)
- *
- * If DNS_RDATASET_FIXED is defined to be zero (0) the format of a
- * rdataslab is as follows:
- *
- *	header		(reservelen bytes)
- *	record count	(2 bytes)
- *	data records
- *		data length	(2 bytes)
- *		meta data	(1 byte for RRSIG's)
- *		data		(data length bytes)
- *
- * Offsets are from the end of the header.
- *
- * Load order traversal is performed by walking the offset table to find
- * the start of the record (DNS_RDATASET_FIXED = 1).
- *
- * DNSSEC order traversal is performed by walking the data records.
- *
- * The order is stored with record to allow for efficient reconstruction
- * of the offset table following a merge or subtraction.
- *
- * The iterator methods here currently only support DNSSEC order iteration.
- *
- * The iterator methods in rbtdb support both load order and DNSSEC order
- * iteration.
- *
- * WARNING:
- *	rbtdb.c directly interacts with the slab's raw structures.  If the
- *	structure changes then rbtdb.c also needs to be updated to reflect
- *	the changes.  See the areas tagged with "RDATASLAB".
- */
-
-struct xrdata {
-	dns_rdata_t	rdata;
-	unsigned int	order;
-};
-
-/*% Note: the "const void *" are just to make qsort happy.  */
-static int
-compare_rdata(const void *p1, const void *p2) {
-	const struct xrdata *x1 = p1;
-	const struct xrdata *x2 = p2;
-	return (dns_rdata_compare(&x1->rdata, &x2->rdata));
-}
-
-#if DNS_RDATASET_FIXED
-static void
-fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
-	       unsigned length)
-{
-	unsigned int i, j;
-	unsigned char *raw;
-
-	for (i = 0, j = 0; i < length; i++) {
-
-		if (offsettable[i] == 0)
-			continue;
-
-		/*
-		 * Fill in offset table.
-		 */
-		raw = &offsetbase[j*4 + 2];
-		*raw++ = (offsettable[i] & 0xff000000) >> 24;
-		*raw++ = (offsettable[i] & 0xff0000) >> 16;
-		*raw++ = (offsettable[i] & 0xff00) >> 8;
-		*raw = offsettable[i] & 0xff;
-
-		/*
-		 * Fill in table index.
-		 */
-		raw = offsetbase + offsettable[i] + 2;
-		*raw++ = (j & 0xff00) >> 8;
-		*raw = j++ & 0xff;
-	}
-}
-#endif
-
-isc_result_t
-dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
-			   isc_region_t *region, unsigned int reservelen)
-{
-	/*
-	 * Use &removed as a sentinal pointer for duplicate
-	 * rdata as rdata.data == NULL is valid.
-	 */
-	static unsigned char removed;
-	struct xrdata  *x;
-	unsigned char  *rawbuf;
-#if DNS_RDATASET_FIXED
-	unsigned char  *offsetbase;
-#endif
-	unsigned int	buflen;
-	isc_result_t	result;
-	unsigned int	nitems;
-	unsigned int	nalloc;
-	unsigned int	i;
-#if DNS_RDATASET_FIXED
-	unsigned int   *offsettable;
-#endif
-	unsigned int	length;
-
-	buflen = reservelen + 2;
-
-	nalloc = dns_rdataset_count(rdataset);
-	nitems = nalloc;
-	if (nitems == 0 && rdataset->type != 0)
-		return (ISC_R_FAILURE);
-
-	if (nalloc > 0xffff)
-		return (ISC_R_NOSPACE);
-
-
-	if (nalloc != 0) {
-		x = isc_mem_get(mctx, nalloc * sizeof(struct xrdata));
-		if (x == NULL)
-			return (ISC_R_NOMEMORY);
-	} else
-		x = NULL;
-
-	/*
-	 * Save all of the rdata members into an array.
-	 */
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
-		goto free_rdatas;
-	for (i = 0; i < nalloc && result == ISC_R_SUCCESS; i++) {
-		INSIST(result == ISC_R_SUCCESS);
-		dns_rdata_init(&x[i].rdata);
-		dns_rdataset_current(rdataset, &x[i].rdata);
-		INSIST(x[i].rdata.data != &removed);
-#if DNS_RDATASET_FIXED
-		x[i].order = i;
-#endif
-		result = dns_rdataset_next(rdataset);
-	}
-	if (result != ISC_R_NOMORE)
-		goto free_rdatas;
-	if (i != nalloc) {
-		/*
-		 * Somehow we iterated over fewer rdatas than
-		 * dns_rdataset_count() said there were!
-		 */
-		result = ISC_R_FAILURE;
-		goto free_rdatas;
-	}
-
-	/*
-	 * Put into DNSSEC order.
-	 */
-	qsort(x, nalloc, sizeof(struct xrdata), compare_rdata);
-
-	/*
-	 * Remove duplicates and compute the total storage required.
-	 *
-	 * If an rdata is not a duplicate, accumulate the storage size
-	 * required for the rdata.  We do not store the class, type, etc,
-	 * just the rdata, so our overhead is 2 bytes for the number of
-	 * records, and 8 for each rdata, (length(2), offset(4) and order(2))
-	 * and then the rdata itself.
-	 */
-	for (i = 1; i < nalloc; i++) {
-		if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
-			x[i-1].rdata.data = &removed;
-#if DNS_RDATASET_FIXED
-			/*
-			 * Preserve the least order so A, B, A -> A, B
-			 * after duplicate removal.
-			 */
-			if (x[i-1].order < x[i].order)
-				x[i].order = x[i-1].order;
-#endif
-			nitems--;
-		} else {
-#if DNS_RDATASET_FIXED
-			buflen += (8 + x[i-1].rdata.length);
-#else
-			buflen += (2 + x[i-1].rdata.length);
-#endif
-			/*
-			 * Provide space to store the per RR meta data.
-			 */
-			if (rdataset->type == dns_rdatatype_rrsig)
-				buflen++;
-		}
-	}
-	/*
-	 * Don't forget the last item!
-	 */
-	if (nalloc != 0) {
-#if DNS_RDATASET_FIXED
-		buflen += (8 + x[i-1].rdata.length);
-#else
-		buflen += (2 + x[i-1].rdata.length);
-#endif
-	}
-
-	/*
-	 * Provide space to store the per RR meta data.
-	 */
-	if (rdataset->type == dns_rdatatype_rrsig)
-		buflen++;
-
-	/*
-	 * Ensure that singleton types are actually singletons.
-	 */
-	if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) {
-		/*
-		 * We have a singleton type, but there's more than one
-		 * RR in the rdataset.
-		 */
-		result = DNS_R_SINGLETON;
-		goto free_rdatas;
-	}
-
-	/*
-	 * Allocate the memory, set up a buffer, start copying in
-	 * data.
-	 */
-	rawbuf = isc_mem_get(mctx, buflen);
-	if (rawbuf == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto free_rdatas;
-	}
-
-#if DNS_RDATASET_FIXED
-	/* Allocate temporary offset table. */
-	offsettable = isc_mem_get(mctx, nalloc * sizeof(unsigned int));
-	if (offsettable == NULL) {
-		isc_mem_put(mctx, rawbuf, buflen);
-		result = ISC_R_NOMEMORY;
-		goto free_rdatas;
-	}
-	memset(offsettable, 0, nalloc * sizeof(unsigned int));
-#endif
-
-	region->base = rawbuf;
-	region->length = buflen;
-
-	rawbuf += reservelen;
-#if DNS_RDATASET_FIXED
-	offsetbase = rawbuf;
-#endif
-
-	*rawbuf++ = (nitems & 0xff00) >> 8;
-	*rawbuf++ = (nitems & 0x00ff);
-
-#if DNS_RDATASET_FIXED
-	/* Skip load order table.  Filled in later. */
-	rawbuf += nitems * 4;
-#endif
-
-	for (i = 0; i < nalloc; i++) {
-		if (x[i].rdata.data == &removed)
-			continue;
-#if DNS_RDATASET_FIXED
-		offsettable[x[i].order] = rawbuf - offsetbase;
-#endif
-		length = x[i].rdata.length;
-		if (rdataset->type == dns_rdatatype_rrsig)
-			length++;
-		INSIST(length <= 0xffff);
-		*rawbuf++ = (length & 0xff00) >> 8;
-		*rawbuf++ = (length & 0x00ff);
-#if DNS_RDATASET_FIXED
-		rawbuf += 2;	/* filled in later */
-#endif
-		/*
-		 * Store the per RR meta data.
-		 */
-		if (rdataset->type == dns_rdatatype_rrsig) {
-			*rawbuf++ |= (x[i].rdata.flags & DNS_RDATA_OFFLINE) ?
-					    DNS_RDATASLAB_OFFLINE : 0;
-		}
-		memcpy(rawbuf, x[i].rdata.data, x[i].rdata.length);
-		rawbuf += x[i].rdata.length;
-	}
-
-#if DNS_RDATASET_FIXED
-	fillin_offsets(offsetbase, offsettable, nalloc);
-	isc_mem_put(mctx, offsettable, nalloc * sizeof(unsigned int));
-#endif
-
-	result = ISC_R_SUCCESS;
-
- free_rdatas:
-	if (x != NULL)
-		isc_mem_put(mctx, x, nalloc * sizeof(struct xrdata));
-	return (result);
-}
-
-static void
-rdataset_disassociate(dns_rdataset_t *rdataset) {
-	UNUSED(rdataset);
-}
-
-static isc_result_t
-rdataset_first(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
-	unsigned int count;
-
-	count = raw[0] * 256 + raw[1];
-	if (count == 0) {
-		rdataset->private5 = NULL;
-		return (ISC_R_NOMORE);
-	}
-#if DNS_RDATASET_FIXED
-	raw += 2 + (4 * count);
-#else
-	raw += 2;
-#endif
-	/*
-	 * The privateuint4 field is the number of rdata beyond the cursor
-	 * position, so we decrement the total count by one before storing
-	 * it.
-	 */
-	count--;
-	rdataset->privateuint4 = count;
-	rdataset->private5 = raw;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdataset_next(dns_rdataset_t *rdataset) {
-	unsigned int count;
-	unsigned int length;
-	unsigned char *raw;
-
-	count = rdataset->privateuint4;
-	if (count == 0)
-		return (ISC_R_NOMORE);
-	count--;
-	rdataset->privateuint4 = count;
-	raw = rdataset->private5;
-	length = raw[0] * 256 + raw[1];
-#if DNS_RDATASET_FIXED
-	raw += length + 4;
-#else
-	raw += length + 2;
-#endif
-	rdataset->private5 = raw;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	unsigned char *raw = rdataset->private5;
-	isc_region_t r;
-	unsigned int length;
-	unsigned int flags = 0;
-
-	REQUIRE(raw != NULL);
-
-	length = raw[0] * 256 + raw[1];
-#if DNS_RDATASET_FIXED
-	raw += 4;
-#else
-	raw += 2;
-#endif
-	if (rdataset->type == dns_rdatatype_rrsig) {
-		if (*raw & DNS_RDATASLAB_OFFLINE)
-			flags |= DNS_RDATA_OFFLINE;
-		length--;
-		raw++;
-	}
-	r.length = length;
-	r.base = raw;
-	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
-	rdata->flags |= flags;
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-	*target = *source;
-
-	/*
-	 * Reset iterator state.
-	 */
-	target->privateuint4 = 0;
-	target->private5 = NULL;
-}
-
-static unsigned int
-rdataset_count(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;
-	unsigned int count;
-
-	count = raw[0] * 256 + raw[1];
-
-	return (count);
-}
-
-static dns_rdatasetmethods_t rdataset_methods = {
-	rdataset_disassociate,
-	rdataset_first,
-	rdataset_next,
-	rdataset_current,
-	rdataset_clone,
-	rdataset_count,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL
-};
-
-void
-dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
-			 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
-			 dns_rdatatype_t covers, dns_ttl_t ttl,
-			 dns_rdataset_t *rdataset)
-{
-	REQUIRE(slab != NULL);
-	REQUIRE(!dns_rdataset_isassociated(rdataset));
-
-	rdataset->methods = &rdataset_methods;
-	rdataset->rdclass = rdclass;
-	rdataset->type = rdtype;
-	rdataset->covers = covers;
-	rdataset->ttl = ttl;
-	rdataset->trust = 0;
-	rdataset->private1 = NULL;
-	rdataset->private2 = NULL;
-	rdataset->private3 = slab + reservelen;
-
-	/*
-	 * Reset iterator state.
-	 */
-	rdataset->privateuint4 = 0;
-	rdataset->private5 = NULL;
-}
-
-unsigned int
-dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
-	unsigned int count, length;
-	unsigned char *current;
-
-	REQUIRE(slab != NULL);
-
-	current = slab + reservelen;
-	count = *current++ * 256;
-	count += *current++;
-#if DNS_RDATASET_FIXED
-	current += (4 * count);
-#endif
-	while (count > 0) {
-		count--;
-		length = *current++ * 256;
-		length += *current++;
-#if DNS_RDATASET_FIXED
-		current += length + 2;
-#else
-		current += length;
-#endif
-	}
-
-	return ((unsigned int)(current - slab));
-}
-
-/*
- * Make the dns_rdata_t 'rdata' refer to the slab item
- * beginning at '*current', which is part of a slab of type
- * 'type' and class 'rdclass', and advance '*current' to
- * point to the next item in the slab.
- */
-static inline void
-rdata_from_slab(unsigned char **current,
-	      dns_rdataclass_t rdclass, dns_rdatatype_t type,
-	      dns_rdata_t *rdata)
-{
-	unsigned char *tcurrent = *current;
-	isc_region_t region;
-	unsigned int length;
-	isc_boolean_t offline = ISC_FALSE;
-
-	length = *tcurrent++ * 256;
-	length += *tcurrent++;
-
-	if (type == dns_rdatatype_rrsig) {
-		if ((*tcurrent & DNS_RDATASLAB_OFFLINE) != 0)
-			offline = ISC_TRUE;
-		length--;
-		tcurrent++;
-	}
-	region.length = length;
-#if DNS_RDATASET_FIXED
-	tcurrent += 2;
-#endif
-	region.base = tcurrent;
-	tcurrent += region.length;
-	dns_rdata_fromregion(rdata, rdclass, type, &region);
-	if (offline)
-		rdata->flags |= DNS_RDATA_OFFLINE;
-	*current = tcurrent;
-}
-
-/*
- * Return true iff 'slab' (slab data of type 'type' and class 'rdclass')
- * contains an rdata identical to 'rdata'.  This does case insensitive
- * comparisons per DNSSEC.
- */
-static inline isc_boolean_t
-rdata_in_slab(unsigned char *slab, unsigned int reservelen,
-	      dns_rdataclass_t rdclass, dns_rdatatype_t type,
-	      dns_rdata_t *rdata)
-{
-	unsigned int count, i;
-	unsigned char *current;
-	dns_rdata_t trdata = DNS_RDATA_INIT;
-	int n;
-
-	current = slab + reservelen;
-	count = *current++ * 256;
-	count += *current++;
-
-#if DNS_RDATASET_FIXED
-	current += (4 * count);
-#endif
-
-	for (i = 0; i < count; i++) {
-		rdata_from_slab(&current, rdclass, type, &trdata);
-
-		n = dns_rdata_compare(&trdata, rdata);
-		if (n == 0)
-			return (ISC_TRUE);
-		if (n > 0)	/* In DNSSEC order. */
-			break;
-		dns_rdata_reset(&trdata);
-	}
-	return (ISC_FALSE);
-}
-
-isc_result_t
-dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
-		    unsigned int reservelen, isc_mem_t *mctx,
-		    dns_rdataclass_t rdclass, dns_rdatatype_t type,
-		    unsigned int flags, unsigned char **tslabp)
-{
-	unsigned char *ocurrent, *ostart, *ncurrent, *tstart, *tcurrent, *data;
-	unsigned int ocount, ncount, count, olength, tlength, tcount, length;
-	dns_rdata_t ordata = DNS_RDATA_INIT;
-	dns_rdata_t nrdata = DNS_RDATA_INIT;
-	isc_boolean_t added_something = ISC_FALSE;
-	unsigned int oadded = 0;
-	unsigned int nadded = 0;
-	unsigned int nncount = 0;
-#if DNS_RDATASET_FIXED
-	unsigned int oncount;
-	unsigned int norder = 0;
-	unsigned int oorder = 0;
-	unsigned char *offsetbase;
-	unsigned int *offsettable;
-#endif
-
-	/*
-	 * XXX  Need parameter to allow "delete rdatasets in nslab" merge,
-	 * or perhaps another merge routine for this purpose.
-	 */
-
-	REQUIRE(tslabp != NULL && *tslabp == NULL);
-	REQUIRE(oslab != NULL && nslab != NULL);
-
-	ocurrent = oslab + reservelen;
-	ocount = *ocurrent++ * 256;
-	ocount += *ocurrent++;
-#if DNS_RDATASET_FIXED
-	ocurrent += (4 * ocount);
-#endif
-	ostart = ocurrent;
-	ncurrent = nslab + reservelen;
-	ncount = *ncurrent++ * 256;
-	ncount += *ncurrent++;
-#if DNS_RDATASET_FIXED
-	ncurrent += (4 * ncount);
-#endif
-	INSIST(ocount > 0 && ncount > 0);
-
-#if DNS_RDATASET_FIXED
-	oncount = ncount;
-#endif
-
-	/*
-	 * Yes, this is inefficient!
-	 */
-
-	/*
-	 * Figure out the length of the old slab's data.
-	 */
-	olength = 0;
-	for (count = 0; count < ocount; count++) {
-		length = *ocurrent++ * 256;
-		length += *ocurrent++;
-#if DNS_RDATASET_FIXED
-		olength += length + 8;
-		ocurrent += length + 2;
-#else
-		olength += length + 2;
-		ocurrent += length;
-#endif
-	}
-
-	/*
-	 * Start figuring out the target length and count.
-	 */
-	tlength = reservelen + 2 + olength;
-	tcount = ocount;
-
-	/*
-	 * Add in the length of rdata in the new slab that aren't in
-	 * the old slab.
-	 */
-	do {
-		dns_rdata_init(&nrdata);
-		rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
-		if (!rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata))
-		{
-			/*
-			 * This rdata isn't in the old slab.
-			 */
-#if DNS_RDATASET_FIXED
-			tlength += nrdata.length + 8;
-#else
-			tlength += nrdata.length + 2;
-#endif
-			if (type == dns_rdatatype_rrsig)
-				tlength++;
-			tcount++;
-			nncount++;
-			added_something = ISC_TRUE;
-		}
-		ncount--;
-	} while (ncount > 0);
-	ncount = nncount;
-
-	if (((flags & DNS_RDATASLAB_EXACT) != 0) &&
-	    (tcount != ncount + ocount))
-		return (DNS_R_NOTEXACT);
-
-	if (!added_something && (flags & DNS_RDATASLAB_FORCE) == 0)
-		return (DNS_R_UNCHANGED);
-
-	/*
-	 * Ensure that singleton types are actually singletons.
-	 */
-	if (tcount > 1 && dns_rdatatype_issingleton(type)) {
-		/*
-		 * We have a singleton type, but there's more than one
-		 * RR in the rdataset.
-		 */
-		return (DNS_R_SINGLETON);
-	}
-
-	if (tcount > 0xffff)
-		return (ISC_R_NOSPACE);
-
-	/*
-	 * Copy the reserved area from the new slab.
-	 */
-	tstart = isc_mem_get(mctx, tlength);
-	if (tstart == NULL)
-		return (ISC_R_NOMEMORY);
-	memcpy(tstart, nslab, reservelen);
-	tcurrent = tstart + reservelen;
-#if DNS_RDATASET_FIXED
-	offsetbase = tcurrent;
-#endif
-
-	/*
-	 * Write the new count.
-	 */
-	*tcurrent++ = (tcount & 0xff00) >> 8;
-	*tcurrent++ = (tcount & 0x00ff);
-
-#if DNS_RDATASET_FIXED
-	/*
-	 * Skip offset table.
-	 */
-	tcurrent += (tcount * 4);
-
-	offsettable = isc_mem_get(mctx,
-				  (ocount + oncount) * sizeof(unsigned int));
-	if (offsettable == NULL) {
-		isc_mem_put(mctx, tstart, tlength);
-		return (ISC_R_NOMEMORY);
-	}
-	memset(offsettable, 0, (ocount + oncount) * sizeof(unsigned int));
-#endif
-
-	/*
-	 * Merge the two slabs.
-	 */
-	ocurrent = ostart;
-	INSIST(ocount != 0);
-#if DNS_RDATASET_FIXED
-	oorder = ocurrent[2] * 256 + ocurrent[3];
-	INSIST(oorder < ocount);
-#endif
-	rdata_from_slab(&ocurrent, rdclass, type, &ordata);
-
-	ncurrent = nslab + reservelen + 2;
-#if DNS_RDATASET_FIXED
-	ncurrent += (4 * oncount);
-#endif
-
-	if (ncount > 0) {
-		do {
-			dns_rdata_reset(&nrdata);
-#if DNS_RDATASET_FIXED
-			norder = ncurrent[2] * 256 + ncurrent[3];
-
-			INSIST(norder < oncount);
-#endif
-			rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
-		} while (rdata_in_slab(oslab, reservelen, rdclass,
-				       type, &nrdata));
-	}
-
-	while (oadded < ocount || nadded < ncount) {
-		isc_boolean_t fromold;
-		if (oadded == ocount)
-			fromold = ISC_FALSE;
-		else if (nadded == ncount)
-			fromold = ISC_TRUE;
-		else
-			fromold = ISC_TF(compare_rdata(&ordata, &nrdata) < 0);
-		if (fromold) {
-#if DNS_RDATASET_FIXED
-			offsettable[oorder] = tcurrent - offsetbase;
-#endif
-			length = ordata.length;
-			data = ordata.data;
-			if (type == dns_rdatatype_rrsig) {
-				length++;
-				data--;
-			}
-			*tcurrent++ = (length & 0xff00) >> 8;
-			*tcurrent++ = (length & 0x00ff);
-#if DNS_RDATASET_FIXED
-			tcurrent += 2;	/* fill in later */
-#endif
-			memcpy(tcurrent, data, length);
-			tcurrent += length;
-			oadded++;
-			if (oadded < ocount) {
-				dns_rdata_reset(&ordata);
-#if DNS_RDATASET_FIXED
-				oorder = ocurrent[2] * 256 + ocurrent[3];
-				INSIST(oorder < ocount);
-#endif
-				rdata_from_slab(&ocurrent, rdclass, type,
-						&ordata);
-			}
-		} else {
-#if DNS_RDATASET_FIXED
-			offsettable[ocount + norder] = tcurrent - offsetbase;
-#endif
-			length = nrdata.length;
-			data = nrdata.data;
-			if (type == dns_rdatatype_rrsig) {
-				length++;
-				data--;
-			}
-			*tcurrent++ = (length & 0xff00) >> 8;
-			*tcurrent++ = (length & 0x00ff);
-#if DNS_RDATASET_FIXED
-			tcurrent += 2;	/* fill in later */
-#endif
-			memcpy(tcurrent, data, length);
-			tcurrent += length;
-			nadded++;
-			if (nadded < ncount) {
-				do {
-					dns_rdata_reset(&nrdata);
-#if DNS_RDATASET_FIXED
-					norder = ncurrent[2] * 256 + ncurrent[3];
-					INSIST(norder < oncount);
-#endif
-					rdata_from_slab(&ncurrent, rdclass,
-							type, &nrdata);
-				} while (rdata_in_slab(oslab, reservelen,
-						       rdclass, type,
-						       &nrdata));
-			}
-		}
-	}
-
-#if DNS_RDATASET_FIXED
-	fillin_offsets(offsetbase, offsettable, ocount + oncount);
-
-	isc_mem_put(mctx, offsettable,
-		    (ocount + oncount) * sizeof(unsigned int));
-#endif
-
-	INSIST(tcurrent == tstart + tlength);
-
-	*tslabp = tstart;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
-		       unsigned int reservelen, isc_mem_t *mctx,
-		       dns_rdataclass_t rdclass, dns_rdatatype_t type,
-		       unsigned int flags, unsigned char **tslabp)
-{
-	unsigned char *mcurrent, *sstart, *scurrent, *tstart, *tcurrent;
-	unsigned int mcount, scount, rcount ,count, tlength, tcount, i;
-	dns_rdata_t srdata = DNS_RDATA_INIT;
-	dns_rdata_t mrdata = DNS_RDATA_INIT;
-#if DNS_RDATASET_FIXED
-	unsigned char *offsetbase;
-	unsigned int *offsettable;
-	unsigned int order;
-#endif
-
-	REQUIRE(tslabp != NULL && *tslabp == NULL);
-	REQUIRE(mslab != NULL && sslab != NULL);
-
-	mcurrent = mslab + reservelen;
-	mcount = *mcurrent++ * 256;
-	mcount += *mcurrent++;
-	scurrent = sslab + reservelen;
-	scount = *scurrent++ * 256;
-	scount += *scurrent++;
-	INSIST(mcount > 0 && scount > 0);
-
-	/*
-	 * Yes, this is inefficient!
-	 */
-
-	/*
-	 * Start figuring out the target length and count.
-	 */
-	tlength = reservelen + 2;
-	tcount = 0;
-	rcount = 0;
-
-#if DNS_RDATASET_FIXED
-	mcurrent += 4 * mcount;
-	scurrent += 4 * scount;
-#endif
-	sstart = scurrent;
-
-	/*
-	 * Add in the length of rdata in the mslab that aren't in
-	 * the sslab.
-	 */
-	for (i = 0; i < mcount; i++) {
-		unsigned char *mrdatabegin = mcurrent;
-		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
-		scurrent = sstart;
-		for (count = 0; count < scount; count++) {
-			dns_rdata_reset(&srdata);
-			rdata_from_slab(&scurrent, rdclass, type, &srdata);
-			if (dns_rdata_compare(&mrdata, &srdata) == 0)
-				break;
-		}
-		if (count == scount) {
-			/*
-			 * This rdata isn't in the sslab, and thus isn't
-			 * being subtracted.
-			 */
-			tlength += mcurrent - mrdatabegin;
-			tcount++;
-		} else
-			rcount++;
-		dns_rdata_reset(&mrdata);
-	}
-
-#if DNS_RDATASET_FIXED
-	tlength += (4 * tcount);
-#endif
-
-	/*
-	 * Check that all the records originally existed.  The numeric
-	 * check only works as rdataslabs do not contain duplicates.
-	 */
-	if (((flags & DNS_RDATASLAB_EXACT) != 0) && (rcount != scount))
-		return (DNS_R_NOTEXACT);
-
-	/*
-	 * Don't continue if the new rdataslab would be empty.
-	 */
-	if (tcount == 0)
-		return (DNS_R_NXRRSET);
-
-	/*
-	 * If nothing is going to change, we can stop.
-	 */
-	if (rcount == 0)
-		return (DNS_R_UNCHANGED);
-
-	/*
-	 * Copy the reserved area from the mslab.
-	 */
-	tstart = isc_mem_get(mctx, tlength);
-	if (tstart == NULL)
-		return (ISC_R_NOMEMORY);
-	memcpy(tstart, mslab, reservelen);
-	tcurrent = tstart + reservelen;
-#if DNS_RDATASET_FIXED
-	offsetbase = tcurrent;
-
-	offsettable = isc_mem_get(mctx, mcount * sizeof(unsigned int));
-	if (offsettable == NULL) {
-		isc_mem_put(mctx, tstart, tlength);
-		return (ISC_R_NOMEMORY);
-	}
-	memset(offsettable, 0, mcount * sizeof(unsigned int));
-#endif
-
-	/*
-	 * Write the new count.
-	 */
-	*tcurrent++ = (tcount & 0xff00) >> 8;
-	*tcurrent++ = (tcount & 0x00ff);
-
-#if DNS_RDATASET_FIXED
-	tcurrent += (4 * tcount);
-#endif
-
-	/*
-	 * Copy the parts of mslab not in sslab.
-	 */
-	mcurrent = mslab + reservelen;
-	mcount = *mcurrent++ * 256;
-	mcount += *mcurrent++;
-#if DNS_RDATASET_FIXED
-	mcurrent += (4 * mcount);
-#endif
-	for (i = 0; i < mcount; i++) {
-		unsigned char *mrdatabegin = mcurrent;
-#if DNS_RDATASET_FIXED
-		order = mcurrent[2] * 256 + mcurrent[3];
-		INSIST(order < mcount);
-#endif
-		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
-		scurrent = sstart;
-		for (count = 0; count < scount; count++) {
-			dns_rdata_reset(&srdata);
-			rdata_from_slab(&scurrent, rdclass, type, &srdata);
-			if (dns_rdata_compare(&mrdata, &srdata) == 0)
-				break;
-		}
-		if (count == scount) {
-			/*
-			 * This rdata isn't in the sslab, and thus should be
-			 * copied to the tslab.
-			 */
-			unsigned int length = mcurrent - mrdatabegin;
-#if DNS_RDATASET_FIXED
-			offsettable[order] = tcurrent - offsetbase;
-#endif
-			memcpy(tcurrent, mrdatabegin, length);
-			tcurrent += length;
-		}
-		dns_rdata_reset(&mrdata);
-	}
-
-#if DNS_RDATASET_FIXED
-	fillin_offsets(offsetbase, offsettable, mcount);
-
-	isc_mem_put(mctx, offsettable, mcount * sizeof(unsigned int));
-#endif
-
-	INSIST(tcurrent == tstart + tlength);
-
-	*tslabp = tstart;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
-		    unsigned int reservelen)
-{
-	unsigned char *current1, *current2;
-	unsigned int count1, count2;
-	unsigned int length1, length2;
-
-	current1 = slab1 + reservelen;
-	count1 = *current1++ * 256;
-	count1 += *current1++;
-
-	current2 = slab2 + reservelen;
-	count2 = *current2++ * 256;
-	count2 += *current2++;
-
-	if (count1 != count2)
-		return (ISC_FALSE);
-
-#if DNS_RDATASET_FIXED
-	current1 += (4 * count1);
-	current2 += (4 * count2);
-#endif
-
-	while (count1 > 0) {
-		length1 = *current1++ * 256;
-		length1 += *current1++;
-
-		length2 = *current2++ * 256;
-		length2 += *current2++;
-
-#if DNS_RDATASET_FIXED
-		current1 += 2;
-		current2 += 2;
-#endif
-
-		if (length1 != length2 ||
-		    memcmp(current1, current2, length1) != 0)
-			return (ISC_FALSE);
-
-		current1 += length1;
-		current2 += length1;
-
-		count1--;
-	}
-	return (ISC_TRUE);
-}
-
-isc_boolean_t
-dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
-		     unsigned int reservelen, dns_rdataclass_t rdclass,
-		     dns_rdatatype_t type)
-{
-	unsigned char *current1, *current2;
-	unsigned int count1, count2;
-	dns_rdata_t rdata1 = DNS_RDATA_INIT;
-	dns_rdata_t rdata2 = DNS_RDATA_INIT;
-
-	current1 = slab1 + reservelen;
-	count1 = *current1++ * 256;
-	count1 += *current1++;
-
-	current2 = slab2 + reservelen;
-	count2 = *current2++ * 256;
-	count2 += *current2++;
-
-	if (count1 != count2)
-		return (ISC_FALSE);
-
-#if DNS_RDATASET_FIXED
-	current1 += (4 * count1);
-	current2 += (4 * count2);
-#endif
-
-	while (count1-- > 0) {
-		rdata_from_slab(&current1, rdclass, type, &rdata1);
-		rdata_from_slab(&current2, rdclass, type, &rdata2);
-		if (dns_rdata_compare(&rdata1, &rdata2) != 0)
-			return (ISC_FALSE);
-		dns_rdata_reset(&rdata1);
-		dns_rdata_reset(&rdata2);
-	}
-	return (ISC_TRUE);
-}
diff --git a/contrib/bind9/lib/dns/request.c b/contrib/bind9/lib/dns/request.c
deleted file mode 100644
index 1316e69..0000000
--- a/contrib/bind9/lib/dns/request.c
+++ /dev/null
@@ -1,1499 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/compress.h>
-#include <dns/dispatch.h>
-#include <dns/events.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/request.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-
-#define REQUESTMGR_MAGIC	ISC_MAGIC('R', 'q', 'u', 'M')
-#define VALID_REQUESTMGR(mgr)	ISC_MAGIC_VALID(mgr, REQUESTMGR_MAGIC)
-
-#define REQUEST_MAGIC		ISC_MAGIC('R', 'q', 'u', '!')
-#define VALID_REQUEST(request)	ISC_MAGIC_VALID(request, REQUEST_MAGIC)
-
-typedef ISC_LIST(dns_request_t) dns_requestlist_t;
-
-#define DNS_REQUEST_NLOCKS 7
-
-struct dns_requestmgr {
-	unsigned int			magic;
-	isc_mutex_t			lock;
-	isc_mem_t		       *mctx;
-
-	/* locked */
-	isc_int32_t			eref;
-	isc_int32_t			iref;
-	isc_timermgr_t		       *timermgr;
-	isc_socketmgr_t		       *socketmgr;
-	isc_taskmgr_t		       *taskmgr;
-	dns_dispatchmgr_t	       *dispatchmgr;
-	dns_dispatch_t		       *dispatchv4;
-	dns_dispatch_t		       *dispatchv6;
-	isc_boolean_t			exiting;
-	isc_eventlist_t			whenshutdown;
-	unsigned int			hash;
-	isc_mutex_t			locks[DNS_REQUEST_NLOCKS];
-	dns_requestlist_t 		requests;
-};
-
-struct dns_request {
-	unsigned int			magic;
-	unsigned int			hash;
-	isc_mem_t		       *mctx;
-	isc_int32_t			flags;
-	ISC_LINK(dns_request_t) 	link;
-	isc_buffer_t		       *query;
-	isc_buffer_t		       *answer;
-	dns_requestevent_t	       *event;
-	dns_dispatch_t		       *dispatch;
-	dns_dispentry_t		       *dispentry;
-	isc_timer_t		       *timer;
-	dns_requestmgr_t	       *requestmgr;
-	isc_buffer_t		       *tsig;
-	dns_tsigkey_t		       *tsigkey;
-	isc_event_t			ctlevent;
-	isc_boolean_t			canceling; /* ctlevent outstanding */
-	isc_sockaddr_t			destaddr;
-	unsigned int			udpcount;
-};
-
-#define DNS_REQUEST_F_CONNECTING 0x0001
-#define DNS_REQUEST_F_SENDING 0x0002
-#define DNS_REQUEST_F_CANCELED 0x0004	/*%< ctlevent received, or otherwise
-					   synchronously canceled */
-#define DNS_REQUEST_F_TIMEDOUT 0x0008	/*%< canceled due to a timeout */
-#define DNS_REQUEST_F_TCP 0x0010	/*%< This request used TCP */
-#define DNS_REQUEST_CANCELED(r) \
-	(((r)->flags & DNS_REQUEST_F_CANCELED) != 0)
-#define DNS_REQUEST_CONNECTING(r) \
-	(((r)->flags & DNS_REQUEST_F_CONNECTING) != 0)
-#define DNS_REQUEST_SENDING(r) \
-	(((r)->flags & DNS_REQUEST_F_SENDING) != 0)
-#define DNS_REQUEST_TIMEDOUT(r) \
-	(((r)->flags & DNS_REQUEST_F_TIMEDOUT) != 0)
-
-
-/***
- *** Forward
- ***/
-
-static void mgr_destroy(dns_requestmgr_t *requestmgr);
-static void mgr_shutdown(dns_requestmgr_t *requestmgr);
-static unsigned int mgr_gethash(dns_requestmgr_t *requestmgr);
-static void send_shutdown_events(dns_requestmgr_t *requestmgr);
-
-static isc_result_t req_render(dns_message_t *message, isc_buffer_t **buffer,
-			       unsigned int options, isc_mem_t *mctx);
-static void req_senddone(isc_task_t *task, isc_event_t *event);
-static void req_response(isc_task_t *task, isc_event_t *event);
-static void req_timeout(isc_task_t *task, isc_event_t *event);
-static isc_socket_t * req_getsocket(dns_request_t *request);
-static void req_connected(isc_task_t *task, isc_event_t *event);
-static void req_sendevent(dns_request_t *request, isc_result_t result);
-static void req_cancel(dns_request_t *request);
-static void req_destroy(dns_request_t *request);
-static void req_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
-static void do_cancel(isc_task_t *task, isc_event_t *event);
-
-/***
- *** Public
- ***/
-
-isc_result_t
-dns_requestmgr_create(isc_mem_t *mctx,
-		      isc_timermgr_t *timermgr,
-		      isc_socketmgr_t *socketmgr,
-		      isc_taskmgr_t *taskmgr,
-		      dns_dispatchmgr_t *dispatchmgr,
-		      dns_dispatch_t *dispatchv4,
-		      dns_dispatch_t *dispatchv6,
-		      dns_requestmgr_t **requestmgrp)
-{
-	dns_requestmgr_t *requestmgr;
-	isc_socket_t *socket;
-	isc_result_t result;
-	int i;
-	unsigned int dispattr;
-
-	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create");
-
-	REQUIRE(requestmgrp != NULL && *requestmgrp == NULL);
-	REQUIRE(timermgr != NULL);
-	REQUIRE(socketmgr != NULL);
-	REQUIRE(taskmgr != NULL);
-	REQUIRE(dispatchmgr != NULL);
-	UNUSED(socket);
-	if (dispatchv4 != NULL) {
-		dispattr = dns_dispatch_getattributes(dispatchv4);
-		REQUIRE((dispattr & DNS_DISPATCHATTR_UDP) != 0);
-	}
-	if (dispatchv6 != NULL) {
-		dispattr = dns_dispatch_getattributes(dispatchv6);
-		REQUIRE((dispattr & DNS_DISPATCHATTR_UDP) != 0);
-	}
-
-	requestmgr = isc_mem_get(mctx, sizeof(*requestmgr));
-	if (requestmgr == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&requestmgr->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
-		return (result);
-	}
-	for (i = 0; i < DNS_REQUEST_NLOCKS; i++) {
-		result = isc_mutex_init(&requestmgr->locks[i]);
-		if (result != ISC_R_SUCCESS) {
-			while (--i >= 0)
-				DESTROYLOCK(&requestmgr->locks[i]);
-			DESTROYLOCK(&requestmgr->lock);
-			isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
-			return (result);
-		}
-	}
-	requestmgr->timermgr = timermgr;
-	requestmgr->socketmgr = socketmgr;
-	requestmgr->taskmgr = taskmgr;
-	requestmgr->dispatchmgr = dispatchmgr;
-	requestmgr->dispatchv4 = NULL;
-	if (dispatchv4 != NULL)
-		dns_dispatch_attach(dispatchv4, &requestmgr->dispatchv4);
-	requestmgr->dispatchv6 = NULL;
-	if (dispatchv6 != NULL)
-		dns_dispatch_attach(dispatchv6, &requestmgr->dispatchv6);
-	requestmgr->mctx = NULL;
-	isc_mem_attach(mctx, &requestmgr->mctx);
-	requestmgr->eref = 1;	/* implicit attach */
-	requestmgr->iref = 0;
-	ISC_LIST_INIT(requestmgr->whenshutdown);
-	ISC_LIST_INIT(requestmgr->requests);
-	requestmgr->exiting = ISC_FALSE;
-	requestmgr->hash = 0;
-	requestmgr->magic = REQUESTMGR_MAGIC;
-
-	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create: %p", requestmgr);
-
-	*requestmgrp = requestmgr;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
-			    isc_event_t **eventp)
-{
-	isc_task_t *clone;
-	isc_event_t *event;
-
-	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_whenshutdown");
-
-	REQUIRE(VALID_REQUESTMGR(requestmgr));
-	REQUIRE(eventp != NULL);
-
-	event = *eventp;
-	*eventp = NULL;
-
-	LOCK(&requestmgr->lock);
-
-	if (requestmgr->exiting) {
-		/*
-		 * We're already shutdown.  Send the event.
-		 */
-		event->ev_sender = requestmgr;
-		isc_task_send(task, &event);
-	} else {
-		clone = NULL;
-		isc_task_attach(task, &clone);
-		event->ev_sender = clone;
-		ISC_LIST_APPEND(requestmgr->whenshutdown, event, ev_link);
-	}
-	UNLOCK(&requestmgr->lock);
-}
-
-void
-dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr) {
-
-	REQUIRE(VALID_REQUESTMGR(requestmgr));
-
-	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_shutdown: %p", requestmgr);
-
-	LOCK(&requestmgr->lock);
-	mgr_shutdown(requestmgr);
-	UNLOCK(&requestmgr->lock);
-}
-
-static void
-mgr_shutdown(dns_requestmgr_t *requestmgr) {
-	dns_request_t *request;
-
-	/*
-	 * Caller holds lock.
-	 */
-	if (!requestmgr->exiting) {
-		requestmgr->exiting = ISC_TRUE;
-		for (request = ISC_LIST_HEAD(requestmgr->requests);
-		     request != NULL;
-		     request = ISC_LIST_NEXT(request, link)) {
-			dns_request_cancel(request);
-		}
-		if (requestmgr->iref == 0) {
-			INSIST(ISC_LIST_EMPTY(requestmgr->requests));
-			send_shutdown_events(requestmgr);
-		}
-	}
-}
-
-static void
-requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
-
-	/*
-	 * Locked by caller.
-	 */
-
-	REQUIRE(VALID_REQUESTMGR(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	REQUIRE(!source->exiting);
-
-	source->iref++;
-	*targetp = source;
-
-	req_log(ISC_LOG_DEBUG(3), "requestmgr_attach: %p: eref %d iref %d",
-		source, source->eref, source->iref);
-}
-
-static void
-requestmgr_detach(dns_requestmgr_t **requestmgrp) {
-	dns_requestmgr_t *requestmgr;
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(requestmgrp != NULL);
-	requestmgr = *requestmgrp;
-	REQUIRE(VALID_REQUESTMGR(requestmgr));
-
-	*requestmgrp = NULL;
-	LOCK(&requestmgr->lock);
-	INSIST(requestmgr->iref > 0);
-	requestmgr->iref--;
-
-	req_log(ISC_LOG_DEBUG(3), "requestmgr_detach: %p: eref %d iref %d",
-		requestmgr, requestmgr->eref, requestmgr->iref);
-
-	if (requestmgr->iref == 0 && requestmgr->exiting) {
-		INSIST(ISC_LIST_HEAD(requestmgr->requests) == NULL);
-		send_shutdown_events(requestmgr);
-		if (requestmgr->eref == 0)
-			need_destroy = ISC_TRUE;
-	}
-	UNLOCK(&requestmgr->lock);
-
-	if (need_destroy)
-		mgr_destroy(requestmgr);
-}
-
-void
-dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
-
-	REQUIRE(VALID_REQUESTMGR(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-	REQUIRE(!source->exiting);
-
-	LOCK(&source->lock);
-	source->eref++;
-	*targetp = source;
-	UNLOCK(&source->lock);
-
-	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_attach: %p: eref %d iref %d",
-		source, source->eref, source->iref);
-}
-
-void
-dns_requestmgr_detach(dns_requestmgr_t **requestmgrp) {
-	dns_requestmgr_t *requestmgr;
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(requestmgrp != NULL);
-	requestmgr = *requestmgrp;
-	REQUIRE(VALID_REQUESTMGR(requestmgr));
-
-	LOCK(&requestmgr->lock);
-	INSIST(requestmgr->eref > 0);
-	requestmgr->eref--;
-
-	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_detach: %p: eref %d iref %d",
-		requestmgr, requestmgr->eref, requestmgr->iref);
-
-	if (requestmgr->eref == 0 && requestmgr->iref == 0) {
-		INSIST(requestmgr->exiting &&
-		       ISC_LIST_HEAD(requestmgr->requests) == NULL);
-		need_destroy = ISC_TRUE;
-	}
-	UNLOCK(&requestmgr->lock);
-
-	if (need_destroy)
-		mgr_destroy(requestmgr);
-
-	*requestmgrp = NULL;
-}
-
-static void
-send_shutdown_events(dns_requestmgr_t *requestmgr) {
-	isc_event_t *event, *next_event;
-	isc_task_t *etask;
-
-	req_log(ISC_LOG_DEBUG(3), "send_shutdown_events: %p", requestmgr);
-
-	/*
-	 * Caller must be holding the manager lock.
-	 */
-	for (event = ISC_LIST_HEAD(requestmgr->whenshutdown);
-	     event != NULL;
-	     event = next_event) {
-		next_event = ISC_LIST_NEXT(event, ev_link);
-		ISC_LIST_UNLINK(requestmgr->whenshutdown, event, ev_link);
-		etask = event->ev_sender;
-		event->ev_sender = requestmgr;
-		isc_task_sendanddetach(&etask, &event);
-	}
-}
-
-static void
-mgr_destroy(dns_requestmgr_t *requestmgr) {
-	int i;
-	isc_mem_t *mctx;
-
-	req_log(ISC_LOG_DEBUG(3), "mgr_destroy");
-
-	REQUIRE(requestmgr->eref == 0);
-	REQUIRE(requestmgr->iref == 0);
-
-	DESTROYLOCK(&requestmgr->lock);
-	for (i = 0; i < DNS_REQUEST_NLOCKS; i++)
-		DESTROYLOCK(&requestmgr->locks[i]);
-	if (requestmgr->dispatchv4 != NULL)
-		dns_dispatch_detach(&requestmgr->dispatchv4);
-	if (requestmgr->dispatchv6 != NULL)
-		dns_dispatch_detach(&requestmgr->dispatchv6);
-	requestmgr->magic = 0;
-	mctx = requestmgr->mctx;
-	isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
-	isc_mem_detach(&mctx);
-}
-
-static unsigned int
-mgr_gethash(dns_requestmgr_t *requestmgr) {
-	req_log(ISC_LOG_DEBUG(3), "mgr_gethash");
-	/*
-	 * Locked by caller.
-	 */
-	requestmgr->hash++;
-	return (requestmgr->hash % DNS_REQUEST_NLOCKS);
-}
-
-static inline isc_result_t
-req_send(dns_request_t *request, isc_task_t *task, isc_sockaddr_t *address) {
-	isc_region_t r;
-	isc_socket_t *socket;
-	isc_result_t result;
-
-	req_log(ISC_LOG_DEBUG(3), "req_send: request %p", request);
-
-	REQUIRE(VALID_REQUEST(request));
-	socket = req_getsocket(request);
-	isc_buffer_usedregion(request->query, &r);
-	/*
-	 * We could connect the socket when we are using an exclusive dispatch
-	 * as we do in resolver.c, but we prefer implementation simplicity
-	 * at this moment.
-	 */
-	result = isc_socket_sendto(socket, &r, task, req_senddone,
-				  request, address, NULL);
-	if (result == ISC_R_SUCCESS)
-		request->flags |= DNS_REQUEST_F_SENDING;
-	return (result);
-}
-
-static isc_result_t
-new_request(isc_mem_t *mctx, dns_request_t **requestp)
-{
-	dns_request_t *request;
-
-	request = isc_mem_get(mctx, sizeof(*request));
-	if (request == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/*
-	 * Zero structure.
-	 */
-	request->magic = 0;
-	request->mctx = NULL;
-	request->flags = 0;
-	ISC_LINK_INIT(request, link);
-	request->query = NULL;
-	request->answer = NULL;
-	request->event = NULL;
-	request->dispatch = NULL;
-	request->dispentry = NULL;
-	request->timer = NULL;
-	request->requestmgr = NULL;
-	request->tsig = NULL;
-	request->tsigkey = NULL;
-	ISC_EVENT_INIT(&request->ctlevent, sizeof(request->ctlevent), 0, NULL,
-		       DNS_EVENT_REQUESTCONTROL, do_cancel, request, NULL,
-		       NULL, NULL);
-	request->canceling = ISC_FALSE;
-	request->udpcount = 0;
-
-	isc_mem_attach(mctx, &request->mctx);
-
-	request->magic = REQUEST_MAGIC;
-	*requestp = request;
-	return (ISC_R_SUCCESS);
-}
-
-
-static isc_boolean_t
-isblackholed(dns_dispatchmgr_t *dispatchmgr, isc_sockaddr_t *destaddr) {
-	dns_acl_t *blackhole;
-	isc_netaddr_t netaddr;
-	int match;
-	isc_boolean_t drop = ISC_FALSE;
-	char netaddrstr[ISC_NETADDR_FORMATSIZE];
-
-	blackhole = dns_dispatchmgr_getblackhole(dispatchmgr);
-	if (blackhole != NULL) {
-		isc_netaddr_fromsockaddr(&netaddr, destaddr);
-		if (dns_acl_match(&netaddr, NULL, blackhole,
-				  NULL, &match, NULL) == ISC_R_SUCCESS &&
-		    match > 0)
-			drop = ISC_TRUE;
-	}
-	if (drop) {
-		isc_netaddr_format(&netaddr, netaddrstr, sizeof(netaddrstr));
-		req_log(ISC_LOG_DEBUG(10), "blackholed address %s", netaddrstr);
-	}
-	return (drop);
-}
-
-static isc_result_t
-create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
-		    isc_sockaddr_t *destaddr, dns_dispatch_t **dispatchp)
-{
-	isc_result_t result;
-	isc_socket_t *socket = NULL;
-	isc_sockaddr_t src;
-	unsigned int attrs;
-	isc_sockaddr_t bind_any;
-
-	result = isc_socket_create(requestmgr->socketmgr,
-				   isc_sockaddr_pf(destaddr),
-				   isc_sockettype_tcp, &socket);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
-	if (srcaddr == NULL) {
-		isc_sockaddr_anyofpf(&bind_any,
-				     isc_sockaddr_pf(destaddr));
-		result = isc_socket_bind(socket, &bind_any, 0);
-	} else {
-		src = *srcaddr;
-		isc_sockaddr_setport(&src, 0);
-		result = isc_socket_bind(socket, &src, 0);
-	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-#endif
-	attrs = 0;
-	attrs |= DNS_DISPATCHATTR_TCP;
-	attrs |= DNS_DISPATCHATTR_PRIVATE;
-	if (isc_sockaddr_pf(destaddr) == AF_INET)
-		attrs |= DNS_DISPATCHATTR_IPV4;
-	else
-		attrs |= DNS_DISPATCHATTR_IPV6;
-	attrs |= DNS_DISPATCHATTR_MAKEQUERY;
-	result = dns_dispatch_createtcp(requestmgr->dispatchmgr,
-					socket, requestmgr->taskmgr,
-					4096, 2, 1, 1, 3, attrs,
-					dispatchp);
-cleanup:
-	isc_socket_detach(&socket);
-	return (result);
-}
-
-static isc_result_t
-find_udp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
-		  isc_sockaddr_t *destaddr, dns_dispatch_t **dispatchp)
-{
-	dns_dispatch_t *disp = NULL;
-	unsigned int attrs, attrmask;
-
-	if (srcaddr == NULL) {
-		switch (isc_sockaddr_pf(destaddr)) {
-		case PF_INET:
-			disp = requestmgr->dispatchv4;
-			break;
-
-		case PF_INET6:
-			disp = requestmgr->dispatchv6;
-			break;
-
-		default:
-			return (ISC_R_NOTIMPLEMENTED);
-		}
-		if (disp == NULL)
-			return (ISC_R_FAMILYNOSUPPORT);
-		dns_dispatch_attach(disp, dispatchp);
-		return (ISC_R_SUCCESS);
-	}
-	attrs = 0;
-	attrs |= DNS_DISPATCHATTR_UDP;
-	switch (isc_sockaddr_pf(srcaddr)) {
-	case PF_INET:
-		attrs |= DNS_DISPATCHATTR_IPV4;
-		break;
-
-	case PF_INET6:
-		attrs |= DNS_DISPATCHATTR_IPV6;
-		break;
-
-	default:
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-	attrmask = 0;
-	attrmask |= DNS_DISPATCHATTR_UDP;
-	attrmask |= DNS_DISPATCHATTR_TCP;
-	attrmask |= DNS_DISPATCHATTR_IPV4;
-	attrmask |= DNS_DISPATCHATTR_IPV6;
-	return (dns_dispatch_getudp(requestmgr->dispatchmgr,
-				    requestmgr->socketmgr,
-				    requestmgr->taskmgr,
-				    srcaddr, 4096,
-				    1000, 32768, 16411, 16433,
-				    attrs, attrmask,
-				    dispatchp));
-}
-
-static isc_result_t
-get_dispatch(isc_boolean_t tcp, dns_requestmgr_t *requestmgr,
-	     isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-	     dns_dispatch_t **dispatchp)
-{
-	isc_result_t result;
-	if (tcp)
-		result = create_tcp_dispatch(requestmgr, srcaddr,
-					     destaddr, dispatchp);
-	else
-		result = find_udp_dispatch(requestmgr, srcaddr,
-					   destaddr, dispatchp);
-	return (result);
-}
-
-static isc_result_t
-set_timer(isc_timer_t *timer, unsigned int timeout, unsigned int udpresend) {
-	isc_time_t expires;
-	isc_interval_t interval;
-	isc_result_t result;
-	isc_timertype_t timertype;
-
-	isc_interval_set(&interval, timeout, 0);
-	result = isc_time_nowplusinterval(&expires, &interval);
-	isc_interval_set(&interval, udpresend, 0);
-
-	timertype = udpresend != 0 ? isc_timertype_limited : isc_timertype_once;
-	if (result == ISC_R_SUCCESS)
-		result = isc_timer_reset(timer, timertype, &expires,
-					 &interval, ISC_FALSE);
-	return (result);
-}
-
-isc_result_t
-dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
-		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		      unsigned int options, unsigned int timeout,
-		      isc_task_t *task, isc_taskaction_t action, void *arg,
-		      dns_request_t **requestp)
-{
-	return(dns_request_createraw3(requestmgr, msgbuf, srcaddr, destaddr,
-				      options, timeout, 0, 0, task, action,
-				      arg, requestp));
-}
-
-isc_result_t
-dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
-		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		       unsigned int options, unsigned int timeout,
-		       unsigned int udptimeout, isc_task_t *task,
-		       isc_taskaction_t action, void *arg,
-		       dns_request_t **requestp)
-{
-	unsigned int udpretries = 0;
-
-	if (udptimeout != 0)
-		udpretries = timeout / udptimeout;
-
-	return (dns_request_createraw3(requestmgr, msgbuf, srcaddr, destaddr,
-				       options, timeout, udptimeout,
-				       udpretries, task, action, arg,
-				       requestp));
-}
-
-isc_result_t
-dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
-		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		       unsigned int options, unsigned int timeout,
-		       unsigned int udptimeout, unsigned int udpretries,
-		       isc_task_t *task, isc_taskaction_t action, void *arg,
-		       dns_request_t **requestp)
-{
-	dns_request_t *request = NULL;
-	isc_task_t *tclone = NULL;
-	isc_socket_t *socket = NULL;
-	isc_result_t result;
-	isc_mem_t *mctx;
-	dns_messageid_t	id;
-	isc_boolean_t tcp = ISC_FALSE;
-	isc_region_t r;
-
-	REQUIRE(VALID_REQUESTMGR(requestmgr));
-	REQUIRE(msgbuf != NULL);
-	REQUIRE(destaddr != NULL);
-	REQUIRE(task != NULL);
-	REQUIRE(action != NULL);
-	REQUIRE(requestp != NULL && *requestp == NULL);
-	REQUIRE(timeout > 0);
-	if (srcaddr != NULL)
-		REQUIRE(isc_sockaddr_pf(srcaddr) == isc_sockaddr_pf(destaddr));
-
-	mctx = requestmgr->mctx;
-
-	req_log(ISC_LOG_DEBUG(3), "dns_request_createraw");
-
-	if (isblackholed(requestmgr->dispatchmgr, destaddr))
-		return (DNS_R_BLACKHOLED);
-
-	request = NULL;
-	result = new_request(mctx, &request);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (udptimeout == 0 && udpretries != 0) {
-		udptimeout = timeout / (udpretries + 1);
-		if (udptimeout == 0)
-			udptimeout = 1;
-	}
-	request->udpcount = udpretries;
-
-	/*
-	 * Create timer now.  We will set it below once.
-	 */
-	result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
-				  NULL, NULL, task, req_timeout, request,
-				  &request->timer);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	request->event = (dns_requestevent_t *)
-		isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
-				   action, arg, sizeof(dns_requestevent_t));
-	if (request->event == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	isc_task_attach(task, &tclone);
-	request->event->ev_sender = task;
-	request->event->request = request;
-	request->event->result = ISC_R_FAILURE;
-
-	isc_buffer_usedregion(msgbuf, &r);
-	if (r.length < DNS_MESSAGE_HEADERLEN || r.length > 65535) {
-		result = DNS_R_FORMERR;
-		goto cleanup;
-	}
-
-	if ((options & DNS_REQUESTOPT_TCP) != 0 || r.length > 512)
-		tcp = ISC_TRUE;
-
-	result = get_dispatch(tcp, requestmgr, srcaddr, destaddr,
-			      &request->dispatch);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_dispatch_addresponse2(request->dispatch, destaddr, task,
-					   req_response, request, &id,
-					   &request->dispentry,
-					   requestmgr->socketmgr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	socket = req_getsocket(request);
-	INSIST(socket != NULL);
-
-	result = isc_buffer_allocate(mctx, &request->query,
-				     r.length + (tcp ? 2 : 0));
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	if (tcp)
-		isc_buffer_putuint16(request->query, (isc_uint16_t)r.length);
-	result = isc_buffer_copyregion(request->query, &r);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/* Add message ID. */
-	isc_buffer_usedregion(request->query, &r);
-	if (tcp)
-		isc_region_consume(&r, 2);
-	r.base[0] = (id>>8) & 0xff;
-	r.base[1] = id & 0xff;
-
-	LOCK(&requestmgr->lock);
-	if (requestmgr->exiting) {
-		UNLOCK(&requestmgr->lock);
-		result = ISC_R_SHUTTINGDOWN;
-		goto cleanup;
-	}
-	requestmgr_attach(requestmgr, &request->requestmgr);
-	request->hash = mgr_gethash(requestmgr);
-	ISC_LIST_APPEND(requestmgr->requests, request, link);
-	UNLOCK(&requestmgr->lock);
-
-	result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
-	if (result != ISC_R_SUCCESS)
-		goto unlink;
-
-	request->destaddr = *destaddr;
-	if (tcp) {
-		result = isc_socket_connect(socket, destaddr, task,
-					    req_connected, request);
-		if (result != ISC_R_SUCCESS)
-			goto unlink;
-		request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP;
-	} else {
-		result = req_send(request, task, destaddr);
-		if (result != ISC_R_SUCCESS)
-			goto unlink;
-	}
-
-	req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: request %p",
-		request);
-	*requestp = request;
-	return (ISC_R_SUCCESS);
-
- unlink:
-	LOCK(&requestmgr->lock);
-	ISC_LIST_UNLINK(requestmgr->requests, request, link);
-	UNLOCK(&requestmgr->lock);
-
- cleanup:
-	if (tclone != NULL)
-		isc_task_detach(&tclone);
-	req_destroy(request);
-	req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: failed %s",
-		dns_result_totext(result));
-	return (result);
-}
-
-isc_result_t
-dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
-		   isc_sockaddr_t *address, unsigned int options,
-		   dns_tsigkey_t *key,
-		   unsigned int timeout, isc_task_t *task,
-		   isc_taskaction_t action, void *arg,
-		   dns_request_t **requestp)
-{
-	return (dns_request_createvia3(requestmgr, message, NULL, address,
-				       options, key, timeout, 0, 0, task,
-				       action, arg, requestp));
-}
-
-isc_result_t
-dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
-		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		      unsigned int options, dns_tsigkey_t *key,
-		      unsigned int timeout, isc_task_t *task,
-		      isc_taskaction_t action, void *arg,
-		      dns_request_t **requestp)
-{
-	return(dns_request_createvia3(requestmgr, message, srcaddr, destaddr,
-				      options, key, timeout, 0, 0, task,
-				      action, arg, requestp));
-}
-
-isc_result_t
-dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
-		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		       unsigned int options, dns_tsigkey_t *key,
-		       unsigned int timeout, unsigned int udptimeout,
-		       isc_task_t *task, isc_taskaction_t action, void *arg,
-		       dns_request_t **requestp)
-{
-	unsigned int udpretries = 0;
-
-	if (udptimeout != 0)
-		udpretries = timeout / udptimeout;
-	return (dns_request_createvia3(requestmgr, message, srcaddr, destaddr,
-				       options, key, timeout, udptimeout,
-				       udpretries, task, action, arg,
-				       requestp));
-}
-
-isc_result_t
-dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
-		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-		       unsigned int options, dns_tsigkey_t *key,
-		       unsigned int timeout, unsigned int udptimeout,
-		       unsigned int udpretries, isc_task_t *task,
-		       isc_taskaction_t action, void *arg,
-		       dns_request_t **requestp)
-{
-	dns_request_t *request = NULL;
-	isc_task_t *tclone = NULL;
-	isc_socket_t *socket = NULL;
-	isc_result_t result;
-	isc_mem_t *mctx;
-	dns_messageid_t	id;
-	isc_boolean_t tcp;
-	isc_boolean_t setkey = ISC_TRUE;
-
-	REQUIRE(VALID_REQUESTMGR(requestmgr));
-	REQUIRE(message != NULL);
-	REQUIRE(destaddr != NULL);
-	REQUIRE(task != NULL);
-	REQUIRE(action != NULL);
-	REQUIRE(requestp != NULL && *requestp == NULL);
-	REQUIRE(timeout > 0);
-
-	mctx = requestmgr->mctx;
-
-	req_log(ISC_LOG_DEBUG(3), "dns_request_createvia");
-
-	if (srcaddr != NULL &&
-	    isc_sockaddr_pf(srcaddr) != isc_sockaddr_pf(destaddr))
-		return (ISC_R_FAMILYMISMATCH);
-
-	if (isblackholed(requestmgr->dispatchmgr, destaddr))
-		return (DNS_R_BLACKHOLED);
-
-	request = NULL;
-	result = new_request(mctx, &request);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (udptimeout == 0 && udpretries != 0) {
-		udptimeout = timeout / (udpretries + 1);
-		if (udptimeout == 0)
-			udptimeout = 1;
-	}
-	request->udpcount = udpretries;
-
-	/*
-	 * Create timer now.  We will set it below once.
-	 */
-	result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
-				  NULL, NULL, task, req_timeout, request,
-				  &request->timer);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	request->event = (dns_requestevent_t *)
-		isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
-				   action, arg, sizeof(dns_requestevent_t));
-	if (request->event == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	isc_task_attach(task, &tclone);
-	request->event->ev_sender = task;
-	request->event->request = request;
-	request->event->result = ISC_R_FAILURE;
-	if (key != NULL)
-		dns_tsigkey_attach(key, &request->tsigkey);
-
- use_tcp:
-	tcp = ISC_TF((options & DNS_REQUESTOPT_TCP) != 0);
-	result = get_dispatch(tcp, requestmgr, srcaddr, destaddr,
-			      &request->dispatch);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_dispatch_addresponse2(request->dispatch, destaddr, task,
-					   req_response, request, &id,
-					   &request->dispentry,
-					   requestmgr->socketmgr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	socket = req_getsocket(request);
-	INSIST(socket != NULL);
-
-	message->id = id;
-	if (setkey) {
-		result = dns_message_settsigkey(message, request->tsigkey);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-	result = req_render(message, &request->query, options, mctx);
-	if (result == DNS_R_USETCP &&
-	    (options & DNS_REQUESTOPT_TCP) == 0) {
-		/*
-		 * Try again using TCP.
-		 */
-		dns_message_renderreset(message);
-		dns_dispatch_removeresponse(&request->dispentry, NULL);
-		dns_dispatch_detach(&request->dispatch);
-		socket = NULL;
-		options |= DNS_REQUESTOPT_TCP;
-		setkey = ISC_FALSE;
-		goto use_tcp;
-	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_message_getquerytsig(message, mctx, &request->tsig);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	LOCK(&requestmgr->lock);
-	if (requestmgr->exiting) {
-		UNLOCK(&requestmgr->lock);
-		result = ISC_R_SHUTTINGDOWN;
-		goto cleanup;
-	}
-	requestmgr_attach(requestmgr, &request->requestmgr);
-	request->hash = mgr_gethash(requestmgr);
-	ISC_LIST_APPEND(requestmgr->requests, request, link);
-	UNLOCK(&requestmgr->lock);
-
-	result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
-	if (result != ISC_R_SUCCESS)
-		goto unlink;
-
-	request->destaddr = *destaddr;
-	if (tcp) {
-		result = isc_socket_connect(socket, destaddr, task,
-					    req_connected, request);
-		if (result != ISC_R_SUCCESS)
-			goto unlink;
-		request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP;
-	} else {
-		result = req_send(request, task, destaddr);
-		if (result != ISC_R_SUCCESS)
-			goto unlink;
-	}
-
-	req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: request %p",
-		request);
-	*requestp = request;
-	return (ISC_R_SUCCESS);
-
- unlink:
-	LOCK(&requestmgr->lock);
-	ISC_LIST_UNLINK(requestmgr->requests, request, link);
-	UNLOCK(&requestmgr->lock);
-
- cleanup:
-	if (tclone != NULL)
-		isc_task_detach(&tclone);
-	req_destroy(request);
-	req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: failed %s",
-		dns_result_totext(result));
-	return (result);
-}
-
-static isc_result_t
-req_render(dns_message_t *message, isc_buffer_t **bufferp,
-	   unsigned int options, isc_mem_t *mctx)
-{
-	isc_buffer_t *buf1 = NULL;
-	isc_buffer_t *buf2 = NULL;
-	isc_result_t result;
-	isc_region_t r;
-	isc_boolean_t tcp = ISC_FALSE;
-	dns_compress_t cctx;
-	isc_boolean_t cleanup_cctx = ISC_FALSE;
-
-	REQUIRE(bufferp != NULL && *bufferp == NULL);
-
-	req_log(ISC_LOG_DEBUG(3), "request_render");
-
-	/*
-	 * Create buffer able to hold largest possible message.
-	 */
-	result = isc_buffer_allocate(mctx, &buf1, 65535);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_compress_init(&cctx, -1, mctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	cleanup_cctx = ISC_TRUE;
-
-	if ((options & DNS_REQUESTOPT_CASE) != 0)
-		dns_compress_setsensitive(&cctx, ISC_TRUE);
-
-	/*
-	 * Render message.
-	 */
-	result = dns_message_renderbegin(message, &cctx, buf1);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_rendersection(message, DNS_SECTION_QUESTION, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_rendersection(message, DNS_SECTION_ANSWER, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_rendersection(message, DNS_SECTION_AUTHORITY, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_rendersection(message, DNS_SECTION_ADDITIONAL, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_renderend(message);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_compress_invalidate(&cctx);
-	cleanup_cctx = ISC_FALSE;
-
-	/*
-	 * Copy rendered message to exact sized buffer.
-	 */
-	isc_buffer_usedregion(buf1, &r);
-	if ((options & DNS_REQUESTOPT_TCP) != 0) {
-		tcp = ISC_TRUE;
-	} else if (r.length > 512) {
-		result = DNS_R_USETCP;
-		goto cleanup;
-	}
-	result = isc_buffer_allocate(mctx, &buf2, r.length + (tcp ? 2 : 0));
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	if (tcp)
-		isc_buffer_putuint16(buf2, (isc_uint16_t)r.length);
-	result = isc_buffer_copyregion(buf2, &r);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/*
-	 * Cleanup and return.
-	 */
-	isc_buffer_free(&buf1);
-	*bufferp = buf2;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_message_renderreset(message);
-	if (buf1 != NULL)
-		isc_buffer_free(&buf1);
-	if (buf2 != NULL)
-		isc_buffer_free(&buf2);
-	if (cleanup_cctx)
-		dns_compress_invalidate(&cctx);
-	return (result);
-}
-
-
-/*
- * If this request is no longer waiting for events,
- * send the completion event.  This will ultimately
- * cause the request to be destroyed.
- *
- * Requires:
- *	'request' is locked by the caller.
- */
-static void
-send_if_done(dns_request_t *request, isc_result_t result) {
-	if (request->event != NULL && !request->canceling)
-		req_sendevent(request, result);
-}
-
-/*
- * Handle the control event.
- */
-static void
-do_cancel(isc_task_t *task, isc_event_t *event) {
-	dns_request_t *request = event->ev_arg;
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_REQUESTCONTROL);
-	LOCK(&request->requestmgr->locks[request->hash]);
-	request->canceling = ISC_FALSE;
-	if (!DNS_REQUEST_CANCELED(request))
-		req_cancel(request);
-	send_if_done(request, ISC_R_CANCELED);
-	UNLOCK(&request->requestmgr->locks[request->hash]);
-}
-
-void
-dns_request_cancel(dns_request_t *request) {
-	REQUIRE(VALID_REQUEST(request));
-
-	req_log(ISC_LOG_DEBUG(3), "dns_request_cancel: request %p", request);
-
-	REQUIRE(VALID_REQUEST(request));
-
-	LOCK(&request->requestmgr->locks[request->hash]);
-	if (!request->canceling && !DNS_REQUEST_CANCELED(request)) {
-		isc_event_t *ev =  &request->ctlevent;
-		isc_task_send(request->event->ev_sender, &ev);
-		request->canceling = ISC_TRUE;
-	}
-	UNLOCK(&request->requestmgr->locks[request->hash]);
-}
-
-isc_result_t
-dns_request_getresponse(dns_request_t *request, dns_message_t *message,
-			unsigned int options)
-{
-	isc_result_t result;
-
-	REQUIRE(VALID_REQUEST(request));
-	REQUIRE(request->answer != NULL);
-
-	req_log(ISC_LOG_DEBUG(3), "dns_request_getresponse: request %p",
-		request);
-
-	result = dns_message_setquerytsig(message, request->tsig);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_message_settsigkey(message, request->tsigkey);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_message_parse(message, request->answer, options);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (request->tsigkey != NULL)
-		result = dns_tsig_verify(request->answer, message, NULL, NULL);
-	return (result);
-}
-
-isc_boolean_t
-dns_request_usedtcp(dns_request_t *request) {
-	REQUIRE(VALID_REQUEST(request));
-
-	return (ISC_TF((request->flags & DNS_REQUEST_F_TCP) != 0));
-}
-
-void
-dns_request_destroy(dns_request_t **requestp) {
-	dns_request_t *request;
-
-	REQUIRE(requestp != NULL && VALID_REQUEST(*requestp));
-
-	request = *requestp;
-
-	req_log(ISC_LOG_DEBUG(3), "dns_request_destroy: request %p", request);
-
-	LOCK(&request->requestmgr->lock);
-	LOCK(&request->requestmgr->locks[request->hash]);
-	ISC_LIST_UNLINK(request->requestmgr->requests, request, link);
-	INSIST(!DNS_REQUEST_CONNECTING(request));
-	INSIST(!DNS_REQUEST_SENDING(request));
-	UNLOCK(&request->requestmgr->locks[request->hash]);
-	UNLOCK(&request->requestmgr->lock);
-
-	/*
-	 * These should have been cleaned up by req_cancel() before
-	 * the completion event was sent.
-	 */
-	INSIST(!ISC_LINK_LINKED(request, link));
-	INSIST(request->dispentry == NULL);
-	INSIST(request->dispatch == NULL);
-	INSIST(request->timer == NULL);
-
-	req_destroy(request);
-
-	*requestp = NULL;
-}
-
-/***
- *** Private: request.
- ***/
-
-static isc_socket_t *
-req_getsocket(dns_request_t *request) {
-	unsigned int dispattr;
-	isc_socket_t *socket;
-
-	dispattr = dns_dispatch_getattributes(request->dispatch);
-	if ((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
-		INSIST(request->dispentry != NULL);
-		socket = dns_dispatch_getentrysocket(request->dispentry);
-	} else
-		socket = dns_dispatch_getsocket(request->dispatch);
-
-	return (socket);
-}
-
-static void
-req_connected(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	isc_result_t result;
-	dns_request_t *request = event->ev_arg;
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
-	REQUIRE(VALID_REQUEST(request));
-	REQUIRE(DNS_REQUEST_CONNECTING(request));
-
-	req_log(ISC_LOG_DEBUG(3), "req_connected: request %p", request);
-
-	LOCK(&request->requestmgr->locks[request->hash]);
-	request->flags &= ~DNS_REQUEST_F_CONNECTING;
-
-	if (DNS_REQUEST_CANCELED(request)) {
-		/*
-		 * Send delayed event.
-		 */
-		if (DNS_REQUEST_TIMEDOUT(request))
-			send_if_done(request, ISC_R_TIMEDOUT);
-		else
-			send_if_done(request, ISC_R_CANCELED);
-	} else {
-		dns_dispatch_starttcp(request->dispatch);
-		result = sevent->result;
-		if (result == ISC_R_SUCCESS)
-			result = req_send(request, task, NULL);
-
-		if (result != ISC_R_SUCCESS) {
-			req_cancel(request);
-			send_if_done(request, ISC_R_CANCELED);
-		}
-	}
-	UNLOCK(&request->requestmgr->locks[request->hash]);
-	isc_event_free(&event);
-}
-
-static void
-req_senddone(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	dns_request_t *request = event->ev_arg;
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-	REQUIRE(VALID_REQUEST(request));
-	REQUIRE(DNS_REQUEST_SENDING(request));
-
-	req_log(ISC_LOG_DEBUG(3), "req_senddone: request %p", request);
-
-	UNUSED(task);
-
-	LOCK(&request->requestmgr->locks[request->hash]);
-	request->flags &= ~DNS_REQUEST_F_SENDING;
-
-	if (DNS_REQUEST_CANCELED(request)) {
-		/*
-		 * Send delayed event.
-		 */
-		if (DNS_REQUEST_TIMEDOUT(request))
-			send_if_done(request, ISC_R_TIMEDOUT);
-		else
-			send_if_done(request, ISC_R_CANCELED);
-	} else if (sevent->result != ISC_R_SUCCESS) {
-		req_cancel(request);
-		send_if_done(request, ISC_R_CANCELED);
-	}
-	UNLOCK(&request->requestmgr->locks[request->hash]);
-
-	isc_event_free(&event);
-}
-
-static void
-req_response(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	dns_request_t *request = event->ev_arg;
-	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
-	isc_region_t r;
-
-	REQUIRE(VALID_REQUEST(request));
-	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
-
-	UNUSED(task);
-
-	req_log(ISC_LOG_DEBUG(3), "req_response: request %p: %s", request,
-		dns_result_totext(devent->result));
-
-	LOCK(&request->requestmgr->locks[request->hash]);
-	result = devent->result;
-	if (result != ISC_R_SUCCESS)
-		goto done;
-
-	/*
-	 * Copy buffer to request.
-	 */
-	isc_buffer_usedregion(&devent->buffer, &r);
-	result = isc_buffer_allocate(request->mctx, &request->answer,
-				     r.length);
-	if (result != ISC_R_SUCCESS)
-		goto done;
-	result = isc_buffer_copyregion(request->answer, &r);
-	if (result != ISC_R_SUCCESS)
-		isc_buffer_free(&request->answer);
- done:
-	/*
-	 * Cleanup.
-	 */
-	dns_dispatch_removeresponse(&request->dispentry, &devent);
-	req_cancel(request);
-	/*
-	 * Send completion event.
-	 */
-	send_if_done(request, result);
-	UNLOCK(&request->requestmgr->locks[request->hash]);
-}
-
-static void
-req_timeout(isc_task_t *task, isc_event_t *event) {
-	dns_request_t *request = event->ev_arg;
-	isc_result_t result;
-
-	REQUIRE(VALID_REQUEST(request));
-
-	req_log(ISC_LOG_DEBUG(3), "req_timeout: request %p", request);
-
-	UNUSED(task);
-	LOCK(&request->requestmgr->locks[request->hash]);
-	if (event->ev_type == ISC_TIMEREVENT_TICK &&
-	    request->udpcount-- != 0) {
-		if (! DNS_REQUEST_SENDING(request)) {
-			result = req_send(request, task, &request->destaddr);
-			if (result != ISC_R_SUCCESS) {
-				req_cancel(request);
-				send_if_done(request, result);
-			}
-		}
-	} else {
-		request->flags |= DNS_REQUEST_F_TIMEDOUT;
-		req_cancel(request);
-		send_if_done(request, ISC_R_TIMEDOUT);
-	}
-	UNLOCK(&request->requestmgr->locks[request->hash]);
-	isc_event_free(&event);
-}
-
-static void
-req_sendevent(dns_request_t *request, isc_result_t result) {
-	isc_task_t *task;
-
-	REQUIRE(VALID_REQUEST(request));
-
-	req_log(ISC_LOG_DEBUG(3), "req_sendevent: request %p", request);
-
-	/*
-	 * Lock held by caller.
-	 */
-	task = request->event->ev_sender;
-	request->event->ev_sender = request;
-	request->event->result = result;
-	isc_task_sendanddetach(&task, (isc_event_t **)&request->event);
-}
-
-static void
-req_destroy(dns_request_t *request) {
-	isc_mem_t *mctx;
-
-	REQUIRE(VALID_REQUEST(request));
-
-	req_log(ISC_LOG_DEBUG(3), "req_destroy: request %p", request);
-
-	request->magic = 0;
-	if (request->query != NULL)
-		isc_buffer_free(&request->query);
-	if (request->answer != NULL)
-		isc_buffer_free(&request->answer);
-	if (request->event != NULL)
-		isc_event_free((isc_event_t **)&request->event);
-	if (request->dispentry != NULL)
-		dns_dispatch_removeresponse(&request->dispentry, NULL);
-	if (request->dispatch != NULL)
-		dns_dispatch_detach(&request->dispatch);
-	if (request->timer != NULL)
-		isc_timer_detach(&request->timer);
-	if (request->tsig != NULL)
-		isc_buffer_free(&request->tsig);
-	if (request->tsigkey != NULL)
-		dns_tsigkey_detach(&request->tsigkey);
-	if (request->requestmgr != NULL)
-		requestmgr_detach(&request->requestmgr);
-	mctx = request->mctx;
-	isc_mem_put(mctx, request, sizeof(*request));
-	isc_mem_detach(&mctx);
-}
-
-/*
- * Stop the current request.  Must be called from the request's task.
- */
-static void
-req_cancel(dns_request_t *request) {
-	isc_socket_t *socket;
-	unsigned int dispattr;
-
-	REQUIRE(VALID_REQUEST(request));
-
-	req_log(ISC_LOG_DEBUG(3), "req_cancel: request %p", request);
-
-	/*
-	 * Lock held by caller.
-	 */
-	request->flags |= DNS_REQUEST_F_CANCELED;
-
-	if (request->timer != NULL)
-		isc_timer_detach(&request->timer);
-	dispattr = dns_dispatch_getattributes(request->dispatch);
-	socket = NULL;
-	if (DNS_REQUEST_CONNECTING(request) || DNS_REQUEST_SENDING(request)) {
-		if ((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
-			if (request->dispentry != NULL) {
-				socket = dns_dispatch_getentrysocket(
-					request->dispentry);
-			}
-		} else
-			socket = dns_dispatch_getsocket(request->dispatch);
-		if (DNS_REQUEST_CONNECTING(request) && socket != NULL)
-			isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_CONNECT);
-		if (DNS_REQUEST_SENDING(request) && socket != NULL)
-			isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_SEND);
-	}
-	if (request->dispentry != NULL)
-		dns_dispatch_removeresponse(&request->dispentry, NULL);
-	dns_dispatch_detach(&request->dispatch);
-}
-
-static void
-req_log(int level, const char *fmt, ...) {
-	va_list ap;
-
-	va_start(ap, fmt);
-	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-		       DNS_LOGMODULE_REQUEST, level, fmt, ap);
-	va_end(ap);
-}
diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c
deleted file mode 100644
index 27d15b9..0000000
--- a/contrib/bind9/lib/dns/resolver.c
+++ /dev/null
@@ -1,9040 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/log.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/random.h>
-#include <isc/socket.h>
-#include <isc/stats.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/adb.h>
-#include <dns/cache.h>
-#include <dns/db.h>
-#include <dns/dispatch.h>
-#include <dns/ds.h>
-#include <dns/events.h>
-#include <dns/forward.h>
-#include <dns/keytable.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/ncache.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/opcode.h>
-#include <dns/peer.h>
-#include <dns/rbt.h>
-#include <dns/rcode.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/rootns.h>
-#include <dns/stats.h>
-#include <dns/tsig.h>
-#include <dns/validator.h>
-
-#define DNS_RESOLVER_TRACE
-#ifdef DNS_RESOLVER_TRACE
-#define RTRACE(m)       isc_log_write(dns_lctx, \
-				      DNS_LOGCATEGORY_RESOLVER, \
-				      DNS_LOGMODULE_RESOLVER, \
-				      ISC_LOG_DEBUG(3), \
-				      "res %p: %s", res, (m))
-#define RRTRACE(r, m)   isc_log_write(dns_lctx, \
-				      DNS_LOGCATEGORY_RESOLVER, \
-				      DNS_LOGMODULE_RESOLVER, \
-				      ISC_LOG_DEBUG(3), \
-				      "res %p: %s", (r), (m))
-#define FCTXTRACE(m)    isc_log_write(dns_lctx, \
-				      DNS_LOGCATEGORY_RESOLVER, \
-				      DNS_LOGMODULE_RESOLVER, \
-				      ISC_LOG_DEBUG(3), \
-				      "fctx %p(%s): %s", fctx, fctx->info, (m))
-#define FCTXTRACE2(m1, m2) \
-			isc_log_write(dns_lctx, \
-				      DNS_LOGCATEGORY_RESOLVER, \
-				      DNS_LOGMODULE_RESOLVER, \
-				      ISC_LOG_DEBUG(3), \
-				      "fctx %p(%s): %s %s", \
-				      fctx, fctx->info, (m1), (m2))
-#define FTRACE(m)       isc_log_write(dns_lctx, \
-				      DNS_LOGCATEGORY_RESOLVER, \
-				      DNS_LOGMODULE_RESOLVER, \
-				      ISC_LOG_DEBUG(3), \
-				      "fetch %p (fctx %p(%s)): %s", \
-				      fetch, fetch->private, \
-				      fetch->private->info, (m))
-#define QTRACE(m)       isc_log_write(dns_lctx, \
-				      DNS_LOGCATEGORY_RESOLVER, \
-				      DNS_LOGMODULE_RESOLVER, \
-				      ISC_LOG_DEBUG(3), \
-				      "resquery %p (fctx %p(%s)): %s", \
-				      query, query->fctx, \
-				      query->fctx->info, (m))
-#else
-#define RTRACE(m)
-#define RRTRACE(r, m)
-#define FCTXTRACE(m)
-#define FTRACE(m)
-#define QTRACE(m)
-#endif
-
-#define US_PER_SEC 1000000U
-/*
- * The maximum time we will wait for a single query.
- */
-#define MAX_SINGLE_QUERY_TIMEOUT 9U
-#define MAX_SINGLE_QUERY_TIMEOUT_US (MAX_SINGLE_QUERY_TIMEOUT*US_PER_SEC)
-
-/*
- * We need to allow a individual query time to complete / timeout.
- */
-#define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)
-
-/* The default time in seconds for the whole query to live. */
-#ifndef DEFAULT_QUERY_TIMEOUT
-#define DEFAULT_QUERY_TIMEOUT MINIMUM_QUERY_TIMEOUT
-#endif
-
-#ifndef MAXIMUM_QUERY_TIMEOUT
-#define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
-#endif
-
-/*%
- * Maximum EDNS0 input packet size.
- */
-#define RECV_BUFFER_SIZE                4096            /* XXXRTH  Constant. */
-#define EDNSOPTS			2
-
-/*%
- * This defines the maximum number of timeouts we will permit before we
- * disable EDNS0 on the query.
- */
-#define MAX_EDNS0_TIMEOUTS      3
-
-typedef struct fetchctx fetchctx_t;
-
-typedef struct query {
-	/* Locked by task event serialization. */
-	unsigned int			magic;
-	fetchctx_t *			fctx;
-	isc_mem_t *			mctx;
-	dns_dispatchmgr_t *		dispatchmgr;
-	dns_dispatch_t *		dispatch;
-	isc_boolean_t			exclusivesocket;
-	dns_adbaddrinfo_t *		addrinfo;
-	isc_socket_t *			tcpsocket;
-	isc_time_t			start;
-	dns_messageid_t			id;
-	dns_dispentry_t *		dispentry;
-	ISC_LINK(struct query)		link;
-	isc_buffer_t			buffer;
-	isc_buffer_t			*tsig;
-	dns_tsigkey_t			*tsigkey;
-	isc_socketevent_t		sendevent;
-	unsigned int			options;
-	unsigned int			attributes;
-	unsigned int			sends;
-	unsigned int			connects;
-	unsigned char			data[512];
-} resquery_t;
-
-#define QUERY_MAGIC			ISC_MAGIC('Q', '!', '!', '!')
-#define VALID_QUERY(query)		ISC_MAGIC_VALID(query, QUERY_MAGIC)
-
-#define RESQUERY_ATTR_CANCELED          0x02
-
-#define RESQUERY_CONNECTING(q)          ((q)->connects > 0)
-#define RESQUERY_CANCELED(q)            (((q)->attributes & \
-					  RESQUERY_ATTR_CANCELED) != 0)
-#define RESQUERY_SENDING(q)             ((q)->sends > 0)
-
-typedef enum {
-	fetchstate_init = 0,            /*%< Start event has not run yet. */
-	fetchstate_active,
-	fetchstate_done                 /*%< FETCHDONE events posted. */
-} fetchstate;
-
-typedef enum {
-	badns_unreachable = 0,
-	badns_response,
-	badns_validation
-} badnstype_t;
-
-struct fetchctx {
-	/*% Not locked. */
-	unsigned int			magic;
-	dns_resolver_t *		res;
-	dns_name_t			name;
-	dns_rdatatype_t			type;
-	unsigned int			options;
-	unsigned int			bucketnum;
-	char *				info;
-	isc_mem_t *			mctx;
-
-	/*% Locked by appropriate bucket lock. */
-	fetchstate			state;
-	isc_boolean_t			want_shutdown;
-	isc_boolean_t			cloned;
-	isc_boolean_t			spilled;
-	unsigned int			references;
-	isc_event_t			control_event;
-	ISC_LINK(struct fetchctx)       link;
-	ISC_LIST(dns_fetchevent_t)      events;
-	/*% Locked by task event serialization. */
-	dns_name_t			domain;
-	dns_rdataset_t			nameservers;
-	unsigned int			attributes;
-	isc_timer_t *			timer;
-	isc_time_t			expires;
-	isc_interval_t			interval;
-	dns_message_t *			qmessage;
-	dns_message_t *			rmessage;
-	ISC_LIST(resquery_t)		queries;
-	dns_adbfindlist_t		finds;
-	dns_adbfind_t *			find;
-	dns_adbfindlist_t		altfinds;
-	dns_adbfind_t *			altfind;
-	dns_adbaddrinfolist_t		forwaddrs;
-	dns_adbaddrinfolist_t		altaddrs;
-	isc_sockaddrlist_t		forwarders;
-	dns_fwdpolicy_t			fwdpolicy;
-	isc_sockaddrlist_t		bad;
-	isc_sockaddrlist_t		edns;
-	isc_sockaddrlist_t		edns512;
-	isc_sockaddrlist_t		bad_edns;
-	dns_validator_t			*validator;
-	ISC_LIST(dns_validator_t)       validators;
-	dns_db_t *			cache;
-	dns_adb_t *			adb;
-	isc_boolean_t			ns_ttl_ok;
-	isc_uint32_t			ns_ttl;
-
-	/*%
-	 * The number of events we're waiting for.
-	 */
-	unsigned int			pending;
-
-	/*%
-	 * The number of times we've "restarted" the current
-	 * nameserver set.  This acts as a failsafe to prevent
-	 * us from pounding constantly on a particular set of
-	 * servers that, for whatever reason, are not giving
-	 * us useful responses, but are responding in such a
-	 * way that they are not marked "bad".
-	 */
-	unsigned int			restarts;
-
-	/*%
-	 * The number of timeouts that have occurred since we
-	 * last successfully received a response packet.  This
-	 * is used for EDNS0 black hole detection.
-	 */
-	unsigned int			timeouts;
-
-	/*%
-	 * Look aside state for DS lookups.
-	 */
-	dns_name_t 			nsname;
-	dns_fetch_t *			nsfetch;
-	dns_rdataset_t			nsrrset;
-
-	/*%
-	 * Number of queries that reference this context.
-	 */
-	unsigned int			nqueries;
-
-	/*%
-	 * The reason to print when logging a successful
-	 * response to a query.
-	 */
-	const char *			reason;
-
-	/*%
-	 * Random numbers to use for mixing up server addresses.
-	 */
-	isc_uint32_t                    rand_buf;
-	isc_uint32_t                    rand_bits;
-
-	/*%
-	 * Fetch-local statistics for detailed logging.
-	 */
-	isc_result_t			result; /*%< fetch result  */
-	isc_result_t			vresult; /*%< validation result  */
-	int				exitline;
-	isc_time_t			start;
-	isc_uint64_t			duration;
-	isc_boolean_t			logged;
-	unsigned int			querysent;
-	unsigned int			referrals;
-	unsigned int			lamecount;
-	unsigned int			neterr;
-	unsigned int			badresp;
-	unsigned int			adberr;
-	unsigned int			findfail;
-	unsigned int			valfail;
-	isc_boolean_t			timeout;
-	dns_adbaddrinfo_t 		*addrinfo;
-	isc_sockaddr_t			*client;
-};
-
-#define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
-#define VALID_FCTX(fctx)		ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
-
-#define FCTX_ATTR_HAVEANSWER            0x0001
-#define FCTX_ATTR_GLUING                0x0002
-#define FCTX_ATTR_ADDRWAIT              0x0004
-#define FCTX_ATTR_SHUTTINGDOWN          0x0008
-#define FCTX_ATTR_WANTCACHE             0x0010
-#define FCTX_ATTR_WANTNCACHE            0x0020
-#define FCTX_ATTR_NEEDEDNS0             0x0040
-#define FCTX_ATTR_TRIEDFIND             0x0080
-#define FCTX_ATTR_TRIEDALT              0x0100
-
-#define HAVE_ANSWER(f)          (((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
-				 0)
-#define GLUING(f)               (((f)->attributes & FCTX_ATTR_GLUING) != \
-				 0)
-#define ADDRWAIT(f)             (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
-				 0)
-#define SHUTTINGDOWN(f)         (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
-				 != 0)
-#define WANTCACHE(f)            (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
-#define WANTNCACHE(f)           (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
-#define NEEDEDNS0(f)            (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
-#define TRIEDFIND(f)            (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
-#define TRIEDALT(f)             (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
-
-typedef struct {
-	dns_adbaddrinfo_t *		addrinfo;
-	fetchctx_t *			fctx;
-} dns_valarg_t;
-
-struct dns_fetch {
-	unsigned int			magic;
-	fetchctx_t *			private;
-};
-
-#define DNS_FETCH_MAGIC			ISC_MAGIC('F', 't', 'c', 'h')
-#define DNS_FETCH_VALID(fetch)		ISC_MAGIC_VALID(fetch, DNS_FETCH_MAGIC)
-
-typedef struct fctxbucket {
-	isc_task_t *			task;
-	isc_mutex_t			lock;
-	ISC_LIST(fetchctx_t)		fctxs;
-	isc_boolean_t			exiting;
-	isc_mem_t *			mctx;
-} fctxbucket_t;
-
-typedef struct alternate {
-	isc_boolean_t			isaddress;
-	union   {
-		isc_sockaddr_t		addr;
-		struct {
-			dns_name_t      name;
-			in_port_t       port;
-		} _n;
-	} _u;
-	ISC_LINK(struct alternate)      link;
-} alternate_t;
-
-typedef struct dns_badcache dns_badcache_t;
-struct dns_badcache {
-	dns_badcache_t *	next;
-	dns_rdatatype_t 	type;
-	isc_time_t		expire;
-	unsigned int		hashval;
-	dns_name_t		name;
-};
-#define DNS_BADCACHE_SIZE 1021
-#define DNS_BADCACHE_TTL(fctx) \
-	(((fctx)->res->lame_ttl > 30 ) ? (fctx)->res->lame_ttl : 30)
-
-struct dns_resolver {
-	/* Unlocked. */
-	unsigned int			magic;
-	isc_mem_t *			mctx;
-	isc_mutex_t			lock;
-	isc_mutex_t			nlock;
-	isc_mutex_t			primelock;
-	dns_rdataclass_t		rdclass;
-	isc_socketmgr_t *		socketmgr;
-	isc_timermgr_t *		timermgr;
-	isc_taskmgr_t *			taskmgr;
-	dns_view_t *			view;
-	isc_boolean_t			frozen;
-	unsigned int			options;
-	dns_dispatchmgr_t *		dispatchmgr;
-	dns_dispatchset_t *		dispatches4;
-	isc_boolean_t			exclusivev4;
-	dns_dispatchset_t *		dispatches6;
-	isc_boolean_t			exclusivev6;
-	unsigned int			nbuckets;
-	fctxbucket_t *			buckets;
-	isc_uint32_t			lame_ttl;
-	ISC_LIST(alternate_t)		alternates;
-	isc_uint16_t			udpsize;
-#if USE_ALGLOCK
-	isc_rwlock_t			alglock;
-#endif
-	dns_rbt_t *			algorithms;
-#if USE_MBSLOCK
-	isc_rwlock_t			mbslock;
-#endif
-	dns_rbt_t *			mustbesecure;
-	unsigned int			spillatmax;
-	unsigned int			spillatmin;
-	isc_timer_t *			spillattimer;
-	isc_boolean_t			zero_no_soa_ttl;
-	unsigned int			query_timeout;
-
-	/* Locked by lock. */
-	unsigned int			references;
-	isc_boolean_t			exiting;
-	isc_eventlist_t			whenshutdown;
-	unsigned int			activebuckets;
-	isc_boolean_t			priming;
-	unsigned int			spillat;	/* clients-per-query */
-
-	/* Bad cache. */
-	dns_badcache_t  ** 		badcache;
-	unsigned int 			badcount;
-	unsigned int 			badhash;
-	unsigned int 			badsweep;
-
-	/* Locked by primelock. */
-	dns_fetch_t *			primefetch;
-	/* Locked by nlock. */
-	unsigned int			nfctx;
-};
-
-#define RES_MAGIC			ISC_MAGIC('R', 'e', 's', '!')
-#define VALID_RESOLVER(res)		ISC_MAGIC_VALID(res, RES_MAGIC)
-
-/*%
- * Private addrinfo flags.  These must not conflict with DNS_FETCHOPT_NOEDNS0,
- * which we also use as an addrinfo flag.
- */
-#define FCTX_ADDRINFO_MARK              0x0001
-#define FCTX_ADDRINFO_FORWARDER         0x1000
-#define FCTX_ADDRINFO_TRIED             0x2000
-#define UNMARKED(a)                     (((a)->flags & FCTX_ADDRINFO_MARK) \
-					 == 0)
-#define ISFORWARDER(a)                  (((a)->flags & \
-					 FCTX_ADDRINFO_FORWARDER) != 0)
-#define TRIED(a)                        (((a)->flags & \
-					 FCTX_ADDRINFO_TRIED) != 0)
-
-#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
-#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
-
-static void destroy(dns_resolver_t *res);
-static void empty_bucket(dns_resolver_t *res);
-static isc_result_t resquery_send(resquery_t *query);
-static void resquery_response(isc_task_t *task, isc_event_t *event);
-static void resquery_connected(isc_task_t *task, isc_event_t *event);
-static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying,
-		     isc_boolean_t badcache);
-static void fctx_destroy(fetchctx_t *fctx);
-static isc_boolean_t fctx_unlink(fetchctx_t *fctx);
-static isc_result_t ncache_adderesult(dns_message_t *message,
-				      dns_db_t *cache, dns_dbnode_t *node,
-				      dns_rdatatype_t covers,
-				      isc_stdtime_t now, dns_ttl_t maxttl,
-				      isc_boolean_t optout,
-				      isc_boolean_t secure,
-				      dns_rdataset_t *ardataset,
-				      isc_result_t *eresultp);
-static void validated(isc_task_t *task, isc_event_t *event);
-static isc_boolean_t maybe_destroy(fetchctx_t *fctx, isc_boolean_t locked);
-static void add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
-		    isc_result_t reason, badnstype_t badtype);
-static inline isc_result_t findnoqname(fetchctx_t *fctx, dns_name_t *name,
-				       dns_rdatatype_t type,
-				       dns_name_t **noqname);
-
-/*%
- * Increment resolver-related statistics counters.
- */
-static inline void
-inc_stats(dns_resolver_t *res, isc_statscounter_t counter) {
-	if (res->view->resstats != NULL)
-		isc_stats_increment(res->view->resstats, counter);
-}
-
-static isc_result_t
-valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
-	  dns_rdatatype_t type, dns_rdataset_t *rdataset,
-	  dns_rdataset_t *sigrdataset, unsigned int valoptions,
-	  isc_task_t *task)
-{
-	dns_validator_t *validator = NULL;
-	dns_valarg_t *valarg;
-	isc_result_t result;
-
-	valarg = isc_mem_get(fctx->mctx, sizeof(*valarg));
-	if (valarg == NULL)
-		return (ISC_R_NOMEMORY);
-
-	valarg->fctx = fctx;
-	valarg->addrinfo = addrinfo;
-
-	if (!ISC_LIST_EMPTY(fctx->validators))
-		INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
-
-	result = dns_validator_create(fctx->res->view, name, type, rdataset,
-				      sigrdataset, fctx->rmessage,
-				      valoptions, task, validated, valarg,
-				      &validator);
-	if (result == ISC_R_SUCCESS) {
-		inc_stats(fctx->res, dns_resstatscounter_val);
-		if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
-			INSIST(fctx->validator == NULL);
-			fctx->validator = validator;
-		}
-		ISC_LIST_APPEND(fctx->validators, validator, link);
-	} else
-		isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
-	return (result);
-}
-
-static isc_boolean_t
-rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) {
-	dns_namereln_t namereln;
-	dns_rdata_rrsig_t rrsig;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	int order;
-	isc_result_t result;
-	unsigned int labels;
-
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		namereln = dns_name_fullcompare(&rrsig.signer, &fctx->domain,
-						&order, &labels);
-		if (namereln == dns_namereln_subdomain)
-			return (ISC_TRUE);
-		dns_rdata_reset(&rdata);
-	}
-	return (ISC_FALSE);
-}
-
-static isc_boolean_t
-fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
-	dns_name_t *name;
-	dns_name_t *domain = &fctx->domain;
-	dns_rdataset_t *rdataset;
-	dns_rdatatype_t type;
-	isc_result_t result;
-	isc_boolean_t keep_auth = ISC_FALSE;
-
-	if (message->rcode == dns_rcode_nxdomain)
-		return (ISC_FALSE);
-
-	/*
-	 * A DS RRset can appear anywhere in a zone, even for a delegation-only
-	 * zone.  So a response to an explicit query for this type should be
-	 * excluded from delegation-only fixup.
-	 *
-	 * SOA, NS, and DNSKEY can only exist at a zone apex, so a postive
-	 * response to a query for these types can never violate the
-	 * delegation-only assumption: if the query name is below a
-	 * zone cut, the response should normally be a referral, which should
-	 * be accepted; if the query name is below a zone cut but the server
-	 * happens to have authority for the zone of the query name, the
-	 * response is a (non-referral) answer.  But this does not violate
-	 * delegation-only because the query name must be in a different zone
-	 * due to the "apex-only" nature of these types.  Note that if the
-	 * remote server happens to have authority for a child zone of a
-	 * delegation-only zone, we may still incorrectly "fix" the response
-	 * with NXDOMAIN for queries for other types.  Unfortunately it's
-	 * generally impossible to differentiate this case from violation of
-	 * the delegation-only assumption.  Once the resolver learns the
-	 * correct zone cut, possibly via a separate query for an "apex-only"
-	 * type, queries for other types will be resolved correctly.
-	 *
-	 * A query for type ANY will be accepted if it hits an exceptional
-	 * type above in the answer section as it should be from a child
-	 * zone.
-	 *
-	 * Also accept answers with RRSIG records from the child zone.
-	 * Direct queries for RRSIG records should not be answered from
-	 * the parent zone.
-	 */
-
-	if (message->counts[DNS_SECTION_ANSWER] != 0 &&
-	    (fctx->type == dns_rdatatype_ns ||
-	     fctx->type == dns_rdatatype_ds ||
-	     fctx->type == dns_rdatatype_soa ||
-	     fctx->type == dns_rdatatype_any ||
-	     fctx->type == dns_rdatatype_rrsig ||
-	     fctx->type == dns_rdatatype_dnskey)) {
-		result = dns_message_firstname(message, DNS_SECTION_ANSWER);
-		while (result == ISC_R_SUCCESS) {
-			name = NULL;
-			dns_message_currentname(message, DNS_SECTION_ANSWER,
-						&name);
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				if (!dns_name_equal(name, &fctx->name))
-					continue;
-				type = rdataset->type;
-				/*
-				 * RRsig from child?
-				 */
-				if (type == dns_rdatatype_rrsig &&
-				    rrsig_fromchildzone(fctx, rdataset))
-					return (ISC_FALSE);
-				/*
-				 * Direct query for apex records or DS.
-				 */
-				if (fctx->type == type &&
-				    (type == dns_rdatatype_ds ||
-				     type == dns_rdatatype_ns ||
-				     type == dns_rdatatype_soa ||
-				     type == dns_rdatatype_dnskey))
-					return (ISC_FALSE);
-				/*
-				 * Indirect query for apex records or DS.
-				 */
-				if (fctx->type == dns_rdatatype_any &&
-				    (type == dns_rdatatype_ns ||
-				     type == dns_rdatatype_ds ||
-				     type == dns_rdatatype_soa ||
-				     type == dns_rdatatype_dnskey))
-					return (ISC_FALSE);
-			}
-			result = dns_message_nextname(message,
-						      DNS_SECTION_ANSWER);
-		}
-	}
-
-	/*
-	 * A NODATA response to a DS query?
-	 */
-	if (fctx->type == dns_rdatatype_ds &&
-	    message->counts[DNS_SECTION_ANSWER] == 0)
-		return (ISC_FALSE);
-
-	/* Look for referral or indication of answer from child zone? */
-	if (message->counts[DNS_SECTION_AUTHORITY] == 0)
-		goto munge;
-
-	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	while (result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			type = rdataset->type;
-			if (type == dns_rdatatype_soa &&
-			    dns_name_equal(name, domain))
-				keep_auth = ISC_TRUE;
-
-			if (type != dns_rdatatype_ns &&
-			    type != dns_rdatatype_soa &&
-			    type != dns_rdatatype_rrsig)
-				continue;
-
-			if (type == dns_rdatatype_rrsig) {
-				if (rrsig_fromchildzone(fctx, rdataset))
-					return (ISC_FALSE);
-				else
-					continue;
-			}
-
-			/* NS or SOA records. */
-			if (dns_name_equal(name, domain)) {
-				/*
-				 * If a query for ANY causes a negative
-				 * response, we can be sure that this is
-				 * an empty node.  For other type of queries
-				 * we cannot differentiate an empty node
-				 * from a node that just doesn't have that
-				 * type of record.  We only accept the former
-				 * case.
-				 */
-				if (message->counts[DNS_SECTION_ANSWER] == 0 &&
-				    fctx->type == dns_rdatatype_any)
-					return (ISC_FALSE);
-			} else if (dns_name_issubdomain(name, domain)) {
-				/* Referral or answer from child zone. */
-				return (ISC_FALSE);
-			}
-		}
-		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
-	}
-
- munge:
-	message->rcode = dns_rcode_nxdomain;
-	message->counts[DNS_SECTION_ANSWER] = 0;
-	if (!keep_auth)
-		message->counts[DNS_SECTION_AUTHORITY] = 0;
-	message->counts[DNS_SECTION_ADDITIONAL] = 0;
-	return (ISC_TRUE);
-}
-
-static inline isc_result_t
-fctx_starttimer(fetchctx_t *fctx) {
-	/*
-	 * Start the lifetime timer for fctx.
-	 *
-	 * This is also used for stopping the idle timer; in that
-	 * case we must purge events already posted to ensure that
-	 * no further idle events are delivered.
-	 */
-	return (isc_timer_reset(fctx->timer, isc_timertype_once,
-				&fctx->expires, NULL, ISC_TRUE));
-}
-
-static inline void
-fctx_stoptimer(fetchctx_t *fctx) {
-	isc_result_t result;
-
-	/*
-	 * We don't return a result if resetting the timer to inactive fails
-	 * since there's nothing to be done about it.  Resetting to inactive
-	 * should never fail anyway, since the code as currently written
-	 * cannot fail in that case.
-	 */
-	result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
-				  NULL, NULL, ISC_TRUE);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_timer_reset(): %s",
-				 isc_result_totext(result));
-	}
-}
-
-
-static inline isc_result_t
-fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
-	/*
-	 * Start the idle timer for fctx.  The lifetime timer continues
-	 * to be in effect.
-	 */
-	return (isc_timer_reset(fctx->timer, isc_timertype_once,
-				&fctx->expires, interval, ISC_FALSE));
-}
-
-/*
- * Stopping the idle timer is equivalent to calling fctx_starttimer(), but
- * we use fctx_stopidletimer for readability in the code below.
- */
-#define fctx_stopidletimer      fctx_starttimer
-
-
-static inline void
-resquery_destroy(resquery_t **queryp) {
-	resquery_t *query;
-
-	REQUIRE(queryp != NULL);
-	query = *queryp;
-	REQUIRE(!ISC_LINK_LINKED(query, link));
-
-	INSIST(query->tcpsocket == NULL);
-
-	query->fctx->nqueries--;
-	if (SHUTTINGDOWN(query->fctx)) {
-		dns_resolver_t *res = query->fctx->res;
-		if (maybe_destroy(query->fctx, ISC_FALSE))
-			empty_bucket(res);
-	}
-	query->magic = 0;
-	isc_mem_put(query->mctx, query, sizeof(*query));
-	*queryp = NULL;
-}
-
-static void
-fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
-		 isc_time_t *finish, isc_boolean_t no_response)
-{
-	fetchctx_t *fctx;
-	resquery_t *query;
-	unsigned int rtt, rttms;
-	unsigned int factor;
-	dns_adbfind_t *find;
-	dns_adbaddrinfo_t *addrinfo;
-	isc_socket_t *socket;
-
-	query = *queryp;
-	fctx = query->fctx;
-
-	FCTXTRACE("cancelquery");
-
-	REQUIRE(!RESQUERY_CANCELED(query));
-
-	query->attributes |= RESQUERY_ATTR_CANCELED;
-
-	/*
-	 * Should we update the RTT?
-	 */
-	if (finish != NULL || no_response) {
-		if (finish != NULL) {
-			/*
-			 * We have both the start and finish times for this
-			 * packet, so we can compute a real RTT.
-			 */
-			rtt = (unsigned int)isc_time_microdiff(finish,
-							       &query->start);
-			factor = DNS_ADB_RTTADJDEFAULT;
-
-			rttms = rtt / 1000;
-			if (rttms < DNS_RESOLVER_QRYRTTCLASS0) {
-				inc_stats(fctx->res,
-					  dns_resstatscounter_queryrtt0);
-			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS1) {
-				inc_stats(fctx->res,
-					  dns_resstatscounter_queryrtt1);
-			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS2) {
-				inc_stats(fctx->res,
-					  dns_resstatscounter_queryrtt2);
-			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS3) {
-				inc_stats(fctx->res,
-					  dns_resstatscounter_queryrtt3);
-			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS4) {
-				inc_stats(fctx->res,
-					  dns_resstatscounter_queryrtt4);
-			} else {
-				inc_stats(fctx->res,
-					  dns_resstatscounter_queryrtt5);
-			}
-		} else {
-			/*
-			 * We don't have an RTT for this query.  Maybe the
-			 * packet was lost, or maybe this server is very
-			 * slow.  We don't know.  Increase the RTT.
-			 */
-			INSIST(no_response);
-			rtt = query->addrinfo->srtt + 200000;
-			if (rtt > MAX_SINGLE_QUERY_TIMEOUT_US)
-				rtt = MAX_SINGLE_QUERY_TIMEOUT_US;
-			/*
-			 * Replace the current RTT with our value.
-			 */
-			factor = DNS_ADB_RTTADJREPLACE;
-		}
-		dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor);
-	}
-
-	/* Remember that the server has been tried. */
-	if (!TRIED(query->addrinfo)) {
-		dns_adb_changeflags(fctx->adb, query->addrinfo,
-				    FCTX_ADDRINFO_TRIED, FCTX_ADDRINFO_TRIED);
-	}
-
-	/*
-	 * Age RTTs of servers not tried.
-	 */
-	factor = DNS_ADB_RTTADJAGE;
-	if (finish != NULL)
-		for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
-		     addrinfo != NULL;
-		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
-			if (UNMARKED(addrinfo))
-				dns_adb_adjustsrtt(fctx->adb, addrinfo,
-						   0, factor);
-
-	if (finish != NULL && TRIEDFIND(fctx))
-		for (find = ISC_LIST_HEAD(fctx->finds);
-		     find != NULL;
-		     find = ISC_LIST_NEXT(find, publink))
-			for (addrinfo = ISC_LIST_HEAD(find->list);
-			     addrinfo != NULL;
-			     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
-				if (UNMARKED(addrinfo))
-					dns_adb_adjustsrtt(fctx->adb, addrinfo,
-							   0, factor);
-
-	if (finish != NULL && TRIEDALT(fctx)) {
-		for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
-		     addrinfo != NULL;
-		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
-			if (UNMARKED(addrinfo))
-				dns_adb_adjustsrtt(fctx->adb, addrinfo,
-						   0, factor);
-		for (find = ISC_LIST_HEAD(fctx->altfinds);
-		     find != NULL;
-		     find = ISC_LIST_NEXT(find, publink))
-			for (addrinfo = ISC_LIST_HEAD(find->list);
-			     addrinfo != NULL;
-			     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
-				if (UNMARKED(addrinfo))
-					dns_adb_adjustsrtt(fctx->adb, addrinfo,
-							   0, factor);
-	}
-
-	/*
-	 * Check for any outstanding socket events.  If they exist, cancel
-	 * them and let the event handlers finish the cleanup.  The resolver
-	 * only needs to worry about managing the connect and send events;
-	 * the dispatcher manages the recv events.
-	 */
-	if (RESQUERY_CONNECTING(query)) {
-		/*
-		 * Cancel the connect.
-		 */
-		if (query->tcpsocket != NULL) {
-			isc_socket_cancel(query->tcpsocket, NULL,
-					  ISC_SOCKCANCEL_CONNECT);
-		} else if (query->dispentry != NULL) {
-			INSIST(query->exclusivesocket);
-			socket = dns_dispatch_getentrysocket(query->dispentry);
-			if (socket != NULL)
-				isc_socket_cancel(socket, NULL,
-						  ISC_SOCKCANCEL_CONNECT);
-		}
-	} else if (RESQUERY_SENDING(query)) {
-		/*
-		 * Cancel the pending send.
-		 */
-		if (query->exclusivesocket && query->dispentry != NULL)
-			socket = dns_dispatch_getentrysocket(query->dispentry);
-		else
-			socket = dns_dispatch_getsocket(query->dispatch);
-		if (socket != NULL)
-			isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_SEND);
-	}
-
-	if (query->dispentry != NULL)
-		dns_dispatch_removeresponse(&query->dispentry, deventp);
-
-	ISC_LIST_UNLINK(fctx->queries, query, link);
-
-	if (query->tsig != NULL)
-		isc_buffer_free(&query->tsig);
-
-	if (query->tsigkey != NULL)
-		dns_tsigkey_detach(&query->tsigkey);
-
-	if (query->dispatch != NULL)
-		dns_dispatch_detach(&query->dispatch);
-
-	if (! (RESQUERY_CONNECTING(query) || RESQUERY_SENDING(query)))
-		/*
-		 * It's safe to destroy the query now.
-		 */
-		resquery_destroy(&query);
-}
-
-static void
-fctx_cancelqueries(fetchctx_t *fctx, isc_boolean_t no_response) {
-	resquery_t *query, *next_query;
-
-	FCTXTRACE("cancelqueries");
-
-	for (query = ISC_LIST_HEAD(fctx->queries);
-	     query != NULL;
-	     query = next_query) {
-		next_query = ISC_LIST_NEXT(query, link);
-		fctx_cancelquery(&query, NULL, NULL, no_response);
-	}
-}
-
-static void
-fctx_cleanupfinds(fetchctx_t *fctx) {
-	dns_adbfind_t *find, *next_find;
-
-	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-
-	for (find = ISC_LIST_HEAD(fctx->finds);
-	     find != NULL;
-	     find = next_find) {
-		next_find = ISC_LIST_NEXT(find, publink);
-		ISC_LIST_UNLINK(fctx->finds, find, publink);
-		dns_adb_destroyfind(&find);
-	}
-	fctx->find = NULL;
-}
-
-static void
-fctx_cleanupaltfinds(fetchctx_t *fctx) {
-	dns_adbfind_t *find, *next_find;
-
-	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-
-	for (find = ISC_LIST_HEAD(fctx->altfinds);
-	     find != NULL;
-	     find = next_find) {
-		next_find = ISC_LIST_NEXT(find, publink);
-		ISC_LIST_UNLINK(fctx->altfinds, find, publink);
-		dns_adb_destroyfind(&find);
-	}
-	fctx->altfind = NULL;
-}
-
-static void
-fctx_cleanupforwaddrs(fetchctx_t *fctx) {
-	dns_adbaddrinfo_t *addr, *next_addr;
-
-	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-
-	for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
-	     addr != NULL;
-	     addr = next_addr) {
-		next_addr = ISC_LIST_NEXT(addr, publink);
-		ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
-		dns_adb_freeaddrinfo(fctx->adb, &addr);
-	}
-}
-
-static void
-fctx_cleanupaltaddrs(fetchctx_t *fctx) {
-	dns_adbaddrinfo_t *addr, *next_addr;
-
-	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-
-	for (addr = ISC_LIST_HEAD(fctx->altaddrs);
-	     addr != NULL;
-	     addr = next_addr) {
-		next_addr = ISC_LIST_NEXT(addr, publink);
-		ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
-		dns_adb_freeaddrinfo(fctx->adb, &addr);
-	}
-}
-
-static inline void
-fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) {
-	FCTXTRACE("stopeverything");
-	fctx_cancelqueries(fctx, no_response);
-	fctx_cleanupfinds(fctx);
-	fctx_cleanupaltfinds(fctx);
-	fctx_cleanupforwaddrs(fctx);
-	fctx_cleanupaltaddrs(fctx);
-	fctx_stoptimer(fctx);
-}
-
-static inline void
-fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
-	dns_fetchevent_t *event, *next_event;
-	isc_task_t *task;
-	unsigned int count = 0;
-	isc_interval_t i;
-	isc_boolean_t logit = ISC_FALSE;
-	isc_time_t now;
-	unsigned int old_spillat;
-	unsigned int new_spillat = 0;	/* initialized to silence
-					   compiler warnings */
-
-	/*
-	 * Caller must be holding the appropriate bucket lock.
-	 */
-	REQUIRE(fctx->state == fetchstate_done);
-
-	FCTXTRACE("sendevents");
-
-	/*
-	 * Keep some record of fetch result for logging later (if required).
-	 */
-	fctx->result = result;
-	fctx->exitline = line;
-	TIME_NOW(&now);
-	fctx->duration = isc_time_microdiff(&now, &fctx->start);
-
-	for (event = ISC_LIST_HEAD(fctx->events);
-	     event != NULL;
-	     event = next_event) {
-		next_event = ISC_LIST_NEXT(event, ev_link);
-		ISC_LIST_UNLINK(fctx->events, event, ev_link);
-		task = event->ev_sender;
-		event->ev_sender = fctx;
-		event->vresult = fctx->vresult;
-		if (!HAVE_ANSWER(fctx))
-			event->result = result;
-
-		INSIST(result != ISC_R_SUCCESS ||
-		       dns_rdataset_isassociated(event->rdataset) ||
-		       fctx->type == dns_rdatatype_any ||
-		       fctx->type == dns_rdatatype_rrsig ||
-		       fctx->type == dns_rdatatype_sig);
-
-		/*
-		 * Negative results must be indicated in event->result.
-		 */
-		if (dns_rdataset_isassociated(event->rdataset) &&
-		    NEGATIVE(event->rdataset)) {
-			INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
-			       event->result == DNS_R_NCACHENXRRSET);
-		}
-
-		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
-		count++;
-	}
-
-	if ((fctx->attributes & FCTX_ATTR_HAVEANSWER) != 0 &&
-	    fctx->spilled &&
-	    (count < fctx->res->spillatmax || fctx->res->spillatmax == 0)) {
-		LOCK(&fctx->res->lock);
-		if (count == fctx->res->spillat && !fctx->res->exiting) {
-			old_spillat = fctx->res->spillat;
-			fctx->res->spillat += 5;
-			if (fctx->res->spillat > fctx->res->spillatmax &&
-			    fctx->res->spillatmax != 0)
-				fctx->res->spillat = fctx->res->spillatmax;
-			new_spillat = fctx->res->spillat;
-			if (new_spillat != old_spillat) {
-				logit = ISC_TRUE;
-			}
-			isc_interval_set(&i, 20 * 60, 0);
-			result = isc_timer_reset(fctx->res->spillattimer,
-						 isc_timertype_ticker, NULL,
-						 &i, ISC_TRUE);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		}
-		UNLOCK(&fctx->res->lock);
-		if (logit)
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-				      "clients-per-query increased to %u",
-				      new_spillat);
-	}
-}
-
-static inline void
-log_edns(fetchctx_t *fctx) {
-	char domainbuf[DNS_NAME_FORMATSIZE];
-
-	if (fctx->reason == NULL)
-		return;
-
-	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
-		      "success resolving '%s' (in '%s'?) after %s",
-		      fctx->info, domainbuf, fctx->reason);
-
-	fctx->reason = NULL;
-}
-
-static void
-fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
-	dns_resolver_t *res;
-	isc_boolean_t no_response;
-
-	REQUIRE(line >= 0);
-
-	FCTXTRACE("done");
-
-	res = fctx->res;
-
-	if (result == ISC_R_SUCCESS) {
-		/*%
-		 * Log any deferred EDNS timeout messages.
-		 */
-		log_edns(fctx);
-		no_response = ISC_TRUE;
-	 } else
-		no_response = ISC_FALSE;
-
-	fctx->reason = NULL;
-	fctx_stopeverything(fctx, no_response);
-
-	LOCK(&res->buckets[fctx->bucketnum].lock);
-
-	fctx->state = fetchstate_done;
-	fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-	fctx_sendevents(fctx, result, line);
-
-	UNLOCK(&res->buckets[fctx->bucketnum].lock);
-}
-
-static void
-process_sendevent(resquery_t *query, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	isc_boolean_t retry = ISC_FALSE;
-	isc_result_t result;
-	fetchctx_t *fctx;
-
-	fctx = query->fctx;
-
-	if (RESQUERY_CANCELED(query)) {
-		if (query->sends == 0 && query->connects == 0) {
-			/*
-			 * This query was canceled while the
-			 * isc_socket_sendto/connect() was in progress.
-			 */
-			if (query->tcpsocket != NULL)
-				isc_socket_detach(&query->tcpsocket);
-			resquery_destroy(&query);
-		}
-	} else {
-		switch (sevent->result) {
-		case ISC_R_SUCCESS:
-			break;
-
-		case ISC_R_HOSTUNREACH:
-		case ISC_R_NETUNREACH:
-		case ISC_R_NOPERM:
-		case ISC_R_ADDRNOTAVAIL:
-		case ISC_R_CONNREFUSED:
-
-			/*
-			 * No route to remote.
-			 */
-			add_bad(fctx, query->addrinfo, sevent->result,
-				badns_unreachable);
-			fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
-			retry = ISC_TRUE;
-			break;
-
-		default:
-			fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
-			break;
-		}
-	}
-
-	if (event->ev_type == ISC_SOCKEVENT_CONNECT)
-		isc_event_free(&event);
-
-	if (retry) {
-		/*
-		 * Behave as if the idle timer has expired.  For TCP
-		 * this may not actually reflect the latest timer.
-		 */
-		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-		result = fctx_stopidletimer(fctx);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result, __LINE__);
-		else
-			fctx_try(fctx, ISC_TRUE, ISC_FALSE);
-	}
-}
-
-static void
-resquery_udpconnected(isc_task_t *task, isc_event_t *event) {
-	resquery_t *query = event->ev_arg;
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
-
-	QTRACE("udpconnected");
-
-	UNUSED(task);
-
-	INSIST(RESQUERY_CONNECTING(query));
-
-	query->connects--;
-
-	process_sendevent(query, event);
-}
-
-static void
-resquery_senddone(isc_task_t *task, isc_event_t *event) {
-	resquery_t *query = event->ev_arg;
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-
-	QTRACE("senddone");
-
-	/*
-	 * XXXRTH
-	 *
-	 * Currently we don't wait for the senddone event before retrying
-	 * a query.  This means that if we get really behind, we may end
-	 * up doing extra work!
-	 */
-
-	UNUSED(task);
-
-	INSIST(RESQUERY_SENDING(query));
-
-	query->sends--;
-
-	process_sendevent(query, event);
-}
-
-static inline isc_result_t
-fctx_addopt(dns_message_t *message, unsigned int version,
-	    isc_uint16_t udpsize, dns_ednsopt_t *ednsopts, size_t count)
-{
-	dns_rdataset_t *rdataset = NULL;
-	isc_result_t result;
-
-	result = dns_message_buildopt(message, &rdataset, version, udpsize,
-				      DNS_MESSAGEEXTFLAG_DO, ednsopts, count);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	return (dns_message_setopt(message, rdataset));
-}
-
-static inline void
-fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
-	unsigned int seconds;
-	unsigned int us;
-
-	/*
-	 * We retry every .8 seconds the first two times through the address
-	 * list, and then we do exponential back-off.
-	 */
-	if (fctx->restarts < 3)
-		us = 800000;
-	else
-		us = (800000 << (fctx->restarts - 2));
-
-	/*
-	 * Add a fudge factor to the expected rtt based on the current
-	 * estimate.
-	 */
-	if (rtt < 50000)
-		rtt += 50000;
-	else if (rtt < 100000)
-		rtt += 100000;
-	else
-		rtt += 200000;
-
-	/*
-	 * Always wait for at least the expected rtt.
-	 */
-	if (us < rtt)
-		us = rtt;
-
-	/*
-	 * But don't ever wait for more than 10 seconds.
-	 */
-	if (us > MAX_SINGLE_QUERY_TIMEOUT_US)
-		us = MAX_SINGLE_QUERY_TIMEOUT_US;
-
-	seconds = us / US_PER_SEC;
-	us -= seconds * US_PER_SEC;
-	isc_interval_set(&fctx->interval, seconds, us * 1000);
-}
-
-static isc_result_t
-fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
-	   unsigned int options)
-{
-	dns_resolver_t *res;
-	isc_task_t *task;
-	isc_result_t result;
-	resquery_t *query;
-	isc_sockaddr_t addr;
-	isc_boolean_t have_addr = ISC_FALSE;
-	unsigned int srtt;
-
-	FCTXTRACE("query");
-
-	res = fctx->res;
-	task = res->buckets[fctx->bucketnum].task;
-
-	srtt = addrinfo->srtt;
-
-	/*
-	 * A forwarder needs to make multiple queries. Give it at least
-	 * a second to do these in.
-	 */
-	if (ISFORWARDER(addrinfo) && srtt < 1000000)
-		srtt = 1000000;
-
-	fctx_setretryinterval(fctx, srtt);
-	result = fctx_startidletimer(fctx, &fctx->interval);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	INSIST(ISC_LIST_EMPTY(fctx->validators));
-
-	dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
-
-	query = isc_mem_get(fctx->mctx, sizeof(*query));
-	if (query == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto stop_idle_timer;
-	}
-	query->mctx = fctx->mctx;
-	query->options = options;
-	query->attributes = 0;
-	query->sends = 0;
-	query->connects = 0;
-	/*
-	 * Note that the caller MUST guarantee that 'addrinfo' will remain
-	 * valid until this query is canceled.
-	 */
-	query->addrinfo = addrinfo;
-	TIME_NOW(&query->start);
-
-	/*
-	 * If this is a TCP query, then we need to make a socket and
-	 * a dispatch for it here.  Otherwise we use the resolver's
-	 * shared dispatch.
-	 */
-	query->dispatchmgr = res->dispatchmgr;
-	query->dispatch = NULL;
-	query->exclusivesocket = ISC_FALSE;
-	query->tcpsocket = NULL;
-	if (res->view->peers != NULL) {
-		dns_peer_t *peer = NULL;
-		isc_netaddr_t dstip;
-		isc_netaddr_fromsockaddr(&dstip, &addrinfo->sockaddr);
-		result = dns_peerlist_peerbyaddr(res->view->peers,
-						 &dstip, &peer);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_peer_getquerysource(peer, &addr);
-			if (result == ISC_R_SUCCESS)
-				have_addr = ISC_TRUE;
-		}
-	}
-
-	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
-		int pf;
-
-		pf = isc_sockaddr_pf(&addrinfo->sockaddr);
-		if (!have_addr) {
-			switch (pf) {
-			case PF_INET:
-				result = dns_dispatch_getlocaladdress(
-					      res->dispatches4->dispatches[0],
-					      &addr);
-				break;
-			case PF_INET6:
-				result = dns_dispatch_getlocaladdress(
-					      res->dispatches6->dispatches[0],
-					      &addr);
-				break;
-			default:
-				result = ISC_R_NOTIMPLEMENTED;
-				break;
-			}
-			if (result != ISC_R_SUCCESS)
-				goto cleanup_query;
-		}
-		isc_sockaddr_setport(&addr, 0);
-
-		result = isc_socket_create(res->socketmgr, pf,
-					   isc_sockettype_tcp,
-					   &query->tcpsocket);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_query;
-
-#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
-		result = isc_socket_bind(query->tcpsocket, &addr, 0);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_socket;
-#endif
-
-		/*
-		 * A dispatch will be created once the connect succeeds.
-		 */
-	} else {
-		if (have_addr) {
-			unsigned int attrs, attrmask;
-			attrs = DNS_DISPATCHATTR_UDP;
-			switch (isc_sockaddr_pf(&addr)) {
-			case AF_INET:
-				attrs |= DNS_DISPATCHATTR_IPV4;
-				break;
-			case AF_INET6:
-				attrs |= DNS_DISPATCHATTR_IPV6;
-				break;
-			default:
-				result = ISC_R_NOTIMPLEMENTED;
-				goto cleanup_query;
-			}
-			attrmask = DNS_DISPATCHATTR_UDP;
-			attrmask |= DNS_DISPATCHATTR_TCP;
-			attrmask |= DNS_DISPATCHATTR_IPV4;
-			attrmask |= DNS_DISPATCHATTR_IPV6;
-			result = dns_dispatch_getudp(res->dispatchmgr,
-						     res->socketmgr,
-						     res->taskmgr, &addr,
-						     4096, 1000, 32768, 16411,
-						     16433, attrs, attrmask,
-						     &query->dispatch);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup_query;
-		} else {
-			switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
-			case PF_INET:
-				dns_dispatch_attach(
-				    dns_resolver_dispatchv4(res),
-				    &query->dispatch);
-				query->exclusivesocket = res->exclusivev4;
-				break;
-			case PF_INET6:
-				dns_dispatch_attach(
-				    dns_resolver_dispatchv6(res),
-				    &query->dispatch);
-				query->exclusivesocket = res->exclusivev6;
-				break;
-			default:
-				result = ISC_R_NOTIMPLEMENTED;
-				goto cleanup_query;
-			}
-		}
-		/*
-		 * We should always have a valid dispatcher here.  If we
-		 * don't support a protocol family, then its dispatcher
-		 * will be NULL, but we shouldn't be finding addresses for
-		 * protocol types we don't support, so the dispatcher
-		 * we found should never be NULL.
-		 */
-		INSIST(query->dispatch != NULL);
-	}
-
-	query->dispentry = NULL;
-	query->fctx = fctx;
-	query->tsig = NULL;
-	query->tsigkey = NULL;
-	ISC_LINK_INIT(query, link);
-	query->magic = QUERY_MAGIC;
-
-	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
-		/*
-		 * Connect to the remote server.
-		 *
-		 * XXXRTH  Should we attach to the socket?
-		 */
-		result = isc_socket_connect(query->tcpsocket,
-					    &addrinfo->sockaddr, task,
-					    resquery_connected, query);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_socket;
-		query->connects++;
-		QTRACE("connecting via TCP");
-	} else {
-		result = resquery_send(query);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_dispatch;
-	}
-	fctx->querysent++;
-
-	ISC_LIST_APPEND(fctx->queries, query, link);
-	query->fctx->nqueries++;
-	if (isc_sockaddr_pf(&addrinfo->sockaddr) == PF_INET)
-		inc_stats(res, dns_resstatscounter_queryv4);
-	else
-		inc_stats(res, dns_resstatscounter_queryv6);
-	if (res->view->resquerystats != NULL)
-		dns_rdatatypestats_increment(res->view->resquerystats,
-					     fctx->type);
-
-	return (ISC_R_SUCCESS);
-
- cleanup_socket:
-	isc_socket_detach(&query->tcpsocket);
-
- cleanup_dispatch:
-	if (query->dispatch != NULL)
-		dns_dispatch_detach(&query->dispatch);
-
- cleanup_query:
-	if (query->connects == 0) {
-		query->magic = 0;
-		isc_mem_put(fctx->mctx, query, sizeof(*query));
-	}
-
- stop_idle_timer:
-	RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
-
-	return (result);
-}
-
-static isc_boolean_t
-bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
-	isc_sockaddr_t *sa;
-
-	for (sa = ISC_LIST_HEAD(fctx->bad_edns);
-	     sa != NULL;
-	     sa = ISC_LIST_NEXT(sa, link)) {
-		if (isc_sockaddr_equal(sa, address))
-			return (ISC_TRUE);
-	}
-
-	return (ISC_FALSE);
-}
-
-static void
-add_bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
-	isc_sockaddr_t *sa;
-
-	if (bad_edns(fctx, address))
-		return;
-
-	sa = isc_mem_get(fctx->mctx, sizeof(*sa));
-	if (sa == NULL)
-		return;
-
-	*sa = *address;
-	ISC_LIST_INITANDAPPEND(fctx->bad_edns, sa, link);
-}
-
-static isc_boolean_t
-triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
-	isc_sockaddr_t *sa;
-
-	for (sa = ISC_LIST_HEAD(fctx->edns);
-	     sa != NULL;
-	     sa = ISC_LIST_NEXT(sa, link)) {
-		if (isc_sockaddr_equal(sa, address))
-			return (ISC_TRUE);
-	}
-
-	return (ISC_FALSE);
-}
-
-static void
-add_triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
-	isc_sockaddr_t *sa;
-
-	if (triededns(fctx, address))
-		return;
-
-	sa = isc_mem_get(fctx->mctx, sizeof(*sa));
-	if (sa == NULL)
-		return;
-
-	*sa = *address;
-	ISC_LIST_INITANDAPPEND(fctx->edns, sa, link);
-}
-
-static isc_boolean_t
-triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
-	isc_sockaddr_t *sa;
-
-	for (sa = ISC_LIST_HEAD(fctx->edns512);
-	     sa != NULL;
-	     sa = ISC_LIST_NEXT(sa, link)) {
-		if (isc_sockaddr_equal(sa, address))
-			return (ISC_TRUE);
-	}
-
-	return (ISC_FALSE);
-}
-
-static void
-add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
-	isc_sockaddr_t *sa;
-
-	if (triededns512(fctx, address))
-		return;
-
-	sa = isc_mem_get(fctx->mctx, sizeof(*sa));
-	if (sa == NULL)
-		return;
-
-	*sa = *address;
-	ISC_LIST_INITANDAPPEND(fctx->edns512, sa, link);
-}
-
-static isc_result_t
-resquery_send(resquery_t *query) {
-	fetchctx_t *fctx;
-	isc_result_t result;
-	dns_name_t *qname = NULL;
-	dns_rdataset_t *qrdataset = NULL;
-	isc_region_t r;
-	dns_resolver_t *res;
-	isc_task_t *task;
-	isc_socket_t *socket;
-	isc_buffer_t tcpbuffer;
-	isc_sockaddr_t *address;
-	isc_buffer_t *buffer;
-	isc_netaddr_t ipaddr;
-	dns_tsigkey_t *tsigkey = NULL;
-	dns_peer_t *peer = NULL;
-	isc_boolean_t useedns;
-	dns_compress_t cctx;
-	isc_boolean_t cleanup_cctx = ISC_FALSE;
-	isc_boolean_t secure_domain;
-	isc_boolean_t connecting = ISC_FALSE;
-	dns_ednsopt_t ednsopts[EDNSOPTS];
-	unsigned ednsopt = 0;
-
-	fctx = query->fctx;
-	QTRACE("send");
-
-	res = fctx->res;
-	task = res->buckets[fctx->bucketnum].task;
-	address = NULL;
-
-	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
-		/*
-		 * Reserve space for the TCP message length.
-		 */
-		isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data));
-		isc_buffer_init(&query->buffer, query->data + 2,
-				sizeof(query->data) - 2);
-		buffer = &tcpbuffer;
-	} else {
-		isc_buffer_init(&query->buffer, query->data,
-				sizeof(query->data));
-		buffer = &query->buffer;
-	}
-
-	result = dns_message_gettempname(fctx->qmessage, &qname);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_temps;
-	result = dns_message_gettemprdataset(fctx->qmessage, &qrdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_temps;
-
-	/*
-	 * Get a query id from the dispatch.
-	 */
-	result = dns_dispatch_addresponse2(query->dispatch,
-					   &query->addrinfo->sockaddr,
-					   task,
-					   resquery_response,
-					   query,
-					   &query->id,
-					   &query->dispentry,
-					   res->socketmgr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_temps;
-
-	fctx->qmessage->opcode = dns_opcode_query;
-
-	/*
-	 * Set up question.
-	 */
-	dns_name_init(qname, NULL);
-	dns_name_clone(&fctx->name, qname);
-	dns_rdataset_init(qrdataset);
-	dns_rdataset_makequestion(qrdataset, res->rdclass, fctx->type);
-	ISC_LIST_APPEND(qname->list, qrdataset, link);
-	dns_message_addname(fctx->qmessage, qname, DNS_SECTION_QUESTION);
-	qname = NULL;
-	qrdataset = NULL;
-
-	/*
-	 * Set RD if the client has requested that we do a recursive query,
-	 * or if we're sending to a forwarder.
-	 */
-	if ((query->options & DNS_FETCHOPT_RECURSIVE) != 0 ||
-	    ISFORWARDER(query->addrinfo))
-		fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
-
-	/*
-	 * Set CD if the client says don't validate or the question is
-	 * under a secure entry point.
-	 */
-	if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
-		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-	} else if (res->view->enablevalidation) {
-		result = dns_view_issecuredomain(res->view, &fctx->name,
-						 &secure_domain);
-		if (result != ISC_R_SUCCESS)
-			secure_domain = ISC_FALSE;
-		if (res->view->dlv != NULL)
-			secure_domain = ISC_TRUE;
-		if (secure_domain)
-			fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-	}
-
-	/*
-	 * We don't have to set opcode because it defaults to query.
-	 */
-	fctx->qmessage->id = query->id;
-
-	/*
-	 * Convert the question to wire format.
-	 */
-	result = dns_compress_init(&cctx, -1, fctx->res->mctx);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_message;
-	cleanup_cctx = ISC_TRUE;
-
-	result = dns_message_renderbegin(fctx->qmessage, &cctx,
-					 &query->buffer);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_message;
-
-	result = dns_message_rendersection(fctx->qmessage,
-					   DNS_SECTION_QUESTION, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_message;
-
-	peer = NULL;
-	isc_netaddr_fromsockaddr(&ipaddr, &query->addrinfo->sockaddr);
-	(void) dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
-
-	/*
-	 * The ADB does not know about servers with "edns no".  Check this,
-	 * and then inform the ADB for future use.
-	 */
-	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
-	    peer != NULL &&
-	    dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
-	    !useedns)
-	{
-		query->options |= DNS_FETCHOPT_NOEDNS0;
-		dns_adb_changeflags(fctx->adb, query->addrinfo,
-				    DNS_FETCHOPT_NOEDNS0,
-				    DNS_FETCHOPT_NOEDNS0);
-	}
-
-	/* Sync NOEDNS0 flag in addrinfo->flags and options now. */
-	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
-		query->options |= DNS_FETCHOPT_NOEDNS0;
-
-	/*
-	 * Handle timeouts by reducing the UDP response size to 512 bytes
-	 * then if that doesn't work disabling EDNS (includes DO) and CD.
-	 *
-	 * These timeout can be due to:
-	 *	* broken nameservers that don't respond to EDNS queries.
-	 *	* broken/misconfigured firewalls and NAT implementations
-	 *	  that don't handle IP fragmentation.
-	 *	* broken/misconfigured firewalls that don't handle responses
-	 *	  greater than 512 bytes.
-	 *	* broken/misconfigured firewalls that don't handle EDNS, DO
-	 *	  or CD.
-	 *	* packet loss / link outage.
-	 */
-	if (fctx->timeout) {
-		if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
-		     fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
-		    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-			query->options |= DNS_FETCHOPT_NOEDNS0;
-			fctx->reason = "disabling EDNS";
-		} else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
-			    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
-			   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-			query->options |= DNS_FETCHOPT_EDNS512;
-			fctx->reason = "reducing the advertised EDNS UDP "
-				       "packet size to 512 octets";
-		}
-		fctx->timeout = ISC_FALSE;
-	}
-
-	/*
-	 * Use EDNS0, unless the caller doesn't want it, or we know that
-	 * the remote server doesn't like it.
-	 */
-	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
-			unsigned int version = 0;       /* Default version. */
-			unsigned int flags;
-			isc_uint16_t udpsize = res->udpsize;
-			isc_boolean_t reqnsid = res->view->requestnsid;
-
-			flags = query->addrinfo->flags;
-			if ((flags & DNS_FETCHOPT_EDNSVERSIONSET) != 0) {
-				version = flags & DNS_FETCHOPT_EDNSVERSIONMASK;
-				version >>= DNS_FETCHOPT_EDNSVERSIONSHIFT;
-			}
-			if ((query->options & DNS_FETCHOPT_EDNS512) != 0)
-				udpsize = 512;
-			else if (peer != NULL)
-				(void)dns_peer_getudpsize(peer, &udpsize);
-
-			/* request NSID for current view or peer? */
-			if (peer != NULL)
-				(void) dns_peer_getrequestnsid(peer, &reqnsid);
-			if (reqnsid) {
-				INSIST(ednsopt < EDNSOPTS);
-				ednsopts[ednsopt].code = DNS_OPT_NSID;
-				ednsopts[ednsopt].length = 0;
-				ednsopts[ednsopt].value = NULL;
-				ednsopt++;
-			}
-			result = fctx_addopt(fctx->qmessage, version,
-					     udpsize, ednsopts, ednsopt);
-			if (reqnsid && result == ISC_R_SUCCESS) {
-				query->options |= DNS_FETCHOPT_WANTNSID;
-			} else if (result != ISC_R_SUCCESS) {
-				/*
-				 * We couldn't add the OPT, but we'll press on.
-				 * We're not using EDNS0, so set the NOEDNS0
-				 * bit.
-				 */
-				query->options |= DNS_FETCHOPT_NOEDNS0;
-			}
-		} else {
-			/*
-			 * We know this server doesn't like EDNS0, so we
-			 * won't use it.  Set the NOEDNS0 bit since we're
-			 * not using EDNS0.
-			 */
-			query->options |= DNS_FETCHOPT_NOEDNS0;
-		}
-	}
-
-	/*
-	 * If we need EDNS0 to do this query and aren't using it, we lose.
-	 */
-	if (NEEDEDNS0(fctx) && (query->options & DNS_FETCHOPT_NOEDNS0) != 0) {
-		result = DNS_R_SERVFAIL;
-		goto cleanup_message;
-	}
-
-	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0)
-		add_triededns(fctx, &query->addrinfo->sockaddr);
-
-	if ((query->options & DNS_FETCHOPT_EDNS512) != 0)
-		add_triededns512(fctx, &query->addrinfo->sockaddr);
-
-	/*
-	 * Clear CD if EDNS is not in use.
-	 */
-	if ((query->options & DNS_FETCHOPT_NOEDNS0) != 0)
-		fctx->qmessage->flags &= ~DNS_MESSAGEFLAG_CD;
-
-	/*
-	 * Add TSIG record tailored to the current recipient.
-	 */
-	result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-		goto cleanup_message;
-
-	if (tsigkey != NULL) {
-		result = dns_message_settsigkey(fctx->qmessage, tsigkey);
-		dns_tsigkey_detach(&tsigkey);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_message;
-	}
-
-	result = dns_message_rendersection(fctx->qmessage,
-					   DNS_SECTION_ADDITIONAL, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_message;
-
-	result = dns_message_renderend(fctx->qmessage);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_message;
-
-	dns_compress_invalidate(&cctx);
-	cleanup_cctx = ISC_FALSE;
-
-	if (dns_message_gettsigkey(fctx->qmessage) != NULL) {
-		dns_tsigkey_attach(dns_message_gettsigkey(fctx->qmessage),
-				   &query->tsigkey);
-		result = dns_message_getquerytsig(fctx->qmessage,
-						  fctx->res->mctx,
-						  &query->tsig);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_message;
-	}
-
-	/*
-	 * If using TCP, write the length of the message at the beginning
-	 * of the buffer.
-	 */
-	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
-		isc_buffer_usedregion(&query->buffer, &r);
-		isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t)r.length);
-		isc_buffer_add(&tcpbuffer, r.length);
-	}
-
-	/*
-	 * We're now done with the query message.
-	 */
-	dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
-
-	if (query->exclusivesocket)
-		socket = dns_dispatch_getentrysocket(query->dispentry);
-	else
-		socket = dns_dispatch_getsocket(query->dispatch);
-	/*
-	 * Send the query!
-	 */
-	if ((query->options & DNS_FETCHOPT_TCP) == 0) {
-		address = &query->addrinfo->sockaddr;
-		if (query->exclusivesocket) {
-			result = isc_socket_connect(socket, address, task,
-						    resquery_udpconnected,
-						    query);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup_message;
-			connecting = ISC_TRUE;
-			query->connects++;
-		}
-	}
-	isc_buffer_usedregion(buffer, &r);
-
-	/*
-	 * XXXRTH  Make sure we don't send to ourselves!  We should probably
-	 *		prune out these addresses when we get them from the ADB.
-	 */
-	ISC_EVENT_INIT(&query->sendevent, sizeof(query->sendevent), 0, NULL,
-		       ISC_SOCKEVENT_SENDDONE, resquery_senddone, query,
-		       NULL, NULL, NULL);
-	result = isc_socket_sendto2(socket, &r, task, address, NULL,
-				    &query->sendevent, 0);
-	if (result != ISC_R_SUCCESS) {
-		if (connecting) {
-			/*
-			 * This query is still connecting.
-			 * Mark it as canceled so that it will just be
-			 * cleaned up when the connected event is received.
-			 * Keep fctx around until the event is processed.
-			 */
-			query->fctx->nqueries++;
-			query->attributes |= RESQUERY_ATTR_CANCELED;
-		}
-		goto cleanup_message;
-	}
-
-	query->sends++;
-
-	QTRACE("sent");
-
-	return (ISC_R_SUCCESS);
-
- cleanup_message:
-	if (cleanup_cctx)
-		dns_compress_invalidate(&cctx);
-
-	dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
-
-	/*
-	 * Stop the dispatcher from listening.
-	 */
-	dns_dispatch_removeresponse(&query->dispentry, NULL);
-
- cleanup_temps:
-	if (qname != NULL)
-		dns_message_puttempname(fctx->qmessage, &qname);
-	if (qrdataset != NULL)
-		dns_message_puttemprdataset(fctx->qmessage, &qrdataset);
-
-	return (result);
-}
-
-static void
-resquery_connected(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	resquery_t *query = event->ev_arg;
-	isc_boolean_t retry = ISC_FALSE;
-	isc_interval_t interval;
-	isc_result_t result;
-	unsigned int attrs;
-	fetchctx_t *fctx;
-
-	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
-	REQUIRE(VALID_QUERY(query));
-
-	QTRACE("connected");
-
-	UNUSED(task);
-
-	/*
-	 * XXXRTH
-	 *
-	 * Currently we don't wait for the connect event before retrying
-	 * a query.  This means that if we get really behind, we may end
-	 * up doing extra work!
-	 */
-
-	query->connects--;
-	fctx = query->fctx;
-
-	if (RESQUERY_CANCELED(query)) {
-		/*
-		 * This query was canceled while the connect() was in
-		 * progress.
-		 */
-		isc_socket_detach(&query->tcpsocket);
-		resquery_destroy(&query);
-	} else {
-		switch (sevent->result) {
-		case ISC_R_SUCCESS:
-
-			/*
-			 * Extend the idle timer for TCP.  20 seconds
-			 * should be long enough for a TCP connection to be
-			 * established, a single DNS request to be sent,
-			 * and the response received.
-			 */
-			isc_interval_set(&interval, 20, 0);
-			result = fctx_startidletimer(query->fctx, &interval);
-			if (result != ISC_R_SUCCESS) {
-				fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
-				fctx_done(fctx, result, __LINE__);
-				break;
-			}
-			/*
-			 * We are connected.  Create a dispatcher and
-			 * send the query.
-			 */
-			attrs = 0;
-			attrs |= DNS_DISPATCHATTR_TCP;
-			attrs |= DNS_DISPATCHATTR_PRIVATE;
-			attrs |= DNS_DISPATCHATTR_CONNECTED;
-			if (isc_sockaddr_pf(&query->addrinfo->sockaddr) ==
-			    AF_INET)
-				attrs |= DNS_DISPATCHATTR_IPV4;
-			else
-				attrs |= DNS_DISPATCHATTR_IPV6;
-			attrs |= DNS_DISPATCHATTR_MAKEQUERY;
-
-			result = dns_dispatch_createtcp(query->dispatchmgr,
-						     query->tcpsocket,
-						     query->fctx->res->taskmgr,
-						     4096, 2, 1, 1, 3, attrs,
-						     &query->dispatch);
-
-			/*
-			 * Regardless of whether dns_dispatch_create()
-			 * succeeded or not, we don't need our reference
-			 * to the socket anymore.
-			 */
-			isc_socket_detach(&query->tcpsocket);
-
-			if (result == ISC_R_SUCCESS)
-				result = resquery_send(query);
-
-			if (result != ISC_R_SUCCESS) {
-				fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
-				fctx_done(fctx, result, __LINE__);
-			}
-			break;
-
-		case ISC_R_NETUNREACH:
-		case ISC_R_HOSTUNREACH:
-		case ISC_R_CONNREFUSED:
-		case ISC_R_NOPERM:
-		case ISC_R_ADDRNOTAVAIL:
-		case ISC_R_CONNECTIONRESET:
-			/*
-			 * No route to remote.
-			 */
-			isc_socket_detach(&query->tcpsocket);
-			fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
-			retry = ISC_TRUE;
-			break;
-
-		default:
-			isc_socket_detach(&query->tcpsocket);
-			fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
-			break;
-		}
-	}
-
-	isc_event_free(&event);
-
-	if (retry) {
-		/*
-		 * Behave as if the idle timer has expired.  For TCP
-		 * connections this may not actually reflect the latest timer.
-		 */
-		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-		result = fctx_stopidletimer(fctx);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result, __LINE__);
-		else
-			fctx_try(fctx, ISC_TRUE, ISC_FALSE);
-	}
-}
-
-static void
-fctx_finddone(isc_task_t *task, isc_event_t *event) {
-	fetchctx_t *fctx;
-	dns_adbfind_t *find;
-	dns_resolver_t *res;
-	isc_boolean_t want_try = ISC_FALSE;
-	isc_boolean_t want_done = ISC_FALSE;
-	isc_boolean_t bucket_empty = ISC_FALSE;
-	unsigned int bucketnum;
-	isc_boolean_t destroy = ISC_FALSE;
-
-	find = event->ev_sender;
-	fctx = event->ev_arg;
-	REQUIRE(VALID_FCTX(fctx));
-	res = fctx->res;
-
-	UNUSED(task);
-
-	FCTXTRACE("finddone");
-
-	bucketnum = fctx->bucketnum;
-	LOCK(&res->buckets[bucketnum].lock);
-
-	INSIST(fctx->pending > 0);
-	fctx->pending--;
-
-	if (ADDRWAIT(fctx)) {
-		/*
-		 * The fetch is waiting for a name to be found.
-		 */
-		INSIST(!SHUTTINGDOWN(fctx));
-		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
-			want_try = ISC_TRUE;
-		else {
-			fctx->findfail++;
-			if (fctx->pending == 0) {
-				/*
-				 * We've got nothing else to wait for and don't
-				 * know the answer.  There's nothing to do but
-				 * fail the fctx.
-				 */
-				want_done = ISC_TRUE;
-			}
-		}
-	} else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
-		   fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
-
-		if (fctx->references == 0) {
-			bucket_empty = fctx_unlink(fctx);
-			destroy = ISC_TRUE;
-		}
-	}
-	UNLOCK(&res->buckets[bucketnum].lock);
-
-	isc_event_free(&event);
-	dns_adb_destroyfind(&find);
-
-	if (want_try)
-		fctx_try(fctx, ISC_TRUE, ISC_FALSE);
-	else if (want_done)
-		fctx_done(fctx, ISC_R_FAILURE, __LINE__);
-	else if (destroy) {
-			fctx_destroy(fctx);
-		if (bucket_empty)
-			empty_bucket(res);
-	}
-}
-
-
-static inline isc_boolean_t
-bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) {
-	isc_sockaddr_t *sa;
-
-	for (sa = ISC_LIST_HEAD(fctx->bad);
-	     sa != NULL;
-	     sa = ISC_LIST_NEXT(sa, link)) {
-		if (isc_sockaddr_equal(sa, address))
-			return (ISC_TRUE);
-	}
-
-	return (ISC_FALSE);
-}
-
-static inline isc_boolean_t
-mark_bad(fetchctx_t *fctx) {
-	dns_adbfind_t *curr;
-	dns_adbaddrinfo_t *addrinfo;
-	isc_boolean_t all_bad = ISC_TRUE;
-
-	/*
-	 * Mark all known bad servers, so we don't try to talk to them
-	 * again.
-	 */
-
-	/*
-	 * Mark any bad nameservers.
-	 */
-	for (curr = ISC_LIST_HEAD(fctx->finds);
-	     curr != NULL;
-	     curr = ISC_LIST_NEXT(curr, publink)) {
-		for (addrinfo = ISC_LIST_HEAD(curr->list);
-		     addrinfo != NULL;
-		     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
-			if (bad_server(fctx, &addrinfo->sockaddr))
-				addrinfo->flags |= FCTX_ADDRINFO_MARK;
-			else
-				all_bad = ISC_FALSE;
-		}
-	}
-
-	/*
-	 * Mark any bad forwarders.
-	 */
-	for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
-	     addrinfo != NULL;
-	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
-		if (bad_server(fctx, &addrinfo->sockaddr))
-			addrinfo->flags |= FCTX_ADDRINFO_MARK;
-		else
-			all_bad = ISC_FALSE;
-	}
-
-	/*
-	 * Mark any bad alternates.
-	 */
-	for (curr = ISC_LIST_HEAD(fctx->altfinds);
-	     curr != NULL;
-	     curr = ISC_LIST_NEXT(curr, publink)) {
-		for (addrinfo = ISC_LIST_HEAD(curr->list);
-		     addrinfo != NULL;
-		     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
-			if (bad_server(fctx, &addrinfo->sockaddr))
-				addrinfo->flags |= FCTX_ADDRINFO_MARK;
-			else
-				all_bad = ISC_FALSE;
-		}
-	}
-
-	for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
-	     addrinfo != NULL;
-	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
-		if (bad_server(fctx, &addrinfo->sockaddr))
-			addrinfo->flags |= FCTX_ADDRINFO_MARK;
-		else
-			all_bad = ISC_FALSE;
-	}
-
-	return (all_bad);
-}
-
-static void
-add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
-	badnstype_t badtype)
-{
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-	char classbuf[64];
-	char typebuf[64];
-	char code[64];
-	isc_buffer_t b;
-	isc_sockaddr_t *sa;
-	const char *spc = "";
-	isc_sockaddr_t *address = &addrinfo->sockaddr;
-
-	if (reason == DNS_R_LAME)
-		fctx->lamecount++;
-	else {
-		switch (badtype) {
-		case badns_unreachable:
-			fctx->neterr++;
-			break;
-		case badns_response:
-			fctx->badresp++;
-			break;
-		case badns_validation:
-			break;	/* counted as 'valfail' */
-		}
-	}
-
-	if (bad_server(fctx, address)) {
-		/*
-		 * We already know this server is bad.
-		 */
-		return;
-	}
-
-	FCTXTRACE("add_bad");
-
-	sa = isc_mem_get(fctx->mctx, sizeof(*sa));
-	if (sa == NULL)
-		return;
-	*sa = *address;
-	ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
-
-	if (reason == DNS_R_LAME)       /* already logged */
-		return;
-
-	if (reason == DNS_R_UNEXPECTEDRCODE &&
-	    fctx->rmessage->rcode == dns_rcode_servfail &&
-	    ISFORWARDER(addrinfo))
-		return;
-
-	if (reason == DNS_R_UNEXPECTEDRCODE) {
-		isc_buffer_init(&b, code, sizeof(code) - 1);
-		dns_rcode_totext(fctx->rmessage->rcode, &b);
-		code[isc_buffer_usedlength(&b)] = '\0';
-		spc = " ";
-	} else if (reason == DNS_R_UNEXPECTEDOPCODE) {
-		isc_buffer_init(&b, code, sizeof(code) - 1);
-		dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
-		code[isc_buffer_usedlength(&b)] = '\0';
-		spc = " ";
-	} else {
-		code[0] = '\0';
-	}
-	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
-	dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
-	dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
-	isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
-		      "error (%s%s%s) resolving '%s/%s/%s': %s",
-		      dns_result_totext(reason), spc, code,
-		      namebuf, typebuf, classbuf, addrbuf);
-}
-
-/*
- * Sort addrinfo list by RTT.
- */
-static void
-sort_adbfind(dns_adbfind_t *find) {
-	dns_adbaddrinfo_t *best, *curr;
-	dns_adbaddrinfolist_t sorted;
-
-	/* Lame N^2 bubble sort. */
-	ISC_LIST_INIT(sorted);
-	while (!ISC_LIST_EMPTY(find->list)) {
-		best = ISC_LIST_HEAD(find->list);
-		curr = ISC_LIST_NEXT(best, publink);
-		while (curr != NULL) {
-			if (curr->srtt < best->srtt)
-				best = curr;
-			curr = ISC_LIST_NEXT(curr, publink);
-		}
-		ISC_LIST_UNLINK(find->list, best, publink);
-		ISC_LIST_APPEND(sorted, best, publink);
-	}
-	find->list = sorted;
-}
-
-/*
- * Sort a list of finds by server RTT.
- */
-static void
-sort_finds(dns_adbfindlist_t *findlist) {
-	dns_adbfind_t *best, *curr;
-	dns_adbfindlist_t sorted;
-	dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
-
-	/* Sort each find's addrinfo list by SRTT. */
-	for (curr = ISC_LIST_HEAD(*findlist);
-	     curr != NULL;
-	     curr = ISC_LIST_NEXT(curr, publink))
-		sort_adbfind(curr);
-
-	/* Lame N^2 bubble sort. */
-	ISC_LIST_INIT(sorted);
-	while (!ISC_LIST_EMPTY(*findlist)) {
-		best = ISC_LIST_HEAD(*findlist);
-		bestaddrinfo = ISC_LIST_HEAD(best->list);
-		INSIST(bestaddrinfo != NULL);
-		curr = ISC_LIST_NEXT(best, publink);
-		while (curr != NULL) {
-			addrinfo = ISC_LIST_HEAD(curr->list);
-			INSIST(addrinfo != NULL);
-			if (addrinfo->srtt < bestaddrinfo->srtt) {
-				best = curr;
-				bestaddrinfo = addrinfo;
-			}
-			curr = ISC_LIST_NEXT(curr, publink);
-		}
-		ISC_LIST_UNLINK(*findlist, best, publink);
-		ISC_LIST_APPEND(sorted, best, publink);
-	}
-	*findlist = sorted;
-}
-
-static void
-findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
-	 unsigned int options, unsigned int flags, isc_stdtime_t now,
-	 isc_boolean_t *need_alternate)
-{
-	dns_adbaddrinfo_t *ai;
-	dns_adbfind_t *find;
-	dns_resolver_t *res;
-	isc_boolean_t unshared;
-	isc_result_t result;
-
-	res = fctx->res;
-	unshared = ISC_TF((fctx->options & DNS_FETCHOPT_UNSHARED) != 0);
-	/*
-	 * If this name is a subdomain of the query domain, tell
-	 * the ADB to start looking using zone/hint data. This keeps us
-	 * from getting stuck if the nameserver is beneath the zone cut
-	 * and we don't know its address (e.g. because the A record has
-	 * expired).
-	 */
-	if (dns_name_issubdomain(name, &fctx->domain))
-		options |= DNS_ADBFIND_STARTATZONE;
-	options |= DNS_ADBFIND_GLUEOK;
-	options |= DNS_ADBFIND_HINTOK;
-
-	/*
-	 * See what we know about this address.
-	 */
-	find = NULL;
-	result = dns_adb_createfind(fctx->adb,
-				    res->buckets[fctx->bucketnum].task,
-				    fctx_finddone, fctx, name,
-				    &fctx->name, fctx->type,
-				    options, now, NULL,
-				    res->view->dstport, &find);
-	if (result != ISC_R_SUCCESS) {
-		if (result == DNS_R_ALIAS) {
-			/*
-			 * XXXRTH  Follow the CNAME/DNAME chain?
-			 */
-			dns_adb_destroyfind(&find);
-			fctx->adberr++;
-		}
-	} else if (!ISC_LIST_EMPTY(find->list)) {
-		/*
-		 * We have at least some of the addresses for the
-		 * name.
-		 */
-		INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
-		if (flags != 0 || port != 0) {
-			for (ai = ISC_LIST_HEAD(find->list);
-			     ai != NULL;
-			     ai = ISC_LIST_NEXT(ai, publink)) {
-				ai->flags |= flags;
-				if (port != 0)
-					isc_sockaddr_setport(&ai->sockaddr,
-							     port);
-			}
-		}
-		if ((flags & FCTX_ADDRINFO_FORWARDER) != 0)
-			ISC_LIST_APPEND(fctx->altfinds, find, publink);
-		else
-			ISC_LIST_APPEND(fctx->finds, find, publink);
-	} else {
-		/*
-		 * We don't know any of the addresses for this
-		 * name.
-		 */
-		if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
-			/*
-			 * We're looking for them and will get an
-			 * event about it later.
-			 */
-			fctx->pending++;
-			/*
-			 * Bootstrap.
-			 */
-			if (need_alternate != NULL &&
-			    !*need_alternate && unshared &&
-			    ((res->dispatches4 == NULL &&
-			      find->result_v6 != DNS_R_NXDOMAIN) ||
-			     (res->dispatches6 == NULL &&
-			      find->result_v4 != DNS_R_NXDOMAIN)))
-				*need_alternate = ISC_TRUE;
-		} else {
-			if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
-				fctx->lamecount++; /* cached lame server */
-			else
-				fctx->adberr++; /* unreachable server, etc. */
-
-			/*
-			 * If we know there are no addresses for
-			 * the family we are using then try to add
-			 * an alternative server.
-			 */
-			if (need_alternate != NULL && !*need_alternate &&
-			    ((res->dispatches4 == NULL &&
-			      find->result_v6 == DNS_R_NXRRSET) ||
-			     (res->dispatches6 == NULL &&
-			      find->result_v4 == DNS_R_NXRRSET)))
-				*need_alternate = ISC_TRUE;
-			dns_adb_destroyfind(&find);
-		}
-	}
-}
-
-static isc_boolean_t
-isstrictsubdomain(dns_name_t *name1, dns_name_t *name2) {
-	int order;
-	unsigned int nlabels;
-	dns_namereln_t namereln;
-
-	namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
-	return (ISC_TF(namereln == dns_namereln_subdomain));
-}
-
-static isc_result_t
-fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	dns_resolver_t *res;
-	isc_stdtime_t now;
-	unsigned int stdoptions = 0;
-	isc_sockaddr_t *sa;
-	dns_adbaddrinfo_t *ai;
-	isc_boolean_t all_bad;
-	dns_rdata_ns_t ns;
-	isc_boolean_t need_alternate = ISC_FALSE;
-
-	FCTXTRACE("getaddresses");
-
-	/*
-	 * Don't pound on remote servers.  (Failsafe!)
-	 */
-	fctx->restarts++;
-	if (fctx->restarts > 10) {
-		FCTXTRACE("too many restarts");
-		return (DNS_R_SERVFAIL);
-	}
-
-	res = fctx->res;
-
-	/*
-	 * Forwarders.
-	 */
-
-	INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
-	INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
-
-	/*
-	 * If this fctx has forwarders, use them; otherwise use any
-	 * selective forwarders specified in the view; otherwise use the
-	 * resolver's forwarders (if any).
-	 */
-	sa = ISC_LIST_HEAD(fctx->forwarders);
-	if (sa == NULL) {
-		dns_forwarders_t *forwarders = NULL;
-		dns_name_t *name = &fctx->name;
-		dns_name_t suffix;
-		unsigned int labels;
-		dns_fixedname_t fixed;
-		dns_name_t *domain;
-
-		/*
-		 * DS records are found in the parent server.
-		 * Strip label to get the correct forwarder (if any).
-		 */
-		if (dns_rdatatype_atparent(fctx->type) &&
-		    dns_name_countlabels(name) > 1) {
-			dns_name_init(&suffix, NULL);
-			labels = dns_name_countlabels(name);
-			dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
-			name = &suffix;
-		}
-
-		dns_fixedname_init(&fixed);
-		domain = dns_fixedname_name(&fixed);
-		result = dns_fwdtable_find2(fctx->res->view->fwdtable, name,
-					    domain, &forwarders);
-		if (result == ISC_R_SUCCESS) {
-			sa = ISC_LIST_HEAD(forwarders->addrs);
-			fctx->fwdpolicy = forwarders->fwdpolicy;
-			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
-			    isstrictsubdomain(domain, &fctx->domain)) {
-				dns_name_free(&fctx->domain, fctx->mctx);
-				dns_name_init(&fctx->domain, NULL);
-				result = dns_name_dup(domain, fctx->mctx,
-						      &fctx->domain);
-				if (result != ISC_R_SUCCESS)
-					return (result);
-			}
-		}
-	}
-
-	while (sa != NULL) {
-		if ((isc_sockaddr_pf(sa) == AF_INET &&
-			 fctx->res->dispatches4 == NULL) ||
-		    (isc_sockaddr_pf(sa) == AF_INET6 &&
-			fctx->res->dispatches6 == NULL)) {
-				sa = ISC_LIST_NEXT(sa, link);
-				continue;
-		}
-		ai = NULL;
-		result = dns_adb_findaddrinfo(fctx->adb,
-					      sa, &ai, 0);  /* XXXMLG */
-		if (result == ISC_R_SUCCESS) {
-			dns_adbaddrinfo_t *cur;
-			ai->flags |= FCTX_ADDRINFO_FORWARDER;
-			cur = ISC_LIST_HEAD(fctx->forwaddrs);
-			while (cur != NULL && cur->srtt < ai->srtt)
-				cur = ISC_LIST_NEXT(cur, publink);
-			if (cur != NULL)
-				ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur,
-						      ai, publink);
-			else
-				ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
-		}
-		sa = ISC_LIST_NEXT(sa, link);
-	}
-
-	/*
-	 * If the forwarding policy is "only", we don't need the addresses
-	 * of the nameservers.
-	 */
-	if (fctx->fwdpolicy == dns_fwdpolicy_only)
-		goto out;
-
-	/*
-	 * Normal nameservers.
-	 */
-
-	stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
-	if (fctx->restarts == 1) {
-		/*
-		 * To avoid sending out a flood of queries likely to
-		 * result in NXRRSET, we suppress fetches for address
-		 * families we don't have the first time through,
-		 * provided that we have addresses in some family we
-		 * can use.
-		 *
-		 * We don't want to set this option all the time, since
-		 * if fctx->restarts > 1, we've clearly been having trouble
-		 * with the addresses we had, so getting more could help.
-		 */
-		stdoptions |= DNS_ADBFIND_AVOIDFETCHES;
-	}
-	if (res->dispatches4 != NULL)
-		stdoptions |= DNS_ADBFIND_INET;
-	if (res->dispatches6 != NULL)
-		stdoptions |= DNS_ADBFIND_INET6;
-	isc_stdtime_get(&now);
-
-	INSIST(ISC_LIST_EMPTY(fctx->finds));
-	INSIST(ISC_LIST_EMPTY(fctx->altfinds));
-
-	for (result = dns_rdataset_first(&fctx->nameservers);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&fctx->nameservers))
-	{
-		dns_rdataset_current(&fctx->nameservers, &rdata);
-		/*
-		 * Extract the name from the NS record.
-		 */
-		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		if (result != ISC_R_SUCCESS)
-			continue;
-
-		findname(fctx, &ns.name, 0, stdoptions, 0, now,
-			 &need_alternate);
-		dns_rdata_reset(&rdata);
-		dns_rdata_freestruct(&ns);
-	}
-	if (result != ISC_R_NOMORE)
-		return (result);
-
-	/*
-	 * Do we need to use 6 to 4?
-	 */
-	if (need_alternate) {
-		int family;
-		alternate_t *a;
-		family = (res->dispatches6 != NULL) ? AF_INET6 : AF_INET;
-		for (a = ISC_LIST_HEAD(fctx->res->alternates);
-		     a != NULL;
-		     a = ISC_LIST_NEXT(a, link)) {
-			if (!a->isaddress) {
-				findname(fctx, &a->_u._n.name, a->_u._n.port,
-					 stdoptions, FCTX_ADDRINFO_FORWARDER,
-					 now, NULL);
-				continue;
-			}
-			if (isc_sockaddr_pf(&a->_u.addr) != family)
-				continue;
-			ai = NULL;
-			result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr,
-						      &ai, 0);
-			if (result == ISC_R_SUCCESS) {
-				dns_adbaddrinfo_t *cur;
-				ai->flags |= FCTX_ADDRINFO_FORWARDER;
-				cur = ISC_LIST_HEAD(fctx->altaddrs);
-				while (cur != NULL && cur->srtt < ai->srtt)
-					cur = ISC_LIST_NEXT(cur, publink);
-				if (cur != NULL)
-					ISC_LIST_INSERTBEFORE(fctx->altaddrs,
-							      cur, ai, publink);
-				else
-					ISC_LIST_APPEND(fctx->altaddrs, ai,
-							publink);
-			}
-		}
-	}
-
- out:
-	/*
-	 * Mark all known bad servers.
-	 */
-	all_bad = mark_bad(fctx);
-
-	/*
-	 * How are we doing?
-	 */
-	if (all_bad) {
-		/*
-		 * We've got no addresses.
-		 */
-		if (fctx->pending > 0) {
-			/*
-			 * We're fetching the addresses, but don't have any
-			 * yet.   Tell the caller to wait for an answer.
-			 */
-			result = DNS_R_WAIT;
-		} else {
-			isc_time_t expire;
-			isc_interval_t i;
-			/*
-			 * We've lost completely.  We don't know any
-			 * addresses, and the ADB has told us it can't get
-			 * them.
-			 */
-			FCTXTRACE("no addresses");
-			isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0);
-			result = isc_time_nowplusinterval(&expire, &i);
-			if (badcache &&
-			    (fctx->type == dns_rdatatype_dnskey ||
-			     fctx->type == dns_rdatatype_dlv ||
-			     fctx->type == dns_rdatatype_ds) &&
-			     result == ISC_R_SUCCESS)
-				dns_resolver_addbadcache(fctx->res,
-							 &fctx->name,
-							 fctx->type, &expire);
-			result = ISC_R_FAILURE;
-		}
-	} else {
-		/*
-		 * We've found some addresses.  We might still be looking
-		 * for more addresses.
-		 */
-		sort_finds(&fctx->finds);
-		sort_finds(&fctx->altfinds);
-		result = ISC_R_SUCCESS;
-	}
-
-	return (result);
-}
-
-static inline void
-possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr)
-{
-	isc_netaddr_t na;
-	char buf[ISC_NETADDR_FORMATSIZE];
-	isc_sockaddr_t *sa;
-	isc_boolean_t aborted = ISC_FALSE;
-	isc_boolean_t bogus;
-	dns_acl_t *blackhole;
-	isc_netaddr_t ipaddr;
-	dns_peer_t *peer = NULL;
-	dns_resolver_t *res;
-	const char *msg = NULL;
-
-	sa = &addr->sockaddr;
-
-	res = fctx->res;
-	isc_netaddr_fromsockaddr(&ipaddr, sa);
-	blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr);
-	(void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer);
-
-	if (blackhole != NULL) {
-		int match;
-
-		if (dns_acl_match(&ipaddr, NULL, blackhole,
-				  &res->view->aclenv,
-				  &match, NULL) == ISC_R_SUCCESS &&
-		    match > 0)
-			aborted = ISC_TRUE;
-	}
-
-	if (peer != NULL &&
-	    dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
-	    bogus)
-		aborted = ISC_TRUE;
-
-	if (aborted) {
-		addr->flags |= FCTX_ADDRINFO_MARK;
-		msg = "ignoring blackholed / bogus server: ";
-	} else if (isc_sockaddr_ismulticast(sa)) {
-		addr->flags |= FCTX_ADDRINFO_MARK;
-		msg = "ignoring multicast address: ";
-	} else if (isc_sockaddr_isexperimental(sa)) {
-		addr->flags |= FCTX_ADDRINFO_MARK;
-		msg = "ignoring experimental address: ";
-	} else if (sa->type.sa.sa_family != AF_INET6) {
-		return;
-	} else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
-		addr->flags |= FCTX_ADDRINFO_MARK;
-		msg = "ignoring IPv6 mapped IPV4 address: ";
-	} else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) {
-		addr->flags |= FCTX_ADDRINFO_MARK;
-		msg = "ignoring IPv6 compatibility IPV4 address: ";
-	} else
-		return;
-
-	if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))
-		return;
-
-	isc_netaddr_fromsockaddr(&na, sa);
-	isc_netaddr_format(&na, buf, sizeof(buf));
-	FCTXTRACE2(msg, buf);
-}
-
-static inline dns_adbaddrinfo_t *
-fctx_nextaddress(fetchctx_t *fctx) {
-	dns_adbfind_t *find, *start;
-	dns_adbaddrinfo_t *addrinfo;
-	dns_adbaddrinfo_t *faddrinfo;
-
-	/*
-	 * Return the next untried address, if any.
-	 */
-
-	/*
-	 * Find the first unmarked forwarder (if any).
-	 */
-	for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
-	     addrinfo != NULL;
-	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
-		if (!UNMARKED(addrinfo))
-			continue;
-		possibly_mark(fctx, addrinfo);
-		if (UNMARKED(addrinfo)) {
-			addrinfo->flags |= FCTX_ADDRINFO_MARK;
-			fctx->find = NULL;
-			return (addrinfo);
-		}
-	}
-
-	/*
-	 * No forwarders.  Move to the next find.
-	 */
-
-	fctx->attributes |= FCTX_ATTR_TRIEDFIND;
-
-	find = fctx->find;
-	if (find == NULL)
-		find = ISC_LIST_HEAD(fctx->finds);
-	else {
-		find = ISC_LIST_NEXT(find, publink);
-		if (find == NULL)
-			find = ISC_LIST_HEAD(fctx->finds);
-	}
-
-	/*
-	 * Find the first unmarked addrinfo.
-	 */
-	addrinfo = NULL;
-	if (find != NULL) {
-		start = find;
-		do {
-			for (addrinfo = ISC_LIST_HEAD(find->list);
-			     addrinfo != NULL;
-			     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
-				if (!UNMARKED(addrinfo))
-					continue;
-				possibly_mark(fctx, addrinfo);
-				if (UNMARKED(addrinfo)) {
-					addrinfo->flags |= FCTX_ADDRINFO_MARK;
-					break;
-				}
-			}
-			if (addrinfo != NULL)
-				break;
-			find = ISC_LIST_NEXT(find, publink);
-			if (find == NULL)
-				find = ISC_LIST_HEAD(fctx->finds);
-		} while (find != start);
-	}
-
-	fctx->find = find;
-	if (addrinfo != NULL)
-		return (addrinfo);
-
-	/*
-	 * No nameservers left.  Try alternates.
-	 */
-
-	fctx->attributes |= FCTX_ATTR_TRIEDALT;
-
-	find = fctx->altfind;
-	if (find == NULL)
-		find = ISC_LIST_HEAD(fctx->altfinds);
-	else {
-		find = ISC_LIST_NEXT(find, publink);
-		if (find == NULL)
-			find = ISC_LIST_HEAD(fctx->altfinds);
-	}
-
-	/*
-	 * Find the first unmarked addrinfo.
-	 */
-	addrinfo = NULL;
-	if (find != NULL) {
-		start = find;
-		do {
-			for (addrinfo = ISC_LIST_HEAD(find->list);
-			     addrinfo != NULL;
-			     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
-				if (!UNMARKED(addrinfo))
-					continue;
-				possibly_mark(fctx, addrinfo);
-				if (UNMARKED(addrinfo)) {
-					addrinfo->flags |= FCTX_ADDRINFO_MARK;
-					break;
-				}
-			}
-			if (addrinfo != NULL)
-				break;
-			find = ISC_LIST_NEXT(find, publink);
-			if (find == NULL)
-				find = ISC_LIST_HEAD(fctx->altfinds);
-		} while (find != start);
-	}
-
-	faddrinfo = addrinfo;
-
-	/*
-	 * See if we have a better alternate server by address.
-	 */
-
-	for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
-	     addrinfo != NULL;
-	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
-		if (!UNMARKED(addrinfo))
-			continue;
-		possibly_mark(fctx, addrinfo);
-		if (UNMARKED(addrinfo) &&
-		    (faddrinfo == NULL ||
-		     addrinfo->srtt < faddrinfo->srtt)) {
-			if (faddrinfo != NULL)
-				faddrinfo->flags &= ~FCTX_ADDRINFO_MARK;
-			addrinfo->flags |= FCTX_ADDRINFO_MARK;
-			break;
-		}
-	}
-
-	if (addrinfo == NULL) {
-		addrinfo = faddrinfo;
-		fctx->altfind = find;
-	}
-
-	return (addrinfo);
-}
-
-static void
-fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
-	isc_result_t result;
-	dns_adbaddrinfo_t *addrinfo;
-
-	FCTXTRACE("try");
-
-	REQUIRE(!ADDRWAIT(fctx));
-
-	addrinfo = fctx_nextaddress(fctx);
-	if (addrinfo == NULL) {
-		/*
-		 * We have no more addresses.  Start over.
-		 */
-		fctx_cancelqueries(fctx, ISC_TRUE);
-		fctx_cleanupfinds(fctx);
-		fctx_cleanupaltfinds(fctx);
-		fctx_cleanupforwaddrs(fctx);
-		fctx_cleanupaltaddrs(fctx);
-		result = fctx_getaddresses(fctx, badcache);
-		if (result == DNS_R_WAIT) {
-			/*
-			 * Sleep waiting for addresses.
-			 */
-			FCTXTRACE("addrwait");
-			fctx->attributes |= FCTX_ATTR_ADDRWAIT;
-			return;
-		} else if (result != ISC_R_SUCCESS) {
-			/*
-			 * Something bad happened.
-			 */
-			fctx_done(fctx, result, __LINE__);
-			return;
-		}
-
-		addrinfo = fctx_nextaddress(fctx);
-		/*
-		 * While we may have addresses from the ADB, they
-		 * might be bad ones.  In this case, return SERVFAIL.
-		 */
-		if (addrinfo == NULL) {
-			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-			return;
-		}
-	}
-
-	result = fctx_query(fctx, addrinfo, fctx->options);
-	if (result != ISC_R_SUCCESS)
-		fctx_done(fctx, result, __LINE__);
-	else if (retrying)
-		inc_stats(fctx->res, dns_resstatscounter_retry);
-}
-
-static isc_boolean_t
-fctx_unlink(fetchctx_t *fctx) {
-	dns_resolver_t *res;
-	unsigned int bucketnum;
-
-	/*
-	 * Caller must be holding the bucket lock.
-	 */
-
-	REQUIRE(VALID_FCTX(fctx));
-	REQUIRE(fctx->state == fetchstate_done ||
-		fctx->state == fetchstate_init);
-	REQUIRE(ISC_LIST_EMPTY(fctx->events));
-	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-	REQUIRE(ISC_LIST_EMPTY(fctx->finds));
-	REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
-	REQUIRE(fctx->pending == 0);
-	REQUIRE(fctx->references == 0);
-	REQUIRE(ISC_LIST_EMPTY(fctx->validators));
-
-	FCTXTRACE("unlink");
-
-	res = fctx->res;
-	bucketnum = fctx->bucketnum;
-
-	ISC_LIST_UNLINK(res->buckets[bucketnum].fctxs, fctx, link);
-
-	LOCK(&res->nlock);
-	res->nfctx--;
-	UNLOCK(&res->nlock);
-
-	if (res->buckets[bucketnum].exiting &&
-	    ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs))
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-static void
-fctx_destroy(fetchctx_t *fctx) {
-	isc_sockaddr_t *sa, *next_sa;
-
-	REQUIRE(VALID_FCTX(fctx));
-	REQUIRE(fctx->state == fetchstate_done ||
-		fctx->state == fetchstate_init);
-	REQUIRE(ISC_LIST_EMPTY(fctx->events));
-	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-	REQUIRE(ISC_LIST_EMPTY(fctx->finds));
-	REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
-	REQUIRE(fctx->pending == 0);
-	REQUIRE(fctx->references == 0);
-	REQUIRE(ISC_LIST_EMPTY(fctx->validators));
-	REQUIRE(!ISC_LINK_LINKED(fctx, link));
-
-	FCTXTRACE("destroy");
-
-	/*
-	 * Free bad.
-	 */
-	for (sa = ISC_LIST_HEAD(fctx->bad);
-	     sa != NULL;
-	     sa = next_sa) {
-		next_sa = ISC_LIST_NEXT(sa, link);
-		ISC_LIST_UNLINK(fctx->bad, sa, link);
-		isc_mem_put(fctx->mctx, sa, sizeof(*sa));
-	}
-
-	for (sa = ISC_LIST_HEAD(fctx->edns);
-	     sa != NULL;
-	     sa = next_sa) {
-		next_sa = ISC_LIST_NEXT(sa, link);
-		ISC_LIST_UNLINK(fctx->edns, sa, link);
-		isc_mem_put(fctx->mctx, sa, sizeof(*sa));
-	}
-
-	for (sa = ISC_LIST_HEAD(fctx->edns512);
-	     sa != NULL;
-	     sa = next_sa) {
-		next_sa = ISC_LIST_NEXT(sa, link);
-		ISC_LIST_UNLINK(fctx->edns512, sa, link);
-		isc_mem_put(fctx->mctx, sa, sizeof(*sa));
-	}
-
-	for (sa = ISC_LIST_HEAD(fctx->bad_edns);
-	     sa != NULL;
-	     sa = next_sa) {
-		next_sa = ISC_LIST_NEXT(sa, link);
-		ISC_LIST_UNLINK(fctx->bad_edns, sa, link);
-		isc_mem_put(fctx->mctx, sa, sizeof(*sa));
-	}
-
-	isc_timer_detach(&fctx->timer);
-	dns_message_destroy(&fctx->rmessage);
-	dns_message_destroy(&fctx->qmessage);
-	if (dns_name_countlabels(&fctx->domain) > 0)
-		dns_name_free(&fctx->domain, fctx->mctx);
-	if (dns_rdataset_isassociated(&fctx->nameservers))
-		dns_rdataset_disassociate(&fctx->nameservers);
-	dns_name_free(&fctx->name, fctx->mctx);
-	dns_db_detach(&fctx->cache);
-	dns_adb_detach(&fctx->adb);
-	isc_mem_free(fctx->mctx, fctx->info);
-	isc_mem_putanddetach(&fctx->mctx, fctx, sizeof(*fctx));
-}
-
-/*
- * Fetch event handlers.
- */
-
-static void
-fctx_timeout(isc_task_t *task, isc_event_t *event) {
-	fetchctx_t *fctx = event->ev_arg;
-	isc_timerevent_t *tevent = (isc_timerevent_t *)event;
-	resquery_t *query;
-
-	REQUIRE(VALID_FCTX(fctx));
-
-	UNUSED(task);
-
-	FCTXTRACE("timeout");
-
-	inc_stats(fctx->res, dns_resstatscounter_querytimeout);
-
-	if (event->ev_type == ISC_TIMEREVENT_LIFE) {
-		fctx->reason = NULL;
-		fctx_done(fctx, ISC_R_TIMEDOUT, __LINE__);
-	} else {
-		isc_result_t result;
-
-		fctx->timeouts++;
-		fctx->timeout = ISC_TRUE;
-		/*
-		 * We could cancel the running queries here, or we could let
-		 * them keep going.  Since we normally use separate sockets for
-		 * different queries, we adopt the former approach to reduce
-		 * the number of open sockets: cancel the oldest query if it
-		 * expired after the query had started (this is usually the
-		 * case but is not always so, depending on the task schedule
-		 * timing).
-		 */
-		query = ISC_LIST_HEAD(fctx->queries);
-		if (query != NULL &&
-		    isc_time_compare(&tevent->due, &query->start) >= 0) {
-			fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
-		}
-		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-		/*
-		 * Our timer has triggered.  Reestablish the fctx lifetime
-		 * timer.
-		 */
-		result = fctx_starttimer(fctx);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result, __LINE__);
-		else
-			/*
-			 * Keep trying.
-			 */
-			fctx_try(fctx, ISC_TRUE, ISC_FALSE);
-	}
-
-	isc_event_free(&event);
-}
-
-static void
-fctx_shutdown(fetchctx_t *fctx) {
-	isc_event_t *cevent;
-
-	/*
-	 * Start the shutdown process for fctx, if it isn't already underway.
-	 */
-
-	FCTXTRACE("shutdown");
-
-	/*
-	 * The caller must be holding the appropriate bucket lock.
-	 */
-
-	if (fctx->want_shutdown)
-		return;
-
-	fctx->want_shutdown = ISC_TRUE;
-
-	/*
-	 * Unless we're still initializing (in which case the
-	 * control event is still outstanding), we need to post
-	 * the control event to tell the fetch we want it to
-	 * exit.
-	 */
-	if (fctx->state != fetchstate_init) {
-		cevent = &fctx->control_event;
-		isc_task_send(fctx->res->buckets[fctx->bucketnum].task,
-			      &cevent);
-	}
-}
-
-static void
-fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
-	fetchctx_t *fctx = event->ev_arg;
-	isc_boolean_t bucket_empty = ISC_FALSE;
-	dns_resolver_t *res;
-	unsigned int bucketnum;
-	dns_validator_t *validator;
-	isc_boolean_t destroy = ISC_FALSE;
-
-	REQUIRE(VALID_FCTX(fctx));
-
-	UNUSED(task);
-
-	res = fctx->res;
-	bucketnum = fctx->bucketnum;
-
-	FCTXTRACE("doshutdown");
-
-	/*
-	 * An fctx that is shutting down is no longer in ADDRWAIT mode.
-	 */
-	fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-
-	/*
-	 * Cancel all pending validators.  Note that this must be done
-	 * without the bucket lock held, since that could cause deadlock.
-	 */
-	validator = ISC_LIST_HEAD(fctx->validators);
-	while (validator != NULL) {
-		dns_validator_cancel(validator);
-		validator = ISC_LIST_NEXT(validator, link);
-	}
-
-	if (fctx->nsfetch != NULL)
-		dns_resolver_cancelfetch(fctx->nsfetch);
-
-	/*
-	 * Shut down anything that is still running on behalf of this
-	 * fetch.  To avoid deadlock with the ADB, we must do this
-	 * before we lock the bucket lock.
-	 */
-	fctx_stopeverything(fctx, ISC_FALSE);
-
-	LOCK(&res->buckets[bucketnum].lock);
-
-	fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
-
-	INSIST(fctx->state == fetchstate_active ||
-	       fctx->state == fetchstate_done);
-	INSIST(fctx->want_shutdown);
-
-	if (fctx->state != fetchstate_done) {
-		fctx->state = fetchstate_done;
-		fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
-	}
-
-	if (fctx->references == 0 && fctx->pending == 0 &&
-	    fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
-		bucket_empty = fctx_unlink(fctx);
-		destroy = ISC_TRUE;
-	}
-
-	UNLOCK(&res->buckets[bucketnum].lock);
-
-	if (destroy) {
-		fctx_destroy(fctx);
-		if (bucket_empty)
-			empty_bucket(res);
-	}
-}
-
-static void
-fctx_start(isc_task_t *task, isc_event_t *event) {
-	fetchctx_t *fctx = event->ev_arg;
-	isc_boolean_t done = ISC_FALSE, bucket_empty = ISC_FALSE;
-	dns_resolver_t *res;
-	unsigned int bucketnum;
-	isc_boolean_t destroy = ISC_FALSE;
-
-	REQUIRE(VALID_FCTX(fctx));
-
-	UNUSED(task);
-
-	res = fctx->res;
-	bucketnum = fctx->bucketnum;
-
-	FCTXTRACE("start");
-
-	LOCK(&res->buckets[bucketnum].lock);
-
-	INSIST(fctx->state == fetchstate_init);
-	if (fctx->want_shutdown) {
-		/*
-		 * We haven't started this fctx yet, and we've been requested
-		 * to shut it down.
-		 */
-		fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
-		fctx->state = fetchstate_done;
-		fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
-		/*
-		 * Since we haven't started, we INSIST that we have no
-		 * pending ADB finds and no pending validations.
-		 */
-		INSIST(fctx->pending == 0);
-		INSIST(fctx->nqueries == 0);
-		INSIST(ISC_LIST_EMPTY(fctx->validators));
-		if (fctx->references == 0) {
-			/*
-			 * It's now safe to destroy this fctx.
-			 */
-			bucket_empty = fctx_unlink(fctx);
-			destroy = ISC_TRUE;
-		}
-		done = ISC_TRUE;
-	} else {
-		/*
-		 * Normal fctx startup.
-		 */
-		fctx->state = fetchstate_active;
-		/*
-		 * Reset the control event for later use in shutting down
-		 * the fctx.
-		 */
-		ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
-			       DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx,
-			       NULL, NULL, NULL);
-	}
-
-	UNLOCK(&res->buckets[bucketnum].lock);
-
-	if (!done) {
-		isc_result_t result;
-
-		INSIST(!destroy);
-
-		/*
-		 * All is well.  Start working on the fetch.
-		 */
-		result = fctx_starttimer(fctx);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result, __LINE__);
-		else
-			fctx_try(fctx, ISC_FALSE, ISC_FALSE);
-	} else if (destroy) {
-			fctx_destroy(fctx);
-		if (bucket_empty)
-			empty_bucket(res);
-	}
-}
-
-/*
- * Fetch Creation, Joining, and Cancelation.
- */
-
-static inline isc_result_t
-fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
-	  dns_messageid_t id, isc_taskaction_t action, void *arg,
-	  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-	  dns_fetch_t *fetch)
-{
-	isc_task_t *clone;
-	dns_fetchevent_t *event;
-
-	FCTXTRACE("join");
-
-	/*
-	 * We store the task we're going to send this event to in the
-	 * sender field.  We'll make the fetch the sender when we actually
-	 * send the event.
-	 */
-	clone = NULL;
-	isc_task_attach(task, &clone);
-	event = (dns_fetchevent_t *)
-		isc_event_allocate(fctx->res->mctx, clone, DNS_EVENT_FETCHDONE,
-				   action, arg, sizeof(*event));
-	if (event == NULL) {
-		isc_task_detach(&clone);
-		return (ISC_R_NOMEMORY);
-	}
-	event->result = DNS_R_SERVFAIL;
-	event->qtype = fctx->type;
-	event->db = NULL;
-	event->node = NULL;
-	event->rdataset = rdataset;
-	event->sigrdataset = sigrdataset;
-	event->fetch = fetch;
-	event->client = client;
-	event->id = id;
-	dns_fixedname_init(&event->foundname);
-
-	/*
-	 * Make sure that we can store the sigrdataset in the
-	 * first event if it is needed by any of the events.
-	 */
-	if (event->sigrdataset != NULL)
-		ISC_LIST_PREPEND(fctx->events, event, ev_link);
-	else
-		ISC_LIST_APPEND(fctx->events, event, ev_link);
-	fctx->references++;
-	fctx->client = client;
-
-	fetch->magic = DNS_FETCH_MAGIC;
-	fetch->private = fctx;
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-log_ns_ttl(fetchctx_t *fctx, const char *where) {
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char domainbuf[DNS_NAME_FORMATSIZE];
-
-	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
-	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
-		      "log_ns_ttl: fctx %p: %s: %s (in '%s'?): %u %u",
-		      fctx, where, namebuf, domainbuf,
-		      fctx->ns_ttl_ok, fctx->ns_ttl);
-}
-
-static isc_result_t
-fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
-	    dns_name_t *domain, dns_rdataset_t *nameservers,
-	    unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
-{
-	fetchctx_t *fctx;
-	isc_result_t result;
-	isc_result_t iresult;
-	isc_interval_t interval;
-	dns_fixedname_t fixed;
-	unsigned int findoptions = 0;
-	char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	dns_name_t suffix;
-	isc_mem_t *mctx;
-
-	/*
-	 * Caller must be holding the lock for bucket number 'bucketnum'.
-	 */
-	REQUIRE(fctxp != NULL && *fctxp == NULL);
-
-	mctx = res->buckets[bucketnum].mctx;
-	fctx = isc_mem_get(mctx, sizeof(*fctx));
-	if (fctx == NULL)
-		return (ISC_R_NOMEMORY);
-	dns_name_format(name, buf, sizeof(buf));
-	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
-	strcat(buf, "/");       /* checked */
-	strcat(buf, typebuf);   /* checked */
-	fctx->info = isc_mem_strdup(mctx, buf);
-	if (fctx->info == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_fetch;
-	}
-	FCTXTRACE("create");
-	dns_name_init(&fctx->name, NULL);
-	result = dns_name_dup(name, mctx, &fctx->name);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_info;
-	dns_name_init(&fctx->domain, NULL);
-	dns_rdataset_init(&fctx->nameservers);
-
-	fctx->type = type;
-	fctx->options = options;
-	/*
-	 * Note!  We do not attach to the task.  We are relying on the
-	 * resolver to ensure that this task doesn't go away while we are
-	 * using it.
-	 */
-	fctx->res = res;
-	fctx->references = 0;
-	fctx->bucketnum = bucketnum;
-	fctx->state = fetchstate_init;
-	fctx->want_shutdown = ISC_FALSE;
-	fctx->cloned = ISC_FALSE;
-	ISC_LIST_INIT(fctx->queries);
-	ISC_LIST_INIT(fctx->finds);
-	ISC_LIST_INIT(fctx->altfinds);
-	ISC_LIST_INIT(fctx->forwaddrs);
-	ISC_LIST_INIT(fctx->altaddrs);
-	ISC_LIST_INIT(fctx->forwarders);
-	fctx->fwdpolicy = dns_fwdpolicy_none;
-	ISC_LIST_INIT(fctx->bad);
-	ISC_LIST_INIT(fctx->edns);
-	ISC_LIST_INIT(fctx->edns512);
-	ISC_LIST_INIT(fctx->bad_edns);
-	ISC_LIST_INIT(fctx->validators);
-	fctx->validator = NULL;
-	fctx->find = NULL;
-	fctx->altfind = NULL;
-	fctx->pending = 0;
-	fctx->restarts = 0;
-	fctx->querysent = 0;
-	fctx->referrals = 0;
-	TIME_NOW(&fctx->start);
-	fctx->timeouts = 0;
-	fctx->lamecount = 0;
-	fctx->adberr = 0;
-	fctx->neterr = 0;
-	fctx->badresp = 0;
-	fctx->findfail = 0;
-	fctx->valfail = 0;
-	fctx->result = ISC_R_FAILURE;
-	fctx->vresult = ISC_R_SUCCESS;
-	fctx->exitline = -1;	/* sentinel */
-	fctx->logged = ISC_FALSE;
-	fctx->attributes = 0;
-	fctx->spilled = ISC_FALSE;
-	fctx->nqueries = 0;
-	fctx->reason = NULL;
-	fctx->rand_buf = 0;
-	fctx->rand_bits = 0;
-	fctx->timeout = ISC_FALSE;
-	fctx->addrinfo = NULL;
-	fctx->client = NULL;
-	fctx->ns_ttl = 0;
-	fctx->ns_ttl_ok = ISC_FALSE;
-
-	dns_name_init(&fctx->nsname, NULL);
-	fctx->nsfetch = NULL;
-	dns_rdataset_init(&fctx->nsrrset);
-
-	if (domain == NULL) {
-		dns_forwarders_t *forwarders = NULL;
-		unsigned int labels;
-		dns_name_t *fwdname = name;
-
-		/*
-		 * DS records are found in the parent server.
-		 * Strip label to get the correct forwarder (if any).
-		 */
-		if (dns_rdatatype_atparent(fctx->type) &&
-		    dns_name_countlabels(name) > 1) {
-			dns_name_init(&suffix, NULL);
-			labels = dns_name_countlabels(name);
-			dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
-			fwdname = &suffix;
-		}
-		dns_fixedname_init(&fixed);
-		domain = dns_fixedname_name(&fixed);
-		result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
-					    domain, &forwarders);
-		if (result == ISC_R_SUCCESS)
-			fctx->fwdpolicy = forwarders->fwdpolicy;
-
-		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
-			/*
-			 * The caller didn't supply a query domain and
-			 * nameservers, and we're not in forward-only mode,
-			 * so find the best nameservers to use.
-			 */
-			if (dns_rdatatype_atparent(fctx->type))
-				findoptions |= DNS_DBFIND_NOEXACT;
-			result = dns_view_findzonecut(res->view, name, domain,
-						      0, findoptions, ISC_TRUE,
-						      &fctx->nameservers,
-						      NULL);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup_name;
-			result = dns_name_dup(domain, mctx, &fctx->domain);
-			if (result != ISC_R_SUCCESS) {
-				dns_rdataset_disassociate(&fctx->nameservers);
-				goto cleanup_name;
-			}
-			fctx->ns_ttl = fctx->nameservers.ttl;
-			fctx->ns_ttl_ok = ISC_TRUE;
-		} else {
-			/*
-			 * We're in forward-only mode.  Set the query domain.
-			 */
-			result = dns_name_dup(domain, mctx, &fctx->domain);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup_name;
-		}
-	} else {
-		result = dns_name_dup(domain, mctx, &fctx->domain);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_name;
-		dns_rdataset_clone(nameservers, &fctx->nameservers);
-		fctx->ns_ttl = fctx->nameservers.ttl;
-		fctx->ns_ttl_ok = ISC_TRUE;
-	}
-
-	log_ns_ttl(fctx, "fctx_create");
-
-	INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain));
-
-	fctx->qmessage = NULL;
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
-				    &fctx->qmessage);
-
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_domain;
-
-	fctx->rmessage = NULL;
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
-				    &fctx->rmessage);
-
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_qmessage;
-
-	/*
-	 * Compute an expiration time for the entire fetch.
-	 */
-	isc_interval_set(&interval, res->query_timeout, 0);
-	iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
-	if (iresult != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_time_nowplusinterval: %s",
-				 isc_result_totext(iresult));
-		result = ISC_R_UNEXPECTED;
-		goto cleanup_rmessage;
-	}
-
-	/*
-	 * Default retry interval initialization.  We set the interval now
-	 * mostly so it won't be uninitialized.  It will be set to the
-	 * correct value before a query is issued.
-	 */
-	isc_interval_set(&fctx->interval, 2, 0);
-
-	/*
-	 * Create an inactive timer.  It will be made active when the fetch
-	 * is actually started.
-	 */
-	fctx->timer = NULL;
-	iresult = isc_timer_create(res->timermgr, isc_timertype_inactive,
-				   NULL, NULL,
-				   res->buckets[bucketnum].task, fctx_timeout,
-				   fctx, &fctx->timer);
-	if (iresult != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_timer_create: %s",
-				 isc_result_totext(iresult));
-		result = ISC_R_UNEXPECTED;
-		goto cleanup_rmessage;
-	}
-
-	/*
-	 * Attach to the view's cache and adb.
-	 */
-	fctx->cache = NULL;
-	dns_db_attach(res->view->cachedb, &fctx->cache);
-	fctx->adb = NULL;
-	dns_adb_attach(res->view->adb, &fctx->adb);
-	fctx->mctx = NULL;
-	isc_mem_attach(mctx, &fctx->mctx);
-
-	ISC_LIST_INIT(fctx->events);
-	ISC_LINK_INIT(fctx, link);
-	fctx->magic = FCTX_MAGIC;
-
-	ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link);
-
-	LOCK(&res->nlock);
-	res->nfctx++;
-	UNLOCK(&res->nlock);
-
-	*fctxp = fctx;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_rmessage:
-	dns_message_destroy(&fctx->rmessage);
-
- cleanup_qmessage:
-	dns_message_destroy(&fctx->qmessage);
-
- cleanup_domain:
-	if (dns_name_countlabels(&fctx->domain) > 0)
-		dns_name_free(&fctx->domain, mctx);
-	if (dns_rdataset_isassociated(&fctx->nameservers))
-		dns_rdataset_disassociate(&fctx->nameservers);
-
- cleanup_name:
-	dns_name_free(&fctx->name, mctx);
-
- cleanup_info:
-	isc_mem_free(mctx, fctx->info);
-
- cleanup_fetch:
-	isc_mem_put(mctx, fctx, sizeof(*fctx));
-
-	return (result);
-}
-
-/*
- * Handle Responses
- */
-static inline isc_boolean_t
-is_lame(fetchctx_t *fctx) {
-	dns_message_t *message = fctx->rmessage;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	isc_result_t result;
-
-	if (message->rcode != dns_rcode_noerror &&
-	    message->rcode != dns_rcode_nxdomain)
-		return (ISC_FALSE);
-
-	if (message->counts[DNS_SECTION_ANSWER] != 0)
-		return (ISC_FALSE);
-
-	if (message->counts[DNS_SECTION_AUTHORITY] == 0)
-		return (ISC_FALSE);
-
-	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	while (result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			dns_namereln_t namereln;
-			int order;
-			unsigned int labels;
-			if (rdataset->type != dns_rdatatype_ns)
-				continue;
-			namereln = dns_name_fullcompare(name, &fctx->domain,
-							&order, &labels);
-			if (namereln == dns_namereln_equal &&
-			    (message->flags & DNS_MESSAGEFLAG_AA) != 0)
-				return (ISC_FALSE);
-			if (namereln == dns_namereln_subdomain)
-				return (ISC_FALSE);
-			return (ISC_TRUE);
-		}
-		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
-	}
-
-	return (ISC_FALSE);
-}
-
-static inline void
-log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char domainbuf[DNS_NAME_FORMATSIZE];
-	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
-	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
-	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
-	isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
-		      "lame server resolving '%s' (in '%s'?): %s",
-		      namebuf, domainbuf, addrbuf);
-}
-
-static inline void
-log_formerr(fetchctx_t *fctx, const char *format, ...) {
-	char nsbuf[ISC_SOCKADDR_FORMATSIZE];
-	char clbuf[ISC_SOCKADDR_FORMATSIZE];
-	const char *clmsg = "";
-	char msgbuf[2048];
-	va_list args;
-
-	va_start(args, format);
-	vsnprintf(msgbuf, sizeof(msgbuf), format, args);
-	va_end(args);
-
-	isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
-
-	if (fctx->client != NULL) {
-		clmsg = " for client ";
-		isc_sockaddr_format(fctx->client, clbuf, sizeof(clbuf));
-	} else {
-		clbuf[0] = '\0';
-	}
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-		      "DNS format error from %s resolving %s%s%s: %s",
-		      nsbuf, fctx->info, clmsg, clbuf, msgbuf);
-}
-
-static inline isc_result_t
-same_question(fetchctx_t *fctx) {
-	isc_result_t result;
-	dns_message_t *message = fctx->rmessage;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-
-	/*
-	 * Caller must be holding the fctx lock.
-	 */
-
-	/*
-	 * XXXRTH  Currently we support only one question.
-	 */
-	if (message->counts[DNS_SECTION_QUESTION] != 1) {
-		log_formerr(fctx, "too many questions");
-		return (DNS_R_FORMERR);
-	}
-
-	result = dns_message_firstname(message, DNS_SECTION_QUESTION);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	name = NULL;
-	dns_message_currentname(message, DNS_SECTION_QUESTION, &name);
-	rdataset = ISC_LIST_HEAD(name->list);
-	INSIST(rdataset != NULL);
-	INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
-
-	if (fctx->type != rdataset->type ||
-	    fctx->res->rdclass != rdataset->rdclass ||
-	    !dns_name_equal(&fctx->name, name)) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		char class[DNS_RDATACLASS_FORMATSIZE];
-		char type[DNS_RDATATYPE_FORMATSIZE];
-
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		dns_rdataclass_format(rdataset->rdclass, class, sizeof(class));
-		dns_rdatatype_format(rdataset->type, type, sizeof(type));
-		log_formerr(fctx, "question section mismatch: got %s/%s/%s",
-			    namebuf, class, type);
-		return (DNS_R_FORMERR);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-clone_results(fetchctx_t *fctx) {
-	dns_fetchevent_t *event, *hevent;
-	isc_result_t result;
-	dns_name_t *name, *hname;
-
-	FCTXTRACE("clone_results");
-
-	/*
-	 * Set up any other events to have the same data as the first
-	 * event.
-	 *
-	 * Caller must be holding the appropriate lock.
-	 */
-
-	fctx->cloned = ISC_TRUE;
-	hevent = ISC_LIST_HEAD(fctx->events);
-	if (hevent == NULL)
-		return;
-	hname = dns_fixedname_name(&hevent->foundname);
-	for (event = ISC_LIST_NEXT(hevent, ev_link);
-	     event != NULL;
-	     event = ISC_LIST_NEXT(event, ev_link)) {
-		name = dns_fixedname_name(&event->foundname);
-		result = dns_name_copy(hname, name, NULL);
-		if (result != ISC_R_SUCCESS)
-			event->result = result;
-		else
-			event->result = hevent->result;
-		dns_db_attach(hevent->db, &event->db);
-		dns_db_attachnode(hevent->db, hevent->node, &event->node);
-		INSIST(hevent->rdataset != NULL);
-		INSIST(event->rdataset != NULL);
-		if (dns_rdataset_isassociated(hevent->rdataset))
-			dns_rdataset_clone(hevent->rdataset, event->rdataset);
-		INSIST(! (hevent->sigrdataset == NULL &&
-			  event->sigrdataset != NULL));
-		if (hevent->sigrdataset != NULL &&
-		    dns_rdataset_isassociated(hevent->sigrdataset) &&
-		    event->sigrdataset != NULL)
-			dns_rdataset_clone(hevent->sigrdataset,
-					   event->sigrdataset);
-	}
-}
-
-#define CACHE(r)        (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
-#define ANSWER(r)       (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
-#define ANSWERSIG(r)    (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
-#define EXTERNAL(r)     (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
-#define CHAINING(r)     (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
-#define CHASE(r)        (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
-#define CHECKNAMES(r)   (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
-
-
-/*
- * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
- * no references and is no longer waiting for any events).
- *
- * Requires:
- *      '*fctx' is shutting down.
- *
- * Returns:
- *	true if the resolver is exiting and this is the last fctx in the bucket.
- */
-static isc_boolean_t
-maybe_destroy(fetchctx_t *fctx, isc_boolean_t locked) {
-	unsigned int bucketnum;
-	isc_boolean_t bucket_empty = ISC_FALSE;
-	dns_resolver_t *res = fctx->res;
-	dns_validator_t *validator, *next_validator;
-	isc_boolean_t destroy = ISC_FALSE;
-
-	REQUIRE(SHUTTINGDOWN(fctx));
-
-	bucketnum = fctx->bucketnum;
-	if (!locked)
-		LOCK(&res->buckets[bucketnum].lock);
-	if (fctx->pending != 0 || fctx->nqueries != 0)
-		goto unlock;
-
-	for (validator = ISC_LIST_HEAD(fctx->validators);
-	     validator != NULL; validator = next_validator) {
-		next_validator = ISC_LIST_NEXT(validator, link);
-		dns_validator_cancel(validator);
-	}
-
-	if (fctx->references == 0 && ISC_LIST_EMPTY(fctx->validators)) {
-		bucket_empty = fctx_unlink(fctx);
-		destroy = ISC_TRUE;
-	}
- unlock:
-	if (!locked)
-		UNLOCK(&res->buckets[bucketnum].lock);
-	if (destroy)
-		fctx_destroy(fctx);
-	return (bucket_empty);
-}
-
-/*
- * The validator has finished.
- */
-static void
-validated(isc_task_t *task, isc_event_t *event) {
-	dns_adbaddrinfo_t *addrinfo;
-	dns_dbnode_t *node = NULL;
-	dns_dbnode_t *nsnode = NULL;
-	dns_fetchevent_t *hevent;
-	dns_name_t *name;
-	dns_rdataset_t *ardataset = NULL;
-	dns_rdataset_t *asigrdataset = NULL;
-	dns_rdataset_t *rdataset;
-	dns_rdataset_t *sigrdataset;
-	dns_resolver_t *res;
-	dns_valarg_t *valarg;
-	dns_validatorevent_t *vevent;
-	fetchctx_t *fctx;
-	isc_boolean_t chaining;
-	isc_boolean_t negative;
-	isc_boolean_t sentresponse;
-	isc_result_t eresult = ISC_R_SUCCESS;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_stdtime_t now;
-	isc_uint32_t ttl;
-
-	UNUSED(task); /* for now */
-
-	REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
-	valarg = event->ev_arg;
-	fctx = valarg->fctx;
-	res = fctx->res;
-	addrinfo = valarg->addrinfo;
-	REQUIRE(VALID_FCTX(fctx));
-	REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
-
-	vevent = (dns_validatorevent_t *)event;
-	fctx->vresult = vevent->result;
-
-	FCTXTRACE("received validation completion event");
-
-	LOCK(&res->buckets[fctx->bucketnum].lock);
-
-	ISC_LIST_UNLINK(fctx->validators, vevent->validator, link);
-	fctx->validator = NULL;
-
-	/*
-	 * Destroy the validator early so that we can
-	 * destroy the fctx if necessary.
-	 */
-	dns_validator_destroy(&vevent->validator);
-	isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
-
-	negative = ISC_TF(vevent->rdataset == NULL);
-
-	sentresponse = ISC_TF((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0);
-
-	/*
-	 * If shutting down, ignore the results.  Check to see if we're
-	 * done waiting for validator completions and ADB pending events; if
-	 * so, destroy the fctx.
-	 */
-	if (SHUTTINGDOWN(fctx) && !sentresponse) {
-		isc_uint32_t bucketnum = fctx->bucketnum;
-		isc_boolean_t bucket_empty;
-		bucket_empty = maybe_destroy(fctx, ISC_TRUE);
-		UNLOCK(&res->buckets[bucketnum].lock);
-		if (bucket_empty)
-			empty_bucket(res);
-		goto cleanup_event;
-	}
-
-	isc_stdtime_get(&now);
-
-	/*
-	 * If chaining, we need to make sure that the right result code is
-	 * returned, and that the rdatasets are bound.
-	 */
-	if (vevent->result == ISC_R_SUCCESS &&
-	    !negative &&
-	    vevent->rdataset != NULL &&
-	    CHAINING(vevent->rdataset))
-	{
-		if (vevent->rdataset->type == dns_rdatatype_cname)
-			eresult = DNS_R_CNAME;
-		else {
-			INSIST(vevent->rdataset->type == dns_rdatatype_dname);
-			eresult = DNS_R_DNAME;
-		}
-		chaining = ISC_TRUE;
-	} else
-		chaining = ISC_FALSE;
-
-	/*
-	 * Either we're not shutting down, or we are shutting down but want
-	 * to cache the result anyway (if this was a validation started by
-	 * a query with cd set)
-	 */
-
-	hevent = ISC_LIST_HEAD(fctx->events);
-	if (hevent != NULL) {
-		if (!negative && !chaining &&
-		    (fctx->type == dns_rdatatype_any ||
-		     fctx->type == dns_rdatatype_rrsig ||
-		     fctx->type == dns_rdatatype_sig)) {
-			/*
-			 * Don't bind rdatasets; the caller
-			 * will iterate the node.
-			 */
-		} else {
-			ardataset = hevent->rdataset;
-			asigrdataset = hevent->sigrdataset;
-		}
-	}
-
-	if (vevent->result != ISC_R_SUCCESS) {
-		FCTXTRACE("validation failed");
-		inc_stats(res, dns_resstatscounter_valfail);
-		fctx->valfail++;
-		fctx->vresult = vevent->result;
-		if (fctx->vresult != DNS_R_BROKENCHAIN) {
-			result = ISC_R_NOTFOUND;
-			if (vevent->rdataset != NULL)
-				result = dns_db_findnode(fctx->cache,
-							 vevent->name,
-							 ISC_TRUE, &node);
-			if (result == ISC_R_SUCCESS)
-				(void)dns_db_deleterdataset(fctx->cache, node,
-							     NULL,
-							    vevent->type, 0);
-			if (result == ISC_R_SUCCESS &&
-			     vevent->sigrdataset != NULL)
-				(void)dns_db_deleterdataset(fctx->cache, node,
-							    NULL,
-							    dns_rdatatype_rrsig,
-							    vevent->type);
-			if (result == ISC_R_SUCCESS)
-				dns_db_detachnode(fctx->cache, &node);
-		}
-		if (fctx->vresult == DNS_R_BROKENCHAIN && !negative) {
-			/*
-			 * Cache the data as pending for later validation.
-			 */
-			result = ISC_R_NOTFOUND;
-			if (vevent->rdataset != NULL)
-				result = dns_db_findnode(fctx->cache,
-							 vevent->name,
-							 ISC_TRUE, &node);
-			if (result == ISC_R_SUCCESS) {
-				(void)dns_db_addrdataset(fctx->cache, node,
-							 NULL, now,
-							 vevent->rdataset, 0,
-							 NULL);
-			}
-			if (result == ISC_R_SUCCESS &&
-			    vevent->sigrdataset != NULL)
-				(void)dns_db_addrdataset(fctx->cache, node,
-							 NULL, now,
-							 vevent->sigrdataset,
-							 0, NULL);
-			if (result == ISC_R_SUCCESS)
-				dns_db_detachnode(fctx->cache, &node);
-		}
-		result = fctx->vresult;
-		add_bad(fctx, addrinfo, result, badns_validation);
-		isc_event_free(&event);
-		UNLOCK(&res->buckets[fctx->bucketnum].lock);
-		INSIST(fctx->validator == NULL);
-		fctx->validator = ISC_LIST_HEAD(fctx->validators);
-		if (fctx->validator != NULL)
-			dns_validator_send(fctx->validator);
-		else if (sentresponse)
-			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
-		else if (result == DNS_R_BROKENCHAIN) {
-			isc_result_t tresult;
-			isc_time_t expire;
-			isc_interval_t i;
-
-			isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0);
-			tresult = isc_time_nowplusinterval(&expire, &i);
-			if (negative &&
-			    (fctx->type == dns_rdatatype_dnskey ||
-			     fctx->type == dns_rdatatype_dlv ||
-			     fctx->type == dns_rdatatype_ds) &&
-			     tresult == ISC_R_SUCCESS)
-				dns_resolver_addbadcache(res, &fctx->name,
-							 fctx->type, &expire);
-			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
-		} else
-			fctx_try(fctx, ISC_TRUE, ISC_TRUE); /* Locks bucket. */
-		return;
-	}
-
-
-	if (negative) {
-		dns_rdatatype_t covers;
-		FCTXTRACE("nonexistence validation OK");
-
-		inc_stats(res, dns_resstatscounter_valnegsuccess);
-
-		if (fctx->rmessage->rcode == dns_rcode_nxdomain)
-			covers = dns_rdatatype_any;
-		else
-			covers = fctx->type;
-
-		result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE,
-					 &node);
-		if (result != ISC_R_SUCCESS)
-			goto noanswer_response;
-
-		/*
-		 * If we are asking for a SOA record set the cache time
-		 * to zero to facilitate locating the containing zone of
-		 * a arbitrary zone.
-		 */
-		ttl = res->view->maxncachettl;
-		if (fctx->type == dns_rdatatype_soa &&
-		    covers == dns_rdatatype_any && res->zero_no_soa_ttl)
-			ttl = 0;
-
-		result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
-					   covers, now, ttl, vevent->optout,
-					   vevent->secure, ardataset, &eresult);
-		if (result != ISC_R_SUCCESS)
-			goto noanswer_response;
-		goto answer_response;
-	} else
-		inc_stats(res, dns_resstatscounter_valsuccess);
-
-	FCTXTRACE("validation OK");
-
-	if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
-		result = dns_rdataset_addnoqname(vevent->rdataset,
-				   vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		INSIST(vevent->sigrdataset != NULL);
-		vevent->sigrdataset->ttl = vevent->rdataset->ttl;
-		if (vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER] != NULL) {
-			result = dns_rdataset_addclosest(vevent->rdataset,
-				 vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER]);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		}
-	} else if (vevent->rdataset->trust == dns_trust_answer &&
-		   vevent->rdataset->type != dns_rdatatype_rrsig)
-	{
-		isc_result_t tresult;
-		dns_name_t *noqname = NULL;
-		tresult = findnoqname(fctx, vevent->name,
-				      vevent->rdataset->type, &noqname);
-		if (tresult == ISC_R_SUCCESS && noqname != NULL) {
-			tresult = dns_rdataset_addnoqname(vevent->rdataset,
-							  noqname);
-			RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
-		}
-	}
-
-	/*
-	 * The data was already cached as pending data.
-	 * Re-cache it as secure and bind the cached
-	 * rdatasets to the first event on the fetch
-	 * event list.
-	 */
-	result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto noanswer_response;
-
-	result = dns_db_addrdataset(fctx->cache, node, NULL, now,
-				    vevent->rdataset, 0, ardataset);
-	if (result != ISC_R_SUCCESS &&
-	    result != DNS_R_UNCHANGED)
-		goto noanswer_response;
-	if (ardataset != NULL && NEGATIVE(ardataset)) {
-		if (NXDOMAIN(ardataset))
-			eresult = DNS_R_NCACHENXDOMAIN;
-		else
-			eresult = DNS_R_NCACHENXRRSET;
-	} else if (vevent->sigrdataset != NULL) {
-		result = dns_db_addrdataset(fctx->cache, node, NULL, now,
-					    vevent->sigrdataset, 0,
-					    asigrdataset);
-		if (result != ISC_R_SUCCESS &&
-		    result != DNS_R_UNCHANGED)
-			goto noanswer_response;
-	}
-
-	if (sentresponse) {
-		isc_boolean_t bucket_empty = ISC_FALSE;
-		/*
-		 * If we only deferred the destroy because we wanted to cache
-		 * the data, destroy now.
-		 */
-		dns_db_detachnode(fctx->cache, &node);
-		if (SHUTTINGDOWN(fctx))
-			bucket_empty = maybe_destroy(fctx, ISC_TRUE);
-		UNLOCK(&res->buckets[fctx->bucketnum].lock);
-		if (bucket_empty)
-			empty_bucket(res);
-		goto cleanup_event;
-	}
-
-	if (!ISC_LIST_EMPTY(fctx->validators)) {
-		INSIST(!negative);
-		INSIST(fctx->type == dns_rdatatype_any ||
-		       fctx->type == dns_rdatatype_rrsig ||
-		       fctx->type == dns_rdatatype_sig);
-		/*
-		 * Don't send a response yet - we have
-		 * more rdatasets that still need to
-		 * be validated.
-		 */
-		dns_db_detachnode(fctx->cache, &node);
-		UNLOCK(&res->buckets[fctx->bucketnum].lock);
-		dns_validator_send(ISC_LIST_HEAD(fctx->validators));
-		goto cleanup_event;
-	}
-
- answer_response:
-	/*
-	 * Cache any NS/NSEC records that happened to be validated.
-	 */
-	result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
-	while (result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
-					&name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if ((rdataset->type != dns_rdatatype_ns &&
-			     rdataset->type != dns_rdatatype_nsec) ||
-			    rdataset->trust != dns_trust_secure)
-				continue;
-			for (sigrdataset = ISC_LIST_HEAD(name->list);
-			     sigrdataset != NULL;
-			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
-				if (sigrdataset->type != dns_rdatatype_rrsig ||
-				    sigrdataset->covers != rdataset->type)
-					continue;
-				break;
-			}
-			if (sigrdataset == NULL ||
-			    sigrdataset->trust != dns_trust_secure)
-				continue;
-			result = dns_db_findnode(fctx->cache, name, ISC_TRUE,
-						 &nsnode);
-			if (result != ISC_R_SUCCESS)
-				continue;
-
-			result = dns_db_addrdataset(fctx->cache, nsnode, NULL,
-						    now, rdataset, 0, NULL);
-			if (result == ISC_R_SUCCESS)
-				result = dns_db_addrdataset(fctx->cache, nsnode,
-							    NULL, now,
-							    sigrdataset, 0,
-							    NULL);
-			dns_db_detachnode(fctx->cache, &nsnode);
-			if (result != ISC_R_SUCCESS)
-				continue;
-		}
-		result = dns_message_nextname(fctx->rmessage,
-					      DNS_SECTION_AUTHORITY);
-	}
-
-	result = ISC_R_SUCCESS;
-
-	/*
-	 * Respond with an answer, positive or negative,
-	 * as opposed to an error.  'node' must be non-NULL.
-	 */
-
-	fctx->attributes |= FCTX_ATTR_HAVEANSWER;
-
-	if (hevent != NULL) {
-		/*
-		 * Negative results must be indicated in event->result.
-		 */
-		if (dns_rdataset_isassociated(hevent->rdataset) &&
-		    NEGATIVE(hevent->rdataset)) {
-			INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
-			       eresult == DNS_R_NCACHENXRRSET);
-		}
-		hevent->result = eresult;
-		RUNTIME_CHECK(dns_name_copy(vevent->name,
-			      dns_fixedname_name(&hevent->foundname), NULL)
-			      == ISC_R_SUCCESS);
-		dns_db_attach(fctx->cache, &hevent->db);
-		dns_db_transfernode(fctx->cache, &node, &hevent->node);
-		clone_results(fctx);
-	}
-
- noanswer_response:
-	if (node != NULL)
-		dns_db_detachnode(fctx->cache, &node);
-
-	UNLOCK(&res->buckets[fctx->bucketnum].lock);
-	fctx_done(fctx, result, __LINE__); /* Locks bucket. */
-
- cleanup_event:
-	INSIST(node == NULL);
-	isc_event_free(&event);
-}
-
-static void
-fctx_log(void *arg, int level, const char *fmt, ...) {
-	char msgbuf[2048];
-	va_list args;
-	fetchctx_t *fctx = arg;
-
-	va_start(args, fmt);
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
-	va_end(args);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-		      DNS_LOGMODULE_RESOLVER, level,
-		      "fctx %p(%s): %s", fctx, fctx->info, msgbuf);
-}
-
-static inline isc_result_t
-findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
-	    dns_name_t **noqnamep)
-{
-	dns_rdataset_t *nrdataset, *next, *sigrdataset;
-	dns_rdata_rrsig_t rrsig;
-	isc_result_t result;
-	unsigned int labels;
-	dns_section_t section;
-	dns_name_t *zonename;
-	dns_fixedname_t fzonename;
-	dns_name_t *closest;
-	dns_fixedname_t fclosest;
-	dns_name_t *nearest;
-	dns_fixedname_t fnearest;
-	dns_rdatatype_t found = dns_rdatatype_none;
-	dns_name_t *noqname = NULL;
-
-	FCTXTRACE("findnoqname");
-
-	REQUIRE(noqnamep != NULL && *noqnamep == NULL);
-
-	/*
-	 * Find the SIG for this rdataset, if we have it.
-	 */
-	for (sigrdataset = ISC_LIST_HEAD(name->list);
-	     sigrdataset != NULL;
-	     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
-		if (sigrdataset->type == dns_rdatatype_rrsig &&
-		    sigrdataset->covers == type)
-			break;
-	}
-
-	if (sigrdataset == NULL)
-		return (ISC_R_NOTFOUND);
-
-	labels = dns_name_countlabels(name);
-
-	for (result = dns_rdataset_first(sigrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(sigrdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdataset_current(sigrdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		/* Wildcard has rrsig.labels < labels - 1. */
-		if (rrsig.labels + 1U >= labels)
-			continue;
-		break;
-	}
-
-	if (result == ISC_R_NOMORE)
-		return (ISC_R_NOTFOUND);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_fixedname_init(&fzonename);
-	zonename = dns_fixedname_name(&fzonename);
-	dns_fixedname_init(&fclosest);
-	closest = dns_fixedname_name(&fclosest);
-	dns_fixedname_init(&fnearest);
-	nearest = dns_fixedname_name(&fnearest);
-
-#define NXND(x) ((x) == ISC_R_SUCCESS)
-
-	section = DNS_SECTION_AUTHORITY;
-	for (result = dns_message_firstname(fctx->rmessage, section);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(fctx->rmessage, section)) {
-		dns_name_t *nsec = NULL;
-		dns_message_currentname(fctx->rmessage, section, &nsec);
-		for (nrdataset = ISC_LIST_HEAD(nsec->list);
-		      nrdataset != NULL; nrdataset = next) {
-			isc_boolean_t data = ISC_FALSE, exists = ISC_FALSE;
-			isc_boolean_t optout = ISC_FALSE, unknown = ISC_FALSE;
-			isc_boolean_t setclosest = ISC_FALSE;
-			isc_boolean_t setnearest = ISC_FALSE;
-
-			next = ISC_LIST_NEXT(nrdataset, link);
-			if (nrdataset->type != dns_rdatatype_nsec &&
-			    nrdataset->type != dns_rdatatype_nsec3)
-				continue;
-
-			if (nrdataset->type == dns_rdatatype_nsec &&
-			    NXND(dns_nsec_noexistnodata(type, name, nsec,
-							nrdataset, &exists,
-							&data, NULL, fctx_log,
-							fctx)))
-			{
-				if (!exists) {
-					noqname = nsec;
-					found = dns_rdatatype_nsec;
-				}
-			}
-
-			if (nrdataset->type == dns_rdatatype_nsec3 &&
-			    NXND(dns_nsec3_noexistnodata(type, name, nsec,
-							 nrdataset, zonename,
-							 &exists, &data,
-							 &optout, &unknown,
-							 &setclosest,
-							 &setnearest,
-							 closest, nearest,
-							 fctx_log, fctx)))
-			{
-				if (!exists && setnearest) {
-					noqname = nsec;
-					found = dns_rdatatype_nsec3;
-				}
-			}
-		}
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	if (noqname != NULL) {
-		for (sigrdataset = ISC_LIST_HEAD(noqname->list);
-		     sigrdataset != NULL;
-		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
-			if (sigrdataset->type == dns_rdatatype_rrsig &&
-			    sigrdataset->covers == found)
-				break;
-		}
-		if (sigrdataset != NULL)
-			*noqnamep = noqname;
-	}
-	return (result);
-}
-
-static inline isc_result_t
-cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
-	   isc_stdtime_t now)
-{
-	dns_rdataset_t *rdataset, *sigrdataset;
-	dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset;
-	dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
-	dns_dbnode_t *node, **anodep;
-	dns_db_t **adbp;
-	dns_name_t *aname;
-	dns_resolver_t *res;
-	isc_boolean_t need_validation, secure_domain, have_answer;
-	isc_result_t result, eresult;
-	dns_fetchevent_t *event;
-	unsigned int options;
-	isc_task_t *task;
-	isc_boolean_t fail;
-	unsigned int valoptions = 0;
-
-	/*
-	 * The appropriate bucket lock must be held.
-	 */
-
-	res = fctx->res;
-	need_validation = ISC_FALSE;
-	POST(need_validation);
-	secure_domain = ISC_FALSE;
-	have_answer = ISC_FALSE;
-	eresult = ISC_R_SUCCESS;
-	task = res->buckets[fctx->bucketnum].task;
-
-	/*
-	 * Is DNSSEC validation required for this name?
-	 */
-	if (res->view->enablevalidation) {
-		result = dns_view_issecuredomain(res->view, name,
-						 &secure_domain);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		if (!secure_domain && res->view->dlv != NULL) {
-			valoptions = DNS_VALIDATOR_DLV;
-			secure_domain = ISC_TRUE;
-		}
-	}
-
-	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
-		need_validation = ISC_FALSE;
-	else
-		need_validation = secure_domain;
-
-	adbp = NULL;
-	aname = NULL;
-	anodep = NULL;
-	ardataset = NULL;
-	asigrdataset = NULL;
-	event = NULL;
-	if ((name->attributes & DNS_NAMEATTR_ANSWER) != 0 &&
-	    !need_validation) {
-		have_answer = ISC_TRUE;
-		event = ISC_LIST_HEAD(fctx->events);
-		if (event != NULL) {
-			adbp = &event->db;
-			aname = dns_fixedname_name(&event->foundname);
-			result = dns_name_copy(name, aname, NULL);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			anodep = &event->node;
-			/*
-			 * If this is an ANY, SIG or RRSIG query, we're not
-			 * going to return any rdatasets, unless we encountered
-			 * a CNAME or DNAME as "the answer".  In this case,
-			 * we're going to return DNS_R_CNAME or DNS_R_DNAME
-			 * and we must set up the rdatasets.
-			 */
-			if ((fctx->type != dns_rdatatype_any &&
-			     fctx->type != dns_rdatatype_rrsig &&
-			     fctx->type != dns_rdatatype_sig) ||
-			    (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
-				ardataset = event->rdataset;
-				asigrdataset = event->sigrdataset;
-			}
-		}
-	}
-
-	/*
-	 * Find or create the cache node.
-	 */
-	node = NULL;
-	result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Cache or validate each cacheable rdataset.
-	 */
-	fail = ISC_TF((fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0);
-	for (rdataset = ISC_LIST_HEAD(name->list);
-	     rdataset != NULL;
-	     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-		if (!CACHE(rdataset))
-			continue;
-		if (CHECKNAMES(rdataset)) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-			char typebuf[DNS_RDATATYPE_FORMATSIZE];
-			char classbuf[DNS_RDATATYPE_FORMATSIZE];
-
-			dns_name_format(name, namebuf, sizeof(namebuf));
-			dns_rdatatype_format(rdataset->type, typebuf,
-					     sizeof(typebuf));
-			dns_rdataclass_format(rdataset->rdclass, classbuf,
-					      sizeof(classbuf));
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-				      "check-names %s %s/%s/%s",
-				      fail ? "failure" : "warning",
-				      namebuf, typebuf, classbuf);
-			if (fail) {
-				if (ANSWER(rdataset)) {
-					dns_db_detachnode(fctx->cache, &node);
-					return (DNS_R_BADNAME);
-				}
-				continue;
-			}
-		}
-
-		/*
-		 * Enforce the configure maximum cache TTL.
-		 */
-		if (rdataset->ttl > res->view->maxcachettl)
-			rdataset->ttl = res->view->maxcachettl;
-
-		/*
-		 * Find the SIG for this rdataset, if we have it.
-		 */
-		for (sigrdataset = ISC_LIST_HEAD(name->list);
-		     sigrdataset != NULL;
-		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
-			if (sigrdataset->type == dns_rdatatype_rrsig &&
-			    sigrdataset->covers == rdataset->type)
-				break;
-		}
-
-		/*
-		 * If this RRset is in a secure domain, is in bailiwick,
-		 * and is not glue, attempt DNSSEC validation.	(We do not
-		 * attempt to validate glue or out-of-bailiwick data--even
-		 * though there might be some performance benefit to doing
-		 * so--because it makes it simpler and safer to ensure that
-		 * records from a secure domain are only cached if validated
-		 * within the context of a query to the domain that owns
-		 * them.)
-		 */
-		if (secure_domain && rdataset->trust != dns_trust_glue &&
-		    !EXTERNAL(rdataset)) {
-			dns_trust_t trust;
-
-			/*
-			 * RRSIGs are validated as part of validating the
-			 * type they cover.
-			 */
-			if (rdataset->type == dns_rdatatype_rrsig)
-				continue;
-
-			if (sigrdataset == NULL) {
-				if (!ANSWER(rdataset) && need_validation) {
-					/*
-					 * Ignore non-answer rdatasets that
-					 * are missing signatures.
-					 */
-					continue;
-				}
-			}
-
-			/*
-			 * Normalize the rdataset and sigrdataset TTLs.
-			 */
-			if (sigrdataset != NULL) {
-				rdataset->ttl = ISC_MIN(rdataset->ttl,
-							sigrdataset->ttl);
-				sigrdataset->ttl = rdataset->ttl;
-			}
-
-			/*
-			 * Cache this rdataset/sigrdataset pair as
-			 * pending data.  Track whether it was additional
-			 * or not.
-			 */
-			if (rdataset->trust == dns_trust_additional)
-				trust = dns_trust_pending_additional;
-			else
-				trust = dns_trust_pending_answer;
-
-			rdataset->trust = trust;
-			if (sigrdataset != NULL)
-				sigrdataset->trust = trust;
-			if (!need_validation || !ANSWER(rdataset)) {
-				if (ANSWER(rdataset) &&
-				   rdataset->type != dns_rdatatype_rrsig) {
-					isc_result_t tresult;
-					dns_name_t *noqname = NULL;
-					tresult = findnoqname(fctx, name,
-							      rdataset->type,
-							      &noqname);
-					if (tresult == ISC_R_SUCCESS &&
-					    noqname != NULL) {
-						tresult =
-						     dns_rdataset_addnoqname(
-							    rdataset, noqname);
-						RUNTIME_CHECK(tresult ==
-							      ISC_R_SUCCESS);
-					}
-				}
-				addedrdataset = ardataset;
-				result = dns_db_addrdataset(fctx->cache, node,
-							    NULL, now, rdataset,
-							    0, addedrdataset);
-				if (result == DNS_R_UNCHANGED) {
-					result = ISC_R_SUCCESS;
-					if (!need_validation &&
-					    ardataset != NULL &&
-					    NEGATIVE(ardataset)) {
-						/*
-						 * The answer in the cache is
-						 * better than the answer we
-						 * found, and is a negative
-						 * cache entry, so we must set
-						 * eresult appropriately.
-						 */
-						if (NXDOMAIN(ardataset))
-							eresult =
-							   DNS_R_NCACHENXDOMAIN;
-						else
-							eresult =
-							   DNS_R_NCACHENXRRSET;
-						/*
-						 * We have a negative response
-						 * from the cache so don't
-						 * attempt to add the RRSIG
-						 * rrset.
-						 */
-						continue;
-					}
-				}
-				if (result != ISC_R_SUCCESS)
-					break;
-				if (sigrdataset != NULL) {
-					addedrdataset = asigrdataset;
-					result = dns_db_addrdataset(fctx->cache,
-								node, NULL, now,
-								sigrdataset, 0,
-								addedrdataset);
-					if (result == DNS_R_UNCHANGED)
-						result = ISC_R_SUCCESS;
-					if (result != ISC_R_SUCCESS)
-						break;
-				} else if (!ANSWER(rdataset))
-					continue;
-			}
-
-			if (ANSWER(rdataset) && need_validation) {
-				if (fctx->type != dns_rdatatype_any &&
-				    fctx->type != dns_rdatatype_rrsig &&
-				    fctx->type != dns_rdatatype_sig) {
-					/*
-					 * This is The Answer.  We will
-					 * validate it, but first we cache
-					 * the rest of the response - it may
-					 * contain useful keys.
-					 */
-					INSIST(valrdataset == NULL &&
-					       valsigrdataset == NULL);
-					valrdataset = rdataset;
-					valsigrdataset = sigrdataset;
-				} else {
-					/*
-					 * This is one of (potentially)
-					 * multiple answers to an ANY
-					 * or SIG query.  To keep things
-					 * simple, we just start the
-					 * validator right away rather
-					 * than caching first and
-					 * having to remember which
-					 * rdatasets needed validation.
-					 */
-					result = valcreate(fctx, addrinfo,
-							   name, rdataset->type,
-							   rdataset,
-							   sigrdataset,
-							   valoptions, task);
-					/*
-					 * Defer any further validations.
-					 * This prevents multiple validators
-					 * from manipulating fctx->rmessage
-					 * simultaneously.
-					 */
-					valoptions |= DNS_VALIDATOR_DEFER;
-				}
-			} else if (CHAINING(rdataset)) {
-				if (rdataset->type == dns_rdatatype_cname)
-					eresult = DNS_R_CNAME;
-				else {
-					INSIST(rdataset->type ==
-					       dns_rdatatype_dname);
-					eresult = DNS_R_DNAME;
-				}
-			}
-		} else if (!EXTERNAL(rdataset)) {
-			/*
-			 * It's OK to cache this rdataset now.
-			 */
-			if (ANSWER(rdataset))
-				addedrdataset = ardataset;
-			else if (ANSWERSIG(rdataset))
-				addedrdataset = asigrdataset;
-			else
-				addedrdataset = NULL;
-			if (CHAINING(rdataset)) {
-				if (rdataset->type == dns_rdatatype_cname)
-					eresult = DNS_R_CNAME;
-				else {
-					INSIST(rdataset->type ==
-					       dns_rdatatype_dname);
-					eresult = DNS_R_DNAME;
-				}
-			}
-			if (rdataset->trust == dns_trust_glue &&
-			    (rdataset->type == dns_rdatatype_ns ||
-			     (rdataset->type == dns_rdatatype_rrsig &&
-			      rdataset->covers == dns_rdatatype_ns))) {
-				/*
-				 * If the trust level is 'dns_trust_glue'
-				 * then we are adding data from a referral
-				 * we got while executing the search algorithm.
-				 * New referral data always takes precedence
-				 * over the existing cache contents.
-				 */
-				options = DNS_DBADD_FORCE;
-			} else
-				options = 0;
-
-			if (ANSWER(rdataset) &&
-			   rdataset->type != dns_rdatatype_rrsig) {
-				isc_result_t tresult;
-				dns_name_t *noqname = NULL;
-				tresult = findnoqname(fctx, name,
-						      rdataset->type, &noqname);
-				if (tresult == ISC_R_SUCCESS &&
-				    noqname != NULL) {
-					tresult = dns_rdataset_addnoqname(
-							    rdataset, noqname);
-					RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
-				}
-			}
-
-			/*
-			 * Now we can add the rdataset.
-			 */
-			result = dns_db_addrdataset(fctx->cache,
-						    node, NULL, now,
-						    rdataset,
-						    options,
-						    addedrdataset);
-
-			if (result == DNS_R_UNCHANGED) {
-				if (ANSWER(rdataset) &&
-				    ardataset != NULL &&
-				    NEGATIVE(ardataset)) {
-					/*
-					 * The answer in the cache is better
-					 * than the answer we found, and is
-					 * a negative cache entry, so we
-					 * must set eresult appropriately.
-					 */
-					if (NXDOMAIN(ardataset))
-						eresult = DNS_R_NCACHENXDOMAIN;
-					else
-						eresult = DNS_R_NCACHENXRRSET;
-				}
-				result = ISC_R_SUCCESS;
-			} else if (result != ISC_R_SUCCESS)
-				break;
-		}
-	}
-
-	if (valrdataset != NULL)
-		result = valcreate(fctx, addrinfo, name, fctx->type,
-				   valrdataset, valsigrdataset, valoptions,
-				   task);
-
-	if (result == ISC_R_SUCCESS && have_answer) {
-		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
-		if (event != NULL) {
-			/*
-			 * Negative results must be indicated in event->result.
-			 */
-			if (dns_rdataset_isassociated(event->rdataset) &&
-			    NEGATIVE(event->rdataset)) {
-				INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
-				       eresult == DNS_R_NCACHENXRRSET);
-			}
-			event->result = eresult;
-			dns_db_attach(fctx->cache, adbp);
-			dns_db_transfernode(fctx->cache, &node, anodep);
-			clone_results(fctx);
-		}
-	}
-
-	if (node != NULL)
-		dns_db_detachnode(fctx->cache, &node);
-
-	return (result);
-}
-
-static inline isc_result_t
-cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
-{
-	isc_result_t result;
-	dns_section_t section;
-	dns_name_t *name;
-
-	FCTXTRACE("cache_message");
-
-	fctx->attributes &= ~FCTX_ATTR_WANTCACHE;
-
-	LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-
-	for (section = DNS_SECTION_ANSWER;
-	     section <= DNS_SECTION_ADDITIONAL;
-	     section++) {
-		result = dns_message_firstname(fctx->rmessage, section);
-		while (result == ISC_R_SUCCESS) {
-			name = NULL;
-			dns_message_currentname(fctx->rmessage, section,
-						&name);
-			if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) {
-				result = cache_name(fctx, name, addrinfo, now);
-				if (result != ISC_R_SUCCESS)
-					break;
-			}
-			result = dns_message_nextname(fctx->rmessage, section);
-		}
-		if (result != ISC_R_NOMORE)
-			break;
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-
-	return (result);
-}
-
-/*
- * Do what dns_ncache_addoptout() does, and then compute an appropriate eresult.
- */
-static isc_result_t
-ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-		  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
-		  isc_boolean_t optout, isc_boolean_t secure,
-		  dns_rdataset_t *ardataset, isc_result_t *eresultp)
-{
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-
-	if (ardataset == NULL) {
-		dns_rdataset_init(&rdataset);
-		ardataset = &rdataset;
-	}
-	if (secure)
-		result = dns_ncache_addoptout(message, cache, node, covers,
-					      now, maxttl, optout, ardataset);
-	else
-		result = dns_ncache_add(message, cache, node, covers, now,
-					maxttl, ardataset);
-	if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
-		/*
-		 * If the cache now contains a negative entry and we
-		 * care about whether it is DNS_R_NCACHENXDOMAIN or
-		 * DNS_R_NCACHENXRRSET then extract it.
-		 */
-		if (NEGATIVE(ardataset)) {
-			/*
-			 * The cache data is a negative cache entry.
-			 */
-			if (NXDOMAIN(ardataset))
-				*eresultp = DNS_R_NCACHENXDOMAIN;
-			else
-				*eresultp = DNS_R_NCACHENXRRSET;
-		} else {
-			/*
-			 * Either we don't care about the nature of the
-			 * cache rdataset (because no fetch is interested
-			 * in the outcome), or the cache rdataset is not
-			 * a negative cache entry.  Whichever case it is,
-			 * we can return success.
-			 *
-			 * XXXRTH  There's a CNAME/DNAME problem here.
-			 */
-			*eresultp = ISC_R_SUCCESS;
-		}
-		result = ISC_R_SUCCESS;
-	}
-	if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
-		dns_rdataset_disassociate(ardataset);
-
-	return (result);
-}
-
-static inline isc_result_t
-ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
-	       dns_rdatatype_t covers, isc_stdtime_t now)
-{
-	isc_result_t result, eresult;
-	dns_name_t *name;
-	dns_resolver_t *res;
-	dns_db_t **adbp;
-	dns_dbnode_t *node, **anodep;
-	dns_rdataset_t *ardataset;
-	isc_boolean_t need_validation, secure_domain;
-	dns_name_t *aname;
-	dns_fetchevent_t *event;
-	isc_uint32_t ttl;
-	unsigned int valoptions = 0;
-
-	FCTXTRACE("ncache_message");
-
-	fctx->attributes &= ~FCTX_ATTR_WANTNCACHE;
-
-	res = fctx->res;
-	need_validation = ISC_FALSE;
-	POST(need_validation);
-	secure_domain = ISC_FALSE;
-	eresult = ISC_R_SUCCESS;
-	name = &fctx->name;
-	node = NULL;
-
-	/*
-	 * XXXMPA remove when we follow cnames and adjust the setting
-	 * of FCTX_ATTR_WANTNCACHE in noanswer_response().
-	 */
-	INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0);
-
-	/*
-	 * Is DNSSEC validation required for this name?
-	 */
-	if (fctx->res->view->enablevalidation) {
-		result = dns_view_issecuredomain(res->view, name,
-						 &secure_domain);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		if (!secure_domain && res->view->dlv != NULL) {
-			valoptions = DNS_VALIDATOR_DLV;
-			secure_domain = ISC_TRUE;
-		}
-	}
-
-	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
-		need_validation = ISC_FALSE;
-	else
-		need_validation = secure_domain;
-
-	if (secure_domain) {
-		/*
-		 * Mark all rdatasets as pending.
-		 */
-		dns_rdataset_t *trdataset;
-		dns_name_t *tname;
-
-		result = dns_message_firstname(fctx->rmessage,
-					       DNS_SECTION_AUTHORITY);
-		while (result == ISC_R_SUCCESS) {
-			tname = NULL;
-			dns_message_currentname(fctx->rmessage,
-						DNS_SECTION_AUTHORITY,
-						&tname);
-			for (trdataset = ISC_LIST_HEAD(tname->list);
-			     trdataset != NULL;
-			     trdataset = ISC_LIST_NEXT(trdataset, link))
-				trdataset->trust = dns_trust_pending_answer;
-			result = dns_message_nextname(fctx->rmessage,
-						      DNS_SECTION_AUTHORITY);
-		}
-		if (result != ISC_R_NOMORE)
-			return (result);
-
-	}
-
-	if (need_validation) {
-		/*
-		 * Do negative response validation.
-		 */
-		result = valcreate(fctx, addrinfo, name, fctx->type,
-				   NULL, NULL, valoptions,
-				   res->buckets[fctx->bucketnum].task);
-		/*
-		 * If validation is necessary, return now.  Otherwise continue
-		 * to process the message, letting the validation complete
-		 * in its own good time.
-		 */
-		return (result);
-	}
-
-	LOCK(&res->buckets[fctx->bucketnum].lock);
-
-	adbp = NULL;
-	aname = NULL;
-	anodep = NULL;
-	ardataset = NULL;
-	if (!HAVE_ANSWER(fctx)) {
-		event = ISC_LIST_HEAD(fctx->events);
-		if (event != NULL) {
-			adbp = &event->db;
-			aname = dns_fixedname_name(&event->foundname);
-			result = dns_name_copy(name, aname, NULL);
-			if (result != ISC_R_SUCCESS)
-				goto unlock;
-			anodep = &event->node;
-			ardataset = event->rdataset;
-		}
-	} else
-		event = NULL;
-
-	result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto unlock;
-
-	/*
-	 * If we are asking for a SOA record set the cache time
-	 * to zero to facilitate locating the containing zone of
-	 * a arbitrary zone.
-	 */
-	ttl = fctx->res->view->maxncachettl;
-	if (fctx->type == dns_rdatatype_soa &&
-	    covers == dns_rdatatype_any &&
-	    fctx->res->zero_no_soa_ttl)
-		ttl = 0;
-
-	result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
-				   covers, now, ttl, ISC_FALSE,
-				   ISC_FALSE, ardataset, &eresult);
-	if (result != ISC_R_SUCCESS)
-		goto unlock;
-
-	if (!HAVE_ANSWER(fctx)) {
-		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
-		if (event != NULL) {
-			event->result = eresult;
-			dns_db_attach(fctx->cache, adbp);
-			dns_db_transfernode(fctx->cache, &node, anodep);
-			clone_results(fctx);
-		}
-	}
-
- unlock:
-	UNLOCK(&res->buckets[fctx->bucketnum].lock);
-
-	if (node != NULL)
-		dns_db_detachnode(fctx->cache, &node);
-
-	return (result);
-}
-
-static inline void
-mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
-	     isc_boolean_t external, isc_boolean_t gluing)
-{
-	name->attributes |= DNS_NAMEATTR_CACHE;
-	if (gluing) {
-		rdataset->trust = dns_trust_glue;
-		/*
-		 * Glue with 0 TTL causes problems.  We force the TTL to
-		 * 1 second to prevent this.
-		 */
-		if (rdataset->ttl == 0)
-			rdataset->ttl = 1;
-	} else
-		rdataset->trust = dns_trust_additional;
-	/*
-	 * Avoid infinite loops by only marking new rdatasets.
-	 */
-	if (!CACHE(rdataset)) {
-		name->attributes |= DNS_NAMEATTR_CHASE;
-		rdataset->attributes |= DNS_RDATASETATTR_CHASE;
-	}
-	rdataset->attributes |= DNS_RDATASETATTR_CACHE;
-	if (external)
-		rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
-}
-
-static isc_result_t
-check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
-	      dns_section_t section)
-{
-	fetchctx_t *fctx = arg;
-	isc_result_t result;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	isc_boolean_t external;
-	dns_rdatatype_t rtype;
-	isc_boolean_t gluing;
-
-	REQUIRE(VALID_FCTX(fctx));
-
-#if CHECK_FOR_GLUE_IN_ANSWER
-	if (section == DNS_SECTION_ANSWER && type != dns_rdatatype_a)
-		return (ISC_R_SUCCESS);
-#endif
-
-	if (GLUING(fctx))
-		gluing = ISC_TRUE;
-	else
-		gluing = ISC_FALSE;
-	name = NULL;
-	rdataset = NULL;
-	result = dns_message_findname(fctx->rmessage, section, addname,
-				      dns_rdatatype_any, 0, &name, NULL);
-	if (result == ISC_R_SUCCESS) {
-		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
-		if (type == dns_rdatatype_a) {
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				if (rdataset->type == dns_rdatatype_rrsig)
-					rtype = rdataset->covers;
-				else
-					rtype = rdataset->type;
-				if (rtype == dns_rdatatype_a ||
-				    rtype == dns_rdatatype_aaaa)
-					mark_related(name, rdataset, external,
-						     gluing);
-			}
-		} else {
-			result = dns_message_findtype(name, type, 0,
-						      &rdataset);
-			if (result == ISC_R_SUCCESS) {
-				mark_related(name, rdataset, external, gluing);
-				/*
-				 * Do we have its SIG too?
-				 */
-				rdataset = NULL;
-				result = dns_message_findtype(name,
-						      dns_rdatatype_rrsig,
-						      type, &rdataset);
-				if (result == ISC_R_SUCCESS)
-					mark_related(name, rdataset, external,
-						     gluing);
-			}
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
-	return (check_section(arg, addname, type, DNS_SECTION_ADDITIONAL));
-}
-
-#ifndef CHECK_FOR_GLUE_IN_ANSWER
-#define CHECK_FOR_GLUE_IN_ANSWER 0
-#endif
-#if CHECK_FOR_GLUE_IN_ANSWER
-static isc_result_t
-check_answer(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
-	return (check_section(arg, addname, type, DNS_SECTION_ANSWER));
-}
-#endif
-
-static void
-chase_additional(fetchctx_t *fctx) {
-	isc_boolean_t rescan;
-	dns_section_t section = DNS_SECTION_ADDITIONAL;
-	isc_result_t result;
-
- again:
-	rescan = ISC_FALSE;
-
-	for (result = dns_message_firstname(fctx->rmessage, section);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(fctx->rmessage, section)) {
-		dns_name_t *name = NULL;
-		dns_rdataset_t *rdataset;
-		dns_message_currentname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
-					&name);
-		if ((name->attributes & DNS_NAMEATTR_CHASE) == 0)
-			continue;
-		name->attributes &= ~DNS_NAMEATTR_CHASE;
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if (CHASE(rdataset)) {
-				rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
-				(void)dns_rdataset_additionaldata(rdataset,
-								  check_related,
-								  fctx);
-				rescan = ISC_TRUE;
-			}
-		}
-	}
-	if (rescan)
-		goto again;
-}
-
-static inline isc_result_t
-cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_cname_t cname;
-
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &cname, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_name_init(tname, NULL);
-	dns_name_clone(&cname.cname, tname);
-	dns_rdata_freestruct(&cname);
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
-	     dns_name_t *oname, dns_fixedname_t *fixeddname)
-{
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned int nlabels;
-	int order;
-	dns_namereln_t namereln;
-	dns_rdata_dname_t dname;
-	dns_fixedname_t prefix;
-
-	/*
-	 * Get the target name of the DNAME.
-	 */
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &dname, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Get the prefix of qname.
-	 */
-	namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
-	if (namereln != dns_namereln_subdomain) {
-		char qbuf[DNS_NAME_FORMATSIZE];
-		char obuf[DNS_NAME_FORMATSIZE];
-
-		dns_rdata_freestruct(&dname);
-		dns_name_format(qname, qbuf, sizeof(qbuf));
-		dns_name_format(oname, obuf, sizeof(obuf));
-		log_formerr(fctx, "unrelated DNAME in answer: "
-				   "%s is not in %s", qbuf, obuf);
-		return (DNS_R_FORMERR);
-	}
-	dns_fixedname_init(&prefix);
-	dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
-	dns_fixedname_init(fixeddname);
-	result = dns_name_concatenate(dns_fixedname_name(&prefix),
-				      &dname.dname,
-				      dns_fixedname_name(fixeddname), NULL);
-	dns_rdata_freestruct(&dname);
-	return (result);
-}
-
-static isc_boolean_t
-is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
-			 dns_rdataset_t *rdataset)
-{
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	struct in_addr ina;
-	struct in6_addr in6a;
-	isc_netaddr_t netaddr;
-	char addrbuf[ISC_NETADDR_FORMATSIZE];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char classbuf[64];
-	char typebuf[64];
-	int match;
-
-	/* By default, we allow any addresses. */
-	if (view->denyansweracl == NULL)
-		return (ISC_TRUE);
-
-	/*
-	 * If the owner name matches one in the exclusion list, either exactly
-	 * or partially, allow it.
-	 */
-	if (view->answeracl_exclude != NULL) {
-		dns_rbtnode_t *node = NULL;
-
-		result = dns_rbt_findnode(view->answeracl_exclude, name, NULL,
-					  &node, NULL, 0, NULL, NULL);
-
-		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-			return (ISC_TRUE);
-	}
-
-	/*
-	 * Otherwise, search the filter list for a match for each address
-	 * record.  If a match is found, the address should be filtered,
-	 * so should the entire answer.
-	 */
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(rdataset, &rdata);
-		if (rdataset->type == dns_rdatatype_a) {
-			INSIST(rdata.length == sizeof(ina.s_addr));
-			memcpy(&ina.s_addr, rdata.data, sizeof(ina.s_addr));
-			isc_netaddr_fromin(&netaddr, &ina);
-		} else {
-			INSIST(rdata.length == sizeof(in6a.s6_addr));
-			memcpy(in6a.s6_addr, rdata.data, sizeof(in6a.s6_addr));
-			isc_netaddr_fromin6(&netaddr, &in6a);
-		}
-
-		result = dns_acl_match(&netaddr, NULL, view->denyansweracl,
-				       &view->aclenv, &match, NULL);
-
-		if (result == ISC_R_SUCCESS && match > 0) {
-			isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
-			dns_name_format(name, namebuf, sizeof(namebuf));
-			dns_rdatatype_format(rdataset->type, typebuf,
-					     sizeof(typebuf));
-			dns_rdataclass_format(rdataset->rdclass, classbuf,
-					      sizeof(classbuf));
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-				      "answer address %s denied for %s/%s/%s",
-				      addrbuf, namebuf, typebuf, classbuf);
-			return (ISC_FALSE);
-		}
-	}
-
-	return (ISC_TRUE);
-}
-
-static isc_boolean_t
-is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
-			dns_rdatatype_t type, dns_name_t *tname,
-			dns_name_t *domain)
-{
-	isc_result_t result;
-	dns_rbtnode_t *node = NULL;
-	char qnamebuf[DNS_NAME_FORMATSIZE];
-	char tnamebuf[DNS_NAME_FORMATSIZE];
-	char classbuf[64];
-	char typebuf[64];
-
-	/* By default, we allow any target name. */
-	if (view->denyanswernames == NULL)
-		return (ISC_TRUE);
-
-	/*
-	 * If the owner name matches one in the exclusion list, either exactly
-	 * or partially, allow it.
-	 */
-	if (view->answernames_exclude != NULL) {
-		result = dns_rbt_findnode(view->answernames_exclude, name, NULL,
-					  &node, NULL, 0, NULL, NULL);
-		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-			return (ISC_TRUE);
-	}
-
-	/*
-	 * If the target name is a subdomain of the search domain, allow it.
-	 */
-	if (dns_name_issubdomain(tname, domain))
-		return (ISC_TRUE);
-
-	/*
-	 * Otherwise, apply filters.
-	 */
-	result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
-				  NULL, 0, NULL, NULL);
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-		dns_name_format(name, qnamebuf, sizeof(qnamebuf));
-		dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
-		dns_rdatatype_format(type, typebuf, sizeof(typebuf));
-		dns_rdataclass_format(view->rdclass, classbuf,
-				      sizeof(classbuf));
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-			      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-			      "%s target %s denied for %s/%s",
-			      typebuf, tnamebuf, qnamebuf, classbuf);
-		return (ISC_FALSE);
-	}
-
-	return (ISC_TRUE);
-}
-
-static void
-trim_ns_ttl(fetchctx_t *fctx, dns_name_t *name, dns_rdataset_t *rdataset) {
-	char ns_namebuf[DNS_NAME_FORMATSIZE];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char tbuf[DNS_RDATATYPE_FORMATSIZE];
-
-	if (fctx->ns_ttl_ok && rdataset->ttl > fctx->ns_ttl) {
-		dns_name_format(name, ns_namebuf, sizeof(ns_namebuf));
-		dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
-		dns_rdatatype_format(fctx->type, tbuf, sizeof(tbuf));
-
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
-			      "fctx %p: trimming ttl of %s/NS for %s/%s: "
-			      "%u -> %u", fctx, ns_namebuf, namebuf, tbuf,
-			      rdataset->ttl, fctx->ns_ttl);
-		rdataset->ttl = fctx->ns_ttl;
-	}
-}
-
-/*
- * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
- * If look_in_options has LOOK_FOR_NS_IN_ANSWER then we look in the answer
- * section for the NS RRset if the query type is NS; if it has
- * LOOK_FOR_GLUE_IN_ANSWER we look for glue incorrectly returned in the answer
- * section for A and AAAA queries.
- */
-#define LOOK_FOR_NS_IN_ANSWER 0x1
-#define LOOK_FOR_GLUE_IN_ANSWER 0x2
-
-static isc_result_t
-noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
-		  unsigned int look_in_options)
-{
-	isc_result_t result;
-	dns_message_t *message;
-	dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name, *save_name;
-	dns_rdataset_t *rdataset, *ns_rdataset;
-	isc_boolean_t aa, negative_response;
-	dns_rdatatype_t type, save_type;
-	dns_section_t section;
-
-	FCTXTRACE("noanswer_response");
-
-	if ((look_in_options & LOOK_FOR_NS_IN_ANSWER) != 0) {
-		INSIST(fctx->type == dns_rdatatype_ns);
-		section = DNS_SECTION_ANSWER;
-	} else
-		section = DNS_SECTION_AUTHORITY;
-
-	message = fctx->rmessage;
-
-	/*
-	 * Setup qname.
-	 */
-	if (oqname == NULL) {
-		/*
-		 * We have a normal, non-chained negative response or
-		 * referral.
-		 */
-		if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
-			aa = ISC_TRUE;
-		else
-			aa = ISC_FALSE;
-		qname = &fctx->name;
-	} else {
-		/*
-		 * We're being invoked by answer_response() after it has
-		 * followed a CNAME/DNAME chain.
-		 */
-		qname = oqname;
-		aa = ISC_FALSE;
-		/*
-		 * If the current qname is not a subdomain of the query
-		 * domain, there's no point in looking at the authority
-		 * section without doing DNSSEC validation.
-		 *
-		 * Until we do that validation, we'll just return success
-		 * in this case.
-		 */
-		if (!dns_name_issubdomain(qname, &fctx->domain))
-			return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * We have to figure out if this is a negative response, or a
-	 * referral.
-	 */
-
-	/*
-	 * Sometimes we can tell if its a negative response by looking at
-	 * the message header.
-	 */
-	negative_response = ISC_FALSE;
-	if (message->rcode == dns_rcode_nxdomain ||
-	    (message->counts[DNS_SECTION_ANSWER] == 0 &&
-	     message->counts[DNS_SECTION_AUTHORITY] == 0))
-		negative_response = ISC_TRUE;
-
-	/*
-	 * Process the authority section.
-	 */
-	ns_name = NULL;
-	ns_rdataset = NULL;
-	soa_name = NULL;
-	ds_name = NULL;
-	save_name = NULL;
-	save_type = dns_rdatatype_none;
-	result = dns_message_firstname(message, section);
-	while (result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(message, section, &name);
-		if (dns_name_issubdomain(name, &fctx->domain)) {
-			/*
-			 * Look for NS/SOA RRsets first.
-			 */
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				type = rdataset->type;
-				if (type == dns_rdatatype_rrsig)
-					type = rdataset->covers;
-				if (((type == dns_rdatatype_ns ||
-				      type == dns_rdatatype_soa) &&
-				     !dns_name_issubdomain(qname, name))) {
-					char qbuf[DNS_NAME_FORMATSIZE];
-					char nbuf[DNS_NAME_FORMATSIZE];
-					char tbuf[DNS_RDATATYPE_FORMATSIZE];
-					dns_rdatatype_format(fctx->type, tbuf,
-							     sizeof(tbuf));
-					dns_name_format(name, nbuf,
-							     sizeof(nbuf));
-					dns_name_format(qname, qbuf,
-							     sizeof(qbuf));
-					log_formerr(fctx,
-						    "unrelated %s %s in "
-						    "%s authority section",
-						    tbuf, qbuf, nbuf);
-					return (DNS_R_FORMERR);
-				}
-				if (type == dns_rdatatype_ns) {
-					/*
-					 * NS or RRSIG NS.
-					 *
-					 * Only one set of NS RRs is allowed.
-					 */
-					if (rdataset->type ==
-					    dns_rdatatype_ns) {
-						if (ns_name != NULL &&
-						    name != ns_name) {
-							log_formerr(fctx,
-								"multiple NS "
-								"RRsets in "
-								"authority "
-								"section");
-							return (DNS_R_FORMERR);
-						}
-						ns_name = name;
-						ns_rdataset = rdataset;
-					}
-					name->attributes |=
-						DNS_NAMEATTR_CACHE;
-					rdataset->attributes |=
-						DNS_RDATASETATTR_CACHE;
-					rdataset->trust = dns_trust_glue;
-				}
-				if (type == dns_rdatatype_soa) {
-					/*
-					 * SOA, or RRSIG SOA.
-					 *
-					 * Only one SOA is allowed.
-					 */
-					if (rdataset->type ==
-					    dns_rdatatype_soa) {
-						if (soa_name != NULL &&
-						    name != soa_name) {
-							log_formerr(fctx,
-								"multiple SOA "
-								"RRs in "
-								"authority "
-								"section");
-							return (DNS_R_FORMERR);
-						}
-						soa_name = name;
-					}
-					name->attributes |=
-						DNS_NAMEATTR_NCACHE;
-					rdataset->attributes |=
-						DNS_RDATASETATTR_NCACHE;
-					if (aa)
-						rdataset->trust =
-						    dns_trust_authauthority;
-					else if (ISFORWARDER(fctx->addrinfo))
-						rdataset->trust =
-							dns_trust_answer;
-					else
-						rdataset->trust =
-							dns_trust_additional;
-				}
-			}
-		}
-		result = dns_message_nextname(message, section);
-		if (result == ISC_R_NOMORE)
-			break;
-		else if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	log_ns_ttl(fctx, "noanswer_response");
-
-	if (ns_rdataset != NULL && dns_name_equal(&fctx->domain, ns_name) &&
-	    !dns_name_equal(ns_name, dns_rootname))
-		trim_ns_ttl(fctx, ns_name, ns_rdataset);
-
-	/*
-	 * A negative response has a SOA record (Type 2)
-	 * and a optional NS RRset (Type 1) or it has neither
-	 * a SOA or a NS RRset (Type 3, handled above) or
-	 * rcode is NXDOMAIN (handled above) in which case
-	 * the NS RRset is allowed (Type 4).
-	 */
-	if (soa_name != NULL)
-		negative_response = ISC_TRUE;
-
-	result = dns_message_firstname(message, section);
-	while (result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(message, section, &name);
-		if (dns_name_issubdomain(name, &fctx->domain)) {
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				type = rdataset->type;
-				if (type == dns_rdatatype_rrsig)
-					type = rdataset->covers;
-				if (type == dns_rdatatype_nsec ||
-				    type == dns_rdatatype_nsec3) {
-					/*
-					 * NSEC or RRSIG NSEC.
-					 */
-					if (negative_response) {
-						name->attributes |=
-							DNS_NAMEATTR_NCACHE;
-						rdataset->attributes |=
-							DNS_RDATASETATTR_NCACHE;
-					} else if (type == dns_rdatatype_nsec) {
-						name->attributes |=
-							DNS_NAMEATTR_CACHE;
-						rdataset->attributes |=
-							DNS_RDATASETATTR_CACHE;
-					}
-					if (aa)
-						rdataset->trust =
-						    dns_trust_authauthority;
-					else if (ISFORWARDER(fctx->addrinfo))
-						rdataset->trust =
-							dns_trust_answer;
-					else
-						rdataset->trust =
-							dns_trust_additional;
-					/*
-					 * No additional data needs to be
-					 * marked.
-					 */
-				} else if (type == dns_rdatatype_ds) {
-					/*
-					 * DS or SIG DS.
-					 *
-					 * These should only be here if
-					 * this is a referral, and there
-					 * should only be one DS RRset.
-					 */
-					if (ns_name == NULL) {
-						log_formerr(fctx,
-							    "DS with no "
-							    "referral");
-						return (DNS_R_FORMERR);
-					}
-					if (rdataset->type ==
-					    dns_rdatatype_ds) {
-						if (ds_name != NULL &&
-						    name != ds_name) {
-							log_formerr(fctx,
-								"DS doesn't "
-								"match "
-								"referral "
-								"(NS)");
-							return (DNS_R_FORMERR);
-						}
-						ds_name = name;
-					}
-					name->attributes |=
-						DNS_NAMEATTR_CACHE;
-					rdataset->attributes |=
-						DNS_RDATASETATTR_CACHE;
-					if (aa)
-						rdataset->trust =
-						    dns_trust_authauthority;
-					else if (ISFORWARDER(fctx->addrinfo))
-						rdataset->trust =
-							dns_trust_answer;
-					else
-						rdataset->trust =
-							dns_trust_additional;
-				}
-			}
-		} else {
-			save_name = name;
-			save_type = ISC_LIST_HEAD(name->list)->type;
-		}
-		result = dns_message_nextname(message, section);
-		if (result == ISC_R_NOMORE)
-			break;
-		else if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	/*
-	 * Trigger lookups for DNS nameservers.
-	 */
-	if (negative_response && message->rcode == dns_rcode_noerror &&
-	    fctx->type == dns_rdatatype_ds && soa_name != NULL &&
-	    dns_name_equal(soa_name, qname) &&
-	    !dns_name_equal(qname, dns_rootname))
-		return (DNS_R_CHASEDSSERVERS);
-
-	/*
-	 * Did we find anything?
-	 */
-	if (!negative_response && ns_name == NULL) {
-		/*
-		 * Nope.
-		 */
-		if (oqname != NULL) {
-			/*
-			 * We've already got a partial CNAME/DNAME chain,
-			 * and haven't found else anything useful here, but
-			 * no error has occurred since we have an answer.
-			 */
-			return (ISC_R_SUCCESS);
-		} else {
-			/*
-			 * The responder is insane.
-			 */
-			if (save_name == NULL) {
-				log_formerr(fctx, "invalid response");
-				return (DNS_R_FORMERR);
-			}
-			if (!dns_name_issubdomain(save_name, &fctx->domain)) {
-				char nbuf[DNS_NAME_FORMATSIZE];
-				char dbuf[DNS_NAME_FORMATSIZE];
-				char tbuf[DNS_RDATATYPE_FORMATSIZE];
-
-				dns_rdatatype_format(save_type, tbuf,
-					sizeof(tbuf));
-				dns_name_format(save_name, nbuf, sizeof(nbuf));
-				dns_name_format(&fctx->domain, dbuf,
-					sizeof(dbuf));
-
-				log_formerr(fctx, "Name %s (%s) not subdomain"
-					" of zone %s -- invalid response",
-					nbuf, tbuf, dbuf);
-			} else {
-				log_formerr(fctx, "invalid response");
-			}
-			return (DNS_R_FORMERR);
-		}
-	}
-
-	/*
-	 * If we found both NS and SOA, they should be the same name.
-	 */
-	if (ns_name != NULL && soa_name != NULL && ns_name != soa_name) {
-		log_formerr(fctx, "NS/SOA mismatch");
-		return (DNS_R_FORMERR);
-	}
-
-	/*
-	 * Do we have a referral?  (We only want to follow a referral if
-	 * we're not following a chain.)
-	 */
-	if (!negative_response && ns_name != NULL && oqname == NULL) {
-		/*
-		 * We already know ns_name is a subdomain of fctx->domain.
-		 * If ns_name is equal to fctx->domain, we're not making
-		 * progress.  We return DNS_R_FORMERR so that we'll keep
-		 * trying other servers.
-		 */
-		if (dns_name_equal(ns_name, &fctx->domain)) {
-			log_formerr(fctx, "non-improving referral");
-			return (DNS_R_FORMERR);
-		}
-
-		/*
-		 * If the referral name is not a parent of the query
-		 * name, consider the responder insane.
-		 */
-		if (! dns_name_issubdomain(&fctx->name, ns_name)) {
-			/* Logged twice */
-			log_formerr(fctx, "referral to non-parent");
-			FCTXTRACE("referral to non-parent");
-			return (DNS_R_FORMERR);
-		}
-
-		/*
-		 * Mark any additional data related to this rdataset.
-		 * It's important that we do this before we change the
-		 * query domain.
-		 */
-		INSIST(ns_rdataset != NULL);
-		fctx->attributes |= FCTX_ATTR_GLUING;
-		(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
-						  fctx);
-#if CHECK_FOR_GLUE_IN_ANSWER
-		/*
-		 * Look in the answer section for "glue" that is incorrectly
-		 * returned as a answer.  This is needed if the server also
-		 * minimizes the response size by not adding records to the
-		 * additional section that are in the answer section or if
-		 * the record gets dropped due to message size constraints.
-		 */
-		if ((look_in_options & LOOK_FOR_GLUE_IN_ANSWER) != 0 &&
-		    (fctx->type == dns_rdatatype_aaaa ||
-		     fctx->type == dns_rdatatype_a))
-			(void)dns_rdataset_additionaldata(ns_rdataset,
-							  check_answer, fctx);
-#endif
-		fctx->attributes &= ~FCTX_ATTR_GLUING;
-		/*
-		 * NS rdatasets with 0 TTL cause problems.
-		 * dns_view_findzonecut() will not find them when we
-		 * try to follow the referral, and we'll SERVFAIL
-		 * because the best nameservers are now above QDOMAIN.
-		 * We force the TTL to 1 second to prevent this.
-		 */
-		if (ns_rdataset->ttl == 0)
-			ns_rdataset->ttl = 1;
-		/*
-		 * Set the current query domain to the referral name.
-		 *
-		 * XXXRTH  We should check if we're in forward-only mode, and
-		 *		if so we should bail out.
-		 */
-		INSIST(dns_name_countlabels(&fctx->domain) > 0);
-		dns_name_free(&fctx->domain, fctx->mctx);
-		if (dns_rdataset_isassociated(&fctx->nameservers))
-			dns_rdataset_disassociate(&fctx->nameservers);
-		dns_name_init(&fctx->domain, NULL);
-		result = dns_name_dup(ns_name, fctx->mctx, &fctx->domain);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		fctx->attributes |= FCTX_ATTR_WANTCACHE;
-		fctx->ns_ttl_ok = ISC_FALSE;
-		log_ns_ttl(fctx, "DELEGATION");
-		return (DNS_R_DELEGATION);
-	}
-
-	/*
-	 * Since we're not doing a referral, we don't want to cache any
-	 * NS RRs we may have found.
-	 */
-	if (ns_name != NULL)
-		ns_name->attributes &= ~DNS_NAMEATTR_CACHE;
-
-	if (negative_response && oqname == NULL)
-		fctx->attributes |= FCTX_ATTR_WANTNCACHE;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-answer_response(fetchctx_t *fctx) {
-	isc_result_t result;
-	dns_message_t *message;
-	dns_name_t *name, *qname, tname, *ns_name;
-	dns_rdataset_t *rdataset, *ns_rdataset;
-	isc_boolean_t done, external, chaining, aa, found, want_chaining;
-	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
-	unsigned int aflag;
-	dns_rdatatype_t type;
-	dns_fixedname_t dname, fqname;
-	dns_view_t *view;
-
-	FCTXTRACE("answer_response");
-
-	message = fctx->rmessage;
-
-	/*
-	 * Examine the answer section, marking those rdatasets which are
-	 * part of the answer and should be cached.
-	 */
-
-	done = ISC_FALSE;
-	found_cname = ISC_FALSE;
-	found_type = ISC_FALSE;
-	chaining = ISC_FALSE;
-	have_answer = ISC_FALSE;
-	want_chaining = ISC_FALSE;
-	POST(want_chaining);
-	if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
-		aa = ISC_TRUE;
-	else
-		aa = ISC_FALSE;
-	qname = &fctx->name;
-	type = fctx->type;
-	view = fctx->res->view;
-	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
-	while (!done && result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
-		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
-		if (dns_name_equal(name, qname)) {
-			wanted_chaining = ISC_FALSE;
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				found = ISC_FALSE;
-				want_chaining = ISC_FALSE;
-				aflag = 0;
-				if (rdataset->type == dns_rdatatype_nsec3) {
-					/*
-					 * NSEC3 records are not allowed to
-					 * appear in the answer section.
-					 */
-					log_formerr(fctx, "NSEC3 in answer");
-					return (DNS_R_FORMERR);
-				}
-
-				/*
-				 * Apply filters, if given, on answers to reject
-				 * a malicious attempt of rebinding.
-				 */
-				if ((rdataset->type == dns_rdatatype_a ||
-				     rdataset->type == dns_rdatatype_aaaa) &&
-				    !is_answeraddress_allowed(view, name,
-							      rdataset)) {
-					return (DNS_R_SERVFAIL);
-				}
-
-				if (rdataset->type == type && !found_cname) {
-					/*
-					 * We've found an ordinary answer.
-					 */
-					found = ISC_TRUE;
-					found_type = ISC_TRUE;
-					done = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWER;
-				} else if (type == dns_rdatatype_any) {
-					/*
-					 * We've found an answer matching
-					 * an ANY query.  There may be
-					 * more.
-					 */
-					found = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWER;
-				} else if (rdataset->type == dns_rdatatype_rrsig
-					   && rdataset->covers == type
-					   && !found_cname) {
-					/*
-					 * We've found a signature that
-					 * covers the type we're looking for.
-					 */
-					found = ISC_TRUE;
-					found_type = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWERSIG;
-				} else if (rdataset->type ==
-					   dns_rdatatype_cname
-					   && !found_type) {
-					/*
-					 * We're looking for something else,
-					 * but we found a CNAME.
-					 *
-					 * Getting a CNAME response for some
-					 * query types is an error, see
-					 * RFC 4035, Section 2.5.
-					 */
-					if (type == dns_rdatatype_rrsig ||
-					    type == dns_rdatatype_key ||
-					    type == dns_rdatatype_nsec) {
-						char buf[DNS_RDATATYPE_FORMATSIZE];
-						dns_rdatatype_format(fctx->type,
-							      buf, sizeof(buf));
-						log_formerr(fctx,
-							    "CNAME response "
-							    "for %s RR", buf);
-						return (DNS_R_FORMERR);
-					}
-					found = ISC_TRUE;
-					found_cname = ISC_TRUE;
-					want_chaining = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWER;
-					result = cname_target(rdataset,
-							      &tname);
-					if (result != ISC_R_SUCCESS)
-						return (result);
-					/* Apply filters on the target name. */
-					if (!is_answertarget_allowed(view,
-							name,
-							rdataset->type,
-							&tname,
-							&fctx->domain)) {
-						return (DNS_R_SERVFAIL);
-					}
-				} else if (rdataset->type == dns_rdatatype_rrsig
-					   && rdataset->covers ==
-					   dns_rdatatype_cname
-					   && !found_type) {
-					/*
-					 * We're looking for something else,
-					 * but we found a SIG CNAME.
-					 */
-					found = ISC_TRUE;
-					found_cname = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWERSIG;
-				}
-
-				if (found) {
-					/*
-					 * We've found an answer to our
-					 * question.
-					 */
-					name->attributes |=
-						DNS_NAMEATTR_CACHE;
-					rdataset->attributes |=
-						DNS_RDATASETATTR_CACHE;
-					rdataset->trust = dns_trust_answer;
-					if (!chaining) {
-						/*
-						 * This data is "the" answer
-						 * to our question only if
-						 * we're not chaining (i.e.
-						 * if we haven't followed
-						 * a CNAME or DNAME).
-						 */
-						INSIST(!external);
-						if (aflag ==
-						    DNS_RDATASETATTR_ANSWER)
-							have_answer = ISC_TRUE;
-						name->attributes |=
-							DNS_NAMEATTR_ANSWER;
-						rdataset->attributes |= aflag;
-						if (aa)
-							rdataset->trust =
-							  dns_trust_authanswer;
-					} else if (external) {
-						/*
-						 * This data is outside of
-						 * our query domain, and
-						 * may not be cached.
-						 */
-						rdataset->attributes |=
-						    DNS_RDATASETATTR_EXTERNAL;
-					}
-
-					/*
-					 * Mark any additional data related
-					 * to this rdataset.
-					 */
-					(void)dns_rdataset_additionaldata(
-							rdataset,
-							check_related,
-							fctx);
-
-					/*
-					 * CNAME chaining.
-					 */
-					if (want_chaining) {
-						wanted_chaining = ISC_TRUE;
-						name->attributes |=
-							DNS_NAMEATTR_CHAINING;
-						rdataset->attributes |=
-						    DNS_RDATASETATTR_CHAINING;
-						qname = &tname;
-					}
-				}
-				/*
-				 * We could add an "else" clause here and
-				 * log that we're ignoring this rdataset.
-				 */
-			}
-			/*
-			 * If wanted_chaining is true, we've done
-			 * some chaining as the result of processing
-			 * this node, and thus we need to set
-			 * chaining to true.
-			 *
-			 * We don't set chaining inside of the
-			 * rdataset loop because doing that would
-			 * cause us to ignore the signatures of
-			 * CNAMEs.
-			 */
-			if (wanted_chaining)
-				chaining = ISC_TRUE;
-		} else {
-			/*
-			 * Look for a DNAME (or its SIG).  Anything else is
-			 * ignored.
-			 */
-			wanted_chaining = ISC_FALSE;
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				isc_boolean_t found_dname = ISC_FALSE;
-				dns_name_t *dname_name;
-
-				found = ISC_FALSE;
-				aflag = 0;
-				if (rdataset->type == dns_rdatatype_dname) {
-					/*
-					 * We're looking for something else,
-					 * but we found a DNAME.
-					 *
-					 * If we're not chaining, then the
-					 * DNAME should not be external.
-					 */
-					if (!chaining && external) {
-						log_formerr(fctx,
-							    "external DNAME");
-						return (DNS_R_FORMERR);
-					}
-					found = ISC_TRUE;
-					want_chaining = ISC_TRUE;
-					POST(want_chaining);
-					aflag = DNS_RDATASETATTR_ANSWER;
-					result = dname_target(fctx, rdataset,
-							      qname, name,
-							      &dname);
-					if (result == ISC_R_NOSPACE) {
-						/*
-						 * We can't construct the
-						 * DNAME target.  Do not
-						 * try to continue.
-						 */
-						want_chaining = ISC_FALSE;
-						POST(want_chaining);
-					} else if (result != ISC_R_SUCCESS)
-						return (result);
-					else
-						found_dname = ISC_TRUE;
-
-					dname_name = dns_fixedname_name(&dname);
-					if (!is_answertarget_allowed(view,
-							qname,
-							rdataset->type,
-							dname_name,
-							&fctx->domain)) {
-						return (DNS_R_SERVFAIL);
-					}
-				} else if (rdataset->type == dns_rdatatype_rrsig
-					   && rdataset->covers ==
-					   dns_rdatatype_dname) {
-					/*
-					 * We've found a signature that
-					 * covers the DNAME.
-					 */
-					found = ISC_TRUE;
-					aflag = DNS_RDATASETATTR_ANSWERSIG;
-				}
-
-				if (found) {
-					/*
-					 * We've found an answer to our
-					 * question.
-					 */
-					name->attributes |=
-						DNS_NAMEATTR_CACHE;
-					rdataset->attributes |=
-						DNS_RDATASETATTR_CACHE;
-					rdataset->trust = dns_trust_answer;
-					if (!chaining) {
-						/*
-						 * This data is "the" answer
-						 * to our question only if
-						 * we're not chaining.
-						 */
-						INSIST(!external);
-						if (aflag ==
-						    DNS_RDATASETATTR_ANSWER)
-							have_answer = ISC_TRUE;
-						name->attributes |=
-							DNS_NAMEATTR_ANSWER;
-						rdataset->attributes |= aflag;
-						if (aa)
-							rdataset->trust =
-							  dns_trust_authanswer;
-					} else if (external) {
-						rdataset->attributes |=
-						    DNS_RDATASETATTR_EXTERNAL;
-					}
-
-					/*
-					 * DNAME chaining.
-					 */
-					if (found_dname) {
-						/*
-						 * Copy the dname into the
-						 * qname fixed name.
-						 *
-						 * Although we check for
-						 * failure of the copy
-						 * operation, in practice it
-						 * should never fail since
-						 * we already know that the
-						 * result fits in a fixedname.
-						 */
-						dns_fixedname_init(&fqname);
-						result = dns_name_copy(
-						  dns_fixedname_name(&dname),
-						  dns_fixedname_name(&fqname),
-						  NULL);
-						if (result != ISC_R_SUCCESS)
-							return (result);
-						wanted_chaining = ISC_TRUE;
-						name->attributes |=
-							DNS_NAMEATTR_CHAINING;
-						rdataset->attributes |=
-						    DNS_RDATASETATTR_CHAINING;
-						qname = dns_fixedname_name(
-								   &fqname);
-					}
-				}
-			}
-			if (wanted_chaining)
-				chaining = ISC_TRUE;
-		}
-		result = dns_message_nextname(message, DNS_SECTION_ANSWER);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * We should have found an answer.
-	 */
-	if (!have_answer) {
-		log_formerr(fctx, "reply has no answer");
-		return (DNS_R_FORMERR);
-	}
-
-	/*
-	 * This response is now potentially cacheable.
-	 */
-	fctx->attributes |= FCTX_ATTR_WANTCACHE;
-
-	/*
-	 * Did chaining end before we got the final answer?
-	 */
-	if (chaining) {
-		/*
-		 * Yes.  This may be a negative reply, so hand off
-		 * authority section processing to the noanswer code.
-		 * If it isn't a noanswer response, no harm will be
-		 * done.
-		 */
-		return (noanswer_response(fctx, qname, 0));
-	}
-
-	/*
-	 * We didn't end with an incomplete chain, so the rcode should be
-	 * "no error".
-	 */
-	if (message->rcode != dns_rcode_noerror) {
-		log_formerr(fctx, "CNAME/DNAME chain complete, but RCODE "
-				  "indicates error");
-		return (DNS_R_FORMERR);
-	}
-
-	/*
-	 * Examine the authority section (if there is one).
-	 *
-	 * We expect there to be only one owner name for all the rdatasets
-	 * in this section, and we expect that it is not external.
-	 */
-	done = ISC_FALSE;
-	ns_name = NULL;
-	ns_rdataset = NULL;
-	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	while (!done && result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
-		if (!external) {
-			/*
-			 * We expect to find NS or SIG NS rdatasets, and
-			 * nothing else.
-			 */
-			for (rdataset = ISC_LIST_HEAD(name->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				if (rdataset->type == dns_rdatatype_ns ||
-				    (rdataset->type == dns_rdatatype_rrsig &&
-				     rdataset->covers == dns_rdatatype_ns)) {
-					name->attributes |=
-						DNS_NAMEATTR_CACHE;
-					rdataset->attributes |=
-						DNS_RDATASETATTR_CACHE;
-					if (aa && !chaining)
-						rdataset->trust =
-						    dns_trust_authauthority;
-					else
-						rdataset->trust =
-						    dns_trust_additional;
-
-					if (rdataset->type == dns_rdatatype_ns) {
-						ns_name = name;
-						ns_rdataset = rdataset;
-					}
-					/*
-					 * Mark any additional data related
-					 * to this rdataset.
-					 */
-					(void)dns_rdataset_additionaldata(
-							rdataset,
-							check_related,
-							fctx);
-					done = ISC_TRUE;
-				}
-			}
-		}
-		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	log_ns_ttl(fctx, "answer_response");
-
-	if (ns_rdataset != NULL && dns_name_equal(&fctx->domain, ns_name) &&
-	    !dns_name_equal(ns_name, dns_rootname))
-		trim_ns_ttl(fctx, ns_name, ns_rdataset);
-
-	return (result);
-}
-
-static isc_boolean_t
-fctx_decreference(fetchctx_t *fctx) {
-	isc_boolean_t bucket_empty = ISC_FALSE;
-
-	INSIST(fctx->references > 0);
-	fctx->references--;
-	if (fctx->references == 0) {
-		/*
-		 * No one cares about the result of this fetch anymore.
-		 */
-		if (fctx->pending == 0 && fctx->nqueries == 0 &&
-		    ISC_LIST_EMPTY(fctx->validators) && SHUTTINGDOWN(fctx)) {
-			/*
-			 * This fctx is already shutdown; we were just
-			 * waiting for the last reference to go away.
-			 */
-			bucket_empty = fctx_unlink(fctx);
-			fctx_destroy(fctx);
-		} else {
-			/*
-			 * Initiate shutdown.
-			 */
-			fctx_shutdown(fctx);
-		}
-	}
-	return (bucket_empty);
-}
-
-static void
-resume_dslookup(isc_task_t *task, isc_event_t *event) {
-	dns_fetchevent_t *fevent;
-	dns_resolver_t *res;
-	fetchctx_t *fctx;
-	isc_result_t result;
-	isc_boolean_t bucket_empty;
-	isc_boolean_t locked = ISC_FALSE;
-	unsigned int bucketnum;
-	dns_rdataset_t nameservers;
-	dns_fixedname_t fixed;
-	dns_name_t *domain;
-
-	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
-	fevent = (dns_fetchevent_t *)event;
-	fctx = event->ev_arg;
-	REQUIRE(VALID_FCTX(fctx));
-	res = fctx->res;
-
-	UNUSED(task);
-	FCTXTRACE("resume_dslookup");
-
-	if (fevent->node != NULL)
-		dns_db_detachnode(fevent->db, &fevent->node);
-	if (fevent->db != NULL)
-		dns_db_detach(&fevent->db);
-
-	dns_rdataset_init(&nameservers);
-
-	bucketnum = fctx->bucketnum;
-	if (fevent->result == ISC_R_CANCELED) {
-		dns_resolver_destroyfetch(&fctx->nsfetch);
-		fctx_done(fctx, ISC_R_CANCELED, __LINE__);
-	} else if (fevent->result == ISC_R_SUCCESS) {
-
-		FCTXTRACE("resuming DS lookup");
-
-		dns_resolver_destroyfetch(&fctx->nsfetch);
-		if (dns_rdataset_isassociated(&fctx->nameservers))
-			dns_rdataset_disassociate(&fctx->nameservers);
-		dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
-		fctx->ns_ttl = fctx->nameservers.ttl;
-		fctx->ns_ttl_ok = ISC_TRUE;
-		log_ns_ttl(fctx, "resume_dslookup");
-		dns_name_free(&fctx->domain, fctx->mctx);
-		dns_name_init(&fctx->domain, NULL);
-		result = dns_name_dup(&fctx->nsname, fctx->mctx, &fctx->domain);
-		if (result != ISC_R_SUCCESS) {
-			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-			goto cleanup;
-		}
-		/*
-		 * Try again.
-		 */
-		fctx_try(fctx, ISC_TRUE, ISC_FALSE);
-	} else {
-		unsigned int n;
-		dns_rdataset_t *nsrdataset = NULL;
-
-		/*
-		 * Retrieve state from fctx->nsfetch before we destroy it.
-		 */
-		dns_fixedname_init(&fixed);
-		domain = dns_fixedname_name(&fixed);
-		dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
-		if (dns_name_equal(&fctx->nsname, domain)) {
-			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-			dns_resolver_destroyfetch(&fctx->nsfetch);
-			goto cleanup;
-		}
-		if (dns_rdataset_isassociated(
-		    &fctx->nsfetch->private->nameservers)) {
-			dns_rdataset_clone(
-			    &fctx->nsfetch->private->nameservers,
-			    &nameservers);
-			nsrdataset = &nameservers;
-		} else
-			domain = NULL;
-		dns_resolver_destroyfetch(&fctx->nsfetch);
-		n = dns_name_countlabels(&fctx->nsname);
-		dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
-					  &fctx->nsname);
-
-		if (dns_rdataset_isassociated(fevent->rdataset))
-			dns_rdataset_disassociate(fevent->rdataset);
-		FCTXTRACE("continuing to look for parent's NS records");
-		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
-						  dns_rdatatype_ns, domain,
-						  nsrdataset, NULL, 0, task,
-						  resume_dslookup, fctx,
-						  &fctx->nsrrset, NULL,
-						  &fctx->nsfetch);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result, __LINE__);
-		else {
-			LOCK(&res->buckets[bucketnum].lock);
-			locked = ISC_TRUE;
-			fctx->references++;
-		}
-	}
-
- cleanup:
-	if (dns_rdataset_isassociated(&nameservers))
-		dns_rdataset_disassociate(&nameservers);
-	if (dns_rdataset_isassociated(fevent->rdataset))
-		dns_rdataset_disassociate(fevent->rdataset);
-	INSIST(fevent->sigrdataset == NULL);
-	isc_event_free(&event);
-	if (!locked)
-		LOCK(&res->buckets[bucketnum].lock);
-	bucket_empty = fctx_decreference(fctx);
-	UNLOCK(&res->buckets[bucketnum].lock);
-	if (bucket_empty)
-		empty_bucket(res);
-}
-
-static inline void
-checknamessection(dns_message_t *message, dns_section_t section) {
-	isc_result_t result;
-	dns_name_t *name;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t *rdataset;
-
-	for (result = dns_message_firstname(message, section);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(message, section))
-	{
-		name = NULL;
-		dns_message_currentname(message, section, &name);
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			for (result = dns_rdataset_first(rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rdataset)) {
-				dns_rdataset_current(rdataset, &rdata);
-				if (!dns_rdata_checkowner(name, rdata.rdclass,
-							  rdata.type,
-							  ISC_FALSE) ||
-				    !dns_rdata_checknames(&rdata, name, NULL))
-				{
-					rdataset->attributes |=
-						DNS_RDATASETATTR_CHECKNAMES;
-				}
-				dns_rdata_reset(&rdata);
-			}
-		}
-	}
-}
-
-static void
-checknames(dns_message_t *message) {
-
-	checknamessection(message, DNS_SECTION_ANSWER);
-	checknamessection(message, DNS_SECTION_AUTHORITY);
-	checknamessection(message, DNS_SECTION_ADDITIONAL);
-}
-
-/*
- * Log server NSID at log level 'level'
- */
-static void
-log_nsid(isc_buffer_t *opt, size_t nsid_len, resquery_t *query,
-	 int level, isc_mem_t *mctx)
-{
-	static const char hex[17] = "0123456789abcdef";
-	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-	isc_uint16_t buflen, i;
-	unsigned char *p, *buf, *nsid;
-
-	/* Allocate buffer for storing hex version of the NSID */
-	buflen = nsid_len * 2 + 1;
-	buf = isc_mem_get(mctx, buflen);
-	if (buf == NULL)
-		return;
-
-	/* Convert to hex */
-	p = buf;
-	nsid = isc_buffer_current(opt);
-	for (i = 0; i < nsid_len; i++) {
-		*p++ = hex[(nsid[0] >> 4) & 0xf];
-		*p++ = hex[nsid[0] & 0xf];
-		nsid++;
-	}
-	*p = '\0';
-
-	isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
-			    sizeof(addrbuf));
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-		      DNS_LOGMODULE_RESOLVER, level,
-		      "received NSID '%s' from %s", buf, addrbuf);
-
-	/* Clean up */
-	isc_mem_put(mctx, buf, buflen);
-	return;
-}
-
-static void
-log_packet(dns_message_t *message, int level, isc_mem_t *mctx) {
-	isc_buffer_t buffer;
-	char *buf = NULL;
-	int len = 1024;
-	isc_result_t result;
-
-	if (! isc_log_wouldlog(dns_lctx, level))
-		return;
-
-	/*
-	 * Note that these are multiline debug messages.  We want a newline
-	 * to appear in the log after each message.
-	 */
-
-	do {
-		buf = isc_mem_get(mctx, len);
-		if (buf == NULL)
-			break;
-		isc_buffer_init(&buffer, buf, len);
-		result = dns_message_totext(message, &dns_master_style_debug,
-					    0, &buffer);
-		if (result == ISC_R_NOSPACE) {
-			isc_mem_put(mctx, buf, len);
-			len += 1024;
-		} else if (result == ISC_R_SUCCESS)
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-				      DNS_LOGMODULE_RESOLVER, level,
-				      "received packet:\n%.*s",
-				      (int)isc_buffer_usedlength(&buffer),
-				      buf);
-	} while (result == ISC_R_NOSPACE);
-
-	if (buf != NULL)
-		isc_mem_put(mctx, buf, len);
-}
-
-static isc_boolean_t
-iscname(fetchctx_t *fctx) {
-	isc_result_t result;
-
-	result = dns_message_findname(fctx->rmessage, DNS_SECTION_ANSWER,
-				      &fctx->name, dns_rdatatype_cname, 0,
-				      NULL, NULL);
-	return (result == ISC_R_SUCCESS ? ISC_TRUE : ISC_FALSE);
-}
-
-static isc_boolean_t
-betterreferral(fetchctx_t *fctx) {
-	isc_result_t result;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	dns_message_t *message = fctx->rmessage;
-
-	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) {
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		if (!isstrictsubdomain(name, &fctx->domain))
-			continue;
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link))
-			if (rdataset->type == dns_rdatatype_ns)
-				return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-static void
-process_opt(resquery_t *query, dns_rdataset_t *opt) {
-	dns_rdata_t rdata;
-	isc_buffer_t optbuf;
-	isc_result_t result;
-	isc_uint16_t optcode;
-	isc_uint16_t optlen;
-
-	result = dns_rdataset_first(opt);
-	if (result == ISC_R_SUCCESS) {
-		dns_rdata_init(&rdata);
-		dns_rdataset_current(opt, &rdata);
-		isc_buffer_init(&optbuf, rdata.data, rdata.length);
-		isc_buffer_add(&optbuf, rdata.length);
-		while (isc_buffer_remaininglength(&optbuf) >= 4) {
-			optcode = isc_buffer_getuint16(&optbuf);
-			optlen = isc_buffer_getuint16(&optbuf);
-			INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
-			switch (optcode) {
-			case DNS_OPT_NSID:
-				if (query->options & DNS_FETCHOPT_WANTNSID)
-					log_nsid(&optbuf, optlen, query,
-						 ISC_LOG_INFO,
-						 query->fctx->res->mctx);
-				isc_buffer_forward(&optbuf, optlen);
-				break;
-			default:
-				isc_buffer_forward(&optbuf, optlen);
-				break;
-			}
-		}
-		INSIST(isc_buffer_remaininglength(&optbuf) == 0U);
-	}
-}
-
-static void
-resquery_response(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result = ISC_R_SUCCESS;
-	resquery_t *query = event->ev_arg;
-	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
-	isc_boolean_t keep_trying, get_nameservers, resend;
-	isc_boolean_t truncated;
-	dns_message_t *message;
-	dns_rdataset_t *opt;
-	fetchctx_t *fctx;
-	dns_name_t *fname;
-	dns_fixedname_t foundname;
-	isc_stdtime_t now;
-	isc_time_t tnow, *finish;
-	dns_adbaddrinfo_t *addrinfo;
-	unsigned int options;
-	unsigned int findoptions;
-	isc_result_t broken_server;
-	badnstype_t broken_type = badns_response;
-	isc_boolean_t no_response;
-
-	REQUIRE(VALID_QUERY(query));
-	fctx = query->fctx;
-	options = query->options;
-	REQUIRE(VALID_FCTX(fctx));
-	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
-
-	QTRACE("response");
-
-	if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET)
-		inc_stats(fctx->res, dns_resstatscounter_responsev4);
-	else
-		inc_stats(fctx->res, dns_resstatscounter_responsev6);
-
-	(void)isc_timer_touch(fctx->timer);
-
-	keep_trying = ISC_FALSE;
-	broken_server = ISC_R_SUCCESS;
-	get_nameservers = ISC_FALSE;
-	resend = ISC_FALSE;
-	truncated = ISC_FALSE;
-	finish = NULL;
-	no_response = ISC_FALSE;
-
-	if (fctx->res->exiting) {
-		result = ISC_R_SHUTTINGDOWN;
-		goto done;
-	}
-
-	fctx->timeouts = 0;
-	fctx->timeout = ISC_FALSE;
-	fctx->addrinfo = query->addrinfo;
-
-	/*
-	 * XXXRTH  We should really get the current time just once.  We
-	 *		need a routine to convert from an isc_time_t to an
-	 *		isc_stdtime_t.
-	 */
-	TIME_NOW(&tnow);
-	finish = &tnow;
-	isc_stdtime_get(&now);
-
-	/*
-	 * Did the dispatcher have a problem?
-	 */
-	if (devent->result != ISC_R_SUCCESS) {
-		if (devent->result == ISC_R_EOF &&
-		    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-			/*
-			 * The problem might be that they
-			 * don't understand EDNS0.  Turn it
-			 * off and try again.
-			 */
-			options |= DNS_FETCHOPT_NOEDNS0;
-			resend = ISC_TRUE;
-			add_bad_edns(fctx, &query->addrinfo->sockaddr);
-		} else {
-			/*
-			 * There's no hope for this query.
-			 */
-			keep_trying = ISC_TRUE;
-
-			/*
-			 * If this is a network error on an exclusive query
-			 * socket, mark the server as bad so that we won't try
-			 * it for this fetch again.  Also adjust finish and
-			 * no_response so that we penalize this address in SRTT
-			 * adjustment later.
-			 */
-			if (query->exclusivesocket &&
-			    (devent->result == ISC_R_HOSTUNREACH ||
-			     devent->result == ISC_R_NETUNREACH ||
-			     devent->result == ISC_R_CONNREFUSED ||
-			     devent->result == ISC_R_CANCELED)) {
-				    broken_server = devent->result;
-				    broken_type = badns_unreachable;
-				    finish = NULL;
-				    no_response = ISC_TRUE;
-			}
-		}
-		goto done;
-	}
-
-	message = fctx->rmessage;
-
-	if (query->tsig != NULL) {
-		result = dns_message_setquerytsig(message, query->tsig);
-		if (result != ISC_R_SUCCESS)
-			goto done;
-	}
-
-	if (query->tsigkey) {
-		result = dns_message_settsigkey(message, query->tsigkey);
-		if (result != ISC_R_SUCCESS)
-			goto done;
-	}
-
-	result = dns_message_parse(message, &devent->buffer, 0);
-	if (result != ISC_R_SUCCESS) {
-		switch (result) {
-		case ISC_R_UNEXPECTEDEND:
-			if (!message->question_ok ||
-			    (message->flags & DNS_MESSAGEFLAG_TC) == 0 ||
-			    (options & DNS_FETCHOPT_TCP) != 0) {
-				/*
-				 * Either the message ended prematurely,
-				 * and/or wasn't marked as being truncated,
-				 * and/or this is a response to a query we
-				 * sent over TCP.  In all of these cases,
-				 * something is wrong with the remote
-				 * server and we don't want to retry using
-				 * TCP.
-				 */
-				if ((query->options & DNS_FETCHOPT_NOEDNS0)
-				    == 0) {
-					/*
-					 * The problem might be that they
-					 * don't understand EDNS0.  Turn it
-					 * off and try again.
-					 */
-					options |= DNS_FETCHOPT_NOEDNS0;
-					resend = ISC_TRUE;
-					add_bad_edns(fctx,
-						    &query->addrinfo->sockaddr);
-					inc_stats(fctx->res,
-						 dns_resstatscounter_edns0fail);
-				} else {
-					broken_server = result;
-					keep_trying = ISC_TRUE;
-				}
-				goto done;
-			}
-			/*
-			 * We defer retrying via TCP for a bit so we can
-			 * check out this message further.
-			 */
-			truncated = ISC_TRUE;
-			break;
-		case DNS_R_FORMERR:
-			if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-				/*
-				 * The problem might be that they
-				 * don't understand EDNS0.  Turn it
-				 * off and try again.
-				 */
-				options |= DNS_FETCHOPT_NOEDNS0;
-				resend = ISC_TRUE;
-				add_bad_edns(fctx, &query->addrinfo->sockaddr);
-				inc_stats(fctx->res,
-						 dns_resstatscounter_edns0fail);
-			} else {
-				broken_server = DNS_R_UNEXPECTEDRCODE;
-				keep_trying = ISC_TRUE;
-			}
-			goto done;
-		default:
-			/*
-			 * Something bad has happened.
-			 */
-			goto done;
-		}
-	}
-
-
-	/*
-	 * Log the incoming packet.
-	 */
-	log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
-
-	/*
-	 * Process receive opt record.
-	 */
-	opt = dns_message_getopt(message);
-	if (opt != NULL)
-		process_opt(query, opt);
-
-	/*
-	 * If the message is signed, check the signature.  If not, this
-	 * returns success anyway.
-	 */
-	result = dns_message_checksig(message, fctx->res->view);
-	if (result != ISC_R_SUCCESS)
-		goto done;
-
-	/*
-	 * The dispatcher should ensure we only get responses with QR set.
-	 */
-	INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0);
-	/*
-	 * INSIST() that the message comes from the place we sent it to,
-	 * since the dispatch code should ensure this.
-	 *
-	 * INSIST() that the message id is correct (this should also be
-	 * ensured by the dispatch code).
-	 */
-
-	/*
-	 * We have an affirmative response to the query and we have
-	 * previously got a response from this server which indicated
-	 * EDNS may not be supported so we can now cache the lack of
-	 * EDNS support.
-	 */
-	if (opt == NULL &&
-	    (message->rcode == dns_rcode_noerror ||
-	     message->rcode == dns_rcode_nxdomain ||
-	     message->rcode == dns_rcode_refused ||
-	     message->rcode == dns_rcode_yxdomain) &&
-	     bad_edns(fctx, &query->addrinfo->sockaddr)) {
-		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-		isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
-				    sizeof(addrbuf));
-		dns_adb_changeflags(fctx->adb, query->addrinfo,
-				    DNS_FETCHOPT_NOEDNS0,
-				    DNS_FETCHOPT_NOEDNS0);
-	}
-
-	/*
-	 * Deal with truncated responses by retrying using TCP.
-	 */
-	if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
-		truncated = ISC_TRUE;
-
-	if (truncated) {
-		inc_stats(fctx->res, dns_resstatscounter_truncated);
-		if ((options & DNS_FETCHOPT_TCP) != 0) {
-			broken_server = DNS_R_TRUNCATEDTCP;
-			keep_trying = ISC_TRUE;
-		} else {
-			options |= DNS_FETCHOPT_TCP;
-			resend = ISC_TRUE;
-		}
-		goto done;
-	}
-
-	/*
-	 * Is it a query response?
-	 */
-	if (message->opcode != dns_opcode_query) {
-		/* XXXRTH Log */
-		broken_server = DNS_R_UNEXPECTEDOPCODE;
-		keep_trying = ISC_TRUE;
-		goto done;
-	}
-
-	/*
-	 * Update statistics about erroneous responses.
-	 */
-	if (message->rcode != dns_rcode_noerror) {
-		switch (message->rcode) {
-		case dns_rcode_nxdomain:
-			inc_stats(fctx->res, dns_resstatscounter_nxdomain);
-			break;
-		case dns_rcode_servfail:
-			inc_stats(fctx->res, dns_resstatscounter_servfail);
-			break;
-		case dns_rcode_formerr:
-			inc_stats(fctx->res, dns_resstatscounter_formerr);
-			break;
-		default:
-			inc_stats(fctx->res, dns_resstatscounter_othererror);
-			break;
-		}
-	}
-
-	/*
-	 * Is the remote server broken, or does it dislike us?
-	 */
-	if (message->rcode != dns_rcode_noerror &&
-	    message->rcode != dns_rcode_nxdomain) {
-		if (((message->rcode == dns_rcode_formerr ||
-		      message->rcode == dns_rcode_notimp) ||
-		     (message->rcode == dns_rcode_servfail &&
-		      dns_message_getopt(message) == NULL)) &&
-		    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-			/*
-			 * It's very likely they don't like EDNS0.
-			 * If the response code is SERVFAIL, also check if the
-			 * response contains an OPT RR and don't cache the
-			 * failure since it can be returned for various other
-			 * reasons.
-			 *
-			 * XXXRTH  We should check if the question
-			 *		we're asking requires EDNS0, and
-			 *		if so, we should bail out.
-			 */
-			options |= DNS_FETCHOPT_NOEDNS0;
-			resend = ISC_TRUE;
-			/*
-			 * Remember that they may not like EDNS0.
-			 */
-			add_bad_edns(fctx, &query->addrinfo->sockaddr);
-			inc_stats(fctx->res, dns_resstatscounter_edns0fail);
-		} else if (message->rcode == dns_rcode_formerr) {
-			if (ISFORWARDER(query->addrinfo)) {
-				/*
-				 * This forwarder doesn't understand us,
-				 * but other forwarders might.  Keep trying.
-				 */
-				broken_server = DNS_R_REMOTEFORMERR;
-				keep_trying = ISC_TRUE;
-			} else {
-				/*
-				 * The server doesn't understand us.  Since
-				 * all servers for a zone need similar
-				 * capabilities, we assume that we will get
-				 * FORMERR from all servers, and thus we
-				 * cannot make any more progress with this
-				 * fetch.
-				 */
-				log_formerr(fctx, "server sent FORMERR");
-				result = DNS_R_FORMERR;
-			}
-		} else if (message->rcode == dns_rcode_yxdomain) {
-			/*
-			 * DNAME mapping failed because the new name
-			 * was too long.  There's no chance of success
-			 * for this fetch.
-			 */
-			result = DNS_R_YXDOMAIN;
-		} else if (message->rcode == dns_rcode_badvers) {
-			unsigned int flags, mask;
-			unsigned int version;
-
-			resend = ISC_TRUE;
-			INSIST(opt != NULL);
-			version = (opt->ttl >> 16) & 0xff;
-			flags = (version << DNS_FETCHOPT_EDNSVERSIONSHIFT) |
-				DNS_FETCHOPT_EDNSVERSIONSET;
-			mask = DNS_FETCHOPT_EDNSVERSIONMASK |
-			       DNS_FETCHOPT_EDNSVERSIONSET;
-			switch (version) {
-			case 0:
-				dns_adb_changeflags(fctx->adb, query->addrinfo,
-						    flags, mask);
-				break;
-			default:
-				broken_server = DNS_R_BADVERS;
-				keep_trying = ISC_TRUE;
-				break;
-			}
-		} else {
-			/*
-			 * XXXRTH log.
-			 */
-			broken_server = DNS_R_UNEXPECTEDRCODE;
-			INSIST(broken_server != ISC_R_SUCCESS);
-			keep_trying = ISC_TRUE;
-		}
-		goto done;
-	}
-
-	/*
-	 * Is the question the same as the one we asked?
-	 */
-	result = same_question(fctx);
-	if (result != ISC_R_SUCCESS) {
-		/* XXXRTH Log */
-		if (result == DNS_R_FORMERR)
-			keep_trying = ISC_TRUE;
-		goto done;
-	}
-
-	/*
-	 * Is the server lame?
-	 */
-	if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
-	    is_lame(fctx)) {
-		inc_stats(fctx->res, dns_resstatscounter_lame);
-		log_lame(fctx, query->addrinfo);
-		result = dns_adb_marklame(fctx->adb, query->addrinfo,
-					  &fctx->name, fctx->type,
-					  now + fctx->res->lame_ttl);
-		if (result != ISC_R_SUCCESS)
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
-				      "could not mark server as lame: %s",
-				      isc_result_totext(result));
-		broken_server = DNS_R_LAME;
-		keep_trying = ISC_TRUE;
-		goto done;
-	}
-
-	/*
-	 * Enforce delegations only zones like NET and COM.
-	 */
-	if (!ISFORWARDER(query->addrinfo) &&
-	    dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
-	    !dns_name_equal(&fctx->domain, &fctx->name) &&
-	    fix_mustbedelegationornxdomain(message, fctx)) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		char domainbuf[DNS_NAME_FORMATSIZE];
-		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-		char classbuf[64];
-		char typebuf[64];
-
-		dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
-		dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
-		dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
-		dns_rdataclass_format(fctx->res->rdclass, classbuf,
-				      sizeof(classbuf));
-		isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
-				    sizeof(addrbuf));
-
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
-			     DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-			     "enforced delegation-only for '%s' (%s/%s/%s) "
-			     "from %s",
-			     domainbuf, namebuf, typebuf, classbuf, addrbuf);
-	}
-
-	if ((fctx->res->options & DNS_RESOLVER_CHECKNAMES) != 0)
-		checknames(message);
-
-	/*
-	 * Clear cache bits.
-	 */
-	fctx->attributes &= ~(FCTX_ATTR_WANTNCACHE | FCTX_ATTR_WANTCACHE);
-
-	/*
-	 * Did we get any answers?
-	 */
-	if (message->counts[DNS_SECTION_ANSWER] > 0 &&
-	    (message->rcode == dns_rcode_noerror ||
-	     message->rcode == dns_rcode_nxdomain)) {
-		/*
-		 * [normal case]
-		 * We've got answers.  If it has an authoritative answer or an
-		 * answer from a forwarder, we're done.
-		 */
-		if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 ||
-		    ISFORWARDER(query->addrinfo))
-			result = answer_response(fctx);
-		else if (iscname(fctx) &&
-			 fctx->type != dns_rdatatype_any &&
-			 fctx->type != dns_rdatatype_cname) {
-			/*
-			 * A BIND8 server could return a non-authoritative
-			 * answer when a CNAME is followed.  We should treat
-			 * it as a valid answer.
-			 */
-			result = answer_response(fctx);
-		} else if (fctx->type != dns_rdatatype_ns &&
-			   !betterreferral(fctx)) {
-			/*
-			 * Lame response !!!.
-			 */
-			result = answer_response(fctx);
-		} else {
-			if (fctx->type == dns_rdatatype_ns) {
-				/*
-				 * A BIND 8 server could incorrectly return a
-				 * non-authoritative answer to an NS query
-				 * instead of a referral. Since this answer
-				 * lacks the SIGs necessary to do DNSSEC
-				 * validation, we must invoke the following
-				 * special kludge to treat it as a referral.
-				 */
-				result = noanswer_response(fctx, NULL,
-						   LOOK_FOR_NS_IN_ANSWER);
-			} else {
-				/*
-				 * Some other servers may still somehow include
-				 * an answer when it should return a referral
-				 * with an empty answer.  Check to see if we can
-				 * treat this as a referral by ignoring the
-				 * answer.  Further more, there may be an
-				 * implementation that moves A/AAAA glue records
-				 * to the answer section for that type of
-				 * delegation when the query is for that glue
-				 * record.  LOOK_FOR_GLUE_IN_ANSWER will handle
-				 * such a corner case.
-				 */
-				result = noanswer_response(fctx, NULL,
-						   LOOK_FOR_GLUE_IN_ANSWER);
-			}
-			if (result != DNS_R_DELEGATION) {
-				/*
-				 * At this point, AA is not set, the response
-				 * is not a referral, and the server is not a
-				 * forwarder.  It is technically lame and it's
-				 * easier to treat it as such than to figure out
-				 * some more elaborate course of action.
-				 */
-				broken_server = DNS_R_LAME;
-				keep_trying = ISC_TRUE;
-				goto done;
-			}
-			goto force_referral;
-		}
-		if (result != ISC_R_SUCCESS) {
-			if (result == DNS_R_FORMERR)
-				keep_trying = ISC_TRUE;
-			goto done;
-		}
-	} else if (message->counts[DNS_SECTION_AUTHORITY] > 0 ||
-		   message->rcode == dns_rcode_noerror ||
-		   message->rcode == dns_rcode_nxdomain) {
-		/*
-		 * NXDOMAIN, NXRDATASET, or referral.
-		 */
-		result = noanswer_response(fctx, NULL, 0);
-		if (result == DNS_R_CHASEDSSERVERS) {
-		} else if (result == DNS_R_DELEGATION) {
-		force_referral:
-			/*
-			 * We don't have the answer, but we know a better
-			 * place to look.
-			 */
-			get_nameservers = ISC_TRUE;
-			keep_trying = ISC_TRUE;
-			/*
-			 * We have a new set of name servers, and it
-			 * has not experienced any restarts yet.
-			 */
-			fctx->restarts = 0;
-
-			/*
-			 * Update local statistics counters collected for each
-			 * new zone.
-			 */
-			fctx->referrals++;
-			fctx->querysent = 0;
-			fctx->lamecount = 0;
-			fctx->neterr = 0;
-			fctx->badresp = 0;
-			fctx->adberr = 0;
-
-			result = ISC_R_SUCCESS;
-		} else if (result != ISC_R_SUCCESS) {
-			/*
-			 * Something has gone wrong.
-			 */
-			if (result == DNS_R_FORMERR)
-				keep_trying = ISC_TRUE;
-			goto done;
-		}
-	} else {
-		/*
-		 * The server is insane.
-		 */
-		/* XXXRTH Log */
-		broken_server = DNS_R_UNEXPECTEDRCODE;
-		keep_trying = ISC_TRUE;
-		goto done;
-	}
-
-	/*
-	 * Follow additional section data chains.
-	 */
-	chase_additional(fctx);
-
-	/*
-	 * Cache the cacheable parts of the message.  This may also cause
-	 * work to be queued to the DNSSEC validator.
-	 */
-	if (WANTCACHE(fctx)) {
-		result = cache_message(fctx, query->addrinfo, now);
-		if (result != ISC_R_SUCCESS)
-			goto done;
-	}
-
-	/*
-	 * Ncache the negatively cacheable parts of the message.  This may
-	 * also cause work to be queued to the DNSSEC validator.
-	 */
-	if (WANTNCACHE(fctx)) {
-		dns_rdatatype_t covers;
-		if (message->rcode == dns_rcode_nxdomain)
-			covers = dns_rdatatype_any;
-		else
-			covers = fctx->type;
-
-		/*
-		 * Cache any negative cache entries in the message.
-		 */
-		result = ncache_message(fctx, query->addrinfo, covers, now);
-	}
-
- done:
-	/*
-	 * Remember the query's addrinfo, in case we need to mark the
-	 * server as broken.
-	 */
-	addrinfo = query->addrinfo;
-
-	/*
-	 * Cancel the query.
-	 *
-	 * XXXRTH  Don't cancel the query if waiting for validation?
-	 */
-	fctx_cancelquery(&query, &devent, finish, no_response);
-
-	if (keep_trying) {
-		if (result == DNS_R_FORMERR)
-			broken_server = DNS_R_FORMERR;
-		if (broken_server != ISC_R_SUCCESS) {
-			/*
-			 * Add this server to the list of bad servers for
-			 * this fctx.
-			 */
-			add_bad(fctx, addrinfo, broken_server, broken_type);
-		}
-
-		if (get_nameservers) {
-			dns_name_t *name;
-			dns_fixedname_init(&foundname);
-			fname = dns_fixedname_name(&foundname);
-			if (result != ISC_R_SUCCESS) {
-				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-				return;
-			}
-			findoptions = 0;
-			if (dns_rdatatype_atparent(fctx->type))
-				findoptions |= DNS_DBFIND_NOEXACT;
-			if ((options & DNS_FETCHOPT_UNSHARED) == 0)
-				name = &fctx->name;
-			else
-				name = &fctx->domain;
-			result = dns_view_findzonecut(fctx->res->view,
-						      name, fname,
-						      now, findoptions,
-						      ISC_TRUE,
-						      &fctx->nameservers,
-						      NULL);
-			if (result != ISC_R_SUCCESS) {
-				FCTXTRACE("couldn't find a zonecut");
-				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-				return;
-			}
-			if (!dns_name_issubdomain(fname, &fctx->domain)) {
-				/*
-				 * The best nameservers are now above our
-				 * QDOMAIN.
-				 */
-				FCTXTRACE("nameservers now above QDOMAIN");
-				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-				return;
-			}
-			dns_name_free(&fctx->domain, fctx->mctx);
-			dns_name_init(&fctx->domain, NULL);
-			result = dns_name_dup(fname, fctx->mctx, &fctx->domain);
-			if (result != ISC_R_SUCCESS) {
-				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
-				return;
-			}
-			fctx->ns_ttl = fctx->nameservers.ttl;
-			fctx->ns_ttl_ok = ISC_TRUE;
-			fctx_cancelqueries(fctx, ISC_TRUE);
-			fctx_cleanupfinds(fctx);
-			fctx_cleanupaltfinds(fctx);
-			fctx_cleanupforwaddrs(fctx);
-			fctx_cleanupaltaddrs(fctx);
-		}
-		/*
-		 * Try again.
-		 */
-		fctx_try(fctx, !get_nameservers, ISC_FALSE);
-	} else if (resend) {
-		/*
-		 * Resend (probably with changed options).
-		 */
-		FCTXTRACE("resend");
-		inc_stats(fctx->res, dns_resstatscounter_retry);
-		result = fctx_query(fctx, addrinfo, options);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result, __LINE__);
-	} else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
-		/*
-		 * All has gone well so far, but we are waiting for the
-		 * DNSSEC validator to validate the answer.
-		 */
-		FCTXTRACE("wait for validator");
-		fctx_cancelqueries(fctx, ISC_TRUE);
-		/*
-		 * We must not retransmit while the validator is working;
-		 * it has references to the current rmessage.
-		 */
-		result = fctx_stopidletimer(fctx);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result, __LINE__);
-	} else if (result == DNS_R_CHASEDSSERVERS) {
-		unsigned int n;
-		add_bad(fctx, addrinfo, result, broken_type);
-		fctx_cancelqueries(fctx, ISC_TRUE);
-		fctx_cleanupfinds(fctx);
-		fctx_cleanupforwaddrs(fctx);
-
-		n = dns_name_countlabels(&fctx->name);
-		dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
-
-		FCTXTRACE("suspending DS lookup to find parent's NS records");
-
-		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
-						  dns_rdatatype_ns,
-						  NULL, NULL, NULL, 0, task,
-						  resume_dslookup, fctx,
-						  &fctx->nsrrset, NULL,
-						  &fctx->nsfetch);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result, __LINE__);
-		else {
-			LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-			fctx->references++;
-			UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-			result = fctx_stopidletimer(fctx);
-			if (result != ISC_R_SUCCESS)
-				fctx_done(fctx, result, __LINE__);
-		}
-	} else {
-		/*
-		 * We're done.
-		 */
-		fctx_done(fctx, result, __LINE__);
-	}
-}
-
-
-/***
- *** Resolver Methods
- ***/
-static void
-destroy_badcache(dns_resolver_t *res) {
-	dns_badcache_t *bad, *next;
-	unsigned int i;
-
-	if (res->badcache != NULL) {
-		for (i = 0; i < res->badhash; i++)
-			for (bad = res->badcache[i]; bad != NULL;
-			     bad = next) {
-				next = bad->next;
-				isc_mem_put(res->mctx, bad, sizeof(*bad) +
-					    bad->name.length);
-				res->badcount--;
-			}
-		isc_mem_put(res->mctx, res->badcache,
-			    sizeof(*res->badcache) * res->badhash);
-		res->badcache = NULL;
-		res->badhash = 0;
-		INSIST(res->badcount == 0);
-	}
-}
-
-static void
-destroy(dns_resolver_t *res) {
-	unsigned int i;
-	alternate_t *a;
-
-	REQUIRE(res->references == 0);
-	REQUIRE(!res->priming);
-	REQUIRE(res->primefetch == NULL);
-
-	RTRACE("destroy");
-
-	INSIST(res->nfctx == 0);
-
-	DESTROYLOCK(&res->primelock);
-	DESTROYLOCK(&res->nlock);
-	DESTROYLOCK(&res->lock);
-	for (i = 0; i < res->nbuckets; i++) {
-		INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs));
-		isc_task_shutdown(res->buckets[i].task);
-		isc_task_detach(&res->buckets[i].task);
-		DESTROYLOCK(&res->buckets[i].lock);
-		isc_mem_detach(&res->buckets[i].mctx);
-	}
-	isc_mem_put(res->mctx, res->buckets,
-		    res->nbuckets * sizeof(fctxbucket_t));
-	if (res->dispatches4 != NULL)
-		dns_dispatchset_destroy(&res->dispatches4);
-	if (res->dispatches6 != NULL)
-		dns_dispatchset_destroy(&res->dispatches6);
-	while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
-		ISC_LIST_UNLINK(res->alternates, a, link);
-		if (!a->isaddress)
-			dns_name_free(&a->_u._n.name, res->mctx);
-		isc_mem_put(res->mctx, a, sizeof(*a));
-	}
-	dns_resolver_reset_algorithms(res);
-	destroy_badcache(res);
-	dns_resolver_resetmustbesecure(res);
-#if USE_ALGLOCK
-	isc_rwlock_destroy(&res->alglock);
-#endif
-#if USE_MBSLOCK
-	isc_rwlock_destroy(&res->mbslock);
-#endif
-	isc_timer_detach(&res->spillattimer);
-	res->magic = 0;
-	isc_mem_put(res->mctx, res, sizeof(*res));
-}
-
-static void
-send_shutdown_events(dns_resolver_t *res) {
-	isc_event_t *event, *next_event;
-	isc_task_t *etask;
-
-	/*
-	 * Caller must be holding the resolver lock.
-	 */
-
-	for (event = ISC_LIST_HEAD(res->whenshutdown);
-	     event != NULL;
-	     event = next_event) {
-		next_event = ISC_LIST_NEXT(event, ev_link);
-		ISC_LIST_UNLINK(res->whenshutdown, event, ev_link);
-		etask = event->ev_sender;
-		event->ev_sender = res;
-		isc_task_sendanddetach(&etask, &event);
-	}
-}
-
-static void
-empty_bucket(dns_resolver_t *res) {
-	RTRACE("empty_bucket");
-
-	LOCK(&res->lock);
-
-	INSIST(res->activebuckets > 0);
-	res->activebuckets--;
-	if (res->activebuckets == 0)
-		send_shutdown_events(res);
-
-	UNLOCK(&res->lock);
-}
-
-static void
-spillattimer_countdown(isc_task_t *task, isc_event_t *event) {
-	dns_resolver_t *res = event->ev_arg;
-	isc_result_t result;
-	unsigned int count;
-	isc_boolean_t logit = ISC_FALSE;
-
-	REQUIRE(VALID_RESOLVER(res));
-
-	UNUSED(task);
-
-	LOCK(&res->lock);
-	INSIST(!res->exiting);
-	if (res->spillat > res->spillatmin) {
-		res->spillat--;
-		logit = ISC_TRUE;
-	}
-	if (res->spillat <= res->spillatmin) {
-		result = isc_timer_reset(res->spillattimer,
-					 isc_timertype_inactive, NULL,
-					 NULL, ISC_TRUE);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	}
-	count = res->spillat;
-	UNLOCK(&res->lock);
-	if (logit)
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-			      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-			      "clients-per-query decreased to %u", count);
-
-	isc_event_free(&event);
-}
-
-isc_result_t
-dns_resolver_create(dns_view_t *view,
-		    isc_taskmgr_t *taskmgr,
-		    unsigned int ntasks, unsigned int ndisp,
-		    isc_socketmgr_t *socketmgr,
-		    isc_timermgr_t *timermgr,
-		    unsigned int options,
-		    dns_dispatchmgr_t *dispatchmgr,
-		    dns_dispatch_t *dispatchv4,
-		    dns_dispatch_t *dispatchv6,
-		    dns_resolver_t **resp)
-{
-	dns_resolver_t *res;
-	isc_result_t result = ISC_R_SUCCESS;
-	unsigned int i, buckets_created = 0;
-	isc_task_t *task = NULL;
-	char name[16];
-	unsigned dispattr;
-
-	/*
-	 * Create a resolver.
-	 */
-
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(ntasks > 0);
-	REQUIRE(ndisp > 0);
-	REQUIRE(resp != NULL && *resp == NULL);
-	REQUIRE(dispatchmgr != NULL);
-	REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
-
-	res = isc_mem_get(view->mctx, sizeof(*res));
-	if (res == NULL)
-		return (ISC_R_NOMEMORY);
-	RTRACE("create");
-	res->mctx = view->mctx;
-	res->rdclass = view->rdclass;
-	res->socketmgr = socketmgr;
-	res->timermgr = timermgr;
-	res->taskmgr = taskmgr;
-	res->dispatchmgr = dispatchmgr;
-	res->view = view;
-	res->options = options;
-	res->lame_ttl = 0;
-	ISC_LIST_INIT(res->alternates);
-	res->udpsize = RECV_BUFFER_SIZE;
-	res->algorithms = NULL;
-	res->badcache = NULL;
-	res->badcount = 0;
-	res->badhash = 0;
-	res->badsweep = 0;
-	res->mustbesecure = NULL;
-	res->spillatmin = res->spillat = 10;
-	res->spillatmax = 100;
-	res->spillattimer = NULL;
-	res->zero_no_soa_ttl = ISC_FALSE;
-	res->query_timeout = DEFAULT_QUERY_TIMEOUT;
-	res->nbuckets = ntasks;
-	res->activebuckets = ntasks;
-	res->buckets = isc_mem_get(view->mctx,
-				   ntasks * sizeof(fctxbucket_t));
-	if (res->buckets == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_res;
-	}
-	for (i = 0; i < ntasks; i++) {
-		result = isc_mutex_init(&res->buckets[i].lock);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_buckets;
-		res->buckets[i].task = NULL;
-		result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
-		if (result != ISC_R_SUCCESS) {
-			DESTROYLOCK(&res->buckets[i].lock);
-			goto cleanup_buckets;
-		}
-		res->buckets[i].mctx = NULL;
-		snprintf(name, sizeof(name), "res%u", i);
-#ifdef ISC_PLATFORM_USETHREADS
-		/*
-		 * Use a separate memory context for each bucket to reduce
-		 * contention among multiple threads.  Do this only when
-		 * enabling threads because it will be require more memory.
-		 */
-		result = isc_mem_create(0, 0, &res->buckets[i].mctx);
-		if (result != ISC_R_SUCCESS) {
-			isc_task_detach(&res->buckets[i].task);
-			DESTROYLOCK(&res->buckets[i].lock);
-			goto cleanup_buckets;
-		}
-		isc_mem_setname(res->buckets[i].mctx, name, NULL);
-#else
-		isc_mem_attach(view->mctx, &res->buckets[i].mctx);
-#endif
-		isc_task_setname(res->buckets[i].task, name, res);
-		ISC_LIST_INIT(res->buckets[i].fctxs);
-		res->buckets[i].exiting = ISC_FALSE;
-		buckets_created++;
-	}
-
-	res->dispatches4 = NULL;
-	if (dispatchv4 != NULL) {
-		dns_dispatchset_create(view->mctx, socketmgr, taskmgr,
-				       dispatchv4, &res->dispatches4, ndisp);
-		dispattr = dns_dispatch_getattributes(dispatchv4);
-		res->exclusivev4 =
-			ISC_TF((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0);
-	}
-
-	res->dispatches6 = NULL;
-	if (dispatchv6 != NULL) {
-		dns_dispatchset_create(view->mctx, socketmgr, taskmgr,
-				       dispatchv6, &res->dispatches6, ndisp);
-		dispattr = dns_dispatch_getattributes(dispatchv6);
-		res->exclusivev6 =
-			ISC_TF((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0);
-	}
-
-	res->references = 1;
-	res->exiting = ISC_FALSE;
-	res->frozen = ISC_FALSE;
-	ISC_LIST_INIT(res->whenshutdown);
-	res->priming = ISC_FALSE;
-	res->primefetch = NULL;
-	res->nfctx = 0;
-
-	result = isc_mutex_init(&res->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_dispatches;
-
-	result = isc_mutex_init(&res->nlock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-
-	result = isc_mutex_init(&res->primelock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_nlock;
-
-	task = NULL;
-	result = isc_task_create(taskmgr, 0, &task);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_primelock;
-
-	result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
-				  task, spillattimer_countdown, res,
-				  &res->spillattimer);
-	isc_task_detach(&task);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_primelock;
-
-#if USE_ALGLOCK
-	result = isc_rwlock_init(&res->alglock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_spillattimer;
-#endif
-#if USE_MBSLOCK
-	result = isc_rwlock_init(&res->mbslock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_alglock;
-#endif
-
-	res->magic = RES_MAGIC;
-
-	*resp = res;
-
-	return (ISC_R_SUCCESS);
-
-#if USE_MBSLOCK
- cleanup_alglock:
-#if USE_ALGLOCK
-	isc_rwlock_destroy(&res->alglock);
-#endif
-#endif
-#if USE_ALGLOCK || USE_MBSLOCK
- cleanup_spillattimer:
-	isc_timer_detach(&res->spillattimer);
-#endif
-
- cleanup_primelock:
-	DESTROYLOCK(&res->primelock);
-
- cleanup_nlock:
-	DESTROYLOCK(&res->nlock);
-
- cleanup_lock:
-	DESTROYLOCK(&res->lock);
-
- cleanup_dispatches:
-	if (res->dispatches6 != NULL)
-		dns_dispatchset_destroy(&res->dispatches6);
-	if (res->dispatches4 != NULL)
-		dns_dispatchset_destroy(&res->dispatches4);
-
- cleanup_buckets:
-	for (i = 0; i < buckets_created; i++) {
-		isc_mem_detach(&res->buckets[i].mctx);
-		DESTROYLOCK(&res->buckets[i].lock);
-		isc_task_shutdown(res->buckets[i].task);
-		isc_task_detach(&res->buckets[i].task);
-	}
-	isc_mem_put(view->mctx, res->buckets,
-		    res->nbuckets * sizeof(fctxbucket_t));
-
- cleanup_res:
-	isc_mem_put(view->mctx, res, sizeof(*res));
-
-	return (result);
-}
-
-#ifdef BIND9
-static void
-prime_done(isc_task_t *task, isc_event_t *event) {
-	dns_resolver_t *res;
-	dns_fetchevent_t *fevent;
-	dns_fetch_t *fetch;
-	dns_db_t *db = NULL;
-
-	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
-	fevent = (dns_fetchevent_t *)event;
-	res = event->ev_arg;
-	REQUIRE(VALID_RESOLVER(res));
-
-	UNUSED(task);
-
-	LOCK(&res->lock);
-
-	INSIST(res->priming);
-	res->priming = ISC_FALSE;
-	LOCK(&res->primelock);
-	fetch = res->primefetch;
-	res->primefetch = NULL;
-	UNLOCK(&res->primelock);
-
-	UNLOCK(&res->lock);
-
-	if (fevent->result == ISC_R_SUCCESS &&
-	    res->view->cache != NULL && res->view->hints != NULL) {
-		dns_cache_attachdb(res->view->cache, &db);
-		dns_root_checkhints(res->view, res->view->hints, db);
-		dns_db_detach(&db);
-	}
-
-	if (fevent->node != NULL)
-		dns_db_detachnode(fevent->db, &fevent->node);
-	if (fevent->db != NULL)
-		dns_db_detach(&fevent->db);
-	if (dns_rdataset_isassociated(fevent->rdataset))
-		dns_rdataset_disassociate(fevent->rdataset);
-	INSIST(fevent->sigrdataset == NULL);
-
-	isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset));
-
-	isc_event_free(&event);
-	dns_resolver_destroyfetch(&fetch);
-}
-
-void
-dns_resolver_prime(dns_resolver_t *res) {
-	isc_boolean_t want_priming = ISC_FALSE;
-	dns_rdataset_t *rdataset;
-	isc_result_t result;
-
-	REQUIRE(VALID_RESOLVER(res));
-	REQUIRE(res->frozen);
-
-	RTRACE("dns_resolver_prime");
-
-	LOCK(&res->lock);
-
-	if (!res->exiting && !res->priming) {
-		INSIST(res->primefetch == NULL);
-		res->priming = ISC_TRUE;
-		want_priming = ISC_TRUE;
-	}
-
-	UNLOCK(&res->lock);
-
-	if (want_priming) {
-		/*
-		 * To avoid any possible recursive locking problems, we
-		 * start the priming fetch like any other fetch, and holding
-		 * no resolver locks.  No one else will try to start it
-		 * because we're the ones who set res->priming to true.
-		 * Any other callers of dns_resolver_prime() while we're
-		 * running will see that res->priming is already true and
-		 * do nothing.
-		 */
-		RTRACE("priming");
-		rdataset = isc_mem_get(res->mctx, sizeof(*rdataset));
-		if (rdataset == NULL) {
-			LOCK(&res->lock);
-			INSIST(res->priming);
-			INSIST(res->primefetch == NULL);
-			res->priming = ISC_FALSE;
-			UNLOCK(&res->lock);
-			return;
-		}
-		dns_rdataset_init(rdataset);
-		LOCK(&res->primelock);
-		result = dns_resolver_createfetch(res, dns_rootname,
-						  dns_rdatatype_ns,
-						  NULL, NULL, NULL, 0,
-						  res->buckets[0].task,
-						  prime_done,
-						  res, rdataset, NULL,
-						  &res->primefetch);
-		UNLOCK(&res->primelock);
-		if (result != ISC_R_SUCCESS) {
-			LOCK(&res->lock);
-			INSIST(res->priming);
-			res->priming = ISC_FALSE;
-			UNLOCK(&res->lock);
-		}
-	}
-}
-#endif /* BIND9 */
-
-void
-dns_resolver_freeze(dns_resolver_t *res) {
-	/*
-	 * Freeze resolver.
-	 */
-
-	REQUIRE(VALID_RESOLVER(res));
-
-	res->frozen = ISC_TRUE;
-}
-
-void
-dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) {
-	REQUIRE(VALID_RESOLVER(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	RRTRACE(source, "attach");
-	LOCK(&source->lock);
-	REQUIRE(!source->exiting);
-
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references != 0);
-	UNLOCK(&source->lock);
-
-	*targetp = source;
-}
-
-void
-dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
-			  isc_event_t **eventp)
-{
-	isc_task_t *clone;
-	isc_event_t *event;
-
-	REQUIRE(VALID_RESOLVER(res));
-	REQUIRE(eventp != NULL);
-
-	event = *eventp;
-	*eventp = NULL;
-
-	LOCK(&res->lock);
-
-	if (res->exiting && res->activebuckets == 0) {
-		/*
-		 * We're already shutdown.  Send the event.
-		 */
-		event->ev_sender = res;
-		isc_task_send(task, &event);
-	} else {
-		clone = NULL;
-		isc_task_attach(task, &clone);
-		event->ev_sender = clone;
-		ISC_LIST_APPEND(res->whenshutdown, event, ev_link);
-	}
-
-	UNLOCK(&res->lock);
-}
-
-void
-dns_resolver_shutdown(dns_resolver_t *res) {
-	unsigned int i;
-	fetchctx_t *fctx;
-	isc_result_t result;
-
-	REQUIRE(VALID_RESOLVER(res));
-
-	RTRACE("shutdown");
-
-	LOCK(&res->lock);
-
-	if (!res->exiting) {
-		RTRACE("exiting");
-		res->exiting = ISC_TRUE;
-
-		for (i = 0; i < res->nbuckets; i++) {
-			LOCK(&res->buckets[i].lock);
-			for (fctx = ISC_LIST_HEAD(res->buckets[i].fctxs);
-			     fctx != NULL;
-			     fctx = ISC_LIST_NEXT(fctx, link))
-				fctx_shutdown(fctx);
-			if (res->dispatches4 != NULL && !res->exclusivev4) {
-				dns_dispatchset_cancelall(res->dispatches4,
-							  res->buckets[i].task);
-			}
-			if (res->dispatches6 != NULL && !res->exclusivev6) {
-				dns_dispatchset_cancelall(res->dispatches6,
-							  res->buckets[i].task);
-			}
-			res->buckets[i].exiting = ISC_TRUE;
-			if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) {
-				INSIST(res->activebuckets > 0);
-				res->activebuckets--;
-			}
-			UNLOCK(&res->buckets[i].lock);
-		}
-		if (res->activebuckets == 0)
-			send_shutdown_events(res);
-		result = isc_timer_reset(res->spillattimer,
-					 isc_timertype_inactive, NULL,
-					 NULL, ISC_TRUE);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	}
-
-	UNLOCK(&res->lock);
-}
-
-void
-dns_resolver_detach(dns_resolver_t **resp) {
-	dns_resolver_t *res;
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(resp != NULL);
-	res = *resp;
-	REQUIRE(VALID_RESOLVER(res));
-
-	RTRACE("detach");
-
-	LOCK(&res->lock);
-
-	INSIST(res->references > 0);
-	res->references--;
-	if (res->references == 0) {
-		INSIST(res->exiting && res->activebuckets == 0);
-		need_destroy = ISC_TRUE;
-	}
-
-	UNLOCK(&res->lock);
-
-	if (need_destroy)
-		destroy(res);
-
-	*resp = NULL;
-}
-
-static inline isc_boolean_t
-fctx_match(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
-	   unsigned int options)
-{
-	/*
-	 * Don't match fetch contexts that are shutting down.
-	 */
-	if (fctx->cloned || fctx->state == fetchstate_done ||
-	    ISC_LIST_EMPTY(fctx->events))
-		return (ISC_FALSE);
-
-	if (fctx->type != type || fctx->options != options)
-		return (ISC_FALSE);
-	return (dns_name_equal(&fctx->name, name));
-}
-
-static inline void
-log_fetch(dns_name_t *name, dns_rdatatype_t type) {
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	int level = ISC_LOG_DEBUG(1);
-
-	if (! isc_log_wouldlog(dns_lctx, level))
-		return;
-
-	dns_name_format(name, namebuf, sizeof(namebuf));
-	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
-		      DNS_LOGMODULE_RESOLVER, level,
-		      "createfetch: %s %s", namebuf, typebuf);
-}
-
-isc_result_t
-dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
-			 dns_rdatatype_t type,
-			 dns_name_t *domain, dns_rdataset_t *nameservers,
-			 dns_forwarders_t *forwarders,
-			 unsigned int options, isc_task_t *task,
-			 isc_taskaction_t action, void *arg,
-			 dns_rdataset_t *rdataset,
-			 dns_rdataset_t *sigrdataset,
-			 dns_fetch_t **fetchp)
-{
-	return (dns_resolver_createfetch2(res, name, type, domain,
-					  nameservers, forwarders, NULL, 0,
-					  options, task, action, arg,
-					  rdataset, sigrdataset, fetchp));
-}
-
-isc_result_t
-dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
-			  dns_rdatatype_t type,
-			  dns_name_t *domain, dns_rdataset_t *nameservers,
-			  dns_forwarders_t *forwarders,
-			  isc_sockaddr_t *client, dns_messageid_t id,
-			  unsigned int options, isc_task_t *task,
-			  isc_taskaction_t action, void *arg,
-			  dns_rdataset_t *rdataset,
-			  dns_rdataset_t *sigrdataset,
-			  dns_fetch_t **fetchp)
-{
-	dns_fetch_t *fetch;
-	fetchctx_t *fctx = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-	unsigned int bucketnum;
-	isc_boolean_t new_fctx = ISC_FALSE;
-	isc_event_t *event;
-	unsigned int count = 0;
-	unsigned int spillat;
-	unsigned int spillatmin;
-	isc_boolean_t destroy = ISC_FALSE;
-
-	UNUSED(forwarders);
-
-	REQUIRE(VALID_RESOLVER(res));
-	REQUIRE(res->frozen);
-	/* XXXRTH  Check for meta type */
-	if (domain != NULL) {
-		REQUIRE(DNS_RDATASET_VALID(nameservers));
-		REQUIRE(nameservers->type == dns_rdatatype_ns);
-	} else
-		REQUIRE(nameservers == NULL);
-	REQUIRE(forwarders == NULL);
-	REQUIRE(!dns_rdataset_isassociated(rdataset));
-	REQUIRE(sigrdataset == NULL ||
-		!dns_rdataset_isassociated(sigrdataset));
-	REQUIRE(fetchp != NULL && *fetchp == NULL);
-
-	log_fetch(name, type);
-
-	/*
-	 * XXXRTH  use a mempool?
-	 */
-	fetch = isc_mem_get(res->mctx, sizeof(*fetch));
-	if (fetch == NULL)
-		return (ISC_R_NOMEMORY);
-
-	bucketnum = dns_name_fullhash(name, ISC_FALSE) % res->nbuckets;
-
-	LOCK(&res->lock);
-	spillat = res->spillat;
-	spillatmin = res->spillatmin;
-	UNLOCK(&res->lock);
-	LOCK(&res->buckets[bucketnum].lock);
-
-	if (res->buckets[bucketnum].exiting) {
-		result = ISC_R_SHUTTINGDOWN;
-		goto unlock;
-	}
-
-	if ((options & DNS_FETCHOPT_UNSHARED) == 0) {
-		for (fctx = ISC_LIST_HEAD(res->buckets[bucketnum].fctxs);
-		     fctx != NULL;
-		     fctx = ISC_LIST_NEXT(fctx, link)) {
-			if (fctx_match(fctx, name, type, options))
-				break;
-		}
-	}
-
-	/*
-	 * Is this a duplicate?
-	 */
-	if (fctx != NULL && client != NULL) {
-		dns_fetchevent_t *fevent;
-		for (fevent = ISC_LIST_HEAD(fctx->events);
-		     fevent != NULL;
-		     fevent = ISC_LIST_NEXT(fevent, ev_link)) {
-			if (fevent->client != NULL && fevent->id == id &&
-			    isc_sockaddr_equal(fevent->client, client)) {
-				result = DNS_R_DUPLICATE;
-				goto unlock;
-			}
-			count++;
-		}
-	}
-	if (count >= spillatmin && spillatmin != 0) {
-		INSIST(fctx != NULL);
-		if (count >= spillat)
-			fctx->spilled = ISC_TRUE;
-		if (fctx->spilled) {
-			result = DNS_R_DROP;
-			goto unlock;
-		}
-	}
-
-	if (fctx == NULL) {
-		result = fctx_create(res, name, type, domain, nameservers,
-				     options, bucketnum, &fctx);
-		if (result != ISC_R_SUCCESS)
-			goto unlock;
-		new_fctx = ISC_TRUE;
-	}
-
-	result = fctx_join(fctx, task, client, id, action, arg,
-			   rdataset, sigrdataset, fetch);
-	if (new_fctx) {
-		if (result == ISC_R_SUCCESS) {
-			/*
-			 * Launch this fctx.
-			 */
-			event = &fctx->control_event;
-			ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
-				       DNS_EVENT_FETCHCONTROL,
-				       fctx_start, fctx, NULL,
-				       NULL, NULL);
-			isc_task_send(res->buckets[bucketnum].task, &event);
-		} else {
-			/*
-			 * We don't care about the result of fctx_unlink()
-			 * since we know we're not exiting.
-			 */
-			(void)fctx_unlink(fctx);
-			destroy = ISC_TRUE;
-		}
-	}
-
- unlock:
-	UNLOCK(&res->buckets[bucketnum].lock);
-
-	if (destroy)
-		fctx_destroy(fctx);
-
-	if (result == ISC_R_SUCCESS) {
-		FTRACE("created");
-		*fetchp = fetch;
-	} else
-		isc_mem_put(res->mctx, fetch, sizeof(*fetch));
-
-	return (result);
-}
-
-void
-dns_resolver_cancelfetch(dns_fetch_t *fetch) {
-	fetchctx_t *fctx;
-	dns_resolver_t *res;
-	dns_fetchevent_t *event, *next_event;
-	isc_task_t *etask;
-
-	REQUIRE(DNS_FETCH_VALID(fetch));
-	fctx = fetch->private;
-	REQUIRE(VALID_FCTX(fctx));
-	res = fctx->res;
-
-	FTRACE("cancelfetch");
-
-	LOCK(&res->buckets[fctx->bucketnum].lock);
-
-	/*
-	 * Find the completion event for this fetch (as opposed
-	 * to those for other fetches that have joined the same
-	 * fctx) and send it with result = ISC_R_CANCELED.
-	 */
-	event = NULL;
-	if (fctx->state != fetchstate_done) {
-		for (event = ISC_LIST_HEAD(fctx->events);
-		     event != NULL;
-		     event = next_event) {
-			next_event = ISC_LIST_NEXT(event, ev_link);
-			if (event->fetch == fetch) {
-				ISC_LIST_UNLINK(fctx->events, event, ev_link);
-				break;
-			}
-		}
-	}
-	if (event != NULL) {
-		etask = event->ev_sender;
-		event->ev_sender = fctx;
-		event->result = ISC_R_CANCELED;
-		isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
-	}
-	/*
-	 * The fctx continues running even if no fetches remain;
-	 * the answer is still cached.
-	 */
-
-	UNLOCK(&res->buckets[fctx->bucketnum].lock);
-}
-
-void
-dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
-	dns_fetch_t *fetch;
-	dns_resolver_t *res;
-	dns_fetchevent_t *event, *next_event;
-	fetchctx_t *fctx;
-	unsigned int bucketnum;
-	isc_boolean_t bucket_empty;
-
-	REQUIRE(fetchp != NULL);
-	fetch = *fetchp;
-	REQUIRE(DNS_FETCH_VALID(fetch));
-	fctx = fetch->private;
-	REQUIRE(VALID_FCTX(fctx));
-	res = fctx->res;
-
-	FTRACE("destroyfetch");
-
-	bucketnum = fctx->bucketnum;
-	LOCK(&res->buckets[bucketnum].lock);
-
-	/*
-	 * Sanity check: the caller should have gotten its event before
-	 * trying to destroy the fetch.
-	 */
-	event = NULL;
-	if (fctx->state != fetchstate_done) {
-		for (event = ISC_LIST_HEAD(fctx->events);
-		     event != NULL;
-		     event = next_event) {
-			next_event = ISC_LIST_NEXT(event, ev_link);
-			RUNTIME_CHECK(event->fetch != fetch);
-		}
-	}
-
-	bucket_empty = fctx_decreference(fctx);
-
-	UNLOCK(&res->buckets[bucketnum].lock);
-
-	isc_mem_put(res->mctx, fetch, sizeof(*fetch));
-	*fetchp = NULL;
-
-	if (bucket_empty)
-		empty_bucket(res);
-}
-
-void
-dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
-		      isc_logcategory_t *category, isc_logmodule_t *module,
-		      int level, isc_boolean_t duplicateok)
-{
-	fetchctx_t *fctx;
-	dns_resolver_t *res;
-	char domainbuf[DNS_NAME_FORMATSIZE];
-
-	REQUIRE(DNS_FETCH_VALID(fetch));
-	fctx = fetch->private;
-	REQUIRE(VALID_FCTX(fctx));
-	res = fctx->res;
-
-	LOCK(&res->buckets[fctx->bucketnum].lock);
-
-	INSIST(fctx->exitline >= 0);
-	if (!fctx->logged || duplicateok) {
-		dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
-		isc_log_write(lctx, category, module, level,
-			      "fetch completed at %s:%d for %s in "
-			      "%" ISC_PRINT_QUADFORMAT "u."
-			      "%06" ISC_PRINT_QUADFORMAT "u: %s/%s "
-			      "[domain:%s,referral:%u,restart:%u,qrysent:%u,"
-			      "timeout:%u,lame:%u,neterr:%u,badresp:%u,"
-			      "adberr:%u,findfail:%u,valfail:%u]",
-			      __FILE__, fctx->exitline, fctx->info,
-			      fctx->duration / US_PER_SEC,
-			      fctx->duration % US_PER_SEC,
-			      isc_result_totext(fctx->result),
-			      isc_result_totext(fctx->vresult), domainbuf,
-			      fctx->referrals, fctx->restarts,
-			      fctx->querysent, fctx->timeouts, fctx->lamecount,
-			      fctx->neterr, fctx->badresp, fctx->adberr,
-			      fctx->findfail, fctx->valfail);
-		fctx->logged = ISC_TRUE;
-	}
-
-	UNLOCK(&res->buckets[fctx->bucketnum].lock);
-}
-
-dns_dispatchmgr_t *
-dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-	return (resolver->dispatchmgr);
-}
-
-dns_dispatch_t *
-dns_resolver_dispatchv4(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-	return (dns_dispatchset_get(resolver->dispatches4));
-}
-
-dns_dispatch_t *
-dns_resolver_dispatchv6(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-	return (dns_dispatchset_get(resolver->dispatches6));
-}
-
-isc_socketmgr_t *
-dns_resolver_socketmgr(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-	return (resolver->socketmgr);
-}
-
-isc_taskmgr_t *
-dns_resolver_taskmgr(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-	return (resolver->taskmgr);
-}
-
-isc_uint32_t
-dns_resolver_getlamettl(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-	return (resolver->lame_ttl);
-}
-
-void
-dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl) {
-	REQUIRE(VALID_RESOLVER(resolver));
-	resolver->lame_ttl = lame_ttl;
-}
-
-unsigned int
-dns_resolver_nrunning(dns_resolver_t *resolver) {
-	unsigned int n;
-	LOCK(&resolver->nlock);
-	n = resolver->nfctx;
-	UNLOCK(&resolver->nlock);
-	return (n);
-}
-
-isc_result_t
-dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
-			  dns_name_t *name, in_port_t port) {
-	alternate_t *a;
-	isc_result_t result;
-
-	REQUIRE(VALID_RESOLVER(resolver));
-	REQUIRE(!resolver->frozen);
-	REQUIRE((alt == NULL) ^ (name == NULL));
-
-	a = isc_mem_get(resolver->mctx, sizeof(*a));
-	if (a == NULL)
-		return (ISC_R_NOMEMORY);
-	if (alt != NULL) {
-		a->isaddress = ISC_TRUE;
-		a->_u.addr = *alt;
-	} else {
-		a->isaddress = ISC_FALSE;
-		a->_u._n.port = port;
-		dns_name_init(&a->_u._n.name, NULL);
-		result = dns_name_dup(name, resolver->mctx, &a->_u._n.name);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(resolver->mctx, a, sizeof(*a));
-			return (result);
-		}
-	}
-	ISC_LINK_INIT(a, link);
-	ISC_LIST_APPEND(resolver->alternates, a, link);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize) {
-	REQUIRE(VALID_RESOLVER(resolver));
-	resolver->udpsize = udpsize;
-}
-
-isc_uint16_t
-dns_resolver_getudpsize(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-	return (resolver->udpsize);
-}
-
-void
-dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name) {
-	unsigned int i;
-	dns_badcache_t *bad, *prev, *next;
-
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	LOCK(&resolver->lock);
-	if (resolver->badcache == NULL)
-		goto unlock;
-
-	if (name != NULL) {
-		isc_time_t now;
-		isc_result_t result;
-		result = isc_time_now(&now);
-		if (result != ISC_R_SUCCESS)
-			isc_time_settoepoch(&now);
-		i = dns_name_hash(name, ISC_FALSE) % resolver->badhash;
-		prev = NULL;
-		for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
-			int n;
-			next = bad->next;
-			n = isc_time_compare(&bad->expire, &now);
-			if (n < 0 || dns_name_equal(name, &bad->name)) {
-				if (prev == NULL)
-					resolver->badcache[i] = bad->next;
-				else
-					prev->next = bad->next;
-				isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
-					    bad->name.length);
-				resolver->badcount--;
-			} else
-				prev = bad;
-		}
-	} else
-		destroy_badcache(resolver);
-
- unlock:
-	UNLOCK(&resolver->lock);
-
-}
-
-static void
-resizehash(dns_resolver_t *resolver, isc_time_t *now, isc_boolean_t grow) {
-	unsigned int newsize;
-	dns_badcache_t **new, *bad, *next;
-	unsigned int i;
-
-	if (grow)
-		newsize = resolver->badhash * 2 + 1;
-	else
-		newsize = (resolver->badhash - 1) / 2;
-
-	new = isc_mem_get(resolver->mctx,
-			  sizeof(*resolver->badcache) * newsize);
-	if (new == NULL)
-		return;
-	memset(new, 0, sizeof(*resolver->badcache) * newsize);
-	for (i = 0; i < resolver->badhash; i++) {
-		for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
-			next = bad->next;
-			if (isc_time_compare(&bad->expire, now) < 0) {
-				isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
-					    bad->name.length);
-				resolver->badcount--;
-			} else {
-				bad->next = new[bad->hashval % newsize];
-				new[bad->hashval % newsize] = bad;
-			}
-		}
-	}
-	isc_mem_put(resolver->mctx, resolver->badcache,
-		    sizeof(*resolver->badcache) * resolver->badhash);
-	resolver->badhash = newsize;
-	resolver->badcache = new;
-}
-
-void
-dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name,
-			 dns_rdatatype_t type, isc_time_t *expire)
-{
-	isc_time_t now;
-	isc_result_t result = ISC_R_SUCCESS;
-	unsigned int i, hashval;
-	dns_badcache_t *bad, *prev, *next;
-
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	LOCK(&resolver->lock);
-	if (resolver->badcache == NULL) {
-		resolver->badcache = isc_mem_get(resolver->mctx,
-						 sizeof(*resolver->badcache) *
-						 DNS_BADCACHE_SIZE);
-		if (resolver->badcache == NULL)
-			goto cleanup;
-		resolver->badhash = DNS_BADCACHE_SIZE;
-		memset(resolver->badcache, 0, sizeof(*resolver->badcache) *
-		       resolver->badhash);
-	}
-
-	result = isc_time_now(&now);
-	if (result != ISC_R_SUCCESS)
-		isc_time_settoepoch(&now);
-	hashval = dns_name_hash(name, ISC_FALSE);
-	i = hashval % resolver->badhash;
-	prev = NULL;
-	for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
-		next = bad->next;
-		if (bad->type == type && dns_name_equal(name, &bad->name))
-			break;
-		if (isc_time_compare(&bad->expire, &now) < 0) {
-			if (prev == NULL)
-				resolver->badcache[i] = bad->next;
-			else
-				prev->next = bad->next;
-			isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
-				    bad->name.length);
-			resolver->badcount--;
-		} else
-			prev = bad;
-	}
-	if (bad == NULL) {
-		isc_buffer_t buffer;
-		bad = isc_mem_get(resolver->mctx, sizeof(*bad) + name->length);
-		if (bad == NULL)
-			goto cleanup;
-		bad->type = type;
-		bad->hashval = hashval;
-		bad->expire = *expire;
-		isc_buffer_init(&buffer, bad + 1, name->length);
-		dns_name_init(&bad->name, NULL);
-		dns_name_copy(name, &bad->name, &buffer);
-		bad->next = resolver->badcache[i];
-		resolver->badcache[i] = bad;
-		resolver->badcount++;
-		if (resolver->badcount > resolver->badhash * 8)
-			resizehash(resolver, &now, ISC_TRUE);
-		if (resolver->badcount < resolver->badhash * 2 &&
-		    resolver->badhash > DNS_BADCACHE_SIZE)
-			resizehash(resolver, &now, ISC_FALSE);
-	} else
-		bad->expire = *expire;
- cleanup:
-	UNLOCK(&resolver->lock);
-}
-
-isc_boolean_t
-dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name,
-			 dns_rdatatype_t type, isc_time_t *now)
-{
-	dns_badcache_t *bad, *prev, *next;
-	isc_boolean_t answer = ISC_FALSE;
-	unsigned int i;
-
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	LOCK(&resolver->lock);
-	if (resolver->badcache == NULL)
-		goto unlock;
-
-	i = dns_name_hash(name, ISC_FALSE) % resolver->badhash;
-	prev = NULL;
-	for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
-		next = bad->next;
-		/*
-		 * Search the hash list. Clean out expired records as we go.
-		 */
-		if (isc_time_compare(&bad->expire, now) < 0) {
-			if (prev != NULL)
-				prev->next = bad->next;
-			else
-				resolver->badcache[i] = bad->next;
-			isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
-				    bad->name.length);
-			resolver->badcount--;
-			continue;
-		}
-		if (bad->type == type && dns_name_equal(name, &bad->name)) {
-			answer = ISC_TRUE;
-			break;
-		}
-		prev = bad;
-	}
-
-	/*
-	 * Slow sweep to clean out stale records.
-	 */
-	i = resolver->badsweep++ % resolver->badhash;
-	bad = resolver->badcache[i];
-	if (bad != NULL && isc_time_compare(&bad->expire, now) < 0) {
-		resolver->badcache[i] = bad->next;
-		isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
-			    bad->name.length);
-		resolver->badcount--;
-	}
-
- unlock:
-	UNLOCK(&resolver->lock);
-	return (answer);
-}
-
-void
-dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp) {
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	dns_badcache_t *bad, *next, *prev;
-	isc_time_t now;
-	unsigned int i;
-	isc_uint64_t t;
-
-	LOCK(&resolver->lock);
-	fprintf(fp, ";\n; Bad cache\n;\n");
-
-	if (resolver->badcache == NULL)
-		goto unlock;
-
-	TIME_NOW(&now);
-	for (i = 0; i < resolver->badhash; i++) {
-		prev = NULL;
-		for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
-			next = bad->next;
-			if (isc_time_compare(&bad->expire, &now) < 0) {
-				if (prev != NULL)
-					prev->next = bad->next;
-				else
-					resolver->badcache[i] = bad->next;
-				isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
-					    bad->name.length);
-				resolver->badcount--;
-				continue;
-			}
-			prev = bad;
-			dns_name_format(&bad->name, namebuf, sizeof(namebuf));
-			dns_rdatatype_format(bad->type, typebuf,
-					     sizeof(typebuf));
-			t = isc_time_microdiff(&bad->expire, &now);
-			t /= 1000;
-			fprintf(fp, "; %s/%s [ttl "
-				"%" ISC_PLATFORM_QUADFORMAT "u]\n",
-				namebuf, typebuf, t);
-		}
-	}
-
- unlock:
-	UNLOCK(&resolver->lock);
-}
-
-static void
-free_algorithm(void *node, void *arg) {
-	unsigned char *algorithms = node;
-	isc_mem_t *mctx = arg;
-
-	isc_mem_put(mctx, algorithms, *algorithms);
-}
-
-void
-dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
-
-	REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_ALGLOCK
-	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
-#endif
-	if (resolver->algorithms != NULL)
-		dns_rbt_destroy(&resolver->algorithms);
-#if USE_ALGLOCK
-	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
-#endif
-}
-
-isc_result_t
-dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
-			       unsigned int alg)
-{
-	unsigned int len, mask;
-	unsigned char *new;
-	unsigned char *algorithms;
-	isc_result_t result;
-	dns_rbtnode_t *node = NULL;
-
-	REQUIRE(VALID_RESOLVER(resolver));
-	if (alg > 255)
-		return (ISC_R_RANGE);
-
-#if USE_ALGLOCK
-	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
-#endif
-	if (resolver->algorithms == NULL) {
-		result = dns_rbt_create(resolver->mctx, free_algorithm,
-					resolver->mctx, &resolver->algorithms);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	len = alg/8 + 2;
-	mask = 1 << (alg%8);
-
-	result = dns_rbt_addnode(resolver->algorithms, name, &node);
-
-	if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
-		algorithms = node->data;
-		if (algorithms == NULL || len > *algorithms) {
-			new = isc_mem_get(resolver->mctx, len);
-			if (new == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-			memset(new, 0, len);
-			if (algorithms != NULL)
-				memcpy(new, algorithms, *algorithms);
-			new[len-1] |= mask;
-			*new = len;
-			node->data = new;
-			if (algorithms != NULL)
-				isc_mem_put(resolver->mctx, algorithms,
-					    *algorithms);
-		} else
-			algorithms[len-1] |= mask;
-	}
-	result = ISC_R_SUCCESS;
- cleanup:
-#if USE_ALGLOCK
-	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
-#endif
-	return (result);
-}
-
-isc_boolean_t
-dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
-				 unsigned int alg)
-{
-	unsigned int len, mask;
-	unsigned char *algorithms;
-	void *data = NULL;
-	isc_result_t result;
-	isc_boolean_t found = ISC_FALSE;
-
-	REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_ALGLOCK
-	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
-#endif
-	if (resolver->algorithms == NULL)
-		goto unlock;
-	result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data);
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-		len = alg/8 + 2;
-		mask = 1 << (alg%8);
-		algorithms = data;
-		if (len <= *algorithms && (algorithms[len-1] & mask) != 0)
-			found = ISC_TRUE;
-	}
- unlock:
-#if USE_ALGLOCK
-	RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
-#endif
-	if (found)
-		return (ISC_FALSE);
-	return (dst_algorithm_supported(alg));
-}
-
-isc_boolean_t
-dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) {
-
-	UNUSED(resolver);
-	return (dns_ds_digest_supported(digest));
-}
-
-void
-dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
-
-	REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_MBSLOCK
-	RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
-#endif
-	if (resolver->mustbesecure != NULL)
-		dns_rbt_destroy(&resolver->mustbesecure);
-#if USE_MBSLOCK
-	RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
-#endif
-}
-
-static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE;
-
-isc_result_t
-dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
-			     isc_boolean_t value)
-{
-	isc_result_t result;
-
-	REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_MBSLOCK
-	RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
-#endif
-	if (resolver->mustbesecure == NULL) {
-		result = dns_rbt_create(resolver->mctx, NULL, NULL,
-					&resolver->mustbesecure);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-	result = dns_rbt_addname(resolver->mustbesecure, name,
-				 value ? &yes : &no);
- cleanup:
-#if USE_MBSLOCK
-	RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
-#endif
-	return (result);
-}
-
-isc_boolean_t
-dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) {
-	void *data = NULL;
-	isc_boolean_t value = ISC_FALSE;
-	isc_result_t result;
-
-	REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_MBSLOCK
-	RWLOCK(&resolver->mbslock, isc_rwlocktype_read);
-#endif
-	if (resolver->mustbesecure == NULL)
-		goto unlock;
-	result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data);
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-		value = *(isc_boolean_t*)data;
- unlock:
-#if USE_MBSLOCK
-	RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read);
-#endif
-	return (value);
-}
-
-void
-dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur,
-				isc_uint32_t *min, isc_uint32_t *max)
-{
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	LOCK(&resolver->lock);
-	if (cur != NULL)
-		*cur = resolver->spillat;
-	if (min != NULL)
-		*min = resolver->spillatmin;
-	if (max != NULL)
-		*max = resolver->spillatmax;
-	UNLOCK(&resolver->lock);
-}
-
-void
-dns_resolver_setclientsperquery(dns_resolver_t *resolver, isc_uint32_t min,
-				isc_uint32_t max)
-{
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	LOCK(&resolver->lock);
-	resolver->spillatmin = resolver->spillat = min;
-	resolver->spillatmax = max;
-	UNLOCK(&resolver->lock);
-}
-
-isc_boolean_t
-dns_resolver_getzeronosoattl(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	return (resolver->zero_no_soa_ttl);
-}
-
-void
-dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state) {
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	resolver->zero_no_soa_ttl = state;
-}
-
-unsigned int
-dns_resolver_getoptions(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	return (resolver->options);
-}
-
-unsigned int
-dns_resolver_gettimeout(dns_resolver_t *resolver) {
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	return (resolver->query_timeout);
-}
-
-void
-dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
-	REQUIRE(VALID_RESOLVER(resolver));
-
-	if (seconds == 0)
-		seconds = DEFAULT_QUERY_TIMEOUT;
-	if (seconds > MAXIMUM_QUERY_TIMEOUT)
-		seconds = MAXIMUM_QUERY_TIMEOUT;
-	if (seconds < MINIMUM_QUERY_TIMEOUT)
-		seconds =  MINIMUM_QUERY_TIMEOUT;
-
-	resolver->query_timeout = seconds;
-}
diff --git a/contrib/bind9/lib/dns/result.c b/contrib/bind9/lib/dns/result.c
deleted file mode 100644
index 3987953..0000000
--- a/contrib/bind9/lib/dns/result.c
+++ /dev/null
@@ -1,284 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/once.h>
-#include <isc/util.h>
-
-#include <dns/result.h>
-#include <dns/lib.h>
-
-static const char *text[DNS_R_NRESULTS] = {
-	"label too long",		       /*%< 0 DNS_R_LABELTOOLONG */
-	"bad escape",			       /*%< 1 DNS_R_BADESCAPE */
-	/*!
-	 * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are
-	 * deprecated.
-	 */
-	"bad bitstring",		       /*%< 2 DNS_R_BADBITSTRING */
-	"bitstring too long",		       /*%< 3 DNS_R_BITSTRINGTOOLONG */
-	"empty label",			       /*%< 4 DNS_R_EMPTYLABEL */
-
-	"bad dotted quad",		       /*%< 5 DNS_R_BADDOTTEDQUAD */
-	"invalid NS owner name (wildcard)",    /*%< 6 DNS_R_INVALIDNS */
-	"unknown class/type",		       /*%< 7 DNS_R_UNKNOWN */
-	"bad label type",		       /*%< 8 DNS_R_BADLABELTYPE */
-	"bad compression pointer",	       /*%< 9 DNS_R_BADPOINTER */
-
-	"too many hops",		       /*%< 10 DNS_R_TOOMANYHOPS */
-	"disallowed (by application policy)",  /*%< 11 DNS_R_DISALLOWED */
-	"extra input text",		       /*%< 12 DNS_R_EXTRATOKEN */
-	"extra input data",		       /*%< 13 DNS_R_EXTRADATA */
-	"text too long",		       /*%< 14 DNS_R_TEXTTOOLONG */
-
-	"not at top of zone",		       /*%< 15 DNS_R_NOTZONETOP */
-	"syntax error",			       /*%< 16 DNS_R_SYNTAX */
-	"bad checksum",			       /*%< 17 DNS_R_BADCKSUM */
-	"bad IPv6 address",		       /*%< 18 DNS_R_BADAAAA */
-	"no owner",			       /*%< 19 DNS_R_NOOWNER */
-
-	"no ttl",			       /*%< 20 DNS_R_NOTTL */
-	"bad class",			       /*%< 21 DNS_R_BADCLASS */
-	"name too long",		       /*%< 22 DNS_R_NAMETOOLONG */
-	"partial match",		       /*%< 23 DNS_R_PARTIALMATCH */
-	"new origin",			       /*%< 24 DNS_R_NEWORIGIN */
-
-	"unchanged",			       /*%< 25 DNS_R_UNCHANGED */
-	"bad ttl",			       /*%< 26 DNS_R_BADTTL */
-	"more data needed/to be rendered",     /*%< 27 DNS_R_NOREDATA */
-	"continue",			       /*%< 28 DNS_R_CONTINUE */
-	"delegation",			       /*%< 29 DNS_R_DELEGATION */
-
-	"glue",				       /*%< 30 DNS_R_GLUE */
-	"dname",			       /*%< 31 DNS_R_DNAME */
-	"cname",			       /*%< 32 DNS_R_CNAME */
-	"bad database",			       /*%< 33 DNS_R_BADDB */
-	"zonecut",			       /*%< 34 DNS_R_ZONECUT */
-
-	"bad zone",			       /*%< 35 DNS_R_BADZONE */
-	"more data",			       /*%< 36 DNS_R_MOREDATA */
-	"up to date",			       /*%< 37 DNS_R_UPTODATE */
-	"tsig verify failure",		       /*%< 38 DNS_R_TSIGVERIFYFAILURE */
-	"tsig indicates error",		       /*%< 39 DNS_R_TSIGERRORSET */
-
-	"RRSIG failed to verify",	       /*%< 40 DNS_R_SIGINVALID */
-	"RRSIG has expired",		       /*%< 41 DNS_R_SIGEXPIRED */
-	"RRSIG validity period has not begun", /*%< 42 DNS_R_SIGFUTURE */
-	"key is unauthorized to sign data",    /*%< 43 DNS_R_KEYUNAUTHORIZED */
-	"invalid time",			       /*%< 44 DNS_R_INVALIDTIME */
-
-	"expected a TSIG or SIG(0)",	       /*%< 45 DNS_R_EXPECTEDTSIG */
-	"did not expect a TSIG or SIG(0)",     /*%< 46 DNS_R_UNEXPECTEDTSIG */
-	"TKEY is unacceptable",		       /*%< 47 DNS_R_INVALIDTKEY */
-	"hint",				       /*%< 48 DNS_R_HINT */
-	"drop",				       /*%< 49 DNS_R_DROP */
-
-	"zone not loaded",		       /*%< 50 DNS_R_NOTLOADED */
-	"ncache nxdomain",		       /*%< 51 DNS_R_NCACHENXDOMAIN */
-	"ncache nxrrset",		       /*%< 52 DNS_R_NCACHENXRRSET */
-	"wait",				       /*%< 53 DNS_R_WAIT */
-	"not verified yet",		       /*%< 54 DNS_R_NOTVERIFIEDYET */
-
-	"no identity",			       /*%< 55 DNS_R_NOIDENTITY */
-	"no journal",			       /*%< 56 DNS_R_NOJOURNAL */
-	"alias",			       /*%< 57 DNS_R_ALIAS */
-	"use TCP",			       /*%< 58 DNS_R_USETCP */
-	"no valid RRSIG",		       /*%< 59 DNS_R_NOVALIDSIG */
-
-	"no valid NSEC",		       /*%< 60 DNS_R_NOVALIDNSEC */
-	"insecurity proof failed",	       /*%< 61 DNS_R_NOTINSECURE */
-	"unknown service",		       /*%< 62 DNS_R_UNKNOWNSERVICE */
-	"recoverable error occurred",	       /*%< 63 DNS_R_RECOVERABLE */
-	"unknown opt attribute record",	       /*%< 64 DNS_R_UNKNOWNOPT */
-
-	"unexpected message id",	       /*%< 65 DNS_R_UNEXPECTEDID */
-	"seen include file",		       /*%< 66 DNS_R_SEENINCLUDE */
-	"not exact",		       	       /*%< 67 DNS_R_NOTEXACT */
-	"address blackholed",	       	       /*%< 68 DNS_R_BLACKHOLED */
-	"bad algorithm",		       /*%< 69 DNS_R_BADALG */
-
-	"invalid use of a meta type",	       /*%< 70 DNS_R_METATYPE */
-	"CNAME and other data",		       /*%< 71 DNS_R_CNAMEANDOTHER */
-	"multiple RRs of singleton type",      /*%< 72 DNS_R_SINGLETON */
-	"hint nxrrset",			       /*%< 73 DNS_R_HINTNXRRSET */
-	"no master file configured",	       /*%< 74 DNS_R_NOMASTERFILE */
-
-	"unknown protocol",		       /*%< 75 DNS_R_UNKNOWNPROTO */
-	"clocks are unsynchronized",	       /*%< 76 DNS_R_CLOCKSKEW */
-	"IXFR failed",			       /*%< 77 DNS_R_BADIXFR */
-	"not authoritative",		       /*%< 78 DNS_R_NOTAUTHORITATIVE */
-	"no valid KEY",		       	       /*%< 79 DNS_R_NOVALIDKEY */
-
-	"obsolete",			       /*%< 80 DNS_R_OBSOLETE */
-	"already frozen",		       /*%< 81 DNS_R_FROZEN */
-	"unknown flag",			       /*%< 82 DNS_R_UNKNOWNFLAG */
-	"expected a response",		       /*%< 83 DNS_R_EXPECTEDRESPONSE */
-	"no valid DS",			       /*%< 84 DNS_R_NOVALIDDS */
-
-	"NS is an address",		       /*%< 85 DNS_R_NSISADDRESS */
-	"received FORMERR",		       /*%< 86 DNS_R_REMOTEFORMERR */
-	"truncated TCP response",	       /*%< 87 DNS_R_TRUNCATEDTCP */
-	"lame server detected",		       /*%< 88 DNS_R_LAME */
-	"unexpected RCODE",		       /*%< 89 DNS_R_UNEXPECTEDRCODE */
-
-	"unexpected OPCODE",		       /*%< 90 DNS_R_UNEXPECTEDOPCODE */
-	"chase DS servers",		       /*%< 91 DNS_R_CHASEDSSERVERS */
-	"empty name",			       /*%< 92 DNS_R_EMPTYNAME */
-	"empty wild",			       /*%< 93 DNS_R_EMPTYWILD */
-	"bad bitmap",			       /*%< 94 DNS_R_BADBITMAP */
-
-	"from wildcard",		       /*%< 95 DNS_R_FROMWILDCARD */
-	"bad owner name (check-names)",	       /*%< 96 DNS_R_BADOWNERNAME */
-	"bad name (check-names)",	       /*%< 97 DNS_R_BADNAME */
-	"dynamic zone",			       /*%< 98 DNS_R_DYNAMIC */
-	"unknown command",		       /*%< 99 DNS_R_UNKNOWNCOMMAND */
-
-	"must-be-secure",		       /*%< 100 DNS_R_MUSTBESECURE */
-	"covering NSEC record returned",       /*%< 101 DNS_R_COVERINGNSEC */
-	"MX is an address",		       /*%< 102 DNS_R_MXISADDRESS */
-	"duplicate query",		       /*%< 103 DNS_R_DUPLICATE */
-	"invalid NSEC3 owner name (wildcard)", /*%< 104 DNS_R_INVALIDNSEC3 */
-
-	"not master",			       /*%< 105 DNS_R_NOTMASTER */
-	"broken trust chain",		       /*%< 106 DNS_R_BROKENCHAIN */
-	"expired",			       /*%< 107 DNS_R_EXPIRED */
-	"not dynamic",			       /*%< 108 DNS_R_NOTDYNAMIC */
-	"bad EUI"			       /*%< 109 DNS_R_BADEUI */
-};
-
-static const char *rcode_text[DNS_R_NRCODERESULTS] = {
-	"NOERROR",				/*%< 0 DNS_R_NOEROR */
-	"FORMERR",				/*%< 1 DNS_R_FORMERR */
-	"SERVFAIL",				/*%< 2 DNS_R_SERVFAIL */
-	"NXDOMAIN",				/*%< 3 DNS_R_NXDOMAIN */
-	"NOTIMP",				/*%< 4 DNS_R_NOTIMP */
-
-	"REFUSED",				/*%< 5 DNS_R_REFUSED */
-	"YXDOMAIN",				/*%< 6 DNS_R_YXDOMAIN */
-	"YXRRSET",				/*%< 7 DNS_R_YXRRSET */
-	"NXRRSET",				/*%< 8 DNS_R_NXRRSET */
-	"NOTAUTH",				/*%< 9 DNS_R_NOTAUTH */
-
-	"NOTZONE",				/*%< 10 DNS_R_NOTZONE */
-	"<rcode 11>",				/*%< 11 has no macro */
-	"<rcode 12>",				/*%< 12 has no macro */
-	"<rcode 13>",				/*%< 13 has no macro */
-	"<rcode 14>",				/*%< 14 has no macro */
-
-	"<rcode 15>",				/*%< 15 has no macro */
-	"BADVERS",				/*%< 16 DNS_R_BADVERS */
-};
-
-#define DNS_RESULT_RESULTSET			2
-#define DNS_RESULT_RCODERESULTSET		3
-
-static isc_once_t		once = ISC_ONCE_INIT;
-
-static void
-initialize_action(void) {
-	isc_result_t result;
-
-	result = isc_result_register(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS,
-				     text, dns_msgcat, DNS_RESULT_RESULTSET);
-	if (result == ISC_R_SUCCESS)
-		result = isc_result_register(ISC_RESULTCLASS_DNSRCODE,
-					     DNS_R_NRCODERESULTS,
-					     rcode_text, dns_msgcat,
-					     DNS_RESULT_RCODERESULTSET);
-	if (result != ISC_R_SUCCESS)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_result_register() failed: %u", result);
-}
-
-static void
-initialize(void) {
-	dns_lib_initmsgcat();
-	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-const char *
-dns_result_totext(isc_result_t result) {
-	initialize();
-
-	return (isc_result_totext(result));
-}
-
-void
-dns_result_register(void) {
-	initialize();
-}
-
-dns_rcode_t
-dns_result_torcode(isc_result_t result) {
-	dns_rcode_t rcode = dns_rcode_servfail;
-
-	if (DNS_RESULT_ISRCODE(result)) {
-		/*
-		 * Rcodes can't be bigger than 12 bits, which is why we
-		 * AND with 0xFFF instead of 0xFFFF.
-		 */
-		return ((dns_rcode_t)((result) & 0xFFF));
-	}
-	/*
-	 * Try to supply an appropriate rcode.
-	 */
-	switch (result) {
-	case ISC_R_SUCCESS:
-		rcode = dns_rcode_noerror;
-		break;
-	case ISC_R_BADBASE64:
-	case ISC_R_NOSPACE:
-	case ISC_R_RANGE:
-	case ISC_R_UNEXPECTEDEND:
-	case DNS_R_BADAAAA:
-	/* case DNS_R_BADBITSTRING: deprecated */
-	case DNS_R_BADCKSUM:
-	case DNS_R_BADCLASS:
-	case DNS_R_BADLABELTYPE:
-	case DNS_R_BADPOINTER:
-	case DNS_R_BADTTL:
-	case DNS_R_BADZONE:
-	/* case DNS_R_BITSTRINGTOOLONG: deprecated */
-	case DNS_R_EXTRADATA:
-	case DNS_R_LABELTOOLONG:
-	case DNS_R_NOREDATA:
-	case DNS_R_SYNTAX:
-	case DNS_R_TEXTTOOLONG:
-	case DNS_R_TOOMANYHOPS:
-	case DNS_R_TSIGERRORSET:
-	case DNS_R_UNKNOWN:
-	case DNS_R_NAMETOOLONG:
-		rcode = dns_rcode_formerr;
-		break;
-	case DNS_R_DISALLOWED:
-		rcode = dns_rcode_refused;
-		break;
-	case DNS_R_TSIGVERIFYFAILURE:
-	case DNS_R_CLOCKSKEW:
-		rcode = dns_rcode_notauth;
-		break;
-	default:
-		rcode = dns_rcode_servfail;
-	}
-
-	return (rcode);
-}
diff --git a/contrib/bind9/lib/dns/rootns.c b/contrib/bind9/lib/dns/rootns.c
deleted file mode 100644
index 3502022..0000000
--- a/contrib/bind9/lib/dns/rootns.c
+++ /dev/null
@@ -1,528 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rootns.c,v 1.40 2010/06/18 05:36:24 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/rdata.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/rootns.h>
-#include <dns/view.h>
-
-static char root_ns[] =
-";\n"
-"; Internet Root Nameservers\n"
-";\n"
-"$TTL 518400\n"
-".                       518400  IN      NS      A.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      B.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      C.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      D.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      E.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      F.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      G.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      H.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      I.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      J.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      K.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      L.ROOT-SERVERS.NET.\n"
-".                       518400  IN      NS      M.ROOT-SERVERS.NET.\n"
-"A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4\n"
-"A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:BA3E::2:30\n"
-"B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201\n"
-"C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12\n"
-"D.ROOT-SERVERS.NET.     3600000 IN      A       199.7.91.13\n"
-"D.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2d::d\n"
-"E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10\n"
-"F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241\n"
-"F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2F::F\n"
-"G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4\n"
-"H.ROOT-SERVERS.NET.     3600000 IN      A       128.63.2.53\n"
-"H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::803F:235\n"
-"I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17\n"
-"I.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fe::53\n"
-"J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30\n"
-"J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:C27::2:30\n"
-"K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129\n"
-"K.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7FD::1\n"
-"L.ROOT-SERVERS.NET.     3600000 IN      A       199.7.83.42\n"
-"L.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:500:3::42\n"
-"M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33\n"
-"M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:DC3::35\n";
-
-static isc_result_t
-in_rootns(dns_rdataset_t *rootns, dns_name_t *name) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_ns_t ns;
-
-	if (!dns_rdataset_isassociated(rootns))
-		return (ISC_R_NOTFOUND);
-
-	result = dns_rdataset_first(rootns);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(rootns, &rdata);
-		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		if (dns_name_compare(name, &ns.name) == 0)
-			return (ISC_R_SUCCESS);
-		result = dns_rdataset_next(rootns);
-		dns_rdata_reset(&rdata);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_NOTFOUND;
-	return (result);
-}
-
-static isc_result_t
-check_node(dns_rdataset_t *rootns, dns_name_t *name,
-	   dns_rdatasetiter_t *rdsiter) {
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_rdatasetiter_first(rdsiter);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		switch (rdataset.type) {
-		case dns_rdatatype_a:
-		case dns_rdatatype_aaaa:
-			result = in_rootns(rootns, name);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			break;
-		case dns_rdatatype_ns:
-			if (dns_name_compare(name, dns_rootname) == 0)
-				break;
-			/*FALLTHROUGH*/
-		default:
-			result = ISC_R_FAILURE;
-			goto cleanup;
-		}
-		dns_rdataset_disassociate(&rdataset);
-		result = dns_rdatasetiter_next(rdsiter);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
- cleanup:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	return (result);
-}
-
-static isc_result_t
-check_hints(dns_db_t *db) {
-	isc_result_t result;
-	dns_rdataset_t rootns;
-	dns_dbiterator_t *dbiter = NULL;
-	dns_dbnode_t *node = NULL;
-	isc_stdtime_t now;
-	dns_fixedname_t fixname;
-	dns_name_t *name;
-	dns_rdatasetiter_t *rdsiter = NULL;
-
-	isc_stdtime_get(&now);
-
-	dns_fixedname_init(&fixname);
-	name = dns_fixedname_name(&fixname);
-
-	dns_rdataset_init(&rootns);
-	(void)dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
-			  now, NULL, name, &rootns, NULL);
-	result = dns_db_createiterator(db, 0, &dbiter);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_dbiterator_first(dbiter);
-	while (result == ISC_R_SUCCESS) {
-		result = dns_dbiterator_current(dbiter, &node, name);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		result = dns_db_allrdatasets(db, node, NULL, now, &rdsiter);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		result = check_node(&rootns, name, rdsiter);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		dns_rdatasetiter_destroy(&rdsiter);
-		dns_db_detachnode(db, &node);
-		result = dns_dbiterator_next(dbiter);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
- cleanup:
-	if (dns_rdataset_isassociated(&rootns))
-		dns_rdataset_disassociate(&rootns);
-	if (rdsiter != NULL)
-		dns_rdatasetiter_destroy(&rdsiter);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (dbiter != NULL)
-		dns_dbiterator_destroy(&dbiter);
-	return (result);
-}
-
-isc_result_t
-dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-		  const char *filename, dns_db_t **target)
-{
-	isc_result_t result, eresult;
-	isc_buffer_t source;
-	size_t len;
-	dns_rdatacallbacks_t callbacks;
-	dns_db_t *db = NULL;
-
-	REQUIRE(target != NULL && *target == NULL);
-
-	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
-			       rdclass, 0, NULL, &db);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_rdatacallbacks_init(&callbacks);
-
-	len = strlen(root_ns);
-	isc_buffer_init(&source, root_ns, len);
-	isc_buffer_add(&source, len);
-
-	result = dns_db_beginload(db, &callbacks.add,
-				  &callbacks.add_private);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (filename != NULL) {
-		/*
-		 * Load the hints from the specified filename.
-		 */
-		result = dns_master_loadfile(filename, &db->origin,
-					     &db->origin, db->rdclass,
-					     DNS_MASTER_HINT,
-					     &callbacks, db->mctx);
-	} else if (rdclass == dns_rdataclass_in) {
-		/*
-		 * Default to using the Internet root servers.
-		 */
-		result = dns_master_loadbuffer(&source, &db->origin,
-					       &db->origin, db->rdclass,
-					       DNS_MASTER_HINT,
-					       &callbacks, db->mctx);
-	} else
-		result = ISC_R_NOTFOUND;
-	eresult = dns_db_endload(db, &callbacks.add_private);
-	if (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE)
-		result = eresult;
-	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
-		goto db_detach;
-	if (check_hints(db) != ISC_R_SUCCESS)
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
-			      "extra data in root hints '%s'",
-			      (filename != NULL) ? filename : "<BUILT-IN>");
-	*target = db;
-	return (ISC_R_SUCCESS);
-
- db_detach:
-	dns_db_detach(&db);
-
-	return (result);
-}
-
-static void
-report(dns_view_t *view, dns_name_t *name, isc_boolean_t missing,
-       dns_rdata_t *rdata)
-{
-	const char *viewname = "", *sep = "";
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	char databuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
-	isc_buffer_t buffer;
-	isc_result_t result;
-
-	if (strcmp(view->name, "_bind") != 0 &&
-	    strcmp(view->name, "_default") != 0) {
-		viewname = view->name;
-		sep = ": view ";
-	}
-
-	dns_name_format(name, namebuf, sizeof(namebuf));
-	dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
-	isc_buffer_init(&buffer, databuf, sizeof(databuf) - 1);
-	result = dns_rdata_totext(rdata, NULL, &buffer);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	databuf[isc_buffer_usedlength(&buffer)] = '\0';
-
-	if (missing)
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
-			      "checkhints%s%s: %s/%s (%s) missing from hints",
-			      sep, viewname, namebuf, typebuf, databuf);
-	else
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
-			      "checkhints%s%s: %s/%s (%s) extra record "
-			      "in hints", sep, viewname, namebuf, typebuf,
-			      databuf);
-}
-
-static isc_boolean_t
-inrrset(dns_rdataset_t *rrset, dns_rdata_t *rdata) {
-	isc_result_t result;
-	dns_rdata_t current = DNS_RDATA_INIT;
-
-	result = dns_rdataset_first(rrset);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(rrset, &current);
-		if (dns_rdata_compare(rdata, &current) == 0)
-			return (ISC_TRUE);
-		dns_rdata_reset(&current);
-		result = dns_rdataset_next(rrset);
-	}
-	return (ISC_FALSE);
-}
-
-/*
- * Check that the address RRsets match.
- *
- * Note we don't complain about missing glue records.
- */
-
-static void
-check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
-		      dns_name_t *name, isc_stdtime_t now)
-{
-	isc_result_t hresult, rresult, result;
-	dns_rdataset_t hintrrset, rootrrset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_name_t *foundname;
-	dns_fixedname_t fixed;
-
-	dns_rdataset_init(&hintrrset);
-	dns_rdataset_init(&rootrrset);
-	dns_fixedname_init(&fixed);
-	foundname = dns_fixedname_name(&fixed);
-
-	hresult = dns_db_find(hints, name, NULL, dns_rdatatype_a, 0,
-			      now, NULL, foundname, &hintrrset, NULL);
-	rresult = dns_db_find(db, name, NULL, dns_rdatatype_a,
-			      DNS_DBFIND_GLUEOK, now, NULL, foundname,
-			      &rootrrset, NULL);
-	if (hresult == ISC_R_SUCCESS &&
-	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
-		result = dns_rdataset_first(&rootrrset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&rootrrset, &rdata);
-			if (!inrrset(&hintrrset, &rdata))
-				report(view, name, ISC_TRUE, &rdata);
-			result = dns_rdataset_next(&rootrrset);
-		}
-		result = dns_rdataset_first(&hintrrset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&hintrrset, &rdata);
-			if (!inrrset(&rootrrset, &rdata))
-				report(view, name, ISC_FALSE, &rdata);
-			result = dns_rdataset_next(&hintrrset);
-		}
-	}
-	if (hresult == ISC_R_NOTFOUND &&
-	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
-		result = dns_rdataset_first(&rootrrset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&rootrrset, &rdata);
-			report(view, name, ISC_TRUE, &rdata);
-			result = dns_rdataset_next(&rootrrset);
-		}
-	}
-	if (dns_rdataset_isassociated(&rootrrset))
-		dns_rdataset_disassociate(&rootrrset);
-	if (dns_rdataset_isassociated(&hintrrset))
-		dns_rdataset_disassociate(&hintrrset);
-
-	/*
-	 * Check AAAA records.
-	 */
-	hresult = dns_db_find(hints, name, NULL, dns_rdatatype_aaaa, 0,
-			      now, NULL, foundname, &hintrrset, NULL);
-	rresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
-			      DNS_DBFIND_GLUEOK, now, NULL, foundname,
-			      &rootrrset, NULL);
-	if (hresult == ISC_R_SUCCESS &&
-	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
-		result = dns_rdataset_first(&rootrrset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&rootrrset, &rdata);
-			if (!inrrset(&hintrrset, &rdata))
-				report(view, name, ISC_TRUE, &rdata);
-			dns_rdata_reset(&rdata);
-			result = dns_rdataset_next(&rootrrset);
-		}
-		result = dns_rdataset_first(&hintrrset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&hintrrset, &rdata);
-			if (!inrrset(&rootrrset, &rdata))
-				report(view, name, ISC_FALSE, &rdata);
-			dns_rdata_reset(&rdata);
-			result = dns_rdataset_next(&hintrrset);
-		}
-	}
-	if (hresult == ISC_R_NOTFOUND &&
-	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
-		result = dns_rdataset_first(&rootrrset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&rootrrset, &rdata);
-			report(view, name, ISC_TRUE, &rdata);
-			dns_rdata_reset(&rdata);
-			result = dns_rdataset_next(&rootrrset);
-		}
-	}
-	if (dns_rdataset_isassociated(&rootrrset))
-		dns_rdataset_disassociate(&rootrrset);
-	if (dns_rdataset_isassociated(&hintrrset))
-		dns_rdataset_disassociate(&hintrrset);
-}
-
-void
-dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_ns_t ns;
-	dns_rdataset_t hintns, rootns;
-	const char *viewname = "", *sep = "";
-	isc_stdtime_t now;
-	dns_name_t *name;
-	dns_fixedname_t fixed;
-
-	REQUIRE(hints != NULL);
-	REQUIRE(db != NULL);
-	REQUIRE(view != NULL);
-
-	isc_stdtime_get(&now);
-
-	if (strcmp(view->name, "_bind") != 0 &&
-	    strcmp(view->name, "_default") != 0) {
-		viewname = view->name;
-		sep = ": view ";
-	}
-
-	dns_rdataset_init(&hintns);
-	dns_rdataset_init(&rootns);
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-
-	result = dns_db_find(hints, dns_rootname, NULL, dns_rdatatype_ns, 0,
-			     now, NULL, name, &hintns, NULL);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
-			      "checkhints%s%s: unable to get root NS rrset "
-			      "from hints: %s", sep, viewname,
-			      dns_result_totext(result));
-		goto cleanup;
-	}
-
-	result = dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
-			     now, NULL, name, &rootns, NULL);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
-			      "checkhints%s%s: unable to get root NS rrset "
-			      "from cache: %s", sep, viewname,
-			      dns_result_totext(result));
-		goto cleanup;
-	}
-
-	/*
-	 * Look for missing root NS names.
-	 */
-	result = dns_rdataset_first(&rootns);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(&rootns, &rdata);
-		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		result = in_rootns(&hintns, &ns.name);
-		if (result != ISC_R_SUCCESS) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-			/* missing from hints */
-			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
-				      "checkhints%s%s: unable to find root "
-				      "NS '%s' in hints", sep, viewname,
-				      namebuf);
-		} else
-			check_address_records(view, hints, db, &ns.name, now);
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(&rootns);
-	}
-	if (result != ISC_R_NOMORE) {
-		goto cleanup;
-	}
-
-	/*
-	 * Look for extra root NS names.
-	 */
-	result = dns_rdataset_first(&hintns);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(&hintns, &rdata);
-		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		result = in_rootns(&rootns, &ns.name);
-		if (result != ISC_R_SUCCESS) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-			/* extra entry in hints */
-			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
-				      "checkhints%s%s: extra NS '%s' in hints",
-				      sep, viewname, namebuf);
-		}
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(&hintns);
-	}
-	if (result != ISC_R_NOMORE) {
-		goto cleanup;
-	}
-
- cleanup:
-	if (dns_rdataset_isassociated(&rootns))
-		dns_rdataset_disassociate(&rootns);
-	if (dns_rdataset_isassociated(&hintns))
-		dns_rdataset_disassociate(&hintns);
-}
diff --git a/contrib/bind9/lib/dns/rpz.c b/contrib/bind9/lib/dns/rpz.c
deleted file mode 100644
index 2d689e7..0000000
--- a/contrib/bind9/lib/dns/rpz.c
+++ /dev/null
@@ -1,1192 +0,0 @@
-/*
- * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/stdlib.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/rpz.h>
-#include <dns/view.h>
-
-
-/*
- * Parallel radix trees for databases of response policy IP addresses
- *
- * The radix or Patricia trees are somewhat specialized to handle response
- * policy addresses by representing the two test of IP IP addresses and name
- * server IP addresses in a single tree.
- *
- * Each leaf indicates that an IP address is listed in the IP address or the
- * name server IP address policy sub-zone (or both) of the corresponding
- * response response zone.  The policy data such as a CNAME or an A record
- * is kept in the policy zone.  After an IP address has been found in a radix
- * tree, the node in the policy zone's database is found by converting
- * the IP address to a domain name in a canonical form.
- *
- * The response policy zone canonical form of IPv6 addresses is one of:
- *	prefix.W.W.W.W.W.W.W.W
- *	prefix.WORDS.zz
- *	prefix.WORDS.zz.WORDS
- *	prefix.zz.WORDS
- *  where
- *	prefix	is the prefix length of the IPv6 address between 1 and 128
- *	W	is a number between 0 and 65535
- *	WORDS	is one or more numbers W separated with "."
- *	zz	corresponds to :: in the standard IPv6 text representation
- *
- * The canonical form of IPv4 addresses is:
- *	prefix.B.B.B.B
- *  where
- *	prefix	is the prefix length of the address between 1 and 32
- *	B	is a number between 0 and 255
- *
- * IPv4 addresses are distinguished from IPv6 addresses by having
- * 5 labels all of which are numbers, and a prefix between 1 and 32.
- */
-
-
-/*
- * Use a private definition of IPv6 addresses because s6_addr32 is not
- * always defined and our IPv6 addresses are in non-standard byte order
- */
-typedef isc_uint32_t		dns_rpz_cidr_word_t;
-#define DNS_RPZ_CIDR_WORD_BITS	((int)sizeof(dns_rpz_cidr_word_t)*8)
-#define DNS_RPZ_CIDR_KEY_BITS	((int)sizeof(dns_rpz_cidr_key_t)*8)
-#define DNS_RPZ_CIDR_WORDS	(128/DNS_RPZ_CIDR_WORD_BITS)
-typedef struct {
-	dns_rpz_cidr_word_t	w[DNS_RPZ_CIDR_WORDS];
-} dns_rpz_cidr_key_t;
-
-#define ADDR_V4MAPPED		0xffff
-
-#define DNS_RPZ_WORD_MASK(b)				\
-	((b) == 0 ? (dns_rpz_cidr_word_t)(-1)		\
-		  : ((dns_rpz_cidr_word_t)(-1)		\
-		    << (DNS_RPZ_CIDR_WORD_BITS - (b))))
-
-#define DNS_RPZ_IP_BIT(ip, bitno) \
-	(1 & ((ip)->w[(bitno)/DNS_RPZ_CIDR_WORD_BITS] >> \
-	    (DNS_RPZ_CIDR_WORD_BITS - 1 - ((bitno) % DNS_RPZ_CIDR_WORD_BITS))))
-
-typedef struct dns_rpz_cidr_node	dns_rpz_cidr_node_t;
-typedef isc_uint8_t			dns_rpz_cidr_flags_t;
-struct dns_rpz_cidr_node {
-	dns_rpz_cidr_node_t		*parent;
-	dns_rpz_cidr_node_t		*child[2];
-	dns_rpz_cidr_key_t		ip;
-	dns_rpz_cidr_bits_t		bits;
-	dns_rpz_cidr_flags_t		flags;
-#define	DNS_RPZ_CIDR_FG_IP	 0x01	/* has IP data or is parent of IP */
-#define	DNS_RPZ_CIDR_FG_IP_DATA	 0x02	/* has IP data */
-#define	DNS_RPZ_CIDR_FG_NSIPv4	 0x04	/* has or is parent of NSIPv4 data */
-#define	DNS_RPZ_CIDR_FG_NSIPv6	 0x08	/* has or is parent of NSIPv6 data */
-#define	DNS_RPZ_CIDR_FG_NSIP_DATA 0x10	/* has NSIP data */
-};
-
-struct dns_rpz_cidr {
-	isc_mem_t		*mctx;
-	isc_boolean_t		have_nsdname;	/* zone has NSDNAME record */
-	dns_rpz_cidr_node_t	*root;
-	dns_name_t		ip_name;	/* RPZ_IP_ZONE.origin. */
-	dns_name_t		nsip_name;      /* RPZ_NSIP_ZONE.origin. */
-	dns_name_t		nsdname_name;	/* RPZ_NSDNAME_ZONE.origin */
-};
-
-const char *
-dns_rpz_type2str(dns_rpz_type_t type) {
-	switch (type) {
-	case DNS_RPZ_TYPE_QNAME:
-		return ("QNAME");
-	case DNS_RPZ_TYPE_IP:
-		return ("IP");
-	case DNS_RPZ_TYPE_NSIP:
-		return ("NSIP");
-	case DNS_RPZ_TYPE_NSDNAME:
-		return ("NSDNAME");
-	case DNS_RPZ_TYPE_BAD:
-		break;
-	}
-	FATAL_ERROR(__FILE__, __LINE__,
-		    "impossible rpz type %d", type);
-	return ("impossible");
-}
-
-dns_rpz_policy_t
-dns_rpz_str2policy(const char *str) {
-	if (str == NULL)
-		return (DNS_RPZ_POLICY_ERROR);
-	if (!strcasecmp(str, "given"))
-		return (DNS_RPZ_POLICY_GIVEN);
-	if (!strcasecmp(str, "disabled"))
-		return (DNS_RPZ_POLICY_DISABLED);
-	if (!strcasecmp(str, "passthru"))
-		return (DNS_RPZ_POLICY_PASSTHRU);
-	if (!strcasecmp(str, "nxdomain"))
-		return (DNS_RPZ_POLICY_NXDOMAIN);
-	if (!strcasecmp(str, "nodata"))
-		return (DNS_RPZ_POLICY_NODATA);
-	if (!strcasecmp(str, "cname"))
-		return (DNS_RPZ_POLICY_CNAME);
-	/*
-	 * Obsolete
-	 */
-	if (!strcasecmp(str, "no-op"))
-		return (DNS_RPZ_POLICY_PASSTHRU);
-	return (DNS_RPZ_POLICY_ERROR);
-}
-
-const char *
-dns_rpz_policy2str(dns_rpz_policy_t policy) {
-	const char *str;
-
-	switch (policy) {
-	case DNS_RPZ_POLICY_PASSTHRU:
-		str = "PASSTHRU";
-		break;
-	case DNS_RPZ_POLICY_NXDOMAIN:
-		str = "NXDOMAIN";
-		break;
-	case DNS_RPZ_POLICY_NODATA:
-		str = "NODATA";
-		break;
-	case DNS_RPZ_POLICY_RECORD:
-		str = "Local-Data";
-		break;
-	case DNS_RPZ_POLICY_CNAME:
-	case DNS_RPZ_POLICY_WILDCNAME:
-		str = "CNAME";
-		break;
-	default:
-		str = "";
-		POST(str);
-		INSIST(0);
-	}
-	return (str);
-}
-
-/*
- * Free the radix tree of a response policy database.
- */
-void
-dns_rpz_cidr_free(dns_rpz_cidr_t **cidrp) {
-	dns_rpz_cidr_node_t *cur, *child, *parent;
-	dns_rpz_cidr_t *cidr;
-
-	REQUIRE(cidrp != NULL);
-
-	cidr = *cidrp;
-	if (cidr == NULL)
-		return;
-
-	cur = cidr->root;
-	while (cur != NULL) {
-		/* Depth first. */
-		child = cur->child[0];
-		if (child != NULL) {
-			cur = child;
-			continue;
-		}
-		child = cur->child[1];
-		if (child != NULL) {
-			cur = child;
-			continue;
-		}
-
-		/* Delete this leaf and go up. */
-		parent = cur->parent;
-		if (parent == NULL)
-			cidr->root = NULL;
-		else
-			parent->child[parent->child[1] == cur] = NULL;
-		isc_mem_put(cidr->mctx, cur, sizeof(*cur));
-		cur = parent;
-	}
-
-	dns_name_free(&cidr->ip_name, cidr->mctx);
-	dns_name_free(&cidr->nsip_name, cidr->mctx);
-	dns_name_free(&cidr->nsdname_name, cidr->mctx);
-	isc_mem_put(cidr->mctx, cidr, sizeof(*cidr));
-	*cidrp = NULL;
-}
-
-/*
- * Forget a view's list of policy zones.
- */
-void
-dns_rpz_view_destroy(dns_view_t *view) {
-	dns_rpz_zone_t *zone;
-
-	REQUIRE(view != NULL);
-
-	while (!ISC_LIST_EMPTY(view->rpz_zones)) {
-		zone = ISC_LIST_HEAD(view->rpz_zones);
-		ISC_LIST_UNLINK(view->rpz_zones, zone, link);
-		if (dns_name_dynamic(&zone->origin))
-			dns_name_free(&zone->origin, view->mctx);
-		if (dns_name_dynamic(&zone->passthru))
-			dns_name_free(&zone->passthru, view->mctx);
-		if (dns_name_dynamic(&zone->nsdname))
-			dns_name_free(&zone->nsdname, view->mctx);
-		if (dns_name_dynamic(&zone->cname))
-			dns_name_free(&zone->cname, view->mctx);
-		isc_mem_put(view->mctx, zone, sizeof(*zone));
-	}
-}
-
-/*
- * Start a new radix tree for a response policy zone.
- */
-isc_result_t
-dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
-		 dns_rpz_cidr_t **rbtdb_cidr)
-{
-	isc_result_t result;
-	dns_rpz_cidr_t *cidr;
-
-	REQUIRE(rbtdb_cidr != NULL && *rbtdb_cidr == NULL);
-
-	cidr = isc_mem_get(mctx, sizeof(*cidr));
-	if (cidr == NULL)
-		return (ISC_R_NOMEMORY);
-	memset(cidr, 0, sizeof(*cidr));
-	cidr->mctx = mctx;
-
-	dns_name_init(&cidr->ip_name, NULL);
-	result = dns_name_fromstring2(&cidr->ip_name, DNS_RPZ_IP_ZONE, origin,
-				      DNS_NAME_DOWNCASE, mctx);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, cidr, sizeof(*cidr));
-		return (result);
-	}
-
-	dns_name_init(&cidr->nsip_name, NULL);
-	result = dns_name_fromstring2(&cidr->nsip_name, DNS_RPZ_NSIP_ZONE,
-				      origin, DNS_NAME_DOWNCASE, mctx);
-	if (result != ISC_R_SUCCESS) {
-		dns_name_free(&cidr->ip_name, mctx);
-		isc_mem_put(mctx, cidr, sizeof(*cidr));
-		return (result);
-	}
-
-	dns_name_init(&cidr->nsdname_name, NULL);
-	result = dns_name_fromstring2(&cidr->nsdname_name, DNS_RPZ_NSDNAME_ZONE,
-				      origin, DNS_NAME_DOWNCASE, mctx);
-	if (result != ISC_R_SUCCESS) {
-		dns_name_free(&cidr->nsip_name, mctx);
-		dns_name_free(&cidr->ip_name, mctx);
-		isc_mem_put(mctx, cidr, sizeof(*cidr));
-		return (result);
-	}
-
-	*rbtdb_cidr = cidr;
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * See if a policy zone has IP, NSIP, or NSDNAME rules or records.
- */
-void
-dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st) {
-	if (cidr == NULL)
-		return;
-	if (cidr->root != NULL &&
-	    (cidr->root->flags & DNS_RPZ_CIDR_FG_IP) != 0)
-		st->state |= DNS_RPZ_HAVE_IP;
-	if (cidr->root != NULL &&
-	    (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv4) != 0)
-		st->state |= DNS_RPZ_HAVE_NSIPv4;
-	if (cidr->root != NULL &&
-	    (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv6) != 0)
-		st->state |= DNS_RPZ_HAVE_NSIPv6;
-	if (cidr->have_nsdname)
-		st->state |= DNS_RPZ_HAVE_NSDNAME;
-}
-
-static inline dns_rpz_cidr_flags_t
-get_flags(const dns_rpz_cidr_key_t *ip, dns_rpz_cidr_bits_t prefix,
-	dns_rpz_type_t rpz_type)
-{
-	if (rpz_type == DNS_RPZ_TYPE_NSIP) {
-		if (prefix >= 96 &&
-		    ip->w[0] == 0 && ip->w[1] == 0 &&
-		    ip->w[2] == ADDR_V4MAPPED)
-			return (DNS_RPZ_CIDR_FG_NSIP_DATA |
-				DNS_RPZ_CIDR_FG_NSIPv4);
-		else
-			return (DNS_RPZ_CIDR_FG_NSIP_DATA |
-				DNS_RPZ_CIDR_FG_NSIPv6);
-	} else {
-		return (DNS_RPZ_CIDR_FG_IP | DNS_RPZ_CIDR_FG_IP_DATA);
-	}
-}
-
-/*
- * Mark a node as having IP or NSIP data and all of its parents
- * as members of the IP or NSIP tree.
- */
-static void
-set_node_flags(dns_rpz_cidr_node_t *node, dns_rpz_type_t rpz_type) {
-	dns_rpz_cidr_flags_t flags;
-
-	flags = get_flags(&node->ip, node->bits, rpz_type);
-	node->flags |= flags;
-	flags &= ~(DNS_RPZ_CIDR_FG_NSIP_DATA | DNS_RPZ_CIDR_FG_IP_DATA);
-	for (;;) {
-		node = node->parent;
-		if (node == NULL)
-			return;
-		node->flags |= flags;
-	}
-}
-
-/*
- * Make a radix tree node.
- */
-static dns_rpz_cidr_node_t *
-new_node(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *ip,
-	 dns_rpz_cidr_bits_t bits, dns_rpz_cidr_flags_t flags)
-{
-	dns_rpz_cidr_node_t *node;
-	int i, words, wlen;
-
-	node = isc_mem_get(cidr->mctx, sizeof(*node));
-	if (node == NULL)
-		return (NULL);
-	memset(node, 0, sizeof(*node));
-
-	node->flags = flags & ~(DNS_RPZ_CIDR_FG_IP_DATA |
-				DNS_RPZ_CIDR_FG_NSIP_DATA);
-
-	node->bits = bits;
-	words = bits / DNS_RPZ_CIDR_WORD_BITS;
-	wlen = bits % DNS_RPZ_CIDR_WORD_BITS;
-	i = 0;
-	while (i < words) {
-		node->ip.w[i] = ip->w[i];
-		++i;
-	}
-	if (wlen != 0) {
-		node->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen);
-		++i;
-	}
-	while (i < DNS_RPZ_CIDR_WORDS)
-		node->ip.w[i++] = 0;
-
-	return (node);
-}
-
-static void
-badname(int level, dns_name_t *name, const char *str1, const char *str2) {
-	char printname[DNS_NAME_FORMATSIZE];
-
-	/*
-	 * bin/tests/system/rpz/tests.sh looks for "invalid rpz".
-	 */
-	if (level < DNS_RPZ_DEBUG_QUIET
-	    && isc_log_wouldlog(dns_lctx, level)) {
-		dns_name_format(name, printname, sizeof(printname));
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
-			      DNS_LOGMODULE_RBTDB, level,
-			      "invalid rpz IP address \"%s\"%s%s",
-			      printname, str1, str2);
-	}
-}
-
-/*
- * Convert an IP address from radix tree binary (host byte order) to
- * to its canonical response policy domain name and its name in the
- * policy zone.
- */
-static isc_result_t
-ip2name(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip,
-	dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type,
-	dns_name_t *canon_name, dns_name_t *search_name)
-{
-#ifndef INET6_ADDRSTRLEN
-#define INET6_ADDRSTRLEN 46
-#endif
-	int w[DNS_RPZ_CIDR_WORDS*2];
-	char str[1+8+1+INET6_ADDRSTRLEN+1];
-	isc_buffer_t buffer;
-	dns_name_t *name;
-	isc_result_t result;
-	isc_boolean_t zeros;
-	int i, n, len;
-
-	if (tgt_prefix > 96 &&
-	    tgt_ip->w[0] == 0 &&
-	    tgt_ip->w[1] == 0 &&
-	    tgt_ip->w[2] == ADDR_V4MAPPED) {
-		len = snprintf(str, sizeof(str), "%d.%d.%d.%d.%d",
-			       tgt_prefix - 96,
-			       tgt_ip->w[3] & 0xff,
-			       (tgt_ip->w[3]>>8) & 0xff,
-			       (tgt_ip->w[3]>>16) & 0xff,
-			       (tgt_ip->w[3]>>24) & 0xff);
-		if (len == -1 || len > (int)sizeof(str))
-			return (ISC_R_FAILURE);
-	} else {
-		for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) {
-			w[i*2+1] = ((tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] >> 16)
-				    & 0xffff);
-			w[i*2] = tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] & 0xffff;
-		}
-		zeros = ISC_FALSE;
-		len = snprintf(str, sizeof(str), "%d", tgt_prefix);
-		if (len == -1)
-			return (ISC_R_FAILURE);
-		i = 0;
-		while (i < DNS_RPZ_CIDR_WORDS * 2) {
-			if (w[i] != 0 || zeros
-			    || i >= DNS_RPZ_CIDR_WORDS * 2 - 1
-			    || w[i+1] != 0) {
-				INSIST((size_t)len <= sizeof(str));
-				n = snprintf(&str[len], sizeof(str) - len,
-					     ".%x", w[i++]);
-				if (n < 0)
-					return (ISC_R_FAILURE);
-				len += n;
-			} else {
-				zeros = ISC_TRUE;
-				INSIST((size_t)len <= sizeof(str));
-				n = snprintf(&str[len], sizeof(str) - len,
-					     ".zz");
-				if (n < 0)
-					return (ISC_R_FAILURE);
-				len += n;
-				i += 2;
-				while (i < DNS_RPZ_CIDR_WORDS * 2 && w[i] == 0)
-					++i;
-			}
-			if (len >= (int)sizeof(str))
-				return (ISC_R_FAILURE);
-		}
-	}
-
-	if (canon_name != NULL) {
-		isc__buffer_init(&buffer, str, sizeof(str));
-		isc__buffer_add(&buffer, len);
-		result = dns_name_fromtext(canon_name, &buffer,
-					   dns_rootname, 0, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	if (search_name != NULL) {
-		isc__buffer_init(&buffer, str, sizeof(str));
-		isc__buffer_add(&buffer, len);
-		if (type == DNS_RPZ_TYPE_NSIP)
-			name = &cidr->nsip_name;
-		else
-			name = &cidr->ip_name;
-		result = dns_name_fromtext(search_name, &buffer, name, 0, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Decide which kind of IP address response policy zone a name is in.
- */
-static dns_rpz_type_t
-set_type(dns_rpz_cidr_t *cidr, dns_name_t *name) {
-
-	if (dns_name_issubdomain(name, &cidr->ip_name))
-		return (DNS_RPZ_TYPE_IP);
-
-	/*
-	 * Require `./configure --enable-rpz-nsip` and nsdname
-	 * until consistency problems are resolved.
-	 */
-#ifdef ENABLE_RPZ_NSIP
-	if (dns_name_issubdomain(name, &cidr->nsip_name))
-		return (DNS_RPZ_TYPE_NSIP);
-#endif
-
-#ifdef ENABLE_RPZ_NSDNAME
-	if (dns_name_issubdomain(name, &cidr->nsdname_name))
-		return (DNS_RPZ_TYPE_NSDNAME);
-#endif
-
-	return (DNS_RPZ_TYPE_QNAME);
-}
-
-/*
- * Convert an IP address from canonical response policy domain name form
- * to radix tree binary (host byte order).
- */
-static isc_result_t
-name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name,
-	   dns_rpz_type_t type, dns_rpz_cidr_key_t *tgt_ip,
-	   dns_rpz_cidr_bits_t *tgt_prefix)
-{
-	isc_result_t result;
-	dns_fixedname_t fname;
-	dns_name_t *ipname;
-	char ipstr[DNS_NAME_FORMATSIZE];
-	const char *prefix_str, *cp, *end;
-	char *cp2;
-	int ip_labels;
-	dns_rpz_cidr_bits_t bits;
-	unsigned long prefix, l;
-	int i;
-
-	/*
-	 * Need at least enough labels for the shortest name,
-	 * :: or 128.*.RPZ_x_ZONE.rpz.LOCALHOST.
-	 */
-	ip_labels = dns_name_countlabels(src_name);
-	ip_labels -= dns_name_countlabels(&cidr->ip_name);
-	ip_labels--;
-	if (ip_labels < 1) {
-		badname(level, src_name, "; too short", "");
-		return (ISC_R_FAILURE);
-	}
-
-	/*
-	 * Get text for the IP address
-	 */
-	dns_fixedname_init(&fname);
-	ipname = dns_fixedname_name(&fname);
-	dns_name_split(src_name, dns_name_countlabels(&cidr->ip_name),
-		       ipname, NULL);
-	dns_name_format(ipname, ipstr, sizeof(ipstr));
-	end = &ipstr[strlen(ipstr)+1];
-	prefix_str = ipstr;
-
-	prefix = strtoul(prefix_str, &cp2, 10);
-	if (*cp2 != '.') {
-		badname(level, src_name,
-			"; invalid leading prefix length", "");
-		return (ISC_R_FAILURE);
-	}
-	*cp2 = '\0';
-	if (prefix < 1U || prefix > 128U) {
-		badname(level, src_name,
-			"; invalid prefix length of ", prefix_str);
-		return (ISC_R_FAILURE);
-	}
-	cp = cp2+1;
-
-	if (ip_labels == 4 && !strchr(cp, 'z')) {
-		/*
-		 * Convert an IPv4 address
-		 * from the form "prefix.w.z.y.x"
-		 */
-		if (prefix > 32U) {
-			badname(level, src_name,
-				"; invalid IPv4 prefix length of ", prefix_str);
-			return (ISC_R_FAILURE);
-		}
-		prefix += 96;
-		*tgt_prefix = (dns_rpz_cidr_bits_t)prefix;
-		tgt_ip->w[0] = 0;
-		tgt_ip->w[1] = 0;
-		tgt_ip->w[2] = ADDR_V4MAPPED;
-		tgt_ip->w[3] = 0;
-		for (i = 0; i < 32; i += 8) {
-			l = strtoul(cp, &cp2, 10);
-			if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) {
-				if (*cp2 == '.')
-					*cp2 = '\0';
-				badname(level, src_name,
-					"; invalid IPv4 octet ", cp);
-				return (ISC_R_FAILURE);
-			}
-			tgt_ip->w[3] |= l << i;
-			cp = cp2 + 1;
-		}
-	} else {
-		/*
-		 * Convert a text IPv6 address.
-		 */
-		*tgt_prefix = (dns_rpz_cidr_bits_t)prefix;
-		for (i = 0;
-		     ip_labels > 0 && i < DNS_RPZ_CIDR_WORDS * 2;
-		     ip_labels--) {
-			if (cp[0] == 'z' && cp[1] == 'z' &&
-			    (cp[2] == '.' || cp[2] == '\0') &&
-			    i <= 6) {
-				do {
-					if ((i & 1) == 0)
-					    tgt_ip->w[3-i/2] = 0;
-					++i;
-				} while (ip_labels + i <= 8);
-				cp += 3;
-			} else {
-				l = strtoul(cp, &cp2, 16);
-				if (l > 0xffffu ||
-				    (*cp2 != '.' && *cp2 != '\0')) {
-					if (*cp2 == '.')
-					    *cp2 = '\0';
-					badname(level, src_name,
-						"; invalid IPv6 word ", cp);
-					return (ISC_R_FAILURE);
-				}
-				if ((i & 1) == 0)
-					tgt_ip->w[3-i/2] = l;
-				else
-					tgt_ip->w[3-i/2] |= l << 16;
-				i++;
-				cp = cp2 + 1;
-			}
-		}
-	}
-	if (cp != end) {
-		badname(level, src_name, "", "");
-		return (ISC_R_FAILURE);
-	}
-
-	/*
-	 * Check for 1s after the prefix length.
-	 */
-	bits = (dns_rpz_cidr_bits_t)prefix;
-	while (bits < DNS_RPZ_CIDR_KEY_BITS) {
-		dns_rpz_cidr_word_t aword;
-
-		i = bits % DNS_RPZ_CIDR_WORD_BITS;
-		aword = tgt_ip->w[bits / DNS_RPZ_CIDR_WORD_BITS];
-		if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) {
-			badname(level, src_name,
-				"; too small prefix length of ", prefix_str);
-			return (ISC_R_FAILURE);
-		}
-		bits -= i;
-		bits += DNS_RPZ_CIDR_WORD_BITS;
-	}
-
-	/*
-	 * Convert the address back to a canonical policy domain name
-	 * to ensure that it is in canonical form.
-	 */
-	result = ip2name(cidr, tgt_ip, (dns_rpz_cidr_bits_t) prefix,
-			 type, NULL, ipname);
-	if (result != ISC_R_SUCCESS || !dns_name_equal(src_name, ipname)) {
-		badname(level, src_name, "; not canonical", "");
-		return (ISC_R_FAILURE);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Find first differing bit.
- */
-static int
-ffbit(dns_rpz_cidr_word_t w) {
-	int bit;
-
-	bit = DNS_RPZ_CIDR_WORD_BITS-1;
-	if ((w & 0xffff0000) != 0) {
-		w >>= 16;
-		bit -= 16;
-	}
-	if ((w & 0xff00) != 0) {
-		w >>= 8;
-		bit -= 8;
-	}
-	if ((w & 0xf0) != 0) {
-		w >>= 4;
-		bit -= 4;
-	}
-	if ((w & 0xc) != 0) {
-		w >>= 2;
-		bit -= 2;
-	}
-	if ((w & 2) != 0)
-		--bit;
-	return (bit);
-}
-
-/*
- * Find the first differing bit in two keys.
- */
-static int
-diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_cidr_bits_t bits1,
-	  const dns_rpz_cidr_key_t *key2, dns_rpz_cidr_bits_t bits2)
-{
-	dns_rpz_cidr_word_t delta;
-	dns_rpz_cidr_bits_t maxbit, bit;
-	int i;
-
-	maxbit = ISC_MIN(bits1, bits2);
-
-	/*
-	 * find the first differing words
-	 */
-	for (i = 0, bit = 0;
-	     bit <= maxbit;
-	     i++, bit += DNS_RPZ_CIDR_WORD_BITS) {
-		delta = key1->w[i] ^ key2->w[i];
-		if (delta != 0) {
-			bit += ffbit(delta);
-			break;
-		}
-	}
-	return (ISC_MIN(bit, maxbit));
-}
-
-/*
- * Search a radix tree for an IP address for ordinary lookup
- *	or for a CIDR block adding or deleting an entry
- * The tree read (for simple search) or write lock must be held by the caller.
- *
- * Return ISC_R_SUCCESS, ISC_R_NOTFOUND, DNS_R_PARTIALMATCH, ISC_R_EXISTS,
- *	ISC_R_NOMEMORY
- */
-static isc_result_t
-search(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip,
-       dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type,
-       isc_boolean_t create,
-       dns_rpz_cidr_node_t **found)		/* NULL or longest match node */
-{
-	dns_rpz_cidr_node_t *cur, *parent, *child, *new_parent, *sibling;
-	int cur_num, child_num;
-	dns_rpz_cidr_bits_t dbit;
-	dns_rpz_cidr_flags_t flags, data_flag;
-	isc_result_t find_result;
-
-	flags = get_flags(tgt_ip, tgt_prefix, type);
-	data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA |
-			     DNS_RPZ_CIDR_FG_NSIP_DATA);
-
-	find_result = ISC_R_NOTFOUND;
-	if (found != NULL)
-		*found = NULL;
-	cur = cidr->root;
-	parent = NULL;
-	cur_num = 0;
-	for (;;) {
-		if (cur == NULL) {
-			/*
-			 * No child so we cannot go down.  Fail or
-			 * add the target as a child of the current parent.
-			 */
-			if (!create)
-				return (find_result);
-			child = new_node(cidr, tgt_ip, tgt_prefix, 0);
-			if (child == NULL)
-				return (ISC_R_NOMEMORY);
-			if (parent == NULL)
-				cidr->root = child;
-			else
-				parent->child[cur_num] = child;
-			child->parent = parent;
-			set_node_flags(child, type);
-			if (found != NULL)
-				*found = cur;
-			return (ISC_R_SUCCESS);
-		}
-
-		/*
-		 * Pretend a node not in the correct tree does not exist
-		 * if we are not adding to the tree,
-		 * If we are adding, then continue down to eventually
-		 * add a node and mark/put this node in the correct tree.
-		 */
-		if ((cur->flags & flags) == 0 && !create)
-			return (find_result);
-
-		dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->bits);
-		/*
-		 * dbit <= tgt_prefix and dbit <= cur->bits always.
-		 * We are finished searching if we matched all of the target.
-		 */
-		if (dbit == tgt_prefix) {
-			if (tgt_prefix == cur->bits) {
-				/*
-				 * The current node matches the target exactly.
-				 * It is the answer if it has data.
-				 */
-				if ((cur->flags & data_flag) != 0) {
-					if (create)
-						return (ISC_R_EXISTS);
-					if (found != NULL)
-						*found = cur;
-					return (ISC_R_SUCCESS);
-				} else if (create) {
-					/*
-					 * The node had no data but does now.
-					 */
-					set_node_flags(cur, type);
-					if (found != NULL)
-						*found = cur;
-					return (ISC_R_SUCCESS);
-				}
-				return (find_result);
-			}
-
-			/*
-			 * We know tgt_prefix < cur_bits which means that
-			 * the target is shorter than the current node.
-			 * Add the target as the current node's parent.
-			 */
-			if (!create)
-				return (find_result);
-
-			new_parent = new_node(cidr, tgt_ip, tgt_prefix,
-					      cur->flags);
-			if (new_parent == NULL)
-				return (ISC_R_NOMEMORY);
-			new_parent->parent = parent;
-			if (parent == NULL)
-				cidr->root = new_parent;
-			else
-				parent->child[cur_num] = new_parent;
-			child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix+1);
-			new_parent->child[child_num] = cur;
-			cur->parent = new_parent;
-			set_node_flags(new_parent, type);
-			if (found != NULL)
-				*found = new_parent;
-			return (ISC_R_SUCCESS);
-		}
-
-		if (dbit == cur->bits) {
-			/*
-			 * We have a partial match by matching of all of the
-			 * current node but only part of the target.
-			 * Try to go down.
-			 */
-			if ((cur->flags & data_flag) != 0) {
-				find_result = DNS_R_PARTIALMATCH;
-				if (found != NULL)
-					*found = cur;
-			}
-
-			parent = cur;
-			cur_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
-			cur = cur->child[cur_num];
-			continue;
-		}
-
-
-		/*
-		 * dbit < tgt_prefix and dbit < cur->bits,
-		 * so we failed to match both the target and the current node.
-		 * Insert a fork of a parent above the current node and
-		 * add the target as a sibling of the current node
-		 */
-		if (!create)
-			return (find_result);
-
-		sibling = new_node(cidr, tgt_ip, tgt_prefix, 0);
-		if (sibling == NULL)
-			return (ISC_R_NOMEMORY);
-		new_parent = new_node(cidr, tgt_ip, dbit, cur->flags);
-		if (new_parent == NULL) {
-			isc_mem_put(cidr->mctx, sibling, sizeof(*sibling));
-			return (ISC_R_NOMEMORY);
-		}
-		new_parent->parent = parent;
-		if (parent == NULL)
-			cidr->root = new_parent;
-		else
-			parent->child[cur_num] = new_parent;
-		child_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
-		new_parent->child[child_num] = sibling;
-		new_parent->child[1-child_num] = cur;
-		cur->parent = new_parent;
-		sibling->parent = new_parent;
-		set_node_flags(sibling, type);
-		if (found != NULL)
-			*found = sibling;
-		return (ISC_R_SUCCESS);
-	}
-}
-
-/*
- * Add an IP address to the radix tree of a response policy database.
- *	The tree write lock must be held by the caller.
- */
-void
-dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name) {
-	isc_result_t result;
-	dns_rpz_cidr_key_t tgt_ip;
-	dns_rpz_cidr_bits_t tgt_prefix;
-	dns_rpz_type_t type;
-
-	REQUIRE(cidr != NULL);
-
-	/*
-	 * No worries if the new name is not an IP address.
-	 */
-	type = set_type(cidr, name);
-	switch (type) {
-	case DNS_RPZ_TYPE_IP:
-	case DNS_RPZ_TYPE_NSIP:
-		break;
-	case DNS_RPZ_TYPE_NSDNAME:
-		cidr->have_nsdname = ISC_TRUE;
-		return;
-	case DNS_RPZ_TYPE_QNAME:
-	case DNS_RPZ_TYPE_BAD:
-		return;
-	}
-	result = name2ipkey(cidr, DNS_RPZ_ERROR_LEVEL, name,
-			    type, &tgt_ip, &tgt_prefix);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_TRUE, NULL);
-	if (result == ISC_R_EXISTS &&
-	    isc_log_wouldlog(dns_lctx, DNS_RPZ_ERROR_LEVEL))
-	{
-		char printname[DNS_NAME_FORMATSIZE];
-
-		/*
-		 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
-		 */
-		dns_name_format(name, printname, sizeof(printname));
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
-			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
-			      "rpz add failed; \"%s\" is a duplicate name",
-			      printname);
-	}
-}
-
-/*
- * Delete an IP address from the radix tree of a response policy database.
- *	The tree write lock must be held by the caller.
- */
-void
-dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name) {
-	isc_result_t result;
-	dns_rpz_cidr_key_t tgt_ip;
-	dns_rpz_cidr_bits_t tgt_prefix;
-	dns_rpz_type_t type;
-	dns_rpz_cidr_node_t *tgt = NULL, *parent, *child;
-	dns_rpz_cidr_flags_t flags, data_flag;
-
-	if (cidr == NULL)
-		return;
-
-	/*
-	 * Decide which kind of policy zone IP address it is, if either
-	 * and then find its node.
-	 */
-	type = set_type(cidr, name);
-	switch (type) {
-	case DNS_RPZ_TYPE_IP:
-	case DNS_RPZ_TYPE_NSIP:
-		break;
-	case DNS_RPZ_TYPE_NSDNAME:
-		/*
-		 * We cannot easily count nsdnames because
-		 * internal rbt nodes get deleted.
-		 */
-		return;
-	case DNS_RPZ_TYPE_QNAME:
-	case DNS_RPZ_TYPE_BAD:
-		return;
-	}
-
-	/*
-	 * Do not get excited about the deletion of interior rbt nodes.
-	 */
-	result = name2ipkey(cidr, DNS_RPZ_DEBUG_QUIET, name,
-			    type, &tgt_ip, &tgt_prefix);
-	if (result != ISC_R_SUCCESS)
-		return;
-
-	result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_FALSE, &tgt);
-	if (result != ISC_R_SUCCESS) {
-		badname(DNS_RPZ_ERROR_LEVEL, name, "; missing rpz node", "");
-		return;
-	}
-
-	/*
-	 * Mark the node and its parents to reflect the deleted IP address.
-	 */
-	flags = get_flags(&tgt_ip, tgt_prefix, type);
-	data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA |
-			      DNS_RPZ_CIDR_FG_NSIP_DATA);
-	tgt->flags &= ~data_flag;
-	for (parent = tgt; parent != NULL; parent = parent->parent) {
-		if ((parent->flags & data_flag) != 0 ||
-		    (parent->child[0] != NULL &&
-		     (parent->child[0]->flags & flags) != 0) ||
-		    (parent->child[1] != NULL &&
-		     (parent->child[1]->flags & flags) != 0))
-			break;
-		parent->flags &= ~flags;
-	}
-
-	/*
-	 * We might need to delete 2 nodes.
-	 */
-	do {
-		/*
-		 * The node is now useless if it has no data of its own
-		 * and 0 or 1 children.  We are finished if it is not useless.
-		 */
-		if ((child = tgt->child[0]) != NULL) {
-			if (tgt->child[1] != NULL)
-				return;
-		} else {
-			child = tgt->child[1];
-		}
-		if ((tgt->flags & (DNS_RPZ_CIDR_FG_IP_DATA |
-				 DNS_RPZ_CIDR_FG_NSIP_DATA)) != 0)
-			return;
-
-		/*
-		 * Replace the pointer to this node in the parent with
-		 * the remaining child or NULL.
-		 */
-		parent = tgt->parent;
-		if (parent == NULL) {
-			cidr->root = child;
-		} else {
-			parent->child[parent->child[1] == tgt] = child;
-		}
-		/*
-		 * If the child exists fix up its parent pointer.
-		 */
-		if (child != NULL)
-			child->parent = parent;
-		isc_mem_put(cidr->mctx, tgt, sizeof(*tgt));
-
-		tgt = parent;
-	} while (tgt != NULL);
-}
-
-/*
- * Caller must hold tree lock.
- * Return  ISC_R_NOTFOUND
- *	or ISC_R_SUCCESS and the found entry's canonical and search names
- *	    and its prefix length
- */
-isc_result_t
-dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
-		  dns_rpz_type_t type, dns_name_t *canon_name,
-		  dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix)
-{
-	dns_rpz_cidr_key_t tgt_ip;
-	isc_result_t result;
-	dns_rpz_cidr_node_t *found;
-	int i;
-
-	/*
-	 * Convert IP address to CIDR tree key.
-	 */
-	if (netaddr->family == AF_INET) {
-		tgt_ip.w[0] = 0;
-		tgt_ip.w[1] = 0;
-		tgt_ip.w[2] = ADDR_V4MAPPED;
-		tgt_ip.w[3] = ntohl(netaddr->type.in.s_addr);
-	} else if (netaddr->family == AF_INET6) {
-		dns_rpz_cidr_key_t src_ip6;
-
-		/*
-		 * Given the int aligned struct in_addr member of netaddr->type
-		 * one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *,
-		 * but there are objections.
-		 */
-		memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));
-		for (i = 0; i < 4; i++) {
-			tgt_ip.w[i] = ntohl(src_ip6.w[i]);
-		}
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-
-	result = search(cidr, &tgt_ip, 128, type, ISC_FALSE, &found);
-	if (result != ISC_R_SUCCESS && result != DNS_R_PARTIALMATCH)
-		return (result);
-
-	*prefix = found->bits;
-	return (ip2name(cidr, &found->ip, found->bits, type,
-			canon_name, search_name));
-}
-
-/*
- * Translate CNAME rdata to a QNAME response policy action.
- */
-dns_rpz_policy_t
-dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
-		     dns_name_t *selfname)
-{
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_cname_t cname;
-	isc_result_t result;
-
-	result = dns_rdataset_first(rdataset);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &cname, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	dns_rdata_reset(&rdata);
-
-	/*
-	 * CNAME . means NXDOMAIN
-	 */
-	if (dns_name_equal(&cname.cname, dns_rootname))
-		return (DNS_RPZ_POLICY_NXDOMAIN);
-
-	if (dns_name_iswildcard(&cname.cname)) {
-		/*
-		 * CNAME *. means NODATA
-		 */
-		if (dns_name_countlabels(&cname.cname) == 2)
-			return (DNS_RPZ_POLICY_NODATA);
-
-		/*
-		 * A qname of www.evil.com and a policy of
-		 *	*.evil.com    CNAME   *.garden.net
-		 * gives a result of
-		 *	evil.com    CNAME   evil.com.garden.net
-		 */
-		if (dns_name_countlabels(&cname.cname) > 2)
-			return (DNS_RPZ_POLICY_WILDCNAME);
-	}
-
-	/*
-	 * CNAME PASSTHRU.origin means "do not rewrite.
-	 */
-	if (dns_name_equal(&cname.cname, &rpz->passthru))
-		return (DNS_RPZ_POLICY_PASSTHRU);
-
-	/*
-	 * 128.1.0.127.rpz-ip CNAME  128.1.0.0.127. is obsolete PASSTHRU
-	 */
-	if (selfname != NULL && dns_name_equal(&cname.cname, selfname))
-		return (DNS_RPZ_POLICY_PASSTHRU);
-
-	/*
-	 * Any other rdata gives a response consisting of the rdata.
-	 */
-	return (DNS_RPZ_POLICY_RECORD);
-}
diff --git a/contrib/bind9/lib/dns/rriterator.c b/contrib/bind9/lib/dns/rriterator.c
deleted file mode 100644
index 509fb42..0000000
--- a/contrib/bind9/lib/dns/rriterator.c
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-/***
- *** Imports
- ***/
-
-#include <config.h>
-
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-#include <dns/rriterator.h>
-
-/***
- *** RRiterator methods
- ***/
-
-isc_result_t
-dns_rriterator_init(dns_rriterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
-		    isc_stdtime_t now)
-{
-	isc_result_t result;
-	it->magic = RRITERATOR_MAGIC;
-	it->db = db;
-	it->dbit = NULL;
-	it->ver = ver;
-	it->now = now;
-	it->node = NULL;
-	result = dns_db_createiterator(it->db, 0, &it->dbit);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	it->rdatasetit = NULL;
-	dns_rdata_init(&it->rdata);
-	dns_rdataset_init(&it->rdataset);
-	dns_fixedname_init(&it->fixedname);
-	INSIST(! dns_rdataset_isassociated(&it->rdataset));
-	it->result = ISC_R_SUCCESS;
-	return (it->result);
-}
-
-isc_result_t
-dns_rriterator_first(dns_rriterator_t *it) {
-	REQUIRE(VALID_RRITERATOR(it));
-	/* Reset state */
-	if (dns_rdataset_isassociated(&it->rdataset))
-		dns_rdataset_disassociate(&it->rdataset);
-	if (it->rdatasetit != NULL)
-		dns_rdatasetiter_destroy(&it->rdatasetit);
-	if (it->node != NULL)
-		dns_db_detachnode(it->db, &it->node);
-	it->result = dns_dbiterator_first(it->dbit);
-
-	/*
-	 * The top node may be empty when out of zone glue exists.
-	 * Walk the tree to find the first node with data.
-	 */
-	while (it->result == ISC_R_SUCCESS) {
-		it->result = dns_dbiterator_current(it->dbit, &it->node,
-					   dns_fixedname_name(&it->fixedname));
-		if (it->result != ISC_R_SUCCESS)
-			return (it->result);
-
-		it->result = dns_db_allrdatasets(it->db, it->node, it->ver,
-						 it->now, &it->rdatasetit);
-		if (it->result != ISC_R_SUCCESS)
-			return (it->result);
-
-		it->result = dns_rdatasetiter_first(it->rdatasetit);
-		if (it->result != ISC_R_SUCCESS) {
-			/*
-			 * This node is empty. Try next node.
-			 */
-			dns_rdatasetiter_destroy(&it->rdatasetit);
-			dns_db_detachnode(it->db, &it->node);
-			it->result = dns_dbiterator_next(it->dbit);
-			continue;
-		}
-		dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
-		it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
-		it->result = dns_rdataset_first(&it->rdataset);
-		return (it->result);
-	}
-	return (it->result);
-}
-
-isc_result_t
-dns_rriterator_nextrrset(dns_rriterator_t *it) {
-	REQUIRE(VALID_RRITERATOR(it));
-	if (dns_rdataset_isassociated(&it->rdataset))
-		dns_rdataset_disassociate(&it->rdataset);
-	it->result = dns_rdatasetiter_next(it->rdatasetit);
-	/*
-	 * The while loop body is executed more than once
-	 * only when an empty dbnode needs to be skipped.
-	 */
-	while (it->result == ISC_R_NOMORE) {
-		dns_rdatasetiter_destroy(&it->rdatasetit);
-		dns_db_detachnode(it->db, &it->node);
-		it->result = dns_dbiterator_next(it->dbit);
-		if (it->result == ISC_R_NOMORE) {
-			/* We are at the end of the entire database. */
-			return (it->result);
-		}
-		if (it->result != ISC_R_SUCCESS)
-			return (it->result);
-		it->result = dns_dbiterator_current(it->dbit, &it->node,
-					   dns_fixedname_name(&it->fixedname));
-		if (it->result != ISC_R_SUCCESS)
-			return (it->result);
-		it->result = dns_db_allrdatasets(it->db, it->node, it->ver,
-						 it->now, &it->rdatasetit);
-		if (it->result != ISC_R_SUCCESS)
-			return (it->result);
-		it->result = dns_rdatasetiter_first(it->rdatasetit);
-	}
-	if (it->result != ISC_R_SUCCESS)
-		return (it->result);
-	dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
-	it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
-	it->result = dns_rdataset_first(&it->rdataset);
-	return (it->result);
-}
-
-isc_result_t
-dns_rriterator_next(dns_rriterator_t *it) {
-	REQUIRE(VALID_RRITERATOR(it));
-	if (it->result != ISC_R_SUCCESS)
-		return (it->result);
-
-	INSIST(it->dbit != NULL);
-	INSIST(it->node != NULL);
-	INSIST(it->rdatasetit != NULL);
-
-	it->result = dns_rdataset_next(&it->rdataset);
-	if (it->result == ISC_R_NOMORE)
-		return (dns_rriterator_nextrrset(it));
-	return (it->result);
-}
-
-void
-dns_rriterator_pause(dns_rriterator_t *it) {
-	REQUIRE(VALID_RRITERATOR(it));
-	RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS);
-}
-
-void
-dns_rriterator_destroy(dns_rriterator_t *it) {
-	REQUIRE(VALID_RRITERATOR(it));
-	if (dns_rdataset_isassociated(&it->rdataset))
-		dns_rdataset_disassociate(&it->rdataset);
-	if (it->rdatasetit != NULL)
-		dns_rdatasetiter_destroy(&it->rdatasetit);
-	if (it->node != NULL)
-		dns_db_detachnode(it->db, &it->node);
-	dns_dbiterator_destroy(&it->dbit);
-}
-
-void
-dns_rriterator_current(dns_rriterator_t *it, dns_name_t **name,
-		       isc_uint32_t *ttl, dns_rdataset_t **rdataset,
-		       dns_rdata_t **rdata)
-{
-	REQUIRE(name != NULL && *name == NULL);
-	REQUIRE(VALID_RRITERATOR(it));
-	REQUIRE(it->result == ISC_R_SUCCESS);
-	REQUIRE(rdataset == NULL || *rdataset == NULL);
-	REQUIRE(rdata == NULL || *rdata == NULL);
-
-	*name = dns_fixedname_name(&it->fixedname);
-	*ttl = it->rdataset.ttl;
-
-	dns_rdata_reset(&it->rdata);
-	dns_rdataset_current(&it->rdataset, &it->rdata);
-
-	if (rdataset != NULL)
-		*rdataset = &it->rdataset;
-
-	if (rdata != NULL)
-		*rdata = &it->rdata;
-}
diff --git a/contrib/bind9/lib/dns/sdb.c b/contrib/bind9/lib/dns/sdb.c
deleted file mode 100644
index 191fda2..0000000
--- a/contrib/bind9/lib/dns/sdb.c
+++ /dev/null
@@ -1,1596 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/lex.h>
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/sdb.h>
-#include <dns/types.h>
-
-#include "rdatalist_p.h"
-
-struct dns_sdbimplementation {
-	const dns_sdbmethods_t		*methods;
-	void				*driverdata;
-	unsigned int			flags;
-	isc_mem_t			*mctx;
-	isc_mutex_t			driverlock;
-	dns_dbimplementation_t		*dbimp;
-};
-
-struct dns_sdb {
-	/* Unlocked */
-	dns_db_t			common;
-	char				*zone;
-	dns_sdbimplementation_t		*implementation;
-	void				*dbdata;
-	isc_mutex_t			lock;
-	/* Locked */
-	unsigned int			references;
-};
-
-struct dns_sdblookup {
-	/* Unlocked */
-	unsigned int			magic;
-	dns_sdb_t			*sdb;
-	ISC_LIST(dns_rdatalist_t)	lists;
-	ISC_LIST(isc_buffer_t)		buffers;
-	dns_name_t			*name;
-	ISC_LINK(dns_sdblookup_t)	link;
-	isc_mutex_t			lock;
-	dns_rdatacallbacks_t		callbacks;
-	/* Locked */
-	unsigned int			references;
-};
-
-typedef struct dns_sdblookup dns_sdbnode_t;
-
-struct dns_sdballnodes {
-	dns_dbiterator_t		common;
-	ISC_LIST(dns_sdbnode_t)		nodelist;
-	dns_sdbnode_t			*current;
-	dns_sdbnode_t			*origin;
-};
-
-typedef dns_sdballnodes_t sdb_dbiterator_t;
-
-typedef struct sdb_rdatasetiter {
-	dns_rdatasetiter_t		common;
-	dns_rdatalist_t			*current;
-} sdb_rdatasetiter_t;
-
-#define SDB_MAGIC		ISC_MAGIC('S', 'D', 'B', '-')
-
-/*%
- * Note that "impmagic" is not the first four bytes of the struct, so
- * ISC_MAGIC_VALID cannot be used.
- */
-#define VALID_SDB(sdb)		((sdb) != NULL && \
-				 (sdb)->common.impmagic == SDB_MAGIC)
-
-#define SDBLOOKUP_MAGIC		ISC_MAGIC('S','D','B','L')
-#define VALID_SDBLOOKUP(sdbl)	ISC_MAGIC_VALID(sdbl, SDBLOOKUP_MAGIC)
-#define VALID_SDBNODE(sdbn)	VALID_SDBLOOKUP(sdbn)
-
-/* These values are taken from RFC1537 */
-#define SDB_DEFAULT_REFRESH	(60 * 60 * 8)
-#define SDB_DEFAULT_RETRY	(60 * 60 * 2)
-#define SDB_DEFAULT_EXPIRE	(60 * 60 * 24 * 7)
-#define SDB_DEFAULT_MINIMUM	(60 * 60 * 24)
-
-/* This is a reasonable value */
-#define SDB_DEFAULT_TTL		(60 * 60 * 24)
-
-#ifdef __COVERITY__
-#define MAYBE_LOCK(sdb) LOCK(&sdb->implementation->driverlock)
-#define MAYBE_UNLOCK(sdb) UNLOCK(&sdb->implementation->driverlock)
-#else
-#define MAYBE_LOCK(sdb)							\
-	do {								\
-		unsigned int flags = sdb->implementation->flags;	\
-		if ((flags & DNS_SDBFLAG_THREADSAFE) == 0)		\
-			LOCK(&sdb->implementation->driverlock);		\
-	} while (0)
-
-#define MAYBE_UNLOCK(sdb)						\
-	do {								\
-		unsigned int flags = sdb->implementation->flags;	\
-		if ((flags & DNS_SDBFLAG_THREADSAFE) == 0)		\
-			UNLOCK(&sdb->implementation->driverlock);	\
-	} while (0)
-#endif
-
-static int dummy;
-
-static isc_result_t dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin,
-				   dns_dbtype_t type, dns_rdataclass_t rdclass,
-				   unsigned int argc, char *argv[],
-				   void *driverarg, dns_db_t **dbp);
-
-static isc_result_t findrdataset(dns_db_t *db, dns_dbnode_t *node,
-				 dns_dbversion_t *version,
-				 dns_rdatatype_t type, dns_rdatatype_t covers,
-				 isc_stdtime_t now, dns_rdataset_t *rdataset,
-				 dns_rdataset_t *sigrdataset);
-
-static isc_result_t createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep);
-
-static void destroynode(dns_sdbnode_t *node);
-
-static void detachnode(dns_db_t *db, dns_dbnode_t **targetp);
-
-
-static void list_tordataset(dns_rdatalist_t *rdatalist,
-			    dns_db_t *db, dns_dbnode_t *node,
-			    dns_rdataset_t *rdataset);
-
-static void		dbiterator_destroy(dns_dbiterator_t **iteratorp);
-static isc_result_t	dbiterator_first(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_last(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_seek(dns_dbiterator_t *iterator,
-					dns_name_t *name);
-static isc_result_t	dbiterator_prev(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_next(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_current(dns_dbiterator_t *iterator,
-					   dns_dbnode_t **nodep,
-					   dns_name_t *name);
-static isc_result_t	dbiterator_pause(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_origin(dns_dbiterator_t *iterator,
-					  dns_name_t *name);
-
-static dns_dbiteratormethods_t dbiterator_methods = {
-	dbiterator_destroy,
-	dbiterator_first,
-	dbiterator_last,
-	dbiterator_seek,
-	dbiterator_prev,
-	dbiterator_next,
-	dbiterator_current,
-	dbiterator_pause,
-	dbiterator_origin
-};
-
-static void		rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
-static isc_result_t	rdatasetiter_first(dns_rdatasetiter_t *iterator);
-static isc_result_t	rdatasetiter_next(dns_rdatasetiter_t *iterator);
-static void		rdatasetiter_current(dns_rdatasetiter_t *iterator,
-					     dns_rdataset_t *rdataset);
-
-static dns_rdatasetitermethods_t rdatasetiter_methods = {
-	rdatasetiter_destroy,
-	rdatasetiter_first,
-	rdatasetiter_next,
-	rdatasetiter_current
-};
-
-/*
- * Functions used by implementors of simple databases
- */
-isc_result_t
-dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
-		 void *driverdata, unsigned int flags, isc_mem_t *mctx,
-		 dns_sdbimplementation_t **sdbimp)
-{
-	dns_sdbimplementation_t *imp;
-	isc_result_t result;
-
-	REQUIRE(drivername != NULL);
-	REQUIRE(methods != NULL);
-	REQUIRE(methods->lookup != NULL || methods->lookup2 != NULL);
-	REQUIRE(mctx != NULL);
-	REQUIRE(sdbimp != NULL && *sdbimp == NULL);
-	REQUIRE((flags & ~(DNS_SDBFLAG_RELATIVEOWNER |
-			   DNS_SDBFLAG_RELATIVERDATA |
-			   DNS_SDBFLAG_THREADSAFE|
-			   DNS_SDBFLAG_DNS64)) == 0);
-
-	imp = isc_mem_get(mctx, sizeof(dns_sdbimplementation_t));
-	if (imp == NULL)
-		return (ISC_R_NOMEMORY);
-	imp->methods = methods;
-	imp->driverdata = driverdata;
-	imp->flags = flags;
-	imp->mctx = NULL;
-	isc_mem_attach(mctx, &imp->mctx);
-	result = isc_mutex_init(&imp->driverlock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mctx;
-
-	imp->dbimp = NULL;
-	result = dns_db_register(drivername, dns_sdb_create, imp, mctx,
-				 &imp->dbimp);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mutex;
-	*sdbimp = imp;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_mutex:
-	DESTROYLOCK(&imp->driverlock);
- cleanup_mctx:
-	isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t));
-	return (result);
-}
-
-void
-dns_sdb_unregister(dns_sdbimplementation_t **sdbimp) {
-	dns_sdbimplementation_t *imp;
-	isc_mem_t *mctx;
-
-	REQUIRE(sdbimp != NULL && *sdbimp != NULL);
-
-	imp = *sdbimp;
-	dns_db_unregister(&imp->dbimp);
-	DESTROYLOCK(&imp->driverlock);
-
-	mctx = imp->mctx;
-	isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t));
-	isc_mem_detach(&mctx);
-
-	*sdbimp = NULL;
-}
-
-static inline unsigned int
-initial_size(unsigned int len) {
-	unsigned int size;
-
-	for (size = 1024; size < (64 * 1024); size *= 2)
-		if (len < size)
-			return (size);
-	return (65535);
-}
-
-isc_result_t
-dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval,
-		 dns_ttl_t ttl, const unsigned char *rdatap,
-		 unsigned int rdlen)
-{
-	dns_rdatalist_t *rdatalist;
-	dns_rdata_t *rdata;
-	isc_buffer_t *rdatabuf = NULL;
-	isc_result_t result;
-	isc_mem_t *mctx;
-	isc_region_t region;
-
-	mctx = lookup->sdb->common.mctx;
-
-	rdatalist = ISC_LIST_HEAD(lookup->lists);
-	while (rdatalist != NULL) {
-		if (rdatalist->type == typeval)
-			break;
-		rdatalist = ISC_LIST_NEXT(rdatalist, link);
-	}
-
-	if (rdatalist == NULL) {
-		rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t));
-		if (rdatalist == NULL)
-			return (ISC_R_NOMEMORY);
-		rdatalist->rdclass = lookup->sdb->common.rdclass;
-		rdatalist->type = typeval;
-		rdatalist->covers = 0;
-		rdatalist->ttl = ttl;
-		ISC_LIST_INIT(rdatalist->rdata);
-		ISC_LINK_INIT(rdatalist, link);
-		ISC_LIST_APPEND(lookup->lists, rdatalist, link);
-	} else
-		if (rdatalist->ttl != ttl)
-			return (DNS_R_BADTTL);
-
-	rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
-	if (rdata == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_buffer_allocate(mctx, &rdatabuf, rdlen);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	DE_CONST(rdatap, region.base);
-	region.length = rdlen;
-	isc_buffer_copyregion(rdatabuf, &region);
-	isc_buffer_usedregion(rdatabuf, &region);
-	dns_rdata_init(rdata);
-	dns_rdata_fromregion(rdata, rdatalist->rdclass, rdatalist->type,
-			     &region);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
-	rdata = NULL;
-
- failure:
-	if (rdata != NULL)
-		isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
-	return (result);
-}
-
-isc_result_t
-dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
-	      const char *data)
-{
-	unsigned int datalen;
-	dns_rdatatype_t typeval;
-	isc_textregion_t r;
-	isc_lex_t *lex = NULL;
-	isc_result_t result;
-	unsigned char *p = NULL;
-	unsigned int size = 0; /* Init to suppress compiler warning */
-	isc_mem_t *mctx;
-	dns_sdbimplementation_t *imp;
-	dns_name_t *origin;
-	isc_buffer_t b;
-	isc_buffer_t rb;
-
-	REQUIRE(VALID_SDBLOOKUP(lookup));
-	REQUIRE(type != NULL);
-	REQUIRE(data != NULL);
-
-	mctx = lookup->sdb->common.mctx;
-
-	DE_CONST(type, r.base);
-	r.length = strlen(type);
-	result = dns_rdatatype_fromtext(&typeval, &r);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	imp = lookup->sdb->implementation;
-	if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0)
-		origin = &lookup->sdb->common.origin;
-	else
-		origin = dns_rootname;
-
-	result = isc_lex_create(mctx, 64, &lex);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	datalen = strlen(data);
-	size = initial_size(datalen);
-	do {
-		isc_buffer_constinit(&b, data, datalen);
-		isc_buffer_add(&b, datalen);
-		result = isc_lex_openbuffer(lex, &b);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		if (size >= 65535)
-			size = 65535;
-		p = isc_mem_get(mctx, size);
-		if (p == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto failure;
-		}
-		isc_buffer_init(&rb, p, size);
-		result = dns_rdata_fromtext(NULL,
-					    lookup->sdb->common.rdclass,
-					    typeval, lex,
-					    origin, 0,
-					    mctx, &rb,
-					    &lookup->callbacks);
-		if (result != ISC_R_NOSPACE)
-			break;
-
-		/*
-		 * Is the RR too big?
-		 */
-		if (size >= 65535)
-			break;
-		isc_mem_put(mctx, p, size);
-		p = NULL;
-		size *= 2;
-	} while (result == ISC_R_NOSPACE);
-
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	result = dns_sdb_putrdata(lookup, typeval, ttl,
-				  isc_buffer_base(&rb),
-				  isc_buffer_usedlength(&rb));
- failure:
-	if (p != NULL)
-		isc_mem_put(mctx, p, size);
-	if (lex != NULL)
-		isc_lex_destroy(&lex);
-
-	return (result);
-}
-
-static isc_result_t
-getnode(dns_sdballnodes_t *allnodes, const char *name, dns_sdbnode_t **nodep) {
-	dns_name_t *newname, *origin;
-	dns_fixedname_t fnewname;
-	dns_sdb_t *sdb = (dns_sdb_t *)allnodes->common.db;
-	dns_sdbimplementation_t *imp = sdb->implementation;
-	dns_sdbnode_t *sdbnode;
-	isc_mem_t *mctx = sdb->common.mctx;
-	isc_buffer_t b;
-	isc_result_t result;
-
-	dns_fixedname_init(&fnewname);
-	newname = dns_fixedname_name(&fnewname);
-
-	if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0)
-		origin = &sdb->common.origin;
-	else
-		origin = dns_rootname;
-	isc_buffer_constinit(&b, name, strlen(name));
-	isc_buffer_add(&b, strlen(name));
-
-	result = dns_name_fromtext(newname, &b, origin, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (allnodes->common.relative_names) {
-		/* All names are relative to the root */
-		unsigned int nlabels = dns_name_countlabels(newname);
-		dns_name_getlabelsequence(newname, 0, nlabels - 1, newname);
-	}
-
-	sdbnode = ISC_LIST_HEAD(allnodes->nodelist);
-	if (sdbnode == NULL || !dns_name_equal(sdbnode->name, newname)) {
-		sdbnode = NULL;
-		result = createnode(sdb, &sdbnode);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		sdbnode->name = isc_mem_get(mctx, sizeof(dns_name_t));
-		if (sdbnode->name == NULL) {
-			destroynode(sdbnode);
-			return (ISC_R_NOMEMORY);
-		}
-		dns_name_init(sdbnode->name, NULL);
-		result = dns_name_dup(newname, mctx, sdbnode->name);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(mctx, sdbnode->name, sizeof(dns_name_t));
-			destroynode(sdbnode);
-			return (result);
-		}
-		ISC_LIST_PREPEND(allnodes->nodelist, sdbnode, link);
-		if (allnodes->origin == NULL &&
-		    dns_name_equal(newname, &sdb->common.origin))
-			allnodes->origin = sdbnode;
-	}
-	*nodep = sdbnode;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
-		   const char *type, dns_ttl_t ttl, const char *data)
-{
-	isc_result_t result;
-	dns_sdbnode_t *sdbnode = NULL;
-	result = getnode(allnodes, name, &sdbnode);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	return (dns_sdb_putrr(sdbnode, type, ttl, data));
-}
-
-isc_result_t
-dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
-		      dns_rdatatype_t type, dns_ttl_t ttl,
-		      const void *rdata, unsigned int rdlen)
-{
-	isc_result_t result;
-	dns_sdbnode_t *sdbnode = NULL;
-	result = getnode(allnodes, name, &sdbnode);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	return (dns_sdb_putrdata(sdbnode, type, ttl, rdata, rdlen));
-}
-
-isc_result_t
-dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
-	       isc_uint32_t serial)
-{
-	char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7];
-	int n;
-
-	REQUIRE(mname != NULL);
-	REQUIRE(rname != NULL);
-
-	n = snprintf(str, sizeof(str), "%s %s %u %u %u %u %u",
-		     mname, rname, serial,
-		     SDB_DEFAULT_REFRESH, SDB_DEFAULT_RETRY,
-		     SDB_DEFAULT_EXPIRE, SDB_DEFAULT_MINIMUM);
-	if (n >= (int)sizeof(str) || n < 0)
-		return (ISC_R_NOSPACE);
-	return (dns_sdb_putrr(lookup, "SOA", SDB_DEFAULT_TTL, str));
-}
-
-/*
- * DB routines
- */
-
-static void
-attach(dns_db_t *source, dns_db_t **targetp) {
-	dns_sdb_t *sdb = (dns_sdb_t *) source;
-
-	REQUIRE(VALID_SDB(sdb));
-
-	LOCK(&sdb->lock);
-	REQUIRE(sdb->references > 0);
-	sdb->references++;
-	UNLOCK(&sdb->lock);
-
-	*targetp = source;
-}
-
-static void
-destroy(dns_sdb_t *sdb) {
-	isc_mem_t *mctx;
-	dns_sdbimplementation_t *imp = sdb->implementation;
-
-	mctx = sdb->common.mctx;
-
-	if (imp->methods->destroy != NULL) {
-		MAYBE_LOCK(sdb);
-		imp->methods->destroy(sdb->zone, imp->driverdata,
-				      &sdb->dbdata);
-		MAYBE_UNLOCK(sdb);
-	}
-
-	isc_mem_free(mctx, sdb->zone);
-	DESTROYLOCK(&sdb->lock);
-
-	sdb->common.magic = 0;
-	sdb->common.impmagic = 0;
-
-	dns_name_free(&sdb->common.origin, mctx);
-
-	isc_mem_put(mctx, sdb, sizeof(dns_sdb_t));
-	isc_mem_detach(&mctx);
-}
-
-static void
-detach(dns_db_t **dbp) {
-	dns_sdb_t *sdb = (dns_sdb_t *)(*dbp);
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(VALID_SDB(sdb));
-	LOCK(&sdb->lock);
-	REQUIRE(sdb->references > 0);
-	sdb->references--;
-	if (sdb->references == 0)
-		need_destroy = ISC_TRUE;
-	UNLOCK(&sdb->lock);
-
-	if (need_destroy)
-		destroy(sdb);
-
-	*dbp = NULL;
-}
-
-static isc_result_t
-beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
-	UNUSED(db);
-	UNUSED(addp);
-	UNUSED(dbloadp);
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-endload(dns_db_t *db, dns_dbload_t **dbloadp) {
-	UNUSED(db);
-	UNUSED(dbloadp);
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
-     dns_masterformat_t masterformat) {
-	UNUSED(db);
-	UNUSED(version);
-	UNUSED(filename);
-	UNUSED(masterformat);
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static void
-currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
-	REQUIRE(versionp != NULL && *versionp == NULL);
-
-	UNUSED(db);
-
-	*versionp = (void *) &dummy;
-	return;
-}
-
-static isc_result_t
-newversion(dns_db_t *db, dns_dbversion_t **versionp) {
-	UNUSED(db);
-	UNUSED(versionp);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static void
-attachversion(dns_db_t *db, dns_dbversion_t *source,
-	      dns_dbversion_t **targetp)
-{
-	REQUIRE(source != NULL && source == (void *) &dummy);
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	UNUSED(db);
-	*targetp = source;
-	return;
-}
-
-static void
-closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
-	REQUIRE(versionp != NULL && *versionp == (void *) &dummy);
-	REQUIRE(commit == ISC_FALSE);
-
-	UNUSED(db);
-	UNUSED(commit);
-
-	*versionp = NULL;
-}
-
-static isc_result_t
-createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep) {
-	dns_sdbnode_t *node;
-	isc_result_t result;
-
-	node = isc_mem_get(sdb->common.mctx, sizeof(dns_sdbnode_t));
-	if (node == NULL)
-		return (ISC_R_NOMEMORY);
-
-	node->sdb = NULL;
-	attach((dns_db_t *)sdb, (dns_db_t **)&node->sdb);
-	ISC_LIST_INIT(node->lists);
-	ISC_LIST_INIT(node->buffers);
-	ISC_LINK_INIT(node, link);
-	node->name = NULL;
-	result = isc_mutex_init(&node->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(sdb->common.mctx, node, sizeof(dns_sdbnode_t));
-		return (result);
-	}
-	dns_rdatacallbacks_init(&node->callbacks);
-	node->references = 1;
-	node->magic = SDBLOOKUP_MAGIC;
-
-	*nodep = node;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-destroynode(dns_sdbnode_t *node) {
-	dns_rdatalist_t *list;
-	dns_rdata_t *rdata;
-	isc_buffer_t *b;
-	dns_sdb_t *sdb;
-	isc_mem_t *mctx;
-
-	sdb = node->sdb;
-	mctx = sdb->common.mctx;
-
-	while (!ISC_LIST_EMPTY(node->lists)) {
-		list = ISC_LIST_HEAD(node->lists);
-		while (!ISC_LIST_EMPTY(list->rdata)) {
-			rdata = ISC_LIST_HEAD(list->rdata);
-			ISC_LIST_UNLINK(list->rdata, rdata, link);
-			isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
-		}
-		ISC_LIST_UNLINK(node->lists, list, link);
-		isc_mem_put(mctx, list, sizeof(dns_rdatalist_t));
-	}
-
-	while (!ISC_LIST_EMPTY(node->buffers)) {
-		b = ISC_LIST_HEAD(node->buffers);
-		ISC_LIST_UNLINK(node->buffers, b, link);
-		isc_buffer_free(&b);
-	}
-
-	if (node->name != NULL) {
-		dns_name_free(node->name, mctx);
-		isc_mem_put(mctx, node->name, sizeof(dns_name_t));
-	}
-	DESTROYLOCK(&node->lock);
-	node->magic = 0;
-	isc_mem_put(mctx, node, sizeof(dns_sdbnode_t));
-	detach((dns_db_t **) (void *)&sdb);
-}
-
-static isc_result_t
-findnodeext(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
-	    dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
-	    dns_dbnode_t **nodep)
-{
-	dns_sdb_t *sdb = (dns_sdb_t *)db;
-	dns_sdbnode_t *node = NULL;
-	isc_result_t result;
-	isc_buffer_t b;
-	char namestr[DNS_NAME_MAXTEXT + 1];
-	isc_boolean_t isorigin;
-	dns_sdbimplementation_t *imp;
-	dns_name_t relname;
-	unsigned int labels;
-
-	REQUIRE(VALID_SDB(sdb));
-	REQUIRE(create == ISC_FALSE);
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	UNUSED(name);
-	UNUSED(create);
-
-	imp = sdb->implementation;
-
-	isorigin = dns_name_equal(name, &sdb->common.origin);
-
-	if (imp->methods->lookup2 != NULL) {
-		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
-			labels = dns_name_countlabels(name) -
-				 dns_name_countlabels(&db->origin);
-			dns_name_init(&relname, NULL);
-			dns_name_getlabelsequence(name, 0, labels, &relname);
-			name = &relname;
-		}
-	} else {
-		isc_buffer_init(&b, namestr, sizeof(namestr));
-		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
-
-			labels = dns_name_countlabels(name) -
-				 dns_name_countlabels(&db->origin);
-			dns_name_init(&relname, NULL);
-			dns_name_getlabelsequence(name, 0, labels, &relname);
-			result = dns_name_totext(&relname, ISC_TRUE, &b);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		} else {
-			result = dns_name_totext(name, ISC_TRUE, &b);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		}
-		isc_buffer_putuint8(&b, 0);
-	}
-
-	result = createnode(sdb, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	MAYBE_LOCK(sdb);
-	if (imp->methods->lookup2 != NULL)
-		result = imp->methods->lookup2(&sdb->common.origin, name,
-					       sdb->dbdata, node, methods,
-					       clientinfo);
-	else
-		result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata,
-					      node, methods, clientinfo);
-	MAYBE_UNLOCK(sdb);
-	if (result != ISC_R_SUCCESS &&
-	    !(result == ISC_R_NOTFOUND &&
-	      isorigin && imp->methods->authority != NULL))
-	{
-		destroynode(node);
-		return (result);
-	}
-
-	if (isorigin && imp->methods->authority != NULL) {
-		MAYBE_LOCK(sdb);
-		result = imp->methods->authority(sdb->zone, sdb->dbdata, node);
-		MAYBE_UNLOCK(sdb);
-		if (result != ISC_R_SUCCESS) {
-			destroynode(node);
-			return (result);
-		}
-	}
-
-	*nodep = node;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-	dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-	dns_dbnode_t **nodep, dns_name_t *foundname,
-	dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
-	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_sdb_t *sdb = (dns_sdb_t *)db;
-	dns_dbnode_t *node = NULL;
-	dns_fixedname_t fname;
-	dns_rdataset_t xrdataset;
-	dns_name_t *xname;
-	unsigned int nlabels, olabels;
-	isc_result_t result;
-	unsigned int i;
-	unsigned int flags;
-
-	REQUIRE(VALID_SDB(sdb));
-	REQUIRE(nodep == NULL || *nodep == NULL);
-	REQUIRE(version == NULL || version == (void *) &dummy);
-
-	UNUSED(options);
-
-	if (!dns_name_issubdomain(name, &db->origin))
-		return (DNS_R_NXDOMAIN);
-
-	olabels = dns_name_countlabels(&db->origin);
-	nlabels = dns_name_countlabels(name);
-
-	dns_fixedname_init(&fname);
-	xname = dns_fixedname_name(&fname);
-
-	if (rdataset == NULL) {
-		dns_rdataset_init(&xrdataset);
-		rdataset = &xrdataset;
-	}
-
-	result = DNS_R_NXDOMAIN;
-	flags = sdb->implementation->flags;
-	i = (flags & DNS_SDBFLAG_DNS64) != 0 ? nlabels : olabels;
-	for (; i <= nlabels; i++) {
-		/*
-		 * Look up the next label.
-		 */
-		dns_name_getlabelsequence(name, nlabels - i, i, xname);
-		result = findnodeext(db, xname, ISC_FALSE, methods,
-				     clientinfo, &node);
-		if (result == ISC_R_NOTFOUND) {
-			/*
-			 * No data at zone apex?
-			 */
-			if (i == olabels)
-				return (DNS_R_BADDB);
-			result = DNS_R_NXDOMAIN;
-			continue;
-		}
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		/*
-		 * DNS64 zone's don't have DNAME or NS records.
-		 */
-		if ((flags & DNS_SDBFLAG_DNS64) != 0)
-			goto skip;
-
-		/*
-		 * DNS64 zone's don't have DNAME or NS records.
-		 */
-		if ((flags & DNS_SDBFLAG_DNS64) != 0)
-			goto skip;
-
-		/*
-		 * Look for a DNAME at the current label, unless this is
-		 * the qname.
-		 */
-		if (i < nlabels) {
-			result = findrdataset(db, node, version,
-					      dns_rdatatype_dname,
-					      0, now, rdataset, sigrdataset);
-			if (result == ISC_R_SUCCESS) {
-				result = DNS_R_DNAME;
-				break;
-			}
-		}
-
-		/*
-		 * Look for an NS at the current label, unless this is the
-		 * origin or glue is ok.
-		 */
-		if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) {
-			result = findrdataset(db, node, version,
-					      dns_rdatatype_ns,
-					      0, now, rdataset, sigrdataset);
-			if (result == ISC_R_SUCCESS) {
-				if (i == nlabels && type == dns_rdatatype_any)
-				{
-					result = DNS_R_ZONECUT;
-					dns_rdataset_disassociate(rdataset);
-					if (sigrdataset != NULL &&
-					    dns_rdataset_isassociated
-							(sigrdataset)) {
-						dns_rdataset_disassociate
-								(sigrdataset);
-					}
-				} else
-					result = DNS_R_DELEGATION;
-				break;
-			}
-		}
-
-		/*
-		 * If the current name is not the qname, add another label
-		 * and try again.
-		 */
-		if (i < nlabels) {
-			destroynode(node);
-			node = NULL;
-			continue;
-		}
-
- skip:
-		/*
-		 * If we're looking for ANY, we're done.
-		 */
-		if (type == dns_rdatatype_any) {
-			result = ISC_R_SUCCESS;
-			break;
-		}
-
-		/*
-		 * Look for the qtype.
-		 */
-		result = findrdataset(db, node, version, type,
-				      0, now, rdataset, sigrdataset);
-		if (result == ISC_R_SUCCESS)
-			break;
-
-		/*
-		 * Look for a CNAME
-		 */
-		if (type != dns_rdatatype_cname) {
-			result = findrdataset(db, node, version,
-					      dns_rdatatype_cname,
-					      0, now, rdataset, sigrdataset);
-			if (result == ISC_R_SUCCESS) {
-				result = DNS_R_CNAME;
-				break;
-			}
-		}
-
-		result = DNS_R_NXRRSET;
-		break;
-	}
-
-	if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset))
-		dns_rdataset_disassociate(rdataset);
-
-	if (foundname != NULL) {
-		isc_result_t xresult;
-
-		xresult = dns_name_copy(xname, foundname, NULL);
-		if (xresult != ISC_R_SUCCESS) {
-			if (node != NULL)
-				destroynode(node);
-			if (dns_rdataset_isassociated(rdataset))
-				dns_rdataset_disassociate(rdataset);
-			return (DNS_R_BADDB);
-		}
-	}
-
-	if (nodep != NULL)
-		*nodep = node;
-	else if (node != NULL)
-		detachnode(db, &node);
-
-	return (result);
-}
-
-static isc_result_t
-findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
-	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
-	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	UNUSED(db);
-	UNUSED(name);
-	UNUSED(options);
-	UNUSED(now);
-	UNUSED(nodep);
-	UNUSED(foundname);
-	UNUSED(rdataset);
-	UNUSED(sigrdataset);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static void
-attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
-	dns_sdb_t *sdb = (dns_sdb_t *)db;
-	dns_sdbnode_t *node = (dns_sdbnode_t *)source;
-
-	REQUIRE(VALID_SDB(sdb));
-
-	UNUSED(sdb);
-
-	LOCK(&node->lock);
-	INSIST(node->references > 0);
-	node->references++;
-	INSIST(node->references != 0);		/* Catch overflow. */
-	UNLOCK(&node->lock);
-
-	*targetp = source;
-}
-
-static void
-detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
-	dns_sdb_t *sdb = (dns_sdb_t *)db;
-	dns_sdbnode_t *node;
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(VALID_SDB(sdb));
-	REQUIRE(targetp != NULL && *targetp != NULL);
-
-	UNUSED(sdb);
-
-	node = (dns_sdbnode_t *)(*targetp);
-
-	LOCK(&node->lock);
-	INSIST(node->references > 0);
-	node->references--;
-	if (node->references == 0)
-		need_destroy = ISC_TRUE;
-	UNLOCK(&node->lock);
-
-	if (need_destroy)
-		destroynode(node);
-
-	*targetp = NULL;
-}
-
-static isc_result_t
-expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
-	UNUSED(db);
-	UNUSED(node);
-	UNUSED(now);
-	INSIST(0);
-	return (ISC_R_UNEXPECTED);
-}
-
-static void
-printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
-	UNUSED(db);
-	UNUSED(node);
-	UNUSED(out);
-	return;
-}
-
-static isc_result_t
-createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
-{
-	dns_sdb_t *sdb = (dns_sdb_t *)db;
-	sdb_dbiterator_t *sdbiter;
-	dns_sdbimplementation_t *imp = sdb->implementation;
-	isc_result_t result;
-
-	REQUIRE(VALID_SDB(sdb));
-
-	if (imp->methods->allnodes == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	if ((options & DNS_DB_NSEC3ONLY) != 0 ||
-	    (options & DNS_DB_NONSEC3) != 0)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	sdbiter = isc_mem_get(sdb->common.mctx, sizeof(sdb_dbiterator_t));
-	if (sdbiter == NULL)
-		return (ISC_R_NOMEMORY);
-
-	sdbiter->common.methods = &dbiterator_methods;
-	sdbiter->common.db = NULL;
-	dns_db_attach(db, &sdbiter->common.db);
-	sdbiter->common.relative_names = ISC_TF(options & DNS_DB_RELATIVENAMES);
-	sdbiter->common.magic = DNS_DBITERATOR_MAGIC;
-	ISC_LIST_INIT(sdbiter->nodelist);
-	sdbiter->current = NULL;
-	sdbiter->origin = NULL;
-
-	MAYBE_LOCK(sdb);
-	result = imp->methods->allnodes(sdb->zone, sdb->dbdata, sdbiter);
-	MAYBE_UNLOCK(sdb);
-	if (result != ISC_R_SUCCESS) {
-		dbiterator_destroy((dns_dbiterator_t **) (void *)&sdbiter);
-		return (result);
-	}
-
-	if (sdbiter->origin != NULL) {
-		ISC_LIST_UNLINK(sdbiter->nodelist, sdbiter->origin, link);
-		ISC_LIST_PREPEND(sdbiter->nodelist, sdbiter->origin, link);
-	}
-
-	*iteratorp = (dns_dbiterator_t *)sdbiter;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	     dns_rdatatype_t type, dns_rdatatype_t covers,
-	     isc_stdtime_t now, dns_rdataset_t *rdataset,
-	     dns_rdataset_t *sigrdataset)
-{
-	dns_rdatalist_t *list;
-	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)node;
-
-	REQUIRE(VALID_SDBNODE(node));
-
-	UNUSED(db);
-	UNUSED(version);
-	UNUSED(covers);
-	UNUSED(now);
-	UNUSED(sigrdataset);
-
-	if (type == dns_rdatatype_rrsig)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	list = ISC_LIST_HEAD(sdbnode->lists);
-	while (list != NULL) {
-		if (list->type == type)
-			break;
-		list = ISC_LIST_NEXT(list, link);
-	}
-	if (list == NULL)
-		return (ISC_R_NOTFOUND);
-
-	list_tordataset(list, db, node, rdataset);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
-{
-	sdb_rdatasetiter_t *iterator;
-
-	REQUIRE(version == NULL || version == &dummy);
-
-	UNUSED(version);
-	UNUSED(now);
-
-	iterator = isc_mem_get(db->mctx, sizeof(sdb_rdatasetiter_t));
-	if (iterator == NULL)
-		return (ISC_R_NOMEMORY);
-
-	iterator->common.magic = DNS_RDATASETITER_MAGIC;
-	iterator->common.methods = &rdatasetiter_methods;
-	iterator->common.db = db;
-	iterator->common.node = NULL;
-	attachnode(db, node, &iterator->common.node);
-	iterator->common.version = version;
-	iterator->common.now = now;
-
-	*iteratorp = (dns_rdatasetiter_t *)iterator;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
-	    dns_rdataset_t *addedrdataset)
-{
-	UNUSED(db);
-	UNUSED(node);
-	UNUSED(version);
-	UNUSED(now);
-	UNUSED(rdataset);
-	UNUSED(options);
-	UNUSED(addedrdataset);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		 dns_rdataset_t *rdataset, unsigned int options,
-		 dns_rdataset_t *newrdataset)
-{
-	UNUSED(db);
-	UNUSED(node);
-	UNUSED(version);
-	UNUSED(rdataset);
-	UNUSED(options);
-	UNUSED(newrdataset);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	       dns_rdatatype_t type, dns_rdatatype_t covers)
-{
-	UNUSED(db);
-	UNUSED(node);
-	UNUSED(version);
-	UNUSED(type);
-	UNUSED(covers);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_boolean_t
-issecure(dns_db_t *db) {
-	UNUSED(db);
-
-	return (ISC_FALSE);
-}
-
-static unsigned int
-nodecount(dns_db_t *db) {
-	UNUSED(db);
-
-	return (0);
-}
-
-static isc_boolean_t
-ispersistent(dns_db_t *db) {
-	UNUSED(db);
-	return (ISC_TRUE);
-}
-
-static void
-overmem(dns_db_t *db, isc_boolean_t overmem) {
-	UNUSED(db);
-	UNUSED(overmem);
-}
-
-static void
-settask(dns_db_t *db, isc_task_t *task) {
-	UNUSED(db);
-	UNUSED(task);
-}
-
-
-static dns_dbmethods_t sdb_methods = {
-	attach,
-	detach,
-	beginload,
-	endload,
-	dump,
-	currentversion,
-	newversion,
-	attachversion,
-	closeversion,
-	NULL,
-	NULL,
-	findzonecut,
-	attachnode,
-	detachnode,
-	expirenode,
-	printnode,
-	createiterator,
-	findrdataset,
-	allrdatasets,
-	addrdataset,
-	subtractrdataset,
-	deleterdataset,
-	issecure,
-	nodecount,
-	ispersistent,
-	overmem,
-	settask,
-	NULL,			/* getoriginnode */
-	NULL,			/* transfernode */
-	NULL,			/* getnsec3parameters */
-	NULL,			/* findnsec3node */
-	NULL,			/* setsigningtime */
-	NULL,			/* getsigningtime */
-	NULL,			/* resigned */
-	NULL,			/* isdnssec */
-	NULL,			/* getrrsetstats */
-	NULL,			/* rpz_enabled */
-	NULL,			/* rpz_findips */
-	findnodeext,
-	findext
-};
-
-static isc_result_t
-dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
-	       dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
-	       void *driverarg, dns_db_t **dbp)
-{
-	dns_sdb_t *sdb;
-	isc_result_t result;
-	char zonestr[DNS_NAME_MAXTEXT + 1];
-	isc_buffer_t b;
-	dns_sdbimplementation_t *imp;
-
-	REQUIRE(driverarg != NULL);
-
-	imp = driverarg;
-
-	if (type != dns_dbtype_zone)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	sdb = isc_mem_get(mctx, sizeof(dns_sdb_t));
-	if (sdb == NULL)
-		return (ISC_R_NOMEMORY);
-	memset(sdb, 0, sizeof(dns_sdb_t));
-
-	dns_name_init(&sdb->common.origin, NULL);
-	sdb->common.attributes = 0;
-	sdb->common.methods = &sdb_methods;
-	sdb->common.rdclass = rdclass;
-	sdb->common.mctx = NULL;
-	sdb->implementation = imp;
-
-	isc_mem_attach(mctx, &sdb->common.mctx);
-
-	result = isc_mutex_init(&sdb->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mctx;
-
-	result = dns_name_dupwithoffsets(origin, mctx, &sdb->common.origin);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-
-	isc_buffer_init(&b, zonestr, sizeof(zonestr));
-	result = dns_name_totext(origin, ISC_TRUE, &b);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_origin;
-	isc_buffer_putuint8(&b, 0);
-
-	sdb->zone = isc_mem_strdup(mctx, zonestr);
-	if (sdb->zone == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_origin;
-	}
-
-	sdb->dbdata = NULL;
-	if (imp->methods->create != NULL) {
-		MAYBE_LOCK(sdb);
-		result = imp->methods->create(sdb->zone, argc, argv,
-					      imp->driverdata, &sdb->dbdata);
-		MAYBE_UNLOCK(sdb);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_zonestr;
-	}
-
-	sdb->references = 1;
-
-	sdb->common.magic = DNS_DB_MAGIC;
-	sdb->common.impmagic = SDB_MAGIC;
-
-	*dbp = (dns_db_t *)sdb;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_zonestr:
-	isc_mem_free(mctx, sdb->zone);
- cleanup_origin:
-	dns_name_free(&sdb->common.origin, mctx);
- cleanup_lock:
-	(void)isc_mutex_destroy(&sdb->lock);
- cleanup_mctx:
-	isc_mem_put(mctx, sdb, sizeof(dns_sdb_t));
-	isc_mem_detach(&mctx);
-
-	return (result);
-}
-
-
-/*
- * Rdataset Methods
- */
-
-static void
-disassociate(dns_rdataset_t *rdataset) {
-	dns_dbnode_t *node = rdataset->private5;
-	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node;
-	dns_db_t *db = (dns_db_t *) sdbnode->sdb;
-
-	detachnode(db, &node);
-	isc__rdatalist_disassociate(rdataset);
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-	dns_dbnode_t *node = source->private5;
-	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node;
-	dns_db_t *db = (dns_db_t *) sdbnode->sdb;
-	dns_dbnode_t *tempdb = NULL;
-
-	isc__rdatalist_clone(source, target);
-	attachnode(db, node, &tempdb);
-	source->private5 = tempdb;
-}
-
-static dns_rdatasetmethods_t methods = {
-	disassociate,
-	isc__rdatalist_first,
-	isc__rdatalist_next,
-	isc__rdatalist_current,
-	rdataset_clone,
-	isc__rdatalist_count,
-	isc__rdatalist_addnoqname,
-	isc__rdatalist_getnoqname,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL
-};
-
-static void
-list_tordataset(dns_rdatalist_t *rdatalist,
-		dns_db_t *db, dns_dbnode_t *node,
-		dns_rdataset_t *rdataset)
-{
-	/*
-	 * The sdb rdataset is an rdatalist with some additions.
-	 *	- private1 & private2 are used by the rdatalist.
-	 *	- private3 & private 4 are unused.
-	 *	- private5 is the node.
-	 */
-
-	/* This should never fail. */
-	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
-		      ISC_R_SUCCESS);
-
-	rdataset->methods = &methods;
-	dns_db_attachnode(db, node, &rdataset->private5);
-}
-
-/*
- * Database Iterator Methods
- */
-static void
-dbiterator_destroy(dns_dbiterator_t **iteratorp) {
-	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)(*iteratorp);
-	dns_sdb_t *sdb = (dns_sdb_t *)sdbiter->common.db;
-
-	while (!ISC_LIST_EMPTY(sdbiter->nodelist)) {
-		dns_sdbnode_t *node;
-		node = ISC_LIST_HEAD(sdbiter->nodelist);
-		ISC_LIST_UNLINK(sdbiter->nodelist, node, link);
-		destroynode(node);
-	}
-
-	dns_db_detach(&sdbiter->common.db);
-	isc_mem_put(sdb->common.mctx, sdbiter, sizeof(sdb_dbiterator_t));
-
-	*iteratorp = NULL;
-}
-
-static isc_result_t
-dbiterator_first(dns_dbiterator_t *iterator) {
-	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
-	sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
-	if (sdbiter->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_last(dns_dbiterator_t *iterator) {
-	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
-	sdbiter->current = ISC_LIST_TAIL(sdbiter->nodelist);
-	if (sdbiter->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
-	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
-	sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
-	while (sdbiter->current != NULL) {
-		if (dns_name_equal(sdbiter->current->name, name))
-			return (ISC_R_SUCCESS);
-		sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link);
-	}
-	return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-dbiterator_prev(dns_dbiterator_t *iterator) {
-	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
-	sdbiter->current = ISC_LIST_PREV(sdbiter->current, link);
-	if (sdbiter->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_next(dns_dbiterator_t *iterator) {
-	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
-	sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link);
-	if (sdbiter->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
-		   dns_name_t *name)
-{
-	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
-	attachnode(iterator->db, sdbiter->current, nodep);
-	if (name != NULL)
-		return (dns_name_copy(sdbiter->current->name, name, NULL));
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_pause(dns_dbiterator_t *iterator) {
-	UNUSED(iterator);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
-	UNUSED(iterator);
-	return (dns_name_copy(dns_rootname, name, NULL));
-}
-
-/*
- * Rdataset Iterator Methods
- */
-
-static void
-rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
-	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)(*iteratorp);
-	detachnode(sdbiterator->common.db, &sdbiterator->common.node);
-	isc_mem_put(sdbiterator->common.db->mctx, sdbiterator,
-		    sizeof(sdb_rdatasetiter_t));
-	*iteratorp = NULL;
-}
-
-static isc_result_t
-rdatasetiter_first(dns_rdatasetiter_t *iterator) {
-	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
-	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)iterator->node;
-
-	if (ISC_LIST_EMPTY(sdbnode->lists))
-		return (ISC_R_NOMORE);
-	sdbiterator->current = ISC_LIST_HEAD(sdbnode->lists);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdatasetiter_next(dns_rdatasetiter_t *iterator) {
-	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
-
-	sdbiterator->current = ISC_LIST_NEXT(sdbiterator->current, link);
-	if (sdbiterator->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static void
-rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
-	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
-
-	list_tordataset(sdbiterator->current, iterator->db, iterator->node,
-			rdataset);
-}
diff --git a/contrib/bind9/lib/dns/sdlz.c b/contrib/bind9/lib/dns/sdlz.c
deleted file mode 100644
index 9d4e615..0000000
--- a/contrib/bind9/lib/dns/sdlz.c
+++ /dev/null
@@ -1,2103 +0,0 @@
-/*
- * Portions Copyright (C) 2005-2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the
- * above copyright notice and this permission notice appear in all
- * copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
- * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
- * USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
- * conceived and contributed by Rob Butler.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the
- * above copyright notice and this permission notice appear in all
- * copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
- * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
- * USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/lex.h>
-#include <isc/log.h>
-#include <isc/rwlock.h>
-#include <isc/string.h>
-#include <isc/util.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/region.h>
-
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/dlz.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/master.h>
-#include <dns/sdlz.h>
-#include <dns/types.h>
-
-#include "rdatalist_p.h"
-
-/*
- * Private Types
- */
-
-struct dns_sdlzimplementation {
-	const dns_sdlzmethods_t		*methods;
-	isc_mem_t			*mctx;
-	void				*driverarg;
-	unsigned int			flags;
-	isc_mutex_t			driverlock;
-	dns_dlzimplementation_t		*dlz_imp;
-};
-
-struct dns_sdlz_db {
-	/* Unlocked */
-	dns_db_t			common;
-	void				*dbdata;
-	dns_sdlzimplementation_t	*dlzimp;
-	isc_mutex_t			refcnt_lock;
-	/* Locked */
-	unsigned int			references;
-	dns_dbversion_t			*future_version;
-	int				dummy_version;
-};
-
-struct dns_sdlzlookup {
-	/* Unlocked */
-	unsigned int			magic;
-	dns_sdlz_db_t			*sdlz;
-	ISC_LIST(dns_rdatalist_t)	lists;
-	ISC_LIST(isc_buffer_t)		buffers;
-	dns_name_t			*name;
-	ISC_LINK(dns_sdlzlookup_t)	link;
-	isc_mutex_t			lock;
-	dns_rdatacallbacks_t		callbacks;
-	/* Locked */
-	unsigned int			references;
-};
-
-typedef struct dns_sdlzlookup dns_sdlznode_t;
-
-struct dns_sdlzallnodes {
-	dns_dbiterator_t		common;
-	ISC_LIST(dns_sdlznode_t)	nodelist;
-	dns_sdlznode_t			*current;
-	dns_sdlznode_t			*origin;
-};
-
-typedef dns_sdlzallnodes_t sdlz_dbiterator_t;
-
-typedef struct sdlz_rdatasetiter {
-	dns_rdatasetiter_t		common;
-	dns_rdatalist_t			*current;
-} sdlz_rdatasetiter_t;
-
-
-#define SDLZDB_MAGIC		ISC_MAGIC('D', 'L', 'Z', 'S')
-
-/*
- * Note that "impmagic" is not the first four bytes of the struct, so
- * ISC_MAGIC_VALID cannot be used.
- */
-
-#define VALID_SDLZDB(sdlzdb)	((sdlzdb) != NULL && \
-				 (sdlzdb)->common.impmagic == SDLZDB_MAGIC)
-
-#define SDLZLOOKUP_MAGIC	ISC_MAGIC('D','L','Z','L')
-#define VALID_SDLZLOOKUP(sdlzl)	ISC_MAGIC_VALID(sdlzl, SDLZLOOKUP_MAGIC)
-#define VALID_SDLZNODE(sdlzn)	VALID_SDLZLOOKUP(sdlzn)
-
-/* These values are taken from RFC 1537 */
-#define SDLZ_DEFAULT_REFRESH	(60 * 60 * 8)
-#define SDLZ_DEFAULT_RETRY	(60 * 60 * 2)
-#define SDLZ_DEFAULT_EXPIRE	(60 * 60 * 24 * 7)
-#define SDLZ_DEFAULT_MINIMUM	(60 * 60 * 24)
-
-/* This is a reasonable value */
-#define SDLZ_DEFAULT_TTL	(60 * 60 * 24)
-
-#ifdef __COVERITY__
-#define MAYBE_LOCK(imp) LOCK(&imp->driverlock)
-#define MAYBE_UNLOCK(imp) UNLOCK(&imp->driverlock)
-#else
-#define MAYBE_LOCK(imp) \
-	do { \
-		unsigned int flags = imp->flags; \
-		if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \
-			LOCK(&imp->driverlock); \
-	} while (0)
-
-#define MAYBE_UNLOCK(imp) \
-	do { \
-		unsigned int flags = imp->flags; \
-		if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \
-			UNLOCK(&imp->driverlock); \
-	} while (0)
-#endif
-
-/*
- * Forward references.  Try to keep these to a minimum.
- */
-
-static void list_tordataset(dns_rdatalist_t *rdatalist,
-			    dns_db_t *db, dns_dbnode_t *node,
-			    dns_rdataset_t *rdataset);
-
-static void detachnode(dns_db_t *db, dns_dbnode_t **targetp);
-
-static void		dbiterator_destroy(dns_dbiterator_t **iteratorp);
-static isc_result_t	dbiterator_first(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_last(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_seek(dns_dbiterator_t *iterator,
-					dns_name_t *name);
-static isc_result_t	dbiterator_prev(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_next(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_current(dns_dbiterator_t *iterator,
-					   dns_dbnode_t **nodep,
-					   dns_name_t *name);
-static isc_result_t	dbiterator_pause(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_origin(dns_dbiterator_t *iterator,
-					  dns_name_t *name);
-
-static dns_dbiteratormethods_t dbiterator_methods = {
-	dbiterator_destroy,
-	dbiterator_first,
-	dbiterator_last,
-	dbiterator_seek,
-	dbiterator_prev,
-	dbiterator_next,
-	dbiterator_current,
-	dbiterator_pause,
-	dbiterator_origin
-};
-
-/*
- * Utility functions
- */
-
-/*
- * Log a message at the given level
- */
-static void
-sdlz_log(int level, const char *fmt, ...) {
-	va_list ap;
-	va_start(ap, fmt);
-	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-		       DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(level),
-		       fmt, ap);
-	va_end(ap);
-}
-
-/*% Converts the input string to lowercase, in place. */
-static void
-dns_sdlz_tolower(char *str) {
-	unsigned int len = strlen(str);
-	unsigned int i;
-
-	for (i = 0; i < len; i++) {
-		if (str[i] >= 'A' && str[i] <= 'Z')
-			str[i] += 32;
-	}
-}
-
-static inline unsigned int
-initial_size(const char *data) {
-	unsigned int len = (strlen(data) / 64) + 1;
-	return (len * 64 + 64);
-}
-
-/*
- * Rdataset Iterator Methods. These methods were "borrowed" from the SDB
- * driver interface.  See the SDB driver interface documentation for more info.
- */
-
-static void
-rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
-	sdlz_rdatasetiter_t *sdlziterator =
-		(sdlz_rdatasetiter_t *)(*iteratorp);
-
-	detachnode(sdlziterator->common.db, &sdlziterator->common.node);
-	isc_mem_put(sdlziterator->common.db->mctx, sdlziterator,
-		    sizeof(sdlz_rdatasetiter_t));
-	*iteratorp = NULL;
-}
-
-static isc_result_t
-rdatasetiter_first(dns_rdatasetiter_t *iterator) {
-	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
-	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)iterator->node;
-
-	if (ISC_LIST_EMPTY(sdlznode->lists))
-		return (ISC_R_NOMORE);
-	sdlziterator->current = ISC_LIST_HEAD(sdlznode->lists);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdatasetiter_next(dns_rdatasetiter_t *iterator) {
-	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
-
-	sdlziterator->current = ISC_LIST_NEXT(sdlziterator->current, link);
-	if (sdlziterator->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static void
-rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
-	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
-
-	list_tordataset(sdlziterator->current, iterator->db, iterator->node,
-			rdataset);
-}
-
-static dns_rdatasetitermethods_t rdatasetiter_methods = {
-	rdatasetiter_destroy,
-	rdatasetiter_first,
-	rdatasetiter_next,
-	rdatasetiter_current
-};
-
-/*
- * DB routines. These methods were "borrowed" from the SDB driver interface.
- * See the SDB driver interface documentation for more info.
- */
-
-static void
-attach(dns_db_t *source, dns_db_t **targetp) {
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *) source;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-
-	LOCK(&sdlz->refcnt_lock);
-	REQUIRE(sdlz->references > 0);
-	sdlz->references++;
-	UNLOCK(&sdlz->refcnt_lock);
-
-	*targetp = source;
-}
-
-static void
-destroy(dns_sdlz_db_t *sdlz) {
-	isc_mem_t *mctx;
-	mctx = sdlz->common.mctx;
-
-	sdlz->common.magic = 0;
-	sdlz->common.impmagic = 0;
-
-	(void)isc_mutex_destroy(&sdlz->refcnt_lock);
-
-	dns_name_free(&sdlz->common.origin, mctx);
-
-	isc_mem_put(mctx, sdlz, sizeof(dns_sdlz_db_t));
-	isc_mem_detach(&mctx);
-}
-
-static void
-detach(dns_db_t **dbp) {
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)(*dbp);
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-	LOCK(&sdlz->refcnt_lock);
-	REQUIRE(sdlz->references > 0);
-	sdlz->references--;
-	if (sdlz->references == 0)
-		need_destroy = ISC_TRUE;
-	UNLOCK(&sdlz->refcnt_lock);
-
-	if (need_destroy)
-		destroy(sdlz);
-
-	*dbp = NULL;
-}
-
-static isc_result_t
-beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
-	UNUSED(db);
-	UNUSED(addp);
-	UNUSED(dbloadp);
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-endload(dns_db_t *db, dns_dbload_t **dbloadp) {
-	UNUSED(db);
-	UNUSED(dbloadp);
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
-     dns_masterformat_t masterformat)
-{
-	UNUSED(db);
-	UNUSED(version);
-	UNUSED(filename);
-	UNUSED(masterformat);
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static void
-currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	REQUIRE(VALID_SDLZDB(sdlz));
-	REQUIRE(versionp != NULL && *versionp == NULL);
-
-	*versionp = (void *) &sdlz->dummy_version;
-	return;
-}
-
-static isc_result_t
-newversion(dns_db_t *db, dns_dbversion_t **versionp) {
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	char origin[DNS_NAME_MAXTEXT + 1];
-	isc_result_t result;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-
-	if (sdlz->dlzimp->methods->newversion == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	dns_name_format(&sdlz->common.origin, origin, sizeof(origin));
-
-	result = sdlz->dlzimp->methods->newversion(origin,
-						   sdlz->dlzimp->driverarg,
-						   sdlz->dbdata, versionp);
-	if (result != ISC_R_SUCCESS) {
-		sdlz_log(ISC_LOG_ERROR,
-			 "sdlz newversion on origin %s failed : %s",
-			 origin, isc_result_totext(result));
-		return (result);
-	}
-
-	sdlz->future_version = *versionp;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-attachversion(dns_db_t *db, dns_dbversion_t *source,
-	      dns_dbversion_t **targetp)
-{
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-	REQUIRE(source != NULL && source == (void *)&sdlz->dummy_version);
-
-	*targetp = source;
-}
-
-static void
-closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	char origin[DNS_NAME_MAXTEXT + 1];
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-	REQUIRE(versionp != NULL);
-
-	if (*versionp == (void *)&sdlz->dummy_version) {
-		*versionp = NULL;
-		return;
-	}
-
-	REQUIRE(*versionp == sdlz->future_version);
-	REQUIRE(sdlz->dlzimp->methods->closeversion != NULL);
-
-	dns_name_format(&sdlz->common.origin, origin, sizeof(origin));
-
-	sdlz->dlzimp->methods->closeversion(origin, commit,
-					    sdlz->dlzimp->driverarg,
-					    sdlz->dbdata, versionp);
-	if (*versionp != NULL)
-		sdlz_log(ISC_LOG_ERROR,
-			"sdlz closeversion on origin %s failed", origin);
-
-	sdlz->future_version = NULL;
-}
-
-static isc_result_t
-createnode(dns_sdlz_db_t *sdlz, dns_sdlznode_t **nodep) {
-	dns_sdlznode_t *node;
-	isc_result_t result;
-
-	node = isc_mem_get(sdlz->common.mctx, sizeof(dns_sdlznode_t));
-	if (node == NULL)
-		return (ISC_R_NOMEMORY);
-
-	node->sdlz = NULL;
-	attach((dns_db_t *)sdlz, (dns_db_t **)&node->sdlz);
-	ISC_LIST_INIT(node->lists);
-	ISC_LIST_INIT(node->buffers);
-	ISC_LINK_INIT(node, link);
-	node->name = NULL;
-	result = isc_mutex_init(&node->lock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		isc_mem_put(sdlz->common.mctx, node, sizeof(dns_sdlznode_t));
-		return (ISC_R_UNEXPECTED);
-	}
-	dns_rdatacallbacks_init(&node->callbacks);
-	node->references = 1;
-	node->magic = SDLZLOOKUP_MAGIC;
-
-	*nodep = node;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-destroynode(dns_sdlznode_t *node) {
-	dns_rdatalist_t *list;
-	dns_rdata_t *rdata;
-	isc_buffer_t *b;
-	dns_sdlz_db_t *sdlz;
-	dns_db_t *db;
-	isc_mem_t *mctx;
-
-	sdlz = node->sdlz;
-	mctx = sdlz->common.mctx;
-
-	while (!ISC_LIST_EMPTY(node->lists)) {
-		list = ISC_LIST_HEAD(node->lists);
-		while (!ISC_LIST_EMPTY(list->rdata)) {
-			rdata = ISC_LIST_HEAD(list->rdata);
-			ISC_LIST_UNLINK(list->rdata, rdata, link);
-			isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
-		}
-		ISC_LIST_UNLINK(node->lists, list, link);
-		isc_mem_put(mctx, list, sizeof(dns_rdatalist_t));
-	}
-
-	while (!ISC_LIST_EMPTY(node->buffers)) {
-		b = ISC_LIST_HEAD(node->buffers);
-		ISC_LIST_UNLINK(node->buffers, b, link);
-		isc_buffer_free(&b);
-	}
-
-	if (node->name != NULL) {
-		dns_name_free(node->name, mctx);
-		isc_mem_put(mctx, node->name, sizeof(dns_name_t));
-	}
-	DESTROYLOCK(&node->lock);
-	node->magic = 0;
-	isc_mem_put(mctx, node, sizeof(dns_sdlznode_t));
-	db = &sdlz->common;
-	detach(&db);
-}
-
-static isc_result_t
-findnodeext(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
-	    dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
-	    dns_dbnode_t **nodep)
-{
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	dns_sdlznode_t *node = NULL;
-	isc_result_t result;
-	isc_buffer_t b;
-	char namestr[DNS_NAME_MAXTEXT + 1];
-	isc_buffer_t b2;
-	char zonestr[DNS_NAME_MAXTEXT + 1];
-	isc_boolean_t isorigin;
-	dns_sdlzauthorityfunc_t authority;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-	REQUIRE(nodep != NULL && *nodep == NULL);
-
-	if (sdlz->dlzimp->methods->newversion == NULL) {
-		REQUIRE(create == ISC_FALSE);
-	}
-
-	isc_buffer_init(&b, namestr, sizeof(namestr));
-	if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVEOWNER) != 0) {
-		dns_name_t relname;
-		unsigned int labels;
-
-		labels = dns_name_countlabels(name) -
-			 dns_name_countlabels(&db->origin);
-		dns_name_init(&relname, NULL);
-		dns_name_getlabelsequence(name, 0, labels, &relname);
-		result = dns_name_totext(&relname, ISC_TRUE, &b);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} else {
-		result = dns_name_totext(name, ISC_TRUE, &b);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	isc_buffer_putuint8(&b, 0);
-
-	isc_buffer_init(&b2, zonestr, sizeof(zonestr));
-	result = dns_name_totext(&sdlz->common.origin, ISC_TRUE, &b2);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_putuint8(&b2, 0);
-
-	result = createnode(sdlz, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	isorigin = dns_name_equal(name, &sdlz->common.origin);
-
-	/* make sure strings are always lowercase */
-	dns_sdlz_tolower(zonestr);
-	dns_sdlz_tolower(namestr);
-
-	MAYBE_LOCK(sdlz->dlzimp);
-
-	/* try to lookup the host (namestr) */
-	result = sdlz->dlzimp->methods->lookup(zonestr, namestr,
-					       sdlz->dlzimp->driverarg,
-					       sdlz->dbdata, node,
-					       methods, clientinfo);
-
-	/*
-	 * if the host (namestr) was not found, try to lookup a
-	 * "wildcard" host.
-	 */
-	if (result != ISC_R_SUCCESS && !create)
-		result = sdlz->dlzimp->methods->lookup(zonestr, "*",
-						       sdlz->dlzimp->driverarg,
-						       sdlz->dbdata, node,
-						       methods, clientinfo);
-
-	MAYBE_UNLOCK(sdlz->dlzimp);
-
-	if (result != ISC_R_SUCCESS && !isorigin && !create) {
-		destroynode(node);
-		return (result);
-	}
-
-	if (isorigin && sdlz->dlzimp->methods->authority != NULL) {
-		MAYBE_LOCK(sdlz->dlzimp);
-		authority = sdlz->dlzimp->methods->authority;
-		result = (*authority)(zonestr, sdlz->dlzimp->driverarg,
-				      sdlz->dbdata, node);
-		MAYBE_UNLOCK(sdlz->dlzimp);
-		if (result != ISC_R_SUCCESS &&
-		    result != ISC_R_NOTIMPLEMENTED) {
-			destroynode(node);
-			return (result);
-		}
-	}
-
-	if (node->name == NULL) {
-		node->name = isc_mem_get(sdlz->common.mctx,
-					 sizeof(dns_name_t));
-		if (node->name == NULL) {
-			destroynode(node);
-			return (ISC_R_NOMEMORY);
-		}
-		dns_name_init(node->name, NULL);
-		result = dns_name_dup(name, sdlz->common.mctx, node->name);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(sdlz->common.mctx, node->name,
-				    sizeof(dns_name_t));
-			destroynode(node);
-			return (result);
-		}
-	}
-
-	*nodep = node;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
-	 dns_dbnode_t **nodep)
-{
-	return (findnodeext(db, name, create, NULL, NULL, nodep));
-}
-
-static isc_result_t
-findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
-	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
-	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	UNUSED(db);
-	UNUSED(name);
-	UNUSED(options);
-	UNUSED(now);
-	UNUSED(nodep);
-	UNUSED(foundname);
-	UNUSED(rdataset);
-	UNUSED(sigrdataset);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static void
-attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	dns_sdlznode_t *node = (dns_sdlznode_t *)source;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-
-	UNUSED(sdlz);
-
-	LOCK(&node->lock);
-	INSIST(node->references > 0);
-	node->references++;
-	INSIST(node->references != 0);		/* Catch overflow. */
-	UNLOCK(&node->lock);
-
-	*targetp = source;
-}
-
-static void
-detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	dns_sdlznode_t *node;
-	isc_boolean_t need_destroy = ISC_FALSE;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-	REQUIRE(targetp != NULL && *targetp != NULL);
-
-	UNUSED(sdlz);
-
-	node = (dns_sdlznode_t *)(*targetp);
-
-	LOCK(&node->lock);
-	INSIST(node->references > 0);
-	node->references--;
-	if (node->references == 0)
-		need_destroy = ISC_TRUE;
-	UNLOCK(&node->lock);
-
-	if (need_destroy)
-		destroynode(node);
-
-	*targetp = NULL;
-}
-
-static isc_result_t
-expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
-	UNUSED(db);
-	UNUSED(node);
-	UNUSED(now);
-	INSIST(0);
-	return (ISC_R_UNEXPECTED);
-}
-
-static void
-printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
-	UNUSED(db);
-	UNUSED(node);
-	UNUSED(out);
-	return;
-}
-
-static isc_result_t
-createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
-{
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	sdlz_dbiterator_t *sdlziter;
-	isc_result_t result;
-	isc_buffer_t b;
-	char zonestr[DNS_NAME_MAXTEXT + 1];
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-
-	if (sdlz->dlzimp->methods->allnodes == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	if ((options & DNS_DB_NSEC3ONLY) != 0 ||
-	    (options & DNS_DB_NONSEC3) != 0)
-		 return (ISC_R_NOTIMPLEMENTED);
-
-	isc_buffer_init(&b, zonestr, sizeof(zonestr));
-	result = dns_name_totext(&sdlz->common.origin, ISC_TRUE, &b);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_putuint8(&b, 0);
-
-	sdlziter = isc_mem_get(sdlz->common.mctx, sizeof(sdlz_dbiterator_t));
-	if (sdlziter == NULL)
-		return (ISC_R_NOMEMORY);
-
-	sdlziter->common.methods = &dbiterator_methods;
-	sdlziter->common.db = NULL;
-	dns_db_attach(db, &sdlziter->common.db);
-	sdlziter->common.relative_names = ISC_TF(options & DNS_DB_RELATIVENAMES);
-	sdlziter->common.magic = DNS_DBITERATOR_MAGIC;
-	ISC_LIST_INIT(sdlziter->nodelist);
-	sdlziter->current = NULL;
-	sdlziter->origin = NULL;
-
-	/* make sure strings are always lowercase */
-	dns_sdlz_tolower(zonestr);
-
-	MAYBE_LOCK(sdlz->dlzimp);
-	result = sdlz->dlzimp->methods->allnodes(zonestr,
-						 sdlz->dlzimp->driverarg,
-						 sdlz->dbdata, sdlziter);
-	MAYBE_UNLOCK(sdlz->dlzimp);
-	if (result != ISC_R_SUCCESS) {
-		dns_dbiterator_t *iter = &sdlziter->common;
-		dbiterator_destroy(&iter);
-		return (result);
-	}
-
-	if (sdlziter->origin != NULL) {
-		ISC_LIST_UNLINK(sdlziter->nodelist, sdlziter->origin, link);
-		ISC_LIST_PREPEND(sdlziter->nodelist, sdlziter->origin, link);
-	}
-
-	*iteratorp = (dns_dbiterator_t *)sdlziter;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	     dns_rdatatype_t type, dns_rdatatype_t covers,
-	     isc_stdtime_t now, dns_rdataset_t *rdataset,
-	     dns_rdataset_t *sigrdataset)
-{
-	dns_rdatalist_t *list;
-	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)node;
-
-	REQUIRE(VALID_SDLZNODE(node));
-
-	UNUSED(db);
-	UNUSED(version);
-	UNUSED(covers);
-	UNUSED(now);
-	UNUSED(sigrdataset);
-
-	if (type == dns_rdatatype_sig || type == dns_rdatatype_rrsig)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	list = ISC_LIST_HEAD(sdlznode->lists);
-	while (list != NULL) {
-		if (list->type == type)
-			break;
-		list = ISC_LIST_NEXT(list, link);
-	}
-	if (list == NULL)
-		return (ISC_R_NOTFOUND);
-
-	list_tordataset(list, db, node, rdataset);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-	dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-	dns_dbnode_t **nodep, dns_name_t *foundname,
-	dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
-	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	dns_dbnode_t *node = NULL;
-	dns_fixedname_t fname;
-	dns_rdataset_t xrdataset;
-	dns_name_t *xname;
-	unsigned int nlabels, olabels;
-	isc_result_t result;
-	unsigned int i;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-	REQUIRE(nodep == NULL || *nodep == NULL);
-	REQUIRE(version == NULL || version == (void*)&sdlz->dummy_version);
-
-	UNUSED(options);
-	UNUSED(sdlz);
-
-	if (!dns_name_issubdomain(name, &db->origin))
-		return (DNS_R_NXDOMAIN);
-
-	olabels = dns_name_countlabels(&db->origin);
-	nlabels = dns_name_countlabels(name);
-
-	dns_fixedname_init(&fname);
-	xname = dns_fixedname_name(&fname);
-
-	if (rdataset == NULL) {
-		dns_rdataset_init(&xrdataset);
-		rdataset = &xrdataset;
-	}
-
-	result = DNS_R_NXDOMAIN;
-
-	for (i = olabels; i <= nlabels; i++) {
-		/*
-		 * Look up the next label.
-		 */
-		dns_name_getlabelsequence(name, nlabels - i, i, xname);
-		result = findnodeext(db, xname, ISC_FALSE,
-				     methods, clientinfo, &node);
-		if (result != ISC_R_SUCCESS) {
-			result = DNS_R_NXDOMAIN;
-			continue;
-		}
-
-		/*
-		 * Look for a DNAME at the current label, unless this is
-		 * the qname.
-		 */
-		if (i < nlabels) {
-			result = findrdataset(db, node, version,
-					      dns_rdatatype_dname, 0, now,
-					      rdataset, sigrdataset);
-			if (result == ISC_R_SUCCESS) {
-				result = DNS_R_DNAME;
-				break;
-			}
-		}
-
-		/*
-		 * Look for an NS at the current label, unless this is the
-		 * origin or glue is ok.
-		 */
-		if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) {
-			result = findrdataset(db, node, version,
-					      dns_rdatatype_ns, 0, now,
-					      rdataset, sigrdataset);
-			if (result == ISC_R_SUCCESS) {
-				if (i == nlabels && type == dns_rdatatype_any)
-				{
-					result = DNS_R_ZONECUT;
-					dns_rdataset_disassociate(rdataset);
-					if (sigrdataset != NULL &&
-					    dns_rdataset_isassociated
-							(sigrdataset)) {
-						dns_rdataset_disassociate
-							(sigrdataset);
-					}
-				} else
-					result = DNS_R_DELEGATION;
-				break;
-			}
-		}
-
-		/*
-		 * If the current name is not the qname, add another label
-		 * and try again.
-		 */
-		if (i < nlabels) {
-			destroynode(node);
-			node = NULL;
-			continue;
-		}
-
-		/*
-		 * If we're looking for ANY, we're done.
-		 */
-		if (type == dns_rdatatype_any) {
-			result = ISC_R_SUCCESS;
-			break;
-		}
-
-		/*
-		 * Look for the qtype.
-		 */
-		result = findrdataset(db, node, version, type, 0, now,
-				      rdataset, sigrdataset);
-		if (result == ISC_R_SUCCESS)
-			break;
-
-		/*
-		 * Look for a CNAME
-		 */
-		if (type != dns_rdatatype_cname) {
-			result = findrdataset(db, node, version,
-					      dns_rdatatype_cname, 0, now,
-					      rdataset, sigrdataset);
-			if (result == ISC_R_SUCCESS) {
-				result = DNS_R_CNAME;
-				break;
-			}
-		}
-
-		result = DNS_R_NXRRSET;
-		break;
-	}
-
-	if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset))
-		dns_rdataset_disassociate(rdataset);
-
-	if (foundname != NULL) {
-		isc_result_t xresult;
-
-		xresult = dns_name_copy(xname, foundname, NULL);
-		if (xresult != ISC_R_SUCCESS) {
-			if (node != NULL)
-				destroynode(node);
-			if (dns_rdataset_isassociated(rdataset))
-				dns_rdataset_disassociate(rdataset);
-			return (DNS_R_BADDB);
-		}
-	}
-
-	if (nodep != NULL)
-		*nodep = node;
-	else if (node != NULL)
-		detachnode(db, &node);
-
-	return (result);
-}
-
-static isc_result_t
-find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
-     dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
-     dns_dbnode_t **nodep, dns_name_t *foundname,
-     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	return (findext(db, name, version, type, options, now, nodep,
-			foundname, NULL, NULL, rdataset, sigrdataset));
-}
-
-static isc_result_t
-allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
-{
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *) db;
-	sdlz_rdatasetiter_t *iterator;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-
-	REQUIRE(version == NULL ||
-		version == (void*)&sdlz->dummy_version ||
-		version == sdlz->future_version);
-
-	UNUSED(version);
-	UNUSED(now);
-
-	iterator = isc_mem_get(db->mctx, sizeof(sdlz_rdatasetiter_t));
-	if (iterator == NULL)
-		return (ISC_R_NOMEMORY);
-
-	iterator->common.magic = DNS_RDATASETITER_MAGIC;
-	iterator->common.methods = &rdatasetiter_methods;
-	iterator->common.db = db;
-	iterator->common.node = NULL;
-	attachnode(db, node, &iterator->common.node);
-	iterator->common.version = version;
-	iterator->common.now = now;
-
-	*iteratorp = (dns_rdatasetiter_t *)iterator;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-modrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	    dns_rdataset_t *rdataset, unsigned int options,
-	    dns_sdlzmodrdataset_t mod_function)
-{
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	dns_master_style_t *style = NULL;
-	isc_result_t result;
-	isc_buffer_t *buffer = NULL;
-	isc_mem_t *mctx;
-	dns_sdlznode_t *sdlznode;
-	char *rdatastr = NULL;
-	char name[DNS_NAME_MAXTEXT + 1];
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-
-	if (mod_function == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	sdlznode = (dns_sdlznode_t *)node;
-
-	UNUSED(options);
-
-	dns_name_format(sdlznode->name, name, sizeof(name));
-
-	mctx = sdlz->common.mctx;
-
-	result = isc_buffer_allocate(mctx, &buffer, 1024);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_master_stylecreate(&style, 0, 0, 0, 0, 0, 0, 1, mctx);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_master_rdatasettotext(sdlznode->name, rdataset,
-					   style, buffer);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	if (isc_buffer_usedlength(buffer) < 1) {
-		result = ISC_R_BADADDRESSFORM;
-		goto cleanup;
-	}
-
-	rdatastr = isc_buffer_base(buffer);
-	if (rdatastr == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	rdatastr[isc_buffer_usedlength(buffer) - 1] = 0;
-
-	MAYBE_LOCK(sdlz->dlzimp);
-	result = mod_function(name, rdatastr, sdlz->dlzimp->driverarg,
-			      sdlz->dbdata, version);
-	MAYBE_UNLOCK(sdlz->dlzimp);
-
-cleanup:
-	isc_buffer_free(&buffer);
-	if (style != NULL)
-		dns_master_styledestroy(&style, mctx);
-
-	return (result);
-}
-
-static isc_result_t
-addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
-	    dns_rdataset_t *addedrdataset)
-{
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	isc_result_t result;
-
-	UNUSED(now);
-	UNUSED(addedrdataset);
-	REQUIRE(VALID_SDLZDB(sdlz));
-
-	if (sdlz->dlzimp->methods->addrdataset == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	result = modrdataset(db, node, version, rdataset, options,
-			     sdlz->dlzimp->methods->addrdataset);
-	return (result);
-}
-
-
-static isc_result_t
-subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		 dns_rdataset_t *rdataset, unsigned int options,
-		 dns_rdataset_t *newrdataset)
-{
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	isc_result_t result;
-
-	UNUSED(newrdataset);
-	REQUIRE(VALID_SDLZDB(sdlz));
-
-	if (sdlz->dlzimp->methods->subtractrdataset == NULL) {
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-
-	result = modrdataset(db, node, version, rdataset, options,
-			     sdlz->dlzimp->methods->subtractrdataset);
-	return (result);
-}
-
-static isc_result_t
-deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	       dns_rdatatype_t type, dns_rdatatype_t covers)
-{
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	char name[DNS_NAME_MAXTEXT + 1];
-	char b_type[DNS_RDATATYPE_FORMATSIZE];
-	dns_sdlznode_t *sdlznode;
-	isc_result_t result;
-
-	UNUSED(covers);
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-
-	if (sdlz->dlzimp->methods->delrdataset == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	sdlznode = (dns_sdlznode_t *)node;
-	dns_name_format(sdlznode->name, name, sizeof(name));
-	dns_rdatatype_format(type, b_type, sizeof(b_type));
-
-	MAYBE_LOCK(sdlz->dlzimp);
-	result = sdlz->dlzimp->methods->delrdataset(name, b_type,
-						    sdlz->dlzimp->driverarg,
-						    sdlz->dbdata, version);
-	MAYBE_UNLOCK(sdlz->dlzimp);
-
-	return (result);
-}
-
-static isc_boolean_t
-issecure(dns_db_t *db) {
-	UNUSED(db);
-
-	return (ISC_FALSE);
-}
-
-static unsigned int
-nodecount(dns_db_t *db) {
-	UNUSED(db);
-
-	return (0);
-}
-
-static isc_boolean_t
-ispersistent(dns_db_t *db) {
-	UNUSED(db);
-	return (ISC_TRUE);
-}
-
-static void
-overmem(dns_db_t *db, isc_boolean_t overmem) {
-	UNUSED(db);
-	UNUSED(overmem);
-}
-
-static void
-settask(dns_db_t *db, isc_task_t *task) {
-	UNUSED(db);
-	UNUSED(task);
-}
-
-
-/*
- * getoriginnode() is used by the update code to find the
- * dns_rdatatype_dnskey record for a zone
- */
-static isc_result_t
-getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
-	isc_result_t result;
-
-	REQUIRE(VALID_SDLZDB(sdlz));
-	if (sdlz->dlzimp->methods->newversion == NULL)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	result = findnodeext(db, &sdlz->common.origin, ISC_FALSE,
-			     NULL, NULL, nodep);
-	if (result != ISC_R_SUCCESS)
-		sdlz_log(ISC_LOG_ERROR, "sdlz getoriginnode failed : %s",
-			 isc_result_totext(result));
-	return (result);
-}
-
-static dns_dbmethods_t sdlzdb_methods = {
-	attach,
-	detach,
-	beginload,
-	endload,
-	dump,
-	currentversion,
-	newversion,
-	attachversion,
-	closeversion,
-	findnode,
-	find,
-	findzonecut,
-	attachnode,
-	detachnode,
-	expirenode,
-	printnode,
-	createiterator,
-	findrdataset,
-	allrdatasets,
-	addrdataset,
-	subtractrdataset,
-	deleterdataset,
-	issecure,
-	nodecount,
-	ispersistent,
-	overmem,
-	settask,
-	getoriginnode,
-	NULL,			/* transfernode */
-	NULL,			/* getnsec3parameters */
-	NULL,			/* findnsec3node */
-	NULL,			/* setsigningtime */
-	NULL,			/* getsigningtime */
-	NULL,			/* resigned */
-	NULL,			/* isdnssec */
-	NULL,			/* getrrsetstats */
-	NULL,			/* rpz_enabled */
-	NULL,			/* rpz_findips */
-	findnodeext,
-	findext
-};
-
-/*
- * Database Iterator Methods.  These methods were "borrowed" from the SDB
- * driver interface.  See the SDB driver interface documentation for more info.
- */
-
-static void
-dbiterator_destroy(dns_dbiterator_t **iteratorp) {
-	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)(*iteratorp);
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)sdlziter->common.db;
-
-	while (!ISC_LIST_EMPTY(sdlziter->nodelist)) {
-		dns_sdlznode_t *node;
-		node = ISC_LIST_HEAD(sdlziter->nodelist);
-		ISC_LIST_UNLINK(sdlziter->nodelist, node, link);
-		destroynode(node);
-	}
-
-	dns_db_detach(&sdlziter->common.db);
-	isc_mem_put(sdlz->common.mctx, sdlziter, sizeof(sdlz_dbiterator_t));
-
-	*iteratorp = NULL;
-}
-
-static isc_result_t
-dbiterator_first(dns_dbiterator_t *iterator) {
-	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
-
-	sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist);
-	if (sdlziter->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_last(dns_dbiterator_t *iterator) {
-	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
-
-	sdlziter->current = ISC_LIST_TAIL(sdlziter->nodelist);
-	if (sdlziter->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
-	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
-
-	sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist);
-	while (sdlziter->current != NULL) {
-		if (dns_name_equal(sdlziter->current->name, name))
-			return (ISC_R_SUCCESS);
-		sdlziter->current = ISC_LIST_NEXT(sdlziter->current, link);
-	}
-	return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-dbiterator_prev(dns_dbiterator_t *iterator) {
-	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
-
-	sdlziter->current = ISC_LIST_PREV(sdlziter->current, link);
-	if (sdlziter->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_next(dns_dbiterator_t *iterator) {
-	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
-
-	sdlziter->current = ISC_LIST_NEXT(sdlziter->current, link);
-	if (sdlziter->current == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
-		   dns_name_t *name)
-{
-	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
-
-	attachnode(iterator->db, sdlziter->current, nodep);
-	if (name != NULL)
-		return (dns_name_copy(sdlziter->current->name, name, NULL));
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_pause(dns_dbiterator_t *iterator) {
-	UNUSED(iterator);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
-	UNUSED(iterator);
-	return (dns_name_copy(dns_rootname, name, NULL));
-}
-
-/*
- * Rdataset Methods. These methods were "borrowed" from the SDB driver
- * interface.  See the SDB driver interface documentation for more info.
- */
-
-static void
-disassociate(dns_rdataset_t *rdataset) {
-	dns_dbnode_t *node = rdataset->private5;
-	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *) node;
-	dns_db_t *db = (dns_db_t *) sdlznode->sdlz;
-
-	detachnode(db, &node);
-	isc__rdatalist_disassociate(rdataset);
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-	dns_dbnode_t *node = source->private5;
-	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *) node;
-	dns_db_t *db = (dns_db_t *) sdlznode->sdlz;
-	dns_dbnode_t *tempdb = NULL;
-
-	isc__rdatalist_clone(source, target);
-	attachnode(db, node, &tempdb);
-	source->private5 = tempdb;
-}
-
-static dns_rdatasetmethods_t rdataset_methods = {
-	disassociate,
-	isc__rdatalist_first,
-	isc__rdatalist_next,
-	isc__rdatalist_current,
-	rdataset_clone,
-	isc__rdatalist_count,
-	isc__rdatalist_addnoqname,
-	isc__rdatalist_getnoqname,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL
-};
-
-static void
-list_tordataset(dns_rdatalist_t *rdatalist,
-		dns_db_t *db, dns_dbnode_t *node,
-		dns_rdataset_t *rdataset)
-{
-	/*
-	 * The sdlz rdataset is an rdatalist with some additions.
-	 *	- private1 & private2 are used by the rdatalist.
-	 *	- private3 & private 4 are unused.
-	 *	- private5 is the node.
-	 */
-
-	/* This should never fail. */
-	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
-		      ISC_R_SUCCESS);
-
-	rdataset->methods = &rdataset_methods;
-	dns_db_attachnode(db, node, &rdataset->private5);
-}
-
-/*
- * SDLZ core methods. This is the core of the new DLZ functionality.
- */
-
-/*%
- * Build a 'bind' database driver structure to be returned by
- * either the find zone or the allow zone transfer method.
- * This method is only available in this source file, it is
- * not made available anywhere else.
- */
-
-static isc_result_t
-dns_sdlzcreateDBP(isc_mem_t *mctx, void *driverarg, void *dbdata,
-		  dns_name_t *name, dns_rdataclass_t rdclass, dns_db_t **dbp)
-{
-	isc_result_t result;
-	dns_sdlz_db_t *sdlzdb;
-	dns_sdlzimplementation_t *imp;
-
-	/* check that things are as we expect */
-	REQUIRE(dbp != NULL && *dbp == NULL);
-	REQUIRE(name != NULL);
-
-	imp = (dns_sdlzimplementation_t *) driverarg;
-
-	/* allocate and zero memory for driver structure */
-	sdlzdb = isc_mem_get(mctx, sizeof(dns_sdlz_db_t));
-	if (sdlzdb == NULL)
-		return (ISC_R_NOMEMORY);
-	memset(sdlzdb, 0, sizeof(dns_sdlz_db_t));
-
-	/* initialize and set origin */
-	dns_name_init(&sdlzdb->common.origin, NULL);
-	result = dns_name_dupwithoffsets(name, mctx, &sdlzdb->common.origin);
-	if (result != ISC_R_SUCCESS)
-		goto mem_cleanup;
-
-	/* initialize the reference count mutex */
-	result = isc_mutex_init(&sdlzdb->refcnt_lock);
-	if (result != ISC_R_SUCCESS)
-		goto name_cleanup;
-
-	/* set the rest of the database structure attributes */
-	sdlzdb->dlzimp = imp;
-	sdlzdb->common.methods = &sdlzdb_methods;
-	sdlzdb->common.attributes = 0;
-	sdlzdb->common.rdclass = rdclass;
-	sdlzdb->common.mctx = NULL;
-	sdlzdb->dbdata = dbdata;
-	sdlzdb->references = 1;
-
-	/* attach to the memory context */
-	isc_mem_attach(mctx, &sdlzdb->common.mctx);
-
-	/* mark structure as valid */
-	sdlzdb->common.magic = DNS_DB_MAGIC;
-	sdlzdb->common.impmagic = SDLZDB_MAGIC;
-	*dbp = (dns_db_t *) sdlzdb;
-
-	return (result);
-
-	/*
-	 * reference count mutex could not be initialized, clean up
-	 * name memory
-	 */
- name_cleanup:
-	dns_name_free(&sdlzdb->common.origin, mctx);
- mem_cleanup:
-	isc_mem_put(mctx, sdlzdb, sizeof(dns_sdlz_db_t));
-	return (result);
-}
-
-static isc_result_t
-dns_sdlzallowzonexfr(void *driverarg, void *dbdata, isc_mem_t *mctx,
-		     dns_rdataclass_t rdclass, dns_name_t *name,
-		     isc_sockaddr_t *clientaddr, dns_db_t **dbp)
-{
-	isc_buffer_t b;
-	isc_buffer_t b2;
-	char namestr[DNS_NAME_MAXTEXT + 1];
-	char clientstr[(sizeof "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")
-		       + 1];
-	isc_netaddr_t netaddr;
-	isc_result_t result;
-	dns_sdlzimplementation_t *imp;
-
-	/*
-	 * Perform checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(driverarg != NULL);
-	REQUIRE(name != NULL);
-	REQUIRE(clientaddr != NULL);
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	imp = (dns_sdlzimplementation_t *) driverarg;
-
-	/* Convert DNS name to ascii text */
-	isc_buffer_init(&b, namestr, sizeof(namestr));
-	result = dns_name_totext(name, ISC_TRUE, &b);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_putuint8(&b, 0);
-
-	/* convert client address to ascii text */
-	isc_buffer_init(&b2, clientstr, sizeof(clientstr));
-	isc_netaddr_fromsockaddr(&netaddr, clientaddr);
-	result = isc_netaddr_totext(&netaddr, &b2);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_putuint8(&b2, 0);
-
-	/* make sure strings are always lowercase */
-	dns_sdlz_tolower(namestr);
-	dns_sdlz_tolower(clientstr);
-
-	/* Call SDLZ driver's find zone method */
-	if (imp->methods->allowzonexfr != NULL) {
-		MAYBE_LOCK(imp);
-		result = imp->methods->allowzonexfr(imp->driverarg, dbdata,
-						    namestr, clientstr);
-		MAYBE_UNLOCK(imp);
-		/*
-		 * if zone is supported and transfers allowed build a 'bind'
-		 * database driver
-		 */
-		if (result == ISC_R_SUCCESS)
-			result = dns_sdlzcreateDBP(mctx, driverarg, dbdata,
-						   name, rdclass, dbp);
-		return (result);
-	}
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-dns_sdlzcreate(isc_mem_t *mctx, const char *dlzname, unsigned int argc,
-	       char *argv[], void *driverarg, void **dbdata)
-{
-	dns_sdlzimplementation_t *imp;
-	isc_result_t result = ISC_R_NOTFOUND;
-
-	/* Write debugging message to log */
-	sdlz_log(ISC_LOG_DEBUG(2), "Loading SDLZ driver.");
-
-	/*
-	 * Performs checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(driverarg != NULL);
-	REQUIRE(dlzname != NULL);
-	REQUIRE(dbdata != NULL);
-	UNUSED(mctx);
-
-	imp = driverarg;
-
-	/* If the create method exists, call it. */
-	if (imp->methods->create != NULL) {
-		MAYBE_LOCK(imp);
-		result = imp->methods->create(dlzname, argc, argv,
-					      imp->driverarg, dbdata);
-		MAYBE_UNLOCK(imp);
-	}
-
-	/* Write debugging message to log */
-	if (result == ISC_R_SUCCESS) {
-		sdlz_log(ISC_LOG_DEBUG(2), "SDLZ driver loaded successfully.");
-	} else {
-		sdlz_log(ISC_LOG_ERROR, "SDLZ driver failed to load.");
-	}
-
-	return (result);
-}
-
-static void
-dns_sdlzdestroy(void *driverdata, void **dbdata)
-{
-
-	dns_sdlzimplementation_t *imp;
-
-	/* Write debugging message to log */
-	sdlz_log(ISC_LOG_DEBUG(2), "Unloading SDLZ driver.");
-
-	imp = driverdata;
-
-	/* If the destroy method exists, call it. */
-	if (imp->methods->destroy != NULL) {
-		MAYBE_LOCK(imp);
-		imp->methods->destroy(imp->driverarg, dbdata);
-		MAYBE_UNLOCK(imp);
-	}
-}
-
-static isc_result_t
-dns_sdlzfindzone(void *driverarg, void *dbdata, isc_mem_t *mctx,
-		 dns_rdataclass_t rdclass, dns_name_t *name, dns_db_t **dbp)
-{
-	isc_buffer_t b;
-	char namestr[DNS_NAME_MAXTEXT + 1];
-	isc_result_t result;
-	dns_sdlzimplementation_t *imp;
-
-	/*
-	 * Perform checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(driverarg != NULL);
-	REQUIRE(name != NULL);
-	REQUIRE(dbp != NULL && *dbp == NULL);
-
-	imp = (dns_sdlzimplementation_t *) driverarg;
-
-	/* Convert DNS name to ascii text */
-	isc_buffer_init(&b, namestr, sizeof(namestr));
-	result = dns_name_totext(name, ISC_TRUE, &b);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_putuint8(&b, 0);
-
-	/* make sure strings are always lowercase */
-	dns_sdlz_tolower(namestr);
-
-	/* Call SDLZ driver's find zone method */
-	MAYBE_LOCK(imp);
-	result = imp->methods->findzone(imp->driverarg, dbdata, namestr);
-	MAYBE_UNLOCK(imp);
-
-	/*
-	 * if zone is supported build a 'bind' database driver
-	 * structure to return
-	 */
-	if (result == ISC_R_SUCCESS)
-		result = dns_sdlzcreateDBP(mctx, driverarg, dbdata, name,
-					   rdclass, dbp);
-
-	return (result);
-}
-
-
-static isc_result_t
-dns_sdlzconfigure(void *driverarg, void *dbdata, dns_view_t *view)
-{
-	isc_result_t result;
-	dns_sdlzimplementation_t *imp;
-
-	REQUIRE(driverarg != NULL);
-
-	imp = (dns_sdlzimplementation_t *) driverarg;
-
-	/* Call SDLZ driver's configure method */
-	if (imp->methods->configure != NULL) {
-		MAYBE_LOCK(imp);
-		result = imp->methods->configure(view, imp->driverarg, dbdata);
-		MAYBE_UNLOCK(imp);
-	} else {
-		result = ISC_R_SUCCESS;
-	}
-
-	return (result);
-}
-
-static isc_boolean_t
-dns_sdlzssumatch(dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr,
-		 dns_rdatatype_t type, const dst_key_t *key, void *driverarg,
-		 void *dbdata)
-{
-	dns_sdlzimplementation_t *imp;
-	char b_signer[DNS_NAME_FORMATSIZE];
-	char b_name[DNS_NAME_FORMATSIZE];
-	char b_addr[ISC_NETADDR_FORMATSIZE];
-	char b_type[DNS_RDATATYPE_FORMATSIZE];
-	char b_key[DST_KEY_FORMATSIZE];
-	isc_buffer_t *tkey_token = NULL;
-	isc_region_t token_region;
-	isc_uint32_t token_len = 0;
-	isc_boolean_t ret;
-
-	REQUIRE(driverarg != NULL);
-
-	imp = (dns_sdlzimplementation_t *) driverarg;
-	if (imp->methods->ssumatch == NULL)
-		return (ISC_FALSE);
-
-	/*
-	 * Format the request elements. sdlz operates on strings, not
-	 * structures
-	 */
-	if (signer != NULL)
-		dns_name_format(signer, b_signer, sizeof(b_signer));
-	else
-		b_signer[0] = 0;
-
-	dns_name_format(name, b_name, sizeof(b_name));
-
-	if (tcpaddr != NULL)
-		isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
-	else
-		b_addr[0] = 0;
-
-	dns_rdatatype_format(type, b_type, sizeof(b_type));
-
-	if (key != NULL) {
-		dst_key_format(key, b_key, sizeof(b_key));
-		tkey_token = dst_key_tkeytoken(key);
-	} else
-		b_key[0] = 0;
-
-	if (tkey_token != NULL) {
-		isc_buffer_region(tkey_token, &token_region);
-		token_len = token_region.length;
-	}
-
-	MAYBE_LOCK(imp);
-	ret = imp->methods->ssumatch(b_signer, b_name, b_addr, b_type, b_key,
-				     token_len,
-				     token_len != 0 ? token_region.base : NULL,
-				     imp->driverarg, dbdata);
-	MAYBE_UNLOCK(imp);
-	return (ret);
-}
-
-static dns_dlzmethods_t sdlzmethods = {
-	dns_sdlzcreate,
-	dns_sdlzdestroy,
-	dns_sdlzfindzone,
-	dns_sdlzallowzonexfr,
-	dns_sdlzconfigure,
-	dns_sdlzssumatch
-};
-
-/*
- * Public functions.
- */
-
-isc_result_t
-dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
-	       const char *data)
-{
-	dns_rdatalist_t *rdatalist;
-	dns_rdata_t *rdata;
-	dns_rdatatype_t typeval;
-	isc_consttextregion_t r;
-	isc_buffer_t b;
-	isc_buffer_t *rdatabuf = NULL;
-	isc_lex_t *lex;
-	isc_result_t result;
-	unsigned int size;
-	isc_mem_t *mctx;
-	dns_name_t *origin;
-
-	REQUIRE(VALID_SDLZLOOKUP(lookup));
-	REQUIRE(type != NULL);
-	REQUIRE(data != NULL);
-
-	mctx = lookup->sdlz->common.mctx;
-
-	r.base = type;
-	r.length = strlen(type);
-	result = dns_rdatatype_fromtext(&typeval, (void *) &r);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	rdatalist = ISC_LIST_HEAD(lookup->lists);
-	while (rdatalist != NULL) {
-		if (rdatalist->type == typeval)
-			break;
-		rdatalist = ISC_LIST_NEXT(rdatalist, link);
-	}
-
-	if (rdatalist == NULL) {
-		rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t));
-		if (rdatalist == NULL)
-			return (ISC_R_NOMEMORY);
-		rdatalist->rdclass = lookup->sdlz->common.rdclass;
-		rdatalist->type = typeval;
-		rdatalist->covers = 0;
-		rdatalist->ttl = ttl;
-		ISC_LIST_INIT(rdatalist->rdata);
-		ISC_LINK_INIT(rdatalist, link);
-		ISC_LIST_APPEND(lookup->lists, rdatalist, link);
-	} else
-		if (rdatalist->ttl > ttl) {
-			/*
-			 * BIND9 doesn't enforce all RRs in an RRset
-			 * having the same TTL, as per RFC 2136,
-			 * section 7.12. If a DLZ backend has
-			 * different TTLs, then the best
-			 * we can do is return the lowest.
-			*/
-			rdatalist->ttl = ttl;
-		}
-
-	rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
-	if (rdata == NULL)
-		return (ISC_R_NOMEMORY);
-	dns_rdata_init(rdata);
-
-	if ((lookup->sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0)
-		origin = &lookup->sdlz->common.origin;
-	else
-		origin = dns_rootname;
-
-	lex = NULL;
-	result = isc_lex_create(mctx, 64, &lex);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	size = initial_size(data);
-	do {
-		isc_buffer_constinit(&b, data, strlen(data));
-		isc_buffer_add(&b, strlen(data));
-
-		result = isc_lex_openbuffer(lex, &b);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		rdatabuf = NULL;
-		result = isc_buffer_allocate(mctx, &rdatabuf, size);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		result = dns_rdata_fromtext(rdata, rdatalist->rdclass,
-					    rdatalist->type, lex,
-					    origin, ISC_FALSE,
-					    mctx, rdatabuf,
-					    &lookup->callbacks);
-		if (result != ISC_R_SUCCESS)
-			isc_buffer_free(&rdatabuf);
-		if (size >= 65535)
-			break;
-		size *= 2;
-		if (size >= 65535)
-			size = 65535;
-	} while (result == ISC_R_NOSPACE);
-
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
-
-	if (lex != NULL)
-		isc_lex_destroy(&lex);
-
-	return (ISC_R_SUCCESS);
-
- failure:
-	if (rdatabuf != NULL)
-		isc_buffer_free(&rdatabuf);
-	if (lex != NULL)
-		isc_lex_destroy(&lex);
-	isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
-
-	return (result);
-}
-
-isc_result_t
-dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name,
-		    const char *type, dns_ttl_t ttl, const char *data)
-{
-	dns_name_t *newname, *origin;
-	dns_fixedname_t fnewname;
-	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)allnodes->common.db;
-	dns_sdlznode_t *sdlznode;
-	isc_mem_t *mctx = sdlz->common.mctx;
-	isc_buffer_t b;
-	isc_result_t result;
-
-	dns_fixedname_init(&fnewname);
-	newname = dns_fixedname_name(&fnewname);
-
-	if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0)
-		origin = &sdlz->common.origin;
-	else
-		origin = dns_rootname;
-	isc_buffer_constinit(&b, name, strlen(name));
-	isc_buffer_add(&b, strlen(name));
-
-	result = dns_name_fromtext(newname, &b, origin, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (allnodes->common.relative_names) {
-		/* All names are relative to the root */
-		unsigned int nlabels = dns_name_countlabels(newname);
-		dns_name_getlabelsequence(newname, 0, nlabels - 1, newname);
-	}
-
-	sdlznode = ISC_LIST_HEAD(allnodes->nodelist);
-	if (sdlznode == NULL || !dns_name_equal(sdlznode->name, newname)) {
-		sdlznode = NULL;
-		result = createnode(sdlz, &sdlznode);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		sdlznode->name = isc_mem_get(mctx, sizeof(dns_name_t));
-		if (sdlznode->name == NULL) {
-			destroynode(sdlznode);
-			return (ISC_R_NOMEMORY);
-		}
-		dns_name_init(sdlznode->name, NULL);
-		result = dns_name_dup(newname, mctx, sdlznode->name);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(mctx, sdlznode->name, sizeof(dns_name_t));
-			destroynode(sdlznode);
-			return (result);
-		}
-		ISC_LIST_PREPEND(allnodes->nodelist, sdlznode, link);
-		if (allnodes->origin == NULL &&
-		    dns_name_equal(newname, &sdlz->common.origin))
-			allnodes->origin = sdlznode;
-	}
-	return (dns_sdlz_putrr(sdlznode, type, ttl, data));
-
-}
-
-isc_result_t
-dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname,
-		isc_uint32_t serial)
-{
-	char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7];
-	int n;
-
-	REQUIRE(mname != NULL);
-	REQUIRE(rname != NULL);
-
-	n = snprintf(str, sizeof str, "%s %s %u %u %u %u %u",
-		     mname, rname, serial,
-		     SDLZ_DEFAULT_REFRESH, SDLZ_DEFAULT_RETRY,
-		     SDLZ_DEFAULT_EXPIRE, SDLZ_DEFAULT_MINIMUM);
-	if (n >= (int)sizeof(str) || n < 0)
-		return (ISC_R_NOSPACE);
-	return (dns_sdlz_putrr(lookup, "SOA", SDLZ_DEFAULT_TTL, str));
-}
-
-isc_result_t
-dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods,
-		 void *driverarg, unsigned int flags, isc_mem_t *mctx,
-		 dns_sdlzimplementation_t **sdlzimp)
-{
-
-	dns_sdlzimplementation_t *imp;
-	isc_result_t result;
-
-	/*
-	 * Performs checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(drivername != NULL);
-	REQUIRE(methods != NULL);
-	REQUIRE(methods->findzone != NULL);
-	REQUIRE(methods->lookup != NULL);
-	REQUIRE(mctx != NULL);
-	REQUIRE(sdlzimp != NULL && *sdlzimp == NULL);
-	REQUIRE((flags & ~(DNS_SDLZFLAG_RELATIVEOWNER |
-			   DNS_SDLZFLAG_RELATIVERDATA |
-			   DNS_SDLZFLAG_THREADSAFE)) == 0);
-
-	/* Write debugging message to log */
-	sdlz_log(ISC_LOG_DEBUG(2), "Registering SDLZ driver '%s'", drivername);
-
-	/*
-	 * Allocate memory for a sdlz_implementation object.  Error if
-	 * we cannot.
-	 */
-	imp = isc_mem_get(mctx, sizeof(dns_sdlzimplementation_t));
-	if (imp == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/* Make sure memory region is set to all 0's */
-	memset(imp, 0, sizeof(dns_sdlzimplementation_t));
-
-	/* Store the data passed into this method */
-	imp->methods = methods;
-	imp->driverarg = driverarg;
-	imp->flags = flags;
-	imp->mctx = NULL;
-
-	/* attach the new sdlz_implementation object to a memory context */
-	isc_mem_attach(mctx, &imp->mctx);
-
-	/*
-	 * initialize the driver lock, error if we cannot
-	 * (used if a driver does not support multiple threads)
-	 */
-	result = isc_mutex_init(&imp->driverlock);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mutex_init() failed: %s",
-				 isc_result_totext(result));
-		goto cleanup_mctx;
-	}
-
-	imp->dlz_imp = NULL;
-
-	/*
-	 * register the DLZ driver.  Pass in our "extra" sdlz information as
-	 * a driverarg.  (that's why we stored the passed in driver arg in our
-	 * sdlz_implementation structure)  Also, store the dlz_implementation
-	 * structure in our sdlz_implementation.
-	 */
-	result = dns_dlzregister(drivername, &sdlzmethods, imp, mctx,
-				 &imp->dlz_imp);
-
-	/* if registration fails, cleanup and get outta here. */
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mutex;
-
-	*sdlzimp = imp;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_mutex:
-	/* destroy the driver lock, we don't need it anymore */
-	DESTROYLOCK(&imp->driverlock);
-
- cleanup_mctx:
-	/*
-	 * return the memory back to the available memory pool and
-	 * remove it from the memory context.
-	 */
-	isc_mem_put(mctx, imp, sizeof(dns_sdlzimplementation_t));
-	isc_mem_detach(&mctx);
-	return (result);
-}
-
-void
-dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp) {
-	dns_sdlzimplementation_t *imp;
-	isc_mem_t *mctx;
-
-	/* Write debugging message to log */
-	sdlz_log(ISC_LOG_DEBUG(2), "Unregistering SDLZ driver.");
-
-	/*
-	 * Performs checks to make sure data is as we expect it to be.
-	 */
-	REQUIRE(sdlzimp != NULL && *sdlzimp != NULL);
-
-	imp = *sdlzimp;
-
-	/* Unregister the DLZ driver implementation */
-	dns_dlzunregister(&imp->dlz_imp);
-
-	/* destroy the driver lock, we don't need it anymore */
-	DESTROYLOCK(&imp->driverlock);
-
-	mctx = imp->mctx;
-
-	/*
-	 * return the memory back to the available memory pool and
-	 * remove it from the memory context.
-	 */
-	isc_mem_put(mctx, imp, sizeof(dns_sdlzimplementation_t));
-	isc_mem_detach(&mctx);
-
-	*sdlzimp = NULL;
-}
-
-
-isc_result_t
-dns_sdlz_setdb(dns_dlzdb_t *dlzdatabase, dns_rdataclass_t rdclass,
-	       dns_name_t *name, dns_db_t **dbp)
-{
-	isc_result_t result;
-
-	result = dns_sdlzcreateDBP(dlzdatabase->mctx,
-				   dlzdatabase->implementation->driverarg,
-				   dlzdatabase->dbdata, name, rdclass, dbp);
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/soa.c b/contrib/bind9/lib/dns/soa.c
deleted file mode 100644
index 1b58bfe..0000000
--- a/contrib/bind9/lib/dns/soa.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: soa.c,v 1.12 2009/09/10 02:18:40 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/util.h>
-
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/soa.h>
-
-static inline isc_uint32_t
-decode_uint32(unsigned char *p) {
-	return ((p[0] << 24) +
-		(p[1] << 16) +
-		(p[2] <<  8) +
-		(p[3] <<  0));
-}
-
-static inline void
-encode_uint32(isc_uint32_t val, unsigned char *p) {
-	p[0] = (isc_uint8_t)(val >> 24);
-	p[1] = (isc_uint8_t)(val >> 16);
-	p[2] = (isc_uint8_t)(val >>  8);
-	p[3] = (isc_uint8_t)(val >>  0);
-}
-
-static isc_uint32_t
-soa_get(dns_rdata_t *rdata, int offset) {
-	INSIST(rdata->type == dns_rdatatype_soa);
-	/*
-	 * Locate the field within the SOA RDATA based
-	 * on its position relative to the end of the data.
-	 *
-	 * This is a bit of a kludge, but the alternative approach of
-	 * using dns_rdata_tostruct() and dns_rdata_fromstruct() would
-	 * involve a lot of unnecessary work (like building domain
-	 * names and allocating temporary memory) when all we really
-	 * want to do is to get 32 bits of fixed-sized data.
-	 */
-	INSIST(rdata->length >= 20);
-	INSIST(offset >= 0 && offset <= 16);
-	return (decode_uint32(rdata->data + rdata->length - 20 + offset));
-}
-
-isc_result_t
-dns_soa_buildrdata(dns_name_t *origin, dns_name_t *contact,
-		   dns_rdataclass_t rdclass,
-		   isc_uint32_t serial, isc_uint32_t refresh,
-		   isc_uint32_t retry, isc_uint32_t expire,
-		   isc_uint32_t minimum, unsigned char *buffer,
-		   dns_rdata_t *rdata) {
-	dns_rdata_soa_t soa;
-	isc_buffer_t rdatabuf;
-
-	REQUIRE(origin != NULL);
-	REQUIRE(contact != NULL);
-
-	memset(buffer, 0, DNS_SOA_BUFFERSIZE);
-	isc_buffer_init(&rdatabuf, buffer, DNS_SOA_BUFFERSIZE);
-
-	soa.common.rdtype = dns_rdatatype_soa;
-	soa.common.rdclass = rdclass;
-	soa.mctx = NULL;
-	soa.serial = serial;
-	soa.refresh = refresh;
-	soa.retry = retry;
-	soa.expire = expire;
-	soa.minimum = minimum;
-	dns_name_init(&soa.origin, NULL);
-	dns_name_clone(origin, &soa.origin);
-	dns_name_init(&soa.contact, NULL);
-	dns_name_clone(contact, &soa.contact);
-
-	return (dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_soa,
-				      &soa, &rdatabuf));
-}
-
-isc_uint32_t
-dns_soa_getserial(dns_rdata_t *rdata) {
-	return soa_get(rdata, 0);
-}
-isc_uint32_t
-dns_soa_getrefresh(dns_rdata_t *rdata) {
-	return soa_get(rdata, 4);
-}
-isc_uint32_t
-dns_soa_getretry(dns_rdata_t *rdata) {
-	return soa_get(rdata, 8);
-}
-isc_uint32_t
-dns_soa_getexpire(dns_rdata_t *rdata) {
-	return soa_get(rdata, 12);
-}
-isc_uint32_t
-dns_soa_getminimum(dns_rdata_t *rdata) {
-	return soa_get(rdata, 16);
-}
-
-static void
-soa_set(dns_rdata_t *rdata, isc_uint32_t val, int offset) {
-	INSIST(rdata->type == dns_rdatatype_soa);
-	INSIST(rdata->length >= 20);
-	INSIST(offset >= 0 && offset <= 16);
-	encode_uint32(val, rdata->data + rdata->length - 20 + offset);
-}
-
-void
-dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata) {
-	soa_set(rdata, val, 0);
-}
-void
-dns_soa_setrefresh(isc_uint32_t val, dns_rdata_t *rdata) {
-	soa_set(rdata, val, 4);
-}
-void
-dns_soa_setretry(isc_uint32_t val, dns_rdata_t *rdata) {
-	soa_set(rdata, val, 8);
-}
-void
-dns_soa_setexpire(isc_uint32_t val, dns_rdata_t *rdata) {
-	soa_set(rdata, val, 12);
-}
-void
-dns_soa_setminimum(isc_uint32_t val, dns_rdata_t *rdata) {
-	soa_set(rdata, val, 16);
-}
diff --git a/contrib/bind9/lib/dns/spnego.asn1 b/contrib/bind9/lib/dns/spnego.asn1
deleted file mode 100644
index 43d152b..0000000
--- a/contrib/bind9/lib/dns/spnego.asn1
+++ /dev/null
@@ -1,52 +0,0 @@
--- Copyright (C) The Internet Society 2005.  This version of
--- this module is part of RFC 4178; see the RFC itself for
--- full legal notices.
-
--- (The above copyright notice is per RFC 3978 5.6 (a), q.v.)
-
--- $Id: spnego.asn1,v 1.2 2006/12/04 01:52:46 marka Exp $
-
--- This is the SPNEGO ASN.1 module from RFC 4178, tweaked
--- to get the Heimdal ASN.1 compiler to accept it.
-
-SPNEGOASNOneSpec DEFINITIONS ::= BEGIN
-
-MechType ::= OBJECT IDENTIFIER
-
-MechTypeList ::= SEQUENCE OF MechType
-
-ContextFlags ::= BIT STRING {
-    delegFlag       (0),
-    mutualFlag      (1),
-    replayFlag      (2),
-    sequenceFlag    (3),
-    anonFlag        (4),
-    confFlag        (5),
-    integFlag       (6)
-}
-
-NegTokenInit ::= SEQUENCE {
-    mechTypes       [0] MechTypeList,
-    reqFlags        [1] ContextFlags  OPTIONAL,
-    mechToken       [2] OCTET STRING  OPTIONAL,
-    mechListMIC     [3] OCTET STRING  OPTIONAL
-}
-
-NegTokenResp ::= SEQUENCE {
-    negState       [0] ENUMERATED {
-	accept-completed    (0),
-	accept-incomplete   (1),
-	reject              (2),
-	request-mic         (3)
-    }                                 OPTIONAL,
-    supportedMech   [1] MechType      OPTIONAL,
-    responseToken   [2] OCTET STRING  OPTIONAL,
-    mechListMIC     [3] OCTET STRING  OPTIONAL
-}
-
-NegotiationToken ::= CHOICE {
-    negTokenInit    [0] NegTokenInit,
-    negTokenResp    [1] NegTokenResp
-}
-
-END
diff --git a/contrib/bind9/lib/dns/spnego.c b/contrib/bind9/lib/dns/spnego.c
deleted file mode 100644
index 0c1c858..0000000
--- a/contrib/bind9/lib/dns/spnego.c
+++ /dev/null
@@ -1,1820 +0,0 @@
-/*
- * Copyright (C) 2006-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file
- * \brief
- * Portable SPNEGO implementation.
- *
- * This is part of a portable implementation of the SPNEGO protocol
- * (RFCs 2478 and 4178).  This implementation uses the RFC 4178 ASN.1
- * module but is not a full implementation of the RFC 4178 protocol;
- * at the moment, we only support GSS-TSIG with Kerberos
- * authentication, so we only need enough of the SPNEGO protocol to
- * support that.
- *
- * The files that make up this portable SPNEGO implementation are:
- * \li	spnego.c	(this file)
- * \li	spnego.h	(API SPNEGO exports to the rest of lib/dns)
- * \li	spnego.asn1	(SPNEGO ASN.1 module)
- * \li	spnego_asn1.c	(routines generated from spngo.asn1)
- * \li	spnego_asn1.pl	(perl script to generate spnego_asn1.c)
- *
- * Everything but the functions exported in spnego.h is static, to
- * avoid possible conflicts with other libraries (particularly Heimdal,
- * since much of this code comes from Heimdal by way of mod_auth_kerb).
- *
- * spnego_asn1.c is shipped as part of lib/dns because generating it
- * requires both Perl and the Heimdal ASN.1 compiler.  See
- * spnego_asn1.pl for further details.  We've tried to eliminate all
- * compiler warnings from the generated code, but you may see a few
- * when using a compiler version we haven't tested yet.
- */
-
-/*
- * Portions of this code were derived from mod_auth_kerb and Heimdal.
- * These packages are available from:
- *
- *   http://modauthkerb.sourceforge.net/
- *   http://www.pdc.kth.se/heimdal/
- *
- * and were released under the following licenses:
- *
- * ----------------------------------------------------------------
- *
- * Copyright (c) 2004 Masarykova universita
- * (Masaryk University, Brno, Czech Republic)
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the University nor the names of its contributors may
- *    be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- *
- * ----------------------------------------------------------------
- *
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * XXXSRA We should omit this file entirely in Makefile.in via autoconf,
- * but this will keep it from generating errors until that's written.
- */
-
-#ifdef GSSAPI
-
-/*
- * XXXSRA Some of the following files are almost certainly unnecessary,
- * but using this list (borrowed from gssapictx.c) gets rid of some
- * whacky compilation errors when building with MSVC and should be
- * harmless in any case.
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <errno.h>
-
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/random.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/types.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-
-#include <dst/gssapi.h>
-#include <dst/result.h>
-
-#include "dst_internal.h"
-
-/*
- * The API we export
- */
-#include "spnego.h"
-
-/* asn1_err.h */
-/* Generated from ../../../lib/asn1/asn1_err.et */
-
-#ifndef ERROR_TABLE_BASE_asn1
-/* these may be brought in already via gssapi_krb5.h */
-typedef enum asn1_error_number {
-	ASN1_BAD_TIMEFORMAT = 1859794432,
-	ASN1_MISSING_FIELD = 1859794433,
-	ASN1_MISPLACED_FIELD = 1859794434,
-	ASN1_TYPE_MISMATCH = 1859794435,
-	ASN1_OVERFLOW = 1859794436,
-	ASN1_OVERRUN = 1859794437,
-	ASN1_BAD_ID = 1859794438,
-	ASN1_BAD_LENGTH = 1859794439,
-	ASN1_BAD_FORMAT = 1859794440,
-	ASN1_PARSE_ERROR = 1859794441
-} asn1_error_number;
-
-#define ERROR_TABLE_BASE_asn1 1859794432
-#endif
-
-#define __asn1_common_definitions__
-
-typedef struct octet_string {
-	size_t length;
-	void *data;
-} octet_string;
-
-typedef char *general_string;
-
-typedef char *utf8_string;
-
-typedef struct oid {
-	size_t length;
-	unsigned *components;
-} oid;
-
-/* der.h */
-
-typedef enum {
-	ASN1_C_UNIV = 0, ASN1_C_APPL = 1,
-	ASN1_C_CONTEXT = 2, ASN1_C_PRIVATE = 3
-} Der_class;
-
-typedef enum {
-	PRIM = 0, CONS = 1
-} Der_type;
-
-/* Universal tags */
-
-enum {
-	UT_Boolean = 1,
-	UT_Integer = 2,
-	UT_BitString = 3,
-	UT_OctetString = 4,
-	UT_Null = 5,
-	UT_OID = 6,
-	UT_Enumerated = 10,
-	UT_Sequence = 16,
-	UT_Set = 17,
-	UT_PrintableString = 19,
-	UT_IA5String = 22,
-	UT_UTCTime = 23,
-	UT_GeneralizedTime = 24,
-	UT_VisibleString = 26,
-	UT_GeneralString = 27
-};
-
-#define ASN1_INDEFINITE 0xdce0deed
-
-static int
-der_get_length(const unsigned char *p, size_t len,
-	       size_t * val, size_t * size);
-
-static int
-der_get_octet_string(const unsigned char *p, size_t len,
-		     octet_string * data, size_t * size);
-static int
-der_get_oid(const unsigned char *p, size_t len,
-	    oid * data, size_t * size);
-static int
-der_get_tag(const unsigned char *p, size_t len,
-	    Der_class * class, Der_type * type,
-	    int *tag, size_t * size);
-
-static int
-der_match_tag(const unsigned char *p, size_t len,
-	      Der_class class, Der_type type,
-	      int tag, size_t * size);
-static int
-der_match_tag_and_length(const unsigned char *p, size_t len,
-			 Der_class class, Der_type type, int tag,
-			 size_t * length_ret, size_t * size);
-
-static int
-decode_oid(const unsigned char *p, size_t len,
-	   oid * k, size_t * size);
-
-static int
-decode_enumerated(const unsigned char *p, size_t len, void *num, size_t *size);
-
-static int
-decode_octet_string(const unsigned char *, size_t, octet_string *, size_t *);
-
-static int
-der_put_int(unsigned char *p, size_t len, int val, size_t *);
-
-static int
-der_put_length(unsigned char *p, size_t len, size_t val, size_t *);
-
-static int
-der_put_octet_string(unsigned char *p, size_t len,
-		     const octet_string * data, size_t *);
-static int
-der_put_oid(unsigned char *p, size_t len,
-	    const oid * data, size_t * size);
-static int
-der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
-	    int tag, size_t *);
-static int
-der_put_length_and_tag(unsigned char *, size_t, size_t,
-		       Der_class, Der_type, int, size_t *);
-
-static int
-encode_enumerated(unsigned char *p, size_t len, const void *data, size_t *);
-
-static int
-encode_octet_string(unsigned char *p, size_t len,
-		    const octet_string * k, size_t *);
-static int
-encode_oid(unsigned char *p, size_t len,
-	   const oid * k, size_t *);
-
-static void
-free_octet_string(octet_string * k);
-
-static void
-free_oid  (oid * k);
-
-static size_t
-length_len(size_t len);
-
-static int
-fix_dce(size_t reallen, size_t * len);
-
-/*
- * Include stuff generated by the ASN.1 compiler.
- */
-
-#include "spnego_asn1.c"
-
-static unsigned char gss_krb5_mech_oid_bytes[] = {
-	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
-};
-
-static gss_OID_desc gss_krb5_mech_oid_desc = {
-	sizeof(gss_krb5_mech_oid_bytes),
-	gss_krb5_mech_oid_bytes
-};
-
-static gss_OID GSS_KRB5_MECH = &gss_krb5_mech_oid_desc;
-
-static unsigned char gss_mskrb5_mech_oid_bytes[] = {
-	0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02
-};
-
-static gss_OID_desc gss_mskrb5_mech_oid_desc = {
-	sizeof(gss_mskrb5_mech_oid_bytes),
-	gss_mskrb5_mech_oid_bytes
-};
-
-static gss_OID GSS_MSKRB5_MECH = &gss_mskrb5_mech_oid_desc;
-
-static unsigned char gss_spnego_mech_oid_bytes[] = {
-	0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
-};
-
-static gss_OID_desc gss_spnego_mech_oid_desc = {
-	sizeof(gss_spnego_mech_oid_bytes),
-	gss_spnego_mech_oid_bytes
-};
-
-static gss_OID GSS_SPNEGO_MECH = &gss_spnego_mech_oid_desc;
-
-/* spnegokrb5_locl.h */
-
-static OM_uint32
-gssapi_spnego_encapsulate(OM_uint32 *,
-			  unsigned char *,
-			  size_t,
-			  gss_buffer_t,
-			  const gss_OID);
-
-static OM_uint32
-gssapi_spnego_decapsulate(OM_uint32 *,
-			  gss_buffer_t,
-			  unsigned char **,
-			  size_t *,
-			  const gss_OID);
-
-/* mod_auth_kerb.c */
-
-static int
-cmp_gss_type(gss_buffer_t token, gss_OID oid)
-{
-	unsigned char *p;
-	size_t len;
-
-	if (token->length == 0U)
-		return (GSS_S_DEFECTIVE_TOKEN);
-
-	p = token->value;
-	if (*p++ != 0x60)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	len = *p++;
-	if (len & 0x80) {
-		if ((len & 0x7f) > 4U)
-			return (GSS_S_DEFECTIVE_TOKEN);
-		p += len & 0x7f;
-	}
-	if (*p++ != 0x06)
-		return (GSS_S_DEFECTIVE_TOKEN);
-
-	if (((OM_uint32) *p++) != oid->length)
-		return (GSS_S_DEFECTIVE_TOKEN);
-
-	return (memcmp(p, oid->elements, oid->length));
-}
-
-/* accept_sec_context.c */
-/*
- * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
- * based on Heimdal code)
- */
-
-static OM_uint32
-code_NegTokenArg(OM_uint32 * minor_status,
-		 const NegTokenResp * resp,
-		 unsigned char **outbuf,
-		 size_t * outbuf_size)
-{
-	OM_uint32 ret;
-	u_char *buf;
-	size_t buf_size, buf_len = 0;
-
-	buf_size = 1024;
-	buf = malloc(buf_size);
-	if (buf == NULL) {
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	do {
-		ret = encode_NegTokenResp(buf + buf_size - 1,
-					  buf_size,
-					  resp, &buf_len);
-		if (ret == 0) {
-			size_t tmp;
-
-			ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
-						     buf_size - buf_len,
-						     buf_len,
-						     ASN1_C_CONTEXT,
-						     CONS,
-						     1,
-						     &tmp);
-			if (ret == 0)
-				buf_len += tmp;
-		}
-		if (ret) {
-			if (ret == ASN1_OVERFLOW) {
-				u_char *tmp;
-
-				buf_size *= 2;
-				tmp = realloc(buf, buf_size);
-				if (tmp == NULL) {
-					*minor_status = ENOMEM;
-					free(buf);
-					return (GSS_S_FAILURE);
-				}
-				buf = tmp;
-			} else {
-				*minor_status = ret;
-				free(buf);
-				return (GSS_S_FAILURE);
-			}
-		}
-	} while (ret == ASN1_OVERFLOW);
-
-	*outbuf = malloc(buf_len);
-	if (*outbuf == NULL) {
-		*minor_status = ENOMEM;
-		free(buf);
-		return (GSS_S_FAILURE);
-	}
-	memcpy(*outbuf, buf + buf_size - buf_len, buf_len);
-	*outbuf_size = buf_len;
-
-	free(buf);
-
-	return (GSS_S_COMPLETE);
-}
-
-static OM_uint32
-send_reject(OM_uint32 * minor_status,
-	    gss_buffer_t output_token)
-{
-	NegTokenResp resp;
-	OM_uint32 ret;
-
-	resp.negState = malloc(sizeof(*resp.negState));
-	if (resp.negState == NULL) {
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	*(resp.negState) = reject;
-
-	resp.supportedMech = NULL;
-	resp.responseToken = NULL;
-	resp.mechListMIC = NULL;
-
-	ret = code_NegTokenArg(minor_status, &resp,
-			       (unsigned char **)&output_token->value,
-			       &output_token->length);
-	free_NegTokenResp(&resp);
-	if (ret)
-		return (ret);
-
-	return (GSS_S_BAD_MECH);
-}
-
-static OM_uint32
-send_accept(OM_uint32 * minor_status,
-	    gss_buffer_t output_token,
-	    gss_buffer_t mech_token,
-	    const gss_OID pref)
-{
-	NegTokenResp resp;
-	OM_uint32 ret;
-
-	memset(&resp, 0, sizeof(resp));
-	resp.negState = malloc(sizeof(*resp.negState));
-	if (resp.negState == NULL) {
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	*(resp.negState) = accept_completed;
-
-	resp.supportedMech = malloc(sizeof(*resp.supportedMech));
-	if (resp.supportedMech == NULL) {
-		free_NegTokenResp(&resp);
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	ret = der_get_oid(pref->elements,
-			  pref->length,
-			  resp.supportedMech,
-			  NULL);
-	if (ret) {
-		free_NegTokenResp(&resp);
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	if (mech_token != NULL && mech_token->length != 0U) {
-		resp.responseToken = malloc(sizeof(*resp.responseToken));
-		if (resp.responseToken == NULL) {
-			free_NegTokenResp(&resp);
-			*minor_status = ENOMEM;
-			return (GSS_S_FAILURE);
-		}
-		resp.responseToken->length = mech_token->length;
-		resp.responseToken->data = mech_token->value;
-	}
-
-	ret = code_NegTokenArg(minor_status, &resp,
-			       (unsigned char **)&output_token->value,
-			       &output_token->length);
-	if (resp.responseToken != NULL) {
-		free(resp.responseToken);
-		resp.responseToken = NULL;
-	}
-	free_NegTokenResp(&resp);
-	if (ret)
-		return (ret);
-
-	return (GSS_S_COMPLETE);
-}
-
-OM_uint32
-gss_accept_sec_context_spnego(OM_uint32 *minor_status,
-			      gss_ctx_id_t *context_handle,
-			      const gss_cred_id_t acceptor_cred_handle,
-			      const gss_buffer_t input_token_buffer,
-			      const gss_channel_bindings_t input_chan_bindings,
-			      gss_name_t *src_name,
-			      gss_OID *mech_type,
-			      gss_buffer_t output_token,
-			      OM_uint32 *ret_flags,
-			      OM_uint32 *time_rec,
-			      gss_cred_id_t *delegated_cred_handle)
-{
-	NegTokenInit init_token;
-	OM_uint32 major_status;
-	OM_uint32 minor_status2;
-	gss_buffer_desc ibuf, obuf;
-	gss_buffer_t ot = NULL;
-	gss_OID pref = GSS_KRB5_MECH;
-	unsigned char *buf;
-	size_t buf_size;
-	size_t len, taglen, ni_len;
-	int found = 0;
-	int ret;
-	unsigned i;
-
-	/*
-	 * Before doing anything else, see whether this is a SPNEGO
-	 * PDU.  If not, dispatch to the GSSAPI library and get out.
-	 */
-
-	if (cmp_gss_type(input_token_buffer, GSS_SPNEGO_MECH))
-		return (gss_accept_sec_context(minor_status,
-					       context_handle,
-					       acceptor_cred_handle,
-					       input_token_buffer,
-					       input_chan_bindings,
-					       src_name,
-					       mech_type,
-					       output_token,
-					       ret_flags,
-					       time_rec,
-					       delegated_cred_handle));
-
-	/*
-	 * If we get here, it's SPNEGO.
-	 */
-
-	memset(&init_token, 0, sizeof(init_token));
-
-	ret = gssapi_spnego_decapsulate(minor_status, input_token_buffer,
-					&buf, &buf_size, GSS_SPNEGO_MECH);
-	if (ret)
-		return (ret);
-
-	ret = der_match_tag_and_length(buf, buf_size, ASN1_C_CONTEXT, CONS,
-				       0, &len, &taglen);
-	if (ret)
-		return (ret);
-
-	ret = decode_NegTokenInit(buf + taglen, len, &init_token, &ni_len);
-	if (ret) {
-		*minor_status = EINVAL;	/* XXX */
-		return (GSS_S_DEFECTIVE_TOKEN);
-	}
-
-	for (i = 0; !found && i < init_token.mechTypes.len; ++i) {
-		unsigned char mechbuf[17];
-		size_t mech_len;
-
-		ret = der_put_oid(mechbuf + sizeof(mechbuf) - 1,
-				  sizeof(mechbuf),
-				  &init_token.mechTypes.val[i],
-				  &mech_len);
-		if (ret) {
-			free_NegTokenInit(&init_token);
-			return (GSS_S_DEFECTIVE_TOKEN);
-		}
-		if (mech_len == GSS_KRB5_MECH->length &&
-		    memcmp(GSS_KRB5_MECH->elements,
-			   mechbuf + sizeof(mechbuf) - mech_len,
-			   mech_len) == 0) {
-			found = 1;
-			break;
-		}
-		if (mech_len == GSS_MSKRB5_MECH->length &&
-		    memcmp(GSS_MSKRB5_MECH->elements,
-			   mechbuf + sizeof(mechbuf) - mech_len,
-			   mech_len) == 0) {
-			found = 1;
-			if (i == 0)
-				pref = GSS_MSKRB5_MECH;
-			break;
-		}
-	}
-
-	if (!found) {
-		free_NegTokenInit(&init_token);
-		return (send_reject(minor_status, output_token));
-	}
-
-	if (i == 0 && init_token.mechToken != NULL) {
-		ibuf.length = init_token.mechToken->length;
-		ibuf.value = init_token.mechToken->data;
-
-		major_status = gss_accept_sec_context(minor_status,
-						      context_handle,
-						      acceptor_cred_handle,
-						      &ibuf,
-						      input_chan_bindings,
-						      src_name,
-						      mech_type,
-						      &obuf,
-						      ret_flags,
-						      time_rec,
-						      delegated_cred_handle);
-		if (GSS_ERROR(major_status)) {
-			free_NegTokenInit(&init_token);
-			send_reject(&minor_status2, output_token);
-			return (major_status);
-		}
-		ot = &obuf;
-	}
-	ret = send_accept(&minor_status2, output_token, ot, pref);
-	free_NegTokenInit(&init_token);
-	if (ot != NULL && ot->length != 0U)
-		gss_release_buffer(&minor_status2, ot);
-
-	return (ret);
-}
-
-/* decapsulate.c */
-
-static OM_uint32
-gssapi_verify_mech_header(u_char ** str,
-			  size_t total_len,
-			  const gss_OID mech)
-{
-	size_t len, len_len, mech_len, foo;
-	int e;
-	u_char *p = *str;
-
-	if (total_len < 1U)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	if (*p++ != 0x60)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	e = der_get_length(p, total_len - 1, &len, &len_len);
-	if (e || 1 + len_len + len != total_len)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	p += len_len;
-	if (*p++ != 0x06)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	e = der_get_length(p, total_len - 1 - len_len - 1,
-			   &mech_len, &foo);
-	if (e)
-		return (GSS_S_DEFECTIVE_TOKEN);
-	p += foo;
-	if (mech_len != mech->length)
-		return (GSS_S_BAD_MECH);
-	if (memcmp(p, mech->elements, mech->length) != 0)
-		return (GSS_S_BAD_MECH);
-	p += mech_len;
-	*str = p;
-	return (GSS_S_COMPLETE);
-}
-
-/*
- * Remove the GSS-API wrapping from `in_token' giving `buf and buf_size' Does
- * not copy data, so just free `in_token'.
- */
-
-static OM_uint32
-gssapi_spnego_decapsulate(OM_uint32 *minor_status,
-			  gss_buffer_t input_token_buffer,
-			  unsigned char **buf,
-			  size_t *buf_len,
-			  const gss_OID mech)
-{
-	u_char *p;
-	OM_uint32 ret;
-
-	p = input_token_buffer->value;
-	ret = gssapi_verify_mech_header(&p,
-					input_token_buffer->length,
-					mech);
-	if (ret) {
-		*minor_status = ret;
-		return (GSS_S_FAILURE);
-	}
-	*buf_len = input_token_buffer->length -
-		(p - (u_char *) input_token_buffer->value);
-	*buf = p;
-	return (GSS_S_COMPLETE);
-}
-
-/* der_free.c */
-
-static void
-free_octet_string(octet_string *k)
-{
-	free(k->data);
-	k->data = NULL;
-}
-
-static void
-free_oid(oid *k)
-{
-	free(k->components);
-	k->components = NULL;
-}
-
-/* der_get.c */
-
-/*
- * All decoding functions take a pointer `p' to first position in which to
- * read, from the left, `len' which means the maximum number of characters we
- * are able to read, `ret' were the value will be returned and `size' where
- * the number of used bytes is stored. Either 0 or an error code is returned.
- */
-
-static int
-der_get_unsigned(const unsigned char *p, size_t len,
-		 unsigned *ret, size_t *size)
-{
-	unsigned val = 0;
-	size_t oldlen = len;
-
-	while (len--)
-		val = val * 256 + *p++;
-	*ret = val;
-	if (size)
-		*size = oldlen;
-	return (0);
-}
-
-static int
-der_get_int(const unsigned char *p, size_t len,
-	    int *ret, size_t *size)
-{
-	int val = 0;
-	size_t oldlen = len;
-
-	if (len > 0U) {
-		val = (signed char)*p++;
-		while (--len)
-			val = val * 256 + *p++;
-	}
-	*ret = val;
-	if (size)
-		*size = oldlen;
-	return (0);
-}
-
-static int
-der_get_length(const unsigned char *p, size_t len,
-	       size_t *val, size_t *size)
-{
-	size_t v;
-
-	if (len <= 0U)
-		return (ASN1_OVERRUN);
-	--len;
-	v = *p++;
-	if (v < 128U) {
-		*val = v;
-		if (size)
-			*size = 1;
-	} else {
-		int e;
-		size_t l;
-		unsigned tmp;
-
-		if (v == 0x80U) {
-			*val = ASN1_INDEFINITE;
-			if (size)
-				*size = 1;
-			return (0);
-		}
-		v &= 0x7F;
-		if (len < v)
-			return (ASN1_OVERRUN);
-		e = der_get_unsigned(p, v, &tmp, &l);
-		if (e)
-			return (e);
-		*val = tmp;
-		if (size)
-			*size = l + 1;
-	}
-	return (0);
-}
-
-static int
-der_get_octet_string(const unsigned char *p, size_t len,
-		     octet_string *data, size_t *size)
-{
-	data->length = len;
-	if (len != 0U) {
-		data->data = malloc(len);
-		if (data->data == NULL)
-			return (ENOMEM);
-		memcpy(data->data, p, len);
-	} else
-		data->data = NULL;
-	if (size)
-		*size = len;
-	return (0);
-}
-
-static int
-der_get_oid(const unsigned char *p, size_t len,
-	    oid *data, size_t *size)
-{
-	int n;
-	size_t oldlen = len;
-
-	data->components = NULL;
-	data->length = 0;
-	if (len < 1U)
-		return (ASN1_OVERRUN);
-
-	data->components = malloc(len * sizeof(*data->components));
-	if (data->components == NULL && len != 0U)
-		return (ENOMEM);
-	data->components[0] = (*p) / 40;
-	data->components[1] = (*p) % 40;
-	--len;
-	++p;
-	for (n = 2; len > 0U; ++n) {
-		unsigned u = 0;
-
-		do {
-			--len;
-			u = u * 128 + (*p++ % 128);
-		} while (len > 0U && p[-1] & 0x80);
-		data->components[n] = u;
-	}
-	if (p[-1] & 0x80) {
-		free_oid(data);
-		return (ASN1_OVERRUN);
-	}
-	data->length = n;
-	if (size)
-		*size = oldlen;
-	return (0);
-}
-
-static int
-der_get_tag(const unsigned char *p, size_t len,
-	    Der_class *class, Der_type *type,
-	    int *tag, size_t *size)
-{
-	if (len < 1U)
-		return (ASN1_OVERRUN);
-	*class = (Der_class) (((*p) >> 6) & 0x03);
-	*type = (Der_type) (((*p) >> 5) & 0x01);
-	*tag = (*p) & 0x1F;
-	if (size)
-		*size = 1;
-	return (0);
-}
-
-static int
-der_match_tag(const unsigned char *p, size_t len,
-	      Der_class class, Der_type type,
-	      int tag, size_t *size)
-{
-	size_t l;
-	Der_class thisclass;
-	Der_type thistype;
-	int thistag;
-	int e;
-
-	e = der_get_tag(p, len, &thisclass, &thistype, &thistag, &l);
-	if (e)
-		return (e);
-	if (class != thisclass || type != thistype)
-		return (ASN1_BAD_ID);
-	if (tag > thistag)
-		return (ASN1_MISPLACED_FIELD);
-	if (tag < thistag)
-		return (ASN1_MISSING_FIELD);
-	if (size)
-		*size = l;
-	return (0);
-}
-
-static int
-der_match_tag_and_length(const unsigned char *p, size_t len,
-			 Der_class class, Der_type type, int tag,
-			 size_t *length_ret, size_t *size)
-{
-	size_t l, ret = 0;
-	int e;
-
-	e = der_match_tag(p, len, class, type, tag, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	e = der_get_length(p, len, length_ret, &l);
-	if (e)
-		return (e);
-	/* p += l; */
-	len -= l;
-	POST(len);
-	ret += l;
-	if (size)
-		*size = ret;
-	return (0);
-}
-
-static int
-decode_enumerated(const unsigned char *p, size_t len, void *num, size_t *size)
-{
-	size_t ret = 0;
-	size_t l, reallen;
-	int e;
-
-	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	e = der_get_length(p, len, &reallen, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	e = der_get_int(p, reallen, num, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	if (size)
-		*size = ret;
-	return (0);
-}
-
-static int
-decode_octet_string(const unsigned char *p, size_t len,
-		    octet_string *k, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-	size_t slen;
-
-	k->data = NULL;
-	k->length = 0;
-
-	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-
-	e = der_get_length(p, len, &slen, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	if (len < slen)
-		return (ASN1_OVERRUN);
-
-	e = der_get_octet_string(p, slen, k, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	if (size)
-		*size = ret;
-	return (0);
-}
-
-static int
-decode_oid(const unsigned char *p, size_t len,
-	   oid *k, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-	size_t slen;
-
-	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OID, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-
-	e = der_get_length(p, len, &slen, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	ret += l;
-	if (len < slen)
-		return (ASN1_OVERRUN);
-
-	e = der_get_oid(p, slen, k, &l);
-	if (e)
-		return (e);
-	p += l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	if (size)
-		*size = ret;
-	return (0);
-}
-
-static int
-fix_dce(size_t reallen, size_t *len)
-{
-	if (reallen == ASN1_INDEFINITE)
-		return (1);
-	if (*len < reallen)
-		return (-1);
-	*len = reallen;
-	return (0);
-}
-
-/* der_length.c */
-
-static size_t
-len_unsigned(unsigned val)
-{
-	size_t ret = 0;
-
-	do {
-		++ret;
-		val /= 256;
-	} while (val);
-	return (ret);
-}
-
-static size_t
-length_len(size_t len)
-{
-	if (len < 128U)
-		return (1);
-	else
-		return (len_unsigned(len) + 1);
-}
-
-
-/* der_put.c */
-
-/*
- * All encoding functions take a pointer `p' to first position in which to
- * write, from the right, `len' which means the maximum number of characters
- * we are able to write.  The function returns the number of characters
- * written in `size' (if non-NULL). The return value is 0 or an error.
- */
-
-static int
-der_put_unsigned(unsigned char *p, size_t len, unsigned val, size_t *size)
-{
-	unsigned char *base = p;
-
-	if (val) {
-		while (len > 0U && val) {
-			*p-- = val % 256;
-			val /= 256;
-			--len;
-		}
-		if (val != 0)
-			return (ASN1_OVERFLOW);
-		else {
-			*size = base - p;
-			return (0);
-		}
-	} else if (len < 1U)
-		return (ASN1_OVERFLOW);
-	else {
-		*p = 0;
-		*size = 1;
-		return (0);
-	}
-}
-
-static int
-der_put_int(unsigned char *p, size_t len, int val, size_t *size)
-{
-	unsigned char *base = p;
-
-	if (val >= 0) {
-		do {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = val % 256;
-			len--;
-			val /= 256;
-		} while (val);
-		if (p[1] >= 128) {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = 0;
-			len--;
-		}
-	} else {
-		val = ~val;
-		do {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = ~(val % 256);
-			len--;
-			val /= 256;
-		} while (val);
-		if (p[1] < 128) {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = 0xff;
-			len--;
-		}
-	}
-	*size = base - p;
-	return (0);
-}
-
-static int
-der_put_length(unsigned char *p, size_t len, size_t val, size_t *size)
-{
-	if (len < 1U)
-		return (ASN1_OVERFLOW);
-	if (val < 128U) {
-		*p = val;
-		*size = 1;
-		return (0);
-	} else {
-		size_t l;
-		int e;
-
-		e = der_put_unsigned(p, len - 1, val, &l);
-		if (e)
-			return (e);
-		p -= l;
-		*p = 0x80 | l;
-		*size = l + 1;
-		return (0);
-	}
-}
-
-static int
-der_put_octet_string(unsigned char *p, size_t len,
-		     const octet_string *data, size_t *size)
-{
-	if (len < data->length)
-		return (ASN1_OVERFLOW);
-	p -= data->length;
-	len -= data->length;
-	POST(len);
-	memcpy(p + 1, data->data, data->length);
-	*size = data->length;
-	return (0);
-}
-
-static int
-der_put_oid(unsigned char *p, size_t len,
-	    const oid *data, size_t *size)
-{
-	unsigned char *base = p;
-	int n;
-
-	for (n = data->length - 1; n >= 2; --n) {
-		unsigned	u = data->components[n];
-
-		if (len < 1U)
-			return (ASN1_OVERFLOW);
-		*p-- = u % 128;
-		u /= 128;
-		--len;
-		while (u > 0) {
-			if (len < 1U)
-				return (ASN1_OVERFLOW);
-			*p-- = 128 + u % 128;
-			u /= 128;
-			--len;
-		}
-	}
-	if (len < 1U)
-		return (ASN1_OVERFLOW);
-	*p-- = 40 * data->components[0] + data->components[1];
-	*size = base - p;
-	return (0);
-}
-
-static int
-der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
-	    int tag, size_t *size)
-{
-	if (len < 1U)
-		return (ASN1_OVERFLOW);
-	*p = (class << 6) | (type << 5) | tag;	/* XXX */
-	*size = 1;
-	return (0);
-}
-
-static int
-der_put_length_and_tag(unsigned char *p, size_t len, size_t len_val,
-		       Der_class class, Der_type type, int tag, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = der_put_length(p, len, len_val, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	ret += l;
-	e = der_put_tag(p, len, class, type, tag, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	*size = ret;
-	return (0);
-}
-
-static int
-encode_enumerated(unsigned char *p, size_t len, const void *data, size_t *size)
-{
-	unsigned num = *(const unsigned *)data;
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = der_put_int(p, len, num, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	ret += l;
-	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	*size = ret;
-	return (0);
-}
-
-static int
-encode_octet_string(unsigned char *p, size_t len,
-		    const octet_string *k, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = der_put_octet_string(p, len, k, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	ret += l;
-	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	*size = ret;
-	return (0);
-}
-
-static int
-encode_oid(unsigned char *p, size_t len,
-	   const oid *k, size_t *size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = der_put_oid(p, len, k, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	ret += l;
-	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OID, &l);
-	if (e)
-		return (e);
-	p -= l;
-	len -= l;
-	POST(p); POST(len);
-	ret += l;
-	*size = ret;
-	return (0);
-}
-
-
-/* encapsulate.c */
-
-static void
-gssapi_encap_length(size_t data_len,
-		    size_t *len,
-		    size_t *total_len,
-		    const gss_OID mech)
-{
-	size_t len_len;
-
-	*len = 1 + 1 + mech->length + data_len;
-
-	len_len = length_len(*len);
-
-	*total_len = 1 + len_len + *len;
-}
-
-static u_char *
-gssapi_mech_make_header(u_char *p,
-			size_t len,
-			const gss_OID mech)
-{
-	int e;
-	size_t len_len, foo;
-
-	*p++ = 0x60;
-	len_len = length_len(len);
-	e = der_put_length(p + len_len - 1, len_len, len, &foo);
-	if (e || foo != len_len)
-		return (NULL);
-	p += len_len;
-	*p++ = 0x06;
-	*p++ = mech->length;
-	memcpy(p, mech->elements, mech->length);
-	p += mech->length;
-	return (p);
-}
-
-/*
- * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
- */
-
-static OM_uint32
-gssapi_spnego_encapsulate(OM_uint32 * minor_status,
-			  unsigned char *buf,
-			  size_t buf_size,
-			  gss_buffer_t output_token,
-			  const gss_OID mech)
-{
-	size_t len, outer_len;
-	u_char *p;
-
-	gssapi_encap_length(buf_size, &len, &outer_len, mech);
-
-	output_token->length = outer_len;
-	output_token->value = malloc(outer_len);
-	if (output_token->value == NULL) {
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-	p = gssapi_mech_make_header(output_token->value, len, mech);
-	if (p == NULL) {
-		if (output_token->length != 0U)
-			gss_release_buffer(minor_status, output_token);
-		return (GSS_S_FAILURE);
-	}
-	memcpy(p, buf, buf_size);
-	return (GSS_S_COMPLETE);
-}
-
-/* init_sec_context.c */
-/*
- * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
- * based on Heimdal code)
- */
-
-static int
-add_mech(MechTypeList * mech_list, gss_OID mech)
-{
-	MechType *tmp;
-	int ret;
-
-	tmp = realloc(mech_list->val, (mech_list->len + 1) * sizeof(*tmp));
-	if (tmp == NULL)
-		return (ENOMEM);
-	mech_list->val = tmp;
-
-	ret = der_get_oid(mech->elements, mech->length,
-			  &mech_list->val[mech_list->len], NULL);
-	if (ret)
-		return (ret);
-
-	mech_list->len++;
-	return (0);
-}
-
-/*
- * return the length of the mechanism in token or -1
- * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN
- */
-
-static ssize_t
-gssapi_krb5_get_mech(const u_char *ptr,
-		     size_t total_len,
-		     const u_char **mech_ret)
-{
-	size_t len, len_len, mech_len, foo;
-	const u_char *p = ptr;
-	int e;
-
-	if (total_len < 1U)
-		return (-1);
-	if (*p++ != 0x60)
-		return (-1);
-	e = der_get_length (p, total_len - 1, &len, &len_len);
-	if (e || 1 + len_len + len != total_len)
-		return (-1);
-	p += len_len;
-	if (*p++ != 0x06)
-		return (-1);
-	e = der_get_length (p, total_len - 1 - len_len - 1,
-			    &mech_len, &foo);
-	if (e)
-		return (-1);
-	p += foo;
-	*mech_ret = p;
-	return (mech_len);
-}
-
-static OM_uint32
-spnego_initial(OM_uint32 *minor_status,
-	       const gss_cred_id_t initiator_cred_handle,
-	       gss_ctx_id_t *context_handle,
-	       const gss_name_t target_name,
-	       const gss_OID mech_type,
-	       OM_uint32 req_flags,
-	       OM_uint32 time_req,
-	       const gss_channel_bindings_t input_chan_bindings,
-	       const gss_buffer_t input_token,
-	       gss_OID *actual_mech_type,
-	       gss_buffer_t output_token,
-	       OM_uint32 *ret_flags,
-	       OM_uint32 *time_rec)
-{
-	NegTokenInit token_init;
-	OM_uint32 major_status, minor_status2;
-	gss_buffer_desc	krb5_output_token = GSS_C_EMPTY_BUFFER;
-	unsigned char *buf = NULL;
-	size_t buf_size;
-	size_t len;
-	int ret;
-
-	(void)mech_type;
-
-	memset(&token_init, 0, sizeof(token_init));
-
-	ret = add_mech(&token_init.mechTypes, GSS_KRB5_MECH);
-	if (ret) {
-		*minor_status = ret;
-		ret = GSS_S_FAILURE;
-		goto end;
-	}
-
-	major_status = gss_init_sec_context(minor_status,
-					    initiator_cred_handle,
-					    context_handle,
-					    target_name,
-					    GSS_KRB5_MECH,
-					    req_flags,
-					    time_req,
-					    input_chan_bindings,
-					    input_token,
-					    actual_mech_type,
-					    &krb5_output_token,
-					    ret_flags,
-					    time_rec);
-	if (GSS_ERROR(major_status)) {
-		ret = major_status;
-		goto end;
-	}
-	if (krb5_output_token.length > 0U) {
-		token_init.mechToken = malloc(sizeof(*token_init.mechToken));
-		if (token_init.mechToken == NULL) {
-			*minor_status = ENOMEM;
-			ret = GSS_S_FAILURE;
-			goto end;
-		}
-		token_init.mechToken->data = krb5_output_token.value;
-		token_init.mechToken->length = krb5_output_token.length;
-	}
-	/*
-	 * The MS implementation of SPNEGO seems to not like the mechListMIC
-	 * field, so we omit it (it's optional anyway)
-	 */
-
-	buf_size = 1024;
-	buf = malloc(buf_size);
-	if (buf == NULL) {
-		*minor_status = ENOMEM;
-		ret = GSS_S_FAILURE;
-		goto end;
-	}
-
-	do {
-		ret = encode_NegTokenInit(buf + buf_size - 1,
-					  buf_size,
-					  &token_init, &len);
-		if (ret == 0) {
-			size_t tmp;
-
-			ret = der_put_length_and_tag(buf + buf_size - len - 1,
-						     buf_size - len,
-						     len,
-						     ASN1_C_CONTEXT,
-						     CONS,
-						     0,
-						     &tmp);
-			if (ret == 0)
-				len += tmp;
-		}
-		if (ret) {
-			if (ret == ASN1_OVERFLOW) {
-				u_char *tmp;
-
-				buf_size *= 2;
-				tmp = realloc(buf, buf_size);
-				if (tmp == NULL) {
-					*minor_status = ENOMEM;
-					ret = GSS_S_FAILURE;
-					goto end;
-				}
-				buf = tmp;
-			} else {
-				*minor_status = ret;
-				ret = GSS_S_FAILURE;
-				goto end;
-			}
-		}
-	} while (ret == ASN1_OVERFLOW);
-
-	ret = gssapi_spnego_encapsulate(minor_status,
-					buf + buf_size - len, len,
-					output_token, GSS_SPNEGO_MECH);
-	if (ret == GSS_S_COMPLETE)
-		ret = major_status;
-
-end:
-	if (token_init.mechToken != NULL) {
-		free(token_init.mechToken);
-		token_init.mechToken = NULL;
-	}
-	free_NegTokenInit(&token_init);
-	if (krb5_output_token.length != 0U)
-		gss_release_buffer(&minor_status2, &krb5_output_token);
-	if (buf)
-		free(buf);
-
-	return (ret);
-}
-
-static OM_uint32
-spnego_reply(OM_uint32 *minor_status,
-	     const gss_cred_id_t initiator_cred_handle,
-	     gss_ctx_id_t *context_handle,
-	     const gss_name_t target_name,
-	     const gss_OID mech_type,
-	     OM_uint32 req_flags,
-	     OM_uint32 time_req,
-	     const gss_channel_bindings_t input_chan_bindings,
-	     const gss_buffer_t input_token,
-	     gss_OID *actual_mech_type,
-	     gss_buffer_t output_token,
-	     OM_uint32 *ret_flags,
-	     OM_uint32 *time_rec)
-{
-	OM_uint32 ret;
-	NegTokenResp resp;
-	unsigned char *buf;
-	size_t buf_size;
-	u_char oidbuf[17];
-	size_t oidlen;
-	gss_buffer_desc sub_token;
-	ssize_t mech_len;
-	const u_char *p;
-	size_t len, taglen;
-
-	(void)mech_type;
-
-	output_token->length = 0;
-	output_token->value  = NULL;
-
-	/*
-	 * SPNEGO doesn't include gss wrapping on SubsequentContextToken
-	 * like the Kerberos 5 mech does. But lets check for it anyway.
-	 */
-
-	mech_len = gssapi_krb5_get_mech(input_token->value,
-					input_token->length,
-					&p);
-
-	if (mech_len < 0) {
-		buf = input_token->value;
-		buf_size = input_token->length;
-	} else if ((size_t)mech_len == GSS_KRB5_MECH->length &&
-		   memcmp(GSS_KRB5_MECH->elements, p, mech_len) == 0)
-		return (gss_init_sec_context(minor_status,
-					     initiator_cred_handle,
-					     context_handle,
-					     target_name,
-					     GSS_KRB5_MECH,
-					     req_flags,
-					     time_req,
-					     input_chan_bindings,
-					     input_token,
-					     actual_mech_type,
-					     output_token,
-					     ret_flags,
-					     time_rec));
-	else if ((size_t)mech_len == GSS_SPNEGO_MECH->length &&
-		 memcmp(GSS_SPNEGO_MECH->elements, p, mech_len) == 0) {
-		ret = gssapi_spnego_decapsulate(minor_status,
-						input_token,
-						&buf,
-						&buf_size,
-						GSS_SPNEGO_MECH);
-		if (ret)
-			return (ret);
-	} else
-		return (GSS_S_BAD_MECH);
-
-	ret = der_match_tag_and_length(buf, buf_size,
-				       ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
-	if (ret)
-		return (ret);
-
-	if(len > buf_size - taglen)
-		return (ASN1_OVERRUN);
-
-	ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
-	if (ret) {
-		free_NegTokenResp(&resp);
-		*minor_status = ENOMEM;
-		return (GSS_S_FAILURE);
-	}
-
-	if (resp.negState == NULL ||
-	    *(resp.negState) == reject ||
-	    resp.supportedMech == NULL) {
-		free_NegTokenResp(&resp);
-		return (GSS_S_BAD_MECH);
-	}
-
-	ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1,
-			  sizeof(oidbuf),
-			  resp.supportedMech,
-			  &oidlen);
-	if (ret || oidlen != GSS_KRB5_MECH->length ||
-	    memcmp(oidbuf + sizeof(oidbuf) - oidlen,
-		   GSS_KRB5_MECH->elements,
-		   oidlen) != 0) {
-		free_NegTokenResp(&resp);
-		return GSS_S_BAD_MECH;
-	}
-
-	if (resp.responseToken != NULL) {
-		sub_token.length = resp.responseToken->length;
-		sub_token.value  = resp.responseToken->data;
-	} else {
-		sub_token.length = 0;
-		sub_token.value  = NULL;
-	}
-
-	ret = gss_init_sec_context(minor_status,
-				   initiator_cred_handle,
-				   context_handle,
-				   target_name,
-				   GSS_KRB5_MECH,
-				   req_flags,
-				   time_req,
-				   input_chan_bindings,
-				   &sub_token,
-				   actual_mech_type,
-				   output_token,
-				   ret_flags,
-				   time_rec);
-	if (ret) {
-		free_NegTokenResp(&resp);
-		return (ret);
-	}
-
-	/*
-	 * XXXSRA I don't think this limited implementation ever needs
-	 * to check the MIC -- our preferred mechanism (Kerberos)
-	 * authenticates its own messages and is the only mechanism
-	 * we'll accept, so if the mechanism negotiation completes
-	 * successfully, we don't need the MIC.  See RFC 4178.
-	 */
-
-	free_NegTokenResp(&resp);
-	return (ret);
-}
-
-
-
-OM_uint32
-gss_init_sec_context_spnego(OM_uint32 *minor_status,
-			    const gss_cred_id_t initiator_cred_handle,
-			    gss_ctx_id_t *context_handle,
-			    const gss_name_t target_name,
-			    const gss_OID mech_type,
-			    OM_uint32 req_flags,
-			    OM_uint32 time_req,
-			    const gss_channel_bindings_t input_chan_bindings,
-			    const gss_buffer_t input_token,
-			    gss_OID *actual_mech_type,
-			    gss_buffer_t output_token,
-			    OM_uint32 *ret_flags,
-			    OM_uint32 *time_rec)
-{
-	/* Dirty trick to suppress compiler warnings */
-
-	/* Figure out whether we're starting over or processing a reply */
-
-	if (input_token == GSS_C_NO_BUFFER || input_token->length == 0U)
-		return (spnego_initial(minor_status,
-				       initiator_cred_handle,
-				       context_handle,
-				       target_name,
-				       mech_type,
-				       req_flags,
-				       time_req,
-				       input_chan_bindings,
-				       input_token,
-				       actual_mech_type,
-				       output_token,
-				       ret_flags,
-				       time_rec));
-	else
-		return (spnego_reply(minor_status,
-				     initiator_cred_handle,
-				     context_handle,
-				     target_name,
-				     mech_type,
-				     req_flags,
-				     time_req,
-				     input_chan_bindings,
-				     input_token,
-				     actual_mech_type,
-				     output_token,
-				     ret_flags,
-				     time_rec));
-}
-
-#endif /* GSSAPI */
diff --git a/contrib/bind9/lib/dns/spnego.h b/contrib/bind9/lib/dns/spnego.h
deleted file mode 100644
index c44614b..0000000
--- a/contrib/bind9/lib/dns/spnego.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: spnego.h,v 1.4 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file
- * \brief
- * Entry points into portable SPNEGO implementation.
- * See spnego.c for information on the SPNEGO implementation itself.
- */
-
-#ifndef _SPNEGO_H_
-#define _SPNEGO_H_
-
-/*%
- * Wrapper for GSSAPI gss_init_sec_context(), using portable SPNEGO
- * implementation instead of the one that's part of the GSSAPI
- * library.  Takes arguments identical to the standard GSSAPI
- * function, uses standard gss_init_sec_context() to handle
- * everything inside the SPNEGO wrapper.
- */
-OM_uint32
-gss_init_sec_context_spnego(OM_uint32 *,
-			    const gss_cred_id_t,
-			    gss_ctx_id_t *,
-			    const gss_name_t,
-			    const gss_OID,
-			    OM_uint32,
-			    OM_uint32,
-			    const gss_channel_bindings_t,
-			    const gss_buffer_t,
-			    gss_OID *,
-			    gss_buffer_t,
-			    OM_uint32 *,
-			    OM_uint32 *);
-
-/*%
- * Wrapper for GSSAPI gss_accept_sec_context(), using portable SPNEGO
- * implementation instead of the one that's part of the GSSAPI
- * library.  Takes arguments identical to the standard GSSAPI
- * function.  Checks the OID of the input token to see if it's SPNEGO;
- * if so, processes it, otherwise hands the call off to the standard
- * gss_accept_sec_context() function.
- */
-OM_uint32 gss_accept_sec_context_spnego(OM_uint32 *,
-					gss_ctx_id_t *,
-					const gss_cred_id_t,
-					const gss_buffer_t,
-					const gss_channel_bindings_t,
-					gss_name_t *,
-					gss_OID *,
-					gss_buffer_t,
-					OM_uint32 *,
-					OM_uint32 *,
-					gss_cred_id_t *);
-
-
-#endif
diff --git a/contrib/bind9/lib/dns/spnego_asn1.c b/contrib/bind9/lib/dns/spnego_asn1.c
deleted file mode 100644
index b506054..0000000
--- a/contrib/bind9/lib/dns/spnego_asn1.c
+++ /dev/null
@@ -1,867 +0,0 @@
-/*
- * Copyright (C) 2006, 2007, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: spnego_asn1.c,v 1.4 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file
- * \brief Method routines generated from SPNEGO ASN.1 module.
- * See spnego_asn1.pl for details.  Do not edit.
- */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-#ifndef __asn1_h__
-#define __asn1_h__
-
-
-#ifndef __asn1_common_definitions__
-#define __asn1_common_definitions__
-
-typedef struct octet_string {
-	size_t length;
-	void *data;
-} octet_string;
-
-typedef char *general_string;
-
-typedef char *utf8_string;
-
-typedef struct oid {
-	size_t length;
-	unsigned *components;
-} oid;
-
-#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R)                  \
-  do {                                                         \
-    (BL) = length_##T((S));                                    \
-    (B) = malloc((BL));                                        \
-    if((B) == NULL) {                                          \
-      (R) = ENOMEM;                                            \
-    } else {                                                   \
-      (R) = encode_##T(((unsigned char*)(B)) + (BL) - 1, (BL), \
-		       (S), (L));                              \
-      if((R) != 0) {                                           \
-	free((B));                                             \
-	(B) = NULL;                                            \
-      }                                                        \
-    }                                                          \
-  } while (0)
-
-#endif
-
-/*
- * MechType ::= OBJECT IDENTIFIER
- */
-
-typedef oid MechType;
-
-static int encode_MechType(unsigned char *, size_t, const MechType *, size_t *);
-static int decode_MechType(const unsigned char *, size_t, MechType *, size_t *);
-static void free_MechType(MechType *);
-/* unused declaration: length_MechType */
-/* unused declaration: copy_MechType */
-
-
-/*
- * MechTypeList ::= SEQUENCE OF MechType
- */
-
-typedef struct MechTypeList {
-	unsigned int len;
-	MechType *val;
-} MechTypeList;
-
-static int encode_MechTypeList(unsigned char *, size_t, const MechTypeList *, size_t *);
-static int decode_MechTypeList(const unsigned char *, size_t, MechTypeList *, size_t *);
-static void free_MechTypeList(MechTypeList *);
-/* unused declaration: length_MechTypeList */
-/* unused declaration: copy_MechTypeList */
-
-
-/*
- * ContextFlags ::= BIT STRING { delegFlag(0), mutualFlag(1), replayFlag(2),
- * sequenceFlag(3), anonFlag(4), confFlag(5), integFlag(6) }
- */
-
-typedef struct ContextFlags {
-	unsigned int delegFlag:1;
-	unsigned int mutualFlag:1;
-	unsigned int replayFlag:1;
-	unsigned int sequenceFlag:1;
-	unsigned int anonFlag:1;
-	unsigned int confFlag:1;
-	unsigned int integFlag:1;
-} ContextFlags;
-
-
-static int encode_ContextFlags(unsigned char *, size_t, const ContextFlags *, size_t *);
-static int decode_ContextFlags(const unsigned char *, size_t, ContextFlags *, size_t *);
-static void free_ContextFlags(ContextFlags *);
-/* unused declaration: length_ContextFlags */
-/* unused declaration: copy_ContextFlags */
-/* unused declaration: ContextFlags2int */
-/* unused declaration: int2ContextFlags */
-/* unused declaration: asn1_ContextFlags_units */
-
-/*
- * NegTokenInit ::= SEQUENCE { mechTypes[0]    MechTypeList, reqFlags[1]
- * ContextFlags OPTIONAL, mechToken[2]    OCTET STRING OPTIONAL,
- * mechListMIC[3]  OCTET STRING OPTIONAL }
- */
-
-typedef struct NegTokenInit {
-	MechTypeList mechTypes;
-	ContextFlags *reqFlags;
-	octet_string *mechToken;
-	octet_string *mechListMIC;
-} NegTokenInit;
-
-static int encode_NegTokenInit(unsigned char *, size_t, const NegTokenInit *, size_t *);
-static int decode_NegTokenInit(const unsigned char *, size_t, NegTokenInit *, size_t *);
-static void free_NegTokenInit(NegTokenInit *);
-/* unused declaration: length_NegTokenInit */
-/* unused declaration: copy_NegTokenInit */
-
-
-/*
- * NegTokenResp ::= SEQUENCE { negState[0]       ENUMERATED {
- * accept-completed(0), accept-incomplete(1), reject(2), request-mic(3) }
- * OPTIONAL, supportedMech[1]  MechType OPTIONAL, responseToken[2]  OCTET
- * STRING OPTIONAL, mechListMIC[3]    OCTET STRING OPTIONAL }
- */
-
-typedef struct NegTokenResp {
-	enum {
-		accept_completed = 0,
-		accept_incomplete = 1,
-		reject = 2,
-		request_mic = 3
-	} *negState;
-
-	MechType *supportedMech;
-	octet_string *responseToken;
-	octet_string *mechListMIC;
-} NegTokenResp;
-
-static int encode_NegTokenResp(unsigned char *, size_t, const NegTokenResp *, size_t *);
-static int decode_NegTokenResp(const unsigned char *, size_t, NegTokenResp *, size_t *);
-static void free_NegTokenResp(NegTokenResp *);
-/* unused declaration: length_NegTokenResp */
-/* unused declaration: copy_NegTokenResp */
-
-
-
-
-#endif				/* __asn1_h__ */
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-#define BACK if (e) return e; p -= l; len -= l; ret += l; POST(p); POST(len); POST(ret)
-
-static int
-encode_MechType(unsigned char *p, size_t len, const MechType * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	e = encode_oid(p, len, data, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-#define FORW if(e) goto fail; p += l; len -= l; ret += l; POST(p); POST(len); POST(ret)
-
-static int
-decode_MechType(const unsigned char *p, size_t len, MechType * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	e = decode_oid(p, len, data, &l);
-	FORW;
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_MechType(data);
-	return e;
-}
-
-static void
-free_MechType(MechType * data)
-{
-	free_oid(data);
-}
-
-/* unused function: length_MechType */
-
-
-/* unused function: copy_MechType */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-static int
-encode_MechTypeList(unsigned char *p, size_t len, const MechTypeList * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int i, e;
-
-	for (i = (data)->len - 1; i >= 0; --i) {
-		int oldret = ret;
-		ret = 0;
-		e = encode_MechType(p, len, &(data)->val[i], &l);
-		BACK;
-		ret += oldret;
-	}
-	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-static int
-decode_MechTypeList(const unsigned char *p, size_t len, MechTypeList * data, size_t * size)
-{
-	size_t ret = 0, reallen;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	reallen = 0;
-	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
-	FORW;
-	if (len < reallen)
-		return ASN1_OVERRUN;
-	len = reallen;
-	{
-		size_t origlen = len;
-		int oldret = ret;
-		ret = 0;
-		(data)->len = 0;
-		(data)->val = NULL;
-		while (ret < origlen) {
-			void *old = (data)->val;
-			(data)->len++;
-			(data)->val = realloc((data)->val, sizeof(*((data)->val)) * (data)->len);
-			if ((data)->val == NULL) {
-				(data)->val = old;
-				(data)->len--;
-				return ENOMEM;
-			}
-			e = decode_MechType(p, len, &(data)->val[(data)->len - 1], &l);
-			FORW;
-			len = origlen - ret;
-		}
-		ret += oldret;
-	}
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_MechTypeList(data);
-	return e;
-}
-
-static void
-free_MechTypeList(MechTypeList * data)
-{
-	while ((data)->len) {
-		free_MechType(&(data)->val[(data)->len - 1]);
-		(data)->len--;
-	}
-	free((data)->val);
-	(data)->val = NULL;
-}
-
-/* unused function: length_MechTypeList */
-
-
-/* unused function: copy_MechTypeList */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-static int
-encode_ContextFlags(unsigned char *p, size_t len, const ContextFlags * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	{
-		unsigned char c = 0;
-		*p-- = c;
-		len--;
-		ret++;
-		c = 0;
-		*p-- = c;
-		len--;
-		ret++;
-		c = 0;
-		*p-- = c;
-		len--;
-		ret++;
-		c = 0;
-		if (data->integFlag)
-			c |= 1 << 1;
-		if (data->confFlag)
-			c |= 1 << 2;
-		if (data->anonFlag)
-			c |= 1 << 3;
-		if (data->sequenceFlag)
-			c |= 1 << 4;
-		if (data->replayFlag)
-			c |= 1 << 5;
-		if (data->mutualFlag)
-			c |= 1 << 6;
-		if (data->delegFlag)
-			c |= 1 << 7;
-		*p-- = c;
-		*p-- = 0;
-		len -= 2;
-		ret += 2;
-	}
-
-	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, PRIM, UT_BitString, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-static int
-decode_ContextFlags(const unsigned char *p, size_t len, ContextFlags * data, size_t * size)
-{
-	size_t ret = 0, reallen;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	reallen = 0;
-	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, PRIM, UT_BitString, &reallen, &l);
-	FORW;
-	if (len < reallen)
-		return ASN1_OVERRUN;
-	p++;
-	len--;
-	reallen--;
-	ret++;
-	data->delegFlag = (*p >> 7) & 1;
-	data->mutualFlag = (*p >> 6) & 1;
-	data->replayFlag = (*p >> 5) & 1;
-	data->sequenceFlag = (*p >> 4) & 1;
-	data->anonFlag = (*p >> 3) & 1;
-	data->confFlag = (*p >> 2) & 1;
-	data->integFlag = (*p >> 1) & 1;
-	ret += reallen;
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_ContextFlags(data);
-	return e;
-}
-
-static void
-free_ContextFlags(ContextFlags * data)
-{
-	(void)data;
-}
-
-/* unused function: length_ContextFlags */
-
-
-/* unused function: copy_ContextFlags */
-
-
-/* unused function: ContextFlags2int */
-
-
-/* unused function: int2ContextFlags */
-
-
-/* unused variable: ContextFlags_units */
-
-/* unused function: asn1_ContextFlags_units */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-static int
-encode_NegTokenInit(unsigned char *p, size_t len, const NegTokenInit * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	if ((data)->mechListMIC) {
-		int oldret = ret;
-		ret = 0;
-		e = encode_octet_string(p, len, (data)->mechListMIC, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->mechToken) {
-		int oldret = ret;
-		ret = 0;
-		e = encode_octet_string(p, len, (data)->mechToken, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->reqFlags) {
-		int oldret = ret;
-		ret = 0;
-		e = encode_ContextFlags(p, len, (data)->reqFlags, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
-		BACK;
-		ret += oldret;
-	} {
-		int oldret = ret;
-		ret = 0;
-		e = encode_MechTypeList(p, len, &(data)->mechTypes, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
-		BACK;
-		ret += oldret;
-	}
-	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-static int
-decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, size_t * size)
-{
-	size_t ret = 0, reallen;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	reallen = 0;
-	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
-	FORW;
-	{
-		int dce_fix;
-		if ((dce_fix = fix_dce(reallen, &len)) < 0)
-			return ASN1_BAD_FORMAT;
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
-			if (e)
-				return e;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int dce_fix;
-					oldlen = len;
-					if ((dce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					e = decode_MechTypeList(p, len, &(data)->mechTypes, &l);
-					FORW;
-					if (dce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
-			if (e)
-				(data)->reqFlags = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int dce_fix;
-					oldlen = len;
-					if ((dce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->reqFlags = malloc(sizeof(*(data)->reqFlags));
-					if ((data)->reqFlags == NULL)
-						return ENOMEM;
-					e = decode_ContextFlags(p, len, (data)->reqFlags, &l);
-					FORW;
-					if (dce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
-			if (e)
-				(data)->mechToken = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int dce_fix;
-					oldlen = len;
-					if ((dce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->mechToken = malloc(sizeof(*(data)->mechToken));
-					if ((data)->mechToken == NULL)
-						return ENOMEM;
-					e = decode_octet_string(p, len, (data)->mechToken, &l);
-					FORW;
-					if (dce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
-			if (e)
-				(data)->mechListMIC = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int dce_fix;
-					oldlen = len;
-					if ((dce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
-					if ((data)->mechListMIC == NULL)
-						return ENOMEM;
-					e = decode_octet_string(p, len, (data)->mechListMIC, &l);
-					FORW;
-					if (dce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		if (dce_fix) {
-			e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-			FORW;
-		}
-	}
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_NegTokenInit(data);
-	return e;
-}
-
-static void
-free_NegTokenInit(NegTokenInit * data)
-{
-	free_MechTypeList(&(data)->mechTypes);
-	if ((data)->reqFlags) {
-		free_ContextFlags((data)->reqFlags);
-		free((data)->reqFlags);
-		(data)->reqFlags = NULL;
-	}
-	if ((data)->mechToken) {
-		free_octet_string((data)->mechToken);
-		free((data)->mechToken);
-		(data)->mechToken = NULL;
-	}
-	if ((data)->mechListMIC) {
-		free_octet_string((data)->mechListMIC);
-		free((data)->mechListMIC);
-		(data)->mechListMIC = NULL;
-	}
-}
-
-/* unused function: length_NegTokenInit */
-
-
-/* unused function: copy_NegTokenInit */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-static int
-encode_NegTokenResp(unsigned char *p, size_t len, const NegTokenResp * data, size_t * size)
-{
-	size_t ret = 0;
-	size_t l;
-	int e;
-
-	if ((data)->mechListMIC) {
-		int oldret = ret;
-		ret = 0;
-		e = encode_octet_string(p, len, (data)->mechListMIC, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->responseToken) {
-		int oldret = ret;
-		ret = 0;
-		e = encode_octet_string(p, len, (data)->responseToken, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->supportedMech) {
-		int oldret = ret;
-		ret = 0;
-		e = encode_MechType(p, len, (data)->supportedMech, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
-		BACK;
-		ret += oldret;
-	}
-	if ((data)->negState) {
-		int oldret = ret;
-		ret = 0;
-		e = encode_enumerated(p, len, (data)->negState, &l);
-		BACK;
-		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
-		BACK;
-		ret += oldret;
-	}
-	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
-	BACK;
-	*size = ret;
-	return 0;
-}
-
-static int
-decode_NegTokenResp(const unsigned char *p, size_t len, NegTokenResp * data, size_t * size)
-{
-	size_t ret = 0, reallen;
-	size_t l;
-	int e;
-
-	memset(data, 0, sizeof(*data));
-	reallen = 0;
-	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
-	FORW;
-	{
-		int dce_fix;
-		if ((dce_fix = fix_dce(reallen, &len)) < 0)
-			return ASN1_BAD_FORMAT;
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
-			if (e)
-				(data)->negState = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int dce_fix;
-					oldlen = len;
-					if ((dce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->negState = malloc(sizeof(*(data)->negState));
-					if ((data)->negState == NULL)
-						return ENOMEM;
-					e = decode_enumerated(p, len, (data)->negState, &l);
-					FORW;
-					if (dce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
-			if (e)
-				(data)->supportedMech = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int dce_fix;
-					oldlen = len;
-					if ((dce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->supportedMech = malloc(sizeof(*(data)->supportedMech));
-					if ((data)->supportedMech == NULL)
-						return ENOMEM;
-					e = decode_MechType(p, len, (data)->supportedMech, &l);
-					FORW;
-					if (dce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
-			if (e)
-				(data)->responseToken = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int dce_fix;
-					oldlen = len;
-					if ((dce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->responseToken = malloc(sizeof(*(data)->responseToken));
-					if ((data)->responseToken == NULL)
-						return ENOMEM;
-					e = decode_octet_string(p, len, (data)->responseToken, &l);
-					FORW;
-					if (dce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		{
-			size_t newlen, oldlen;
-
-			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
-			if (e)
-				(data)->mechListMIC = NULL;
-			else {
-				p += l;
-				len -= l;
-				ret += l;
-				e = der_get_length(p, len, &newlen, &l);
-				FORW;
-				{
-					int dce_fix;
-					oldlen = len;
-					if ((dce_fix = fix_dce(newlen, &len)) < 0)
-						return ASN1_BAD_FORMAT;
-					(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
-					if ((data)->mechListMIC == NULL)
-						return ENOMEM;
-					e = decode_octet_string(p, len, (data)->mechListMIC, &l);
-					FORW;
-					if (dce_fix) {
-						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-						FORW;
-					} else
-						len = oldlen - newlen;
-				}
-			}
-		}
-		if (dce_fix) {
-			e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
-			FORW;
-		}
-	}
-	if (size)
-		*size = ret;
-	return 0;
-fail:
-	free_NegTokenResp(data);
-	return e;
-}
-
-static void
-free_NegTokenResp(NegTokenResp * data)
-{
-	if ((data)->negState) {
-		free((data)->negState);
-		(data)->negState = NULL;
-	}
-	if ((data)->supportedMech) {
-		free_MechType((data)->supportedMech);
-		free((data)->supportedMech);
-		(data)->supportedMech = NULL;
-	}
-	if ((data)->responseToken) {
-		free_octet_string((data)->responseToken);
-		free((data)->responseToken);
-		(data)->responseToken = NULL;
-	}
-	if ((data)->mechListMIC) {
-		free_octet_string((data)->mechListMIC);
-		free((data)->mechListMIC);
-		(data)->mechListMIC = NULL;
-	}
-}
-
-/* unused function: length_NegTokenResp */
-
-
-/* unused function: copy_NegTokenResp */
-
-/* Generated from spnego.asn1 */
-/* Do not edit */
-
-
-/* CHOICE */
-/* unused variable: asn1_NegotiationToken_dummy_holder */
diff --git a/contrib/bind9/lib/dns/spnego_asn1.pl b/contrib/bind9/lib/dns/spnego_asn1.pl
deleted file mode 100755
index 0aaa57f..0000000
--- a/contrib/bind9/lib/dns/spnego_asn1.pl
+++ /dev/null
@@ -1,200 +0,0 @@
-#!/bin/bin/perl -w
-#
-# Copyright (C) 2006, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: spnego_asn1.pl,v 1.4 2007/06/19 23:47:16 tbox Exp $
-
-# Our SPNEGO implementation uses some functions generated by the
-# Heimdal ASN.1 compiler, which this script then whacks a bit to make
-# them work properly in this stripped down implementation.  We don't
-# want to require our users to have a copy of the compiler, so we ship
-# the output of this script, but we need to keep the script around in
-# any case to cope with future changes to the SPNEGO ASN.1 code, so we
-# might as well supply the script for users who want it.
-
-# Overall plan: run the ASN.1 compiler, run each of its output files
-# through indent, fix up symbols and whack everything to be static.
-# We use indent for two reasons: (1) to whack the Heimdal compiler's
-# output into something closer to ISC's coding standard, and (2) to
-# make it easier for this script to parse the result.
-
-# Output from this script is C code which we expect to be #included
-# into another C file, which is why everything generated by this
-# script is marked "static".  The intent is to minimize the number of
-# extern symbols exported by the SPNEGO implementation, to avoid
-# potential conflicts with the GSSAPI libraries.
-
-###
-
-# Filename of the ASN.1 specification.  Hardcoded for the moment
-# since this script is intended for compiling exactly one module.
-
-my $asn1_source = $ENV{ASN1_SOURCE} || "spnego.asn1";
-
-# Heimdal ASN.1 compiler.  This script was written using the version
-# from Heimdal 0.7.1.  To build this, download a copy of
-# heimdal-0.7.1.tar.gz, configure and build with the default options,
-# then look for the compiler in heimdal-0.7.1/lib/asn1/asn1_compile.
-
-my $asn1_compile = $ENV{ASN1_COMPILE} || "asn1_compile";
-
-# BSD indent program.  This script was written using the version of
-# indent that comes with FreeBSD 4.11-STABLE.  The GNU project, as
-# usual, couldn't resist the temptation to monkey with indent's
-# command line syntax, so this probably won't work with GNU indent.
-
-my $indent = $ENV{INDENT} || "indent";
-
-###
-
-# Step 1: run the compiler.  Input is the ASN.1 file.  Outputs are a
-# header file (name specified on command line without the .h suffix),
-# a file called "asn1_files" listing the names of the other output
-# files, and a set of files containing C code generated by the
-# compiler for each data type that the compiler found.
-
-if (! -r $asn1_source || system($asn1_compile, $asn1_source, "asn1")) {
-    die("Couldn't compile ASN.1 source file $asn1_source\n");
-}
-
-my @files = ("asn1.h");
-
-open(F, "asn1_files")
-    or die("Couldn't open asn1_files: $!\n");
-push(@files, split)
-    while (<F>);
-close(F);
-
-unlink("asn1_files");
-
-###
-
-# Step 2: generate header block.
-
-print(q~/*
- * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: spnego_asn1.pl,v 1.4 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file
- * \brief Method routines generated from SPNEGO ASN.1 module.
- * See spnego_asn1.pl for details.  Do not edit.
- */
-
-~);
-
-###
-
-# Step 3: read and process each generated file, then delete it.
-
-my $output;
-
-for my $file (@files) {
-
-    my $is_static = 0;
-
-    system($indent, "-di1", "-ldi1", $file) == 0
-	or die("Couldn't indent $file");
-
-    unlink("$file.BAK");
-
-    open(F, $file)
-	or die("Couldn't open $file: $!");
-
-    while (<F>) {
-
-	# Symbol name fixups
-
-	s/heim_general_string/general_string/g;
-	s/heim_octet_string/octet_string/g;
-	s/heim_oid/oid/g;
-	s/heim_utf8_string/utf8_string/g;
-
-	# Convert all externs to statics
-
-	if (/^static/) {
-	    $is_static = 1;
-	}
-
-	if (!/^typedef/ &&
-	    !$is_static &&
-	    /^[A-Za-z_][0-9A-Za-z_]*[ \t]*($|[^:0-9A-Za-z_])/) {
-	    $_ = "static " . $_;
-	    $is_static = 1;
-	}
-
-	if (/[{};]/) {
-	    $is_static = 0;
-	}
-
-	# Suppress file inclusion, pass anything else through
-
-	if (!/#include/) {
-	    $output .= $_;
-	}
-    }
-
-    close(F);
-    unlink($file);
-}
-
-# Step 4: Delete unused stuff to avoid code bloat and compiler warnings.
-
-my @unused_functions = qw(ContextFlags2int
-			  int2ContextFlags
-			  asn1_ContextFlags_units
-			  length_NegTokenInit
-			  copy_NegTokenInit
-			  length_NegTokenResp
-			  copy_NegTokenResp
-			  length_MechTypeList
-			  length_MechType
-			  copy_MechTypeList
-			  length_ContextFlags
-			  copy_ContextFlags
-			  copy_MechType);
-
-$output =~ s<^static [^\n]+\n$_\(.+?^}></* unused function: $_ */\n>ms
-    foreach (@unused_functions);
-
-$output =~ s<^static .+$_\(.*\);$></* unused declaration: $_ */>m
-    foreach (@unused_functions);
-
-$output =~ s<^static struct units ContextFlags_units\[\].+?^};>
-            </* unused variable: ContextFlags_units */>ms;
-
-$output =~ s<^static int asn1_NegotiationToken_dummy_holder = 1;>
-            </* unused variable: asn1_NegotiationToken_dummy_holder */>ms;
-
-$output =~ s<^static void\nfree_ContextFlags\(ContextFlags \* data\)\n{\n>
-            <$&\t(void)data;\n>ms;
-
-# Step 5: Write the result.
-
-print($output);
-
diff --git a/contrib/bind9/lib/dns/ssu.c b/contrib/bind9/lib/dns/ssu.c
deleted file mode 100644
index 49a777a..0000000
--- a/contrib/bind9/lib/dns/ssu.c
+++ /dev/null
@@ -1,613 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2010, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*! \file */
-/*
- * $Id: ssu.c,v 1.38 2011/01/06 23:47:00 tbox Exp $
- * Principal Author: Brian Wellington
- */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/dlz.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/ssu.h>
-
-#include <dst/gssapi.h>
-#include <dst/dst.h>
-
-#define SSUTABLEMAGIC		ISC_MAGIC('S', 'S', 'U', 'T')
-#define VALID_SSUTABLE(table)	ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
-
-#define SSURULEMAGIC		ISC_MAGIC('S', 'S', 'U', 'R')
-#define VALID_SSURULE(table)	ISC_MAGIC_VALID(table, SSURULEMAGIC)
-
-struct dns_ssurule {
-	unsigned int magic;
-	isc_boolean_t grant;	/*%< is this a grant or a deny? */
-	unsigned int matchtype;	/*%< which type of pattern match? */
-	dns_name_t *identity;	/*%< the identity to match */
-	dns_name_t *name;	/*%< the name being updated */
-	unsigned int ntypes;	/*%< number of data types covered */
-	dns_rdatatype_t *types;	/*%< the data types.  Can include ANY, */
-				/*%< defaults to all but SIG,SOA,NS if NULL */
-	ISC_LINK(dns_ssurule_t) link;
-};
-
-struct dns_ssutable {
-	unsigned int magic;
-	isc_mem_t *mctx;
-	unsigned int references;
-	isc_mutex_t lock;
-	dns_dlzdb_t *dlzdatabase;
-	ISC_LIST(dns_ssurule_t) rules;
-};
-
-isc_result_t
-dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
-	isc_result_t result;
-	dns_ssutable_t *table;
-
-	REQUIRE(tablep != NULL && *tablep == NULL);
-	REQUIRE(mctx != NULL);
-
-	table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
-	if (table == NULL)
-		return (ISC_R_NOMEMORY);
-	result = isc_mutex_init(&table->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
-		return (result);
-	}
-	table->references = 1;
-	table->mctx = NULL;
-	isc_mem_attach(mctx, &table->mctx);
-	ISC_LIST_INIT(table->rules);
-	table->magic = SSUTABLEMAGIC;
-	*tablep = table;
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-destroy(dns_ssutable_t *table) {
-	isc_mem_t *mctx;
-
-	REQUIRE(VALID_SSUTABLE(table));
-
-	mctx = table->mctx;
-	while (!ISC_LIST_EMPTY(table->rules)) {
-		dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
-		if (rule->identity != NULL) {
-			dns_name_free(rule->identity, mctx);
-			isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
-		}
-		if (rule->name != NULL) {
-			dns_name_free(rule->name, mctx);
-			isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
-		}
-		if (rule->types != NULL)
-			isc_mem_put(mctx, rule->types,
-				    rule->ntypes * sizeof(dns_rdatatype_t));
-		ISC_LIST_UNLINK(table->rules, rule, link);
-		rule->magic = 0;
-		isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
-	}
-	DESTROYLOCK(&table->lock);
-	table->magic = 0;
-	isc_mem_putanddetach(&table->mctx, table, sizeof(dns_ssutable_t));
-}
-
-void
-dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
-	REQUIRE(VALID_SSUTABLE(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	LOCK(&source->lock);
-
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references != 0);
-
-	UNLOCK(&source->lock);
-
-	*targetp = source;
-}
-
-void
-dns_ssutable_detach(dns_ssutable_t **tablep) {
-	dns_ssutable_t *table;
-	isc_boolean_t done = ISC_FALSE;
-
-	REQUIRE(tablep != NULL);
-	table = *tablep;
-	REQUIRE(VALID_SSUTABLE(table));
-
-	LOCK(&table->lock);
-
-	INSIST(table->references > 0);
-	if (--table->references == 0)
-		done = ISC_TRUE;
-	UNLOCK(&table->lock);
-
-	*tablep = NULL;
-
-	if (done)
-		destroy(table);
-}
-
-isc_result_t
-dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
-		     dns_name_t *identity, unsigned int matchtype,
-		     dns_name_t *name, unsigned int ntypes,
-		     dns_rdatatype_t *types)
-{
-	dns_ssurule_t *rule;
-	isc_mem_t *mctx;
-	isc_result_t result;
-
-	REQUIRE(VALID_SSUTABLE(table));
-	REQUIRE(dns_name_isabsolute(identity));
-	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX);
-	if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
-		REQUIRE(dns_name_iswildcard(name));
-	if (ntypes > 0)
-		REQUIRE(types != NULL);
-
-	mctx = table->mctx;
-	rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
-	if (rule == NULL)
-		return (ISC_R_NOMEMORY);
-
-	rule->identity = NULL;
-	rule->name = NULL;
-	rule->types = NULL;
-
-	rule->grant = grant;
-
-	rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
-	if (rule->identity == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto failure;
-	}
-	dns_name_init(rule->identity, NULL);
-	result = dns_name_dup(identity, mctx, rule->identity);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
-	if (rule->name == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto failure;
-	}
-	dns_name_init(rule->name, NULL);
-	result = dns_name_dup(name, mctx, rule->name);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	rule->matchtype = matchtype;
-
-	rule->ntypes = ntypes;
-	if (ntypes > 0) {
-		rule->types = isc_mem_get(mctx,
-					  ntypes * sizeof(dns_rdatatype_t));
-		if (rule->types == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto failure;
-		}
-		memcpy(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
-	} else
-		rule->types = NULL;
-
-	rule->magic = SSURULEMAGIC;
-	ISC_LIST_INITANDAPPEND(table->rules, rule, link);
-
-	return (ISC_R_SUCCESS);
-
- failure:
-	if (rule->identity != NULL) {
-		if (dns_name_dynamic(rule->identity))
-			dns_name_free(rule->identity, mctx);
-		isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
-	}
-	if (rule->name != NULL) {
-		if (dns_name_dynamic(rule->name))
-			dns_name_free(rule->name, mctx);
-		isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
-	}
-	if (rule->types != NULL)
-		isc_mem_put(mctx, rule->types,
-			    ntypes * sizeof(dns_rdatatype_t));
-	isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
-
-	return (result);
-}
-
-static inline isc_boolean_t
-isusertype(dns_rdatatype_t type) {
-	return (ISC_TF(type != dns_rdatatype_ns &&
-		       type != dns_rdatatype_soa &&
-		       type != dns_rdatatype_rrsig));
-}
-
-static void
-reverse_from_address(dns_name_t *tcpself, isc_netaddr_t *tcpaddr) {
-	char buf[16 * 4 + sizeof("IP6.ARPA.")];
-	isc_result_t result;
-	unsigned char *ap;
-	isc_buffer_t b;
-	unsigned long l;
-
-	switch (tcpaddr->family) {
-	case AF_INET:
-		l = ntohl(tcpaddr->type.in.s_addr);
-		result = isc_string_printf(buf, sizeof(buf),
-					   "%lu.%lu.%lu.%lu.IN-ADDR.ARPA.",
-					   (l >> 0) & 0xff, (l >> 8) & 0xff,
-					   (l >> 16) & 0xff, (l >> 24) & 0xff);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		break;
-	case AF_INET6:
-		ap = tcpaddr->type.in6.s6_addr;
-		result = isc_string_printf(buf, sizeof(buf),
-					   "%x.%x.%x.%x.%x.%x.%x.%x."
-					   "%x.%x.%x.%x.%x.%x.%x.%x."
-					   "%x.%x.%x.%x.%x.%x.%x.%x."
-					   "%x.%x.%x.%x.%x.%x.%x.%x."
-					   "IP6.ARPA.",
-					   ap[15] & 0x0f, (ap[15] >> 4) & 0x0f,
-					   ap[14] & 0x0f, (ap[14] >> 4) & 0x0f,
-					   ap[13] & 0x0f, (ap[13] >> 4) & 0x0f,
-					   ap[12] & 0x0f, (ap[12] >> 4) & 0x0f,
-					   ap[11] & 0x0f, (ap[11] >> 4) & 0x0f,
-					   ap[10] & 0x0f, (ap[10] >> 4) & 0x0f,
-					   ap[9] & 0x0f, (ap[9] >> 4) & 0x0f,
-					   ap[8] & 0x0f, (ap[8] >> 4) & 0x0f,
-					   ap[7] & 0x0f, (ap[7] >> 4) & 0x0f,
-					   ap[6] & 0x0f, (ap[6] >> 4) & 0x0f,
-					   ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
-					   ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
-					   ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
-					   ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
-					   ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
-					   ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		break;
-	default:
-		INSIST(0);
-	}
-	isc_buffer_init(&b, buf, strlen(buf));
-	isc_buffer_add(&b, strlen(buf));
-	result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-}
-
-static void
-stf_from_address(dns_name_t *stfself, isc_netaddr_t *tcpaddr) {
-	char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")];
-	isc_result_t result;
-	unsigned char *ap;
-	isc_buffer_t b;
-	unsigned long l;
-
-	switch(tcpaddr->family) {
-	case AF_INET:
-		l = ntohl(tcpaddr->type.in.s_addr);
-		result = isc_string_printf(buf, sizeof(buf),
-					   "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
-					   "2.0.0.2.IP6.ARPA.",
-					   l & 0xf, (l >> 4) & 0xf,
-					   (l >> 8) & 0xf, (l >> 12) & 0xf,
-					   (l >> 16) & 0xf, (l >> 20) & 0xf,
-					   (l >> 24) & 0xf, (l >> 28) & 0xf);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		break;
-	case AF_INET6:
-		ap = tcpaddr->type.in6.s6_addr;
-		result = isc_string_printf(buf, sizeof(buf),
-					   "%x.%x.%x.%x.%x.%x.%x.%x."
-					   "%x.%x.%x.%x.IP6.ARPA.",
-					   ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
-					   ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
-					   ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
-					   ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
-					   ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
-					   ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		break;
-	default:
-		INSIST(0);
-	}
-	isc_buffer_init(&b, buf, strlen(buf));
-	isc_buffer_add(&b, strlen(buf));
-	result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
-			dns_name_t *name, isc_netaddr_t *tcpaddr,
-			dns_rdatatype_t type,
-			const dst_key_t *key)
-{
-	dns_ssurule_t *rule;
-	unsigned int i;
-	dns_fixedname_t fixed;
-	dns_name_t *wildcard;
-	dns_name_t *tcpself;
-	dns_name_t *stfself;
-	isc_result_t result;
-
-	REQUIRE(VALID_SSUTABLE(table));
-	REQUIRE(signer == NULL || dns_name_isabsolute(signer));
-	REQUIRE(dns_name_isabsolute(name));
-
-	if (signer == NULL && tcpaddr == NULL)
-		return (ISC_FALSE);
-
-	for (rule = ISC_LIST_HEAD(table->rules);
-	     rule != NULL;
-	     rule = ISC_LIST_NEXT(rule, link))
-	{
-		switch (rule->matchtype) {
-		case DNS_SSUMATCHTYPE_NAME:
-		case DNS_SSUMATCHTYPE_SUBDOMAIN:
-		case DNS_SSUMATCHTYPE_WILDCARD:
-		case DNS_SSUMATCHTYPE_SELF:
-		case DNS_SSUMATCHTYPE_SELFSUB:
-		case DNS_SSUMATCHTYPE_SELFWILD:
-			if (signer == NULL)
-				continue;
-			if (dns_name_iswildcard(rule->identity)) {
-				if (!dns_name_matcheswildcard(signer,
-							      rule->identity))
-					continue;
-			} else {
-				if (!dns_name_equal(signer, rule->identity))
-					continue;
-			}
-			break;
-		case DNS_SSUMATCHTYPE_SELFKRB5:
-		case DNS_SSUMATCHTYPE_SELFMS:
-		case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
-		case DNS_SSUMATCHTYPE_SUBDOMAINMS:
-			if (signer == NULL)
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_TCPSELF:
-		case DNS_SSUMATCHTYPE_6TO4SELF:
-			if (tcpaddr == NULL)
-				continue;
-			break;
-		}
-
-		switch (rule->matchtype) {
-		case DNS_SSUMATCHTYPE_NAME:
-			if (!dns_name_equal(name, rule->name))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_SUBDOMAIN:
-			if (!dns_name_issubdomain(name, rule->name))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_WILDCARD:
-			if (!dns_name_matcheswildcard(name, rule->name))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_SELF:
-			if (!dns_name_equal(signer, name))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_SELFSUB:
-			if (!dns_name_issubdomain(name, signer))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_SELFWILD:
-			dns_fixedname_init(&fixed);
-			wildcard = dns_fixedname_name(&fixed);
-			result = dns_name_concatenate(dns_wildcardname, signer,
-						      wildcard, NULL);
-			if (result != ISC_R_SUCCESS)
-				continue;
-			if (!dns_name_matcheswildcard(name, wildcard))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_SELFKRB5:
-			if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
-							       rule->identity))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_SELFMS:
-			if (!dst_gssapi_identitymatchesrealmms(signer, name,
-							       rule->identity))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
-			if (!dns_name_issubdomain(name, rule->name))
-				continue;
-			if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
-							       rule->identity))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_SUBDOMAINMS:
-			if (!dns_name_issubdomain(name, rule->name))
-				continue;
-			if (!dst_gssapi_identitymatchesrealmms(signer, NULL,
-							       rule->identity))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_TCPSELF:
-			dns_fixedname_init(&fixed);
-			tcpself = dns_fixedname_name(&fixed);
-			reverse_from_address(tcpself, tcpaddr);
-			if (dns_name_iswildcard(rule->identity)) {
-				if (!dns_name_matcheswildcard(tcpself,
-							      rule->identity))
-					continue;
-			} else {
-				if (!dns_name_equal(tcpself, rule->identity))
-					continue;
-			}
-			if (!dns_name_equal(tcpself, name))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_6TO4SELF:
-			dns_fixedname_init(&fixed);
-			stfself = dns_fixedname_name(&fixed);
-			stf_from_address(stfself, tcpaddr);
-			if (dns_name_iswildcard(rule->identity)) {
-				if (!dns_name_matcheswildcard(stfself,
-							      rule->identity))
-					continue;
-			} else {
-				if (!dns_name_equal(stfself, rule->identity))
-					continue;
-			}
-			if (!dns_name_equal(stfself, name))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_EXTERNAL:
-			if (!dns_ssu_external_match(rule->identity, signer,
-						    name, tcpaddr, type, key,
-						    table->mctx))
-				continue;
-			break;
-		case DNS_SSUMATCHTYPE_DLZ:
-			if (!dns_dlz_ssumatch(table->dlzdatabase, signer,
-					      name, tcpaddr, type, key))
-				continue;
-			break;
-		}
-
-		if (rule->ntypes == 0) {
-			/*
-			 * If this is a DLZ rule, then the DLZ ssu
-			 * checks will have already checked
-			 * the type.
-			 */
-			if (rule->matchtype != DNS_SSUMATCHTYPE_DLZ &&
-			    !isusertype(type))
-				continue;
-		} else {
-			for (i = 0; i < rule->ntypes; i++) {
-				if (rule->types[i] == dns_rdatatype_any ||
-				    rule->types[i] == type)
-					break;
-			}
-			if (i == rule->ntypes)
-				continue;
-		}
-		return (rule->grant);
-	}
-
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_ssurule_isgrant(const dns_ssurule_t *rule) {
-	REQUIRE(VALID_SSURULE(rule));
-	return (rule->grant);
-}
-
-dns_name_t *
-dns_ssurule_identity(const dns_ssurule_t *rule) {
-	REQUIRE(VALID_SSURULE(rule));
-	return (rule->identity);
-}
-
-unsigned int
-dns_ssurule_matchtype(const dns_ssurule_t *rule) {
-	REQUIRE(VALID_SSURULE(rule));
-	return (rule->matchtype);
-}
-
-dns_name_t *
-dns_ssurule_name(const dns_ssurule_t *rule) {
-	REQUIRE(VALID_SSURULE(rule));
-	return (rule->name);
-}
-
-unsigned int
-dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
-	REQUIRE(VALID_SSURULE(rule));
-	REQUIRE(types != NULL && *types != NULL);
-	*types = rule->types;
-	return (rule->ntypes);
-}
-
-isc_result_t
-dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
-	REQUIRE(VALID_SSUTABLE(table));
-	REQUIRE(rule != NULL && *rule == NULL);
-	*rule = ISC_LIST_HEAD(table->rules);
-	return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
-}
-
-isc_result_t
-dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
-	REQUIRE(VALID_SSURULE(rule));
-	REQUIRE(nextrule != NULL && *nextrule == NULL);
-	*nextrule = ISC_LIST_NEXT(rule, link);
-	return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
-}
-
-/*
- * Create a specialised SSU table that points at an external DLZ database
- */
-isc_result_t
-dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
-		       dns_dlzdb_t *dlzdatabase)
-{
-	isc_result_t result;
-	dns_ssurule_t *rule;
-	dns_ssutable_t *table = NULL;
-
-	REQUIRE(tablep != NULL && *tablep == NULL);
-
-	result = dns_ssutable_create(mctx, &table);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	table->dlzdatabase = dlzdatabase;
-
-	rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
-	if (rule == NULL) {
-		dns_ssutable_detach(&table);
-		return (ISC_R_NOMEMORY);
-	}
-
-	rule->identity = NULL;
-	rule->name = NULL;
-	rule->types = NULL;
-	rule->grant = ISC_TRUE;
-	rule->matchtype = DNS_SSUMATCHTYPE_DLZ;
-	rule->ntypes = 0;
-	rule->types = NULL;
-	rule->magic = SSURULEMAGIC;
-
-	ISC_LIST_INITANDAPPEND(table->rules, rule, link);
-	*tablep = table;
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/ssu_external.c b/contrib/bind9/lib/dns/ssu_external.c
deleted file mode 100644
index 43d231d..0000000
--- a/contrib/bind9/lib/dns/ssu_external.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*
- * This implements external update-policy rules.  This allows permission
- * to update a zone to be checked by consulting an external daemon (e.g.,
- * kerberos).
- */
-
-#include <config.h>
-#include <errno.h>
-#include <unistd.h>
-
-#ifdef ISC_PLATFORM_HAVESYSUNH
-#include <sys/socket.h>
-#include <sys/un.h>
-#endif
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-#include <isc/strerror.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/ssu.h>
-#include <dns/log.h>
-#include <dns/rdatatype.h>
-
-#include <dst/dst.h>
-
-
-static void
-ssu_e_log(int level, const char *fmt, ...) {
-	va_list ap;
-
-	va_start(ap, fmt);
-	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_SECURITY,
-		       DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(level), fmt, ap);
-	va_end(ap);
-}
-
-
-/*
- * Connect to a UNIX domain socket.
- */
-static int
-ux_socket_connect(const char *path) {
-	int fd = -1;
-#ifdef ISC_PLATFORM_HAVESYSUNH
-	struct sockaddr_un addr;
-
-	REQUIRE(path != NULL);
-
-	if (strlen(path) > sizeof(addr.sun_path)) {
-		ssu_e_log(3, "ssu_external: socket path '%s' "
-			     "longer than system maximum %u",
-			  path, sizeof(addr.sun_path));
-		return (-1);
-	}
-
-	memset(&addr, 0, sizeof(addr));
-	addr.sun_family = AF_UNIX;
-	strlcpy(addr.sun_path, path, sizeof(addr.sun_path));
-
-	fd = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (fd == -1) {
-		char strbuf[ISC_STRERRORSIZE];
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ssu_e_log(3, "ssu_external: unable to create socket - %s",
-			  strbuf);
-		return (-1);
-	}
-
-	if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
-		char strbuf[ISC_STRERRORSIZE];
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ssu_e_log(3, "ssu_external: unable to connect to "
-			     "socket '%s' - %s",
-			  path, strbuf);
-		close(fd);
-		return (-1);
-	}
-#endif
-	return (fd);
-}
-
-/* Change this version if you update the format of the request */
-#define SSU_EXTERNAL_VERSION 1
-
-/*
- * Perform an update-policy rule check against an external application
- * over a socket.
- *
- * This currently only supports local: for unix domain datagram sockets.
- *
- * Note that by using a datagram socket and creating a new socket each
- * time we avoid the need for locking and allow for parallel access to
- * the authorization server.
- */
-isc_boolean_t
-dns_ssu_external_match(dns_name_t *identity,
-		       dns_name_t *signer, dns_name_t *name,
-		       isc_netaddr_t *tcpaddr, dns_rdatatype_t type,
-		       const dst_key_t *key, isc_mem_t *mctx)
-{
-	char b_identity[DNS_NAME_FORMATSIZE];
-	char b_signer[DNS_NAME_FORMATSIZE];
-	char b_name[DNS_NAME_FORMATSIZE];
-	char b_addr[ISC_NETADDR_FORMATSIZE];
-	char b_type[DNS_RDATATYPE_FORMATSIZE];
-	char b_key[DST_KEY_FORMATSIZE];
-	isc_buffer_t *tkey_token = NULL;
-	int fd;
-	const char *sock_path;
-	size_t req_len;
-	isc_region_t token_region;
-	unsigned char *data;
-	isc_buffer_t buf;
-	isc_uint32_t token_len = 0;
-	isc_uint32_t reply;
-	ssize_t ret;
-
-	/* The identity contains local:/path/to/socket */
-	dns_name_format(identity, b_identity, sizeof(b_identity));
-
-	/* For now only local: is supported */
-	if (strncmp(b_identity, "local:", 6) != 0) {
-		ssu_e_log(3, "ssu_external: invalid socket path '%s'",
-			  b_identity);
-		return (ISC_FALSE);
-	}
-	sock_path = &b_identity[6];
-
-	fd = ux_socket_connect(sock_path);
-	if (fd == -1)
-		return (ISC_FALSE);
-
-	if (key != NULL) {
-		dst_key_format(key, b_key, sizeof(b_key));
-		tkey_token = dst_key_tkeytoken(key);
-	} else
-		b_key[0] = 0;
-
-	if (tkey_token != NULL) {
-		isc_buffer_region(tkey_token, &token_region);
-		token_len = token_region.length;
-	}
-
-	/* Format the request elements */
-	if (signer != NULL)
-		dns_name_format(signer, b_signer, sizeof(b_signer));
-	else
-		b_signer[0] = 0;
-
-	dns_name_format(name, b_name, sizeof(b_name));
-
-	if (tcpaddr != NULL)
-		isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
-	else
-		b_addr[0] = 0;
-
-	dns_rdatatype_format(type, b_type, sizeof(b_type));
-
-	/* Work out how big the request will be */
-	req_len = sizeof(isc_uint32_t)     + /* Format version */
-		  sizeof(isc_uint32_t)     + /* Length */
-		  strlen(b_signer) + 1 + /* Signer */
-		  strlen(b_name) + 1   + /* Name */
-		  strlen(b_addr) + 1   + /* Address */
-		  strlen(b_type) + 1   + /* Type */
-		  strlen(b_key) + 1    + /* Key */
-		  sizeof(isc_uint32_t)     + /* tkey_token length */
-		  token_len;             /* tkey_token */
-
-
-	/* format the buffer */
-	data = isc_mem_allocate(mctx, req_len);
-	if (data == NULL) {
-		close(fd);
-		return (ISC_FALSE);
-	}
-
-	isc_buffer_init(&buf, data, req_len);
-	isc_buffer_putuint32(&buf, SSU_EXTERNAL_VERSION);
-	isc_buffer_putuint32(&buf, req_len);
-
-	/* Strings must be null-terminated */
-	isc_buffer_putstr(&buf, b_signer);
-	isc_buffer_putuint8(&buf, 0);
-	isc_buffer_putstr(&buf, b_name);
-	isc_buffer_putuint8(&buf, 0);
-	isc_buffer_putstr(&buf, b_addr);
-	isc_buffer_putuint8(&buf, 0);
-	isc_buffer_putstr(&buf, b_type);
-	isc_buffer_putuint8(&buf, 0);
-	isc_buffer_putstr(&buf, b_key);
-	isc_buffer_putuint8(&buf, 0);
-
-	isc_buffer_putuint32(&buf, token_len);
-	if (tkey_token && token_len != 0)
-		isc_buffer_putmem(&buf, token_region.base, token_len);
-
-	ENSURE(isc_buffer_availablelength(&buf) == 0);
-
-	/* Send the request */
-	ret = write(fd, data, req_len);
-	isc_mem_free(mctx, data);
-	if (ret != (ssize_t) req_len) {
-		char strbuf[ISC_STRERRORSIZE];
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ssu_e_log(3, "ssu_external: unable to send request - %s",
-			  strbuf);
-		close(fd);
-		return (ISC_FALSE);
-	}
-
-	/* Receive the reply */
-	ret = read(fd, &reply, sizeof(isc_uint32_t));
-	if (ret != (ssize_t) sizeof(isc_uint32_t)) {
-		char strbuf[ISC_STRERRORSIZE];
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ssu_e_log(3, "ssu_external: unable to receive reply - %s",
-			  strbuf);
-		close(fd);
-		return (ISC_FALSE);
-	}
-
-	close(fd);
-
-	reply = ntohl(reply);
-
-	if (reply == 0) {
-		ssu_e_log(3, "ssu_external: denied external auth for '%s'",
-			  b_name);
-		return (ISC_FALSE);
-	} else if (reply == 1) {
-		ssu_e_log(3, "ssu_external: allowed external auth for '%s'",
-			  b_name);
-		return (ISC_TRUE);
-	}
-
-	ssu_e_log(3, "ssu_external: invalid reply 0x%08x", reply);
-
-	return (ISC_FALSE);
-}
diff --git a/contrib/bind9/lib/dns/stats.c b/contrib/bind9/lib/dns/stats.c
deleted file mode 100644
index a59dde6..0000000
--- a/contrib/bind9/lib/dns/stats.c
+++ /dev/null
@@ -1,404 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stats.c,v 1.18 2009/01/27 23:47:54 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/stats.h>
-#include <isc/util.h>
-
-#include <dns/opcode.h>
-#include <dns/rdatatype.h>
-#include <dns/stats.h>
-
-#define DNS_STATS_MAGIC			ISC_MAGIC('D', 's', 't', 't')
-#define DNS_STATS_VALID(x)		ISC_MAGIC_VALID(x, DNS_STATS_MAGIC)
-
-/*%
- * Statistics types.
- */
-typedef enum {
-	dns_statstype_general = 0,
-	dns_statstype_rdtype = 1,
-	dns_statstype_rdataset = 2,
-	dns_statstype_opcode = 3
-} dns_statstype_t;
-
-/*%
- * It doesn't make sense to have 2^16 counters for all possible types since
- * most of them won't be used.  We have counters for the first 256 types and
- * those explicitly supported in the rdata implementation.
- * XXXJT: this introduces tight coupling with the rdata implementation.
- * Ideally, we should have rdata handle this type of details.
- */
-enum {
-	/* For 0-255, we use the rdtype value as counter indices */
-	rdtypecounter_dlv = 256,	/* for dns_rdatatype_dlv */
-	rdtypecounter_others = 257,	/* anything else */
-	rdtypecounter_max = 258,
-	/* The following are used for rdataset */
-	rdtypenxcounter_max = rdtypecounter_max * 2,
-	rdtypecounter_nxdomain = rdtypenxcounter_max,
-	rdatasettypecounter_max = rdtypecounter_nxdomain + 1
-};
-
-struct dns_stats {
-	/*% Unlocked */
-	unsigned int	magic;
-	dns_statstype_t	type;
-	isc_mem_t	*mctx;
-	isc_mutex_t	lock;
-	isc_stats_t	*counters;
-
-	/*%  Locked by lock */
-	unsigned int	references;
-};
-
-typedef struct rdatadumparg {
-	dns_rdatatypestats_dumper_t	fn;
-	void				*arg;
-} rdatadumparg_t;
-
-typedef struct opcodedumparg {
-	dns_opcodestats_dumper_t	fn;
-	void				*arg;
-} opcodedumparg_t;
-
-void
-dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp) {
-	REQUIRE(DNS_STATS_VALID(stats));
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	LOCK(&stats->lock);
-	stats->references++;
-	UNLOCK(&stats->lock);
-
-	*statsp = stats;
-}
-
-void
-dns_stats_detach(dns_stats_t **statsp) {
-	dns_stats_t *stats;
-
-	REQUIRE(statsp != NULL && DNS_STATS_VALID(*statsp));
-
-	stats = *statsp;
-	*statsp = NULL;
-
-	LOCK(&stats->lock);
-	stats->references--;
-	UNLOCK(&stats->lock);
-
-	if (stats->references == 0) {
-		isc_stats_detach(&stats->counters);
-		DESTROYLOCK(&stats->lock);
-		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
-	}
-}
-
-/*%
- * Create methods
- */
-static isc_result_t
-create_stats(isc_mem_t *mctx, dns_statstype_t	type, int ncounters,
-	     dns_stats_t **statsp)
-{
-	dns_stats_t *stats;
-	isc_result_t result;
-
-	stats = isc_mem_get(mctx, sizeof(*stats));
-	if (stats == NULL)
-		return (ISC_R_NOMEMORY);
-
-	stats->counters = NULL;
-	stats->references = 1;
-
-	result = isc_mutex_init(&stats->lock);
-	if (result != ISC_R_SUCCESS)
-		goto clean_stats;
-
-	result = isc_stats_create(mctx, &stats->counters, ncounters);
-	if (result != ISC_R_SUCCESS)
-		goto clean_mutex;
-
-	stats->magic = DNS_STATS_MAGIC;
-	stats->type = type;
-	stats->mctx = NULL;
-	isc_mem_attach(mctx, &stats->mctx);
-	*statsp = stats;
-
-	return (ISC_R_SUCCESS);
-
-  clean_mutex:
-	DESTROYLOCK(&stats->lock);
-  clean_stats:
-	isc_mem_put(mctx, stats, sizeof(*stats));
-
-	return (result);
-}
-
-isc_result_t
-dns_generalstats_create(isc_mem_t *mctx, dns_stats_t **statsp, int ncounters) {
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	return (create_stats(mctx, dns_statstype_general, ncounters, statsp));
-}
-
-isc_result_t
-dns_rdatatypestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	return (create_stats(mctx, dns_statstype_rdtype, rdtypecounter_max,
-			     statsp));
-}
-
-isc_result_t
-dns_rdatasetstats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	return (create_stats(mctx, dns_statstype_rdataset,
-			     (rdtypecounter_max * 2) + 1, statsp));
-}
-
-isc_result_t
-dns_opcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	return (create_stats(mctx, dns_statstype_opcode, 16, statsp));
-}
-
-/*%
- * Increment/Decrement methods
- */
-void
-dns_generalstats_increment(dns_stats_t *stats, isc_statscounter_t counter) {
-	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_general);
-
-	isc_stats_increment(stats->counters, counter);
-}
-
-void
-dns_rdatatypestats_increment(dns_stats_t *stats, dns_rdatatype_t type) {
-	int counter;
-
-	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rdtype);
-
-	if (type == dns_rdatatype_dlv)
-		counter = rdtypecounter_dlv;
-	else if (type > dns_rdatatype_any)
-		counter = rdtypecounter_others;
-	else
-		counter = (int)type;
-
-	isc_stats_increment(stats->counters, (isc_statscounter_t)counter);
-}
-
-static inline void
-update_rdatasetstats(dns_stats_t *stats, dns_rdatastatstype_t rrsettype,
-		     isc_boolean_t increment)
-{
-	int counter;
-	dns_rdatatype_t rdtype;
-
-	if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
-	     DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) != 0) {
-		counter = rdtypecounter_nxdomain;
-	} else {
-		rdtype = DNS_RDATASTATSTYPE_BASE(rrsettype);
-		if (rdtype == dns_rdatatype_dlv)
-			counter = (int)rdtypecounter_dlv;
-		else if (rdtype > dns_rdatatype_any)
-			counter = (int)rdtypecounter_others;
-		else
-			counter = (int)rdtype;
-
-		if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
-		     DNS_RDATASTATSTYPE_ATTR_NXRRSET) != 0)
-			counter += rdtypecounter_max;
-	}
-
-	if (increment)
-		isc_stats_increment(stats->counters, counter);
-	else
-		isc_stats_decrement(stats->counters, counter);
-}
-
-void
-dns_rdatasetstats_increment(dns_stats_t *stats, dns_rdatastatstype_t rrsettype)
-{
-	REQUIRE(DNS_STATS_VALID(stats) &&
-		stats->type == dns_statstype_rdataset);
-
-	update_rdatasetstats(stats, rrsettype, ISC_TRUE);
-}
-
-void
-dns_rdatasetstats_decrement(dns_stats_t *stats, dns_rdatastatstype_t rrsettype)
-{
-	REQUIRE(DNS_STATS_VALID(stats) &&
-		stats->type == dns_statstype_rdataset);
-
-	update_rdatasetstats(stats, rrsettype, ISC_FALSE);
-}
-void
-dns_opcodestats_increment(dns_stats_t *stats, dns_opcode_t code) {
-	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_opcode);
-
-	isc_stats_increment(stats->counters, (isc_statscounter_t)code);
-}
-
-/*%
- * Dump methods
- */
-void
-dns_generalstats_dump(dns_stats_t *stats, dns_generalstats_dumper_t dump_fn,
-		      void *arg, unsigned int options)
-{
-	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_general);
-
-	isc_stats_dump(stats->counters, (isc_stats_dumper_t)dump_fn,
-		       arg, options);
-}
-
-static void
-dump_rdentry(int rdcounter, isc_uint64_t value, dns_rdatastatstype_t attributes,
-	     dns_rdatatypestats_dumper_t dump_fn, void * arg)
-{
-	dns_rdatatype_t rdtype = dns_rdatatype_none; /* sentinel */
-	dns_rdatastatstype_t type;
-
-	if (rdcounter == rdtypecounter_others)
-		attributes |= DNS_RDATASTATSTYPE_ATTR_OTHERTYPE;
-	else {
-		if (rdcounter == rdtypecounter_dlv)
-			rdtype = dns_rdatatype_dlv;
-		else
-			rdtype = (dns_rdatatype_t)rdcounter;
-	}
-	type = DNS_RDATASTATSTYPE_VALUE((dns_rdatastatstype_t)rdtype,
-					attributes);
-	dump_fn(type, value, arg);
-}
-
-static void
-rdatatype_dumpcb(isc_statscounter_t counter, isc_uint64_t value, void *arg) {
-	rdatadumparg_t *rdatadumparg = arg;
-
-	dump_rdentry(counter, value, 0, rdatadumparg->fn, rdatadumparg->arg);
-}
-
-void
-dns_rdatatypestats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
-			void *arg0, unsigned int options)
-{
-	rdatadumparg_t arg;
-	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rdtype);
-
-	arg.fn = dump_fn;
-	arg.arg = arg0;
-	isc_stats_dump(stats->counters, rdatatype_dumpcb, &arg, options);
-}
-
-static void
-rdataset_dumpcb(isc_statscounter_t counter, isc_uint64_t value, void *arg) {
-	rdatadumparg_t *rdatadumparg = arg;
-
-	if (counter < rdtypecounter_max) {
-		dump_rdentry(counter, value, 0, rdatadumparg->fn,
-			     rdatadumparg->arg);
-	} else if (counter < rdtypenxcounter_max) {
-		dump_rdentry(counter - rdtypecounter_max, value,
-			     DNS_RDATASTATSTYPE_ATTR_NXRRSET,
-			     rdatadumparg->fn, rdatadumparg->arg);
-	} else {
-		dump_rdentry(0, value, DNS_RDATASTATSTYPE_ATTR_NXDOMAIN,
-			     rdatadumparg->fn, rdatadumparg->arg);
-	}
-}
-
-void
-dns_rdatasetstats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
-		       void *arg0, unsigned int options)
-{
-	rdatadumparg_t arg;
-
-	REQUIRE(DNS_STATS_VALID(stats) &&
-		stats->type == dns_statstype_rdataset);
-
-	arg.fn = dump_fn;
-	arg.arg = arg0;
-	isc_stats_dump(stats->counters, rdataset_dumpcb, &arg, options);
-}
-
-static void
-opcode_dumpcb(isc_statscounter_t counter, isc_uint64_t value, void *arg) {
-	opcodedumparg_t *opcodearg = arg;
-
-	opcodearg->fn((dns_opcode_t)counter, value, opcodearg->arg);
-}
-
-void
-dns_opcodestats_dump(dns_stats_t *stats, dns_opcodestats_dumper_t dump_fn,
-		     void *arg0, unsigned int options)
-{
-	opcodedumparg_t arg;
-
-	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_opcode);
-
-	arg.fn = dump_fn;
-	arg.arg = arg0;
-	isc_stats_dump(stats->counters, opcode_dumpcb, &arg, options);
-}
-
-/***
- *** Obsolete variables and functions follow:
- ***/
-LIBDNS_EXTERNAL_DATA const char *dns_statscounter_names[DNS_STATS_NCOUNTERS] =
-	{
-	"success",
-	"referral",
-	"nxrrset",
-	"nxdomain",
-	"recursion",
-	"failure",
-	"duplicate",
-	"dropped"
-	};
-
-isc_result_t
-dns_stats_alloccounters(isc_mem_t *mctx, isc_uint64_t **ctrp) {
-	int i;
-	isc_uint64_t *p =
-		isc_mem_get(mctx, DNS_STATS_NCOUNTERS * sizeof(isc_uint64_t));
-	if (p == NULL)
-		return (ISC_R_NOMEMORY);
-	for (i = 0; i < DNS_STATS_NCOUNTERS; i++)
-		p[i] = 0;
-	*ctrp = p;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_stats_freecounters(isc_mem_t *mctx, isc_uint64_t **ctrp) {
-	isc_mem_put(mctx, *ctrp, DNS_STATS_NCOUNTERS * sizeof(isc_uint64_t));
-	*ctrp = NULL;
-}
diff --git a/contrib/bind9/lib/dns/tcpmsg.c b/contrib/bind9/lib/dns/tcpmsg.c
deleted file mode 100644
index 49add56..0000000
--- a/contrib/bind9/lib/dns/tcpmsg.c
+++ /dev/null
@@ -1,243 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tcpmsg.c,v 1.31 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/events.h>
-#include <dns/result.h>
-#include <dns/tcpmsg.h>
-
-#ifdef TCPMSG_DEBUG
-#include <stdio.h>		/* Required for printf. */
-#define XDEBUG(x) printf x
-#else
-#define XDEBUG(x)
-#endif
-
-#define TCPMSG_MAGIC		ISC_MAGIC('T', 'C', 'P', 'm')
-#define VALID_TCPMSG(foo)	ISC_MAGIC_VALID(foo, TCPMSG_MAGIC)
-
-static void recv_length(isc_task_t *, isc_event_t *);
-static void recv_message(isc_task_t *, isc_event_t *);
-
-
-static void
-recv_length(isc_task_t *task, isc_event_t *ev_in) {
-	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
-	isc_event_t *dev;
-	dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
-	isc_region_t region;
-	isc_result_t result;
-
-	INSIST(VALID_TCPMSG(tcpmsg));
-
-	dev = &tcpmsg->event;
-	tcpmsg->address = ev->address;
-
-	if (ev->result != ISC_R_SUCCESS) {
-		tcpmsg->result = ev->result;
-		goto send_and_free;
-	}
-
-	/*
-	 * Success.
-	 */
-	tcpmsg->size = ntohs(tcpmsg->size);
-	if (tcpmsg->size == 0) {
-		tcpmsg->result = ISC_R_UNEXPECTEDEND;
-		goto send_and_free;
-	}
-	if (tcpmsg->size > tcpmsg->maxsize) {
-		tcpmsg->result = ISC_R_RANGE;
-		goto send_and_free;
-	}
-
-	region.base = isc_mem_get(tcpmsg->mctx, tcpmsg->size);
-	region.length = tcpmsg->size;
-	if (region.base == NULL) {
-		tcpmsg->result = ISC_R_NOMEMORY;
-		goto send_and_free;
-	}
-	XDEBUG(("Allocated %d bytes\n", tcpmsg->size));
-
-	isc_buffer_init(&tcpmsg->buffer, region.base, region.length);
-	result = isc_socket_recv(tcpmsg->sock, &region, 0,
-				 task, recv_message, tcpmsg);
-	if (result != ISC_R_SUCCESS) {
-		tcpmsg->result = result;
-		goto send_and_free;
-	}
-
-	isc_event_free(&ev_in);
-	return;
-
- send_and_free:
-	isc_task_send(tcpmsg->task, &dev);
-	tcpmsg->task = NULL;
-	isc_event_free(&ev_in);
-	return;
-}
-
-static void
-recv_message(isc_task_t *task, isc_event_t *ev_in) {
-	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
-	isc_event_t *dev;
-	dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
-
-	(void)task;
-
-	INSIST(VALID_TCPMSG(tcpmsg));
-
-	dev = &tcpmsg->event;
-	tcpmsg->address = ev->address;
-
-	if (ev->result != ISC_R_SUCCESS) {
-		tcpmsg->result = ev->result;
-		goto send_and_free;
-	}
-
-	tcpmsg->result = ISC_R_SUCCESS;
-	isc_buffer_add(&tcpmsg->buffer, ev->n);
-
-	XDEBUG(("Received %d bytes (of %d)\n", ev->n, tcpmsg->size));
-
- send_and_free:
-	isc_task_send(tcpmsg->task, &dev);
-	tcpmsg->task = NULL;
-	isc_event_free(&ev_in);
-}
-
-void
-dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg) {
-	REQUIRE(mctx != NULL);
-	REQUIRE(sock != NULL);
-	REQUIRE(tcpmsg != NULL);
-
-	tcpmsg->magic = TCPMSG_MAGIC;
-	tcpmsg->size = 0;
-	tcpmsg->buffer.base = NULL;
-	tcpmsg->buffer.length = 0;
-	tcpmsg->maxsize = 65535;		/* Largest message possible. */
-	tcpmsg->mctx = mctx;
-	tcpmsg->sock = sock;
-	tcpmsg->task = NULL;			/* None yet. */
-	tcpmsg->result = ISC_R_UNEXPECTED;	/* None yet. */
-	/*
-	 * Should probably initialize the event here, but it can wait.
-	 */
-}
-
-
-void
-dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize) {
-	REQUIRE(VALID_TCPMSG(tcpmsg));
-	REQUIRE(maxsize < 65536);
-
-	tcpmsg->maxsize = maxsize;
-}
-
-
-isc_result_t
-dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
-		       isc_task_t *task, isc_taskaction_t action, void *arg)
-{
-	isc_result_t result;
-	isc_region_t region;
-
-	REQUIRE(VALID_TCPMSG(tcpmsg));
-	REQUIRE(task != NULL);
-	REQUIRE(tcpmsg->task == NULL);  /* not currently in use */
-
-	if (tcpmsg->buffer.base != NULL) {
-		isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
-			    tcpmsg->buffer.length);
-		tcpmsg->buffer.base = NULL;
-		tcpmsg->buffer.length = 0;
-	}
-
-	tcpmsg->task = task;
-	tcpmsg->action = action;
-	tcpmsg->arg = arg;
-	tcpmsg->result = ISC_R_UNEXPECTED;  /* unknown right now */
-
-	ISC_EVENT_INIT(&tcpmsg->event, sizeof(isc_event_t), 0, 0,
-		       DNS_EVENT_TCPMSG, action, arg, tcpmsg,
-		       NULL, NULL);
-
-	region.base = (unsigned char *)&tcpmsg->size;
-	region.length = 2;  /* isc_uint16_t */
-	result = isc_socket_recv(tcpmsg->sock, &region, 0,
-				 tcpmsg->task, recv_length, tcpmsg);
-
-	if (result != ISC_R_SUCCESS)
-		tcpmsg->task = NULL;
-
-	return (result);
-}
-
-void
-dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg) {
-	REQUIRE(VALID_TCPMSG(tcpmsg));
-
-	isc_socket_cancel(tcpmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
-}
-
-void
-dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer) {
-	REQUIRE(VALID_TCPMSG(tcpmsg));
-	REQUIRE(buffer != NULL);
-
-	*buffer = tcpmsg->buffer;
-	tcpmsg->buffer.base = NULL;
-	tcpmsg->buffer.length = 0;
-}
-
-#if 0
-void
-dns_tcpmsg_freebuffer(dns_tcpmsg_t *tcpmsg) {
-	REQUIRE(VALID_TCPMSG(tcpmsg));
-
-	if (tcpmsg->buffer.base == NULL)
-		return;
-
-	isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base, tcpmsg->buffer.length);
-	tcpmsg->buffer.base = NULL;
-	tcpmsg->buffer.length = 0;
-}
-#endif
-
-void
-dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg) {
-	REQUIRE(VALID_TCPMSG(tcpmsg));
-
-	tcpmsg->magic = 0;
-
-	if (tcpmsg->buffer.base != NULL) {
-		isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
-			    tcpmsg->buffer.length);
-		tcpmsg->buffer.base = NULL;
-		tcpmsg->buffer.length = 0;
-	}
-}
diff --git a/contrib/bind9/lib/dns/time.c b/contrib/bind9/lib/dns/time.c
deleted file mode 100644
index 0f245a2..0000000
--- a/contrib/bind9/lib/dns/time.c
+++ /dev/null
@@ -1,203 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <time.h>
-#include <ctype.h>
-
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/serial.h>
-#include <isc/stdtime.h>
-#include <isc/util.h>
-
-#include <dns/result.h>
-#include <dns/time.h>
-
-static int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
-
-isc_result_t
-dns_time64_totext(isc_int64_t t, isc_buffer_t *target) {
-	struct tm tm;
-	char buf[sizeof("YYYYMMDDHHMMSS")];
-	int secs;
-	unsigned int l;
-	isc_region_t region;
-
-/*
- * Warning. Do NOT use arguments with side effects with these macros.
- */
-#define is_leap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
-#define year_secs(y) ((is_leap(y) ? 366 : 365 ) * 86400)
-#define month_secs(m,y) ((days[m] + ((m == 1 && is_leap(y)) ? 1 : 0 )) * 86400)
-
-	tm.tm_year = 70;
-	while (t < 0) {
-		if (tm.tm_year == 0)
-			return (ISC_R_RANGE);
-		tm.tm_year--;
-		secs = year_secs(tm.tm_year + 1900);
-		t += secs;
-	}
-	while ((secs = year_secs(tm.tm_year + 1900)) <= t) {
-		t -= secs;
-		tm.tm_year++;
-		if (tm.tm_year + 1900 > 9999)
-			return (ISC_R_RANGE);
-	}
-	tm.tm_mon = 0;
-	while ((secs = month_secs(tm.tm_mon, tm.tm_year + 1900)) <= t) {
-		t -= secs;
-		tm.tm_mon++;
-	}
-	tm.tm_mday = 1;
-	while (86400 <= t) {
-		t -= 86400;
-		tm.tm_mday++;
-	}
-	tm.tm_hour = 0;
-	while (3600 <= t) {
-		t -= 3600;
-		tm.tm_hour++;
-	}
-	tm.tm_min = 0;
-	while (60 <= t) {
-		t -= 60;
-		tm.tm_min++;
-	}
-	tm.tm_sec = (int)t;
-				 /* yyyy  mm  dd  HH  MM  SS */
-	snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02d",
-		 tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
-		 tm.tm_hour, tm.tm_min, tm.tm_sec);
-
-	isc_buffer_availableregion(target, &region);
-	l = strlen(buf);
-
-	if (l > region.length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(region.base, buf, l);
-	isc_buffer_add(target, l);
-	return (ISC_R_SUCCESS);
-}
-
-isc_int64_t
-dns_time64_from32(isc_uint32_t value) {
-	isc_stdtime_t now;
-	isc_int64_t start;
-	isc_int64_t t;
-
-	/*
-	 * Adjust the time to the closest epoch.  This should be changed
-	 * to use a 64-bit counterpart to isc_stdtime_get() if one ever
-	 * is defined, but even the current code is good until the year
-	 * 2106.
-	 */
-	isc_stdtime_get(&now);
-	start = (isc_int64_t) now;
-	if (isc_serial_gt(value, now))
-		t = start + (value - now);
-	else
-		t = start - (now - value);
-
-	return (t);
-}
-
-isc_result_t
-dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) {
-	return (dns_time64_totext(dns_time64_from32(value), target));
-}
-
-isc_result_t
-dns_time64_fromtext(const char *source, isc_int64_t *target) {
-	int year, month, day, hour, minute, second;
-	isc_int64_t value;
-	int secs;
-	int i;
-
-#define RANGE(min, max, value) \
-	do { \
-		if (value < (min) || value > (max)) \
-			return (ISC_R_RANGE); \
-	} while (0)
-
-	if (strlen(source) != 14U)
-		return (DNS_R_SYNTAX);
-	/*
-	 * Confirm the source only consists digits.  sscanf() allows some
-	 * minor exceptions.
-	 */
-	for (i = 0; i < 14; i++) {
-		if (!isdigit((unsigned char)source[i]))
-			return (DNS_R_SYNTAX);
-	}
-	if (sscanf(source, "%4d%2d%2d%2d%2d%2d",
-		   &year, &month, &day, &hour, &minute, &second) != 6)
-		return (DNS_R_SYNTAX);
-
-	RANGE(0, 9999, year);
-	RANGE(1, 12, month);
-	RANGE(1, days[month - 1] +
-		 ((month == 2 && is_leap(year)) ? 1 : 0), day);
-	RANGE(0, 23, hour);
-	RANGE(0, 59, minute);
-	RANGE(0, 60, second);		/* 60 == leap second. */
-
-	/*
-	 * Calculate seconds from epoch.
-	 * Note: this uses a idealized calendar.
-	 */
-	value = second + (60 * minute) + (3600 * hour) + ((day - 1) * 86400);
-	for (i = 0; i < (month - 1); i++)
-		value += days[i] * 86400;
-	if (is_leap(year) && month > 2)
-		value += 86400;
-	if (year < 1970) {
-		for (i = 1969; i >= year; i--) {
-			secs = (is_leap(i) ? 366 : 365) * 86400;
-			value -= secs;
-		}
-	} else {
-		for (i = 1970; i < year; i++) {
-			secs = (is_leap(i) ? 366 : 365) * 86400;
-			value += secs;
-		}
-	}
-
-	*target = value;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_time32_fromtext(const char *source, isc_uint32_t *target) {
-	isc_int64_t value64;
-	isc_result_t result;
-	result = dns_time64_fromtext(source, &value64);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	*target = (isc_uint32_t)value64;
-
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/timer.c b/contrib/bind9/lib/dns/timer.c
deleted file mode 100644
index 39e4551..0000000
--- a/contrib/bind9/lib/dns/timer.c
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer.c,v 1.7 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/result.h>
-#include <isc/time.h>
-#include <isc/timer.h>
-
-#include <dns/types.h>
-#include <dns/timer.h>
-
-#define CHECK(op) \
-	do { result = (op);					\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-isc_result_t
-dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
-		  unsigned int idletime, isc_boolean_t purge)
-{
-	isc_result_t result;
-	isc_interval_t maxinterval, idleinterval;
-	isc_time_t expires;
-
-	/* Compute the time of expiry. */
-	isc_interval_set(&maxinterval, maxtime, 0);
-	CHECK(isc_time_nowplusinterval(&expires, &maxinterval));
-
-	/*
-	 * Compute the idle interval, and add a spare nanosecond to
-	 * work around the silly limitation of the ISC timer interface
-	 * that you cannot specify an idle interval of zero.
-	 */
-	isc_interval_set(&idleinterval, idletime, 1);
-
-	CHECK(isc_timer_reset(timer, isc_timertype_once,
-			      &expires, &idleinterval,
-			      purge));
- failure:
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/tkey.c b/contrib/bind9/lib/dns/tkey.c
deleted file mode 100644
index 161c188..0000000
--- a/contrib/bind9/lib/dns/tkey.c
+++ /dev/null
@@ -1,1460 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id$
- */
-/*! \file */
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/entropy.h>
-#include <isc/md5.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/tkey.h>
-#include <dns/tsig.h>
-
-#include <dst/dst.h>
-#include <dst/gssapi.h>
-
-#define TKEY_RANDOM_AMOUNT 16
-
-#define RETERR(x) do { \
-	result = (x); \
-	if (result != ISC_R_SUCCESS) \
-		goto failure; \
-	} while (0)
-
-static void
-tkey_log(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
-
-static void
-tkey_log(const char *fmt, ...) {
-	va_list ap;
-
-	va_start(ap, fmt);
-	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-		       DNS_LOGMODULE_REQUEST, ISC_LOG_DEBUG(4), fmt, ap);
-	va_end(ap);
-}
-
-static void
-_dns_tkey_dumpmessage(dns_message_t *msg) {
-	isc_buffer_t outbuf;
-	unsigned char output[4096];
-	isc_result_t result;
-
-	isc_buffer_init(&outbuf, output, sizeof(output));
-	result = dns_message_totext(msg, &dns_master_style_debug, 0,
-				    &outbuf);
-	if (result != ISC_R_SUCCESS)
-		fprintf(stderr, "Warning: dns_message_totext returned: %s\n",
-			dns_result_totext(result));
-	fprintf(stderr, "%.*s\n", (int)isc_buffer_usedlength(&outbuf),
-		(char *)isc_buffer_base(&outbuf));
-}
-
-isc_result_t
-dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
-{
-	dns_tkeyctx_t *tctx;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(ectx != NULL);
-	REQUIRE(tctxp != NULL && *tctxp == NULL);
-
-	tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
-	if (tctx == NULL)
-		return (ISC_R_NOMEMORY);
-	tctx->mctx = NULL;
-	isc_mem_attach(mctx, &tctx->mctx);
-	tctx->ectx = NULL;
-	isc_entropy_attach(ectx, &tctx->ectx);
-	tctx->dhkey = NULL;
-	tctx->domain = NULL;
-	tctx->gsscred = NULL;
-	tctx->gssapi_keytab = NULL;
-
-	*tctxp = tctx;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
-	isc_mem_t *mctx;
-	dns_tkeyctx_t *tctx;
-
-	REQUIRE(tctxp != NULL && *tctxp != NULL);
-
-	tctx = *tctxp;
-	mctx = tctx->mctx;
-
-	if (tctx->dhkey != NULL)
-		dst_key_free(&tctx->dhkey);
-	if (tctx->domain != NULL) {
-		if (dns_name_dynamic(tctx->domain))
-			dns_name_free(tctx->domain, mctx);
-		isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
-	}
-	if (tctx->gssapi_keytab != NULL) {
-		isc_mem_free(mctx, tctx->gssapi_keytab);
-	}
-	if (tctx->gsscred != NULL)
-		dst_gssapi_releasecred(&tctx->gsscred);
-	isc_entropy_detach(&tctx->ectx);
-	isc_mem_put(mctx, tctx, sizeof(dns_tkeyctx_t));
-	isc_mem_detach(&mctx);
-	*tctxp = NULL;
-}
-
-static isc_result_t
-add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
-		isc_uint32_t ttl, dns_namelist_t *namelist)
-{
-	isc_result_t result;
-	isc_region_t r, newr;
-	dns_rdata_t *newrdata = NULL;
-	dns_name_t *newname = NULL;
-	dns_rdatalist_t *newlist = NULL;
-	dns_rdataset_t *newset = NULL;
-	isc_buffer_t *tmprdatabuf = NULL;
-
-	RETERR(dns_message_gettemprdata(msg, &newrdata));
-
-	dns_rdata_toregion(rdata, &r);
-	RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length));
-	isc_buffer_availableregion(tmprdatabuf, &newr);
-	memcpy(newr.base, r.base, r.length);
-	dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
-	dns_message_takebuffer(msg, &tmprdatabuf);
-
-	RETERR(dns_message_gettempname(msg, &newname));
-	dns_name_init(newname, NULL);
-	RETERR(dns_name_dup(name, msg->mctx, newname));
-
-	RETERR(dns_message_gettemprdatalist(msg, &newlist));
-	newlist->rdclass = newrdata->rdclass;
-	newlist->type = newrdata->type;
-	newlist->covers = 0;
-	newlist->ttl = ttl;
-	ISC_LIST_INIT(newlist->rdata);
-	ISC_LIST_APPEND(newlist->rdata, newrdata, link);
-
-	RETERR(dns_message_gettemprdataset(msg, &newset));
-	dns_rdataset_init(newset);
-	RETERR(dns_rdatalist_tordataset(newlist, newset));
-
-	ISC_LIST_INIT(newname->list);
-	ISC_LIST_APPEND(newname->list, newset, link);
-
-	ISC_LIST_APPEND(*namelist, newname, link);
-
-	return (ISC_R_SUCCESS);
-
- failure:
-	if (newrdata != NULL) {
-		if (ISC_LINK_LINKED(newrdata, link)) {
-			INSIST(newlist != NULL);
-			ISC_LIST_UNLINK(newlist->rdata, newrdata, link);
-		}
-		dns_message_puttemprdata(msg, &newrdata);
-	}
-	if (newname != NULL)
-		dns_message_puttempname(msg, &newname);
-	if (newset != NULL) {
-		dns_rdataset_disassociate(newset);
-		dns_message_puttemprdataset(msg, &newset);
-	}
-	if (newlist != NULL)
-		dns_message_puttemprdatalist(msg, &newlist);
-	return (result);
-}
-
-static void
-free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
-	dns_name_t *name;
-	dns_rdataset_t *set;
-
-	while (!ISC_LIST_EMPTY(*namelist)) {
-		name = ISC_LIST_HEAD(*namelist);
-		ISC_LIST_UNLINK(*namelist, name, link);
-		while (!ISC_LIST_EMPTY(name->list)) {
-			set = ISC_LIST_HEAD(name->list);
-			ISC_LIST_UNLINK(name->list, set, link);
-			dns_message_puttemprdataset(msg, &set);
-		}
-		dns_message_puttempname(msg, &name);
-	}
-}
-
-static isc_result_t
-compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
-	       isc_region_t *serverrandomness, isc_buffer_t *secret)
-{
-	isc_md5_t md5ctx;
-	isc_region_t r, r2;
-	unsigned char digests[32];
-	unsigned int i;
-
-	isc_buffer_usedregion(shared, &r);
-
-	/*
-	 * MD5 ( query data | DH value ).
-	 */
-	isc_md5_init(&md5ctx);
-	isc_md5_update(&md5ctx, queryrandomness->base,
-		       queryrandomness->length);
-	isc_md5_update(&md5ctx, r.base, r.length);
-	isc_md5_final(&md5ctx, digests);
-
-	/*
-	 * MD5 ( server data | DH value ).
-	 */
-	isc_md5_init(&md5ctx);
-	isc_md5_update(&md5ctx, serverrandomness->base,
-		       serverrandomness->length);
-	isc_md5_update(&md5ctx, r.base, r.length);
-	isc_md5_final(&md5ctx, &digests[ISC_MD5_DIGESTLENGTH]);
-
-	/*
-	 * XOR ( DH value, MD5-1 | MD5-2).
-	 */
-	isc_buffer_availableregion(secret, &r);
-	isc_buffer_usedregion(shared, &r2);
-	if (r.length < sizeof(digests) || r.length < r2.length)
-		return (ISC_R_NOSPACE);
-	if (r2.length > sizeof(digests)) {
-		memcpy(r.base, r2.base, r2.length);
-		for (i = 0; i < sizeof(digests); i++)
-			r.base[i] ^= digests[i];
-		isc_buffer_add(secret, r2.length);
-	} else {
-		memcpy(r.base, digests, sizeof(digests));
-		for (i = 0; i < r2.length; i++)
-			r.base[i] ^= r2.base[i];
-		isc_buffer_add(secret, sizeof(digests));
-	}
-	return (ISC_R_SUCCESS);
-
-}
-
-static isc_result_t
-process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
-	       dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
-	       dns_rdata_tkey_t *tkeyout,
-	       dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_name_t *keyname, ourname;
-	dns_rdataset_t *keyset = NULL;
-	dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
-	isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
-	dst_key_t *pubkey = NULL;
-	isc_buffer_t ourkeybuf, *shared = NULL;
-	isc_region_t r, r2, ourkeyr;
-	unsigned char keydata[DST_KEY_MAXSIZE];
-	unsigned int sharedsize;
-	isc_buffer_t secret;
-	unsigned char *randomdata = NULL, secretdata[256];
-	dns_ttl_t ttl = 0;
-
-	if (tctx->dhkey == NULL) {
-		tkey_log("process_dhtkey: tkey-dhkey not defined");
-		tkeyout->error = dns_tsigerror_badalg;
-		return (DNS_R_REFUSED);
-	}
-
-	if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
-		tkey_log("process_dhtkey: algorithms other than "
-			 "hmac-md5 are not supported");
-		tkeyout->error = dns_tsigerror_badalg;
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * Look for a DH KEY record that will work with ours.
-	 */
-	for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
-	     result == ISC_R_SUCCESS && !found_key;
-	     result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
-		keyname = NULL;
-		dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
-		keyset = NULL;
-		result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
-					      &keyset);
-		if (result != ISC_R_SUCCESS)
-			continue;
-
-		for (result = dns_rdataset_first(keyset);
-		     result == ISC_R_SUCCESS && !found_key;
-		     result = dns_rdataset_next(keyset)) {
-			dns_rdataset_current(keyset, &keyrdata);
-			pubkey = NULL;
-			result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
-							 msg->mctx, &pubkey);
-			if (result != ISC_R_SUCCESS) {
-				dns_rdata_reset(&keyrdata);
-				continue;
-			}
-			if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
-				if (dst_key_paramcompare(pubkey, tctx->dhkey))
-				{
-					found_key = ISC_TRUE;
-					ttl = keyset->ttl;
-					break;
-				} else
-					found_incompatible = ISC_TRUE;
-			}
-			dst_key_free(&pubkey);
-			dns_rdata_reset(&keyrdata);
-		}
-	}
-
-	if (!found_key) {
-		if (found_incompatible) {
-			tkey_log("process_dhtkey: found an incompatible key");
-			tkeyout->error = dns_tsigerror_badkey;
-			return (ISC_R_SUCCESS);
-		} else {
-			tkey_log("process_dhtkey: failed to find a key");
-			return (DNS_R_FORMERR);
-		}
-	}
-
-	RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
-
-	isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
-	RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
-	isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
-	dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
-			     dns_rdatatype_key, &ourkeyr);
-
-	dns_name_init(&ourname, NULL);
-	dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
-
-	/*
-	 * XXXBEW The TTL should be obtained from the database, if it exists.
-	 */
-	RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
-
-	RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
-	RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
-
-	result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
-	if (result != ISC_R_SUCCESS) {
-		tkey_log("process_dhtkey: failed to compute shared secret: %s",
-			 isc_result_totext(result));
-		goto failure;
-	}
-	dst_key_free(&pubkey);
-
-	isc_buffer_init(&secret, secretdata, sizeof(secretdata));
-
-	randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
-	if (randomdata == NULL)
-		goto failure;
-
-	result = isc_entropy_getdata(tctx->ectx, randomdata,
-				     TKEY_RANDOM_AMOUNT, NULL, 0);
-	if (result != ISC_R_SUCCESS) {
-		tkey_log("process_dhtkey: failed to obtain entropy: %s",
-			 isc_result_totext(result));
-		goto failure;
-	}
-
-	r.base = randomdata;
-	r.length = TKEY_RANDOM_AMOUNT;
-	r2.base = tkeyin->key;
-	r2.length = tkeyin->keylen;
-	RETERR(compute_secret(shared, &r2, &r, &secret));
-	isc_buffer_free(&shared);
-
-	RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
-				  isc_buffer_base(&secret),
-				  isc_buffer_usedlength(&secret),
-				  ISC_TRUE, signer, tkeyin->inception,
-				  tkeyin->expire, ring->mctx, ring, NULL));
-
-	/* This key is good for a long time */
-	tkeyout->inception = tkeyin->inception;
-	tkeyout->expire = tkeyin->expire;
-
-	tkeyout->key = randomdata;
-	tkeyout->keylen = TKEY_RANDOM_AMOUNT;
-
-	return (ISC_R_SUCCESS);
-
- failure:
-	if (!ISC_LIST_EMPTY(*namelist))
-		free_namelist(msg, namelist);
-	if (shared != NULL)
-		isc_buffer_free(&shared);
-	if (pubkey != NULL)
-		dst_key_free(&pubkey);
-	if (randomdata != NULL)
-		isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
-	return (result);
-}
-
-static isc_result_t
-process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
-		dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
-		dns_tsig_keyring_t *ring)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dst_key_t *dstkey = NULL;
-	dns_tsigkey_t *tsigkey = NULL;
-	dns_fixedname_t principal;
-	isc_stdtime_t now;
-	isc_region_t intoken;
-	isc_buffer_t *outtoken = NULL;
-	gss_ctx_id_t gss_ctx = NULL;
-
-	/*
-	 * You have to define either a gss credential (principal) to
-	 * accept with tkey-gssapi-credential, or you have to
-	 * configure a specific keytab (with tkey-gssapi-keytab) in
-	 * order to use gsstkey
-	 */
-	if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
-		tkey_log("process_gsstkey(): no tkey-gssapi-credential "
-			 "or tkey-gssapi-keytab configured");
-		return (ISC_R_NOPERM);
-	}
-
-	if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
-	    !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
-		tkeyout->error = dns_tsigerror_badalg;
-		tkey_log("process_gsstkey(): dns_tsigerror_badalg");	/* XXXSRA */
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * XXXDCL need to check for key expiry per 4.1.1
-	 * XXXDCL need a way to check fully established, perhaps w/key_flags
-	 */
-
-	intoken.base = tkeyin->key;
-	intoken.length = tkeyin->keylen;
-
-	result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
-	if (result == ISC_R_SUCCESS)
-		gss_ctx = dst_key_getgssctx(tsigkey->key);
-
-	dns_fixedname_init(&principal);
-
-	/*
-	 * Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
-	 */
-	result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab,
-				      &intoken,
-				      &outtoken, &gss_ctx,
-				      dns_fixedname_name(&principal),
-				      tctx->mctx);
-	if (result == DNS_R_INVALIDTKEY) {
-		if (tsigkey != NULL)
-			dns_tsigkey_detach(&tsigkey);
-		tkeyout->error = dns_tsigerror_badkey;
-		tkey_log("process_gsstkey(): dns_tsigerror_badkey");    /* XXXSRA */
-		return (ISC_R_SUCCESS);
-	}
-	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
-		goto failure;
-	/*
-	 * XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
-	 */
-
-	isc_stdtime_get(&now);
-
-	if (tsigkey == NULL) {
-#ifdef GSSAPI
-		OM_uint32 gret, minor, lifetime;
-#endif
-		isc_uint32_t expire;
-
-		RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx,
-					  &dstkey, &intoken));
-		/*
-		 * Limit keys to 1 hour or the context's lifetime whichever
-		 * is smaller.
-		 */
-		expire = now + 3600;
-#ifdef GSSAPI
-		gret = gss_context_time(&minor, gss_ctx, &lifetime);
-		if (gret == GSS_S_COMPLETE && now + lifetime < expire)
-			expire = now + lifetime;
-#endif
-		RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
-						 dstkey, ISC_TRUE,
-						 dns_fixedname_name(&principal),
-						 now, expire, ring->mctx, ring,
-						 NULL));
-		dst_key_free(&dstkey);
-		tkeyout->inception = now;
-		tkeyout->expire = expire;
-	} else {
-		tkeyout->inception = tsigkey->inception;
-		tkeyout->expire = tsigkey->expire;
-		dns_tsigkey_detach(&tsigkey);
-	}
-
-	if (outtoken) {
-		tkeyout->key = isc_mem_get(tkeyout->mctx,
-					   isc_buffer_usedlength(outtoken));
-		if (tkeyout->key == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto failure;
-		}
-		tkeyout->keylen = isc_buffer_usedlength(outtoken);
-		memcpy(tkeyout->key, isc_buffer_base(outtoken),
-		       isc_buffer_usedlength(outtoken));
-		isc_buffer_free(&outtoken);
-	} else {
-		tkeyout->key = isc_mem_get(tkeyout->mctx, tkeyin->keylen);
-		if (tkeyout->key == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto failure;
-		}
-		tkeyout->keylen = tkeyin->keylen;
-		memcpy(tkeyout->key, tkeyin->key, tkeyin->keylen);
-	}
-
-	tkeyout->error = dns_rcode_noerror;
-
-	tkey_log("process_gsstkey(): dns_tsigerror_noerror");   /* XXXSRA */
-
-	return (ISC_R_SUCCESS);
-
-failure:
-	if (tsigkey != NULL)
-		dns_tsigkey_detach(&tsigkey);
-
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-
-	if (outtoken != NULL)
-		isc_buffer_free(&outtoken);
-
-	tkey_log("process_gsstkey(): %s",
-		isc_result_totext(result));	/* XXXSRA */
-
-	return (result);
-}
-
-static isc_result_t
-process_deletetkey(dns_name_t *signer, dns_name_t *name,
-		   dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyout,
-		   dns_tsig_keyring_t *ring)
-{
-	isc_result_t result;
-	dns_tsigkey_t *tsigkey = NULL;
-	dns_name_t *identity;
-
-	result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
-	if (result != ISC_R_SUCCESS) {
-		tkeyout->error = dns_tsigerror_badname;
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * Only allow a delete if the identity that created the key is the
-	 * same as the identity that signed the message.
-	 */
-	identity = dns_tsigkey_identity(tsigkey);
-	if (identity == NULL || !dns_name_equal(identity, signer)) {
-		dns_tsigkey_detach(&tsigkey);
-		return (DNS_R_REFUSED);
-	}
-
-	/*
-	 * Set the key to be deleted when no references are left.  If the key
-	 * was not generated with TKEY and is in the config file, it may be
-	 * reloaded later.
-	 */
-	dns_tsigkey_setdeleted(tsigkey);
-
-	/* Release the reference */
-	dns_tsigkey_detach(&tsigkey);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
-		      dns_tsig_keyring_t *ring)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_rdata_tkey_t tkeyin, tkeyout;
-	isc_boolean_t freetkeyin = ISC_FALSE;
-	dns_name_t *qname, *name, *keyname, *signer, tsigner;
-	dns_fixedname_t fkeyname;
-	dns_rdataset_t *tkeyset;
-	dns_rdata_t rdata;
-	dns_namelist_t namelist;
-	char tkeyoutdata[512];
-	isc_buffer_t tkeyoutbuf;
-
-	REQUIRE(msg != NULL);
-	REQUIRE(tctx != NULL);
-	REQUIRE(ring != NULL);
-
-	ISC_LIST_INIT(namelist);
-
-	/*
-	 * Interpret the question section.
-	 */
-	result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
-	if (result != ISC_R_SUCCESS)
-		return (DNS_R_FORMERR);
-
-	qname = NULL;
-	dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
-
-	/*
-	 * Look for a TKEY record that matches the question.
-	 */
-	tkeyset = NULL;
-	name = NULL;
-	result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
-				      dns_rdatatype_tkey, 0, &name, &tkeyset);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * Try the answer section, since that's where Win2000
-		 * puts it.
-		 */
-		if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
-					 dns_rdatatype_tkey, 0, &name,
-					 &tkeyset) != ISC_R_SUCCESS) {
-			result = DNS_R_FORMERR;
-			tkey_log("dns_tkey_processquery: couldn't find a TKEY "
-				 "matching the question");
-			goto failure;
-		}
-	}
-	result = dns_rdataset_first(tkeyset);
-	if (result != ISC_R_SUCCESS) {
-		result = DNS_R_FORMERR;
-		goto failure;
-	}
-	dns_rdata_init(&rdata);
-	dns_rdataset_current(tkeyset, &rdata);
-
-	RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
-	freetkeyin = ISC_TRUE;
-
-	if (tkeyin.error != dns_rcode_noerror) {
-		result = DNS_R_FORMERR;
-		goto failure;
-	}
-
-	/*
-	 * Before we go any farther, verify that the message was signed.
-	 * GSSAPI TKEY doesn't require a signature, the rest do.
-	 */
-	dns_name_init(&tsigner, NULL);
-	result = dns_message_signer(msg, &tsigner);
-	if (result != ISC_R_SUCCESS) {
-		if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
-		    result == ISC_R_NOTFOUND)
-		       signer = NULL;
-		else {
-			tkey_log("dns_tkey_processquery: query was not "
-				 "properly signed - rejecting");
-			result = DNS_R_FORMERR;
-			goto failure;
-		}
-	} else
-		signer = &tsigner;
-
-	tkeyout.common.rdclass = tkeyin.common.rdclass;
-	tkeyout.common.rdtype = tkeyin.common.rdtype;
-	ISC_LINK_INIT(&tkeyout.common, link);
-	tkeyout.mctx = msg->mctx;
-
-	dns_name_init(&tkeyout.algorithm, NULL);
-	dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
-
-	tkeyout.inception = tkeyout.expire = 0;
-	tkeyout.mode = tkeyin.mode;
-	tkeyout.error = 0;
-	tkeyout.keylen = tkeyout.otherlen = 0;
-	tkeyout.key = tkeyout.other = NULL;
-
-	/*
-	 * A delete operation must have a fully specified key name.  If this
-	 * is not a delete, we do the following:
-	 * if (qname != ".")
-	 *	keyname = qname + defaultdomain
-	 * else
-	 *	keyname = <random hex> + defaultdomain
-	 */
-	if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
-		dns_tsigkey_t *tsigkey = NULL;
-
-		if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI) {
-			tkey_log("dns_tkey_processquery: tkey-domain not set");
-			result = DNS_R_REFUSED;
-			goto failure;
-		}
-
-		dns_fixedname_init(&fkeyname);
-		keyname = dns_fixedname_name(&fkeyname);
-
-		if (!dns_name_equal(qname, dns_rootname)) {
-			unsigned int n = dns_name_countlabels(qname);
-			RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
-				      == ISC_R_SUCCESS);
-			dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
-		} else {
-			static char hexdigits[16] = {
-				'0', '1', '2', '3', '4', '5', '6', '7',
-				'8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
-			unsigned char randomdata[16];
-			char randomtext[32];
-			isc_buffer_t b;
-			unsigned int i, j;
-
-			result = isc_entropy_getdata(tctx->ectx,
-						     randomdata,
-						     sizeof(randomdata),
-						     NULL, 0);
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-
-			for (i = 0, j = 0; i < sizeof(randomdata); i++) {
-				unsigned char val = randomdata[i];
-				randomtext[j++] = hexdigits[val >> 4];
-				randomtext[j++] = hexdigits[val & 0xF];
-			}
-			isc_buffer_init(&b, randomtext, sizeof(randomtext));
-			isc_buffer_add(&b, sizeof(randomtext));
-			result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-		}
-
-		if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
-			/* Yup.  This is a hack */
-			result = dns_name_concatenate(keyname, dns_rootname,
-						      keyname, NULL);
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-		} else {
-			result = dns_name_concatenate(keyname, tctx->domain,
-						      keyname, NULL);
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-		}
-
-		result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
-
-		if (result == ISC_R_SUCCESS) {
-			tkeyout.error = dns_tsigerror_badname;
-			dns_tsigkey_detach(&tsigkey);
-			goto failure_with_tkey;
-		} else if (result != ISC_R_NOTFOUND)
-			goto failure;
-	} else
-		keyname = qname;
-
-	switch (tkeyin.mode) {
-		case DNS_TKEYMODE_DIFFIEHELLMAN:
-			tkeyout.error = dns_rcode_noerror;
-			RETERR(process_dhtkey(msg, signer, keyname, &tkeyin,
-					      tctx, &tkeyout, ring,
-					      &namelist));
-			break;
-		case DNS_TKEYMODE_GSSAPI:
-			tkeyout.error = dns_rcode_noerror;
-			RETERR(process_gsstkey(keyname, &tkeyin, tctx,
-					       &tkeyout, ring));
-			break;
-		case DNS_TKEYMODE_DELETE:
-			tkeyout.error = dns_rcode_noerror;
-			RETERR(process_deletetkey(signer, keyname, &tkeyin,
-						  &tkeyout, ring));
-			break;
-		case DNS_TKEYMODE_SERVERASSIGNED:
-		case DNS_TKEYMODE_RESOLVERASSIGNED:
-			result = DNS_R_NOTIMP;
-			goto failure;
-		default:
-			tkeyout.error = dns_tsigerror_badmode;
-	}
-
- failure_with_tkey:
-	dns_rdata_init(&rdata);
-	isc_buffer_init(&tkeyoutbuf, tkeyoutdata, sizeof(tkeyoutdata));
-	result = dns_rdata_fromstruct(&rdata, tkeyout.common.rdclass,
-				      tkeyout.common.rdtype, &tkeyout,
-				      &tkeyoutbuf);
-
-	if (freetkeyin) {
-		dns_rdata_freestruct(&tkeyin);
-		freetkeyin = ISC_FALSE;
-	}
-
-	if (tkeyout.key != NULL)
-		isc_mem_put(tkeyout.mctx, tkeyout.key, tkeyout.keylen);
-	if (tkeyout.other != NULL)
-		isc_mem_put(tkeyout.mctx, tkeyout.other, tkeyout.otherlen);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	RETERR(add_rdata_to_list(msg, keyname, &rdata, 0, &namelist));
-
-	RETERR(dns_message_reply(msg, ISC_TRUE));
-
-	name = ISC_LIST_HEAD(namelist);
-	while (name != NULL) {
-		dns_name_t *next = ISC_LIST_NEXT(name, link);
-		ISC_LIST_UNLINK(namelist, name, link);
-		dns_message_addname(msg, name, DNS_SECTION_ANSWER);
-		name = next;
-	}
-
-	return (ISC_R_SUCCESS);
-
- failure:
-	if (freetkeyin)
-		dns_rdata_freestruct(&tkeyin);
-	if (!ISC_LIST_EMPTY(namelist))
-		free_namelist(msg, &namelist);
-	return (result);
-}
-
-static isc_result_t
-buildquery(dns_message_t *msg, dns_name_t *name,
-	   dns_rdata_tkey_t *tkey, isc_boolean_t win2k)
-{
-	dns_name_t *qname = NULL, *aname = NULL;
-	dns_rdataset_t *question = NULL, *tkeyset = NULL;
-	dns_rdatalist_t *tkeylist = NULL;
-	dns_rdata_t *rdata = NULL;
-	isc_buffer_t *dynbuf = NULL;
-	isc_result_t result;
-
-	REQUIRE(msg != NULL);
-	REQUIRE(name != NULL);
-	REQUIRE(tkey != NULL);
-
-	RETERR(dns_message_gettempname(msg, &qname));
-	RETERR(dns_message_gettempname(msg, &aname));
-
-	RETERR(dns_message_gettemprdataset(msg, &question));
-	dns_rdataset_init(question);
-	dns_rdataset_makequestion(question, dns_rdataclass_any,
-				  dns_rdatatype_tkey);
-
-	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 4096));
-	RETERR(dns_message_gettemprdata(msg, &rdata));
-
-	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
-				    dns_rdatatype_tkey, tkey, dynbuf));
-	dns_message_takebuffer(msg, &dynbuf);
-
-	RETERR(dns_message_gettemprdatalist(msg, &tkeylist));
-	tkeylist->rdclass = dns_rdataclass_any;
-	tkeylist->type = dns_rdatatype_tkey;
-	tkeylist->covers = 0;
-	tkeylist->ttl = 0;
-	ISC_LIST_INIT(tkeylist->rdata);
-	ISC_LIST_APPEND(tkeylist->rdata, rdata, link);
-
-	RETERR(dns_message_gettemprdataset(msg, &tkeyset));
-	dns_rdataset_init(tkeyset);
-	RETERR(dns_rdatalist_tordataset(tkeylist, tkeyset));
-
-	dns_name_init(qname, NULL);
-	dns_name_clone(name, qname);
-
-	dns_name_init(aname, NULL);
-	dns_name_clone(name, aname);
-
-	ISC_LIST_APPEND(qname->list, question, link);
-	ISC_LIST_APPEND(aname->list, tkeyset, link);
-
-	dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
-
-	/*
-	 * Windows 2000 needs this in the answer section, not the additional
-	 * section where the RFC specifies.
-	 */
-	if (win2k)
-		dns_message_addname(msg, aname, DNS_SECTION_ANSWER);
-	else
-		dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
-
-	return (ISC_R_SUCCESS);
-
- failure:
-	if (qname != NULL)
-		dns_message_puttempname(msg, &qname);
-	if (aname != NULL)
-		dns_message_puttempname(msg, &aname);
-	if (question != NULL) {
-		dns_rdataset_disassociate(question);
-		dns_message_puttemprdataset(msg, &question);
-	}
-	if (dynbuf != NULL)
-		isc_buffer_free(&dynbuf);
-	printf("buildquery error\n");
-	return (result);
-}
-
-isc_result_t
-dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
-		      dns_name_t *algorithm, isc_buffer_t *nonce,
-		      isc_uint32_t lifetime)
-{
-	dns_rdata_tkey_t tkey;
-	dns_rdata_t *rdata = NULL;
-	isc_buffer_t *dynbuf = NULL;
-	isc_region_t r;
-	dns_name_t keyname;
-	dns_namelist_t namelist;
-	isc_result_t result;
-	isc_stdtime_t now;
-
-	REQUIRE(msg != NULL);
-	REQUIRE(key != NULL);
-	REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
-	REQUIRE(dst_key_isprivate(key));
-	REQUIRE(name != NULL);
-	REQUIRE(algorithm != NULL);
-
-	tkey.common.rdclass = dns_rdataclass_any;
-	tkey.common.rdtype = dns_rdatatype_tkey;
-	ISC_LINK_INIT(&tkey.common, link);
-	tkey.mctx = msg->mctx;
-	dns_name_init(&tkey.algorithm, NULL);
-	dns_name_clone(algorithm, &tkey.algorithm);
-	isc_stdtime_get(&now);
-	tkey.inception = now;
-	tkey.expire = now + lifetime;
-	tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
-	if (nonce != NULL)
-		isc_buffer_usedregion(nonce, &r);
-	else {
-		r.base = isc_mem_get(msg->mctx, 0);
-		r.length = 0;
-	}
-	tkey.error = 0;
-	tkey.key = r.base;
-	tkey.keylen =  r.length;
-	tkey.other = NULL;
-	tkey.otherlen = 0;
-
-	RETERR(buildquery(msg, name, &tkey, ISC_FALSE));
-
-	if (nonce == NULL)
-		isc_mem_put(msg->mctx, r.base, 0);
-
-	RETERR(dns_message_gettemprdata(msg, &rdata));
-	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
-	RETERR(dst_key_todns(key, dynbuf));
-	isc_buffer_usedregion(dynbuf, &r);
-	dns_rdata_fromregion(rdata, dns_rdataclass_any,
-			     dns_rdatatype_key, &r);
-	dns_message_takebuffer(msg, &dynbuf);
-
-	dns_name_init(&keyname, NULL);
-	dns_name_clone(dst_key_name(key), &keyname);
-
-	ISC_LIST_INIT(namelist);
-	RETERR(add_rdata_to_list(msg, &keyname, rdata, 0, &namelist));
-	name = ISC_LIST_HEAD(namelist);
-	while (name != NULL) {
-		dns_name_t *next = ISC_LIST_NEXT(name, link);
-		ISC_LIST_UNLINK(namelist, name, link);
-		dns_message_addname(msg, name, DNS_SECTION_ADDITIONAL);
-		name = next;
-	}
-
-	return (ISC_R_SUCCESS);
-
- failure:
-
-	if (dynbuf != NULL)
-		isc_buffer_free(&dynbuf);
-	return (result);
-}
-
-isc_result_t
-dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
-		       isc_buffer_t *intoken, isc_uint32_t lifetime,
-		       gss_ctx_id_t *context, isc_boolean_t win2k,
-		       isc_mem_t *mctx, char **err_message)
-{
-	dns_rdata_tkey_t tkey;
-	isc_result_t result;
-	isc_stdtime_t now;
-	isc_buffer_t token;
-	unsigned char array[4096];
-
-	UNUSED(intoken);
-
-	REQUIRE(msg != NULL);
-	REQUIRE(name != NULL);
-	REQUIRE(gname != NULL);
-	REQUIRE(context != NULL);
-	REQUIRE(mctx != NULL);
-
-	isc_buffer_init(&token, array, sizeof(array));
-	result = dst_gssapi_initctx(gname, NULL, &token, context,
-				    mctx, err_message);
-	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
-		return (result);
-
-	tkey.common.rdclass = dns_rdataclass_any;
-	tkey.common.rdtype = dns_rdatatype_tkey;
-	ISC_LINK_INIT(&tkey.common, link);
-	tkey.mctx = NULL;
-	dns_name_init(&tkey.algorithm, NULL);
-
-	if (win2k)
-		dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
-	else
-		dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
-
-	isc_stdtime_get(&now);
-	tkey.inception = now;
-	tkey.expire = now + lifetime;
-	tkey.mode = DNS_TKEYMODE_GSSAPI;
-	tkey.error = 0;
-	tkey.key = isc_buffer_base(&token);
-	tkey.keylen = isc_buffer_usedlength(&token);
-	tkey.other = NULL;
-	tkey.otherlen = 0;
-
-	RETERR(buildquery(msg, name, &tkey, win2k));
-
-	return (ISC_R_SUCCESS);
-
- failure:
-	return (result);
-}
-
-isc_result_t
-dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
-	dns_rdata_tkey_t tkey;
-
-	REQUIRE(msg != NULL);
-	REQUIRE(key != NULL);
-
-	tkey.common.rdclass = dns_rdataclass_any;
-	tkey.common.rdtype = dns_rdatatype_tkey;
-	ISC_LINK_INIT(&tkey.common, link);
-	tkey.mctx = msg->mctx;
-	dns_name_init(&tkey.algorithm, NULL);
-	dns_name_clone(key->algorithm, &tkey.algorithm);
-	tkey.inception = tkey.expire = 0;
-	tkey.mode = DNS_TKEYMODE_DELETE;
-	tkey.error = 0;
-	tkey.keylen = tkey.otherlen = 0;
-	tkey.key = tkey.other = NULL;
-
-	return (buildquery(msg, &key->name, &tkey, ISC_FALSE));
-}
-
-static isc_result_t
-find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
-	  int section)
-{
-	dns_rdataset_t *tkeyset;
-	isc_result_t result;
-
-	result = dns_message_firstname(msg, section);
-	while (result == ISC_R_SUCCESS) {
-		*name = NULL;
-		dns_message_currentname(msg, section, name);
-		tkeyset = NULL;
-		result = dns_message_findtype(*name, dns_rdatatype_tkey, 0,
-					      &tkeyset);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_rdataset_first(tkeyset);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			dns_rdataset_current(tkeyset, rdata);
-			return (ISC_R_SUCCESS);
-		}
-		result = dns_message_nextname(msg, section);
-	}
-	if (result == ISC_R_NOMORE)
-		return (ISC_R_NOTFOUND);
-	return (result);
-}
-
-isc_result_t
-dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			   dst_key_t *key, isc_buffer_t *nonce,
-			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
-{
-	dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
-	dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
-	dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
-	dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
-	dst_key_t *theirkey = NULL;
-	dns_rdata_tkey_t qtkey, rtkey;
-	unsigned char secretdata[256];
-	unsigned int sharedsize;
-	isc_buffer_t *shared = NULL, secret;
-	isc_region_t r, r2;
-	isc_result_t result;
-	isc_boolean_t freertkey = ISC_FALSE;
-
-	REQUIRE(qmsg != NULL);
-	REQUIRE(rmsg != NULL);
-	REQUIRE(key != NULL);
-	REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
-	REQUIRE(dst_key_isprivate(key));
-	if (outkey != NULL)
-		REQUIRE(*outkey == NULL);
-
-	if (rmsg->rcode != dns_rcode_noerror)
-		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
-	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
-	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
-	freertkey = ISC_TRUE;
-
-	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
-			 DNS_SECTION_ADDITIONAL));
-	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
-	if (rtkey.error != dns_rcode_noerror ||
-	    rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
-	    rtkey.mode != qtkey.mode ||
-	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
-	    rmsg->rcode != dns_rcode_noerror) {
-		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
-			 "or error set(1)");
-		result = DNS_R_INVALIDTKEY;
-		dns_rdata_freestruct(&qtkey);
-		goto failure;
-	}
-
-	dns_rdata_freestruct(&qtkey);
-
-	dns_name_init(&keyname, NULL);
-	dns_name_clone(dst_key_name(key), &keyname);
-
-	ourkeyname = NULL;
-	ourkeyset = NULL;
-	RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
-				    dns_rdatatype_key, 0, &ourkeyname,
-				    &ourkeyset));
-
-	result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
-	while (result == ISC_R_SUCCESS) {
-		theirkeyname = NULL;
-		dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
-					&theirkeyname);
-		if (dns_name_equal(theirkeyname, ourkeyname))
-			goto next;
-		theirkeyset = NULL;
-		result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
-					      0, &theirkeyset);
-		if (result == ISC_R_SUCCESS) {
-			RETERR(dns_rdataset_first(theirkeyset));
-			break;
-		}
- next:
-		result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
-	}
-
-	if (theirkeyset == NULL) {
-		tkey_log("dns_tkey_processdhresponse: failed to find server "
-			 "key");
-		result = ISC_R_NOTFOUND;
-		goto failure;
-	}
-
-	dns_rdataset_current(theirkeyset, &theirkeyrdata);
-	RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata,
-				       rmsg->mctx, &theirkey));
-
-	RETERR(dst_key_secretsize(key, &sharedsize));
-	RETERR(isc_buffer_allocate(rmsg->mctx, &shared, sharedsize));
-
-	RETERR(dst_key_computesecret(theirkey, key, shared));
-
-	isc_buffer_init(&secret, secretdata, sizeof(secretdata));
-
-	r.base = rtkey.key;
-	r.length = rtkey.keylen;
-	if (nonce != NULL)
-		isc_buffer_usedregion(nonce, &r2);
-	else {
-		r2.base = isc_mem_get(rmsg->mctx, 0);
-		r2.length = 0;
-	}
-	RETERR(compute_secret(shared, &r2, &r, &secret));
-	if (nonce == NULL)
-		isc_mem_put(rmsg->mctx, r2.base, 0);
-
-	isc_buffer_usedregion(&secret, &r);
-	result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
-				    r.base, r.length, ISC_TRUE,
-				    NULL, rtkey.inception, rtkey.expire,
-				    rmsg->mctx, ring, outkey);
-	isc_buffer_free(&shared);
-	dns_rdata_freestruct(&rtkey);
-	dst_key_free(&theirkey);
-	return (result);
-
- failure:
-	if (shared != NULL)
-		isc_buffer_free(&shared);
-
-	if (theirkey != NULL)
-		dst_key_free(&theirkey);
-
-	if (freertkey)
-		dns_rdata_freestruct(&rtkey);
-
-	return (result);
-}
-
-isc_result_t
-dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			    dns_name_t *gname, gss_ctx_id_t *context,
-			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
-			    dns_tsig_keyring_t *ring, char **err_message)
-{
-	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
-	dns_name_t *tkeyname;
-	dns_rdata_tkey_t rtkey, qtkey;
-	dst_key_t *dstkey = NULL;
-	isc_buffer_t intoken;
-	isc_result_t result;
-	unsigned char array[1024];
-
-	REQUIRE(outtoken != NULL);
-	REQUIRE(qmsg != NULL);
-	REQUIRE(rmsg != NULL);
-	REQUIRE(gname != NULL);
-	REQUIRE(ring != NULL);
-	if (outkey != NULL)
-		REQUIRE(*outkey == NULL);
-
-	if (rmsg->rcode != dns_rcode_noerror)
-		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
-	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
-	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
-
-	/*
-	 * Win2k puts the item in the ANSWER section, while the RFC
-	 * specifies it should be in the ADDITIONAL section.  Check first
-	 * where it should be, and then where it may be.
-	 */
-	result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
-			   DNS_SECTION_ADDITIONAL);
-	if (result == ISC_R_NOTFOUND)
-		result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
-				   DNS_SECTION_ANSWER);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
-	if (rtkey.error != dns_rcode_noerror ||
-	    rtkey.mode != DNS_TKEYMODE_GSSAPI ||
-	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm)) {
-		tkey_log("dns_tkey_processgssresponse: tkey mode invalid "
-			 "or error set(2) %d", rtkey.error);
-		_dns_tkey_dumpmessage(qmsg);
-		_dns_tkey_dumpmessage(rmsg);
-		result = DNS_R_INVALIDTKEY;
-		goto failure;
-	}
-
-	isc_buffer_init(outtoken, array, sizeof(array));
-	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
-	RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context,
-				  ring->mctx, err_message));
-
-	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
-				  &dstkey, NULL));
-
-	RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
-					 dstkey, ISC_FALSE, NULL,
-					 rtkey.inception, rtkey.expire,
-					 ring->mctx, ring, outkey));
-	dst_key_free(&dstkey);
-	dns_rdata_freestruct(&rtkey);
-	return (result);
-
- failure:
-	/*
-	 * XXXSRA This probably leaks memory from rtkey and qtkey.
-	 */
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-	return (result);
-}
-
-isc_result_t
-dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			       dns_tsig_keyring_t *ring)
-{
-	dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
-	dns_name_t *tkeyname, *tempname;
-	dns_rdata_tkey_t qtkey, rtkey;
-	dns_tsigkey_t *tsigkey = NULL;
-	isc_result_t result;
-
-	REQUIRE(qmsg != NULL);
-	REQUIRE(rmsg != NULL);
-
-	if (rmsg->rcode != dns_rcode_noerror)
-		return(ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
-
-	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
-	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
-
-	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
-			 DNS_SECTION_ADDITIONAL));
-	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
-	if (rtkey.error != dns_rcode_noerror ||
-	    rtkey.mode != DNS_TKEYMODE_DELETE ||
-	    rtkey.mode != qtkey.mode ||
-	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
-	    rmsg->rcode != dns_rcode_noerror) {
-		tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
-			 "or error set(3)");
-		result = DNS_R_INVALIDTKEY;
-		dns_rdata_freestruct(&qtkey);
-		dns_rdata_freestruct(&rtkey);
-		goto failure;
-	}
-
-	dns_rdata_freestruct(&qtkey);
-
-	RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));
-
-	dns_rdata_freestruct(&rtkey);
-
-	/*
-	 * Mark the key as deleted.
-	 */
-	dns_tsigkey_setdeleted(tsigkey);
-	/*
-	 * Release the reference.
-	 */
-	dns_tsigkey_detach(&tsigkey);
-
- failure:
-	return (result);
-}
-
-isc_result_t
-dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
-		      dns_name_t *server, gss_ctx_id_t *context,
-		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
-		      isc_boolean_t win2k, char **err_message)
-{
-	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
-	dns_name_t *tkeyname;
-	dns_rdata_tkey_t rtkey, qtkey;
-	isc_buffer_t intoken, outtoken;
-	dst_key_t *dstkey = NULL;
-	isc_result_t result;
-	unsigned char array[1024];
-
-	REQUIRE(qmsg != NULL);
-	REQUIRE(rmsg != NULL);
-	REQUIRE(server != NULL);
-	if (outkey != NULL)
-		REQUIRE(*outkey == NULL);
-
-	if (rmsg->rcode != dns_rcode_noerror)
-		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
-
-	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
-	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
-
-	if (win2k == ISC_TRUE)
-		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
-				 DNS_SECTION_ANSWER));
-	else
-		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
-				 DNS_SECTION_ADDITIONAL));
-
-	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
-	if (rtkey.error != dns_rcode_noerror ||
-	    rtkey.mode != DNS_TKEYMODE_GSSAPI ||
-	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
-	{
-		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
-			 "or error set(4)");
-		result = DNS_R_INVALIDTKEY;
-		goto failure;
-	}
-
-	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
-	isc_buffer_init(&outtoken, array, sizeof(array));
-
-	result = dst_gssapi_initctx(server, &intoken, &outtoken, context,
-				    ring->mctx, err_message);
-	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
-		return (result);
-
-	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
-				  &dstkey, NULL));
-
-	/*
-	 * XXXSRA This seems confused.  If we got CONTINUE from initctx,
-	 * the GSS negotiation hasn't completed yet, so we can't sign
-	 * anything yet.
-	 */
-
-	RETERR(dns_tsigkey_createfromkey(tkeyname,
-					 (win2k
-					  ? DNS_TSIG_GSSAPIMS_NAME
-					  : DNS_TSIG_GSSAPI_NAME),
-					 dstkey, ISC_TRUE, NULL,
-					 rtkey.inception, rtkey.expire,
-					 ring->mctx, ring, outkey));
-	dst_key_free(&dstkey);
-	dns_rdata_freestruct(&rtkey);
-	return (result);
-
- failure:
-	/*
-	 * XXXSRA This probably leaks memory from qtkey.
-	 */
-	dns_rdata_freestruct(&rtkey);
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-	return (result);
-}
diff --git a/contrib/bind9/lib/dns/tsec.c b/contrib/bind9/lib/dns/tsec.c
deleted file mode 100644
index bfa6195..0000000
--- a/contrib/bind9/lib/dns/tsec.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsec.c,v 1.7 2010/12/09 00:54:34 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-
-#include <dns/tsec.h>
-#include <dns/tsig.h>
-#include <dns/result.h>
-
-#include <dst/dst.h>
-
-#define DNS_TSEC_MAGIC			ISC_MAGIC('T', 's', 'e', 'c')
-#define DNS_TSEC_VALID(t)		ISC_MAGIC_VALID(t, DNS_TSEC_MAGIC)
-
-/*%
- * DNS Transaction Security object.  We assume this is not shared by
- * multiple threads, and so the structure does not contain a lock.
- */
-struct dns_tsec {
-	unsigned int		magic;
-	dns_tsectype_t		type;
-	isc_mem_t		*mctx;
-	union {
-		dns_tsigkey_t	*tsigkey;
-		dst_key_t	*key;
-	} ukey;
-};
-
-isc_result_t
-dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
-		dns_tsec_t **tsecp)
-{
-	isc_result_t result;
-	dns_tsec_t *tsec;
-	dns_tsigkey_t *tsigkey = NULL;
-	dns_name_t *algname;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(tsecp != NULL && *tsecp == NULL);
-
-	tsec = isc_mem_get(mctx, sizeof(*tsec));
-	if (tsec == NULL)
-		return (ISC_R_NOMEMORY);
-
-	tsec->type = type;
-	tsec->mctx = mctx;
-
-	switch (type) {
-	case dns_tsectype_tsig:
-		switch (dst_key_alg(key)) {
-		case DST_ALG_HMACMD5:
-			algname = dns_tsig_hmacmd5_name;
-			break;
-		case DST_ALG_HMACSHA1:
-			algname = dns_tsig_hmacsha1_name;
-			break;
-		case DST_ALG_HMACSHA224:
-			algname = dns_tsig_hmacsha224_name;
-			break;
-		case DST_ALG_HMACSHA256:
-			algname = dns_tsig_hmacsha256_name;
-			break;
-		case DST_ALG_HMACSHA384:
-			algname = dns_tsig_hmacsha384_name;
-			break;
-		case DST_ALG_HMACSHA512:
-			algname = dns_tsig_hmacsha512_name;
-			break;
-		default:
-			isc_mem_put(mctx, tsec, sizeof(*tsec));
-			return (DNS_R_BADALG);
-		}
-		result = dns_tsigkey_createfromkey(dst_key_name(key),
-						   algname, key, ISC_FALSE,
-						   NULL, 0, 0, mctx, NULL,
-						   &tsigkey);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(mctx, tsec, sizeof(*tsec));
-			return (result);
-		}
-		tsec->ukey.tsigkey = tsigkey;
-		break;
-	case dns_tsectype_sig0:
-		tsec->ukey.key = key;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	tsec->magic = DNS_TSEC_MAGIC;
-
-	*tsecp = tsec;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_tsec_destroy(dns_tsec_t **tsecp) {
-	dns_tsec_t *tsec;
-
-	REQUIRE(tsecp != NULL && *tsecp != NULL);
-	tsec = *tsecp;
-	REQUIRE(DNS_TSEC_VALID(tsec));
-
-	switch (tsec->type) {
-	case dns_tsectype_tsig:
-		dns_tsigkey_detach(&tsec->ukey.tsigkey);
-		break;
-	case dns_tsectype_sig0:
-		dst_key_free(&tsec->ukey.key);
-		break;
-	default:
-		INSIST(0);
-	}
-
-	tsec->magic = 0;
-	isc_mem_put(tsec->mctx, tsec, sizeof(*tsec));
-
-	*tsecp = NULL;
-}
-
-dns_tsectype_t
-dns_tsec_gettype(dns_tsec_t *tsec) {
-	REQUIRE(DNS_TSEC_VALID(tsec));
-
-	return (tsec->type);
-}
-
-void
-dns_tsec_getkey(dns_tsec_t *tsec, void *keyp) {
-	REQUIRE(DNS_TSEC_VALID(tsec));
-	REQUIRE(keyp != NULL);
-
-	switch (tsec->type) {
-	case dns_tsectype_tsig:
-		dns_tsigkey_attach(tsec->ukey.tsigkey, (dns_tsigkey_t **)keyp);
-		break;
-	case dns_tsectype_sig0:
-		*(dst_key_t **)keyp = tsec->ukey.key;
-		break;
-	default:
-		INSIST(0);
-	}
-}
diff --git a/contrib/bind9/lib/dns/tsig.c b/contrib/bind9/lib/dns/tsig.c
deleted file mode 100644
index c7768f4..0000000
--- a/contrib/bind9/lib/dns/tsig.c
+++ /dev/null
@@ -1,1883 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id$
- */
-/*! \file */
-#include <config.h>
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/refcount.h>
-#include <isc/serial.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-#include <isc/time.h>
-
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/fixedname.h>
-#include <dns/rbt.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-
-#include <dst/result.h>
-
-#define TSIG_MAGIC		ISC_MAGIC('T', 'S', 'I', 'G')
-#define VALID_TSIG_KEY(x)	ISC_MAGIC_VALID(x, TSIG_MAGIC)
-
-#ifndef DNS_TSIG_MAXGENERATEDKEYS
-#define DNS_TSIG_MAXGENERATEDKEYS 4096
-#endif
-
-#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
-#define algname_is_allocated(algname) \
-	((algname) != dns_tsig_hmacmd5_name && \
-	 (algname) != dns_tsig_hmacsha1_name && \
-	 (algname) != dns_tsig_hmacsha224_name && \
-	 (algname) != dns_tsig_hmacsha256_name && \
-	 (algname) != dns_tsig_hmacsha384_name && \
-	 (algname) != dns_tsig_hmacsha512_name && \
-	 (algname) != dns_tsig_gssapi_name && \
-	 (algname) != dns_tsig_gssapims_name)
-
-#define BADTIMELEN 6
-
-static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
-static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
-
-static dns_name_t hmacmd5 = {
-	DNS_NAME_MAGIC,
-	hmacmd5_ndata, 26, 5,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacmd5_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
-
-static unsigned char gsstsig_ndata[] = "\010gss-tsig";
-static unsigned char gsstsig_offsets[] = { 0, 9 };
-static dns_name_t gsstsig = {
-	DNS_NAME_MAGIC,
-	gsstsig_ndata, 10, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	gsstsig_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
-
-/*
- * Since Microsoft doesn't follow its own standard, we will use this
- * alternate name as a second guess.
- */
-static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
-static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
-static dns_name_t gsstsigms = {
-	DNS_NAME_MAGIC,
-	gsstsigms_ndata, 19, 4,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	gsstsigms_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
-
-static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
-static unsigned char hmacsha1_offsets[] = { 0, 10 };
-
-static dns_name_t  hmacsha1 = {
-	DNS_NAME_MAGIC,
-	hmacsha1_ndata, 11, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha1_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha1_name = &hmacsha1;
-
-static unsigned char hmacsha224_ndata[] = "\013hmac-sha224";
-static unsigned char hmacsha224_offsets[] = { 0, 12 };
-
-static dns_name_t hmacsha224 = {
-	DNS_NAME_MAGIC,
-	hmacsha224_ndata, 13, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha224_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha224_name = &hmacsha224;
-
-static unsigned char hmacsha256_ndata[] = "\013hmac-sha256";
-static unsigned char hmacsha256_offsets[] = { 0, 12 };
-
-static dns_name_t hmacsha256 = {
-	DNS_NAME_MAGIC,
-	hmacsha256_ndata, 13, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha256_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha256_name = &hmacsha256;
-
-static unsigned char hmacsha384_ndata[] = "\013hmac-sha384";
-static unsigned char hmacsha384_offsets[] = { 0, 12 };
-
-static dns_name_t hmacsha384 = {
-	DNS_NAME_MAGIC,
-	hmacsha384_ndata, 13, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha384_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha384_name = &hmacsha384;
-
-static unsigned char hmacsha512_ndata[] = "\013hmac-sha512";
-static unsigned char hmacsha512_offsets[] = { 0, 12 };
-
-static dns_name_t hmacsha512 = {
-	DNS_NAME_MAGIC,
-	hmacsha512_ndata, 13, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha512_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha512_name = &hmacsha512;
-
-static isc_result_t
-tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
-
-static void
-tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(3, 4);
-
-static void
-cleanup_ring(dns_tsig_keyring_t *ring);
-static void
-tsigkey_free(dns_tsigkey_t *key);
-
-static void
-tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
-	va_list ap;
-	char message[4096];
-	char namestr[DNS_NAME_FORMATSIZE];
-	char creatorstr[DNS_NAME_FORMATSIZE];
-
-	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
-		return;
-	if (key != NULL)
-		dns_name_format(&key->name, namestr, sizeof(namestr));
-	else
-		strcpy(namestr, "<null>");
-
-	if (key != NULL && key->generated && key->creator)
-		dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
-	else
-		strcpy(creatorstr, "<null>");
-
-	va_start(ap, fmt);
-	vsnprintf(message, sizeof(message), fmt, ap);
-	va_end(ap);
-	if (key != NULL && key->generated)
-		isc_log_write(dns_lctx,
-			      DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
-			      level, "tsig key '%s' (%s): %s",
-			      namestr, creatorstr, message);
-	else
-		isc_log_write(dns_lctx,
-			      DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
-			      level, "tsig key '%s': %s", namestr, message);
-}
-
-static void
-remove_fromring(dns_tsigkey_t *tkey) {
-	if (tkey->generated) {
-		ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
-		tkey->ring->generated--;
-	}
-	(void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, ISC_FALSE);
-}
-
-static void
-adjust_lru(dns_tsigkey_t *tkey) {
-	if (tkey->generated) {
-		RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
-		/*
-		 * We may have been removed from the LRU list between
-		 * removing the read lock and aquiring the write lock.
-		 */
-		if (ISC_LINK_LINKED(tkey, link) &&
-		    tkey->ring->lru.tail != tkey)
-		{
-			ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
-			ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
-		}
-		RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
-	}
-}
-
-/*
- * A supplemental routine just to add a key to ring.  Note that reference
- * counter should be counted separately because we may be adding the key
- * as part of creation of the key, in which case the reference counter was
- * already initialized.  Also note we don't need RWLOCK for the reference
- * counter: it's protected by a separate lock.
- */
-static isc_result_t
-keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
-	    dns_tsigkey_t *tkey)
-{
-	isc_result_t result;
-
-	RWLOCK(&ring->lock, isc_rwlocktype_write);
-	ring->writecount++;
-
-	/*
-	 * Do on the fly cleaning.  Find some nodes we might not
-	 * want around any more.
-	 */
-	if (ring->writecount > 10) {
-		cleanup_ring(ring);
-		ring->writecount = 0;
-	}
-
-	result = dns_rbt_addname(ring->keys, name, tkey);
-	if (tkey->generated) {
-		/*
-		 * Add the new key to the LRU list and remove the least
-		 * recently used key if there are too many keys on the list.
-		 */
-		ISC_LIST_INITANDAPPEND(ring->lru, tkey, link);
-		if (ring->generated++ > ring->maxgenerated)
-			remove_fromring(ISC_LIST_HEAD(ring->lru));
-	}
-	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
-
-	return (result);
-}
-
-isc_result_t
-dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
-			  dst_key_t *dstkey, isc_boolean_t generated,
-			  dns_name_t *creator, isc_stdtime_t inception,
-			  isc_stdtime_t expire, isc_mem_t *mctx,
-			  dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
-{
-	dns_tsigkey_t *tkey;
-	isc_result_t ret;
-	unsigned int refs = 0;
-
-	REQUIRE(key == NULL || *key == NULL);
-	REQUIRE(name != NULL);
-	REQUIRE(algorithm != NULL);
-	REQUIRE(mctx != NULL);
-	REQUIRE(key != NULL || ring != NULL);
-
-	tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t));
-	if (tkey == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dns_name_init(&tkey->name, NULL);
-	ret = dns_name_dup(name, mctx, &tkey->name);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_key;
-	(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
-
-	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
-		tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
-		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
-			ret = DNS_R_BADALG;
-			goto cleanup_name;
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
-		tkey->algorithm = DNS_TSIG_HMACSHA1_NAME;
-		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACSHA1) {
-			ret = DNS_R_BADALG;
-			goto cleanup_name;
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
-		tkey->algorithm = DNS_TSIG_HMACSHA224_NAME;
-		if (dstkey != NULL &&
-		    dst_key_alg(dstkey) != DST_ALG_HMACSHA224) {
-			ret = DNS_R_BADALG;
-			goto cleanup_name;
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
-		tkey->algorithm = DNS_TSIG_HMACSHA256_NAME;
-		if (dstkey != NULL &&
-		    dst_key_alg(dstkey) != DST_ALG_HMACSHA256) {
-			ret = DNS_R_BADALG;
-			goto cleanup_name;
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
-		tkey->algorithm = DNS_TSIG_HMACSHA384_NAME;
-		if (dstkey != NULL &&
-		    dst_key_alg(dstkey) != DST_ALG_HMACSHA384) {
-			ret = DNS_R_BADALG;
-			goto cleanup_name;
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
-		tkey->algorithm = DNS_TSIG_HMACSHA512_NAME;
-		if (dstkey != NULL &&
-		    dst_key_alg(dstkey) != DST_ALG_HMACSHA512) {
-			ret = DNS_R_BADALG;
-			goto cleanup_name;
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
-		tkey->algorithm = DNS_TSIG_GSSAPI_NAME;
-		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
-			ret = DNS_R_BADALG;
-			goto cleanup_name;
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
-		tkey->algorithm = DNS_TSIG_GSSAPIMS_NAME;
-		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
-			ret = DNS_R_BADALG;
-			goto cleanup_name;
-		}
-	} else {
-		if (dstkey != NULL) {
-			ret = DNS_R_BADALG;
-			goto cleanup_name;
-		}
-		tkey->algorithm = isc_mem_get(mctx, sizeof(dns_name_t));
-		if (tkey->algorithm == NULL) {
-			ret = ISC_R_NOMEMORY;
-			goto cleanup_name;
-		}
-		dns_name_init(tkey->algorithm, NULL);
-		ret = dns_name_dup(algorithm, mctx, tkey->algorithm);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_algorithm;
-		(void)dns_name_downcase(tkey->algorithm, tkey->algorithm,
-					NULL);
-	}
-
-	if (creator != NULL) {
-		tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
-		if (tkey->creator == NULL) {
-			ret = ISC_R_NOMEMORY;
-			goto cleanup_algorithm;
-		}
-		dns_name_init(tkey->creator, NULL);
-		ret = dns_name_dup(creator, mctx, tkey->creator);
-		if (ret != ISC_R_SUCCESS) {
-			isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
-			goto cleanup_algorithm;
-		}
-	} else
-		tkey->creator = NULL;
-
-	tkey->key = NULL;
-	if (dstkey != NULL)
-		dst_key_attach(dstkey, &tkey->key);
-	tkey->ring = ring;
-
-	if (key != NULL)
-		refs = 1;
-	if (ring != NULL)
-		refs++;
-	ret = isc_refcount_init(&tkey->refs, refs);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_creator;
-
-	tkey->generated = generated;
-	tkey->inception = inception;
-	tkey->expire = expire;
-	tkey->mctx = NULL;
-	isc_mem_attach(mctx, &tkey->mctx);
-
-	tkey->magic = TSIG_MAGIC;
-
-	if (ring != NULL) {
-		ret = keyring_add(ring, name, tkey);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_refs;
-	}
-
-	/*
-	 * Ignore this if it's a GSS key, since the key size is meaningless.
-	 */
-	if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
-	    !dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME) &&
-	    !dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
-		char namestr[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namestr, sizeof(namestr));
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
-			      DNS_LOGMODULE_TSIG, ISC_LOG_INFO,
-			      "the key '%s' is too short to be secure",
-			      namestr);
-	}
-
-	if (key != NULL)
-		*key = tkey;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_refs:
-	tkey->magic = 0;
-	while (refs-- > 0)
-		isc_refcount_decrement(&tkey->refs, NULL);
-	isc_refcount_destroy(&tkey->refs);
- cleanup_creator:
-	if (tkey->key != NULL)
-		dst_key_free(&tkey->key);
-	if (tkey->creator != NULL) {
-		dns_name_free(tkey->creator, mctx);
-		isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
-	}
- cleanup_algorithm:
-	if (algname_is_allocated(tkey->algorithm)) {
-		if (dns_name_dynamic(tkey->algorithm))
-			dns_name_free(tkey->algorithm, mctx);
-		isc_mem_put(mctx, tkey->algorithm, sizeof(dns_name_t));
-	}
- cleanup_name:
-	dns_name_free(&tkey->name, mctx);
- cleanup_key:
-	isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t));
-
-	return (ret);
-}
-
-/*
- * Find a few nodes to destroy if possible.
- */
-static void
-cleanup_ring(dns_tsig_keyring_t *ring)
-{
-	isc_result_t result;
-	dns_rbtnodechain_t chain;
-	dns_name_t foundname;
-	dns_fixedname_t fixedorigin;
-	dns_name_t *origin;
-	isc_stdtime_t now;
-	dns_rbtnode_t *node;
-	dns_tsigkey_t *tkey;
-
-	/*
-	 * Start up a new iterator each time.
-	 */
-	isc_stdtime_get(&now);
-	dns_name_init(&foundname, NULL);
-	dns_fixedname_init(&fixedorigin);
-	origin = dns_fixedname_name(&fixedorigin);
-
- again:
-	dns_rbtnodechain_init(&chain, ring->mctx);
-	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
-					origin);
-	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-		dns_rbtnodechain_invalidate(&chain);
-		return;
-	}
-
-	for (;;) {
-		node = NULL;
-		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
-		tkey = node->data;
-		if (tkey != NULL) {
-			if (tkey->generated
-			    && isc_refcount_current(&tkey->refs) == 1
-			    && tkey->inception != tkey->expire
-			    && tkey->expire < now) {
-				tsig_log(tkey, 2, "tsig expire: deleting");
-				/* delete the key */
-				dns_rbtnodechain_invalidate(&chain);
-				remove_fromring(tkey);
-				goto again;
-			}
-		}
-		result = dns_rbtnodechain_next(&chain, &foundname,
-					       origin);
-		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-			dns_rbtnodechain_invalidate(&chain);
-			return;
-		}
-	}
-}
-
-static void
-destroyring(dns_tsig_keyring_t *ring) {
-	dns_rbt_destroy(&ring->keys);
-	isc_rwlock_destroy(&ring->lock);
-	isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t));
-}
-
-static unsigned int
-dst_alg_fromname(dns_name_t *algorithm) {
-	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
-		return (DST_ALG_HMACMD5);
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
-		return (DST_ALG_HMACSHA1);
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
-		return (DST_ALG_HMACSHA224);
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
-		return (DST_ALG_HMACSHA256);
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
-		return (DST_ALG_HMACSHA384);
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
-		return (DST_ALG_HMACSHA512);
-	} else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
-		return (DST_ALG_GSSAPI);
-	} else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
-		return (DST_ALG_GSSAPI);
-	} else
-		return (0);
-}
-
-static isc_result_t
-restore_key(dns_tsig_keyring_t *ring, isc_stdtime_t now, FILE *fp) {
-	dst_key_t *dstkey = NULL;
-	char namestr[1024];
-	char creatorstr[1024];
-	char algorithmstr[1024];
-	char keystr[4096];
-	unsigned int inception, expire;
-	int n;
-	isc_buffer_t b;
-	dns_name_t *name, *creator, *algorithm;
-	dns_fixedname_t fname, fcreator, falgorithm;
-	isc_result_t result;
-	unsigned int dstalg;
-
-	n = fscanf(fp, "%1023s %1023s %u %u %1023s %4095s\n", namestr,
-		   creatorstr, &inception, &expire, algorithmstr, keystr);
-	if (n == EOF)
-		return (ISC_R_NOMORE);
-	if (n != 6)
-		return (ISC_R_FAILURE);
-
-	if (isc_serial_lt(expire, now))
-		return (DNS_R_EXPIRED);
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	isc_buffer_init(&b, namestr, strlen(namestr));
-	isc_buffer_add(&b, strlen(namestr));
-	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_fixedname_init(&fcreator);
-	creator = dns_fixedname_name(&fcreator);
-	isc_buffer_init(&b, creatorstr, strlen(creatorstr));
-	isc_buffer_add(&b, strlen(creatorstr));
-	result = dns_name_fromtext(creator, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_fixedname_init(&falgorithm);
-	algorithm = dns_fixedname_name(&falgorithm);
-	isc_buffer_init(&b, algorithmstr, strlen(algorithmstr));
-	isc_buffer_add(&b, strlen(algorithmstr));
-	result = dns_name_fromtext(algorithm, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dstalg = dst_alg_fromname(algorithm);
-	if (dstalg == 0)
-		return (DNS_R_BADALG);
-
-	result = dst_key_restore(name, dstalg, DNS_KEYOWNER_ENTITY,
-				 DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
-				 ring->mctx, keystr, &dstkey);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
-					   ISC_TRUE, creator, inception,
-					   expire, ring->mctx, ring, NULL);
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-	return (result);
-}
-
-static void
-dump_key(dns_tsigkey_t *tkey, FILE *fp) {
-	char *buffer = NULL;
-	int length = 0;
-	char namestr[DNS_NAME_FORMATSIZE];
-	char creatorstr[DNS_NAME_FORMATSIZE];
-	char algorithmstr[DNS_NAME_FORMATSIZE];
-	isc_result_t result;
-
-	REQUIRE(tkey != NULL);
-	REQUIRE(fp != NULL);
-
-	dns_name_format(&tkey->name, namestr, sizeof(namestr));
-	dns_name_format(tkey->creator, creatorstr, sizeof(creatorstr));
-	dns_name_format(tkey->algorithm, algorithmstr, sizeof(algorithmstr));
-	result = dst_key_dump(tkey->key, tkey->mctx, &buffer, &length);
-	if (result == ISC_R_SUCCESS)
-		fprintf(fp, "%s %s %u %u %s %.*s\n", namestr, creatorstr,
-			tkey->inception, tkey->expire, algorithmstr,
-			length, buffer);
-	if (buffer != NULL)
-		isc_mem_put(tkey->mctx, buffer, length);
-}
-
-isc_result_t
-dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp) {
-	isc_result_t result;
-	dns_rbtnodechain_t chain;
-	dns_name_t foundname;
-	dns_fixedname_t fixedorigin;
-	dns_name_t *origin;
-	isc_stdtime_t now;
-	dns_rbtnode_t *node;
-	dns_tsigkey_t *tkey;
-	dns_tsig_keyring_t *ring;
-	unsigned int references;
-
-	REQUIRE(ringp != NULL && *ringp != NULL);
-
-	ring = *ringp;
-	*ringp = NULL;
-
-	RWLOCK(&ring->lock, isc_rwlocktype_write);
-	INSIST(ring->references > 0);
-	ring->references--;
-	references = ring->references;
-	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
-
-	if (references != 0)
-		return (DNS_R_CONTINUE);
-
-	isc_stdtime_get(&now);
-	dns_name_init(&foundname, NULL);
-	dns_fixedname_init(&fixedorigin);
-	origin = dns_fixedname_name(&fixedorigin);
-	dns_rbtnodechain_init(&chain, ring->mctx);
-	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
-					origin);
-	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-		dns_rbtnodechain_invalidate(&chain);
-		goto destroy;
-	}
-
-	for (;;) {
-		node = NULL;
-		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
-		tkey = node->data;
-		if (tkey != NULL && tkey->generated && tkey->expire >= now)
-			dump_key(tkey, fp);
-		result = dns_rbtnodechain_next(&chain, &foundname,
-					       origin);
-		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
-			dns_rbtnodechain_invalidate(&chain);
-			if (result == ISC_R_NOMORE)
-				result = ISC_R_SUCCESS;
-			goto destroy;
-		}
-	}
-
- destroy:
-	destroyring(ring);
-	return (result);
-}
-
-isc_result_t
-dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
-		   unsigned char *secret, int length, isc_boolean_t generated,
-		   dns_name_t *creator, isc_stdtime_t inception,
-		   isc_stdtime_t expire, isc_mem_t *mctx,
-		   dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
-{
-	dst_key_t *dstkey = NULL;
-	isc_result_t result;
-
-	REQUIRE(length >= 0);
-	if (length > 0)
-		REQUIRE(secret != NULL);
-
-	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
-		if (secret != NULL) {
-			isc_buffer_t b;
-
-			isc_buffer_init(&b, secret, length);
-			isc_buffer_add(&b, length);
-			result = dst_key_frombuffer(name, DST_ALG_HMACMD5,
-						    DNS_KEYOWNER_ENTITY,
-						    DNS_KEYPROTO_DNSSEC,
-						    dns_rdataclass_in,
-						    &b, mctx, &dstkey);
-				if (result != ISC_R_SUCCESS)
-					return (result);
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
-		if (secret != NULL) {
-			isc_buffer_t b;
-
-			isc_buffer_init(&b, secret, length);
-			isc_buffer_add(&b, length);
-			result = dst_key_frombuffer(name, DST_ALG_HMACSHA1,
-						    DNS_KEYOWNER_ENTITY,
-						    DNS_KEYPROTO_DNSSEC,
-						    dns_rdataclass_in,
-						    &b, mctx, &dstkey);
-				if (result != ISC_R_SUCCESS)
-					return (result);
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
-		if (secret != NULL) {
-			isc_buffer_t b;
-
-			isc_buffer_init(&b, secret, length);
-			isc_buffer_add(&b, length);
-			result = dst_key_frombuffer(name, DST_ALG_HMACSHA224,
-						    DNS_KEYOWNER_ENTITY,
-						    DNS_KEYPROTO_DNSSEC,
-						    dns_rdataclass_in,
-						    &b, mctx, &dstkey);
-				if (result != ISC_R_SUCCESS)
-					return (result);
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
-		if (secret != NULL) {
-			isc_buffer_t b;
-
-			isc_buffer_init(&b, secret, length);
-			isc_buffer_add(&b, length);
-			result = dst_key_frombuffer(name, DST_ALG_HMACSHA256,
-						    DNS_KEYOWNER_ENTITY,
-						    DNS_KEYPROTO_DNSSEC,
-						    dns_rdataclass_in,
-						    &b, mctx, &dstkey);
-				if (result != ISC_R_SUCCESS)
-					return (result);
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
-		if (secret != NULL) {
-			isc_buffer_t b;
-
-			isc_buffer_init(&b, secret, length);
-			isc_buffer_add(&b, length);
-			result = dst_key_frombuffer(name, DST_ALG_HMACSHA384,
-						    DNS_KEYOWNER_ENTITY,
-						    DNS_KEYPROTO_DNSSEC,
-						    dns_rdataclass_in,
-						    &b, mctx, &dstkey);
-				if (result != ISC_R_SUCCESS)
-					return (result);
-		}
-	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
-		if (secret != NULL) {
-			isc_buffer_t b;
-
-			isc_buffer_init(&b, secret, length);
-			isc_buffer_add(&b, length);
-			result = dst_key_frombuffer(name, DST_ALG_HMACSHA512,
-						    DNS_KEYOWNER_ENTITY,
-						    DNS_KEYPROTO_DNSSEC,
-						    dns_rdataclass_in,
-						    &b, mctx, &dstkey);
-				if (result != ISC_R_SUCCESS)
-					return (result);
-		}
-	} else if (length > 0)
-		return (DNS_R_BADALG);
-
-	result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
-					   generated, creator,
-					   inception, expire, mctx, ring, key);
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-	return (result);
-}
-
-void
-dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) {
-	REQUIRE(VALID_TSIG_KEY(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	isc_refcount_increment(&source->refs, NULL);
-	*targetp = source;
-}
-
-static void
-tsigkey_free(dns_tsigkey_t *key) {
-	REQUIRE(VALID_TSIG_KEY(key));
-
-	key->magic = 0;
-	dns_name_free(&key->name, key->mctx);
-	if (algname_is_allocated(key->algorithm)) {
-		dns_name_free(key->algorithm, key->mctx);
-		isc_mem_put(key->mctx, key->algorithm, sizeof(dns_name_t));
-	}
-	if (key->key != NULL)
-		dst_key_free(&key->key);
-	if (key->creator != NULL) {
-		dns_name_free(key->creator, key->mctx);
-		isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t));
-	}
-	isc_refcount_destroy(&key->refs);
-	isc_mem_putanddetach(&key->mctx, key, sizeof(dns_tsigkey_t));
-}
-
-void
-dns_tsigkey_detach(dns_tsigkey_t **keyp) {
-	dns_tsigkey_t *key;
-	unsigned int refs;
-
-	REQUIRE(keyp != NULL);
-	REQUIRE(VALID_TSIG_KEY(*keyp));
-
-	key = *keyp;
-	isc_refcount_decrement(&key->refs, &refs);
-
-	if (refs == 0)
-		tsigkey_free(key);
-
-	*keyp = NULL;
-}
-
-void
-dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
-	REQUIRE(VALID_TSIG_KEY(key));
-	REQUIRE(key->ring != NULL);
-
-	RWLOCK(&key->ring->lock, isc_rwlocktype_write);
-	remove_fromring(key);
-	RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
-}
-
-isc_result_t
-dns_tsig_sign(dns_message_t *msg) {
-	dns_tsigkey_t *key;
-	dns_rdata_any_tsig_t tsig, querytsig;
-	unsigned char data[128];
-	isc_buffer_t databuf, sigbuf;
-	isc_buffer_t *dynbuf;
-	dns_name_t *owner;
-	dns_rdata_t *rdata = NULL;
-	dns_rdatalist_t *datalist;
-	dns_rdataset_t *dataset;
-	isc_region_t r;
-	isc_stdtime_t now;
-	isc_mem_t *mctx;
-	dst_context_t *ctx = NULL;
-	isc_result_t ret;
-	unsigned char badtimedata[BADTIMELEN];
-	unsigned int sigsize = 0;
-	isc_boolean_t response = is_response(msg);
-
-	REQUIRE(msg != NULL);
-	REQUIRE(VALID_TSIG_KEY(dns_message_gettsigkey(msg)));
-
-	/*
-	 * If this is a response, there should be a query tsig.
-	 */
-	if (response && msg->querytsig == NULL)
-		return (DNS_R_EXPECTEDTSIG);
-
-	dynbuf = NULL;
-
-	mctx = msg->mctx;
-	key = dns_message_gettsigkey(msg);
-
-	tsig.mctx = mctx;
-	tsig.common.rdclass = dns_rdataclass_any;
-	tsig.common.rdtype = dns_rdatatype_tsig;
-	ISC_LINK_INIT(&tsig.common, link);
-	dns_name_init(&tsig.algorithm, NULL);
-	dns_name_clone(key->algorithm, &tsig.algorithm);
-
-	isc_stdtime_get(&now);
-	tsig.timesigned = now + msg->timeadjust;
-	tsig.fudge = DNS_TSIG_FUDGE;
-
-	tsig.originalid = msg->id;
-
-	isc_buffer_init(&databuf, data, sizeof(data));
-
-	if (response)
-		tsig.error = msg->querytsigstatus;
-	else
-		tsig.error = dns_rcode_noerror;
-
-	if (tsig.error != dns_tsigerror_badtime) {
-		tsig.otherlen = 0;
-		tsig.other = NULL;
-	} else {
-		isc_buffer_t otherbuf;
-
-		tsig.otherlen = BADTIMELEN;
-		tsig.other = badtimedata;
-		isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
-		isc_buffer_putuint48(&otherbuf, tsig.timesigned);
-	}
-
-	if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
-		unsigned char header[DNS_MESSAGE_HEADERLEN];
-		isc_buffer_t headerbuf;
-		isc_uint16_t digestbits;
-
-		ret = dst_context_create2(key->key, mctx,
-					  DNS_LOGCATEGORY_DNSSEC, &ctx);
-		if (ret != ISC_R_SUCCESS)
-			return (ret);
-
-		/*
-		 * If this is a response, digest the query signature.
-		 */
-		if (response) {
-			dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
-
-			ret = dns_rdataset_first(msg->querytsig);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-			dns_rdataset_current(msg->querytsig, &querytsigrdata);
-			ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
-						 NULL);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-			isc_buffer_putuint16(&databuf, querytsig.siglen);
-			if (isc_buffer_availablelength(&databuf) <
-			    querytsig.siglen) {
-				ret = ISC_R_NOSPACE;
-				goto cleanup_context;
-			}
-			isc_buffer_putmem(&databuf, querytsig.signature,
-					  querytsig.siglen);
-			isc_buffer_usedregion(&databuf, &r);
-			ret = dst_context_adddata(ctx, &r);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-		}
-#if defined(__clang__)  && \
-       ( __clang_major__ < 3 || \
-	(__clang_major__ == 3 && __clang_minor__ < 2) || \
-	(__clang_major__ == 4 && __clang_minor__ < 2))
-	/* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */
-		else memset(&querytsig, 0, sizeof(querytsig));
-#endif
-
-		/*
-		 * Digest the header.
-		 */
-		isc_buffer_init(&headerbuf, header, sizeof(header));
-		dns_message_renderheader(msg, &headerbuf);
-		isc_buffer_usedregion(&headerbuf, &r);
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		/*
-		 * Digest the remainder of the message.
-		 */
-		isc_buffer_usedregion(msg->buffer, &r);
-		isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		if (msg->tcp_continuation == 0) {
-			/*
-			 * Digest the name, class, ttl, alg.
-			 */
-			dns_name_toregion(&key->name, &r);
-			ret = dst_context_adddata(ctx, &r);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-
-			isc_buffer_clear(&databuf);
-			isc_buffer_putuint16(&databuf, dns_rdataclass_any);
-			isc_buffer_putuint32(&databuf, 0); /* ttl */
-			isc_buffer_usedregion(&databuf, &r);
-			ret = dst_context_adddata(ctx, &r);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-
-			dns_name_toregion(&tsig.algorithm, &r);
-			ret = dst_context_adddata(ctx, &r);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-
-		}
-		/* Digest the timesigned and fudge */
-		isc_buffer_clear(&databuf);
-		if (tsig.error == dns_tsigerror_badtime) {
-			INSIST(response);
-			tsig.timesigned = querytsig.timesigned;
-		}
-		isc_buffer_putuint48(&databuf, tsig.timesigned);
-		isc_buffer_putuint16(&databuf, tsig.fudge);
-		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		if (msg->tcp_continuation == 0) {
-			/*
-			 * Digest the error and other data length.
-			 */
-			isc_buffer_clear(&databuf);
-			isc_buffer_putuint16(&databuf, tsig.error);
-			isc_buffer_putuint16(&databuf, tsig.otherlen);
-
-			isc_buffer_usedregion(&databuf, &r);
-			ret = dst_context_adddata(ctx, &r);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-
-			/*
-			 * Digest other data.
-			 */
-			if (tsig.otherlen > 0) {
-				r.length = tsig.otherlen;
-				r.base = tsig.other;
-				ret = dst_context_adddata(ctx, &r);
-				if (ret != ISC_R_SUCCESS)
-					goto cleanup_context;
-			}
-		}
-
-		ret = dst_key_sigsize(key->key, &sigsize);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-		tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
-		if (tsig.signature == NULL) {
-			ret = ISC_R_NOMEMORY;
-			goto cleanup_context;
-		}
-
-		isc_buffer_init(&sigbuf, tsig.signature, sigsize);
-		ret = dst_context_sign(ctx, &sigbuf);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_signature;
-		dst_context_destroy(&ctx);
-		digestbits = dst_key_getbits(key->key);
-		if (digestbits != 0) {
-			unsigned int bytes = (digestbits + 1) / 8;
-			if (response && bytes < querytsig.siglen)
-				bytes = querytsig.siglen;
-			if (bytes > isc_buffer_usedlength(&sigbuf))
-				bytes = isc_buffer_usedlength(&sigbuf);
-			tsig.siglen = bytes;
-		} else
-			tsig.siglen = isc_buffer_usedlength(&sigbuf);
-	} else {
-		tsig.siglen = 0;
-		tsig.signature = NULL;
-	}
-
-	ret = dns_message_gettemprdata(msg, &rdata);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_signature;
-	ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_rdata;
-	ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
-				   dns_rdatatype_tsig, &tsig, dynbuf);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_dynbuf;
-
-	dns_message_takebuffer(msg, &dynbuf);
-
-	if (tsig.signature != NULL) {
-		isc_mem_put(mctx, tsig.signature, sigsize);
-		tsig.signature = NULL;
-	}
-
-	owner = NULL;
-	ret = dns_message_gettempname(msg, &owner);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_rdata;
-	dns_name_init(owner, NULL);
-	ret = dns_name_dup(&key->name, msg->mctx, owner);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_owner;
-
-	datalist = NULL;
-	ret = dns_message_gettemprdatalist(msg, &datalist);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_owner;
-	dataset = NULL;
-	ret = dns_message_gettemprdataset(msg, &dataset);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_rdatalist;
-	datalist->rdclass = dns_rdataclass_any;
-	datalist->type = dns_rdatatype_tsig;
-	datalist->covers = 0;
-	datalist->ttl = 0;
-	ISC_LIST_INIT(datalist->rdata);
-	ISC_LIST_APPEND(datalist->rdata, rdata, link);
-	dns_rdataset_init(dataset);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset)
-		      == ISC_R_SUCCESS);
-	msg->tsig = dataset;
-	msg->tsigname = owner;
-
-	/* Windows does not like the tsig name being compressed. */
-	msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_rdatalist:
-	dns_message_puttemprdatalist(msg, &datalist);
- cleanup_owner:
-	dns_message_puttempname(msg, &owner);
-	goto cleanup_rdata;
- cleanup_dynbuf:
-	isc_buffer_free(&dynbuf);
- cleanup_rdata:
-	dns_message_puttemprdata(msg, &rdata);
- cleanup_signature:
-	if (tsig.signature != NULL)
-		isc_mem_put(mctx, tsig.signature, sigsize);
- cleanup_context:
-	if (ctx != NULL)
-		dst_context_destroy(&ctx);
-	return (ret);
-}
-
-isc_result_t
-dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
-		dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2)
-{
-	dns_rdata_any_tsig_t tsig, querytsig;
-	isc_region_t r, source_r, header_r, sig_r;
-	isc_buffer_t databuf;
-	unsigned char data[32];
-	dns_name_t *keyname;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_stdtime_t now;
-	isc_result_t ret;
-	dns_tsigkey_t *tsigkey;
-	dst_key_t *key = NULL;
-	unsigned char header[DNS_MESSAGE_HEADERLEN];
-	dst_context_t *ctx = NULL;
-	isc_mem_t *mctx;
-	isc_uint16_t addcount, id;
-	unsigned int siglen;
-	unsigned int alg;
-	isc_boolean_t response;
-
-	REQUIRE(source != NULL);
-	REQUIRE(DNS_MESSAGE_VALID(msg));
-	tsigkey = dns_message_gettsigkey(msg);
-	response = is_response(msg);
-
-	REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
-
-	msg->verify_attempted = 1;
-
-	if (msg->tcp_continuation) {
-		if (tsigkey == NULL || msg->querytsig == NULL)
-			return (DNS_R_UNEXPECTEDTSIG);
-		return (tsig_verify_tcp(source, msg));
-	}
-
-	/*
-	 * There should be a TSIG record...
-	 */
-	if (msg->tsig == NULL)
-		return (DNS_R_EXPECTEDTSIG);
-
-	/*
-	 * If this is a response and there's no key or query TSIG, there
-	 * shouldn't be one on the response.
-	 */
-	if (response && (tsigkey == NULL || msg->querytsig == NULL))
-		return (DNS_R_UNEXPECTEDTSIG);
-
-	mctx = msg->mctx;
-
-	/*
-	 * If we're here, we know the message is well formed and contains a
-	 * TSIG record.
-	 */
-
-	keyname = msg->tsigname;
-	ret = dns_rdataset_first(msg->tsig);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-	dns_rdataset_current(msg->tsig, &rdata);
-	ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-	dns_rdata_reset(&rdata);
-	if (response) {
-		ret = dns_rdataset_first(msg->querytsig);
-		if (ret != ISC_R_SUCCESS)
-			return (ret);
-		dns_rdataset_current(msg->querytsig, &rdata);
-		ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
-		if (ret != ISC_R_SUCCESS)
-			return (ret);
-	}
-#if defined(__clang__) && \
-       ( __clang_major__ < 3 || \
-	(__clang_major__ == 3 && __clang_minor__ < 2) || \
-	(__clang_major__ == 4 && __clang_minor__ < 2))
-	/* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */
-		else memset(&querytsig, 0, sizeof(querytsig));
-#endif
-
-	/*
-	 * Do the key name and algorithm match that of the query?
-	 */
-	if (response &&
-	    (!dns_name_equal(keyname, &tsigkey->name) ||
-	     !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {
-		msg->tsigstatus = dns_tsigerror_badkey;
-		tsig_log(msg->tsigkey, 2,
-			 "key name and algorithm do not match");
-		return (DNS_R_TSIGVERIFYFAILURE);
-	}
-
-	/*
-	 * Get the current time.
-	 */
-	isc_stdtime_get(&now);
-
-	/*
-	 * Find dns_tsigkey_t based on keyname.
-	 */
-	if (tsigkey == NULL) {
-		ret = ISC_R_NOTFOUND;
-		if (ring1 != NULL)
-			ret = dns_tsigkey_find(&tsigkey, keyname,
-					       &tsig.algorithm, ring1);
-		if (ret == ISC_R_NOTFOUND && ring2 != NULL)
-			ret = dns_tsigkey_find(&tsigkey, keyname,
-					       &tsig.algorithm, ring2);
-		if (ret != ISC_R_SUCCESS) {
-			msg->tsigstatus = dns_tsigerror_badkey;
-			ret = dns_tsigkey_create(keyname, &tsig.algorithm,
-						 NULL, 0, ISC_FALSE, NULL,
-						 now, now,
-						 mctx, NULL, &msg->tsigkey);
-			if (ret != ISC_R_SUCCESS)
-				return (ret);
-			tsig_log(msg->tsigkey, 2, "unknown key");
-			return (DNS_R_TSIGVERIFYFAILURE);
-		}
-		msg->tsigkey = tsigkey;
-	}
-
-	key = tsigkey->key;
-
-	/*
-	 * Is the time ok?
-	 */
-	if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
-		msg->tsigstatus = dns_tsigerror_badtime;
-		tsig_log(msg->tsigkey, 2, "signature has expired");
-		return (DNS_R_CLOCKSKEW);
-	} else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
-		msg->tsigstatus = dns_tsigerror_badtime;
-		tsig_log(msg->tsigkey, 2, "signature is in the future");
-		return (DNS_R_CLOCKSKEW);
-	}
-
-	/*
-	 * Check digest length.
-	 */
-	alg = dst_key_alg(key);
-	ret = dst_key_sigsize(key, &siglen);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-	if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
-	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
-	    alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
-		isc_uint16_t digestbits = dst_key_getbits(key);
-		if (tsig.siglen > siglen) {
-			tsig_log(msg->tsigkey, 2, "signature length to big");
-			return (DNS_R_FORMERR);
-		}
-		if (tsig.siglen > 0 &&
-		    (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
-			tsig_log(msg->tsigkey, 2,
-				 "signature length below minimum");
-			return (DNS_R_FORMERR);
-		}
-		if (tsig.siglen > 0 && digestbits != 0 &&
-		    tsig.siglen < ((digestbits + 1) / 8)) {
-			msg->tsigstatus = dns_tsigerror_badtrunc;
-			tsig_log(msg->tsigkey, 2,
-				 "truncated signature length too small");
-			return (DNS_R_TSIGVERIFYFAILURE);
-		}
-		if (tsig.siglen > 0 && digestbits == 0 &&
-		    tsig.siglen < siglen) {
-			msg->tsigstatus = dns_tsigerror_badtrunc;
-			tsig_log(msg->tsigkey, 2, "signature length too small");
-			return (DNS_R_TSIGVERIFYFAILURE);
-		}
-	}
-
-	if (tsig.siglen > 0) {
-		sig_r.base = tsig.signature;
-		sig_r.length = tsig.siglen;
-
-		ret = dst_context_create2(key, mctx,
-					  DNS_LOGCATEGORY_DNSSEC, &ctx);
-		if (ret != ISC_R_SUCCESS)
-			return (ret);
-
-		if (response) {
-			isc_buffer_init(&databuf, data, sizeof(data));
-			isc_buffer_putuint16(&databuf, querytsig.siglen);
-			isc_buffer_usedregion(&databuf, &r);
-			ret = dst_context_adddata(ctx, &r);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-			if (querytsig.siglen > 0) {
-				r.length = querytsig.siglen;
-				r.base = querytsig.signature;
-				ret = dst_context_adddata(ctx, &r);
-				if (ret != ISC_R_SUCCESS)
-					goto cleanup_context;
-			}
-		}
-
-		/*
-		 * Extract the header.
-		 */
-		isc_buffer_usedregion(source, &r);
-		memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
-		isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-
-		/*
-		 * Decrement the additional field counter.
-		 */
-		memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
-		addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
-		memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
-
-		/*
-		 * Put in the original id.
-		 */
-		id = htons(tsig.originalid);
-		memcpy(&header[0], &id, 2);
-
-		/*
-		 * Digest the modified header.
-		 */
-		header_r.base = (unsigned char *) header;
-		header_r.length = DNS_MESSAGE_HEADERLEN;
-		ret = dst_context_adddata(ctx, &header_r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		/*
-		 * Digest all non-TSIG records.
-		 */
-		isc_buffer_usedregion(source, &source_r);
-		r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
-		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		/*
-		 * Digest the key name.
-		 */
-		dns_name_toregion(&tsigkey->name, &r);
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		isc_buffer_init(&databuf, data, sizeof(data));
-		isc_buffer_putuint16(&databuf, tsig.common.rdclass);
-		isc_buffer_putuint32(&databuf, msg->tsig->ttl);
-		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		/*
-		 * Digest the key algorithm.
-		 */
-		dns_name_toregion(tsigkey->algorithm, &r);
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		isc_buffer_clear(&databuf);
-		isc_buffer_putuint48(&databuf, tsig.timesigned);
-		isc_buffer_putuint16(&databuf, tsig.fudge);
-		isc_buffer_putuint16(&databuf, tsig.error);
-		isc_buffer_putuint16(&databuf, tsig.otherlen);
-		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_context_adddata(ctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		if (tsig.otherlen > 0) {
-			r.base = tsig.other;
-			r.length = tsig.otherlen;
-			ret = dst_context_adddata(ctx, &r);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-		}
-
-		ret = dst_context_verify(ctx, &sig_r);
-		if (ret == DST_R_VERIFYFAILURE) {
-			msg->tsigstatus = dns_tsigerror_badsig;
-			ret = DNS_R_TSIGVERIFYFAILURE;
-			tsig_log(msg->tsigkey, 2,
-				 "signature failed to verify(1)");
-			goto cleanup_context;
-		} else if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		dst_context_destroy(&ctx);
-	} else if (tsig.error != dns_tsigerror_badsig &&
-		   tsig.error != dns_tsigerror_badkey) {
-		msg->tsigstatus = dns_tsigerror_badsig;
-		tsig_log(msg->tsigkey, 2, "signature was empty");
-		return (DNS_R_TSIGVERIFYFAILURE);
-	}
-
-	msg->tsigstatus = dns_rcode_noerror;
-
-	if (tsig.error != dns_rcode_noerror) {
-		if (tsig.error == dns_tsigerror_badtime)
-			return (DNS_R_CLOCKSKEW);
-		else
-			return (DNS_R_TSIGERRORSET);
-	}
-
-	msg->verified_sig = 1;
-
-	return (ISC_R_SUCCESS);
-
-cleanup_context:
-	if (ctx != NULL)
-		dst_context_destroy(&ctx);
-
-	return (ret);
-}
-
-static isc_result_t
-tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
-	dns_rdata_any_tsig_t tsig, querytsig;
-	isc_region_t r, source_r, header_r, sig_r;
-	isc_buffer_t databuf;
-	unsigned char data[32];
-	dns_name_t *keyname;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_stdtime_t now;
-	isc_result_t ret;
-	dns_tsigkey_t *tsigkey;
-	dst_key_t *key = NULL;
-	unsigned char header[DNS_MESSAGE_HEADERLEN];
-	isc_uint16_t addcount, id;
-	isc_boolean_t has_tsig = ISC_FALSE;
-	isc_mem_t *mctx;
-
-	REQUIRE(source != NULL);
-	REQUIRE(msg != NULL);
-	REQUIRE(dns_message_gettsigkey(msg) != NULL);
-	REQUIRE(msg->tcp_continuation == 1);
-	REQUIRE(msg->querytsig != NULL);
-
-	if (!is_response(msg))
-		return (DNS_R_EXPECTEDRESPONSE);
-
-	mctx = msg->mctx;
-
-	tsigkey = dns_message_gettsigkey(msg);
-
-	/*
-	 * Extract and parse the previous TSIG
-	 */
-	ret = dns_rdataset_first(msg->querytsig);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-	dns_rdataset_current(msg->querytsig, &rdata);
-	ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-	dns_rdata_reset(&rdata);
-
-	/*
-	 * If there is a TSIG in this message, do some checks.
-	 */
-	if (msg->tsig != NULL) {
-		has_tsig = ISC_TRUE;
-
-		keyname = msg->tsigname;
-		ret = dns_rdataset_first(msg->tsig);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_querystruct;
-		dns_rdataset_current(msg->tsig, &rdata);
-		ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_querystruct;
-
-		/*
-		 * Do the key name and algorithm match that of the query?
-		 */
-		if (!dns_name_equal(keyname, &tsigkey->name) ||
-		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
-			msg->tsigstatus = dns_tsigerror_badkey;
-			ret = DNS_R_TSIGVERIFYFAILURE;
-			tsig_log(msg->tsigkey, 2,
-				 "key name and algorithm do not match");
-			goto cleanup_querystruct;
-		}
-
-		/*
-		 * Is the time ok?
-		 */
-		isc_stdtime_get(&now);
-
-		if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
-			msg->tsigstatus = dns_tsigerror_badtime;
-			tsig_log(msg->tsigkey, 2, "signature has expired");
-			ret = DNS_R_CLOCKSKEW;
-			goto cleanup_querystruct;
-		} else if (now + msg->timeadjust <
-			   tsig.timesigned - tsig.fudge) {
-			msg->tsigstatus = dns_tsigerror_badtime;
-			tsig_log(msg->tsigkey, 2,
-				 "signature is in the future");
-			ret = DNS_R_CLOCKSKEW;
-			goto cleanup_querystruct;
-		}
-	}
-
-	key = tsigkey->key;
-
-	if (msg->tsigctx == NULL) {
-		ret = dst_context_create2(key, mctx,
-					  DNS_LOGCATEGORY_DNSSEC,
-					  &msg->tsigctx);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_querystruct;
-
-		/*
-		 * Digest the length of the query signature
-		 */
-		isc_buffer_init(&databuf, data, sizeof(data));
-		isc_buffer_putuint16(&databuf, querytsig.siglen);
-		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_context_adddata(msg->tsigctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		/*
-		 * Digest the data of the query signature
-		 */
-		if (querytsig.siglen > 0) {
-			r.length = querytsig.siglen;
-			r.base = querytsig.signature;
-			ret = dst_context_adddata(msg->tsigctx, &r);
-			if (ret != ISC_R_SUCCESS)
-				goto cleanup_context;
-		}
-	}
-
-	/*
-	 * Extract the header.
-	 */
-	isc_buffer_usedregion(source, &r);
-	memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
-	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-
-	/*
-	 * Decrement the additional field counter if necessary.
-	 */
-	if (has_tsig) {
-		memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
-		addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
-		memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
-	}
-
-	/*
-	 * Put in the original id.
-	 */
-	/* XXX Can TCP transfers be forwarded?  How would that work? */
-	if (has_tsig) {
-		id = htons(tsig.originalid);
-		memcpy(&header[0], &id, 2);
-	}
-
-	/*
-	 * Digest the modified header.
-	 */
-	header_r.base = (unsigned char *) header;
-	header_r.length = DNS_MESSAGE_HEADERLEN;
-	ret = dst_context_adddata(msg->tsigctx, &header_r);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_context;
-
-	/*
-	 * Digest all non-TSIG records.
-	 */
-	isc_buffer_usedregion(source, &source_r);
-	r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
-	if (has_tsig)
-		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
-	else
-		r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
-	ret = dst_context_adddata(msg->tsigctx, &r);
-	if (ret != ISC_R_SUCCESS)
-		goto cleanup_context;
-
-	/*
-	 * Digest the time signed and fudge.
-	 */
-	if (has_tsig) {
-		isc_buffer_init(&databuf, data, sizeof(data));
-		isc_buffer_putuint48(&databuf, tsig.timesigned);
-		isc_buffer_putuint16(&databuf, tsig.fudge);
-		isc_buffer_usedregion(&databuf, &r);
-		ret = dst_context_adddata(msg->tsigctx, &r);
-		if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		sig_r.base = tsig.signature;
-		sig_r.length = tsig.siglen;
-		if (tsig.siglen == 0) {
-			if (tsig.error != dns_rcode_noerror) {
-				if (tsig.error == dns_tsigerror_badtime)
-					ret = DNS_R_CLOCKSKEW;
-				else
-					ret = DNS_R_TSIGERRORSET;
-			} else {
-				tsig_log(msg->tsigkey, 2,
-					 "signature is empty");
-				ret = DNS_R_TSIGVERIFYFAILURE;
-			}
-			goto cleanup_context;
-		}
-
-		ret = dst_context_verify(msg->tsigctx, &sig_r);
-		if (ret == DST_R_VERIFYFAILURE) {
-			msg->tsigstatus = dns_tsigerror_badsig;
-			tsig_log(msg->tsigkey, 2,
-				 "signature failed to verify(2)");
-			ret = DNS_R_TSIGVERIFYFAILURE;
-			goto cleanup_context;
-		}
-		else if (ret != ISC_R_SUCCESS)
-			goto cleanup_context;
-
-		dst_context_destroy(&msg->tsigctx);
-	}
-
-	msg->tsigstatus = dns_rcode_noerror;
-	return (ISC_R_SUCCESS);
-
- cleanup_context:
-	dst_context_destroy(&msg->tsigctx);
-
- cleanup_querystruct:
-	dns_rdata_freestruct(&querytsig);
-
-	return (ret);
-
-}
-
-isc_result_t
-dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
-		 dns_name_t *algorithm, dns_tsig_keyring_t *ring)
-{
-	dns_tsigkey_t *key;
-	isc_stdtime_t now;
-	isc_result_t result;
-
-	REQUIRE(tsigkey != NULL);
-	REQUIRE(*tsigkey == NULL);
-	REQUIRE(name != NULL);
-	REQUIRE(ring != NULL);
-
-	RWLOCK(&ring->lock, isc_rwlocktype_write);
-	cleanup_ring(ring);
-	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
-
-	isc_stdtime_get(&now);
-	RWLOCK(&ring->lock, isc_rwlocktype_read);
-	key = NULL;
-	result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key);
-	if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
-		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
-		return (ISC_R_NOTFOUND);
-	}
-	if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
-		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
-		return (ISC_R_NOTFOUND);
-	}
-	if (key->inception != key->expire && isc_serial_lt(key->expire, now)) {
-		/*
-		 * The key has expired.
-		 */
-		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
-		RWLOCK(&ring->lock, isc_rwlocktype_write);
-		remove_fromring(key);
-		RWUNLOCK(&ring->lock, isc_rwlocktype_write);
-		return (ISC_R_NOTFOUND);
-	}
-#if 0
-	/*
-	 * MPAXXX We really should look at the inception time.
-	 */
-	if (key->inception != key->expire &&
-	    isc_serial_lt(key->inception, now)) {
-		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
-		adjust_lru(key);
-		return (ISC_R_NOTFOUND);
-	}
-#endif
-	isc_refcount_increment(&key->refs, NULL);
-	RWUNLOCK(&ring->lock, isc_rwlocktype_read);
-	adjust_lru(key);
-	*tsigkey = key;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-free_tsignode(void *node, void *_unused) {
-	dns_tsigkey_t *key;
-
-	REQUIRE(node != NULL);
-
-	UNUSED(_unused);
-
-	key = node;
-	if (key->generated) {
-		if (ISC_LINK_LINKED(key, link))
-			ISC_LIST_UNLINK(key->ring->lru, key, link);
-	}
-	dns_tsigkey_detach(&key);
-}
-
-isc_result_t
-dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
-	isc_result_t result;
-	dns_tsig_keyring_t *ring;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(ringp != NULL);
-	REQUIRE(*ringp == NULL);
-
-	ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t));
-	if (ring == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_rwlock_init(&ring->lock, 0, 0);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
-		return (result);
-	}
-
-	ring->keys = NULL;
-	result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
-	if (result != ISC_R_SUCCESS) {
-		isc_rwlock_destroy(&ring->lock);
-		isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
-		return (result);
-	}
-
-	ring->writecount = 0;
-	ring->mctx = NULL;
-	ring->generated = 0;
-	ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
-	ISC_LIST_INIT(ring->lru);
-	isc_mem_attach(mctx, &ring->mctx);
-	ring->references = 1;
-
-	*ringp = ring;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
-		    dns_tsigkey_t *tkey)
-{
-	isc_result_t result;
-
-	result = keyring_add(ring, name, tkey);
-	if (result == ISC_R_SUCCESS)
-		isc_refcount_increment(&tkey->refs, NULL);
-
-	return (result);
-}
-
-void
-dns_tsigkeyring_attach(dns_tsig_keyring_t *source, dns_tsig_keyring_t **target)
-{
-	REQUIRE(source != NULL);
-	REQUIRE(target != NULL && *target == NULL);
-
-	RWLOCK(&source->lock, isc_rwlocktype_write);
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references > 0);
-	*target = source;
-	RWUNLOCK(&source->lock, isc_rwlocktype_write);
-}
-
-void
-dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp) {
-	dns_tsig_keyring_t *ring;
-	unsigned int references;
-
-	REQUIRE(ringp != NULL);
-	REQUIRE(*ringp != NULL);
-
-	ring = *ringp;
-	*ringp = NULL;
-
-	RWLOCK(&ring->lock, isc_rwlocktype_write);
-	INSIST(ring->references > 0);
-	ring->references--;
-	references = ring->references;
-	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
-
-	if (references == 0)
-		destroyring(ring);
-}
-
-void
-dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp) {
-	isc_stdtime_t now;
-	isc_result_t result;
-
-	isc_stdtime_get(&now);
-	do {
-		result = restore_key(ring, now, fp);
-		if (result == ISC_R_NOMORE)
-			return;
-		if (result == DNS_R_BADALG || result == DNS_R_EXPIRED)
-			result = ISC_R_SUCCESS;
-	} while (result == ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/ttl.c b/contrib/bind9/lib/dns/ttl.c
deleted file mode 100644
index d3cf024..0000000
--- a/contrib/bind9/lib/dns/ttl.c
+++ /dev/null
@@ -1,217 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/result.h>
-#include <dns/ttl.h>
-
-#define RETERR(x) do { \
-	isc_result_t _r = (x); \
-	if (_r != ISC_R_SUCCESS) \
-		return (_r); \
-	} while (0)
-
-
-static isc_result_t bind_ttl(isc_textregion_t *source, isc_uint32_t *ttl);
-
-/*
- * Helper for dns_ttl_totext().
- */
-static isc_result_t
-ttlfmt(unsigned int t, const char *s, isc_boolean_t verbose,
-       isc_boolean_t space, isc_buffer_t *target)
-{
-	char tmp[60];
-	size_t len;
-	isc_region_t region;
-
-	if (verbose)
-		len = snprintf(tmp, sizeof(tmp), "%s%u %s%s",
-			       space ? " " : "",
-			       t, s,
-			       t == 1 ? "" : "s");
-	else
-		len = snprintf(tmp, sizeof(tmp), "%u%c", t, s[0]);
-
-	INSIST(len + 1 <= sizeof(tmp));
-	isc_buffer_availableregion(target, &region);
-	if (len > region.length)
-		return (ISC_R_NOSPACE);
-	memcpy(region.base, tmp, len);
-	isc_buffer_add(target, len);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Derived from bind8 ns_format_ttl().
- */
-isc_result_t
-dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose, isc_buffer_t *target) {
-	unsigned secs, mins, hours, days, weeks, x;
-
-	secs = src % 60;   src /= 60;
-	mins = src % 60;   src /= 60;
-	hours = src % 24;  src /= 24;
-	days = src % 7;    src /= 7;
-	weeks = src;       src = 0;
-	POST(src);
-
-	x = 0;
-	if (weeks != 0) {
-		RETERR(ttlfmt(weeks, "week", verbose, ISC_TF(x > 0), target));
-		x++;
-	}
-	if (days != 0) {
-		RETERR(ttlfmt(days, "day", verbose, ISC_TF(x > 0), target));
-		x++;
-	}
-	if (hours != 0) {
-		RETERR(ttlfmt(hours, "hour", verbose, ISC_TF(x > 0), target));
-		x++;
-	}
-	if (mins != 0) {
-		RETERR(ttlfmt(mins, "minute", verbose, ISC_TF(x > 0), target));
-		x++;
-	}
-	if (secs != 0 ||
-	    (weeks == 0 && days == 0 && hours == 0 && mins == 0)) {
-		RETERR(ttlfmt(secs, "second", verbose, ISC_TF(x > 0), target));
-		x++;
-	}
-	INSIST (x > 0);
-	/*
-	 * If only a single unit letter is printed, print it
-	 * in upper case. (Why?  Because BIND 8 does that.
-	 * Presumably it has a reason.)
-	 */
-	if (x == 1 && !verbose) {
-		isc_region_t region;
-		/*
-		 * The unit letter is the last character in the
-		 * used region of the buffer.
-		 *
-		 * toupper() does not need its argument to be masked of cast
-		 * here because region.base is type unsigned char *.
-		 */
-		isc_buffer_usedregion(target, &region);
-		region.base[region.length - 1] =
-			toupper(region.base[region.length - 1]);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_counter_fromtext(isc_textregion_t *source, isc_uint32_t *ttl) {
-	return (bind_ttl(source, ttl));
-}
-
-isc_result_t
-dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl) {
-	isc_result_t result;
-
-	result = bind_ttl(source, ttl);
-	if (result != ISC_R_SUCCESS)
-		result = DNS_R_BADTTL;
-	return (result);
-}
-
-static isc_result_t
-bind_ttl(isc_textregion_t *source, isc_uint32_t *ttl) {
-	isc_uint32_t tmp = 0;
-	isc_uint32_t n;
-	char *s;
-	char buf[64];
-	char nbuf[64]; /* Number buffer */
-
-	/*
-	 * Copy the buffer as it may not be NULL terminated.
-	 * No legal counter / ttl is longer that 63 characters.
-	 */
-	if (source->length > sizeof(buf) - 1)
-		return (DNS_R_SYNTAX);
-	strncpy(buf, source->base, source->length);
-	buf[source->length] = '\0';
-	s = buf;
-
-	do {
-		isc_result_t result;
-
-		char *np = nbuf;
-		while (*s != '\0' && isdigit((unsigned char)*s))
-			*np++ = *s++;
-		*np++ = '\0';
-		INSIST(np - nbuf <= (int)sizeof(nbuf));
-		result = isc_parse_uint32(&n, nbuf, 10);
-		if (result != ISC_R_SUCCESS)
-			return (DNS_R_SYNTAX);
-		switch (*s) {
-		case 'w':
-		case 'W':
-			tmp += n * 7 * 24 * 3600;
-			s++;
-			break;
-		case 'd':
-		case 'D':
-			tmp += n * 24 * 3600;
-			s++;
-			break;
-		case 'h':
-		case 'H':
-			tmp += n * 3600;
-			s++;
-			break;
-		case 'm':
-		case 'M':
-			tmp += n * 60;
-			s++;
-			break;
-		case 's':
-		case 'S':
-			tmp += n;
-			s++;
-			break;
-		case '\0':
-			/* Plain number? */
-			if (tmp != 0)
-				return (DNS_R_SYNTAX);
-			tmp = n;
-			break;
-		default:
-			return (DNS_R_SYNTAX);
-		}
-	} while (*s != '\0');
-	*ttl = tmp;
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/update.c b/contrib/bind9/lib/dns/update.c
deleted file mode 100644
index 14ffcc2..0000000
--- a/contrib/bind9/lib/dns/update.c
+++ /dev/null
@@ -1,1865 +0,0 @@
-/*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <isc/log.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/serial.h>
-#include <isc/stats.h>
-#include <isc/stdtime.h>
-#include <isc/string.h>
-#include <isc/taskpool.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/journal.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/private.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-#include <dns/ssu.h>
-#include <dns/tsig.h>
-#include <dns/update.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-
-/**************************************************************************/
-
-/*%
- * Log level for tracing dynamic update protocol requests.
- */
-#define LOGLEVEL_PROTOCOL	ISC_LOG_INFO
-
-/*%
- * Log level for low-level debug tracing.
- */
-#define LOGLEVEL_DEBUG		ISC_LOG_DEBUG(8)
-
-/*%
- * Check an operation for failure.  These macros all assume that
- * the function using them has a 'result' variable and a 'failure'
- * label.
- */
-#define CHECK(op) \
-	do { result = (op); \
-		if (result != ISC_R_SUCCESS) goto failure; \
-	} while (0)
-
-/*%
- * Fail unconditionally with result 'code', which must not
- * be ISC_R_SUCCESS.  The reason for failure presumably has
- * been logged already.
- *
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-
-#define FAIL(code) \
-	do {							\
-		result = (code);				\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-/*%
- * Fail unconditionally and log as a client error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILC(code, msg) \
-	do {							\
-		const char *_what = "failed";			\
-		result = (code);				\
-		switch (result) {				\
-		case DNS_R_NXDOMAIN:				\
-		case DNS_R_YXDOMAIN:				\
-		case DNS_R_YXRRSET:				\
-		case DNS_R_NXRRSET:				\
-			_what = "unsuccessful";			\
-		}						\
-		update_log(log, zone, LOGLEVEL_PROTOCOL,	\
-			   "update %s: %s (%s)", _what,		\
-			   msg, isc_result_totext(result));	\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-#define FAILN(code, name, msg) \
-	do {								\
-		const char *_what = "failed";				\
-		result = (code);					\
-		switch (result) {					\
-		case DNS_R_NXDOMAIN:					\
-		case DNS_R_YXDOMAIN:					\
-		case DNS_R_YXRRSET:					\
-		case DNS_R_NXRRSET:					\
-			_what = "unsuccessful";				\
-		}							\
-		if (isc_log_wouldlog(dns_lctx, LOGLEVEL_PROTOCOL)) {	\
-			char _nbuf[DNS_NAME_FORMATSIZE];		\
-			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
-			update_log(log, zone, LOGLEVEL_PROTOCOL,	\
-				   "update %s: %s: %s (%s)", _what, _nbuf, \
-				   msg, isc_result_totext(result));	\
-		}							\
-		if (result != ISC_R_SUCCESS) goto failure;		\
-	} while (0)
-
-#define FAILNT(code, name, type, msg) \
-	do {								\
-		const char *_what = "failed";				\
-		result = (code);					\
-		switch (result) {					\
-		case DNS_R_NXDOMAIN:					\
-		case DNS_R_YXDOMAIN:					\
-		case DNS_R_YXRRSET:					\
-		case DNS_R_NXRRSET:					\
-			_what = "unsuccessful";				\
-		}							\
-		if (isc_log_wouldlog(dns_lctx, LOGLEVEL_PROTOCOL)) {	\
-			char _nbuf[DNS_NAME_FORMATSIZE];		\
-			char _tbuf[DNS_RDATATYPE_FORMATSIZE];		\
-			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
-			dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
-			update_log(log, zone, LOGLEVEL_PROTOCOL,	\
-				   "update %s: %s/%s: %s (%s)",		\
-				   _what, _nbuf, _tbuf, msg,		\
-				   isc_result_totext(result));		\
-		}							\
-		if (result != ISC_R_SUCCESS) goto failure;		\
-	} while (0)
-
-/*%
- * Fail unconditionally and log as a server error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILS(code, msg) \
-	do {							\
-		result = (code);				\
-		update_log(log, zone, LOGLEVEL_PROTOCOL,	\
-			   "error: %s: %s",			\
-			   msg, isc_result_totext(result));	\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-/**************************************************************************/
-
-typedef struct rr rr_t;
-
-struct rr {
-	/* dns_name_t name; */
-	isc_uint32_t		ttl;
-	dns_rdata_t		rdata;
-};
-
-typedef struct update_event update_event_t;
-
-/**************************************************************************/
-
-static void
-update_log(dns_update_log_t *callback, dns_zone_t *zone,
-	   int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
-
-static void
-update_log(dns_update_log_t *callback, dns_zone_t *zone,
-	   int level, const char *fmt, ...)
-{
-	va_list ap;
-	char message[4096];
-
-	if (callback == NULL)
-		return;
-
-	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
-		return;
-
-
-	va_start(ap, fmt);
-	vsnprintf(message, sizeof(message), fmt, ap);
-	va_end(ap);
-
-	(callback->func)(callback->arg, zone, level, message);
-}
-
-/*%
- * Update a single RR in version 'ver' of 'db' and log the
- * update in 'diff'.
- *
- * Ensures:
- * \li	'*tuple' == NULL.  Either the tuple is freed, or its
- *	ownership has been transferred to the diff.
- */
-static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
-	     dns_diff_t *diff)
-{
-	dns_diff_t temp_diff;
-	isc_result_t result;
-
-	/*
-	 * Create a singleton diff.
-	 */
-	dns_diff_init(diff->mctx, &temp_diff);
-	temp_diff.resign = diff->resign;
-	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
-
-	/*
-	 * Apply it to the database.
-	 */
-	result = dns_diff_apply(&temp_diff, db, ver);
-	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
-	if (result != ISC_R_SUCCESS) {
-		dns_difftuple_free(tuple);
-		return (result);
-	}
-
-	/*
-	 * Merge it into the current pending journal entry.
-	 */
-	dns_diff_appendminimal(diff, tuple);
-
-	/*
-	 * Do not clear temp_diff.
-	 */
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
-	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
-	      dns_rdata_t *rdata)
-{
-	dns_difftuple_t *tuple = NULL;
-	isc_result_t result;
-	result = dns_difftuple_create(diff->mctx, op,
-				      name, ttl, rdata, &tuple);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	return (do_one_tuple(&tuple, db, ver, diff));
-}
-
-/**************************************************************************/
-/*
- * Callback-style iteration over rdatasets and rdatas.
- *
- * foreach_rrset() can be used to iterate over the RRsets
- * of a name and call a callback function with each
- * one.  Similarly, foreach_rr() can be used to iterate
- * over the individual RRs at name, optionally restricted
- * to RRs of a given type.
- *
- * The callback functions are called "actions" and take
- * two arguments: a void pointer for passing arbitrary
- * context information, and a pointer to the current RRset
- * or RR.  By convention, their names end in "_action".
- */
-
-/*
- * XXXRTH  We might want to make this public somewhere in libdns.
- */
-
-/*%
- * Function type for foreach_rrset() iterator actions.
- */
-typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset);
-
-/*%
- * Function type for foreach_rr() iterator actions.
- */
-typedef isc_result_t rr_func(void *data, rr_t *rr);
-
-/*%
- * Internal context struct for foreach_node_rr().
- */
-typedef struct {
-	rr_func *	rr_action;
-	void *		rr_action_data;
-} foreach_node_rr_ctx_t;
-
-/*%
- * Internal helper function for foreach_node_rr().
- */
-static isc_result_t
-foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
-	isc_result_t result;
-	foreach_node_rr_ctx_t *ctx = data;
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset))
-	{
-		rr_t rr = { 0, DNS_RDATA_INIT };
-
-		dns_rdataset_current(rdataset, &rr.rdata);
-		rr.ttl = rdataset->ttl;
-		result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	if (result != ISC_R_NOMORE)
-		return (result);
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * For each rdataset of 'name' in 'ver' of 'db', call 'action'
- * with the rdataset and 'action_data' as arguments.  If the name
- * does not exist, do nothing.
- *
- * If 'action' returns an error, abort iteration and return the error.
- */
-static isc_result_t
-foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	      rrset_func *action, void *action_data)
-{
-	isc_result_t result;
-	dns_dbnode_t *node;
-	dns_rdatasetiter_t *iter;
-
-	node = NULL;
-	result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	iter = NULL;
-	result = dns_db_allrdatasets(db, node, ver,
-				     (isc_stdtime_t) 0, &iter);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_node;
-
-	for (result = dns_rdatasetiter_first(iter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(iter))
-	{
-		dns_rdataset_t rdataset;
-
-		dns_rdataset_init(&rdataset);
-		dns_rdatasetiter_current(iter, &rdataset);
-
-		result = (*action)(action_data, &rdataset);
-
-		dns_rdataset_disassociate(&rdataset);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_iterator;
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
- cleanup_iterator:
-	dns_rdatasetiter_destroy(&iter);
-
- cleanup_node:
-	dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-/*%
- * For each RR of 'name' in 'ver' of 'db', call 'action'
- * with the RR and 'action_data' as arguments.  If the name
- * does not exist, do nothing.
- *
- * If 'action' returns an error, abort iteration
- * and return the error.
- */
-static isc_result_t
-foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-		rr_func *rr_action, void *rr_action_data)
-{
-	foreach_node_rr_ctx_t ctx;
-	ctx.rr_action = rr_action;
-	ctx.rr_action_data = rr_action_data;
-	return (foreach_rrset(db, ver, name,
-			      foreach_node_rr_action, &ctx));
-}
-
-
-/*%
- * For each of the RRs specified by 'db', 'ver', 'name', 'type',
- * (which can be dns_rdatatype_any to match any type), and 'covers', call
- * 'action' with the RR and 'action_data' as arguments. If the name
- * does not exist, or if no RRset of the given type exists at the name,
- * do nothing.
- *
- * If 'action' returns an error, abort iteration and return the error.
- */
-static isc_result_t
-foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	   dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
-	   void *rr_action_data)
-{
-
-	isc_result_t result;
-	dns_dbnode_t *node;
-	dns_rdataset_t rdataset;
-
-	if (type == dns_rdatatype_any)
-		return (foreach_node_rr(db, ver, name,
-					rr_action, rr_action_data));
-
-	node = NULL;
-	if (type == dns_rdatatype_nsec3 ||
-	    (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
-		result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
-	else
-		result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, type, covers,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		result = ISC_R_SUCCESS;
-		goto cleanup_node;
-	}
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_node;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset))
-	{
-		rr_t rr = { 0, DNS_RDATA_INIT };
-		dns_rdataset_current(&rdataset, &rr.rdata);
-		rr.ttl = rdataset.ttl;
-		result = (*rr_action)(rr_action_data, &rr);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_rdataset;
-	}
-	if (result != ISC_R_NOMORE)
-		goto cleanup_rdataset;
-	result = ISC_R_SUCCESS;
-
- cleanup_rdataset:
-	dns_rdataset_disassociate(&rdataset);
- cleanup_node:
-	dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-/**************************************************************************/
-/*
- * Various tests on the database contents (for prerequisites, etc).
- */
-
-/*%
- * Function type for predicate functions that compare a database RR 'db_rr'
- * against an update RR 'update_rr'.
- */
-typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
-
-/*%
- * Helper function for rrset_exists().
- */
-static isc_result_t
-rrset_exists_action(void *data, rr_t *rr) {
-	UNUSED(data);
-	UNUSED(rr);
-	return (ISC_R_EXISTS);
-}
-
-/*%
- * Utility macro for RR existence checking functions.
- *
- * If the variable 'result' has the value ISC_R_EXISTS or
- * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
- * respectively, and return success.
- *
- * If 'result' has any other value, there was a failure.
- * Return the failure result code and do not set *exists.
- *
- * This would be more readable as "do { if ... } while(0)",
- * but that form generates tons of warnings on Solaris 2.6.
- */
-#define RETURN_EXISTENCE_FLAG				\
-	return ((result == ISC_R_EXISTS) ?		\
-		(*exists = ISC_TRUE, ISC_R_SUCCESS) :	\
-		((result == ISC_R_SUCCESS) ?		\
-		 (*exists = ISC_FALSE, ISC_R_SUCCESS) :	\
-		 result))
-
-/*%
- * Set '*exists' to true iff an rrset of the given type exists,
- * to false otherwise.
- */
-static isc_result_t
-rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	     dns_rdatatype_t type, dns_rdatatype_t covers,
-	     isc_boolean_t *exists)
-{
-	isc_result_t result;
-	result = foreach_rr(db, ver, name, type, covers,
-			    rrset_exists_action, NULL);
-	RETURN_EXISTENCE_FLAG;
-}
-
-/*%
- * Set '*visible' to true if the RRset exists and is part of the
- * visible zone.  Otherwise '*visible' is set to false unless a
- * error occurs.
- */
-static isc_result_t
-rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	      dns_rdatatype_t type, isc_boolean_t *visible)
-{
-	isc_result_t result;
-	dns_fixedname_t fixed;
-
-	dns_fixedname_init(&fixed);
-	result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD,
-			     (isc_stdtime_t) 0, NULL,
-			     dns_fixedname_name(&fixed), NULL, NULL);
-	switch (result) {
-	case ISC_R_SUCCESS:
-		*visible = ISC_TRUE;
-		break;
-	/*
-	 * Glue, obscured, deleted or replaced records.
-	 */
-	case DNS_R_DELEGATION:
-	case DNS_R_DNAME:
-	case DNS_R_CNAME:
-	case DNS_R_NXDOMAIN:
-	case DNS_R_NXRRSET:
-	case DNS_R_EMPTYNAME:
-	case DNS_R_COVERINGNSEC:
-		*visible = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-		break;
-	default:
-		break;
-	}
-	return (result);
-}
-
-/*%
- * Context struct and helper function for name_exists().
- */
-
-static isc_result_t
-name_exists_action(void *data, dns_rdataset_t *rrset) {
-	UNUSED(data);
-	UNUSED(rrset);
-	return (ISC_R_EXISTS);
-}
-
-/*%
- * Set '*exists' to true iff the given name exists, to false otherwise.
- */
-static isc_result_t
-name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	    isc_boolean_t *exists)
-{
-	isc_result_t result;
-	result = foreach_rrset(db, ver, name,
-			       name_exists_action, NULL);
-	RETURN_EXISTENCE_FLAG;
-}
-
-/**************************************************************************/
-/*
- * Checking of "RRset exists (value dependent)" prerequisites.
- *
- * In the RFC2136 section 3.2.5, this is the pseudocode involving
- * a variable called "temp", a mapping of <name, type> tuples to rrsets.
- *
- * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
- * where each tuple has op==DNS_DIFFOP_EXISTS.
- */
-
-/*%
- * A comparison function defining the sorting order for the entries
- * in the "temp" data structure.  The major sort key is the owner name,
- * followed by the type and rdata.
- */
-static int
-temp_order(const void *av, const void *bv) {
-	dns_difftuple_t const * const *ap = av;
-	dns_difftuple_t const * const *bp = bv;
-	dns_difftuple_t const *a = *ap;
-	dns_difftuple_t const *b = *bp;
-	int r;
-	r = dns_name_compare(&a->name, &b->name);
-	if (r != 0)
-		return (r);
-	r = (b->rdata.type - a->rdata.type);
-	if (r != 0)
-		return (r);
-	r = dns_rdata_casecompare(&a->rdata, &b->rdata);
-	return (r);
-}
-
-/**************************************************************************/
-/*
- * Conditional deletion of RRs.
- */
-
-/*%
- * Context structure for delete_if().
- */
-
-typedef struct {
-	rr_predicate *predicate;
-	dns_db_t *db;
-	dns_dbversion_t *ver;
-	dns_diff_t *diff;
-	dns_name_t *name;
-	dns_rdata_t *update_rr;
-} conditional_delete_ctx_t;
-
-/*%
- * Predicate functions for delete_if().
- */
-
-/*%
- * Return true always.
- */
-static isc_boolean_t
-true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
-	UNUSED(update_rr);
-	UNUSED(db_rr);
-	return (ISC_TRUE);
-}
-
-/*%
- * Return true if the record is a RRSIG.
- */
-static isc_boolean_t
-rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
-	UNUSED(update_rr);
-	return ((db_rr->type == dns_rdatatype_rrsig) ?
-		ISC_TRUE : ISC_FALSE);
-}
-
-/*%
- * Internal helper function for delete_if().
- */
-static isc_result_t
-delete_if_action(void *data, rr_t *rr) {
-	conditional_delete_ctx_t *ctx = data;
-	if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
-		isc_result_t result;
-		result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
-				       DNS_DIFFOP_DEL, ctx->name,
-				       rr->ttl, &rr->rdata);
-		return (result);
-	} else {
-		return (ISC_R_SUCCESS);
-	}
-}
-
-/*%
- * Conditionally delete RRs.  Apply 'predicate' to the RRs
- * specified by 'db', 'ver', 'name', and 'type' (which can
- * be dns_rdatatype_any to match any type).  Delete those
- * RRs for which the predicate returns true, and log the
- * deletions in 'diff'.
- */
-static isc_result_t
-delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
-	  dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
-	  dns_rdata_t *update_rr, dns_diff_t *diff)
-{
-	conditional_delete_ctx_t ctx;
-	ctx.predicate = predicate;
-	ctx.db = db;
-	ctx.ver = ver;
-	ctx.diff = diff;
-	ctx.name = name;
-	ctx.update_rr = update_rr;
-	return (foreach_rr(db, ver, name, type, covers,
-			   delete_if_action, &ctx));
-}
-
-/**************************************************************************/
-/*
- * Incremental updating of NSECs and RRSIGs.
- */
-
-/*%
- * We abuse the dns_diff_t type to represent a set of domain names
- * affected by the update.
- */
-static isc_result_t
-namelist_append_name(dns_diff_t *list, dns_name_t *name) {
-	isc_result_t result;
-	dns_difftuple_t *tuple = NULL;
-	static dns_rdata_t dummy_rdata = DNS_RDATA_INIT;
-
-	CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
-				   &dummy_rdata, &tuple));
-	dns_diff_append(list, &tuple);
- failure:
-	return (result);
-}
-
-static isc_result_t
-namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
-{
-	isc_result_t result;
-	dns_fixedname_t fixedname;
-	dns_name_t *child;
-	dns_dbiterator_t *dbit = NULL;
-
-	dns_fixedname_init(&fixedname);
-	child = dns_fixedname_name(&fixedname);
-
-	CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
-
-	for (result = dns_dbiterator_seek(dbit, name);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbit))
-	{
-		dns_dbnode_t *node = NULL;
-		CHECK(dns_dbiterator_current(dbit, &node, child));
-		dns_db_detachnode(db, &node);
-		if (! dns_name_issubdomain(child, name))
-			break;
-		CHECK(namelist_append_name(affected, child));
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
- failure:
-	if (dbit != NULL)
-		dns_dbiterator_destroy(&dbit);
-	return (result);
-}
-
-
-
-/*%
- * Helper function for non_nsec_rrset_exists().
- */
-static isc_result_t
-is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
-	UNUSED(data);
-	if (!(rrset->type == dns_rdatatype_nsec ||
-	      rrset->type == dns_rdatatype_nsec3 ||
-	      (rrset->type == dns_rdatatype_rrsig &&
-	       (rrset->covers == dns_rdatatype_nsec ||
-		rrset->covers == dns_rdatatype_nsec3))))
-		return (ISC_R_EXISTS);
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
- * i.e., anything that justifies the continued existence of a name
- * after a secure update.
- *
- * If such an rrset exists, set '*exists' to ISC_TRUE.
- * Otherwise, set it to ISC_FALSE.
- */
-static isc_result_t
-non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
-		     dns_name_t *name, isc_boolean_t *exists)
-{
-	isc_result_t result;
-	result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL);
-	RETURN_EXISTENCE_FLAG;
-}
-
-/*%
- * A comparison function for sorting dns_diff_t:s by name.
- */
-static int
-name_order(const void *av, const void *bv) {
-	dns_difftuple_t const * const *ap = av;
-	dns_difftuple_t const * const *bp = bv;
-	dns_difftuple_t const *a = *ap;
-	dns_difftuple_t const *b = *bp;
-	return (dns_name_compare(&a->name, &b->name));
-}
-
-static isc_result_t
-uniqify_name_list(dns_diff_t *list) {
-	isc_result_t result;
-	dns_difftuple_t *p, *q;
-
-	CHECK(dns_diff_sort(list, name_order));
-
-	p = ISC_LIST_HEAD(list->tuples);
-	while (p != NULL) {
-		do {
-			q = ISC_LIST_NEXT(p, link);
-			if (q == NULL || ! dns_name_equal(&p->name, &q->name))
-				break;
-			ISC_LIST_UNLINK(list->tuples, q, link);
-			dns_difftuple_free(&q);
-		} while (1);
-		p = ISC_LIST_NEXT(p, link);
-	}
- failure:
-	return (result);
-}
-
-static isc_result_t
-is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	  isc_boolean_t *flag, isc_boolean_t *cut, isc_boolean_t *unsecure)
-{
-	isc_result_t result;
-	dns_fixedname_t foundname;
-	dns_fixedname_init(&foundname);
-	result = dns_db_find(db, name, ver, dns_rdatatype_any,
-			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
-			     (isc_stdtime_t) 0, NULL,
-			     dns_fixedname_name(&foundname),
-			     NULL, NULL);
-	if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) {
-		*flag = ISC_TRUE;
-		*cut = ISC_FALSE;
-		if (unsecure != NULL)
-			*unsecure = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	} else if (result == DNS_R_ZONECUT) {
-		*flag = ISC_TRUE;
-		*cut = ISC_TRUE;
-		if (unsecure != NULL) {
-			/*
-			 * We are at the zonecut.  Check to see if there
-			 * is a DS RRset.
-			 */
-			if (dns_db_find(db, name, ver, dns_rdatatype_ds, 0,
-					(isc_stdtime_t) 0, NULL,
-					dns_fixedname_name(&foundname),
-					NULL, NULL) == DNS_R_NXRRSET)
-				*unsecure = ISC_TRUE;
-			else
-				*unsecure = ISC_FALSE;
-		}
-		return (ISC_R_SUCCESS);
-	} else if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
-		   result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
-		*flag = ISC_FALSE;
-		*cut = ISC_FALSE;
-		if (unsecure != NULL)
-			*unsecure = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	} else {
-		/*
-		 * Silence compiler.
-		 */
-		*flag = ISC_FALSE;
-		*cut = ISC_FALSE;
-		if (unsecure != NULL)
-			*unsecure = ISC_FALSE;
-		return (result);
-	}
-}
-
-/*%
- * Find the next/previous name that has a NSEC record.
- * In other words, skip empty database nodes and names that
- * have had their NSECs removed because they are obscured by
- * a zone cut.
- */
-static isc_result_t
-next_active(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
-	    dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
-	    isc_boolean_t forward)
-{
-	isc_result_t result;
-	dns_dbiterator_t *dbit = NULL;
-	isc_boolean_t has_nsec = ISC_FALSE;
-	unsigned int wraps = 0;
-	isc_boolean_t secure = dns_db_issecure(db);
-
-	CHECK(dns_db_createiterator(db, 0, &dbit));
-
-	CHECK(dns_dbiterator_seek(dbit, oldname));
-	do {
-		dns_dbnode_t *node = NULL;
-
-		if (forward)
-			result = dns_dbiterator_next(dbit);
-		else
-			result = dns_dbiterator_prev(dbit);
-		if (result == ISC_R_NOMORE) {
-			/*
-			 * Wrap around.
-			 */
-			if (forward)
-				CHECK(dns_dbiterator_first(dbit));
-			else
-				CHECK(dns_dbiterator_last(dbit));
-			wraps++;
-			if (wraps == 2) {
-				update_log(log, zone, ISC_LOG_ERROR,
-					   "secure zone with no NSECs");
-				result = DNS_R_BADZONE;
-				goto failure;
-			}
-		}
-		CHECK(dns_dbiterator_current(dbit, &node, newname));
-		dns_db_detachnode(db, &node);
-
-		/*
-		 * The iterator may hold the tree lock, and
-		 * rrset_exists() calls dns_db_findnode() which
-		 * may try to reacquire it.  To avoid deadlock
-		 * we must pause the iterator first.
-		 */
-		CHECK(dns_dbiterator_pause(dbit));
-		if (secure) {
-			CHECK(rrset_exists(db, ver, newname,
-					   dns_rdatatype_nsec, 0, &has_nsec));
-		} else {
-			dns_fixedname_t ffound;
-			dns_name_t *found;
-			dns_fixedname_init(&ffound);
-			found = dns_fixedname_name(&ffound);
-			result = dns_db_find(db, newname, ver,
-					     dns_rdatatype_soa,
-					     DNS_DBFIND_NOWILD, 0, NULL, found,
-					     NULL, NULL);
-			if (result == ISC_R_SUCCESS ||
-			    result == DNS_R_EMPTYNAME ||
-			    result == DNS_R_NXRRSET ||
-			    result == DNS_R_CNAME ||
-			    (result == DNS_R_DELEGATION &&
-			     dns_name_equal(newname, found))) {
-				has_nsec = ISC_TRUE;
-				result = ISC_R_SUCCESS;
-			} else if (result != DNS_R_NXDOMAIN)
-				break;
-		}
-	} while (! has_nsec);
- failure:
-	if (dbit != NULL)
-		dns_dbiterator_destroy(&dbit);
-
-	return (result);
-}
-
-/*%
- * Add a NSEC record for "name", recording the change in "diff".
- * The existing NSEC is removed.
- */
-static isc_result_t
-add_nsec(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
-	 dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
-	 dns_diff_t *diff)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	unsigned char buffer[DNS_NSEC_BUFFERSIZE];
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_difftuple_t *tuple = NULL;
-	dns_fixedname_t fixedname;
-	dns_name_t *target;
-
-	dns_fixedname_init(&fixedname);
-	target = dns_fixedname_name(&fixedname);
-
-	/*
-	 * Find the successor name, aka NSEC target.
-	 */
-	CHECK(next_active(log, zone, db, ver, name, target, ISC_TRUE));
-
-	/*
-	 * Create the NSEC RDATA.
-	 */
-	CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
-	dns_rdata_init(&rdata);
-	CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
-	dns_db_detachnode(db, &node);
-
-	/*
-	 * Delete the old NSEC and record the change.
-	 */
-	CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0,
-			NULL, diff));
-	/*
-	 * Add the new NSEC and record the change.
-	 */
-	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
-				   nsecttl, &rdata, &tuple));
-	CHECK(do_one_tuple(&tuple, db, ver, diff));
-	INSIST(tuple == NULL);
-
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-/*%
- * Add a placeholder NSEC record for "name", recording the change in "diff".
- */
-static isc_result_t
-add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-		     dns_diff_t *diff)
-{
-	isc_result_t result;
-	dns_difftuple_t *tuple = NULL;
-	isc_region_t r;
-	unsigned char data[1] = { 0 }; /* The root domain, no bits. */
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	r.base = data;
-	r.length = sizeof(data);
-	dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
-	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
-				   &rdata, &tuple));
-	CHECK(do_one_tuple(&tuple, db, ver, diff));
- failure:
-	return (result);
-}
-
-static isc_result_t
-find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	       isc_mem_t *mctx, unsigned int maxkeys,
-	       dst_key_t **keys, unsigned int *nkeys)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	const char *directory = dns_zone_getkeydirectory(zone);
-	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
-	CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
-				       directory, mctx, maxkeys, keys, nkeys));
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-/*%
- * Add RRSIG records for an RRset, recording the change in "diff".
- */
-static isc_result_t
-add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
-	 dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
-	 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
-	 isc_stdtime_t inception, isc_stdtime_t expire,
-	 isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
-	isc_buffer_t buffer;
-	unsigned char data[1024]; /* XXX */
-	unsigned int i, j;
-	isc_boolean_t added_sig = ISC_FALSE;
-	isc_mem_t *mctx = diff->mctx;
-
-	dns_rdataset_init(&rdataset);
-	isc_buffer_init(&buffer, data, sizeof(data));
-
-	/* Get the rdataset to sign. */
-	if (type == dns_rdatatype_nsec3)
-		CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
-	else
-		CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
-	CHECK(dns_db_findrdataset(db, node, ver, type, 0,
-				  (isc_stdtime_t) 0, &rdataset, NULL));
-	dns_db_detachnode(db, &node);
-
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
-#define ALG(x) dst_key_alg(x)
-
-	/*
-	 * If we are honoring KSK flags then we need to check that we
-	 * have both KSK and non-KSK keys that are not revoked per
-	 * algorithm.
-	 */
-	for (i = 0; i < nkeys; i++) {
-		isc_boolean_t both = ISC_FALSE;
-
-		if (!dst_key_isprivate(keys[i]))
-			continue;
-
-		if (check_ksk && !REVOKE(keys[i])) {
-			isc_boolean_t have_ksk, have_nonksk;
-			if (KSK(keys[i])) {
-				have_ksk = ISC_TRUE;
-				have_nonksk = ISC_FALSE;
-			} else {
-				have_ksk = ISC_FALSE;
-				have_nonksk = ISC_TRUE;
-			}
-			for (j = 0; j < nkeys; j++) {
-				if (j == i || ALG(keys[i]) != ALG(keys[j]))
-					continue;
-				if (REVOKE(keys[j]))
-					continue;
-				if (KSK(keys[j]))
-					have_ksk = ISC_TRUE;
-				else
-					have_nonksk = ISC_TRUE;
-				both = have_ksk && have_nonksk;
-				if (both)
-					break;
-			}
-		}
-
-		if (both) {
-			if (type == dns_rdatatype_dnskey) {
-				if (!KSK(keys[i]) && keyset_kskonly)
-					continue;
-			} else if (KSK(keys[i]))
-				continue;
-		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
-			continue;
-
-		/* Calculate the signature, creating a RRSIG RDATA. */
-		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
-				      &inception, &expire,
-				      mctx, &buffer, &sig_rdata));
-
-		/* Update the database and journal with the RRSIG. */
-		/* XXX inefficient - will cause dataset merging */
-		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
-				    rdataset.ttl, &sig_rdata));
-		dns_rdata_reset(&sig_rdata);
-		isc_buffer_init(&buffer, data, sizeof(data));
-		added_sig = ISC_TRUE;
-	}
-	if (!added_sig) {
-		update_log(log, zone, ISC_LOG_ERROR,
-			   "found no active private keys, "
-			   "unable to generate any signatures");
-		result = ISC_R_NOTFOUND;
-	}
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-/*
- * Delete expired RRsigs and any RRsigs we are about to re-sign.
- * See also zone.c:del_sigs().
- */
-static isc_result_t
-del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	    dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned int i;
-	dns_rdata_rrsig_t rrsig;
-	isc_boolean_t found;
-
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig,
-				     dns_rdatatype_dnskey, (isc_stdtime_t) 0,
-				     &rdataset, NULL);
-	dns_db_detachnode(db, &node);
-
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		found = ISC_FALSE;
-		for (i = 0; i < nkeys; i++) {
-			if (rrsig.keyid == dst_key_id(keys[i])) {
-				found = ISC_TRUE;
-				if (!dst_key_isprivate(keys[i])) {
-					/*
-					 * The re-signing code in zone.c
-					 * will mark this as offline.
-					 * Just skip the record for now.
-					 */
-					break;
-				}
-				result = update_one_rr(db, ver, diff,
-						       DNS_DIFFOP_DEL, name,
-						       rdataset.ttl, &rdata);
-				break;
-			}
-		}
-		/*
-		 * If there is not a matching DNSKEY then delete the RRSIG.
-		 */
-		if (!found)
-			result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
-					       name, rdataset.ttl, &rdata);
-		dns_rdata_reset(&rdata);
-		if (result != ISC_R_SUCCESS)
-			break;
-	}
-	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-static isc_result_t
-add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
-		 dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut,
-		 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
-		 isc_stdtime_t inception, isc_stdtime_t expire,
-		 isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
-{
-	isc_result_t result;
-	dns_dbnode_t *node;
-	dns_rdatasetiter_t *iter;
-
-	node = NULL;
-	result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	iter = NULL;
-	result = dns_db_allrdatasets(db, node, ver,
-				     (isc_stdtime_t) 0, &iter);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_node;
-
-	for (result = dns_rdatasetiter_first(iter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(iter))
-	{
-		dns_rdataset_t rdataset;
-		dns_rdatatype_t type;
-		isc_boolean_t flag;
-
-		dns_rdataset_init(&rdataset);
-		dns_rdatasetiter_current(iter, &rdataset);
-		type = rdataset.type;
-		dns_rdataset_disassociate(&rdataset);
-
-		/*
-		 * We don't need to sign unsigned NSEC records at the cut
-		 * as they are handled elsewhere.
-		 */
-		if ((type == dns_rdatatype_rrsig) ||
-		    (cut && type != dns_rdatatype_ds))
-			continue;
-		result = rrset_exists(db, ver, name, dns_rdatatype_rrsig,
-				      type, &flag);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_iterator;
-		if (flag)
-			continue;;
-		result = add_sigs(log, zone, db, ver, name, type, diff,
-					  keys, nkeys, inception, expire,
-					  check_ksk, keyset_kskonly);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_iterator;
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
- cleanup_iterator:
-	dns_rdatasetiter_destroy(&iter);
-
- cleanup_node:
-	dns_db_detachnode(db, &node);
-
-	return (result);
-}
-
-/*%
- * Update RRSIG, NSEC and NSEC3 records affected by an update.  The original
- * update, including the SOA serial update but excluding the RRSIG & NSEC
- * changes, is in "diff" and has already been applied to "newver" of "db".
- * The database version prior to the update is "oldver".
- *
- * The necessary RRSIG, NSEC and NSEC3 changes will be applied to "newver"
- * and added (as a minimal diff) to "diff".
- *
- * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
- */
-isc_result_t
-dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
-		      dns_dbversion_t *oldver, dns_dbversion_t *newver,
-		      dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
-{
-	isc_result_t result;
-	dns_difftuple_t *t;
-	dns_diff_t diffnames;
-	dns_diff_t affected;
-	dns_diff_t sig_diff;
-	dns_diff_t nsec_diff;
-	dns_diff_t nsec_mindiff;
-	isc_boolean_t flag, build_nsec, build_nsec3;
-	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
-	unsigned int nkeys = 0;
-	unsigned int i;
-	isc_stdtime_t now, inception, expire;
-	dns_ttl_t nsecttl;
-	dns_rdata_soa_t soa;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	dns_dbnode_t *node = NULL;
-	isc_boolean_t check_ksk, keyset_kskonly;
-	isc_boolean_t unsecure;
-	isc_boolean_t cut;
-	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
-
-	dns_diff_init(diff->mctx, &diffnames);
-	dns_diff_init(diff->mctx, &affected);
-
-	dns_diff_init(diff->mctx, &sig_diff);
-	sig_diff.resign = dns_zone_getsigresigninginterval(zone);
-	dns_diff_init(diff->mctx, &nsec_diff);
-	dns_diff_init(diff->mctx, &nsec_mindiff);
-
-	result = find_zone_keys(zone, db, newver, diff->mctx,
-				DNS_MAXZONEKEYS, zone_keys, &nkeys);
-	if (result != ISC_R_SUCCESS) {
-		update_log(log, zone, ISC_LOG_ERROR,
-			   "could not get zone keys for secure dynamic update");
-		goto failure;
-	}
-
-	isc_stdtime_get(&now);
-	inception = now - 3600; /* Allow for some clock skew. */
-	expire = now + sigvalidityinterval;
-
-	/*
-	 * Do we look at the KSK flag on the DNSKEY to determining which
-	 * keys sign which RRsets?  First check the zone option then
-	 * check the keys flags to make sure at least one has a ksk set
-	 * and one doesn't.
-	 */
-	check_ksk = ISC_TF((dns_zone_getoptions(zone) &
-			    DNS_ZONEOPT_UPDATECHECKKSK) != 0);
-	keyset_kskonly = ISC_TF((dns_zone_getoptions(zone) &
-				DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
-
-	/*
-	 * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
-	 */
-	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
-	dns_rdataset_init(&rdataset);
-	CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
-				  (isc_stdtime_t) 0, &rdataset, NULL));
-	CHECK(dns_rdataset_first(&rdataset));
-	dns_rdataset_current(&rdataset, &rdata);
-	CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
-	nsecttl = soa.minimum;
-	dns_rdataset_disassociate(&rdataset);
-	dns_db_detachnode(db, &node);
-
-	/*
-	 * Find all RRsets directly affected by the update, and
-	 * update their RRSIGs.  Also build a list of names affected
-	 * by the update in "diffnames".
-	 */
-	CHECK(dns_diff_sort(diff, temp_order));
-
-	t = ISC_LIST_HEAD(diff->tuples);
-	while (t != NULL) {
-		dns_name_t *name = &t->name;
-		/* Now "name" is a new, unique name affected by the update. */
-
-		CHECK(namelist_append_name(&diffnames, name));
-
-		while (t != NULL && dns_name_equal(&t->name, name)) {
-			dns_rdatatype_t type;
-			type = t->rdata.type;
-
-			/*
-			 * Now "name" and "type" denote a new unique RRset
-			 * affected by the update.
-			 */
-
-			/* Don't sign RRSIGs. */
-			if (type == dns_rdatatype_rrsig)
-				goto skip;
-
-			/*
-			 * Delete all old RRSIGs covering this type, since they
-			 * are all invalid when the signed RRset has changed.
-			 * We may not be able to recreate all of them - tough.
-			 * Special case changes to the zone's DNSKEY records
-			 * to support offline KSKs.
-			 */
-			if (type == dns_rdatatype_dnskey)
-				del_keysigs(db, newver, name, &sig_diff,
-					    zone_keys, nkeys);
-			else
-				CHECK(delete_if(true_p, db, newver, name,
-						dns_rdatatype_rrsig, type,
-						NULL, &sig_diff));
-
-			/*
-			 * If this RRset is still visible after the update,
-			 * add a new signature for it.
-			 */
-			CHECK(rrset_visible(db, newver, name, type, &flag));
-			if (flag) {
-				CHECK(add_sigs(log, zone, db, newver, name,
-					       type, &sig_diff, zone_keys,
-					       nkeys, inception, expire,
-					       check_ksk, keyset_kskonly));
-			}
-		skip:
-			/* Skip any other updates to the same RRset. */
-			while (t != NULL &&
-			       dns_name_equal(&t->name, name) &&
-			       t->rdata.type == type)
-			{
-				t = ISC_LIST_NEXT(t, link);
-			}
-		}
-	}
-	update_log(log, zone, ISC_LOG_DEBUG(3), "updated data signatures");
-
-	/* Remove orphaned NSECs and RRSIG NSECs. */
-	for (t = ISC_LIST_HEAD(diffnames.tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag));
-		if (! flag) {
-			CHECK(delete_if(true_p, db, newver, &t->name,
-					dns_rdatatype_any, 0,
-					NULL, &sig_diff));
-		}
-	}
-	update_log(log, zone, ISC_LOG_DEBUG(3),
-		   "removed any orphaned NSEC records");
-
-	/*
-	 * See if we need to build NSEC or NSEC3 chains.
-	 */
-	CHECK(dns_private_chains(db, newver, privatetype, &build_nsec,
-				 &build_nsec3));
-	if (!build_nsec)
-		goto update_nsec3;
-
-	update_log(log, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain");
-
-	/*
-	 * When a name is created or deleted, its predecessor needs to
-	 * have its NSEC updated.
-	 */
-	for (t = ISC_LIST_HEAD(diffnames.tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		isc_boolean_t existed, exists;
-		dns_fixedname_t fixedname;
-		dns_name_t *prevname;
-
-		dns_fixedname_init(&fixedname);
-		prevname = dns_fixedname_name(&fixedname);
-
-		if (oldver != NULL)
-			CHECK(name_exists(db, oldver, &t->name, &existed));
-		else
-			existed = ISC_FALSE;
-		CHECK(name_exists(db, newver, &t->name, &exists));
-		if (exists == existed)
-			continue;
-
-		/*
-		 * Find the predecessor.
-		 * When names become obscured or unobscured in this update
-		 * transaction, we may find the wrong predecessor because
-		 * the NSECs have not yet been updated to reflect the delegation
-		 * change.  This should not matter because in this case,
-		 * the correct predecessor is either the delegation node or
-		 * a newly unobscured node, and those nodes are on the
-		 * "affected" list in any case.
-		 */
-		CHECK(next_active(log, zone, db, newver,
-				  &t->name, prevname, ISC_FALSE));
-		CHECK(namelist_append_name(&affected, prevname));
-	}
-
-	/*
-	 * Find names potentially affected by delegation changes
-	 * (obscured by adding an NS or DNAME, or unobscured by
-	 * removing one).
-	 */
-	for (t = ISC_LIST_HEAD(diffnames.tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		isc_boolean_t ns_existed, dname_existed;
-		isc_boolean_t ns_exists, dname_exists;
-
-		if (oldver != NULL)
-			CHECK(rrset_exists(db, oldver, &t->name,
-					  dns_rdatatype_ns, 0, &ns_existed));
-		else
-			ns_existed = ISC_FALSE;
-		if (oldver != NULL)
-			CHECK(rrset_exists(db, oldver, &t->name,
-					   dns_rdatatype_dname, 0,
-					   &dname_existed));
-		else
-			dname_existed = ISC_FALSE;
-		CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
-				   &ns_exists));
-		CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_dname, 0,
-				   &dname_exists));
-		if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
-			continue;
-		/*
-		 * There was a delegation change.  Mark all subdomains
-		 * of t->name as potentially needing a NSEC update.
-		 */
-		CHECK(namelist_append_subdomain(db, &t->name, &affected));
-	}
-
-	ISC_LIST_APPENDLIST(affected.tuples, diffnames.tuples, link);
-	INSIST(ISC_LIST_EMPTY(diffnames.tuples));
-
-	CHECK(uniqify_name_list(&affected));
-
-	/*
-	 * Determine which names should have NSECs, and delete/create
-	 * NSECs to make it so.  We don't know the final NSEC targets yet,
-	 * so we just create placeholder NSECs with arbitrary contents
-	 * to indicate that their respective owner names should be part of
-	 * the NSEC chain.
-	 */
-	for (t = ISC_LIST_HEAD(affected.tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		isc_boolean_t exists;
-		dns_name_t *name = &t->name;
-
-		CHECK(name_exists(db, newver, name, &exists));
-		if (! exists)
-			continue;
-		CHECK(is_active(db, newver, name, &flag, &cut, NULL));
-		if (!flag) {
-			/*
-			 * This name is obscured.  Delete any
-			 * existing NSEC record.
-			 */
-			CHECK(delete_if(true_p, db, newver, name,
-					dns_rdatatype_nsec, 0,
-					NULL, &nsec_diff));
-			CHECK(delete_if(rrsig_p, db, newver, name,
-					dns_rdatatype_any, 0, NULL, diff));
-		} else {
-			/*
-			 * This name is not obscured.  It needs to have a
-			 * NSEC unless it is the at the origin, in which
-			 * case it should already exist if there is a complete
-			 * NSEC chain and if there isn't a complete NSEC chain
-			 * we don't want to add one as that would signal that
-			 * there is a complete NSEC chain.
-			 */
-			if (!dns_name_equal(name, dns_db_origin(db))) {
-				CHECK(rrset_exists(db, newver, name,
-						   dns_rdatatype_nsec, 0,
-						   &flag));
-				if (!flag)
-					CHECK(add_placeholder_nsec(db, newver,
-								   name, diff));
-			}
-			CHECK(add_exposed_sigs(log, zone, db, newver, name,
-					       cut, &sig_diff, zone_keys, nkeys,
-					       inception, expire, check_ksk,
-					       keyset_kskonly));
-		}
-	}
-
-	/*
-	 * Now we know which names are part of the NSEC chain.
-	 * Make them all point at their correct targets.
-	 */
-	for (t = ISC_LIST_HEAD(affected.tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		CHECK(rrset_exists(db, newver, &t->name,
-				   dns_rdatatype_nsec, 0, &flag));
-		if (flag) {
-			/*
-			 * There is a NSEC, but we don't know if it is correct.
-			 * Delete it and create a correct one to be sure.
-			 * If the update was unnecessary, the diff minimization
-			 * will take care of eliminating it from the journal,
-			 * IXFRs, etc.
-			 *
-			 * The RRSIG bit should always be set in the NSECs
-			 * we generate, because they will all get RRSIG NSECs.
-			 * (XXX what if the zone keys are missing?).
-			 * Because the RRSIG NSECs have not necessarily been
-			 * created yet, the correctness of the bit mask relies
-			 * on the assumption that NSECs are only created if
-			 * there is other data, and if there is other data,
-			 * there are other RRSIGs.
-			 */
-			CHECK(add_nsec(log, zone, db, newver, &t->name,
-				       nsecttl, &nsec_diff));
-		}
-	}
-
-	/*
-	 * Minimize the set of NSEC updates so that we don't
-	 * have to regenerate the RRSIG NSECs for NSECs that were
-	 * replaced with identical ones.
-	 */
-	while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
-		ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
-		dns_diff_appendminimal(&nsec_mindiff, &t);
-	}
-
-	update_log(log, zone, ISC_LOG_DEBUG(3), "signing rebuilt NSEC chain");
-
-	/* Update RRSIG NSECs. */
-	for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		if (t->op == DNS_DIFFOP_DEL) {
-			CHECK(delete_if(true_p, db, newver, &t->name,
-					dns_rdatatype_rrsig, dns_rdatatype_nsec,
-					NULL, &sig_diff));
-		} else if (t->op == DNS_DIFFOP_ADD) {
-			CHECK(add_sigs(log, zone, db, newver, &t->name,
-				       dns_rdatatype_nsec, &sig_diff,
-				       zone_keys, nkeys, inception, expire,
-				       check_ksk, keyset_kskonly));
-		} else {
-			INSIST(0);
-		}
-	}
-
- update_nsec3:
-
-	/* Record our changes for the journal. */
-	while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
-		ISC_LIST_UNLINK(sig_diff.tuples, t, link);
-		dns_diff_appendminimal(diff, &t);
-	}
-	while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
-		ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
-		dns_diff_appendminimal(diff, &t);
-	}
-
-	INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
-	INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
-	INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
-
-	if (!build_nsec3) {
-		update_log(log, zone, ISC_LOG_DEBUG(3),
-			   "no NSEC3 chains to rebuild");
-		goto failure;
-	}
-
-	update_log(log, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC3 chains");
-
-	dns_diff_clear(&diffnames);
-	dns_diff_clear(&affected);
-
-	CHECK(dns_diff_sort(diff, temp_order));
-
-	/*
-	 * Find names potentially affected by delegation changes
-	 * (obscured by adding an NS or DNAME, or unobscured by
-	 * removing one).
-	 */
-	t = ISC_LIST_HEAD(diff->tuples);
-	while (t != NULL) {
-		dns_name_t *name = &t->name;
-
-		isc_boolean_t ns_existed, dname_existed;
-		isc_boolean_t ns_exists, dname_exists;
-		isc_boolean_t exists, existed;
-
-		if (t->rdata.type == dns_rdatatype_nsec ||
-		    t->rdata.type == dns_rdatatype_rrsig) {
-			t = ISC_LIST_NEXT(t, link);
-			continue;
-		}
-
-		CHECK(namelist_append_name(&affected, name));
-
-		if (oldver != NULL)
-			CHECK(rrset_exists(db, oldver, name, dns_rdatatype_ns,
-					   0, &ns_existed));
-		else
-			ns_existed = ISC_FALSE;
-		if (oldver != NULL)
-			CHECK(rrset_exists(db, oldver, name,
-					   dns_rdatatype_dname, 0,
-					   &dname_existed));
-		else
-			dname_existed = ISC_FALSE;
-		CHECK(rrset_exists(db, newver, name, dns_rdatatype_ns, 0,
-				   &ns_exists));
-		CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0,
-				   &dname_exists));
-
-		exists = ns_exists || dname_exists;
-		existed = ns_existed || dname_existed;
-		if (exists == existed)
-			goto nextname;
-		/*
-		 * There was a delegation change.  Mark all subdomains
-		 * of t->name as potentially needing a NSEC3 update.
-		 */
-		CHECK(namelist_append_subdomain(db, name, &affected));
-
-	nextname:
-		while (t != NULL && dns_name_equal(&t->name, name))
-			t = ISC_LIST_NEXT(t, link);
-	}
-
-	for (t = ISC_LIST_HEAD(affected.tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link)) {
-		dns_name_t *name = &t->name;
-
-		unsecure = ISC_FALSE;	/* Silence compiler warning. */
-		CHECK(is_active(db, newver, name, &flag, &cut, &unsecure));
-
-		if (!flag) {
-			CHECK(delete_if(rrsig_p, db, newver, name,
-					dns_rdatatype_any, 0, NULL, diff));
-			CHECK(dns_nsec3_delnsec3sx(db, newver, name,
-						   privatetype, &nsec_diff));
-		} else {
-			CHECK(add_exposed_sigs(log, zone, db, newver, name,
-					       cut, &sig_diff, zone_keys, nkeys,
-					       inception, expire, check_ksk,
-					       keyset_kskonly));
-			CHECK(dns_nsec3_addnsec3sx(db, newver, name, nsecttl,
-						   unsecure, privatetype,
-						   &nsec_diff));
-		}
-	}
-
-	/*
-	 * Minimize the set of NSEC3 updates so that we don't
-	 * have to regenerate the RRSIG NSEC3s for NSEC3s that were
-	 * replaced with identical ones.
-	 */
-	while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
-		ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
-		dns_diff_appendminimal(&nsec_mindiff, &t);
-	}
-
-	update_log(log, zone, ISC_LOG_DEBUG(3),
-		   "signing rebuilt NSEC3 chain");
-
-	/* Update RRSIG NSEC3s. */
-	for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link))
-	{
-		if (t->op == DNS_DIFFOP_DEL) {
-			CHECK(delete_if(true_p, db, newver, &t->name,
-					dns_rdatatype_rrsig,
-					dns_rdatatype_nsec3,
-					NULL, &sig_diff));
-		} else if (t->op == DNS_DIFFOP_ADD) {
-			CHECK(add_sigs(log, zone, db, newver, &t->name,
-				       dns_rdatatype_nsec3,
-				       &sig_diff, zone_keys, nkeys,
-				       inception, expire, check_ksk,
-				       keyset_kskonly));
-		} else {
-			INSIST(0);
-		}
-	}
-
-	/* Record our changes for the journal. */
-	while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
-		ISC_LIST_UNLINK(sig_diff.tuples, t, link);
-		dns_diff_appendminimal(diff, &t);
-	}
-	while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
-		ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
-		dns_diff_appendminimal(diff, &t);
-	}
-
-	INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
-	INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
-	INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
-
- failure:
-	dns_diff_clear(&sig_diff);
-	dns_diff_clear(&nsec_diff);
-	dns_diff_clear(&nsec_mindiff);
-
-	dns_diff_clear(&affected);
-	dns_diff_clear(&diffnames);
-
-	for (i = 0; i < nkeys; i++)
-		dst_key_free(&zone_keys[i]);
-
-	return (result);
-}
-
-isc_uint32_t
-dns_update_soaserial(isc_uint32_t serial, dns_updatemethod_t method) {
-	isc_stdtime_t now;
-
-	if (method == dns_updatemethod_unixtime) {
-		isc_stdtime_get(&now);
-		if (now != 0 && isc_serial_gt(now, serial))
-			return (now);
-	}
-
-	/* RFC1982 */
-	serial = (serial + 1) & 0xFFFFFFFF;
-	if (serial == 0)
-		serial = 1;
-
-	return (serial);
-}
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
deleted file mode 100644
index 8cf7f66..0000000
--- a/contrib/bind9/lib/dns/validator.c
+++ /dev/null
@@ -1,3960 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <isc/base32.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/sha2.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dnssec.h>
-#include <dns/ds.h>
-#include <dns/events.h>
-#include <dns/keytable.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/ncache.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatatype.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/validator.h>
-#include <dns/view.h>
-
-/*! \file
- * \brief
- * Basic processing sequences.
- *
- * \li When called with rdataset and sigrdataset:
- * validator_start -> validate -> proveunsecure -> startfinddlvsep ->
- *	dlv_validator_start -> validator_start -> validate -> proveunsecure
- *
- * validator_start -> validate -> nsecvalidate	(secure wildcard answer)
- *
- * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
- * validator_start -> startfinddlvsep -> dlv_validator_start ->
- *	validator_start -> validate -> proveunsecure
- *
- * \li When called with rdataset:
- * validator_start -> proveunsecure -> startfinddlvsep ->
- *	dlv_validator_start -> validator_start -> proveunsecure
- *
- * \li When called with rdataset and with DNS_VALIDATOR_DLV:
- * validator_start -> startfinddlvsep -> dlv_validator_start ->
- *	validator_start -> proveunsecure
- *
- * \li When called without a rdataset:
- * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
- *	dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
- *
- * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
- * to always validate the authority section even when it does not contain
- * signatures.
- *
- * validator_start: determines what type of validation to do.
- * validate: attempts to perform a positive validation.
- * proveunsecure: attempts to prove the answer comes from a unsecure zone.
- * nsecvalidate: attempts to prove a negative response.
- * startfinddlvsep: starts the DLV record lookup.
- * dlv_validator_start: resets state and restarts the lookup using the
- *	DLV RRset found by startfinddlvsep.
- */
-
-#define VALIDATOR_MAGIC			ISC_MAGIC('V', 'a', 'l', '?')
-#define VALID_VALIDATOR(v)		ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
-
-#define VALATTR_SHUTDOWN		0x0001	/*%< Shutting down. */
-#define VALATTR_CANCELED		0x0002	/*%< Canceled. */
-#define VALATTR_TRIEDVERIFY		0x0004  /*%< We have found a key and
-						 * have attempted a verify. */
-#define VALATTR_INSECURITY		0x0010	/*%< Attempting proveunsecure. */
-#define VALATTR_DLVTRIED		0x0020	/*%< Looked for a DLV record. */
-
-/*!
- * NSEC proofs to be looked for.
- */
-#define VALATTR_NEEDNOQNAME		0x00000100
-#define VALATTR_NEEDNOWILDCARD		0x00000200
-#define VALATTR_NEEDNODATA		0x00000400
-
-/*!
- * NSEC proofs that have been found.
- */
-#define VALATTR_FOUNDNOQNAME		0x00001000
-#define VALATTR_FOUNDNOWILDCARD		0x00002000
-#define VALATTR_FOUNDNODATA		0x00004000
-#define VALATTR_FOUNDCLOSEST		0x00008000
-
-/*
- *
- */
-#define VALATTR_FOUNDOPTOUT		0x00010000
-#define VALATTR_FOUNDUNKNOWN		0x00020000
-
-#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
-#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
-#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
-#define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
-#define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0)
-#define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
-#define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)
-#define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
-#define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
-
-#define SHUTDOWN(v)		(((v)->attributes & VALATTR_SHUTDOWN) != 0)
-#define CANCELED(v)		(((v)->attributes & VALATTR_CANCELED) != 0)
-
-#define NEGATIVE(r)	(((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
-
-static void
-destroy(dns_validator_t *val);
-
-static isc_result_t
-get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
-	    dns_rdataset_t *rdataset);
-
-static isc_result_t
-validate(dns_validator_t *val, isc_boolean_t resume);
-
-static isc_result_t
-validatezonekey(dns_validator_t *val);
-
-static isc_result_t
-nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
-
-static isc_result_t
-proveunsecure(dns_validator_t *val, isc_boolean_t have_ds,
-	      isc_boolean_t resume);
-
-static void
-validator_logv(dns_validator_t *val, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
-     ISC_FORMAT_PRINTF(5, 0);
-
-static void
-validator_log(void *val, int level, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(3, 4);
-
-static void
-validator_logcreate(dns_validator_t *val,
-		    dns_name_t *name, dns_rdatatype_t type,
-		    const char *caller, const char *operation);
-
-static isc_result_t
-dlv_validatezonekey(dns_validator_t *val);
-
-static void
-dlv_validator_start(dns_validator_t *val);
-
-static isc_result_t
-finddlvsep(dns_validator_t *val, isc_boolean_t resume);
-
-static isc_result_t
-startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
-
-/*%
- * Mark the RRsets as a answer.
- */
-static inline void
-markanswer(dns_validator_t *val, const char *where) {
-	validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where);
-	if (val->event->rdataset != NULL)
-		dns_rdataset_settrust(val->event->rdataset, dns_trust_answer);
-	if (val->event->sigrdataset != NULL)
-		dns_rdataset_settrust(val->event->sigrdataset,
-				      dns_trust_answer);
-}
-
-static inline void
-marksecure(dns_validatorevent_t *event) {
-	dns_rdataset_settrust(event->rdataset, dns_trust_secure);
-	if (event->sigrdataset != NULL)
-		dns_rdataset_settrust(event->sigrdataset, dns_trust_secure);
-	event->secure = ISC_TRUE;
-}
-
-static void
-validator_done(dns_validator_t *val, isc_result_t result) {
-	isc_task_t *task;
-
-	if (val->event == NULL)
-		return;
-
-	/*
-	 * Caller must be holding the lock.
-	 */
-
-	val->event->result = result;
-	task = val->event->ev_sender;
-	val->event->ev_sender = val;
-	val->event->ev_type = DNS_EVENT_VALIDATORDONE;
-	val->event->ev_action = val->action;
-	val->event->ev_arg = val->arg;
-	isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
-}
-
-static inline isc_boolean_t
-exit_check(dns_validator_t *val) {
-	/*
-	 * Caller must be holding the lock.
-	 */
-	if (!SHUTDOWN(val))
-		return (ISC_FALSE);
-
-	INSIST(val->event == NULL);
-
-	if (val->fetch != NULL || val->subvalidator != NULL)
-		return (ISC_FALSE);
-
-	return (ISC_TRUE);
-}
-
-/*
- * Check that we have atleast one supported algorithm in the DLV RRset.
- */
-static inline isc_boolean_t
-dlv_algorithm_supported(dns_validator_t *val) {
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_dlv_t dlv;
-	isc_result_t result;
-
-	for (result = dns_rdataset_first(&val->dlv);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&val->dlv)) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(&val->dlv, &rdata);
-		result = dns_rdata_tostruct(&rdata, &dlv, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (!dns_resolver_algorithm_supported(val->view->resolver,
-						      val->event->name,
-						      dlv.algorithm))
-			continue;
-
-#ifdef HAVE_OPENSSL_GOST
-		if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
-		    dlv.digest_type != DNS_DSDIGEST_SHA1 &&
-		    dlv.digest_type != DNS_DSDIGEST_GOST)
-			continue;
-#else
-		if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
-		    dlv.digest_type != DNS_DSDIGEST_SHA1)
-			continue;
-#endif
-
-
-		return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-/*%
- * Look in the NSEC record returned from a DS query to see if there is
- * a NS RRset at this name.  If it is found we are at a delegation point.
- */
-static isc_boolean_t
-isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
-	     isc_result_t dbresult)
-{
-	dns_fixedname_t fixed;
-	dns_label_t hashlabel;
-	dns_name_t nsec3name;
-	dns_rdata_nsec3_t nsec3;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t set;
-	int order;
-	int scope;
-	isc_boolean_t found;
-	isc_buffer_t buffer;
-	isc_result_t result;
-	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
-	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
-	unsigned int length;
-
-	REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
-
-	dns_rdataset_init(&set);
-	if (dbresult == DNS_R_NXRRSET)
-		dns_rdataset_clone(rdataset, &set);
-	else {
-		result = dns_ncache_getrdataset(rdataset, name,
-						dns_rdatatype_nsec, &set);
-		if (result == ISC_R_NOTFOUND)
-			goto trynsec3;
-		if (result != ISC_R_SUCCESS)
-			return (ISC_FALSE);
-	}
-
-	INSIST(set.type == dns_rdatatype_nsec);
-
-	found = ISC_FALSE;
-	result = dns_rdataset_first(&set);
-	if (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(&set, &rdata);
-		found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&set);
-	return (found);
-
- trynsec3:
-	/*
-	 * Iterate over the ncache entry.
-	 */
-	found = ISC_FALSE;
-	dns_name_init(&nsec3name, NULL);
-	dns_fixedname_init(&fixed);
-	dns_name_downcase(name, dns_fixedname_name(&fixed), NULL);
-	name = dns_fixedname_name(&fixed);
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset))
-	{
-		dns_ncache_current(rdataset, &nsec3name, &set);
-		if (set.type != dns_rdatatype_nsec3) {
-			dns_rdataset_disassociate(&set);
-			continue;
-		}
-		dns_name_getlabel(&nsec3name, 0, &hashlabel);
-		isc_region_consume(&hashlabel, 1);
-		isc_buffer_init(&buffer, owner, sizeof(owner));
-		result = isc_base32hex_decoderegion(&hashlabel, &buffer);
-		if (result != ISC_R_SUCCESS) {
-			dns_rdataset_disassociate(&set);
-			continue;
-		}
-		for (result = dns_rdataset_first(&set);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&set))
-		{
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&set, &rdata);
-			(void)dns_rdata_tostruct(&rdata, &nsec3, NULL);
-			if (nsec3.hash != 1)
-				continue;
-			length = isc_iterated_hash(hash, nsec3.hash,
-						   nsec3.iterations, nsec3.salt,
-						   nsec3.salt_length,
-						   name->ndata, name->length);
-			if (length != isc_buffer_usedlength(&buffer))
-				continue;
-			order = memcmp(hash, owner, length);
-			if (order == 0) {
-				found = dns_nsec3_typepresent(&rdata,
-							      dns_rdatatype_ns);
-				dns_rdataset_disassociate(&set);
-				return (found);
-			}
-			if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0)
-				continue;
-			/*
-			 * Does this optout span cover the name?
-			 */
-			scope = memcmp(owner, nsec3.next, nsec3.next_length);
-			if ((scope < 0 && order > 0 &&
-			     memcmp(hash, nsec3.next, length) < 0) ||
-			    (scope >= 0 && (order > 0 ||
-					memcmp(hash, nsec3.next, length) < 0)))
-			{
-				dns_rdataset_disassociate(&set);
-				return (ISC_TRUE);
-			}
-		}
-		dns_rdataset_disassociate(&set);
-	}
-	return (found);
-}
-
-/*%
- * We have been asked to look for a key.
- * If found resume the validation process.
- * If not found fail the validation process.
- */
-static void
-fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
-	dns_fetchevent_t *devent;
-	dns_validator_t *val;
-	dns_rdataset_t *rdataset;
-	isc_boolean_t want_destroy;
-	isc_result_t result;
-	isc_result_t eresult;
-	isc_result_t saved_result;
-	dns_fetch_t *fetch;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
-	devent = (dns_fetchevent_t *)event;
-	val = devent->ev_arg;
-	rdataset = &val->frdataset;
-	eresult = devent->result;
-
-	/* Free resources which are not of interest. */
-	if (devent->node != NULL)
-		dns_db_detachnode(devent->db, &devent->node);
-	if (devent->db != NULL)
-		dns_db_detach(&devent->db);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-	isc_event_free(&event);
-
-	INSIST(val->event != NULL);
-
-	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
-	LOCK(&val->lock);
-	fetch = val->fetch;
-	val->fetch = NULL;
-	if (CANCELED(val)) {
-		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset with trust %s",
-			      dns_trust_totext(rdataset->trust));
-		/*
-		 * Only extract the dst key if the keyset is secure.
-		 */
-		if (rdataset->trust >= dns_trust_secure) {
-			result = get_dst_key(val, val->siginfo, rdataset);
-			if (result == ISC_R_SUCCESS)
-				val->keyset = &val->frdataset;
-		}
-		result = validate(val, ISC_TRUE);
-		if (result == DNS_R_NOVALIDSIG &&
-		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
-		{
-			saved_result = result;
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "falling back to insecurity proof");
-			val->attributes |= VALATTR_INSECURITY;
-			result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
-			if (result == DNS_R_NOTINSECURE)
-				result = saved_result;
-		}
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
-	} else {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "fetch_callback_validator: got %s",
-			      isc_result_totext(eresult));
-		if (eresult == ISC_R_CANCELED)
-			validator_done(val, eresult);
-		else
-			validator_done(val, DNS_R_BROKENCHAIN);
-	}
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (fetch != NULL)
-		dns_resolver_destroyfetch(&fetch);
-	if (want_destroy)
-		destroy(val);
-}
-
-/*%
- * We were asked to look for a DS record as part of following a key chain
- * upwards.  If found resume the validation process.  If not found fail the
- * validation process.
- */
-static void
-dsfetched(isc_task_t *task, isc_event_t *event) {
-	dns_fetchevent_t *devent;
-	dns_validator_t *val;
-	dns_rdataset_t *rdataset;
-	isc_boolean_t want_destroy;
-	isc_result_t result;
-	isc_result_t eresult;
-	dns_fetch_t *fetch;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
-	devent = (dns_fetchevent_t *)event;
-	val = devent->ev_arg;
-	rdataset = &val->frdataset;
-	eresult = devent->result;
-
-	/* Free resources which are not of interest. */
-	if (devent->node != NULL)
-		dns_db_detachnode(devent->db, &devent->node);
-	if (devent->db != NULL)
-		dns_db_detach(&devent->db);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-	isc_event_free(&event);
-
-	INSIST(val->event != NULL);
-
-	validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
-	LOCK(&val->lock);
-	fetch = val->fetch;
-	val->fetch = NULL;
-	if (CANCELED(val)) {
-		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dsset with trust %s",
-			       dns_trust_totext(rdataset->trust));
-		val->dsset = &val->frdataset;
-		result = validatezonekey(val);
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
-	} else if (eresult == DNS_R_CNAME ||
-		   eresult == DNS_R_NXRRSET ||
-		   eresult == DNS_R_NCACHENXRRSET ||
-		   eresult == DNS_R_SERVFAIL)	/* RFC 1034 parent? */
-	{
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "falling back to insecurity proof (%s)",
-			      dns_result_totext(eresult));
-		val->attributes |= VALATTR_INSECURITY;
-		result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
-	} else {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dsfetched: got %s",
-			      isc_result_totext(eresult));
-		if (eresult == ISC_R_CANCELED)
-			validator_done(val, eresult);
-		else
-			validator_done(val, DNS_R_BROKENCHAIN);
-	}
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (fetch != NULL)
-		dns_resolver_destroyfetch(&fetch);
-	if (want_destroy)
-		destroy(val);
-}
-
-/*%
- * We were asked to look for the DS record as part of proving that a
- * name is unsecure.
- *
- * If the DS record doesn't exist and the query name corresponds to
- * a delegation point we are transitioning from a secure zone to a
- * unsecure zone.
- *
- * If the DS record exists it will be secure.  We can continue looking
- * for the break point in the chain of trust.
- */
-static void
-dsfetched2(isc_task_t *task, isc_event_t *event) {
-	dns_fetchevent_t *devent;
-	dns_validator_t *val;
-	dns_name_t *tname;
-	isc_boolean_t want_destroy;
-	isc_result_t result;
-	isc_result_t eresult;
-	dns_fetch_t *fetch;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
-	devent = (dns_fetchevent_t *)event;
-	val = devent->ev_arg;
-	eresult = devent->result;
-
-	/* Free resources which are not of interest. */
-	if (devent->node != NULL)
-		dns_db_detachnode(devent->db, &devent->node);
-	if (devent->db != NULL)
-		dns_db_detach(&devent->db);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-
-	INSIST(val->event != NULL);
-
-	validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
-		      dns_result_totext(eresult));
-	LOCK(&val->lock);
-	fetch = val->fetch;
-	val->fetch = NULL;
-	if (CANCELED(val)) {
-		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == DNS_R_CNAME ||
-		   eresult == DNS_R_NXRRSET ||
-		   eresult == DNS_R_NCACHENXRRSET)
-	{
-		/*
-		 * There is no DS.  If this is a delegation, we're done.
-		 */
-		tname = dns_fixedname_name(&devent->foundname);
-		if (eresult != DNS_R_CNAME &&
-		    isdelegation(tname, &val->frdataset, eresult)) {
-			if (val->mustbesecure) {
-				validator_log(val, ISC_LOG_WARNING,
-					      "must be secure failure, no DS"
-					      " and this is a delegation");
-				validator_done(val, DNS_R_MUSTBESECURE);
-			} else if (val->view->dlv == NULL || DLVTRIED(val)) {
-				markanswer(val, "dsfetched2");
-				validator_done(val, ISC_R_SUCCESS);
-			} else {
-				result = startfinddlvsep(val, tname);
-				if (result != DNS_R_WAIT)
-					validator_done(val, result);
-			}
-		} else {
-			result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
-			if (result != DNS_R_WAIT)
-				validator_done(val, result);
-		}
-	} else if (eresult == ISC_R_SUCCESS ||
-		   eresult == DNS_R_NXDOMAIN ||
-		   eresult == DNS_R_NCACHENXDOMAIN)
-	{
-		/*
-		 * There is a DS which may or may not be a zone cut.
-		 * In either case we are still in a secure zone resume
-		 * validation.
-		 */
-		result = proveunsecure(val, ISC_TF(eresult == ISC_R_SUCCESS),
-				       ISC_TRUE);
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
-	} else {
-		if (eresult == ISC_R_CANCELED)
-			validator_done(val, eresult);
-		else
-			validator_done(val, DNS_R_NOVALIDDS);
-	}
-	isc_event_free(&event);
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (fetch != NULL)
-		dns_resolver_destroyfetch(&fetch);
-	if (want_destroy)
-		destroy(val);
-}
-
-/*%
- * Callback from when a DNSKEY RRset has been validated.
- *
- * Resumes the stalled validation process.
- */
-static void
-keyvalidated(isc_task_t *task, isc_event_t *event) {
-	dns_validatorevent_t *devent;
-	dns_validator_t *val;
-	isc_boolean_t want_destroy;
-	isc_result_t result;
-	isc_result_t eresult;
-	isc_result_t saved_result;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
-	devent = (dns_validatorevent_t *)event;
-	val = devent->ev_arg;
-	eresult = devent->result;
-
-	isc_event_free(&event);
-	dns_validator_destroy(&val->subvalidator);
-
-	INSIST(val->event != NULL);
-
-	validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
-	LOCK(&val->lock);
-	if (CANCELED(val)) {
-		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset with trust %s",
-			      dns_trust_totext(val->frdataset.trust));
-		/*
-		 * Only extract the dst key if the keyset is secure.
-		 */
-		if (val->frdataset.trust >= dns_trust_secure)
-			(void) get_dst_key(val, val->siginfo, &val->frdataset);
-		result = validate(val, ISC_TRUE);
-		if (result == DNS_R_NOVALIDSIG &&
-		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
-		{
-			saved_result = result;
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "falling back to insecurity proof");
-			val->attributes |= VALATTR_INSECURITY;
-			result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
-			if (result == DNS_R_NOTINSECURE)
-				result = saved_result;
-		}
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
-	} else {
-		if (eresult != DNS_R_BROKENCHAIN) {
-			if (dns_rdataset_isassociated(&val->frdataset))
-				dns_rdataset_expire(&val->frdataset);
-			if (dns_rdataset_isassociated(&val->fsigrdataset))
-				dns_rdataset_expire(&val->fsigrdataset);
-		}
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyvalidated: got %s",
-			      isc_result_totext(eresult));
-		validator_done(val, DNS_R_BROKENCHAIN);
-	}
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (want_destroy)
-		destroy(val);
-}
-
-/*%
- * Callback when the DS record has been validated.
- *
- * Resumes validation of the zone key or the unsecure zone proof.
- */
-static void
-dsvalidated(isc_task_t *task, isc_event_t *event) {
-	dns_validatorevent_t *devent;
-	dns_validator_t *val;
-	isc_boolean_t want_destroy;
-	isc_result_t result;
-	isc_result_t eresult;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
-	devent = (dns_validatorevent_t *)event;
-	val = devent->ev_arg;
-	eresult = devent->result;
-
-	isc_event_free(&event);
-	dns_validator_destroy(&val->subvalidator);
-
-	INSIST(val->event != NULL);
-
-	validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
-	LOCK(&val->lock);
-	if (CANCELED(val)) {
-		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == ISC_R_SUCCESS) {
-		isc_boolean_t have_dsset;
-		dns_name_t *name;
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "%s with trust %s",
-			      val->frdataset.type == dns_rdatatype_ds ?
-			      "dsset" : "ds non-existance",
-			      dns_trust_totext(val->frdataset.trust));
-		have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
-		name = dns_fixedname_name(&val->fname);
-		if ((val->attributes & VALATTR_INSECURITY) != 0 &&
-		    val->frdataset.covers == dns_rdatatype_ds &&
-		    NEGATIVE(&val->frdataset) &&
-		    isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
-			if (val->mustbesecure) {
-				validator_log(val, ISC_LOG_WARNING,
-					      "must be secure failure, no DS "
-					      "and this is a delegation");
-				result = DNS_R_MUSTBESECURE;
-			} else if (val->view->dlv == NULL || DLVTRIED(val)) {
-				markanswer(val, "dsvalidated");
-				result = ISC_R_SUCCESS;;
-			} else
-				result = startfinddlvsep(val, name);
-		} else if ((val->attributes & VALATTR_INSECURITY) != 0) {
-			result = proveunsecure(val, have_dsset, ISC_TRUE);
-		} else
-			result = validatezonekey(val);
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
-	} else {
-		if (eresult != DNS_R_BROKENCHAIN) {
-			if (dns_rdataset_isassociated(&val->frdataset))
-				dns_rdataset_expire(&val->frdataset);
-			if (dns_rdataset_isassociated(&val->fsigrdataset))
-				dns_rdataset_expire(&val->fsigrdataset);
-		}
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dsvalidated: got %s",
-			      isc_result_totext(eresult));
-		validator_done(val, DNS_R_BROKENCHAIN);
-	}
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (want_destroy)
-		destroy(val);
-}
-
-/*%
- * Callback when the CNAME record has been validated.
- *
- * Resumes validation of the unsecure zone proof.
- */
-static void
-cnamevalidated(isc_task_t *task, isc_event_t *event) {
-	dns_validatorevent_t *devent;
-	dns_validator_t *val;
-	isc_boolean_t want_destroy;
-	isc_result_t result;
-	isc_result_t eresult;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
-	devent = (dns_validatorevent_t *)event;
-	val = devent->ev_arg;
-	eresult = devent->result;
-
-	isc_event_free(&event);
-	dns_validator_destroy(&val->subvalidator);
-
-	INSIST(val->event != NULL);
-	INSIST((val->attributes & VALATTR_INSECURITY) != 0);
-
-	validator_log(val, ISC_LOG_DEBUG(3), "in cnamevalidated");
-	LOCK(&val->lock);
-	if (CANCELED(val)) {
-		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
-			      dns_trust_totext(val->frdataset.trust));
-		result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
-	} else {
-		if (eresult != DNS_R_BROKENCHAIN) {
-			if (dns_rdataset_isassociated(&val->frdataset))
-				dns_rdataset_expire(&val->frdataset);
-			if (dns_rdataset_isassociated(&val->fsigrdataset))
-				dns_rdataset_expire(&val->fsigrdataset);
-		}
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "cnamevalidated: got %s",
-			      isc_result_totext(eresult));
-		validator_done(val, DNS_R_BROKENCHAIN);
-	}
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (want_destroy)
-		destroy(val);
-}
-
-/*%
- * Callback for when NSEC records have been validated.
- *
- * Looks for NOQNAME, NODATA and OPTOUT proofs.
- *
- * Resumes nsecvalidate.
- */
-static void
-authvalidated(isc_task_t *task, isc_event_t *event) {
-	dns_validatorevent_t *devent;
-	dns_validator_t *val;
-	dns_rdataset_t *rdataset;
-	isc_boolean_t want_destroy;
-	isc_result_t result;
-	isc_boolean_t exists, data;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
-	devent = (dns_validatorevent_t *)event;
-	rdataset = devent->rdataset;
-	val = devent->ev_arg;
-	result = devent->result;
-	dns_validator_destroy(&val->subvalidator);
-
-	INSIST(val->event != NULL);
-
-	validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
-	LOCK(&val->lock);
-	if (CANCELED(val)) {
-		validator_done(val, ISC_R_CANCELED);
-	} else if (result != ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "authvalidated: got %s",
-			      isc_result_totext(result));
-		if (result == DNS_R_BROKENCHAIN)
-			val->authfail++;
-		if (result == ISC_R_CANCELED)
-			validator_done(val, result);
-		else {
-			result = nsecvalidate(val, ISC_TRUE);
-			if (result != DNS_R_WAIT)
-				validator_done(val, result);
-		}
-	} else {
-		dns_name_t **proofs = val->event->proofs;
-		dns_name_t *wild = dns_fixedname_name(&val->wild);
-
-		if (rdataset->trust == dns_trust_secure)
-			val->seensig = ISC_TRUE;
-
-		if (rdataset->type == dns_rdatatype_nsec &&
-		    rdataset->trust == dns_trust_secure &&
-		    (NEEDNODATA(val) || NEEDNOQNAME(val)) &&
-		    !FOUNDNODATA(val) && !FOUNDNOQNAME(val) &&
-		    dns_nsec_noexistnodata(val->event->type, val->event->name,
-					   devent->name, rdataset, &exists,
-					   &data, wild, validator_log, val)
-				      == ISC_R_SUCCESS)
-		{
-			if (exists && !data) {
-				val->attributes |= VALATTR_FOUNDNODATA;
-				if (NEEDNODATA(val))
-					proofs[DNS_VALIDATOR_NODATAPROOF] =
-						devent->name;
-			}
-			if (!exists) {
-				val->attributes |= VALATTR_FOUNDNOQNAME;
-				val->attributes |= VALATTR_FOUNDCLOSEST;
-				/*
-				 * The NSEC noqname proof also contains
-				 * the closest encloser.
-
-				 */
-				if (NEEDNOQNAME(val))
-					proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
-						devent->name;
-			}
-		}
-
-		result = nsecvalidate(val, ISC_TRUE);
-		if (result != DNS_R_WAIT)
-			validator_done(val, result);
-	}
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (want_destroy)
-		destroy(val);
-
-	/*
-	 * Free stuff from the event.
-	 */
-	isc_event_free(&event);
-}
-
-/*%
- * Looks for the requested name and type in the view (zones and cache).
- *
- * When looking for a DLV record also checks to make sure the NSEC record
- * returns covers the query name as part of aggressive negative caching.
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOTFOUND
- * \li	DNS_R_NCACHENXDOMAIN
- * \li	DNS_R_NCACHENXRRSET
- * \li	DNS_R_NXRRSET
- * \li	DNS_R_NXDOMAIN
- * \li	DNS_R_BROKENCHAIN
- */
-static inline isc_result_t
-view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
-	dns_fixedname_t fixedname;
-	dns_name_t *foundname;
-	dns_rdata_nsec_t nsec;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	unsigned int options;
-	isc_time_t now;
-	char buf1[DNS_NAME_FORMATSIZE];
-	char buf2[DNS_NAME_FORMATSIZE];
-	char buf3[DNS_NAME_FORMATSIZE];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-
-	if (dns_rdataset_isassociated(&val->frdataset))
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-
-	if (isc_time_now(&now) == ISC_R_SUCCESS &&
-	    dns_resolver_getbadcache(val->view->resolver, name, type, &now)) {
-
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		dns_rdatatype_format(type, typebuf, sizeof(typebuf));
-		validator_log(val, ISC_LOG_INFO, "bad cache hit (%s/%s)",
-			      namebuf, typebuf);
-		return (DNS_R_BROKENCHAIN);
-	}
-
-	options = DNS_DBFIND_PENDINGOK;
-	if (type == dns_rdatatype_dlv)
-		options |= DNS_DBFIND_COVERINGNSEC;
-	dns_fixedname_init(&fixedname);
-	foundname = dns_fixedname_name(&fixedname);
-	result = dns_view_find(val->view, name, type, 0, options,
-			       ISC_FALSE, NULL, NULL, foundname,
-			       &val->frdataset, &val->fsigrdataset);
-
-	if (result == DNS_R_NXDOMAIN) {
-		if (dns_rdataset_isassociated(&val->frdataset))
-			dns_rdataset_disassociate(&val->frdataset);
-		if (dns_rdataset_isassociated(&val->fsigrdataset))
-			dns_rdataset_disassociate(&val->fsigrdataset);
-	} else if (result == DNS_R_COVERINGNSEC) {
-		validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
-		/*
-		 * Check if the returned NSEC covers the name.
-		 */
-		INSIST(type == dns_rdatatype_dlv);
-		if (val->frdataset.trust != dns_trust_secure) {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "covering nsec: trust %s",
-				      dns_trust_totext(val->frdataset.trust));
-			goto notfound;
-		}
-		result = dns_rdataset_first(&val->frdataset);
-		if (result != ISC_R_SUCCESS)
-			goto notfound;
-		dns_rdataset_current(&val->frdataset, &rdata);
-		if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
-		    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
-			/* Parent NSEC record. */
-			if (dns_name_issubdomain(name, foundname)) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "covering nsec: for parent");
-				goto notfound;
-			}
-		}
-		result = dns_rdata_tostruct(&rdata, &nsec, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto notfound;
-		if (dns_name_compare(foundname, &nsec.next) >= 0) {
-			/* End of zone chain. */
-			if (!dns_name_issubdomain(name, &nsec.next)) {
-				/*
-				 * XXXMPA We could look for a parent NSEC
-				 * at nsec.next and if found retest with
-				 * this NSEC.
-				 */
-				dns_rdata_freestruct(&nsec);
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "covering nsec: not in zone");
-				goto notfound;
-			}
-		} else if (dns_name_compare(name, &nsec.next) >= 0) {
-			/*
-			 * XXXMPA We could check if this NSEC is at a zone
-			 * apex and if the qname is not below it and look for
-			 * a parent NSEC with the same name.  This requires
-			 * that we can cache both NSEC records which we
-			 * currently don't support.
-			 */
-			dns_rdata_freestruct(&nsec);
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "covering nsec: not in range");
-			goto notfound;
-		}
-		if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
-			dns_name_format(name, buf1, sizeof buf1);
-			dns_name_format(foundname, buf2, sizeof buf2);
-			dns_name_format(&nsec.next, buf3, sizeof buf3);
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "covering nsec found: '%s' '%s' '%s'",
-				      buf1, buf2, buf3);
-		}
-		if (dns_rdataset_isassociated(&val->frdataset))
-			dns_rdataset_disassociate(&val->frdataset);
-		if (dns_rdataset_isassociated(&val->fsigrdataset))
-			dns_rdataset_disassociate(&val->fsigrdataset);
-		dns_rdata_freestruct(&nsec);
-		result = DNS_R_NCACHENXDOMAIN;
-	} else if (result != ISC_R_SUCCESS &&
-		   result != DNS_R_NCACHENXDOMAIN &&
-		   result != DNS_R_NCACHENXRRSET &&
-		   result != DNS_R_EMPTYNAME &&
-		   result != DNS_R_NXRRSET &&
-		   result != ISC_R_NOTFOUND) {
-		goto  notfound;
-	}
-	return (result);
-
- notfound:
-	if (dns_rdataset_isassociated(&val->frdataset))
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-	return (ISC_R_NOTFOUND);
-}
-
-/*%
- * Checks to make sure we are not going to loop.  As we use a SHARED fetch
- * the validation process will stall if looping was to occur.
- */
-static inline isc_boolean_t
-check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
-	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	dns_validator_t *parent;
-
-	for (parent = val; parent != NULL; parent = parent->parent) {
-		if (parent->event != NULL &&
-		    parent->event->type == type &&
-		    dns_name_equal(parent->event->name, name) &&
-		    /*
-		     * As NSEC3 records are meta data you sometimes
-		     * need to prove a NSEC3 record which says that
-		     * itself doesn't exist.
-		     */
-		    (parent->event->type != dns_rdatatype_nsec3 ||
-		     rdataset == NULL || sigrdataset == NULL ||
-		     parent->event->message == NULL ||
-		     parent->event->rdataset != NULL ||
-		     parent->event->sigrdataset != NULL))
-		{
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "continuing validation would lead to "
-				      "deadlock: aborting validation");
-			return (ISC_TRUE);
-		}
-	}
-	return (ISC_FALSE);
-}
-
-/*%
- * Start a fetch for the requested name and type.
- */
-static inline isc_result_t
-create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
-	     isc_taskaction_t callback, const char *caller)
-{
-	if (dns_rdataset_isassociated(&val->frdataset))
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-
-	if (check_deadlock(val, name, type, NULL, NULL)) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "deadlock found (create_fetch)");
-		return (DNS_R_NOVALIDSIG);
-	}
-
-	validator_logcreate(val, name, type, caller, "fetch");
-	return (dns_resolver_createfetch(val->view->resolver, name, type,
-					 NULL, NULL, NULL, 0,
-					 val->event->ev_sender,
-					 callback, val,
-					 &val->frdataset,
-					 &val->fsigrdataset,
-					 &val->fetch));
-}
-
-/*%
- * Start a subvalidation process.
- */
-static inline isc_result_t
-create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
-		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		 isc_taskaction_t action, const char *caller)
-{
-	isc_result_t result;
-
-	if (check_deadlock(val, name, type, rdataset, sigrdataset)) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "deadlock found (create_validator)");
-		return (DNS_R_NOVALIDSIG);
-	}
-
-	validator_logcreate(val, name, type, caller, "validator");
-	result = dns_validator_create(val->view, name, type,
-				      rdataset, sigrdataset, NULL, 0,
-				      val->task, action, val,
-				      &val->subvalidator);
-	if (result == ISC_R_SUCCESS) {
-		val->subvalidator->parent = val;
-		val->subvalidator->depth = val->depth + 1;
-	}
-	return (result);
-}
-
-/*%
- * Try to find a key that could have signed 'siginfo' among those
- * in 'rdataset'.  If found, build a dst_key_t for it and point
- * val->key at it.
- *
- * If val->key is non-NULL, this returns the next matching key.
- */
-static isc_result_t
-get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
-	    dns_rdataset_t *rdataset)
-{
-	isc_result_t result;
-	isc_buffer_t b;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dst_key_t *oldkey = val->key;
-	isc_boolean_t foundold;
-
-	if (oldkey == NULL)
-		foundold = ISC_TRUE;
-	else {
-		foundold = ISC_FALSE;
-		val->key = NULL;
-	}
-
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	do {
-		dns_rdataset_current(rdataset, &rdata);
-
-		isc_buffer_init(&b, rdata.data, rdata.length);
-		isc_buffer_add(&b, rdata.length);
-		INSIST(val->key == NULL);
-		result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
-					 val->view->mctx, &val->key);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-		if (siginfo->algorithm ==
-		    (dns_secalg_t)dst_key_alg(val->key) &&
-		    siginfo->keyid ==
-		    (dns_keytag_t)dst_key_id(val->key) &&
-		    dst_key_iszonekey(val->key))
-		{
-			if (foundold)
-				/*
-				 * This is the key we're looking for.
-				 */
-				return (ISC_R_SUCCESS);
-			else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
-			{
-				foundold = ISC_TRUE;
-				dst_key_free(&oldkey);
-			}
-		}
-		dst_key_free(&val->key);
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(rdataset);
-	} while (result == ISC_R_SUCCESS);
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_NOTFOUND;
-
- failure:
-	if (oldkey != NULL)
-		dst_key_free(&oldkey);
-
-	return (result);
-}
-
-/*%
- * Get the key that generated this signature.
- */
-static isc_result_t
-get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
-	isc_result_t result;
-	unsigned int nlabels;
-	int order;
-	dns_namereln_t namereln;
-
-	/*
-	 * Is the signer name appropriate for this signature?
-	 *
-	 * The signer name must be at the same level as the owner name
-	 * or closer to the DNS root.
-	 */
-	namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
-					&order, &nlabels);
-	if (namereln != dns_namereln_subdomain &&
-	    namereln != dns_namereln_equal)
-		return (DNS_R_CONTINUE);
-
-	if (namereln == dns_namereln_equal) {
-		/*
-		 * If this is a self-signed keyset, it must not be a zone key
-		 * (since get_key is not called from validatezonekey).
-		 */
-		if (val->event->rdataset->type == dns_rdatatype_dnskey)
-			return (DNS_R_CONTINUE);
-
-		/*
-		 * Records appearing in the parent zone at delegation
-		 * points cannot be self-signed.
-		 */
-		if (dns_rdatatype_atparent(val->event->rdataset->type))
-			return (DNS_R_CONTINUE);
-	} else {
-		/*
-		 * SOA and NS RRsets can only be signed by a key with
-		 * the same name.
-		 */
-		if (val->event->rdataset->type == dns_rdatatype_soa ||
-		    val->event->rdataset->type == dns_rdatatype_ns) {
-			const char *typename;
-
-			if (val->event->rdataset->type == dns_rdatatype_soa)
-				typename = "SOA";
-			else
-				typename = "NS";
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "%s signer mismatch", typename);
-			return (DNS_R_CONTINUE);
-		}
-	}
-
-	/*
-	 * Do we know about this key?
-	 */
-	result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * We have an rrset for the given keyname.
-		 */
-		val->keyset = &val->frdataset;
-		if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
-		     DNS_TRUST_ANSWER(val->frdataset.trust)) &&
-		    dns_rdataset_isassociated(&val->fsigrdataset))
-		{
-			/*
-			 * We know the key but haven't validated it yet or
-			 * we have a key of trust answer but a DS/DLV
-			 * record for the zone may have been added.
-			 */
-			result = create_validator(val, &siginfo->signer,
-						  dns_rdatatype_dnskey,
-						  &val->frdataset,
-						  &val->fsigrdataset,
-						  keyvalidated,
-						  "get_key");
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			return (DNS_R_WAIT);
-		} else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
-			/*
-			 * Having a pending key with no signature means that
-			 * something is broken.
-			 */
-			result = DNS_R_CONTINUE;
-		} else if (val->frdataset.trust < dns_trust_secure) {
-			/*
-			 * The key is legitimately insecure.  There's no
-			 * point in even attempting verification.
-			 */
-			val->key = NULL;
-			result = ISC_R_SUCCESS;
-		} else {
-			/*
-			 * See if we've got the key used in the signature.
-			 */
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "keyset with trust %s",
-				      dns_trust_totext(val->frdataset.trust));
-			result = get_dst_key(val, siginfo, val->keyset);
-			if (result != ISC_R_SUCCESS) {
-				/*
-				 * Either the key we're looking for is not
-				 * in the rrset, or something bad happened.
-				 * Give up.
-				 */
-				result = DNS_R_CONTINUE;
-			}
-		}
-	} else if (result == ISC_R_NOTFOUND) {
-		/*
-		 * We don't know anything about this key.
-		 */
-		result = create_fetch(val, &siginfo->signer,
-				      dns_rdatatype_dnskey,
-				      fetch_callback_validator, "get_key");
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		return (DNS_R_WAIT);
-	} else if (result ==  DNS_R_NCACHENXDOMAIN ||
-		   result == DNS_R_NCACHENXRRSET ||
-		   result == DNS_R_EMPTYNAME ||
-		   result == DNS_R_NXDOMAIN ||
-		   result == DNS_R_NXRRSET)
-	{
-		/*
-		 * This key doesn't exist.
-		 */
-		result = DNS_R_CONTINUE;
-	} else if (result == DNS_R_BROKENCHAIN)
-		return (result);
-
-	if (dns_rdataset_isassociated(&val->frdataset) &&
-	    val->keyset != &val->frdataset)
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-
-	return (result);
-}
-
-static dns_keytag_t
-compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
-	isc_region_t r;
-
-	dns_rdata_toregion(rdata, &r);
-	return (dst_region_computeid(&r, key->algorithm));
-}
-
-/*%
- * Is this keyset self-signed?
- */
-static isc_boolean_t
-isselfsigned(dns_validator_t *val) {
-	dns_fixedname_t fixed;
-	dns_rdataset_t *rdataset, *sigrdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdata_dnskey_t key;
-	dns_rdata_rrsig_t sig;
-	dns_keytag_t keytag;
-	dns_name_t *name;
-	isc_result_t result;
-	dst_key_t *dstkey;
-	isc_mem_t *mctx;
-	isc_boolean_t answer = ISC_FALSE;
-
-	rdataset = val->event->rdataset;
-	sigrdataset = val->event->sigrdataset;
-	name = val->event->name;
-	mctx = val->view->mctx;
-
-	if (rdataset->type == dns_rdatatype_cname ||
-	    rdataset->type == dns_rdatatype_dname)
-		return (answer);
-
-	INSIST(rdataset->type == dns_rdatatype_dnskey);
-
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset))
-	{
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &key, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		keytag = compute_keytag(&rdata, &key);
-		for (result = dns_rdataset_first(sigrdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(sigrdataset))
-		{
-			dns_rdata_reset(&sigrdata);
-			dns_rdataset_current(sigrdataset, &sigrdata);
-			result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-			if (sig.algorithm != key.algorithm ||
-			    sig.keyid != keytag ||
-			    !dns_name_equal(name, &sig.signer))
-				continue;
-
-			dstkey = NULL;
-			result = dns_dnssec_keyfromrdata(name, &rdata, mctx,
-							 &dstkey);
-			if (result != ISC_R_SUCCESS)
-				continue;
-
-			result = dns_dnssec_verify3(name, rdataset, dstkey,
-						    ISC_TRUE,
-						    val->view->maxbits,
-						    mctx, &sigrdata,
-						    dns_fixedname_name(&fixed));
-			dst_key_free(&dstkey);
-			if (result != ISC_R_SUCCESS)
-				continue;
-			if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
-				answer = ISC_TRUE;
-				continue;
-			}
-			dns_view_untrust(val->view, name, &key, mctx);
-		}
-	}
-	return (answer);
-}
-
-/*%
- * Attempt to verify the rdataset using the given key and rdata (RRSIG).
- * The signature was good and from a wildcard record and the QNAME does
- * not match the wildcard we need to look for a NOQNAME proof.
- *
- * Returns:
- * \li	ISC_R_SUCCESS if the verification succeeds.
- * \li	Others if the verification fails.
- */
-static isc_result_t
-verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
-       isc_uint16_t keyid)
-{
-	isc_result_t result;
-	dns_fixedname_t fixed;
-	isc_boolean_t ignore = ISC_FALSE;
-	dns_name_t *wild;
-
-	val->attributes |= VALATTR_TRIEDVERIFY;
-	dns_fixedname_init(&fixed);
-	wild = dns_fixedname_name(&fixed);
- again:
-	result = dns_dnssec_verify3(val->event->name, val->event->rdataset,
-				    key, ignore, val->view->maxbits,
-				    val->view->mctx, rdata, wild);
-	if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
-	    val->view->acceptexpired)
-	{
-		ignore = ISC_TRUE;
-		goto again;
-	}
-	if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
-		validator_log(val, ISC_LOG_INFO,
-			      "accepted expired %sRRSIG (keyid=%u)",
-			      (result == DNS_R_FROMWILDCARD) ?
-			      "wildcard " : "", keyid);
-	else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE)
-		validator_log(val, ISC_LOG_INFO,
-			      "verify failed due to bad signature (keyid=%u): "
-			      "%s", keyid, isc_result_totext(result));
-	else
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "verify rdataset (keyid=%u): %s",
-			      keyid, isc_result_totext(result));
-	if (result == DNS_R_FROMWILDCARD) {
-		if (!dns_name_equal(val->event->name, wild)) {
-			dns_name_t *closest;
-			unsigned int labels;
-
-			/*
-			 * Compute the closest encloser in case we need it
-			 * for the NSEC3 NOQNAME proof.
-			 */
-			closest = dns_fixedname_name(&val->closest);
-			dns_name_copy(wild, closest, NULL);
-			labels = dns_name_countlabels(closest) - 1;
-			dns_name_getlabelsequence(closest, 1, labels, closest);
-			val->attributes |= VALATTR_NEEDNOQNAME;
-		}
-		result = ISC_R_SUCCESS;
-	}
-	return (result);
-}
-
-/*%
- * Attempts positive response validation of a normal RRset.
- *
- * Returns:
- * \li	ISC_R_SUCCESS	Validation completed successfully
- * \li	DNS_R_WAIT	Validation has started but is waiting
- *			for an event.
- * \li	Other return codes are possible and all indicate failure.
- */
-static isc_result_t
-validate(dns_validator_t *val, isc_boolean_t resume) {
-	isc_result_t result;
-	dns_validatorevent_t *event;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	/*
-	 * Caller must be holding the validator lock.
-	 */
-
-	event = val->event;
-
-	if (resume) {
-		/*
-		 * We already have a sigrdataset.
-		 */
-		result = ISC_R_SUCCESS;
-		validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
-	} else {
-		result = dns_rdataset_first(event->sigrdataset);
-	}
-
-	for (;
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(event->sigrdataset))
-	{
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(event->sigrdataset, &rdata);
-		if (val->siginfo == NULL) {
-			val->siginfo = isc_mem_get(val->view->mctx,
-						   sizeof(*val->siginfo));
-			if (val->siginfo == NULL)
-				return (ISC_R_NOMEMORY);
-		}
-		result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		/*
-		 * At this point we could check that the signature algorithm
-		 * was known and "sufficiently good".
-		 */
-		if (!dns_resolver_algorithm_supported(val->view->resolver,
-						    event->name,
-						    val->siginfo->algorithm)) {
-			resume = ISC_FALSE;
-			continue;
-		}
-
-		if (!resume) {
-			result = get_key(val, val->siginfo);
-			if (result == DNS_R_CONTINUE)
-				continue; /* Try the next SIG RR. */
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		}
-
-		/*
-		 * There isn't a secure DNSKEY for this signature so move
-		 * onto the next RRSIG.
-		 */
-		if (val->key == NULL) {
-			resume = ISC_FALSE;
-			continue;
-		}
-
-		do {
-			result = verify(val, val->key, &rdata,
-					val->siginfo->keyid);
-			if (result == ISC_R_SUCCESS)
-				break;
-			if (val->keynode != NULL) {
-				dns_keynode_t *nextnode = NULL;
-				result = dns_keytable_findnextkeynode(
-							val->keytable,
-							val->keynode,
-							&nextnode);
-				dns_keytable_detachkeynode(val->keytable,
-							   &val->keynode);
-				val->keynode = nextnode;
-				if (result != ISC_R_SUCCESS) {
-					val->key = NULL;
-					break;
-				}
-				val->key = dns_keynode_key(val->keynode);
-				if (val->key == NULL)
-					break;
-			} else {
-				if (get_dst_key(val, val->siginfo, val->keyset)
-				    != ISC_R_SUCCESS)
-					break;
-			}
-		} while (1);
-		if (result != ISC_R_SUCCESS)
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "failed to verify rdataset");
-		else {
-			isc_stdtime_t now;
-
-			isc_stdtime_get(&now);
-			dns_rdataset_trimttl(event->rdataset,
-					     event->sigrdataset,
-					     val->siginfo, now,
-					     val->view->acceptexpired);
-		}
-
-		if (val->keynode != NULL)
-			dns_keytable_detachkeynode(val->keytable,
-						   &val->keynode);
-		else {
-			if (val->key != NULL)
-				dst_key_free(&val->key);
-			if (val->keyset != NULL) {
-				dns_rdataset_disassociate(val->keyset);
-				val->keyset = NULL;
-			}
-		}
-		val->key = NULL;
-		if (NEEDNOQNAME(val)) {
-			if (val->event->message == NULL) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-				      "no message available for noqname proof");
-				return (DNS_R_NOVALIDSIG);
-			}
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "looking for noqname proof");
-			return (nsecvalidate(val, ISC_FALSE));
-		} else if (result == ISC_R_SUCCESS) {
-			marksecure(event);
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "marking as secure, "
-				      "noqname proof not needed");
-			return (result);
-		} else {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "verify failure: %s",
-				      isc_result_totext(result));
-			resume = ISC_FALSE;
-		}
-	}
-	if (result != ISC_R_NOMORE) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "failed to iterate signatures: %s",
-			      isc_result_totext(result));
-		return (result);
-	}
-
-	validator_log(val, ISC_LOG_INFO, "no valid signature found");
-	return (DNS_R_NOVALIDSIG);
-}
-
-/*%
- * Check whether this DNSKEY (keyrdata) signed the DNSKEY RRset
- * (val->event->rdataset).
- */
-static isc_result_t
-checkkey(dns_validator_t *val, dns_rdata_t *keyrdata, isc_uint16_t keyid,
-	 dns_secalg_t algorithm)
-{
-	dns_rdata_rrsig_t sig;
-	dst_key_t *dstkey = NULL;
-	isc_result_t result;
-
-	for (result = dns_rdataset_first(val->event->sigrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(val->event->sigrdataset))
-	{
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(val->event->sigrdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &sig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		if (keyid != sig.keyid || algorithm != sig.algorithm)
-			continue;
-		if (dstkey == NULL) {
-			result = dns_dnssec_keyfromrdata(val->event->name,
-							 keyrdata,
-							 val->view->mctx,
-							 &dstkey);
-			if (result != ISC_R_SUCCESS)
-				/*
-				 * This really shouldn't happen, but...
-				 */
-				continue;
-		}
-		result = verify(val, dstkey, &rdata, sig.keyid);
-		if (result == ISC_R_SUCCESS)
-			break;
-	}
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-	return (result);
-}
-
-/*%
- * Find the DNSKEY that corresponds to the DS.
- */
-static isc_result_t
-keyfromds(dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata,
-	  isc_uint8_t digest, isc_uint16_t keyid, dns_secalg_t algorithm,
-	  dns_rdata_t *keyrdata)
-{
-	dns_keytag_t keytag;
-	dns_rdata_dnskey_t key;
-	isc_result_t result;
-	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
-
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset))
-	{
-		dns_rdata_t newdsrdata = DNS_RDATA_INIT;
-
-		dns_rdata_reset(keyrdata);
-		dns_rdataset_current(rdataset, keyrdata);
-		result = dns_rdata_tostruct(keyrdata, &key, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		keytag = compute_keytag(keyrdata, &key);
-		if (keyid != keytag || algorithm != key.algorithm)
-			continue;
-		dns_rdata_reset(&newdsrdata);
-		result = dns_ds_buildrdata(val->event->name, keyrdata, digest,
-					   dsbuf, &newdsrdata);
-		if (result != ISC_R_SUCCESS) {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "dns_ds_buildrdata() -> %s",
-				      dns_result_totext(result));
-			continue;
-		}
-		if (dns_rdata_compare(dsrdata, &newdsrdata) == 0)
-			break;
-	}
-	return (result);
-}
-
-/*%
- * Validate the DNSKEY RRset by looking for a DNSKEY that matches a
- * DLV record and that also verifies the DNSKEY RRset.
- */
-static isc_result_t
-dlv_validatezonekey(dns_validator_t *val) {
-	dns_rdata_dlv_t dlv;
-	dns_rdata_t dlvrdata = DNS_RDATA_INIT;
-	dns_rdata_t keyrdata = DNS_RDATA_INIT;
-	dns_rdataset_t trdataset;
-	isc_boolean_t supported_algorithm;
-	isc_result_t result;
-	char digest_types[256];
-
-	validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
-
-	/*
-	 * Look through the DLV record and find the keys that can sign the
-	 * key set and the matching signature.  For each such key, attempt
-	 * verification.
-	 */
-	supported_algorithm = ISC_FALSE;
-
-	/*
-	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
-	 * it over DNS_DSDIGEST_SHA1.  This in practice means that we
-	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
-	 * is present.
-	 */
-	memset(digest_types, 1, sizeof(digest_types));
-	for (result = dns_rdataset_first(&val->dlv);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&val->dlv)) {
-		dns_rdata_reset(&dlvrdata);
-		dns_rdataset_current(&val->dlv, &dlvrdata);
-		result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (!dns_resolver_algorithm_supported(val->view->resolver,
-						      val->event->name,
-						      dlv.algorithm))
-			continue;
-
-		if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
-		    dlv.length == ISC_SHA256_DIGESTLENGTH) {
-			digest_types[DNS_DSDIGEST_SHA1] = 0;
-			break;
-		}
-	}
-
-	for (result = dns_rdataset_first(&val->dlv);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&val->dlv))
-	{
-		dns_rdata_reset(&dlvrdata);
-		dns_rdataset_current(&val->dlv, &dlvrdata);
-		result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (!dns_resolver_digest_supported(val->view->resolver,
-						   dlv.digest_type))
-			continue;
-
-		if (digest_types[dlv.digest_type] == 0)
-			continue;
-
-		if (!dns_resolver_algorithm_supported(val->view->resolver,
-						      val->event->name,
-						      dlv.algorithm))
-			continue;
-
-		supported_algorithm = ISC_TRUE;
-
-		dns_rdataset_init(&trdataset);
-		dns_rdataset_clone(val->event->rdataset, &trdataset);
-
-		/*
-		 * Convert to DLV to DS and find matching DNSKEY.
-		 */
-		dlvrdata.type = dns_rdatatype_ds;
-		result = keyfromds(val, &trdataset, &dlvrdata,
-				   dlv.digest_type, dlv.key_tag,
-				   dlv.algorithm, &keyrdata);
-		if (result != ISC_R_SUCCESS) {
-			dns_rdataset_disassociate(&trdataset);
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "no DNSKEY matching DLV");
-			continue;
-		}
-
-		validator_log(val, ISC_LOG_DEBUG(3),
-		      "Found matching DLV record: checking for signature");
-		/*
-		 * Check that this DNSKEY signed the DNSKEY rrset.
-		 */
-		result = checkkey(val, &keyrdata, dlv.key_tag, dlv.algorithm);
-
-		dns_rdataset_disassociate(&trdataset);
-		if (result == ISC_R_SUCCESS)
-			break;
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no RRSIG matching DLV key");
-	}
-	if (result == ISC_R_SUCCESS) {
-		marksecure(val->event);
-		validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (dlv)");
-		return (result);
-	} else if (result == ISC_R_NOMORE && !supported_algorithm) {
-		if (val->mustbesecure) {
-			validator_log(val, ISC_LOG_WARNING,
-				      "must be secure failure,"
-				      "no supported algorithm/digest (dlv)");
-			return (DNS_R_MUSTBESECURE);
-		}
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no supported algorithm/digest (dlv)");
-		markanswer(val, "dlv_validatezonekey (2)");
-		return (ISC_R_SUCCESS);
-	} else
-		return (DNS_R_NOVALIDSIG);
-}
-
-/*%
- * Attempts positive response validation of an RRset containing zone keys
- * (i.e. a DNSKEY rrset).
- *
- * Returns:
- * \li	ISC_R_SUCCESS	Validation completed successfully
- * \li	DNS_R_WAIT	Validation has started but is waiting
- *			for an event.
- * \li	Other return codes are possible and all indicate failure.
- */
-static isc_result_t
-validatezonekey(dns_validator_t *val) {
-	isc_result_t result;
-	dns_validatorevent_t *event;
-	dns_rdataset_t trdataset;
-	dns_rdata_t dsrdata = DNS_RDATA_INIT;
-	dns_rdata_t keyrdata = DNS_RDATA_INIT;
-	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	dns_rdata_ds_t ds;
-	dns_rdata_rrsig_t sig;
-	dst_key_t *dstkey;
-	isc_boolean_t supported_algorithm;
-	isc_boolean_t atsep = ISC_FALSE;
-	char digest_types[256];
-
-	/*
-	 * Caller must be holding the validator lock.
-	 */
-
-	event = val->event;
-
-	if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
-	    dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
-		return (dlv_validatezonekey(val));
-
-	if (val->dsset == NULL) {
-
-		/*
-		 * We have a dlv sep.  Skip looking up the SEP from
-		 * {trusted,managed}-keys.  If the dlv sep is for the
-		 * root then it will have been handled above so we don't
-		 * need to check whether val->event->name is "." prior to
-		 * looking up the DS.
-		 */
-		if (val->havedlvsep)
-			goto find_ds;
-
-		/*
-		 * First, see if this key was signed by a trusted key.
-		 */
-		for (result = dns_rdataset_first(val->event->sigrdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(val->event->sigrdataset))
-		{
-			dns_keynode_t *keynode = NULL;
-			dns_fixedname_t fixed;
-			dns_name_t *found;
-
-			dns_fixedname_init(&fixed);
-			found = dns_fixedname_name(&fixed);
-			dns_rdata_reset(&sigrdata);
-			dns_rdataset_current(val->event->sigrdataset,
-					     &sigrdata);
-			result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-			if (!dns_name_equal(val->event->name, &sig.signer))
-				continue;
-
-			result = dns_keytable_findkeynode(val->keytable,
-							  val->event->name,
-							  sig.algorithm,
-							  sig.keyid, &keynode);
-			if (result == ISC_R_NOTFOUND &&
-			    dns_keytable_finddeepestmatch(val->keytable,
-				  val->event->name, found) != ISC_R_SUCCESS) {
-				if (val->mustbesecure) {
-					validator_log(val, ISC_LOG_WARNING,
-						     "must be secure failure, "
-						     "not beneath secure root");
-					return (DNS_R_MUSTBESECURE);
-				} else
-					validator_log(val, ISC_LOG_DEBUG(3),
-						     "not beneath secure root");
-				if (val->view->dlv == NULL) {
-					markanswer(val, "validatezonekey (1)");
-					return (ISC_R_SUCCESS);
-				}
-				return (startfinddlvsep(val, dns_rootname));
-			}
-			if (result == DNS_R_PARTIALMATCH ||
-			    result == ISC_R_SUCCESS)
-				atsep = ISC_TRUE;
-			while (result == ISC_R_SUCCESS) {
-				dns_keynode_t *nextnode = NULL;
-				dstkey = dns_keynode_key(keynode);
-				if (dstkey == NULL) {
-					dns_keytable_detachkeynode(
-								val->keytable,
-								&keynode);
-					break;
-				}
-				result = verify(val, dstkey, &sigrdata,
-						sig.keyid);
-				if (result == ISC_R_SUCCESS) {
-					dns_keytable_detachkeynode(
-								val->keytable,
-								&keynode);
-					break;
-				}
-				result = dns_keytable_findnextkeynode(
-								val->keytable,
-								keynode,
-								&nextnode);
-				dns_keytable_detachkeynode(val->keytable,
-							   &keynode);
-				keynode = nextnode;
-			}
-			if (result == ISC_R_SUCCESS) {
-				marksecure(event);
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "signed by trusted key; "
-					      "marking as secure");
-				return (result);
-			}
-		}
-
-		if (atsep) {
-			/*
-			 * We have not found a key to verify this DNSKEY
-			 * RRset.  As this is a SEP we have to assume that
-			 * the RRset is invalid.
-			 */
-			dns_name_format(val->event->name, namebuf,
-					sizeof(namebuf));
-			validator_log(val, ISC_LOG_NOTICE,
-				      "unable to find a DNSKEY which verifies "
-				      "the DNSKEY RRset and also matches a "
-				      "trusted key for '%s'",
-				      namebuf);
-			validator_log(val, ISC_LOG_NOTICE,
-				      "please check the 'trusted-keys' for "
-				      "'%s' in named.conf.", namebuf);
-			return (DNS_R_NOVALIDKEY);
-		}
-
-		/*
-		 * If this is the root name and there was no trusted key,
-		 * give up, since there's no DS at the root.
-		 */
-		if (dns_name_equal(event->name, dns_rootname)) {
-			if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "root key failed to validate");
-				return (DNS_R_NOVALIDSIG);
-			} else {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "no trusted root key");
-				return (DNS_R_NOVALIDDS);
-			}
-		}
- find_ds:
-		/*
-		 * Otherwise, try to find the DS record.
-		 */
-		result = view_find(val, val->event->name, dns_rdatatype_ds);
-		if (result == ISC_R_SUCCESS) {
-			/*
-			 * We have DS records.
-			 */
-			val->dsset = &val->frdataset;
-			if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
-			     DNS_TRUST_ANSWER(val->frdataset.trust)) &&
-			    dns_rdataset_isassociated(&val->fsigrdataset))
-			{
-				result = create_validator(val,
-							  val->event->name,
-							  dns_rdatatype_ds,
-							  &val->frdataset,
-							  &val->fsigrdataset,
-							  dsvalidated,
-							  "validatezonekey");
-				if (result != ISC_R_SUCCESS)
-					return (result);
-				return (DNS_R_WAIT);
-			} else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
-				/*
-				 * There should never be an unsigned DS.
-				 */
-				dns_rdataset_disassociate(&val->frdataset);
-				validator_log(val, ISC_LOG_DEBUG(2),
-					      "unsigned DS record");
-				return (DNS_R_NOVALIDSIG);
-			} else {
-				result = ISC_R_SUCCESS;
-				POST(result);
-			}
-		} else if (result == ISC_R_NOTFOUND) {
-			/*
-			 * We don't have the DS.  Find it.
-			 */
-			result = create_fetch(val, val->event->name,
-					      dns_rdatatype_ds, dsfetched,
-					      "validatezonekey");
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			return (DNS_R_WAIT);
-		} else if (result == DNS_R_NCACHENXDOMAIN ||
-			   result == DNS_R_NCACHENXRRSET ||
-			   result == DNS_R_EMPTYNAME ||
-			   result == DNS_R_NXDOMAIN ||
-			   result == DNS_R_NXRRSET ||
-			   result == DNS_R_CNAME)
-		{
-			/*
-			 * The DS does not exist.
-			 */
-			if (dns_rdataset_isassociated(&val->frdataset))
-				dns_rdataset_disassociate(&val->frdataset);
-			if (dns_rdataset_isassociated(&val->fsigrdataset))
-				dns_rdataset_disassociate(&val->fsigrdataset);
-			validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
-			return (DNS_R_NOVALIDSIG);
-		} else if (result == DNS_R_BROKENCHAIN)
-			return (result);
-	}
-
-	/*
-	 * We have a DS set.
-	 */
-	INSIST(val->dsset != NULL);
-
-	if (val->dsset->trust < dns_trust_secure) {
-		if (val->mustbesecure) {
-			validator_log(val, ISC_LOG_WARNING,
-				      "must be secure failure,"
-				      " insecure DS");
-			return (DNS_R_MUSTBESECURE);
-		}
-		if (val->view->dlv == NULL || DLVTRIED(val)) {
-			markanswer(val, "validatezonekey (2)");
-			return (ISC_R_SUCCESS);
-		}
-		return (startfinddlvsep(val, val->event->name));
-	}
-
-	/*
-	 * Look through the DS record and find the keys that can sign the
-	 * key set and the matching signature.  For each such key, attempt
-	 * verification.
-	 */
-
-	supported_algorithm = ISC_FALSE;
-
-	/*
-	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
-	 * it over DNS_DSDIGEST_SHA1.  This in practice means that we
-	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
-	 * is present.
-	 */
-	memset(digest_types, 1, sizeof(digest_types));
-	for (result = dns_rdataset_first(val->dsset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(val->dsset)) {
-		dns_rdata_reset(&dsrdata);
-		dns_rdataset_current(val->dsset, &dsrdata);
-		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (!dns_resolver_algorithm_supported(val->view->resolver,
-						      val->event->name,
-						      ds.algorithm))
-			continue;
-
-		if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
-		    ds.length == ISC_SHA256_DIGESTLENGTH) {
-			digest_types[DNS_DSDIGEST_SHA1] = 0;
-			break;
-		}
-	}
-
-	for (result = dns_rdataset_first(val->dsset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(val->dsset))
-	{
-		dns_rdata_reset(&dsrdata);
-		dns_rdataset_current(val->dsset, &dsrdata);
-		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (!dns_resolver_digest_supported(val->view->resolver,
-						   ds.digest_type))
-			continue;
-
-		if (digest_types[ds.digest_type] == 0)
-			continue;
-
-		if (!dns_resolver_algorithm_supported(val->view->resolver,
-						      val->event->name,
-						      ds.algorithm))
-			continue;
-
-		supported_algorithm = ISC_TRUE;
-
-		dns_rdataset_init(&trdataset);
-		dns_rdataset_clone(val->event->rdataset, &trdataset);
-
-		/*
-		 * Find matching DNSKEY from DS.
-		 */
-		result = keyfromds(val, &trdataset, &dsrdata, ds.digest_type,
-				   ds.key_tag, ds.algorithm, &keyrdata);
-		if (result != ISC_R_SUCCESS) {
-			dns_rdataset_disassociate(&trdataset);
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "no DNSKEY matching DS");
-			continue;
-		}
-
-		/*
-		 * Check that this DNSKEY signed the DNSKEY rrset.
-		 */
-		result = checkkey(val, &keyrdata, ds.key_tag, ds.algorithm);
-
-		dns_rdataset_disassociate(&trdataset);
-		if (result == ISC_R_SUCCESS)
-			break;
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no RRSIG matching DS key");
-	}
-	if (result == ISC_R_SUCCESS) {
-		marksecure(event);
-		validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
-		return (result);
-	} else if (result == ISC_R_NOMORE && !supported_algorithm) {
-		if (val->mustbesecure) {
-			validator_log(val, ISC_LOG_WARNING,
-				      "must be secure failure, "
-				      "no supported algorithm/digest (DS)");
-			return (DNS_R_MUSTBESECURE);
-		}
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no supported algorithm/digest (DS)");
-		markanswer(val, "validatezonekey (3)");
-		return (ISC_R_SUCCESS);
-	} else {
-		validator_log(val, ISC_LOG_INFO,
-			      "no valid signature found (DS)");
-		return (DNS_R_NOVALIDSIG);
-	}
-}
-
-/*%
- * Starts a positive response validation.
- *
- * Returns:
- * \li	ISC_R_SUCCESS	Validation completed successfully
- * \li	DNS_R_WAIT	Validation has started but is waiting
- *			for an event.
- * \li	Other return codes are possible and all indicate failure.
- */
-static isc_result_t
-start_positive_validation(dns_validator_t *val) {
-	/*
-	 * If this is not a key, go straight into validate().
-	 */
-	if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
-		return (validate(val, ISC_FALSE));
-
-	return (validatezonekey(val));
-}
-
-/*%
- * val_rdataset_first and val_rdataset_next provide iteration methods
- * that hide whether we are iterating across a message or a  negative
- * cache rdataset.
- */
-static isc_result_t
-val_rdataset_first(dns_validator_t *val, dns_name_t **namep,
-		   dns_rdataset_t **rdatasetp)
-{
-	dns_message_t *message = val->event->message;
-	isc_result_t result;
-
-	REQUIRE(rdatasetp != NULL);
-	REQUIRE(namep != NULL);
-	if (message == NULL) {
-		REQUIRE(*rdatasetp != NULL);
-		REQUIRE(*namep != NULL);
-	} else {
-		REQUIRE(*rdatasetp == NULL);
-		REQUIRE(*namep == NULL);
-	}
-
-	if (message != NULL) {
-		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, namep);
-		*rdatasetp = ISC_LIST_HEAD((*namep)->list);
-		INSIST(*rdatasetp != NULL);
-	} else {
-		result = dns_rdataset_first(val->event->rdataset);
-		if (result == ISC_R_SUCCESS)
-			dns_ncache_current(val->event->rdataset, *namep,
-					   *rdatasetp);
-	}
-	return (result);
-}
-
-static isc_result_t
-val_rdataset_next(dns_validator_t *val, dns_name_t **namep,
-		  dns_rdataset_t **rdatasetp)
-{
-	dns_message_t *message = val->event->message;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(rdatasetp != NULL && *rdatasetp != NULL);
-	REQUIRE(namep != NULL && *namep != NULL);
-
-	if (message != NULL) {
-		dns_rdataset_t *rdataset = *rdatasetp;
-		rdataset = ISC_LIST_NEXT(rdataset, link);
-		if (rdataset == NULL) {
-			*namep = NULL;
-			result = dns_message_nextname(message,
-						      DNS_SECTION_AUTHORITY);
-			if (result == ISC_R_SUCCESS) {
-				dns_message_currentname(message,
-							DNS_SECTION_AUTHORITY,
-							namep);
-				rdataset = ISC_LIST_HEAD((*namep)->list);
-				INSIST(rdataset != NULL);
-			}
-		}
-		*rdatasetp = rdataset;
-	} else {
-		dns_rdataset_disassociate(*rdatasetp);
-		result = dns_rdataset_next(val->event->rdataset);
-		if (result == ISC_R_SUCCESS)
-			dns_ncache_current(val->event->rdataset, *namep,
-					   *rdatasetp);
-	}
-	return (result);
-}
-
-/*%
- * Look for NODATA at the wildcard and NOWILDCARD proofs in the
- * previously validated NSEC records.  As these proofs are mutually
- * exclusive we stop when one is found.
- *
- * Returns
- * \li	ISC_R_SUCCESS
- */
-static isc_result_t
-checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename)
-{
-	dns_name_t *name, *wild, tname;
-	isc_result_t result;
-	isc_boolean_t exists, data;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	dns_rdataset_t *rdataset, trdataset;
-
-	dns_name_init(&tname, NULL);
-	dns_rdataset_init(&trdataset);
-	wild = dns_fixedname_name(&val->wild);
-
-	if (dns_name_countlabels(wild) == 0) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "in checkwildcard: no wildcard to check");
-		return (ISC_R_SUCCESS);
-	}
-
-	dns_name_format(wild, namebuf, sizeof(namebuf));
-	validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
-
-	if (val->event->message == NULL) {
-		name = &tname;
-		rdataset = &trdataset;
-	} else {
-		name = NULL;
-		rdataset = NULL;
-	}
-
-	for (result = val_rdataset_first(val, &name, &rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = val_rdataset_next(val, &name, &rdataset))
-	{
-		if (rdataset->type != type ||
-		    rdataset->trust != dns_trust_secure)
-			continue;
-
-		if (rdataset->type == dns_rdatatype_nsec &&
-		    (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
-		    !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
-		    dns_nsec_noexistnodata(val->event->type, wild, name,
-					   rdataset, &exists, &data, NULL,
-					   validator_log, val)
-				       == ISC_R_SUCCESS)
-		{
-			dns_name_t **proofs = val->event->proofs;
-			if (exists && !data)
-				val->attributes |= VALATTR_FOUNDNODATA;
-			if (exists && !data && NEEDNODATA(val))
-				proofs[DNS_VALIDATOR_NODATAPROOF] =
-						 name;
-			if (!exists)
-				val->attributes |=
-					 VALATTR_FOUNDNOWILDCARD;
-			if (!exists && NEEDNOQNAME(val))
-				proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
-						 name;
-			if (dns_rdataset_isassociated(&trdataset))
-				dns_rdataset_disassociate(&trdataset);
-			return (ISC_R_SUCCESS);
-		}
-
-		if (rdataset->type == dns_rdatatype_nsec3 &&
-		    (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
-		    !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
-		    dns_nsec3_noexistnodata(val->event->type, wild, name,
-					    rdataset, zonename, &exists, &data,
-					    NULL, NULL, NULL, NULL, NULL, NULL,
-					    validator_log, val)
-					    == ISC_R_SUCCESS)
-		{
-			dns_name_t **proofs = val->event->proofs;
-			if (exists && !data)
-				val->attributes |= VALATTR_FOUNDNODATA;
-			if (exists && !data && NEEDNODATA(val))
-				proofs[DNS_VALIDATOR_NODATAPROOF] =
-						 name;
-			if (!exists)
-				val->attributes |=
-					 VALATTR_FOUNDNOWILDCARD;
-			if (!exists && NEEDNOQNAME(val))
-				proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
-						 name;
-			if (dns_rdataset_isassociated(&trdataset))
-				dns_rdataset_disassociate(&trdataset);
-			return (ISC_R_SUCCESS);
-		}
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	if (dns_rdataset_isassociated(&trdataset))
-		dns_rdataset_disassociate(&trdataset);
-	return (result);
-}
-
-static isc_result_t
-findnsec3proofs(dns_validator_t *val) {
-	dns_name_t *name, tname;
-	isc_result_t result;
-	isc_boolean_t exists, data, optout, unknown;
-	isc_boolean_t setclosest, setnearest, *setclosestp;
-	dns_fixedname_t fclosest, fnearest, fzonename;
-	dns_name_t *closest, *nearest, *zonename, *closestp;
-	dns_name_t **proofs = val->event->proofs;
-	dns_rdataset_t *rdataset, trdataset;
-
-	dns_name_init(&tname, NULL);
-	dns_rdataset_init(&trdataset);
-	dns_fixedname_init(&fclosest);
-	dns_fixedname_init(&fnearest);
-	dns_fixedname_init(&fzonename);
-	closest = dns_fixedname_name(&fclosest);
-	nearest = dns_fixedname_name(&fnearest);
-	zonename = dns_fixedname_name(&fzonename);
-
-	if (val->event->message == NULL) {
-		name = &tname;
-		rdataset = &trdataset;
-	} else {
-		name = NULL;
-		rdataset = NULL;
-	}
-
-	for (result = val_rdataset_first(val, &name, &rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = val_rdataset_next(val, &name, &rdataset))
-	{
-		if (rdataset->type != dns_rdatatype_nsec3 ||
-		    rdataset->trust != dns_trust_secure)
-			continue;
-
-		result = dns_nsec3_noexistnodata(val->event->type,
-						 val->event->name, name,
-						 rdataset, zonename, NULL,
-						 NULL, NULL, NULL, NULL, NULL,
-						 NULL, NULL, validator_log,
-						 val);
-		if (result != ISC_R_IGNORE && result != ISC_R_SUCCESS) {
-			if (dns_rdataset_isassociated(&trdataset))
-				dns_rdataset_disassociate(&trdataset);
-			return (result);
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	POST(result);
-
-	if (dns_name_countlabels(zonename) == 0)
-		return (ISC_R_SUCCESS);
-
-	/*
-	 * If the val->closest is set then we want to use it otherwise
-	 * we need to discover it.
-	 */
-	if (dns_name_countlabels(dns_fixedname_name(&val->closest)) != 0) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-
-		dns_name_format(dns_fixedname_name(&val->closest),
-				 namebuf, sizeof(namebuf));
-		validator_log(val, ISC_LOG_DEBUG(3), "closest encloser from "
-			      "wildcard signature '%s'", namebuf);
-		dns_name_copy(dns_fixedname_name(&val->closest), closest, NULL);
-		closestp = NULL;
-		setclosestp = NULL;
-	} else {
-		closestp = closest;
-		setclosestp = &setclosest;
-	}
-
-	for (result = val_rdataset_first(val, &name, &rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = val_rdataset_next(val, &name, &rdataset))
-	{
-		if (rdataset->type != dns_rdatatype_nsec3 ||
-		    rdataset->trust != dns_trust_secure)
-			continue;
-
-		/*
-		 * We process all NSEC3 records to find the closest
-		 * encloser and nearest name to the closest encloser.
-		 */
-		setclosest = setnearest = ISC_FALSE;
-		optout = ISC_FALSE;
-		unknown = ISC_FALSE;
-		result = dns_nsec3_noexistnodata(val->event->type,
-						 val->event->name,
-						 name, rdataset, zonename,
-						 &exists, &data, &optout,
-						 &unknown, setclosestp,
-						 &setnearest, closestp,
-						 nearest, validator_log, val);
-		if (unknown)
-			val->attributes |= VALATTR_FOUNDUNKNOWN;
-		if (result != ISC_R_SUCCESS)
-			continue;
-		if (setclosest)
-			proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
-		if (exists && !data && NEEDNODATA(val)) {
-			val->attributes |= VALATTR_FOUNDNODATA;
-			proofs[DNS_VALIDATOR_NODATAPROOF] = name;
-		}
-		if (!exists && setnearest) {
-			val->attributes |= VALATTR_FOUNDNOQNAME;
-			proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name;
-			if (optout)
-				val->attributes |= VALATTR_FOUNDOPTOUT;
-		}
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	/*
-	 * To know we have a valid noqname and optout proofs we need to also
-	 * have a valid closest encloser.  Otherwise we could still be looking
-	 * at proofs from the parent zone.
-	 */
-	if (dns_name_countlabels(closest) > 0 &&
-	    dns_name_countlabels(nearest) ==
-	    dns_name_countlabels(closest) + 1 &&
-	    dns_name_issubdomain(nearest, closest))
-	{
-		val->attributes |= VALATTR_FOUNDCLOSEST;
-		result = dns_name_concatenate(dns_wildcardname, closest,
-					      dns_fixedname_name(&val->wild),
-					      NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	} else {
-		val->attributes &= ~VALATTR_FOUNDNOQNAME;
-		val->attributes &= ~VALATTR_FOUNDOPTOUT;
-		proofs[DNS_VALIDATOR_NOQNAMEPROOF] = NULL;
-	}
-
-	/*
-	 * Do we need to check for the wildcard?
-	 */
-	if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
-	    ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
-		result = checkwildcard(val, dns_rdatatype_nsec3, zonename);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-	return (result);
-}
-
-/*%
- * Validate the authority section records.
- */
-static isc_result_t
-validate_authority(dns_validator_t *val, isc_boolean_t resume) {
-	dns_name_t *name;
-	dns_message_t *message = val->event->message;
-	isc_result_t result;
-
-	if (!resume)
-		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	else
-		result = ISC_R_SUCCESS;
-
-	for (;
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
-	{
-		dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
-
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		if (resume) {
-			rdataset = ISC_LIST_NEXT(val->currentset, link);
-			val->currentset = NULL;
-			resume = ISC_FALSE;
-		} else
-			rdataset = ISC_LIST_HEAD(name->list);
-
-		for (;
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link))
-		{
-			if (rdataset->type == dns_rdatatype_rrsig)
-				continue;
-
-			for (sigrdataset = ISC_LIST_HEAD(name->list);
-			     sigrdataset != NULL;
-			     sigrdataset = ISC_LIST_NEXT(sigrdataset,
-							 link))
-			{
-				if (sigrdataset->type == dns_rdatatype_rrsig &&
-				    sigrdataset->covers == rdataset->type)
-					break;
-			}
-			/*
-			 * If a signed zone is missing the zone key, bad
-			 * things could happen.  A query for data in the zone
-			 * would lead to a query for the zone key, which
-			 * would return a negative answer, which would contain
-			 * an SOA and an NSEC signed by the missing key, which
-			 * would trigger another query for the DNSKEY (since
-			 * the first one is still in progress), and go into an
-			 * infinite loop.  Avoid that.
-			 */
-			if (val->event->type == dns_rdatatype_dnskey &&
-			    rdataset->type == dns_rdatatype_nsec &&
-			    dns_name_equal(name, val->event->name))
-			{
-				dns_rdata_t nsec = DNS_RDATA_INIT;
-
-				result = dns_rdataset_first(rdataset);
-				if (result != ISC_R_SUCCESS)
-					return (result);
-				dns_rdataset_current(rdataset, &nsec);
-				if (dns_nsec_typepresent(&nsec,
-							dns_rdatatype_soa))
-					continue;
-			}
-			val->currentset = rdataset;
-			result = create_validator(val, name, rdataset->type,
-						  rdataset, sigrdataset,
-						  authvalidated,
-						  "validate_authority");
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			val->authcount++;
-			return (DNS_R_WAIT);
-		}
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-/*%
- * Validate the ncache elements.
- */
-static isc_result_t
-validate_ncache(dns_validator_t *val, isc_boolean_t resume) {
-	dns_name_t *name;
-	isc_result_t result;
-
-	if (!resume)
-		result = dns_rdataset_first(val->event->rdataset);
-	else
-		result = dns_rdataset_next(val->event->rdataset);
-
-	for (;
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(val->event->rdataset))
-	{
-		dns_rdataset_t *rdataset, *sigrdataset = NULL;
-
-		if (dns_rdataset_isassociated(&val->frdataset))
-			dns_rdataset_disassociate(&val->frdataset);
-		if (dns_rdataset_isassociated(&val->fsigrdataset))
-			dns_rdataset_disassociate(&val->fsigrdataset);
-
-		dns_fixedname_init(&val->fname);
-		name = dns_fixedname_name(&val->fname);
-		rdataset = &val->frdataset;
-		dns_ncache_current(val->event->rdataset, name, rdataset);
-
-		if (val->frdataset.type == dns_rdatatype_rrsig)
-			continue;
-
-		result = dns_ncache_getsigrdataset(val->event->rdataset, name,
-						   rdataset->type,
-						   &val->fsigrdataset);
-		if (result == ISC_R_SUCCESS)
-			sigrdataset = &val->fsigrdataset;
-
-		/*
-		 * If a signed zone is missing the zone key, bad
-		 * things could happen.  A query for data in the zone
-		 * would lead to a query for the zone key, which
-		 * would return a negative answer, which would contain
-		 * an SOA and an NSEC signed by the missing key, which
-		 * would trigger another query for the DNSKEY (since
-		 * the first one is still in progress), and go into an
-		 * infinite loop.  Avoid that.
-		 */
-		if (val->event->type == dns_rdatatype_dnskey &&
-		    rdataset->type == dns_rdatatype_nsec &&
-		    dns_name_equal(name, val->event->name))
-		{
-			dns_rdata_t nsec = DNS_RDATA_INIT;
-
-			result = dns_rdataset_first(rdataset);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			dns_rdataset_current(rdataset, &nsec);
-			if (dns_nsec_typepresent(&nsec,
-						dns_rdatatype_soa))
-				continue;
-		}
-		val->currentset = rdataset;
-		result = create_validator(val, name, rdataset->type,
-					  rdataset, sigrdataset,
-					  authvalidated,
-					  "validate_ncache");
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		val->authcount++;
-		return (DNS_R_WAIT);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-/*%
- * Prove a negative answer is good or that there is a NOQNAME when the
- * answer is from a wildcard.
- *
- * Loop through the authority section looking for NODATA, NOWILDCARD
- * and NOQNAME proofs in the NSEC records by calling authvalidated().
- *
- * If the required proofs are found we are done.
- *
- * If the proofs are not found attempt to prove this is a unsecure
- * response.
- */
-static isc_result_t
-nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
-	isc_result_t result;
-
-	if (resume)
-		validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
-
-	if (val->event->message == NULL)
-		result = validate_ncache(val, resume);
-	else
-		result = validate_authority(val, resume);
-
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Do we only need to check for NOQNAME?  To get here we must have
-	 * had a secure wildcard answer.
-	 */
-	if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
-		if (!FOUNDNOQNAME(val))
-			findnsec3proofs(val);
-		if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val)) {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "marking as secure, noqname proof found");
-			marksecure(val->event);
-			return (ISC_R_SUCCESS);
-		} else if (FOUNDOPTOUT(val) &&
-			   dns_name_countlabels(dns_fixedname_name(&val->wild))
-					 != 0) {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "optout proof found");
-			val->event->optout = ISC_TRUE;
-			markanswer(val, "nsecvalidate (1)");
-			return (ISC_R_SUCCESS);
-		} else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "unknown NSEC3 hash algorithm found");
-			markanswer(val, "nsecvalidate (2)");
-			return (ISC_R_SUCCESS);
-		}
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "noqname proof not found");
-		return (DNS_R_NOVALIDNSEC);
-	}
-
-	if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val))
-		findnsec3proofs(val);
-
-	/*
-	 * Do we need to check for the wildcard?
-	 */
-	if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
-	    ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
-		result = checkwildcard(val, dns_rdatatype_nsec, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	if ((NEEDNODATA(val) && (FOUNDNODATA(val) || FOUNDOPTOUT(val))) ||
-	    (NEEDNOQNAME(val) && FOUNDNOQNAME(val) &&
-	     NEEDNOWILDCARD(val) && FOUNDNOWILDCARD(val) &&
-	     FOUNDCLOSEST(val))) {
-		if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
-			val->event->optout = ISC_TRUE;
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "nonexistence proof(s) found");
-		if (val->event->message == NULL)
-			marksecure(val->event);
-		else
-			val->event->secure = ISC_TRUE;
-		return (ISC_R_SUCCESS);
-	}
-
-	if (val->authfail != 0 && val->authcount == val->authfail)
-		return (DNS_R_BROKENCHAIN);
-	validator_log(val, ISC_LOG_DEBUG(3),
-		      "nonexistence proof(s) not found");
-	val->attributes |= VALATTR_INSECURITY;
-	return (proveunsecure(val, ISC_FALSE, ISC_FALSE));
-}
-
-static isc_boolean_t
-check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
-	dns_rdata_t dsrdata = DNS_RDATA_INIT;
-	dns_rdata_ds_t ds;
-	isc_result_t result;
-
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdataset_current(rdataset, &dsrdata);
-		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (dns_resolver_digest_supported(val->view->resolver,
-						  ds.digest_type) &&
-		    dns_resolver_algorithm_supported(val->view->resolver,
-						     name, ds.algorithm)) {
-			dns_rdata_reset(&dsrdata);
-			return (ISC_TRUE);
-		}
-		dns_rdata_reset(&dsrdata);
-	}
-	return (ISC_FALSE);
-}
-
-static void
-dlvvalidated(isc_task_t *task, isc_event_t *event) {
-	dns_validatorevent_t *devent;
-	dns_validator_t *val;
-	isc_result_t eresult;
-	isc_boolean_t want_destroy;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
-	devent = (dns_validatorevent_t *)event;
-	val = devent->ev_arg;
-	eresult = devent->result;
-
-	isc_event_free(&event);
-	dns_validator_destroy(&val->subvalidator);
-
-	INSIST(val->event != NULL);
-
-	validator_log(val, ISC_LOG_DEBUG(3), "in dlvvalidated");
-	LOCK(&val->lock);
-	if (CANCELED(val)) {
-		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dlvset with trust %s",
-			      dns_trust_totext(val->frdataset.trust));
-		dns_rdataset_clone(&val->frdataset, &val->dlv);
-		val->havedlvsep = ISC_TRUE;
-		if (dlv_algorithm_supported(val))
-			dlv_validator_start(val);
-		else {
-			markanswer(val, "dlvvalidated");
-			validator_done(val, ISC_R_SUCCESS);
-		}
-	} else {
-		if (eresult != DNS_R_BROKENCHAIN) {
-			if (dns_rdataset_isassociated(&val->frdataset))
-				dns_rdataset_expire(&val->frdataset);
-			if (dns_rdataset_isassociated(&val->fsigrdataset))
-				dns_rdataset_expire(&val->fsigrdataset);
-		}
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dlvvalidated: got %s",
-			      isc_result_totext(eresult));
-		validator_done(val, DNS_R_BROKENCHAIN);
-	}
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (want_destroy)
-		destroy(val);
-}
-
-/*%
- * Callback from fetching a DLV record.
- *
- * Resumes the DLV lookup process.
- */
-static void
-dlvfetched(isc_task_t *task, isc_event_t *event) {
-	char namebuf[DNS_NAME_FORMATSIZE];
-	dns_fetchevent_t *devent;
-	dns_validator_t *val;
-	isc_boolean_t want_destroy;
-	isc_result_t eresult;
-	isc_result_t result;
-	dns_fetch_t *fetch;
-
-	UNUSED(task);
-	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
-	devent = (dns_fetchevent_t *)event;
-	val = devent->ev_arg;
-	eresult = devent->result;
-
-	/* Free resources which are not of interest. */
-	if (devent->node != NULL)
-		dns_db_detachnode(devent->db, &devent->node);
-	if (devent->db != NULL)
-		dns_db_detach(&devent->db);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-	isc_event_free(&event);
-
-	INSIST(val->event != NULL);
-	validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
-		      dns_result_totext(eresult));
-
-	LOCK(&val->lock);
-	fetch = val->fetch;
-	val->fetch = NULL;
-	if (eresult == ISC_R_SUCCESS) {
-		dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
-				sizeof(namebuf));
-		dns_rdataset_clone(&val->frdataset, &val->dlv);
-		val->havedlvsep = ISC_TRUE;
-		if (dlv_algorithm_supported(val)) {
-			validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
-				      namebuf);
-			dlv_validator_start(val);
-		} else {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "DLV %s found with no supported algorithms",
-				      namebuf);
-			markanswer(val, "dlvfetched (1)");
-			validator_done(val, ISC_R_SUCCESS);
-		}
-	} else if (eresult == DNS_R_NXRRSET ||
-		   eresult == DNS_R_NXDOMAIN ||
-		   eresult == DNS_R_NCACHENXRRSET ||
-		   eresult == DNS_R_NCACHENXDOMAIN) {
-		result = finddlvsep(val, ISC_TRUE);
-		if (result == ISC_R_SUCCESS) {
-			if (dlv_algorithm_supported(val)) {
-				dns_name_format(dns_fixedname_name(&val->dlvsep),
-						namebuf, sizeof(namebuf));
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "DLV %s found", namebuf);
-				dlv_validator_start(val);
-			} else {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "DLV %s found with no supported "
-					      "algorithms", namebuf);
-				markanswer(val, "dlvfetched (2)");
-				validator_done(val, ISC_R_SUCCESS);
-			}
-		} else if (result == ISC_R_NOTFOUND) {
-			validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
-			markanswer(val, "dlvfetched (3)");
-			validator_done(val, ISC_R_SUCCESS);
-		} else {
-			validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
-				      dns_result_totext(result));
-			if (result != DNS_R_WAIT)
-				validator_done(val, result);
-		}
-	} else {
-		validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
-			      dns_result_totext(eresult));
-		validator_done(val, eresult);
-	}
-	want_destroy = exit_check(val);
-	UNLOCK(&val->lock);
-	if (fetch != NULL)
-		dns_resolver_destroyfetch(&fetch);
-	if (want_destroy)
-		destroy(val);
-}
-
-/*%
- * Start the DLV lookup process.
- *
- * Returns
- * \li	ISC_R_SUCCESS
- * \li	DNS_R_WAIT
- * \li	Others on validation failures.
- */
-static isc_result_t
-startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
-	char namebuf[DNS_NAME_FORMATSIZE];
-	isc_result_t result;
-
-	INSIST(!DLVTRIED(val));
-
-	val->attributes |= VALATTR_DLVTRIED;
-
-	dns_name_format(unsecure, namebuf, sizeof(namebuf));
-	validator_log(val, ISC_LOG_DEBUG(3),
-		      "plain DNSSEC returns unsecure (%s): looking for DLV",
-		      namebuf);
-
-	if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
-		validator_log(val, ISC_LOG_WARNING, "must be secure failure, "
-			      " %s is under DLV (startfinddlvsep)", namebuf);
-		return (DNS_R_MUSTBESECURE);
-	}
-
-	val->dlvlabels = dns_name_countlabels(unsecure) - 1;
-	result = finddlvsep(val, ISC_FALSE);
-	if (result == ISC_R_NOTFOUND) {
-		validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
-		markanswer(val, "startfinddlvsep (1)");
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
-			      dns_result_totext(result));
-		return (result);
-	}
-	dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
-			sizeof(namebuf));
-	if (dlv_algorithm_supported(val)) {
-		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-		dlv_validator_start(val);
-		return (DNS_R_WAIT);
-	}
-	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
-		      "algorithms", namebuf);
-	markanswer(val, "startfinddlvsep (2)");
-	validator_done(val, ISC_R_SUCCESS);
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Continue the DLV lookup process.
- *
- * Returns
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOTFOUND
- * \li	DNS_R_WAIT
- * \li	Others on validation failure.
- */
-static isc_result_t
-finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
-	char namebuf[DNS_NAME_FORMATSIZE];
-	dns_fixedname_t dlvfixed;
-	dns_name_t *dlvname;
-	dns_name_t *dlvsep;
-	dns_name_t noroot;
-	isc_result_t result;
-	unsigned int labels;
-
-	INSIST(val->view->dlv != NULL);
-
-	if (!resume) {
-		if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
-			dns_name_format(val->event->name, namebuf,
-					sizeof(namebuf));
-			validator_log(val, ISC_LOG_WARNING,
-				      "must be secure failure, "
-				      "%s is under DLV (finddlvsep)", namebuf);
-			return (DNS_R_MUSTBESECURE);
-		}
-
-		dns_fixedname_init(&val->dlvsep);
-		dlvsep = dns_fixedname_name(&val->dlvsep);
-		dns_name_copy(val->event->name, dlvsep, NULL);
-		/*
-		 * If this is a response to a DS query, we need to look in
-		 * the parent zone for the trust anchor.
-		 */
-		if (val->event->type == dns_rdatatype_ds) {
-			labels = dns_name_countlabels(dlvsep);
-			if (labels == 0)
-				return (ISC_R_NOTFOUND);
-			dns_name_getlabelsequence(dlvsep, 1, labels - 1,
-						  dlvsep);
-		}
-	} else {
-		dlvsep = dns_fixedname_name(&val->dlvsep);
-		labels = dns_name_countlabels(dlvsep);
-		dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
-	}
-	dns_name_init(&noroot, NULL);
-	dns_fixedname_init(&dlvfixed);
-	dlvname = dns_fixedname_name(&dlvfixed);
-	labels = dns_name_countlabels(dlvsep);
-	if (labels == 0)
-		return (ISC_R_NOTFOUND);
-	dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
-	result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
-	while (result == ISC_R_NOSPACE) {
-		labels = dns_name_countlabels(dlvsep);
-		dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
-		dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
-		result = dns_name_concatenate(&noroot, val->view->dlv,
-					      dlvname, NULL);
-	}
-	if (result != ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
-		return (DNS_R_NOVALIDSIG);
-	}
-
-	while (dns_name_countlabels(dlvname) >=
-	       dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
-		dns_name_format(dlvname, namebuf, sizeof(namebuf));
-		validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
-			      namebuf);
-		result = view_find(val, dlvname, dns_rdatatype_dlv);
-		if (result == ISC_R_SUCCESS) {
-			if (DNS_TRUST_PENDING(val->frdataset.trust) &&
-			    dns_rdataset_isassociated(&val->fsigrdataset))
-			{
-				dns_fixedname_init(&val->fname);
-				dns_name_copy(dlvname,
-					      dns_fixedname_name(&val->fname),
-					      NULL);
-				result = create_validator(val,
-						dns_fixedname_name(&val->fname),
-							  dns_rdatatype_dlv,
-							  &val->frdataset,
-							  &val->fsigrdataset,
-							  dlvvalidated,
-							  "finddlvsep");
-				if (result != ISC_R_SUCCESS)
-					return (result);
-				return (DNS_R_WAIT);
-			}
-			if (val->frdataset.trust < dns_trust_secure) {
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "DLV not validated");
-				return (DNS_R_NOVALIDSIG);
-			}
-			val->havedlvsep = ISC_TRUE;
-			dns_rdataset_clone(&val->frdataset, &val->dlv);
-			return (ISC_R_SUCCESS);
-		}
-		if (result == ISC_R_NOTFOUND) {
-			result = create_fetch(val, dlvname, dns_rdatatype_dlv,
-					      dlvfetched, "finddlvsep");
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			return (DNS_R_WAIT);
-		}
-		if (result != DNS_R_NXRRSET &&
-		    result != DNS_R_NXDOMAIN &&
-		    result != DNS_R_EMPTYNAME &&
-		    result != DNS_R_NCACHENXRRSET &&
-		    result != DNS_R_NCACHENXDOMAIN)
-			return (result);
-		/*
-		 * Strip first labels from both dlvsep and dlvname.
-		 */
-		labels = dns_name_countlabels(dlvsep);
-		if (labels == 0)
-			break;
-		dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
-		labels = dns_name_countlabels(dlvname);
-		dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
-	}
-	return (ISC_R_NOTFOUND);
-}
-
-/*%
- * proveunsecure walks down from the SEP looking for a break in the
- * chain of trust.  That occurs when we can prove the DS record does
- * not exist at a delegation point or the DS exists at a delegation
- * but we don't support the algorithm/digest.
- *
- * If DLV is active and we look for a DLV record at or below the
- * point we go insecure.  If found we restart the validation process.
- * If not found or DLV isn't active we mark the response as a answer.
- *
- * Returns:
- * \li	ISC_R_SUCCESS		val->event->name is in a unsecure zone
- * \li	DNS_R_WAIT		validation is in progress.
- * \li	DNS_R_MUSTBESECURE	val->event->name is supposed to be secure
- *				(policy) but we proved that it is unsecure.
- * \li	DNS_R_NOVALIDSIG
- * \li	DNS_R_NOVALIDNSEC
- * \li	DNS_R_NOTINSECURE
- * \li	DNS_R_BROKENCHAIN
- */
-static isc_result_t
-proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
-{
-	isc_result_t result;
-	dns_fixedname_t fixedsecroot;
-	dns_name_t *secroot;
-	dns_name_t *tname;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	dns_name_t *found;
-	dns_fixedname_t fixedfound;
-
-	dns_fixedname_init(&fixedsecroot);
-	secroot = dns_fixedname_name(&fixedsecroot);
-	dns_fixedname_init(&fixedfound);
-	found = dns_fixedname_name(&fixedfound);
-	if (val->havedlvsep)
-		dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
-	else {
-		unsigned int labels;
-		dns_name_copy(val->event->name, secroot, NULL);
-		/*
-		 * If this is a response to a DS query, we need to look in
-		 * the parent zone for the trust anchor.
-		 */
-
-		labels = dns_name_countlabels(secroot);
-		if (val->event->type == dns_rdatatype_ds && labels > 1U)
-			dns_name_getlabelsequence(secroot, 1, labels - 1,
-						  secroot);
-		result = dns_keytable_finddeepestmatch(val->keytable,
-						       secroot, secroot);
-		if (result == ISC_R_NOTFOUND) {
-			if (val->mustbesecure) {
-				validator_log(val, ISC_LOG_WARNING,
-					      "must be secure failure, "
-					      "not beneath secure root");
-				result = DNS_R_MUSTBESECURE;
-				goto out;
-			} else
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "not beneath secure root");
-			if (val->view->dlv == NULL || DLVTRIED(val)) {
-				markanswer(val, "proveunsecure (1)");
-				return (ISC_R_SUCCESS);
-			}
-			return (startfinddlvsep(val, dns_rootname));
-		} else if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	if (!resume) {
-		/*
-		 * We are looking for breaks below the SEP so add a label.
-		 */
-		val->labels = dns_name_countlabels(secroot) + 1;
-	} else {
-		validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
-		/*
-		 * If we have a DS rdataset and it is secure then check if
-		 * the DS rdataset has a supported algorithm combination.
-		 * If not this is an insecure delegation as far as this
-		 * resolver is concerned.  Fall back to DLV if available.
-		 */
-		if (have_ds && val->frdataset.trust >= dns_trust_secure &&
-		    !check_ds(val, dns_fixedname_name(&val->fname),
-			      &val->frdataset)) {
-			dns_name_format(dns_fixedname_name(&val->fname),
-					namebuf, sizeof(namebuf));
-			if ((val->view->dlv == NULL || DLVTRIED(val)) &&
-			    val->mustbesecure) {
-				validator_log(val, ISC_LOG_WARNING,
-					      "must be secure failure at '%s', "
-					      "can't fall back to DLV",
-					      namebuf);
-				result = DNS_R_MUSTBESECURE;
-				goto out;
-			}
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "no supported algorithm/digest (%s/DS)",
-				      namebuf);
-			if (val->view->dlv == NULL || DLVTRIED(val)) {
-				markanswer(val, "proveunsecure (2)");
-				result = ISC_R_SUCCESS;
-				goto out;
-			}
-			return(startfinddlvsep(val,
-					      dns_fixedname_name(&val->fname)));
-		}
-		val->labels++;
-	}
-
-	for (;
-	     val->labels <= dns_name_countlabels(val->event->name);
-	     val->labels++)
-	{
-
-		dns_fixedname_init(&val->fname);
-		tname = dns_fixedname_name(&val->fname);
-		if (val->labels == dns_name_countlabels(val->event->name))
-			dns_name_copy(val->event->name, tname, NULL);
-		else
-			dns_name_split(val->event->name, val->labels,
-				       NULL, tname);
-
-		dns_name_format(tname, namebuf, sizeof(namebuf));
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "checking existence of DS at '%s'",
-			      namebuf);
-
-		result = view_find(val, tname, dns_rdatatype_ds);
-		if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
-			/*
-			 * There is no DS.  If this is a delegation,
-			 * we may be done.
-			 */
-			/*
-			 * If we have "trust == answer" then this namespace
-			 * has switched from insecure to should be secure.
-			 */
-			if (DNS_TRUST_PENDING(val->frdataset.trust) ||
-			    DNS_TRUST_ANSWER(val->frdataset.trust)) {
-				result = create_validator(val, tname,
-							  dns_rdatatype_ds,
-							  &val->frdataset,
-							  NULL, dsvalidated,
-							  "proveunsecure");
-				if (result != ISC_R_SUCCESS)
-					goto out;
-				return (DNS_R_WAIT);
-			}
-			/*
-			 * Zones using NSEC3 don't return a NSEC RRset so
-			 * we need to use dns_view_findzonecut2 to find
-			 * the zone cut.
-			 */
-			if (result == DNS_R_NXRRSET &&
-			    !dns_rdataset_isassociated(&val->frdataset) &&
-			    dns_view_findzonecut2(val->view, tname, found,
-						 0, 0, ISC_FALSE, ISC_FALSE,
-						 NULL, NULL) == ISC_R_SUCCESS &&
-			    dns_name_equal(tname, found)) {
-				if (val->mustbesecure) {
-					validator_log(val, ISC_LOG_WARNING,
-						      "must be secure failure, "
-						      "no DS at zone cut");
-					return (DNS_R_MUSTBESECURE);
-				}
-				if (val->view->dlv == NULL || DLVTRIED(val)) {
-					markanswer(val, "proveunsecure (3)");
-					return (ISC_R_SUCCESS);
-				}
-				return (startfinddlvsep(val, tname));
-			}
-			if (val->frdataset.trust < dns_trust_secure) {
-				/*
-				 * This shouldn't happen, since the negative
-				 * response should have been validated.  Since
-				 * there's no way of validating existing
-				 * negative response blobs, give up.
-				 */
-				validator_log(val, ISC_LOG_WARNING,
-					      "can't validate existing "
-					      "negative responses (no DS)");
-				result = DNS_R_NOVALIDSIG;
-				goto out;
-			}
-			if (isdelegation(tname, &val->frdataset, result)) {
-				if (val->mustbesecure) {
-					validator_log(val, ISC_LOG_WARNING,
-						      "must be secure failure, "
-						      "%s is a delegation",
-						      namebuf);
-					return (DNS_R_MUSTBESECURE);
-				}
-				if (val->view->dlv == NULL || DLVTRIED(val)) {
-					markanswer(val, "proveunsecure (4)");
-					return (ISC_R_SUCCESS);
-				}
-				return (startfinddlvsep(val, tname));
-			}
-			continue;
-		} else if (result == DNS_R_CNAME) {
-			if (DNS_TRUST_PENDING(val->frdataset.trust) ||
-			    DNS_TRUST_ANSWER(val->frdataset.trust)) {
-				result = create_validator(val, tname,
-							  dns_rdatatype_cname,
-							  &val->frdataset,
-							  NULL, cnamevalidated,
-							  "proveunsecure "
-							  "(cname)");
-				if (result != ISC_R_SUCCESS)
-					goto out;
-				return (DNS_R_WAIT);
-			}
-			continue;
-		} else if (result == ISC_R_SUCCESS) {
-			/*
-			 * There is a DS here.  Verify that it's secure and
-			 * continue.
-			 */
-			if (val->frdataset.trust >= dns_trust_secure) {
-				if (!check_ds(val, tname, &val->frdataset)) {
-					validator_log(val, ISC_LOG_DEBUG(3),
-						     "no supported algorithm/"
-						     "digest (%s/DS)", namebuf);
-					if (val->mustbesecure) {
-						validator_log(val,
-							      ISC_LOG_WARNING,
-						      "must be secure failure, "
-						      "no supported algorithm/"
-						      "digest (%s/DS)",
-						      namebuf);
-						result = DNS_R_MUSTBESECURE;
-						goto out;
-					}
-					if (val->view->dlv == NULL ||
-					    DLVTRIED(val)) {
-						markanswer(val,
-							   "proveunsecure (5)");
-						result = ISC_R_SUCCESS;
-						goto out;
-					}
-					return(startfinddlvsep(val, tname));
-				}
-				continue;
-			}
-			else if (!dns_rdataset_isassociated(&val->fsigrdataset))
-			{
-				validator_log(val, ISC_LOG_DEBUG(3),
-					      "DS is unsigned");
-				result = DNS_R_NOVALIDSIG;
-				goto out;
-			}
-			/*
-			 * Validate / re-validate answer.
-			 */
-			result = create_validator(val, tname, dns_rdatatype_ds,
-						  &val->frdataset,
-						  &val->fsigrdataset,
-						  dsvalidated,
-						  "proveunsecure");
-			if (result != ISC_R_SUCCESS)
-				goto out;
-			return (DNS_R_WAIT);
-		} else if (result == DNS_R_NXDOMAIN ||
-			   result == DNS_R_NCACHENXDOMAIN) {
-			/*
-			 * This is not a zone cut.  Assuming things are
-			 * as expected, continue.
-			 */
-			if (!dns_rdataset_isassociated(&val->frdataset)) {
-				/*
-				 * There should be an NSEC here, since we
-				 * are still in a secure zone.
-				 */
-				result = DNS_R_NOVALIDNSEC;
-				goto out;
-			} else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
-				   DNS_TRUST_ANSWER(val->frdataset.trust)) {
-				/*
-				 * If we have "trust == answer" then this namespace
-				 * has switched from insecure to should be secure.
-				 */
-				result = create_validator(val, tname,
-							  dns_rdatatype_ds,
-							  &val->frdataset,
-							  NULL, dsvalidated,
-							  "proveunsecure");
-				if (result != ISC_R_SUCCESS)
-					goto out;
-				return (DNS_R_WAIT);
-			} else if (val->frdataset.trust < dns_trust_secure) {
-				/*
-				 * This shouldn't happen, since the negative
-				 * response should have been validated.  Since
-				 * there's no way of validating existing
-				 * negative response blobs, give up.
-				 */
-				validator_log(val, ISC_LOG_WARNING,
-					      "can't validate existing "
-					      "negative responses "
-					      "(not a zone cut)");
-				result = DNS_R_NOVALIDSIG;
-				goto out;
-			}
-			continue;
-		} else if (result == ISC_R_NOTFOUND) {
-			/*
-			 * We don't know anything about the DS.  Find it.
-			 */
-			result = create_fetch(val, tname, dns_rdatatype_ds,
-					      dsfetched2, "proveunsecure");
-			if (result != ISC_R_SUCCESS)
-				goto out;
-			return (DNS_R_WAIT);
-		} else if (result == DNS_R_BROKENCHAIN)
-			return (result);
-	}
-
-	/* Couldn't complete insecurity proof */
-	validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
-	return (DNS_R_NOTINSECURE);
-
- out:
-	if (dns_rdataset_isassociated(&val->frdataset))
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-	return (result);
-}
-
-/*%
- * Reset state and revalidate the answer using DLV.
- */
-static void
-dlv_validator_start(dns_validator_t *val) {
-	isc_event_t *event;
-
-	validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
-
-	/*
-	 * Reset state and try again.
-	 */
-	val->attributes &= VALATTR_DLVTRIED;
-	val->options &= ~DNS_VALIDATOR_DLV;
-
-	event = (isc_event_t *)val->event;
-	isc_task_send(val->task, &event);
-}
-
-/*%
- * Start the validation process.
- *
- * Attempt to validate the answer based on the category it appears to
- * fall in.
- * \li	1. secure positive answer.
- * \li	2. unsecure positive answer.
- * \li	3. a negative answer (secure or unsecure).
- *
- * Note a answer that appears to be a secure positive answer may actually
- * be an unsecure positive answer.
- */
-static void
-validator_start(isc_task_t *task, isc_event_t *event) {
-	dns_validator_t *val;
-	dns_validatorevent_t *vevent;
-	isc_boolean_t want_destroy = ISC_FALSE;
-	isc_result_t result = ISC_R_FAILURE;
-
-	UNUSED(task);
-	REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
-	vevent = (dns_validatorevent_t *)event;
-	val = vevent->validator;
-
-	/* If the validator has been canceled, val->event == NULL */
-	if (val->event == NULL)
-		return;
-
-	if (DLVTRIED(val))
-		validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
-	else
-		validator_log(val, ISC_LOG_DEBUG(3), "starting");
-
-	LOCK(&val->lock);
-
-	if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
-	     val->event->rdataset != NULL) {
-		validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
-		result = startfinddlvsep(val, dns_rootname);
-	} else if (val->event->rdataset != NULL &&
-		   val->event->sigrdataset != NULL) {
-		isc_result_t saved_result;
-
-		/*
-		 * This looks like a simple validation.  We say "looks like"
-		 * because it might end up requiring an insecurity proof.
-		 */
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "attempting positive response validation");
-
-		INSIST(dns_rdataset_isassociated(val->event->rdataset));
-		INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
-		result = start_positive_validation(val);
-		if (result == DNS_R_NOVALIDSIG &&
-		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
-		{
-			saved_result = result;
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "falling back to insecurity proof");
-			val->attributes |= VALATTR_INSECURITY;
-			result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
-			if (result == DNS_R_NOTINSECURE)
-				result = saved_result;
-		}
-	} else if (val->event->rdataset != NULL &&
-		   val->event->rdataset->type != 0) {
-		/*
-		 * This is either an unsecure subdomain or a response from
-		 * a broken server.
-		 */
-		INSIST(dns_rdataset_isassociated(val->event->rdataset));
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "attempting insecurity proof");
-
-		val->attributes |= VALATTR_INSECURITY;
-		result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
-		if (result == DNS_R_NOTINSECURE)
-			validator_log(val, ISC_LOG_INFO,
-				      "got insecure response; "
-				      "parent indicates it should be secure");
-	} else if (val->event->rdataset == NULL &&
-		   val->event->sigrdataset == NULL)
-	{
-		/*
-		 * This is a nonexistence validation.
-		 */
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "attempting negative response validation");
-
-		if (val->event->message->rcode == dns_rcode_nxdomain) {
-			val->attributes |= VALATTR_NEEDNOQNAME;
-			val->attributes |= VALATTR_NEEDNOWILDCARD;
-		} else
-			val->attributes |= VALATTR_NEEDNODATA;
-		result = nsecvalidate(val, ISC_FALSE);
-	} else if (val->event->rdataset != NULL &&
-		    NEGATIVE(val->event->rdataset))
-	{
-		/*
-		 * This is a nonexistence validation.
-		 */
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "attempting negative response validation");
-
-		if (val->event->rdataset->covers == dns_rdatatype_any) {
-			val->attributes |= VALATTR_NEEDNOQNAME;
-			val->attributes |= VALATTR_NEEDNOWILDCARD;
-		} else
-			val->attributes |= VALATTR_NEEDNODATA;
-		result = nsecvalidate(val, ISC_FALSE);
-	} else {
-		/*
-		 * This shouldn't happen.
-		 */
-		INSIST(0);
-	}
-
-	if (result != DNS_R_WAIT) {
-		want_destroy = exit_check(val);
-		validator_done(val, result);
-	}
-
-	UNLOCK(&val->lock);
-	if (want_destroy)
-		destroy(val);
-}
-
-isc_result_t
-dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
-		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-		     dns_message_t *message, unsigned int options,
-		     isc_task_t *task, isc_taskaction_t action, void *arg,
-		     dns_validator_t **validatorp)
-{
-	isc_result_t result = ISC_R_FAILURE;
-	dns_validator_t *val;
-	isc_task_t *tclone = NULL;
-	dns_validatorevent_t *event;
-
-	REQUIRE(name != NULL);
-	REQUIRE(rdataset != NULL ||
-		(rdataset == NULL && sigrdataset == NULL && message != NULL));
-	REQUIRE(validatorp != NULL && *validatorp == NULL);
-
-	val = isc_mem_get(view->mctx, sizeof(*val));
-	if (val == NULL)
-		return (ISC_R_NOMEMORY);
-	val->view = NULL;
-	dns_view_weakattach(view, &val->view);
-
-	event = (dns_validatorevent_t *)
-		isc_event_allocate(view->mctx, task,
-				   DNS_EVENT_VALIDATORSTART,
-				   validator_start, NULL,
-				   sizeof(dns_validatorevent_t));
-	if (event == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_val;
-	}
-	isc_task_attach(task, &tclone);
-	event->validator = val;
-	event->result = ISC_R_FAILURE;
-	event->name = name;
-	event->type = type;
-	event->rdataset = rdataset;
-	event->sigrdataset = sigrdataset;
-	event->message = message;
-	memset(event->proofs, 0, sizeof(event->proofs));
-	event->optout = ISC_FALSE;
-	event->secure = ISC_FALSE;
-	result = isc_mutex_init(&val->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_event;
-	val->event = event;
-	val->options = options;
-	val->attributes = 0;
-	val->fetch = NULL;
-	val->subvalidator = NULL;
-	val->parent = NULL;
-
-	val->keytable = NULL;
-	result = dns_view_getsecroots(val->view, &val->keytable);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	val->keynode = NULL;
-	val->key = NULL;
-	val->siginfo = NULL;
-	val->task = task;
-	val->action = action;
-	val->arg = arg;
-	val->labels = 0;
-	val->currentset = NULL;
-	val->keyset = NULL;
-	val->dsset = NULL;
-	dns_rdataset_init(&val->dlv);
-	val->seensig = ISC_FALSE;
-	val->havedlvsep = ISC_FALSE;
-	val->depth = 0;
-	val->authcount = 0;
-	val->authfail = 0;
-	val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
-	dns_rdataset_init(&val->frdataset);
-	dns_rdataset_init(&val->fsigrdataset);
-	dns_fixedname_init(&val->wild);
-	dns_fixedname_init(&val->nearest);
-	dns_fixedname_init(&val->closest);
-	ISC_LINK_INIT(val, link);
-	val->magic = VALIDATOR_MAGIC;
-
-	if ((options & DNS_VALIDATOR_DEFER) == 0)
-		isc_task_send(task, ISC_EVENT_PTR(&event));
-
-	*validatorp = val;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_event:
-	isc_task_detach(&tclone);
-	isc_event_free(ISC_EVENT_PTR(&event));
-
- cleanup_val:
-	dns_view_weakdetach(&val->view);
-	isc_mem_put(view->mctx, val, sizeof(*val));
-
-	return (result);
-}
-
-void
-dns_validator_send(dns_validator_t *validator) {
-	isc_event_t *event;
-	REQUIRE(VALID_VALIDATOR(validator));
-
-	LOCK(&validator->lock);
-
-	INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
-	event = (isc_event_t *)validator->event;
-	validator->options &= ~DNS_VALIDATOR_DEFER;
-	UNLOCK(&validator->lock);
-
-	isc_task_send(validator->task, ISC_EVENT_PTR(&event));
-}
-
-void
-dns_validator_cancel(dns_validator_t *validator) {
-	dns_fetch_t *fetch = NULL;
-
-	REQUIRE(VALID_VALIDATOR(validator));
-
-	LOCK(&validator->lock);
-
-	validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
-
-	if ((validator->attributes & VALATTR_CANCELED) == 0) {
-		validator->attributes |= VALATTR_CANCELED;
-		if (validator->event != NULL) {
-			fetch = validator->fetch;
-			validator->fetch = NULL;
-
-			if (validator->subvalidator != NULL)
-				dns_validator_cancel(validator->subvalidator);
-			if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
-				validator->options &= ~DNS_VALIDATOR_DEFER;
-				validator_done(validator, ISC_R_CANCELED);
-			}
-		}
-	}
-	UNLOCK(&validator->lock);
-
-	/* Need to cancel and destroy the fetch outside validator lock */
-	if (fetch != NULL) {
-		dns_resolver_cancelfetch(fetch);
-		dns_resolver_destroyfetch(&fetch);
-	}
-}
-
-static void
-destroy(dns_validator_t *val) {
-	isc_mem_t *mctx;
-
-	REQUIRE(SHUTDOWN(val));
-	REQUIRE(val->event == NULL);
-	REQUIRE(val->fetch == NULL);
-
-	if (val->keynode != NULL)
-		dns_keytable_detachkeynode(val->keytable, &val->keynode);
-	else if (val->key != NULL)
-		dst_key_free(&val->key);
-	if (val->keytable != NULL)
-		dns_keytable_detach(&val->keytable);
-	if (val->subvalidator != NULL)
-		dns_validator_destroy(&val->subvalidator);
-	if (val->havedlvsep)
-		dns_rdataset_disassociate(&val->dlv);
-	if (dns_rdataset_isassociated(&val->frdataset))
-		dns_rdataset_disassociate(&val->frdataset);
-	if (dns_rdataset_isassociated(&val->fsigrdataset))
-		dns_rdataset_disassociate(&val->fsigrdataset);
-	mctx = val->view->mctx;
-	if (val->siginfo != NULL)
-		isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
-	DESTROYLOCK(&val->lock);
-	dns_view_weakdetach(&val->view);
-	val->magic = 0;
-	isc_mem_put(mctx, val, sizeof(*val));
-}
-
-void
-dns_validator_destroy(dns_validator_t **validatorp) {
-	dns_validator_t *val;
-	isc_boolean_t want_destroy = ISC_FALSE;
-
-	REQUIRE(validatorp != NULL);
-	val = *validatorp;
-	REQUIRE(VALID_VALIDATOR(val));
-
-	LOCK(&val->lock);
-
-	val->attributes |= VALATTR_SHUTDOWN;
-	validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
-
-	want_destroy = exit_check(val);
-
-	UNLOCK(&val->lock);
-
-	if (want_destroy)
-		destroy(val);
-
-	*validatorp = NULL;
-}
-
-static void
-validator_logv(dns_validator_t *val, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
-{
-	char msgbuf[2048];
-	static const char spaces[] = "        *";
-	int depth = val->depth * 2;
-
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-
-	if ((unsigned int) depth >= sizeof spaces)
-		depth = sizeof spaces - 1;
-
-	if (val->event != NULL && val->event->name != NULL) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		char typebuf[DNS_RDATATYPE_FORMATSIZE];
-
-		dns_name_format(val->event->name, namebuf, sizeof(namebuf));
-		dns_rdatatype_format(val->event->type, typebuf,
-				     sizeof(typebuf));
-		isc_log_write(dns_lctx, category, module, level,
-			      "%.*svalidating @%p: %s %s: %s", depth, spaces,
-			      val, namebuf, typebuf, msgbuf);
-	} else {
-		isc_log_write(dns_lctx, category, module, level,
-			      "%.*svalidator @%p: %s", depth, spaces,
-			       val, msgbuf);
-	}
-}
-
-static void
-validator_log(void *val, int level, const char *fmt, ...) {
-	va_list ap;
-
-	if (! isc_log_wouldlog(dns_lctx, level))
-		return;
-
-	va_start(ap, fmt);
-
-	validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
-		       DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
-	va_end(ap);
-}
-
-static void
-validator_logcreate(dns_validator_t *val,
-		    dns_name_t *name, dns_rdatatype_t type,
-		    const char *caller, const char *operation)
-{
-	char namestr[DNS_NAME_FORMATSIZE];
-	char typestr[DNS_RDATATYPE_FORMATSIZE];
-
-	dns_name_format(name, namestr, sizeof(namestr));
-	dns_rdatatype_format(type, typestr, sizeof(typestr));
-	validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
-		      caller, operation, namestr, typestr);
-}
diff --git a/contrib/bind9/lib/dns/version.c b/contrib/bind9/lib/dns/version.c
deleted file mode 100644
index fbc8889..0000000
--- a/contrib/bind9/lib/dns/version.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.15 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <dns/version.h>
-
-const char dns_version[] = VERSION;
-
-const unsigned int dns_libinterface = LIBINTERFACE;
-const unsigned int dns_librevision = LIBREVISION;
-const unsigned int dns_libage = LIBAGE;
diff --git a/contrib/bind9/lib/dns/view.c b/contrib/bind9/lib/dns/view.c
deleted file mode 100644
index 9c1a201..0000000
--- a/contrib/bind9/lib/dns/view.c
+++ /dev/null
@@ -1,1845 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/print.h>
-#include <isc/sha2.h>
-#include <isc/stats.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/acache.h>
-#include <dns/acl.h>
-#include <dns/adb.h>
-#include <dns/cache.h>
-#include <dns/db.h>
-#include <dns/dispatch.h>
-#include <dns/dlz.h>
-#ifdef BIND9
-#include <dns/dns64.h>
-#endif
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/forward.h>
-#include <dns/keytable.h>
-#include <dns/keyvalues.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/order.h>
-#include <dns/peer.h>
-#include <dns/rbt.h>
-#include <dns/rdataset.h>
-#include <dns/request.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/rpz.h>
-#include <dns/stats.h>
-#include <dns/tsig.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#define RESSHUTDOWN(v)	(((v)->attributes & DNS_VIEWATTR_RESSHUTDOWN) != 0)
-#define ADBSHUTDOWN(v)	(((v)->attributes & DNS_VIEWATTR_ADBSHUTDOWN) != 0)
-#define REQSHUTDOWN(v)	(((v)->attributes & DNS_VIEWATTR_REQSHUTDOWN) != 0)
-
-#define DNS_VIEW_DELONLYHASH 111
-
-static void resolver_shutdown(isc_task_t *task, isc_event_t *event);
-static void adb_shutdown(isc_task_t *task, isc_event_t *event);
-static void req_shutdown(isc_task_t *task, isc_event_t *event);
-
-isc_result_t
-dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-		const char *name, dns_view_t **viewp)
-{
-	dns_view_t *view;
-	isc_result_t result;
-
-	/*
-	 * Create a view.
-	 */
-
-	REQUIRE(name != NULL);
-	REQUIRE(viewp != NULL && *viewp == NULL);
-
-	view = isc_mem_get(mctx, sizeof(*view));
-	if (view == NULL)
-		return (ISC_R_NOMEMORY);
-
-	view->mctx = NULL;
-	isc_mem_attach(mctx, &view->mctx);
-	view->name = isc_mem_strdup(mctx, name);
-	if (view->name == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_view;
-	}
-	result = isc_mutex_init(&view->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_name;
-
-	view->zonetable = NULL;
-#ifdef BIND9
-	result = dns_zt_create(mctx, rdclass, &view->zonetable);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "dns_zt_create() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
-		goto cleanup_mutex;
-	}
-#endif
-	view->secroots_priv = NULL;
-	view->fwdtable = NULL;
-	result = dns_fwdtable_create(mctx, &view->fwdtable);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "dns_fwdtable_create() failed: %s",
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
-		goto cleanup_zt;
-	}
-
-	view->acache = NULL;
-	view->cache = NULL;
-	view->cachedb = NULL;
-	view->dlzdatabase = NULL;
-	view->hints = NULL;
-	view->resolver = NULL;
-	view->adb = NULL;
-	view->requestmgr = NULL;
-	view->rdclass = rdclass;
-	view->frozen = ISC_FALSE;
-	view->task = NULL;
-	result = isc_refcount_init(&view->references, 1);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_fwdtable;
-	view->weakrefs = 0;
-	view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN|
-			    DNS_VIEWATTR_REQSHUTDOWN);
-	view->statickeys = NULL;
-	view->dynamickeys = NULL;
-	view->matchclients = NULL;
-	view->matchdestinations = NULL;
-	view->matchrecursiveonly = ISC_FALSE;
-	result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_references;
-	view->peers = NULL;
-	view->order = NULL;
-	view->delonly = NULL;
-	view->rootdelonly = ISC_FALSE;
-	view->rootexclude = NULL;
-	view->resstats = NULL;
-	view->resquerystats = NULL;
-	view->cacheshared = ISC_FALSE;
-	ISC_LIST_INIT(view->dns64);
-	view->dns64cnt = 0;
-
-	/*
-	 * Initialize configuration data with default values.
-	 */
-	view->recursion = ISC_TRUE;
-	view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
-	view->additionalfromcache = ISC_TRUE;
-	view->additionalfromauth = ISC_TRUE;
-	view->enablednssec = ISC_TRUE;
-	view->enablevalidation = ISC_TRUE;
-	view->acceptexpired = ISC_FALSE;
-	view->minimalresponses = ISC_FALSE;
-	view->transfer_format = dns_one_answer;
-	view->cacheacl = NULL;
-	view->cacheonacl = NULL;
-	view->queryacl = NULL;
-	view->queryonacl = NULL;
-	view->recursionacl = NULL;
-	view->recursiononacl = NULL;
-	view->sortlist = NULL;
-	view->transferacl = NULL;
-	view->notifyacl = NULL;
-	view->updateacl = NULL;
-	view->upfwdacl = NULL;
-	view->denyansweracl = NULL;
-	view->answeracl_exclude = NULL;
-	view->denyanswernames = NULL;
-	view->answernames_exclude = NULL;
-	view->provideixfr = ISC_TRUE;
-	view->maxcachettl = 7 * 24 * 3600;
-	view->maxncachettl = 3 * 3600;
-	view->dstport = 53;
-	view->preferred_glue = 0;
-	view->flush = ISC_FALSE;
-	view->dlv = NULL;
-	view->maxudp = 0;
-	view->maxbits = 0;
-	view->v4_aaaa = dns_v4_aaaa_ok;
-	view->v4_aaaa_acl = NULL;
-	ISC_LIST_INIT(view->rpz_zones);
-	view->rpz_recursive_only = ISC_TRUE;
-	view->rpz_break_dnssec = ISC_FALSE;
-	dns_fixedname_init(&view->dlv_fixed);
-	view->managed_keys = NULL;
-	view->redirect = NULL;
-#ifdef BIND9
-	view->new_zone_file = NULL;
-	view->new_zone_config = NULL;
-	view->cfg_destroy = NULL;
-
-	result = dns_order_create(view->mctx, &view->order);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_dynkeys;
-#endif
-
-	result = dns_peerlist_new(view->mctx, &view->peers);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_order;
-
-	result = dns_aclenv_init(view->mctx, &view->aclenv);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_peerlist;
-
-	ISC_LINK_INIT(view, link);
-	ISC_EVENT_INIT(&view->resevent, sizeof(view->resevent), 0, NULL,
-		       DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown,
-		       view, NULL, NULL, NULL);
-	ISC_EVENT_INIT(&view->adbevent, sizeof(view->adbevent), 0, NULL,
-		       DNS_EVENT_VIEWADBSHUTDOWN, adb_shutdown,
-		       view, NULL, NULL, NULL);
-	ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL,
-		       DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown,
-		       view, NULL, NULL, NULL);
-	view->viewlist = NULL;
-	view->magic = DNS_VIEW_MAGIC;
-
-	*viewp = view;
-
-	return (ISC_R_SUCCESS);
-
- cleanup_peerlist:
-	dns_peerlist_detach(&view->peers);
-
- cleanup_order:
-#ifdef BIND9
-	dns_order_detach(&view->order);
-
- cleanup_dynkeys:
-#endif
-	dns_tsigkeyring_detach(&view->dynamickeys);
-
- cleanup_references:
-	isc_refcount_destroy(&view->references);
-
- cleanup_fwdtable:
-	dns_fwdtable_destroy(&view->fwdtable);
-
- cleanup_zt:
-#ifdef BIND9
-	dns_zt_detach(&view->zonetable);
-
- cleanup_mutex:
-#endif
-	DESTROYLOCK(&view->lock);
-
- cleanup_name:
-	isc_mem_free(mctx, view->name);
-
- cleanup_view:
-	isc_mem_putanddetach(&view->mctx, view, sizeof(*view));
-
-	return (result);
-}
-
-static inline void
-destroy(dns_view_t *view) {
-#ifdef BIND9
-	dns_dns64_t *dns64;
-#endif
-
-	REQUIRE(!ISC_LINK_LINKED(view, link));
-	REQUIRE(isc_refcount_current(&view->references) == 0);
-	REQUIRE(view->weakrefs == 0);
-	REQUIRE(RESSHUTDOWN(view));
-	REQUIRE(ADBSHUTDOWN(view));
-	REQUIRE(REQSHUTDOWN(view));
-
-#ifdef BIND9
-	if (view->order != NULL)
-		dns_order_detach(&view->order);
-#endif
-	if (view->peers != NULL)
-		dns_peerlist_detach(&view->peers);
-
-	if (view->dynamickeys != NULL) {
-		isc_result_t result;
-		char template[20];
-		char keyfile[20];
-		FILE *fp = NULL;
-		int n;
-
-		n = snprintf(keyfile, sizeof(keyfile), "%s.tsigkeys",
-			     view->name);
-		if (n > 0 && (size_t)n < sizeof(keyfile)) {
-			result = isc_file_mktemplate(keyfile, template,
-						     sizeof(template));
-			if (result == ISC_R_SUCCESS)
-				(void)isc_file_openuniqueprivate(template, &fp);
-		}
-		if (fp == NULL)
-			dns_tsigkeyring_detach(&view->dynamickeys);
-		else {
-			result = dns_tsigkeyring_dumpanddetach(
-							&view->dynamickeys, fp);
-			if (result == ISC_R_SUCCESS) {
-				if (fclose(fp) == 0)
-					result = isc_file_rename(template,
-								 keyfile);
-				if (result != ISC_R_SUCCESS)
-					(void)remove(template);
-			} else {
-				(void)fclose(fp);
-				(void)remove(template);
-			}
-		}
-	}
-	if (view->statickeys != NULL)
-		dns_tsigkeyring_detach(&view->statickeys);
-	if (view->adb != NULL)
-		dns_adb_detach(&view->adb);
-	if (view->resolver != NULL)
-		dns_resolver_detach(&view->resolver);
-#ifdef BIND9
-	if (view->acache != NULL) {
-		if (view->cachedb != NULL)
-			dns_acache_putdb(view->acache, view->cachedb);
-		dns_acache_detach(&view->acache);
-	}
-	dns_rpz_view_destroy(view);
-#else
-	INSIST(view->acache == NULL);
-	INSIST(ISC_LIST_EMPTY(view->rpz_zones));
-#endif
-	if (view->requestmgr != NULL)
-		dns_requestmgr_detach(&view->requestmgr);
-	if (view->task != NULL)
-		isc_task_detach(&view->task);
-	if (view->hints != NULL)
-		dns_db_detach(&view->hints);
-	if (view->dlzdatabase != NULL)
-		dns_dlzdestroy(&view->dlzdatabase);
-	if (view->cachedb != NULL)
-		dns_db_detach(&view->cachedb);
-	if (view->cache != NULL)
-		dns_cache_detach(&view->cache);
-	if (view->matchclients != NULL)
-		dns_acl_detach(&view->matchclients);
-	if (view->matchdestinations != NULL)
-		dns_acl_detach(&view->matchdestinations);
-	if (view->cacheacl != NULL)
-		dns_acl_detach(&view->cacheacl);
-	if (view->cacheonacl != NULL)
-		dns_acl_detach(&view->cacheonacl);
-	if (view->queryacl != NULL)
-		dns_acl_detach(&view->queryacl);
-	if (view->queryonacl != NULL)
-		dns_acl_detach(&view->queryonacl);
-	if (view->recursionacl != NULL)
-		dns_acl_detach(&view->recursionacl);
-	if (view->recursiononacl != NULL)
-		dns_acl_detach(&view->recursiononacl);
-	if (view->sortlist != NULL)
-		dns_acl_detach(&view->sortlist);
-	if (view->transferacl != NULL)
-		dns_acl_detach(&view->transferacl);
-	if (view->notifyacl != NULL)
-		dns_acl_detach(&view->notifyacl);
-	if (view->updateacl != NULL)
-		dns_acl_detach(&view->updateacl);
-	if (view->upfwdacl != NULL)
-		dns_acl_detach(&view->upfwdacl);
-	if (view->denyansweracl != NULL)
-		dns_acl_detach(&view->denyansweracl);
-	if (view->v4_aaaa_acl != NULL)
-		dns_acl_detach(&view->v4_aaaa_acl);
-	if (view->answeracl_exclude != NULL)
-		dns_rbt_destroy(&view->answeracl_exclude);
-	if (view->denyanswernames != NULL)
-		dns_rbt_destroy(&view->denyanswernames);
-	if (view->answernames_exclude != NULL)
-		dns_rbt_destroy(&view->answernames_exclude);
-	if (view->delonly != NULL) {
-		dns_name_t *name;
-		int i;
-
-		for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
-			name = ISC_LIST_HEAD(view->delonly[i]);
-			while (name != NULL) {
-				ISC_LIST_UNLINK(view->delonly[i], name, link);
-				dns_name_free(name, view->mctx);
-				isc_mem_put(view->mctx, name, sizeof(*name));
-				name = ISC_LIST_HEAD(view->delonly[i]);
-			}
-		}
-		isc_mem_put(view->mctx, view->delonly, sizeof(dns_namelist_t) *
-			    DNS_VIEW_DELONLYHASH);
-		view->delonly = NULL;
-	}
-	if (view->rootexclude != NULL) {
-		dns_name_t *name;
-		int i;
-
-		for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
-			name = ISC_LIST_HEAD(view->rootexclude[i]);
-			while (name != NULL) {
-				ISC_LIST_UNLINK(view->rootexclude[i],
-						name, link);
-				dns_name_free(name, view->mctx);
-				isc_mem_put(view->mctx, name, sizeof(*name));
-				name = ISC_LIST_HEAD(view->rootexclude[i]);
-			}
-		}
-		isc_mem_put(view->mctx, view->rootexclude,
-			    sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
-		view->rootexclude = NULL;
-	}
-	if (view->resstats != NULL)
-		isc_stats_detach(&view->resstats);
-	if (view->resquerystats != NULL)
-		dns_stats_detach(&view->resquerystats);
-	if (view->secroots_priv != NULL)
-		dns_keytable_detach(&view->secroots_priv);
-#ifdef BIND9
-	for (dns64 = ISC_LIST_HEAD(view->dns64);
-	     dns64 != NULL;
-	     dns64 = ISC_LIST_HEAD(view->dns64)) {
-		dns_dns64_unlink(&view->dns64, dns64);
-		dns_dns64_destroy(&dns64);
-	}
-	if (view->managed_keys != NULL)
-		dns_zone_detach(&view->managed_keys);
-	if (view->redirect != NULL)
-		dns_zone_detach(&view->redirect);
-	dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
-#endif
-	dns_fwdtable_destroy(&view->fwdtable);
-	dns_aclenv_destroy(&view->aclenv);
-	DESTROYLOCK(&view->lock);
-	isc_refcount_destroy(&view->references);
-	isc_mem_free(view->mctx, view->name);
-	isc_mem_putanddetach(&view->mctx, view, sizeof(*view));
-}
-
-/*
- * Return true iff 'view' may be freed.
- * The caller must be holding the view lock.
- */
-static isc_boolean_t
-all_done(dns_view_t *view) {
-
-	if (isc_refcount_current(&view->references) == 0 &&
-	    view->weakrefs == 0 &&
-	    RESSHUTDOWN(view) && ADBSHUTDOWN(view) && REQSHUTDOWN(view))
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-void
-dns_view_attach(dns_view_t *source, dns_view_t **targetp) {
-
-	REQUIRE(DNS_VIEW_VALID(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	isc_refcount_increment(&source->references, NULL);
-
-	*targetp = source;
-}
-
-static void
-view_flushanddetach(dns_view_t **viewp, isc_boolean_t flush) {
-	dns_view_t *view;
-	unsigned int refs;
-	isc_boolean_t done = ISC_FALSE;
-
-	REQUIRE(viewp != NULL);
-	view = *viewp;
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (flush)
-		view->flush = ISC_TRUE;
-	isc_refcount_decrement(&view->references, &refs);
-	if (refs == 0) {
-#ifdef BIND9
-		dns_zone_t *mkzone = NULL, *rdzone = NULL;
-#endif
-
-		LOCK(&view->lock);
-		if (!RESSHUTDOWN(view))
-			dns_resolver_shutdown(view->resolver);
-		if (!ADBSHUTDOWN(view))
-			dns_adb_shutdown(view->adb);
-		if (!REQSHUTDOWN(view))
-			dns_requestmgr_shutdown(view->requestmgr);
-#ifdef BIND9
-		if (view->acache != NULL)
-			dns_acache_shutdown(view->acache);
-		if (view->flush)
-			dns_zt_flushanddetach(&view->zonetable);
-		else
-			dns_zt_detach(&view->zonetable);
-		if (view->managed_keys != NULL) {
-			mkzone = view->managed_keys;
-			view->managed_keys = NULL;
-			if (view->flush)
-				dns_zone_flush(mkzone);
-		}
-		if (view->redirect != NULL) {
-			rdzone = view->redirect;
-			view->redirect = NULL;
-			if (view->flush)
-				dns_zone_flush(rdzone);
-		}
-#endif
-		done = all_done(view);
-		UNLOCK(&view->lock);
-
-#ifdef BIND9
-		/* Need to detach zones outside view lock */
-		if (mkzone != NULL)
-			dns_zone_detach(&mkzone);
-
-		if (rdzone != NULL)
-			dns_zone_detach(&rdzone);
-#endif
-	}
-
-	*viewp = NULL;
-
-	if (done)
-		destroy(view);
-}
-
-void
-dns_view_flushanddetach(dns_view_t **viewp) {
-	view_flushanddetach(viewp, ISC_TRUE);
-}
-
-void
-dns_view_detach(dns_view_t **viewp) {
-	view_flushanddetach(viewp, ISC_FALSE);
-}
-
-#ifdef BIND9
-static isc_result_t
-dialup(dns_zone_t *zone, void *dummy) {
-	UNUSED(dummy);
-	dns_zone_dialup(zone);
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_view_dialup(dns_view_t *view) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	(void)dns_zt_apply(view->zonetable, ISC_FALSE, dialup, NULL);
-}
-#endif
-
-void
-dns_view_weakattach(dns_view_t *source, dns_view_t **targetp) {
-
-	REQUIRE(DNS_VIEW_VALID(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	LOCK(&source->lock);
-	source->weakrefs++;
-	UNLOCK(&source->lock);
-
-	*targetp = source;
-}
-
-void
-dns_view_weakdetach(dns_view_t **viewp) {
-	dns_view_t *view;
-	isc_boolean_t done = ISC_FALSE;
-
-	REQUIRE(viewp != NULL);
-	view = *viewp;
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	LOCK(&view->lock);
-
-	INSIST(view->weakrefs > 0);
-	view->weakrefs--;
-	done = all_done(view);
-
-	UNLOCK(&view->lock);
-
-	*viewp = NULL;
-
-	if (done)
-		destroy(view);
-}
-
-static void
-resolver_shutdown(isc_task_t *task, isc_event_t *event) {
-	dns_view_t *view = event->ev_arg;
-	isc_boolean_t done;
-
-	REQUIRE(event->ev_type == DNS_EVENT_VIEWRESSHUTDOWN);
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(view->task == task);
-
-	UNUSED(task);
-
-	LOCK(&view->lock);
-
-	view->attributes |= DNS_VIEWATTR_RESSHUTDOWN;
-	done = all_done(view);
-
-	UNLOCK(&view->lock);
-
-	isc_event_free(&event);
-
-	if (done)
-		destroy(view);
-}
-
-static void
-adb_shutdown(isc_task_t *task, isc_event_t *event) {
-	dns_view_t *view = event->ev_arg;
-	isc_boolean_t done;
-
-	REQUIRE(event->ev_type == DNS_EVENT_VIEWADBSHUTDOWN);
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(view->task == task);
-
-	UNUSED(task);
-
-	LOCK(&view->lock);
-
-	view->attributes |= DNS_VIEWATTR_ADBSHUTDOWN;
-	done = all_done(view);
-
-	UNLOCK(&view->lock);
-
-	isc_event_free(&event);
-
-	if (done)
-		destroy(view);
-}
-
-static void
-req_shutdown(isc_task_t *task, isc_event_t *event) {
-	dns_view_t *view = event->ev_arg;
-	isc_boolean_t done;
-
-	REQUIRE(event->ev_type == DNS_EVENT_VIEWREQSHUTDOWN);
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(view->task == task);
-
-	UNUSED(task);
-
-	LOCK(&view->lock);
-
-	view->attributes |= DNS_VIEWATTR_REQSHUTDOWN;
-	done = all_done(view);
-
-	UNLOCK(&view->lock);
-
-	isc_event_free(&event);
-
-	if (done)
-		destroy(view);
-}
-
-isc_result_t
-dns_view_createresolver(dns_view_t *view,
-			isc_taskmgr_t *taskmgr,
-			unsigned int ntasks, unsigned int ndisp,
-			isc_socketmgr_t *socketmgr,
-			isc_timermgr_t *timermgr,
-			unsigned int options,
-			dns_dispatchmgr_t *dispatchmgr,
-			dns_dispatch_t *dispatchv4,
-			dns_dispatch_t *dispatchv6)
-{
-	isc_result_t result;
-	isc_event_t *event;
-	isc_mem_t *mctx = NULL;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(!view->frozen);
-	REQUIRE(view->resolver == NULL);
-
-	result = isc_task_create(taskmgr, 0, &view->task);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_task_setname(view->task, "view", view);
-
-	result = dns_resolver_create(view, taskmgr, ntasks, ndisp, socketmgr,
-				     timermgr, options, dispatchmgr,
-				     dispatchv4, dispatchv6,
-				     &view->resolver);
-	if (result != ISC_R_SUCCESS) {
-		isc_task_detach(&view->task);
-		return (result);
-	}
-	event = &view->resevent;
-	dns_resolver_whenshutdown(view->resolver, view->task, &event);
-	view->attributes &= ~DNS_VIEWATTR_RESSHUTDOWN;
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS) {
-		dns_resolver_shutdown(view->resolver);
-		return (result);
-	}
-
-	result = dns_adb_create(mctx, view, timermgr, taskmgr, &view->adb);
-	isc_mem_setname(mctx, "ADB", NULL);
-	isc_mem_detach(&mctx);
-	if (result != ISC_R_SUCCESS) {
-		dns_resolver_shutdown(view->resolver);
-		return (result);
-	}
-	event = &view->adbevent;
-	dns_adb_whenshutdown(view->adb, view->task, &event);
-	view->attributes &= ~DNS_VIEWATTR_ADBSHUTDOWN;
-
-	result = dns_requestmgr_create(view->mctx, timermgr, socketmgr,
-				      dns_resolver_taskmgr(view->resolver),
-				      dns_resolver_dispatchmgr(view->resolver),
-				      dispatchv4, dispatchv6,
-				      &view->requestmgr);
-	if (result != ISC_R_SUCCESS) {
-		dns_adb_shutdown(view->adb);
-		dns_resolver_shutdown(view->resolver);
-		return (result);
-	}
-	event = &view->reqevent;
-	dns_requestmgr_whenshutdown(view->requestmgr, view->task, &event);
-	view->attributes &= ~DNS_VIEWATTR_REQSHUTDOWN;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_view_setcache(dns_view_t *view, dns_cache_t *cache) {
-	dns_view_setcache2(view, cache, ISC_FALSE);
-}
-
-void
-dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, isc_boolean_t shared) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(!view->frozen);
-
-	view->cacheshared = shared;
-	if (view->cache != NULL) {
-#ifdef BIND9
-		if (view->acache != NULL)
-			dns_acache_putdb(view->acache, view->cachedb);
-#endif
-		dns_db_detach(&view->cachedb);
-		dns_cache_detach(&view->cache);
-	}
-	dns_cache_attach(cache, &view->cache);
-	dns_cache_attachdb(cache, &view->cachedb);
-	INSIST(DNS_DB_VALID(view->cachedb));
-
-#ifdef BIND9
-	if (view->acache != NULL)
-		dns_acache_setdb(view->acache, view->cachedb);
-#endif
-}
-
-isc_boolean_t
-dns_view_iscacheshared(dns_view_t *view) {
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	return (view->cacheshared);
-}
-
-void
-dns_view_sethints(dns_view_t *view, dns_db_t *hints) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(!view->frozen);
-	REQUIRE(view->hints == NULL);
-	REQUIRE(dns_db_iszone(hints));
-
-	dns_db_attach(hints, &view->hints);
-}
-
-void
-dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(ring != NULL);
-	if (view->statickeys != NULL)
-		dns_tsigkeyring_detach(&view->statickeys);
-	dns_tsigkeyring_attach(ring, &view->statickeys);
-}
-
-void
-dns_view_setdynamickeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(ring != NULL);
-	if (view->dynamickeys != NULL)
-		dns_tsigkeyring_detach(&view->dynamickeys);
-	dns_tsigkeyring_attach(ring, &view->dynamickeys);
-}
-
-void
-dns_view_getdynamickeyring(dns_view_t *view, dns_tsig_keyring_t **ringp) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(ringp != NULL && *ringp == NULL);
-	if (view->dynamickeys != NULL)
-		dns_tsigkeyring_attach(view->dynamickeys, ringp);
-}
-
-void
-dns_view_restorekeyring(dns_view_t *view) {
-	FILE *fp;
-	char keyfile[20];
-	int n;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (view->dynamickeys != NULL) {
-		n = snprintf(keyfile, sizeof(keyfile), "%s.tsigkeys",
-			     view->name);
-		if (n > 0 && (size_t)n < sizeof(keyfile)) {
-			fp = fopen(keyfile, "r");
-			if (fp != NULL) {
-				dns_keyring_restore(view->dynamickeys, fp);
-				(void)fclose(fp);
-			}
-		}
-	}
-}
-
-void
-dns_view_setdstport(dns_view_t *view, in_port_t dstport) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	view->dstport = dstport;
-}
-
-void
-dns_view_freeze(dns_view_t *view) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(!view->frozen);
-
-	if (view->resolver != NULL) {
-		INSIST(view->cachedb != NULL);
-		dns_resolver_freeze(view->resolver);
-	}
-	view->frozen = ISC_TRUE;
-}
-
-#ifdef BIND9
-void
-dns_view_thaw(dns_view_t *view) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(view->frozen);
-
-	view->frozen = ISC_FALSE;
-}
-
-isc_result_t
-dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
-	isc_result_t result;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(!view->frozen);
-
-	result = dns_zt_mount(view->zonetable, zone);
-
-	return (result);
-}
-#endif
-
-#ifdef BIND9
-isc_result_t
-dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
-	isc_result_t result;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (view->zonetable != NULL) {
-		result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
-		if (result == DNS_R_PARTIALMATCH) {
-			dns_zone_detach(zonep);
-			result = ISC_R_NOTFOUND;
-		}
-	} else
-		result = ISC_R_NOTFOUND;
-
-	return (result);
-}
-#endif
-
-isc_result_t
-dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
-	      isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
-	      dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
-	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
-	return (dns_view_find2(view, name, type, now, options, use_hints,
-			       ISC_FALSE, dbp, nodep, foundname, rdataset,
-			       sigrdataset));
-}
-
-isc_result_t
-dns_view_find2(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
-	       isc_stdtime_t now, unsigned int options,
-	       isc_boolean_t use_hints, isc_boolean_t use_static_stub,
-	       dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
-	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	isc_result_t result;
-	dns_db_t *db, *zdb;
-	dns_dbnode_t *node, *znode;
-	isc_boolean_t is_cache, is_staticstub_zone;
-	dns_rdataset_t zrdataset, zsigrdataset;
-	dns_zone_t *zone;
-
-#ifndef BIND9
-	UNUSED(use_hints);
-	UNUSED(use_static_stub);
-	UNUSED(zone);
-#endif
-
-	/*
-	 * Find an rdataset whose owner name is 'name', and whose type is
-	 * 'type'.
-	 */
-
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(view->frozen);
-	REQUIRE(type != dns_rdatatype_rrsig);
-	REQUIRE(rdataset != NULL);  /* XXXBEW - remove this */
-	REQUIRE(nodep == NULL || *nodep == NULL);
-
-	/*
-	 * Initialize.
-	 */
-	dns_rdataset_init(&zrdataset);
-	dns_rdataset_init(&zsigrdataset);
-	zdb = NULL;
-	znode = NULL;
-
-	/*
-	 * Find a database to answer the query.
-	 */
-	db = NULL;
-	node = NULL;
-	is_staticstub_zone = ISC_FALSE;
-#ifdef BIND9
-	zone = NULL;
-	result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
-	if (zone != NULL && dns_zone_gettype(zone) == dns_zone_staticstub &&
-	    !use_static_stub) {
-		result = ISC_R_NOTFOUND;
-	}
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-		result = dns_zone_getdb(zone, &db);
-		if (result != ISC_R_SUCCESS && view->cachedb != NULL)
-			dns_db_attach(view->cachedb, &db);
-		else if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		if (dns_zone_gettype(zone) == dns_zone_staticstub &&
-		    dns_name_equal(name, dns_zone_getorigin(zone))) {
-			is_staticstub_zone = ISC_TRUE;
-		}
-	} else if (result == ISC_R_NOTFOUND && view->cachedb != NULL)
-		dns_db_attach(view->cachedb, &db);
-#else
-	result = ISC_R_NOTFOUND;
-	if (view->cachedb != NULL)
-		dns_db_attach(view->cachedb, &db);
-#endif /* BIND9 */
-	else
-		goto cleanup;
-
-	is_cache = dns_db_iscache(db);
-
- db_find:
-	/*
-	 * Now look for an answer in the database.
-	 */
-	result = dns_db_find(db, name, NULL, type, options,
-			     now, &node, foundname, rdataset, sigrdataset);
-
-	if (result == DNS_R_DELEGATION || result == ISC_R_NOTFOUND) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL &&
-		    dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-		if (node != NULL)
-			dns_db_detachnode(db, &node);
-		if (!is_cache) {
-			dns_db_detach(&db);
-			if (view->cachedb != NULL && !is_staticstub_zone) {
-				/*
-				 * Either the answer is in the cache, or we
-				 * don't know it.
-				 * Note that if the result comes from a
-				 * static-stub zone we stop the search here
-				 * (see the function description in view.h).
-				 */
-				is_cache = ISC_TRUE;
-				dns_db_attach(view->cachedb, &db);
-				goto db_find;
-			}
-		} else {
-			/*
-			 * We don't have the data in the cache.  If we've got
-			 * glue from the zone, use it.
-			 */
-			if (dns_rdataset_isassociated(&zrdataset)) {
-				dns_rdataset_clone(&zrdataset, rdataset);
-				if (sigrdataset != NULL &&
-				    dns_rdataset_isassociated(&zsigrdataset))
-					dns_rdataset_clone(&zsigrdataset,
-							   sigrdataset);
-				result = DNS_R_GLUE;
-				if (db != NULL)
-					dns_db_detach(&db);
-				dns_db_attach(zdb, &db);
-				dns_db_attachnode(db, znode, &node);
-				goto cleanup;
-			}
-		}
-		/*
-		 * We don't know the answer.
-		 */
-		result = ISC_R_NOTFOUND;
-	} else if (result == DNS_R_GLUE) {
-		if (view->cachedb != NULL && !is_staticstub_zone) {
-			/*
-			 * We found an answer, but the cache may be better.
-			 * Remember what we've got and go look in the cache.
-			 */
-			is_cache = ISC_TRUE;
-			dns_rdataset_clone(rdataset, &zrdataset);
-			dns_rdataset_disassociate(rdataset);
-			if (sigrdataset != NULL &&
-			    dns_rdataset_isassociated(sigrdataset)) {
-				dns_rdataset_clone(sigrdataset, &zsigrdataset);
-				dns_rdataset_disassociate(sigrdataset);
-			}
-			dns_db_attach(db, &zdb);
-			dns_db_attachnode(zdb, node, &znode);
-			dns_db_detachnode(db, &node);
-			dns_db_detach(&db);
-			dns_db_attach(view->cachedb, &db);
-			goto db_find;
-		}
-		/*
-		 * Otherwise, the glue is the best answer.
-		 */
-		result = ISC_R_SUCCESS;
-	}
-
-#ifdef BIND9
-	if (result == ISC_R_NOTFOUND && use_hints && view->hints != NULL) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL &&
-		    dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-		if (db != NULL) {
-			if (node != NULL)
-				dns_db_detachnode(db, &node);
-			dns_db_detach(&db);
-		}
-		result = dns_db_find(view->hints, name, NULL, type, options,
-				     now, &node, foundname,
-				     rdataset, sigrdataset);
-		if (result == ISC_R_SUCCESS || result == DNS_R_GLUE) {
-			/*
-			 * We just used a hint.  Let the resolver know it
-			 * should consider priming.
-			 */
-			dns_resolver_prime(view->resolver);
-			dns_db_attach(view->hints, &db);
-			result = DNS_R_HINT;
-		} else if (result == DNS_R_NXRRSET) {
-			dns_db_attach(view->hints, &db);
-			result = DNS_R_HINTNXRRSET;
-		} else if (result == DNS_R_NXDOMAIN)
-			result = ISC_R_NOTFOUND;
-
-		/*
-		 * Cleanup if non-standard hints are used.
-		 */
-		if (db == NULL && node != NULL)
-			dns_db_detachnode(view->hints, &node);
-	}
-#endif /* BIND9 */
-
- cleanup:
-	if (dns_rdataset_isassociated(&zrdataset)) {
-		dns_rdataset_disassociate(&zrdataset);
-		if (dns_rdataset_isassociated(&zsigrdataset))
-			dns_rdataset_disassociate(&zsigrdataset);
-	}
-
-	if (zdb != NULL) {
-		if (znode != NULL)
-			dns_db_detachnode(zdb, &znode);
-		dns_db_detach(&zdb);
-	}
-
-	if (db != NULL) {
-		if (node != NULL) {
-			if (nodep != NULL)
-				*nodep = node;
-			else
-				dns_db_detachnode(db, &node);
-		}
-		if (dbp != NULL)
-			*dbp = db;
-		else
-			dns_db_detach(&db);
-	} else
-		INSIST(node == NULL);
-
-#ifdef BIND9
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-#endif
-
-	return (result);
-}
-
-isc_result_t
-dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
-		    isc_stdtime_t now, unsigned int options,
-		    isc_boolean_t use_hints,
-		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	isc_result_t result;
-	dns_fixedname_t foundname;
-
-	dns_fixedname_init(&foundname);
-	result = dns_view_find(view, name, type, now, options, use_hints,
-			       NULL, NULL, dns_fixedname_name(&foundname),
-			       rdataset, sigrdataset);
-	if (result == DNS_R_NXDOMAIN) {
-		/*
-		 * The rdataset and sigrdataset of the relevant NSEC record
-		 * may be returned, but the caller cannot use them because
-		 * foundname is not returned by this simplified API.  We
-		 * disassociate them here to prevent any misuse by the caller.
-		 */
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL &&
-		    dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-	} else if (result != ISC_R_SUCCESS &&
-		   result != DNS_R_GLUE &&
-		   result != DNS_R_HINT &&
-		   result != DNS_R_NCACHENXDOMAIN &&
-		   result != DNS_R_NCACHENXRRSET &&
-		   result != DNS_R_NXRRSET &&
-		   result != DNS_R_HINTNXRRSET &&
-		   result != ISC_R_NOTFOUND) {
-		if (dns_rdataset_isassociated(rdataset))
-			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL &&
-		    dns_rdataset_isassociated(sigrdataset))
-			dns_rdataset_disassociate(sigrdataset);
-		result = ISC_R_NOTFOUND;
-	}
-
-	return (result);
-}
-
-isc_result_t
-dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
-		     isc_stdtime_t now, unsigned int options,
-		     isc_boolean_t use_hints,
-		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	return(dns_view_findzonecut2(view, name, fname, now, options,
-				     use_hints, ISC_TRUE,
-				     rdataset, sigrdataset));
-}
-
-isc_result_t
-dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
-		      isc_stdtime_t now, unsigned int options,
-		      isc_boolean_t use_hints,	isc_boolean_t use_cache,
-		      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-	isc_result_t result;
-	dns_db_t *db;
-	isc_boolean_t is_cache, use_zone, try_hints;
-	dns_zone_t *zone;
-	dns_name_t *zfname;
-	dns_rdataset_t zrdataset, zsigrdataset;
-	dns_fixedname_t zfixedname;
-
-#ifndef BIND9
-	UNUSED(zone);
-#endif
-
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(view->frozen);
-
-	db = NULL;
-	use_zone = ISC_FALSE;
-	try_hints = ISC_FALSE;
-	zfname = NULL;
-
-	/*
-	 * Initialize.
-	 */
-	dns_fixedname_init(&zfixedname);
-	dns_rdataset_init(&zrdataset);
-	dns_rdataset_init(&zsigrdataset);
-
-	/*
-	 * Find the right database.
-	 */
-#ifdef BIND9
-	zone = NULL;
-	result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-		result = dns_zone_getdb(zone, &db);
-#else
-	result = ISC_R_NOTFOUND;
-#endif
-	if (result == ISC_R_NOTFOUND) {
-		/*
-		 * We're not directly authoritative for this query name, nor
-		 * is it a subdomain of any zone for which we're
-		 * authoritative.
-		 */
-		if (use_cache && view->cachedb != NULL) {
-			/*
-			 * We have a cache; try it.
-			 */
-			dns_db_attach(view->cachedb, &db);
-		} else {
-			/*
-			 * Maybe we have hints...
-			 */
-			try_hints = ISC_TRUE;
-			goto finish;
-		}
-	} else if (result != ISC_R_SUCCESS) {
-		/*
-		 * Something is broken.
-		 */
-		goto cleanup;
-	}
-	is_cache = dns_db_iscache(db);
-
- db_find:
-	/*
-	 * Look for the zonecut.
-	 */
-	if (!is_cache) {
-		result = dns_db_find(db, name, NULL, dns_rdatatype_ns, options,
-				     now, NULL, fname, rdataset, sigrdataset);
-		if (result == DNS_R_DELEGATION)
-			result = ISC_R_SUCCESS;
-		else if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		if (use_cache && view->cachedb != NULL && db != view->hints) {
-			/*
-			 * We found an answer, but the cache may be better.
-			 */
-			zfname = dns_fixedname_name(&zfixedname);
-			result = dns_name_copy(fname, zfname, NULL);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			dns_rdataset_clone(rdataset, &zrdataset);
-			dns_rdataset_disassociate(rdataset);
-			if (sigrdataset != NULL &&
-			    dns_rdataset_isassociated(sigrdataset)) {
-				dns_rdataset_clone(sigrdataset, &zsigrdataset);
-				dns_rdataset_disassociate(sigrdataset);
-			}
-			dns_db_detach(&db);
-			dns_db_attach(view->cachedb, &db);
-			is_cache = ISC_TRUE;
-			goto db_find;
-		}
-	} else {
-		result = dns_db_findzonecut(db, name, options, now, NULL,
-					    fname, rdataset, sigrdataset);
-		if (result == ISC_R_SUCCESS) {
-			if (zfname != NULL &&
-			    (!dns_name_issubdomain(fname, zfname) ||
-			     (dns_zone_staticstub &&
-			      dns_name_equal(fname, zfname)))) {
-				/*
-				 * We found a zonecut in the cache, but our
-				 * zone delegation is better.
-				 */
-				use_zone = ISC_TRUE;
-			}
-		} else if (result == ISC_R_NOTFOUND) {
-			if (zfname != NULL) {
-				/*
-				 * We didn't find anything in the cache, but we
-				 * have a zone delegation, so use it.
-				 */
-				use_zone = ISC_TRUE;
-			} else {
-				/*
-				 * Maybe we have hints...
-				 */
-				try_hints = ISC_TRUE;
-			}
-		} else {
-			/*
-			 * Something bad happened.
-			 */
-			goto cleanup;
-		}
-	}
-
- finish:
-	if (use_zone) {
-		if (dns_rdataset_isassociated(rdataset)) {
-			dns_rdataset_disassociate(rdataset);
-			if (sigrdataset != NULL &&
-			    dns_rdataset_isassociated(sigrdataset))
-				dns_rdataset_disassociate(sigrdataset);
-		}
-		result = dns_name_copy(zfname, fname, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		dns_rdataset_clone(&zrdataset, rdataset);
-		if (sigrdataset != NULL &&
-		    dns_rdataset_isassociated(&zrdataset))
-			dns_rdataset_clone(&zsigrdataset, sigrdataset);
-	} else if (try_hints && use_hints && view->hints != NULL) {
-		/*
-		 * We've found nothing so far, but we have hints.
-		 */
-		result = dns_db_find(view->hints, dns_rootname, NULL,
-				     dns_rdatatype_ns, 0, now, NULL, fname,
-				     rdataset, NULL);
-		if (result != ISC_R_SUCCESS) {
-			/*
-			 * We can't even find the hints for the root
-			 * nameservers!
-			 */
-			if (dns_rdataset_isassociated(rdataset))
-				dns_rdataset_disassociate(rdataset);
-			result = ISC_R_NOTFOUND;
-		}
-	}
-
- cleanup:
-	if (dns_rdataset_isassociated(&zrdataset)) {
-		dns_rdataset_disassociate(&zrdataset);
-		if (dns_rdataset_isassociated(&zsigrdataset))
-			dns_rdataset_disassociate(&zsigrdataset);
-	}
-	if (db != NULL)
-		dns_db_detach(&db);
-#ifdef BIND9
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-#endif
-
-	return (result);
-}
-
-isc_result_t
-dns_viewlist_find(dns_viewlist_t *list, const char *name,
-		  dns_rdataclass_t rdclass, dns_view_t **viewp)
-{
-	dns_view_t *view;
-
-	REQUIRE(list != NULL);
-
-	for (view = ISC_LIST_HEAD(*list);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-		if (strcmp(view->name, name) == 0 && view->rdclass == rdclass)
-			break;
-	}
-	if (view == NULL)
-		return (ISC_R_NOTFOUND);
-
-	dns_view_attach(view, viewp);
-
-	return (ISC_R_SUCCESS);
-}
-
-#ifdef BIND9
-isc_result_t
-dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name,
-		      isc_boolean_t allclasses, dns_rdataclass_t rdclass,
-		      dns_zone_t **zonep)
-{
-	dns_view_t *view;
-	isc_result_t result;
-	dns_zone_t *zone1 = NULL, *zone2 = NULL;
-	dns_zone_t **zp = NULL;;
-
-	REQUIRE(list != NULL);
-	for (view = ISC_LIST_HEAD(*list);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link)) {
-		if (allclasses == ISC_FALSE && view->rdclass != rdclass)
-			continue;
-
-		/*
-		 * If the zone is defined in more than one view,
-		 * treat it as not found.
-		 */
-		zp = (zone1 == NULL) ? &zone1 : &zone2;
-		result = dns_zt_find(view->zonetable, name, 0, NULL, zp);
-		INSIST(result == ISC_R_SUCCESS ||
-		       result == ISC_R_NOTFOUND ||
-		       result == DNS_R_PARTIALMATCH);
-
-		/* Treat a partial match as no match */
-		if (result == DNS_R_PARTIALMATCH) {
-			dns_zone_detach(zp);
-			result = ISC_R_NOTFOUND;
-			POST(result);
-		}
-
-		if (zone2 != NULL) {
-			dns_zone_detach(&zone1);
-			dns_zone_detach(&zone2);
-			return (ISC_R_NOTFOUND);
-		}
-	}
-
-	if (zone1 != NULL) {
-		dns_zone_attach(zone1, zonep);
-		dns_zone_detach(&zone1);
-		return (ISC_R_SUCCESS);
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_view_load(dns_view_t *view, isc_boolean_t stop) {
-
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(view->zonetable != NULL);
-
-	return (dns_zt_load(view->zonetable, stop));
-}
-
-isc_result_t
-dns_view_loadnew(dns_view_t *view, isc_boolean_t stop) {
-
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(view->zonetable != NULL);
-
-	return (dns_zt_loadnew(view->zonetable, stop));
-}
-
-isc_result_t
-dns_view_asyncload(dns_view_t *view, dns_zt_allloaded_t callback, void *arg) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(view->zonetable != NULL);
-
-	return (dns_zt_asyncload(view->zonetable, callback, arg));
-}
-
-
-#endif /* BIND9 */
-
-isc_result_t
-dns_view_gettsig(dns_view_t *view, dns_name_t *keyname, dns_tsigkey_t **keyp)
-{
-	isc_result_t result;
-	REQUIRE(keyp != NULL && *keyp == NULL);
-
-	result = dns_tsigkey_find(keyp, keyname, NULL,
-				  view->statickeys);
-	if (result == ISC_R_NOTFOUND)
-		result = dns_tsigkey_find(keyp, keyname, NULL,
-					  view->dynamickeys);
-	return (result);
-}
-
-isc_result_t
-dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
-		     dns_tsigkey_t **keyp)
-{
-	isc_result_t result;
-	dns_name_t *keyname = NULL;
-	dns_peer_t *peer = NULL;
-
-	result = dns_peerlist_peerbyaddr(view->peers, peeraddr, &peer);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_peer_getkey(peer, &keyname);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = dns_view_gettsig(view, keyname, keyp);
-	return ((result == ISC_R_NOTFOUND) ? ISC_R_FAILURE : result);
-}
-
-isc_result_t
-dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(source != NULL);
-
-	return (dns_tsig_verify(source, msg, view->statickeys,
-				view->dynamickeys));
-}
-
-#ifdef BIND9
-isc_result_t
-dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
-	isc_result_t result;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	(void)fprintf(fp, ";\n; Cache dump of view '%s'\n;\n", view->name);
-	result = dns_master_dumptostream(view->mctx, view->cachedb, NULL,
-					 &dns_master_style_cache, fp);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_adb_dump(view->adb, fp);
-	dns_resolver_printbadcache(view->resolver, fp);
-	return (ISC_R_SUCCESS);
-}
-#endif
-
-isc_result_t
-dns_view_flushcache(dns_view_t *view) {
-	return (dns_view_flushcache2(view, ISC_FALSE));
-}
-
-isc_result_t
-dns_view_flushcache2(dns_view_t *view, isc_boolean_t fixuponly) {
-	isc_result_t result;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (view->cachedb == NULL)
-		return (ISC_R_SUCCESS);
-	if (!fixuponly) {
-		result = dns_cache_flush(view->cache);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-#ifdef BIND9
-	if (view->acache != NULL)
-		dns_acache_putdb(view->acache, view->cachedb);
-#endif
-	dns_db_detach(&view->cachedb);
-	dns_cache_attachdb(view->cache, &view->cachedb);
-#ifdef BIND9
-	if (view->acache != NULL)
-		dns_acache_setdb(view->acache, view->cachedb);
-	if (view->resolver != NULL)
-		dns_resolver_flushbadcache(view->resolver, NULL);
-#endif
-
-	dns_adb_flush(view->adb);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_view_flushname(dns_view_t *view, dns_name_t *name) {
-	return (dns_view_flushnode(view, name, ISC_FALSE));
-}
-
-isc_result_t
-dns_view_flushnode(dns_view_t *view, dns_name_t *name, isc_boolean_t tree) {
-
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (!tree) {
-		if (view->adb != NULL)
-			dns_adb_flushname(view->adb, name);
-		if (view->cache == NULL)
-			return (ISC_R_SUCCESS);
-		if (view->resolver != NULL)
-			dns_resolver_flushbadcache(view->resolver, name);
-	}
-	return (dns_cache_flushnode(view->cache, name, tree));
-}
-
-isc_result_t
-dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
-	isc_result_t result;
-	dns_name_t *new;
-	isc_uint32_t hash;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (view->delonly == NULL) {
-		view->delonly = isc_mem_get(view->mctx,
-					    sizeof(dns_namelist_t) *
-					    DNS_VIEW_DELONLYHASH);
-		if (view->delonly == NULL)
-			return (ISC_R_NOMEMORY);
-		for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++)
-			ISC_LIST_INIT(view->delonly[hash]);
-	}
-	hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
-	new = ISC_LIST_HEAD(view->delonly[hash]);
-	while (new != NULL && !dns_name_equal(new, name))
-		new = ISC_LIST_NEXT(new, link);
-	if (new != NULL)
-		return (ISC_R_SUCCESS);
-	new = isc_mem_get(view->mctx, sizeof(*new));
-	if (new == NULL)
-		return (ISC_R_NOMEMORY);
-	dns_name_init(new, NULL);
-	result = dns_name_dup(name, view->mctx, new);
-	if (result == ISC_R_SUCCESS)
-		ISC_LIST_APPEND(view->delonly[hash], new, link);
-	else
-		isc_mem_put(view->mctx, new, sizeof(*new));
-	return (result);
-}
-
-isc_result_t
-dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name) {
-	isc_result_t result;
-	dns_name_t *new;
-	isc_uint32_t hash;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (view->rootexclude == NULL) {
-		view->rootexclude = isc_mem_get(view->mctx,
-					    sizeof(dns_namelist_t) *
-					    DNS_VIEW_DELONLYHASH);
-		if (view->rootexclude == NULL)
-			return (ISC_R_NOMEMORY);
-		for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++)
-			ISC_LIST_INIT(view->rootexclude[hash]);
-	}
-	hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
-	new = ISC_LIST_HEAD(view->rootexclude[hash]);
-	while (new != NULL && !dns_name_equal(new, name))
-		new = ISC_LIST_NEXT(new, link);
-	if (new != NULL)
-		return (ISC_R_SUCCESS);
-	new = isc_mem_get(view->mctx, sizeof(*new));
-	if (new == NULL)
-		return (ISC_R_NOMEMORY);
-	dns_name_init(new, NULL);
-	result = dns_name_dup(name, view->mctx, new);
-	if (result == ISC_R_SUCCESS)
-		ISC_LIST_APPEND(view->rootexclude[hash], new, link);
-	else
-		isc_mem_put(view->mctx, new, sizeof(*new));
-	return (result);
-}
-
-isc_boolean_t
-dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {
-	dns_name_t *new;
-	isc_uint32_t hash;
-
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (!view->rootdelonly && view->delonly == NULL)
-		return (ISC_FALSE);
-
-	hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
-	if (view->rootdelonly && dns_name_countlabels(name) <= 2) {
-		if (view->rootexclude == NULL)
-			return (ISC_TRUE);
-		new = ISC_LIST_HEAD(view->rootexclude[hash]);
-		while (new != NULL && !dns_name_equal(new, name))
-			new = ISC_LIST_NEXT(new, link);
-		if (new == NULL)
-			return (ISC_TRUE);
-	}
-
-	if (view->delonly == NULL)
-		return (ISC_FALSE);
-
-	new = ISC_LIST_HEAD(view->delonly[hash]);
-	while (new != NULL && !dns_name_equal(new, name))
-		new = ISC_LIST_NEXT(new, link);
-	if (new == NULL)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-void
-dns_view_setrootdelonly(dns_view_t *view, isc_boolean_t value) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	view->rootdelonly = value;
-}
-
-isc_boolean_t
-dns_view_getrootdelonly(dns_view_t *view) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	return (view->rootdelonly);
-}
-
-#ifdef BIND9
-isc_result_t
-dns_view_freezezones(dns_view_t *view, isc_boolean_t value) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	return (dns_zt_freezezones(view->zonetable, value));
-}
-#endif
-
-void
-dns_view_setresstats(dns_view_t *view, isc_stats_t *stats) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(!view->frozen);
-	REQUIRE(view->resstats == NULL);
-
-	isc_stats_attach(stats, &view->resstats);
-}
-
-void
-dns_view_getresstats(dns_view_t *view, isc_stats_t **statsp) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	if (view->resstats != NULL)
-		isc_stats_attach(view->resstats, statsp);
-}
-
-void
-dns_view_setresquerystats(dns_view_t *view, dns_stats_t *stats) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(!view->frozen);
-	REQUIRE(view->resquerystats == NULL);
-
-	dns_stats_attach(stats, &view->resquerystats);
-}
-
-void
-dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	if (view->resquerystats != NULL)
-		dns_stats_attach(view->resquerystats, statsp);
-}
-
-isc_result_t
-dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	if (view->secroots_priv != NULL)
-		dns_keytable_detach(&view->secroots_priv);
-	return (dns_keytable_create(mctx, &view->secroots_priv));
-}
-
-isc_result_t
-dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(ktp != NULL && *ktp == NULL);
-	if (view->secroots_priv == NULL)
-		return (ISC_R_NOTFOUND);
-	dns_keytable_attach(view->secroots_priv, ktp);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
-			 isc_boolean_t *secure_domain) {
-	REQUIRE(DNS_VIEW_VALID(view));
-
-	if (view->secroots_priv == NULL)
-		return (ISC_R_NOTFOUND);
-	return (dns_keytable_issecuredomain(view->secroots_priv, name,
-					    secure_domain));
-}
-
-void
-dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
-		 dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	unsigned char data[4096];
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_buffer_t buffer;
-	dst_key_t *key = NULL;
-	dns_keytable_t *sr = NULL;
-
-	/*
-	 * Clear the revoke bit, if set, so that the key will match what's
-	 * in secroots now.
-	 */
-	dnskey->flags &= ~DNS_KEYFLAG_REVOKE;
-
-	/* Convert dnskey to DST key. */
-	isc_buffer_init(&buffer, data, sizeof(data));
-	dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
-			     dns_rdatatype_dnskey, dnskey, &buffer);
-	result = dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key);
-	if (result != ISC_R_SUCCESS)
-		return;
-	result = dns_view_getsecroots(view, &sr);
-	if (result == ISC_R_SUCCESS) {
-		dns_keytable_deletekeynode(sr, key);
-		dns_keytable_detach(&sr);
-	}
-	dst_key_free(&key);
-}
-
-#define NZF ".nzf"
-
-void
-dns_view_setnewzones(dns_view_t *view, isc_boolean_t allow, void *cfgctx,
-		     void (*cfg_destroy)(void **))
-{
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE((cfgctx != NULL && cfg_destroy != NULL) || !allow);
-
-#ifdef BIND9
-	if (view->new_zone_file != NULL) {
-		isc_mem_free(view->mctx, view->new_zone_file);
-		view->new_zone_file = NULL;
-	}
-
-	if (view->new_zone_config != NULL) {
-		view->cfg_destroy(&view->new_zone_config);
-		view->cfg_destroy = NULL;
-	}
-
-	if (allow) {
-		char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(NZF)];
-		isc_sha256_data((void *)view->name, strlen(view->name), buffer);
-		/* Truncate the hash at 16 chars; full length is overkill */
-		isc_string_printf(buffer + 16, sizeof(NZF), "%s", NZF);
-		view->new_zone_file = isc_mem_strdup(view->mctx, buffer);
-		view->new_zone_config = cfgctx;
-		view->cfg_destroy = cfg_destroy;
-	}
-#else
-	UNUSED(allow);
-	UNUSED(cfgctx);
-	UNUSED(cfg_destroy);
-#endif
-}
diff --git a/contrib/bind9/lib/dns/xfrin.c b/contrib/bind9/lib/dns/xfrin.c
deleted file mode 100644
index 813f616..0000000
--- a/contrib/bind9/lib/dns/xfrin.c
+++ /dev/null
@@ -1,1556 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/diff.h>
-#include <dns/events.h>
-#include <dns/journal.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-#include <dns/tcpmsg.h>
-#include <dns/timer.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-#include <dns/xfrin.h>
-#include <dns/zone.h>
-
-#include <dst/dst.h>
-
-/*
- * Incoming AXFR and IXFR.
- */
-
-/*%
- * It would be non-sensical (or at least obtuse) to use FAIL() with an
- * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAIL(code) \
-	do { result = (code);					\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-#define CHECK(op) \
-	do { result = (op);					\
-		if (result != ISC_R_SUCCESS) goto failure;	\
-	} while (0)
-
-/*%
- * The states of the *XFR state machine.  We handle both IXFR and AXFR
- * with a single integrated state machine because they cannot be distinguished
- * immediately - an AXFR response to an IXFR request can only be detected
- * when the first two (2) response RRs have already been received.
- */
-typedef enum {
-	XFRST_SOAQUERY,
-	XFRST_GOTSOA,
-	XFRST_INITIALSOA,
-	XFRST_FIRSTDATA,
-	XFRST_IXFR_DELSOA,
-	XFRST_IXFR_DEL,
-	XFRST_IXFR_ADDSOA,
-	XFRST_IXFR_ADD,
-	XFRST_IXFR_END,
-	XFRST_AXFR,
-	XFRST_AXFR_END
-} xfrin_state_t;
-
-/*%
- * Incoming zone transfer context.
- */
-
-struct dns_xfrin_ctx {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	dns_zone_t		*zone;
-
-	int			refcount;
-
-	isc_task_t 		*task;
-	isc_timer_t		*timer;
-	isc_socketmgr_t 	*socketmgr;
-
-	int			connects; 	/*%< Connect in progress */
-	int			sends;		/*%< Send in progress */
-	int			recvs;	  	/*%< Receive in progress */
-	isc_boolean_t		shuttingdown;
-
-	dns_name_t 		name; 		/*%< Name of zone to transfer */
-	dns_rdataclass_t 	rdclass;
-
-	isc_boolean_t		checkid;
-	dns_messageid_t		id;
-
-	/*%
-	 * Requested transfer type (dns_rdatatype_axfr or
-	 * dns_rdatatype_ixfr).  The actual transfer type
-	 * may differ due to IXFR->AXFR fallback.
-	 */
-	dns_rdatatype_t 	reqtype;
-
-	isc_sockaddr_t 		masteraddr;
-	isc_sockaddr_t		sourceaddr;
-	isc_socket_t 		*socket;
-
-	/*% Buffer for IXFR/AXFR request message */
-	isc_buffer_t 		qbuffer;
-	unsigned char 		qbuffer_data[512];
-
-	/*% Incoming reply TCP message */
-	dns_tcpmsg_t		tcpmsg;
-	isc_boolean_t		tcpmsg_valid;
-
-	dns_db_t 		*db;
-	dns_dbversion_t 	*ver;
-	dns_diff_t 		diff;		/*%< Pending database changes */
-	int 			difflen;	/*%< Number of pending tuples */
-
-	xfrin_state_t 		state;
-	isc_uint32_t 		end_serial;
-	isc_boolean_t 		is_ixfr;
-
-	unsigned int		nmsg;		/*%< Number of messages recvd */
-	unsigned int		nrecs;		/*%< Number of records recvd */
-	isc_uint64_t		nbytes;		/*%< Number of bytes received */
-
-	isc_time_t		start;		/*%< Start time of the transfer */
-	isc_time_t		end;		/*%< End time of the transfer */
-
-	dns_tsigkey_t		*tsigkey;	/*%< Key used to create TSIG */
-	isc_buffer_t		*lasttsig;	/*%< The last TSIG */
-	dst_context_t		*tsigctx;	/*%< TSIG verification context */
-	unsigned int		sincetsig;	/*%< recvd since the last TSIG */
-	dns_xfrindone_t		done;
-
-	/*%
-	 * AXFR- and IXFR-specific data.  Only one is used at a time
-	 * according to the is_ixfr flag, so this could be a union,
-	 * but keeping them separate makes it a bit simpler to clean
-	 * things up when destroying the context.
-	 */
-	struct {
-		dns_addrdatasetfunc_t add_func;
-		dns_dbload_t	      *add_private;
-	} axfr;
-
-	struct {
-		isc_uint32_t 	request_serial;
-		isc_uint32_t 	current_serial;
-		dns_journal_t	*journal;
-
-	} ixfr;
-};
-
-#define XFRIN_MAGIC		  ISC_MAGIC('X', 'f', 'r', 'I')
-#define VALID_XFRIN(x)		  ISC_MAGIC_VALID(x, XFRIN_MAGIC)
-
-/**************************************************************************/
-/*
- * Forward declarations.
- */
-
-static isc_result_t
-xfrin_create(isc_mem_t *mctx,
-	     dns_zone_t *zone,
-	     dns_db_t *db,
-	     isc_task_t *task,
-	     isc_timermgr_t *timermgr,
-	     isc_socketmgr_t *socketmgr,
-	     dns_name_t *zonename,
-	     dns_rdataclass_t rdclass,
-	     dns_rdatatype_t reqtype,
-	     isc_sockaddr_t *masteraddr,
-	     isc_sockaddr_t *sourceaddr,
-	     dns_tsigkey_t *tsigkey,
-	     dns_xfrin_ctx_t **xfrp);
-
-static isc_result_t axfr_init(dns_xfrin_ctx_t *xfr);
-static isc_result_t axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp);
-static isc_result_t axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
-				   dns_name_t *name, dns_ttl_t ttl,
-				   dns_rdata_t *rdata);
-static isc_result_t axfr_apply(dns_xfrin_ctx_t *xfr);
-static isc_result_t axfr_commit(dns_xfrin_ctx_t *xfr);
-static isc_result_t axfr_finalize(dns_xfrin_ctx_t *xfr);
-
-static isc_result_t ixfr_init(dns_xfrin_ctx_t *xfr);
-static isc_result_t ixfr_apply(dns_xfrin_ctx_t *xfr);
-static isc_result_t ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
-				 dns_name_t *name, dns_ttl_t ttl,
-				 dns_rdata_t *rdata);
-static isc_result_t ixfr_commit(dns_xfrin_ctx_t *xfr);
-
-static isc_result_t xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name,
-			   isc_uint32_t ttl, dns_rdata_t *rdata);
-
-static isc_result_t xfrin_start(dns_xfrin_ctx_t *xfr);
-
-static void xfrin_connect_done(isc_task_t *task, isc_event_t *event);
-static isc_result_t xfrin_send_request(dns_xfrin_ctx_t *xfr);
-static void xfrin_send_done(isc_task_t *task, isc_event_t *event);
-static void xfrin_sendlen_done(isc_task_t *task, isc_event_t *event);
-static void xfrin_recv_done(isc_task_t *task, isc_event_t *event);
-static void xfrin_timeout(isc_task_t *task, isc_event_t *event);
-
-static void maybe_free(dns_xfrin_ctx_t *xfr);
-
-static void
-xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg);
-static isc_result_t
-render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf);
-
-static void
-xfrin_logv(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
-	   const char *fmt, va_list ap)
-     ISC_FORMAT_PRINTF(4, 0);
-
-static void
-xfrin_log1(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
-	   const char *fmt, ...)
-     ISC_FORMAT_PRINTF(4, 5);
-
-static void
-xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(3, 4);
-
-/**************************************************************************/
-/*
- * AXFR handling
- */
-
-static isc_result_t
-axfr_init(dns_xfrin_ctx_t *xfr) {
-	isc_result_t result;
-
-	xfr->is_ixfr = ISC_FALSE;
-
-	if (xfr->db != NULL)
-		dns_db_detach(&xfr->db);
-
-	CHECK(axfr_makedb(xfr, &xfr->db));
-	CHECK(dns_db_beginload(xfr->db, &xfr->axfr.add_func,
-			       &xfr->axfr.add_private));
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-static isc_result_t
-axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) {
-	return (dns_db_create(xfr->mctx, /* XXX */
-			      "rbt", /* XXX guess */
-			      &xfr->name,
-			      dns_dbtype_zone,
-			      xfr->rdclass,
-			      0, NULL, /* XXX guess */
-			      dbp));
-}
-
-static isc_result_t
-axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
-	     dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
-{
-	isc_result_t result;
-
-	dns_difftuple_t *tuple = NULL;
-
-	CHECK(dns_zone_checknames(xfr->zone, name, rdata));
-	CHECK(dns_difftuple_create(xfr->diff.mctx, op,
-				   name, ttl, rdata, &tuple));
-	dns_diff_append(&xfr->diff, &tuple);
-	if (++xfr->difflen > 100)
-		CHECK(axfr_apply(xfr));
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-/*
- * Store a set of AXFR RRs in the database.
- */
-static isc_result_t
-axfr_apply(dns_xfrin_ctx_t *xfr) {
-	isc_result_t result;
-
-	CHECK(dns_diff_load(&xfr->diff,
-			    xfr->axfr.add_func, xfr->axfr.add_private));
-	xfr->difflen = 0;
-	dns_diff_clear(&xfr->diff);
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-static isc_result_t
-axfr_commit(dns_xfrin_ctx_t *xfr) {
-	isc_result_t result;
-
-	CHECK(axfr_apply(xfr));
-	CHECK(dns_db_endload(xfr->db, &xfr->axfr.add_private));
-
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-static isc_result_t
-axfr_finalize(dns_xfrin_ctx_t *xfr) {
-	isc_result_t result;
-
-	CHECK(dns_zone_replacedb(xfr->zone, xfr->db, ISC_TRUE));
-
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-/**************************************************************************/
-/*
- * IXFR handling
- */
-
-static isc_result_t
-ixfr_init(dns_xfrin_ctx_t *xfr) {
-	isc_result_t result;
-	char *journalfile;
-
-	if (xfr->reqtype != dns_rdatatype_ixfr) {
-		xfrin_log(xfr, ISC_LOG_ERROR,
-			  "got incremental response to AXFR request");
-		return (DNS_R_FORMERR);
-	}
-
-	xfr->is_ixfr = ISC_TRUE;
-	INSIST(xfr->db != NULL);
-	xfr->difflen = 0;
-
-	journalfile = dns_zone_getjournal(xfr->zone);
-	if (journalfile != NULL)
-		CHECK(dns_journal_open(xfr->mctx, journalfile,
-				       DNS_JOURNAL_CREATE, &xfr->ixfr.journal));
-
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-static isc_result_t
-ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
-	     dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
-{
-	isc_result_t result;
-
-	dns_difftuple_t *tuple = NULL;
-	if (op == DNS_DIFFOP_ADD)
-		CHECK(dns_zone_checknames(xfr->zone, name, rdata));
-	CHECK(dns_difftuple_create(xfr->diff.mctx, op,
-				   name, ttl, rdata, &tuple));
-	dns_diff_append(&xfr->diff, &tuple);
-	if (++xfr->difflen > 100)
-		CHECK(ixfr_apply(xfr));
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-/*
- * Apply a set of IXFR changes to the database.
- */
-static isc_result_t
-ixfr_apply(dns_xfrin_ctx_t *xfr) {
-	isc_result_t result;
-
-	if (xfr->ver == NULL) {
-		CHECK(dns_db_newversion(xfr->db, &xfr->ver));
-		if (xfr->ixfr.journal != NULL)
-			CHECK(dns_journal_begin_transaction(xfr->ixfr.journal));
-	}
-	CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver));
-	if (xfr->ixfr.journal != NULL) {
-		result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-	}
-	dns_diff_clear(&xfr->diff);
-	xfr->difflen = 0;
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-static isc_result_t
-ixfr_commit(dns_xfrin_ctx_t *xfr) {
-	isc_result_t result;
-
-	CHECK(ixfr_apply(xfr));
-	if (xfr->ver != NULL) {
-		/* XXX enter ready-to-commit state here */
-		if (xfr->ixfr.journal != NULL)
-			CHECK(dns_journal_commit(xfr->ixfr.journal));
-		dns_db_closeversion(xfr->db, &xfr->ver, ISC_TRUE);
-		dns_zone_markdirty(xfr->zone);
-	}
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-/**************************************************************************/
-/*
- * Common AXFR/IXFR protocol code
- */
-
-/*
- * Handle a single incoming resource record according to the current
- * state.
- */
-static isc_result_t
-xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
-       dns_rdata_t *rdata)
-{
-	isc_result_t result;
-
-	xfr->nrecs++;
-
-	if (rdata->type == dns_rdatatype_none ||
-	    dns_rdatatype_ismeta(rdata->type))
-		FAIL(DNS_R_FORMERR);
-
- redo:
-	switch (xfr->state) {
-	case XFRST_SOAQUERY:
-		if (rdata->type != dns_rdatatype_soa) {
-			xfrin_log(xfr, ISC_LOG_ERROR,
-				  "non-SOA response to SOA query");
-			FAIL(DNS_R_FORMERR);
-		}
-		xfr->end_serial = dns_soa_getserial(rdata);
-		if (!DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial) &&
-		    !dns_zone_isforced(xfr->zone)) {
-			xfrin_log(xfr, ISC_LOG_DEBUG(3),
-				  "requested serial %u, "
-				  "master has %u, not updating",
-				  xfr->ixfr.request_serial, xfr->end_serial);
-			FAIL(DNS_R_UPTODATE);
-		}
-		xfr->state = XFRST_GOTSOA;
-		break;
-
-	case XFRST_GOTSOA:
-		/*
-		 * Skip other records in the answer section.
-		 */
-		break;
-
-	case XFRST_INITIALSOA:
-		if (rdata->type != dns_rdatatype_soa) {
-			xfrin_log(xfr, ISC_LOG_ERROR,
-				  "first RR in zone transfer must be SOA");
-			FAIL(DNS_R_FORMERR);
-		}
-		/*
-		 * Remember the serial number in the initial SOA.
-		 * We need it to recognize the end of an IXFR.
-		 */
-		xfr->end_serial = dns_soa_getserial(rdata);
-		if (xfr->reqtype == dns_rdatatype_ixfr &&
-		    ! DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial)
-		    && !dns_zone_isforced(xfr->zone))
-		{
-			/*
-			 * This must be the single SOA record that is
-			 * sent when the current version on the master
-			 * is not newer than the version in the request.
-			 */
-			xfrin_log(xfr, ISC_LOG_DEBUG(3),
-				  "requested serial %u, "
-				  "master has %u, not updating",
-				  xfr->ixfr.request_serial, xfr->end_serial);
-			FAIL(DNS_R_UPTODATE);
-		}
-		if (xfr->reqtype == dns_rdatatype_axfr)
-			xfr->checkid = ISC_FALSE;
-		xfr->state = XFRST_FIRSTDATA;
-		break;
-
-	case XFRST_FIRSTDATA:
-		/*
-		 * If the transfer begins with one SOA record, it is an AXFR,
-		 * if it begins with two SOAs, it is an IXFR.
-		 */
-		if (xfr->reqtype == dns_rdatatype_ixfr &&
-		    rdata->type == dns_rdatatype_soa &&
-		    xfr->ixfr.request_serial == dns_soa_getserial(rdata)) {
-			xfrin_log(xfr, ISC_LOG_DEBUG(3),
-				  "got incremental response");
-			CHECK(ixfr_init(xfr));
-			xfr->state = XFRST_IXFR_DELSOA;
-		} else {
-			xfrin_log(xfr, ISC_LOG_DEBUG(3),
-				  "got nonincremental response");
-			CHECK(axfr_init(xfr));
-			xfr->state = XFRST_AXFR;
-		}
-		goto redo;
-
-	case XFRST_IXFR_DELSOA:
-		INSIST(rdata->type == dns_rdatatype_soa);
-		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
-		xfr->state = XFRST_IXFR_DEL;
-		break;
-
-	case XFRST_IXFR_DEL:
-		if (rdata->type == dns_rdatatype_soa) {
-			isc_uint32_t soa_serial = dns_soa_getserial(rdata);
-			xfr->state = XFRST_IXFR_ADDSOA;
-			xfr->ixfr.current_serial = soa_serial;
-			goto redo;
-		}
-		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
-		break;
-
-	case XFRST_IXFR_ADDSOA:
-		INSIST(rdata->type == dns_rdatatype_soa);
-		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
-		xfr->state = XFRST_IXFR_ADD;
-		break;
-
-	case XFRST_IXFR_ADD:
-		if (rdata->type == dns_rdatatype_soa) {
-			isc_uint32_t soa_serial = dns_soa_getserial(rdata);
-			if (soa_serial == xfr->end_serial) {
-				CHECK(ixfr_commit(xfr));
-				xfr->state = XFRST_IXFR_END;
-				break;
-			} else if (soa_serial != xfr->ixfr.current_serial) {
-				xfrin_log(xfr, ISC_LOG_ERROR,
-					  "IXFR out of sync: "
-					  "expected serial %u, got %u",
-					  xfr->ixfr.current_serial, soa_serial);
-				FAIL(DNS_R_FORMERR);
-			} else {
-				CHECK(ixfr_commit(xfr));
-				xfr->state = XFRST_IXFR_DELSOA;
-				goto redo;
-			}
-		}
-		if (rdata->type == dns_rdatatype_ns &&
-		    dns_name_iswildcard(name))
-			FAIL(DNS_R_INVALIDNS);
-		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
-		break;
-
-	case XFRST_AXFR:
-		/*
-		 * Old BINDs sent cross class A records for non IN classes.
-		 */
-		if (rdata->type == dns_rdatatype_a &&
-		    rdata->rdclass != xfr->rdclass &&
-		    xfr->rdclass != dns_rdataclass_in)
-			break;
-		CHECK(axfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
-		if (rdata->type == dns_rdatatype_soa) {
-			CHECK(axfr_commit(xfr));
-			xfr->state = XFRST_AXFR_END;
-			break;
-		}
-		break;
-	case XFRST_AXFR_END:
-	case XFRST_IXFR_END:
-		FAIL(DNS_R_EXTRADATA);
-		/* NOTREACHED */
-	default:
-		INSIST(0);
-		break;
-	}
-	result = ISC_R_SUCCESS;
- failure:
-	return (result);
-}
-
-isc_result_t
-dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
-		 isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
-		 isc_mem_t *mctx, isc_timermgr_t *timermgr,
-		 isc_socketmgr_t *socketmgr, isc_task_t *task,
-		 dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp)
-{
-	isc_sockaddr_t sourceaddr;
-
-	switch (isc_sockaddr_pf(masteraddr)) {
-	case PF_INET:
-		sourceaddr = *dns_zone_getxfrsource4(zone);
-		break;
-	case PF_INET6:
-		sourceaddr = *dns_zone_getxfrsource6(zone);
-		break;
-	default:
-		INSIST(0);
-	}
-
-	return(dns_xfrin_create2(zone, xfrtype, masteraddr, &sourceaddr,
-				 tsigkey, mctx, timermgr, socketmgr,
-				 task, done, xfrp));
-}
-
-isc_result_t
-dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
-		  isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
-		  dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
-		  isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
-		  isc_task_t *task, dns_xfrindone_t done,
-		  dns_xfrin_ctx_t **xfrp)
-{
-	dns_name_t *zonename = dns_zone_getorigin(zone);
-	dns_xfrin_ctx_t *xfr = NULL;
-	isc_result_t result;
-	dns_db_t *db = NULL;
-
-	REQUIRE(xfrp != NULL && *xfrp == NULL);
-
-	(void)dns_zone_getdb(zone, &db);
-
-	if (xfrtype == dns_rdatatype_soa || xfrtype == dns_rdatatype_ixfr)
-		REQUIRE(db != NULL);
-
-	CHECK(xfrin_create(mctx, zone, db, task, timermgr, socketmgr, zonename,
-			   dns_zone_getclass(zone), xfrtype, masteraddr,
-			   sourceaddr, tsigkey, &xfr));
-
-	CHECK(xfrin_start(xfr));
-
-	xfr->done = done;
-	xfr->refcount++;
-	*xfrp = xfr;
-
- failure:
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (result != ISC_R_SUCCESS) {
-		char zonetext[DNS_NAME_MAXTEXT+32];
-		dns_zone_name(zone, zonetext, sizeof(zonetext));
-		xfrin_log1(ISC_LOG_ERROR, zonetext, masteraddr,
-			   "zone transfer setup failed");
-	}
-	return (result);
-}
-
-void
-dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr) {
-	if (! xfr->shuttingdown)
-		xfrin_fail(xfr, ISC_R_CANCELED, "shut down");
-}
-
-void
-dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target) {
-	REQUIRE(target != NULL && *target == NULL);
-	source->refcount++;
-	*target = source;
-}
-
-void
-dns_xfrin_detach(dns_xfrin_ctx_t **xfrp) {
-	dns_xfrin_ctx_t *xfr = *xfrp;
-	INSIST(xfr->refcount > 0);
-	xfr->refcount--;
-	maybe_free(xfr);
-	*xfrp = NULL;
-}
-
-static void
-xfrin_cancelio(dns_xfrin_ctx_t *xfr) {
-	if (xfr->connects > 0) {
-		isc_socket_cancel(xfr->socket, xfr->task,
-				  ISC_SOCKCANCEL_CONNECT);
-	} else if (xfr->recvs > 0) {
-		dns_tcpmsg_cancelread(&xfr->tcpmsg);
-	} else if (xfr->sends > 0) {
-		isc_socket_cancel(xfr->socket, xfr->task,
-				  ISC_SOCKCANCEL_SEND);
-	}
-}
-
-static void
-xfrin_reset(dns_xfrin_ctx_t *xfr) {
-	REQUIRE(VALID_XFRIN(xfr));
-
-	xfrin_log(xfr, ISC_LOG_INFO, "resetting");
-
-	xfrin_cancelio(xfr);
-
-	if (xfr->socket != NULL)
-		isc_socket_detach(&xfr->socket);
-
-	if (xfr->lasttsig != NULL)
-		isc_buffer_free(&xfr->lasttsig);
-
-	dns_diff_clear(&xfr->diff);
-	xfr->difflen = 0;
-
-	if (xfr->ixfr.journal != NULL)
-		dns_journal_destroy(&xfr->ixfr.journal);
-
-	if (xfr->axfr.add_private != NULL) {
-		(void)dns_db_endload(xfr->db, &xfr->axfr.add_private);
-		xfr->axfr.add_func = NULL;
-	}
-
-	if (xfr->tcpmsg_valid) {
-		dns_tcpmsg_invalidate(&xfr->tcpmsg);
-		xfr->tcpmsg_valid = ISC_FALSE;
-	}
-
-	if (xfr->ver != NULL)
-		dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
-}
-
-
-static void
-xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
-	if (result != DNS_R_UPTODATE) {
-		xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s",
-			  msg, isc_result_totext(result));
-		if (xfr->is_ixfr)
-			/* Pass special result code to force AXFR retry */
-			result = DNS_R_BADIXFR;
-	}
-	xfrin_cancelio(xfr);
-	/*
-	 * Close the journal.
-	 */
-	if (xfr->ixfr.journal != NULL)
-		dns_journal_destroy(&xfr->ixfr.journal);
-	if (xfr->done != NULL) {
-		(xfr->done)(xfr->zone, result);
-		xfr->done = NULL;
-	}
-	xfr->shuttingdown = ISC_TRUE;
-	maybe_free(xfr);
-}
-
-static isc_result_t
-xfrin_create(isc_mem_t *mctx,
-	     dns_zone_t *zone,
-	     dns_db_t *db,
-	     isc_task_t *task,
-	     isc_timermgr_t *timermgr,
-	     isc_socketmgr_t *socketmgr,
-	     dns_name_t *zonename,
-	     dns_rdataclass_t rdclass,
-	     dns_rdatatype_t reqtype,
-	     isc_sockaddr_t *masteraddr,
-	     isc_sockaddr_t *sourceaddr,
-	     dns_tsigkey_t *tsigkey,
-	     dns_xfrin_ctx_t **xfrp)
-{
-	dns_xfrin_ctx_t *xfr = NULL;
-	isc_result_t result;
-	isc_uint32_t tmp;
-
-	xfr = isc_mem_get(mctx, sizeof(*xfr));
-	if (xfr == NULL)
-		return (ISC_R_NOMEMORY);
-	xfr->mctx = NULL;
-	isc_mem_attach(mctx, &xfr->mctx);
-	xfr->refcount = 0;
-	xfr->zone = NULL;
-	dns_zone_iattach(zone, &xfr->zone);
-	xfr->task = NULL;
-	isc_task_attach(task, &xfr->task);
-	xfr->timer = NULL;
-	xfr->socketmgr = socketmgr;
-	xfr->done = NULL;
-
-	xfr->connects = 0;
-	xfr->sends = 0;
-	xfr->recvs = 0;
-	xfr->shuttingdown = ISC_FALSE;
-
-	dns_name_init(&xfr->name, NULL);
-	xfr->rdclass = rdclass;
-	isc_random_get(&tmp);
-	xfr->checkid = ISC_TRUE;
-	xfr->id	= (isc_uint16_t)(tmp & 0xffff);
-	xfr->reqtype = reqtype;
-
-	/* sockaddr */
-	xfr->socket = NULL;
-	/* qbuffer */
-	/* qbuffer_data */
-	/* tcpmsg */
-	xfr->tcpmsg_valid = ISC_FALSE;
-
-	xfr->db = NULL;
-	if (db != NULL)
-		dns_db_attach(db, &xfr->db);
-	xfr->ver = NULL;
-	dns_diff_init(xfr->mctx, &xfr->diff);
-	xfr->difflen = 0;
-
-	if (reqtype == dns_rdatatype_soa)
-		xfr->state = XFRST_SOAQUERY;
-	else
-		xfr->state = XFRST_INITIALSOA;
-	/* end_serial */
-
-	xfr->nmsg = 0;
-	xfr->nrecs = 0;
-	xfr->nbytes = 0;
-	isc_time_now(&xfr->start);
-
-	xfr->tsigkey = NULL;
-	if (tsigkey != NULL)
-		dns_tsigkey_attach(tsigkey, &xfr->tsigkey);
-	xfr->lasttsig = NULL;
-	xfr->tsigctx = NULL;
-	xfr->sincetsig = 0;
-	xfr->is_ixfr = ISC_FALSE;
-
-	/* ixfr.request_serial */
-	/* ixfr.current_serial */
-	xfr->ixfr.journal = NULL;
-
-	xfr->axfr.add_func = NULL;
-	xfr->axfr.add_private = NULL;
-
-	CHECK(dns_name_dup(zonename, mctx, &xfr->name));
-
-	CHECK(isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
-			       task, xfrin_timeout, xfr, &xfr->timer));
-	CHECK(dns_timer_setidle(xfr->timer,
-				dns_zone_getmaxxfrin(xfr->zone),
-				dns_zone_getidlein(xfr->zone),
-				ISC_FALSE));
-
-	xfr->masteraddr = *masteraddr;
-
-	INSIST(isc_sockaddr_pf(masteraddr) == isc_sockaddr_pf(sourceaddr));
-	xfr->sourceaddr = *sourceaddr;
-	isc_sockaddr_setport(&xfr->sourceaddr, 0);
-
-	isc_buffer_init(&xfr->qbuffer, xfr->qbuffer_data,
-			sizeof(xfr->qbuffer_data));
-
-	xfr->magic = XFRIN_MAGIC;
-	*xfrp = xfr;
-	return (ISC_R_SUCCESS);
-
- failure:
-	if (xfr->timer != NULL)
-		isc_timer_detach(&xfr->timer);
-	if (dns_name_dynamic(&xfr->name))
-		dns_name_free(&xfr->name, xfr->mctx);
-	if (xfr->tsigkey != NULL)
-		dns_tsigkey_detach(&xfr->tsigkey);
-	if (xfr->db != NULL)
-		dns_db_detach(&xfr->db);
-	isc_task_detach(&xfr->task);
-	dns_zone_idetach(&xfr->zone);
-	isc_mem_putanddetach(&xfr->mctx, xfr, sizeof(*xfr));
-
-	return (result);
-}
-
-static isc_result_t
-xfrin_start(dns_xfrin_ctx_t *xfr) {
-	isc_result_t result;
-	CHECK(isc_socket_create(xfr->socketmgr,
-				isc_sockaddr_pf(&xfr->sourceaddr),
-				isc_sockettype_tcp,
-				&xfr->socket));
-	isc_socket_setname(xfr->socket, "xfrin", NULL);
-#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
-	CHECK(isc_socket_bind(xfr->socket, &xfr->sourceaddr,
-			      ISC_SOCKET_REUSEADDRESS));
-#endif
-	CHECK(isc_socket_connect(xfr->socket, &xfr->masteraddr, xfr->task,
-				 xfrin_connect_done, xfr));
-	xfr->connects++;
-	return (ISC_R_SUCCESS);
- failure:
-	xfrin_fail(xfr, result, "failed setting up socket");
-	return (result);
-}
-
-/* XXX the resolver could use this, too */
-
-static isc_result_t
-render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf) {
-	dns_compress_t cctx;
-	isc_boolean_t cleanup_cctx = ISC_FALSE;
-	isc_result_t result;
-
-	CHECK(dns_compress_init(&cctx, -1, mctx));
-	cleanup_cctx = ISC_TRUE;
-	CHECK(dns_message_renderbegin(msg, &cctx, buf));
-	CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
-	CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
-	CHECK(dns_message_rendersection(msg, DNS_SECTION_AUTHORITY, 0));
-	CHECK(dns_message_rendersection(msg, DNS_SECTION_ADDITIONAL, 0));
-	CHECK(dns_message_renderend(msg));
-	result = ISC_R_SUCCESS;
- failure:
-	if (cleanup_cctx)
-		dns_compress_invalidate(&cctx);
-	return (result);
-}
-
-/*
- * A connection has been established.
- */
-static void
-xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
-	isc_socket_connev_t *cev = (isc_socket_connev_t *) event;
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
-	isc_result_t result = cev->result;
-	char sourcetext[ISC_SOCKADDR_FORMATSIZE];
-	isc_sockaddr_t sockaddr;
-
-	REQUIRE(VALID_XFRIN(xfr));
-
-	UNUSED(task);
-
-	INSIST(event->ev_type == ISC_SOCKEVENT_CONNECT);
-	isc_event_free(&event);
-
-	xfr->connects--;
-	if (xfr->shuttingdown) {
-		maybe_free(xfr);
-		return;
-	}
-
-	if (result != ISC_R_SUCCESS) {
-		dns_zonemgr_t * zmgr = dns_zone_getmgr(xfr->zone);
-		isc_time_t now;
-
-		if (zmgr != NULL) {
-			TIME_NOW(&now);
-			dns_zonemgr_unreachableadd(zmgr, &xfr->masteraddr,
-						   &xfr->sourceaddr, &now);
-		}
-		goto failure;
-	}
-
-	result = isc_socket_getsockname(xfr->socket, &sockaddr);
-	if (result == ISC_R_SUCCESS) {
-		isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
-	} else
-		strcpy(sourcetext, "<UNKNOWN>");
-	xfrin_log(xfr, ISC_LOG_INFO, "connected using %s", sourcetext);
-
-	dns_tcpmsg_init(xfr->mctx, xfr->socket, &xfr->tcpmsg);
-	xfr->tcpmsg_valid = ISC_TRUE;
-
-	CHECK(xfrin_send_request(xfr));
- failure:
-	if (result != ISC_R_SUCCESS)
-		xfrin_fail(xfr, result, "failed to connect");
-}
-
-/*
- * Convert a tuple into a dns_name_t suitable for inserting
- * into the given dns_message_t.
- */
-static isc_result_t
-tuple2msgname(dns_difftuple_t *tuple, dns_message_t *msg, dns_name_t **target)
-{
-	isc_result_t result;
-	dns_rdata_t *rdata = NULL;
-	dns_rdatalist_t *rdl = NULL;
-	dns_rdataset_t *rds = NULL;
-	dns_name_t *name = NULL;
-
-	REQUIRE(target != NULL && *target == NULL);
-
-	CHECK(dns_message_gettemprdata(msg, &rdata));
-	dns_rdata_init(rdata);
-	dns_rdata_clone(&tuple->rdata, rdata);
-
-	CHECK(dns_message_gettemprdatalist(msg, &rdl));
-	dns_rdatalist_init(rdl);
-	rdl->type = tuple->rdata.type;
-	rdl->rdclass = tuple->rdata.rdclass;
-	rdl->ttl = tuple->ttl;
-	ISC_LIST_APPEND(rdl->rdata, rdata, link);
-
-	CHECK(dns_message_gettemprdataset(msg, &rds));
-	dns_rdataset_init(rds);
-	CHECK(dns_rdatalist_tordataset(rdl, rds));
-
-	CHECK(dns_message_gettempname(msg, &name));
-	dns_name_init(name, NULL);
-	dns_name_clone(&tuple->name, name);
-	ISC_LIST_APPEND(name->list, rds, link);
-
-	*target = name;
-	return (ISC_R_SUCCESS);
-
- failure:
-
-	if (rds != NULL) {
-		dns_rdataset_disassociate(rds);
-		dns_message_puttemprdataset(msg, &rds);
-	}
-	if (rdl != NULL) {
-		ISC_LIST_UNLINK(rdl->rdata, rdata, link);
-		dns_message_puttemprdatalist(msg, &rdl);
-	}
-	if (rdata != NULL)
-		dns_message_puttemprdata(msg, &rdata);
-
-	return (result);
-}
-
-
-/*
- * Build an *XFR request and send its length prefix.
- */
-static isc_result_t
-xfrin_send_request(dns_xfrin_ctx_t *xfr) {
-	isc_result_t result;
-	isc_region_t region;
-	isc_region_t lregion;
-	dns_rdataset_t *qrdataset = NULL;
-	dns_message_t *msg = NULL;
-	unsigned char length[2];
-	dns_difftuple_t *soatuple = NULL;
-	dns_name_t *qname = NULL;
-	dns_dbversion_t *ver = NULL;
-	dns_name_t *msgsoaname = NULL;
-
-	/* Create the request message */
-	CHECK(dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTRENDER, &msg));
-	CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
-
-	/* Create a name for the question section. */
-	CHECK(dns_message_gettempname(msg, &qname));
-	dns_name_init(qname, NULL);
-	dns_name_clone(&xfr->name, qname);
-
-	/* Formulate the question and attach it to the question name. */
-	CHECK(dns_message_gettemprdataset(msg, &qrdataset));
-	dns_rdataset_init(qrdataset);
-	dns_rdataset_makequestion(qrdataset, xfr->rdclass, xfr->reqtype);
-	ISC_LIST_APPEND(qname->list, qrdataset, link);
-	qrdataset = NULL;
-
-	dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
-	qname = NULL;
-
-	if (xfr->reqtype == dns_rdatatype_ixfr) {
-		/* Get the SOA and add it to the authority section. */
-		/* XXX is using the current version the right thing? */
-		dns_db_currentversion(xfr->db, &ver);
-		CHECK(dns_db_createsoatuple(xfr->db, ver, xfr->mctx,
-					    DNS_DIFFOP_EXISTS, &soatuple));
-		xfr->ixfr.request_serial = dns_soa_getserial(&soatuple->rdata);
-		xfr->ixfr.current_serial = xfr->ixfr.request_serial;
-		xfrin_log(xfr, ISC_LOG_DEBUG(3),
-			  "requesting IXFR for serial %u",
-			  xfr->ixfr.request_serial);
-
-		CHECK(tuple2msgname(soatuple, msg, &msgsoaname));
-		dns_message_addname(msg, msgsoaname, DNS_SECTION_AUTHORITY);
-	} else if (xfr->reqtype == dns_rdatatype_soa)
-		CHECK(dns_db_getsoaserial(xfr->db, NULL,
-					  &xfr->ixfr.request_serial));
-
-	xfr->checkid = ISC_TRUE;
-	xfr->id++;
-	xfr->nmsg = 0;
-	xfr->nrecs = 0;
-	xfr->nbytes = 0;
-	isc_time_now(&xfr->start);
-	msg->id = xfr->id;
-	if (xfr->tsigctx != NULL)
-		dst_context_destroy(&xfr->tsigctx);
-
-	CHECK(render(msg, xfr->mctx, &xfr->qbuffer));
-
-	/*
-	 * Free the last tsig, if there is one.
-	 */
-	if (xfr->lasttsig != NULL)
-		isc_buffer_free(&xfr->lasttsig);
-
-	/*
-	 * Save the query TSIG and don't let message_destroy free it.
-	 */
-	CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
-
-	isc_buffer_usedregion(&xfr->qbuffer, &region);
-	INSIST(region.length <= 65535);
-
-	length[0] = region.length >> 8;
-	length[1] = region.length & 0xFF;
-	lregion.base = length;
-	lregion.length = 2;
-	CHECK(isc_socket_send(xfr->socket, &lregion, xfr->task,
-			      xfrin_sendlen_done, xfr));
-	xfr->sends++;
-
- failure:
-	if (qname != NULL)
-		dns_message_puttempname(msg, &qname);
-	if (qrdataset != NULL)
-		dns_message_puttemprdataset(msg, &qrdataset);
-	if (msg != NULL)
-		dns_message_destroy(&msg);
-	if (soatuple != NULL)
-		dns_difftuple_free(&soatuple);
-	if (ver != NULL)
-		dns_db_closeversion(xfr->db, &ver, ISC_FALSE);
-	return (result);
-}
-
-/* XXX there should be library support for sending DNS TCP messages */
-
-static void
-xfrin_sendlen_done(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sev = (isc_socketevent_t *) event;
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
-	isc_result_t evresult = sev->result;
-	isc_result_t result;
-	isc_region_t region;
-
-	REQUIRE(VALID_XFRIN(xfr));
-
-	UNUSED(task);
-
-	INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-	isc_event_free(&event);
-
-	xfr->sends--;
-	if (xfr->shuttingdown) {
-		maybe_free(xfr);
-		return;
-	}
-
-	xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request length prefix");
-	CHECK(evresult);
-
-	isc_buffer_usedregion(&xfr->qbuffer, &region);
-	CHECK(isc_socket_send(xfr->socket, &region, xfr->task,
-			      xfrin_send_done, xfr));
-	xfr->sends++;
- failure:
-	if (result != ISC_R_SUCCESS)
-		xfrin_fail(xfr, result, "failed sending request length prefix");
-}
-
-
-static void
-xfrin_send_done(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sev = (isc_socketevent_t *) event;
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
-	isc_result_t result;
-
-	REQUIRE(VALID_XFRIN(xfr));
-
-	UNUSED(task);
-
-	INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-
-	xfr->sends--;
-	xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request data");
-	CHECK(sev->result);
-
-	CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
-				     xfrin_recv_done, xfr));
-	xfr->recvs++;
- failure:
-	isc_event_free(&event);
-	if (result != ISC_R_SUCCESS)
-		xfrin_fail(xfr, result, "failed sending request data");
-}
-
-
-static void
-xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) ev->ev_arg;
-	isc_result_t result;
-	dns_message_t *msg = NULL;
-	dns_name_t *name;
-	dns_tcpmsg_t *tcpmsg;
-	dns_name_t *tsigowner = NULL;
-
-	REQUIRE(VALID_XFRIN(xfr));
-
-	UNUSED(task);
-
-	INSIST(ev->ev_type == DNS_EVENT_TCPMSG);
-	tcpmsg = ev->ev_sender;
-	isc_event_free(&ev);
-
-	xfr->recvs--;
-	if (xfr->shuttingdown) {
-		maybe_free(xfr);
-		return;
-	}
-
-	CHECK(tcpmsg->result);
-
-	xfrin_log(xfr, ISC_LOG_DEBUG(7), "received %u bytes",
-		  tcpmsg->buffer.used);
-
-	CHECK(isc_timer_touch(xfr->timer));
-
-	CHECK(dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTPARSE, &msg));
-
-	CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
-	CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
-
-	msg->tsigctx = xfr->tsigctx;
-	xfr->tsigctx = NULL;
-
-	if (xfr->nmsg > 0)
-		msg->tcp_continuation = 1;
-
-	result = dns_message_parse(msg, &tcpmsg->buffer,
-				   DNS_MESSAGEPARSE_PRESERVEORDER);
-
-	if (result != ISC_R_SUCCESS || msg->rcode != dns_rcode_noerror ||
-	    (xfr->checkid && msg->id != xfr->id)) {
-		if (result == ISC_R_SUCCESS)
-			result = ISC_RESULTCLASS_DNSRCODE + msg->rcode; /*XXX*/
-		if (result == ISC_R_SUCCESS || result == DNS_R_NOERROR)
-			result = DNS_R_UNEXPECTEDID;
-		if (xfr->reqtype == dns_rdatatype_axfr ||
-		    xfr->reqtype == dns_rdatatype_soa)
-			goto failure;
-		xfrin_log(xfr, ISC_LOG_DEBUG(3), "got %s, retrying with AXFR",
-		       isc_result_totext(result));
- try_axfr:
-		dns_message_destroy(&msg);
-		xfrin_reset(xfr);
-		xfr->reqtype = dns_rdatatype_soa;
-		xfr->state = XFRST_SOAQUERY;
-		(void)xfrin_start(xfr);
-		return;
-	}
-
-	/*
-	 * Does the server know about IXFR?  If it doesn't we will get
-	 * a message with a empty answer section or a potentially a CNAME /
-	 * DNAME, the later is handled by xfr_rr() which will return FORMERR
-	 * if the first RR in the answer section is not a SOA record.
-	 */
-	if (xfr->reqtype == dns_rdatatype_ixfr &&
-	    xfr->state == XFRST_INITIALSOA &&
-	    msg->counts[DNS_SECTION_ANSWER] == 0) {
-		xfrin_log(xfr, ISC_LOG_DEBUG(3),
-			  "empty answer section, retrying with AXFR");
-		goto try_axfr;
-	}
-
-	if (xfr->reqtype == dns_rdatatype_soa &&
-	    (msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
-		FAIL(DNS_R_NOTAUTHORITATIVE);
-	}
-
-
-	result = dns_message_checksig(msg, dns_zone_getview(xfr->zone));
-	if (result != ISC_R_SUCCESS) {
-		xfrin_log(xfr, ISC_LOG_DEBUG(3), "TSIG check failed: %s",
-		       isc_result_totext(result));
-		goto failure;
-	}
-
-	for (result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(msg, DNS_SECTION_ANSWER))
-	{
-		dns_rdataset_t *rds;
-
-		name = NULL;
-		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
-		for (rds = ISC_LIST_HEAD(name->list);
-		     rds != NULL;
-		     rds = ISC_LIST_NEXT(rds, link))
-		{
-			for (result = dns_rdataset_first(rds);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rds))
-			{
-				dns_rdata_t rdata = DNS_RDATA_INIT;
-				dns_rdataset_current(rds, &rdata);
-				CHECK(xfr_rr(xfr, name, rds->ttl, &rdata));
-			}
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-
-	if (dns_message_gettsig(msg, &tsigowner) != NULL) {
-		/*
-		 * Reset the counter.
-		 */
-		xfr->sincetsig = 0;
-
-		/*
-		 * Free the last tsig, if there is one.
-		 */
-		if (xfr->lasttsig != NULL)
-			isc_buffer_free(&xfr->lasttsig);
-
-		/*
-		 * Update the last tsig pointer.
-		 */
-		CHECK(dns_message_getquerytsig(msg, xfr->mctx,
-					       &xfr->lasttsig));
-
-	} else if (dns_message_gettsigkey(msg) != NULL) {
-		xfr->sincetsig++;
-		if (xfr->sincetsig > 100 || xfr->nmsg == 0 ||
-		    xfr->state == XFRST_AXFR_END ||
-		    xfr->state == XFRST_IXFR_END)
-		{
-			result = DNS_R_EXPECTEDTSIG;
-			goto failure;
-		}
-	}
-
-	/*
-	 * Update the number of messages received.
-	 */
-	xfr->nmsg++;
-
-	/*
-	 * Update the number of bytes received.
-	 */
-	xfr->nbytes += tcpmsg->buffer.used;
-
-	/*
-	 * Take the context back.
-	 */
-	INSIST(xfr->tsigctx == NULL);
-	xfr->tsigctx = msg->tsigctx;
-	msg->tsigctx = NULL;
-
-	dns_message_destroy(&msg);
-
-	switch (xfr->state) {
-	case XFRST_GOTSOA:
-		xfr->reqtype = dns_rdatatype_axfr;
-		xfr->state = XFRST_INITIALSOA;
-		CHECK(xfrin_send_request(xfr));
-		break;
-	case XFRST_AXFR_END:
-		CHECK(axfr_finalize(xfr));
-		/* FALLTHROUGH */
-	case XFRST_IXFR_END:
-		/*
-		 * Close the journal.
-		 */
-		if (xfr->ixfr.journal != NULL)
-			dns_journal_destroy(&xfr->ixfr.journal);
-
-		/*
-		 * Inform the caller we succeeded.
-		 */
-		if (xfr->done != NULL) {
-			(xfr->done)(xfr->zone, ISC_R_SUCCESS);
-			xfr->done = NULL;
-		}
-		/*
-		 * We should have no outstanding events at this
-		 * point, thus maybe_free() should succeed.
-		 */
-		xfr->shuttingdown = ISC_TRUE;
-		maybe_free(xfr);
-		break;
-	default:
-		/*
-		 * Read the next message.
-		 */
-		CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
-					     xfrin_recv_done, xfr));
-		xfr->recvs++;
-	}
-	return;
-
- failure:
-	if (msg != NULL)
-		dns_message_destroy(&msg);
-	if (result != ISC_R_SUCCESS)
-		xfrin_fail(xfr, result, "failed while receiving responses");
-}
-
-static void
-xfrin_timeout(isc_task_t *task, isc_event_t *event) {
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
-
-	REQUIRE(VALID_XFRIN(xfr));
-
-	UNUSED(task);
-
-	isc_event_free(&event);
-	/*
-	 * This will log "giving up: timeout".
-	 */
-	xfrin_fail(xfr, ISC_R_TIMEDOUT, "giving up");
-}
-
-static void
-maybe_free(dns_xfrin_ctx_t *xfr) {
-	isc_uint64_t msecs;
-	isc_uint64_t persec;
-
-	REQUIRE(VALID_XFRIN(xfr));
-
-	if (! xfr->shuttingdown || xfr->refcount != 0 ||
-	    xfr->connects != 0 || xfr->sends != 0 ||
-	    xfr->recvs != 0)
-		return;
-
-	/*
-	 * Calculate the length of time the transfer took,
-	 * and print a log message with the bytes and rate.
-	 */
-	isc_time_now(&xfr->end);
-	msecs = isc_time_microdiff(&xfr->end, &xfr->start) / 1000;
-	if (msecs == 0)
-		msecs = 1;
-	persec = (xfr->nbytes * 1000) / msecs;
-	xfrin_log(xfr, ISC_LOG_INFO,
-		  "Transfer completed: %d messages, %d records, "
-		  "%" ISC_PRINT_QUADFORMAT "u bytes, "
-		  "%u.%03u secs (%u bytes/sec)",
-		  xfr->nmsg, xfr->nrecs, xfr->nbytes,
-		  (unsigned int) (msecs / 1000), (unsigned int) (msecs % 1000),
-		  (unsigned int) persec);
-
-	if (xfr->socket != NULL)
-		isc_socket_detach(&xfr->socket);
-
-	if (xfr->timer != NULL)
-		isc_timer_detach(&xfr->timer);
-
-	if (xfr->task != NULL)
-		isc_task_detach(&xfr->task);
-
-	if (xfr->tsigkey != NULL)
-		dns_tsigkey_detach(&xfr->tsigkey);
-
-	if (xfr->lasttsig != NULL)
-		isc_buffer_free(&xfr->lasttsig);
-
-	dns_diff_clear(&xfr->diff);
-
-	if (xfr->ixfr.journal != NULL)
-		dns_journal_destroy(&xfr->ixfr.journal);
-
-	if (xfr->axfr.add_private != NULL)
-		(void)dns_db_endload(xfr->db, &xfr->axfr.add_private);
-
-	if (xfr->tcpmsg_valid)
-		dns_tcpmsg_invalidate(&xfr->tcpmsg);
-
-	if (xfr->tsigctx != NULL)
-		dst_context_destroy(&xfr->tsigctx);
-
-	if ((xfr->name.attributes & DNS_NAMEATTR_DYNAMIC) != 0)
-		dns_name_free(&xfr->name, xfr->mctx);
-
-	if (xfr->ver != NULL)
-		dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
-
-	if (xfr->db != NULL)
-		dns_db_detach(&xfr->db);
-
-	if (xfr->zone != NULL)
-		dns_zone_idetach(&xfr->zone);
-
-	isc_mem_putanddetach(&xfr->mctx, xfr, sizeof(*xfr));
-}
-
-/*
- * Log incoming zone transfer messages in a format like
- * transfer of <zone> from <address>: <message>
- */
-static void
-xfrin_logv(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
-	   const char *fmt, va_list ap)
-{
-	char mastertext[ISC_SOCKADDR_FORMATSIZE];
-	char msgtext[2048];
-
-	isc_sockaddr_format(masteraddr, mastertext, sizeof(mastertext));
-	vsnprintf(msgtext, sizeof(msgtext), fmt, ap);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_XFER_IN,
-		      DNS_LOGMODULE_XFER_IN, level,
-		      "transfer of '%s' from %s: %s",
-		      zonetext, mastertext, msgtext);
-}
-
-/*
- * Logging function for use when a xfrin_ctx_t has not yet been created.
- */
-
-static void
-xfrin_log1(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
-	   const char *fmt, ...)
-{
-	va_list ap;
-
-	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
-		return;
-
-	va_start(ap, fmt);
-	xfrin_logv(level, zonetext, masteraddr, fmt, ap);
-	va_end(ap);
-}
-
-/*
- * Logging function for use when there is a xfrin_ctx_t.
- */
-
-static void
-xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
-{
-	va_list ap;
-	char zonetext[DNS_NAME_MAXTEXT+32];
-
-	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
-		return;
-
-	dns_zone_name(xfr->zone, zonetext, sizeof(zonetext));
-
-	va_start(ap, fmt);
-	xfrin_logv(level, zonetext, &xfr->masteraddr, fmt, ap);
-	va_end(ap);
-}
diff --git a/contrib/bind9/lib/dns/zone.c b/contrib/bind9/lib/dns/zone.c
deleted file mode 100644
index 10ba807..0000000
--- a/contrib/bind9/lib/dns/zone.c
+++ /dev/null
@@ -1,16753 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-#include <errno.h>
-
-#include <isc/file.h>
-#include <isc/hex.h>
-#include <isc/mutex.h>
-#include <isc/pool.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/ratelimiter.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/serial.h>
-#include <isc/stats.h>
-#include <isc/stdtime.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/taskpool.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/acache.h>
-#include <dns/acl.h>
-#include <dns/adb.h>
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/journal.h>
-#include <dns/keydata.h>
-#include <dns/keytable.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/nsec.h>
-#include <dns/nsec3.h>
-#include <dns/peer.h>
-#include <dns/private.h>
-#include <dns/rbt.h>
-#include <dns/rcode.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/request.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/rriterator.h>
-#include <dns/soa.h>
-#include <dns/ssu.h>
-#include <dns/stats.h>
-#include <dns/time.h>
-#include <dns/tsig.h>
-#include <dns/update.h>
-#include <dns/xfrin.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <dst/dst.h>
-
-#define ZONE_MAGIC			ISC_MAGIC('Z', 'O', 'N', 'E')
-#define DNS_ZONE_VALID(zone)		ISC_MAGIC_VALID(zone, ZONE_MAGIC)
-
-#define NOTIFY_MAGIC			ISC_MAGIC('N', 't', 'f', 'y')
-#define DNS_NOTIFY_VALID(notify)	ISC_MAGIC_VALID(notify, NOTIFY_MAGIC)
-
-#define STUB_MAGIC			ISC_MAGIC('S', 't', 'u', 'b')
-#define DNS_STUB_VALID(stub)		ISC_MAGIC_VALID(stub, STUB_MAGIC)
-
-#define ZONEMGR_MAGIC			ISC_MAGIC('Z', 'm', 'g', 'r')
-#define DNS_ZONEMGR_VALID(stub)		ISC_MAGIC_VALID(stub, ZONEMGR_MAGIC)
-
-#define LOAD_MAGIC			ISC_MAGIC('L', 'o', 'a', 'd')
-#define DNS_LOAD_VALID(load)		ISC_MAGIC_VALID(load, LOAD_MAGIC)
-
-#define FORWARD_MAGIC			ISC_MAGIC('F', 'o', 'r', 'w')
-#define DNS_FORWARD_VALID(load)		ISC_MAGIC_VALID(load, FORWARD_MAGIC)
-
-#define IO_MAGIC			ISC_MAGIC('Z', 'm', 'I', 'O')
-#define DNS_IO_VALID(load)		ISC_MAGIC_VALID(load, IO_MAGIC)
-
-/*%
- * Ensure 'a' is at least 'min' but not more than 'max'.
- */
-#define RANGE(a, min, max) \
-		(((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max)))
-
-#define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
-
-/*%
- * Key flags
- */
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
-#define ALG(x) dst_key_alg(x)
-
-/*
- * Default values.
- */
-#define DNS_DEFAULT_IDLEIN 3600		/*%< 1 hour */
-#define DNS_DEFAULT_IDLEOUT 3600	/*%< 1 hour */
-#define MAX_XFER_TIME (2*3600)		/*%< Documented default is 2 hours */
-#define RESIGN_DELAY 3600		/*%< 1 hour */
-
-#ifndef DNS_MAX_EXPIRE
-#define DNS_MAX_EXPIRE	14515200	/*%< 24 weeks */
-#endif
-
-#ifndef DNS_DUMP_DELAY
-#define DNS_DUMP_DELAY 900		/*%< 15 minutes */
-#endif
-
-typedef struct dns_notify dns_notify_t;
-typedef struct dns_stub dns_stub_t;
-typedef struct dns_load dns_load_t;
-typedef struct dns_forward dns_forward_t;
-typedef ISC_LIST(dns_forward_t) dns_forwardlist_t;
-typedef struct dns_io dns_io_t;
-typedef ISC_LIST(dns_io_t) dns_iolist_t;
-typedef struct dns_signing dns_signing_t;
-typedef ISC_LIST(dns_signing_t) dns_signinglist_t;
-typedef struct dns_nsec3chain dns_nsec3chain_t;
-typedef ISC_LIST(dns_nsec3chain_t) dns_nsec3chainlist_t;
-typedef struct dns_keyfetch dns_keyfetch_t;
-typedef struct dns_asyncload dns_asyncload_t;
-
-#define DNS_ZONE_CHECKLOCK
-#ifdef DNS_ZONE_CHECKLOCK
-#define LOCK_ZONE(z) \
-	 do { LOCK(&(z)->lock); \
-	      INSIST((z)->locked == ISC_FALSE); \
-	     (z)->locked = ISC_TRUE; \
-		} while (0)
-#define UNLOCK_ZONE(z) \
-	do { (z)->locked = ISC_FALSE; UNLOCK(&(z)->lock); } while (0)
-#define LOCKED_ZONE(z) ((z)->locked)
-#else
-#define LOCK_ZONE(z) LOCK(&(z)->lock)
-#define UNLOCK_ZONE(z) UNLOCK(&(z)->lock)
-#define LOCKED_ZONE(z) ISC_TRUE
-#endif
-
-#ifdef ISC_RWLOCK_USEATOMIC
-#define ZONEDB_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
-#define ZONEDB_DESTROYLOCK(l)	isc_rwlock_destroy(l)
-#define ZONEDB_LOCK(l, t)	RWLOCK((l), (t))
-#define ZONEDB_UNLOCK(l, t)	RWUNLOCK((l), (t))
-#else
-#define ZONEDB_INITLOCK(l)	isc_mutex_init(l)
-#define ZONEDB_DESTROYLOCK(l)	DESTROYLOCK(l)
-#define ZONEDB_LOCK(l, t)	LOCK(l)
-#define ZONEDB_UNLOCK(l, t)	UNLOCK(l)
-#endif
-
-struct dns_zone {
-	/* Unlocked */
-	unsigned int		magic;
-	isc_mutex_t		lock;
-#ifdef DNS_ZONE_CHECKLOCK
-	isc_boolean_t		locked;
-#endif
-	isc_mem_t		*mctx;
-	isc_refcount_t		erefs;
-
-#ifdef ISC_RWLOCK_USEATOMIC
-	isc_rwlock_t		dblock;
-#else
-	isc_mutex_t		dblock;
-#endif
-	dns_db_t		*db;		/* Locked by dblock */
-
-	/* Locked */
-	dns_zonemgr_t		*zmgr;
-	ISC_LINK(dns_zone_t)	link;		/* Used by zmgr. */
-	isc_timer_t		*timer;
-	unsigned int		irefs;
-	dns_name_t		origin;
-	char			*masterfile;
-	dns_masterformat_t	masterformat;
-	char			*journal;
-	isc_int32_t		journalsize;
-	dns_rdataclass_t	rdclass;
-	dns_zonetype_t		type;
-	unsigned int		flags;
-	unsigned int		options;
-	unsigned int		db_argc;
-	char			**db_argv;
-	isc_time_t		expiretime;
-	isc_time_t		refreshtime;
-	isc_time_t		dumptime;
-	isc_time_t		loadtime;
-	isc_time_t		notifytime;
-	isc_time_t		resigntime;
-	isc_time_t		keywarntime;
-	isc_time_t		signingtime;
-	isc_time_t		nsec3chaintime;
-	isc_time_t		refreshkeytime;
-	isc_uint32_t		refreshkeyinterval;
-	isc_uint32_t		refreshkeycount;
-	isc_uint32_t		refresh;
-	isc_uint32_t		retry;
-	isc_uint32_t		expire;
-	isc_uint32_t		minimum;
-	isc_stdtime_t		key_expiry;
-	isc_stdtime_t		log_key_expired_timer;
-	char			*keydirectory;
-
-	isc_uint32_t		maxrefresh;
-	isc_uint32_t		minrefresh;
-	isc_uint32_t		maxretry;
-	isc_uint32_t		minretry;
-
-	isc_sockaddr_t		*masters;
-	dns_name_t		**masterkeynames;
-	isc_boolean_t		*mastersok;
-	unsigned int		masterscnt;
-	unsigned int		curmaster;
-	isc_sockaddr_t		masteraddr;
-	dns_notifytype_t	notifytype;
-	isc_sockaddr_t		*notify;
-	dns_name_t		**notifykeynames;
-	unsigned int		notifycnt;
-	isc_sockaddr_t		notifyfrom;
-	isc_task_t		*task;
-	isc_task_t		*loadtask;
-	isc_sockaddr_t		notifysrc4;
-	isc_sockaddr_t		notifysrc6;
-	isc_sockaddr_t		xfrsource4;
-	isc_sockaddr_t		xfrsource6;
-	isc_sockaddr_t		altxfrsource4;
-	isc_sockaddr_t		altxfrsource6;
-	isc_sockaddr_t		sourceaddr;
-	dns_xfrin_ctx_t		*xfr;		/* task locked */
-	dns_tsigkey_t		*tsigkey;	/* key used for xfr */
-	/* Access Control Lists */
-	dns_acl_t		*update_acl;
-	dns_acl_t		*forward_acl;
-	dns_acl_t		*notify_acl;
-	dns_acl_t		*query_acl;
-	dns_acl_t		*queryon_acl;
-	dns_acl_t		*xfr_acl;
-	isc_boolean_t		update_disabled;
-	isc_boolean_t		zero_no_soa_ttl;
-	dns_severity_t		check_names;
-	ISC_LIST(dns_notify_t)	notifies;
-	dns_request_t		*request;
-	dns_loadctx_t		*lctx;
-	dns_io_t		*readio;
-	dns_dumpctx_t		*dctx;
-	dns_io_t		*writeio;
-	isc_uint32_t		maxxfrin;
-	isc_uint32_t		maxxfrout;
-	isc_uint32_t		idlein;
-	isc_uint32_t		idleout;
-	isc_event_t		ctlevent;
-	dns_ssutable_t		*ssutable;
-	isc_uint32_t		sigvalidityinterval;
-	isc_uint32_t		sigresigninginterval;
-	dns_view_t		*view;
-	dns_acache_t		*acache;
-	dns_checkmxfunc_t	checkmx;
-	dns_checksrvfunc_t	checksrv;
-	dns_checknsfunc_t	checkns;
-	/*%
-	 * Zones in certain states such as "waiting for zone transfer"
-	 * or "zone transfer in progress" are kept on per-state linked lists
-	 * in the zone manager using the 'statelink' field.  The 'statelist'
-	 * field points at the list the zone is currently on.  It the zone
-	 * is not on any such list, statelist is NULL.
-	 */
-	ISC_LINK(dns_zone_t)	statelink;
-	dns_zonelist_t		*statelist;
-	/*%
-	 * Statistics counters about zone management.
-	 */
-	isc_stats_t		*stats;
-	/*%
-	 * Optional per-zone statistics counters.  Counted outside of this
-	 * module.
-	 */
-	dns_zonestat_level_t	statlevel;
-	isc_boolean_t		requeststats_on;
-	isc_stats_t		*requeststats;
-	dns_stats_t		*rcvquerystats;
-	isc_uint32_t		notifydelay;
-	dns_isselffunc_t	isself;
-	void			*isselfarg;
-
-	char *			strnamerd;
-	char *			strname;
-	char *			strrdclass;
-	char *			strviewname;
-
-	/*%
-	 * Serial number for deferred journal compaction.
-	 */
-	isc_uint32_t		compact_serial;
-	/*%
-	 * Keys that are signing the zone for the first time.
-	 */
-	dns_signinglist_t	signing;
-	dns_nsec3chainlist_t	nsec3chain;
-	/*%
-	 * Signing / re-signing quantum stopping parameters.
-	 */
-	isc_uint32_t		signatures;
-	isc_uint32_t		nodes;
-	dns_rdatatype_t		privatetype;
-
-	/*%
-	 * Autosigning/key-maintenance options
-	 */
-	isc_uint32_t		keyopts;
-
-	/*%
-	 * True if added by "rndc addzone"
-	 */
-	isc_boolean_t           added;
-
-	/*%
-	 * whether this is a response policy zone
-	 */
-	isc_boolean_t           is_rpz;
-
-	/*%
-	 * Serial number update method.
-	 */
-	dns_updatemethod_t	updatemethod;
-
-	/*%
-	 * whether ixfr is requested
-	 */
-	isc_boolean_t		requestixfr;
-
-	/*%
-	 * Outstanding forwarded UPDATE requests.
-	 */
-	dns_forwardlist_t	forwards;
-
-	dns_zone_t		*raw;
-	dns_zone_t		*secure;
-
-	isc_boolean_t		sourceserialset;
-	isc_uint32_t		sourceserial;
-};
-
-typedef struct {
-	dns_diff_t	*diff;
-	isc_boolean_t	offline;
-} zonediff_t;
-
-#define zonediff_init(z, d) \
-	do { \
-		zonediff_t *_z = (z); \
-		(_z)->diff = (d); \
-		(_z)->offline = ISC_FALSE; \
-	} while (0)
-
-#define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
-#define DNS_ZONE_SETFLAG(z,f) do { \
-		INSIST(LOCKED_ZONE(z)); \
-		(z)->flags |= (f); \
-		} while (0)
-#define DNS_ZONE_CLRFLAG(z,f) do { \
-		INSIST(LOCKED_ZONE(z)); \
-		(z)->flags &= ~(f); \
-		} while (0)
-	/* XXX MPA these may need to go back into zone.h */
-#define DNS_ZONEFLG_REFRESH	0x00000001U	/*%< refresh check in progress */
-#define DNS_ZONEFLG_NEEDDUMP	0x00000002U	/*%< zone need consolidation */
-#define DNS_ZONEFLG_USEVC	0x00000004U	/*%< use tcp for refresh query */
-#define DNS_ZONEFLG_DUMPING	0x00000008U	/*%< a dump is in progress */
-#define DNS_ZONEFLG_HASINCLUDE	0x00000010U	/*%< $INCLUDE in zone file */
-#define DNS_ZONEFLG_LOADED	0x00000020U	/*%< database has loaded */
-#define DNS_ZONEFLG_EXITING	0x00000040U	/*%< zone is being destroyed */
-#define DNS_ZONEFLG_EXPIRED	0x00000080U	/*%< zone has expired */
-#define DNS_ZONEFLG_NEEDREFRESH	0x00000100U	/*%< refresh check needed */
-#define DNS_ZONEFLG_UPTODATE	0x00000200U	/*%< zone contents are
-						 * uptodate */
-#define DNS_ZONEFLG_NEEDNOTIFY	0x00000400U	/*%< need to send out notify
-						 * messages */
-#define DNS_ZONEFLG_DIFFONRELOAD 0x00000800U	/*%< generate a journal diff on
-						 * reload */
-#define DNS_ZONEFLG_NOMASTERS	0x00001000U	/*%< an attempt to refresh a
-						 * zone with no masters
-						 * occurred */
-#define DNS_ZONEFLG_LOADING	0x00002000U	/*%< load from disk in progress*/
-#define DNS_ZONEFLG_HAVETIMERS	0x00004000U	/*%< timer values have been set
-						 * from SOA (if not set, we
-						 * are still using
-						 * default timer values) */
-#define DNS_ZONEFLG_FORCEXFER	0x00008000U	/*%< Force a zone xfer */
-#define DNS_ZONEFLG_NOREFRESH	0x00010000U
-#define DNS_ZONEFLG_DIALNOTIFY	0x00020000U
-#define DNS_ZONEFLG_DIALREFRESH	0x00040000U
-#define DNS_ZONEFLG_SHUTDOWN	0x00080000U
-#define DNS_ZONEFLAG_NOIXFR	0x00100000U	/*%< IXFR failed, force AXFR */
-#define DNS_ZONEFLG_FLUSH	0x00200000U
-#define DNS_ZONEFLG_NOEDNS	0x00400000U
-#define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
-#define DNS_ZONEFLG_SOABEFOREAXFR 0x01000000U
-#define DNS_ZONEFLG_NEEDCOMPACT 0x02000000U
-#define DNS_ZONEFLG_REFRESHING	0x04000000U	/*%< Refreshing keydata */
-#define DNS_ZONEFLG_THAW	0x08000000U
-#define DNS_ZONEFLG_LOADPENDING	0x10000000U	/*%< Loading scheduled */
-#define DNS_ZONEFLG_NODELAY	0x20000000U
-#define DNS_ZONEFLG_SENDSECURE  0x40000000U
-
-#define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
-#define DNS_ZONEKEY_OPTION(z,o) (((z)->keyopts & (o)) != 0)
-
-/* Flags for zone_load() */
-#define DNS_ZONELOADFLAG_NOSTAT	0x00000001U	/* Do not stat() master files */
-#define DNS_ZONELOADFLAG_THAW	0x00000002U	/* Thaw the zone on successful
-						   load. */
-
-#define UNREACH_CHACHE_SIZE	10U
-#define UNREACH_HOLD_TIME	600	/* 10 minutes */
-
-#define CHECK(op) \
-	do { result = (op); \
-		if (result != ISC_R_SUCCESS) goto failure; \
-	} while (0)
-
-struct dns_unreachable {
-	isc_sockaddr_t	remote;
-	isc_sockaddr_t	local;
-	isc_uint32_t	expire;
-	isc_uint32_t	last;
-};
-
-struct dns_zonemgr {
-	unsigned int		magic;
-	isc_mem_t *		mctx;
-	int			refs;		/* Locked by rwlock */
-	isc_taskmgr_t *		taskmgr;
-	isc_timermgr_t *	timermgr;
-	isc_socketmgr_t *	socketmgr;
-	isc_taskpool_t *	zonetasks;
-	isc_taskpool_t *	loadtasks;
-	isc_task_t *		task;
-	isc_pool_t *		mctxpool;
-	isc_ratelimiter_t *	rl;
-	isc_rwlock_t		rwlock;
-	isc_mutex_t		iolock;
-	isc_rwlock_t		urlock;
-
-	/* Locked by rwlock. */
-	dns_zonelist_t		zones;
-	dns_zonelist_t		waiting_for_xfrin;
-	dns_zonelist_t		xfrin_in_progress;
-
-	/* Configuration data. */
-	isc_uint32_t		transfersin;
-	isc_uint32_t		transfersperns;
-	unsigned int		serialqueryrate;
-
-	/* Locked by iolock */
-	isc_uint32_t		iolimit;
-	isc_uint32_t		ioactive;
-	dns_iolist_t		high;
-	dns_iolist_t		low;
-
-	/* Locked by urlock. */
-	/* LRU cache */
-	struct dns_unreachable	unreachable[UNREACH_CHACHE_SIZE];
-};
-
-/*%
- * Hold notify state.
- */
-struct dns_notify {
-	unsigned int		magic;
-	unsigned int		flags;
-	isc_mem_t		*mctx;
-	dns_zone_t		*zone;
-	dns_adbfind_t		*find;
-	dns_request_t		*request;
-	dns_name_t		ns;
-	isc_sockaddr_t		dst;
-	dns_tsigkey_t		*key;
-	ISC_LINK(dns_notify_t)	link;
-};
-
-#define DNS_NOTIFY_NOSOA	0x0001U
-
-/*%
- *	dns_stub holds state while performing a 'stub' transfer.
- *	'db' is the zone's 'db' or a new one if this is the initial
- *	transfer.
- */
-
-struct dns_stub {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	dns_zone_t		*zone;
-	dns_db_t		*db;
-	dns_dbversion_t		*version;
-};
-
-/*%
- *	Hold load state.
- */
-struct dns_load {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	dns_zone_t		*zone;
-	dns_db_t		*db;
-	isc_time_t		loadtime;
-	dns_rdatacallbacks_t	callbacks;
-};
-
-/*%
- *	Hold forward state.
- */
-struct dns_forward {
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	dns_zone_t		*zone;
-	isc_buffer_t		*msgbuf;
-	dns_request_t		*request;
-	isc_uint32_t		which;
-	isc_sockaddr_t		addr;
-	dns_updatecallback_t	callback;
-	void			*callback_arg;
-	ISC_LINK(dns_forward_t)	link;
-};
-
-/*%
- *	Hold IO request state.
- */
-struct dns_io {
-	unsigned int	magic;
-	dns_zonemgr_t	*zmgr;
-	isc_boolean_t	high;
-	isc_task_t	*task;
-	ISC_LINK(dns_io_t) link;
-	isc_event_t	*event;
-};
-
-/*%
- *	Hold state for when we are signing a zone with a new
- *	DNSKEY as result of an update.
- */
-struct dns_signing {
-	unsigned int		magic;
-	dns_db_t		*db;
-	dns_dbiterator_t	*dbiterator;
-	dns_secalg_t		algorithm;
-	isc_uint16_t		keyid;
-	isc_boolean_t		delete;
-	isc_boolean_t		done;
-	ISC_LINK(dns_signing_t)	link;
-};
-
-struct dns_nsec3chain {
-	unsigned int			magic;
-	dns_db_t			*db;
-	dns_dbiterator_t		*dbiterator;
-	dns_rdata_nsec3param_t		nsec3param;
-	unsigned char			salt[255];
-	isc_boolean_t			done;
-	isc_boolean_t			seen_nsec;
-	isc_boolean_t			delete_nsec;
-	isc_boolean_t			save_delete_nsec;
-	ISC_LINK(dns_nsec3chain_t)	link;
-};
-/*%<
- * 'dbiterator' contains a iterator for the database.  If we are creating
- * a NSEC3 chain only the non-NSEC3 nodes will be iterated.  If we are
- * removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be
- * iterated.
- *
- * 'nsec3param' contains the parameters of the NSEC3 chain being created
- * or removed.
- *
- * 'salt' is buffer space and is referenced via 'nsec3param.salt'.
- *
- * 'seen_nsec' will be set to true if, while iterating the zone to create a
- * NSEC3 chain, a NSEC record is seen.
- *
- * 'delete_nsec' will be set to true if, at the completion of the creation
- * of a NSEC3 chain, 'seen_nsec' is true.  If 'delete_nsec' is true then we
- * are in the process of deleting the NSEC chain.
- *
- * 'save_delete_nsec' is used to store the initial state of 'delete_nsec'
- * so it can be recovered in the event of a error.
- */
-
-struct dns_keyfetch {
-	dns_fixedname_t name;
-	dns_rdataset_t keydataset;
-	dns_rdataset_t dnskeyset;
-	dns_rdataset_t dnskeysigset;
-	dns_zone_t *zone;
-	dns_db_t *db;
-	dns_fetch_t *fetch;
-};
-
-/*%
- * Hold state for an asynchronous load
- */
-struct dns_asyncload {
-	dns_zone_t *zone;
-	dns_zt_zoneloaded_t loaded;
-	void *loaded_arg;
-};
-
-#define HOUR 3600
-#define DAY (24*HOUR)
-#define MONTH (30*DAY)
-
-#define SEND_BUFFER_SIZE 2048
-
-static void zone_settimer(dns_zone_t *, isc_time_t *);
-static void cancel_refresh(dns_zone_t *);
-static void zone_debuglog(dns_zone_t *zone, const char *, int debuglevel,
-			  const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
-static void notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
-     ISC_FORMAT_PRINTF(3, 4);
-static void queue_xfrin(dns_zone_t *zone);
-static isc_result_t update_one_rr(dns_db_t *db, dns_dbversion_t *ver,
-				  dns_diff_t *diff, dns_diffop_t op,
-				  dns_name_t *name, dns_ttl_t ttl,
-				  dns_rdata_t *rdata);
-static void zone_unload(dns_zone_t *zone);
-static void zone_expire(dns_zone_t *zone);
-static void zone_iattach(dns_zone_t *source, dns_zone_t **target);
-static void zone_idetach(dns_zone_t **zonep);
-static isc_result_t zone_replacedb(dns_zone_t *zone, dns_db_t *db,
-				   isc_boolean_t dump);
-static inline void zone_attachdb(dns_zone_t *zone, dns_db_t *db);
-static inline void zone_detachdb(dns_zone_t *zone);
-static isc_result_t default_journal(dns_zone_t *zone);
-static void zone_xfrdone(dns_zone_t *zone, isc_result_t result);
-static isc_result_t zone_postload(dns_zone_t *zone, dns_db_t *db,
-				  isc_time_t loadtime, isc_result_t result);
-static void zone_needdump(dns_zone_t *zone, unsigned int delay);
-static void zone_shutdown(isc_task_t *, isc_event_t *);
-static void zone_loaddone(void *arg, isc_result_t result);
-static isc_result_t zone_startload(dns_db_t *db, dns_zone_t *zone,
-				   isc_time_t loadtime);
-static void zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
-static void zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
-static void zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
-static void zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
-static isc_result_t zone_send_secureserial(dns_zone_t *zone,
-					   isc_boolean_t secure_locked,
-					   isc_uint32_t serial);
-
-#if 0
-/* ondestroy example */
-static void dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event);
-#endif
-
-static void refresh_callback(isc_task_t *, isc_event_t *);
-static void stub_callback(isc_task_t *, isc_event_t *);
-static void queue_soa_query(dns_zone_t *zone);
-static void soa_query(isc_task_t *, isc_event_t *);
-static void ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset,
-		     dns_stub_t *stub);
-static int message_count(dns_message_t *msg, dns_section_t section,
-			 dns_rdatatype_t type);
-static void notify_cancel(dns_zone_t *zone);
-static void notify_find_address(dns_notify_t *notify);
-static void notify_send(dns_notify_t *notify);
-static isc_result_t notify_createmessage(dns_zone_t *zone,
-					 unsigned int flags,
-					 dns_message_t **messagep);
-static void notify_done(isc_task_t *task, isc_event_t *event);
-static void notify_send_toaddr(isc_task_t *task, isc_event_t *event);
-static isc_result_t zone_dump(dns_zone_t *, isc_boolean_t);
-static void got_transfer_quota(isc_task_t *task, isc_event_t *event);
-static isc_result_t zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr,
-					     dns_zone_t *zone);
-static void zmgr_resume_xfrs(dns_zonemgr_t *zmgr, isc_boolean_t multi);
-static void zonemgr_free(dns_zonemgr_t *zmgr);
-static isc_result_t zonemgr_getio(dns_zonemgr_t *zmgr, isc_boolean_t high,
-				  isc_task_t *task, isc_taskaction_t action,
-				  void *arg, dns_io_t **iop);
-static void zonemgr_putio(dns_io_t **iop);
-static void zonemgr_cancelio(dns_io_t *io);
-
-static isc_result_t
-zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
-		 unsigned int *soacount, isc_uint32_t *serial,
-		 isc_uint32_t *refresh, isc_uint32_t *retry,
-		 isc_uint32_t *expire, isc_uint32_t *minimum,
-		 unsigned int *errors);
-
-static void zone_freedbargs(dns_zone_t *zone);
-static void forward_callback(isc_task_t *task, isc_event_t *event);
-static void zone_saveunique(dns_zone_t *zone, const char *path,
-			    const char *templat);
-static void zone_maintenance(dns_zone_t *zone);
-static void zone_notify(dns_zone_t *zone, isc_time_t *now);
-static void dump_done(void *arg, isc_result_t result);
-static isc_result_t zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
-				     isc_uint16_t keyid, isc_boolean_t delete);
-static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
-				dns_dbnode_t *node, dns_name_t *name,
-				dns_diff_t *diff);
-static void zone_rekey(dns_zone_t *zone);
-static isc_boolean_t delsig_ok(dns_rdata_rrsig_t *rrsig_ptr,
-			       dst_key_t **keys, unsigned int nkeys);
-static isc_result_t zone_send_securedb(dns_zone_t *zone, isc_boolean_t locked,
-				       dns_db_t *db);
-
-#define ENTER zone_debuglog(zone, me, 1, "enter")
-
-static const unsigned int dbargc_default = 1;
-static const char *dbargv_default[] = { "rbt" };
-
-#define DNS_ZONE_JITTER_ADD(a, b, c) \
-	do { \
-		isc_interval_t _i; \
-		isc_uint32_t _j; \
-		_j = isc_random_jitter((b), (b)/4); \
-		isc_interval_set(&_i, _j, 0); \
-		if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
-			dns_zone_log(zone, ISC_LOG_WARNING, \
-				     "epoch approaching: upgrade required: " \
-				     "now + %s failed", #b); \
-			isc_interval_set(&_i, _j/2, 0); \
-			(void)isc_time_add((a), &_i, (c)); \
-		} \
-	} while (0)
-
-#define DNS_ZONE_TIME_ADD(a, b, c) \
-	do { \
-		isc_interval_t _i; \
-		isc_interval_set(&_i, (b), 0); \
-		if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
-			dns_zone_log(zone, ISC_LOG_WARNING, \
-				     "epoch approaching: upgrade required: " \
-				     "now + %s failed", #b); \
-			isc_interval_set(&_i, (b)/2, 0); \
-			(void)isc_time_add((a), &_i, (c)); \
-		} \
-	} while (0)
-
-/*%
- * Increment resolver-related statistics counters.  Zone must be locked.
- */
-static inline void
-inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
-	if (zone->stats != NULL)
-		isc_stats_increment(zone->stats, counter);
-}
-
-/***
- ***	Public functions.
- ***/
-
-isc_result_t
-dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
-	isc_result_t result;
-	dns_zone_t *zone;
-	isc_time_t now;
-
-	REQUIRE(zonep != NULL && *zonep == NULL);
-	REQUIRE(mctx != NULL);
-
-	TIME_NOW(&now);
-	zone = isc_mem_get(mctx, sizeof(*zone));
-	if (zone == NULL)
-		return (ISC_R_NOMEMORY);
-
-	zone->mctx = NULL;
-	isc_mem_attach(mctx, &zone->mctx);
-
-	result = isc_mutex_init(&zone->lock);
-	if (result != ISC_R_SUCCESS)
-		goto free_zone;
-
-	result = ZONEDB_INITLOCK(&zone->dblock);
-	if (result != ISC_R_SUCCESS)
-		goto free_mutex;
-
-	/* XXX MPA check that all elements are initialised */
-#ifdef DNS_ZONE_CHECKLOCK
-	zone->locked = ISC_FALSE;
-#endif
-	zone->db = NULL;
-	zone->zmgr = NULL;
-	ISC_LINK_INIT(zone, link);
-	result = isc_refcount_init(&zone->erefs, 1);	/* Implicit attach. */
-	if (result != ISC_R_SUCCESS)
-		goto free_dblock;
-	zone->irefs = 0;
-	dns_name_init(&zone->origin, NULL);
-	zone->strnamerd = NULL;
-	zone->strname = NULL;
-	zone->strrdclass = NULL;
-	zone->strviewname = NULL;
-	zone->masterfile = NULL;
-	zone->masterformat = dns_masterformat_none;
-	zone->keydirectory = NULL;
-	zone->journalsize = -1;
-	zone->journal = NULL;
-	zone->rdclass = dns_rdataclass_none;
-	zone->type = dns_zone_none;
-	zone->flags = 0;
-	zone->options = 0;
-	zone->keyopts = 0;
-	zone->db_argc = 0;
-	zone->db_argv = NULL;
-	isc_time_settoepoch(&zone->expiretime);
-	isc_time_settoepoch(&zone->refreshtime);
-	isc_time_settoepoch(&zone->dumptime);
-	isc_time_settoepoch(&zone->loadtime);
-	zone->notifytime = now;
-	isc_time_settoepoch(&zone->resigntime);
-	isc_time_settoepoch(&zone->keywarntime);
-	isc_time_settoepoch(&zone->signingtime);
-	isc_time_settoepoch(&zone->nsec3chaintime);
-	isc_time_settoepoch(&zone->refreshkeytime);
-	zone->refreshkeyinterval = 0;
-	zone->refreshkeycount = 0;
-	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
-	zone->retry = DNS_ZONE_DEFAULTRETRY;
-	zone->expire = 0;
-	zone->minimum = 0;
-	zone->maxrefresh = DNS_ZONE_MAXREFRESH;
-	zone->minrefresh = DNS_ZONE_MINREFRESH;
-	zone->maxretry = DNS_ZONE_MAXRETRY;
-	zone->minretry = DNS_ZONE_MINRETRY;
-	zone->masters = NULL;
-	zone->masterkeynames = NULL;
-	zone->mastersok = NULL;
-	zone->masterscnt = 0;
-	zone->curmaster = 0;
-	zone->notify = NULL;
-	zone->notifykeynames = NULL;
-	zone->notifytype = dns_notifytype_yes;
-	zone->notifycnt = 0;
-	zone->task = NULL;
-	zone->loadtask = NULL;
-	zone->update_acl = NULL;
-	zone->forward_acl = NULL;
-	zone->notify_acl = NULL;
-	zone->query_acl = NULL;
-	zone->queryon_acl = NULL;
-	zone->xfr_acl = NULL;
-	zone->update_disabled = ISC_FALSE;
-	zone->zero_no_soa_ttl = ISC_TRUE;
-	zone->check_names = dns_severity_ignore;
-	zone->request = NULL;
-	zone->lctx = NULL;
-	zone->readio = NULL;
-	zone->dctx = NULL;
-	zone->writeio = NULL;
-	zone->timer = NULL;
-	zone->idlein = DNS_DEFAULT_IDLEIN;
-	zone->idleout = DNS_DEFAULT_IDLEOUT;
-	zone->log_key_expired_timer = 0;
-	ISC_LIST_INIT(zone->notifies);
-	isc_sockaddr_any(&zone->notifysrc4);
-	isc_sockaddr_any6(&zone->notifysrc6);
-	isc_sockaddr_any(&zone->xfrsource4);
-	isc_sockaddr_any6(&zone->xfrsource6);
-	isc_sockaddr_any(&zone->altxfrsource4);
-	isc_sockaddr_any6(&zone->altxfrsource6);
-	zone->xfr = NULL;
-	zone->tsigkey = NULL;
-	zone->maxxfrin = MAX_XFER_TIME;
-	zone->maxxfrout = MAX_XFER_TIME;
-	zone->ssutable = NULL;
-	zone->sigvalidityinterval = 30 * 24 * 3600;
-	zone->sigresigninginterval = 7 * 24 * 3600;
-	zone->view = NULL;
-	zone->acache = NULL;
-	zone->checkmx = NULL;
-	zone->checksrv = NULL;
-	zone->checkns = NULL;
-	ISC_LINK_INIT(zone, statelink);
-	zone->statelist = NULL;
-	zone->stats = NULL;
-	zone->requeststats_on = ISC_FALSE;
-	zone->statlevel = dns_zonestat_none;
-	zone->requeststats = NULL;
-	zone->rcvquerystats = NULL;
-	zone->notifydelay = 5;
-	zone->isself = NULL;
-	zone->isselfarg = NULL;
-	ISC_LIST_INIT(zone->signing);
-	ISC_LIST_INIT(zone->nsec3chain);
-	zone->signatures = 10;
-	zone->nodes = 100;
-	zone->privatetype = (dns_rdatatype_t)0xffffU;
-	zone->added = ISC_FALSE;
-	zone->is_rpz = ISC_FALSE;
-	ISC_LIST_INIT(zone->forwards);
-	zone->raw = NULL;
-	zone->secure = NULL;
-	zone->sourceserial = 0;
-	zone->sourceserialset = ISC_FALSE;
-
-	zone->magic = ZONE_MAGIC;
-
-	/* Must be after magic is set. */
-	result = dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
-	if (result != ISC_R_SUCCESS)
-		goto free_erefs;
-
-	ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
-		       DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone,
-		       NULL, NULL);
-	*zonep = zone;
-	return (ISC_R_SUCCESS);
-
- free_erefs:
-	isc_refcount_decrement(&zone->erefs, NULL);
-	isc_refcount_destroy(&zone->erefs);
-
- free_dblock:
-	ZONEDB_DESTROYLOCK(&zone->dblock);
-
- free_mutex:
-	DESTROYLOCK(&zone->lock);
-
- free_zone:
-	isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
-	return (result);
-}
-
-/*
- * Free a zone.  Because we require that there be no more
- * outstanding events or references, no locking is necessary.
- */
-static void
-zone_free(dns_zone_t *zone) {
-	isc_mem_t *mctx = NULL;
-	dns_signing_t *signing;
-	dns_nsec3chain_t *nsec3chain;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(isc_refcount_current(&zone->erefs) == 0);
-	REQUIRE(zone->irefs == 0);
-	REQUIRE(!LOCKED_ZONE(zone));
-	REQUIRE(zone->timer == NULL);
-
-	/*
-	 * Managed objects.  Order is important.
-	 */
-	if (zone->request != NULL)
-		dns_request_destroy(&zone->request); /* XXXMPA */
-	INSIST(zone->readio == NULL);
-	INSIST(zone->statelist == NULL);
-	INSIST(zone->writeio == NULL);
-
-	if (zone->task != NULL)
-		isc_task_detach(&zone->task);
-	if (zone->loadtask != NULL)
-		isc_task_detach(&zone->loadtask);
-	if (zone->zmgr != NULL)
-		dns_zonemgr_releasezone(zone->zmgr, zone);
-
-	/* Unmanaged objects */
-	for (signing = ISC_LIST_HEAD(zone->signing);
-	     signing != NULL;
-	     signing = ISC_LIST_HEAD(zone->signing)) {
-		ISC_LIST_UNLINK(zone->signing, signing, link);
-		dns_db_detach(&signing->db);
-		dns_dbiterator_destroy(&signing->dbiterator);
-		isc_mem_put(zone->mctx, signing, sizeof *signing);
-	}
-	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
-	     nsec3chain != NULL;
-	     nsec3chain = ISC_LIST_HEAD(zone->nsec3chain)) {
-		ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
-		dns_db_detach(&nsec3chain->db);
-		dns_dbiterator_destroy(&nsec3chain->dbiterator);
-		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
-	}
-	if (zone->masterfile != NULL)
-		isc_mem_free(zone->mctx, zone->masterfile);
-	zone->masterfile = NULL;
-	if (zone->keydirectory != NULL)
-		isc_mem_free(zone->mctx, zone->keydirectory);
-	zone->keydirectory = NULL;
-	zone->journalsize = -1;
-	if (zone->journal != NULL)
-		isc_mem_free(zone->mctx, zone->journal);
-	zone->journal = NULL;
-	if (zone->stats != NULL)
-		isc_stats_detach(&zone->stats);
-	if (zone->requeststats != NULL)
-		isc_stats_detach(&zone->requeststats);
-	if(zone->rcvquerystats != NULL )
-		dns_stats_detach(&zone->rcvquerystats);
-	if (zone->db != NULL)
-		zone_detachdb(zone);
-	if (zone->acache != NULL)
-		dns_acache_detach(&zone->acache);
-	zone_freedbargs(zone);
-	RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0)
-		      == ISC_R_SUCCESS);
-	RUNTIME_CHECK(dns_zone_setalsonotify(zone, NULL, 0)
-		      == ISC_R_SUCCESS);
-	zone->check_names = dns_severity_ignore;
-	if (zone->update_acl != NULL)
-		dns_acl_detach(&zone->update_acl);
-	if (zone->forward_acl != NULL)
-		dns_acl_detach(&zone->forward_acl);
-	if (zone->notify_acl != NULL)
-		dns_acl_detach(&zone->notify_acl);
-	if (zone->query_acl != NULL)
-		dns_acl_detach(&zone->query_acl);
-	if (zone->queryon_acl != NULL)
-		dns_acl_detach(&zone->queryon_acl);
-	if (zone->xfr_acl != NULL)
-		dns_acl_detach(&zone->xfr_acl);
-	if (dns_name_dynamic(&zone->origin))
-		dns_name_free(&zone->origin, zone->mctx);
-	if (zone->strnamerd != NULL)
-		isc_mem_free(zone->mctx, zone->strnamerd);
-	if (zone->strname != NULL)
-		isc_mem_free(zone->mctx, zone->strname);
-	if (zone->strrdclass != NULL)
-		isc_mem_free(zone->mctx, zone->strrdclass);
-	if (zone->strviewname != NULL)
-		isc_mem_free(zone->mctx, zone->strviewname);
-	if (zone->ssutable != NULL)
-		dns_ssutable_detach(&zone->ssutable);
-
-	/* last stuff */
-	ZONEDB_DESTROYLOCK(&zone->dblock);
-	DESTROYLOCK(&zone->lock);
-	isc_refcount_destroy(&zone->erefs);
-	zone->magic = 0;
-	mctx = zone->mctx;
-	isc_mem_put(mctx, zone, sizeof(*zone));
-	isc_mem_detach(&mctx);
-}
-
-/*
- * Returns ISC_TRUE iff this the signed side of an inline-signing zone.
- * Caller should hold zone lock.
- */
-static inline isc_boolean_t
-inline_secure(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	if (zone->raw != NULL)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-/*
- * Returns ISC_TRUE iff this the unsigned side of an inline-signing zone
- * Caller should hold zone lock.
- */
-static inline isc_boolean_t
-inline_raw(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	if (zone->secure != NULL)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-/*
- *	Single shot.
- */
-void
-dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
-	char namebuf[1024];
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(rdclass != dns_rdataclass_none);
-
-	/*
-	 * Test and set.
-	 */
-	LOCK_ZONE(zone);
-	REQUIRE(zone->rdclass == dns_rdataclass_none ||
-		zone->rdclass == rdclass);
-	zone->rdclass = rdclass;
-
-	if (zone->strnamerd != NULL)
-		isc_mem_free(zone->mctx, zone->strnamerd);
-	if (zone->strrdclass != NULL)
-		isc_mem_free(zone->mctx, zone->strrdclass);
-
-	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
-	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
-	zone_rdclass_tostr(zone, namebuf, sizeof namebuf);
-	zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf);
-
-	if (inline_secure(zone))
-		dns_zone_setclass(zone->raw, rdclass);
-	UNLOCK_ZONE(zone);
-}
-
-dns_rdataclass_t
-dns_zone_getclass(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->rdclass);
-}
-
-void
-dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone->notifytype = notifytype;
-	UNLOCK_ZONE(zone);
-}
-
-isc_result_t
-dns_zone_getserial2(dns_zone_t *zone, isc_uint32_t *serialp) {
-	isc_result_t result;
-	unsigned int soacount;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(serialp != NULL);
-
-	LOCK_ZONE(zone);
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL) {
-		result = zone_get_from_db(zone, zone->db, NULL, &soacount,
-					  serialp, NULL, NULL, NULL, NULL,
-					  NULL);
-		if (result == ISC_R_SUCCESS && soacount == 0)
-			result = ISC_R_FAILURE;
-	} else
-		result = DNS_R_NOTLOADED;
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-	UNLOCK_ZONE(zone);
-
-	return (result);
-}
-
-isc_uint32_t
-dns_zone_getserial(dns_zone_t *zone) {
-	isc_result_t result;
-	isc_uint32_t serial;
-
-	result = dns_zone_getserial2(zone, &serial);
-	if (result != ISC_R_SUCCESS)
-		serial = 0; /* XXX: not really correct, but no other choice */
-
-	return (serial);
-}
-
-/*
- *	Single shot.
- */
-void
-dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
-	char namebuf[1024];
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(type != dns_zone_none);
-
-	/*
-	 * Test and set.
-	 */
-	LOCK_ZONE(zone);
-	REQUIRE(zone->type == dns_zone_none || zone->type == type);
-	zone->type = type;
-
-	if (zone->strnamerd != NULL)
-		isc_mem_free(zone->mctx, zone->strnamerd);
-
-	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
-	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
-	UNLOCK_ZONE(zone);
-}
-
-static void
-zone_freedbargs(dns_zone_t *zone) {
-	unsigned int i;
-
-	/* Free the old database argument list. */
-	if (zone->db_argv != NULL) {
-		for (i = 0; i < zone->db_argc; i++)
-			isc_mem_free(zone->mctx, zone->db_argv[i]);
-		isc_mem_put(zone->mctx, zone->db_argv,
-			    zone->db_argc * sizeof(*zone->db_argv));
-	}
-	zone->db_argc = 0;
-	zone->db_argv = NULL;
-}
-
-isc_result_t
-dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
-	size_t size = 0;
-	unsigned int i;
-	isc_result_t result = ISC_R_SUCCESS;
-	void *mem;
-	char **tmp, *tmp2;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(argv != NULL && *argv == NULL);
-
-	LOCK_ZONE(zone);
-	size = (zone->db_argc + 1) * sizeof(char *);
-	for (i = 0; i < zone->db_argc; i++)
-		size += strlen(zone->db_argv[i]) + 1;
-	mem = isc_mem_allocate(mctx, size);
-	if (mem != NULL) {
-		tmp = mem;
-		tmp2 = mem;
-		tmp2 += (zone->db_argc + 1) * sizeof(char *);
-		for (i = 0; i < zone->db_argc; i++) {
-			*tmp++ = tmp2;
-			strcpy(tmp2, zone->db_argv[i]);
-			tmp2 += strlen(tmp2) + 1;
-		}
-		*tmp = NULL;
-	} else
-		result = ISC_R_NOMEMORY;
-	UNLOCK_ZONE(zone);
-	*argv = mem;
-	return (result);
-}
-
-isc_result_t
-dns_zone_setdbtype(dns_zone_t *zone,
-		   unsigned int dbargc, const char * const *dbargv) {
-	isc_result_t result = ISC_R_SUCCESS;
-	char **new = NULL;
-	unsigned int i;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(dbargc >= 1);
-	REQUIRE(dbargv != NULL);
-
-	LOCK_ZONE(zone);
-
-	/* Set up a new database argument list. */
-	new = isc_mem_get(zone->mctx, dbargc * sizeof(*new));
-	if (new == NULL)
-		goto nomem;
-	for (i = 0; i < dbargc; i++)
-		new[i] = NULL;
-	for (i = 0; i < dbargc; i++) {
-		new[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
-		if (new[i] == NULL)
-			goto nomem;
-	}
-
-	/* Free the old list. */
-	zone_freedbargs(zone);
-
-	zone->db_argc = dbargc;
-	zone->db_argv = new;
-	result = ISC_R_SUCCESS;
-	goto unlock;
-
- nomem:
-	if (new != NULL) {
-		for (i = 0; i < dbargc; i++)
-			if (new[i] != NULL)
-				isc_mem_free(zone->mctx, new[i]);
-		isc_mem_put(zone->mctx, new, dbargc * sizeof(*new));
-	}
-	result = ISC_R_NOMEMORY;
-
- unlock:
-	UNLOCK_ZONE(zone);
-	return (result);
-}
-
-void
-dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
-	char namebuf[1024];
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->view != NULL)
-		dns_view_weakdetach(&zone->view);
-	dns_view_weakattach(view, &zone->view);
-
-	if (zone->strviewname != NULL)
-		isc_mem_free(zone->mctx, zone->strviewname);
-	if (zone->strnamerd != NULL)
-		isc_mem_free(zone->mctx, zone->strnamerd);
-
-	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
-	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
-	zone_viewname_tostr(zone, namebuf, sizeof namebuf);
-	zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);
-
-	if (inline_secure(zone))
-		dns_zone_setview(zone->raw, view);
-
-	UNLOCK_ZONE(zone);
-}
-
-dns_view_t *
-dns_zone_getview(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->view);
-}
-
-
-isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
-	isc_result_t result;
-	char namebuf[1024];
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(origin != NULL);
-
-	LOCK_ZONE(zone);
-	if (dns_name_dynamic(&zone->origin)) {
-		dns_name_free(&zone->origin, zone->mctx);
-		dns_name_init(&zone->origin, NULL);
-	}
-	result = dns_name_dup(origin, zone->mctx, &zone->origin);
-
-	if (zone->strnamerd != NULL)
-		isc_mem_free(zone->mctx, zone->strnamerd);
-	if (zone->strname != NULL)
-		isc_mem_free(zone->mctx, zone->strname);
-
-	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
-	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
-	zone_name_tostr(zone, namebuf, sizeof namebuf);
-	zone->strname = isc_mem_strdup(zone->mctx, namebuf);
-
-	if (result == ISC_R_SUCCESS && inline_secure(zone))
-		result = dns_zone_setorigin(zone->raw, origin);
-	UNLOCK_ZONE(zone);
-	return (result);
-}
-
-void
-dns_zone_setacache(dns_zone_t *zone, dns_acache_t *acache) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(acache != NULL);
-
-	LOCK_ZONE(zone);
-	if (zone->acache != NULL)
-		dns_acache_detach(&zone->acache);
-	dns_acache_attach(acache, &zone->acache);
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL) {
-		isc_result_t result;
-
-		/*
-		 * If the zone reuses an existing DB, the DB needs to be
-		 * set in the acache explicitly.  We can safely ignore the
-		 * case where the DB is already set.  If other error happens,
-		 * the acache will not work effectively.
-		 */
-		result = dns_acache_setdb(acache, zone->db);
-		if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "dns_acache_setdb() failed: %s",
-					 isc_result_totext(result));
-		}
-	}
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-	UNLOCK_ZONE(zone);
-}
-
-static isc_result_t
-dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
-	char *copy;
-
-	if (value != NULL) {
-		copy = isc_mem_strdup(zone->mctx, value);
-		if (copy == NULL)
-			return (ISC_R_NOMEMORY);
-	} else {
-		copy = NULL;
-	}
-
-	if (*field != NULL)
-		isc_mem_free(zone->mctx, *field);
-
-	*field = copy;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_zone_setfile(dns_zone_t *zone, const char *file) {
-	return (dns_zone_setfile2(zone, file, dns_masterformat_text));
-}
-
-isc_result_t
-dns_zone_setfile2(dns_zone_t *zone, const char *file,
-		  dns_masterformat_t format) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	result = dns_zone_setstring(zone, &zone->masterfile, file);
-	if (result == ISC_R_SUCCESS) {
-		zone->masterformat = format;
-		result = default_journal(zone);
-	}
-	UNLOCK_ZONE(zone);
-
-	return (result);
-}
-
-const char *
-dns_zone_getfile(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->masterfile);
-}
-
-static isc_result_t
-default_journal(dns_zone_t *zone) {
-	isc_result_t result;
-	char *journal;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(LOCKED_ZONE(zone));
-
-	if (zone->masterfile != NULL) {
-		/* Calculate string length including '\0'. */
-		int len = strlen(zone->masterfile) + sizeof(".jnl");
-		journal = isc_mem_allocate(zone->mctx, len);
-		if (journal == NULL)
-			return (ISC_R_NOMEMORY);
-		strcpy(journal, zone->masterfile);
-		strcat(journal, ".jnl");
-	} else {
-		journal = NULL;
-	}
-	result = dns_zone_setstring(zone, &zone->journal, journal);
-	if (journal != NULL)
-		isc_mem_free(zone->mctx, journal);
-	return (result);
-}
-
-isc_result_t
-dns_zone_setjournal(dns_zone_t *zone, const char *journal) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	result = dns_zone_setstring(zone, &zone->journal, journal);
-	UNLOCK_ZONE(zone);
-
-	return (result);
-}
-
-char *
-dns_zone_getjournal(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->journal);
-}
-
-/*
- * Return true iff the zone is "dynamic", in the sense that the zone's
- * master file (if any) is written by the server, rather than being
- * updated manually and read by the server.
- *
- * This is true for slave zones, stub zones, key zones, and zones that
- * allow dynamic updates either by having an update policy ("ssutable")
- * or an "allow-update" ACL with a value other than exactly "{ none; }".
- */
-isc_boolean_t
-dns_zone_isdynamic(dns_zone_t *zone, isc_boolean_t ignore_freeze) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	if (zone->type == dns_zone_slave || zone->type == dns_zone_stub ||
-	    zone->type == dns_zone_key ||
-	    (zone->type == dns_zone_redirect && zone->masters != NULL))
-		return (ISC_TRUE);
-
-	/* If !ignore_freeze, we need check whether updates are disabled.  */
-	if (zone->type == dns_zone_master &&
-	    (!zone->update_disabled || ignore_freeze) &&
-	    ((zone->ssutable != NULL) ||
-	     (zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl))))
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-
-}
-
-/*
- * Set the response policy index and information for a zone.
- */
-isc_result_t
-dns_zone_rpz_enable(dns_zone_t *zone) {
-	/*
-	 * Only RBTDB zones can be used for response policy zones,
-	 * because only they have the code to load the create the summary data.
-	 * Only zones that are loaded instead of mmap()ed create the
-	 * summary data and so can be policy zones.
-	 */
-	if (strcmp(zone->db_argv[0], "rbt") != 0 &&
-	    strcmp(zone->db_argv[0], "rbt64") != 0)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	zone->is_rpz = ISC_TRUE;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-dns_zone_get_rpz(dns_zone_t *zone) {
-	return (zone->is_rpz);
-}
-
-static isc_result_t
-zone_load(dns_zone_t *zone, unsigned int flags) {
-	isc_result_t result;
-	isc_time_t now;
-	isc_time_t loadtime, filetime;
-	dns_db_t *db = NULL;
-	isc_boolean_t rbt, hasraw;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	hasraw = inline_secure(zone);
-	if (hasraw) {
-		result = zone_load(zone->raw, flags);
-		if (result != ISC_R_SUCCESS) {
-			UNLOCK_ZONE(zone);
-			return(result);
-		}
-		LOCK_ZONE(zone->raw);
-	}
-
-	TIME_NOW(&now);
-
-	INSIST(zone->type != dns_zone_none);
-
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
-		if ((flags & DNS_ZONELOADFLAG_THAW) != 0)
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
-		result = DNS_R_CONTINUE;
-		goto cleanup;
-	}
-
-	INSIST(zone->db_argc >= 1);
-
-	rbt = strcmp(zone->db_argv[0], "rbt") == 0 ||
-	      strcmp(zone->db_argv[0], "rbt64") == 0;
-
-	if (zone->db != NULL && zone->masterfile == NULL && rbt) {
-		/*
-		 * The zone has no master file configured.
-		 */
-		result = ISC_R_SUCCESS;
-		goto cleanup;
-	}
-
-	if (zone->db != NULL && dns_zone_isdynamic(zone, ISC_FALSE)) {
-		/*
-		 * This is a slave, stub, or dynamically updated
-		 * zone being reloaded.  Do nothing - the database
-		 * we already have is guaranteed to be up-to-date.
-		 */
-		if (zone->type == dns_zone_master)
-			result = DNS_R_DYNAMIC;
-		else
-			result = ISC_R_SUCCESS;
-		goto cleanup;
-	}
-
-	/*
-	 * Store the current time before the zone is loaded, so that if the
-	 * file changes between the time of the load and the time that
-	 * zone->loadtime is set, then the file will still be reloaded
-	 * the next time dns_zone_load is called.
-	 */
-	TIME_NOW(&loadtime);
-
-	/*
-	 * Don't do the load if the file that stores the zone is older
-	 * than the last time the zone was loaded.  If the zone has not
-	 * been loaded yet, zone->loadtime will be the epoch.
-	 */
-	if (zone->masterfile != NULL) {
-		/*
-		 * The file is already loaded.	If we are just doing a
-		 * "rndc reconfig", we are done.
-		 */
-		if (!isc_time_isepoch(&zone->loadtime) &&
-		    (flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
-			result = ISC_R_SUCCESS;
-			goto cleanup;
-		}
-
-		result = isc_file_getmodtime(zone->masterfile, &filetime);
-		if (result == ISC_R_SUCCESS) {
-			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
-			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE) &&
-			    isc_time_compare(&filetime, &zone->loadtime) <= 0) {
-				dns_zone_log(zone, ISC_LOG_DEBUG(1),
-					     "skipping load: master file "
-					     "older than last load");
-				result = DNS_R_UPTODATE;
-				goto cleanup;
-			}
-			loadtime = filetime;
-		}
-	}
-
-	/*
-	 * Built in zones (with the exception of empty zones) don't need
-	 * to be reloaded.
-	 */
-	if (zone->type == dns_zone_master &&
-	    strcmp(zone->db_argv[0], "_builtin") == 0 &&
-	    (zone->db_argc < 2 || strcmp(zone->db_argv[1], "empty") != 0) &&
-	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
-		result = ISC_R_SUCCESS;
-		goto cleanup;
-	}
-
-	if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub ||
-	     (zone->type == dns_zone_redirect && zone->masters != NULL)) &&
-	    rbt) {
-		if (zone->masterfile == NULL ||
-		    !isc_file_exists(zone->masterfile)) {
-			if (zone->masterfile != NULL) {
-				dns_zone_log(zone, ISC_LOG_DEBUG(1),
-					     "no master file");
-			}
-			zone->refreshtime = now;
-			if (zone->task != NULL)
-				zone_settimer(zone, &now);
-			result = ISC_R_SUCCESS;
-			goto cleanup;
-		}
-	}
-
-	dns_zone_log(zone, ISC_LOG_DEBUG(1), "starting load");
-
-	result = dns_db_create(zone->mctx, zone->db_argv[0],
-			       &zone->origin, (zone->type == dns_zone_stub) ?
-			       dns_dbtype_stub : dns_dbtype_zone,
-			       zone->rdclass,
-			       zone->db_argc - 1, zone->db_argv + 1,
-			       &db);
-
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "loading zone: creating database: %s",
-			     isc_result_totext(result));
-		goto cleanup;
-	}
-	dns_db_settask(db, zone->task);
-
-	if (! dns_db_ispersistent(db)) {
-		if (zone->masterfile != NULL) {
-			result = zone_startload(db, zone, loadtime);
-		} else {
-			result = DNS_R_NOMASTERFILE;
-			if (zone->type == dns_zone_master ||
-			    (zone->type == dns_zone_redirect &&
-			     zone->masters == NULL)) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "loading zone: "
-					     "no master file configured");
-				goto cleanup;
-			}
-			dns_zone_log(zone, ISC_LOG_INFO, "loading zone: "
-				     "no master file configured: continuing");
-		}
-	}
-
-	if (result == DNS_R_CONTINUE) {
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
-		if ((flags & DNS_ZONELOADFLAG_THAW) != 0)
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
-		goto cleanup;
-	}
-
-	result = zone_postload(zone, db, loadtime, result);
-
- cleanup:
-	if (hasraw)
-		UNLOCK_ZONE(zone->raw);
-	UNLOCK_ZONE(zone);
-	if (db != NULL)
-		dns_db_detach(&db);
-	return (result);
-}
-
-isc_result_t
-dns_zone_load(dns_zone_t *zone) {
-	return (zone_load(zone, 0));
-}
-
-isc_result_t
-dns_zone_loadnew(dns_zone_t *zone) {
-	return (zone_load(zone, DNS_ZONELOADFLAG_NOSTAT));
-}
-
-static void
-zone_asyncload(isc_task_t *task, isc_event_t *event) {
-	dns_asyncload_t *asl = event->ev_arg;
-	dns_zone_t *zone = asl->zone;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	UNUSED(task);
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
-		result = ISC_R_CANCELED;
-	isc_event_free(&event);
-	if (result == ISC_R_CANCELED ||
-	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING))
-		goto cleanup;
-
-	zone_load(zone, 0);
-
-	LOCK_ZONE(zone);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
-	UNLOCK_ZONE(zone);
-
-	/* Inform the zone table we've finished loading */
-	if (asl->loaded != NULL)
-		(asl->loaded)(asl->loaded_arg, zone, task);
-
- cleanup:
-	isc_mem_put(zone->mctx, asl, sizeof (*asl));
-	dns_zone_idetach(&zone);
-}
-
-isc_result_t
-dns_zone_asyncload(dns_zone_t *zone, dns_zt_zoneloaded_t done, void *arg) {
-	isc_event_t *e;
-	dns_asyncload_t *asl = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	if (zone->zmgr == NULL)
-		return (ISC_R_FAILURE);
-
-	asl = isc_mem_get(zone->mctx, sizeof (*asl));
-	if (asl == NULL)
-		CHECK(ISC_R_NOMEMORY);
-
-	asl->zone = NULL;
-	asl->loaded = done;
-	asl->loaded_arg = arg;
-
-	e = isc_event_allocate(zone->zmgr->mctx, zone->zmgr,
-			       DNS_EVENT_ZONELOAD,
-			       zone_asyncload, asl,
-			       sizeof(isc_event_t));
-	if (e == NULL)
-		CHECK(ISC_R_NOMEMORY);
-
-	LOCK_ZONE(zone);
-	zone_iattach(zone, &asl->zone);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADPENDING);
-	isc_task_send(zone->loadtask, &e);
-	UNLOCK_ZONE(zone);
-
-	return (ISC_R_SUCCESS);
-
-  failure:
-	if (asl != NULL)
-		isc_mem_put(zone->mctx, asl, sizeof (*asl));
-	return (result);
-}
-
-isc_boolean_t
-dns__zone_loadpending(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (ISC_TF(DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)));
-}
-
-isc_result_t
-dns_zone_loadandthaw(dns_zone_t *zone) {
-	isc_result_t result;
-
-	if (inline_raw(zone))
-		result = zone_load(zone->secure, DNS_ZONELOADFLAG_THAW);
-	else
-		result = zone_load(zone, DNS_ZONELOADFLAG_THAW);
-
-	switch (result) {
-	case DNS_R_CONTINUE:
-		/* Deferred thaw. */
-		break;
-	case DNS_R_UPTODATE:
-	case ISC_R_SUCCESS:
-	case DNS_R_SEENINCLUDE:
-		zone->update_disabled = ISC_FALSE;
-		break;
-	case DNS_R_NOMASTERFILE:
-		zone->update_disabled = ISC_FALSE;
-		break;
-	default:
-		/* Error, remain in disabled state. */
-		break;
-	}
-	return (result);
-}
-
-static unsigned int
-get_master_options(dns_zone_t *zone) {
-	unsigned int options;
-
-	options = DNS_MASTER_ZONE;
-	if (zone->type == dns_zone_slave ||
-	    (zone->type == dns_zone_redirect && zone->masters == NULL))
-		options |= DNS_MASTER_SLAVE;
-	if (zone->type == dns_zone_key)
-		options |= DNS_MASTER_KEY;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS))
-		options |= DNS_MASTER_CHECKNS;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS))
-		options |= DNS_MASTER_FATALNS;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
-		options |= DNS_MASTER_CHECKNAMES;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
-		options |= DNS_MASTER_CHECKNAMESFAIL;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX))
-		options |= DNS_MASTER_CHECKMX;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
-		options |= DNS_MASTER_CHECKMXFAIL;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD))
-		options |= DNS_MASTER_CHECKWILDCARD;
-	if (inline_secure(zone) || (zone->type == dns_zone_master &&
-	    ((zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl)) ||
-	      zone->ssutable != NULL)))
-		options |= DNS_MASTER_RESIGN;
-	return (options);
-}
-
-static void
-zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
-	dns_load_t *load = event->ev_arg;
-	isc_result_t result = ISC_R_SUCCESS;
-	unsigned int options;
-
-	REQUIRE(DNS_LOAD_VALID(load));
-
-	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
-		result = ISC_R_CANCELED;
-	isc_event_free(&event);
-	if (result == ISC_R_CANCELED)
-		goto fail;
-
-	options = get_master_options(load->zone);
-
-	result = dns_master_loadfileinc3(load->zone->masterfile,
-					 dns_db_origin(load->db),
-					 dns_db_origin(load->db),
-					 load->zone->rdclass, options,
-					 load->zone->sigresigninginterval,
-					 &load->callbacks, task,
-					 zone_loaddone, load,
-					 &load->zone->lctx, load->zone->mctx,
-					 load->zone->masterformat);
-	if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE &&
-	    result != DNS_R_SEENINCLUDE)
-		goto fail;
-	return;
-
- fail:
-	zone_loaddone(load, result);
-}
-
-static void
-get_raw_serial(dns_zone_t *raw, dns_masterrawheader_t *rawdata) {
-	isc_result_t result;
-	unsigned int soacount;
-
-	LOCK(&raw->lock);
-	if (raw->db != NULL) {
-		result = zone_get_from_db(raw, raw->db, NULL, &soacount,
-					  &rawdata->sourceserial,
-					  NULL, NULL, NULL, NULL,
-					  NULL);
-		if (result == ISC_R_SUCCESS && soacount > 0U)
-			rawdata->flags |= DNS_MASTERRAW_SOURCESERIALSET;
-	}
-	UNLOCK(&raw->lock);
-}
-
-static void
-zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
-	const char me[] = "zone_gotwritehandle";
-	dns_zone_t *zone = event->ev_arg;
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_dbversion_t *version = NULL;
-	dns_masterrawheader_t rawdata;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	INSIST(task == zone->task);
-	ENTER;
-
-	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
-		result = ISC_R_CANCELED;
-	isc_event_free(&event);
-	if (result == ISC_R_CANCELED)
-		goto fail;
-
-	LOCK_ZONE(zone);
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL) {
-		dns_db_currentversion(zone->db, &version);
-		dns_master_initrawheader(&rawdata);
-		if (inline_secure(zone))
-			get_raw_serial(zone->raw, &rawdata);
-		result = dns_master_dumpinc3(zone->mctx, zone->db, version,
-					     &dns_master_style_default,
-					     zone->masterfile, zone->task,
-					     dump_done, zone, &zone->dctx,
-					     zone->masterformat, &rawdata);
-		dns_db_closeversion(zone->db, &version, ISC_FALSE);
-	} else
-		result = ISC_R_CANCELED;
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-	UNLOCK_ZONE(zone);
-	if (result != DNS_R_CONTINUE)
-		goto fail;
-	return;
-
- fail:
-	dump_done(zone, result);
-}
-
-/*
- * Save the raw serial number for inline-signing zones.
- * (XXX: Other information from the header will be used
- * for other purposes in the future, but for now this is
- * all we're interested in.)
- */
-static void
-zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
-	if ((header->flags & DNS_MASTERRAW_SOURCESERIALSET) == 0)
-		return;
-
-	zone->sourceserial = header->sourceserial;
-	zone->sourceserialset = ISC_TRUE;
-}
-
-void
-dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
-	if (zone == NULL)
-		return;
-
-	LOCK_ZONE(zone);
-	zone_setrawdata(zone, header);
-	UNLOCK_ZONE(zone);
-}
-
-static isc_result_t
-zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
-	dns_load_t *load;
-	isc_result_t result;
-	isc_result_t tresult;
-	unsigned int options;
-
-#ifdef BIND9
-	if (zone->is_rpz) {
-		result = dns_db_rpz_enabled(db, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-#endif
-
-	options = get_master_options(zone);
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
-		options |= DNS_MASTER_MANYERRORS;
-
-	if (zone->zmgr != NULL && zone->db != NULL && zone->loadtask != NULL) {
-		load = isc_mem_get(zone->mctx, sizeof(*load));
-		if (load == NULL)
-			return (ISC_R_NOMEMORY);
-
-		load->mctx = NULL;
-		load->zone = NULL;
-		load->db = NULL;
-		load->loadtime = loadtime;
-		load->magic = LOAD_MAGIC;
-
-		isc_mem_attach(zone->mctx, &load->mctx);
-		zone_iattach(zone, &load->zone);
-		dns_db_attach(db, &load->db);
-		dns_rdatacallbacks_init(&load->callbacks);
-		load->callbacks.rawdata = zone_setrawdata;
-		zone_iattach(zone, &load->callbacks.zone);
-		result = dns_db_beginload(db, &load->callbacks.add,
-					  &load->callbacks.add_private);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		result = zonemgr_getio(zone->zmgr, ISC_TRUE, zone->loadtask,
-				       zone_gotreadhandle, load,
-				       &zone->readio);
-		if (result != ISC_R_SUCCESS) {
-			/*
-			 * We can't report multiple errors so ignore
-			 * the result of dns_db_endload().
-			 */
-			(void)dns_db_endload(load->db,
-					     &load->callbacks.add_private);
-			goto cleanup;
-		} else
-			result = DNS_R_CONTINUE;
-	} else {
-		dns_rdatacallbacks_t callbacks;
-
-		dns_rdatacallbacks_init(&callbacks);
-		callbacks.rawdata = zone_setrawdata;
-		zone_iattach(zone, &callbacks.zone);
-		result = dns_db_beginload(db, &callbacks.add,
-					  &callbacks.add_private);
-		if (result != ISC_R_SUCCESS) {
-			zone_idetach(&callbacks.zone);
-			return (result);
-		}
-		result = dns_master_loadfile3(zone->masterfile,
-					      &zone->origin, &zone->origin,
-					      zone->rdclass, options,
-					      zone->sigresigninginterval,
-					      &callbacks, zone->mctx,
-					      zone->masterformat);
-		tresult = dns_db_endload(db, &callbacks.add_private);
-		if (result == ISC_R_SUCCESS)
-			result = tresult;
-		zone_idetach(&callbacks.zone);
-	}
-
-	return (result);
-
- cleanup:
-	load->magic = 0;
-	dns_db_detach(&load->db);
-	zone_idetach(&load->zone);
-	zone_idetach(&load->callbacks.zone);
-	isc_mem_detach(&load->mctx);
-	isc_mem_put(zone->mctx, load, sizeof(*load));
-	return (result);
-}
-
-static isc_boolean_t
-zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
-	      dns_name_t *owner)
-{
-	isc_result_t result;
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char altbuf[DNS_NAME_FORMATSIZE];
-	dns_fixedname_t fixed;
-	dns_name_t *foundname;
-	int level;
-
-	/*
-	 * "." means the services does not exist.
-	 */
-	if (dns_name_equal(name, dns_rootname))
-		return (ISC_TRUE);
-
-	/*
-	 * Outside of zone.
-	 */
-	if (!dns_name_issubdomain(name, &zone->origin)) {
-		if (zone->checkmx != NULL)
-			return ((zone->checkmx)(zone, name, owner));
-		return (ISC_TRUE);
-	}
-
-	if (zone->type == dns_zone_master)
-		level = ISC_LOG_ERROR;
-	else
-		level = ISC_LOG_WARNING;
-
-	dns_fixedname_init(&fixed);
-	foundname = dns_fixedname_name(&fixed);
-
-	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
-			     0, 0, NULL, foundname, NULL, NULL);
-	if (result == ISC_R_SUCCESS)
-		return (ISC_TRUE);
-
-	if (result == DNS_R_NXRRSET) {
-		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
-				     0, 0, NULL, foundname, NULL, NULL);
-		if (result == ISC_R_SUCCESS)
-			return (ISC_TRUE);
-	}
-
-	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
-	dns_name_format(name, namebuf, sizeof namebuf);
-	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
-	    result == DNS_R_EMPTYNAME) {
-		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
-			level = ISC_LOG_WARNING;
-		dns_zone_log(zone, level,
-			     "%s/MX '%s' has no address records (A or AAAA)",
-			     ownerbuf, namebuf);
-		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
-	}
-
-	if (result == DNS_R_CNAME) {
-		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
-		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
-			level = ISC_LOG_WARNING;
-		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
-			dns_zone_log(zone, level,
-				     "%s/MX '%s' is a CNAME (illegal)",
-				     ownerbuf, namebuf);
-		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
-	}
-
-	if (result == DNS_R_DNAME) {
-		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
-		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
-			level = ISC_LOG_WARNING;
-		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
-			dns_name_format(foundname, altbuf, sizeof altbuf);
-			dns_zone_log(zone, level, "%s/MX '%s' is below a DNAME"
-				     " '%s' (illegal)", ownerbuf, namebuf,
-				     altbuf);
-		}
-		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
-	}
-
-	if (zone->checkmx != NULL && result == DNS_R_DELEGATION)
-		return ((zone->checkmx)(zone, name, owner));
-
-	return (ISC_TRUE);
-}
-
-static isc_boolean_t
-zone_check_srv(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
-	       dns_name_t *owner)
-{
-	isc_result_t result;
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char altbuf[DNS_NAME_FORMATSIZE];
-	dns_fixedname_t fixed;
-	dns_name_t *foundname;
-	int level;
-
-	/*
-	 * "." means the services does not exist.
-	 */
-	if (dns_name_equal(name, dns_rootname))
-		return (ISC_TRUE);
-
-	/*
-	 * Outside of zone.
-	 */
-	if (!dns_name_issubdomain(name, &zone->origin)) {
-		if (zone->checksrv != NULL)
-			return ((zone->checksrv)(zone, name, owner));
-		return (ISC_TRUE);
-	}
-
-	if (zone->type == dns_zone_master)
-		level = ISC_LOG_ERROR;
-	else
-		level = ISC_LOG_WARNING;
-
-	dns_fixedname_init(&fixed);
-	foundname = dns_fixedname_name(&fixed);
-
-	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
-			     0, 0, NULL, foundname, NULL, NULL);
-	if (result == ISC_R_SUCCESS)
-		return (ISC_TRUE);
-
-	if (result == DNS_R_NXRRSET) {
-		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
-				     0, 0, NULL, foundname, NULL, NULL);
-		if (result == ISC_R_SUCCESS)
-			return (ISC_TRUE);
-	}
-
-	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
-	dns_name_format(name, namebuf, sizeof namebuf);
-	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
-	    result == DNS_R_EMPTYNAME) {
-		dns_zone_log(zone, level,
-			     "%s/SRV '%s' has no address records (A or AAAA)",
-			     ownerbuf, namebuf);
-		/* XXX950 make fatal for 9.5.0. */
-		return (ISC_TRUE);
-	}
-
-	if (result == DNS_R_CNAME) {
-		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
-		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
-			level = ISC_LOG_WARNING;
-		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
-			dns_zone_log(zone, level,
-				     "%s/SRV '%s' is a CNAME (illegal)",
-				     ownerbuf, namebuf);
-		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
-	}
-
-	if (result == DNS_R_DNAME) {
-		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
-		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
-			level = ISC_LOG_WARNING;
-		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
-			dns_name_format(foundname, altbuf, sizeof altbuf);
-			dns_zone_log(zone, level, "%s/SRV '%s' is below a "
-				     "DNAME '%s' (illegal)", ownerbuf, namebuf,
-				     altbuf);
-		}
-		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
-	}
-
-	if (zone->checksrv != NULL && result == DNS_R_DELEGATION)
-		return ((zone->checksrv)(zone, name, owner));
-
-	return (ISC_TRUE);
-}
-
-static isc_boolean_t
-zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
-		dns_name_t *owner)
-{
-	isc_boolean_t answer = ISC_TRUE;
-	isc_result_t result, tresult;
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char altbuf[DNS_NAME_FORMATSIZE];
-	dns_fixedname_t fixed;
-	dns_name_t *foundname;
-	dns_rdataset_t a;
-	dns_rdataset_t aaaa;
-	int level;
-
-	/*
-	 * Outside of zone.
-	 */
-	if (!dns_name_issubdomain(name, &zone->origin)) {
-		if (zone->checkns != NULL)
-			return ((zone->checkns)(zone, name, owner, NULL, NULL));
-		return (ISC_TRUE);
-	}
-
-	if (zone->type == dns_zone_master)
-		level = ISC_LOG_ERROR;
-	else
-		level = ISC_LOG_WARNING;
-
-	dns_fixedname_init(&fixed);
-	foundname = dns_fixedname_name(&fixed);
-	dns_rdataset_init(&a);
-	dns_rdataset_init(&aaaa);
-
-	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
-			     DNS_DBFIND_GLUEOK, 0, NULL,
-			     foundname, &a, NULL);
-
-	if (result == ISC_R_SUCCESS) {
-		dns_rdataset_disassociate(&a);
-		return (ISC_TRUE);
-	} else if (result == DNS_R_DELEGATION)
-		dns_rdataset_disassociate(&a);
-
-	if (result == DNS_R_NXRRSET || result == DNS_R_DELEGATION ||
-	    result == DNS_R_GLUE) {
-		tresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
-				     DNS_DBFIND_GLUEOK, 0, NULL,
-				     foundname, &aaaa, NULL);
-		if (tresult == ISC_R_SUCCESS) {
-			dns_rdataset_disassociate(&aaaa);
-			return (ISC_TRUE);
-		}
-		if (tresult == DNS_R_DELEGATION)
-			dns_rdataset_disassociate(&aaaa);
-		if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
-			/*
-			 * Check glue against child zone.
-			 */
-			if (zone->checkns != NULL)
-				answer = (zone->checkns)(zone, name, owner,
-							 &a, &aaaa);
-			if (dns_rdataset_isassociated(&a))
-				dns_rdataset_disassociate(&a);
-			if (dns_rdataset_isassociated(&aaaa))
-				dns_rdataset_disassociate(&aaaa);
-			return (answer);
-		}
-	}
-
-	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
-	dns_name_format(name, namebuf, sizeof namebuf);
-	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
-	    result == DNS_R_EMPTYNAME || result == DNS_R_DELEGATION) {
-		const char *what;
-		isc_boolean_t required = ISC_FALSE;
-		if (dns_name_issubdomain(name, owner)) {
-			what = "REQUIRED GLUE ";
-			required = ISC_TRUE;
-		 } else if (result == DNS_R_DELEGATION)
-			what = "SIBLING GLUE ";
-		else
-			what = "";
-
-		if (result != DNS_R_DELEGATION || required ||
-		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING)) {
-			dns_zone_log(zone, level, "%s/NS '%s' has no %s"
-				     "address records (A or AAAA)",
-				     ownerbuf, namebuf, what);
-			/*
-			 * Log missing address record.
-			 */
-			if (result == DNS_R_DELEGATION && zone->checkns != NULL)
-				(void)(zone->checkns)(zone, name, owner,
-						      &a, &aaaa);
-			/* XXX950 make fatal for 9.5.0. */
-			/* answer = ISC_FALSE; */
-		}
-	} else if (result == DNS_R_CNAME) {
-		dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)",
-			     ownerbuf, namebuf);
-		/* XXX950 make fatal for 9.5.0. */
-		/* answer = ISC_FALSE; */
-	} else if (result == DNS_R_DNAME) {
-		dns_name_format(foundname, altbuf, sizeof altbuf);
-		dns_zone_log(zone, level,
-			     "%s/NS '%s' is below a DNAME '%s' (illegal)",
-			     ownerbuf, namebuf, altbuf);
-		/* XXX950 make fatal for 9.5.0. */
-		/* answer = ISC_FALSE; */
-	}
-
-	if (dns_rdataset_isassociated(&a))
-		dns_rdataset_disassociate(&a);
-	if (dns_rdataset_isassociated(&aaaa))
-		dns_rdataset_disassociate(&aaaa);
-	return (answer);
-}
-
-static isc_boolean_t
-zone_rrset_check_dup(dns_zone_t *zone, dns_name_t *owner,
-		     dns_rdataset_t *rdataset)
-{
-	dns_rdataset_t tmprdataset;
-	isc_result_t result;
-	isc_boolean_t answer = ISC_TRUE;
-	isc_boolean_t format = ISC_TRUE;
-	int level = ISC_LOG_WARNING;
-	char ownerbuf[DNS_NAME_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	unsigned int count1 = 0;
-
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRRFAIL))
-		level = ISC_LOG_ERROR;
-
-	dns_rdataset_init(&tmprdataset);
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdata_t rdata1 = DNS_RDATA_INIT;
-		unsigned int count2 = 0;
-
-		count1++;
-		dns_rdataset_current(rdataset, &rdata1);
-		dns_rdataset_clone(rdataset, &tmprdataset);
-		for (result = dns_rdataset_first(&tmprdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&tmprdataset)) {
-			dns_rdata_t rdata2 = DNS_RDATA_INIT;
-			count2++;
-			if (count1 >= count2)
-				continue;
-			dns_rdataset_current(&tmprdataset, &rdata2);
-			if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
-				if (format) {
-					dns_name_format(owner, ownerbuf,
-							sizeof ownerbuf);
-					dns_rdatatype_format(rdata1.type,
-							     typebuf,
-							     sizeof(typebuf));
-					format = ISC_FALSE;
-				}
-				dns_zone_log(zone, level, "%s/%s has "
-					     "semantically identical records",
-					     ownerbuf, typebuf);
-				if (level == ISC_LOG_ERROR)
-					answer = ISC_FALSE;
-				break;
-			}
-		}
-		dns_rdataset_disassociate(&tmprdataset);
-		if (!format)
-			break;
-	}
-	return (answer);
-}
-
-static isc_boolean_t
-zone_check_dup(dns_zone_t *zone, dns_db_t *db) {
-	dns_dbiterator_t *dbiterator = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	dns_rdataset_t rdataset;
-	dns_rdatasetiter_t *rdsit = NULL;
-	isc_boolean_t ok = ISC_TRUE;
-	isc_result_t result;
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_createiterator(db, 0, &dbiterator);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_TRUE);
-
-	for (result = dns_dbiterator_first(dbiterator);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiterator)) {
-		result = dns_dbiterator_current(dbiterator, &node, name);
-		if (result != ISC_R_SUCCESS)
-			continue;
-
-		result = dns_db_allrdatasets(db, node, NULL, 0, &rdsit);
-		if (result != ISC_R_SUCCESS)
-			continue;
-
-		for (result = dns_rdatasetiter_first(rdsit);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(rdsit)) {
-			dns_rdatasetiter_current(rdsit, &rdataset);
-			if (!zone_rrset_check_dup(zone, name, &rdataset))
-				ok = ISC_FALSE;
-			dns_rdataset_disassociate(&rdataset);
-		}
-		dns_rdatasetiter_destroy(&rdsit);
-		dns_db_detachnode(db, &node);
-	}
-
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	dns_dbiterator_destroy(&dbiterator);
-
-	return (ok);
-}
-
-static isc_boolean_t
-isspf(const dns_rdata_t *rdata) {
-	char buf[1024];
-	const unsigned char *data = rdata->data;
-	unsigned int rdl = rdata->length, i = 0, tl, len;
-
-	while (rdl > 0U) {
-		len = tl = *data;
-		++data;
-		--rdl;
-		INSIST(tl <= rdl);
-		if (len > sizeof(buf) - i - 1)
-			len = sizeof(buf) - i - 1;
-		memcpy(buf + i, data, len);
-		i += len;
-		data += tl;
-		rdl -= tl;
-	}
-
-	if (i < 6U)
-		return(ISC_FALSE);
-
-	buf[i] = 0;
-	if (strncmp(buf, "v=spf1", 6) == 0 && (buf[6] == 0 || buf[6] == ' '))
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-static isc_boolean_t
-integrity_checks(dns_zone_t *zone, dns_db_t *db) {
-	dns_dbiterator_t *dbiterator = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_fixedname_t fixed;
-	dns_fixedname_t fixedbottom;
-	dns_rdata_mx_t mx;
-	dns_rdata_ns_t ns;
-	dns_rdata_in_srv_t srv;
-	dns_rdata_t rdata;
-	dns_name_t *name;
-	dns_name_t *bottom;
-	isc_result_t result;
-	isc_boolean_t ok = ISC_TRUE, have_spf, have_txt;
-
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	dns_fixedname_init(&fixedbottom);
-	bottom = dns_fixedname_name(&fixedbottom);
-	dns_rdataset_init(&rdataset);
-	dns_rdata_init(&rdata);
-
-	result = dns_db_createiterator(db, 0, &dbiterator);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_TRUE);
-
-	result = dns_dbiterator_first(dbiterator);
-	while (result == ISC_R_SUCCESS) {
-		result = dns_dbiterator_current(dbiterator, &node, name);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-
-		/*
-		 * Is this name visible in the zone?
-		 */
-		if (!dns_name_issubdomain(name, &zone->origin) ||
-		    (dns_name_countlabels(bottom) > 0 &&
-		     dns_name_issubdomain(name, bottom)))
-			goto next;
-
-		/*
-		 * Don't check the NS records at the origin.
-		 */
-		if (dns_name_equal(name, &zone->origin))
-			goto checkmx;
-
-		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
-					     0, 0, &rdataset, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto checkmx;
-		/*
-		 * Remember bottom of zone.
-		 */
-		dns_name_copy(name, bottom, NULL);
-
-		result = dns_rdataset_first(&rdataset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdataset_current(&rdataset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &ns, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if (!zone_check_glue(zone, db, &ns.name, name))
-				ok = ISC_FALSE;
-			dns_rdata_reset(&rdata);
-			result = dns_rdataset_next(&rdataset);
-		}
-		dns_rdataset_disassociate(&rdataset);
-		goto next;
-
- checkmx:
-		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx,
-					     0, 0, &rdataset, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto checksrv;
-		result = dns_rdataset_first(&rdataset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdataset_current(&rdataset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &mx, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if (!zone_check_mx(zone, db, &mx.mx, name))
-				ok = ISC_FALSE;
-			dns_rdata_reset(&rdata);
-			result = dns_rdataset_next(&rdataset);
-		}
-		dns_rdataset_disassociate(&rdataset);
-
- checksrv:
-		if (zone->rdclass != dns_rdataclass_in)
-			goto next;
-		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_srv,
-					     0, 0, &rdataset, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto checkspf;
-		result = dns_rdataset_first(&rdataset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdataset_current(&rdataset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &srv, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if (!zone_check_srv(zone, db, &srv.target, name))
-				ok = ISC_FALSE;
-			dns_rdata_reset(&rdata);
-			result = dns_rdataset_next(&rdataset);
-		}
-		dns_rdataset_disassociate(&rdataset);
-
- checkspf:
-		/*
-		 * Check if there is a type TXT spf record without a type SPF
-		 * RRset being present.
-		 */
-		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF))
-			goto next;
-		if (zone->rdclass != dns_rdataclass_in)
-			goto next;
-		have_spf = have_txt = ISC_FALSE;
-		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_spf,
-					     0, 0, &rdataset, NULL);
-		if (result == ISC_R_SUCCESS) {
-			dns_rdataset_disassociate(&rdataset);
-			have_spf = ISC_TRUE;
-		}
-		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_txt,
-					     0, 0, &rdataset, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto notxt;
-		result = dns_rdataset_first(&rdataset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdataset_current(&rdataset, &rdata);
-			have_txt = isspf(&rdata);
-			dns_rdata_reset(&rdata);
-			if (have_txt)
-				break;
-			result = dns_rdataset_next(&rdataset);
-		}
-		dns_rdataset_disassociate(&rdataset);
-
- notxt:
-		if (have_spf != have_txt) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-			const char *found = have_txt ? "TXT" : "SPF";
-			const char *need = have_txt ? "SPF" : "TXT";
-
-			dns_name_format(name, namebuf, sizeof(namebuf));
-			dns_zone_log(zone, ISC_LOG_WARNING, "'%s' found SPF/%s "
-				     "record but no SPF/%s record found, add "
-				     "matching type %s record", namebuf, found,
-				     need, need);
-		}
-
- next:
-		dns_db_detachnode(db, &node);
-		result = dns_dbiterator_next(dbiterator);
-	}
-
- cleanup:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	dns_dbiterator_destroy(&dbiterator);
-
-	return (ok);
-}
-
-/*
- * OpenSSL verification of RSA keys with exponent 3 is known to be
- * broken prior OpenSSL 0.9.8c/0.9.7k.	Look for such keys and warn
- * if they are in use.
- */
-static void
-zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-	isc_boolean_t logit, foundrsa = ISC_FALSE, foundmd5 = ISC_FALSE;
-	const char *algorithm;
-
-	result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_db_currentversion(db, &version);
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
-				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset))
-	{
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
-		INSIST(result == ISC_R_SUCCESS);
-
-		if ((dnskey.algorithm == DST_ALG_RSASHA1 ||
-		     dnskey.algorithm == DST_ALG_RSAMD5) &&
-		     dnskey.datalen > 1 && dnskey.data[0] == 1 &&
-		     dnskey.data[1] == 3)
-		{
-			if (dnskey.algorithm == DST_ALG_RSASHA1) {
-				logit = !foundrsa;
-				foundrsa = ISC_TRUE;
-				algorithm = "RSASHA1";
-			} else {
-				logit = !foundmd5;
-				foundmd5 = ISC_TRUE;
-				algorithm = "RSAMD5";
-			}
-			if (logit)
-				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "weak %s (%u) key found "
-					     "(exponent=3)", algorithm,
-					     dnskey.algorithm);
-			if (foundrsa && foundmd5)
-				break;
-		}
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&rdataset);
-
- cleanup:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (version != NULL)
-		dns_db_closeversion(db, &version, ISC_FALSE);
-}
-
-static void
-resume_signingwithkey(dns_zone_t *zone) {
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-
-	result = dns_db_findnode(zone->db, &zone->origin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_db_currentversion(zone->db, &version);
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(zone->db, node, version,
-				     zone->privatetype,
-				     dns_rdatatype_none, 0,
-				     &rdataset, NULL);
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto cleanup;
-	}
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset))
-	{
-		dns_rdataset_current(&rdataset, &rdata);
-		if (rdata.length != 5 ||
-		    rdata.data[0] == 0 || rdata.data[4] != 0) {
-			dns_rdata_reset(&rdata);
-			continue;
-		}
-
-		result = zone_signwithkey(zone, rdata.data[0],
-					  (rdata.data[1] << 8) | rdata.data[2],
-					  ISC_TF(rdata.data[3]));
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_signwithkey failed: %s",
-				     dns_result_totext(result));
-		}
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&rdataset);
-
- cleanup:
-	if (node != NULL)
-		dns_db_detachnode(zone->db, &node);
-	if (version != NULL)
-		dns_db_closeversion(zone->db, &version, ISC_FALSE);
-}
-
-static isc_result_t
-zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
-	dns_nsec3chain_t *nsec3chain, *current;
-	dns_dbversion_t *version = NULL;
-	isc_boolean_t nseconly = ISC_FALSE, nsec3ok = ISC_FALSE;
-	isc_result_t result;
-	isc_time_t now;
-	unsigned int options = 0;
-	char saltbuf[255*2+1];
-	char flags[sizeof("INITIAL|REMOVE|CREATE|NONSEC|OPTOUT")];
-	int i;
-
-	dns_db_currentversion(zone->db, &version);
-	result = dns_nsec_nseconly(zone->db, version, &nseconly);
-	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
-	dns_db_closeversion(zone->db, &version, ISC_FALSE);
-	if (!nsec3ok && (nsec3param->flags & DNS_NSEC3FLAG_REMOVE) == 0)
-		return (ISC_R_SUCCESS);
-
-	nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
-	if (nsec3chain == NULL)
-		return (ISC_R_NOMEMORY);
-
-	nsec3chain->magic = 0;
-	nsec3chain->done = ISC_FALSE;
-	nsec3chain->db = NULL;
-	nsec3chain->dbiterator = NULL;
-	nsec3chain->nsec3param.common.rdclass = nsec3param->common.rdclass;
-	nsec3chain->nsec3param.common.rdtype = nsec3param->common.rdtype;
-	nsec3chain->nsec3param.hash = nsec3param->hash;
-	nsec3chain->nsec3param.iterations = nsec3param->iterations;
-	nsec3chain->nsec3param.flags = nsec3param->flags;
-	nsec3chain->nsec3param.salt_length = nsec3param->salt_length;
-	memcpy(nsec3chain->salt, nsec3param->salt, nsec3param->salt_length);
-	nsec3chain->nsec3param.salt = nsec3chain->salt;
-	nsec3chain->seen_nsec = ISC_FALSE;
-	nsec3chain->delete_nsec = ISC_FALSE;
-	nsec3chain->save_delete_nsec = ISC_FALSE;
-
-	if (nsec3param->flags == 0)
-		strlcpy(flags, "NONE", sizeof(flags));
-	else {
-		flags[0] = '\0';
-		if (nsec3param->flags & DNS_NSEC3FLAG_REMOVE)
-			strlcat(flags, "REMOVE", sizeof(flags));
-		if (nsec3param->flags & DNS_NSEC3FLAG_INITIAL) {
-			if (flags[0] == '\0')
-				strlcpy(flags, "INITIAL", sizeof(flags));
-			else
-				strlcat(flags, "|INITIAL", sizeof(flags));
-		}
-		if (nsec3param->flags & DNS_NSEC3FLAG_CREATE) {
-			if (flags[0] == '\0')
-				strlcpy(flags, "CREATE", sizeof(flags));
-			else
-				strlcat(flags, "|CREATE", sizeof(flags));
-		}
-		if (nsec3param->flags & DNS_NSEC3FLAG_NONSEC) {
-			if (flags[0] == '\0')
-				strlcpy(flags, "NONSEC", sizeof(flags));
-			else
-				strlcat(flags, "|NONSEC", sizeof(flags));
-		}
-		if (nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) {
-			if (flags[0] == '\0')
-				strlcpy(flags, "OPTOUT", sizeof(flags));
-			else
-				strlcat(flags, "|OPTOUT", sizeof(flags));
-		}
-	}
-	if (nsec3param->salt_length == 0)
-		strlcpy(saltbuf, "-", sizeof(saltbuf));
-	else
-		for (i = 0; i < nsec3param->salt_length; i++)
-			sprintf(&saltbuf[i*2], "%02X", nsec3chain->salt[i]);
-	dns_zone_log(zone, ISC_LOG_INFO,
-		     "zone_addnsec3chain(%u,%s,%u,%s)",
-		      nsec3param->hash, flags, nsec3param->iterations,
-		      saltbuf);
-
-	for (current = ISC_LIST_HEAD(zone->nsec3chain);
-	     current != NULL;
-	     current = ISC_LIST_NEXT(current, link)) {
-		if (current->db == zone->db &&
-		    current->nsec3param.hash == nsec3param->hash &&
-		    current->nsec3param.iterations == nsec3param->iterations &&
-		    current->nsec3param.salt_length == nsec3param->salt_length
-		    && !memcmp(current->nsec3param.salt, nsec3param->salt,
-			       nsec3param->salt_length))
-			current->done = ISC_TRUE;
-	}
-
-	if (zone->db != NULL) {
-		dns_db_attach(zone->db, &nsec3chain->db);
-		if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0)
-			options = DNS_DB_NONSEC3;
-		result = dns_db_createiterator(nsec3chain->db, options,
-					       &nsec3chain->dbiterator);
-		if (result == ISC_R_SUCCESS)
-			dns_dbiterator_first(nsec3chain->dbiterator);
-		if (result == ISC_R_SUCCESS) {
-			dns_dbiterator_pause(nsec3chain->dbiterator);
-			ISC_LIST_INITANDAPPEND(zone->nsec3chain,
-					       nsec3chain, link);
-			nsec3chain = NULL;
-			if (isc_time_isepoch(&zone->nsec3chaintime)) {
-				TIME_NOW(&now);
-				zone->nsec3chaintime = now;
-				if (zone->task != NULL)
-					zone_settimer(zone, &now);
-			}
-		}
-	} else
-		result = ISC_R_NOTFOUND;
-
-	if (nsec3chain != NULL) {
-		if (nsec3chain->db != NULL)
-			dns_db_detach(&nsec3chain->db);
-		if (nsec3chain->dbiterator != NULL)
-			dns_dbiterator_destroy(&nsec3chain->dbiterator);
-		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
-	}
-	return (result);
-}
-
-static void
-resume_addnsec3chain(dns_zone_t *zone) {
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-	dns_rdata_nsec3param_t nsec3param;
-	isc_boolean_t nseconly = ISC_FALSE, nsec3ok = ISC_FALSE;
-
-	if (zone->privatetype == 0)
-		return;
-
-	result = dns_db_findnode(zone->db, &zone->origin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_db_currentversion(zone->db, &version);
-
-	result = dns_nsec_nseconly(zone->db, version, &nseconly);
-	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(zone->db, node, version,
-				     zone->privatetype, dns_rdatatype_none,
-				     0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto cleanup;
-	}
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset))
-	{
-		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_rdata_t private = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &private);
-		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
-						sizeof(buf)))
-			continue;
-		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		if (((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) ||
-		    ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 && nsec3ok))
-		{
-			result = zone_addnsec3chain(zone, &nsec3param);
-			if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_addnsec3chain failed: %s",
-					     dns_result_totext(result));
-			}
-		}
-	}
-	dns_rdataset_disassociate(&rdataset);
- cleanup:
-	if (node != NULL)
-		dns_db_detachnode(zone->db, &node);
-	if (version != NULL)
-		dns_db_closeversion(zone->db, &version, ISC_FALSE);
-}
-
-static void
-set_resigntime(dns_zone_t *zone) {
-	dns_rdataset_t rdataset;
-	dns_fixedname_t fixed;
-	unsigned int resign;
-	isc_result_t result;
-	isc_uint32_t nanosecs;
-
-	dns_rdataset_init(&rdataset);
-	dns_fixedname_init(&fixed);
-	result = dns_db_getsigningtime(zone->db, &rdataset,
-				       dns_fixedname_name(&fixed));
-	if (result != ISC_R_SUCCESS) {
-		isc_time_settoepoch(&zone->resigntime);
-		return;
-	}
-	resign = rdataset.resign;
-	dns_rdataset_disassociate(&rdataset);
-	isc_random_get(&nanosecs);
-	nanosecs %= 1000000000;
-	isc_time_set(&zone->resigntime, resign, nanosecs);
-}
-
-static isc_result_t
-check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_dbversion_t *version = NULL;
-	dns_rdata_nsec3param_t nsec3param;
-	isc_boolean_t ok = ISC_FALSE;
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_boolean_t dynamic = (zone->type == dns_zone_master) ?
-				dns_zone_isdynamic(zone, ISC_FALSE) : ISC_FALSE;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "nsec3param lookup failure: %s",
-			     dns_result_totext(result));
-		return (result);
-	}
-	dns_db_currentversion(db, &version);
-
-	result = dns_db_findrdataset(db, node, version,
-				     dns_rdatatype_nsec3param,
-				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		result = ISC_R_SUCCESS;
-		goto cleanup;
-	}
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "nsec3param lookup failure: %s",
-			     dns_result_totext(result));
-		goto cleanup;
-	}
-
-	/*
-	 * For dynamic zones we must support every algorithm so we can
-	 * regenerate all the NSEC3 chains.
-	 * For non-dynamic zones we only need to find a supported algorithm.
-	 */
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset))
-	{
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
-		dns_rdata_reset(&rdata);
-		INSIST(result == ISC_R_SUCCESS);
-		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) &&
-		    nsec3param.hash == DNS_NSEC3_UNKNOWNALG && !dynamic)
-		{
-			dns_zone_log(zone, ISC_LOG_WARNING,
-			     "nsec3 test \"unknown\" hash algorithm found: %u",
-				     nsec3param.hash);
-			ok = ISC_TRUE;
-		} else if (!dns_nsec3_supportedhash(nsec3param.hash)) {
-			if (dynamic) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "unsupported nsec3 hash algorithm"
-					     " in dynamic zone: %u",
-					     nsec3param.hash);
-				result = DNS_R_BADZONE;
-				/* Stop second error message. */
-				ok = ISC_TRUE;
-				break;
-			} else
-				dns_zone_log(zone, ISC_LOG_WARNING,
-				     "unsupported nsec3 hash algorithm: %u",
-					     nsec3param.hash);
-		} else
-			ok = ISC_TRUE;
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	if (!ok) {
-		result = DNS_R_BADZONE;
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "no supported nsec3 hash algorithm");
-	}
-
- cleanup:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	dns_db_closeversion(db, &version, ISC_FALSE);
-	dns_db_detachnode(db, &node);
-	return (result);
-}
-
-/*
- * Set the timer for refreshing the key zone to the soonest future time
- * of the set (current timer, keydata->refresh, keydata->addhd,
- * keydata->removehd).
- */
-static void
-set_refreshkeytimer(dns_zone_t *zone, dns_rdata_keydata_t *key,
-		    isc_stdtime_t now)
-{
-	const char me[] = "set_refreshkeytimer";
-	isc_stdtime_t then;
-	isc_time_t timenow, timethen;
-	char timebuf[80];
-
-	ENTER;
-	then = key->refresh;
-	if (key->addhd > now && key->addhd < then)
-		then = key->addhd;
-	if (key->removehd > now && key->removehd < then)
-		then = key->removehd;
-
-	TIME_NOW(&timenow);
-	if (then > now)
-		DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
-	else
-		timethen = timenow;
-	if (isc_time_compare(&zone->refreshkeytime, &timenow) < 0 ||
-	    isc_time_compare(&timethen, &zone->refreshkeytime) < 0)
-		zone->refreshkeytime = timethen;
-
-	isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
-	dns_zone_log(zone, ISC_LOG_DEBUG(1), "next key refresh: %s", timebuf);
-	zone_settimer(zone, &timenow);
-}
-
-/*
- * Convert key(s) linked from 'keynode' to KEYDATA and add to the key zone.
- * If the key zone is changed, set '*changed' to ISC_TRUE.
- */
-static isc_result_t
-create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	       dns_diff_t *diff, dns_keytable_t *keytable,
-	       dns_keynode_t **keynodep, isc_boolean_t *changed)
-{
-	const char me[] = "create_keydata";
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_buffer_t keyb, dstb;
-	unsigned char key_buf[4096], dst_buf[DST_KEY_MAXSIZE];
-	dns_rdata_keydata_t keydata;
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_keynode_t *keynode;
-	isc_stdtime_t now;
-	isc_region_t r;
-	dst_key_t *key;
-
-	REQUIRE(keynodep != NULL);
-	keynode = *keynodep;
-
-	ENTER;
-	isc_stdtime_get(&now);
-
-	/* Loop in case there's more than one key. */
-	while (result == ISC_R_SUCCESS) {
-		dns_keynode_t *nextnode = NULL;
-
-		key = dns_keynode_key(keynode);
-		if (key == NULL)
-			goto skip;
-
-		isc_buffer_init(&dstb, dst_buf, sizeof(dst_buf));
-		CHECK(dst_key_todns(key, &dstb));
-
-		/* Convert DST key to DNSKEY. */
-		dns_rdata_reset(&rdata);
-		isc_buffer_usedregion(&dstb, &r);
-		dns_rdata_fromregion(&rdata, dst_key_class(key),
-				     dns_rdatatype_dnskey, &r);
-
-		/* DSTKEY to KEYDATA. */
-		CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
-		CHECK(dns_keydata_fromdnskey(&keydata, &dnskey, now, 0, 0,
-					     NULL));
-
-		/* KEYDATA to rdata. */
-		dns_rdata_reset(&rdata);
-		isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
-		CHECK(dns_rdata_fromstruct(&rdata,
-					   zone->rdclass, dns_rdatatype_keydata,
-					   &keydata, &keyb));
-
-		/* Add rdata to zone. */
-		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD,
-				    dst_key_name(key), 0, &rdata));
-		*changed = ISC_TRUE;
-		/* Refresh new keys from the zone apex as soon as possible. */
-		set_refreshkeytimer(zone, &keydata, now);
-
- skip:
-		result = dns_keytable_nextkeynode(keytable, keynode, &nextnode);
-		if (result != ISC_R_NOTFOUND) {
-			dns_keytable_detachkeynode(keytable, &keynode);
-			keynode = nextnode;
-		}
-	}
-
-	if (keynode != NULL)
-		dns_keytable_detachkeynode(keytable, &keynode);
-	*keynodep = NULL;
-
-	return (ISC_R_SUCCESS);
-
-  failure:
-	return (result);
-}
-
-/*
- * Remove from the key zone all the KEYDATA records found in rdataset.
- */
-static isc_result_t
-delete_keydata(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
-	       dns_name_t *name, dns_rdataset_t *rdataset)
-{
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result, uresult;
-
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(rdataset, &rdata);
-		uresult = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
-					name, 0, &rdata);
-		if (uresult != ISC_R_SUCCESS)
-			return (uresult);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-/*
- * Compute the DNSSEC key ID for a DNSKEY record.
- */
-static isc_result_t
-compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
-	    dns_keytag_t *tag)
-{
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char data[4096];
-	isc_buffer_t buffer;
-	dst_key_t *dstkey = NULL;
-
-	isc_buffer_init(&buffer, data, sizeof(data));
-	dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
-			     dns_rdatatype_dnskey, dnskey, &buffer);
-
-	result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
-	if (result == ISC_R_SUCCESS)
-		*tag = dst_key_id(dstkey);
-	dst_key_free(&dstkey);
-
-	return (result);
-}
-
-/*
- * Add key to the security roots.
- */
-static void
-trust_key(dns_zone_t *zone, dns_name_t *keyname,
-	  dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char data[4096];
-	isc_buffer_t buffer;
-	dns_keytable_t *sr = NULL;
-	dst_key_t *dstkey = NULL;
-
-	/* Convert dnskey to DST key. */
-	isc_buffer_init(&buffer, data, sizeof(data));
-	dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
-			     dns_rdatatype_dnskey, dnskey, &buffer);
-
-	result = dns_view_getsecroots(zone->view, &sr);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
-	CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
-	dns_keytable_detach(&sr);
-
-  failure:
-	if (dstkey != NULL)
-		dst_key_free(&dstkey);
-	if (sr != NULL)
-		dns_keytable_detach(&sr);
-	return;
-}
-
-/*
- * Add a null key to the security roots for so that all queries
- * to the zone will fail.
- */
-static void
-fail_secure(dns_zone_t *zone, dns_name_t *keyname) {
-	isc_result_t result;
-	dns_keytable_t *sr = NULL;
-
-	result = dns_view_getsecroots(zone->view, &sr);
-	if (result == ISC_R_SUCCESS) {
-		dns_keytable_marksecure(sr, keyname);
-		dns_keytable_detach(&sr);
-	}
-}
-
-/*
- * Scan a set of KEYDATA records from the key zone.  The ones that are
- * valid (i.e., the add holddown timer has expired) become trusted keys.
- */
-static void
-load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_keydata_t keydata;
-	dns_rdata_dnskey_t dnskey;
-	isc_mem_t *mctx = zone->mctx;
-	int trusted = 0, revoked = 0, pending = 0;
-	isc_stdtime_t now;
-	dns_keytable_t *sr = NULL;
-
-	isc_stdtime_get(&now);
-
-	result = dns_view_getsecroots(zone->view, &sr);
-	if (result == ISC_R_SUCCESS) {
-		dns_keytable_delete(sr, name);
-		dns_keytable_detach(&sr);
-	}
-
-	/* Now insert all the accepted trust anchors from this keydata set. */
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset)) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(rdataset, &rdata);
-
-		/* Convert rdata to keydata. */
-		result = dns_rdata_tostruct(&rdata, &keydata, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		/* Set the key refresh timer. */
-		set_refreshkeytimer(zone, &keydata, now);
-
-		/* If the removal timer is nonzero, this key was revoked. */
-		if (keydata.removehd != 0) {
-			revoked++;
-			continue;
-		}
-
-		/*
-		 * If the add timer is still pending, this key is not
-		 * trusted yet.
-		 */
-		if (now < keydata.addhd) {
-			pending++;
-			continue;
-		}
-
-		/* Convert keydata to dnskey. */
-		dns_keydata_todnskey(&keydata, &dnskey, NULL);
-
-		/* Add to keytables. */
-		trusted++;
-		trust_key(zone, name, &dnskey, mctx);
-	}
-
-	if (trusted == 0 && pending != 0) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		dns_name_format(name, namebuf, sizeof namebuf);
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "No valid trust anchors for '%s'!", namebuf);
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "%d key(s) revoked, %d still pending",
-			     revoked, pending);
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "All queries to '%s' will fail", namebuf);
-		fail_secure(zone, name);
-	}
-}
-
-static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
-	     dns_diff_t *diff)
-{
-	dns_diff_t temp_diff;
-	isc_result_t result;
-
-	/*
-	 * Create a singleton diff.
-	 */
-	dns_diff_init(diff->mctx, &temp_diff);
-	temp_diff.resign = diff->resign;
-	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
-
-	/*
-	 * Apply it to the database.
-	 */
-	result = dns_diff_apply(&temp_diff, db, ver);
-	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
-	if (result != ISC_R_SUCCESS) {
-		dns_difftuple_free(tuple);
-		return (result);
-	}
-
-	/*
-	 * Merge it into the current pending journal entry.
-	 */
-	dns_diff_appendminimal(diff, tuple);
-
-	/*
-	 * Do not clear temp_diff.
-	 */
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
-	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
-	      dns_rdata_t *rdata)
-{
-	dns_difftuple_t *tuple = NULL;
-	isc_result_t result;
-	result = dns_difftuple_create(diff->mctx, op,
-				      name, ttl, rdata, &tuple);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	return (do_one_tuple(&tuple, db, ver, diff));
-}
-
-static isc_result_t
-update_soa_serial(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
-		  isc_mem_t *mctx, dns_updatemethod_t method) {
-	dns_difftuple_t *deltuple = NULL;
-	dns_difftuple_t *addtuple = NULL;
-	isc_uint32_t serial;
-	isc_result_t result;
-
-	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
-	CHECK(dns_difftuple_copy(deltuple, &addtuple));
-	addtuple->op = DNS_DIFFOP_ADD;
-
-	serial = dns_soa_getserial(&addtuple->rdata);
-	serial = dns_update_soaserial(serial, method);
-	dns_soa_setserial(serial, &addtuple->rdata);
-	CHECK(do_one_tuple(&deltuple, db, ver, diff));
-	CHECK(do_one_tuple(&addtuple, db, ver, diff));
-	result = ISC_R_SUCCESS;
-
-	failure:
-	if (addtuple != NULL)
-		dns_difftuple_free(&addtuple);
-	if (deltuple != NULL)
-		dns_difftuple_free(&deltuple);
-	return (result);
-}
-
-/*
- * Write all transactions in 'diff' to the zone journal file.
- */
-static isc_result_t
-zone_journal(dns_zone_t *zone, dns_diff_t *diff, isc_uint32_t *sourceserial,
-	     const char *caller)
-{
-	const char me[] = "zone_journal";
-	const char *journalfile;
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_journal_t *journal = NULL;
-	unsigned int mode = DNS_JOURNAL_CREATE|DNS_JOURNAL_WRITE;
-
-	ENTER;
-	journalfile = dns_zone_getjournal(zone);
-	if (journalfile != NULL) {
-		result = dns_journal_open(zone->mctx, journalfile, mode,
-					  &journal);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s:dns_journal_open -> %s",
-				     caller, dns_result_totext(result));
-			return (result);
-		}
-
-		if (sourceserial != NULL)
-			dns_journal_set_sourceserial(journal, *sourceserial);
-
-		result = dns_journal_write_transaction(journal, diff);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "%s:dns_journal_write_transaction -> %s",
-				     caller, dns_result_totext(result));
-		}
-		dns_journal_destroy(&journal);
-	}
-
-	return (result);
-}
-
-/*
- * Create an SOA record for a newly-created zone
- */
-static isc_result_t
-add_soa(dns_zone_t *zone, dns_db_t *db) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char buf[DNS_SOA_BUFFERSIZE];
-	dns_dbversion_t *ver = NULL;
-	dns_diff_t diff;
-
-	dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA");
-
-	dns_diff_init(zone->mctx, &diff);
-	result = dns_db_newversion(db, &ver);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "add_soa:dns_db_newversion -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	/* Build SOA record */
-	result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass,
-				    0, 0, 0, 0, 0, buf, &rdata);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "add_soa:dns_soa_buildrdata -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD,
-			       &zone->origin, 0, &rdata);
-
-failure:
-	dns_diff_clear(&diff);
-	if (ver != NULL)
-		dns_db_closeversion(db, &ver, ISC_TF(result == ISC_R_SUCCESS));
-
-	return (result);
-}
-
-/*
- * Synchronize the set of initializing keys found in managed-keys {}
- * statements with the set of trust anchors found in the managed-keys.bind
- * zone.  If a domain is no longer named in managed-keys, delete all keys
- * from that domain from the key zone.	If a domain is mentioned in in
- * managed-keys but there are no references to it in the key zone, load
- * the key zone with the initializing key(s) for that domain.
- */
-static isc_result_t
-sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t changed = ISC_FALSE;
-	isc_boolean_t commit = ISC_FALSE;
-	dns_rbtnodechain_t chain;
-	dns_fixedname_t fn;
-	dns_name_t foundname, *origin;
-	dns_keynode_t *keynode = NULL;
-	dns_view_t *view = zone->view;
-	dns_keytable_t *sr = NULL;
-	dns_dbversion_t *ver = NULL;
-	dns_diff_t diff;
-	dns_rriterator_t rrit;
-
-	dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys");
-
-	dns_name_init(&foundname, NULL);
-	dns_fixedname_init(&fn);
-	origin = dns_fixedname_name(&fn);
-
-	dns_diff_init(zone->mctx, &diff);
-
-	CHECK(dns_view_getsecroots(view, &sr));
-
-	result = dns_db_newversion(db, &ver);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "sync_keyzone:dns_db_newversion -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	/*
-	 * Walk the zone DB.  If we find any keys whose names are no longer
-	 * in managed-keys (or *are* in trusted-keys, meaning they are
-	 * permanent and not RFC5011-maintained), delete them from the
-	 * zone.  Otherwise call load_secroots(), which loads keys into
-	 * secroots as appropriate.
-	 */
-	dns_rriterator_init(&rrit, db, ver, 0);
-	for (result = dns_rriterator_first(&rrit);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rriterator_nextrrset(&rrit)) {
-		dns_rdataset_t *rdataset = NULL;
-		dns_name_t *rrname = NULL;
-		isc_uint32_t ttl;
-
-		dns_rriterator_current(&rrit, &rrname, &ttl,
-				       &rdataset, NULL);
-		if (!dns_rdataset_isassociated(rdataset)) {
-			dns_rriterator_destroy(&rrit);
-			goto failure;
-		}
-
-		if (rdataset->type != dns_rdatatype_keydata)
-			continue;
-
-		result = dns_keytable_find(sr, rrname, &keynode);
-		if ((result != ISC_R_SUCCESS &&
-		     result != DNS_R_PARTIALMATCH) ||
-		    dns_keynode_managed(keynode) == ISC_FALSE) {
-			CHECK(delete_keydata(db, ver, &diff,
-					     rrname, rdataset));
-			changed = ISC_TRUE;
-		} else {
-			load_secroots(zone, rrname, rdataset);
-		}
-
-		if (keynode != NULL)
-			dns_keytable_detachkeynode(sr, &keynode);
-	}
-	dns_rriterator_destroy(&rrit);
-
-	/*
-	 * Now walk secroots to find any managed keys that aren't
-	 * in the zone.  If we find any, we add them to the zone.
-	 */
-	RWLOCK(&sr->rwlock, isc_rwlocktype_write);
-	dns_rbtnodechain_init(&chain, zone->mctx);
-	result = dns_rbtnodechain_first(&chain, sr->table, &foundname, origin);
-	if (result == ISC_R_NOTFOUND)
-		result = ISC_R_NOMORE;
-	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
-		dns_rbtnode_t *rbtnode = NULL;
-
-		dns_rbtnodechain_current(&chain, &foundname, origin, &rbtnode);
-		if (rbtnode->data == NULL)
-			goto skip;
-
-		dns_keytable_attachkeynode(sr, rbtnode->data, &keynode);
-		if (dns_keynode_managed(keynode)) {
-			dns_fixedname_t fname;
-			dns_name_t *keyname;
-			dst_key_t *key;
-
-			key = dns_keynode_key(keynode);
-			dns_fixedname_init(&fname);
-
-			if (key == NULL)   /* fail_secure() was called. */
-				goto skip;
-
-			keyname = dst_key_name(key);
-			result = dns_db_find(db, keyname, ver,
-					     dns_rdatatype_keydata,
-					     DNS_DBFIND_NOWILD, 0, NULL,
-					     dns_fixedname_name(&fname),
-					     NULL, NULL);
-			if (result != ISC_R_SUCCESS)
-				result = create_keydata(zone, db, ver, &diff,
-							sr, &keynode, &changed);
-			if (result != ISC_R_SUCCESS)
-				break;
-		}
-  skip:
-		result = dns_rbtnodechain_next(&chain, &foundname, origin);
-		if (keynode != NULL)
-			dns_keytable_detachkeynode(sr, &keynode);
-	}
-	RWUNLOCK(&sr->rwlock, isc_rwlocktype_write);
-
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
-	if (changed) {
-		/* Write changes to journal file. */
-		CHECK(update_soa_serial(db, ver, &diff, zone->mctx,
-					zone->updatemethod));
-		CHECK(zone_journal(zone, &diff, NULL, "sync_keyzone"));
-
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
-		zone_needdump(zone, 30);
-		commit = ISC_TRUE;
-	}
-
- failure:
-	if (result != ISC_R_SUCCESS &&
-	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "unable to synchronize managed keys: %s",
-			     dns_result_totext(result));
-		isc_time_settoepoch(&zone->refreshkeytime);
-	}
-	if (keynode != NULL)
-		dns_keytable_detachkeynode(sr, &keynode);
-	if (sr != NULL)
-		dns_keytable_detach(&sr);
-	if (ver != NULL)
-		dns_db_closeversion(db, &ver, commit);
-	dns_diff_clear(&diff);
-
-	return (result);
-}
-
-isc_result_t
-dns_zone_synckeyzone(dns_zone_t *zone) {
-	isc_result_t result;
-	dns_db_t *db = NULL;
-
-	if (zone->type != dns_zone_key)
-		return (DNS_R_BADZONE);
-
-	CHECK(dns_zone_getdb(zone, &db));
-
-	LOCK_ZONE(zone);
-	result = sync_keyzone(zone, db);
-	UNLOCK_ZONE(zone);
-
- failure:
-	if (db != NULL)
-		dns_db_detach(&db);
-	return (result);
-}
-
-static void
-maybe_send_secure(dns_zone_t *zone) {
-	isc_result_t result;
-
-	/*
-	 * We've finished loading, or else failed to load, an inline-signing
-	 * 'secure' zone.  We now need information about the status of the
-	 * 'raw' zone.  If we failed to load, then we need it to send a
-	 * copy of its database; if we succeeded, we need it to send its
-	 * serial number so that we can sync with it.  If it has not yet
-	 * loaded, we set a flag so that it will send the necessary
-	 * information when it has finished loading.
-	 */
-	if (zone->raw->db != NULL) {
-		if (zone->db != NULL) {
-			isc_uint32_t serial;
-			unsigned int soacount;
-
-			result = zone_get_from_db(zone->raw, zone->raw->db,
-						  NULL, &soacount, &serial, NULL,
-						  NULL, NULL, NULL, NULL);
-			if (result == ISC_R_SUCCESS && soacount > 0U)
-				zone_send_secureserial(zone->raw, ISC_TRUE, serial);
-		} else
-			zone_send_securedb(zone->raw, ISC_TRUE, zone->raw->db);
-
-	} else
-		DNS_ZONE_SETFLAG(zone->raw, DNS_ZONEFLG_SENDSECURE);
-}
-
-static isc_boolean_t
-zone_unchanged(dns_db_t *db1, dns_db_t *db2, isc_mem_t *mctx) {
-	isc_result_t result;
-	isc_boolean_t answer = ISC_FALSE;
-	dns_diff_t diff;
-
-	dns_diff_init(mctx, &diff);
-	result = dns_db_diffx(&diff, db1, NULL, db2, NULL, NULL);
-	if (result == ISC_R_SUCCESS && ISC_LIST_EMPTY(diff.tuples))
-		answer = ISC_TRUE;
-	dns_diff_clear(&diff);
-	return (answer);
-}
-
-/*
- * The zone is presumed to be locked.
- */
-static isc_result_t
-zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
-	      isc_result_t result)
-{
-	unsigned int soacount = 0;
-	unsigned int nscount = 0;
-	unsigned int errors = 0;
-	isc_uint32_t serial, oldserial, refresh, retry, expire, minimum;
-	isc_time_t now;
-	isc_boolean_t needdump = ISC_FALSE;
-	isc_boolean_t hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
-	isc_boolean_t nomaster = ISC_FALSE;
-	unsigned int options;
-
-	TIME_NOW(&now);
-
-	/*
-	 * Initiate zone transfer?  We may need a error code that
-	 * indicates that the "permanent" form does not exist.
-	 * XXX better error feedback to log.
-	 */
-	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
-		if (zone->type == dns_zone_slave ||
-		    zone->type == dns_zone_stub ||
-		    (zone->type == dns_zone_redirect &&
-		     zone->masters == NULL)) {
-			if (result == ISC_R_FILENOTFOUND)
-				dns_zone_log(zone, ISC_LOG_DEBUG(1),
-					     "no master file");
-			else if (result != DNS_R_NOMASTERFILE)
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "loading from master file %s "
-					     "failed: %s",
-					     zone->masterfile,
-					     dns_result_totext(result));
-		} else if (zone->type == dns_zone_master &&
-			   inline_secure(zone) && result == ISC_R_FILENOTFOUND)
-		{
-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "no master file, requesting db");
-			maybe_send_secure(zone);
-		} else {
-			int level = ISC_LOG_ERROR;
-			if (zone->type == dns_zone_key &&
-			    result == ISC_R_FILENOTFOUND)
-				level = ISC_LOG_DEBUG(1);
-			dns_zone_log(zone, level,
-				     "loading from master file %s failed: %s",
-				     zone->masterfile,
-				     dns_result_totext(result));
-			nomaster = ISC_TRUE;
-		}
-
-		if (zone->type != dns_zone_key)
-			goto cleanup;
-	}
-
-	dns_zone_log(zone, ISC_LOG_DEBUG(2),
-		     "number of nodes in database: %u",
-		     dns_db_nodecount(db));
-
-	if (result == DNS_R_SEENINCLUDE)
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
-	else
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
-
-	/*
-	 * If there's no master file for a key zone, then the zone is new:
-	 * create an SOA record.  (We do this now, instead of later, so that
-	 * if there happens to be a journal file, we can roll forward from
-	 * a sane starting point.)
-	 */
-	if (nomaster && zone->type == dns_zone_key) {
-		result = add_soa(zone, db);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	}
-
-	/*
-	 * Apply update log, if any, on initial load.
-	 */
-	if (zone->journal != NULL &&
-	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
-	    ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
-	{
-		if (zone->type == dns_zone_master &&
-		    (zone->update_acl != NULL || zone->ssutable != NULL))
-			options = DNS_JOURNALOPT_RESIGN;
-		else
-			options = 0;
-		result = dns_journal_rollforward2(zone->mctx, db, options,
-						  zone->sigresigninginterval,
-						  zone->journal);
-		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
-		    result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL &&
-		    result != ISC_R_RANGE) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "journal rollforward failed: %s",
-				     dns_result_totext(result));
-			goto cleanup;
-
-
-		}
-		if (result == ISC_R_NOTFOUND || result == ISC_R_RANGE) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "journal rollforward failed: "
-				     "journal out of sync with zone");
-			goto cleanup;
-		}
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "journal rollforward completed "
-			     "successfully: %s",
-			     dns_result_totext(result));
-		if (result == ISC_R_SUCCESS)
-			needdump = ISC_TRUE;
-	}
-
-	/*
-	 * Obtain ns, soa and cname counts for top of zone.
-	 */
-	INSIST(db != NULL);
-	result = zone_get_from_db(zone, db, &nscount, &soacount, &serial,
-				  &refresh, &retry, &expire, &minimum,
-				  &errors);
-	if (result != ISC_R_SUCCESS && zone->type != dns_zone_key) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "could not find NS and/or SOA records");
-	}
-
-	/*
-	 * Check to make sure the journal is up to date, and remove the
-	 * journal file if it isn't, as we wouldn't be able to apply
-	 * updates otherwise.
-	 */
-	if (zone->journal != NULL && dns_zone_isdynamic(zone, ISC_TRUE) &&
-	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
-		isc_uint32_t jserial;
-		dns_journal_t *journal = NULL;
-
-		result = dns_journal_open(zone->mctx, zone->journal,
-					  DNS_JOURNAL_READ, &journal);
-		if (result == ISC_R_SUCCESS) {
-			jserial = dns_journal_last_serial(journal);
-			dns_journal_destroy(&journal);
-		} else {
-			jserial = serial;
-			result = ISC_R_SUCCESS;
-		}
-
-		if (jserial != serial) {
-			dns_zone_log(zone, ISC_LOG_INFO,
-				     "journal file is out of date: "
-				     "removing journal file");
-			if (remove(zone->journal) < 0 && errno != ENOENT) {
-				char strbuf[ISC_STRERRORSIZE];
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				isc_log_write(dns_lctx,
-					      DNS_LOGCATEGORY_GENERAL,
-					      DNS_LOGMODULE_ZONE,
-					      ISC_LOG_WARNING,
-					      "unable to remove journal "
-					      "'%s': '%s'",
-					      zone->journal, strbuf);
-			}
-		}
-	}
-
-	dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded; checking validity");
-
-	/*
-	 * Master / Slave / Stub zones require both NS and SOA records at
-	 * the top of the zone.
-	 */
-
-	switch (zone->type) {
-	case dns_zone_dlz:
-	case dns_zone_master:
-	case dns_zone_slave:
-	case dns_zone_stub:
-	case dns_zone_redirect:
-		if (soacount != 1) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "has %d SOA records", soacount);
-			result = DNS_R_BADZONE;
-		}
-		if (nscount == 0) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "has no NS records");
-			result = DNS_R_BADZONE;
-		}
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		if (zone->type == dns_zone_master && errors != 0) {
-			result = DNS_R_BADZONE;
-			goto cleanup;
-		}
-		if (zone->type != dns_zone_stub &&
-		    zone->type != dns_zone_redirect) {
-			result = check_nsec3param(zone, db);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-		}
-		if (zone->type == dns_zone_master &&
-		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
-		    !integrity_checks(zone, db)) {
-			result = DNS_R_BADZONE;
-			goto cleanup;
-		}
-		if (zone->type == dns_zone_master &&
-		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) &&
-		    !zone_check_dup(zone, db)) {
-			result = DNS_R_BADZONE;
-			goto cleanup;
-		}
-
-		if (zone->db != NULL) {
-			unsigned int oldsoacount;
-
-			/*
-			 * This is checked in zone_replacedb() for slave zones
-			 * as they don't reload from disk.
-			 */
-			result = zone_get_from_db(zone, zone->db, NULL,
-						  &oldsoacount, &oldserial,
-						  NULL, NULL, NULL, NULL,
-						  NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			RUNTIME_CHECK(soacount > 0U);
-			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
-			    !isc_serial_gt(serial, oldserial)) {
-				isc_uint32_t serialmin, serialmax;
-
-				INSIST(zone->type == dns_zone_master);
-
-				if (serial == oldserial &&
-				    zone_unchanged(zone->db, db, zone->mctx)) {
-					dns_zone_log(zone, ISC_LOG_INFO,
-						     "ixfr-from-differences: "
-						     "unchanged");
-					return(ISC_R_SUCCESS);
-				}
-
-				serialmin = (oldserial + 1) & 0xffffffffU;
-				serialmax = (oldserial + 0x7fffffffU) &
-					     0xffffffffU;
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "ixfr-from-differences: "
-					     "new serial (%u) out of range "
-					     "[%u - %u]", serial, serialmin,
-					     serialmax);
-				result = DNS_R_BADZONE;
-				goto cleanup;
-			} else if (!isc_serial_ge(serial, oldserial))
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone serial (%u/%u) has gone "
-					     "backwards", serial, oldserial);
-			else if (serial == oldserial && !hasinclude &&
-				 strcmp(zone->db_argv[0], "_builtin") != 0)
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone serial (%u) unchanged. "
-					     "zone may fail to transfer "
-					     "to slaves.", serial);
-		}
-
-		if (zone->type == dns_zone_master &&
-		    (zone->update_acl != NULL || zone->ssutable != NULL) &&
-		    zone->sigresigninginterval < (3 * refresh) &&
-		    dns_db_issecure(db))
-		{
-			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "sig-re-signing-interval less than "
-				     "3 * refresh.");
-		}
-
-		zone->refresh = RANGE(refresh,
-				      zone->minrefresh, zone->maxrefresh);
-		zone->retry = RANGE(retry,
-				    zone->minretry, zone->maxretry);
-		zone->expire = RANGE(expire, zone->refresh + zone->retry,
-				     DNS_MAX_EXPIRE);
-		zone->minimum = minimum;
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
-
-		if (zone->type == dns_zone_slave ||
-		    zone->type == dns_zone_stub ||
-		    (zone->type == dns_zone_redirect &&
-		     zone->masters != NULL)) {
-			isc_time_t t;
-			isc_uint32_t delay;
-
-			result = isc_file_getmodtime(zone->journal, &t);
-			if (result != ISC_R_SUCCESS)
-				result = isc_file_getmodtime(zone->masterfile,
-							     &t);
-			if (result == ISC_R_SUCCESS)
-				DNS_ZONE_TIME_ADD(&t, zone->expire,
-						  &zone->expiretime);
-			else
-				DNS_ZONE_TIME_ADD(&now, zone->retry,
-						  &zone->expiretime);
-
-			delay = isc_random_jitter(zone->retry,
-						  (zone->retry * 3) / 4);
-			DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
-			if (isc_time_compare(&zone->refreshtime,
-					     &zone->expiretime) >= 0)
-				zone->refreshtime = now;
-		}
-
-		break;
-
-	case dns_zone_key:
-		result = sync_keyzone(zone, db);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		break;
-
-	default:
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "unexpected zone type %d", zone->type);
-		result = ISC_R_UNEXPECTED;
-		goto cleanup;
-	}
-
-	/*
-	 * Check for weak DNSKEY's.
-	 */
-	if (zone->type == dns_zone_master)
-		zone_check_dnskeys(zone, db);
-
-	/*
-	 * Schedule DNSSEC key refresh.
-	 */
-	if (zone->type == dns_zone_master &&
-	    DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
-		zone->refreshkeytime = now;
-
-#if 0
-	/* destroy notification example. */
-	{
-		isc_event_t *e = isc_event_allocate(zone->mctx, NULL,
-						    DNS_EVENT_DBDESTROYED,
-						    dns_zonemgr_dbdestroyed,
-						    zone,
-						    sizeof(isc_event_t));
-		dns_db_ondestroy(db, zone->task, &e);
-	}
-#endif
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
-	if (zone->db != NULL) {
-		result = zone_replacedb(zone, db, ISC_FALSE);
-		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-	} else {
-		zone_attachdb(zone, db);
-		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
-		DNS_ZONE_SETFLAG(zone,
-				 DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) &&
-		    inline_raw(zone))
-		{
-			if (zone->secure->db == NULL)
-				zone_send_securedb(zone, ISC_FALSE, db);
-			else
-				zone_send_secureserial(zone, ISC_FALSE, serial);
-		}
-	}
-
-	/*
-	 * Finished loading inline-signing zone; need to get status
-	 * from the raw side now.
-	 */
-	if (zone->type == dns_zone_master && inline_secure(zone))
-		maybe_send_secure(zone);
-
-
-	result = ISC_R_SUCCESS;
-
-	if (needdump) {
-		if (zone->type == dns_zone_key)
-			zone_needdump(zone, 30);
-		else
-			zone_needdump(zone, DNS_DUMP_DELAY);
-	}
-
-	if (zone->task != NULL) {
-		if (zone->type == dns_zone_master) {
-			set_resigntime(zone);
-			resume_signingwithkey(zone);
-			resume_addnsec3chain(zone);
-		}
-
-		if (zone->type == dns_zone_master &&
-		    !DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) &&
-		    dns_zone_isdynamic(zone, ISC_FALSE) &&
-		    dns_db_issecure(db)) {
-			dns_name_t *name;
-			dns_fixedname_t fixed;
-			dns_rdataset_t next;
-
-			dns_rdataset_init(&next);
-			dns_fixedname_init(&fixed);
-			name = dns_fixedname_name(&fixed);
-
-			result = dns_db_getsigningtime(db, &next, name);
-			if (result == ISC_R_SUCCESS) {
-				isc_stdtime_t timenow;
-				char namebuf[DNS_NAME_FORMATSIZE];
-				char typebuf[DNS_RDATATYPE_FORMATSIZE];
-
-				isc_stdtime_get(&timenow);
-				dns_name_format(name, namebuf, sizeof(namebuf));
-				dns_rdatatype_format(next.covers,
-						     typebuf, sizeof(typebuf));
-				dns_zone_log(zone, ISC_LOG_DEBUG(3),
-					     "next resign: %s/%s in %d seconds",
-					     namebuf, typebuf,
-					     next.resign - timenow);
-				dns_rdataset_disassociate(&next);
-			} else
-				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "signed dynamic zone has no "
-					     "resign event scheduled");
-		}
-
-		zone_settimer(zone, &now);
-	}
-
-	if (! dns_db_ispersistent(db))
-		dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s", serial,
-			     dns_db_issecure(db) ? " (DNSSEC signed)" : "");
-
-	zone->loadtime = loadtime;
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
-	return (result);
-
- cleanup:
-	if (zone->type == dns_zone_slave ||
-	    zone->type == dns_zone_stub ||
-	    zone->type == dns_zone_key ||
-	    (zone->type == dns_zone_redirect && zone->masters != NULL)) {
-		if (zone->journal != NULL)
-			zone_saveunique(zone, zone->journal, "jn-XXXXXXXX");
-		if (zone->masterfile != NULL)
-			zone_saveunique(zone, zone->masterfile, "db-XXXXXXXX");
-
-		/* Mark the zone for immediate refresh. */
-		zone->refreshtime = now;
-		if (zone->task != NULL)
-			zone_settimer(zone, &now);
-		result = ISC_R_SUCCESS;
-	} else if (zone->type == dns_zone_master ||
-		   zone->type == dns_zone_redirect) {
-		if (!(inline_secure(zone) && result == ISC_R_FILENOTFOUND))
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "not loaded due to errors.");
-		else if (zone->type == dns_zone_master)
-			result = ISC_R_SUCCESS;
-	}
-
-	return (result);
-}
-
-static isc_boolean_t
-exit_check(dns_zone_t *zone) {
-
-	REQUIRE(LOCKED_ZONE(zone));
-
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) &&
-	    zone->irefs == 0)
-	{
-		/*
-		 * DNS_ZONEFLG_SHUTDOWN can only be set if erefs == 0.
-		 */
-		INSIST(isc_refcount_current(&zone->erefs) == 0);
-		return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-static isc_boolean_t
-zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
-	      dns_name_t *name, isc_boolean_t logit)
-{
-	isc_result_t result;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char altbuf[DNS_NAME_FORMATSIZE];
-	dns_fixedname_t fixed;
-	dns_name_t *foundname;
-	int level;
-
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOCHECKNS))
-		return (ISC_TRUE);
-
-	if (zone->type == dns_zone_master)
-		level = ISC_LOG_ERROR;
-	else
-		level = ISC_LOG_WARNING;
-
-	dns_fixedname_init(&fixed);
-	foundname = dns_fixedname_name(&fixed);
-
-	result = dns_db_find(db, name, version, dns_rdatatype_a,
-			     0, 0, NULL, foundname, NULL, NULL);
-	if (result == ISC_R_SUCCESS)
-		return (ISC_TRUE);
-
-	if (result == DNS_R_NXRRSET) {
-		result = dns_db_find(db, name, version, dns_rdatatype_aaaa,
-				     0, 0, NULL, foundname, NULL, NULL);
-		if (result == ISC_R_SUCCESS)
-			return (ISC_TRUE);
-	}
-
-	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
-	    result == DNS_R_EMPTYNAME) {
-		if (logit) {
-			dns_name_format(name, namebuf, sizeof namebuf);
-			dns_zone_log(zone, level, "NS '%s' has no address "
-				     "records (A or AAAA)", namebuf);
-		}
-		return (ISC_FALSE);
-	}
-
-	if (result == DNS_R_CNAME) {
-		if (logit) {
-			dns_name_format(name, namebuf, sizeof namebuf);
-			dns_zone_log(zone, level, "NS '%s' is a CNAME "
-				     "(illegal)", namebuf);
-		}
-		return (ISC_FALSE);
-	}
-
-	if (result == DNS_R_DNAME) {
-		if (logit) {
-			dns_name_format(name, namebuf, sizeof namebuf);
-			dns_name_format(foundname, altbuf, sizeof altbuf);
-			dns_zone_log(zone, level, "NS '%s' is below a DNAME "
-				     "'%s' (illegal)", namebuf, altbuf);
-		}
-		return (ISC_FALSE);
-	}
-
-	return (ISC_TRUE);
-}
-
-static isc_result_t
-zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
-		 dns_dbversion_t *version, unsigned int *nscount,
-		 unsigned int *errors, isc_boolean_t logit)
-{
-	isc_result_t result;
-	unsigned int count = 0;
-	unsigned int ecount = 0;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata;
-	dns_rdata_ns_t ns;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
-				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto success;
-	}
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto invalidate_rdataset;
-	}
-
-	result = dns_rdataset_first(&rdataset);
-	while (result == ISC_R_SUCCESS) {
-		if (errors != NULL && zone->rdclass == dns_rdataclass_in &&
-		    (zone->type == dns_zone_master ||
-		     zone->type == dns_zone_slave)) {
-			dns_rdata_init(&rdata);
-			dns_rdataset_current(&rdataset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &ns, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if (dns_name_issubdomain(&ns.name, &zone->origin) &&
-			    !zone_check_ns(zone, db, version, &ns.name, logit))
-				ecount++;
-		}
-		count++;
-		result = dns_rdataset_next(&rdataset);
-	}
-	dns_rdataset_disassociate(&rdataset);
-
- success:
-	if (nscount != NULL)
-		*nscount = count;
-	if (errors != NULL)
-		*errors = ecount;
-
-	result = ISC_R_SUCCESS;
-
- invalidate_rdataset:
-	dns_rdataset_invalidate(&rdataset);
-
-	return (result);
-}
-
-static isc_result_t
-zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		 unsigned int *soacount,
-		 isc_uint32_t *serial, isc_uint32_t *refresh,
-		 isc_uint32_t *retry, isc_uint32_t *expire,
-		 isc_uint32_t *minimum)
-{
-	isc_result_t result;
-	unsigned int count;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_soa_t soa;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
-				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		if (soacount != NULL)
-			*soacount = 0;
-		if (serial != NULL)
-			*serial = 0;
-		if (refresh != NULL)
-			*refresh = 0;
-		if (retry != NULL)
-			*retry = 0;
-		if (expire != NULL)
-			*expire = 0;
-		if (minimum != NULL)
-			*minimum = 0;
-		result = ISC_R_SUCCESS;
-		goto invalidate_rdataset;
-	}
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto invalidate_rdataset;
-	}
-
-	count = 0;
-	result = dns_rdataset_first(&rdataset);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdata_init(&rdata);
-		dns_rdataset_current(&rdataset, &rdata);
-		count++;
-		if (count == 1) {
-			result = dns_rdata_tostruct(&rdata, &soa, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		}
-
-		result = dns_rdataset_next(&rdataset);
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&rdataset);
-
-	if (soacount != NULL)
-		*soacount = count;
-
-	if (count > 0) {
-		if (serial != NULL)
-			*serial = soa.serial;
-		if (refresh != NULL)
-			*refresh = soa.refresh;
-		if (retry != NULL)
-			*retry = soa.retry;
-		if (expire != NULL)
-			*expire = soa.expire;
-		if (minimum != NULL)
-			*minimum = soa.minimum;
-	} else {
-		if (soacount != NULL)
-			*soacount = 0;
-		if (serial != NULL)
-			*serial = 0;
-		if (refresh != NULL)
-			*refresh = 0;
-		if (retry != NULL)
-			*retry = 0;
-		if (expire != NULL)
-			*expire = 0;
-		if (minimum != NULL)
-			*minimum = 0;
-	}
-
-	result = ISC_R_SUCCESS;
-
- invalidate_rdataset:
-	dns_rdataset_invalidate(&rdataset);
-
-	return (result);
-}
-
-/*
- * zone must be locked.
- */
-static isc_result_t
-zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
-		 unsigned int *soacount, isc_uint32_t *serial,
-		 isc_uint32_t *refresh, isc_uint32_t *retry,
-		 isc_uint32_t *expire, isc_uint32_t *minimum,
-		 unsigned int *errors)
-{
-	isc_result_t result;
-	isc_result_t answer = ISC_R_SUCCESS;
-	dns_dbversion_t *version = NULL;
-	dns_dbnode_t *node;
-
-	REQUIRE(db != NULL);
-	REQUIRE(zone != NULL);
-
-	dns_db_currentversion(db, &version);
-
-	node = NULL;
-	result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS) {
-		answer = result;
-		goto closeversion;
-	}
-
-	if (nscount != NULL || errors != NULL) {
-		result = zone_count_ns_rr(zone, db, node, version,
-					  nscount, errors, ISC_TRUE);
-		if (result != ISC_R_SUCCESS)
-			answer = result;
-	}
-
-	if (soacount != NULL || serial != NULL || refresh != NULL
-	    || retry != NULL || expire != NULL || minimum != NULL) {
-		result = zone_load_soa_rr(db, node, version, soacount,
-					  serial, refresh, retry, expire,
-					  minimum);
-		if (result != ISC_R_SUCCESS)
-			answer = result;
-	}
-
-	dns_db_detachnode(db, &node);
- closeversion:
-	dns_db_closeversion(db, &version, ISC_FALSE);
-
-	return (answer);
-}
-
-void
-dns_zone_attach(dns_zone_t *source, dns_zone_t **target) {
-	REQUIRE(DNS_ZONE_VALID(source));
-	REQUIRE(target != NULL && *target == NULL);
-	isc_refcount_increment(&source->erefs, NULL);
-	*target = source;
-}
-
-void
-dns_zone_detach(dns_zone_t **zonep) {
-	dns_zone_t *zone;
-	dns_zone_t *raw = NULL;
-	dns_zone_t *secure = NULL;
-	unsigned int refs;
-	isc_boolean_t free_now = ISC_FALSE;
-
-	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
-
-	zone = *zonep;
-
-	isc_refcount_decrement(&zone->erefs, &refs);
-
-	if (refs == 0) {
-		LOCK_ZONE(zone);
-		/*
-		 * We just detached the last external reference.
-		 */
-		if (zone->task != NULL) {
-			/*
-			 * This zone is being managed.	Post
-			 * its control event and let it clean
-			 * up synchronously in the context of
-			 * its task.
-			 */
-			isc_event_t *ev = &zone->ctlevent;
-			isc_task_send(zone->task, &ev);
-		} else {
-			/*
-			 * This zone is not being managed; it has
-			 * no task and can have no outstanding
-			 * events.  Free it immediately.
-			 */
-			/*
-			 * Unmanaged zones should not have non-null views;
-			 * we have no way of detaching from the view here
-			 * without causing deadlock because this code is called
-			 * with the view already locked.
-			 */
-			INSIST(zone->view == NULL);
-			free_now = ISC_TRUE;
-			raw = zone->raw;
-			zone->raw = NULL;
-			secure = zone->secure;
-			zone->secure = NULL;
-		}
-		UNLOCK_ZONE(zone);
-	}
-	*zonep = NULL;
-	if (free_now) {
-		if (raw != NULL)
-			dns_zone_detach(&raw);
-		if (secure != NULL)
-			dns_zone_idetach(&secure);
-		zone_free(zone);
-	}
-}
-
-void
-dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) {
-	REQUIRE(DNS_ZONE_VALID(source));
-	REQUIRE(target != NULL && *target == NULL);
-	LOCK_ZONE(source);
-	zone_iattach(source, target);
-	UNLOCK_ZONE(source);
-}
-
-static void
-zone_iattach(dns_zone_t *source, dns_zone_t **target) {
-
-	/*
-	 * 'source' locked by caller.
-	 */
-	REQUIRE(LOCKED_ZONE(source));
-	REQUIRE(DNS_ZONE_VALID(source));
-	REQUIRE(target != NULL && *target == NULL);
-	INSIST(source->irefs + isc_refcount_current(&source->erefs) > 0);
-	source->irefs++;
-	INSIST(source->irefs != 0);
-	*target = source;
-}
-
-static void
-zone_idetach(dns_zone_t **zonep) {
-	dns_zone_t *zone;
-
-	/*
-	 * 'zone' locked by caller.
-	 */
-	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
-	zone = *zonep;
-	REQUIRE(LOCKED_ZONE(*zonep));
-	*zonep = NULL;
-
-	INSIST(zone->irefs > 0);
-	zone->irefs--;
-	INSIST(zone->irefs + isc_refcount_current(&zone->erefs) > 0);
-}
-
-void
-dns_zone_idetach(dns_zone_t **zonep) {
-	dns_zone_t *zone;
-	isc_boolean_t free_needed;
-
-	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
-	zone = *zonep;
-	*zonep = NULL;
-
-	LOCK_ZONE(zone);
-	INSIST(zone->irefs > 0);
-	zone->irefs--;
-	free_needed = exit_check(zone);
-	UNLOCK_ZONE(zone);
-	if (free_needed)
-		zone_free(zone);
-}
-
-isc_mem_t *
-dns_zone_getmctx(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->mctx);
-}
-
-dns_zonemgr_t *
-dns_zone_getmgr(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->zmgr);
-}
-
-void
-dns_zone_setflag(dns_zone_t *zone, unsigned int flags, isc_boolean_t value) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (value)
-		DNS_ZONE_SETFLAG(zone, flags);
-	else
-		DNS_ZONE_CLRFLAG(zone, flags);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value)
-{
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (value)
-		zone->options |= option;
-	else
-		zone->options &= ~option;
-	UNLOCK_ZONE(zone);
-}
-
-unsigned int
-dns_zone_getoptions(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->options);
-}
-
-void
-dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, isc_boolean_t value)
-{
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (value)
-		zone->keyopts |= keyopt;
-	else
-		zone->keyopts &= ~keyopt;
-	UNLOCK_ZONE(zone);
-}
-
-unsigned int
-dns_zone_getkeyopts(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->keyopts);
-}
-
-isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone->xfrsource4 = *xfrsource;
-	UNLOCK_ZONE(zone);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getxfrsource4(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (&zone->xfrsource4);
-}
-
-isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone->xfrsource6 = *xfrsource;
-	UNLOCK_ZONE(zone);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getxfrsource6(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (&zone->xfrsource6);
-}
-
-isc_result_t
-dns_zone_setaltxfrsource4(dns_zone_t *zone,
-			  const isc_sockaddr_t *altxfrsource)
-{
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone->altxfrsource4 = *altxfrsource;
-	UNLOCK_ZONE(zone);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getaltxfrsource4(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (&zone->altxfrsource4);
-}
-
-isc_result_t
-dns_zone_setaltxfrsource6(dns_zone_t *zone,
-			  const isc_sockaddr_t *altxfrsource)
-{
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone->altxfrsource6 = *altxfrsource;
-	UNLOCK_ZONE(zone);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getaltxfrsource6(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (&zone->altxfrsource6);
-}
-
-isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone->notifysrc4 = *notifysrc;
-	UNLOCK_ZONE(zone);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getnotifysrc4(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (&zone->notifysrc4);
-}
-
-isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone->notifysrc6 = *notifysrc;
-	UNLOCK_ZONE(zone);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getnotifysrc6(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (&zone->notifysrc6);
-}
-
-static isc_boolean_t
-same_addrs(const isc_sockaddr_t *old, const isc_sockaddr_t *new,
-	     isc_uint32_t count)
-{
-	unsigned int i;
-
-	for (i = 0; i < count; i++)
-		if (!isc_sockaddr_equal(&old[i], &new[i]))
-			return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-static isc_boolean_t
-same_keynames(dns_name_t **old, dns_name_t **new, isc_uint32_t count) {
-	unsigned int i;
-
-	if (old == NULL && new == NULL)
-		return (ISC_TRUE);
-	if (old == NULL || new == NULL)
-		return (ISC_FALSE);
-
-	for (i = 0; i < count; i++) {
-		if (old[i] == NULL && new[i] == NULL)
-			continue;
-		if (old[i] == NULL || new[i] == NULL ||
-		     !dns_name_equal(old[i], new[i]))
-			return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-static void
-clear_addresskeylist(isc_sockaddr_t **addrsp, dns_name_t ***keynamesp,
-		     unsigned int *countp, isc_mem_t *mctx)
-{
-	unsigned int count;
-	isc_sockaddr_t *addrs;
-	dns_name_t **keynames;
-
-	REQUIRE(countp != NULL && addrsp != NULL && keynamesp != NULL);
-
-	count = *countp;
-	*countp = 0;
-	addrs = *addrsp;
-	*addrsp = NULL;
-	keynames = *keynamesp;
-	*keynamesp = NULL;
-
-	if (addrs != NULL)
-		isc_mem_put(mctx, addrs, count * sizeof(isc_sockaddr_t));
-
-	if (keynames != NULL) {
-		unsigned int i;
-		for (i = 0; i < count; i++) {
-			if (keynames[i] != NULL) {
-				dns_name_free(keynames[i], mctx);
-				isc_mem_put(mctx, keynames[i],
-					    sizeof(dns_name_t));
-				keynames[i] = NULL;
-			}
-		}
-		isc_mem_put(mctx, keynames, count * sizeof(dns_name_t *));
-	}
-}
-
-static isc_result_t
-set_addrkeylist(unsigned int count,
-		const isc_sockaddr_t *addrs, isc_sockaddr_t **newaddrsp,
-		dns_name_t **names, dns_name_t ***newnamesp,
-		isc_mem_t *mctx)
-{
-	isc_result_t result;
-	isc_sockaddr_t *newaddrs = NULL;
-	dns_name_t **newnames = NULL;
-	unsigned int i;
-
-	REQUIRE(newaddrsp != NULL && *newaddrsp == NULL);
-	REQUIRE(newnamesp != NULL && *newnamesp == NULL);
-
-	newaddrs = isc_mem_get(mctx, count * sizeof(*newaddrs));
-	if (newaddrs == NULL)
-		return (ISC_R_NOMEMORY);
-	memcpy(newaddrs, addrs, count * sizeof(*newaddrs));
-
-	newnames = NULL;
-	if (names != NULL) {
-		newnames = isc_mem_get(mctx, count * sizeof(*newnames));
-		if (newnames == NULL) {
-			isc_mem_put(mctx, newaddrs, count * sizeof(*newaddrs));
-			return (ISC_R_NOMEMORY);
-		}
-		for (i = 0; i < count; i++)
-			newnames[i] = NULL;
-		for (i = 0; i < count; i++) {
-			if (names[i] != NULL) {
-				newnames[i] = isc_mem_get(mctx,
-							 sizeof(dns_name_t));
-				if (newnames[i] == NULL)
-					goto allocfail;
-				dns_name_init(newnames[i], NULL);
-				result = dns_name_dup(names[i], mctx,
-						      newnames[i]);
-				if (result != ISC_R_SUCCESS) {
-				allocfail:
-					for (i = 0; i < count; i++)
-						if (newnames[i] != NULL)
-							dns_name_free(
-							       newnames[i],
-							       mctx);
-					isc_mem_put(mctx, newaddrs,
-						    count * sizeof(*newaddrs));
-					isc_mem_put(mctx, newnames,
-						    count * sizeof(*newnames));
-					return (ISC_R_NOMEMORY);
-				}
-			}
-		}
-	}
-
-	*newaddrsp = newaddrs;
-	*newnamesp = newnames;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
-		       isc_uint32_t count)
-{
-	return (dns_zone_setalsonotifywithkeys(zone, notify, NULL, count));
-}
-
-isc_result_t
-dns_zone_setalsonotifywithkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
-			       dns_name_t **keynames, isc_uint32_t count)
-{
-	isc_result_t result;
-	isc_sockaddr_t *newaddrs = NULL;
-	dns_name_t **newnames = NULL;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(count == 0 || notify != NULL);
-	if (keynames != NULL)
-		REQUIRE(count != 0);
-
-	LOCK_ZONE(zone);
-
-	if (count == zone->notifycnt &&
-	    same_addrs(zone->notify, notify, count) &&
-	    same_keynames(zone->notifykeynames, keynames, count))
-		goto unlock;
-
-	clear_addresskeylist(&zone->notify, &zone->notifykeynames,
-			     &zone->notifycnt, zone->mctx);
-
-	if (count == 0)
-		goto unlock;
-
-	/*
-	 * Set up the notify and notifykey lists
-	 */
-	result = set_addrkeylist(count, notify, &newaddrs,
-				 keynames, &newnames, zone->mctx);
-	if (result != ISC_R_SUCCESS)
-		goto unlock;
-
-	/*
-	 * Everything is ok so attach to the zone.
-	 */
-	zone->notify = newaddrs;
-	zone->notifykeynames = newnames;
-	zone->notifycnt = count;
- unlock:
-	UNLOCK_ZONE(zone);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
-		    isc_uint32_t count)
-{
-	isc_result_t result;
-
-	result = dns_zone_setmasterswithkeys(zone, masters, NULL, count);
-	return (result);
-}
-
-isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone,
-			    const isc_sockaddr_t *masters,
-			    dns_name_t **keynames,
-			    isc_uint32_t count)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_sockaddr_t *newaddrs = NULL;
-	dns_name_t **newnames = NULL;
-	isc_boolean_t *newok;
-	unsigned int i;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(count == 0 || masters != NULL);
-	if (keynames != NULL) {
-		REQUIRE(count != 0);
-	}
-
-	LOCK_ZONE(zone);
-	/*
-	 * The refresh code assumes that 'masters' wouldn't change under it.
-	 * If it will change then kill off any current refresh in progress
-	 * and update the masters info.  If it won't change then we can just
-	 * unlock and exit.
-	 */
-	if (count != zone->masterscnt ||
-	    !same_addrs(zone->masters, masters, count) ||
-	    !same_keynames(zone->masterkeynames, keynames, count)) {
-		if (zone->request != NULL)
-			dns_request_cancel(zone->request);
-	} else
-		goto unlock;
-
-	/*
-	 * This needs to happen before clear_addresskeylist() sets
-	 * zone->masterscnt to 0:
-	 */
-	if (zone->mastersok != NULL) {
-		isc_mem_put(zone->mctx, zone->mastersok,
-			    zone->masterscnt * sizeof(isc_boolean_t));
-		zone->mastersok = NULL;
-	}
-	clear_addresskeylist(&zone->masters, &zone->masterkeynames,
-			     &zone->masterscnt, zone->mctx);
-	/*
-	 * If count == 0, don't allocate any space for masters, mastersok or
-	 * keynames so internally, those pointers are NULL if count == 0
-	 */
-	if (count == 0)
-		goto unlock;
-
-	/*
-	 * mastersok must contain count elements
-	 */
-	newok = isc_mem_get(zone->mctx, count * sizeof(*newok));
-	if (newok == NULL) {
-		result = ISC_R_NOMEMORY;
-		isc_mem_put(zone->mctx, newaddrs, count * sizeof(*newaddrs));
-		goto unlock;
-	};
-	for (i = 0; i < count; i++)
-		newok[i] = ISC_FALSE;
-
-	/*
-	 * Now set up the masters and masterkey lists
-	 */
-	result = set_addrkeylist(count, masters, &newaddrs,
-				 keynames, &newnames, zone->mctx);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(zone->mctx, newok, count * sizeof(*newok));
-		goto unlock;
-	}
-
-	/*
-	 * Everything is ok so attach to the zone.
-	 */
-	zone->curmaster = 0;
-	zone->mastersok = newok;
-	zone->masters = newaddrs;
-	zone->masterkeynames = newnames;
-	zone->masterscnt = count;
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOMASTERS);
-
- unlock:
-	UNLOCK_ZONE(zone);
-	return (result);
-}
-
-isc_result_t
-dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db == NULL)
-		result = DNS_R_NOTLOADED;
-	else
-		dns_db_attach(zone->db, dpb);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-
-	return (result);
-}
-
-void
-dns_zone_setdb(dns_zone_t *zone, dns_db_t *db) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(zone->type == dns_zone_staticstub);
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
-	REQUIRE(zone->db == NULL);
-	dns_db_attach(db, &zone->db);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
-}
-
-/*
- * Co-ordinates the starting of routine jobs.
- */
-
-void
-dns_zone_maintenance(dns_zone_t *zone) {
-	const char me[] = "dns_zone_maintenance";
-	isc_time_t now;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	ENTER;
-
-	LOCK_ZONE(zone);
-	TIME_NOW(&now);
-	zone_settimer(zone, &now);
-	UNLOCK_ZONE(zone);
-}
-
-static inline isc_boolean_t
-was_dumping(dns_zone_t *zone) {
-	isc_boolean_t dumping;
-
-	REQUIRE(LOCKED_ZONE(zone));
-
-	dumping = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
-	if (!dumping) {
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
-		isc_time_settoepoch(&zone->dumptime);
-	}
-	return (dumping);
-}
-
-static isc_result_t
-find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	       isc_mem_t *mctx, unsigned int maxkeys,
-	       dst_key_t **keys, unsigned int *nkeys)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	const char *directory = dns_zone_getkeydirectory(zone);
-
-	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
-	result = dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
-					  directory, mctx, maxkeys, keys,
-					  nkeys);
-	if (result == ISC_R_NOTFOUND)
-		result = ISC_R_SUCCESS;
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-static isc_result_t
-offline(dns_db_t *db, dns_dbversion_t *ver, zonediff_t *zonediff,
-	dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
-{
-	isc_result_t result;
-
-	if ((rdata->flags & DNS_RDATA_OFFLINE) != 0)
-		return (ISC_R_SUCCESS);
-	result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_DELRESIGN,
-			       name, ttl, rdata);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	rdata->flags |= DNS_RDATA_OFFLINE;
-	result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_ADDRESIGN,
-			       name, ttl, rdata);
-	zonediff->offline = ISC_TRUE;
-	return (result);
-}
-
-static void
-set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now)
-{
-	unsigned int delta;
-	char timebuf[80];
-
-	zone->key_expiry = when;
-	if (when <= now) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "DNSKEY RRSIG(s) have expired");
-		isc_time_settoepoch(&zone->keywarntime);
-	} else if (when < now + 7 * 24 * 3600) {
-		isc_time_t t;
-		isc_time_set(&t, when, 0);
-		isc_time_formattimestamp(&t, timebuf, 80);
-		dns_zone_log(zone, ISC_LOG_WARNING,
-			     "DNSKEY RRSIG(s) will expire within 7 days: %s",
-			     timebuf);
-		delta = when - now;
-		delta--;		/* loop prevention */
-		delta /= 24 * 3600;	/* to whole days */
-		delta *= 24 * 3600;	/* to seconds */
-		isc_time_set(&zone->keywarntime, when - delta, 0);
-	}  else {
-		isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0);
-		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
-		dns_zone_log(zone, ISC_LOG_NOTICE,
-			     "setting keywarntime to %s", timebuf);
-	}
-}
-
-/*
- * Helper function to del_sigs(). We don't want to delete RRSIGs that
- * have no new key.
- */
-static isc_boolean_t
-delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) {
-	unsigned int i = 0;
-
-	/*
-	 * It's okay to delete a signature if there is an active ZSK
-	 * with the same algorithm
-	 */
-	for (i = 0; i < nkeys; i++) {
-		if (rrsig_ptr->algorithm == dst_key_alg(keys[i]) &&
-		    (dst_key_isprivate(keys[i])) && !KSK(keys[i]))
-			return (ISC_TRUE);
-	}
-
-	/*
-	 * Failing that, it is *not* okay to delete a signature
-	 * if the associated public key is still in the DNSKEY RRset
-	 */
-	for (i = 0; i < nkeys; i++) {
-		if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
-		    (rrsig_ptr->keyid == dst_key_id(keys[i])))
-			return (ISC_FALSE);
-	}
-
-	/*
-	 * But if the key is gone, then go ahead.
-	 */
-	return (ISC_TRUE);
-}
-
-/*
- * Delete expired RRsigs and any RRsigs we are about to re-sign.
- * See also update.c:del_keysigs().
- */
-static isc_result_t
-del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	 dns_rdatatype_t type, zonediff_t *zonediff, dst_key_t **keys,
-	 unsigned int nkeys, isc_stdtime_t now, isc_boolean_t incremental)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	unsigned int i;
-	dns_rdata_rrsig_t rrsig;
-	isc_boolean_t found, changed;
-	isc_int64_t warn = 0, maybe = 0;
-
-	dns_rdataset_init(&rdataset);
-
-	if (type == dns_rdatatype_nsec3)
-		result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
-	else
-		result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig, type,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
-	dns_db_detachnode(db, &node);
-
-	if (result == ISC_R_NOTFOUND) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto failure;
-	}
-
-	changed = ISC_FALSE;
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (type != dns_rdatatype_dnskey) {
-			if (delsig_ok(&rrsig, keys, nkeys)) {
-				result = update_one_rr(db, ver, zonediff->diff,
-					       DNS_DIFFOP_DELRESIGN, name,
-					       rdataset.ttl, &rdata);
-				if (incremental)
-					changed = ISC_TRUE;
-				if (result != ISC_R_SUCCESS)
-					break;
-			} else {
-				/*
-				 * At this point, we've got an RRSIG,
-				 * which is signed by an inactive key.
-				 * An administrator needs to provide a new
-				 * key/alg, but until that time, we want to
-				 * keep the old RRSIG.  Marking the key as
-				 * offline will prevent us spinning waiting
-				 * for the private part.
-				 */
-				if (incremental) {
-					result = offline(db, ver, zonediff,
-							 name, rdataset.ttl,
-							 &rdata);
-					changed = ISC_TRUE;
-					if (result != ISC_R_SUCCESS)
-						break;
-				}
-
-				/*
-				 * Log the key id and algorithm of
-				 * the inactive key with no replacement
-				 */
-				if (zone->log_key_expired_timer <= now) {
-					char origin[DNS_NAME_FORMATSIZE];
-					char algbuf[DNS_NAME_FORMATSIZE];
-					dns_name_format(&zone->origin, origin,
-							sizeof(origin));
-					dns_secalg_format(rrsig.algorithm,
-							  algbuf,
-							  sizeof(algbuf));
-					dns_zone_log(zone, ISC_LOG_WARNING,
-						     "Key %s/%s/%d "
-						     "missing or inactive "
-						     "and has no replacement: "
-						     "retaining signatures.",
-						     origin, algbuf,
-						     rrsig.keyid);
-					zone->log_key_expired_timer = now +
-									3600;
-				}
-			}
-			continue;
-		}
-
-		/*
-		 * RRSIG(DNSKEY) requires special processing.
-		 */
-		found = ISC_FALSE;
-		for (i = 0; i < nkeys; i++) {
-			if (rrsig.algorithm == dst_key_alg(keys[i]) &&
-			    rrsig.keyid == dst_key_id(keys[i])) {
-				found = ISC_TRUE;
-				/*
-				 * Mark offline RRSIG(DNSKEY).
-				 * We want the earliest offline expire time
-				 * iff there is a new offline signature.
-				 */
-				if (!dst_key_isprivate(keys[i])) {
-					isc_int64_t timeexpire =
-					   dns_time64_from32(rrsig.timeexpire);
-					if (warn != 0 && warn > timeexpire)
-						warn = timeexpire;
-					if (rdata.flags & DNS_RDATA_OFFLINE) {
-						if (maybe == 0 ||
-						    maybe > timeexpire)
-							maybe = timeexpire;
-						break;
-					}
-					if (warn == 0)
-						warn = maybe;
-					if (warn == 0 || warn > timeexpire)
-						warn = timeexpire;
-					result = offline(db, ver, zonediff,
-							 name, rdataset.ttl,
-							 &rdata);
-					break;
-				}
-				result = update_one_rr(db, ver, zonediff->diff,
-						       DNS_DIFFOP_DELRESIGN,
-						       name, rdataset.ttl,
-						       &rdata);
-				break;
-			}
-		}
-
-		/*
-		 * If there is not a matching DNSKEY then
-		 * delete the RRSIG.
-		 */
-		if (!found)
-			result = update_one_rr(db, ver, zonediff->diff,
-					       DNS_DIFFOP_DELRESIGN, name,
-					       rdataset.ttl, &rdata);
-		if (result != ISC_R_SUCCESS)
-			break;
-	}
-
-	if (changed && (rdataset.attributes & DNS_RDATASETATTR_RESIGN) != 0)
-		dns_db_resigned(db, &rdataset, ver);
-
-	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	if (warn > 0) {
-#if defined(STDTIME_ON_32BITS)
-		isc_stdtime_t stdwarn = (isc_stdtime_t)warn;
-		if (warn == stdwarn)
-#endif
-			set_key_expiry_warning(zone, (isc_stdtime_t)warn, now);
-#if defined(STDTIME_ON_32BITS)
-		else
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "key expiry warning time out of range");
-#endif
-	}
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-static isc_result_t
-add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
-	 unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
-	 isc_stdtime_t expire, isc_boolean_t check_ksk,
-	 isc_boolean_t keyset_kskonly)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
-	unsigned char data[1024]; /* XXX */
-	isc_buffer_t buffer;
-	unsigned int i, j;
-
-	dns_rdataset_init(&rdataset);
-	isc_buffer_init(&buffer, data, sizeof(data));
-
-	if (type == dns_rdatatype_nsec3)
-		result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
-	else
-		result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	result = dns_db_findrdataset(db, node, ver, type, 0,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
-	dns_db_detachnode(db, &node);
-	if (result == ISC_R_NOTFOUND) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto failure;
-	}
-
-	for (i = 0; i < nkeys; i++) {
-		isc_boolean_t both = ISC_FALSE;
-
-		if (!dst_key_isprivate(keys[i]))
-			continue;
-
-		if (check_ksk && !REVOKE(keys[i])) {
-			isc_boolean_t have_ksk, have_nonksk;
-			if (KSK(keys[i])) {
-				have_ksk = ISC_TRUE;
-				have_nonksk = ISC_FALSE;
-			} else {
-				have_ksk = ISC_FALSE;
-				have_nonksk = ISC_TRUE;
-			}
-			for (j = 0; j < nkeys; j++) {
-				if (j == i || ALG(keys[i]) != ALG(keys[j]))
-					continue;
-				if (REVOKE(keys[j]))
-					continue;
-				if (KSK(keys[j]))
-					have_ksk = ISC_TRUE;
-				else
-					have_nonksk = ISC_TRUE;
-				both = have_ksk && have_nonksk;
-				if (both)
-					break;
-			}
-		}
-		if (both) {
-			if (type == dns_rdatatype_dnskey) {
-				if (!KSK(keys[i]) && keyset_kskonly)
-					continue;
-			} else if (KSK(keys[i]))
-				continue;
-		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
-				continue;
-
-		/* Calculate the signature, creating a RRSIG RDATA. */
-		isc_buffer_clear(&buffer);
-		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
-				      &inception, &expire,
-				      mctx, &buffer, &sig_rdata));
-		/* Update the database and journal with the RRSIG. */
-		/* XXX inefficient - will cause dataset merging */
-		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN,
-				    name, rdataset.ttl, &sig_rdata));
-		dns_rdata_reset(&sig_rdata);
-		isc_buffer_init(&buffer, data, sizeof(data));
-	}
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-static void
-zone_resigninc(dns_zone_t *zone) {
-	const char *me = "zone_resigninc";
-	dns_db_t *db = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_diff_t _sig_diff;
-	zonediff_t zonediff;
-	dns_fixedname_t fixed;
-	dns_name_t *name;
-	dns_rdataset_t rdataset;
-	dns_rdatatype_t covers;
-	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
-	isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
-	isc_result_t result;
-	isc_stdtime_t now, inception, soaexpire, expire, stop;
-	isc_uint32_t jitter;
-	unsigned int i;
-	unsigned int nkeys = 0;
-	unsigned int resign;
-
-	ENTER;
-
-	dns_rdataset_init(&rdataset);
-	dns_fixedname_init(&fixed);
-	dns_diff_init(zone->mctx, &_sig_diff);
-	_sig_diff.resign = zone->sigresigninginterval;
-	zonediff_init(&zonediff, &_sig_diff);
-
-	/*
-	 * Zone is frozen or automatic resigning is disabled.
-	 * Pause for 5 minutes.
-	 */
-	if (zone->update_disabled ||
-	    DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN))
-	{
-		result = ISC_R_FAILURE;
-		goto failure;
-	}
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	dns_db_attach(zone->db, &db);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-
-	result = dns_db_newversion(db, &version);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_resigninc:dns_db_newversion -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	result = find_zone_keys(zone, db, version, zone->mctx, DNS_MAXZONEKEYS,
-				zone_keys, &nkeys);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_resigninc:find_zone_keys -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	isc_stdtime_get(&now);
-	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
-	/*
-	 * Spread out signatures over time if they happen to be
-	 * clumped.  We don't do this for each add_sigs() call as
-	 * we still want some clustering to occur.
-	 */
-	isc_random_get(&jitter);
-	expire = soaexpire - jitter % 3600;
-	stop = now + 5;
-
-	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
-
-	name = dns_fixedname_name(&fixed);
-	result = dns_db_getsigningtime(db, &rdataset, name);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_resigninc:dns_db_getsigningtime -> %s",
-			     dns_result_totext(result));
-	}
-
-	i = 0;
-	while (result == ISC_R_SUCCESS) {
-		resign = rdataset.resign;
-		covers = rdataset.covers;
-		dns_rdataset_disassociate(&rdataset);
-
-		/*
-		 * Stop if we hit the SOA as that means we have walked the
-		 * entire zone.  The SOA record should always be the most
-		 * recent signature.
-		 */
-		/* XXXMPA increase number of RRsets signed pre call */
-		if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
-		    resign > stop)
-			break;
-
-		result = del_sigs(zone, db, version, name, covers, &zonediff,
-				  zone_keys, nkeys, now, ISC_TRUE);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_resigninc:del_sigs -> %s",
-				     dns_result_totext(result));
-			break;
-		}
-
-		result = add_sigs(db, version, name, covers, zonediff.diff,
-				  zone_keys, nkeys, zone->mctx, inception,
-				  expire, check_ksk, keyset_kskonly);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_resigninc:add_sigs -> %s",
-				     dns_result_totext(result));
-			break;
-		}
-		result	= dns_db_getsigningtime(db, &rdataset,
-						dns_fixedname_name(&fixed));
-		if (nkeys == 0 && result == ISC_R_NOTFOUND) {
-			result = ISC_R_SUCCESS;
-			break;
-		}
-		if (result != ISC_R_SUCCESS)
-			dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_resigninc:dns_db_getsigningtime -> %s",
-				     dns_result_totext(result));
-	}
-
-	if (result != ISC_R_NOMORE && result != ISC_R_SUCCESS)
-		goto failure;
-
-	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
-			  &zonediff, zone_keys, nkeys, now, ISC_TRUE);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_resigninc:del_sigs -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	/*
-	 * Did we change anything in the zone?
-	 */
-	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
-		/*
-		 * Commit the changes if any key has been marked as offline.			 */
-		if (zonediff.offline)
-			dns_db_closeversion(db, &version, ISC_TRUE);
-		goto failure;
-	}
-
-	/* Increment SOA serial if we have made changes */
-	result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
-				   zone->updatemethod);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_resigninc:update_soa_serial -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	/*
-	 * Generate maximum life time signatures so that the above loop
-	 * termination is sensible.
-	 */
-	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
-			  zonediff.diff, zone_keys, nkeys, zone->mctx,
-			  inception, soaexpire, check_ksk, keyset_kskonly);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_resigninc:add_sigs -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	/* Write changes to journal file. */
-	CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_resigninc"));
-
-	/* Everything has succeeded. Commit the changes. */
-	dns_db_closeversion(db, &version, ISC_TRUE);
-
- failure:
-	dns_diff_clear(&_sig_diff);
-	for (i = 0; i < nkeys; i++)
-		dst_key_free(&zone_keys[i]);
-	if (version != NULL) {
-		dns_db_closeversion(zone->db, &version, ISC_FALSE);
-		dns_db_detach(&db);
-	} else if (db != NULL)
-		dns_db_detach(&db);
-	if (result == ISC_R_SUCCESS) {
-		set_resigntime(zone);
-		LOCK_ZONE(zone);
-		zone_needdump(zone, DNS_DUMP_DELAY);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-		UNLOCK_ZONE(zone);
-	} else {
-		/*
-		 * Something failed.  Retry in 5 minutes.
-		 */
-		isc_interval_t ival;
-		isc_interval_set(&ival, 300, 0);
-		isc_time_nowplusinterval(&zone->resigntime, &ival);
-	}
-}
-
-static isc_result_t
-next_active(dns_db_t *db, dns_dbversion_t *version, dns_name_t *oldname,
-	    dns_name_t *newname, isc_boolean_t bottom)
-{
-	isc_result_t result;
-	dns_dbiterator_t *dbit = NULL;
-	dns_rdatasetiter_t *rdsit = NULL;
-	dns_dbnode_t *node = NULL;
-
-	CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
-	CHECK(dns_dbiterator_seek(dbit, oldname));
-	do {
-		result = dns_dbiterator_next(dbit);
-		if (result == ISC_R_NOMORE)
-			CHECK(dns_dbiterator_first(dbit));
-		CHECK(dns_dbiterator_current(dbit, &node, newname));
-		if (bottom && dns_name_issubdomain(newname, oldname) &&
-		    !dns_name_equal(newname, oldname)) {
-			dns_db_detachnode(db, &node);
-			continue;
-		}
-		/*
-		 * Is this node empty?
-		 */
-		CHECK(dns_db_allrdatasets(db, node, version, 0, &rdsit));
-		result = dns_rdatasetiter_first(rdsit);
-		dns_db_detachnode(db, &node);
-		dns_rdatasetiter_destroy(&rdsit);
-		if (result != ISC_R_NOMORE)
-			break;
-	} while (1);
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (dbit != NULL)
-		dns_dbiterator_destroy(&dbit);
-	return (result);
-}
-
-static isc_boolean_t
-signed_with_key(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-		dns_rdatatype_t type, dst_key_t *key)
-{
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_rrsig_t rrsig;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_rrsig,
-				     type, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		return (ISC_FALSE);
-	}
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
-		INSIST(result == ISC_R_SUCCESS);
-		if (rrsig.algorithm == dst_key_alg(key) &&
-		    rrsig.keyid == dst_key_id(key)) {
-			dns_rdataset_disassociate(&rdataset);
-			return (ISC_TRUE);
-		}
-		dns_rdata_reset(&rdata);
-	}
-	dns_rdataset_disassociate(&rdataset);
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-add_nsec(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-	 dns_dbnode_t *node, dns_ttl_t ttl, isc_boolean_t bottom,
-	 dns_diff_t *diff)
-{
-	dns_fixedname_t fixed;
-	dns_name_t *next;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
-
-	dns_fixedname_init(&fixed);
-	next = dns_fixedname_name(&fixed);
-
-	CHECK(next_active(db, version, name, next, bottom));
-	CHECK(dns_nsec_buildrdata(db, version, node, next, nsecbuffer,
-				  &rdata));
-	CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, ttl,
-			    &rdata));
- failure:
-	return (result);
-}
-
-static isc_result_t
-sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
-	    dns_dbversion_t *version, isc_boolean_t build_nsec3,
-	    isc_boolean_t build_nsec, dst_key_t *key,
-	    isc_stdtime_t inception, isc_stdtime_t expire,
-	    unsigned int minimum, isc_boolean_t is_ksk,
-	    isc_boolean_t keyset_kskonly, isc_boolean_t *delegation,
-	    dns_diff_t *diff, isc_int32_t *signatures, isc_mem_t *mctx)
-{
-	isc_result_t result;
-	dns_rdatasetiter_t *iterator = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_buffer_t buffer;
-	unsigned char data[1024];
-	isc_boolean_t seen_soa, seen_ns, seen_rr, seen_dname, seen_nsec,
-		      seen_nsec3, seen_ds;
-	isc_boolean_t bottom;
-
-	result = dns_db_allrdatasets(db, node, version, 0, &iterator);
-	if (result != ISC_R_SUCCESS) {
-		if (result == ISC_R_NOTFOUND)
-			result = ISC_R_SUCCESS;
-		return (result);
-	}
-
-	dns_rdataset_init(&rdataset);
-	isc_buffer_init(&buffer, data, sizeof(data));
-	seen_rr = seen_soa = seen_ns = seen_dname = seen_nsec =
-	seen_nsec3 = seen_ds = ISC_FALSE;
-	for (result = dns_rdatasetiter_first(iterator);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(iterator)) {
-		dns_rdatasetiter_current(iterator, &rdataset);
-		if (rdataset.type == dns_rdatatype_soa)
-			seen_soa = ISC_TRUE;
-		else if (rdataset.type == dns_rdatatype_ns)
-			seen_ns = ISC_TRUE;
-		else if (rdataset.type == dns_rdatatype_ds)
-			seen_ds = ISC_TRUE;
-		else if (rdataset.type == dns_rdatatype_dname)
-			seen_dname = ISC_TRUE;
-		else if (rdataset.type == dns_rdatatype_nsec)
-			seen_nsec = ISC_TRUE;
-		else if (rdataset.type == dns_rdatatype_nsec3)
-			seen_nsec3 = ISC_TRUE;
-		if (rdataset.type != dns_rdatatype_rrsig)
-			seen_rr = ISC_TRUE;
-		dns_rdataset_disassociate(&rdataset);
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-	if (seen_ns && !seen_soa)
-		*delegation = ISC_TRUE;
-	/*
-	 * Going from insecure to NSEC3.
-	 * Don't generate NSEC3 records for NSEC3 records.
-	 */
-	if (build_nsec3 && !seen_nsec3 && seen_rr) {
-		isc_boolean_t unsecure = !seen_ds && seen_ns && !seen_soa;
-		CHECK(dns_nsec3_addnsec3s(db, version, name, minimum,
-					  unsecure, diff));
-		(*signatures)--;
-	}
-	/*
-	 * Going from insecure to NSEC.
-	 * Don't generate NSEC records for NSEC3 records.
-	 */
-	if (build_nsec && !seen_nsec3 && !seen_nsec && seen_rr) {
-		/* Build and add NSEC. */
-		bottom = (seen_ns && !seen_soa) || seen_dname;
-		/*
-		 * Build a NSEC record except at the origin.
-		 */
-		if (!dns_name_equal(name, dns_db_origin(db))) {
-			CHECK(add_nsec(db, version, name, node, minimum,
-				       bottom, diff));
-			/* Count a NSEC generation as a signature generation. */
-			(*signatures)--;
-		}
-	}
-	result = dns_rdatasetiter_first(iterator);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdatasetiter_current(iterator, &rdataset);
-		if (rdataset.type == dns_rdatatype_soa ||
-		    rdataset.type == dns_rdatatype_rrsig)
-			goto next_rdataset;
-		if (rdataset.type == dns_rdatatype_dnskey) {
-			if (!is_ksk && keyset_kskonly)
-				goto next_rdataset;
-		} else if (is_ksk)
-			goto next_rdataset;
-		if (*delegation &&
-		    rdataset.type != dns_rdatatype_ds &&
-		    rdataset.type != dns_rdatatype_nsec)
-			goto next_rdataset;
-		if (signed_with_key(db, node, version, rdataset.type, key))
-			goto next_rdataset;
-		/* Calculate the signature, creating a RRSIG RDATA. */
-		isc_buffer_clear(&buffer);
-		CHECK(dns_dnssec_sign(name, &rdataset, key, &inception,
-				      &expire, mctx, &buffer, &rdata));
-		/* Update the database and journal with the RRSIG. */
-		/* XXX inefficient - will cause dataset merging */
-		CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN,
-				    name, rdataset.ttl, &rdata));
-		dns_rdata_reset(&rdata);
-		(*signatures)--;
- next_rdataset:
-		dns_rdataset_disassociate(&rdataset);
-		result = dns_rdatasetiter_next(iterator);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	if (seen_dname)
-		*delegation = ISC_TRUE;
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (iterator != NULL)
-		dns_rdatasetiter_destroy(&iterator);
-	return (result);
-}
-
-/*
- * If 'update_only' is set then don't create a NSEC RRset if it doesn't exist.
- */
-static isc_result_t
-updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-	     dns_ttl_t minimum, isc_boolean_t update_only, dns_diff_t *diff)
-{
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	dns_dbnode_t *node = NULL;
-
-	CHECK(dns_db_getoriginnode(db, &node));
-	if (update_only) {
-		dns_rdataset_init(&rdataset);
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_nsec,
-					     dns_rdatatype_none,
-					     0, &rdataset, NULL);
-		if (dns_rdataset_isassociated(&rdataset))
-			dns_rdataset_disassociate(&rdataset);
-		if (result == ISC_R_NOTFOUND)
-			goto success;
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-	}
-	CHECK(delete_nsec(db, version, node, name, diff));
-	CHECK(add_nsec(db, version, name, node, minimum, ISC_FALSE, diff));
- success:
-	result = ISC_R_SUCCESS;
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-static isc_result_t
-updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
-		  dns_dbversion_t *version, isc_boolean_t build_nsec3,
-		  dns_ttl_t minimum, dns_diff_t *diff)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char data[5];
-	isc_boolean_t seen_done = ISC_FALSE;
-	isc_boolean_t have_rr = ISC_FALSE;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_getoriginnode(signing->db, &node);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	result = dns_db_findrdataset(signing->db, node, version,
-				     zone->privatetype, dns_rdatatype_none,
-				     0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		result = ISC_R_SUCCESS;
-		goto failure;
-	}
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto failure;
-	}
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdataset_current(&rdataset, &rdata);
-		/*
-		 * If we don't match the algorithm or keyid skip the record.
-		 */
-		if (rdata.length != 5 ||
-		    rdata.data[0] != signing->algorithm ||
-		    rdata.data[1] != ((signing->keyid >> 8) & 0xff) ||
-		    rdata.data[2] != (signing->keyid & 0xff)) {
-			have_rr = ISC_TRUE;
-			dns_rdata_reset(&rdata);
-			continue;
-		}
-		/*
-		 * We have a match.  If we were signing (!signing->delete)
-		 * and we already have a record indicating that we have
-		 * finished signing (rdata.data[4] != 0) then keep it.
-		 * Otherwise it needs to be deleted as we have removed all
-		 * the signatures (signing->delete), so any record indicating
-		 * completion is now out of date, or we have finished signing
-		 * with the new record so we no longer need to remember that
-		 * we need to sign the zone with the matching key across a
-		 * nameserver re-start.
-		 */
-		if (!signing->delete && rdata.data[4] != 0) {
-			seen_done = ISC_TRUE;
-			have_rr = ISC_TRUE;
-		} else
-			CHECK(update_one_rr(signing->db, version, diff,
-					    DNS_DIFFOP_DEL, &zone->origin,
-					    rdataset.ttl, &rdata));
-		dns_rdata_reset(&rdata);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	if (!signing->delete && !seen_done) {
-		/*
-		 * If we were signing then we need to indicate that we have
-		 * finished signing the zone with this key.  If it is already
-		 * there we don't need to add it a second time.
-		 */
-		data[0] = signing->algorithm;
-		data[1] = (signing->keyid >> 8) & 0xff;
-		data[2] = signing->keyid & 0xff;
-		data[3] = 0;
-		data[4] = 1;
-		rdata.length = sizeof(data);
-		rdata.data = data;
-		rdata.type = zone->privatetype;
-		rdata.rdclass = dns_db_class(signing->db);
-		CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD,
-				    &zone->origin, rdataset.ttl, &rdata));
-	} else if (!have_rr) {
-		dns_name_t *origin = dns_db_origin(signing->db);
-		/*
-		 * Rebuild the NSEC/NSEC3 record for the origin as we no
-		 * longer have any private records.
-		 */
-		if (build_nsec3)
-			CHECK(dns_nsec3_addnsec3s(signing->db, version, origin,
-						  minimum, ISC_FALSE, diff));
-		CHECK(updatesecure(signing->db, version, origin, minimum,
-				   ISC_TRUE, diff));
-	}
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(signing->db, &node);
-	return (result);
-}
-
-/*
- * If 'active' is set then we are not done with the chain yet so only
- * delete the nsec3param record which indicates a full chain exists
- * (flags == 0).
- */
-static isc_result_t
-fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
-		 isc_boolean_t active, dns_rdatatype_t privatetype,
-		 dns_diff_t *diff)
-{
-	dns_dbnode_t *node = NULL;
-	dns_name_t *name = dns_db_origin(db);
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	dns_rdata_nsec3param_t nsec3param;
-	isc_result_t result;
-	isc_buffer_t buffer;
-	unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
-	dns_ttl_t ttl = 0;
-	isc_boolean_t nseconly = ISC_FALSE, nsec3ok = ISC_FALSE;
-
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_getoriginnode(db, &node);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
-				     0, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto try_private;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	/*
-	 * Preserve the existing ttl.
-	 */
-	ttl = rdataset.ttl;
-
-	/*
-	 * Delete all NSEC3PARAM records which match that in nsec3chain.
-	 */
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-
-		if (nsec3param.hash != chain->nsec3param.hash ||
-		    (active && nsec3param.flags != 0) ||
-		    nsec3param.iterations != chain->nsec3param.iterations ||
-		    nsec3param.salt_length != chain->nsec3param.salt_length ||
-		    memcmp(nsec3param.salt, chain->nsec3param.salt,
-			   nsec3param.salt_length)) {
-			dns_rdata_reset(&rdata);
-			continue;
-		}
-
-		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
-				    name, rdataset.ttl, &rdata));
-		dns_rdata_reset(&rdata);
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-
-	dns_rdataset_disassociate(&rdataset);
-
- try_private:
-
-	if (active)
-		goto add;
-
-	result = dns_nsec_nseconly(db, ver, &nseconly);
-	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
-
-	/*
-	 * Delete all private records which match that in nsec3chain.
-	 */
-	result = dns_db_findrdataset(db, node, ver, privatetype,
-				     0, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto add;
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t private = DNS_RDATA_INIT;
-		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-
-		dns_rdataset_current(&rdataset, &private);
-		if (!dns_nsec3param_fromprivate(&private, &rdata,
-						buf, sizeof(buf)))
-			continue;
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-
-		if ((!nsec3ok &&
-		     (nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0) ||
-		    nsec3param.hash != chain->nsec3param.hash ||
-		    nsec3param.iterations != chain->nsec3param.iterations ||
-		    nsec3param.salt_length != chain->nsec3param.salt_length ||
-		    memcmp(nsec3param.salt, chain->nsec3param.salt,
-			   nsec3param.salt_length)) {
-			dns_rdata_reset(&rdata);
-			continue;
-		}
-
-		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
-				    name, rdataset.ttl, &private));
-		dns_rdata_reset(&rdata);
-	}
-	if (result != ISC_R_NOMORE)
-		goto failure;
-
-  add:
-	if ((chain->nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
-		result = ISC_R_SUCCESS;
-		goto failure;
-	}
-
-	/*
-	 * Add a NSEC3PARAM record which matches that in nsec3chain but
-	 * with all flags bits cleared.
-	 *
-	 * Note: we do not clear chain->nsec3param.flags as this change
-	 * may be reversed.
-	 */
-	isc_buffer_init(&buffer, &parambuf, sizeof(parambuf));
-	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db),
-				   dns_rdatatype_nsec3param,
-				   &chain->nsec3param, &buffer));
-	rdata.data[1] = 0;	/* Clear flag bits. */
-	CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name, ttl, &rdata));
-
-  failure:
-	dns_db_detachnode(db, &node);
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	return (result);
-}
-
-static isc_result_t
-delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
-	    dns_name_t *name, dns_diff_t *diff)
-{
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
-				     0, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
-				    rdataset.ttl, &rdata));
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
- failure:
-	dns_rdataset_disassociate(&rdataset);
-	return (result);
-}
-
-static isc_result_t
-deletematchingnsec3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
-		    dns_name_t *name, const dns_rdata_nsec3param_t *param,
-		    dns_diff_t *diff)
-{
-	dns_rdataset_t rdataset;
-	dns_rdata_nsec3_t nsec3;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
-				     0, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
-		if (nsec3.hash != param->hash ||
-		    nsec3.iterations != param->iterations ||
-		    nsec3.salt_length != param->salt_length ||
-		    memcmp(nsec3.salt, param->salt, nsec3.salt_length))
-			continue;
-		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
-				    rdataset.ttl, &rdata));
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
- failure:
-	dns_rdataset_disassociate(&rdataset);
-	return (result);
-}
-
-static isc_result_t
-need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
-		const dns_rdata_nsec3param_t *param,
-		isc_boolean_t *answer)
-{
-	dns_dbnode_t *node = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_nsec3param_t myparam;
-	dns_rdataset_t rdataset;
-	isc_result_t result;
-
-	*answer = ISC_FALSE;
-
-	result = dns_db_getoriginnode(db, &node);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	dns_rdataset_init(&rdataset);
-
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
-				     0, 0, &rdataset, NULL);
-	if (result == ISC_R_SUCCESS) {
-		dns_rdataset_disassociate(&rdataset);
-		dns_db_detachnode(db, &node);
-		return (result);
-	}
-	if (result != ISC_R_NOTFOUND) {
-		dns_db_detachnode(db, &node);
-		return (result);
-	}
-
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
-				     0, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		*answer = ISC_TRUE;
-		dns_db_detachnode(db, &node);
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS) {
-		dns_db_detachnode(db, &node);
-		return (result);
-	}
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &myparam, NULL));
-		dns_rdata_reset(&rdata);
-		/*
-		 * Ignore any NSEC3PARAM removals.
-		 */
-		if (NSEC3REMOVE(myparam.flags))
-			continue;
-		/*
-		 * Ignore the chain that we are in the process of deleting.
-		 */
-		if (myparam.hash == param->hash &&
-		    myparam.iterations == param->iterations &&
-		    myparam.salt_length == param->salt_length &&
-		    !memcmp(myparam.salt, param->salt, myparam.salt_length))
-			continue;
-		/*
-		 * Found an active NSEC3 chain.
-		 */
-		break;
-	}
-	if (result == ISC_R_NOMORE) {
-		*answer = ISC_TRUE;
-		result = ISC_R_SUCCESS;
-	}
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	dns_db_detachnode(db, &node);
-	return (result);
-}
-
-static isc_result_t
-update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
-	    dst_key_t *zone_keys[], unsigned int nkeys, dns_zone_t *zone,
-	    isc_stdtime_t inception, isc_stdtime_t expire, isc_stdtime_t now,
-	    isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly,
-	    zonediff_t *zonediff)
-{
-	dns_difftuple_t *tuple;
-	isc_result_t result;
-
-	for (tuple = ISC_LIST_HEAD(diff->tuples);
-	     tuple != NULL;
-	     tuple = ISC_LIST_HEAD(diff->tuples)) {
-		result = del_sigs(zone, db, version, &tuple->name,
-				  tuple->rdata.type, zonediff,
-				  zone_keys, nkeys, now, ISC_FALSE);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "update_sigs:del_sigs -> %s",
-				     dns_result_totext(result));
-			return (result);
-		}
-		result = add_sigs(db, version, &tuple->name,
-				  tuple->rdata.type, zonediff->diff,
-				  zone_keys, nkeys, zone->mctx, inception,
-				  expire, check_ksk, keyset_kskonly);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "update_sigs:add_sigs -> %s",
-				     dns_result_totext(result));
-			return (result);
-		}
-
-		do {
-			dns_difftuple_t *next = ISC_LIST_NEXT(tuple, link);
-			while (next != NULL &&
-			       (tuple->rdata.type != next->rdata.type ||
-				!dns_name_equal(&tuple->name, &next->name)))
-				next = ISC_LIST_NEXT(next, link);
-			ISC_LIST_UNLINK(diff->tuples, tuple, link);
-			dns_diff_appendminimal(zonediff->diff, &tuple);
-			INSIST(tuple == NULL);
-			tuple = next;
-		} while (tuple != NULL);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Incrementally build and sign a new NSEC3 chain using the parameters
- * requested.
- */
-static void
-zone_nsec3chain(dns_zone_t *zone) {
-	const char *me = "zone_nsec3chain";
-	dns_db_t *db = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_diff_t _sig_diff;
-	dns_diff_t nsec_diff;
-	dns_diff_t nsec3_diff;
-	dns_diff_t param_diff;
-	zonediff_t zonediff;
-	dns_fixedname_t fixed;
-	dns_fixedname_t nextfixed;
-	dns_name_t *name, *nextname;
-	dns_rdataset_t rdataset;
-	dns_nsec3chain_t *nsec3chain = NULL, *nextnsec3chain;
-	dns_nsec3chainlist_t cleanup;
-	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
-	isc_int32_t signatures;
-	isc_boolean_t check_ksk, keyset_kskonly;
-	isc_boolean_t delegation;
-	isc_boolean_t first;
-	isc_result_t result;
-	isc_stdtime_t now, inception, soaexpire, expire;
-	isc_uint32_t jitter;
-	unsigned int i;
-	unsigned int nkeys = 0;
-	isc_uint32_t nodes;
-	isc_boolean_t unsecure = ISC_FALSE;
-	isc_boolean_t seen_soa, seen_ns, seen_dname, seen_ds;
-	isc_boolean_t seen_nsec, seen_nsec3, seen_rr;
-	dns_rdatasetiter_t *iterator = NULL;
-	isc_boolean_t buildnsecchain;
-	isc_boolean_t updatensec = ISC_FALSE;
-	dns_rdatatype_t privatetype = zone->privatetype;
-
-	ENTER;
-
-	dns_rdataset_init(&rdataset);
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	dns_fixedname_init(&nextfixed);
-	nextname = dns_fixedname_name(&nextfixed);
-	dns_diff_init(zone->mctx, &param_diff);
-	dns_diff_init(zone->mctx, &nsec3_diff);
-	dns_diff_init(zone->mctx, &nsec_diff);
-	dns_diff_init(zone->mctx, &_sig_diff);
-	_sig_diff.resign = zone->sigresigninginterval;
-	zonediff_init(&zonediff, &_sig_diff);
-	ISC_LIST_INIT(cleanup);
-
-	/*
-	 * Updates are disabled.  Pause for 5 minutes.
-	 */
-	if (zone->update_disabled) {
-		result = ISC_R_FAILURE;
-		goto failure;
-	}
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	dns_db_attach(zone->db, &db);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-
-	result = dns_db_newversion(db, &version);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_nsec3chain:dns_db_newversion -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	result = find_zone_keys(zone, db, version, zone->mctx,
-				DNS_MAXZONEKEYS, zone_keys, &nkeys);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_nsec3chain:find_zone_keys -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	isc_stdtime_get(&now);
-	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
-
-	/*
-	 * Spread out signatures over time if they happen to be
-	 * clumped.  We don't do this for each add_sigs() call as
-	 * we still want some clustering to occur.
-	 */
-	isc_random_get(&jitter);
-	expire = soaexpire - jitter % 3600;
-
-	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
-
-	/*
-	 * We keep pulling nodes off each iterator in turn until
-	 * we have no more nodes to pull off or we reach the limits
-	 * for this quantum.
-	 */
-	nodes = zone->nodes;
-	signatures = zone->signatures;
-	LOCK_ZONE(zone);
-	nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
-	UNLOCK_ZONE(zone);
-	first = ISC_TRUE;
-
-	if (nsec3chain != NULL)
-		nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
-	/*
-	 * Generate new NSEC3 chains first.
-	 */
-	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
-		LOCK_ZONE(zone);
-		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
-
-		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-		if (nsec3chain->done || nsec3chain->db != zone->db) {
-			ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
-			ISC_LIST_APPEND(cleanup, nsec3chain, link);
-		}
-		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-		UNLOCK_ZONE(zone);
-		if (ISC_LIST_TAIL(cleanup) == nsec3chain)
-			goto next_addchain;
-
-		/*
-		 * Possible future db.
-		 */
-		if (nsec3chain->db != db) {
-			goto next_addchain;
-		}
-
-		if (NSEC3REMOVE(nsec3chain->nsec3param.flags))
-			goto next_addchain;
-
-		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
-
-		if (nsec3chain->delete_nsec) {
-			delegation = ISC_FALSE;
-			dns_dbiterator_pause(nsec3chain->dbiterator);
-			CHECK(delete_nsec(db, version, node, name, &nsec_diff));
-			goto next_addnode;
-		}
-		/*
-		 * On the first pass we need to check if the current node
-		 * has not been obscured.
-		 */
-		delegation = ISC_FALSE;
-		unsecure = ISC_FALSE;
-		if (first) {
-			dns_fixedname_t ffound;
-			dns_name_t *found;
-			dns_fixedname_init(&ffound);
-			found = dns_fixedname_name(&ffound);
-			result = dns_db_find(db, name, version,
-					     dns_rdatatype_soa,
-					     DNS_DBFIND_NOWILD, 0, NULL, found,
-					     NULL, NULL);
-			if ((result == DNS_R_DELEGATION ||
-			    result == DNS_R_DNAME) &&
-			    !dns_name_equal(name, found)) {
-				/*
-				 * Remember the obscuring name so that
-				 * we skip all obscured names.
-				 */
-				dns_name_copy(found, name, NULL);
-				delegation = ISC_TRUE;
-				goto next_addnode;
-			}
-		}
-
-		/*
-		 * Check to see if this is a bottom of zone node.
-		 */
-		result = dns_db_allrdatasets(db, node, version, 0, &iterator);
-		if (result == ISC_R_NOTFOUND)	/* Empty node? */
-			goto next_addnode;
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec =
-			ISC_FALSE;
-		for (result = dns_rdatasetiter_first(iterator);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(iterator)) {
-			dns_rdatasetiter_current(iterator, &rdataset);
-			INSIST(rdataset.type != dns_rdatatype_nsec3);
-			if (rdataset.type == dns_rdatatype_soa)
-				seen_soa = ISC_TRUE;
-			else if (rdataset.type == dns_rdatatype_ns)
-				seen_ns = ISC_TRUE;
-			else if (rdataset.type == dns_rdatatype_dname)
-				seen_dname = ISC_TRUE;
-			else if (rdataset.type == dns_rdatatype_ds)
-				seen_ds = ISC_TRUE;
-			else if (rdataset.type == dns_rdatatype_nsec)
-				seen_nsec = ISC_TRUE;
-			dns_rdataset_disassociate(&rdataset);
-		}
-		dns_rdatasetiter_destroy(&iterator);
-		/*
-		 * Is there a NSEC chain than needs to be cleaned up?
-		 */
-		if (seen_nsec)
-			nsec3chain->seen_nsec = ISC_TRUE;
-		if (seen_ns && !seen_soa && !seen_ds)
-			unsecure = ISC_TRUE;
-		if ((seen_ns && !seen_soa) || seen_dname)
-			delegation = ISC_TRUE;
-
-		/*
-		 * Process one node.
-		 */
-		dns_dbiterator_pause(nsec3chain->dbiterator);
-		result = dns_nsec3_addnsec3(db, version, name,
-					    &nsec3chain->nsec3param,
-					    zone->minimum, unsecure,
-					    &nsec3_diff);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-				     "dns_nsec3_addnsec3 -> %s",
-				     dns_result_totext(result));
-			goto failure;
-		}
-
-		/*
-		 * Treat each call to dns_nsec3_addnsec3() as if it's cost is
-		 * two signatures.  Additionally there will, in general, be
-		 * two signature generated below.
-		 *
-		 * If we are only changing the optout flag the cost is half
-		 * that of the cost of generating a completely new chain.
-		 */
-		signatures -= 4;
-
-		/*
-		 * Go onto next node.
-		 */
- next_addnode:
-		first = ISC_FALSE;
-		dns_db_detachnode(db, &node);
-		do {
-			result = dns_dbiterator_next(nsec3chain->dbiterator);
-
-			if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) {
-				dns_dbiterator_pause(nsec3chain->dbiterator);
-				CHECK(fixup_nsec3param(db, version, nsec3chain,
-						       ISC_FALSE, privatetype,
-						       &param_diff));
-				LOCK_ZONE(zone);
-				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
-						link);
-				UNLOCK_ZONE(zone);
-				ISC_LIST_APPEND(cleanup, nsec3chain, link);
-				goto next_addchain;
-			}
-			if (result == ISC_R_NOMORE) {
-				dns_dbiterator_pause(nsec3chain->dbiterator);
-				if (nsec3chain->seen_nsec) {
-					CHECK(fixup_nsec3param(db, version,
-							       nsec3chain,
-							       ISC_TRUE,
-							       privatetype,
-							       &param_diff));
-					nsec3chain->delete_nsec = ISC_TRUE;
-					goto same_addchain;
-				}
-				CHECK(fixup_nsec3param(db, version, nsec3chain,
-						       ISC_FALSE, privatetype,
-						       &param_diff));
-				LOCK_ZONE(zone);
-				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
-						link);
-				UNLOCK_ZONE(zone);
-				ISC_LIST_APPEND(cleanup, nsec3chain, link);
-				goto next_addchain;
-			} else if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_nsec3chain:"
-					     "dns_dbiterator_next -> %s",
-					     dns_result_totext(result));
-				goto failure;
-			} else if (delegation) {
-				dns_dbiterator_current(nsec3chain->dbiterator,
-						       &node, nextname);
-				dns_db_detachnode(db, &node);
-				if (!dns_name_issubdomain(nextname, name))
-					break;
-			} else
-				break;
-		} while (1);
-		continue;
-
- same_addchain:
-		CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
-		first = ISC_TRUE;
-		continue;
-
- next_addchain:
-		dns_dbiterator_pause(nsec3chain->dbiterator);
-		nsec3chain = nextnsec3chain;
-		first = ISC_TRUE;
-		if (nsec3chain != NULL)
-			nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
-	}
-
-	/*
-	 * Process removals.
-	 */
-	LOCK_ZONE(zone);
-	nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
-	UNLOCK_ZONE(zone);
-	first = ISC_TRUE;
-	buildnsecchain = ISC_FALSE;
-	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
-		LOCK_ZONE(zone);
-		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
-		UNLOCK_ZONE(zone);
-
-		if (nsec3chain->db != db)
-			goto next_removechain;
-
-		if (!NSEC3REMOVE(nsec3chain->nsec3param.flags))
-			goto next_removechain;
-
-		/*
-		 * Work out if we need to build a NSEC chain as a consequence
-		 * of removing this NSEC3 chain.
-		 */
-		if (first && !updatensec &&
-		    (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0)
-		{
-			result = need_nsec_chain(db, version,
-						 &nsec3chain->nsec3param,
-						 &buildnsecchain);
-			if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_nsec3chain:"
-					     "need_nsec_chain -> %s",
-					     dns_result_totext(result));
-				goto failure;
-			}
-		}
-
-		if (first)
-			dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:"
-				     "buildnsecchain = %u\n", buildnsecchain);
-
-		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
-		delegation = ISC_FALSE;
-
-		if (!buildnsecchain) {
-			/*
-			 * Delete the NSECPARAM record that matches this chain.
-			 */
-			if (first) {
-				result = fixup_nsec3param(db, version,
-							  nsec3chain,
-							  ISC_TRUE, privatetype,
-							  &param_diff);
-				if (result != ISC_R_SUCCESS) {
-					dns_zone_log(zone, ISC_LOG_ERROR,
-						     "zone_nsec3chain:"
-						     "fixup_nsec3param -> %s",
-						     dns_result_totext(result));
-					goto failure;
-				}
-			}
-
-			/*
-			 *  Delete the NSEC3 records.
-			 */
-			result = deletematchingnsec3(db, version, node, name,
-						     &nsec3chain->nsec3param,
-						     &nsec3_diff);
-			if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_nsec3chain:"
-					     "deletematchingnsec3 -> %s",
-					     dns_result_totext(result));
-				goto failure;
-			}
-			goto next_removenode;
-		}
-
-		if (first) {
-			dns_fixedname_t ffound;
-			dns_name_t *found;
-			dns_fixedname_init(&ffound);
-			found = dns_fixedname_name(&ffound);
-			result = dns_db_find(db, name, version,
-					     dns_rdatatype_soa,
-					     DNS_DBFIND_NOWILD, 0, NULL, found,
-					     NULL, NULL);
-			if ((result == DNS_R_DELEGATION ||
-			     result == DNS_R_DNAME) &&
-			    !dns_name_equal(name, found)) {
-				/*
-				 * Remember the obscuring name so that
-				 * we skip all obscured names.
-				 */
-				dns_name_copy(found, name, NULL);
-				delegation = ISC_TRUE;
-				goto next_removenode;
-			}
-		}
-
-		/*
-		 * Check to see if this is a bottom of zone node.
-		 */
-		result = dns_db_allrdatasets(db, node, version, 0, &iterator);
-		if (result == ISC_R_NOTFOUND)	/* Empty node? */
-			goto next_removenode;
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		seen_soa = seen_ns = seen_dname = seen_nsec3 = seen_nsec =
-			seen_rr = ISC_FALSE;
-		for (result = dns_rdatasetiter_first(iterator);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(iterator)) {
-			dns_rdatasetiter_current(iterator, &rdataset);
-			if (rdataset.type == dns_rdatatype_soa)
-				seen_soa = ISC_TRUE;
-			else if (rdataset.type == dns_rdatatype_ns)
-				seen_ns = ISC_TRUE;
-			else if (rdataset.type == dns_rdatatype_dname)
-				seen_dname = ISC_TRUE;
-			else if (rdataset.type == dns_rdatatype_nsec)
-				seen_nsec = ISC_TRUE;
-			else if (rdataset.type == dns_rdatatype_nsec3)
-				seen_nsec3 = ISC_TRUE;
-			if (rdataset.type != dns_rdatatype_rrsig)
-				seen_rr = ISC_TRUE;
-			dns_rdataset_disassociate(&rdataset);
-		}
-		dns_rdatasetiter_destroy(&iterator);
-
-		if (!seen_rr || seen_nsec3 || seen_nsec)
-			goto next_removenode;
-		if ((seen_ns && !seen_soa) || seen_dname)
-			delegation = ISC_TRUE;
-
-		/*
-		 * Add a NSEC record except at the origin.
-		 */
-		if (!dns_name_equal(name, dns_db_origin(db))) {
-			dns_dbiterator_pause(nsec3chain->dbiterator);
-			CHECK(add_nsec(db, version, name, node, zone->minimum,
-				       delegation, &nsec_diff));
-		}
-
- next_removenode:
-		first = ISC_FALSE;
-		dns_db_detachnode(db, &node);
-		do {
-			result = dns_dbiterator_next(nsec3chain->dbiterator);
-			if (result == ISC_R_NOMORE && buildnsecchain) {
-				/*
-				 * The NSEC chain should now be built.
-				 * We can now remove the NSEC3 chain.
-				 */
-				updatensec = ISC_TRUE;
-				goto same_removechain;
-			}
-			if (result == ISC_R_NOMORE) {
-				LOCK_ZONE(zone);
-				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
-						link);
-				UNLOCK_ZONE(zone);
-				ISC_LIST_APPEND(cleanup, nsec3chain, link);
-				dns_dbiterator_pause(nsec3chain->dbiterator);
-				result = fixup_nsec3param(db, version,
-							  nsec3chain, ISC_FALSE,
-							  privatetype,
-							  &param_diff);
-				if (result != ISC_R_SUCCESS) {
-					dns_zone_log(zone, ISC_LOG_ERROR,
-						     "zone_nsec3chain:"
-						     "fixup_nsec3param -> %s",
-						     dns_result_totext(result));
-					goto failure;
-				}
-				goto next_removechain;
-			} else if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_nsec3chain:"
-					     "dns_dbiterator_next -> %s",
-					     dns_result_totext(result));
-				goto failure;
-			} else if (delegation) {
-				dns_dbiterator_current(nsec3chain->dbiterator,
-						       &node, nextname);
-				dns_db_detachnode(db, &node);
-				if (!dns_name_issubdomain(nextname, name))
-					break;
-			} else
-				break;
-		} while (1);
-		continue;
-
- same_removechain:
-		CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
-		buildnsecchain = ISC_FALSE;
-		first = ISC_TRUE;
-		continue;
-
- next_removechain:
-		dns_dbiterator_pause(nsec3chain->dbiterator);
-		nsec3chain = nextnsec3chain;
-		first = ISC_TRUE;
-	}
-
-	/*
-	 * We may need to update the NSEC/NSEC3 records for the zone apex.
-	 */
-	if (!ISC_LIST_EMPTY(param_diff.tuples)) {
-		isc_boolean_t rebuild_nsec = ISC_FALSE,
-			      rebuild_nsec3 = ISC_FALSE;
-		result = dns_db_getoriginnode(db, &node);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		result = dns_db_allrdatasets(db, node, version, 0, &iterator);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-				     "dns_db_allrdatasets -> %s",
-				     dns_result_totext(result));
-			goto failure;
-		}
-		for (result = dns_rdatasetiter_first(iterator);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(iterator)) {
-			dns_rdatasetiter_current(iterator, &rdataset);
-			if (rdataset.type == dns_rdatatype_nsec)
-				rebuild_nsec = ISC_TRUE;
-			if (rdataset.type == dns_rdatatype_nsec3param)
-				rebuild_nsec3 = ISC_TRUE;
-			dns_rdataset_disassociate(&rdataset);
-		}
-		dns_rdatasetiter_destroy(&iterator);
-		dns_db_detachnode(db, &node);
-
-		if (rebuild_nsec) {
-			if (nsec3chain != NULL)
-				dns_dbiterator_pause(nsec3chain->dbiterator);
-
-			result = updatesecure(db, version, &zone->origin,
-					      zone->minimum, ISC_TRUE,
-					      &nsec_diff);
-			if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_nsec3chain:"
-					     "updatesecure -> %s",
-					     dns_result_totext(result));
-				goto failure;
-			}
-		}
-
-		if (rebuild_nsec3) {
-			if (nsec3chain != NULL)
-				dns_dbiterator_pause(nsec3chain->dbiterator);
-
-			result = dns_nsec3_addnsec3s(db, version,
-						     dns_db_origin(db),
-						     zone->minimum, ISC_FALSE,
-						     &nsec3_diff);
-			if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_nsec3chain:"
-					     "dns_nsec3_addnsec3s -> %s",
-					     dns_result_totext(result));
-				goto failure;
-			}
-		}
-	}
-
-	if (nsec3chain != NULL)
-		dns_dbiterator_pause(nsec3chain->dbiterator);
-
-	/*
-	 * Add / update signatures for the NSEC3 records.
-	 */
-	if (nsec3chain != NULL)
-		dns_dbiterator_pause(nsec3chain->dbiterator);
-	result = update_sigs(&nsec3_diff, db, version, zone_keys,
-			     nkeys, zone, inception, expire, now,
-			     check_ksk, keyset_kskonly, &zonediff);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-			     "update_sigs -> %s", dns_result_totext(result));
-		goto failure;
-	}
-
-	/*
-	 * We have changed the NSEC3PARAM or private RRsets
-	 * above so we need to update the signatures.
-	 */
-	result = update_sigs(&param_diff, db, version, zone_keys,
-			     nkeys, zone, inception, expire, now,
-			     check_ksk, keyset_kskonly, &zonediff);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-			     "update_sigs -> %s", dns_result_totext(result));
-		goto failure;
-	}
-
-	if (updatensec) {
-		result = updatesecure(db, version, &zone->origin,
-				      zone->minimum, ISC_FALSE, &nsec_diff);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-				     "updatesecure -> %s",
-				     dns_result_totext(result));
-			goto failure;
-		}
-	}
-
-	result = update_sigs(&nsec_diff, db, version, zone_keys,
-			     nkeys, zone, inception, expire, now,
-			     check_ksk, keyset_kskonly, &zonediff);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-			     "update_sigs -> %s", dns_result_totext(result));
-		goto failure;
-	}
-
-	/*
-	 * If we made no effective changes to the zone then we can just
-	 * cleanup otherwise we need to increment the serial.
-	 */
-	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
-		/*
-		 * No need to call dns_db_closeversion() here as it is
-		 * called with commit = ISC_TRUE below.
-		 */
-		goto done;
-	}
-
-	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
-			  &zonediff, zone_keys, nkeys, now, ISC_FALSE);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-			     "del_sigs -> %s", dns_result_totext(result));
-		goto failure;
-	}
-
-	result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
-				   zone->updatemethod);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-			     "update_soa_serial -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
-			  zonediff.diff, zone_keys, nkeys, zone->mctx,
-			  inception, soaexpire, check_ksk, keyset_kskonly);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-			     "add_sigs -> %s", dns_result_totext(result));
-		goto failure;
-	}
-
-	/* Write changes to journal file. */
-	CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_nsec3chain"));
-
-	LOCK_ZONE(zone);
-	zone_needdump(zone, DNS_DUMP_DELAY);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-	UNLOCK_ZONE(zone);
-
- done:
-	/*
-	 * Pause all iterators so that dns_db_closeversion() can succeed.
-	 */
-	LOCK_ZONE(zone);
-	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
-	     nsec3chain != NULL;
-	     nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
-		dns_dbiterator_pause(nsec3chain->dbiterator);
-	UNLOCK_ZONE(zone);
-
-	/*
-	 * Everything has succeeded. Commit the changes.
-	 * Unconditionally commit as zonediff.offline not checked above.
-	 */
-	dns_db_closeversion(db, &version, ISC_TRUE);
-
-	/*
-	 * Everything succeeded so we can clean these up now.
-	 */
-	nsec3chain = ISC_LIST_HEAD(cleanup);
-	while (nsec3chain != NULL) {
-		ISC_LIST_UNLINK(cleanup, nsec3chain, link);
-		dns_db_detach(&nsec3chain->db);
-		dns_dbiterator_destroy(&nsec3chain->dbiterator);
-		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
-		nsec3chain = ISC_LIST_HEAD(cleanup);
-	}
-
-	set_resigntime(zone);
-
- failure:
-	if (result != ISC_R_SUCCESS)
-		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
-			     dns_result_totext(result));
-	/*
-	 * On error roll back the current nsec3chain.
-	 */
-	if (result != ISC_R_SUCCESS && nsec3chain != NULL) {
-		if (nsec3chain->done) {
-			dns_db_detach(&nsec3chain->db);
-			dns_dbiterator_destroy(&nsec3chain->dbiterator);
-			isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
-		} else {
-			result = dns_dbiterator_first(nsec3chain->dbiterator);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			dns_dbiterator_pause(nsec3chain->dbiterator);
-			nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
-		}
-	}
-
-	/*
-	 * Rollback the cleanup list.
-	 */
-	nsec3chain = ISC_LIST_TAIL(cleanup);
-	while (nsec3chain != NULL) {
-		ISC_LIST_UNLINK(cleanup, nsec3chain, link);
-		if (nsec3chain->done) {
-			dns_db_detach(&nsec3chain->db);
-			dns_dbiterator_destroy(&nsec3chain->dbiterator);
-			isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
-		} else {
-			LOCK_ZONE(zone);
-			ISC_LIST_PREPEND(zone->nsec3chain, nsec3chain, link);
-			UNLOCK_ZONE(zone);
-			result = dns_dbiterator_first(nsec3chain->dbiterator);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			dns_dbiterator_pause(nsec3chain->dbiterator);
-			nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
-		}
-		nsec3chain = ISC_LIST_TAIL(cleanup);
-	}
-
-	LOCK_ZONE(zone);
-	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
-	     nsec3chain != NULL;
-	     nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
-		dns_dbiterator_pause(nsec3chain->dbiterator);
-	UNLOCK_ZONE(zone);
-
-	dns_diff_clear(&param_diff);
-	dns_diff_clear(&nsec3_diff);
-	dns_diff_clear(&nsec_diff);
-	dns_diff_clear(&_sig_diff);
-
-	if (iterator != NULL)
-		dns_rdatasetiter_destroy(&iterator);
-
-	for (i = 0; i < nkeys; i++)
-		dst_key_free(&zone_keys[i]);
-
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (version != NULL) {
-		dns_db_closeversion(db, &version, ISC_FALSE);
-		dns_db_detach(&db);
-	} else if (db != NULL)
-		dns_db_detach(&db);
-
-	LOCK_ZONE(zone);
-	if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) {
-		isc_interval_t i;
-		if (zone->update_disabled || result != ISC_R_SUCCESS)
-			isc_interval_set(&i, 60, 0);		/* 1 minute */
-		else
-			isc_interval_set(&i, 0, 10000000);	/* 10 ms */
-		isc_time_nowplusinterval(&zone->nsec3chaintime, &i);
-	} else
-		isc_time_settoepoch(&zone->nsec3chaintime);
-	UNLOCK_ZONE(zone);
-}
-
-static isc_result_t
-del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-	dns_dbnode_t *node, unsigned int nkeys, dns_secalg_t algorithm,
-	isc_uint16_t keyid, dns_diff_t *diff)
-{
-	dns_rdata_rrsig_t rrsig;
-	dns_rdataset_t rdataset;
-	dns_rdatasetiter_t *iterator = NULL;
-	isc_result_t result;
-
-	result = dns_db_allrdatasets(db, node, version, 0, &iterator);
-	if (result != ISC_R_SUCCESS) {
-		if (result == ISC_R_NOTFOUND)
-			result = ISC_R_SUCCESS;
-		return (result);
-	}
-
-	dns_rdataset_init(&rdataset);
-	for (result = dns_rdatasetiter_first(iterator);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(iterator)) {
-		dns_rdatasetiter_current(iterator, &rdataset);
-		if (nkeys == 0 && rdataset.type == dns_rdatatype_nsec) {
-			for (result = dns_rdataset_first(&rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(&rdataset)) {
-				dns_rdata_t rdata = DNS_RDATA_INIT;
-				dns_rdataset_current(&rdataset, &rdata);
-				CHECK(update_one_rr(db, version, diff,
-						    DNS_DIFFOP_DEL, name,
-						    rdataset.ttl, &rdata));
-			}
-			if (result != ISC_R_NOMORE)
-				goto failure;
-			dns_rdataset_disassociate(&rdataset);
-			continue;
-		}
-		if (rdataset.type != dns_rdatatype_rrsig) {
-			dns_rdataset_disassociate(&rdataset);
-			continue;
-		}
-		for (result = dns_rdataset_first(&rdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset)) {
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-			dns_rdataset_current(&rdataset, &rdata);
-			CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL));
-			if (rrsig.algorithm != algorithm ||
-			    rrsig.keyid != keyid)
-				continue;
-			CHECK(update_one_rr(db, version, diff,
-					    DNS_DIFFOP_DELRESIGN, name,
-					    rdataset.ttl, &rdata));
-		}
-		dns_rdataset_disassociate(&rdataset);
-		if (result != ISC_R_NOMORE)
-			break;
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	dns_rdatasetiter_destroy(&iterator);
-	return (result);
-}
-
-/*
- * Incrementally sign the zone using the keys requested.
- * Builds the NSEC chain if required.
- */
-static void
-zone_sign(dns_zone_t *zone) {
-	const char *me = "zone_sign";
-	dns_db_t *db = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_diff_t _sig_diff;
-	dns_diff_t post_diff;
-	zonediff_t zonediff;
-	dns_fixedname_t fixed;
-	dns_fixedname_t nextfixed;
-	dns_name_t *name, *nextname;
-	dns_rdataset_t rdataset;
-	dns_signing_t *signing, *nextsigning;
-	dns_signinglist_t cleanup;
-	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
-	isc_int32_t signatures;
-	isc_boolean_t check_ksk, keyset_kskonly, is_ksk;
-	isc_boolean_t commit = ISC_FALSE;
-	isc_boolean_t delegation;
-	isc_boolean_t build_nsec = ISC_FALSE;
-	isc_boolean_t build_nsec3 = ISC_FALSE;
-	isc_boolean_t first;
-	isc_result_t result;
-	isc_stdtime_t now, inception, soaexpire, expire;
-	isc_uint32_t jitter;
-	unsigned int i, j;
-	unsigned int nkeys = 0;
-	isc_uint32_t nodes;
-
-	ENTER;
-
-	dns_rdataset_init(&rdataset);
-	dns_fixedname_init(&fixed);
-	name = dns_fixedname_name(&fixed);
-	dns_fixedname_init(&nextfixed);
-	nextname = dns_fixedname_name(&nextfixed);
-	dns_diff_init(zone->mctx, &_sig_diff);
-	_sig_diff.resign = zone->sigresigninginterval;
-	dns_diff_init(zone->mctx, &post_diff);
-	zonediff_init(&zonediff, &_sig_diff);
-	ISC_LIST_INIT(cleanup);
-
-	/*
-	 * Updates are disabled.  Pause for 5 minutes.
-	 */
-	if (zone->update_disabled) {
-		result = ISC_R_FAILURE;
-		goto failure;
-	}
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	dns_db_attach(zone->db, &db);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-
-	result = dns_db_newversion(db, &version);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_sign:dns_db_newversion -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	result = find_zone_keys(zone, db, version, zone->mctx,
-				DNS_MAXZONEKEYS, zone_keys, &nkeys);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_sign:find_zone_keys -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	isc_stdtime_get(&now);
-	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
-
-	/*
-	 * Spread out signatures over time if they happen to be
-	 * clumped.  We don't do this for each add_sigs() call as
-	 * we still want some clustering to occur.
-	 */
-	isc_random_get(&jitter);
-	expire = soaexpire - jitter % 3600;
-
-	/*
-	 * We keep pulling nodes off each iterator in turn until
-	 * we have no more nodes to pull off or we reach the limits
-	 * for this quantum.
-	 */
-	nodes = zone->nodes;
-	signatures = zone->signatures;
-	signing = ISC_LIST_HEAD(zone->signing);
-	first = ISC_TRUE;
-
-	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
-
-	/* Determine which type of chain to build */
-	CHECK(dns_private_chains(db, version, zone->privatetype,
-				 &build_nsec, &build_nsec3));
-
-	/* If neither chain is found, default to NSEC */
-	if (!build_nsec && !build_nsec3)
-		build_nsec = ISC_TRUE;
-
-	while (signing != NULL && nodes-- > 0 && signatures > 0) {
-		nextsigning = ISC_LIST_NEXT(signing, link);
-
-		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-		if (signing->done || signing->db != zone->db) {
-			/*
-			 * The zone has been reloaded.	We will have
-			 * created new signings as part of the reload
-			 * process so we can destroy this one.
-			 */
-			ISC_LIST_UNLINK(zone->signing, signing, link);
-			ISC_LIST_APPEND(cleanup, signing, link);
-			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-			goto next_signing;
-		}
-		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-
-		if (signing->db != db)
-			goto next_signing;
-
-		delegation = ISC_FALSE;
-
-		if (first && signing->delete) {
-			/*
-			 * Remove the key we are deleting from consideration.
-			 */
-			for (i = 0, j = 0; i < nkeys; i++) {
-				/*
-				 * Find the key we want to remove.
-				 */
-				if (ALG(zone_keys[i]) == signing->algorithm &&
-				    dst_key_id(zone_keys[i]) == signing->keyid)
-				{
-					if (KSK(zone_keys[i]))
-						dst_key_free(&zone_keys[i]);
-					continue;
-				}
-				zone_keys[j] = zone_keys[i];
-				j++;
-			}
-			nkeys = j;
-		}
-
-		dns_dbiterator_current(signing->dbiterator, &node, name);
-
-		if (signing->delete) {
-			dns_dbiterator_pause(signing->dbiterator);
-			CHECK(del_sig(db, version, name, node, nkeys,
-				      signing->algorithm, signing->keyid,
-				      zonediff.diff));
-		}
-
-		/*
-		 * On the first pass we need to check if the current node
-		 * has not been obscured.
-		 */
-		if (first) {
-			dns_fixedname_t ffound;
-			dns_name_t *found;
-			dns_fixedname_init(&ffound);
-			found = dns_fixedname_name(&ffound);
-			result = dns_db_find(db, name, version,
-					     dns_rdatatype_soa,
-					     DNS_DBFIND_NOWILD, 0, NULL, found,
-					     NULL, NULL);
-			if ((result == DNS_R_DELEGATION ||
-			    result == DNS_R_DNAME) &&
-			    !dns_name_equal(name, found)) {
-				/*
-				 * Remember the obscuring name so that
-				 * we skip all obscured names.
-				 */
-				dns_name_copy(found, name, NULL);
-				delegation = ISC_TRUE;
-				goto next_node;
-			}
-		}
-
-		/*
-		 * Process one node.
-		 */
-		dns_dbiterator_pause(signing->dbiterator);
-		for (i = 0; i < nkeys; i++) {
-			isc_boolean_t both = ISC_FALSE;
-
-			/*
-			 * Find the keys we want to sign with.
-			 */
-			if (!dst_key_isprivate(zone_keys[i]))
-				continue;
-
-			/*
-			 * When adding look for the specific key.
-			 */
-			if (!signing->delete &&
-			    (dst_key_alg(zone_keys[i]) != signing->algorithm ||
-			     dst_key_id(zone_keys[i]) != signing->keyid))
-				continue;
-
-			/*
-			 * When deleting make sure we are properly signed
-			 * with the algorithm that was being removed.
-			 */
-			if (signing->delete &&
-			    ALG(zone_keys[i]) != signing->algorithm)
-				continue;
-
-			/*
-			 * Do we do KSK processing?
-			 */
-			if (check_ksk && !REVOKE(zone_keys[i])) {
-				isc_boolean_t have_ksk, have_nonksk;
-				if (KSK(zone_keys[i])) {
-					have_ksk = ISC_TRUE;
-					have_nonksk = ISC_FALSE;
-				} else {
-					have_ksk = ISC_FALSE;
-					have_nonksk = ISC_TRUE;
-				}
-				for (j = 0; j < nkeys; j++) {
-					if (j == i ||
-					    ALG(zone_keys[i]) !=
-					    ALG(zone_keys[j]))
-						continue;
-					if (REVOKE(zone_keys[j]))
-						continue;
-					if (KSK(zone_keys[j]))
-						have_ksk = ISC_TRUE;
-					else
-						have_nonksk = ISC_TRUE;
-					both = have_ksk && have_nonksk;
-					if (both)
-						break;
-				}
-			}
-			if (both || REVOKE(zone_keys[i]))
-				is_ksk = KSK(zone_keys[i]);
-			else
-				is_ksk = ISC_FALSE;
-
-			CHECK(sign_a_node(db, name, node, version, build_nsec3,
-					  build_nsec, zone_keys[i], inception,
-					  expire, zone->minimum, is_ksk,
-					  ISC_TF(both && keyset_kskonly),
-					  &delegation, zonediff.diff,
-					  &signatures, zone->mctx));
-			/*
-			 * If we are adding we are done.  Look for other keys
-			 * of the same algorithm if deleting.
-			 */
-			if (!signing->delete)
-				break;
-		}
-
-		/*
-		 * Go onto next node.
-		 */
- next_node:
-		first = ISC_FALSE;
-		dns_db_detachnode(db, &node);
-		do {
-			result = dns_dbiterator_next(signing->dbiterator);
-			if (result == ISC_R_NOMORE) {
-				ISC_LIST_UNLINK(zone->signing, signing, link);
-				ISC_LIST_APPEND(cleanup, signing, link);
-				dns_dbiterator_pause(signing->dbiterator);
-				if (nkeys != 0 && build_nsec) {
-					/*
-					 * We have finished regenerating the
-					 * zone with a zone signing key.
-					 * The NSEC chain is now complete and
-					 * there is a full set of signatures
-					 * for the zone.  We can now clear the
-					 * OPT bit from the NSEC record.
-					 */
-					result = updatesecure(db, version,
-							      &zone->origin,
-							      zone->minimum,
-							      ISC_FALSE,
-							      &post_diff);
-					if (result != ISC_R_SUCCESS) {
-						dns_zone_log(zone,
-							     ISC_LOG_ERROR,
-						    "updatesecure -> %s",
-						    dns_result_totext(result));
-						goto failure;
-					}
-				}
-				result = updatesignwithkey(zone, signing,
-							   version,
-							   build_nsec3,
-							   zone->minimum,
-							   &post_diff);
-				if (result != ISC_R_SUCCESS) {
-					dns_zone_log(zone, ISC_LOG_ERROR,
-						     "updatesignwithkey -> %s",
-						     dns_result_totext(result));
-					goto failure;
-				}
-				build_nsec = ISC_FALSE;
-				goto next_signing;
-			} else if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					"zone_sign:dns_dbiterator_next -> %s",
-					     dns_result_totext(result));
-				goto failure;
-			} else if (delegation) {
-				dns_dbiterator_current(signing->dbiterator,
-						       &node, nextname);
-				dns_db_detachnode(db, &node);
-				if (!dns_name_issubdomain(nextname, name))
-					break;
-			} else
-				break;
-		} while (1);
-		continue;
-
- next_signing:
-		dns_dbiterator_pause(signing->dbiterator);
-		signing = nextsigning;
-		first = ISC_TRUE;
-	}
-
-	if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
-		result = update_sigs(&post_diff, db, version, zone_keys,
-				     nkeys, zone, inception, expire, now,
-				     check_ksk, keyset_kskonly, &zonediff);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:"
-				     "update_sigs -> %s",
-				     dns_result_totext(result));
-			goto failure;
-		}
-	}
-
-	/*
-	 * Have we changed anything?
-	 */
-	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
-		if (zonediff.offline)
-			commit = ISC_TRUE;
-		result = ISC_R_SUCCESS;
-		goto pauseall;
-	}
-
-	commit = ISC_TRUE;
-
-	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
-			  &zonediff, zone_keys, nkeys, now, ISC_FALSE);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_sign:del_sigs -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
-				   zone->updatemethod);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_sign:update_soa_serial -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	/*
-	 * Generate maximum life time signatures so that the above loop
-	 * termination is sensible.
-	 */
-	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
-			  zonediff.diff, zone_keys, nkeys, zone->mctx,
-			  inception, soaexpire, check_ksk, keyset_kskonly);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_sign:add_sigs -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	/*
-	 * Write changes to journal file.
-	 */
-	CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_sign"));
-
- pauseall:
-	/*
-	 * Pause all iterators so that dns_db_closeversion() can succeed.
-	 */
-	for (signing = ISC_LIST_HEAD(zone->signing);
-	     signing != NULL;
-	     signing = ISC_LIST_NEXT(signing, link))
-		dns_dbiterator_pause(signing->dbiterator);
-
-	for (signing = ISC_LIST_HEAD(cleanup);
-	     signing != NULL;
-	     signing = ISC_LIST_NEXT(signing, link))
-		dns_dbiterator_pause(signing->dbiterator);
-
-	/*
-	 * Everything has succeeded. Commit the changes.
-	 */
-	dns_db_closeversion(db, &version, commit);
-
-	/*
-	 * Everything succeeded so we can clean these up now.
-	 */
-	signing = ISC_LIST_HEAD(cleanup);
-	while (signing != NULL) {
-		ISC_LIST_UNLINK(cleanup, signing, link);
-		dns_db_detach(&signing->db);
-		dns_dbiterator_destroy(&signing->dbiterator);
-		isc_mem_put(zone->mctx, signing, sizeof *signing);
-		signing = ISC_LIST_HEAD(cleanup);
-	}
-
-	set_resigntime(zone);
-
-	if (commit) {
-		LOCK_ZONE(zone);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-		zone_needdump(zone, DNS_DUMP_DELAY);
-		UNLOCK_ZONE(zone);
-	}
-
- failure:
-	/*
-	 * Rollback the cleanup list.
-	 */
-	signing = ISC_LIST_HEAD(cleanup);
-	while (signing != NULL) {
-		ISC_LIST_UNLINK(cleanup, signing, link);
-		ISC_LIST_PREPEND(zone->signing, signing, link);
-		dns_dbiterator_first(signing->dbiterator);
-		dns_dbiterator_pause(signing->dbiterator);
-		signing = ISC_LIST_HEAD(cleanup);
-	}
-
-	for (signing = ISC_LIST_HEAD(zone->signing);
-	     signing != NULL;
-	     signing = ISC_LIST_NEXT(signing, link))
-		dns_dbiterator_pause(signing->dbiterator);
-
-	dns_diff_clear(&_sig_diff);
-
-	for (i = 0; i < nkeys; i++)
-		dst_key_free(&zone_keys[i]);
-
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-
-	if (version != NULL) {
-		dns_db_closeversion(db, &version, ISC_FALSE);
-		dns_db_detach(&db);
-	} else if (db != NULL)
-		dns_db_detach(&db);
-
-	if (ISC_LIST_HEAD(zone->signing) != NULL) {
-		isc_interval_t i;
-		if (zone->update_disabled || result != ISC_R_SUCCESS)
-			isc_interval_set(&i, 60, 0);		/* 1 minute */
-		else
-			isc_interval_set(&i, 0, 10000000);	/* 10 ms */
-		isc_time_nowplusinterval(&zone->signingtime, &i);
-	} else
-		isc_time_settoepoch(&zone->signingtime);
-}
-
-static void
-normalize_key(dns_rdata_t *rr, dns_rdata_t *target,
-	      unsigned char *data, int size) {
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_keydata_t keydata;
-	isc_buffer_t buf;
-	isc_result_t result;
-
-	dns_rdata_reset(target);
-	isc_buffer_init(&buf, data, size);
-
-	switch (rr->type) {
-	    case dns_rdatatype_dnskey:
-		result = dns_rdata_tostruct(rr, &dnskey, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		dnskey.flags &= ~DNS_KEYFLAG_REVOKE;
-		dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
-				     &dnskey, &buf);
-		break;
-	    case dns_rdatatype_keydata:
-		result = dns_rdata_tostruct(rr, &keydata, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		dns_keydata_todnskey(&keydata, &dnskey, NULL);
-		dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
-				     &dnskey, &buf);
-		break;
-	    default:
-		INSIST(0);
-	}
-}
-
-/*
- * 'rdset' contains either a DNSKEY rdataset from the zone apex, or
- * a KEYDATA rdataset from the key zone.
- *
- * 'rr' contains either a DNSKEY record, or a KEYDATA record
- *
- * After normalizing keys to the same format (DNSKEY, with revoke bit
- * cleared), return ISC_TRUE if a key that matches 'rr' is found in
- * 'rdset', or ISC_FALSE if not.
- */
-
-static isc_boolean_t
-matchkey(dns_rdataset_t *rdset, dns_rdata_t *rr) {
-	unsigned char data1[4096], data2[4096];
-	dns_rdata_t rdata, rdata1, rdata2;
-	isc_result_t result;
-
-	dns_rdata_init(&rdata);
-	dns_rdata_init(&rdata1);
-	dns_rdata_init(&rdata2);
-
-	normalize_key(rr, &rdata1, data1, sizeof(data1));
-
-	for (result = dns_rdataset_first(rdset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdset)) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(rdset, &rdata);
-		normalize_key(&rdata, &rdata2, data2, sizeof(data2));
-		if (dns_rdata_compare(&rdata1, &rdata2) == 0)
-			return (ISC_TRUE);
-	}
-
-	return (ISC_FALSE);
-}
-
-/*
- * Calculate the refresh interval for a keydata zone, per
- * RFC5011: MAX(1 hr,
- *		MIN(15 days,
- *		    1/2 * OrigTTL,
- *		    1/2 * RRSigExpirationInterval))
- * or for retries: MAX(1 hr,
- *		       MIN(1 day,
- *			   1/10 * OrigTTL,
- *			   1/10 * RRSigExpirationInterval))
- */
-static inline isc_stdtime_t
-refresh_time(dns_keyfetch_t *kfetch, isc_boolean_t retry) {
-	isc_result_t result;
-	isc_uint32_t t;
-	dns_rdataset_t *rdset;
-	dns_rdata_t sigrr = DNS_RDATA_INIT;
-	dns_rdata_sig_t sig;
-	isc_stdtime_t now;
-
-	isc_stdtime_get(&now);
-
-	if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
-		rdset = &kfetch->dnskeysigset;
-	else
-		return (now + HOUR);
-
-	result = dns_rdataset_first(rdset);
-	if (result != ISC_R_SUCCESS)
-		return (now + HOUR);
-
-	dns_rdataset_current(rdset, &sigrr);
-	result = dns_rdata_tostruct(&sigrr, &sig, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	if (!retry) {
-		t = sig.originalttl / 2;
-
-		if (isc_serial_gt(sig.timeexpire, now)) {
-			isc_uint32_t exp = (sig.timeexpire - now) / 2;
-			if (t > exp)
-				t = exp;
-		}
-
-		if (t > (15*DAY))
-			t = (15*DAY);
-
-		if (t < HOUR)
-			t = HOUR;
-	} else {
-		t = sig.originalttl / 10;
-
-		if (isc_serial_gt(sig.timeexpire, now)) {
-			isc_uint32_t exp = (sig.timeexpire - now) / 10;
-			if (t > exp)
-				t = exp;
-		}
-
-		if (t > DAY)
-			t = DAY;
-
-		if (t < HOUR)
-			t = HOUR;
-	}
-
-	return (now + t);
-}
-
-/*
- * This routine is called when no changes are needed in a KEYDATA
- * record except to simply update the refresh timer.  Caller should
- * hold zone lock.
- */
-static isc_result_t
-minimal_update(dns_keyfetch_t *kfetch, dns_dbversion_t *ver, dns_diff_t *diff)
-{
-	isc_result_t result;
-	isc_buffer_t keyb;
-	unsigned char key_buf[4096];
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_keydata_t keydata;
-	dns_name_t *name;
-	dns_zone_t *zone = kfetch->zone;
-	isc_stdtime_t now;
-
-	name = dns_fixedname_name(&kfetch->name);
-	isc_stdtime_get(&now);
-
-	for (result = dns_rdataset_first(&kfetch->keydataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&kfetch->keydataset)) {
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(&kfetch->keydataset, &rdata);
-
-		/* Delete old version */
-		CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_DEL,
-				    name, 0, &rdata));
-
-		/* Update refresh timer */
-		CHECK(dns_rdata_tostruct(&rdata, &keydata, NULL));
-		keydata.refresh = refresh_time(kfetch, ISC_TRUE);
-		set_refreshkeytimer(zone, &keydata, now);
-
-		dns_rdata_reset(&rdata);
-		isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
-		CHECK(dns_rdata_fromstruct(&rdata,
-					   zone->rdclass, dns_rdatatype_keydata,
-					   &keydata, &keyb));
-
-		/* Insert updated version */
-		CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_ADD,
-				    name, 0, &rdata));
-	}
-	result = ISC_R_SUCCESS;
-  failure:
-	return (result);
-}
-
-/*
- * Verify that DNSKEY set is signed by the key specified in 'keydata'.
- */
-static isc_boolean_t
-revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) {
-	isc_result_t result;
-	dns_name_t *keyname;
-	isc_mem_t *mctx;
-	dns_rdata_t sigrr = DNS_RDATA_INIT;
-	dns_rdata_t rr = DNS_RDATA_INIT;
-	dns_rdata_rrsig_t sig;
-	dns_rdata_dnskey_t dnskey;
-	dst_key_t *dstkey = NULL;
-	unsigned char key_buf[4096];
-	isc_buffer_t keyb;
-	isc_boolean_t answer = ISC_FALSE;
-
-	REQUIRE(kfetch != NULL && keydata != NULL);
-	REQUIRE(dns_rdataset_isassociated(&kfetch->dnskeysigset));
-
-	keyname = dns_fixedname_name(&kfetch->name);
-	mctx = kfetch->zone->view->mctx;
-
-	/* Generate a key from keydata */
-	isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
-	dns_keydata_todnskey(keydata, &dnskey, NULL);
-	dns_rdata_fromstruct(&rr, keydata->common.rdclass, dns_rdatatype_dnskey,
-				     &dnskey, &keyb);
-	result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-
-	/* See if that key generated any of the signatures */
-	for (result = dns_rdataset_first(&kfetch->dnskeysigset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&kfetch->dnskeysigset)) {
-		dns_fixedname_t fixed;
-		dns_fixedname_init(&fixed);
-
-		dns_rdata_reset(&sigrr);
-		dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
-		result = dns_rdata_tostruct(&sigrr, &sig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		if (dst_key_alg(dstkey) == sig.algorithm &&
-		    (dst_key_id(dstkey) == sig.keyid ||
-		     dst_key_rid(dstkey) == sig.keyid)) {
-			result = dns_dnssec_verify2(keyname,
-					    &kfetch->dnskeyset,
-					    dstkey, ISC_FALSE, mctx, &sigrr,
-					    dns_fixedname_name(&fixed));
-
-			dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3),
-				     "Confirm revoked DNSKEY is self-signed: "
-				     "%s", dns_result_totext(result));
-
-			if (result == ISC_R_SUCCESS) {
-				answer = ISC_TRUE;
-				break;
-			}
-		}
-	}
-
-	dst_key_free(&dstkey);
-	return (answer);
-}
-
-/*
- * A DNSKEY set has been fetched from the zone apex of a zone whose trust
- * anchors are being managed; scan the keyset, and update the key zone and the
- * local trust anchors according to RFC5011.
- */
-static void
-keyfetch_done(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result, eresult;
-	dns_fetchevent_t *devent;
-	dns_keyfetch_t *kfetch;
-	dns_zone_t *zone;
-	isc_mem_t *mctx = NULL;
-	dns_keytable_t *secroots = NULL;
-	dns_dbversion_t *ver = NULL;
-	dns_diff_t diff;
-	isc_boolean_t alldone = ISC_FALSE;
-	isc_boolean_t commit = ISC_FALSE;
-	dns_name_t *keyname;
-	dns_rdata_t sigrr = DNS_RDATA_INIT;
-	dns_rdata_t dnskeyrr = DNS_RDATA_INIT;
-	dns_rdata_t keydatarr = DNS_RDATA_INIT;
-	dns_rdata_rrsig_t sig;
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_keydata_t keydata;
-	isc_boolean_t initializing;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	unsigned char key_buf[4096];
-	isc_buffer_t keyb;
-	dst_key_t *dstkey;
-	isc_stdtime_t now;
-	int pending = 0;
-	isc_boolean_t secure;
-	isc_boolean_t free_needed;
-
-	UNUSED(task);
-	INSIST(event != NULL && event->ev_type == DNS_EVENT_FETCHDONE);
-	INSIST(event->ev_arg != NULL);
-
-	kfetch = event->ev_arg;
-	zone = kfetch->zone;
-	isc_mem_attach(zone->mctx, &mctx);
-	keyname = dns_fixedname_name(&kfetch->name);
-
-	devent = (dns_fetchevent_t *) event;
-	eresult = devent->result;
-
-	/* Free resources which are not of interest */
-	if (devent->node != NULL)
-		dns_db_detachnode(devent->db, &devent->node);
-	if (devent->db != NULL)
-		dns_db_detach(&devent->db);
-	isc_event_free(&event);
-	dns_resolver_destroyfetch(&kfetch->fetch);
-
-	LOCK_ZONE(zone);
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL)
-		goto cleanup;
-
-	isc_stdtime_get(&now);
-	dns_name_format(keyname, namebuf, sizeof(namebuf));
-
-	result = dns_view_getsecroots(zone->view, &secroots);
-	INSIST(result == ISC_R_SUCCESS);
-
-	dns_diff_init(mctx, &diff);
-	diff.resign = zone->sigresigninginterval;
-
-	CHECK(dns_db_newversion(kfetch->db, &ver));
-
-	zone->refreshkeycount--;
-	alldone = ISC_TF(zone->refreshkeycount == 0);
-
-	if (alldone)
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
-
-	/* Fetch failed */
-	if (eresult != ISC_R_SUCCESS ||
-	    !dns_rdataset_isassociated(&kfetch->dnskeyset)) {
-		dns_zone_log(zone, ISC_LOG_WARNING,
-			     "Unable to fetch DNSKEY set "
-			     "'%s': %s", namebuf, dns_result_totext(eresult));
-		CHECK(minimal_update(kfetch, ver, &diff));
-		goto done;
-	}
-
-	/* No RRSIGs found */
-	if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
-		dns_zone_log(zone, ISC_LOG_WARNING,
-			     "No DNSKEY RRSIGs found for "
-			     "'%s': %s", namebuf, dns_result_totext(eresult));
-		CHECK(minimal_update(kfetch, ver, &diff));
-		goto done;
-	}
-
-	/*
-	 * Validate the dnskeyset against the current trusted keys.
-	 */
-	for (result = dns_rdataset_first(&kfetch->dnskeysigset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&kfetch->dnskeysigset)) {
-		dns_keynode_t *keynode = NULL;
-
-		dns_rdata_reset(&sigrr);
-		dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
-		result = dns_rdata_tostruct(&sigrr, &sig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		result = dns_keytable_find(secroots, keyname, &keynode);
-		while (result == ISC_R_SUCCESS) {
-			dns_keynode_t *nextnode = NULL;
-			dns_fixedname_t fixed;
-			dns_fixedname_init(&fixed);
-
-			dstkey = dns_keynode_key(keynode);
-			if (dstkey == NULL) /* fail_secure() was called */
-				break;
-
-			if (dst_key_alg(dstkey) == sig.algorithm &&
-			    dst_key_id(dstkey) == sig.keyid) {
-				result = dns_dnssec_verify2(keyname,
-						    &kfetch->dnskeyset,
-						    dstkey, ISC_FALSE,
-						    zone->view->mctx, &sigrr,
-						    dns_fixedname_name(&fixed));
-
-				dns_zone_log(zone, ISC_LOG_DEBUG(3),
-					     "Verifying DNSKEY set for zone "
-					     "'%s': %s", namebuf,
-					     dns_result_totext(result));
-
-				if (result == ISC_R_SUCCESS) {
-					kfetch->dnskeyset.trust =
-						dns_trust_secure;
-					kfetch->dnskeysigset.trust =
-						dns_trust_secure;
-					dns_keytable_detachkeynode(secroots,
-								   &keynode);
-					break;
-				}
-			}
-
-			result = dns_keytable_nextkeynode(secroots,
-							  keynode, &nextnode);
-			dns_keytable_detachkeynode(secroots, &keynode);
-			keynode = nextnode;
-		}
-
-		if (kfetch->dnskeyset.trust == dns_trust_secure)
-			break;
-	}
-
-	/*
-	 * If we were not able to verify the answer using the current
-	 * trusted keys then all we can do is look at any revoked keys.
-	 */
-	secure = ISC_TF(kfetch->dnskeyset.trust == dns_trust_secure);
-
-	/*
-	 * First scan keydataset to find keys that are not in dnskeyset
-	 *   - Missing keys which are not scheduled for removal,
-	 *     log a warning
-	 *   - Missing keys which are scheduled for removal and
-	 *     the remove hold-down timer has completed should
-	 *     be removed from the key zone
-	 *   - Missing keys whose acceptance timers have not yet
-	 *     completed, log a warning and reset the acceptance
-	 *     timer to 30 days in the future
-	 *   - All keys not being removed have their refresh timers
-	 *     updated
-	 */
-	initializing = ISC_TRUE;
-	for (result = dns_rdataset_first(&kfetch->keydataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&kfetch->keydataset)) {
-		dns_rdata_reset(&keydatarr);
-		dns_rdataset_current(&kfetch->keydataset, &keydatarr);
-		result = dns_rdata_tostruct(&keydatarr, &keydata, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		/*
-		 * If any keydata record has a nonzero add holddown, then
-		 * there was a pre-existing trust anchor for this domain;
-		 * that means we are *not* initializing it and shouldn't
-		 * automatically trust all the keys we find at the zone apex.
-		 */
-		initializing = initializing && ISC_TF(keydata.addhd == 0);
-
-		if (! matchkey(&kfetch->dnskeyset, &keydatarr)) {
-			isc_boolean_t deletekey = ISC_FALSE;
-
-			if (!secure) {
-				if (now > keydata.removehd)
-					deletekey = ISC_TRUE;
-			} else if (now < keydata.addhd) {
-				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "Pending key unexpectedly missing "
-					     "from %s; restarting acceptance "
-					     "timer", namebuf);
-				keydata.addhd = now + MONTH;
-				keydata.refresh = refresh_time(kfetch,
-							       ISC_FALSE);
-			} else if (keydata.addhd == 0) {
-				keydata.addhd = now;
-			} else if (keydata.removehd == 0) {
-				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "Active key unexpectedly missing "
-					     "from %s", namebuf);
-				keydata.refresh = now + HOUR;
-			} else if (now > keydata.removehd) {
-				deletekey = ISC_TRUE;
-			} else {
-				keydata.refresh = refresh_time(kfetch,
-							       ISC_FALSE);
-			}
-
-			if  (secure || deletekey) {
-				/* Delete old version */
-				CHECK(update_one_rr(kfetch->db, ver, &diff,
-						    DNS_DIFFOP_DEL, keyname, 0,
-						    &keydatarr));
-			}
-
-			if (!secure || deletekey)
-				continue;
-
-			dns_rdata_reset(&keydatarr);
-			isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
-			dns_rdata_fromstruct(&keydatarr, zone->rdclass,
-					     dns_rdatatype_keydata,
-					     &keydata, &keyb);
-
-			/* Insert updated version */
-			CHECK(update_one_rr(kfetch->db, ver, &diff,
-					    DNS_DIFFOP_ADD, keyname, 0,
-					    &keydatarr));
-
-			set_refreshkeytimer(zone, &keydata, now);
-		}
-	}
-
-	/*
-	 * Next scan dnskeyset:
-	 *   - If new keys are found (i.e., lacking a match in keydataset)
-	 *     add them to the key zone and set the acceptance timer
-	 *     to 30 days in the future (or to immediately if we've
-	 *     determined that we're initializing the zone for the
-	 *     first time)
-	 *   - Previously-known keys that have been revoked
-	 *     must be scheduled for removal from the key zone (or,
-	 *     if they hadn't been accepted as trust anchors yet
-	 *     anyway, removed at once)
-	 *   - Previously-known unrevoked keys whose acceptance timers
-	 *     have completed are promoted to trust anchors
-	 *   - All keys not being removed have their refresh
-	 *     timers updated
-	 */
-	for (result = dns_rdataset_first(&kfetch->dnskeyset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&kfetch->dnskeyset)) {
-		isc_boolean_t revoked = ISC_FALSE;
-		isc_boolean_t newkey = ISC_FALSE;
-		isc_boolean_t updatekey = ISC_FALSE;
-		isc_boolean_t deletekey = ISC_FALSE;
-		isc_boolean_t trustkey = ISC_FALSE;
-
-		dns_rdata_reset(&dnskeyrr);
-		dns_rdataset_current(&kfetch->dnskeyset, &dnskeyrr);
-		result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		/* Skip ZSK's */
-		if (!ISC_TF(dnskey.flags & DNS_KEYFLAG_KSK))
-			continue;
-
-		revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);
-
-		if (matchkey(&kfetch->keydataset, &dnskeyrr)) {
-			dns_rdata_reset(&keydatarr);
-			dns_rdataset_current(&kfetch->keydataset, &keydatarr);
-			result = dns_rdata_tostruct(&keydatarr, &keydata, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-			if (revoked && revocable(kfetch, &keydata)) {
-				if (keydata.addhd > now) {
-					/*
-					 * Key wasn't trusted yet, and now
-					 * it's been revoked?  Just remove it
-					 */
-					deletekey = ISC_TRUE;
-				} else if (keydata.removehd == 0) {
-					/* Remove from secroots */
-					dns_view_untrust(zone->view, keyname,
-							 &dnskey, mctx);
-
-					/* If initializing, delete now */
-					if (keydata.addhd == 0)
-						deletekey = ISC_TRUE;
-					else
-						keydata.removehd = now + MONTH;
-				} else if (keydata.removehd < now) {
-					/* Scheduled for removal */
-					deletekey = ISC_TRUE;
-				}
-			} else if (revoked) {
-				if (secure && keydata.removehd == 0) {
-					dns_zone_log(zone, ISC_LOG_WARNING,
-						     "Active key for zone "
-						     "'%s' is revoked but "
-						     "did not self-sign; "
-							 "ignoring.", namebuf);
-						continue;
-				}
-			} else if (secure) {
-				if (keydata.removehd != 0) {
-					/*
-					 * Key isn't revoked--but it
-					 * seems it used to be.
-					 * Remove it now and add it
-					 * back as if it were a fresh key.
-					 */
-					deletekey = ISC_TRUE;
-					newkey = ISC_TRUE;
-				} else if (keydata.addhd > now)
-					pending++;
-				else if (keydata.addhd == 0)
-					keydata.addhd = now;
-
-				if (keydata.addhd <= now)
-					trustkey = ISC_TRUE;
-			}
-
-			if (!deletekey && !newkey)
-				updatekey = ISC_TRUE;
-		} else if (secure) {
-			/*
-			 * Key wasn't in the key zone but it's
-			 * revoked now anyway, so just skip it
-			 */
-			if (revoked)
-				continue;
-
-			/* Key wasn't in the key zone: add it */
-			newkey = ISC_TRUE;
-
-			if (initializing) {
-				dns_keytag_t tag = 0;
-				CHECK(compute_tag(keyname, &dnskey,
-						  mctx, &tag));
-				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "Initializing automatic trust "
-					     "anchor management for zone '%s'; "
-					     "DNSKEY ID %d is now trusted, "
-					     "waiving the normal 30-day "
-					     "waiting period.",
-					     namebuf, tag);
-				trustkey = ISC_TRUE;
-			}
-		}
-
-		/* Delete old version */
-		if (deletekey || !newkey)
-			CHECK(update_one_rr(kfetch->db, ver, &diff,
-					    DNS_DIFFOP_DEL, keyname, 0,
-					    &keydatarr));
-
-		if (updatekey) {
-			/* Set refresh timer */
-			keydata.refresh = refresh_time(kfetch, ISC_FALSE);
-			dns_rdata_reset(&keydatarr);
-			isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
-			dns_rdata_fromstruct(&keydatarr, zone->rdclass,
-					     dns_rdatatype_keydata,
-					     &keydata, &keyb);
-
-			/* Insert updated version */
-			CHECK(update_one_rr(kfetch->db, ver, &diff,
-					    DNS_DIFFOP_ADD, keyname, 0,
-					    &keydatarr));
-		} else if (newkey) {
-			/* Convert DNSKEY to KEYDATA */
-			result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			dns_keydata_fromdnskey(&keydata, &dnskey, 0, 0, 0,
-					       NULL);
-			keydata.addhd = initializing ? now : now + MONTH;
-			keydata.refresh = refresh_time(kfetch, ISC_FALSE);
-			dns_rdata_reset(&keydatarr);
-			isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
-			dns_rdata_fromstruct(&keydatarr, zone->rdclass,
-					     dns_rdatatype_keydata,
-					     &keydata, &keyb);
-
-			/* Insert into key zone */
-			CHECK(update_one_rr(kfetch->db, ver, &diff,
-					    DNS_DIFFOP_ADD, keyname, 0,
-					    &keydatarr));
-		}
-
-		if (trustkey) {
-			/* Trust this key. */
-			result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			trust_key(zone, keyname, &dnskey, mctx);
-		}
-
-		if (!deletekey)
-			set_refreshkeytimer(zone, &keydata, now);
-	}
-
-	/*
-	 * RFC5011 says, "A trust point that has all of its trust anchors
-	 * revoked is considered deleted and is treated as if the trust
-	 * point was never configured."  But if someone revoked their
-	 * active key before the standby was trusted, that would mean the
-	 * zone would suddenly be nonsecured.  We avoid this by checking to
-	 * see if there's pending keydata.  If so, we put a null key in
-	 * the security roots; then all queries to the zone will fail.
-	 */
-	if (pending != 0)
-		fail_secure(zone, keyname);
-
- done:
-
-	if (!ISC_LIST_EMPTY(diff.tuples)) {
-		/* Write changes to journal file. */
-		CHECK(update_soa_serial(kfetch->db, ver, &diff, mctx,
-					zone->updatemethod));
-		CHECK(zone_journal(zone, &diff, NULL, "keyfetch_done"));
-		commit = ISC_TRUE;
-
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
-		zone_needdump(zone, 30);
-	}
-
-  failure:
-
-	dns_diff_clear(&diff);
-	if (ver != NULL)
-		dns_db_closeversion(kfetch->db, &ver, commit);
-
- cleanup:
-	dns_db_detach(&kfetch->db);
-
-	INSIST(zone->irefs > 0);
-	zone->irefs--;
-	kfetch->zone = NULL;
-
-	if (dns_rdataset_isassociated(&kfetch->keydataset))
-		dns_rdataset_disassociate(&kfetch->keydataset);
-	if (dns_rdataset_isassociated(&kfetch->dnskeyset))
-		dns_rdataset_disassociate(&kfetch->dnskeyset);
-	if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
-		dns_rdataset_disassociate(&kfetch->dnskeysigset);
-
-	dns_name_free(keyname, mctx);
-	isc_mem_put(mctx, kfetch, sizeof(dns_keyfetch_t));
-	isc_mem_detach(&mctx);
-
-	if (secroots != NULL)
-		dns_keytable_detach(&secroots);
-
-	free_needed = exit_check(zone);
-	UNLOCK_ZONE(zone);
-	if (free_needed)
-		zone_free(zone);
-}
-
-/*
- * Refresh the data in the key zone.  Initiate a fetch to get new DNSKEY
- * records from the zone apex.
- */
-static void
-zone_refreshkeys(dns_zone_t *zone) {
-	const char me[] = "zone_refreshkeys";
-	isc_result_t result;
-	dns_rriterator_t rrit;
-	dns_db_t *db = NULL;
-	dns_dbversion_t *ver = NULL;
-	dns_diff_t diff;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_keydata_t kd;
-	isc_stdtime_t now;
-	isc_boolean_t commit = ISC_FALSE;
-	isc_boolean_t fetching = ISC_FALSE, fetch_err = ISC_FALSE;
-
-	ENTER;
-	REQUIRE(zone->db != NULL);
-
-	isc_stdtime_get(&now);
-
-	LOCK_ZONE(zone);
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
-		isc_time_settoepoch(&zone->refreshkeytime);
-		UNLOCK_ZONE(zone);
-		return;
-	}
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	dns_db_attach(zone->db, &db);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-
-	dns_diff_init(zone->mctx, &diff);
-
-	CHECK(dns_db_newversion(db, &ver));
-
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING);
-
-	dns_rriterator_init(&rrit, db, ver, 0);
-	for (result = dns_rriterator_first(&rrit);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rriterator_nextrrset(&rrit)) {
-		isc_stdtime_t timer = 0xffffffff;
-		dns_name_t *name = NULL, *kname = NULL;
-		dns_rdataset_t *kdset = NULL;
-		dns_keyfetch_t *kfetch;
-		isc_uint32_t ttl;
-
-		dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL);
-		if (kdset == NULL || kdset->type != dns_rdatatype_keydata ||
-		    !dns_rdataset_isassociated(kdset))
-			continue;
-
-		/*
-		 * Scan the stored keys looking for ones that need
-		 * removal or refreshing
-		 */
-		for (result = dns_rdataset_first(kdset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(kdset)) {
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(kdset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &kd, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-			/* Removal timer expired? */
-			if (kd.removehd != 0 && kd.removehd < now) {
-				CHECK(update_one_rr(db, ver, &diff,
-						    DNS_DIFFOP_DEL, name, ttl,
-						    &rdata));
-				continue;
-			}
-
-			/* Acceptance timer expired? */
-			if (kd.addhd != 0 && kd.addhd < now)
-				timer = kd.addhd;
-
-			/* Or do we just need to refresh the keyset? */
-			if (timer > kd.refresh)
-				timer = kd.refresh;
-		}
-
-		if (timer > now)
-			continue;
-
-		kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t));
-		if (kfetch == NULL) {
-			fetch_err = ISC_TRUE;
-			goto failure;
-		}
-
-		zone->refreshkeycount++;
-		kfetch->zone = zone;
-		zone->irefs++;
-		INSIST(zone->irefs != 0);
-		dns_fixedname_init(&kfetch->name);
-		kname = dns_fixedname_name(&kfetch->name);
-		dns_name_dup(name, zone->mctx, kname);
-		dns_rdataset_init(&kfetch->dnskeyset);
-		dns_rdataset_init(&kfetch->dnskeysigset);
-		dns_rdataset_init(&kfetch->keydataset);
-		dns_rdataset_clone(kdset, &kfetch->keydataset);
-		kfetch->db = NULL;
-		dns_db_attach(db, &kfetch->db);
-		kfetch->fetch = NULL;
-
-		result = dns_resolver_createfetch(zone->view->resolver,
-						  kname, dns_rdatatype_dnskey,
-						  NULL, NULL, NULL,
-						  DNS_FETCHOPT_NOVALIDATE,
-						  zone->task,
-						  keyfetch_done, kfetch,
-						  &kfetch->dnskeyset,
-						  &kfetch->dnskeysigset,
-						  &kfetch->fetch);
-		if (result == ISC_R_SUCCESS)
-			fetching = ISC_TRUE;
-		else {
-			zone->refreshkeycount--;
-			zone->irefs--;
-			dns_db_detach(&kfetch->db);
-			dns_rdataset_disassociate(&kfetch->keydataset);
-			dns_name_free(kname, zone->mctx);
-			isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
-			dns_zone_log(zone, ISC_LOG_WARNING,
-				     "Failed to create fetch for "
-				     "DNSKEY update");
-			fetch_err = ISC_TRUE;
-		}
-	}
-	if (!ISC_LIST_EMPTY(diff.tuples)) {
-		CHECK(update_soa_serial(db, ver, &diff, zone->mctx,
-					zone->updatemethod));
-		CHECK(zone_journal(zone, &diff, NULL, "zone_refreshkeys"));
-		commit = ISC_TRUE;
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
-		zone_needdump(zone, 30);
-	}
-
-  failure:
-	if (fetch_err) {
-		/*
-		 * Error during a key fetch; retry in an hour.
-		 */
-		isc_time_t timenow, timethen;
-		char timebuf[80];
-
-		TIME_NOW(&timenow);
-		DNS_ZONE_TIME_ADD(&timenow, HOUR, &timethen);
-		zone->refreshkeytime = timethen;
-		zone_settimer(zone, &timenow);
-
-		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
-		dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
-			     timebuf);
-
-		if (!fetching)
-			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
-	}
-
-	UNLOCK_ZONE(zone);
-
-	dns_diff_clear(&diff);
-	if (ver != NULL) {
-		dns_rriterator_destroy(&rrit);
-		dns_db_closeversion(db, &ver, commit);
-	}
-	dns_db_detach(&db);
-}
-
-static void
-zone_maintenance(dns_zone_t *zone) {
-	const char me[] = "zone_maintenance";
-	isc_time_t now;
-	isc_result_t result;
-	isc_boolean_t dumping;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	ENTER;
-
-	/*
-	 * Are we pending load/reload?
-	 */
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING))
-		return;
-
-	/*
-	 * Configuring the view of this zone may have
-	 * failed, for example because the config file
-	 * had a syntax error.	In that case, the view
-	 * adb or resolver will be NULL, and we had better not try
-	 * to do further maintenance on it.
-	 */
-	if (zone->view == NULL || zone->view->adb == NULL)
-		return;
-
-	TIME_NOW(&now);
-
-	/*
-	 * Expire check.
-	 */
-	switch (zone->type) {
-	case dns_zone_redirect:
-		if (zone->masters == NULL)
-			break;
-	case dns_zone_slave:
-	case dns_zone_stub:
-		LOCK_ZONE(zone);
-		if (isc_time_compare(&now, &zone->expiretime) >= 0 &&
-		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
-			zone_expire(zone);
-			zone->refreshtime = now;
-		}
-		UNLOCK_ZONE(zone);
-		break;
-	default:
-		break;
-	}
-
-	/*
-	 * Up to date check.
-	 */
-	switch (zone->type) {
-	case dns_zone_redirect:
-		if (zone->masters == NULL)
-			break;
-	case dns_zone_slave:
-	case dns_zone_stub:
-		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
-		    isc_time_compare(&now, &zone->refreshtime) >= 0)
-			dns_zone_refresh(zone);
-		break;
-	default:
-		break;
-	}
-
-	/*
-	 * Slaves send notifies before backing up to disk, masters after.
-	 */
-	if (zone->type == dns_zone_slave &&
-	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) &&
-	    isc_time_compare(&now, &zone->notifytime) >= 0)
-		zone_notify(zone, &now);
-
-	/*
-	 * Do we need to consolidate the backing store?
-	 */
-	switch (zone->type) {
-	case dns_zone_master:
-	case dns_zone_slave:
-	case dns_zone_key:
-	case dns_zone_redirect:
-	case dns_zone_stub:
-		LOCK_ZONE(zone);
-		if (zone->masterfile != NULL &&
-		    isc_time_compare(&now, &zone->dumptime) >= 0 &&
-		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
-		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP)) {
-			dumping = was_dumping(zone);
-		} else
-			dumping = ISC_TRUE;
-		UNLOCK_ZONE(zone);
-		if (!dumping) {
-			result = zone_dump(zone, ISC_TRUE); /* task locked */
-			if (result != ISC_R_SUCCESS)
-				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "dump failed: %s",
-					     dns_result_totext(result));
-		}
-		break;
-	default:
-		break;
-	}
-
-	/*
-	 * Master/redirect zones send notifies now, if needed
-	 */
-	switch (zone->type) {
-	case dns_zone_master:
-	case dns_zone_redirect:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) &&
-		    isc_time_compare(&now, &zone->notifytime) >= 0)
-			zone_notify(zone, &now);
-	default:
-		break;
-	}
-
-	/*
-	 * Do we need to refresh keys?
-	 */
-	switch (zone->type) {
-	case dns_zone_key:
-		if (isc_time_compare(&now, &zone->refreshkeytime) >= 0) {
-			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
-			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
-				zone_refreshkeys(zone);
-			}
-		}
-		break;
-	case dns_zone_master:
-		if (!isc_time_isepoch(&zone->refreshkeytime) &&
-		    isc_time_compare(&now, &zone->refreshkeytime) >= 0)
-			zone_rekey(zone);
-	default:
-		break;
-	}
-
-	switch (zone->type) {
-	case dns_zone_master:
-	case dns_zone_redirect:
-	case dns_zone_slave:
-		/*
-		 * Do we need to sign/resign some RRsets?
-		 */
-		if (!isc_time_isepoch(&zone->signingtime) &&
-		    isc_time_compare(&now, &zone->signingtime) >= 0)
-			zone_sign(zone);
-		else if (!isc_time_isepoch(&zone->resigntime) &&
-		    isc_time_compare(&now, &zone->resigntime) >= 0)
-			zone_resigninc(zone);
-		else if (!isc_time_isepoch(&zone->nsec3chaintime) &&
-			isc_time_compare(&now, &zone->nsec3chaintime) >= 0)
-			zone_nsec3chain(zone);
-		/*
-		 * Do we need to issue a key expiry warning?
-		 */
-		if (!isc_time_isepoch(&zone->keywarntime) &&
-		    isc_time_compare(&now, &zone->keywarntime) >= 0)
-			set_key_expiry_warning(zone, zone->key_expiry,
-					       isc_time_seconds(&now));
-		break;
-
-	default:
-		break;
-	}
-	zone_settimer(zone, &now);
-}
-
-void
-dns_zone_markdirty(dns_zone_t *zone) {
-	isc_uint32_t serial;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	LOCK_ZONE(zone);
-	if (zone->type == dns_zone_master) {
-		if (inline_raw(zone)) {
-			unsigned int soacount;
-
-			ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-			if (zone->db != NULL) {
-				result = zone_get_from_db(zone, zone->db, NULL,
-							  &soacount, &serial,
-							  NULL, NULL, NULL,
-							  NULL, NULL);
-			} else
-				result = DNS_R_NOTLOADED;
-			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-			if (result == ISC_R_SUCCESS && soacount > 0U)
-				zone_send_secureserial(zone, ISC_FALSE, serial);
-		}
-
-		/* XXXMPA make separate call back */
-		if (result == ISC_R_SUCCESS)
-			set_resigntime(zone);
-	}
-	zone_needdump(zone, DNS_DUMP_DELAY);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_expire(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone_expire(zone);
-	UNLOCK_ZONE(zone);
-}
-
-static void
-zone_expire(dns_zone_t *zone) {
-	/*
-	 * 'zone' locked by caller.
-	 */
-
-	REQUIRE(LOCKED_ZONE(zone));
-
-	dns_zone_log(zone, ISC_LOG_WARNING, "expired");
-
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXPIRED);
-	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
-	zone->retry = DNS_ZONE_DEFAULTRETRY;
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
-	zone_unload(zone);
-}
-
-void
-dns_zone_refresh(dns_zone_t *zone) {
-	isc_interval_t i;
-	isc_uint32_t oldflags;
-	unsigned int j;
-	isc_result_t result;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
-		return;
-
-	/*
-	 * Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation
-	 * in progress at a time.
-	 */
-
-	LOCK_ZONE(zone);
-	oldflags = zone->flags;
-	if (zone->masterscnt == 0) {
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOMASTERS);
-		if ((oldflags & DNS_ZONEFLG_NOMASTERS) == 0)
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "cannot refresh: no masters");
-		goto unlock;
-	}
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
-	if ((oldflags & (DNS_ZONEFLG_REFRESH|DNS_ZONEFLG_LOADING)) != 0)
-		goto unlock;
-
-	/*
-	 * Set the next refresh time as if refresh check has failed.
-	 * Setting this to the retry time will do that.  XXXMLG
-	 * If we are successful it will be reset using zone->refresh.
-	 */
-	isc_interval_set(&i, isc_random_jitter(zone->retry, zone->retry / 4),
-			 0);
-	result = isc_time_nowplusinterval(&zone->refreshtime, &i);
-	if (result != ISC_R_SUCCESS)
-		dns_zone_log(zone, ISC_LOG_WARNING,
-			     "isc_time_nowplusinterval() failed: %s",
-			     dns_result_totext(result));
-
-	/*
-	 * When lacking user-specified timer values from the SOA,
-	 * do exponential backoff of the retry time up to a
-	 * maximum of six hours.
-	 */
-	if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
-		zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600);
-
-	zone->curmaster = 0;
-	for (j = 0; j < zone->masterscnt; j++)
-		zone->mastersok[j] = ISC_FALSE;
-	/* initiate soa query */
-	queue_soa_query(zone);
- unlock:
-	UNLOCK_ZONE(zone);
-}
-
-isc_result_t
-dns_zone_flush(dns_zone_t *zone) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t dumping;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH);
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
-	    zone->masterfile != NULL) {
-		result = ISC_R_ALREADYRUNNING;
-		dumping = was_dumping(zone);
-	} else
-		dumping = ISC_TRUE;
-	UNLOCK_ZONE(zone);
-	if (!dumping)
-		result = zone_dump(zone, ISC_FALSE);	/* Unknown task. */
-	return (result);
-}
-
-isc_result_t
-dns_zone_dump(dns_zone_t *zone) {
-	isc_result_t result = ISC_R_ALREADYRUNNING;
-	isc_boolean_t dumping;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	dumping = was_dumping(zone);
-	UNLOCK_ZONE(zone);
-	if (!dumping)
-		result = zone_dump(zone, ISC_FALSE);	/* Unknown task. */
-	return (result);
-}
-
-static void
-zone_needdump(dns_zone_t *zone, unsigned int delay) {
-	const char me[] = "zone_needdump";
-	isc_time_t dumptime;
-	isc_time_t now;
-
-	/*
-	 * 'zone' locked by caller
-	 */
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(LOCKED_ZONE(zone));
-	ENTER;
-
-	/*
-	 * Do we have a place to dump to and are we loaded?
-	 */
-	if (zone->masterfile == NULL ||
-	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
-		return;
-
-	TIME_NOW(&now);
-	/* add some noise */
-	DNS_ZONE_JITTER_ADD(&now, delay, &dumptime);
-
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
-	if (isc_time_isepoch(&zone->dumptime) ||
-	    isc_time_compare(&zone->dumptime, &dumptime) > 0)
-		zone->dumptime = dumptime;
-	if (zone->task != NULL)
-		zone_settimer(zone, &now);
-}
-
-static void
-dump_done(void *arg, isc_result_t result) {
-	const char me[] = "dump_done";
-	dns_zone_t *zone = arg;
-	dns_db_t *db;
-	dns_dbversion_t *version;
-	isc_boolean_t again = ISC_FALSE;
-	isc_boolean_t compact = ISC_FALSE;
-	isc_uint32_t serial;
-	isc_result_t tresult;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	ENTER;
-
-	if (result == ISC_R_SUCCESS && zone->journal != NULL &&
-	    zone->journalsize != -1) {
-
-		/*
-		 * We don't own these, zone->dctx must stay valid.
-		 */
-		db = dns_dumpctx_db(zone->dctx);
-		version = dns_dumpctx_version(zone->dctx);
-
-		tresult = dns_db_getsoaserial(db, version, &serial);
-		/*
-		 * If there is a secure version of this zone
-		 * use its serial if it is less than ours.
-		 */
-		if (tresult == ISC_R_SUCCESS && inline_raw(zone) &&
-		    zone->secure->db != NULL)
-		{
-			isc_uint32_t sserial;
-			isc_result_t mresult;
-
-			mresult = dns_db_getsoaserial(zone->secure->db,
-						      NULL, &sserial);
-			if (mresult == ISC_R_SUCCESS &&
-			    isc_serial_lt(sserial, serial))
-				serial = sserial;
-		}
-		/*
-		 * Note: we are task locked here so we can test
-		 * zone->xfr safely.
-		 */
-		if (tresult == ISC_R_SUCCESS && zone->xfr == NULL) {
-			tresult = dns_journal_compact(zone->mctx,
-						      zone->journal,
-						      serial,
-						      zone->journalsize);
-			switch (tresult) {
-			case ISC_R_SUCCESS:
-			case ISC_R_NOSPACE:
-			case ISC_R_NOTFOUND:
-				dns_zone_log(zone, ISC_LOG_DEBUG(3),
-					     "dns_journal_compact: %s",
-					     dns_result_totext(tresult));
-				break;
-			default:
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "dns_journal_compact failed: %s",
-					     dns_result_totext(tresult));
-				break;
-			}
-		} else if (tresult == ISC_R_SUCCESS) {
-			compact = ISC_TRUE;
-			zone->compact_serial = serial;
-		}
-	}
-
-	LOCK_ZONE(zone);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
-	if (compact)
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
-	if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) {
-		/*
-		 * Try again in a short while.
-		 */
-		zone_needdump(zone, DNS_DUMP_DELAY);
-	} else if (result == ISC_R_SUCCESS &&
-		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
-		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
-		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
-		isc_time_settoepoch(&zone->dumptime);
-		again = ISC_TRUE;
-	} else if (result == ISC_R_SUCCESS)
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
-
-	if (zone->dctx != NULL)
-		dns_dumpctx_detach(&zone->dctx);
-	zonemgr_putio(&zone->writeio);
-	UNLOCK_ZONE(zone);
-	if (again)
-		(void)zone_dump(zone, ISC_FALSE);
-	dns_zone_idetach(&zone);
-}
-
-static isc_result_t
-zone_dump(dns_zone_t *zone, isc_boolean_t compact) {
-	const char me[] = "zone_dump";
-	isc_result_t result;
-	dns_dbversion_t *version = NULL;
-	isc_boolean_t again;
-	dns_db_t *db = NULL;
-	char *masterfile = NULL;
-	dns_masterformat_t masterformat = dns_masterformat_none;
-
-/*
- * 'compact' MUST only be set if we are task locked.
- */
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	ENTER;
-
- redo:
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL)
-		dns_db_attach(zone->db, &db);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-	LOCK_ZONE(zone);
-	if (zone->masterfile != NULL) {
-		masterfile = isc_mem_strdup(zone->mctx, zone->masterfile);
-		masterformat = zone->masterformat;
-	}
-	UNLOCK_ZONE(zone);
-	if (db == NULL) {
-		result = DNS_R_NOTLOADED;
-		goto fail;
-	}
-	if (masterfile == NULL) {
-		result = DNS_R_NOMASTERFILE;
-		goto fail;
-	}
-
-	if (compact && zone->type != dns_zone_stub) {
-		dns_zone_t *dummy = NULL;
-		LOCK_ZONE(zone);
-		zone_iattach(zone, &dummy);
-		result = zonemgr_getio(zone->zmgr, ISC_FALSE, zone->task,
-				       zone_gotwritehandle, zone,
-				       &zone->writeio);
-		if (result != ISC_R_SUCCESS)
-			zone_idetach(&dummy);
-		else
-			result = DNS_R_CONTINUE;
-		UNLOCK_ZONE(zone);
-	} else {
-		dns_masterrawheader_t rawdata;
-		dns_db_currentversion(db, &version);
-		dns_master_initrawheader(&rawdata);
-		if (inline_secure(zone))
-			get_raw_serial(zone->raw, &rawdata);
-		result = dns_master_dump3(zone->mctx, db, version,
-					  &dns_master_style_default,
-					  masterfile, masterformat,
-					  &rawdata);
-		dns_db_closeversion(db, &version, ISC_FALSE);
-	}
- fail:
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (masterfile != NULL)
-		isc_mem_free(zone->mctx, masterfile);
-	masterfile = NULL;
-
-	if (result == DNS_R_CONTINUE)
-		return (ISC_R_SUCCESS); /* XXXMPA */
-
-	again = ISC_FALSE;
-	LOCK_ZONE(zone);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * Try again in a short while.
-		 */
-		zone_needdump(zone, DNS_DUMP_DELAY);
-	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
-		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
-		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
-		isc_time_settoepoch(&zone->dumptime);
-		again = ISC_TRUE;
-	} else
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
-	UNLOCK_ZONE(zone);
-	if (again)
-		goto redo;
-
-	return (result);
-}
-
-static isc_result_t
-dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style,
-	     dns_masterformat_t format, const isc_uint32_t rawversion)
-{
-	isc_result_t result;
-	dns_dbversion_t *version = NULL;
-	dns_db_t *db = NULL;
-	dns_masterrawheader_t rawdata;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL)
-		dns_db_attach(zone->db, &db);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-	if (db == NULL)
-		return (DNS_R_NOTLOADED);
-
-	dns_db_currentversion(db, &version);
-	dns_master_initrawheader(&rawdata);
-	if (rawversion == 0)
-		rawdata.flags |= DNS_MASTERRAW_COMPAT;
-	else if (inline_secure(zone))
-		get_raw_serial(zone->raw, &rawdata);
-	else if (zone->sourceserialset) {
-		rawdata.flags = DNS_MASTERRAW_SOURCESERIALSET;
-		rawdata.sourceserial = zone->sourceserial;
-	}
-	result = dns_master_dumptostream3(zone->mctx, db, version, style,
-					  format, &rawdata, fd);
-	dns_db_closeversion(db, &version, ISC_FALSE);
-	dns_db_detach(&db);
-	return (result);
-}
-
-isc_result_t
-dns_zone_dumptostream3(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
-		       const dns_master_style_t *style,
-		       const isc_uint32_t rawversion)
-{
-	return (dumptostream(zone, fd, style, format, rawversion));
-}
-
-isc_result_t
-dns_zone_dumptostream2(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
-		       const dns_master_style_t *style) {
-	return (dumptostream(zone, fd, style, format, DNS_RAWFORMAT_VERSION));
-}
-
-isc_result_t
-dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
-	return (dumptostream(zone, fd, &dns_master_style_default,
-			     dns_masterformat_text, 0));
-}
-
-isc_result_t
-dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd) {
-	return (dumptostream(zone, fd, &dns_master_style_full,
-			     dns_masterformat_text, 0));
-}
-
-void
-dns_zone_unload(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone_unload(zone);
-	UNLOCK_ZONE(zone);
-}
-
-static void
-notify_cancel(dns_zone_t *zone) {
-	dns_notify_t *notify;
-
-	/*
-	 * 'zone' locked by caller.
-	 */
-
-	REQUIRE(LOCKED_ZONE(zone));
-
-	for (notify = ISC_LIST_HEAD(zone->notifies);
-	     notify != NULL;
-	     notify = ISC_LIST_NEXT(notify, link)) {
-		if (notify->find != NULL)
-			dns_adb_cancelfind(notify->find);
-		if (notify->request != NULL)
-			dns_request_cancel(notify->request);
-	}
-}
-
-static void
-forward_cancel(dns_zone_t *zone) {
-	dns_forward_t *forward;
-
-	/*
-	 * 'zone' locked by caller.
-	 */
-
-	REQUIRE(LOCKED_ZONE(zone));
-
-	for (forward = ISC_LIST_HEAD(zone->forwards);
-	     forward != NULL;
-	     forward = ISC_LIST_NEXT(forward, link)) {
-		if (forward->request != NULL)
-			dns_request_cancel(forward->request);
-	}
-}
-
-static void
-zone_unload(dns_zone_t *zone) {
-
-	/*
-	 * 'zone' locked by caller.
-	 */
-
-	REQUIRE(LOCKED_ZONE(zone));
-
-	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
-	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
-		if (zone->writeio != NULL)
-			zonemgr_cancelio(zone->writeio);
-
-		if (zone->dctx != NULL)
-			dns_dumpctx_cancel(zone->dctx);
-	}
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
-	zone_detachdb(zone);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
-}
-
-void
-dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(val > 0);
-
-	zone->minrefresh = val;
-}
-
-void
-dns_zone_setmaxrefreshtime(dns_zone_t *zone, isc_uint32_t val) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(val > 0);
-
-	zone->maxrefresh = val;
-}
-
-void
-dns_zone_setminretrytime(dns_zone_t *zone, isc_uint32_t val) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(val > 0);
-
-	zone->minretry = val;
-}
-
-void
-dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(val > 0);
-
-	zone->maxretry = val;
-}
-
-static isc_boolean_t
-notify_isqueued(dns_zone_t *zone, dns_name_t *name, isc_sockaddr_t *addr) {
-	dns_notify_t *notify;
-
-	for (notify = ISC_LIST_HEAD(zone->notifies);
-	     notify != NULL;
-	     notify = ISC_LIST_NEXT(notify, link)) {
-		if (notify->request != NULL)
-			continue;
-		if (name != NULL && dns_name_dynamic(&notify->ns) &&
-		    dns_name_equal(name, &notify->ns))
-			return (ISC_TRUE);
-		if (addr != NULL && isc_sockaddr_equal(addr, &notify->dst))
-			return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-static isc_boolean_t
-notify_isself(dns_zone_t *zone, isc_sockaddr_t *dst) {
-	dns_tsigkey_t *key = NULL;
-	isc_sockaddr_t src;
-	isc_sockaddr_t any;
-	isc_boolean_t isself;
-	isc_netaddr_t dstaddr;
-	isc_result_t result;
-
-	if (zone->view == NULL || zone->isself == NULL)
-		return (ISC_FALSE);
-
-	switch (isc_sockaddr_pf(dst)) {
-	case PF_INET:
-		src = zone->notifysrc4;
-		isc_sockaddr_any(&any);
-		break;
-	case PF_INET6:
-		src = zone->notifysrc6;
-		isc_sockaddr_any6(&any);
-		break;
-	default:
-		return (ISC_FALSE);
-	}
-
-	/*
-	 * When sending from any the kernel will assign a source address
-	 * that matches the destination address.
-	 */
-	if (isc_sockaddr_eqaddr(&any, &src))
-		src = *dst;
-
-	isc_netaddr_fromsockaddr(&dstaddr, dst);
-	result = dns_view_getpeertsig(zone->view, &dstaddr, &key);
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-		return (ISC_FALSE);
-	isself = (zone->isself)(zone->view, key, &src, dst, zone->rdclass,
-				zone->isselfarg);
-	if (key != NULL)
-		dns_tsigkey_detach(&key);
-	return (isself);
-}
-
-static void
-notify_destroy(dns_notify_t *notify, isc_boolean_t locked) {
-	isc_mem_t *mctx;
-
-	/*
-	 * Caller holds zone lock.
-	 */
-	REQUIRE(DNS_NOTIFY_VALID(notify));
-
-	if (notify->zone != NULL) {
-		if (!locked)
-			LOCK_ZONE(notify->zone);
-		REQUIRE(LOCKED_ZONE(notify->zone));
-		if (ISC_LINK_LINKED(notify, link))
-			ISC_LIST_UNLINK(notify->zone->notifies, notify, link);
-		if (!locked)
-			UNLOCK_ZONE(notify->zone);
-		if (locked)
-			zone_idetach(&notify->zone);
-		else
-			dns_zone_idetach(&notify->zone);
-	}
-	if (notify->find != NULL)
-		dns_adb_destroyfind(&notify->find);
-	if (notify->request != NULL)
-		dns_request_destroy(&notify->request);
-	if (dns_name_dynamic(&notify->ns))
-		dns_name_free(&notify->ns, notify->mctx);
-	if (notify->key != NULL)
-		dns_tsigkey_detach(&notify->key);
-	mctx = notify->mctx;
-	isc_mem_put(notify->mctx, notify, sizeof(*notify));
-	isc_mem_detach(&mctx);
-}
-
-static isc_result_t
-notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) {
-	dns_notify_t *notify;
-
-	REQUIRE(notifyp != NULL && *notifyp == NULL);
-
-	notify = isc_mem_get(mctx, sizeof(*notify));
-	if (notify == NULL)
-		return (ISC_R_NOMEMORY);
-
-	notify->mctx = NULL;
-	isc_mem_attach(mctx, &notify->mctx);
-	notify->flags = flags;
-	notify->zone = NULL;
-	notify->find = NULL;
-	notify->request = NULL;
-	notify->key = NULL;
-	isc_sockaddr_any(&notify->dst);
-	dns_name_init(&notify->ns, NULL);
-	ISC_LINK_INIT(notify, link);
-	notify->magic = NOTIFY_MAGIC;
-	*notifyp = notify;
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * XXXAG should check for DNS_ZONEFLG_EXITING
- */
-static void
-process_adb_event(isc_task_t *task, isc_event_t *ev) {
-	dns_notify_t *notify;
-	isc_eventtype_t result;
-
-	UNUSED(task);
-
-	notify = ev->ev_arg;
-	REQUIRE(DNS_NOTIFY_VALID(notify));
-	INSIST(task == notify->zone->task);
-	result = ev->ev_type;
-	isc_event_free(&ev);
-	if (result == DNS_EVENT_ADBMOREADDRESSES) {
-		dns_adb_destroyfind(&notify->find);
-		notify_find_address(notify);
-		return;
-	}
-	if (result == DNS_EVENT_ADBNOMOREADDRESSES) {
-		LOCK_ZONE(notify->zone);
-		notify_send(notify);
-		UNLOCK_ZONE(notify->zone);
-	}
-	notify_destroy(notify, ISC_FALSE);
-}
-
-static void
-notify_find_address(dns_notify_t *notify) {
-	isc_result_t result;
-	unsigned int options;
-
-	REQUIRE(DNS_NOTIFY_VALID(notify));
-	options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET |
-		  DNS_ADBFIND_INET6 | DNS_ADBFIND_RETURNLAME;
-
-	if (notify->zone->view->adb == NULL)
-		goto destroy;
-
-	result = dns_adb_createfind(notify->zone->view->adb,
-				    notify->zone->task,
-				    process_adb_event, notify,
-				    &notify->ns, dns_rootname, 0,
-				    options, 0, NULL,
-				    notify->zone->view->dstport,
-				    &notify->find);
-
-	/* Something failed? */
-	if (result != ISC_R_SUCCESS)
-		goto destroy;
-
-	/* More addresses pending? */
-	if ((notify->find->options & DNS_ADBFIND_WANTEVENT) != 0)
-		return;
-
-	/* We have as many addresses as we can get. */
-	LOCK_ZONE(notify->zone);
-	notify_send(notify);
-	UNLOCK_ZONE(notify->zone);
-
- destroy:
-	notify_destroy(notify, ISC_FALSE);
-}
-
-
-static isc_result_t
-notify_send_queue(dns_notify_t *notify) {
-	isc_event_t *e;
-	isc_result_t result;
-
-	e = isc_event_allocate(notify->mctx, NULL,
-			       DNS_EVENT_NOTIFYSENDTOADDR,
-			       notify_send_toaddr,
-			       notify, sizeof(isc_event_t));
-	if (e == NULL)
-		return (ISC_R_NOMEMORY);
-	e->ev_arg = notify;
-	e->ev_sender = NULL;
-	result = isc_ratelimiter_enqueue(notify->zone->zmgr->rl,
-					 notify->zone->task, &e);
-	if (result != ISC_R_SUCCESS)
-		isc_event_free(&e);
-	return (result);
-}
-
-static void
-notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
-	dns_notify_t *notify;
-	isc_result_t result;
-	dns_message_t *message = NULL;
-	isc_netaddr_t dstip;
-	dns_tsigkey_t *key = NULL;
-	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-	isc_sockaddr_t src;
-	int timeout;
-	isc_boolean_t have_notifysource = ISC_FALSE;
-
-	notify = event->ev_arg;
-	REQUIRE(DNS_NOTIFY_VALID(notify));
-
-	UNUSED(task);
-
-	LOCK_ZONE(notify->zone);
-
-	if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_LOADED) == 0) {
-		result = ISC_R_CANCELED;
-		goto cleanup;
-	}
-
-	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ||
-	    DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING) ||
-	    notify->zone->view->requestmgr == NULL ||
-	    notify->zone->db == NULL) {
-		result = ISC_R_CANCELED;
-		goto cleanup;
-	}
-
-	/*
-	 * The raw IPv4 address should also exist.  Don't send to the
-	 * mapped form.
-	 */
-	if (isc_sockaddr_pf(&notify->dst) == PF_INET6 &&
-	    IN6_IS_ADDR_V4MAPPED(&notify->dst.type.sin6.sin6_addr)) {
-		isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
-		notify_log(notify->zone, ISC_LOG_DEBUG(3),
-			   "notify: ignoring IPv6 mapped IPV4 address: %s",
-			   addrbuf);
-		result = ISC_R_CANCELED;
-		goto cleanup;
-	}
-
-	result = notify_createmessage(notify->zone, notify->flags, &message);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	if (notify->key != NULL) {
-		/* Transfer ownership of key */
-		key = notify->key;
-		notify->key = NULL;
-	} else {
-		isc_netaddr_fromsockaddr(&dstip, &notify->dst);
-		isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
-		result = dns_view_getpeertsig(notify->zone->view, &dstip, &key);
-		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
-			notify_log(notify->zone, ISC_LOG_ERROR,
-				   "NOTIFY to %s not sent. "
-				   "Peer TSIG key lookup failure.", addrbuf);
-			goto cleanup_message;
-		}
-	}
-
-	/* XXX: should we log the tsig key too? */
-	notify_log(notify->zone, ISC_LOG_DEBUG(3), "sending notify to %s",
-		   addrbuf);
-	if (notify->zone->view->peers != NULL) {
-		dns_peer_t *peer = NULL;
-		result = dns_peerlist_peerbyaddr(notify->zone->view->peers,
-						 &dstip, &peer);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_peer_getnotifysource(peer, &src);
-			if (result == ISC_R_SUCCESS)
-				have_notifysource = ISC_TRUE;
-		}
-	}
-	switch (isc_sockaddr_pf(&notify->dst)) {
-	case PF_INET:
-		if (!have_notifysource)
-			src = notify->zone->notifysrc4;
-		break;
-	case PF_INET6:
-		if (!have_notifysource)
-			src = notify->zone->notifysrc6;
-		break;
-	default:
-		result = ISC_R_NOTIMPLEMENTED;
-		goto cleanup_key;
-	}
-	timeout = 15;
-	if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY))
-		timeout = 30;
-	result = dns_request_createvia2(notify->zone->view->requestmgr,
-					message, &src, &notify->dst, 0, key,
-					timeout * 3, timeout,
-					notify->zone->task, notify_done,
-					notify, &notify->request);
-	if (result == ISC_R_SUCCESS) {
-		if (isc_sockaddr_pf(&notify->dst) == AF_INET) {
-			inc_stats(notify->zone,
-				  dns_zonestatscounter_notifyoutv4);
-		} else {
-			inc_stats(notify->zone,
-				  dns_zonestatscounter_notifyoutv6);
-		}
-	}
-
- cleanup_key:
-	if (key != NULL)
-		dns_tsigkey_detach(&key);
- cleanup_message:
-	dns_message_destroy(&message);
- cleanup:
-	UNLOCK_ZONE(notify->zone);
-	isc_event_free(&event);
-	if (result != ISC_R_SUCCESS)
-		notify_destroy(notify, ISC_FALSE);
-}
-
-static void
-notify_send(dns_notify_t *notify) {
-	dns_adbaddrinfo_t *ai;
-	isc_sockaddr_t dst;
-	isc_result_t result;
-	dns_notify_t *new = NULL;
-
-	/*
-	 * Zone lock held by caller.
-	 */
-	REQUIRE(DNS_NOTIFY_VALID(notify));
-	REQUIRE(LOCKED_ZONE(notify->zone));
-
-	for (ai = ISC_LIST_HEAD(notify->find->list);
-	     ai != NULL;
-	     ai = ISC_LIST_NEXT(ai, publink)) {
-		dst = ai->sockaddr;
-		if (notify_isqueued(notify->zone, NULL, &dst))
-			continue;
-		if (notify_isself(notify->zone, &dst))
-			continue;
-		new = NULL;
-		result = notify_create(notify->mctx,
-				       (notify->flags & DNS_NOTIFY_NOSOA),
-				       &new);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		zone_iattach(notify->zone, &new->zone);
-		ISC_LIST_APPEND(new->zone->notifies, new, link);
-		new->dst = dst;
-		result = notify_send_queue(new);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup;
-		new = NULL;
-	}
-
- cleanup:
-	if (new != NULL)
-		notify_destroy(new, ISC_TRUE);
-}
-
-void
-dns_zone_notify(dns_zone_t *zone) {
-	isc_time_t now;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-
-	TIME_NOW(&now);
-	zone_settimer(zone, &now);
-	UNLOCK_ZONE(zone);
-}
-
-static void
-zone_notify(dns_zone_t *zone, isc_time_t *now) {
-	dns_dbnode_t *node = NULL;
-	dns_db_t *zonedb = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_name_t *origin = NULL;
-	dns_name_t master;
-	dns_rdata_ns_t ns;
-	dns_rdata_soa_t soa;
-	isc_uint32_t serial;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t nsrdset;
-	dns_rdataset_t soardset;
-	isc_result_t result;
-	dns_notify_t *notify = NULL;
-	unsigned int i;
-	isc_sockaddr_t dst;
-	isc_boolean_t isqueued;
-	dns_notifytype_t notifytype;
-	unsigned int flags = 0;
-	isc_boolean_t loggednotify = ISC_FALSE;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-	notifytype = zone->notifytype;
-	DNS_ZONE_TIME_ADD(now, zone->notifydelay, &zone->notifytime);
-	UNLOCK_ZONE(zone);
-
-	if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
-		return;
-
-	if (notifytype == dns_notifytype_no)
-		return;
-
-	if (notifytype == dns_notifytype_masteronly &&
-	    zone->type != dns_zone_master)
-		return;
-
-	origin = &zone->origin;
-
-	/*
-	 * If the zone is dialup we are done as we don't want to send
-	 * the current soa so as to force a refresh query.
-	 */
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
-		flags |= DNS_NOTIFY_NOSOA;
-
-	/*
-	 * Get SOA RRset.
-	 */
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL)
-		dns_db_attach(zone->db, &zonedb);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zonedb == NULL)
-		return;
-	dns_db_currentversion(zonedb, &version);
-	result = dns_db_findnode(zonedb, origin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup1;
-
-	dns_rdataset_init(&soardset);
-	result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa,
-				     dns_rdatatype_none, 0, &soardset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup2;
-
-	/*
-	 * Find serial and master server's name.
-	 */
-	dns_name_init(&master, NULL);
-	result = dns_rdataset_first(&soardset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup3;
-	dns_rdataset_current(&soardset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &soa, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	dns_rdata_reset(&rdata);
-	result = dns_name_dup(&soa.origin, zone->mctx, &master);
-	serial = soa.serial;
-	dns_rdataset_disassociate(&soardset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup3;
-
-	/*
-	 * Enqueue notify requests for 'also-notify' servers.
-	 */
-	LOCK_ZONE(zone);
-	for (i = 0; i < zone->notifycnt; i++) {
-		dns_tsigkey_t *key = NULL;
-
-		dst = zone->notify[i];
-		if (notify_isqueued(zone, NULL, &dst))
-			continue;
-
-		result = notify_create(zone->mctx, flags, &notify);
-		if (result != ISC_R_SUCCESS)
-			continue;
-
-		zone_iattach(zone, &notify->zone);
-		notify->dst = dst;
-
-		if ((zone->notifykeynames != NULL) &&
-		    (zone->notifykeynames[i] != NULL)) {
-			dns_view_t *view = dns_zone_getview(zone);
-			dns_name_t *keyname = zone->notifykeynames[i];
-			result = dns_view_gettsig(view, keyname, &key);
-			if (result == ISC_R_SUCCESS) {
-				notify->key = key;
-				key = NULL;
-			}
-		}
-
-		ISC_LIST_APPEND(zone->notifies, notify, link);
-		result = notify_send_queue(notify);
-		if (result != ISC_R_SUCCESS)
-			notify_destroy(notify, ISC_TRUE);
-		if (!loggednotify) {
-			notify_log(zone, ISC_LOG_INFO,
-				   "sending notifies (serial %u)",
-				   serial);
-			loggednotify = ISC_TRUE;
-		}
-		notify = NULL;
-	}
-	UNLOCK_ZONE(zone);
-
-	if (notifytype == dns_notifytype_explicit)
-		goto cleanup3;
-
-	/*
-	 * Process NS RRset to generate notifies.
-	 */
-
-	dns_rdataset_init(&nsrdset);
-	result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_ns,
-				     dns_rdatatype_none, 0, &nsrdset, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup3;
-
-	result = dns_rdataset_first(&nsrdset);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdataset_current(&nsrdset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		dns_rdata_reset(&rdata);
-		/*
-		 * Don't notify the master server unless explicitly
-		 * configured to do so.
-		 */
-		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOTIFYTOSOA) &&
-		    dns_name_compare(&master, &ns.name) == 0) {
-			result = dns_rdataset_next(&nsrdset);
-			continue;
-		}
-
-		if (!loggednotify) {
-			notify_log(zone, ISC_LOG_INFO,
-				   "sending notifies (serial %u)",
-				   serial);
-			loggednotify = ISC_TRUE;
-		}
-
-		LOCK_ZONE(zone);
-		isqueued = notify_isqueued(zone, &ns.name, NULL);
-		UNLOCK_ZONE(zone);
-		if (isqueued) {
-			result = dns_rdataset_next(&nsrdset);
-			continue;
-		}
-		result = notify_create(zone->mctx, flags, &notify);
-		if (result != ISC_R_SUCCESS)
-			continue;
-		dns_zone_iattach(zone, &notify->zone);
-		result = dns_name_dup(&ns.name, zone->mctx, &notify->ns);
-		if (result != ISC_R_SUCCESS) {
-			LOCK_ZONE(zone);
-			notify_destroy(notify, ISC_TRUE);
-			UNLOCK_ZONE(zone);
-			continue;
-		}
-		LOCK_ZONE(zone);
-		ISC_LIST_APPEND(zone->notifies, notify, link);
-		UNLOCK_ZONE(zone);
-		notify_find_address(notify);
-		notify = NULL;
-		result = dns_rdataset_next(&nsrdset);
-	}
-	dns_rdataset_disassociate(&nsrdset);
-
- cleanup3:
-	if (dns_name_dynamic(&master))
-		dns_name_free(&master, zone->mctx);
- cleanup2:
-	dns_db_detachnode(zonedb, &node);
- cleanup1:
-	dns_db_closeversion(zonedb, &version, ISC_FALSE);
-	dns_db_detach(&zonedb);
-}
-
-/***
- *** Private
- ***/
-
-static inline isc_result_t
-save_nsrrset(dns_message_t *message, dns_name_t *name,
-	     dns_db_t *db, dns_dbversion_t *version)
-{
-	dns_rdataset_t *nsrdataset = NULL;
-	dns_rdataset_t *rdataset = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_rdata_ns_t ns;
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	/*
-	 * Extract NS RRset from message.
-	 */
-	result = dns_message_findname(message, DNS_SECTION_ANSWER, name,
-				      dns_rdatatype_ns, dns_rdatatype_none,
-				      NULL, &nsrdataset);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	/*
-	 * Add NS rdataset.
-	 */
-	result = dns_db_findnode(db, name, ISC_TRUE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	result = dns_db_addrdataset(db, node, version, 0,
-				    nsrdataset, 0, NULL);
-	dns_db_detachnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	/*
-	 * Add glue rdatasets.
-	 */
-	for (result = dns_rdataset_first(nsrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(nsrdataset)) {
-		dns_rdataset_current(nsrdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &ns, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		dns_rdata_reset(&rdata);
-		if (!dns_name_issubdomain(&ns.name, name))
-			continue;
-		rdataset = NULL;
-		result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
-					      &ns.name, dns_rdatatype_aaaa,
-					      dns_rdatatype_none, NULL,
-					      &rdataset);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_db_findnode(db, &ns.name,
-						 ISC_TRUE, &node);
-			if (result != ISC_R_SUCCESS)
-				goto fail;
-			result = dns_db_addrdataset(db, node, version, 0,
-						    rdataset, 0, NULL);
-			dns_db_detachnode(db, &node);
-			if (result != ISC_R_SUCCESS)
-				goto fail;
-		}
-		rdataset = NULL;
-		result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
-					      &ns.name, dns_rdatatype_a,
-					      dns_rdatatype_none, NULL,
-					      &rdataset);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_db_findnode(db, &ns.name,
-						 ISC_TRUE, &node);
-			if (result != ISC_R_SUCCESS)
-				goto fail;
-			result = dns_db_addrdataset(db, node, version, 0,
-						    rdataset, 0, NULL);
-			dns_db_detachnode(db, &node);
-			if (result != ISC_R_SUCCESS)
-				goto fail;
-		}
-	}
-	if (result != ISC_R_NOMORE)
-		goto fail;
-
-	return (ISC_R_SUCCESS);
-
-fail:
-	return (result);
-}
-
-static void
-stub_callback(isc_task_t *task, isc_event_t *event) {
-	const char me[] = "stub_callback";
-	dns_requestevent_t *revent = (dns_requestevent_t *)event;
-	dns_stub_t *stub = NULL;
-	dns_message_t *msg = NULL;
-	dns_zone_t *zone = NULL;
-	char master[ISC_SOCKADDR_FORMATSIZE];
-	char source[ISC_SOCKADDR_FORMATSIZE];
-	isc_uint32_t nscnt, cnamecnt, refresh, retry, expire;
-	isc_result_t result;
-	isc_time_t now;
-	isc_boolean_t exiting = ISC_FALSE;
-	isc_interval_t i;
-	unsigned int j, soacount;
-
-	stub = revent->ev_arg;
-	INSIST(DNS_STUB_VALID(stub));
-
-	UNUSED(task);
-
-	zone = stub->zone;
-
-	ENTER;
-
-	TIME_NOW(&now);
-
-	LOCK_ZONE(zone);
-
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
-		zone_debuglog(zone, me, 1, "exiting");
-		exiting = ISC_TRUE;
-		goto next_master;
-	}
-
-	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
-	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
-
-	if (revent->result != ISC_R_SUCCESS) {
-		if (revent->result == ISC_R_TIMEDOUT &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "refreshing stub: timeout retrying "
-				     " without EDNS master %s (source %s)",
-				     master, source);
-			goto same_master;
-		}
-		dns_zonemgr_unreachableadd(zone->zmgr, &zone->masteraddr,
-					   &zone->sourceaddr, &now);
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "could not refresh stub from master %s"
-			     " (source %s): %s", master, source,
-			     dns_result_totext(revent->result));
-		goto next_master;
-	}
-
-	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
-	if (result != ISC_R_SUCCESS)
-		goto next_master;
-
-	result = dns_request_getresponse(revent->request, msg, 0);
-	if (result != ISC_R_SUCCESS)
-		goto next_master;
-
-	/*
-	 * Unexpected rcode.
-	 */
-	if (msg->rcode != dns_rcode_noerror) {
-		char rcode[128];
-		isc_buffer_t rb;
-
-		isc_buffer_init(&rb, rcode, sizeof(rcode));
-		(void)dns_rcode_totext(msg->rcode, &rb);
-
-		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
-		    (msg->rcode == dns_rcode_servfail ||
-		     msg->rcode == dns_rcode_notimp ||
-		     msg->rcode == dns_rcode_formerr)) {
-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "refreshing stub: rcode (%.*s) retrying "
-				     "without EDNS master %s (source %s)",
-				     (int)rb.used, rcode, master, source);
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
-			goto same_master;
-		}
-
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refreshing stub: "
-			     "unexpected rcode (%.*s) from %s (source %s)",
-			     (int)rb.used, rcode, master, source);
-		goto next_master;
-	}
-
-	/*
-	 * We need complete messages.
-	 */
-	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
-		if (dns_request_usedtcp(revent->request)) {
-			dns_zone_log(zone, ISC_LOG_INFO,
-				     "refreshing stub: truncated TCP "
-				     "response from master %s (source %s)",
-				     master, source);
-			goto next_master;
-		}
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
-		goto same_master;
-	}
-
-	/*
-	 * If non-auth log and next master.
-	 */
-	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
-		dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
-			     "non-authoritative answer from "
-			     "master %s (source %s)", master, source);
-		goto next_master;
-	}
-
-	/*
-	 * Sanity checks.
-	 */
-	cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
-	nscnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_ns);
-
-	if (cnamecnt != 0) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refreshing stub: unexpected CNAME response "
-			     "from master %s (source %s)", master, source);
-		goto next_master;
-	}
-
-	if (nscnt == 0) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refreshing stub: no NS records in response "
-			     "from master %s (source %s)", master, source);
-		goto next_master;
-	}
-
-	/*
-	 * Save answer.
-	 */
-	result = save_nsrrset(msg, &zone->origin, stub->db, stub->version);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refreshing stub: unable to save NS records "
-			     "from master %s (source %s)", master, source);
-		goto next_master;
-	}
-
-	/*
-	 * Tidy up.
-	 */
-	dns_db_closeversion(stub->db, &stub->version, ISC_TRUE);
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
-	if (zone->db == NULL)
-		zone_attachdb(zone, stub->db);
-	result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
-				  &refresh, &retry, &expire, NULL, NULL);
-	if (result == ISC_R_SUCCESS && soacount > 0U) {
-		zone->refresh = RANGE(refresh, zone->minrefresh,
-				      zone->maxrefresh);
-		zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
-		zone->expire = RANGE(expire, zone->refresh + zone->retry,
-				     DNS_MAX_EXPIRE);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
-	}
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
-	dns_db_detach(&stub->db);
-
-	dns_message_destroy(&msg);
-	isc_event_free(&event);
-	dns_request_destroy(&zone->request);
-
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
-	DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
-	isc_interval_set(&i, zone->expire, 0);
-	DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
-
-	if (zone->masterfile != NULL)
-		zone_needdump(zone, 0);
-
-	zone_settimer(zone, &now);
-	goto free_stub;
-
- next_master:
-	if (stub->version != NULL)
-		dns_db_closeversion(stub->db, &stub->version, ISC_FALSE);
-	if (stub->db != NULL)
-		dns_db_detach(&stub->db);
-	if (msg != NULL)
-		dns_message_destroy(&msg);
-	isc_event_free(&event);
-	dns_request_destroy(&zone->request);
-	/*
-	 * Skip to next failed / untried master.
-	 */
-	do {
-		zone->curmaster++;
-	} while (zone->curmaster < zone->masterscnt &&
-		 zone->mastersok[zone->curmaster]);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
-	if (exiting || zone->curmaster >= zone->masterscnt) {
-		isc_boolean_t done = ISC_TRUE;
-		if (!exiting &&
-		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
-			/*
-			 * Did we get a good answer from all the masters?
-			 */
-			for (j = 0; j < zone->masterscnt; j++)
-				if (zone->mastersok[j] == ISC_FALSE) {
-					done = ISC_FALSE;
-					break;
-				}
-		} else
-			done = ISC_TRUE;
-		if (!done) {
-			zone->curmaster = 0;
-			/*
-			 * Find the next failed master.
-			 */
-			while (zone->curmaster < zone->masterscnt &&
-			       zone->mastersok[zone->curmaster])
-				zone->curmaster++;
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
-		} else {
-			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-
-			zone_settimer(zone, &now);
-			goto free_stub;
-		}
-	}
-	queue_soa_query(zone);
-	goto free_stub;
-
- same_master:
-	if (msg != NULL)
-		dns_message_destroy(&msg);
-	isc_event_free(&event);
-	dns_request_destroy(&zone->request);
-	ns_query(zone, NULL, stub);
-	UNLOCK_ZONE(zone);
-	goto done;
-
- free_stub:
-	UNLOCK_ZONE(zone);
-	stub->magic = 0;
-	dns_zone_idetach(&stub->zone);
-	INSIST(stub->db == NULL);
-	INSIST(stub->version == NULL);
-	isc_mem_put(stub->mctx, stub, sizeof(*stub));
-
- done:
-	INSIST(event == NULL);
-	return;
-}
-
-/*
- * An SOA query has finished (successfully or not).
- */
-static void
-refresh_callback(isc_task_t *task, isc_event_t *event) {
-	const char me[] = "refresh_callback";
-	dns_requestevent_t *revent = (dns_requestevent_t *)event;
-	dns_zone_t *zone;
-	dns_message_t *msg = NULL;
-	isc_uint32_t soacnt, cnamecnt, soacount, nscount;
-	isc_time_t now;
-	char master[ISC_SOCKADDR_FORMATSIZE];
-	char source[ISC_SOCKADDR_FORMATSIZE];
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_soa_t soa;
-	isc_result_t result;
-	isc_uint32_t serial, oldserial = 0;
-	unsigned int j;
-	isc_boolean_t do_queue_xfrin = ISC_FALSE;
-
-	zone = revent->ev_arg;
-	INSIST(DNS_ZONE_VALID(zone));
-
-	UNUSED(task);
-
-	ENTER;
-
-	TIME_NOW(&now);
-
-	LOCK_ZONE(zone);
-
-	/*
-	 * if timeout log and next master;
-	 */
-
-	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
-	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
-
-	if (revent->result != ISC_R_SUCCESS) {
-		if (revent->result == ISC_R_TIMEDOUT &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "refresh: timeout retrying without EDNS "
-				     "master %s (source %s)", master, source);
-			goto same_master;
-		}
-		if (revent->result == ISC_R_TIMEDOUT &&
-		    !dns_request_usedtcp(revent->request)) {
-			dns_zone_log(zone, ISC_LOG_INFO,
-				     "refresh: retry limit for "
-				     "master %s exceeded (source %s)",
-				     master, source);
-			/* Try with slave with TCP. */
-			if ((zone->type == dns_zone_slave ||
-			     zone->type == dns_zone_redirect) &&
-			    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) {
-				if (!dns_zonemgr_unreachable(zone->zmgr,
-							     &zone->masteraddr,
-							     &zone->sourceaddr,
-							     &now))
-				{
-					DNS_ZONE_SETFLAG(zone,
-						     DNS_ZONEFLG_SOABEFOREAXFR);
-					goto tcp_transfer;
-				}
-				dns_zone_log(zone, ISC_LOG_DEBUG(1),
-					     "refresh: skipped tcp fallback "
-					     "as master %s (source %s) is "
-					     "unreachable (cached)",
-					      master, source);
-			}
-		} else
-			dns_zone_log(zone, ISC_LOG_INFO,
-				     "refresh: failure trying master "
-				     "%s (source %s): %s", master, source,
-				     dns_result_totext(revent->result));
-		goto next_master;
-	}
-
-	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
-	if (result != ISC_R_SUCCESS)
-		goto next_master;
-	result = dns_request_getresponse(revent->request, msg, 0);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: failure trying master "
-			     "%s (source %s): %s", master, source,
-			     dns_result_totext(result));
-		goto next_master;
-	}
-
-	/*
-	 * Unexpected rcode.
-	 */
-	if (msg->rcode != dns_rcode_noerror) {
-		char rcode[128];
-		isc_buffer_t rb;
-
-		isc_buffer_init(&rb, rcode, sizeof(rcode));
-		(void)dns_rcode_totext(msg->rcode, &rb);
-
-		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
-		    (msg->rcode == dns_rcode_servfail ||
-		     msg->rcode == dns_rcode_notimp ||
-		     msg->rcode == dns_rcode_formerr)) {
-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "refresh: rcode (%.*s) retrying without "
-				     "EDNS master %s (source %s)",
-				     (int)rb.used, rcode, master, source);
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
-			goto same_master;
-		}
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: unexpected rcode (%.*s) from "
-			     "master %s (source %s)", (int)rb.used, rcode,
-			     master, source);
-		/*
-		 * Perhaps AXFR/IXFR is allowed even if SOA queries aren't.
-		 */
-		if (msg->rcode == dns_rcode_refused &&
-		    (zone->type == dns_zone_slave ||
-		     zone->type == dns_zone_redirect))
-			goto tcp_transfer;
-		goto next_master;
-	}
-
-	/*
-	 * If truncated punt to zone transfer which will query again.
-	 */
-	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
-		if (zone->type == dns_zone_slave ||
-		    zone->type == dns_zone_redirect) {
-			dns_zone_log(zone, ISC_LOG_INFO,
-				     "refresh: truncated UDP answer, "
-				     "initiating TCP zone xfer "
-				     "for master %s (source %s)",
-				     master, source);
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
-			goto tcp_transfer;
-		} else {
-			INSIST(zone->type == dns_zone_stub);
-			if (dns_request_usedtcp(revent->request)) {
-				dns_zone_log(zone, ISC_LOG_INFO,
-					     "refresh: truncated TCP response "
-					     "from master %s (source %s)",
-					     master, source);
-				goto next_master;
-			}
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
-			goto same_master;
-		}
-	}
-
-	/*
-	 * if non-auth log and next master;
-	 */
-	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: non-authoritative answer from "
-			     "master %s (source %s)", master, source);
-		goto next_master;
-	}
-
-	cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
-	soacnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_soa);
-	nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns);
-	soacount = message_count(msg, DNS_SECTION_AUTHORITY,
-				 dns_rdatatype_soa);
-
-	/*
-	 * There should not be a CNAME record at top of zone.
-	 */
-	if (cnamecnt != 0) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: CNAME at top of zone "
-			     "in master %s (source %s)", master, source);
-		goto next_master;
-	}
-
-	/*
-	 * if referral log and next master;
-	 */
-	if (soacnt == 0 && soacount == 0 && nscount != 0) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: referral response "
-			     "from master %s (source %s)", master, source);
-		goto next_master;
-	}
-
-	/*
-	 * if nodata log and next master;
-	 */
-	if (soacnt == 0 && (nscount == 0 || soacount != 0)) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: NODATA response "
-			     "from master %s (source %s)", master, source);
-		goto next_master;
-	}
-
-	/*
-	 * Only one soa at top of zone.
-	 */
-	if (soacnt != 1) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: answer SOA count (%d) != 1 "
-			     "from master %s (source %s)",
-			     soacnt, master, source);
-		goto next_master;
-	}
-
-	/*
-	 * Extract serial
-	 */
-	rdataset = NULL;
-	result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin,
-				      dns_rdatatype_soa, dns_rdatatype_none,
-				      NULL, &rdataset);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: unable to get SOA record "
-			     "from master %s (source %s)", master, source);
-		goto next_master;
-	}
-
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refresh: dns_rdataset_first() failed");
-		goto next_master;
-	}
-
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &soa, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	serial = soa.serial;
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
-		unsigned int soacount;
-		result = zone_get_from_db(zone, zone->db, NULL, &soacount,
-					  &oldserial, NULL, NULL, NULL, NULL,
-					  NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		RUNTIME_CHECK(soacount > 0U);
-		zone_debuglog(zone, me, 1, "serial: new %u, old %u",
-			      serial, oldserial);
-	} else
-		zone_debuglog(zone, me, 1, "serial: new %u, old not loaded",
-			      serial);
-
-	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
-	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
-	    isc_serial_gt(serial, oldserial)) {
-		if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
-					    &zone->sourceaddr, &now))
-		{
-			dns_zone_log(zone, ISC_LOG_INFO,
-				     "refresh: skipping %s as master %s "
-				     "(source %s) is unreachable (cached)",
-				     (zone->type == dns_zone_slave ||
-				      zone->type == dns_zone_redirect) ?
-				     "zone transfer" : "NS query",
-				     master, source);
-			goto next_master;
-		}
- tcp_transfer:
-		isc_event_free(&event);
-		dns_request_destroy(&zone->request);
-		if (zone->type == dns_zone_slave ||
-		    zone->type == dns_zone_redirect) {
-			do_queue_xfrin = ISC_TRUE;
-		} else {
-			INSIST(zone->type == dns_zone_stub);
-			ns_query(zone, rdataset, NULL);
-		}
-		if (msg != NULL)
-			dns_message_destroy(&msg);
-	} else if (isc_serial_eq(soa.serial, oldserial)) {
-		if (zone->masterfile != NULL) {
-			result = ISC_R_FAILURE;
-			if (zone->journal != NULL)
-				result = isc_file_settime(zone->journal, &now);
-			if (result == ISC_R_SUCCESS &&
-			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
-			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
-				result = isc_file_settime(zone->masterfile,
-							  &now);
-			} else if (result != ISC_R_SUCCESS)
-				result = isc_file_settime(zone->masterfile,
-							  &now);
-			/* Someone removed the file from underneath us! */
-			if (result == ISC_R_FILENOTFOUND) {
-				zone_needdump(zone, DNS_DUMP_DELAY);
-			} else if (result != ISC_R_SUCCESS)
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "refresh: could not set file "
-					     "modification time of '%s': %s",
-					     zone->masterfile,
-					     dns_result_totext(result));
-		}
-		DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
-		DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
-		zone->mastersok[zone->curmaster] = ISC_TRUE;
-		goto next_master;
-	} else {
-		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER))
-			dns_zone_log(zone, ISC_LOG_INFO, "serial number (%u) "
-				     "received from master %s < ours (%u)",
-				     soa.serial, master, oldserial);
-		else
-			zone_debuglog(zone, me, 1, "ahead");
-		zone->mastersok[zone->curmaster] = ISC_TRUE;
-		goto next_master;
-	}
-	if (msg != NULL)
-		dns_message_destroy(&msg);
-	goto detach;
-
- next_master:
-	if (msg != NULL)
-		dns_message_destroy(&msg);
-	isc_event_free(&event);
-	dns_request_destroy(&zone->request);
-	/*
-	 * Skip to next failed / untried master.
-	 */
-	do {
-		zone->curmaster++;
-	} while (zone->curmaster < zone->masterscnt &&
-		 zone->mastersok[zone->curmaster]);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
-	if (zone->curmaster >= zone->masterscnt) {
-		isc_boolean_t done = ISC_TRUE;
-		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
-			/*
-			 * Did we get a good answer from all the masters?
-			 */
-			for (j = 0; j < zone->masterscnt; j++)
-				if (zone->mastersok[j] == ISC_FALSE) {
-					done = ISC_FALSE;
-					break;
-				}
-		} else
-			done = ISC_TRUE;
-		if (!done) {
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
-			zone->curmaster = 0;
-			/*
-			 * Find the next failed master.
-			 */
-			while (zone->curmaster < zone->masterscnt &&
-			       zone->mastersok[zone->curmaster])
-				zone->curmaster++;
-			goto requeue;
-		}
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
-			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
-			zone->refreshtime = now;
-		}
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
-		zone_settimer(zone, &now);
-		goto detach;
-	}
-
- requeue:
-	queue_soa_query(zone);
-	goto detach;
-
- same_master:
-	if (msg != NULL)
-		dns_message_destroy(&msg);
-	isc_event_free(&event);
-	dns_request_destroy(&zone->request);
-	queue_soa_query(zone);
-
- detach:
-	UNLOCK_ZONE(zone);
-	if (do_queue_xfrin)
-		queue_xfrin(zone);
-	dns_zone_idetach(&zone);
-	return;
-}
-
-static void
-queue_soa_query(dns_zone_t *zone) {
-	const char me[] = "queue_soa_query";
-	isc_event_t *e;
-	dns_zone_t *dummy = NULL;
-	isc_result_t result;
-
-	ENTER;
-	/*
-	 * Locked by caller
-	 */
-	REQUIRE(LOCKED_ZONE(zone));
-
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
-		cancel_refresh(zone);
-		return;
-	}
-
-	e = isc_event_allocate(zone->mctx, NULL, DNS_EVENT_ZONE,
-			       soa_query, zone, sizeof(isc_event_t));
-	if (e == NULL) {
-		cancel_refresh(zone);
-		return;
-	}
-
-	/*
-	 * Attach so that we won't clean up
-	 * until the event is delivered.
-	 */
-	zone_iattach(zone, &dummy);
-
-	e->ev_arg = zone;
-	e->ev_sender = NULL;
-	result = isc_ratelimiter_enqueue(zone->zmgr->rl, zone->task, &e);
-	if (result != ISC_R_SUCCESS) {
-		zone_idetach(&dummy);
-		isc_event_free(&e);
-		cancel_refresh(zone);
-	}
-}
-
-static inline isc_result_t
-create_query(dns_zone_t *zone, dns_rdatatype_t rdtype,
-	     dns_message_t **messagep)
-{
-	dns_message_t *message = NULL;
-	dns_name_t *qname = NULL;
-	dns_rdataset_t *qrdataset = NULL;
-	isc_result_t result;
-
-	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
-				    &message);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	message->opcode = dns_opcode_query;
-	message->rdclass = zone->rdclass;
-
-	result = dns_message_gettempname(message, &qname);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_message_gettemprdataset(message, &qrdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/*
-	 * Make question.
-	 */
-	dns_name_init(qname, NULL);
-	dns_name_clone(&zone->origin, qname);
-	dns_rdataset_init(qrdataset);
-	dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
-	ISC_LIST_APPEND(qname->list, qrdataset, link);
-	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
-
-	*messagep = message;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (qname != NULL)
-		dns_message_puttempname(message, &qname);
-	if (qrdataset != NULL)
-		dns_message_puttemprdataset(message, &qrdataset);
-	if (message != NULL)
-		dns_message_destroy(&message);
-	return (result);
-}
-
-static isc_result_t
-add_opt(dns_message_t *message, isc_uint16_t udpsize, isc_boolean_t reqnsid) {
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdatalist_t *rdatalist = NULL;
-	dns_rdata_t *rdata = NULL;
-	isc_result_t result;
-
-	result = dns_message_gettemprdatalist(message, &rdatalist);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_gettemprdata(message, &rdata);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_gettemprdataset(message, &rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	dns_rdataset_init(rdataset);
-
-	rdatalist->type = dns_rdatatype_opt;
-	rdatalist->covers = 0;
-
-	/*
-	 * Set Maximum UDP buffer size.
-	 */
-	rdatalist->rdclass = udpsize;
-
-	/*
-	 * Set EXTENDED-RCODE, VERSION, DO and Z to 0.
-	 */
-	rdatalist->ttl = 0;
-
-	/* Set EDNS options if applicable */
-	if (reqnsid) {
-		unsigned char data[4];
-		isc_buffer_t buf;
-
-		isc_buffer_init(&buf, data, sizeof(data));
-		isc_buffer_putuint16(&buf, DNS_OPT_NSID);
-		isc_buffer_putuint16(&buf, 0);
-		rdata->data = data;
-		rdata->length = sizeof(data);
-	} else {
-		rdata->data = NULL;
-		rdata->length = 0;
-	}
-
-	rdata->rdclass = rdatalist->rdclass;
-	rdata->type = rdatalist->type;
-	rdata->flags = 0;
-
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
-		      == ISC_R_SUCCESS);
-
-	return (dns_message_setopt(message, rdataset));
-
- cleanup:
-	if (rdatalist != NULL)
-		dns_message_puttemprdatalist(message, &rdatalist);
-	if (rdataset != NULL)
-		dns_message_puttemprdataset(message, &rdataset);
-	if (rdata != NULL)
-		dns_message_puttemprdata(message, &rdata);
-
-	return (result);
-}
-
-static void
-soa_query(isc_task_t *task, isc_event_t *event) {
-	const char me[] = "soa_query";
-	isc_result_t result = ISC_R_FAILURE;
-	dns_message_t *message = NULL;
-	dns_zone_t *zone = event->ev_arg;
-	dns_zone_t *dummy = NULL;
-	isc_netaddr_t masterip;
-	dns_tsigkey_t *key = NULL;
-	isc_uint32_t options;
-	isc_boolean_t cancel = ISC_TRUE;
-	int timeout;
-	isc_boolean_t have_xfrsource, reqnsid;
-	isc_uint16_t udpsize = SEND_BUFFER_SIZE;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	UNUSED(task);
-
-	ENTER;
-
-	LOCK_ZONE(zone);
-	if (((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0) ||
-	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
-	    zone->view->requestmgr == NULL) {
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
-			cancel = ISC_FALSE;
-		goto cleanup;
-	}
-
-	/*
-	 * XXX Optimisation: Create message when zone is setup and reuse.
-	 */
-	result = create_query(zone, dns_rdatatype_soa, &message);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
- again:
-	INSIST(zone->masterscnt > 0);
-	INSIST(zone->curmaster < zone->masterscnt);
-
-	zone->masteraddr = zone->masters[zone->curmaster];
-
-	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
-	/*
-	 * First, look for a tsig key in the master statement, then
-	 * try for a server key.
-	 */
-	if ((zone->masterkeynames != NULL) &&
-	    (zone->masterkeynames[zone->curmaster] != NULL)) {
-		dns_view_t *view = dns_zone_getview(zone);
-		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
-		result = dns_view_gettsig(view, keyname, &key);
-		if (result != ISC_R_SUCCESS) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-			dns_name_format(keyname, namebuf, sizeof(namebuf));
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "unable to find key: %s", namebuf);
-			goto skip_master;
-		}
-	}
-	if (key == NULL) {
-		result = dns_view_getpeertsig(zone->view, &masterip, &key);
-		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
-			char addrbuf[ISC_NETADDR_FORMATSIZE];
-			isc_netaddr_format(&masterip, addrbuf, sizeof(addrbuf));
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "unable to find TSIG key for %s", addrbuf);
-			goto skip_master;
-		}
-	}
-
-	have_xfrsource = ISC_FALSE;
-	reqnsid = zone->view->requestnsid;
-	if (zone->view->peers != NULL) {
-		dns_peer_t *peer = NULL;
-		isc_boolean_t edns;
-		result = dns_peerlist_peerbyaddr(zone->view->peers,
-						 &masterip, &peer);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_peer_getsupportedns(peer, &edns);
-			if (result == ISC_R_SUCCESS && !edns)
-				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
-			result = dns_peer_gettransfersource(peer,
-							    &zone->sourceaddr);
-			if (result == ISC_R_SUCCESS)
-				have_xfrsource = ISC_TRUE;
-			if (zone->view->resolver != NULL)
-				udpsize =
-				  dns_resolver_getudpsize(zone->view->resolver);
-			(void)dns_peer_getudpsize(peer, &udpsize);
-			(void)dns_peer_getrequestnsid(peer, &reqnsid);
-		}
-	}
-
-	switch (isc_sockaddr_pf(&zone->masteraddr)) {
-	case PF_INET:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
-			if (isc_sockaddr_equal(&zone->altxfrsource4,
-					       &zone->xfrsource4))
-				goto skip_master;
-			zone->sourceaddr = zone->altxfrsource4;
-		} else if (!have_xfrsource)
-			zone->sourceaddr = zone->xfrsource4;
-		break;
-	case PF_INET6:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
-			if (isc_sockaddr_equal(&zone->altxfrsource6,
-					       &zone->xfrsource6))
-				goto skip_master;
-			zone->sourceaddr = zone->altxfrsource6;
-		} else if (!have_xfrsource)
-			zone->sourceaddr = zone->xfrsource6;
-		break;
-	default:
-		result = ISC_R_NOTIMPLEMENTED;
-		goto cleanup;
-	}
-
-	options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ?
-		  DNS_REQUESTOPT_TCP : 0;
-
-	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
-		result = add_opt(message, udpsize, reqnsid);
-		if (result != ISC_R_SUCCESS)
-			zone_debuglog(zone, me, 1,
-				      "unable to add opt record: %s",
-				      dns_result_totext(result));
-	}
-
-	zone_iattach(zone, &dummy);
-	timeout = 15;
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
-		timeout = 30;
-	result = dns_request_createvia2(zone->view->requestmgr, message,
-					&zone->sourceaddr, &zone->masteraddr,
-					options, key, timeout * 3, timeout,
-					zone->task, refresh_callback, zone,
-					&zone->request);
-	if (result != ISC_R_SUCCESS) {
-		zone_idetach(&dummy);
-		zone_debuglog(zone, me, 1,
-			      "dns_request_createvia2() failed: %s",
-			      dns_result_totext(result));
-		goto cleanup;
-	} else {
-		if (isc_sockaddr_pf(&zone->masteraddr) == PF_INET)
-			inc_stats(zone, dns_zonestatscounter_soaoutv4);
-		else
-			inc_stats(zone, dns_zonestatscounter_soaoutv6);
-	}
-	cancel = ISC_FALSE;
-
- cleanup:
-	if (key != NULL)
-		dns_tsigkey_detach(&key);
-	if (result != ISC_R_SUCCESS)
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-	if (message != NULL)
-		dns_message_destroy(&message);
-	if (cancel)
-		cancel_refresh(zone);
-	isc_event_free(&event);
-	UNLOCK_ZONE(zone);
-	dns_zone_idetach(&zone);
-	return;
-
- skip_master:
-	if (key != NULL)
-		dns_tsigkey_detach(&key);
-	/*
-	 * Skip to next failed / untried master.
-	 */
-	do {
-		zone->curmaster++;
-	} while (zone->curmaster < zone->masterscnt &&
-		 zone->mastersok[zone->curmaster]);
-	if (zone->curmaster < zone->masterscnt)
-		goto again;
-	zone->curmaster = 0;
-	goto cleanup;
-}
-
-static void
-ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
-	const char me[] = "ns_query";
-	isc_result_t result;
-	dns_message_t *message = NULL;
-	isc_netaddr_t masterip;
-	dns_tsigkey_t *key = NULL;
-	dns_dbnode_t *node = NULL;
-	int timeout;
-	isc_boolean_t have_xfrsource = ISC_FALSE, reqnsid;
-	isc_uint16_t udpsize = SEND_BUFFER_SIZE;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(LOCKED_ZONE(zone));
-	REQUIRE((soardataset != NULL && stub == NULL) ||
-		(soardataset == NULL && stub != NULL));
-	REQUIRE(stub == NULL || DNS_STUB_VALID(stub));
-
-	ENTER;
-
-	if (stub == NULL) {
-		stub = isc_mem_get(zone->mctx, sizeof(*stub));
-		if (stub == NULL)
-			goto cleanup;
-		stub->magic = STUB_MAGIC;
-		stub->mctx = zone->mctx;
-		stub->zone = NULL;
-		stub->db = NULL;
-		stub->version = NULL;
-
-		/*
-		 * Attach so that the zone won't disappear from under us.
-		 */
-		zone_iattach(zone, &stub->zone);
-
-		/*
-		 * If a db exists we will update it, otherwise we create a
-		 * new one and attach it to the zone once we have the NS
-		 * RRset and glue.
-		 */
-		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-		if (zone->db != NULL) {
-			dns_db_attach(zone->db, &stub->db);
-			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-		} else {
-			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-
-			INSIST(zone->db_argc >= 1);
-			result = dns_db_create(zone->mctx, zone->db_argv[0],
-					       &zone->origin, dns_dbtype_stub,
-					       zone->rdclass,
-					       zone->db_argc - 1,
-					       zone->db_argv + 1,
-					       &stub->db);
-			if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "refreshing stub: "
-					     "could not create "
-					     "database: %s",
-					     dns_result_totext(result));
-				goto cleanup;
-			}
-			dns_db_settask(stub->db, zone->task);
-		}
-
-		result = dns_db_newversion(stub->db, &stub->version);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
-				     "dns_db_newversion() failed: %s",
-				     dns_result_totext(result));
-			goto cleanup;
-		}
-
-		/*
-		 * Update SOA record.
-		 */
-		result = dns_db_findnode(stub->db, &zone->origin, ISC_TRUE,
-					 &node);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
-				     "dns_db_findnode() failed: %s",
-				     dns_result_totext(result));
-			goto cleanup;
-		}
-
-		result = dns_db_addrdataset(stub->db, node, stub->version, 0,
-					    soardataset, 0, NULL);
-		dns_db_detachnode(stub->db, &node);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_INFO,
-				     "refreshing stub: "
-				     "dns_db_addrdataset() failed: %s",
-				     dns_result_totext(result));
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * XXX Optimisation: Create message when zone is setup and reuse.
-	 */
-	result = create_query(zone, dns_rdatatype_ns, &message);
-	INSIST(result == ISC_R_SUCCESS);
-
-	INSIST(zone->masterscnt > 0);
-	INSIST(zone->curmaster < zone->masterscnt);
-	zone->masteraddr = zone->masters[zone->curmaster];
-
-	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
-	/*
-	 * First, look for a tsig key in the master statement, then
-	 * try for a server key.
-	 */
-	if ((zone->masterkeynames != NULL) &&
-	    (zone->masterkeynames[zone->curmaster] != NULL)) {
-		dns_view_t *view = dns_zone_getview(zone);
-		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
-		result = dns_view_gettsig(view, keyname, &key);
-		if (result != ISC_R_SUCCESS) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-			dns_name_format(keyname, namebuf, sizeof(namebuf));
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "unable to find key: %s", namebuf);
-		}
-	}
-	if (key == NULL)
-		(void)dns_view_getpeertsig(zone->view, &masterip, &key);
-
-	reqnsid = zone->view->requestnsid;
-	if (zone->view->peers != NULL) {
-		dns_peer_t *peer = NULL;
-		isc_boolean_t edns;
-		result = dns_peerlist_peerbyaddr(zone->view->peers,
-						 &masterip, &peer);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_peer_getsupportedns(peer, &edns);
-			if (result == ISC_R_SUCCESS && !edns)
-				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
-			result = dns_peer_gettransfersource(peer,
-							    &zone->sourceaddr);
-			if (result == ISC_R_SUCCESS)
-				have_xfrsource = ISC_TRUE;
-			if (zone->view->resolver != NULL)
-				udpsize =
-				  dns_resolver_getudpsize(zone->view->resolver);
-			(void)dns_peer_getudpsize(peer, &udpsize);
-			(void)dns_peer_getrequestnsid(peer, &reqnsid);
-		}
-
-	}
-	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
-		result = add_opt(message, udpsize, reqnsid);
-		if (result != ISC_R_SUCCESS)
-			zone_debuglog(zone, me, 1,
-				      "unable to add opt record: %s",
-				      dns_result_totext(result));
-	}
-
-	/*
-	 * Always use TCP so that we shouldn't truncate in additional section.
-	 */
-	switch (isc_sockaddr_pf(&zone->masteraddr)) {
-	case PF_INET:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
-			zone->sourceaddr = zone->altxfrsource4;
-		else if (!have_xfrsource)
-			zone->sourceaddr = zone->xfrsource4;
-		break;
-	case PF_INET6:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
-			zone->sourceaddr = zone->altxfrsource6;
-		else if (!have_xfrsource)
-			zone->sourceaddr = zone->xfrsource6;
-		break;
-	default:
-		result = ISC_R_NOTIMPLEMENTED;
-		POST(result);
-		goto cleanup;
-	}
-	timeout = 15;
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
-		timeout = 30;
-	result = dns_request_createvia2(zone->view->requestmgr, message,
-					&zone->sourceaddr, &zone->masteraddr,
-					DNS_REQUESTOPT_TCP, key, timeout * 3,
-					timeout, zone->task, stub_callback,
-					stub, &zone->request);
-	if (result != ISC_R_SUCCESS) {
-		zone_debuglog(zone, me, 1,
-			      "dns_request_createvia() failed: %s",
-			      dns_result_totext(result));
-		goto cleanup;
-	}
-	dns_message_destroy(&message);
-	goto unlock;
-
- cleanup:
-	cancel_refresh(zone);
-	if (stub != NULL) {
-		stub->magic = 0;
-		if (stub->version != NULL)
-			dns_db_closeversion(stub->db, &stub->version,
-					    ISC_FALSE);
-		if (stub->db != NULL)
-			dns_db_detach(&stub->db);
-		if (stub->zone != NULL)
-			zone_idetach(&stub->zone);
-		isc_mem_put(stub->mctx, stub, sizeof(*stub));
-	}
-	if (message != NULL)
-		dns_message_destroy(&message);
- unlock:
-	if (key != NULL)
-		dns_tsigkey_detach(&key);
-	return;
-}
-
-/*
- * Handle the control event.  Note that although this event causes the zone
- * to shut down, it is not a shutdown event in the sense of the task library.
- */
-static void
-zone_shutdown(isc_task_t *task, isc_event_t *event) {
-	dns_zone_t *zone = (dns_zone_t *) event->ev_arg;
-	isc_boolean_t free_needed, linked = ISC_FALSE;
-	dns_zone_t *raw = NULL, *secure = NULL;
-
-	UNUSED(task);
-	REQUIRE(DNS_ZONE_VALID(zone));
-	INSIST(event->ev_type == DNS_EVENT_ZONECONTROL);
-	INSIST(isc_refcount_current(&zone->erefs) == 0);
-
-	zone_debuglog(zone, "zone_shutdown", 3, "shutting down");
-
-	/*
-	 * Stop things being restarted after we cancel them below.
-	 */
-	LOCK_ZONE(zone);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXITING);
-	UNLOCK_ZONE(zone);
-
-	/*
-	 * If we were waiting for xfrin quota, step out of
-	 * the queue.
-	 * If there's no zone manager, we can't be waiting for the
-	 * xfrin quota
-	 */
-	if (zone->zmgr != NULL) {
-		RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
-		if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
-			ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone,
-					statelink);
-			linked = ISC_TRUE;
-			zone->statelist = NULL;
-		}
-		RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
-	}
-
-	/*
-	 * In task context, no locking required.  See zone_xfrdone().
-	 */
-	if (zone->xfr != NULL)
-		dns_xfrin_shutdown(zone->xfr);
-
-	LOCK_ZONE(zone);
-	if (linked) {
-		INSIST(zone->irefs > 0);
-		zone->irefs--;
-	}
-	if (zone->request != NULL) {
-		dns_request_cancel(zone->request);
-	}
-
-	if (zone->readio != NULL)
-		zonemgr_cancelio(zone->readio);
-
-	if (zone->lctx != NULL)
-		dns_loadctx_cancel(zone->lctx);
-
-	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
-	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
-		if (zone->writeio != NULL)
-			zonemgr_cancelio(zone->writeio);
-
-		if (zone->dctx != NULL)
-			dns_dumpctx_cancel(zone->dctx);
-	}
-
-	notify_cancel(zone);
-
-	forward_cancel(zone);
-
-	if (zone->timer != NULL) {
-		isc_timer_detach(&zone->timer);
-		INSIST(zone->irefs > 0);
-		zone->irefs--;
-	}
-
-	if (zone->view != NULL)
-		dns_view_weakdetach(&zone->view);
-
-	/*
-	 * We have now canceled everything set the flag to allow exit_check()
-	 * to succeed.	We must not unlock between setting this flag and
-	 * calling exit_check().
-	 */
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN);
-	free_needed = exit_check(zone);
-	if (inline_secure(zone)) {
-		raw = zone->raw;
-		zone->raw = NULL;
-	}
-	if (inline_raw(zone)) {
-		secure = zone->secure;
-		zone->secure = NULL;
-	}
-	UNLOCK_ZONE(zone);
-	if (raw != NULL)
-		dns_zone_detach(&raw);
-	if (secure != NULL)
-		dns_zone_idetach(&secure);
-	if (free_needed)
-		zone_free(zone);
-}
-
-static void
-zone_timer(isc_task_t *task, isc_event_t *event) {
-	const char me[] = "zone_timer";
-	dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
-
-	UNUSED(task);
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	ENTER;
-
-	zone_maintenance(zone);
-
-	isc_event_free(&event);
-}
-
-static void
-zone_settimer(dns_zone_t *zone, isc_time_t *now) {
-	const char me[] = "zone_settimer";
-	isc_time_t next;
-	isc_result_t result;
-
-	ENTER;
-	REQUIRE(DNS_ZONE_VALID(zone));
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
-		return;
-
-	isc_time_settoepoch(&next);
-
-	switch (zone->type) {
-	case dns_zone_redirect:
-		if (zone->masters != NULL)
-			goto treat_as_slave;
-		/* FALLTHROUGH */
-
-	case dns_zone_master:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
-			next = zone->notifytime;
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
-			INSIST(!isc_time_isepoch(&zone->dumptime));
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->dumptime, &next) < 0)
-				next = zone->dumptime;
-		}
-		if (zone->type == dns_zone_redirect)
-			break;
-		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING) &&
-		    !isc_time_isepoch(&zone->refreshkeytime)) {
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->refreshkeytime, &next) < 0)
-				next = zone->refreshkeytime;
-		}
-		if (!isc_time_isepoch(&zone->resigntime)) {
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->resigntime, &next) < 0)
-				next = zone->resigntime;
-		}
-		if (!isc_time_isepoch(&zone->keywarntime)) {
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->keywarntime, &next) < 0)
-				next = zone->keywarntime;
-		}
-		if (!isc_time_isepoch(&zone->signingtime)) {
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->signingtime, &next) < 0)
-				next = zone->signingtime;
-		}
-		if (!isc_time_isepoch(&zone->nsec3chaintime)) {
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->nsec3chaintime, &next) < 0)
-				next = zone->nsec3chaintime;
-		}
-		break;
-
-	case dns_zone_slave:
-	treat_as_slave:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
-			next = zone->notifytime;
-		/* FALLTHROUGH */
-
-	case dns_zone_stub:
-		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOMASTERS) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
-			INSIST(!isc_time_isepoch(&zone->refreshtime));
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->refreshtime, &next) < 0)
-				next = zone->refreshtime;
-		}
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
-			INSIST(!isc_time_isepoch(&zone->expiretime));
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->expiretime, &next) < 0)
-				next = zone->expiretime;
-		}
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
-			INSIST(!isc_time_isepoch(&zone->dumptime));
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->dumptime, &next) < 0)
-				next = zone->dumptime;
-		}
-		break;
-
-	case dns_zone_key:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
-			INSIST(!isc_time_isepoch(&zone->dumptime));
-			if (isc_time_isepoch(&next) ||
-			    isc_time_compare(&zone->dumptime, &next) < 0)
-				next = zone->dumptime;
-		}
-		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
-			if (isc_time_isepoch(&next) ||
-			    (!isc_time_isepoch(&zone->refreshkeytime) &&
-			    isc_time_compare(&zone->refreshkeytime, &next) < 0))
-				next = zone->refreshkeytime;
-		}
-		break;
-
-	default:
-		break;
-	}
-
-	if (isc_time_isepoch(&next)) {
-		zone_debuglog(zone, me, 10, "settimer inactive");
-		result = isc_timer_reset(zone->timer, isc_timertype_inactive,
-					  NULL, NULL, ISC_TRUE);
-		if (result != ISC_R_SUCCESS)
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "could not deactivate zone timer: %s",
-				     isc_result_totext(result));
-	} else {
-		if (isc_time_compare(&next, now) <= 0)
-			next = *now;
-		result = isc_timer_reset(zone->timer, isc_timertype_once,
-					 &next, NULL, ISC_TRUE);
-		if (result != ISC_R_SUCCESS)
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "could not reset zone timer: %s",
-				     isc_result_totext(result));
-	}
-}
-
-static void
-cancel_refresh(dns_zone_t *zone) {
-	const char me[] = "cancel_refresh";
-	isc_time_t now;
-
-	/*
-	 * 'zone' locked by caller.
-	 */
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(LOCKED_ZONE(zone));
-
-	ENTER;
-
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-	TIME_NOW(&now);
-	zone_settimer(zone, &now);
-}
-
-static isc_result_t
-notify_createmessage(dns_zone_t *zone, unsigned int flags,
-		     dns_message_t **messagep)
-{
-	dns_db_t *zonedb = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_message_t *message = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-
-	dns_name_t *tempname = NULL;
-	dns_rdata_t *temprdata = NULL;
-	dns_rdatalist_t *temprdatalist = NULL;
-	dns_rdataset_t *temprdataset = NULL;
-
-	isc_result_t result;
-	isc_region_t r;
-	isc_buffer_t *b = NULL;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(messagep != NULL && *messagep == NULL);
-
-	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
-				    &message);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	message->opcode = dns_opcode_notify;
-	message->flags |= DNS_MESSAGEFLAG_AA;
-	message->rdclass = zone->rdclass;
-
-	result = dns_message_gettempname(message, &tempname);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_message_gettemprdataset(message, &temprdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/*
-	 * Make question.
-	 */
-	dns_name_init(tempname, NULL);
-	dns_name_clone(&zone->origin, tempname);
-	dns_rdataset_init(temprdataset);
-	dns_rdataset_makequestion(temprdataset, zone->rdclass,
-				  dns_rdatatype_soa);
-	ISC_LIST_APPEND(tempname->list, temprdataset, link);
-	dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
-	tempname = NULL;
-	temprdataset = NULL;
-
-	if ((flags & DNS_NOTIFY_NOSOA) != 0)
-		goto done;
-
-	result = dns_message_gettempname(message, &tempname);
-	if (result != ISC_R_SUCCESS)
-		goto soa_cleanup;
-	result = dns_message_gettemprdata(message, &temprdata);
-	if (result != ISC_R_SUCCESS)
-		goto soa_cleanup;
-	result = dns_message_gettemprdataset(message, &temprdataset);
-	if (result != ISC_R_SUCCESS)
-		goto soa_cleanup;
-	result = dns_message_gettemprdatalist(message, &temprdatalist);
-	if (result != ISC_R_SUCCESS)
-		goto soa_cleanup;
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	INSIST(zone->db != NULL); /* XXXJT: is this assumption correct? */
-	dns_db_attach(zone->db, &zonedb);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-
-	dns_name_init(tempname, NULL);
-	dns_name_clone(&zone->origin, tempname);
-	dns_db_currentversion(zonedb, &version);
-	result = dns_db_findnode(zonedb, tempname, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		goto soa_cleanup;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(zonedb, node, version,
-				     dns_rdatatype_soa,
-				     dns_rdatatype_none, 0, &rdataset,
-				     NULL);
-	if (result != ISC_R_SUCCESS)
-		goto soa_cleanup;
-	result = dns_rdataset_first(&rdataset);
-	if (result != ISC_R_SUCCESS)
-		goto soa_cleanup;
-	dns_rdataset_current(&rdataset, &rdata);
-	dns_rdata_toregion(&rdata, &r);
-	result = isc_buffer_allocate(zone->mctx, &b, r.length);
-	if (result != ISC_R_SUCCESS)
-		goto soa_cleanup;
-	isc_buffer_putmem(b, r.base, r.length);
-	isc_buffer_usedregion(b, &r);
-	dns_rdata_init(temprdata);
-	dns_rdata_fromregion(temprdata, rdata.rdclass, rdata.type, &r);
-	dns_message_takebuffer(message, &b);
-	result = dns_rdataset_next(&rdataset);
-	dns_rdataset_disassociate(&rdataset);
-	if (result != ISC_R_NOMORE)
-		goto soa_cleanup;
-	temprdatalist->rdclass = rdata.rdclass;
-	temprdatalist->type = rdata.type;
-	temprdatalist->covers = 0;
-	temprdatalist->ttl = rdataset.ttl;
-	ISC_LIST_INIT(temprdatalist->rdata);
-	ISC_LIST_APPEND(temprdatalist->rdata, temprdata, link);
-
-	dns_rdataset_init(temprdataset);
-	result = dns_rdatalist_tordataset(temprdatalist, temprdataset);
-	if (result != ISC_R_SUCCESS)
-		goto soa_cleanup;
-
-	ISC_LIST_APPEND(tempname->list, temprdataset, link);
-	dns_message_addname(message, tempname, DNS_SECTION_ANSWER);
-	temprdatalist = NULL;
-	temprdataset = NULL;
-	temprdata = NULL;
-	tempname = NULL;
-
- soa_cleanup:
-	if (node != NULL)
-		dns_db_detachnode(zonedb, &node);
-	if (version != NULL)
-		dns_db_closeversion(zonedb, &version, ISC_FALSE);
-	if (zonedb != NULL)
-		dns_db_detach(&zonedb);
-	if (tempname != NULL)
-		dns_message_puttempname(message, &tempname);
-	if (temprdata != NULL)
-		dns_message_puttemprdata(message, &temprdata);
-	if (temprdataset != NULL)
-		dns_message_puttemprdataset(message, &temprdataset);
-	if (temprdatalist != NULL)
-		dns_message_puttemprdatalist(message, &temprdatalist);
-
- done:
-	*messagep = message;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (tempname != NULL)
-		dns_message_puttempname(message, &tempname);
-	if (temprdataset != NULL)
-		dns_message_puttemprdataset(message, &temprdataset);
-	dns_message_destroy(&message);
-	return (result);
-}
-
-isc_result_t
-dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
-		       dns_message_t *msg)
-{
-	unsigned int i;
-	dns_rdata_soa_t soa;
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_result_t result;
-	char fromtext[ISC_SOCKADDR_FORMATSIZE];
-	int match = 0;
-	isc_netaddr_t netaddr;
-	isc_sockaddr_t local, remote;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	/*
-	 * If type != T_SOA return DNS_R_NOTIMP.  We don't yet support
-	 * ROLLOVER.
-	 *
-	 * SOA:	RFC1996
-	 * Check that 'from' is a valid notify source, (zone->masters).
-	 *	Return DNS_R_REFUSED if not.
-	 *
-	 * If the notify message contains a serial number check it
-	 * against the zones serial and return if <= current serial
-	 *
-	 * If a refresh check is progress, if so just record the
-	 * fact we received a NOTIFY and from where and return.
-	 * We will perform a new refresh check when the current one
-	 * completes. Return ISC_R_SUCCESS.
-	 *
-	 * Otherwise initiate a refresh check using 'from' as the
-	 * first address to check.  Return ISC_R_SUCCESS.
-	 */
-
-	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
-
-	/*
-	 * Notify messages are processed by the raw zone.
-	 */
-	LOCK_ZONE(zone);
-	if (inline_secure(zone)) {
-		result = dns_zone_notifyreceive(zone->raw, from, msg);
-		UNLOCK_ZONE(zone);
-		return (result);
-	}
-	/*
-	 *  We only handle NOTIFY (SOA) at the present.
-	 */
-	if (isc_sockaddr_pf(from) == PF_INET)
-		inc_stats(zone, dns_zonestatscounter_notifyinv4);
-	else
-		inc_stats(zone, dns_zonestatscounter_notifyinv6);
-	if (msg->counts[DNS_SECTION_QUESTION] == 0 ||
-	    dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
-				 dns_rdatatype_soa, dns_rdatatype_none,
-				 NULL, NULL) != ISC_R_SUCCESS) {
-		UNLOCK_ZONE(zone);
-		if (msg->counts[DNS_SECTION_QUESTION] == 0) {
-			dns_zone_log(zone, ISC_LOG_NOTICE,
-				     "NOTIFY with no "
-				     "question section from: %s", fromtext);
-			return (DNS_R_FORMERR);
-		}
-		dns_zone_log(zone, ISC_LOG_NOTICE,
-			     "NOTIFY zone does not match");
-		return (DNS_R_NOTIMP);
-	}
-
-	/*
-	 * If we are a master zone just succeed.
-	 */
-	if (zone->type == dns_zone_master) {
-		UNLOCK_ZONE(zone);
-		return (ISC_R_SUCCESS);
-	}
-
-	isc_netaddr_fromsockaddr(&netaddr, from);
-	for (i = 0; i < zone->masterscnt; i++) {
-		if (isc_sockaddr_eqaddr(from, &zone->masters[i]))
-			break;
-		if (zone->view->aclenv.match_mapped &&
-		    IN6_IS_ADDR_V4MAPPED(&from->type.sin6.sin6_addr) &&
-		    isc_sockaddr_pf(&zone->masters[i]) == AF_INET) {
-			isc_netaddr_t na1, na2;
-			isc_netaddr_fromv4mapped(&na1, &netaddr);
-			isc_netaddr_fromsockaddr(&na2, &zone->masters[i]);
-			if (isc_netaddr_equal(&na1, &na2))
-				break;
-		}
-	}
-
-	/*
-	 * Accept notify requests from non masters if they are on
-	 * 'zone->notify_acl'.
-	 */
-	if (i >= zone->masterscnt && zone->notify_acl != NULL &&
-	    dns_acl_match(&netaddr, NULL, zone->notify_acl,
-			  &zone->view->aclenv,
-			  &match, NULL) == ISC_R_SUCCESS &&
-	    match > 0)
-	{
-		/* Accept notify. */
-	} else if (i >= zone->masterscnt) {
-		UNLOCK_ZONE(zone);
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "refused notify from non-master: %s", fromtext);
-		inc_stats(zone, dns_zonestatscounter_notifyrej);
-		return (DNS_R_REFUSED);
-	}
-
-	/*
-	 * If the zone is loaded and there are answers check the serial
-	 * to see if we need to do a refresh.  Do not worry about this
-	 * check if we are a dialup zone as we use the notify request
-	 * to trigger a refresh check.
-	 */
-	if (msg->counts[DNS_SECTION_ANSWER] > 0 &&
-	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
-	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH)) {
-		result = dns_message_findname(msg, DNS_SECTION_ANSWER,
-					      &zone->origin,
-					      dns_rdatatype_soa,
-					      dns_rdatatype_none, NULL,
-					      &rdataset);
-		if (result == ISC_R_SUCCESS)
-			result = dns_rdataset_first(rdataset);
-		if (result == ISC_R_SUCCESS) {
-			isc_uint32_t serial = 0, oldserial;
-			unsigned int soacount;
-
-			dns_rdataset_current(rdataset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &soa, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			serial = soa.serial;
-			/*
-			 * The following should safely be performed without DB
-			 * lock and succeed in this context.
-			 */
-			result = zone_get_from_db(zone, zone->db, NULL,
-						  &soacount, &oldserial, NULL,
-						  NULL, NULL, NULL, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			RUNTIME_CHECK(soacount > 0U);
-			if (isc_serial_le(serial, oldserial)) {
-				dns_zone_log(zone,
-					     ISC_LOG_INFO,
-					     "notify from %s: "
-					     "zone is up to date",
-					     fromtext);
-				UNLOCK_ZONE(zone);
-				return (ISC_R_SUCCESS);
-			}
-		}
-	}
-
-	/*
-	 * If we got this far and there was a refresh in progress just
-	 * let it complete.  Record where we got the notify from so we
-	 * can perform a refresh check when the current one completes
-	 */
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
-		zone->notifyfrom = *from;
-		UNLOCK_ZONE(zone);
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "notify from %s: refresh in progress, "
-			     "refresh check queued",
-			     fromtext);
-		return (ISC_R_SUCCESS);
-	}
-	zone->notifyfrom = *from;
-	local = zone->masteraddr;
-	remote = zone->sourceaddr;
-	UNLOCK_ZONE(zone);
-	dns_zonemgr_unreachabledel(zone->zmgr, &local, &remote);
-	dns_zone_refresh(zone);
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->notify_acl != NULL)
-		dns_acl_detach(&zone->notify_acl);
-	dns_acl_attach(acl, &zone->notify_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->query_acl != NULL)
-		dns_acl_detach(&zone->query_acl);
-	dns_acl_attach(acl, &zone->query_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->queryon_acl != NULL)
-		dns_acl_detach(&zone->queryon_acl);
-	dns_acl_attach(acl, &zone->queryon_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->update_acl != NULL)
-		dns_acl_detach(&zone->update_acl);
-	dns_acl_attach(acl, &zone->update_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->forward_acl != NULL)
-		dns_acl_detach(&zone->forward_acl);
-	dns_acl_attach(acl, &zone->forward_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->xfr_acl != NULL)
-		dns_acl_detach(&zone->xfr_acl);
-	dns_acl_attach(acl, &zone->xfr_acl);
-	UNLOCK_ZONE(zone);
-}
-
-dns_acl_t *
-dns_zone_getnotifyacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->notify_acl);
-}
-
-dns_acl_t *
-dns_zone_getqueryacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->query_acl);
-}
-
-dns_acl_t *
-dns_zone_getqueryonacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->queryon_acl);
-}
-
-dns_acl_t *
-dns_zone_getupdateacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->update_acl);
-}
-
-dns_acl_t *
-dns_zone_getforwardacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->forward_acl);
-}
-
-dns_acl_t *
-dns_zone_getxfracl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->xfr_acl);
-}
-
-void
-dns_zone_clearupdateacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->update_acl != NULL)
-		dns_acl_detach(&zone->update_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_clearforwardacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->forward_acl != NULL)
-		dns_acl_detach(&zone->forward_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_clearnotifyacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->notify_acl != NULL)
-		dns_acl_detach(&zone->notify_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_clearqueryacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->query_acl != NULL)
-		dns_acl_detach(&zone->query_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_clearqueryonacl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->queryon_acl != NULL)
-		dns_acl_detach(&zone->queryon_acl);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_clearxfracl(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->xfr_acl != NULL)
-		dns_acl_detach(&zone->xfr_acl);
-	UNLOCK_ZONE(zone);
-}
-
-isc_boolean_t
-dns_zone_getupdatedisabled(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (zone->update_disabled);
-
-}
-
-void
-dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->update_disabled = state;
-}
-
-isc_boolean_t
-dns_zone_getzeronosoattl(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (zone->zero_no_soa_ttl);
-
-}
-
-void
-dns_zone_setzeronosoattl(dns_zone_t *zone, isc_boolean_t state) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->zero_no_soa_ttl = state;
-}
-
-void
-dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	zone->check_names = severity;
-}
-
-dns_severity_t
-dns_zone_getchecknames(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->check_names);
-}
-
-void
-dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	zone->journalsize = size;
-}
-
-isc_int32_t
-dns_zone_getjournalsize(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->journalsize);
-}
-
-static void
-zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length) {
-	isc_result_t result = ISC_R_FAILURE;
-	isc_buffer_t buffer;
-
-	REQUIRE(buf != NULL);
-	REQUIRE(length > 1U);
-
-	/*
-	 * Leave space for terminating '\0'.
-	 */
-	isc_buffer_init(&buffer, buf, length - 1);
-	if (zone->type != dns_zone_redirect && zone->type != dns_zone_key) {
-		if (dns_name_dynamic(&zone->origin))
-			result = dns_name_totext(&zone->origin, ISC_TRUE, &buffer);
-		if (result != ISC_R_SUCCESS &&
-		    isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
-			isc_buffer_putstr(&buffer, "<UNKNOWN>");
-
-		if (isc_buffer_availablelength(&buffer) > 0)
-			isc_buffer_putstr(&buffer, "/");
-		(void)dns_rdataclass_totext(zone->rdclass, &buffer);
-	}
-
-	if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 &&
-	    strcmp(zone->view->name, "_default") != 0 &&
-	    strlen(zone->view->name) < isc_buffer_availablelength(&buffer)) {
-		isc_buffer_putstr(&buffer, "/");
-		isc_buffer_putstr(&buffer, zone->view->name);
-	}
-	if (inline_secure(zone) && 9U < isc_buffer_availablelength(&buffer))
-		isc_buffer_putstr(&buffer, " (signed)");
-	if (inline_raw(zone) && 11U < isc_buffer_availablelength(&buffer))
-		isc_buffer_putstr(&buffer, " (unsigned)");
-
-	buf[isc_buffer_usedlength(&buffer)] = '\0';
-}
-
-static void
-zone_name_tostr(dns_zone_t *zone, char *buf, size_t length) {
-	isc_result_t result = ISC_R_FAILURE;
-	isc_buffer_t buffer;
-
-	REQUIRE(buf != NULL);
-	REQUIRE(length > 1U);
-
-	/*
-	 * Leave space for terminating '\0'.
-	 */
-	isc_buffer_init(&buffer, buf, length - 1);
-	if (dns_name_dynamic(&zone->origin))
-		result = dns_name_totext(&zone->origin, ISC_TRUE, &buffer);
-	if (result != ISC_R_SUCCESS &&
-	    isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
-		isc_buffer_putstr(&buffer, "<UNKNOWN>");
-
-	buf[isc_buffer_usedlength(&buffer)] = '\0';
-}
-
-static void
-zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length) {
-	isc_buffer_t buffer;
-
-	REQUIRE(buf != NULL);
-	REQUIRE(length > 1U);
-
-	/*
-	 * Leave space for terminating '\0'.
-	 */
-	isc_buffer_init(&buffer, buf, length - 1);
-	(void)dns_rdataclass_totext(zone->rdclass, &buffer);
-
-	buf[isc_buffer_usedlength(&buffer)] = '\0';
-}
-
-static void
-zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length) {
-	isc_buffer_t buffer;
-
-	REQUIRE(buf != NULL);
-	REQUIRE(length > 1U);
-
-
-	/*
-	 * Leave space for terminating '\0'.
-	 */
-	isc_buffer_init(&buffer, buf, length - 1);
-
-	if (zone->view == NULL) {
-		isc_buffer_putstr(&buffer, "_none");
-	} else if (strlen(zone->view->name)
-		   < isc_buffer_availablelength(&buffer)) {
-		isc_buffer_putstr(&buffer, zone->view->name);
-	} else {
-		isc_buffer_putstr(&buffer, "_toolong");
-	}
-
-	buf[isc_buffer_usedlength(&buffer)] = '\0';
-}
-
-void
-dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(buf != NULL);
-	zone_namerd_tostr(zone, buf, length);
-}
-
-static void
-notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
-	va_list ap;
-	char message[4096];
-
-	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
-		return;
-
-	va_start(ap, fmt);
-	vsnprintf(message, sizeof(message), fmt, ap);
-	va_end(ap);
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_NOTIFY, DNS_LOGMODULE_ZONE,
-		      level, "zone %s: %s", zone->strnamerd, message);
-}
-
-void
-dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
-	      int level, const char *fmt, ...) {
-	va_list ap;
-	char message[4096];
-
-	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
-		return;
-
-	va_start(ap, fmt);
-	vsnprintf(message, sizeof(message), fmt, ap);
-	va_end(ap);
-	isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE,
-		      level, "%s%s: %s", (zone->type == dns_zone_key) ?
-		      "managed-keys-zone" : (zone->type == dns_zone_redirect) ?
-		      "redirect-zone" : "zone ", zone->strnamerd, message);
-}
-
-void
-dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
-	va_list ap;
-	char message[4096];
-
-	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
-		return;
-
-	va_start(ap, fmt);
-	vsnprintf(message, sizeof(message), fmt, ap);
-	va_end(ap);
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
-		      level, "%s%s: %s", (zone->type == dns_zone_key) ?
-		      "managed-keys-zone" : (zone->type == dns_zone_redirect) ?
-		      "redirect-zone" : "zone ", zone->strnamerd, message);
-}
-
-static void
-zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
-	      const char *fmt, ...)
-{
-	va_list ap;
-	char message[4096];
-	int level = ISC_LOG_DEBUG(debuglevel);
-	const char *zstr;
-
-	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
-		return;
-
-	va_start(ap, fmt);
-	vsnprintf(message, sizeof(message), fmt, ap);
-	va_end(ap);
-
-	switch (zone->type) {
-	case dns_zone_key:
-		zstr = "managed-keys-zone";
-		break;
-	case dns_zone_redirect:
-		zstr = "redirect-zone";
-		break;
-	default:
-		zstr = "zone";
-	}
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
-		      level, "%s: %s %s: %s", me, zstr, zone->strnamerd,
-		      message);
-}
-
-static int
-message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type)
-{
-	isc_result_t result;
-	dns_name_t *name;
-	dns_rdataset_t *curr;
-	int count = 0;
-
-	result = dns_message_firstname(msg, section);
-	while (result == ISC_R_SUCCESS) {
-		name = NULL;
-		dns_message_currentname(msg, section, &name);
-
-		for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
-		     curr = ISC_LIST_PREV(curr, link)) {
-			if (curr->type == type)
-				count++;
-		}
-		result = dns_message_nextname(msg, section);
-	}
-
-	return (count);
-}
-
-void
-dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	zone->maxxfrin = maxxfrin;
-}
-
-isc_uint32_t
-dns_zone_getmaxxfrin(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->maxxfrin);
-}
-
-void
-dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->maxxfrout = maxxfrout;
-}
-
-isc_uint32_t
-dns_zone_getmaxxfrout(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->maxxfrout);
-}
-
-dns_zonetype_t
-dns_zone_gettype(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->type);
-}
-
-dns_name_t *
-dns_zone_getorigin(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (&zone->origin);
-}
-
-void
-dns_zone_settask(dns_zone_t *zone, isc_task_t *task) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->task != NULL)
-		isc_task_detach(&zone->task);
-	isc_task_attach(task, &zone->task);
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL)
-		dns_db_settask(zone->db, zone->task);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_gettask(dns_zone_t *zone, isc_task_t **target) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	isc_task_attach(zone->task, target);
-}
-
-void
-dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	if (idlein == 0)
-		idlein = DNS_DEFAULT_IDLEIN;
-	zone->idlein = idlein;
-}
-
-isc_uint32_t
-dns_zone_getidlein(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->idlein);
-}
-
-void
-dns_zone_setidleout(dns_zone_t *zone, isc_uint32_t idleout) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	zone->idleout = idleout;
-}
-
-isc_uint32_t
-dns_zone_getidleout(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->idleout);
-}
-
-static void
-notify_done(isc_task_t *task, isc_event_t *event) {
-	dns_requestevent_t *revent = (dns_requestevent_t *)event;
-	dns_notify_t *notify;
-	isc_result_t result;
-	dns_message_t *message = NULL;
-	isc_buffer_t buf;
-	char rcode[128];
-	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
-	UNUSED(task);
-
-	notify = event->ev_arg;
-	REQUIRE(DNS_NOTIFY_VALID(notify));
-	INSIST(task == notify->zone->task);
-
-	isc_buffer_init(&buf, rcode, sizeof(rcode));
-	isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
-
-	result = revent->result;
-	if (result == ISC_R_SUCCESS)
-		result = dns_message_create(notify->zone->mctx,
-					    DNS_MESSAGE_INTENTPARSE, &message);
-	if (result == ISC_R_SUCCESS)
-		result = dns_request_getresponse(revent->request, message,
-					DNS_MESSAGEPARSE_PRESERVEORDER);
-	if (result == ISC_R_SUCCESS)
-		result = dns_rcode_totext(message->rcode, &buf);
-	if (result == ISC_R_SUCCESS)
-		notify_log(notify->zone, ISC_LOG_DEBUG(3),
-			   "notify response from %s: %.*s",
-			   addrbuf, (int)buf.used, rcode);
-	else
-		notify_log(notify->zone, ISC_LOG_DEBUG(2),
-			   "notify to %s failed: %s", addrbuf,
-			   dns_result_totext(result));
-
-	/*
-	 * Old bind's return formerr if they see a soa record.	Retry w/o
-	 * the soa if we see a formerr and had sent a SOA.
-	 */
-	isc_event_free(&event);
-	if (message != NULL && message->rcode == dns_rcode_formerr &&
-	    (notify->flags & DNS_NOTIFY_NOSOA) == 0) {
-		notify->flags |= DNS_NOTIFY_NOSOA;
-		dns_request_destroy(&notify->request);
-		result = notify_send_queue(notify);
-		if (result != ISC_R_SUCCESS)
-			notify_destroy(notify, ISC_FALSE);
-	} else {
-		if (result == ISC_R_TIMEDOUT)
-			notify_log(notify->zone, ISC_LOG_DEBUG(1),
-				   "notify to %s: retries exceeded", addrbuf);
-		notify_destroy(notify, ISC_FALSE);
-	}
-	if (message != NULL)
-		dns_message_destroy(&message);
-}
-
-struct secure_event {
-	isc_event_t e;
-	dns_db_t *db;
-	isc_uint32_t serial;
-};
-
-static void
-update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) {
-	UNUSED(arg);
-	dns_zone_log(zone, level, "%s", message);
-}
-
-static isc_result_t
-sync_secure_journal(dns_zone_t *zone, dns_journal_t *journal,
-		    isc_uint32_t start, isc_uint32_t end,
-		    dns_difftuple_t **soatuplep, dns_diff_t *diff)
-{
-	isc_result_t result;
-	dns_difftuple_t *tuple = NULL;
-	dns_diffop_t op = DNS_DIFFOP_ADD;
-	int n_soa = 0;
-
-	REQUIRE(soatuplep != NULL);
-
-	if (start == end)
-		return (DNS_R_UNCHANGED);
-
-	CHECK(dns_journal_iter_init(journal, start, end));
-	for (result = dns_journal_first_rr(journal);
-	     result == ISC_R_SUCCESS;
-	     result = dns_journal_next_rr(journal))
-	{
-		dns_name_t *name = NULL;
-		isc_uint32_t ttl;
-		dns_rdata_t *rdata = NULL;
-		dns_journal_current_rr(journal, &name, &ttl, &rdata);
-
-		if (rdata->type == dns_rdatatype_soa) {
-			n_soa++;
-			if (n_soa == 2) {
-				/*
-				 * Save the latest raw SOA record.
-				 */
-				if (*soatuplep != NULL)
-					dns_difftuple_free(soatuplep);
-				CHECK(dns_difftuple_create(diff->mctx,
-							   DNS_DIFFOP_ADD,
-							   name, ttl, rdata,
-							   soatuplep));
-			}
-			if (n_soa == 3)
-				n_soa = 1;
-			continue;
-		}
-
-		/* Sanity. */
-		if (n_soa == 0) {
-			dns_zone_log(zone->raw, ISC_LOG_ERROR,
-				     "corrupt journal file: '%s'\n",
-				     zone->raw->journal);
-			return (ISC_R_FAILURE);
-		}
-
-		if (zone->privatetype != 0 &&
-		    rdata->type == zone->privatetype)
-			continue;
-
-		if (rdata->type == dns_rdatatype_nsec ||
-		    rdata->type == dns_rdatatype_rrsig ||
-		    rdata->type == dns_rdatatype_nsec3 ||
-		    rdata->type == dns_rdatatype_dnskey ||
-		    rdata->type == dns_rdatatype_nsec3param)
-			continue;
-
-		op = (n_soa == 1) ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD;
-
-		CHECK(dns_difftuple_create(diff->mctx, op, name, ttl, rdata,
-					   &tuple));
-		dns_diff_appendminimal(diff, &tuple);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
- failure:
-	return(result);
-}
-
-static isc_result_t
-sync_secure_db(dns_zone_t *seczone, dns_db_t *secdb,
-	       dns_dbversion_t *secver, dns_difftuple_t **soatuple,
-	       dns_diff_t *diff)
-{
-	isc_result_t result;
-	dns_db_t *rawdb = NULL;
-	dns_dbversion_t *rawver = NULL;
-	dns_difftuple_t *tuple = NULL, *next;
-	dns_difftuple_t *oldtuple = NULL, *newtuple = NULL;
-	dns_rdata_soa_t oldsoa, newsoa;
-
-	REQUIRE(DNS_ZONE_VALID(seczone));
-	REQUIRE(inline_secure(seczone));
-	REQUIRE(soatuple != NULL && *soatuple == NULL);
-
-	if (!seczone->sourceserialset)
-		return (DNS_R_UNCHANGED);
-
-	dns_db_attach(seczone->raw->db, &rawdb);
-	dns_db_currentversion(rawdb, &rawver);
-	result = dns_db_diffx(diff, rawdb, rawver, secdb, secver, NULL);
-	dns_db_closeversion(rawdb, &rawver, ISC_FALSE);
-	dns_db_detach(&rawdb);
-
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	for (tuple = ISC_LIST_HEAD(diff->tuples);
-	     tuple != NULL;
-	     tuple = next)
-	{
-		next = ISC_LIST_NEXT(tuple, link);
-		if (tuple->rdata.type == dns_rdatatype_nsec ||
-		    tuple->rdata.type == dns_rdatatype_rrsig ||
-		    tuple->rdata.type == dns_rdatatype_dnskey ||
-		    tuple->rdata.type == dns_rdatatype_nsec3 ||
-		    tuple->rdata.type == dns_rdatatype_nsec3param)
-		{
-			ISC_LIST_UNLINK(diff->tuples, tuple, link);
-			dns_difftuple_free(&tuple);
-			continue;
-		}
-		if (tuple->rdata.type == dns_rdatatype_soa) {
-			if (tuple->op == DNS_DIFFOP_DEL) {
-				INSIST(oldtuple == NULL);
-				oldtuple = tuple;
-			}
-			if (tuple->op == DNS_DIFFOP_ADD) {
-				INSIST(newtuple == NULL);
-				newtuple = tuple;
-			}
-		}
-	}
-
-	if (oldtuple != NULL && newtuple != NULL) {
-
-		result = dns_rdata_tostruct(&oldtuple->rdata, &oldsoa, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		result = dns_rdata_tostruct(&newtuple->rdata, &newsoa, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-		/*
-		 * If the SOA records are the same except for the serial
-		 * remove them from the diff.
-		 */
-		if (oldsoa.refresh == newsoa.refresh &&
-		    oldsoa.retry == newsoa.retry &&
-		    oldsoa.minimum == newsoa.minimum &&
-		    oldsoa.expire == newsoa.expire &&
-		    dns_name_equal(&oldsoa.origin, &newsoa.origin) &&
-		    dns_name_equal(&oldsoa.contact, &newsoa.contact)) {
-			ISC_LIST_UNLINK(diff->tuples, oldtuple, link);
-			dns_difftuple_free(&oldtuple);
-			ISC_LIST_UNLINK(diff->tuples, newtuple, link);
-			dns_difftuple_free(&newtuple);
-		}
-	}
-
-	if (ISC_LIST_EMPTY(diff->tuples))
-		return (DNS_R_UNCHANGED);
-
-	/*
-	 * If there are still SOA records in the diff they can now be removed
-	 * saving the new SOA record.
-	 */
-	if (oldtuple != NULL) {
-		ISC_LIST_UNLINK(diff->tuples, oldtuple, link);
-		dns_difftuple_free(&oldtuple);
-	}
-
-	if (newtuple != NULL) {
-		ISC_LIST_UNLINK(diff->tuples, newtuple, link);
-		*soatuple = newtuple;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-receive_secure_serial(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	dns_journal_t *rjournal = NULL;
-	isc_uint32_t start, end;
-	dns_zone_t *zone;
-	dns_db_t *db = NULL;
-	dns_dbversion_t *newver = NULL, *oldver = NULL;
-	dns_diff_t diff;
-	dns_difftuple_t *tuple = NULL, *soatuple = NULL;
-	dns_update_log_t log = { update_log_cb, NULL };
-	isc_time_t timenow;
-
-	zone = event->ev_arg;
-	end = ((struct secure_event *)event)->serial;
-	isc_event_free(&event);
-
-	LOCK_ZONE(zone);
-
-	dns_diff_init(zone->mctx, &diff);
-
-	UNUSED(task);
-
-	/*
-	 * zone->db may be NULL if the load from disk failed.
-	 */
-	if (zone->db == NULL || !inline_secure(zone)) {
-		result = ISC_R_FAILURE;
-		goto failure;
-	}
-
-	/*
-	 * We first attempt to sync the raw zone to the secure zone
-	 * by using the raw zone's journal, applying all the deltas
-	 * from the latest source-serial of the secure zone up to
-	 * the current serial number of the raw zone.
-	 *
-	 * If that fails, then we'll fall back to a direct comparison
-	 * between raw and secure zones.
-	 */
-	result = dns_journal_open(zone->raw->mctx, zone->raw->journal,
-				  DNS_JOURNAL_WRITE, &rjournal);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-	else {
-		dns_journal_t *sjournal = NULL;
-
-		result = dns_journal_open(zone->mctx, zone->journal,
-					  DNS_JOURNAL_READ, &sjournal);
-		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-			goto failure;
-
-		if (!dns_journal_get_sourceserial(rjournal, &start)) {
-			start = dns_journal_first_serial(rjournal);
-			dns_journal_set_sourceserial(rjournal, start);
-		}
-		if (sjournal != NULL) {
-			isc_uint32_t serial;
-			/*
-			 * We read the secure journal first, if that exists
-			 * use its value provided it is greater that from the
-			 * raw journal.
-			 */
-			if (dns_journal_get_sourceserial(sjournal, &serial)) {
-				if (isc_serial_gt(serial, start))
-					start = serial;
-			}
-			dns_journal_destroy(&sjournal);
-		}
-	}
-
-	dns_db_attach(zone->db, &db);
-	dns_db_currentversion(db, &oldver);
-	CHECK(dns_db_newversion(db, &newver));
-
-	/*
-	 * Try to apply diffs from the raw zone's journal to the secure
-	 * zone.  If that fails, we recover by syncing up the databases
-	 * directly.
-	 */
-	result = sync_secure_journal(zone, rjournal, start, end,
-				     &soatuple, &diff);
-	if (result == DNS_R_UNCHANGED)
-		goto failure;
-	else if (result != ISC_R_SUCCESS)
-		CHECK(sync_secure_db(zone, db, oldver, &soatuple, &diff));
-
-	CHECK(dns_diff_apply(&diff, db, newver));
-
-	if (soatuple != NULL) {
-		isc_uint32_t oldserial, newserial, desired;
-
-		CHECK(dns_db_createsoatuple(db, oldver, diff.mctx,
-					    DNS_DIFFOP_DEL, &tuple));
-		oldserial = dns_soa_getserial(&tuple->rdata);
-		newserial = desired = dns_soa_getserial(&soatuple->rdata);
-		if (!isc_serial_gt(newserial, oldserial)) {
-			newserial = oldserial + 1;
-			if (newserial == 0)
-				newserial++;
-			dns_soa_setserial(newserial, &soatuple->rdata);
-		}
-		CHECK(do_one_tuple(&tuple, db, newver, &diff));
-		CHECK(do_one_tuple(&soatuple, db, newver, &diff));
-		dns_zone_log(zone, ISC_LOG_INFO, "serial %u (unsigned %u)",
-			     newserial, desired);
-	} else
-		CHECK(update_soa_serial(db, newver, &diff, zone->mctx,
-					zone->updatemethod));
-
-	CHECK(dns_update_signatures(&log, zone, db, oldver, newver,
-				    &diff, zone->sigvalidityinterval));
-
-	CHECK(zone_journal(zone, &diff, &end, "receive_secure_serial"));
-
-	dns_journal_set_sourceserial(rjournal, end);
-	dns_journal_commit(rjournal);
-
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-
-	zone->sourceserial = end;
-	zone->sourceserialset = ISC_TRUE;
-	zone_needdump(zone, DNS_DUMP_DELAY);
-
-	TIME_NOW(&timenow);
-	zone_settimer(zone, &timenow);
-
-	dns_db_closeversion(db, &oldver, ISC_FALSE);
-	dns_db_closeversion(db, &newver, ISC_TRUE);
-
- failure:
-	UNLOCK_ZONE(zone);
-	if (result != ISC_R_SUCCESS)
-		dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_serial: %s",
-			     dns_result_totext(result));
-	if (tuple != NULL)
-		dns_difftuple_free(&tuple);
-	if (soatuple != NULL)
-		dns_difftuple_free(&soatuple);
-	if (db != NULL) {
-		if (oldver != NULL)
-			dns_db_closeversion(db, &oldver, ISC_FALSE);
-		if (newver != NULL)
-			dns_db_closeversion(db, &newver, ISC_FALSE);
-		dns_db_detach(&db);
-	}
-	if (rjournal != NULL)
-		dns_journal_destroy(&rjournal);
-	dns_diff_clear(&diff);
-	dns_zone_idetach(&zone);
-}
-
-static isc_result_t
-zone_send_secureserial(dns_zone_t *zone, isc_boolean_t locked,
-		       isc_uint32_t serial)
-{
-	isc_event_t *e;
-	dns_zone_t *dummy = NULL;
-
-	e = isc_event_allocate(zone->secure->mctx, zone,
-			       DNS_EVENT_ZONESECURESERIAL,
-			       receive_secure_serial, zone->secure,
-			       sizeof(struct secure_event));
-	if (e == NULL)
-		return (ISC_R_NOMEMORY);
-	((struct secure_event *)e)->serial = serial;
-	if (locked)
-		zone_iattach(zone->secure, &dummy);
-	else
-		dns_zone_iattach(zone->secure, &dummy);
-	isc_task_send(zone->secure->task, &e);
-
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-checkandaddsoa(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
-	       dns_rdataset_t *rdataset, isc_uint32_t oldserial)
-{
-	dns_rdata_soa_t soa;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdatalist_t temprdatalist;
-	dns_rdataset_t temprdataset;
-	isc_buffer_t b;
-	isc_result_t result;
-	unsigned char buf[DNS_SOA_BUFFERSIZE];
-
-	result = dns_rdataset_first(rdataset);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &soa, NULL);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
-	if (isc_serial_gt(soa.serial, oldserial))
-		return (dns_db_addrdataset(db, node, version, 0, rdataset, 0,
-					   NULL));
-	/*
-	 * Always bump the serial.
-	 */
-	oldserial++;
-	if (oldserial == 0)
-		oldserial++;
-	soa.serial = oldserial;
-
-	/*
-	 * Construct a replacement rdataset.
-	 */
-	dns_rdata_reset(&rdata);
-	isc_buffer_init(&b, buf, sizeof(buf));
-	result = dns_rdata_fromstruct(&rdata, rdataset->rdclass,
-				      dns_rdatatype_soa, &soa, &b);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	temprdatalist.rdclass = rdata.rdclass;
-	temprdatalist.type = rdata.type;
-	temprdatalist.covers = 0;
-	temprdatalist.ttl = rdataset->ttl;
-	ISC_LIST_INIT(temprdatalist.rdata);
-	ISC_LIST_APPEND(temprdatalist.rdata, &rdata, link);
-
-	dns_rdataset_init(&temprdataset);
-	result = dns_rdatalist_tordataset(&temprdatalist, &temprdataset);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	return (dns_db_addrdataset(db, node, version, 0, &temprdataset,
-				   0, NULL));
-}
-
-static void
-receive_secure_db(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result;
-	dns_zone_t *zone;
-	dns_db_t *rawdb, *db = NULL;
-	dns_dbnode_t *rawnode = NULL, *node = NULL;
-	dns_fixedname_t fname;
-	dns_name_t *name;
-	dns_dbiterator_t *dbiterator = NULL;
-	dns_rdatasetiter_t *rdsit = NULL;
-	dns_rdataset_t rdataset;
-	dns_dbversion_t *version = NULL;
-	isc_time_t loadtime;
-	unsigned int oldserial = 0;
-	isc_boolean_t have_oldserial = ISC_FALSE;
-
-	UNUSED(task);
-
-	zone = event->ev_arg;
-	rawdb = ((struct secure_event *)event)->db;
-	isc_event_free(&event);
-
-	REQUIRE(inline_secure(zone));
-
-	dns_fixedname_init(&fname);
-	name = dns_fixedname_name(&fname);
-	dns_rdataset_init(&rdataset);
-
-	TIME_NOW(&loadtime);
-	if (zone->db != NULL) {
-		result = dns_db_getsoaserial(zone->db, NULL, &oldserial);
-		if (result == ISC_R_SUCCESS)
-			have_oldserial = ISC_TRUE;
-	}
-
-	result = dns_db_create(zone->mctx, zone->db_argv[0],
-			       &zone->origin, dns_dbtype_zone, zone->rdclass,
-			       zone->db_argc - 1, zone->db_argv + 1, &db);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	result = dns_db_newversion(db, &version);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	result = dns_db_createiterator(rawdb, 0, &dbiterator);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	for (result = dns_dbiterator_first(dbiterator);
-	     result == ISC_R_SUCCESS;
-	     result = dns_dbiterator_next(dbiterator)) {
-		result = dns_dbiterator_current(dbiterator, &rawnode, name);
-		if (result != ISC_R_SUCCESS)
-			continue;
-
-		result = dns_db_findnode(db, name, ISC_TRUE, &node);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		result = dns_db_allrdatasets(rawdb, rawnode, NULL, 0, &rdsit);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
-
-		for (result = dns_rdatasetiter_first(rdsit);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(rdsit)) {
-			dns_rdatasetiter_current(rdsit, &rdataset);
-			if (rdataset.type == dns_rdatatype_nsec ||
-			    rdataset.type == dns_rdatatype_rrsig ||
-			    rdataset.type == dns_rdatatype_nsec3 ||
-			    rdataset.type == dns_rdatatype_dnskey ||
-			    rdataset.type == dns_rdatatype_nsec3param) {
-				dns_rdataset_disassociate(&rdataset);
-				continue;
-			}
-			if (rdataset.type == dns_rdatatype_soa &&
-			    have_oldserial) {
-				result = checkandaddsoa(db, node, version,
-							&rdataset, oldserial);
-			} else
-				result = dns_db_addrdataset(db, node, version,
-							    0, &rdataset, 0,
-							    NULL);
-			if (result != ISC_R_SUCCESS)
-				goto failure;
-
-			dns_rdataset_disassociate(&rdataset);
-		}
-		dns_rdatasetiter_destroy(&rdsit);
-		dns_db_detachnode(rawdb, &rawnode);
-		dns_db_detachnode(db, &node);
-	}
-
-	dns_db_closeversion(db, &version, ISC_TRUE);
-	/*
-	 * Lock hierarchy: zmgr, zone, raw.
-	 */
-	LOCK_ZONE(zone);
-	if (inline_secure(zone))
-		LOCK_ZONE(zone->raw);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-	result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
-	zone_needdump(zone, 0); /* XXXMPA */
-	if (inline_secure(zone))
-		UNLOCK_ZONE(zone->raw);
-	UNLOCK_ZONE(zone);
-
- failure:
-	if (result != ISC_R_SUCCESS)
-		dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_db: %s",
-			     dns_result_totext(result));
-
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (db != NULL) {
-		if (node != NULL)
-			dns_db_detachnode(db, &node);
-		dns_db_detach(&db);
-	}
-	if (rawnode != NULL)
-		dns_db_detachnode(rawdb, &rawnode);
-	dns_db_detach(&rawdb);
-	if (dbiterator != NULL)
-		dns_dbiterator_destroy(&dbiterator);
-	dns_zone_idetach(&zone);
-}
-
-static isc_result_t
-zone_send_securedb(dns_zone_t *zone, isc_boolean_t locked, dns_db_t *db) {
-	isc_event_t *e;
-	dns_db_t *dummy = NULL;
-	dns_zone_t *secure = NULL;
-
-	e = isc_event_allocate(zone->secure->mctx, zone,
-			       DNS_EVENT_ZONESECUREDB,
-			       receive_secure_db, zone->secure,
-			       sizeof(struct secure_event));
-	if (e == NULL)
-		return (ISC_R_NOMEMORY);
-	dns_db_attach(db, &dummy);
-	((struct secure_event *)e)->db = dummy;
-	if (locked)
-		zone_iattach(zone->secure, &secure);
-	else
-		dns_zone_iattach(zone->secure, &secure);
-
-	isc_task_send(zone->secure->task, &e);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
-	isc_result_t result;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	LOCK_ZONE(zone);
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
-	result = zone_replacedb(zone, db, dump);
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
-	UNLOCK_ZONE(zone);
-	return (result);
-}
-
-static isc_result_t
-zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
-	dns_dbversion_t *ver;
-	isc_result_t result;
-	unsigned int soacount = 0;
-	unsigned int nscount = 0;
-
-	/*
-	 * 'zone' and 'zonedb' locked by caller.
-	 */
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(LOCKED_ZONE(zone));
-
-	result = zone_get_from_db(zone, db, &nscount, &soacount,
-				  NULL, NULL, NULL, NULL, NULL, NULL);
-	if (result == ISC_R_SUCCESS) {
-		if (soacount != 1) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "has %d SOA records", soacount);
-			result = DNS_R_BADZONE;
-		}
-		if (nscount == 0 && zone->type != dns_zone_key) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records");
-			result = DNS_R_BADZONE;
-		}
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} else {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			    "retrieving SOA and NS records failed: %s",
-			    dns_result_totext(result));
-		return (result);
-	}
-
-	result = check_nsec3param(zone, db);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	ver = NULL;
-	dns_db_currentversion(db, &ver);
-
-	/*
-	 * The initial version of a slave zone is always dumped;
-	 * subsequent versions may be journaled instead if this
-	 * is enabled in the configuration.
-	 */
-	if (zone->db != NULL && zone->journal != NULL &&
-	    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
-	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER))
-	{
-		isc_uint32_t serial, oldserial;
-		unsigned int soacount;
-
-		dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs");
-
-		result = dns_db_getsoaserial(db, ver, &serial);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "ixfr-from-differences: unable to get "
-				     "new serial");
-			goto fail;
-		}
-
-		/*
-		 * This is checked in zone_postload() for master zones.
-		 */
-		result = zone_get_from_db(zone, zone->db, NULL, &soacount,
-					  &oldserial, NULL, NULL, NULL, NULL,
-					  NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		RUNTIME_CHECK(soacount > 0U);
-		if ((zone->type == dns_zone_slave ||
-		     (zone->type == dns_zone_redirect &&
-		      zone->masters != NULL))
-		    && !isc_serial_gt(serial, oldserial)) {
-			isc_uint32_t serialmin, serialmax;
-			serialmin = (oldserial + 1) & 0xffffffffU;
-			serialmax = (oldserial + 0x7fffffffU) & 0xffffffffU;
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "ixfr-from-differences: failed: "
-				     "new serial (%u) out of range [%u - %u]",
-				     serial, serialmin, serialmax);
-			result = ISC_R_RANGE;
-			goto fail;
-		}
-
-		result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL,
-				     zone->journal);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-		if (dump)
-			zone_needdump(zone, DNS_DUMP_DELAY);
-		else if (zone->journalsize != -1) {
-			result = dns_journal_compact(zone->mctx, zone->journal,
-						     serial, zone->journalsize);
-			switch (result) {
-			case ISC_R_SUCCESS:
-			case ISC_R_NOSPACE:
-			case ISC_R_NOTFOUND:
-				dns_zone_log(zone, ISC_LOG_DEBUG(3),
-					     "dns_journal_compact: %s",
-					     dns_result_totext(result));
-				break;
-			default:
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "dns_journal_compact failed: %s",
-					     dns_result_totext(result));
-				break;
-			}
-		}
-		if (zone->type == dns_zone_master && inline_raw(zone))
-			zone_send_secureserial(zone, ISC_FALSE, serial);
-	} else {
-		if (dump && zone->masterfile != NULL) {
-			/*
-			 * If DNS_ZONEFLG_FORCEXFER was set we don't want
-			 * to keep the old masterfile.
-			 */
-			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) &&
-			    remove(zone->masterfile) < 0 && errno != ENOENT) {
-				char strbuf[ISC_STRERRORSIZE];
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				isc_log_write(dns_lctx,
-					      DNS_LOGCATEGORY_GENERAL,
-					      DNS_LOGMODULE_ZONE,
-					      ISC_LOG_WARNING,
-					      "unable to remove masterfile "
-					      "'%s': '%s'",
-					      zone->masterfile, strbuf);
-			}
-			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
-				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NODELAY);
-			else
-				zone_needdump(zone, 0);
-		}
-		if (dump && zone->journal != NULL) {
-			/*
-			 * The in-memory database just changed, and
-			 * because 'dump' is set, it didn't change by
-			 * being loaded from disk.  Also, we have not
-			 * journaled diffs for this change.
-			 * Therefore, the on-disk journal is missing
-			 * the deltas for this change.	Since it can
-			 * no longer be used to bring the zone
-			 * up-to-date, it is useless and should be
-			 * removed.
-			 */
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-				      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
-				      "removing journal file");
-			if (remove(zone->journal) < 0 && errno != ENOENT) {
-				char strbuf[ISC_STRERRORSIZE];
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				isc_log_write(dns_lctx,
-					      DNS_LOGCATEGORY_GENERAL,
-					      DNS_LOGMODULE_ZONE,
-					      ISC_LOG_WARNING,
-					      "unable to remove journal "
-					      "'%s': '%s'",
-					      zone->journal, strbuf);
-			}
-		}
-
-		if (inline_raw(zone))
-			zone_send_securedb(zone, ISC_FALSE, db);
-	}
-
-	dns_db_closeversion(db, &ver, ISC_FALSE);
-
-	dns_zone_log(zone, ISC_LOG_DEBUG(3), "replacing zone database");
-
-	if (zone->db != NULL)
-		zone_detachdb(zone);
-	zone_attachdb(zone, db);
-	dns_db_settask(zone->db, zone->task);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
-	return (ISC_R_SUCCESS);
-
- fail:
-	dns_db_closeversion(db, &ver, ISC_FALSE);
-	return (result);
-}
-
-/* The caller must hold the dblock as a writer. */
-static inline void
-zone_attachdb(dns_zone_t *zone, dns_db_t *db) {
-	REQUIRE(zone->db == NULL && db != NULL);
-
-	dns_db_attach(db, &zone->db);
-	if (zone->acache != NULL) {
-		isc_result_t result;
-		result = dns_acache_setdb(zone->acache, db);
-		if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "dns_acache_setdb() failed: %s",
-					 isc_result_totext(result));
-		}
-	}
-}
-
-/* The caller must hold the dblock as a writer. */
-static inline void
-zone_detachdb(dns_zone_t *zone) {
-	REQUIRE(zone->db != NULL);
-
-	if (zone->acache != NULL)
-		(void)dns_acache_putdb(zone->acache, zone->db);
-	dns_db_detach(&zone->db);
-}
-
-static void
-zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
-	isc_time_t now;
-	isc_boolean_t again = ISC_FALSE;
-	unsigned int soacount;
-	unsigned int nscount;
-	isc_uint32_t serial, refresh, retry, expire, minimum;
-	isc_result_t xfrresult = result;
-	isc_boolean_t free_needed;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	dns_zone_log(zone, ISC_LOG_DEBUG(1),
-		     "zone transfer finished: %s", dns_result_totext(result));
-
-	LOCK_ZONE(zone);
-	INSIST((zone->flags & DNS_ZONEFLG_REFRESH) != 0);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
-
-	TIME_NOW(&now);
-	switch (result) {
-	case ISC_R_SUCCESS:
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-		/*FALLTHROUGH*/
-	case DNS_R_UPTODATE:
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER);
-		/*
-		 * Has the zone expired underneath us?
-		 */
-		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-		if (zone->db == NULL) {
-			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-			goto same_master;
-		}
-
-		/*
-		 * Update the zone structure's data from the actual
-		 * SOA received.
-		 */
-		nscount = 0;
-		soacount = 0;
-		INSIST(zone->db != NULL);
-		result = zone_get_from_db(zone, zone->db, &nscount,
-					  &soacount, &serial, &refresh,
-					  &retry, &expire, &minimum, NULL);
-		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-		if (result == ISC_R_SUCCESS) {
-			if (soacount != 1)
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "transferred zone "
-					     "has %d SOA record%s", soacount,
-					     (soacount != 0) ? "s" : "");
-			if (nscount == 0) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "transferred zone "
-					     "has no NS records");
-				if (DNS_ZONE_FLAG(zone,
-						  DNS_ZONEFLG_HAVETIMERS)) {
-					zone->refresh = DNS_ZONE_DEFAULTREFRESH;
-					zone->retry = DNS_ZONE_DEFAULTRETRY;
-				}
-				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
-				zone_unload(zone);
-				goto next_master;
-			}
-			zone->refresh = RANGE(refresh, zone->minrefresh,
-					      zone->maxrefresh);
-			zone->retry = RANGE(retry, zone->minretry,
-					    zone->maxretry);
-			zone->expire = RANGE(expire,
-					     zone->refresh + zone->retry,
-					     DNS_MAX_EXPIRE);
-			zone->minimum = minimum;
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
-		}
-
-		/*
-		 * Set our next update/expire times.
-		 */
-		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
-			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
-			zone->refreshtime = now;
-			DNS_ZONE_TIME_ADD(&now, zone->expire,
-					  &zone->expiretime);
-		} else {
-			DNS_ZONE_JITTER_ADD(&now, zone->refresh,
-					    &zone->refreshtime);
-			DNS_ZONE_TIME_ADD(&now, zone->expire,
-					  &zone->expiretime);
-		}
-		if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) {
-			char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
-			if (zone->tsigkey != NULL) {
-				char namebuf[DNS_NAME_FORMATSIZE];
-				dns_name_format(&zone->tsigkey->name, namebuf,
-						sizeof(namebuf));
-				snprintf(buf, sizeof(buf), ": TSIG '%s'",
-					 namebuf);
-			} else
-				buf[0] = '\0';
-			dns_zone_log(zone, ISC_LOG_INFO,
-				     "transferred serial %u%s",
-				     serial, buf);
-			if (inline_raw(zone))
-				zone_send_secureserial(zone, ISC_FALSE, serial);
-		}
-
-		/*
-		 * This is not necessary if we just performed a AXFR
-		 * however it is necessary for an IXFR / UPTODATE and
-		 * won't hurt with an AXFR.
-		 */
-		if (zone->masterfile != NULL || zone->journal != NULL) {
-			unsigned int delay = DNS_DUMP_DELAY;
-
-			result = ISC_R_FAILURE;
-			if (zone->journal != NULL)
-				result = isc_file_settime(zone->journal, &now);
-			if (result != ISC_R_SUCCESS &&
-			    zone->masterfile != NULL)
-				result = isc_file_settime(zone->masterfile,
-							  &now);
-
-			if ((DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NODELAY) != 0) ||
-			    result == ISC_R_FILENOTFOUND)
-				delay = 0;
-
-			if ((result == ISC_R_SUCCESS ||
-			    result == ISC_R_FILENOTFOUND) &&
-			    zone->masterfile != NULL)
-				zone_needdump(zone, delay);
-			else if (result != ISC_R_SUCCESS)
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "transfer: could not set file "
-					     "modification time of '%s': %s",
-					     zone->masterfile,
-					     dns_result_totext(result));
-		}
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NODELAY);
-		inc_stats(zone, dns_zonestatscounter_xfrsuccess);
-		break;
-
-	case DNS_R_BADIXFR:
-		/* Force retry with AXFR. */
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR);
-		goto same_master;
-
-	default:
-	next_master:
-		/*
-		 * Skip to next failed / untried master.
-		 */
-		do {
-			zone->curmaster++;
-		} while (zone->curmaster < zone->masterscnt &&
-			 zone->mastersok[zone->curmaster]);
-		/* FALLTHROUGH */
-	same_master:
-		if (zone->curmaster >= zone->masterscnt) {
-			zone->curmaster = 0;
-			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
-			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
-				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
-				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
-				while (zone->curmaster < zone->masterscnt &&
-				       zone->mastersok[zone->curmaster])
-					zone->curmaster++;
-				again = ISC_TRUE;
-			} else
-				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
-		} else {
-			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
-			again = ISC_TRUE;
-		}
-		inc_stats(zone, dns_zonestatscounter_xfrfail);
-		break;
-	}
-	zone_settimer(zone, &now);
-
-	/*
-	 * If creating the transfer object failed, zone->xfr is NULL.
-	 * Otherwise, we are called as the done callback of a zone
-	 * transfer object that just entered its shutting-down
-	 * state.  Since we are no longer responsible for shutting
-	 * it down, we can detach our reference.
-	 */
-	if (zone->xfr != NULL)
-		dns_xfrin_detach(&zone->xfr);
-
-	if (zone->tsigkey != NULL)
-		dns_tsigkey_detach(&zone->tsigkey);
-
-	/*
-	 * Handle any deferred journal compaction.
-	 */
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDCOMPACT)) {
-		result = dns_journal_compact(zone->mctx, zone->journal,
-					     zone->compact_serial,
-					     zone->journalsize);
-		switch (result) {
-		case ISC_R_SUCCESS:
-		case ISC_R_NOSPACE:
-		case ISC_R_NOTFOUND:
-			dns_zone_log(zone, ISC_LOG_DEBUG(3),
-				     "dns_journal_compact: %s",
-				     dns_result_totext(result));
-			break;
-		default:
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "dns_journal_compact failed: %s",
-				     dns_result_totext(result));
-			break;
-		}
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
-	}
-
-	/*
-	 * This transfer finishing freed up a transfer quota slot.
-	 * Let any other zones waiting for quota have it.
-	 */
-	UNLOCK_ZONE(zone);
-	RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
-	ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
-	zone->statelist = NULL;
-	zmgr_resume_xfrs(zone->zmgr, ISC_FALSE);
-	RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
-	LOCK_ZONE(zone);
-
-	/*
-	 * Retry with a different server if necessary.
-	 */
-	if (again && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
-		queue_soa_query(zone);
-
-	INSIST(zone->irefs > 0);
-	zone->irefs--;
-	free_needed = exit_check(zone);
-	UNLOCK_ZONE(zone);
-	if (free_needed)
-		zone_free(zone);
-}
-
-static void
-zone_loaddone(void *arg, isc_result_t result) {
-	static char me[] = "zone_loaddone";
-	dns_load_t *load = arg;
-	dns_zone_t *zone;
-	isc_result_t tresult;
-
-	REQUIRE(DNS_LOAD_VALID(load));
-	zone = load->zone;
-
-	ENTER;
-
-	tresult = dns_db_endload(load->db, &load->callbacks.add_private);
-	if (tresult != ISC_R_SUCCESS &&
-	    (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
-		result = tresult;
-
-	/*
-	 * Lock hierarchy: zmgr, zone, raw.
-	 */
-	LOCK_ZONE(zone);
-	if (inline_secure(zone))
-		LOCK_ZONE(zone->raw);
-	(void)zone_postload(zone, load->db, load->loadtime, result);
-	zonemgr_putio(&zone->readio);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADING);
-	zone_idetach(&load->callbacks.zone);
-	/*
-	 * Leave the zone frozen if the reload fails.
-	 */
-	if ((result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE) &&
-	     DNS_ZONE_FLAG(zone, DNS_ZONEFLG_THAW))
-		zone->update_disabled = ISC_FALSE;
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_THAW);
-	if (inline_secure(zone))
-		UNLOCK_ZONE(zone->raw);
-	UNLOCK_ZONE(zone);
-
-	load->magic = 0;
-	dns_db_detach(&load->db);
-	if (load->zone->lctx != NULL)
-		dns_loadctx_detach(&load->zone->lctx);
-	dns_zone_idetach(&load->zone);
-	isc_mem_putanddetach(&load->mctx, load, sizeof(*load));
-}
-
-void
-dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(table != NULL);
-	REQUIRE(*table == NULL);
-
-	LOCK_ZONE(zone);
-	if (zone->ssutable != NULL)
-		dns_ssutable_attach(zone->ssutable, table);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->ssutable != NULL)
-		dns_ssutable_detach(&zone->ssutable);
-	if (table != NULL)
-		dns_ssutable_attach(table, &zone->ssutable);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	zone->sigvalidityinterval = interval;
-}
-
-isc_uint32_t
-dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->sigvalidityinterval);
-}
-
-void
-dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	zone->sigresigninginterval = interval;
-}
-
-isc_uint32_t
-dns_zone_getsigresigninginterval(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->sigresigninginterval);
-}
-
-static void
-queue_xfrin(dns_zone_t *zone) {
-	const char me[] = "queue_xfrin";
-	isc_result_t result;
-	dns_zonemgr_t *zmgr = zone->zmgr;
-
-	ENTER;
-
-	INSIST(zone->statelist == NULL);
-
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink);
-	LOCK_ZONE(zone);
-	zone->irefs++;
-	UNLOCK_ZONE(zone);
-	zone->statelist = &zmgr->waiting_for_xfrin;
-	result = zmgr_start_xfrin_ifquota(zmgr, zone);
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-
-	if (result == ISC_R_QUOTA) {
-		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
-			      "zone transfer deferred due to quota");
-	} else if (result != ISC_R_SUCCESS) {
-		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
-			      "starting zone transfer: %s",
-			      isc_result_totext(result));
-	}
-}
-
-/*
- * This event callback is called when a zone has received
- * any necessary zone transfer quota.  This is the time
- * to go ahead and start the transfer.
- */
-static void
-got_transfer_quota(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_peer_t *peer = NULL;
-	char master[ISC_SOCKADDR_FORMATSIZE];
-	char source[ISC_SOCKADDR_FORMATSIZE];
-	dns_rdatatype_t xfrtype;
-	dns_zone_t *zone = event->ev_arg;
-	isc_netaddr_t masterip;
-	isc_sockaddr_t sourceaddr;
-	isc_sockaddr_t masteraddr;
-	isc_time_t now;
-	const char *soa_before = "";
-
-	UNUSED(task);
-
-	INSIST(task == zone->task);
-
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
-		result = ISC_R_CANCELED;
-		goto cleanup;
-	}
-
-	TIME_NOW(&now);
-
-	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
-	if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
-				    &zone->sourceaddr, &now))
-	{
-		isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "got_transfer_quota: skipping zone transfer as "
-			     "master %s (source %s) is unreachable (cached)",
-			     master, source);
-		result = ISC_R_CANCELED;
-		goto cleanup;
-	}
-
-	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
-	(void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
-
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
-		soa_before = "SOA before ";
-	/*
-	 * Decide whether we should request IXFR or AXFR.
-	 */
-	if (zone->db == NULL) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "no database exists yet, requesting AXFR of "
-			     "initial version from %s", master);
-		xfrtype = dns_rdatatype_axfr;
-	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "forced reload, requesting AXFR of "
-			     "initial version from %s", master);
-		xfrtype = dns_rdatatype_axfr;
-	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLAG_NOIXFR)) {
-		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "retrying with AXFR from %s due to "
-			     "previous IXFR failure", master);
-		xfrtype = dns_rdatatype_axfr;
-		LOCK_ZONE(zone);
-		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLAG_NOIXFR);
-		UNLOCK_ZONE(zone);
-	} else {
-		isc_boolean_t use_ixfr = ISC_TRUE;
-		if (peer != NULL)
-			result = dns_peer_getrequestixfr(peer, &use_ixfr);
-		if (peer == NULL || result != ISC_R_SUCCESS)
-			use_ixfr = zone->requestixfr;
-		if (use_ixfr == ISC_FALSE) {
-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "IXFR disabled, requesting %sAXFR from %s",
-				     soa_before, master);
-			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
-				xfrtype = dns_rdatatype_soa;
-			else
-				xfrtype = dns_rdatatype_axfr;
-		} else {
-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "requesting IXFR from %s", master);
-			xfrtype = dns_rdatatype_ixfr;
-		}
-	}
-
-	/*
-	 * Determine if we should attempt to sign the request with TSIG.
-	 */
-	result = ISC_R_NOTFOUND;
-	/*
-	 * First, look for a tsig key in the master statement, then
-	 * try for a server key.
-	 */
-	if ((zone->masterkeynames != NULL) &&
-	    (zone->masterkeynames[zone->curmaster] != NULL)) {
-		dns_view_t *view = dns_zone_getview(zone);
-		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
-		result = dns_view_gettsig(view, keyname, &zone->tsigkey);
-	}
-	if (zone->tsigkey == NULL)
-		result = dns_view_getpeertsig(zone->view, &masterip,
-					      &zone->tsigkey);
-
-	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "could not get TSIG key for zone transfer: %s",
-			     isc_result_totext(result));
-	}
-
-	LOCK_ZONE(zone);
-	masteraddr = zone->masteraddr;
-	sourceaddr = zone->sourceaddr;
-	UNLOCK_ZONE(zone);
-	INSIST(isc_sockaddr_pf(&masteraddr) == isc_sockaddr_pf(&sourceaddr));
-	result = dns_xfrin_create2(zone, xfrtype, &masteraddr, &sourceaddr,
-				   zone->tsigkey, zone->mctx,
-				   zone->zmgr->timermgr, zone->zmgr->socketmgr,
-				   zone->task, zone_xfrdone, &zone->xfr);
-	if (result == ISC_R_SUCCESS) {
-		LOCK_ZONE(zone);
-		if (xfrtype == dns_rdatatype_axfr) {
-			if (isc_sockaddr_pf(&masteraddr) == PF_INET)
-				inc_stats(zone, dns_zonestatscounter_axfrreqv4);
-			else
-				inc_stats(zone, dns_zonestatscounter_axfrreqv6);
-		} else if (xfrtype == dns_rdatatype_ixfr) {
-			if (isc_sockaddr_pf(&masteraddr) == PF_INET)
-				inc_stats(zone, dns_zonestatscounter_ixfrreqv4);
-			else
-				inc_stats(zone, dns_zonestatscounter_ixfrreqv6);
-		}
-		UNLOCK_ZONE(zone);
-	}
- cleanup:
-	/*
-	 * Any failure in this function is handled like a failed
-	 * zone transfer.  This ensures that we get removed from
-	 * zmgr->xfrin_in_progress.
-	 */
-	if (result != ISC_R_SUCCESS)
-		zone_xfrdone(zone, result);
-
-	isc_event_free(&event);
-}
-
-/*
- * Update forwarding support.
- */
-
-static void
-forward_destroy(dns_forward_t *forward) {
-
-	forward->magic = 0;
-	if (forward->request != NULL)
-		dns_request_destroy(&forward->request);
-	if (forward->msgbuf != NULL)
-		isc_buffer_free(&forward->msgbuf);
-	if (forward->zone != NULL) {
-		LOCK(&forward->zone->lock);
-		if (ISC_LINK_LINKED(forward, link))
-			ISC_LIST_UNLINK(forward->zone->forwards, forward, link);
-		UNLOCK(&forward->zone->lock);
-		dns_zone_idetach(&forward->zone);
-	}
-	isc_mem_putanddetach(&forward->mctx, forward, sizeof(*forward));
-}
-
-static isc_result_t
-sendtomaster(dns_forward_t *forward) {
-	isc_result_t result;
-	isc_sockaddr_t src;
-
-	LOCK_ZONE(forward->zone);
-
-	if (DNS_ZONE_FLAG(forward->zone, DNS_ZONEFLG_EXITING)) {
-		UNLOCK_ZONE(forward->zone);
-		return (ISC_R_CANCELED);
-	}
-
-	if (forward->which >= forward->zone->masterscnt) {
-		UNLOCK_ZONE(forward->zone);
-		return (ISC_R_NOMORE);
-	}
-
-	forward->addr = forward->zone->masters[forward->which];
-	/*
-	 * Always use TCP regardless of whether the original update
-	 * used TCP.
-	 * XXX The timeout may but a bit small if we are far down a
-	 * transfer graph and the master has to try several masters.
-	 */
-	switch (isc_sockaddr_pf(&forward->addr)) {
-	case PF_INET:
-		src = forward->zone->xfrsource4;
-		break;
-	case PF_INET6:
-		src = forward->zone->xfrsource6;
-		break;
-	default:
-		result = ISC_R_NOTIMPLEMENTED;
-		goto unlock;
-	}
-	result = dns_request_createraw(forward->zone->view->requestmgr,
-				       forward->msgbuf,
-				       &src, &forward->addr,
-				       DNS_REQUESTOPT_TCP, 15 /* XXX */,
-				       forward->zone->task,
-				       forward_callback, forward,
-				       &forward->request);
-	if (result == ISC_R_SUCCESS) {
-		if (!ISC_LINK_LINKED(forward, link))
-			ISC_LIST_APPEND(forward->zone->forwards, forward, link);
-	}
-
- unlock:
-	UNLOCK_ZONE(forward->zone);
-	return (result);
-}
-
-static void
-forward_callback(isc_task_t *task, isc_event_t *event) {
-	const char me[] = "forward_callback";
-	dns_requestevent_t *revent = (dns_requestevent_t *)event;
-	dns_message_t *msg = NULL;
-	char master[ISC_SOCKADDR_FORMATSIZE];
-	isc_result_t result;
-	dns_forward_t *forward;
-	dns_zone_t *zone;
-
-	UNUSED(task);
-
-	forward = revent->ev_arg;
-	INSIST(DNS_FORWARD_VALID(forward));
-	zone = forward->zone;
-	INSIST(DNS_ZONE_VALID(zone));
-
-	ENTER;
-
-	isc_sockaddr_format(&forward->addr, master, sizeof(master));
-
-	if (revent->result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_INFO,
-			     "could not forward dynamic update to %s: %s",
-			     master, dns_result_totext(revent->result));
-		goto next_master;
-	}
-
-	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
-	if (result != ISC_R_SUCCESS)
-		goto next_master;
-
-	result = dns_request_getresponse(revent->request, msg,
-					 DNS_MESSAGEPARSE_PRESERVEORDER |
-					 DNS_MESSAGEPARSE_CLONEBUFFER);
-	if (result != ISC_R_SUCCESS)
-		goto next_master;
-
-	switch (msg->rcode) {
-	/*
-	 * Pass these rcodes back to client.
-	 */
-	case dns_rcode_noerror:
-	case dns_rcode_yxdomain:
-	case dns_rcode_yxrrset:
-	case dns_rcode_nxrrset:
-	case dns_rcode_refused:
-	case dns_rcode_nxdomain:
-		break;
-
-	/* These should not occur if the masters/zone are valid. */
-	case dns_rcode_notzone:
-	case dns_rcode_notauth: {
-		char rcode[128];
-		isc_buffer_t rb;
-
-		isc_buffer_init(&rb, rcode, sizeof(rcode));
-		(void)dns_rcode_totext(msg->rcode, &rb);
-		dns_zone_log(zone, ISC_LOG_WARNING,
-			     "forwarding dynamic update: "
-			     "unexpected response: master %s returned: %.*s",
-			     master, (int)rb.used, rcode);
-		goto next_master;
-	}
-
-	/* Try another server for these rcodes. */
-	case dns_rcode_formerr:
-	case dns_rcode_servfail:
-	case dns_rcode_notimp:
-	case dns_rcode_badvers:
-	default:
-		goto next_master;
-	}
-
-	/* call callback */
-	(forward->callback)(forward->callback_arg, ISC_R_SUCCESS, msg);
-	msg = NULL;
-	dns_request_destroy(&forward->request);
-	forward_destroy(forward);
-	isc_event_free(&event);
-	return;
-
- next_master:
-	if (msg != NULL)
-		dns_message_destroy(&msg);
-	isc_event_free(&event);
-	forward->which++;
-	dns_request_destroy(&forward->request);
-	result = sendtomaster(forward);
-	if (result != ISC_R_SUCCESS) {
-		/* call callback */
-		dns_zone_log(zone, ISC_LOG_DEBUG(3),
-			     "exhausted dynamic update forwarder list");
-		(forward->callback)(forward->callback_arg, result, NULL);
-		forward_destroy(forward);
-	}
-}
-
-isc_result_t
-dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
-		       dns_updatecallback_t callback, void *callback_arg)
-{
-	dns_forward_t *forward;
-	isc_result_t result;
-	isc_region_t *mr;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(msg != NULL);
-	REQUIRE(callback != NULL);
-
-	forward = isc_mem_get(zone->mctx, sizeof(*forward));
-	if (forward == NULL)
-		return (ISC_R_NOMEMORY);
-
-	forward->request = NULL;
-	forward->zone = NULL;
-	forward->msgbuf = NULL;
-	forward->which = 0;
-	forward->mctx = 0;
-	forward->callback = callback;
-	forward->callback_arg = callback_arg;
-	ISC_LINK_INIT(forward, link);
-	forward->magic = FORWARD_MAGIC;
-
-	mr = dns_message_getrawmessage(msg);
-	if (mr == NULL) {
-		result = ISC_R_UNEXPECTEDEND;
-		goto cleanup;
-	}
-
-	result = isc_buffer_allocate(zone->mctx, &forward->msgbuf, mr->length);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = isc_buffer_copyregion(forward->msgbuf, mr);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	isc_mem_attach(zone->mctx, &forward->mctx);
-	dns_zone_iattach(zone, &forward->zone);
-	result = sendtomaster(forward);
-
- cleanup:
-	if (result != ISC_R_SUCCESS) {
-		forward_destroy(forward);
-	}
-	return (result);
-}
-
-isc_result_t
-dns_zone_next(dns_zone_t *zone, dns_zone_t **next) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(next != NULL && *next == NULL);
-
-	*next = ISC_LIST_NEXT(zone, link);
-	if (*next == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first) {
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-	REQUIRE(first != NULL && *first == NULL);
-
-	*first = ISC_LIST_HEAD(zmgr->zones);
-	if (*first == NULL)
-		return (ISC_R_NOMORE);
-	else
-		return (ISC_R_SUCCESS);
-}
-
-/***
- ***	Zone manager.
- ***/
-
-isc_result_t
-dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
-		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
-		   dns_zonemgr_t **zmgrp)
-{
-	dns_zonemgr_t *zmgr;
-	isc_result_t result;
-	isc_interval_t interval;
-
-	zmgr = isc_mem_get(mctx, sizeof(*zmgr));
-	if (zmgr == NULL)
-		return (ISC_R_NOMEMORY);
-	zmgr->mctx = NULL;
-	zmgr->refs = 1;
-	isc_mem_attach(mctx, &zmgr->mctx);
-	zmgr->taskmgr = taskmgr;
-	zmgr->timermgr = timermgr;
-	zmgr->socketmgr = socketmgr;
-	zmgr->zonetasks = NULL;
-	zmgr->loadtasks = NULL;
-	zmgr->mctxpool = NULL;
-	zmgr->task = NULL;
-	zmgr->rl = NULL;
-	ISC_LIST_INIT(zmgr->zones);
-	ISC_LIST_INIT(zmgr->waiting_for_xfrin);
-	ISC_LIST_INIT(zmgr->xfrin_in_progress);
-	memset(zmgr->unreachable, 0, sizeof(zmgr->unreachable));
-	result = isc_rwlock_init(&zmgr->rwlock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto free_mem;
-
-	zmgr->transfersin = 10;
-	zmgr->transfersperns = 2;
-
-	/* Unreachable lock. */
-	result = isc_rwlock_init(&zmgr->urlock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto free_rwlock;
-
-	/* Create a single task for queueing of SOA queries. */
-	result = isc_task_create(taskmgr, 1, &zmgr->task);
-	if (result != ISC_R_SUCCESS)
-		goto free_urlock;
-
-	isc_task_setname(zmgr->task, "zmgr", zmgr);
-	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
-					&zmgr->rl);
-	if (result != ISC_R_SUCCESS)
-		goto free_task;
-
-	/* default to 20 refresh queries / notifies per second. */
-	isc_interval_set(&interval, 0, 1000000000/2);
-	result = isc_ratelimiter_setinterval(zmgr->rl, &interval);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	isc_ratelimiter_setpertic(zmgr->rl, 10);
-
-	zmgr->iolimit = 1;
-	zmgr->ioactive = 0;
-	ISC_LIST_INIT(zmgr->high);
-	ISC_LIST_INIT(zmgr->low);
-
-	result = isc_mutex_init(&zmgr->iolock);
-	if (result != ISC_R_SUCCESS)
-		goto free_rl;
-
-	zmgr->magic = ZONEMGR_MAGIC;
-
-	*zmgrp = zmgr;
-	return (ISC_R_SUCCESS);
-
-#if 0
- free_iolock:
-	DESTROYLOCK(&zmgr->iolock);
-#endif
- free_rl:
-	isc_ratelimiter_detach(&zmgr->rl);
- free_task:
-	isc_task_detach(&zmgr->task);
- free_urlock:
-	isc_rwlock_destroy(&zmgr->urlock);
- free_rwlock:
-	isc_rwlock_destroy(&zmgr->rwlock);
- free_mem:
-	isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
-	isc_mem_detach(&mctx);
-	return (result);
-}
-
-isc_result_t
-dns_zonemgr_createzone(dns_zonemgr_t *zmgr, dns_zone_t **zonep) {
-	isc_result_t result;
-	isc_mem_t *mctx = NULL;
-	dns_zone_t *zone = NULL;
-	void *item;
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-	REQUIRE(zonep != NULL && *zonep == NULL);
-
-	if (zmgr->mctxpool == NULL)
-		return (ISC_R_FAILURE);
-
-	item = isc_pool_get(zmgr->mctxpool);
-	if (item == NULL)
-		return (ISC_R_FAILURE);
-
-	isc_mem_attach((isc_mem_t *) item, &mctx);
-	result = dns_zone_create(&zone, mctx);
-	isc_mem_detach(&mctx);
-
-	if (result == ISC_R_SUCCESS)
-		*zonep = zone;
-
-	return (result);
-}
-
-isc_result_t
-dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
-	isc_result_t result;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	if (zmgr->zonetasks == NULL)
-		return (ISC_R_FAILURE);
-
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	LOCK_ZONE(zone);
-	REQUIRE(zone->task == NULL);
-	REQUIRE(zone->timer == NULL);
-	REQUIRE(zone->zmgr == NULL);
-
-	isc_taskpool_gettask(zmgr->zonetasks, &zone->task);
-	isc_taskpool_gettask(zmgr->loadtasks, &zone->loadtask);
-
-	/*
-	 * Set the task name.  The tag will arbitrarily point to one
-	 * of the zones sharing the task (in practice, the one
-	 * to be managed last).
-	 */
-	isc_task_setname(zone->task, "zone", zone);
-	isc_task_setname(zone->loadtask, "loadzone", zone);
-
-	result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive,
-				  NULL, NULL,
-				  zone->task, zone_timer, zone,
-				  &zone->timer);
-
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_tasks;
-
-	/*
-	 * The timer "holds" a iref.
-	 */
-	zone->irefs++;
-	INSIST(zone->irefs != 0);
-
-	ISC_LIST_APPEND(zmgr->zones, zone, link);
-	zone->zmgr = zmgr;
-	zmgr->refs++;
-
-	goto unlock;
-
- cleanup_tasks:
-	isc_task_detach(&zone->loadtask);
-	isc_task_detach(&zone->task);
-
- unlock:
-	UNLOCK_ZONE(zone);
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	return (result);
-}
-
-void
-dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
-	isc_boolean_t free_now = ISC_FALSE;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-	REQUIRE(zone->zmgr == zmgr);
-
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	LOCK_ZONE(zone);
-
-	ISC_LIST_UNLINK(zmgr->zones, zone, link);
-	zone->zmgr = NULL;
-	zmgr->refs--;
-	if (zmgr->refs == 0)
-		free_now = ISC_TRUE;
-
-	UNLOCK_ZONE(zone);
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-
-	if (free_now)
-		zonemgr_free(zmgr);
-	ENSURE(zone->zmgr == NULL);
-}
-
-void
-dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target) {
-	REQUIRE(DNS_ZONEMGR_VALID(source));
-	REQUIRE(target != NULL && *target == NULL);
-
-	RWLOCK(&source->rwlock, isc_rwlocktype_write);
-	REQUIRE(source->refs > 0);
-	source->refs++;
-	INSIST(source->refs > 0);
-	RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
-	*target = source;
-}
-
-void
-dns_zonemgr_detach(dns_zonemgr_t **zmgrp) {
-	dns_zonemgr_t *zmgr;
-	isc_boolean_t free_now = ISC_FALSE;
-
-	REQUIRE(zmgrp != NULL);
-	zmgr = *zmgrp;
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	zmgr->refs--;
-	if (zmgr->refs == 0)
-		free_now = ISC_TRUE;
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-
-	if (free_now)
-		zonemgr_free(zmgr);
-	*zmgrp = NULL;
-}
-
-isc_result_t
-dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) {
-	dns_zone_t *p;
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
-	for (p = ISC_LIST_HEAD(zmgr->zones);
-	     p != NULL;
-	     p = ISC_LIST_NEXT(p, link))
-	{
-		dns_zone_maintenance(p);
-	}
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
-
-	/*
-	 * Recent configuration changes may have increased the
-	 * amount of available transfers quota.  Make sure any
-	 * transfers currently blocked on quota get started if
-	 * possible.
-	 */
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	zmgr_resume_xfrs(zmgr, ISC_TRUE);
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr) {
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	zmgr_resume_xfrs(zmgr, ISC_TRUE);
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-}
-
-void
-dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) {
-	dns_zone_t *zone;
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	isc_ratelimiter_shutdown(zmgr->rl);
-
-	if (zmgr->task != NULL)
-		isc_task_destroy(&zmgr->task);
-	if (zmgr->zonetasks != NULL)
-		isc_taskpool_destroy(&zmgr->zonetasks);
-	if (zmgr->loadtasks != NULL)
-		isc_taskpool_destroy(&zmgr->loadtasks);
-	if (zmgr->mctxpool != NULL)
-		isc_pool_destroy(&zmgr->mctxpool);
-
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
-	for (zone = ISC_LIST_HEAD(zmgr->zones);
-	     zone != NULL;
-	     zone = ISC_LIST_NEXT(zone, link))
-	{
-		LOCK_ZONE(zone);
-		forward_cancel(zone);
-		UNLOCK_ZONE(zone);
-	}
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
-}
-
-static isc_result_t
-mctxinit(void **target, void *arg) {
-	isc_result_t result;
-	isc_mem_t *mctx = NULL;
-
-	UNUSED(arg);
-
-	REQUIRE(target != NULL && *target == NULL);
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_mem_setname(mctx, "zonemgr-pool", NULL);
-
-	*target = mctx;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-mctxfree(void **target) {
-	isc_mem_t *mctx = *(isc_mem_t **) target;
-	isc_mem_detach(&mctx);
-	*target = NULL;
-}
-
-#define ZONES_PER_TASK 100
-#define ZONES_PER_MCTX 1000
-
-isc_result_t
-dns_zonemgr_setsize(dns_zonemgr_t *zmgr, int num_zones) {
-	isc_result_t result;
-	int ntasks = num_zones / ZONES_PER_TASK;
-	int nmctx = num_zones / ZONES_PER_MCTX;
-	isc_taskpool_t *pool = NULL;
-	isc_pool_t *mctxpool = NULL;
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	/*
-	 * For anything fewer than 1000 zones we use 10 tasks in
-	 * the task pools.  More than that, and we'll scale at one
-	 * task per 100 zones.  Similarly, for anything smaller than
-	 * 2000 zones we use 2 memory contexts, then scale at 1:1000.
-	 */
-	if (ntasks < 10)
-		ntasks = 10;
-	if (nmctx < 2)
-		nmctx = 2;
-
-	/* Create or resize the zone task pools. */
-	if (zmgr->zonetasks == NULL)
-		result = isc_taskpool_create(zmgr->taskmgr, zmgr->mctx,
-					     ntasks, 2, &pool);
-	else
-		result = isc_taskpool_expand(&zmgr->zonetasks, ntasks, &pool);
-
-	if (result == ISC_R_SUCCESS)
-		zmgr->zonetasks = pool;
-
-	pool = NULL;
-	if (zmgr->loadtasks == NULL)
-		result = isc_taskpool_create(zmgr->taskmgr, zmgr->mctx,
-					     ntasks, 2, &pool);
-	else
-		result = isc_taskpool_expand(&zmgr->loadtasks, ntasks, &pool);
-
-	if (result == ISC_R_SUCCESS)
-		zmgr->loadtasks = pool;
-
-#ifdef BIND9
-	/*
-	 * We always set all tasks in the zone-load task pool to
-	 * privileged.  This prevents other tasks in the system from
-	 * running while the server task manager is in privileged
-	 * mode.
-	 *
-	 * NOTE: If we start using task privileges for any other
-	 * part of the system than zone tasks, then this will need to be
-	 * revisted.  In that case we'd want to turn on privileges for
-	 * zone tasks only when we were loading, and turn them off the
-	 * rest of the time.  For now, however, it's okay to just
-	 * set it and forget it.
-	 */
-	isc_taskpool_setprivilege(zmgr->loadtasks, ISC_TRUE);
-#endif
-
-	/* Create or resize the zone memory context pool. */
-	if (zmgr->mctxpool == NULL)
-		result = isc_pool_create(zmgr->mctx, nmctx, mctxfree,
-					 mctxinit, NULL, &mctxpool);
-	else
-		result = isc_pool_expand(&zmgr->mctxpool, nmctx, &mctxpool);
-
-	if (result == ISC_R_SUCCESS)
-		zmgr->mctxpool = mctxpool;
-
-	return (result);
-}
-
-static void
-zonemgr_free(dns_zonemgr_t *zmgr) {
-	isc_mem_t *mctx;
-
-	INSIST(zmgr->refs == 0);
-	INSIST(ISC_LIST_EMPTY(zmgr->zones));
-
-	zmgr->magic = 0;
-
-	DESTROYLOCK(&zmgr->iolock);
-	isc_ratelimiter_detach(&zmgr->rl);
-
-	isc_rwlock_destroy(&zmgr->urlock);
-	isc_rwlock_destroy(&zmgr->rwlock);
-	mctx = zmgr->mctx;
-	isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
-	isc_mem_detach(&mctx);
-}
-
-void
-dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value) {
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	zmgr->transfersin = value;
-}
-
-isc_uint32_t
-dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr) {
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	return (zmgr->transfersin);
-}
-
-void
-dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, isc_uint32_t value) {
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	zmgr->transfersperns = value;
-}
-
-isc_uint32_t
-dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr) {
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	return (zmgr->transfersperns);
-}
-
-/*
- * Try to start a new incoming zone transfer to fill a quota
- * slot that was just vacated.
- *
- * Requires:
- *	The zone manager is locked by the caller.
- */
-static void
-zmgr_resume_xfrs(dns_zonemgr_t *zmgr, isc_boolean_t multi) {
-	dns_zone_t *zone;
-	dns_zone_t *next;
-
-	for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
-	     zone != NULL;
-	     zone = next)
-	{
-		isc_result_t result;
-		next = ISC_LIST_NEXT(zone, statelink);
-		result = zmgr_start_xfrin_ifquota(zmgr, zone);
-		if (result == ISC_R_SUCCESS) {
-			if (multi)
-				continue;
-			/*
-			 * We successfully filled the slot.  We're done.
-			 */
-			break;
-		} else if (result == ISC_R_QUOTA) {
-			/*
-			 * Not enough quota.  This is probably the per-server
-			 * quota, because we usually get called when a unit of
-			 * global quota has just been freed.  Try the next
-			 * zone, it may succeed if it uses another master.
-			 */
-			continue;
-		} else {
-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "starting zone transfer: %s",
-				     isc_result_totext(result));
-			break;
-		}
-	}
-}
-
-/*
- * Try to start an incoming zone transfer for 'zone', quota permitting.
- *
- * Requires:
- *	The zone manager is locked by the caller.
- *
- * Returns:
- *	ISC_R_SUCCESS	There was enough quota and we attempted to
- *			start a transfer.  zone_xfrdone() has been or will
- *			be called.
- *	ISC_R_QUOTA	Not enough quota.
- *	Others		Failure.
- */
-static isc_result_t
-zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
-	dns_peer_t *peer = NULL;
-	isc_netaddr_t masterip;
-	isc_uint32_t nxfrsin, nxfrsperns;
-	dns_zone_t *x;
-	isc_uint32_t maxtransfersin, maxtransfersperns;
-	isc_event_t *e;
-
-	/*
-	 * If we are exiting just pretend we got quota so the zone will
-	 * be cleaned up in the zone's task context.
-	 */
-	LOCK_ZONE(zone);
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
-		UNLOCK_ZONE(zone);
-		goto gotquota;
-	}
-
-	/*
-	 * Find any configured information about the server we'd
-	 * like to transfer this zone from.
-	 */
-	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
-	(void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
-	UNLOCK_ZONE(zone);
-
-	/*
-	 * Determine the total maximum number of simultaneous
-	 * transfers allowed, and the maximum for this specific
-	 * master.
-	 */
-	maxtransfersin = zmgr->transfersin;
-	maxtransfersperns = zmgr->transfersperns;
-	if (peer != NULL)
-		(void)dns_peer_gettransfers(peer, &maxtransfersperns);
-
-	/*
-	 * Count the total number of transfers that are in progress,
-	 * and the number of transfers in progress from this master.
-	 * We linearly scan a list of all transfers; if this turns
-	 * out to be too slow, we could hash on the master address.
-	 */
-	nxfrsin = nxfrsperns = 0;
-	for (x = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
-	     x != NULL;
-	     x = ISC_LIST_NEXT(x, statelink))
-	{
-		isc_netaddr_t xip;
-
-		LOCK_ZONE(x);
-		isc_netaddr_fromsockaddr(&xip, &x->masteraddr);
-		UNLOCK_ZONE(x);
-
-		nxfrsin++;
-		if (isc_netaddr_equal(&xip, &masterip))
-			nxfrsperns++;
-	}
-
-	/* Enforce quota. */
-	if (nxfrsin >= maxtransfersin)
-		return (ISC_R_QUOTA);
-
-	if (nxfrsperns >= maxtransfersperns)
-		return (ISC_R_QUOTA);
-
- gotquota:
-	/*
-	 * We have sufficient quota.  Move the zone to the "xfrin_in_progress"
-	 * list and send it an event to let it start the actual transfer in the
-	 * context of its own task.
-	 */
-	e = isc_event_allocate(zmgr->mctx, zmgr, DNS_EVENT_ZONESTARTXFRIN,
-			       got_transfer_quota, zone, sizeof(isc_event_t));
-	if (e == NULL)
-		return (ISC_R_NOMEMORY);
-
-	LOCK_ZONE(zone);
-	INSIST(zone->statelist == &zmgr->waiting_for_xfrin);
-	ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink);
-	ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
-	zone->statelist = &zmgr->xfrin_in_progress;
-	isc_task_send(zone->task, &e);
-	dns_zone_log(zone, ISC_LOG_INFO, "Transfer started.");
-	UNLOCK_ZONE(zone);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit) {
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-	REQUIRE(iolimit > 0);
-
-	zmgr->iolimit = iolimit;
-}
-
-isc_uint32_t
-dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr) {
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	return (zmgr->iolimit);
-}
-
-/*
- * Get permission to request a file handle from the OS.
- * An event will be sent to action when one is available.
- * There are two queues available (high and low), the high
- * queue will be serviced before the low one.
- *
- * zonemgr_putio() must be called after the event is delivered to
- * 'action'.
- */
-
-static isc_result_t
-zonemgr_getio(dns_zonemgr_t *zmgr, isc_boolean_t high,
-	      isc_task_t *task, isc_taskaction_t action, void *arg,
-	      dns_io_t **iop)
-{
-	dns_io_t *io;
-	isc_boolean_t queue;
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-	REQUIRE(iop != NULL && *iop == NULL);
-
-	io = isc_mem_get(zmgr->mctx, sizeof(*io));
-	if (io == NULL)
-		return (ISC_R_NOMEMORY);
-
-	io->event = isc_event_allocate(zmgr->mctx, task, DNS_EVENT_IOREADY,
-				       action, arg, sizeof(*io->event));
-	if (io->event == NULL) {
-		isc_mem_put(zmgr->mctx, io, sizeof(*io));
-		return (ISC_R_NOMEMORY);
-	}
-
-	io->zmgr = zmgr;
-	io->high = high;
-	io->task = NULL;
-	isc_task_attach(task, &io->task);
-	ISC_LINK_INIT(io, link);
-	io->magic = IO_MAGIC;
-
-	LOCK(&zmgr->iolock);
-	zmgr->ioactive++;
-	queue = ISC_TF(zmgr->ioactive > zmgr->iolimit);
-	if (queue) {
-		if (io->high)
-			ISC_LIST_APPEND(zmgr->high, io, link);
-		else
-			ISC_LIST_APPEND(zmgr->low, io, link);
-	}
-	UNLOCK(&zmgr->iolock);
-	*iop = io;
-
-	if (!queue)
-		isc_task_send(io->task, &io->event);
-	return (ISC_R_SUCCESS);
-}
-
-static void
-zonemgr_putio(dns_io_t **iop) {
-	dns_io_t *io;
-	dns_io_t *next;
-	dns_zonemgr_t *zmgr;
-
-	REQUIRE(iop != NULL);
-	io = *iop;
-	REQUIRE(DNS_IO_VALID(io));
-
-	*iop = NULL;
-
-	INSIST(!ISC_LINK_LINKED(io, link));
-	INSIST(io->event == NULL);
-
-	zmgr = io->zmgr;
-	isc_task_detach(&io->task);
-	io->magic = 0;
-	isc_mem_put(zmgr->mctx, io, sizeof(*io));
-
-	LOCK(&zmgr->iolock);
-	INSIST(zmgr->ioactive > 0);
-	zmgr->ioactive--;
-	next = HEAD(zmgr->high);
-	if (next == NULL)
-		next = HEAD(zmgr->low);
-	if (next != NULL) {
-		if (next->high)
-			ISC_LIST_UNLINK(zmgr->high, next, link);
-		else
-			ISC_LIST_UNLINK(zmgr->low, next, link);
-		INSIST(next->event != NULL);
-	}
-	UNLOCK(&zmgr->iolock);
-	if (next != NULL)
-		isc_task_send(next->task, &next->event);
-}
-
-static void
-zonemgr_cancelio(dns_io_t *io) {
-	isc_boolean_t send_event = ISC_FALSE;
-
-	REQUIRE(DNS_IO_VALID(io));
-
-	/*
-	 * If we are queued to be run then dequeue.
-	 */
-	LOCK(&io->zmgr->iolock);
-	if (ISC_LINK_LINKED(io, link)) {
-		if (io->high)
-			ISC_LIST_UNLINK(io->zmgr->high, io, link);
-		else
-			ISC_LIST_UNLINK(io->zmgr->low, io, link);
-
-		send_event = ISC_TRUE;
-		INSIST(io->event != NULL);
-	}
-	UNLOCK(&io->zmgr->iolock);
-	if (send_event) {
-		io->event->ev_attributes |= ISC_EVENTATTR_CANCELED;
-		isc_task_send(io->task, &io->event);
-	}
-}
-
-static void
-zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
-	char *buf;
-	int buflen;
-	isc_result_t result;
-
-	buflen = strlen(path) + strlen(templat) + 2;
-
-	buf = isc_mem_get(zone->mctx, buflen);
-	if (buf == NULL)
-		return;
-
-	result = isc_file_template(path, templat, buf, buflen);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = isc_file_renameunique(path, buf);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_zone_log(zone, ISC_LOG_WARNING, "unable to load from '%s'; "
-		     "renaming file to '%s' for failure analysis and "
-		     "retransferring.", path, buf);
-
- cleanup:
-	isc_mem_put(zone->mctx, buf, buflen);
-}
-
-#if 0
-/* Hook for ondestroy notification from a database. */
-
-static void
-dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event) {
-	dns_db_t *db = event->sender;
-	UNUSED(task);
-
-	isc_event_free(&event);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-		      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
-		      "database (%p) destroyed", (void*) db);
-}
-#endif
-
-void
-dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) {
-	isc_interval_t interval;
-	isc_uint32_t s, ns;
-	isc_uint32_t pertic;
-	isc_result_t result;
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	if (value == 0)
-		value = 1;
-
-	if (value == 1) {
-		s = 1;
-		ns = 0;
-		pertic = 1;
-	} else if (value <= 10) {
-		s = 0;
-		ns = 1000000000 / value;
-		pertic = 1;
-	} else {
-		s = 0;
-		ns = (1000000000 / value) * 10;
-		pertic = 10;
-	}
-
-	isc_interval_set(&interval, s, ns);
-	result = isc_ratelimiter_setinterval(zmgr->rl, &interval);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	isc_ratelimiter_setpertic(zmgr->rl, pertic);
-
-	zmgr->serialqueryrate = value;
-}
-
-unsigned int
-dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) {
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	return (zmgr->serialqueryrate);
-}
-
-isc_boolean_t
-dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
-			isc_sockaddr_t *local, isc_time_t *now)
-{
-	unsigned int i;
-	isc_rwlocktype_t locktype;
-	isc_result_t result;
-	isc_uint32_t seconds = isc_time_seconds(now);
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	locktype = isc_rwlocktype_read;
-	RWLOCK(&zmgr->urlock, locktype);
-	for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
-		if (zmgr->unreachable[i].expire >= seconds &&
-		    isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
-		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) {
-			result = isc_rwlock_tryupgrade(&zmgr->urlock);
-			if (result == ISC_R_SUCCESS) {
-				locktype = isc_rwlocktype_write;
-				zmgr->unreachable[i].last = seconds;
-			}
-			break;
-		}
-	}
-	RWUNLOCK(&zmgr->urlock, locktype);
-	return (ISC_TF(i < UNREACH_CHACHE_SIZE));
-}
-
-void
-dns_zonemgr_unreachabledel(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
-			   isc_sockaddr_t *local)
-{
-	unsigned int i;
-	isc_rwlocktype_t locktype;
-	isc_result_t result;
-
-	char master[ISC_SOCKADDR_FORMATSIZE];
-	char source[ISC_SOCKADDR_FORMATSIZE];
-
-	isc_sockaddr_format(remote, master, sizeof(master));
-	isc_sockaddr_format(local, source, sizeof(source));
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	locktype = isc_rwlocktype_read;
-	RWLOCK(&zmgr->urlock, locktype);
-	for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
-		if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
-		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) {
-			if (zmgr->unreachable[i].expire == 0)
-				break;
-			result = isc_rwlock_tryupgrade(&zmgr->urlock);
-			if (result == ISC_R_SUCCESS) {
-				locktype = isc_rwlocktype_write;
-				zmgr->unreachable[i].expire = 0;
-				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-					      DNS_LOGMODULE_ZONE, ISC_LOG_INFO,
-					      "master %s (source %s) deleted "
-					      "from unreachable cache",
-					      master, source);
-			}
-			break;
-		}
-	}
-	RWUNLOCK(&zmgr->urlock, locktype);
-}
-
-void
-dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
-			   isc_sockaddr_t *local, isc_time_t *now)
-{
-	isc_uint32_t seconds = isc_time_seconds(now);
-	isc_uint32_t last = seconds;
-	unsigned int i, slot = UNREACH_CHACHE_SIZE, oldest = 0;
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	RWLOCK(&zmgr->urlock, isc_rwlocktype_write);
-	for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
-		/* Existing entry? */
-		if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
-		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
-			break;
-		/* Empty slot? */
-		if (zmgr->unreachable[i].expire < seconds)
-			slot = i;
-		/* Least recently used slot? */
-		if (zmgr->unreachable[i].last < last) {
-			last = zmgr->unreachable[i].last;
-			oldest = i;
-		}
-	}
-	if (i < UNREACH_CHACHE_SIZE) {
-		/*
-		 * Found a existing entry.  Update the expire timer and
-		 * last usage timestamps.
-		 */
-		zmgr->unreachable[i].expire = seconds + UNREACH_HOLD_TIME;
-		zmgr->unreachable[i].last = seconds;
-	} else if (slot != UNREACH_CHACHE_SIZE) {
-		/*
-		 * Found a empty slot. Add a new entry to the cache.
-		 */
-		zmgr->unreachable[slot].expire = seconds + UNREACH_HOLD_TIME;
-		zmgr->unreachable[slot].last = seconds;
-		zmgr->unreachable[slot].remote = *remote;
-		zmgr->unreachable[slot].local = *local;
-	} else {
-		/*
-		 * Replace the least recently used entry in the cache.
-		 */
-		zmgr->unreachable[oldest].expire = seconds + UNREACH_HOLD_TIME;
-		zmgr->unreachable[oldest].last = seconds;
-		zmgr->unreachable[oldest].remote = *remote;
-		zmgr->unreachable[oldest].local = *local;
-	}
-	RWUNLOCK(&zmgr->urlock, isc_rwlocktype_write);
-}
-
-void
-dns_zone_forcereload(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	if (zone->type == dns_zone_master ||
-	    (zone->type == dns_zone_redirect && zone->masters == NULL))
-		return;
-
-	LOCK_ZONE(zone);
-	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER);
-	UNLOCK_ZONE(zone);
-	dns_zone_refresh(zone);
-}
-
-isc_boolean_t
-dns_zone_isforced(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER));
-}
-
-isc_result_t
-dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on) {
-	/*
-	 * This function is obsoleted.
-	 */
-	UNUSED(zone);
-	UNUSED(on);
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-isc_uint64_t *
-dns_zone_getstatscounters(dns_zone_t *zone) {
-	/*
-	 * This function is obsoleted.
-	 */
-	UNUSED(zone);
-	return (NULL);
-}
-
-void
-dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(zone->stats == NULL);
-
-	LOCK_ZONE(zone);
-	zone->stats = NULL;
-	isc_stats_attach(stats, &zone->stats);
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->requeststats_on && stats == NULL)
-		zone->requeststats_on = ISC_FALSE;
-	else if (!zone->requeststats_on && stats != NULL) {
-		if (zone->requeststats == NULL) {
-			isc_stats_attach(stats, &zone->requeststats);
-			zone->requeststats_on = ISC_TRUE;
-		}
-	}
-	UNLOCK_ZONE(zone);
-}
-
-#ifdef NEWSTATS
-void
-dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	if (zone->requeststats_on && stats != NULL) {
-		if (zone->rcvquerystats == NULL) {
-			dns_stats_attach(stats, &zone->rcvquerystats);
-			zone->requeststats_on = ISC_TRUE;
-		}
-	}
-	UNLOCK_ZONE(zone);
-}
-#endif
-
-isc_stats_t *
-dns_zone_getrequeststats(dns_zone_t *zone) {
-	/*
-	 * We don't lock zone for efficiency reason.  This is not catastrophic
-	 * because requeststats must always be valid when requeststats_on is
-	 * true.
-	 * Some counters may be incremented while requeststats_on is becoming
-	 * false, or some cannot be incremented just after the statistics are
-	 * installed, but it shouldn't matter much in practice.
-	 */
-	if (zone->requeststats_on)
-		return (zone->requeststats);
-	else
-		return (NULL);
-}
-
-#ifdef NEWSTATS
-/*
- * Return the received query stats bucket
- * see note from dns_zone_getrequeststats()
- */
-dns_stats_t *
-dns_zone_getrcvquerystats(dns_zone_t *zone) {
-	if (zone->requeststats_on)
-		return (zone->rcvquerystats);
-	else
-		return (NULL);
-}
-#endif
-
-void
-dns_zone_dialup(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	zone_debuglog(zone, "dns_zone_dialup", 3,
-		      "notify = %d, refresh = %d",
-		      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY),
-		      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH));
-
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
-		dns_zone_notify(zone);
-	if (zone->type != dns_zone_master && zone->masters != NULL &&
-	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
-		dns_zone_refresh(zone);
-}
-
-void
-dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
-			 DNS_ZONEFLG_DIALREFRESH |
-			 DNS_ZONEFLG_NOREFRESH);
-	switch (dialup) {
-	case dns_dialuptype_no:
-		break;
-	case dns_dialuptype_yes:
-		DNS_ZONE_SETFLAG(zone,	(DNS_ZONEFLG_DIALNOTIFY |
-				 DNS_ZONEFLG_DIALREFRESH |
-				 DNS_ZONEFLG_NOREFRESH));
-		break;
-	case dns_dialuptype_notify:
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
-		break;
-	case dns_dialuptype_notifypassive:
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
-		break;
-	case dns_dialuptype_refresh:
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
-		break;
-	case dns_dialuptype_passive:
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
-		break;
-	default:
-		INSIST(0);
-	}
-	UNLOCK_ZONE(zone);
-}
-
-isc_result_t
-dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	result = dns_zone_setstring(zone, &zone->keydirectory, directory);
-	UNLOCK_ZONE(zone);
-
-	return (result);
-}
-
-const char *
-dns_zone_getkeydirectory(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->keydirectory);
-}
-
-unsigned int
-dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
-	dns_zone_t *zone;
-	unsigned int count = 0;
-
-	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
-	switch (state) {
-	case DNS_ZONESTATE_XFERRUNNING:
-		for (zone = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
-		     zone != NULL;
-		     zone = ISC_LIST_NEXT(zone, statelink))
-			count++;
-		break;
-	case DNS_ZONESTATE_XFERDEFERRED:
-		for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
-		     zone != NULL;
-		     zone = ISC_LIST_NEXT(zone, statelink))
-			count++;
-		break;
-	case DNS_ZONESTATE_SOAQUERY:
-		for (zone = ISC_LIST_HEAD(zmgr->zones);
-		     zone != NULL;
-		     zone = ISC_LIST_NEXT(zone, link))
-			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH))
-				count++;
-		break;
-	case DNS_ZONESTATE_ANY:
-		for (zone = ISC_LIST_HEAD(zmgr->zones);
-		     zone != NULL;
-		     zone = ISC_LIST_NEXT(zone, link)) {
-			dns_view_t *view = zone->view;
-			if (view != NULL && strcmp(view->name, "_bind") == 0)
-				continue;
-			count++;
-		}
-		break;
-	default:
-		INSIST(0);
-	}
-
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
-
-	return (count);
-}
-
-isc_result_t
-dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata) {
-	isc_boolean_t ok = ISC_TRUE;
-	isc_boolean_t fail = ISC_FALSE;
-	char namebuf[DNS_NAME_FORMATSIZE];
-	char namebuf2[DNS_NAME_FORMATSIZE];
-	char typebuf[DNS_RDATATYPE_FORMATSIZE];
-	int level = ISC_LOG_WARNING;
-	dns_name_t bad;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
-		return (ISC_R_SUCCESS);
-
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) {
-		level = ISC_LOG_ERROR;
-		fail = ISC_TRUE;
-	}
-
-	ok = dns_rdata_checkowner(name, rdata->rdclass, rdata->type, ISC_TRUE);
-	if (!ok) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
-		dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf,
-			     dns_result_totext(DNS_R_BADOWNERNAME));
-		if (fail)
-			return (DNS_R_BADOWNERNAME);
-	}
-
-	dns_name_init(&bad, NULL);
-	ok = dns_rdata_checknames(rdata, name, &bad);
-	if (!ok) {
-		dns_name_format(name, namebuf, sizeof(namebuf));
-		dns_name_format(&bad, namebuf2, sizeof(namebuf2));
-		dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
-		dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf,
-			     namebuf2, dns_result_totext(DNS_R_BADNAME));
-		if (fail)
-			return (DNS_R_BADNAME);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->checkmx = checkmx;
-}
-
-void
-dns_zone_setchecksrv(dns_zone_t *zone, dns_checksrvfunc_t checksrv) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->checksrv = checksrv;
-}
-
-void
-dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->checkns = checkns;
-}
-
-void
-dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone->isself = isself;
-	zone->isselfarg = arg;
-	UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setnotifydelay(dns_zone_t *zone, isc_uint32_t delay) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-	zone->notifydelay = delay;
-	UNLOCK_ZONE(zone);
-}
-
-isc_uint32_t
-dns_zone_getnotifydelay(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->notifydelay);
-}
-
-isc_result_t
-dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
-		     isc_uint16_t keyid, isc_boolean_t delete)
-{
-	isc_result_t result;
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	dns_zone_log(zone, ISC_LOG_NOTICE,
-		     "dns_zone_signwithkey(algorithm=%u, keyid=%u)",
-		     algorithm, keyid);
-	LOCK_ZONE(zone);
-	result = zone_signwithkey(zone, algorithm, keyid, delete);
-	UNLOCK_ZONE(zone);
-
-	return (result);
-}
-
-static const char *hex = "0123456789ABCDEF";
-
-isc_result_t
-dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
-	isc_result_t result;
-	char salt[255*2+1];
-	unsigned int i, j;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	if (nsec3param->salt_length != 0) {
-		INSIST((nsec3param->salt_length * 2U) < sizeof(salt));
-		for (i = 0, j = 0; i < nsec3param->salt_length; i++) {
-			salt[j++] = hex[(nsec3param->salt[i] >> 4) & 0xf];
-			salt[j++] = hex[nsec3param->salt[i] & 0xf];
-		}
-		salt[j] = '\0';
-	} else
-		strcpy(salt, "-");
-	dns_zone_log(zone, ISC_LOG_NOTICE,
-		     "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
-		     nsec3param->hash, nsec3param->iterations,
-		     salt);
-	LOCK_ZONE(zone);
-	result = zone_addnsec3chain(zone, nsec3param);
-	UNLOCK_ZONE(zone);
-
-	return (result);
-}
-
-void
-dns_zone_setnodes(dns_zone_t *zone, isc_uint32_t nodes) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	if (nodes == 0)
-		nodes = 1;
-	zone->nodes = nodes;
-}
-
-void
-dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	/*
-	 * We treat signatures as a signed value so explicitly
-	 * limit its range here.
-	 */
-	if (signatures > ISC_INT32_MAX)
-		signatures = ISC_INT32_MAX;
-	else if (signatures == 0)
-		signatures = 1;
-	zone->signatures = signatures;
-}
-
-void
-dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->privatetype = type;
-}
-
-dns_rdatatype_t
-dns_zone_getprivatetype(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (zone->privatetype);
-}
-
-static isc_result_t
-zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid,
-		 isc_boolean_t delete)
-{
-	dns_signing_t *signing;
-	dns_signing_t *current;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_time_t now;
-
-	signing = isc_mem_get(zone->mctx, sizeof *signing);
-	if (signing == NULL)
-		return (ISC_R_NOMEMORY);
-
-	signing->magic = 0;
-	signing->db  = NULL;
-	signing->dbiterator = NULL;
-	signing->algorithm = algorithm;
-	signing->keyid = keyid;
-	signing->delete = delete;
-	signing->done = ISC_FALSE;
-
-	TIME_NOW(&now);
-
-	for (current = ISC_LIST_HEAD(zone->signing);
-	     current != NULL;
-	     current = ISC_LIST_NEXT(current, link)) {
-		if (current->db == zone->db &&
-		    current->algorithm == signing->algorithm &&
-		    current->keyid == signing->keyid) {
-			if (current->delete != signing->delete)
-				current->done = ISC_TRUE;
-			else
-				goto cleanup;
-		}
-	}
-
-	if (zone->db != NULL) {
-		dns_db_attach(zone->db, &signing->db);
-		result = dns_db_createiterator(signing->db, 0,
-					       &signing->dbiterator);
-
-		if (result == ISC_R_SUCCESS)
-			result = dns_dbiterator_first(signing->dbiterator);
-		if (result == ISC_R_SUCCESS) {
-			dns_dbiterator_pause(signing->dbiterator);
-			ISC_LIST_INITANDAPPEND(zone->signing, signing, link);
-			signing = NULL;
-			if (isc_time_isepoch(&zone->signingtime)) {
-				zone->signingtime = now;
-				if (zone->task != NULL)
-					zone_settimer(zone, &now);
-			}
-		}
-	} else
-		result = ISC_R_NOTFOUND;
-
- cleanup:
-	if (signing != NULL) {
-		if (signing->db != NULL)
-			dns_db_detach(&signing->db);
-		if (signing->dbiterator != NULL)
-			dns_dbiterator_destroy(&signing->dbiterator);
-		isc_mem_put(zone->mctx, signing, sizeof *signing);
-	}
-	return (result);
-}
-
-static void
-logmsg(const char *format, ...) {
-	va_list args;
-	va_start(args, format);
-	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
-		       ISC_LOG_DEBUG(1), format, args);
-	va_end(args);
-}
-
-static void
-clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
-	dns_dnsseckey_t *key;
-	while (!ISC_LIST_EMPTY(*list)) {
-		key = ISC_LIST_HEAD(*list);
-		ISC_LIST_UNLINK(*list, key, link);
-		dns_dnsseckey_destroy(mctx, &key);
-	}
-}
-
-/* Called once; *timep should be set to the current time. */
-static isc_result_t
-next_keyevent(dst_key_t *key, isc_stdtime_t *timep) {
-	isc_result_t result;
-	isc_stdtime_t now, then = 0, event;
-	int i;
-
-	now = *timep;
-
-	for (i = 0; i <= DST_MAX_TIMES; i++) {
-		result = dst_key_gettime(key, i, &event);
-		if (result == ISC_R_SUCCESS && event > now &&
-		    (then == 0 || event < then))
-			then = event;
-	}
-
-	if (then != 0) {
-		*timep = then;
-		return (ISC_R_SUCCESS);
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	  const dns_rdata_t *rdata, isc_boolean_t *flag)
-{
-	dns_rdataset_t rdataset;
-	dns_dbnode_t *node = NULL;
-	isc_result_t result;
-
-	dns_rdataset_init(&rdataset);
-	if (rdata->type == dns_rdatatype_nsec3)
-		CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
-	else
-		CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
-	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		*flag = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-		goto failure;
-	}
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		dns_rdata_t myrdata = DNS_RDATA_INIT;
-		dns_rdataset_current(&rdataset, &myrdata);
-		if (!dns_rdata_compare(&myrdata, rdata))
-			break;
-	}
-	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_SUCCESS) {
-		*flag = ISC_TRUE;
-	} else if (result == ISC_R_NOMORE) {
-		*flag = ISC_FALSE;
-		result = ISC_R_SUCCESS;
-	}
-
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-/*
- * Add records to signal the state of signing or of key removal.
- */
-static isc_result_t
-add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
-		    dns_dbversion_t *ver, dns_diff_t *diff,
-		    isc_boolean_t sign_all)
-{
-	dns_difftuple_t *tuple, *newtuple = NULL;
-	dns_rdata_dnskey_t dnskey;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	isc_boolean_t flag;
-	isc_region_t r;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_uint16_t keyid;
-	unsigned char buf[5];
-	dns_name_t *name = dns_db_origin(db);
-
-	for (tuple = ISC_LIST_HEAD(diff->tuples);
-	     tuple != NULL;
-	     tuple = ISC_LIST_NEXT(tuple, link)) {
-		if (tuple->rdata.type != dns_rdatatype_dnskey)
-			continue;
-
-		result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		if ((dnskey.flags &
-		     (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
-			 != DNS_KEYOWNER_ZONE)
-			continue;
-
-		dns_rdata_toregion(&tuple->rdata, &r);
-
-		keyid = dst_region_computeid(&r, dnskey.algorithm);
-
-		buf[0] = dnskey.algorithm;
-		buf[1] = (keyid & 0xff00) >> 8;
-		buf[2] = (keyid & 0xff);
-		buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
-		buf[4] = 0;
-		rdata.data = buf;
-		rdata.length = sizeof(buf);
-		rdata.type = privatetype;
-		rdata.rdclass = tuple->rdata.rdclass;
-
-		if (sign_all || tuple->op == DNS_DIFFOP_DEL) {
-			CHECK(rr_exists(db, ver, name, &rdata, &flag));
-			if (flag)
-				continue;
-			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
-						   name, 0, &rdata, &newtuple));
-			CHECK(do_one_tuple(&newtuple, db, ver, diff));
-			INSIST(newtuple == NULL);
-		}
-
-		/*
-		 * Remove any record which says this operation has already
-		 * completed.
-		 */
-		buf[4] = 1;
-		CHECK(rr_exists(db, ver, name, &rdata, &flag));
-		if (flag) {
-			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
-						   name, 0, &rdata, &newtuple));
-			CHECK(do_one_tuple(&newtuple, db, ver, diff));
-			INSIST(newtuple == NULL);
-		}
-	}
- failure:
-	return (result);
-}
-
-static isc_result_t
-sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	  dns_diff_t *diff, zonediff_t *zonediff)
-{
-	isc_result_t result;
-	isc_stdtime_t now, inception, soaexpire;
-	isc_boolean_t check_ksk, keyset_kskonly;
-	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
-	unsigned int nkeys = 0, i;
-	dns_difftuple_t *tuple;
-
-	result = find_zone_keys(zone, db, ver, zone->mctx, DNS_MAXZONEKEYS,
-				zone_keys, &nkeys);
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "sign_apex:find_zone_keys -> %s",
-			     dns_result_totext(result));
-		return (result);
-	}
-
-	isc_stdtime_get(&now);
-	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
-
-	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
-
-	/*
-	 * See if update_sigs will update DNSKEY signature and if not
-	 * cause them to sign so that so that newly activated keys
-	 * are used.
-	 */
-	for (tuple = ISC_LIST_HEAD(diff->tuples);
-	     tuple != NULL;
-	     tuple = ISC_LIST_NEXT(tuple, link)) {
-		if (tuple->rdata.type == dns_rdatatype_dnskey &&
-		    dns_name_equal(&tuple->name, &zone->origin))
-			break;
-	}
-
-	if (tuple == NULL) {
-		result = del_sigs(zone, db, ver, &zone->origin,
-				  dns_rdatatype_dnskey, zonediff,
-				  zone_keys, nkeys, now, ISC_FALSE);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "sign_apex:del_sigs -> %s",
-				     dns_result_totext(result));
-			goto failure;
-		}
-		result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey,
-				  zonediff->diff, zone_keys, nkeys, zone->mctx,
-				  inception, soaexpire, check_ksk,
-				  keyset_kskonly);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "sign_apex:add_sigs -> %s",
-				     dns_result_totext(result));
-			goto failure;
-		}
-	}
-
-	result = update_sigs(diff, db, ver, zone_keys, nkeys, zone,
-			     inception, soaexpire, now, check_ksk,
-			     keyset_kskonly, zonediff);
-
-	if (result != ISC_R_SUCCESS) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "sign_apex:update_sigs -> %s",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
- failure:
-	for (i = 0; i < nkeys; i++)
-		dst_key_free(&zone_keys[i]);
-	return (result);
-}
-
-/*
- * Prevent the zone entering a inconsistent state where
- * NSEC only DNSKEYs are present with NSEC3 chains.
- * See update.c:check_dnssec()
- */
-static isc_boolean_t
-dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	    dns_diff_t *diff)
-{
-	isc_result_t result;
-	dns_difftuple_t *tuple;
-	isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE;
-	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
-
-	/* Scan the tuples for an NSEC-only DNSKEY */
-	for (tuple = ISC_LIST_HEAD(diff->tuples);
-	     tuple != NULL;
-	     tuple = ISC_LIST_NEXT(tuple, link)) {
-		isc_uint8_t alg;
-		if (tuple->rdata.type != dns_rdatatype_dnskey ||
-		    tuple->op != DNS_DIFFOP_ADD)
-			continue;
-
-		alg = tuple->rdata.data[3];
-		if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
-		    alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
-			nseconly = ISC_TRUE;
-			break;
-		}
-	}
-
-	/* Check existing DB for NSEC-only DNSKEY */
-	if (!nseconly) {
-		result = dns_nsec_nseconly(db, ver, &nseconly);
-		if (result == ISC_R_NOTFOUND)
-			result = ISC_R_SUCCESS;
-		CHECK(result);
-	}
-
-	/* Check existing DB for NSEC3 */
-	if (!nsec3)
-		CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
-					privatetype, &nsec3));
-
-	/* Refuse to allow NSEC3 with NSEC-only keys */
-	if (nseconly && nsec3) {
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			   "NSEC only DNSKEYs and NSEC3 chains not allowed");
-		goto failure;
-	}
-
-	return (ISC_TRUE);
-
- failure:
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-clean_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-		 dns_diff_t *diff)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-
-	dns_rdataset_init(&rdataset);
-	CHECK(dns_db_getoriginnode(db, &node));
-
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
-				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (result != ISC_R_NOTFOUND)
-		goto failure;
-
-	result = dns_nsec3param_deletechains(db, ver, zone, ISC_TRUE, diff);
-
- failure:
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (result);
-}
-
-/*
- * Given an RRSIG rdataset and an algorithm, determine whether there
- * are any signatures using that algorithm.
- */
-static isc_boolean_t
-signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_rrsig_t rrsig;
-	isc_result_t result;
-
-	REQUIRE(rdataset == NULL || rdataset->type == dns_rdatatype_rrsig);
-	if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) {
-		return (ISC_FALSE);
-	}
-
-	for (result = dns_rdataset_first(rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(rdataset))
-	{
-		dns_rdataset_current(rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		dns_rdata_reset(&rdata);
-		if (rrsig.algorithm == alg)
-			return (ISC_TRUE);
-	}
-
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	   dns_diff_t *diff)
-{
-	dns_name_t *origin;
-	isc_boolean_t build_nsec3;
-	isc_result_t result;
-
-	origin = dns_db_origin(db);
-	CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
-				 &build_nsec3));
-	if (build_nsec3)
-		CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone->minimum,
-					   ISC_FALSE, zone->privatetype, diff));
-	CHECK(updatesecure(db, ver, origin, zone->minimum, ISC_TRUE, diff));
-
- failure:
-	return (result);
-}
-
-static void
-zone_rekey(dns_zone_t *zone) {
-	isc_result_t result;
-	dns_db_t *db = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *ver = NULL;
-	dns_rdataset_t soaset, soasigs, keyset, keysigs;
-	dns_dnsseckeylist_t dnskeys, keys, rmkeys;
-	dns_dnsseckey_t *key;
-	dns_diff_t diff, _sig_diff;
-	zonediff_t zonediff;
-	isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
-	isc_boolean_t newalg = ISC_FALSE;
-	isc_boolean_t fullsign;
-	dns_ttl_t ttl = 3600;
-	const char *dir;
-	isc_mem_t *mctx;
-	isc_stdtime_t now;
-	isc_time_t timenow;
-	isc_interval_t ival;
-	char timebuf[80];
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	ISC_LIST_INIT(dnskeys);
-	ISC_LIST_INIT(keys);
-	ISC_LIST_INIT(rmkeys);
-	dns_rdataset_init(&soaset);
-	dns_rdataset_init(&soasigs);
-	dns_rdataset_init(&keyset);
-	dns_rdataset_init(&keysigs);
-	dir = dns_zone_getkeydirectory(zone);
-	mctx = zone->mctx;
-	dns_diff_init(mctx, &diff);
-	dns_diff_init(mctx, &_sig_diff);
-	_sig_diff.resign = zone->sigresigninginterval;
-	zonediff_init(&zonediff, &_sig_diff);
-
-	CHECK(dns_zone_getdb(zone, &db));
-	CHECK(dns_db_newversion(db, &ver));
-	CHECK(dns_db_getoriginnode(db, &node));
-
-	TIME_NOW(&timenow);
-	now = isc_time_seconds(&timenow);
-
-	dns_zone_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
-
-	/* Get the SOA record's TTL */
-	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
-				  dns_rdatatype_none, 0, &soaset, &soasigs));
-	ttl = soaset.ttl;
-	dns_rdataset_disassociate(&soaset);
-
-	/* Get the DNSKEY rdataset */
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
-				     dns_rdatatype_none, 0, &keyset, &keysigs);
-	if (result == ISC_R_SUCCESS) {
-		ttl = keyset.ttl;
-		CHECK(dns_dnssec_keylistfromrdataset(&zone->origin, dir,
-						     mctx, &keyset,
-						     &keysigs, &soasigs,
-						     ISC_FALSE, ISC_FALSE,
-						     &dnskeys));
-	} else if (result != ISC_R_NOTFOUND)
-		goto failure;
-
-	/*
-	 * True when called from "rndc sign".  Indicates the zone should be
-	 * fully signed now.
-	 */
-	fullsign = ISC_TF(DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN) != 0);
-
-	result = dns_dnssec_findmatchingkeys(&zone->origin, dir, mctx, &keys);
-	if (result == ISC_R_SUCCESS) {
-		isc_boolean_t check_ksk;
-		check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-
-		result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
-					       &zone->origin, ttl, &diff,
-					       ISC_TF(!check_ksk),
-					       mctx, logmsg);
-
-		/* Keys couldn't be updated for some reason;
-		 * try again later. */
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
-				     "couldn't update zone keys: %s",
-				     isc_result_totext(result));
-			goto failure;
-		}
-
-		/*
-		 * See if any pre-existing keys have newly become active;
-		 * also, see if any new key is for a new algorithm, as in that
-		 * event, we need to sign the zone fully.  (If there's a new
-		 * key, but it's for an already-existing algorithm, then
-		 * the zone signing can be handled incrementally.)
-		 */
-		for (key = ISC_LIST_HEAD(dnskeys);
-		     key != NULL;
-		     key = ISC_LIST_NEXT(key, link)) {
-			if (!key->first_sign)
-				continue;
-
-			newactive = ISC_TRUE;
-
-			if (!dns_rdataset_isassociated(&keysigs)) {
-				newalg = ISC_TRUE;
-				break;
-			}
-
-			if (signed_with_alg(&keysigs, dst_key_alg(key->key))) {
-				/*
-				 * This isn't a new algorithm; clear
-				 * first_sign so we won't sign the
-				 * whole zone with this key later
-				 */
-				key->first_sign = ISC_FALSE;
-			} else {
-				newalg = ISC_TRUE;
-				break;
-			}
-		}
-
-		if ((newactive || fullsign || !ISC_LIST_EMPTY(diff.tuples)) &&
-		    dnskey_sane(zone, db, ver, &diff)) {
-			CHECK(dns_diff_apply(&diff, db, ver));
-			CHECK(clean_nsec3param(zone, db, ver, &diff));
-			CHECK(add_signing_records(db, zone->privatetype,
-						  ver, &diff,
-						  ISC_TF(newalg || fullsign)));
-			CHECK(update_soa_serial(db, ver, &diff, mctx,
-						zone->updatemethod));
-			CHECK(add_chains(zone, db, ver, &diff));
-			CHECK(sign_apex(zone, db, ver, &diff, &zonediff));
-			CHECK(zone_journal(zone, zonediff.diff, NULL,
-					   "zone_rekey"));
-			commit = ISC_TRUE;
-		}
-	}
-
-	dns_db_closeversion(db, &ver, ISC_TRUE);
-
-	if (commit) {
-		dns_difftuple_t *tuple;
-
-		LOCK_ZONE(zone);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-
-		zone_needdump(zone, DNS_DUMP_DELAY);
-
-		zone_settimer(zone, &timenow);
-
-		/* Remove any signatures from removed keys.  */
-		if (!ISC_LIST_EMPTY(rmkeys)) {
-			for (key = ISC_LIST_HEAD(rmkeys);
-			     key != NULL;
-			     key = ISC_LIST_NEXT(key, link)) {
-				result = zone_signwithkey(zone,
-							  dst_key_alg(key->key),
-							  dst_key_id(key->key),
-							  ISC_TRUE);
-				if (result != ISC_R_SUCCESS) {
-					dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_signwithkey failed: %s",
-					     dns_result_totext(result));
-				}
-			}
-		}
-
-		if (fullsign) {
-			/*
-			 * "rndc sign" was called, so we now sign the zone
-			 * with all active keys, whether they're new or not.
-			 */
-			for (key = ISC_LIST_HEAD(dnskeys);
-			     key != NULL;
-			     key = ISC_LIST_NEXT(key, link)) {
-				if (!key->force_sign && !key->hint_sign)
-					continue;
-
-				result = zone_signwithkey(zone,
-							  dst_key_alg(key->key),
-							  dst_key_id(key->key),
-							  ISC_FALSE);
-				if (result != ISC_R_SUCCESS) {
-					dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_signwithkey failed: %s",
-					     dns_result_totext(result));
-				}
-			}
-		} else if (newalg) {
-			/*
-			 * We haven't been told to sign fully, but a new
-			 * algorithm was added to the DNSKEY.  We sign
-			 * the full zone, but only with newly active
-			 * keys.
-			 */
-			for (key = ISC_LIST_HEAD(dnskeys);
-			     key != NULL;
-			     key = ISC_LIST_NEXT(key, link)) {
-				if (!key->first_sign)
-					continue;
-
-				result = zone_signwithkey(zone,
-							  dst_key_alg(key->key),
-							  dst_key_id(key->key),
-							  ISC_FALSE);
-				if (result != ISC_R_SUCCESS) {
-					dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_signwithkey failed: %s",
-					     dns_result_totext(result));
-				}
-			}
-		}
-
-		/*
-		 * Clear fullsign flag, if it was set, so we don't do
-		 * another full signing next time
-		 */
-		zone->keyopts &= ~DNS_ZONEKEY_FULLSIGN;
-
-		/*
-		 * Cause the zone to add/delete NSEC3 chains for the
-		 * deferred NSEC3PARAM changes.
-		 */
-		for (tuple = ISC_LIST_HEAD(zonediff.diff->tuples);
-		     tuple != NULL;
-		     tuple = ISC_LIST_NEXT(tuple, link)) {
-			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-			dns_rdata_t rdata = DNS_RDATA_INIT;
-			dns_rdata_nsec3param_t nsec3param;
-
-			if (tuple->rdata.type != zone->privatetype ||
-			    tuple->op != DNS_DIFFOP_ADD)
-				continue;
-
-			if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
-							buf, sizeof(buf)))
-				continue;
-			result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if (nsec3param.flags == 0)
-				continue;
-
-			result = zone_addnsec3chain(zone, &nsec3param);
-			if (result != ISC_R_SUCCESS) {
-				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone_addnsec3chain failed: %s",
-					     dns_result_totext(result));
-			}
-		}
-
-		/*
-		 * Activate any NSEC3 chain updates that may have
-		 * been scheduled before this rekey.
-		 */
-		if (fullsign || newalg)
-			resume_addnsec3chain(zone);
-
-		/*
-		 * Schedule the next resigning event
-		 */
-		set_resigntime(zone);
-		UNLOCK_ZONE(zone);
-	}
-
-	isc_time_settoepoch(&zone->refreshkeytime);
-
-	/*
-	 * If we're doing key maintenance, set the key refresh timer to
-	 * the next scheduled key event or to 'dnssec-loadkeys-interval'
-	 * seconds in the future, whichever is sooner.
-	 */
-	if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) {
-		isc_time_t timethen;
-		isc_stdtime_t then;
-
-		LOCK_ZONE(zone);
-		DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval,
-				  &timethen);
-		zone->refreshkeytime = timethen;
-		UNLOCK_ZONE(zone);
-
-		for (key = ISC_LIST_HEAD(dnskeys);
-		     key != NULL;
-		     key = ISC_LIST_NEXT(key, link)) {
-			then = now;
-			result = next_keyevent(key->key, &then);
-			if (result != ISC_R_SUCCESS)
-				continue;
-
-			DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
-			LOCK_ZONE(zone);
-			if (isc_time_compare(&timethen,
-					     &zone->refreshkeytime) < 0) {
-				zone->refreshkeytime = timethen;
-			}
-			UNLOCK_ZONE(zone);
-		}
-
-		zone_settimer(zone, &timenow);
-
-		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
-		dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
-	}
-
- done:
-	dns_diff_clear(&diff);
-	dns_diff_clear(&_sig_diff);
-
-	clear_keylist(&dnskeys, mctx);
-	clear_keylist(&keys, mctx);
-	clear_keylist(&rmkeys, mctx);
-
-	if (ver != NULL)
-		dns_db_closeversion(db, &ver, ISC_FALSE);
-	if (dns_rdataset_isassociated(&keyset))
-		dns_rdataset_disassociate(&keyset);
-	if (dns_rdataset_isassociated(&keysigs))
-		dns_rdataset_disassociate(&keysigs);
-	if (dns_rdataset_isassociated(&soasigs))
-		dns_rdataset_disassociate(&soasigs);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (db != NULL)
-		dns_db_detach(&db);
-	return;
-
- failure:
-	/*
-	 * Something went wrong; try again in ten minutes or
-	 * after a key refresh interval, whichever is shorter.
-	 */
-	isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), 0);
-	isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
-	goto done;
-}
-
-void
-dns_zone_rekey(dns_zone_t *zone, isc_boolean_t fullsign) {
-	isc_time_t now;
-
-	if (zone->type == dns_zone_master && zone->task != NULL) {
-		LOCK_ZONE(zone);
-
-		if (fullsign)
-			zone->keyopts |= DNS_ZONEKEY_FULLSIGN;
-
-		TIME_NOW(&now);
-		zone->refreshkeytime = now;
-		zone_settimer(zone, &now);
-
-		UNLOCK_ZONE(zone);
-	}
-}
-
-isc_result_t
-dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
-		 unsigned int *errors)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(errors != NULL);
-
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = zone_count_ns_rr(zone, db, node, version, NULL, errors,
-				  ISC_FALSE);
-	dns_db_detachnode(db, &node);
-	return (result);
-}
-
-void
-dns_zone_setadded(dns_zone_t *zone, isc_boolean_t added) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	LOCK_ZONE(zone);
-	zone->added = added;
-	UNLOCK_ZONE(zone);
-}
-
-isc_boolean_t
-dns_zone_getadded(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (zone->added);
-}
-
-isc_result_t
-dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db)
-{
-	isc_time_t loadtime;
-	isc_result_t result;
-
-	TIME_NOW(&loadtime);
-
-	/*
-	 * Lock hierarchy: zmgr, zone, raw.
-	 */
-	LOCK_ZONE(zone);
-	if (inline_secure(zone))
-		LOCK_ZONE(zone->raw);
-	result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
-	if (inline_secure(zone))
-		UNLOCK_ZONE(zone->raw);
-	UNLOCK_ZONE(zone);
-	return result;
-}
-
-isc_result_t
-dns_zone_setrefreshkeyinterval(dns_zone_t *zone, isc_uint32_t interval) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	if (interval == 0)
-		return (ISC_R_RANGE);
-	/* Maximum value: 24 hours (3600 minutes) */
-	if (interval > (24 * 60))
-		interval = (24 * 60);
-	/* Multiply by 60 for seconds */
-	zone->refreshkeyinterval = interval * 60;
-	return (ISC_R_SUCCESS);
-}
-
-void
-dns_zone_setrequestixfr(dns_zone_t *zone, isc_boolean_t flag) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->requestixfr = flag;
-}
-
-isc_boolean_t
-dns_zone_getrequestixfr(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return (zone->requestixfr);
-}
-
-void
-dns_zone_setserialupdatemethod(dns_zone_t *zone, dns_updatemethod_t method) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->updatemethod = method;
-}
-
-dns_updatemethod_t
-dns_zone_getserialupdatemethod(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	return(zone->updatemethod);
-}
-
-/*
- * Lock hierarchy: zmgr, zone, raw.
- */
-isc_result_t
-dns_zone_link(dns_zone_t *zone, dns_zone_t *raw) {
-	isc_result_t result;
-	dns_zonemgr_t *zmgr;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(zone->zmgr != NULL);
-	REQUIRE(zone->task != NULL);
-	REQUIRE(zone->loadtask != NULL);
-	REQUIRE(zone->raw == NULL);
-
-	REQUIRE(DNS_ZONE_VALID(raw));
-	REQUIRE(raw->zmgr == NULL);
-	REQUIRE(raw->task == NULL);
-	REQUIRE(raw->loadtask == NULL);
-	REQUIRE(raw->secure == NULL);
-
-	/*
-	 * Lock hierarchy: zmgr, zone, raw.
-	 */
-	zmgr = zone->zmgr;
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	LOCK_ZONE(zone);
-	LOCK_ZONE(raw);
-
-	result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive,
-				  NULL, NULL, zone->task, zone_timer, raw,
-				  &raw->timer);
-	if (result != ISC_R_SUCCESS)
-		goto unlock;
-
-	/*
-	 * The timer "holds" a iref.
-	 */
-	raw->irefs++;
-	INSIST(raw->irefs != 0);
-
-
-	/* dns_zone_attach(raw, &zone->raw); */
-	isc_refcount_increment(&raw->erefs, NULL);
-	zone->raw = raw;
-
-	/* dns_zone_iattach(zone,  &raw->secure); */
-	zone_iattach(zone, &raw->secure);
-
-	isc_task_attach(zone->task, &raw->task);
-	isc_task_attach(zone->loadtask, &raw->loadtask);
-
-	ISC_LIST_APPEND(zmgr->zones, raw, link);
-	raw->zmgr = zmgr;
-	zmgr->refs++;
-
- unlock:
-	UNLOCK_ZONE(raw);
-	UNLOCK_ZONE(zone);
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	return (result);
-}
-
-void
-dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(raw != NULL && *raw == NULL);
-
-	LOCK(&zone->lock);
-	if (zone->raw != NULL)
-		dns_zone_attach(zone->raw, raw);
-	UNLOCK(&zone->lock);
-}
-
-struct keydone {
-	isc_event_t event;
-	isc_boolean_t all;
-	unsigned char data[5];
-};
-
-#define PENDINGFLAGS (DNS_NSEC3FLAG_CREATE|DNS_NSEC3FLAG_INITIAL)
-
-static void
-keydone(isc_task_t *task, isc_event_t *event) {
-	const char *me = "keydone";
-	isc_boolean_t commit = ISC_FALSE;
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_dbversion_t *oldver = NULL, *newver = NULL;
-	dns_zone_t *zone;
-	dns_db_t *db = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_diff_t diff;
-	struct keydone *keydone = (struct keydone *)event;
-	dns_update_log_t log = { update_log_cb, NULL };
-	isc_boolean_t clear_pending = ISC_FALSE;
-
-	UNUSED(task);
-
-	zone = event->ev_arg;
-	INSIST(DNS_ZONE_VALID(zone));
-
-	ENTER;
-
-	dns_rdataset_init(&rdataset);
-	dns_diff_init(zone->mctx, &diff);
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL) {
-		dns_db_attach(zone->db, &db);
-		dns_db_currentversion(db, &oldver);
-		result = dns_db_newversion(db, &newver);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "keydone:dns_db_newversion -> %s",
-				     dns_result_totext(result));
-			goto failure;
-		}
-	}
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-	if (db == NULL)
-		goto failure;
-
-	result = dns_db_getoriginnode(db, &node);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	result = dns_db_findrdataset(db, node, newver, zone->privatetype,
-				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto failure;
-	}
-	if (result != ISC_R_SUCCESS) {
-		INSIST(!dns_rdataset_isassociated(&rdataset));
-		goto failure;
-	}
-
-	for (result = dns_rdataset_first(&rdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&rdataset)) {
-		isc_boolean_t found = ISC_FALSE;
-
-		dns_rdataset_current(&rdataset, &rdata);
-
-		if (keydone->all) {
-			if (rdata.length == 5 && rdata.data[0] != 0 &&
-			       rdata.data[3] == 0 && rdata.data[4] == 1)
-				found = ISC_TRUE;
-			else if (rdata.data[0] == 0 &&
-				 (rdata.data[2] & PENDINGFLAGS) != 0) {
-				found = ISC_TRUE;
-				clear_pending = ISC_TRUE;
-			}
-		} else if (rdata.length == 5 &&
-			   memcmp(rdata.data, keydone->data, 5) == 0)
-			found = ISC_TRUE;
-
-		if (found)
-			CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL,
-					    &zone->origin, rdataset.ttl,
-					    &rdata));
-		dns_rdata_reset(&rdata);
-	}
-
-	if (!ISC_LIST_EMPTY(diff.tuples)) {
-		/* Write changes to journal file. */
-		CHECK(update_soa_serial(db, newver, &diff, zone->mctx,
-					zone->updatemethod));
-
-		result = dns_update_signatures(&log, zone, db,
-					       oldver, newver, &diff,
-					       zone->sigvalidityinterval);
-		if (!clear_pending)
-			CHECK(result);
-
-		CHECK(zone_journal(zone, &diff, NULL, "keydone"));
-		commit = ISC_TRUE;
-
-		LOCK_ZONE(zone);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
-		zone_needdump(zone, 30);
-		UNLOCK_ZONE(zone);
-	}
-
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (db != NULL) {
-		if (node != NULL)
-			dns_db_detachnode(db, &node);
-		if (oldver != NULL)
-			dns_db_closeversion(db, &oldver, ISC_FALSE);
-		if (newver != NULL)
-			dns_db_closeversion(db, &newver, commit);
-		dns_db_detach(&db);
-	}
-	dns_diff_clear(&diff);
-	isc_event_free(&event);
-	dns_zone_idetach(&zone);
-}
-
-isc_result_t
-dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_event_t *e;
-	isc_buffer_t b;
-	dns_zone_t *dummy = NULL;
-	struct keydone *kd;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK_ZONE(zone);
-
-	e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_KEYDONE, keydone,
-			       zone, sizeof(struct keydone));
-	if (e == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto failure;
-	}
-
-	kd = (struct keydone *) e;
-	if (strcasecmp(keystr, "all") == 0)
-		kd->all = ISC_TRUE;
-	else {
-		isc_textregion_t r;
-		char *algstr;
-		dns_keytag_t keyid;
-		dns_secalg_t alg;
-		size_t n;
-
-		kd->all = ISC_FALSE;
-
-		n = sscanf(keystr, "%hd/", &keyid);
-		if (n == 0U)
-			CHECK(ISC_R_FAILURE);
-
-		algstr = strchr(keystr, '/');
-		if (algstr != NULL)
-			algstr++;
-		else
-			CHECK(ISC_R_FAILURE);
-
-		n = sscanf(algstr, "%hhd", &alg);
-		if (n == 0U) {
-			DE_CONST(algstr, r.base);
-			r.length = strlen(algstr);
-			CHECK(dns_secalg_fromtext(&alg, &r));
-		}
-
-		/* construct a private-type rdata */
-		isc_buffer_init(&b, kd->data, sizeof(kd->data));
-		isc_buffer_putuint8(&b, alg);
-		isc_buffer_putuint8(&b, (keyid & 0xff00) >> 8);
-		isc_buffer_putuint8(&b, (keyid & 0xff));
-		isc_buffer_putuint8(&b, 0);
-		isc_buffer_putuint8(&b, 1);
-	}
-
-	zone_iattach(zone, &dummy);
-	isc_task_send(zone->task, &e);
-
- failure:
-	if (e != NULL)
-		isc_event_free(&e);
-	UNLOCK_ZONE(zone);
-	return (result);
-}
-
-struct nsec3param {
-	isc_event_t event;
-	unsigned char data[DNS_NSEC3PARAM_BUFFERSIZE + 1];
-	unsigned int length;
-	isc_boolean_t nsec;
-	isc_boolean_t replace;
-};
-
-static void
-setnsec3param(isc_task_t *task, isc_event_t *event) {
-	const char *me = "setnsec3param";
-	isc_boolean_t commit = ISC_FALSE;
-	isc_result_t result;
-	dns_dbversion_t *oldver = NULL, *newver = NULL;
-	dns_zone_t *zone;
-	dns_db_t *db = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t prdataset, nrdataset;
-	dns_diff_t diff;
-	struct nsec3param *np = (struct nsec3param *)event;
-	dns_update_log_t log = { update_log_cb, NULL };
-	dns_rdata_t rdata;
-	isc_boolean_t nseconly;
-	isc_boolean_t exists = ISC_FALSE;
-
-	UNUSED(task);
-
-	zone = event->ev_arg;
-	INSIST(DNS_ZONE_VALID(zone));
-
-	ENTER;
-
-	dns_rdataset_init(&prdataset);
-	dns_rdataset_init(&nrdataset);
-	dns_diff_init(zone->mctx, &diff);
-
-	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	if (zone->db != NULL) {
-		dns_db_attach(zone->db, &db);
-		dns_db_currentversion(db, &oldver);
-		result = dns_db_newversion(db, &newver);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "setnsec3param:dns_db_newversion -> %s",
-				     dns_result_totext(result));
-			goto failure;
-		}
-	}
-	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
-	if (db == NULL)
-		goto failure;
-
-	CHECK(dns_db_getoriginnode(db, &node));
-
-	/*
-	 * Does a private-type record already exist for this chain?
-	 */
-	result = dns_db_findrdataset(db, node, newver, zone->privatetype,
-				     dns_rdatatype_none, 0, &prdataset, NULL);
-	if (result == ISC_R_SUCCESS) {
-		for (result = dns_rdataset_first(&prdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&prdataset)) {
-			dns_rdata_init(&rdata);
-			dns_rdataset_current(&prdataset, &rdata);
-
-			if (np->length == rdata.length &&
-			    memcmp(rdata.data, np->data, np->length) == 0) {
-				exists = ISC_TRUE;
-				break;
-			}
-		}
-	} else if (result != ISC_R_NOTFOUND) {
-		INSIST(!dns_rdataset_isassociated(&prdataset));
-		goto failure;
-	}
-
-	/*
-	 * Does the chain already exist?
-	 */
-	result = dns_db_findrdataset(db, node, newver,
-				     dns_rdatatype_nsec3param,
-				     dns_rdatatype_none, 0, &nrdataset, NULL);
-	if (result == ISC_R_SUCCESS) {
-		for (result = dns_rdataset_first(&nrdataset);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&nrdataset)) {
-			dns_rdata_init(&rdata);
-			dns_rdataset_current(&nrdataset, &rdata);
-
-			if (np->length == (rdata.length + 1) &&
-			    memcmp(rdata.data, np->data + 1,
-				   np->length - 1) == 0)
-			{
-				exists = ISC_TRUE;
-				break;
-			}
-		}
-	} else if (result != ISC_R_NOTFOUND) {
-		INSIST(!dns_rdataset_isassociated(&nrdataset));
-		goto failure;
-	}
-
-
-	/*
-	 * We need to remove any existing NSEC3 chains.
-	 */
-	if (!exists && np->replace && (np->length != 0 || np->nsec))
-		CHECK(dns_nsec3param_deletechains(db, newver, zone,
-						  !np->nsec, &diff));
-
-	if (!exists && np->length != 0) {
-		/*
-		 * We're creating an NSEC3 chain.
-		 *
-		 * If the zone is not currently capable of supporting
-		 * an NSEC3 chain, add the INITIAL flag, so these
-		 * parameters can be used later when NSEC3 becomes
-		 * available.
-		 */
-		dns_rdata_init(&rdata);
-
-		np->data[2] |= DNS_NSEC3FLAG_CREATE;
-		result = dns_nsec_nseconly(db, newver, &nseconly);
-		if (result == ISC_R_NOTFOUND || nseconly)
-			np->data[2] |= DNS_NSEC3FLAG_INITIAL;
-
-		rdata.length = np->length;
-		rdata.data = np->data;
-		rdata.type = zone->privatetype;
-		rdata.rdclass = zone->rdclass;
-		CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_ADD,
-				    &zone->origin, 0, &rdata));
-	}
-
-	if (!ISC_LIST_EMPTY(diff.tuples)) {
-		/* Write changes to journal file. */
-		CHECK(update_soa_serial(db, newver, &diff, zone->mctx,
-					zone->updatemethod));
-		result = dns_update_signatures(&log, zone, db,
-					       oldver, newver, &diff,
-					       zone->sigvalidityinterval);
-		if (result != ISC_R_NOTFOUND)
-			CHECK(result);
-		CHECK(zone_journal(zone, &diff, NULL, "setnsec3param"));
-		commit = ISC_TRUE;
-
-		LOCK_ZONE(zone);
-		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
-		zone_needdump(zone, 30);
-		UNLOCK_ZONE(zone);
-	}
-
- failure:
-	if (dns_rdataset_isassociated(&prdataset))
-		dns_rdataset_disassociate(&prdataset);
-	if (dns_rdataset_isassociated(&nrdataset))
-		dns_rdataset_disassociate(&nrdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (oldver != NULL)
-		dns_db_closeversion(db, &oldver, ISC_FALSE);
-	if (newver != NULL)
-		dns_db_closeversion(db, &newver, commit);
-	if (db != NULL)
-		dns_db_detach(&db);
-	if (commit)
-		resume_addnsec3chain(zone);
-	dns_diff_clear(&diff);
-	isc_event_free(&event);
-	dns_zone_idetach(&zone);
-}
-
-isc_result_t
-dns_zone_setnsec3param(dns_zone_t *zone, isc_uint8_t hash, isc_uint8_t flags,
-		       isc_uint16_t iter, isc_uint8_t saltlen,
-		       unsigned char *salt, isc_boolean_t replace)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_rdata_nsec3param_t param;
-	dns_rdata_t nrdata = DNS_RDATA_INIT;
-	dns_rdata_t prdata = DNS_RDATA_INIT;
-	unsigned char nbuf[DNS_NSEC3PARAM_BUFFERSIZE];
-	struct nsec3param *np;
-	dns_zone_t *dummy = NULL;
-	isc_buffer_t b;
-	isc_event_t *e;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(salt != NULL);
-
-	LOCK_ZONE(zone);
-
-	e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_SETNSEC3PARAM,
-			       setnsec3param, zone, sizeof(struct nsec3param));
-	if (e == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto failure;
-	}
-
-	np = (struct nsec3param *) e;
-	np->replace = replace;
-	if (hash == 0) {
-		np->length = 0;
-		np->nsec = ISC_TRUE;
-	} else {
-		param.common.rdclass = zone->rdclass;
-		param.common.rdtype = dns_rdatatype_nsec3param;
-		ISC_LINK_INIT(&param.common, link);
-		param.mctx = NULL;
-		param.hash = hash;
-		param.flags = flags;
-		param.iterations = iter;
-		param.salt_length = saltlen;
-		param.salt = salt;
-		isc_buffer_init(&b, nbuf, sizeof(nbuf));
-		CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass,
-					   dns_rdatatype_nsec3param,
-					   &param, &b));
-		dns_nsec3param_toprivate(&nrdata, &prdata, zone->privatetype,
-					 np->data, sizeof(np->data));
-		np->length = prdata.length;
-	}
-
-	zone_iattach(zone, &dummy);
-	isc_task_send(zone->task, &e);
-
- failure:
-	if (e != NULL)
-		isc_event_free(&e);
-	UNLOCK_ZONE(zone);
-	return (result);
-}
-
-void
-dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	zone->statlevel = level;
-}
-
-dns_zonestat_level_t
-dns_zone_getstatlevel(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->statlevel);
-}
diff --git a/contrib/bind9/lib/dns/zonekey.c b/contrib/bind9/lib/dns/zonekey.c
deleted file mode 100644
index bf7474b..0000000
--- a/contrib/bind9/lib/dns/zonekey.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zonekey.c,v 1.9 2007/06/19 23:47:16 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/types.h>
-#include <dns/zonekey.h>
-
-isc_boolean_t
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
-	isc_result_t result;
-	dns_rdata_dnskey_t key;
-	isc_boolean_t iszonekey = ISC_TRUE;
-
-	REQUIRE(keyrdata != NULL);
-
-	result = dns_rdata_tostruct(keyrdata, &key, NULL);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_FALSE);
-
-	if ((key.flags & DNS_KEYTYPE_NOAUTH) != 0)
-		iszonekey = ISC_FALSE;
-	if ((key.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
-		iszonekey = ISC_FALSE;
-	if (key.protocol != DNS_KEYPROTO_DNSSEC &&
-	key.protocol != DNS_KEYPROTO_ANY)
-		iszonekey = ISC_FALSE;
-	
-	return (iszonekey);
-}
diff --git a/contrib/bind9/lib/dns/zt.c b/contrib/bind9/lib/dns/zt.c
deleted file mode 100644
index eb1e424..0000000
--- a/contrib/bind9/lib/dns/zt.c
+++ /dev/null
@@ -1,539 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/file.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rbt.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-struct dns_zt {
-	/* Unlocked. */
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-	dns_rdataclass_t	rdclass;
-	isc_rwlock_t		rwlock;
-	dns_zt_allloaded_t	loaddone;
-	void *			loaddone_arg;
-	/* Locked by lock. */
-	isc_boolean_t		flush;
-	isc_uint32_t		references;
-	unsigned int		loads_pending;
-	dns_rbt_t		*table;
-};
-
-#define ZTMAGIC			ISC_MAGIC('Z', 'T', 'b', 'l')
-#define VALID_ZT(zt) 		ISC_MAGIC_VALID(zt, ZTMAGIC)
-
-static void
-auto_detach(void *, void *);
-
-static isc_result_t
-load(dns_zone_t *zone, void *uap);
-
-static isc_result_t
-asyncload(dns_zone_t *zone, void *callback);
-
-static isc_result_t
-loadnew(dns_zone_t *zone, void *uap);
-
-static isc_result_t
-freezezones(dns_zone_t *zone, void *uap);
-
-static isc_result_t
-doneloading(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task);
-
-isc_result_t
-dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp)
-{
-	dns_zt_t *zt;
-	isc_result_t result;
-
-	REQUIRE(ztp != NULL && *ztp == NULL);
-
-	zt = isc_mem_get(mctx, sizeof(*zt));
-	if (zt == NULL)
-		return (ISC_R_NOMEMORY);
-
-	zt->table = NULL;
-	result = dns_rbt_create(mctx, auto_detach, zt, &zt->table);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_zt;
-
-	result = isc_rwlock_init(&zt->rwlock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_rbt;
-
-	zt->mctx = NULL;
-	isc_mem_attach(mctx, &zt->mctx);
-	zt->references = 1;
-	zt->flush = ISC_FALSE;
-	zt->rdclass = rdclass;
-	zt->magic = ZTMAGIC;
-	zt->loaddone = NULL;
-	zt->loaddone_arg = NULL;
-	zt->loads_pending = 0;
-	*ztp = zt;
-
-	return (ISC_R_SUCCESS);
-
-   cleanup_rbt:
-	dns_rbt_destroy(&zt->table);
-
-   cleanup_zt:
-	isc_mem_put(mctx, zt, sizeof(*zt));
-
-	return (result);
-}
-
-isc_result_t
-dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone) {
-	isc_result_t result;
-	dns_zone_t *dummy = NULL;
-	dns_name_t *name;
-
-	REQUIRE(VALID_ZT(zt));
-
-	name = dns_zone_getorigin(zone);
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	result = dns_rbt_addname(zt->table, name, zone);
-	if (result == ISC_R_SUCCESS)
-		dns_zone_attach(zone, &dummy);
-
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	return (result);
-}
-
-isc_result_t
-dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone) {
-	isc_result_t result;
-	dns_name_t *name;
-
-	REQUIRE(VALID_ZT(zt));
-
-	name = dns_zone_getorigin(zone);
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	result = dns_rbt_deletename(zt->table, name, ISC_FALSE);
-
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	return (result);
-}
-
-isc_result_t
-dns_zt_find(dns_zt_t *zt, dns_name_t *name, unsigned int options,
-	    dns_name_t *foundname, dns_zone_t **zonep)
-{
-	isc_result_t result;
-	dns_zone_t *dummy = NULL;
-	unsigned int rbtoptions = 0;
-
-	REQUIRE(VALID_ZT(zt));
-
-	if ((options & DNS_ZTFIND_NOEXACT) != 0)
-		rbtoptions |= DNS_RBTFIND_NOEXACT;
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
-
-	result = dns_rbt_findname(zt->table, name, rbtoptions, foundname,
-				  (void **) (void*)&dummy);
-	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-		dns_zone_attach(dummy, zonep);
-
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
-
-	return (result);
-}
-
-void
-dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp) {
-
-	REQUIRE(VALID_ZT(zt));
-	REQUIRE(ztp != NULL && *ztp == NULL);
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	INSIST(zt->references > 0);
-	zt->references++;
-	INSIST(zt->references != 0);
-
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	*ztp = zt;
-}
-
-static isc_result_t
-flush(dns_zone_t *zone, void *uap) {
-	UNUSED(uap);
-	return (dns_zone_flush(zone));
-}
-
-static void
-zt_destroy(dns_zt_t *zt) {
-	if (zt->flush)
-		(void)dns_zt_apply(zt, ISC_FALSE, flush, NULL);
-	dns_rbt_destroy(&zt->table);
-	isc_rwlock_destroy(&zt->rwlock);
-	zt->magic = 0;
-	isc_mem_putanddetach(&zt->mctx, zt, sizeof(*zt));
-}
-
-static void
-zt_flushanddetach(dns_zt_t **ztp, isc_boolean_t need_flush) {
-	isc_boolean_t destroy = ISC_FALSE;
-	dns_zt_t *zt;
-
-	REQUIRE(ztp != NULL && VALID_ZT(*ztp));
-
-	zt = *ztp;
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	INSIST(zt->references > 0);
-	zt->references--;
-	if (zt->references == 0)
-		destroy = ISC_TRUE;
-	if (need_flush)
-		zt->flush = ISC_TRUE;
-
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	if (destroy)
-		zt_destroy(zt);
-
-	*ztp = NULL;
-}
-
-void
-dns_zt_flushanddetach(dns_zt_t **ztp) {
-	zt_flushanddetach(ztp, ISC_TRUE);
-}
-
-void
-dns_zt_detach(dns_zt_t **ztp) {
-	zt_flushanddetach(ztp, ISC_FALSE);
-}
-
-isc_result_t
-dns_zt_load(dns_zt_t *zt, isc_boolean_t stop) {
-	isc_result_t result;
-
-	REQUIRE(VALID_ZT(zt));
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
-	result = dns_zt_apply(zt, stop, load, NULL);
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
-	return (result);
-}
-
-static isc_result_t
-load(dns_zone_t *zone, void *uap) {
-	isc_result_t result;
-	UNUSED(uap);
-
-	result = dns_zone_load(zone);
-	if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE)
-		result = ISC_R_SUCCESS;
-
-	return (result);
-}
-
-isc_result_t
-dns_zt_asyncload(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg) {
-	isc_result_t result;
-	static dns_zt_zoneloaded_t dl = doneloading;
-	int pending;
-
-	REQUIRE(VALID_ZT(zt));
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	INSIST(zt->loads_pending == 0);
-	result = dns_zt_apply2(zt, ISC_FALSE, NULL, asyncload, &dl);
-
-	pending = zt->loads_pending;
-	if (pending != 0) {
-		zt->loaddone = alldone;
-		zt->loaddone_arg = arg;
-	}
-
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	if (pending == 0)
-		alldone(arg);
-
-	return (result);
-}
-
-/*
- * Initiates asynchronous loading of zone 'zone'.  'callback' is a
- * pointer to a function which will be used to inform the caller when
- * the zone loading is complete.
- */
-static isc_result_t
-asyncload(dns_zone_t *zone, void *callback) {
-	isc_result_t result;
-	dns_zt_zoneloaded_t *loaded = callback;
-	dns_zt_t *zt;
-
-	REQUIRE(zone != NULL);
-	zt = dns_zone_getview(zone)->zonetable;
-	INSIST(VALID_ZT(zt));
-
-	result = dns_zone_asyncload(zone, *loaded, zt);
-	if (result == ISC_R_SUCCESS) {
-		INSIST(zt->references > 0);
-		zt->references++;
-		INSIST(zt->references != 0);
-		zt->loads_pending++;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_zt_loadnew(dns_zt_t *zt, isc_boolean_t stop) {
-	isc_result_t result;
-
-	REQUIRE(VALID_ZT(zt));
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
-	result = dns_zt_apply(zt, stop, loadnew, NULL);
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
-	return (result);
-}
-
-static isc_result_t
-loadnew(dns_zone_t *zone, void *uap) {
-	isc_result_t result;
-	UNUSED(uap);
-
-	result = dns_zone_loadnew(zone);
-	if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE ||
-	    result == DNS_R_DYNAMIC)
-		result = ISC_R_SUCCESS;
-	return (result);
-}
-
-isc_result_t
-dns_zt_freezezones(dns_zt_t *zt, isc_boolean_t freeze) {
-	isc_result_t result, tresult;
-
-	REQUIRE(VALID_ZT(zt));
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
-	result = dns_zt_apply2(zt, ISC_FALSE, &tresult, freezezones, &freeze);
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
-	if (tresult == ISC_R_NOTFOUND)
-		tresult = ISC_R_SUCCESS;
-	return ((result == ISC_R_SUCCESS) ? tresult : result);
-}
-
-static isc_result_t
-freezezones(dns_zone_t *zone, void *uap) {
-	isc_boolean_t freeze = *(isc_boolean_t *)uap;
-	isc_boolean_t frozen;
-	isc_result_t result = ISC_R_SUCCESS;
-	char classstr[DNS_RDATACLASS_FORMATSIZE];
-	char zonename[DNS_NAME_FORMATSIZE];
-	dns_zone_t *raw = NULL;
-	dns_view_t *view;
-	const char *vname;
-	const char *sep;
-	int level;
-
-	dns_zone_getraw(zone, &raw);
-	if (raw != NULL)
-		zone = raw;
-	if (dns_zone_gettype(zone) != dns_zone_master) {
-		if (raw != NULL)
-			dns_zone_detach(&raw);
-		return (ISC_R_SUCCESS);
-	}
-	if (!dns_zone_isdynamic(zone, ISC_TRUE)) {
-		if (raw != NULL)
-			dns_zone_detach(&raw);
-		return (ISC_R_SUCCESS);
-	}
-
-	frozen = dns_zone_getupdatedisabled(zone);
-	if (freeze) {
-		if (frozen)
-			result = DNS_R_FROZEN;
-		if (result == ISC_R_SUCCESS)
-			result = dns_zone_flush(zone);
-	} else {
-		if (frozen) {
-			result = dns_zone_load(zone);
-			if (result == DNS_R_CONTINUE ||
-			    result == DNS_R_UPTODATE)
-				result = ISC_R_SUCCESS;
-		}
-	}
-	if (result == ISC_R_SUCCESS)
-		dns_zone_setupdatedisabled(zone, freeze);
-	view = dns_zone_getview(zone);
-	if (strcmp(view->name, "_bind") == 0 ||
-	    strcmp(view->name, "_default") == 0)
-	{
-		vname = "";
-		sep = "";
-	} else {
-		vname = view->name;
-		sep = " ";
-	}
-	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
-			      sizeof(classstr));
-	dns_name_format(dns_zone_getorigin(zone), zonename, sizeof(zonename));
-	level = (result != ISC_R_SUCCESS) ? ISC_LOG_ERROR : ISC_LOG_DEBUG(1);
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
-		      level, "%s zone '%s/%s'%s%s: %s",
-		      freeze ? "freezing" : "thawing",
-		      zonename, classstr, sep, vname,
-		      isc_result_totext(result));
-	if (raw != NULL)
-		dns_zone_detach(&raw);
-	return (result);
-}
-
-isc_result_t
-dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
-	     isc_result_t (*action)(dns_zone_t *, void *), void *uap)
-{
-	return (dns_zt_apply2(zt, stop, NULL, action, uap));
-}
-
-isc_result_t
-dns_zt_apply2(dns_zt_t *zt, isc_boolean_t stop, isc_result_t *sub,
-	      isc_result_t (*action)(dns_zone_t *, void *), void *uap)
-{
-	dns_rbtnode_t *node;
-	dns_rbtnodechain_t chain;
-	isc_result_t result, tresult = ISC_R_SUCCESS;
-	dns_zone_t *zone;
-
-	REQUIRE(VALID_ZT(zt));
-	REQUIRE(action != NULL);
-
-	dns_rbtnodechain_init(&chain, zt->mctx);
-	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
-	if (result == ISC_R_NOTFOUND) {
-		/*
-		 * The tree is empty.
-		 */
-		tresult = result;
-		result = ISC_R_NOMORE;
-	}
-	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
-		result = dns_rbtnodechain_current(&chain, NULL, NULL,
-						  &node);
-		if (result == ISC_R_SUCCESS) {
-			zone = node->data;
-			if (zone != NULL)
-				result = (action)(zone, uap);
-			if (result != ISC_R_SUCCESS && stop) {
-				tresult = result;
-				goto cleanup;	/* don't break */
-			} else if (result != ISC_R_SUCCESS &&
-				   tresult == ISC_R_SUCCESS)
-				tresult = result;
-		}
-		result = dns_rbtnodechain_next(&chain, NULL, NULL);
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-
- cleanup:
-	dns_rbtnodechain_invalidate(&chain);
-	if (sub != NULL)
-		*sub = tresult;
-
-	return (result);
-}
-
-/*
- * Decrement the loads_pending counter; when counter reaches
- * zero, call the loaddone callback that was initially set by
- * dns_zt_asyncload().
- */
-static isc_result_t
-doneloading(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task) {
-	isc_boolean_t destroy = ISC_FALSE;
-	dns_zt_allloaded_t alldone = NULL;
-	void *arg = NULL;
-
-	UNUSED(zone);
-	UNUSED(task);
-
-	REQUIRE(VALID_ZT(zt));
-
-	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-	INSIST(zt->loads_pending != 0);
-	INSIST(zt->references != 0);
-	zt->references--;
-	if (zt->references == 0)
-		destroy = ISC_TRUE;
-	zt->loads_pending--;
-	if (zt->loads_pending == 0) {
-		alldone = zt->loaddone;
-		arg = zt->loaddone_arg;
-		zt->loaddone = NULL;
-		zt->loaddone_arg = NULL;
-	}
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
-	if (alldone != NULL)
-		alldone(arg);
-
-	if (destroy)
-		zt_destroy(zt);
-
-	return (ISC_R_SUCCESS);
-}
-
-/***
- *** Private
- ***/
-
-static void
-auto_detach(void *data, void *arg) {
-	dns_zone_t *zone = data;
-
-	UNUSED(arg);
-
-	dns_zone_detach(&zone);
-}
diff --git a/contrib/bind9/lib/export/Makefile.in b/contrib/bind9/lib/export/Makefile.in
deleted file mode 100644
index 1fd7216..0000000
--- a/contrib/bind9/lib/export/Makefile.in
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-# Note: the order of SUBDIRS is important.
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-SUBDIRS =	isc dns isccfg irs samples
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/dns/Makefile.in b/contrib/bind9/lib/export/dns/Makefile.in
deleted file mode 100644
index f575f86..0000000
--- a/contrib/bind9/lib/export/dns/Makefile.in
+++ /dev/null
@@ -1,181 +0,0 @@
-# Copyright (C) 2009-2013  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-top_srcdir =	@top_srcdir@
-srcdir =	@top_srcdir@/lib/dns
-export_srcdir =	@top_srcdir@/lib/export
-
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-
-@BIND9_VERSION@
-
-@LIBDNS_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} -I${export_srcdir}/isc/include \
-		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-
-CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
-
-CWARNINGS =
-
-ISCLIBS =	../isc/libisc.@A@
-
-ISCDEPLIBS =	../isc/libisc.@A@
-
-LIBS =		@LIBS@
-
-# Alphabetically
-
-OPENSSLGOSTLINKOBJS = opensslgost_link.@O@
-OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
-		opensslecdsa_link.@O@ @OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@
-
-DSTOBJS =	@OPENSSLLINKOBJS@ \
-		dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
-		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@
-
-DNSOBJS =	acl.@O@ adb.@O@ byaddr.@O@ \
-		cache.@O@ callbacks.@O@ client.@O@ compress.@O@ \
-		db.@O@ dbiterator.@O@ diff.@O@ dispatch.@O@ dlz.@O@ dnssec.@O@ \
-		ds.@O@ \
-		forward.@O@ iptable.@O@ \
-		keytable.@O@ \
-		lib.@O@ log.@O@ \
-		master.@O@ masterdump.@O@ message.@O@ \
-		name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ \
-		peer.@O@ portlist.@O@ \
-		rbt.@O@ rbtdb.@O@ rcode.@O@ rdata.@O@ \
-		rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
-		request.@O@ resolver.@O@ result.@O@ soa.@O@ stats.@O@ \
-		tcpmsg.@O@ time.@O@ tsec.@O@ tsig.@O@ ttl.@O@ \
-		validator.@O@ version.@O@ view.@O@
-PORTDNSOBJS =	ecdb.@O@
-
-OBJS=		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} ${PORTDNSOBJS}
-
-# Alphabetically
-
-OPENSSLGOSTLINKSRCS = opensslgost_link.c
-OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
-		opensslecdsa_link.c @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
-
-DSTSRCS =	@OPENSSLLINKSRCS@ \
-		dst_api.c dst_lib.c dst_parse.c \
-		dst_result.c gssapi_link.c gssapictx.c \
-		hmac_link.c key.c 
-
-DNSSRCS =	acl.c adb.c byaddr.c \
-		cache.c callbacks.c client.c compress.c \
-		db.c dbiterator.c diff.c dispatch.c dlz.c dnssec.c ds.c \
-		forward.c iptable.c \
-		keytable.c \
-		lib.c log.c \
-		master.c masterdump.c message.c \
-		name.c ncache.c nsec.c nsec3.c \
-		peer.c portlist.c \
-		rbt.c rbtdb.c rcode.c rdata.c \
-		rdatalist.c rdataset.c rdatasetiter.c rdataslab.c \
-		request.c res.c resolver.c result.c soa.c stats.c \
-		tcpmsg.c time.c tsec.c tsig.c ttl.c \
-		validator.c version.c view.c
-PORTDNSSRCS =	ecdb.c
-
-SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS}
-
-SUBDIRS =	include
-TARGETS =	include/dns/enumtype.h include/dns/enumclass.h \
-		include/dns/rdatastruct.h timestamp
-
-DEPENDEXTRA =	./gen -F include/dns/rdatastruct.h \
-		-s ${srcdir} -d >> Makefile ;
-
-@BIND9_MAKE_RULES@
-
-version.@O@: ${srcdir}/version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libdns.@SA@: ${OBJS}
-	${AR} ${ARFLAGS} $@ ${OBJS}
-	${RANLIB} $@
-
-libdns.la: ${OBJS}
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \
-		-rpath ${export_libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
-
-timestamp: libdns.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \
-	${DESTDIR}${export_libdir}/
-
-clean distclean::
-	rm -f libdns.@A@ timestamp
-	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
-	rm -f include/dns/rdatastruct.h
-
-newrr::
-	rm -f code.h include/dns/enumtype.h include/dns/enumclass.h
-	rm -f include/dns/rdatastruct.h
-
-include: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h
-
-rdata.@O@: code.h
-
-include/dns/enumtype.h: gen
-	./gen -s ${srcdir} -t > $@
-
-include/dns/enumclass.h: gen
-	./gen -s ${srcdir} -c > $@
-
-include/dns/rdatastruct.h: gen \
-		${srcdir}/rdata/rdatastructpre.h \
-		${srcdir}/rdata/rdatastructsuf.h
-	./gen -s ${srcdir} -i \
-		-P ${srcdir}/rdata/rdatastructpre.h \
-		-S ${srcdir}/rdata/rdatastructsuf.h > $@
-
-code.h:	gen
-	./gen -s ${srcdir} > code.h
-
-gen: ${srcdir}/gen.c
-	${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ${srcdir}/gen.c ${LIBS}
-
-#We don't need rbtdb64 for this library
-#rbtdb64.@O@: rbtdb.c
-
-depend: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h code.h
-subdirs: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h code.h
-${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h
diff --git a/contrib/bind9/lib/export/dns/include/Makefile.in b/contrib/bind9/lib/export/dns/include/Makefile.in
deleted file mode 100644
index 6bf1205..0000000
--- a/contrib/bind9/lib/export/dns/include/Makefile.in
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	dns dst
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/dns/include/dns/Makefile.in b/contrib/bind9/lib/export/dns/include/dns/Makefile.in
deleted file mode 100644
index b7f51b4..0000000
--- a/contrib/bind9/lib/export/dns/include/dns/Makefile.in
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4 2009/09/18 07:18:04 jinmei Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	acl.h adb.h byaddr.h \
-		cache.h callbacks.h cert.h client.h compress.h \
-		db.h dbiterator.h diff.h dispatch.h dlz.h dnssec.h \
-		ds.h events.h fixedname.h ecdb.h \
-		forward.h iptable.h \
-		keytable.h keyvalues.h \
-		lib.h log.h \
-		master.h masterdump.h message.h \
-		name.h ncache.h nsec.h nsec3.h \
-		peer.h portlist.h \
-		rbt.h rcode.h rdata.h rdataclass.h \
-		rdatalist.h rdataset.h rdatasetiter.h rdataslab.h rdatatype.h \
-		request.h resolver.h result.h \
-		secalg.h secproto.h soa.h stats.h \
-		tcpmsg.h time.h tsec.h tsig.h ttl.h types.h \
-		validator.h version.h view.h
-
-GENHEADERS =	enumclass.h enumtype.h rdatastruct.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/dns
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${top_srcdir}/lib/dns/include/dns/$$i \
-		${DESTDIR}${export_includedir}/dns ; \
-	done
-	for i in ${GENHEADERS}; do \
-		${INSTALL_DATA} $$i ${DESTDIR}${export_includedir}/dns ; \
-	done
diff --git a/contrib/bind9/lib/export/dns/include/dst/Makefile.in b/contrib/bind9/lib/export/dns/include/dst/Makefile.in
deleted file mode 100644
index f6f540a..0000000
--- a/contrib/bind9/lib/export/dns/include/dst/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	dst.h gssapi.h lib.h result.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/dst
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${top_srcdir}/lib/dns/include/dst/$$i \
-		${DESTDIR}${export_includedir}/dst ; \
-	done
diff --git a/contrib/bind9/lib/export/irs/Makefile.in b/contrib/bind9/lib/export/irs/Makefile.in
deleted file mode 100644
index b2520f9..0000000
--- a/contrib/bind9/lib/export/irs/Makefile.in
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright (C) 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-top_srcdir =	@top_srcdir@
-srcdir =	@top_srcdir@/lib/irs
-export_srcdir =	@top_srcdir@/lib/export
-
-@BIND9_VERSION@
-
-@LIBIRS_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I. -I./include -I${srcdir}/include -I ../../irs/include \
-		${ISCCFG_INCLUDES} -I../dns/include ${DNS_INCLUDES} \
-		-I../dns/include ${DNS_INCLUDES} \
-		-I${export_srcdir}/isc/include ${ISC_INCLUDES}
-CDEFINES =
-CWARNINGS =
-
-# Alphabetically
-OBJS =		context.@O@ \
-		dnsconf.@O@ \
-		gai_strerror.@O@ getaddrinfo.@O@ getnameinfo.@O@ \
-		resconf.@O@
-
-# Alphabetically
-SRCS =		context.c \
-		dnsconf.c \
-		gai_sterror.c getaddrinfo.c getnameinfo.c \
-		resconf.c
-
-ISCLIBS =	../isc/libisc.@A@
-DNSLIBS =	../dns/libdns.@A@
-ISCCFGLIBS =	../isccfg/libisccfg.@A@
-
-LIBS =		@LIBS@
-
-SUBDIRS =	include
-TARGETS =	timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: ${srcdir}/version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libirs.@SA@: ${OBJS} version.@O@
-	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
-	${RANLIB} $@
-
-libirs.la: ${OBJS} version.@O@
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \
-		-rpath ${export_libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS}
-
-timestamp: libirs.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \
-	${DESTDIR}${export_libdir}/
-
-clean distclean::
-	rm -f libirs.@A@ libirs.la timestamp
diff --git a/contrib/bind9/lib/export/irs/include/Makefile.in b/contrib/bind9/lib/export/irs/include/Makefile.in
deleted file mode 100644
index 2c167d1..0000000
--- a/contrib/bind9/lib/export/irs/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-
-SUBDIRS =	irs
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/irs/include/irs/Makefile.in b/contrib/bind9/lib/export/irs/include/irs/Makefile.in
deleted file mode 100644
index 530e67c..0000000
--- a/contrib/bind9/lib/export/irs/include/irs/Makefile.in
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated.  The latter are handled specially in the
-# install target below.
-#
-HEADERS =	context.h dnsconf.h resconf.h types.h version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/irs
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${top_srcdir}/lib/irs/include/irs/$$i \
-		${DESTDIR}${export_includedir}/irs ; \
-	done
-	${INSTALL_DATA} ${top_srcdir}/lib/irs/include/irs/netdb.h \
-	${DESTDIR}${export_includedir}/irs
-	${INSTALL_DATA} ${top_srcdir}/lib/irs/include/irs/platform.h \
-	${DESTDIR}${export_includedir}/irs
-
-distclean::
-	rm -f netdb.h platform.h
diff --git a/contrib/bind9/lib/export/isc/Makefile.in b/contrib/bind9/lib/export/isc/Makefile.in
deleted file mode 100644
index c04a907..0000000
--- a/contrib/bind9/lib/export/isc/Makefile.in
+++ /dev/null
@@ -1,138 +0,0 @@
-# Copyright (C) 2009, 2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.8 2010/06/09 23:50:58 tbox Exp $
-
-top_srcdir =	@top_srcdir@
-srcdir =	@top_srcdir@/lib/isc
-export_srcdir =	@top_srcdir@/lib/export
-
-@BIND9_VERSION@
-
-@LIBISC_API@
-
-CINCLUDES =	-I${srcdir}/unix/include \
-		-I${srcdir}/@ISC_THREAD_DIR@/include \
-		-I${srcdir}/@ISC_ARCH_DIR@/include \
-		-I${export_srcdir}/isc/include -I${srcdir}/include \
-		@ISC_OPENSSL_INC@
-CDEFINES =	@USE_OPENSSL@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \
-		-DUSE_SOCKETIMPREGISTER -DUSE_TASKIMPREGISTER \
-		-DUSE_TIMERIMPREGISTER
-CWARNINGS =
-
-# Alphabetically
-# {file,dir}.c is necessary for isclog
-# symtab.c is necessary for isccfg
-APIOBJS =	app_api.@O@ mem_api.@O@ socket_api.@O@ \
-		task_api.@O@ timer_api.@O@
-
-ISCDRIVEROBJS =	mem.@O@ unix/socket.@O@ task.@O@ timer.@O@ lib.@O@ \
-		heap.@O@	#timer module depends on this
-
-UNIXOBJS =	@ISC_ISCIPV6_O@ \
-		unix/app.@O@ \
-		unix/dir.@O@ \
-		unix/errno2result.@O@ \
-		unix/file.@O@ \
-		unix/fsaccess.@O@ \
-		unix/stdio.@O@ \
-		unix/stdtime.@O@ unix/strerror.@O@ unix/time.@O@
-
-NLSOBJS =	nls/msgcat.@O@
-
-THREADOPTOBJS = @ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@
-
-THREADOBJS =	@THREADOPTOBJS@ @ISC_THREAD_DIR@/thread.@O@
-
-WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
-		win32/fsaccess.@O@ win32/once.@O@ win32/stdtime.@O@ \
-		win32/thread.@O@ win32/time.@O@
-
-# Alphabetically
-OBJS =		@ISC_EXTRA_OBJS@ \
-		assertions.@O@ backtrace.@O@ backtrace-emptytbl.@O@ base32.@O@ \
-		base64.@O@ buffer.@O@ bufferlist.@O@ \
-		error.@O@ event.@O@ \
-		hash.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
-		inet_aton.@O@ iterated_hash.@O@ lex.@O@ lfsr.@O@ log.@O@ \
-		md5.@O@ mutexblock.@O@ netaddr.@O@ netscope.@O@ \
-		ondestroy.@O@ parseint.@O@ portset.@O@ radix.@O@ \
-		random.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
-		rwlock.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ \
-		stats.@O@ string.@O@ \
-		symtab.@O@ \
-		version.@O@ \
-		${APIOBJS} ${ISCDRIVEROBJS} \
-		${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
-
-# Alphabetically
-APISRCS =	app_api.c mem_api.c socket_api.c \
-		task_api.c timer_api.c
-
-ISCDRIVERSRCS =	mem.c task.c lib.c timer.c heap.c
-
-SRCS =		@ISC_EXTRA_SRCS@ \
-		assertions.c backtrace.c backtrace-emptytbl.c base32.c \
-		base64.c buffer.c bufferlist.c \
-		error.c event.c \
-		hash.c hex.c hmacmd5.c hmacsha.c \
-		inet_aton.c iterated_hash.c lex.c log.c lfsr.c \
-		md5.c mutexblock.c \
-		netaddr.c netscope.c \
-		ondestroy.c \
-		parseint.c portset.c radix.c \
-		random.c refcount.c region.c regex.c result.c rwlock.c \
-		serial.c sha1.c sha2.c sockaddr.c stats.c string.c symtab.c \
-		version.c \
-		${APISRCS} ${ISCDRIVERSRCS}
-
-LIBS =		@LIBS@
-
-SUBDIRS =	include unix nls @ISC_THREAD_DIR@
-TARGETS =	timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: ${srcdir}/version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libisc.@SA@: ${OBJS}
-	${AR} ${ARFLAGS} $@ ${OBJS}
-	${RANLIB} $@
-
-libisc.la: ${OBJS}
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \
-		-rpath ${export_libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${LIBS}
-
-timestamp: libisc.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \
-	${DESTDIR}${export_libdir}
-
-clean distclean::
-	rm -f libisc.@A@ libisc.la timestamp
diff --git a/contrib/bind9/lib/export/isc/include/Makefile.in b/contrib/bind9/lib/export/isc/include/Makefile.in
deleted file mode 100644
index 1b7c659..0000000
--- a/contrib/bind9/lib/export/isc/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/include/isc/Makefile.in
deleted file mode 100644
index 8c7eff8..0000000
--- a/contrib/bind9/lib/export/isc/include/isc/Makefile.in
+++ /dev/null
@@ -1,66 +0,0 @@
-# Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/12/05 23:31:41 each Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-export_srcdir =	@top_srcdir@/lib/export
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated.  The latter are handled specially in the
-# install target below.
-#
-HEADERS =	app.h assertions.h base64.h bitstring.h boolean.h \
-		buffer.h bufferlist.h commandline.h entropy.h error.h event.h \
-		eventclass.h file.h formatcheck.h fsaccess.h \
-		hash.h heap.h hex.h hmacmd5.h \
-		httpd.h \
-		interfaceiter.h @ISC_IPV6_H@ iterated_hash.h lang.h lex.h \
-		lfsr.h lib.h list.h log.h \
-		magic.h md5.h mem.h msgcat.h msgs.h \
-		mutexblock.h namespace.h netaddr.h ondestroy.h os.h parseint.h \
-		print.h quota.h radix.h random.h ratelimiter.h \
-		refcount.h regex.h region.h resource.h \
-		result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \
-		sockaddr.h socket.h stdio.h stdlib.h string.h \
-		symtab.h \
-	        task.h taskpool.h timer.h types.h util.h version.h \
-		xml.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${top_srcdir}/lib/isc/include/isc/$$i \
-		${DESTDIR}${export_includedir}/isc ; \
-	done
-	${INSTALL_DATA} ${top_srcdir}/lib/isc/include/isc/platform.h \
-	${DESTDIR}${export_includedir}/isc
-	${INSTALL_DATA} ${top_srcdir}/lib/isc/@ISC_ARCH_DIR@/include/isc/atomic.h \
-	${DESTDIR}${export_includedir}/isc
-	${INSTALL_DATA} ${export_srcdir}/isc/include/isc/bind9.h \
-	${DESTDIR}${export_includedir}/isc
-
-distclean::
-	rm -f platform.h
diff --git a/contrib/bind9/lib/export/isc/include/isc/bind9.h b/contrib/bind9/lib/export/isc/include/isc/bind9.h
deleted file mode 100644
index e96789b..0000000
--- a/contrib/bind9/lib/export/isc/include/isc/bind9.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bind9.h,v 1.2 2009/12/05 23:31:41 each Exp $ */
-
-#ifndef ISC_BIND9_H
-#define ISC_BIND9_H 1
-
-/*
- * This determines whether we are building BIND9 or using the exported
- * libisc/libdns libraries.  The version of this file included in the
- * standard BIND9 build defines BIND9; the version included with the
- * exportable libraries does not.
- */
-#undef BIND9
-
-#endif /* ISC_BIND9_H */
diff --git a/contrib/bind9/lib/export/isc/nls/Makefile.in b/contrib/bind9/lib/export/isc/nls/Makefile.in
deleted file mode 100644
index 16a6a86..0000000
--- a/contrib/bind9/lib/export/isc/nls/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-top_srcdir =	@top_srcdir@
-srcdir =	@top_srcdir@/lib/isc/nls
-export_srcdir = @top_srcdir@/lib/export
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I${srcdir}/unix/include \
-		-I${export_srcdir}/isc/include \
-		${ISC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-OBJS =		msgcat.@O@
-
-SRCS =		msgcat.c
-
-SUBDIRS =
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/nothreads/Makefile.in b/contrib/bind9/lib/export/isc/nothreads/Makefile.in
deleted file mode 100644
index 4640993..0000000
--- a/contrib/bind9/lib/export/isc/nothreads/Makefile.in
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (C) 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.5 2010/06/09 23:50:58 tbox Exp $
-
-top_srcdir =	@top_srcdir@
-srcdir =	@top_srcdir@/lib/isc/nothreads
-export_srcdir = @top_srcdir@/lib/export
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I${srcdir}/include \
-		-I${srcdir}/../unix/include \
-		-I${export_srcdir}/isc/include \
-		-I../include \
-		-I${srcdir}/../include \
-		-I${srcdir}/..
-
-CDEFINES =
-CWARNINGS =
-
-THREADOPTOBJS = condition.@O@ mutex.@O@
-OBJS =		@THREADOPTOBJS@ thread.@O@
-
-THREADOPTSRCS = condition.c mutex.c
-SRCS =		@THREADOPTSRCS@ thread.c
-
-SUBDIRS =	include
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/nothreads/include/Makefile.in b/contrib/bind9/lib/export/isc/nothreads/include/Makefile.in
deleted file mode 100644
index 1b7c659..0000000
--- a/contrib/bind9/lib/export/isc/nothreads/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in
deleted file mode 100644
index 9bda987..0000000
--- a/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	condition.h mutex.h once.h thread.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(top_srcdir)/lib/isc/nothreads/include/isc/$$i \
-		${DESTDIR}${export_includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/export/isc/pthreads/Makefile.in b/contrib/bind9/lib/export/isc/pthreads/Makefile.in
deleted file mode 100644
index 80c5e3b..0000000
--- a/contrib/bind9/lib/export/isc/pthreads/Makefile.in
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-top_srcdir =	@top_srcdir@
-srcdir =	@top_srcdir@/lib/isc/pthreads
-export_srcdir = @top_srcdir@/lib/export
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I${srcdir}/include \
-		-I${srcdir}/../unix/include \
-		-I${export_srcdir}/isc/include \
-		-I../include \
-		-I${srcdir}/../include \
-		-I${srcdir}/..
-
-CDEFINES =
-CWARNINGS =
-
-OBJS =		condition.@O@ mutex.@O@ thread.@O@
-
-SRCS =		condition.c mutex.c thread.c
-
-SUBDIRS =	include
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/pthreads/include/Makefile.in b/contrib/bind9/lib/export/isc/pthreads/include/Makefile.in
deleted file mode 100644
index 1b7c659..0000000
--- a/contrib/bind9/lib/export/isc/pthreads/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in
deleted file mode 100644
index 4319768..0000000
--- a/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	condition.h mutex.h once.h thread.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(top_srcdir)/lib/isc/pthreads/include/isc/$$i \
-		${DESTDIR}${export_includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/export/isc/unix/Makefile.in b/contrib/bind9/lib/export/isc/unix/Makefile.in
deleted file mode 100644
index 1873202..0000000
--- a/contrib/bind9/lib/export/isc/unix/Makefile.in
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-top_srcdir =	@top_srcdir@
-srcdir =	@top_srcdir@/lib/isc/unix
-export_srcdir = @top_srcdir@/lib/export
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I${srcdir}/include \
-		-I${srcdir}/../@ISC_THREAD_DIR@/include \
-		-I${export_srcdir}/isc/include \
-		-I../include \
-		-I${srcdir}/../include \
-		-I${srcdir}/..
-
-CDEFINES =	-DUSE_SOCKETIMPREGISTER -DUSE_APPIMPREGISTER
-
-CWARNINGS =
-
-# Alphabetically
-ISCDRIVEROBJS =	app.@O@ socket.@O@
-
-OBJS =		@ISC_IPV6_O@ \
-		dir.@O@ \
-		errno2result.@O@ \
-		file.@O@ fsaccess.@O@ \
-		stdio.@O@ stdtime.@O@ strerror.@O@ \
-		time.@O@ \
-		${ISCDRIVEROBJS}
-
-# Alphabetically
-ISCDRIVERSRCS =	app.c socket.c
-
-SRCS =		@ISC_IPV6_C@ \
-		dir.c \
-		errno2result.c \
-		file.c fsaccess.c \
-		stdio.c stdtime.c strerror.c \
-		time.c \
-		${ISCDRIVERSRCS}
-
-SUBDIRS =	include
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/unix/include/Makefile.in b/contrib/bind9/lib/export/isc/unix/include/Makefile.in
deleted file mode 100644
index 1b7c659..0000000
--- a/contrib/bind9/lib/export/isc/unix/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in
deleted file mode 100644
index 7159c76..0000000
--- a/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	dir.h int.h net.h netdb.h offset.h stdtime.h \
-		syslog.h time.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(top_srcdir)/lib/isc/unix/include/isc/$$i \
-		${DESTDIR}${export_includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/export/isccfg/Makefile.in b/contrib/bind9/lib/export/isccfg/Makefile.in
deleted file mode 100644
index 2a791a4..0000000
--- a/contrib/bind9/lib/export/isccfg/Makefile.in
+++ /dev/null
@@ -1,83 +0,0 @@
-# Copyright (C) 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-top_srcdir =	@top_srcdir@
-srcdir =	@top_srcdir@/lib/isccfg
-export_srcdir =	@top_srcdir@/lib/export
-
-@BIND9_VERSION@
-
-@LIBISCCFG_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I. ${DNS_INCLUDES} -I${export_srcdir}/isc/include \
-		${ISC_INCLUDES} ${ISCCFG_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCLIBS =	../isc/libisc.@A@
-DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS =	libisccfg.@A@
-
-LIBS =		@LIBS@
-
-SUBDIRS =	include
-
-# Alphabetically
-OBJS =		dnsconf.@O@ log.@O@ parser.@O@ version.@O@
-
-# Alphabetically
-SRCS =		dnsconf.c log.c parser.c version.c
-
-TARGETS = 	timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: ${srcdir}/version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libisccfg.@SA@: ${OBJS}
-	${AR} ${ARFLAGS} $@ ${OBJS}
-	${RANLIB} $@
-
-libisccfg.la: ${OBJS}
-	 ${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \
-		-rpath ${export_libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS}
-
-timestamp: libisccfg.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \
-	${DESTDIR}${export_libdir}/
-
-clean distclean::
-	rm -f libisccfg.@A@ timestamp
diff --git a/contrib/bind9/lib/export/isccfg/include/Makefile.in b/contrib/bind9/lib/export/isccfg/include/Makefile.in
deleted file mode 100644
index 9733c11..0000000
--- a/contrib/bind9/lib/export/isccfg/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-
-SUBDIRS =	isccfg
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in b/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in
deleted file mode 100644
index 57a344c..0000000
--- a/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated.  The latter are handled specially in the
-# install target below.
-#
-HEADERS =	cfg.h grammar.h log.h dnsconf.h version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs \
-	${DESTDIR}${export_includedir}/isccfg
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${top_srcdir}/lib/isccfg/include/isccfg/$$i \
-		${DESTDIR}${export_includedir}/isccfg ; \
-	done
diff --git a/contrib/bind9/lib/export/samples/Makefile-postinstall.in b/contrib/bind9/lib/export/samples/Makefile-postinstall.in
deleted file mode 100644
index 5b1aafb..0000000
--- a/contrib/bind9/lib/export/samples/Makefile-postinstall.in
+++ /dev/null
@@ -1,78 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile-postinstall.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-srcdir =	@srcdir@
-#prefix =	@prefix@
-#exec_prefix =	@exec_prefix@
-
-CDEFINES =
-CWARNINGS =
-
-DNSLIBS =	-ldns @DNS_CRYPTO_LIBS@
-ISCLIBS =	-lisc
-ISCCFGLIBS =	-lisccfg
-IRSLIBS =	-lirs
-
-LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
-
-SUBDIRS =
-
-TARGETS =	sample@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
-		sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@ \
-		dlvchecks@EXEEXT@
-
-OBJS =		sample.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
-		sample-request.@O@ nsprobe.@O@ dlvchecks.@O@
-
-SRCS =		sample.c sample-async.c sample-gai.c sample-update.c \
-		sample-request.c nsprobe.c dlvchecks..c
-
-@BIND9_MAKE_RULES@
-
-# The following two may depend on BIND9_MAKE_RULES
-CINCLUDES =	-I@export_includedir@
-LDFLAGS =	-L@export_libdir@
-
-sample@EXEEXT@: sample.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample.@O@ ${LIBS}
-
-sample-async@EXEEXT@: sample-async.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample-async.@O@ ${LIBS}
-
-sample-gai@EXEEXT@: sample-gai.@O@ ${IRSDEPLIBS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample-gai.@O@ ${IRSLIBS} ${LIBS}
-
-sample-update@EXEEXT@: sample-update.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample-update.@O@ ${LIBS}
-
-sample-request@EXEEXT@: sample-request.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample-request.@O@ ${LIBS}
-
-nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	nsprobe.@O@ ${LIBS}
-
-dlvchecks@EXEEXT@: dlvchecks.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	dlvchecks.@O@ ${LIBS}
-
-clean distclean maintainer-clean::
-	rm -f ${TARGETS}
diff --git a/contrib/bind9/lib/export/samples/Makefile.in b/contrib/bind9/lib/export/samples/Makefile.in
deleted file mode 100644
index 194aaeb..0000000
--- a/contrib/bind9/lib/export/samples/Makefile.in
+++ /dev/null
@@ -1,99 +0,0 @@
-# Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4 2009/12/05 23:31:41 each Exp $
-
-srcdir =	@srcdir@
-top_srcdir =	@top_srcdir@
-export_srcdir =	@top_srcdir@/lib/export
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I${srcdir}/include -I../dns/include \
-		-I${export_srcdir}/isc/include \
-		${DNS_INCLUDES} ${ISC_INCLUDES} \
-		-I${top_srcdir}/lib/irs/include \
-		-I../../irs/include
-
-CDEFINES =
-CWARNINGS =
-
-DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS =	../isc/libisc.@A@
-ISCCFGLIBS =	../isccfg/libisccfg.@A@
-IRSLIBS =	../irs/libirs.@A@
-
-DNSDEPLIBS =	../dns/libdns.@A@
-ISCDEPLIBS =	../isc/libisc.@A@
-ISCCFGDEPLIBS =	../isccfg/libisccfg.@A@
-IRSDEPLIBS =	../irs/libirs.@A@
-
-DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
-
-LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
-
-SUBDIRS =
-
-TARGETS =	sample@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
-		sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@
-
-OBJS =		sample.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
-		sample-request.@O@ nsprobe.@O@
-
-UOBJS =
-
-SRCS =		sample.c sample-async.c sample-gai.c sample-update.c \
-		sample-request.c nsprobe.c
-
-MANPAGES =
-
-HTMLPAGES =
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-sample@EXEEXT@: sample.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample.@O@ ${LIBS}
-
-sample-async@EXEEXT@: sample-async.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample-async.@O@ ${LIBS}
-
-sample-gai@EXEEXT@: sample-gai.@O@ ${IRSDEPLIBS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample-gai.@O@ ${IRSLIBS} ${LIBS}
-
-sample-update@EXEEXT@: sample-update.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample-update.@O@ ${LIBS}
-
-sample-request@EXEEXT@: sample-request.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	sample-request.@O@ ${LIBS}
-
-nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	nsprobe.@O@ ${LIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-clean distclean maintainer-clean::
-	rm -f ${TARGETS}
diff --git a/contrib/bind9/lib/export/samples/nsprobe.c b/contrib/bind9/lib/export/samples/nsprobe.c
deleted file mode 100644
index 1d7ed3b..0000000
--- a/contrib/bind9/lib/export/samples/nsprobe.c
+++ /dev/null
@@ -1,1220 +0,0 @@
-/*
- * Copyright (C) 2009-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <netdb.h>
-
-#include <isc/app.h>
-#include <isc/buffer.h>
-#include <isc/lib.h>
-#include <isc/mem.h>
-#include <isc/socket.h>
-#include <isc/sockaddr.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/client.h>
-#include <dns/fixedname.h>
-#include <dns/lib.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-
-#define MAX_PROBES 1000
-
-static dns_client_t *client = NULL;
-static isc_task_t *probe_task = NULL;
-static isc_appctx_t *actx = NULL;
-static isc_mem_t *mctx = NULL;
-static unsigned int outstanding_probes = 0;
-const char *cacheserver = "127.0.0.1";
-static FILE *fp;
-
-typedef enum {
-	none,
-	exist,
-	nxdomain,
-	othererr,
-	multiplesoa,
-	multiplecname,
-	brokenanswer,
-	lame,
-	timedout,
-	notype,
-	unexpected
-} query_result_t;
-
-struct server {
-	ISC_LINK(struct server) link;
-
-	isc_sockaddr_t address;
-	query_result_t result_a;
-	query_result_t result_aaaa;
-};
-
-struct probe_ns {
-	ISC_LINK(struct probe_ns) link;
-
-	dns_fixedname_t fixedname;
-	dns_name_t *name;
-	struct server *current_server;
-	ISC_LIST(struct server) servers;
-};
-
-struct probe_trans {
-	isc_boolean_t inuse;
-	char *domain;
-	dns_fixedname_t fixedname;
-	dns_name_t *qname;
-	const char **qlabel;
-	isc_boolean_t qname_found;
-	dns_clientrestrans_t *resid;
-	dns_message_t *qmessage;
-	dns_message_t *rmessage;
-	dns_clientreqtrans_t *reqid;
-
-	/* NS list */
-	struct probe_ns *current_ns;
-	ISC_LIST(struct probe_ns) nslist;
-};
-
-struct lcl_stat {
-	unsigned long valid;
-	unsigned long ignore;
-	unsigned long nxdomain;
-	unsigned long othererr;
-	unsigned long multiplesoa;
-	unsigned long multiplecname;
-	unsigned long brokenanswer;
-	unsigned long lame;
-	unsigned long unknown;
-} server_stat, domain_stat;
-
-static unsigned long number_of_domains = 0;
-static unsigned long number_of_servers = 0;
-static unsigned long multiple_error_domains = 0;
-static isc_boolean_t debug_mode = ISC_FALSE;
-static int verbose_level = 0;
-static const char *qlabels[] = {"www.", "ftp.", NULL};
-static struct probe_trans probes[MAX_PROBES];
-
-static isc_result_t probe_domain(struct probe_trans *trans);
-static void reset_probe(struct probe_trans *trans);
-static isc_result_t fetch_nsaddress(struct probe_trans *trans);
-static isc_result_t probe_name(struct probe_trans *trans,
-			       dns_rdatatype_t type);
-
-/* Dump an rdataset for debug */
-static isc_result_t
-print_rdataset(dns_rdataset_t *rdataset, dns_name_t *owner) {
-	isc_buffer_t target;
-	isc_result_t result;
-	isc_region_t r;
-	char t[4096];
-
-	if (!debug_mode)
-		return (ISC_R_SUCCESS);
-
-	isc_buffer_init(&target, t, sizeof(t));
-
-	if (!dns_rdataset_isassociated(rdataset))
-		return (ISC_R_SUCCESS);
-	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
-				     &target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_usedregion(&target, &r);
-	printf("%.*s", (int)r.length, (char *)r.base);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-print_name(dns_name_t *name) {
-	isc_result_t result;
-	isc_buffer_t target;
-	isc_region_t r;
-	char t[4096];
-
-	isc_buffer_init(&target, t, sizeof(t));
-	result = dns_name_totext(name, ISC_TRUE, &target);
-	if (result == ISC_R_SUCCESS) {
-		isc_buffer_usedregion(&target, &r);
-		printf("%.*s", (int)r.length, (char *)r.base);
-	} else
-		printf("(invalid name)");
-
-	return (result);
-}
-
-static isc_result_t
-print_address(FILE *fp, isc_sockaddr_t *addr) {
-	char buf[NI_MAXHOST];
-
-	if (getnameinfo(&addr->type.sa, addr->length, buf, sizeof(buf),
-			NULL, 0, NI_NUMERICHOST) == 0) {
-		fprintf(fp, "%s", buf);
-	} else {
-		fprintf(fp, "(invalid address)");
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
-	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
-	     isc_timermgr_t **timermgrp)
-{
-	if (*taskmgrp != NULL)
-		isc_taskmgr_destroy(taskmgrp);
-
-	if (*timermgrp != NULL)
-		isc_timermgr_destroy(timermgrp);
-
-	if (*socketmgrp != NULL)
-		isc_socketmgr_destroy(socketmgrp);
-
-	if (*actxp != NULL)
-		isc_appctx_destroy(actxp);
-
-	if (*mctxp != NULL)
-		isc_mem_destroy(mctxp);
-}
-
-static isc_result_t
-ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
-	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
-	  isc_timermgr_t **timermgrp)
-{
-	isc_result_t result;
-
-	result = isc_mem_create(0, 0, mctxp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_appctx_create(*mctxp, actxp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	return (ISC_R_SUCCESS);
-
- fail:
-	ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
-
-	return (result);
-}
-
-/*
- * Common routine to make query data
- */
-static isc_result_t
-make_querymessage(dns_message_t *message, dns_name_t *qname0,
-		  dns_rdatatype_t rdtype)
-{
-	dns_name_t *qname = NULL;
-	dns_rdataset_t *qrdataset = NULL;
-	isc_result_t result;
-
-	message->opcode = dns_opcode_query;
-	message->rdclass = dns_rdataclass_in;
-
-	result = dns_message_gettempname(message, &qname);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_message_gettemprdataset(message, &qrdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_name_init(qname, NULL);
-	dns_name_clone(qname0, qname);
-	dns_rdataset_init(qrdataset);
-	dns_rdataset_makequestion(qrdataset, message->rdclass, rdtype);
-	ISC_LIST_APPEND(qname->list, qrdataset, link);
-	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (qname != NULL)
-		dns_message_puttempname(message, &qname);
-	if (qrdataset != NULL)
-		dns_message_puttemprdataset(message, &qrdataset);
-	return (result);
-}
-
-/*
- * Update statistics
- */
-static inline void
-increment_entry(unsigned long *entryp) {
-	(*entryp)++;
-	INSIST(*entryp != 0U);	/* check overflow */
-}
-
-static void
-update_stat(struct probe_trans *trans) {
-	struct probe_ns *pns;
-	struct server *server;
-	struct lcl_stat local_stat;
-	unsigned int err_count = 0;
-	const char *stattype;
-
-	increment_entry(&number_of_domains);
-	memset(&local_stat, 0, sizeof(local_stat));
-
-	/* Update per sever statistics */
-	for (pns = ISC_LIST_HEAD(trans->nslist); pns != NULL;
-	     pns = ISC_LIST_NEXT(pns, link)) {
-		for (server = ISC_LIST_HEAD(pns->servers); server != NULL;
-		     server = ISC_LIST_NEXT(server, link)) {
-			increment_entry(&number_of_servers);
-
-			if (server->result_aaaa == exist ||
-			    server->result_aaaa == notype) {
-				/*
-				 * Don't care about the result of A query if
-				 * the answer to AAAA query was expected.
-				 */
-				stattype = "valid";
-				increment_entry(&server_stat.valid);
-				increment_entry(&local_stat.valid);
-			} else if (server->result_a == exist) {
-				switch (server->result_aaaa) {
-				case exist:
-				case notype:
-					stattype = "valid";
-					increment_entry(&server_stat.valid);
-					increment_entry(&local_stat.valid);
-					break;
-				case timedout:
-					stattype = "ignore";
-					increment_entry(&server_stat.ignore);
-					increment_entry(&local_stat.ignore);
-					break;
-				case nxdomain:
-					stattype = "nxdomain";
-					increment_entry(&server_stat.nxdomain);
-					increment_entry(&local_stat.nxdomain);
-					break;
-				case othererr:
-					stattype = "othererr";
-					increment_entry(&server_stat.othererr);
-					increment_entry(&local_stat.othererr);
-					break;
-				case multiplesoa:
-					stattype = "multiplesoa";
-					increment_entry(&server_stat.multiplesoa);
-					increment_entry(&local_stat.multiplesoa);
-					break;
-				case multiplecname:
-					stattype = "multiplecname";
-					increment_entry(&server_stat.multiplecname);
-					increment_entry(&local_stat.multiplecname);
-					break;
-				case brokenanswer:
-					stattype = "brokenanswer";
-					increment_entry(&server_stat.brokenanswer);
-					increment_entry(&local_stat.brokenanswer);
-					break;
-				case lame:
-					stattype = "lame";
-					increment_entry(&server_stat.lame);
-					increment_entry(&local_stat.lame);
-					break;
-				default:
-					stattype = "unknown";
-					increment_entry(&server_stat.unknown);
-					increment_entry(&local_stat.unknown);
-					break;
-				}
-			} else {
-				stattype = "unknown";
-				increment_entry(&server_stat.unknown);
-				increment_entry(&local_stat.unknown);
-			}
-
-			if (verbose_level > 1 ||
-			    (verbose_level == 1 &&
-			     strcmp(stattype, "valid") != 0 &&
-			     strcmp(stattype, "unknown") != 0)) {
-				print_name(pns->name);
-				putchar('(');
-				print_address(stdout, &server->address);
-				printf(") for %s:%s\n", trans->domain,
-				       stattype);
-			}
-		}
-	}
-
-	/* Update per domain statistics */
-	if (local_stat.ignore > 0U) {
-		if (verbose_level > 0)
-			printf("%s:ignore\n", trans->domain);
-		increment_entry(&domain_stat.ignore);
-		err_count++;
-	}
-	if (local_stat.nxdomain > 0U) {
-		if (verbose_level > 0)
-			printf("%s:nxdomain\n", trans->domain);
-		increment_entry(&domain_stat.nxdomain);
-		err_count++;
-	}
-	if (local_stat.othererr > 0U) {
-		if (verbose_level > 0)
-			printf("%s:othererr\n", trans->domain);
-		increment_entry(&domain_stat.othererr);
-		err_count++;
-	}
-	if (local_stat.multiplesoa > 0U) {
-		if (verbose_level > 0)
-			printf("%s:multiplesoa\n", trans->domain);
-		increment_entry(&domain_stat.multiplesoa);
-		err_count++;
-	}
-	if (local_stat.multiplecname > 0U) {
-		if (verbose_level > 0)
-			printf("%s:multiplecname\n", trans->domain);
-		increment_entry(&domain_stat.multiplecname);
-		err_count++;
-	}
-	if (local_stat.brokenanswer > 0U) {
-		if (verbose_level > 0)
-			printf("%s:brokenanswer\n", trans->domain);
-		increment_entry(&domain_stat.brokenanswer);
-		err_count++;
-	}
-	if (local_stat.lame > 0U) {
-		if (verbose_level > 0)
-			printf("%s:lame\n", trans->domain);
-		increment_entry(&domain_stat.lame);
-		err_count++;
-	}
-
-	if (err_count > 1U)
-		increment_entry(&multiple_error_domains);
-
-	/*
-	 * We regard the domain as valid if and only if no authoritative server
-	 * has a problem and at least one server is known to be valid.
-	 */
-	if (local_stat.valid > 0U && err_count == 0U) {
-		if (verbose_level > 1)
-			printf("%s:valid\n", trans->domain);
-		increment_entry(&domain_stat.valid);
-	}
-
-	/*
-	 * If the domain has no available server or all servers have the
-	 * 'unknown' result, the domain's result is also regarded as unknown.
-	 */
-	if (local_stat.valid == 0U && err_count == 0U) {
-		if (verbose_level > 1)
-			printf("%s:unknown\n", trans->domain);
-		increment_entry(&domain_stat.unknown);
-	}
-}
-
-/*
- * Search for an existent name with an A RR
- */
-
-static isc_result_t
-set_nextqname(struct probe_trans *trans) {
-	isc_result_t result;
-	size_t domainlen;
-	isc_buffer_t b;
-	char buf[4096];	/* XXX ad-hoc constant, but should be enough */
-
-	if (*trans->qlabel == NULL)
-		return (ISC_R_NOMORE);
-
-	result = isc_string_copy(buf, sizeof(buf), *trans->qlabel);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = isc_string_append(buf, sizeof(buf), trans->domain);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	domainlen = strlen(buf);
-	isc_buffer_init(&b, buf, domainlen);
-	isc_buffer_add(&b, domainlen);
-	dns_fixedname_init(&trans->fixedname);
-	trans->qname = dns_fixedname_name(&trans->fixedname);
-	result = dns_name_fromtext(trans->qname, &b, dns_rootname,
-				   0, NULL);
-
-	trans->qlabel++;
-
-	return (result);
-}
-
-static void
-request_done(isc_task_t *task, isc_event_t *event) {
-	struct probe_trans *trans = event->ev_arg;
-	dns_clientreqevent_t *rev = (dns_clientreqevent_t *)event;
-	dns_message_t *rmessage;
-	struct probe_ns *pns;
-	struct server *server;
-	isc_result_t result;
-	query_result_t *resultp;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	dns_rdatatype_t type;
-
-	REQUIRE(task == probe_task);
-	REQUIRE(trans != NULL && trans->inuse == ISC_TRUE);
-	rmessage = rev->rmessage;
-	REQUIRE(rmessage == trans->rmessage);
-	INSIST(outstanding_probes > 0);
-
-	server = trans->current_ns->current_server;
-	INSIST(server != NULL);
-
-	if (server->result_a == none) {
-		type = dns_rdatatype_a;
-		resultp = &server->result_a;
-	} else {
-		resultp = &server->result_aaaa;
-		type = dns_rdatatype_aaaa;
-	}
-
-	if (rev->result == ISC_R_SUCCESS) {
-		if ((rmessage->flags & DNS_MESSAGEFLAG_AA) == 0)
-			*resultp = lame;
-		else if (rmessage->rcode == dns_rcode_nxdomain)
-			*resultp = nxdomain;
-		else if (rmessage->rcode != dns_rcode_noerror)
-			*resultp = othererr;
-		else if (rmessage->counts[DNS_SECTION_ANSWER] == 0) {
-			/* no error but empty answer */
-			*resultp = notype;
-		} else {
-			result = dns_message_firstname(rmessage,
-						       DNS_SECTION_ANSWER);
-			while (result == ISC_R_SUCCESS) {
-				name = NULL;
-				dns_message_currentname(rmessage,
-							DNS_SECTION_ANSWER,
-							&name);
-				for (rdataset = ISC_LIST_HEAD(name->list);
-				     rdataset != NULL;
-				     rdataset = ISC_LIST_NEXT(rdataset,
-							      link)) {
-					(void)print_rdataset(rdataset, name);
-
-					if (rdataset->type ==
-					    dns_rdatatype_cname ||
-					    rdataset->type ==
-					    dns_rdatatype_dname) {
-						/* Should chase the chain? */
-						*resultp = exist;
-						goto found;
-					} else if (rdataset->type == type) {
-						*resultp = exist;
-						goto found;
-					}
-				}
-				result = dns_message_nextname(rmessage,
-							      DNS_SECTION_ANSWER);
-			}
-
-			/*
-			 * Something unexpected happened: the response
-			 * contained a non-empty authoritative answer, but we
-			 * could not find an expected result.
-			 */
-			*resultp = unexpected;
-		}
-	} else if (rev->result == DNS_R_RECOVERABLE ||
-		   rev->result == DNS_R_BADLABELTYPE) {
-		/* Broken response.  Try identifying known cases. */
-		*resultp = brokenanswer;
-
-		if (rmessage->counts[DNS_SECTION_ANSWER] > 0) {
-			result = dns_message_firstname(rmessage,
-						       DNS_SECTION_ANSWER);
-			while (result == ISC_R_SUCCESS) {
-				/*
-				 * Check to see if the response has multiple
-				 * CNAME RRs.  Update the result code if so.
-				 */
-				name = NULL;
-				dns_message_currentname(rmessage,
-							DNS_SECTION_ANSWER,
-							&name);
-				for (rdataset = ISC_LIST_HEAD(name->list);
-				     rdataset != NULL;
-				     rdataset = ISC_LIST_NEXT(rdataset,
-							      link)) {
-					if (rdataset->type ==
-					    dns_rdatatype_cname &&
-					    dns_rdataset_count(rdataset) > 1) {
-						*resultp = multiplecname;
-						goto found;
-					}
-				}
-				result = dns_message_nextname(rmessage,
-							      DNS_SECTION_ANSWER);
-			}
-		}
-
-		if (rmessage->counts[DNS_SECTION_AUTHORITY] > 0) {
-			result = dns_message_firstname(rmessage,
-						       DNS_SECTION_AUTHORITY);
-			while (result == ISC_R_SUCCESS) {
-				/*
-				 * Check to see if the response has multiple
-				 * SOA RRs.  Update the result code if so.
-				 */
-				name = NULL;
-				dns_message_currentname(rmessage,
-							DNS_SECTION_AUTHORITY,
-							&name);
-				for (rdataset = ISC_LIST_HEAD(name->list);
-				     rdataset != NULL;
-				     rdataset = ISC_LIST_NEXT(rdataset,
-							      link)) {
-					if (rdataset->type ==
-					    dns_rdatatype_soa &&
-					    dns_rdataset_count(rdataset) > 1) {
-						*resultp = multiplesoa;
-						goto found;
-					}
-				}
-				result = dns_message_nextname(rmessage,
-							      DNS_SECTION_AUTHORITY);
-			}
-		}
-	} else if (rev->result == ISC_R_TIMEDOUT)
-		*resultp = timedout;
-	else {
-		fprintf(stderr, "unexpected result: %d (domain=%s, server=",
-			rev->result, trans->domain);
-		print_address(stderr, &server->address);
-		fputc('\n', stderr);
-		*resultp = unexpected;
-	}
-
- found:
-	INSIST(*resultp != none);
-	if (type == dns_rdatatype_a && *resultp == exist)
-		trans->qname_found = ISC_TRUE;
-
-	dns_client_destroyreqtrans(&trans->reqid);
-	isc_event_free(&event);
-	dns_message_reset(trans->rmessage, DNS_MESSAGE_INTENTPARSE);
-
-	result = probe_name(trans, type);
-	if (result == ISC_R_NOMORE) {
-		/* We've tried all addresses of all servers. */
-		if (type == dns_rdatatype_a && trans->qname_found) {
-			/*
-			 * If we've explored A RRs and found an existent
-			 * record, we can move to AAAA.
-			 */
-			trans->current_ns = ISC_LIST_HEAD(trans->nslist);
-			probe_name(trans, dns_rdatatype_aaaa);
-			result = ISC_R_SUCCESS;
-		} else if (type == dns_rdatatype_a) {
-			/*
-			 * No server provided an existent A RR of this name.
-			 * Try next label.
-			 */
-			dns_fixedname_invalidate(&trans->fixedname);
-			trans->qname = NULL;
-			result = set_nextqname(trans);
-			if (result == ISC_R_SUCCESS) {
-				trans->current_ns =
-					ISC_LIST_HEAD(trans->nslist);
-				for (pns = trans->current_ns; pns != NULL;
-				     pns = ISC_LIST_NEXT(pns, link)) {
-					for (server = ISC_LIST_HEAD(pns->servers);
-					     server != NULL;
-					     server = ISC_LIST_NEXT(server,
-								    link)) {
-						INSIST(server->result_aaaa ==
-						       none);
-						server->result_a = none;
-					}
-				}
-				result = probe_name(trans, dns_rdatatype_a);
-			}
-		}
-		if (result != ISC_R_SUCCESS) {
-			/*
-			 * We've explored AAAA RRs or failed to find a valid
-			 * query label.  Wrap up the result and move to the
-			 * next domain.
-			 */
-			reset_probe(trans);
-		}
-	} else if (result != ISC_R_SUCCESS)
-		reset_probe(trans); /* XXX */
-}
-
-static isc_result_t
-probe_name(struct probe_trans *trans, dns_rdatatype_t type) {
-	isc_result_t result;
-	struct probe_ns *pns;
-	struct server *server;
-
-	REQUIRE(trans->reqid == NULL);
-	REQUIRE(type == dns_rdatatype_a || type == dns_rdatatype_aaaa);
-
-	for (pns = trans->current_ns; pns != NULL;
-	     pns = ISC_LIST_NEXT(pns, link)) {
-		for (server = ISC_LIST_HEAD(pns->servers); server != NULL;
-		     server = ISC_LIST_NEXT(server, link)) {
-			if ((type == dns_rdatatype_a &&
-			     server->result_a == none) ||
-			    (type == dns_rdatatype_aaaa &&
-			     server->result_aaaa == none)) {
-				pns->current_server = server;
-				goto found;
-			}
-		}
-	}
-
- found:
-	trans->current_ns = pns;
-	if (pns == NULL)
-		return (ISC_R_NOMORE);
-
-	INSIST(pns->current_server != NULL);
-	dns_message_reset(trans->qmessage, DNS_MESSAGE_INTENTRENDER);
-	result = make_querymessage(trans->qmessage, trans->qname, type);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = dns_client_startrequest(client, trans->qmessage,
-					 trans->rmessage,
-					 &pns->current_server->address,
-					 0, DNS_MESSAGEPARSE_BESTEFFORT,
-					 NULL, 120, 0, 4,
-					 probe_task, request_done, trans,
-					 &trans->reqid);
-
-	return (result);
-}
-
-/*
- * Get IP addresses of NSes
- */
-
-static void
-resolve_nsaddress(isc_task_t *task, isc_event_t *event) {
-	struct probe_trans *trans = event->ev_arg;
-	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	struct probe_ns *pns = trans->current_ns;
-	isc_result_t result;
-
-	REQUIRE(task == probe_task);
-	REQUIRE(trans->inuse == ISC_TRUE);
-	REQUIRE(pns != NULL);
-	INSIST(outstanding_probes > 0);
-
-	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
-	     name = ISC_LIST_NEXT(name, link)) {
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			(void)print_rdataset(rdataset, name);
-
-			if (rdataset->type != dns_rdatatype_a)
-				continue;
-
-			for (result = dns_rdataset_first(rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rdataset)) {
-				dns_rdata_in_a_t rdata_a;
-				struct server *server;
-
-				dns_rdataset_current(rdataset, &rdata);
-				result = dns_rdata_tostruct(&rdata, &rdata_a,
-							    NULL);
-				if (result != ISC_R_SUCCESS)
-					continue;
-
-				server = isc_mem_get(mctx, sizeof(*server));
-				if (server == NULL) {
-					fprintf(stderr, "resolve_nsaddress: "
-						"mem_get failed");
-					result = ISC_R_NOMEMORY;
-					POST(result);
-					goto cleanup;
-				}
-				isc_sockaddr_fromin(&server->address,
-						    &rdata_a.in_addr, 53);
-				ISC_LINK_INIT(server, link);
-				server->result_a = none;
-				server->result_aaaa = none;
-				ISC_LIST_APPEND(pns->servers, server, link);
-			}
-		}
-	}
-
- cleanup:
-	dns_client_freeresanswer(client, &rev->answerlist);
-	dns_client_destroyrestrans(&trans->resid);
-	isc_event_free(&event);
-
- next_ns:
-	trans->current_ns = ISC_LIST_NEXT(pns, link);
-	if (trans->current_ns == NULL) {
-		trans->current_ns = ISC_LIST_HEAD(trans->nslist);
-		dns_fixedname_invalidate(&trans->fixedname);
-		trans->qname = NULL;
-		result = set_nextqname(trans);
-		if (result == ISC_R_SUCCESS)
-			 result = probe_name(trans, dns_rdatatype_a);
-	} else {
-		result = fetch_nsaddress(trans);
-		if (result != ISC_R_SUCCESS)
-			goto next_ns; /* XXX: this is unlikely to succeed */
-	}
-
-	if (result != ISC_R_SUCCESS)
-		reset_probe(trans);
-}
-
-static isc_result_t
-fetch_nsaddress(struct probe_trans *trans) {
-	struct probe_ns *pns;
-
-	pns = trans->current_ns;
-	REQUIRE(pns != NULL);
-
-	return (dns_client_startresolve(client, pns->name, dns_rdataclass_in,
-					dns_rdatatype_a, 0, probe_task,
-					resolve_nsaddress, trans,
-					&trans->resid));
-}
-
-/*
- * Get NS RRset for a given domain
- */
-
-static void
-reset_probe(struct probe_trans *trans) {
-	struct probe_ns *pns;
-	struct server *server;
-	isc_result_t result;
-
-	REQUIRE(trans->resid == NULL);
-	REQUIRE(trans->reqid == NULL);
-
-	update_stat(trans);
-
-	dns_message_reset(trans->qmessage, DNS_MESSAGE_INTENTRENDER);
-	dns_message_reset(trans->rmessage, DNS_MESSAGE_INTENTPARSE);
-
-	trans->inuse = ISC_FALSE;
-	if (trans->domain != NULL)
-		isc_mem_free(mctx, trans->domain);
-	trans->domain = NULL;
-	if (trans->qname != NULL)
-		dns_fixedname_invalidate(&trans->fixedname);
-	trans->qname = NULL;
-	trans->qlabel = qlabels;
-	trans->qname_found = ISC_FALSE;
-	trans->current_ns = NULL;
-
-	while ((pns = ISC_LIST_HEAD(trans->nslist)) != NULL) {
-		ISC_LIST_UNLINK(trans->nslist, pns, link);
-		while ((server = ISC_LIST_HEAD(pns->servers)) != NULL) {
-			ISC_LIST_UNLINK(pns->servers, server, link);
-			isc_mem_put(mctx, server, sizeof(*server));
-		}
-		isc_mem_put(mctx, pns, sizeof(*pns));
-	}
-
-	outstanding_probes--;
-
-	result = probe_domain(trans);
-	if (result == ISC_R_NOMORE && outstanding_probes == 0)
-		isc_app_ctxshutdown(actx);
-}
-
-static void
-resolve_ns(isc_task_t *task, isc_event_t *event) {
-	struct probe_trans *trans = event->ev_arg;
-	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	struct probe_ns *pns;
-
-	REQUIRE(task == probe_task);
-	REQUIRE(trans->inuse == ISC_TRUE);
-	INSIST(outstanding_probes > 0);
-
-	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
-	     name = ISC_LIST_NEXT(name, link)) {
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			(void)print_rdataset(rdataset, name);
-
-			if (rdataset->type != dns_rdatatype_ns)
-				continue;
-
-			for (result = dns_rdataset_first(rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rdataset)) {
-				dns_rdata_ns_t ns;
-
-				dns_rdataset_current(rdataset, &rdata);
-				/*
-				 * Extract the name from the NS record.
-				 */
-				result = dns_rdata_tostruct(&rdata, &ns, NULL);
-				if (result != ISC_R_SUCCESS)
-					continue;
-
-				pns = isc_mem_get(mctx, sizeof(*pns));
-				if (pns == NULL) {
-					fprintf(stderr,
-						"resolve_ns: mem_get failed");
-					result = ISC_R_NOMEMORY;
-					POST(result);
-					/*
-					 * XXX: should we continue with the
-					 * available servers anyway?
-					 */
-					goto cleanup;
-				}
-
-				dns_fixedname_init(&pns->fixedname);
-				pns->name =
-					dns_fixedname_name(&pns->fixedname);
-				ISC_LINK_INIT(pns, link);
-				ISC_LIST_APPEND(trans->nslist, pns, link);
-				ISC_LIST_INIT(pns->servers);
-
-				dns_name_copy(&ns.name, pns->name, NULL);
-				dns_rdata_reset(&rdata);
-				dns_rdata_freestruct(&ns);
-			}
-		}
-	}
-
- cleanup:
-	dns_client_freeresanswer(client, &rev->answerlist);
-	dns_client_destroyrestrans(&trans->resid);
-	isc_event_free(&event);
-
-	if (!ISC_LIST_EMPTY(trans->nslist)) {
-		/* Go get addresses of NSes */
-		trans->current_ns = ISC_LIST_HEAD(trans->nslist);
-		result = fetch_nsaddress(trans);
-	} else
-		result = ISC_R_FAILURE;
-
-	if (result == ISC_R_SUCCESS)
-		return;
-
-	reset_probe(trans);
-}
-
-static isc_result_t
-probe_domain(struct probe_trans *trans) {
-	isc_result_t result;
-	size_t domainlen;
-	isc_buffer_t b;
-	char buf[4096];	/* XXX ad hoc constant, but should be enough */
-	char *cp;
-
-	REQUIRE(trans != NULL);
-	REQUIRE(trans->inuse == ISC_FALSE);
-	REQUIRE(outstanding_probes < MAX_PROBES);
-
-	/* Construct domain */
-	cp = fgets(buf, sizeof(buf), fp);
-	if (cp == NULL)
-		return (ISC_R_NOMORE);
-	if ((cp = strchr(buf, '\n')) != NULL) /* zap NL if any */
-		*cp = '\0';
-	trans->domain = isc_mem_strdup(mctx, buf);
-	if (trans->domain == NULL) {
-		fprintf(stderr,
-			"failed to allocate memory for domain: %s", cp);
-		return (ISC_R_NOMEMORY);
-	}
-
-	/* Start getting NS for the domain */
-	domainlen = strlen(buf);
-	isc_buffer_init(&b, buf, domainlen);
-	isc_buffer_add(&b, domainlen);
-	dns_fixedname_init(&trans->fixedname);
-	trans->qname = dns_fixedname_name(&trans->fixedname);
-	result = dns_name_fromtext(trans->qname, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	result = dns_client_startresolve(client, trans->qname,
-					 dns_rdataclass_in, dns_rdatatype_ns,
-					 0, probe_task, resolve_ns, trans,
-					 &trans->resid);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	trans->inuse = ISC_TRUE;
-	outstanding_probes++;
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	isc_mem_free(mctx, trans->domain);
-	dns_fixedname_invalidate(&trans->fixedname);
-
-	return (result);
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "usage: nsprobe [-d] [-v [-v...]] [-c cache_address] "
-		"[input_file]\n");
-
-	exit(1);
-}
-
-int
-main(int argc, char *argv[]) {
-	int i, ch, error;
-	struct addrinfo hints, *res;
-	isc_result_t result;
-	isc_sockaddr_t sa;
-	isc_sockaddrlist_t servers;
-	isc_taskmgr_t *taskmgr = NULL;
-	isc_socketmgr_t *socketmgr = NULL;
-	isc_timermgr_t *timermgr = NULL;
-
-	while ((ch = getopt(argc, argv, "c:dhv")) != -1) {
-		switch (ch) {
-		case 'c':
-			cacheserver = optarg;
-			break;
-		case 'd':
-			debug_mode = ISC_TRUE;
-			break;
-		case 'h':
-			usage();
-			break;
-		case 'v':
-			verbose_level++;
-			break;
-		default:
-			usage();
-			break;
-		}
-	}
-
-	argc -= optind;
-	argv += optind;
-
-	/* Common set up */
-	isc_lib_register();
-	result = dns_lib_init();
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
-		exit(1);
-	}
-
-	result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr,
-			   &timermgr);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "ctx create failed: %d\n", result);
-		exit(1);
-	}
-
-	isc_app_ctxstart(actx);
-
-	result = dns_client_createx(mctx, actx, taskmgr, socketmgr,
-				    timermgr, 0, &client);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_createx failed: %d\n", result);
-		exit(1);
-	}
-
-	/* Set local cache server */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = AF_UNSPEC;
-	hints.ai_socktype = SOCK_DGRAM;
-	error = getaddrinfo(cacheserver, "53", &hints, &res);
-	if (error != 0) {
-		fprintf(stderr, "failed to convert server name (%s): %s\n",
-			cacheserver, gai_strerror(error));
-		exit(1);
-	}
-
-	if (res->ai_addrlen > sizeof(sa.type)) {
-		fprintf(stderr,
-			"assumption failure: addrlen is too long: %ld\n",
-			(long)res->ai_addrlen);
-		exit(1);
-	}
-	memcpy(&sa.type.sa, res->ai_addr, res->ai_addrlen);
-	sa.length = res->ai_addrlen;
-	freeaddrinfo(res);
-	ISC_LINK_INIT(&sa, link);
-	ISC_LIST_INIT(servers);
-	ISC_LIST_APPEND(servers, &sa, link);
-	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
-				       &servers);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to set server: %d\n", result);
-		exit(1);
-	}
-
-	/* Create the main task */
-	probe_task = NULL;
-	result = isc_task_create(taskmgr, 0, &probe_task);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to create task: %d\n", result);
-		exit(1);
-	}
-
-	/* Open input file */
-	if (argc == 0)
-		fp = stdin;
-	else {
-		fp = fopen(argv[0], "r");
-		if (fp == NULL) {
-			fprintf(stderr, "failed to open input file: %s\n",
-				argv[0]);
-			exit(1);
-		}
-	}
-
-	/* Set up and start probe */
-	for (i = 0; i < MAX_PROBES; i++) {
-		probes[i].inuse = ISC_FALSE;
-		probes[i].domain = NULL;
-		dns_fixedname_init(&probes[i].fixedname);
-		probes[i].qname = NULL;
-		probes[i].qlabel = qlabels;
-		probes[i].qname_found = ISC_FALSE;
-		probes[i].resid = NULL;
-		ISC_LIST_INIT(probes[i].nslist);
-		probes[i].reqid = NULL;
-
-		probes[i].qmessage = NULL;
-		result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
-					    &probes[i].qmessage);
-		if (result == ISC_R_SUCCESS) {
-			result = dns_message_create(mctx,
-						    DNS_MESSAGE_INTENTPARSE,
-						    &probes[i].rmessage);
-		}
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "initialization failure\n");
-			exit(1);
-		}
-	}
-	for (i = 0; i < MAX_PROBES; i++) {
-		result = probe_domain(&probes[i]);
-		if (result == ISC_R_NOMORE)
-			break;
-		else if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "failed to issue an initial probe\n");
-			exit(1);
-		}
-	}
-
-	/* Start event loop */
-	isc_app_ctxrun(actx);
-
-	/* Dump results */
-	printf("Per domain results (out of %lu domains):\n",
-	       number_of_domains);
-	printf("  valid: %lu\n"
-	       "  ignore: %lu\n"
-	       "  nxdomain: %lu\n"
-	       "  othererr: %lu\n"
-	       "  multiplesoa: %lu\n"
-	       "  multiplecname: %lu\n"
-	       "  brokenanswer: %lu\n"
-	       "  lame: %lu\n"
-	       "  unknown: %lu\n"
-	       "  multiple errors: %lu\n",
-	       domain_stat.valid, domain_stat.ignore, domain_stat.nxdomain,
-	       domain_stat.othererr, domain_stat.multiplesoa,
-	       domain_stat.multiplecname, domain_stat.brokenanswer,
-	       domain_stat.lame, domain_stat.unknown, multiple_error_domains);
-	printf("Per server results (out of %lu servers):\n",
-	       number_of_servers);
-	printf("  valid: %lu\n"
-	       "  ignore: %lu\n"
-	       "  nxdomain: %lu\n"
-	       "  othererr: %lu\n"
-	       "  multiplesoa: %lu\n"
-	       "  multiplecname: %lu\n"
-	       "  brokenanswer: %lu\n"
-	       "  lame: %lu\n"
-	       "  unknown: %lu\n",
-	       server_stat.valid, server_stat.ignore, server_stat.nxdomain,
-	       server_stat.othererr, server_stat.multiplesoa,
-	       server_stat.multiplecname, server_stat.brokenanswer,
-	       server_stat.lame, server_stat.unknown);
-
-	/* Cleanup */
-	for (i = 0; i < MAX_PROBES; i++) {
-		dns_message_destroy(&probes[i].qmessage);
-		dns_message_destroy(&probes[i].rmessage);
-	}
-	isc_task_detach(&probe_task);
-	dns_client_destroy(&client);
-	dns_lib_shutdown();
-	isc_app_ctxfinish(actx);
-	ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
-
-	return (0);
-}
diff --git a/contrib/bind9/lib/export/samples/sample-async.c b/contrib/bind9/lib/export/samples/sample-async.c
deleted file mode 100644
index a70dd47..0000000
--- a/contrib/bind9/lib/export/samples/sample-async.c
+++ /dev/null
@@ -1,402 +0,0 @@
-/*
- * Copyright (C) 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sample-async.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/app.h>
-#include <isc/buffer.h>
-#include <isc/lib.h>
-#include <isc/mem.h>
-#include <isc/socket.h>
-#include <isc/sockaddr.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/client.h>
-#include <dns/fixedname.h>
-#include <dns/lib.h>
-#include <dns/name.h>
-#include <dns/rdataset.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-
-#define MAX_SERVERS 10
-#define MAX_QUERIES 100
-
-static dns_client_t *client = NULL;
-static isc_task_t *query_task = NULL;
-static isc_appctx_t *query_actx = NULL;
-static unsigned int outstanding_queries = 0;
-static const char *def_server = "127.0.0.1";
-static FILE *fp;
-
-struct query_trans {
-	int id;
-	isc_boolean_t inuse;
-	dns_rdatatype_t type;
-	dns_fixedname_t fixedname;
-	dns_name_t *qname;
-	dns_namelist_t answerlist;
-	dns_clientrestrans_t *xid;
-};
-
-static struct query_trans query_array[MAX_QUERIES];
-
-static isc_result_t dispatch_query(struct query_trans *trans);
-
-static void
-ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
-	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
-	     isc_timermgr_t **timermgrp)
-{
-	if (*taskmgrp != NULL)
-		isc_taskmgr_destroy(taskmgrp);
-
-	if (*timermgrp != NULL)
-		isc_timermgr_destroy(timermgrp);
-
-	if (*socketmgrp != NULL)
-		isc_socketmgr_destroy(socketmgrp);
-
-	if (*actxp != NULL)
-		isc_appctx_destroy(actxp);
-
-	if (*mctxp != NULL)
-		isc_mem_destroy(mctxp);
-}
-
-static isc_result_t
-ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
-	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
-	  isc_timermgr_t **timermgrp)
-{
-	isc_result_t result;
-
-	result = isc_mem_create(0, 0, mctxp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_appctx_create(*mctxp, actxp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	return (ISC_R_SUCCESS);
-
- fail:
-	ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
-
-	return (result);
-}
-
-static isc_result_t
-printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
-	isc_buffer_t target;
-	isc_result_t result;
-	isc_region_t r;
-	char t[4096];
-
-	isc_buffer_init(&target, t, sizeof(t));
-
-	if (!dns_rdataset_isassociated(rdataset))
-		return (ISC_R_SUCCESS);
-	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
-				     &target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_usedregion(&target, &r);
-	printf("  %.*s", (int)r.length, (char *)r.base);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-process_answer(isc_task_t *task, isc_event_t *event) {
-	struct query_trans *trans = event->ev_arg;
-	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	isc_result_t result;
-
-	REQUIRE(task == query_task);
-	REQUIRE(trans->inuse == ISC_TRUE);
-	REQUIRE(outstanding_queries > 0);
-
-	printf("answer[%2d]\n", trans->id);
-
-	if (rev->result != ISC_R_SUCCESS)
-		printf("  failed: %d(%s)\n", rev->result,
-		       dns_result_totext(rev->result));
-
-	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
-	     name = ISC_LIST_NEXT(name, link)) {
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			(void)printdata(rdataset, name);
-		}
-	}
-
-	dns_client_freeresanswer(client, &rev->answerlist);
-	dns_client_destroyrestrans(&trans->xid);
-
-	isc_event_free(&event);
-
-	trans->inuse = ISC_FALSE;
-	dns_fixedname_invalidate(&trans->fixedname);
-	trans->qname = NULL;
-	outstanding_queries--;
-
-	result = dispatch_query(trans);
-#if 0				/* for cancel test */
-	if (result == ISC_R_SUCCESS) {
-		static int count = 0;
-
-		if ((++count) % 10 == 0)
-			dns_client_cancelresolve(trans->xid);
-	}
-#endif
-	if (result == ISC_R_NOMORE && outstanding_queries == 0)
-		isc_app_ctxshutdown(query_actx);
-}
-
-static isc_result_t
-dispatch_query(struct query_trans *trans) {
-	isc_result_t result;
-	size_t namelen;
-	isc_buffer_t b;
-	char buf[4096];	/* XXX ad hoc constant, but should be enough */
-	char *cp;
-
-	REQUIRE(trans != NULL);
-	REQUIRE(trans->inuse == ISC_FALSE);
-	REQUIRE(ISC_LIST_EMPTY(trans->answerlist));
-	REQUIRE(outstanding_queries < MAX_QUERIES);
-
-	/* Construct qname */
-	cp = fgets(buf, sizeof(buf), fp);
-	if (cp == NULL)
-		return (ISC_R_NOMORE);
-	/* zap NL if any */
-	if ((cp = strchr(buf, '\n')) != NULL)
-		*cp = '\0';
-	namelen = strlen(buf);
-	isc_buffer_init(&b, buf, namelen);
-	isc_buffer_add(&b, namelen);
-	dns_fixedname_init(&trans->fixedname);
-	trans->qname = dns_fixedname_name(&trans->fixedname);
-	result = dns_name_fromtext(trans->qname, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	/* Start resolution */
-	result = dns_client_startresolve(client, trans->qname,
-					 dns_rdataclass_in, trans->type, 0,
-					 query_task, process_answer, trans,
-					 &trans->xid);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	trans->inuse = ISC_TRUE;
-	outstanding_queries++;
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	dns_fixedname_invalidate(&trans->fixedname);
-
-	return (result);
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "usage: sample-async [-s server_address] [-t RR type] "
-		"input_file\n");
-
-	exit(1);
-}
-
-int
-main(int argc, char *argv[]) {
-	int ch;
-	isc_textregion_t tr;
-	isc_mem_t *mctx = NULL;
-	isc_taskmgr_t *taskmgr = NULL;
-	isc_socketmgr_t *socketmgr = NULL;
-	isc_timermgr_t *timermgr = NULL;
-	int nservers = 0;
-	const char *serveraddr[MAX_SERVERS];
-	isc_sockaddr_t sa[MAX_SERVERS];
-	isc_sockaddrlist_t servers;
-	dns_rdatatype_t type = dns_rdatatype_a;
-	struct in_addr inaddr;
-	isc_result_t result;
-	int i;
-
-	while ((ch = getopt(argc, argv, "s:t:")) != -1) {
-		switch (ch) {
-		case 't':
-			tr.base = optarg;
-			tr.length = strlen(optarg);
-			result = dns_rdatatype_fromtext(&type, &tr);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr,
-					"invalid RRtype: %s\n", optarg);
-				exit(1);
-			}
-			break;
-		case 's':
-			if (nservers == MAX_SERVERS) {
-				fprintf(stderr,
-					"too many servers (up to %d)\n",
-					MAX_SERVERS);
-				exit(1);
-			}
-			serveraddr[nservers++] = (const char *)optarg;
-			break;
-		default:
-			usage();
-		}
-	}
-
-	argc -= optind;
-	argv += optind;
-	if (argc < 1)
-		usage();
-
-	if (nservers == 0) {
-		nservers = 1;
-		serveraddr[0] = def_server;
-	}
-
-	for (i = 0; i < MAX_QUERIES; i++) {
-		query_array[i].id = i;
-		query_array[i].inuse = ISC_FALSE;
-		query_array[i].type = type;
-		dns_fixedname_init(&query_array[i].fixedname);
-		query_array[i].qname = NULL;
-		ISC_LIST_INIT(query_array[i].answerlist);
-		query_array[i].xid = NULL;
-	}
-
-	isc_lib_register();
-	result = dns_lib_init();
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
-		exit(1);
-	}
-
-	result = ctxs_init(&mctx, &query_actx, &taskmgr, &socketmgr,
-			   &timermgr);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "ctx create failed: %d\n", result);
-		exit(1);
-	}
-
-	isc_app_ctxstart(query_actx);
-
-	result = dns_client_createx(mctx, query_actx, taskmgr, socketmgr,
-				    timermgr, 0, &client);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_createx failed: %d\n", result);
-		exit(1);
-	}
-
-	/* Set nameservers */
-	ISC_LIST_INIT(servers);
-	for (i = 0; i < nservers; i++) {
-		if (inet_pton(AF_INET, serveraddr[i], &inaddr) != 1) {
-			fprintf(stderr, "failed to parse IPv4 address %s\n",
-				serveraddr[i]);
-			exit(1);
-		}
-		isc_sockaddr_fromin(&sa[i], &inaddr, 53);
-		ISC_LIST_APPEND(servers, &sa[i], link);
-	}
-	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
-				       &servers);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "set server failed: %d\n", result);
-		exit(1);
-	}
-
-	/* Create the main task */
-	query_task = NULL;
-	result = isc_task_create(taskmgr, 0, &query_task);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to create task: %d\n", result);
-		exit(1);
-	}
-
-	/* Open input file */
-	fp = fopen(argv[0], "r");
-	if (fp == NULL) {
-		fprintf(stderr, "failed to open input file: %s\n", argv[1]);
-		exit(1);
-	}
-
-	/* Dispatch initial queries */
-	for (i = 0; i < MAX_QUERIES; i++) {
-		result = dispatch_query(&query_array[i]);
-		if (result == ISC_R_NOMORE)
-			break;
-	}
-
-	/* Start event loop */
-	isc_app_ctxrun(query_actx);
-
-	/* Sanity check */
-	for (i = 0; i < MAX_QUERIES; i++)
-		INSIST(query_array[i].inuse == ISC_FALSE);
-
-	/* Cleanup */
-	isc_task_detach(&query_task);
-	dns_client_destroy(&client);
-	dns_lib_shutdown();
-	isc_app_ctxfinish(query_actx);
-	ctxs_destroy(&mctx, &query_actx, &taskmgr, &socketmgr, &timermgr);
-
-	return (0);
-}
diff --git a/contrib/bind9/lib/export/samples/sample-gai.c b/contrib/bind9/lib/export/samples/sample-gai.c
deleted file mode 100644
index 243d07a..0000000
--- a/contrib/bind9/lib/export/samples/sample-gai.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sample-gai.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <irs/netdb.h>
-
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-
-static void
-do_gai(int family, char *hostname) {
-	struct addrinfo hints, *res, *res0;
-	int error;
-	char namebuf[1024], addrbuf[1024], servbuf[1024];
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = family;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_flags = AI_CANONNAME;
-	error = getaddrinfo(hostname, "http", &hints, &res0);
-	if (error) {
-		fprintf(stderr, "getaddrinfo failed for %s,family=%d: %s\n",
-			hostname, family, gai_strerror(error));
-		return;
-	}
-
-	for (res = res0; res; res = res->ai_next) {
-		error = getnameinfo(res->ai_addr, res->ai_addrlen,
-				    addrbuf, sizeof(addrbuf),
-				    NULL, 0, NI_NUMERICHOST);
-		if (error == 0)
-			error = getnameinfo(res->ai_addr, res->ai_addrlen,
-					    namebuf, sizeof(namebuf),
-					    servbuf, sizeof(servbuf), 0);
-		if (error != 0) {
-			fprintf(stderr, "getnameinfo failed: %s\n",
-				gai_strerror(error));
-		} else {
-			printf("%s(%s/%s)=%s:%s\n", hostname,
-			       res->ai_canonname, addrbuf, namebuf, servbuf);
-		}
-	}
-
-	freeaddrinfo(res0);
-}
-
-int
-main(int argc, char *argv[]) {
-	if (argc < 2)
-		exit(1);
-
-	do_gai(AF_INET, argv[1]);
-	do_gai(AF_INET6, argv[1]);
-	do_gai(AF_UNSPEC, argv[1]);
-
-	return (0);
-}
diff --git a/contrib/bind9/lib/export/samples/sample-request.c b/contrib/bind9/lib/export/samples/sample-request.c
deleted file mode 100644
index 07baf39..0000000
--- a/contrib/bind9/lib/export/samples/sample-request.c
+++ /dev/null
@@ -1,265 +0,0 @@
-/*
- * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sample-request.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/lib.h>
-#include <isc/mem.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <dns/client.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/lib.h>
-#include <dns/masterdump.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-
-#include <dst/dst.h>
-
-static isc_mem_t *mctx;
-static dns_fixedname_t fixedqname;
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "sample-request [-t RRtype] server_address hostname\n");
-
-	exit(1);
-}
-
-static isc_result_t
-make_querymessage(dns_message_t *message, const char *namestr,
-		  dns_rdatatype_t rdtype)
-{
-	dns_name_t *qname = NULL, *qname0;
-	dns_rdataset_t *qrdataset = NULL;
-	isc_result_t result;
-	isc_buffer_t b;
-	size_t namelen;
-
-	REQUIRE(message != NULL);
-	REQUIRE(namestr != NULL);
-
-	/* Construct qname */
-	namelen = strlen(namestr);
-	isc_buffer_constinit(&b, namestr, namelen);
-	isc_buffer_add(&b, namelen);
-	dns_fixedname_init(&fixedqname);
-	qname0 = dns_fixedname_name(&fixedqname);
-	result = dns_name_fromtext(qname0, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to convert qname: %d\n", result);
-		return (result);
-	}
-
-	/* Construct query message */
-	message->opcode = dns_opcode_query;
-	message->rdclass = dns_rdataclass_in;
-
-	result = dns_message_gettempname(message, &qname);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = dns_message_gettemprdataset(message, &qrdataset);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	dns_name_init(qname, NULL);
-	dns_name_clone(qname0, qname);
-	dns_rdataset_init(qrdataset);
-	dns_rdataset_makequestion(qrdataset, message->rdclass, rdtype);
-	ISC_LIST_APPEND(qname->list, qrdataset, link);
-	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (qname != NULL)
-		dns_message_puttempname(message, &qname);
-	if (qrdataset != NULL)
-		dns_message_puttemprdataset(message, &qrdataset);
-	dns_message_destroy(&message);
-	return (result);
-}
-
-static void
-print_section(dns_message_t *message, int section, isc_buffer_t *buf) {
-	isc_result_t result;
-	isc_region_t r;
-
-	result = dns_message_sectiontotext(message, section,
-					   &dns_master_style_full, 0, buf);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	isc_buffer_usedregion(buf, &r);
-	printf("%.*s", (int)r.length, (char *)r.base);
-
-	return;
-
- fail:
-	fprintf(stderr, "failed to convert a section\n");
-}
-
-int
-main(int argc, char *argv[]) {
-	int ch, i, gai_error;
-	struct addrinfo hints, *res;
-	isc_textregion_t tr;
-	dns_client_t *client = NULL;
-	isc_result_t result;
-	isc_sockaddr_t sa;
-	dns_message_t *qmessage, *rmessage;
-	dns_rdatatype_t type = dns_rdatatype_a;
-	isc_buffer_t *outputbuf;
-
-	while ((ch = getopt(argc, argv, "t:")) != -1) {
-		switch (ch) {
-		case 't':
-			tr.base = optarg;
-			tr.length = strlen(optarg);
-			result = dns_rdatatype_fromtext(&type, &tr);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr,
-					"invalid RRtype: %s\n", optarg);
-				exit(1);
-			}
-			break;
-		default:
-			usage();
-		}
-	}
-
-	argc -= optind;
-	argv += optind;
-	if (argc < 2)
-		usage();
-
-	isc_lib_register();
-	result = dns_lib_init();
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
-		exit(1);
-	}
-
-	result = dns_client_create(&client, 0);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_create failed: %d\n", result);
-		exit(1);
-	}
-
-	/* Prepare message structures */
-	mctx = NULL;
-	qmessage = NULL;
-	rmessage = NULL;
-
-	result = isc_mem_create(0, 0, &mctx);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to create a memory context\n");
-		exit(1);
-	}
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &qmessage);
-	if (result == ISC_R_SUCCESS) {
-		result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
-					    &rmessage);
-	}
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to create messages\n");
-		exit(1);
-	}
-
-	/* Initialize the nameserver address */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = AF_UNSPEC;
-	hints.ai_socktype = SOCK_DGRAM;
-	hints.ai_protocol = IPPROTO_UDP;
-	hints.ai_flags = AI_NUMERICHOST;
-	gai_error = getaddrinfo(argv[0], "53", &hints, &res);
-	if (gai_error != 0) {
-		fprintf(stderr, "getaddrinfo failed: %s\n",
-			gai_strerror(gai_error));
-		exit(1);
-	}
-	INSIST(res->ai_addrlen <= sizeof(sa.type));
-	memcpy(&sa.type, res->ai_addr, res->ai_addrlen);
-	freeaddrinfo(res);
-	sa.length = res->ai_addrlen;
-	ISC_LINK_INIT(&sa, link);
-
-	/* Construct qname */
-	result = make_querymessage(qmessage, argv[1], type);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to create a query\n");
-		exit(1);
-	}
-
-	/* Send request and wait for a response */
-	result = dns_client_request(client, qmessage, rmessage, &sa, 0, 0,
-				    NULL, 60, 0, 3);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to get a response: %s\n",
-			dns_result_totext(result));
-	}
-
-	/* Dump the response */
-	outputbuf = NULL;
-	result = isc_buffer_allocate(mctx, &outputbuf, 65535);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to allocate a result buffer\n");
-		exit(1);
-	}
-	for (i = 0; i < DNS_SECTION_MAX; i++) {
-		print_section(rmessage, i, outputbuf);
-		isc_buffer_clear(outputbuf);
-	}
-	isc_buffer_free(&outputbuf);
-
-	/* Cleanup */
-	dns_message_destroy(&qmessage);
-	dns_message_destroy(&rmessage);
-	isc_mem_destroy(&mctx);
-	dns_client_destroy(&client);
-	dns_lib_shutdown();
-
-	return (0);
-}
diff --git a/contrib/bind9/lib/export/samples/sample-update.c b/contrib/bind9/lib/export/samples/sample-update.c
deleted file mode 100644
index 2c35baa..0000000
--- a/contrib/bind9/lib/export/samples/sample-update.c
+++ /dev/null
@@ -1,755 +0,0 @@
-/*
- * Copyright (C) 2009, 2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sample-update.c,v 1.10 2010/12/09 00:54:34 marka Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <unistd.h>
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-
-#include <isc/buffer.h>
-#include <isc/lex.h>
-#include <isc/lib.h>
-#include <isc/mem.h>
-#include <isc/parseint.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/client.h>
-#include <dns/fixedname.h>
-#include <dns/lib.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/tsec.h>
-
-#include <dst/dst.h>
-
-static dns_tsec_t *tsec = NULL;
-static const dns_rdataclass_t default_rdataclass = dns_rdataclass_in;
-static isc_bufferlist_t usedbuffers;
-static ISC_LIST(dns_rdatalist_t) usedrdatalists;
-
-static void setup_tsec(char *keyfile, isc_mem_t *mctx);
-static void update_addordelete(isc_mem_t *mctx, char *cmdline,
-			       isc_boolean_t isdelete, dns_name_t *name);
-static void evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name);
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "sample-update "
-		"[-a auth_server] "
-		"[-k keyfile] "
-		"[-p prerequisite] "
-		"[-r recursive_server] "
-		"[-z zonename] "
-		"(add|delete) \"name TTL RRtype RDATA\"\n");
-	exit(1);
-}
-
-int
-main(int argc, char *argv[]) {
-	int ch;
-	struct addrinfo hints, *res;
-	int gai_error;
-	dns_client_t *client = NULL;
-	char *zonenamestr = NULL;
-	char *keyfilename = NULL;
-	char *prereqstr = NULL;
-	isc_sockaddrlist_t auth_servers;
-	char *auth_server = NULL;
-	char *recursive_server = NULL;
-	isc_sockaddr_t sa_auth, sa_recursive;
-	isc_sockaddrlist_t rec_servers;
-	isc_result_t result;
-	isc_boolean_t isdelete;
-	isc_buffer_t b, *buf;
-	dns_fixedname_t zname0, pname0, uname0;
-	size_t namelen;
-	dns_name_t *zname = NULL, *uname, *pname;
-	dns_rdataset_t *rdataset;
-	dns_rdatalist_t *rdatalist;
-	dns_rdata_t *rdata;
-	dns_namelist_t updatelist, prereqlist, *prereqlistp = NULL;
-	isc_mem_t *umctx = NULL;
-
-	while ((ch = getopt(argc, argv, "a:k:p:r:z:")) != -1) {
-		switch (ch) {
-		case 'k':
-			keyfilename = optarg;
-			break;
-		case 'a':
-			auth_server = optarg;
-			break;
-		case 'p':
-			prereqstr = optarg;
-			break;
-		case 'r':
-			recursive_server = optarg;
-			break;
-		case 'z':
-			zonenamestr = optarg;
-			break;
-		default:
-			usage();
-		}
-	}
-
-	argc -= optind;
-	argv += optind;
-	if (argc < 2)
-		usage();
-
-	/* command line argument validation */
-	if (strcmp(argv[0], "delete") == 0)
-		isdelete = ISC_TRUE;
-	else if (strcmp(argv[0], "add") == 0)
-		isdelete = ISC_FALSE;
-	else {
-		fprintf(stderr, "invalid update command: %s\n", argv[0]);
-		exit(1);
-	}
-
-	if (auth_server == NULL && recursive_server == NULL) {
-		fprintf(stderr, "authoritative or recursive server "
-			"must be specified\n");
-		usage();
-	}
-
-	/* Initialization */
-	ISC_LIST_INIT(usedbuffers);
-	ISC_LIST_INIT(usedrdatalists);
-	ISC_LIST_INIT(prereqlist);
-	ISC_LIST_INIT(auth_servers);
-	isc_lib_register();
-	result = dns_lib_init();
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
-		exit(1);
-	}
-	result = isc_mem_create(0, 0, &umctx);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to crate mctx\n");
-		exit(1);
-	}
-
-	result = dns_client_create(&client, 0);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_create failed: %d\n", result);
-		exit(1);
-	}
-
-	/* Set the authoritative server */
-	if (auth_server != NULL) {
-		memset(&hints, 0, sizeof(hints));
-		hints.ai_family = AF_UNSPEC;
-		hints.ai_socktype = SOCK_DGRAM;
-		hints.ai_protocol = IPPROTO_UDP;
-		hints.ai_flags = AI_NUMERICHOST;
-		gai_error = getaddrinfo(auth_server, "53", &hints, &res);
-		if (gai_error != 0) {
-			fprintf(stderr, "getaddrinfo failed: %s\n",
-				gai_strerror(gai_error));
-			exit(1);
-		}
-		INSIST(res->ai_addrlen <= sizeof(sa_auth.type));
-		memcpy(&sa_auth.type, res->ai_addr, res->ai_addrlen);
-		freeaddrinfo(res);
-		sa_auth.length = res->ai_addrlen;
-		ISC_LINK_INIT(&sa_auth, link);
-
-		ISC_LIST_APPEND(auth_servers, &sa_auth, link);
-	}
-
-	/* Set the recursive server */
-	if (recursive_server != NULL) {
-		memset(&hints, 0, sizeof(hints));
-		hints.ai_family = AF_UNSPEC;
-		hints.ai_socktype = SOCK_DGRAM;
-		hints.ai_protocol = IPPROTO_UDP;
-		hints.ai_flags = AI_NUMERICHOST;
-		gai_error = getaddrinfo(recursive_server, "53", &hints, &res);
-		if (gai_error != 0) {
-			fprintf(stderr, "getaddrinfo failed: %s\n",
-				gai_strerror(gai_error));
-			exit(1);
-		}
-		INSIST(res->ai_addrlen <= sizeof(sa_recursive.type));
-		memcpy(&sa_recursive.type, res->ai_addr, res->ai_addrlen);
-		freeaddrinfo(res);
-		sa_recursive.length = res->ai_addrlen;
-		ISC_LINK_INIT(&sa_recursive, link);
-		ISC_LIST_INIT(rec_servers);
-		ISC_LIST_APPEND(rec_servers, &sa_recursive, link);
-		result = dns_client_setservers(client, dns_rdataclass_in,
-					       NULL, &rec_servers);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "set server failed: %d\n", result);
-			exit(1);
-		}
-	}
-
-	/* Construct zone name */
-	zname = NULL;
-	if (zonenamestr != NULL) {
-		namelen = strlen(zonenamestr);
-		isc_buffer_init(&b, zonenamestr, namelen);
-		isc_buffer_add(&b, namelen);
-		dns_fixedname_init(&zname0);
-		zname = dns_fixedname_name(&zname0);
-		result = dns_name_fromtext(zname, &b, dns_rootname, 0, NULL);
-		if (result != ISC_R_SUCCESS)
-			fprintf(stderr, "failed to convert zone name: %d\n",
-				result);
-	}
-
-	/* Construct prerequisite name (if given) */
-	if (prereqstr != NULL) {
-		dns_fixedname_init(&pname0);
-		pname = dns_fixedname_name(&pname0);
-		evaluate_prereq(umctx, prereqstr, pname);
-		ISC_LIST_APPEND(prereqlist, pname, link);
-		prereqlistp = &prereqlist;
-	}
-
-	/* Construct update name */
-	ISC_LIST_INIT(updatelist);
-	dns_fixedname_init(&uname0);
-	uname = dns_fixedname_name(&uname0);
-	update_addordelete(umctx, argv[1], isdelete, uname);
-	ISC_LIST_APPEND(updatelist, uname, link);
-
-	/* Set up TSIG/SIG(0) key (if given) */
-	if (keyfilename != NULL)
-		setup_tsec(keyfilename, umctx);
-
-	/* Perform update */
-	result = dns_client_update(client,
-				   default_rdataclass, /* XXX: fixed */
-				   zname, prereqlistp, &updatelist,
-				   (auth_server == NULL) ? NULL :
-				   &auth_servers, tsec, 0);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr,
-			"update failed: %s\n", dns_result_totext(result));
-	} else
-		fprintf(stderr, "update succeeded\n");
-
-	/* Cleanup */
-	while ((pname = ISC_LIST_HEAD(prereqlist)) != NULL) {
-		while ((rdataset = ISC_LIST_HEAD(pname->list)) != NULL) {
-			ISC_LIST_UNLINK(pname->list, rdataset, link);
-			dns_rdataset_disassociate(rdataset);
-			isc_mem_put(umctx, rdataset, sizeof(*rdataset));
-		}
-		ISC_LIST_UNLINK(prereqlist, pname, link);
-	}
-	while ((uname = ISC_LIST_HEAD(updatelist)) != NULL) {
-		while ((rdataset = ISC_LIST_HEAD(uname->list)) != NULL) {
-			ISC_LIST_UNLINK(uname->list, rdataset, link);
-			dns_rdataset_disassociate(rdataset);
-			isc_mem_put(umctx, rdataset, sizeof(*rdataset));
-		}
-		ISC_LIST_UNLINK(updatelist, uname, link);
-	}
-	while ((rdatalist = ISC_LIST_HEAD(usedrdatalists)) != NULL) {
-		while ((rdata = ISC_LIST_HEAD(rdatalist->rdata)) != NULL) {
-			ISC_LIST_UNLINK(rdatalist->rdata, rdata, link);
-			isc_mem_put(umctx, rdata, sizeof(*rdata));
-		}
-		ISC_LIST_UNLINK(usedrdatalists, rdatalist, link);
-		isc_mem_put(umctx, rdatalist, sizeof(*rdatalist));
-	}
-	while ((buf = ISC_LIST_HEAD(usedbuffers)) != NULL) {
-		ISC_LIST_UNLINK(usedbuffers, buf, link);
-		isc_buffer_free(&buf);
-	}
-	if (tsec != NULL)
-		dns_tsec_destroy(&tsec);
-	isc_mem_destroy(&umctx);
-	dns_client_destroy(&client);
-	dns_lib_shutdown();
-
-	return (0);
-}
-
-/*
- *  Subroutines borrowed from nsupdate.c
- */
-#define MAXWIRE (64 * 1024)
-#define TTL_MAX 2147483647U	/* Maximum signed 32 bit integer. */
-
-static char *
-nsu_strsep(char **stringp, const char *delim) {
-	char *string = *stringp;
-	char *s;
-	const char *d;
-	char sc, dc;
-
-	if (string == NULL)
-		return (NULL);
-
-	for (; *string != '\0'; string++) {
-		sc = *string;
-		for (d = delim; (dc = *d) != '\0'; d++) {
-			if (sc == dc)
-				break;
-		}
-		if (dc == 0)
-			break;
-	}
-
-	for (s = string; *s != '\0'; s++) {
-		sc = *s;
-		for (d = delim; (dc = *d) != '\0'; d++) {
-			if (sc == dc) {
-				*s++ = '\0';
-				*stringp = s;
-				return (string);
-			}
-		}
-	}
-	*stringp = NULL;
-	return (string);
-}
-
-static void
-fatal(const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	vfprintf(stderr, format, args);
-	va_end(args);
-	fprintf(stderr, "\n");
-	exit(1);
-}
-
-static inline void
-check_result(isc_result_t result, const char *msg) {
-	if (result != ISC_R_SUCCESS)
-		fatal("%s: %s", msg, isc_result_totext(result));
-}
-
-static void
-parse_name(char **cmdlinep, dns_name_t *name) {
-	isc_result_t result;
-	char *word;
-	isc_buffer_t source;
-
-	word = nsu_strsep(cmdlinep, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not read owner name\n");
-		exit(1);
-	}
-
-	isc_buffer_init(&source, word, strlen(word));
-	isc_buffer_add(&source, strlen(word));
-	result = dns_name_fromtext(name, &source, dns_rootname, 0, NULL);
-	check_result(result, "dns_name_fromtext");
-	isc_buffer_invalidate(&source);
-}
-
-static void
-parse_rdata(isc_mem_t *mctx, char **cmdlinep, dns_rdataclass_t rdataclass,
-	    dns_rdatatype_t rdatatype, dns_rdata_t *rdata)
-{
-	char *cmdline = *cmdlinep;
-	isc_buffer_t source, *buf = NULL, *newbuf = NULL;
-	isc_region_t r;
-	isc_lex_t *lex = NULL;
-	dns_rdatacallbacks_t callbacks;
-	isc_result_t result;
-
-	while (cmdline != NULL && *cmdline != 0 &&
-	       isspace((unsigned char)*cmdline))
-		cmdline++;
-
-	if (cmdline != NULL && *cmdline != 0) {
-		dns_rdatacallbacks_init(&callbacks);
-		result = isc_lex_create(mctx, strlen(cmdline), &lex);
-		check_result(result, "isc_lex_create");
-		isc_buffer_init(&source, cmdline, strlen(cmdline));
-		isc_buffer_add(&source, strlen(cmdline));
-		result = isc_lex_openbuffer(lex, &source);
-		check_result(result, "isc_lex_openbuffer");
-		result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
-		check_result(result, "isc_buffer_allocate");
-		result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
-					    dns_rootname, 0, mctx, buf,
-					    &callbacks);
-		isc_lex_destroy(&lex);
-		if (result == ISC_R_SUCCESS) {
-			isc_buffer_usedregion(buf, &r);
-			result = isc_buffer_allocate(mctx, &newbuf, r.length);
-			check_result(result, "isc_buffer_allocate");
-			isc_buffer_putmem(newbuf, r.base, r.length);
-			isc_buffer_usedregion(newbuf, &r);
-			dns_rdata_reset(rdata);
-			dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r);
-			isc_buffer_free(&buf);
-			ISC_LIST_APPEND(usedbuffers, newbuf, link);
-		} else {
-			fprintf(stderr, "invalid rdata format: %s\n",
-				isc_result_totext(result));
-			isc_buffer_free(&buf);
-			exit(1);
-		}
-	} else {
-		rdata->flags = DNS_RDATA_UPDATE;
-	}
-	*cmdlinep = cmdline;
-}
-
-static void
-update_addordelete(isc_mem_t *mctx, char *cmdline, isc_boolean_t isdelete,
-		   dns_name_t *name)
-{
-	isc_result_t result;
-	isc_uint32_t ttl;
-	char *word;
-	dns_rdataclass_t rdataclass;
-	dns_rdatatype_t rdatatype;
-	dns_rdata_t *rdata = NULL;
-	dns_rdatalist_t *rdatalist = NULL;
-	dns_rdataset_t *rdataset = NULL;
-	isc_textregion_t region;
-
-	/*
-	 * Read the owner name.
-	 */
-	parse_name(&cmdline, name);
-
-	rdata = isc_mem_get(mctx, sizeof(*rdata));
-	if (rdata == NULL) {
-		fprintf(stderr, "memory allocation for rdata failed\n");
-		exit(1);
-	}
-	dns_rdata_init(rdata);
-
-	/*
-	 * If this is an add, read the TTL and verify that it's in range.
-	 * If it's a delete, ignore a TTL if present (for compatibility).
-	 */
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		if (!isdelete) {
-			fprintf(stderr, "could not read owner ttl\n");
-			exit(1);
-		}
-		else {
-			ttl = 0;
-			rdataclass = dns_rdataclass_any;
-			rdatatype = dns_rdatatype_any;
-			rdata->flags = DNS_RDATA_UPDATE;
-			goto doneparsing;
-		}
-	}
-	result = isc_parse_uint32(&ttl, word, 10);
-	if (result != ISC_R_SUCCESS) {
-		if (isdelete) {
-			ttl = 0;
-			goto parseclass;
-		} else {
-			fprintf(stderr, "ttl '%s': %s\n", word,
-				isc_result_totext(result));
-			exit(1);
-		}
-	}
-
-	if (isdelete)
-		ttl = 0;
-	else if (ttl > TTL_MAX) {
-		fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
-			word, TTL_MAX);
-		exit(1);
-	}
-
-	/*
-	 * Read the class or type.
-	 */
-	word = nsu_strsep(&cmdline, " \t\r\n");
- parseclass:
-	if (word == NULL || *word == 0) {
-		if (isdelete) {
-			rdataclass = dns_rdataclass_any;
-			rdatatype = dns_rdatatype_any;
-			rdata->flags = DNS_RDATA_UPDATE;
-		goto doneparsing;
-		} else {
-			fprintf(stderr, "could not read class or type\n");
-			exit(1);
-		}
-	}
-	region.base = word;
-	region.length = strlen(word);
-	result = dns_rdataclass_fromtext(&rdataclass, &region);
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * Now read the type.
-		 */
-		word = nsu_strsep(&cmdline, " \t\r\n");
-		if (word == NULL || *word == 0) {
-			if (isdelete) {
-				rdataclass = dns_rdataclass_any;
-				rdatatype = dns_rdatatype_any;
-				rdata->flags = DNS_RDATA_UPDATE;
-				goto doneparsing;
-			} else {
-				fprintf(stderr, "could not read type\n");
-				exit(1);
-			}
-		}
-		region.base = word;
-		region.length = strlen(word);
-		result = dns_rdatatype_fromtext(&rdatatype, &region);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "'%s' is not a valid type: %s\n",
-				word, isc_result_totext(result));
-			exit(1);
-		}
-	} else {
-		rdataclass = default_rdataclass;
-		result = dns_rdatatype_fromtext(&rdatatype, &region);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "'%s' is not a valid class or type: "
-				"%s\n", word, isc_result_totext(result));
-			exit(1);
-		}
-	}
-
-	parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
-
-	if (isdelete) {
-		if ((rdata->flags & DNS_RDATA_UPDATE) != 0)
-			rdataclass = dns_rdataclass_any;
-		else
-			rdataclass = dns_rdataclass_none;
-	} else {
-		if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
-			fprintf(stderr, "could not read rdata\n");
-			exit(1);
-		}
-	}
-
- doneparsing:
-
-	rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
-	if (rdatalist == NULL) {
-		fprintf(stderr, "memory allocation for rdatalist failed\n");
-		exit(1);
-	}
-	dns_rdatalist_init(rdatalist);
-	rdatalist->type = rdatatype;
-	rdatalist->rdclass = rdataclass;
-	rdatalist->covers = rdatatype;
-	rdatalist->ttl = (dns_ttl_t)ttl;
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
-
-	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
-	if (rdataset == NULL) {
-		fprintf(stderr, "memory allocation for rdataset failed\n");
-		exit(1);
-	}
-	dns_rdataset_init(rdataset);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
-	ISC_LIST_INIT(name->list);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-}
-
-static void
-make_prereq(isc_mem_t *mctx, char *cmdline, isc_boolean_t ispositive,
-	    isc_boolean_t isrrset, dns_name_t *name)
-{
-	isc_result_t result;
-	char *word;
-	isc_textregion_t region;
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdatalist_t *rdatalist = NULL;
-	dns_rdataclass_t rdataclass;
-	dns_rdatatype_t rdatatype;
-	dns_rdata_t *rdata = NULL;
-
-	/*
-	 * Read the owner name
-	 */
-	parse_name(&cmdline, name);
-
-	/*
-	 * If this is an rrset prereq, read the class or type.
-	 */
-	if (isrrset) {
-		word = nsu_strsep(&cmdline, " \t\r\n");
-		if (word == NULL || *word == 0) {
-			fprintf(stderr, "could not read class or type\n");
-			exit(1);
-		}
-		region.base = word;
-		region.length = strlen(word);
-		result = dns_rdataclass_fromtext(&rdataclass, &region);
-		if (result == ISC_R_SUCCESS) {
-			/*
-			 * Now read the type.
-			 */
-			word = nsu_strsep(&cmdline, " \t\r\n");
-			if (word == NULL || *word == 0) {
-				fprintf(stderr, "could not read type\n");
-				exit(1);
-			}
-			region.base = word;
-			region.length = strlen(word);
-			result = dns_rdatatype_fromtext(&rdatatype, &region);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "invalid type: %s\n", word);
-				exit(1);
-			}
-		} else {
-			rdataclass = default_rdataclass;
-			result = dns_rdatatype_fromtext(&rdatatype, &region);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "invalid type: %s\n", word);
-				exit(1);
-			}
-		}
-	} else
-		rdatatype = dns_rdatatype_any;
-
-	rdata = isc_mem_get(mctx, sizeof(*rdata));
-	if (rdata == NULL) {
-		fprintf(stderr, "memory allocation for rdata failed\n");
-		exit(1);
-	}
-	dns_rdata_init(rdata);
-
-	if (isrrset && ispositive)
-		parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
-	else
-		rdata->flags = DNS_RDATA_UPDATE;
-
-	rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
-	if (rdatalist == NULL) {
-		fprintf(stderr, "memory allocation for rdatalist failed\n");
-		exit(1);
-	}
-	dns_rdatalist_init(rdatalist);
-	rdatalist->type = rdatatype;
-	if (ispositive) {
-		if (isrrset && rdata->data != NULL)
-			rdatalist->rdclass = rdataclass;
-		else
-			rdatalist->rdclass = dns_rdataclass_any;
-	} else
-		rdatalist->rdclass = dns_rdataclass_none;
-	rdatalist->covers = 0;
-	rdatalist->ttl = 0;
-	rdata->rdclass = rdatalist->rdclass;
-	rdata->type = rdatatype;
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
-
-	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
-	if (rdataset == NULL) {
-		fprintf(stderr, "memory allocation for rdataset failed\n");
-		exit(1);
-	}
-	dns_rdataset_init(rdataset);
-	dns_rdatalist_tordataset(rdatalist, rdataset);
-	ISC_LIST_INIT(name->list);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-}
-
-static void
-evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name) {
-	char *word;
-	isc_boolean_t ispositive, isrrset;
-
-	word = nsu_strsep(&cmdline, " \t\r\n");
-	if (word == NULL || *word == 0) {
-		fprintf(stderr, "could not read operation code\n");
-		exit(1);
-	}
-	if (strcasecmp(word, "nxdomain") == 0) {
-		ispositive = ISC_FALSE;
-		isrrset = ISC_FALSE;
-	} else if (strcasecmp(word, "yxdomain") == 0) {
-		ispositive = ISC_TRUE;
-		isrrset = ISC_FALSE;
-	} else if (strcasecmp(word, "nxrrset") == 0) {
-		ispositive = ISC_FALSE;
-		isrrset = ISC_TRUE;
-	} else if (strcasecmp(word, "yxrrset") == 0) {
-		ispositive = ISC_TRUE;
-		isrrset = ISC_TRUE;
-	} else {
-		fprintf(stderr, "incorrect operation code: %s\n", word);
-		exit(1);
-	}
-
-	make_prereq(mctx, cmdline, ispositive, isrrset, name);
-}
-
-static void
-setup_tsec(char *keyfile, isc_mem_t *mctx) {
-	dst_key_t *dstkey = NULL;
-	isc_result_t result;
-	dns_tsectype_t tsectype;
-
-	result = dst_key_fromnamedfile(keyfile, NULL,
-				       DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
-				       &dstkey);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not read key from %s: %s\n",
-			keyfile, isc_result_totext(result));
-		exit(1);
-	}
-
-	if (dst_key_alg(dstkey) == DST_ALG_HMACMD5)
-		tsectype = dns_tsectype_tsig;
-	else
-		tsectype = dns_tsectype_sig0;
-
-	result = dns_tsec_create(mctx, tsectype, dstkey, &tsec);
-	dst_key_free(&dstkey);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "could not create tsec: %s\n",
-			isc_result_totext(result));
-		exit(1);
-	}
-}
diff --git a/contrib/bind9/lib/export/samples/sample.c b/contrib/bind9/lib/export/samples/sample.c
deleted file mode 100644
index b121a0d..0000000
--- a/contrib/bind9/lib/export/samples/sample.c
+++ /dev/null
@@ -1,384 +0,0 @@
-/*
- * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sample.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/lib.h>
-#include <isc/mem.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <dns/client.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/lib.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-
-#include <dst/dst.h>
-
-static char *algname;
-
-static isc_result_t
-printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
-	isc_buffer_t target;
-	isc_result_t result;
-	isc_region_t r;
-	char t[4096];
-
-	if (!dns_rdataset_isassociated(rdataset)) {
-		printf("[WARN: empty]\n");
-		return (ISC_R_SUCCESS);
-	}
-
-	isc_buffer_init(&target, t, sizeof(t));
-
-	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
-				     &target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	isc_buffer_usedregion(&target, &r);
-	printf("%.*s", (int)r.length, (char *)r.base);
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "sample [-t RRtype] "
-		"[[-a algorithm] [-e] -k keyname -K keystring] "
-		"[-s domain:serveraddr_for_domain ] "
-		"server_address hostname\n");
-
-	exit(1);
-}
-
-static void
-set_key(dns_client_t *client, char *keynamestr, char *keystr,
-	isc_boolean_t is_sep, isc_mem_t **mctxp)
-{
-	isc_result_t result;
-	dns_fixedname_t fkeyname;
-	size_t namelen;
-	dns_name_t *keyname;
-	dns_rdata_dnskey_t keystruct;
-	unsigned char keydata[4096];
-	isc_buffer_t keydatabuf;
-	unsigned char rrdata[4096];
-	isc_buffer_t rrdatabuf;
-	isc_buffer_t b;
-	isc_textregion_t tr;
-	isc_region_t r;
-	dns_secalg_t alg;
-
-	result = isc_mem_create(0, 0, mctxp);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to crate mctx\n");
-		exit(1);
-	}
-
-	if (algname != NULL) {
-		tr.base = algname;
-		tr.length = strlen(algname);
-		result = dns_secalg_fromtext(&alg, &tr);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "failed to identify the algorithm\n");
-			exit(1);
-		}
-	} else
-		alg = DNS_KEYALG_RSASHA1;
-
-	keystruct.common.rdclass = dns_rdataclass_in;
-	keystruct.common.rdtype = dns_rdatatype_dnskey;
-	keystruct.flags = DNS_KEYOWNER_ZONE; /* fixed */
-	if (is_sep)
-		keystruct.flags |= DNS_KEYFLAG_KSK;
-	keystruct.protocol = DNS_KEYPROTO_DNSSEC; /* fixed */
-	keystruct.algorithm = alg;
-
-	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
-	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
-	result = isc_base64_decodestring(keystr, &keydatabuf);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "base64 decode failed\n");
-		exit(1);
-	}
-	isc_buffer_usedregion(&keydatabuf, &r);
-	keystruct.datalen = r.length;
-	keystruct.data = r.base;
-
-	result = dns_rdata_fromstruct(NULL, keystruct.common.rdclass,
-				      keystruct.common.rdtype,
-				      &keystruct, &rrdatabuf);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to construct key rdata\n");
-		exit(1);
-	}
-	namelen = strlen(keynamestr);
-	isc_buffer_init(&b, keynamestr, namelen);
-	isc_buffer_add(&b, namelen);
-	dns_fixedname_init(&fkeyname);
-	keyname = dns_fixedname_name(&fkeyname);
-	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to construct key name\n");
-		exit(1);
-	}
-	result = dns_client_addtrustedkey(client, dns_rdataclass_in,
-					  keyname, &rrdatabuf);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to add key for %s\n",
-			keynamestr);
-		exit(1);
-	}
-}
-
-static void
-addserver(dns_client_t *client, const char *addrstr, const char *port,
-	  const char *namespace)
-{
-	struct addrinfo hints, *res;
-	int gai_error;
-	isc_sockaddr_t sa;
-	isc_sockaddrlist_t servers;
-	isc_result_t result;
-	size_t namelen;
-	isc_buffer_t b;
-	dns_fixedname_t fname;
-	dns_name_t *name = NULL;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = AF_UNSPEC;
-	hints.ai_socktype = SOCK_DGRAM;
-	hints.ai_protocol = IPPROTO_UDP;
-	hints.ai_flags = AI_NUMERICHOST;
-	gai_error = getaddrinfo(addrstr, port, &hints, &res);
-	if (gai_error != 0) {
-		fprintf(stderr, "getaddrinfo failed: %s\n",
-			gai_strerror(gai_error));
-		exit(1);
-	}
-	INSIST(res->ai_addrlen <= sizeof(sa.type));
-	memcpy(&sa.type, res->ai_addr, res->ai_addrlen);
-	sa.length = res->ai_addrlen;
-	freeaddrinfo(res);
-	ISC_LINK_INIT(&sa, link);
-	ISC_LIST_INIT(servers);
-	ISC_LIST_APPEND(servers, &sa, link);
-
-	if (namespace != NULL) {
-		namelen = strlen(namespace);
-		isc_buffer_constinit(&b, namespace, namelen);
-		isc_buffer_add(&b, namelen);
-		dns_fixedname_init(&fname);
-		name = dns_fixedname_name(&fname);
-		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
-		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "failed to convert qname: %d\n",
-				result);
-			exit(1);
-		}
-	}
-
-	result = dns_client_setservers(client, dns_rdataclass_in, name,
-				       &servers);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "set server failed: %d\n", result);
-		exit(1);
-	}
-}
-
-int
-main(int argc, char *argv[]) {
-	int ch;
-	isc_textregion_t tr;
-	char *altserver = NULL;
-	char *altserveraddr = NULL;
-	char *altservername = NULL;
-	dns_client_t *client = NULL;
-	char *keynamestr = NULL;
-	char *keystr = NULL;
-	isc_result_t result;
-	isc_buffer_t b;
-	dns_fixedname_t qname0;
-	size_t namelen;
-	dns_name_t *qname, *name;
-	dns_rdatatype_t type = dns_rdatatype_a;
-	dns_rdataset_t *rdataset;
-	dns_namelist_t namelist;
-	isc_mem_t *keymctx = NULL;
-	unsigned int clientopt, resopt;
-	isc_boolean_t is_sep = ISC_FALSE;
-	const char *port = "53";
-
-	while ((ch = getopt(argc, argv, "a:es:t:k:K:p:")) != -1) {
-		switch (ch) {
-		case 't':
-			tr.base = optarg;
-			tr.length = strlen(optarg);
-			result = dns_rdatatype_fromtext(&type, &tr);
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr,
-					"invalid RRtype: %s\n", optarg);
-				exit(1);
-			}
-			break;
-		case 'a':
-			algname = optarg;
-			break;
-		case 'e':
-			is_sep = ISC_TRUE;
-			break;
-		case 's':
-			if (altserver != NULL) {
-				fprintf(stderr, "alternate server "
-					"already defined: %s\n",
-					altserver);
-				exit(1);
-			}
-			altserver = optarg;
-			break;
-		case 'k':
-			keynamestr = optarg;
-			break;
-		case 'K':
-			keystr = optarg;
-			break;
-		case 'p':
-			port = optarg;
-			break;
-		default:
-			usage();
-		}
-	}
-
-	argc -= optind;
-	argv += optind;
-	if (argc < 2)
-		usage();
-
-	if (altserver != NULL) {
-		char *cp;
-
-		cp = strchr(altserver, ':');
-		if (cp == NULL) {
-			fprintf(stderr, "invalid alternate server: %s\n",
-				altserver);
-			exit(1);
-		}
-		*cp = '\0';
-		altservername = altserver;
-		altserveraddr = cp + 1;
-	}
-
-	isc_lib_register();
-	result = dns_lib_init();
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
-		exit(1);
-	}
-
-	clientopt = 0;
-	result = dns_client_create(&client, clientopt);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_create failed: %d\n", result);
-		exit(1);
-	}
-
-	/* Set the nameserver */
-	addserver(client, argv[0], port, NULL);
-
-	/* Set the alternate nameserver (when specified) */
-	if (altserver != NULL)
-		addserver(client, altserveraddr, port, altservername);
-
-	/* Install DNSSEC key (if given) */
-	if (keynamestr != NULL) {
-		if (keystr == NULL) {
-			fprintf(stderr,
-				"key string is missing "
-				"while key name is provided\n");
-			exit(1);
-		}
-		set_key(client, keynamestr, keystr, is_sep, &keymctx);
-	}
-
-	/* Construct qname */
-	namelen = strlen(argv[1]);
-	isc_buffer_init(&b, argv[1], namelen);
-	isc_buffer_add(&b, namelen);
-	dns_fixedname_init(&qname0);
-	qname = dns_fixedname_name(&qname0);
-	result = dns_name_fromtext(qname, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS)
-		fprintf(stderr, "failed to convert qname: %d\n", result);
-
-	/* Perform resolution */
-	resopt = 0;
-	if (keynamestr == NULL)
-		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
-	ISC_LIST_INIT(namelist);
-	result = dns_client_resolve(client, qname, dns_rdataclass_in, type,
-				    resopt, &namelist);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr,
-			"resolution failed: %s\n", dns_result_totext(result));
-	}
-	for (name = ISC_LIST_HEAD(namelist); name != NULL;
-	     name = ISC_LIST_NEXT(name, link)) {
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if (printdata(rdataset, name) != ISC_R_SUCCESS)
-				fprintf(stderr, "print data failed\n");
-		}
-	}
-
-	dns_client_freeresanswer(client, &namelist);
-
-	/* Cleanup */
-	dns_client_destroy(&client);
-	if (keynamestr != NULL)
-		isc_mem_destroy(&keymctx);
-	dns_lib_shutdown();
-
-	return (0);
-}
diff --git a/contrib/bind9/lib/irs/Makefile.in b/contrib/bind9/lib/irs/Makefile.in
deleted file mode 100644
index d3c47b0..0000000
--- a/contrib/bind9/lib/irs/Makefile.in
+++ /dev/null
@@ -1,80 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBIRS_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I. -I./include -I${srcdir}/include \
-		${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-# Alphabetically
-OBJS =		context.@O@ \
-		dnsconf.@O@ \
-		gai_strerror.@O@ getaddrinfo.@O@ getnameinfo.@O@ \
-		resconf.@O@
-
-# Alphabetically
-SRCS =		context.c \
-		dnsconf.c \
-		gai_sterror.c getaddrinfo.c getnameinfo.c \
-		resconf.c
-
-LIBS =		@LIBS@
-
-SUBDIRS =	include
-TARGETS =	timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libirs.@SA@: ${OBJS} version.@O@
-	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
-	${RANLIB} $@
-
-libirs.la: ${OBJS} version.@O@
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} version.@O@ ${LIBS}
-
-timestamp: libirs.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
-	rm -f libirs.@A@ libirs.la timestamp
diff --git a/contrib/bind9/lib/irs/api b/contrib/bind9/lib/irs/api
deleted file mode 100644
index 298e96a..0000000
--- a/contrib/bind9/lib/irs/api
+++ /dev/null
@@ -1,9 +0,0 @@
-# LIBINTERFACE ranges
-# 9.6: 50-59, 110-119
-# 9.7: 60-79
-# 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-LIBINTERFACE = 90
-LIBREVISION = 1
-LIBAGE = 0
diff --git a/contrib/bind9/lib/irs/context.c b/contrib/bind9/lib/irs/context.c
deleted file mode 100644
index be69622..0000000
--- a/contrib/bind9/lib/irs/context.c
+++ /dev/null
@@ -1,396 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-#include <config.h>
-
-#include <isc/app.h>
-#include <isc/lib.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/socket.h>
-#include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/client.h>
-#include <dns/lib.h>
-
-#include <irs/context.h>
-#include <irs/dnsconf.h>
-#include <irs/resconf.h>
-
-#define IRS_CONTEXT_MAGIC		ISC_MAGIC('I', 'R', 'S', 'c')
-#define IRS_CONTEXT_VALID(c)		ISC_MAGIC_VALID(c, IRS_CONTEXT_MAGIC)
-
-#ifndef RESOLV_CONF
-/*% location of resolve.conf */
-#define RESOLV_CONF "/etc/resolv.conf"
-#endif
-
-#ifndef DNS_CONF
-/*% location of dns.conf */
-#define DNS_CONF "/etc/dns.conf"
-#endif
-
-#ifndef ISC_PLATFORM_USETHREADS
-irs_context_t *irs_g_context = NULL;
-#else
-static isc_boolean_t thread_key_initialized = ISC_FALSE;
-static isc_mutex_t thread_key_mutex;
-static isc_thread_key_t irs_context_key;
-static isc_once_t once = ISC_ONCE_INIT;
-#endif
-
-
-struct irs_context {
-	/*
-	 * An IRS context is a thread-specific object, and does not need to
-	 * be locked.
-	 */
-	unsigned int			magic;
-	isc_mem_t			*mctx;
-	isc_appctx_t			*actx;
-	isc_taskmgr_t			*taskmgr;
-	isc_task_t			*task;
-	isc_socketmgr_t			*socketmgr;
-	isc_timermgr_t			*timermgr;
-	dns_client_t			*dnsclient;
-	irs_resconf_t			*resconf;
-	irs_dnsconf_t			*dnsconf;
-};
-
-static void
-ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
-	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
-	     isc_timermgr_t **timermgrp)
-{
-	if (taskmgrp != NULL)
-		isc_taskmgr_destroy(taskmgrp);
-
-	if (timermgrp != NULL)
-		isc_timermgr_destroy(timermgrp);
-
-	if (socketmgrp != NULL)
-		isc_socketmgr_destroy(socketmgrp);
-
-	if (actxp != NULL)
-		isc_appctx_destroy(actxp);
-
-	if (mctxp != NULL)
-		isc_mem_destroy(mctxp);
-}
-
-static isc_result_t
-ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
-	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
-	  isc_timermgr_t **timermgrp)
-{
-	isc_result_t result;
-
-	result = isc_mem_create(0, 0, mctxp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_appctx_create(*mctxp, actxp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	return (ISC_R_SUCCESS);
-
- fail:
-	ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
-
-	return (result);
-}
-
-#ifdef ISC_PLATFORM_USETHREADS
-static void
-free_specific_context(void *arg) {
-	irs_context_t *context = arg;
-
-	irs_context_destroy(&context);
-
-	isc_thread_key_setspecific(irs_context_key, NULL);
-}
-
-static void
-thread_key_mutex_init(void) {
-	RUNTIME_CHECK(isc_mutex_init(&thread_key_mutex) == ISC_R_SUCCESS);
-}
-
-static isc_result_t
-thread_key_init() {
-	isc_result_t result;
-
-	result = isc_once_do(&once, thread_key_mutex_init);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (!thread_key_initialized) {
-		LOCK(&thread_key_mutex);
-
-		if (!thread_key_initialized &&
-		    isc_thread_key_create(&irs_context_key,
-					  free_specific_context) != 0) {
-			result = ISC_R_FAILURE;
-		} else
-			thread_key_initialized = ISC_TRUE;
-
-		UNLOCK(&thread_key_mutex);
-	}
-
-	return (result);
-}
-#endif /* ISC_PLATFORM_USETHREADS */
-
-isc_result_t
-irs_context_get(irs_context_t **contextp) {
-	irs_context_t *context;
-	isc_result_t result;
-
-	REQUIRE(contextp != NULL && *contextp == NULL);
-
-#ifndef ISC_PLATFORM_USETHREADS
-	if (irs_g_context == NULL) {
-		result = irs_context_create(&irs_g_context);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	context = irs_g_context;
-#else
-	result = thread_key_init();
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	context = isc_thread_key_getspecific(irs_context_key);
-	if (context == NULL) {
-		result = irs_context_create(&context);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = isc_thread_key_setspecific(irs_context_key, context);
-		if (result != ISC_R_SUCCESS) {
-			irs_context_destroy(&context);
-			return (result);
-		}
-	}
-#endif /* ISC_PLATFORM_USETHREADS */
-
-	*contextp = context;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-irs_context_create(irs_context_t **contextp) {
-	isc_result_t result;
-	irs_context_t *context;
-	isc_appctx_t *actx = NULL;
-	isc_mem_t *mctx = NULL;
-	isc_taskmgr_t *taskmgr = NULL;
-	isc_socketmgr_t *socketmgr = NULL;
-	isc_timermgr_t *timermgr = NULL;
-	dns_client_t *client = NULL;
-	isc_sockaddrlist_t *nameservers;
-	irs_dnsconf_dnskeylist_t *trustedkeys;
-	irs_dnsconf_dnskey_t *trustedkey;
-
-	isc_lib_register();
-	result = dns_lib_init();
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = isc_app_ctxstart(actx);
-	if (result != ISC_R_SUCCESS) {
-		ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
-		return (result);
-	}
-
-	context = isc_mem_get(mctx, sizeof(*context));
-	if (context == NULL) {
-		ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
-		return (ISC_R_NOMEMORY);
-	}
-
-	context->mctx = mctx;
-	context->actx = actx;
-	context->taskmgr = taskmgr;
-	context->socketmgr = socketmgr;
-	context->timermgr = timermgr;
-	context->resconf = NULL;
-	context->dnsconf = NULL;
-	context->task = NULL;
-	result = isc_task_create(taskmgr, 0, &context->task);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	/* Create a DNS client object */
-	result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
-				    0, &client);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	context->dnsclient = client;
-
-	/* Read resolver configuration file */
-	result = irs_resconf_load(mctx, RESOLV_CONF, &context->resconf);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	/* Set nameservers */
-	nameservers = irs_resconf_getnameservers(context->resconf);
-	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
-				       nameservers);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-
-	/* Read advanced DNS configuration (if any) */
-	result = irs_dnsconf_load(mctx, DNS_CONF, &context->dnsconf);
-	if (result != ISC_R_SUCCESS)
-		goto fail;
-	trustedkeys = irs_dnsconf_gettrustedkeys(context->dnsconf);
-	for (trustedkey = ISC_LIST_HEAD(*trustedkeys);
-	     trustedkey != NULL;
-	     trustedkey = ISC_LIST_NEXT(trustedkey, link)) {
-		result = dns_client_addtrustedkey(client, dns_rdataclass_in,
-						  trustedkey->keyname,
-						  trustedkey->keydatabuf);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
-	}
-
-	context->magic = IRS_CONTEXT_MAGIC;
-	*contextp = context;
-
-	return (ISC_R_SUCCESS);
-
-  fail:
-	if (context->task != NULL)
-		isc_task_detach(&context->task);
-	if (context->resconf != NULL)
-		irs_resconf_destroy(&context->resconf);
-	if (context->dnsconf != NULL)
-		irs_dnsconf_destroy(&context->dnsconf);
-	if (client != NULL)
-		dns_client_destroy(&client);
-	ctxs_destroy(NULL, &actx, &taskmgr, &socketmgr, &timermgr);
-	isc_mem_putanddetach(&mctx, context, sizeof(*context));
-
-	return (result);
-}
-
-void
-irs_context_destroy(irs_context_t **contextp) {
-	irs_context_t *context;
-
-	REQUIRE(contextp != NULL);
-	context = *contextp;
-	REQUIRE(IRS_CONTEXT_VALID(context));
-
-	isc_task_detach(&context->task);
-	irs_dnsconf_destroy(&context->dnsconf);
-	irs_resconf_destroy(&context->resconf);
-	dns_client_destroy(&context->dnsclient);
-
-	ctxs_destroy(NULL, &context->actx, &context->taskmgr,
-		     &context->socketmgr, &context->timermgr);
-
-	context->magic = 0;
-
-	isc_mem_putanddetach(&context->mctx, context, sizeof(*context));
-
-	*contextp = NULL;
-
-#ifndef ISC_PLATFORM_USETHREADS
-	irs_g_context = NULL;
-#else
-	(void)isc_thread_key_setspecific(irs_context_key, NULL);
-#endif
-}
-
-isc_mem_t *
-irs_context_getmctx(irs_context_t *context) {
-	REQUIRE(IRS_CONTEXT_VALID(context));
-
-	return (context->mctx);
-}
-
-isc_appctx_t *
-irs_context_getappctx(irs_context_t *context) {
-	REQUIRE(IRS_CONTEXT_VALID(context));
-
-	return (context->actx);
-}
-
-isc_taskmgr_t *
-irs_context_gettaskmgr(irs_context_t *context) {
-	REQUIRE(IRS_CONTEXT_VALID(context));
-
-	return (context->taskmgr);
-}
-
-isc_timermgr_t *
-irs_context_gettimermgr(irs_context_t *context) {
-	REQUIRE(IRS_CONTEXT_VALID(context));
-
-	return (context->timermgr);
-}
-
-isc_task_t *
-irs_context_gettask(irs_context_t *context) {
-	REQUIRE(IRS_CONTEXT_VALID(context));
-
-	return (context->task);
-}
-
-dns_client_t *
-irs_context_getdnsclient(irs_context_t *context) {
-	REQUIRE(IRS_CONTEXT_VALID(context));
-
-	return (context->dnsclient);
-}
-
-irs_resconf_t *
-irs_context_getresconf(irs_context_t *context) {
-	REQUIRE(IRS_CONTEXT_VALID(context));
-
-	return (context->resconf);
-}
-
-irs_dnsconf_t *
-irs_context_getdnsconf(irs_context_t *context) {
-	REQUIRE(IRS_CONTEXT_VALID(context));
-
-	return (context->dnsconf);
-}
diff --git a/contrib/bind9/lib/irs/dnsconf.c b/contrib/bind9/lib/irs/dnsconf.c
deleted file mode 100644
index 529cebd..0000000
--- a/contrib/bind9/lib/irs/dnsconf.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/*
- * Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnsconf.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/util.h>
-
-#include <isccfg/dnsconf.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-
-#include <irs/dnsconf.h>
-
-#define IRS_DNSCONF_MAGIC		ISC_MAGIC('D', 'c', 'f', 'g')
-#define IRS_DNSCONF_VALID(c)		ISC_MAGIC_VALID(c, IRS_DNSCONF_MAGIC)
-
-/*!
- * configuration data structure
- */
-
-struct irs_dnsconf {
-	unsigned int magic;
-	isc_mem_t *mctx;
-	irs_dnsconf_dnskeylist_t trusted_keylist;
-};
-
-static isc_result_t
-configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
-		     dns_rdataclass_t rdclass)
-{
-	isc_mem_t *mctx = conf->mctx;
-	const cfg_obj_t *keys = NULL;
-	const cfg_obj_t *key, *keylist;
-	dns_fixedname_t fkeyname;
-	dns_name_t *keyname_base, *keyname;
-	const cfg_listelt_t *element, *element2;
-	isc_result_t result;
-	isc_uint32_t flags, proto, alg;
-	const char *keystr, *keynamestr;
-	unsigned char keydata[4096];
-	isc_buffer_t keydatabuf_base, *keydatabuf;
-	dns_rdata_dnskey_t keystruct;
-	unsigned char rrdata[4096];
-	isc_buffer_t rrdatabuf;
-	isc_region_t r;
-	isc_buffer_t namebuf;
-	irs_dnsconf_dnskey_t *keyent;
-
-	cfg_map_get(cfgobj, "trusted-keys", &keys);
-	if (keys == NULL)
-		return (ISC_R_SUCCESS);
-
-	for (element = cfg_list_first(keys);
-	     element != NULL;
-	     element = cfg_list_next(element)) {
-		keylist = cfg_listelt_value(element);
-		for (element2 = cfg_list_first(keylist);
-		     element2 != NULL;
-		     element2 = cfg_list_next(element2))
-		{
-			keydatabuf = NULL;
-			keyname = NULL;
-
-			key = cfg_listelt_value(element2);
-
-			flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
-			proto = cfg_obj_asuint32(cfg_tuple_get(key,
-							       "protocol"));
-			alg = cfg_obj_asuint32(cfg_tuple_get(key,
-							     "algorithm"));
-			keynamestr = cfg_obj_asstring(cfg_tuple_get(key,
-								    "name"));
-
-			keystruct.common.rdclass = rdclass;
-			keystruct.common.rdtype = dns_rdatatype_dnskey;
-			keystruct.mctx = NULL;
-			ISC_LINK_INIT(&keystruct.common, link);
-
-			if (flags > 0xffff)
-				return (ISC_R_RANGE);
-			if (proto > 0xff)
-				return (ISC_R_RANGE);
-			if (alg > 0xff)
-				return (ISC_R_RANGE);
-			keystruct.flags = (isc_uint16_t)flags;
-			keystruct.protocol = (isc_uint8_t)proto;
-			keystruct.algorithm = (isc_uint8_t)alg;
-
-			isc_buffer_init(&keydatabuf_base, keydata,
-					sizeof(keydata));
-			isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
-
-			/* Configure key value */
-			keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
-			result = isc_base64_decodestring(keystr,
-							 &keydatabuf_base);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			isc_buffer_usedregion(&keydatabuf_base, &r);
-			keystruct.datalen = r.length;
-			keystruct.data = r.base;
-
-			result = dns_rdata_fromstruct(NULL,
-						      keystruct.common.rdclass,
-						      keystruct.common.rdtype,
-						      &keystruct, &rrdatabuf);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			isc_buffer_usedregion(&rrdatabuf, &r);
-			result = isc_buffer_allocate(mctx, &keydatabuf,
-						     r.length);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			result = isc_buffer_copyregion(keydatabuf, &r);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-
-			/* Configure key name */
-			dns_fixedname_init(&fkeyname);
-			keyname_base = dns_fixedname_name(&fkeyname);
-			isc_buffer_constinit(&namebuf, keynamestr,
-					     strlen(keynamestr));
-			isc_buffer_add(&namebuf, strlen(keynamestr));
-			result = dns_name_fromtext(keyname_base, &namebuf,
-						   dns_rootname, 0, NULL);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-			keyname = isc_mem_get(mctx, sizeof(*keyname));
-			if (keyname == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-			dns_name_init(keyname, NULL);
-			result = dns_name_dup(keyname_base, mctx, keyname);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-
-			/* Add the key data to the list */
-			keyent = isc_mem_get(mctx, sizeof(*keyent));
-			if (keyent == NULL) {
-				dns_name_free(keyname, mctx);
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-			keyent->keyname = keyname;
-			keyent->keydatabuf = keydatabuf;
-
-			ISC_LIST_APPEND(conf->trusted_keylist, keyent, link);
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (keydatabuf != NULL)
-		isc_buffer_free(&keydatabuf);
-	if (keyname != NULL)
-		isc_mem_put(mctx, keyname, sizeof(*keyname));
-
-	return (result);
-}
-
-isc_result_t
-irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp)
-{
-	irs_dnsconf_t *conf;
-	cfg_parser_t *parser = NULL;
-	cfg_obj_t *cfgobj = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(confp != NULL && *confp == NULL);
-
-	conf = isc_mem_get(mctx, sizeof(*conf));
-	if (conf == NULL)
-		return (ISC_R_NOMEMORY);
-
-	conf->mctx = mctx;
-	ISC_LIST_INIT(conf->trusted_keylist);
-
-	/*
-	 * If the specified file does not exist, we'll simply with an empty
-	 * configuration.
-	 */
-	if (!isc_file_exists(filename))
-		goto cleanup;
-
-	result = cfg_parser_create(mctx, NULL, &parser);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = cfg_parse_file(parser, filename, &cfg_type_dnsconf,
-				&cfgobj);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	result = configure_dnsseckeys(conf, cfgobj, dns_rdataclass_in);
-
- cleanup:
-	if (parser != NULL) {
-		if (cfgobj != NULL)
-			cfg_obj_destroy(parser, &cfgobj);
-		cfg_parser_destroy(&parser);
-	}
-
-	conf->magic = IRS_DNSCONF_MAGIC;
-
-	if (result == ISC_R_SUCCESS)
-		*confp = conf;
-	else
-		irs_dnsconf_destroy(&conf);
-
-	return (result);
-}
-
-void
-irs_dnsconf_destroy(irs_dnsconf_t **confp) {
-	irs_dnsconf_t *conf;
-	irs_dnsconf_dnskey_t *keyent;
-
-	REQUIRE(confp != NULL);
-	conf = *confp;
-	REQUIRE(IRS_DNSCONF_VALID(conf));
-
-	while ((keyent = ISC_LIST_HEAD(conf->trusted_keylist)) != NULL) {
-		ISC_LIST_UNLINK(conf->trusted_keylist, keyent, link);
-
-		isc_buffer_free(&keyent->keydatabuf);
-		dns_name_free(keyent->keyname, conf->mctx);
-		isc_mem_put(conf->mctx, keyent->keyname, sizeof(dns_name_t));
-		isc_mem_put(conf->mctx, keyent, sizeof(*keyent));
-	}
-
-	isc_mem_put(conf->mctx, conf, sizeof(*conf));
-
-	*confp = NULL;
-}
-
-irs_dnsconf_dnskeylist_t *
-irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf) {
-	REQUIRE(IRS_DNSCONF_VALID(conf));
-
-	return (&conf->trusted_keylist);
-}
diff --git a/contrib/bind9/lib/irs/gai_strerror.c b/contrib/bind9/lib/irs/gai_strerror.c
deleted file mode 100644
index 2fe3941..0000000
--- a/contrib/bind9/lib/irs/gai_strerror.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gai_strerror.c,v 1.5 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file gai_strerror.c
- * gai_strerror() returns an error message corresponding to an
- * error code returned by getaddrinfo() and getnameinfo(). The following error
- * codes and their meaning are defined in
- * \link netdb.h include/irs/netdb.h.\endlink
- * This implementation is almost an exact copy of lwres/gai_sterror.c except
- * that it catches up the latest API standard, RFC3493.
- *
- * \li #EAI_ADDRFAMILY address family for hostname not supported
- * \li #EAI_AGAIN temporary failure in name resolution
- * \li #EAI_BADFLAGS invalid value for ai_flags
- * \li #EAI_FAIL non-recoverable failure in name resolution
- * \li #EAI_FAMILY ai_family not supported
- * \li #EAI_MEMORY memory allocation failure
- * \li #EAI_NODATA no address associated with hostname (obsoleted in RFC3493)
- * \li #EAI_NONAME hostname nor servname provided, or not known
- * \li #EAI_SERVICE servname not supported for ai_socktype
- * \li #EAI_SOCKTYPE ai_socktype not supported
- * \li #EAI_SYSTEM system error returned in errno
- * \li #EAI_BADHINTS Invalid value for hints (non-standard)
- * \li #EAI_PROTOCOL Resolved protocol is unknown (non-standard)
- * \li #EAI_OVERFLOW Argument buffer overflow
- * \li #EAI_INSECUREDATA Insecure Data (experimental)
- *
- * The message invalid error code is returned if ecode is out of range.
- *
- * ai_flags, ai_family and ai_socktype are elements of the struct
- * addrinfo used by lwres_getaddrinfo().
- *
- * \section gai_strerror_see See Also
- *
- * strerror(), getaddrinfo(), getnameinfo(), RFC3493.
- */
-#include <config.h>
-
-#include <irs/netdb.h>
-
-/*% Text of error messages. */
-static const char *gai_messages[] = {
-	"no error",
-	"address family for hostname not supported",
-	"temporary failure in name resolution",
-	"invalid value for ai_flags",
-	"non-recoverable failure in name resolution",
-	"ai_family not supported",
-	"memory allocation failure",
-	"no address associated with hostname",
-	"hostname nor servname provided, or not known",
-	"servname not supported for ai_socktype",
-	"ai_socktype not supported",
-	"system error returned in errno",
-	"bad hints",
-	"bad protocol",
-	"argument buffer overflow",
-	"insecure data provided"
-};
-
-/*%
- * Returns an error message corresponding to an error code returned by
- * getaddrinfo() and getnameinfo()
- */
-IRS_GAISTRERROR_RETURN_T
-gai_strerror(int ecode) {
-	union {
-		const char *const_ptr;
-		char *deconst_ptr;
-	} ptr;
-
-	if ((ecode < 0) ||
-	    (ecode >= (int)(sizeof(gai_messages)/sizeof(*gai_messages))))
-		ptr.const_ptr = "invalid error code";
-	else
-		ptr.const_ptr = gai_messages[ecode];
-	return (ptr.deconst_ptr);
-}
diff --git a/contrib/bind9/lib/irs/getaddrinfo.c b/contrib/bind9/lib/irs/getaddrinfo.c
deleted file mode 100644
index 1de540f..0000000
--- a/contrib/bind9/lib/irs/getaddrinfo.c
+++ /dev/null
@@ -1,1297 +0,0 @@
-/*
- * Copyright (C) 2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getaddrinfo.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-/**
- *    getaddrinfo() is used to get a list of IP addresses and port
- *    numbers for host hostname and service servname as defined in RFC3493.
- *    hostname and servname are pointers to null-terminated strings
- *    or NULL. hostname is either a host name or a numeric host address
- *    string: a dotted decimal IPv4 address or an IPv6 address. servname is
- *    either a decimal port number or a service name as listed in
- *    /etc/services.
- *
- *    If the operating system does not provide a struct addrinfo, the
- *    following structure is used:
- *
- * \code
- * struct  addrinfo {
- *         int             ai_flags;       // AI_PASSIVE, AI_CANONNAME
- *         int             ai_family;      // PF_xxx
- *         int             ai_socktype;    // SOCK_xxx
- *         int             ai_protocol;    // 0 or IPPROTO_xxx for IPv4 and IPv6
- *         size_t          ai_addrlen;     // length of ai_addr
- *         char            *ai_canonname;  // canonical name for hostname
- *         struct sockaddr *ai_addr;       // binary address
- *         struct addrinfo *ai_next;       // next structure in linked list
- * };
- * \endcode
- *
- *
- *    hints is an optional pointer to a struct addrinfo. This structure can
- *    be used to provide hints concerning the type of socket that the caller
- *    supports or wishes to use. The caller can supply the following
- *    structure elements in *hints:
- *
- * <ul>
- *    <li>ai_family:
- *           The protocol family that should be used. When ai_family is set
- *           to PF_UNSPEC, it means the caller will accept any protocol
- *           family supported by the operating system.</li>
- *
- *    <li>ai_socktype:
- *           denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
- *           SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
- *           will accept any socket type.</li>
- *
- *    <li>ai_protocol:
- *           indicates which transport protocol is wanted: IPPROTO_UDP or
- *           IPPROTO_TCP. If ai_protocol is zero the caller will accept any
- *           protocol.</li>
- *
- *    <li>ai_flags:
- *           Flag bits. If the AI_CANONNAME bit is set, a successful call to
- *           getaddrinfo() will return a null-terminated string
- *           containing the canonical name of the specified hostname in
- *           ai_canonname of the first addrinfo structure returned. Setting
- *           the AI_PASSIVE bit indicates that the returned socket address
- *           structure is intended for used in a call to bind(2). In this
- *           case, if the hostname argument is a NULL pointer, then the IP
- *           address portion of the socket address structure will be set to
- *           INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
- *           address.<br /><br />
- *
- *           When ai_flags does not set the AI_PASSIVE bit, the returned
- *           socket address structure will be ready for use in a call to
- *           connect(2) for a connection-oriented protocol or connect(2),
- *           sendto(2), or sendmsg(2) if a connectionless protocol was
- *           chosen. The IP address portion of the socket address structure
- *           will be set to the loopback address if hostname is a NULL
- *           pointer and AI_PASSIVE is not set in ai_flags.<br /><br />
- *
- *           If ai_flags is set to AI_NUMERICHOST it indicates that hostname
- *           should be treated as a numeric string defining an IPv4 or IPv6
- *           address and no name resolution should be attempted.
- * </li></ul>
- *
- *    All other elements of the struct addrinfo passed via hints must be
- *    zero.
- *
- *    A hints of NULL is treated as if the caller provided a struct addrinfo
- *    initialized to zero with ai_familyset to PF_UNSPEC.
- *
- *    After a successful call to getaddrinfo(), *res is a pointer to a
- *    linked list of one or more addrinfo structures. Each struct addrinfo
- *    in this list cn be processed by following the ai_next pointer, until a
- *    NULL pointer is encountered. The three members ai_family, ai_socktype,
- *    and ai_protocol in each returned addrinfo structure contain the
- *    corresponding arguments for a call to socket(2). For each addrinfo
- *    structure in the list, the ai_addr member points to a filled-in socket
- *    address structure of length ai_addrlen.
- *
- *    All of the information returned by getaddrinfo() is dynamically
- *    allocated: the addrinfo structures, and the socket address structures
- *    and canonical host name strings pointed to by the addrinfostructures.
- *    Memory allocated for the dynamically allocated structures created by a
- *    successful call to getaddrinfo() is released by freeaddrinfo().
- *    ai is a pointer to a struct addrinfo created by a call to getaddrinfo().
- *
- * \section irsreturn RETURN VALUES
- *
- *    getaddrinfo() returns zero on success or one of the error codes
- *    listed in gai_strerror() if an error occurs. If both hostname and
- *    servname are NULL getaddrinfo() returns #EAI_NONAME.
- *
- * \section irssee SEE ALSO
- *
- *    getaddrinfo(), freeaddrinfo(),
- *    gai_strerror(), RFC3493, getservbyname(3), connect(2),
- *    sendto(2), sendmsg(2), socket(2).
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-#include <isc/app.h>
-#include <isc/buffer.h>
-#include <isc/lib.h>
-#include <isc/mem.h>
-#include <isc/sockaddr.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/client.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-
-#include <irs/context.h>
-#include <irs/netdb.h>
-#include <irs/resconf.h>
-
-#define SA(addr)	((struct sockaddr *)(addr))
-#define SIN(addr)	((struct sockaddr_in *)(addr))
-#define SIN6(addr)	((struct sockaddr_in6 *)(addr))
-#define SLOCAL(addr)	((struct sockaddr_un *)(addr))
-
-/*! \struct addrinfo
- */
-static struct addrinfo
-	*ai_concat(struct addrinfo *ai1, struct addrinfo *ai2),
-	*ai_reverse(struct addrinfo *oai),
-	*ai_clone(struct addrinfo *oai, int family),
-	*ai_alloc(int family, int addrlen);
-#ifdef AF_LOCAL
-static int get_local(const char *name, int socktype, struct addrinfo **res);
-#endif
-
-static int
-resolve_name(int family, const char *hostname, int flags,
-	     struct addrinfo **aip, int socktype, int port);
-
-static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
-		    int socktype, int port);
-static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
-		    int socktype, int port);
-static void set_order(int, int (**)(const char *, int, struct addrinfo **,
-				    int, int));
-
-#define FOUND_IPV4	0x1
-#define FOUND_IPV6	0x2
-#define FOUND_MAX	2
-
-#define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
-/*%
- * Get a list of IP addresses and port numbers for host hostname and
- * service servname.
- */
-int
-getaddrinfo(const char *hostname, const char *servname,
-	    const struct addrinfo *hints, struct addrinfo **res)
-{
-	struct servent *sp;
-	const char *proto;
-	int family, socktype, flags, protocol;
-	struct addrinfo *ai, *ai_list;
-	int err = 0;
-	int port, i;
-	int (*net_order[FOUND_MAX+1])(const char *, int, struct addrinfo **,
-				      int, int);
-
-	if (hostname == NULL && servname == NULL)
-		return (EAI_NONAME);
-
-	proto = NULL;
-	if (hints != NULL) {
-		if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0)
-			return (EAI_BADFLAGS);
-		if (hints->ai_addrlen || hints->ai_canonname ||
-		    hints->ai_addr || hints->ai_next) {
-			errno = EINVAL;
-			return (EAI_SYSTEM);
-		}
-		family = hints->ai_family;
-		socktype = hints->ai_socktype;
-		protocol = hints->ai_protocol;
-		flags = hints->ai_flags;
-		switch (family) {
-		case AF_UNSPEC:
-			switch (hints->ai_socktype) {
-			case SOCK_STREAM:
-				proto = "tcp";
-				break;
-			case SOCK_DGRAM:
-				proto = "udp";
-				break;
-			}
-			break;
-		case AF_INET:
-		case AF_INET6:
-			switch (hints->ai_socktype) {
-			case 0:
-				break;
-			case SOCK_STREAM:
-				proto = "tcp";
-				break;
-			case SOCK_DGRAM:
-				proto = "udp";
-				break;
-			case SOCK_RAW:
-				break;
-			default:
-				return (EAI_SOCKTYPE);
-			}
-			break;
-#ifdef	AF_LOCAL
-		case AF_LOCAL:
-			switch (hints->ai_socktype) {
-			case 0:
-				break;
-			case SOCK_STREAM:
-				break;
-			case SOCK_DGRAM:
-				break;
-			default:
-				return (EAI_SOCKTYPE);
-			}
-			break;
-#endif
-		default:
-			return (EAI_FAMILY);
-		}
-	} else {
-		protocol = 0;
-		family = 0;
-		socktype = 0;
-		flags = 0;
-	}
-
-#ifdef	AF_LOCAL
-	/*!
-	 * First, deal with AF_LOCAL.  If the family was not set,
-	 * then assume AF_LOCAL if the first character of the
-	 * hostname/servname is '/'.
-	 */
-
-	if (hostname != NULL &&
-	    (family == AF_LOCAL || (family == 0 && *hostname == '/')))
-		return (get_local(hostname, socktype, res));
-
-	if (servname != NULL &&
-	    (family == AF_LOCAL || (family == 0 && *servname == '/')))
-		return (get_local(servname, socktype, res));
-#endif
-
-	/*
-	 * Ok, only AF_INET and AF_INET6 left.
-	 */
-	ai_list = NULL;
-
-	/*
-	 * First, look up the service name (port) if it was
-	 * requested.  If the socket type wasn't specified, then
-	 * try and figure it out.
-	 */
-	if (servname != NULL) {
-		char *e;
-
-		port = strtol(servname, &e, 10);
-		if (*e == '\0') {
-			if (socktype == 0)
-				return (EAI_SOCKTYPE);
-			if (port < 0 || port > 65535)
-				return (EAI_SERVICE);
-			port = htons((unsigned short) port);
-		} else {
-			sp = getservbyname(servname, proto);
-			if (sp == NULL)
-				return (EAI_SERVICE);
-			port = sp->s_port;
-			if (socktype == 0) {
-				if (strcmp(sp->s_proto, "tcp") == 0)
-					socktype = SOCK_STREAM;
-				else if (strcmp(sp->s_proto, "udp") == 0)
-					socktype = SOCK_DGRAM;
-			}
-		}
-	} else
-		port = 0;
-
-	/*
-	 * Next, deal with just a service name, and no hostname.
-	 * (we verified that one of them was non-null up above).
-	 */
-	if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
-		if (family == AF_INET || family == 0) {
-			ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
-			if (ai == NULL)
-				return (EAI_MEMORY);
-			ai->ai_socktype = socktype;
-			ai->ai_protocol = protocol;
-			SIN(ai->ai_addr)->sin_port = port;
-			ai->ai_next = ai_list;
-			ai_list = ai;
-		}
-
-		if (family == AF_INET6 || family == 0) {
-			ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
-			if (ai == NULL) {
-				freeaddrinfo(ai_list);
-				return (EAI_MEMORY);
-			}
-			ai->ai_socktype = socktype;
-			ai->ai_protocol = protocol;
-			SIN6(ai->ai_addr)->sin6_port = port;
-			ai->ai_next = ai_list;
-			ai_list = ai;
-		}
-
-		*res = ai_list;
-		return (0);
-	}
-
-	/*
-	 * If the family isn't specified or AI_NUMERICHOST specified, check
-	 * first to see if it is a numeric address.
-	 * Though the gethostbyname2() routine will recognize numeric addresses,
-	 * it will only recognize the format that it is being called for.  Thus,
-	 * a numeric AF_INET address will be treated by the AF_INET6 call as
-	 * a domain name, and vice versa.  Checking for both numerics here
-	 * avoids that.
-	 */
-	if (hostname != NULL &&
-	    (family == 0 || (flags & AI_NUMERICHOST) != 0)) {
-		char abuf[sizeof(struct in6_addr)];
-		char nbuf[NI_MAXHOST];
-		int addrsize, addroff;
-#ifdef IRS_HAVE_SIN6_SCOPE_ID
-		char *p, *ep;
-		char ntmp[NI_MAXHOST];
-		isc_uint32_t scopeid;
-#endif
-
-#ifdef IRS_HAVE_SIN6_SCOPE_ID
-		/*
-		 * Scope identifier portion.
-		 */
-		ntmp[0] = '\0';
-		if (strchr(hostname, '%') != NULL) {
-			strncpy(ntmp, hostname, sizeof(ntmp) - 1);
-			ntmp[sizeof(ntmp) - 1] = '\0';
-			p = strchr(ntmp, '%');
-			ep = NULL;
-
-			/*
-			 * Vendors may want to support non-numeric
-			 * scopeid around here.
-			 */
-
-			if (p != NULL)
-				scopeid = (isc_uint32_t)strtoul(p + 1,
-								&ep, 10);
-			if (p != NULL && ep != NULL && ep[0] == '\0')
-				*p = '\0';
-			else {
-				ntmp[0] = '\0';
-				scopeid = 0;
-			}
-		} else
-			scopeid = 0;
-#endif
-
-		if (inet_pton(AF_INET, hostname, (struct in_addr *)abuf)
-		    == 1) {
-			if (family == AF_INET6) {
-				/*
-				 * Convert to a V4 mapped address.
-				 */
-				struct in6_addr *a6 = (struct in6_addr *)abuf;
-				memcpy(&a6->s6_addr[12], &a6->s6_addr[0], 4);
-				memset(&a6->s6_addr[10], 0xff, 2);
-				memset(&a6->s6_addr[0], 0, 10);
-				goto inet6_addr;
-			}
-			addrsize = sizeof(struct in_addr);
-			addroff = (char *)(&SIN(0)->sin_addr) - (char *)0;
-			family = AF_INET;
-			goto common;
-#ifdef IRS_HAVE_SIN6_SCOPE_ID
-		} else if (ntmp[0] != '\0' &&
-			   inet_pton(AF_INET6, ntmp, abuf) == 1) {
-			if (family && family != AF_INET6)
-				return (EAI_NONAME);
-			addrsize = sizeof(struct in6_addr);
-			addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
-			family = AF_INET6;
-			goto common;
-#endif
-		} else if (inet_pton(AF_INET6, hostname, abuf) == 1) {
-			if (family != 0 && family != AF_INET6)
-				return (EAI_NONAME);
-		inet6_addr:
-			addrsize = sizeof(struct in6_addr);
-			addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
-			family = AF_INET6;
-
-		common:
-			ai = ai_alloc(family,
-				      ((family == AF_INET6) ?
-				       sizeof(struct sockaddr_in6) :
-				       sizeof(struct sockaddr_in)));
-			if (ai == NULL)
-				return (EAI_MEMORY);
-			ai_list = ai;
-			ai->ai_socktype = socktype;
-			SIN(ai->ai_addr)->sin_port = port;
-			memcpy((char *)ai->ai_addr + addroff, abuf, addrsize);
-			if ((flags & AI_CANONNAME) != 0) {
-#ifdef IRS_HAVE_SIN6_SCOPE_ID
-				if (ai->ai_family == AF_INET6)
-					SIN6(ai->ai_addr)->sin6_scope_id =
-						scopeid;
-#endif
-				if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
-						nbuf, sizeof(nbuf), NULL, 0,
-						NI_NUMERICHOST) == 0) {
-					ai->ai_canonname = strdup(nbuf);
-					if (ai->ai_canonname == NULL) {
-						freeaddrinfo(ai);
-						return (EAI_MEMORY);
-					}
-				} else {
-					/* XXX raise error? */
-					ai->ai_canonname = NULL;
-				}
-			}
-			goto done;
-		} else if ((flags & AI_NUMERICHOST) != 0) {
-			return (EAI_NONAME);
-		}
-	}
-
-	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
-		set_order(family, net_order);
-		for (i = 0; i < FOUND_MAX; i++) {
-			if (net_order[i] == NULL)
-				break;
-			err = (net_order[i])(hostname, flags, &ai_list,
-					     socktype, port);
-			if (err != 0) {
-				if (ai_list != NULL) {
-					freeaddrinfo(ai_list);
-					ai_list = NULL;
-				}
-				break;
-			}
-		}
-	} else
-		err = resolve_name(family, hostname, flags, &ai_list,
-				   socktype, port);
-
-	if (ai_list == NULL) {
-		if (err == 0)
-			err = EAI_NONAME;
-		return (err);
-	}
-
-done:
-	ai_list = ai_reverse(ai_list);
-
-	*res = ai_list;
-	return (0);
-}
-
-typedef struct gai_restrans {
-	dns_clientrestrans_t	*xid;
-	isc_boolean_t		is_inprogress;
-	int			error;
-	struct addrinfo		ai_sentinel;
-	struct gai_resstate	*resstate;
-} gai_restrans_t;
-
-typedef struct gai_resstate {
-	isc_mem_t			*mctx;
-	struct gai_statehead		*head;
-	dns_fixedname_t			fixedname;
-	dns_name_t			*qname;
-	gai_restrans_t			*trans4;
-	gai_restrans_t			*trans6;
-	ISC_LINK(struct gai_resstate)	link;
-} gai_resstate_t;
-
-typedef struct gai_statehead {
-	int				ai_family;
-	int				ai_flags;
-	int				ai_socktype;
-	int				ai_port;
-	isc_appctx_t			*actx;
-	dns_client_t			*dnsclient;
-	ISC_LIST(struct gai_resstate)	resstates;
-	unsigned int			activestates;
-} gai_statehead_t;
-
-static isc_result_t
-make_resstate(isc_mem_t *mctx, gai_statehead_t *head, const char *hostname,
-	      const char *domain, gai_resstate_t **statep)
-{
-	isc_result_t result;
-	gai_resstate_t *state;
-	dns_fixedname_t fixeddomain;
-	dns_name_t *qdomain;
-	size_t namelen;
-	isc_buffer_t b;
-	isc_boolean_t need_v4 = ISC_FALSE;
-	isc_boolean_t need_v6 = ISC_FALSE;
-
-	state = isc_mem_get(mctx, sizeof(*state));
-	if (state == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/* Construct base domain name */
-	namelen = strlen(domain);
-	isc_buffer_constinit(&b, domain, namelen);
-	isc_buffer_add(&b, namelen);
-	dns_fixedname_init(&fixeddomain);
-	qdomain = dns_fixedname_name(&fixeddomain);
-	result = dns_name_fromtext(qdomain, &b, dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, state, sizeof(*state));
-		return (result);
-	}
-
-	/* Construct query name */
-	namelen = strlen(hostname);
-	isc_buffer_constinit(&b, hostname, namelen);
-	isc_buffer_add(&b, namelen);
-	dns_fixedname_init(&state->fixedname);
-	state->qname = dns_fixedname_name(&state->fixedname);
-	result = dns_name_fromtext(state->qname, &b, qdomain, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, state, sizeof(*state));
-		return (result);
-	}
-
-	if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET)
-		need_v4 = ISC_TRUE;
-	if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET6)
-		need_v6 = ISC_TRUE;
-
-	state->trans6 = NULL;
-	state->trans4 = NULL;
-	if (need_v4) {
-		state->trans4 = isc_mem_get(mctx, sizeof(gai_restrans_t));
-		if (state->trans4 == NULL) {
-			isc_mem_put(mctx, state, sizeof(*state));
-			return (ISC_R_NOMEMORY);
-		}
-		state->trans4->error = 0;
-		state->trans4->xid = NULL;
-		state->trans4->resstate = state;
-		state->trans4->is_inprogress = ISC_TRUE;
-		state->trans4->ai_sentinel.ai_next = NULL;
-	}
-	if (need_v6) {
-		state->trans6 = isc_mem_get(mctx, sizeof(gai_restrans_t));
-		if (state->trans6 == NULL) {
-			if (state->trans4 != NULL)
-				isc_mem_put(mctx, state->trans4,
-					    sizeof(*state->trans4));
-			isc_mem_put(mctx, state, sizeof(*state));
-			return (ISC_R_NOMEMORY);
-		}
-		state->trans6->error = 0;
-		state->trans6->xid = NULL;
-		state->trans6->resstate = state;
-		state->trans6->is_inprogress = ISC_TRUE;
-		state->trans6->ai_sentinel.ai_next = NULL;
-	}
-
-	state->mctx = mctx;
-	state->head = head;
-	ISC_LINK_INIT(state, link);
-
-	*statep = state;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-make_resstates(isc_mem_t *mctx, const char *hostname, gai_statehead_t *head,
-	       irs_resconf_t *resconf)
-{
-	isc_result_t result;
-	irs_resconf_searchlist_t *searchlist;
-	irs_resconf_search_t *searchent;
-	gai_resstate_t *resstate, *resstate0;
-
-	resstate0 = NULL;
-	result = make_resstate(mctx, head, hostname, ".", &resstate0);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	searchlist = irs_resconf_getsearchlist(resconf);
-	for (searchent = ISC_LIST_HEAD(*searchlist); searchent != NULL;
-	     searchent = ISC_LIST_NEXT(searchent, link)) {
-		resstate = NULL;
-		result = make_resstate(mctx, head, hostname,
-				       (const char *)searchent->domain,
-				       &resstate);
-		if (result != ISC_R_SUCCESS)
-			break;
-
-		ISC_LIST_APPEND(head->resstates, resstate, link);
-		head->activestates++;
-	}
-
-	/*
-	 * Insert the original hostname either at the head or the tail of the
-	 * state list, depending on the number of labels contained in the
-	 * original name and the 'ndots' configuration parameter.
-	 */
-	if (dns_name_countlabels(resstate0->qname) >
-	    irs_resconf_getndots(resconf) + 1) {
-		ISC_LIST_PREPEND(head->resstates, resstate0, link);
-	} else
-		ISC_LIST_APPEND(head->resstates, resstate0, link);
-	head->activestates++;
-
-	if (result != ISC_R_SUCCESS) {
-		while ((resstate = ISC_LIST_HEAD(head->resstates)) != NULL) {
-			ISC_LIST_UNLINK(head->resstates, resstate, link);
-			if (resstate->trans4 != NULL) {
-				isc_mem_put(mctx, resstate->trans4,
-					    sizeof(*resstate->trans4));
-			}
-			if (resstate->trans6 != NULL) {
-				isc_mem_put(mctx, resstate->trans6,
-					    sizeof(*resstate->trans6));
-			}
-
-			isc_mem_put(mctx, resstate, sizeof(*resstate));
-		}
-	}
-
-	return (result);
-}
-
-static void
-process_answer(isc_task_t *task, isc_event_t *event) {
-	int error = 0, family;
-	gai_restrans_t *trans = event->ev_arg;
-	gai_resstate_t *resstate;
-	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
-	dns_rdatatype_t qtype;
-	dns_name_t *name;
-
-	REQUIRE(trans != NULL);
-	resstate = trans->resstate;
-	REQUIRE(resstate != NULL);
-	REQUIRE(task != NULL);
-
-	if (trans == resstate->trans4) {
-		family = AF_INET;
-		qtype = dns_rdatatype_a;
-	} else {
-		INSIST(trans == resstate->trans6);
-		family = AF_INET6;
-		qtype = dns_rdatatype_aaaa;
-	}
-
-	INSIST(trans->is_inprogress);
-	trans->is_inprogress = ISC_FALSE;
-
-	switch (rev->result) {
-	case ISC_R_SUCCESS:
-	case DNS_R_NCACHENXDOMAIN: /* treat this as a fatal error? */
-	case DNS_R_NCACHENXRRSET:
-		break;
-	default:
-		switch (rev->vresult) {
-		case DNS_R_SIGINVALID:
-		case DNS_R_SIGEXPIRED:
-		case DNS_R_SIGFUTURE:
-		case DNS_R_KEYUNAUTHORIZED:
-		case DNS_R_MUSTBESECURE:
-		case DNS_R_COVERINGNSEC:
-		case DNS_R_NOTAUTHORITATIVE:
-		case DNS_R_NOVALIDKEY:
-		case DNS_R_NOVALIDDS:
-		case DNS_R_NOVALIDSIG:
-			error = EAI_INSECUREDATA;
-			break;
-		default:
-			error = EAI_FAIL;
-		}
-		goto done;
-	}
-
-	/* Parse the response and construct the addrinfo chain */
-	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
-	     name = ISC_LIST_NEXT(name, link)) {
-		isc_result_t result;
-		dns_rdataset_t *rdataset;
-		isc_buffer_t b;
-		isc_region_t r;
-		char t[1024];
-
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-			if (!dns_rdataset_isassociated(rdataset))
-				continue;
-			if (rdataset->type != qtype)
-				continue;
-
-			if ((resstate->head->ai_flags & AI_CANONNAME) != 0) {
-				isc_buffer_init(&b, t, sizeof(t));
-				result = dns_name_totext(name, ISC_TRUE, &b);
-				if (result != ISC_R_SUCCESS) {
-					error = EAI_FAIL;
-					goto done;
-				}
-				isc_buffer_putuint8(&b, '\0');
-				isc_buffer_usedregion(&b, &r);
-			}
-
-			for (result = dns_rdataset_first(rdataset);
-			     result == ISC_R_SUCCESS;
-			     result = dns_rdataset_next(rdataset)) {
-				struct addrinfo *ai;
-				dns_rdata_t rdata;
-				dns_rdata_in_a_t rdata_a;
-				dns_rdata_in_aaaa_t rdata_aaaa;
-
-				ai = ai_alloc(family,
-					      ((family == AF_INET6) ?
-					       sizeof(struct sockaddr_in6) :
-					       sizeof(struct sockaddr_in)));
-				if (ai == NULL) {
-					error = EAI_MEMORY;
-					goto done;
-				}
-				ai->ai_socktype = resstate->head->ai_socktype;
-				ai->ai_next = trans->ai_sentinel.ai_next;
-				trans->ai_sentinel.ai_next = ai;
-
-				/*
-				 * Set AF-specific parameters
-				 * (IPv4/v6 address/port)
-				 */
-				dns_rdata_init(&rdata);
-				switch (family) {
-				case AF_INET:
-					dns_rdataset_current(rdataset, &rdata);
-					result = dns_rdata_tostruct(&rdata, &rdata_a,
-								    NULL);
-					RUNTIME_CHECK(result == ISC_R_SUCCESS);
-					SIN(ai->ai_addr)->sin_port =
-						resstate->head->ai_port;
-					memcpy(&SIN(ai->ai_addr)->sin_addr,
-					       &rdata_a.in_addr, 4);
-					dns_rdata_freestruct(&rdata_a);
-					break;
-				case AF_INET6:
-					dns_rdataset_current(rdataset, &rdata);
-					result = dns_rdata_tostruct(&rdata, &rdata_aaaa,
-								    NULL);
-					RUNTIME_CHECK(result == ISC_R_SUCCESS);
-					SIN6(ai->ai_addr)->sin6_port =
-						resstate->head->ai_port;
-					memcpy(&SIN6(ai->ai_addr)->sin6_addr,
-					       &rdata_aaaa.in6_addr, 16);
-					dns_rdata_freestruct(&rdata_aaaa);
-					break;
-				}
-
-				if ((resstate->head->ai_flags & AI_CANONNAME)
-				    != 0) {
-					ai->ai_canonname =
-						strdup((const char *)r.base);
-					if (ai->ai_canonname == NULL) {
-						error = EAI_MEMORY;
-						goto done;
-					}
-				}
-			}
-		}
-	}
-
- done:
-	dns_client_freeresanswer(resstate->head->dnsclient, &rev->answerlist);
-	dns_client_destroyrestrans(&trans->xid);
-
-	isc_event_free(&event);
-
-	/* Make sure that error == 0 iff we have a non-empty list */
-	if (error == 0) {
-		if (trans->ai_sentinel.ai_next == NULL)
-			error = EAI_NONAME;
-	} else {
-		if (trans->ai_sentinel.ai_next != NULL) {
-			freeaddrinfo(trans->ai_sentinel.ai_next);
-			trans->ai_sentinel.ai_next = NULL;
-		}
-	}
-	trans->error = error;
-
-	/* Check whether we are done */
-	if ((resstate->trans4 == NULL || !resstate->trans4->is_inprogress) &&
-	    (resstate->trans6 == NULL || !resstate->trans6->is_inprogress)) {
-		/*
-		 * We're done for this state.  If there is no other outstanding
-		 * state, we can exit.
-		 */
-		resstate->head->activestates--;
-		if (resstate->head->activestates == 0) {
-			isc_app_ctxsuspend(resstate->head->actx);
-			return;
-		}
-
-		/*
-		 * There are outstanding states, but if we are at the head
-		 * of the state list (i.e., at the highest search priority)
-		 * and have any answer, we can stop now by canceling the
-		 * others.
-		 */
-		if (resstate == ISC_LIST_HEAD(resstate->head->resstates)) {
-			if ((resstate->trans4 != NULL &&
-			     resstate->trans4->ai_sentinel.ai_next != NULL) ||
-			    (resstate->trans6 != NULL &&
-			     resstate->trans6->ai_sentinel.ai_next != NULL)) {
-				gai_resstate_t *rest;
-
-				for (rest = ISC_LIST_NEXT(resstate, link);
-				     rest != NULL;
-				     rest = ISC_LIST_NEXT(rest, link)) {
-					if (rest->trans4 != NULL &&
-					    rest->trans4->xid != NULL)
-						dns_client_cancelresolve(
-							rest->trans4->xid);
-					if (rest->trans6 != NULL &&
-					    rest->trans6->xid != NULL)
-						dns_client_cancelresolve(
-							rest->trans6->xid);
-				}
-			} else {
-				/*
-				 * This search fails, so we move to the tail
-				 * of the list so that the next entry will
-				 * have the highest priority.
-				 */
-				ISC_LIST_UNLINK(resstate->head->resstates,
-						resstate, link);
-				ISC_LIST_APPEND(resstate->head->resstates,
-						resstate, link);
-			}
-		}
-	}
-}
-
-static int
-resolve_name(int family, const char *hostname, int flags,
-	     struct addrinfo **aip, int socktype, int port)
-{
-	isc_result_t result;
-	irs_context_t *irsctx;
-	irs_resconf_t *conf;
-	isc_mem_t *mctx;
-	isc_appctx_t *actx;
-	isc_task_t *task;
-	int terror = 0;
-	int error = 0;
-	dns_client_t *client;
-	gai_resstate_t *resstate;
-	gai_statehead_t head;
-	isc_boolean_t all_fail = ISC_TRUE;
-
-	/* get IRS context and the associated parameters */
-	irsctx = NULL;
-	result = irs_context_get(&irsctx);
-	if (result != ISC_R_SUCCESS)
-		return (EAI_FAIL);
-	actx = irs_context_getappctx(irsctx);
-
-	mctx = irs_context_getmctx(irsctx);
-	task = irs_context_gettask(irsctx);
-	conf = irs_context_getresconf(irsctx);
-	client = irs_context_getdnsclient(irsctx);
-
-	/* construct resolution states */
-	head.activestates = 0;
-	head.ai_family = family;
-	head.ai_socktype = socktype;
-	head.ai_flags = flags;
-	head.ai_port = port;
-	head.actx = actx;
-	head.dnsclient = client;
-	ISC_LIST_INIT(head.resstates);
-	result = make_resstates(mctx, hostname, &head, conf);
-	if (result != ISC_R_SUCCESS)
-		return (EAI_FAIL);
-
-	for (resstate = ISC_LIST_HEAD(head.resstates);
-	     resstate != NULL; resstate = ISC_LIST_NEXT(resstate, link)) {
-		if (resstate->trans4 != NULL) {
-			result = dns_client_startresolve(client,
-							 resstate->qname,
-							 dns_rdataclass_in,
-							 dns_rdatatype_a,
-							 0, task,
-							 process_answer,
-							 resstate->trans4,
-							 &resstate->trans4->xid);
-			if (result == ISC_R_SUCCESS) {
-				resstate->trans4->is_inprogress = ISC_TRUE;
-				all_fail = ISC_FALSE;
-			} else
-				resstate->trans4->is_inprogress = ISC_FALSE;
-		}
-		if (resstate->trans6 != NULL) {
-			result = dns_client_startresolve(client,
-							 resstate->qname,
-							 dns_rdataclass_in,
-							 dns_rdatatype_aaaa,
-							 0, task,
-							 process_answer,
-							 resstate->trans6,
-							 &resstate->trans6->xid);
-			if (result == ISC_R_SUCCESS) {
-				resstate->trans6->is_inprogress = ISC_TRUE;
-				all_fail = ISC_FALSE;
-			} else
-				resstate->trans6->is_inprogress= ISC_FALSE;
-		}
-	}
-	if (!all_fail) {
-		/* Start all the events */
-		isc_app_ctxrun(actx);
-	} else
-		error = EAI_FAIL;
-
-	/* Cleanup */
-	while ((resstate = ISC_LIST_HEAD(head.resstates)) != NULL) {
-		int terror4 = 0, terror6 = 0;
-
-		ISC_LIST_UNLINK(head.resstates, resstate, link);
-
-		if (*aip == NULL) {
-			struct addrinfo *sentinel4 = NULL;
-			struct addrinfo *sentinel6 = NULL;
-
-			if (resstate->trans4 != NULL) {
-				sentinel4 =
-					resstate->trans4->ai_sentinel.ai_next;
-				resstate->trans4->ai_sentinel.ai_next = NULL;
-			}
-			if (resstate->trans6 != NULL) {
-				sentinel6 =
-					resstate->trans6->ai_sentinel.ai_next;
-				resstate->trans6->ai_sentinel.ai_next = NULL;
-			}
-			*aip = ai_concat(sentinel4, sentinel6);
-		}
-
-		if (resstate->trans4 != NULL) {
-			INSIST(resstate->trans4->xid == NULL);
-			terror4 = resstate->trans4->error;
-			isc_mem_put(mctx, resstate->trans4,
-				    sizeof(*resstate->trans4));
-		}
-		if (resstate->trans6 != NULL) {
-			INSIST(resstate->trans6->xid == NULL);
-			terror6 = resstate->trans6->error;
-			isc_mem_put(mctx, resstate->trans6,
-				    sizeof(*resstate->trans6));
-		}
-
-		/*
-		 * If the entire lookup fails, we need to choose an appropriate
-		 * error code from individual codes.  We'll try to provide as
-		 * specific a code as possible.  In general, we are going to
-		 * find an error code other than EAI_NONAME (which is too
-		 * generic and may actually not be problematic in some cases).
-		 * EAI_NONAME will be set below if no better code is found.
-		 */
-		if (terror == 0 || terror == EAI_NONAME) {
-			if (terror4 != 0 && terror4 != EAI_NONAME)
-				terror = terror4;
-			else if (terror6 != 0 && terror6 != EAI_NONAME)
-				terror = terror6;
-		}
-
-		isc_mem_put(mctx, resstate, sizeof(*resstate));
-	}
-
-	if (*aip == NULL) {
-		error = terror;
-		if (error == 0)
-			error = EAI_NONAME;
-	}
-
-#if 1	/*  XXX: enabled for finding leaks.  should be cleaned up later. */
-	isc_app_ctxfinish(actx);
-	irs_context_destroy(&irsctx);
-#endif
-
-	return (error);
-}
-
-static char *
-irs_strsep(char **stringp, const char *delim) {
-	char *string = *stringp;
-	char *s;
-	const char *d;
-	char sc, dc;
-
-	if (string == NULL)
-		return (NULL);
-
-	for (s = string; *s != '\0'; s++) {
-		sc = *s;
-		for (d = delim; (dc = *d) != '\0'; d++)
-			if (sc == dc) {
-				*s++ = '\0';
-				*stringp = s;
-				return (string);
-			}
-	}
-	*stringp = NULL;
-	return (string);
-}
-
-static void
-set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
-					int, int))
-{
-	char *order, *tok;
-	int found;
-
-	if (family) {
-		switch (family) {
-		case AF_INET:
-			*net_order++ = add_ipv4;
-			break;
-		case AF_INET6:
-			*net_order++ = add_ipv6;
-			break;
-		}
-	} else {
-		order = getenv("NET_ORDER");
-		found = 0;
-		while (order != NULL) {
-			/*
-			 * We ignore any unknown names.
-			 */
-			tok = irs_strsep(&order, ":");
-			if (strcasecmp(tok, "inet6") == 0) {
-				if ((found & FOUND_IPV6) == 0)
-					*net_order++ = add_ipv6;
-				found |= FOUND_IPV6;
-			} else if (strcasecmp(tok, "inet") == 0 ||
-			    strcasecmp(tok, "inet4") == 0) {
-				if ((found & FOUND_IPV4) == 0)
-					*net_order++ = add_ipv4;
-				found |= FOUND_IPV4;
-			}
-		}
-
-		/*
-		 * Add in anything that we didn't find.
-		 */
-		if ((found & FOUND_IPV4) == 0)
-			*net_order++ = add_ipv4;
-		if ((found & FOUND_IPV6) == 0)
-			*net_order++ = add_ipv6;
-	}
-	*net_order = NULL;
-	return;
-}
-
-static char v4_loop[4] = { 127, 0, 0, 1 };
-
-static int
-add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
-	 int socktype, int port)
-{
-	struct addrinfo *ai;
-
-	UNUSED(hostname);
-	UNUSED(flags);
-
-	ai = ai_clone(*aip, AF_INET); /* don't use ai_clone() */
-	if (ai == NULL) {
-		freeaddrinfo(*aip);
-		return (EAI_MEMORY);
-	}
-
-	*aip = ai;
-	ai->ai_socktype = socktype;
-	SIN(ai->ai_addr)->sin_port = port;
-	memcpy(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
-
-	return (0);
-}
-
-static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
-
-static int
-add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
-	 int socktype, int port)
-{
-	struct addrinfo *ai;
-
-	UNUSED(hostname);
-	UNUSED(flags);
-
-	ai = ai_clone(*aip, AF_INET6); /* don't use ai_clone() */
-	if (ai == NULL)
-		return (EAI_MEMORY);
-
-	*aip = ai;
-	ai->ai_socktype = socktype;
-	SIN6(ai->ai_addr)->sin6_port = port;
-	memcpy(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
-
-	return (0);
-}
-
-/*% Free address info. */
-void
-freeaddrinfo(struct addrinfo *ai) {
-	struct addrinfo *ai_next;
-
-	while (ai != NULL) {
-		ai_next = ai->ai_next;
-		if (ai->ai_addr != NULL)
-			free(ai->ai_addr);
-		if (ai->ai_canonname)
-			free(ai->ai_canonname);
-		free(ai);
-		ai = ai_next;
-	}
-}
-
-#ifdef AF_LOCAL
-static int
-get_local(const char *name, int socktype, struct addrinfo **res) {
-	struct addrinfo *ai;
-	struct sockaddr_un *slocal;
-
-	if (socktype == 0)
-		return (EAI_SOCKTYPE);
-
-	ai = ai_alloc(AF_LOCAL, sizeof(*slocal));
-	if (ai == NULL)
-		return (EAI_MEMORY);
-
-	slocal = SLOCAL(ai->ai_addr);
-	strlcpy(slocal->sun_path, name, sizeof(slocal->sun_path));
-
-	ai->ai_socktype = socktype;
-	/*
-	 * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
-	 * and ai->ai_next were initialized to zero.
-	 */
-
-	*res = ai;
-	return (0);
-}
-#endif
-
-/*!
- * Allocate an addrinfo structure, and a sockaddr structure
- * of the specificed length.  We initialize:
- *	ai_addrlen
- *	ai_family
- *	ai_addr
- *	ai_addr->sa_family
- *	ai_addr->sa_len	(IRS_PLATFORM_HAVESALEN)
- * and everything else is initialized to zero.
- */
-static struct addrinfo *
-ai_alloc(int family, int addrlen) {
-	struct addrinfo *ai;
-
-	ai = (struct addrinfo *)calloc(1, sizeof(*ai));
-	if (ai == NULL)
-		return (NULL);
-
-	ai->ai_addr = SA(calloc(1, addrlen));
-	if (ai->ai_addr == NULL) {
-		free(ai);
-		return (NULL);
-	}
-	ai->ai_addrlen = addrlen;
-	ai->ai_family = family;
-	ai->ai_addr->sa_family = family;
-#ifdef IRS_PLATFORM_HAVESALEN
-	ai->ai_addr->sa_len = addrlen;
-#endif
-	return (ai);
-}
-
-static struct addrinfo *
-ai_clone(struct addrinfo *oai, int family) {
-	struct addrinfo *ai;
-
-	ai = ai_alloc(family, ((family == AF_INET6) ?
-	    sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)));
-
-	if (ai == NULL) {
-		if (oai != NULL)
-			freeaddrinfo(oai);
-		return (NULL);
-	}
-	if (oai == NULL)
-		return (ai);
-
-	ai->ai_flags = oai->ai_flags;
-	ai->ai_socktype = oai->ai_socktype;
-	ai->ai_protocol = oai->ai_protocol;
-	ai->ai_canonname = NULL;
-	ai->ai_next = oai;
-	return (ai);
-}
-
-static struct addrinfo *
-ai_reverse(struct addrinfo *oai) {
-	struct addrinfo *nai, *tai;
-
-	nai = NULL;
-
-	while (oai != NULL) {
-		/*
-		 * Grab one off the old list.
-		 */
-		tai = oai;
-		oai = oai->ai_next;
-		/*
-		 * Put it on the front of the new list.
-		 */
-		tai->ai_next = nai;
-		nai = tai;
-	}
-	return (nai);
-}
-
-
-static struct addrinfo *
-ai_concat(struct addrinfo *ai1, struct addrinfo *ai2) {
-	struct addrinfo *ai_tmp;
-
-	if (ai1 == NULL)
-		return (ai2);
-	else if (ai2 == NULL)
-		return (ai1);
-
-	for (ai_tmp = ai1; ai_tmp != NULL && ai_tmp->ai_next != NULL;
-	     ai_tmp = ai_tmp->ai_next)
-		;
-
-	ai_tmp->ai_next = ai2;
-
-	return (ai1);
-}
diff --git a/contrib/bind9/lib/irs/getnameinfo.c b/contrib/bind9/lib/irs/getnameinfo.c
deleted file mode 100644
index 526ad09..0000000
--- a/contrib/bind9/lib/irs/getnameinfo.c
+++ /dev/null
@@ -1,409 +0,0 @@
-/*
- * Copyright (C) 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/**
- *    getnameinfo() returns the hostname for the struct sockaddr sa which is
- *    salen bytes long. The hostname is of length hostlen and is returned via
- *    *host. The maximum length of the hostname is 1025 bytes: #NI_MAXHOST.
- *
- *    The name of the service associated with the port number in sa is
- *    returned in *serv. It is servlen bytes long. The maximum length of the
- *    service name is #NI_MAXSERV - 32 bytes.
- *
- *    The flags argument sets the following bits:
- *
- * \li   #NI_NOFQDN:
- *           A fully qualified domain name is not required for local hosts.
- *           The local part of the fully qualified domain name is returned
- *           instead.
- *
- * \li   #NI_NUMERICHOST
- *           Return the address in numeric form, as if calling inet_ntop(),
- *           instead of a host name.
- *
- * \li   #NI_NAMEREQD
- *           A name is required. If the hostname cannot be found in the DNS
- *           and this flag is set, a non-zero error code is returned. If the
- *           hostname is not found and the flag is not set, the address is
- *           returned in numeric form.
- *
- * \li   #NI_NUMERICSERV
- *           The service name is returned as a digit string representing the
- *           port number.
- *
- * \li   #NI_DGRAM
- *           Specifies that the service being looked up is a datagram
- *           service, and causes getservbyport() to be called with a second
- *           argument of "udp" instead of its default of "tcp". This is
- *           required for the few ports (512-514) that have different
- *           services for UDP and TCP.
- *
- * \section getnameinfo_return Return Values
- *
- *    getnameinfo() returns 0 on success or a non-zero error code if
- *    an error occurs.
- *
- * \section getname_see See Also
- *
- *    RFC3493, getservbyport(),
- *    getnamebyaddr(). inet_ntop().
- */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <dns/byaddr.h>
-#include <dns/client.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-
-#include <irs/context.h>
-#include <irs/netdb.h>
-
-#define SUCCESS 0
-
-/*% afd structure definition */
-static struct afd {
-	int a_af;
-	size_t a_addrlen;
-	size_t a_socklen;
-} afdl [] = {
-	/*!
-	 * First entry is linked last...
-	 */
-	{ AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
-	{ AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
-	{0, 0, 0},
-};
-
-/*!
- * The test against 0 is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define ERR(code) \
-	do { result = (code);			\
-		if (result != 0) goto cleanup;	\
-	} while (0)
-
-int
-getnameinfo(const struct sockaddr *sa, socklen_t salen, char *host,
-	    IRS_GETNAMEINFO_BUFLEN_T hostlen, char *serv,
-	    IRS_GETNAMEINFO_BUFLEN_T servlen, IRS_GETNAMEINFO_FLAGS_T flags)
-{
-	struct afd *afd = NULL;
-	struct servent *sp;
-	unsigned short port = 0;
-#ifdef IRS_PLATFORM_HAVESALEN
-	size_t len;
-#endif
-	int family, i;
-	const void *addr = NULL;
-	char *p;
-#if 0
-	unsigned long v4a;
-	unsigned char pfx;
-#endif
-	char numserv[sizeof("65000")];
-	char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255")
-		    + 1 + sizeof("4294967295")];
-	const char *proto;
-	int result = SUCCESS;
-
-	if (sa == NULL)
-		ERR(EAI_FAIL);
-
-#ifdef IRS_PLATFORM_HAVESALEN
-	len = sa->sa_len;
-	if (len != salen)
-		ERR(EAI_FAIL);
-#endif
-
-	family = sa->sa_family;
-	for (i = 0; afdl[i].a_af; i++)
-		if (afdl[i].a_af == family) {
-			afd = &afdl[i];
-			goto found;
-		}
-	ERR(EAI_FAMILY);
-
- found:
-	if (salen != afd->a_socklen)
-		ERR(EAI_FAIL);
-
-	switch (family) {
-	case AF_INET:
-		port = ((const struct sockaddr_in *)sa)->sin_port;
-		addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
-		break;
-
-	case AF_INET6:
-		port = ((const struct sockaddr_in6 *)sa)->sin6_port;
-		addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
-		break;
-
-	default:
-		INSIST(0);
-	}
-	proto = (flags & NI_DGRAM) ? "udp" : "tcp";
-
-	if (serv == NULL || servlen == 0U) {
-		/*
-		 * Caller does not want service.
-		 */
-	} else if ((flags & NI_NUMERICSERV) != 0 ||
-		   (sp = getservbyport(port, proto)) == NULL) {
-		snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
-		if ((strlen(numserv) + 1) > servlen)
-			ERR(EAI_OVERFLOW);
-		strcpy(serv, numserv);
-	} else {
-		if ((strlen(sp->s_name) + 1) > servlen)
-			ERR(EAI_OVERFLOW);
-		strcpy(serv, sp->s_name);
-	}
-
-#if 0
-	switch (sa->sa_family) {
-	case AF_INET:
-		v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
-		if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
-			flags |= NI_NUMERICHOST;
-		v4a >>= IN_CLASSA_NSHIFT;
-		if (v4a == 0 || v4a == IN_LOOPBACKNET)
-			flags |= NI_NUMERICHOST;
-		break;
-
-	case AF_INET6:
-		pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
-		if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
-			flags |= NI_NUMERICHOST;
-		break;
-	}
-#endif
-
-	if (host == NULL || hostlen == 0U) {
-		/*
-		 * do nothing in this case.
-		 * in case you are wondering if "&&" is more correct than
-		 * "||" here: RFC3493 says that host == NULL or hostlen == 0
-		 * means that the caller does not want the result.
-		 */
-	} else if ((flags & NI_NUMERICHOST) != 0) {
-		if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
-		    == NULL)
-			ERR(EAI_SYSTEM);
-#if defined(IRS_HAVE_SIN6_SCOPE_ID)
-		if (afd->a_af == AF_INET6 &&
-		    ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
-			char *p = numaddr + strlen(numaddr);
-			const char *stringscope = NULL;
-#ifdef VENDOR_SPECIFIC
-			/*
-			 * Vendors may want to add support for
-			 * non-numeric scope identifier.
-			 */
-			stringscope = foo;
-#endif
-			if (stringscope == NULL) {
-				snprintf(p, sizeof(numaddr) - (p - numaddr),
-				    "%%%u",
-				    ((const struct sockaddr_in6 *)sa)->sin6_scope_id);
-			} else {
-				snprintf(p, sizeof(numaddr) - (p - numaddr),
-				    "%%%s", stringscope);
-			}
-		}
-#endif
-		if (strlen(numaddr) + 1 > hostlen)
-			ERR(EAI_OVERFLOW);
-		strcpy(host, numaddr);
-	} else {
-		isc_netaddr_t netaddr;
-		dns_fixedname_t ptrfname;
-		dns_name_t *ptrname;
-		irs_context_t *irsctx = NULL;
-		dns_client_t *client;
-		isc_boolean_t found = ISC_FALSE;
-		dns_namelist_t answerlist;
-		dns_rdataset_t *rdataset;
-		isc_region_t hostregion;
-		char hoststr[1024]; /* is this enough? */
-		isc_result_t iresult;
-
-		/* Get IRS context and the associated DNS client object */
-		iresult = irs_context_get(&irsctx);
-		if (iresult != ISC_R_SUCCESS)
-			ERR(EAI_FAIL);
-		client = irs_context_getdnsclient(irsctx);
-
-		/* Make query name */
-		isc_netaddr_fromsockaddr(&netaddr, (const isc_sockaddr_t *)sa);
-		dns_fixedname_init(&ptrfname);
-		ptrname = dns_fixedname_name(&ptrfname);
-		iresult = dns_byaddr_createptrname2(&netaddr, 0, ptrname);
-		if (iresult != ISC_R_SUCCESS)
-			ERR(EAI_FAIL);
-
-		/* Get the PTR RRset */
-		ISC_LIST_INIT(answerlist);
-		iresult = dns_client_resolve(client, ptrname,
-					     dns_rdataclass_in,
-					     dns_rdatatype_ptr,
-					     DNS_CLIENTRESOPT_ALLOWRUN,
-					     &answerlist);
-		switch (iresult) {
-		case ISC_R_SUCCESS:
-		/*
-		 * a 'non-existent' error is not necessarily fatal for
-		 * getnameinfo().
-		 */
-		case DNS_R_NCACHENXDOMAIN:
-		case DNS_R_NCACHENXRRSET:
-			break;
-		case DNS_R_SIGINVALID:
-		case DNS_R_SIGEXPIRED:
-		case DNS_R_SIGFUTURE:
-		case DNS_R_KEYUNAUTHORIZED:
-		case DNS_R_MUSTBESECURE:
-		case DNS_R_COVERINGNSEC:
-		case DNS_R_NOTAUTHORITATIVE:
-		case DNS_R_NOVALIDKEY:
-		case DNS_R_NOVALIDDS:
-		case DNS_R_NOVALIDSIG:
-			ERR(EAI_INSECUREDATA);
-			break;
-		default:
-			ERR(EAI_FAIL);
-		}
-
-		/* Parse the answer for the hostname */
-		for (ptrname = ISC_LIST_HEAD(answerlist); ptrname != NULL;
-		     ptrname = ISC_LIST_NEXT(ptrname, link)) {
-			for (rdataset = ISC_LIST_HEAD(ptrname->list);
-			     rdataset != NULL;
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-				if (!dns_rdataset_isassociated(rdataset))
-					continue;
-				if (rdataset->type != dns_rdatatype_ptr)
-					continue;
-
-				for (iresult = dns_rdataset_first(rdataset);
-				     iresult == ISC_R_SUCCESS;
-				     iresult = dns_rdataset_next(rdataset)) {
-					dns_rdata_t rdata;
-					dns_rdata_ptr_t rdata_ptr;
-					isc_buffer_t b;
-
-					dns_rdata_init(&rdata);
-					dns_rdataset_current(rdataset, &rdata);
-					dns_rdata_tostruct(&rdata, &rdata_ptr,
-							   NULL);
-
-					isc_buffer_init(&b, hoststr,
-							sizeof(hoststr));
-					iresult =
-						dns_name_totext(&rdata_ptr.ptr,
-								ISC_TRUE, &b);
-					dns_rdata_freestruct(&rdata_ptr);
-					if (iresult == ISC_R_SUCCESS) {
-						/*
-						 * We ignore the rest of the
-						 * answer.  After all,
-						 * getnameinfo() can return
-						 * at most one hostname.
-						 */
-						found = ISC_TRUE;
-						isc_buffer_usedregion(
-							&b, &hostregion);
-						goto ptrfound;
-					}
-
-				}
-			}
-		}
-	ptrfound:
-		dns_client_freeresanswer(client, &answerlist);
-		if (found) {
-			if ((flags & NI_NOFQDN) != 0) {
-				p = strchr(hoststr, '.');
-				if (p)
-					*p = '\0';
-			}
-			if (hostregion.length + 1 > hostlen)
-				ERR(EAI_OVERFLOW);
-			snprintf(host, hostlen, "%.*s",
-				 (int)hostregion.length,
-				 (char *)hostregion.base);
-		} else {
-			if ((flags & NI_NAMEREQD) != 0)
-				ERR(EAI_NONAME);
-			if (inet_ntop(afd->a_af, addr, numaddr,
-				      sizeof(numaddr)) == NULL)
-				ERR(EAI_SYSTEM);
-			if ((strlen(numaddr) + 1) > hostlen)
-				ERR(EAI_OVERFLOW);
-			strcpy(host, numaddr);
-		}
-	}
-	result = SUCCESS;
-
- cleanup:
-	return (result);
-}
diff --git a/contrib/bind9/lib/irs/include/Makefile.in b/contrib/bind9/lib/irs/include/Makefile.in
deleted file mode 100644
index 91099f1..0000000
--- a/contrib/bind9/lib/irs/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	irs
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/irs/include/irs/Makefile.in b/contrib/bind9/lib/irs/include/irs/Makefile.in
deleted file mode 100644
index 63e7fd6..0000000
--- a/contrib/bind9/lib/irs/include/irs/Makefile.in
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated.  The latter are handled specially in the
-# install target below.
-#
-HEADERS =	version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/irs
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/irs ; \
-	done
-	${INSTALL_DATA} netdb.h ${DESTDIR}${includedir}/irs
-	${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/irs
-
-distclean::
-	rm -f netdb.h platform.h
diff --git a/contrib/bind9/lib/irs/include/irs/context.h b/contrib/bind9/lib/irs/include/irs/context.h
deleted file mode 100644
index f2ef3f4..0000000
--- a/contrib/bind9/lib/irs/include/irs/context.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-#ifndef IRS_CONTEXT_H
-#define IRS_CONTEXT_H 1
-
-/*! \file
- *
- * \brief
- * The IRS context module provides an abstract interface to the DNS library
- * with an application.  An IRS context object initializes and holds various
- * resources used in the DNS library.
- */
-
-#include <dns/types.h>
-#include <irs/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-irs_context_create(irs_context_t **contextp);
-/*%<
- * Create an IRS context.  It internally initializes the ISC and DNS libraries
- * (if not yet), creates a DNS client object and initializes the client using
- * the configuration files parsed via the 'resconf' and 'dnsconf' IRS modules.
- * Some of the internally initialized objects can be used by the application
- * via irs_context_getxxx() functions (see below).
- *
- * Requires:
- *
- *\li	contextp != NULL && *contextp == NULL.
- */
-
-isc_result_t
-irs_context_get(irs_context_t **contextp);
-/*%<
- * Return an IRS context for the calling thread.  If no IRS context is
- * associated to the thread, this function creates a new one by calling
- * irs_context_create(), and associates it with the thread as a thread specific
- * data value.  This function is provided for standard libraries that are
- * expected to be thread-safe but do not accept an appropriate IRS context
- * as a library parameter, e.g., getaddrinfo().
- *
- * Requires:
- *
- *\li	contextp != NULL && *contextp == NULL.
- */
-
-void
-irs_context_destroy(irs_context_t **contextp);
-/*%<
- * Destroy an IRS context.
- *
- * Requires:
- *
- *\li	'*contextp' is a valid IRS context.
- *
- * Ensures:
- *\li	'*contextp' == NULL.
- */
-
-isc_mem_t *
-irs_context_getmctx(irs_context_t *context);
-/*%<
- * Return the memory context held in the context.
- *
- * Requires:
- *
- *\li	'context' is a valid IRS context.
- */
-
-isc_appctx_t *
-irs_context_getappctx(irs_context_t *context);
-/*%<
- * Return the application context held in the context.
- *
- * Requires:
- *
- *\li	'context' is a valid IRS context.
- */
-
-isc_taskmgr_t *
-irs_context_gettaskmgr(irs_context_t *context);
-/*%<
- * Return the task manager held in the context.
- *
- * Requires:
- *
- *\li	'context' is a valid IRS context.
- */
-
-isc_timermgr_t *
-irs_context_gettimermgr(irs_context_t *context);
-/*%<
- * Return the timer manager held in the context.
- *
- * Requires:
- *
- *\li	'context' is a valid IRS context.
- */
-
-isc_task_t *
-irs_context_gettask(irs_context_t *context);
-/*%<
- * Return the task object held in the context.
- *
- * Requires:
- *
- *\li	'context' is a valid IRS context.
- */
-
-dns_client_t *
-irs_context_getdnsclient(irs_context_t *context);
-/*%<
- * Return the DNS client object held in the context.
- *
- * Requires:
- *
- *\li	'context' is a valid IRS context.
- */
-
-irs_resconf_t *
-irs_context_getresconf(irs_context_t *context);
-/*%<
- * Return the resolver configuration object held in the context.
- *
- * Requires:
- *
- *\li	'context' is a valid IRS context.
- */
-
-irs_dnsconf_t *
-irs_context_getdnsconf(irs_context_t *context);
-/*%<
- * Return the advanced DNS configuration object held in the context.
- *
- * Requires:
- *
- *\li	'context' is a valid IRS context.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* IRS_CONTEXT_H */
diff --git a/contrib/bind9/lib/irs/include/irs/dnsconf.h b/contrib/bind9/lib/irs/include/irs/dnsconf.h
deleted file mode 100644
index 4f673ff..0000000
--- a/contrib/bind9/lib/irs/include/irs/dnsconf.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnsconf.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-#ifndef IRS_DNSCONF_H
-#define IRS_DNSCONF_H 1
-
-/*! \file
- *
- * \brief
- * The IRS dnsconf module parses an "advanced" configuration file related to
- * the DNS library, such as trusted keys for DNSSEC validation, and creates
- * the corresponding configuration objects for the DNS library modules.
- *
- * Notes:
- * This module is very experimental and the configuration syntax or library
- * interfaces may change in future versions.  Currently, only the
- * 'trusted-keys' statement is supported, whose syntax is the same as the
- * same name of statement for named.conf.
- */
-
-#include <irs/types.h>
-
-/*%
- * A compound structure storing DNS key information mainly for DNSSEC
- * validation.  A dns_key_t object will be created using the 'keyname' and
- * 'keydatabuf' members with the dst_key_fromdns() function.
- */
-typedef struct irs_dnsconf_dnskey {
-	dns_name_t				*keyname;
-	isc_buffer_t				*keydatabuf;
-	ISC_LINK(struct irs_dnsconf_dnskey)	link;
-} irs_dnsconf_dnskey_t;
-
-typedef ISC_LIST(irs_dnsconf_dnskey_t) irs_dnsconf_dnskeylist_t;
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp);
-/*%<
- * Load the "advanced" DNS configuration file 'filename' in the "dns.conf"
- * format, and create a new irs_dnsconf_t object from the configuration.
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	'filename' != NULL
- *
- *\li	'confp' != NULL && '*confp' == NULL
- */
-
-void
-irs_dnsconf_destroy(irs_dnsconf_t **confp);
-/*%<
- * Destroy the dnsconf object.
- *
- * Requires:
- *
- *\li	'*confp' is a valid dnsconf object.
- *
- * Ensures:
- *
- *\li	*confp == NULL
- */
-
-irs_dnsconf_dnskeylist_t *
-irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf);
-/*%<
- * Return a list of key information stored in 'conf'.
- *
- * Requires:
- *
- *\li	'conf' is a valid dnsconf object.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* IRS_DNSCONF_H */
diff --git a/contrib/bind9/lib/irs/include/irs/netdb.h.in b/contrib/bind9/lib/irs/include/irs/netdb.h.in
deleted file mode 100644
index 299928b..0000000
--- a/contrib/bind9/lib/irs/include/irs/netdb.h.in
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netdb.h.in,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#ifndef IRS_NETDB_H
-#define IRS_NETDB_H 1
-
-#include <stddef.h>	/* Required on FreeBSD (and  others?) for size_t. */
-#include <netdb.h>	/* Contractual provision. */
-
-/*
- * Define if <netdb.h> does not declare struct addrinfo.
- */
-@ISC_IRS_NEEDADDRINFO@
-
-#ifdef ISC_IRS_NEEDADDRINFO
-struct addrinfo {
-	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
-	int		ai_family;     /* PF_xxx */
-	int		ai_socktype;   /* SOCK_xxx */
-	int		ai_protocol;   /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
-	size_t		ai_addrlen;    /* Length of ai_addr */
-	char		*ai_canonname; /* Canonical name for hostname */
-	struct sockaddr	*ai_addr;      /* Binary address */
-	struct addrinfo	*ai_next;      /* Next structure in linked list */
-};
-#endif
-
-/*
- * Undefine all #defines we are interested in as <netdb.h> may or may not have
- * defined them.
- */
-
-/*
- * Error return codes from gethostbyname() and gethostbyaddr()
- * (left in extern int h_errno).
- */
-
-#undef	NETDB_INTERNAL
-#undef	NETDB_SUCCESS
-#undef	HOST_NOT_FOUND
-#undef	TRY_AGAIN
-#undef	NO_RECOVERY
-#undef	NO_DATA
-#undef	NO_ADDRESS
-
-#define	NETDB_INTERNAL	-1	/* see errno */
-#define	NETDB_SUCCESS	0	/* no problem */
-#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
-#define	TRY_AGAIN	2 /* Non-Authoritive Host not found, or SERVERFAIL */
-#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
-#define	NO_DATA		4 /* Valid name, no data record of requested type */
-#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
-
-/*
- * Error return codes from getaddrinfo().  EAI_INSECUREDATA is our own extension
- * and it's very unlikely to be already defined, but undef it just in case; it
- * at least doesn't do any harm.
- */
-
-#undef	EAI_ADDRFAMILY
-#undef	EAI_AGAIN
-#undef	EAI_BADFLAGS
-#undef	EAI_FAIL
-#undef	EAI_FAMILY
-#undef	EAI_MEMORY
-#undef	EAI_NODATA
-#undef	EAI_NONAME
-#undef	EAI_SERVICE
-#undef	EAI_SOCKTYPE
-#undef	EAI_SYSTEM
-#undef	EAI_BADHINTS
-#undef	EAI_PROTOCOL
-#undef	EAI_OVERFLOW
-#undef	EAI_INSECUREDATA
-#undef	EAI_MAX
-
-#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
-#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
-#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
-#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
-#define	EAI_FAMILY	 5	/* ai_family not supported */
-#define	EAI_MEMORY	 6	/* memory allocation failure */
-#define	EAI_NODATA	 7	/* no address associated with hostname */
-#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
-#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
-#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
-#define	EAI_SYSTEM	11	/* system error returned in errno */
-#define EAI_BADHINTS	12
-#define EAI_PROTOCOL	13
-#define EAI_OVERFLOW	14
-#define EAI_INSECUREDATA 15
-#define EAI_MAX		16
-
-/*
- * Flag values for getaddrinfo()
- */
-#undef	AI_PASSIVE
-#undef	AI_CANONNAME
-#undef	AI_NUMERICHOST
-
-#define	AI_PASSIVE	0x00000001
-#define	AI_CANONNAME	0x00000002
-#define AI_NUMERICHOST	0x00000004
-
-/*
- * Flag values for getipnodebyname()
- */
-#undef AI_V4MAPPED
-#undef AI_ALL
-#undef AI_ADDRCONFIG
-#undef AI_DEFAULT
-
-#define AI_V4MAPPED	0x00000008
-#define AI_ALL		0x00000010
-#define AI_ADDRCONFIG	0x00000020
-#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
-
-/*
- * Constants for lwres_getnameinfo()
- */
-#undef	NI_MAXHOST
-#undef	NI_MAXSERV
-
-#define	NI_MAXHOST	1025
-#define	NI_MAXSERV	32
-
-/*
- * Flag values for lwres_getnameinfo()
- */
-#undef	NI_NOFQDN
-#undef	NI_NUMERICHOST
-#undef	NI_NAMEREQD
-#undef	NI_NUMERICSERV
-#undef	NI_DGRAM
-#undef	NI_NUMERICSCOPE
-
-#define	NI_NOFQDN	0x00000001
-#define	NI_NUMERICHOST	0x00000002
-#define	NI_NAMEREQD	0x00000004
-#define	NI_NUMERICSERV	0x00000008
-#define	NI_DGRAM	0x00000010
-
-/*
- * Tell Emacs to use C mode on this file.
- * Local variables:
- * mode: c
- * End:
- */
-
-#endif /* IRS_NETDB_H */
diff --git a/contrib/bind9/lib/irs/include/irs/platform.h.in b/contrib/bind9/lib/irs/include/irs/platform.h.in
deleted file mode 100644
index 0e9be3c..0000000
--- a/contrib/bind9/lib/irs/include/irs/platform.h.in
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: platform.h.in,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#ifndef IRS_PLATFORM_H
-#define IRS_PLATFORM_H 1
-
-/*****
- ***** Platform-dependent defines.
- *****/
-
-#ifndef IRS_PLATFORM_USEDECLSPEC
-#define LIBIRS_EXTERNAL_DATA
-#else
-#ifdef LIBIRS_EXPORTS
-#define LIBIRS_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBIRS_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#endif
-
-/*
- * Tell Emacs to use C mode on this file.
- * Local Variables:
- * mode: c
- * End:
- */
-
-#endif /* IRS_PLATFORM_H */
diff --git a/contrib/bind9/lib/irs/include/irs/resconf.h b/contrib/bind9/lib/irs/include/irs/resconf.h
deleted file mode 100644
index 78c87d5..0000000
--- a/contrib/bind9/lib/irs/include/irs/resconf.h
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resconf.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-#ifndef IRS_RESCONF_H
-#define IRS_RESCONF_H 1
-
-/*! \file
- *
- * \brief
- * The IRS resconf module parses the legacy "/etc/resolv.conf" file and
- * creates the corresponding configuration objects for the DNS library
- * modules.
- */
-
-#include <irs/types.h>
-
-/*%
- * A DNS search list specified in the 'domain' or 'search' statements
- * in the "resolv.conf" file.
- */
-typedef struct irs_resconf_search {
-	char					*domain;
-	ISC_LINK(struct irs_resconf_search)	link;
-} irs_resconf_search_t;
-
-typedef ISC_LIST(irs_resconf_search_t) irs_resconf_searchlist_t;
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp);
-/*%<
- * Load the resolver configuration file 'filename' in the "resolv.conf" format,
- * and create a new irs_resconf_t object from the configuration.
- *
- * Notes:
- *
- *\li	Currently, only the following options are supported:
- *	nameserver, domain, search, sortlist, ndots, and options.
- *	In addition, 'sortlist' is not actually effective; it's parsed, but
- *	the application cannot use the configuration.
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	'filename' != NULL
- *
- *\li	'confp' != NULL && '*confp' == NULL
- */
-
-void
-irs_resconf_destroy(irs_resconf_t **confp);
-/*%<
- * Destroy the resconf object.
- *
- * Requires:
- *
- *\li	'*confp' is a valid resconf object.
- *
- * Ensures:
- *
- *\li	*confp == NULL
- */
-
-isc_sockaddrlist_t *
-irs_resconf_getnameservers(irs_resconf_t *conf);
-/*%<
- * Return a list of name server addresses stored in 'conf'.
- *
- * Requires:
- *
- *\li	'conf' is a valid resconf object.
- */
-
-irs_resconf_searchlist_t *
-irs_resconf_getsearchlist(irs_resconf_t *conf);
-/*%<
- * Return the search list stored in 'conf'.
- *
- * Requires:
- *
- *\li	'conf' is a valid resconf object.
- */
-
-unsigned int
-irs_resconf_getndots(irs_resconf_t *conf);
-/*%<
- * Return the 'ndots' value stored in 'conf'.
- *
- * Requires:
- *
- *\li	'conf' is a valid resconf object.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* IRS_RESCONF_H */
diff --git a/contrib/bind9/lib/irs/include/irs/types.h b/contrib/bind9/lib/irs/include/irs/types.h
deleted file mode 100644
index 0a539de..0000000
--- a/contrib/bind9/lib/irs/include/irs/types.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: types.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-#ifndef IRS_TYPES_H
-#define IRS_TYPES_H 1
-
-/* Core Types.  Alphabetized by defined type. */
-
-/*%< per-thread IRS context */
-typedef struct irs_context		irs_context_t;
-/*%< resolv.conf configuration information */
-typedef struct irs_resconf		irs_resconf_t;
-/*%< advanced DNS-related configuration information */
-typedef struct irs_dnsconf		irs_dnsconf_t;
-
-#endif /* IRS_TYPES_H */
diff --git a/contrib/bind9/lib/irs/include/irs/version.h b/contrib/bind9/lib/irs/include/irs/version.h
deleted file mode 100644
index bd7e5cf..0000000
--- a/contrib/bind9/lib/irs/include/irs/version.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#include <irs/platform.h>
-
-LIBIRS_EXTERNAL_DATA extern const char irs_version[];
-
-LIBIRS_EXTERNAL_DATA extern const unsigned int irs_libinterface;
-LIBIRS_EXTERNAL_DATA extern const unsigned int irs_librevision;
-LIBIRS_EXTERNAL_DATA extern const unsigned int irs_libage;
diff --git a/contrib/bind9/lib/irs/resconf.c b/contrib/bind9/lib/irs/resconf.c
deleted file mode 100644
index 88bdac1..0000000
--- a/contrib/bind9/lib/irs/resconf.c
+++ /dev/null
@@ -1,637 +0,0 @@
-/*
- * Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file resconf.c */
-
-/**
- * Module for parsing resolv.conf files (largely derived from lwconfig.c).
- *
- *    irs_resconf_load() opens the file filename and parses it to initialize
- *    the configuration structure.
- *
- * \section lwconfig_return Return Values
- *
- *    irs_resconf_load() returns #IRS_R_SUCCESS if it successfully read and
- *    parsed filename. It returns a non-0 error code if filename could not be
- *    opened or contained incorrect resolver statements.
- *
- * \section lwconfig_see See Also
- *
- *    stdio(3), \link resolver resolver \endlink
- *
- * \section files Files
- *
- *    /etc/resolv.conf
- */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <irs/resconf.h>
-
-#define IRS_RESCONF_MAGIC		ISC_MAGIC('R', 'E', 'S', 'c')
-#define IRS_RESCONF_VALID(c)		ISC_MAGIC_VALID(c, IRS_RESCONF_MAGIC)
-
-/*!
- * protocol constants
- */
-
-#if ! defined(NS_INADDRSZ)
-#define NS_INADDRSZ	 4
-#endif
-
-#if ! defined(NS_IN6ADDRSZ)
-#define NS_IN6ADDRSZ	16
-#endif
-
-/*!
- * resolv.conf parameters
- */
-
-#define RESCONFMAXNAMESERVERS 3		/*%< max 3 "nameserver" entries */
-#define RESCONFMAXSEARCH 8		/*%< max 8 domains in "search" entry */
-#define RESCONFMAXLINELEN 256		/*%< max size of a line */
-#define RESCONFMAXSORTLIST 10		/*%< max 10 */
-
-/*!
- * configuration data structure
- */
-
-struct irs_resconf {
-	/*
-	 * The configuration data is a thread-specific object, and does not
-	 * need to be locked.
-	 */
-	unsigned int		magic;
-	isc_mem_t		*mctx;
-
-	isc_sockaddrlist_t	nameservers;
-	unsigned int		numns; /*%< number of configured servers */
-
-	char	       		*domainname;
-	char 	       		*search[RESCONFMAXSEARCH];
-	isc_uint8_t		searchnxt; /*%< index for next free slot */
-
-	irs_resconf_searchlist_t searchlist;
-
-	struct {
-		isc_netaddr_t	addr;
-		/*% mask has a non-zero 'family' if set */
-		isc_netaddr_t	mask;
-	} sortlist[RESCONFMAXSORTLIST];
-	isc_uint8_t		sortlistnxt;
-
-	/*%< non-zero if 'options debug' set */
-	isc_uint8_t		resdebug;
-	/*%< set to n in 'options ndots:n' */
-	isc_uint8_t		ndots;
-};
-
-static isc_result_t
-resconf_parsenameserver(irs_resconf_t *conf,  FILE *fp);
-static isc_result_t
-resconf_parsedomain(irs_resconf_t *conf,  FILE *fp);
-static isc_result_t
-resconf_parsesearch(irs_resconf_t *conf,  FILE *fp);
-static isc_result_t
-resconf_parsesortlist(irs_resconf_t *conf,  FILE *fp);
-static isc_result_t
-resconf_parseoption(irs_resconf_t *ctx,  FILE *fp);
-
-/*!
- * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
- */
-static int
-eatline(FILE *fp) {
-	int ch;
-
-	ch = fgetc(fp);
-	while (ch != '\n' && ch != EOF)
-		ch = fgetc(fp);
-
-	return (ch);
-}
-
-/*!
- * Eats white space up to next newline or non-whitespace character (of
- * EOF). Returns the last character read. Comments are considered white
- * space.
- */
-static int
-eatwhite(FILE *fp) {
-	int ch;
-
-	ch = fgetc(fp);
-	while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
-		ch = fgetc(fp);
-
-	if (ch == ';' || ch == '#')
-		ch = eatline(fp);
-
-	return (ch);
-}
-
-/*!
- * Skip over any leading whitespace and then read in the next sequence of
- * non-whitespace characters. In this context newline is not considered
- * whitespace. Returns EOF on end-of-file, or the character
- * that caused the reading to stop.
- */
-static int
-getword(FILE *fp, char *buffer, size_t size) {
-	int ch;
-	char *p = buffer;
-
-	REQUIRE(buffer != NULL);
-	REQUIRE(size > 0U);
-
-	*p = '\0';
-
-	ch = eatwhite(fp);
-
-	if (ch == EOF)
-		return (EOF);
-
-	do {
-		*p = '\0';
-
-		if (ch == EOF || isspace((unsigned char)ch))
-			break;
-		else if ((size_t) (p - buffer) == size - 1)
-			return (EOF);	/* Not enough space. */
-
-		*p++ = (char)ch;
-		ch = fgetc(fp);
-	} while (1);
-
-	return (ch);
-}
-
-static isc_result_t
-add_server(isc_mem_t *mctx, const char *address_str,
-	   isc_sockaddrlist_t *nameservers)
-{
-	int error;
-	isc_sockaddr_t *address = NULL;
-	struct addrinfo hints, *res;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	res = NULL;
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = AF_UNSPEC;
-	hints.ai_socktype = SOCK_DGRAM;
-	hints.ai_protocol = IPPROTO_UDP;
-	hints.ai_flags = AI_NUMERICHOST;
-	error = getaddrinfo(address_str, "53", &hints, &res);
-	if (error != 0)
-		return (ISC_R_BADADDRESSFORM);
-
-	/* XXX: special case: treat all-0 IPv4 address as loopback */
-	if (res->ai_family == AF_INET) {
-		struct in_addr *v4;
-		unsigned char zeroaddress[] = {0, 0, 0, 0};
-		unsigned char loopaddress[] = {127, 0, 0, 1};
-
-		v4 = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
-		if (memcmp(v4, zeroaddress, 4) == 0)
-			memcpy(v4, loopaddress, 4);
-	}
-
-	address = isc_mem_get(mctx, sizeof(*address));
-	if (address == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	if (res->ai_addrlen > sizeof(address->type)) {
-		isc_mem_put(mctx, address, sizeof(*address));
-		result = ISC_R_RANGE;
-		goto cleanup;
-	}
-	address->length = res->ai_addrlen;
-	memcpy(&address->type.ss, res->ai_addr, res->ai_addrlen);
-	ISC_LINK_INIT(address, link);
-	ISC_LIST_APPEND(*nameservers, address, link);
-
-  cleanup:
-	freeaddrinfo(res);
-
-	return (result);
-}
-
-static isc_result_t
-create_addr(const char *buffer, isc_netaddr_t *addr, int convert_zero) {
-	struct in_addr v4;
-	struct in6_addr v6;
-
-	if (inet_aton(buffer, &v4) == 1) {
-		if (convert_zero) {
-			unsigned char zeroaddress[] = {0, 0, 0, 0};
-			unsigned char loopaddress[] = {127, 0, 0, 1};
-			if (memcmp(&v4, zeroaddress, 4) == 0)
-				memcpy(&v4, loopaddress, 4);
-		}
-		addr->family = AF_INET;
-		memcpy(&addr->type.in, &v4, NS_INADDRSZ);
-		addr->zone = 0;
-	} else if (inet_pton(AF_INET6, buffer, &v6) == 1) {
-		addr->family = AF_INET6;
-		memcpy(&addr->type.in6, &v6, NS_IN6ADDRSZ);
-		addr->zone = 0;
-	} else
-		return (ISC_R_BADADDRESSFORM); /* Unrecognised format. */
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-resconf_parsenameserver(irs_resconf_t *conf,  FILE *fp) {
-	char word[RESCONFMAXLINELEN];
-	int cp;
-	isc_result_t result;
-
-	if (conf->numns == RESCONFMAXNAMESERVERS)
-		return (ISC_R_SUCCESS);
-
-	cp = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (ISC_R_UNEXPECTEDEND); /* Nothing on line. */
-	else if (cp == ' ' || cp == '\t')
-		cp = eatwhite(fp);
-
-	if (cp != EOF && cp != '\n')
-		return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
-
-	result = add_server(conf->mctx, word, &conf->nameservers);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	conf->numns++;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-resconf_parsedomain(irs_resconf_t *conf,  FILE *fp) {
-	char word[RESCONFMAXLINELEN];
-	int res, i;
-
-	res = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
-	else if (res == ' ' || res == '\t')
-		res = eatwhite(fp);
-
-	if (res != EOF && res != '\n')
-		return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
-
-	if (conf->domainname != NULL)
-		isc_mem_free(conf->mctx, conf->domainname);
-
-	/*
-	 * Search and domain are mutually exclusive.
-	 */
-	for (i = 0; i < RESCONFMAXSEARCH; i++) {
-		if (conf->search[i] != NULL) {
-			isc_mem_free(conf->mctx, conf->search[i]);
-			conf->search[i] = NULL;
-		}
-	}
-	conf->searchnxt = 0;
-
-	conf->domainname = isc_mem_strdup(conf->mctx, word);
-	if (conf->domainname == NULL)
-		return (ISC_R_NOMEMORY);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-resconf_parsesearch(irs_resconf_t *conf,  FILE *fp) {
-	int idx, delim;
-	char word[RESCONFMAXLINELEN];
-
-	if (conf->domainname != NULL) {
-		/*
-		 * Search and domain are mutually exclusive.
-		 */
-		isc_mem_free(conf->mctx, conf->domainname);
-		conf->domainname = NULL;
-	}
-
-	/*
-	 * Remove any previous search definitions.
-	 */
-	for (idx = 0; idx < RESCONFMAXSEARCH; idx++) {
-		if (conf->search[idx] != NULL) {
-			isc_mem_free(conf->mctx, conf->search[idx]);
-			conf->search[idx] = NULL;
-		}
-	}
-	conf->searchnxt = 0;
-
-	delim = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
-
-	idx = 0;
-	while (strlen(word) > 0U) {
-		if (conf->searchnxt == RESCONFMAXSEARCH)
-			goto ignore; /* Too many domains. */
-
-		conf->search[idx] = isc_mem_strdup(conf->mctx, word);
-		if (conf->search[idx] == NULL)
-			return (ISC_R_NOMEMORY);
-		idx++;
-		conf->searchnxt++;
-
-	ignore:
-		if (delim == EOF || delim == '\n')
-			break;
-		else
-			delim = getword(fp, word, sizeof(word));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-resconf_parsesortlist(irs_resconf_t *conf,  FILE *fp) {
-	int delim, res, idx;
-	char word[RESCONFMAXLINELEN];
-	char *p;
-
-	delim = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
-
-	while (strlen(word) > 0U) {
-		if (conf->sortlistnxt == RESCONFMAXSORTLIST)
-			return (ISC_R_QUOTA); /* Too many values. */
-
-		p = strchr(word, '/');
-		if (p != NULL)
-			*p++ = '\0';
-
-		idx = conf->sortlistnxt;
-		res = create_addr(word, &conf->sortlist[idx].addr, 1);
-		if (res != ISC_R_SUCCESS)
-			return (res);
-
-		if (p != NULL) {
-			res = create_addr(p, &conf->sortlist[idx].mask, 0);
-			if (res != ISC_R_SUCCESS)
-				return (res);
-		} else {
-			/*
-			 * Make up a mask. (XXX: is this correct?)
-			 */
-			conf->sortlist[idx].mask = conf->sortlist[idx].addr;
-			memset(&conf->sortlist[idx].mask.type, 0xff,
-			       sizeof(conf->sortlist[idx].mask.type));
-		}
-
-		conf->sortlistnxt++;
-
-		if (delim == EOF || delim == '\n')
-			break;
-		else
-			delim = getword(fp, word, sizeof(word));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-resconf_parseoption(irs_resconf_t *conf,  FILE *fp) {
-	int delim;
-	long ndots;
-	char *p;
-	char word[RESCONFMAXLINELEN];
-
-	delim = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
-
-	while (strlen(word) > 0U) {
-		if (strcmp("debug", word) == 0) {
-			conf->resdebug = 1;
-		} else if (strncmp("ndots:", word, 6) == 0) {
-			ndots = strtol(word + 6, &p, 10);
-			if (*p != '\0') /* Bad string. */
-				return (ISC_R_UNEXPECTEDTOKEN);
-			if (ndots < 0 || ndots > 0xff) /* Out of range. */
-				return (ISC_R_RANGE);
-			conf->ndots = (isc_uint8_t)ndots;
-		}
-
-		if (delim == EOF || delim == '\n')
-			break;
-		else
-			delim = getword(fp, word, sizeof(word));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-add_search(irs_resconf_t *conf, char *domain) {
-	irs_resconf_search_t *entry;
-
-	entry = isc_mem_get(conf->mctx, sizeof(*entry));
-	if (entry == NULL)
-		return (ISC_R_NOMEMORY);
-
-	entry->domain = domain;
-	ISC_LINK_INIT(entry, link);
-	ISC_LIST_APPEND(conf->searchlist, entry, link);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*% parses a file and fills in the data structure. */
-isc_result_t
-irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp)
-{
-	FILE *fp = NULL;
-	char word[256];
-	isc_result_t rval, ret;
-	irs_resconf_t *conf;
-	int i, stopchar;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(filename != NULL);
-	REQUIRE(strlen(filename) > 0U);
-	REQUIRE(confp != NULL && *confp == NULL);
-
-	conf = isc_mem_get(mctx, sizeof(*conf));
-	if (conf == NULL)
-		return (ISC_R_NOMEMORY);
-
-	conf->mctx = mctx;
-	ISC_LIST_INIT(conf->nameservers);
-	conf->numns = 0;
-	conf->domainname = NULL;
-	conf->searchnxt = 0;
-	conf->resdebug = 0;
-	conf->ndots = 1;
-	for (i = 0; i < RESCONFMAXSEARCH; i++)
-		conf->search[i] = NULL;
-
-	errno = 0;
-	if ((fp = fopen(filename, "r")) == NULL) {
-		isc_mem_put(mctx, conf, sizeof(*conf));
-		return (ISC_R_INVALIDFILE);
-	}
-
-	ret = ISC_R_SUCCESS;
-	do {
-		stopchar = getword(fp, word, sizeof(word));
-		if (stopchar == EOF) {
-			rval = ISC_R_SUCCESS;
-			POST(rval);
-			break;
-		}
-
-		if (strlen(word) == 0U)
-			rval = ISC_R_SUCCESS;
-		else if (strcmp(word, "nameserver") == 0)
-			rval = resconf_parsenameserver(conf, fp);
-		else if (strcmp(word, "domain") == 0)
-			rval = resconf_parsedomain(conf, fp);
-		else if (strcmp(word, "search") == 0)
-			rval = resconf_parsesearch(conf, fp);
-		else if (strcmp(word, "sortlist") == 0)
-			rval = resconf_parsesortlist(conf, fp);
-		else if (strcmp(word, "options") == 0)
-			rval = resconf_parseoption(conf, fp);
-		else {
-			/* unrecognised word. Ignore entire line */
-			rval = ISC_R_SUCCESS;
-			stopchar = eatline(fp);
-			if (stopchar == EOF) {
-				break;
-			}
-		}
-		if (ret == ISC_R_SUCCESS && rval != ISC_R_SUCCESS)
-			ret = rval;
-	} while (1);
-
-	fclose(fp);
-
-	/* If we don't find a nameserver fall back to localhost */
-	if (conf->numns == 0) {
-		INSIST(ISC_LIST_EMPTY(conf->nameservers));
-
-		/* XXX: should we catch errors? */
-		(void)add_server(conf->mctx, "127.0.0.1", &conf->nameservers);
-		(void)add_server(conf->mctx, "::1", &conf->nameservers);
-	}
-
-	/*
-	 * Construct unified search list from domain or configured
-	 * search list
-	 */
-	ISC_LIST_INIT(conf->searchlist);
-	if (conf->domainname != NULL) {
-		ret = add_search(conf, conf->domainname);
-	} else if (conf->searchnxt > 0) {
-		for (i = 0; i < conf->searchnxt; i++) {
-			ret = add_search(conf, conf->search[i]);
-			if (ret != ISC_R_SUCCESS)
-				break;
-		}
-	}
-
-	conf->magic = IRS_RESCONF_MAGIC;
-
-	if (ret != ISC_R_SUCCESS)
-		irs_resconf_destroy(&conf);
-	else
-		*confp = conf;
-
-	return (ret);
-}
-
-void
-irs_resconf_destroy(irs_resconf_t **confp) {
-	irs_resconf_t *conf;
-	isc_sockaddr_t *address;
-	irs_resconf_search_t *searchentry;
-	int i;
-
-	REQUIRE(confp != NULL);
-	conf = *confp;
-	REQUIRE(IRS_RESCONF_VALID(conf));
-
-	while ((searchentry = ISC_LIST_HEAD(conf->searchlist)) != NULL) {
-		ISC_LIST_UNLINK(conf->searchlist, searchentry, link);
-		isc_mem_put(conf->mctx, searchentry, sizeof(*searchentry));
-	}
-
-	while ((address = ISC_LIST_HEAD(conf->nameservers)) != NULL) {
-		ISC_LIST_UNLINK(conf->nameservers, address, link);
-		isc_mem_put(conf->mctx, address, sizeof(*address));
-	}
-
-	if (conf->domainname != NULL)
-		isc_mem_free(conf->mctx, conf->domainname);
-
-	for (i = 0; i < RESCONFMAXSEARCH; i++) {
-		if (conf->search[i] != NULL)
-			isc_mem_free(conf->mctx, conf->search[i]);
-	}
-
-	isc_mem_put(conf->mctx, conf, sizeof(*conf));
-
-	*confp = NULL;
-}
-
-isc_sockaddrlist_t *
-irs_resconf_getnameservers(irs_resconf_t *conf) {
-	REQUIRE(IRS_RESCONF_VALID(conf));
-
-	return (&conf->nameservers);
-}
-
-irs_resconf_searchlist_t *
-irs_resconf_getsearchlist(irs_resconf_t *conf) {
-	REQUIRE(IRS_RESCONF_VALID(conf));
-
-	return (&conf->searchlist);
-}
-
-unsigned int
-irs_resconf_getndots(irs_resconf_t *conf) {
-	REQUIRE(IRS_RESCONF_VALID(conf));
-
-	return ((unsigned int)conf->ndots);
-}
diff --git a/contrib/bind9/lib/irs/version.c b/contrib/bind9/lib/irs/version.c
deleted file mode 100644
index f50a385..0000000
--- a/contrib/bind9/lib/irs/version.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#include <irs/version.h>
-
-const char irs_version[] = VERSION;
-
-const unsigned int irs_libinterface = LIBINTERFACE;
-const unsigned int irs_librevision = LIBREVISION;
-const unsigned int irs_libage = LIBAGE;
diff --git a/contrib/bind9/lib/isc/Makefile.in b/contrib/bind9/lib/isc/Makefile.in
deleted file mode 100644
index e68290c..0000000
--- a/contrib/bind9/lib/isc/Makefile.in
+++ /dev/null
@@ -1,135 +0,0 @@
-# Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBISC_API@
-
-CINCLUDES =	-I${srcdir}/unix/include \
-		-I${srcdir}/@ISC_THREAD_DIR@/include \
-		-I${srcdir}/@ISC_ARCH_DIR@/include \
-		-I./include \
-		-I${srcdir}/include @ISC_OPENSSL_INC@
-CDEFINES =	@USE_OPENSSL@
-CWARNINGS =
-
-# Alphabetically
-UNIXOBJS =	@ISC_ISCIPV6_O@ \
-		unix/app.@O@ unix/dir.@O@ unix/entropy.@O@ \
-		unix/errno2result.@O@ unix/file.@O@ unix/fsaccess.@O@ \
-		unix/interfaceiter.@O@ unix/keyboard.@O@ unix/net.@O@ \
-		unix/os.@O@ unix/resource.@O@ unix/socket.@O@ unix/stdio.@O@ \
-		unix/stdtime.@O@ unix/strerror.@O@ unix/syslog.@O@ unix/time.@O@
-
-NLSOBJS =	nls/msgcat.@O@
-
-THREADOPTOBJS = @ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@
-
-THREADOBJS =	@THREADOPTOBJS@ @ISC_THREAD_DIR@/thread.@O@
-
-WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
-		win32/fsaccess.@O@ win32/once.@O@ win32/stdtime.@O@ \
-		win32/thread.@O@ win32/time.@O@
-
-# Alphabetically
-OBJS =		@ISC_EXTRA_OBJS@ \
-		assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \
-		bitstring.@O@ buffer.@O@ bufferlist.@O@ commandline.@O@ \
-		error.@O@ event.@O@ \
-		hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
-		httpd.@O@ inet_aton.@O@ iterated_hash.@O@ \
-		lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \
-		md5.@O@ mem.@O@ mutexblock.@O@ \
-		netaddr.@O@ netscope.@O@ pool.@O@ ondestroy.@O@ \
-		parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
-		ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
-		rwlock.@O@ \
-		serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
-		string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
-		timer.@O@ version.@O@ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
-SYMTBLOBJS =	backtrace-emptytbl.@O@
-
-# Alphabetically
-SRCS =		@ISC_EXTRA_SRCS@ \
-		assertions.c backtrace.c base32.c base64.c bitstring.c \
-		buffer.c bufferlist.c commandline.c error.c event.c \
-		heap.c hex.c hmacmd5.c hmacsha.c \
-		httpd.c inet_aton.c iterated_hash.c \
-		lex.c lfsr.c lib.c log.c \
-		md5.c mem.c mutexblock.c \
-		netaddr.c netscope.c pool.c ondestroy.c \
-		parseint.c portset.c quota.c radix.c random.c \
-		ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
-		serial.c sha1.c sha2.c sockaddr.c stats.c string.c strtoul.c \
-		symtab.c symtbl-empty.c task.c taskpool.c timer.c version.c
-
-LIBS =		@LIBS@
-
-# Note: the order of SUBDIRS is important.
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-SUBDIRS =	include unix nls @ISC_THREAD_DIR@ @ISC_ARCH_DIR@
-TARGETS =	timestamp
-TESTDIRS =	@UNITTESTS@
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
-	${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
-	${RANLIB} $@
-
-libisc-nosymtbl.@SA@: ${OBJS}
-	${AR} ${ARFLAGS} $@ ${OBJS}
-	${RANLIB} $@
-
-libisc.la: ${OBJS} ${SYMTBLOBJS}
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${SYMTBLOBJS} ${LIBS}
-
-libisc-nosymtbl.la: ${OBJS}
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${LIBS}
-
-timestamp: libisc.@A@ libisc-nosymtbl.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
-	rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
-	libisc-nosymtbl.la timestamp
diff --git a/contrib/bind9/lib/isc/alpha/Makefile.in b/contrib/bind9/lib/isc/alpha/Makefile.in
deleted file mode 100644
index 9c24cdf..0000000
--- a/contrib/bind9/lib/isc/alpha/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/alpha/include/Makefile.in b/contrib/bind9/lib/isc/alpha/include/Makefile.in
deleted file mode 100644
index e399559..0000000
--- a/contrib/bind9/lib/isc/alpha/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/alpha/include/isc/Makefile.in b/contrib/bind9/lib/isc/alpha/include/isc/Makefile.in
deleted file mode 100644
index 4927e21..0000000
--- a/contrib/bind9/lib/isc/alpha/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	atomic.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/alpha/include/isc/atomic.h b/contrib/bind9/lib/isc/alpha/include/isc/atomic.h
deleted file mode 100644
index 138d828..0000000
--- a/contrib/bind9/lib/isc/alpha/include/isc/atomic.h
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * Copyright (C) 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: atomic.h,v 1.7 2009/04/08 06:48:23 tbox Exp $ */
-
-/*
- * This code was written based on FreeBSD's kernel source whose copyright
- * follows:
- */
-
-/*-
- * Copyright (c) 1998 Doug Rabson
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD$
- */
-
-#ifndef ISC_ATOMIC_H
-#define ISC_ATOMIC_H 1
-
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#ifdef ISC_PLATFORM_USEOSFASM
-#include <c_asm.h>
-
-#pragma intrinsic(asm)
-
-/*
- * This routine atomically increments the value stored in 'p' by 'val', and
- * returns the previous value.  Memory access ordering around this function
- * can be critical, so we add explicit memory block instructions at the
- * beginning and the end of it (same for other functions).
- */
-static inline isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	return (asm("mb;"
-		    "1:"
-		    "ldl_l %t0, 0(%a0);"	/* load old value */
-		    "mov %t0, %v0;"		/* copy the old value */
-		    "addl %t0, %a1, %t0;"	/* calculate new value */
-		    "stl_c %t0, 0(%a0);"	/* attempt to store */
-		    "beq %t0, 1b;"		/* spin if failed */
-		    "mb;",
-		    p, val));
-}
-
-/*
- * This routine atomically stores the value 'val' in 'p'.
- */
-static inline void
-isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	(void)asm("mb;"
-		  "1:"
-		  "ldl_l %t0, 0(%a0);"		/* load old value */
-		  "mov %a1, %t0;"		/* value to store */
-		  "stl_c %t0, 0(%a0);"		/* attempt to store */
-		  "beq %t0, 1b;"		/* spin if failed */
-		  "mb;",
-		  p, val);
-}
-
-/*
- * This routine atomically replaces the value in 'p' with 'val', if the
- * original value is equal to 'cmpval'.  The original value is returned in any
- * case.
- */
-static inline isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
-
-	return(asm("mb;"
-		   "1:"
-		   "ldl_l %t0, 0(%a0);"		/* load old value */
-		   "mov %t0, %v0;"		/* copy the old value */
-		   "cmpeq %t0, %a1, %t0;"	/* compare */
-		   "beq %t0, 2f;"		/* exit if not equal */
-		   "mov %a2, %t0;"		/* value to store */
-		   "stl_c %t0, 0(%a0);"		/* attempt to store */
-		   "beq %t0, 1b;"		/* if it failed, spin */
-		   "2:"
-		   "mb;",
-		   p, cmpval, val));
-}
-#elif defined (ISC_PLATFORM_USEGCCASM)
-static inline isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	isc_int32_t temp, prev;
-
-	__asm__ volatile(
-		"mb;"
-		"1:"
-		"ldl_l %0, %1;"			/* load old value */
-		"mov %0, %2;"			/* copy the old value */
-		"addl %0, %3, %0;"		/* calculate new value */
-		"stl_c %0, %1;"			/* attempt to store */
-		"beq %0, 1b;"			/* spin if failed */
-		"mb;"
-		: "=&r"(temp), "+m"(*p), "=&r"(prev)
-		: "r"(val)
-		: "memory");
-
-	return (prev);
-}
-
-static inline void
-isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	isc_int32_t temp;
-
-	__asm__ volatile(
-		"mb;"
-		"1:"
-		"ldl_l %0, %1;"			/* load old value */
-		"mov %2, %0;"			/* value to store */
-		"stl_c %0, %1;"			/* attempt to store */
-		"beq %0, 1b;"			/* if it failed, spin */
-		"mb;"
-		: "=&r"(temp), "+m"(*p)
-		: "r"(val)
-		: "memory");
-}
-
-static inline isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
-	isc_int32_t temp, prev;
-
-	__asm__ volatile(
-		"mb;"
-		"1:"
-		"ldl_l %0, %1;"			/* load old value */
-		"mov %0, %2;"			/* copy the old value */
-		"cmpeq %0, %3, %0;"		/* compare */
-		"beq %0, 2f;"			/* exit if not equal */
-		"mov %4, %0;"			/* value to store */
-		"stl_c %0, %1;"			/* attempt to store */
-		"beq %0, 1b;"			/* if it failed, spin */
-		"2:"
-		"mb;"
-		: "=&r"(temp), "+m"(*p), "=&r"(prev)
-		: "r"(cmpval), "r"(val)
-		: "memory");
-
-	return (prev);
-}
-#else
-
-#error "unsupported compiler.  disable atomic ops by --disable-atomic"
-
-#endif
-
-#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/api b/contrib/bind9/lib/isc/api
deleted file mode 100644
index 48bc766..0000000
--- a/contrib/bind9/lib/isc/api
+++ /dev/null
@@ -1,9 +0,0 @@
-# LIBINTERFACE ranges
-# 9.6: 50-59, 110-119
-# 9.7: 60-79
-# 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-LIBINTERFACE = 95
-LIBREVISION = 1
-LIBAGE = 0
diff --git a/contrib/bind9/lib/isc/app_api.c b/contrib/bind9/lib/isc/app_api.c
deleted file mode 100644
index ce767d1..0000000
--- a/contrib/bind9/lib/isc/app_api.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: app_api.c,v 1.5 2009/09/02 23:48:02 tbox Exp $ */
-
-#include <config.h>
-
-#include <unistd.h>
-
-#include <isc/app.h>
-#include <isc/magic.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/util.h>
-
-static isc_mutex_t createlock;
-static isc_once_t once = ISC_ONCE_INIT;
-static isc_appctxcreatefunc_t appctx_createfunc = NULL;
-
-#define ISCAPI_APPMETHODS_VALID(m) ISC_MAGIC_VALID(m, ISCAPI_APPMETHODS_MAGIC)
-
-static void
-initialize(void) {
-	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_app_register(isc_appctxcreatefunc_t createfunc) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
-	LOCK(&createlock);
-	if (appctx_createfunc == NULL)
-		appctx_createfunc = createfunc;
-	else
-		result = ISC_R_EXISTS;
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-isc_result_t
-isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
-	isc_result_t result;
-
-	LOCK(&createlock);
-
-	REQUIRE(appctx_createfunc != NULL);
-	result = (*appctx_createfunc)(mctx, ctxp);
-
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-void
-isc_appctx_destroy(isc_appctx_t **ctxp) {
-	REQUIRE(ctxp != NULL && ISCAPI_APPCTX_VALID(*ctxp));
-
-	(*ctxp)->methods->ctxdestroy(ctxp);
-
-	ENSURE(*ctxp == NULL);
-}
-
-isc_result_t
-isc_app_ctxstart(isc_appctx_t *ctx) {
-	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-
-	return (ctx->methods->ctxstart(ctx));
-}
-
-isc_result_t
-isc_app_ctxrun(isc_appctx_t *ctx) {
-	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-
-	return (ctx->methods->ctxrun(ctx));
-}
-
-isc_result_t
-isc_app_ctxsuspend(isc_appctx_t *ctx) {
-	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-
-	return (ctx->methods->ctxsuspend(ctx));
-}
-
-isc_result_t
-isc_app_ctxshutdown(isc_appctx_t *ctx) {
-	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-
-	return (ctx->methods->ctxshutdown(ctx));
-}
-
-void
-isc_app_ctxfinish(isc_appctx_t *ctx) {
-	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-
-	ctx->methods->ctxfinish(ctx);
-}
-
-void
-isc_appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr) {
-	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-	REQUIRE(taskmgr != NULL);
-
-	ctx->methods->settaskmgr(ctx, taskmgr);
-}
-
-void
-isc_appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr) {
-	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-	REQUIRE(socketmgr != NULL);
-
-	ctx->methods->setsocketmgr(ctx, socketmgr);
-}
-
-void
-isc_appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr) {
-	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-	REQUIRE(timermgr != NULL);
-
-	ctx->methods->settimermgr(ctx, timermgr);
-}
diff --git a/contrib/bind9/lib/isc/arm/include/isc/atomic.h b/contrib/bind9/lib/isc/arm/include/isc/atomic.h
deleted file mode 100644
index 4c519ee..0000000
--- a/contrib/bind9/lib/isc/arm/include/isc/atomic.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*-
- * Copyright (c) 2007 Warner Losh
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD$
- */
-
-#ifndef ISC_ATOMIC_H
-#define ISC_ATOMIC_H 1
-
-#include <isc/platform.h>
-#include <isc/types.h>
-#include <machine/atomic.h>
-
-#ifdef __FreeBSD__
-static inline isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val)
-{
-	return atomic_fetchadd_int(p, val);
-}
-
-static inline void
-isc_atomic_store(isc_int32_t *p, isc_int32_t val)
-{
-	atomic_store_rel_int(p, val);
-}
-
-static inline isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val)
-{
-	register int done, ras_start;
-
-	__asm __volatile("1:\n"
-	    "adr	%1, 1b\n"
-	    "mov	%0, #0xe0000004\n"
-	    "str	%1, [%0]\n"
-	    "mov	%0, #0xe0000008\n"
-	    "adr	%1, 2f\n"
-	    "str	%1, [%0]\n"
-	    "ldr	%1, [%2]\n"
-	    "cmp	%1, %3\n"
-	    "streq	%4, [%2]\n"
-	    "2:\n"
-	    "mov	%3, #0\n"
-	    "mov	%0, #0xe0000004\n"
-	    "str	%3, [%0]\n"
-	    "mov	%3, #0xffffffff\n"
-	    "mov	%0, #0xe0000008\n"
-	    "str	%3, [%0]\n"
-	    : "=r" (ras_start), "=r" (done)
-	    ,"+r" (p), "+r" (cmpval), "+r" (val) : : "memory");
-	return (done);
-
-}
-#else /* !FreeBSD */
-
-#error "unsupported compiler.  disable atomic ops by --disable-atomic"
-
-#endif
-#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/assertions.c b/contrib/bind9/lib/isc/assertions.c
deleted file mode 100644
index 31c4fe7..0000000
--- a/contrib/bind9/lib/isc/assertions.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: assertions.c,v 1.26 2009/09/29 15:06:07 fdupont Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <isc/assertions.h>
-#include <isc/backtrace.h>
-#include <isc/msgs.h>
-#include <isc/result.h>
-
-/*
- * The maximum number of stack frames to dump on assertion failure.
- */
-#ifndef BACKTRACE_MAXFRAME
-#define BACKTRACE_MAXFRAME 128
-#endif
-
-/*%
- * Forward.
- */
-static void
-default_callback(const char *, int, isc_assertiontype_t, const char *);
-
-static isc_assertioncallback_t isc_assertion_failed_cb = default_callback;
-
-/*%
- * Public.
- */
-
-/*% assertion failed handler */
-/* coverity[+kill] */
-void
-isc_assertion_failed(const char *file, int line, isc_assertiontype_t type,
-		     const char *cond)
-{
-	isc_assertion_failed_cb(file, line, type, cond);
-	abort();
-	/* NOTREACHED */
-}
-
-/*% Set callback. */
-void
-isc_assertion_setcallback(isc_assertioncallback_t cb) {
-	if (cb == NULL)
-		isc_assertion_failed_cb = default_callback;
-	else
-		isc_assertion_failed_cb = cb;
-}
-
-/*% Type to Text */
-const char *
-isc_assertion_typetotext(isc_assertiontype_t type) {
-	const char *result;
-
-	/*
-	 * These strings have purposefully not been internationalized
-	 * because they are considered to essentially be keywords of
-	 * the ISC development environment.
-	 */
-	switch (type) {
-	case isc_assertiontype_require:
-		result = "REQUIRE";
-		break;
-	case isc_assertiontype_ensure:
-		result = "ENSURE";
-		break;
-	case isc_assertiontype_insist:
-		result = "INSIST";
-		break;
-	case isc_assertiontype_invariant:
-		result = "INVARIANT";
-		break;
-	default:
-		result = NULL;
-	}
-	return (result);
-}
-
-/*
- * Private.
- */
-
-static void
-default_callback(const char *file, int line, isc_assertiontype_t type,
-		 const char *cond)
-{
-	void *tracebuf[BACKTRACE_MAXFRAME];
-	int i, nframes;
-	const char *logsuffix = ".";
-	const char *fname;
-	isc_result_t result;
-
-	result = isc_backtrace_gettrace(tracebuf, BACKTRACE_MAXFRAME, &nframes);
-		if (result == ISC_R_SUCCESS && nframes > 0)
-			logsuffix = ", back trace";
-
-	fprintf(stderr, "%s:%d: %s(%s) %s%s\n",
-		file, line, isc_assertion_typetotext(type), cond,
-		isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-			       ISC_MSG_FAILED, "failed"), logsuffix);
-	if (result == ISC_R_SUCCESS) {
-		for (i = 0; i < nframes; i++) {
-			unsigned long offset;
-
-			fname = NULL;
-			result = isc_backtrace_getsymbol(tracebuf[i], &fname,
-							 &offset);
-			if (result == ISC_R_SUCCESS) {
-				fprintf(stderr, "#%d %p in %s()+0x%lx\n", i,
-					tracebuf[i], fname, offset);
-			} else {
-				fprintf(stderr, "#%d %p in ??\n", i,
-					tracebuf[i]);
-			}
-		}
-	}
-	fflush(stderr);
-}
diff --git a/contrib/bind9/lib/isc/backtrace-emptytbl.c b/contrib/bind9/lib/isc/backtrace-emptytbl.c
deleted file mode 100644
index bd534d6..0000000
--- a/contrib/bind9/lib/isc/backtrace-emptytbl.c
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: backtrace-emptytbl.c,v 1.3 2009/09/01 20:13:44 each Exp $ */
-
-/*! \file */
-
-/*
- * This file defines an empty (default) symbol table used in backtrace.c
- * If the application wants to have a complete symbol table, it should redefine
- * isc__backtrace_symtable with the complete table in some way, and link the
- * version of the library not including this definition
- * (e.g. libisc-nosymbol.a).
- */
-
-#include <config.h>
-
-#include <isc/backtrace.h>
-
-const int isc__backtrace_nsymbols = 0;
-const isc_backtrace_symmap_t isc__backtrace_symtable[] = { { NULL, "" } };
diff --git a/contrib/bind9/lib/isc/backtrace.c b/contrib/bind9/lib/isc/backtrace.c
deleted file mode 100644
index d2f044c..0000000
--- a/contrib/bind9/lib/isc/backtrace.c
+++ /dev/null
@@ -1,285 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: backtrace.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#include "config.h"
-
-#include <string.h>
-#include <stdlib.h>
-#ifdef HAVE_LIBCTRACE
-#include <execinfo.h>
-#endif
-
-#include <isc/backtrace.h>
-#include <isc/result.h>
-#include <isc/util.h>
-
-#ifdef ISC_PLATFORM_USEBACKTRACE
-/*
- * Getting a back trace of a running process is tricky and highly platform
- * dependent.  Our current approach is as follows:
- * 1. If the system library supports the "backtrace()" function, use it.
- * 2. Otherwise, if the compiler is gcc and the architecture is x86_64 or IA64,
- *    then use gcc's (hidden) Unwind_Backtrace() function.  Note that this
- *    function doesn't work for C programs on many other architectures.
- * 3. Otherwise, if the architecture x86 or x86_64, try to unwind the stack
- *    frame following frame pointers.  This assumes the executable binary
- *    compiled with frame pointers; this is not always true for x86_64 (rather,
- *    compiler optimizations often disable frame pointers).  The validation
- *    checks in getnextframeptr() hopefully rejects bogus values stored in
- *    the RBP register in such a case.  If the backtrace function itself crashes
- *    due to this problem, the whole package should be rebuilt with
- *    --disable-backtrace.
- */
-#ifdef HAVE_LIBCTRACE
-#define BACKTRACE_LIBC
-#elif defined(__GNUC__) && (defined(__x86_64__) || defined(__ia64__))
-#define BACKTRACE_GCC
-#elif defined(__x86_64__) || defined(__i386__)
-#define BACKTRACE_X86STACK
-#else
-#define BACKTRACE_DISABLED
-#endif  /* HAVE_LIBCTRACE */
-#else	/* !ISC_PLATFORM_USEBACKTRACE */
-#define BACKTRACE_DISABLED
-#endif	/* ISC_PLATFORM_USEBACKTRACE */
-
-#ifdef BACKTRACE_LIBC
-isc_result_t
-isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
-	int n;
-
-	/*
-	 * Validate the arguments: intentionally avoid using REQUIRE().
-	 * See notes in backtrace.h.
-	 */
-	if (addrs == NULL || nframes == NULL)
-		return (ISC_R_FAILURE);
-
-	/*
-	 * backtrace(3) includes this function itself in the address array,
-	 * which should be eliminated from the returned sequence.
-	 */
-	n = backtrace(addrs, maxaddrs);
-	if (n < 2)
-		return (ISC_R_NOTFOUND);
-	n--;
-	memmove(addrs, &addrs[1], sizeof(void *) * n);
-	*nframes = n;
-	return (ISC_R_SUCCESS);
-}
-#elif defined(BACKTRACE_GCC)
-extern int _Unwind_Backtrace(void* fn, void* a);
-extern void* _Unwind_GetIP(void* ctx);
-
-typedef struct {
-	void **result;
-	int max_depth;
-	int skip_count;
-	int count;
-} trace_arg_t;
-
-static int
-btcallback(void *uc, void *opq) {
-	trace_arg_t *arg = (trace_arg_t *)opq;
-
-	if (arg->skip_count > 0)
-		arg->skip_count--;
-	else
-		arg->result[arg->count++] = (void *)_Unwind_GetIP(uc);
-	if (arg->count == arg->max_depth)
-		return (5); /* _URC_END_OF_STACK */
-
-	return (0); /* _URC_NO_REASON */
-}
-
-isc_result_t
-isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
-	trace_arg_t arg;
-
-	/* Argument validation: see above. */
-	if (addrs == NULL || nframes == NULL)
-		return (ISC_R_FAILURE);
-
-	arg.skip_count = 1;
-	arg.result = addrs;
-	arg.max_depth = maxaddrs;
-	arg.count = 0;
-	_Unwind_Backtrace(btcallback, &arg);
-
-	*nframes = arg.count;
-
-	return (ISC_R_SUCCESS);
-}
-#elif defined(BACKTRACE_X86STACK)
-#ifdef __x86_64__
-static unsigned long
-getrbp() {
-	__asm("movq %rbp, %rax\n");
-}
-#endif
-
-static void **
-getnextframeptr(void **sp) {
-	void **newsp = (void **)*sp;
-
-	/*
-	 * Perform sanity check for the new frame pointer, derived from
-	 * google glog.  This can actually be bogus depending on compiler.
-	 */
-
-	/* prohibit the stack frames from growing downwards */
-	if (newsp <= sp)
-		return (NULL);
-
-	/* A heuristics to reject "too large" frame: this actually happened. */
-	if ((char *)newsp - (char *)sp > 100000)
-		return (NULL);
-
-	/*
-	 * Not sure if other checks used in glog are needed at this moment.
-	 * For our purposes we don't have to consider non-contiguous frames,
-	 * for example.
-	 */
-
-	return (newsp);
-}
-
-isc_result_t
-isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
-	int i = 0;
-	void **sp;
-
-	/* Argument validation: see above. */
-	if (addrs == NULL || nframes == NULL)
-		return (ISC_R_FAILURE);
-
-#ifdef __x86_64__
-	sp = (void **)getrbp();
-	if (sp == NULL)
-		return (ISC_R_NOTFOUND);
-	/*
-	 * sp is the frame ptr of this function itself due to the call to
-	 * getrbp(), so need to unwind one frame for consistency.
-	 */
-	sp = getnextframeptr(sp);
-#else
-	/*
-	 * i386: the frame pointer is stored 2 words below the address for the
-	 * first argument.  Note that the body of this function cannot be
-	 * inlined since it depends on the address of the function argument.
-	 */
-	sp = (void **)&addrs - 2;
-#endif
-
-	while (sp != NULL && i < maxaddrs) {
-		addrs[i++] = *(sp + 1);
-		sp = getnextframeptr(sp);
-	}
-
-	*nframes = i;
-
-	return (ISC_R_SUCCESS);
-}
-#elif defined(BACKTRACE_DISABLED)
-isc_result_t
-isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
-	/* Argument validation: see above. */
-	if (addrs == NULL || nframes == NULL)
-		return (ISC_R_FAILURE);
-
-	UNUSED(maxaddrs);
-
-	return (ISC_R_NOTIMPLEMENTED);
-}
-#endif
-
-isc_result_t
-isc_backtrace_getsymbolfromindex(int index, const void **addrp,
-				 const char **symbolp)
-{
-	REQUIRE(addrp != NULL && *addrp == NULL);
-	REQUIRE(symbolp != NULL && *symbolp == NULL);
-
-	if (index < 0 || index >= isc__backtrace_nsymbols)
-		return (ISC_R_RANGE);
-
-	*addrp = isc__backtrace_symtable[index].addr;
-	*symbolp = isc__backtrace_symtable[index].symbol;
-	return (ISC_R_SUCCESS);
-}
-
-static int
-symtbl_compare(const void *addr, const void *entryarg) {
-	const isc_backtrace_symmap_t *entry = entryarg;
-	const isc_backtrace_symmap_t *end =
-		&isc__backtrace_symtable[isc__backtrace_nsymbols - 1];
-
-	if (isc__backtrace_nsymbols == 1 || entry == end) {
-		if (addr >= entry->addr) {
-			/*
-			 * If addr is equal to or larger than that of the last
-			 * entry of the table, we cannot be sure if this is
-			 * within a valid range so we consider it valid.
-			 */
-			return (0);
-		}
-		return (-1);
-	}
-
-	/* entry + 1 is a valid entry from now on. */
-	if (addr < entry->addr)
-		return (-1);
-	else if (addr >= (entry + 1)->addr)
-		return (1);
-	return (0);
-}
-
-isc_result_t
-isc_backtrace_getsymbol(const void *addr, const char **symbolp,
-			unsigned long *offsetp)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_backtrace_symmap_t *found;
-
-	/*
-	 * Validate the arguments: intentionally avoid using REQUIRE().
-	 * See notes in backtrace.h.
-	 */
-	if (symbolp == NULL || *symbolp != NULL || offsetp == NULL)
-		return (ISC_R_FAILURE);
-
-	if (isc__backtrace_nsymbols < 1)
-		return (ISC_R_NOTFOUND);
-
-	/*
-	 * Search the table for the entry that meets:
-	 * entry.addr <= addr < next_entry.addr.
-	 */
-	found = bsearch(addr, isc__backtrace_symtable, isc__backtrace_nsymbols,
-			sizeof(isc__backtrace_symtable[0]), symtbl_compare);
-	if (found == NULL)
-		result = ISC_R_NOTFOUND;
-	else {
-		*symbolp = found->symbol;
-		*offsetp = (const char *)addr - (char *)found->addr;
-	}
-
-	return (result);
-}
diff --git a/contrib/bind9/lib/isc/base32.c b/contrib/bind9/lib/isc/base32.c
deleted file mode 100644
index d25e3c4..0000000
--- a/contrib/bind9/lib/isc/base32.c
+++ /dev/null
@@ -1,373 +0,0 @@
-/*
- * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base32.c,v 1.6 2009/10/21 01:22:29 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/base32.h>
-#include <isc/buffer.h>
-#include <isc/lex.h>
-#include <isc/region.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#define RETERR(x) do { \
-	isc_result_t _r = (x); \
-	if (_r != ISC_R_SUCCESS) \
-		return (_r); \
-	} while (0)
-
-
-/*@{*/
-/*!
- * These static functions are also present in lib/dns/rdata.c.  I'm not
- * sure where they should go. -- bwelling
- */
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target);
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
-
-/*@}*/
-
-static const char base32[] =
-	 "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=abcdefghijklmnopqrstuvwxyz234567";
-static const char base32hex[] =
-	"0123456789ABCDEFGHIJKLMNOPQRSTUV=0123456789abcdefghijklmnopqrstuv";
-
-static isc_result_t
-base32_totext(isc_region_t *source, int wordlength, const char *wordbreak,
-	      isc_buffer_t *target, const char base[])
-{
-	char buf[9];
-	unsigned int loops = 0;
-
-	if (wordlength >= 0 && wordlength < 8)
-		wordlength = 8;
-
-	memset(buf, 0, sizeof(buf));
-	while (source->length > 0) {
-		buf[0] = base[((source->base[0]>>3)&0x1f)];	/* 5 + */
-		if (source->length == 1) {
-			buf[1] = base[(source->base[0]<<2)&0x1c];
-			buf[2] = buf[3] = buf[4] = '=';
-			buf[5] = buf[6] = buf[7] = '=';
-			RETERR(str_totext(buf, target));
-			break;
-		}
-		buf[1] = base[((source->base[0]<<2)&0x1c)|	/* 3 = 8 */
-			      ((source->base[1]>>6)&0x03)];	/* 2 + */
-		buf[2] = base[((source->base[1]>>1)&0x1f)];	/* 5 + */
-		if (source->length == 2) {
-			buf[3] = base[(source->base[1]<<4)&0x10];
-			buf[4] = buf[5] = buf[6] = buf[7] = '=';
-			RETERR(str_totext(buf, target));
-			break;
-		}
-		buf[3] = base[((source->base[1]<<4)&0x10)|	/* 1 = 8 */
-			      ((source->base[2]>>4)&0x0f)];	/* 4 + */
-		if (source->length == 3) {
-			buf[4] = base[(source->base[2]<<1)&0x1e];
-			buf[5] = buf[6] = buf[7] = '=';
-			RETERR(str_totext(buf, target));
-			break;
-		}
-		buf[4] = base[((source->base[2]<<1)&0x1e)|	/* 4 = 8 */
-			      ((source->base[3]>>7)&0x01)];	/* 1 + */
-		buf[5] = base[((source->base[3]>>2)&0x1f)];	/* 5 + */
-		if (source->length == 4) {
-			buf[6] = base[(source->base[3]<<3)&0x18];
-			buf[7] = '=';
-			RETERR(str_totext(buf, target));
-			break;
-		}
-		buf[6] = base[((source->base[3]<<3)&0x18)|	/* 2 = 8 */
-			      ((source->base[4]>>5)&0x07)];	/* 3 + */
-		buf[7] = base[source->base[4]&0x1f];		/* 5 = 8 */
-		RETERR(str_totext(buf, target));
-		isc_region_consume(source, 5);
-
-		loops++;
-		if (source->length != 0 && wordlength >= 0 &&
-		    (int)((loops + 1) * 8) >= wordlength)
-		{
-			loops = 0;
-			RETERR(str_totext(wordbreak, target));
-		}
-	}
-	if (source->length > 0)
-		isc_region_consume(source, source->length);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_base32_totext(isc_region_t *source, int wordlength,
-		  const char *wordbreak, isc_buffer_t *target)
-{
-	return (base32_totext(source, wordlength, wordbreak, target, base32));
-}
-
-isc_result_t
-isc_base32hex_totext(isc_region_t *source, int wordlength,
-		     const char *wordbreak, isc_buffer_t *target)
-{
-	return (base32_totext(source, wordlength, wordbreak, target,
-			      base32hex));
-}
-
-/*%
- * State of a base32 decoding process in progress.
- */
-typedef struct {
-	int length;		/*%< Desired length of binary data or -1 */
-	isc_buffer_t *target;	/*%< Buffer for resulting binary data */
-	int digits;		/*%< Number of buffered base32 digits */
-	isc_boolean_t seen_end;	/*%< True if "=" end marker seen */
-	int val[8];
-	const char *base;	/*%< Which encoding we are using */
-	int seen_32;		/*%< Number of significant bytes if non zero */
-} base32_decode_ctx_t;
-
-static inline void
-base32_decode_init(base32_decode_ctx_t *ctx, int length,
-		   const char base[], isc_buffer_t *target)
-{
-	ctx->digits = 0;
-	ctx->seen_end = ISC_FALSE;
-	ctx->seen_32 = 0;
-	ctx->length = length;
-	ctx->target = target;
-	ctx->base = base;
-}
-
-static inline isc_result_t
-base32_decode_char(base32_decode_ctx_t *ctx, int c) {
-	char *s;
-	unsigned int last;
-
-	if (ctx->seen_end)
-		return (ISC_R_BADBASE32);
-	if ((s = strchr(ctx->base, c)) == NULL)
-		return (ISC_R_BADBASE32);
-	last = s - ctx->base;
-	/*
-	 * Handle lower case.
-	 */
-	if (last > 32)
-		last -= 33;
-	/*
-	 * Check that padding is contiguous.
-	 */
-	if (last != 32 && ctx->seen_32 != 0)
-		return (ISC_R_BADBASE32);
-	/*
-	 * Check that padding starts at the right place and that
-	 * bits that should be zero are.
-	 * Record how many significant bytes in answer (seen_32).
-	 */
-	if (last == 32 && ctx->seen_32 == 0)
-		switch (ctx->digits) {
-		case 0:
-		case 1:
-			return (ISC_R_BADBASE32);
-		case 2:
-			if ((ctx->val[1]&0x03) != 0)
-				return (ISC_R_BADBASE32);
-			ctx->seen_32 = 1;
-			break;
-		case 3:
-			return (ISC_R_BADBASE32);
-		case 4:
-			if ((ctx->val[3]&0x0f) != 0)
-				return (ISC_R_BADBASE32);
-			ctx->seen_32 = 3;
-			break;
-		case 5:
-			if ((ctx->val[4]&0x01) != 0)
-				return (ISC_R_BADBASE32);
-			ctx->seen_32 = 3;
-			break;
-		case 6:
-			return (ISC_R_BADBASE32);
-		case 7:
-			if ((ctx->val[6]&0x07) != 0)
-				return (ISC_R_BADBASE32);
-			ctx->seen_32 = 4;
-			break;
-		}
-	/*
-	 * Zero fill pad values.
-	 */
-	ctx->val[ctx->digits++] = (last == 32) ? 0 : last;
-
-	if (ctx->digits == 8) {
-		int n = 5;
-		unsigned char buf[5];
-
-		if (ctx->seen_32 != 0) {
-			ctx->seen_end = ISC_TRUE;
-			n = ctx->seen_32;
-		}
-		buf[0] = (ctx->val[0]<<3)|(ctx->val[1]>>2);
-		buf[1] = (ctx->val[1]<<6)|(ctx->val[2]<<1)|(ctx->val[3]>>4);
-		buf[2] = (ctx->val[3]<<4)|(ctx->val[4]>>1);
-		buf[3] = (ctx->val[4]<<7)|(ctx->val[5]<<2)|(ctx->val[6]>>3);
-		buf[4] = (ctx->val[6]<<5)|(ctx->val[7]);
-		RETERR(mem_tobuffer(ctx->target, buf, n));
-		if (ctx->length >= 0) {
-			if (n > ctx->length)
-				return (ISC_R_BADBASE32);
-			else
-				ctx->length -= n;
-		}
-		ctx->digits = 0;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-base32_decode_finish(base32_decode_ctx_t *ctx) {
-	if (ctx->length > 0)
-		return (ISC_R_UNEXPECTEDEND);
-	if (ctx->digits != 0)
-		return (ISC_R_BADBASE32);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-base32_tobuffer(isc_lex_t *lexer, const char base[], isc_buffer_t *target,
-		int length)
-{
-	base32_decode_ctx_t ctx;
-	isc_textregion_t *tr;
-	isc_token_t token;
-	isc_boolean_t eol;
-
-	base32_decode_init(&ctx, length, base, target);
-
-	while (!ctx.seen_end && (ctx.length != 0)) {
-		unsigned int i;
-
-		if (length > 0)
-			eol = ISC_FALSE;
-		else
-			eol = ISC_TRUE;
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string, eol));
-		if (token.type != isc_tokentype_string)
-			break;
-		tr = &token.value.as_textregion;
-		for (i = 0; i < tr->length; i++)
-			RETERR(base32_decode_char(&ctx, tr->base[i]));
-	}
-	if (ctx.length < 0 && !ctx.seen_end)
-		isc_lex_ungettoken(lexer, &token);
-	RETERR(base32_decode_finish(&ctx));
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_base32_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
-	return (base32_tobuffer(lexer, base32, target, length));
-}
-
-isc_result_t
-isc_base32hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
-	return (base32_tobuffer(lexer, base32hex, target, length));
-}
-
-static isc_result_t
-base32_decodestring(const char *cstr, const char base[], isc_buffer_t *target) {
-	base32_decode_ctx_t ctx;
-
-	base32_decode_init(&ctx, -1, base, target);
-	for (;;) {
-		int c = *cstr++;
-		if (c == '\0')
-			break;
-		if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
-			continue;
-		RETERR(base32_decode_char(&ctx, c));
-	}
-	RETERR(base32_decode_finish(&ctx));
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_base32_decodestring(const char *cstr, isc_buffer_t *target) {
-	return (base32_decodestring(cstr, base32, target));
-}
-
-isc_result_t
-isc_base32hex_decodestring(const char *cstr, isc_buffer_t *target) {
-	return (base32_decodestring(cstr, base32hex, target));
-}
-
-static isc_result_t
-base32_decoderegion(isc_region_t *source, const char base[], isc_buffer_t *target) {
-	base32_decode_ctx_t ctx;
-
-	base32_decode_init(&ctx, -1, base, target);
-	while (source->length != 0) {
-		int c = *source->base;
-		RETERR(base32_decode_char(&ctx, c));
-		isc_region_consume(source, 1);
-	}
-	RETERR(base32_decode_finish(&ctx));
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_base32_decoderegion(isc_region_t *source, isc_buffer_t *target) {
-	return (base32_decoderegion(source, base32, target));
-}
-
-isc_result_t
-isc_base32hex_decoderegion(isc_region_t *source, isc_buffer_t *target) {
-	return (base32_decoderegion(source, base32hex, target));
-}
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
-	unsigned int l;
-	isc_region_t region;
-
-	isc_buffer_availableregion(target, &region);
-	l = strlen(source);
-
-	if (l > region.length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(region.base, source, l);
-	isc_buffer_add(target, l);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
-	isc_region_t tr;
-
-	isc_buffer_availableregion(target, &tr);
-	if (length > tr.length)
-		return (ISC_R_NOSPACE);
-	memcpy(tr.base, base, length);
-	isc_buffer_add(target, length);
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/base64.c b/contrib/bind9/lib/isc/base64.c
deleted file mode 100644
index bad1565..0000000
--- a/contrib/bind9/lib/isc/base64.c
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base64.c,v 1.34 2009/10/21 23:48:05 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/lex.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#define RETERR(x) do { \
-	isc_result_t _r = (x); \
-	if (_r != ISC_R_SUCCESS) \
-		return (_r); \
-	} while (0)
-
-
-/*@{*/
-/*!
- * These static functions are also present in lib/dns/rdata.c.  I'm not
- * sure where they should go. -- bwelling
- */
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target);
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
-
-static const char base64[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
-/*@}*/
-
-isc_result_t
-isc_base64_totext(isc_region_t *source, int wordlength,
-		  const char *wordbreak, isc_buffer_t *target)
-{
-	char buf[5];
-	unsigned int loops = 0;
-
-	if (wordlength < 4)
-		wordlength = 4;
-
-	memset(buf, 0, sizeof(buf));
-	while (source->length > 2) {
-		buf[0] = base64[(source->base[0]>>2)&0x3f];
-		buf[1] = base64[((source->base[0]<<4)&0x30)|
-				((source->base[1]>>4)&0x0f)];
-		buf[2] = base64[((source->base[1]<<2)&0x3c)|
-				((source->base[2]>>6)&0x03)];
-		buf[3] = base64[source->base[2]&0x3f];
-		RETERR(str_totext(buf, target));
-		isc_region_consume(source, 3);
-
-		loops++;
-		if (source->length != 0 &&
-		    (int)((loops + 1) * 4) >= wordlength)
-		{
-			loops = 0;
-			RETERR(str_totext(wordbreak, target));
-		}
-	}
-	if (source->length == 2) {
-		buf[0] = base64[(source->base[0]>>2)&0x3f];
-		buf[1] = base64[((source->base[0]<<4)&0x30)|
-				((source->base[1]>>4)&0x0f)];
-		buf[2] = base64[((source->base[1]<<2)&0x3c)];
-		buf[3] = '=';
-		RETERR(str_totext(buf, target));
-		isc_region_consume(source, 2);
-	} else if (source->length == 1) {
-		buf[0] = base64[(source->base[0]>>2)&0x3f];
-		buf[1] = base64[((source->base[0]<<4)&0x30)];
-		buf[2] = buf[3] = '=';
-		RETERR(str_totext(buf, target));
-		isc_region_consume(source, 1);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * State of a base64 decoding process in progress.
- */
-typedef struct {
-	int length;		/*%< Desired length of binary data or -1 */
-	isc_buffer_t *target;	/*%< Buffer for resulting binary data */
-	int digits;		/*%< Number of buffered base64 digits */
-	isc_boolean_t seen_end;	/*%< True if "=" end marker seen */
-	int val[4];
-} base64_decode_ctx_t;
-
-static inline void
-base64_decode_init(base64_decode_ctx_t *ctx, int length, isc_buffer_t *target)
-{
-	ctx->digits = 0;
-	ctx->seen_end = ISC_FALSE;
-	ctx->length = length;
-	ctx->target = target;
-}
-
-static inline isc_result_t
-base64_decode_char(base64_decode_ctx_t *ctx, int c) {
-	char *s;
-
-	if (ctx->seen_end)
-		return (ISC_R_BADBASE64);
-	if ((s = strchr(base64, c)) == NULL)
-		return (ISC_R_BADBASE64);
-	ctx->val[ctx->digits++] = s - base64;
-	if (ctx->digits == 4) {
-		int n;
-		unsigned char buf[3];
-		if (ctx->val[0] == 64 || ctx->val[1] == 64)
-			return (ISC_R_BADBASE64);
-		if (ctx->val[2] == 64 && ctx->val[3] != 64)
-			return (ISC_R_BADBASE64);
-		/*
-		 * Check that bits that should be zero are.
-		 */
-		if (ctx->val[2] == 64 && (ctx->val[1] & 0xf) != 0)
-			return (ISC_R_BADBASE64);
-		/*
-		 * We don't need to test for ctx->val[2] != 64 as
-		 * the bottom two bits of 64 are zero.
-		 */
-		if (ctx->val[3] == 64 && (ctx->val[2] & 0x3) != 0)
-			return (ISC_R_BADBASE64);
-		n = (ctx->val[2] == 64) ? 1 :
-			(ctx->val[3] == 64) ? 2 : 3;
-		if (n != 3) {
-			ctx->seen_end = ISC_TRUE;
-			if (ctx->val[2] == 64)
-				ctx->val[2] = 0;
-			if (ctx->val[3] == 64)
-				ctx->val[3] = 0;
-		}
-		buf[0] = (ctx->val[0]<<2)|(ctx->val[1]>>4);
-		buf[1] = (ctx->val[1]<<4)|(ctx->val[2]>>2);
-		buf[2] = (ctx->val[2]<<6)|(ctx->val[3]);
-		RETERR(mem_tobuffer(ctx->target, buf, n));
-		if (ctx->length >= 0) {
-			if (n > ctx->length)
-				return (ISC_R_BADBASE64);
-			else
-				ctx->length -= n;
-		}
-		ctx->digits = 0;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-base64_decode_finish(base64_decode_ctx_t *ctx) {
-	if (ctx->length > 0)
-		return (ISC_R_UNEXPECTEDEND);
-	if (ctx->digits != 0)
-		return (ISC_R_BADBASE64);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
-	base64_decode_ctx_t ctx;
-	isc_textregion_t *tr;
-	isc_token_t token;
-	isc_boolean_t eol;
-
-	base64_decode_init(&ctx, length, target);
-
-	while (!ctx.seen_end && (ctx.length != 0)) {
-		unsigned int i;
-
-		if (length > 0)
-			eol = ISC_FALSE;
-		else
-			eol = ISC_TRUE;
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string, eol));
-		if (token.type != isc_tokentype_string)
-			break;
-		tr = &token.value.as_textregion;
-		for (i = 0; i < tr->length; i++)
-			RETERR(base64_decode_char(&ctx, tr->base[i]));
-	}
-	if (ctx.length < 0 && !ctx.seen_end)
-		isc_lex_ungettoken(lexer, &token);
-	RETERR(base64_decode_finish(&ctx));
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_base64_decodestring(const char *cstr, isc_buffer_t *target) {
-	base64_decode_ctx_t ctx;
-
-	base64_decode_init(&ctx, -1, target);
-	for (;;) {
-		int c = *cstr++;
-		if (c == '\0')
-			break;
-		if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
-			continue;
-		RETERR(base64_decode_char(&ctx, c));
-	}
-	RETERR(base64_decode_finish(&ctx));
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
-	unsigned int l;
-	isc_region_t region;
-
-	isc_buffer_availableregion(target, &region);
-	l = strlen(source);
-
-	if (l > region.length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(region.base, source, l);
-	isc_buffer_add(target, l);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
-	isc_region_t tr;
-
-	isc_buffer_availableregion(target, &tr);
-	if (length > tr.length)
-		return (ISC_R_NOSPACE);
-	memcpy(tr.base, base, length);
-	isc_buffer_add(target, length);
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/bitstring.c b/contrib/bind9/lib/isc/bitstring.c
deleted file mode 100644
index 33c7c1f..0000000
--- a/contrib/bind9/lib/isc/bitstring.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bitstring.c,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/magic.h>
-#include <isc/bitstring.h>
-#include <isc/util.h>
-
-#define DIV8(x)			((x) >> 3)
-#define MOD8(x)			((x) & 0x00000007U)
-#define OCTETS(n)		(((n) + 7) >> 3)
-#define PADDED(n)		((((n) + 7) >> 3) << 3)
-#define BITSET(bs, n) 		(((bs)->data[DIV8(n)] & \
-				 (1 << (7 - MOD8(n)))) != 0)
-#define SETBIT(bs, n)		(bs)->data[DIV8(n)] |= (1 << (7 - MOD8(n)))
-#define CLEARBIT(bs, n)		(bs)->data[DIV8(n)] &= ~(1 << (7 - MOD8(n)))
-
-#define BITSTRING_MAGIC		ISC_MAGIC('B', 'S', 't', 'r')
-#define VALID_BITSTRING(b)	ISC_MAGIC_VALID(b, BITSTRING_MAGIC)
-
-void
-isc_bitstring_init(isc_bitstring_t *bitstring, unsigned char *data,
-		   unsigned int length, unsigned int size, isc_boolean_t lsb0)
-{
-	/*
-	 * Make 'bitstring' refer to the bitstring of 'size' bits starting
-	 * at 'data'.  'length' bits of the bitstring are valid.  If 'lsb0'
-	 * is set then, bit 0 refers to the least significant bit of the
-	 * bitstring.  Otherwise bit 0 is the most significant bit.
-	 */
-
-	REQUIRE(bitstring != NULL);
-	REQUIRE(data != NULL);
-	REQUIRE(length <= size);
-
-	bitstring->magic = BITSTRING_MAGIC;
-	bitstring->data = data;
-	bitstring->length = length;
-	bitstring->size = size;
-	bitstring->lsb0 = lsb0;
-}
-
-void
-isc_bitstring_invalidate(isc_bitstring_t *bitstring) {
-
-	/*
-	 * Invalidate 'bitstring'.
-	 */
-
-	REQUIRE(VALID_BITSTRING(bitstring));
-
-	bitstring->magic = 0;
-	bitstring->data = NULL;
-	bitstring->length = 0;
-	bitstring->size = 0;
-	bitstring->lsb0 = ISC_FALSE;
-}
-
-void
-isc_bitstring_copy(isc_bitstring_t *source, unsigned int sbitpos,
-		   isc_bitstring_t *target, unsigned int tbitpos,
-		   unsigned int n)
-{
-	unsigned int tlast;
-
-	/*
-	 * Starting at bit 'sbitpos', copy 'n' bits from 'source' to
-	 * the 'n' bits of 'target' starting at 'tbitpos'.
-	 */
-
-	REQUIRE(VALID_BITSTRING(source));
-	REQUIRE(VALID_BITSTRING(target));
-	REQUIRE(source->lsb0 == target->lsb0);
-	if (source->lsb0) {
-		REQUIRE(sbitpos <= source->length);
-		sbitpos = PADDED(source->size) - sbitpos;
-		REQUIRE(sbitpos >= n);
-		sbitpos -= n;
-	} else
-		REQUIRE(sbitpos + n <= source->length);
-	tlast = tbitpos + n;
-	if (target->lsb0) {
-		REQUIRE(tbitpos <= target->length);
-		tbitpos = PADDED(target->size) - tbitpos;
-		REQUIRE(tbitpos >= n);
-		tbitpos -= n;
-	} else
-		REQUIRE(tlast <= target->size);
-
-	if (tlast > target->length)
-		target->length = tlast;
-
-	/*
-	 * This is far from optimal...
-	 */
-
-	while (n > 0) {
-		if (BITSET(source, sbitpos))
-			SETBIT(target, tbitpos);
-		else
-			CLEARBIT(target, tbitpos);
-		sbitpos++;
-		tbitpos++;
-		n--;
-	}
-}
diff --git a/contrib/bind9/lib/isc/buffer.c b/contrib/bind9/lib/isc/buffer.c
deleted file mode 100644
index e37af15..0000000
--- a/contrib/bind9/lib/isc/buffer.c
+++ /dev/null
@@ -1,489 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: buffer.c,v 1.49 2008/09/25 04:02:39 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-void
-isc__buffer_init(isc_buffer_t *b, void *base, unsigned int length) {
-	/*
-	 * Make 'b' refer to the 'length'-byte region starting at 'base'.
-	 * XXXDCL see the comment in buffer.h about base being const.
-	 */
-
-	REQUIRE(b != NULL);
-
-	ISC__BUFFER_INIT(b, base, length);
-}
-
-void
-isc__buffer_initnull(isc_buffer_t *b) {
-	/*
-	 * Initialize a new buffer which has no backing store.  This can
-	 * later be grown as needed and swapped in place.
-	 */
-
-	ISC__BUFFER_INIT(b, NULL, 0);
-}
-
-void
-isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length) {
-	/*
-	 * Re-initialize the buffer enough to reconfigure the base of the
-	 * buffer.  We will swap in the new buffer, after copying any
-	 * data we contain into the new buffer and adjusting all of our
-	 * internal pointers.
-	 *
-	 * The buffer must not be smaller than the length of the original
-	 * buffer.
-	 */
-	REQUIRE(b->length <= length);
-	REQUIRE(base != NULL);
-
-	(void)memmove(base, b->base, b->length);
-	b->base = base;
-	b->length = length;
-}
-
-void
-isc__buffer_invalidate(isc_buffer_t *b) {
-	/*
-	 * Make 'b' an invalid buffer.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(!ISC_LINK_LINKED(b, link));
-	REQUIRE(b->mctx == NULL);
-
-	ISC__BUFFER_INVALIDATE(b);
-}
-
-void
-isc__buffer_region(isc_buffer_t *b, isc_region_t *r) {
-	/*
-	 * Make 'r' refer to the region of 'b'.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(r != NULL);
-
-	ISC__BUFFER_REGION(b, r);
-}
-
-void
-isc__buffer_usedregion(isc_buffer_t *b, isc_region_t *r) {
-	/*
-	 * Make 'r' refer to the used region of 'b'.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(r != NULL);
-
-	ISC__BUFFER_USEDREGION(b, r);
-}
-
-void
-isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r) {
-	/*
-	 * Make 'r' refer to the available region of 'b'.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(r != NULL);
-
-	ISC__BUFFER_AVAILABLEREGION(b, r);
-}
-
-void
-isc__buffer_add(isc_buffer_t *b, unsigned int n) {
-	/*
-	 * Increase the 'used' region of 'b' by 'n' bytes.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used + n <= b->length);
-
-	ISC__BUFFER_ADD(b, n);
-}
-
-void
-isc__buffer_subtract(isc_buffer_t *b, unsigned int n) {
-	/*
-	 * Decrease the 'used' region of 'b' by 'n' bytes.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used >= n);
-
-	ISC__BUFFER_SUBTRACT(b, n);
-}
-
-void
-isc__buffer_clear(isc_buffer_t *b) {
-	/*
-	 * Make the used region empty.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-
-	ISC__BUFFER_CLEAR(b);
-}
-
-void
-isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r) {
-	/*
-	 * Make 'r' refer to the consumed region of 'b'.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(r != NULL);
-
-	ISC__BUFFER_CONSUMEDREGION(b, r);
-}
-
-void
-isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r) {
-	/*
-	 * Make 'r' refer to the remaining region of 'b'.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(r != NULL);
-
-	ISC__BUFFER_REMAININGREGION(b, r);
-}
-
-void
-isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r) {
-	/*
-	 * Make 'r' refer to the active region of 'b'.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(r != NULL);
-
-	ISC__BUFFER_ACTIVEREGION(b, r);
-}
-
-void
-isc__buffer_setactive(isc_buffer_t *b, unsigned int n) {
-	/*
-	 * Sets the end of the active region 'n' bytes after current.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->current + n <= b->used);
-
-	ISC__BUFFER_SETACTIVE(b, n);
-}
-
-void
-isc__buffer_first(isc_buffer_t *b) {
-	/*
-	 * Make the consumed region empty.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-
-	ISC__BUFFER_FIRST(b);
-}
-
-void
-isc__buffer_forward(isc_buffer_t *b, unsigned int n) {
-	/*
-	 * Increase the 'consumed' region of 'b' by 'n' bytes.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->current + n <= b->used);
-
-	ISC__BUFFER_FORWARD(b, n);
-}
-
-void
-isc__buffer_back(isc_buffer_t *b, unsigned int n) {
-	/*
-	 * Decrease the 'consumed' region of 'b' by 'n' bytes.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(n <= b->current);
-
-	ISC__BUFFER_BACK(b, n);
-}
-
-void
-isc_buffer_compact(isc_buffer_t *b) {
-	unsigned int length;
-	void *src;
-
-	/*
-	 * Compact the used region by moving the remaining region so it occurs
-	 * at the start of the buffer.  The used region is shrunk by the size
-	 * of the consumed region, and the consumed region is then made empty.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-
-	src = isc_buffer_current(b);
-	length = isc_buffer_remaininglength(b);
-	(void)memmove(b->base, src, (size_t)length);
-
-	if (b->active > b->current)
-		b->active -= b->current;
-	else
-		b->active = 0;
-	b->current = 0;
-	b->used = length;
-}
-
-isc_uint8_t
-isc_buffer_getuint8(isc_buffer_t *b) {
-	unsigned char *cp;
-	isc_uint8_t result;
-
-	/*
-	 * Read an unsigned 8-bit integer from 'b' and return it.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used - b->current >= 1);
-
-	cp = isc_buffer_current(b);
-	b->current += 1;
-	result = ((isc_uint8_t)(cp[0]));
-
-	return (result);
-}
-
-void
-isc__buffer_putuint8(isc_buffer_t *b, isc_uint8_t val) {
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used + 1 <= b->length);
-
-	ISC__BUFFER_PUTUINT8(b, val);
-}
-
-isc_uint16_t
-isc_buffer_getuint16(isc_buffer_t *b) {
-	unsigned char *cp;
-	isc_uint16_t result;
-
-	/*
-	 * Read an unsigned 16-bit integer in network byte order from 'b',
-	 * convert it to host byte order, and return it.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used - b->current >= 2);
-
-	cp = isc_buffer_current(b);
-	b->current += 2;
-	result = ((unsigned int)(cp[0])) << 8;
-	result |= ((unsigned int)(cp[1]));
-
-	return (result);
-}
-
-void
-isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val) {
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used + 2 <= b->length);
-
-	ISC__BUFFER_PUTUINT16(b, val);
-}
-
-void
-isc__buffer_putuint24(isc_buffer_t *b, isc_uint32_t val) {
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used + 3 <= b->length);
-
-	ISC__BUFFER_PUTUINT24(b, val);
-}
-
-isc_uint32_t
-isc_buffer_getuint32(isc_buffer_t *b) {
-	unsigned char *cp;
-	isc_uint32_t result;
-
-	/*
-	 * Read an unsigned 32-bit integer in network byte order from 'b',
-	 * convert it to host byte order, and return it.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used - b->current >= 4);
-
-	cp = isc_buffer_current(b);
-	b->current += 4;
-	result = ((unsigned int)(cp[0])) << 24;
-	result |= ((unsigned int)(cp[1])) << 16;
-	result |= ((unsigned int)(cp[2])) << 8;
-	result |= ((unsigned int)(cp[3]));
-
-	return (result);
-}
-
-void
-isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val) {
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used + 4 <= b->length);
-
-	ISC__BUFFER_PUTUINT32(b, val);
-}
-
-isc_uint64_t
-isc_buffer_getuint48(isc_buffer_t *b) {
-	unsigned char *cp;
-	isc_uint64_t result;
-
-	/*
-	 * Read an unsigned 48-bit integer in network byte order from 'b',
-	 * convert it to host byte order, and return it.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used - b->current >= 6);
-
-	cp = isc_buffer_current(b);
-	b->current += 6;
-	result = ((isc_int64_t)(cp[0])) << 40;
-	result |= ((isc_int64_t)(cp[1])) << 32;
-	result |= ((isc_int64_t)(cp[2])) << 24;
-	result |= ((isc_int64_t)(cp[3])) << 16;
-	result |= ((isc_int64_t)(cp[4])) << 8;
-	result |= ((isc_int64_t)(cp[5]));
-
-	return (result);
-}
-
-void
-isc__buffer_putuint48(isc_buffer_t *b, isc_uint64_t val) {
-	isc_uint16_t valhi;
-	isc_uint32_t vallo;
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used + 6 <= b->length);
-
-	valhi = (isc_uint16_t)(val >> 32);
-	vallo = (isc_uint32_t)(val & 0xFFFFFFFF);
-	ISC__BUFFER_PUTUINT16(b, valhi);
-	ISC__BUFFER_PUTUINT32(b, vallo);
-}
-
-void
-isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
-		   unsigned int length)
-{
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(b->used + length <= b->length);
-
-	ISC__BUFFER_PUTMEM(b, base, length);
-}
-
-void
-isc__buffer_putstr(isc_buffer_t *b, const char *source) {
-	unsigned int l;
-	unsigned char *cp;
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(source != NULL);
-
-	/*
-	 * Do not use ISC__BUFFER_PUTSTR(), so strlen is only done once.
-	 */
-	l = strlen(source);
-
-	REQUIRE(l <= isc_buffer_availablelength(b));
-
-	cp = isc_buffer_used(b);
-	memcpy(cp, source, l);
-	b->used += l;
-}
-
-isc_result_t
-isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r) {
-	unsigned char *base;
-	unsigned int available;
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-	REQUIRE(r != NULL);
-
-	/*
-	 * XXXDCL
-	 */
-	base = isc_buffer_used(b);
-	available = isc_buffer_availablelength(b);
-	if (r->length > available)
-		return (ISC_R_NOSPACE);
-	memcpy(base, r->base, r->length);
-	b->used += r->length;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
-		    unsigned int length)
-{
-	isc_buffer_t *dbuf;
-
-	REQUIRE(dynbuffer != NULL);
-	REQUIRE(*dynbuffer == NULL);
-
-	dbuf = isc_mem_get(mctx, length + sizeof(isc_buffer_t));
-	if (dbuf == NULL)
-		return (ISC_R_NOMEMORY);
-
-	isc_buffer_init(dbuf, ((unsigned char *)dbuf) + sizeof(isc_buffer_t),
-			length);
-	dbuf->mctx = mctx;
-
-	*dynbuffer = dbuf;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_buffer_free(isc_buffer_t **dynbuffer) {
-	unsigned int real_length;
-	isc_buffer_t *dbuf;
-	isc_mem_t *mctx;
-
-	REQUIRE(dynbuffer != NULL);
-	REQUIRE(ISC_BUFFER_VALID(*dynbuffer));
-	REQUIRE((*dynbuffer)->mctx != NULL);
-
-	dbuf = *dynbuffer;
-	*dynbuffer = NULL;	/* destroy external reference */
-
-	real_length = dbuf->length + sizeof(isc_buffer_t);
-	mctx = dbuf->mctx;
-	dbuf->mctx = NULL;
-	isc_buffer_invalidate(dbuf);
-
-	isc_mem_put(mctx, dbuf, real_length);
-}
diff --git a/contrib/bind9/lib/isc/bufferlist.c b/contrib/bind9/lib/isc/bufferlist.c
deleted file mode 100644
index 0e5c125..0000000
--- a/contrib/bind9/lib/isc/bufferlist.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bufferlist.c,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/buffer.h>
-#include <isc/bufferlist.h>
-#include <isc/util.h>
-
-unsigned int
-isc_bufferlist_usedcount(isc_bufferlist_t *bl) {
-	isc_buffer_t *buffer;
-	unsigned int length;
-
-	REQUIRE(bl != NULL);
-
-	length = 0;
-	buffer = ISC_LIST_HEAD(*bl);
-	while (buffer != NULL) {
-		REQUIRE(ISC_BUFFER_VALID(buffer));
-		length += isc_buffer_usedlength(buffer);
-		buffer = ISC_LIST_NEXT(buffer, link);
-	}
-
-	return (length);
-}
-
-unsigned int
-isc_bufferlist_availablecount(isc_bufferlist_t *bl) {
-	isc_buffer_t *buffer;
-	unsigned int length;
-
-	REQUIRE(bl != NULL);
-
-	length = 0;
-	buffer = ISC_LIST_HEAD(*bl);
-	while (buffer != NULL) {
-		REQUIRE(ISC_BUFFER_VALID(buffer));
-		length += isc_buffer_availablelength(buffer);
-		buffer = ISC_LIST_NEXT(buffer, link);
-	}
-
-	return (length);
-}
diff --git a/contrib/bind9/lib/isc/commandline.c b/contrib/bind9/lib/isc/commandline.c
deleted file mode 100644
index aca1203..0000000
--- a/contrib/bind9/lib/isc/commandline.c
+++ /dev/null
@@ -1,225 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1987, 1993, 1994
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: commandline.c,v 1.22 2008/09/25 04:02:39 tbox Exp $ */
-
-/*! \file
- * This file was adapted from the NetBSD project's source tree, RCS ID:
- *    NetBSD: getopt.c,v 1.15 1999/09/20 04:39:37 lukem Exp
- *
- * The primary change has been to rename items to the ISC namespace
- * and format in the ISC coding style.
- */
-
-/*
- * \author Principal Authors: Computer Systems Research Group at UC Berkeley
- * \author Principal ISC caretaker: DCL
- */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include <isc/commandline.h>
-#include <isc/msgs.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-/*% Index into parent argv vector. */
-LIBISC_EXTERNAL_DATA int isc_commandline_index = 1;
-/*% Character checked for validity. */
-LIBISC_EXTERNAL_DATA int isc_commandline_option;
-/*% Argument associated with option. */
-LIBISC_EXTERNAL_DATA char *isc_commandline_argument;
-/*% For printing error messages. */
-LIBISC_EXTERNAL_DATA char *isc_commandline_progname;
-/*% Print error messages. */
-LIBISC_EXTERNAL_DATA isc_boolean_t isc_commandline_errprint = ISC_TRUE;
-/*% Reset processing. */
-LIBISC_EXTERNAL_DATA isc_boolean_t isc_commandline_reset = ISC_TRUE;
-
-static char endopt = '\0';
-
-#define	BADOPT	'?'
-#define	BADARG	':'
-#define ENDOPT  &endopt
-
-/*!
- * getopt --
- *	Parse argc/argv argument vector.
- */
-int
-isc_commandline_parse(int argc, char * const *argv, const char *options) {
-	static char *place = ENDOPT;
-	char *option;			/* Index into *options of option. */
-
-	REQUIRE(argc >= 0 && argv != NULL && options != NULL);
-
-	/*
-	 * Update scanning pointer, either because a reset was requested or
-	 * the previous argv was finished.
-	 */
-	if (isc_commandline_reset || *place == '\0') {
-		if (isc_commandline_reset) {
-			isc_commandline_index = 1;
-			isc_commandline_reset = ISC_FALSE;
-		}
-
-		if (isc_commandline_progname == NULL)
-			isc_commandline_progname = argv[0];
-
-		if (isc_commandline_index >= argc ||
-		    *(place = argv[isc_commandline_index]) != '-') {
-			/*
-			 * Index out of range or points to non-option.
-			 */
-			place = ENDOPT;
-			return (-1);
-		}
-
-		if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
-			/*
-			 * Found '--' to signal end of options.  Advance
-			 * index to next argv, the first non-option.
-			 */
-			isc_commandline_index++;
-			place = ENDOPT;
-			return (-1);
-		}
-	}
-
-	isc_commandline_option = *place++;
-	option = strchr(options, isc_commandline_option);
-
-	/*
-	 * Ensure valid option has been passed as specified by options string.
-	 * '-:' is never a valid command line option because it could not
-	 * distinguish ':' from the argument specifier in the options string.
-	 */
-	if (isc_commandline_option == ':' || option == NULL) {
-		if (*place == '\0')
-			isc_commandline_index++;
-
-		if (isc_commandline_errprint && *options != ':')
-			fprintf(stderr, "%s: %s -- %c\n",
-				isc_commandline_progname,
-				isc_msgcat_get(isc_msgcat,
-					       ISC_MSGSET_COMMANDLINE,
-					       ISC_MSG_ILLEGALOPT,
-					       "illegal option"),
-				isc_commandline_option);
-
-		return (BADOPT);
-	}
-
-	if (*++option != ':') {
-		/*
-		 * Option does not take an argument.
-		 */
-		isc_commandline_argument = NULL;
-
-		/*
-		 * Skip to next argv if at the end of the current argv.
-		 */
-		if (*place == '\0')
-			++isc_commandline_index;
-
-	} else {
-		/*
-		 * Option needs an argument.
-		 */
-		if (*place != '\0')
-			/*
-			 * Option is in this argv, -D1 style.
-			 */
-			isc_commandline_argument = place;
-
-		else if (argc > ++isc_commandline_index)
-			/*
-			 * Option is next argv, -D 1 style.
-			 */
-			isc_commandline_argument = argv[isc_commandline_index];
-
-		else {
-			/*
-			 * Argument needed, but no more argv.
-			 */
-			place = ENDOPT;
-
-			/*
-			 * Silent failure with "missing argument" return
-			 * when ':' starts options string, per historical spec.
-			 */
-			if (*options == ':')
-				return (BADARG);
-
-			if (isc_commandline_errprint)
-				fprintf(stderr, "%s: %s -- %c\n",
-					isc_commandline_progname,
-					isc_msgcat_get(isc_msgcat,
-						       ISC_MSGSET_COMMANDLINE,
-						       ISC_MSG_OPTNEEDARG,
-						       "option requires "
-						       "an argument"),
-					isc_commandline_option);
-
-			return (BADOPT);
-		}
-
-		place = ENDOPT;
-
-		/*
-		 * Point to argv that follows argument.
-		 */
-		isc_commandline_index++;
-	}
-
-	return (isc_commandline_option);
-}
diff --git a/contrib/bind9/lib/isc/entropy.c b/contrib/bind9/lib/isc/entropy.c
deleted file mode 100644
index da9e81f..0000000
--- a/contrib/bind9/lib/isc/entropy.c
+++ /dev/null
@@ -1,1277 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: entropy.c,v 1.22 2010/08/10 23:48:19 tbox Exp $ */
-
-/*! \file
- * \brief
- * This is the system independent part of the entropy module.  It is
- * compiled via inclusion from the relevant OS source file, ie,
- * \link unix/entropy.c unix/entropy.c \endlink or win32/entropy.c.
- *
- * \author Much of this code is modeled after the NetBSD /dev/random implementation,
- * written by Michael Graff <explorer@netbsd.org>.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-
-#include <isc/buffer.h>
-#include <isc/entropy.h>
-#include <isc/keyboard.h>
-#include <isc/list.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/mutex.h>
-#include <isc/platform.h>
-#include <isc/region.h>
-#include <isc/sha1.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-
-#define ENTROPY_MAGIC		ISC_MAGIC('E', 'n', 't', 'e')
-#define SOURCE_MAGIC		ISC_MAGIC('E', 'n', 't', 's')
-
-#define VALID_ENTROPY(e)	ISC_MAGIC_VALID(e, ENTROPY_MAGIC)
-#define VALID_SOURCE(s)		ISC_MAGIC_VALID(s, SOURCE_MAGIC)
-
-/***
- *** "constants."  Do not change these unless you _really_ know what
- *** you are doing.
- ***/
-
-/*%
- * Size of entropy pool in 32-bit words.  This _MUST_ be a power of 2.
- */
-#define RND_POOLWORDS	128
-/*% Pool in bytes. */
-#define RND_POOLBYTES	(RND_POOLWORDS * 4)
-/*% Pool in bits. */
-#define RND_POOLBITS	(RND_POOLWORDS * 32)
-
-/*%
- * Number of bytes returned per hash.  This must be true:
- *	threshold * 2 <= digest_size_in_bytes
- */
-#define RND_ENTROPY_THRESHOLD	10
-#define THRESHOLD_BITS		(RND_ENTROPY_THRESHOLD * 8)
-
-/*%
- * Size of the input event queue in samples.
- */
-#define RND_EVENTQSIZE	32
-
-/*%
- * The number of times we'll "reseed" for pseudorandom seeds.  This is an
- * extremely weak pseudorandom seed.  If the caller is using lots of
- * pseudorandom data and they cannot provide a stronger random source,
- * there is little we can do other than hope they're smart enough to
- * call _adddata() with something better than we can come up with.
- */
-#define RND_INITIALIZE	128
-
-/*% Entropy Pool */
-typedef struct {
-	isc_uint32_t	cursor;		/*%< current add point in the pool */
-	isc_uint32_t	entropy;	/*%< current entropy estimate in bits */
-	isc_uint32_t	pseudo;		/*%< bits extracted in pseudorandom */
-	isc_uint32_t	rotate;		/*%< how many bits to rotate by */
-	isc_uint32_t	pool[RND_POOLWORDS];	/*%< random pool data */
-} isc_entropypool_t;
-
-struct isc_entropy {
-	unsigned int			magic;
-	isc_mem_t		       *mctx;
-	isc_mutex_t			lock;
-	unsigned int			refcnt;
-	isc_uint32_t			initialized;
-	isc_uint32_t			initcount;
-	isc_entropypool_t		pool;
-	unsigned int			nsources;
-	isc_entropysource_t	       *nextsource;
-	ISC_LIST(isc_entropysource_t)	sources;
-};
-
-/*% Sample Queue */
-typedef struct {
-	isc_uint32_t	last_time;	/*%< last time recorded */
-	isc_uint32_t	last_delta;	/*%< last delta value */
-	isc_uint32_t	last_delta2;	/*%< last delta2 value */
-	isc_uint32_t	nsamples;	/*%< number of samples filled in */
-	isc_uint32_t   *samples;	/*%< the samples */
-	isc_uint32_t   *extra;		/*%< extra samples added in */
-} sample_queue_t;
-
-typedef struct {
-	sample_queue_t	samplequeue;
-} isc_entropysamplesource_t;
-
-typedef struct {
-	isc_boolean_t		start_called;
-	isc_entropystart_t	startfunc;
-	isc_entropyget_t	getfunc;
-	isc_entropystop_t	stopfunc;
-	void		       *arg;
-	sample_queue_t		samplequeue;
-} isc_cbsource_t;
-
-typedef struct {
-	FILESOURCE_HANDLE_TYPE handle;
-} isc_entropyfilesource_t;
-
-struct isc_entropysource {
-	unsigned int	magic;
-	unsigned int	type;
-	isc_entropy_t  *ent;
-	isc_uint32_t	total;		/*%< entropy from this source */
-	ISC_LINK(isc_entropysource_t)	link;
-	char		name[32];
-	isc_boolean_t	bad;
-	isc_boolean_t	warn_keyboard;
-	isc_keyboard_t	kbd;
-	union {
-		isc_entropysamplesource_t	sample;
-		isc_entropyfilesource_t		file;
-		isc_cbsource_t			callback;
-		isc_entropyusocketsource_t	usocket;
-	} sources;
-};
-
-#define ENTROPY_SOURCETYPE_SAMPLE	1	/*%< Type is a sample source */
-#define ENTROPY_SOURCETYPE_FILE		2	/*%< Type is a file source */
-#define ENTROPY_SOURCETYPE_CALLBACK	3	/*%< Type is a callback source */
-#define ENTROPY_SOURCETYPE_USOCKET	4	/*%< Type is a Unix socket source */
-
-/*@{*/
-/*%
- * The random pool "taps"
- */
-#define TAP1	99
-#define TAP2	59
-#define TAP3	31
-#define TAP4	 9
-#define TAP5	 7
-/*@}*/
-
-/*@{*/
-/*%
- * Declarations for function provided by the system dependent sources that
- * include this file.
- */
-static void
-fillpool(isc_entropy_t *, unsigned int, isc_boolean_t);
-
-static int
-wait_for_sources(isc_entropy_t *);
-
-static void
-destroyfilesource(isc_entropyfilesource_t *source);
-
-static void
-destroyusocketsource(isc_entropyusocketsource_t *source);
-
-/*@}*/
-
-static void
-samplequeue_release(isc_entropy_t *ent, sample_queue_t *sq) {
-	REQUIRE(sq->samples != NULL);
-	REQUIRE(sq->extra != NULL);
-
-	isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4);
-	isc_mem_put(ent->mctx, sq->extra, RND_EVENTQSIZE * 4);
-	sq->samples = NULL;
-	sq->extra = NULL;
-}
-
-static isc_result_t
-samplesource_allocate(isc_entropy_t *ent, sample_queue_t *sq) {
-	sq->samples = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4);
-	if (sq->samples == NULL)
-		return (ISC_R_NOMEMORY);
-
-	sq->extra = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4);
-	if (sq->extra == NULL) {
-		isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4);
-		sq->samples = NULL;
-		return (ISC_R_NOMEMORY);
-	}
-
-	sq->nsamples = 0;
-
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Add in entropy, even when the value we're adding in could be
- * very large.
- */
-static inline void
-add_entropy(isc_entropy_t *ent, isc_uint32_t entropy) {
-	/* clamp input.  Yes, this must be done. */
-	entropy = ISC_MIN(entropy, RND_POOLBITS);
-	/* Add in the entropy we already have. */
-	entropy += ent->pool.entropy;
-	/* Clamp. */
-	ent->pool.entropy = ISC_MIN(entropy, RND_POOLBITS);
-}
-
-/*%
- * Decrement the amount of entropy the pool has.
- */
-static inline void
-subtract_entropy(isc_entropy_t *ent, isc_uint32_t entropy) {
-	entropy = ISC_MIN(entropy, ent->pool.entropy);
-	ent->pool.entropy -= entropy;
-}
-
-/*!
- * Add in entropy, even when the value we're adding in could be
- * very large.
- */
-static inline void
-add_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) {
-	/* clamp input.  Yes, this must be done. */
-	pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8);
-	/* Add in the pseudo we already have. */
-	pseudo += ent->pool.pseudo;
-	/* Clamp. */
-	ent->pool.pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8);
-}
-
-/*!
- * Decrement the amount of pseudo the pool has.
- */
-static inline void
-subtract_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) {
-	pseudo = ISC_MIN(pseudo, ent->pool.pseudo);
-	ent->pool.pseudo -= pseudo;
-}
-
-/*!
- * Add one word to the pool, rotating the input as needed.
- */
-static inline void
-entropypool_add_word(isc_entropypool_t *rp, isc_uint32_t val) {
-	/*
-	 * Steal some values out of the pool, and xor them into the
-	 * word we were given.
-	 *
-	 * Mix the new value into the pool using xor.  This will
-	 * prevent the actual values from being known to the caller
-	 * since the previous values are assumed to be unknown as well.
-	 */
-	val ^= rp->pool[(rp->cursor + TAP1) & (RND_POOLWORDS - 1)];
-	val ^= rp->pool[(rp->cursor + TAP2) & (RND_POOLWORDS - 1)];
-	val ^= rp->pool[(rp->cursor + TAP3) & (RND_POOLWORDS - 1)];
-	val ^= rp->pool[(rp->cursor + TAP4) & (RND_POOLWORDS - 1)];
-	val ^= rp->pool[(rp->cursor + TAP5) & (RND_POOLWORDS - 1)];
-	if (rp->rotate == 0)
-		rp->pool[rp->cursor++] ^= val;
-	else
-		rp->pool[rp->cursor++] ^=
-		  ((val << rp->rotate) | (val >> (32 - rp->rotate)));
-
-	/*
-	 * If we have looped around the pool, increment the rotate
-	 * variable so the next value will get xored in rotated to
-	 * a different position.
-	 * Increment by a value that is relatively prime to the word size
-	 * to try to spread the bits throughout the pool quickly when the
-	 * pool is empty.
-	 */
-	if (rp->cursor == RND_POOLWORDS) {
-		rp->cursor = 0;
-		rp->rotate = (rp->rotate + 7) & 31;
-	}
-}
-
-/*!
- * Add a buffer's worth of data to the pool.
- *
- * Requires that the lock is held on the entropy pool.
- */
-static void
-entropypool_adddata(isc_entropy_t *ent, void *p, unsigned int len,
-		    isc_uint32_t entropy)
-{
-	isc_uint32_t val;
-	unsigned long addr;
-	isc_uint8_t *buf;
-
-	addr = (unsigned long)p;
-	buf = p;
-
-	if ((addr & 0x03U) != 0U) {
-		val = 0;
-		switch (len) {
-		case 3:
-			val = *buf++;
-			len--;
-		case 2:
-			val = val << 8 | *buf++;
-			len--;
-		case 1:
-			val = val << 8 | *buf++;
-			len--;
-		}
-
-		entropypool_add_word(&ent->pool, val);
-	}
-
-	for (; len > 3; len -= 4) {
-		val = *((isc_uint32_t *)buf);
-
-		entropypool_add_word(&ent->pool, val);
-		buf += 4;
-	}
-
-	if (len != 0) {
-		val = 0;
-		switch (len) {
-		case 3:
-			val = *buf++;
-		case 2:
-			val = val << 8 | *buf++;
-		case 1:
-			val = val << 8 | *buf++;
-		}
-
-		entropypool_add_word(&ent->pool, val);
-	}
-
-	add_entropy(ent, entropy);
-	subtract_pseudo(ent, entropy);
-}
-
-static inline void
-reseed(isc_entropy_t *ent) {
-	isc_time_t t;
-	pid_t pid;
-
-	if (ent->initcount == 0) {
-		pid = getpid();
-		entropypool_adddata(ent, &pid, sizeof(pid), 0);
-		pid = getppid();
-		entropypool_adddata(ent, &pid, sizeof(pid), 0);
-	}
-
-	/*!
-	 * After we've reseeded 100 times, only add new timing info every
-	 * 50 requests.  This will keep us from using lots and lots of
-	 * CPU just to return bad pseudorandom data anyway.
-	 */
-	if (ent->initcount > 100)
-		if ((ent->initcount % 50) != 0)
-			return;
-
-	TIME_NOW(&t);
-	entropypool_adddata(ent, &t, sizeof(t), 0);
-	ent->initcount++;
-}
-
-static inline unsigned int
-estimate_entropy(sample_queue_t *sq, isc_uint32_t t) {
-	isc_int32_t		delta;
-	isc_int32_t		delta2;
-	isc_int32_t		delta3;
-
-	/*!
-	 * If the time counter has overflowed, calculate the real difference.
-	 * If it has not, it is simpler.
-	 */
-	if (t < sq->last_time)
-		delta = UINT_MAX - sq->last_time + t;
-	else
-		delta = sq->last_time - t;
-
-	if (delta < 0)
-		delta = -delta;
-
-	/*
-	 * Calculate the second and third order differentials
-	 */
-	delta2 = sq->last_delta - delta;
-	if (delta2 < 0)
-		delta2 = -delta2;
-
-	delta3 = sq->last_delta2 - delta2;
-	if (delta3 < 0)
-		delta3 = -delta3;
-
-	sq->last_time = t;
-	sq->last_delta = delta;
-	sq->last_delta2 = delta2;
-
-	/*
-	 * If any delta is 0, we got no entropy.  If all are non-zero, we
-	 * might have something.
-	 */
-	if (delta == 0 || delta2 == 0 || delta3 == 0)
-		return 0;
-
-	/*
-	 * We could find the smallest delta and claim we got log2(delta)
-	 * bits, but for now return that we found 1 bit.
-	 */
-	return 1;
-}
-
-static unsigned int
-crunchsamples(isc_entropy_t *ent, sample_queue_t *sq) {
-	unsigned int ns;
-	unsigned int added;
-
-	if (sq->nsamples < 6)
-		return (0);
-
-	added = 0;
-	sq->last_time = sq->samples[0];
-	sq->last_delta = 0;
-	sq->last_delta2 = 0;
-
-	/*
-	 * Prime the values by adding in the first 4 samples in.  This
-	 * should completely initialize the delta calculations.
-	 */
-	for (ns = 0; ns < 4; ns++)
-		(void)estimate_entropy(sq, sq->samples[ns]);
-
-	for (ns = 4; ns < sq->nsamples; ns++)
-		added += estimate_entropy(sq, sq->samples[ns]);
-
-	entropypool_adddata(ent, sq->samples, sq->nsamples * 4, added);
-	entropypool_adddata(ent, sq->extra, sq->nsamples * 4, 0);
-
-	/*
-	 * Move the last 4 samples into the first 4 positions, and start
-	 * adding new samples from that point.
-	 */
-	for (ns = 0; ns < 4; ns++) {
-		sq->samples[ns] = sq->samples[sq->nsamples - 4 + ns];
-		sq->extra[ns] = sq->extra[sq->nsamples - 4 + ns];
-	}
-
-	sq->nsamples = 4;
-
-	return (added);
-}
-
-static unsigned int
-get_from_callback(isc_entropysource_t *source, unsigned int desired,
-		  isc_boolean_t blocking)
-{
-	isc_entropy_t *ent = source->ent;
-	isc_cbsource_t *cbs = &source->sources.callback;
-	unsigned int added;
-	unsigned int got;
-	isc_result_t result;
-
-	if (desired == 0)
-		return (0);
-
-	if (source->bad)
-		return (0);
-
-	if (!cbs->start_called && cbs->startfunc != NULL) {
-		result = cbs->startfunc(source, cbs->arg, blocking);
-		if (result != ISC_R_SUCCESS)
-			return (0);
-		cbs->start_called = ISC_TRUE;
-	}
-
-	added = 0;
-	result = ISC_R_SUCCESS;
-	while (desired > 0 && result == ISC_R_SUCCESS) {
-		result = cbs->getfunc(source, cbs->arg, blocking);
-		if (result == ISC_R_QUEUEFULL) {
-			got = crunchsamples(ent, &cbs->samplequeue);
-			added += got;
-			desired -= ISC_MIN(got, desired);
-			result = ISC_R_SUCCESS;
-		} else if (result != ISC_R_SUCCESS &&
-			   result != ISC_R_NOTBLOCKING)
-			source->bad = ISC_TRUE;
-
-	}
-
-	return (added);
-}
-
-/*
- * Extract some number of bytes from the random pool, decreasing the
- * estimate of randomness as each byte is extracted.
- *
- * Do this by stiring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
- *
- * Honor the request from the caller to only return good data, any data,
- * etc.
- */
-isc_result_t
-isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
-		    unsigned int *returned, unsigned int flags)
-{
-	unsigned int i;
-	isc_sha1_t hash;
-	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-	isc_uint32_t remain, deltae, count, total;
-	isc_uint8_t *buf;
-	isc_boolean_t goodonly, partial, blocking;
-
-	REQUIRE(VALID_ENTROPY(ent));
-	REQUIRE(data != NULL);
-	REQUIRE(length > 0);
-
-	goodonly = ISC_TF((flags & ISC_ENTROPY_GOODONLY) != 0);
-	partial = ISC_TF((flags & ISC_ENTROPY_PARTIAL) != 0);
-	blocking = ISC_TF((flags & ISC_ENTROPY_BLOCKING) != 0);
-
-	REQUIRE(!partial || returned != NULL);
-
-	LOCK(&ent->lock);
-
-	remain = length;
-	buf = data;
-	total = 0;
-	while (remain != 0) {
-		count = ISC_MIN(remain, RND_ENTROPY_THRESHOLD);
-
-		/*
-		 * If we are extracting good data only, make certain we
-		 * have enough data in our pool for this pass.  If we don't,
-		 * get some, and fail if we can't, and partial returns
-		 * are not ok.
-		 */
-		if (goodonly) {
-			unsigned int fillcount;
-
-			fillcount = ISC_MAX(remain * 8, count * 8);
-
-			/*
-			 * If, however, we have at least THRESHOLD_BITS
-			 * of entropy in the pool, don't block here.  It is
-			 * better to drain the pool once in a while and
-			 * then refill it than it is to constantly keep the
-			 * pool full.
-			 */
-			if (ent->pool.entropy >= THRESHOLD_BITS)
-				fillpool(ent, fillcount, ISC_FALSE);
-			else
-				fillpool(ent, fillcount, blocking);
-
-			/*
-			 * Verify that we got enough entropy to do one
-			 * extraction.  If we didn't, bail.
-			 */
-			if (ent->pool.entropy < THRESHOLD_BITS) {
-				if (!partial)
-					goto zeroize;
-				else
-					goto partial_output;
-			}
-		} else {
-			/*
-			 * If we've extracted half our pool size in bits
-			 * since the last refresh, try to refresh here.
-			 */
-			if (ent->initialized < THRESHOLD_BITS)
-				fillpool(ent, THRESHOLD_BITS, blocking);
-			else
-				fillpool(ent, 0, ISC_FALSE);
-
-			/*
-			 * If we've not initialized with enough good random
-			 * data, seed with our crappy code.
-			 */
-			if (ent->initialized < THRESHOLD_BITS)
-				reseed(ent);
-		}
-
-		isc_sha1_init(&hash);
-		isc_sha1_update(&hash, (void *)(ent->pool.pool),
-				RND_POOLBYTES);
-		isc_sha1_final(&hash, digest);
-
-		/*
-		 * Stir the extracted data (all of it) back into the pool.
-		 */
-		entropypool_adddata(ent, digest, ISC_SHA1_DIGESTLENGTH, 0);
-
-		for (i = 0; i < count; i++)
-			buf[i] = digest[i] ^ digest[i + RND_ENTROPY_THRESHOLD];
-
-		buf += count;
-		remain -= count;
-
-		deltae = count * 8;
-		deltae = ISC_MIN(deltae, ent->pool.entropy);
-		total += deltae;
-		subtract_entropy(ent, deltae);
-		add_pseudo(ent, count * 8);
-	}
-
- partial_output:
-	memset(digest, 0, sizeof(digest));
-
-	if (returned != NULL)
-		*returned = (length - remain);
-
-	UNLOCK(&ent->lock);
-
-	return (ISC_R_SUCCESS);
-
- zeroize:
-	/* put the entropy we almost extracted back */
-	add_entropy(ent, total);
-	memset(data, 0, length);
-	memset(digest, 0, sizeof(digest));
-	if (returned != NULL)
-		*returned = 0;
-
-	UNLOCK(&ent->lock);
-
-	return (ISC_R_NOENTROPY);
-}
-
-static void
-isc_entropypool_init(isc_entropypool_t *pool) {
-	pool->cursor = RND_POOLWORDS - 1;
-	pool->entropy = 0;
-	pool->pseudo = 0;
-	pool->rotate = 0;
-	memset(pool->pool, 0, RND_POOLBYTES);
-}
-
-static void
-isc_entropypool_invalidate(isc_entropypool_t *pool) {
-	pool->cursor = 0;
-	pool->entropy = 0;
-	pool->pseudo = 0;
-	pool->rotate = 0;
-	memset(pool->pool, 0, RND_POOLBYTES);
-}
-
-isc_result_t
-isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
-	isc_result_t result;
-	isc_entropy_t *ent;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(entp != NULL && *entp == NULL);
-
-	ent = isc_mem_get(mctx, sizeof(isc_entropy_t));
-	if (ent == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/*
-	 * We need a lock.
-	 */
-	result = isc_mutex_init(&ent->lock);
-	if (result != ISC_R_SUCCESS)
-		goto errout;
-
-	/*
-	 * From here down, no failures will/can occur.
-	 */
-	ISC_LIST_INIT(ent->sources);
-	ent->nextsource = NULL;
-	ent->nsources = 0;
-	ent->mctx = NULL;
-	isc_mem_attach(mctx, &ent->mctx);
-	ent->refcnt = 1;
-	ent->initialized = 0;
-	ent->initcount = 0;
-	ent->magic = ENTROPY_MAGIC;
-
-	isc_entropypool_init(&ent->pool);
-
-	*entp = ent;
-	return (ISC_R_SUCCESS);
-
- errout:
-	isc_mem_put(mctx, ent, sizeof(isc_entropy_t));
-
-	return (result);
-}
-
-/*!
- * Requires "ent" be locked.
- */
-static void
-destroysource(isc_entropysource_t **sourcep) {
-	isc_entropysource_t *source;
-	isc_entropy_t *ent;
-	isc_cbsource_t *cbs;
-
-	source = *sourcep;
-	*sourcep = NULL;
-	ent = source->ent;
-
-	ISC_LIST_UNLINK(ent->sources, source, link);
-	ent->nextsource = NULL;
-	REQUIRE(ent->nsources > 0);
-	ent->nsources--;
-
-	switch (source->type) {
-	case ENTROPY_SOURCETYPE_FILE:
-		if (! source->bad)
-			destroyfilesource(&source->sources.file);
-		break;
-	case ENTROPY_SOURCETYPE_USOCKET:
-		if (! source->bad)
-			destroyusocketsource(&source->sources.usocket);
-		break;
-	case ENTROPY_SOURCETYPE_SAMPLE:
-		samplequeue_release(ent, &source->sources.sample.samplequeue);
-		break;
-	case ENTROPY_SOURCETYPE_CALLBACK:
-		cbs = &source->sources.callback;
-		if (cbs->start_called && cbs->stopfunc != NULL) {
-			cbs->stopfunc(source, cbs->arg);
-			cbs->start_called = ISC_FALSE;
-		}
-		samplequeue_release(ent, &cbs->samplequeue);
-		break;
-	}
-
-	memset(source, 0, sizeof(isc_entropysource_t));
-
-	isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
-}
-
-static inline isc_boolean_t
-destroy_check(isc_entropy_t *ent) {
-	isc_entropysource_t *source;
-
-	if (ent->refcnt > 0)
-		return (ISC_FALSE);
-
-	source = ISC_LIST_HEAD(ent->sources);
-	while (source != NULL) {
-		switch (source->type) {
-		case ENTROPY_SOURCETYPE_FILE:
-		case ENTROPY_SOURCETYPE_USOCKET:
-			break;
-		default:
-			return (ISC_FALSE);
-		}
-		source = ISC_LIST_NEXT(source, link);
-	}
-
-	return (ISC_TRUE);
-}
-
-static void
-destroy(isc_entropy_t **entp) {
-	isc_entropy_t *ent;
-	isc_entropysource_t *source;
-	isc_mem_t *mctx;
-
-	REQUIRE(entp != NULL && *entp != NULL);
-	ent = *entp;
-	*entp = NULL;
-
-	LOCK(&ent->lock);
-
-	REQUIRE(ent->refcnt == 0);
-
-	/*
-	 * Here, detach non-sample sources.
-	 */
-	source = ISC_LIST_HEAD(ent->sources);
-	while (source != NULL) {
-		switch(source->type) {
-		case ENTROPY_SOURCETYPE_FILE:
-		case ENTROPY_SOURCETYPE_USOCKET:
-			destroysource(&source);
-			break;
-		}
-		source = ISC_LIST_HEAD(ent->sources);
-	}
-
-	/*
-	 * If there are other types of sources, we've found a bug.
-	 */
-	REQUIRE(ISC_LIST_EMPTY(ent->sources));
-
-	mctx = ent->mctx;
-
-	isc_entropypool_invalidate(&ent->pool);
-
-	UNLOCK(&ent->lock);
-
-	DESTROYLOCK(&ent->lock);
-
-	memset(ent, 0, sizeof(isc_entropy_t));
-	isc_mem_put(mctx, ent, sizeof(isc_entropy_t));
-	isc_mem_detach(&mctx);
-}
-
-void
-isc_entropy_destroysource(isc_entropysource_t **sourcep) {
-	isc_entropysource_t *source;
-	isc_entropy_t *ent;
-	isc_boolean_t killit;
-
-	REQUIRE(sourcep != NULL);
-	REQUIRE(VALID_SOURCE(*sourcep));
-
-	source = *sourcep;
-	*sourcep = NULL;
-
-	ent = source->ent;
-	REQUIRE(VALID_ENTROPY(ent));
-
-	LOCK(&ent->lock);
-
-	destroysource(&source);
-
-	killit = destroy_check(ent);
-
-	UNLOCK(&ent->lock);
-
-	if (killit)
-		destroy(&ent);
-}
-
-isc_result_t
-isc_entropy_createcallbacksource(isc_entropy_t *ent,
-				 isc_entropystart_t start,
-				 isc_entropyget_t get,
-				 isc_entropystop_t stop,
-				 void *arg,
-				 isc_entropysource_t **sourcep)
-{
-	isc_result_t result;
-	isc_entropysource_t *source;
-	isc_cbsource_t *cbs;
-
-	REQUIRE(VALID_ENTROPY(ent));
-	REQUIRE(get != NULL);
-	REQUIRE(sourcep != NULL && *sourcep == NULL);
-
-	LOCK(&ent->lock);
-
-	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
-	if (source == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto errout;
-	}
-	source->bad = ISC_FALSE;
-
-	cbs = &source->sources.callback;
-
-	result = samplesource_allocate(ent, &cbs->samplequeue);
-	if (result != ISC_R_SUCCESS)
-		goto errout;
-
-	cbs->start_called = ISC_FALSE;
-	cbs->startfunc = start;
-	cbs->getfunc = get;
-	cbs->stopfunc = stop;
-	cbs->arg = arg;
-
-	/*
-	 * From here down, no failures can occur.
-	 */
-	source->magic = SOURCE_MAGIC;
-	source->type = ENTROPY_SOURCETYPE_CALLBACK;
-	source->ent = ent;
-	source->total = 0;
-	memset(source->name, 0, sizeof(source->name));
-	ISC_LINK_INIT(source, link);
-
-	/*
-	 * Hook it into the entropy system.
-	 */
-	ISC_LIST_APPEND(ent->sources, source, link);
-	ent->nsources++;
-
-	*sourcep = source;
-
-	UNLOCK(&ent->lock);
-	return (ISC_R_SUCCESS);
-
- errout:
-	if (source != NULL)
-		isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
-
-	UNLOCK(&ent->lock);
-
-	return (result);
-}
-
-void
-isc_entropy_stopcallbacksources(isc_entropy_t *ent) {
-	isc_entropysource_t *source;
-	isc_cbsource_t *cbs;
-
-	REQUIRE(VALID_ENTROPY(ent));
-
-	LOCK(&ent->lock);
-
-	source = ISC_LIST_HEAD(ent->sources);
-	while (source != NULL) {
-		if (source->type == ENTROPY_SOURCETYPE_CALLBACK) {
-			cbs = &source->sources.callback;
-			if (cbs->start_called && cbs->stopfunc != NULL) {
-				cbs->stopfunc(source, cbs->arg);
-				cbs->start_called = ISC_FALSE;
-			}
-		}
-
-		source = ISC_LIST_NEXT(source, link);
-	}
-
-	UNLOCK(&ent->lock);
-}
-
-isc_result_t
-isc_entropy_createsamplesource(isc_entropy_t *ent,
-			       isc_entropysource_t **sourcep)
-{
-	isc_result_t result;
-	isc_entropysource_t *source;
-	sample_queue_t *sq;
-
-	REQUIRE(VALID_ENTROPY(ent));
-	REQUIRE(sourcep != NULL && *sourcep == NULL);
-
-	LOCK(&ent->lock);
-
-	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
-	if (source == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto errout;
-	}
-
-	sq = &source->sources.sample.samplequeue;
-	result = samplesource_allocate(ent, sq);
-	if (result != ISC_R_SUCCESS)
-		goto errout;
-
-	/*
-	 * From here down, no failures can occur.
-	 */
-	source->magic = SOURCE_MAGIC;
-	source->type = ENTROPY_SOURCETYPE_SAMPLE;
-	source->ent = ent;
-	source->total = 0;
-	memset(source->name, 0, sizeof(source->name));
-	ISC_LINK_INIT(source, link);
-
-	/*
-	 * Hook it into the entropy system.
-	 */
-	ISC_LIST_APPEND(ent->sources, source, link);
-	ent->nsources++;
-
-	*sourcep = source;
-
-	UNLOCK(&ent->lock);
-	return (ISC_R_SUCCESS);
-
- errout:
-	if (source != NULL)
-		isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
-
-	UNLOCK(&ent->lock);
-
-	return (result);
-}
-
-/*!
- * Add a sample, and return ISC_R_SUCCESS if the queue has become full,
- * ISC_R_NOENTROPY if it has space remaining, and ISC_R_NOMORE if the
- * queue was full when this function was called.
- */
-static isc_result_t
-addsample(sample_queue_t *sq, isc_uint32_t sample, isc_uint32_t extra) {
-	if (sq->nsamples >= RND_EVENTQSIZE)
-		return (ISC_R_NOMORE);
-
-	sq->samples[sq->nsamples] = sample;
-	sq->extra[sq->nsamples] = extra;
-	sq->nsamples++;
-
-	if (sq->nsamples >= RND_EVENTQSIZE)
-		return (ISC_R_QUEUEFULL);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample,
-		      isc_uint32_t extra)
-{
-	isc_entropy_t *ent;
-	sample_queue_t *sq;
-	unsigned int entropy;
-	isc_result_t result;
-
-	REQUIRE(VALID_SOURCE(source));
-
-	ent = source->ent;
-
-	LOCK(&ent->lock);
-
-	sq = &source->sources.sample.samplequeue;
-	result = addsample(sq, sample, extra);
-	if (result == ISC_R_QUEUEFULL) {
-		entropy = crunchsamples(ent, sq);
-		add_entropy(ent, entropy);
-	}
-
-	UNLOCK(&ent->lock);
-
-	return (result);
-}
-
-isc_result_t
-isc_entropy_addcallbacksample(isc_entropysource_t *source, isc_uint32_t sample,
-			      isc_uint32_t extra)
-{
-	sample_queue_t *sq;
-	isc_result_t result;
-
-	REQUIRE(VALID_SOURCE(source));
-	REQUIRE(source->type == ENTROPY_SOURCETYPE_CALLBACK);
-
-	sq = &source->sources.callback.samplequeue;
-	result = addsample(sq, sample, extra);
-
-	return (result);
-}
-
-void
-isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
-		    isc_uint32_t entropy)
-{
-	REQUIRE(VALID_ENTROPY(ent));
-
-	LOCK(&ent->lock);
-
-	entropypool_adddata(ent, data, length, entropy);
-
-	if (ent->initialized < THRESHOLD_BITS)
-		ent->initialized = THRESHOLD_BITS;
-
-	UNLOCK(&ent->lock);
-}
-
-static void
-dumpstats(isc_entropy_t *ent, FILE *out) {
-	fprintf(out,
-		isc_msgcat_get(isc_msgcat, ISC_MSGSET_ENTROPY,
-			       ISC_MSG_ENTROPYSTATS,
-			       "Entropy pool %p:  refcnt %u cursor %u,"
-			       " rotate %u entropy %u pseudo %u nsources %u"
-			       " nextsource %p initialized %u initcount %u\n"),
-		ent, ent->refcnt,
-		ent->pool.cursor, ent->pool.rotate,
-		ent->pool.entropy, ent->pool.pseudo,
-		ent->nsources, ent->nextsource, ent->initialized,
-		ent->initcount);
-}
-
-/*
- * This function ignores locking.  Use at your own risk.
- */
-void
-isc_entropy_stats(isc_entropy_t *ent, FILE *out) {
-	REQUIRE(VALID_ENTROPY(ent));
-
-	LOCK(&ent->lock);
-	dumpstats(ent, out);
-	UNLOCK(&ent->lock);
-}
-
-unsigned int
-isc_entropy_status(isc_entropy_t *ent) {
-	unsigned int estimate;
-
-	LOCK(&ent->lock);
-	estimate = ent->pool.entropy;
-	UNLOCK(&ent->lock);
-
-	return estimate;
-}
-
-void
-isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp) {
-	REQUIRE(VALID_ENTROPY(ent));
-	REQUIRE(entp != NULL && *entp == NULL);
-
-	LOCK(&ent->lock);
-
-	ent->refcnt++;
-	*entp = ent;
-
-	UNLOCK(&ent->lock);
-}
-
-void
-isc_entropy_detach(isc_entropy_t **entp) {
-	isc_entropy_t *ent;
-	isc_boolean_t killit;
-
-	REQUIRE(entp != NULL && VALID_ENTROPY(*entp));
-	ent = *entp;
-	*entp = NULL;
-
-	LOCK(&ent->lock);
-
-	REQUIRE(ent->refcnt > 0);
-	ent->refcnt--;
-
-	killit = destroy_check(ent);
-
-	UNLOCK(&ent->lock);
-
-	if (killit)
-		destroy(&ent);
-}
-
-static isc_result_t
-kbdstart(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) {
-	/*
-	 * The intent of "first" is to provide a warning message only once
-	 * during the run of a program that might try to gather keyboard
-	 * entropy multiple times.
-	 */
-	static isc_boolean_t first = ISC_TRUE;
-
-	UNUSED(arg);
-
-	if (! blocking)
-		return (ISC_R_NOENTROPY);
-
-	if (first) {
-		if (source->warn_keyboard)
-			fprintf(stderr, "You must use the keyboard to create "
-				"entropy, since your system is lacking\n"
-				"/dev/random (or equivalent)\n\n");
-		first = ISC_FALSE;
-	}
-	fprintf(stderr, "start typing:\n");
-
-	return (isc_keyboard_open(&source->kbd));
-}
-
-static void
-kbdstop(isc_entropysource_t *source, void *arg) {
-
-	UNUSED(arg);
-
-	if (! isc_keyboard_canceled(&source->kbd))
-		fprintf(stderr, "stop typing.\r\n");
-
-	(void)isc_keyboard_close(&source->kbd, 3);
-}
-
-static isc_result_t
-kbdget(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) {
-	isc_result_t result;
-	isc_time_t t;
-	isc_uint32_t sample;
-	isc_uint32_t extra;
-	unsigned char c;
-
-	UNUSED(arg);
-
-	if (!blocking)
-		return (ISC_R_NOTBLOCKING);
-
-	result = isc_keyboard_getchar(&source->kbd, &c);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	TIME_NOW(&t);
-
-	sample = isc_time_nanoseconds(&t);
-	extra = c;
-
-	result = isc_entropy_addcallbacksample(source, sample, extra);
-	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "\r\n");
-		return (result);
-	}
-
-	fprintf(stderr, ".");
-	fflush(stderr);
-
-	return (result);
-}
-
-isc_result_t
-isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
-			  const char *randomfile, int use_keyboard)
-{
-	isc_result_t result;
-	isc_result_t final_result = ISC_R_NOENTROPY;
-	isc_boolean_t userfile = ISC_TRUE;
-
-	REQUIRE(VALID_ENTROPY(ectx));
-	REQUIRE(source != NULL && *source == NULL);
-	REQUIRE(use_keyboard == ISC_ENTROPY_KEYBOARDYES ||
-		use_keyboard == ISC_ENTROPY_KEYBOARDNO  ||
-		use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE);
-
-#ifdef PATH_RANDOMDEV
-	if (randomfile == NULL) {
-		randomfile = PATH_RANDOMDEV;
-		userfile = ISC_FALSE;
-	}
-#endif
-
-	if (randomfile != NULL && use_keyboard != ISC_ENTROPY_KEYBOARDYES) {
-		result = isc_entropy_createfilesource(ectx, randomfile);
-		if (result == ISC_R_SUCCESS &&
-		    use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE)
-			use_keyboard = ISC_ENTROPY_KEYBOARDNO;
-		if (result != ISC_R_SUCCESS && userfile)
-			return (result);
-
-		final_result = result;
-	}
-
-	if (use_keyboard != ISC_ENTROPY_KEYBOARDNO) {
-		result = isc_entropy_createcallbacksource(ectx, kbdstart,
-							  kbdget, kbdstop,
-							  NULL, source);
-		if (result == ISC_R_SUCCESS)
-			(*source)->warn_keyboard =
-				ISC_TF(use_keyboard ==
-				       ISC_ENTROPY_KEYBOARDMAYBE);
-
-		if (final_result != ISC_R_SUCCESS)
-			final_result = result;
-	}
-
-	/*
-	 * final_result is ISC_R_SUCCESS if at least one source of entropy
-	 * could be started, otherwise it is the error from the most recently
-	 * failed operation (or ISC_R_NOENTROPY if PATH_RANDOMDEV is not
-	 * defined and use_keyboard is ISC_ENTROPY_KEYBOARDNO).
-	 */
-	return (final_result);
-}
diff --git a/contrib/bind9/lib/isc/error.c b/contrib/bind9/lib/isc/error.c
deleted file mode 100644
index 095100a..0000000
--- a/contrib/bind9/lib/isc/error.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: error.c,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <isc/error.h>
-#include <isc/msgs.h>
-
-/*% Default unexpected callback. */
-static void
-default_unexpected_callback(const char *, int, const char *, va_list)
-     ISC_FORMAT_PRINTF(3, 0);
-
-/*% Default fatal callback. */
-static void
-default_fatal_callback(const char *, int, const char *, va_list)
-     ISC_FORMAT_PRINTF(3, 0);
-
-/*% unexpected_callback */
-static isc_errorcallback_t unexpected_callback = default_unexpected_callback;
-static isc_errorcallback_t fatal_callback = default_fatal_callback;
-
-void
-isc_error_setunexpected(isc_errorcallback_t cb) {
-	if (cb == NULL)
-		unexpected_callback = default_unexpected_callback;
-	else
-		unexpected_callback = cb;
-}
-
-void
-isc_error_setfatal(isc_errorcallback_t cb) {
-	if (cb == NULL)
-		fatal_callback = default_fatal_callback;
-	else
-		fatal_callback = cb;
-}
-
-void
-isc_error_unexpected(const char *file, int line, const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	(unexpected_callback)(file, line, format, args);
-	va_end(args);
-}
-
-void
-isc_error_fatal(const char *file, int line, const char *format, ...) {
-	va_list args;
-
-	va_start(args, format);
-	(fatal_callback)(file, line, format, args);
-	va_end(args);
-	abort();
-}
-
-void
-isc_error_runtimecheck(const char *file, int line, const char *expression) {
-	isc_error_fatal(file, line, "RUNTIME_CHECK(%s) %s", expression,
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-				       ISC_MSG_FAILED, "failed"));
-}
-
-static void
-default_unexpected_callback(const char *file, int line, const char *format,
-			    va_list args)
-{
-	fprintf(stderr, "%s:%d: ", file, line);
-	vfprintf(stderr, format, args);
-	fprintf(stderr, "\n");
-	fflush(stderr);
-}
-
-static void
-default_fatal_callback(const char *file, int line, const char *format,
-		       va_list args)
-{
-	fprintf(stderr, "%s:%d: %s: ", file, line,
-		isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-			       ISC_MSG_FATALERROR, "fatal error"));
-	vfprintf(stderr, format, args);
-	fprintf(stderr, "\n");
-	fflush(stderr);
-}
diff --git a/contrib/bind9/lib/isc/event.c b/contrib/bind9/lib/isc/event.c
deleted file mode 100644
index 8ab7524..0000000
--- a/contrib/bind9/lib/isc/event.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: event.c,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- * \file
- * \author Principal Author: Bob Halley
- */
-
-#include <config.h>
-
-#include <isc/event.h>
-#include <isc/mem.h>
-#include <isc/util.h>
-
-/***
- *** Events.
- ***/
-
-static void
-destroy(isc_event_t *event) {
-	isc_mem_t *mctx = event->ev_destroy_arg;
-
-	isc_mem_put(mctx, event, event->ev_size);
-}
-
-isc_event_t *
-isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
-		   isc_taskaction_t action, const void *arg, size_t size)
-{
-	isc_event_t *event;
-	void *deconst_arg;
-
-	REQUIRE(size >= sizeof(struct isc_event));
-	REQUIRE(action != NULL);
-
-	event = isc_mem_get(mctx, size);
-	if (event == NULL)
-		return (NULL);
-
-	/*
-	 * Removing the const attribute from "arg" is the best of two
-	 * evils here.  If the event->ev_arg member is made const, then
-	 * it affects a great many users of the task/event subsystem
-	 * which are not passing in an "arg" which starts its life as
-	 * const.  Changing isc_event_allocate() and isc_task_onshutdown()
-	 * to not have "arg" prototyped as const (which is quite legitimate,
-	 * because neither of those functions modify arg) can cause
-	 * compiler whining anytime someone does want to use a const
-	 * arg that they themselves never modify, such as with
-	 * gcc -Wwrite-strings and using a string "arg".
-	 */
-	DE_CONST(arg, deconst_arg);
-
-	ISC_EVENT_INIT(event, size, 0, NULL, type, action, deconst_arg,
-		       sender, destroy, mctx);
-
-	return (event);
-}
-
-void
-isc_event_free(isc_event_t **eventp) {
-	isc_event_t *event;
-
-	REQUIRE(eventp != NULL);
-	event = *eventp;
-	REQUIRE(event != NULL);
-
-	if (event->ev_destroy != NULL)
-		(event->ev_destroy)(event);
-
-	*eventp = NULL;
-}
diff --git a/contrib/bind9/lib/isc/fsaccess.c b/contrib/bind9/lib/isc/fsaccess.c
deleted file mode 100644
index 5c97183..0000000
--- a/contrib/bind9/lib/isc/fsaccess.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: fsaccess.c,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file
- * \brief
- * This file contains the OS-independent functionality of the API.
- */
-#include <isc/fsaccess.h>
-#include <isc/result.h>
-#include <isc/util.h>
-
-/*!
- * Shorthand.  Maybe ISC__FSACCESS_PERMISSIONBITS should not even be in
- * <isc/fsaccess.h>.  Could check consistency with sizeof(isc_fsaccess_t)
- * and the number of bits in each function.
- */
-#define STEP		(ISC__FSACCESS_PERMISSIONBITS)
-#define GROUP		(STEP)
-#define OTHER		(STEP * 2)
-
-void
-isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access) {
-	REQUIRE(trustee <= 0x7);
-	REQUIRE(permission <= 0xFF);
-
-	if ((trustee & ISC_FSACCESS_OWNER) != 0)
-		*access |= permission;
-
-	if ((trustee & ISC_FSACCESS_GROUP) != 0)
-		*access |= (permission << GROUP);
-
-	if ((trustee & ISC_FSACCESS_OTHER) != 0)
-		*access |= (permission << OTHER);
-}
-
-void
-isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access) {
-	REQUIRE(trustee <= 0x7);
-	REQUIRE(permission <= 0xFF);
-
-
-	if ((trustee & ISC_FSACCESS_OWNER) != 0)
-		*access &= ~permission;
-
-	if ((trustee & ISC_FSACCESS_GROUP) != 0)
-		*access &= ~(permission << GROUP);
-
-	if ((trustee & ISC_FSACCESS_OTHER) != 0)
-		*access &= ~(permission << OTHER);
-}
-
-static isc_result_t
-check_bad_bits(isc_fsaccess_t access, isc_boolean_t is_dir) {
-	isc_fsaccess_t bits;
-
-	/*
-	 * Check for disallowed user bits.
-	 */
-	if (is_dir)
-		bits = ISC_FSACCESS_READ |
-		       ISC_FSACCESS_WRITE |
-		       ISC_FSACCESS_EXECUTE;
-	else
-		bits = ISC_FSACCESS_CREATECHILD |
-		       ISC_FSACCESS_ACCESSCHILD |
-		       ISC_FSACCESS_DELETECHILD |
-		       ISC_FSACCESS_LISTDIRECTORY;
-
-	/*
-	 * Set group bad bits.
-	 */
-	bits |= bits << STEP;
-	/*
-	 * Set other bad bits.
-	 */
-	bits |= bits << STEP;
-
-	if ((access & bits) != 0) {
-		if (is_dir)
-			return (ISC_R_NOTFILE);
-		else
-			return (ISC_R_NOTDIRECTORY);
-	}
-
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/hash.c b/contrib/bind9/lib/isc/hash.c
deleted file mode 100644
index f1d68c7..0000000
--- a/contrib/bind9/lib/isc/hash.c
+++ /dev/null
@@ -1,404 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hash.c,v 1.16 2009/09/01 00:22:28 jinmei Exp $ */
-
-/*! \file
- * Some portion of this code was derived from universal hash function
- * libraries of Rice University.
-\section license UH Universal Hashing Library
-
-Copyright ((c)) 2002, Rice University
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-    * Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above
-    copyright notice, this list of conditions and the following
-    disclaimer in the documentation and/or other materials provided
-    with the distribution.
-
-    * Neither the name of Rice University (RICE) nor the names of its
-    contributors may be used to endorse or promote products derived
-    from this software without specific prior written permission.
-
-
-This software is provided by RICE and the contributors on an "as is"
-basis, without any representations or warranties of any kind, express
-or implied including, but not limited to, representations or
-warranties of non-infringement, merchantability or fitness for a
-particular purpose. In no event shall RICE or contributors be liable
-for any direct, indirect, incidental, special, exemplary, or
-consequential damages (including, but not limited to, procurement of
-substitute goods or services; loss of use, data, or profits; or
-business interruption) however caused and on any theory of liability,
-whether in contract, strict liability, or tort (including negligence
-or otherwise) arising in any way out of the use of this software, even
-if advised of the possibility of such damage.
-*/
-
-#include <config.h>
-
-#include <isc/entropy.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/magic.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/random.h>
-#include <isc/refcount.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#define HASH_MAGIC		ISC_MAGIC('H', 'a', 's', 'h')
-#define VALID_HASH(h)		ISC_MAGIC_VALID((h), HASH_MAGIC)
-
-/*%
- * A large 32-bit prime number that specifies the range of the hash output.
- */
-#define PRIME32 0xFFFFFFFB              /* 2^32 -  5 */
-
-/*@{*/
-/*%
- * Types of random seed and hash accumulator.  Perhaps they can be system
- * dependent.
- */
-typedef isc_uint32_t hash_accum_t;
-typedef isc_uint16_t hash_random_t;
-/*@}*/
-
-/*% isc hash structure */
-struct isc_hash {
-	unsigned int	magic;
-	isc_mem_t	*mctx;
-	isc_mutex_t	lock;
-	isc_boolean_t	initialized;
-	isc_refcount_t	refcnt;
-	isc_entropy_t	*entropy; /*%< entropy source */
-	unsigned int	limit;	/*%< upper limit of key length */
-	size_t		vectorlen; /*%< size of the vector below */
-	hash_random_t	*rndvector; /*%< random vector for universal hashing */
-};
-
-static isc_mutex_t createlock;
-static isc_once_t once = ISC_ONCE_INIT;
-static isc_hash_t *hash = NULL;
-
-static unsigned char maptolower[] = {
-	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
-	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
-	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-	0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
-	0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-	0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
-	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
-	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-	0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
-	0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
-	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
-	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-	0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
-	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-	0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
-	0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
-	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-	0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
-	0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
-	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-	0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
-};
-
-isc_result_t
-isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
-		   unsigned int limit, isc_hash_t **hctxp)
-{
-	isc_result_t result;
-	isc_hash_t *hctx;
-	size_t vlen;
-	hash_random_t *rv;
-	hash_accum_t overflow_limit;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(hctxp != NULL && *hctxp == NULL);
-
-	/*
-	 * Overflow check.  Since our implementation only does a modulo
-	 * operation at the last stage of hash calculation, the accumulator
-	 * must not overflow.
-	 */
-	overflow_limit =
-		1 << (((sizeof(hash_accum_t) - sizeof(hash_random_t))) * 8);
-	if (overflow_limit < (limit + 1) * 0xff)
-		return (ISC_R_RANGE);
-
-	hctx = isc_mem_get(mctx, sizeof(isc_hash_t));
-	if (hctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	vlen = sizeof(hash_random_t) * (limit + 1);
-	rv = isc_mem_get(mctx, vlen);
-	if (rv == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto errout;
-	}
-
-	/*
-	 * We need a lock.
-	 */
-	result = isc_mutex_init(&hctx->lock);
-	if (result != ISC_R_SUCCESS)
-		goto errout;
-
-	/*
-	 * From here down, no failures will/can occur.
-	 */
-	hctx->magic = HASH_MAGIC;
-	hctx->mctx = NULL;
-	isc_mem_attach(mctx, &hctx->mctx);
-	hctx->initialized = ISC_FALSE;
-	result = isc_refcount_init(&hctx->refcnt, 1);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
-	hctx->entropy = NULL;
-	hctx->limit = limit;
-	hctx->vectorlen = vlen;
-	hctx->rndvector = rv;
-
-#ifdef BIND9
-	if (entropy != NULL)
-		isc_entropy_attach(entropy, &hctx->entropy);
-#else
-	UNUSED(entropy);
-#endif
-
-	*hctxp = hctx;
-	return (ISC_R_SUCCESS);
-
- cleanup_lock:
-	DESTROYLOCK(&hctx->lock);
- errout:
-	isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
-	if (rv != NULL)
-		isc_mem_put(mctx, rv, vlen);
-
-	return (result);
-}
-
-static void
-initialize_lock(void) {
-	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(mctx != NULL);
-	INSIST(hash == NULL);
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize_lock) == ISC_R_SUCCESS);
-
-	LOCK(&createlock);
-
-	if (hash == NULL)
-		result = isc_hash_ctxcreate(mctx, entropy, limit, &hash);
-
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-void
-isc_hash_ctxinit(isc_hash_t *hctx) {
-	LOCK(&hctx->lock);
-
-	if (hctx->initialized == ISC_TRUE)
-		goto out;
-
-	if (hctx->entropy) {
-#ifdef BIND9
-		isc_result_t result;
-
-		result = isc_entropy_getdata(hctx->entropy,
-					     hctx->rndvector, hctx->vectorlen,
-					     NULL, 0);
-		INSIST(result == ISC_R_SUCCESS);
-#else
-		INSIST(0);
-#endif
-	} else {
-		isc_uint32_t pr;
-		unsigned int i, copylen;
-		unsigned char *p;
-
-		p = (unsigned char *)hctx->rndvector;
-		for (i = 0; i < hctx->vectorlen; i += copylen, p += copylen) {
-			isc_random_get(&pr);
-			if (i + sizeof(pr) <= hctx->vectorlen)
-				copylen = sizeof(pr);
-			else
-				copylen = hctx->vectorlen - i;
-
-			memcpy(p, &pr, copylen);
-		}
-		INSIST(p == (unsigned char *)hctx->rndvector +
-		       hctx->vectorlen);
-	}
-
-	hctx->initialized = ISC_TRUE;
-
- out:
-	UNLOCK(&hctx->lock);
-}
-
-void
-isc_hash_init() {
-	INSIST(hash != NULL && VALID_HASH(hash));
-
-	isc_hash_ctxinit(hash);
-}
-
-void
-isc_hash_ctxattach(isc_hash_t *hctx, isc_hash_t **hctxp) {
-	REQUIRE(VALID_HASH(hctx));
-	REQUIRE(hctxp != NULL && *hctxp == NULL);
-
-	isc_refcount_increment(&hctx->refcnt, NULL);
-	*hctxp = hctx;
-}
-
-static void
-destroy(isc_hash_t **hctxp) {
-	isc_hash_t *hctx;
-	isc_mem_t *mctx;
-	unsigned char canary0[4], canary1[4];
-
-	REQUIRE(hctxp != NULL && *hctxp != NULL);
-	hctx = *hctxp;
-	*hctxp = NULL;
-
-	LOCK(&hctx->lock);
-
-	isc_refcount_destroy(&hctx->refcnt);
-
-	mctx = hctx->mctx;
-#ifdef BIND9
-	if (hctx->entropy != NULL)
-		isc_entropy_detach(&hctx->entropy);
-#endif
-	if (hctx->rndvector != NULL)
-		isc_mem_put(mctx, hctx->rndvector, hctx->vectorlen);
-
-	UNLOCK(&hctx->lock);
-
-	DESTROYLOCK(&hctx->lock);
-
-	memcpy(canary0, hctx + 1, sizeof(canary0));
-	memset(hctx, 0, sizeof(isc_hash_t));
-	memcpy(canary1, hctx + 1, sizeof(canary1));
-	INSIST(memcmp(canary0, canary1, sizeof(canary0)) == 0);
-	isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
-	isc_mem_detach(&mctx);
-}
-
-void
-isc_hash_ctxdetach(isc_hash_t **hctxp) {
-	isc_hash_t *hctx;
-	unsigned int refs;
-
-	REQUIRE(hctxp != NULL && VALID_HASH(*hctxp));
-	hctx = *hctxp;
-
-	isc_refcount_decrement(&hctx->refcnt, &refs);
-	if (refs == 0)
-		destroy(&hctx);
-
-	*hctxp = NULL;
-}
-
-void
-isc_hash_destroy() {
-	unsigned int refs;
-
-	INSIST(hash != NULL && VALID_HASH(hash));
-
-	isc_refcount_decrement(&hash->refcnt, &refs);
-	INSIST(refs == 0);
-
-	destroy(&hash);
-}
-
-static inline unsigned int
-hash_calc(isc_hash_t *hctx, const unsigned char *key, unsigned int keylen,
-	  isc_boolean_t case_sensitive)
-{
-	hash_accum_t partial_sum = 0;
-	hash_random_t *p = hctx->rndvector;
-	unsigned int i = 0;
-
-	/* Make it sure that the hash context is initialized. */
-	if (hctx->initialized == ISC_FALSE)
-		isc_hash_ctxinit(hctx);
-
-	if (case_sensitive) {
-		for (i = 0; i < keylen; i++)
-			partial_sum += key[i] * (hash_accum_t)p[i];
-	} else {
-		for (i = 0; i < keylen; i++)
-			partial_sum += maptolower[key[i]] * (hash_accum_t)p[i];
-	}
-
-	partial_sum += p[i];
-
-	return ((unsigned int)(partial_sum % PRIME32));
-}
-
-unsigned int
-isc_hash_ctxcalc(isc_hash_t *hctx, const unsigned char *key,
-		 unsigned int keylen, isc_boolean_t case_sensitive)
-{
-	REQUIRE(hctx != NULL && VALID_HASH(hctx));
-	REQUIRE(keylen <= hctx->limit);
-
-	return (hash_calc(hctx, key, keylen, case_sensitive));
-}
-
-unsigned int
-isc_hash_calc(const unsigned char *key, unsigned int keylen,
-	      isc_boolean_t case_sensitive)
-{
-	INSIST(hash != NULL && VALID_HASH(hash));
-	REQUIRE(keylen <= hash->limit);
-
-	return (hash_calc(hash, key, keylen, case_sensitive));
-}
diff --git a/contrib/bind9/lib/isc/heap.c b/contrib/bind9/lib/isc/heap.c
deleted file mode 100644
index ebadd2f..0000000
--- a/contrib/bind9/lib/isc/heap.c
+++ /dev/null
@@ -1,265 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2010-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file
- * Heap implementation of priority queues adapted from the following:
- *
- *	\li "Introduction to Algorithms," Cormen, Leiserson, and Rivest,
- *	MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
- *
- *	\li "Algorithms," Second Edition, Sedgewick, Addison-Wesley, 1988,
- *	ISBN 0-201-06673-4, chapter 11.
- */
-
-#include <config.h>
-
-#include <isc/heap.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/string.h>		/* Required for memcpy. */
-#include <isc/util.h>
-
-/*@{*/
-/*%
- * Note: to make heap_parent and heap_left easy to compute, the first
- * element of the heap array is not used; i.e. heap subscripts are 1-based,
- * not 0-based.  The parent is index/2, and the left-child is index*2.
- * The right child is index*2+1.
- */
-#define heap_parent(i)			((i) >> 1)
-#define heap_left(i)			((i) << 1)
-/*@}*/
-
-#define SIZE_INCREMENT			1024
-
-#define HEAP_MAGIC			ISC_MAGIC('H', 'E', 'A', 'P')
-#define VALID_HEAP(h)			ISC_MAGIC_VALID(h, HEAP_MAGIC)
-
-/*%
- * When the heap is in a consistent state, the following invariant
- * holds true: for every element i > 1, heap_parent(i) has a priority
- * higher than or equal to that of i.
- */
-#define HEAPCONDITION(i) ((i) == 1 || \
-			  ! heap->compare(heap->array[(i)], \
-					  heap->array[heap_parent(i)]))
-
-/*% ISC heap structure. */
-struct isc_heap {
-	unsigned int			magic;
-	isc_mem_t *			mctx;
-	unsigned int			size;
-	unsigned int			size_increment;
-	unsigned int			last;
-	void				**array;
-	isc_heapcompare_t		compare;
-	isc_heapindex_t			index;
-};
-
-isc_result_t
-isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
-		isc_heapindex_t index, unsigned int size_increment,
-		isc_heap_t **heapp)
-{
-	isc_heap_t *heap;
-
-	REQUIRE(heapp != NULL && *heapp == NULL);
-	REQUIRE(compare != NULL);
-
-	heap = isc_mem_get(mctx, sizeof(*heap));
-	if (heap == NULL)
-		return (ISC_R_NOMEMORY);
-	heap->magic = HEAP_MAGIC;
-	heap->size = 0;
-	heap->mctx = NULL;
-	isc_mem_attach(mctx, &heap->mctx);
-	if (size_increment == 0)
-		heap->size_increment = SIZE_INCREMENT;
-	else
-		heap->size_increment = size_increment;
-	heap->last = 0;
-	heap->array = NULL;
-	heap->compare = compare;
-	heap->index = index;
-
-	*heapp = heap;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_heap_destroy(isc_heap_t **heapp) {
-	isc_heap_t *heap;
-
-	REQUIRE(heapp != NULL);
-	heap = *heapp;
-	REQUIRE(VALID_HEAP(heap));
-
-	if (heap->array != NULL)
-		isc_mem_put(heap->mctx, heap->array,
-			    heap->size * sizeof(void *));
-	heap->magic = 0;
-	isc_mem_putanddetach(&heap->mctx, heap, sizeof(*heap));
-
-	*heapp = NULL;
-}
-
-static isc_boolean_t
-resize(isc_heap_t *heap) {
-	void **new_array;
-	size_t new_size;
-
-	REQUIRE(VALID_HEAP(heap));
-
-	new_size = heap->size + heap->size_increment;
-	new_array = isc_mem_get(heap->mctx, new_size * sizeof(void *));
-	if (new_array == NULL)
-		return (ISC_FALSE);
-	if (heap->array != NULL) {
-		memcpy(new_array, heap->array, heap->size * sizeof(void *));
-		isc_mem_put(heap->mctx, heap->array,
-			    heap->size * sizeof(void *));
-	}
-	heap->size = new_size;
-	heap->array = new_array;
-
-	return (ISC_TRUE);
-}
-
-static void
-float_up(isc_heap_t *heap, unsigned int i, void *elt) {
-	unsigned int p;
-
-	for (p = heap_parent(i) ;
-	     i > 1 && heap->compare(elt, heap->array[p]) ;
-	     i = p, p = heap_parent(i)) {
-		heap->array[i] = heap->array[p];
-		if (heap->index != NULL)
-			(heap->index)(heap->array[i], i);
-	}
-	heap->array[i] = elt;
-	if (heap->index != NULL)
-		(heap->index)(heap->array[i], i);
-
-	INSIST(HEAPCONDITION(i));
-}
-
-static void
-sink_down(isc_heap_t *heap, unsigned int i, void *elt) {
-	unsigned int j, size, half_size;
-	size = heap->last;
-	half_size = size / 2;
-	while (i <= half_size) {
-		/* Find the smallest of the (at most) two children. */
-		j = heap_left(i);
-		if (j < size && heap->compare(heap->array[j+1],
-					      heap->array[j]))
-			j++;
-		if (heap->compare(elt, heap->array[j]))
-			break;
-		heap->array[i] = heap->array[j];
-		if (heap->index != NULL)
-			(heap->index)(heap->array[i], i);
-		i = j;
-	}
-	heap->array[i] = elt;
-	if (heap->index != NULL)
-		(heap->index)(heap->array[i], i);
-
-	INSIST(HEAPCONDITION(i));
-}
-
-isc_result_t
-isc_heap_insert(isc_heap_t *heap, void *elt) {
-	unsigned int new_last;
-
-	REQUIRE(VALID_HEAP(heap));
-
-	new_last = heap->last + 1;
-	RUNTIME_CHECK(new_last > 0); /* overflow check */
-	if (new_last >= heap->size && !resize(heap))
-		return (ISC_R_NOMEMORY);
-	heap->last = new_last;
-
-	float_up(heap, new_last, elt);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_heap_delete(isc_heap_t *heap, unsigned int index) {
-	void *elt;
-	isc_boolean_t less;
-
-	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(index >= 1 && index <= heap->last);
-
-	if (index == heap->last) {
-		heap->array[heap->last] = NULL;
-		heap->last--;
-	} else {
-		elt = heap->array[heap->last];
-		heap->array[heap->last] = NULL;
-		heap->last--;
-
-		less = heap->compare(elt, heap->array[index]);
-		heap->array[index] = elt;
-		if (less)
-			float_up(heap, index, heap->array[index]);
-		else
-			sink_down(heap, index, heap->array[index]);
-	}
-}
-
-void
-isc_heap_increased(isc_heap_t *heap, unsigned int index) {
-	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(index >= 1 && index <= heap->last);
-
-	float_up(heap, index, heap->array[index]);
-}
-
-void
-isc_heap_decreased(isc_heap_t *heap, unsigned int index) {
-	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(index >= 1 && index <= heap->last);
-
-	sink_down(heap, index, heap->array[index]);
-}
-
-void *
-isc_heap_element(isc_heap_t *heap, unsigned int index) {
-	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(index >= 1);
-
-	if (index <= heap->last)
-		return (heap->array[index]);
-	return (NULL);
-}
-
-void
-isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap) {
-	unsigned int i;
-
-	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(action != NULL);
-
-	for (i = 1 ; i <= heap->last ; i++)
-		(action)(heap->array[i], uap);
-}
diff --git a/contrib/bind9/lib/isc/hex.c b/contrib/bind9/lib/isc/hex.c
deleted file mode 100644
index 3fa0e69..0000000
--- a/contrib/bind9/lib/isc/hex.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hex.c,v 1.20 2008/09/25 04:02:39 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <isc/buffer.h>
-#include <isc/hex.h>
-#include <isc/lex.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#define RETERR(x) do { \
-	isc_result_t _r = (x); \
-	if (_r != ISC_R_SUCCESS) \
-		return (_r); \
-	} while (0)
-
-
-/*
- * BEW: These static functions are copied from lib/dns/rdata.c.
- */
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target);
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
-
-static const char hex[] = "0123456789ABCDEF";
-
-isc_result_t
-isc_hex_totext(isc_region_t *source, int wordlength,
-	       const char *wordbreak, isc_buffer_t *target)
-{
-	char buf[3];
-	unsigned int loops = 0;
-
-	if (wordlength < 2)
-		wordlength = 2;
-
-	memset(buf, 0, sizeof(buf));
-	while (source->length > 0) {
-		buf[0] = hex[(source->base[0] >> 4) & 0xf];
-		buf[1] = hex[(source->base[0]) & 0xf];
-		RETERR(str_totext(buf, target));
-		isc_region_consume(source, 1);
-
-		loops++;
-		if (source->length != 0 &&
-		    (int)((loops + 1) * 2) >= wordlength)
-		{
-			loops = 0;
-			RETERR(str_totext(wordbreak, target));
-		}
-	}
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * State of a hex decoding process in progress.
- */
-typedef struct {
-	int length;		/*%< Desired length of binary data or -1 */
-	isc_buffer_t *target;	/*%< Buffer for resulting binary data */
-	int digits;		/*%< Number of buffered hex digits */
-	int val[2];
-} hex_decode_ctx_t;
-
-static inline void
-hex_decode_init(hex_decode_ctx_t *ctx, int length, isc_buffer_t *target)
-{
-	ctx->digits = 0;
-	ctx->length = length;
-	ctx->target = target;
-}
-
-static inline isc_result_t
-hex_decode_char(hex_decode_ctx_t *ctx, int c) {
-	char *s;
-
-	if ((s = strchr(hex, toupper(c))) == NULL)
-		return (ISC_R_BADHEX);
-	ctx->val[ctx->digits++] = s - hex;
-	if (ctx->digits == 2) {
-		unsigned char num;
-
-		num = (ctx->val[0] << 4) + (ctx->val[1]);
-		RETERR(mem_tobuffer(ctx->target, &num, 1));
-		if (ctx->length >= 0) {
-			if (ctx->length == 0)
-				return (ISC_R_BADHEX);
-			else
-				ctx->length -= 1;
-		}
-		ctx->digits = 0;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-hex_decode_finish(hex_decode_ctx_t *ctx) {
-	if (ctx->length > 0)
-		return (ISC_R_UNEXPECTEDEND);
-	if (ctx->digits != 0)
-		return (ISC_R_BADHEX);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
-	hex_decode_ctx_t ctx;
-	isc_textregion_t *tr;
-	isc_token_t token;
-	isc_boolean_t eol;
-
-	hex_decode_init(&ctx, length, target);
-
-	while (ctx.length != 0) {
-		unsigned int i;
-
-		if (length > 0)
-			eol = ISC_FALSE;
-		else
-			eol = ISC_TRUE;
-		RETERR(isc_lex_getmastertoken(lexer, &token,
-					      isc_tokentype_string, eol));
-		if (token.type != isc_tokentype_string)
-			break;
-		tr = &token.value.as_textregion;
-		for (i = 0; i < tr->length; i++)
-			RETERR(hex_decode_char(&ctx, tr->base[i]));
-	}
-	if (ctx.length < 0)
-		isc_lex_ungettoken(lexer, &token);
-	RETERR(hex_decode_finish(&ctx));
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_hex_decodestring(const char *cstr, isc_buffer_t *target) {
-	hex_decode_ctx_t ctx;
-
-	hex_decode_init(&ctx, -1, target);
-	for (;;) {
-		int c = *cstr++;
-		if (c == '\0')
-			break;
-		if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
-			continue;
-		RETERR(hex_decode_char(&ctx, c));
-	}
-	RETERR(hex_decode_finish(&ctx));
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
-	unsigned int l;
-	isc_region_t region;
-
-	isc_buffer_availableregion(target, &region);
-	l = strlen(source);
-
-	if (l > region.length)
-		return (ISC_R_NOSPACE);
-
-	memcpy(region.base, source, l);
-	isc_buffer_add(target, l);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
-	isc_region_t tr;
-
-	isc_buffer_availableregion(target, &tr);
-	if (length > tr.length)
-		return (ISC_R_NOSPACE);
-	memcpy(tr.base, base, length);
-	isc_buffer_add(target, length);
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/hmacmd5.c b/contrib/bind9/lib/isc/hmacmd5.c
deleted file mode 100644
index 6abe6e2..0000000
--- a/contrib/bind9/lib/isc/hmacmd5.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hmacmd5.c,v 1.16 2009/02/06 23:47:42 tbox Exp $ */
-
-/*! \file
- * This code implements the HMAC-MD5 keyed hash algorithm
- * described in RFC2104.
- */
-
-#include "config.h"
-
-#include <isc/assertions.h>
-#include <isc/hmacmd5.h>
-#include <isc/md5.h>
-#include <isc/platform.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-
-void
-isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
-		 unsigned int len)
-{
-	HMAC_Init(ctx, (const void *) key, (int) len, EVP_md5());
-}
-
-void
-isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
-	HMAC_CTX_cleanup(ctx);
-}
-
-void
-isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	HMAC_Update(ctx, buf, (int) len);
-}
-
-void
-isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
-	HMAC_Final(ctx, digest, NULL);
-	HMAC_CTX_cleanup(ctx);
-}
-
-#else
-
-#define PADLEN 64
-#define IPAD 0x36
-#define OPAD 0x5C
-
-/*!
- * Start HMAC-MD5 process.  Initialize an md5 context and digest the key.
- */
-void
-isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
-		 unsigned int len)
-{
-	unsigned char ipad[PADLEN];
-	int i;
-
-	memset(ctx->key, 0, sizeof(ctx->key));
-	if (len > sizeof(ctx->key)) {
-		isc_md5_t md5ctx;
-		isc_md5_init(&md5ctx);
-		isc_md5_update(&md5ctx, key, len);
-		isc_md5_final(&md5ctx, ctx->key);
-	} else
-		memcpy(ctx->key, key, len);
-
-	isc_md5_init(&ctx->md5ctx);
-	memset(ipad, IPAD, sizeof(ipad));
-	for (i = 0; i < PADLEN; i++)
-		ipad[i] ^= ctx->key[i];
-	isc_md5_update(&ctx->md5ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
-	isc_md5_invalidate(&ctx->md5ctx);
-	memset(ctx->key, 0, sizeof(ctx->key));
-}
-
-/*!
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	isc_md5_update(&ctx->md5ctx, buf, len);
-}
-
-/*!
- * Compute signature - finalize MD5 operation and reapply MD5.
- */
-void
-isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
-	unsigned char opad[PADLEN];
-	int i;
-
-	isc_md5_final(&ctx->md5ctx, digest);
-
-	memset(opad, OPAD, sizeof(opad));
-	for (i = 0; i < PADLEN; i++)
-		opad[i] ^= ctx->key[i];
-
-	isc_md5_init(&ctx->md5ctx);
-	isc_md5_update(&ctx->md5ctx, opad, sizeof(opad));
-	isc_md5_update(&ctx->md5ctx, digest, ISC_MD5_DIGESTLENGTH);
-	isc_md5_final(&ctx->md5ctx, digest);
-	isc_hmacmd5_invalidate(ctx);
-}
-#endif /* !ISC_PLATFORM_OPENSSLHASH */
-
-/*!
- * Verify signature - finalize MD5 operation and reapply MD5, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest) {
-	return (isc_hmacmd5_verify2(ctx, digest, ISC_MD5_DIGESTLENGTH));
-}
-
-isc_boolean_t
-isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_MD5_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_MD5_DIGESTLENGTH);
-	isc_hmacmd5_sign(ctx, newdigest);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
diff --git a/contrib/bind9/lib/isc/hmacsha.c b/contrib/bind9/lib/isc/hmacsha.c
deleted file mode 100644
index d7b9f18..0000000
--- a/contrib/bind9/lib/isc/hmacsha.c
+++ /dev/null
@@ -1,594 +0,0 @@
-/*
- * Copyright (C) 2005-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*
- * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
- * and HMAC-SHA512 keyed hash algorithm described in RFC 2104 and
- * draft-ietf-dnsext-tsig-sha-01.txt.
- */
-
-#include "config.h"
-
-#include <isc/assertions.h>
-#include <isc/hmacsha.h>
-#include <isc/platform.h>
-#include <isc/sha1.h>
-#include <isc/sha2.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-
-void
-isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
-		  unsigned int len)
-{
-	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1());
-}
-
-void
-isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
-	HMAC_CTX_cleanup(ctx);
-}
-
-void
-isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	HMAC_Update(ctx, buf, (int) len);
-}
-
-void
-isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
-
-	HMAC_Final(ctx, newdigest, NULL);
-	HMAC_CTX_cleanup(ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-
-void
-isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
-		    unsigned int len)
-{
-	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224());
-}
-
-void
-isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
-	HMAC_CTX_cleanup(ctx);
-}
-
-void
-isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	HMAC_Update(ctx, buf, (int) len);
-}
-
-void
-isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
-
-	HMAC_Final(ctx, newdigest, NULL);
-	HMAC_CTX_cleanup(ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-
-void
-isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
-		    unsigned int len)
-{
-	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256());
-}
-
-void
-isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
-	HMAC_CTX_cleanup(ctx);
-}
-
-void
-isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	HMAC_Update(ctx, buf, (int) len);
-}
-
-void
-isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
-
-	HMAC_Final(ctx, newdigest, NULL);
-	HMAC_CTX_cleanup(ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-
-void
-isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
-		    unsigned int len)
-{
-	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384());
-}
-
-void
-isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
-	HMAC_CTX_cleanup(ctx);
-}
-
-void
-isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	HMAC_Update(ctx, buf, (int) len);
-}
-
-void
-isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
-
-	HMAC_Final(ctx, newdigest, NULL);
-	HMAC_CTX_cleanup(ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-
-void
-isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
-		    unsigned int len)
-{
-	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512());
-}
-
-void
-isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
-	HMAC_CTX_cleanup(ctx);
-}
-
-void
-isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	HMAC_Update(ctx, buf, (int) len);
-}
-
-void
-isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
-
-	HMAC_Final(ctx, newdigest, NULL);
-	HMAC_CTX_cleanup(ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-
-#else
-
-#define IPAD 0x36
-#define OPAD 0x5C
-
-/*
- * Start HMAC-SHA1 process.  Initialize an sha1 context and digest the key.
- */
-void
-isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
-		  unsigned int len)
-{
-	unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
-	unsigned int i;
-
-	memset(ctx->key, 0, sizeof(ctx->key));
-	if (len > sizeof(ctx->key)) {
-		isc_sha1_t sha1ctx;
-		isc_sha1_init(&sha1ctx);
-		isc_sha1_update(&sha1ctx, key, len);
-		isc_sha1_final(&sha1ctx, ctx->key);
-	} else
-		memcpy(ctx->key, key, len);
-
-	isc_sha1_init(&ctx->sha1ctx);
-	memset(ipad, IPAD, sizeof(ipad));
-	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
-		ipad[i] ^= ctx->key[i];
-	isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
-	isc_sha1_invalidate(&ctx->sha1ctx);
-	memset(ctx, 0, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	isc_sha1_update(&ctx->sha1ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA1 operation and reapply SHA1.
- */
-void
-isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char opad[ISC_SHA1_BLOCK_LENGTH];
-	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
-	unsigned int i;
-
-	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
-	isc_sha1_final(&ctx->sha1ctx, newdigest);
-
-	memset(opad, OPAD, sizeof(opad));
-	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
-		opad[i] ^= ctx->key[i];
-
-	isc_sha1_init(&ctx->sha1ctx);
-	isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad));
-	isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
-	isc_sha1_final(&ctx->sha1ctx, newdigest);
-	isc_hmacsha1_invalidate(ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-
-/*
- * Start HMAC-SHA224 process.  Initialize an sha224 context and digest the key.
- */
-void
-isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
-		    unsigned int len)
-{
-	unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
-	unsigned int i;
-
-	memset(ctx->key, 0, sizeof(ctx->key));
-	if (len > sizeof(ctx->key)) {
-		isc_sha224_t sha224ctx;
-		isc_sha224_init(&sha224ctx);
-		isc_sha224_update(&sha224ctx, key, len);
-		isc_sha224_final(ctx->key, &sha224ctx);
-	} else
-		memcpy(ctx->key, key, len);
-
-	isc_sha224_init(&ctx->sha224ctx);
-	memset(ipad, IPAD, sizeof(ipad));
-	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
-		ipad[i] ^= ctx->key[i];
-	isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
-	memset(ctx, 0, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	isc_sha224_update(&ctx->sha224ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA224 operation and reapply SHA224.
- */
-void
-isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char opad[ISC_SHA224_BLOCK_LENGTH];
-	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
-	unsigned int i;
-
-	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
-	isc_sha224_final(newdigest, &ctx->sha224ctx);
-
-	memset(opad, OPAD, sizeof(opad));
-	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
-		opad[i] ^= ctx->key[i];
-
-	isc_sha224_init(&ctx->sha224ctx);
-	isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad));
-	isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
-	isc_sha224_final(newdigest, &ctx->sha224ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-
-/*
- * Start HMAC-SHA256 process.  Initialize an sha256 context and digest the key.
- */
-void
-isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
-		    unsigned int len)
-{
-	unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
-	unsigned int i;
-
-	memset(ctx->key, 0, sizeof(ctx->key));
-	if (len > sizeof(ctx->key)) {
-		isc_sha256_t sha256ctx;
-		isc_sha256_init(&sha256ctx);
-		isc_sha256_update(&sha256ctx, key, len);
-		isc_sha256_final(ctx->key, &sha256ctx);
-	} else
-		memcpy(ctx->key, key, len);
-
-	isc_sha256_init(&ctx->sha256ctx);
-	memset(ipad, IPAD, sizeof(ipad));
-	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
-		ipad[i] ^= ctx->key[i];
-	isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
-	memset(ctx, 0, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	isc_sha256_update(&ctx->sha256ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA256 operation and reapply SHA256.
- */
-void
-isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char opad[ISC_SHA256_BLOCK_LENGTH];
-	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
-	unsigned int i;
-
-	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
-	isc_sha256_final(newdigest, &ctx->sha256ctx);
-
-	memset(opad, OPAD, sizeof(opad));
-	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
-		opad[i] ^= ctx->key[i];
-
-	isc_sha256_init(&ctx->sha256ctx);
-	isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad));
-	isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
-	isc_sha256_final(newdigest, &ctx->sha256ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-
-/*
- * Start HMAC-SHA384 process.  Initialize an sha384 context and digest the key.
- */
-void
-isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
-		    unsigned int len)
-{
-	unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
-	unsigned int i;
-
-	memset(ctx->key, 0, sizeof(ctx->key));
-	if (len > sizeof(ctx->key)) {
-		isc_sha384_t sha384ctx;
-		isc_sha384_init(&sha384ctx);
-		isc_sha384_update(&sha384ctx, key, len);
-		isc_sha384_final(ctx->key, &sha384ctx);
-	} else
-		memcpy(ctx->key, key, len);
-
-	isc_sha384_init(&ctx->sha384ctx);
-	memset(ipad, IPAD, sizeof(ipad));
-	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
-		ipad[i] ^= ctx->key[i];
-	isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
-	memset(ctx, 0, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	isc_sha384_update(&ctx->sha384ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA384 operation and reapply SHA384.
- */
-void
-isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char opad[ISC_SHA384_BLOCK_LENGTH];
-	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
-	unsigned int i;
-
-	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
-	isc_sha384_final(newdigest, &ctx->sha384ctx);
-
-	memset(opad, OPAD, sizeof(opad));
-	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
-		opad[i] ^= ctx->key[i];
-
-	isc_sha384_init(&ctx->sha384ctx);
-	isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad));
-	isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
-	isc_sha384_final(newdigest, &ctx->sha384ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-
-/*
- * Start HMAC-SHA512 process.  Initialize an sha512 context and digest the key.
- */
-void
-isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
-		    unsigned int len)
-{
-	unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
-	unsigned int i;
-
-	memset(ctx->key, 0, sizeof(ctx->key));
-	if (len > sizeof(ctx->key)) {
-		isc_sha512_t sha512ctx;
-		isc_sha512_init(&sha512ctx);
-		isc_sha512_update(&sha512ctx, key, len);
-		isc_sha512_final(ctx->key, &sha512ctx);
-	} else
-		memcpy(ctx->key, key, len);
-
-	isc_sha512_init(&ctx->sha512ctx);
-	memset(ipad, IPAD, sizeof(ipad));
-	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
-		ipad[i] ^= ctx->key[i];
-	isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
-	memset(ctx, 0, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
-		   unsigned int len)
-{
-	isc_sha512_update(&ctx->sha512ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA512 operation and reapply SHA512.
- */
-void
-isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char opad[ISC_SHA512_BLOCK_LENGTH];
-	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
-	unsigned int i;
-
-	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
-	isc_sha512_final(newdigest, &ctx->sha512ctx);
-
-	memset(opad, OPAD, sizeof(opad));
-	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
-		opad[i] ^= ctx->key[i];
-
-	isc_sha512_init(&ctx->sha512ctx);
-	isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad));
-	isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
-	isc_sha512_final(newdigest, &ctx->sha512ctx);
-	memcpy(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
-}
-#endif /* !ISC_PLATFORM_OPENSSLHASH */
-
-/*
- * Verify signature - finalize SHA1 operation and reapply SHA1, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
-	isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
- * Verify signature - finalize SHA224 operation and reapply SHA224, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
-	isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
- * Verify signature - finalize SHA256 operation and reapply SHA256, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
-	isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
- * Verify signature - finalize SHA384 operation and reapply SHA384, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
-	isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
- * Verify signature - finalize SHA512 operation and reapply SHA512, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
-	isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
diff --git a/contrib/bind9/lib/isc/httpd.c b/contrib/bind9/lib/isc/httpd.c
deleted file mode 100644
index 16a8c9f..0000000
--- a/contrib/bind9/lib/isc/httpd.c
+++ /dev/null
@@ -1,1028 +0,0 @@
-/*
- * Copyright (C) 2006-2008, 2010-2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/httpd.h>
-#include <isc/mem.h>
-#include <isc/socket.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <string.h>
-
-/*%
- * TODO:
- *
- *  o  Put in better checks to make certain things are passed in correctly.
- *     This includes a magic number for externally-visible structures,
- *     checking for NULL-ness before dereferencing, etc.
- *  o  Make the URL processing external functions which will fill-in a buffer
- *     structure we provide, or return an error and we will render a generic
- *     page and close the client.
- */
-
-#define MSHUTTINGDOWN(cm) ((cm->flags & ISC_HTTPDMGR_FLAGSHUTTINGDOWN) != 0)
-#define MSETSHUTTINGDOWN(cm) (cm->flags |= ISC_HTTPDMGR_FLAGSHUTTINGDOWN)
-
-#ifdef DEBUG_HTTPD
-#define ENTER(x) do { fprintf(stderr, "ENTER %s\n", (x)); } while (0)
-#define EXIT(x) do { fprintf(stderr, "EXIT %s\n", (x)); } while (0)
-#define NOTICE(x) do { fprintf(stderr, "NOTICE %s\n", (x)); } while (0)
-#else
-#define ENTER(x) do { } while(0)
-#define EXIT(x) do { } while(0)
-#define NOTICE(x) do { } while(0)
-#endif
-
-#define HTTP_RECVLEN			1024
-#define HTTP_SENDGROW			1024
-#define HTTP_SEND_MAXLEN		10240
-
-/*%
- * HTTP urls.  These are the URLs we manage, and the function to call to
- * provide the data for it.  We pass in the base url (so the same function
- * can handle multiple requests), and a structure to fill in to return a
- * result to the client.  We also pass in a pointer to be filled in for
- * the data cleanup function.
- */
-struct isc_httpdurl {
-	char			       *url;
-	isc_httpdaction_t	       *action;
-	void			       *action_arg;
-	ISC_LINK(isc_httpdurl_t)	link;
-};
-
-#define HTTPD_CLOSE		0x0001 /* Got a Connection: close header */
-#define HTTPD_FOUNDHOST		0x0002 /* Got a Host: header */
-
-/*% http client */
-struct isc_httpd {
-	isc_httpdmgr_t	       *mgr;		/*%< our parent */
-	ISC_LINK(isc_httpd_t)	link;
-	unsigned int		state;
-	isc_socket_t		*sock;
-
-	/*%
-	 * Received data state.
-	 */
-	char			recvbuf[HTTP_RECVLEN]; /*%< receive buffer */
-	isc_uint32_t		recvlen;	/*%< length recv'd */
-	unsigned int		method;
-	char		       *url;
-	char		       *querystring;
-	char		       *protocol;
-
-	/*
-	 * Flags on the httpd client.
-	 */
-	int			flags;
-
-	/*%
-	 * Transmit data state.
-	 *
-	 * This is the data buffer we will transmit.
-	 *
-	 * This free function pointer is filled in by the rendering function
-	 * we call.  The free function is called after the data is transmitted
-	 * to the client.
-	 *
-	 * The bufflist is the list of buffers we are currently transmitting.
-	 * The headerdata is where we render our headers to.  If we run out of
-	 * space when rendering a header, we will change the size of our
-	 * buffer.  We will not free it until we are finished, and will
-	 * allocate an additional HTTP_SENDGROW bytes per header space grow.
-	 *
-	 * We currently use two buffers total, one for the headers (which
-	 * we manage) and another for the client to fill in (which it manages,
-	 * it provides the space for it, etc) -- we will pass that buffer
-	 * structure back to the caller, who is responsible for managing the
-	 * space it may have allocated as backing store for it.  This second
-	 * buffer is bodybuffer, and we only allocate the buffer itself, not
-	 * the backing store.
-	 */
-	isc_bufferlist_t	bufflist;
-	char		       *headerdata; /*%< send header buf */
-	unsigned int		headerlen;  /*%< current header buffer size */
-	isc_buffer_t		headerbuffer;
-
-	const char	       *mimetype;
-	unsigned int		retcode;
-	const char	       *retmsg;
-	isc_buffer_t		bodybuffer;
-	isc_httpdfree_t	       *freecb;
-	void		       *freecb_arg;
-};
-
-/*% lightweight socket manager for httpd output */
-struct isc_httpdmgr {
-	isc_mem_t	       *mctx;
-	isc_socket_t	       *sock;		/*%< listening socket */
-	isc_task_t	       *task;		/*%< owning task */
-	isc_timermgr_t	       *timermgr;
-
-	isc_httpdclientok_t    *client_ok;	/*%< client validator */
-	isc_httpdondestroy_t   *ondestroy;	/*%< cleanup callback */
-	void		       *cb_arg;		/*%< argument for the above */
-
-	unsigned int		flags;
-	ISC_LIST(isc_httpd_t)	running;	/*%< running clients */
-
-	isc_mutex_t		lock;
-
-	ISC_LIST(isc_httpdurl_t) urls;		/*%< urls we manage */
-	isc_httpdaction_t      *render_404;
-	isc_httpdaction_t      *render_500;
-};
-
-/*%
- * HTTP methods.
- */
-#define ISC_HTTPD_METHODUNKNOWN	0
-#define ISC_HTTPD_METHODGET	1
-#define ISC_HTTPD_METHODPOST	2
-
-/*%
- * Client states.
- *
- * _IDLE	The client is not doing anything at all.  This state should
- *		only occur just after creation, and just before being
- *		destroyed.
- *
- * _RECV	The client is waiting for data after issuing a socket recv().
- *
- * _RECVDONE	Data has been received, and is being processed.
- *
- * _SEND	All data for a response has completed, and a reply was
- *		sent via a socket send() call.
- *
- * _SENDDONE	Send is completed.
- *
- * Badly formatted state table:
- *
- *	IDLE -> RECV when client has a recv() queued.
- *
- *	RECV -> RECVDONE when recvdone event received.
- *
- *	RECVDONE -> SEND if the data for a reply is at hand.
- *
- *	SEND -> RECV when a senddone event was received.
- *
- *	At any time -> RECV on error.  If RECV fails, the client will
- *	self-destroy, closing the socket and freeing memory.
- */
-#define ISC_HTTPD_STATEIDLE	0
-#define ISC_HTTPD_STATERECV	1
-#define ISC_HTTPD_STATERECVDONE	2
-#define ISC_HTTPD_STATESEND	3
-#define ISC_HTTPD_STATESENDDONE	4
-
-#define ISC_HTTPD_ISRECV(c)	((c)->state == ISC_HTTPD_STATERECV)
-#define ISC_HTTPD_ISRECVDONE(c)	((c)->state == ISC_HTTPD_STATERECVDONE)
-#define ISC_HTTPD_ISSEND(c)	((c)->state == ISC_HTTPD_STATESEND)
-#define ISC_HTTPD_ISSENDDONE(c)	((c)->state == ISC_HTTPD_STATESENDDONE)
-
-/*%
- * Overall magic test that means we're not idle.
- */
-#define ISC_HTTPD_SETRECV(c)	((c)->state = ISC_HTTPD_STATERECV)
-#define ISC_HTTPD_SETRECVDONE(c)	((c)->state = ISC_HTTPD_STATERECVDONE)
-#define ISC_HTTPD_SETSEND(c)	((c)->state = ISC_HTTPD_STATESEND)
-#define ISC_HTTPD_SETSENDDONE(c)	((c)->state = ISC_HTTPD_STATESENDDONE)
-
-static void isc_httpd_accept(isc_task_t *, isc_event_t *);
-static void isc_httpd_recvdone(isc_task_t *, isc_event_t *);
-static void isc_httpd_senddone(isc_task_t *, isc_event_t *);
-static void destroy_client(isc_httpd_t **);
-static isc_result_t process_request(isc_httpd_t *, int);
-static void httpdmgr_destroy(isc_httpdmgr_t *);
-static isc_result_t grow_headerspace(isc_httpd_t *);
-static void reset_client(isc_httpd_t *httpd);
-static isc_result_t render_404(const char *, const char *,
-			       void *,
-			       unsigned int *, const char **,
-			       const char **, isc_buffer_t *,
-			       isc_httpdfree_t **, void **);
-static isc_result_t render_500(const char *, const char *,
-			       void *,
-			       unsigned int *, const char **,
-			       const char **, isc_buffer_t *,
-			       isc_httpdfree_t **, void **);
-
-static void
-destroy_client(isc_httpd_t **httpdp)
-{
-	isc_httpd_t *httpd = *httpdp;
-	isc_httpdmgr_t *httpdmgr = httpd->mgr;
-
-	*httpdp = NULL;
-
-	LOCK(&httpdmgr->lock);
-
-	isc_socket_detach(&httpd->sock);
-	ISC_LIST_UNLINK(httpdmgr->running, httpd, link);
-
-	if (httpd->headerlen > 0)
-		isc_mem_put(httpdmgr->mctx, httpd->headerdata,
-			    httpd->headerlen);
-
-	isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
-
-	UNLOCK(&httpdmgr->lock);
-
-	httpdmgr_destroy(httpdmgr);
-}
-
-isc_result_t
-isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
-		    isc_httpdclientok_t *client_ok,
-		    isc_httpdondestroy_t *ondestroy, void *cb_arg,
-		    isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdp)
-{
-	isc_result_t result;
-	isc_httpdmgr_t *httpd;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(sock != NULL);
-	REQUIRE(task != NULL);
-	REQUIRE(tmgr != NULL);
-	REQUIRE(httpdp != NULL && *httpdp == NULL);
-
-	httpd = isc_mem_get(mctx, sizeof(isc_httpdmgr_t));
-	if (httpd == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&httpd->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, httpd, sizeof(isc_httpdmgr_t));
-		return (result);
-	}
-	httpd->mctx = NULL;
-	isc_mem_attach(mctx, &httpd->mctx);
-	httpd->sock = NULL;
-	isc_socket_attach(sock, &httpd->sock);
-	httpd->task = NULL;
-	isc_task_attach(task, &httpd->task);
-	httpd->timermgr = tmgr; /* XXXMLG no attach function? */
-	httpd->client_ok = client_ok;
-	httpd->ondestroy = ondestroy;
-	httpd->cb_arg = cb_arg;
-
-	ISC_LIST_INIT(httpd->running);
-	ISC_LIST_INIT(httpd->urls);
-
-	/* XXXMLG ignore errors on isc_socket_listen() */
-	result = isc_socket_listen(sock, SOMAXCONN);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_socket_listen() failed: %s",
-				 isc_result_totext(result));
-		goto cleanup;
-	}
-
-	(void)isc_socket_filter(sock, "httpready");
-
-	result = isc_socket_accept(sock, task, isc_httpd_accept, httpd);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	httpd->render_404 = render_404;
-	httpd->render_500 = render_500;
-
-	*httpdp = httpd;
-	return (ISC_R_SUCCESS);
-
-  cleanup:
-	isc_task_detach(&httpd->task);
-	isc_socket_detach(&httpd->sock);
-	isc_mem_detach(&httpd->mctx);
-	(void)isc_mutex_destroy(&httpd->lock);
-	isc_mem_put(mctx, httpd, sizeof(isc_httpdmgr_t));
-	return (result);
-}
-
-static void
-httpdmgr_destroy(isc_httpdmgr_t *httpdmgr)
-{
-	isc_mem_t *mctx;
-	isc_httpdurl_t *url;
-
-	ENTER("httpdmgr_destroy");
-
-	LOCK(&httpdmgr->lock);
-
-	if (!MSHUTTINGDOWN(httpdmgr)) {
-		NOTICE("httpdmgr_destroy not shutting down yet");
-		UNLOCK(&httpdmgr->lock);
-		return;
-	}
-
-	/*
-	 * If all clients are not shut down, don't do anything yet.
-	 */
-	if (!ISC_LIST_EMPTY(httpdmgr->running)) {
-		NOTICE("httpdmgr_destroy clients still active");
-		UNLOCK(&httpdmgr->lock);
-		return;
-	}
-
-	NOTICE("httpdmgr_destroy detaching socket, task, and timermgr");
-
-	isc_socket_detach(&httpdmgr->sock);
-	isc_task_detach(&httpdmgr->task);
-	httpdmgr->timermgr = NULL;
-
-	/*
-	 * Clear out the list of all actions we know about.  Just free the
-	 * memory.
-	 */
-	url = ISC_LIST_HEAD(httpdmgr->urls);
-	while (url != NULL) {
-		isc_mem_free(httpdmgr->mctx, url->url);
-		ISC_LIST_UNLINK(httpdmgr->urls, url, link);
-		isc_mem_put(httpdmgr->mctx, url, sizeof(isc_httpdurl_t));
-		url = ISC_LIST_HEAD(httpdmgr->urls);
-	}
-
-	UNLOCK(&httpdmgr->lock);
-	(void)isc_mutex_destroy(&httpdmgr->lock);
-
-	if (httpdmgr->ondestroy != NULL)
-		(httpdmgr->ondestroy)(httpdmgr->cb_arg);
-
-	mctx = httpdmgr->mctx;
-	isc_mem_putanddetach(&mctx, httpdmgr, sizeof(isc_httpdmgr_t));
-
-	EXIT("httpdmgr_destroy");
-}
-
-#define LENGTHOK(s) (httpd->recvbuf - (s) < (int)httpd->recvlen)
-#define BUFLENOK(s) (httpd->recvbuf - (s) < HTTP_RECVLEN)
-
-static isc_result_t
-process_request(isc_httpd_t *httpd, int length)
-{
-	char *s;
-	char *p;
-	int delim;
-
-	ENTER("request");
-
-	httpd->recvlen += length;
-
-	httpd->recvbuf[httpd->recvlen] = 0;
-
-	/*
-	 * If we don't find a blank line in our buffer, return that we need
-	 * more data.
-	 */
-	s = strstr(httpd->recvbuf, "\r\n\r\n");
-	delim = 1;
-	if (s == NULL) {
-		s = strstr(httpd->recvbuf, "\n\n");
-		delim = 2;
-	}
-	if (s == NULL)
-		return (ISC_R_NOTFOUND);
-
-	/*
-	 * Determine if this is a POST or GET method.  Any other values will
-	 * cause an error to be returned.
-	 */
-	if (strncmp(httpd->recvbuf, "GET ", 4) == 0) {
-		httpd->method = ISC_HTTPD_METHODGET;
-		p = httpd->recvbuf + 4;
-	} else if (strncmp(httpd->recvbuf, "POST ", 5) == 0) {
-		httpd->method = ISC_HTTPD_METHODPOST;
-		p = httpd->recvbuf + 5;
-	} else {
-		return (ISC_R_RANGE);
-	}
-
-	/*
-	 * From now on, p is the start of our buffer.
-	 */
-
-	/*
-	 * Extract the URL.
-	 */
-	s = p;
-	while (LENGTHOK(s) && BUFLENOK(s) &&
-	       (*s != '\n' && *s != '\r' && *s != '\0' && *s != ' '))
-		s++;
-	if (!LENGTHOK(s))
-		return (ISC_R_NOTFOUND);
-	if (!BUFLENOK(s))
-		return (ISC_R_NOMEMORY);
-	*s = 0;
-
-	/*
-	 * Make the URL relative.
-	 */
-	if ((strncmp(p, "http:/", 6) == 0)
-	    || (strncmp(p, "https:/", 7) == 0)) {
-		/* Skip first / */
-		while (*p != '/' && *p != 0)
-			p++;
-		if (*p == 0)
-			return (ISC_R_RANGE);
-		p++;
-		/* Skip second / */
-		while (*p != '/' && *p != 0)
-			p++;
-		if (*p == 0)
-			return (ISC_R_RANGE);
-		p++;
-		/* Find third / */
-		while (*p != '/' && *p != 0)
-			p++;
-		if (*p == 0) {
-			p--;
-			*p = '/';
-		}
-	}
-
-	httpd->url = p;
-	p = s + delim;
-	s = p;
-
-	/*
-	 * Now, see if there is a ? mark in the URL.  If so, this is
-	 * part of the query string, and we will split it from the URL.
-	 */
-	httpd->querystring = strchr(httpd->url, '?');
-	if (httpd->querystring != NULL) {
-		*(httpd->querystring) = 0;
-		httpd->querystring++;
-	}
-
-	/*
-	 * Extract the HTTP/1.X protocol.  We will bounce on anything but
-	 * HTTP/1.1 for now.
-	 */
-	while (LENGTHOK(s) && BUFLENOK(s) &&
-	       (*s != '\n' && *s != '\r' && *s != '\0'))
-		s++;
-	if (!LENGTHOK(s))
-		return (ISC_R_NOTFOUND);
-	if (!BUFLENOK(s))
-		return (ISC_R_NOMEMORY);
-	*s = 0;
-	if ((strncmp(p, "HTTP/1.0", 8) != 0)
-	    && (strncmp(p, "HTTP/1.1", 8) != 0))
-		return (ISC_R_RANGE);
-	httpd->protocol = p;
-	p = s + 1;
-	s = p;
-
-	if (strstr(s, "Connection: close") != NULL)
-		httpd->flags |= HTTPD_CLOSE;
-
-	if (strstr(s, "Host: ") != NULL)
-		httpd->flags |= HTTPD_FOUNDHOST;
-
-	/*
-	 * Standards compliance hooks here.
-	 */
-	if (strcmp(httpd->protocol, "HTTP/1.1") == 0
-	    && ((httpd->flags & HTTPD_FOUNDHOST) == 0))
-		return (ISC_R_RANGE);
-
-	EXIT("request");
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-isc_httpd_accept(isc_task_t *task, isc_event_t *ev)
-{
-	isc_result_t result;
-	isc_httpdmgr_t *httpdmgr = ev->ev_arg;
-	isc_httpd_t *httpd;
-	isc_region_t r;
-	isc_socket_newconnev_t *nev = (isc_socket_newconnev_t *)ev;
-	isc_sockaddr_t peeraddr;
-
-	ENTER("accept");
-
-	LOCK(&httpdmgr->lock);
-	if (MSHUTTINGDOWN(httpdmgr)) {
-		NOTICE("accept shutting down, goto out");
-		goto out;
-	}
-
-	if (nev->result == ISC_R_CANCELED) {
-		NOTICE("accept canceled, goto out");
-		goto out;
-	}
-
-	if (nev->result != ISC_R_SUCCESS) {
-		/* XXXMLG log failure */
-		NOTICE("accept returned failure, goto requeue");
-		goto requeue;
-	}
-
-	(void)isc_socket_getpeername(nev->newsocket, &peeraddr);
-	if (httpdmgr->client_ok != NULL &&
-	    !(httpdmgr->client_ok)(&peeraddr, httpdmgr->cb_arg)) {
-		isc_socket_detach(&nev->newsocket);
-		goto requeue;
-	}
-
-	httpd = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpd_t));
-	if (httpd == NULL) {
-		/* XXXMLG log failure */
-		NOTICE("accept failed to allocate memory, goto requeue");
-		isc_socket_detach(&nev->newsocket);
-		goto requeue;
-	}
-
-	httpd->mgr = httpdmgr;
-	ISC_LINK_INIT(httpd, link);
-	ISC_LIST_APPEND(httpdmgr->running, httpd, link);
-	ISC_HTTPD_SETRECV(httpd);
-	httpd->sock = nev->newsocket;
-	isc_socket_setname(httpd->sock, "httpd", NULL);
-	httpd->flags = 0;
-
-	/*
-	 * Initialize the buffer for our headers.
-	 */
-	httpd->headerdata = isc_mem_get(httpdmgr->mctx, HTTP_SENDGROW);
-	if (httpd->headerdata == NULL) {
-		isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
-		isc_socket_detach(&nev->newsocket);
-		goto requeue;
-	}
-	httpd->headerlen = HTTP_SENDGROW;
-	isc_buffer_init(&httpd->headerbuffer, httpd->headerdata,
-			httpd->headerlen);
-
-	ISC_LIST_INIT(httpd->bufflist);
-
-	isc_buffer_initnull(&httpd->bodybuffer);
-	reset_client(httpd);
-
-	r.base = (unsigned char *)httpd->recvbuf;
-	r.length = HTTP_RECVLEN - 1;
-	result = isc_socket_recv(httpd->sock, &r, 1, task, isc_httpd_recvdone,
-				 httpd);
-	/* FIXME!!! */
-	POST(result);
-	NOTICE("accept queued recv on socket");
-
- requeue:
-	result = isc_socket_accept(httpdmgr->sock, task, isc_httpd_accept,
-				   httpdmgr);
-	if (result != ISC_R_SUCCESS) {
-		/* XXXMLG what to do?  Log failure... */
-		NOTICE("accept could not reaccept due to failure");
-	}
-
- out:
-	UNLOCK(&httpdmgr->lock);
-
-	httpdmgr_destroy(httpdmgr);
-
-	isc_event_free(&ev);
-
-	EXIT("accept");
-}
-
-static isc_result_t
-render_404(const char *url, const char *querystring,
-	   void *arg,
-	   unsigned int *retcode, const char **retmsg,
-	   const char **mimetype, isc_buffer_t *b,
-	   isc_httpdfree_t **freecb, void **freecb_args)
-{
-	static char msg[] = "No such URL.";
-
-	UNUSED(url);
-	UNUSED(querystring);
-	UNUSED(arg);
-
-	*retcode = 404;
-	*retmsg = "No such URL";
-	*mimetype = "text/plain";
-	isc_buffer_reinit(b, msg, strlen(msg));
-	isc_buffer_add(b, strlen(msg));
-	*freecb = NULL;
-	*freecb_args = NULL;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-render_500(const char *url, const char *querystring,
-	   void *arg,
-	   unsigned int *retcode, const char **retmsg,
-	   const char **mimetype, isc_buffer_t *b,
-	   isc_httpdfree_t **freecb, void **freecb_args)
-{
-	static char msg[] = "Internal server failure.";
-
-	UNUSED(url);
-	UNUSED(querystring);
-	UNUSED(arg);
-
-	*retcode = 500;
-	*retmsg = "Internal server failure";
-	*mimetype = "text/plain";
-	isc_buffer_reinit(b, msg, strlen(msg));
-	isc_buffer_add(b, strlen(msg));
-	*freecb = NULL;
-	*freecb_args = NULL;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev)
-{
-	isc_region_t r;
-	isc_result_t result;
-	isc_httpd_t *httpd = ev->ev_arg;
-	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
-	isc_httpdurl_t *url;
-	isc_time_t now;
-	char datebuf[32];  /* Only need 30, but safety first */
-
-	ENTER("recv");
-
-	INSIST(ISC_HTTPD_ISRECV(httpd));
-
-	if (sev->result != ISC_R_SUCCESS) {
-		NOTICE("recv destroying client");
-		destroy_client(&httpd);
-		goto out;
-	}
-
-	result = process_request(httpd, sev->n);
-	if (result == ISC_R_NOTFOUND) {
-		if (httpd->recvlen >= HTTP_RECVLEN - 1) {
-			destroy_client(&httpd);
-			goto out;
-		}
-		r.base = (unsigned char *)httpd->recvbuf + httpd->recvlen;
-		r.length = HTTP_RECVLEN - httpd->recvlen - 1;
-		/* check return code? */
-		(void)isc_socket_recv(httpd->sock, &r, 1, task,
-				      isc_httpd_recvdone, httpd);
-		goto out;
-	} else if (result != ISC_R_SUCCESS) {
-		destroy_client(&httpd);
-		goto out;
-	}
-
-	ISC_HTTPD_SETSEND(httpd);
-
-	/*
-	 * XXXMLG Call function here.  Provide an add-header function
-	 * which will append the common headers to a response we generate.
-	 */
-	isc_buffer_initnull(&httpd->bodybuffer);
-	isc_time_now(&now);
-	isc_time_formathttptimestamp(&now, datebuf, sizeof(datebuf));
-	url = ISC_LIST_HEAD(httpd->mgr->urls);
-	while (url != NULL) {
-		if (strcmp(httpd->url, url->url) == 0)
-			break;
-		url = ISC_LIST_NEXT(url, link);
-	}
-	if (url == NULL)
-		result = httpd->mgr->render_404(httpd->url, httpd->querystring,
-						NULL,
-						&httpd->retcode,
-						&httpd->retmsg,
-						&httpd->mimetype,
-						&httpd->bodybuffer,
-						&httpd->freecb,
-						&httpd->freecb_arg);
-	else
-		result = url->action(httpd->url, httpd->querystring,
-				     url->action_arg,
-				     &httpd->retcode, &httpd->retmsg,
-				     &httpd->mimetype, &httpd->bodybuffer,
-				     &httpd->freecb, &httpd->freecb_arg);
-	if (result != ISC_R_SUCCESS) {
-		result = httpd->mgr->render_500(httpd->url, httpd->querystring,
-						NULL, &httpd->retcode,
-						&httpd->retmsg,
-						&httpd->mimetype,
-						&httpd->bodybuffer,
-						&httpd->freecb,
-						&httpd->freecb_arg);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	}
-
-	isc_httpd_response(httpd);
-	isc_httpd_addheader(httpd, "Content-Type", httpd->mimetype);
-	isc_httpd_addheader(httpd, "Date", datebuf);
-	isc_httpd_addheader(httpd, "Expires", datebuf);
-	isc_httpd_addheader(httpd, "Last-Modified", datebuf);
-	isc_httpd_addheader(httpd, "Pragma: no-cache", NULL);
-	isc_httpd_addheader(httpd, "Cache-Control: no-cache", NULL);
-	isc_httpd_addheader(httpd, "Server: libisc", NULL);
-	isc_httpd_addheaderuint(httpd, "Content-Length",
-				isc_buffer_usedlength(&httpd->bodybuffer));
-	isc_httpd_endheaders(httpd);  /* done */
-
-	ISC_LIST_APPEND(httpd->bufflist, &httpd->headerbuffer, link);
-	/*
-	 * Link the data buffer into our send queue, should we have any data
-	 * rendered into it.  If no data is present, we won't do anything
-	 * with the buffer.
-	 */
-	if (isc_buffer_length(&httpd->bodybuffer) > 0)
-		ISC_LIST_APPEND(httpd->bufflist, &httpd->bodybuffer, link);
-
-	/* check return code? */
-	(void)isc_socket_sendv(httpd->sock, &httpd->bufflist, task,
-			       isc_httpd_senddone, httpd);
-
- out:
-	isc_event_free(&ev);
-	EXIT("recv");
-}
-
-void
-isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdmgrp)
-{
-	isc_httpdmgr_t *httpdmgr;
-	isc_httpd_t *httpd;
-	httpdmgr = *httpdmgrp;
-	*httpdmgrp = NULL;
-
-	ENTER("isc_httpdmgr_shutdown");
-
-	LOCK(&httpdmgr->lock);
-
-	MSETSHUTTINGDOWN(httpdmgr);
-
-	isc_socket_cancel(httpdmgr->sock, httpdmgr->task, ISC_SOCKCANCEL_ALL);
-
-	httpd = ISC_LIST_HEAD(httpdmgr->running);
-	while (httpd != NULL) {
-		isc_socket_cancel(httpd->sock, httpdmgr->task,
-				  ISC_SOCKCANCEL_ALL);
-		httpd = ISC_LIST_NEXT(httpd, link);
-	}
-
-	UNLOCK(&httpdmgr->lock);
-
-	EXIT("isc_httpdmgr_shutdown");
-}
-
-static isc_result_t
-grow_headerspace(isc_httpd_t *httpd)
-{
-	char *newspace;
-	unsigned int newlen;
-	isc_region_t r;
-
-	newlen = httpd->headerlen + HTTP_SENDGROW;
-	if (newlen > HTTP_SEND_MAXLEN)
-		return (ISC_R_NOSPACE);
-
-	newspace = isc_mem_get(httpd->mgr->mctx, newlen);
-	if (newspace == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_buffer_region(&httpd->headerbuffer, &r);
-	isc_buffer_reinit(&httpd->headerbuffer, newspace, newlen);
-
-	isc_mem_put(httpd->mgr->mctx, r.base, r.length);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_httpd_response(isc_httpd_t *httpd)
-{
-	isc_result_t result;
-	unsigned int needlen;
-
-	needlen = strlen(httpd->protocol) + 1; /* protocol + space */
-	needlen += 3 + 1;  /* room for response code, always 3 bytes */
-	needlen += strlen(httpd->retmsg) + 2;  /* return msg + CRLF */
-
-	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
-		result = grow_headerspace(httpd);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	sprintf(isc_buffer_used(&httpd->headerbuffer), "%s %03d %s\r\n",
-		httpd->protocol, httpd->retcode, httpd->retmsg);
-	isc_buffer_add(&httpd->headerbuffer, needlen);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
-		    const char *val)
-{
-	isc_result_t result;
-	unsigned int needlen;
-
-	needlen = strlen(name); /* name itself */
-	if (val != NULL)
-		needlen += 2 + strlen(val); /* :<space> and val */
-	needlen += 2; /* CRLF */
-
-	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
-		result = grow_headerspace(httpd);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	if (val != NULL)
-		sprintf(isc_buffer_used(&httpd->headerbuffer),
-			"%s: %s\r\n", name, val);
-	else
-		sprintf(isc_buffer_used(&httpd->headerbuffer),
-			"%s\r\n", name);
-
-	isc_buffer_add(&httpd->headerbuffer, needlen);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_httpd_endheaders(isc_httpd_t *httpd)
-{
-	isc_result_t result;
-
-	while (isc_buffer_availablelength(&httpd->headerbuffer) < 2) {
-		result = grow_headerspace(httpd);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	sprintf(isc_buffer_used(&httpd->headerbuffer), "\r\n");
-	isc_buffer_add(&httpd->headerbuffer, 2);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val) {
-	isc_result_t result;
-	unsigned int needlen;
-	char buf[sizeof "18446744073709551616"];
-
-	sprintf(buf, "%d", val);
-
-	needlen = strlen(name); /* name itself */
-	needlen += 2 + strlen(buf); /* :<space> and val */
-	needlen += 2; /* CRLF */
-
-	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
-		result = grow_headerspace(httpd);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	sprintf(isc_buffer_used(&httpd->headerbuffer),
-		"%s: %s\r\n", name, buf);
-
-	isc_buffer_add(&httpd->headerbuffer, needlen);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-isc_httpd_senddone(isc_task_t *task, isc_event_t *ev)
-{
-	isc_httpd_t *httpd = ev->ev_arg;
-	isc_region_t r;
-	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
-
-	ENTER("senddone");
-	INSIST(ISC_HTTPD_ISSEND(httpd));
-
-	/*
-	 * First, unlink our header buffer from the socket's bufflist.  This
-	 * is sort of an evil hack, since we know our buffer will be there,
-	 * and we know it's address, so we can just remove it directly.
-	 */
-	NOTICE("senddone unlinked header");
-	ISC_LIST_UNLINK(sev->bufferlist, &httpd->headerbuffer, link);
-
-	/*
-	 * We will always want to clean up our receive buffer, even if we
-	 * got an error on send or we are shutting down.
-	 *
-	 * We will pass in the buffer only if there is data in it.  If
-	 * there is no data, we will pass in a NULL.
-	 */
-	if (httpd->freecb != NULL) {
-		isc_buffer_t *b = NULL;
-		if (isc_buffer_length(&httpd->bodybuffer) > 0)
-			b = &httpd->bodybuffer;
-		httpd->freecb(b, httpd->freecb_arg);
-		NOTICE("senddone free callback performed");
-	}
-	if (ISC_LINK_LINKED(&httpd->bodybuffer, link)) {
-		ISC_LIST_UNLINK(sev->bufferlist, &httpd->bodybuffer, link);
-		NOTICE("senddone body buffer unlinked");
-	}
-
-	if (sev->result != ISC_R_SUCCESS) {
-		destroy_client(&httpd);
-		goto out;
-	}
-
-	if ((httpd->flags & HTTPD_CLOSE) != 0) {
-		destroy_client(&httpd);
-		goto out;
-	}
-
-	ISC_HTTPD_SETRECV(httpd);
-
-	NOTICE("senddone restarting recv on socket");
-
-	reset_client(httpd);
-
-	r.base = (unsigned char *)httpd->recvbuf;
-	r.length = HTTP_RECVLEN - 1;
-	/* check return code? */
-	(void)isc_socket_recv(httpd->sock, &r, 1, task,
-			      isc_httpd_recvdone, httpd);
-
-out:
-	isc_event_free(&ev);
-	EXIT("senddone");
-}
-
-static void
-reset_client(isc_httpd_t *httpd)
-{
-	/*
-	 * Catch errors here.  We MUST be in RECV mode, and we MUST NOT have
-	 * any outstanding buffers.  If we have buffers, we have a leak.
-	 */
-	INSIST(ISC_HTTPD_ISRECV(httpd));
-	INSIST(!ISC_LINK_LINKED(&httpd->headerbuffer, link));
-	INSIST(!ISC_LINK_LINKED(&httpd->bodybuffer, link));
-
-	httpd->recvbuf[0] = 0;
-	httpd->recvlen = 0;
-	httpd->method = ISC_HTTPD_METHODUNKNOWN;
-	httpd->url = NULL;
-	httpd->querystring = NULL;
-	httpd->protocol = NULL;
-	httpd->flags = 0;
-
-	isc_buffer_clear(&httpd->headerbuffer);
-	isc_buffer_invalidate(&httpd->bodybuffer);
-}
-
-isc_result_t
-isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
-		    isc_httpdaction_t *func, void *arg)
-{
-	isc_httpdurl_t *item;
-
-	if (url == NULL) {
-		httpdmgr->render_404 = func;
-		return (ISC_R_SUCCESS);
-	}
-
-	item = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpdurl_t));
-	if (item == NULL)
-		return (ISC_R_NOMEMORY);
-
-	item->url = isc_mem_strdup(httpdmgr->mctx, url);
-	if (item->url == NULL) {
-		isc_mem_put(httpdmgr->mctx, item, sizeof(isc_httpdurl_t));
-		return (ISC_R_NOMEMORY);
-	}
-
-	item->action = func;
-	item->action_arg = arg;
-	ISC_LINK_INIT(item, link);
-	ISC_LIST_APPEND(httpdmgr->urls, item, link);
-
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/ia64/Makefile.in b/contrib/bind9/lib/isc/ia64/Makefile.in
deleted file mode 100644
index 9c24cdf..0000000
--- a/contrib/bind9/lib/isc/ia64/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/ia64/include/Makefile.in b/contrib/bind9/lib/isc/ia64/include/Makefile.in
deleted file mode 100644
index e399559..0000000
--- a/contrib/bind9/lib/isc/ia64/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/ia64/include/isc/Makefile.in b/contrib/bind9/lib/isc/ia64/include/isc/Makefile.in
deleted file mode 100644
index 4927e21..0000000
--- a/contrib/bind9/lib/isc/ia64/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	atomic.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/ia64/include/isc/atomic.h b/contrib/bind9/lib/isc/ia64/include/isc/atomic.h
deleted file mode 100644
index 557941d..0000000
--- a/contrib/bind9/lib/isc/ia64/include/isc/atomic.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2006, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: atomic.h,v 1.7 2009/06/24 02:22:50 marka Exp $ */
-
-#ifndef ISC_ATOMIC_H
-#define ISC_ATOMIC_H 1
-
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#ifdef ISC_PLATFORM_USEGCCASM
-/*
- * This routine atomically increments the value stored in 'p' by 'val', and
- * returns the previous value.
- *
- * Open issue: can 'fetchadd' make the code faster for some particular values
- * (e.g., 1 and -1)?
- */
-static inline isc_int32_t
-#ifdef __GNUC__
-__attribute__ ((unused))
-#endif
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val)
-{
-	isc_int32_t prev, swapped;
-
-	for (prev = *(volatile isc_int32_t *)p; ; prev = swapped) {
-		swapped = prev + val;
-		__asm__ volatile(
-			"mov ar.ccv=%2;;"
-			"cmpxchg4.acq %0=%4,%3,ar.ccv"
-			: "=r" (swapped), "=m" (*p)
-			: "r" (prev), "r" (swapped), "m" (*p)
-			: "memory");
-		if (swapped == prev)
-			break;
-	}
-
-	return (prev);
-}
-
-/*
- * This routine atomically stores the value 'val' in 'p'.
- */
-static inline void
-#ifdef __GNUC__
-__attribute__ ((unused))
-#endif
-isc_atomic_store(isc_int32_t *p, isc_int32_t val)
-{
-	__asm__ volatile(
-		"st4.rel %0=%1"
-		: "=m" (*p)
-		: "r" (val)
-		: "memory"
-		);
-}
-
-/*
- * This routine atomically replaces the value in 'p' with 'val', if the
- * original value is equal to 'cmpval'.  The original value is returned in any
- * case.
- */
-static inline isc_int32_t
-#ifdef __GNUC__
-__attribute__ ((unused))
-#endif
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val)
-{
-	isc_int32_t ret;
-
-	__asm__ volatile(
-		"mov ar.ccv=%2;;"
-		"cmpxchg4.acq %0=%4,%3,ar.ccv"
-		: "=r" (ret), "=m" (*p)
-		: "r" (cmpval), "r" (val), "m" (*p)
-		: "memory");
-
-	return (ret);
-}
-#else /* !ISC_PLATFORM_USEGCCASM */
-
-#error "unsupported compiler.  disable atomic ops by --disable-atomic"
-
-#endif
-#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/include/Makefile.in b/contrib/bind9/lib/isc/include/Makefile.in
deleted file mode 100644
index 70c165e..0000000
--- a/contrib/bind9/lib/isc/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.13 2007/06/19 23:47:18 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/include/isc/Makefile.in b/contrib/bind9/lib/isc/include/isc/Makefile.in
deleted file mode 100644
index 8afcfa7..0000000
--- a/contrib/bind9/lib/isc/include/isc/Makefile.in
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright (C) 2004-2009, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001, 2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated.  The latter are handled specially in the
-# install target below.
-#
-HEADERS =	app.h assertions.h base64.h bind9.h bitstring.h boolean.h \
-		buffer.h bufferlist.h commandline.h entropy.h error.h event.h \
-		eventclass.h file.h formatcheck.h fsaccess.h \
-		hash.h heap.h hex.h hmacmd5.h hmacsha.h \
-		httpd.h \
-		interfaceiter.h @ISC_IPV6_H@ iterated_hash.h lang.h lex.h \
-		lfsr.h lib.h list.h log.h \
-		magic.h md5.h mem.h msgcat.h msgs.h mutexblock.h \
-		namespace.h netaddr.h ondestroy.h os.h parseint.h \
-		print.h quota.h radix.h random.h ratelimiter.h \
-		refcount.h regex.h region.h resource.h \
-		result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \
-		sockaddr.h socket.h stdio.h stdlib.h string.h \
-		symtab.h \
-	        task.h taskpool.h timer.h types.h util.h version.h \
-		xml.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isc ; \
-	done
-	${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/isc
-
-distclean::
-	rm -f platform.h
diff --git a/contrib/bind9/lib/isc/include/isc/app.h b/contrib/bind9/lib/isc/include/isc/app.h
deleted file mode 100644
index e0be790..0000000
--- a/contrib/bind9/lib/isc/include/isc/app.h
+++ /dev/null
@@ -1,375 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: app.h,v 1.11 2009/09/02 23:48:03 tbox Exp $ */
-
-#ifndef ISC_APP_H
-#define ISC_APP_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/app.h
- * \brief ISC Application Support
- *
- * Dealing with program termination can be difficult, especially in a
- * multithreaded program.  The routines in this module help coordinate
- * the shutdown process.  They are used as follows by the initial (main)
- * thread of the application:
- *
- *\li		isc_app_start();	Call very early in main(), before
- *					any other threads have been created.
- *
- *\li		isc_app_run();		This will post any on-run events,
- *					and then block until application
- *					shutdown is requested.  A shutdown
- *					request is made by calling
- *					isc_app_shutdown(), or by sending
- *					SIGINT or SIGTERM to the process.
- *					After isc_app_run() returns, the
- *					application should shutdown itself.
- *
- *\li		isc_app_finish();	Call very late in main().
- *
- * Applications that want to use SIGHUP/isc_app_reload() to trigger reloading
- * should check the result of isc_app_run() and call the reload routine if
- * the result is ISC_R_RELOAD.  They should then call isc_app_run() again
- * to resume waiting for reload or termination.
- *
- * Use of this module is not required.  In particular, isc_app_start() is
- * NOT an ISC library initialization routine.
- *
- * This module also supports per-thread 'application contexts'.  With this
- * mode, a thread-based application will have a separate context, in which
- * it uses other ISC library services such as tasks or timers.  Signals are
- * not caught in this mode, so that the application can handle the signals
- * in its preferred way.
- *
- * \li MP:
- *	Clients must ensure that isc_app_start(), isc_app_run(), and
- *	isc_app_finish() are called at most once.  isc_app_shutdown()
- *	is safe to use by any thread (provided isc_app_start() has been
- *	called previously).
- *
- *	The same note applies to isc_app_ctxXXX() functions, but in this case
- *	it's a per-thread restriction.  For example, a thread with an
- *	application context must ensure that isc_app_ctxstart() with the
- *	context is called at most once.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	None.
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	None.
- */
-
-#include <isc/eventclass.h>
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/result.h>
-
-/***
- *** Types
- ***/
-
-typedef isc_event_t isc_appevent_t;
-
-#define ISC_APPEVENT_FIRSTEVENT		(ISC_EVENTCLASS_APP + 0)
-#define ISC_APPEVENT_SHUTDOWN		(ISC_EVENTCLASS_APP + 1)
-#define ISC_APPEVENT_LASTEVENT		(ISC_EVENTCLASS_APP + 65535)
-
-/*%
- * app module methods.  Only app driver implementations use this structure.
- * Other clients should use the top-level interfaces (i.e., isc_app_xxx
- * functions).  magic must be ISCAPI_APPMETHODS_MAGIC.
- */
-typedef struct isc_appmethods {
-	void		(*ctxdestroy)(isc_appctx_t **ctxp);
-	isc_result_t	(*ctxstart)(isc_appctx_t *ctx);
-	isc_result_t	(*ctxrun)(isc_appctx_t *ctx);
-	isc_result_t	(*ctxsuspend)(isc_appctx_t *ctx);
-	isc_result_t	(*ctxshutdown)(isc_appctx_t *ctx);
-	void		(*ctxfinish)(isc_appctx_t *ctx);
-	void		(*settaskmgr)(isc_appctx_t *ctx,
-				      isc_taskmgr_t *timermgr);
-	void		(*setsocketmgr)(isc_appctx_t *ctx,
-					isc_socketmgr_t *timermgr);
-	void		(*settimermgr)(isc_appctx_t *ctx,
-				       isc_timermgr_t *timermgr);
-} isc_appmethods_t;
-
-/*%
- * This structure is actually just the common prefix of an application context
- * implementation's version of an isc_appctx_t.
- * \brief
- * Direct use of this structure by clients is forbidden.  app implementations
- * may change the structure.  'magic' must be ISCAPI_APPCTX_MAGIC for any
- * of the isc_app_ routines to work.  app implementations must maintain
- * all app context invariants.
- */
-struct isc_appctx {
-	unsigned int		impmagic;
-	unsigned int		magic;
-	isc_appmethods_t	*methods;
-};
-
-#define ISCAPI_APPCTX_MAGIC		ISC_MAGIC('A','a','p','c')
-#define ISCAPI_APPCTX_VALID(c)		((c) != NULL && \
-					 (c)->magic == ISCAPI_APPCTX_MAGIC)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_app_ctxstart(isc_appctx_t *ctx);
-
-isc_result_t
-isc_app_start(void);
-/*!<
- * \brief Start an ISC library application.
- *
- * Notes:
- *	This call should be made before any other ISC library call, and as
- *	close to the beginning of the application as possible.
- *
- * Requires:
- *	'ctx' is a valid application context (for app_ctxstart()).
- */
-
-isc_result_t
-isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
-	      void *arg);
-/*!<
- * \brief Request delivery of an event when the application is run.
- *
- * Requires:
- *\li	isc_app_start() has been called.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_NOMEMORY
- */
-
-isc_result_t
-isc_app_ctxrun(isc_appctx_t *ctx);
-
-isc_result_t
-isc_app_run(void);
-/*!<
- * \brief Run an ISC library application.
- *
- * Notes:
- *\li	The caller (typically the initial thread of an application) will
- *	block until shutdown is requested.  When the call returns, the
- *	caller should start shutting down the application.
- *
- * Requires:
- *\li	isc_app_[ctx]start() has been called.
- *
- * Ensures:
- *\li	Any events requested via isc_app_onrun() will have been posted (in
- *	FIFO order) before isc_app_run() blocks.
- *\li	'ctx' is a valid application context (for app_ctxrun()).
- *
- * Returns:
- *\li	ISC_R_SUCCESS			Shutdown has been requested.
- *\li	ISC_R_RELOAD			Reload has been requested.
- */
-
-isc_result_t
-isc_app_ctxshutdown(isc_appctx_t *ctx);
-
-isc_result_t
-isc_app_shutdown(void);
-/*!<
- * \brief Request application shutdown.
- *
- * Notes:
- *\li	It is safe to call isc_app_shutdown() multiple times.  Shutdown will
- *	only be triggered once.
- *
- * Requires:
- *\li	isc_app_[ctx]run() has been called.
- *\li	'ctx' is a valid application context (for app_ctxshutdown()).
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_app_ctxsuspend(isc_appctx_t *ctx);
-/*!<
- * \brief This has the same behavior as isc_app_ctxsuspend().
- */
-
-isc_result_t
-isc_app_reload(void);
-/*!<
- * \brief Request application reload.
- *
- * Requires:
- *\li	isc_app_run() has been called.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_UNEXPECTED
- */
-
-void
-isc_app_ctxfinish(isc_appctx_t *ctx);
-
-void
-isc_app_finish(void);
-/*!<
- * \brief Finish an ISC library application.
- *
- * Notes:
- *\li	This call should be made at or near the end of main().
- *
- * Requires:
- *\li	isc_app_start() has been called.
- *\li	'ctx' is a valid application context (for app_ctxfinish()).
- *
- * Ensures:
- *\li	Any resources allocated by isc_app_start() have been released.
- */
-
-void
-isc_app_block(void);
-/*!<
- * \brief Indicate that a blocking operation will be performed.
- *
- * Notes:
- *\li	If a blocking operation is in process, a call to isc_app_shutdown()
- *	or an external signal will abort the program, rather than allowing
- *	clean shutdown.  This is primarily useful for reading user input.
- *
- * Requires:
- * \li	isc_app_start() has been called.
- * \li	No other blocking operations are in progress.
- */
-
-void
-isc_app_unblock(void);
-/*!<
- * \brief Indicate that a blocking operation is complete.
- *
- * Notes:
- * \li	When a blocking operation has completed, return the program to a
- * 	state where a call to isc_app_shutdown() or an external signal will
- * 	shutdown normally.
- *
- * Requires:
- * \li	isc_app_start() has been called.
- * \li	isc_app_block() has been called by the same thread.
- */
-
-isc_result_t
-isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp);
-/*!<
- * \brief Create an application context.
- *
- * Requires:
- *\li	'mctx' is a valid memory context.
- *\li	'ctxp' != NULL && *ctxp == NULL.
- */
-
-void
-isc_appctx_destroy(isc_appctx_t **ctxp);
-/*!<
- * \brief Destroy an application context.
- *
- * Requires:
- *\li	'*ctxp' is a valid application context.
- *
- * Ensures:
- *\li	*ctxp == NULL.
- */
-
-void
-isc_appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr);
-/*!<
- * \brief Associate a task manager with an application context.
- *
- * This must be done before running tasks within the application context.
- *
- * Requires:
- *\li	'ctx' is a valid application context.
- *\li	'taskmgr' is a valid task manager.
- */
-
-void
-isc_appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr);
-/*!<
- * \brief Associate a socket manager with an application context.
- *
- * This must be done before handling socket events within the application
- * context.
- *
- * Requires:
- *\li	'ctx' is a valid application context.
- *\li	'socketmgr' is a valid socket manager.
- */
-
-void
-isc_appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr);
-/*!<
- * \brief Associate a socket timer with an application context.
- *
- * This must be done before handling timer events within the application
- * context.
- *
- * Requires:
- *\li	'ctx' is a valid application context.
- *\li	'timermgr' is a valid timer manager.
- */
-
-#ifdef USE_APPIMPREGISTER
-/*%<
- * See isc_appctx_create() above.
- */
-typedef isc_result_t
-(*isc_appctxcreatefunc_t)(isc_mem_t *mctx, isc_appctx_t **ctxp);
-
-isc_result_t
-isc_app_register(isc_appctxcreatefunc_t createfunc);
-/*%<
- * Register a new application implementation and add it to the list of
- * supported implementations.  This function must be called when a different
- * event library is used than the one contained in the ISC library.
- */
-
-isc_result_t
-isc__app_register(void);
-/*%<
- * A short cut function that specifies the application module in the ISC
- * library for isc_app_register().  An application that uses the ISC library
- * usually do not have to care about this function: it would call
- * isc_lib_register(), which internally calls this function.
- */
-#endif /* USE_APPIMPREGISTER */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_APP_H */
diff --git a/contrib/bind9/lib/isc/include/isc/assertions.h b/contrib/bind9/lib/isc/include/isc/assertions.h
deleted file mode 100644
index 2c81b1a..0000000
--- a/contrib/bind9/lib/isc/include/isc/assertions.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: assertions.h,v 1.28 2009/09/29 23:48:04 tbox Exp $
- */
-/*! \file isc/assertions.h
- */
-
-#ifndef ISC_ASSERTIONS_H
-#define ISC_ASSERTIONS_H 1
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-ISC_LANG_BEGINDECLS
-
-/*% isc assertion type */
-typedef enum {
-	isc_assertiontype_require,
-	isc_assertiontype_ensure,
-	isc_assertiontype_insist,
-	isc_assertiontype_invariant
-} isc_assertiontype_t;
-
-typedef void (*isc_assertioncallback_t)(const char *, int, isc_assertiontype_t,
-					const char *);
-
-/* coverity[+kill] */
-ISC_PLATFORM_NORETURN_PRE
-void isc_assertion_failed(const char *, int, isc_assertiontype_t,
-			  const char *) ISC_PLATFORM_NORETURN_POST;
-
-void
-isc_assertion_setcallback(isc_assertioncallback_t);
-
-const char *
-isc_assertion_typetotext(isc_assertiontype_t type);
-
-#if defined(ISC_CHECK_ALL) || defined(__COVERITY__)
-#define ISC_CHECK_REQUIRE		1
-#define ISC_CHECK_ENSURE		1
-#define ISC_CHECK_INSIST		1
-#define ISC_CHECK_INVARIANT		1
-#endif
-
-#if defined(ISC_CHECK_NONE) && !defined(__COVERITY__)
-#define ISC_CHECK_REQUIRE		0
-#define ISC_CHECK_ENSURE		0
-#define ISC_CHECK_INSIST		0
-#define ISC_CHECK_INVARIANT		0
-#endif
-
-#ifndef ISC_CHECK_REQUIRE
-#define ISC_CHECK_REQUIRE		1
-#endif
-
-#ifndef ISC_CHECK_ENSURE
-#define ISC_CHECK_ENSURE		1
-#endif
-
-#ifndef ISC_CHECK_INSIST
-#define ISC_CHECK_INSIST		1
-#endif
-
-#ifndef ISC_CHECK_INVARIANT
-#define ISC_CHECK_INVARIANT		1
-#endif
-
-#if ISC_CHECK_REQUIRE != 0
-#define ISC_REQUIRE(cond) \
-	((void) ((cond) || \
-		 ((isc_assertion_failed)(__FILE__, __LINE__, \
-					 isc_assertiontype_require, \
-					 #cond), 0)))
-#else
-#define ISC_REQUIRE(cond)	((void) 0)
-#endif /* ISC_CHECK_REQUIRE */
-
-#if ISC_CHECK_ENSURE != 0
-#define ISC_ENSURE(cond) \
-	((void) ((cond) || \
-		 ((isc_assertion_failed)(__FILE__, __LINE__, \
-					 isc_assertiontype_ensure, \
-					 #cond), 0)))
-#else
-#define ISC_ENSURE(cond)	((void) 0)
-#endif /* ISC_CHECK_ENSURE */
-
-#if ISC_CHECK_INSIST != 0
-#define ISC_INSIST(cond) \
-	((void) ((cond) || \
-		 ((isc_assertion_failed)(__FILE__, __LINE__, \
-					 isc_assertiontype_insist, \
-					 #cond), 0)))
-#else
-#define ISC_INSIST(cond)	((void) 0)
-#endif /* ISC_CHECK_INSIST */
-
-#if ISC_CHECK_INVARIANT != 0
-#define ISC_INVARIANT(cond) \
-	((void) ((cond) || \
-		 ((isc_assertion_failed)(__FILE__, __LINE__, \
-					 isc_assertiontype_invariant, \
-					 #cond), 0)))
-#else
-#define ISC_INVARIANT(cond)	((void) 0)
-#endif /* ISC_CHECK_INVARIANT */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_ASSERTIONS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/backtrace.h b/contrib/bind9/lib/isc/include/isc/backtrace.h
deleted file mode 100644
index c0e98c0..0000000
--- a/contrib/bind9/lib/isc/include/isc/backtrace.h
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: backtrace.h,v 1.2 2009/09/01 18:40:25 jinmei Exp $ */
-
-/*! \file isc/backtrace.h
- * \brief provide a back trace of the running process to help debug problems.
- *
- * This module tries to get a back trace of the process using some platform
- * dependent way when available.  It also manages an internal symbol table
- * that maps function addresses used in the process to their textual symbols.
- * This module is expected to be used to help debug when some fatal error
- * happens.
- *
- * IMPORTANT NOTE: since the (major) intended use case of this module is
- * dumping a back trace on a fatal error, normally followed by self termination,
- * functions defined in this module generally doesn't employ assertion checks
- * (if it did, a program bug could cause infinite recursive calls to a
- * backtrace function).  These functions still perform minimal checks and return
- * ISC_R_FAILURE if they detect an error, but the caller should therefore be
- * very careful about the use of these functions, and generally discouraged to
- * use them except in an exit path.  The exception is
- * isc_backtrace_getsymbolfromindex(), which is expected to be used in a
- * non-error-handling context and validates arguments with assertion checks.
- */
-
-#ifndef ISC_BACKTRACE_H
-#define ISC_BACKTRACE_H 1
-
-/***
- ***	Imports
- ***/
-
-#include <isc/types.h>
-
-/***
- *** Types
- ***/
-struct isc_backtrace_symmap {
-	void		*addr;
-	const char	*symbol;
-};
-
-extern const int isc__backtrace_nsymbols;
-extern const isc_backtrace_symmap_t isc__backtrace_symtable[];
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-isc_result_t
-isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes);
-/*%<
- * Get a back trace of the running process above this function itself.  On
- * success, addrs[i] will store the address of the call point of the i-th
- * stack frame (addrs[0] is the caller of this function).  *nframes will store
- * the total number of frames.
- *
- * Requires (note that these are not ensured by assertion checks, see above):
- *
- *\li	'addrs' is a valid array containing at least 'maxaddrs' void * entries.
- *
- *\li	'nframes' must be non NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_FAILURE
- *\li	#ISC_R_NOTFOUND
- *\li	#ISC_R_NOTIMPLEMENTED
- */
-
-isc_result_t
-isc_backtrace_getsymbolfromindex(int index, const void **addrp,
-				 const char **symbolp);
-/*%<
- * Returns the content of the internal symbol table of the given index.
- * On success, *addrsp and *symbolp point to the address and the symbol of
- * the 'index'th entry of the table, respectively.  If 'index' is not in the
- * range of the symbol table, ISC_R_RANGE will be returned.
- *
- * Requires
- *
- *\li	'addrp' must be non NULL && '*addrp' == NULL.
- *
- *\li	'symbolp' must be non NULL && '*symbolp' == NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_RANGE
- */
-
-isc_result_t
-isc_backtrace_getsymbol(const void *addr, const char **symbolp,
-			unsigned long *offsetp);
-/*%<
- * Searches the internal symbol table for the symbol that most matches the
- * given 'addr'.  On success, '*symbolp' will point to the name of function
- * to which the address 'addr' belong, and '*offsetp' will store the offset
- * from the function's entry address to 'addr'.
- *
- * Requires (note that these are not ensured by assertion checks, see above):
- *
- *\li	'symbolp' must be non NULL && '*symbolp' == NULL.
- *
- *\li	'offsetp' must be non NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_FAILURE
- *\li	#ISC_R_NOTFOUND
- */
-ISC_LANG_ENDDECLS
-
-#endif	/* ISC_BACKTRACE_H */
diff --git a/contrib/bind9/lib/isc/include/isc/base32.h b/contrib/bind9/lib/isc/include/isc/base32.h
deleted file mode 100644
index 978a8db..0000000
--- a/contrib/bind9/lib/isc/include/isc/base32.h
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base32.h,v 1.3 2008/09/25 04:02:39 tbox Exp $ */
-
-#ifndef ISC_BASE32_H
-#define ISC_BASE32_H 1
-
-/*! \file */
-
-/*
- * Routines for manipulating base 32 and base 32 hex encoded data.
- * Based on RFC 4648.
- *
- * Base 32 hex preserves the sort order of data when it is encoded /
- * decoded.
- */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_base32_totext(isc_region_t *source, int wordlength,
-		  const char *wordbreak, isc_buffer_t *target);
-isc_result_t
-isc_base32hex_totext(isc_region_t *source, int wordlength,
-		     const char *wordbreak, isc_buffer_t *target);
-/*!<
- * \brief Convert data into base32 encoded text.
- *
- * Notes:
- *\li	The base32 encoded text in 'target' will be divided into
- *	words of at most 'wordlength' characters, separated by
- * 	the 'wordbreak' string.  No parentheses will surround
- *	the text.
- *
- * Requires:
- *\li	'source' is a region containing binary data
- *\li	'target' is a text buffer containing available space
- *\li	'wordbreak' points to a null-terminated string of
- *		zero or more whitespace characters
- *
- * Ensures:
- *\li	target will contain the base32 encoded version of the data
- *	in source.  The 'used' pointer in target will be advanced as
- *	necessary.
- */
-
-isc_result_t
-isc_base32_decodestring(const char *cstr, isc_buffer_t *target);
-isc_result_t
-isc_base32hex_decodestring(const char *cstr, isc_buffer_t *target);
-/*!<
- * \brief Decode a null-terminated base32 string.
- *
- * Requires:
- *\li	'cstr' is non-null.
- *\li	'target' is a valid buffer.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
- *			   fit in 'target'.
- *\li	#ISC_R_BADBASE32 -- 'cstr' is not a valid base32 encoding.
- *
- * 	Other error returns are any possible error code from:
- *\li		isc_lex_create(),
- *\li		isc_lex_openbuffer(),
- *\li		isc_base32_tobuffer().
- */
-
-isc_result_t
-isc_base32_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
-isc_result_t
-isc_base32hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
-/*!<
- * \brief Convert base32 encoded text from a lexer context into data.
- *
- * Requires:
- *\li	'lex' is a valid lexer context
- *\li	'target' is a buffer containing binary data
- *\li	'length' is an integer
- *
- * Ensures:
- *\li	target will contain the data represented by the base32 encoded
- *	string parsed by the lexer.  No more than length bytes will be read,
- *	if length is positive.  The 'used' pointer in target will be
- *	advanced as necessary.
- */
-
-isc_result_t
-isc_base32_decoderegion(isc_region_t *source, isc_buffer_t *target);
-isc_result_t
-isc_base32hex_decoderegion(isc_region_t *source, isc_buffer_t *target);
-/*!<
- * \brief Decode a packed (no white space permitted) base32 region.
- *
- * Requires:
- *\li   'source' is a valid region.
- *\li   'target' is a valid buffer.
- *
- * Returns:
- *\li   #ISC_R_SUCCESS  -- the entire decoded representation of 'cstring'
- *                         fit in 'target'.
- *\li   #ISC_R_BADBASE32 -- 'source' is not a valid base32 encoding.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_BASE32_H */
diff --git a/contrib/bind9/lib/isc/include/isc/base64.h b/contrib/bind9/lib/isc/include/isc/base64.h
deleted file mode 100644
index e48ef2a..0000000
--- a/contrib/bind9/lib/isc/include/isc/base64.h
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base64.h,v 1.22 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_BASE64_H
-#define ISC_BASE64_H 1
-
-/*! \file isc/base64.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_base64_totext(isc_region_t *source, int wordlength,
-		  const char *wordbreak, isc_buffer_t *target);
-/*!<
- * \brief Convert data into base64 encoded text.
- *
- * Notes:
- *\li	The base64 encoded text in 'target' will be divided into
- *	words of at most 'wordlength' characters, separated by
- * 	the 'wordbreak' string.  No parentheses will surround
- *	the text.
- *
- * Requires:
- *\li	'source' is a region containing binary data
- *\li	'target' is a text buffer containing available space
- *\li	'wordbreak' points to a null-terminated string of
- *		zero or more whitespace characters
- *
- * Ensures:
- *\li	target will contain the base64 encoded version of the data
- *	in source.  The 'used' pointer in target will be advanced as
- *	necessary.
- */
-
-isc_result_t
-isc_base64_decodestring(const char *cstr, isc_buffer_t *target);
-/*!<
- * \brief Decode a null-terminated base64 string.
- *
- * Requires:
- *\li	'cstr' is non-null.
- *\li	'target' is a valid buffer.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
- *			   fit in 'target'.
- *\li	#ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
- *
- * 	Other error returns are any possible error code from:
- *\li		isc_lex_create(),
- *\li		isc_lex_openbuffer(),
- *\li		isc_base64_tobuffer().
- */
-
-isc_result_t
-isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
-/*!<
- * \brief Convert base64 encoded text from a lexer context into data.
- *
- * Requires:
- *\li	'lex' is a valid lexer context
- *\li	'target' is a buffer containing binary data
- *\li	'length' is an integer
- *
- * Ensures:
- *\li	target will contain the data represented by the base64 encoded
- *	string parsed by the lexer.  No more than length bytes will be read,
- *	if length is positive.  The 'used' pointer in target will be
- *	advanced as necessary.
- */
-
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_BASE64_H */
diff --git a/contrib/bind9/lib/isc/include/isc/bind9.h b/contrib/bind9/lib/isc/include/isc/bind9.h
deleted file mode 100644
index 00bcb24..0000000
--- a/contrib/bind9/lib/isc/include/isc/bind9.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bind9.h,v 1.2 2009/12/05 23:31:41 each Exp $ */
-
-#ifndef ISC_BIND9_H
-#define ISC_BIND9_H 1
-
-/*
- * This determines whether we are building BIND9 or using the exported
- * libisc/libdns libraries.  The version of this file included in the
- * standard BIND9 build defines BIND9; the version included with the
- * exportable libraries does not.
- */
-#define BIND9 1
-
-#endif /* ISC_BIND9_H */
diff --git a/contrib/bind9/lib/isc/include/isc/bitstring.h b/contrib/bind9/lib/isc/include/isc/bitstring.h
deleted file mode 100644
index 252d111..0000000
--- a/contrib/bind9/lib/isc/include/isc/bitstring.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bitstring.h,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_BITSTRING_H
-#define ISC_BITSTRING_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/bitstring.h
- *
- * \brief Bitstring manipulation functions.
- *
- * A bitstring is a packed array of bits, stored in a contiguous
- * sequence of octets.  The "most significant bit" (msb) of a bitstring
- * is the high bit of the first octet.  The "least significant bit" of a
- * bitstring is the low bit of the last octet.
- *
- * Two bit numbering schemes are supported, "msb0" and "lsb0".
- *
- * In the "msb0" scheme, bit number 0 designates the most significant bit,
- * and any padding bits required to make the bitstring a multiple of 8 bits
- * long are added to the least significant end of the last octet.
- *
- * In the "lsb0" scheme, bit number 0 designates the least significant bit,
- * and any padding bits required to make the bitstring a multiple of 8 bits
- * long are added to the most significant end of the first octet.
- *
- * E.g., consider the bitstring "11010001111".  This bitstring is 11 bits
- * long and will take two octets.  Let "p" denote a pad bit.  In the msb0
- * encoding, it would be
- *
- * \verbatim
- *             Octet 0           Octet 1
- *                         |
- *         1 1 0 1 0 0 0 1 | 1 1 1 p p p p p
- *         ^               |               ^
- *         |                               |
- *         bit 0                           bit 15
- * \endverbatim
- *
- * In the lsb0 encoding, it would be
- *
- * \verbatim
- *             Octet 0           Octet 1
- *                         |
- *         p p p p p 1 1 0 | 1 0 0 0 1 1 1 1 
- *         ^               |               ^
- *         |                               |
- *         bit 15                          bit 0
- * \endverbatim
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-struct isc_bitstring {
-	unsigned int		magic;
-	unsigned char *		data;
-	unsigned int		length;
-	unsigned int		size;
-	isc_boolean_t		lsb0;
-};
-
-/***
- *** Functions
- ***/
-
-void
-isc_bitstring_init(isc_bitstring_t *bitstring, unsigned char *data,
-		   unsigned int length, unsigned int size, isc_boolean_t lsb0);
-/*!<
- * \brief Make 'bitstring' refer to the bitstring of 'size' bits starting
- * at 'data'.  'length' bits of the bitstring are valid.  If 'lsb0'
- * is set then, bit 0 refers to the least significant bit of the
- * bitstring.  Otherwise bit 0 is the most significant bit.
- *
- * Requires:
- *
- *\li	'bitstring' points to a isc_bitstring_t.
- *
- *\li	'data' points to an array of unsigned char large enough to hold
- *	'size' bits.
- *
- *\li	'length' <= 'size'.
- *
- * Ensures:
- *
- *\li	'bitstring' is a valid bitstring.
- */
-
-void
-isc_bitstring_invalidate(isc_bitstring_t *bitstring);
-/*!<
- * \brief Invalidate 'bitstring'.
- *
- * Requires:
- *
- *\li	'bitstring' is a valid bitstring.
- *
- * Ensures:
- *
- *\li	'bitstring' is not a valid bitstring.
- */
-
-void
-isc_bitstring_copy(isc_bitstring_t *source, unsigned int sbitpos,
-		   isc_bitstring_t *target, unsigned int tbitpos,
-		   unsigned int n);
-/*!<
- * \brief Starting at bit 'sbitpos', copy 'n' bits from 'source' to
- * the 'n' bits of 'target' starting at 'tbitpos'.
- *
- * Requires:
- *
- *\li	'source' and target are valid bitstrings with the same lsb0 setting.
- *
- *\li	'sbitpos' + 'n' is less than or equal to the length of 'source'.
- *
- *\li	'tbitpos' + 'n' is less than or equal to the size of 'target'.
- *
- * Ensures:
- *
- *\li	The specified bits have been copied, and the length of 'target'
- *	adjusted (if required).
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_BITSTRING_H */
diff --git a/contrib/bind9/lib/isc/include/isc/boolean.h b/contrib/bind9/lib/isc/include/isc/boolean.h
deleted file mode 100644
index 348b096..0000000
--- a/contrib/bind9/lib/isc/include/isc/boolean.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: boolean.h,v 1.19 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_BOOLEAN_H
-#define ISC_BOOLEAN_H 1
-
-/*! \file isc/boolean.h */
-
-typedef enum { isc_boolean_false = 0, isc_boolean_true = 1 } isc_boolean_t;
-
-#define ISC_FALSE isc_boolean_false
-#define ISC_TRUE isc_boolean_true
-#define ISC_TF(x) ((x) ? ISC_TRUE : ISC_FALSE)
-
-#endif /* ISC_BOOLEAN_H */
diff --git a/contrib/bind9/lib/isc/include/isc/buffer.h b/contrib/bind9/lib/isc/include/isc/buffer.h
deleted file mode 100644
index 72b8560..0000000
--- a/contrib/bind9/lib/isc/include/isc/buffer.h
+++ /dev/null
@@ -1,906 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: buffer.h,v 1.55 2010/12/20 23:47:21 tbox Exp $ */
-
-#ifndef ISC_BUFFER_H
-#define ISC_BUFFER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/buffer.h
- *
- * \brief A buffer is a region of memory, together with a set of related subregions.
- * Buffers are used for parsing and I/O operations.
- *
- * The 'used region' and the 'available' region are disjoint, and their
- * union is the buffer's region.  The used region extends from the beginning
- * of the buffer region to the last used byte.  The available region
- * extends from one byte greater than the last used byte to the end of the
- * buffer's region.  The size of the used region can be changed using various
- * buffer commands.  Initially, the used region is empty.
- *
- * The used region is further subdivided into two disjoint regions: the
- * 'consumed region' and the 'remaining region'.  The union of these two
- * regions is the used region.  The consumed region extends from the beginning
- * of the used region to the byte before the 'current' offset (if any).  The
- * 'remaining' region the current pointer to the end of the used
- * region.  The size of the consumed region can be changed using various
- * buffer commands.  Initially, the consumed region is empty.
- *
- * The 'active region' is an (optional) subregion of the remaining region.
- * It extends from the current offset to an offset in the remaining region
- * that is selected with isc_buffer_setactive().  Initially, the active region
- * is empty.  If the current offset advances beyond the chosen offset, the
- * active region will also be empty.
- *
- * \verbatim
- *  /------------entire length---------------\
- *  /----- used region -----\/-- available --\
- *  +----------------------------------------+
- *  | consumed  | remaining |                |
- *  +----------------------------------------+
- *  a           b     c     d                e
- *
- * a == base of buffer.
- * b == current pointer.  Can be anywhere between a and d.
- * c == active pointer.  Meaningful between b and d.
- * d == used pointer.
- * e == length of buffer.
- *
- * a-e == entire length of buffer.
- * a-d == used region.
- * a-b == consumed region.
- * b-d == remaining region.
- * b-c == optional active region.
- *\endverbatim
- *
- * The following invariants are maintained by all routines:
- *
- *\code
- *	length > 0
- *
- *	base is a valid pointer to length bytes of memory
- *
- *	0 <= used <= length
- *
- *	0 <= current <= used
- *
- *	0 <= active <= used
- *	(although active < current implies empty active region)
- *\endcode
- *
- * \li MP:
- *	Buffers have no synchronization.  Clients must ensure exclusive
- *	access.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	Memory: 1 pointer + 6 unsigned integers per buffer.
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/types.h>
-
-/*!
- * To make many functions be inline macros (via \#define) define this.
- * If it is undefined, a function will be used.
- */
-/* #define ISC_BUFFER_USEINLINE */
-
-ISC_LANG_BEGINDECLS
-
-/*@{*/
-/*!
- *** Magic numbers
- ***/
-#define ISC_BUFFER_MAGIC		0x42756621U	/* Buf!. */
-#define ISC_BUFFER_VALID(b)		ISC_MAGIC_VALID(b, ISC_BUFFER_MAGIC)
-/*@}*/
-
-/*
- * The following macros MUST be used only on valid buffers.  It is the
- * caller's responsibility to ensure this by using the ISC_BUFFER_VALID
- * check above, or by calling another isc_buffer_*() function (rather than
- * another macro.)
- */
-
-/*@{*/
-/*!
- * Fundamental buffer elements.  (A through E in the introductory comment.)
- */
-#define isc_buffer_base(b)    ((void *)(b)->base)			  /*a*/
-#define isc_buffer_current(b) \
-		((void *)((unsigned char *)(b)->base + (b)->current))     /*b*/
-#define isc_buffer_active(b)  \
-		((void *)((unsigned char *)(b)->base + (b)->active))      /*c*/
-#define isc_buffer_used(b)    \
-		((void *)((unsigned char *)(b)->base + (b)->used))        /*d*/
-#define isc_buffer_length(b)  ((b)->length)				  /*e*/
-/*@}*/
-
-/*@{*/
-/*!
- * Derived lengths.  (Described in the introductory comment.)
- */
-#define isc_buffer_usedlength(b)	((b)->used)		      /* d-a */
-#define isc_buffer_consumedlength(b)	((b)->current)		      /* b-a */
-#define isc_buffer_remaininglength(b)	((b)->used - (b)->current)    /* d-b */
-#define isc_buffer_activelength(b)	((b)->active - (b)->current)  /* c-b */
-#define isc_buffer_availablelength(b)	((b)->length - (b)->used)     /* e-d */
-/*@}*/
-
-/*!
- * Note that the buffer structure is public.  This is principally so buffer
- * operations can be implemented using macros.  Applications are strongly
- * discouraged from directly manipulating the structure.
- */
-
-struct isc_buffer {
-	unsigned int		magic;
-	void		       *base;
-	/*@{*/
-	/*! The following integers are byte offsets from 'base'. */
-	unsigned int		length;
-	unsigned int		used;
-	unsigned int 		current;
-	unsigned int 		active;
-	/*@}*/
-	/*! linkable */
-	ISC_LINK(isc_buffer_t)	link;
-	/*! private internal elements */
-	isc_mem_t	       *mctx;
-};
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
-		    unsigned int length);
-/*!<
- * \brief Allocate a dynamic linkable buffer which has "length" bytes in the
- * data region.
- *
- * Requires:
- *\li	"mctx" is valid.
- *
- *\li	"dynbuffer" is non-NULL, and "*dynbuffer" is NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS		- success
- *\li	ISC_R_NOMEMORY		- no memory available
- *
- * Note:
- *\li	Changing the buffer's length field is not permitted.
- */
-
-void
-isc_buffer_free(isc_buffer_t **dynbuffer);
-/*!<
- * \brief Release resources allocated for a dynamic buffer.
- *
- * Requires:
- *\li	"dynbuffer" is not NULL.
- *
- *\li	"*dynbuffer" is a valid dynamic buffer.
- *
- * Ensures:
- *\li	"*dynbuffer" will be NULL on return, and all memory associated with
- *	the dynamic buffer is returned to the memory context used in
- *	isc_buffer_allocate().
- */
-
-void
-isc__buffer_init(isc_buffer_t *b, void *base, unsigned int length);
-/*!<
- * \brief Make 'b' refer to the 'length'-byte region starting at base.
- *
- * Requires:
- *
- *\li	'length' > 0
- *
- *\li	'base' is a pointer to a sequence of 'length' bytes.
- *
- */
-
-void
-isc__buffer_initnull(isc_buffer_t *b);
-/*!<
- *\brief Initialize a buffer 'b' with a null data and zero length/
- */
-
-void
-isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length);
-/*!<
- * \brief Make 'b' refer to the 'length'-byte region starting at base.
- * Any existing data will be copied.
- *
- * Requires:
- *
- *\li	'length' > 0 AND length >= previous length
- *
- *\li	'base' is a pointer to a sequence of 'length' bytes.
- *
- */
-
-void
-isc__buffer_invalidate(isc_buffer_t *b);
-/*!<
- * \brief Make 'b' an invalid buffer.
- *
- * Requires:
- *\li	'b' is a valid buffer.
- *
- * Ensures:
- *\li	If assertion checking is enabled, future attempts to use 'b' without
- *	calling isc_buffer_init() on it will cause an assertion failure.
- */
-
-void
-isc__buffer_region(isc_buffer_t *b, isc_region_t *r);
-/*!<
- * \brief Make 'r' refer to the region of 'b'.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	'r' points to a region structure.
- */
-
-void
-isc__buffer_usedregion(isc_buffer_t *b, isc_region_t *r);
-/*!<
- * \brief Make 'r' refer to the used region of 'b'.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	'r' points to a region structure.
- */
-
-void
-isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r);
-/*!<
- * \brief Make 'r' refer to the available region of 'b'.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	'r' points to a region structure.
- */
-
-void
-isc__buffer_add(isc_buffer_t *b, unsigned int n);
-/*!<
- * \brief Increase the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer
- *
- *\li	used + n <= length
- *
- */
-
-void
-isc__buffer_subtract(isc_buffer_t *b, unsigned int n);
-/*!<
- * \brief Decrease the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer
- *
- *\li	used >= n
- *
- */
-
-void
-isc__buffer_clear(isc_buffer_t *b);
-/*!<
- * \brief Make the used region empty.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer
- *
- * Ensures:
- *
- *\li	used = 0
- *
- */
-
-void
-isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r);
-/*!<
- * \brief Make 'r' refer to the consumed region of 'b'.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	'r' points to a region structure.
- */
-
-void
-isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r);
-/*!<
- * \brief Make 'r' refer to the remaining region of 'b'.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	'r' points to a region structure.
- */
-
-void
-isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r);
-/*!<
- * \brief Make 'r' refer to the active region of 'b'.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	'r' points to a region structure.
- */
-
-void
-isc__buffer_setactive(isc_buffer_t *b, unsigned int n);
-/*!<
- * \brief Sets the end of the active region 'n' bytes after current.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	current + n <= used
- */
-
-void
-isc__buffer_first(isc_buffer_t *b);
-/*!<
- * \brief Make the consumed region empty.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer
- *
- * Ensures:
- *
- *\li	current == 0
- *
- */
-
-void
-isc__buffer_forward(isc_buffer_t *b, unsigned int n);
-/*!<
- * \brief Increase the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer
- *
- *\li	current + n <= used
- *
- */
-
-void
-isc__buffer_back(isc_buffer_t *b, unsigned int n);
-/*!<
- * \brief Decrease the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer
- *
- *\li	n <= current
- *
- */
-
-void
-isc_buffer_compact(isc_buffer_t *b);
-/*!<
- * \brief Compact the used region by moving the remaining region so it occurs
- * at the start of the buffer.  The used region is shrunk by the size of
- * the consumed region, and the consumed region is then made empty.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer
- *
- * Ensures:
- *
- *\li	current == 0
- *
- *\li	The size of the used region is now equal to the size of the remaining
- *	region (as it was before the call).  The contents of the used region
- *	are those of the remaining region (as it was before the call).
- */
-
-isc_uint8_t
-isc_buffer_getuint8(isc_buffer_t *b);
-/*!<
- * \brief Read an unsigned 8-bit integer from 'b' and return it.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	The length of the available region of 'b' is at least 1.
- *
- * Ensures:
- *
- *\li	The current pointer in 'b' is advanced by 1.
- *
- * Returns:
- *
- *\li	A 8-bit unsigned integer.
- */
-
-void
-isc__buffer_putuint8(isc_buffer_t *b, isc_uint8_t val);
-/*!<
- * \brief Store an unsigned 8-bit integer from 'val' into 'b'.
- *
- * Requires:
- *\li	'b' is a valid buffer.
- *
- *\li	The length of the unused region of 'b' is at least 1.
- *
- * Ensures:
- *\li	The used pointer in 'b' is advanced by 1.
- */
-
-isc_uint16_t
-isc_buffer_getuint16(isc_buffer_t *b);
-/*!<
- * \brief Read an unsigned 16-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	The length of the available region of 'b' is at least 2.
- *
- * Ensures:
- *
- *\li	The current pointer in 'b' is advanced by 2.
- *
- * Returns:
- *
- *\li	A 16-bit unsigned integer.
- */
-
-void
-isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val);
-/*!<
- * \brief Store an unsigned 16-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- *\li	'b' is a valid buffer.
- *
- *\li	The length of the unused region of 'b' is at least 2.
- *
- * Ensures:
- *\li	The used pointer in 'b' is advanced by 2.
- */
-
-isc_uint32_t
-isc_buffer_getuint32(isc_buffer_t *b);
-/*!<
- * \brief Read an unsigned 32-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	The length of the available region of 'b' is at least 4.
- *
- * Ensures:
- *
- *\li	The current pointer in 'b' is advanced by 4.
- *
- * Returns:
- *
- *\li	A 32-bit unsigned integer.
- */
-
-void
-isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val);
-/*!<
- * \brief Store an unsigned 32-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- *\li	'b' is a valid buffer.
- *
- *\li	The length of the unused region of 'b' is at least 4.
- *
- * Ensures:
- *\li	The used pointer in 'b' is advanced by 4.
- */
-
-isc_uint64_t
-isc_buffer_getuint48(isc_buffer_t *b);
-/*!<
- * \brief Read an unsigned 48-bit integer in network byte order from 'b',
- * convert it to host byte order, and return it.
- *
- * Requires:
- *
- *\li	'b' is a valid buffer.
- *
- *\li	The length of the available region of 'b' is at least 6.
- *
- * Ensures:
- *
- *\li	The current pointer in 'b' is advanced by 6.
- *
- * Returns:
- *
- *\li	A 48-bit unsigned integer (stored in a 64-bit integer).
- */
-
-void
-isc__buffer_putuint48(isc_buffer_t *b, isc_uint64_t val);
-/*!<
- * \brief Store an unsigned 48-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- *\li	'b' is a valid buffer.
- *
- *\li	The length of the unused region of 'b' is at least 6.
- *
- * Ensures:
- *\li	The used pointer in 'b' is advanced by 6.
- */
-
-void
-isc__buffer_putuint24(isc_buffer_t *b, isc_uint32_t val);
-/*!<
- * Store an unsigned 24-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- *\li	'b' is a valid buffer.
- *
- *	The length of the unused region of 'b' is at least 3.
- *
- * Ensures:
- *\li	The used pointer in 'b' is advanced by 3.
- */
-
-void
-isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
-		   unsigned int length);
-/*!<
- * \brief Copy 'length' bytes of memory at 'base' into 'b'.
- *
- * Requires:
- *\li	'b' is a valid buffer.
- *
- *\li	'base' points to 'length' bytes of valid memory.
- *
- */
-
-void
-isc__buffer_putstr(isc_buffer_t *b, const char *source);
-/*!<
- * \brief Copy 'source' into 'b', not including terminating NUL.
- *
- * Requires:
- *\li	'b' is a valid buffer.
- *
- *\li	'source' to be a valid NULL terminated string.
- *
- *\li	strlen(source) <= isc_buffer_available(b)
- */
-
-isc_result_t
-isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r);
-/*!<
- * \brief Copy the contents of 'r' into 'b'.
- *
- * Requires:
- *\li	'b' is a valid buffer.
- *
- *\li	'r' is a valid region.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *\li	ISC_R_NOSPACE			The available region of 'b' is not
- *					big enough.
- */
-
-ISC_LANG_ENDDECLS
-
-/*
- * Inline macro versions of the functions.  These should never be called
- * directly by an application, but will be used by the functions within
- * buffer.c.  The callers should always use "isc_buffer_*()" names, never
- * ones beginning with "isc__"
- */
-
-/*! \note
- * XXXDCL Something more could be done with initializing buffers that
- * point to const data.  For example, a new function, isc_buffer_initconst,
- * could be used, and a new boolean flag in the buffer structure could
- * indicate whether the buffer was initialized with that function.
- * (isc_bufer_init itself would be reprototyped to *not* have its "base"
- * parameter be const.)  Then if the boolean were true, the isc_buffer_put*
- * functions could assert a contractual requirement for a non-const buffer.
- * One drawback is that the isc_buffer_* functions (macros) that return
- * pointers would still need to return non-const pointers to avoid compiler
- * warnings, so it would be up to code that uses them to have to deal
- * with the possibility that the buffer was initialized as const --
- * a problem that they *already* have to deal with but have absolutely
- * no ability to.  With a new isc_buffer_isconst() function returning
- * true/false, they could at least assert a contractual requirement for
- * non-const buffers when needed.
- */
-#define ISC__BUFFER_INIT(_b, _base, _length) \
-	do { \
-		(_b)->base = _base; \
-		(_b)->length = (_length); \
-		(_b)->used = 0; \
-		(_b)->current = 0; \
-		(_b)->active = 0; \
-		(_b)->mctx = NULL; \
-		ISC_LINK_INIT(_b, link); \
-		(_b)->magic = ISC_BUFFER_MAGIC; \
-	} while (0)
-
-#define ISC__BUFFER_INITNULL(_b) ISC__BUFFER_INIT(_b, NULL, 0)
-
-#define ISC__BUFFER_INVALIDATE(_b) \
-	do { \
-		(_b)->magic = 0; \
-		(_b)->base = NULL; \
-		(_b)->length = 0; \
-		(_b)->used = 0; \
-		(_b)->current = 0; \
-		(_b)->active = 0; \
-	} while (0)
-
-#define ISC__BUFFER_REGION(_b, _r) \
-	do { \
-		(_r)->base = (_b)->base; \
-		(_r)->length = (_b)->length; \
-	} while (0)
-
-#define ISC__BUFFER_USEDREGION(_b, _r) \
-	do { \
-		(_r)->base = (_b)->base; \
-		(_r)->length = (_b)->used; \
-	} while (0)
-
-#define ISC__BUFFER_AVAILABLEREGION(_b, _r) \
-	do { \
-		(_r)->base = isc_buffer_used(_b); \
-		(_r)->length = isc_buffer_availablelength(_b); \
-	} while (0)
-
-#define ISC__BUFFER_ADD(_b, _n) \
-	do { \
-		(_b)->used += (_n); \
-	} while (0)
-
-#define ISC__BUFFER_SUBTRACT(_b, _n) \
-	do { \
-		(_b)->used -= (_n); \
-		if ((_b)->current > (_b)->used) \
-			(_b)->current = (_b)->used; \
-		if ((_b)->active > (_b)->used) \
-			(_b)->active = (_b)->used; \
-	} while (0)
-
-#define ISC__BUFFER_CLEAR(_b) \
-	do { \
-		(_b)->used = 0; \
-		(_b)->current = 0; \
-		(_b)->active = 0; \
-	} while (0)
-
-#define ISC__BUFFER_CONSUMEDREGION(_b, _r) \
-	do { \
-		(_r)->base = (_b)->base; \
-		(_r)->length = (_b)->current; \
-	} while (0)
-
-#define ISC__BUFFER_REMAININGREGION(_b, _r) \
-	do { \
-		(_r)->base = isc_buffer_current(_b); \
-		(_r)->length = isc_buffer_remaininglength(_b); \
-	} while (0)
-
-#define ISC__BUFFER_ACTIVEREGION(_b, _r) \
-	do { \
-		if ((_b)->current < (_b)->active) { \
-			(_r)->base = isc_buffer_current(_b); \
-			(_r)->length = isc_buffer_activelength(_b); \
-		} else { \
-			(_r)->base = NULL; \
-			(_r)->length = 0; \
-		} \
-	} while (0)
-
-#define ISC__BUFFER_SETACTIVE(_b, _n) \
-	do { \
-		(_b)->active = (_b)->current + (_n); \
-	} while (0)
-
-#define ISC__BUFFER_FIRST(_b) \
-	do { \
-		(_b)->current = 0; \
-	} while (0)
-
-#define ISC__BUFFER_FORWARD(_b, _n) \
-	do { \
-		(_b)->current += (_n); \
-	} while (0)
-
-#define ISC__BUFFER_BACK(_b, _n) \
-	do { \
-		(_b)->current -= (_n); \
-	} while (0)
-
-#define ISC__BUFFER_PUTMEM(_b, _base, _length) \
-	do { \
-		memcpy(isc_buffer_used(_b), (_base), (_length)); \
-		(_b)->used += (_length); \
-	} while (0)
-
-#define ISC__BUFFER_PUTSTR(_b, _source) \
-	do { \
-		unsigned int _length; \
-		unsigned char *_cp; \
-		_length = strlen(_source); \
-		_cp = isc_buffer_used(_b); \
-		memcpy(_cp, (_source), _length); \
-		(_b)->used += (_length); \
-	} while (0)
-
-#define ISC__BUFFER_PUTUINT8(_b, _val) \
-	do { \
-		unsigned char *_cp; \
-		isc_uint8_t _val2 = (_val); \
-		_cp = isc_buffer_used(_b); \
-		(_b)->used++; \
-		_cp[0] = _val2 & 0x00ff; \
-	} while (0)
-
-#define ISC__BUFFER_PUTUINT16(_b, _val) \
-	do { \
-		unsigned char *_cp; \
-		isc_uint16_t _val2 = (_val); \
-		_cp = isc_buffer_used(_b); \
-		(_b)->used += 2; \
-		_cp[0] = (unsigned char)((_val2 & 0xff00U) >> 8); \
-		_cp[1] = (unsigned char)(_val2 & 0x00ffU); \
-	} while (0)
-
-#define ISC__BUFFER_PUTUINT24(_b, _val) \
-	do { \
-		unsigned char *_cp; \
-		isc_uint32_t _val2 = (_val); \
-		_cp = isc_buffer_used(_b); \
-		(_b)->used += 3; \
-		_cp[0] = (unsigned char)((_val2 & 0xff0000U) >> 16); \
-		_cp[1] = (unsigned char)((_val2 & 0xff00U) >> 8); \
-		_cp[2] = (unsigned char)(_val2 & 0x00ffU); \
-	} while (0)
-
-#define ISC__BUFFER_PUTUINT32(_b, _val) \
-	do { \
-		unsigned char *_cp; \
-		isc_uint32_t _val2 = (_val); \
-		_cp = isc_buffer_used(_b); \
-		(_b)->used += 4; \
-		_cp[0] = (unsigned char)((_val2 & 0xff000000) >> 24); \
-		_cp[1] = (unsigned char)((_val2 & 0x00ff0000) >> 16); \
-		_cp[2] = (unsigned char)((_val2 & 0x0000ff00) >> 8); \
-		_cp[3] = (unsigned char)((_val2 & 0x000000ff)); \
-	} while (0)
-
-#if defined(ISC_BUFFER_USEINLINE)
-#define isc_buffer_init			ISC__BUFFER_INIT
-#define isc_buffer_initnull		ISC__BUFFER_INITNULL
-#define isc_buffer_invalidate		ISC__BUFFER_INVALIDATE
-#define isc_buffer_region		ISC__BUFFER_REGION
-#define isc_buffer_usedregion		ISC__BUFFER_USEDREGION
-#define isc_buffer_availableregion	ISC__BUFFER_AVAILABLEREGION
-#define isc_buffer_add			ISC__BUFFER_ADD
-#define isc_buffer_subtract		ISC__BUFFER_SUBTRACT
-#define isc_buffer_clear		ISC__BUFFER_CLEAR
-#define isc_buffer_consumedregion	ISC__BUFFER_CONSUMEDREGION
-#define isc_buffer_remainingregion	ISC__BUFFER_REMAININGREGION
-#define isc_buffer_activeregion		ISC__BUFFER_ACTIVEREGION
-#define isc_buffer_setactive		ISC__BUFFER_SETACTIVE
-#define isc_buffer_first		ISC__BUFFER_FIRST
-#define isc_buffer_forward		ISC__BUFFER_FORWARD
-#define isc_buffer_back			ISC__BUFFER_BACK
-#define isc_buffer_putmem		ISC__BUFFER_PUTMEM
-#define isc_buffer_putstr		ISC__BUFFER_PUTSTR
-#define isc_buffer_putuint8		ISC__BUFFER_PUTUINT8
-#define isc_buffer_putuint16		ISC__BUFFER_PUTUINT16
-#define isc_buffer_putuint24		ISC__BUFFER_PUTUINT24
-#define isc_buffer_putuint32		ISC__BUFFER_PUTUINT32
-#else
-#define isc_buffer_init			isc__buffer_init
-#define isc_buffer_initnull		isc__buffer_initnull
-#define isc_buffer_invalidate		isc__buffer_invalidate
-#define isc_buffer_region		isc__buffer_region
-#define isc_buffer_usedregion		isc__buffer_usedregion
-#define isc_buffer_availableregion	isc__buffer_availableregion
-#define isc_buffer_add			isc__buffer_add
-#define isc_buffer_subtract		isc__buffer_subtract
-#define isc_buffer_clear		isc__buffer_clear
-#define isc_buffer_consumedregion	isc__buffer_consumedregion
-#define isc_buffer_remainingregion	isc__buffer_remainingregion
-#define isc_buffer_activeregion		isc__buffer_activeregion
-#define isc_buffer_setactive		isc__buffer_setactive
-#define isc_buffer_first		isc__buffer_first
-#define isc_buffer_forward		isc__buffer_forward
-#define isc_buffer_back			isc__buffer_back
-#define isc_buffer_putmem		isc__buffer_putmem
-#define isc_buffer_putstr		isc__buffer_putstr
-#define isc_buffer_putuint8		isc__buffer_putuint8
-#define isc_buffer_putuint16		isc__buffer_putuint16
-#define isc_buffer_putuint24		isc__buffer_putuint24
-#define isc_buffer_putuint32		isc__buffer_putuint32
-#endif
-
-#define isc_buffer_constinit(_b, _d, _l) \
-	do { \
-		union { void *_var; const void *_const; } _deconst; \
-		_deconst._const = (_d); \
-		isc_buffer_init((_b), _deconst._var, (_l)); \
-	} while (0)
-
-/*
- * No inline method for this one (yet).
- */
-#define isc_buffer_putuint48		isc__buffer_putuint48
-
-#endif /* ISC_BUFFER_H */
diff --git a/contrib/bind9/lib/isc/include/isc/bufferlist.h b/contrib/bind9/lib/isc/include/isc/bufferlist.h
deleted file mode 100644
index 54e00c7..0000000
--- a/contrib/bind9/lib/isc/include/isc/bufferlist.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bufferlist.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_BUFFERLIST_H
-#define ISC_BUFFERLIST_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/bufferlist.h
- *
- *
- *\brief	Buffer lists have no synchronization.  Clients must ensure exclusive
- *	access.
- *
- * \li Reliability:
- *	No anticipated impact.
-
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-unsigned int
-isc_bufferlist_usedcount(isc_bufferlist_t *bl);
-/*!<
- * \brief Return the length of the sum of all used regions of all buffers in
- * the buffer list 'bl'
- *
- * Requires:
- *
- *\li	'bl' is not NULL.
- *
- * Returns:
- *\li	sum of all used regions' lengths.
- */
-
-unsigned int
-isc_bufferlist_availablecount(isc_bufferlist_t *bl);
-/*!<
- * \brief Return the length of the sum of all available regions of all buffers in
- * the buffer list 'bl'
- *
- * Requires:
- *
- *\li	'bl' is not NULL.
- *
- * Returns:
- *\li	sum of all available regions' lengths.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_BUFFERLIST_H */
diff --git a/contrib/bind9/lib/isc/include/isc/commandline.h b/contrib/bind9/lib/isc/include/isc/commandline.h
deleted file mode 100644
index 384640a..0000000
--- a/contrib/bind9/lib/isc/include/isc/commandline.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: commandline.h,v 1.16 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_COMMANDLINE_H
-#define ISC_COMMANDLINE_H 1
-
-/*! \file isc/commandline.h */
-
-#include <isc/boolean.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-/*% Index into parent argv vector. */
-LIBISC_EXTERNAL_DATA extern int isc_commandline_index;
-/*% Character checked for validity. */
-LIBISC_EXTERNAL_DATA extern int isc_commandline_option;
-/*% Argument associated with option. */
-LIBISC_EXTERNAL_DATA extern char *isc_commandline_argument;
-/*% For printing error messages. */
-LIBISC_EXTERNAL_DATA extern char *isc_commandline_progname;
-/*% Print error message. */
-LIBISC_EXTERNAL_DATA extern isc_boolean_t isc_commandline_errprint;
-/*% Reset getopt. */
-LIBISC_EXTERNAL_DATA extern isc_boolean_t isc_commandline_reset;
-
-ISC_LANG_BEGINDECLS
-
-/*% parse command line */
-int
-isc_commandline_parse(int argc, char * const *argv, const char *options);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_COMMANDLINE_H */
diff --git a/contrib/bind9/lib/isc/include/isc/entropy.h b/contrib/bind9/lib/isc/include/isc/entropy.h
deleted file mode 100644
index d28f29a..0000000
--- a/contrib/bind9/lib/isc/include/isc/entropy.h
+++ /dev/null
@@ -1,314 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
-
-#ifndef ISC_ENTROPY_H
-#define ISC_ENTROPY_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/entropy.h
- * \brief The entropy API
- *
- * \li MP:
- *	The entropy object is locked internally.  All callbacks into
- *	application-provided functions (for setup, gathering, and
- *	shutdown of sources) are guaranteed to be called with the
- *	entropy API lock held.  This means these functions are
- *	not permitted to call back into the entropy API.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	A buffer, used as an entropy pool.
- *
- * \li Security:
- *	While this code is believed to implement good entropy gathering
- *	and distribution, it has not been reviewed by a cryptographic
- *	expert.
- *	Since the added entropy is only as good as the sources used,
- *	this module could hand out bad data and never know it.
- *
- * \li Standards:
- *	None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*@{*/
-/*% Entropy callback function. */
-typedef isc_result_t (*isc_entropystart_t)(isc_entropysource_t *source,
-					   void *arg, isc_boolean_t blocking);
-typedef isc_result_t (*isc_entropyget_t)(isc_entropysource_t *source,
-					 void *arg, isc_boolean_t blocking);
-typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
-/*@}*/
-
-/***
- *** Flags.
- ***/
-
-/*!
- * \brief
- *	Extract only "good" data; return failure if there is not enough
- *	data available and there are no sources which we can poll to get
- *	data, or those sources are empty.
- *
- *
- */
-#define ISC_ENTROPY_GOODONLY	0x00000001U
-/*!
- * \brief
- *	Extract as much good data as possible, but if there isn't enough
- *	at hand, return what is available.  This flag only makes sense
- *	when used with _GOODONLY.
- */
-#define ISC_ENTROPY_PARTIAL	0x00000002U
-/*!
- * \brief
- *	Block the task until data is available.  This is contrary to the
- *	ISC task system, where tasks should never block.  However, if
- *	this is a special purpose application where blocking a task is
- *	acceptable (say, an offline zone signer) this flag may be set.
- *	This flag only makes sense when used with _GOODONLY, and will
- *	block regardless of the setting for _PARTIAL.
- */
-#define ISC_ENTROPY_BLOCKING	0x00000004U
-
-/*!
- * \brief
- *	Estimate the amount of entropy contained in the sample pool.
- *	If this is not set, the source will be gathered and periodically
- *	mixed into the entropy pool, but no increment in contained entropy
- *	will be assumed.  This flag only makes sense on sample sources.
- */
-#define ISC_ENTROPYSOURCE_ESTIMATE	0x00000001U
-
-/*
- * For use with isc_entropy_usebestsource().
- */
-/*!
- * \brief
- *	Use the keyboard as the only entropy source.
- */
-#define ISC_ENTROPY_KEYBOARDYES		1
-/*!
- * \brief
- *	Never use the keyboard as an entropy source.
- */
-#define ISC_ENTROPY_KEYBOARDNO		2
-/*!
- * \brief
- *	Use the keyboard as an entropy source only if opening the
- *	random device fails.
- */
-#define ISC_ENTROPY_KEYBOARDMAYBE	3
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp);
-/*!<
- * \brief Create a new entropy object.
- */
-
-void
-isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp);
-/*!<
- * Attaches to an entropy object.
- */
-
-void
-isc_entropy_detach(isc_entropy_t **entp);
-/*!<
- * \brief Detaches from an entropy object.
- */
-
-isc_result_t
-isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname);
-/*!<
- * \brief Create a new entropy source from a file.
- *
- * The file is assumed to contain good randomness, and will be mixed directly
- * into the pool with every byte adding 8 bits of entropy.
- *
- * The file will be put into non-blocking mode, so it may be a device file,
- * such as /dev/random.  /dev/urandom should not be used here if it can
- * be avoided, since it will always provide data even if it isn't good.
- * We will make as much pseudorandom data as we need internally if our
- * caller asks for it.
- *
- * If we hit end-of-file, we will stop reading from this source.  Callers
- * who require strong random data will get failure when our pool drains.
- * The file will never be opened/read again once EOF is reached.
- */
-
-void
-isc_entropy_destroysource(isc_entropysource_t **sourcep);
-/*!<
- * \brief Removes an entropy source from the entropy system.
- */
-
-isc_result_t
-isc_entropy_createsamplesource(isc_entropy_t *ent,
-			       isc_entropysource_t **sourcep);
-/*!<
- * \brief Create an entropy source that consists of samples.  Each sample is
- * added to the source via isc_entropy_addsamples(), below.
- */
-
-isc_result_t
-isc_entropy_createcallbacksource(isc_entropy_t *ent,
-				 isc_entropystart_t start,
-				 isc_entropyget_t get,
-				 isc_entropystop_t stop,
-				 void *arg,
-				 isc_entropysource_t **sourcep);
-/*!<
- * \brief Create an entropy source that is polled via a callback.
- *
- * This would
- * be used when keyboard input is used, or a GUI input method.  It can
- * also be used to hook in any external entropy source.
- *
- * Samples are added via isc_entropy_addcallbacksample(), below.
- * _addcallbacksample() is the only function which may be called from
- * within an entropy API callback function.
- */
-
-void
-isc_entropy_stopcallbacksources(isc_entropy_t *ent);
-/*!<
- * \brief Call the stop functions for callback sources that have had their
- * start functions called.
- */
-
-/*@{*/
-isc_result_t
-isc_entropy_addcallbacksample(isc_entropysource_t *source, isc_uint32_t sample,
-			      isc_uint32_t extra);
-isc_result_t
-isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample,
-		      isc_uint32_t extra);
-/*!<
- * \brief Add a sample to the sample source.
- *
- * The sample MUST be a timestamp
- * that increases over time, with the exception of wrap-around for
- * extremely high resolution timers which will quickly wrap-around
- * a 32-bit integer.
- *
- * The "extra" parameter is used only to add a bit more unpredictable
- * data.  It is not used other than included in the hash of samples.
- *
- * When in an entropy API callback function, _addcallbacksource() must be
- * used.  At all other times, _addsample() must be used.
- */
-/*@}*/
-
-isc_result_t
-isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
-		    unsigned int *returned, unsigned int flags);
-/*!<
- * \brief Extract data from the entropy pool.  This may load the pool from various
- * sources.
- *
- * Do this by stiring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
- *
- * Honor the request from the caller to only return good data, any data,
- * etc.
- */
-
-void
-isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
-		    isc_uint32_t entropy);
-/*!<
- * \brief Add "length" bytes in "data" to the entropy pool, incrementing the
- * pool's entropy count by "entropy."
- *
- * These bytes will prime the pseudorandom portion even if no entropy is
- * actually added.
- */
-
-void
-isc_entropy_stats(isc_entropy_t *ent, FILE *out);
-/*!<
- * \brief Dump some (trivial) stats to the stdio stream "out".
- */
-
-unsigned int
-isc_entropy_status(isc_entropy_t *end);
-/*
- * Returns the number of bits the pool currently contains.  This is just
- * an estimate.
- */
-
-isc_result_t
-isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
-			  const char *randomfile, int use_keyboard);
-/*!<
- * \brief Use whatever source of entropy is best.
- *
- * Notes:
- *\li	If "randomfile" is not NULL, open it with
- *	isc_entropy_createfilesource().
- *
- *\li	If "randomfile" is NULL and the system's random device was detected
- *	when the program was configured and built, open that device with
- *	isc_entropy_createfilesource().
- *
- *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDYES, then always open
- *	the keyboard as an entropy source (possibly in addition to
- *	"randomfile" or the random device).
- *
- *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDMAYBE, open the keyboard only
- *	if opening the random file/device fails.  A message will be
- *	printed describing the need for keyboard input.
- *
- *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDNO, the keyboard will
- *	never be opened.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS if at least one source of entropy could be started.
- *
- *\li	#ISC_R_NOENTROPY if use_keyboard is #ISC_ENTROPY_KEYBOARDNO and
- *	there is no random device pathname compiled into the program.
- *
- *\li	A return code from isc_entropy_createfilesource() or
- *	isc_entropy_createcallbacksource().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_ENTROPY_H */
diff --git a/contrib/bind9/lib/isc/include/isc/error.h b/contrib/bind9/lib/isc/include/isc/error.h
deleted file mode 100644
index e0cdfa8..0000000
--- a/contrib/bind9/lib/isc/include/isc/error.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: error.h,v 1.22 2009/09/29 23:48:04 tbox Exp $ */
-
-#ifndef ISC_ERROR_H
-#define ISC_ERROR_H 1
-
-/*! \file isc/error.h */
-
-#include <stdarg.h>
-
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef void (*isc_errorcallback_t)(const char *, int, const char *, va_list);
-
-/*% set unexpected error */
-void
-isc_error_setunexpected(isc_errorcallback_t);
-
-/*% set fatal error */
-void
-isc_error_setfatal(isc_errorcallback_t);
-
-/*% unexpected error */
-void
-isc_error_unexpected(const char *, int, const char *, ...)
-     ISC_FORMAT_PRINTF(3, 4);
-
-/*% fatal error */
-ISC_PLATFORM_NORETURN_PRE void
-isc_error_fatal(const char *, int, const char *, ...)
-ISC_FORMAT_PRINTF(3, 4) ISC_PLATFORM_NORETURN_POST;
-
-/*% runtimecheck error */
-void
-isc_error_runtimecheck(const char *, int, const char *);
-
-#define ISC_ERROR_RUNTIMECHECK(cond) \
-	((void) ((cond) || \
-		 ((isc_error_runtimecheck)(__FILE__, __LINE__, #cond), 0)))
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_ERROR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/event.h b/contrib/bind9/lib/isc/include/isc/event.h
deleted file mode 100644
index 68fabb2..0000000
--- a/contrib/bind9/lib/isc/include/isc/event.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: event.h,v 1.34 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_EVENT_H
-#define ISC_EVENT_H 1
-
-/*! \file isc/event.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*****
- ***** Events.
- *****/
-
-typedef void (*isc_eventdestructor_t)(isc_event_t *);
-
-#define ISC_EVENT_COMMON(ltype)		\
-	size_t				ev_size; \
-	unsigned int			ev_attributes; \
-	void *				ev_tag; \
-	isc_eventtype_t			ev_type; \
-	isc_taskaction_t		ev_action; \
-	void *				ev_arg; \
-	void *				ev_sender; \
-	isc_eventdestructor_t		ev_destroy; \
-	void *				ev_destroy_arg; \
-	ISC_LINK(ltype)			ev_link
-
-/*%
- * Attributes matching a mask of 0x000000ff are reserved for the task library's
- * definition.  Attributes of 0xffffff00 may be used by the application
- * or non-ISC libraries.
- */
-#define ISC_EVENTATTR_NOPURGE		0x00000001
-
-/*%
- * The ISC_EVENTATTR_CANCELED attribute is intended to indicate
- * that an event is delivered as a result of a canceled operation
- * rather than successful completion, by mutual agreement
- * between the sender and receiver.  It is not set or used by
- * the task system.
- */
-#define ISC_EVENTATTR_CANCELED		0x00000002
-
-#define ISC_EVENT_INIT(event, sz, at, ta, ty, ac, ar, sn, df, da) \
-do { \
-	(event)->ev_size = (sz); \
-	(event)->ev_attributes = (at); \
-	(event)->ev_tag = (ta); \
-	(event)->ev_type = (ty); \
-	(event)->ev_action = (ac); \
-	(event)->ev_arg = (ar); \
-	(event)->ev_sender = (sn); \
-	(event)->ev_destroy = (df); \
-	(event)->ev_destroy_arg = (da); \
-	ISC_LINK_INIT((event), ev_link); \
-} while (0)
-
-/*%
- * This structure is public because "subclassing" it may be useful when
- * defining new event types.
- */
-struct isc_event {
-	ISC_EVENT_COMMON(struct isc_event);
-};
-
-#define ISC_EVENTTYPE_FIRSTEVENT	0x00000000
-#define ISC_EVENTTYPE_LASTEVENT		0xffffffff
-
-#define ISC_EVENT_PTR(p) ((isc_event_t **)(void *)(p))
-
-ISC_LANG_BEGINDECLS
-
-isc_event_t *
-isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
-		   isc_taskaction_t action, const void *arg, size_t size);
-/*%<
- * Allocate an event structure. 
- *
- * Allocate and initialize in a structure with initial elements
- * defined by:
- *
- * \code
- *	struct {
- *		ISC_EVENT_COMMON(struct isc_event);
- *		...
- *	};
- * \endcode
- *	
- * Requires:
- *\li	'size' >= sizeof(struct isc_event)
- *\li	'action' to be non NULL
- *
- * Returns:
- *\li	a pointer to a initialized structure of the requested size.
- *\li	NULL if unable to allocate memory.
- */
-
-void
-isc_event_free(isc_event_t **);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_EVENT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/eventclass.h b/contrib/bind9/lib/isc/include/isc/eventclass.h
deleted file mode 100644
index 9e6c145..0000000
--- a/contrib/bind9/lib/isc/include/isc/eventclass.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: eventclass.h,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_EVENTCLASS_H
-#define ISC_EVENTCLASS_H 1
-
-/*! \file isc/eventclass.h
- ***** Registry of Predefined Event Type Classes
- *****/
-
-/*%
- * An event class is an unsigned 16 bit number.  Each class may contain up
- * to 65536 events.  An event type is formed by adding the event number
- * within the class to the class number.
- *
- */
-
-#define ISC_EVENTCLASS(eclass)		((eclass) << 16)
-
-/*@{*/
-/*!
- * Classes < 1024 are reserved for ISC use.
- * Event classes >= 1024 and <= 65535 are reserved for application use.
- */
-
-#define	ISC_EVENTCLASS_TASK		ISC_EVENTCLASS(0)
-#define	ISC_EVENTCLASS_TIMER		ISC_EVENTCLASS(1)
-#define	ISC_EVENTCLASS_SOCKET		ISC_EVENTCLASS(2)
-#define	ISC_EVENTCLASS_FILE		ISC_EVENTCLASS(3)
-#define	ISC_EVENTCLASS_DNS		ISC_EVENTCLASS(4)
-#define	ISC_EVENTCLASS_APP		ISC_EVENTCLASS(5)
-#define	ISC_EVENTCLASS_OMAPI		ISC_EVENTCLASS(6)
-#define	ISC_EVENTCLASS_RATELIMITER	ISC_EVENTCLASS(7)
-#define	ISC_EVENTCLASS_ISCCC		ISC_EVENTCLASS(8)
-/*@}*/
-
-#endif /* ISC_EVENTCLASS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/file.h b/contrib/bind9/lib/isc/include/isc/file.h
deleted file mode 100644
index 92ea96e..0000000
--- a/contrib/bind9/lib/isc/include/isc/file.h
+++ /dev/null
@@ -1,331 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_FILE_H
-#define ISC_FILE_H 1
-
-/*! \file isc/file.h */
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/stat.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_file_settime(const char *file, isc_time_t *time);
-
-isc_result_t
-isc_file_mode(const char *file, mode_t *modep);
-
-isc_result_t
-isc_file_getmodtime(const char *file, isc_time_t *time);
-/*!<
- * \brief Get the time of last modification of a file.
- *
- * Notes:
- *\li	The time that is set is relative to the (OS-specific) epoch, as are
- *	all isc_time_t structures.
- *
- * Requires:
- *\li	file != NULL.
- *\li	time != NULL.
- *
- * Ensures:
- *\li	If the file could not be accessed, 'time' is unchanged.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *		Success.
- *\li	#ISC_R_NOTFOUND
- *		No such file exists.
- *\li	#ISC_R_INVALIDFILE
- *		The path specified was not usable by the operating system.
- *\li	#ISC_R_NOPERM
- *		The file's metainformation could not be retrieved because
- *		permission was denied to some part of the file's path.
- *\li	#ISC_R_EIO
- *		Hardware error interacting with the filesystem.
- *\li	#ISC_R_UNEXPECTED
- *		Something totally unexpected happened.
- *
- */
-
-isc_result_t
-isc_file_mktemplate(const char *path, char *buf, size_t buflen);
-/*!<
- * \brief Generate a template string suitable for use with isc_file_openunique().
- *
- * Notes:
- *\li	This function is intended to make creating temporary files
- *	portable between different operating systems.
- *
- *\li	The path is prepended to an implementation-defined string and
- *	placed into buf.  The string has no path characters in it,
- *	and its maximum length is 14 characters plus a NUL.  Thus
- *	buflen should be at least strlen(path) + 15 characters or
- *	an error will be returned.
- *
- * Requires:
- *\li	buf != NULL.
- *
- * Ensures:
- *\li	If result == #ISC_R_SUCCESS:
- *		buf contains a string suitable for use as the template argument
- *		to isc_file_openunique().
- *
- *\li	If result != #ISC_R_SUCCESS:
- *		buf is unchanged.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS 	Success.
- *\li	#ISC_R_NOSPACE	buflen indicates buf is too small for the catenation
- *				of the path with the internal template string.
- */
-
-isc_result_t
-isc_file_openunique(char *templet, FILE **fp);
-isc_result_t
-isc_file_openuniqueprivate(char *templet, FILE **fp);
-isc_result_t
-isc_file_openuniquemode(char *templet, int mode, FILE **fp);
-isc_result_t
-isc_file_bopenunique(char *templet, FILE **fp);
-isc_result_t
-isc_file_bopenuniqueprivate(char *templet, FILE **fp);
-isc_result_t
-isc_file_bopenuniquemode(char *templet, int mode, FILE **fp);
-/*!<
- * \brief Create and open a file with a unique name based on 'templet'.
- *	isc_file_bopen*() open the file in binary mode in Windows.
- *	isc_file_open*() open the file in text mode in Windows.
- *
- * Notes:
- *\li	'template' is a reserved work in C++.  If you want to complain
- *	about the spelling of 'templet', first look it up in the
- *	Merriam-Webster English dictionary. (http://www.m-w.com/)
- *
- *\li	This function works by using the template to generate file names.
- *	The template must be a writable string, as it is modified in place.
- *	Trailing X characters in the file name (full file name on Unix,
- *	basename on Win32 -- eg, tmp-XXXXXX vs XXXXXX.tmp, respectively)
- *	are replaced with ASCII characters until a non-existent filename
- *	is found.  If the template does not include pathname information,
- *	the files in the working directory of the program are searched.
- *
- *\li	isc_file_mktemplate is a good, portable way to get a template.
- *
- * Requires:
- *\li	'fp' is non-NULL and '*fp' is NULL.
- *
- *\li	'template' is non-NULL, and of a form suitable for use by
- *	the system as described above.
- *
- * Ensures:
- *\li	If result is #ISC_R_SUCCESS:
- *		*fp points to an stream opening in stdio's "w+" mode.
- *
- *\li	If result is not #ISC_R_SUCCESS:
- *		*fp is NULL.
- *
- *		No file is open.  Even if one was created (but unable
- *		to be reopened as a stdio FILE pointer) then it has been
- *		removed.
- *
- *\li	This function does *not* ensure that the template string has not been
- *	modified, even if the operation was unsuccessful.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *		Success.
- *\li	#ISC_R_EXISTS
- *		No file with a unique name could be created based on the
- *		template.
- *\li	#ISC_R_INVALIDFILE
- *		The path specified was not usable by the operating system.
- *\li	#ISC_R_NOPERM
- *		The file could not be created because permission was denied
- *		to some part of the file's path.
- *\li	#ISC_R_IOERROR
- *		Hardware error interacting with the filesystem.
- *\li	#ISC_R_UNEXPECTED
- *		Something totally unexpected happened.
- */
-
-isc_result_t
-isc_file_remove(const char *filename);
-/*!<
- * \brief Remove the file named by 'filename'.
- */
-
-isc_result_t
-isc_file_rename(const char *oldname, const char *newname);
-/*!<
- * \brief Rename the file 'oldname' to 'newname'.
- */
-
-isc_boolean_t
-isc_file_exists(const char *pathname);
-/*!<
- * \brief Return #ISC_TRUE if the calling process can tell that the given file exists.
- * Will not return true if the calling process has insufficient privileges
- * to search the entire path.
- */
-
-isc_boolean_t
-isc_file_isabsolute(const char *filename);
-/*!<
- * \brief Return #ISC_TRUE if the given file name is absolute.
- */
-
-isc_result_t
-isc_file_isplainfile(const char *name);
-/*!<
- * \brief Check that the file is a plain file
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *		Success. The file is a plain file.
- *\li	#ISC_R_INVALIDFILE
- *		The path specified was not usable by the operating system.
- *\li	#ISC_R_FILENOTFOUND
- *		The file does not exist. This return code comes from
- *		errno=ENOENT when stat returns -1. This code is mentioned
- *		here, because in logconf.c, it is the one rcode that is
- *		permitted in addition to ISC_R_SUCCESS. This is done since
- *		the next call in logconf.c is to isc_stdio_open(), which
- *		will create the file if it can.
- *\li	#other ISC_R_* errors translated from errno
- *		These occur when stat returns -1 and an errno.
- */
-
-isc_result_t
-isc_file_isdirectory(const char *name);
-/*!<
- * \brief Check that 'name' exists and is a directory.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *		Success, file is a directory.
- *\li	#ISC_R_INVALIDFILE
- *		File is not a directory.
- *\li	#ISC_R_FILENOTFOUND
- *		File does not exist.
- *\li	#other ISC_R_* errors translated from errno
- *		These occur when stat returns -1 and an errno.
- */
-
-isc_boolean_t
-isc_file_iscurrentdir(const char *filename);
-/*!<
- * \brief Return #ISC_TRUE if the given file name is the current directory (".").
- */
-
-isc_boolean_t
-isc_file_ischdiridempotent(const char *filename);
-/*%<
- * Return #ISC_TRUE if calling chdir(filename) multiple times will give
- * the same result as calling it once.
- */
-
-const char *
-isc_file_basename(const char *filename);
-/*%<
- * Return the final component of the path in the file name.
- */
-
-isc_result_t
-isc_file_progname(const char *filename, char *buf, size_t buflen);
-/*!<
- * \brief Given an operating system specific file name "filename"
- * referring to a program, return the canonical program name.
- *
- *
- * Any directory prefix or executable file name extension (if
- * used on the OS in case) is stripped.  On systems where program
- * names are case insensitive, the name is canonicalized to all
- * lower case.  The name is written to 'buf', an array of 'buflen'
- * chars, and null terminated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE 	The name did not fit in 'buf'.
- */
-
-isc_result_t
-isc_file_template(const char *path, const char *templet, char *buf,
-		  size_t buflen);
-/*%<
- * Create an OS specific template using 'path' to define the directory
- * 'templet' to describe the filename and store the result in 'buf'
- * such that path can be renamed to buf atomically.
- */
-
-isc_result_t
-isc_file_renameunique(const char *file, char *templet);
-/*%<
- * Rename 'file' using 'templet' as a template for the new file name.
- */
-
-isc_result_t
-isc_file_absolutepath(const char *filename, char *path, size_t pathlen);
-/*%<
- * Given a file name, return the fully qualified path to the file.
- */
-
-/*
- * XXX We should also have a isc_file_writeeopen() function
- * for safely open a file in a publicly writable directory
- * (see write_open() in BIND 8's ns_config.c).
- */
-
-isc_result_t
-isc_file_truncate(const char *filename, isc_offset_t size);
-/*%<
- * Truncate/extend the file specified to 'size' bytes.
- */
-
-isc_result_t
-isc_file_safecreate(const char *filename, FILE **fp);
-/*%<
- * Open 'filename' for writing, truncating if necessary.  Ensure that
- * if it existed it was a normal file.  If creating the file, ensure
- * that only the owner can read/write it.
- */
-
-isc_result_t
-isc_file_splitpath(isc_mem_t *mctx, char *path,
-		   char **dirname, char **basename);
-/*%<
- * Split a path into dirname and basename.  If 'path' contains no slash
- * (or, on windows, backslash), then '*dirname' is set to ".".
- *
- * Allocates memory for '*dirname', which can be freed with isc_mem_free().
- *
- * Returns:
- * - ISC_R_SUCCESS on success
- * - ISC_R_INVALIDFILE if 'path' is empty or ends with '/'
- * - ISC_R_NOMEMORY if unable to allocate memory
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_FILE_H */
diff --git a/contrib/bind9/lib/isc/include/isc/formatcheck.h b/contrib/bind9/lib/isc/include/isc/formatcheck.h
deleted file mode 100644
index 51ce3ca..0000000
--- a/contrib/bind9/lib/isc/include/isc/formatcheck.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: formatcheck.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_FORMATCHECK_H
-#define ISC_FORMATCHECK_H 1
-
-/*! \file isc/formatcheck.h */
-
-/*%
- * ISC_FORMAT_PRINTF().
- *
- * \li fmt is the location of the format string parameter.
- * \li args is the location of the first argument (or 0 for no argument checking).
- * 
- * Note:
- * \li The first parameter is 1, not 0.
- */
-#ifdef __GNUC__
-#define ISC_FORMAT_PRINTF(fmt, args) __attribute__((__format__(__printf__, fmt, args)))
-#else
-#define ISC_FORMAT_PRINTF(fmt, args)
-#endif
-
-#endif /* ISC_FORMATCHECK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/fsaccess.h b/contrib/bind9/lib/isc/include/isc/fsaccess.h
deleted file mode 100644
index 7962bbe..0000000
--- a/contrib/bind9/lib/isc/include/isc/fsaccess.h
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: fsaccess.h,v 1.16 2009/01/17 23:47:43 tbox Exp $ */
-
-#ifndef ISC_FSACCESS_H
-#define ISC_FSACCESS_H 1
-
-/*! \file isc/fsaccess.h
- * \brief The ISC filesystem access module encapsulates the setting of file
- * and directory access permissions into one API that is meant to be
- * portable to multiple operating systems.
- *
- * The two primary operating system flavors that are initially accommodated
- * are POSIX and Windows NT 4.0 and later.  The Windows NT access model is
- * considerable more flexible than POSIX's model (as much as I am loathe to
- * admit it), and so the ISC API has a higher degree of complexity than would
- * be needed to simply address POSIX's needs.
- *
- * The full breadth of NT's flexibility is not available either, for the
- * present time.  Much of it is to provide compatibility with what Unix
- * programmers are expecting.  This is also due to not yet really needing all
- * of the functionality of an NT system (or, for that matter, a POSIX system)
- * in BIND9, and so resolving how to handle the various incompatibilities has
- * been a purely theoretical exercise with no operational experience to
- * indicate how flawed the thinking may be.
- *
- * Some of the more notable dumbing down of NT for this API includes:
- *
- *\li   Each of FILE_READ_DATA and FILE_READ_EA are set with #ISC_FSACCESS_READ.
- *
- * \li  All of FILE_WRITE_DATA, FILE_WRITE_EA and FILE_APPEND_DATA are
- *     set with #ISC_FSACCESS_WRITE.  FILE_WRITE_ATTRIBUTES is not set
- *     so as to be consistent with Unix, where only the owner of the file
- *     or the superuser can change the attributes/mode of a file.
- *
- * \li  Both of FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY are set with
- *     #ISC_FSACCESS_CREATECHILD.  This is similar to setting the WRITE
- *     permission on a Unix directory.
- *
- * \li  SYNCHRONIZE is always set for files and directories, unless someone
- *     can give me a reason why this is a bad idea.
- *
- * \li  READ_CONTROL and FILE_READ_ATTRIBUTES are always set; this is
- *     consistent with Unix, where any file or directory can be stat()'d
- *     unless the directory path disallows complete access somewhere along
- *     the way.
- *
- * \li  WRITE_DAC is only set for the owner.  This too is consistent with
- *     Unix, and is tighter security than allowing anyone else to be
- *     able to set permissions.
- *
- * \li  DELETE is only set for the owner.  On Unix the ability to delete
- *     a file is controlled by the directory permissions, but it isn't
- *     currently clear to me what happens on NT if the directory has
- *     FILE_DELETE_CHILD set but a file within it does not have DELETE
- *     set.  Always setting DELETE on the file/directory for the owner
- *     gives maximum flexibility to the owner without exposing the
- *     file to deletion by others.
- *
- * \li  WRITE_OWNER is never set.  This too is consistent with Unix,
- *     and is also tighter security than allowing anyone to change the
- *     ownership of the file apart from the superu..ahem, Administrator.
- *
- * \li  Inheritance is set to NO_INHERITANCE.
- *
- * Unix's dumbing down includes:
- *
- * \li  The sticky bit cannot be set.
- *
- * \li  setuid and setgid cannot be set.
- *
- * \li  Only regular files and directories can be set.
- *
- * The rest of this comment discusses a few of the incompatibilities
- * between the two systems that need more thought if this API is to
- * be extended to accommodate them.
- *
- * The Windows standard access right "DELETE" doesn't have a direct
- * equivalent in the Unix world, so it isn't clear what should be done
- * with it.
- *
- * The Unix sticky bit is not supported.  While NT does have a concept
- * of allowing users to create files in a directory but not delete or
- * rename them, it does not have a concept of allowing them to be deleted
- * if they are owned by the user trying to delete/rename.  While it is
- * probable that something could be cobbled together in NT 5 with inheritance,
- * it can't really be done in NT 4 as a single property that you could
- * set on a directory.  You'd need to coordinate something with file creation
- * so that every file created had DELETE set for the owner but noone else.
- *
- * On Unix systems, setting #ISC_FSACCESS_LISTDIRECTORY sets READ.
- * ... setting either #ISC_FSACCESS_CREATECHILD or #ISC_FSACCESS_DELETECHILD
- *      sets WRITE.
- * ... setting #ISC_FSACCESS_ACCESSCHILD sets EXECUTE.
- *
- * On NT systems, setting #ISC_FSACCESS_LISTDIRECTORY sets FILE_LIST_DIRECTORY.
- * ... setting #ISC_FSACCESS_CREATECHILD sets FILE_CREATE_CHILD independently.
- * ... setting #ISC_FSACCESS_DELETECHILD sets FILE_DELETE_CHILD independently.
- * ... setting #ISC_FSACCESS_ACCESSCHILD sets FILE_TRAVERSE.
- *
- * Unresolved:							XXXDCL
- * \li  What NT access right controls the ability to rename a file?
- * \li  How does DELETE work?  If a directory has FILE_DELETE_CHILD but a
- *      file or directory within it does not have DELETE, is that file
- *	or directory deletable?
- * \li  To implement isc_fsaccess_get(), mapping an existing Unix permission
- * 	mode_t back to an isc_fsaccess_t is pretty trivial; however, mapping
- *	an NT DACL could be impossible to do in a responsible way.
- * \li  Similarly, trying to implement the functionality of being able to
- *	say "add group writability to whatever permissions already exist"
- *	could be tricky on NT because of the order-of-entry issue combined
- *	with possibly having one or more matching ACEs already explicitly
- *	granting or denying access.  Because this functionality is
- *	not yet needed by the ISC, no code has been written to try to
- * 	solve this problem.
- */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*
- * Trustees.
- */
-#define ISC_FSACCESS_OWNER	0x1 /*%< User account. */
-#define ISC_FSACCESS_GROUP	0x2 /*%< Primary group owner. */
-#define ISC_FSACCESS_OTHER	0x4 /*%< Not the owner or the group owner. */
-#define ISC_FSACCESS_WORLD	0x7 /*%< User, Group, Other. */
-
-/*
- * Types of permission.
- */
-#define ISC_FSACCESS_READ		0x00000001 /*%< File only. */
-#define ISC_FSACCESS_WRITE		0x00000002 /*%< File only. */
-#define ISC_FSACCESS_EXECUTE		0x00000004 /*%< File only. */
-#define ISC_FSACCESS_CREATECHILD	0x00000008 /*%< Dir only. */
-#define ISC_FSACCESS_DELETECHILD	0x00000010 /*%< Dir only. */
-#define ISC_FSACCESS_LISTDIRECTORY	0x00000020 /*%< Dir only. */
-#define ISC_FSACCESS_ACCESSCHILD	0x00000040 /*%< Dir only. */
-
-/*%
- * Adding any permission bits beyond 0x200 would mean typedef'ing
- * isc_fsaccess_t as isc_uint64_t, and redefining this value to
- * reflect the new range of permission types, Probably to 21 for
- * maximum flexibility.  The number of bits has to accommodate all of
- * the permission types, and three full sets of them have to fit
- * within an isc_fsaccess_t.
- */
-#define ISC__FSACCESS_PERMISSIONBITS 10
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access);
-
-void
-isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access);
-
-isc_result_t
-isc_fsaccess_set(const char *path, isc_fsaccess_t access);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_FSACCESS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hash.h b/contrib/bind9/lib/isc/include/isc/hash.h
deleted file mode 100644
index ca04b4e..0000000
--- a/contrib/bind9/lib/isc/include/isc/hash.h
+++ /dev/null
@@ -1,185 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hash.h,v 1.12 2009/01/17 23:47:43 tbox Exp $ */
-
-#ifndef ISC_HASH_H
-#define ISC_HASH_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/hash.h
- *
- * \brief The hash API
- *	provides an unpredictable hash value for variable length data.
- *	A hash object contains a random vector (which is hidden from clients
- *	of this API) to make the actual hash value unpredictable.
- *
- *	The algorithm used in the API guarantees the probability of hash
- *	collision; in the current implementation, as long as the values stored
- *	in the random vector are unpredictable, the probability of hash
- *	collision between arbitrary two different values is at most 1/2^16.
- *
- *	Although the API is generic about the hash keys, it mainly expects
- *	DNS names (and sometimes IPv4/v6 addresses) as inputs.  It has an
- *	upper limit of the input length, and may run slow to calculate the
- *	hash values for large inputs.
- *
- *	This API is designed to be general so that it can provide multiple
- *	different hash contexts that have different random vectors.  However,
- *	it should be typical to have a single context for an entire system.
- *	To support such cases, the API also provides a single-context mode.
- *
- * \li MP:
- *	The hash object is almost read-only.  Once the internal random vector
- *	is initialized, no write operation will occur, and there will be no
- *	need to lock the object to calculate actual hash values.
- *
- * \li Reliability:
- *	In some cases this module uses low-level data copy to initialize the
- *	random vector.  Errors in this part are likely to crash the server or
- *	corrupt memory.
- *
- * \li Resources:
- *	A buffer, used as a random vector for calculating hash values.
- *
- * \li Security:
- *	This module intends to provide unpredictable hash values in
- *	adversarial environments in order to avoid denial of service attacks
- *	to hash buckets.
- *	Its unpredictability relies on the quality of entropy to build the
- *	random vector.
- *
- * \li Standards:
- *	None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/types.h>
-
-/***
- *** Functions
- ***/
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy, unsigned int limit,
-		   isc_hash_t **hctx);
-isc_result_t
-isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit);
-/*!<
- * \brief Create a new hash object.
- *
- * isc_hash_ctxcreate() creates a different object.
- *
- * isc_hash_create() creates a module-internal object to support the
- * single-context mode.  It should be called only once.
- *
- * 'entropy' must be NULL or a valid entropy object.  If 'entropy' is NULL,
- * pseudo random values will be used to build the random vector, which may
- * weaken security.
- *
- * 'limit' specifies the maximum number of hash keys.  If it is too large,
- * these functions may fail.
- */
-
-void
-isc_hash_ctxattach(isc_hash_t *hctx, isc_hash_t **hctxp);
-/*!<
- * \brief Attach to a hash object.
- *
- * This function is only necessary for the multiple-context mode.
- */
-
-void
-isc_hash_ctxdetach(isc_hash_t **hctxp);
-/*!<
- * \brief Detach from a hash object.
- *
- * This function  is for the multiple-context mode, and takes a valid
- * hash object as an argument.
- */
-
-void
-isc_hash_destroy(void);
-/*!<
- * \brief This function is for the single-context mode, and is expected to be used
- * as a counterpart of isc_hash_create().
- *
- * A valid module-internal hash object must have been created, and this
- * function should be called only once.
- */
-
-/*@{*/
-void
-isc_hash_ctxinit(isc_hash_t *hctx);
-void
-isc_hash_init(void);
-/*!<
- * \brief Initialize a hash object.
- *
- * It fills in the random vector with a proper
- * source of entropy, which is typically from the entropy object specified
- * at the creation.  Thus, it is desirable to call these functions after
- * initializing the entropy object with some good entropy sources.
- *
- * These functions should be called before the first hash calculation.
- *
- * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
- * object as an argument.
- *
- * isc_hash_init() is for the single-context mode.  A valid module-internal
- * hash object must have been created, and this function should be called only
- * once.
- */
-/*@}*/
-
-/*@{*/
-unsigned int
-isc_hash_ctxcalc(isc_hash_t *hctx, const unsigned char *key,
-		 unsigned int keylen, isc_boolean_t case_sensitive);
-unsigned int
-isc_hash_calc(const unsigned char *key, unsigned int keylen,
-	      isc_boolean_t case_sensitive);
-/*!<
- * \brief Calculate a hash value.
- *
- * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
- * object as an argument.
- *
- * isc_hash_init() is for the single-context mode.  A valid module-internal
- * hash object must have been created.
- *
- * 'key' is the hash key, which is a variable length buffer.
- *
- * 'keylen' specifies the key length, which must not be larger than the limit
- * specified for the corresponding hash object.
- *
- * 'case_sensitive' specifies whether the hash key should be treated as
- * case_sensitive values.  It should typically be ISC_FALSE if the hash key
- * is a DNS name.
- */
-/*@}*/
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_HASH_H */
diff --git a/contrib/bind9/lib/isc/include/isc/heap.h b/contrib/bind9/lib/isc/include/isc/heap.h
deleted file mode 100644
index 0b3a53b..0000000
--- a/contrib/bind9/lib/isc/include/isc/heap.h
+++ /dev/null
@@ -1,172 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: heap.h,v 1.26 2009/01/17 23:47:43 tbox Exp $ */
-
-#ifndef ISC_HEAP_H
-#define ISC_HEAP_H 1
-
-/*! \file isc/heap.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*%
- * The comparison function returns ISC_TRUE if the first argument has
- * higher priority than the second argument, and ISC_FALSE otherwise.
- */
-typedef isc_boolean_t (*isc_heapcompare_t)(void *, void *);
-
-/*%
- * The index function allows the client of the heap to receive a callback
- * when an item's index number changes.  This allows it to maintain
- * sync with its external state, but still delete itself, since deletions
- * from the heap require the index be provided.
- */
-typedef void (*isc_heapindex_t)(void *, unsigned int);
-
-/*%
- * The heapaction function is used when iterating over the heap.
- *
- * NOTE:  The heap structure CANNOT BE MODIFIED during the call to
- * isc_heap_foreach().
- */
-typedef void (*isc_heapaction_t)(void *, void *);
-
-typedef struct isc_heap isc_heap_t;
-
-isc_result_t
-isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
-		isc_heapindex_t index, unsigned int size_increment,
-		isc_heap_t **heapp);
-/*!<
- * \brief Create a new heap.  The heap is implemented using a space-efficient
- * storage method.  When the heap elements are deleted space is not freed
- * but will be reused when new elements are inserted.
- *
- * Heap elements are indexed from 1.
- *
- * Requires:
- *\li	"mctx" is valid.
- *\li	"compare" is a function which takes two void * arguments and
- *	returns ISC_TRUE if the first argument has a higher priority than
- *	the second, and ISC_FALSE otherwise.
- *\li	"index" is a function which takes a void *, and an unsigned int
- *	argument.  This function will be called whenever an element's
- *	index value changes, so it may continue to delete itself from the
- *	heap.  This option may be NULL if this functionality is unneeded.
- *\li	"size_increment" is a hint about how large the heap should grow
- *	when resizing is needed.  If this is 0, a default size will be
- *	used, which is currently 1024, allowing space for an additional 1024
- *	heap elements to be inserted before adding more space.
- *\li	"heapp" is not NULL, and "*heap" is NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS		- success
- *\li	ISC_R_NOMEMORY		- insufficient memory
- */
-
-void
-isc_heap_destroy(isc_heap_t **heapp);
-/*!<
- * \brief Destroys a heap.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- */
-
-isc_result_t
-isc_heap_insert(isc_heap_t *heap, void *elt);
-/*!<
- * \brief Inserts a new element into a heap.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- */
-
-void
-isc_heap_delete(isc_heap_t *heap, unsigned int index);
-/*!<
- * \brief Deletes an element from a heap, by element index.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"index" is a valid element index, as provided by the "index" callback
- *	provided during heap creation.
- */
-
-void
-isc_heap_increased(isc_heap_t *heap, unsigned int index);
-/*!<
- * \brief Indicates to the heap that an element's priority has increased.
- * This function MUST be called whenever an element has increased in priority.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"index" is a valid element index, as provided by the "index" callback
- *	provided during heap creation.
- */
-
-void
-isc_heap_decreased(isc_heap_t *heap, unsigned int index);
-/*!<
- * \brief Indicates to the heap that an element's priority has decreased.
- * This function MUST be called whenever an element has decreased in priority.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"index" is a valid element index, as provided by the "index" callback
- *	provided during heap creation.
- */
-
-void *
-isc_heap_element(isc_heap_t *heap, unsigned int index);
-/*!<
- * \brief Returns the element for a specific element index.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"index" is a valid element index, as provided by the "index" callback
- *	provided during heap creation.
- *
- * Returns:
- *\li	A pointer to the element for the element index.
- */
-
-void
-isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap);
-/*!<
- * \brief Iterate over the heap, calling an action for each element.  The
- * order of iteration is not sorted.
- *
- * Requires:
- *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
- *\li	"action" is not NULL, and is a function which takes two arguments.
- *	The first is a void *, representing the element, and the second is
- *	"uap" as provided to isc_heap_foreach.
- *\li	"uap" is a caller-provided argument, and may be NULL.
- *
- * Note:
- *\li	The heap structure CANNOT be modified during this iteration.  The only
- *	safe function to call while iterating the heap is isc_heap_element().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_HEAP_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hex.h b/contrib/bind9/lib/isc/include/isc/hex.h
deleted file mode 100644
index a5e2f53..0000000
--- a/contrib/bind9/lib/isc/include/isc/hex.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hex.h,v 1.13 2008/09/25 04:02:39 tbox Exp $ */
-
-#ifndef ISC_HEX_H
-#define ISC_HEX_H 1
-
-/*! \file isc/hex.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_hex_totext(isc_region_t *source, int wordlength,
-	       const char *wordbreak, isc_buffer_t *target);
-/*!<
- * \brief Convert data into hex encoded text.
- *
- * Notes:
- *\li	The hex encoded text in 'target' will be divided into
- *	words of at most 'wordlength' characters, separated by
- * 	the 'wordbreak' string.  No parentheses will surround
- *	the text.
- *
- * Requires:
- *\li	'source' is a region containing binary data
- *\li	'target' is a text buffer containing available space
- *\li	'wordbreak' points to a null-terminated string of
- *		zero or more whitespace characters
- *
- * Ensures:
- *\li	target will contain the hex encoded version of the data
- *	in source.  The 'used' pointer in target will be advanced as
- *	necessary.
- */
-
-isc_result_t
-isc_hex_decodestring(const char *cstr, isc_buffer_t *target);
-/*!<
- * \brief Decode a null-terminated hex string.
- *
- * Requires:
- *\li	'cstr' is non-null.
- *\li	'target' is a valid buffer.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
- *			   fit in 'target'.
- *\li	#ISC_R_BADHEX -- 'cstr' is not a valid hex encoding.
- *
- * 	Other error returns are any possible error code from:
- *		isc_lex_create(),
- *		isc_lex_openbuffer(),
- *		isc_hex_tobuffer().
- */
-
-isc_result_t
-isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
-/*!<
- * \brief Convert hex encoded text from a lexer context into data.
- *
- * Requires:
- *\li	'lex' is a valid lexer context
- *\li	'target' is a buffer containing binary data
- *\li	'length' is an integer
- *
- * Ensures:
- *\li	target will contain the data represented by the hex encoded
- *	string parsed by the lexer.  No more than length bytes will be read,
- *	if length is positive.  The 'used' pointer in target will be
- *	advanced as necessary.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_HEX_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hmacmd5.h b/contrib/bind9/lib/isc/include/isc/hmacmd5.h
deleted file mode 100644
index 9ecad453..0000000
--- a/contrib/bind9/lib/isc/include/isc/hmacmd5.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hmacmd5.h,v 1.14 2009/02/06 23:47:42 tbox Exp $ */
-
-/*! \file isc/hmacmd5.h
- * \brief This is the header file for the HMAC-MD5 keyed hash algorithm
- * described in RFC2104.
- */
-
-#ifndef ISC_HMACMD5_H
-#define ISC_HMACMD5_H 1
-
-#include <isc/lang.h>
-#include <isc/md5.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#define ISC_HMACMD5_KEYLENGTH 64
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-#include <openssl/hmac.h>
-
-typedef HMAC_CTX isc_hmacmd5_t;
-
-#else
-
-typedef struct {
-	isc_md5_t md5ctx;
-	unsigned char key[ISC_HMACMD5_KEYLENGTH];
-} isc_hmacmd5_t;
-#endif
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
-		 unsigned int len);
-
-void
-isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx);
-
-void
-isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
-		   unsigned int len);
-
-void
-isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest);
-
-isc_boolean_t
-isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest);
-
-isc_boolean_t
-isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_HMACMD5_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hmacsha.h b/contrib/bind9/lib/isc/include/isc/hmacsha.h
deleted file mode 100644
index 1d0e184..0000000
--- a/contrib/bind9/lib/isc/include/isc/hmacsha.h
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * Copyright (C) 2005-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hmacsha.h,v 1.9 2009/02/06 23:47:42 tbox Exp $ */
-
-/*! \file isc/hmacsha.h
- * This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
- * HMAC-SHA334 and HMAC-SHA512 hash algorithm described in RFC 2104.
- */
-
-#ifndef ISC_HMACSHA_H
-#define ISC_HMACSHA_H 1
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/sha1.h>
-#include <isc/sha2.h>
-#include <isc/types.h>
-
-#define ISC_HMACSHA1_KEYLENGTH ISC_SHA1_BLOCK_LENGTH
-#define ISC_HMACSHA224_KEYLENGTH ISC_SHA224_BLOCK_LENGTH
-#define ISC_HMACSHA256_KEYLENGTH ISC_SHA256_BLOCK_LENGTH
-#define ISC_HMACSHA384_KEYLENGTH ISC_SHA384_BLOCK_LENGTH
-#define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-#include <openssl/hmac.h>
-
-typedef HMAC_CTX isc_hmacsha1_t;
-typedef HMAC_CTX isc_hmacsha224_t;
-typedef HMAC_CTX isc_hmacsha256_t;
-typedef HMAC_CTX isc_hmacsha384_t;
-typedef HMAC_CTX isc_hmacsha512_t;
-
-#else
-
-typedef struct {
-	isc_sha1_t sha1ctx;
-	unsigned char key[ISC_HMACSHA1_KEYLENGTH];
-} isc_hmacsha1_t;
-
-typedef struct {
-	isc_sha224_t sha224ctx;
-	unsigned char key[ISC_HMACSHA224_KEYLENGTH];
-} isc_hmacsha224_t;
-
-typedef struct {
-	isc_sha256_t sha256ctx;
-	unsigned char key[ISC_HMACSHA256_KEYLENGTH];
-} isc_hmacsha256_t;
-
-typedef struct {
-	isc_sha384_t sha384ctx;
-	unsigned char key[ISC_HMACSHA384_KEYLENGTH];
-} isc_hmacsha384_t;
-
-typedef struct {
-	isc_sha512_t sha512ctx;
-	unsigned char key[ISC_HMACSHA512_KEYLENGTH];
-} isc_hmacsha512_t;
-#endif
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
-		  unsigned int len);
-
-void
-isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx);
-
-void
-isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
-		    unsigned int len);
-
-void
-isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len);
-
-isc_boolean_t
-isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len);
-
-
-void
-isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
-		    unsigned int len);
-
-void
-isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx);
-
-void
-isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
-		      unsigned int len);
-
-void
-isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len);
-
-isc_boolean_t
-isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len);
-
-
-void
-isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
-		    unsigned int len);
-
-void
-isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx);
-
-void
-isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
-		      unsigned int len);
-
-void
-isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len);
-
-isc_boolean_t
-isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len);
-
-
-void
-isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
-		    unsigned int len);
-
-void
-isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx);
-
-void
-isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
-		      unsigned int len);
-
-void
-isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len);
-
-isc_boolean_t
-isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len);
-
-
-void
-isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
-		    unsigned int len);
-
-void
-isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx);
-
-void
-isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
-		      unsigned int len);
-
-void
-isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len);
-
-isc_boolean_t
-isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_HMACSHA_H */
diff --git a/contrib/bind9/lib/isc/include/isc/httpd.h b/contrib/bind9/lib/isc/include/isc/httpd.h
deleted file mode 100644
index ba7f900..0000000
--- a/contrib/bind9/lib/isc/include/isc/httpd.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2006-2008  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: httpd.h,v 1.9 2008/08/08 05:06:49 marka Exp $ */
-
-#ifndef ISC_HTTPD_H
-#define ISC_HTTPD_H 1
-
-/*! \file */
-
-#include <isc/event.h>
-#include <isc/eventclass.h>
-#include <isc/types.h>
-#include <isc/mutex.h>
-#include <isc/task.h>
-
-#define HTTPD_EVENTCLASS		ISC_EVENTCLASS(4300)
-#define HTTPD_SHUTDOWN			(HTTPD_EVENTCLASS + 0x0001)
-
-#define ISC_HTTPDMGR_FLAGSHUTTINGDOWN	0x00000001
-
-/*
- * Create a new http daemon which will send, once every time period,
- * a http-like header followed by HTTP data.
- */
-isc_result_t
-isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
-		    isc_httpdclientok_t *client_ok,
-		    isc_httpdondestroy_t *ondestory, void *cb_arg,
-		    isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdp);
-
-void
-isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdp);
-
-isc_result_t
-isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
-		    isc_httpdaction_t *func, void *arg);
-
-isc_result_t
-isc_httpd_response(isc_httpd_t *httpd);
-
-isc_result_t
-isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
-		    const char *val);
-
-isc_result_t
-isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val);
-
-isc_result_t isc_httpd_endheaders(isc_httpd_t *httpd);
-
-#endif /* ISC_HTTPD_H */
diff --git a/contrib/bind9/lib/isc/include/isc/interfaceiter.h b/contrib/bind9/lib/isc/include/isc/interfaceiter.h
deleted file mode 100644
index 26d5dfb..0000000
--- a/contrib/bind9/lib/isc/include/isc/interfaceiter.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: interfaceiter.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_INTERFACEITER_H
-#define ISC_INTERFACEITER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/interfaceiter.h
- * \brief Iterates over the list of network interfaces.
- *
- * Interfaces whose address family is not supported are ignored and never
- * returned by the iterator.  Interfaces whose netmask, interface flags,
- * or similar cannot be obtained are also ignored, and the failure is logged.
- *
- * Standards:
- *	The API for scanning varies greatly among operating systems.
- *	This module attempts to hide the differences.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/netaddr.h>
-#include <isc/types.h>
-
-/*!
- * \brief Public structure describing a network interface.
- */
-
-struct isc_interface {
-	char name[32];			/*%< Interface name, null-terminated. */
-	unsigned int af;		/*%< Address family. */
-	isc_netaddr_t address;		/*%< Local address. */
-	isc_netaddr_t netmask;		/*%< Network mask. */
-	isc_netaddr_t dstaddress; 	/*%< Destination address (point-to-point only). */
-	isc_uint32_t flags;		/*%< Flags; see INTERFACE flags. */
-};
-
-/*@{*/
-/*! Interface flags. */
-
-#define INTERFACE_F_UP			0x00000001U
-#define INTERFACE_F_POINTTOPOINT	0x00000002U
-#define INTERFACE_F_LOOPBACK		0x00000004U
-/*@}*/
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp);
-/*!<
- * \brief Create an iterator for traversing the operating system's list
- * of network interfaces.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- *\li	Various network-related errors
- */
-
-isc_result_t
-isc_interfaceiter_first(isc_interfaceiter_t *iter);
-/*!<
- * \brief Position the iterator on the first interface.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Success.
- *\li	#ISC_R_NOMORE		There are no interfaces.
- */
-
-isc_result_t
-isc_interfaceiter_current(isc_interfaceiter_t *iter,
-			  isc_interface_t *ifdata);
-/*!<
- * \brief Get information about the interface the iterator is currently
- * positioned at and store it at *ifdata.
- *
- * Requires:
- *\li 	The iterator has been successfully positioned using
- * 	isc_interface_iter_first() / isc_interface_iter_next().
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Success.
- */
-
-isc_result_t
-isc_interfaceiter_next(isc_interfaceiter_t *iter);
-/*!<
- * \brief Position the iterator on the next interface.
- *
- * Requires:
- * \li	The iterator has been successfully positioned using
- * 	isc_interface_iter_first() / isc_interface_iter_next().
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Success.
- *\li	#ISC_R_NOMORE		There are no more interfaces.
- */
-
-void
-isc_interfaceiter_destroy(isc_interfaceiter_t **iterp);
-/*!<
- * \brief Destroy the iterator.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_INTERFACEITER_H */
diff --git a/contrib/bind9/lib/isc/include/isc/ipv6.h b/contrib/bind9/lib/isc/include/isc/ipv6.h
deleted file mode 100644
index 8054c9e..0000000
--- a/contrib/bind9/lib/isc/include/isc/ipv6.h
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ipv6.h,v 1.24 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_IPV6_H
-#define ISC_IPV6_H 1
-
-/*!
- * Also define LWRES_IPV6_H to keep it from being included if liblwres is
- * being used, or redefinition errors will occur.
- */
-#define LWRES_IPV6_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/ipv6.h
- * \brief IPv6 definitions for systems which do not support IPv6.
- *
- * \li MP:
- *	No impact.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	N/A.
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	RFC2553.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/int.h>
-#include <isc/platform.h>
-
-/***
- *** Types.
- ***/
-
-struct in6_addr {
-        union {
-		isc_uint8_t	_S6_u8[16];
-		isc_uint16_t	_S6_u16[8];
-		isc_uint32_t	_S6_u32[4];
-        } _S6_un;
-};
-#define s6_addr		_S6_un._S6_u8
-#define s6_addr8	_S6_un._S6_u8
-#define s6_addr16	_S6_un._S6_u16
-#define s6_addr32	_S6_un._S6_u32
-
-#define IN6ADDR_ANY_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
-#define IN6ADDR_LOOPBACK_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
-
-LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
-LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
-
-struct sockaddr_in6 {
-#ifdef ISC_PLATFORM_HAVESALEN
-	isc_uint8_t		sin6_len;
-	isc_uint8_t		sin6_family;
-#else
-	isc_uint16_t		sin6_family;
-#endif
-	isc_uint16_t		sin6_port;
-	isc_uint32_t		sin6_flowinfo;
-	struct in6_addr		sin6_addr;
-	isc_uint32_t		sin6_scope_id;
-};
-
-#ifdef ISC_PLATFORM_HAVESALEN
-#define SIN6_LEN 1
-#endif
-
-/*%
- * Unspecified
- */
-#define IN6_IS_ADDR_UNSPECIFIED(a)      \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] == 0))
-
-/*%
- * Loopback
- */
-#define IN6_IS_ADDR_LOOPBACK(a)         \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] == htonl(1)))
-
-/*%
- * IPv4 compatible
- */
-#define IN6_IS_ADDR_V4COMPAT(a)         \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] != 0) &&    \
-         ((a)->s6_addr32[3] != htonl(1)))
-
-/*%
- * Mapped
- */
-#define IN6_IS_ADDR_V4MAPPED(a)               \
-        (((a)->s6_addr32[0] == 0) &&          \
-         ((a)->s6_addr32[1] == 0) &&          \
-         ((a)->s6_addr32[2] == htonl(0x0000ffff)))
-
-/*%
- * Multicast
- */
-#define IN6_IS_ADDR_MULTICAST(a)	\
-	((a)->s6_addr8[0] == 0xffU)
-
-/*%
- * Unicast link / site local.
- */
-#define IN6_IS_ADDR_LINKLOCAL(a)	\
-	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
-#define IN6_IS_ADDR_SITELOCAL(a)	\
-	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
-
-#endif /* ISC_IPV6_H */
diff --git a/contrib/bind9/lib/isc/include/isc/iterated_hash.h b/contrib/bind9/lib/isc/include/isc/iterated_hash.h
deleted file mode 100644
index a8173f0..0000000
--- a/contrib/bind9/lib/isc/include/isc/iterated_hash.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: iterated_hash.h,v 1.3 2008/09/25 04:02:39 tbox Exp $ */
-
-#ifndef ISC_ITERATED_HASH_H
-#define ISC_ITERATED_HASH_H 1
-
-#include <isc/lang.h>
-#include <isc/sha1.h>
-
-/*
- * The maximal hash length that can be encoded it a name
- * using base32hex.  floor(255/8)*5
- */
-#define NSEC3_MAX_HASH_LENGTH 155
-
-/*
- * The maximum has that can be encoded in a single label using
- * base32hex.  floor(63/8)*5
- */
-#define NSEC3_MAX_LABEL_HASH 35
-
-ISC_LANG_BEGINDECLS
-
-int isc_iterated_hash(unsigned char out[NSEC3_MAX_HASH_LENGTH],
-		      unsigned int hashalg, int iterations,
-		      const unsigned char *salt, int saltlength,
-		      const unsigned char *in, int inlength);
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_ITERATED_HASH_H */
diff --git a/contrib/bind9/lib/isc/include/isc/lang.h b/contrib/bind9/lib/isc/include/isc/lang.h
deleted file mode 100644
index 8c60866..0000000
--- a/contrib/bind9/lib/isc/include/isc/lang.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lang.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_LANG_H
-#define ISC_LANG_H 1
-
-/*! \file isc/lang.h */
-
-#ifdef __cplusplus
-#define ISC_LANG_BEGINDECLS	extern "C" {
-#define ISC_LANG_ENDDECLS	}
-#else
-#define ISC_LANG_BEGINDECLS
-#define ISC_LANG_ENDDECLS
-#endif
-
-#endif /* ISC_LANG_H */
diff --git a/contrib/bind9/lib/isc/include/isc/lex.h b/contrib/bind9/lib/isc/include/isc/lex.h
deleted file mode 100644
index 8612150..0000000
--- a/contrib/bind9/lib/isc/include/isc/lex.h
+++ /dev/null
@@ -1,431 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lex.h,v 1.37 2008/05/30 23:47:01 tbox Exp $ */
-
-#ifndef ISC_LEX_H
-#define ISC_LEX_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/lex.h
- * \brief The "lex" module provides a lightweight tokenizer.  It can operate
- * on files or buffers, and can handle "include".  It is designed for
- * parsing of DNS master files and the BIND configuration file, but
- * should be general enough to tokenize other things, e.g. HTTP.
- *
- * \li MP:
- *	No synchronization is provided.  Clients must ensure exclusive
- *	access.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	TBS
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- * 	None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/region.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Options
- ***/
-
-/*@{*/
-/*!
- * Various options for isc_lex_gettoken().
- */
-
-#define ISC_LEXOPT_EOL			0x01	/*%< Want end-of-line token. */
-#define ISC_LEXOPT_EOF			0x02	/*%< Want end-of-file token. */
-#define ISC_LEXOPT_INITIALWS		0x04	/*%< Want initial whitespace. */
-#define ISC_LEXOPT_NUMBER		0x08	/*%< Recognize numbers. */
-#define ISC_LEXOPT_QSTRING		0x10	/*%< Recognize qstrings. */
-/*@}*/
-
-/*@{*/
-/*!
- * The ISC_LEXOPT_DNSMULTILINE option handles the processing of '(' and ')' in
- * the DNS master file format.  If this option is set, then the
- * ISC_LEXOPT_INITIALWS and ISC_LEXOPT_EOL options will be ignored when
- * the paren count is > 0.  To use this option, '(' and ')' must be special
- * characters.
- */
-#define ISC_LEXOPT_DNSMULTILINE		0x20	/*%< Handle '(' and ')'. */
-#define ISC_LEXOPT_NOMORE		0x40	/*%< Want "no more" token. */
-
-#define ISC_LEXOPT_CNUMBER		0x80    /*%< Recognize octal and hex. */
-#define ISC_LEXOPT_ESCAPE		0x100	/*%< Recognize escapes. */
-#define ISC_LEXOPT_QSTRINGMULTILINE	0x200	/*%< Allow multiline "" strings */
-#define ISC_LEXOPT_OCTAL		0x400	/*%< Expect a octal number. */
-/*@}*/
-/*@{*/
-/*!
- * Various commenting styles, which may be changed at any time with
- * isc_lex_setcomments().
- */
-
-#define ISC_LEXCOMMENT_C		0x01
-#define ISC_LEXCOMMENT_CPLUSPLUS	0x02
-#define ISC_LEXCOMMENT_SHELL		0x04
-#define ISC_LEXCOMMENT_DNSMASTERFILE	0x08
-/*@}*/
-
-/***
- *** Types
- ***/
-
-/*! Lex */
-
-typedef char isc_lexspecials_t[256];
-
-/* Tokens */
-
-typedef enum {
-	isc_tokentype_unknown = 0,
-	isc_tokentype_string = 1,
-	isc_tokentype_number = 2,
-	isc_tokentype_qstring = 3,
-	isc_tokentype_eol = 4,
-	isc_tokentype_eof = 5,
-	isc_tokentype_initialws = 6,
-	isc_tokentype_special = 7,
-	isc_tokentype_nomore = 8
-} isc_tokentype_t;
-
-typedef union {
-	char				as_char;
-	unsigned long			as_ulong;
-	isc_region_t			as_region;
-	isc_textregion_t		as_textregion;
-	void *				as_pointer;
-} isc_tokenvalue_t;
-
-typedef struct isc_token {
-	isc_tokentype_t			type;
-	isc_tokenvalue_t		value;
-} isc_token_t;
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp);
-/*%<
- * Create a lexer.
- *
- * 'max_token' is a hint of the number of bytes in the largest token.
- *
- * Requires:
- *\li	'*lexp' is a valid lexer.
- *
- *\li	max_token > 0.
- *
- * Ensures:
- *\li	On success, *lexp is attached to the newly created lexer.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-void
-isc_lex_destroy(isc_lex_t **lexp);
-/*%<
- * Destroy the lexer.
- *
- * Requires:
- *\li	'*lexp' is a valid lexer.
- *
- * Ensures:
- *\li	*lexp == NULL
- */
-
-unsigned int
-isc_lex_getcomments(isc_lex_t *lex);
-/*%<
- * Return the current lexer commenting styles.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- * Returns:
- *\li	The commenting sytles which are currently allowed.
- */
-
-void
-isc_lex_setcomments(isc_lex_t *lex, unsigned int comments);
-/*%<
- * Set allowed lexer commenting styles.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- *\li	'comments' has meaningful values.
- */
-
-void
-isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials);
-/*%<
- * Put the current list of specials into 'specials'.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- */
-
-void
-isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials);
-/*!<
- * The characters in 'specials' are returned as tokens.  Along with
- * whitespace, they delimit strings and numbers.
- *
- * Note:
- *\li	Comment processing takes precedence over special character
- *	recognition.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- */
-
-isc_result_t
-isc_lex_openfile(isc_lex_t *lex, const char *filename);
-/*%<
- * Open 'filename' and make it the current input source for 'lex'.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- *\li	filename is a valid C string.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY			Out of memory
- *\li	#ISC_R_NOTFOUND			File not found
- *\li	#ISC_R_NOPERM			No permission to open file
- *\li	#ISC_R_FAILURE			Couldn't open file, not sure why
- *\li	#ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_lex_openstream(isc_lex_t *lex, FILE *stream);
-/*%<
- * Make 'stream' the current input source for 'lex'.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- *\li	'stream' is a valid C stream.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY			Out of memory
- */
-
-isc_result_t
-isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer);
-/*%<
- * Make 'buffer' the current input source for 'lex'.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- *\li	'buffer' is a valid buffer.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY			Out of memory
- */
-
-isc_result_t
-isc_lex_close(isc_lex_t *lex);
-/*%<
- * Close the most recently opened object (i.e. file or buffer).
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMORE			No more input sources
- */
-
-isc_result_t
-isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp);
-/*%<
- * Get the next token.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- *\li	'lex' has an input source.
- *
- *\li	'options' contains valid options.
- *
- *\li	'*tokenp' is a valid pointer.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_UNEXPECTEDEND
- *\li	#ISC_R_NOMEMORY
- *
- *	These two results are returned only if their corresponding lexer
- *	options are not set.
- *
- *\li	#ISC_R_EOF			End of input source
- *\li	#ISC_R_NOMORE			No more input sources
- */
-
-isc_result_t
-isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
-		       isc_tokentype_t expect, isc_boolean_t eol);
-/*%<
- * Get the next token from a DNS master file type stream.  This is a
- * convenience function that sets appropriate options and handles quoted
- * strings and end of line correctly for master files.  It also ungets
- * unexpected tokens.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- *\li	'token' is a valid pointer
- *
- * Returns:
- *
- * \li	any return code from isc_lex_gettoken().
- */
-
-isc_result_t
-isc_lex_getoctaltoken(isc_lex_t *lex, isc_token_t *token, isc_boolean_t eol);
-/*%<
- * Get the next token from a DNS master file type stream.  This is a
- * convenience function that sets appropriate options and handles end
- * of line correctly for master files.  It also ungets unexpected tokens.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- *\li	'token' is a valid pointer
- *
- * Returns:
- *
- * \li	any return code from isc_lex_gettoken().
- */
-
-void
-isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp);
-/*%<
- * Unget the current token.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- *\li	'lex' has an input source.
- *
- *\li	'tokenp' points to a valid token.
- *
- *\li	There is no ungotten token already.
- */
-
-void
-isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r);
-/*%<
- * Returns a region containing the text of the last token returned.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- *\li	'lex' has an input source.
- *
- *\li	'tokenp' points to a valid token.
- *
- *\li	A token has been gotten and not ungotten.
- */
-
-char *
-isc_lex_getsourcename(isc_lex_t *lex);
-/*%<
- * Return the input source name.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- * Returns:
- * \li	source name or NULL if no current source.
- *\li	result valid while current input source exists.
- */
-
-
-unsigned long
-isc_lex_getsourceline(isc_lex_t *lex);
-/*%<
- * Return the input source line number.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- * Returns:
- *\li 	Current line number or 0 if no current source.
- */
-
-isc_result_t
-isc_lex_setsourcename(isc_lex_t *lex, const char *name);
-/*%<
- * Assigns a new name to the input source.
- *
- * Requires:
- *
- * \li	'lex' is a valid lexer.
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- * \li	#ISC_R_NOTFOUND - there are no sources.
- */
-
-isc_boolean_t
-isc_lex_isfile(isc_lex_t *lex);
-/*%<
- * Return whether the current input source is a file.
- *
- * Requires:
- *\li	'lex' is a valid lexer.
- *
- * Returns:
- * \li	#ISC_TRUE if the current input is a file,
- *\li	#ISC_FALSE otherwise.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_LEX_H */
diff --git a/contrib/bind9/lib/isc/include/isc/lfsr.h b/contrib/bind9/lib/isc/include/isc/lfsr.h
deleted file mode 100644
index d4d9707..0000000
--- a/contrib/bind9/lib/isc/include/isc/lfsr.h
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lfsr.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_LFSR_H
-#define ISC_LFSR_H 1
-
-/*! \file isc/lfsr.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-typedef struct isc_lfsr isc_lfsr_t;
-
-/*%
- * This function is called when reseeding is needed.  It is allowed to
- * modify any state in the LFSR in any way it sees fit OTHER THAN "bits".
- *
- * It MUST set "count" to a new value or the lfsr will never reseed again.
- *
- * Also, a reseed will never occur in the middle of an extraction.  This
- * is purely an optimization, and is probably what one would want.
- */
-typedef void (*isc_lfsrreseed_t)(isc_lfsr_t *, void *);
-
-/*%
- * The members of this structure can be used by the application, but care
- * needs to be taken to not change state once the lfsr is in operation.
- */
-struct isc_lfsr {
-	isc_uint32_t		state;	/*%< previous state */
-	unsigned int		bits;	/*%< length */
-	isc_uint32_t		tap;	/*%< bit taps */
-	unsigned int		count;	/*%< reseed count (in BITS!) */
-	isc_lfsrreseed_t	reseed;	/*%< reseed function */
-	void		       *arg;	/*%< reseed function argument */
-};
-
-ISC_LANG_BEGINDECLS
-
-
-void 
-isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
-		   isc_uint32_t tap, unsigned int count,
-		   isc_lfsrreseed_t reseed, void *arg);
-/*%<
- * Initialize an LFSR.
- *
- * Note:
- *
- *\li	Putting untrusted values into this function will cause the LFSR to
- *	generate (perhaps) non-maximal length sequences.
- *
- * Requires:
- *
- *\li	lfsr != NULL
- *
- *\li	8 <= bits <= 32
- *
- *\li	tap != 0
- */
-
-void 
-isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count);
-/*%<
- * Returns "count" bytes of data from the LFSR.
- *
- * Requires:
- *
- *\li	lfsr be valid.
- *
- *\li	data != NULL.
- *
- *\li	count > 0.
- */
-
-void 
-isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip);
-/*%<
- * Skip "skip" states.
- *
- * Requires:
- *
- *\li	lfsr be valid.
- */
-
-isc_uint32_t 
-isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2);
-/*%<
- * Given two LFSRs, use the current state from each to skip entries in the
- * other.  The next states are then xor'd together and returned.
- *
- * WARNING:
- *
- *\li	This function is used only for very, very low security data, such
- *	as DNS message IDs where it is desired to have an unpredictable
- *	stream of bytes that are harder to predict than a simple flooding
- *	attack.
- *
- * Notes:
- *
- *\li	Since the current state from each of the LFSRs is used to skip
- *	state in the other, it is important that no state be leaked
- *	from either LFSR.
- *
- * Requires:
- *
- *\li	lfsr1 and lfsr2 be valid.
- *
- *\li	1 <= skipbits <= 31
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_LFSR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/lib.h b/contrib/bind9/lib/isc/include/isc/lib.h
deleted file mode 100644
index f24fef8..0000000
--- a/contrib/bind9/lib/isc/include/isc/lib.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.h,v 1.16 2009/09/02 23:48:03 tbox Exp $ */
-
-#ifndef ISC_LIB_H
-#define ISC_LIB_H 1
-
-/*! \file isc/lib.h */
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-LIBISC_EXTERNAL_DATA extern isc_msgcat_t *isc_msgcat;
-
-void
-isc_lib_initmsgcat(void);
-/*!<
- * \brief Initialize the ISC library's message catalog, isc_msgcat, if it
- * has not already been initialized.
- */
-
-void
-isc_lib_register(void);
-/*!<
- * \brief Register the ISC library implementations for some base services
- * such as memory or event management and handling socket or timer events.
- * An external application that wants to use the ISC library must call this
- * function very early in main().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_LIB_H */
diff --git a/contrib/bind9/lib/isc/include/isc/list.h b/contrib/bind9/lib/isc/include/isc/list.h
deleted file mode 100644
index 401bbdad..0000000
--- a/contrib/bind9/lib/isc/include/isc/list.h
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * Copyright (C) 2004, 2006, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_LIST_H
-#define ISC_LIST_H 1
-#include <isc/boolean.h>
-#include <isc/assertions.h>
-
-#ifdef ISC_LIST_CHECKINIT
-#define ISC_LINK_INSIST(x) ISC_INSIST(x)
-#else
-#define ISC_LINK_INSIST(x)
-#endif
-
-#define ISC_LIST(type) struct { type *head, *tail; }
-#define ISC_LIST_INIT(list) \
-	do { (list).head = NULL; (list).tail = NULL; } while (0)
-
-#define ISC_LINK(type) struct { type *prev, *next; }
-#define ISC_LINK_INIT_TYPE(elt, link, type) \
-	do { \
-		(elt)->link.prev = (type *)(-1); \
-		(elt)->link.next = (type *)(-1); \
-	} while (0)
-#define ISC_LINK_INIT(elt, link) \
-	ISC_LINK_INIT_TYPE(elt, link, void)
-#define ISC_LINK_LINKED(elt, link) ((void *)((elt)->link.prev) != (void *)(-1))
-
-#define ISC_LIST_HEAD(list) ((list).head)
-#define ISC_LIST_TAIL(list) ((list).tail)
-#define ISC_LIST_EMPTY(list) ISC_TF((list).head == NULL)
-
-#define __ISC_LIST_PREPENDUNSAFE(list, elt, link) \
-	do { \
-		if ((list).head != NULL) \
-			(list).head->link.prev = (elt); \
-		else \
-			(list).tail = (elt); \
-		(elt)->link.prev = NULL; \
-		(elt)->link.next = (list).head; \
-		(list).head = (elt); \
-	} while (0)
-
-#define ISC_LIST_PREPEND(list, elt, link) \
-	do { \
-		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
-		__ISC_LIST_PREPENDUNSAFE(list, elt, link); \
-	} while (0)
-
-#define ISC_LIST_INITANDPREPEND(list, elt, link) \
-		__ISC_LIST_PREPENDUNSAFE(list, elt, link)
-
-#define __ISC_LIST_APPENDUNSAFE(list, elt, link) \
-	do { \
-		if ((list).tail != NULL) \
-			(list).tail->link.next = (elt); \
-		else \
-			(list).head = (elt); \
-		(elt)->link.prev = (list).tail; \
-		(elt)->link.next = NULL; \
-		(list).tail = (elt); \
-	} while (0)
-
-#define ISC_LIST_APPEND(list, elt, link) \
-	do { \
-		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
-		__ISC_LIST_APPENDUNSAFE(list, elt, link); \
-	} while (0)
-
-#define ISC_LIST_INITANDAPPEND(list, elt, link) \
-		__ISC_LIST_APPENDUNSAFE(list, elt, link)
-
-#define __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type) \
-	do { \
-		if ((elt)->link.next != NULL) \
-			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else { \
-			ISC_INSIST((list).tail == (elt)); \
-			(list).tail = (elt)->link.prev; \
-		} \
-		if ((elt)->link.prev != NULL) \
-			(elt)->link.prev->link.next = (elt)->link.next; \
-		else { \
-			ISC_INSIST((list).head == (elt)); \
-			(list).head = (elt)->link.next; \
-		} \
-		(elt)->link.prev = (type *)(-1); \
-		(elt)->link.next = (type *)(-1); \
-		ISC_INSIST((list).head != (elt)); \
-		ISC_INSIST((list).tail != (elt)); \
-	} while (0)
-
-#define __ISC_LIST_UNLINKUNSAFE(list, elt, link) \
-	__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
-
-#define ISC_LIST_UNLINK_TYPE(list, elt, link, type) \
-	do { \
-		ISC_LINK_INSIST(ISC_LINK_LINKED(elt, link)); \
-		__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type); \
-	} while (0)
-#define ISC_LIST_UNLINK(list, elt, link) \
-	ISC_LIST_UNLINK_TYPE(list, elt, link, void)
-
-#define ISC_LIST_PREV(elt, link) ((elt)->link.prev)
-#define ISC_LIST_NEXT(elt, link) ((elt)->link.next)
-
-#define __ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link) \
-	do { \
-		if ((before)->link.prev == NULL) \
-			ISC_LIST_PREPEND(list, elt, link); \
-		else { \
-			(elt)->link.prev = (before)->link.prev; \
-			(before)->link.prev = (elt); \
-			(elt)->link.prev->link.next = (elt); \
-			(elt)->link.next = (before); \
-		} \
-	} while (0)
-
-#define ISC_LIST_INSERTBEFORE(list, before, elt, link) \
-	do { \
-		ISC_LINK_INSIST(ISC_LINK_LINKED(before, link)); \
-		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
-		__ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link); \
-	} while (0)
-
-#define __ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link) \
-	do { \
-		if ((after)->link.next == NULL) \
-			ISC_LIST_APPEND(list, elt, link); \
-		else { \
-			(elt)->link.next = (after)->link.next; \
-			(after)->link.next = (elt); \
-			(elt)->link.next->link.prev = (elt); \
-			(elt)->link.prev = (after); \
-		} \
-	} while (0)
-
-#define ISC_LIST_INSERTAFTER(list, after, elt, link) \
-	do { \
-		ISC_LINK_INSIST(ISC_LINK_LINKED(after, link)); \
-		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
-		__ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link); \
-	} while (0)
-
-#define ISC_LIST_APPENDLIST(list1, list2, link) \
-	do { \
-		if (ISC_LIST_EMPTY(list1)) \
-			(list1) = (list2); \
-		else if (!ISC_LIST_EMPTY(list2)) { \
-			(list1).tail->link.next = (list2).head; \
-			(list2).head->link.prev = (list1).tail; \
-			(list1).tail = (list2).tail; \
-		} \
-		(list2).head = NULL; \
-		(list2).tail = NULL; \
-	} while (0)
-
-#define ISC_LIST_PREPENDLIST(list1, list2, link) \
-	do { \
-		if (ISC_LIST_EMPTY(list1)) \
-			(list1) = (list2); \
-		else if (!ISC_LIST_EMPTY(list2)) { \
-			(list2).tail->link.next = (list1).head; \
-			(list1).head->link.prev = (list2).tail; \
-			(list1).head = (list2).head; \
-		} \
-		(list2).head = NULL; \
-		(list2).tail = NULL; \
-	} while (0)
-
-#define ISC_LIST_ENQUEUE(list, elt, link) ISC_LIST_APPEND(list, elt, link)
-#define __ISC_LIST_ENQUEUEUNSAFE(list, elt, link) \
-	__ISC_LIST_APPENDUNSAFE(list, elt, link)
-#define ISC_LIST_DEQUEUE(list, elt, link) \
-	 ISC_LIST_UNLINK_TYPE(list, elt, link, void)
-#define ISC_LIST_DEQUEUE_TYPE(list, elt, link, type) \
-	 ISC_LIST_UNLINK_TYPE(list, elt, link, type)
-#define __ISC_LIST_DEQUEUEUNSAFE(list, elt, link) \
-	__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
-#define __ISC_LIST_DEQUEUEUNSAFE_TYPE(list, elt, link, type) \
-	__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type)
-
-#endif /* ISC_LIST_H */
diff --git a/contrib/bind9/lib/isc/include/isc/log.h b/contrib/bind9/lib/isc/include/isc/log.h
deleted file mode 100644
index 741c532..0000000
--- a/contrib/bind9/lib/isc/include/isc/log.h
+++ /dev/null
@@ -1,914 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.h,v 1.59 2009/02/16 02:01:16 marka Exp $ */
-
-#ifndef ISC_LOG_H
-#define ISC_LOG_H 1
-
-/*! \file isc/log.h */
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <syslog.h> /* XXXDCL NT */
-
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-/*@{*/
-/*!
- * \brief Severity levels, patterned after Unix's syslog levels.
- *
- */
-#define ISC_LOG_DEBUG(level)	(level)
-/*!
- * #ISC_LOG_DYNAMIC can only be used for defining channels with
- * isc_log_createchannel(), not to specify a level in isc_log_write().
- */
-#define ISC_LOG_DYNAMIC	  	  0
-#define ISC_LOG_INFO		(-1)
-#define ISC_LOG_NOTICE		(-2)
-#define ISC_LOG_WARNING 	(-3)
-#define ISC_LOG_ERROR		(-4)
-#define ISC_LOG_CRITICAL	(-5)
-/*@}*/
-
-/*@{*/
-/*!
- * \brief Destinations.
- */
-#define ISC_LOG_TONULL		1
-#define ISC_LOG_TOSYSLOG	2
-#define ISC_LOG_TOFILE		3
-#define ISC_LOG_TOFILEDESC	4
-/*@}*/
-
-/*@{*/
-/*%
- * Channel flags.
- */
-#define ISC_LOG_PRINTTIME	0x0001
-#define ISC_LOG_PRINTLEVEL	0x0002
-#define ISC_LOG_PRINTCATEGORY	0x0004
-#define ISC_LOG_PRINTMODULE	0x0008
-#define ISC_LOG_PRINTTAG	0x0010
-#define ISC_LOG_PRINTALL	0x001F
-#define ISC_LOG_DEBUGONLY	0x1000
-#define ISC_LOG_OPENERR		0x8000		/* internal */
-/*@}*/
-
-/*@{*/
-/*!
- * \brief Other options.
- *
- * XXXDCL INFINITE doesn't yet work.  Arguably it isn't needed, but
- *   since I am intend to make large number of versions work efficiently,
- *   INFINITE is going to be trivial to add to that.
- */
-#define ISC_LOG_ROLLINFINITE	(-1)
-#define ISC_LOG_ROLLNEVER	(-2)
-/*@}*/
-
-/*!
- * \brief Used to name the categories used by a library.
- *
- * An array of isc_logcategory
- * structures names each category, and the id value is initialized by calling
- * isc_log_registercategories.
- */
-struct isc_logcategory {
-	const char *name;
-	unsigned int id;
-};
-
-/*%
- * Similar to isc_logcategory, but for all the modules a library defines.
- */
-struct isc_logmodule {
-	const char *name;
-	unsigned int id;
-};
-
-/*%
- * The isc_logfile structure is initialized as part of an isc_logdestination
- * before calling isc_log_createchannel().
- *
- * When defining an #ISC_LOG_TOFILE
- * channel the name, versions and maximum_size should be set before calling
- * isc_log_createchannel().  To define an #ISC_LOG_TOFILEDESC channel set only
- * the stream before the call.
- *
- * Setting maximum_size to zero implies no maximum.
- */
-typedef struct isc_logfile {
-	FILE *stream;		/*%< Initialized to NULL for #ISC_LOG_TOFILE. */
-	const char *name;	/*%< NULL for #ISC_LOG_TOFILEDESC. */
-	int versions;	/* >= 0, #ISC_LOG_ROLLNEVER, #ISC_LOG_ROLLINFINITE. */
-	/*%
-	 * stdio's ftell is standardized to return a long, which may well not
-	 * be big enough for the largest file supportable by the operating
-	 * system (though it is _probably_ big enough for the largest log
-	 * anyone would want).  st_size returned by fstat should be typedef'd
-	 * to a size large enough for the largest possible file on a system.
-	 */
-	isc_offset_t maximum_size;
-	isc_boolean_t maximum_reached; /*%< Private. */
-} isc_logfile_t;
-
-/*%
- * Passed to isc_log_createchannel to define the attributes of either
- * a stdio or a syslog log.
- */
-typedef union isc_logdestination {
-	isc_logfile_t file;
-	int facility;		/* XXXDCL NT */
-} isc_logdestination_t;
-
-/*@{*/
-/*%
- * The built-in categories of libisc.
- *
- * Each library registering categories should provide library_LOGCATEGORY_name
- * definitions with indexes into its isc_logcategory structure corresponding to
- * the order of the names.
- */
-LIBISC_EXTERNAL_DATA extern isc_logcategory_t isc_categories[];
-LIBISC_EXTERNAL_DATA extern isc_log_t *isc_lctx;
-LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[];
-/*@}*/
-
-/*@{*/
-/*%
- * Do not log directly to DEFAULT.  Use another category.  When in doubt,
- * use GENERAL.
- */
-#define ISC_LOGCATEGORY_DEFAULT	(&isc_categories[0])
-#define ISC_LOGCATEGORY_GENERAL	(&isc_categories[1])
-/*@}*/
-
-#define ISC_LOGMODULE_SOCKET (&isc_modules[0])
-#define ISC_LOGMODULE_TIME (&isc_modules[1])
-#define ISC_LOGMODULE_INTERFACE (&isc_modules[2])
-#define ISC_LOGMODULE_TIMER (&isc_modules[3])
-#define ISC_LOGMODULE_FILE (&isc_modules[4])
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp);
-/*%<
- * Establish a new logging context, with default channels.
- *
- * Notes:
- *\li	isc_log_create() calls isc_logconfig_create(), so see its comment
- *	below for more information.
- *
- * Requires:
- *\li	mctx is a valid memory context.
- *\li	lctxp is not null and *lctxp is null.
- *\li	lcfgp is null or lcfgp is not null and *lcfgp is null.
- *
- * Ensures:
- *\li	*lctxp will point to a valid logging context if all of the necessary
- *	memory was allocated, or NULL otherwise.
- *\li	*lcfgp will point to a valid logging configuration if all of the
- *	necessary memory was allocated, or NULL otherwise.
- *\li	On failure, no additional memory is allocated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Success
- *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
- */
-
-isc_result_t
-isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp);
-/*%<
- * Create the data structure that holds all of the configurable information
- * about where messages are actually supposed to be sent -- the information
- * that could changed based on some configuration file, as opposed to the
- * the category/module specification of isc_log_[v]write[1] that is compiled
- * into a program, or the debug_level which is dynamic state information.
- *
- * Notes:
- *\li	It is necessary to specify the logging context the configuration
- * 	will be used with because the number of categories and modules
- *	needs to be known in order to set the configuration.  However,
- *	the configuration is not used by the logging context until the
- *	isc_logconfig_use function is called.
- *
- *\li	The memory context used for operations that allocate memory for
- *	the configuration is that of the logging context, as specified
- *	in the isc_log_create call.
- *
- *\li	Four default channels are established:
- *\verbatim
- *	    	default_syslog
- *		 - log to syslog's daemon facility #ISC_LOG_INFO or higher
- *		default_stderr
- *		 - log to stderr #ISC_LOG_INFO or higher
- *		default_debug
- *		 - log to stderr #ISC_LOG_DEBUG dynamically
- *		null
- *		 - log nothing
- *\endverbatim
- *
- * Requires:
- *\li 	lctx is a valid logging context.
- *\li	lcftp is not null and *lcfgp is null.
- *
- * Ensures:
- *\li	*lcfgp will point to a valid logging context if all of the necessary
- *	memory was allocated, or NULL otherwise.
- *\li	On failure, no additional memory is allocated.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Success
- *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
- */
-
-isc_logconfig_t *
-isc_logconfig_get(isc_log_t *lctx);
-/*%<
- * Returns a pointer to the configuration currently in use by the log context.
- *
- * Requires:
- *\li	lctx is a valid context.
- *
- * Ensures:
- *\li	The configuration pointer is non-null.
- *
- * Returns:
- *\li	The configuration pointer.
- */
-
-isc_result_t
-isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg);
-/*%<
- * Associate a new configuration with a logging context.
- *
- * Notes:
- *\li	This is thread safe.  The logging context will lock a mutex
- *	before attempting to swap in the new configuration, and isc_log_doit
- *	(the internal function used by all of isc_log_[v]write[1]) locks
- *	the same lock for the duration of its use of the configuration.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *\li	lcfg is a valid logging configuration.
- *\li	lctx is the same configuration given to isc_logconfig_create
- *		when the configuration was created.
- *
- * Ensures:
- *\li	Future calls to isc_log_write will use the new configuration.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Success
- *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
- */
-
-void
-isc_log_destroy(isc_log_t **lctxp);
-/*%<
- * Deallocate the memory associated with a logging context.
- *
- * Requires:
- *\li	*lctx is a valid logging context.
- *
- * Ensures:
- *\li	All of the memory associated with the logging context is returned
- *	to the free memory pool.
- *
- *\li	Any open files are closed.
- *
- *\li	The logging context is marked as invalid.
- */
-
-void
-isc_logconfig_destroy(isc_logconfig_t **lcfgp);
-/*%<
- * Destroy a logging configuration.
- *
- * Notes:
- *\li	This function cannot be used directly with the return value of
- *	isc_logconfig_get, because a logging context must always have
- *	a valid configuration associated with it.
- *
- * Requires:
- *\li	lcfgp is not null and *lcfgp is a valid logging configuration.
- *\li	The logging configuration is not in use by an existing logging context.
- *
- * Ensures:
- *\li	All memory allocated for the configuration is freed.
- *
- *\li	The configuration is marked as invalid.
- */
-
-void
-isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]);
-/*%<
- * Identify logging categories a library will use.
- *
- * Notes:
- *\li	A category should only be registered once, but no mechanism enforces
- *	this rule.
- *
- *\li	The end of the categories array is identified by a NULL name.
- *
- *\li	Because the name is used by #ISC_LOG_PRINTCATEGORY, it should not
- *	be altered or destroyed after isc_log_registercategories().
- *
- *\li	Because each element of the categories array is used by
- *	isc_log_categorybyname, it should not be altered or destroyed
- *	after registration.
- *
- *\li	The value of the id integer in each structure is overwritten
- *	by this function, and so id need not be initialized to any particular
- *	value prior to the function call.
- *
- *\li	A subsequent call to isc_log_registercategories with the same
- *	logging context (but new categories) will cause the last
- *	element of the categories array from the prior call to have
- *	its "name" member changed from NULL to point to the new
- *	categories array, and its "id" member set to UINT_MAX.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *\li	categories != NULL.
- *\li	categories[0].name != NULL.
- *
- * Ensures:
- * \li	There are references to each category in the logging context,
- * 	so they can be used with isc_log_usechannel() and isc_log_write().
- */
-
-void
-isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]);
-/*%<
- * Identify logging categories a library will use.
- *
- * Notes:
- *\li	A module should only be registered once, but no mechanism enforces
- *	this rule.
- *
- *\li	The end of the modules array is identified by a NULL name.
- *
- *\li	Because the name is used by #ISC_LOG_PRINTMODULE, it should not
- *	be altered or destroyed after isc_log_registermodules().
- *
- *\li	Because each element of the modules array is used by
- *	isc_log_modulebyname, it should not be altered or destroyed
- *	after registration.
- *
- *\li	The value of the id integer in each structure is overwritten
- *	by this function, and so id need not be initialized to any particular
- *	value prior to the function call.
- *
- *\li	A subsequent call to isc_log_registermodules with the same
- *	logging context (but new modules) will cause the last
- *	element of the modules array from the prior call to have
- *	its "name" member changed from NULL to point to the new
- *	modules array, and its "id" member set to UINT_MAX.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *\li	modules != NULL.
- *\li	modules[0].name != NULL;
- *
- * Ensures:
- *\li	Each module has a reference in the logging context, so they can be
- *	used with isc_log_usechannel() and isc_log_write().
- */
-
-isc_result_t
-isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
-		      unsigned int type, int level,
-		      const isc_logdestination_t *destination,
-		      unsigned int flags);
-/*%<
- * Specify the parameters of a logging channel.
- *
- * Notes:
- *\li	The name argument is copied to memory in the logging context, so
- *	it can be altered or destroyed after isc_log_createchannel().
- *
- *\li	Defining a very large number of channels will have a performance
- *	impact on isc_log_usechannel(), since the names are searched
- *	linearly until a match is made.  This same issue does not affect
- *	isc_log_write, however.
- *
- *\li	Channel names can be redefined; this is primarily useful for programs
- *	that want their own definition of default_syslog, default_debug
- *	and default_stderr.
- *
- *\li	Any channel that is redefined will not affect logging that was
- *	already directed to its original definition, _except_ for the
- *	default_stderr channel.  This case is handled specially so that
- *	the default logging category can be changed by redefining
- *	default_stderr.  (XXXDCL Though now that I think of it, the default
- *	logging category can be changed with only one additional function
- *	call by defining a new channel and then calling isc_log_usechannel()
- *	for #ISC_LOGCATEGORY_DEFAULT.)
- *
- *\li	Specifying #ISC_LOG_PRINTTIME or #ISC_LOG_PRINTTAG for syslog is allowed,
- *	but probably not what you wanted to do.
- *
- *	#ISC_LOG_DEBUGONLY will mark the channel as usable only when the
- *	debug level of the logging context (see isc_log_setdebuglevel)
- *	is non-zero.
- *
- * Requires:
- *\li	lcfg is a valid logging configuration.
- *
- *\li	name is not NULL.
- *
- *\li	type is #ISC_LOG_TOSYSLOG, #ISC_LOG_TOFILE, #ISC_LOG_TOFILEDESC or
- *		#ISC_LOG_TONULL.
- *
- *\li	destination is not NULL unless type is #ISC_LOG_TONULL.
- *
- *\li	level is >= #ISC_LOG_CRITICAL (the most negative logging level).
- *
- *\li	flags does not include any bits aside from the ISC_LOG_PRINT* bits
- *	or #ISC_LOG_DEBUGONLY.
- *
- * Ensures:
- *\li	#ISC_R_SUCCESS
- *		A channel with the given name is usable with
- *		isc_log_usechannel().
- *
- *\li	#ISC_R_NOMEMORY or #ISC_R_UNEXPECTED
- *		No additional memory is being used by the logging context.
- *		Any channel that previously existed with the given name
- *		is not redefined.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Success
- *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
- *\li	#ISC_R_UNEXPECTED	type was out of range and REQUIRE()
- *					was disabled.
- */
-
-isc_result_t
-isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
-		   const isc_logcategory_t *category,
-		   const isc_logmodule_t *module);
-/*%<
- * Associate a named logging channel with a category and module that
- * will use it.
- *
- * Notes:
- *\li	The name is searched for linearly in the set of known channel names
- *	until a match is found.  (Note the performance impact of a very large
- *	number of named channels.)  When multiple channels of the same
- *	name are defined, the most recent definition is found.
- *
- *\li	Specifying a very large number of channels for a category will have
- *	a moderate impact on performance in isc_log_write(), as each
- *	call looks up the category for the start of a linked list, which
- *	it follows all the way to the end to find matching modules.  The
- *	test for matching modules is  integral, though.
- *
- *\li	If category is NULL, then the channel is associated with the indicated
- *	module for all known categories (including the "default" category).
- *
- *\li	If module is NULL, then the channel is associated with every module
- *	that uses that category.
- *
- *\li	Passing both category and module as NULL would make every log message
- *	use the indicated channel.
- *
- * \li	Specifying a channel that is #ISC_LOG_TONULL for a category/module pair
- *	has no effect on any other channels associated with that pair,
- *	regardless of ordering.  Thus you cannot use it to "mask out" one
- *	category/module pair when you have specified some other channel that
- * 	is also used by that category/module pair.
- *
- * Requires:
- *\li	lcfg is a valid logging configuration.
- *
- *\li	category is NULL or has an id that is in the range of known ids.
- *
- *	module is NULL or has an id that is in the range of known ids.
- *
- * Ensures:
- *\li	#ISC_R_SUCCESS
- *		The channel will be used by the indicated category/module
- *		arguments.
- *
- *\li	#ISC_R_NOMEMORY
- *		If assignment for a specific category has been requested,
- *		the channel has not been associated with the indicated
- *		category/module arguments and no additional memory is
- *		used by the logging context.
- *		If assignment for all categories has been requested
- *		then _some_ may have succeeded (starting with category
- *		"default" and progressing through the order of categories
- *		passed to isc_log_registercategories()) and additional memory
- *		is being used by whatever assignments succeeded.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	Success
- *\li	#ISC_R_NOMEMORY	Resource limit: Out of memory
- */
-
-/* Attention: next four comments PRECEED code */
-/*!
- *   \brief
- * Write a message to the log channels.
- *
- * Notes:
- *\li	Log messages containing natural language text should be logged with
- *	isc_log_iwrite() to allow for localization.
- *
- *\li	lctx can be NULL; this is allowed so that programs which use
- *	libraries that use the ISC logging system are not required to
- *	also use it.
- *
- *\li	The format argument is a printf(3) string, with additional arguments
- *	as necessary.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *
- *\li	The category and module arguments must have ids that are in the
- *	range of known ids, as established by isc_log_registercategories()
- *	and isc_log_registermodules().
- *
- *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
- *	channels, and explicit debugging level must be identified for
- *	isc_log_write() via ISC_LOG_DEBUG(level).
- *
- *\li	format != NULL.
- *
- * Ensures:
- *\li	The log message is written to every channel associated with the
- *	indicated category/module pair.
- *
- * Returns:
- *\li	Nothing.  Failure to log a message is not construed as a
- *	meaningful error.
- */
-void
-isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level,
-	      const char *format, ...)
-
-ISC_FORMAT_PRINTF(5, 6);
-
-/*%
- * Write a message to the log channels.
- *
- * Notes:
- *\li	lctx can be NULL; this is allowed so that programs which use
- *	libraries that use the ISC logging system are not required to
- *	also use it.
- *
- *\li	The format argument is a printf(3) string, with additional arguments
- *	as necessary.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *
- *\li	The category and module arguments must have ids that are in the
- *	range of known ids, as established by isc_log_registercategories()
- *	and isc_log_registermodules().
- *
- *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
- *	channels, and explicit debugging level must be identified for
- *	isc_log_write() via ISC_LOG_DEBUG(level).
- *
- *\li	format != NULL.
- *
- * Ensures:
- *\li	The log message is written to every channel associated with the
- *	indicated category/module pair.
- *
- * Returns:
- *\li	Nothing.  Failure to log a message is not construed as a
- *	meaningful error.
- */
-void
-isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level,
-	       const char *format, va_list args)
-
-ISC_FORMAT_PRINTF(5, 0);
-
-/*%
- * Write a message to the log channels, pruning duplicates that occur within
- * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
- * This function is otherwise identical to isc_log_write().
- */
-void
-isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level, const char *format, ...)
-
-ISC_FORMAT_PRINTF(5, 6);
-
-/*%
- * Write a message to the log channels, pruning duplicates that occur within
- * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
- * This function is otherwise identical to isc_log_vwrite().
- */
-void
-isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
-		isc_logmodule_t *module, int level, const char *format,
-		va_list args)
-
-ISC_FORMAT_PRINTF(5, 0);
-
-/*%
- * These are four internationalized versions of the isc_log_[v]write[1]
- * functions.
- *
- * The only difference is that they take arguments for a message
- * catalog, message set, and message number, all immediately preceding the
- * format argument.  The format argument becomes the default text, a la
- * isc_msgcat_get.  If the message catalog is NULL, no lookup is attempted
- * for a message -- which makes the message set and message number irrelevant,
- * and the non-internationalized call should have probably been used instead.
- *
- * Yes, that means there are now *eight* interfaces to logging a message.
- * Sheesh.   Make the madness stop!
- */
-/*@{*/
-void
-isc_log_iwrite(isc_log_t *lctx, isc_logcategory_t *category,
-	      isc_logmodule_t *module, int level,
-	      isc_msgcat_t *msgcat, int msgset, int message,
-	      const char *format, ...)
-ISC_FORMAT_PRINTF(8, 9);
-
-void
-isc_log_ivwrite(isc_log_t *lctx, isc_logcategory_t *category,
-		isc_logmodule_t *module, int level,
-		isc_msgcat_t *msgcat, int msgset, int message,
-		const char *format, va_list args)
-ISC_FORMAT_PRINTF(8, 0);
-
-void
-isc_log_iwrite1(isc_log_t *lctx, isc_logcategory_t *category,
-		isc_logmodule_t *module, int level,
-		isc_msgcat_t *msgcat, int msgset, int message,
-		const char *format, ...)
-ISC_FORMAT_PRINTF(8, 9);
-
-void
-isc_log_ivwrite1(isc_log_t *lctx, isc_logcategory_t *category,
-		 isc_logmodule_t *module, int level,
-		 isc_msgcat_t *msgcat, int msgset, int message,
-		 const char *format, va_list args)
-ISC_FORMAT_PRINTF(8, 0);
-/*@}*/
-
-void
-isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level);
-/*%<
- * Set the debugging level used for logging.
- *
- * Notes:
- *\li	Setting the debugging level to 0 disables debugging log messages.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *
- * Ensures:
- *\li	The debugging level is set to the requested value.
- */
-
-unsigned int
-isc_log_getdebuglevel(isc_log_t *lctx);
-/*%<
- * Get the current debugging level.
- *
- * Notes:
- *\li	This is provided so that a program can have a notion of
- *	"increment debugging level" or "decrement debugging level"
- *	without needing to keep track of what the current level is.
- *
- *\li	A return value of 0 indicates that debugging messages are disabled.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *
- * Ensures:
- *\li	The current logging debugging level is returned.
- */
-
-isc_boolean_t
-isc_log_wouldlog(isc_log_t *lctx, int level);
-/*%<
- * Determine whether logging something to 'lctx' at 'level' would
- * actually cause something to be logged somewhere.
- *
- * If #ISC_FALSE is returned, it is guaranteed that nothing would
- * be logged, allowing the caller to omit unnecessary
- * isc_log_write() calls and possible message preformatting.
- */
-
-void
-isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval);
-/*%<
- * Set the interval over which duplicate log messages will be ignored
- * by isc_log_[v]write1(), in seconds.
- *
- * Notes:
- *\li	Increasing the duplicate interval from X to Y will not necessarily
- *	filter out duplicates of messages logged in Y - X seconds since the
- *	increase.  (Example: Message1 is logged at midnight.  Message2
- *	is logged at 00:01:00, when the interval is only 30 seconds, causing
- *	Message1 to be expired from the log message history.  Then the interval
- *	is increased to 3000 (five minutes) and at 00:04:00 Message1 is logged
- *	again.  It will appear the second time even though less than five
- *	passed since the first occurrence.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- */
-
-unsigned int
-isc_log_getduplicateinterval(isc_logconfig_t *lcfg);
-/*%<
- * Get the current duplicate filtering interval.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *
- * Returns:
- *\li	The current duplicate filtering interval.
- */
-
-isc_result_t
-isc_log_settag(isc_logconfig_t *lcfg, const char *tag);
-/*%<
- * Set the program name or other identifier for #ISC_LOG_PRINTTAG.
- *
- * Requires:
- *\li	lcfg is a valid logging configuration.
- *
- * Notes:
- *\li	If this function has not set the tag to a non-NULL, non-empty value,
- *	then the #ISC_LOG_PRINTTAG channel flag will not print anything.
- *	Unlike some implementations of syslog on Unix systems, you *must* set
- *	the tag in order to get it logged.  It is not implicitly derived from
- *	the program name (which is pretty impossible to infer portably).
- *
- *\li	Setting the tag to NULL or the empty string will also cause the
- *	#ISC_LOG_PRINTTAG channel flag to not print anything.  If tag equals the
- *	empty string, calls to isc_log_gettag will return NULL.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	Success
- *\li	#ISC_R_NOMEMORY  Resource Limit: Out of memory
- *
- * XXXDCL when creating a new isc_logconfig_t, it might be nice if the tag
- * of the currently active isc_logconfig_t was inherited.  this does not
- * currently happen.
- */
-
-char *
-isc_log_gettag(isc_logconfig_t *lcfg);
-/*%<
- * Get the current identifier printed with #ISC_LOG_PRINTTAG.
- *
- * Requires:
- *\li	lcfg is a valid logging configuration.
- *
- * Notes:
- *\li	Since isc_log_settag() will not associate a zero-length string
- *	with the logging configuration, attempts to do so will cause
- *	this function to return NULL.  However, a determined programmer
- *	will observe that (currently) a tag of length greater than zero
- *	could be set, and then modified to be zero length.
- *
- * Returns:
- *\li	A pointer to the current identifier, or NULL if none has been set.
- */
-
-void
-isc_log_opensyslog(const char *tag, int options, int facility);
-/*%<
- * Initialize syslog logging.
- *
- * Notes:
- *\li	XXXDCL NT
- *	This is currently equivalent to openlog(), but is not going to remain
- *	that way.  In the meantime, the arguments are all identical to
- *	those used by openlog(3), as follows:
- *
- * \code
- *		tag: The string to use in the position of the program
- *			name in syslog messages.  Most (all?) syslogs
- *			will use basename(argv[0]) if tag is NULL.
- *
- *		options: LOG_CONS, LOG_PID, LOG_NDELAY ... whatever your
- *			syslog supports.
- *
- *		facility: The default syslog facility.  This is irrelevant
- *			since isc_log_write will ALWAYS use the channel's
- *			declared facility.
- * \endcode
- *
- *\li	Zero effort has been made (yet) to accommodate systems with openlog()
- *	that only takes two arguments, or to identify valid syslog
- *	facilities or options for any given architecture.
- *
- *\li	It is necessary to call isc_log_opensyslog() to initialize
- *	syslogging on machines which do not support network connections to
- *	syslogd because they require a Unix domain socket to be used.  Since
- *	this is a chore to determine at run-time, it is suggested that it
- *	always be called by programs using the ISC logging system.
- *
- * Requires:
- *\li	Nothing.
- *
- * Ensures:
- *\li	openlog() is called to initialize the syslog system.
- */
-
-void
-isc_log_closefilelogs(isc_log_t *lctx);
-/*%<
- * Close all open files used by #ISC_LOG_TOFILE channels.
- *
- * Notes:
- *\li	This function is provided for programs that want to use their own
- *	log rolling mechanism rather than the one provided internally.
- *	For example, a program that wanted to keep daily logs would define
- *	a channel which used #ISC_LOG_ROLLNEVER, then once a day would
- *	rename the log file and call isc_log_closefilelogs().
- *
- *\li	#ISC_LOG_TOFILEDESC channels are unaffected.
- *
- * Requires:
- *\li	lctx is a valid context.
- *
- * Ensures:
- *\li	The open files are closed and will be reopened when they are
- *	next needed.
- */
-
-isc_logcategory_t *
-isc_log_categorybyname(isc_log_t *lctx, const char *name);
-/*%<
- * Find a category by its name.
- *
- * Notes:
- *\li	The string name of a category is not required to be unique.
- *
- * Requires:
- *\li	lctx is a valid context.
- *\li	name is not NULL.
- *
- * Returns:
- *\li	A pointer to the _first_ isc_logcategory_t structure used by "name".
- *
- *\li	NULL if no category exists by that name.
- */
-
-isc_logmodule_t *
-isc_log_modulebyname(isc_log_t *lctx, const char *name);
-/*%<
- * Find a module by its name.
- *
- * Notes:
- *\li	The string name of a module is not required to be unique.
- *
- * Requires:
- *\li	lctx is a valid context.
- *\li	name is not NULL.
- *
- * Returns:
- *\li	A pointer to the _first_ isc_logmodule_t structure used by "name".
- *
- *\li	NULL if no module exists by that name.
- */
-
-void
-isc_log_setcontext(isc_log_t *lctx);
-/*%<
- * Sets the context used by the libisc for logging.
- *
- * Requires:
- *\li	lctx be a valid context.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_LOG_H */
diff --git a/contrib/bind9/lib/isc/include/isc/magic.h b/contrib/bind9/lib/isc/include/isc/magic.h
deleted file mode 100644
index 073de90..0000000
--- a/contrib/bind9/lib/isc/include/isc/magic.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: magic.h,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_MAGIC_H
-#define ISC_MAGIC_H 1
-
-/*! \file isc/magic.h */
-
-typedef struct {
-	unsigned int magic;
-} isc__magic_t;
-
-
-/*%
- * To use this macro the magic number MUST be the first thing in the
- * structure, and MUST be of type "unsigned int".
- * The intent of this is to allow magic numbers to be checked even though
- * the object is otherwise opaque.
- */
-#define ISC_MAGIC_VALID(a,b)	(((a) != NULL) && \
-				 (((const isc__magic_t *)(a))->magic == (b)))
-
-#define ISC_MAGIC(a, b, c, d)	((a) << 24 | (b) << 16 | (c) << 8 | (d))
-
-#endif /* ISC_MAGIC_H */
diff --git a/contrib/bind9/lib/isc/include/isc/md5.h b/contrib/bind9/lib/isc/include/isc/md5.h
deleted file mode 100644
index dfa586d..0000000
--- a/contrib/bind9/lib/isc/include/isc/md5.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: md5.h,v 1.20 2010/01/07 23:48:54 tbox Exp $ */
-
-/*! \file isc/md5.h
- * \brief This is the header file for the MD5 message-digest algorithm.
- *
- * The algorithm is due to Ron Rivest.  This code was
- * written by Colin Plumb in 1993, no copyright is claimed.
- * This code is in the public domain; do with it what you wish.
- *
- * Equivalent code is available from RSA Data Security, Inc.
- * This code has been tested against that, and is equivalent,
- * except that you don't need to include two pages of legalese
- * with every copy.
- *
- * To compute the message digest of a chunk of bytes, declare an
- * MD5Context structure, pass it to MD5Init, call MD5Update as
- * needed on buffers full of bytes, and then call MD5Final, which
- * will fill a supplied 16-byte array with the digest.
- *
- * Changed so as no longer to depend on Colin Plumb's `usual.h'
- * header definitions; now uses stuff from dpkg's config.h
- *  - Ian Jackson <ijackson@nyx.cs.du.edu>.
- * Still in the public domain.
- */
-
-#ifndef ISC_MD5_H
-#define ISC_MD5_H 1
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#define ISC_MD5_DIGESTLENGTH 16U
-#define ISC_MD5_BLOCK_LENGTH 64U
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-#include <openssl/evp.h>
-
-typedef EVP_MD_CTX isc_md5_t;
-
-#else
-
-typedef struct {
-	isc_uint32_t buf[4];
-	isc_uint32_t bytes[2];
-	isc_uint32_t in[16];
-} isc_md5_t;
-#endif
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_md5_init(isc_md5_t *ctx);
-
-void
-isc_md5_invalidate(isc_md5_t *ctx);
-
-void
-isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len);
-
-void
-isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_MD5_H */
diff --git a/contrib/bind9/lib/isc/include/isc/mem.h b/contrib/bind9/lib/isc/include/isc/mem.h
deleted file mode 100644
index 320d0d8..0000000
--- a/contrib/bind9/lib/isc/include/isc/mem.h
+++ /dev/null
@@ -1,733 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_MEM_H
-#define ISC_MEM_H 1
-
-/*! \file isc/mem.h */
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-#include <isc/xml.h>
-
-ISC_LANG_BEGINDECLS
-
-#define ISC_MEM_LOWATER 0
-#define ISC_MEM_HIWATER 1
-typedef void (*isc_mem_water_t)(void *, int);
-
-typedef void * (*isc_memalloc_t)(void *, size_t);
-typedef void (*isc_memfree_t)(void *, void *);
-
-/*%
- * Define ISC_MEM_TRACKLINES=1 to turn on detailed tracing of memory
- * allocation and freeing by file and line number.
- */
-#ifndef ISC_MEM_TRACKLINES
-#define ISC_MEM_TRACKLINES 1
-#endif
-
-/*%
- * Define ISC_MEM_CHECKOVERRUN=1 to turn on checks for using memory outside
- * the requested space.  This will increase the size of each allocation.
- */
-#ifndef ISC_MEM_CHECKOVERRUN
-#define ISC_MEM_CHECKOVERRUN 1
-#endif
-
-/*%
- * Define ISC_MEM_FILL=1 to fill each block of memory returned to the system
- * with the byte string '0xbe'.  This helps track down uninitialized pointers
- * and the like.  On freeing memory, the space is filled with '0xde' for
- * the same reasons.
- */
-#ifndef ISC_MEM_FILL
-#define ISC_MEM_FILL 1
-#endif
-
-/*%
- * Define ISC_MEMPOOL_NAMES=1 to make memory pools store a symbolic
- * name so that the leaking pool can be more readily identified in
- * case of a memory leak.
- */
-#ifndef ISC_MEMPOOL_NAMES
-#define ISC_MEMPOOL_NAMES 1
-#endif
-
-LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
-/*@{*/
-#define ISC_MEM_DEBUGTRACE		0x00000001U
-#define ISC_MEM_DEBUGRECORD		0x00000002U
-#define ISC_MEM_DEBUGUSAGE		0x00000004U
-#define ISC_MEM_DEBUGSIZE		0x00000008U
-#define ISC_MEM_DEBUGCTX		0x00000010U
-#define ISC_MEM_DEBUGALL		0x0000001FU
-/*!<
- * The variable isc_mem_debugging holds a set of flags for
- * turning certain memory debugging options on or off at
- * runtime.  It is initialized to the value ISC_MEM_DEGBUGGING,
- * which is 0 by default but may be overridden at compile time.
- * The following flags can be specified:
- *
- * \li #ISC_MEM_DEBUGTRACE
- *	Log each allocation and free to isc_lctx.
- *
- * \li #ISC_MEM_DEBUGRECORD
- *	Remember each allocation, and match them up on free.
- *	Crash if a free doesn't match an allocation.
- *
- * \li #ISC_MEM_DEBUGUSAGE
- *	If a hi_water mark is set, print the maximum inuse memory
- *	every time it is raised once it exceeds the hi_water mark.
- *
- * \li #ISC_MEM_DEBUGSIZE
- *	Check the size argument being passed to isc_mem_put() matches
- *	that passed to isc_mem_get().
- *
- * \li #ISC_MEM_DEBUGCTX
- *	Check the mctx argument being passed to isc_mem_put() matches
- *	that passed to isc_mem_get().
- */
-/*@}*/
-
-#if ISC_MEM_TRACKLINES
-#define _ISC_MEM_FILELINE	, __FILE__, __LINE__
-#define _ISC_MEM_FLARG		, const char *, unsigned int
-#else
-#define _ISC_MEM_FILELINE
-#define _ISC_MEM_FLARG
-#endif
-
-/*!
- * Define ISC_MEM_USE_INTERNAL_MALLOC=1 to use the internal malloc()
- * implementation in preference to the system one.  The internal malloc()
- * is very space-efficient, and quite fast on uniprocessor systems.  It
- * performs poorly on multiprocessor machines.
- * JT: we can overcome the performance issue on multiprocessor machines
- * by carefully separating memory contexts.
- */
-
-#ifndef ISC_MEM_USE_INTERNAL_MALLOC
-#define ISC_MEM_USE_INTERNAL_MALLOC 1
-#endif
-
-/*
- * Flags for isc_mem_create2()calls.
- */
-#define ISC_MEMFLAG_NOLOCK	0x00000001	 /* no lock is necessary */
-#define ISC_MEMFLAG_INTERNAL	0x00000002	 /* use internal malloc */
-#if ISC_MEM_USE_INTERNAL_MALLOC
-#define ISC_MEMFLAG_DEFAULT 	ISC_MEMFLAG_INTERNAL
-#else
-#define ISC_MEMFLAG_DEFAULT 	0
-#endif
-
-
-/*%<
- * We use either isc___mem (three underscores) or isc__mem (two) depending on
- * whether it's for BIND9's internal purpose (with -DBIND9) or generic export
- * library.  This condition is generally handled in isc/namespace.h, but for
- * Windows it doesn't work if it involves multiple times of macro expansion
- * (such as isc_mem to isc__mem then to isc___mem).  The following definitions
- * are used to work around this portability issue.  Right now, we don't support
- * the export library for Windows, so we always use the three-underscore
- * version.
- */
-#ifdef WIN32
-#define ISCMEMFUNC(sfx) isc___mem_ ## sfx
-#define ISCMEMPOOLFUNC(sfx) isc___mempool_ ## sfx
-#else
-#define ISCMEMFUNC(sfx) isc__mem_ ## sfx
-#define ISCMEMPOOLFUNC(sfx) isc__mempool_ ## sfx
-#endif
-
-#define isc_mem_get(c, s)	ISCMEMFUNC(get)((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_allocate(c, s)	ISCMEMFUNC(allocate)((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_reallocate(c, p, s) ISCMEMFUNC(reallocate)((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_strdup(c, p)	ISCMEMFUNC(strdup)((c), (p) _ISC_MEM_FILELINE)
-#define isc_mempool_get(c)	ISCMEMPOOLFUNC(get)((c) _ISC_MEM_FILELINE)
-
-/*%
- * isc_mem_putanddetach() is a convenience function for use where you
- * have a structure with an attached memory context.
- *
- * Given:
- *
- * \code
- * struct {
- *	...
- *	isc_mem_t *mctx;
- *	...
- * } *ptr;
- *
- * isc_mem_t *mctx;
- *
- * isc_mem_putanddetach(&ptr->mctx, ptr, sizeof(*ptr));
- * \endcode
- *
- * is the equivalent of:
- *
- * \code
- * mctx = NULL;
- * isc_mem_attach(ptr->mctx, &mctx);
- * isc_mem_detach(&ptr->mctx);
- * isc_mem_put(mctx, ptr, sizeof(*ptr));
- * isc_mem_detach(&mctx);
- * \endcode
- */
-
-/*% memory and memory pool methods */
-typedef struct isc_memmethods {
-	void (*attach)(isc_mem_t *source, isc_mem_t **targetp);
-	void (*detach)(isc_mem_t **mctxp);
-	void (*destroy)(isc_mem_t **mctxp);
-	void *(*memget)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
-	void (*memput)(isc_mem_t *mctx, void *ptr, size_t size _ISC_MEM_FLARG);
-	void (*memputanddetach)(isc_mem_t **mctxp, void *ptr,
-				size_t size _ISC_MEM_FLARG);
-	void *(*memallocate)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
-	void *(*memreallocate)(isc_mem_t *mctx, void *ptr,
-			       size_t size _ISC_MEM_FLARG);
-	char *(*memstrdup)(isc_mem_t *mctx, const char *s _ISC_MEM_FLARG);
-	void (*memfree)(isc_mem_t *mctx, void *ptr _ISC_MEM_FLARG);
-	void (*setdestroycheck)(isc_mem_t *mctx, isc_boolean_t flag);
-	void (*setwater)(isc_mem_t *ctx, isc_mem_water_t water,
-			 void *water_arg, size_t hiwater, size_t lowater);
-	void (*waterack)(isc_mem_t *ctx, int flag);
-	size_t (*inuse)(isc_mem_t *mctx);
-	isc_boolean_t (*isovermem)(isc_mem_t *mctx);
-	isc_result_t (*mpcreate)(isc_mem_t *mctx, size_t size,
-				 isc_mempool_t **mpctxp);
-} isc_memmethods_t;
-
-typedef struct isc_mempoolmethods {
-	void (*destroy)(isc_mempool_t **mpctxp);
-	void *(*get)(isc_mempool_t *mpctx _ISC_MEM_FLARG);
-	void (*put)(isc_mempool_t *mpctx, void *mem _ISC_MEM_FLARG);
-	unsigned int (*getallocated)(isc_mempool_t *mpctx);
-	void (*setmaxalloc)(isc_mempool_t *mpctx, unsigned int limit);
-	void (*setfreemax)(isc_mempool_t *mpctx, unsigned int limit);
-	void (*setname)(isc_mempool_t *mpctx, const char *name);
-	void (*associatelock)(isc_mempool_t *mpctx, isc_mutex_t *lock);
-	void (*setfillcount)(isc_mempool_t *mpctx, unsigned int limit);
-} isc_mempoolmethods_t;
-
-/*%
- * This structure is actually just the common prefix of a memory context
- * implementation's version of an isc_mem_t.
- * \brief
- * Direct use of this structure by clients is forbidden.  mctx implementations
- * may change the structure.  'magic' must be ISCAPI_MCTX_MAGIC for any of the
- * isc_mem_ routines to work.  mctx implementations must maintain all mctx
- * invariants.
- */
-struct isc_mem {
-	unsigned int		impmagic;
-	unsigned int		magic;
-	isc_memmethods_t	*methods;
-};
-
-#define ISCAPI_MCTX_MAGIC	ISC_MAGIC('A','m','c','x')
-#define ISCAPI_MCTX_VALID(m)	((m) != NULL && \
-				 (m)->magic == ISCAPI_MCTX_MAGIC)
-
-/*%
- * This is the common prefix of a memory pool context.  The same note as
- * that for the mem structure applies.
- */
-struct isc_mempool {
-	unsigned int		impmagic;
-	unsigned int		magic;
-	isc_mempoolmethods_t	*methods;
-};
-
-#define ISCAPI_MPOOL_MAGIC	ISC_MAGIC('A','m','p','l')
-#define ISCAPI_MPOOL_VALID(mp)	((mp) != NULL && \
-				 (mp)->magic == ISCAPI_MPOOL_MAGIC)
-
-#define isc_mem_put(c, p, s) \
-	do { \
-		ISCMEMFUNC(put)((c), (p), (s) _ISC_MEM_FILELINE);	\
-		(p) = NULL; \
-	} while (0)
-#define isc_mem_putanddetach(c, p, s) \
-	do { \
-		ISCMEMFUNC(putanddetach)((c), (p), (s) _ISC_MEM_FILELINE); \
-		(p) = NULL; \
-	} while (0)
-#define isc_mem_free(c, p) \
-	do { \
-		ISCMEMFUNC(free)((c), (p) _ISC_MEM_FILELINE);	\
-		(p) = NULL; \
-	} while (0)
-#define isc_mempool_put(c, p) \
-	do { \
-		ISCMEMPOOLFUNC(put)((c), (p) _ISC_MEM_FILELINE);	\
-		(p) = NULL; \
-	} while (0)
-
-/*@{*/
-isc_result_t
-isc_mem_create(size_t max_size, size_t target_size,
-	       isc_mem_t **mctxp);
-
-isc_result_t
-isc_mem_create2(size_t max_size, size_t target_size,
-		isc_mem_t **mctxp, unsigned int flags);
-
-isc_result_t
-isc_mem_createx(size_t max_size, size_t target_size,
-		isc_memalloc_t memalloc, isc_memfree_t memfree,
-		void *arg, isc_mem_t **mctxp);
-
-isc_result_t
-isc_mem_createx2(size_t max_size, size_t target_size,
-		 isc_memalloc_t memalloc, isc_memfree_t memfree,
-		 void *arg, isc_mem_t **mctxp, unsigned int flags);
-
-/*!<
- * \brief Create a memory context.
- *
- * 'max_size' and 'target_size' are tuning parameters.  When
- * ISC_MEMFLAG_INTERNAL is set, allocations smaller than 'max_size'
- * will be satisfied by getting blocks of size 'target_size' from the
- * system allocator and breaking them up into pieces; larger allocations
- * will use the system allocator directly. If 'max_size' and/or
- * 'target_size' are zero, default values will be * used.  When
- * ISC_MEMFLAG_INTERNAL is not set, 'target_size' is ignored.
- *
- * 'max_size' is also used to size the statistics arrays and the array
- * used to record active memory when ISC_MEM_DEBUGRECORD is set.  Setting
- * 'max_size' too low can have detrimental effects on performance.
- *
- * A memory context created using isc_mem_createx() will obtain
- * memory from the system by calling 'memalloc' and 'memfree',
- * passing them the argument 'arg'.  A memory context created
- * using isc_mem_create() will use the standard library malloc()
- * and free().
- *
- * If ISC_MEMFLAG_NOLOCK is set in 'flags', the corresponding memory context
- * will be accessed without locking.  The user who creates the context must
- * ensure there be no race.  Since this can be a source of bug, it is generally
- * inadvisable to use this flag unless the user is very sure about the race
- * condition and the access to the object is highly performance sensitive.
- *
- * Requires:
- * mctxp != NULL && *mctxp == NULL */
-/*@}*/
-
-/*@{*/
-void
-isc_mem_attach(isc_mem_t *, isc_mem_t **);
-void
-isc_mem_detach(isc_mem_t **);
-/*!<
- * \brief Attach to / detach from a memory context.
- *
- * This is intended for applications that use multiple memory contexts
- * in such a way that it is not obvious when the last allocations from
- * a given context has been freed and destroying the context is safe.
- *
- * Most applications do not need to call these functions as they can
- * simply create a single memory context at the beginning of main()
- * and destroy it at the end of main(), thereby guaranteeing that it
- * is not destroyed while there are outstanding allocations.
- */
-/*@}*/
-
-void
-isc_mem_destroy(isc_mem_t **);
-/*%<
- * Destroy a memory context.
- */
-
-isc_result_t
-isc_mem_ondestroy(isc_mem_t *ctx,
-		  isc_task_t *task,
-		  isc_event_t **event);
-/*%<
- * Request to be notified with an event when a memory context has
- * been successfully destroyed.
- */
-
-void
-isc_mem_stats(isc_mem_t *mctx, FILE *out);
-/*%<
- * Print memory usage statistics for 'mctx' on the stream 'out'.
- */
-
-void
-isc_mem_setdestroycheck(isc_mem_t *mctx,
-			isc_boolean_t on);
-/*%<
- * If 'on' is ISC_TRUE, 'mctx' will check for memory leaks when
- * destroyed and abort the program if any are present.
- */
-
-/*@{*/
-void
-isc_mem_setquota(isc_mem_t *, size_t);
-size_t
-isc_mem_getquota(isc_mem_t *);
-/*%<
- * Set/get the memory quota of 'mctx'.  This is a hard limit
- * on the amount of memory that may be allocated from mctx;
- * if it is exceeded, allocations will fail.
- */
-/*@}*/
-
-size_t
-isc_mem_inuse(isc_mem_t *mctx);
-/*%<
- * Get an estimate of the number of memory in use in 'mctx', in bytes.
- * This includes quantization overhead, but does not include memory
- * allocated from the system but not yet used.
- */
-
-isc_boolean_t
-isc_mem_isovermem(isc_mem_t *mctx);
-/*%<
- * Return true iff the memory context is in "over memory" state, i.e.,
- * a hiwater mark has been set and the used amount of memory has exceeds
- * the mark.
- */
-
-void
-isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
-		 size_t hiwater, size_t lowater);
-/*%<
- * Set high and low water marks for this memory context.
- *
- * When the memory usage of 'mctx' exceeds 'hiwater',
- * '(water)(water_arg, #ISC_MEM_HIWATER)' will be called.  'water' needs to
- * call isc_mem_waterack() with #ISC_MEM_HIWATER to acknowledge the state
- * change.  'water' may be called multiple times.
- *
- * When the usage drops below 'lowater', 'water' will again be called, this
- * time with #ISC_MEM_LOWATER.  'water' need to calls isc_mem_waterack() with
- * #ISC_MEM_LOWATER to acknowledge the change.
- *
- *	static void
- *	water(void *arg, int mark) {
- *		struct foo *foo = arg;
- *
- *		LOCK(&foo->marklock);
- *		if (foo->mark != mark) {
- * 			foo->mark = mark;
- *			....
- *			isc_mem_waterack(foo->mctx, mark);
- *		}
- *		UNLOCK(&foo->marklock);
- *	}
- *
- * If 'water' is NULL then 'water_arg', 'hi_water' and 'lo_water' are
- * ignored and the state is reset.
- *
- * Requires:
- *
- *	'water' is not NULL.
- *	hi_water >= lo_water
- */
-
-void
-isc_mem_waterack(isc_mem_t *ctx, int mark);
-/*%<
- * Called to acknowledge changes in signaled by calls to 'water'.
- */
-
-void
-isc_mem_printactive(isc_mem_t *mctx, FILE *file);
-/*%<
- * Print to 'file' all active memory in 'mctx'.
- *
- * Requires ISC_MEM_DEBUGRECORD to have been set.
- */
-
-void
-isc_mem_printallactive(FILE *file);
-/*%<
- * Print to 'file' all active memory in all contexts.
- *
- * Requires ISC_MEM_DEBUGRECORD to have been set.
- */
-
-void
-isc_mem_checkdestroyed(FILE *file);
-/*%<
- * Check that all memory contexts have been destroyed.
- * Prints out those that have not been.
- * Fatally fails if there are still active contexts.
- */
-
-unsigned int
-isc_mem_references(isc_mem_t *ctx);
-/*%<
- * Return the current reference count.
- */
-
-void
-isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag);
-/*%<
- * Name 'ctx'.
- *
- * Notes:
- *
- *\li	Only the first 15 characters of 'name' will be copied.
- *
- *\li	'tag' is for debugging purposes only.
- *
- * Requires:
- *
- *\li	'ctx' is a valid ctx.
- */
-
-const char *
-isc_mem_getname(isc_mem_t *ctx);
-/*%<
- * Get the name of 'ctx', as previously set using isc_mem_setname().
- *
- * Requires:
- *\li	'ctx' is a valid ctx.
- *
- * Returns:
- *\li	A non-NULL pointer to a null-terminated string.
- * 	If the ctx has not been named, the string is
- * 	empty.
- */
-
-void *
-isc_mem_gettag(isc_mem_t *ctx);
-/*%<
- * Get the tag value for  'task', as previously set using isc_mem_setname().
- *
- * Requires:
- *\li	'ctx' is a valid ctx.
- *
- * Notes:
- *\li	This function is for debugging purposes only.
- *
- * Requires:
- *\li	'ctx' is a valid task.
- */
-
-#ifdef HAVE_LIBXML2
-int
-isc_mem_renderxml(xmlTextWriterPtr writer);
-/*%<
- * Render all contexts' statistics and status in XML for writer.
- */
-#endif /* HAVE_LIBXML2 */
-
-/*
- * Memory pools
- */
-
-isc_result_t
-isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
-/*%<
- * Create a memory pool.
- *
- * Requires:
- *\li	mctx is a valid memory context.
- *\li	size > 0
- *\li	mpctxp != NULL and *mpctxp == NULL
- *
- * Defaults:
- *\li	maxalloc = UINT_MAX
- *\li	freemax = 1
- *\li	fillcount = 1
- *
- * Returns:
- *\li	#ISC_R_NOMEMORY		-- not enough memory to create pool
- *\li	#ISC_R_SUCCESS		-- all is well.
- */
-
-void
-isc_mempool_destroy(isc_mempool_t **mpctxp);
-/*%<
- * Destroy a memory pool.
- *
- * Requires:
- *\li	mpctxp != NULL && *mpctxp is a valid pool.
- *\li	The pool has no un"put" allocations outstanding
- */
-
-void
-isc_mempool_setname(isc_mempool_t *mpctx, const char *name);
-/*%<
- * Associate a name with a memory pool.  At most 15 characters may be used.
- *
- * Requires:
- *\li	mpctx is a valid pool.
- *\li	name != NULL;
- */
-
-void
-isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
-/*%<
- * Associate a lock with this memory pool.
- *
- * This lock is used when getting or putting items using this memory pool,
- * and it is also used to set or get internal state via the isc_mempool_get*()
- * and isc_mempool_set*() set of functions.
- *
- * Multiple pools can each share a single lock.  For instance, if "manager"
- * type object contained pools for various sizes of events, and each of
- * these pools used a common lock.  Note that this lock must NEVER be used
- * by other than mempool routines once it is given to a pool, since that can
- * easily cause double locking.
- *
- * Requires:
- *
- *\li	mpctpx is a valid pool.
- *
- *\li	lock != NULL.
- *
- *\li	No previous lock is assigned to this pool.
- *
- *\li	The lock is initialized before calling this function via the normal
- *	means of doing that.
- */
-
-/*
- * The following functions get/set various parameters.  Note that due to
- * the unlocked nature of pools these are potentially random values unless
- * the imposed externally provided locking protocols are followed.
- *
- * Also note that the quota limits will not always take immediate effect.
- * For instance, setting "maxalloc" to a number smaller than the currently
- * allocated count is permitted.  New allocations will be refused until
- * the count drops below this threshold.
- *
- * All functions require (in addition to other requirements):
- *	mpctx is a valid memory pool
- */
-
-unsigned int
-isc_mempool_getfreemax(isc_mempool_t *mpctx);
-/*%<
- * Returns the maximum allowed size of the free list.
- */
-
-void
-isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
-/*%<
- * Sets the maximum allowed size of the free list.
- */
-
-unsigned int
-isc_mempool_getfreecount(isc_mempool_t *mpctx);
-/*%<
- * Returns current size of the free list.
- */
-
-unsigned int
-isc_mempool_getmaxalloc(isc_mempool_t *mpctx);
-/*!<
- * Returns the maximum allowed number of allocations.
- */
-
-void
-isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
-/*%<
- * Sets the maximum allowed number of allocations.
- *
- * Additional requirements:
- *\li	limit > 0
- */
-
-unsigned int
-isc_mempool_getallocated(isc_mempool_t *mpctx);
-/*%<
- * Returns the number of items allocated from this pool.
- */
-
-unsigned int
-isc_mempool_getfillcount(isc_mempool_t *mpctx);
-/*%<
- * Returns the number of items allocated as a block from the parent memory
- * context when the free list is empty.
- */
-
-void
-isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
-/*%<
- * Sets the fillcount.
- *
- * Additional requirements:
- *\li	limit > 0
- */
-
-
-/*
- * Pseudo-private functions for use via macros.  Do not call directly.
- */
-void *
-ISCMEMFUNC(get)(isc_mem_t *, size_t _ISC_MEM_FLARG);
-void
-ISCMEMFUNC(putanddetach)(isc_mem_t **, void *, size_t _ISC_MEM_FLARG);
-void
-ISCMEMFUNC(put)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
-void *
-ISCMEMFUNC(allocate)(isc_mem_t *, size_t _ISC_MEM_FLARG);
-void *
-ISCMEMFUNC(reallocate)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
-void
-ISCMEMFUNC(free)(isc_mem_t *, void * _ISC_MEM_FLARG);
-char *
-ISCMEMFUNC(strdup)(isc_mem_t *, const char *_ISC_MEM_FLARG);
-void *
-ISCMEMPOOLFUNC(get)(isc_mempool_t * _ISC_MEM_FLARG);
-void
-ISCMEMPOOLFUNC(put)(isc_mempool_t *, void * _ISC_MEM_FLARG);
-
-#ifdef USE_MEMIMPREGISTER
-
-/*%<
- * See isc_mem_create2() above.
- */
-typedef isc_result_t
-(*isc_memcreatefunc_t)(size_t init_max_size, size_t target_size,
-		       isc_mem_t **ctxp, unsigned int flags);
-
-isc_result_t
-isc_mem_register(isc_memcreatefunc_t createfunc);
-/*%<
- * Register a new memory management implementation and add it to the list of
- * supported implementations.  This function must be called when a different
- * memory management library is used than the one contained in the ISC library.
- */
-
-isc_result_t
-isc__mem_register(void);
-/*%<
- * A short cut function that specifies the memory management module in the ISC
- * library for isc_mem_register().  An application that uses the ISC library
- * usually do not have to care about this function: it would call
- * isc_lib_register(), which internally calls this function.
- */
-#endif /* USE_MEMIMPREGISTER */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_MEM_H */
diff --git a/contrib/bind9/lib/isc/include/isc/msgcat.h b/contrib/bind9/lib/isc/include/isc/msgcat.h
deleted file mode 100644
index fe3d336..0000000
--- a/contrib/bind9/lib/isc/include/isc/msgcat.h
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: msgcat.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_MSGCAT_H
-#define ISC_MSGCAT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/msgcat.h
- * \brief The ISC Message Catalog
- * aids internationalization of applications by allowing
- * messages to be retrieved from locale-specific files instead of
- * hardwiring them into the application.  This allows translations of
- * messages appropriate to the locale to be supplied without recompiling
- * the application.
- *
- * Notes:
- *\li	It's very important that message catalogs work, even if only the
- *	default_text can be used.
- *
- * MP:
- *\li	The caller must ensure appropriate synchronization of
- *	isc_msgcat_open() and isc_msgcat_close().  isc_msgcat_get()
- *	ensures appropriate synchronization.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	TBS
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Methods
- *****/
-
-void
-isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp);
-/*%<
- * Open a message catalog.
- *
- * Notes:
- *
- *\li	If memory cannot be allocated or other failures occur, *msgcatp
- *	will be set to NULL.  If a NULL msgcat is given to isc_msgcat_get(),
- *	the default_text will be returned, ensuring that some message text
- *	will be available, no matter what's going wrong.
- *
- * Requires:
- *
- *\li	'name' is a valid string.
- *
- *\li	msgcatp != NULL && *msgcatp == NULL
- */
-
-void
-isc_msgcat_close(isc_msgcat_t **msgcatp);
-/*%<
- * Close a message catalog.
- *
- * Notes:
- *
- *\li	Any string pointers returned by prior calls to isc_msgcat_get() are
- *	invalid after isc_msgcat_close() has been called and must not be
- *	used.
- *
- * Requires:
- *
- *\li	*msgcatp is a valid message catalog or is NULL.
- *
- * Ensures:
- *
- *\li	All resources associated with the message catalog are released.
- *
- *\li	*msgcatp == NULL
- */
-
-const char *
-isc_msgcat_get(isc_msgcat_t *msgcat, int set, int message,
-	       const char *default_text);
-/*%<
- * Get message 'message' from message set 'set' in 'msgcat'.  If it
- * is not available, use 'default_text'.
- *
- * Requires:
- *
- *\li	'msgcat' is a valid message catalog or is NULL.
- *
- *\li	set > 0
- *
- *\li	message > 0
- *
- *\li	'default_text' is a valid string.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_MSGCAT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/msgs.h b/contrib/bind9/lib/isc/include/isc/msgs.h
deleted file mode 100644
index f780284..0000000
--- a/contrib/bind9/lib/isc/include/isc/msgs.h
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: msgs.h,v 1.19 2009/10/01 23:48:08 tbox Exp $ */
-
-#ifndef ISC_MSGS_H
-#define ISC_MSGS_H 1
-
-/*! \file isc/msgs.h */
-
-#include <isc/lib.h>		/* Provide isc_msgcat global variable. */
-#include <isc/msgcat.h>		/* Provide isc_msgcat_*() functions. */
-
-/*@{*/
-/*!
- * \brief Message sets, named per source file, excepting "GENERAL".
- *
- * IMPORTANT: The original list is alphabetical, but any new sets must
- * be added to the end.
- */
-#define ISC_MSGSET_GENERAL	1
-/*	ISC_RESULT_RESULTSET    2 */     /* XXX */
-/*	ISC_RESULT_UNAVAILABLESET 3 */   /* XXX */
-#define ISC_MSGSET_APP		4
-#define ISC_MSGSET_COMMANDLINE	5
-#define ISC_MSGSET_ENTROPY	6
-#define ISC_MSGSET_IFITERIOCTL	7
-#define ISC_MSGSET_IFITERSYSCTL	8
-#define ISC_MSGSET_LEX		9
-#define ISC_MSGSET_LOG		10
-#define ISC_MSGSET_MEM		11
-#define ISC_MSGSET_NETADDR	12
-#define ISC_MSGSET_PRINT	13
-#define ISC_MSGSET_RESULT	14
-#define ISC_MSGSET_RWLOCK	15
-#define ISC_MSGSET_SOCKADDR	16
-#define ISC_MSGSET_SOCKET	17
-#define ISC_MSGSET_TASK		18
-#define ISC_MSGSET_TIMER	19
-#define ISC_MSGSET_UTIL		20
-#define ISC_MSGSET_IFITERGETIFADDRS 21
-/*@}*/
-
-/*@{*/
-/*!
- * Message numbers
- * are only required to be unique per message set,
- * but are unique throughout the entire catalog to not be as confusing when
- * debugging.
- *
- * The initial numbering was done by multiply by 100 the set number the
- * message appears in then adding the incremental message number.
- */
-#define ISC_MSG_FAILED		101 /*%< "failed" */
-#define ISC_MSG_SUCCEEDED	102 /*%< Compatible with "failed" */
-#define ISC_MSG_SUCCESS		103 /*%< More usual way to say "success" */
-#define ISC_MSG_STARTING	104 /*%< As in "daemon: starting" */
-#define ISC_MSG_STOPING		105 /*%< As in "daemon: stopping" */
-#define ISC_MSG_ENTERING	106 /*%< As in "some_subr: entering" */
-#define ISC_MSG_EXITING		107 /*%< As in "some_subr: exiting" */
-#define ISC_MSG_CALLING		108 /*%< As in "calling some_subr()" */
-#define ISC_MSG_RETURNED	109 /*%< As in "some_subr: returned <foo>" */
-#define ISC_MSG_FATALERROR	110 /*%< "fatal error" */
-#define ISC_MSG_SHUTTINGDOWN	111 /*%< "shutting down" */
-#define ISC_MSG_RUNNING		112 /*%< "running" */
-#define ISC_MSG_WAIT		113 /*%< "wait" */
-#define ISC_MSG_WAITUNTIL	114 /*%< "waituntil" */
-
-#define ISC_MSG_SIGNALSETUP	201 /*%< "handle_signal() %d setup: %s" */
-
-#define ISC_MSG_ILLEGALOPT	301 /*%< "illegal option" */
-#define ISC_MSG_OPTNEEDARG	302 /*%< "option requires an argument" */
-
-#define ISC_MSG_ENTROPYSTATS	401 /*%< "Entropy pool %p:  refcnt %u ..." */
-
-#define ISC_MSG_MAKESCANSOCKET	501 /*%< "making interface scan socket: %s" */
-#define ISC_MSG_GETIFCONFIG	502 /*%< "get interface configuration: %s" */
-#define ISC_MSG_BUFFERMAX	503 /*%< "... maximum buffer size exceeded" */
-#define ISC_MSG_GETDESTADDR	504 /*%< "%s: getting destination address: %s" */
-#define ISC_MSG_GETNETMASK	505 /*%< "%s: getting netmask: %s" */
-
-#define ISC_MSG_GETIFLISTSIZE	601 /*%< "getting interface list size: ..." */
-#define ISC_MSG_GETIFLIST	602 /*%< "getting interface list: ..." */
-#define ISC_MSG_UNEXPECTEDTYPE	603 /*%< "... unexpected ... message type" */
-
-#define ISC_MSG_UNEXPECTEDSTATE	701 /*%< "Unexpected state %d" */
-
-#define ISC_MSG_BADTIME		801 /*%< "Bad 00 99:99:99.999 " */
-#define ISC_MSG_LEVEL		802 /*%< "level %d: " */
-
-#define ISC_MSG_ADDTRACE	901 /*%< "add %p size %u " */
-#define ISC_MSG_DELTRACE	902 /*%< "del %p size %u " */
-#define ISC_MSG_POOLSTATS	903 /*%< "[Pool statistics]\n" */
-#define ISC_MSG_POOLNAME	904 /*%< "name" */
-#define ISC_MSG_POOLSIZE	905 /*%< "size" */
-#define ISC_MSG_POOLMAXALLOC	906 /*%< "maxalloc" */
-#define ISC_MSG_POOLALLOCATED	907 /*%< "allocated" */
-#define ISC_MSG_POOLFREECOUNT	908 /*%< "freecount" */
-#define ISC_MSG_POOLFREEMAX	909 /*%< "freemax" */
-#define ISC_MSG_POOLFILLCOUNT	910 /*%< "fillcount" */
-#define ISC_MSG_POOLGETS	911 /*%< "gets" */
-#define ISC_MSG_DUMPALLOC	912 /*%< "DUMP OF ALL OUTSTANDING MEMORY ..." */
-#define ISC_MSG_NONE		913 /*%< "\tNone.\n" */
-#define ISC_MSG_PTRFILELINE	914 /*%< "\tptr %p file %s line %u\n" */
-
-#define ISC_MSG_UNKNOWNADDR    1001 /*%< "<unknown address, family %u>" */
-
-#define ISC_MSG_NOLONGDBL      1104 /*%< "long doubles are not supported" */
-
-#define ISC_MSG_PRINTLOCK      1201 /*%< "rwlock %p thread %lu ..." */
-#define ISC_MSG_READ	       1202 /*%< "read" */
-#define ISC_MSG_WRITE	       1203 /*%< "write" */
-#define ISC_MSG_READING	       1204 /*%< "reading" */
-#define ISC_MSG_WRITING	       1205 /*%< "writing" */
-#define ISC_MSG_PRELOCK	       1206 /*%< "prelock" */
-#define ISC_MSG_POSTLOCK       1207 /*%< "postlock" */
-#define ISC_MSG_PREUNLOCK      1208 /*%< "preunlock" */
-#define ISC_MSG_POSTUNLOCK     1209 /*%< "postunlock" */
-
-#define ISC_MSG_UNKNOWNFAMILY  1301 /*%< "unknown address family: %d" */
-
-#define ISC_MSG_WRITEFAILED    1401 /*%< "write() failed during watcher ..." */
-#define ISC_MSG_READFAILED     1402 /*%< "read() failed during watcher ... " */
-#define ISC_MSG_PROCESSCMSG    1403 /*%< "processing cmsg %p" */
-#define ISC_MSG_IFRECEIVED     1404 /*%< "interface received on ifindex %u" */
-#define ISC_MSG_SENDTODATA     1405 /*%< "sendto pktinfo data, ifindex %u" */
-#define ISC_MSG_DOIORECV       1406 /*%< "doio_recv: recvmsg(%d) %d bytes ..." */
-#define ISC_MSG_PKTRECV	       1407 /*%< "packet received correctly" */
-#define ISC_MSG_DESTROYING     1408 /*%< "destroying" */
-#define ISC_MSG_CREATED	       1409 /*%< "created" */
-#define ISC_MSG_ACCEPTLOCK     1410 /*%< "internal_accept called, locked ..." */
-#define ISC_MSG_ACCEPTEDCXN    1411 /*%< "accepted connection, new socket %p" */
-#define ISC_MSG_INTERNALRECV   1412 /*%< "internal_recv: task %p got event %p" */
-#define ISC_MSG_INTERNALSEND   1413 /*%< "internal_send: task %p got event %p" */
-#define ISC_MSG_WATCHERMSG     1414 /*%< "watcher got message %d" */
-#define ISC_MSG_SOCKETSREMAIN  1415 /*%< "sockets exist" */
-#define ISC_MSG_PKTINFOPROVIDED	1416 /*%< "pktinfo structure provided, ..." */
-#define ISC_MSG_BOUND	       1417 /*%< "bound" */
-#define ISC_MSG_ACCEPTRETURNED 1418 /*%< accept() returned %d/%s */
-#define ISC_MSG_TOOMANYFDS     1419 /*%< %s: too many open file descriptors */
-#define ISC_MSG_ZEROPORT       1420 /*%< dropping source port zero packet */
-#define ISC_MSG_FILTER	       1421 /*%< setsockopt(SO_ACCEPTFILTER): %s */
-
-#define ISC_MSG_TOOMANYHANDLES 1422 /*%< %s: too many open WSA event handles: %s */
-#define ISC_MSG_POKED          1423 /*%< "poked flags: %d" */
-
-#define ISC_MSG_AWAKE	       1502 /*%< "awake" */
-#define ISC_MSG_WORKING	       1503 /*%< "working" */
-#define ISC_MSG_EXECUTE	       1504 /*%< "execute action" */
-#define ISC_MSG_EMPTY	       1505 /*%< "empty" */
-#define ISC_MSG_DONE	       1506 /*%< "done" */
-#define ISC_MSG_QUANTUM	       1507 /*%< "quantum" */
-
-#define ISC_MSG_SCHEDULE       1601 /*%< "schedule" */
-#define ISC_MSG_SIGNALSCHED    1602 /*%< "signal (schedule)" */
-#define ISC_MSG_SIGNALDESCHED  1603 /*%< "signal (deschedule)" */
-#define ISC_MSG_SIGNALDESTROY  1604 /*%< "signal (destroy)" */
-#define ISC_MSG_IDLERESCHED    1605 /*%< "idle reschedule" */
-#define ISC_MSG_EVENTNOTALLOC  1606 /*%< "couldn't allocate event" */
-#define ISC_MSG_SCHEDFAIL      1607 /*%< "couldn't schedule timer: %u" */
-#define ISC_MSG_POSTING	       1608 /*%< "posting" */
-#define ISC_MSG_WAKEUP	       1609 /*%< "wakeup" */
-
-#define ISC_MSG_LOCK	       1701 /*%< "LOCK" */
-#define ISC_MSG_LOCKING	       1702 /*%< "LOCKING" */
-#define ISC_MSG_LOCKED	       1703 /*%< "LOCKED" */
-#define ISC_MSG_UNLOCKED       1704 /*%< "UNLOCKED" */
-#define ISC_MSG_RWLOCK	       1705 /*%< "RWLOCK" */
-#define ISC_MSG_RWLOCKED       1706 /*%< "RWLOCKED" */
-#define ISC_MSG_RWUNLOCK       1707 /*%< "RWUNLOCK" */
-#define ISC_MSG_BROADCAST      1708 /*%< "BROADCAST" */
-#define ISC_MSG_SIGNAL	       1709 /*%< "SIGNAL" */
-#define ISC_MSG_UTILWAIT       1710 /*%< "WAIT" */
-#define ISC_MSG_WAITED	       1711 /*%< "WAITED" */
-
-#define ISC_MSG_GETIFADDRS     1801 /*%< "getting interface addresses: ..." */
-
-/*@}*/
-
-#endif /* ISC_MSGS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/mutexblock.h b/contrib/bind9/lib/isc/include/isc/mutexblock.h
deleted file mode 100644
index 65bf2bf..0000000
--- a/contrib/bind9/lib/isc/include/isc/mutexblock.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutexblock.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_MUTEXBLOCK_H
-#define ISC_MUTEXBLOCK_H 1
-
-/*! \file isc/mutexblock.h */
-
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_mutexblock_init(isc_mutex_t *block, unsigned int count);
-/*%<
- * Initialize a block of locks.  If an error occurs all initialized locks
- * will be destroyed, if possible.
- *
- * Requires:
- *
- *\li	block != NULL
- *
- *\li	count > 0
- *
- * Returns:
- *
- *\li	Any code isc_mutex_init() can return is a valid return for this
- *	function.
- */
-
-isc_result_t
-isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count);
-/*%<
- * Destroy a block of locks.
- *
- * Requires:
- *
- *\li	block != NULL
- *
- *\li	count > 0
- *
- *\li	Each lock in the block be initialized via isc_mutex_init() or
- * 	the whole block was initialized via isc_mutex_initblock().
- *
- * Returns:
- *
- *\li	Any code isc_mutex_init() can return is a valid return for this
- *	function.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_MUTEXBLOCK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/namespace.h b/contrib/bind9/lib/isc/include/isc/namespace.h
deleted file mode 100644
index f8744d8..0000000
--- a/contrib/bind9/lib/isc/include/isc/namespace.h
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISCAPI_NAMESPACE_H
-#define ISCAPI_NAMESPACE_H 1
-
-/*%
- * name space conversions
- */
-
-#ifdef BIND9
-
-#define isc_app_start isc__app_start
-#define isc_app_ctxstart isc__app_ctxstart
-#define isc_app_onrun isc__app_onrun
-#define isc_app_run isc__app_run
-#define isc_app_ctxrun isc__app_ctxrun
-#define isc_app_shutdown isc__app_shutdown
-#define isc_app_ctxfinish isc__app_ctxfinish
-#define isc_app_ctxshutdown isc__app_ctxshutdown
-#define isc_app_ctxsuspend isc__app_ctxsuspend
-#define isc_app_reload isc__app_reload
-#define isc_app_finish isc__app_finish
-#define isc_app_block isc__app_block
-#define isc_app_unblock isc__app_unblock
-#define isc_appctx_create isc__appctx_create
-#define isc_appctx_destroy isc__appctx_destroy
-#define isc_appctx_settaskmgr isc__appctx_settaskmgr
-#define isc_appctx_setsocketmgr isc__appctx_setsocketmgr
-#define isc_appctx_settimermgr isc__appctx_settimermgr
-
-#define isc_mem_checkdestroyed isc__mem_checkdestroyed
-#define isc_mem_createx isc__mem_createx
-#define isc_mem_createx2 isc__mem_createx2
-#define isc_mem_create isc__mem_create
-#define isc_mem_create2 isc__mem_create2
-#define isc_mem_attach isc__mem_attach
-#define isc_mem_detach isc__mem_detach
-#define isc__mem_putanddetach isc___mem_putanddetach
-#define isc_mem_destroy isc__mem_destroy
-#define isc_mem_ondestroy isc__mem_ondestroy
-#define isc__mem_get isc___mem_get
-#define isc__mem_put isc___mem_put
-#define isc_mem_stats isc__mem_stats
-#define isc__mem_allocate isc___mem_allocate
-#define isc__mem_free isc___mem_free
-#define isc__mem_strdup isc___mem_strdup
-#define isc__mem_reallocate isc___mem_reallocate
-#define isc_mem_references isc__mem_references
-#define isc_mem_setdestroycheck isc__mem_setdestroycheck
-#define isc_mem_setquota isc__mem_setquota
-#define isc_mem_getname isc__mem_getname
-#define isc_mem_getquota isc__mem_getquota
-#define isc_mem_gettag isc__mem_gettag
-#define isc_mem_inuse isc__mem_inuse
-#define isc_mem_isovermem isc__mem_isovermem
-#define isc_mem_setname isc__mem_setname
-#define isc_mem_setwater isc__mem_setwater
-#define isc_mem_printactive isc__mem_printactive
-#define isc_mem_printallactive isc__mem_printallactive
-#define isc_mem_waterack isc__mem_waterack
-#define isc_mempool_create isc__mempool_create
-#define isc_mempool_setname isc__mempool_setname
-#define isc_mempool_destroy isc__mempool_destroy
-#define isc_mempool_associatelock isc__mempool_associatelock
-#define isc__mempool_get isc___mempool_get
-#define isc__mempool_put isc___mempool_put
-#define isc_mempool_setfreemax isc__mempool_setfreemax
-#define isc_mempool_getfreemax isc__mempool_getfreemax
-#define isc_mempool_getfreecount isc__mempool_getfreecount
-#define isc_mempool_setmaxalloc isc__mempool_setmaxalloc
-#define isc_mempool_getmaxalloc isc__mempool_getmaxalloc
-#define isc_mempool_getallocated isc__mempool_getallocated
-#define isc_mempool_setfillcount isc__mempool_setfillcount
-#define isc_mempool_getfillcount isc__mempool_getfillcount
-
-#define isc_socket_create isc__socket_create
-#define isc_socket_dup isc__socket_dup
-#define isc_socket_attach isc__socket_attach
-#define isc_socket_detach isc__socket_detach
-#define isc_socketmgr_create isc__socketmgr_create
-#define isc_socketmgr_create2 isc__socketmgr_create2
-#define isc_socketmgr_destroy isc__socketmgr_destroy
-#define isc_socket_open isc__socket_open
-#define isc_socket_close isc__socket_close
-#define isc_socket_recvv isc__socket_recvv
-#define isc_socket_recv isc__socket_recv
-#define isc_socket_recv2 isc__socket_recv2
-#define isc_socket_send isc__socket_send
-#define isc_socket_sendto isc__socket_sendto
-#define isc_socket_sendv isc__socket_sendv
-#define isc_socket_sendtov isc__socket_sendtov
-#define isc_socket_sendto2 isc__socket_sendto2
-#define isc_socket_cleanunix isc__socket_cleanunix
-#define isc_socket_permunix isc__socket_permunix
-#define isc_socket_bind isc__socket_bind
-#define isc_socket_filter isc__socket_filter
-#define isc_socket_listen isc__socket_listen
-#define isc_socket_accept isc__socket_accept
-#define isc_socket_connect isc__socket_connect
-#define isc_socket_getfd isc__socket_getfd
-#define isc_socket_getname isc__socket_getname
-#define isc_socket_gettag isc__socket_gettag
-#define isc_socket_getpeername isc__socket_getpeername
-#define isc_socket_getsockname isc__socket_getsockname
-#define isc_socket_cancel isc__socket_cancel
-#define isc_socket_gettype isc__socket_gettype
-#define isc_socket_isbound isc__socket_isbound
-#define isc_socket_ipv6only isc__socket_ipv6only
-#define isc_socket_setname isc__socket_setname
-#define isc_socketmgr_getmaxsockets isc__socketmgr_getmaxsockets
-#define isc_socketmgr_setstats isc__socketmgr_setstats
-#define isc_socketmgr_setreserved isc__socketmgr_setreserved
-#define isc__socketmgr_maxudp isc___socketmgr_maxudp
-#define isc_socket_fdwatchcreate isc__socket_fdwatchcreate
-#define isc_socket_fdwatchpoke isc__socket_fdwatchpoke
-
-#define isc_task_create isc__task_create
-#define isc_task_attach isc__task_attach
-#define isc_task_detach isc__task_detach
-/* #define isc_task_exiting isc__task_exiting XXXMPA */
-#define isc_task_send isc__task_send
-#define isc_task_sendanddetach isc__task_sendanddetach
-#define isc_task_purgerange isc__task_purgerange
-#define isc_task_purge isc__task_purge
-#define isc_task_purgeevent isc__task_purgeevent
-#define isc_task_unsendrange isc__task_unsendrange
-#define isc_task_unsend isc__task_unsend
-#define isc_task_onshutdown isc__task_onshutdown
-#define isc_task_shutdown isc__task_shutdown
-#define isc_task_destroy isc__task_destroy
-#define isc_task_setname isc__task_setname
-#define isc_task_getname isc__task_getname
-#define isc_task_gettag isc__task_gettag
-#define isc_task_getcurrenttime isc__task_getcurrenttime
-#define isc_taskmgr_create isc__taskmgr_create
-#define isc_taskmgr_setmode isc__taskmgr_setmode
-#define isc_taskmgr_mode isc__taskmgr_mode
-#define isc_taskmgr_destroy isc__taskmgr_destroy
-#define isc_taskmgr_setexcltask isc__taskmgr_setexcltask
-#define isc_taskmgr_excltask isc__taskmgr_excltask
-#define isc_task_beginexclusive isc__task_beginexclusive
-#define isc_task_endexclusive isc__task_endexclusive
-#define isc_task_setprivilege isc__task_setprivilege
-#define isc_task_privilege isc__task_privilege
-
-#define isc_timer_create isc__timer_create
-#define isc_timer_reset isc__timer_reset
-#define isc_timer_gettype isc__timer_gettype
-#define isc_timer_touch isc__timer_touch
-#define isc_timer_attach isc__timer_attach
-#define isc_timer_detach isc__timer_detach
-#define isc_timermgr_create isc__timermgr_create
-#define isc_timermgr_poke isc__timermgr_poke
-#define isc_timermgr_destroy isc__timermgr_destroy
-
-#endif /* BIND9 */
-
-#endif /* ISCAPI_NAMESPACE_H */
diff --git a/contrib/bind9/lib/isc/include/isc/netaddr.h b/contrib/bind9/lib/isc/include/isc/netaddr.h
deleted file mode 100644
index 954d770..0000000
--- a/contrib/bind9/lib/isc/include/isc/netaddr.h
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netaddr.h,v 1.37 2009/01/17 23:47:43 tbox Exp $ */
-
-#ifndef ISC_NETADDR_H
-#define ISC_NETADDR_H 1
-
-/*! \file isc/netaddr.h */
-
-#include <isc/lang.h>
-#include <isc/net.h>
-#include <isc/types.h>
-
-#ifdef ISC_PLATFORM_HAVESYSUNH
-#include <sys/types.h>
-#include <sys/un.h>
-#endif
-
-ISC_LANG_BEGINDECLS
-
-struct isc_netaddr {
-	unsigned int family;
-	union {
-		struct in_addr in;
-		struct in6_addr in6;
-#ifdef ISC_PLATFORM_HAVESYSUNH
-		char un[sizeof(((struct sockaddr_un *)0)->sun_path)];
-#endif
-	} type;
-	isc_uint32_t zone;
-};
-
-isc_boolean_t
-isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b);
-
-/*%<
- * Compare network addresses 'a' and 'b'.  Return #ISC_TRUE if
- * they are equal, #ISC_FALSE if not.
- */
-
-isc_boolean_t
-isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
-		     unsigned int prefixlen);
-/*%<
- * Compare the 'prefixlen' most significant bits of the network
- * addresses 'a' and 'b'.  If 'b''s scope is zero then 'a''s scope is
- * ignored.  Return #ISC_TRUE if they are equal, #ISC_FALSE if not.
- */
-
-isc_result_t
-isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp);
-/*%<
- * Convert a netmask in 's' into a prefix length in '*lenp'.
- * The mask should consist of zero or more '1' bits in the most
- * most significant part of the address, followed by '0' bits.
- * If this is not the case, #ISC_R_MASKNONCONTIG is returned.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_MASKNONCONTIG
- */
-
-isc_result_t
-isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target);
-/*%<
- * Append a text representation of 'sockaddr' to the buffer 'target'.
- * The text is NOT null terminated.  Handles IPv4 and IPv6 addresses.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOSPACE	The text or the null termination did not fit.
- *\li	#ISC_R_FAILURE	Unspecified failure
- */
-
-void
-isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size);
-/*%<
- * Format a human-readable representation of the network address '*na'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
-
-#define ISC_NETADDR_FORMATSIZE \
-	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS")
-/*%<
- * Minimum size of array to pass to isc_netaddr_format().
- */
-
-void
-isc_netaddr_fromsockaddr(isc_netaddr_t *netaddr, const isc_sockaddr_t *source);
-
-void
-isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina);
-
-void
-isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6);
-
-isc_result_t
-isc_netaddr_frompath(isc_netaddr_t *netaddr, const char *path);
-
-void
-isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone);
-
-isc_uint32_t
-isc_netaddr_getzone(const isc_netaddr_t *netaddr);
-
-void
-isc_netaddr_any(isc_netaddr_t *netaddr);
-/*%<
- * Return the IPv4 wildcard address.
- */
-
-void
-isc_netaddr_any6(isc_netaddr_t *netaddr);
-/*%<
- * Return the IPv6 wildcard address.
- */
-
-isc_boolean_t
-isc_netaddr_ismulticast(isc_netaddr_t *na);
-/*%<
- * Returns ISC_TRUE if the address is a multicast address.
- */
-
-isc_boolean_t
-isc_netaddr_isexperimental(isc_netaddr_t *na);
-/*%<
- * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
- */
-
-isc_boolean_t
-isc_netaddr_islinklocal(isc_netaddr_t *na);
-/*%<
- * Returns #ISC_TRUE if the address is a link local address.
- */
-
-isc_boolean_t
-isc_netaddr_issitelocal(isc_netaddr_t *na);
-/*%<
- * Returns #ISC_TRUE if the address is a site local address.
- */
-
-void
-isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s);
-/*%<
- * Convert an IPv6 v4mapped address into an IPv4 address.
- */
-
-isc_result_t
-isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen);
-/*
- * Test whether the netaddr 'na' and 'prefixlen' are consistant.
- * e.g. prefixlen within range.
- *      na does not have bits set which are not covered by the prefixlen.
- *
- * Returns:
- *	ISC_R_SUCCESS
- *	ISC_R_RANGE		prefixlen out of range
- *	ISC_R_NOTIMPLEMENTED	unsupported family
- *	ISC_R_FAILURE		extra bits.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_NETADDR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/netscope.h b/contrib/bind9/lib/isc/include/isc/netscope.h
deleted file mode 100644
index 163a08c..0000000
--- a/contrib/bind9/lib/isc/include/isc/netscope.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netscope.h,v 1.13 2009/06/25 23:48:02 tbox Exp $ */
-
-#ifndef ISC_NETSCOPE_H
-#define ISC_NETSCOPE_H 1
-
-/*! \file isc/netscope.h */
-
-ISC_LANG_BEGINDECLS
-
-/*%
- * Convert a string of an IPv6 scope zone to zone index.  If the conversion
- * succeeds, 'zoneid' will store the index value.
- *
- * XXXJT: when a standard interface for this purpose is defined,
- * we should use it.
- *
- * Returns:
- * \li	ISC_R_SUCCESS: conversion succeeds
- * \li	ISC_R_FAILURE: conversion fails
- */
-isc_result_t
-isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_NETSCOPE_H */
diff --git a/contrib/bind9/lib/isc/include/isc/ondestroy.h b/contrib/bind9/lib/isc/include/isc/ondestroy.h
deleted file mode 100644
index 64bd643..0000000
--- a/contrib/bind9/lib/isc/include/isc/ondestroy.h
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ondestroy.h,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_ONDESTROY_H
-#define ISC_ONDESTROY_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*! \file isc/ondestroy.h
- * ondestroy handling.
- *
- * Any class ``X'' of objects that wants to send out notifications
- * on its destruction should declare a field of type isc_ondestroy_t
- * (call it 'ondest').
- *
- * \code
- * 	typedef struct {
- * 		...
- * 		isc_ondestroy_t	ondest;
- * 		...
- * 	} X;
- * \endcode
- *
- * When an object ``A'' of type X is created
- * it must initialize the field ondest with a call to
- *
- * \code
- * 	isc_ondestroy_init(&A->ondest).
- * \endcode
- *
- * X should also provide a registration function for third-party
- * objects to call to register their interest in being told about
- * the destruction of a particular instance of X.
- *
- * \code
- *	isc_result_t
- * 	X_ondestroy(X *instance, isc_task_t *task,
- * 		     isc_event_t **eventp) {
- * 		return(isc_ondestroy_register(&instance->ondest, task,eventp));
- * 	}
- * \endcode
- *
- *	Note: locking of the ondestory structure embedded inside of X, is
- * 	X's responsibility.
- *
- * When an instance of X is destroyed, a call to  isc_ondestroy_notify()
- * sends the notifications:
- *
- * \code
- *	X *instance;
- *	isc_ondestroy_t ondest = instance->ondest;
- *
- *	... completely cleanup 'instance' here...
- *
- * 	isc_ondestroy_notify(&ondest, instance);
- * \endcode
- *
- *
- * see lib/dns/zone.c for an ifdef'd-out example.
- */
-
-struct isc_ondestroy {
-	unsigned int magic;
-	isc_eventlist_t events;
-};
-
-void
-isc_ondestroy_init(isc_ondestroy_t *ondest);
-/*%<
- * Initialize the on ondest structure. *must* be called before first call
- * to isc_ondestroy_register().
- */
-
-isc_result_t
-isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
-		       isc_event_t **eventp);
-
-/*%<
- * Stores task and *eventp away inside *ondest.  Ownership of **event is
- * taken from the caller (and *eventp is set to NULL). The task is attached
- * to.
- */
-
-void
-isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender);
-/*%<
- * Dispatches the event(s) to the task(s) that were given in
- * isc_ondestroy_register call(s) (done via calls to
- * isc_task_sendanddetach()).  Before dispatch, the sender value of each
- * event structure is set to the value of the sender paramater. The
- * internal structures of the ondest parameter are cleaned out, so no other
- * cleanup is needed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_ONDESTROY_H */
diff --git a/contrib/bind9/lib/isc/include/isc/os.h b/contrib/bind9/lib/isc/include/isc/os.h
deleted file mode 100644
index 3cf59e2..0000000
--- a/contrib/bind9/lib/isc/include/isc/os.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.h,v 1.12 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_OS_H
-#define ISC_OS_H 1
-
-/*! \file isc/os.h */
-
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-unsigned int
-isc_os_ncpus(void);
-/*%<
- * Return the number of CPUs available on the system, or 1 if this cannot
- * be determined.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_OS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/parseint.h b/contrib/bind9/lib/isc/include/isc/parseint.h
deleted file mode 100644
index 5047676..0000000
--- a/contrib/bind9/lib/isc/include/isc/parseint.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: parseint.h,v 1.9 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_PARSEINT_H
-#define ISC_PARSEINT_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*! \file isc/parseint.h
- * \brief Parse integers, in a saner way than atoi() or strtoul() do.
- */
-
-/***
- ***	Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_parse_uint32(isc_uint32_t *uip, const char *string, int base);
-
-isc_result_t
-isc_parse_uint16(isc_uint16_t *uip, const char *string, int base);
-
-isc_result_t
-isc_parse_uint8(isc_uint8_t *uip, const char *string, int base);
-/*%<
- * Parse the null-terminated string 'string' containing a base 'base'
- * integer, storing the result in '*uip'.  
- * The base is interpreted
- * as in strtoul().  Unlike strtoul(), leading whitespace, minus or
- * plus signs are not accepted, and all errors (including overflow)
- * are reported uniformly through the return value.
- *
- * Requires:
- *\li	'string' points to a null-terminated string
- *\li	0 <= 'base' <= 36
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_BADNUMBER   The string is not numeric (in the given base)
- *\li	#ISC_R_RANGE	  The number is not representable as the requested type.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_PARSEINT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/platform.h.in b/contrib/bind9/lib/isc/include/isc/platform.h.in
deleted file mode 100644
index 03c2710..0000000
--- a/contrib/bind9/lib/isc/include/isc/platform.h.in
+++ /dev/null
@@ -1,367 +0,0 @@
-/*
- * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: platform.h.in,v 1.56 2010/12/18 01:56:23 each Exp $ */
-
-#ifndef ISC_PLATFORM_H
-#define ISC_PLATFORM_H 1
-
-/*! \file */
-
-/*****
- ***** Platform-dependent defines.
- *****/
-
-/***
- *** Network.
- ***/
-
-/*! \brief
- * Define if this system needs the <netinet/in6.h> header file included
- * for full IPv6 support (pretty much only UnixWare).
- */
-@ISC_PLATFORM_NEEDNETINETIN6H@
-
-/*! \brief
- * Define if this system needs the <netinet6/in6.h> header file included
- * to support in6_pkinfo (pretty much only BSD/OS).
- */
-@ISC_PLATFORM_NEEDNETINET6IN6H@
-
-/*! \brief
- * If sockaddrs on this system have an sa_len field, ISC_PLATFORM_HAVESALEN
- * will be defined.
- */
-@ISC_PLATFORM_HAVESALEN@
-
-/*! \brief
- * If this system has the IPv6 structure definitions, ISC_PLATFORM_HAVEIPV6
- * will be defined.
- */
-@ISC_PLATFORM_HAVEIPV6@
-
-/*! \brief
- * If this system is missing in6addr_any, ISC_PLATFORM_NEEDIN6ADDRANY will
- * be defined.
- */
-@ISC_PLATFORM_NEEDIN6ADDRANY@
-
-/*! \brief
- * If this system is missing in6addr_loopback, ISC_PLATFORM_NEEDIN6ADDRLOOPBACK
- * will be defined.
- */
-@ISC_PLATFORM_NEEDIN6ADDRLOOPBACK@
-
-/*! \brief
- * If this system has in6_pktinfo, ISC_PLATFORM_HAVEIN6PKTINFO will be
- * defined.
- */
-@ISC_PLATFORM_HAVEIN6PKTINFO@
-
-/*! \brief
- * If this system has in_addr6, rather than in6_addr, ISC_PLATFORM_HAVEINADDR6
- * will be defined.
- */
-@ISC_PLATFORM_HAVEINADDR6@
-
-/*! \brief
- * If this system has sin6_scope_id, ISC_PLATFORM_HAVESCOPEID will be defined.
- */
-@ISC_PLATFORM_HAVESCOPEID@
-
-/*! \brief
- * If this system needs inet_ntop(), ISC_PLATFORM_NEEDNTOP will be defined.
- */
-@ISC_PLATFORM_NEEDNTOP@
-
-/*! \brief
- * If this system needs inet_pton(), ISC_PLATFORM_NEEDPTON will be defined.
- */
-@ISC_PLATFORM_NEEDPTON@
-
-/*! \brief
- * If this system needs in_port_t, ISC_PLATFORM_NEEDPORTT will be defined.
- */
-@ISC_PLATFORM_NEEDPORTT@
-
-/*! \brief
- * Define if the system has struct lifconf which is a extended struct ifconf
- * for IPv6.
- */
-@ISC_PLATFORM_HAVELIFCONF@
-
-/*! \brief
- * Define if the system has struct if_laddrconf which is a extended struct
- * ifconf for IPv6.
- */
-@ISC_PLATFORM_HAVEIF_LADDRCONF@
-
-/*! \brief
- * Define if the system has struct if_laddrreq.
- */
-@ISC_PLATFORM_HAVEIF_LADDRREQ@
-
-/*! \brief
- * Define either ISC_PLATFORM_BSD44MSGHDR or ISC_PLATFORM_BSD43MSGHDR.
- */
-@ISC_PLATFORM_MSGHDRFLAVOR@
-
-/*! \brief
- * Define if the system supports if_nametoindex.
- */
-@ISC_PLATFORM_HAVEIFNAMETOINDEX@
-
-/*! \brief
- * Define on some UnixWare systems to fix erroneous definitions of various
- * IN6_IS_ADDR_* macros.
- */
-@ISC_PLATFORM_FIXIN6ISADDR@
-
-/*! \brief
- * Define if the system supports kqueue multiplexing
- */
-@ISC_PLATFORM_HAVEKQUEUE@
-
-/*! \brief
- * Define if the system supports epoll multiplexing
- */
-@ISC_PLATFORM_HAVEEPOLL@
-
-/*! \brief
- * Define if the system supports /dev/poll multiplexing
- */
-@ISC_PLATFORM_HAVEDEVPOLL@
-
-/*! \brief
- * Define if we want to log backtrace
- */
-@ISC_PLATFORM_USEBACKTRACE@
-
-/*
- *** Printing.
- ***/
-
-/*! \brief
- * If this system needs vsnprintf() and snprintf(), ISC_PLATFORM_NEEDVSNPRINTF
- * will be defined.
- */
-@ISC_PLATFORM_NEEDVSNPRINTF@
-
-/*! \brief
- * If this system need a modern sprintf() that returns (int) not (char*).
- */
-@ISC_PLATFORM_NEEDSPRINTF@
-
-/*! \brief
- * The printf format string modifier to use with isc_uint64_t values.
- */
-@ISC_PLATFORM_QUADFORMAT@
-
-/***
- *** String functions.
- ***/
-/*
- * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
- */
-@ISC_PLATFORM_NEEDSTRSEP@
-
-/*
- * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
- */
-@ISC_PLATFORM_NEEDSTRLCPY@
-
-/*
- * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
- */
-@ISC_PLATFORM_NEEDSTRLCAT@
-
-/*
- * Define if this system needs strtoul.
- */
-@ISC_PLATFORM_NEEDSTRTOUL@
-
-/*
- * Define if this system needs memmove.
- */
-@ISC_PLATFORM_NEEDMEMMOVE@
-
-/***
- *** Miscellaneous.
- ***/
-
-/*
- * Defined if we are using threads.
- */
-@ISC_PLATFORM_USETHREADS@
-
-/*
- * Defined if unistd.h does not cause fd_set to be delared.
- */
-@ISC_PLATFORM_NEEDSYSSELECTH@
-
-/*
- * Defined to <gssapi.h> or <gssapi/gssapi.h> for how to include
- * the GSSAPI header.
- */
-@ISC_PLATFORM_GSSAPIHEADER@
-
-/*
- * Defined to <gssapi_krb5.h> or <gssapi/gssapi_krb5.h> for how to
- * include the GSSAPI KRB5 header.
- */
-@ISC_PLATFORM_GSSAPI_KRB5_HEADER@
-
-/*
- * Defined to <krb5.h> or <krb5/krb5.h> for how to include
- * the KRB5 header.
- */
-@ISC_PLATFORM_KRB5HEADER@
-
-/*
- * Type used for resource limits.
- */
-@ISC_PLATFORM_RLIMITTYPE@
-
-/*
- * Define if your compiler supports "long long int".
- */
-@ISC_PLATFORM_HAVELONGLONG@
-
-/*
- * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
- * prevent compiler warnings (such as with gcc on Solaris 2.8).
- */
-@ISC_PLATFORM_BRACEPTHREADONCEINIT@
-
-/*
- * Used to control how extern data is linked; needed for Win32 platforms.
- */
-@ISC_PLATFORM_USEDECLSPEC@
-
-/*
- * Define if the platform has <sys/un.h>.
- */
-@ISC_PLATFORM_HAVESYSUNH@
-
-/*
- * If the "xadd" operation is available on this architecture,
- * ISC_PLATFORM_HAVEXADD will be defined.
- */
-@ISC_PLATFORM_HAVEXADD@
-
-/*
- * If the "xaddq" operation (64bit xadd) is available on this architecture,
- * ISC_PLATFORM_HAVEXADDQ will be defined.
- */
-@ISC_PLATFORM_HAVEXADDQ@
-
-/*
- * If the "atomic swap" operation is available on this architecture,
- * ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
- */
-@ISC_PLATFORM_HAVEATOMICSTORE@
-
-/*
- * If the "compare-and-exchange" operation is available on this architecture,
- * ISC_PLATFORM_HAVECMPXCHG will be defined.
- */
-@ISC_PLATFORM_HAVECMPXCHG@
-
-/*
- * Define if gcc ASM extension is available
- */
-@ISC_PLATFORM_USEGCCASM@
-
-/*
- * Define if Tru64 style ASM syntax must be used.
- */
-@ISC_PLATFORM_USEOSFASM@
-
-/*
- * Define if the standard __asm function must be used.
- */
-@ISC_PLATFORM_USESTDASM@
-
-/*
- * Define if the platform has <strings.h>.
- */
-@ISC_PLATFORM_HAVESTRINGSH@
-
-/*
- * Define if the hash functions must be provided by OpenSSL.
- */
-@ISC_PLATFORM_OPENSSLHASH@
-
-/*
- * Defines for the noreturn attribute.
- */
-@ISC_PLATFORM_NORETURN_PRE@
-@ISC_PLATFORM_NORETURN_POST@
-
-/***
- ***	Windows dll support.
- ***/
-
-/*
- * Define if MacOS style of PPC assembly must be used.
- * e.g. "r6", not "6", for register six.
- */
-@ISC_PLATFORM_USEMACASM@
-
-#ifndef ISC_PLATFORM_USEDECLSPEC
-#define LIBISC_EXTERNAL_DATA
-#define LIBDNS_EXTERNAL_DATA
-#define LIBISCCC_EXTERNAL_DATA
-#define LIBISCCFG_EXTERNAL_DATA
-#define LIBBIND9_EXTERNAL_DATA
-#else /*! \brief ISC_PLATFORM_USEDECLSPEC */
-#ifdef LIBISC_EXPORTS
-#define LIBISC_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBISC_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBDNS_EXPORTS
-#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBISCCC_EXPORTS
-#define LIBISCCC_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBISCCC_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBISCCFG_EXPORTS
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBBIND9_EXPORTS
-#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#endif /*! \brief ISC_PLATFORM_USEDECLSPEC */
-
-/*
- * Tell emacs to use C mode for this file.
- *
- * Local Variables:
- * mode: c
- * End:
- */
-
-#endif /* ISC_PLATFORM_H */
diff --git a/contrib/bind9/lib/isc/include/isc/pool.h b/contrib/bind9/lib/isc/include/isc/pool.h
deleted file mode 100644
index 7b33c37..0000000
--- a/contrib/bind9/lib/isc/include/isc/pool.h
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef ISC_OBJPOOL_H
-#define ISC_OBJPOOL_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/pool.h
- * \brief An object pool is a mechanism for sharing a small pool of
- * fungible objects among a large number of objects that depend on them.
- *
- * This is useful, for example, when it causes performance problems for
- * large number of zones to share a single memory context or task object,
- * but it would create a different set of problems for them each to have an
- * independent task or memory context.
- */
-
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isc/mem.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types.
- *****/
-
-typedef void
-(*isc_pooldeallocator_t)(void **object);
-
-typedef isc_result_t
-(*isc_poolinitializer_t)(void **target, void *arg);
-
-typedef struct isc_pool isc_pool_t;
-
-/*****
- ***** Functions.
- *****/
-
-isc_result_t
-isc_pool_create(isc_mem_t *mctx, unsigned int count,
-		isc_pooldeallocator_t free,
-		isc_poolinitializer_t init, void *initarg,
-		isc_pool_t **poolp);
-/*%<
- * Create a pool of "count" object pointers. If 'free' is not NULL,
- * it points to a function that will detach the objects.  'init'
- * points to a function that will initialize the arguments, and
- * 'arg' to an argument to be passed into that function (for example,
- * a relevant manager or context object).
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	init != NULL
- *
- *\li	poolp != NULL && *poolp == NULL
- *
- * Ensures:
- *
- *\li	On success, '*poolp' points to the new object pool.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- */
-
-void *
-isc_pool_get(isc_pool_t *pool);
-/*%<
- * Returns a pointer to an object from the pool. Currently the object
- * is chosen from the pool at random.  (This may be changed in the future
- * to something that guaratees balance.)
- */
-
-int
-isc_pool_count(isc_pool_t *pool);
-/*%<
- * Returns the number of objcts in the pool 'pool'.
- */
-
-isc_result_t
-isc_pool_expand(isc_pool_t **sourcep, unsigned int count, isc_pool_t **targetp);
-
-/*%<
- * If 'size' is larger than the number of objects in the pool pointed to by
- * 'sourcep', then a new pool of size 'count' is allocated, the existing
- * objects are copied into it, additional ones created to bring the
- * total number up to 'count', and the resulting pool is attached to
- * 'targetp'.
- *
- * If 'count' is less than or equal to the number of objects in 'source', then
- * 'sourcep' is attached to 'targetp' without any other action being taken.
- *
- * In either case, 'sourcep' is detached.
- *
- * Requires:
- *
- * \li	'sourcep' is not NULL and '*source' is not NULL
- * \li	'targetp' is not NULL and '*source' is NULL
- *
- * Ensures:
- *
- * \li	On success, '*targetp' points to a valid task pool.
- * \li	On success, '*sourcep' points to NULL.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- */
-
-void
-isc_pool_destroy(isc_pool_t **poolp);
-/*%<
- * Destroy a task pool.  The tasks in the pool are detached but not
- * shut down.
- *
- * Requires:
- * \li	'*poolp' is a valid task pool.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_OBJPOOL_H */
diff --git a/contrib/bind9/lib/isc/include/isc/portset.h b/contrib/bind9/lib/isc/include/isc/portset.h
deleted file mode 100644
index 774d6bb..0000000
--- a/contrib/bind9/lib/isc/include/isc/portset.h
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: portset.h,v 1.6 2009/06/25 05:28:34 marka Exp $ */
-
-/*! \file isc/portset.h
- * \brief Transport Protocol Port Manipulation Module
- *
- * This module provides simple utilities to handle a set of transport protocol
- * (UDP or TCP) port numbers, e.g., for creating an ACL list.  An isc_portset_t
- * object is an opaque instance of a port set, for which the user can add or
- * remove a specific port or a range of consecutive ports.  This object is
- * expected to be used as a temporary work space only, and does not protect
- * simultaneous access from multiple threads.  Therefore it must not be stored
- * in a place that can be accessed from multiple threads.
- */
-
-#ifndef ISC_PORTSET_H
-#define ISC_PORTSET_H 1
-
-/***
- ***	Imports
- ***/
-
-#include <isc/net.h>
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_portset_create(isc_mem_t *mctx, isc_portset_t **portsetp);
-/*%<
- * Create a port set and initialize it as an empty set.
- *
- * Requires:
- *\li	'mctx' to be valid.
- *\li	'portsetp' to be non NULL and '*portsetp' to be NULL;
- *
- * Returns:
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- */
-
-void
-isc_portset_destroy(isc_mem_t *mctx, isc_portset_t **portsetp);
-/*%<
- * Destroy a port set.
- *
- * Requires:
- *\li	'mctx' to be valid and must be the same context given when the port set
- *       was created.
- *\li	'*portsetp' to be a valid set.
- */
-
-isc_boolean_t
-isc_portset_isset(isc_portset_t *portset, in_port_t port);
-/*%<
- * Test whether the given port is stored in the portset.
- *
- * Requires:
- *\li	'portset' to be a valid set.
- *
- * Returns
- * \li	#ISC_TRUE if the port is found, ISC_FALSE otherwise.
- */
-
-unsigned int
-isc_portset_nports(isc_portset_t *portset);
-/*%<
- * Provides the number of ports stored in the given portset.
- *
- * Requires:
- *\li	'portset' to be a valid set.
- *
- * Returns
- * \li	the number of ports stored in portset.
- */
-
-void
-isc_portset_add(isc_portset_t *portset, in_port_t port);
-/*%<
- * Add the given port to the portset.  The port may or may not be stored in
- * the portset.
- *
- * Requires:
- *\li	'portlist' to be valid.
- */
-
-void
-isc_portset_remove(isc_portset_t *portset, in_port_t port);
-/*%<
- * Remove the given port to the portset.  The port may or may not be stored in
- * the portset.
- *
- * Requires:
- *\li	'portlist' to be valid.
- */
-
-void
-isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
-		     in_port_t port_hi);
-/*%<
- * Add a subset of [port_lo, port_hi] (inclusive) to the portset.  Ports in the
- * subset may or may not be stored in portset.
- *
- * Requires:
- *\li	'portlist' to be valid.
- *\li	port_lo <= port_hi
- */
-
-void
-isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
-			in_port_t port_hi);
-/*%<
- * Subtract a subset of [port_lo, port_hi] (inclusive) from the portset.  Ports
- * in the subset may or may not be stored in portset.
- *
- * Requires:
- *\li	'portlist' to be valid.
- *\li	port_lo <= port_hi
- */
-
-ISC_LANG_ENDDECLS
-
-#endif	/* ISC_PORTSET_H */
diff --git a/contrib/bind9/lib/isc/include/isc/print.h b/contrib/bind9/lib/isc/include/isc/print.h
deleted file mode 100644
index cd1e38e..0000000
--- a/contrib/bind9/lib/isc/include/isc/print.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: print.h,v 1.26 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_PRINT_H
-#define ISC_PRINT_H 1
-
-/*! \file isc/print.h */
-
-/***
- *** Imports
- ***/
-
-#include <isc/formatcheck.h>    /* Required for ISC_FORMAT_PRINTF() macro. */
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-/*!
- * This block allows lib/isc/print.c to be cleanly compiled even if
- * the platform does not need it.  The standard Makefile will still
- * not compile print.c or archive print.o, so this is just to make test
- * compilation ("make print.o") easier.
- */
-#if !defined(ISC_PLATFORM_NEEDVSNPRINTF) && defined(ISC__PRINT_SOURCE)
-#define ISC_PLATFORM_NEEDVSNPRINTF
-#endif
-
-#if !defined(ISC_PLATFORM_NEEDSPRINTF) && defined(ISC__PRINT_SOURCE)
-#define ISC_PLATFORM_NEEDSPRINTF
-#endif
-
-/***
- *** Macros
- ***/
-#define ISC_PRINT_QUADFORMAT ISC_PLATFORM_QUADFORMAT
-
-/***
- *** Functions
- ***/
-
-#ifdef ISC_PLATFORM_NEEDVSNPRINTF
-#include <stdarg.h>
-#include <stddef.h>
-#endif
-#ifdef ISC_PLATFORM_NEEDSPRINTF
-#include <stdio.h>
-#endif
-
-
-ISC_LANG_BEGINDECLS
-
-#ifdef ISC_PLATFORM_NEEDVSNPRINTF
-int
-isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
-     ISC_FORMAT_PRINTF(3, 0);
-#define vsnprintf isc_print_vsnprintf
-
-int
-isc_print_snprintf(char *str, size_t size, const char *format, ...)
-     ISC_FORMAT_PRINTF(3, 4);
-#define snprintf isc_print_snprintf
-#endif /* ISC_PLATFORM_NEEDVSNPRINTF */
-
-#ifdef ISC_PLATFORM_NEEDSPRINTF
-int
-isc_print_sprintf(char *str, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
-#define sprintf isc_print_sprintf
-#endif
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_PRINT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/queue.h b/contrib/bind9/lib/isc/include/isc/queue.h
deleted file mode 100644
index 1cc6c12..0000000
--- a/contrib/bind9/lib/isc/include/isc/queue.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*
- * This is a generic implementation of a two-lock concurrent queue.
- * There are built-in mutex locks for the head and tail of the queue,
- * allowing elements to be safely added and removed at the same time.
- *
- * NULL is "end of list"
- * -1 is "not linked"
- */
-
-#ifndef ISC_QUEUE_H
-#define ISC_QUEUE_H 1
-#include <isc/assertions.h>
-#include <isc/boolean.h>
-#include <isc/mutex.h>
-
-#ifdef ISC_QUEUE_CHECKINIT
-#define ISC_QLINK_INSIST(x) ISC_INSIST(x)
-#else
-#define ISC_QLINK_INSIST(x) (void)0
-#endif
-
-#define ISC_QLINK(type) struct { type *prev, *next; }
-
-#define ISC_QLINK_INIT(elt, link) \
-	do { \
-		(elt)->link.next = (elt)->link.prev = (void *)(-1); \
-	} while(0)
-
-#define ISC_QLINK_LINKED(elt, link) ((void*)(elt)->link.next != (void*)(-1))
-
-#define ISC_QUEUE(type) struct { \
-	type *head, *tail; \
-	isc_mutex_t headlock, taillock; \
-}
-
-#define ISC_QUEUE_INIT(queue, link) \
-	do { \
-		(void) isc_mutex_init(&(queue).taillock); \
-		(void) isc_mutex_init(&(queue).headlock); \
-		(queue).tail = (queue).head = NULL; \
-	} while (0)
-
-#define ISC_QUEUE_EMPTY(queue) ISC_TF((queue).head == NULL)
-
-#define ISC_QUEUE_DESTROY(queue) \
-	do { \
-		ISC_QLINK_INSIST(ISC_QUEUE_EMPTY(queue)); \
-		(void) isc_mutex_destroy(&(queue).taillock); \
-		(void) isc_mutex_destroy(&(queue).headlock); \
-	} while (0)
-
-/*
- * queues are meant to separate the locks at either end.  For best effect, that
- * means keeping the ends separate - i.e. non-empty queues work best.
- *
- * a push to an empty queue has to take the pop lock to update
- * the pop side of the queue.
- * Popping the last entry has to take the push lock to update
- * the push side of the queue.
- *
- * The order is (pop, push), because a pop is presumably in the
- * latency path and a push is when we're done.
- *
- * We do an MT hot test in push to see if we need both locks, so we can
- * acquire them in order.  Hopefully that makes the case where we get
- * the push lock and find we need the pop lock (and have to release it) rare.
- *
- * > 1 entry - no collision, push works on one end, pop on the other
- *   0 entry - headlock race
- *     pop wins - return(NULL), push adds new as both head/tail
- *     push wins - updates head/tail, becomes 1 entry case.
- *   1 entry - taillock race
- *     pop wins - return(pop) sets head/tail NULL, becomes 0 entry case
- *     push wins - updates {head,tail}->link.next, pop updates head
- *                 with new ->link.next and doesn't update tail
- *
- */
-#define ISC_QUEUE_PUSH(queue, elt, link) \
-	do { \
-		isc_boolean_t headlocked = ISC_FALSE; \
-		ISC_QLINK_INSIST(!ISC_QLINK_LINKED(elt, link)); \
-		if ((queue).head == NULL) { \
-			LOCK(&(queue).headlock); \
-			headlocked = ISC_TRUE; \
-		} \
-		LOCK(&(queue).taillock); \
-		if ((queue).tail == NULL && !headlocked) { \
-			UNLOCK(&(queue).taillock); \
-			LOCK(&(queue).headlock); \
-			LOCK(&(queue).taillock); \
-			headlocked = ISC_TRUE; \
-		} \
-		(elt)->link.prev = (queue).tail; \
-		(elt)->link.next = NULL; \
-		if ((queue).tail != NULL) \
-			(queue).tail->link.next = (elt); \
-		(queue).tail = (elt); \
-		UNLOCK(&(queue).taillock); \
-		if (headlocked) { \
-			if ((queue).head == NULL) \
-				(queue).head = (elt); \
-			UNLOCK(&(queue).headlock); \
-		} \
-	} while (0)
-
-#define ISC_QUEUE_POP(queue, link, ret) \
-	do { \
-		LOCK(&(queue).headlock); \
-		ret = (queue).head; \
-		while (ret != NULL) { \
-			if (ret->link.next == NULL) { \
-				LOCK(&(queue).taillock); \
-				if (ret->link.next == NULL) { \
-					(queue).head = (queue).tail = NULL; \
-					UNLOCK(&(queue).taillock); \
-					break; \
-				}\
-				UNLOCK(&(queue).taillock); \
-			} \
-			(queue).head = ret->link.next; \
-			(queue).head->link.prev = NULL; \
-			break; \
-		} \
-		UNLOCK(&(queue).headlock); \
-		if (ret != NULL) \
-			(ret)->link.next = (ret)->link.prev = (void *)(-1); \
-	} while(0)
-
-#define ISC_QUEUE_UNLINK(queue, elt, link) \
-	do { \
-		ISC_QLINK_INSIST(ISC_QLINK_LINKED(elt, link)); \
-		LOCK(&(queue).headlock); \
-		LOCK(&(queue).taillock); \
-		if ((elt)->link.prev == NULL) \
-			(queue).head = (elt)->link.next; \
-		else \
-			(elt)->link.prev->link.next = (elt)->link.next; \
-		if ((elt)->link.next == NULL) \
-			(queue).tail = (elt)->link.prev; \
-		else \
-			(elt)->link.next->link.prev = (elt)->link.prev; \
-		UNLOCK(&(queue).taillock); \
-		UNLOCK(&(queue).headlock); \
-		(elt)->link.next = (elt)->link.prev = (void *)(-1); \
-	} while(0)
-
-#endif /* ISC_QUEUE_H */
diff --git a/contrib/bind9/lib/isc/include/isc/quota.h b/contrib/bind9/lib/isc/include/isc/quota.h
deleted file mode 100644
index 7b0d0d9..0000000
--- a/contrib/bind9/lib/isc/include/isc/quota.h
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: quota.h,v 1.16 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_QUOTA_H
-#define ISC_QUOTA_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/quota.h
- *
- * \brief The isc_quota_t object is a simple helper object for implementing
- * quotas on things like the number of simultaneous connections to
- * a server.  It keeps track of the amount of quota in use, and
- * encapsulates the locking necessary to allow multiple tasks to
- * share a quota.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/types.h>
-
-/*****
- ***** Types.
- *****/
-
-ISC_LANG_BEGINDECLS
-
-/*% isc_quota structure */
-struct isc_quota {
-	isc_mutex_t	lock; /*%< Locked by lock. */
-	int 		max;
-	int 		used;
-	int		soft;
-};
-
-isc_result_t
-isc_quota_init(isc_quota_t *quota, int max);
-/*%<
- * Initialize a quota object.
- *
- * Returns:
- * 	ISC_R_SUCCESS
- *	Other error	Lock creation failed.
- */
-
-void
-isc_quota_destroy(isc_quota_t *quota);
-/*%<
- * Destroy a quota object.
- */
-
-void
-isc_quota_soft(isc_quota_t *quota, int soft);
-/*%<
- * Set a soft quota.
- */
-
-void
-isc_quota_max(isc_quota_t *quota, int max);
-/*%<
- * Re-set a maximum quota.
- */
-
-isc_result_t
-isc_quota_reserve(isc_quota_t *quota);
-/*%<
- * Attempt to reserve one unit of 'quota'.
- *
- * Returns:
- * \li 	#ISC_R_SUCCESS		Success
- * \li	#ISC_R_SOFTQUOTA	Success soft quota reached
- * \li	#ISC_R_QUOTA		Quota is full
- */
-
-void
-isc_quota_release(isc_quota_t *quota);
-/*%<
- * Release one unit of quota.
- */
-
-isc_result_t
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
-/*%<
- * Like isc_quota_reserve, and also attaches '*p' to the
- * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
- */
-
-void
-isc_quota_detach(isc_quota_t **p);
-/*%<
- * Like isc_quota_release, and also detaches '*p' from the
- * quota.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_QUOTA_H */
diff --git a/contrib/bind9/lib/isc/include/isc/radix.h b/contrib/bind9/lib/isc/include/isc/radix.h
deleted file mode 100644
index 47512c7..0000000
--- a/contrib/bind9/lib/isc/include/isc/radix.h
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * Copyright (C) 2007, 2008, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: radix.h,v 1.13 2008/12/01 23:47:45 tbox Exp $ */
-
-/*
- * This source was adapted from MRT's RCS Ids:
- * Id: radix.h,v 1.6 1999/08/03 03:32:53 masaki Exp
- * Id: mrt.h,v 1.57.2.6 1999/12/28 23:41:27 labovit Exp
- * Id: defs.h,v 1.5.2.2 2000/01/15 14:19:16 masaki Exp
- */
-
-#include <isc/magic.h>
-#include <isc/types.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
-#include <isc/refcount.h>
-
-#include <string.h>
-
-#ifndef _RADIX_H
-#define _RADIX_H
-
-#define NETADDR_TO_PREFIX_T(na,pt,bits) \
-	do { \
-		memset(&(pt), 0, sizeof(pt)); \
-		if((na) != NULL) { \
-			(pt).family = (na)->family; \
-			(pt).bitlen = (bits); \
-			if ((pt).family == AF_INET6) { \
-				memcpy(&(pt).add.sin6, &(na)->type.in6, \
-				       ((bits)+7)/8); \
-			} else \
-				memcpy(&(pt).add.sin, &(na)->type.in, \
-				       ((bits)+7)/8); \
-		} else { \
-			(pt).family = AF_UNSPEC; \
-			(pt).bitlen = 0; \
-		} \
-		isc_refcount_init(&(pt).refcount, 0); \
-	} while(0)
-
-typedef struct isc_prefix {
-	isc_mem_t *mctx;
-	unsigned int family;	/* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
-	unsigned int bitlen;	/* 0 for "any" */
-	isc_refcount_t refcount;
-	union {
-		struct in_addr sin;
-		struct in6_addr sin6;
-	} add;
-} isc_prefix_t;
-
-typedef void (*isc_radix_destroyfunc_t)(void *);
-typedef void (*isc_radix_processfunc_t)(isc_prefix_t *, void **);
-
-#define isc_prefix_tochar(prefix) ((char *)&(prefix)->add.sin)
-#define isc_prefix_touchar(prefix) ((u_char *)&(prefix)->add.sin)
-
-#define BIT_TEST(f, b)  ((f) & (b))
-
-/*
- * We need "first match" when we search the radix tree to preserve
- * compatibility with the existing ACL implementation. Radix trees
- * naturally lend themselves to "best match". In order to get "first match"
- * behavior, we keep track of the order in which entries are added to the
- * tree--and when a search is made, we find all matching entries, and
- * return the one that was added first.
- *
- * An IPv4 prefix and an IPv6 prefix may share a radix tree node if they
- * have the same length and bit pattern (e.g., 127/8 and 7f::/8).  To
- * disambiguate between them, node_num and data are two-element arrays;
- * node_num[0] and data[0] are used for IPv4 addresses, node_num[1]
- * and data[1] for IPv6 addresses.  The only exception is a prefix of
- * 0/0 (aka "any" or "none"), which is always stored as IPv4 but matches
- * IPv6 addresses too.
- */
-
-#define ISC_IS6(family) ((family) == AF_INET6 ? 1 : 0)
-typedef struct isc_radix_node {
-	isc_mem_t *mctx;
-	isc_uint32_t bit;		/* bit length of the prefix */
-	isc_prefix_t *prefix;		/* who we are in radix tree */
-	struct isc_radix_node *l, *r;	/* left and right children */
-	struct isc_radix_node *parent;	/* may be used */
-	void *data[2];			/* pointers to IPv4 and IPV6 data */
-	int node_num[2];		/* which node this was in the tree,
-					   or -1 for glue nodes */
-} isc_radix_node_t;
-
-#define RADIX_TREE_MAGIC         ISC_MAGIC('R','d','x','T');
-#define RADIX_TREE_VALID(a)      ISC_MAGIC_VALID(a, RADIX_TREE_MAGIC);
-
-typedef struct isc_radix_tree {
-	unsigned int magic;
-	isc_mem_t *mctx;
-	isc_radix_node_t *head;
-	isc_uint32_t maxbits;		/* for IP, 32 bit addresses */
-	int num_active_node;		/* for debugging purposes */
-	int num_added_node;		/* total number of nodes */
-} isc_radix_tree_t;
-
-isc_result_t
-isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target,
-		 isc_prefix_t *prefix);
-/*%<
- * Search 'radix' for the best match to 'prefix'.
- * Return the node found in '*target'.
- *
- * Requires:
- * \li	'radix' to be valid.
- * \li	'target' is not NULL and "*target" is NULL.
- * \li	'prefix' to be valid.
- *
- * Returns:
- * \li	ISC_R_NOTFOUND
- * \li	ISC_R_SUCCESS
- */
-
-isc_result_t
-isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target,
-		 isc_radix_node_t *source, isc_prefix_t *prefix);
-/*%<
- * Insert 'source' or 'prefix' into the radix tree 'radix'.
- * Return the node added in 'target'.
- *
- * Requires:
- * \li	'radix' to be valid.
- * \li	'target' is not NULL and "*target" is NULL.
- * \li	'prefix' to be valid or 'source' to be non NULL and contain
- *	a valid prefix.
- *
- * Returns:
- * \li	ISC_R_NOMEMORY
- * \li	ISC_R_SUCCESS
- */
-
-void
-isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node);
-/*%<
- * Remove the node 'node' from the radix tree 'radix'.
- *
- * Requires:
- * \li	'radix' to be valid.
- * \li	'node' to be valid.
- */
-
-isc_result_t
-isc_radix_create(isc_mem_t *mctx, isc_radix_tree_t **target, int maxbits);
-/*%<
- * Create a radix tree with a maximum depth of 'maxbits';
- *
- * Requires:
- * \li	'mctx' to be valid.
- * \li	'target' to be non NULL and '*target' to be NULL.
- * \li	'maxbits' to be less than or equal to RADIX_MAXBITS.
- *
- * Returns:
- * \li	ISC_R_NOMEMORY
- * \li	ISC_R_SUCCESS
- */
-
-void
-isc_radix_destroy(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func);
-/*%<
- * Destroy a radix tree optionally calling 'func' to clean up node data.
- *
- * Requires:
- * \li	'radix' to be valid.
- */
-
-void
-isc_radix_process(isc_radix_tree_t *radix, isc_radix_processfunc_t func);
-/*%<
- * Walk a radix tree calling 'func' to process node data.
- *
- * Requires:
- * \li	'radix' to be valid.
- * \li	'func' to point to a function.
- */
-
-#define RADIX_MAXBITS 128
-#define RADIX_NBIT(x)        (0x80 >> ((x) & 0x7f))
-#define RADIX_NBYTE(x)       ((x) >> 3)
-
-#define RADIX_DATA_GET(node, type) (type *)((node)->data)
-#define RADIX_DATA_SET(node, value) ((node)->data = (void *)(value))
-
-#define RADIX_WALK(Xhead, Xnode) \
-    do { \
-	isc_radix_node_t *Xstack[RADIX_MAXBITS+1]; \
-	isc_radix_node_t **Xsp = Xstack; \
-	isc_radix_node_t *Xrn = (Xhead); \
-	while ((Xnode = Xrn)) { \
-	    if (Xnode->prefix)
-
-#define RADIX_WALK_ALL(Xhead, Xnode) \
-do { \
-	isc_radix_node_t *Xstack[RADIX_MAXBITS+1]; \
-	isc_radix_node_t **Xsp = Xstack; \
-	isc_radix_node_t *Xrn = (Xhead); \
-	while ((Xnode = Xrn)) { \
-	    if (1)
-
-#define RADIX_WALK_BREAK { \
-	    if (Xsp != Xstack) { \
-		Xrn = *(--Xsp); \
-	     } else { \
-		Xrn = (radix_node_t *) 0; \
-	    } \
-	    continue; }
-
-#define RADIX_WALK_END \
-	    if (Xrn->l) { \
-		if (Xrn->r) { \
-		    *Xsp++ = Xrn->r; \
-		} \
-		Xrn = Xrn->l; \
-	    } else if (Xrn->r) { \
-		Xrn = Xrn->r; \
-	    } else if (Xsp != Xstack) { \
-		Xrn = *(--Xsp); \
-	    } else { \
-		Xrn = (isc_radix_node_t *) 0; \
-	    } \
-	} \
-    } while (0)
-
-#endif /* _RADIX_H */
diff --git a/contrib/bind9/lib/isc/include/isc/random.h b/contrib/bind9/lib/isc/include/isc/random.h
deleted file mode 100644
index 1f9572d..0000000
--- a/contrib/bind9/lib/isc/include/isc/random.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
-
-#ifndef ISC_RANDOM_H
-#define ISC_RANDOM_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*! \file isc/random.h
- * \brief Implements a random state pool which will let the caller return a
- * series of possibly non-reproducible random values.
- *
- * Note that the
- * strength of these numbers is not all that high, and should not be
- * used in cryptography functions.  It is useful for jittering values
- * a bit here and there, such as timeouts, etc.
- */
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_random_seed(isc_uint32_t seed);
-/*%<
- * Set the initial seed of the random state.
- */
-
-void
-isc_random_get(isc_uint32_t *val);
-/*%<
- * Get a random value.
- *
- * Requires:
- *	val != NULL.
- */
-
-isc_uint32_t
-isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter);
-/*%<
- * Get a random value between (max - jitter) and (max).
- * This is useful for jittering timer values.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RANDOM_H */
diff --git a/contrib/bind9/lib/isc/include/isc/ratelimiter.h b/contrib/bind9/lib/isc/include/isc/ratelimiter.h
deleted file mode 100644
index 00a7209..0000000
--- a/contrib/bind9/lib/isc/include/isc/ratelimiter.h
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ratelimiter.h,v 1.23 2009/01/18 23:48:14 tbox Exp $ */
-
-#ifndef ISC_RATELIMITER_H
-#define ISC_RATELIMITER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/ratelimiter.h
- * \brief A rate limiter is a mechanism for dispatching events at a limited
- * rate.  This is intended to be used when sending zone maintenance
- * SOA queries, NOTIFY messages, etc.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Functions.
- *****/
-
-isc_result_t
-isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
-		       isc_task_t *task, isc_ratelimiter_t **ratelimiterp);
-/*%<
- * Create a rate limiter.  The execution interval is initially undefined.
- */
-
-isc_result_t
-isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval);
-/*!<
- * Set the minimum interval between event executions.
- * The interval value is copied, so the caller need not preserve it.
- *
- * Requires:
- *	'*interval' is a nonzero interval.
- */
-
-void
-isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t perint);
-/*%<
- * Set the number of events processed per interval timer tick.
- * If 'perint' is zero it is treated as 1.
- */
-
-isc_result_t
-isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
-			isc_event_t **eventp);
-/*%<
- * Queue an event for rate-limited execution.
- *
- * This is similar
- * to doing an isc_task_send() to the 'task', except that the
- * execution may be delayed to achieve the desired rate of
- * execution.
- *
- * '(*eventp)->ev_sender' is used to hold the task.  The caller
- * must ensure that the task exists until the event is delivered.
- *
- * Requires:
- *\li	An interval has been set by calling
- *	isc_ratelimiter_setinterval().
- *
- *\li	'task' to be non NULL.
- *\li	'(*eventp)->ev_sender' to be NULL.
- */
-
-void
-isc_ratelimiter_shutdown(isc_ratelimiter_t *ratelimiter);
-/*%<
- * Shut down a rate limiter.
- *
- * Ensures:
- *\li	All events that have not yet been
- * 	dispatched to the task are dispatched immediately with
- *	the #ISC_EVENTATTR_CANCELED bit set in ev_attributes.
- *
- *\li	Further attempts to enqueue events will fail with
- * 	#ISC_R_SHUTTINGDOWN.
- *
- *\li	The rate limiter is no longer attached to its task.
- */
-
-void
-isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target);
-/*%<
- * Attach to a rate limiter.
- */
-
-void
-isc_ratelimiter_detach(isc_ratelimiter_t **ratelimiterp);
-/*%<
- * Detach from a rate limiter.
- */
-
-isc_result_t
-isc_ratelimiter_stall(isc_ratelimiter_t *rl);
-/*%<
- * Stall event processing.
- */
-
-isc_result_t
-isc_ratelimiter_release(isc_ratelimiter_t *rl);
-/*%<
- * Release a stalled rate limiter.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RATELIMITER_H */
diff --git a/contrib/bind9/lib/isc/include/isc/refcount.h b/contrib/bind9/lib/isc/include/isc/refcount.h
deleted file mode 100644
index b72b158..0000000
--- a/contrib/bind9/lib/isc/include/isc/refcount.h
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: refcount.h,v 1.17 2009/09/29 23:48:04 tbox Exp $ */
-
-#ifndef ISC_REFCOUNT_H
-#define ISC_REFCOUNT_H 1
-
-#include <isc/atomic.h>
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-/*! \file isc/refcount.h
- * \brief Implements a locked reference counter.
- *
- * These functions may actually be
- * implemented using macros, and implementations of these macros are below.
- * The isc_refcount_t type should not be accessed directly, as its contents
- * depend on the implementation.
- */
-
-ISC_LANG_BEGINDECLS
-
-/*
- * Function prototypes
- */
-
-/*
- * isc_result_t
- * isc_refcount_init(isc_refcount_t *ref, unsigned int n);
- *
- * Initialize the reference counter.  There will be 'n' initial references.
- *
- * Requires:
- *	ref != NULL
- */
-
-/*
- * void
- * isc_refcount_destroy(isc_refcount_t *ref);
- *
- * Destroys a reference counter.
- *
- * Requires:
- *	ref != NULL
- *	The number of references is 0.
- */
-
-/*
- * void
- * isc_refcount_increment(isc_refcount_t *ref, unsigned int *targetp);
- * isc_refcount_increment0(isc_refcount_t *ref, unsigned int *targetp);
- *
- * Increments the reference count, returning the new value in targetp if it's
- * not NULL.  The reference counter typically begins with the initial counter
- * of 1, and will be destroyed once the counter reaches 0.  Thus,
- * isc_refcount_increment() additionally requires the previous counter be
- * larger than 0 so that an error which violates the usage can be easily
- * caught.  isc_refcount_increment0() does not have this restriction.
- *
- * Requires:
- *	ref != NULL.
- */
-
-/*
- * void
- * isc_refcount_decrement(isc_refcount_t *ref, unsigned int *targetp);
- *
- * Decrements the reference count,  returning the new value in targetp if it's
- * not NULL.
- *
- * Requires:
- *	ref != NULL.
- */
-
-
-/*
- * Sample implementations
- */
-#ifdef ISC_PLATFORM_USETHREADS
-#ifdef ISC_PLATFORM_HAVEXADD
-
-#define ISC_REFCOUNT_HAVEATOMIC 1
-
-typedef struct isc_refcount {
-	isc_int32_t refs;
-} isc_refcount_t;
-
-#define isc_refcount_destroy(rp) REQUIRE((rp)->refs == 0)
-#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
-
-#define isc_refcount_increment0(rp, tp)				\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(tp);	\
-		isc_int32_t prev;				\
-		prev = isc_atomic_xadd(&(rp)->refs, 1);		\
-		if (_tmp != NULL)				\
-			*_tmp = prev + 1;			\
-	} while (0)
-
-#define isc_refcount_increment(rp, tp)				\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(tp);	\
-		isc_int32_t prev;				\
-		prev = isc_atomic_xadd(&(rp)->refs, 1);		\
-		REQUIRE(prev > 0);				\
-		if (_tmp != NULL)				\
-			*_tmp = prev + 1;			\
-	} while (0)
-
-#define isc_refcount_decrement(rp, tp)				\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(tp);	\
-		isc_int32_t prev;				\
-		prev = isc_atomic_xadd(&(rp)->refs, -1);	\
-		REQUIRE(prev > 0);				\
-		if (_tmp != NULL)				\
-			*_tmp = prev - 1;			\
-	} while (0)
-
-#else  /* ISC_PLATFORM_HAVEXADD */
-
-typedef struct isc_refcount {
-	int refs;
-	isc_mutex_t lock;
-} isc_refcount_t;
-
-/*% Destroys a reference counter. */
-#define isc_refcount_destroy(rp)			\
-	do {						\
-		REQUIRE((rp)->refs == 0);		\
-		DESTROYLOCK(&(rp)->lock);		\
-	} while (0)
-
-#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
-
-/*% Increments the reference count, returning the new value in targetp if it's not NULL. */
-#define isc_refcount_increment0(rp, tp)				\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(tp);	\
-		LOCK(&(rp)->lock);				\
-		++((rp)->refs);					\
-		if (_tmp != NULL)				\
-			*_tmp = ((rp)->refs);			\
-		UNLOCK(&(rp)->lock);				\
-	} while (0)
-
-#define isc_refcount_increment(rp, tp)				\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(tp);	\
-		LOCK(&(rp)->lock);				\
-		REQUIRE((rp)->refs > 0);			\
-		++((rp)->refs);					\
-		if (_tmp != NULL)				\
-			*_tmp = ((rp)->refs);			\
-		UNLOCK(&(rp)->lock);				\
-	} while (0)
-
-/*% Decrements the reference count,  returning the new value in targetp if it's not NULL. */
-#define isc_refcount_decrement(rp, tp)				\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(tp);	\
-		LOCK(&(rp)->lock);				\
-		REQUIRE((rp)->refs > 0);			\
-		--((rp)->refs);					\
-		if (_tmp != NULL)				\
-			*_tmp = ((rp)->refs);			\
-		UNLOCK(&(rp)->lock);				\
-	} while (0)
-
-#endif /* ISC_PLATFORM_HAVEXADD */
-#else  /* ISC_PLATFORM_USETHREADS */
-
-typedef struct isc_refcount {
-	int refs;
-} isc_refcount_t;
-
-#define isc_refcount_destroy(rp) REQUIRE((rp)->refs == 0)
-#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
-
-#define isc_refcount_increment0(rp, tp)					\
-	do {								\
-		unsigned int *_tmp = (unsigned int *)(tp);		\
-		int _n = ++(rp)->refs;					\
-		if (_tmp != NULL)					\
-			*_tmp = _n;					\
-	} while (0)
-
-#define isc_refcount_increment(rp, tp)					\
-	do {								\
-		unsigned int *_tmp = (unsigned int *)(tp);		\
-		int _n;							\
-		REQUIRE((rp)->refs > 0);				\
-		_n = ++(rp)->refs;					\
-		if (_tmp != NULL)					\
-			*_tmp = _n;					\
-	} while (0)
-
-#define isc_refcount_decrement(rp, tp)					\
-	do {								\
-		unsigned int *_tmp = (unsigned int *)(tp);		\
-		int _n;							\
-		REQUIRE((rp)->refs > 0);				\
-		_n = --(rp)->refs;					\
-		if (_tmp != NULL)					\
-			*_tmp = _n;					\
-	} while (0)
-
-#endif /* ISC_PLATFORM_USETHREADS */
-
-isc_result_t
-isc_refcount_init(isc_refcount_t *ref, unsigned int n);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_REFCOUNT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/regex.h b/contrib/bind9/lib/isc/include/isc/regex.h
deleted file mode 100644
index 3cf6aa4..0000000
--- a/contrib/bind9/lib/isc/include/isc/regex.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef ISC_REGEX_H
-#define ISC_REGEX_H 1
-
-/*! \file isc/regex.h */
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-int
-isc_regex_validate(const char *expression);
-/*%<
- * Check a regular expression for syntactic correctness.
- *
- * Returns:
- *\li	 -1 on error.
- *\li	 the number of groups in the expression.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_REGEX_H */
diff --git a/contrib/bind9/lib/isc/include/isc/region.h b/contrib/bind9/lib/isc/include/isc/region.h
deleted file mode 100644
index ccca272..0000000
--- a/contrib/bind9/lib/isc/include/isc/region.h
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: region.h,v 1.25 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_REGION_H
-#define ISC_REGION_H 1
-
-/*! \file isc/region.h */
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-struct isc_region {
-	unsigned char *	base;
-	unsigned int	length;
-};
-
-struct isc_textregion {
-	char *		base;
-	unsigned int	length;
-};
-
-/* XXXDCL questionable ... bears discussion.  we have been putting off
- * discussing the region api.
- */
-struct isc_constregion {
-	const void *	base;
-	unsigned int	length;
-};
-
-struct isc_consttextregion {
-	const char *	base;
-	unsigned int	length;
-};
-
-/*@{*/
-/*!
- * The region structure is not opaque, and is usually directly manipulated.
- * Some macros are defined below for convenience.
- */
-
-#define isc_region_consume(r,l) \
-	do { \
-		isc_region_t *_r = (r); \
-		unsigned int _l = (l); \
-		INSIST(_r->length >= _l); \
-		_r->base += _l; \
-		_r->length -= _l; \
-	} while (0)
-
-#define isc_textregion_consume(r,l) \
-	do { \
-		isc_textregion_t *_r = (r); \
-		unsigned int _l = (l); \
-		INSIST(_r->length >= _l); \
-		_r->base += _l; \
-		_r->length -= _l; \
-	} while (0)
-
-#define isc_constregion_consume(r,l) \
-	do { \
-		isc_constregion_t *_r = (r); \
-		unsigned int _l = (l); \
-		INSIST(_r->length >= _l); \
-		_r->base += _l; \
-		_r->length -= _l; \
-	} while (0)
-/*@}*/
-
-ISC_LANG_BEGINDECLS
-
-int
-isc_region_compare(isc_region_t *r1, isc_region_t *r2);
-/*%<
- * Compares the contents of two regions
- *
- * Requires:
- *\li	'r1' is a valid region
- *\li	'r2' is a valid region
- *
- * Returns:
- *\li	 < 0 if r1 is lexicographically less than r2
- *\li	 = 0 if r1 is lexicographically identical to r2
- *\li	 > 0 if r1 is lexicographically greater than r2
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_REGION_H */
diff --git a/contrib/bind9/lib/isc/include/isc/resource.h b/contrib/bind9/lib/isc/include/isc/resource.h
deleted file mode 100644
index 747c9fd..0000000
--- a/contrib/bind9/lib/isc/include/isc/resource.h
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resource.h,v 1.13 2008/07/11 23:47:09 tbox Exp $ */
-
-#ifndef ISC_RESOURCE_H
-#define ISC_RESOURCE_H 1
-
-/*! \file isc/resource.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#define ISC_RESOURCE_UNLIMITED ((isc_resourcevalue_t)ISC_UINT64_MAX)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value);
-/*%<
- * Set the maximum limit for a system resource.
- *
- * Notes:
- *\li	If 'value' exceeds the maximum possible on the operating system,
- *	it is silently limited to that maximum -- or to "infinity", if
- *	the operating system has that concept.  #ISC_RESOURCE_UNLIMITED
- *	can be used to explicitly ask for the maximum.
- *
- * Requires:
- *\li	'resource' is a valid member of the isc_resource_t enumeration.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	Success.
- *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
- *\li	#ISC_R_NOPERM	The calling process did not have adequate permission
- *			to change the resource limit.
- */
-
-isc_result_t
-isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value);
-/*%<
- * Get the maximum limit for a system resource.
- *
- * Notes:
- *\li	'value' is set to the maximum limit.
- *
- *\li	#ISC_RESOURCE_UNLIMITED is the maximum value of isc_resourcevalue_t.
- *
- *\li	On many (all?) Unix systems, RLIM_INFINITY is a valid value that is
- *	significantly less than #ISC_RESOURCE_UNLIMITED, but which in practice
- *	behaves the same.
- *
- *\li	The current ISC libdns configuration file parser assigns a value
- *	of ISC_UINT32_MAX for a size_spec of "unlimited" and ISC_UNIT32_MAX - 1
- *	for "default", the latter of which is supposed to represent "the
- *	limit that was in force when the server started".  Since these are
- *	valid values in the middle of the range of isc_resourcevalue_t,
- *	there is the possibility for confusion over what exactly those
- *	particular values are supposed to represent in a particular context --
- *	discrete integral values or generalized concepts.
- *
- * Requires:
- *\li	'resource' is a valid member of the isc_resource_t enumeration.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Success.
- *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
- */
-
-isc_result_t
-isc_resource_getcurlimit(isc_resource_t resource, isc_resourcevalue_t *value);
-/*%<
- * Same as isc_resource_getlimit(), but returns the current (soft) limit.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Success.
- *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RESOURCE_H */
-
diff --git a/contrib/bind9/lib/isc/include/isc/result.h b/contrib/bind9/lib/isc/include/isc/result.h
deleted file mode 100644
index dcd457b..0000000
--- a/contrib/bind9/lib/isc/include/isc/result.h
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_RESULT_H
-#define ISC_RESULT_H 1
-
-/*! \file isc/result.h */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#define ISC_R_SUCCESS			0	/*%< success */
-#define ISC_R_NOMEMORY			1	/*%< out of memory */
-#define ISC_R_TIMEDOUT			2	/*%< timed out */
-#define ISC_R_NOTHREADS			3	/*%< no available threads */
-#define ISC_R_ADDRNOTAVAIL		4	/*%< address not available */
-#define ISC_R_ADDRINUSE			5	/*%< address in use */
-#define ISC_R_NOPERM			6	/*%< permission denied */
-#define ISC_R_NOCONN			7	/*%< no pending connections */
-#define ISC_R_NETUNREACH		8	/*%< network unreachable */
-#define ISC_R_HOSTUNREACH		9	/*%< host unreachable */
-#define ISC_R_NETDOWN			10	/*%< network down */
-#define ISC_R_HOSTDOWN			11	/*%< host down */
-#define ISC_R_CONNREFUSED		12	/*%< connection refused */
-#define ISC_R_NORESOURCES		13	/*%< not enough free resources */
-#define ISC_R_EOF			14	/*%< end of file */
-#define ISC_R_BOUND			15	/*%< socket already bound */
-#define ISC_R_RELOAD			16	/*%< reload */
-#define ISC_R_SUSPEND	      ISC_R_RELOAD	/*%< alias of 'reload' */
-#define ISC_R_LOCKBUSY			17	/*%< lock busy */
-#define ISC_R_EXISTS			18	/*%< already exists */
-#define ISC_R_NOSPACE			19	/*%< ran out of space */
-#define ISC_R_CANCELED			20	/*%< operation canceled */
-#define ISC_R_NOTBOUND			21	/*%< socket is not bound */
-#define ISC_R_SHUTTINGDOWN		22	/*%< shutting down */
-#define ISC_R_NOTFOUND			23	/*%< not found */
-#define ISC_R_UNEXPECTEDEND		24	/*%< unexpected end of input */
-#define ISC_R_FAILURE			25	/*%< generic failure */
-#define ISC_R_IOERROR			26	/*%< I/O error */
-#define ISC_R_NOTIMPLEMENTED		27	/*%< not implemented */
-#define ISC_R_UNBALANCED		28	/*%< unbalanced parentheses */
-#define ISC_R_NOMORE			29	/*%< no more */
-#define ISC_R_INVALIDFILE		30	/*%< invalid file */
-#define ISC_R_BADBASE64			31	/*%< bad base64 encoding */
-#define ISC_R_UNEXPECTEDTOKEN		32	/*%< unexpected token */
-#define ISC_R_QUOTA			33	/*%< quota reached */
-#define ISC_R_UNEXPECTED		34	/*%< unexpected error */
-#define ISC_R_ALREADYRUNNING		35	/*%< already running */
-#define ISC_R_IGNORE			36	/*%< ignore */
-#define ISC_R_MASKNONCONTIG             37	/*%< addr mask not contiguous */
-#define ISC_R_FILENOTFOUND		38	/*%< file not found */
-#define ISC_R_FILEEXISTS		39	/*%< file already exists */
-#define ISC_R_NOTCONNECTED		40	/*%< socket is not connected */
-#define ISC_R_RANGE			41	/*%< out of range */
-#define ISC_R_NOENTROPY			42	/*%< out of entropy */
-#define ISC_R_MULTICAST			43	/*%< invalid use of multicast */
-#define ISC_R_NOTFILE			44	/*%< not a file */
-#define ISC_R_NOTDIRECTORY		45	/*%< not a directory */
-#define ISC_R_QUEUEFULL			46	/*%< queue is full */
-#define ISC_R_FAMILYMISMATCH		47	/*%< address family mismatch */
-#define ISC_R_FAMILYNOSUPPORT		48	/*%< AF not supported */
-#define ISC_R_BADHEX			49	/*%< bad hex encoding */
-#define ISC_R_TOOMANYOPENFILES		50	/*%< too many open files */
-#define ISC_R_NOTBLOCKING		51	/*%< not blocking */
-#define ISC_R_UNBALANCEDQUOTES		52	/*%< unbalanced quotes */
-#define ISC_R_INPROGRESS		53	/*%< operation in progress */
-#define ISC_R_CONNECTIONRESET		54	/*%< connection reset */
-#define ISC_R_SOFTQUOTA			55	/*%< soft quota reached */
-#define ISC_R_BADNUMBER			56	/*%< not a valid number */
-#define ISC_R_DISABLED			57	/*%< disabled */
-#define ISC_R_MAXSIZE			58	/*%< max size */
-#define ISC_R_BADADDRESSFORM		59	/*%< invalid address format */
-#define ISC_R_BADBASE32			60	/*%< bad base32 encoding */
-#define ISC_R_UNSET			61	/*%< unset */
-
-/*% Not a result code: the number of results. */
-#define ISC_R_NRESULTS 			62
-
-ISC_LANG_BEGINDECLS
-
-const char *
-isc_result_totext(isc_result_t);
-/*%<
- * Convert an isc_result_t into a string message describing the result.
- */
-
-isc_result_t
-isc_result_register(unsigned int base, unsigned int nresults,
-		    const char **text, isc_msgcat_t *msgcat, int set);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RESULT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/resultclass.h b/contrib/bind9/lib/isc/include/isc/resultclass.h
deleted file mode 100644
index d91e800..0000000
--- a/contrib/bind9/lib/isc/include/isc/resultclass.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resultclass.h,v 1.20 2009/09/02 23:48:03 tbox Exp $ */
-
-#ifndef ISC_RESULTCLASS_H
-#define ISC_RESULTCLASS_H 1
-
-
-/*! \file isc/resultclass.h
- * \brief Registry of Predefined Result Type Classes
- *
- * A result class number is an unsigned 16 bit number.  Each class may
- * contain up to 65536 results.  A result code is formed by adding the
- * result number within the class to the class number multiplied by 65536.
- *
- * Classes < 1024 are reserved for ISC use.
- * Result classes >= 1024 and <= 65535 are reserved for application use.
- */
-
-#define ISC_RESULTCLASS_FROMNUM(num)		((num) << 16)
-#define ISC_RESULTCLASS_TONUM(rclass)		((rclass) >> 16)
-#define ISC_RESULTCLASS_SIZE			65536
-#define ISC_RESULTCLASS_INCLASS(rclass, result) \
-	((rclass) == ((result) & 0xFFFF0000))
-
-
-#define	ISC_RESULTCLASS_ISC		ISC_RESULTCLASS_FROMNUM(0)
-#define	ISC_RESULTCLASS_DNS		ISC_RESULTCLASS_FROMNUM(1)
-#define	ISC_RESULTCLASS_DST		ISC_RESULTCLASS_FROMNUM(2)
-#define	ISC_RESULTCLASS_DNSRCODE	ISC_RESULTCLASS_FROMNUM(3)
-#define	ISC_RESULTCLASS_OMAPI		ISC_RESULTCLASS_FROMNUM(4)
-#define	ISC_RESULTCLASS_ISCCC		ISC_RESULTCLASS_FROMNUM(5)
-#define	ISC_RESULTCLASS_DHCP		ISC_RESULTCLASS_FROMNUM(6)
-
-
-#endif /* ISC_RESULTCLASS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/rwlock.h b/contrib/bind9/lib/isc/include/isc/rwlock.h
deleted file mode 100644
index 28052cd..0000000
--- a/contrib/bind9/lib/isc/include/isc/rwlock.h
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rwlock.h,v 1.28 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_RWLOCK_H
-#define ISC_RWLOCK_H 1
-
-/*! \file isc/rwlock.h */
-
-#include <isc/condition.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef enum {
-	isc_rwlocktype_none = 0,
-	isc_rwlocktype_read,
-	isc_rwlocktype_write
-} isc_rwlocktype_t;
-
-#ifdef ISC_PLATFORM_USETHREADS
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
-#define ISC_RWLOCK_USEATOMIC 1
-#endif
-
-struct isc_rwlock {
-	/* Unlocked. */
-	unsigned int		magic;
-	isc_mutex_t		lock;
-
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
-	/*
-	 * When some atomic instructions with hardware assistance are
-	 * available, rwlock will use those so that concurrent readers do not
-	 * interfere with each other through mutex as long as no writers
-	 * appear, massively reducing the lock overhead in the typical case.
-	 *
-	 * The basic algorithm of this approach is the "simple
-	 * writer-preference lock" shown in the following URL:
-	 * http://www.cs.rochester.edu/u/scott/synchronization/pseudocode/rw.html
-	 * but our implementation does not rely on the spin lock unlike the
-	 * original algorithm to be more portable as a user space application.
-	 */
-
-	/* Read or modified atomically. */
-	isc_int32_t		write_requests;
-	isc_int32_t		write_completions;
-	isc_int32_t		cnt_and_flag;
-
-	/* Locked by lock. */
-	isc_condition_t		readable;
-	isc_condition_t		writeable;
-	unsigned int		readers_waiting;
-
-	/* Locked by rwlock itself. */
-	unsigned int		write_granted;
-
-	/* Unlocked. */
-	unsigned int		write_quota;
-
-#else  /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
-
-	/*%< Locked by lock. */
-	isc_condition_t		readable;
-	isc_condition_t		writeable;
-	isc_rwlocktype_t	type;
-
-	/*% The number of threads that have the lock. */
-	unsigned int		active;
-
-	/*%
-	 * The number of lock grants made since the lock was last switched
-	 * from reading to writing or vice versa; used in determining
-	 * when the quota is reached and it is time to switch.
-	 */
-	unsigned int		granted;
-	
-	unsigned int		readers_waiting;
-	unsigned int		writers_waiting;
-	unsigned int		read_quota;
-	unsigned int		write_quota;
-	isc_rwlocktype_t	original;
-#endif  /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
-};
-#else /* ISC_PLATFORM_USETHREADS */
-struct isc_rwlock {
-	unsigned int		magic;
-	isc_rwlocktype_t	type;
-	unsigned int		active;
-};
-#endif /* ISC_PLATFORM_USETHREADS */
-
-
-isc_result_t
-isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
-		unsigned int write_quota);
-
-isc_result_t
-isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
-
-isc_result_t
-isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
-
-isc_result_t
-isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
-
-isc_result_t
-isc_rwlock_tryupgrade(isc_rwlock_t *rwl);
-
-void
-isc_rwlock_downgrade(isc_rwlock_t *rwl);
-
-void
-isc_rwlock_destroy(isc_rwlock_t *rwl);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RWLOCK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/serial.h b/contrib/bind9/lib/isc/include/isc/serial.h
deleted file mode 100644
index a5e0397..0000000
--- a/contrib/bind9/lib/isc/include/isc/serial.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: serial.h,v 1.18 2009/01/18 23:48:14 tbox Exp $ */
-
-#ifndef ISC_SERIAL_H
-#define ISC_SERIAL_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*! \file isc/serial.h
- *	\brief Implement 32 bit serial space arithmetic comparison functions.
- *	Note: Undefined results are returned as ISC_FALSE.
- */
-
-/***
- ***	Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_boolean_t
-isc_serial_lt(isc_uint32_t a, isc_uint32_t b);
-/*%<
- *	Return true if 'a' < 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_gt(isc_uint32_t a, isc_uint32_t b);
-/*%<
- *	Return true if 'a' > 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_le(isc_uint32_t a, isc_uint32_t b);
-/*%<
- *	Return true if 'a' <= 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_ge(isc_uint32_t a, isc_uint32_t b);
-/*%<
- *	Return true if 'a' >= 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_eq(isc_uint32_t a, isc_uint32_t b);
-/*%<
- *	Return true if 'a' == 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_ne(isc_uint32_t a, isc_uint32_t b);
-/*%<
- *	Return true if 'a' != 'b' otherwise false.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SERIAL_H */
diff --git a/contrib/bind9/lib/isc/include/isc/sha1.h b/contrib/bind9/lib/isc/include/isc/sha1.h
deleted file mode 100644
index 313ff96..0000000
--- a/contrib/bind9/lib/isc/include/isc/sha1.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef ISC_SHA1_H
-#define ISC_SHA1_H 1
-
-/* $Id: sha1.h,v 1.19 2009/02/06 23:47:42 tbox Exp $ */
-
-/*	$NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $	*/
-
-/*! \file isc/sha1.h
- * \brief SHA-1 in C
- * \author By Steve Reid <steve@edmweb.com>
- * \note 100% Public Domain
- */
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#define ISC_SHA1_DIGESTLENGTH 20U
-#define ISC_SHA1_BLOCK_LENGTH 64U
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-#include <openssl/evp.h>
-
-typedef EVP_MD_CTX isc_sha1_t;
-
-#else
-
-typedef struct {
-	isc_uint32_t state[5];
-	isc_uint32_t count[2];
-	unsigned char buffer[ISC_SHA1_BLOCK_LENGTH];
-} isc_sha1_t;
-#endif
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_sha1_init(isc_sha1_t *ctx);
-
-void
-isc_sha1_invalidate(isc_sha1_t *ctx);
-
-void
-isc_sha1_update(isc_sha1_t *ctx, const unsigned char *data, unsigned int len);
-
-void
-isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SHA1_H */
diff --git a/contrib/bind9/lib/isc/include/isc/sha2.h b/contrib/bind9/lib/isc/include/isc/sha2.h
deleted file mode 100644
index 9788a64..0000000
--- a/contrib/bind9/lib/isc/include/isc/sha2.h
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright (C) 2005-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sha2.h,v 1.12 2009/10/22 02:21:31 each Exp $ */
-
-/*	$FreeBSD$	*/
-/*	$KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $	*/
-
-/*
- * sha2.h
- *
- * Version 1.0.0beta1
- *
- * Written by Aaron D. Gifford <me@aarongifford.com>
- *
- * Copyright 2000 Aaron D. Gifford.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#ifndef ISC_SHA2_H
-#define ISC_SHA2_H
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-/*** SHA-224/256/384/512 Various Length Definitions ***********************/
-
-#define ISC_SHA224_BLOCK_LENGTH		64U
-#define ISC_SHA224_DIGESTLENGTH	28U
-#define ISC_SHA224_DIGESTSTRINGLENGTH	(ISC_SHA224_DIGESTLENGTH * 2 + 1)
-#define ISC_SHA256_BLOCK_LENGTH		64U
-#define ISC_SHA256_DIGESTLENGTH	32U
-#define ISC_SHA256_DIGESTSTRINGLENGTH	(ISC_SHA256_DIGESTLENGTH * 2 + 1)
-#define ISC_SHA384_BLOCK_LENGTH		128
-#define ISC_SHA384_DIGESTLENGTH	48U
-#define ISC_SHA384_DIGESTSTRINGLENGTH	(ISC_SHA384_DIGESTLENGTH * 2 + 1)
-#define ISC_SHA512_BLOCK_LENGTH		128U
-#define ISC_SHA512_DIGESTLENGTH	64U
-#define ISC_SHA512_DIGESTSTRINGLENGTH	(ISC_SHA512_DIGESTLENGTH * 2 + 1)
-
-/*** SHA-256/384/512 Context Structures *******************************/
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-#include <openssl/evp.h>
-
-typedef EVP_MD_CTX isc_sha256_t;
-typedef EVP_MD_CTX isc_sha512_t;
-
-#else
-
-/*
- * Keep buffer immediately after bitcount to preserve alignment.
- */
-typedef struct {
-	isc_uint32_t	state[8];
-	isc_uint64_t	bitcount;
-	isc_uint8_t	buffer[ISC_SHA256_BLOCK_LENGTH];
-} isc_sha256_t;
-
-/*
- * Keep buffer immediately after bitcount to preserve alignment.
- */
-typedef struct {
-	isc_uint64_t	state[8];
-	isc_uint64_t	bitcount[2];
-	isc_uint8_t	buffer[ISC_SHA512_BLOCK_LENGTH];
-} isc_sha512_t;
-#endif
-
-typedef isc_sha256_t isc_sha224_t;
-typedef isc_sha512_t isc_sha384_t;
-
-ISC_LANG_BEGINDECLS
-
-/*** SHA-224/256/384/512 Function Prototypes ******************************/
-
-void isc_sha224_init (isc_sha224_t *);
-void isc_sha224_invalidate (isc_sha224_t *);
-void isc_sha224_update (isc_sha224_t *, const isc_uint8_t *, size_t);
-void isc_sha224_final (isc_uint8_t[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *);
-char *isc_sha224_end (isc_sha224_t *, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
-char *isc_sha224_data (const isc_uint8_t *, size_t, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
-
-void isc_sha256_init (isc_sha256_t *);
-void isc_sha256_invalidate (isc_sha256_t *);
-void isc_sha256_update (isc_sha256_t *, const isc_uint8_t *, size_t);
-void isc_sha256_final (isc_uint8_t[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *);
-char *isc_sha256_end (isc_sha256_t *, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
-char *isc_sha256_data (const isc_uint8_t *, size_t, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
-
-void isc_sha384_init (isc_sha384_t *);
-void isc_sha384_invalidate (isc_sha384_t *);
-void isc_sha384_update (isc_sha384_t *, const isc_uint8_t *, size_t);
-void isc_sha384_final (isc_uint8_t[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *);
-char *isc_sha384_end (isc_sha384_t *, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
-char *isc_sha384_data (const isc_uint8_t *, size_t, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
-
-void isc_sha512_init (isc_sha512_t *);
-void isc_sha512_invalidate (isc_sha512_t *);
-void isc_sha512_update (isc_sha512_t *, const isc_uint8_t *, size_t);
-void isc_sha512_final (isc_uint8_t[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *);
-char *isc_sha512_end (isc_sha512_t *, char[ISC_SHA512_DIGESTSTRINGLENGTH]);
-char *isc_sha512_data (const isc_uint8_t *, size_t, char[ISC_SHA512_DIGESTSTRINGLENGTH]);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SHA2_H */
diff --git a/contrib/bind9/lib/isc/include/isc/sockaddr.h b/contrib/bind9/lib/isc/include/isc/sockaddr.h
deleted file mode 100644
index 4d811dd..0000000
--- a/contrib/bind9/lib/isc/include/isc/sockaddr.h
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sockaddr.h,v 1.57 2009/01/18 23:48:14 tbox Exp $ */
-
-#ifndef ISC_SOCKADDR_H
-#define ISC_SOCKADDR_H 1
-
-/*! \file isc/sockaddr.h */
-
-#include <isc/lang.h>
-#include <isc/net.h>
-#include <isc/types.h>
-#ifdef ISC_PLATFORM_HAVESYSUNH
-#include <sys/un.h>
-#endif
-
-struct isc_sockaddr {
-	union {
-		struct sockaddr		sa;
-		struct sockaddr_in	sin;
-		struct sockaddr_in6	sin6;
-		struct sockaddr_storage ss;
-#ifdef ISC_PLATFORM_HAVESYSUNH
-		struct sockaddr_un	sunix;
-#endif
-	}				type;
-	unsigned int			length;		/* XXXRTH beginning? */
-	ISC_LINK(struct isc_sockaddr)	link;
-};
-
-typedef ISC_LIST(struct isc_sockaddr)	isc_sockaddrlist_t;
-
-#define ISC_SOCKADDR_CMPADDR	  0x0001	/*%< compare the address
-						 *   sin_addr/sin6_addr */
-#define ISC_SOCKADDR_CMPPORT 	  0x0002	/*%< compare the port
-						 *   sin_port/sin6_port */
-#define ISC_SOCKADDR_CMPSCOPE     0x0004	/*%< compare the scope
-						 *   sin6_scope */
-#define ISC_SOCKADDR_CMPSCOPEZERO 0x0008	/*%< when comparing scopes
-						 *   zero scopes always match */
-
-ISC_LANG_BEGINDECLS
-
-isc_boolean_t
-isc_sockaddr_compare(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
-		     unsigned int flags);
-/*%<
- * Compare the elements of the two address ('a' and 'b') as specified
- * by 'flags' and report if they are equal or not.
- *
- * 'flags' is set from ISC_SOCKADDR_CMP*.
- */
-
-isc_boolean_t
-isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
-/*%<
- * Return ISC_TRUE iff the socket addresses 'a' and 'b' are equal.
- */
-
-isc_boolean_t
-isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
-/*%<
- * Return ISC_TRUE iff the address parts of the socket addresses
- * 'a' and 'b' are equal, ignoring the ports.
- */
-
-isc_boolean_t
-isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
-			  unsigned int prefixlen);
-/*%<
- * Return ISC_TRUE iff the most significant 'prefixlen' bits of the
- * socket addresses 'a' and 'b' are equal, ignoring the ports.
- * If 'b''s scope is zero then 'a''s scope will be ignored.
- */
-
-unsigned int
-isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only);
-/*%<
- * Return a hash value for the socket address 'sockaddr'.  If 'address_only'
- * is ISC_TRUE, the hash value will not depend on the port.
- *
- * IPv6 addresses containing mapped IPv4 addresses generate the same hash
- * value as the equivalent IPv4 address.
- */
-
-void
-isc_sockaddr_any(isc_sockaddr_t *sockaddr);
-/*%<
- * Return the IPv4 wildcard address.
- */
-
-void
-isc_sockaddr_any6(isc_sockaddr_t *sockaddr);
-/*%<
- * Return the IPv6 wildcard address.
- */
-
-void
-isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int family);
-/*%<
- * Set '*sockaddr' to the wildcard address of protocol family
- * 'family'.
- *
- * Requires:
- * \li	'family' is AF_INET or AF_INET6.
- */
-
-void
-isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
-		    in_port_t port);
-/*%<
- * Construct an isc_sockaddr_t from an IPv4 address and port.
- */
-
-void
-isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
-		     in_port_t port);
-/*%<
- * Construct an isc_sockaddr_t from an IPv6 address and port.
- */
-
-void
-isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
-		      in_port_t port);
-/*%<
- * Construct an IPv6 isc_sockaddr_t representing a mapped IPv4 address.
- */
-
-void
-isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
-			 in_port_t port);
-/*%<
- * Construct an isc_sockaddr_t from an isc_netaddr_t and port.
- */
-
-int
-isc_sockaddr_pf(const isc_sockaddr_t *sockaddr);
-/*%<
- * Get the protocol family of 'sockaddr'.
- *
- * Requires:
- *
- *\li	'sockaddr' is a valid sockaddr with an address family of AF_INET
- *	or AF_INET6.
- *
- * Returns:
- *
- *\li	The protocol family of 'sockaddr', e.g. PF_INET or PF_INET6.
- */
-
-void
-isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
-/*%<
- * Set the port of 'sockaddr' to 'port'.
- */
-
-in_port_t
-isc_sockaddr_getport(const isc_sockaddr_t *sockaddr);
-/*%<
- * Get the port stored in 'sockaddr'.
- */
-
-isc_result_t
-isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target);
-/*%<
- * Append a text representation of 'sockaddr' to the buffer 'target'.
- * The text will include both the IP address (v4 or v6) and the port.
- * The text is null terminated, but the terminating null is not
- * part of the buffer's used region.
- *
- * Returns:
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOSPACE	The text or the null termination did not fit.
- */
-
-void
-isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
-/*%<
- * Format a human-readable representation of the socket address '*sa'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
-
-isc_boolean_t
-isc_sockaddr_ismulticast(const isc_sockaddr_t *sa);
-/*%<
- * Returns #ISC_TRUE if the address is a multicast address.
- */
-
-isc_boolean_t
-isc_sockaddr_isexperimental(const isc_sockaddr_t *sa);
-/*
- * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
- */
-
-isc_boolean_t
-isc_sockaddr_islinklocal(const isc_sockaddr_t *sa);
-/*%<
- * Returns ISC_TRUE if the address is a link local address.
- */
-
-isc_boolean_t
-isc_sockaddr_issitelocal(const isc_sockaddr_t *sa);
-/*%<
- * Returns ISC_TRUE if the address is a sitelocal address.
- */
-
-isc_result_t
-isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path);
-/*
- *  Create a UNIX domain sockaddr that refers to path.
- *
- * Returns:
- * \li	ISC_R_NOSPACE
- * \li	ISC_R_NOTIMPLEMENTED
- * \li	ISC_R_SUCCESS
- */
-
-#define ISC_SOCKADDR_FORMATSIZE \
-	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS#YYYYY")
-/*%<
- * Minimum size of array to pass to isc_sockaddr_format().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SOCKADDR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/socket.h b/contrib/bind9/lib/isc/include/isc/socket.h
deleted file mode 100644
index 9d086b4..0000000
--- a/contrib/bind9/lib/isc/include/isc/socket.h
+++ /dev/null
@@ -1,1176 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_SOCKET_H
-#define ISC_SOCKET_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/socket.h
- * \brief Provides TCP and UDP sockets for network I/O.  The sockets are event
- * sources in the task system.
- *
- * When I/O completes, a completion event for the socket is posted to the
- * event queue of the task which requested the I/O.
- *
- * \li MP:
- *	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *	Clients of this module must not be holding a socket's task's lock when
- *	making a call that affects that socket.  Failure to follow this rule
- *	can result in deadlock.
- *	The caller must ensure that isc_socketmgr_destroy() is called only
- *	once for a given manager.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	TBS
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-#include <isc/event.h>
-#include <isc/eventclass.h>
-#include <isc/time.h>
-#include <isc/region.h>
-#include <isc/sockaddr.h>
-#include <isc/xml.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Constants
- ***/
-
-/*%
- * Maximum number of buffers in a scatter/gather read/write.  The operating
- * system in use must support at least this number (plus one on some.)
- */
-#define ISC_SOCKET_MAXSCATTERGATHER	8
-
-/*%
- * In isc_socket_bind() set socket option SO_REUSEADDR prior to calling
- * bind() if a non zero port is specified (AF_INET and AF_INET6).
- */
-#define ISC_SOCKET_REUSEADDRESS		0x01U
-
-/*%
- * Statistics counters.  Used as isc_statscounter_t values.
- */
-enum {
-	isc_sockstatscounter_udp4open = 0,
-	isc_sockstatscounter_udp6open = 1,
-	isc_sockstatscounter_tcp4open = 2,
-	isc_sockstatscounter_tcp6open = 3,
-	isc_sockstatscounter_unixopen = 4,
-
-	isc_sockstatscounter_udp4openfail = 5,
-	isc_sockstatscounter_udp6openfail = 6,
-	isc_sockstatscounter_tcp4openfail = 7,
-	isc_sockstatscounter_tcp6openfail = 8,
-	isc_sockstatscounter_unixopenfail = 9,
-
-	isc_sockstatscounter_udp4close = 10,
-	isc_sockstatscounter_udp6close = 11,
-	isc_sockstatscounter_tcp4close = 12,
-	isc_sockstatscounter_tcp6close = 13,
-	isc_sockstatscounter_unixclose = 14,
-	isc_sockstatscounter_fdwatchclose = 15,
-
-	isc_sockstatscounter_udp4bindfail = 16,
-	isc_sockstatscounter_udp6bindfail = 17,
-	isc_sockstatscounter_tcp4bindfail = 18,
-	isc_sockstatscounter_tcp6bindfail = 19,
-	isc_sockstatscounter_unixbindfail = 20,
-	isc_sockstatscounter_fdwatchbindfail = 21,
-
-	isc_sockstatscounter_udp4connect = 22,
-	isc_sockstatscounter_udp6connect = 23,
-	isc_sockstatscounter_tcp4connect = 24,
-	isc_sockstatscounter_tcp6connect = 25,
-	isc_sockstatscounter_unixconnect = 26,
-	isc_sockstatscounter_fdwatchconnect = 27,
-
-	isc_sockstatscounter_udp4connectfail = 28,
-	isc_sockstatscounter_udp6connectfail = 29,
-	isc_sockstatscounter_tcp4connectfail = 30,
-	isc_sockstatscounter_tcp6connectfail = 31,
-	isc_sockstatscounter_unixconnectfail = 32,
-	isc_sockstatscounter_fdwatchconnectfail = 33,
-
-	isc_sockstatscounter_tcp4accept = 34,
-	isc_sockstatscounter_tcp6accept = 35,
-	isc_sockstatscounter_unixaccept = 36,
-
-	isc_sockstatscounter_tcp4acceptfail = 37,
-	isc_sockstatscounter_tcp6acceptfail = 38,
-	isc_sockstatscounter_unixacceptfail = 39,
-
-	isc_sockstatscounter_udp4sendfail = 40,
-	isc_sockstatscounter_udp6sendfail = 41,
-	isc_sockstatscounter_tcp4sendfail = 42,
-	isc_sockstatscounter_tcp6sendfail = 43,
-	isc_sockstatscounter_unixsendfail = 44,
-	isc_sockstatscounter_fdwatchsendfail = 45,
-
-	isc_sockstatscounter_udp4recvfail = 46,
-	isc_sockstatscounter_udp6recvfail = 47,
-	isc_sockstatscounter_tcp4recvfail = 48,
-	isc_sockstatscounter_tcp6recvfail = 49,
-	isc_sockstatscounter_unixrecvfail = 50,
-	isc_sockstatscounter_fdwatchrecvfail = 51,
-
-	isc_sockstatscounter_max = 52
-};
-
-/***
- *** Types
- ***/
-
-struct isc_socketevent {
-	ISC_EVENT_COMMON(isc_socketevent_t);
-	isc_result_t		result;		/*%< OK, EOF, whatever else */
-	unsigned int		minimum;	/*%< minimum i/o for event */
-	unsigned int		n;		/*%< bytes read or written */
-	unsigned int		offset;		/*%< offset into buffer list */
-	isc_region_t		region;		/*%< for single-buffer i/o */
-	isc_bufferlist_t	bufferlist;	/*%< list of buffers */
-	isc_sockaddr_t		address;	/*%< source address */
-	isc_time_t		timestamp;	/*%< timestamp of packet recv */
-	struct in6_pktinfo	pktinfo;	/*%< ipv6 pktinfo */
-	isc_uint32_t		attributes;	/*%< see below */
-	isc_eventdestructor_t   destroy;	/*%< original destructor */
-};
-
-typedef struct isc_socket_newconnev isc_socket_newconnev_t;
-struct isc_socket_newconnev {
-	ISC_EVENT_COMMON(isc_socket_newconnev_t);
-	isc_socket_t *		newsocket;
-	isc_result_t		result;		/*%< OK, EOF, whatever else */
-	isc_sockaddr_t		address;	/*%< source address */
-};
-
-typedef struct isc_socket_connev isc_socket_connev_t;
-struct isc_socket_connev {
-	ISC_EVENT_COMMON(isc_socket_connev_t);
-	isc_result_t		result;		/*%< OK, EOF, whatever else */
-};
-
-/*@{*/
-/*!
- * _ATTACHED:	Internal use only.
- * _TRUNC:	Packet was truncated on receive.
- * _CTRUNC:	Packet control information was truncated.  This can
- *		indicate that the packet is not complete, even though
- *		all the data is valid.
- * _TIMESTAMP:	The timestamp member is valid.
- * _PKTINFO:	The pktinfo member is valid.
- * _MULTICAST:	The UDP packet was received via a multicast transmission.
- */
-#define ISC_SOCKEVENTATTR_ATTACHED		0x80000000U /* internal */
-#define ISC_SOCKEVENTATTR_TRUNC			0x00800000U /* public */
-#define ISC_SOCKEVENTATTR_CTRUNC		0x00400000U /* public */
-#define ISC_SOCKEVENTATTR_TIMESTAMP		0x00200000U /* public */
-#define ISC_SOCKEVENTATTR_PKTINFO		0x00100000U /* public */
-#define ISC_SOCKEVENTATTR_MULTICAST		0x00080000U /* public */
-/*@}*/
-
-#define ISC_SOCKEVENT_ANYEVENT  (0)
-#define ISC_SOCKEVENT_RECVDONE	(ISC_EVENTCLASS_SOCKET + 1)
-#define ISC_SOCKEVENT_SENDDONE	(ISC_EVENTCLASS_SOCKET + 2)
-#define ISC_SOCKEVENT_NEWCONN	(ISC_EVENTCLASS_SOCKET + 3)
-#define ISC_SOCKEVENT_CONNECT	(ISC_EVENTCLASS_SOCKET + 4)
-
-/*
- * Internal events.
- */
-#define ISC_SOCKEVENT_INTR	(ISC_EVENTCLASS_SOCKET + 256)
-#define ISC_SOCKEVENT_INTW	(ISC_EVENTCLASS_SOCKET + 257)
-
-typedef enum {
-	isc_sockettype_udp = 1,
-	isc_sockettype_tcp = 2,
-	isc_sockettype_unix = 3,
-	isc_sockettype_fdwatch = 4
-} isc_sockettype_t;
-
-/*@{*/
-/*!
- * How a socket should be shutdown in isc_socket_shutdown() calls.
- */
-#define ISC_SOCKSHUT_RECV	0x00000001	/*%< close read side */
-#define ISC_SOCKSHUT_SEND	0x00000002	/*%< close write side */
-#define ISC_SOCKSHUT_ALL	0x00000003	/*%< close them all */
-/*@}*/
-
-/*@{*/
-/*!
- * What I/O events to cancel in isc_socket_cancel() calls.
- */
-#define ISC_SOCKCANCEL_RECV	0x00000001	/*%< cancel recv */
-#define ISC_SOCKCANCEL_SEND	0x00000002	/*%< cancel send */
-#define ISC_SOCKCANCEL_ACCEPT	0x00000004	/*%< cancel accept */
-#define ISC_SOCKCANCEL_CONNECT	0x00000008	/*%< cancel connect */
-#define ISC_SOCKCANCEL_ALL	0x0000000f	/*%< cancel everything */
-/*@}*/
-
-/*@{*/
-/*!
- * Flags for isc_socket_send() and isc_socket_recv() calls.
- */
-#define ISC_SOCKFLAG_IMMEDIATE	0x00000001	/*%< send event only if needed */
-#define ISC_SOCKFLAG_NORETRY	0x00000002	/*%< drop failed UDP sends */
-/*@}*/
-
-/*@{*/
-/*!
- * Flags for fdwatchcreate.
- */
-#define ISC_SOCKFDWATCH_READ	0x00000001	/*%< watch for readable */
-#define ISC_SOCKFDWATCH_WRITE	0x00000002	/*%< watch for writable */
-/*@}*/
-
-/*% Socket and socket manager methods */
-typedef struct isc_socketmgrmethods {
-	void		(*destroy)(isc_socketmgr_t **managerp);
-	isc_result_t	(*socketcreate)(isc_socketmgr_t *manager, int pf,
-					isc_sockettype_t type,
-					isc_socket_t **socketp);
-	isc_result_t    (*fdwatchcreate)(isc_socketmgr_t *manager, int fd,
-					 int flags,
-					 isc_sockfdwatch_t callback,
-					 void *cbarg, isc_task_t *task,
-					 isc_socket_t **socketp);
-} isc_socketmgrmethods_t;
-
-typedef struct isc_socketmethods {
-	void		(*attach)(isc_socket_t *socket,
-				  isc_socket_t **socketp);
-	void		(*detach)(isc_socket_t **socketp);
-	isc_result_t	(*bind)(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
-				unsigned int options);
-	isc_result_t	(*sendto)(isc_socket_t *sock, isc_region_t *region,
-				  isc_task_t *task, isc_taskaction_t action,
-				  const void *arg, isc_sockaddr_t *address,
-				  struct in6_pktinfo *pktinfo);
-	isc_result_t	(*sendto2)(isc_socket_t *sock, isc_region_t *region,
-				   isc_task_t *task, isc_sockaddr_t *address,
-				   struct in6_pktinfo *pktinfo,
-				   isc_socketevent_t *event,
-				   unsigned int flags);
-	isc_result_t	(*connect)(isc_socket_t *sock, isc_sockaddr_t *addr,
-				   isc_task_t *task, isc_taskaction_t action,
-				   const void *arg);
-	isc_result_t	(*recv)(isc_socket_t *sock, isc_region_t *region,
-				unsigned int minimum, isc_task_t *task,
-				isc_taskaction_t action, const void *arg);
-	isc_result_t	(*recv2)(isc_socket_t *sock, isc_region_t *region,
-				 unsigned int minimum, isc_task_t *task,
-				 isc_socketevent_t *event, unsigned int flags);
-	void		(*cancel)(isc_socket_t *sock, isc_task_t *task,
-				  unsigned int how);
-	isc_result_t	(*getsockname)(isc_socket_t *sock,
-				       isc_sockaddr_t *addressp);
-	isc_sockettype_t (*gettype)(isc_socket_t *sock);
-	void		(*ipv6only)(isc_socket_t *sock, isc_boolean_t yes);
-	isc_result_t    (*fdwatchpoke)(isc_socket_t *sock, int flags);
-	isc_result_t		(*dup)(isc_socket_t *socket,
-				  isc_socket_t **socketp);
-	int 		(*getfd)(isc_socket_t *socket);
-} isc_socketmethods_t;
-
-/*%
- * This structure is actually just the common prefix of a socket manager
- * object implementation's version of an isc_socketmgr_t.
- * \brief
- * Direct use of this structure by clients is forbidden.  socket implementations
- * may change the structure.  'magic' must be ISCAPI_SOCKETMGR_MAGIC for any
- * of the isc_socket_ routines to work.  socket implementations must maintain
- * all socket invariants.
- * In effect, this definition is used only for non-BIND9 version ("export")
- * of the library, and the export version does not work for win32.  So, to avoid
- * the definition conflict with win32/socket.c, we enable this definition only
- * for non-Win32 (i.e. Unix) platforms.
- */
-#ifndef WIN32
-struct isc_socketmgr {
-	unsigned int		impmagic;
-	unsigned int		magic;
-	isc_socketmgrmethods_t	*methods;
-};
-#endif
-
-#define ISCAPI_SOCKETMGR_MAGIC		ISC_MAGIC('A','s','m','g')
-#define ISCAPI_SOCKETMGR_VALID(m)	((m) != NULL && \
-					 (m)->magic == ISCAPI_SOCKETMGR_MAGIC)
-
-/*%
- * This is the common prefix of a socket object.  The same note as
- * that for the socketmgr structure applies.
- */
-#ifndef WIN32
-struct isc_socket {
-	unsigned int		impmagic;
-	unsigned int		magic;
-	isc_socketmethods_t	*methods;
-};
-#endif
-
-#define ISCAPI_SOCKET_MAGIC	ISC_MAGIC('A','s','c','t')
-#define ISCAPI_SOCKET_VALID(s)	((s) != NULL && \
-				 (s)->magic == ISCAPI_SOCKET_MAGIC)
-
-/***
- *** Socket and Socket Manager Functions
- ***
- *** Note: all Ensures conditions apply only if the result is success for
- *** those functions which return an isc_result.
- ***/
-
-isc_result_t
-isc_socket_fdwatchcreate(isc_socketmgr_t *manager,
-			 int fd,
-			 int flags,
-			 isc_sockfdwatch_t callback,
-			 void *cbarg,
-			 isc_task_t *task,
-			 isc_socket_t **socketp);
-/*%<
- * Create a new file descriptor watch socket managed by 'manager'.
- *
- * Note:
- *
- *\li   'fd' is the already-opened file descriptor.
- *\li	This function is not available on Windows.
- *\li	The callback function is called "in-line" - this means the function
- *	needs to return as fast as possible, as all other I/O will be suspended
- *	until the callback completes.
- *
- * Requires:
- *
- *\li	'manager' is a valid manager
- *
- *\li	'socketp' is a valid pointer, and *socketp == NULL
- *
- *\li	'fd' be opened.
- *
- * Ensures:
- *
- *	'*socketp' is attached to the newly created fdwatch socket
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_NORESOURCES
- *\li	#ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_fdwatchpoke(isc_socket_t *sock,
-		       int flags);
-/*%<
- * Poke a file descriptor watch socket informing the manager that it
- * should restart watching the socket
- *
- * Note:
- *
- *\li   'sock' is the socket returned by isc_socket_fdwatchcreate
- *
- *\li   'flags' indicates what the manager should watch for on the socket
- *      in addition to what it may already be watching.  It can be one or
- *      both of ISC_SOCKFDWATCH_READ and ISC_SOCKFDWATCH_WRITE.  To
- *      temporarily disable watching on a socket the value indicating
- *      no more data should be returned from the call back routine.
- *
- *\li	This function is not available on Windows.
- *
- * Requires:
- *
- *\li	'sock' is a valid isc socket
- *
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- */
-
-isc_result_t
-isc_socket_create(isc_socketmgr_t *manager,
-		  int pf,
-		  isc_sockettype_t type,
-		  isc_socket_t **socketp);
-/*%<
- * Create a new 'type' socket managed by 'manager'.
- *
- * For isc_sockettype_fdwatch sockets you should use isc_socket_fdwatchcreate()
- * rather than isc_socket_create().
- *
- * Note:
- *
- *\li	'pf' is the desired protocol family, e.g. PF_INET or PF_INET6.
- *
- * Requires:
- *
- *\li	'manager' is a valid manager
- *
- *\li	'socketp' is a valid pointer, and *socketp == NULL
- *
- *\li	'type' is not isc_sockettype_fdwatch
- *
- * Ensures:
- *
- *	'*socketp' is attached to the newly created socket
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_NORESOURCES
- *\li	#ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_dup(isc_socket_t *sock0, isc_socket_t **socketp);
-/*%<
- * Duplicate an existing socket, reusing its file descriptor.
- */
-
-void
-isc_socket_cancel(isc_socket_t *sock, isc_task_t *task,
-		  unsigned int how);
-/*%<
- * Cancel pending I/O of the type specified by "how".
- *
- * Note: if "task" is NULL, then the cancel applies to all tasks using the
- * socket.
- *
- * Requires:
- *
- * \li	"socket" is a valid socket
- *
- * \li	"task" is NULL or a valid task
- *
- * "how" is a bitmask describing the type of cancelation to perform.
- * The type ISC_SOCKCANCEL_ALL will cancel all pending I/O on this
- * socket.
- *
- * \li ISC_SOCKCANCEL_RECV:
- *	Cancel pending isc_socket_recv() calls.
- *
- * \li ISC_SOCKCANCEL_SEND:
- *	Cancel pending isc_socket_send() and isc_socket_sendto() calls.
- *
- * \li ISC_SOCKCANCEL_ACCEPT:
- *	Cancel pending isc_socket_accept() calls.
- *
- * \li ISC_SOCKCANCEL_CONNECT:
- *	Cancel pending isc_socket_connect() call.
- */
-
-void
-isc_socket_shutdown(isc_socket_t *sock, unsigned int how);
-/*%<
- * Shutdown 'socket' according to 'how'.
- *
- * Requires:
- *
- * \li	'socket' is a valid socket.
- *
- * \li	'task' is NULL or is a valid task.
- *
- * \li	If 'how' is 'ISC_SOCKSHUT_RECV' or 'ISC_SOCKSHUT_ALL' then
- *
- *		The read queue must be empty.
- *
- *		No further read requests may be made.
- *
- * \li	If 'how' is 'ISC_SOCKSHUT_SEND' or 'ISC_SOCKSHUT_ALL' then
- *
- *		The write queue must be empty.
- *
- *		No further write requests may be made.
- */
-
-void
-isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
-/*%<
- * Attach *socketp to socket.
- *
- * Requires:
- *
- * \li	'socket' is a valid socket.
- *
- * \li	'socketp' points to a NULL socket.
- *
- * Ensures:
- *
- * \li	*socketp is attached to socket.
- */
-
-void
-isc_socket_detach(isc_socket_t **socketp);
-/*%<
- * Detach *socketp from its socket.
- *
- * Requires:
- *
- * \li	'socketp' points to a valid socket.
- *
- * \li	If '*socketp' is the last reference to the socket,
- *	then:
- *
- *		There must be no pending I/O requests.
- *
- * Ensures:
- *
- * \li	*socketp is NULL.
- *
- * \li	If '*socketp' is the last reference to the socket,
- *	then:
- *
- *		The socket will be shutdown (both reading and writing)
- *		for all tasks.
- *
- *		All resources used by the socket have been freed
- */
-
-isc_result_t
-isc_socket_open(isc_socket_t *sock);
-/*%<
- * Open a new socket file descriptor of the given socket structure.  It simply
- * opens a new descriptor; all of the other parameters including the socket
- * type are inherited from the existing socket.  This function is provided to
- * avoid overhead of destroying and creating sockets when many short-lived
- * sockets are frequently opened and closed.  When the efficiency is not an
- * issue, it should be safer to detach the unused socket and re-create a new
- * one.  This optimization may not be available for some systems, in which
- * case this function will return ISC_R_NOTIMPLEMENTED and must not be used.
- *
- * isc_socket_open() should not be called on sockets created by
- * isc_socket_fdwatchcreate().
- *
- * Requires:
- *
- * \li	there must be no other reference to this socket.
- *
- * \li	'socket' is a valid and previously closed by isc_socket_close()
- *
- * \li  'sock->type' is not isc_sockettype_fdwatch
- *
- * Returns:
- *	Same as isc_socket_create().
- * \li	ISC_R_NOTIMPLEMENTED
- */
-
-isc_result_t
-isc_socket_close(isc_socket_t *sock);
-/*%<
- * Close a socket file descriptor of the given socket structure.  This function
- * is provided as an alternative to destroying an unused socket when overhead
- * destroying/re-creating sockets can be significant, and is expected to be
- * used with isc_socket_open().  This optimization may not be available for some
- * systems, in which case this function will return ISC_R_NOTIMPLEMENTED and
- * must not be used.
- *
- * isc_socket_close() should not be called on sockets created by
- * isc_socket_fdwatchcreate().
- *
- * Requires:
- *
- * \li	The socket must have a valid descriptor.
- *
- * \li	There must be no other reference to this socket.
- *
- * \li	There must be no pending I/O requests.
- *
- * \li  'sock->type' is not isc_sockettype_fdwatch
- *
- * Returns:
- * \li	#ISC_R_NOTIMPLEMENTED
- */
-
-isc_result_t
-isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *addressp,
-		unsigned int options);
-/*%<
- * Bind 'socket' to '*addressp'.
- *
- * Requires:
- *
- * \li	'socket' is a valid socket
- *
- * \li	'addressp' points to a valid isc_sockaddr.
- *
- * Returns:
- *
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOPERM
- * \li	ISC_R_ADDRNOTAVAIL
- * \li	ISC_R_ADDRINUSE
- * \li	ISC_R_BOUND
- * \li	ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_filter(isc_socket_t *sock, const char *filter);
-/*%<
- * Inform the kernel that it should perform accept filtering.
- * If filter is NULL the current filter will be removed.:w
- */
-
-isc_result_t
-isc_socket_listen(isc_socket_t *sock, unsigned int backlog);
-/*%<
- * Set listen mode on the socket.  After this call, the only function that
- * can be used (other than attach and detach) is isc_socket_accept().
- *
- * Notes:
- *
- * \li	'backlog' is as in the UNIX system call listen() and may be
- *	ignored by non-UNIX implementations.
- *
- * \li	If 'backlog' is zero, a reasonable system default is used, usually
- *	SOMAXCONN.
- *
- * Requires:
- *
- * \li	'socket' is a valid, bound TCP socket or a valid, bound UNIX socket.
- *
- * Returns:
- *
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_accept(isc_socket_t *sock,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg);
-/*%<
- * Queue accept event.  When a new connection is received, the task will
- * get an ISC_SOCKEVENT_NEWCONN event with the sender set to the listen
- * socket.  The new socket structure is sent inside the isc_socket_newconnev_t
- * event type, and is attached to the task 'task'.
- *
- * REQUIRES:
- * \li	'socket' is a valid TCP socket that isc_socket_listen() was called
- *	on.
- *
- * \li	'task' is a valid task
- *
- * \li	'action' is a valid action
- *
- * RETURNS:
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOMEMORY
- * \li	ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addressp,
-		   isc_task_t *task, isc_taskaction_t action,
-		   const void *arg);
-/*%<
- * Connect 'socket' to peer with address *saddr.  When the connection
- * succeeds, or when an error occurs, a CONNECT event with action 'action'
- * and arg 'arg' will be posted to the event queue for 'task'.
- *
- * Requires:
- *
- * \li	'socket' is a valid TCP socket
- *
- * \li	'addressp' points to a valid isc_sockaddr
- *
- * \li	'task' is a valid task
- *
- * \li	'action' is a valid action
- *
- * Returns:
- *
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOMEMORY
- * \li	ISC_R_UNEXPECTED
- *
- * Posted event's result code:
- *
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_TIMEDOUT
- * \li	ISC_R_CONNREFUSED
- * \li	ISC_R_NETUNREACH
- * \li	ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
-/*%<
- * Get the name of the peer connected to 'socket'.
- *
- * Requires:
- *
- * \li	'socket' is a valid TCP socket.
- *
- * Returns:
- *
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_TOOSMALL
- * \li	ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
-/*%<
- * Get the name of 'socket'.
- *
- * Requires:
- *
- * \li	'socket' is a valid socket.
- *
- * Returns:
- *
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_TOOSMALL
- * \li	ISC_R_UNEXPECTED
- */
-
-/*@{*/
-isc_result_t
-isc_socket_recv(isc_socket_t *sock, isc_region_t *region,
-		unsigned int minimum,
-		isc_task_t *task, isc_taskaction_t action, const void *arg);
-isc_result_t
-isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		 unsigned int minimum,
-		 isc_task_t *task, isc_taskaction_t action, const void *arg);
-
-isc_result_t
-isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
-		 unsigned int minimum, isc_task_t *task,
-		 isc_socketevent_t *event, unsigned int flags);
-
-/*!
- * Receive from 'socket', storing the results in region.
- *
- * Notes:
- *
- *\li	Let 'length' refer to the length of 'region' or to the sum of all
- *	available regions in the list of buffers '*buflist'.
- *
- *\li	If 'minimum' is non-zero and at least that many bytes are read,
- *	the completion event will be posted to the task 'task.'  If minimum
- *	is zero, the exact number of bytes requested in the region must
- * 	be read for an event to be posted.  This only makes sense for TCP
- *	connections, and is always set to 1 byte for UDP.
- *
- *\li	The read will complete when the desired number of bytes have been
- *	read, if end-of-input occurs, or if an error occurs.  A read done
- *	event with the given 'action' and 'arg' will be posted to the
- *	event queue of 'task'.
- *
- *\li	The caller may not modify 'region', the buffers which are passed
- *	into this function, or any data they refer to until the completion
- *	event is received.
- *
- *\li	For isc_socket_recvv():
- *	On successful completion, '*buflist' will be empty, and the list of
- *	all buffers will be returned in the done event's 'bufferlist'
- *	member.  On error return, '*buflist' will be unchanged.
- *
- *\li	For isc_socket_recv2():
- *	'event' is not NULL, and the non-socket specific fields are
- *	expected to be initialized.
- *
- *\li	For isc_socket_recv2():
- *	The only defined value for 'flags' is ISC_SOCKFLAG_IMMEDIATE.  If
- *	set and the operation completes, the return value will be
- *	ISC_R_SUCCESS and the event will be filled in and not sent.  If the
- *	operation does not complete, the return value will be
- *	ISC_R_INPROGRESS and the event will be sent when the operation
- *	completes.
- *
- * Requires:
- *
- *\li	'socket' is a valid, bound socket.
- *
- *\li	For isc_socket_recv():
- *	'region' is a valid region
- *
- *\li	For isc_socket_recvv():
- *	'buflist' is non-NULL, and '*buflist' contain at least one buffer.
- *
- *\li	'task' is a valid task
- *
- *\li	For isc_socket_recv() and isc_socket_recvv():
- *	action != NULL and is a valid action
- *
- *\li	For isc_socket_recv2():
- *	event != NULL
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_INPROGRESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- *
- * Event results:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_UNEXPECTED
- *\li	XXX needs other net-type errors
- */
-/*@}*/
-
-/*@{*/
-isc_result_t
-isc_socket_send(isc_socket_t *sock, isc_region_t *region,
-		isc_task_t *task, isc_taskaction_t action, const void *arg);
-isc_result_t
-isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg,
-		  isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
-isc_result_t
-isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		 isc_task_t *task, isc_taskaction_t action, const void *arg);
-isc_result_t
-isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		   isc_task_t *task, isc_taskaction_t action, const void *arg,
-		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
-isc_result_t
-isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
-		   isc_task_t *task,
-		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
-		   isc_socketevent_t *event, unsigned int flags);
-
-/*!
- * Send the contents of 'region' to the socket's peer.
- *
- * Notes:
- *
- *\li	Shutting down the requestor's task *may* result in any
- *	still pending writes being dropped or completed, depending on the
- *	underlying OS implementation.
- *
- *\li	If 'action' is NULL, then no completion event will be posted.
- *
- *\li	The caller may not modify 'region', the buffers which are passed
- *	into this function, or any data they refer to until the completion
- *	event is received.
- *
- *\li	For isc_socket_sendv() and isc_socket_sendtov():
- *	On successful completion, '*buflist' will be empty, and the list of
- *	all buffers will be returned in the done event's 'bufferlist'
- *	member.  On error return, '*buflist' will be unchanged.
- *
- *\li	For isc_socket_sendto2():
- *	'event' is not NULL, and the non-socket specific fields are
- *	expected to be initialized.
- *
- *\li	For isc_socket_sendto2():
- *	The only defined values for 'flags' are ISC_SOCKFLAG_IMMEDIATE
- *	and ISC_SOCKFLAG_NORETRY.
- *
- *\li	If ISC_SOCKFLAG_IMMEDIATE is set and the operation completes, the
- *	return value will be ISC_R_SUCCESS and the event will be filled
- *	in and not sent.  If the operation does not complete, the return
- *	value will be ISC_R_INPROGRESS and the event will be sent when
- *	the operation completes.
- *
- *\li	ISC_SOCKFLAG_NORETRY can only be set for UDP sockets.  If set
- *	and the send operation fails due to a transient error, the send
- *	will not be retried and the error will be indicated in the event.
- *	Using this option along with ISC_SOCKFLAG_IMMEDIATE allows the caller
- *	to specify a region that is allocated on the stack.
- *
- * Requires:
- *
- *\li	'socket' is a valid, bound socket.
- *
- *\li	For isc_socket_send():
- *	'region' is a valid region
- *
- *\li	For isc_socket_sendv() and isc_socket_sendtov():
- *	'buflist' is non-NULL, and '*buflist' contain at least one buffer.
- *
- *\li	'task' is a valid task
- *
- *\li	For isc_socket_sendv(), isc_socket_sendtov(), isc_socket_send(), and
- *	isc_socket_sendto():
- *	action == NULL or is a valid action
- *
- *\li	For isc_socket_sendto2():
- *	event != NULL
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_INPROGRESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- *
- * Event results:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_UNEXPECTED
- *\li	XXX needs other net-type errors
- */
-/*@}*/
-
-isc_result_t
-isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
-			  isc_socketmgr_t **managerp);
-
-isc_result_t
-isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
-
-isc_result_t
-isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
-		      unsigned int maxsocks);
-/*%<
- * Create a socket manager.  If "maxsocks" is non-zero, it specifies the
- * maximum number of sockets that the created manager should handle.
- * isc_socketmgr_create() is equivalent of isc_socketmgr_create2() with
- * "maxsocks" being zero.
- * isc_socketmgr_createinctx() also associates the new manager with the
- * specified application context.
- *
- * Notes:
- *
- *\li	All memory will be allocated in memory context 'mctx'.
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	'managerp' points to a NULL isc_socketmgr_t.
- *
- *\li	'actx' is a valid application context (for createinctx()).
- *
- * Ensures:
- *
- *\li	'*managerp' is a valid isc_socketmgr_t.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- *\li	#ISC_R_NOTIMPLEMENTED
- */
-
-isc_result_t
-isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp);
-/*%<
- * Returns in "*nsockp" the maximum number of sockets this manager may open.
- *
- * Requires:
- *
- *\li	'*manager' is a valid isc_socketmgr_t.
- *\li	'nsockp' is not NULL.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOTIMPLEMENTED
- */
-
-void
-isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats);
-/*%<
- * Set a general socket statistics counter set 'stats' for 'manager'.
- *
- * Requires:
- * \li	'manager' is valid, hasn't opened any socket, and doesn't have
- *	stats already set.
- *
- *\li	stats is a valid statistics supporting socket statistics counters
- *	(see above).
- */
-
-void
-isc_socketmgr_destroy(isc_socketmgr_t **managerp);
-/*%<
- * Destroy a socket manager.
- *
- * Notes:
- *
- *\li	This routine blocks until there are no sockets left in the manager,
- *	so if the caller holds any socket references using the manager, it
- *	must detach them before calling isc_socketmgr_destroy() or it will
- *	block forever.
- *
- * Requires:
- *
- *\li	'*managerp' is a valid isc_socketmgr_t.
- *
- *\li	All sockets managed by this manager are fully detached.
- *
- * Ensures:
- *
- *\li	*managerp == NULL
- *
- *\li	All resources used by the manager have been freed.
- */
-
-isc_sockettype_t
-isc_socket_gettype(isc_socket_t *sock);
-/*%<
- * Returns the socket type for "sock."
- *
- * Requires:
- *
- *\li	"sock" is a valid socket.
- */
-
-/*@{*/
-isc_boolean_t
-isc_socket_isbound(isc_socket_t *sock);
-
-void
-isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes);
-/*%<
- * If the socket is an IPv6 socket set/clear the IPV6_IPV6ONLY socket
- * option if the host OS supports this option.
- *
- * Requires:
- *\li	'sock' is a valid socket.
- */
-/*@}*/
-
-void
-isc_socket_cleanunix(isc_sockaddr_t *addr, isc_boolean_t active);
-
-/*%<
- * Cleanup UNIX domain sockets in the file-system.  If 'active' is true
- * then just unlink the socket.  If 'active' is false try to determine
- * if there is a listener of the socket or not.  If no listener is found
- * then unlink socket.
- *
- * Prior to unlinking the path is tested to see if it a socket.
- *
- * Note: there are a number of race conditions which cannot be avoided
- *       both in the filesystem and any application using UNIX domain
- *	 sockets (e.g. socket is tested between bind() and listen(),
- *	 the socket is deleted and replaced in the file-system between
- *	 stat() and unlink()).
- */
-
-isc_result_t
-isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
-		    isc_uint32_t owner, isc_uint32_t group);
-/*%<
- * Set ownership and file permissions on the UNIX domain socket.
- *
- * Note: On Solaris and SunOS this secures the directory containing
- *       the socket as Solaris and SunOS do not honour the filesystem
- *	 permissions on the socket.
- *
- * Requires:
- * \li	'sockaddr' to be a valid UNIX domain sockaddr.
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_FAILURE
- */
-
-void isc_socket_setname(isc_socket_t *socket, const char *name, void *tag);
-/*%<
- * Set the name and optional tag for a socket.  This allows tracking of the
- * owner or purpose for this socket, and is useful for tracing and statistics
- * reporting.
- */
-
-const char *isc_socket_getname(isc_socket_t *socket);
-/*%<
- * Get the name associated with a socket, if any.
- */
-
-void *isc_socket_gettag(isc_socket_t *socket);
-/*%<
- * Get the tag associated with a socket, if any.
- */
-
-int isc_socket_getfd(isc_socket_t *socket);
-/*%<
- * Get the file descriptor associated with a socket
- */
-
-void
-isc__socketmgr_setreserved(isc_socketmgr_t *mgr, isc_uint32_t);
-/*%<
- * Temporary.  For use by named only.
- */
-
-void
-isc__socketmgr_maxudp(isc_socketmgr_t *mgr, int maxudp);
-/*%<
- * Test interface. Drop UDP packet > 'maxudp'.
- */
-
-#ifdef HAVE_LIBXML2
-
-int
-isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer);
-/*%<
- * Render internal statistics and other state into the XML document.
- */
-
-#endif /* HAVE_LIBXML2 */
-
-#ifdef USE_SOCKETIMPREGISTER
-/*%<
- * See isc_socketmgr_create() above.
- */
-typedef isc_result_t
-(*isc_socketmgrcreatefunc_t)(isc_mem_t *mctx, isc_socketmgr_t **managerp);
-
-isc_result_t
-isc_socket_register(isc_socketmgrcreatefunc_t createfunc);
-/*%<
- * Register a new socket I/O implementation and add it to the list of
- * supported implementations.  This function must be called when a different
- * event library is used than the one contained in the ISC library.
- */
-
-isc_result_t
-isc__socket_register(void);
-/*%<
- * A short cut function that specifies the socket I/O module in the ISC
- * library for isc_socket_register().  An application that uses the ISC library
- * usually do not have to care about this function: it would call
- * isc_lib_register(), which internally calls this function.
- */
-#endif /* USE_SOCKETIMPREGISTER */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SOCKET_H */
diff --git a/contrib/bind9/lib/isc/include/isc/stats.h b/contrib/bind9/lib/isc/include/isc/stats.h
deleted file mode 100644
index 682eefd..0000000
--- a/contrib/bind9/lib/isc/include/isc/stats.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_STATS_H
-#define ISC_STATS_H 1
-
-/*! \file isc/stats.h */
-
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*%<
- * Flag(s) for isc_stats_dump().
- */
-#define ISC_STATSDUMP_VERBOSE	0x00000001 /*%< dump 0-value counters */
-
-/*%<
- * Dump callback type.
- */
-typedef void (*isc_stats_dumper_t)(isc_statscounter_t, isc_uint64_t, void *);
-
-isc_result_t
-isc_stats_create(isc_mem_t *mctx, isc_stats_t **statsp, int ncounters);
-/*%<
- * Create a statistics counter structure of general type.  It counts a general
- * set of counters indexed by an ID between 0 and ncounters -1.
- *
- * Requires:
- *\li	'mctx' must be a valid memory context.
- *
- *\li	'statsp' != NULL && '*statsp' == NULL.
- *
- * Returns:
- *\li	ISC_R_SUCCESS	-- all ok
- *
- *\li	anything else	-- failure
- */
-
-void
-isc_stats_attach(isc_stats_t *stats, isc_stats_t **statsp);
-/*%<
- * Attach to a statistics set.
- *
- * Requires:
- *\li	'stats' is a valid isc_stats_t.
- *
- *\li	'statsp' != NULL && '*statsp' == NULL
- */
-
-void
-isc_stats_detach(isc_stats_t **statsp);
-/*%<
- * Detaches from the statistics set.
- *
- * Requires:
- *\li	'statsp' != NULL and '*statsp' is a valid isc_stats_t.
- */
-
-int
-isc_stats_ncounters(isc_stats_t *stats);
-/*%<
- * Returns the number of counters contained in stats.
- *
- * Requires:
- *\li	'stats' is a valid isc_stats_t.
- *
- */
-
-void
-isc_stats_increment(isc_stats_t *stats, isc_statscounter_t counter);
-/*%<
- * Increment the counter-th counter of stats.
- *
- * Requires:
- *\li	'stats' is a valid isc_stats_t.
- *
- *\li	counter is less than the maximum available ID for the stats specified
- *	on creation.
- */
-
-void
-isc_stats_decrement(isc_stats_t *stats, isc_statscounter_t counter);
-/*%<
- * Decrement the counter-th counter of stats.
- *
- * Requires:
- *\li	'stats' is a valid isc_stats_t.
- */
-
-void
-isc_stats_dump(isc_stats_t *stats, isc_stats_dumper_t dump_fn, void *arg,
-	       unsigned int options);
-/*%<
- * Dump the current statistics counters in a specified way.  For each counter
- * in stats, dump_fn is called with its current value and the given argument
- * arg.  By default counters that have a value of 0 is skipped; if options has
- * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
- *
- * Requires:
- *\li	'stats' is a valid isc_stats_t.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_STATS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/stdio.h b/contrib/bind9/lib/isc/include/isc/stdio.h
deleted file mode 100644
index 1a7ae64..0000000
--- a/contrib/bind9/lib/isc/include/isc/stdio.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdio.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_STDIO_H
-#define ISC_STDIO_H 1
-
-/*! \file isc/stdio.h */
-
-/*% 
- * These functions are wrappers around the corresponding stdio functions.
- *
- * They return a detailed error code in the form of an an isc_result_t.  ANSI C
- * does not guarantee that stdio functions set errno, hence these functions
- * must use platform dependent methods (e.g., the POSIX errno) to construct the
- * error code.
- */
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-/*% Open */
-isc_result_t
-isc_stdio_open(const char *filename, const char *mode, FILE **fp);
-
-/*% Close */
-isc_result_t
-isc_stdio_close(FILE *f);
-
-/*% Seek */
-isc_result_t
-isc_stdio_seek(FILE *f, long offset, int whence);
-
-/*% Read */
-isc_result_t
-isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f,
-	       size_t *nret);
-
-/*% Write */
-isc_result_t
-isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
-		size_t *nret);
-
-/*% Flush */
-isc_result_t
-isc_stdio_flush(FILE *f);
-
-isc_result_t
-isc_stdio_sync(FILE *f);
-/*%<
- * Invoke fsync() on the file descriptor underlying an stdio stream, or an
- * equivalent system-dependent operation.  Note that this function has no
- * direct counterpart in the stdio library.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_STDIO_H */
diff --git a/contrib/bind9/lib/isc/include/isc/stdlib.h b/contrib/bind9/lib/isc/include/isc/stdlib.h
deleted file mode 100644
index 02243f0..0000000
--- a/contrib/bind9/lib/isc/include/isc/stdlib.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdlib.h,v 1.8 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_STDLIB_H
-#define ISC_STDLIB_H 1
-
-/*! \file isc/stdlib.h */
-
-#include <stdlib.h>
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-#ifdef ISC_PLATFORM_NEEDSTRTOUL
-#define strtoul isc_strtoul
-#endif
-
-ISC_LANG_BEGINDECLS
-
-unsigned long isc_strtoul(const char *, char **, int);
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/lib/isc/include/isc/string.h b/contrib/bind9/lib/isc/include/isc/string.h
deleted file mode 100644
index b49fdbc..0000000
--- a/contrib/bind9/lib/isc/include/isc/string.h
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: string.h,v 1.23 2007/09/13 04:48:16 each Exp $ */
-
-#ifndef ISC_STRING_H
-#define ISC_STRING_H 1
-
-/*! \file isc/string.h */
-
-#include <isc/formatcheck.h>
-#include <isc/int.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#include <string.h>
-
-#ifdef ISC_PLATFORM_HAVESTRINGSH
-#include <strings.h>
-#endif
-
-#define ISC_STRING_MAGIC 0x5e
-
-ISC_LANG_BEGINDECLS
-
-isc_uint64_t
-isc_string_touint64(char *source, char **endp, int base);
-/*%<
- * Convert the string pointed to by 'source' to isc_uint64_t.
- *
- * On successful conversion 'endp' points to the first character
- * after conversion is complete.
- *
- * 'base': 0 or 2..36
- *
- * If base is 0 the base is computed from the string type.
- *
- * On error 'endp' points to 'source'.
- */
-
-isc_result_t
-isc_string_copy(char *target, size_t size, const char *source);
-/*
- * Copy the string pointed to by 'source' to 'target' which is a
- * pointer to a string of at least 'size' bytes.
- *
- * Requires:
- *	'target' is a pointer to a char[] of at least 'size' bytes.
- *	'size' an integer > 0.
- *	'source' == NULL or points to a NUL terminated string.
- *
- * Ensures:
- *	If result == ISC_R_SUCCESS
- *		'target' will be a NUL terminated string of no more
- *		than 'size' bytes (including NUL).
- *
- *	If result == ISC_R_NOSPACE
- *		'target' is undefined.
- *
- * Returns:
- *	ISC_R_SUCCESS  -- 'source' was successfully copied to 'target'.
- *	ISC_R_NOSPACE  -- 'source' could not be copied since 'target'
- *	                  is too small.
- */
-
-void
-isc_string_copy_truncate(char *target, size_t size, const char *source);
-/*
- * Copy the string pointed to by 'source' to 'target' which is a
- * pointer to a string of at least 'size' bytes.
- *
- * Requires:
- *	'target' is a pointer to a char[] of at least 'size' bytes.
- *	'size' an integer > 0.
- *	'source' == NULL or points to a NUL terminated string.
- *
- * Ensures:
- *	'target' will be a NUL terminated string of no more
- *	than 'size' bytes (including NUL).
- */
-
-isc_result_t
-isc_string_append(char *target, size_t size, const char *source);
-/*
- * Append the string pointed to by 'source' to 'target' which is a
- * pointer to a NUL terminated string of at least 'size' bytes.
- *
- * Requires:
- *	'target' is a pointer to a NUL terminated char[] of at
- *	least 'size' bytes.
- *	'size' an integer > 0.
- *	'source' == NULL or points to a NUL terminated string.
- *
- * Ensures:
- *	If result == ISC_R_SUCCESS
- *		'target' will be a NUL terminated string of no more
- *		than 'size' bytes (including NUL).
- *
- *	If result == ISC_R_NOSPACE
- *		'target' is undefined.
- *
- * Returns:
- *	ISC_R_SUCCESS  -- 'source' was successfully appended to 'target'.
- *	ISC_R_NOSPACE  -- 'source' could not be appended since 'target'
- *	                  is too small.
- */
-
-void
-isc_string_append_truncate(char *target, size_t size, const char *source);
-/*
- * Append the string pointed to by 'source' to 'target' which is a
- * pointer to a NUL terminated string of at least 'size' bytes.
- *
- * Requires:
- *	'target' is a pointer to a NUL terminated char[] of at
- *	least 'size' bytes.
- *	'size' an integer > 0.
- *	'source' == NULL or points to a NUL terminated string.
- *
- * Ensures:
- *	'target' will be a NUL terminated string of no more
- *	than 'size' bytes (including NUL).
- */
-
-isc_result_t
-isc_string_printf(char *target, size_t size, const char *format, ...)
-	ISC_FORMAT_PRINTF(3, 4);
-/*
- * Print 'format' to 'target' which is a pointer to a string of at least
- * 'size' bytes.
- *
- * Requires:
- *	'target' is a pointer to a char[] of at least 'size' bytes.
- *	'size' an integer > 0.
- *	'format' == NULL or points to a NUL terminated string.
- *
- * Ensures:
- *	If result == ISC_R_SUCCESS
- *		'target' will be a NUL terminated string of no more
- *		than 'size' bytes (including NUL).
- *
- *	If result == ISC_R_NOSPACE
- *		'target' is undefined.
- *
- * Returns:
- *	ISC_R_SUCCESS  -- 'format' was successfully printed to 'target'.
- *	ISC_R_NOSPACE  -- 'format' could not be printed to 'target' since it
- *	                  is too small.
- */
-
-void
-isc_string_printf_truncate(char *target, size_t size, const char *format, ...)
-	ISC_FORMAT_PRINTF(3, 4);
-/*
- * Print 'format' to 'target' which is a pointer to a string of at least
- * 'size' bytes.
- *
- * Requires:
- *	'target' is a pointer to a char[] of at least 'size' bytes.
- *	'size' an integer > 0.
- *	'format' == NULL or points to a NUL terminated string.
- *
- * Ensures:
- *	'target' will be a NUL terminated string of no more
- *	than 'size' bytes (including NUL).
- */
-
-
-char *
-isc_string_regiondup(isc_mem_t *mctx, const isc_region_t *source);
-/*
- * Copy the region pointed to by r to a NUL terminated string
- * allocated from the memory context pointed to by mctx.
- *
- * The result should be deallocated using isc_mem_free()
- *
- * Requires:
- *	'mctx' is a point to a valid memory context.
- *	'source' is a pointer to a valid region.
- *
- * Returns:
- *	a pointer to a NUL terminated string or
- *	NULL if memory for the copy could not be allocated
- *
- */
-
-char *
-isc_string_separate(char **stringp, const char *delim);
-
-#ifdef ISC_PLATFORM_NEEDSTRSEP
-#define strsep isc_string_separate
-#endif
-
-#ifdef ISC_PLATFORM_NEEDMEMMOVE
-#define memmove(a,b,c) bcopy(b,a,c)
-#endif
-
-size_t
-isc_string_strlcpy(char *dst, const char *src, size_t size);
-
-
-#ifdef ISC_PLATFORM_NEEDSTRLCPY
-#define strlcpy isc_string_strlcpy
-#endif
-
-
-size_t
-isc_string_strlcat(char *dst, const char *src, size_t size);
-
-#ifdef ISC_PLATFORM_NEEDSTRLCAT
-#define strlcat isc_string_strlcat
-#endif
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_STRING_H */
diff --git a/contrib/bind9/lib/isc/include/isc/symtab.h b/contrib/bind9/lib/isc/include/isc/symtab.h
deleted file mode 100644
index 9d0e5e2f..0000000
--- a/contrib/bind9/lib/isc/include/isc/symtab.h
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_SYMTAB_H
-#define ISC_SYMTAB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/symtab.h
- * \brief Provides a simple memory-based symbol table.
- *
- * Keys are C strings, and key comparisons are case-insensitive.  A type may
- * be specified when looking up, defining, or undefining.  A type value of
- * 0 means "match any type"; any other value will only match the given
- * type.
- *
- * It's possible that a client will attempt to define a <key, type, value>
- * tuple when a tuple with the given key and type already exists in the table.
- * What to do in this case is specified by the client.  Possible policies are:
- *
- *\li	#isc_symexists_reject	Disallow the define, returning #ISC_R_EXISTS
- *\li	#isc_symexists_replace	Replace the old value with the new.  The
- *				undefine action (if provided) will be called
- *				with the old <key, type, value> tuple.
- *\li	#isc_symexists_add	Add the new tuple, leaving the old tuple in
- *				the table.  Subsequent lookups will retrieve
- *				the most-recently-defined tuple.
- *
- * A lookup of a key using type 0 will return the most-recently defined
- * symbol with that key.  An undefine of a key using type 0 will undefine the
- * most-recently defined symbol with that key.  Trying to define a key with
- * type 0 is illegal.
- *
- * The symbol table library does not make a copy the key field, so the
- * caller must ensure that any key it passes to isc_symtab_define() will not
- * change until it calls isc_symtab_undefine() or isc_symtab_destroy().
- *
- * A user-specified action will be called (if provided) when a symbol is
- * undefined.  It can be used to free memory associated with keys and/or
- * values.
- *
- * A symbol table is implemented as a hash table of lists; the size of the
- * hash table is set by the 'size' parameter to isc_symtbl_create().  When
- * the number of entries in the symbol table reaches three quarters of this
- * value, the hash table is reallocated with size doubled, in order to
- * optimize lookup performance.  This has a negative effect on insertion
- * performance, which can be mitigated by sizing the table appropriately
- * when creating it.
- *
- * \li MP:
- *	The callers of this module must ensure any required synchronization.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	TBS
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	None.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*
- *** Symbol Tables.
- ***/
-/*% Symbol table value. */
-typedef union isc_symvalue {
-	void *				as_pointer;
-	const void *			as_cpointer;
-	int				as_integer;
-	unsigned int			as_uinteger;
-} isc_symvalue_t;
-
-typedef void (*isc_symtabaction_t)(char *key, unsigned int type,
-				   isc_symvalue_t value, void *userarg);
-/*% Symbol table exists. */
-typedef enum {
-	isc_symexists_reject = 0,	/*%< Disallow the define */
-	isc_symexists_replace = 1,	/*%< Replace the old value with the new */
-	isc_symexists_add = 2		/*%< Add the new tuple */
-} isc_symexists_t;
-
-ISC_LANG_BEGINDECLS
-
-/*% Create a symbol table. */
-isc_result_t
-isc_symtab_create(isc_mem_t *mctx, unsigned int size,
-		  isc_symtabaction_t undefine_action, void *undefine_arg,
-		  isc_boolean_t case_sensitive, isc_symtab_t **symtabp);
-
-/*% Destroy a symbol table. */
-void
-isc_symtab_destroy(isc_symtab_t **symtabp);
-
-/*% Lookup a symbol table. */
-isc_result_t
-isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
-		  isc_symvalue_t *value);
-
-/*% Define a symbol table. */
-isc_result_t
-isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
-		  isc_symvalue_t value, isc_symexists_t exists_policy);
-
-/*% Undefine a symbol table. */
-isc_result_t
-isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SYMTAB_H */
diff --git a/contrib/bind9/lib/isc/include/isc/task.h b/contrib/bind9/lib/isc/include/isc/task.h
deleted file mode 100644
index 7abf2ef..0000000
--- a/contrib/bind9/lib/isc/include/isc/task.h
+++ /dev/null
@@ -1,823 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_TASK_H
-#define ISC_TASK_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/task.h
- * \brief The task system provides a lightweight execution context, which is
- * basically an event queue.
-
- * When a task's event queue is non-empty, the
- * task is runnable.  A small work crew of threads, typically one per CPU,
- * execute runnable tasks by dispatching the events on the tasks' event
- * queues.  Context switching between tasks is fast.
- *
- * \li MP:
- *	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *	The caller must ensure that isc_taskmgr_destroy() is called only
- *	once for a given manager.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	TBS
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	None.
- *
- * \section purge Purging and Unsending
- *
- * Events which have been queued for a task but not delivered may be removed
- * from the task's event queue by purging or unsending.
- *
- * With both types, the caller specifies a matching pattern that selects
- * events based upon their sender, type, and tag.
- *
- * Purging calls isc_event_free() on the matching events.
- *
- * Unsending returns a list of events that matched the pattern.
- * The caller is then responsible for them.
- *
- * Consumers of events should purge, not unsend.
- *
- * Producers of events often want to remove events when the caller indicates
- * it is no longer interested in the object, e.g. by canceling a timer.
- * Sometimes this can be done by purging, but for some event types, the
- * calls to isc_event_free() cause deadlock because the event free routine
- * wants to acquire a lock the caller is already holding.  Unsending instead
- * of purging solves this problem.  As a general rule, producers should only
- * unsend events which they have sent.
- */
-
-
-/***
- *** Imports.
- ***/
-
-#include <isc/eventclass.h>
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-#include <isc/types.h>
-#include <isc/xml.h>
-
-#define ISC_TASKEVENT_FIRSTEVENT	(ISC_EVENTCLASS_TASK + 0)
-#define ISC_TASKEVENT_SHUTDOWN		(ISC_EVENTCLASS_TASK + 1)
-#define ISC_TASKEVENT_TEST		(ISC_EVENTCLASS_TASK + 1)
-#define ISC_TASKEVENT_LASTEVENT		(ISC_EVENTCLASS_TASK + 65535)
-
-/*****
- ***** Tasks.
- *****/
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-typedef enum {
-		isc_taskmgrmode_normal = 0,
-		isc_taskmgrmode_privileged
-} isc_taskmgrmode_t;
-
-/*% Task and task manager methods */
-typedef struct isc_taskmgrmethods {
-	void		(*destroy)(isc_taskmgr_t **managerp);
-	void		(*setmode)(isc_taskmgr_t *manager,
-				   isc_taskmgrmode_t mode);
-	isc_taskmgrmode_t (*mode)(isc_taskmgr_t *manager);
-	isc_result_t	(*taskcreate)(isc_taskmgr_t *manager,
-				      unsigned int quantum,
-				      isc_task_t **taskp);
-	void (*setexcltask)(isc_taskmgr_t *mgr, isc_task_t *task);
-	isc_result_t (*excltask)(isc_taskmgr_t *mgr, isc_task_t **taskp);
-} isc_taskmgrmethods_t;
-
-typedef struct isc_taskmethods {
-	void (*attach)(isc_task_t *source, isc_task_t **targetp);
-	void (*detach)(isc_task_t **taskp);
-	void (*destroy)(isc_task_t **taskp);
-	void (*send)(isc_task_t *task, isc_event_t **eventp);
-	void (*sendanddetach)(isc_task_t **taskp, isc_event_t **eventp);
-	unsigned int (*unsend)(isc_task_t *task, void *sender, isc_eventtype_t type,
-			       void *tag, isc_eventlist_t *events);
-	isc_result_t (*onshutdown)(isc_task_t *task, isc_taskaction_t action,
-				   const void *arg);
-	void (*shutdown)(isc_task_t *task);
-	void (*setname)(isc_task_t *task, const char *name, void *tag);
-	unsigned int (*purgeevents)(isc_task_t *task, void *sender,
-				    isc_eventtype_t type, void *tag);
-	unsigned int (*purgerange)(isc_task_t *task, void *sender,
-				   isc_eventtype_t first, isc_eventtype_t last,
-				   void *tag);
-	isc_result_t (*beginexclusive)(isc_task_t *task);
-	void (*endexclusive)(isc_task_t *task);
-    void (*setprivilege)(isc_task_t *task, isc_boolean_t priv);
-    isc_boolean_t (*privilege)(isc_task_t *task);
-} isc_taskmethods_t;
-
-/*%
- * This structure is actually just the common prefix of a task manager
- * object implementation's version of an isc_taskmgr_t.
- * \brief
- * Direct use of this structure by clients is forbidden.  task implementations
- * may change the structure.  'magic' must be ISCAPI_TASKMGR_MAGIC for any
- * of the isc_task_ routines to work.  task implementations must maintain
- * all task invariants.
- */
-struct isc_taskmgr {
-	unsigned int		impmagic;
-	unsigned int		magic;
-	isc_taskmgrmethods_t	*methods;
-};
-
-#define ISCAPI_TASKMGR_MAGIC	ISC_MAGIC('A','t','m','g')
-#define ISCAPI_TASKMGR_VALID(m)	((m) != NULL && \
-				 (m)->magic == ISCAPI_TASKMGR_MAGIC)
-
-/*%
- * This is the common prefix of a task object.  The same note as
- * that for the taskmgr structure applies.
- */
-struct isc_task {
-	unsigned int		impmagic;
-	unsigned int		magic;
-	isc_taskmethods_t	*methods;
-};
-
-#define ISCAPI_TASK_MAGIC	ISC_MAGIC('A','t','s','t')
-#define ISCAPI_TASK_VALID(s)	((s) != NULL && \
-				 (s)->magic == ISCAPI_TASK_MAGIC)
-
-isc_result_t
-isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
-		isc_task_t **taskp);
-/*%<
- * Create a task.
- *
- * Notes:
- *
- *\li	If 'quantum' is non-zero, then only that many events can be dispatched
- *	before the task must yield to other tasks waiting to execute.  If
- *	quantum is zero, then the default quantum of the task manager will
- *	be used.
- *
- *\li	The 'quantum' option may be removed from isc_task_create() in the
- *	future.  If this happens, isc_task_getquantum() and
- *	isc_task_setquantum() will be provided.
- *
- * Requires:
- *
- *\li	'manager' is a valid task manager.
- *
- *\li	taskp != NULL && *taskp == NULL
- *
- * Ensures:
- *
- *\li	On success, '*taskp' is bound to the new task.
- *
- * Returns:
- *
- *\li   #ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- *\li	#ISC_R_SHUTTINGDOWN
- */
-
-void
-isc_task_attach(isc_task_t *source, isc_task_t **targetp);
-/*%<
- * Attach *targetp to source.
- *
- * Requires:
- *
- *\li	'source' is a valid task.
- *
- *\li	'targetp' points to a NULL isc_task_t *.
- *
- * Ensures:
- *
- *\li	*targetp is attached to source.
- */
-
-void
-isc_task_detach(isc_task_t **taskp);
-/*%<
- * Detach *taskp from its task.
- *
- * Requires:
- *
- *\li	'*taskp' is a valid task.
- *
- * Ensures:
- *
- *\li	*taskp is NULL.
- *
- *\li	If '*taskp' is the last reference to the task, the task is idle (has
- *	an empty event queue), and has not been shutdown, the task will be
- *	shutdown.
- *
- *\li	If '*taskp' is the last reference to the task and
- *	the task has been shutdown,
- *		all resources used by the task will be freed.
- */
-
-void
-isc_task_send(isc_task_t *task, isc_event_t **eventp);
-/*%<
- * Send '*event' to 'task'.
- *
- * Requires:
- *
- *\li	'task' is a valid task.
- *\li	eventp != NULL && *eventp != NULL.
- *
- * Ensures:
- *
- *\li	*eventp == NULL.
- */
-
-void
-isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
-/*%<
- * Send '*event' to '*taskp' and then detach '*taskp' from its
- * task.
- *
- * Requires:
- *
- *\li	'*taskp' is a valid task.
- *\li	eventp != NULL && *eventp != NULL.
- *
- * Ensures:
- *
- *\li	*eventp == NULL.
- *
- *\li	*taskp == NULL.
- *
- *\li	If '*taskp' is the last reference to the task, the task is
- *	idle (has an empty event queue), and has not been shutdown,
- *	the task will be shutdown.
- *
- *\li	If '*taskp' is the last reference to the task and
- *	the task has been shutdown,
- *		all resources used by the task will be freed.
- */
-
-
-unsigned int
-isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
-		    isc_eventtype_t last, void *tag);
-/*%<
- * Purge events from a task's event queue.
- *
- * Requires:
- *
- *\li	'task' is a valid task.
- *
- *\li	last >= first
- *
- * Ensures:
- *
- *\li	Events in the event queue of 'task' whose sender is 'sender', whose
- *	type is >= first and <= last, and whose tag is 'tag' will be purged,
- *	unless they are marked as unpurgable.
- *
- *\li	A sender of NULL will match any sender.  A NULL tag matches any
- *	tag.
- *
- * Returns:
- *
- *\li	The number of events purged.
- */
-
-unsigned int
-isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
-	       void *tag);
-/*%<
- * Purge events from a task's event queue.
- *
- * Notes:
- *
- *\li	This function is equivalent to
- *
- *\code
- *		isc_task_purgerange(task, sender, type, type, tag);
- *\endcode
- *
- * Requires:
- *
- *\li	'task' is a valid task.
- *
- * Ensures:
- *
- *\li	Events in the event queue of 'task' whose sender is 'sender', whose
- *	type is 'type', and whose tag is 'tag' will be purged, unless they
- *	are marked as unpurgable.
- *
- *\li	A sender of NULL will match any sender.  A NULL tag matches any
- *	tag.
- *
- * Returns:
- *
- *\li	The number of events purged.
- */
-
-isc_boolean_t
-isc_task_purgeevent(isc_task_t *task, isc_event_t *event);
-/*%<
- * Purge 'event' from a task's event queue.
- *
- * XXXRTH:  WARNING:  This method may be removed before beta.
- *
- * Notes:
- *
- *\li	If 'event' is on the task's event queue, it will be purged,
- * 	unless it is marked as unpurgeable.  'event' does not have to be
- *	on the task's event queue; in fact, it can even be an invalid
- *	pointer.  Purging only occurs if the event is actually on the task's
- *	event queue.
- *
- * \li	Purging never changes the state of the task.
- *
- * Requires:
- *
- *\li	'task' is a valid task.
- *
- * Ensures:
- *
- *\li	'event' is not in the event queue for 'task'.
- *
- * Returns:
- *
- *\li	#ISC_TRUE			The event was purged.
- *\li	#ISC_FALSE			The event was not in the event queue,
- *					or was marked unpurgeable.
- */
-
-unsigned int
-isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
-		     isc_eventtype_t last, void *tag, isc_eventlist_t *events);
-/*%<
- * Remove events from a task's event queue.
- *
- * Requires:
- *
- *\li	'task' is a valid task.
- *
- *\li	last >= first.
- *
- *\li	*events is a valid list.
- *
- * Ensures:
- *
- *\li	Events in the event queue of 'task' whose sender is 'sender', whose
- *	type is >= first and <= last, and whose tag is 'tag' will be dequeued
- *	and appended to *events.
- *
- *\li	A sender of NULL will match any sender.  A NULL tag matches any
- *	tag.
- *
- * Returns:
- *
- *\li	The number of events unsent.
- */
-
-unsigned int
-isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
-		void *tag, isc_eventlist_t *events);
-/*%<
- * Remove events from a task's event queue.
- *
- * Notes:
- *
- *\li	This function is equivalent to
- *
- *\code
- *		isc_task_unsendrange(task, sender, type, type, tag, events);
- *\endcode
- *
- * Requires:
- *
- *\li	'task' is a valid task.
- *
- *\li	*events is a valid list.
- *
- * Ensures:
- *
- *\li	Events in the event queue of 'task' whose sender is 'sender', whose
- *	type is 'type', and whose tag is 'tag' will be dequeued and appended
- *	to *events.
- *
- * Returns:
- *
- *\li	The number of events unsent.
- */
-
-isc_result_t
-isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action,
-		    const void *arg);
-/*%<
- * Send a shutdown event with action 'action' and argument 'arg' when
- * 'task' is shutdown.
- *
- * Notes:
- *
- *\li	Shutdown events are posted in LIFO order.
- *
- * Requires:
- *
- *\li	'task' is a valid task.
- *
- *\li	'action' is a valid task action.
- *
- * Ensures:
- *
- *\li	When the task is shutdown, shutdown events requested with
- *	isc_task_onshutdown() will be appended to the task's event queue.
- *
-
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_TASKSHUTTINGDOWN			Task is shutting down.
- */
-
-void
-isc_task_shutdown(isc_task_t *task);
-/*%<
- * Shutdown 'task'.
- *
- * Notes:
- *
- *\li	Shutting down a task causes any shutdown events requested with
- *	isc_task_onshutdown() to be posted (in LIFO order).  The task
- *	moves into a "shutting down" mode which prevents further calls
- *	to isc_task_onshutdown().
- *
- *\li	Trying to shutdown a task that has already been shutdown has no
- *	effect.
- *
- * Requires:
- *
- *\li	'task' is a valid task.
- *
- * Ensures:
- *
- *\li	Any shutdown events requested with isc_task_onshutdown() have been
- *	posted (in LIFO order).
- */
-
-void
-isc_task_destroy(isc_task_t **taskp);
-/*%<
- * Destroy '*taskp'.
- *
- * Notes:
- *
- *\li	This call is equivalent to:
- *
- *\code
- *		isc_task_shutdown(*taskp);
- *		isc_task_detach(taskp);
- *\endcode
- *
- * Requires:
- *
- *	'*taskp' is a valid task.
- *
- * Ensures:
- *
- *\li	Any shutdown events requested with isc_task_onshutdown() have been
- *	posted (in LIFO order).
- *
- *\li	*taskp == NULL
- *
- *\li	If '*taskp' is the last reference to the task,
- *		all resources used by the task will be freed.
- */
-
-void
-isc_task_setname(isc_task_t *task, const char *name, void *tag);
-/*%<
- * Name 'task'.
- *
- * Notes:
- *
- *\li	Only the first 15 characters of 'name' will be copied.
- *
- *\li	Naming a task is currently only useful for debugging purposes.
- *
- * Requires:
- *
- *\li	'task' is a valid task.
- */
-
-const char *
-isc_task_getname(isc_task_t *task);
-/*%<
- * Get the name of 'task', as previously set using isc_task_setname().
- *
- * Notes:
- *\li	This function is for debugging purposes only.
- *
- * Requires:
- *\li	'task' is a valid task.
- *
- * Returns:
- *\li	A non-NULL pointer to a null-terminated string.
- * 	If the task has not been named, the string is
- * 	empty.
- *
- */
-
-void *
-isc_task_gettag(isc_task_t *task);
-/*%<
- * Get the tag value for  'task', as previously set using isc_task_settag().
- *
- * Notes:
- *\li	This function is for debugging purposes only.
- *
- * Requires:
- *\li	'task' is a valid task.
- */
-
-isc_result_t
-isc_task_beginexclusive(isc_task_t *task);
-/*%<
- * Request exclusive access for 'task', which must be the calling
- * task.  Waits for any other concurrently executing tasks to finish their
- * current event, and prevents any new events from executing in any of the
- * tasks sharing a task manager with 'task'.
- *
- * The exclusive access must be relinquished by calling
- * isc_task_endexclusive() before returning from the current event handler.
- *
- * Requires:
- *\li	'task' is the calling task.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		The current task now has exclusive access.
- *\li	#ISC_R_LOCKBUSY		Another task has already requested exclusive
- *				access.
- */
-
-void
-isc_task_endexclusive(isc_task_t *task);
-/*%<
- * Relinquish the exclusive access obtained by isc_task_beginexclusive(),
- * allowing other tasks to execute.
- *
- * Requires:
- *\li	'task' is the calling task, and has obtained
- *		exclusive access by calling isc_task_spl().
- */
-
-void
-isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t);
-/*%<
- * Provide the most recent timestamp on the task.  The timestamp is considered
- * as the "current time" in the second-order granularity.
- *
- * Requires:
- *\li	'task' is a valid task.
- *\li	't' is a valid non NULL pointer.
- *
- * Ensures:
- *\li	'*t' has the "current time".
- */
-
-isc_boolean_t
-isc_task_exiting(isc_task_t *t);
-/*%<
- * Returns ISC_TRUE if the task is in the process of shutting down,
- * ISC_FALSE otherwise.
- *
- * Requires:
- *\li	'task' is a valid task.
- */
-
-void
-isc_task_setprivilege(isc_task_t *task, isc_boolean_t priv);
-/*%<
- * Set or unset the task's "privileged" flag depending on the value of
- * 'priv'.
- *
- * Under normal circumstances this flag has no effect on the task behavior,
- * but when the task manager has been set to privileged exeuction mode via
- * isc_taskmgr_setmode(), only tasks with the flag set will be executed,
- * and all other tasks will wait until they're done.  Once all privileged
- * tasks have finished executing, the task manager will automatically
- * return to normal execution mode and nonprivileged task can resume.
- *
- * Requires:
- *\li	'task' is a valid task.
- */
-
-isc_boolean_t
-isc_task_privilege(isc_task_t *task);
-/*%<
- * Returns the current value of the task's privilege flag.
- *
- * Requires:
- *\li	'task' is a valid task.
- */
-
-/*****
- ***** Task Manager.
- *****/
-
-isc_result_t
-isc_taskmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
-			unsigned int workers, unsigned int default_quantum,
-			isc_taskmgr_t **managerp);
-isc_result_t
-isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
-		   unsigned int default_quantum, isc_taskmgr_t **managerp);
-/*%<
- * Create a new task manager.  isc_taskmgr_createinctx() also associates
- * the new manager with the specified application context.
- *
- * Notes:
- *
- *\li	'workers' in the number of worker threads to create.  In general,
- *	the value should be close to the number of processors in the system.
- *	The 'workers' value is advisory only.  An attempt will be made to
- *	create 'workers' threads, but if at least one thread creation
- *	succeeds, isc_taskmgr_create() may return ISC_R_SUCCESS.
- *
- *\li	If 'default_quantum' is non-zero, then it will be used as the default
- *	quantum value when tasks are created.  If zero, then an implementation
- *	defined default quantum will be used.
- *
- * Requires:
- *
- *\li      'mctx' is a valid memory context.
- *
- *\li	workers > 0
- *
- *\li	managerp != NULL && *managerp == NULL
- *
- *\li	'actx' is a valid application context (for createinctx()).
- *
- * Ensures:
- *
- *\li	On success, '*managerp' will be attached to the newly created task
- *	manager.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_NOTHREADS		No threads could be created.
- *\li	#ISC_R_UNEXPECTED		An unexpected error occurred.
- *\li	#ISC_R_SHUTTINGDOWN      	The non-threaded, shared, task
- *					manager shutting down.
- */
-
-void
-isc_taskmgr_setmode(isc_taskmgr_t *manager, isc_taskmgrmode_t mode);
-
-isc_taskmgrmode_t
-isc_taskmgr_mode(isc_taskmgr_t *manager);
-/*%<
- * Set/get the current operating mode of the task manager.  Valid modes are:
- *
- *\li  isc_taskmgrmode_normal
- *\li  isc_taskmgrmode_privileged
- *
- * In privileged execution mode, only tasks that have had the "privilege"
- * flag set via isc_task_setprivilege() can be executed.  When all such
- * tasks are complete, the manager automatically returns to normal mode
- * and proceeds with running non-privileged ready tasks.  This means it is
- * necessary to have at least one privileged task waiting on the ready
- * queue *before* setting the manager into privileged execution mode,
- * which in turn means the task which calls this function should be in
- * task-exclusive mode when it does so.
- *
- * Requires:
- *
- *\li      'manager' is a valid task manager.
- */
-
-void
-isc_taskmgr_destroy(isc_taskmgr_t **managerp);
-/*%<
- * Destroy '*managerp'.
- *
- * Notes:
- *
- *\li	Calling isc_taskmgr_destroy() will shutdown all tasks managed by
- *	*managerp that haven't already been shutdown.  The call will block
- *	until all tasks have entered the done state.
- *
- *\li	isc_taskmgr_destroy() must not be called by a task event action,
- *	because it would block forever waiting for the event action to
- *	complete.  An event action that wants to cause task manager shutdown
- *	should request some non-event action thread of execution to do the
- *	shutdown, e.g. by signaling a condition variable or using
- *	isc_app_shutdown().
- *
- *\li	Task manager references are not reference counted, so the caller
- *	must ensure that no attempt will be made to use the manager after
- *	isc_taskmgr_destroy() returns.
- *
- * Requires:
- *
- *\li	'*managerp' is a valid task manager.
- *
- *\li	isc_taskmgr_destroy() has not be called previously on '*managerp'.
- *
- * Ensures:
- *
- *\li	All resources used by the task manager, and any tasks it managed,
- *	have been freed.
- */
-
-void
-isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task);
-/*%<
- * Set a task which will be used for all task-exclusive operations.
- *
- * Requires:
- *\li	'manager' is a valid task manager.
- *
- *\li	'task' is a valid task.
- */
-
-isc_result_t
-isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp);
-/*%<
- * Attach '*taskp' to the task set by isc_taskmgr_getexcltask().
- * This task should be used whenever running in task-exclusive mode,
- * so as to prevent deadlock between two exclusive tasks.
- *
- * Requires:
- *\li	'manager' is a valid task manager.
-
- *\li	taskp != NULL && *taskp == NULL
- */
-
-
-#ifdef HAVE_LIBXML2
-
-int
-isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer);
-
-#endif
-
-/*%<
- * See isc_taskmgr_create() above.
- */
-typedef isc_result_t
-(*isc_taskmgrcreatefunc_t)(isc_mem_t *mctx, unsigned int workers,
-			   unsigned int default_quantum,
-			   isc_taskmgr_t **managerp);
-
-isc_result_t
-isc_task_register(isc_taskmgrcreatefunc_t createfunc);
-/*%<
- * Register a new task management implementation and add it to the list of
- * supported implementations.  This function must be called when a different
- * event library is used than the one contained in the ISC library.
- */
-
-isc_result_t
-isc__task_register(void);
-/*%<
- * A short cut function that specifies the task management module in the ISC
- * library for isc_task_register().  An application that uses the ISC library
- * usually do not have to care about this function: it would call
- * isc_lib_register(), which internally calls this function.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_TASK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/taskpool.h b/contrib/bind9/lib/isc/include/isc/taskpool.h
deleted file mode 100644
index 46f395e..0000000
--- a/contrib/bind9/lib/isc/include/isc/taskpool.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_TASKPOOL_H
-#define ISC_TASKPOOL_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/taskpool.h
- * \brief A task pool is a mechanism for sharing a small number of tasks
- * among a large number of objects such that each object is
- * assigned a unique task, but each task may be shared by several
- * objects.
- *
- * Task pools are used to let objects that can exist in large
- * numbers (e.g., zones) use tasks for synchronization without
- * the memory overhead and unfair scheduling competition that
- * could result from creating a separate task for each object.
- */
-
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isc/task.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types.
- *****/
-
-typedef struct isc_taskpool isc_taskpool_t;
-
-/*****
- ***** Functions.
- *****/
-
-isc_result_t
-isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
-		    unsigned int ntasks, unsigned int quantum,
-		    isc_taskpool_t **poolp);
-/*%<
- * Create a task pool of "ntasks" tasks, each with quantum
- * "quantum".
- *
- * Requires:
- *
- *\li	'tmgr' is a valid task manager.
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	poolp != NULL && *poolp == NULL
- *
- * Ensures:
- *
- *\li	On success, '*taskp' points to the new task pool.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_UNEXPECTED
- */
-
-void
-isc_taskpool_gettask(isc_taskpool_t *pool, isc_task_t **targetp);
-/*%<
- * Attach to a task from the pool.  Currently the next task is chosen
- * from the pool at random.  (This may be changed in the future to
- * something that guaratees balance.)
- */
-
-int
-isc_taskpool_size(isc_taskpool_t *pool);
-/*%<
- * Returns the number of tasks in the task pool 'pool'.
- */
-
-isc_result_t
-isc_taskpool_expand(isc_taskpool_t **sourcep, unsigned int size,
-					isc_taskpool_t **targetp);
-
-/*%<
- * If 'size' is larger than the number of tasks in the pool pointed to by
- * 'sourcep', then a new taskpool of size 'size' is allocated, the existing
- * tasks from are moved into it, additional tasks are created to bring the
- * total number up to 'size', and the resulting pool is attached to
- * 'targetp'.
- *
- * If 'size' is less than or equal to the tasks in pool 'source', then
- * 'sourcep' is attached to 'targetp' without any other action being taken.
- *
- * In either case, 'sourcep' is detached.
- *
- * Requires:
- *
- * \li	'sourcep' is not NULL and '*source' is not NULL
- * \li	'targetp' is not NULL and '*source' is NULL
- *
- * Ensures:
- *
- * \li	On success, '*targetp' points to a valid task pool.
- * \li	On success, '*sourcep' points to NULL.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOMEMORY
- */
-
-void
-isc_taskpool_destroy(isc_taskpool_t **poolp);
-/*%<
- * Destroy a task pool.  The tasks in the pool are detached but not
- * shut down.
- *
- * Requires:
- * \li	'*poolp' is a valid task pool.
- */
-
-void
-isc_taskpool_setprivilege(isc_taskpool_t *pool, isc_boolean_t priv);
-/*%<
- * Set the privilege flag on all tasks in 'pool' to 'priv'.  If 'priv' is
- * true, then when the task manager is set into privileged mode, only
- * tasks wihin this pool will be able to execute.  (Note:  It is important
- * to turn the pool tasks' privilege back off before the last task finishes
- * executing.)
- *
- * Requires:
- * \li	'pool' is a valid task pool.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_TASKPOOL_H */
diff --git a/contrib/bind9/lib/isc/include/isc/timer.h b/contrib/bind9/lib/isc/include/isc/timer.h
deleted file mode 100644
index 0598f79..0000000
--- a/contrib/bind9/lib/isc/include/isc/timer.h
+++ /dev/null
@@ -1,432 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer.h,v 1.43 2009/09/02 23:48:03 tbox Exp $ */
-
-#ifndef ISC_TIMER_H
-#define ISC_TIMER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isc/timer.h
- * \brief Provides timers which are event sources in the task system.
- *
- * Three types of timers are supported:
- *
- *\li	'ticker' timers generate a periodic tick event.
- *
- *\li	'once' timers generate an idle timeout event if they are idle for too
- *	long, and generate a life timeout event if their lifetime expires.
- *	They are used to implement both (possibly expiring) idle timers and
- *	'one-shot' timers.
- *
- *\li	'limited' timers generate a periodic tick event until they reach
- *	their lifetime when they generate a life timeout event.
- *
- *\li	'inactive' timers generate no events.
- *
- * Timers can change type.  It is typical to create a timer as
- * an 'inactive' timer and then change it into a 'ticker' or
- * 'once' timer.
- *
- *\li MP:
- *	The module ensures appropriate synchronization of data structures it
- *	creates and manipulates.
- *	Clients of this module must not be holding a timer's task's lock when
- *	making a call that affects that timer.  Failure to follow this rule
- *	can result in deadlock.
- *	The caller must ensure that isc_timermgr_destroy() is called only
- *	once for a given manager.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	TBS
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	None.
- */
-
-
-/***
- *** Imports
- ***/
-
-#include <isc/types.h>
-#include <isc/event.h>
-#include <isc/eventclass.h>
-#include <isc/lang.h>
-#include <isc/time.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-/*% Timer Type */
-typedef enum {
-	isc_timertype_ticker = 0, 	/*%< Ticker */
-	isc_timertype_once = 1, 	/*%< Once */
-	isc_timertype_limited = 2, 	/*%< Limited */
-	isc_timertype_inactive = 3 	/*%< Inactive */
-} isc_timertype_t;
-
-typedef struct isc_timerevent {
-	struct isc_event	common;
-	isc_time_t		due;
-} isc_timerevent_t;
-
-#define ISC_TIMEREVENT_FIRSTEVENT	(ISC_EVENTCLASS_TIMER + 0)
-#define ISC_TIMEREVENT_TICK		(ISC_EVENTCLASS_TIMER + 1)
-#define ISC_TIMEREVENT_IDLE		(ISC_EVENTCLASS_TIMER + 2)
-#define ISC_TIMEREVENT_LIFE		(ISC_EVENTCLASS_TIMER + 3)
-#define ISC_TIMEREVENT_LASTEVENT	(ISC_EVENTCLASS_TIMER + 65535)
-
-/*% Timer and timer manager methods */
-typedef struct {
-	void		(*destroy)(isc_timermgr_t **managerp);
-	isc_result_t	(*timercreate)(isc_timermgr_t *manager,
-				       isc_timertype_t type,
-				       const isc_time_t *expires,
-				       const isc_interval_t *interval,
-				       isc_task_t *task,
-				       isc_taskaction_t action,
-				       const void *arg,
-				       isc_timer_t **timerp);
-} isc_timermgrmethods_t;
-
-typedef struct {
-	void		(*attach)(isc_timer_t *timer, isc_timer_t **timerp);
-	void		(*detach)(isc_timer_t **timerp);
-	isc_result_t	(*reset)(isc_timer_t *timer, isc_timertype_t type,
-				 const isc_time_t *expires,
-				 const isc_interval_t *interval,
-				 isc_boolean_t purge);
-	isc_result_t	(*touch)(isc_timer_t *timer);
-} isc_timermethods_t;
-
-/*%
- * This structure is actually just the common prefix of a timer manager
- * object implementation's version of an isc_timermgr_t.
- * \brief
- * Direct use of this structure by clients is forbidden.  timer implementations
- * may change the structure.  'magic' must be ISCAPI_TIMERMGR_MAGIC for any
- * of the isc_timer_ routines to work.  timer implementations must maintain
- * all timer invariants.
- */
-struct isc_timermgr {
-	unsigned int		impmagic;
-	unsigned int		magic;
-	isc_timermgrmethods_t	*methods;
-};
-
-#define ISCAPI_TIMERMGR_MAGIC		ISC_MAGIC('A','t','m','g')
-#define ISCAPI_TIMERMGR_VALID(m)	((m) != NULL && \
-					 (m)->magic == ISCAPI_TIMERMGR_MAGIC)
-
-/*%
- * This is the common prefix of a timer object.  The same note as
- * that for the timermgr structure applies.
- */
-struct isc_timer {
-	unsigned int		impmagic;
-	unsigned int		magic;
-	isc_timermethods_t	*methods;
-};
-
-#define ISCAPI_TIMER_MAGIC	ISC_MAGIC('A','t','m','r')
-#define ISCAPI_TIMER_VALID(s)	((s) != NULL && \
-				 (s)->magic == ISCAPI_TIMER_MAGIC)
-
-/***
- *** Timer and Timer Manager Functions
- ***
- *** Note: all Ensures conditions apply only if the result is success for
- *** those functions which return an isc_result_t.
- ***/
-
-isc_result_t
-isc_timer_create(isc_timermgr_t *manager,
-		 isc_timertype_t type,
-		 const isc_time_t *expires,
-		 const isc_interval_t *interval,
-		 isc_task_t *task,
-		 isc_taskaction_t action,
-		 const void *arg,
-		 isc_timer_t **timerp);
-/*%<
- * Create a new 'type' timer managed by 'manager'.  The timers parameters
- * are specified by 'expires' and 'interval'.  Events will be posted to
- * 'task' and when dispatched 'action' will be called with 'arg' as the
- * arg value.  The new timer is returned in 'timerp'.
- *
- * Notes:
- *
- *\li	For ticker timers, the timer will generate a 'tick' event every
- *	'interval' seconds.  The value of 'expires' is ignored.
- *
- *\li	For once timers, 'expires' specifies the time when a life timeout
- *	event should be generated.  If 'expires' is 0 (the epoch), then no life
- *	timeout will be generated.  'interval' specifies how long the timer
- *	can be idle before it generates an idle timeout.  If 0, then no
- *	idle timeout will be generated.
- *
- *\li	If 'expires' is NULL, the epoch will be used.
- *
- *	If 'interval' is NULL, the zero interval will be used.
- *
- * Requires:
- *
- *\li	'manager' is a valid manager
- *
- *\li	'task' is a valid task
- *
- *\li	'action' is a valid action
- *
- *\li	'expires' points to a valid time, or is NULL.
- *
- *\li	'interval' points to a valid interval, or is NULL.
- *
- *\li	type == isc_timertype_inactive ||
- *	('expires' and 'interval' are not both 0)
- *
- *\li	'timerp' is a valid pointer, and *timerp == NULL
- *
- * Ensures:
- *
- *\li	'*timerp' is attached to the newly created timer
- *
- *\li	The timer is attached to the task
- *
- *\li	An idle timeout will not be generated until at least Now + the
- *	timer's interval if 'timer' is a once timer with a non-zero
- *	interval.
- *
- * Returns:
- *
- *\li	Success
- *\li	No memory
- *\li	Unexpected error
- */
-
-isc_result_t
-isc_timer_reset(isc_timer_t *timer,
-		isc_timertype_t type,
-		const isc_time_t *expires,
-		const isc_interval_t *interval,
-		isc_boolean_t purge);
-/*%<
- * Change the timer's type, expires, and interval values to the given
- * values.  If 'purge' is TRUE, any pending events from this timer
- * are purged from its task's event queue.
- *
- * Notes:
- *
- *\li	If 'expires' is NULL, the epoch will be used.
- *
- *\li	If 'interval' is NULL, the zero interval will be used.
- *
- * Requires:
- *
- *\li	'timer' is a valid timer
- *
- *\li	The same requirements that isc_timer_create() imposes on 'type',
- *	'expires' and 'interval' apply.
- *
- * Ensures:
- *
- *\li	An idle timeout will not be generated until at least Now + the
- *	timer's interval if 'timer' is a once timer with a non-zero
- *	interval.
- *
- * Returns:
- *
- *\li	Success
- *\li	No memory
- *\li	Unexpected error
- */
-
-isc_result_t
-isc_timer_touch(isc_timer_t *timer);
-/*%<
- * Set the last-touched time of 'timer' to the current time.
- *
- * Requires:
- *
- *\li	'timer' is a valid once timer.
- *
- * Ensures:
- *
- *\li	An idle timeout will not be generated until at least Now + the
- *	timer's interval if 'timer' is a once timer with a non-zero
- *	interval.
- *
- * Returns:
- *
- *\li	Success
- *\li	Unexpected error
- */
-
-void
-isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp);
-/*%<
- * Attach *timerp to timer.
- *
- * Requires:
- *
- *\li	'timer' is a valid timer.
- *
- *\li	'timerp' points to a NULL timer.
- *
- * Ensures:
- *
- *\li	*timerp is attached to timer.
- */
-
-void
-isc_timer_detach(isc_timer_t **timerp);
-/*%<
- * Detach *timerp from its timer.
- *
- * Requires:
- *
- *\li	'timerp' points to a valid timer.
- *
- * Ensures:
- *
- *\li	*timerp is NULL.
- *
- *\li	If '*timerp' is the last reference to the timer,
- *	then:
- *
- *\code
- *		The timer will be shutdown
- *
- *		The timer will detach from its task
- *
- *		All resources used by the timer have been freed
- *
- *		Any events already posted by the timer will be purged.
- *		Therefore, if isc_timer_detach() is called in the context
- *		of the timer's task, it is guaranteed that no more
- *		timer event callbacks will run after the call.
- *\endcode
- */
-
-isc_timertype_t
-isc_timer_gettype(isc_timer_t *timer);
-/*%<
- * Return the timer type.
- *
- * Requires:
- *
- *\li	'timer' to be a valid timer.
- */
-
-isc_result_t
-isc_timermgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
-			 isc_timermgr_t **managerp);
-
-isc_result_t
-isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
-/*%<
- * Create a timer manager.  isc_timermgr_createinctx() also associates
- * the new manager with the specified application context.
- *
- * Notes:
- *
- *\li	All memory will be allocated in memory context 'mctx'.
- *
- * Requires:
- *
- *\li	'mctx' is a valid memory context.
- *
- *\li	'managerp' points to a NULL isc_timermgr_t.
- *
- *\li	'actx' is a valid application context (for createinctx()).
- *
- * Ensures:
- *
- *\li	'*managerp' is a valid isc_timermgr_t.
- *
- * Returns:
- *
- *\li	Success
- *\li	No memory
- *\li	Unexpected error
- */
-
-void
-isc_timermgr_destroy(isc_timermgr_t **managerp);
-/*%<
- * Destroy a timer manager.
- *
- * Notes:
- *
- *\li	This routine blocks until there are no timers left in the manager,
- *	so if the caller holds any timer references using the manager, it
- *	must detach them before calling isc_timermgr_destroy() or it will
- *	block forever.
- *
- * Requires:
- *
- *\li	'*managerp' is a valid isc_timermgr_t.
- *
- * Ensures:
- *
- *\li	*managerp == NULL
- *
- *\li	All resources used by the manager have been freed.
- */
-
-void isc_timermgr_poke(isc_timermgr_t *m);
-
-#ifdef USE_TIMERIMPREGISTER
-/*%<
- * See isc_timermgr_create() above.
- */
-typedef isc_result_t
-(*isc_timermgrcreatefunc_t)(isc_mem_t *mctx, isc_timermgr_t **managerp);
-
-isc_result_t
-isc__timer_register(void);
-/*%<
- * Register a new timer management implementation and add it to the list of
- * supported implementations.  This function must be called when a different
- * event library is used than the one contained in the ISC library.
- */
-
-isc_result_t
-isc_timer_register(isc_timermgrcreatefunc_t createfunc);
-/*%<
- * A short cut function that specifies the timer management module in the ISC
- * library for isc_timer_register().  An application that uses the ISC library
- * usually do not have to care about this function: it would call
- * isc_lib_register(), which internally calls this function.
- */
-#endif /* USE_TIMERIMPREGISTER */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_TIMER_H */
diff --git a/contrib/bind9/lib/isc/include/isc/types.h b/contrib/bind9/lib/isc/include/isc/types.h
deleted file mode 100644
index 8dbf67e..0000000
--- a/contrib/bind9/lib/isc/include/isc/types.h
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_TYPES_H
-#define ISC_TYPES_H 1
-
-#include <isc/bind9.h>
-#include <isc/namespace.h>
-
-/*! \file isc/types.h
- * \brief
- * OS-specific types, from the OS-specific include directories.
- */
-#include <isc/int.h>
-#include <isc/offset.h>
-
-/*
- * XXXDCL should isc_boolean_t be moved here, requiring an explicit include
- * of <isc/boolean.h> when ISC_TRUE/ISC_FALSE/ISC_TF() are desired?
- */
-#include <isc/boolean.h>
-/*
- * XXXDCL This is just for ISC_LIST and ISC_LINK, but gets all of the other
- * list macros too.
- */
-#include <isc/list.h>
-
-/* Core Types.  Alphabetized by defined type. */
-
-typedef struct isc_appctx		isc_appctx_t;	 	/*%< Application context */
-typedef struct isc_backtrace_symmap	isc_backtrace_symmap_t; /*%< Symbol Table Entry */
-typedef struct isc_bitstring		isc_bitstring_t; 	/*%< Bitstring */
-typedef struct isc_buffer		isc_buffer_t;		/*%< Buffer */
-typedef ISC_LIST(isc_buffer_t)		isc_bufferlist_t;	/*%< Buffer List */
-typedef struct isc_constregion		isc_constregion_t;	/*%< Const region */
-typedef struct isc_consttextregion	isc_consttextregion_t;	/*%< Const Text Region */
-typedef struct isc_entropy		isc_entropy_t;		/*%< Entropy */
-typedef struct isc_entropysource	isc_entropysource_t;	/*%< Entropy Source */
-typedef struct isc_event		isc_event_t;		/*%< Event */
-typedef ISC_LIST(isc_event_t)		isc_eventlist_t;	/*%< Event List */
-typedef unsigned int			isc_eventtype_t;	/*%< Event Type */
-typedef isc_uint32_t			isc_fsaccess_t;		/*%< FS Access */
-typedef struct isc_hash			isc_hash_t;		/*%< Hash */
-typedef struct isc_httpd		isc_httpd_t;		/*%< HTTP client */
-typedef void (isc_httpdfree_t)(isc_buffer_t *, void *);		/*%< HTTP free function */
-typedef struct isc_httpdmgr		isc_httpdmgr_t;		/*%< HTTP manager */
-typedef struct isc_httpdurl		isc_httpdurl_t;		/*%< HTTP URL */
-typedef void (isc_httpdondestroy_t)(void *);			/*%< Callback on destroying httpd */
-typedef struct isc_interface		isc_interface_t;	/*%< Interface */
-typedef struct isc_interfaceiter	isc_interfaceiter_t;	/*%< Interface Iterator */
-typedef struct isc_interval		isc_interval_t;		/*%< Interval */
-typedef struct isc_lex			isc_lex_t;		/*%< Lex */
-typedef struct isc_log 			isc_log_t;		/*%< Log */
-typedef struct isc_logcategory		isc_logcategory_t;	/*%< Log Category */
-typedef struct isc_logconfig		isc_logconfig_t;	/*%< Log Configuration */
-typedef struct isc_logmodule		isc_logmodule_t;	/*%< Log Module */
-typedef struct isc_mem			isc_mem_t;		/*%< Memory */
-typedef struct isc_mempool		isc_mempool_t;		/*%< Memory Pool */
-typedef struct isc_msgcat		isc_msgcat_t;		/*%< Message Catalog */
-typedef struct isc_ondestroy		isc_ondestroy_t;	/*%< On Destroy */
-typedef struct isc_netaddr		isc_netaddr_t;		/*%< Net Address */
-typedef struct isc_portset		isc_portset_t;		/*%< Port Set */
-typedef struct isc_quota		isc_quota_t;		/*%< Quota */
-typedef struct isc_random		isc_random_t;		/*%< Random */
-typedef struct isc_ratelimiter		isc_ratelimiter_t;	/*%< Rate Limiter */
-typedef struct isc_region		isc_region_t;		/*%< Region */
-typedef isc_uint64_t			isc_resourcevalue_t;	/*%< Resource Value */
-typedef unsigned int			isc_result_t;		/*%< Result */
-typedef struct isc_rwlock		isc_rwlock_t;		/*%< Read Write Lock */
-typedef struct isc_sockaddr		isc_sockaddr_t;		/*%< Socket Address */
-typedef struct isc_socket		isc_socket_t;		/*%< Socket */
-typedef struct isc_socketevent		isc_socketevent_t;	/*%< Socket Event */
-typedef struct isc_socketmgr		isc_socketmgr_t;	/*%< Socket Manager */
-typedef struct isc_stats		isc_stats_t;		/*%< Statistics */
-typedef int				isc_statscounter_t;	/*%< Statistics Counter */
-typedef struct isc_symtab		isc_symtab_t;		/*%< Symbol Table */
-typedef struct isc_task			isc_task_t;		/*%< Task */
-typedef ISC_LIST(isc_task_t)		isc_tasklist_t;		/*%< Task List */
-typedef struct isc_taskmgr		isc_taskmgr_t;		/*%< Task Manager */
-typedef struct isc_textregion		isc_textregion_t;	/*%< Text Region */
-typedef struct isc_time			isc_time_t;		/*%< Time */
-typedef struct isc_timer		isc_timer_t;		/*%< Timer */
-typedef struct isc_timermgr		isc_timermgr_t;		/*%< Timer Manager */
-
-typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
-typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
-
-/* The following cannot be listed alphabetically due to forward reference */
-typedef isc_result_t (isc_httpdaction_t)(const char *url,
-					 const char *querystring,
-					 void *arg,
-					 unsigned int *retcode,
-					 const char **retmsg,
-					 const char **mimetype,
-					 isc_buffer_t *body,
-					 isc_httpdfree_t **freecb,
-					 void **freecb_args);
-typedef isc_boolean_t (isc_httpdclientok_t)(const isc_sockaddr_t *, void *);
-
-/*% Resource */
-typedef enum {
-	isc_resource_coresize = 1,
-	isc_resource_cputime,
-	isc_resource_datasize,
-	isc_resource_filesize,
-	isc_resource_lockedmemory,
-	isc_resource_openfiles,
-	isc_resource_processes,
-	isc_resource_residentsize,
-	isc_resource_stacksize
-} isc_resource_t;
-
-#endif /* ISC_TYPES_H */
diff --git a/contrib/bind9/lib/isc/include/isc/util.h b/contrib/bind9/lib/isc/include/isc/util.h
deleted file mode 100644
index 0a7799c..0000000
--- a/contrib/bind9/lib/isc/include/isc/util.h
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2010-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_UTIL_H
-#define ISC_UTIL_H 1
-
-/*! \file isc/util.h
- * NOTE:
- *
- * This file is not to be included from any <isc/???.h> (or other) library
- * files.
- *
- * \brief
- * Including this file puts several macros in your name space that are
- * not protected (as all the other ISC functions/macros do) by prepending
- * ISC_ or isc_ to the name.
- */
-
-/***
- *** General Macros.
- ***/
-
-/*%
- * Use this to hide unused function arguments.
- * \code
- * int
- * foo(char *bar)
- * {
- *	UNUSED(bar);
- * }
- * \endcode
- */
-#define UNUSED(x)      (void)(x)
-
-/*%
- * The opposite: silent warnings about stored values which are never read.
- */
-#define POST(x)        (void)(x)
-
-#define ISC_MAX(a, b)  ((a) > (b) ? (a) : (b))
-#define ISC_MIN(a, b)  ((a) < (b) ? (a) : (b))
-
-/*%
- * Use this to remove the const qualifier of a variable to assign it to
- * a non-const variable or pass it as a non-const function argument ...
- * but only when you are sure it won't then be changed!
- * This is necessary to sometimes shut up some compilers
- * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
- * situation.
- */
-#define DE_CONST(konst, var) \
-	do { \
-		union { const void *k; void *v; } _u; \
-		_u.k = konst; \
-		var = _u.v; \
-	} while (0)
-
-/*%
- * Use this in translation units that would otherwise be empty, to
- * suppress compiler warnings.
- */
-#define EMPTY_TRANSLATION_UNIT static void isc__empty(void) { isc__empty(); }
-
-/*%
- * We use macros instead of calling the routines directly because
- * the capital letters make the locking stand out.
- * We RUNTIME_CHECK for success since in general there's no way
- * for us to continue if they fail.
- */
-
-#ifdef ISC_UTIL_TRACEON
-#define ISC_UTIL_TRACE(a) a
-#include <stdio.h>		/* Required for fprintf/stderr when tracing. */
-#include <isc/msgs.h>		/* Required for isc_msgcat when tracing. */
-#else
-#define ISC_UTIL_TRACE(a)
-#endif
-
-#include <isc/result.h>		/* Contractual promise. */
-
-#define LOCK(lp) do { \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_LOCKING, "LOCKING"), \
-			       (lp), __FILE__, __LINE__)); \
-	RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS); \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_LOCKED, "LOCKED"), \
-			       (lp), __FILE__, __LINE__)); \
-	} while (0)
-#define UNLOCK(lp) do { \
-	RUNTIME_CHECK(isc_mutex_unlock((lp)) == ISC_R_SUCCESS); \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_UNLOCKED, "UNLOCKED"), \
-			       (lp), __FILE__, __LINE__)); \
-	} while (0)
-#define ISLOCKED(lp) (1)
-#define DESTROYLOCK(lp) \
-	RUNTIME_CHECK(isc_mutex_destroy((lp)) == ISC_R_SUCCESS)
-
-
-#define BROADCAST(cvp) do { \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_BROADCAST, "BROADCAST"),\
-			       (cvp), __FILE__, __LINE__)); \
-	RUNTIME_CHECK(isc_condition_broadcast((cvp)) == ISC_R_SUCCESS); \
-	} while (0)
-#define SIGNAL(cvp) do { \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_SIGNAL, "SIGNAL"), \
-			       (cvp), __FILE__, __LINE__)); \
-	RUNTIME_CHECK(isc_condition_signal((cvp)) == ISC_R_SUCCESS); \
-	} while (0)
-#define WAIT(cvp, lp) do { \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %p %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_UTILWAIT, "WAIT"), \
-			       (cvp), \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_LOCK, "LOCK"), \
-			       (lp), __FILE__, __LINE__)); \
-	RUNTIME_CHECK(isc_condition_wait((cvp), (lp)) == ISC_R_SUCCESS); \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %p %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_WAITED, "WAITED"), \
-			       (cvp), \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_LOCKED, "LOCKED"), \
-			       (lp), __FILE__, __LINE__)); \
-	} while (0)
-
-/*
- * isc_condition_waituntil can return ISC_R_TIMEDOUT, so we
- * don't RUNTIME_CHECK the result.
- *
- *  XXX Also, can't really debug this then...
- */
-
-#define WAITUNTIL(cvp, lp, tp) \
-	isc_condition_waituntil((cvp), (lp), (tp))
-
-#define RWLOCK(lp, t) do { \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_RWLOCK, "RWLOCK"), \
-			       (lp), (t), __FILE__, __LINE__)); \
-	RUNTIME_CHECK(isc_rwlock_lock((lp), (t)) == ISC_R_SUCCESS); \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_RWLOCKED, "RWLOCKED"), \
-			       (lp), (t), __FILE__, __LINE__)); \
-	} while (0)
-#define RWUNLOCK(lp, t) do { \
-	ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
-			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
-					      ISC_MSG_RWUNLOCK, "RWUNLOCK"), \
-			       (lp), (t), __FILE__, __LINE__)); \
-	RUNTIME_CHECK(isc_rwlock_unlock((lp), (t)) == ISC_R_SUCCESS); \
-	} while (0)
-
-#define DESTROYMUTEXBLOCK(bp, n) \
-	RUNTIME_CHECK(isc_mutexblock_destroy((bp), (n)) == ISC_R_SUCCESS)
-
-/*
- * List Macros.
- */
-#include <isc/list.h>		/* Contractual promise. */
-
-#define LIST(type)			ISC_LIST(type)
-#define INIT_LIST(type)			ISC_LIST_INIT(type)
-#define LINK(type)			ISC_LINK(type)
-#define INIT_LINK(elt, link)		ISC_LINK_INIT(elt, link)
-#define HEAD(list)			ISC_LIST_HEAD(list)
-#define TAIL(list)			ISC_LIST_TAIL(list)
-#define EMPTY(list)			ISC_LIST_EMPTY(list)
-#define PREV(elt, link)			ISC_LIST_PREV(elt, link)
-#define NEXT(elt, link)			ISC_LIST_NEXT(elt, link)
-#define APPEND(list, elt, link)		ISC_LIST_APPEND(list, elt, link)
-#define PREPEND(list, elt, link)	ISC_LIST_PREPEND(list, elt, link)
-#define UNLINK(list, elt, link)		ISC_LIST_UNLINK(list, elt, link)
-#define ENQUEUE(list, elt, link)	ISC_LIST_APPEND(list, elt, link)
-#define DEQUEUE(list, elt, link)	ISC_LIST_UNLINK(list, elt, link)
-#define INSERTBEFORE(li, b, e, ln)	ISC_LIST_INSERTBEFORE(li, b, e, ln)
-#define INSERTAFTER(li, a, e, ln)	ISC_LIST_INSERTAFTER(li, a, e, ln)
-#define APPENDLIST(list1, list2, link)	ISC_LIST_APPENDLIST(list1, list2, link)
-
-/*
- * Assertions
- */
-#include <isc/assertions.h>	/* Contractual promise. */
-
-/*% Require Assertion */
-#define REQUIRE(e)			ISC_REQUIRE(e)
-/*% Ensure Assertion */
-#define ENSURE(e)			ISC_ENSURE(e)
-/*% Insist Assertion */
-#define INSIST(e)			ISC_INSIST(e)
-/*% Invariant Assertion */
-#define INVARIANT(e)			ISC_INVARIANT(e)
-
-/*
- * Errors
- */
-#include <isc/error.h>		/* Contractual promise. */
-
-/*% Unexpected Error */
-#define UNEXPECTED_ERROR		isc_error_unexpected
-/*% Fatal Error */
-#define FATAL_ERROR			isc_error_fatal
-/*% Runtime Check */
-#define RUNTIME_CHECK(cond)		ISC_ERROR_RUNTIMECHECK(cond)
-
-/*%
- * Time
- */
-#define TIME_NOW(tp) 	RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
-
-#endif /* ISC_UTIL_H */
diff --git a/contrib/bind9/lib/isc/include/isc/version.h b/contrib/bind9/lib/isc/include/isc/version.h
deleted file mode 100644
index ec00bde..0000000
--- a/contrib/bind9/lib/isc/include/isc/version.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.9 2007/06/19 23:47:18 tbox Exp $ */
-
-/*! \file isc/version.h */
-
-#include <isc/platform.h>
-
-LIBISC_EXTERNAL_DATA extern const char isc_version[];
-
-LIBISC_EXTERNAL_DATA extern const unsigned int isc_libinterface;
-LIBISC_EXTERNAL_DATA extern const unsigned int isc_librevision;
-LIBISC_EXTERNAL_DATA extern const unsigned int isc_libage;
diff --git a/contrib/bind9/lib/isc/include/isc/xml.h b/contrib/bind9/lib/isc/include/isc/xml.h
deleted file mode 100644
index d31a31a..0000000
--- a/contrib/bind9/lib/isc/include/isc/xml.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: xml.h,v 1.4 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_XML_H
-#define ISC_XML_H 1
-
-/*
- * This file is here mostly to make it easy to add additional libxml header
- * files as needed across all the users of this file.  Rather than place
- * these libxml includes in each file, one include makes it easy to handle
- * the ifdef as well as adding the ability to add additional functions
- * which may be useful.
- */
-
-#ifdef HAVE_LIBXML2
-#include <libxml/encoding.h>
-#include <libxml/xmlwriter.h>
-#endif
-
-#define ISC_XMLCHAR (const xmlChar *)
-
-#define ISC_XML_RENDERCONFIG		0x00000001 /* render config data */
-#define ISC_XML_RENDERSTATS		0x00000002 /* render stats */
-#define ISC_XML_RENDERALL		0x000000ff /* render everything */
-
-#endif /* ISC_XML_H */
diff --git a/contrib/bind9/lib/isc/inet_aton.c b/contrib/bind9/lib/isc/inet_aton.c
deleted file mode 100644
index 66a108d..0000000
--- a/contrib/bind9/lib/isc/inet_aton.c
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1996-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1983, 1990, 1993
- *    The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- * 	This product includes software developed by the University of
- * 	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-/*! \file */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.23 2008/12/01 23:47:45 tbox Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stddef.h>		/* Required for NULL. */
-
-#include <isc/types.h>
-#include <isc/net.h>
-
-/*%
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-isc_net_aton(const char *cp, struct in_addr *addr) {
-	isc_uint32_t val;
-	int base, n;
-	unsigned char c;
-	isc_uint8_t parts[4];
-	isc_uint8_t *pp = parts;
-	int digit;
-
-	c = *cp;
-	for (;;) {
-		/*
-		 * Collect number up to ``.''.
-		 * Values are specified as for C:
-		 * 0x=hex, 0=octal, isdigit=decimal.
-		 */
-		if (!isdigit(c & 0xff))
-			return (0);
-		val = 0; base = 10; digit = 0;
-		if (c == '0') {
-			c = *++cp;
-			if (c == 'x' || c == 'X')
-				base = 16, c = *++cp;
-			else {
-				base = 8;
-				digit = 1;
-			}
-		}
-		for (;;) {
-			/*
-			 * isascii() is valid for all integer values, and
-			 * when it is true, c is known to be in scope
-			 * for isdigit().  No cast necessary.  Similar
-			 * comment applies for later ctype uses.
-			 */
-			if (isascii(c) && isdigit(c)) {
-				if (base == 8 && (c == '8' || c == '9'))
-					return (0);
-				val = (val * base) + (c - '0');
-				c = *++cp;
-				digit = 1;
-			} else if (base == 16 && isascii(c) && isxdigit(c)) {
-				val = (val << 4) |
-					(c + 10 - (islower(c) ? 'a' : 'A'));
-				c = *++cp;
-				digit = 1;
-			} else
-				break;
-		}
-		if (c == '.') {
-			/*
-			 * Internet format:
-			 *	a.b.c.d
-			 *	a.b.c	(with c treated as 16 bits)
-			 *	a.b	(with b treated as 24 bits)
-			 */
-			if (pp >= parts + 3 || val > 0xffU)
-				return (0);
-			*pp++ = (isc_uint8_t)val;
-			c = *++cp;
-		} else
-			break;
-	}
-	/*
-	 * Check for trailing characters.
-	 */
-	if (c != '\0' && (!isascii(c) || !isspace(c)))
-		return (0);
-	/*
-	 * Did we get a valid digit?
-	 */
-	if (!digit)
-		return (0);
-	/*
-	 * Concoct the address according to
-	 * the number of parts specified.
-	 */
-	n = pp - parts + 1;
-	switch (n) {
-	case 1:				/* a -- 32 bits */
-		break;
-
-	case 2:				/* a.b -- 8.24 bits */
-		if (val > 0xffffffU)
-			return (0);
-		val |= parts[0] << 24;
-		break;
-
-	case 3:				/* a.b.c -- 8.8.16 bits */
-		if (val > 0xffffU)
-			return (0);
-		val |= (parts[0] << 24) | (parts[1] << 16);
-		break;
-
-	case 4:				/* a.b.c.d -- 8.8.8.8 bits */
-		if (val > 0xffU)
-			return (0);
-		val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
-		break;
-	}
-	if (addr != NULL)
-		addr->s_addr = htonl(val);
-
-	return (1);
-}
diff --git a/contrib/bind9/lib/isc/inet_ntop.c b/contrib/bind9/lib/isc/inet_ntop.c
deleted file mode 100644
index 94910f0..0000000
--- a/contrib/bind9/lib/isc/inet_ntop.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*! \file */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
-	"$Id: inet_ntop.c,v 1.21 2009/07/17 23:47:41 tbox Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/net.h>
-#include <isc/print.h>
-
-#define NS_INT16SZ	 2
-#define NS_IN6ADDRSZ	16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static const char *inet_ntop4(const unsigned char *src, char *dst,
-			      size_t size);
-
-#ifdef AF_INET6
-static const char *inet_ntop6(const unsigned char *src, char *dst,
-			      size_t size);
-#endif
-
-/*! char *
- * isc_net_ntop(af, src, dst, size)
- *	convert a network format address to presentation format.
- * \return
- *	pointer to presentation format address (`dst'), or NULL (see errno).
- * \author
- *	Paul Vixie, 1996.
- */
-const char *
-isc_net_ntop(int af, const void *src, char *dst, size_t size)
-{
-	switch (af) {
-	case AF_INET:
-		return (inet_ntop4(src, dst, size));
-#ifdef AF_INET6
-	case AF_INET6:
-		return (inet_ntop6(src, dst, size));
-#endif
-	default:
-		errno = EAFNOSUPPORT;
-		return (NULL);
-	}
-	/* NOTREACHED */
-}
-
-/*! const char *
- * inet_ntop4(src, dst, size)
- *	format an IPv4 address
- * \return
- *	`dst' (as a const)
- * \note
- *	(1) uses no statics
- * \note
- *	(2) takes a unsigned char* not an in_addr as input
- * \author
- *	Paul Vixie, 1996.
- */
-static const char *
-inet_ntop4(const unsigned char *src, char *dst, size_t size)
-{
-	static const char *fmt = "%u.%u.%u.%u";
-	char tmp[sizeof("255.255.255.255")];
-
-	if ((size_t)sprintf(tmp, fmt, src[0], src[1], src[2], src[3]) >= size)
-	{
-		errno = ENOSPC;
-		return (NULL);
-	}
-	strcpy(dst, tmp);
-
-	return (dst);
-}
-
-/*! const char *
- * isc_inet_ntop6(src, dst, size)
- *	convert IPv6 binary address into presentation (printable) format
- * \author
- *	Paul Vixie, 1996.
- */
-#ifdef AF_INET6
-static const char *
-inet_ntop6(const unsigned char *src, char *dst, size_t size)
-{
-	/*
-	 * Note that int32_t and int16_t need only be "at least" large enough
-	 * to contain a value of the specified size.  On some systems, like
-	 * Crays, there is no such thing as an integer variable with 16 bits.
-	 * Keep this in mind if you think this function should have been coded
-	 * to use pointer overlays.  All the world's not a VAX.
-	 */
-	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")], *tp;
-	struct { int base, len; } best, cur;
-	unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
-	int i;
-
-	/*
-	 * Preprocess:
-	 *	Copy the input (bytewise) array into a wordwise array.
-	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
-	 */
-	memset(words, '\0', sizeof(words));
-	for (i = 0; i < NS_IN6ADDRSZ; i++)
-		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
-	best.base = -1;
-	cur.base = -1;
-	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
-		if (words[i] == 0) {
-			if (cur.base == -1)
-				cur.base = i, cur.len = 1;
-			else
-				cur.len++;
-		} else {
-			if (cur.base != -1) {
-				if (best.base == -1 || cur.len > best.len)
-					best = cur;
-				cur.base = -1;
-			}
-		}
-	}
-	if (cur.base != -1) {
-		if (best.base == -1 || cur.len > best.len)
-			best = cur;
-	}
-	if (best.base != -1 && best.len < 2)
-		best.base = -1;
-
-	/*
-	 * Format the result.
-	 */
-	tp = tmp;
-	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
-		/* Are we inside the best run of 0x00's? */
-		if (best.base != -1 && i >= best.base &&
-		    i < (best.base + best.len)) {
-			if (i == best.base)
-				*tp++ = ':';
-			continue;
-		}
-		/* Are we following an initial run of 0x00s or any real hex? */
-		if (i != 0)
-			*tp++ = ':';
-		/* Is this address an encapsulated IPv4? */
-		if (i == 6 && best.base == 0 && (best.len == 6 ||
-		    (best.len == 7 && words[7] != 0x0001) ||
-		    (best.len == 5 && words[5] == 0xffff))) {
-			if (!inet_ntop4(src+12, tp,
-					sizeof(tmp) - (tp - tmp)))
-				return (NULL);
-			tp += strlen(tp);
-			break;
-		}
-		tp += sprintf(tp, "%x", words[i]);
-	}
-	/* Was it a trailing run of 0x00's? */
-	if (best.base != -1 && (best.base + best.len) ==
-	    (NS_IN6ADDRSZ / NS_INT16SZ))
-		*tp++ = ':';
-	*tp++ = '\0';
-
-	/*
-	 * Check for overflow, copy, and we're done.
-	 */
-	if ((size_t)(tp - tmp) > size) {
-		errno = ENOSPC;
-		return (NULL);
-	}
-	strcpy(dst, tmp);
-	return (dst);
-}
-#endif /* AF_INET6 */
diff --git a/contrib/bind9/lib/isc/inet_pton.c b/contrib/bind9/lib/isc/inet_pton.c
deleted file mode 100644
index 6bada23..0000000
--- a/contrib/bind9/lib/isc/inet_pton.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*! \file */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
-	"$Id: inet_pton.c,v 1.19 2007/06/19 23:47:17 tbox Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <string.h>
-
-#include <isc/net.h>
-
-/*% INT16 Size */
-#define NS_INT16SZ	 2
-/*% IPv4 Address Size */
-#define NS_INADDRSZ	 4
-/*% IPv6 Address Size */
-#define NS_IN6ADDRSZ	16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static int inet_pton4(const char *src, unsigned char *dst);
-static int inet_pton6(const char *src, unsigned char *dst);
-
-/*% 
- *	convert from presentation format (which usually means ASCII printable)
- *	to network format (which is usually some kind of binary format).
- * \return
- *	1 if the address was valid for the specified address family
- *	0 if the address wasn't valid (`dst' is untouched in this case)
- *	-1 if some other error occurred (`dst' is untouched in this case, too)
- * \author
- *	Paul Vixie, 1996.
- */
-int
-isc_net_pton(int af, const char *src, void *dst) {
-	switch (af) {
-	case AF_INET:
-		return (inet_pton4(src, dst));
-	case AF_INET6:
-		return (inet_pton6(src, dst));
-	default:
-		errno = EAFNOSUPPORT;
-		return (-1);
-	}
-	/* NOTREACHED */
-}
-
-/*!\fn static int inet_pton4(const char *src, unsigned char *dst)
- * \brief
- *	like inet_aton() but without all the hexadecimal and shorthand.
- * \return
- *	1 if `src' is a valid dotted quad, else 0.
- * \note
- *	does not touch `dst' unless it's returning 1.
- * \author
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton4(const char *src, unsigned char *dst) {
-	static const char digits[] = "0123456789";
-	int saw_digit, octets, ch;
-	unsigned char tmp[NS_INADDRSZ], *tp;
-
-	saw_digit = 0;
-	octets = 0;
-	*(tp = tmp) = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr(digits, ch)) != NULL) {
-			unsigned int new = *tp * 10 + (pch - digits);
-
-			if (saw_digit && *tp == 0)
-				return (0);
-			if (new > 255)
-				return (0);
-			*tp = new;
-			if (!saw_digit) {
-				if (++octets > 4)
-					return (0);
-				saw_digit = 1;
-			}
-		} else if (ch == '.' && saw_digit) {
-			if (octets == 4)
-				return (0);
-			*++tp = 0;
-			saw_digit = 0;
-		} else
-			return (0);
-	}
-	if (octets < 4)
-		return (0);
-	memcpy(dst, tmp, NS_INADDRSZ);
-	return (1);
-}
-
-/*%
- *	convert presentation level address to network order binary form.
- * \return
- *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * \note
- *	(1) does not touch `dst' unless it's returning 1.
- * \note
- *	(2) :: in a full address is silently ignored.
- * \author
- *	inspired by Mark Andrews.
- * \author
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton6(const char *src, unsigned char *dst) {
-	static const char xdigits_l[] = "0123456789abcdef",
-			  xdigits_u[] = "0123456789ABCDEF";
-	unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
-	const char *xdigits, *curtok;
-	int ch, seen_xdigits;
-	unsigned int val;
-
-	memset((tp = tmp), '\0', NS_IN6ADDRSZ);
-	endp = tp + NS_IN6ADDRSZ;
-	colonp = NULL;
-	/* Leading :: requires some special handling. */
-	if (*src == ':')
-		if (*++src != ':')
-			return (0);
-	curtok = src;
-	seen_xdigits = 0;
-	val = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
-			pch = strchr((xdigits = xdigits_u), ch);
-		if (pch != NULL) {
-			val <<= 4;
-			val |= (pch - xdigits);
-			if (++seen_xdigits > 4)
-				return (0);
-			continue;
-		}
-		if (ch == ':') {
-			curtok = src;
-			if (!seen_xdigits) {
-				if (colonp)
-					return (0);
-				colonp = tp;
-				continue;
-			}
-			if (tp + NS_INT16SZ > endp)
-				return (0);
-			*tp++ = (unsigned char) (val >> 8) & 0xff;
-			*tp++ = (unsigned char) val & 0xff;
-			seen_xdigits = 0;
-			val = 0;
-			continue;
-		}
-		if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
-		    inet_pton4(curtok, tp) > 0) {
-			tp += NS_INADDRSZ;
-			seen_xdigits = 0;
-			break;	/* '\0' was seen by inet_pton4(). */
-		}
-		return (0);
-	}
-	if (seen_xdigits) {
-		if (tp + NS_INT16SZ > endp)
-			return (0);
-		*tp++ = (unsigned char) (val >> 8) & 0xff;
-		*tp++ = (unsigned char) val & 0xff;
-	}
-	if (colonp != NULL) {
-		/*
-		 * Since some memmove()'s erroneously fail to handle
-		 * overlapping regions, we'll do the shift by hand.
-		 */
-		const int n = tp - colonp;
-		int i;
-
-		if (tp == endp)
-			return (0);
-		for (i = 1; i <= n; i++) {
-			endp[- i] = colonp[n - i];
-			colonp[n - i] = 0;
-		}
-		tp = endp;
-	}
-	if (tp != endp)
-		return (0);
-	memcpy(dst, tmp, NS_IN6ADDRSZ);
-	return (1);
-}
diff --git a/contrib/bind9/lib/isc/iterated_hash.c b/contrib/bind9/lib/isc/iterated_hash.c
deleted file mode 100644
index 86dedde..0000000
--- a/contrib/bind9/lib/isc/iterated_hash.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2006, 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: iterated_hash.c,v 1.6 2009/02/18 23:47:48 tbox Exp $ */
-
-#include "config.h"
-
-#include <stdio.h>
-
-#include <isc/sha1.h>
-#include <isc/iterated_hash.h>
-
-int
-isc_iterated_hash(unsigned char out[ISC_SHA1_DIGESTLENGTH],
-		  unsigned int hashalg, int iterations,
-		  const unsigned char *salt, int saltlength,
-		  const unsigned char *in, int inlength)
-{
-	isc_sha1_t ctx;
-	int n = 0;
-
-	if (hashalg != 1)
-		return (0);
-
-	do {
-		isc_sha1_init(&ctx);
-		isc_sha1_update(&ctx, in, inlength);
-		isc_sha1_update(&ctx, salt, saltlength);
-		isc_sha1_final(&ctx, out);
-		in = out;
-		inlength = ISC_SHA1_DIGESTLENGTH;
-	} while (n++ < iterations);
-
-	return (ISC_SHA1_DIGESTLENGTH);
-}
diff --git a/contrib/bind9/lib/isc/lex.c b/contrib/bind9/lib/isc/lex.c
deleted file mode 100644
index 8749ed0..0000000
--- a/contrib/bind9/lib/isc/lex.c
+++ /dev/null
@@ -1,959 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lex.c,v 1.86 2007/09/17 09:56:29 shane Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-typedef struct inputsource {
-	isc_result_t			result;
-	isc_boolean_t			is_file;
-	isc_boolean_t			need_close;
-	isc_boolean_t			at_eof;
-	isc_buffer_t *			pushback;
-	unsigned int			ignored;
-	void *				input;
-	char *				name;
-	unsigned long			line;
-	unsigned long			saved_line;
-	ISC_LINK(struct inputsource)	link;
-} inputsource;
-
-#define LEX_MAGIC			ISC_MAGIC('L', 'e', 'x', '!')
-#define VALID_LEX(l)			ISC_MAGIC_VALID(l, LEX_MAGIC)
-
-struct isc_lex {
-	/* Unlocked. */
-	unsigned int			magic;
-	isc_mem_t *			mctx;
-	size_t				max_token;
-	char *				data;
-	unsigned int			comments;
-	isc_boolean_t			comment_ok;
-	isc_boolean_t			last_was_eol;
-	unsigned int			paren_count;
-	unsigned int			saved_paren_count;
-	isc_lexspecials_t		specials;
-	LIST(struct inputsource)	sources;
-};
-
-static inline isc_result_t
-grow_data(isc_lex_t *lex, size_t *remainingp, char **currp, char **prevp) {
-	char *new;
-
-	new = isc_mem_get(lex->mctx, lex->max_token * 2 + 1);
-	if (new == NULL)
-		return (ISC_R_NOMEMORY);
-	memcpy(new, lex->data, lex->max_token + 1);
-	*currp = new + (*currp - lex->data);
-	if (*prevp != NULL)
-		*prevp = new + (*prevp - lex->data);
-	isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
-	lex->data = new;
-	*remainingp += lex->max_token;
-	lex->max_token *= 2;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp) {
-	isc_lex_t *lex;
-
-	/*
-	 * Create a lexer.
-	 */
-
-	REQUIRE(lexp != NULL && *lexp == NULL);
-	REQUIRE(max_token > 0U);
-
-	lex = isc_mem_get(mctx, sizeof(*lex));
-	if (lex == NULL)
-		return (ISC_R_NOMEMORY);
-	lex->data = isc_mem_get(mctx, max_token + 1);
-	if (lex->data == NULL) {
-		isc_mem_put(mctx, lex, sizeof(*lex));
-		return (ISC_R_NOMEMORY);
-	}
-	lex->mctx = mctx;
-	lex->max_token = max_token;
-	lex->comments = 0;
-	lex->comment_ok = ISC_TRUE;
-	lex->last_was_eol = ISC_TRUE;
-	lex->paren_count = 0;
-	lex->saved_paren_count = 0;
-	memset(lex->specials, 0, 256);
-	INIT_LIST(lex->sources);
-	lex->magic = LEX_MAGIC;
-
-	*lexp = lex;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_lex_destroy(isc_lex_t **lexp) {
-	isc_lex_t *lex;
-
-	/*
-	 * Destroy the lexer.
-	 */
-
-	REQUIRE(lexp != NULL);
-	lex = *lexp;
-	REQUIRE(VALID_LEX(lex));
-
-	while (!EMPTY(lex->sources))
-		RUNTIME_CHECK(isc_lex_close(lex) == ISC_R_SUCCESS);
-	if (lex->data != NULL)
-		isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
-	lex->magic = 0;
-	isc_mem_put(lex->mctx, lex, sizeof(*lex));
-
-	*lexp = NULL;
-}
-
-unsigned int
-isc_lex_getcomments(isc_lex_t *lex) {
-	/*
-	 * Return the current lexer commenting styles.
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-
-	return (lex->comments);
-}
-
-void
-isc_lex_setcomments(isc_lex_t *lex, unsigned int comments) {
-	/*
-	 * Set allowed lexer commenting styles.
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-
-	lex->comments = comments;
-}
-
-void
-isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
-	/*
-	 * Put the current list of specials into 'specials'.
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-
-	memcpy(specials, lex->specials, 256);
-}
-
-void
-isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
-	/*
-	 * The characters in 'specials' are returned as tokens.  Along with
-	 * whitespace, they delimit strings and numbers.
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-
-	memcpy(lex->specials, specials, 256);
-}
-
-static inline isc_result_t
-new_source(isc_lex_t *lex, isc_boolean_t is_file, isc_boolean_t need_close,
-	   void *input, const char *name)
-{
-	inputsource *source;
-	isc_result_t result;
-
-	source = isc_mem_get(lex->mctx, sizeof(*source));
-	if (source == NULL)
-		return (ISC_R_NOMEMORY);
-	source->result = ISC_R_SUCCESS;
-	source->is_file = is_file;
-	source->need_close = need_close;
-	source->at_eof = ISC_FALSE;
-	source->input = input;
-	source->name = isc_mem_strdup(lex->mctx, name);
-	if (source->name == NULL) {
-		isc_mem_put(lex->mctx, source, sizeof(*source));
-		return (ISC_R_NOMEMORY);
-	}
-	source->pushback = NULL;
-	result = isc_buffer_allocate(lex->mctx, &source->pushback,
-				     lex->max_token);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_free(lex->mctx, source->name);
-		isc_mem_put(lex->mctx, source, sizeof(*source));
-		return (result);
-	}
-	source->ignored = 0;
-	source->line = 1;
-	ISC_LIST_INITANDPREPEND(lex->sources, source, link);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_lex_openfile(isc_lex_t *lex, const char *filename) {
-	isc_result_t result;
-	FILE *stream = NULL;
-
-	/*
-	 * Open 'filename' and make it the current input source for 'lex'.
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-
-	result = isc_stdio_open(filename, "r", &stream);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = new_source(lex, ISC_TRUE, ISC_TRUE, stream, filename);
-	if (result != ISC_R_SUCCESS)
-		(void)fclose(stream);
-	return (result);
-}
-
-isc_result_t
-isc_lex_openstream(isc_lex_t *lex, FILE *stream) {
-	char name[128];
-
-	/*
-	 * Make 'stream' the current input source for 'lex'.
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-
-	snprintf(name, sizeof(name), "stream-%p", stream);
-
-	return (new_source(lex, ISC_TRUE, ISC_FALSE, stream, name));
-}
-
-isc_result_t
-isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer) {
-	char name[128];
-
-	/*
-	 * Make 'buffer' the current input source for 'lex'.
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-
-	snprintf(name, sizeof(name), "buffer-%p", buffer);
-
-	return (new_source(lex, ISC_FALSE, ISC_FALSE, buffer, name));
-}
-
-isc_result_t
-isc_lex_close(isc_lex_t *lex) {
-	inputsource *source;
-
-	/*
-	 * Close the most recently opened object (i.e. file or buffer).
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-
-	source = HEAD(lex->sources);
-	if (source == NULL)
-		return (ISC_R_NOMORE);
-
-	ISC_LIST_UNLINK(lex->sources, source, link);
-	if (source->is_file) {
-		if (source->need_close)
-			(void)fclose((FILE *)(source->input));
-	}
-	isc_mem_free(lex->mctx, source->name);
-	isc_buffer_free(&source->pushback);
-	isc_mem_put(lex->mctx, source, sizeof(*source));
-
-	return (ISC_R_SUCCESS);
-}
-
-typedef enum {
-	lexstate_start,
-	lexstate_crlf,
-	lexstate_string,
-	lexstate_number,
-	lexstate_maybecomment,
-	lexstate_ccomment,
-	lexstate_ccommentend,
-	lexstate_eatline,
-	lexstate_qstring
-} lexstate;
-
-#define IWSEOL (ISC_LEXOPT_INITIALWS | ISC_LEXOPT_EOL)
-
-static void
-pushback(inputsource *source, int c) {
-	REQUIRE(source->pushback->current > 0);
-	if (c == EOF) {
-		source->at_eof = ISC_FALSE;
-		return;
-	}
-	source->pushback->current--;
-	if (c == '\n')
-		source->line--;
-}
-
-static isc_result_t
-pushandgrow(isc_lex_t *lex, inputsource *source, int c) {
-	if (isc_buffer_availablelength(source->pushback) == 0) {
-		isc_buffer_t *tbuf = NULL;
-		unsigned int oldlen;
-		isc_region_t used;
-		isc_result_t result;
-
-		oldlen = isc_buffer_length(source->pushback);
-		result = isc_buffer_allocate(lex->mctx, &tbuf, oldlen * 2);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		isc_buffer_usedregion(source->pushback, &used);
-		result = isc_buffer_copyregion(tbuf, &used);
-		INSIST(result == ISC_R_SUCCESS);
-		tbuf->current = source->pushback->current;
-		isc_buffer_free(&source->pushback);
-		source->pushback = tbuf;
-	}
-	isc_buffer_putuint8(source->pushback, (isc_uint8_t)c);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
-	inputsource *source;
-	int c;
-	isc_boolean_t done = ISC_FALSE;
-	isc_boolean_t no_comments = ISC_FALSE;
-	isc_boolean_t escaped = ISC_FALSE;
-	lexstate state = lexstate_start;
-	lexstate saved_state = lexstate_start;
-	isc_buffer_t *buffer;
-	FILE *stream;
-	char *curr, *prev;
-	size_t remaining;
-	isc_uint32_t as_ulong;
-	unsigned int saved_options;
-	isc_result_t result;
-
-	/*
-	 * Get the next token.
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-	source = HEAD(lex->sources);
-	REQUIRE(tokenp != NULL);
-
-	if (source == NULL) {
-		if ((options & ISC_LEXOPT_NOMORE) != 0) {
-			tokenp->type = isc_tokentype_nomore;
-			return (ISC_R_SUCCESS);
-		}
-		return (ISC_R_NOMORE);
-	}
-
-	if (source->result != ISC_R_SUCCESS)
-		return (source->result);
-
-	lex->saved_paren_count = lex->paren_count;
-	source->saved_line = source->line;
-
-	if (isc_buffer_remaininglength(source->pushback) == 0 &&
-	    source->at_eof)
-	{
-		if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
-		    lex->paren_count != 0) {
-			lex->paren_count = 0;
-			return (ISC_R_UNBALANCED);
-		}
-		if ((options & ISC_LEXOPT_EOF) != 0) {
-			tokenp->type = isc_tokentype_eof;
-			return (ISC_R_SUCCESS);
-		}
-		return (ISC_R_EOF);
-	}
-
-	isc_buffer_compact(source->pushback);
-
-	saved_options = options;
-	if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 && lex->paren_count > 0)
-		options &= ~IWSEOL;
-
-	curr = lex->data;
-	*curr = '\0';
-
-	prev = NULL;
-	remaining = lex->max_token;
-
-#ifdef HAVE_FLOCKFILE
-	if (source->is_file)
-		flockfile(source->input);
-#endif
-
-	do {
-		if (isc_buffer_remaininglength(source->pushback) == 0) {
-			if (source->is_file) {
-				stream = source->input;
-
-#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
-				c = getc_unlocked(stream);
-#else
-				c = getc(stream);
-#endif
-				if (c == EOF) {
-					if (ferror(stream)) {
-						source->result = ISC_R_IOERROR;
-						result = source->result;
-						goto done;
-					}
-					source->at_eof = ISC_TRUE;
-				}
-			} else {
-				buffer = source->input;
-
-				if (buffer->current == buffer->used) {
-					c = EOF;
-					source->at_eof = ISC_TRUE;
-				} else {
-					c = *((char *)buffer->base +
-					      buffer->current);
-					buffer->current++;
-				}
-			}
-			if (c != EOF) {
-				source->result = pushandgrow(lex, source, c);
-				if (source->result != ISC_R_SUCCESS) {
-					result = source->result;
-					goto done;
-				}
-			}
-		}
-
-		if (!source->at_eof) {
-			if (state == lexstate_start)
-				/* Token has not started yet. */
-				source->ignored =
-				   isc_buffer_consumedlength(source->pushback);
-			c = isc_buffer_getuint8(source->pushback);
-		} else {
-			c = EOF;
-		}
-
-		if (c == '\n')
-			source->line++;
-
-		if (lex->comment_ok && !no_comments) {
-			if (!escaped && c == ';' &&
-			    ((lex->comments & ISC_LEXCOMMENT_DNSMASTERFILE)
-			     != 0)) {
-				saved_state = state;
-				state = lexstate_eatline;
-				no_comments = ISC_TRUE;
-				continue;
-			} else if (c == '/' &&
-				   (lex->comments &
-				    (ISC_LEXCOMMENT_C|
-				     ISC_LEXCOMMENT_CPLUSPLUS)) != 0) {
-				saved_state = state;
-				state = lexstate_maybecomment;
-				no_comments = ISC_TRUE;
-				continue;
-			} else if (c == '#' &&
-				   ((lex->comments & ISC_LEXCOMMENT_SHELL)
-				    != 0)) {
-				saved_state = state;
-				state = lexstate_eatline;
-				no_comments = ISC_TRUE;
-				continue;
-			}
-		}
-
-	no_read:
-		/* INSIST(c == EOF || (c >= 0 && c <= 255)); */
-		switch (state) {
-		case lexstate_start:
-			if (c == EOF) {
-				lex->last_was_eol = ISC_FALSE;
-				if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
-				    lex->paren_count != 0) {
-					lex->paren_count = 0;
-					result = ISC_R_UNBALANCED;
-					goto done;
-				}
-				if ((options & ISC_LEXOPT_EOF) == 0) {
-					result = ISC_R_EOF;
-					goto done;
-				}
-				tokenp->type = isc_tokentype_eof;
-				done = ISC_TRUE;
-			} else if (c == ' ' || c == '\t') {
-				if (lex->last_was_eol &&
-				    (options & ISC_LEXOPT_INITIALWS)
-				    != 0) {
-					lex->last_was_eol = ISC_FALSE;
-					tokenp->type = isc_tokentype_initialws;
- 					tokenp->value.as_char = c;
-					done = ISC_TRUE;
-				}
-			} else if (c == '\n') {
-				if ((options & ISC_LEXOPT_EOL) != 0) {
-					tokenp->type = isc_tokentype_eol;
-					done = ISC_TRUE;
-				}
-				lex->last_was_eol = ISC_TRUE;
-			} else if (c == '\r') {
-				if ((options & ISC_LEXOPT_EOL) != 0)
-					state = lexstate_crlf;
-			} else if (c == '"' &&
-				   (options & ISC_LEXOPT_QSTRING) != 0) {
-				lex->last_was_eol = ISC_FALSE;
-				no_comments = ISC_TRUE;
-				state = lexstate_qstring;
-			} else if (lex->specials[c]) {
-				lex->last_was_eol = ISC_FALSE;
-				if ((c == '(' || c == ')') &&
-				    (options & ISC_LEXOPT_DNSMULTILINE) != 0) {
-					if (c == '(') {
-						if (lex->paren_count == 0)
-							options &= ~IWSEOL;
-						lex->paren_count++;
-					} else {
-						if (lex->paren_count == 0) {
-						    result = ISC_R_UNBALANCED;
-						    goto done;
-						}
-						lex->paren_count--;
-						if (lex->paren_count == 0)
-							options =
-								saved_options;
-					}
-					continue;
-				}
-				tokenp->type = isc_tokentype_special;
-				tokenp->value.as_char = c;
-				done = ISC_TRUE;
-			} else if (isdigit((unsigned char)c) &&
-				   (options & ISC_LEXOPT_NUMBER) != 0) {
-				lex->last_was_eol = ISC_FALSE;
-				if ((options & ISC_LEXOPT_OCTAL) != 0 &&
-				    (c == '8' || c == '9'))
-					state = lexstate_string;
-				else
-					state = lexstate_number;
-				goto no_read;
-			} else {
-				lex->last_was_eol = ISC_FALSE;
-				state = lexstate_string;
-				goto no_read;
-			}
-			break;
-		case lexstate_crlf:
-			if (c != '\n')
-				pushback(source, c);
-			tokenp->type = isc_tokentype_eol;
-			done = ISC_TRUE;
-			lex->last_was_eol = ISC_TRUE;
-			break;
-		case lexstate_number:
-			if (c == EOF || !isdigit((unsigned char)c)) {
-				if (c == ' ' || c == '\t' || c == '\r' ||
-				    c == '\n' || c == EOF ||
-				    lex->specials[c]) {
-					int base;
-					if ((options & ISC_LEXOPT_OCTAL) != 0)
-						base = 8;
-					else if ((options & ISC_LEXOPT_CNUMBER) != 0)
-						base = 0;
-					else
-						base = 10;
-					pushback(source, c);
-
-					result = isc_parse_uint32(&as_ulong,
-								  lex->data,
-								  base);
-					if (result == ISC_R_SUCCESS) {
-						tokenp->type =
-							isc_tokentype_number;
-						tokenp->value.as_ulong =
-							as_ulong;
-					} else if (result == ISC_R_BADNUMBER) {
-						isc_tokenvalue_t *v;
-
-						tokenp->type =
-							isc_tokentype_string;
-						v = &(tokenp->value);
-						v->as_textregion.base =
-							lex->data;
-						v->as_textregion.length =
-							lex->max_token -
-							remaining;
-					} else
-						goto done;
-					done = ISC_TRUE;
-					continue;
-				} else if (!(options & ISC_LEXOPT_CNUMBER) ||
-					   ((c != 'x' && c != 'X') ||
-					   (curr != &lex->data[1]) ||
-					   (lex->data[0] != '0'))) {
-					/* Above test supports hex numbers */
-					state = lexstate_string;
-				}
-			} else if ((options & ISC_LEXOPT_OCTAL) != 0 &&
-				   (c == '8' || c == '9')) {
-				state = lexstate_string;
-			}
-			if (remaining == 0U) {
-				result = grow_data(lex, &remaining,
-						   &curr, &prev);
-				if (result != ISC_R_SUCCESS)
-					goto done;
-			}
-			INSIST(remaining > 0U);
-			*curr++ = c;
-			*curr = '\0';
-			remaining--;
-			break;
-		case lexstate_string:
-			/*
-			 * EOF needs to be checked before lex->specials[c]
-			 * as lex->specials[EOF] is not a good idea.
-			 */
-			if (c == '\r' || c == '\n' || c == EOF ||
-			    (!escaped &&
-			     (c == ' ' || c == '\t' || lex->specials[c]))) {
-				pushback(source, c);
-				if (source->result != ISC_R_SUCCESS) {
-					result = source->result;
-					goto done;
-				}
-				tokenp->type = isc_tokentype_string;
-				tokenp->value.as_textregion.base = lex->data;
-				tokenp->value.as_textregion.length =
-					lex->max_token - remaining;
-				done = ISC_TRUE;
-				continue;
-			}
-			if ((options & ISC_LEXOPT_ESCAPE) != 0)
-				escaped = (!escaped && c == '\\') ?
-						ISC_TRUE : ISC_FALSE;
-			if (remaining == 0U) {
-				result = grow_data(lex, &remaining,
-						   &curr, &prev);
-				if (result != ISC_R_SUCCESS)
-					goto done;
-			}
-			INSIST(remaining > 0U);
-			*curr++ = c;
-			*curr = '\0';
-			remaining--;
-			break;
-		case lexstate_maybecomment:
-			if (c == '*' &&
-			    (lex->comments & ISC_LEXCOMMENT_C) != 0) {
-				state = lexstate_ccomment;
-				continue;
-			} else if (c == '/' &&
-			    (lex->comments & ISC_LEXCOMMENT_CPLUSPLUS) != 0) {
-				state = lexstate_eatline;
-				continue;
-			}
-			pushback(source, c);
-			c = '/';
-			no_comments = ISC_FALSE;
-			state = saved_state;
-			goto no_read;
-		case lexstate_ccomment:
-			if (c == EOF) {
-				result = ISC_R_UNEXPECTEDEND;
-				goto done;
-			}
-			if (c == '*')
-				state = lexstate_ccommentend;
-			break;
-		case lexstate_ccommentend:
-			if (c == EOF) {
-				result = ISC_R_UNEXPECTEDEND;
-				goto done;
-			}
-			if (c == '/') {
-				/*
-				 * C-style comments become a single space.
-				 * We do this to ensure that a comment will
-				 * act as a delimiter for strings and
-				 * numbers.
-				 */
-				c = ' ';
-				no_comments = ISC_FALSE;
-				state = saved_state;
-				goto no_read;
-			} else if (c != '*')
-				state = lexstate_ccomment;
-			break;
-		case lexstate_eatline:
-			if ((c == '\n') || (c == EOF)) {
-				no_comments = ISC_FALSE;
-				state = saved_state;
-				goto no_read;
-			}
-			break;
-		case lexstate_qstring:
-			if (c == EOF) {
-				result = ISC_R_UNEXPECTEDEND;
-				goto done;
-			}
-			if (c == '"') {
-				if (escaped) {
-					escaped = ISC_FALSE;
-					/*
-					 * Overwrite the preceding backslash.
-					 */
-					INSIST(prev != NULL);
-					*prev = '"';
-				} else {
-					tokenp->type = isc_tokentype_qstring;
-					tokenp->value.as_textregion.base =
-						lex->data;
-					tokenp->value.as_textregion.length =
-						lex->max_token - remaining;
-					no_comments = ISC_FALSE;
-					done = ISC_TRUE;
-				}
-			} else {
-				if (c == '\n' && !escaped &&
-			    (options & ISC_LEXOPT_QSTRINGMULTILINE) == 0) {
-					pushback(source, c);
-					result = ISC_R_UNBALANCEDQUOTES;
-					goto done;
-				}
-				if (c == '\\' && !escaped)
-					escaped = ISC_TRUE;
-				else
-					escaped = ISC_FALSE;
-				if (remaining == 0U) {
-					result = grow_data(lex, &remaining,
-							   &curr, &prev);
-					if (result != ISC_R_SUCCESS)
-						goto done;
-				}
-				INSIST(remaining > 0U);
-				prev = curr;
-				*curr++ = c;
-				*curr = '\0';
-				remaining--;
-			}
-			break;
-		default:
-			FATAL_ERROR(__FILE__, __LINE__,
-				    isc_msgcat_get(isc_msgcat, ISC_MSGSET_LEX,
-						   ISC_MSG_UNEXPECTEDSTATE,
-						   "Unexpected state %d"),
-				    state);
-			/* Does not return. */
-		}
-
-	} while (!done);
-
-	result = ISC_R_SUCCESS;
- done:
-#ifdef HAVE_FLOCKFILE
-	if (source->is_file)
-		funlockfile(source->input);
-#endif
-	return (result);
-}
-
-isc_result_t
-isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
-		       isc_tokentype_t expect, isc_boolean_t eol)
-{
-	unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
-			       ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
-	isc_result_t result;
-
-	if (expect == isc_tokentype_qstring)
-		options |= ISC_LEXOPT_QSTRING;
-	else if (expect == isc_tokentype_number)
-		options |= ISC_LEXOPT_NUMBER;
-	result = isc_lex_gettoken(lex, options, token);
-	if (result == ISC_R_RANGE)
-		isc_lex_ungettoken(lex, token);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (eol && ((token->type == isc_tokentype_eol) ||
-		    (token->type == isc_tokentype_eof)))
-		return (ISC_R_SUCCESS);
-	if (token->type == isc_tokentype_string &&
-	    expect == isc_tokentype_qstring)
-		return (ISC_R_SUCCESS);
-	if (token->type != expect) {
-		isc_lex_ungettoken(lex, token);
-		if (token->type == isc_tokentype_eol ||
-		    token->type == isc_tokentype_eof)
-			return (ISC_R_UNEXPECTEDEND);
-		if (expect == isc_tokentype_number)
-			return (ISC_R_BADNUMBER);
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_lex_getoctaltoken(isc_lex_t *lex, isc_token_t *token, isc_boolean_t eol)
-{
-	unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
-			       ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE|
-			       ISC_LEXOPT_NUMBER | ISC_LEXOPT_OCTAL;
-	isc_result_t result;
-
-	result = isc_lex_gettoken(lex, options, token);
-	if (result == ISC_R_RANGE)
-		isc_lex_ungettoken(lex, token);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (eol && ((token->type == isc_tokentype_eol) ||
-		    (token->type == isc_tokentype_eof)))
-		return (ISC_R_SUCCESS);
-	if (token->type != isc_tokentype_number) {
-		isc_lex_ungettoken(lex, token);
-		if (token->type == isc_tokentype_eol ||
-		    token->type == isc_tokentype_eof)
-			return (ISC_R_UNEXPECTEDEND);
-		return (ISC_R_BADNUMBER);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp) {
-	inputsource *source;
-	/*
-	 * Unget the current token.
-	 */
-
-	REQUIRE(VALID_LEX(lex));
-	source = HEAD(lex->sources);
-	REQUIRE(source != NULL);
-	REQUIRE(tokenp != NULL);
-	REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
-		tokenp->type == isc_tokentype_eof);
-
-	UNUSED(tokenp);
-
-	isc_buffer_first(source->pushback);
-	lex->paren_count = lex->saved_paren_count;
-	source->line = source->saved_line;
-	source->at_eof = ISC_FALSE;
-}
-
-void
-isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r)
-{
-	inputsource *source;
-
-	REQUIRE(VALID_LEX(lex));
-	source = HEAD(lex->sources);
-	REQUIRE(source != NULL);
-	REQUIRE(tokenp != NULL);
-	REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
-		tokenp->type == isc_tokentype_eof);
-
-	UNUSED(tokenp);
-
-	INSIST(source->ignored <= isc_buffer_consumedlength(source->pushback));
-	r->base = (unsigned char *)isc_buffer_base(source->pushback) +
-		  source->ignored;
-	r->length = isc_buffer_consumedlength(source->pushback) -
-		    source->ignored;
-}
-
-
-char *
-isc_lex_getsourcename(isc_lex_t *lex) {
-	inputsource *source;
-
-	REQUIRE(VALID_LEX(lex));
-	source = HEAD(lex->sources);
-
-	if (source == NULL)
-		return (NULL);
-
-	return (source->name);
-}
-
-unsigned long
-isc_lex_getsourceline(isc_lex_t *lex) {
-	inputsource *source;
-
-	REQUIRE(VALID_LEX(lex));
-	source = HEAD(lex->sources);
-
-	if (source == NULL)
-		return (0);
-
-	return (source->line);
-}
-
-
-isc_result_t
-isc_lex_setsourcename(isc_lex_t *lex, const char *name) {
-	inputsource *source;
-	char *newname;
-
-	REQUIRE(VALID_LEX(lex));
-	source = HEAD(lex->sources);
-
-	if (source == NULL)
-		return(ISC_R_NOTFOUND);
-	newname = isc_mem_strdup(lex->mctx, name);
-	if (newname == NULL)
-		return (ISC_R_NOMEMORY);
-	isc_mem_free(lex->mctx, source->name);
-	source->name = newname;
-	return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-isc_lex_isfile(isc_lex_t *lex) {
-	inputsource *source;
-
-	REQUIRE(VALID_LEX(lex));
-
-	source = HEAD(lex->sources);
-
-	if (source == NULL)
-		return (ISC_FALSE);
-
-	return (source->is_file);
-}
diff --git a/contrib/bind9/lib/isc/lfsr.c b/contrib/bind9/lib/isc/lfsr.c
deleted file mode 100644
index 0b8d782..0000000
--- a/contrib/bind9/lib/isc/lfsr.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lfsr.c,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <isc/assertions.h>
-#include <isc/lfsr.h>
-#include <isc/util.h>
-
-#define VALID_LFSR(x)	(x != NULL)
-
-void
-isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
-	      isc_uint32_t tap, unsigned int count,
-	      isc_lfsrreseed_t reseed, void *arg)
-{
-	REQUIRE(VALID_LFSR(lfsr));
-	REQUIRE(8 <= bits && bits <= 32);
-	REQUIRE(tap != 0);
-
-	lfsr->state = state;
-	lfsr->bits = bits;
-	lfsr->tap = tap;
-	lfsr->count = count;
-	lfsr->reseed = reseed;
-	lfsr->arg = arg;
-
-	if (count == 0 && reseed != NULL)
-		reseed(lfsr, arg);
-	if (lfsr->state == 0)
-		lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
-}
-
-/*!
- * Return the next state of the lfsr.
- */
-static inline isc_uint32_t
-lfsr_generate(isc_lfsr_t *lfsr)
-{
-
-	/*
-	 * If the previous state is zero, we must fill it with something
-	 * here, or we will begin to generate an extremely predictable output.
-	 *
-	 * First, give the reseed function a crack at it.  If the state is
-	 * still 0, set it to all ones.
-	 */
-	if (lfsr->state == 0) {
-		if (lfsr->reseed != NULL)
-			lfsr->reseed(lfsr, lfsr->arg);
-		if (lfsr->state == 0)
-			lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
-	}
-
-	if (lfsr->state & 0x01) {
-		lfsr->state = (lfsr->state >> 1) ^ lfsr->tap;
-		return (1);
-	} else {
-		lfsr->state >>= 1;
-		return (0);
-	}
-}
-
-void
-isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count)
-{
-	unsigned char *p;
-	unsigned int bit;
-	unsigned int byte;
-
-	REQUIRE(VALID_LFSR(lfsr));
-	REQUIRE(data != NULL);
-	REQUIRE(count > 0);
-
-	p = data;
-	byte = count;
-
-	while (byte--) {
-		*p = 0;
-		for (bit = 0; bit < 7; bit++) {
-			*p |= lfsr_generate(lfsr);
-			*p <<= 1;
-		}
-		*p |= lfsr_generate(lfsr);
-		p++;
-	}
-
-	if (lfsr->count != 0 && lfsr->reseed != NULL) {
-		if (lfsr->count <= count * 8)
-			lfsr->reseed(lfsr, lfsr->arg);
-		else
-			lfsr->count -= (count * 8);
-	}
-}
-
-static inline isc_uint32_t
-lfsr_skipgenerate(isc_lfsr_t *lfsr, unsigned int skip)
-{
-	while (skip--)
-		(void)lfsr_generate(lfsr);
-
-	(void)lfsr_generate(lfsr);
-
-	return (lfsr->state);
-}
-
-/*
- * Skip "skip" states in "lfsr".
- */
-void
-isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip)
-{
-	REQUIRE(VALID_LFSR(lfsr));
-
-	while (skip--)
-		(void)lfsr_generate(lfsr);
-}
-
-/*
- * Skip states in lfsr1 and lfsr2 using the other's current state.
- * Return the final state of lfsr1 ^ lfsr2.
- */
-isc_uint32_t
-isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2)
-{
-	isc_uint32_t state1, state2;
-	isc_uint32_t skip1, skip2;
-
-	REQUIRE(VALID_LFSR(lfsr1));
-	REQUIRE(VALID_LFSR(lfsr2));
-
-	skip1 = lfsr1->state & 0x01;
-	skip2 = lfsr2->state & 0x01;
-
-	/* cross-skip. */
-	state1 = lfsr_skipgenerate(lfsr1, skip2);
-	state2 = lfsr_skipgenerate(lfsr2, skip1);
-
-	return (state1 ^ state2);
-}
diff --git a/contrib/bind9/lib/isc/lib.c b/contrib/bind9/lib/isc/lib.c
deleted file mode 100644
index a505425..0000000
--- a/contrib/bind9/lib/isc/lib.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.c,v 1.16 2009/09/02 23:48:02 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <isc/app.h>
-#include <isc/lib.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/once.h>
-#include <isc/socket.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-/***
- *** Globals
- ***/
-
-LIBISC_EXTERNAL_DATA isc_msgcat_t *		isc_msgcat = NULL;
-
-
-/***
- *** Private
- ***/
-
-static isc_once_t		msgcat_once = ISC_ONCE_INIT;
-
-/***
- *** Functions
- ***/
-
-static void
-open_msgcat(void) {
-	isc_msgcat_open("libisc.cat", &isc_msgcat);
-}
-
-void
-isc_lib_initmsgcat(void) {
-	isc_result_t result;
-
-	/*!
-	 * Initialize the ISC library's message catalog, isc_msgcat, if it
-	 * has not already been initialized.
-	 */
-
-	result = isc_once_do(&msgcat_once, open_msgcat);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * Normally we'd use RUNTIME_CHECK() or FATAL_ERROR(), but
-		 * we can't do that here, since they might call us!
-		 * (Note that the catalog might be open anyway, so we might
-		 * as well try to  provide an internationalized message.)
-		 */
-		fprintf(stderr, "%s:%d: %s: isc_once_do() %s.\n",
-			__FILE__, __LINE__,
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-				       ISC_MSG_FATALERROR, "fatal error"),
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-				       ISC_MSG_FAILED, "failed"));
-		abort();
-	}
-}
-
-#ifndef BIND9
-static isc_once_t		register_once = ISC_ONCE_INIT;
-
-static void
-do_register(void) {
-	RUNTIME_CHECK(isc__mem_register() == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc__app_register() == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc__task_register() == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc__socket_register() == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc__timer_register() == ISC_R_SUCCESS);
-}
-
-void
-isc_lib_register() {
-	RUNTIME_CHECK(isc_once_do(&register_once, do_register)
-		      == ISC_R_SUCCESS);
-}
-#endif
diff --git a/contrib/bind9/lib/isc/log.c b/contrib/bind9/lib/isc/log.c
deleted file mode 100644
index 024d97c..0000000
--- a/contrib/bind9/lib/isc/log.c
+++ /dev/null
@@ -1,1764 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file
- * \author  Principal Authors: DCL */
-
-#include <config.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <time.h>
-
-#include <sys/types.h>	/* dev_t FreeBSD 2.1 */
-
-#include <isc/dir.h>
-#include <isc/file.h>
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/print.h>
-#include <isc/stat.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#define LCTX_MAGIC		ISC_MAGIC('L', 'c', 't', 'x')
-#define VALID_CONTEXT(lctx)	ISC_MAGIC_VALID(lctx, LCTX_MAGIC)
-
-#define LCFG_MAGIC		ISC_MAGIC('L', 'c', 'f', 'g')
-#define VALID_CONFIG(lcfg)	ISC_MAGIC_VALID(lcfg, LCFG_MAGIC)
-
-/*
- * XXXDCL make dynamic?
- */
-#define LOG_BUFFER_SIZE	(8 * 1024)
-
-#ifndef PATH_MAX
-#define PATH_MAX 1024	/* AIX and others don't define this. */
-#endif
-
-/*!
- * This is the structure that holds each named channel.  A simple linked
- * list chains all of the channels together, so an individual channel is
- * found by doing strcmp()s with the names down the list.  Their should
- * be no performance penalty from this as it is expected that the number
- * of named channels will be no more than a dozen or so, and name lookups
- * from the head of the list are only done when isc_log_usechannel() is
- * called, which should also be very infrequent.
- */
-typedef struct isc_logchannel isc_logchannel_t;
-
-struct isc_logchannel {
-	char *				name;
-	unsigned int			type;
-	int 				level;
-	unsigned int			flags;
-	isc_logdestination_t 		destination;
-	ISC_LINK(isc_logchannel_t)	link;
-};
-
-/*!
- * The logchannellist structure associates categories and modules with
- * channels.  First the appropriate channellist is found based on the
- * category, and then each structure in the linked list is checked for
- * a matching module.  It is expected that the number of channels
- * associated with any given category will be very short, no more than
- * three or four in the more unusual cases.
- */
-typedef struct isc_logchannellist isc_logchannellist_t;
-
-struct isc_logchannellist {
-	const isc_logmodule_t *		module;
-	isc_logchannel_t *		channel;
-	ISC_LINK(isc_logchannellist_t)	link;
-};
-
-/*!
- * This structure is used to remember messages for pruning via
- * isc_log_[v]write1().
- */
-typedef struct isc_logmessage isc_logmessage_t;
-
-struct isc_logmessage {
-	char *				text;
-	isc_time_t			time;
-	ISC_LINK(isc_logmessage_t)	link;
-};
-
-/*!
- * The isc_logconfig structure is used to store the configurable information
- * about where messages are actually supposed to be sent -- the information
- * that could changed based on some configuration file, as opposed to the
- * the category/module specification of isc_log_[v]write[1] that is compiled
- * into a program, or the debug_level which is dynamic state information.
- */
-struct isc_logconfig {
-	unsigned int			magic;
-	isc_log_t *			lctx;
-	ISC_LIST(isc_logchannel_t)	channels;
-	ISC_LIST(isc_logchannellist_t) *channellists;
-	unsigned int			channellist_count;
-	unsigned int			duplicate_interval;
-	int				highest_level;
-	char *				tag;
-	isc_boolean_t			dynamic;
-};
-
-/*!
- * This isc_log structure provides the context for the isc_log functions.
- * The log context locks itself in isc_log_doit, the internal backend to
- * isc_log_write.  The locking is necessary both to provide exclusive access
- * to the buffer into which the message is formatted and to guard against
- * competing threads trying to write to the same syslog resource.  (On
- * some systems, such as BSD/OS, stdio is thread safe but syslog is not.)
- * Unfortunately, the lock cannot guard against a _different_ logging
- * context in the same program competing for syslog's attention.  Thus
- * There Can Be Only One, but this is not enforced.
- * XXXDCL enforce it?
- *
- * Note that the category and module information is not locked.
- * This is because in the usual case, only one isc_log_t is ever created
- * in a program, and the category/module registration happens only once.
- * XXXDCL it might be wise to add more locking overall.
- */
-struct isc_log {
-	/* Not locked. */
-	unsigned int			magic;
-	isc_mem_t *			mctx;
-	isc_logcategory_t *		categories;
-	unsigned int			category_count;
-	isc_logmodule_t *		modules;
-	unsigned int			module_count;
-	int				debug_level;
-	isc_mutex_t			lock;
-	/* Locked by isc_log lock. */
-	isc_logconfig_t * 		logconfig;
-	char 				buffer[LOG_BUFFER_SIZE];
-	ISC_LIST(isc_logmessage_t)	messages;
-};
-
-/*!
- * Used when ISC_LOG_PRINTLEVEL is enabled for a channel.
- */
-static const char *log_level_strings[] = {
-	"debug",
-	"info",
-	"notice",
-	"warning",
-	"error",
-	"critical"
-};
-
-/*!
- * Used to convert ISC_LOG_* priorities into syslog priorities.
- * XXXDCL This will need modification for NT.
- */
-static const int syslog_map[] = {
-	LOG_DEBUG,
-	LOG_INFO,
-	LOG_NOTICE,
-	LOG_WARNING,
-	LOG_ERR,
-	LOG_CRIT
-};
-
-/*!
- * When adding new categories, a corresponding ISC_LOGCATEGORY_foo
- * definition needs to be added to <isc/log.h>.
- *
- * The default category is provided so that the internal default can
- * be overridden.  Since the default is always looked up as the first
- * channellist in the log context, it must come first in isc_categories[].
- */
-LIBISC_EXTERNAL_DATA isc_logcategory_t isc_categories[] = {
-	{ "default", 0 },	/* "default" must come first. */
-	{ "general", 0 },
-	{ NULL, 0 }
-};
-
-/*!
- * See above comment for categories on LIBISC_EXTERNAL_DATA, and apply it to modules.
- */
-LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
-	{ "socket", 0 },
-	{ "time", 0 },
-	{ "interface", 0 },
-	{ "timer", 0 },
-	{ "file", 0 },
-	{ NULL, 0 }
-};
-
-/*!
- * This essentially constant structure must be filled in at run time,
- * because its channel member is pointed to a channel that is created
- * dynamically with isc_log_createchannel.
- */
-static isc_logchannellist_t default_channel;
-
-/*!
- * libisc logs to this context.
- */
-LIBISC_EXTERNAL_DATA isc_log_t *isc_lctx = NULL;
-
-/*!
- * Forward declarations.
- */
-static isc_result_t
-assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
-	      const isc_logmodule_t *module, isc_logchannel_t *channel);
-
-static isc_result_t
-sync_channellist(isc_logconfig_t *lcfg);
-
-static isc_result_t
-greatest_version(isc_logchannel_t *channel, int *greatest);
-
-static isc_result_t
-roll_log(isc_logchannel_t *channel);
-
-static void
-isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
-	     isc_logmodule_t *module, int level, isc_boolean_t write_once,
-	     isc_msgcat_t *msgcat, int msgset, int msg,
-	     const char *format, va_list args)
-     ISC_FORMAT_PRINTF(9, 0);
-
-/*@{*/
-/*!
- * Convenience macros.
- */
-
-#define FACILITY(channel)	 (channel->destination.facility)
-#define FILE_NAME(channel)	 (channel->destination.file.name)
-#define FILE_STREAM(channel)	 (channel->destination.file.stream)
-#define FILE_VERSIONS(channel)	 (channel->destination.file.versions)
-#define FILE_MAXSIZE(channel)	 (channel->destination.file.maximum_size)
-#define FILE_MAXREACHED(channel) (channel->destination.file.maximum_reached)
-
-/*@}*/
-/****
- **** Public interfaces.
- ****/
-
-/*
- * Establish a new logging context, with default channels.
- */
-isc_result_t
-isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp) {
-	isc_log_t *lctx;
-	isc_logconfig_t *lcfg = NULL;
-	isc_result_t result;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(lctxp != NULL && *lctxp == NULL);
-	REQUIRE(lcfgp == NULL || *lcfgp == NULL);
-
-	lctx = isc_mem_get(mctx, sizeof(*lctx));
-	if (lctx != NULL) {
-		lctx->mctx = NULL;
-		isc_mem_attach(mctx, &lctx->mctx);
-		lctx->categories = NULL;
-		lctx->category_count = 0;
-		lctx->modules = NULL;
-		lctx->module_count = 0;
-		lctx->debug_level = 0;
-
-		ISC_LIST_INIT(lctx->messages);
-
-		result = isc_mutex_init(&lctx->lock);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_putanddetach(&mctx, lctx, sizeof(*lctx));
-			return (result);
-		}
-
-		/*
-		 * Normally setting the magic number is the last step done
-		 * in a creation function, but a valid log context is needed
-		 * by isc_log_registercategories and isc_logconfig_create.
-		 * If either fails, the lctx is destroyed and not returned
-		 * to the caller.
-		 */
-		lctx->magic = LCTX_MAGIC;
-
-		isc_log_registercategories(lctx, isc_categories);
-		isc_log_registermodules(lctx, isc_modules);
-		result = isc_logconfig_create(lctx, &lcfg);
-
-	} else
-		result = ISC_R_NOMEMORY;
-
-	if (result == ISC_R_SUCCESS)
-		result = sync_channellist(lcfg);
-
-	if (result == ISC_R_SUCCESS) {
-		lctx->logconfig = lcfg;
-
-		*lctxp = lctx;
-		if (lcfgp != NULL)
-			*lcfgp = lcfg;
-
-	} else {
-		if (lcfg != NULL)
-			isc_logconfig_destroy(&lcfg);
-		if (lctx != NULL)
-			isc_log_destroy(&lctx);
-	}
-
-	return (result);
-}
-
-isc_result_t
-isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp) {
-	isc_logconfig_t *lcfg;
-	isc_logdestination_t destination;
-	isc_result_t result = ISC_R_SUCCESS;
-	int level = ISC_LOG_INFO;
-
-	REQUIRE(lcfgp != NULL && *lcfgp == NULL);
-	REQUIRE(VALID_CONTEXT(lctx));
-
-	lcfg = isc_mem_get(lctx->mctx, sizeof(*lcfg));
-
-	if (lcfg != NULL) {
-		lcfg->lctx = lctx;
-		lcfg->channellists = NULL;
-		lcfg->channellist_count = 0;
-		lcfg->duplicate_interval = 0;
-		lcfg->highest_level = level;
-		lcfg->tag = NULL;
-		lcfg->dynamic = ISC_FALSE;
-
-		ISC_LIST_INIT(lcfg->channels);
-
-		/*
-		 * Normally the magic number is the last thing set in the
-		 * structure, but isc_log_createchannel() needs a valid
-		 * config.  If the channel creation fails, the lcfg is not
-		 * returned to the caller.
-		 */
-		lcfg->magic = LCFG_MAGIC;
-
-	} else
-		result = ISC_R_NOMEMORY;
-
-	/*
-	 * Create the default channels:
-	 *   	default_syslog, default_stderr, default_debug and null.
-	 */
-	if (result == ISC_R_SUCCESS) {
-		destination.facility = LOG_DAEMON;
-		result = isc_log_createchannel(lcfg, "default_syslog",
-					       ISC_LOG_TOSYSLOG, level,
-					       &destination, 0);
-	}
-
-	if (result == ISC_R_SUCCESS) {
-		destination.file.stream = stderr;
-		destination.file.name = NULL;
-		destination.file.versions = ISC_LOG_ROLLNEVER;
-		destination.file.maximum_size = 0;
-		result = isc_log_createchannel(lcfg, "default_stderr",
-					       ISC_LOG_TOFILEDESC,
-					       level,
-					       &destination,
-					       ISC_LOG_PRINTTIME);
-	}
-
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * Set the default category's channel to default_stderr,
-		 * which is at the head of the channels list because it was
-		 * just created.
-		 */
-		default_channel.channel = ISC_LIST_HEAD(lcfg->channels);
-
-		destination.file.stream = stderr;
-		destination.file.name = NULL;
-		destination.file.versions = ISC_LOG_ROLLNEVER;
-		destination.file.maximum_size = 0;
-		result = isc_log_createchannel(lcfg, "default_debug",
-					       ISC_LOG_TOFILEDESC,
-					       ISC_LOG_DYNAMIC,
-					       &destination,
-					       ISC_LOG_PRINTTIME);
-	}
-
-	if (result == ISC_R_SUCCESS)
-		result = isc_log_createchannel(lcfg, "null",
-					       ISC_LOG_TONULL,
-					       ISC_LOG_DYNAMIC,
-					       NULL, 0);
-
-	if (result == ISC_R_SUCCESS)
-		*lcfgp = lcfg;
-
-	else
-		if (lcfg != NULL)
-			isc_logconfig_destroy(&lcfg);
-
-	return (result);
-}
-
-isc_logconfig_t *
-isc_logconfig_get(isc_log_t *lctx) {
-	REQUIRE(VALID_CONTEXT(lctx));
-
-	ENSURE(lctx->logconfig != NULL);
-
-	return (lctx->logconfig);
-}
-
-isc_result_t
-isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg) {
-	isc_logconfig_t *old_cfg;
-	isc_result_t result;
-
-	REQUIRE(VALID_CONTEXT(lctx));
-	REQUIRE(VALID_CONFIG(lcfg));
-	REQUIRE(lcfg->lctx == lctx);
-
-	/*
-	 * Ensure that lcfg->channellist_count == lctx->category_count.
-	 * They won't be equal if isc_log_usechannel has not been called
-	 * since any call to isc_log_registercategories.
-	 */
-	result = sync_channellist(lcfg);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	LOCK(&lctx->lock);
-
-	old_cfg = lctx->logconfig;
-	lctx->logconfig = lcfg;
-
-	UNLOCK(&lctx->lock);
-
-	isc_logconfig_destroy(&old_cfg);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_log_destroy(isc_log_t **lctxp) {
-	isc_log_t *lctx;
-	isc_logconfig_t *lcfg;
-	isc_mem_t *mctx;
-	isc_logmessage_t *message;
-
-	REQUIRE(lctxp != NULL && VALID_CONTEXT(*lctxp));
-
-	lctx = *lctxp;
-	mctx = lctx->mctx;
-
-	if (lctx->logconfig != NULL) {
-		lcfg = lctx->logconfig;
-		lctx->logconfig = NULL;
-		isc_logconfig_destroy(&lcfg);
-	}
-
-	DESTROYLOCK(&lctx->lock);
-
-	while ((message = ISC_LIST_HEAD(lctx->messages)) != NULL) {
-		ISC_LIST_UNLINK(lctx->messages, message, link);
-
-		isc_mem_put(mctx, message,
-			    sizeof(*message) + strlen(message->text) + 1);
-	}
-
-	lctx->buffer[0] = '\0';
-	lctx->debug_level = 0;
-	lctx->categories = NULL;
-	lctx->category_count = 0;
-	lctx->modules = NULL;
-	lctx->module_count = 0;
-	lctx->mctx = NULL;
-	lctx->magic = 0;
-
-	isc_mem_putanddetach(&mctx, lctx, sizeof(*lctx));
-
-	*lctxp = NULL;
-}
-
-void
-isc_logconfig_destroy(isc_logconfig_t **lcfgp) {
-	isc_logconfig_t *lcfg;
-	isc_mem_t *mctx;
-	isc_logchannel_t *channel;
-	isc_logchannellist_t *item;
-	char *filename;
-	unsigned int i;
-
-	REQUIRE(lcfgp != NULL && VALID_CONFIG(*lcfgp));
-
-	lcfg = *lcfgp;
-
-	/*
-	 * This function cannot be called with a logconfig that is in
-	 * use by a log context.
-	 */
-	REQUIRE(lcfg->lctx != NULL && lcfg->lctx->logconfig != lcfg);
-
-	mctx = lcfg->lctx->mctx;
-
-	while ((channel = ISC_LIST_HEAD(lcfg->channels)) != NULL) {
-		ISC_LIST_UNLINK(lcfg->channels, channel, link);
-
-		if (channel->type == ISC_LOG_TOFILE) {
-			/*
-			 * The filename for the channel may have ultimately
-			 * started its life in user-land as a const string,
-			 * but in isc_log_createchannel it gets copied
-			 * into writable memory and is not longer truly const.
-			 */
-			DE_CONST(FILE_NAME(channel), filename);
-			isc_mem_free(mctx, filename);
-
-			if (FILE_STREAM(channel) != NULL)
-				(void)fclose(FILE_STREAM(channel));
-		}
-
-		isc_mem_free(mctx, channel->name);
-		isc_mem_put(mctx, channel, sizeof(*channel));
-	}
-
-	for (i = 0; i < lcfg->channellist_count; i++)
-		while ((item = ISC_LIST_HEAD(lcfg->channellists[i])) != NULL) {
-			ISC_LIST_UNLINK(lcfg->channellists[i], item, link);
-			isc_mem_put(mctx, item, sizeof(*item));
-		}
-
-	if (lcfg->channellist_count > 0)
-		isc_mem_put(mctx, lcfg->channellists,
-			    lcfg->channellist_count *
-			    sizeof(ISC_LIST(isc_logchannellist_t)));
-
-	lcfg->dynamic = ISC_FALSE;
-	if (lcfg->tag != NULL)
-		isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
-	lcfg->tag = NULL;
-	lcfg->highest_level = 0;
-	lcfg->duplicate_interval = 0;
-	lcfg->magic = 0;
-
-	isc_mem_put(mctx, lcfg, sizeof(*lcfg));
-
-	*lcfgp = NULL;
-}
-
-void
-isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]) {
-	isc_logcategory_t *catp;
-
-	REQUIRE(VALID_CONTEXT(lctx));
-	REQUIRE(categories != NULL && categories[0].name != NULL);
-
-	/*
-	 * XXXDCL This somewhat sleazy situation of using the last pointer
-	 * in one category array to point to the next array exists because
-	 * this registration function returns void and I didn't want to have
-	 * change everything that used it by making it return an isc_result_t.
-	 * It would need to do that if it had to allocate memory to store
-	 * pointers to each array passed in.
-	 */
-	if (lctx->categories == NULL)
-		lctx->categories = categories;
-
-	else {
-		/*
-		 * Adjust the last (NULL) pointer of the already registered
-		 * categories to point to the incoming array.
-		 */
-		for (catp = lctx->categories; catp->name != NULL; )
-			if (catp->id == UINT_MAX)
-				/*
-				 * The name pointer points to the next array.
-				 * Ick.
-				 */
-				DE_CONST(catp->name, catp);
-			else
-				catp++;
-
-		catp->name = (void *)categories;
-		catp->id = UINT_MAX;
-	}
-
-	/*
-	 * Update the id number of the category with its new global id.
-	 */
-	for (catp = categories; catp->name != NULL; catp++)
-		catp->id = lctx->category_count++;
-}
-
-isc_logcategory_t *
-isc_log_categorybyname(isc_log_t *lctx, const char *name) {
-	isc_logcategory_t *catp;
-
-	REQUIRE(VALID_CONTEXT(lctx));
-	REQUIRE(name != NULL);
-
-	for (catp = lctx->categories; catp->name != NULL; )
-		if (catp->id == UINT_MAX)
-			/*
-			 * catp is neither modified nor returned to the
-			 * caller, so removing its const qualifier is ok.
-			 */
-			DE_CONST(catp->name, catp);
-		else {
-			if (strcmp(catp->name, name) == 0)
-				return (catp);
-			catp++;
-		}
-
-	return (NULL);
-}
-
-void
-isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]) {
-	isc_logmodule_t *modp;
-
-	REQUIRE(VALID_CONTEXT(lctx));
-	REQUIRE(modules != NULL && modules[0].name != NULL);
-
-	/*
-	 * XXXDCL This somewhat sleazy situation of using the last pointer
-	 * in one category array to point to the next array exists because
-	 * this registration function returns void and I didn't want to have
-	 * change everything that used it by making it return an isc_result_t.
-	 * It would need to do that if it had to allocate memory to store
-	 * pointers to each array passed in.
-	 */
-	if (lctx->modules == NULL)
-		lctx->modules = modules;
-
-	else {
-		/*
-		 * Adjust the last (NULL) pointer of the already registered
-		 * modules to point to the incoming array.
-		 */
-		for (modp = lctx->modules; modp->name != NULL; )
-			if (modp->id == UINT_MAX)
-				/*
-				 * The name pointer points to the next array.
-				 * Ick.
-				 */
-				DE_CONST(modp->name, modp);
-			else
-				modp++;
-
-		modp->name = (void *)modules;
-		modp->id = UINT_MAX;
-	}
-
-	/*
-	 * Update the id number of the module with its new global id.
-	 */
-	for (modp = modules; modp->name != NULL; modp++)
-		modp->id = lctx->module_count++;
-}
-
-isc_logmodule_t *
-isc_log_modulebyname(isc_log_t *lctx, const char *name) {
-	isc_logmodule_t *modp;
-
-	REQUIRE(VALID_CONTEXT(lctx));
-	REQUIRE(name != NULL);
-
-	for (modp = lctx->modules; modp->name != NULL; )
-		if (modp->id == UINT_MAX)
-			/*
-			 * modp is neither modified nor returned to the
-			 * caller, so removing its const qualifier is ok.
-			 */
-			DE_CONST(modp->name, modp);
-		else {
-			if (strcmp(modp->name, name) == 0)
-				return (modp);
-			modp++;
-		}
-
-	return (NULL);
-}
-
-isc_result_t
-isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
-		      unsigned int type, int level,
-		      const isc_logdestination_t *destination,
-		      unsigned int flags)
-{
-	isc_logchannel_t *channel;
-	isc_mem_t *mctx;
-
-	REQUIRE(VALID_CONFIG(lcfg));
-	REQUIRE(name != NULL);
-	REQUIRE(type == ISC_LOG_TOSYSLOG   || type == ISC_LOG_TOFILE ||
-		type == ISC_LOG_TOFILEDESC || type == ISC_LOG_TONULL);
-	REQUIRE(destination != NULL || type == ISC_LOG_TONULL);
-	REQUIRE(level >= ISC_LOG_CRITICAL);
-	REQUIRE((flags &
-		 (unsigned int)~(ISC_LOG_PRINTALL | ISC_LOG_DEBUGONLY)) == 0);
-
-	/* XXXDCL find duplicate names? */
-
-	mctx = lcfg->lctx->mctx;
-
-	channel = isc_mem_get(mctx, sizeof(*channel));
-	if (channel == NULL)
-		return (ISC_R_NOMEMORY);
-
-	channel->name = isc_mem_strdup(mctx, name);
-	if (channel->name == NULL) {
-		isc_mem_put(mctx, channel, sizeof(*channel));
-		return (ISC_R_NOMEMORY);
-	}
-
-	channel->type = type;
-	channel->level = level;
-	channel->flags = flags;
-	ISC_LINK_INIT(channel, link);
-
-	switch (type) {
-	case ISC_LOG_TOSYSLOG:
-		FACILITY(channel) = destination->facility;
-		break;
-
-	case ISC_LOG_TOFILE:
-		/*
-		 * The file name is copied because greatest_version wants
-		 * to scribble on it, so it needs to be definitely in
-		 * writable memory.
-		 */
-		FILE_NAME(channel) =
-			isc_mem_strdup(mctx, destination->file.name);
-		FILE_STREAM(channel) = NULL;
-		FILE_VERSIONS(channel) = destination->file.versions;
-		FILE_MAXSIZE(channel) = destination->file.maximum_size;
-		FILE_MAXREACHED(channel) = ISC_FALSE;
-		break;
-
-	case ISC_LOG_TOFILEDESC:
-		FILE_NAME(channel) = NULL;
-		FILE_STREAM(channel) = destination->file.stream;
-		FILE_MAXSIZE(channel) = 0;
-		FILE_VERSIONS(channel) = ISC_LOG_ROLLNEVER;
-		break;
-
-	case ISC_LOG_TONULL:
-		/* Nothing. */
-		break;
-
-	default:
-		isc_mem_put(mctx, channel->name, strlen(channel->name) + 1);
-		isc_mem_put(mctx, channel, sizeof(*channel));
-		return (ISC_R_UNEXPECTED);
-	}
-
-	ISC_LIST_PREPEND(lcfg->channels, channel, link);
-
-	/*
-	 * If default_stderr was redefined, make the default category
-	 * point to the new default_stderr.
-	 */
-	if (strcmp(name, "default_stderr") == 0)
-		default_channel.channel = channel;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
-		   const isc_logcategory_t *category,
-		   const isc_logmodule_t *module)
-{
-	isc_log_t *lctx;
-	isc_logchannel_t *channel;
-	isc_result_t result = ISC_R_SUCCESS;
-	unsigned int i;
-
-	REQUIRE(VALID_CONFIG(lcfg));
-	REQUIRE(name != NULL);
-
-	lctx = lcfg->lctx;
-
-	REQUIRE(category == NULL || category->id < lctx->category_count);
-	REQUIRE(module == NULL || module->id < lctx->module_count);
-
-	for (channel = ISC_LIST_HEAD(lcfg->channels); channel != NULL;
-	     channel = ISC_LIST_NEXT(channel, link))
-		if (strcmp(name, channel->name) == 0)
-			break;
-
-	if (channel == NULL)
-		return (ISC_R_NOTFOUND);
-
-	if (category != NULL)
-		result = assignchannel(lcfg, category->id, module, channel);
-
-	else
-		/*
-		 * Assign to all categories.  Note that this includes
-		 * the default channel.
-		 */
-		for (i = 0; i < lctx->category_count; i++) {
-			result = assignchannel(lcfg, i, module, channel);
-			if (result != ISC_R_SUCCESS)
-				break;
-		}
-
-	return (result);
-}
-
-void
-isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
-	      isc_logmodule_t *module, int level, const char *format, ...)
-{
-	va_list args;
-
-	/*
-	 * Contract checking is done in isc_log_doit().
-	 */
-
-	va_start(args, format);
-	isc_log_doit(lctx, category, module, level, ISC_FALSE,
-		     NULL, 0, 0, format, args);
-	va_end(args);
-}
-
-void
-isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level,
-	       const char *format, va_list args)
-{
-	/*
-	 * Contract checking is done in isc_log_doit().
-	 */
-	isc_log_doit(lctx, category, module, level, ISC_FALSE,
-		     NULL, 0, 0, format, args);
-}
-
-void
-isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level, const char *format, ...)
-{
-	va_list args;
-
-	/*
-	 * Contract checking is done in isc_log_doit().
-	 */
-
-	va_start(args, format);
-	isc_log_doit(lctx, category, module, level, ISC_TRUE,
-		     NULL, 0, 0, format, args);
-	va_end(args);
-}
-
-void
-isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
-		isc_logmodule_t *module, int level,
-		const char *format, va_list args)
-{
-	/*
-	 * Contract checking is done in isc_log_doit().
-	 */
-	isc_log_doit(lctx, category, module, level, ISC_TRUE,
-		     NULL, 0, 0, format, args);
-}
-
-void
-isc_log_iwrite(isc_log_t *lctx, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level,
-	       isc_msgcat_t *msgcat, int msgset, int msg,
-	       const char *format, ...)
-{
-	va_list args;
-
-	/*
-	 * Contract checking is done in isc_log_doit().
-	 */
-
-	va_start(args, format);
-	isc_log_doit(lctx, category, module, level, ISC_FALSE,
-		     msgcat, msgset, msg, format, args);
-	va_end(args);
-}
-
-void
-isc_log_ivwrite(isc_log_t *lctx, isc_logcategory_t *category,
-	       isc_logmodule_t *module, int level,
-	       isc_msgcat_t *msgcat, int msgset, int msg,
-	       const char *format, va_list args)
-{
-	/*
-	 * Contract checking is done in isc_log_doit().
-	 */
-	isc_log_doit(lctx, category, module, level, ISC_FALSE,
-		     msgcat, msgset, msg, format, args);
-}
-
-void
-isc_log_iwrite1(isc_log_t *lctx, isc_logcategory_t *category,
-		isc_logmodule_t *module, int level,
-		isc_msgcat_t *msgcat, int msgset, int msg,
-		const char *format, ...)
-{
-	va_list args;
-
-	/*
-	 * Contract checking is done in isc_log_doit().
-	 */
-
-	va_start(args, format);
-	isc_log_doit(lctx, category, module, level, ISC_TRUE,
-		     msgcat, msgset, msg, format, args);
-	va_end(args);
-}
-
-void
-isc_log_ivwrite1(isc_log_t *lctx, isc_logcategory_t *category,
-		 isc_logmodule_t *module, int level,
-		 isc_msgcat_t *msgcat, int msgset, int msg,
-		 const char *format, va_list args)
-{
-	/*
-	 * Contract checking is done in isc_log_doit().
-	 */
-	isc_log_doit(lctx, category, module, level, ISC_TRUE,
-		     msgcat, msgset, msg, format, args);
-}
-
-void
-isc_log_setcontext(isc_log_t *lctx) {
-	isc_lctx = lctx;
-}
-
-void
-isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level) {
-	isc_logchannel_t *channel;
-
-	REQUIRE(VALID_CONTEXT(lctx));
-
-	LOCK(&lctx->lock);
-
-	lctx->debug_level = level;
-	/*
-	 * Close ISC_LOG_DEBUGONLY channels if level is zero.
-	 */
-	if (lctx->debug_level == 0)
-		for (channel = ISC_LIST_HEAD(lctx->logconfig->channels);
-		     channel != NULL;
-		     channel = ISC_LIST_NEXT(channel, link))
-			if (channel->type == ISC_LOG_TOFILE &&
-			    (channel->flags & ISC_LOG_DEBUGONLY) != 0 &&
-			    FILE_STREAM(channel) != NULL) {
-				(void)fclose(FILE_STREAM(channel));
-				FILE_STREAM(channel) = NULL;
-			}
-	UNLOCK(&lctx->lock);
-}
-
-unsigned int
-isc_log_getdebuglevel(isc_log_t *lctx) {
-	REQUIRE(VALID_CONTEXT(lctx));
-
-	return (lctx->debug_level);
-}
-
-void
-isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval) {
-	REQUIRE(VALID_CONFIG(lcfg));
-
-	lcfg->duplicate_interval = interval;
-}
-
-unsigned int
-isc_log_getduplicateinterval(isc_logconfig_t *lcfg) {
-	REQUIRE(VALID_CONTEXT(lcfg));
-
-	return (lcfg->duplicate_interval);
-}
-
-isc_result_t
-isc_log_settag(isc_logconfig_t *lcfg, const char *tag) {
-	REQUIRE(VALID_CONFIG(lcfg));
-
-	if (tag != NULL && *tag != '\0') {
-		if (lcfg->tag != NULL)
-			isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
-		lcfg->tag = isc_mem_strdup(lcfg->lctx->mctx, tag);
-		if (lcfg->tag == NULL)
-			return (ISC_R_NOMEMORY);
-
-	} else {
-		if (lcfg->tag != NULL)
-			isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
-		lcfg->tag = NULL;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-char *
-isc_log_gettag(isc_logconfig_t *lcfg) {
-	REQUIRE(VALID_CONFIG(lcfg));
-
-	return (lcfg->tag);
-}
-
-/* XXXDCL NT  -- This interface will assuredly be changing. */
-void
-isc_log_opensyslog(const char *tag, int options, int facility) {
-	(void)openlog(tag, options, facility);
-}
-
-void
-isc_log_closefilelogs(isc_log_t *lctx) {
-	isc_logchannel_t *channel;
-
-	REQUIRE(VALID_CONTEXT(lctx));
-
-	LOCK(&lctx->lock);
-	for (channel = ISC_LIST_HEAD(lctx->logconfig->channels);
-	     channel != NULL;
-	     channel = ISC_LIST_NEXT(channel, link))
-
-		if (channel->type == ISC_LOG_TOFILE &&
-		    FILE_STREAM(channel) != NULL) {
-			(void)fclose(FILE_STREAM(channel));
-			FILE_STREAM(channel) = NULL;
-		}
-	UNLOCK(&lctx->lock);
-}
-
-/****
- **** Internal functions
- ****/
-
-static isc_result_t
-assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
-	      const isc_logmodule_t *module, isc_logchannel_t *channel)
-{
-	isc_logchannellist_t *new_item;
-	isc_log_t *lctx;
-	isc_result_t result;
-
-	REQUIRE(VALID_CONFIG(lcfg));
-
-	lctx = lcfg->lctx;
-
-	REQUIRE(category_id < lctx->category_count);
-	REQUIRE(module == NULL || module->id < lctx->module_count);
-	REQUIRE(channel != NULL);
-
-	/*
-	 * Ensure lcfg->channellist_count == lctx->category_count.
-	 */
-	result = sync_channellist(lcfg);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	new_item = isc_mem_get(lctx->mctx, sizeof(*new_item));
-	if (new_item == NULL)
-		return (ISC_R_NOMEMORY);
-
-	new_item->channel = channel;
-	new_item->module = module;
-	ISC_LIST_INITANDPREPEND(lcfg->channellists[category_id],
-			       new_item, link);
-
-	/*
-	 * Remember the highest logging level set by any channel in the
-	 * logging config, so isc_log_doit() can quickly return if the
-	 * message is too high to be logged by any channel.
-	 */
-	if (channel->type != ISC_LOG_TONULL) {
-		if (lcfg->highest_level < channel->level)
-			lcfg->highest_level = channel->level;
-		if (channel->level == ISC_LOG_DYNAMIC)
-			lcfg->dynamic = ISC_TRUE;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * This would ideally be part of isc_log_registercategories(), except then
- * that function would have to return isc_result_t instead of void.
- */
-static isc_result_t
-sync_channellist(isc_logconfig_t *lcfg) {
-	unsigned int bytes;
-	isc_log_t *lctx;
-	void *lists;
-
-	REQUIRE(VALID_CONFIG(lcfg));
-
-	lctx = lcfg->lctx;
-
-	REQUIRE(lctx->category_count != 0);
-
-	if (lctx->category_count == lcfg->channellist_count)
-		return (ISC_R_SUCCESS);
-
-	bytes = lctx->category_count * sizeof(ISC_LIST(isc_logchannellist_t));
-
-	lists = isc_mem_get(lctx->mctx, bytes);
-
-	if (lists == NULL)
-		return (ISC_R_NOMEMORY);
-
-	memset(lists, 0, bytes);
-
-	if (lcfg->channellist_count != 0) {
-		bytes = lcfg->channellist_count *
-			sizeof(ISC_LIST(isc_logchannellist_t));
-		memcpy(lists, lcfg->channellists, bytes);
-		isc_mem_put(lctx->mctx, lcfg->channellists, bytes);
-	}
-
-	lcfg->channellists = lists;
-	lcfg->channellist_count = lctx->category_count;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-greatest_version(isc_logchannel_t *channel, int *greatestp) {
-	/* XXXDCL HIGHLY NT */
-	char *basename, *digit_end;
-	const char *dirname;
-	int version, greatest = -1;
-	unsigned int basenamelen;
-	isc_dir_t dir;
-	isc_result_t result;
-	char sep = '/';
-#ifdef _WIN32
-	char *basename2;
-#endif
-
-	REQUIRE(channel->type == ISC_LOG_TOFILE);
-
-	/*
-	 * It is safe to DE_CONST the file.name because it was copied
-	 * with isc_mem_strdup in isc_log_createchannel.
-	 */
-	basename = strrchr(FILE_NAME(channel), sep);
-#ifdef _WIN32
-	basename2 = strrchr(FILE_NAME(channel), '\\');
-	if ((basename != NULL && basename2 != NULL && basename2 > basename) ||
-	    (basename == NULL && basename2 != NULL)) {
-		basename = basename2;
-		sep = '\\';
-	}
-#endif
-	if (basename != NULL) {
-		*basename++ = '\0';
-		dirname = FILE_NAME(channel);
-	} else {
-		DE_CONST(FILE_NAME(channel), basename);
-		dirname = ".";
-	}
-	basenamelen = strlen(basename);
-
-	isc_dir_init(&dir);
-	result = isc_dir_open(&dir, dirname);
-
-	/*
-	 * Replace the file separator if it was taken out.
-	 */
-	if (basename != FILE_NAME(channel))
-		*(basename - 1) = sep;
-
-	/*
-	 * Return if the directory open failed.
-	 */
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
-		if (dir.entry.length > basenamelen &&
-		    strncmp(dir.entry.name, basename, basenamelen) == 0 &&
-		    dir.entry.name[basenamelen] == '.') {
-
-			version = strtol(&dir.entry.name[basenamelen + 1],
-					 &digit_end, 10);
-			if (*digit_end == '\0' && version > greatest)
-				greatest = version;
-		}
-	}
-	isc_dir_close(&dir);
-
-	*greatestp = ++greatest;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-roll_log(isc_logchannel_t *channel) {
-	int i, n, greatest;
-	char current[PATH_MAX + 1];
-	char new[PATH_MAX + 1];
-	const char *path;
-	isc_result_t result;
-
-	/*
-	 * Do nothing (not even excess version trimming) if ISC_LOG_ROLLNEVER
-	 * is specified.  Apparently complete external control over the log
-	 * files is desired.
-	 */
-	if (FILE_VERSIONS(channel) == ISC_LOG_ROLLNEVER)
-		return (ISC_R_SUCCESS);
-
-	path = FILE_NAME(channel);
-
-	/*
-	 * Set greatest_version to the greatest existing version
-	 * (not the maximum requested version).  This is 1 based even
-	 * though the file names are 0 based, so an oldest log of log.1
-	 * is a greatest_version of 2.
-	 */
-	result = greatest_version(channel, &greatest);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Now greatest should be set to the highest version number desired.
-	 * Since the highest number is one less than FILE_VERSIONS(channel)
-	 * when not doing infinite log rolling, greatest will need to be
-	 * decremented when it is equal to -- or greater than --
-	 * FILE_VERSIONS(channel).  When greatest is less than
-	 * FILE_VERSIONS(channel), it is already suitable for use as
-	 * the maximum version number.
-	 */
-
-	if (FILE_VERSIONS(channel) == ISC_LOG_ROLLINFINITE ||
-	    FILE_VERSIONS(channel) > greatest)
-		;		/* Do nothing. */
-	else
-		/*
-		 * When greatest is >= FILE_VERSIONS(channel), it needs to
-		 * be reduced until it is FILE_VERSIONS(channel) - 1.
-		 * Remove any excess logs on the way to that value.
-		 */
-		while (--greatest >= FILE_VERSIONS(channel)) {
-			n = snprintf(current, sizeof(current), "%s.%d",
-				     path, greatest);
-			if (n >= (int)sizeof(current) || n < 0)
-				result = ISC_R_NOSPACE;
-			else
-				result = isc_file_remove(current);
-			if (result != ISC_R_SUCCESS &&
-			    result != ISC_R_FILENOTFOUND)
-				syslog(LOG_ERR,
-				       "unable to remove log file '%s.%d': %s",
-				       path, greatest,
-				       isc_result_totext(result));
-		}
-
-	for (i = greatest; i > 0; i--) {
-		result = ISC_R_SUCCESS;
-		n = snprintf(current, sizeof(current), "%s.%d", path, i - 1);
-		if (n >= (int)sizeof(current) || n < 0)
-			result = ISC_R_NOSPACE;
-		if (result == ISC_R_SUCCESS) {
-			n = snprintf(new, sizeof(new), "%s.%d", path, i);
-			if (n >= (int)sizeof(new) || n < 0)
-				result = ISC_R_NOSPACE;
-		}
-		if (result == ISC_R_SUCCESS)
-			result = isc_file_rename(current, new);
-		if (result != ISC_R_SUCCESS &&
-		    result != ISC_R_FILENOTFOUND)
-			syslog(LOG_ERR,
-			       "unable to rename log file '%s.%d' to "
-			       "'%s.%d': %s", path, i - 1, path, i,
-			       isc_result_totext(result));
-	}
-
-	if (FILE_VERSIONS(channel) != 0) {
-		n = snprintf(new, sizeof(new), "%s.0", path);
-		if (n >= (int)sizeof(new) || n < 0)
-			result = ISC_R_NOSPACE;
-		else
-			result = isc_file_rename(path, new);
-		if (result != ISC_R_SUCCESS &&
-		    result != ISC_R_FILENOTFOUND)
-			syslog(LOG_ERR,
-			       "unable to rename log file '%s' to '%s.0': %s",
-			       path, path, isc_result_totext(result));
-	} else {
-		result = isc_file_remove(path);
-		if (result != ISC_R_SUCCESS &&
-		    result != ISC_R_FILENOTFOUND)
-			syslog(LOG_ERR, "unable to remove log file '%s': %s",
-			       path, isc_result_totext(result));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-isc_log_open(isc_logchannel_t *channel) {
-	struct stat statbuf;
-	isc_boolean_t regular_file;
-	isc_boolean_t roll = ISC_FALSE;
-	isc_result_t result = ISC_R_SUCCESS;
-	const char *path;
-
-	REQUIRE(channel->type == ISC_LOG_TOFILE);
-	REQUIRE(FILE_STREAM(channel) == NULL);
-
-	path = FILE_NAME(channel);
-
-	REQUIRE(path != NULL && *path != '\0');
-
-	/*
-	 * Determine type of file; only regular files will be
-	 * version renamed, and only if the base file exists
-	 * and either has no size limit or has reached its size limit.
-	 */
-	if (stat(path, &statbuf) == 0) {
-		regular_file = S_ISREG(statbuf.st_mode) ? ISC_TRUE : ISC_FALSE;
-		/* XXXDCL if not regular_file complain? */
-		if ((FILE_MAXSIZE(channel) == 0 &&
-		     FILE_VERSIONS(channel) != ISC_LOG_ROLLNEVER) ||
-		    (FILE_MAXSIZE(channel) > 0 &&
-		     statbuf.st_size >= FILE_MAXSIZE(channel)))
-			roll = regular_file;
-	} else if (errno == ENOENT) {
-		regular_file = ISC_TRUE;
-		POST(regular_file);
-	} else
-		result = ISC_R_INVALIDFILE;
-
-	/*
-	 * Version control.
-	 */
-	if (result == ISC_R_SUCCESS && roll) {
-		if (FILE_VERSIONS(channel) == ISC_LOG_ROLLNEVER)
-			return (ISC_R_MAXSIZE);
-		result = roll_log(channel);
-		if (result != ISC_R_SUCCESS) {
-			if ((channel->flags & ISC_LOG_OPENERR) == 0) {
-				syslog(LOG_ERR,
-				       "isc_log_open: roll_log '%s' "
-				       "failed: %s",
-				       FILE_NAME(channel),
-				       isc_result_totext(result));
-				channel->flags |= ISC_LOG_OPENERR;
-			}
-			return (result);
-		}
-	}
-
-	result = isc_stdio_open(path, "a", &FILE_STREAM(channel));
-
-	return (result);
-}
-
-isc_boolean_t
-isc_log_wouldlog(isc_log_t *lctx, int level) {
-	/*
-	 * Try to avoid locking the mutex for messages which can't
-	 * possibly be logged to any channels -- primarily debugging
-	 * messages that the debug level is not high enough to print.
-	 *
-	 * If the level is (mathematically) less than or equal to the
-	 * highest_level, or if there is a dynamic channel and the level is
-	 * less than or equal to the debug level, the main loop must be
-	 * entered to see if the message should really be output.
-	 *
-	 * NOTE: this is UNLOCKED access to the logconfig.  However,
-	 * the worst thing that can happen is that a bad decision is made
-	 * about returning without logging, and that's not a big concern,
-	 * because that's a risk anyway if the logconfig is being
-	 * dynamically changed.
-	 */
-
-	if (lctx == NULL || lctx->logconfig == NULL)
-		return (ISC_FALSE);
-
-	return (ISC_TF(level <= lctx->logconfig->highest_level ||
-		       (lctx->logconfig->dynamic &&
-			level <= lctx->debug_level)));
-}
-
-static void
-isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
-	     isc_logmodule_t *module, int level, isc_boolean_t write_once,
-	     isc_msgcat_t *msgcat, int msgset, int msg,
-	     const char *format, va_list args)
-{
-	int syslog_level;
-	char time_string[64];
-	char level_string[24];
-	const char *iformat;
-	struct stat statbuf;
-	isc_boolean_t matched = ISC_FALSE;
-	isc_boolean_t printtime, printtag;
-	isc_boolean_t printcategory, printmodule, printlevel;
-	isc_logconfig_t *lcfg;
-	isc_logchannel_t *channel;
-	isc_logchannellist_t *category_channels;
-	isc_result_t result;
-
-	REQUIRE(lctx == NULL || VALID_CONTEXT(lctx));
-	REQUIRE(category != NULL);
-	REQUIRE(module != NULL);
-	REQUIRE(level != ISC_LOG_DYNAMIC);
-	REQUIRE(format != NULL);
-
-	/*
-	 * Programs can use libraries that use this logging code without
-	 * wanting to do any logging, thus the log context is allowed to
-	 * be non-existent.
-	 */
-	if (lctx == NULL)
-		return;
-
-	REQUIRE(category->id < lctx->category_count);
-	REQUIRE(module->id < lctx->module_count);
-
-	if (! isc_log_wouldlog(lctx, level))
-		return;
-
-	if (msgcat != NULL)
-		iformat = isc_msgcat_get(msgcat, msgset, msg, format);
-	else
-		iformat = format;
-
-	time_string[0]  = '\0';
-	level_string[0] = '\0';
-
-	LOCK(&lctx->lock);
-
-	lctx->buffer[0] = '\0';
-
-	lcfg = lctx->logconfig;
-
-	category_channels = ISC_LIST_HEAD(lcfg->channellists[category->id]);
-
-	/*
-	 * XXXDCL add duplicate filtering? (To not write multiple times to
-	 * the same source via various channels).
-	 */
-	do {
-		/*
-		 * If the channel list end was reached and a match was made,
-		 * everything is finished.
-		 */
-		if (category_channels == NULL && matched)
-			break;
-
-		if (category_channels == NULL && ! matched &&
-		    category_channels != ISC_LIST_HEAD(lcfg->channellists[0]))
-			/*
-			 * No category/module pair was explicitly configured.
-			 * Try the category named "default".
-			 */
-			category_channels =
-				ISC_LIST_HEAD(lcfg->channellists[0]);
-
-		if (category_channels == NULL && ! matched)
-			/*
-			 * No matching module was explicitly configured
-			 * for the category named "default".  Use the internal
-			 * default channel.
-			 */
-			category_channels = &default_channel;
-
-		if (category_channels->module != NULL &&
-		    category_channels->module != module) {
-			category_channels = ISC_LIST_NEXT(category_channels,
-							  link);
-			continue;
-		}
-
-		matched = ISC_TRUE;
-
-		channel = category_channels->channel;
-		category_channels = ISC_LIST_NEXT(category_channels, link);
-
-		if (((channel->flags & ISC_LOG_DEBUGONLY) != 0) &&
-		    lctx->debug_level == 0)
-			continue;
-
-		if (channel->level == ISC_LOG_DYNAMIC) {
-			if (lctx->debug_level < level)
-				continue;
-		} else if (channel->level < level)
-			continue;
-
-		if ((channel->flags & ISC_LOG_PRINTTIME) != 0 &&
-		    time_string[0] == '\0') {
-			isc_time_t isctime;
-
-			TIME_NOW(&isctime);
-			isc_time_formattimestamp(&isctime, time_string,
-						 sizeof(time_string));
-		}
-
-		if ((channel->flags & ISC_LOG_PRINTLEVEL) != 0 &&
-		    level_string[0] == '\0') {
-			if (level < ISC_LOG_CRITICAL)
-				snprintf(level_string, sizeof(level_string),
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_LOG,
-							ISC_MSG_LEVEL,
-							"level %d: "),
-					 level);
-			else if (level > ISC_LOG_DYNAMIC)
-				snprintf(level_string, sizeof(level_string),
-					 "%s %d: ", log_level_strings[0],
-					 level);
-			else
-				snprintf(level_string, sizeof(level_string),
-					 "%s: ", log_level_strings[-level]);
-		}
-
-		/*
-		 * Only format the message once.
-		 */
-		if (lctx->buffer[0] == '\0') {
-			(void)vsnprintf(lctx->buffer, sizeof(lctx->buffer),
-					iformat, args);
-
-			/*
-			 * Check for duplicates.
-			 */
-			if (write_once) {
-				isc_logmessage_t *message, *new;
-				isc_time_t oldest;
-				isc_interval_t interval;
-
-				isc_interval_set(&interval,
-						 lcfg->duplicate_interval, 0);
-
-				/*
-				 * 'oldest' is the age of the oldest messages
-				 * which fall within the duplicate_interval
-				 * range.
-				 */
-				TIME_NOW(&oldest);
-				if (isc_time_subtract(&oldest, &interval, &oldest)
-				    != ISC_R_SUCCESS)
-					/*
-					 * Can't effectively do the checking
-					 * without having a valid time.
-					 */
-					message = NULL;
-				else
-					message =ISC_LIST_HEAD(lctx->messages);
-
-				while (message != NULL) {
-					if (isc_time_compare(&message->time,
-							     &oldest) < 0) {
-						/*
-						 * This message is older
-						 * than the duplicate_interval,
-						 * so it should be dropped from
-						 * the history.
-						 *
-						 * Setting the interval to be
-						 * to be longer will obviously
-						 * not cause the expired
-						 * message to spring back into
-						 * existence.
-						 */
-						new = ISC_LIST_NEXT(message,
-								    link);
-
-						ISC_LIST_UNLINK(lctx->messages,
-								message, link);
-
-						isc_mem_put(lctx->mctx,
-							message,
-							sizeof(*message) + 1 +
-							strlen(message->text));
-
-						message = new;
-						continue;
-					}
-
-					/*
-					 * This message is in the duplicate
-					 * filtering interval ...
-					 */
-					if (strcmp(lctx->buffer, message->text)
-					    == 0) {
-						/*
-						 * ... and it is a duplicate.
-						 * Unlock the mutex and
-						 * get the hell out of Dodge.
-						 */
-						UNLOCK(&lctx->lock);
-						return;
-					}
-
-					message = ISC_LIST_NEXT(message, link);
-				}
-
-				/*
-				 * It wasn't in the duplicate interval,
-				 * so add it to the message list.
-				 */
-				new = isc_mem_get(lctx->mctx,
-						  sizeof(isc_logmessage_t) +
-						  strlen(lctx->buffer) + 1);
-				if (new != NULL) {
-					/*
-					 * Put the text immediately after
-					 * the struct.  The strcpy is safe.
-					 */
-					new->text = (char *)(new + 1);
-					strcpy(new->text, lctx->buffer);
-
-					TIME_NOW(&new->time);
-
-					ISC_LIST_APPEND(lctx->messages,
-							new, link);
-				}
-			}
-		}
-
-		printtime     = ISC_TF((channel->flags & ISC_LOG_PRINTTIME)
-				       != 0);
-		printtag      = ISC_TF((channel->flags & ISC_LOG_PRINTTAG)
-				       != 0 && lcfg->tag != NULL);
-		printcategory = ISC_TF((channel->flags & ISC_LOG_PRINTCATEGORY)
-				       != 0);
-		printmodule   = ISC_TF((channel->flags & ISC_LOG_PRINTMODULE)
-				       != 0);
-		printlevel    = ISC_TF((channel->flags & ISC_LOG_PRINTLEVEL)
-				       != 0);
-
-		switch (channel->type) {
-		case ISC_LOG_TOFILE:
-			if (FILE_MAXREACHED(channel)) {
-				/*
-				 * If the file can be rolled, OR
-				 * If the file no longer exists, OR
-				 * If the file is less than the maximum size,
-				 *    (such as if it had been renamed and
-				 *     a new one touched, or it was truncated
-				 *     in place)
-				 * ... then close it to trigger reopening.
-				 */
-				if (FILE_VERSIONS(channel) !=
-				    ISC_LOG_ROLLNEVER ||
-				    (stat(FILE_NAME(channel), &statbuf) != 0 &&
-				     errno == ENOENT) ||
-				    statbuf.st_size < FILE_MAXSIZE(channel)) {
-					(void)fclose(FILE_STREAM(channel));
-					FILE_STREAM(channel) = NULL;
-					FILE_MAXREACHED(channel) = ISC_FALSE;
-				} else
-					/*
-					 * Eh, skip it.
-					 */
-					break;
-			}
-
-			if (FILE_STREAM(channel) == NULL) {
-				result = isc_log_open(channel);
-				if (result != ISC_R_SUCCESS &&
-				    result != ISC_R_MAXSIZE &&
-				    (channel->flags & ISC_LOG_OPENERR) == 0) {
-					syslog(LOG_ERR,
-					       "isc_log_open '%s' failed: %s",
-					       FILE_NAME(channel),
-					       isc_result_totext(result));
-					channel->flags |= ISC_LOG_OPENERR;
-				}
-				if (result != ISC_R_SUCCESS)
-					break;
-				channel->flags &= ~ISC_LOG_OPENERR;
-			}
-			/* FALLTHROUGH */
-
-		case ISC_LOG_TOFILEDESC:
-			fprintf(FILE_STREAM(channel), "%s%s%s%s%s%s%s%s%s%s\n",
-				printtime     ? time_string	: "",
-				printtime     ? " "		: "",
-				printtag      ? lcfg->tag	: "",
-				printtag      ? ": "		: "",
-				printcategory ? category->name	: "",
-				printcategory ? ": "		: "",
-				printmodule   ? (module != NULL ? module->name
-								: "no_module")
-								: "",
-				printmodule   ? ": "		: "",
-				printlevel    ? level_string	: "",
-				lctx->buffer);
-
-			fflush(FILE_STREAM(channel));
-
-			/*
-			 * If the file now exceeds its maximum size
-			 * threshold, note it so that it will not be logged
-			 * to any more.
-			 */
-			if (FILE_MAXSIZE(channel) > 0) {
-				INSIST(channel->type == ISC_LOG_TOFILE);
-
-				/* XXXDCL NT fstat/fileno */
-				/* XXXDCL complain if fstat fails? */
-				if (fstat(fileno(FILE_STREAM(channel)),
-					  &statbuf) >= 0 &&
-				    statbuf.st_size > FILE_MAXSIZE(channel))
-					FILE_MAXREACHED(channel) = ISC_TRUE;
-			}
-
-			break;
-
-		case ISC_LOG_TOSYSLOG:
-			if (level > 0)
-				syslog_level = LOG_DEBUG;
-			else if (level < ISC_LOG_CRITICAL)
-				syslog_level = LOG_CRIT;
-			else
-				syslog_level = syslog_map[-level];
-
-			(void)syslog(FACILITY(channel) | syslog_level,
-			       "%s%s%s%s%s%s%s%s%s%s",
-			       printtime     ? time_string	: "",
-			       printtime     ? " "		: "",
-			       printtag      ? lcfg->tag	: "",
-			       printtag      ? ": "		: "",
-			       printcategory ? category->name	: "",
-			       printcategory ? ": "		: "",
-			       printmodule   ? (module != NULL	? module->name
-								: "no_module")
-								: "",
-			       printmodule   ? ": "		: "",
-			       printlevel    ? level_string	: "",
-			       lctx->buffer);
-			break;
-
-		case ISC_LOG_TONULL:
-			break;
-
-		}
-
-	} while (1);
-
-	UNLOCK(&lctx->lock);
-}
diff --git a/contrib/bind9/lib/isc/md5.c b/contrib/bind9/lib/isc/md5.c
deleted file mode 100644
index 7c6419b..0000000
--- a/contrib/bind9/lib/isc/md5.c
+++ /dev/null
@@ -1,277 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: md5.c,v 1.16 2009/02/06 23:47:42 tbox Exp $ */
-
-/*! \file
- * This code implements the MD5 message-digest algorithm.
- * The algorithm is due to Ron Rivest.  This code was
- * written by Colin Plumb in 1993, no copyright is claimed.
- * This code is in the public domain; do with it what you wish.
- *
- * Equivalent code is available from RSA Data Security, Inc.
- * This code has been tested against that, and is equivalent,
- * except that you don't need to include two pages of legalese
- * with every copy.
- *
- * To compute the message digest of a chunk of bytes, declare an
- * MD5Context structure, pass it to MD5Init, call MD5Update as
- * needed on buffers full of bytes, and then call MD5Final, which
- * will fill a supplied 16-byte array with the digest.
- */
-
-#include "config.h"
-
-#include <isc/assertions.h>
-#include <isc/md5.h>
-#include <isc/platform.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-
-void
-isc_md5_init(isc_md5_t *ctx) {
-	EVP_DigestInit(ctx, EVP_md5());
-}
-
-void
-isc_md5_invalidate(isc_md5_t *ctx) {
-	EVP_MD_CTX_cleanup(ctx);
-}
-
-void
-isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
-	EVP_DigestUpdate(ctx, (const void *) buf, (size_t) len);
-}
-
-void
-isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
-	EVP_DigestFinal(ctx, digest, NULL);
-}
-
-#else
-
-static void
-byteSwap(isc_uint32_t *buf, unsigned words)
-{
-	unsigned char *p = (unsigned char *)buf;
-
-	do {
-		*buf++ = (isc_uint32_t)((unsigned)p[3] << 8 | p[2]) << 16 |
-			((unsigned)p[1] << 8 | p[0]);
-		p += 4;
-	} while (--words);
-}
-
-/*!
- * Start MD5 accumulation.  Set bit count to 0 and buffer to mysterious
- * initialization constants.
- */
-void
-isc_md5_init(isc_md5_t *ctx) {
-	ctx->buf[0] = 0x67452301;
-	ctx->buf[1] = 0xefcdab89;
-	ctx->buf[2] = 0x98badcfe;
-	ctx->buf[3] = 0x10325476;
-
-	ctx->bytes[0] = 0;
-	ctx->bytes[1] = 0;
-}
-
-void
-isc_md5_invalidate(isc_md5_t *ctx) {
-	memset(ctx, 0, sizeof(isc_md5_t));
-}
-
-/*@{*/
-/*! The four core functions - F1 is optimized somewhat */
-
-/* #define F1(x, y, z) (x & y | ~x & z) */
-#define F1(x, y, z) (z ^ (x & (y ^ z)))
-#define F2(x, y, z) F1(z, x, y)
-#define F3(x, y, z) (x ^ y ^ z)
-#define F4(x, y, z) (y ^ (x | ~z))
-/*@}*/
-
-/*! This is the central step in the MD5 algorithm. */
-#define MD5STEP(f,w,x,y,z,in,s) \
-	 (w += f(x,y,z) + in, w = (w<<s | w>>(32-s)) + x)
-
-/*!
- * The core of the MD5 algorithm, this alters an existing MD5 hash to
- * reflect the addition of 16 longwords of new data.  MD5Update blocks
- * the data and converts bytes into longwords for this routine.
- */
-static void
-transform(isc_uint32_t buf[4], isc_uint32_t const in[16]) {
-	register isc_uint32_t a, b, c, d;
-
-	a = buf[0];
-	b = buf[1];
-	c = buf[2];
-	d = buf[3];
-
-	MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
-	MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
-	MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
-	MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
-	MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
-	MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
-	MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
-	MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
-	MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
-	MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
-	MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
-	MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
-	MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
-	MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
-	MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
-	MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
-
-	MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
-	MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
-	MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
-	MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
-	MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
-	MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
-	MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
-	MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
-	MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
-	MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
-	MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
-	MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
-	MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
-	MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
-	MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
-	MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
-
-	MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
-	MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
-	MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
-	MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
-	MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
-	MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
-	MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
-	MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
-	MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
-	MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
-	MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
-	MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
-	MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
-	MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
-	MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
-	MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
-
-	MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
-	MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
-	MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
-	MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
-	MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
-	MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
-	MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
-	MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
-	MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
-	MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
-	MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
-	MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
-	MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
-	MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
-	MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
-	MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
-
-	buf[0] += a;
-	buf[1] += b;
-	buf[2] += c;
-	buf[3] += d;
-}
-
-/*!
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
-	isc_uint32_t t;
-
-	/* Update byte count */
-
-	t = ctx->bytes[0];
-	if ((ctx->bytes[0] = t + len) < t)
-		ctx->bytes[1]++;	/* Carry from low to high */
-
-	t = 64 - (t & 0x3f);	/* Space available in ctx->in (at least 1) */
-	if (t > len) {
-		memcpy((unsigned char *)ctx->in + 64 - t, buf, len);
-		return;
-	}
-	/* First chunk is an odd size */
-	memcpy((unsigned char *)ctx->in + 64 - t, buf, t);
-	byteSwap(ctx->in, 16);
-	transform(ctx->buf, ctx->in);
-	buf += t;
-	len -= t;
-
-	/* Process data in 64-byte chunks */
-	while (len >= 64) {
-		memcpy(ctx->in, buf, 64);
-		byteSwap(ctx->in, 16);
-		transform(ctx->buf, ctx->in);
-		buf += 64;
-		len -= 64;
-	}
-
-	/* Handle any remaining bytes of data. */
-	memcpy(ctx->in, buf, len);
-}
-
-/*!
- * Final wrapup - pad to 64-byte boundary with the bit pattern
- * 1 0* (64-bit count of bits processed, MSB-first)
- */
-void
-isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
-	int count = ctx->bytes[0] & 0x3f;    /* Number of bytes in ctx->in */
-	unsigned char *p = (unsigned char *)ctx->in + count;
-
-	/* Set the first char of padding to 0x80.  There is always room. */
-	*p++ = 0x80;
-
-	/* Bytes of padding needed to make 56 bytes (-8..55) */
-	count = 56 - 1 - count;
-
-	if (count < 0) {	/* Padding forces an extra block */
-		memset(p, 0, count + 8);
-		byteSwap(ctx->in, 16);
-		transform(ctx->buf, ctx->in);
-		p = (unsigned char *)ctx->in;
-		count = 56;
-	}
-	memset(p, 0, count);
-	byteSwap(ctx->in, 14);
-
-	/* Append length in bits and transform */
-	ctx->in[14] = ctx->bytes[0] << 3;
-	ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29;
-	transform(ctx->buf, ctx->in);
-
-	byteSwap(ctx->buf, 4);
-	memcpy(digest, ctx->buf, 16);
-	memset(ctx, 0, sizeof(isc_md5_t));	/* In case it's sensitive */
-}
-#endif
diff --git a/contrib/bind9/lib/isc/mem.c b/contrib/bind9/lib/isc/mem.c
deleted file mode 100644
index 20fec46..0000000
--- a/contrib/bind9/lib/isc/mem.c
+++ /dev/null
@@ -1,2514 +0,0 @@
-/*
- * Copyright (C) 2004-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-
-#include <limits.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/once.h>
-#include <isc/ondestroy.h>
-#include <isc/string.h>
-#include <isc/mutex.h>
-#include <isc/print.h>
-#include <isc/util.h>
-#include <isc/xml.h>
-
-#define MCTXLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) LOCK(l)
-#define MCTXUNLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) UNLOCK(l)
-
-#ifndef ISC_MEM_DEBUGGING
-#define ISC_MEM_DEBUGGING 0
-#endif
-LIBISC_EXTERNAL_DATA unsigned int isc_mem_debugging = ISC_MEM_DEBUGGING;
-
-/*
- * Constants.
- */
-
-#define DEF_MAX_SIZE		1100
-#define DEF_MEM_TARGET		4096
-#define ALIGNMENT_SIZE		8U		/*%< must be a power of 2 */
-#define NUM_BASIC_BLOCKS	64		/*%< must be > 1 */
-#define TABLE_INCREMENT		1024
-#define DEBUGLIST_COUNT		1024
-
-/*
- * Types.
- */
-typedef struct isc__mem isc__mem_t;
-typedef struct isc__mempool isc__mempool_t;
-
-#if ISC_MEM_TRACKLINES
-typedef struct debuglink debuglink_t;
-struct debuglink {
-	ISC_LINK(debuglink_t)	link;
-	const void	       *ptr[DEBUGLIST_COUNT];
-	unsigned int		size[DEBUGLIST_COUNT];
-	const char	       *file[DEBUGLIST_COUNT];
-	unsigned int		line[DEBUGLIST_COUNT];
-	unsigned int		count;
-};
-
-#define FLARG_PASS	, file, line
-#define FLARG		, const char *file, unsigned int line
-#else
-#define FLARG_PASS
-#define FLARG
-#endif
-
-typedef struct element element;
-struct element {
-	element *		next;
-};
-
-typedef struct {
-	/*!
-	 * This structure must be ALIGNMENT_SIZE bytes.
-	 */
-	union {
-		size_t		size;
-		isc__mem_t	*ctx;
-		char		bytes[ALIGNMENT_SIZE];
-	} u;
-} size_info;
-
-struct stats {
-	unsigned long		gets;
-	unsigned long		totalgets;
-	unsigned long		blocks;
-	unsigned long		freefrags;
-};
-
-#define MEM_MAGIC		ISC_MAGIC('M', 'e', 'm', 'C')
-#define VALID_CONTEXT(c)	ISC_MAGIC_VALID(c, MEM_MAGIC)
-
-#if ISC_MEM_TRACKLINES
-typedef ISC_LIST(debuglink_t)	debuglist_t;
-#endif
-
-/* List of all active memory contexts. */
-
-static ISC_LIST(isc__mem_t)	contexts;
-static isc_once_t		once = ISC_ONCE_INIT;
-static isc_mutex_t		lock;
-
-/*%
- * Total size of lost memory due to a bug of external library.
- * Locked by the global lock.
- */
-static isc_uint64_t		totallost;
-
-struct isc__mem {
-	isc_mem_t		common;
-	isc_ondestroy_t		ondestroy;
-	unsigned int		flags;
-	isc_mutex_t		lock;
-	isc_memalloc_t		memalloc;
-	isc_memfree_t		memfree;
-	void *			arg;
-	size_t			max_size;
-	isc_boolean_t		checkfree;
-	struct stats *		stats;
-	unsigned int		references;
-	char			name[16];
-	void *			tag;
-	size_t			quota;
-	size_t			total;
-	size_t			inuse;
-	size_t			maxinuse;
-	size_t			hi_water;
-	size_t			lo_water;
-	isc_boolean_t		hi_called;
-	isc_boolean_t		is_overmem;
-	isc_mem_water_t		water;
-	void *			water_arg;
-	ISC_LIST(isc__mempool_t) pools;
-	unsigned int		poolcnt;
-
-	/*  ISC_MEMFLAG_INTERNAL */
-	size_t			mem_target;
-	element **		freelists;
-	element *		basic_blocks;
-	unsigned char **	basic_table;
-	unsigned int		basic_table_count;
-	unsigned int		basic_table_size;
-	unsigned char *		lowest;
-	unsigned char *		highest;
-
-#if ISC_MEM_TRACKLINES
-	debuglist_t *	 	debuglist;
-	unsigned int		debuglistcnt;
-#endif
-
-	unsigned int		memalloc_failures;
-	ISC_LINK(isc__mem_t)	link;
-};
-
-#define MEMPOOL_MAGIC		ISC_MAGIC('M', 'E', 'M', 'p')
-#define VALID_MEMPOOL(c)	ISC_MAGIC_VALID(c, MEMPOOL_MAGIC)
-
-struct isc__mempool {
-	/* always unlocked */
-	isc_mempool_t	common;		/*%< common header of mempool's */
-	isc_mutex_t    *lock;		/*%< optional lock */
-	isc__mem_t      *mctx;		/*%< our memory context */
-	/*%< locked via the memory context's lock */
-	ISC_LINK(isc__mempool_t)	link;	/*%< next pool in this mem context */
-	/*%< optionally locked from here down */
-	element	       *items;		/*%< low water item list */
-	size_t		size;		/*%< size of each item on this pool */
-	unsigned int	maxalloc;	/*%< max number of items allowed */
-	unsigned int	allocated;	/*%< # of items currently given out */
-	unsigned int	freecount;	/*%< # of items on reserved list */
-	unsigned int	freemax;	/*%< # of items allowed on free list */
-	unsigned int	fillcount;	/*%< # of items to fetch on each fill */
-	/*%< Stats only. */
-	unsigned int	gets;		/*%< # of requests to this pool */
-	/*%< Debugging only. */
-#if ISC_MEMPOOL_NAMES
-	char		name[16];	/*%< printed name in stats reports */
-#endif
-};
-
-/*
- * Private Inline-able.
- */
-
-#if ! ISC_MEM_TRACKLINES
-#define ADD_TRACE(a, b, c, d, e)
-#define DELETE_TRACE(a, b, c, d, e)
-#define ISC_MEMFUNC_SCOPE
-#else
-#define ADD_TRACE(a, b, c, d, e) \
-	do { \
-		if ((isc_mem_debugging & (ISC_MEM_DEBUGTRACE | \
-					  ISC_MEM_DEBUGRECORD)) != 0 && \
-		     b != NULL) \
-			 add_trace_entry(a, b, c, d, e); \
-	} while (0)
-#define DELETE_TRACE(a, b, c, d, e)	delete_trace_entry(a, b, c, d, e)
-
-static void
-print_active(isc__mem_t *ctx, FILE *out);
-
-/*%
- * The following can be either static or public, depending on build environment.
- */
-
-#ifdef BIND9
-#define ISC_MEMFUNC_SCOPE
-#else
-#define ISC_MEMFUNC_SCOPE static
-#endif
-
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_createx(size_t init_max_size, size_t target_size,
-		 isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
-		 isc_mem_t **ctxp);
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_createx2(size_t init_max_size, size_t target_size,
-		  isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
-		  isc_mem_t **ctxp, unsigned int flags);
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_create(size_t init_max_size, size_t target_size, isc_mem_t **ctxp);
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_create2(size_t init_max_size, size_t target_size,
-		 isc_mem_t **ctxp, unsigned int flags);
-ISC_MEMFUNC_SCOPE void
-isc__mem_attach(isc_mem_t *source, isc_mem_t **targetp);
-ISC_MEMFUNC_SCOPE void
-isc__mem_detach(isc_mem_t **ctxp);
-ISC_MEMFUNC_SCOPE void
-isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG);
-ISC_MEMFUNC_SCOPE void
-isc__mem_destroy(isc_mem_t **ctxp);
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event);
-ISC_MEMFUNC_SCOPE void *
-isc___mem_get(isc_mem_t *ctx, size_t size FLARG);
-ISC_MEMFUNC_SCOPE void
-isc___mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG);
-ISC_MEMFUNC_SCOPE void
-isc__mem_stats(isc_mem_t *ctx, FILE *out);
-ISC_MEMFUNC_SCOPE void *
-isc___mem_allocate(isc_mem_t *ctx, size_t size FLARG);
-ISC_MEMFUNC_SCOPE void *
-isc___mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG);
-ISC_MEMFUNC_SCOPE void
-isc___mem_free(isc_mem_t *ctx, void *ptr FLARG);
-ISC_MEMFUNC_SCOPE char *
-isc___mem_strdup(isc_mem_t *mctx, const char *s FLARG);
-ISC_MEMFUNC_SCOPE void
-isc__mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag);
-ISC_MEMFUNC_SCOPE void
-isc__mem_setquota(isc_mem_t *ctx, size_t quota);
-ISC_MEMFUNC_SCOPE size_t
-isc__mem_getquota(isc_mem_t *ctx);
-ISC_MEMFUNC_SCOPE size_t
-isc__mem_inuse(isc_mem_t *ctx);
-ISC_MEMFUNC_SCOPE isc_boolean_t
-isc__mem_isovermem(isc_mem_t *ctx);
-ISC_MEMFUNC_SCOPE void
-isc__mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
-		  size_t hiwater, size_t lowater);
-ISC_MEMFUNC_SCOPE void
-isc__mem_waterack(isc_mem_t *ctx0, int flag);
-ISC_MEMFUNC_SCOPE void
-isc__mem_setname(isc_mem_t *ctx, const char *name, void *tag);
-ISC_MEMFUNC_SCOPE const char *
-isc__mem_getname(isc_mem_t *ctx);
-ISC_MEMFUNC_SCOPE void *
-isc__mem_gettag(isc_mem_t *ctx);
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
-ISC_MEMFUNC_SCOPE void
-isc__mempool_setname(isc_mempool_t *mpctx, const char *name);
-ISC_MEMFUNC_SCOPE void
-isc__mempool_destroy(isc_mempool_t **mpctxp);
-ISC_MEMFUNC_SCOPE void
-isc__mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
-ISC_MEMFUNC_SCOPE void *
-isc___mempool_get(isc_mempool_t *mpctx FLARG);
-ISC_MEMFUNC_SCOPE void
-isc___mempool_put(isc_mempool_t *mpctx, void *mem FLARG);
-ISC_MEMFUNC_SCOPE void
-isc__mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getfreemax(isc_mempool_t *mpctx);
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getfreecount(isc_mempool_t *mpctx);
-ISC_MEMFUNC_SCOPE void
-isc__mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getmaxalloc(isc_mempool_t *mpctx);
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getallocated(isc_mempool_t *mpctx);
-ISC_MEMFUNC_SCOPE void
-isc__mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getfillcount(isc_mempool_t *mpctx);
-#ifdef BIND9
-ISC_MEMFUNC_SCOPE void
-isc__mem_printactive(isc_mem_t *ctx0, FILE *file);
-ISC_MEMFUNC_SCOPE void
-isc__mem_printallactive(FILE *file);
-ISC_MEMFUNC_SCOPE void
-isc__mem_checkdestroyed(FILE *file);
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mem_references(isc_mem_t *ctx0);
-#endif
-#endif /* ISC_MEM_TRACKLINES */
-
-static struct isc__memmethods {
-	isc_memmethods_t methods;
-
-	/*%
-	 * The following are defined just for avoiding unused static functions.
-	 */
-#ifndef BIND9
-	void *createx, *create, *create2, *ondestroy, *stats,
-		*setquota, *getquota, *setname, *getname, *gettag;
-#endif
-} memmethods = {
-	{
-		isc__mem_attach,
-		isc__mem_detach,
-		isc__mem_destroy,
-		isc___mem_get,
-		isc___mem_put,
-		isc___mem_putanddetach,
-		isc___mem_allocate,
-		isc___mem_reallocate,
-		isc___mem_strdup,
-		isc___mem_free,
-		isc__mem_setdestroycheck,
-		isc__mem_setwater,
-		isc__mem_waterack,
-		isc__mem_inuse,
-		isc__mem_isovermem,
-		isc__mempool_create
-	}
-#ifndef BIND9
-	,
-	(void *)isc__mem_createx, (void *)isc__mem_create,
-	(void *)isc__mem_create2, (void *)isc__mem_ondestroy,
-	(void *)isc__mem_stats, (void *)isc__mem_setquota,
-	(void *)isc__mem_getquota, (void *)isc__mem_setname,
-	(void *)isc__mem_getname, (void *)isc__mem_gettag
-#endif
-};
-
-static struct isc__mempoolmethods {
-	isc_mempoolmethods_t methods;
-
-	/*%
-	 * The following are defined just for avoiding unused static functions.
-	 */
-#ifndef BIND9
-	void *getfreemax, *getfreecount, *getmaxalloc, *getfillcount;
-#endif
-} mempoolmethods = {
-	{
-		isc__mempool_destroy,
-		isc___mempool_get,
-		isc___mempool_put,
-		isc__mempool_getallocated,
-		isc__mempool_setmaxalloc,
-		isc__mempool_setfreemax,
-		isc__mempool_setname,
-		isc__mempool_associatelock,
-		isc__mempool_setfillcount
-	}
-#ifndef BIND9
-	,
-	(void *)isc__mempool_getfreemax, (void *)isc__mempool_getfreecount,
-	(void *)isc__mempool_getmaxalloc, (void *)isc__mempool_getfillcount
-#endif
-};
-
-#if ISC_MEM_TRACKLINES
-/*!
- * mctx must be locked.
- */
-static inline void
-add_trace_entry(isc__mem_t *mctx, const void *ptr, unsigned int size
-		FLARG)
-{
-	debuglink_t *dl;
-	unsigned int i;
-	unsigned int mysize = size;
-
-	if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
-		fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-					       ISC_MSG_ADDTRACE,
-					       "add %p size %u "
-					       "file %s line %u mctx %p\n"),
-			ptr, size, file, line, mctx);
-
-	if (mctx->debuglist == NULL)
-		return;
-
-	if (mysize > mctx->max_size)
-		mysize = mctx->max_size;
-
-	dl = ISC_LIST_HEAD(mctx->debuglist[mysize]);
-	while (dl != NULL) {
-		if (dl->count == DEBUGLIST_COUNT)
-			goto next;
-		for (i = 0; i < DEBUGLIST_COUNT; i++) {
-			if (dl->ptr[i] == NULL) {
-				dl->ptr[i] = ptr;
-				dl->size[i] = size;
-				dl->file[i] = file;
-				dl->line[i] = line;
-				dl->count++;
-				return;
-			}
-		}
-	next:
-		dl = ISC_LIST_NEXT(dl, link);
-	}
-
-	dl = malloc(sizeof(debuglink_t));
-	INSIST(dl != NULL);
-
-	ISC_LINK_INIT(dl, link);
-	for (i = 1; i < DEBUGLIST_COUNT; i++) {
-		dl->ptr[i] = NULL;
-		dl->size[i] = 0;
-		dl->file[i] = NULL;
-		dl->line[i] = 0;
-	}
-
-	dl->ptr[0] = ptr;
-	dl->size[0] = size;
-	dl->file[0] = file;
-	dl->line[0] = line;
-	dl->count = 1;
-
-	ISC_LIST_PREPEND(mctx->debuglist[mysize], dl, link);
-	mctx->debuglistcnt++;
-}
-
-static inline void
-delete_trace_entry(isc__mem_t *mctx, const void *ptr, unsigned int size,
-		   const char *file, unsigned int line)
-{
-	debuglink_t *dl;
-	unsigned int i;
-
-	if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
-		fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-					       ISC_MSG_DELTRACE,
-					       "del %p size %u "
-					       "file %s line %u mctx %p\n"),
-			ptr, size, file, line, mctx);
-
-	if (mctx->debuglist == NULL)
-		return;
-
-	if (size > mctx->max_size)
-		size = mctx->max_size;
-
-	dl = ISC_LIST_HEAD(mctx->debuglist[size]);
-	while (dl != NULL) {
-		for (i = 0; i < DEBUGLIST_COUNT; i++) {
-			if (dl->ptr[i] == ptr) {
-				dl->ptr[i] = NULL;
-				dl->size[i] = 0;
-				dl->file[i] = NULL;
-				dl->line[i] = 0;
-
-				INSIST(dl->count > 0);
-				dl->count--;
-				if (dl->count == 0) {
-					ISC_LIST_UNLINK(mctx->debuglist[size],
-							dl, link);
-					free(dl);
-				}
-				return;
-			}
-		}
-		dl = ISC_LIST_NEXT(dl, link);
-	}
-
-	/*
-	 * If we get here, we didn't find the item on the list.  We're
-	 * screwed.
-	 */
-	INSIST(dl != NULL);
-}
-#endif /* ISC_MEM_TRACKLINES */
-
-static inline size_t
-rmsize(size_t size) {
-	/*
-	 * round down to ALIGNMENT_SIZE
-	 */
-	return (size & (~(ALIGNMENT_SIZE - 1)));
-}
-
-static inline size_t
-quantize(size_t size) {
-	/*!
-	 * Round up the result in order to get a size big
-	 * enough to satisfy the request and be aligned on ALIGNMENT_SIZE
-	 * byte boundaries.
-	 */
-
-	if (size == 0U)
-		return (ALIGNMENT_SIZE);
-	return ((size + ALIGNMENT_SIZE - 1) & (~(ALIGNMENT_SIZE - 1)));
-}
-
-static inline isc_boolean_t
-more_basic_blocks(isc__mem_t *ctx) {
-	void *new;
-	unsigned char *curr, *next;
-	unsigned char *first, *last;
-	unsigned char **table;
-	unsigned int table_size;
-	size_t increment;
-	int i;
-
-	/* Require: we hold the context lock. */
-
-	/*
-	 * Did we hit the quota for this context?
-	 */
-	increment = NUM_BASIC_BLOCKS * ctx->mem_target;
-	if (ctx->quota != 0U && ctx->total + increment > ctx->quota)
-		return (ISC_FALSE);
-
-	INSIST(ctx->basic_table_count <= ctx->basic_table_size);
-	if (ctx->basic_table_count == ctx->basic_table_size) {
-		table_size = ctx->basic_table_size + TABLE_INCREMENT;
-		table = (ctx->memalloc)(ctx->arg,
-					table_size * sizeof(unsigned char *));
-		if (table == NULL) {
-			ctx->memalloc_failures++;
-			return (ISC_FALSE);
-		}
-		if (ctx->basic_table_size != 0) {
-			memcpy(table, ctx->basic_table,
-			       ctx->basic_table_size *
-			       sizeof(unsigned char *));
-			(ctx->memfree)(ctx->arg, ctx->basic_table);
-		}
-		ctx->basic_table = table;
-		ctx->basic_table_size = table_size;
-	}
-
-	new = (ctx->memalloc)(ctx->arg, NUM_BASIC_BLOCKS * ctx->mem_target);
-	if (new == NULL) {
-		ctx->memalloc_failures++;
-		return (ISC_FALSE);
-	}
-	ctx->total += increment;
-	ctx->basic_table[ctx->basic_table_count] = new;
-	ctx->basic_table_count++;
-
-	curr = new;
-	next = curr + ctx->mem_target;
-	for (i = 0; i < (NUM_BASIC_BLOCKS - 1); i++) {
-		((element *)curr)->next = (element *)next;
-		curr = next;
-		next += ctx->mem_target;
-	}
-	/*
-	 * curr is now pointing at the last block in the
-	 * array.
-	 */
-	((element *)curr)->next = NULL;
-	first = new;
-	last = first + NUM_BASIC_BLOCKS * ctx->mem_target - 1;
-	if (first < ctx->lowest || ctx->lowest == NULL)
-		ctx->lowest = first;
-	if (last > ctx->highest)
-		ctx->highest = last;
-	ctx->basic_blocks = new;
-
-	return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-more_frags(isc__mem_t *ctx, size_t new_size) {
-	int i, frags;
-	size_t total_size;
-	void *new;
-	unsigned char *curr, *next;
-
-	/*!
-	 * Try to get more fragments by chopping up a basic block.
-	 */
-
-	if (ctx->basic_blocks == NULL) {
-		if (!more_basic_blocks(ctx)) {
-			/*
-			 * We can't get more memory from the OS, or we've
-			 * hit the quota for this context.
-			 */
-			/*
-			 * XXXRTH  "At quota" notification here.
-			 */
-			return (ISC_FALSE);
-		}
-	}
-
-	total_size = ctx->mem_target;
-	new = ctx->basic_blocks;
-	ctx->basic_blocks = ctx->basic_blocks->next;
-	frags = total_size / new_size;
-	ctx->stats[new_size].blocks++;
-	ctx->stats[new_size].freefrags += frags;
-	/*
-	 * Set up a linked-list of blocks of size
-	 * "new_size".
-	 */
-	curr = new;
-	next = curr + new_size;
-	total_size -= new_size;
-	for (i = 0; i < (frags - 1); i++) {
-		((element *)curr)->next = (element *)next;
-		curr = next;
-		next += new_size;
-		total_size -= new_size;
-	}
-	/*
-	 * Add the remaining fragment of the basic block to a free list.
-	 */
-	total_size = rmsize(total_size);
-	if (total_size > 0U) {
-		((element *)next)->next = ctx->freelists[total_size];
-		ctx->freelists[total_size] = (element *)next;
-		ctx->stats[total_size].freefrags++;
-	}
-	/*
-	 * curr is now pointing at the last block in the
-	 * array.
-	 */
-	((element *)curr)->next = NULL;
-	ctx->freelists[new_size] = new;
-
-	return (ISC_TRUE);
-}
-
-static inline void *
-mem_getunlocked(isc__mem_t *ctx, size_t size) {
-	size_t new_size = quantize(size);
-	void *ret;
-
-	if (size >= ctx->max_size || new_size >= ctx->max_size) {
-		/*
-		 * memget() was called on something beyond our upper limit.
-		 */
-		if (ctx->quota != 0U && ctx->total + size > ctx->quota) {
-			ret = NULL;
-			goto done;
-		}
-		ret = (ctx->memalloc)(ctx->arg, size);
-		if (ret == NULL) {
-			ctx->memalloc_failures++;
-			goto done;
-		}
-		ctx->total += size;
-		ctx->inuse += size;
-		ctx->stats[ctx->max_size].gets++;
-		ctx->stats[ctx->max_size].totalgets++;
-		/*
-		 * If we don't set new_size to size, then the
-		 * ISC_MEM_FILL code might write over bytes we
-		 * don't own.
-		 */
-		new_size = size;
-		goto done;
-	}
-
-	/*
-	 * If there are no blocks in the free list for this size, get a chunk
-	 * of memory and then break it up into "new_size"-sized blocks, adding
-	 * them to the free list.
-	 */
-	if (ctx->freelists[new_size] == NULL && !more_frags(ctx, new_size))
-		return (NULL);
-
-	/*
-	 * The free list uses the "rounded-up" size "new_size".
-	 */
-	ret = ctx->freelists[new_size];
-	ctx->freelists[new_size] = ctx->freelists[new_size]->next;
-
-	/*
-	 * The stats[] uses the _actual_ "size" requested by the
-	 * caller, with the caveat (in the code above) that "size" >= the
-	 * max. size (max_size) ends up getting recorded as a call to
-	 * max_size.
-	 */
-	ctx->stats[size].gets++;
-	ctx->stats[size].totalgets++;
-	ctx->stats[new_size].freefrags--;
-	ctx->inuse += new_size;
-
- done:
-
-#if ISC_MEM_FILL
-	if (ret != NULL)
-		memset(ret, 0xbe, new_size); /* Mnemonic for "beef". */
-#endif
-
-	return (ret);
-}
-
-#if ISC_MEM_FILL && ISC_MEM_CHECKOVERRUN
-static inline void
-check_overrun(void *mem, size_t size, size_t new_size) {
-	unsigned char *cp;
-
-	cp = (unsigned char *)mem;
-	cp += size;
-	while (size < new_size) {
-		INSIST(*cp == 0xbe);
-		cp++;
-		size++;
-	}
-}
-#endif
-
-static inline void
-mem_putunlocked(isc__mem_t *ctx, void *mem, size_t size) {
-	size_t new_size = quantize(size);
-
-	if (size == ctx->max_size || new_size >= ctx->max_size) {
-		/*
-		 * memput() called on something beyond our upper limit.
-		 */
-#if ISC_MEM_FILL
-		memset(mem, 0xde, size); /* Mnemonic for "dead". */
-#endif
-		(ctx->memfree)(ctx->arg, mem);
-		INSIST(ctx->stats[ctx->max_size].gets != 0U);
-		ctx->stats[ctx->max_size].gets--;
-		INSIST(size <= ctx->total);
-		ctx->inuse -= size;
-		ctx->total -= size;
-		return;
-	}
-
-#if ISC_MEM_FILL
-#if ISC_MEM_CHECKOVERRUN
-	check_overrun(mem, size, new_size);
-#endif
-	memset(mem, 0xde, new_size); /* Mnemonic for "dead". */
-#endif
-
-	/*
-	 * The free list uses the "rounded-up" size "new_size".
-	 */
-	((element *)mem)->next = ctx->freelists[new_size];
-	ctx->freelists[new_size] = (element *)mem;
-
-	/*
-	 * The stats[] uses the _actual_ "size" requested by the
-	 * caller, with the caveat (in the code above) that "size" >= the
-	 * max. size (max_size) ends up getting recorded as a call to
-	 * max_size.
-	 */
-	INSIST(ctx->stats[size].gets != 0U);
-	ctx->stats[size].gets--;
-	ctx->stats[new_size].freefrags++;
-	ctx->inuse -= new_size;
-}
-
-/*!
- * Perform a malloc, doing memory filling and overrun detection as necessary.
- */
-static inline void *
-mem_get(isc__mem_t *ctx, size_t size) {
-	char *ret;
-
-#if ISC_MEM_CHECKOVERRUN
-	size += 1;
-#endif
-
-	ret = (ctx->memalloc)(ctx->arg, size);
-	if (ret == NULL)
-		ctx->memalloc_failures++;
-
-#if ISC_MEM_FILL
-	if (ret != NULL)
-		memset(ret, 0xbe, size); /* Mnemonic for "beef". */
-#else
-#  if ISC_MEM_CHECKOVERRUN
-	if (ret != NULL)
-		ret[size-1] = 0xbe;
-#  endif
-#endif
-
-	return (ret);
-}
-
-/*!
- * Perform a free, doing memory filling and overrun detection as necessary.
- */
-static inline void
-mem_put(isc__mem_t *ctx, void *mem, size_t size) {
-#if ISC_MEM_CHECKOVERRUN
-	INSIST(((unsigned char *)mem)[size] == 0xbe);
-#endif
-#if ISC_MEM_FILL
-	memset(mem, 0xde, size); /* Mnemonic for "dead". */
-#else
-	UNUSED(size);
-#endif
-	(ctx->memfree)(ctx->arg, mem);
-}
-
-/*!
- * Update internal counters after a memory get.
- */
-static inline void
-mem_getstats(isc__mem_t *ctx, size_t size) {
-	ctx->total += size;
-	ctx->inuse += size;
-
-	if (size > ctx->max_size) {
-		ctx->stats[ctx->max_size].gets++;
-		ctx->stats[ctx->max_size].totalgets++;
-	} else {
-		ctx->stats[size].gets++;
-		ctx->stats[size].totalgets++;
-	}
-}
-
-/*!
- * Update internal counters after a memory put.
- */
-static inline void
-mem_putstats(isc__mem_t *ctx, void *ptr, size_t size) {
-	UNUSED(ptr);
-
-	INSIST(ctx->inuse >= size);
-	ctx->inuse -= size;
-
-	if (size > ctx->max_size) {
-		INSIST(ctx->stats[ctx->max_size].gets > 0U);
-		ctx->stats[ctx->max_size].gets--;
-	} else {
-		INSIST(ctx->stats[size].gets > 0U);
-		ctx->stats[size].gets--;
-	}
-}
-
-/*
- * Private.
- */
-
-static void *
-default_memalloc(void *arg, size_t size) {
-	UNUSED(arg);
-	if (size == 0U)
-		size = 1;
-	return (malloc(size));
-}
-
-static void
-default_memfree(void *arg, void *ptr) {
-	UNUSED(arg);
-	free(ptr);
-}
-
-static void
-initialize_action(void) {
-	RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
-	ISC_LIST_INIT(contexts);
-	totallost = 0;
-}
-
-/*
- * Public.
- */
-
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_createx(size_t init_max_size, size_t target_size,
-		 isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
-		 isc_mem_t **ctxp)
-{
-	return (isc__mem_createx2(init_max_size, target_size, memalloc, memfree,
-				  arg, ctxp, ISC_MEMFLAG_DEFAULT));
-
-}
-
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_createx2(size_t init_max_size, size_t target_size,
-		  isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
-		  isc_mem_t **ctxp, unsigned int flags)
-{
-	isc__mem_t *ctx;
-	isc_result_t result;
-
-	REQUIRE(ctxp != NULL && *ctxp == NULL);
-	REQUIRE(memalloc != NULL);
-	REQUIRE(memfree != NULL);
-
-	INSIST((ALIGNMENT_SIZE & (ALIGNMENT_SIZE - 1)) == 0);
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-
-	ctx = (memalloc)(arg, sizeof(*ctx));
-	if (ctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if ((flags & ISC_MEMFLAG_NOLOCK) == 0) {
-		result = isc_mutex_init(&ctx->lock);
-		if (result != ISC_R_SUCCESS) {
-			(memfree)(arg, ctx);
-			return (result);
-		}
-	}
-
-	if (init_max_size == 0U)
-		ctx->max_size = DEF_MAX_SIZE;
-	else
-		ctx->max_size = init_max_size;
-	ctx->flags = flags;
-	ctx->references = 1;
-	memset(ctx->name, 0, sizeof(ctx->name));
-	ctx->tag = NULL;
-	ctx->quota = 0;
-	ctx->total = 0;
-	ctx->inuse = 0;
-	ctx->maxinuse = 0;
-	ctx->hi_water = 0;
-	ctx->lo_water = 0;
-	ctx->hi_called = ISC_FALSE;
-	ctx->is_overmem = ISC_FALSE;
-	ctx->water = NULL;
-	ctx->water_arg = NULL;
-	ctx->common.impmagic = MEM_MAGIC;
-	ctx->common.magic = ISCAPI_MCTX_MAGIC;
-	ctx->common.methods = (isc_memmethods_t *)&memmethods;
-	isc_ondestroy_init(&ctx->ondestroy);
-	ctx->memalloc = memalloc;
-	ctx->memfree = memfree;
-	ctx->arg = arg;
-	ctx->stats = NULL;
-	ctx->checkfree = ISC_TRUE;
-#if ISC_MEM_TRACKLINES
-	ctx->debuglist = NULL;
-	ctx->debuglistcnt = 0;
-#endif
-	ISC_LIST_INIT(ctx->pools);
-	ctx->poolcnt = 0;
-	ctx->freelists = NULL;
-	ctx->basic_blocks = NULL;
-	ctx->basic_table = NULL;
-	ctx->basic_table_count = 0;
-	ctx->basic_table_size = 0;
-	ctx->lowest = NULL;
-	ctx->highest = NULL;
-
-	ctx->stats = (memalloc)(arg,
-				(ctx->max_size+1) * sizeof(struct stats));
-	if (ctx->stats == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto error;
-	}
-	memset(ctx->stats, 0, (ctx->max_size + 1) * sizeof(struct stats));
-
-	if ((flags & ISC_MEMFLAG_INTERNAL) != 0) {
-		if (target_size == 0U)
-			ctx->mem_target = DEF_MEM_TARGET;
-		else
-			ctx->mem_target = target_size;
-		ctx->freelists = (memalloc)(arg, ctx->max_size *
-						 sizeof(element *));
-		if (ctx->freelists == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto error;
-		}
-		memset(ctx->freelists, 0,
-		       ctx->max_size * sizeof(element *));
-	}
-
-#if ISC_MEM_TRACKLINES
-	if ((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0) {
-		unsigned int i;
-
-		ctx->debuglist = (memalloc)(arg,
-				      (ctx->max_size+1) * sizeof(debuglist_t));
-		if (ctx->debuglist == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto error;
-		}
-		for (i = 0; i <= ctx->max_size; i++)
-			ISC_LIST_INIT(ctx->debuglist[i]);
-	}
-#endif
-
-	ctx->memalloc_failures = 0;
-
-	LOCK(&lock);
-	ISC_LIST_INITANDAPPEND(contexts, ctx, link);
-	UNLOCK(&lock);
-
-	*ctxp = (isc_mem_t *)ctx;
-	return (ISC_R_SUCCESS);
-
-  error:
-	if (ctx != NULL) {
-		if (ctx->stats != NULL)
-			(memfree)(arg, ctx->stats);
-		if (ctx->freelists != NULL)
-			(memfree)(arg, ctx->freelists);
-#if ISC_MEM_TRACKLINES
-		if (ctx->debuglist != NULL)
-			(ctx->memfree)(ctx->arg, ctx->debuglist);
-#endif /* ISC_MEM_TRACKLINES */
-		if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0)
-			DESTROYLOCK(&ctx->lock);
-		(memfree)(arg, ctx);
-	}
-
-	return (result);
-}
-
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_create(size_t init_max_size, size_t target_size, isc_mem_t **ctxp) {
-	return (isc__mem_createx2(init_max_size, target_size,
-				  default_memalloc, default_memfree, NULL,
-				  ctxp, ISC_MEMFLAG_DEFAULT));
-}
-
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_create2(size_t init_max_size, size_t target_size,
-		 isc_mem_t **ctxp, unsigned int flags)
-{
-	return (isc__mem_createx2(init_max_size, target_size,
-				  default_memalloc, default_memfree, NULL,
-				  ctxp, flags));
-}
-
-static void
-destroy(isc__mem_t *ctx) {
-	unsigned int i;
-	isc_ondestroy_t ondest;
-
-	LOCK(&lock);
-	ISC_LIST_UNLINK(contexts, ctx, link);
-	totallost += ctx->inuse;
-	UNLOCK(&lock);
-
-	ctx->common.impmagic = 0;
-	ctx->common.magic = 0;
-
-	INSIST(ISC_LIST_EMPTY(ctx->pools));
-
-#if ISC_MEM_TRACKLINES
-	if (ctx->debuglist != NULL) {
-		if (ctx->checkfree) {
-			for (i = 0; i <= ctx->max_size; i++) {
-				if (!ISC_LIST_EMPTY(ctx->debuglist[i]))
-					print_active(ctx, stderr);
-				INSIST(ISC_LIST_EMPTY(ctx->debuglist[i]));
-			}
-		} else {
-			debuglink_t *dl;
-
-			for (i = 0; i <= ctx->max_size; i++)
-				for (dl = ISC_LIST_HEAD(ctx->debuglist[i]);
-				     dl != NULL;
-				     dl = ISC_LIST_HEAD(ctx->debuglist[i])) {
-					ISC_LIST_UNLINK(ctx->debuglist[i],
-							dl, link);
-					free(dl);
-				}
-		}
-		(ctx->memfree)(ctx->arg, ctx->debuglist);
-	}
-#endif
-	INSIST(ctx->references == 0);
-
-	if (ctx->checkfree) {
-		for (i = 0; i <= ctx->max_size; i++) {
-#if ISC_MEM_TRACKLINES
-			if (ctx->stats[i].gets != 0U)
-				print_active(ctx, stderr);
-#endif
-			INSIST(ctx->stats[i].gets == 0U);
-		}
-	}
-
-	(ctx->memfree)(ctx->arg, ctx->stats);
-
-	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-		for (i = 0; i < ctx->basic_table_count; i++)
-			(ctx->memfree)(ctx->arg, ctx->basic_table[i]);
-		(ctx->memfree)(ctx->arg, ctx->freelists);
-		if (ctx->basic_table != NULL)
-			(ctx->memfree)(ctx->arg, ctx->basic_table);
-	}
-
-	ondest = ctx->ondestroy;
-
-	if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0)
-		DESTROYLOCK(&ctx->lock);
-	(ctx->memfree)(ctx->arg, ctx);
-
-	isc_ondestroy_notify(&ondest, ctx);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_attach(isc_mem_t *source0, isc_mem_t **targetp) {
-	isc__mem_t *source = (isc__mem_t *)source0;
-
-	REQUIRE(VALID_CONTEXT(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	MCTXLOCK(source, &source->lock);
-	source->references++;
-	MCTXUNLOCK(source, &source->lock);
-
-	*targetp = (isc_mem_t *)source;
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_detach(isc_mem_t **ctxp) {
-	isc__mem_t *ctx;
-	isc_boolean_t want_destroy = ISC_FALSE;
-
-	REQUIRE(ctxp != NULL);
-	ctx = (isc__mem_t *)*ctxp;
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	MCTXLOCK(ctx, &ctx->lock);
-	INSIST(ctx->references > 0);
-	ctx->references--;
-	if (ctx->references == 0)
-		want_destroy = ISC_TRUE;
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	if (want_destroy)
-		destroy(ctx);
-
-	*ctxp = NULL;
-}
-
-/*
- * isc_mem_putanddetach() is the equivalent of:
- *
- * mctx = NULL;
- * isc_mem_attach(ptr->mctx, &mctx);
- * isc_mem_detach(&ptr->mctx);
- * isc_mem_put(mctx, ptr, sizeof(*ptr);
- * isc_mem_detach(&mctx);
- */
-
-ISC_MEMFUNC_SCOPE void
-isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
-	isc__mem_t *ctx;
-	isc_boolean_t want_destroy = ISC_FALSE;
-	size_info *si;
-	size_t oldsize;
-
-	REQUIRE(ctxp != NULL);
-	ctx = (isc__mem_t *)*ctxp;
-	REQUIRE(VALID_CONTEXT(ctx));
-	REQUIRE(ptr != NULL);
-
-	/*
-	 * Must be before mem_putunlocked() as ctxp is usually within
-	 * [ptr..ptr+size).
-	 */
-	*ctxp = NULL;
-
-	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0) {
-		if ((isc_mem_debugging & ISC_MEM_DEBUGSIZE) != 0) {
-			si = &(((size_info *)ptr)[-1]);
-			oldsize = si->u.size - ALIGNMENT_SIZE;
-			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)
-				oldsize -= ALIGNMENT_SIZE;
-			INSIST(oldsize == size);
-		}
-		isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS);
-
-		MCTXLOCK(ctx, &ctx->lock);
-		ctx->references--;
-		if (ctx->references == 0)
-			want_destroy = ISC_TRUE;
-		MCTXUNLOCK(ctx, &ctx->lock);
-		if (want_destroy)
-			destroy(ctx);
-
-		return;
-	}
-
-	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-		MCTXLOCK(ctx, &ctx->lock);
-		mem_putunlocked(ctx, ptr, size);
-	} else {
-		mem_put(ctx, ptr, size);
-		MCTXLOCK(ctx, &ctx->lock);
-		mem_putstats(ctx, ptr, size);
-	}
-
-	DELETE_TRACE(ctx, ptr, size, file, line);
-	INSIST(ctx->references > 0);
-	ctx->references--;
-	if (ctx->references == 0)
-		want_destroy = ISC_TRUE;
-
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	if (want_destroy)
-		destroy(ctx);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_destroy(isc_mem_t **ctxp) {
-	isc__mem_t *ctx;
-
-	/*
-	 * This routine provides legacy support for callers who use mctxs
-	 * without attaching/detaching.
-	 */
-
-	REQUIRE(ctxp != NULL);
-	ctx = (isc__mem_t *)*ctxp;
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	MCTXLOCK(ctx, &ctx->lock);
-#if ISC_MEM_TRACKLINES
-	if (ctx->references != 1)
-		print_active(ctx, stderr);
-#endif
-	REQUIRE(ctx->references == 1);
-	ctx->references--;
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	destroy(ctx);
-
-	*ctxp = NULL;
-}
-
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mem_ondestroy(isc_mem_t *ctx0, isc_task_t *task, isc_event_t **event) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	isc_result_t res;
-
-	MCTXLOCK(ctx, &ctx->lock);
-	res = isc_ondestroy_register(&ctx->ondestroy, task, event);
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	return (res);
-}
-
-ISC_MEMFUNC_SCOPE void *
-isc___mem_get(isc_mem_t *ctx0, size_t size FLARG) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	void *ptr;
-	isc_boolean_t call_water = ISC_FALSE;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0)
-		return (isc__mem_allocate(ctx0, size FLARG_PASS));
-
-	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-		MCTXLOCK(ctx, &ctx->lock);
-		ptr = mem_getunlocked(ctx, size);
-	} else {
-		ptr = mem_get(ctx, size);
-		MCTXLOCK(ctx, &ctx->lock);
-		if (ptr != NULL)
-			mem_getstats(ctx, size);
-	}
-
-	ADD_TRACE(ctx, ptr, size, file, line);
-	if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
-	    !ctx->is_overmem) {
-		ctx->is_overmem = ISC_TRUE;
-	}
-	if (ctx->hi_water != 0U && !ctx->hi_called &&
-	    ctx->inuse > ctx->hi_water) {
-		call_water = ISC_TRUE;
-	}
-	if (ctx->inuse > ctx->maxinuse) {
-		ctx->maxinuse = ctx->inuse;
-		if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
-		    (isc_mem_debugging & ISC_MEM_DEBUGUSAGE) != 0)
-			fprintf(stderr, "maxinuse = %lu\n",
-				(unsigned long)ctx->inuse);
-	}
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	if (call_water)
-		(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
-
-	return (ptr);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc___mem_put(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	isc_boolean_t call_water = ISC_FALSE;
-	size_info *si;
-	size_t oldsize;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-	REQUIRE(ptr != NULL);
-
-	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0) {
-		if ((isc_mem_debugging & ISC_MEM_DEBUGSIZE) != 0) {
-			si = &(((size_info *)ptr)[-1]);
-			oldsize = si->u.size - ALIGNMENT_SIZE;
-			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)
-				oldsize -= ALIGNMENT_SIZE;
-			INSIST(oldsize == size);
-		}
-		isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS);
-		return;
-	}
-
-	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-		MCTXLOCK(ctx, &ctx->lock);
-		mem_putunlocked(ctx, ptr, size);
-	} else {
-		mem_put(ctx, ptr, size);
-		MCTXLOCK(ctx, &ctx->lock);
-		mem_putstats(ctx, ptr, size);
-	}
-
-	DELETE_TRACE(ctx, ptr, size, file, line);
-
-	/*
-	 * The check against ctx->lo_water == 0 is for the condition
-	 * when the context was pushed over hi_water but then had
-	 * isc_mem_setwater() called with 0 for hi_water and lo_water.
-	 */
-	if (ctx->is_overmem &&
-	    (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U)) {
-		ctx->is_overmem = ISC_FALSE;
-	}
-	if (ctx->hi_called &&
-	    (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U)) {
-		if (ctx->water != NULL)
-			call_water = ISC_TRUE;
-	}
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	if (call_water)
-		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_waterack(isc_mem_t *ctx0, int flag) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	MCTXLOCK(ctx, &ctx->lock);
-	if (flag == ISC_MEM_LOWATER)
-		ctx->hi_called = ISC_FALSE;
-	else if (flag == ISC_MEM_HIWATER)
-		ctx->hi_called = ISC_TRUE;
-	MCTXUNLOCK(ctx, &ctx->lock);
-}
-
-#if ISC_MEM_TRACKLINES
-static void
-print_active(isc__mem_t *mctx, FILE *out) {
-	if (mctx->debuglist != NULL) {
-		debuglink_t *dl;
-		unsigned int i, j;
-		const char *format;
-		isc_boolean_t found;
-
-		fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-					    ISC_MSG_DUMPALLOC,
-					    "Dump of all outstanding "
-					    "memory allocations:\n"));
-		found = ISC_FALSE;
-		format = isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-					ISC_MSG_PTRFILELINE,
-					"\tptr %p size %u file %s line %u\n");
-		for (i = 0; i <= mctx->max_size; i++) {
-			dl = ISC_LIST_HEAD(mctx->debuglist[i]);
-
-			if (dl != NULL)
-				found = ISC_TRUE;
-
-			while (dl != NULL) {
-				for (j = 0; j < DEBUGLIST_COUNT; j++)
-					if (dl->ptr[j] != NULL)
-						fprintf(out, format,
-							dl->ptr[j],
-							dl->size[j],
-							dl->file[j],
-							dl->line[j]);
-				dl = ISC_LIST_NEXT(dl, link);
-			}
-		}
-		if (!found)
-			fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-						    ISC_MSG_NONE, "\tNone.\n"));
-	}
-}
-#endif
-
-/*
- * Print the stats[] on the stream "out" with suitable formatting.
- */
-ISC_MEMFUNC_SCOPE void
-isc__mem_stats(isc_mem_t *ctx0, FILE *out) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	size_t i;
-	const struct stats *s;
-	const isc__mempool_t *pool;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-	MCTXLOCK(ctx, &ctx->lock);
-
-	for (i = 0; i <= ctx->max_size; i++) {
-		s = &ctx->stats[i];
-
-		if (s->totalgets == 0U && s->gets == 0U)
-			continue;
-		fprintf(out, "%s%5lu: %11lu gets, %11lu rem",
-			(i == ctx->max_size) ? ">=" : "  ",
-			(unsigned long) i, s->totalgets, s->gets);
-		if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0 &&
-		    (s->blocks != 0U || s->freefrags != 0U))
-			fprintf(out, " (%lu bl, %lu ff)",
-				s->blocks, s->freefrags);
-		fputc('\n', out);
-	}
-
-	/*
-	 * Note that since a pool can be locked now, these stats might be
-	 * somewhat off if the pool is in active use at the time the stats
-	 * are dumped.  The link fields are protected by the isc_mem_t's
-	 * lock, however, so walking this list and extracting integers from
-	 * stats fields is always safe.
-	 */
-	pool = ISC_LIST_HEAD(ctx->pools);
-	if (pool != NULL) {
-		fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-					    ISC_MSG_POOLSTATS,
-					    "[Pool statistics]\n"));
-		fprintf(out, "%15s %10s %10s %10s %10s %10s %10s %10s %1s\n",
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-				       ISC_MSG_POOLNAME, "name"),
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-				       ISC_MSG_POOLSIZE, "size"),
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-				       ISC_MSG_POOLMAXALLOC, "maxalloc"),
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-				       ISC_MSG_POOLALLOCATED, "allocated"),
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-				       ISC_MSG_POOLFREECOUNT, "freecount"),
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-				       ISC_MSG_POOLFREEMAX, "freemax"),
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-				       ISC_MSG_POOLFILLCOUNT, "fillcount"),
-			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
-				       ISC_MSG_POOLGETS, "gets"),
-			"L");
-	}
-	while (pool != NULL) {
-		fprintf(out, "%15s %10lu %10u %10u %10u %10u %10u %10u %s\n",
-#if ISC_MEMPOOL_NAMES
-			pool->name,
-#else
-			"(not tracked)",
-#endif
-			(unsigned long) pool->size, pool->maxalloc,
-			pool->allocated, pool->freecount, pool->freemax,
-			pool->fillcount, pool->gets,
-			(pool->lock == NULL ? "N" : "Y"));
-		pool = ISC_LIST_NEXT(pool, link);
-	}
-
-#if ISC_MEM_TRACKLINES
-	print_active(ctx, out);
-#endif
-
-	MCTXUNLOCK(ctx, &ctx->lock);
-}
-
-/*
- * Replacements for malloc() and free() -- they implicitly remember the
- * size of the object allocated (with some additional overhead).
- */
-
-static void *
-isc__mem_allocateunlocked(isc_mem_t *ctx0, size_t size) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	size_info *si;
-
-	size += ALIGNMENT_SIZE;
-	if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)
-		size += ALIGNMENT_SIZE;
-
-	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0)
-		si = mem_getunlocked(ctx, size);
-	else
-		si = mem_get(ctx, size);
-
-	if (si == NULL)
-		return (NULL);
-	if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
-		si->u.ctx = ctx;
-		si++;
-	}
-	si->u.size = size;
-	return (&si[1]);
-}
-
-ISC_MEMFUNC_SCOPE void *
-isc___mem_allocate(isc_mem_t *ctx0, size_t size FLARG) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	size_info *si;
-	isc_boolean_t call_water = ISC_FALSE;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-		MCTXLOCK(ctx, &ctx->lock);
-		si = isc__mem_allocateunlocked((isc_mem_t *)ctx, size);
-	} else {
-		si = isc__mem_allocateunlocked((isc_mem_t *)ctx, size);
-		MCTXLOCK(ctx, &ctx->lock);
-		if (si != NULL)
-			mem_getstats(ctx, si[-1].u.size);
-	}
-
-#if ISC_MEM_TRACKLINES
-	ADD_TRACE(ctx, si, si[-1].u.size, file, line);
-#endif
-	if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
-	    !ctx->is_overmem) {
-		ctx->is_overmem = ISC_TRUE;
-	}
-
-	if (ctx->hi_water != 0U && !ctx->hi_called &&
-	    ctx->inuse > ctx->hi_water) {
-		ctx->hi_called = ISC_TRUE;
-		call_water = ISC_TRUE;
-	}
-	if (ctx->inuse > ctx->maxinuse) {
-		ctx->maxinuse = ctx->inuse;
-		if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
-		    (isc_mem_debugging & ISC_MEM_DEBUGUSAGE) != 0)
-			fprintf(stderr, "maxinuse = %lu\n",
-				(unsigned long)ctx->inuse);
-	}
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	if (call_water)
-		(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
-
-	return (si);
-}
-
-ISC_MEMFUNC_SCOPE void *
-isc___mem_reallocate(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	void *new_ptr = NULL;
-	size_t oldsize, copysize;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	/*
-	 * This function emulates the realloc(3) standard library function:
-	 * - if size > 0, allocate new memory; and if ptr is non NULL, copy
-	 *   as much of the old contents to the new buffer and free the old one.
-	 *   Note that when allocation fails the original pointer is intact;
-	 *   the caller must free it.
-	 * - if size is 0 and ptr is non NULL, simply free the given ptr.
-	 * - this function returns:
-	 *     pointer to the newly allocated memory, or
-	 *     NULL if allocation fails or doesn't happen.
-	 */
-	if (size > 0U) {
-		new_ptr = isc__mem_allocate(ctx0, size FLARG_PASS);
-		if (new_ptr != NULL && ptr != NULL) {
-			oldsize = (((size_info *)ptr)[-1]).u.size;
-			INSIST(oldsize >= ALIGNMENT_SIZE);
-			oldsize -= ALIGNMENT_SIZE;
-			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
-				INSIST(oldsize >= ALIGNMENT_SIZE);
-				oldsize -= ALIGNMENT_SIZE;
-			}
-			copysize = (oldsize > size) ? size : oldsize;
-			memcpy(new_ptr, ptr, copysize);
-			isc__mem_free(ctx0, ptr FLARG_PASS);
-		}
-	} else if (ptr != NULL)
-		isc__mem_free(ctx0, ptr FLARG_PASS);
-
-	return (new_ptr);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc___mem_free(isc_mem_t *ctx0, void *ptr FLARG) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	size_info *si;
-	size_t size;
-	isc_boolean_t call_water= ISC_FALSE;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-	REQUIRE(ptr != NULL);
-
-	if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
-		si = &(((size_info *)ptr)[-2]);
-		REQUIRE(si->u.ctx == ctx);
-		size = si[1].u.size;
-	} else {
-		si = &(((size_info *)ptr)[-1]);
-		size = si->u.size;
-	}
-
-	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-		MCTXLOCK(ctx, &ctx->lock);
-		mem_putunlocked(ctx, si, size);
-	} else {
-		mem_put(ctx, si, size);
-		MCTXLOCK(ctx, &ctx->lock);
-		mem_putstats(ctx, si, size);
-	}
-
-	DELETE_TRACE(ctx, ptr, size, file, line);
-
-	/*
-	 * The check against ctx->lo_water == 0 is for the condition
-	 * when the context was pushed over hi_water but then had
-	 * isc_mem_setwater() called with 0 for hi_water and lo_water.
-	 */
-	if (ctx->is_overmem &&
-	    (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U)) {
-		ctx->is_overmem = ISC_FALSE;
-	}
-
-	if (ctx->hi_called &&
-	    (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U)) {
-		ctx->hi_called = ISC_FALSE;
-
-		if (ctx->water != NULL)
-			call_water = ISC_TRUE;
-	}
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	if (call_water)
-		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
-}
-
-
-/*
- * Other useful things.
- */
-
-ISC_MEMFUNC_SCOPE char *
-isc___mem_strdup(isc_mem_t *mctx0, const char *s FLARG) {
-	isc__mem_t *mctx = (isc__mem_t *)mctx0;
-	size_t len;
-	char *ns;
-
-	REQUIRE(VALID_CONTEXT(mctx));
-	REQUIRE(s != NULL);
-
-	len = strlen(s);
-
-	ns = isc___mem_allocate((isc_mem_t *)mctx, len + 1 FLARG_PASS);
-
-	if (ns != NULL)
-		strncpy(ns, s, len + 1);
-
-	return (ns);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_setdestroycheck(isc_mem_t *ctx0, isc_boolean_t flag) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-	MCTXLOCK(ctx, &ctx->lock);
-
-	ctx->checkfree = flag;
-
-	MCTXUNLOCK(ctx, &ctx->lock);
-}
-
-/*
- * Quotas
- */
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_setquota(isc_mem_t *ctx0, size_t quota) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-	MCTXLOCK(ctx, &ctx->lock);
-
-	ctx->quota = quota;
-
-	MCTXUNLOCK(ctx, &ctx->lock);
-}
-
-ISC_MEMFUNC_SCOPE size_t
-isc__mem_getquota(isc_mem_t *ctx0) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	size_t quota;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-	MCTXLOCK(ctx, &ctx->lock);
-
-	quota = ctx->quota;
-
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	return (quota);
-}
-
-ISC_MEMFUNC_SCOPE size_t
-isc__mem_inuse(isc_mem_t *ctx0) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	size_t inuse;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-	MCTXLOCK(ctx, &ctx->lock);
-
-	inuse = ctx->inuse;
-
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	return (inuse);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_setwater(isc_mem_t *ctx0, isc_mem_water_t water, void *water_arg,
-		 size_t hiwater, size_t lowater)
-{
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	isc_boolean_t callwater = ISC_FALSE;
-	isc_mem_water_t oldwater;
-	void *oldwater_arg;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-	REQUIRE(hiwater >= lowater);
-
-	MCTXLOCK(ctx, &ctx->lock);
-	oldwater = ctx->water;
-	oldwater_arg = ctx->water_arg;
-	if (water == NULL) {
-		callwater = ctx->hi_called;
-		ctx->water = NULL;
-		ctx->water_arg = NULL;
-		ctx->hi_water = 0;
-		ctx->lo_water = 0;
-		ctx->hi_called = ISC_FALSE;
-	} else {
-		if (ctx->hi_called &&
-		    (ctx->water != water || ctx->water_arg != water_arg ||
-		     ctx->inuse < lowater || lowater == 0U))
-			callwater = ISC_TRUE;
-		ctx->water = water;
-		ctx->water_arg = water_arg;
-		ctx->hi_water = hiwater;
-		ctx->lo_water = lowater;
-		ctx->hi_called = ISC_FALSE;
-	}
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	if (callwater && oldwater != NULL)
-		(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
-}
-
-ISC_MEMFUNC_SCOPE isc_boolean_t
-isc__mem_isovermem(isc_mem_t *ctx0) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	/*
-	 * We don't bother to lock the context because 100% accuracy isn't
-	 * necessary (and even if we locked the context the returned value
-	 * could be different from the actual state when it's used anyway)
-	 */
-	return (ctx->is_overmem);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_setname(isc_mem_t *ctx0, const char *name, void *tag) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	LOCK(&ctx->lock);
-	memset(ctx->name, 0, sizeof(ctx->name));
-	strncpy(ctx->name, name, sizeof(ctx->name) - 1);
-	ctx->tag = tag;
-	UNLOCK(&ctx->lock);
-}
-
-ISC_MEMFUNC_SCOPE const char *
-isc__mem_getname(isc_mem_t *ctx0) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	return (ctx->name);
-}
-
-ISC_MEMFUNC_SCOPE void *
-isc__mem_gettag(isc_mem_t *ctx0) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	return (ctx->tag);
-}
-
-/*
- * Memory pool stuff
- */
-
-ISC_MEMFUNC_SCOPE isc_result_t
-isc__mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
-	isc__mem_t *mctx = (isc__mem_t *)mctx0;
-	isc__mempool_t *mpctx;
-
-	REQUIRE(VALID_CONTEXT(mctx));
-	REQUIRE(size > 0U);
-	REQUIRE(mpctxp != NULL && *mpctxp == NULL);
-
-	/*
-	 * Allocate space for this pool, initialize values, and if all works
-	 * well, attach to the memory context.
-	 */
-	mpctx = isc_mem_get((isc_mem_t *)mctx, sizeof(isc__mempool_t));
-	if (mpctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	mpctx->common.methods = (isc_mempoolmethods_t *)&mempoolmethods;
-	mpctx->common.impmagic = MEMPOOL_MAGIC;
-	mpctx->common.magic = ISCAPI_MPOOL_MAGIC;
-	mpctx->lock = NULL;
-	mpctx->mctx = mctx;
-	mpctx->size = size;
-	mpctx->maxalloc = UINT_MAX;
-	mpctx->allocated = 0;
-	mpctx->freecount = 0;
-	mpctx->freemax = 1;
-	mpctx->fillcount = 1;
-	mpctx->gets = 0;
-#if ISC_MEMPOOL_NAMES
-	mpctx->name[0] = 0;
-#endif
-	mpctx->items = NULL;
-
-	*mpctxp = (isc_mempool_t *)mpctx;
-
-	MCTXLOCK(mctx, &mctx->lock);
-	ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
-	mctx->poolcnt++;
-	MCTXUNLOCK(mctx, &mctx->lock);
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mempool_setname(isc_mempool_t *mpctx0, const char *name) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-
-	REQUIRE(name != NULL);
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-#if ISC_MEMPOOL_NAMES
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	strncpy(mpctx->name, name, sizeof(mpctx->name) - 1);
-	mpctx->name[sizeof(mpctx->name) - 1] = '\0';
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-#else
-	UNUSED(mpctx);
-	UNUSED(name);
-#endif
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mempool_destroy(isc_mempool_t **mpctxp) {
-	isc__mempool_t *mpctx;
-	isc__mem_t *mctx;
-	isc_mutex_t *lock;
-	element *item;
-
-	REQUIRE(mpctxp != NULL);
-	mpctx = (isc__mempool_t *)*mpctxp;
-	REQUIRE(VALID_MEMPOOL(mpctx));
-#if ISC_MEMPOOL_NAMES
-	if (mpctx->allocated > 0)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc__mempool_destroy(): mempool %s "
-				 "leaked memory",
-				 mpctx->name);
-#endif
-	REQUIRE(mpctx->allocated == 0);
-
-	mctx = mpctx->mctx;
-
-	lock = mpctx->lock;
-
-	if (lock != NULL)
-		LOCK(lock);
-
-	/*
-	 * Return any items on the free list
-	 */
-	MCTXLOCK(mctx, &mctx->lock);
-	while (mpctx->items != NULL) {
-		INSIST(mpctx->freecount > 0);
-		mpctx->freecount--;
-		item = mpctx->items;
-		mpctx->items = item->next;
-
-		if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-			mem_putunlocked(mctx, item, mpctx->size);
-		} else {
-			mem_put(mctx, item, mpctx->size);
-			mem_putstats(mctx, item, mpctx->size);
-		}
-	}
-	MCTXUNLOCK(mctx, &mctx->lock);
-
-	/*
-	 * Remove our linked list entry from the memory context.
-	 */
-	MCTXLOCK(mctx, &mctx->lock);
-	ISC_LIST_UNLINK(mctx->pools, mpctx, link);
-	mctx->poolcnt--;
-	MCTXUNLOCK(mctx, &mctx->lock);
-
-	mpctx->common.impmagic = 0;
-	mpctx->common.magic = 0;
-
-	isc_mem_put((isc_mem_t *)mpctx->mctx, mpctx, sizeof(isc__mempool_t));
-
-	if (lock != NULL)
-		UNLOCK(lock);
-
-	*mpctxp = NULL;
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mempool_associatelock(isc_mempool_t *mpctx0, isc_mutex_t *lock) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-	REQUIRE(mpctx->lock == NULL);
-	REQUIRE(lock != NULL);
-
-	mpctx->lock = lock;
-}
-
-ISC_MEMFUNC_SCOPE void *
-isc___mempool_get(isc_mempool_t *mpctx0 FLARG) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-	element *item;
-	isc__mem_t *mctx;
-	unsigned int i;
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-	mctx = mpctx->mctx;
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	/*
-	 * Don't let the caller go over quota
-	 */
-	if (mpctx->allocated >= mpctx->maxalloc) {
-		item = NULL;
-		goto out;
-	}
-
-	/*
-	 * if we have a free list item, return the first here
-	 */
-	item = mpctx->items;
-	if (item != NULL) {
-		mpctx->items = item->next;
-		INSIST(mpctx->freecount > 0);
-		mpctx->freecount--;
-		mpctx->gets++;
-		mpctx->allocated++;
-		goto out;
-	}
-
-	/*
-	 * We need to dip into the well.  Lock the memory context here and
-	 * fill up our free list.
-	 */
-	MCTXLOCK(mctx, &mctx->lock);
-	for (i = 0; i < mpctx->fillcount; i++) {
-		if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-			item = mem_getunlocked(mctx, mpctx->size);
-		} else {
-			item = mem_get(mctx, mpctx->size);
-			if (item != NULL)
-				mem_getstats(mctx, mpctx->size);
-		}
-		if (item == NULL)
-			break;
-		item->next = mpctx->items;
-		mpctx->items = item;
-		mpctx->freecount++;
-	}
-	MCTXUNLOCK(mctx, &mctx->lock);
-
-	/*
-	 * If we didn't get any items, return NULL.
-	 */
-	item = mpctx->items;
-	if (item == NULL)
-		goto out;
-
-	mpctx->items = item->next;
-	mpctx->freecount--;
-	mpctx->gets++;
-	mpctx->allocated++;
-
- out:
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-
-#if ISC_MEM_TRACKLINES
-	if (item != NULL) {
-		MCTXLOCK(mctx, &mctx->lock);
-		ADD_TRACE(mctx, item, mpctx->size, file, line);
-		MCTXUNLOCK(mctx, &mctx->lock);
-	}
-#endif /* ISC_MEM_TRACKLINES */
-
-	return (item);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc___mempool_put(isc_mempool_t *mpctx0, void *mem FLARG) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-	isc__mem_t *mctx;
-	element *item;
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-	REQUIRE(mem != NULL);
-
-	mctx = mpctx->mctx;
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	INSIST(mpctx->allocated > 0);
-	mpctx->allocated--;
-
-#if ISC_MEM_TRACKLINES
-	MCTXLOCK(mctx, &mctx->lock);
-	DELETE_TRACE(mctx, mem, mpctx->size, file, line);
-	MCTXUNLOCK(mctx, &mctx->lock);
-#endif /* ISC_MEM_TRACKLINES */
-
-	/*
-	 * If our free list is full, return this to the mctx directly.
-	 */
-	if (mpctx->freecount >= mpctx->freemax) {
-		if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-			MCTXLOCK(mctx, &mctx->lock);
-			mem_putunlocked(mctx, mem, mpctx->size);
-			MCTXUNLOCK(mctx, &mctx->lock);
-		} else {
-			mem_put(mctx, mem, mpctx->size);
-			MCTXLOCK(mctx, &mctx->lock);
-			mem_putstats(mctx, mem, mpctx->size);
-			MCTXUNLOCK(mctx, &mctx->lock);
-		}
-		if (mpctx->lock != NULL)
-			UNLOCK(mpctx->lock);
-		return;
-	}
-
-	/*
-	 * Otherwise, attach it to our free list and bump the counter.
-	 */
-	mpctx->freecount++;
-	item = (element *)mem;
-	item->next = mpctx->items;
-	mpctx->items = item;
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-}
-
-/*
- * Quotas
- */
-
-ISC_MEMFUNC_SCOPE void
-isc__mempool_setfreemax(isc_mempool_t *mpctx0, unsigned int limit) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	mpctx->freemax = limit;
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-}
-
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getfreemax(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-	unsigned int freemax;
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	freemax = mpctx->freemax;
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-
-	return (freemax);
-}
-
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getfreecount(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-	unsigned int freecount;
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	freecount = mpctx->freecount;
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-
-	return (freecount);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mempool_setmaxalloc(isc_mempool_t *mpctx0, unsigned int limit) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-
-	REQUIRE(limit > 0);
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	mpctx->maxalloc = limit;
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-}
-
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getmaxalloc(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-	unsigned int maxalloc;
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	maxalloc = mpctx->maxalloc;
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-
-	return (maxalloc);
-}
-
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getallocated(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-	unsigned int allocated;
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	allocated = mpctx->allocated;
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-
-	return (allocated);
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mempool_setfillcount(isc_mempool_t *mpctx0, unsigned int limit) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-
-	REQUIRE(limit > 0);
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	mpctx->fillcount = limit;
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-}
-
-ISC_MEMFUNC_SCOPE unsigned int
-isc__mempool_getfillcount(isc_mempool_t *mpctx0) {
-	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
-
-	unsigned int fillcount;
-
-	REQUIRE(VALID_MEMPOOL(mpctx));
-
-	if (mpctx->lock != NULL)
-		LOCK(mpctx->lock);
-
-	fillcount = mpctx->fillcount;
-
-	if (mpctx->lock != NULL)
-		UNLOCK(mpctx->lock);
-
-	return (fillcount);
-}
-
-#ifdef USE_MEMIMPREGISTER
-isc_result_t
-isc__mem_register() {
-	return (isc_mem_register(isc__mem_create2));
-}
-#endif
-
-#ifdef BIND9
-ISC_MEMFUNC_SCOPE void
-isc__mem_printactive(isc_mem_t *ctx0, FILE *file) {
-#if ISC_MEM_TRACKLINES
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-	REQUIRE(file != NULL);
-
-	print_active(ctx, file);
-#else
-	UNUSED(ctx0);
-	UNUSED(file);
-#endif
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_printallactive(FILE *file) {
-#if !ISC_MEM_TRACKLINES
-	UNUSED(file);
-#else
-	isc__mem_t *ctx;
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-
-	LOCK(&lock);
-	for (ctx = ISC_LIST_HEAD(contexts);
-	     ctx != NULL;
-	     ctx = ISC_LIST_NEXT(ctx, link)) {
-		fprintf(file, "context: %p\n", ctx);
-		print_active(ctx, file);
-	}
-	UNLOCK(&lock);
-#endif
-}
-
-ISC_MEMFUNC_SCOPE void
-isc__mem_checkdestroyed(FILE *file) {
-#if !ISC_MEM_TRACKLINES
-	UNUSED(file);
-#endif
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-
-	LOCK(&lock);
-	if (!ISC_LIST_EMPTY(contexts))  {
-#if ISC_MEM_TRACKLINES
-		isc__mem_t *ctx;
-
-		for (ctx = ISC_LIST_HEAD(contexts);
-		     ctx != NULL;
-		     ctx = ISC_LIST_NEXT(ctx, link)) {
-			fprintf(file, "context: %p\n", ctx);
-			print_active(ctx, file);
-		}
-		fflush(file);
-#endif
-		INSIST(0);
-	}
-	UNLOCK(&lock);
-}
-
-ISC_MEMFUNC_SCOPE unsigned int
-isc_mem_references(isc_mem_t *ctx0) {
-	isc__mem_t *ctx = (isc__mem_t *)ctx0;
-	unsigned int references;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	MCTXLOCK(ctx, &ctx->lock);
-	references = ctx->references;
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	return (references);
-}
-
-#ifdef HAVE_LIBXML2
-
-typedef struct summarystat {
-	isc_uint64_t	total;
-	isc_uint64_t	inuse;
-	isc_uint64_t	blocksize;
-	isc_uint64_t	contextsize;
-} summarystat_t;
-
-#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
-static int
-renderctx(isc__mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
-	int xmlrc;
-
-	REQUIRE(VALID_CONTEXT(ctx));
-
-	MCTXLOCK(ctx, &ctx->lock);
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "context"));
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
-	TRY0(xmlTextWriterWriteFormatString(writer, "%p", ctx));
-	TRY0(xmlTextWriterEndElement(writer)); /* id */
-
-	if (ctx->name[0] != 0) {
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
-		TRY0(xmlTextWriterWriteFormatString(writer, "%s", ctx->name));
-		TRY0(xmlTextWriterEndElement(writer)); /* name */
-	}
-
-	summary->contextsize += sizeof(*ctx) +
-		(ctx->max_size + 1) * sizeof(struct stats) +
-		ctx->max_size * sizeof(element *) +
-		ctx->basic_table_count * sizeof(char *);
-#if ISC_MEM_TRACKLINES
-	if (ctx->debuglist != NULL) {
-		summary->contextsize +=
-			(ctx->max_size + 1) * sizeof(debuglist_t) +
-			ctx->debuglistcnt * sizeof(debuglink_t);
-	}
-#endif
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "references"));
-	TRY0(xmlTextWriterWriteFormatString(writer, "%d", ctx->references));
-	TRY0(xmlTextWriterEndElement(writer)); /* references */
-
-	summary->total += ctx->total;
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "total"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    (isc_uint64_t)ctx->total));
-	TRY0(xmlTextWriterEndElement(writer)); /* total */
-
-	summary->inuse += ctx->inuse;
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "inuse"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    (isc_uint64_t)ctx->inuse));
-	TRY0(xmlTextWriterEndElement(writer)); /* inuse */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "maxinuse"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    (isc_uint64_t)ctx->maxinuse));
-	TRY0(xmlTextWriterEndElement(writer)); /* maxinuse */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "blocksize"));
-	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
-		summary->blocksize += ctx->basic_table_count *
-			NUM_BASIC_BLOCKS * ctx->mem_target;
-		TRY0(xmlTextWriterWriteFormatString(writer,
-					       "%" ISC_PRINT_QUADFORMAT "u",
-					       (isc_uint64_t)
-					       ctx->basic_table_count *
-					       NUM_BASIC_BLOCKS *
-					       ctx->mem_target));
-	} else
-		TRY0(xmlTextWriterWriteFormatString(writer, "%s", "-"));
-	TRY0(xmlTextWriterEndElement(writer)); /* blocksize */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "pools"));
-	TRY0(xmlTextWriterWriteFormatString(writer, "%u", ctx->poolcnt));
-	TRY0(xmlTextWriterEndElement(writer)); /* pools */
-	summary->contextsize += ctx->poolcnt * sizeof(isc_mempool_t);
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "hiwater"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    (isc_uint64_t)ctx->hi_water));
-	TRY0(xmlTextWriterEndElement(writer)); /* hiwater */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "lowater"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    (isc_uint64_t)ctx->lo_water));
-	TRY0(xmlTextWriterEndElement(writer)); /* lowater */
-
-	TRY0(xmlTextWriterEndElement(writer)); /* context */
-
- error:
-	MCTXUNLOCK(ctx, &ctx->lock);
-
-	return (xmlrc);
-}
-
-int
-isc_mem_renderxml(xmlTextWriterPtr writer) {
-	isc__mem_t *ctx;
-	summarystat_t summary;
-	isc_uint64_t lost;
-	int xmlrc;
-
-	memset(&summary, 0, sizeof(summary));
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "contexts"));
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-
-	LOCK(&lock);
-	lost = totallost;
-	for (ctx = ISC_LIST_HEAD(contexts);
-	     ctx != NULL;
-	     ctx = ISC_LIST_NEXT(ctx, link)) {
-		xmlrc = renderctx(ctx, &summary, writer);
-		if (xmlrc < 0) {
-			UNLOCK(&lock);
-			goto error;
-		}
-	}
-	UNLOCK(&lock);
-
-	TRY0(xmlTextWriterEndElement(writer)); /* contexts */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "summary"));
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "TotalUse"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    summary.total));
-	TRY0(xmlTextWriterEndElement(writer)); /* TotalUse */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "InUse"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    summary.inuse));
-	TRY0(xmlTextWriterEndElement(writer)); /* InUse */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "BlockSize"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    summary.blocksize));
-	TRY0(xmlTextWriterEndElement(writer)); /* BlockSize */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "ContextSize"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    summary.contextsize));
-	TRY0(xmlTextWriterEndElement(writer)); /* ContextSize */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "Lost"));
-	TRY0(xmlTextWriterWriteFormatString(writer,
-					    "%" ISC_PRINT_QUADFORMAT "u",
-					    lost));
-	TRY0(xmlTextWriterEndElement(writer)); /* Lost */
-
-	TRY0(xmlTextWriterEndElement(writer)); /* summary */
- error:
-	return (xmlrc);
-}
-
-#endif /* HAVE_LIBXML2 */
-#endif /* BIND9 */
diff --git a/contrib/bind9/lib/isc/mem_api.c b/contrib/bind9/lib/isc/mem_api.c
deleted file mode 100644
index 85abb9b..0000000
--- a/contrib/bind9/lib/isc/mem_api.c
+++ /dev/null
@@ -1,303 +0,0 @@
-/*
- * Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mem_api.c,v 1.8 2010/08/12 21:30:26 jinmei Exp $ */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/util.h>
-
-#if ISC_MEM_TRACKLINES
-#define FLARG_PASS	, file, line
-#define FLARG		, const char *file, unsigned int line
-#else
-#define FLARG_PASS
-#define FLARG
-#endif
-
-static isc_mutex_t createlock;
-static isc_once_t once = ISC_ONCE_INIT;
-static isc_memcreatefunc_t mem_createfunc = NULL;
-
-static void
-initialize(void) {
-	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_mem_register(isc_memcreatefunc_t createfunc) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
-	LOCK(&createlock);
-	if (mem_createfunc == NULL)
-		mem_createfunc = createfunc;
-	else
-		result = ISC_R_EXISTS;
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-isc_result_t
-isc_mem_create(size_t init_max_size, size_t target_size, isc_mem_t **mctxp) {
-	isc_result_t result;
-
-	LOCK(&createlock);
-
-	REQUIRE(mem_createfunc != NULL);
-	result = (*mem_createfunc)(init_max_size, target_size, mctxp,
-				   ISC_MEMFLAG_DEFAULT);
-
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-isc_result_t
-isc_mem_create2(size_t init_max_size, size_t target_size, isc_mem_t **mctxp,
-		unsigned int flags)
-{
-	isc_result_t result;
-
-	LOCK(&createlock);
-
-	REQUIRE(mem_createfunc != NULL);
-	result = (*mem_createfunc)(init_max_size, target_size, mctxp, flags);
-
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-void
-isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
-	REQUIRE(ISCAPI_MCTX_VALID(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	source->methods->attach(source, targetp);
-
-	ENSURE(*targetp == source);
-}
-
-void
-isc_mem_detach(isc_mem_t **mctxp) {
-	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
-
-	(*mctxp)->methods->detach(mctxp);
-
-	ENSURE(*mctxp == NULL);
-}
-
-void
-isc_mem_destroy(isc_mem_t **mctxp) {
-	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
-
-	(*mctxp)->methods->destroy(mctxp);
-
-	ENSURE(*mctxp == NULL);
-}
-
-void *
-isc__mem_get(isc_mem_t *mctx, size_t size FLARG) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	return (mctx->methods->memget(mctx, size FLARG_PASS));
-}
-
-void
-isc__mem_put(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	mctx->methods->memput(mctx, ptr, size FLARG_PASS);
-}
-
-void
-isc__mem_putanddetach(isc_mem_t **mctxp, void *ptr, size_t size FLARG) {
-	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
-
-	(*mctxp)->methods->memputanddetach(mctxp, ptr, size FLARG_PASS);
-
-	/*
-	 * XXX: We cannot always ensure *mctxp == NULL here
-	 * (see lib/isc/mem.c).
-	 */
-}
-
-void *
-isc__mem_allocate(isc_mem_t *mctx, size_t size FLARG) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	return (mctx->methods->memallocate(mctx, size FLARG_PASS));
-}
-
-void *
-isc__mem_reallocate(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	return (mctx->methods->memreallocate(mctx, ptr, size FLARG_PASS));
-}
-
-char *
-isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	return (mctx->methods->memstrdup(mctx, s FLARG_PASS));
-}
-
-void
-isc__mem_free(isc_mem_t *mctx, void *ptr FLARG) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	mctx->methods->memfree(mctx, ptr FLARG_PASS);
-}
-
-void
-isc_mem_setdestroycheck(isc_mem_t *mctx, isc_boolean_t flag) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	mctx->methods->setdestroycheck(mctx, flag);
-}
-
-void
-isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
-		 size_t hiwater, size_t lowater)
-{
-	REQUIRE(ISCAPI_MCTX_VALID(ctx));
-
-	ctx->methods->setwater(ctx, water, water_arg, hiwater, lowater);
-}
-
-void
-isc_mem_waterack(isc_mem_t *ctx, int flag) {
-	REQUIRE(ISCAPI_MCTX_VALID(ctx));
-
-	ctx->methods->waterack(ctx, flag);
-}
-
-size_t
-isc_mem_inuse(isc_mem_t *mctx) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	return (mctx->methods->inuse(mctx));
-}
-
-isc_boolean_t
-isc_mem_isovermem(isc_mem_t *mctx) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	return (mctx->methods->isovermem(mctx));
-}
-
-void
-isc_mem_setname(isc_mem_t *mctx, const char *name, void *tag) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	UNUSED(name);
-	UNUSED(tag);
-
-	return;
-}
-
-const char *
-isc_mem_getname(isc_mem_t *mctx) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	return ("");
-}
-
-void *
-isc_mem_gettag(isc_mem_t *mctx) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	return (NULL);
-}
-
-isc_result_t
-isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
-	REQUIRE(ISCAPI_MCTX_VALID(mctx));
-
-	return (mctx->methods->mpcreate(mctx, size, mpctxp));
-}
-
-void
-isc_mempool_destroy(isc_mempool_t **mpctxp) {
-	REQUIRE(mpctxp != NULL && ISCAPI_MPOOL_VALID(*mpctxp));
-
-	(*mpctxp)->methods->destroy(mpctxp);
-
-	ENSURE(*mpctxp == NULL);
-}
-
-void *
-isc__mempool_get(isc_mempool_t *mpctx FLARG) {
-	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
-
-	return (mpctx->methods->get(mpctx FLARG_PASS));
-}
-
-void
-isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
-	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
-
-	mpctx->methods->put(mpctx, mem FLARG_PASS);
-}
-
-unsigned int
-isc_mempool_getallocated(isc_mempool_t *mpctx) {
-	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
-
-	return (mpctx->methods->getallocated(mpctx));
-}
-
-void
-isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
-	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
-
-	mpctx->methods->setmaxalloc(mpctx, limit);
-}
-
-void
-isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
-	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
-
-	mpctx->methods->setfreemax(mpctx, limit);
-}
-
-void
-isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
-	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
-
-	mpctx->methods->setname(mpctx, name);
-}
-
-void
-isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
-	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
-
-	mpctx->methods->associatelock(mpctx, lock);
-}
-
-void
-isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
-	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
-
-	mpctx->methods->setfillcount(mpctx, limit);
-}
diff --git a/contrib/bind9/lib/isc/mips/Makefile.in b/contrib/bind9/lib/isc/mips/Makefile.in
deleted file mode 100644
index 9c24cdf..0000000
--- a/contrib/bind9/lib/isc/mips/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/mips/include/Makefile.in b/contrib/bind9/lib/isc/mips/include/Makefile.in
deleted file mode 100644
index e399559..0000000
--- a/contrib/bind9/lib/isc/mips/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/mips/include/isc/Makefile.in b/contrib/bind9/lib/isc/mips/include/isc/Makefile.in
deleted file mode 100644
index 4927e21..0000000
--- a/contrib/bind9/lib/isc/mips/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	atomic.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/mips/include/isc/atomic.h b/contrib/bind9/lib/isc/mips/include/isc/atomic.h
deleted file mode 100644
index bb739f7..0000000
--- a/contrib/bind9/lib/isc/mips/include/isc/atomic.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: atomic.h,v 1.3 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_ATOMIC_H
-#define ISC_ATOMIC_H 1
-
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#ifdef ISC_PLATFORM_USEGCCASM
-/*
- * This routine atomically increments the value stored in 'p' by 'val', and
- * returns the previous value.
- */
-static inline isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, int val) {
-	isc_int32_t orig;
-
-	/* add is a cheat, since MIPS has no mov instruction */
-	__asm__ volatile (
-	    "1:"
-	    "ll $3, %1\n"
-	    "add %0, $0, $3\n"
-	    "add $3, $3, %2\n"
-	    "sc $3, %1\n"
-	    "beq $3, 0, 1b"
-	    : "=&r"(orig)
-	    : "m"(*p), "r"(val)
-	    : "memory", "$3"
-		);
-
-	return (orig);
-}
-
-/*
- * This routine atomically stores the value 'val' in 'p'.
- */
-static inline void
-isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	__asm__ volatile (
-	    "1:"
-	    "ll $3, %0\n"
-	    "add $3, $0, %1\n"
-	    "sc $3, %0\n"
-	    "beq $3, 0, 1b"
-	    :
-	    : "m"(*p), "r"(val)
-	    : "memory", "$3"
-		);
-}
-
-/*
- * This routine atomically replaces the value in 'p' with 'val', if the
- * original value is equal to 'cmpval'.  The original value is returned in any
- * case.
- */
-static inline isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
-	isc_int32_t orig;
-
-	__asm__ volatile(
-	    "1:"
-	    "ll $3, %1\n"
-	    "add %0, $0, $3\n"
-	    "bne $3, %2, 2f\n"
-	    "add $3, $0, %3\n"
-	    "sc $3, %1\n"
-	    "beq $3, 0, 1b\n"
-	    "2:"
-	    : "=&r"(orig)
-	    : "m"(*p), "r"(cmpval), "r"(val)
-	    : "memory", "$3"
-		);
-
-	return (orig);
-}
-
-#else /* !ISC_PLATFORM_USEGCCASM */
-
-#error "unsupported compiler.  disable atomic ops by --disable-atomic"
-
-#endif
-#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/mutexblock.c b/contrib/bind9/lib/isc/mutexblock.c
deleted file mode 100644
index d41e9d2..0000000
--- a/contrib/bind9/lib/isc/mutexblock.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mutexblock.h>
-#include <isc/util.h>
-
-isc_result_t
-isc_mutexblock_init(isc_mutex_t *block, unsigned int count) {
-	isc_result_t result;
-	unsigned int i;
-
-	for (i = 0; i < count; i++) {
-		result = isc_mutex_init(&block[i]);
-		if (result != ISC_R_SUCCESS) {
-			while (i > 0U) {
-				i--;
-				DESTROYLOCK(&block[i]);
-			}
-			return (result);
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count) {
-	isc_result_t result;
-	unsigned int i;
-
-	for (i = 0; i < count; i++) {
-		result = isc_mutex_destroy(&block[i]);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/netaddr.c b/contrib/bind9/lib/isc/netaddr.c
deleted file mode 100644
index 5cce1bc..0000000
--- a/contrib/bind9/lib/isc/netaddr.c
+++ /dev/null
@@ -1,434 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2010-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include <isc/buffer.h>
-#include <isc/msgs.h>
-#include <isc/net.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/sockaddr.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-isc_boolean_t
-isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b) {
-	REQUIRE(a != NULL && b != NULL);
-
-	if (a->family != b->family)
-		return (ISC_FALSE);
-
-	if (a->zone != b->zone)
-		return (ISC_FALSE);
-
-	switch (a->family) {
-	case AF_INET:
-		if (a->type.in.s_addr != b->type.in.s_addr)
-			return (ISC_FALSE);
-		break;
-	case AF_INET6:
-		if (memcmp(&a->type.in6, &b->type.in6,
-			   sizeof(a->type.in6)) != 0 ||
-		    a->zone != b->zone)
-			return (ISC_FALSE);
-		break;
-#ifdef ISC_PLATFORM_HAVESYSUNH
-	case AF_UNIX:
-		if (strcmp(a->type.un, b->type.un) != 0)
-			return (ISC_FALSE);
-		break;
-#endif
-	default:
-		return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-isc_boolean_t
-isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
-		     unsigned int prefixlen)
-{
-	const unsigned char *pa = NULL, *pb = NULL;
-	unsigned int ipabytes = 0; /* Length of whole IP address in bytes */
-	unsigned int nbytes;       /* Number of significant whole bytes */
-	unsigned int nbits;        /* Number of significant leftover bits */
-
-	REQUIRE(a != NULL && b != NULL);
-
-	if (a->family != b->family)
-		return (ISC_FALSE);
-
-	if (a->zone != b->zone && b->zone != 0)
-		return (ISC_FALSE);
-
-	switch (a->family) {
-	case AF_INET:
-		pa = (const unsigned char *) &a->type.in;
-		pb = (const unsigned char *) &b->type.in;
-		ipabytes = 4;
-		break;
-	case AF_INET6:
-		pa = (const unsigned char *) &a->type.in6;
-		pb = (const unsigned char *) &b->type.in6;
-		ipabytes = 16;
-		break;
-	default:
-		return (ISC_FALSE);
-	}
-
-	/*
-	 * Don't crash if we get a pattern like 10.0.0.1/9999999.
-	 */
-	if (prefixlen > ipabytes * 8)
-		prefixlen = ipabytes * 8;
-
-	nbytes = prefixlen / 8;
-	nbits = prefixlen % 8;
-
-	if (nbytes > 0) {
-		if (memcmp(pa, pb, nbytes) != 0)
-			return (ISC_FALSE);
-	}
-	if (nbits > 0) {
-		unsigned int bytea, byteb, mask;
-		INSIST(nbytes < ipabytes);
-		INSIST(nbits < 8);
-		bytea = pa[nbytes];
-		byteb = pb[nbytes];
-		mask = (0xFF << (8-nbits)) & 0xFF;
-		if ((bytea & mask) != (byteb & mask))
-			return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-isc_result_t
-isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target) {
-	char abuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")];
-	char zbuf[sizeof("%4294967295")];
-	unsigned int alen;
-	int zlen;
-	const char *r;
-	const void *type;
-
-	REQUIRE(netaddr != NULL);
-
-	switch (netaddr->family) {
-	case AF_INET:
-		type = &netaddr->type.in;
-		break;
-	case AF_INET6:
-		type = &netaddr->type.in6;
-		break;
-#ifdef ISC_PLATFORM_HAVESYSUNH
-	case AF_UNIX:
-		alen = strlen(netaddr->type.un);
-		if (alen > isc_buffer_availablelength(target))
-			return (ISC_R_NOSPACE);
-		isc_buffer_putmem(target,
-				  (const unsigned char *)(netaddr->type.un),
-				  alen);
-		return (ISC_R_SUCCESS);
-#endif
-	default:
-		return (ISC_R_FAILURE);
-	}
-	r = inet_ntop(netaddr->family, type, abuf, sizeof(abuf));
-	if (r == NULL)
-		return (ISC_R_FAILURE);
-
-	alen = strlen(abuf);
-	INSIST(alen < sizeof(abuf));
-
-	zlen = 0;
-	if (netaddr->family == AF_INET6 && netaddr->zone != 0) {
-		zlen = snprintf(zbuf, sizeof(zbuf), "%%%u", netaddr->zone);
-		if (zlen < 0)
-			return (ISC_R_FAILURE);
-		INSIST((unsigned int)zlen < sizeof(zbuf));
-	}
-
-	if (alen + zlen > isc_buffer_availablelength(target))
-		return (ISC_R_NOSPACE);
-
-	isc_buffer_putmem(target, (unsigned char *)abuf, alen);
-	isc_buffer_putmem(target, (unsigned char *)zbuf, zlen);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size) {
-	isc_result_t result;
-	isc_buffer_t buf;
-
-	isc_buffer_init(&buf, array, size);
-	result = isc_netaddr_totext(na, &buf);
-
-	if (size == 0)
-		return;
-
-	/*
-	 * Null terminate.
-	 */
-	if (result == ISC_R_SUCCESS) {
-		if (isc_buffer_availablelength(&buf) >= 1)
-			isc_buffer_putuint8(&buf, 0);
-		else
-			result = ISC_R_NOSPACE;
-	}
-
-	if (result != ISC_R_SUCCESS) {
-		snprintf(array, size,
-			 isc_msgcat_get(isc_msgcat, ISC_MSGSET_NETADDR,
-					ISC_MSG_UNKNOWNADDR,
-					"<unknown address, family %u>"),
-			 na->family);
-		array[size - 1] = '\0';
-	}
-}
-
-
-isc_result_t
-isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen) {
-	static const unsigned char zeros[16];
-	unsigned int nbits, nbytes, ipbytes = 0;
-	const unsigned char *p;
-
-	switch (na->family) {
-	case AF_INET:
-		p = (const unsigned char *) &na->type.in;
-		ipbytes = 4;
-		if (prefixlen > 32)
-			return (ISC_R_RANGE);
-		break;
-	case AF_INET6:
-		p = (const unsigned char *) &na->type.in6;
-		ipbytes = 16;
-		if (prefixlen > 128)
-			return (ISC_R_RANGE);
-		break;
-	default:
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-	nbytes = prefixlen / 8;
-	nbits = prefixlen % 8;
-	if (nbits != 0) {
-		if ((p[nbytes] & (0xff>>nbits)) != 0U)
-			return (ISC_R_FAILURE);
-		nbytes++;
-	}
-	if (memcmp(p + nbytes, zeros, ipbytes - nbytes) != 0)
-		return (ISC_R_FAILURE);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp) {
-	unsigned int nbits = 0, nbytes = 0, ipbytes = 0, i;
-	const unsigned char *p;
-
-	switch (s->family) {
-	case AF_INET:
-		p = (const unsigned char *) &s->type.in;
-		ipbytes = 4;
-		break;
-	case AF_INET6:
-		p = (const unsigned char *) &s->type.in6;
-		ipbytes = 16;
-		break;
-	default:
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-	for (i = 0; i < ipbytes; i++) {
-		if (p[i] != 0xFF)
-			break;
-	}
-	nbytes = i;
-	if (i < ipbytes) {
-		unsigned int c = p[nbytes];
-		while ((c & 0x80) != 0 && nbits < 8) {
-			c <<= 1; nbits++;
-		}
-		if ((c & 0xFF) != 0)
-			return (ISC_R_MASKNONCONTIG);
-		i++;
-	}
-	for (; i < ipbytes; i++) {
-		if (p[i] != 0)
-			return (ISC_R_MASKNONCONTIG);
-		i++;
-	}
-	*lenp = nbytes * 8 + nbits;
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina) {
-	memset(netaddr, 0, sizeof(*netaddr));
-	netaddr->family = AF_INET;
-	netaddr->type.in = *ina;
-}
-
-void
-isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6) {
-	memset(netaddr, 0, sizeof(*netaddr));
-	netaddr->family = AF_INET6;
-	netaddr->type.in6 = *ina6;
-}
-
-isc_result_t
-isc_netaddr_frompath(isc_netaddr_t *netaddr, const char *path) {
-#ifdef ISC_PLATFORM_HAVESYSUNH
-	if (strlen(path) > sizeof(netaddr->type.un) - 1)
-		return (ISC_R_NOSPACE);
-
-	memset(netaddr, 0, sizeof(*netaddr));
-	netaddr->family = AF_UNIX;
-	strcpy(netaddr->type.un, path);
-	netaddr->zone = 0;
-	return (ISC_R_SUCCESS);
-#else
-	UNUSED(netaddr);
-	UNUSED(path);
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-
-void
-isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone) {
-	/* we currently only support AF_INET6. */
-	REQUIRE(netaddr->family == AF_INET6);
-
-	netaddr->zone = zone;
-}
-
-isc_uint32_t
-isc_netaddr_getzone(const isc_netaddr_t *netaddr) {
-	return (netaddr->zone);
-}
-
-void
-isc_netaddr_fromsockaddr(isc_netaddr_t *t, const isc_sockaddr_t *s) {
-	int family = s->type.sa.sa_family;
-	t->family = family;
-	switch (family) {
-	case AF_INET:
-		t->type.in = s->type.sin.sin_addr;
-		t->zone = 0;
-		break;
-	case AF_INET6:
-		memcpy(&t->type.in6, &s->type.sin6.sin6_addr, 16);
-#ifdef ISC_PLATFORM_HAVESCOPEID
-		t->zone = s->type.sin6.sin6_scope_id;
-#else
-		t->zone = 0;
-#endif
-		break;
-#ifdef ISC_PLATFORM_HAVESYSUNH
-	case AF_UNIX:
-		memcpy(t->type.un, s->type.sunix.sun_path, sizeof(t->type.un));
-		t->zone = 0;
-		break;
-#endif
-	default:
-		INSIST(0);
-	}
-}
-
-void
-isc_netaddr_any(isc_netaddr_t *netaddr) {
-	memset(netaddr, 0, sizeof(*netaddr));
-	netaddr->family = AF_INET;
-	netaddr->type.in.s_addr = INADDR_ANY;
-}
-
-void
-isc_netaddr_any6(isc_netaddr_t *netaddr) {
-	memset(netaddr, 0, sizeof(*netaddr));
-	netaddr->family = AF_INET6;
-	netaddr->type.in6 = in6addr_any;
-}
-
-isc_boolean_t
-isc_netaddr_ismulticast(isc_netaddr_t *na) {
-	switch (na->family) {
-	case AF_INET:
-		return (ISC_TF(ISC_IPADDR_ISMULTICAST(na->type.in.s_addr)));
-	case AF_INET6:
-		return (ISC_TF(IN6_IS_ADDR_MULTICAST(&na->type.in6)));
-	default:
-		return (ISC_FALSE);  /* XXXMLG ? */
-	}
-}
-
-isc_boolean_t
-isc_netaddr_isexperimental(isc_netaddr_t *na) {
-	switch (na->family) {
-	case AF_INET:
-		return (ISC_TF(ISC_IPADDR_ISEXPERIMENTAL(na->type.in.s_addr)));
-	default:
-		return (ISC_FALSE);  /* XXXMLG ? */
-	}
-}
-
-isc_boolean_t
-isc_netaddr_islinklocal(isc_netaddr_t *na) {
-	switch (na->family) {
-	case AF_INET:
-		return (ISC_FALSE);
-	case AF_INET6:
-		return (ISC_TF(IN6_IS_ADDR_LINKLOCAL(&na->type.in6)));
-	default:
-		return (ISC_FALSE);
-	}
-}
-
-isc_boolean_t
-isc_netaddr_issitelocal(isc_netaddr_t *na) {
-	switch (na->family) {
-	case AF_INET:
-		return (ISC_FALSE);
-	case AF_INET6:
-		return (ISC_TF(IN6_IS_ADDR_SITELOCAL(&na->type.in6)));
-	default:
-		return (ISC_FALSE);
-	}
-}
-
-void
-isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s) {
-	isc_netaddr_t *src;
-
-	DE_CONST(s, src);	/* Must come before IN6_IS_ADDR_V4MAPPED. */
-
-	REQUIRE(s->family == AF_INET6);
-	REQUIRE(IN6_IS_ADDR_V4MAPPED(&src->type.in6));
-
-	memset(t, 0, sizeof(*t));
-	t->family = AF_INET;
-	memcpy(&t->type.in, (char *)&src->type.in6 + 12, 4);
-	return;
-}
diff --git a/contrib/bind9/lib/isc/netscope.c b/contrib/bind9/lib/isc/netscope.c
deleted file mode 100644
index 9aa11db..0000000
--- a/contrib/bind9/lib/isc/netscope.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*! \file */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
-	"$Id: netscope.c,v 1.13 2007/06/19 23:47:17 tbox Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <isc/string.h>
-#include <isc/net.h>
-#include <isc/netscope.h>
-#include <isc/result.h>
-
-isc_result_t
-isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid) {
-	char *ep;
-#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
-	unsigned int ifid;
-#endif
-	struct in6_addr *in6;
-	isc_uint32_t zone;
-	isc_uint64_t llz;
-
-	/* at this moment, we only support AF_INET6 */
-	if (af != AF_INET6)
-		return (ISC_R_FAILURE);
-
-	in6 = (struct in6_addr *)addr;
-
-	/*
-	 * Basically, "names" are more stable than numeric IDs in terms of
-	 * renumbering, and are more preferred.  However, since there is no
-	 * standard naming convention and APIs to deal with the names.  Thus,
-	 * we only handle the case of link-local addresses, for which we use
-	 * interface names as link names, assuming one to one mapping between
-	 * interfaces and links.
-	 */
-#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
-	if (IN6_IS_ADDR_LINKLOCAL(in6) &&
-	    (ifid = if_nametoindex((const char *)scopename)) != 0)
-		zone = (isc_uint32_t)ifid;
-	else {
-#endif
-		llz = isc_string_touint64(scopename, &ep, 10);
-		if (ep == scopename)
-			return (ISC_R_FAILURE);
-
-		/* check overflow */
-		zone = (isc_uint32_t)(llz & 0xffffffffUL);
-		if (zone != llz)
-			return (ISC_R_FAILURE);
-#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
-	}
-#endif
-
-	*zoneid = zone;
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/nls/Makefile.in b/contrib/bind9/lib/isc/nls/Makefile.in
deleted file mode 100644
index 7bacf1c..0000000
--- a/contrib/bind9/lib/isc/nls/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.17 2009/12/05 23:31:41 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-CINCLUDES =	-I../unix/include \
-		-I${srcdir}/../unix/include \
-		-I../include \
-		-I${srcdir}/../include
-
-CDEFINES =
-CWARNINGS =
-
-OBJS =		msgcat.@O@
-
-SRCS =		msgcat.c
-
-SUBDIRS =
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/nls/msgcat.c b/contrib/bind9/lib/isc/nls/msgcat.c
deleted file mode 100644
index 3d6b676..0000000
--- a/contrib/bind9/lib/isc/nls/msgcat.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: msgcat.c,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
-
-/*! \file msgcat.c
- *
- * \author Principal Author: Bob Halley
- */
-
-#include <config.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <isc/magic.h>
-#include <isc/msgcat.h>
-#include <isc/util.h>
-
-#ifdef HAVE_CATGETS
-#include <nl_types.h>		/* Required for nl_catd. */
-#endif
-
-/*
- * Implementation Notes:
- *
- *	We use malloc() and free() instead of isc_mem_get() and isc_mem_put()
- *	because we don't want to require a memory context to be specified
- *	in order to use a message catalog.
- */
-
-struct isc_msgcat {
-	unsigned int	magic;
-#ifdef HAVE_CATGETS
-	nl_catd		catalog;
-#endif
-};
-
-#define MSGCAT_MAGIC			ISC_MAGIC('M', 'C', 'a', 't')
-#define VALID_MSGCAT(m)			ISC_MAGIC_VALID(m, MSGCAT_MAGIC)
-
-void
-isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp) {
-	isc_msgcat_t *msgcat;
-
-	/*
-	 * Open a message catalog.
-	 */
-
-	REQUIRE(name != NULL);
-	REQUIRE(msgcatp != NULL && *msgcatp == NULL);
-
-	msgcat = malloc(sizeof(*msgcat));
-	if (msgcat == NULL) {
-		*msgcatp = NULL;
-		return;
-	}
-
-#ifdef HAVE_CATGETS
-	/*
-	 * We don't check if catopen() fails because we don't care.
-	 * If it does fail, then when we call catgets(), it will use
-	 * the default string.
-	 */
-	msgcat->catalog = catopen(name, 0);
-#endif
-	msgcat->magic = MSGCAT_MAGIC;
-
-	*msgcatp = msgcat;
-}
-
-void
-isc_msgcat_close(isc_msgcat_t **msgcatp) {
-	isc_msgcat_t *msgcat;
-
-	/*
-	 * Close a message catalog.
-	 */
-
-	REQUIRE(msgcatp != NULL);
-	msgcat = *msgcatp;
-	REQUIRE(VALID_MSGCAT(msgcat) || msgcat == NULL);
-
-	if (msgcat != NULL) {
-#ifdef HAVE_CATGETS
-		if (msgcat->catalog != (nl_catd)(-1))
-			(void)catclose(msgcat->catalog);
-#endif
-		msgcat->magic = 0;
-		free(msgcat);
-	}
-
-	*msgcatp = NULL;
-}
-
-const char *
-isc_msgcat_get(isc_msgcat_t *msgcat, int set, int message,
-	       const char *default_text)
-{
-	/*
-	 * Get message 'message' from message set 'set' in 'msgcat'.  If it
-	 * is not available, use 'default'.
-	 */
-
-	REQUIRE(VALID_MSGCAT(msgcat) || msgcat == NULL);
-	REQUIRE(set > 0);
-	REQUIRE(message > 0);
-	REQUIRE(default_text != NULL);
-
-#ifdef HAVE_CATGETS
-	if (msgcat == NULL)
-		return (default_text);
-	return (catgets(msgcat->catalog, set, message, default_text));
-#else
-	return (default_text);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/noatomic/Makefile.in b/contrib/bind9/lib/isc/noatomic/Makefile.in
deleted file mode 100644
index 9c24cdf..0000000
--- a/contrib/bind9/lib/isc/noatomic/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/noatomic/include/Makefile.in b/contrib/bind9/lib/isc/noatomic/include/Makefile.in
deleted file mode 100644
index e399559..0000000
--- a/contrib/bind9/lib/isc/noatomic/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/noatomic/include/isc/Makefile.in b/contrib/bind9/lib/isc/noatomic/include/isc/Makefile.in
deleted file mode 100644
index 4927e21..0000000
--- a/contrib/bind9/lib/isc/noatomic/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	atomic.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/noatomic/include/isc/atomic.h b/contrib/bind9/lib/isc/noatomic/include/isc/atomic.h
deleted file mode 100644
index 942ba03..0000000
--- a/contrib/bind9/lib/isc/noatomic/include/isc/atomic.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: atomic.h,v 1.4 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_ATOMIC_H
-#define ISC_ATOMIC_H 1
-
-/* This file is inherently empty. */
-
-#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/nothreads/Makefile.in b/contrib/bind9/lib/isc/nothreads/Makefile.in
deleted file mode 100644
index b8b5f98..0000000
--- a/contrib/bind9/lib/isc/nothreads/Makefile.in
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.12 2010/06/09 23:50:58 tbox Exp $
-
-top_srcdir =	@top_srcdir@
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-
-CINCLUDES =	-I${srcdir}/include \
-		-I${srcdir}/../unix/include \
-		-I../include \
-		-I${srcdir}/../include \
-		-I${srcdir}/..
-
-CDEFINES =
-CWARNINGS =
-
-THREADOPTOBJS = condition.@O@ mutex.@O@
-OBJS =		@THREADOPTOBJS@ thread.@O@
-
-THREADOPTSRCS = condition.c mutex.c
-SRCS =		@THREADOPTSRCS@ thread.c
-
-SUBDIRS =	include
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/nothreads/condition.c b/contrib/bind9/lib/isc/nothreads/condition.c
deleted file mode 100644
index 9be8f83..0000000
--- a/contrib/bind9/lib/isc/nothreads/condition.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: condition.c,v 1.10 2007/06/19 23:47:18 tbox Exp $ */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
diff --git a/contrib/bind9/lib/isc/nothreads/include/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/Makefile.in
deleted file mode 100644
index 662a72d..0000000
--- a/contrib/bind9/lib/isc/nothreads/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.5 2007/06/19 23:47:18 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
deleted file mode 100644
index a2c347e..0000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.7 2007/06/19 23:47:18 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	condition.h mutex.h once.h thread.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/condition.h b/contrib/bind9/lib/isc/nothreads/include/isc/condition.h
deleted file mode 100644
index b269f82..0000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/condition.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: condition.h,v 1.6 2007/06/19 23:47:18 tbox Exp $ */
-
-/*
- * This provides a limited subset of the isc_condition_t
- * functionality for use by single-threaded programs that
- * need to block waiting for events.   Only a single
- * call to isc_condition_wait() may be blocked at any given
- * time, and the _waituntil and _broadcast functions are not
- * supported.  This is intended primarily for use by the omapi
- * library, and may go away once omapi goes away.  Use for
- * other purposes is strongly discouraged.
- */
-
-#ifndef ISC_CONDITION_H
-#define ISC_CONDITION_H 1
-
-#include <isc/mutex.h>
-
-typedef int isc_condition_t;
-
-isc_result_t isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp);
-isc_result_t isc__nothread_signal_hack(isc_condition_t *cp);
-
-#define isc_condition_init(cp) \
-	(*(cp) = 0, ISC_R_SUCCESS)
-
-#define isc_condition_wait(cp, mp) \
-	isc__nothread_wait_hack(cp, mp)
-
-#define isc_condition_waituntil(cp, mp, tp) \
-	((void)(cp), (void)(mp), (void)(tp), ISC_R_NOTIMPLEMENTED)
-
-#define isc_condition_signal(cp) \
-	isc__nothread_signal_hack(cp)
-
-#define isc_condition_broadcast(cp) \
-	((void)(cp), ISC_R_NOTIMPLEMENTED)
-
-#define isc_condition_destroy(cp) \
-	(*(cp) == 0 ? (*(cp) = -1, ISC_R_SUCCESS) : ISC_R_UNEXPECTED)
-
-#endif /* ISC_CONDITION_H */
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h b/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h
deleted file mode 100644
index 1f2187b..0000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutex.h,v 1.6 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_MUTEX_H
-#define ISC_MUTEX_H 1
-
-#include <isc/result.h>		/* for ISC_R_ codes */
-
-typedef int isc_mutex_t;
-
-#define isc_mutex_init(mp) \
-	(*(mp) = 0, ISC_R_SUCCESS)
-#define isc_mutex_lock(mp) \
-	((*(mp))++ == 0 ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#define isc_mutex_unlock(mp) \
-	(--(*(mp)) == 0 ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#define isc_mutex_trylock(mp) \
-	(*(mp) == 0 ? ((*(mp))++, ISC_R_SUCCESS) : ISC_R_LOCKBUSY)
-#define isc_mutex_destroy(mp) \
-	(*(mp) == 0 ? (*(mp) = -1, ISC_R_SUCCESS) : ISC_R_UNEXPECTED)
-#define isc_mutex_stats(fp)
-
-#endif /* ISC_MUTEX_H */
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/once.h b/contrib/bind9/lib/isc/nothreads/include/isc/once.h
deleted file mode 100644
index ab705a4..0000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/once.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: once.h,v 1.6 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_ONCE_H
-#define ISC_ONCE_H 1
-
-#include <isc/result.h>
-
-typedef isc_boolean_t isc_once_t;
-
-#define ISC_ONCE_INIT ISC_FALSE
-
-#define isc_once_do(op, f) \
-	(!*(op) ? (f(), *(op) = ISC_TRUE, ISC_R_SUCCESS) : ISC_R_SUCCESS)
-
-#endif /* ISC_ONCE_H */
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/thread.h b/contrib/bind9/lib/isc/nothreads/include/isc/thread.h
deleted file mode 100644
index 313bc5f..0000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/thread.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: thread.h,v 1.6 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_THREAD_H
-#define ISC_THREAD_H 1
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_thread_setconcurrency(unsigned int level);
-
-#define isc_thread_self() ((unsigned long)0)
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_THREAD_H */
diff --git a/contrib/bind9/lib/isc/nothreads/mutex.c b/contrib/bind9/lib/isc/nothreads/mutex.c
deleted file mode 100644
index 50ba0f4..0000000
--- a/contrib/bind9/lib/isc/nothreads/mutex.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutex.c,v 1.10 2007/06/19 23:47:18 tbox Exp $ */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
diff --git a/contrib/bind9/lib/isc/nothreads/thread.c b/contrib/bind9/lib/isc/nothreads/thread.c
deleted file mode 100644
index 9075e25..0000000
--- a/contrib/bind9/lib/isc/nothreads/thread.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: thread.c,v 1.5 2007/06/19 23:47:18 tbox Exp $ */
-
-#include <config.h>
-
-#include <isc/thread.h>
-#include <isc/util.h>
-
-void
-isc_thread_setconcurrency(unsigned int level) {
-	UNUSED(level);
-}
diff --git a/contrib/bind9/lib/isc/ondestroy.c b/contrib/bind9/lib/isc/ondestroy.c
deleted file mode 100644
index 32a75e1..0000000
--- a/contrib/bind9/lib/isc/ondestroy.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ondestroy.c,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/event.h>
-#include <isc/magic.h>
-#include <isc/ondestroy.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#define ONDESTROY_MAGIC		ISC_MAGIC('D', 'e', 'S', 't')
-#define VALID_ONDESTROY(s)	ISC_MAGIC_VALID(s, ONDESTROY_MAGIC)
-
-void
-isc_ondestroy_init(isc_ondestroy_t *ondest) {
-	ondest->magic = ONDESTROY_MAGIC;
-	ISC_LIST_INIT(ondest->events);
-}
-
-isc_result_t
-isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
-		       isc_event_t **eventp)
-{
-	isc_event_t *theevent;
-	isc_task_t *thetask = NULL;
-
-	REQUIRE(VALID_ONDESTROY(ondest));
-	REQUIRE(task != NULL);
-	REQUIRE(eventp != NULL);
-
-	theevent = *eventp;
-
-	REQUIRE(theevent != NULL);
-
-	isc_task_attach(task, &thetask);
-
-	theevent->ev_sender = thetask;
-
-	ISC_LIST_APPEND(ondest->events, theevent, ev_link);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender) {
-	isc_event_t *eventp;
-	isc_task_t *task;
-
-	REQUIRE(VALID_ONDESTROY(ondest));
-
-	eventp = ISC_LIST_HEAD(ondest->events);
-	while (eventp != NULL) {
-		ISC_LIST_UNLINK(ondest->events, eventp, ev_link);
-
-		task = eventp->ev_sender;
-		eventp->ev_sender = sender;
-
-		isc_task_sendanddetach(&task, &eventp);
-
-		eventp = ISC_LIST_HEAD(ondest->events);
-	}
-}
-
-
diff --git a/contrib/bind9/lib/isc/parseint.c b/contrib/bind9/lib/isc/parseint.c
deleted file mode 100644
index f8ec389..0000000
--- a/contrib/bind9/lib/isc/parseint.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: parseint.c,v 1.8 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <limits.h>
-
-#include <isc/parseint.h>
-#include <isc/result.h>
-#include <isc/stdlib.h>
-
-isc_result_t
-isc_parse_uint32(isc_uint32_t *uip, const char *string, int base) {
-	unsigned long n;
-	isc_uint32_t r;
-	char *e;
-	if (! isalnum((unsigned char)(string[0])))
-		return (ISC_R_BADNUMBER);
-	errno = 0;
-	n = strtoul(string, &e, base);
-	if (*e != '\0')
-		return (ISC_R_BADNUMBER);
-	/*
-	 * Where long is 64 bits we need to convert to 32 bits then test for
-	 * equality.  This is a no-op on 32 bit machines and a good compiler
-	 * will optimise it away.
-	 */
-	r = (isc_uint32_t)n;
-	if ((n == ULONG_MAX && errno == ERANGE) || (n != (unsigned long)r))
-		return (ISC_R_RANGE);
-	*uip = r;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_parse_uint16(isc_uint16_t *uip, const char *string, int base) {
-	isc_uint32_t val;
-	isc_result_t result;
-	result = isc_parse_uint32(&val, string, base);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (val > 0xFFFF)
-		return (ISC_R_RANGE);
-	*uip = (isc_uint16_t) val;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_parse_uint8(isc_uint8_t *uip, const char *string, int base) {
-	isc_uint32_t val;
-	isc_result_t result;
-	result = isc_parse_uint32(&val, string, base);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (val > 0xFF)
-		return (ISC_R_RANGE);
-	*uip = (isc_uint8_t) val;
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/pool.c b/contrib/bind9/lib/isc/pool.c
deleted file mode 100644
index 509abcb..0000000
--- a/contrib/bind9/lib/isc/pool.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/mem.h>
-#include <isc/random.h>
-#include <isc/pool.h>
-#include <isc/util.h>
-
-/***
- *** Types.
- ***/
-
-struct isc_pool {
-	isc_mem_t *			mctx;
-	unsigned int			count;
-	isc_pooldeallocator_t		free;
-	isc_poolinitializer_t		init;
-	void *				initarg;
-	void **				pool;
-};
-
-/***
- *** Functions.
- ***/
-
-static isc_result_t
-alloc_pool(isc_mem_t *mctx, unsigned int count, isc_pool_t **poolp) {
-	isc_pool_t *pool;
-
-	pool = isc_mem_get(mctx, sizeof(*pool));
-	if (pool == NULL)
-		return (ISC_R_NOMEMORY);
-	pool->count = count;
-	pool->free = NULL;
-	pool->init = NULL;
-	pool->initarg = NULL;
-	pool->mctx = NULL;
-	isc_mem_attach(mctx, &pool->mctx);
-	pool->pool = isc_mem_get(mctx, count * sizeof(void *));
-	if (pool->pool == NULL) {
-		isc_mem_put(mctx, pool, sizeof(*pool));
-		return (ISC_R_NOMEMORY);
-	}
-	memset(pool->pool, 0, count * sizeof(void *));
-
-	*poolp = pool;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_pool_create(isc_mem_t *mctx, unsigned int count,
-		   isc_pooldeallocator_t free,
-		   isc_poolinitializer_t init, void *initarg,
-		   isc_pool_t **poolp)
-{
-	isc_pool_t *pool = NULL;
-	isc_result_t result;
-	unsigned int i;
-
-	INSIST(count > 0);
-
-	/* Allocate the pool structure */
-	result = alloc_pool(mctx, count, &pool);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	pool->free = free;
-	pool->init = init;
-	pool->initarg = initarg;
-
-	/* Populate the pool */
-	for (i = 0; i < count; i++) {
-		result = init(&pool->pool[i], initarg);
-		if (result != ISC_R_SUCCESS) {
-			isc_pool_destroy(&pool);
-			return (result);
-		}
-	}
-
-	*poolp = pool;
-	return (ISC_R_SUCCESS);
-}
-
-void *
-isc_pool_get(isc_pool_t *pool) {
-	isc_uint32_t i;
-	isc_random_get(&i);
-	return (pool->pool[i % pool->count]);
-}
-
-int
-isc_pool_count(isc_pool_t *pool) {
-	REQUIRE(pool != NULL);
-	return (pool->count);
-}
-
-isc_result_t
-isc_pool_expand(isc_pool_t **sourcep, unsigned int count,
-		   isc_pool_t **targetp)
-{
-	isc_result_t result;
-	isc_pool_t *pool;
-
-	REQUIRE(sourcep != NULL && *sourcep != NULL);
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	pool = *sourcep;
-	if (count > pool->count) {
-		isc_pool_t *newpool = NULL;
-		unsigned int i;
-
-		/* Allocate a new pool structure */
-		result = alloc_pool(pool->mctx, count, &newpool);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		newpool->free = pool->free;
-		newpool->init = pool->init;
-		newpool->initarg = pool->initarg;
-
-		/* Copy over the objects from the old pool */
-		for (i = 0; i < pool->count; i++) {
-			newpool->pool[i] = pool->pool[i];
-			pool->pool[i] = NULL;
-		}
-
-		/* Populate the new entries */
-		for (i = pool->count; i < count; i++) {
-			result = pool->init(&newpool->pool[i], pool->initarg);
-			if (result != ISC_R_SUCCESS) {
-				isc_pool_destroy(&pool);
-				return (result);
-			}
-		}
-
-		isc_pool_destroy(&pool);
-		pool = newpool;
-	}
-
-	*sourcep = NULL;
-	*targetp = pool;
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_pool_destroy(isc_pool_t **poolp) {
-	unsigned int i;
-	isc_pool_t *pool = *poolp;
-	for (i = 0; i < pool->count; i++) {
-		if (pool->free != NULL && pool->pool[i] != NULL)
-			pool->free(&pool->pool[i]);
-	}
-	isc_mem_put(pool->mctx, pool->pool, pool->count * sizeof(void *));
-	isc_mem_putanddetach(&pool->mctx, pool, sizeof(*pool));
-	*poolp = NULL;
-}
diff --git a/contrib/bind9/lib/isc/portset.c b/contrib/bind9/lib/isc/portset.c
deleted file mode 100644
index 471ca8e..0000000
--- a/contrib/bind9/lib/isc/portset.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: portset.c,v 1.4 2008/06/24 23:24:35 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/portset.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#define ISC_PORTSET_BUFSIZE (65536 / (sizeof(isc_uint32_t) * 8))
-
-/*%
- * Internal representation of portset.  It's an array of 32-bit integers, each
- * bit corresponding to a single port in the ascending order.  For example,
- * the second most significant bit of buf[0] corresponds to port 1.
- */
-struct isc_portset {
-	unsigned int nports;	/*%< number of ports in the set */
-	isc_uint32_t buf[ISC_PORTSET_BUFSIZE];
-};
-
-static inline isc_boolean_t
-portset_isset(isc_portset_t *portset, in_port_t port) {
-	return (ISC_TF((portset->buf[port >> 5] & (1 << (port & 31))) != 0));
-}
-
-static inline void
-portset_add(isc_portset_t *portset, in_port_t port) {
-	if (!portset_isset(portset, port)) {
-		portset->nports++;
-		portset->buf[port >> 5] |= (1 << (port & 31));
-	}
-}
-
-static inline void
-portset_remove(isc_portset_t *portset, in_port_t port) {
-	if (portset_isset(portset, port)) {
-		portset->nports--;
-		portset->buf[port >> 5] &= ~(1 << (port & 31));
-	}
-}
-
-isc_result_t
-isc_portset_create(isc_mem_t *mctx, isc_portset_t **portsetp) {
-	isc_portset_t *portset;
-
-	REQUIRE(portsetp != NULL && *portsetp == NULL);
-
-	portset = isc_mem_get(mctx, sizeof(*portset));
-	if (portset == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/* Make the set 'empty' by default */
-	memset(portset, 0, sizeof(*portset));
-	*portsetp = portset;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_portset_destroy(isc_mem_t *mctx, isc_portset_t **portsetp) {
-	isc_portset_t *portset;
-
-	REQUIRE(portsetp != NULL);
-	portset = *portsetp;
-
-	isc_mem_put(mctx, portset, sizeof(*portset));
-}
-
-isc_boolean_t
-isc_portset_isset(isc_portset_t *portset, in_port_t port) {
-	REQUIRE(portset != NULL);
-
-	return (portset_isset(portset, port));
-}
-
-unsigned int
-isc_portset_nports(isc_portset_t *portset) {
-	REQUIRE(portset != NULL);
-
-	return (portset->nports);
-}
-
-void
-isc_portset_add(isc_portset_t *portset, in_port_t port) {
-	REQUIRE(portset != NULL);
-
-	portset_add(portset, port);
-}
-
-void
-isc_portset_remove(isc_portset_t *portset, in_port_t port) {
-	portset_remove(portset, port);
-}
-
-void
-isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
-		     in_port_t port_hi)
-{
-	in_port_t p;
-
-	REQUIRE(portset != NULL);
-	REQUIRE(port_lo <= port_hi);
-
-	p = port_lo;
-	do {
-		portset_add(portset, p);
-	} while (p++ < port_hi);
-}
-
-void
-isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
-			in_port_t port_hi)
-{
-	in_port_t p;
-
-	REQUIRE(portset != NULL);
-	REQUIRE(port_lo <= port_hi);
-
-	p = port_lo;
-	do {
-		portset_remove(portset, p);
-	} while (p++ < port_hi);
-}
diff --git a/contrib/bind9/lib/isc/powerpc/Makefile.in b/contrib/bind9/lib/isc/powerpc/Makefile.in
deleted file mode 100644
index 9c24cdf..0000000
--- a/contrib/bind9/lib/isc/powerpc/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/powerpc/include/Makefile.in b/contrib/bind9/lib/isc/powerpc/include/Makefile.in
deleted file mode 100644
index e399559..0000000
--- a/contrib/bind9/lib/isc/powerpc/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/powerpc/include/isc/Makefile.in b/contrib/bind9/lib/isc/powerpc/include/isc/Makefile.in
deleted file mode 100644
index 4927e21..0000000
--- a/contrib/bind9/lib/isc/powerpc/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	atomic.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/powerpc/include/isc/atomic.h b/contrib/bind9/lib/isc/powerpc/include/isc/atomic.h
deleted file mode 100644
index 030007f..0000000
--- a/contrib/bind9/lib/isc/powerpc/include/isc/atomic.h
+++ /dev/null
@@ -1,197 +0,0 @@
-/*
- * Copyright (C) 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_ATOMIC_H
-#define ISC_ATOMIC_H 1
-
-#include <isc/platform.h>
-#include <isc/types.h>
-
-/*!\file
- * static inline isc_int32_t
- * isc_atomic_xadd(isc_int32_t *p, isc_int32_t val);
- *
- * This routine atomically increments the value stored in 'p' by 'val', and
- * returns the previous value.
- *
- * static inline void
- * isc_atomic_store(void *p, isc_int32_t val);
- *
- * This routine atomically stores the value 'val' in 'p'.
- *
- * static inline isc_int32_t
- * isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val);
- *
- * This routine atomically replaces the value in 'p' with 'val', if the
- * original value is equal to 'cmpval'.  The original value is returned in any
- * case.
- */
-
-#if defined(_AIX)
-
-#include <sys/atomic_op.h>
-
-#define isc_atomic_store(p, v) _clear_lock(p, v)
-
-#ifdef __GNUC__
-static inline isc_int32_t
-#else
-static isc_int32_t
-#endif
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	int ret;
-
-#ifdef __GNUC__
-	asm("ics");
-#else
-	 __isync();
-#endif
-
-	ret = fetch_and_add((atomic_p)p, (int)val);
-
-#ifdef __GNUC__
-	asm("ics");
-#else
-	 __isync();
-#endif
-
-	 return (ret);
-}
-
-#ifdef __GNUC__
-static inline int
-#else
-static int
-#endif
-isc_atomic_cmpxchg(atomic_p p, int old, int new) {
-	int orig = old;
-
-#ifdef __GNUC__
-	asm("ics");
-#else
-	 __isync();
-#endif
-	if (compare_and_swap(p, &orig, new))
-		orig = old;
-
-#ifdef __GNUC__
-	asm("ics");
-#else
-	 __isync();
-#endif
-
-	return (orig);
-}
-
-#elif defined(ISC_PLATFORM_USEGCCASM) || defined(ISC_PLATFORM_USEMACASM)
-static inline isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	isc_int32_t orig;
-
-	__asm__ volatile (
-#ifdef ISC_PLATFORM_USEMACASM
-		"1:"
-		"lwarx r6, 0, %1\n"
-		"mr %0, r6\n"
-		"add r6, r6, %2\n"
-		"stwcx. r6, 0, %1\n"
-		"bne- 1b\n"
-		"sync"
-#else
-		"1:"
-		"lwarx 6, 0, %1\n"
-		"mr %0, 6\n"
-		"add 6, 6, %2\n"
-		"stwcx. 6, 0, %1\n"
-		"bne- 1b\n"
-		"sync"
-#endif
-		: "=&r"(orig)
-		: "r"(p), "r"(val)
-		: "r6", "memory"
-		);
-
-	return (orig);
-}
-
-static inline void
-isc_atomic_store(void *p, isc_int32_t val) {
-	__asm__ volatile (
-#ifdef ISC_PLATFORM_USEMACASM
-		"1:"
-		"lwarx r6, 0, %0\n"
-		"lwz r6, %1\n"
-		"stwcx. r6, 0, %0\n"
-		"bne- 1b\n"
-		"sync"
-#else
-		"1:"
-		"lwarx 6, 0, %0\n"
-		"lwz 6, %1\n"
-		"stwcx. 6, 0, %0\n"
-		"bne- 1b\n"
-		"sync"
-#endif
-		:
-		: "r"(p), "m"(val)
-		: "r6", "memory"
-		);
-}
-
-static inline isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
-	isc_int32_t orig;
-
-	__asm__ volatile (
-#ifdef ISC_PLATFORM_USEMACASM
-		"1:"
-		"lwarx r6, 0, %1\n"
-		"mr %0,r6\n"
-		"cmpw r6, %2\n"
-		"bne 2f\n"
-		"mr r6, %3\n"
-		"stwcx. r6, 0, %1\n"
-		"bne- 1b\n"
-		"2:\n"
-		"sync"
-#else
-		"1:"
-		"lwarx 6, 0, %1\n"
-		"mr %0,6\n"
-		"cmpw 6, %2\n"
-		"bne 2f\n"
-		"mr 6, %3\n"
-		"stwcx. 6, 0, %1\n"
-		"bne- 1b\n"
-		"2:\n"
-		"sync"
-#endif
-		: "=&r" (orig)
-		: "r"(p), "r"(cmpval), "r"(val)
-		: "r6", "memory"
-		);
-
-	return (orig);
-}
-
-#else
-
-#error "unsupported compiler.  disable atomic ops by --disable-atomic"
-
-#endif
-#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/print.c b/contrib/bind9/lib/isc/print.c
deleted file mode 100644
index a5e5ba6..0000000
--- a/contrib/bind9/lib/isc/print.c
+++ /dev/null
@@ -1,624 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: print.c,v 1.37 2010/10/18 23:47:08 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdio.h>		/* for sprintf() */
-#include <string.h>		/* for strlen() */
-
-#define	ISC__PRINT_SOURCE	/* Used to get the isc_print_* prototypes. */
-
-#include <isc/assertions.h>
-#include <isc/int.h>
-#include <isc/msgs.h>
-#include <isc/print.h>
-#include <isc/stdlib.h>
-#include <isc/util.h>
-
-int
-isc_print_sprintf(char *str, const char *format, ...) {
-	va_list ap;
-
-	va_start(ap, format);
-	vsprintf(str, format, ap);
-	va_end(ap);
-	return (strlen(str));
-}
-
-/*!
- * Return length of string that would have been written if not truncated.
- */
-
-int
-isc_print_snprintf(char *str, size_t size, const char *format, ...) {
-	va_list ap;
-	int ret;
-
-	va_start(ap, format);
-	ret = vsnprintf(str, size, format, ap);
-	va_end(ap);
-	return (ret);
-
-}
-
-/*!
- * Return length of string that would have been written if not truncated.
- */
-
-int
-isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
-	int h;
-	int l;
-	int q;
-	int alt;
-	int zero;
-	int left;
-	int plus;
-	int space;
-	int neg;
-	isc_int64_t tmpi;
-	isc_uint64_t tmpui;
-	unsigned long width;
-	unsigned long precision;
-	unsigned int length;
-	char buf[1024];
-	char c;
-	void *v;
-	char *save = str;
-	const char *cp;
-	const char *head;
-	int count = 0;
-	int pad;
-	int zeropad;
-	int dot;
-	double dbl;
-#ifdef HAVE_LONG_DOUBLE
-	long double ldbl;
-#endif
-	char fmt[32];
-
-	INSIST(str != NULL);
-	INSIST(format != NULL);
-
-	while (*format != '\0') {
-		if (*format != '%') {
-			if (size > 1) {
-				*str++ = *format;
-				size--;
-			}
-			count++;
-			format++;
-			continue;
-		}
-		format++;
-
-		/*
-		 * Reset flags.
-		 */
-		dot = neg = space = plus = left = zero = alt = h = l = q = 0;
-		width = precision = 0;
-		head = "";
-		length = pad = zeropad = 0;
-
-		do {
-			if (*format == '#') {
-				alt = 1;
-				format++;
-			} else if (*format == '-') {
-				left = 1;
-				zero = 0;
-				format++;
-			} else if (*format == ' ') {
-				if (!plus)
-					space = 1;
-				format++;
-			} else if (*format == '+') {
-				plus = 1;
-				space = 0;
-				format++;
-			} else if (*format == '0') {
-				if (!left)
-					zero = 1;
-				format++;
-			} else
-				break;
-		} while (1);
-
-		/*
-		 * Width.
-		 */
-		if (*format == '*') {
-			width = va_arg(ap, int);
-			format++;
-		} else if (isdigit((unsigned char)*format)) {
-			char *e;
-			width = strtoul(format, &e, 10);
-			format = e;
-		}
-
-		/*
-		 * Precision.
-		 */
-		if (*format == '.') {
-			format++;
-			dot = 1;
-			if (*format == '*') {
-				precision = va_arg(ap, int);
-				format++;
-			} else if (isdigit((unsigned char)*format)) {
-				char *e;
-				precision = strtoul(format, &e, 10);
-				format = e;
-			}
-		}
-
-		switch (*format) {
-		case '\0':
-			continue;
-		case '%':
-			if (size > 1) {
-				*str++ = *format;
-				size--;
-			}
-			count++;
-			break;
-		case 'q':
-			q = 1;
-			format++;
-			goto doint;
-		case 'h':
-			h = 1;
-			format++;
-			goto doint;
-		case 'l':
-			l = 1;
-			format++;
-			if (*format == 'l') {
-				q = 1;
-				format++;
-			}
-			goto doint;
-		case 'n':
-		case 'i':
-		case 'd':
-		case 'o':
-		case 'u':
-		case 'x':
-		case 'X':
-		doint:
-			if (precision != 0)
-				zero = 0;
-			switch (*format) {
-			case 'n':
-				if (h) {
-					short int *p;
-					p = va_arg(ap, short *);
-					REQUIRE(p != NULL);
-					*p = str - save;
-				} else if (l) {
-					long int *p;
-					p = va_arg(ap, long *);
-					REQUIRE(p != NULL);
-					*p = str - save;
-				} else {
-					int *p;
-					p = va_arg(ap, int *);
-					REQUIRE(p != NULL);
-					*p = str - save;
-				}
-				break;
-			case 'i':
-			case 'd':
-				if (q)
-					tmpi = va_arg(ap, isc_int64_t);
-				else if (l)
-					tmpi = va_arg(ap, long int);
-				else
-					tmpi = va_arg(ap, int);
-				if (tmpi < 0) {
-					head = "-";
-					tmpui = -tmpi;
-				} else {
-					if (plus)
-						head = "+";
-					else if (space)
-						head = " ";
-					else
-						head = "";
-					tmpui = tmpi;
-				}
-				if (tmpui <= 0xffffffffU)
-					sprintf(buf, "%lu",
-						(unsigned long)tmpui);
-				else {
-					unsigned long mid;
-					unsigned long lo;
-					unsigned long hi;
-					lo = tmpui % 1000000000;
-					tmpui /= 1000000000;
-					mid = tmpui % 1000000000;
-					hi = tmpui / 1000000000;
-					if (hi != 0)
-						sprintf(buf, "%lu", hi);
-					else
-						buf[0] = '\n';
-					sprintf(buf + strlen(buf), "%lu", mid);
-					sprintf(buf + strlen(buf), "%lu", lo);
-				}
-				goto printint;
-			case 'o':
-				if (q)
-					tmpui = va_arg(ap, isc_uint64_t);
-				else if (l)
-					tmpui = va_arg(ap, long int);
-				else
-					tmpui = va_arg(ap, int);
-				if (tmpui <= 0xffffffffU)
-					sprintf(buf, alt ?  "%#lo" : "%lo",
-						(unsigned long)tmpui);
-				else {
-					unsigned long mid;
-					unsigned long lo;
-					unsigned long hi;
-					lo = tmpui % 010000000000;
-					tmpui /= 010000000000;
-					mid = tmpui % 010000000000;
-					hi = tmpui / 010000000000;
-					if (hi != 0) {
-						sprintf(buf,
-							alt ?  "%#lo" : "%lo",
-							hi);
-						sprintf(buf + strlen(buf),
-							"%lo", mid);
-					} else
-						sprintf(buf,
-							alt ?  "%#lo" : "%lo",
-							mid);
-					sprintf(buf + strlen(buf), "%lo", lo);
-				}
-				goto printint;
-			case 'u':
-				if (q)
-					tmpui = va_arg(ap, isc_uint64_t);
-				else if (l)
-					tmpui = va_arg(ap, unsigned long int);
-				else
-					tmpui = va_arg(ap, unsigned int);
-				if (tmpui <= 0xffffffffU)
-					sprintf(buf, "%lu",
-						(unsigned long)tmpui);
-				else {
-					unsigned long mid;
-					unsigned long lo;
-					unsigned long hi;
-					lo = tmpui % 1000000000;
-					tmpui /= 1000000000;
-					mid = tmpui % 1000000000;
-					hi = tmpui / 1000000000;
-					if (hi != 0)
-						sprintf(buf, "%lu", hi);
-					else
-						buf[0] = '\n';
-					sprintf(buf + strlen(buf), "%lu", mid);
-					sprintf(buf + strlen(buf), "%lu", lo);
-				}
-				goto printint;
-			case 'x':
-				if (q)
-					tmpui = va_arg(ap, isc_uint64_t);
-				else if (l)
-					tmpui = va_arg(ap, unsigned long int);
-				else
-					tmpui = va_arg(ap, unsigned int);
-				if (alt) {
-					head = "0x";
-					if (precision > 2)
-						precision -= 2;
-				}
-				if (tmpui <= 0xffffffffU)
-					sprintf(buf, "%lx",
-						(unsigned long)tmpui);
-				else {
-					unsigned long hi = tmpui>>32;
-					unsigned long lo = tmpui & 0xffffffff;
-					sprintf(buf, "%lx", hi);
-					sprintf(buf + strlen(buf), "%lx", lo);
-				}
-				goto printint;
-			case 'X':
-				if (q)
-					tmpui = va_arg(ap, isc_uint64_t);
-				else if (l)
-					tmpui = va_arg(ap, unsigned long int);
-				else
-					tmpui = va_arg(ap, unsigned int);
-				if (alt) {
-					head = "0X";
-					if (precision > 2)
-						precision -= 2;
-				}
-				if (tmpui <= 0xffffffffU)
-					sprintf(buf, "%lX",
-						(unsigned long)tmpui);
-				else  {
-					unsigned long hi = tmpui>>32;
-					unsigned long lo = tmpui & 0xffffffff;
-					sprintf(buf, "%lX", hi);
-					sprintf(buf + strlen(buf), "%lX", lo);
-				}
-				goto printint;
-			printint:
-				if (precision != 0 || width != 0) {
-					length = strlen(buf);
-					if (length < precision)
-						zeropad = precision - length;
-					else if (length < width && zero)
-						zeropad = width - length;
-					if (width != 0) {
-						pad = width - length -
-						      zeropad - strlen(head);
-						if (pad < 0)
-							pad = 0;
-					}
-				}
-				count += strlen(head) + strlen(buf) + pad +
-					 zeropad;
-				if (!left) {
-					while (pad > 0 && size > 1) {
-						*str++ = ' ';
-						size--;
-						pad--;
-					}
-				}
-				cp = head;
-				while (*cp != '\0' && size > 1) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (zeropad > 0 && size > 1) {
-					*str++ = '0';
-					size--;
-					zeropad--;
-				}
-				cp = buf;
-				while (*cp != '\0' && size > 1) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (pad > 0 && size > 1) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-				break;
-			default:
-				break;
-			}
-			break;
-		case 's':
-			cp = va_arg(ap, char *);
-			REQUIRE(cp != NULL);
-
-			if (precision != 0) {
-				/*
-				 * cp need not be NULL terminated.
-				 */
-				const char *tp;
-				unsigned long n;
-
-				n = precision;
-				tp = cp;
-				while (n != 0 && *tp != '\0')
-					n--, tp++;
-				length = precision - n;
-			} else {
-				length = strlen(cp);
-			}
-			if (width != 0) {
-				pad = width - length;
-				if (pad < 0)
-					pad = 0;
-			}
-			count += pad + length;
-			if (!left)
-				while (pad > 0 && size > 1) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-			if (precision != 0)
-				while (precision > 0 && *cp != '\0' &&
-				       size > 1) {
-					*str++ = *cp++;
-					size--;
-					precision--;
-				}
-			else
-				while (*cp != '\0' && size > 1) {
-					*str++ = *cp++;
-					size--;
-				}
-			while (pad > 0 && size > 1) {
-				*str++ = ' ';
-				size--;
-				pad--;
-			}
-			break;
-		case 'c':
-			c = va_arg(ap, int);
-			if (width > 0) {
-				count += width;
-				width--;
-				if (left && size > 1) {
-					*str++ = c;
-					size--;
-				}
-				while (width-- > 0 && size > 1) {
-					*str++ = ' ';
-					size--;
-				}
-				if (!left && size > 1) {
-					*str++ = c;
-					size--;
-				}
-			} else {
-				count++;
-				if (size > 1) {
-					*str++ = c;
-					size--;
-				}
-			}
-			break;
-		case 'p':
-			v = va_arg(ap, void *);
-			sprintf(buf, "%p", v);
-			length = strlen(buf);
-			if (precision > length)
-				zeropad = precision - length;
-			if (width > 0) {
-				pad = width - length - zeropad;
-				if (pad < 0)
-					pad = 0;
-			}
-			count += length + pad + zeropad;
-			if (!left)
-				while (pad > 0 && size > 1) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-			cp = buf;
-			if (zeropad > 0 && buf[0] == '0' &&
-			    (buf[1] == 'x' || buf[1] == 'X')) {
-				if (size > 1) {
-					*str++ = *cp++;
-					size--;
-				}
-				if (size > 1) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (zeropad > 0 && size > 1) {
-					*str++ = '0';
-					size--;
-					zeropad--;
-				}
-			}
-			while (*cp != '\0' && size > 1) {
-				*str++ = *cp++;
-				size--;
-			}
-			while (pad > 0 && size > 1) {
-				*str++ = ' ';
-				size--;
-				pad--;
-			}
-			break;
-		case 'D':	/*deprecated*/
-			INSIST("use %ld instead of %D" == NULL);
-		case 'O':	/*deprecated*/
-			INSIST("use %lo instead of %O" == NULL);
-		case 'U':	/*deprecated*/
-			INSIST("use %lu instead of %U" == NULL);
-
-		case 'L':
-#ifdef HAVE_LONG_DOUBLE
-			l = 1;
-#else
-			INSIST("long doubles are not supported" == NULL);
-#endif
-			/*FALLTHROUGH*/
-		case 'e':
-		case 'E':
-		case 'f':
-		case 'g':
-		case 'G':
-			if (!dot)
-				precision = 6;
-			/*
-			 * IEEE floating point.
-			 * MIN 2.2250738585072014E-308
-			 * MAX 1.7976931348623157E+308
-			 * VAX floating point has a smaller range than IEEE.
-			 *
-			 * precisions > 324 don't make much sense.
-			 * if we cap the precision at 512 we will not
-			 * overflow buf.
-			 */
-			if (precision > 512)
-				precision = 512;
-			sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
-				plus ? "+" : space ? " " : "",
-				precision, l ? "L" : "", *format);
-			switch (*format) {
-			case 'e':
-			case 'E':
-			case 'f':
-			case 'g':
-			case 'G':
-#ifdef HAVE_LONG_DOUBLE
-				if (l) {
-					ldbl = va_arg(ap, long double);
-					sprintf(buf, fmt, ldbl);
-				} else
-#endif
-				{
-					dbl = va_arg(ap, double);
-					sprintf(buf, fmt, dbl);
-				}
-				length = strlen(buf);
-				if (width > 0) {
-					pad = width - length;
-					if (pad < 0)
-						pad = 0;
-				}
-				count += length + pad;
-				if (!left)
-					while (pad > 0 && size > 1) {
-						*str++ = ' ';
-						size--;
-						pad--;
-					}
-				cp = buf;
-				while (*cp != ' ' && size > 1) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (pad > 0 && size > 1) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-				break;
-			default:
-				continue;
-			}
-			break;
-		default:
-			continue;
-		}
-		format++;
-	}
-	if (size > 0)
-		*str = '\0';
-	return (count);
-}
diff --git a/contrib/bind9/lib/isc/pthreads/Makefile.in b/contrib/bind9/lib/isc/pthreads/Makefile.in
deleted file mode 100644
index 9f66ef3..0000000
--- a/contrib/bind9/lib/isc/pthreads/Makefile.in
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.22 2009/12/05 23:31:41 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-CINCLUDES =	-I${srcdir}/include \
-		-I${srcdir}/../unix/include \
-		-I../include \
-		-I${srcdir}/../include \
-		-I${srcdir}/..
-
-CDEFINES =
-CWARNINGS =
-
-OBJS =		condition.@O@ mutex.@O@ thread.@O@
-
-SRCS =		condition.c mutex.c thread.c
-
-SUBDIRS =	include
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/pthreads/condition.c b/contrib/bind9/lib/isc/pthreads/condition.c
deleted file mode 100644
index 9053cf0..0000000
--- a/contrib/bind9/lib/isc/pthreads/condition.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: condition.c,v 1.36 2007/06/19 23:47:18 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <errno.h>
-
-#include <isc/condition.h>
-#include <isc/msgs.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-isc_result_t
-isc_condition_waituntil(isc_condition_t *c, isc_mutex_t *m, isc_time_t *t) {
-	int presult;
-	isc_result_t result;
-	struct timespec ts;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(c != NULL && m != NULL && t != NULL);
-
-	/*
-	 * POSIX defines a timespec's tv_sec as time_t.
-	 */
-	result = isc_time_secondsastimet(t, &ts.tv_sec);
-
-	/*
-	 * If we have a range error ts.tv_sec is most probably a signed
-	 * 32 bit value.  Set ts.tv_sec to INT_MAX.  This is a kludge.
-	 */
-	if (result == ISC_R_RANGE)
-		ts.tv_sec = INT_MAX;
-	else if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*!
-	 * POSIX defines a timespec's tv_nsec as long.  isc_time_nanoseconds
-	 * ensures its return value is < 1 billion, which will fit in a long.
-	 */
-	ts.tv_nsec = (long)isc_time_nanoseconds(t);
-
-	do {
-#if ISC_MUTEX_PROFILE
-		presult = pthread_cond_timedwait(c, &m->mutex, &ts);
-#else
-		presult = pthread_cond_timedwait(c, m, &ts);
-#endif
-		if (presult == 0)
-			return (ISC_R_SUCCESS);
-		if (presult == ETIMEDOUT)
-			return (ISC_R_TIMEDOUT);
-	} while (presult == EINTR);
-
-	isc__strerror(presult, strbuf, sizeof(strbuf));
-	UNEXPECTED_ERROR(__FILE__, __LINE__,
-			 "pthread_cond_timedwait() %s %s",
-			 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-					ISC_MSG_RETURNED, "returned"),
-			 strbuf);
-	return (ISC_R_UNEXPECTED);
-}
diff --git a/contrib/bind9/lib/isc/pthreads/include/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/Makefile.in
deleted file mode 100644
index 46c243e..0000000
--- a/contrib/bind9/lib/isc/pthreads/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.14 2007/06/19 23:47:18 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
deleted file mode 100644
index 7cadcf4..0000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.16 2007/06/19 23:47:18 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	condition.h mutex.h once.h thread.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/condition.h b/contrib/bind9/lib/isc/pthreads/include/isc/condition.h
deleted file mode 100644
index 04a6118..0000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/condition.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: condition.h,v 1.26 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_CONDITION_H
-#define ISC_CONDITION_H 1
-
-/*! \file */
-
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/result.h>
-#include <isc/types.h>
-
-typedef pthread_cond_t isc_condition_t;
-
-#define isc_condition_init(cp) \
-	((pthread_cond_init((cp), NULL) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#if ISC_MUTEX_PROFILE
-#define isc_condition_wait(cp, mp) \
-	((pthread_cond_wait((cp), &((mp)->mutex)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#else
-#define isc_condition_wait(cp, mp) \
-	((pthread_cond_wait((cp), (mp)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#endif
-
-#define isc_condition_signal(cp) \
-	((pthread_cond_signal((cp)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#define isc_condition_broadcast(cp) \
-	((pthread_cond_broadcast((cp)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#define isc_condition_destroy(cp) \
-	((pthread_cond_destroy((cp)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_condition_waituntil(isc_condition_t *, isc_mutex_t *, isc_time_t *);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_CONDITION_H */
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h b/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h
deleted file mode 100644
index dd7d326..0000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutex.h,v 1.30 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_MUTEX_H
-#define ISC_MUTEX_H 1
-
-/*! \file */
-
-#include <pthread.h>
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/result.h>		/* for ISC_R_ codes */
-
-ISC_LANG_BEGINDECLS
-
-/*!
- * Supply mutex attributes that enable deadlock detection
- * (helpful when debugging).  This is system dependent and
- * currently only supported on NetBSD.
- */
-#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
-extern pthread_mutexattr_t isc__mutex_attrs;
-#define ISC__MUTEX_ATTRS &isc__mutex_attrs
-#else
-#define ISC__MUTEX_ATTRS NULL
-#endif
-
-/* XXX We could do fancier error handling... */
-
-/*!
- * Define ISC_MUTEX_PROFILE to turn on profiling of mutexes by line.  When
- * enabled, isc_mutex_stats() can be used to print a table showing the
- * number of times each type of mutex was locked and the amount of time
- * waiting to obtain the lock.
- */
-#ifndef ISC_MUTEX_PROFILE
-#define ISC_MUTEX_PROFILE 0
-#endif
-
-#if ISC_MUTEX_PROFILE
-typedef struct isc_mutexstats isc_mutexstats_t;
-
-typedef struct {
-	pthread_mutex_t		mutex;	/*%< The actual mutex. */
-	isc_mutexstats_t *	stats;	/*%< Mutex statistics. */
-} isc_mutex_t;
-#else
-typedef pthread_mutex_t	isc_mutex_t;
-#endif
-
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_init(mp) \
-	isc_mutex_init_profile((mp), __FILE__, __LINE__)
-#else
-#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
-#define isc_mutex_init(mp) \
-        isc_mutex_init_errcheck((mp))
-#else
-#define isc_mutex_init(mp) \
-	isc__mutex_init((mp), __FILE__, __LINE__)
-isc_result_t isc__mutex_init(isc_mutex_t *mp, const char *file, unsigned int line);
-#endif
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_lock(mp) \
-	isc_mutex_lock_profile((mp), __FILE__, __LINE__)
-#else
-#define isc_mutex_lock(mp) \
-	((pthread_mutex_lock((mp)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_unlock(mp) \
-	isc_mutex_unlock_profile((mp), __FILE__, __LINE__)
-#else
-#define isc_mutex_unlock(mp) \
-	((pthread_mutex_unlock((mp)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_trylock(mp) \
-	((pthread_mutex_trylock((&(mp)->mutex)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_LOCKBUSY)
-#else
-#define isc_mutex_trylock(mp) \
-	((pthread_mutex_trylock((mp)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_LOCKBUSY)
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_destroy(mp) \
-	((pthread_mutex_destroy((&(mp)->mutex)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#else
-#define isc_mutex_destroy(mp) \
-	((pthread_mutex_destroy((mp)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_stats(fp) isc_mutex_statsprofile(fp);
-#else
-#define isc_mutex_stats(fp)
-#endif
-
-#if ISC_MUTEX_PROFILE
-
-isc_result_t
-isc_mutex_init_profile(isc_mutex_t *mp, const char * _file, int _line);
-isc_result_t
-isc_mutex_lock_profile(isc_mutex_t *mp, const char * _file, int _line);
-isc_result_t
-isc_mutex_unlock_profile(isc_mutex_t *mp, const char * _file, int _line);
-
-void
-isc_mutex_statsprofile(FILE *fp);
-
-isc_result_t
-isc_mutex_init_errcheck(isc_mutex_t *mp);
-
-#endif /* ISC_MUTEX_PROFILE */
-
-ISC_LANG_ENDDECLS
-#endif /* ISC_MUTEX_H */
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/once.h b/contrib/bind9/lib/isc/pthreads/include/isc/once.h
deleted file mode 100644
index 31d76fb..0000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/once.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: once.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_ONCE_H
-#define ISC_ONCE_H 1
-
-/*! \file */
-
-#include <pthread.h>
-
-#include <isc/platform.h>
-#include <isc/result.h>
-
-typedef pthread_once_t isc_once_t;
-
-#ifdef ISC_PLATFORM_BRACEPTHREADONCEINIT
-/*!
- * This accomodates systems that define PTHRAD_ONCE_INIT improperly.
- */
-#define ISC_ONCE_INIT { PTHREAD_ONCE_INIT }
-#else
-/*!
- * This is the usual case.
- */
-#define ISC_ONCE_INIT PTHREAD_ONCE_INIT
-#endif
-
-/* XXX We could do fancier error handling... */
-
-#define isc_once_do(op, f) \
-	((pthread_once((op), (f)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#endif /* ISC_ONCE_H */
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/thread.h b/contrib/bind9/lib/isc/pthreads/include/isc/thread.h
deleted file mode 100644
index 7dcc952..0000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/thread.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: thread.h,v 1.26 2007/06/19 23:47:18 tbox Exp $ */
-
-#ifndef ISC_THREAD_H
-#define ISC_THREAD_H 1
-
-/*! \file */
-
-#include <pthread.h>
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef pthread_t isc_thread_t;
-typedef void * isc_threadresult_t;
-typedef void * isc_threadarg_t;
-typedef isc_threadresult_t (*isc_threadfunc_t)(isc_threadarg_t);
-typedef pthread_key_t isc_thread_key_t;
-
-isc_result_t
-isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
-
-void
-isc_thread_setconcurrency(unsigned int level);
-
-/* XXX We could do fancier error handling... */
-
-#define isc_thread_join(t, rp) \
-	((pthread_join((t), (rp)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#define isc_thread_self \
-	(unsigned long)pthread_self
-
-#define isc_thread_key_create pthread_key_create
-#define isc_thread_key_getspecific pthread_getspecific
-#define isc_thread_key_setspecific pthread_setspecific
-#define isc_thread_key_delete pthread_key_delete
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_THREAD_H */
diff --git a/contrib/bind9/lib/isc/pthreads/mutex.c b/contrib/bind9/lib/isc/pthreads/mutex.c
deleted file mode 100644
index c7e5795..0000000
--- a/contrib/bind9/lib/isc/pthreads/mutex.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutex.c,v 1.18 2011/01/04 23:47:14 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <time.h>
-#include <sys/time.h>
-#include <errno.h>
-
-#include <isc/mutex.h>
-#include <isc/util.h>
-#include <isc/strerror.h>
-
-#if ISC_MUTEX_PROFILE
-
-/*@{*/
-/*% Operations on timevals; adapted from FreeBSD's sys/time.h */
-#define timevalclear(tvp)      ((tvp)->tv_sec = (tvp)->tv_usec = 0)
-#define timevaladd(vvp, uvp)                                            \
-	do {                                                            \
-		(vvp)->tv_sec += (uvp)->tv_sec;                         \
-		(vvp)->tv_usec += (uvp)->tv_usec;                       \
-		if ((vvp)->tv_usec >= 1000000) {                        \
-			(vvp)->tv_sec++;                                \
-			(vvp)->tv_usec -= 1000000;                      \
-		}                                                       \
-	} while (0)
-#define timevalsub(vvp, uvp)                                            \
-	do {                                                            \
-		(vvp)->tv_sec -= (uvp)->tv_sec;                         \
-		(vvp)->tv_usec -= (uvp)->tv_usec;                       \
-		if ((vvp)->tv_usec < 0) {                               \
-			(vvp)->tv_sec--;                                \
-			(vvp)->tv_usec += 1000000;                      \
-		}                                                       \
-	} while (0)
-
-/*@}*/
-
-#define ISC_MUTEX_MAX_LOCKERS 32
-
-typedef struct {
-	const char *		file;
-	int			line;
-	unsigned		count;
-	struct timeval		locked_total;
-	struct timeval		wait_total;
-} isc_mutexlocker_t;
-
-struct isc_mutexstats {
-	const char *		file;	/*%< File mutex was created in. */
-	int 			line;	/*%< Line mutex was created on. */
-	unsigned		count;
-	struct timeval		lock_t;
-	struct timeval		locked_total;
-	struct timeval		wait_total;
-	isc_mutexlocker_t *	cur_locker;
-	isc_mutexlocker_t	lockers[ISC_MUTEX_MAX_LOCKERS];
-};
-
-#ifndef ISC_MUTEX_PROFTABLESIZE
-#define ISC_MUTEX_PROFTABLESIZE (1024 * 1024)
-#endif
-static isc_mutexstats_t stats[ISC_MUTEX_PROFTABLESIZE];
-static int stats_next = 0;
-static isc_boolean_t stats_init = ISC_FALSE;
-static pthread_mutex_t statslock = PTHREAD_MUTEX_INITIALIZER;
-
-
-isc_result_t
-isc_mutex_init_profile(isc_mutex_t *mp, const char *file, int line) {
-	int i, err;
-
-	err = pthread_mutex_init(&mp->mutex, NULL);
-	if (err == ENOMEM)
-		return (ISC_R_NOMEMORY);
-	if (err != 0)
-		return (ISC_R_UNEXPECTED);
-
-	RUNTIME_CHECK(pthread_mutex_lock(&statslock) == 0);
-
-	if (stats_init == ISC_FALSE)
-		stats_init = ISC_TRUE;
-
-	/*
-	 * If all statistics entries have been used, give up and trigger an
-	 * assertion failure.  There would be no other way to deal with this
-	 * because we'd like to keep record of all locks for the purpose of
-	 * debugging and the number of necessary locks is unpredictable.
-	 * If this failure is triggered while debugging, named should be
-	 * rebuilt with an increased ISC_MUTEX_PROFTABLESIZE.
-	 */
-	RUNTIME_CHECK(stats_next < ISC_MUTEX_PROFTABLESIZE);
-	mp->stats = &stats[stats_next++];
-
-	RUNTIME_CHECK(pthread_mutex_unlock(&statslock) == 0);
-
-	mp->stats->file = file;
-	mp->stats->line = line;
-	mp->stats->count = 0;
-	timevalclear(&mp->stats->locked_total);
-	timevalclear(&mp->stats->wait_total);
-	for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
-		mp->stats->lockers[i].file = NULL;
-		mp->stats->lockers[i].line = 0;
-		mp->stats->lockers[i].count = 0;
-		timevalclear(&mp->stats->lockers[i].locked_total);
-		timevalclear(&mp->stats->lockers[i].wait_total);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_mutex_lock_profile(isc_mutex_t *mp, const char *file, int line) {
-	struct timeval prelock_t;
-	struct timeval postlock_t;
-	isc_mutexlocker_t *locker = NULL;
-	int i;
-
-	gettimeofday(&prelock_t, NULL);
-
-	if (pthread_mutex_lock(&mp->mutex) != 0)
-		return (ISC_R_UNEXPECTED);
-
-	gettimeofday(&postlock_t, NULL);
-	mp->stats->lock_t = postlock_t;
-
-	timevalsub(&postlock_t, &prelock_t);
-
-	mp->stats->count++;
-	timevaladd(&mp->stats->wait_total, &postlock_t);
-
-	for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
-		if (mp->stats->lockers[i].file == NULL) {
-			locker = &mp->stats->lockers[i];
-			locker->file = file;
-			locker->line = line;
-			break;
-		} else if (mp->stats->lockers[i].file == file &&
-			   mp->stats->lockers[i].line == line) {
-			locker = &mp->stats->lockers[i];
-			break;
-		}
-	}
-
-	if (locker != NULL) {
-		locker->count++;
-		timevaladd(&locker->wait_total, &postlock_t);
-	}
-
-	mp->stats->cur_locker = locker;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_mutex_unlock_profile(isc_mutex_t *mp, const char *file, int line) {
-	struct timeval unlock_t;
-
-	UNUSED(file);
-	UNUSED(line);
-
-	if (mp->stats->cur_locker != NULL) {
-		gettimeofday(&unlock_t, NULL);
-		timevalsub(&unlock_t, &mp->stats->lock_t);
-		timevaladd(&mp->stats->locked_total, &unlock_t);
-		timevaladd(&mp->stats->cur_locker->locked_total, &unlock_t);
-		mp->stats->cur_locker = NULL;
-	}
-
-	return ((pthread_mutex_unlock((&mp->mutex)) == 0) ? \
-		ISC_R_SUCCESS : ISC_R_UNEXPECTED);
-}
-
-
-void
-isc_mutex_statsprofile(FILE *fp) {
-	isc_mutexlocker_t *locker;
-	int i, j;
-
-	fprintf(fp, "Mutex stats (in us)\n");
-	for (i = 0; i < stats_next; i++) {
-		fprintf(fp, "%-12s %4d: %10u  %lu.%06lu %lu.%06lu %5d\n",
-			stats[i].file, stats[i].line, stats[i].count,
-			stats[i].locked_total.tv_sec,
-			stats[i].locked_total.tv_usec,
-			stats[i].wait_total.tv_sec,
-			stats[i].wait_total.tv_usec,
-			i);
-		for (j = 0; j < ISC_MUTEX_MAX_LOCKERS; j++) {
-			locker = &stats[i].lockers[j];
-			if (locker->file == NULL)
-				continue;
-			fprintf(fp, " %-11s %4d: %10u  %lu.%06lu %lu.%06lu %5d\n",
-				locker->file, locker->line, locker->count,
-				locker->locked_total.tv_sec,
-				locker->locked_total.tv_usec,
-				locker->wait_total.tv_sec,
-				locker->wait_total.tv_usec,
-				i);
-		}
-	}
-}
-
-#endif /* ISC_MUTEX_PROFILE */
-
-#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
-isc_result_t
-isc_mutex_init_errcheck(isc_mutex_t *mp)
-{
-	pthread_mutexattr_t attr;
-	int err;
-
-	if (pthread_mutexattr_init(&attr) != 0)
-		return (ISC_R_UNEXPECTED);
-
-	if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0) {
-		pthread_mutexattr_destroy(&attr);
-		return (ISC_R_UNEXPECTED);
-	}
-
-	err = pthread_mutex_init(mp, &attr) != 0)
-	pthread_mutexattr_destroy(&attr);
-	if (err == ENOMEM)
-		return (ISC_R_NOMEMORY);
-	return ((err == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED);
-}
-#endif
-
-#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
-pthread_mutexattr_t isc__mutex_attrs = {
-	PTHREAD_MUTEX_ERRORCHECK,	/* m_type */
-	0				/* m_flags, which appears to be unused. */
-};
-#endif
-
-#if !(ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)) && !ISC_MUTEX_PROFILE
-isc_result_t
-isc__mutex_init(isc_mutex_t *mp, const char *file, unsigned int line) {
-	char strbuf[ISC_STRERRORSIZE];
-	isc_result_t result = ISC_R_SUCCESS;
-	int err;
-
-	err = pthread_mutex_init(mp, ISC__MUTEX_ATTRS);
-	if (err == ENOMEM)
-		return (ISC_R_NOMEMORY);
-	if (err != 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(file, line, "isc_mutex_init() failed: %s",
-				 strbuf);
-		result = ISC_R_UNEXPECTED;
-	}
-	return (result);
-}
-#endif
diff --git a/contrib/bind9/lib/isc/pthreads/thread.c b/contrib/bind9/lib/isc/pthreads/thread.c
deleted file mode 100644
index 1b250fa..0000000
--- a/contrib/bind9/lib/isc/pthreads/thread.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: thread.c,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#ifndef THREAD_MINSTACKSIZE
-#define THREAD_MINSTACKSIZE		(1024U * 1024)
-#endif
-
-isc_result_t
-isc_thread_create(isc_threadfunc_t func, isc_threadarg_t arg,
-		  isc_thread_t *thread)
-{
-	pthread_attr_t attr;
-	size_t stacksize;
-	int ret;
-
-	pthread_attr_init(&attr);
-
-#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
-    defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
-	ret = pthread_attr_getstacksize(&attr, &stacksize);
-	if (ret != 0)
-		return (ISC_R_UNEXPECTED);
-
-	if (stacksize < THREAD_MINSTACKSIZE) {
-		ret = pthread_attr_setstacksize(&attr, THREAD_MINSTACKSIZE);
-		if (ret != 0)
-			return (ISC_R_UNEXPECTED);
-	}
-#endif
-
-#if defined(PTHREAD_SCOPE_SYSTEM) && defined(NEED_PTHREAD_SCOPE_SYSTEM)
-	ret = pthread_attr_setscope(&attr, PTHREAD_SCOPE_SYSTEM);
-	if (ret != 0)
-		return (ISC_R_UNEXPECTED);
-#endif
-
-	ret = pthread_create(thread, &attr, func, arg);
-	if (ret != 0)
-		return (ISC_R_UNEXPECTED);
-
-	pthread_attr_destroy(&attr);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_thread_setconcurrency(unsigned int level) {
-#if defined(CALL_PTHREAD_SETCONCURRENCY)
-	(void)pthread_setconcurrency(level);
-#else
-	UNUSED(level);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/quota.c b/contrib/bind9/lib/isc/quota.c
deleted file mode 100644
index 5e5c50c..0000000
--- a/contrib/bind9/lib/isc/quota.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: quota.c,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/quota.h>
-#include <isc/util.h>
-
-isc_result_t
-isc_quota_init(isc_quota_t *quota, int max) {
-	quota->max = max;
-	quota->used = 0;
-	quota->soft = 0;
-	return (isc_mutex_init(&quota->lock));
-}
-
-void
-isc_quota_destroy(isc_quota_t *quota) {
-	INSIST(quota->used == 0);
-	quota->max = 0;
-	quota->used = 0;
-	quota->soft = 0;
-	DESTROYLOCK(&quota->lock);
-}
-
-void
-isc_quota_soft(isc_quota_t *quota, int soft) {
-	LOCK(&quota->lock);
-	quota->soft = soft;
-	UNLOCK(&quota->lock);
-}
-
-void
-isc_quota_max(isc_quota_t *quota, int max) {
-	LOCK(&quota->lock);
-	quota->max = max;
-	UNLOCK(&quota->lock);
-}
-
-isc_result_t
-isc_quota_reserve(isc_quota_t *quota) {
-	isc_result_t result;
-	LOCK(&quota->lock);
-	if (quota->max == 0 || quota->used < quota->max) {
-		if (quota->soft == 0 || quota->used < quota->soft)
-			result = ISC_R_SUCCESS;
-		else
-			result = ISC_R_SOFTQUOTA;
-		quota->used++;
-	} else
-		result = ISC_R_QUOTA;
-	UNLOCK(&quota->lock);
-	return (result);
-}
-
-void
-isc_quota_release(isc_quota_t *quota) {
-	LOCK(&quota->lock);
-	INSIST(quota->used > 0);
-	quota->used--;
-	UNLOCK(&quota->lock);
-}
-
-isc_result_t
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
-{
-	isc_result_t result;
-	INSIST(p != NULL && *p == NULL);
-	result = isc_quota_reserve(quota);
-	if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
-		*p = quota;
-	return (result);
-}
-
-void
-isc_quota_detach(isc_quota_t **p)
-{
-	INSIST(p != NULL && *p != NULL);
-	isc_quota_release(*p);
-	*p = NULL;
-}
diff --git a/contrib/bind9/lib/isc/radix.c b/contrib/bind9/lib/isc/radix.c
deleted file mode 100644
index 3508878..0000000
--- a/contrib/bind9/lib/isc/radix.c
+++ /dev/null
@@ -1,707 +0,0 @@
-/*
- * Copyright (C) 2007-2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*
- * This source was adapted from MRT's RCS Ids:
- * Id: radix.c,v 1.10.2.1 1999/11/29 05:16:24 masaki Exp
- * Id: prefix.c,v 1.37.2.9 2000/03/10 02:53:19 labovit Exp
- */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/types.h>
-#include <isc/util.h>
-#include <isc/radix.h>
-
-static isc_result_t
-_new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family,
-	    void *dest, int bitlen);
-
-static void
-_deref_prefix(isc_prefix_t *prefix);
-
-static isc_result_t
-_ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix);
-
-static int
-_comp_with_mask(void *addr, void *dest, u_int mask);
-
-static void
-_clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func);
-
-static isc_result_t
-_new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family, void *dest,
-	    int bitlen)
-{
-	isc_prefix_t *prefix;
-
-	REQUIRE(target != NULL);
-
-	if (family != AF_INET6 && family != AF_INET && family != AF_UNSPEC)
-		return (ISC_R_NOTIMPLEMENTED);
-
-	prefix = isc_mem_get(mctx, sizeof(isc_prefix_t));
-	if (prefix == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if (family == AF_INET6) {
-		prefix->bitlen = (bitlen >= 0) ? bitlen : 128;
-		memcpy(&prefix->add.sin6, dest, 16);
-	} else {
-		/* AF_UNSPEC is "any" or "none"--treat it as AF_INET */
-		prefix->bitlen = (bitlen >= 0) ? bitlen : 32;
-		memcpy(&prefix->add.sin, dest, 4);
-	}
-
-	prefix->family = family;
-	prefix->mctx = NULL;
-	isc_mem_attach(mctx, &prefix->mctx);
-
-	isc_refcount_init(&prefix->refcount, 1);
-
-	*target = prefix;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-_deref_prefix(isc_prefix_t *prefix) {
-	int refs;
-
-	if (prefix == NULL)
-		return;
-
-	isc_refcount_decrement(&prefix->refcount, &refs);
-
-	if (refs <= 0) {
-		isc_refcount_destroy(&prefix->refcount);
-		isc_mem_putanddetach(&prefix->mctx, prefix,
-				     sizeof(isc_prefix_t));
-	}
-}
-
-static isc_result_t
-_ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix) {
-	INSIST(prefix != NULL);
-	INSIST((prefix->family == AF_INET && prefix->bitlen <= 32) ||
-	       (prefix->family == AF_INET6 && prefix->bitlen <= 128) ||
-	       (prefix->family == AF_UNSPEC && prefix->bitlen == 0));
-	REQUIRE(target != NULL && *target == NULL);
-
-	/*
-	 * If this prefix is a static allocation, copy it into new memory.
-	 * (Note, the refcount still has to be destroyed by the calling
-	 * routine.)
-	 */
-	if (isc_refcount_current(&prefix->refcount) == 0) {
-		isc_result_t ret;
-		ret = _new_prefix(mctx, target, prefix->family,
-				  &prefix->add, prefix->bitlen);
-		return (ret);
-	}
-
-	isc_refcount_increment(&prefix->refcount, NULL);
-
-	*target = prefix;
-	return (ISC_R_SUCCESS);
-}
-
-static int
-_comp_with_mask(void *addr, void *dest, u_int mask) {
-
-	/* Mask length of zero matches everything */
-	if (mask == 0)
-		return (1);
-
-	if (memcmp(addr, dest, mask / 8) == 0) {
-		int n = mask / 8;
-		int m = ((~0) << (8 - (mask % 8)));
-
-		if ((mask % 8) == 0 ||
-		    (((u_char *)addr)[n] & m) == (((u_char *)dest)[n] & m))
-			return (1);
-	}
-	return (0);
-}
-
-isc_result_t
-isc_radix_create(isc_mem_t *mctx, isc_radix_tree_t **target, int maxbits) {
-	isc_radix_tree_t *radix;
-
-	REQUIRE(target != NULL && *target == NULL);
-
-	radix = isc_mem_get(mctx, sizeof(isc_radix_tree_t));
-	if (radix == NULL)
-		return (ISC_R_NOMEMORY);
-
-	radix->mctx = NULL;
-	isc_mem_attach(mctx, &radix->mctx);
-	radix->maxbits = maxbits;
-	radix->head = NULL;
-	radix->num_active_node = 0;
-	radix->num_added_node = 0;
-	RUNTIME_CHECK(maxbits <= RADIX_MAXBITS); /* XXX */
-	radix->magic = RADIX_TREE_MAGIC;
-	*target = radix;
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * if func is supplied, it will be called as func(node->data)
- * before deleting the node
- */
-
-static void
-_clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func) {
-
-	REQUIRE(radix != NULL);
-
-	if (radix->head != NULL) {
-		isc_radix_node_t *Xstack[RADIX_MAXBITS+1];
-		isc_radix_node_t **Xsp = Xstack;
-		isc_radix_node_t *Xrn = radix->head;
-
-		while (Xrn != NULL) {
-			isc_radix_node_t *l = Xrn->l;
-			isc_radix_node_t *r = Xrn->r;
-
-			if (Xrn->prefix != NULL) {
-				_deref_prefix(Xrn->prefix);
-				if (func != NULL && (Xrn->data[0] != NULL ||
-						     Xrn->data[1] != NULL))
-					func(Xrn->data);
-			} else {
-				INSIST(Xrn->data[0] == NULL &&
-				       Xrn->data[1] == NULL);
-			}
-
-			isc_mem_put(radix->mctx, Xrn, sizeof(*Xrn));
-			radix->num_active_node--;
-
-			if (l != NULL) {
-				if (r != NULL) {
-					*Xsp++ = r;
-				}
-				Xrn = l;
-			} else if (r != NULL) {
-				Xrn = r;
-			} else if (Xsp != Xstack) {
-				Xrn = *(--Xsp);
-			} else {
-				Xrn = NULL;
-			}
-		}
-	}
-	RUNTIME_CHECK(radix->num_active_node == 0);
-}
-
-
-void
-isc_radix_destroy(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func) {
-	REQUIRE(radix != NULL);
-	_clear_radix(radix, func);
-	isc_mem_putanddetach(&radix->mctx, radix, sizeof(*radix));
-}
-
-
-/*
- * func will be called as func(node->prefix, node->data)
- */
-void
-isc_radix_process(isc_radix_tree_t *radix, isc_radix_processfunc_t func) {
-	isc_radix_node_t *node;
-
-	REQUIRE(func != NULL);
-
-	RADIX_WALK(radix->head, node) {
-		func(node->prefix, node->data);
-	} RADIX_WALK_END;
-}
-
-
-isc_result_t
-isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target,
-		 isc_prefix_t *prefix)
-{
-	isc_radix_node_t *node;
-	isc_radix_node_t *stack[RADIX_MAXBITS + 1];
-	u_char *addr;
-	isc_uint32_t bitlen;
-	int tfamily = -1;
-	int cnt = 0;
-
-	REQUIRE(radix != NULL);
-	REQUIRE(prefix != NULL);
-	REQUIRE(target != NULL && *target == NULL);
-	RUNTIME_CHECK(prefix->bitlen <= radix->maxbits);
-
-	*target = NULL;
-
-	if (radix->head == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-
-	node = radix->head;
-	addr = isc_prefix_touchar(prefix);
-	bitlen = prefix->bitlen;
-
-	while (node->bit < bitlen) {
-		if (node->prefix)
-			stack[cnt++] = node;
-
-		if (BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
-			node = node->r;
-		else
-			node = node->l;
-
-		if (node == NULL)
-			break;
-	}
-
-	if (node && node->prefix)
-		stack[cnt++] = node;
-
-	while (cnt-- > 0) {
-		node = stack[cnt];
-
-		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
-				    isc_prefix_tochar(prefix),
-				    node->prefix->bitlen)) {
-			if (node->node_num[ISC_IS6(prefix->family)] != -1 &&
-				 ((*target == NULL) ||
-				  (*target)->node_num[ISC_IS6(tfamily)] >
-				   node->node_num[ISC_IS6(prefix->family)])) {
-				*target = node;
-				tfamily = prefix->family;
-			}
-		}
-	}
-
-	if (*target == NULL) {
-		return (ISC_R_NOTFOUND);
-	} else {
-		return (ISC_R_SUCCESS);
-	}
-}
-
-isc_result_t
-isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target,
-		 isc_radix_node_t *source, isc_prefix_t *prefix)
-{
-	isc_radix_node_t *node, *new_node, *parent, *glue = NULL;
-	u_char *addr, *test_addr;
-	isc_uint32_t bitlen, fam, check_bit, differ_bit;
-	isc_uint32_t i, j, r;
-	isc_result_t result;
-
-	REQUIRE(radix != NULL);
-	REQUIRE(target != NULL && *target == NULL);
-	REQUIRE(prefix != NULL || (source != NULL && source->prefix != NULL));
-	RUNTIME_CHECK(prefix == NULL || prefix->bitlen <= radix->maxbits);
-
-	if (prefix == NULL)
-		prefix = source->prefix;
-
-	INSIST(prefix != NULL);
-
-	bitlen = prefix->bitlen;
-	fam = prefix->family;
-
-	if (radix->head == NULL) {
-		node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
-		if (node == NULL)
-			return (ISC_R_NOMEMORY);
-		node->bit = bitlen;
-		node->node_num[0] = node->node_num[1] = -1;
-		node->prefix = NULL;
-		result = _ref_prefix(radix->mctx, &node->prefix, prefix);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(radix->mctx, node,
-				    sizeof(isc_radix_node_t));
-			return (result);
-		}
-		node->parent = NULL;
-		node->l = node->r = NULL;
-		if (source != NULL) {
-			/*
-			 * If source is non-NULL, then we're merging in a
-			 * node from an existing radix tree.  To keep
-			 * the node_num values consistent, the calling
-			 * function will add the total number of nodes
-			 * added to num_added_node at the end of
-			 * the merge operation--we don't do it here.
-			 */
-			if (source->node_num[0] != -1)
-				node->node_num[0] = radix->num_added_node +
-						    source->node_num[0];
-			if (source->node_num[1] != -1)
-				node->node_num[1] = radix->num_added_node +
-						    source->node_num[1];
-			node->data[0] = source->data[0];
-			node->data[1] = source->data[1];
-		} else {
-			if (fam == AF_UNSPEC) {
-				/* "any" or "none" */
-				node->node_num[0] = node->node_num[1] =
-					++radix->num_added_node;
-			} else {
-				node->node_num[ISC_IS6(fam)] =
-					++radix->num_added_node;
-			}
-			node->data[0] = NULL;
-			node->data[1] = NULL;
-		}
-		radix->head = node;
-		radix->num_active_node++;
-		*target = node;
-		return (ISC_R_SUCCESS);
-	}
-
-	addr = isc_prefix_touchar(prefix);
-	node = radix->head;
-
-	while (node->bit < bitlen || node->prefix == NULL) {
-		if (node->bit < radix->maxbits &&
-		    BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
-		{
-			if (node->r == NULL)
-				break;
-			node = node->r;
-		} else {
-			if (node->l == NULL)
-				break;
-			node = node->l;
-		}
-
-		INSIST(node != NULL);
-	}
-
-	INSIST(node->prefix != NULL);
-
-	test_addr = isc_prefix_touchar(node->prefix);
-	/* Find the first bit different. */
-	check_bit = (node->bit < bitlen) ? node->bit : bitlen;
-	differ_bit = 0;
-	for (i = 0; i*8 < check_bit; i++) {
-		if ((r = (addr[i] ^ test_addr[i])) == 0) {
-			differ_bit = (i + 1) * 8;
-			continue;
-		}
-		/* I know the better way, but for now. */
-		for (j = 0; j < 8; j++) {
-			if (BIT_TEST (r, (0x80 >> j)))
-				break;
-		}
-		/* Must be found. */
-		INSIST(j < 8);
-		differ_bit = i * 8 + j;
-		break;
-	}
-
-	if (differ_bit > check_bit)
-		differ_bit = check_bit;
-
-	parent = node->parent;
-	while (parent != NULL && parent->bit >= differ_bit) {
-		node = parent;
-		parent = node->parent;
-	}
-
-	if (differ_bit == bitlen && node->bit == bitlen) {
-		if (node->prefix != NULL) {
-			/* Set node_num only if it hasn't been set before */
-			if (source != NULL) {
-				/* Merging node */
-				if (node->node_num[0] == -1 &&
-				    source->node_num[0] != -1) {
-					node->node_num[0] =
-						radix->num_added_node +
-						source->node_num[0];
-					node->data[0] = source->data[0];
-				}
-				if (node->node_num[1] == -1 &&
-				    source->node_num[0] != -1) {
-					node->node_num[1] =
-						radix->num_added_node +
-						source->node_num[1];
-					node->data[1] = source->data[1];
-				}
-			} else {
-				if (fam == AF_UNSPEC) {
-					/* "any" or "none" */
-					int next = radix->num_added_node + 1;
-					if (node->node_num[0] == -1) {
-						node->node_num[0] = next;
-						radix->num_added_node = next;
-					}
-					if (node->node_num[1] == -1) {
-						node->node_num[1] = next;
-						radix->num_added_node = next;
-					}
-				} else {
-					if (node->node_num[ISC_IS6(fam)] == -1)
-						node->node_num[ISC_IS6(fam)]
-						   = ++radix->num_added_node;
-				}
-			}
-			*target = node;
-			return (ISC_R_SUCCESS);
-		} else {
-			result = _ref_prefix(radix->mctx,
-					     &node->prefix, prefix);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		}
-		INSIST(node->data[0] == NULL && node->node_num[0] == -1 &&
-		       node->data[1] == NULL && node->node_num[1] == -1);
-		if (source != NULL) {
-			/* Merging node */
-			if (source->node_num[0] != -1) {
-				node->node_num[0] = radix->num_added_node +
-						    source->node_num[0];
-				node->data[0] = source->data[0];
-			}
-			if (source->node_num[1] != -1) {
-				node->node_num[1] = radix->num_added_node +
-						    source->node_num[1];
-				node->data[1] = source->data[1];
-			}
-		} else {
-			if (fam == AF_UNSPEC) {
-				/* "any" or "none" */
-				node->node_num[0] = node->node_num[1] =
-					++radix->num_added_node;
-			} else {
-				node->node_num[ISC_IS6(fam)] =
-					++radix->num_added_node;
-			}
-		}
-		*target = node;
-		return (ISC_R_SUCCESS);
-	}
-
-	new_node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
-	if (new_node == NULL)
-		return (ISC_R_NOMEMORY);
-	if (node->bit != differ_bit && bitlen != differ_bit) {
-		glue = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
-		if (glue == NULL) {
-			isc_mem_put(radix->mctx, new_node,
-				    sizeof(isc_radix_node_t));
-			return (ISC_R_NOMEMORY);
-		}
-	}
-	new_node->bit = bitlen;
-	new_node->prefix = NULL;
-	result = _ref_prefix(radix->mctx, &new_node->prefix, prefix);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(radix->mctx, new_node, sizeof(isc_radix_node_t));
-		if (glue != NULL)
-			isc_mem_put(radix->mctx, glue,
-				    sizeof(isc_radix_node_t));
-		return (result);
-	}
-	new_node->parent = NULL;
-	new_node->l = new_node->r = NULL;
-	new_node->node_num[0] = new_node->node_num[1] = -1;
-	radix->num_active_node++;
-
-	if (source != NULL) {
-		/* Merging node */
-		if (source->node_num[0] != -1)
-			new_node->node_num[0] = radix->num_added_node +
-						source->node_num[0];
-		if (source->node_num[1] != -1)
-			new_node->node_num[1] = radix->num_added_node +
-						source->node_num[1];
-		new_node->data[0] = source->data[0];
-		new_node->data[1] = source->data[1];
-	} else {
-		if (fam == AF_UNSPEC) {
-			/* "any" or "none" */
-			new_node->node_num[0] = new_node->node_num[1] =
-				++radix->num_added_node;
-		} else {
-			new_node->node_num[ISC_IS6(fam)] =
-				++radix->num_added_node;
-		}
-		new_node->data[0] = NULL;
-		new_node->data[1] = NULL;
-	}
-
-	if (node->bit == differ_bit) {
-		INSIST(glue == NULL);
-		new_node->parent = node;
-		if (node->bit < radix->maxbits &&
-		    BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
-		{
-			INSIST(node->r == NULL);
-			node->r = new_node;
-		} else {
-			INSIST(node->l == NULL);
-			node->l = new_node;
-		}
-		*target = new_node;
-		return (ISC_R_SUCCESS);
-	}
-
-	if (bitlen == differ_bit) {
-		INSIST(glue == NULL);
-		if (bitlen < radix->maxbits &&
-		    BIT_TEST(test_addr[bitlen >> 3], 0x80 >> (bitlen & 0x07))) {
-			new_node->r = node;
-		} else {
-			new_node->l = node;
-		}
-		new_node->parent = node->parent;
-		if (node->parent == NULL) {
-			INSIST(radix->head == node);
-			radix->head = new_node;
-		} else if (node->parent->r == node) {
-			node->parent->r = new_node;
-		} else {
-			node->parent->l = new_node;
-		}
-		node->parent = new_node;
-	} else {
-		INSIST(glue != NULL);
-		glue->bit = differ_bit;
-		glue->prefix = NULL;
-		glue->parent = node->parent;
-		glue->data[0] = glue->data[1] = NULL;
-		glue->node_num[0] = glue->node_num[1] = -1;
-		radix->num_active_node++;
-		if (differ_bit < radix->maxbits &&
-		    BIT_TEST(addr[differ_bit>>3], 0x80 >> (differ_bit & 07))) {
-			glue->r = new_node;
-			glue->l = node;
-		} else {
-			glue->r = node;
-			glue->l = new_node;
-		}
-		new_node->parent = glue;
-
-		if (node->parent == NULL) {
-			INSIST(radix->head == node);
-			radix->head = glue;
-		} else if (node->parent->r == node) {
-			node->parent->r = glue;
-		} else {
-			node->parent->l = glue;
-		}
-		node->parent = glue;
-	}
-
-	*target = new_node;
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node) {
-	isc_radix_node_t *parent, *child;
-
-	REQUIRE(radix != NULL);
-	REQUIRE(node != NULL);
-
-	if (node->r && node->l) {
-		/*
-		 * This might be a placeholder node -- have to check and
-		 * make sure there is a prefix associated with it!
-		 */
-		if (node->prefix != NULL)
-			_deref_prefix(node->prefix);
-
-		node->prefix = NULL;
-		node->data[0] = node->data[1] = NULL;
-		return;
-	}
-
-	if (node->r == NULL && node->l == NULL) {
-		parent = node->parent;
-		_deref_prefix(node->prefix);
-		isc_mem_put(radix->mctx, node, sizeof(*node));
-		radix->num_active_node--;
-
-		if (parent == NULL) {
-			INSIST(radix->head == node);
-			radix->head = NULL;
-			return;
-		}
-
-		if (parent->r == node) {
-			parent->r = NULL;
-			child = parent->l;
-		} else {
-			INSIST(parent->l == node);
-			parent->l = NULL;
-			child = parent->r;
-		}
-
-		if (parent->prefix)
-			return;
-
-		/* We need to remove parent too. */
-
-		if (parent->parent == NULL) {
-			INSIST(radix->head == parent);
-			radix->head = child;
-		} else if (parent->parent->r == parent) {
-			parent->parent->r = child;
-		} else {
-			INSIST(parent->parent->l == parent);
-			parent->parent->l = child;
-		}
-		child->parent = parent->parent;
-		isc_mem_put(radix->mctx, parent, sizeof(*parent));
-		radix->num_active_node--;
-		return;
-	}
-
-	if (node->r) {
-		child = node->r;
-	} else {
-		INSIST(node->l != NULL);
-		child = node->l;
-	}
-	parent = node->parent;
-	child->parent = parent;
-
-	_deref_prefix(node->prefix);
-	isc_mem_put(radix->mctx, node, sizeof(*node));
-	radix->num_active_node--;
-
-	if (parent == NULL) {
-		INSIST(radix->head == node);
-		radix->head = child;
-		return;
-	}
-
-	if (parent->r == node) {
-		parent->r = child;
-	} else {
-		INSIST(parent->l == node);
-		parent->l = child;
-	}
-}
-
-/*
-Local Variables:
-c-basic-offset: 4
-indent-tabs-mode: t
-End:
-*/
diff --git a/contrib/bind9/lib/isc/random.c b/contrib/bind9/lib/isc/random.c
deleted file mode 100644
index 8b73ed5..0000000
--- a/contrib/bind9/lib/isc/random.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: random.c,v 1.28 2009/07/16 05:52:46 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <time.h>		/* Required for time(). */
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/random.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-static isc_once_t once = ISC_ONCE_INIT;
-
-static void
-initialize_rand(void)
-{
-#ifndef HAVE_ARC4RANDOM
-	unsigned int pid = getpid();
-
-	/*
-	 * The low bits of pid generally change faster.
-	 * Xor them with the high bits of time which change slowly.
-	 */
-	pid = ((pid << 16) & 0xffff0000) | ((pid >> 16) & 0xffff);
-
-	srand(time(NULL) ^ pid);
-#endif
-}
-
-static void
-initialize(void)
-{
-	RUNTIME_CHECK(isc_once_do(&once, initialize_rand) == ISC_R_SUCCESS);
-}
-
-void
-isc_random_seed(isc_uint32_t seed)
-{
-	initialize();
-
-#ifndef HAVE_ARC4RANDOM
-	srand(seed);
-#else
-	arc4random_addrandom((u_char *) &seed, sizeof(isc_uint32_t));
-#endif
-}
-
-void
-isc_random_get(isc_uint32_t *val)
-{
-	REQUIRE(val != NULL);
-
-	initialize();
-
-#ifndef HAVE_ARC4RANDOM
-	/*
-	 * rand()'s lower bits are not random.
-	 * rand()'s upper bit is zero.
-	 */
-#if RAND_MAX >= 0xfffff
-	/* We have at least 20 bits.  Use lower 16 excluding lower most 4 */
-	*val = ((rand() >> 4) & 0xffff) | ((rand() << 12) & 0xffff0000);
-#elif RAND_MAX >= 0x7fff
-	/* We have at least 15 bits.  Use lower 10/11 excluding lower most 4 */
-	*val = ((rand() >> 4) & 0x000007ff) | ((rand() << 7) & 0x003ff800) |
-		((rand() << 18) & 0xffc00000);
-#else
-#error RAND_MAX is too small
-#endif
-#else
-	*val = arc4random();
-#endif
-}
-
-isc_uint32_t
-isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter) {
-	isc_uint32_t rnd;
-
-	REQUIRE(jitter < max || (jitter == 0 && max == 0));
-
-	if (jitter == 0)
-		return (max);
-
-	isc_random_get(&rnd);
-	return (max - rnd % jitter);
-}
diff --git a/contrib/bind9/lib/isc/ratelimiter.c b/contrib/bind9/lib/isc/ratelimiter.c
deleted file mode 100644
index fc66e9f..0000000
--- a/contrib/bind9/lib/isc/ratelimiter.c
+++ /dev/null
@@ -1,329 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ratelimiter.c,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/ratelimiter.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-typedef enum {
-	isc_ratelimiter_stalled = 0,
-	isc_ratelimiter_ratelimited = 1,
-	isc_ratelimiter_idle = 2,
-	isc_ratelimiter_shuttingdown = 3
-} isc_ratelimiter_state_t;
-
-struct isc_ratelimiter {
-	isc_mem_t *		mctx;
-	isc_mutex_t		lock;
-	int			refs;
-	isc_task_t *		task;
-	isc_timer_t *		timer;
-	isc_interval_t		interval;
-	isc_uint32_t		pertic;
-	isc_ratelimiter_state_t	state;
-	isc_event_t		shutdownevent;
-	ISC_LIST(isc_event_t)	pending;
-};
-
-#define ISC_RATELIMITEREVENT_SHUTDOWN (ISC_EVENTCLASS_RATELIMITER + 1)
-
-static void
-ratelimiter_tick(isc_task_t *task, isc_event_t *event);
-
-static void
-ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event);
-
-isc_result_t
-isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
-		       isc_task_t *task, isc_ratelimiter_t **ratelimiterp)
-{
-	isc_result_t result;
-	isc_ratelimiter_t *rl;
-	INSIST(ratelimiterp != NULL && *ratelimiterp == NULL);
-
-	rl = isc_mem_get(mctx, sizeof(*rl));
-	if (rl == NULL)
-		return ISC_R_NOMEMORY;
-	rl->mctx = mctx;
-	rl->refs = 1;
-	rl->task = task;
-	isc_interval_set(&rl->interval, 0, 0);
-	rl->timer = NULL;
-	rl->pertic = 1;
-	rl->state = isc_ratelimiter_idle;
-	ISC_LIST_INIT(rl->pending);
-
-	result = isc_mutex_init(&rl->lock);
-	if (result != ISC_R_SUCCESS)
-		goto free_mem;
-	result = isc_timer_create(timermgr, isc_timertype_inactive,
-				  NULL, NULL, rl->task, ratelimiter_tick,
-				  rl, &rl->timer);
-	if (result != ISC_R_SUCCESS)
-		goto free_mutex;
-
-	/*
-	 * Increment the reference count to indicate that we may
-	 * (soon) have events outstanding.
-	 */
-	rl->refs++;
-
-	ISC_EVENT_INIT(&rl->shutdownevent,
-		       sizeof(isc_event_t),
-		       0, NULL, ISC_RATELIMITEREVENT_SHUTDOWN,
-		       ratelimiter_shutdowncomplete, rl, rl, NULL, NULL);
-
-	*ratelimiterp = rl;
-	return (ISC_R_SUCCESS);
-
-free_mutex:
-	DESTROYLOCK(&rl->lock);
-free_mem:
-	isc_mem_put(mctx, rl, sizeof(*rl));
-	return (result);
-}
-
-isc_result_t
-isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval) {
-	isc_result_t result = ISC_R_SUCCESS;
-	LOCK(&rl->lock);
-	rl->interval = *interval;
-	/*
-	 * If the timer is currently running, change its rate.
-	 */
-	if (rl->state == isc_ratelimiter_ratelimited) {
-		result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
-					 &rl->interval, ISC_FALSE);
-	}
-	UNLOCK(&rl->lock);
-	return (result);
-}
-
-void
-isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t pertic) {
-	if (pertic == 0)
-		pertic = 1;
-	rl->pertic = pertic;
-}
-
-isc_result_t
-isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
-			isc_event_t **eventp)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_event_t *ev;
-
-	REQUIRE(eventp != NULL && *eventp != NULL);
-	REQUIRE(task != NULL);
-	ev = *eventp;
-	REQUIRE(ev->ev_sender == NULL);
-
-	LOCK(&rl->lock);
-	if (rl->state == isc_ratelimiter_ratelimited ||
-	    rl->state == isc_ratelimiter_stalled) {
-		isc_event_t *ev = *eventp;
-		ev->ev_sender = task;
-		ISC_LIST_APPEND(rl->pending, ev, ev_link);
-		*eventp = NULL;
-	} else if (rl->state == isc_ratelimiter_idle) {
-		result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
-					 &rl->interval, ISC_FALSE);
-		if (result == ISC_R_SUCCESS) {
-			ev->ev_sender = task;
-			rl->state = isc_ratelimiter_ratelimited;
-		}
-	} else {
-		INSIST(rl->state == isc_ratelimiter_shuttingdown);
-		result = ISC_R_SHUTTINGDOWN;
-	}
-	UNLOCK(&rl->lock);
-	if (*eventp != NULL && result == ISC_R_SUCCESS)
-		isc_task_send(task, eventp);
-	return (result);
-}
-
-static void
-ratelimiter_tick(isc_task_t *task, isc_event_t *event) {
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
-	isc_event_t *p;
-	isc_uint32_t pertic;
-
-	UNUSED(task);
-
-	isc_event_free(&event);
-
-	pertic = rl->pertic;
-	while (pertic != 0) {
-		pertic--;
-		LOCK(&rl->lock);
-		p = ISC_LIST_HEAD(rl->pending);
-		if (p != NULL) {
-			/*
-			 * There is work to do.  Let's do it after unlocking.
-			 */
-			ISC_LIST_UNLINK(rl->pending, p, ev_link);
-		} else {
-			/*
-			 * No work left to do.  Stop the timer so that we don't
-			 * waste resources by having it fire periodically.
-			 */
-			result = isc_timer_reset(rl->timer,
-						 isc_timertype_inactive,
-						 NULL, NULL, ISC_FALSE);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			rl->state = isc_ratelimiter_idle;
-			pertic = 0;	/* Force the loop to exit. */
-		}
-		UNLOCK(&rl->lock);
-		if (p != NULL) {
-			isc_task_t *evtask = p->ev_sender;
-			isc_task_send(evtask, &p);
-		}
-		INSIST(p == NULL);
-	}
-}
-
-void
-isc_ratelimiter_shutdown(isc_ratelimiter_t *rl) {
-	isc_event_t *ev;
-	isc_task_t *task;
-	LOCK(&rl->lock);
-	rl->state = isc_ratelimiter_shuttingdown;
-	(void)isc_timer_reset(rl->timer, isc_timertype_inactive,
-			      NULL, NULL, ISC_FALSE);
-	while ((ev = ISC_LIST_HEAD(rl->pending)) != NULL) {
-		ISC_LIST_UNLINK(rl->pending, ev, ev_link);
-		ev->ev_attributes |= ISC_EVENTATTR_CANCELED;
-		task = ev->ev_sender;
-		isc_task_send(task, &ev);
-	}
-	isc_timer_detach(&rl->timer);
-	/*
-	 * Send an event to our task.  The delivery of this event
-	 * indicates that no more timer events will be delivered.
-	 */
-	ev = &rl->shutdownevent;
-	isc_task_send(rl->task, &ev);
-
-	UNLOCK(&rl->lock);
-}
-
-static void
-ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event) {
-	isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
-
-	UNUSED(task);
-
-	isc_ratelimiter_detach(&rl);
-}
-
-static void
-ratelimiter_free(isc_ratelimiter_t *rl) {
-	DESTROYLOCK(&rl->lock);
-	isc_mem_put(rl->mctx, rl, sizeof(*rl));
-}
-
-void
-isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target) {
-	REQUIRE(source != NULL);
-	REQUIRE(target != NULL && *target == NULL);
-
-	LOCK(&source->lock);
-	REQUIRE(source->refs > 0);
-	source->refs++;
-	INSIST(source->refs > 0);
-	UNLOCK(&source->lock);
-	*target = source;
-}
-
-void
-isc_ratelimiter_detach(isc_ratelimiter_t **rlp) {
-	isc_ratelimiter_t *rl = *rlp;
-	isc_boolean_t free_now = ISC_FALSE;
-
-	LOCK(&rl->lock);
-	REQUIRE(rl->refs > 0);
-	rl->refs--;
-	if (rl->refs == 0)
-		free_now = ISC_TRUE;
-	UNLOCK(&rl->lock);
-
-	if (free_now)
-		ratelimiter_free(rl);
-
-	*rlp = NULL;
-}
-
-isc_result_t
-isc_ratelimiter_stall(isc_ratelimiter_t *rl) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	LOCK(&rl->lock);
-	switch (rl->state) {
-	case isc_ratelimiter_shuttingdown:
-		result = ISC_R_SHUTTINGDOWN;
-		break;
-	case isc_ratelimiter_ratelimited:
-		result = isc_timer_reset(rl->timer, isc_timertype_inactive,
-					 NULL, NULL, ISC_FALSE);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		/* FALLTHROUGH */
-	case isc_ratelimiter_idle:
-	case isc_ratelimiter_stalled:
-		rl->state = isc_ratelimiter_stalled;
-		break;
-	}
-	UNLOCK(&rl->lock);
-	return (result);
-}
-
-isc_result_t
-isc_ratelimiter_release(isc_ratelimiter_t *rl) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	LOCK(&rl->lock);
-	switch (rl->state) {
-	case isc_ratelimiter_shuttingdown:
-		result = ISC_R_SHUTTINGDOWN;
-		break;
-	case isc_ratelimiter_stalled:
-		if (!ISC_LIST_EMPTY(rl->pending)) {
-			result = isc_timer_reset(rl->timer,
-						 isc_timertype_ticker, NULL,
-						 &rl->interval, ISC_FALSE);
-			if (result == ISC_R_SUCCESS)
-				rl->state = isc_ratelimiter_ratelimited;
-		} else
-			rl->state = isc_ratelimiter_idle;
-		break;
-	case isc_ratelimiter_ratelimited:
-	case isc_ratelimiter_idle:
-		break;
-	}
-	UNLOCK(&rl->lock);
-	return (result);
-}
diff --git a/contrib/bind9/lib/isc/refcount.c b/contrib/bind9/lib/isc/refcount.c
deleted file mode 100644
index 36dfff2..0000000
--- a/contrib/bind9/lib/isc/refcount.c
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: refcount.c,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/mutex.h>
-#include <isc/refcount.h>
-#include <isc/result.h>
-
-isc_result_t
-isc_refcount_init(isc_refcount_t *ref, unsigned int n) {
-	REQUIRE(ref != NULL);
-
-	ref->refs = n;
-#if defined(ISC_PLATFORM_USETHREADS) && !defined(ISC_PLATFORM_HAVEXADD)
-	return (isc_mutex_init(&ref->lock));
-#else
-	return (ISC_R_SUCCESS);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/regex.c b/contrib/bind9/lib/isc/regex.c
deleted file mode 100644
index 279bcdc..0000000
--- a/contrib/bind9/lib/isc/regex.c
+++ /dev/null
@@ -1,370 +0,0 @@
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <config.h>
-
-#include <isc/file.h>
-#include <isc/regex.h>
-#include <isc/string.h>
-
-#if VALREGEX_REPORT_REASON
-#define FAIL(x) do { reason = (x); goto error; } while(0)
-#else
-#define FAIL(x) goto error
-#endif
-
-/*
- * Validate the regular expression 'C' locale.
- */
-int
-isc_regex_validate(const char *c) {
-	enum {
-		none, parse_bracket, parse_bound,
-		parse_ce, parse_ec, parse_cc
-	} state = none;
-	/* Well known character classes. */
-	const char *cc[] = {
-		":alnum:", ":digit:", ":punct:", ":alpha:", ":graph:",
-		":space:", ":blank:", ":lower:", ":upper:", ":cntrl:",
-		":print:", ":xdigit:"
-	};
-	isc_boolean_t seen_comma = ISC_FALSE;
-	isc_boolean_t seen_high = ISC_FALSE;
-	isc_boolean_t seen_char = ISC_FALSE;
-	isc_boolean_t seen_ec = ISC_FALSE;
-	isc_boolean_t seen_ce = ISC_FALSE;
-	isc_boolean_t have_atom = ISC_FALSE;
-	int group = 0;
-	int range = 0;
-	int sub = 0;
-	isc_boolean_t empty_ok = ISC_FALSE;
-	isc_boolean_t neg = ISC_FALSE;
-	isc_boolean_t was_multiple = ISC_FALSE;
-	unsigned int low = 0;
-	unsigned int high = 0;
-	const char *ccname = NULL;
-	int range_start = 0;
-#if VALREGEX_REPORT_REASON
-	const char *reason = "";
-#endif
-
-	if (c == NULL || *c == 0)
-		FAIL("empty string");
-
-	while (c != NULL && *c != 0) {
-		switch (state) {
-		case none:
-			switch (*c) {
-			case '\\':	/* make literal */
-				++c;
-				switch (*c) {
-				case '1': case '2': case '3':
-				case '4': case '5': case '6':
-				case '7': case '8': case '9':
-					if ((*c - '0') > sub)
-						FAIL("bad back reference");
-					have_atom = ISC_TRUE;
-					was_multiple = ISC_FALSE;
-					break;
-				case 0:
-					FAIL("escaped end-of-string");
-				default:
-					goto literal;
-				}
-				++c;
-				break;
-			case '[':	/* bracket start */
-				++c;
-				neg = ISC_FALSE;
-				was_multiple = ISC_FALSE;
-				seen_char = ISC_FALSE;
-				state = parse_bracket;
-				break;
-			case '{': 	/* bound start */
-				switch (c[1]) {
-				case '0': case '1': case '2': case '3':
-				case '4': case '5': case '6': case '7':
-				case '8': case '9':
-					if (!have_atom)
-						FAIL("no atom");
-					if (was_multiple)
-						FAIL("was multiple");
-					seen_comma = ISC_FALSE;
-					seen_high = ISC_FALSE;
-					low = high = 0;
-					state = parse_bound;
-					break;
-				default:
-					goto literal;
-				}
-				++c;
-				have_atom = ISC_TRUE;
-				was_multiple = ISC_TRUE;
-				break;
-			case '}':
-				goto literal;
-			case '(':	/* group start */
-				have_atom = ISC_FALSE;
-				was_multiple = ISC_FALSE;
-				empty_ok = ISC_TRUE;
-				++group;
-				++sub;
-				++c;
-				break;
-			case ')':	/* group end */
-				if (group && !have_atom && !empty_ok)
-					FAIL("empty alternative");
-				have_atom = ISC_TRUE;
-				was_multiple = ISC_FALSE;
-				if (group != 0)
-					--group;
-				++c;
-				break;
-			case '|':	/* alternative seperator */
-				if (!have_atom)
-					FAIL("no atom");
-				have_atom = ISC_FALSE;
-				empty_ok = ISC_FALSE;
-				was_multiple = ISC_FALSE;
-				++c;
-				break;
-			case '^':
-			case '$':
-				have_atom = ISC_TRUE;
-				was_multiple = ISC_TRUE;
-				++c;
-				break;
-			case '+':
-			case '*':
-			case '?':
-				if (was_multiple)
-					FAIL("was multiple");
-				if (!have_atom)
-					FAIL("no atom");
-				have_atom = ISC_TRUE;
-				was_multiple = ISC_TRUE;
-				++c;
-				break;
-			case '.':
-			default:
-			literal:
-				have_atom = ISC_TRUE;
-				was_multiple = ISC_FALSE;
-				++c;
-				break;
-			}
-			break;
-		case parse_bound:
-			switch (*c) {
-			case '0': case '1': case '2': case '3': case '4':
-			case '5': case '6': case '7': case '8': case '9':
-				if (!seen_comma) {
-					low = low * 10 + *c - '0';
-					if (low > 255)
-						FAIL("lower bound too big");
-				} else {
-					seen_high = ISC_TRUE;
-					high = high * 10 + *c - '0';
-					if (high > 255)
-						FAIL("upper bound too big");
-				}
-				++c;
-				break;
-			case ',':
-				if (seen_comma)
-					FAIL("multiple commas");
-				seen_comma = ISC_TRUE;
-				++c;
-				break;
-			default:
-			case '{':
-				FAIL("non digit/comma");
-			case '}':
-				if (seen_high && low > high)
-					FAIL("bad parse bound");
-				seen_comma = ISC_FALSE;
-				state = none;
-				++c;
-				break;
-			}
-			break;
-		case parse_bracket:
-			switch (*c) {
-			case '^':
-				if (seen_char || neg) goto inside;
-				neg = ISC_TRUE;
-				++c;
-				break;
-			case '-':
-				if (range == 2) goto inside;
-				if (!seen_char) goto inside;
-				if (range == 1)
-					FAIL("bad range");
-				range = 2;
-				++c;
-				break;
-			case '[':
-				++c;
-				switch (*c) {
-				case '.':	/* collating element */
-					if (range) --range;
-					++c;
-					state = parse_ce;
-					seen_ce = ISC_FALSE;
-					break;
-				case '=':	/* equivalence class */
-					if (range == 2)
-					    FAIL("equivalence class in range");
-					++c;
-					state = parse_ec;
-					seen_ec = ISC_FALSE;
-					break;
-				case ':':	/* character class */
-					if (range == 2)
-					      FAIL("character class in range");
-					ccname = c;
-					++c;
-					state = parse_cc;
-					break;
-				}
-				seen_char = ISC_TRUE;
-				break;
-			case ']':
-				if (!c[1] && !seen_char)
-					FAIL("unfinished brace");
-				if (!seen_char)
-					goto inside;
-				++c;
-				range = 0;
-				have_atom = ISC_TRUE;
-				state = none;
-				break;
-			default:
-			inside:
-				seen_char = ISC_TRUE;
-				if (range == 2 && *c < range_start)
-					FAIL("out of order range");
-				if (range != 0)
-					--range;
-				range_start = *c;
-				++c;
-				break;
-			};
-			break;
-		case parse_ce:
-			switch (*c) {
-			case '.':
-				++c;
-				switch (*c) {
-				case ']':
-					if (!seen_ce)
-						 FAIL("empty ce");
-					++c;
-					state = parse_bracket;
-					break;
-				default:
-					if (seen_ce)
-						range_start = 256;
-					else
-						range_start = '.';
-					seen_ce = ISC_TRUE;
-					break;
-				}
-				break;
-			default:
-				if (seen_ce)
-					range_start = 256;
-				else
-					range_start = *c;
-				seen_ce = ISC_TRUE;
-				++c;
-				break;
-			}
-			break;
-		case parse_ec:
-			switch (*c) {
-			case '=':
-				++c;
-				switch (*c) {
-				case ']':
-					if (!seen_ec)
-						FAIL("no ec");
-					++c;
-					state = parse_bracket;
-					break;
-				default:
-					seen_ec = ISC_TRUE;
-					break;
-				}
-				break;
-			default:
-				seen_ec = ISC_TRUE;
-				++c;
-				break;
-			}
-			break;
-		case parse_cc:
-			switch (*c) {
-			case ':':
-				++c;
-				switch (*c) {
-				case ']': {
-					unsigned int i;
-					isc_boolean_t found = ISC_FALSE;
-					for (i = 0;
-					     i < sizeof(cc)/sizeof(*cc);
-					     i++)
-					{
-						unsigned int len;
-						len = strlen(cc[i]);
-						if (len !=
-						    (unsigned int)(c - ccname))
-							continue;
-						if (strncmp(cc[i], ccname, len))
-							continue;
-						found = ISC_TRUE;
-					}
-					if (!found)
-						FAIL("unknown cc");
-					++c;
-					state = parse_bracket;
-					break;
-					}
-				default:
-					break;
-				}
-				break;
-			default:
-				++c;
-				break;
-			}
-			break;
-		}
-	}
-	if (group != 0)
-		FAIL("group open");
-	if (state != none)
-		FAIL("incomplete");
-	if (!have_atom)
-		FAIL("no atom");
-	return (sub);
-
- error:
-#if VALREGEX_REPORT_REASON
-	fprintf(stderr, "%s\n", reason);
-#endif
-	return (-1);
-}
diff --git a/contrib/bind9/lib/isc/region.c b/contrib/bind9/lib/isc/region.c
deleted file mode 100644
index cf64979..0000000
--- a/contrib/bind9/lib/isc/region.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: region.c,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/region.h>
-#include <isc/util.h>
-
-int
-isc_region_compare(isc_region_t *r1, isc_region_t *r2) {
-	unsigned int l;
-	int result;
-
-	REQUIRE(r1 != NULL);
-	REQUIRE(r2 != NULL);
-	       
-	l = (r1->length < r2->length) ? r1->length : r2->length;
-
-	if ((result = memcmp(r1->base, r2->base, l)) != 0)
-		return ((result < 0) ? -1 : 1);
-	else
-		return ((r1->length == r2->length) ? 0 :
-			(r1->length < r2->length) ? -1 : 1);
-}
diff --git a/contrib/bind9/lib/isc/result.c b/contrib/bind9/lib/isc/result.c
deleted file mode 100644
index a9405fd..0000000
--- a/contrib/bind9/lib/isc/result.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <isc/lib.h>
-#include <isc/msgs.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/resultclass.h>
-#include <isc/util.h>
-
-typedef struct resulttable {
-	unsigned int				base;
-	unsigned int				last;
-	const char **				text;
-	isc_msgcat_t *				msgcat;
-	int					set;
-	ISC_LINK(struct resulttable)		link;
-} resulttable;
-
-static const char *text[ISC_R_NRESULTS] = {
-	"success",				/*%< 0 */
-	"out of memory",			/*%< 1 */
-	"timed out",				/*%< 2 */
-	"no available threads",			/*%< 3 */
-	"address not available",		/*%< 4 */
-	"address in use",			/*%< 5 */
-	"permission denied",			/*%< 6 */
-	"no pending connections",		/*%< 7 */
-	"network unreachable",			/*%< 8 */
-	"host unreachable",			/*%< 9 */
-	"network down",				/*%< 10 */
-	"host down",				/*%< 11 */
-	"connection refused",			/*%< 12 */
-	"not enough free resources",		/*%< 13 */
-	"end of file",				/*%< 14 */
-	"socket already bound",			/*%< 15 */
-	"reload",				/*%< 16 */
-	"lock busy",				/*%< 17 */
-	"already exists",			/*%< 18 */
-	"ran out of space",			/*%< 19 */
-	"operation canceled",			/*%< 20 */
-	"socket is not bound",			/*%< 21 */
-	"shutting down",			/*%< 22 */
-	"not found",				/*%< 23 */
-	"unexpected end of input",		/*%< 24 */
-	"failure",				/*%< 25 */
-	"I/O error",				/*%< 26 */
-	"not implemented",			/*%< 27 */
-	"unbalanced parentheses",		/*%< 28 */
-	"no more",				/*%< 29 */
-	"invalid file",				/*%< 30 */
-	"bad base64 encoding",			/*%< 31 */
-	"unexpected token",			/*%< 32 */
-	"quota reached",			/*%< 33 */
-	"unexpected error",			/*%< 34 */
-	"already running",			/*%< 35 */
-	"ignore",				/*%< 36 */
-	"address mask not contiguous",		/*%< 37 */
-	"file not found",			/*%< 38 */
-	"file already exists",			/*%< 39 */
-	"socket is not connected",		/*%< 40 */
-	"out of range",				/*%< 41 */
-	"out of entropy",			/*%< 42 */
-	"invalid use of multicast address",	/*%< 43 */
-	"not a file",				/*%< 44 */
-	"not a directory",			/*%< 45 */
-	"queue is full",			/*%< 46 */
-	"address family mismatch",		/*%< 47 */
-	"address family not supported",		/*%< 48 */
-	"bad hex encoding",			/*%< 49 */
-	"too many open files",			/*%< 50 */
-	"not blocking",				/*%< 51 */
-	"unbalanced quotes",			/*%< 52 */
-	"operation in progress",		/*%< 53 */
-	"connection reset",			/*%< 54 */
-	"soft quota reached",			/*%< 55 */
-	"not a valid number",			/*%< 56 */
-	"disabled",				/*%< 57 */
-	"max size",				/*%< 58 */
-	"invalid address format",		/*%< 59 */
-	"bad base32 encoding",			/*%< 60 */
-	"unset",				/*%< 61 */
-};
-
-#define ISC_RESULT_RESULTSET			2
-#define ISC_RESULT_UNAVAILABLESET		3
-
-static isc_once_t 				once = ISC_ONCE_INIT;
-static ISC_LIST(resulttable)			tables;
-static isc_mutex_t				lock;
-
-static isc_result_t
-register_table(unsigned int base, unsigned int nresults, const char **text,
-	       isc_msgcat_t *msgcat, int set)
-{
-	resulttable *table;
-
-	REQUIRE(base % ISC_RESULTCLASS_SIZE == 0);
-	REQUIRE(nresults <= ISC_RESULTCLASS_SIZE);
-	REQUIRE(text != NULL);
-
-	/*
-	 * We use malloc() here because we we want to be able to use
-	 * isc_result_totext() even if there is no memory context.
-	 */
-	table = malloc(sizeof(*table));
-	if (table == NULL)
-		return (ISC_R_NOMEMORY);
-	table->base = base;
-	table->last = base + nresults - 1;
-	table->text = text;
-	table->msgcat = msgcat;
-	table->set = set;
-	ISC_LINK_INIT(table, link);
-
-	LOCK(&lock);
-
-	ISC_LIST_APPEND(tables, table, link);
-
-	UNLOCK(&lock);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-initialize_action(void) {
-	isc_result_t result;
-
-	RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
-	ISC_LIST_INIT(tables);
-
-	result = register_table(ISC_RESULTCLASS_ISC, ISC_R_NRESULTS, text,
-				isc_msgcat, ISC_RESULT_RESULTSET);
-	if (result != ISC_R_SUCCESS)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "register_table() %s: %u",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 result);
-}
-
-static void
-initialize(void) {
-	isc_lib_initmsgcat();
-	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-const char *
-isc_result_totext(isc_result_t result) {
-	resulttable *table;
-	const char *text, *default_text;
-	int index;
-
-	initialize();
-
-	LOCK(&lock);
-
-	text = NULL;
-	for (table = ISC_LIST_HEAD(tables);
-	     table != NULL;
-	     table = ISC_LIST_NEXT(table, link)) {
-		if (result >= table->base && result <= table->last) {
-			index = (int)(result - table->base);
-			default_text = table->text[index];
-			/*
-			 * Note: we use 'index + 1' as the message number
-			 * instead of index because isc_msgcat_get() requires
-			 * the message number to be > 0.
-			 */
-			text = isc_msgcat_get(table->msgcat, table->set,
-					      index + 1, default_text);
-			break;
-		}
-	}
-	if (text == NULL)
-		text = isc_msgcat_get(isc_msgcat, ISC_RESULT_UNAVAILABLESET,
-				      1, "(result code text not available)");
-
-	UNLOCK(&lock);
-
-	return (text);
-}
-
-isc_result_t
-isc_result_register(unsigned int base, unsigned int nresults,
-		    const char **text, isc_msgcat_t *msgcat, int set)
-{
-	initialize();
-
-	return (register_table(base, nresults, text, msgcat, set));
-}
diff --git a/contrib/bind9/lib/isc/rwlock.c b/contrib/bind9/lib/isc/rwlock.c
deleted file mode 100644
index 9c84c25..0000000
--- a/contrib/bind9/lib/isc/rwlock.c
+++ /dev/null
@@ -1,809 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/atomic.h>
-#include <isc/magic.h>
-#include <isc/msgs.h>
-#include <isc/platform.h>
-#include <isc/rwlock.h>
-#include <isc/util.h>
-
-#define RWLOCK_MAGIC		ISC_MAGIC('R', 'W', 'L', 'k')
-#define VALID_RWLOCK(rwl)	ISC_MAGIC_VALID(rwl, RWLOCK_MAGIC)
-
-#ifdef ISC_PLATFORM_USETHREADS
-
-#ifndef RWLOCK_DEFAULT_READ_QUOTA
-#define RWLOCK_DEFAULT_READ_QUOTA 4
-#endif
-
-#ifndef RWLOCK_DEFAULT_WRITE_QUOTA
-#define RWLOCK_DEFAULT_WRITE_QUOTA 4
-#endif
-
-#ifdef ISC_RWLOCK_TRACE
-#include <stdio.h>		/* Required for fprintf/stderr. */
-#include <isc/thread.h>		/* Required for isc_thread_self(). */
-
-static void
-print_lock(const char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	fprintf(stderr,
-		isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-			       ISC_MSG_PRINTLOCK,
-			       "rwlock %p thread %lu %s(%s): %s, %u active, "
-			       "%u granted, %u rwaiting, %u wwaiting\n"),
-		rwl, isc_thread_self(), operation,
-		(type == isc_rwlocktype_read ?
-		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				ISC_MSG_READ, "read") :
-		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				ISC_MSG_WRITE, "write")),
-		(rwl->type == isc_rwlocktype_read ?
-		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				ISC_MSG_READING, "reading") :
-		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				ISC_MSG_WRITING, "writing")),
-		rwl->active, rwl->granted, rwl->readers_waiting,
-		rwl->writers_waiting);
-}
-#endif
-
-isc_result_t
-isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
-		unsigned int write_quota)
-{
-	isc_result_t result;
-
-	REQUIRE(rwl != NULL);
-
-	/*
-	 * In case there's trouble initializing, we zero magic now.  If all
-	 * goes well, we'll set it to RWLOCK_MAGIC.
-	 */
-	rwl->magic = 0;
-
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
-	rwl->write_requests = 0;
-	rwl->write_completions = 0;
-	rwl->cnt_and_flag = 0;
-	rwl->readers_waiting = 0;
-	rwl->write_granted = 0;
-	if (read_quota != 0) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "read quota is not supported");
-	}
-	if (write_quota == 0)
-		write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
-	rwl->write_quota = write_quota;
-#else
-	rwl->type = isc_rwlocktype_read;
-	rwl->original = isc_rwlocktype_none;
-	rwl->active = 0;
-	rwl->granted = 0;
-	rwl->readers_waiting = 0;
-	rwl->writers_waiting = 0;
-	if (read_quota == 0)
-		read_quota = RWLOCK_DEFAULT_READ_QUOTA;
-	rwl->read_quota = read_quota;
-	if (write_quota == 0)
-		write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
-	rwl->write_quota = write_quota;
-#endif
-
-	result = isc_mutex_init(&rwl->lock);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	result = isc_condition_init(&rwl->readable);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_condition_init(readable) %s: %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
-		goto destroy_lock;
-	}
-	result = isc_condition_init(&rwl->writeable);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_condition_init(writeable) %s: %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 isc_result_totext(result));
-		result = ISC_R_UNEXPECTED;
-		goto destroy_rcond;
-	}
-
-	rwl->magic = RWLOCK_MAGIC;
-
-	return (ISC_R_SUCCESS);
-
-  destroy_rcond:
-	(void)isc_condition_destroy(&rwl->readable);
-  destroy_lock:
-	DESTROYLOCK(&rwl->lock);
-
-	return (result);
-}
-
-void
-isc_rwlock_destroy(isc_rwlock_t *rwl) {
-	REQUIRE(VALID_RWLOCK(rwl));
-
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
-	REQUIRE(rwl->write_requests == rwl->write_completions &&
-		rwl->cnt_and_flag == 0 && rwl->readers_waiting == 0);
-#else
-	LOCK(&rwl->lock);
-	REQUIRE(rwl->active == 0 &&
-		rwl->readers_waiting == 0 &&
-		rwl->writers_waiting == 0);
-	UNLOCK(&rwl->lock);
-#endif
-
-	rwl->magic = 0;
-	(void)isc_condition_destroy(&rwl->readable);
-	(void)isc_condition_destroy(&rwl->writeable);
-	DESTROYLOCK(&rwl->lock);
-}
-
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
-
-/*
- * When some architecture-dependent atomic operations are available,
- * rwlock can be more efficient than the generic algorithm defined below.
- * The basic algorithm is described in the following URL:
- *   http://www.cs.rochester.edu/u/scott/synchronization/pseudocode/rw.html
- *
- * The key is to use the following integer variables modified atomically:
- *   write_requests, write_completions, and cnt_and_flag.
- *
- * write_requests and write_completions act as a waiting queue for writers
- * in order to ensure the FIFO order.  Both variables begin with the initial
- * value of 0.  When a new writer tries to get a write lock, it increments
- * write_requests and gets the previous value of the variable as a "ticket".
- * When write_completions reaches the ticket number, the new writer can start
- * writing.  When the writer completes its work, it increments
- * write_completions so that another new writer can start working.  If the
- * write_requests is not equal to write_completions, it means a writer is now
- * working or waiting.  In this case, a new readers cannot start reading, or
- * in other words, this algorithm basically prefers writers.
- *
- * cnt_and_flag is a "lock" shared by all readers and writers.  This integer
- * variable is a kind of structure with two members: writer_flag (1 bit) and
- * reader_count (31 bits).  The writer_flag shows whether a writer is working,
- * and the reader_count shows the number of readers currently working or almost
- * ready for working.  A writer who has the current "ticket" tries to get the
- * lock by exclusively setting the writer_flag to 1, provided that the whole
- * 32-bit is 0 (meaning no readers or writers working).  On the other hand,
- * a new reader tries to increment the "reader_count" field provided that
- * the writer_flag is 0 (meaning there is no writer working).
- *
- * If some of the above operations fail, the reader or the writer sleeps
- * until the related condition changes.  When a working reader or writer
- * completes its work, some readers or writers are sleeping, and the condition
- * that suspended the reader or writer has changed, it wakes up the sleeping
- * readers or writers.
- *
- * As already noted, this algorithm basically prefers writers.  In order to
- * prevent readers from starving, however, the algorithm also introduces the
- * "writer quota" (Q).  When Q consecutive writers have completed their work,
- * suspending readers, the last writer will wake up the readers, even if a new
- * writer is waiting.
- *
- * Implementation specific note: due to the combination of atomic operations
- * and a mutex lock, ordering between the atomic operation and locks can be
- * very sensitive in some cases.  In particular, it is generally very important
- * to check the atomic variable that requires a reader or writer to sleep after
- * locking the mutex and before actually sleeping; otherwise, it could be very
- * likely to cause a deadlock.  For example, assume "var" is a variable
- * atomically modified, then the corresponding code would be:
- *	if (var == need_sleep) {
- *		LOCK(lock);
- *		if (var == need_sleep)
- *			WAIT(cond, lock);
- *		UNLOCK(lock);
- *	}
- * The second check is important, since "var" is protected by the atomic
- * operation, not by the mutex, and can be changed just before sleeping.
- * (The first "if" could be omitted, but this is also important in order to
- * make the code efficient by avoiding the use of the mutex unless it is
- * really necessary.)
- */
-
-#define WRITER_ACTIVE	0x1
-#define READER_INCR	0x2
-
-isc_result_t
-isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	isc_int32_t cntflag;
-
-	REQUIRE(VALID_RWLOCK(rwl));
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_PRELOCK, "prelock"), rwl, type);
-#endif
-
-	if (type == isc_rwlocktype_read) {
-		if (rwl->write_requests != rwl->write_completions) {
-			/* there is a waiting or active writer */
-			LOCK(&rwl->lock);
-			if (rwl->write_requests != rwl->write_completions) {
-				rwl->readers_waiting++;
-				WAIT(&rwl->readable, &rwl->lock);
-				rwl->readers_waiting--;
-			}
-			UNLOCK(&rwl->lock);
-		}
-
-		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
-		POST(cntflag);
-		while (1) {
-			if ((rwl->cnt_and_flag & WRITER_ACTIVE) == 0)
-				break;
-
-			/* A writer is still working */
-			LOCK(&rwl->lock);
-			rwl->readers_waiting++;
-			if ((rwl->cnt_and_flag & WRITER_ACTIVE) != 0)
-				WAIT(&rwl->readable, &rwl->lock);
-			rwl->readers_waiting--;
-			UNLOCK(&rwl->lock);
-
-			/*
-			 * Typically, the reader should be able to get a lock
-			 * at this stage:
-			 *   (1) there should have been no pending writer when
-			 *       the reader was trying to increment the
-			 *       counter; otherwise, the writer should be in
-			 *       the waiting queue, preventing the reader from
-			 *       proceeding to this point.
-			 *   (2) once the reader increments the counter, no
-			 *       more writer can get a lock.
-			 * Still, it is possible another writer can work at
-			 * this point, e.g. in the following scenario:
-			 *   A previous writer unlocks the writer lock.
-			 *   This reader proceeds to point (1).
-			 *   A new writer appears, and gets a new lock before
-			 *   the reader increments the counter.
-			 *   The reader then increments the counter.
-			 *   The previous writer notices there is a waiting
-			 *   reader who is almost ready, and wakes it up.
-			 * So, the reader needs to confirm whether it can now
-			 * read explicitly (thus we loop).  Note that this is
-			 * not an infinite process, since the reader has
-			 * incremented the counter at this point.
-			 */
-		}
-
-		/*
-		 * If we are temporarily preferred to writers due to the writer
-		 * quota, reset the condition (race among readers doesn't
-		 * matter).
-		 */
-		rwl->write_granted = 0;
-	} else {
-		isc_int32_t prev_writer;
-
-		/* enter the waiting queue, and wait for our turn */
-		prev_writer = isc_atomic_xadd(&rwl->write_requests, 1);
-		while (rwl->write_completions != prev_writer) {
-			LOCK(&rwl->lock);
-			if (rwl->write_completions != prev_writer) {
-				WAIT(&rwl->writeable, &rwl->lock);
-				UNLOCK(&rwl->lock);
-				continue;
-			}
-			UNLOCK(&rwl->lock);
-			break;
-		}
-
-		while (1) {
-			cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
-						     WRITER_ACTIVE);
-			if (cntflag == 0)
-				break;
-
-			/* Another active reader or writer is working. */
-			LOCK(&rwl->lock);
-			if (rwl->cnt_and_flag != 0)
-				WAIT(&rwl->writeable, &rwl->lock);
-			UNLOCK(&rwl->lock);
-		}
-
-		INSIST((rwl->cnt_and_flag & WRITER_ACTIVE) != 0);
-		rwl->write_granted++;
-	}
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_POSTLOCK, "postlock"), rwl, type);
-#endif
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	isc_int32_t cntflag;
-
-	REQUIRE(VALID_RWLOCK(rwl));
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_PRELOCK, "prelock"), rwl, type);
-#endif
-
-	if (type == isc_rwlocktype_read) {
-		/* If a writer is waiting or working, we fail. */
-		if (rwl->write_requests != rwl->write_completions)
-			return (ISC_R_LOCKBUSY);
-
-		/* Otherwise, be ready for reading. */
-		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
-		if ((cntflag & WRITER_ACTIVE) != 0) {
-			/*
-			 * A writer is working.  We lose, and cancel the read
-			 * request.
-			 */
-			cntflag = isc_atomic_xadd(&rwl->cnt_and_flag,
-						  -READER_INCR);
-			/*
-			 * If no other readers are waiting and we've suspended
-			 * new writers in this short period, wake them up.
-			 */
-			if (cntflag == READER_INCR &&
-			    rwl->write_completions != rwl->write_requests) {
-				LOCK(&rwl->lock);
-				BROADCAST(&rwl->writeable);
-				UNLOCK(&rwl->lock);
-			}
-
-			return (ISC_R_LOCKBUSY);
-		}
-	} else {
-		/* Try locking without entering the waiting queue. */
-		cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
-					     WRITER_ACTIVE);
-		if (cntflag != 0)
-			return (ISC_R_LOCKBUSY);
-
-		/*
-		 * XXXJT: jump into the queue, possibly breaking the writer
-		 * order.
-		 */
-		(void)isc_atomic_xadd(&rwl->write_completions, -1);
-
-		rwl->write_granted++;
-	}
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_POSTLOCK, "postlock"), rwl, type);
-#endif
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
-	isc_int32_t prevcnt;
-
-	REQUIRE(VALID_RWLOCK(rwl));
-
-	/* Try to acquire write access. */
-	prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag,
-				     READER_INCR, WRITER_ACTIVE);
-	/*
-	 * There must have been no writer, and there must have been at least
-	 * one reader.
-	 */
-	INSIST((prevcnt & WRITER_ACTIVE) == 0 &&
-	       (prevcnt & ~WRITER_ACTIVE) != 0);
-
-	if (prevcnt == READER_INCR) {
-		/*
-		 * We are the only reader and have been upgraded.
-		 * Now jump into the head of the writer waiting queue.
-		 */
-		(void)isc_atomic_xadd(&rwl->write_completions, -1);
-	} else
-		return (ISC_R_LOCKBUSY);
-
-	return (ISC_R_SUCCESS);
-
-}
-
-void
-isc_rwlock_downgrade(isc_rwlock_t *rwl) {
-	isc_int32_t prev_readers;
-
-	REQUIRE(VALID_RWLOCK(rwl));
-
-	/* Become an active reader. */
-	prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
-	/* We must have been a writer. */
-	INSIST((prev_readers & WRITER_ACTIVE) != 0);
-
-	/* Complete write */
-	(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
-	(void)isc_atomic_xadd(&rwl->write_completions, 1);
-
-	/* Resume other readers */
-	LOCK(&rwl->lock);
-	if (rwl->readers_waiting > 0)
-		BROADCAST(&rwl->readable);
-	UNLOCK(&rwl->lock);
-}
-
-isc_result_t
-isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	isc_int32_t prev_cnt;
-
-	REQUIRE(VALID_RWLOCK(rwl));
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_PREUNLOCK, "preunlock"), rwl, type);
-#endif
-
-	if (type == isc_rwlocktype_read) {
-		prev_cnt = isc_atomic_xadd(&rwl->cnt_and_flag, -READER_INCR);
-
-		/*
-		 * If we're the last reader and any writers are waiting, wake
-		 * them up.  We need to wake up all of them to ensure the
-		 * FIFO order.
-		 */
-		if (prev_cnt == READER_INCR &&
-		    rwl->write_completions != rwl->write_requests) {
-			LOCK(&rwl->lock);
-			BROADCAST(&rwl->writeable);
-			UNLOCK(&rwl->lock);
-		}
-	} else {
-		isc_boolean_t wakeup_writers = ISC_TRUE;
-
-		/*
-		 * Reset the flag, and (implicitly) tell other writers
-		 * we are done.
-		 */
-		(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
-		(void)isc_atomic_xadd(&rwl->write_completions, 1);
-
-		if (rwl->write_granted >= rwl->write_quota ||
-		    rwl->write_requests == rwl->write_completions ||
-		    (rwl->cnt_and_flag & ~WRITER_ACTIVE) != 0) {
-			/*
-			 * We have passed the write quota, no writer is
-			 * waiting, or some readers are almost ready, pending
-			 * possible writers.  Note that the last case can
-			 * happen even if write_requests != write_completions
-			 * (which means a new writer in the queue), so we need
-			 * to catch the case explicitly.
-			 */
-			LOCK(&rwl->lock);
-			if (rwl->readers_waiting > 0) {
-				wakeup_writers = ISC_FALSE;
-				BROADCAST(&rwl->readable);
-			}
-			UNLOCK(&rwl->lock);
-		}
-
-		if (rwl->write_requests != rwl->write_completions &&
-		    wakeup_writers) {
-			LOCK(&rwl->lock);
-			BROADCAST(&rwl->writeable);
-			UNLOCK(&rwl->lock);
-		}
-	}
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_POSTUNLOCK, "postunlock"),
-		   rwl, type);
-#endif
-
-	return (ISC_R_SUCCESS);
-}
-
-#else /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
-
-static isc_result_t
-doit(isc_rwlock_t *rwl, isc_rwlocktype_t type, isc_boolean_t nonblock) {
-	isc_boolean_t skip = ISC_FALSE;
-	isc_boolean_t done = ISC_FALSE;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(VALID_RWLOCK(rwl));
-
-	LOCK(&rwl->lock);
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_PRELOCK, "prelock"), rwl, type);
-#endif
-
-	if (type == isc_rwlocktype_read) {
-		if (rwl->readers_waiting != 0)
-			skip = ISC_TRUE;
-		while (!done) {
-			if (!skip &&
-			    ((rwl->active == 0 ||
-			      (rwl->type == isc_rwlocktype_read &&
-			       (rwl->writers_waiting == 0 ||
-				rwl->granted < rwl->read_quota)))))
-			{
-				rwl->type = isc_rwlocktype_read;
-				rwl->active++;
-				rwl->granted++;
-				done = ISC_TRUE;
-			} else if (nonblock) {
-				result = ISC_R_LOCKBUSY;
-				done = ISC_TRUE;
-			} else {
-				skip = ISC_FALSE;
-				rwl->readers_waiting++;
-				WAIT(&rwl->readable, &rwl->lock);
-				rwl->readers_waiting--;
-			}
-		}
-	} else {
-		if (rwl->writers_waiting != 0)
-			skip = ISC_TRUE;
-		while (!done) {
-			if (!skip && rwl->active == 0) {
-				rwl->type = isc_rwlocktype_write;
-				rwl->active = 1;
-				rwl->granted++;
-				done = ISC_TRUE;
-			} else if (nonblock) {
-				result = ISC_R_LOCKBUSY;
-				done = ISC_TRUE;
-			} else {
-				skip = ISC_FALSE;
-				rwl->writers_waiting++;
-				WAIT(&rwl->writeable, &rwl->lock);
-				rwl->writers_waiting--;
-			}
-		}
-	}
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_POSTLOCK, "postlock"), rwl, type);
-#endif
-
-	UNLOCK(&rwl->lock);
-
-	return (result);
-}
-
-isc_result_t
-isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	return (doit(rwl, type, ISC_FALSE));
-}
-
-isc_result_t
-isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	return (doit(rwl, type, ISC_TRUE));
-}
-
-isc_result_t
-isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(VALID_RWLOCK(rwl));
-	LOCK(&rwl->lock);
-	REQUIRE(rwl->type == isc_rwlocktype_read);
-	REQUIRE(rwl->active != 0);
-
-	/* If we are the only reader then succeed. */
-	if (rwl->active == 1) {
-		rwl->original = (rwl->original == isc_rwlocktype_none) ?
-				isc_rwlocktype_read : isc_rwlocktype_none;
-		rwl->type = isc_rwlocktype_write;
-	} else
-		result = ISC_R_LOCKBUSY;
-
-	UNLOCK(&rwl->lock);
-	return (result);
-}
-
-void
-isc_rwlock_downgrade(isc_rwlock_t *rwl) {
-
-	REQUIRE(VALID_RWLOCK(rwl));
-	LOCK(&rwl->lock);
-	REQUIRE(rwl->type == isc_rwlocktype_write);
-	REQUIRE(rwl->active == 1);
-
-	rwl->type = isc_rwlocktype_read;
-	rwl->original = (rwl->original == isc_rwlocktype_none) ?
-			isc_rwlocktype_write : isc_rwlocktype_none;
-	/*
-	 * Resume processing any read request that were blocked when
-	 * we upgraded.
-	 */
-	if (rwl->original == isc_rwlocktype_none &&
-	    (rwl->writers_waiting == 0 || rwl->granted < rwl->read_quota) &&
-	    rwl->readers_waiting > 0)
-		BROADCAST(&rwl->readable);
-
-	UNLOCK(&rwl->lock);
-}
-
-isc_result_t
-isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-
-	REQUIRE(VALID_RWLOCK(rwl));
-	LOCK(&rwl->lock);
-	REQUIRE(rwl->type == type);
-
-	UNUSED(type);
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_PREUNLOCK, "preunlock"), rwl, type);
-#endif
-
-	INSIST(rwl->active > 0);
-	rwl->active--;
-	if (rwl->active == 0) {
-		if (rwl->original != isc_rwlocktype_none) {
-			rwl->type = rwl->original;
-			rwl->original = isc_rwlocktype_none;
-		}
-		if (rwl->type == isc_rwlocktype_read) {
-			rwl->granted = 0;
-			if (rwl->writers_waiting > 0) {
-				rwl->type = isc_rwlocktype_write;
-				SIGNAL(&rwl->writeable);
-			} else if (rwl->readers_waiting > 0) {
-				/* Does this case ever happen? */
-				BROADCAST(&rwl->readable);
-			}
-		} else {
-			if (rwl->readers_waiting > 0) {
-				if (rwl->writers_waiting > 0 &&
-				    rwl->granted < rwl->write_quota) {
-					SIGNAL(&rwl->writeable);
-				} else {
-					rwl->granted = 0;
-					rwl->type = isc_rwlocktype_read;
-					BROADCAST(&rwl->readable);
-				}
-			} else if (rwl->writers_waiting > 0) {
-				rwl->granted = 0;
-				SIGNAL(&rwl->writeable);
-			} else {
-				rwl->granted = 0;
-			}
-		}
-	}
-	INSIST(rwl->original == isc_rwlocktype_none);
-
-#ifdef ISC_RWLOCK_TRACE
-	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				  ISC_MSG_POSTUNLOCK, "postunlock"),
-		   rwl, type);
-#endif
-
-	UNLOCK(&rwl->lock);
-
-	return (ISC_R_SUCCESS);
-}
-
-#endif /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
-#else /* ISC_PLATFORM_USETHREADS */
-
-isc_result_t
-isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
-		unsigned int write_quota)
-{
-	REQUIRE(rwl != NULL);
-
-	UNUSED(read_quota);
-	UNUSED(write_quota);
-
-	rwl->type = isc_rwlocktype_read;
-	rwl->active = 0;
-	rwl->magic = RWLOCK_MAGIC;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	REQUIRE(VALID_RWLOCK(rwl));
-
-	if (type == isc_rwlocktype_read) {
-		if (rwl->type != isc_rwlocktype_read && rwl->active != 0)
-			return (ISC_R_LOCKBUSY);
-		rwl->type = isc_rwlocktype_read;
-		rwl->active++;
-	} else {
-		if (rwl->active != 0)
-			return (ISC_R_LOCKBUSY);
-		rwl->type = isc_rwlocktype_write;
-		rwl->active = 1;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	return (isc_rwlock_lock(rwl, type));
-}
-
-isc_result_t
-isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(VALID_RWLOCK(rwl));
-	REQUIRE(rwl->type == isc_rwlocktype_read);
-	REQUIRE(rwl->active != 0);
-
-	/* If we are the only reader then succeed. */
-	if (rwl->active == 1)
-		rwl->type = isc_rwlocktype_write;
-	else
-		result = ISC_R_LOCKBUSY;
-	return (result);
-}
-
-void
-isc_rwlock_downgrade(isc_rwlock_t *rwl) {
-
-	REQUIRE(VALID_RWLOCK(rwl));
-	REQUIRE(rwl->type == isc_rwlocktype_write);
-	REQUIRE(rwl->active == 1);
-
-	rwl->type = isc_rwlocktype_read;
-}
-
-isc_result_t
-isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-	REQUIRE(VALID_RWLOCK(rwl));
-	REQUIRE(rwl->type == type);
-
-	UNUSED(type);
-
-	INSIST(rwl->active > 0);
-	rwl->active--;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_rwlock_destroy(isc_rwlock_t *rwl) {
-	REQUIRE(rwl != NULL);
-	REQUIRE(rwl->active == 0);
-	rwl->magic = 0;
-}
-
-#endif /* ISC_PLATFORM_USETHREADS */
diff --git a/contrib/bind9/lib/isc/serial.c b/contrib/bind9/lib/isc/serial.c
deleted file mode 100644
index b43aac7..0000000
--- a/contrib/bind9/lib/isc/serial.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: serial.c,v 1.12 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/serial.h>
-
-isc_boolean_t
-isc_serial_lt(isc_uint32_t a, isc_uint32_t b) {
-	/*
-	 * Undefined => ISC_FALSE
-	 */
-	if (a == (b ^ 0x80000000U))
-		return (ISC_FALSE);
-	return (((isc_int32_t)(a - b) < 0) ? ISC_TRUE : ISC_FALSE);
-}
-
-isc_boolean_t
-isc_serial_gt(isc_uint32_t a, isc_uint32_t b) {
-	return (((isc_int32_t)(a - b) > 0) ? ISC_TRUE : ISC_FALSE);
-}
-
-isc_boolean_t
-isc_serial_le(isc_uint32_t a, isc_uint32_t b) {
-	return ((a == b) ? ISC_TRUE : isc_serial_lt(a, b));
-}
-
-isc_boolean_t
-isc_serial_ge(isc_uint32_t a, isc_uint32_t b) {
-	return ((a == b) ? ISC_TRUE : isc_serial_gt(a, b));
-}
-
-isc_boolean_t
-isc_serial_eq(isc_uint32_t a, isc_uint32_t b) {
-	return ((a == b) ? ISC_TRUE : ISC_FALSE);
-}
-
-isc_boolean_t
-isc_serial_ne(isc_uint32_t a, isc_uint32_t b) {
-	return ((a != b) ? ISC_TRUE : ISC_FALSE);
-}
diff --git a/contrib/bind9/lib/isc/sha1.c b/contrib/bind9/lib/isc/sha1.c
deleted file mode 100644
index cce9603..0000000
--- a/contrib/bind9/lib/isc/sha1.c
+++ /dev/null
@@ -1,354 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*	$NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $	*/
-/*	$OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $	*/
-
-/*! \file
- * SHA-1 in C
- * \author By Steve Reid <steve@edmweb.com>
- * 100% Public Domain
- * \verbatim
- * Test Vectors (from FIPS PUB 180-1)
- * "abc"
- *   A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
- * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
- *   84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
- * A million repetitions of "a"
- *   34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
- * \endverbatim
- */
-
-#include "config.h"
-
-#include <isc/assertions.h>
-#include <isc/platform.h>
-#include <isc/sha1.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-
-void
-isc_sha1_init(isc_sha1_t *context)
-{
-	INSIST(context != NULL);
-
-	EVP_DigestInit(context, EVP_sha1());
-}
-
-void
-isc_sha1_invalidate(isc_sha1_t *context) {
-	EVP_MD_CTX_cleanup(context);
-}
-
-void
-isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
-		unsigned int len)
-{
-	INSIST(context != 0);
-	INSIST(data != 0);
-
-	EVP_DigestUpdate(context, (const void *) data, (size_t) len);
-}
-
-void
-isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
-	INSIST(digest != 0);
-	INSIST(context != 0);
-
-	EVP_DigestFinal(context, digest, NULL);
-}
-
-#else
-
-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
-
-/*@{*/
-/*!
- * blk0() and blk() perform the initial expand.
- * I got the idea of expanding during the round function from SSLeay
- */
-#if !defined(WORDS_BIGENDIAN)
-# define blk0(i) \
-	(block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) \
-	 | (rol(block->l[i], 8) & 0x00FF00FF))
-#else
-# define blk0(i) block->l[i]
-#endif
-#define blk(i) \
-	(block->l[i & 15] = rol(block->l[(i + 13) & 15] \
-				^ block->l[(i + 8) & 15] \
-				^ block->l[(i + 2) & 15] \
-				^ block->l[i & 15], 1))
-
-/*@}*/
-/*@{*/
-/*!
- * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1
- */
-#define R0(v,w,x,y,z,i) \
-	z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
-	w = rol(w, 30);
-#define R1(v,w,x,y,z,i) \
-	z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
-	w = rol(w, 30);
-#define R2(v,w,x,y,z,i) \
-	z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \
-	w = rol(w, 30);
-#define R3(v,w,x,y,z,i) \
-	z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
-	w = rol(w, 30);
-#define R4(v,w,x,y,z,i) \
-	z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
-	w = rol(w, 30);
-
-/*@}*/
-
-typedef union {
-	unsigned char c[64];
-	unsigned int l[16];
-} CHAR64LONG16;
-
-#ifdef __sparc_v9__
-static void do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
-		   isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-static void do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
-		  isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-static void do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
-		  isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-static void do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
-		  isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-
-#define nR0(v,w,x,y,z,i) R0(*v,*w,*x,*y,*z,i)
-#define nR1(v,w,x,y,z,i) R1(*v,*w,*x,*y,*z,i)
-#define nR2(v,w,x,y,z,i) R2(*v,*w,*x,*y,*z,i)
-#define nR3(v,w,x,y,z,i) R3(*v,*w,*x,*y,*z,i)
-#define nR4(v,w,x,y,z,i) R4(*v,*w,*x,*y,*z,i)
-
-static void
-do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
-       isc_uint32_t *e, CHAR64LONG16 *block)
-{
-	nR0(a,b,c,d,e, 0); nR0(e,a,b,c,d, 1); nR0(d,e,a,b,c, 2);
-	nR0(c,d,e,a,b, 3); nR0(b,c,d,e,a, 4); nR0(a,b,c,d,e, 5);
-	nR0(e,a,b,c,d, 6); nR0(d,e,a,b,c, 7); nR0(c,d,e,a,b, 8);
-	nR0(b,c,d,e,a, 9); nR0(a,b,c,d,e,10); nR0(e,a,b,c,d,11);
-	nR0(d,e,a,b,c,12); nR0(c,d,e,a,b,13); nR0(b,c,d,e,a,14);
-	nR0(a,b,c,d,e,15); nR1(e,a,b,c,d,16); nR1(d,e,a,b,c,17);
-	nR1(c,d,e,a,b,18); nR1(b,c,d,e,a,19);
-}
-
-static void
-do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
-      isc_uint32_t *e, CHAR64LONG16 *block)
-{
-	nR2(a,b,c,d,e,20); nR2(e,a,b,c,d,21); nR2(d,e,a,b,c,22);
-	nR2(c,d,e,a,b,23); nR2(b,c,d,e,a,24); nR2(a,b,c,d,e,25);
-	nR2(e,a,b,c,d,26); nR2(d,e,a,b,c,27); nR2(c,d,e,a,b,28);
-	nR2(b,c,d,e,a,29); nR2(a,b,c,d,e,30); nR2(e,a,b,c,d,31);
-	nR2(d,e,a,b,c,32); nR2(c,d,e,a,b,33); nR2(b,c,d,e,a,34);
-	nR2(a,b,c,d,e,35); nR2(e,a,b,c,d,36); nR2(d,e,a,b,c,37);
-	nR2(c,d,e,a,b,38); nR2(b,c,d,e,a,39);
-}
-
-static void
-do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
-      isc_uint32_t *e, CHAR64LONG16 *block)
-{
-	nR3(a,b,c,d,e,40); nR3(e,a,b,c,d,41); nR3(d,e,a,b,c,42);
-	nR3(c,d,e,a,b,43); nR3(b,c,d,e,a,44); nR3(a,b,c,d,e,45);
-	nR3(e,a,b,c,d,46); nR3(d,e,a,b,c,47); nR3(c,d,e,a,b,48);
-	nR3(b,c,d,e,a,49); nR3(a,b,c,d,e,50); nR3(e,a,b,c,d,51);
-	nR3(d,e,a,b,c,52); nR3(c,d,e,a,b,53); nR3(b,c,d,e,a,54);
-	nR3(a,b,c,d,e,55); nR3(e,a,b,c,d,56); nR3(d,e,a,b,c,57);
-	nR3(c,d,e,a,b,58); nR3(b,c,d,e,a,59);
-}
-
-static void
-do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
-      isc_uint32_t *e, CHAR64LONG16 *block)
-{
-	nR4(a,b,c,d,e,60); nR4(e,a,b,c,d,61); nR4(d,e,a,b,c,62);
-	nR4(c,d,e,a,b,63); nR4(b,c,d,e,a,64); nR4(a,b,c,d,e,65);
-	nR4(e,a,b,c,d,66); nR4(d,e,a,b,c,67); nR4(c,d,e,a,b,68);
-	nR4(b,c,d,e,a,69); nR4(a,b,c,d,e,70); nR4(e,a,b,c,d,71);
-	nR4(d,e,a,b,c,72); nR4(c,d,e,a,b,73); nR4(b,c,d,e,a,74);
-	nR4(a,b,c,d,e,75); nR4(e,a,b,c,d,76); nR4(d,e,a,b,c,77);
-	nR4(c,d,e,a,b,78); nR4(b,c,d,e,a,79);
-}
-#endif
-
-/*!
- * Hash a single 512-bit block. This is the core of the algorithm.
- */
-static void
-transform(isc_uint32_t state[5], const unsigned char buffer[64]) {
-	isc_uint32_t a, b, c, d, e;
-	CHAR64LONG16 *block;
-	CHAR64LONG16 workspace;
-
-	INSIST(buffer != NULL);
-	INSIST(state != NULL);
-
-	block = &workspace;
-	(void)memcpy(block, buffer, 64);
-
-	/* Copy context->state[] to working vars */
-	a = state[0];
-	b = state[1];
-	c = state[2];
-	d = state[3];
-	e = state[4];
-
-#ifdef __sparc_v9__
-	do_R01(&a, &b, &c, &d, &e, block);
-	do_R2(&a, &b, &c, &d, &e, block);
-	do_R3(&a, &b, &c, &d, &e, block);
-	do_R4(&a, &b, &c, &d, &e, block);
-#else
-	/* 4 rounds of 20 operations each. Loop unrolled. */
-	R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
-	R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
-	R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
-	R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
-	R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
-	R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
-	R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
-	R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
-	R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
-	R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
-	R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
-	R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
-	R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
-	R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
-	R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
-	R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
-	R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
-	R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
-	R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
-	R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
-#endif
-
-	/* Add the working vars back into context.state[] */
-	state[0] += a;
-	state[1] += b;
-	state[2] += c;
-	state[3] += d;
-	state[4] += e;
-
-	/* Wipe variables */
-	a = b = c = d = e = 0;
-	/* Avoid compiler warnings */
-	POST(a); POST(b); POST(c); POST(d); POST(e);
-}
-
-
-/*!
- * isc_sha1_init - Initialize new context
- */
-void
-isc_sha1_init(isc_sha1_t *context)
-{
-	INSIST(context != NULL);
-
-	/* SHA1 initialization constants */
-	context->state[0] = 0x67452301;
-	context->state[1] = 0xEFCDAB89;
-	context->state[2] = 0x98BADCFE;
-	context->state[3] = 0x10325476;
-	context->state[4] = 0xC3D2E1F0;
-	context->count[0] = 0;
-	context->count[1] = 0;
-}
-
-void
-isc_sha1_invalidate(isc_sha1_t *context) {
-	memset(context, 0, sizeof(isc_sha1_t));
-}
-
-/*!
- * Run your data through this.
- */
-void
-isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
-		unsigned int len)
-{
-	unsigned int i, j;
-
-	INSIST(context != 0);
-	INSIST(data != 0);
-
-	j = context->count[0];
-	if ((context->count[0] += len << 3) < j)
-		context->count[1] += (len >> 29) + 1;
-	j = (j >> 3) & 63;
-	if ((j + len) > 63) {
-		(void)memcpy(&context->buffer[j], data, (i = 64 - j));
-		transform(context->state, context->buffer);
-		for (; i + 63 < len; i += 64)
-			transform(context->state, &data[i]);
-		j = 0;
-	} else {
-		i = 0;
-	}
-
-	(void)memcpy(&context->buffer[j], &data[i], len - i);
-}
-
-
-/*!
- * Add padding and return the message digest.
- */
-
-static const unsigned char final_200 = 128;
-static const unsigned char final_0 = 0;
-
-void
-isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
-	unsigned int i;
-	unsigned char finalcount[8];
-
-	INSIST(digest != 0);
-	INSIST(context != 0);
-
-	for (i = 0; i < 8; i++) {
-		/* Endian independent */
-		finalcount[i] = (unsigned char)
-			((context->count[(i >= 4 ? 0 : 1)]
-			  >> ((3 - (i & 3)) * 8)) & 255);
-	}
-
-	isc_sha1_update(context, &final_200, 1);
-	while ((context->count[0] & 504) != 448)
-		isc_sha1_update(context, &final_0, 1);
-	/* The next Update should cause a transform() */
-	isc_sha1_update(context, finalcount, 8);
-
-	if (digest) {
-		for (i = 0; i < 20; i++)
-			digest[i] = (unsigned char)
-				((context->state[i >> 2]
-				  >> ((3 - (i & 3)) * 8)) & 255);
-	}
-
-	memset(context, 0, sizeof(isc_sha1_t));
-}
-#endif
diff --git a/contrib/bind9/lib/isc/sha2.c b/contrib/bind9/lib/isc/sha2.c
deleted file mode 100644
index aca048e..0000000
--- a/contrib/bind9/lib/isc/sha2.c
+++ /dev/null
@@ -1,1449 +0,0 @@
-/*
- * Copyright (C) 2005-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*	$FreeBSD$	*/
-/*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
-
-/*
- * sha2.c
- *
- * Version 1.0.0beta1
- *
- * Written by Aaron D. Gifford <me@aarongifford.com>
- *
- * Copyright 2000 Aaron D. Gifford.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-
-#include <config.h>
-
-#include <isc/assertions.h>
-#include <isc/platform.h>
-#include <isc/sha2.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
-
-void
-isc_sha224_init(isc_sha224_t *context) {
-	if (context == (isc_sha224_t *)0) {
-		return;
-	}
-	EVP_DigestInit(context, EVP_sha224());
-}
-
-void
-isc_sha224_invalidate(isc_sha224_t *context) {
-	EVP_MD_CTX_cleanup(context);
-}
-
-void
-isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
-	if (len == 0U) {
-		/* Calling with no data is valid - we do nothing */
-		return;
-	}
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0);
-
-	EVP_DigestUpdate(context, (const void *) data, len);
-}
-
-void
-isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha224_t *)0);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != (isc_uint8_t*)0) {
-		EVP_DigestFinal(context, digest, NULL);
-	} else {
-		EVP_MD_CTX_cleanup(context);
-	}
-}
-
-void
-isc_sha256_init(isc_sha256_t *context) {
-	if (context == (isc_sha256_t *)0) {
-		return;
-	}
-	EVP_DigestInit(context, EVP_sha256());
-}
-
-void
-isc_sha256_invalidate(isc_sha256_t *context) {
-	EVP_MD_CTX_cleanup(context);
-}
-
-void
-isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
-	if (len == 0U) {
-		/* Calling with no data is valid - we do nothing */
-		return;
-	}
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
-
-	EVP_DigestUpdate(context, (const void *) data, len);
-}
-
-void
-isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha256_t *)0);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != (isc_uint8_t*)0) {
-		EVP_DigestFinal(context, digest, NULL);
-	} else {
-		EVP_MD_CTX_cleanup(context);
-	}
-}
-
-void
-isc_sha512_init(isc_sha512_t *context) {
-	if (context == (isc_sha512_t *)0) {
-		return;
-	}
-	EVP_DigestInit(context, EVP_sha512());
-}
-
-void
-isc_sha512_invalidate(isc_sha512_t *context) {
-	EVP_MD_CTX_cleanup(context);
-}
-
-void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
-	if (len == 0U) {
-		/* Calling with no data is valid - we do nothing */
-		return;
-	}
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
-
-	EVP_DigestUpdate(context, (const void *) data, len);
-}
-
-void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha512_t *)0);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != (isc_uint8_t*)0) {
-		EVP_DigestFinal(context, digest, NULL);
-	} else {
-		EVP_MD_CTX_cleanup(context);
-	}
-}
-
-void
-isc_sha384_init(isc_sha384_t *context) {
-	if (context == (isc_sha384_t *)0) {
-		return;
-	}
-	EVP_DigestInit(context, EVP_sha384());
-}
-
-void
-isc_sha384_invalidate(isc_sha384_t *context) {
-	EVP_MD_CTX_cleanup(context);
-}
-
-void
-isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
-	if (len == 0U) {
-		/* Calling with no data is valid - we do nothing */
-		return;
-	}
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
-
-	EVP_DigestUpdate(context, (const void *) data, len);
-}
-
-void
-isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha384_t *)0);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != (isc_uint8_t*)0) {
-		EVP_DigestFinal(context, digest, NULL);
-	} else {
-		EVP_MD_CTX_cleanup(context);
-	}
-}
-
-#else
-
-/*
- * UNROLLED TRANSFORM LOOP NOTE:
- * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
- * loop version for the hash transform rounds (defined using macros
- * later in this file).  Either define on the command line, for example:
- *
- *   cc -DISC_SHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
- *
- * or define below:
- *
- *   \#define ISC_SHA2_UNROLL_TRANSFORM
- *
- */
-
-/*** SHA-256/384/512 Machine Architecture Definitions *****************/
-/*
- * BYTE_ORDER NOTE:
- *
- * Please make sure that your system defines BYTE_ORDER.  If your
- * architecture is little-endian, make sure it also defines
- * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
- * equivalent.
- *
- * If your system does not define the above, then you can do so by
- * hand like this:
- *
- *   \#define LITTLE_ENDIAN 1234
- *   \#define BIG_ENDIAN    4321
- *
- * And for little-endian machines, add:
- *
- *   \#define BYTE_ORDER LITTLE_ENDIAN
- *
- * Or for big-endian machines:
- *
- *   \#define BYTE_ORDER BIG_ENDIAN
- *
- * The FreeBSD machine this was written on defines BYTE_ORDER
- * appropriately by including <sys/types.h> (which in turn includes
- * <machine/endian.h> where the appropriate definitions are actually
- * made).
- */
-#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
-#ifndef BYTE_ORDER
-#ifndef BIG_ENDIAN
-#define BIG_ENDIAN 4321
-#endif
-#ifndef LITTLE_ENDIAN
-#define LITTLE_ENDIAN 1234
-#endif
-#ifdef WORDS_BIGENDIAN
-#define BYTE_ORDER BIG_ENDIAN
-#else
-#define BYTE_ORDER LITTLE_ENDIAN
-#endif
-#else
-#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
-#endif
-#endif
-
-/*** SHA-256/384/512 Various Length Definitions ***********************/
-/* NOTE: Most of these are in sha2.h */
-#define ISC_SHA256_SHORT_BLOCK_LENGTH	(ISC_SHA256_BLOCK_LENGTH - 8)
-#define ISC_SHA384_SHORT_BLOCK_LENGTH	(ISC_SHA384_BLOCK_LENGTH - 16)
-#define ISC_SHA512_SHORT_BLOCK_LENGTH	(ISC_SHA512_BLOCK_LENGTH - 16)
-
-
-/*** ENDIAN REVERSAL MACROS *******************************************/
-#if BYTE_ORDER == LITTLE_ENDIAN
-#define REVERSE32(w,x)	{ \
-	isc_uint32_t tmp = (w); \
-	tmp = (tmp >> 16) | (tmp << 16); \
-	(x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
-}
-#ifdef WIN32
-#define REVERSE64(w,x)	{ \
-	isc_uint64_t tmp = (w); \
-	tmp = (tmp >> 32) | (tmp << 32); \
-	tmp = ((tmp & 0xff00ff00ff00ff00UL) >> 8) | \
-	      ((tmp & 0x00ff00ff00ff00ffUL) << 8); \
-	(x) = ((tmp & 0xffff0000ffff0000UL) >> 16) | \
-	      ((tmp & 0x0000ffff0000ffffUL) << 16); \
-}
-#else
-#define REVERSE64(w,x)	{ \
-	isc_uint64_t tmp = (w); \
-	tmp = (tmp >> 32) | (tmp << 32); \
-	tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
-	      ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
-	(x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
-	      ((tmp & 0x0000ffff0000ffffULL) << 16); \
-}
-#endif
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-
-/*
- * Macro for incrementally adding the unsigned 64-bit integer n to the
- * unsigned 128-bit integer (represented using a two-element array of
- * 64-bit words):
- */
-#define ADDINC128(w,n)	{ \
-	(w)[0] += (isc_uint64_t)(n); \
-	if ((w)[0] < (n)) { \
-		(w)[1]++; \
-	} \
-}
-
-/*** THE SIX LOGICAL FUNCTIONS ****************************************/
-/*
- * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
- *
- *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
- *   S is a ROTATION) because the SHA-256/384/512 description document
- *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
- *   same "backwards" definition.
- */
-/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
-#define R(b,x) 		((x) >> (b))
-/* 32-bit Rotate-right (used in SHA-256): */
-#define S32(b,x)	(((x) >> (b)) | ((x) << (32 - (b))))
-/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
-#define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))
-
-/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
-#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
-#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
-
-/* Four of six logical functions used in SHA-256: */
-#define Sigma0_256(x)	(S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
-#define Sigma1_256(x)	(S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
-#define sigma0_256(x)	(S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
-#define sigma1_256(x)	(S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
-
-/* Four of six logical functions used in SHA-384 and SHA-512: */
-#define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
-#define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
-#define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
-#define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
-
-/*** INTERNAL FUNCTION PROTOTYPES *************************************/
-/* NOTE: These should not be accessed directly from outside this
- * library -- they are intended for private internal visibility/use
- * only.
- */
-void isc_sha512_last(isc_sha512_t *);
-void isc_sha256_transform(isc_sha256_t *, const isc_uint32_t*);
-void isc_sha512_transform(isc_sha512_t *, const isc_uint64_t*);
-
-
-/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
-/* Hash constant words K for SHA-224 and SHA-256: */
-static const isc_uint32_t K256[64] = {
-	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
-	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
-	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
-	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
-	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
-	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
-	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
-	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
-	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
-	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
-	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
-	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
-	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
-	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
-	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
-	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-};
-
-/* Initial hash value H for SHA-224: */
-static const isc_uint32_t sha224_initial_hash_value[8] = {
-	0xc1059ed8UL,
-	0x367cd507UL,
-	0x3070dd17UL,
-	0xf70e5939UL,
-	0xffc00b31UL,
-	0x68581511UL,
-	0x64f98fa7UL,
-	0xbefa4fa4UL
-};
-
-/* Initial hash value H for SHA-256: */
-static const isc_uint32_t sha256_initial_hash_value[8] = {
-	0x6a09e667UL,
-	0xbb67ae85UL,
-	0x3c6ef372UL,
-	0xa54ff53aUL,
-	0x510e527fUL,
-	0x9b05688cUL,
-	0x1f83d9abUL,
-	0x5be0cd19UL
-};
-
-#ifdef WIN32
-/* Hash constant words K for SHA-384 and SHA-512: */
-static const isc_uint64_t K512[80] = {
-	0x428a2f98d728ae22UL, 0x7137449123ef65cdUL,
-	0xb5c0fbcfec4d3b2fUL, 0xe9b5dba58189dbbcUL,
-	0x3956c25bf348b538UL, 0x59f111f1b605d019UL,
-	0x923f82a4af194f9bUL, 0xab1c5ed5da6d8118UL,
-	0xd807aa98a3030242UL, 0x12835b0145706fbeUL,
-	0x243185be4ee4b28cUL, 0x550c7dc3d5ffb4e2UL,
-	0x72be5d74f27b896fUL, 0x80deb1fe3b1696b1UL,
-	0x9bdc06a725c71235UL, 0xc19bf174cf692694UL,
-	0xe49b69c19ef14ad2UL, 0xefbe4786384f25e3UL,
-	0x0fc19dc68b8cd5b5UL, 0x240ca1cc77ac9c65UL,
-	0x2de92c6f592b0275UL, 0x4a7484aa6ea6e483UL,
-	0x5cb0a9dcbd41fbd4UL, 0x76f988da831153b5UL,
-	0x983e5152ee66dfabUL, 0xa831c66d2db43210UL,
-	0xb00327c898fb213fUL, 0xbf597fc7beef0ee4UL,
-	0xc6e00bf33da88fc2UL, 0xd5a79147930aa725UL,
-	0x06ca6351e003826fUL, 0x142929670a0e6e70UL,
-	0x27b70a8546d22ffcUL, 0x2e1b21385c26c926UL,
-	0x4d2c6dfc5ac42aedUL, 0x53380d139d95b3dfUL,
-	0x650a73548baf63deUL, 0x766a0abb3c77b2a8UL,
-	0x81c2c92e47edaee6UL, 0x92722c851482353bUL,
-	0xa2bfe8a14cf10364UL, 0xa81a664bbc423001UL,
-	0xc24b8b70d0f89791UL, 0xc76c51a30654be30UL,
-	0xd192e819d6ef5218UL, 0xd69906245565a910UL,
-	0xf40e35855771202aUL, 0x106aa07032bbd1b8UL,
-	0x19a4c116b8d2d0c8UL, 0x1e376c085141ab53UL,
-	0x2748774cdf8eeb99UL, 0x34b0bcb5e19b48a8UL,
-	0x391c0cb3c5c95a63UL, 0x4ed8aa4ae3418acbUL,
-	0x5b9cca4f7763e373UL, 0x682e6ff3d6b2b8a3UL,
-	0x748f82ee5defb2fcUL, 0x78a5636f43172f60UL,
-	0x84c87814a1f0ab72UL, 0x8cc702081a6439ecUL,
-	0x90befffa23631e28UL, 0xa4506cebde82bde9UL,
-	0xbef9a3f7b2c67915UL, 0xc67178f2e372532bUL,
-	0xca273eceea26619cUL, 0xd186b8c721c0c207UL,
-	0xeada7dd6cde0eb1eUL, 0xf57d4f7fee6ed178UL,
-	0x06f067aa72176fbaUL, 0x0a637dc5a2c898a6UL,
-	0x113f9804bef90daeUL, 0x1b710b35131c471bUL,
-	0x28db77f523047d84UL, 0x32caab7b40c72493UL,
-	0x3c9ebe0a15c9bebcUL, 0x431d67c49c100d4cUL,
-	0x4cc5d4becb3e42b6UL, 0x597f299cfc657e2aUL,
-	0x5fcb6fab3ad6faecUL, 0x6c44198c4a475817UL
-};
-
-/* Initial hash value H for SHA-384: */
-static const isc_uint64_t sha384_initial_hash_value[8] = {
-	0xcbbb9d5dc1059ed8UL,
-	0x629a292a367cd507UL,
-	0x9159015a3070dd17UL,
-	0x152fecd8f70e5939UL,
-	0x67332667ffc00b31UL,
-	0x8eb44a8768581511UL,
-	0xdb0c2e0d64f98fa7UL,
-	0x47b5481dbefa4fa4UL
-};
-
-/* Initial hash value H for SHA-512: */
-static const isc_uint64_t sha512_initial_hash_value[8] = {
-	0x6a09e667f3bcc908U,
-	0xbb67ae8584caa73bUL,
-	0x3c6ef372fe94f82bUL,
-	0xa54ff53a5f1d36f1UL,
-	0x510e527fade682d1UL,
-	0x9b05688c2b3e6c1fUL,
-	0x1f83d9abfb41bd6bUL,
-	0x5be0cd19137e2179UL
-};
-#else
-/* Hash constant words K for SHA-384 and SHA-512: */
-static const isc_uint64_t K512[80] = {
-	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
-	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
-	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
-	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
-	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
-	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
-	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
-	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
-	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
-	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
-	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
-	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
-	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
-	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
-	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
-	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
-	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
-	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
-	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
-	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
-	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
-	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
-	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
-	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
-	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
-	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
-	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
-	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
-	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
-	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
-	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
-	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
-	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
-	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
-	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
-	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
-	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
-	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
-	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
-	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
-};
-
-/* Initial hash value H for SHA-384: */
-static const isc_uint64_t sha384_initial_hash_value[8] = {
-	0xcbbb9d5dc1059ed8ULL,
-	0x629a292a367cd507ULL,
-	0x9159015a3070dd17ULL,
-	0x152fecd8f70e5939ULL,
-	0x67332667ffc00b31ULL,
-	0x8eb44a8768581511ULL,
-	0xdb0c2e0d64f98fa7ULL,
-	0x47b5481dbefa4fa4ULL
-};
-
-/* Initial hash value H for SHA-512: */
-static const isc_uint64_t sha512_initial_hash_value[8] = {
-	0x6a09e667f3bcc908ULL,
-	0xbb67ae8584caa73bULL,
-	0x3c6ef372fe94f82bULL,
-	0xa54ff53a5f1d36f1ULL,
-	0x510e527fade682d1ULL,
-	0x9b05688c2b3e6c1fULL,
-	0x1f83d9abfb41bd6bULL,
-	0x5be0cd19137e2179ULL
-};
-#endif
-
-
-/*** SHA-224: *********************************************************/
-void
-isc_sha224_init(isc_sha224_t *context) {
-	if (context == (isc_sha256_t *)0) {
-		return;
-	}
-	memcpy(context->state, sha224_initial_hash_value,
-	       ISC_SHA256_DIGESTLENGTH);
-	memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH);
-	context->bitcount = 0;
-}
-
-void
-isc_sha224_invalidate(isc_sha224_t *context) {
-	memset(context, 0, sizeof(isc_sha224_t));
-}
-
-void
-isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
-	isc_sha256_update((isc_sha256_t *)context, data, len);
-}
-
-void
-isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
-	isc_uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH];
-	isc_sha256_final(sha256_digest, (isc_sha256_t *)context);
-	memcpy(digest, sha256_digest, ISC_SHA224_DIGESTLENGTH);
-	memset(sha256_digest, 0, ISC_SHA256_DIGESTLENGTH);
-}
-
-/*** SHA-256: *********************************************************/
-void
-isc_sha256_init(isc_sha256_t *context) {
-	if (context == (isc_sha256_t *)0) {
-		return;
-	}
-	memcpy(context->state, sha256_initial_hash_value,
-	       ISC_SHA256_DIGESTLENGTH);
-	memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH);
-	context->bitcount = 0;
-}
-
-void
-isc_sha256_invalidate(isc_sha256_t *context) {
-	memset(context, 0, sizeof(isc_sha256_t));
-}
-
-#ifdef ISC_SHA2_UNROLL_TRANSFORM
-
-/* Unrolled SHA-256 round macros: */
-
-#if BYTE_ORDER == LITTLE_ENDIAN
-
-#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
-	REVERSE32(*data++, W256[j]); \
-	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
-	     K256[j] + W256[j]; \
-	(d) += T1; \
-	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
-	j++
-
-
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
-	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
-	     K256[j] + (W256[j] = *data++); \
-	(d) += T1; \
-	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
-	j++
-
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND256(a,b,c,d,e,f,g,h)	\
-	s0 = W256[(j+1)&0x0f]; \
-	s0 = sigma0_256(s0); \
-	s1 = W256[(j+14)&0x0f]; \
-	s1 = sigma1_256(s1); \
-	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
-	     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
-	(d) += T1; \
-	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
-	j++
-
-void isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) {
-	isc_uint32_t	a, b, c, d, e, f, g, h, s0, s1;
-	isc_uint32_t	T1, *W256;
-	int		j;
-
-	W256 = (isc_uint32_t*)context->buffer;
-
-	/* Initialize registers with the prev. intermediate value */
-	a = context->state[0];
-	b = context->state[1];
-	c = context->state[2];
-	d = context->state[3];
-	e = context->state[4];
-	f = context->state[5];
-	g = context->state[6];
-	h = context->state[7];
-
-	j = 0;
-	do {
-		/* Rounds 0 to 15 (unrolled): */
-		ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
-		ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
-		ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
-		ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
-		ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
-		ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
-		ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
-		ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
-	} while (j < 16);
-
-	/* Now for the remaining rounds to 64: */
-	do {
-		ROUND256(a,b,c,d,e,f,g,h);
-		ROUND256(h,a,b,c,d,e,f,g);
-		ROUND256(g,h,a,b,c,d,e,f);
-		ROUND256(f,g,h,a,b,c,d,e);
-		ROUND256(e,f,g,h,a,b,c,d);
-		ROUND256(d,e,f,g,h,a,b,c);
-		ROUND256(c,d,e,f,g,h,a,b);
-		ROUND256(b,c,d,e,f,g,h,a);
-	} while (j < 64);
-
-	/* Compute the current intermediate hash value */
-	context->state[0] += a;
-	context->state[1] += b;
-	context->state[2] += c;
-	context->state[3] += d;
-	context->state[4] += e;
-	context->state[5] += f;
-	context->state[6] += g;
-	context->state[7] += h;
-
-	/* Clean up */
-	a = b = c = d = e = f = g = h = T1 = 0;
-	/* Avoid compiler warnings */
-	POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
-	POST(g); POST(h); POST(T1);
-}
-
-#else /* ISC_SHA2_UNROLL_TRANSFORM */
-
-void
-isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) {
-	isc_uint32_t	a, b, c, d, e, f, g, h, s0, s1;
-	isc_uint32_t	T1, T2, *W256;
-	int		j;
-
-	W256 = (isc_uint32_t*)context->buffer;
-
-	/* Initialize registers with the prev. intermediate value */
-	a = context->state[0];
-	b = context->state[1];
-	c = context->state[2];
-	d = context->state[3];
-	e = context->state[4];
-	f = context->state[5];
-	g = context->state[6];
-	h = context->state[7];
-
-	j = 0;
-	do {
-#if BYTE_ORDER == LITTLE_ENDIAN
-		/* Copy data while converting to host byte order */
-		REVERSE32(*data++,W256[j]);
-		/* Apply the SHA-256 compression function to update a..h */
-		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
-		/* Apply the SHA-256 compression function to update a..h with copy */
-		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-		T2 = Sigma0_256(a) + Maj(a, b, c);
-		h = g;
-		g = f;
-		f = e;
-		e = d + T1;
-		d = c;
-		c = b;
-		b = a;
-		a = T1 + T2;
-
-		j++;
-	} while (j < 16);
-
-	do {
-		/* Part of the message block expansion: */
-		s0 = W256[(j+1)&0x0f];
-		s0 = sigma0_256(s0);
-		s1 = W256[(j+14)&0x0f];
-		s1 = sigma1_256(s1);
-
-		/* Apply the SHA-256 compression function to update a..h */
-		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
-		     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
-		T2 = Sigma0_256(a) + Maj(a, b, c);
-		h = g;
-		g = f;
-		f = e;
-		e = d + T1;
-		d = c;
-		c = b;
-		b = a;
-		a = T1 + T2;
-
-		j++;
-	} while (j < 64);
-
-	/* Compute the current intermediate hash value */
-	context->state[0] += a;
-	context->state[1] += b;
-	context->state[2] += c;
-	context->state[3] += d;
-	context->state[4] += e;
-	context->state[5] += f;
-	context->state[6] += g;
-	context->state[7] += h;
-
-	/* Clean up */
-	a = b = c = d = e = f = g = h = T1 = T2 = 0;
-	/* Avoid compiler warnings */
-	POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
-	POST(g); POST(h); POST(T1); POST(T2);
-}
-
-#endif /* ISC_SHA2_UNROLL_TRANSFORM */
-
-void
-isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
-	unsigned int	freespace, usedspace;
-
-	if (len == 0U) {
-		/* Calling with no data is valid - we do nothing */
-		return;
-	}
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
-
-	usedspace = (unsigned int)((context->bitcount >> 3) %
-				   ISC_SHA256_BLOCK_LENGTH);
-	if (usedspace > 0) {
-		/* Calculate how much free space is available in the buffer */
-		freespace = ISC_SHA256_BLOCK_LENGTH - usedspace;
-
-		if (len >= freespace) {
-			/* Fill the buffer completely and process it */
-			memcpy(&context->buffer[usedspace], data, freespace);
-			context->bitcount += freespace << 3;
-			len -= freespace;
-			data += freespace;
-			isc_sha256_transform(context,
-					     (isc_uint32_t*)context->buffer);
-		} else {
-			/* The buffer is not yet full */
-			memcpy(&context->buffer[usedspace], data, len);
-			context->bitcount += len << 3;
-			/* Clean up: */
-			usedspace = freespace = 0;
-			/* Avoid compiler warnings: */
-			POST(usedspace); POST(freespace);
-			return;
-		}
-	}
-	while (len >= ISC_SHA256_BLOCK_LENGTH) {
-		/* Process as many complete blocks as we can */
-		memcpy(context->buffer, data, ISC_SHA256_BLOCK_LENGTH);
-		isc_sha256_transform(context, (isc_uint32_t*)context->buffer);
-		context->bitcount += ISC_SHA256_BLOCK_LENGTH << 3;
-		len -= ISC_SHA256_BLOCK_LENGTH;
-		data += ISC_SHA256_BLOCK_LENGTH;
-	}
-	if (len > 0U) {
-		/* There's left-overs, so save 'em */
-		memcpy(context->buffer, data, len);
-		context->bitcount += len << 3;
-	}
-	/* Clean up: */
-	usedspace = freespace = 0;
-	/* Avoid compiler warnings: */
-	POST(usedspace); POST(freespace);
-}
-
-void
-isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
-	isc_uint32_t	*d = (isc_uint32_t*)digest;
-	unsigned int	usedspace;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha256_t *)0);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != (isc_uint8_t*)0) {
-		usedspace = (unsigned int)((context->bitcount >> 3) %
-					   ISC_SHA256_BLOCK_LENGTH);
-#if BYTE_ORDER == LITTLE_ENDIAN
-		/* Convert FROM host byte order */
-		REVERSE64(context->bitcount,context->bitcount);
-#endif
-		if (usedspace > 0) {
-			/* Begin padding with a 1 bit: */
-			context->buffer[usedspace++] = 0x80;
-
-			if (usedspace <= ISC_SHA256_SHORT_BLOCK_LENGTH) {
-				/* Set-up for the last transform: */
-				memset(&context->buffer[usedspace], 0,
-				       ISC_SHA256_SHORT_BLOCK_LENGTH - usedspace);
-			} else {
-				if (usedspace < ISC_SHA256_BLOCK_LENGTH) {
-					memset(&context->buffer[usedspace], 0,
-					       ISC_SHA256_BLOCK_LENGTH -
-					       usedspace);
-				}
-				/* Do second-to-last transform: */
-				isc_sha256_transform(context,
-					       (isc_uint32_t*)context->buffer);
-
-				/* And set-up for the last transform: */
-				memset(context->buffer, 0,
-				       ISC_SHA256_SHORT_BLOCK_LENGTH);
-			}
-		} else {
-			/* Set-up for the last transform: */
-			memset(context->buffer, 0, ISC_SHA256_SHORT_BLOCK_LENGTH);
-
-			/* Begin padding with a 1 bit: */
-			*context->buffer = 0x80;
-		}
-		/* Set the bit count: */
-		*(isc_uint64_t*)&context->buffer[ISC_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
-
-		/* Final transform: */
-		isc_sha256_transform(context, (isc_uint32_t*)context->buffer);
-
-#if BYTE_ORDER == LITTLE_ENDIAN
-		{
-			/* Convert TO host byte order */
-			int	j;
-			for (j = 0; j < 8; j++) {
-				REVERSE32(context->state[j],context->state[j]);
-				*d++ = context->state[j];
-			}
-		}
-#else
-		memcpy(d, context->state, ISC_SHA256_DIGESTLENGTH);
-#endif
-	}
-
-	/* Clean up state data: */
-	memset(context, 0, sizeof(*context));
-	usedspace = 0;
-	POST(usedspace);
-}
-
-/*** SHA-512: *********************************************************/
-void
-isc_sha512_init(isc_sha512_t *context) {
-	if (context == (isc_sha512_t *)0) {
-		return;
-	}
-	memcpy(context->state, sha512_initial_hash_value,
-	       ISC_SHA512_DIGESTLENGTH);
-	memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH);
-	context->bitcount[0] = context->bitcount[1] =  0;
-}
-
-void
-isc_sha512_invalidate(isc_sha512_t *context) {
-	memset(context, 0, sizeof(isc_sha512_t));
-}
-
-#ifdef ISC_SHA2_UNROLL_TRANSFORM
-
-/* Unrolled SHA-512 round macros: */
-#if BYTE_ORDER == LITTLE_ENDIAN
-
-#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
-	REVERSE64(*data++, W512[j]); \
-	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
-	     K512[j] + W512[j]; \
-	(d) += T1, \
-	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
-	j++
-
-
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
-	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
-	     K512[j] + (W512[j] = *data++); \
-	(d) += T1; \
-	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
-	j++
-
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND512(a,b,c,d,e,f,g,h)	\
-	s0 = W512[(j+1)&0x0f]; \
-	s0 = sigma0_512(s0); \
-	s1 = W512[(j+14)&0x0f]; \
-	s1 = sigma1_512(s1); \
-	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
-	     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
-	(d) += T1; \
-	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
-	j++
-
-void isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) {
-	isc_uint64_t	a, b, c, d, e, f, g, h, s0, s1;
-	isc_uint64_t	T1, *W512 = (isc_uint64_t*)context->buffer;
-	int		j;
-
-	/* Initialize registers with the prev. intermediate value */
-	a = context->state[0];
-	b = context->state[1];
-	c = context->state[2];
-	d = context->state[3];
-	e = context->state[4];
-	f = context->state[5];
-	g = context->state[6];
-	h = context->state[7];
-
-	j = 0;
-	do {
-		ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
-		ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
-		ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
-		ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
-		ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
-		ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
-		ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
-		ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
-	} while (j < 16);
-
-	/* Now for the remaining rounds up to 79: */
-	do {
-		ROUND512(a,b,c,d,e,f,g,h);
-		ROUND512(h,a,b,c,d,e,f,g);
-		ROUND512(g,h,a,b,c,d,e,f);
-		ROUND512(f,g,h,a,b,c,d,e);
-		ROUND512(e,f,g,h,a,b,c,d);
-		ROUND512(d,e,f,g,h,a,b,c);
-		ROUND512(c,d,e,f,g,h,a,b);
-		ROUND512(b,c,d,e,f,g,h,a);
-	} while (j < 80);
-
-	/* Compute the current intermediate hash value */
-	context->state[0] += a;
-	context->state[1] += b;
-	context->state[2] += c;
-	context->state[3] += d;
-	context->state[4] += e;
-	context->state[5] += f;
-	context->state[6] += g;
-	context->state[7] += h;
-
-	/* Clean up */
-	a = b = c = d = e = f = g = h = T1 = 0;
-	/* Avoid compiler warnings */
-	POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
-	POST(g); POST(h); POST(T1);
-}
-
-#else /* ISC_SHA2_UNROLL_TRANSFORM */
-
-void
-isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) {
-	isc_uint64_t	a, b, c, d, e, f, g, h, s0, s1;
-	isc_uint64_t	T1, T2, *W512 = (isc_uint64_t*)context->buffer;
-	int		j;
-
-	/* Initialize registers with the prev. intermediate value */
-	a = context->state[0];
-	b = context->state[1];
-	c = context->state[2];
-	d = context->state[3];
-	e = context->state[4];
-	f = context->state[5];
-	g = context->state[6];
-	h = context->state[7];
-
-	j = 0;
-	do {
-#if BYTE_ORDER == LITTLE_ENDIAN
-		/* Convert TO host byte order */
-		REVERSE64(*data++, W512[j]);
-		/* Apply the SHA-512 compression function to update a..h */
-		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
-		/* Apply the SHA-512 compression function to update a..h with copy */
-		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-		T2 = Sigma0_512(a) + Maj(a, b, c);
-		h = g;
-		g = f;
-		f = e;
-		e = d + T1;
-		d = c;
-		c = b;
-		b = a;
-		a = T1 + T2;
-
-		j++;
-	} while (j < 16);
-
-	do {
-		/* Part of the message block expansion: */
-		s0 = W512[(j+1)&0x0f];
-		s0 = sigma0_512(s0);
-		s1 = W512[(j+14)&0x0f];
-		s1 =  sigma1_512(s1);
-
-		/* Apply the SHA-512 compression function to update a..h */
-		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
-		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
-		T2 = Sigma0_512(a) + Maj(a, b, c);
-		h = g;
-		g = f;
-		f = e;
-		e = d + T1;
-		d = c;
-		c = b;
-		b = a;
-		a = T1 + T2;
-
-		j++;
-	} while (j < 80);
-
-	/* Compute the current intermediate hash value */
-	context->state[0] += a;
-	context->state[1] += b;
-	context->state[2] += c;
-	context->state[3] += d;
-	context->state[4] += e;
-	context->state[5] += f;
-	context->state[6] += g;
-	context->state[7] += h;
-
-	/* Clean up */
-	a = b = c = d = e = f = g = h = T1 = T2 = 0;
-	/* Avoid compiler warnings */
-	POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
-	POST(g); POST(h); POST(T1); POST(T2);
-}
-
-#endif /* ISC_SHA2_UNROLL_TRANSFORM */
-
-void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
-	unsigned int	freespace, usedspace;
-
-	if (len == 0U) {
-		/* Calling with no data is valid - we do nothing */
-		return;
-	}
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
-
-	usedspace = (unsigned int)((context->bitcount[0] >> 3) %
-				   ISC_SHA512_BLOCK_LENGTH);
-	if (usedspace > 0) {
-		/* Calculate how much free space is available in the buffer */
-		freespace = ISC_SHA512_BLOCK_LENGTH - usedspace;
-
-		if (len >= freespace) {
-			/* Fill the buffer completely and process it */
-			memcpy(&context->buffer[usedspace], data, freespace);
-			ADDINC128(context->bitcount, freespace << 3);
-			len -= freespace;
-			data += freespace;
-			isc_sha512_transform(context,
-					     (isc_uint64_t*)context->buffer);
-		} else {
-			/* The buffer is not yet full */
-			memcpy(&context->buffer[usedspace], data, len);
-			ADDINC128(context->bitcount, len << 3);
-			/* Clean up: */
-			usedspace = freespace = 0;
-			/* Avoid compiler warnings: */
-			POST(usedspace); POST(freespace);
-			return;
-		}
-	}
-	while (len >= ISC_SHA512_BLOCK_LENGTH) {
-		/* Process as many complete blocks as we can */
-		memcpy(context->buffer, data, ISC_SHA512_BLOCK_LENGTH);
-		isc_sha512_transform(context, (isc_uint64_t*)context->buffer);
-		ADDINC128(context->bitcount, ISC_SHA512_BLOCK_LENGTH << 3);
-		len -= ISC_SHA512_BLOCK_LENGTH;
-		data += ISC_SHA512_BLOCK_LENGTH;
-	}
-	if (len > 0U) {
-		/* There's left-overs, so save 'em */
-		memcpy(context->buffer, data, len);
-		ADDINC128(context->bitcount, len << 3);
-	}
-	/* Clean up: */
-	usedspace = freespace = 0;
-	/* Avoid compiler warnings: */
-	POST(usedspace); POST(freespace);
-}
-
-void isc_sha512_last(isc_sha512_t *context) {
-	unsigned int	usedspace;
-
-	usedspace = (unsigned int)((context->bitcount[0] >> 3) %
-				    ISC_SHA512_BLOCK_LENGTH);
-#if BYTE_ORDER == LITTLE_ENDIAN
-	/* Convert FROM host byte order */
-	REVERSE64(context->bitcount[0],context->bitcount[0]);
-	REVERSE64(context->bitcount[1],context->bitcount[1]);
-#endif
-	if (usedspace > 0) {
-		/* Begin padding with a 1 bit: */
-		context->buffer[usedspace++] = 0x80;
-
-		if (usedspace <= ISC_SHA512_SHORT_BLOCK_LENGTH) {
-			/* Set-up for the last transform: */
-			memset(&context->buffer[usedspace], 0,
-			       ISC_SHA512_SHORT_BLOCK_LENGTH - usedspace);
-		} else {
-			if (usedspace < ISC_SHA512_BLOCK_LENGTH) {
-				memset(&context->buffer[usedspace], 0,
-				       ISC_SHA512_BLOCK_LENGTH - usedspace);
-			}
-			/* Do second-to-last transform: */
-			isc_sha512_transform(context,
-					    (isc_uint64_t*)context->buffer);
-
-			/* And set-up for the last transform: */
-			memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH - 2);
-		}
-	} else {
-		/* Prepare for final transform: */
-		memset(context->buffer, 0, ISC_SHA512_SHORT_BLOCK_LENGTH);
-
-		/* Begin padding with a 1 bit: */
-		*context->buffer = 0x80;
-	}
-	/* Store the length of input data (in bits): */
-	*(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
-	*(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
-
-	/* Final transform: */
-	isc_sha512_transform(context, (isc_uint64_t*)context->buffer);
-}
-
-void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
-	isc_uint64_t	*d = (isc_uint64_t*)digest;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha512_t *)0);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != (isc_uint8_t*)0) {
-		isc_sha512_last(context);
-
-		/* Save the hash data for output: */
-#if BYTE_ORDER == LITTLE_ENDIAN
-		{
-			/* Convert TO host byte order */
-			int	j;
-			for (j = 0; j < 8; j++) {
-				REVERSE64(context->state[j],context->state[j]);
-				*d++ = context->state[j];
-			}
-		}
-#else
-		memcpy(d, context->state, ISC_SHA512_DIGESTLENGTH);
-#endif
-	}
-
-	/* Zero out state data */
-	memset(context, 0, sizeof(*context));
-}
-
-
-/*** SHA-384: *********************************************************/
-void
-isc_sha384_init(isc_sha384_t *context) {
-	if (context == (isc_sha384_t *)0) {
-		return;
-	}
-	memcpy(context->state, sha384_initial_hash_value,
-	       ISC_SHA512_DIGESTLENGTH);
-	memset(context->buffer, 0, ISC_SHA384_BLOCK_LENGTH);
-	context->bitcount[0] = context->bitcount[1] = 0;
-}
-
-void
-isc_sha384_invalidate(isc_sha384_t *context) {
-	memset(context, 0, sizeof(isc_sha384_t));
-}
-
-void
-isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
-	isc_sha512_update((isc_sha512_t *)context, data, len);
-}
-
-void
-isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
-	isc_uint64_t	*d = (isc_uint64_t*)digest;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha384_t *)0);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != (isc_uint8_t*)0) {
-		isc_sha512_last((isc_sha512_t *)context);
-
-		/* Save the hash data for output: */
-#if BYTE_ORDER == LITTLE_ENDIAN
-		{
-			/* Convert TO host byte order */
-			int	j;
-			for (j = 0; j < 6; j++) {
-				REVERSE64(context->state[j],context->state[j]);
-				*d++ = context->state[j];
-			}
-		}
-#else
-		memcpy(d, context->state, ISC_SHA384_DIGESTLENGTH);
-#endif
-	}
-
-	/* Zero out state data */
-	memset(context, 0, sizeof(*context));
-}
-#endif /* !ISC_PLATFORM_OPENSSLHASH */
-
-/*
- * Constant used by SHA256/384/512_End() functions for converting the
- * digest to a readable hexadecimal character string:
- */
-static const char *sha2_hex_digits = "0123456789abcdef";
-
-char *
-isc_sha224_end(isc_sha224_t *context, char buffer[]) {
-	isc_uint8_t	digest[ISC_SHA224_DIGESTLENGTH], *d = digest;
-	unsigned int	i;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha224_t *)0);
-
-	if (buffer != (char*)0) {
-		isc_sha224_final(digest, context);
-
-		for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) {
-			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
-			*buffer++ = sha2_hex_digits[*d & 0x0f];
-			d++;
-		}
-		*buffer = (char)0;
-	} else {
-#ifdef ISC_PLATFORM_OPENSSLHASH
-		EVP_MD_CTX_cleanup(context);
-#else
-		memset(context, 0, sizeof(*context));
-#endif
-	}
-	memset(digest, 0, ISC_SHA224_DIGESTLENGTH);
-	return buffer;
-}
-
-char *
-isc_sha224_data(const isc_uint8_t *data, size_t len,
-		char digest[ISC_SHA224_DIGESTSTRINGLENGTH])
-{
-	isc_sha224_t context;
-
-	isc_sha224_init(&context);
-	isc_sha224_update(&context, data, len);
-	return (isc_sha224_end(&context, digest));
-}
-
-char *
-isc_sha256_end(isc_sha256_t *context, char buffer[]) {
-	isc_uint8_t	digest[ISC_SHA256_DIGESTLENGTH], *d = digest;
-	unsigned int	i;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha256_t *)0);
-
-	if (buffer != (char*)0) {
-		isc_sha256_final(digest, context);
-
-		for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) {
-			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
-			*buffer++ = sha2_hex_digits[*d & 0x0f];
-			d++;
-		}
-		*buffer = (char)0;
-	} else {
-#ifdef ISC_PLATFORM_OPENSSLHASH
-		EVP_MD_CTX_cleanup(context);
-#else
-		memset(context, 0, sizeof(*context));
-#endif
-	}
-	memset(digest, 0, ISC_SHA256_DIGESTLENGTH);
-	return buffer;
-}
-
-char *
-isc_sha256_data(const isc_uint8_t* data, size_t len,
-		char digest[ISC_SHA256_DIGESTSTRINGLENGTH])
-{
-	isc_sha256_t context;
-
-	isc_sha256_init(&context);
-	isc_sha256_update(&context, data, len);
-	return (isc_sha256_end(&context, digest));
-}
-
-char *
-isc_sha512_end(isc_sha512_t *context, char buffer[]) {
-	isc_uint8_t	digest[ISC_SHA512_DIGESTLENGTH], *d = digest;
-	unsigned int	i;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha512_t *)0);
-
-	if (buffer != (char*)0) {
-		isc_sha512_final(digest, context);
-
-		for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) {
-			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
-			*buffer++ = sha2_hex_digits[*d & 0x0f];
-			d++;
-		}
-		*buffer = (char)0;
-	} else {
-#ifdef ISC_PLATFORM_OPENSSLHASH
-		EVP_MD_CTX_cleanup(context);
-#else
-		memset(context, 0, sizeof(*context));
-#endif
-	}
-	memset(digest, 0, ISC_SHA512_DIGESTLENGTH);
-	return buffer;
-}
-
-char *
-isc_sha512_data(const isc_uint8_t *data, size_t len,
-		char digest[ISC_SHA512_DIGESTSTRINGLENGTH])
-{
-	isc_sha512_t 	context;
-
-	isc_sha512_init(&context);
-	isc_sha512_update(&context, data, len);
-	return (isc_sha512_end(&context, digest));
-}
-
-char *
-isc_sha384_end(isc_sha384_t *context, char buffer[]) {
-	isc_uint8_t	digest[ISC_SHA384_DIGESTLENGTH], *d = digest;
-	unsigned int	i;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha384_t *)0);
-
-	if (buffer != (char*)0) {
-		isc_sha384_final(digest, context);
-
-		for (i = 0; i < ISC_SHA384_DIGESTLENGTH; i++) {
-			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
-			*buffer++ = sha2_hex_digits[*d & 0x0f];
-			d++;
-		}
-		*buffer = (char)0;
-	} else {
-#ifdef ISC_PLATFORM_OPENSSLHASH
-		EVP_MD_CTX_cleanup(context);
-#else
-		memset(context, 0, sizeof(*context));
-#endif
-	}
-	memset(digest, 0, ISC_SHA384_DIGESTLENGTH);
-	return buffer;
-}
-
-char *
-isc_sha384_data(const isc_uint8_t *data, size_t len,
-		char digest[ISC_SHA384_DIGESTSTRINGLENGTH])
-{
-	isc_sha384_t context;
-
-	isc_sha384_init(&context);
-	isc_sha384_update(&context, data, len);
-	return (isc_sha384_end(&context, digest));
-}
diff --git a/contrib/bind9/lib/isc/sockaddr.c b/contrib/bind9/lib/isc/sockaddr.c
deleted file mode 100644
index 91a949b..0000000
--- a/contrib/bind9/lib/isc/sockaddr.c
+++ /dev/null
@@ -1,505 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2010-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include <isc/buffer.h>
-#include <isc/hash.h>
-#include <isc/msgs.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/sockaddr.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-isc_boolean_t
-isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
-	return (isc_sockaddr_compare(a, b, ISC_SOCKADDR_CMPADDR|
-					   ISC_SOCKADDR_CMPPORT|
-					   ISC_SOCKADDR_CMPSCOPE));
-}
-
-isc_boolean_t
-isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
-	return (isc_sockaddr_compare(a, b, ISC_SOCKADDR_CMPADDR|
-					   ISC_SOCKADDR_CMPSCOPE));
-}
-
-isc_boolean_t
-isc_sockaddr_compare(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
-		     unsigned int flags)
-{
-	REQUIRE(a != NULL && b != NULL);
-
-	if (a->length != b->length)
-		return (ISC_FALSE);
-
-	/*
-	 * We don't just memcmp because the sin_zero field isn't always
-	 * zero.
-	 */
-
-	if (a->type.sa.sa_family != b->type.sa.sa_family)
-		return (ISC_FALSE);
-	switch (a->type.sa.sa_family) {
-	case AF_INET:
-		if ((flags & ISC_SOCKADDR_CMPADDR) != 0 &&
-		    memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
-			   sizeof(a->type.sin.sin_addr)) != 0)
-			return (ISC_FALSE);
-		if ((flags & ISC_SOCKADDR_CMPPORT) != 0 &&
-		    a->type.sin.sin_port != b->type.sin.sin_port)
-			return (ISC_FALSE);
-		break;
-	case AF_INET6:
-		if ((flags & ISC_SOCKADDR_CMPADDR) != 0 &&
-		    memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
-			   sizeof(a->type.sin6.sin6_addr)) != 0)
-			return (ISC_FALSE);
-#ifdef ISC_PLATFORM_HAVESCOPEID
-		/*
-		 * If ISC_SOCKADDR_CMPSCOPEZERO is set then don't return
-		 * ISC_FALSE if one of the scopes in zero.
-		 */
-		if ((flags & ISC_SOCKADDR_CMPSCOPE) != 0 &&
-		    a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id &&
-		    ((flags & ISC_SOCKADDR_CMPSCOPEZERO) == 0 ||
-		      (a->type.sin6.sin6_scope_id != 0 &&
-		       b->type.sin6.sin6_scope_id != 0)))
-			return (ISC_FALSE);
-#endif
-		if ((flags & ISC_SOCKADDR_CMPPORT) != 0 &&
-		    a->type.sin6.sin6_port != b->type.sin6.sin6_port)
-			return (ISC_FALSE);
-		break;
-	default:
-		if (memcmp(&a->type, &b->type, a->length) != 0)
-			return (ISC_FALSE);
-	}
-	return (ISC_TRUE);
-}
-
-isc_boolean_t
-isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
-			  unsigned int prefixlen)
-{
-	isc_netaddr_t na, nb;
-	isc_netaddr_fromsockaddr(&na, a);
-	isc_netaddr_fromsockaddr(&nb, b);
-	return (isc_netaddr_eqprefix(&na, &nb, prefixlen));
-}
-
-isc_result_t
-isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
-	isc_result_t result;
-	isc_netaddr_t netaddr;
-	char pbuf[sizeof("65000")];
-	unsigned int plen;
-	isc_region_t avail;
-
-	REQUIRE(sockaddr != NULL);
-
-	/*
-	 * Do the port first, giving us the opportunity to check for
-	 * unsupported address families before calling
-	 * isc_netaddr_fromsockaddr().
-	 */
-	switch (sockaddr->type.sa.sa_family) {
-	case AF_INET:
-		snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin.sin_port));
-		break;
-	case AF_INET6:
-		snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin6.sin6_port));
-		break;
-#ifdef ISC_PLAFORM_HAVESYSUNH
-	case AF_UNIX:
-		plen = strlen(sockaddr->type.sunix.sun_path);
-		if (plen >= isc_buffer_availablelength(target))
-			return (ISC_R_NOSPACE);
-
-		isc_buffer_putmem(target, sockaddr->type.sunix.sun_path, plen);
-
-		/*
-		 * Null terminate after used region.
-		 */
-		isc_buffer_availableregion(target, &avail);
-		INSIST(avail.length >= 1);
-		avail.base[0] = '\0';
-
-		return (ISC_R_SUCCESS);
-#endif
-	default:
-		return (ISC_R_FAILURE);
-	}
-
-	plen = strlen(pbuf);
-	INSIST(plen < sizeof(pbuf));
-
-	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-	result = isc_netaddr_totext(&netaddr, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (1 + plen + 1 > isc_buffer_availablelength(target))
-		return (ISC_R_NOSPACE);
-
-	isc_buffer_putmem(target, (const unsigned char *)"#", 1);
-	isc_buffer_putmem(target, (const unsigned char *)pbuf, plen);
-
-	/*
-	 * Null terminate after used region.
-	 */
-	isc_buffer_availableregion(target, &avail);
-	INSIST(avail.length >= 1);
-	avail.base[0] = '\0';
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size) {
-	isc_result_t result;
-	isc_buffer_t buf;
-
-	if (size == 0U)
-		return;
-
-	isc_buffer_init(&buf, array, size);
-	result = isc_sockaddr_totext(sa, &buf);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * The message is the same as in netaddr.c.
-		 */
-		snprintf(array, size,
-			 isc_msgcat_get(isc_msgcat, ISC_MSGSET_NETADDR,
-					ISC_MSG_UNKNOWNADDR,
-					"<unknown address, family %u>"),
-			 sa->type.sa.sa_family);
-		array[size - 1] = '\0';
-	}
-}
-
-unsigned int
-isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only) {
-	unsigned int length = 0;
-	const unsigned char *s = NULL;
-	unsigned int h = 0;
-	unsigned int g;
-	unsigned int p = 0;
-	const struct in6_addr *in6;
-
-	REQUIRE(sockaddr != NULL);
-
-	switch (sockaddr->type.sa.sa_family) {
-	case AF_INET:
-		s = (const unsigned char *)&sockaddr->type.sin.sin_addr;
-		p = ntohs(sockaddr->type.sin.sin_port);
-		length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
-		break;
-	case AF_INET6:
-		in6 = &sockaddr->type.sin6.sin6_addr;
-		s = (const unsigned char *)in6;
-		if (IN6_IS_ADDR_V4MAPPED(in6)) {
-			s += 12;
-			length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
-		} else
-			length = sizeof(sockaddr->type.sin6.sin6_addr);
-		p = ntohs(sockaddr->type.sin6.sin6_port);
-		break;
-	default:
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_SOCKADDR,
-						ISC_MSG_UNKNOWNFAMILY,
-						"unknown address family: %d"),
-					     (int)sockaddr->type.sa.sa_family);
-		s = (const unsigned char *)&sockaddr->type;
-		length = sockaddr->length;
-		p = 0;
-	}
-
-	h = isc_hash_calc(s, length, ISC_TRUE);
-	if (!address_only) {
-		g = isc_hash_calc((const unsigned char *)&p, sizeof(p),
-				  ISC_TRUE);
-		h = h ^ g; /* XXX: we should concatenate h and p first */
-	}
-
-	return (h);
-}
-
-void
-isc_sockaddr_any(isc_sockaddr_t *sockaddr)
-{
-	memset(sockaddr, 0, sizeof(*sockaddr));
-	sockaddr->type.sin.sin_family = AF_INET;
-#ifdef ISC_PLATFORM_HAVESALEN
-	sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
-#endif
-	sockaddr->type.sin.sin_addr.s_addr = INADDR_ANY;
-	sockaddr->type.sin.sin_port = 0;
-	sockaddr->length = sizeof(sockaddr->type.sin);
-	ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_any6(isc_sockaddr_t *sockaddr)
-{
-	memset(sockaddr, 0, sizeof(*sockaddr));
-	sockaddr->type.sin6.sin6_family = AF_INET6;
-#ifdef ISC_PLATFORM_HAVESALEN
-	sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
-#endif
-	sockaddr->type.sin6.sin6_addr = in6addr_any;
-	sockaddr->type.sin6.sin6_port = 0;
-	sockaddr->length = sizeof(sockaddr->type.sin6);
-	ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
-		    in_port_t port)
-{
-	memset(sockaddr, 0, sizeof(*sockaddr));
-	sockaddr->type.sin.sin_family = AF_INET;
-#ifdef ISC_PLATFORM_HAVESALEN
-	sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
-#endif
-	sockaddr->type.sin.sin_addr = *ina;
-	sockaddr->type.sin.sin_port = htons(port);
-	sockaddr->length = sizeof(sockaddr->type.sin);
-	ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int pf) {
-     switch (pf) {
-     case AF_INET:
-	     isc_sockaddr_any(sockaddr);
-	     break;
-     case AF_INET6:
-	     isc_sockaddr_any6(sockaddr);
-	     break;
-     default:
-	     INSIST(0);
-     }
-}
-
-void
-isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
-		     in_port_t port)
-{
-	memset(sockaddr, 0, sizeof(*sockaddr));
-	sockaddr->type.sin6.sin6_family = AF_INET6;
-#ifdef ISC_PLATFORM_HAVESALEN
-	sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
-#endif
-	sockaddr->type.sin6.sin6_addr = *ina6;
-	sockaddr->type.sin6.sin6_port = htons(port);
-	sockaddr->length = sizeof(sockaddr->type.sin6);
-	ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
-		      in_port_t port)
-{
-	memset(sockaddr, 0, sizeof(*sockaddr));
-	sockaddr->type.sin6.sin6_family = AF_INET6;
-#ifdef ISC_PLATFORM_HAVESALEN
-	sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
-#endif
-	sockaddr->type.sin6.sin6_addr.s6_addr[10] = 0xff;
-	sockaddr->type.sin6.sin6_addr.s6_addr[11] = 0xff;
-	memcpy(&sockaddr->type.sin6.sin6_addr.s6_addr[12], ina, 4);
-	sockaddr->type.sin6.sin6_port = htons(port);
-	sockaddr->length = sizeof(sockaddr->type.sin6);
-	ISC_LINK_INIT(sockaddr, link);
-}
-
-int
-isc_sockaddr_pf(const isc_sockaddr_t *sockaddr) {
-
-	/*
-	 * Get the protocol family of 'sockaddr'.
-	 */
-
-#if (AF_INET == PF_INET && AF_INET6 == PF_INET6)
-	/*
-	 * Assume that PF_xxx == AF_xxx for all AF and PF.
-	 */
-	return (sockaddr->type.sa.sa_family);
-#else
-	switch (sockaddr->type.sa.sa_family) {
-	case AF_INET:
-		return (PF_INET);
-	case AF_INET6:
-		return (PF_INET6);
-	default:
-		FATAL_ERROR(__FILE__, __LINE__,
-			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
-					   ISC_MSG_UNKNOWNFAMILY,
-					   "unknown address family: %d"),
-			    (int)sockaddr->type.sa.sa_family);
-	}
-#endif
-}
-
-void
-isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
-		    in_port_t port)
-{
-	memset(sockaddr, 0, sizeof(*sockaddr));
-	sockaddr->type.sin.sin_family = na->family;
-	switch (na->family) {
-	case AF_INET:
-		sockaddr->length = sizeof(sockaddr->type.sin);
-#ifdef ISC_PLATFORM_HAVESALEN
-		sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
-#endif
-		sockaddr->type.sin.sin_addr = na->type.in;
-		sockaddr->type.sin.sin_port = htons(port);
-		break;
-	case AF_INET6:
-		sockaddr->length = sizeof(sockaddr->type.sin6);
-#ifdef ISC_PLATFORM_HAVESALEN
-		sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
-#endif
-		memcpy(&sockaddr->type.sin6.sin6_addr, &na->type.in6, 16);
-#ifdef ISC_PLATFORM_HAVESCOPEID
-		sockaddr->type.sin6.sin6_scope_id = isc_netaddr_getzone(na);
-#endif
-		sockaddr->type.sin6.sin6_port = htons(port);
-		break;
-	default:
-		INSIST(0);
-	}
-	ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) {
-	switch (sockaddr->type.sa.sa_family) {
-	case AF_INET:
-		sockaddr->type.sin.sin_port = htons(port);
-		break;
-	case AF_INET6:
-		sockaddr->type.sin6.sin6_port = htons(port);
-		break;
-	default:
-		FATAL_ERROR(__FILE__, __LINE__,
-			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
-					   ISC_MSG_UNKNOWNFAMILY,
-					   "unknown address family: %d"),
-			    (int)sockaddr->type.sa.sa_family);
-	}
-}
-
-in_port_t
-isc_sockaddr_getport(const isc_sockaddr_t *sockaddr) {
-	in_port_t port = 0;
-
-	switch (sockaddr->type.sa.sa_family) {
-	case AF_INET:
-		port = ntohs(sockaddr->type.sin.sin_port);
-		break;
-	case AF_INET6:
-		port = ntohs(sockaddr->type.sin6.sin6_port);
-		break;
-	default:
-		FATAL_ERROR(__FILE__, __LINE__,
-			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
-					   ISC_MSG_UNKNOWNFAMILY,
-					   "unknown address family: %d"),
-			    (int)sockaddr->type.sa.sa_family);
-	}
-
-	return (port);
-}
-
-isc_boolean_t
-isc_sockaddr_ismulticast(const isc_sockaddr_t *sockaddr) {
-	isc_netaddr_t netaddr;
-
-	if (sockaddr->type.sa.sa_family == AF_INET ||
-	    sockaddr->type.sa.sa_family == AF_INET6) {
-		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-		return (isc_netaddr_ismulticast(&netaddr));
-	}
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-isc_sockaddr_isexperimental(const isc_sockaddr_t *sockaddr) {
-	isc_netaddr_t netaddr;
-
-	if (sockaddr->type.sa.sa_family == AF_INET) {
-		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-		return (isc_netaddr_isexperimental(&netaddr));
-	}
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-isc_sockaddr_issitelocal(const isc_sockaddr_t *sockaddr) {
-	isc_netaddr_t netaddr;
-
-	if (sockaddr->type.sa.sa_family == AF_INET6) {
-		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-		return (isc_netaddr_issitelocal(&netaddr));
-	}
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-isc_sockaddr_islinklocal(const isc_sockaddr_t *sockaddr) {
-	isc_netaddr_t netaddr;
-
-	if (sockaddr->type.sa.sa_family == AF_INET6) {
-		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-		return (isc_netaddr_islinklocal(&netaddr));
-	}
-	return (ISC_FALSE);
-}
-
-isc_result_t
-isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path) {
-#ifdef ISC_PLATFORM_HAVESYSUNH
-	if (strlen(path) >= sizeof(sockaddr->type.sunix.sun_path))
-		return (ISC_R_NOSPACE);
-	memset(sockaddr, 0, sizeof(*sockaddr));
-	sockaddr->length = sizeof(sockaddr->type.sunix);
-	sockaddr->type.sunix.sun_family = AF_UNIX;
-#ifdef ISC_PLATFORM_HAVESALEN
-	sockaddr->type.sunix.sun_len =
-			(unsigned char)sizeof(sockaddr->type.sunix);
-#endif
-	strcpy(sockaddr->type.sunix.sun_path, path);
-	return (ISC_R_SUCCESS);
-#else
-	UNUSED(sockaddr);
-	UNUSED(path);
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/socket_api.c b/contrib/bind9/lib/isc/socket_api.c
deleted file mode 100644
index 1fba3e0..0000000
--- a/contrib/bind9/lib/isc/socket_api.c
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <isc/app.h>
-#include <isc/magic.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/socket.h>
-#include <isc/util.h>
-
-static isc_mutex_t createlock;
-static isc_once_t once = ISC_ONCE_INIT;
-static isc_socketmgrcreatefunc_t socketmgr_createfunc = NULL;
-
-static void
-initialize(void) {
-	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_socket_register(isc_socketmgrcreatefunc_t createfunc) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
-	LOCK(&createlock);
-	if (socketmgr_createfunc == NULL)
-		socketmgr_createfunc = createfunc;
-	else
-		result = ISC_R_EXISTS;
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-isc_result_t
-isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
-			  isc_socketmgr_t **managerp)
-{
-	isc_result_t result;
-
-	LOCK(&createlock);
-
-	REQUIRE(socketmgr_createfunc != NULL);
-	result = (*socketmgr_createfunc)(mctx, managerp);
-
-	UNLOCK(&createlock);
-
-	if (result == ISC_R_SUCCESS)
-		isc_appctx_setsocketmgr(actx, *managerp);
-
-	return (result);
-}
-
-isc_result_t
-isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
-	isc_result_t result;
-
-	LOCK(&createlock);
-
-	REQUIRE(socketmgr_createfunc != NULL);
-	result = (*socketmgr_createfunc)(mctx, managerp);
-
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-void
-isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
-	REQUIRE(managerp != NULL && ISCAPI_SOCKETMGR_VALID(*managerp));
-
-	(*managerp)->methods->destroy(managerp);
-
-	ENSURE(*managerp == NULL);
-}
-
-isc_result_t
-isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
-		  isc_socket_t **socketp)
-{
-	REQUIRE(ISCAPI_SOCKETMGR_VALID(manager));
-
-	return (manager->methods->socketcreate(manager, pf, type, socketp));
-}
-
-void
-isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-	REQUIRE(socketp != NULL && *socketp == NULL);
-
-	sock->methods->attach(sock, socketp);
-
-	ENSURE(*socketp == sock);
-}
-
-void
-isc_socket_detach(isc_socket_t **socketp) {
-	REQUIRE(socketp != NULL && ISCAPI_SOCKET_VALID(*socketp));
-
-	(*socketp)->methods->detach(socketp);
-
-	ENSURE(*socketp == NULL);
-}
-
-isc_result_t
-isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
-		unsigned int options)
-{
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return (sock->methods->bind(sock, sockaddr, options));
-}
-
-isc_result_t
-isc_socket_sendto(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
-		  isc_taskaction_t action, const void *arg,
-		  isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
-{
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return (sock->methods->sendto(sock, region, task, action, arg, address,
-				      pktinfo));
-}
-
-isc_result_t
-isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
-		   isc_task_t *task, isc_sockaddr_t *address,
-		   struct in6_pktinfo *pktinfo, isc_socketevent_t *event,
-		   unsigned int flags)
-{
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return (sock->methods->sendto2(sock, region, task, address,
-				       pktinfo, event, flags));
-}
-
-isc_result_t
-isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr, isc_task_t *task,
-		   isc_taskaction_t action, const void *arg)
-{
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return (sock->methods->connect(sock, addr, task, action, arg));
-}
-
-isc_result_t
-isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
-		isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return (sock->methods->recv(sock, region, minimum, task, action, arg));
-}
-
-isc_result_t
-isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
-		 unsigned int minimum, isc_task_t *task,
-		 isc_socketevent_t *event, unsigned int flags)
-{
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return (sock->methods->recv2(sock, region, minimum, task,
-				     event, flags));
-}
-
-void
-isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	sock->methods->cancel(sock, task, how);
-}
-
-isc_result_t
-isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return (sock->methods->getsockname(sock, addressp));
-}
-
-void
-isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	sock->methods->ipv6only(sock, yes);
-}
-
-isc_sockettype_t
-isc_socket_gettype(isc_socket_t *sock) {
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return (sock->methods->gettype(sock));
-}
-
-void
-isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
-	REQUIRE(ISCAPI_SOCKET_VALID(socket));
-
-	UNUSED(socket);		/* in case REQUIRE() is empty */
-	UNUSED(name);
-	UNUSED(tag);
-}
-
-isc_result_t
-isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
-			 isc_sockfdwatch_t callback, void *cbarg,
-			 isc_task_t *task, isc_socket_t **socketp)
-{
-	REQUIRE(ISCAPI_SOCKETMGR_VALID(manager));
-
-	return (manager->methods->fdwatchcreate(manager, fd, flags,
-						callback, cbarg, task,
-						socketp));
-}
-
-isc_result_t
-isc_socket_fdwatchpoke(isc_socket_t *sock, int flags)
-{
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return(sock->methods->fdwatchpoke(sock, flags));
-}
-
-isc_result_t
-isc_socket_dup(isc_socket_t *sock, isc_socket_t **socketp) {
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-	REQUIRE(socketp != NULL && *socketp == NULL);
-
-	return(sock->methods->dup(sock, socketp));
-}
-
-int
-isc_socket_getfd(isc_socket_t *sock) {
-	REQUIRE(ISCAPI_SOCKET_VALID(sock));
-
-	return(sock->methods->getfd(sock));
-}
diff --git a/contrib/bind9/lib/isc/sparc64/Makefile.in b/contrib/bind9/lib/isc/sparc64/Makefile.in
deleted file mode 100644
index 9c24cdf..0000000
--- a/contrib/bind9/lib/isc/sparc64/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/sparc64/include/Makefile.in b/contrib/bind9/lib/isc/sparc64/include/Makefile.in
deleted file mode 100644
index e399559..0000000
--- a/contrib/bind9/lib/isc/sparc64/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/sparc64/include/isc/Makefile.in b/contrib/bind9/lib/isc/sparc64/include/isc/Makefile.in
deleted file mode 100644
index 4927e21..0000000
--- a/contrib/bind9/lib/isc/sparc64/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	atomic.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/sparc64/include/isc/atomic.h b/contrib/bind9/lib/isc/sparc64/include/isc/atomic.h
deleted file mode 100644
index 4b36661..0000000
--- a/contrib/bind9/lib/isc/sparc64/include/isc/atomic.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: atomic.h,v 1.5 2007/06/19 23:47:18 tbox Exp $ */
-
-/*
- * This code was written based on FreeBSD's kernel source whose copyright
- * follows:
- */
-
-/*-
- * Copyright (c) 1998 Doug Rabson.
- * Copyright (c) 2001 Jake Burkholder.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	from: FreeBSD: src/sys/i386/include/atomic.h,v 1.20 2001/02/11
- * $FreeBSD$
- */
-
-#ifndef ISC_ATOMIC_H
-#define ISC_ATOMIC_H 1
-
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#define	ASI_P	0x80		/* Primary Address Space Identifier */
-
-#ifdef ISC_PLATFORM_USEGCCASM
-
-/*
- * This routine atomically increments the value stored in 'p' by 'val', and
- * returns the previous value.
- */
-static inline isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	isc_int32_t prev, swapped;
-
-	for (prev = *(volatile isc_int32_t *)p; ; prev = swapped) {
-		swapped = prev + val;
-		__asm__ volatile(
-			"casa [%2] %3, %4, %0"
-			: "+r"(swapped), "=m"(*p)
-			: "r"(p), "n"(ASI_P), "r"(prev), "m"(*p));
-		if (swapped == prev)
-			break;
-	}
-
-	return (prev);
-}
-
-/*
- * This routine atomically stores the value 'val' in 'p'.
- */
-static inline void
-isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	isc_int32_t prev, swapped;
-
-	for (prev = *(volatile isc_int32_t *)p; ; prev = swapped) {
-		swapped = val;
-		__asm__ volatile(
-			"casa [%2] %3, %4, %0"
-			: "+r"(swapped), "=m"(*p)
-			: "r"(p), "n"(ASI_P), "r"(prev), "m"(*p));
-		if (swapped == prev)
-			break;
-	}
-}
-
-/*
- * This routine atomically replaces the value in 'p' with 'val', if the
- * original value is equal to 'cmpval'.  The original value is returned in any
- * case.
- */
-static inline isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
-	isc_int32_t temp = val;
-
-	__asm__ volatile(
-		"casa [%2] %3, %4, %0"
-		: "+r"(temp), "=m"(*p)
-		: "r"(p), "n"(ASI_P), "r"(cmpval), "m"(*p));
-
-	return (temp);
-}
-
-#else  /* ISC_PLATFORM_USEGCCASM */
-
-#error "unsupported compiler.  disable atomic ops by --disable-atomic"
-
-#endif /* ISC_PLATFORM_USEGCCASM */
-
-#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/stats.c b/contrib/bind9/lib/isc/stats.c
deleted file mode 100644
index 8b624b2..0000000
--- a/contrib/bind9/lib/isc/stats.c
+++ /dev/null
@@ -1,326 +0,0 @@
-/*
- * Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/atomic.h>
-#include <isc/buffer.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/rwlock.h>
-#include <isc/stats.h>
-#include <isc/util.h>
-
-#define ISC_STATS_MAGIC			ISC_MAGIC('S', 't', 'a', 't')
-#define ISC_STATS_VALID(x)		ISC_MAGIC_VALID(x, ISC_STATS_MAGIC)
-
-#ifndef ISC_STATS_USEMULTIFIELDS
-#if defined(ISC_RWLOCK_USEATOMIC) && defined(ISC_PLATFORM_HAVEXADD) && !defined(ISC_PLATFORM_HAVEXADDQ)
-#define ISC_STATS_USEMULTIFIELDS 1
-#else
-#define ISC_STATS_USEMULTIFIELDS 0
-#endif
-#endif	/* ISC_STATS_USEMULTIFIELDS */
-
-#if ISC_STATS_USEMULTIFIELDS
-typedef struct {
-	isc_uint32_t hi;
-	isc_uint32_t lo;
-} isc_stat_t;
-#else
-typedef isc_uint64_t isc_stat_t;
-#endif
-
-struct isc_stats {
-	/*% Unlocked */
-	unsigned int	magic;
-	isc_mem_t	*mctx;
-	int		ncounters;
-
-	isc_mutex_t	lock;
-	unsigned int	references; /* locked by lock */
-
-	/*%
-	 * Locked by counterlock or unlocked if efficient rwlock is not
-	 * available.
-	 */
-#ifdef ISC_RWLOCK_USEATOMIC
-	isc_rwlock_t	counterlock;
-#endif
-	isc_stat_t	*counters;
-
-	/*%
-	 * We don't want to lock the counters while we are dumping, so we first
-	 * copy the current counter values into a local array.  This buffer
-	 * will be used as the copy destination.  It's allocated on creation
-	 * of the stats structure so that the dump operation won't fail due
-	 * to memory allocation failure.
-	 * XXX: this approach is weird for non-threaded build because the
-	 * additional memory and the copy overhead could be avoided.  We prefer
-	 * simplicity here, however, under the assumption that this function
-	 * should be only rarely called.
-	 */
-	isc_uint64_t	*copiedcounters;
-};
-
-static isc_result_t
-create_stats(isc_mem_t *mctx, int ncounters, isc_stats_t **statsp) {
-	isc_stats_t *stats;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	stats = isc_mem_get(mctx, sizeof(*stats));
-	if (stats == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_mutex_init(&stats->lock);
-	if (result != ISC_R_SUCCESS)
-		goto clean_stats;
-
-	stats->counters = isc_mem_get(mctx, sizeof(isc_stat_t) * ncounters);
-	if (stats->counters == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto clean_mutex;
-	}
-	stats->copiedcounters = isc_mem_get(mctx,
-					    sizeof(isc_uint64_t) * ncounters);
-	if (stats->copiedcounters == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto clean_counters;
-	}
-
-#ifdef ISC_RWLOCK_USEATOMIC
-	result = isc_rwlock_init(&stats->counterlock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto clean_copiedcounters;
-#endif
-
-	stats->references = 1;
-	memset(stats->counters, 0, sizeof(isc_stat_t) * ncounters);
-	stats->mctx = NULL;
-	isc_mem_attach(mctx, &stats->mctx);
-	stats->ncounters = ncounters;
-	stats->magic = ISC_STATS_MAGIC;
-
-	*statsp = stats;
-
-	return (result);
-
-clean_counters:
-	isc_mem_put(mctx, stats->counters, sizeof(isc_stat_t) * ncounters);
-
-#ifdef ISC_RWLOCK_USEATOMIC
-clean_copiedcounters:
-	isc_mem_put(mctx, stats->copiedcounters,
-		    sizeof(isc_stat_t) * ncounters);
-#endif
-
-clean_mutex:
-	DESTROYLOCK(&stats->lock);
-
-clean_stats:
-	isc_mem_put(mctx, stats, sizeof(*stats));
-
-	return (result);
-}
-
-void
-isc_stats_attach(isc_stats_t *stats, isc_stats_t **statsp) {
-	REQUIRE(ISC_STATS_VALID(stats));
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	LOCK(&stats->lock);
-	stats->references++;
-	UNLOCK(&stats->lock);
-
-	*statsp = stats;
-}
-
-void
-isc_stats_detach(isc_stats_t **statsp) {
-	isc_stats_t *stats;
-
-	REQUIRE(statsp != NULL && ISC_STATS_VALID(*statsp));
-
-	stats = *statsp;
-	*statsp = NULL;
-
-	LOCK(&stats->lock);
-	stats->references--;
-	UNLOCK(&stats->lock);
-
-	if (stats->references == 0) {
-		isc_mem_put(stats->mctx, stats->copiedcounters,
-			    sizeof(isc_stat_t) * stats->ncounters);
-		isc_mem_put(stats->mctx, stats->counters,
-			    sizeof(isc_stat_t) * stats->ncounters);
-		DESTROYLOCK(&stats->lock);
-#ifdef ISC_RWLOCK_USEATOMIC
-		isc_rwlock_destroy(&stats->counterlock);
-#endif
-		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
-	}
-}
-
-int
-isc_stats_ncounters(isc_stats_t *stats) {
-	REQUIRE(ISC_STATS_VALID(stats));
-
-	return (stats->ncounters);
-}
-
-static inline void
-incrementcounter(isc_stats_t *stats, int counter) {
-	isc_int32_t prev;
-
-#ifdef ISC_RWLOCK_USEATOMIC
-	/*
-	 * We use a "read" lock to prevent other threads from reading the
-	 * counter while we "writing" a counter field.  The write access itself
-	 * is protected by the atomic operation.
-	 */
-	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_read);
-#endif
-
-#if ISC_STATS_USEMULTIFIELDS
-	prev = isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].lo, 1);
-	/*
-	 * If the lower 32-bit field overflows, increment the higher field.
-	 * Note that it's *theoretically* possible that the lower field
-	 * overlaps again before the higher field is incremented.  It doesn't
-	 * matter, however, because we don't read the value until
-	 * isc_stats_copy() is called where the whole process is protected
-	 * by the write (exclusive) lock.
-	 */
-	if (prev == (isc_int32_t)0xffffffff)
-		isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].hi, 1);
-#elif defined(ISC_PLATFORM_HAVEXADDQ)
-	UNUSED(prev);
-	isc_atomic_xaddq((isc_int64_t *)&stats->counters[counter], 1);
-#else
-	UNUSED(prev);
-	stats->counters[counter]++;
-#endif
-
-#ifdef ISC_RWLOCK_USEATOMIC
-	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_read);
-#endif
-}
-
-static inline void
-decrementcounter(isc_stats_t *stats, int counter) {
-	isc_int32_t prev;
-
-#ifdef ISC_RWLOCK_USEATOMIC
-	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_read);
-#endif
-
-#if ISC_STATS_USEMULTIFIELDS
-	prev = isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].lo, -1);
-	if (prev == 0)
-		isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].hi,
-				-1);
-#elif defined(ISC_PLATFORM_HAVEXADDQ)
-	UNUSED(prev);
-	isc_atomic_xaddq((isc_int64_t *)&stats->counters[counter], -1);
-#else
-	UNUSED(prev);
-	stats->counters[counter]--;
-#endif
-
-#ifdef ISC_RWLOCK_USEATOMIC
-	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_read);
-#endif
-}
-
-static void
-copy_counters(isc_stats_t *stats) {
-	int i;
-
-#ifdef ISC_RWLOCK_USEATOMIC
-	/*
-	 * We use a "write" lock before "reading" the statistics counters as
-	 * an exclusive lock.
-	 */
-	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_write);
-#endif
-
-#if ISC_STATS_USEMULTIFIELDS
-	for (i = 0; i < stats->ncounters; i++) {
-		stats->copiedcounters[i] =
-				(isc_uint64_t)(stats->counters[i].hi) << 32 |
-				stats->counters[i].lo;
-	}
-#else
-	UNUSED(i);
-	memcpy(stats->copiedcounters, stats->counters,
-	       stats->ncounters * sizeof(isc_stat_t));
-#endif
-
-#ifdef ISC_RWLOCK_USEATOMIC
-	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_write);
-#endif
-}
-
-isc_result_t
-isc_stats_create(isc_mem_t *mctx, isc_stats_t **statsp, int ncounters) {
-	REQUIRE(statsp != NULL && *statsp == NULL);
-
-	return (create_stats(mctx, ncounters, statsp));
-}
-
-void
-isc_stats_increment(isc_stats_t *stats, isc_statscounter_t counter) {
-	REQUIRE(ISC_STATS_VALID(stats));
-	REQUIRE(counter < stats->ncounters);
-
-	incrementcounter(stats, (int)counter);
-}
-
-void
-isc_stats_decrement(isc_stats_t *stats, isc_statscounter_t counter) {
-	REQUIRE(ISC_STATS_VALID(stats));
-	REQUIRE(counter < stats->ncounters);
-
-	decrementcounter(stats, (int)counter);
-}
-
-void
-isc_stats_dump(isc_stats_t *stats, isc_stats_dumper_t dump_fn,
-	       void *arg, unsigned int options)
-{
-	int i;
-
-	REQUIRE(ISC_STATS_VALID(stats));
-
-	copy_counters(stats);
-
-	for (i = 0; i < stats->ncounters; i++) {
-		if ((options & ISC_STATSDUMP_VERBOSE) == 0 &&
-		    stats->copiedcounters[i] == 0)
-				continue;
-		dump_fn((isc_statscounter_t)i, stats->copiedcounters[i], arg);
-	}
-}
diff --git a/contrib/bind9/lib/isc/string.c b/contrib/bind9/lib/isc/string.c
deleted file mode 100644
index cba517c..0000000
--- a/contrib/bind9/lib/isc/string.c
+++ /dev/null
@@ -1,271 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-static char digits[] = "0123456789abcdefghijklmnoprstuvwxyz";
-
-isc_uint64_t
-isc_string_touint64(char *source, char **end, int base) {
-	isc_uint64_t tmp;
-	isc_uint64_t overflow;
-	char *s = source;
-	char *o;
-	char c;
-
-	if ((base < 0) || (base == 1) || (base > 36)) {
-		*end = source;
-		return (0);
-	}
-
-	while (*s != 0 && isascii(*s&0xff) && isspace(*s&0xff))
-		s++;
-	if (*s == '+' /* || *s == '-' */)
-		s++;
-	if (base == 0) {
-		if (*s == '0' && (*(s+1) == 'X' || *(s+1) == 'x')) {
-			s += 2;
-			base = 16;
-		} else if (*s == '0')
-			base = 8;
-		else
-			base = 10;
-	}
-	if (*s == 0) {
-		*end = source;
-		return (0);
-	}
-	overflow = ~0;
-	overflow /= base;
-	tmp = 0;
-
-	while ((c = *s) != 0) {
-		c = tolower(c&0xff);
-		/* end ? */
-		if ((o = strchr(digits, c)) == NULL) {
-			*end = s;
-			return (tmp);
-		}
-		/* end ? */
-		if ((o - digits) >= base) {
-			*end = s;
-			return (tmp);
-		}
-		/* overflow ? */
-		if (tmp > overflow) {
-			*end = source;
-			return (0);
-		}
-		tmp *= base;
-		/* overflow ? */
-		if ((tmp + (o - digits)) < tmp) {
-			*end = source;
-			return (0);
-		}
-		tmp += o - digits;
-		s++;
-	}
-	*end = s;
-	return (tmp);
-}
-
-isc_result_t
-isc_string_copy(char *target, size_t size, const char *source) {
-	REQUIRE(size > 0U);
-
-	if (strlcpy(target, source, size) >= size) {
-		memset(target, ISC_STRING_MAGIC, size);
-		return (ISC_R_NOSPACE);
-	}
-
-	ENSURE(strlen(target) < size);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_string_copy_truncate(char *target, size_t size, const char *source) {
-	REQUIRE(size > 0U);
-
-	strlcpy(target, source, size);
-
-	ENSURE(strlen(target) < size);
-}
-
-isc_result_t
-isc_string_append(char *target, size_t size, const char *source) {
-	REQUIRE(size > 0U);
-	REQUIRE(strlen(target) < size);
-
-	if (strlcat(target, source, size) >= size) {
-		memset(target, ISC_STRING_MAGIC, size);
-		return (ISC_R_NOSPACE);
-	}
-
-	ENSURE(strlen(target) < size);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_string_append_truncate(char *target, size_t size, const char *source) {
-	REQUIRE(size > 0U);
-	REQUIRE(strlen(target) < size);
-
-	strlcat(target, source, size);
-
-	ENSURE(strlen(target) < size);
-}
-
-isc_result_t
-isc_string_printf(char *target, size_t size, const char *format, ...) {
-	va_list args;
-	size_t n;
-
-	REQUIRE(size > 0U);
-
-	va_start(args, format);
-	n = vsnprintf(target, size, format, args);
-	va_end(args);
-
-	if (n >= size) {
-		memset(target, ISC_STRING_MAGIC, size);
-		return (ISC_R_NOSPACE);
-	}
-
-	ENSURE(strlen(target) < size);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_string_printf_truncate(char *target, size_t size, const char *format, ...)
-{
-	va_list args;
-
-	REQUIRE(size > 0U);
-
-	va_start(args, format);
-	/* check return code? */
-	(void)vsnprintf(target, size, format, args);
-	va_end(args);
-
-	ENSURE(strlen(target) < size);
-}
-
-char *
-isc_string_regiondup(isc_mem_t *mctx, const isc_region_t *source) {
-	char *target;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(source != NULL);
-
-	target = (char *) isc_mem_allocate(mctx, source->length + 1);
-	if (target != NULL) {
-		memcpy(source->base, target, source->length);
-		target[source->length] = '\0';
-	}
-
-	return (target);
-}
-
-char *
-isc_string_separate(char **stringp, const char *delim) {
-	char *string = *stringp;
-	char *s;
-	const char *d;
-	char sc, dc;
-
-	if (string == NULL)
-		return (NULL);
-
-	for (s = string; (sc = *s) != '\0'; s++)
-		for (d = delim; (dc = *d) != '\0'; d++)
-			if (sc == dc) {
-				*s++ = '\0';
-				*stringp = s;
-				return (string);
-			}
-	*stringp = NULL;
-	return (string);
-}
-
-size_t
-isc_string_strlcpy(char *dst, const char *src, size_t size)
-{
-	char *d = dst;
-	const char *s = src;
-	size_t n = size;
-
-	/* Copy as many bytes as will fit */
-	if (n != 0U && --n != 0U) {
-		do {
-			if ((*d++ = *s++) == 0)
-				break;
-		} while (--n != 0U);
-	}
-
-	/* Not enough room in dst, add NUL and traverse rest of src */
-	if (n == 0U) {
-		if (size != 0U)
-			*d = '\0';		/* NUL-terminate dst */
-		while (*s++)
-			;
-	}
-
-	return(s - src - 1);	/* count does not include NUL */
-}
-
-size_t
-isc_string_strlcat(char *dst, const char *src, size_t size)
-{
-	char *d = dst;
-	const char *s = src;
-	size_t n = size;
-	size_t dlen;
-
-	/* Find the end of dst and adjust bytes left but don't go past end */
-	while (n-- != 0U && *d != '\0')
-		d++;
-	dlen = d - dst;
-	n = size - dlen;
-
-	if (n == 0U)
-		return(dlen + strlen(s));
-	while (*s != '\0') {
-		if (n != 1U) {
-			*d++ = *s;
-			n--;
-		}
-		s++;
-	}
-	*d = '\0';
-
-	return(dlen + (s - src));	/* count does not include NUL */
-}
diff --git a/contrib/bind9/lib/isc/strtoul.c b/contrib/bind9/lib/isc/strtoul.c
deleted file mode 100644
index 18d93e2..0000000
--- a/contrib/bind9/lib/isc/strtoul.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1990, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*! \file */
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-/* $Id: strtoul.c,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
-
-#include <config.h>
-
-#include <limits.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <isc/stdlib.h>
-#include <isc/util.h>
-
-/*!
- * Convert a string to an unsigned long integer.
- *
- * Ignores `locale' stuff.  Assumes that the upper and lower case
- * alphabets and digits are each contiguous.
- */
-unsigned long
-isc_strtoul(const char *nptr, char **endptr, int base) {
-	const char *s = nptr;
-	unsigned long acc;
-	unsigned char c;
-	unsigned long cutoff;
-	int neg = 0, any, cutlim;
-
-	/*
-	 * See strtol for comments as to the logic used.
-	 */
-	do {
-		c = *s++;
-	} while (isspace(c));
-	if (c == '-') {
-		neg = 1;
-		c = *s++;
-	} else if (c == '+')
-		c = *s++;
-	if ((base == 0 || base == 16) &&
-	    c == '0' && (*s == 'x' || *s == 'X')) {
-		c = s[1];
-		s += 2;
-		base = 16;
-	}
-	if (base == 0)
-		base = c == '0' ? 8 : 10;
-	cutoff = (unsigned long)ULONG_MAX / (unsigned long)base;
-	cutlim = (unsigned long)ULONG_MAX % (unsigned long)base;
-	for (acc = 0, any = 0;; c = *s++) {
-		if (!isascii(c))
-			break;
-		if (isdigit(c))
-			c -= '0';
-		else if (isalpha(c))
-			c -= isupper(c) ? 'A' - 10 : 'a' - 10;
-		else
-			break;
-		if (c >= base)
-			break;
-		if (any < 0 || acc > cutoff || (acc == cutoff && c > cutlim))
-			any = -1;
-		else {
-			any = 1;
-			acc *= base;
-			acc += c;
-		}
-	}
-	if (any < 0) {
-		acc = ULONG_MAX;
-		errno = ERANGE;
-	} else if (neg)
-		acc = -acc;
-	if (endptr != 0)
-		DE_CONST(any ? s - 1 : nptr, *endptr);
-	return (acc);
-}
diff --git a/contrib/bind9/lib/isc/symtab.c b/contrib/bind9/lib/isc/symtab.c
deleted file mode 100644
index 1f294fb..0000000
--- a/contrib/bind9/lib/isc/symtab.c
+++ /dev/null
@@ -1,303 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/symtab.h>
-#include <isc/util.h>
-
-typedef struct elt {
-	char *				key;
-	unsigned int			type;
-	isc_symvalue_t			value;
-	LINK(struct elt)		link;
-} elt_t;
-
-typedef LIST(elt_t)			eltlist_t;
-
-#define SYMTAB_MAGIC			ISC_MAGIC('S', 'y', 'm', 'T')
-#define VALID_SYMTAB(st)		ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
-
-struct isc_symtab {
-	/* Unlocked. */
-	unsigned int			magic;
-	isc_mem_t *			mctx;
-	unsigned int			size;
-	unsigned int			count;
-	unsigned int			maxload;
-	eltlist_t *			table;
-	isc_symtabaction_t		undefine_action;
-	void *				undefine_arg;
-	isc_boolean_t			case_sensitive;
-};
-
-isc_result_t
-isc_symtab_create(isc_mem_t *mctx, unsigned int size,
-		  isc_symtabaction_t undefine_action,
-		  void *undefine_arg,
-		  isc_boolean_t case_sensitive,
-		  isc_symtab_t **symtabp)
-{
-	isc_symtab_t *symtab;
-	unsigned int i;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(symtabp != NULL && *symtabp == NULL);
-	REQUIRE(size > 0);	/* Should be prime. */
-
-	symtab = (isc_symtab_t *)isc_mem_get(mctx, sizeof(*symtab));
-	if (symtab == NULL)
-		return (ISC_R_NOMEMORY);
-
-	symtab->mctx = NULL;
-	isc_mem_attach(mctx, &symtab->mctx);
-	symtab->table = (eltlist_t *)isc_mem_get(mctx,
-						 size * sizeof(eltlist_t));
-	if (symtab->table == NULL) {
-		isc_mem_putanddetach(&symtab->mctx, symtab, sizeof(*symtab));
-		return (ISC_R_NOMEMORY);
-	}
-	for (i = 0; i < size; i++)
-		INIT_LIST(symtab->table[i]);
-	symtab->size = size;
-	symtab->count = 0;
-	symtab->maxload = size * 3 / 4;
-	symtab->undefine_action = undefine_action;
-	symtab->undefine_arg = undefine_arg;
-	symtab->case_sensitive = case_sensitive;
-	symtab->magic = SYMTAB_MAGIC;
-
-	*symtabp = symtab;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_symtab_destroy(isc_symtab_t **symtabp) {
-	isc_symtab_t *symtab;
-	unsigned int i;
-	elt_t *elt, *nelt;
-
-	REQUIRE(symtabp != NULL);
-	symtab = *symtabp;
-	REQUIRE(VALID_SYMTAB(symtab));
-
-	for (i = 0; i < symtab->size; i++) {
-		for (elt = HEAD(symtab->table[i]); elt != NULL; elt = nelt) {
-			nelt = NEXT(elt, link);
-			if (symtab->undefine_action != NULL)
-			       (symtab->undefine_action)(elt->key,
-							 elt->type,
-							 elt->value,
-							 symtab->undefine_arg);
-			isc_mem_put(symtab->mctx, elt, sizeof(*elt));
-		}
-	}
-	isc_mem_put(symtab->mctx, symtab->table,
-		    symtab->size * sizeof(eltlist_t));
-	symtab->magic = 0;
-	isc_mem_putanddetach(&symtab->mctx, symtab, sizeof(*symtab));
-
-	*symtabp = NULL;
-}
-
-static inline unsigned int
-hash(const char *key, isc_boolean_t case_sensitive) {
-	const char *s;
-	unsigned int h = 0;
-	int c;
-
-	/*
-	 * This hash function is similar to the one Ousterhout
-	 * uses in Tcl.
-	 */
-
-	if (case_sensitive) {
-		for (s = key; *s != '\0'; s++) {
-			h += (h << 3) + *s;
-		}
-	} else {
-		for (s = key; *s != '\0'; s++) {
-			c = *s;
-			c = tolower((unsigned char)c);
-			h += (h << 3) + c;
-		}
-	}
-
-	return (h);
-}
-
-#define FIND(s, k, t, b, e) \
-	b = hash((k), (s)->case_sensitive) % (s)->size; \
-	if ((s)->case_sensitive) { \
-		for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
-			if (((t) == 0 || e->type == (t)) && \
-			    strcmp(e->key, (k)) == 0) \
-				break; \
-		} \
-	} else { \
-		for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
-			if (((t) == 0 || e->type == (t)) && \
-			    strcasecmp(e->key, (k)) == 0) \
-				break; \
-		} \
-	}
-
-isc_result_t
-isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
-		  isc_symvalue_t *value)
-{
-	unsigned int bucket;
-	elt_t *elt;
-
-	REQUIRE(VALID_SYMTAB(symtab));
-	REQUIRE(key != NULL);
-
-	FIND(symtab, key, type, bucket, elt);
-
-	if (elt == NULL)
-		return (ISC_R_NOTFOUND);
-
-	if (value != NULL)
-		*value = elt->value;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-grow_table(isc_symtab_t *symtab) {
-	eltlist_t *newtable;
-	unsigned int i, newsize, newmax;
-
-	REQUIRE(symtab != NULL);
-
-	newsize = symtab->size * 2;
-	newmax = newsize * 3 / 4;
-	INSIST(newsize > 0U && newmax > 0U);
-
-	newtable = isc_mem_get(symtab->mctx, newsize * sizeof(eltlist_t));
-	if (newtable == NULL)
-		return;
-
-	for (i = 0; i < newsize; i++)
-		INIT_LIST(newtable[i]);
-
-	for (i = 0; i < symtab->size; i++) {
-		elt_t *elt, *nelt;
-
-		for (elt = HEAD(symtab->table[i]); elt != NULL; elt = nelt) {
-			unsigned int hv;
-
-			nelt = NEXT(elt, link);
-
-			UNLINK(symtab->table[i], elt, link);
-			hv = hash(elt->key, symtab->case_sensitive);
-			APPEND(newtable[hv % newsize], elt, link);
-		}
-	}
-
-	isc_mem_put(symtab->mctx, symtab->table,
-		    symtab->size * sizeof(eltlist_t));
-
-	symtab->table = newtable;
-	symtab->size = newsize;
-	symtab->maxload = newmax;
-}
-
-isc_result_t
-isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
-		  isc_symvalue_t value, isc_symexists_t exists_policy)
-{
-	unsigned int bucket;
-	elt_t *elt;
-
-	REQUIRE(VALID_SYMTAB(symtab));
-	REQUIRE(key != NULL);
-	REQUIRE(type != 0);
-
-	FIND(symtab, key, type, bucket, elt);
-
-	if (exists_policy != isc_symexists_add && elt != NULL) {
-		if (exists_policy == isc_symexists_reject)
-			return (ISC_R_EXISTS);
-		INSIST(exists_policy == isc_symexists_replace);
-		UNLINK(symtab->table[bucket], elt, link);
-		if (symtab->undefine_action != NULL)
-			(symtab->undefine_action)(elt->key, elt->type,
-						  elt->value,
-						  symtab->undefine_arg);
-	} else {
-		elt = (elt_t *)isc_mem_get(symtab->mctx, sizeof(*elt));
-		if (elt == NULL)
-			return (ISC_R_NOMEMORY);
-		ISC_LINK_INIT(elt, link);
-		symtab->count++;
-	}
-
-	/*
-	 * Though the "key" can be const coming in, it is not stored as const
-	 * so that the calling program can easily have writable access to
-	 * it in its undefine_action function.  In the event that it *was*
-	 * truly const coming in and then the caller modified it anyway ...
-	 * well, don't do that!
-	 */
-	DE_CONST(key, elt->key);
-	elt->type = type;
-	elt->value = value;
-
-	/*
-	 * We prepend so that the most recent definition will be found.
-	 */
-	PREPEND(symtab->table[bucket], elt, link);
-
-	if (symtab->count > symtab->maxload)
-		grow_table(symtab);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type) {
-	unsigned int bucket;
-	elt_t *elt;
-
-	REQUIRE(VALID_SYMTAB(symtab));
-	REQUIRE(key != NULL);
-
-	FIND(symtab, key, type, bucket, elt);
-
-	if (elt == NULL)
-		return (ISC_R_NOTFOUND);
-
-	if (symtab->undefine_action != NULL)
-		(symtab->undefine_action)(elt->key, elt->type,
-					  elt->value, symtab->undefine_arg);
-	UNLINK(symtab->table[bucket], elt, link);
-	isc_mem_put(symtab->mctx, elt, sizeof(*elt));
-	symtab->count--;
-
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/task.c b/contrib/bind9/lib/isc/task.c
deleted file mode 100644
index b743271..0000000
--- a/contrib/bind9/lib/isc/task.c
+++ /dev/null
@@ -1,1860 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file
- * \author Principal Author: Bob Halley
- */
-
-/*
- * XXXRTH  Need to document the states a task can be in, and the rules
- * for changing states.
- */
-
-#include <config.h>
-
-#include <isc/condition.h>
-#include <isc/event.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/platform.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-#include <isc/xml.h>
-
-#ifdef OPENSSL_LEAKS
-#include <openssl/err.h>
-#endif
-
-/*%
- * For BIND9 internal applications:
- * when built with threads we use multiple worker threads shared by the whole
- * application.
- * when built without threads we share a single global task manager and use
- * an integrated event loop for socket, timer, and other generic task events.
- * For generic library:
- * we don't use either of them: an application can have multiple task managers
- * whether or not it's threaded, and if the application is threaded each thread
- * is expected to have a separate manager; no "worker threads" are shared by
- * the application threads.
- */
-#ifdef BIND9
-#ifdef ISC_PLATFORM_USETHREADS
-#define USE_WORKER_THREADS
-#else
-#define USE_SHARED_MANAGER
-#endif	/* ISC_PLATFORM_USETHREADS */
-#endif	/* BIND9 */
-
-#include "task_p.h"
-
-#ifdef ISC_TASK_TRACE
-#define XTRACE(m)		fprintf(stderr, "task %p thread %lu: %s\n", \
-				       task, isc_thread_self(), (m))
-#define XTTRACE(t, m)		fprintf(stderr, "task %p thread %lu: %s\n", \
-				       (t), isc_thread_self(), (m))
-#define XTHREADTRACE(m)		fprintf(stderr, "thread %lu: %s\n", \
-				       isc_thread_self(), (m))
-#else
-#define XTRACE(m)
-#define XTTRACE(t, m)
-#define XTHREADTRACE(m)
-#endif
-
-/***
- *** Types.
- ***/
-
-typedef enum {
-	task_state_idle, task_state_ready, task_state_running,
-	task_state_done
-} task_state_t;
-
-#if defined(HAVE_LIBXML2) && defined(BIND9)
-static const char *statenames[] = {
-	"idle", "ready", "running", "done",
-};
-#endif
-
-#define TASK_MAGIC			ISC_MAGIC('T', 'A', 'S', 'K')
-#define VALID_TASK(t)			ISC_MAGIC_VALID(t, TASK_MAGIC)
-
-typedef struct isc__task isc__task_t;
-typedef struct isc__taskmgr isc__taskmgr_t;
-
-struct isc__task {
-	/* Not locked. */
-	isc_task_t			common;
-	isc__taskmgr_t *		manager;
-	isc_mutex_t			lock;
-	/* Locked by task lock. */
-	task_state_t			state;
-	unsigned int			references;
-	isc_eventlist_t			events;
-	isc_eventlist_t			on_shutdown;
-	unsigned int			quantum;
-	unsigned int			flags;
-	isc_stdtime_t			now;
-	char				name[16];
-	void *				tag;
-	/* Locked by task manager lock. */
-	LINK(isc__task_t)		link;
-	LINK(isc__task_t)		ready_link;
-	LINK(isc__task_t)		ready_priority_link;
-};
-
-#define TASK_F_SHUTTINGDOWN		0x01
-#define TASK_F_PRIVILEGED		0x02
-
-#define TASK_SHUTTINGDOWN(t)		(((t)->flags & TASK_F_SHUTTINGDOWN) \
-					 != 0)
-
-#define TASK_MANAGER_MAGIC		ISC_MAGIC('T', 'S', 'K', 'M')
-#define VALID_MANAGER(m)		ISC_MAGIC_VALID(m, TASK_MANAGER_MAGIC)
-
-typedef ISC_LIST(isc__task_t)	isc__tasklist_t;
-
-struct isc__taskmgr {
-	/* Not locked. */
-	isc_taskmgr_t			common;
-	isc_mem_t *			mctx;
-	isc_mutex_t			lock;
-#ifdef ISC_PLATFORM_USETHREADS
-	unsigned int			workers;
-	isc_thread_t *			threads;
-#endif /* ISC_PLATFORM_USETHREADS */
-	/* Locked by task manager lock. */
-	unsigned int			default_quantum;
-	LIST(isc__task_t)		tasks;
-	isc__tasklist_t			ready_tasks;
-	isc__tasklist_t			ready_priority_tasks;
-	isc_taskmgrmode_t		mode;
-#ifdef ISC_PLATFORM_USETHREADS
-	isc_condition_t			work_available;
-	isc_condition_t			exclusive_granted;
-	isc_condition_t			paused;
-#endif /* ISC_PLATFORM_USETHREADS */
-	unsigned int			tasks_running;
-	isc_boolean_t			pause_requested;
-	isc_boolean_t			exclusive_requested;
-	isc_boolean_t			exiting;
-	isc__task_t			*excl;
-#ifdef USE_SHARED_MANAGER
-	unsigned int			refs;
-#endif /* ISC_PLATFORM_USETHREADS */
-};
-
-#define DEFAULT_TASKMGR_QUANTUM		10
-#define DEFAULT_DEFAULT_QUANTUM		5
-#define FINISHED(m)			((m)->exiting && EMPTY((m)->tasks))
-
-#ifdef USE_SHARED_MANAGER
-static isc__taskmgr_t *taskmgr = NULL;
-#endif /* USE_SHARED_MANAGER */
-
-/*%
- * The following can be either static or public, depending on build environment.
- */
-
-#ifdef BIND9
-#define ISC_TASKFUNC_SCOPE
-#else
-#define ISC_TASKFUNC_SCOPE static
-#endif
-
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
-		 isc_task_t **taskp);
-ISC_TASKFUNC_SCOPE void
-isc__task_attach(isc_task_t *source0, isc_task_t **targetp);
-ISC_TASKFUNC_SCOPE void
-isc__task_detach(isc_task_t **taskp);
-ISC_TASKFUNC_SCOPE void
-isc__task_send(isc_task_t *task0, isc_event_t **eventp);
-ISC_TASKFUNC_SCOPE void
-isc__task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
-ISC_TASKFUNC_SCOPE unsigned int
-isc__task_purgerange(isc_task_t *task0, void *sender, isc_eventtype_t first,
-		     isc_eventtype_t last, void *tag);
-ISC_TASKFUNC_SCOPE unsigned int
-isc__task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
-		void *tag);
-ISC_TASKFUNC_SCOPE isc_boolean_t
-isc__task_purgeevent(isc_task_t *task0, isc_event_t *event);
-ISC_TASKFUNC_SCOPE unsigned int
-isc__task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
-		      isc_eventtype_t last, void *tag,
-		      isc_eventlist_t *events);
-ISC_TASKFUNC_SCOPE unsigned int
-isc__task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
-		 void *tag, isc_eventlist_t *events);
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__task_onshutdown(isc_task_t *task0, isc_taskaction_t action,
-		     const void *arg);
-ISC_TASKFUNC_SCOPE void
-isc__task_shutdown(isc_task_t *task0);
-ISC_TASKFUNC_SCOPE void
-isc__task_destroy(isc_task_t **taskp);
-ISC_TASKFUNC_SCOPE void
-isc__task_setname(isc_task_t *task0, const char *name, void *tag);
-ISC_TASKFUNC_SCOPE const char *
-isc__task_getname(isc_task_t *task0);
-ISC_TASKFUNC_SCOPE void *
-isc__task_gettag(isc_task_t *task0);
-ISC_TASKFUNC_SCOPE void
-isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t);
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
-		    unsigned int default_quantum, isc_taskmgr_t **managerp);
-ISC_TASKFUNC_SCOPE void
-isc__taskmgr_destroy(isc_taskmgr_t **managerp);
-ISC_TASKFUNC_SCOPE void
-isc__taskmgr_setexcltask(isc_taskmgr_t *mgr0, isc_task_t *task0);
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__taskmgr_excltask(isc_taskmgr_t *mgr0, isc_task_t **taskp);
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__task_beginexclusive(isc_task_t *task);
-ISC_TASKFUNC_SCOPE void
-isc__task_endexclusive(isc_task_t *task0);
-ISC_TASKFUNC_SCOPE void
-isc__task_setprivilege(isc_task_t *task0, isc_boolean_t priv);
-ISC_TASKFUNC_SCOPE isc_boolean_t
-isc__task_privilege(isc_task_t *task0);
-ISC_TASKFUNC_SCOPE void
-isc__taskmgr_setmode(isc_taskmgr_t *manager0, isc_taskmgrmode_t mode);
-ISC_TASKFUNC_SCOPE isc_taskmgrmode_t
-isc__taskmgr_mode(isc_taskmgr_t *manager0);
-
-static inline isc_boolean_t
-empty_readyq(isc__taskmgr_t *manager);
-
-static inline isc__task_t *
-pop_readyq(isc__taskmgr_t *manager);
-
-static inline void
-push_readyq(isc__taskmgr_t *manager, isc__task_t *task);
-
-static struct isc__taskmethods {
-	isc_taskmethods_t methods;
-
-	/*%
-	 * The following are defined just for avoiding unused static functions.
-	 */
-#ifndef BIND9
-	void *purgeevent, *unsendrange, *getname, *gettag, *getcurrenttime;
-#endif
-} taskmethods = {
-	{
-		isc__task_attach,
-		isc__task_detach,
-		isc__task_destroy,
-		isc__task_send,
-		isc__task_sendanddetach,
-		isc__task_unsend,
-		isc__task_onshutdown,
-		isc__task_shutdown,
-		isc__task_setname,
-		isc__task_purge,
-		isc__task_purgerange,
-		isc__task_beginexclusive,
-		isc__task_endexclusive,
-		isc__task_setprivilege,
-		isc__task_privilege
-	}
-#ifndef BIND9
-	,
-	(void *)isc__task_purgeevent, (void *)isc__task_unsendrange,
-	(void *)isc__task_getname, (void *)isc__task_gettag,
-	(void *)isc__task_getcurrenttime
-#endif
-};
-
-static isc_taskmgrmethods_t taskmgrmethods = {
-	isc__taskmgr_destroy,
-	isc__taskmgr_setmode,
-	isc__taskmgr_mode,
-	isc__task_create,
-	isc__taskmgr_setexcltask,
-	isc__taskmgr_excltask
-};
-
-/***
- *** Tasks.
- ***/
-
-static void
-task_finished(isc__task_t *task) {
-	isc__taskmgr_t *manager = task->manager;
-
-	REQUIRE(EMPTY(task->events));
-	REQUIRE(EMPTY(task->on_shutdown));
-	REQUIRE(task->references == 0);
-	REQUIRE(task->state == task_state_done);
-
-	XTRACE("task_finished");
-
-	LOCK(&manager->lock);
-	UNLINK(manager->tasks, task, link);
-#ifdef USE_WORKER_THREADS
-	if (FINISHED(manager)) {
-		/*
-		 * All tasks have completed and the
-		 * task manager is exiting.  Wake up
-		 * any idle worker threads so they
-		 * can exit.
-		 */
-		BROADCAST(&manager->work_available);
-	}
-#endif /* USE_WORKER_THREADS */
-	UNLOCK(&manager->lock);
-
-	DESTROYLOCK(&task->lock);
-	task->common.impmagic = 0;
-	task->common.magic = 0;
-	isc_mem_put(manager->mctx, task, sizeof(*task));
-}
-
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
-		 isc_task_t **taskp)
-{
-	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
-	isc__task_t *task;
-	isc_boolean_t exiting;
-	isc_result_t result;
-
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(taskp != NULL && *taskp == NULL);
-
-	task = isc_mem_get(manager->mctx, sizeof(*task));
-	if (task == NULL)
-		return (ISC_R_NOMEMORY);
-	XTRACE("isc_task_create");
-	task->manager = manager;
-	result = isc_mutex_init(&task->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(manager->mctx, task, sizeof(*task));
-		return (result);
-	}
-	task->state = task_state_idle;
-	task->references = 1;
-	INIT_LIST(task->events);
-	INIT_LIST(task->on_shutdown);
-	task->quantum = quantum;
-	task->flags = 0;
-	task->now = 0;
-	memset(task->name, 0, sizeof(task->name));
-	task->tag = NULL;
-	INIT_LINK(task, link);
-	INIT_LINK(task, ready_link);
-	INIT_LINK(task, ready_priority_link);
-
-	exiting = ISC_FALSE;
-	LOCK(&manager->lock);
-	if (!manager->exiting) {
-		if (task->quantum == 0)
-			task->quantum = manager->default_quantum;
-		APPEND(manager->tasks, task, link);
-	} else
-		exiting = ISC_TRUE;
-	UNLOCK(&manager->lock);
-
-	if (exiting) {
-		DESTROYLOCK(&task->lock);
-		isc_mem_put(manager->mctx, task, sizeof(*task));
-		return (ISC_R_SHUTTINGDOWN);
-	}
-
-	task->common.methods = (isc_taskmethods_t *)&taskmethods;
-	task->common.magic = ISCAPI_TASK_MAGIC;
-	task->common.impmagic = TASK_MAGIC;
-	*taskp = (isc_task_t *)task;
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_attach(isc_task_t *source0, isc_task_t **targetp) {
-	isc__task_t *source = (isc__task_t *)source0;
-
-	/*
-	 * Attach *targetp to source.
-	 */
-
-	REQUIRE(VALID_TASK(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	XTTRACE(source, "isc_task_attach");
-
-	LOCK(&source->lock);
-	source->references++;
-	UNLOCK(&source->lock);
-
-	*targetp = (isc_task_t *)source;
-}
-
-static inline isc_boolean_t
-task_shutdown(isc__task_t *task) {
-	isc_boolean_t was_idle = ISC_FALSE;
-	isc_event_t *event, *prev;
-
-	/*
-	 * Caller must be holding the task's lock.
-	 */
-
-	XTRACE("task_shutdown");
-
-	if (! TASK_SHUTTINGDOWN(task)) {
-		XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-				      ISC_MSG_SHUTTINGDOWN, "shutting down"));
-		task->flags |= TASK_F_SHUTTINGDOWN;
-		if (task->state == task_state_idle) {
-			INSIST(EMPTY(task->events));
-			task->state = task_state_ready;
-			was_idle = ISC_TRUE;
-		}
-		INSIST(task->state == task_state_ready ||
-		       task->state == task_state_running);
-
-		/*
-		 * Note that we post shutdown events LIFO.
-		 */
-		for (event = TAIL(task->on_shutdown);
-		     event != NULL;
-		     event = prev) {
-			prev = PREV(event, ev_link);
-			DEQUEUE(task->on_shutdown, event, ev_link);
-			ENQUEUE(task->events, event, ev_link);
-		}
-	}
-
-	return (was_idle);
-}
-
-/*
- * Moves a task onto the appropriate run queue.
- *
- * Caller must NOT hold manager lock.
- */
-static inline void
-task_ready(isc__task_t *task) {
-	isc__taskmgr_t *manager = task->manager;
-#ifdef USE_WORKER_THREADS
-	isc_boolean_t has_privilege = isc__task_privilege((isc_task_t *) task);
-#endif /* USE_WORKER_THREADS */
-
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(task->state == task_state_ready);
-
-	XTRACE("task_ready");
-
-	LOCK(&manager->lock);
-	push_readyq(manager, task);
-#ifdef USE_WORKER_THREADS
-	if (manager->mode == isc_taskmgrmode_normal || has_privilege)
-		SIGNAL(&manager->work_available);
-#endif /* USE_WORKER_THREADS */
-	UNLOCK(&manager->lock);
-}
-
-static inline isc_boolean_t
-task_detach(isc__task_t *task) {
-
-	/*
-	 * Caller must be holding the task lock.
-	 */
-
-	REQUIRE(task->references > 0);
-
-	XTRACE("detach");
-
-	task->references--;
-	if (task->references == 0 && task->state == task_state_idle) {
-		INSIST(EMPTY(task->events));
-		/*
-		 * There are no references to this task, and no
-		 * pending events.  We could try to optimize and
-		 * either initiate shutdown or clean up the task,
-		 * depending on its state, but it's easier to just
-		 * make the task ready and allow run() or the event
-		 * loop to deal with shutting down and termination.
-		 */
-		task->state = task_state_ready;
-		return (ISC_TRUE);
-	}
-
-	return (ISC_FALSE);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_detach(isc_task_t **taskp) {
-	isc__task_t *task;
-	isc_boolean_t was_idle;
-
-	/*
-	 * Detach *taskp from its task.
-	 */
-
-	REQUIRE(taskp != NULL);
-	task = (isc__task_t *)*taskp;
-	REQUIRE(VALID_TASK(task));
-
-	XTRACE("isc_task_detach");
-
-	LOCK(&task->lock);
-	was_idle = task_detach(task);
-	UNLOCK(&task->lock);
-
-	if (was_idle)
-		task_ready(task);
-
-	*taskp = NULL;
-}
-
-static inline isc_boolean_t
-task_send(isc__task_t *task, isc_event_t **eventp) {
-	isc_boolean_t was_idle = ISC_FALSE;
-	isc_event_t *event;
-
-	/*
-	 * Caller must be holding the task lock.
-	 */
-
-	REQUIRE(eventp != NULL);
-	event = *eventp;
-	REQUIRE(event != NULL);
-	REQUIRE(event->ev_type > 0);
-	REQUIRE(task->state != task_state_done);
-
-	XTRACE("task_send");
-
-	if (task->state == task_state_idle) {
-		was_idle = ISC_TRUE;
-		INSIST(EMPTY(task->events));
-		task->state = task_state_ready;
-	}
-	INSIST(task->state == task_state_ready ||
-	       task->state == task_state_running);
-	ENQUEUE(task->events, event, ev_link);
-	*eventp = NULL;
-
-	return (was_idle);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_send(isc_task_t *task0, isc_event_t **eventp) {
-	isc__task_t *task = (isc__task_t *)task0;
-	isc_boolean_t was_idle;
-
-	/*
-	 * Send '*event' to 'task'.
-	 */
-
-	REQUIRE(VALID_TASK(task));
-
-	XTRACE("isc_task_send");
-
-	/*
-	 * We're trying hard to hold locks for as short a time as possible.
-	 * We're also trying to hold as few locks as possible.  This is why
-	 * some processing is deferred until after the lock is released.
-	 */
-	LOCK(&task->lock);
-	was_idle = task_send(task, eventp);
-	UNLOCK(&task->lock);
-
-	if (was_idle) {
-		/*
-		 * We need to add this task to the ready queue.
-		 *
-		 * We've waited until now to do it because making a task
-		 * ready requires locking the manager.  If we tried to do
-		 * this while holding the task lock, we could deadlock.
-		 *
-		 * We've changed the state to ready, so no one else will
-		 * be trying to add this task to the ready queue.  The
-		 * only way to leave the ready state is by executing the
-		 * task.  It thus doesn't matter if events are added,
-		 * removed, or a shutdown is started in the interval
-		 * between the time we released the task lock, and the time
-		 * we add the task to the ready queue.
-		 */
-		task_ready(task);
-	}
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
-	isc_boolean_t idle1, idle2;
-	isc__task_t *task;
-
-	/*
-	 * Send '*event' to '*taskp' and then detach '*taskp' from its
-	 * task.
-	 */
-
-	REQUIRE(taskp != NULL);
-	task = (isc__task_t *)*taskp;
-	REQUIRE(VALID_TASK(task));
-
-	XTRACE("isc_task_sendanddetach");
-
-	LOCK(&task->lock);
-	idle1 = task_send(task, eventp);
-	idle2 = task_detach(task);
-	UNLOCK(&task->lock);
-
-	/*
-	 * If idle1, then idle2 shouldn't be true as well since we're holding
-	 * the task lock, and thus the task cannot switch from ready back to
-	 * idle.
-	 */
-	INSIST(!(idle1 && idle2));
-
-	if (idle1 || idle2)
-		task_ready(task);
-
-	*taskp = NULL;
-}
-
-#define PURGE_OK(event)	(((event)->ev_attributes & ISC_EVENTATTR_NOPURGE) == 0)
-
-static unsigned int
-dequeue_events(isc__task_t *task, void *sender, isc_eventtype_t first,
-	       isc_eventtype_t last, void *tag,
-	       isc_eventlist_t *events, isc_boolean_t purging)
-{
-	isc_event_t *event, *next_event;
-	unsigned int count = 0;
-
-	REQUIRE(VALID_TASK(task));
-	REQUIRE(last >= first);
-
-	XTRACE("dequeue_events");
-
-	/*
-	 * Events matching 'sender', whose type is >= first and <= last, and
-	 * whose tag is 'tag' will be dequeued.  If 'purging', matching events
-	 * which are marked as unpurgable will not be dequeued.
-	 *
-	 * sender == NULL means "any sender", and tag == NULL means "any tag".
-	 */
-
-	LOCK(&task->lock);
-
-	for (event = HEAD(task->events); event != NULL; event = next_event) {
-		next_event = NEXT(event, ev_link);
-		if (event->ev_type >= first && event->ev_type <= last &&
-		    (sender == NULL || event->ev_sender == sender) &&
-		    (tag == NULL || event->ev_tag == tag) &&
-		    (!purging || PURGE_OK(event))) {
-			DEQUEUE(task->events, event, ev_link);
-			ENQUEUE(*events, event, ev_link);
-			count++;
-		}
-	}
-
-	UNLOCK(&task->lock);
-
-	return (count);
-}
-
-ISC_TASKFUNC_SCOPE unsigned int
-isc__task_purgerange(isc_task_t *task0, void *sender, isc_eventtype_t first,
-		     isc_eventtype_t last, void *tag)
-{
-	isc__task_t *task = (isc__task_t *)task0;
-	unsigned int count;
-	isc_eventlist_t events;
-	isc_event_t *event, *next_event;
-
-	/*
-	 * Purge events from a task's event queue.
-	 */
-
-	XTRACE("isc_task_purgerange");
-
-	ISC_LIST_INIT(events);
-
-	count = dequeue_events(task, sender, first, last, tag, &events,
-			       ISC_TRUE);
-
-	for (event = HEAD(events); event != NULL; event = next_event) {
-		next_event = NEXT(event, ev_link);
-		isc_event_free(&event);
-	}
-
-	/*
-	 * Note that purging never changes the state of the task.
-	 */
-
-	return (count);
-}
-
-ISC_TASKFUNC_SCOPE unsigned int
-isc__task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
-		void *tag)
-{
-	/*
-	 * Purge events from a task's event queue.
-	 */
-
-	XTRACE("isc_task_purge");
-
-	return (isc__task_purgerange(task, sender, type, type, tag));
-}
-
-ISC_TASKFUNC_SCOPE isc_boolean_t
-isc__task_purgeevent(isc_task_t *task0, isc_event_t *event) {
-	isc__task_t *task = (isc__task_t *)task0;
-	isc_event_t *curr_event, *next_event;
-
-	/*
-	 * Purge 'event' from a task's event queue.
-	 *
-	 * XXXRTH:  WARNING:  This method may be removed before beta.
-	 */
-
-	REQUIRE(VALID_TASK(task));
-
-	/*
-	 * If 'event' is on the task's event queue, it will be purged,
-	 * unless it is marked as unpurgeable.  'event' does not have to be
-	 * on the task's event queue; in fact, it can even be an invalid
-	 * pointer.  Purging only occurs if the event is actually on the task's
-	 * event queue.
-	 *
-	 * Purging never changes the state of the task.
-	 */
-
-	LOCK(&task->lock);
-	for (curr_event = HEAD(task->events);
-	     curr_event != NULL;
-	     curr_event = next_event) {
-		next_event = NEXT(curr_event, ev_link);
-		if (curr_event == event && PURGE_OK(event)) {
-			DEQUEUE(task->events, curr_event, ev_link);
-			break;
-		}
-	}
-	UNLOCK(&task->lock);
-
-	if (curr_event == NULL)
-		return (ISC_FALSE);
-
-	isc_event_free(&curr_event);
-
-	return (ISC_TRUE);
-}
-
-ISC_TASKFUNC_SCOPE unsigned int
-isc__task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
-		      isc_eventtype_t last, void *tag,
-		      isc_eventlist_t *events)
-{
-	/*
-	 * Remove events from a task's event queue.
-	 */
-
-	XTRACE("isc_task_unsendrange");
-
-	return (dequeue_events((isc__task_t *)task, sender, first,
-			       last, tag, events, ISC_FALSE));
-}
-
-ISC_TASKFUNC_SCOPE unsigned int
-isc__task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
-		 void *tag, isc_eventlist_t *events)
-{
-	/*
-	 * Remove events from a task's event queue.
-	 */
-
-	XTRACE("isc_task_unsend");
-
-	return (dequeue_events((isc__task_t *)task, sender, type,
-			       type, tag, events, ISC_FALSE));
-}
-
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__task_onshutdown(isc_task_t *task0, isc_taskaction_t action,
-		     const void *arg)
-{
-	isc__task_t *task = (isc__task_t *)task0;
-	isc_boolean_t disallowed = ISC_FALSE;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_event_t *event;
-
-	/*
-	 * Send a shutdown event with action 'action' and argument 'arg' when
-	 * 'task' is shutdown.
-	 */
-
-	REQUIRE(VALID_TASK(task));
-	REQUIRE(action != NULL);
-
-	event = isc_event_allocate(task->manager->mctx,
-				   NULL,
-				   ISC_TASKEVENT_SHUTDOWN,
-				   action,
-				   arg,
-				   sizeof(*event));
-	if (event == NULL)
-		return (ISC_R_NOMEMORY);
-
-	LOCK(&task->lock);
-	if (TASK_SHUTTINGDOWN(task)) {
-		disallowed = ISC_TRUE;
-		result = ISC_R_SHUTTINGDOWN;
-	} else
-		ENQUEUE(task->on_shutdown, event, ev_link);
-	UNLOCK(&task->lock);
-
-	if (disallowed)
-		isc_mem_put(task->manager->mctx, event, sizeof(*event));
-
-	return (result);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_shutdown(isc_task_t *task0) {
-	isc__task_t *task = (isc__task_t *)task0;
-	isc_boolean_t was_idle;
-
-	/*
-	 * Shutdown 'task'.
-	 */
-
-	REQUIRE(VALID_TASK(task));
-
-	LOCK(&task->lock);
-	was_idle = task_shutdown(task);
-	UNLOCK(&task->lock);
-
-	if (was_idle)
-		task_ready(task);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_destroy(isc_task_t **taskp) {
-
-	/*
-	 * Destroy '*taskp'.
-	 */
-
-	REQUIRE(taskp != NULL);
-
-	isc_task_shutdown(*taskp);
-	isc_task_detach(taskp);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_setname(isc_task_t *task0, const char *name, void *tag) {
-	isc__task_t *task = (isc__task_t *)task0;
-
-	/*
-	 * Name 'task'.
-	 */
-
-	REQUIRE(VALID_TASK(task));
-
-	LOCK(&task->lock);
-	memset(task->name, 0, sizeof(task->name));
-	strncpy(task->name, name, sizeof(task->name) - 1);
-	task->tag = tag;
-	UNLOCK(&task->lock);
-}
-
-ISC_TASKFUNC_SCOPE const char *
-isc__task_getname(isc_task_t *task0) {
-	isc__task_t *task = (isc__task_t *)task0;
-
-	REQUIRE(VALID_TASK(task));
-
-	return (task->name);
-}
-
-ISC_TASKFUNC_SCOPE void *
-isc__task_gettag(isc_task_t *task0) {
-	isc__task_t *task = (isc__task_t *)task0;
-
-	REQUIRE(VALID_TASK(task));
-
-	return (task->tag);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t) {
-	isc__task_t *task = (isc__task_t *)task0;
-
-	REQUIRE(VALID_TASK(task));
-	REQUIRE(t != NULL);
-
-	LOCK(&task->lock);
-	*t = task->now;
-	UNLOCK(&task->lock);
-}
-
-/***
- *** Task Manager.
- ***/
-
-/*
- * Return ISC_TRUE if the current ready list for the manager, which is
- * either ready_tasks or the ready_priority_tasks, depending on whether
- * the manager is currently in normal or privileged execution mode.
- *
- * Caller must hold the task manager lock.
- */
-static inline isc_boolean_t
-empty_readyq(isc__taskmgr_t *manager) {
-	isc__tasklist_t queue;
-
-	if (manager->mode == isc_taskmgrmode_normal)
-		queue = manager->ready_tasks;
-	else
-		queue = manager->ready_priority_tasks;
-
-	return (ISC_TF(EMPTY(queue)));
-}
-
-/*
- * Dequeue and return a pointer to the first task on the current ready
- * list for the manager.
- * If the task is privileged, dequeue it from the other ready list
- * as well.
- *
- * Caller must hold the task manager lock.
- */
-static inline isc__task_t *
-pop_readyq(isc__taskmgr_t *manager) {
-	isc__task_t *task;
-
-	if (manager->mode == isc_taskmgrmode_normal)
-		task = HEAD(manager->ready_tasks);
-	else
-		task = HEAD(manager->ready_priority_tasks);
-
-	if (task != NULL) {
-		DEQUEUE(manager->ready_tasks, task, ready_link);
-		if (ISC_LINK_LINKED(task, ready_priority_link))
-			DEQUEUE(manager->ready_priority_tasks, task,
-				ready_priority_link);
-	}
-
-	return (task);
-}
-
-/*
- * Push 'task' onto the ready_tasks queue.  If 'task' has the privilege
- * flag set, then also push it onto the ready_priority_tasks queue.
- *
- * Caller must hold the task manager lock.
- */
-static inline void
-push_readyq(isc__taskmgr_t *manager, isc__task_t *task) {
-	ENQUEUE(manager->ready_tasks, task, ready_link);
-	if ((task->flags & TASK_F_PRIVILEGED) != 0)
-		ENQUEUE(manager->ready_priority_tasks, task,
-			ready_priority_link);
-}
-
-static void
-dispatch(isc__taskmgr_t *manager) {
-	isc__task_t *task;
-#ifndef USE_WORKER_THREADS
-	unsigned int total_dispatch_count = 0;
-	isc__tasklist_t new_ready_tasks;
-	isc__tasklist_t new_priority_tasks;
-#endif /* USE_WORKER_THREADS */
-
-	REQUIRE(VALID_MANAGER(manager));
-
-	/*
-	 * Again we're trying to hold the lock for as short a time as possible
-	 * and to do as little locking and unlocking as possible.
-	 *
-	 * In both while loops, the appropriate lock must be held before the
-	 * while body starts.  Code which acquired the lock at the top of
-	 * the loop would be more readable, but would result in a lot of
-	 * extra locking.  Compare:
-	 *
-	 * Straightforward:
-	 *
-	 *	LOCK();
-	 *	...
-	 *	UNLOCK();
-	 *	while (expression) {
-	 *		LOCK();
-	 *		...
-	 *		UNLOCK();
-	 *
-	 *	       	Unlocked part here...
-	 *
-	 *		LOCK();
-	 *		...
-	 *		UNLOCK();
-	 *	}
-	 *
-	 * Note how if the loop continues we unlock and then immediately lock.
-	 * For N iterations of the loop, this code does 2N+1 locks and 2N+1
-	 * unlocks.  Also note that the lock is not held when the while
-	 * condition is tested, which may or may not be important, depending
-	 * on the expression.
-	 *
-	 * As written:
-	 *
-	 *	LOCK();
-	 *	while (expression) {
-	 *		...
-	 *		UNLOCK();
-	 *
-	 *	       	Unlocked part here...
-	 *
-	 *		LOCK();
-	 *		...
-	 *	}
-	 *	UNLOCK();
-	 *
-	 * For N iterations of the loop, this code does N+1 locks and N+1
-	 * unlocks.  The while expression is always protected by the lock.
-	 */
-
-#ifndef USE_WORKER_THREADS
-	ISC_LIST_INIT(new_ready_tasks);
-	ISC_LIST_INIT(new_priority_tasks);
-#endif
-	LOCK(&manager->lock);
-
-	while (!FINISHED(manager)) {
-#ifdef USE_WORKER_THREADS
-		/*
-		 * For reasons similar to those given in the comment in
-		 * isc_task_send() above, it is safe for us to dequeue
-		 * the task while only holding the manager lock, and then
-		 * change the task to running state while only holding the
-		 * task lock.
-		 *
-		 * If a pause has been requested, don't do any work
-		 * until it's been released.
-		 */
-		while ((empty_readyq(manager) || manager->pause_requested ||
-			manager->exclusive_requested) && !FINISHED(manager))
-		{
-			XTHREADTRACE(isc_msgcat_get(isc_msgcat,
-						    ISC_MSGSET_GENERAL,
-						    ISC_MSG_WAIT, "wait"));
-			WAIT(&manager->work_available, &manager->lock);
-			XTHREADTRACE(isc_msgcat_get(isc_msgcat,
-						    ISC_MSGSET_TASK,
-						    ISC_MSG_AWAKE, "awake"));
-		}
-#else /* USE_WORKER_THREADS */
-		if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
-		    empty_readyq(manager))
-			break;
-#endif /* USE_WORKER_THREADS */
-		XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
-					    ISC_MSG_WORKING, "working"));
-
-		task = pop_readyq(manager);
-		if (task != NULL) {
-			unsigned int dispatch_count = 0;
-			isc_boolean_t done = ISC_FALSE;
-			isc_boolean_t requeue = ISC_FALSE;
-			isc_boolean_t finished = ISC_FALSE;
-			isc_event_t *event;
-
-			INSIST(VALID_TASK(task));
-
-			/*
-			 * Note we only unlock the manager lock if we actually
-			 * have a task to do.  We must reacquire the manager
-			 * lock before exiting the 'if (task != NULL)' block.
-			 */
-			manager->tasks_running++;
-			UNLOCK(&manager->lock);
-
-			LOCK(&task->lock);
-			INSIST(task->state == task_state_ready);
-			task->state = task_state_running;
-			XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-					      ISC_MSG_RUNNING, "running"));
-			isc_stdtime_get(&task->now);
-			do {
-				if (!EMPTY(task->events)) {
-					event = HEAD(task->events);
-					DEQUEUE(task->events, event, ev_link);
-
-					/*
-					 * Execute the event action.
-					 */
-					XTRACE(isc_msgcat_get(isc_msgcat,
-							    ISC_MSGSET_TASK,
-							    ISC_MSG_EXECUTE,
-							    "execute action"));
-					if (event->ev_action != NULL) {
-						UNLOCK(&task->lock);
-						(event->ev_action)(
-							(isc_task_t *)task,
-							event);
-						LOCK(&task->lock);
-					}
-					dispatch_count++;
-#ifndef USE_WORKER_THREADS
-					total_dispatch_count++;
-#endif /* USE_WORKER_THREADS */
-				}
-
-				if (task->references == 0 &&
-				    EMPTY(task->events) &&
-				    !TASK_SHUTTINGDOWN(task)) {
-					isc_boolean_t was_idle;
-
-					/*
-					 * There are no references and no
-					 * pending events for this task,
-					 * which means it will not become
-					 * runnable again via an external
-					 * action (such as sending an event
-					 * or detaching).
-					 *
-					 * We initiate shutdown to prevent
-					 * it from becoming a zombie.
-					 *
-					 * We do this here instead of in
-					 * the "if EMPTY(task->events)" block
-					 * below because:
-					 *
-					 *	If we post no shutdown events,
-					 *	we want the task to finish.
-					 *
-					 *	If we did post shutdown events,
-					 *	will still want the task's
-					 *	quantum to be applied.
-					 */
-					was_idle = task_shutdown(task);
-					INSIST(!was_idle);
-				}
-
-				if (EMPTY(task->events)) {
-					/*
-					 * Nothing else to do for this task
-					 * right now.
-					 */
-					XTRACE(isc_msgcat_get(isc_msgcat,
-							      ISC_MSGSET_TASK,
-							      ISC_MSG_EMPTY,
-							      "empty"));
-					if (task->references == 0 &&
-					    TASK_SHUTTINGDOWN(task)) {
-						/*
-						 * The task is done.
-						 */
-						XTRACE(isc_msgcat_get(
-							       isc_msgcat,
-							       ISC_MSGSET_TASK,
-							       ISC_MSG_DONE,
-							       "done"));
-						finished = ISC_TRUE;
-						task->state = task_state_done;
-					} else
-						task->state = task_state_idle;
-					done = ISC_TRUE;
-				} else if (dispatch_count >= task->quantum) {
-					/*
-					 * Our quantum has expired, but
-					 * there is more work to be done.
-					 * We'll requeue it to the ready
-					 * queue later.
-					 *
-					 * We don't check quantum until
-					 * dispatching at least one event,
-					 * so the minimum quantum is one.
-					 */
-					XTRACE(isc_msgcat_get(isc_msgcat,
-							      ISC_MSGSET_TASK,
-							      ISC_MSG_QUANTUM,
-							      "quantum"));
-					task->state = task_state_ready;
-					requeue = ISC_TRUE;
-					done = ISC_TRUE;
-				}
-			} while (!done);
-			UNLOCK(&task->lock);
-
-			if (finished)
-				task_finished(task);
-
-			LOCK(&manager->lock);
-			manager->tasks_running--;
-#ifdef USE_WORKER_THREADS
-			if (manager->exclusive_requested &&
-			    manager->tasks_running == 1) {
-				SIGNAL(&manager->exclusive_granted);
-			} else if (manager->pause_requested &&
-				   manager->tasks_running == 0) {
-				SIGNAL(&manager->paused);
-			}
-#endif /* USE_WORKER_THREADS */
-			if (requeue) {
-				/*
-				 * We know we're awake, so we don't have
-				 * to wakeup any sleeping threads if the
-				 * ready queue is empty before we requeue.
-				 *
-				 * A possible optimization if the queue is
-				 * empty is to 'goto' the 'if (task != NULL)'
-				 * block, avoiding the ENQUEUE of the task
-				 * and the subsequent immediate DEQUEUE
-				 * (since it is the only executable task).
-				 * We don't do this because then we'd be
-				 * skipping the exit_requested check.  The
-				 * cost of ENQUEUE is low anyway, especially
-				 * when you consider that we'd have to do
-				 * an extra EMPTY check to see if we could
-				 * do the optimization.  If the ready queue
-				 * were usually nonempty, the 'optimization'
-				 * might even hurt rather than help.
-				 */
-#ifdef USE_WORKER_THREADS
-				push_readyq(manager, task);
-#else
-				ENQUEUE(new_ready_tasks, task, ready_link);
-				if ((task->flags & TASK_F_PRIVILEGED) != 0)
-					ENQUEUE(new_priority_tasks, task,
-						ready_priority_link);
-#endif
-			}
-		}
-
-#ifdef USE_WORKER_THREADS
-		/*
-		 * If we are in privileged execution mode and there are no
-		 * tasks remaining on the current ready queue, then
-		 * we're stuck.  Automatically drop privileges at that
-		 * point and continue with the regular ready queue.
-		 */
-		if (manager->tasks_running == 0 && empty_readyq(manager)) {
-			manager->mode = isc_taskmgrmode_normal;
-			if (!empty_readyq(manager))
-				BROADCAST(&manager->work_available);
-		}
-#endif
-	}
-
-#ifndef USE_WORKER_THREADS
-	ISC_LIST_APPENDLIST(manager->ready_tasks, new_ready_tasks, ready_link);
-	ISC_LIST_APPENDLIST(manager->ready_priority_tasks, new_priority_tasks,
-			    ready_priority_link);
-	if (empty_readyq(manager))
-		manager->mode = isc_taskmgrmode_normal;
-#endif
-
-	UNLOCK(&manager->lock);
-}
-
-#ifdef USE_WORKER_THREADS
-static isc_threadresult_t
-#ifdef _WIN32
-WINAPI
-#endif
-run(void *uap) {
-	isc__taskmgr_t *manager = uap;
-
-	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-				    ISC_MSG_STARTING, "starting"));
-
-	dispatch(manager);
-
-	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-				    ISC_MSG_EXITING, "exiting"));
-
-#ifdef OPENSSL_LEAKS
-	ERR_remove_state(0);
-#endif
-
-	return ((isc_threadresult_t)0);
-}
-#endif /* USE_WORKER_THREADS */
-
-static void
-manager_free(isc__taskmgr_t *manager) {
-	isc_mem_t *mctx;
-
-#ifdef USE_WORKER_THREADS
-	(void)isc_condition_destroy(&manager->exclusive_granted);
-	(void)isc_condition_destroy(&manager->work_available);
-	(void)isc_condition_destroy(&manager->paused);
-	isc_mem_free(manager->mctx, manager->threads);
-#endif /* USE_WORKER_THREADS */
-	DESTROYLOCK(&manager->lock);
-	manager->common.impmagic = 0;
-	manager->common.magic = 0;
-	mctx = manager->mctx;
-	isc_mem_put(mctx, manager, sizeof(*manager));
-	isc_mem_detach(&mctx);
-
-#ifdef USE_SHARED_MANAGER
-	taskmgr = NULL;
-#endif	/* USE_SHARED_MANAGER */
-}
-
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
-		    unsigned int default_quantum, isc_taskmgr_t **managerp)
-{
-	isc_result_t result;
-	unsigned int i, started = 0;
-	isc__taskmgr_t *manager;
-
-	/*
-	 * Create a new task manager.
-	 */
-
-	REQUIRE(workers > 0);
-	REQUIRE(managerp != NULL && *managerp == NULL);
-
-#ifndef USE_WORKER_THREADS
-	UNUSED(i);
-	UNUSED(started);
-#endif
-
-#ifdef USE_SHARED_MANAGER
-	if (taskmgr != NULL) {
-		if (taskmgr->refs == 0)
-			return (ISC_R_SHUTTINGDOWN);
-		taskmgr->refs++;
-		*managerp = (isc_taskmgr_t *)taskmgr;
-		return (ISC_R_SUCCESS);
-	}
-#endif /* USE_SHARED_MANAGER */
-
-	manager = isc_mem_get(mctx, sizeof(*manager));
-	if (manager == NULL)
-		return (ISC_R_NOMEMORY);
-	manager->common.methods = &taskmgrmethods;
-	manager->common.impmagic = TASK_MANAGER_MAGIC;
-	manager->common.magic = ISCAPI_TASKMGR_MAGIC;
-	manager->mode = isc_taskmgrmode_normal;
-	manager->mctx = NULL;
-	result = isc_mutex_init(&manager->lock);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_mgr;
-
-#ifdef USE_WORKER_THREADS
-	manager->workers = 0;
-	manager->threads = isc_mem_allocate(mctx,
-					    workers * sizeof(isc_thread_t));
-	if (manager->threads == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_lock;
-	}
-	if (isc_condition_init(&manager->work_available) != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_condition_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		result = ISC_R_UNEXPECTED;
-		goto cleanup_threads;
-	}
-	if (isc_condition_init(&manager->exclusive_granted) != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_condition_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		result = ISC_R_UNEXPECTED;
-		goto cleanup_workavailable;
-	}
-	if (isc_condition_init(&manager->paused) != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_condition_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		result = ISC_R_UNEXPECTED;
-		goto cleanup_exclusivegranted;
-	}
-#endif /* USE_WORKER_THREADS */
-	if (default_quantum == 0)
-		default_quantum = DEFAULT_DEFAULT_QUANTUM;
-	manager->default_quantum = default_quantum;
-	INIT_LIST(manager->tasks);
-	INIT_LIST(manager->ready_tasks);
-	INIT_LIST(manager->ready_priority_tasks);
-	manager->tasks_running = 0;
-	manager->exclusive_requested = ISC_FALSE;
-	manager->pause_requested = ISC_FALSE;
-	manager->exiting = ISC_FALSE;
-	manager->excl = NULL;
-
-	isc_mem_attach(mctx, &manager->mctx);
-
-#ifdef USE_WORKER_THREADS
-	LOCK(&manager->lock);
-	/*
-	 * Start workers.
-	 */
-	for (i = 0; i < workers; i++) {
-		if (isc_thread_create(run, manager,
-				      &manager->threads[manager->workers]) ==
-		    ISC_R_SUCCESS) {
-			manager->workers++;
-			started++;
-		}
-	}
-	UNLOCK(&manager->lock);
-
-	if (started == 0) {
-		manager_free(manager);
-		return (ISC_R_NOTHREADS);
-	}
-	isc_thread_setconcurrency(workers);
-#endif /* USE_WORKER_THREADS */
-#ifdef USE_SHARED_MANAGER
-	manager->refs = 1;
-	taskmgr = manager;
-#endif /* USE_SHARED_MANAGER */
-
-	*managerp = (isc_taskmgr_t *)manager;
-
-	return (ISC_R_SUCCESS);
-
-#ifdef USE_WORKER_THREADS
- cleanup_exclusivegranted:
-	(void)isc_condition_destroy(&manager->exclusive_granted);
- cleanup_workavailable:
-	(void)isc_condition_destroy(&manager->work_available);
- cleanup_threads:
-	isc_mem_free(mctx, manager->threads);
- cleanup_lock:
-	DESTROYLOCK(&manager->lock);
-#endif
- cleanup_mgr:
-	isc_mem_put(mctx, manager, sizeof(*manager));
-	return (result);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
-	isc__taskmgr_t *manager;
-	isc__task_t *task;
-	unsigned int i;
-
-	/*
-	 * Destroy '*managerp'.
-	 */
-
-	REQUIRE(managerp != NULL);
-	manager = (isc__taskmgr_t *)*managerp;
-	REQUIRE(VALID_MANAGER(manager));
-
-#ifndef USE_WORKER_THREADS
-	UNUSED(i);
-#endif /* USE_WORKER_THREADS */
-
-#ifdef USE_SHARED_MANAGER
-	manager->refs--;
-	if (manager->refs > 0) {
-		*managerp = NULL;
-		return;
-	}
-#endif
-
-	XTHREADTRACE("isc_taskmgr_destroy");
-	/*
-	 * Only one non-worker thread may ever call this routine.
-	 * If a worker thread wants to initiate shutdown of the
-	 * task manager, it should ask some non-worker thread to call
-	 * isc_taskmgr_destroy(), e.g. by signalling a condition variable
-	 * that the startup thread is sleeping on.
-	 */
-
-	/*
-	 * Detach the exclusive task before acquiring the manager lock
-	 */
-	if (manager->excl != NULL)
-		isc__task_detach((isc_task_t **) &manager->excl);
-
-	/*
-	 * Unlike elsewhere, we're going to hold this lock a long time.
-	 * We need to do so, because otherwise the list of tasks could
-	 * change while we were traversing it.
-	 *
-	 * This is also the only function where we will hold both the
-	 * task manager lock and a task lock at the same time.
-	 */
-
-	LOCK(&manager->lock);
-
-	/*
-	 * Make sure we only get called once.
-	 */
-	INSIST(!manager->exiting);
-	manager->exiting = ISC_TRUE;
-
-	/*
-	 * If privileged mode was on, turn it off.
-	 */
-	manager->mode = isc_taskmgrmode_normal;
-
-	/*
-	 * Post shutdown event(s) to every task (if they haven't already been
-	 * posted).
-	 */
-	for (task = HEAD(manager->tasks);
-	     task != NULL;
-	     task = NEXT(task, link)) {
-		LOCK(&task->lock);
-		if (task_shutdown(task))
-			push_readyq(manager, task);
-		UNLOCK(&task->lock);
-	}
-#ifdef USE_WORKER_THREADS
-	/*
-	 * Wake up any sleeping workers.  This ensures we get work done if
-	 * there's work left to do, and if there are already no tasks left
-	 * it will cause the workers to see manager->exiting.
-	 */
-	BROADCAST(&manager->work_available);
-	UNLOCK(&manager->lock);
-
-	/*
-	 * Wait for all the worker threads to exit.
-	 */
-	for (i = 0; i < manager->workers; i++)
-		(void)isc_thread_join(manager->threads[i], NULL);
-#else /* USE_WORKER_THREADS */
-	/*
-	 * Dispatch the shutdown events.
-	 */
-	UNLOCK(&manager->lock);
-	while (isc__taskmgr_ready((isc_taskmgr_t *)manager))
-		(void)isc__taskmgr_dispatch((isc_taskmgr_t *)manager);
-#ifdef BIND9
-	if (!ISC_LIST_EMPTY(manager->tasks))
-		isc_mem_printallactive(stderr);
-#endif
-	INSIST(ISC_LIST_EMPTY(manager->tasks));
-#ifdef USE_SHARED_MANAGER
-	taskmgr = NULL;
-#endif
-#endif /* USE_WORKER_THREADS */
-
-	manager_free(manager);
-
-	*managerp = NULL;
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__taskmgr_setmode(isc_taskmgr_t *manager0, isc_taskmgrmode_t mode) {
-	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
-
-	LOCK(&manager->lock);
-	manager->mode = mode;
-	UNLOCK(&manager->lock);
-}
-
-ISC_TASKFUNC_SCOPE isc_taskmgrmode_t
-isc__taskmgr_mode(isc_taskmgr_t *manager0) {
-	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
-	isc_taskmgrmode_t mode;
-	LOCK(&manager->lock);
-	mode = manager->mode;
-	UNLOCK(&manager->lock);
-	return (mode);
-}
-
-#ifndef USE_WORKER_THREADS
-isc_boolean_t
-isc__taskmgr_ready(isc_taskmgr_t *manager0) {
-	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
-	isc_boolean_t is_ready;
-
-#ifdef USE_SHARED_MANAGER
-	if (manager == NULL)
-		manager = taskmgr;
-#endif
-	if (manager == NULL)
-		return (ISC_FALSE);
-
-	LOCK(&manager->lock);
-	is_ready = !empty_readyq(manager);
-	UNLOCK(&manager->lock);
-
-	return (is_ready);
-}
-
-isc_result_t
-isc__taskmgr_dispatch(isc_taskmgr_t *manager0) {
-	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
-
-#ifdef USE_SHARED_MANAGER
-	if (manager == NULL)
-		manager = taskmgr;
-#endif
-	if (manager == NULL)
-		return (ISC_R_NOTFOUND);
-
-	dispatch(manager);
-
-	return (ISC_R_SUCCESS);
-}
-
-#else
-ISC_TASKFUNC_SCOPE void
-isc__taskmgr_pause(isc_taskmgr_t *manager0) {
-	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
-	LOCK(&manager->lock);
-	while (manager->tasks_running > 0) {
-		WAIT(&manager->paused, &manager->lock);
-	}
-	manager->pause_requested = ISC_TRUE;
-	UNLOCK(&manager->lock);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__taskmgr_resume(isc_taskmgr_t *manager0) {
-	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
-
-	LOCK(&manager->lock);
-	if (manager->pause_requested) {
-		manager->pause_requested = ISC_FALSE;
-		BROADCAST(&manager->work_available);
-	}
-	UNLOCK(&manager->lock);
-}
-#endif /* USE_WORKER_THREADS */
-
-ISC_TASKFUNC_SCOPE void
-isc__taskmgr_setexcltask(isc_taskmgr_t *mgr0, isc_task_t *task0) {
-	isc__taskmgr_t *mgr = (isc__taskmgr_t *) mgr0;
-	isc__task_t *task = (isc__task_t *) task0;
-
-	REQUIRE(VALID_MANAGER(mgr));
-	REQUIRE(VALID_TASK(task));
-	if (mgr->excl != NULL)
-		isc__task_detach((isc_task_t **) &mgr->excl);
-	isc__task_attach(task0, (isc_task_t **) &mgr->excl);
-}
-
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__taskmgr_excltask(isc_taskmgr_t *mgr0, isc_task_t **taskp) {
-	isc__taskmgr_t *mgr = (isc__taskmgr_t *) mgr0;
-
-	REQUIRE(VALID_MANAGER(mgr));
-	REQUIRE(taskp != NULL && *taskp == NULL);
-
-	if (mgr->excl == NULL)
-		return (ISC_R_NOTFOUND);
-
-	isc__task_attach((isc_task_t *) mgr->excl, taskp);
-	return (ISC_R_SUCCESS);
-}
-
-ISC_TASKFUNC_SCOPE isc_result_t
-isc__task_beginexclusive(isc_task_t *task0) {
-#ifdef USE_WORKER_THREADS
-	isc__task_t *task = (isc__task_t *)task0;
-	isc__taskmgr_t *manager = task->manager;
-
-	REQUIRE(task->state == task_state_running);
-	/* XXX: Require task == manager->excl? */
-
-	LOCK(&manager->lock);
-	if (manager->exclusive_requested) {
-		UNLOCK(&manager->lock);
-		return (ISC_R_LOCKBUSY);
-	}
-	manager->exclusive_requested = ISC_TRUE;
-	while (manager->tasks_running > 1) {
-		WAIT(&manager->exclusive_granted, &manager->lock);
-	}
-	UNLOCK(&manager->lock);
-#else
-	UNUSED(task0);
-#endif
-	return (ISC_R_SUCCESS);
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_endexclusive(isc_task_t *task0) {
-#ifdef USE_WORKER_THREADS
-	isc__task_t *task = (isc__task_t *)task0;
-	isc__taskmgr_t *manager = task->manager;
-
-	REQUIRE(task->state == task_state_running);
-	LOCK(&manager->lock);
-	REQUIRE(manager->exclusive_requested);
-	manager->exclusive_requested = ISC_FALSE;
-	BROADCAST(&manager->work_available);
-	UNLOCK(&manager->lock);
-#else
-	UNUSED(task0);
-#endif
-}
-
-ISC_TASKFUNC_SCOPE void
-isc__task_setprivilege(isc_task_t *task0, isc_boolean_t priv) {
-	isc__task_t *task = (isc__task_t *)task0;
-	isc__taskmgr_t *manager = task->manager;
-	isc_boolean_t oldpriv;
-
-	LOCK(&task->lock);
-	oldpriv = ISC_TF((task->flags & TASK_F_PRIVILEGED) != 0);
-	if (priv)
-		task->flags |= TASK_F_PRIVILEGED;
-	else
-		task->flags &= ~TASK_F_PRIVILEGED;
-	UNLOCK(&task->lock);
-
-	if (priv == oldpriv)
-		return;
-
-	LOCK(&manager->lock);
-	if (priv && ISC_LINK_LINKED(task, ready_link))
-		ENQUEUE(manager->ready_priority_tasks, task,
-			ready_priority_link);
-	else if (!priv && ISC_LINK_LINKED(task, ready_priority_link))
-		DEQUEUE(manager->ready_priority_tasks, task,
-			ready_priority_link);
-	UNLOCK(&manager->lock);
-}
-
-ISC_TASKFUNC_SCOPE isc_boolean_t
-isc__task_privilege(isc_task_t *task0) {
-	isc__task_t *task = (isc__task_t *)task0;
-	isc_boolean_t priv;
-
-	LOCK(&task->lock);
-	priv = ISC_TF((task->flags & TASK_F_PRIVILEGED) != 0);
-	UNLOCK(&task->lock);
-	return (priv);
-}
-
-#ifdef USE_SOCKETIMPREGISTER
-isc_result_t
-isc__task_register() {
-	return (isc_task_register(isc__taskmgr_create));
-}
-#endif
-
-isc_boolean_t
-isc_task_exiting(isc_task_t *t) {
-	isc__task_t *task = (isc__task_t *)t;
-
-	REQUIRE(VALID_TASK(task));
-	return (TASK_SHUTTINGDOWN(task));
-}
-
-
-#if defined(HAVE_LIBXML2) && defined(BIND9)
-#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
-int
-isc_taskmgr_renderxml(isc_taskmgr_t *mgr0, xmlTextWriterPtr writer) {
-	isc__taskmgr_t *mgr = (isc__taskmgr_t *)mgr0;
-	isc__task_t *task = NULL;
-	int xmlrc;
-
-	LOCK(&mgr->lock);
-
-	/*
-	 * Write out the thread-model, and some details about each depending
-	 * on which type is enabled.
-	 */
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "thread-model"));
-#ifdef ISC_PLATFORM_USETHREADS
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "type"));
-	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "threaded"));
-	TRY0(xmlTextWriterEndElement(writer)); /* type */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "worker-threads"));
-	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->workers));
-	TRY0(xmlTextWriterEndElement(writer)); /* worker-threads */
-#else /* ISC_PLATFORM_USETHREADS */
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "type"));
-	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "non-threaded"));
-	TRY0(xmlTextWriterEndElement(writer)); /* type */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "references"));
-	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->refs));
-	TRY0(xmlTextWriterEndElement(writer)); /* references */
-#endif /* ISC_PLATFORM_USETHREADS */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "default-quantum"));
-	TRY0(xmlTextWriterWriteFormatString(writer, "%d",
-					    mgr->default_quantum));
-	TRY0(xmlTextWriterEndElement(writer)); /* default-quantum */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks-running"));
-	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->tasks_running));
-	TRY0(xmlTextWriterEndElement(writer)); /* tasks-running */
-
-	TRY0(xmlTextWriterEndElement(writer)); /* thread-model */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks"));
-	task = ISC_LIST_HEAD(mgr->tasks);
-	while (task != NULL) {
-		LOCK(&task->lock);
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "task"));
-
-		if (task->name[0] != 0) {
-			TRY0(xmlTextWriterStartElement(writer,
-						       ISC_XMLCHAR "name"));
-			TRY0(xmlTextWriterWriteFormatString(writer, "%s",
-						       task->name));
-			TRY0(xmlTextWriterEndElement(writer)); /* name */
-		}
-
-		TRY0(xmlTextWriterStartElement(writer,
-					       ISC_XMLCHAR "references"));
-		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
-						    task->references));
-		TRY0(xmlTextWriterEndElement(writer)); /* references */
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
-		TRY0(xmlTextWriterWriteFormatString(writer, "%p", task));
-		TRY0(xmlTextWriterEndElement(writer)); /* id */
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "state"));
-		TRY0(xmlTextWriterWriteFormatString(writer, "%s",
-					       statenames[task->state]));
-		TRY0(xmlTextWriterEndElement(writer)); /* state */
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "quantum"));
-		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
-						    task->quantum));
-		TRY0(xmlTextWriterEndElement(writer)); /* quantum */
-
-		TRY0(xmlTextWriterEndElement(writer));
-
-		UNLOCK(&task->lock);
-		task = ISC_LIST_NEXT(task, link);
-	}
-	TRY0(xmlTextWriterEndElement(writer)); /* tasks */
-
- error:
-	if (task != NULL)
-		UNLOCK(&task->lock);
-	UNLOCK(&mgr->lock);
-
-	return (xmlrc);
-}
-#endif /* HAVE_LIBXML2 && BIND9 */
diff --git a/contrib/bind9/lib/isc/task_api.c b/contrib/bind9/lib/isc/task_api.c
deleted file mode 100644
index f49ab32..0000000
--- a/contrib/bind9/lib/isc/task_api.c
+++ /dev/null
@@ -1,255 +0,0 @@
-/*
- * Copyright (C) 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <unistd.h>
-
-#include <isc/app.h>
-#include <isc/magic.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-static isc_mutex_t createlock;
-static isc_once_t once = ISC_ONCE_INIT;
-static isc_taskmgrcreatefunc_t taskmgr_createfunc = NULL;
-
-static void
-initialize(void) {
-	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_task_register(isc_taskmgrcreatefunc_t createfunc) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
-	LOCK(&createlock);
-	if (taskmgr_createfunc == NULL)
-		taskmgr_createfunc = createfunc;
-	else
-		result = ISC_R_EXISTS;
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-isc_result_t
-isc_taskmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
-			unsigned int workers, unsigned int default_quantum,
-			isc_taskmgr_t **managerp)
-{
-	isc_result_t result;
-
-	LOCK(&createlock);
-
-	REQUIRE(taskmgr_createfunc != NULL);
-	result = (*taskmgr_createfunc)(mctx, workers, default_quantum,
-				       managerp);
-
-	UNLOCK(&createlock);
-
-	if (result == ISC_R_SUCCESS)
-		isc_appctx_settaskmgr(actx, *managerp);
-
-	return (result);
-}
-
-isc_result_t
-isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
-		   unsigned int default_quantum, isc_taskmgr_t **managerp)
-{
-	isc_result_t result;
-
-	LOCK(&createlock);
-
-	REQUIRE(taskmgr_createfunc != NULL);
-	result = (*taskmgr_createfunc)(mctx, workers, default_quantum,
-				       managerp);
-
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-void
-isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
-	REQUIRE(managerp != NULL && ISCAPI_TASKMGR_VALID(*managerp));
-
-	(*managerp)->methods->destroy(managerp);
-
-	ENSURE(*managerp == NULL);
-}
-
-void
-isc_taskmgr_setmode(isc_taskmgr_t *manager, isc_taskmgrmode_t mode) {
-	REQUIRE(ISCAPI_TASKMGR_VALID(manager));
-
-	manager->methods->setmode(manager, mode);
-}
-
-isc_taskmgrmode_t
-isc_taskmgr_mode(isc_taskmgr_t *manager) {
-	REQUIRE(ISCAPI_TASKMGR_VALID(manager));
-
-	return (manager->methods->mode(manager));
-}
-
-isc_result_t
-isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
-		isc_task_t **taskp)
-{
-	REQUIRE(ISCAPI_TASKMGR_VALID(manager));
-	REQUIRE(taskp != NULL && *taskp == NULL);
-
-	return (manager->methods->taskcreate(manager, quantum, taskp));
-}
-
-void
-isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
-	REQUIRE(ISCAPI_TASK_VALID(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	source->methods->attach(source, targetp);
-
-	ENSURE(*targetp == source);
-}
-
-void
-isc_task_detach(isc_task_t **taskp) {
-	REQUIRE(taskp != NULL && ISCAPI_TASK_VALID(*taskp));
-
-	(*taskp)->methods->detach(taskp);
-
-	ENSURE(*taskp == NULL);
-}
-
-void
-isc_task_send(isc_task_t *task, isc_event_t **eventp) {
-	REQUIRE(ISCAPI_TASK_VALID(task));
-	REQUIRE(eventp != NULL && *eventp != NULL);
-
-	task->methods->send(task, eventp);
-
-	ENSURE(*eventp == NULL);
-}
-
-void
-isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
-	REQUIRE(taskp != NULL && ISCAPI_TASK_VALID(*taskp));
-	REQUIRE(eventp != NULL && *eventp != NULL);
-
-	(*taskp)->methods->sendanddetach(taskp, eventp);
-
-	ENSURE(*taskp == NULL && *eventp == NULL);
-}
-
-unsigned int
-isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
-		void *tag, isc_eventlist_t *events)
-{
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	return (task->methods->unsend(task, sender, type, tag, events));
-}
-
-isc_result_t
-isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	return (task->methods->onshutdown(task, action, arg));
-}
-
-void
-isc_task_shutdown(isc_task_t *task) {
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	task->methods->shutdown(task);
-}
-
-void
-isc_task_setname(isc_task_t *task, const char *name, void *tag) {
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	task->methods->setname(task, name, tag);
-}
-
-unsigned int
-isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type, void *tag)
-{
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	return (task->methods->purgeevents(task, sender, type, tag));
-}
-
-void
-isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task) {
-	REQUIRE(ISCAPI_TASK_VALID(task));
-	return (mgr->methods->setexcltask(mgr, task));
-}
-
-isc_result_t
-isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp) {
-	return (mgr->methods->excltask(mgr, taskp));
-}
-
-isc_result_t
-isc_task_beginexclusive(isc_task_t *task) {
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	return (task->methods->beginexclusive(task));
-}
-
-void
-isc_task_endexclusive(isc_task_t *task) {
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	task->methods->endexclusive(task);
-}
-
-void
-isc_task_setprivilege(isc_task_t *task, isc_boolean_t priv) {
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	task->methods->setprivilege(task, priv);
-}
-
-isc_boolean_t
-isc_task_privilege(isc_task_t *task) {
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	return (task->methods->privilege(task));
-}
-
-
-/*%
- * This is necessary for libisc's internal timer implementation.  Other
- * implementation might skip implementing this.
- */
-unsigned int
-isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
-		    isc_eventtype_t last, void *tag)
-{
-	REQUIRE(ISCAPI_TASK_VALID(task));
-
-	return (task->methods->purgerange(task, sender, first, last, tag));
-}
diff --git a/contrib/bind9/lib/isc/task_p.h b/contrib/bind9/lib/isc/task_p.h
deleted file mode 100644
index 8c1e4c5..0000000
--- a/contrib/bind9/lib/isc/task_p.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_TASK_P_H
-#define ISC_TASK_P_H
-
-/*! \file */
-
-#if defined(BIND9) && defined(ISC_PLATFORM_USETHREADS)
-void
-isc__taskmgr_pause(isc_taskmgr_t *taskmgr);
-
-void
-isc__taskmgr_resume(isc_taskmgr_t *taskmgr);
-#else
-isc_boolean_t
-isc__taskmgr_ready(isc_taskmgr_t *taskmgr);
-
-isc_result_t
-isc__taskmgr_dispatch(isc_taskmgr_t *taskmgr);
-#endif /* !BIND9 || !ISC_PLATFORM_USETHREADS */
-
-#endif /* ISC_TASK_P_H */
diff --git a/contrib/bind9/lib/isc/taskpool.c b/contrib/bind9/lib/isc/taskpool.c
deleted file mode 100644
index a5ce0e8..0000000
--- a/contrib/bind9/lib/isc/taskpool.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/random.h>
-#include <isc/taskpool.h>
-#include <isc/util.h>
-
-/***
- *** Types.
- ***/
-
-struct isc_taskpool {
-	isc_mem_t *			mctx;
-	isc_taskmgr_t *			tmgr;
-	unsigned int			ntasks;
-	unsigned int			quantum;
-	isc_task_t **			tasks;
-};
-
-/***
- *** Functions.
- ***/
-
-static isc_result_t
-alloc_pool(isc_taskmgr_t *tmgr, isc_mem_t *mctx, unsigned int ntasks,
-	   unsigned int quantum, isc_taskpool_t **poolp)
-{
-	isc_taskpool_t *pool;
-	unsigned int i;
-
-	pool = isc_mem_get(mctx, sizeof(*pool));
-	if (pool == NULL)
-		return (ISC_R_NOMEMORY);
-
-	pool->mctx = NULL;
-	isc_mem_attach(mctx, &pool->mctx);
-	pool->ntasks = ntasks;
-	pool->quantum = quantum;
-	pool->tmgr = tmgr;
-	pool->tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
-	if (pool->tasks == NULL) {
-		isc_mem_putanddetach(&pool->mctx, pool, sizeof(*pool));
-		return (ISC_R_NOMEMORY);
-	}
-	for (i = 0; i < ntasks; i++)
-		pool->tasks[i] = NULL;
-
-	*poolp = pool;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
-		    unsigned int ntasks, unsigned int quantum,
-		    isc_taskpool_t **poolp)
-{
-	unsigned int i;
-	isc_taskpool_t *pool = NULL;
-	isc_result_t result;
-
-	INSIST(ntasks > 0);
-
-	/* Allocate the pool structure */
-	result = alloc_pool(tmgr, mctx, ntasks, quantum, &pool);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/* Create the tasks */
-	for (i = 0; i < ntasks; i++) {
-		result = isc_task_create(tmgr, quantum, &pool->tasks[i]);
-		if (result != ISC_R_SUCCESS) {
-			isc_taskpool_destroy(&pool);
-			return (result);
-		}
-		isc_task_setname(pool->tasks[i], "taskpool", NULL);
-	}
-
-	*poolp = pool;
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_taskpool_gettask(isc_taskpool_t *pool, isc_task_t **targetp) {
-	isc_uint32_t i;
-	isc_random_get(&i);
-	isc_task_attach(pool->tasks[i % pool->ntasks], targetp);
-}
-
-int
-isc_taskpool_size(isc_taskpool_t *pool) {
-	REQUIRE(pool != NULL);
-	return (pool->ntasks);
-}
-
-isc_result_t
-isc_taskpool_expand(isc_taskpool_t **sourcep, unsigned int size,
-		    isc_taskpool_t **targetp)
-{
-	isc_result_t result;
-	isc_taskpool_t *pool;
-
-	REQUIRE(sourcep != NULL && *sourcep != NULL);
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	pool = *sourcep;
-	if (size > pool->ntasks) {
-		isc_taskpool_t *newpool = NULL;
-		unsigned int i;
-
-		/* Allocate a new pool structure */
-		result = alloc_pool(pool->tmgr, pool->mctx, size,
-				    pool->quantum, &newpool);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-
-		/* Copy over the tasks from the old pool */
-		for (i = 0; i < pool->ntasks; i++) {
-			newpool->tasks[i] = pool->tasks[i];
-			pool->tasks[i] = NULL;
-		}
-
-		/* Create new tasks */
-		for (i = pool->ntasks; i < size; i++) {
-			result = isc_task_create(pool->tmgr, pool->quantum,
-						 &newpool->tasks[i]);
-			if (result != ISC_R_SUCCESS) {
-				isc_taskpool_destroy(&newpool);
-				return (result);
-			}
-			isc_task_setname(newpool->tasks[i], "taskpool", NULL);
-		}
-
-		isc_taskpool_destroy(&pool);
-		pool = newpool;
-	}
-
-	*sourcep = NULL;
-	*targetp = pool;
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc_taskpool_destroy(isc_taskpool_t **poolp) {
-	unsigned int i;
-	isc_taskpool_t *pool = *poolp;
-	for (i = 0; i < pool->ntasks; i++) {
-		if (pool->tasks[i] != NULL)
-			isc_task_detach(&pool->tasks[i]);
-	}
-	isc_mem_put(pool->mctx, pool->tasks,
-		    pool->ntasks * sizeof(isc_task_t *));
-	isc_mem_putanddetach(&pool->mctx, pool, sizeof(*pool));
-	*poolp = NULL;
-}
-
-void
-isc_taskpool_setprivilege(isc_taskpool_t *pool, isc_boolean_t priv) {
-	unsigned int i;
-
-	REQUIRE(pool != NULL);
-
-	for (i = 0; i < pool->ntasks; i++) {
-		if (pool->tasks[i] != NULL)
-			isc_task_setprivilege(pool->tasks[i], priv);
-	}
-}
diff --git a/contrib/bind9/lib/isc/timer.c b/contrib/bind9/lib/isc/timer.c
deleted file mode 100644
index 23fcbbe..0000000
--- a/contrib/bind9/lib/isc/timer.c
+++ /dev/null
@@ -1,1072 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/condition.h>
-#include <isc/heap.h>
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/platform.h>
-#include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/time.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#ifdef OPENSSL_LEAKS
-#include <openssl/err.h>
-#endif
-
-/* See task.c about the following definition: */
-#ifdef BIND9
-#ifdef ISC_PLATFORM_USETHREADS
-#define USE_TIMER_THREAD
-#else
-#define USE_SHARED_MANAGER
-#endif	/* ISC_PLATFORM_USETHREADS */
-#endif	/* BIND9 */
-
-#ifndef USE_TIMER_THREAD
-#include "timer_p.h"
-#endif /* USE_TIMER_THREAD */
-
-#ifdef ISC_TIMER_TRACE
-#define XTRACE(s)			fprintf(stderr, "%s\n", (s))
-#define XTRACEID(s, t)			fprintf(stderr, "%s %p\n", (s), (t))
-#define XTRACETIME(s, d)		fprintf(stderr, "%s %u.%09u\n", (s), \
-					       (d).seconds, (d).nanoseconds)
-#define XTRACETIME2(s, d, n)		fprintf(stderr, "%s %u.%09u %u.%09u\n", (s), \
-					       (d).seconds, (d).nanoseconds, (n).seconds, (n).nanoseconds)
-#define XTRACETIMER(s, t, d)		fprintf(stderr, "%s %p %u.%09u\n", (s), (t), \
-					       (d).seconds, (d).nanoseconds)
-#else
-#define XTRACE(s)
-#define XTRACEID(s, t)
-#define XTRACETIME(s, d)
-#define XTRACETIME2(s, d, n)
-#define XTRACETIMER(s, t, d)
-#endif /* ISC_TIMER_TRACE */
-
-#define TIMER_MAGIC			ISC_MAGIC('T', 'I', 'M', 'R')
-#define VALID_TIMER(t)			ISC_MAGIC_VALID(t, TIMER_MAGIC)
-
-typedef struct isc__timer isc__timer_t;
-typedef struct isc__timermgr isc__timermgr_t;
-
-struct isc__timer {
-	/*! Not locked. */
-	isc_timer_t			common;
-	isc__timermgr_t *		manager;
-	isc_mutex_t			lock;
-	/*! Locked by timer lock. */
-	unsigned int			references;
-	isc_time_t			idle;
-	/*! Locked by manager lock. */
-	isc_timertype_t			type;
-	isc_time_t			expires;
-	isc_interval_t			interval;
-	isc_task_t *			task;
-	isc_taskaction_t		action;
-	void *				arg;
-	unsigned int			index;
-	isc_time_t			due;
-	LINK(isc__timer_t)		link;
-};
-
-#define TIMER_MANAGER_MAGIC		ISC_MAGIC('T', 'I', 'M', 'M')
-#define VALID_MANAGER(m)		ISC_MAGIC_VALID(m, TIMER_MANAGER_MAGIC)
-
-struct isc__timermgr {
-	/* Not locked. */
-	isc_timermgr_t			common;
-	isc_mem_t *			mctx;
-	isc_mutex_t			lock;
-	/* Locked by manager lock. */
-	isc_boolean_t			done;
-	LIST(isc__timer_t)		timers;
-	unsigned int			nscheduled;
-	isc_time_t			due;
-#ifdef USE_TIMER_THREAD
-	isc_condition_t			wakeup;
-	isc_thread_t			thread;
-#endif	/* USE_TIMER_THREAD */
-#ifdef USE_SHARED_MANAGER
-	unsigned int			refs;
-#endif /* USE_SHARED_MANAGER */
-	isc_heap_t *			heap;
-};
-
-/*%
- * The followings can be either static or public, depending on build
- * environment.
- */
-
-#ifdef BIND9
-#define ISC_TIMERFUNC_SCOPE
-#else
-#define ISC_TIMERFUNC_SCOPE static
-#endif
-
-ISC_TIMERFUNC_SCOPE isc_result_t
-isc__timer_create(isc_timermgr_t *manager, isc_timertype_t type,
-		  const isc_time_t *expires, const isc_interval_t *interval,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg,
-		  isc_timer_t **timerp);
-ISC_TIMERFUNC_SCOPE isc_result_t
-isc__timer_reset(isc_timer_t *timer, isc_timertype_t type,
-		 const  isc_time_t *expires, const isc_interval_t *interval,
-		 isc_boolean_t purge);
-ISC_TIMERFUNC_SCOPE isc_timertype_t
-isc__timer_gettype(isc_timer_t *timer);
-ISC_TIMERFUNC_SCOPE isc_result_t
-isc__timer_touch(isc_timer_t *timer);
-ISC_TIMERFUNC_SCOPE void
-isc__timer_attach(isc_timer_t *timer0, isc_timer_t **timerp);
-ISC_TIMERFUNC_SCOPE void
-isc__timer_detach(isc_timer_t **timerp);
-ISC_TIMERFUNC_SCOPE isc_result_t
-isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
-ISC_TIMERFUNC_SCOPE void
-isc__timermgr_poke(isc_timermgr_t *manager0);
-ISC_TIMERFUNC_SCOPE void
-isc__timermgr_destroy(isc_timermgr_t **managerp);
-
-static struct isc__timermethods {
-	isc_timermethods_t methods;
-
-	/*%
-	 * The following are defined just for avoiding unused static functions.
-	 */
-#ifndef BIND9
-	void *gettype;
-#endif
-} timermethods = {
-	{
-		isc__timer_attach,
-		isc__timer_detach,
-		isc__timer_reset,
-		isc__timer_touch
-	}
-#ifndef BIND9
-	,
-	(void *)isc__timer_gettype
-#endif
-};
-
-static struct isc__timermgrmethods {
-	isc_timermgrmethods_t methods;
-#ifndef BIND9
-	void *poke;		/* see above */
-#endif
-} timermgrmethods = {
-	{
-		isc__timermgr_destroy,
-		isc__timer_create
-	}
-#ifndef BIND9
-	,
-	(void *)isc__timermgr_poke
-#endif
-};
-
-#ifdef USE_SHARED_MANAGER
-/*!
- * If the manager is supposed to be shared, there can be only one.
- */
-static isc__timermgr_t *timermgr = NULL;
-#endif /* USE_SHARED_MANAGER */
-
-static inline isc_result_t
-schedule(isc__timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
-	isc_result_t result;
-	isc__timermgr_t *manager;
-	isc_time_t due;
-	int cmp;
-#ifdef USE_TIMER_THREAD
-	isc_boolean_t timedwait;
-#endif
-
-	/*!
-	 * Note: the caller must ensure locking.
-	 */
-
-	REQUIRE(timer->type != isc_timertype_inactive);
-
-#ifndef USE_TIMER_THREAD
-	UNUSED(signal_ok);
-#endif /* USE_TIMER_THREAD */
-
-	manager = timer->manager;
-
-#ifdef USE_TIMER_THREAD
-	/*!
-	 * If the manager was timed wait, we may need to signal the
-	 * manager to force a wakeup.
-	 */
-	timedwait = ISC_TF(manager->nscheduled > 0 &&
-			   isc_time_seconds(&manager->due) != 0);
-#endif
-
-	/*
-	 * Compute the new due time.
-	 */
-	if (timer->type != isc_timertype_once) {
-		result = isc_time_add(now, &timer->interval, &due);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		if (timer->type == isc_timertype_limited &&
-		    isc_time_compare(&timer->expires, &due) < 0)
-			due = timer->expires;
-	} else {
-		if (isc_time_isepoch(&timer->idle))
-			due = timer->expires;
-		else if (isc_time_isepoch(&timer->expires))
-			due = timer->idle;
-		else if (isc_time_compare(&timer->idle, &timer->expires) < 0)
-			due = timer->idle;
-		else
-			due = timer->expires;
-	}
-
-	/*
-	 * Schedule the timer.
-	 */
-
-	if (timer->index > 0) {
-		/*
-		 * Already scheduled.
-		 */
-		cmp = isc_time_compare(&due, &timer->due);
-		timer->due = due;
-		switch (cmp) {
-		case -1:
-			isc_heap_increased(manager->heap, timer->index);
-			break;
-		case 1:
-			isc_heap_decreased(manager->heap, timer->index);
-			break;
-		case 0:
-			/* Nothing to do. */
-			break;
-		}
-	} else {
-		timer->due = due;
-		result = isc_heap_insert(manager->heap, timer);
-		if (result != ISC_R_SUCCESS) {
-			INSIST(result == ISC_R_NOMEMORY);
-			return (ISC_R_NOMEMORY);
-		}
-		manager->nscheduled++;
-	}
-
-	XTRACETIMER(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
-				   ISC_MSG_SCHEDULE, "schedule"), timer, due);
-
-	/*
-	 * If this timer is at the head of the queue, we need to ensure
-	 * that we won't miss it if it has a more recent due time than
-	 * the current "next" timer.  We do this either by waking up the
-	 * run thread, or explicitly setting the value in the manager.
-	 */
-#ifdef USE_TIMER_THREAD
-
-	/*
-	 * This is a temporary (probably) hack to fix a bug on tru64 5.1
-	 * and 5.1a.  Sometimes, pthread_cond_timedwait() doesn't actually
-	 * return when the time expires, so here, we check to see if
-	 * we're 15 seconds or more behind, and if we are, we signal
-	 * the dispatcher.  This isn't such a bad idea as a general purpose
-	 * watchdog, so perhaps we should just leave it in here.
-	 */
-	if (signal_ok && timedwait) {
-		isc_interval_t fifteen;
-		isc_time_t then;
-
-		isc_interval_set(&fifteen, 15, 0);
-		result = isc_time_add(&manager->due, &fifteen, &then);
-
-		if (result == ISC_R_SUCCESS &&
-		    isc_time_compare(&then, now) < 0) {
-			SIGNAL(&manager->wakeup);
-			signal_ok = ISC_FALSE;
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_TIMER, ISC_LOG_WARNING,
-				      "*** POKED TIMER ***");
-		}
-	}
-
-	if (timer->index == 1 && signal_ok) {
-		XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
-				      ISC_MSG_SIGNALSCHED,
-				      "signal (schedule)"));
-		SIGNAL(&manager->wakeup);
-	}
-#else /* USE_TIMER_THREAD */
-	if (timer->index == 1 &&
-	    isc_time_compare(&timer->due, &manager->due) < 0)
-		manager->due = timer->due;
-#endif /* USE_TIMER_THREAD */
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-deschedule(isc__timer_t *timer) {
-#ifdef USE_TIMER_THREAD
-	isc_boolean_t need_wakeup = ISC_FALSE;
-#endif
-	isc__timermgr_t *manager;
-
-	/*
-	 * The caller must ensure locking.
-	 */
-
-	manager = timer->manager;
-	if (timer->index > 0) {
-#ifdef USE_TIMER_THREAD
-		if (timer->index == 1)
-			need_wakeup = ISC_TRUE;
-#endif
-		isc_heap_delete(manager->heap, timer->index);
-		timer->index = 0;
-		INSIST(manager->nscheduled > 0);
-		manager->nscheduled--;
-#ifdef USE_TIMER_THREAD
-		if (need_wakeup) {
-			XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
-					      ISC_MSG_SIGNALDESCHED,
-					      "signal (deschedule)"));
-			SIGNAL(&manager->wakeup);
-		}
-#endif /* USE_TIMER_THREAD */
-	}
-}
-
-static void
-destroy(isc__timer_t *timer) {
-	isc__timermgr_t *manager = timer->manager;
-
-	/*
-	 * The caller must ensure it is safe to destroy the timer.
-	 */
-
-	LOCK(&manager->lock);
-
-	(void)isc_task_purgerange(timer->task,
-				  timer,
-				  ISC_TIMEREVENT_FIRSTEVENT,
-				  ISC_TIMEREVENT_LASTEVENT,
-				  NULL);
-	deschedule(timer);
-	UNLINK(manager->timers, timer, link);
-
-	UNLOCK(&manager->lock);
-
-	isc_task_detach(&timer->task);
-	DESTROYLOCK(&timer->lock);
-	timer->common.impmagic = 0;
-	timer->common.magic = 0;
-	isc_mem_put(manager->mctx, timer, sizeof(*timer));
-}
-
-ISC_TIMERFUNC_SCOPE isc_result_t
-isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
-		  const isc_time_t *expires, const isc_interval_t *interval,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg,
-		  isc_timer_t **timerp)
-{
-	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
-	isc__timer_t *timer;
-	isc_result_t result;
-	isc_time_t now;
-
-	/*
-	 * Create a new 'type' timer managed by 'manager'.  The timers
-	 * parameters are specified by 'expires' and 'interval'.  Events
-	 * will be posted to 'task' and when dispatched 'action' will be
-	 * called with 'arg' as the arg value.  The new timer is returned
-	 * in 'timerp'.
-	 */
-
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(task != NULL);
-	REQUIRE(action != NULL);
-	if (expires == NULL)
-		expires = isc_time_epoch;
-	if (interval == NULL)
-		interval = isc_interval_zero;
-	REQUIRE(type == isc_timertype_inactive ||
-		!(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
-	REQUIRE(timerp != NULL && *timerp == NULL);
-	REQUIRE(type != isc_timertype_limited ||
-		!(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
-
-	/*
-	 * Get current time.
-	 */
-	if (type != isc_timertype_inactive) {
-		TIME_NOW(&now);
-	} else {
-		/*
-		 * We don't have to do this, but it keeps the compiler from
-		 * complaining about "now" possibly being used without being
-		 * set, even though it will never actually happen.
-		 */
-		isc_time_settoepoch(&now);
-	}
-
-
-	timer = isc_mem_get(manager->mctx, sizeof(*timer));
-	if (timer == NULL)
-		return (ISC_R_NOMEMORY);
-
-	timer->manager = manager;
-	timer->references = 1;
-
-	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
-		result = isc_time_add(&now, interval, &timer->idle);
-		if (result != ISC_R_SUCCESS) {
-			isc_mem_put(manager->mctx, timer, sizeof(*timer));
-			return (result);
-		}
-	} else
-		isc_time_settoepoch(&timer->idle);
-
-	timer->type = type;
-	timer->expires = *expires;
-	timer->interval = *interval;
-	timer->task = NULL;
-	isc_task_attach(task, &timer->task);
-	timer->action = action;
-	/*
-	 * Removing the const attribute from "arg" is the best of two
-	 * evils here.  If the timer->arg member is made const, then
-	 * it affects a great many recipients of the timer event
-	 * which did not pass in an "arg" that was truly const.
-	 * Changing isc_timer_create() to not have "arg" prototyped as const,
-	 * though, can cause compilers warnings for calls that *do*
-	 * have a truly const arg.  The caller will have to carefully
-	 * keep track of whether arg started as a true const.
-	 */
-	DE_CONST(arg, timer->arg);
-	timer->index = 0;
-	result = isc_mutex_init(&timer->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_task_detach(&timer->task);
-		isc_mem_put(manager->mctx, timer, sizeof(*timer));
-		return (result);
-	}
-	ISC_LINK_INIT(timer, link);
-	timer->common.impmagic = TIMER_MAGIC;
-	timer->common.magic = ISCAPI_TIMER_MAGIC;
-	timer->common.methods = (isc_timermethods_t *)&timermethods;
-
-	LOCK(&manager->lock);
-
-	/*
-	 * Note we don't have to lock the timer like we normally would because
-	 * there are no external references to it yet.
-	 */
-
-	if (type != isc_timertype_inactive)
-		result = schedule(timer, &now, ISC_TRUE);
-	else
-		result = ISC_R_SUCCESS;
-	if (result == ISC_R_SUCCESS)
-		APPEND(manager->timers, timer, link);
-
-	UNLOCK(&manager->lock);
-
-	if (result != ISC_R_SUCCESS) {
-		timer->common.impmagic = 0;
-		timer->common.magic = 0;
-		DESTROYLOCK(&timer->lock);
-		isc_task_detach(&timer->task);
-		isc_mem_put(manager->mctx, timer, sizeof(*timer));
-		return (result);
-	}
-
-	*timerp = (isc_timer_t *)timer;
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_TIMERFUNC_SCOPE isc_result_t
-isc__timer_reset(isc_timer_t *timer0, isc_timertype_t type,
-		 const isc_time_t *expires, const isc_interval_t *interval,
-		 isc_boolean_t purge)
-{
-	isc__timer_t *timer = (isc__timer_t *)timer0;
-	isc_time_t now;
-	isc__timermgr_t *manager;
-	isc_result_t result;
-
-	/*
-	 * Change the timer's type, expires, and interval values to the given
-	 * values.  If 'purge' is ISC_TRUE, any pending events from this timer
-	 * are purged from its task's event queue.
-	 */
-
-	REQUIRE(VALID_TIMER(timer));
-	manager = timer->manager;
-	REQUIRE(VALID_MANAGER(manager));
-
-	if (expires == NULL)
-		expires = isc_time_epoch;
-	if (interval == NULL)
-		interval = isc_interval_zero;
-	REQUIRE(type == isc_timertype_inactive ||
-		!(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
-	REQUIRE(type != isc_timertype_limited ||
-		!(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
-
-	/*
-	 * Get current time.
-	 */
-	if (type != isc_timertype_inactive) {
-		TIME_NOW(&now);
-	} else {
-		/*
-		 * We don't have to do this, but it keeps the compiler from
-		 * complaining about "now" possibly being used without being
-		 * set, even though it will never actually happen.
-		 */
-		isc_time_settoepoch(&now);
-	}
-
-	LOCK(&manager->lock);
-	LOCK(&timer->lock);
-
-	if (purge)
-		(void)isc_task_purgerange(timer->task,
-					  timer,
-					  ISC_TIMEREVENT_FIRSTEVENT,
-					  ISC_TIMEREVENT_LASTEVENT,
-					  NULL);
-	timer->type = type;
-	timer->expires = *expires;
-	timer->interval = *interval;
-	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
-		result = isc_time_add(&now, interval, &timer->idle);
-	} else {
-		isc_time_settoepoch(&timer->idle);
-		result = ISC_R_SUCCESS;
-	}
-
-	if (result == ISC_R_SUCCESS) {
-		if (type == isc_timertype_inactive) {
-			deschedule(timer);
-			result = ISC_R_SUCCESS;
-		} else
-			result = schedule(timer, &now, ISC_TRUE);
-	}
-
-	UNLOCK(&timer->lock);
-	UNLOCK(&manager->lock);
-
-	return (result);
-}
-
-ISC_TIMERFUNC_SCOPE isc_timertype_t
-isc__timer_gettype(isc_timer_t *timer0) {
-	isc__timer_t *timer = (isc__timer_t *)timer0;
-	isc_timertype_t t;
-
-	REQUIRE(VALID_TIMER(timer));
-
-	LOCK(&timer->lock);
-	t = timer->type;
-	UNLOCK(&timer->lock);
-
-	return (t);
-}
-
-ISC_TIMERFUNC_SCOPE isc_result_t
-isc__timer_touch(isc_timer_t *timer0) {
-	isc__timer_t *timer = (isc__timer_t *)timer0;
-	isc_result_t result;
-	isc_time_t now;
-
-	/*
-	 * Set the last-touched time of 'timer' to the current time.
-	 */
-
-	REQUIRE(VALID_TIMER(timer));
-
-	LOCK(&timer->lock);
-
-	/*
-	 * We'd like to
-	 *
-	 *	REQUIRE(timer->type == isc_timertype_once);
-	 *
-	 * but we cannot without locking the manager lock too, which we
-	 * don't want to do.
-	 */
-
-	TIME_NOW(&now);
-	result = isc_time_add(&now, &timer->interval, &timer->idle);
-
-	UNLOCK(&timer->lock);
-
-	return (result);
-}
-
-ISC_TIMERFUNC_SCOPE void
-isc__timer_attach(isc_timer_t *timer0, isc_timer_t **timerp) {
-	isc__timer_t *timer = (isc__timer_t *)timer0;
-
-	/*
-	 * Attach *timerp to timer.
-	 */
-
-	REQUIRE(VALID_TIMER(timer));
-	REQUIRE(timerp != NULL && *timerp == NULL);
-
-	LOCK(&timer->lock);
-	timer->references++;
-	UNLOCK(&timer->lock);
-
-	*timerp = (isc_timer_t *)timer;
-}
-
-ISC_TIMERFUNC_SCOPE void
-isc__timer_detach(isc_timer_t **timerp) {
-	isc__timer_t *timer;
-	isc_boolean_t free_timer = ISC_FALSE;
-
-	/*
-	 * Detach *timerp from its timer.
-	 */
-
-	REQUIRE(timerp != NULL);
-	timer = (isc__timer_t *)*timerp;
-	REQUIRE(VALID_TIMER(timer));
-
-	LOCK(&timer->lock);
-	REQUIRE(timer->references > 0);
-	timer->references--;
-	if (timer->references == 0)
-		free_timer = ISC_TRUE;
-	UNLOCK(&timer->lock);
-
-	if (free_timer)
-		destroy(timer);
-
-	*timerp = NULL;
-}
-
-static void
-dispatch(isc__timermgr_t *manager, isc_time_t *now) {
-	isc_boolean_t done = ISC_FALSE, post_event, need_schedule;
-	isc_timerevent_t *event;
-	isc_eventtype_t type = 0;
-	isc__timer_t *timer;
-	isc_result_t result;
-	isc_boolean_t idle;
-
-	/*!
-	 * The caller must be holding the manager lock.
-	 */
-
-	while (manager->nscheduled > 0 && !done) {
-		timer = isc_heap_element(manager->heap, 1);
-		INSIST(timer != NULL && timer->type != isc_timertype_inactive);
-		if (isc_time_compare(now, &timer->due) >= 0) {
-			if (timer->type == isc_timertype_ticker) {
-				type = ISC_TIMEREVENT_TICK;
-				post_event = ISC_TRUE;
-				need_schedule = ISC_TRUE;
-			} else if (timer->type == isc_timertype_limited) {
-				int cmp;
-				cmp = isc_time_compare(now, &timer->expires);
-				if (cmp >= 0) {
-					type = ISC_TIMEREVENT_LIFE;
-					post_event = ISC_TRUE;
-					need_schedule = ISC_FALSE;
-				} else {
-					type = ISC_TIMEREVENT_TICK;
-					post_event = ISC_TRUE;
-					need_schedule = ISC_TRUE;
-				}
-			} else if (!isc_time_isepoch(&timer->expires) &&
-				   isc_time_compare(now,
-						    &timer->expires) >= 0) {
-				type = ISC_TIMEREVENT_LIFE;
-				post_event = ISC_TRUE;
-				need_schedule = ISC_FALSE;
-			} else {
-				idle = ISC_FALSE;
-
-				LOCK(&timer->lock);
-				if (!isc_time_isepoch(&timer->idle) &&
-				    isc_time_compare(now,
-						     &timer->idle) >= 0) {
-					idle = ISC_TRUE;
-				}
-				UNLOCK(&timer->lock);
-				if (idle) {
-					type = ISC_TIMEREVENT_IDLE;
-					post_event = ISC_TRUE;
-					need_schedule = ISC_FALSE;
-				} else {
-					/*
-					 * Idle timer has been touched;
-					 * reschedule.
-					 */
-					XTRACEID(isc_msgcat_get(isc_msgcat,
-								ISC_MSGSET_TIMER,
-								ISC_MSG_IDLERESCHED,
-								"idle reschedule"),
-						 timer);
-					post_event = ISC_FALSE;
-					need_schedule = ISC_TRUE;
-				}
-			}
-
-			if (post_event) {
-				XTRACEID(isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_TIMER,
-							ISC_MSG_POSTING,
-							"posting"), timer);
-				/*
-				 * XXX We could preallocate this event.
-				 */
-				event = (isc_timerevent_t *)isc_event_allocate(manager->mctx,
-							   timer,
-							   type,
-							   timer->action,
-							   timer->arg,
-							   sizeof(*event));
-
-				if (event != NULL) {
-					event->due = timer->due;
-					isc_task_send(timer->task,
-						      ISC_EVENT_PTR(&event));
-				} else
-					UNEXPECTED_ERROR(__FILE__, __LINE__, "%s",
-						 isc_msgcat_get(isc_msgcat,
-							 ISC_MSGSET_TIMER,
-							 ISC_MSG_EVENTNOTALLOC,
-							 "couldn't "
-							 "allocate event"));
-			}
-
-			timer->index = 0;
-			isc_heap_delete(manager->heap, 1);
-			manager->nscheduled--;
-
-			if (need_schedule) {
-				result = schedule(timer, now, ISC_FALSE);
-				if (result != ISC_R_SUCCESS)
-					UNEXPECTED_ERROR(__FILE__, __LINE__,
-							 "%s: %u",
-						isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_TIMER,
-							ISC_MSG_SCHEDFAIL,
-							"couldn't schedule "
-							"timer"),
-							 result);
-			}
-		} else {
-			manager->due = timer->due;
-			done = ISC_TRUE;
-		}
-	}
-}
-
-#ifdef USE_TIMER_THREAD
-static isc_threadresult_t
-#ifdef _WIN32			/* XXXDCL */
-WINAPI
-#endif
-run(void *uap) {
-	isc__timermgr_t *manager = uap;
-	isc_time_t now;
-	isc_result_t result;
-
-	LOCK(&manager->lock);
-	while (!manager->done) {
-		TIME_NOW(&now);
-
-		XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-					  ISC_MSG_RUNNING,
-					  "running"), now);
-
-		dispatch(manager, &now);
-
-		if (manager->nscheduled > 0) {
-			XTRACETIME2(isc_msgcat_get(isc_msgcat,
-						   ISC_MSGSET_GENERAL,
-						   ISC_MSG_WAITUNTIL,
-						   "waituntil"),
-				    manager->due, now);
-			result = WAITUNTIL(&manager->wakeup, &manager->lock, &manager->due);
-			INSIST(result == ISC_R_SUCCESS ||
-			       result == ISC_R_TIMEDOUT);
-		} else {
-			XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						  ISC_MSG_WAIT, "wait"), now);
-			WAIT(&manager->wakeup, &manager->lock);
-		}
-		XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
-				      ISC_MSG_WAKEUP, "wakeup"));
-	}
-	UNLOCK(&manager->lock);
-
-#ifdef OPENSSL_LEAKS
-	ERR_remove_state(0);
-#endif
-
-	return ((isc_threadresult_t)0);
-}
-#endif /* USE_TIMER_THREAD */
-
-static isc_boolean_t
-sooner(void *v1, void *v2) {
-	isc__timer_t *t1, *t2;
-
-	t1 = v1;
-	t2 = v2;
-	REQUIRE(VALID_TIMER(t1));
-	REQUIRE(VALID_TIMER(t2));
-
-	if (isc_time_compare(&t1->due, &t2->due) < 0)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-static void
-set_index(void *what, unsigned int index) {
-	isc__timer_t *timer;
-
-	timer = what;
-	REQUIRE(VALID_TIMER(timer));
-
-	timer->index = index;
-}
-
-ISC_TIMERFUNC_SCOPE isc_result_t
-isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
-	isc__timermgr_t *manager;
-	isc_result_t result;
-
-	/*
-	 * Create a timer manager.
-	 */
-
-	REQUIRE(managerp != NULL && *managerp == NULL);
-
-#ifdef USE_SHARED_MANAGER
-	if (timermgr != NULL) {
-		timermgr->refs++;
-		*managerp = (isc_timermgr_t *)timermgr;
-		return (ISC_R_SUCCESS);
-	}
-#endif /* USE_SHARED_MANAGER */
-
-	manager = isc_mem_get(mctx, sizeof(*manager));
-	if (manager == NULL)
-		return (ISC_R_NOMEMORY);
-
-	manager->common.impmagic = TIMER_MANAGER_MAGIC;
-	manager->common.magic = ISCAPI_TIMERMGR_MAGIC;
-	manager->common.methods = (isc_timermgrmethods_t *)&timermgrmethods;
-	manager->mctx = NULL;
-	manager->done = ISC_FALSE;
-	INIT_LIST(manager->timers);
-	manager->nscheduled = 0;
-	isc_time_settoepoch(&manager->due);
-	manager->heap = NULL;
-	result = isc_heap_create(mctx, sooner, set_index, 0, &manager->heap);
-	if (result != ISC_R_SUCCESS) {
-		INSIST(result == ISC_R_NOMEMORY);
-		isc_mem_put(mctx, manager, sizeof(*manager));
-		return (ISC_R_NOMEMORY);
-	}
-	result = isc_mutex_init(&manager->lock);
-	if (result != ISC_R_SUCCESS) {
-		isc_heap_destroy(&manager->heap);
-		isc_mem_put(mctx, manager, sizeof(*manager));
-		return (result);
-	}
-	isc_mem_attach(mctx, &manager->mctx);
-#ifdef USE_TIMER_THREAD
-	if (isc_condition_init(&manager->wakeup) != ISC_R_SUCCESS) {
-		isc_mem_detach(&manager->mctx);
-		DESTROYLOCK(&manager->lock);
-		isc_heap_destroy(&manager->heap);
-		isc_mem_put(mctx, manager, sizeof(*manager));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_condition_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		return (ISC_R_UNEXPECTED);
-	}
-	if (isc_thread_create(run, manager, &manager->thread) !=
-	    ISC_R_SUCCESS) {
-		isc_mem_detach(&manager->mctx);
-		(void)isc_condition_destroy(&manager->wakeup);
-		DESTROYLOCK(&manager->lock);
-		isc_heap_destroy(&manager->heap);
-		isc_mem_put(mctx, manager, sizeof(*manager));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_thread_create() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		return (ISC_R_UNEXPECTED);
-	}
-#endif
-#ifdef USE_SHARED_MANAGER
-	manager->refs = 1;
-	timermgr = manager;
-#endif /* USE_SHARED_MANAGER */
-
-	*managerp = (isc_timermgr_t *)manager;
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_TIMERFUNC_SCOPE void
-isc__timermgr_poke(isc_timermgr_t *manager0) {
-#ifdef USE_TIMER_THREAD
-	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
-
-	REQUIRE(VALID_MANAGER(manager));
-
-	SIGNAL(&manager->wakeup);
-#else
-	UNUSED(manager0);
-#endif
-}
-
-ISC_TIMERFUNC_SCOPE void
-isc__timermgr_destroy(isc_timermgr_t **managerp) {
-	isc__timermgr_t *manager;
-	isc_mem_t *mctx;
-
-	/*
-	 * Destroy a timer manager.
-	 */
-
-	REQUIRE(managerp != NULL);
-	manager = (isc__timermgr_t *)*managerp;
-	REQUIRE(VALID_MANAGER(manager));
-
-	LOCK(&manager->lock);
-
-#ifdef USE_SHARED_MANAGER
-	manager->refs--;
-	if (manager->refs > 0) {
-		UNLOCK(&manager->lock);
-		*managerp = NULL;
-		return;
-	}
-	timermgr = NULL;
-#endif /* USE_SHARED_MANAGER */
-
-#ifndef USE_TIMER_THREAD
-	isc__timermgr_dispatch((isc_timermgr_t *)manager);
-#endif
-
-	REQUIRE(EMPTY(manager->timers));
-	manager->done = ISC_TRUE;
-
-#ifdef USE_TIMER_THREAD
-	XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
-			      ISC_MSG_SIGNALDESTROY, "signal (destroy)"));
-	SIGNAL(&manager->wakeup);
-#endif /* USE_TIMER_THREAD */
-
-	UNLOCK(&manager->lock);
-
-#ifdef USE_TIMER_THREAD
-	/*
-	 * Wait for thread to exit.
-	 */
-	if (isc_thread_join(manager->thread, NULL) != ISC_R_SUCCESS)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_thread_join() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-#endif /* USE_TIMER_THREAD */
-
-	/*
-	 * Clean up.
-	 */
-#ifdef USE_TIMER_THREAD
-	(void)isc_condition_destroy(&manager->wakeup);
-#endif /* USE_TIMER_THREAD */
-	DESTROYLOCK(&manager->lock);
-	isc_heap_destroy(&manager->heap);
-	manager->common.impmagic = 0;
-	manager->common.magic = 0;
-	mctx = manager->mctx;
-	isc_mem_put(mctx, manager, sizeof(*manager));
-	isc_mem_detach(&mctx);
-
-	*managerp = NULL;
-
-#ifdef USE_SHARED_MANAGER
-	timermgr = NULL;
-#endif
-}
-
-#ifndef USE_TIMER_THREAD
-isc_result_t
-isc__timermgr_nextevent(isc_timermgr_t *manager0, isc_time_t *when) {
-	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
-
-#ifdef USE_SHARED_MANAGER
-	if (manager == NULL)
-		manager = timermgr;
-#endif
-	if (manager == NULL || manager->nscheduled == 0)
-		return (ISC_R_NOTFOUND);
-	*when = manager->due;
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc__timermgr_dispatch(isc_timermgr_t *manager0) {
-	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
-	isc_time_t now;
-
-#ifdef USE_SHARED_MANAGER
-	if (manager == NULL)
-		manager = timermgr;
-#endif
-	if (manager == NULL)
-		return;
-	TIME_NOW(&now);
-	dispatch(manager, &now);
-}
-#endif /* USE_TIMER_THREAD */
-
-#ifdef USE_TIMERIMPREGISTER
-isc_result_t
-isc__timer_register() {
-	return (isc_timer_register(isc__timermgr_create));
-}
-#endif
diff --git a/contrib/bind9/lib/isc/timer_api.c b/contrib/bind9/lib/isc/timer_api.c
deleted file mode 100644
index 39b33e3..0000000
--- a/contrib/bind9/lib/isc/timer_api.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer_api.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
-
-#include <config.h>
-
-#include <unistd.h>
-
-#include <isc/app.h>
-#include <isc/magic.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-static isc_mutex_t createlock;
-static isc_once_t once = ISC_ONCE_INIT;
-static isc_timermgrcreatefunc_t timermgr_createfunc = NULL;
-
-static void
-initialize(void) {
-	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_timer_register(isc_timermgrcreatefunc_t createfunc) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
-	LOCK(&createlock);
-	if (timermgr_createfunc == NULL)
-		timermgr_createfunc = createfunc;
-	else
-		result = ISC_R_EXISTS;
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-isc_result_t
-isc_timermgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
-			 isc_timermgr_t **managerp)
-{
-	isc_result_t result;
-
-	LOCK(&createlock);
-
-	REQUIRE(timermgr_createfunc != NULL);
-	result = (*timermgr_createfunc)(mctx, managerp);
-
-	UNLOCK(&createlock);
-
-	if (result == ISC_R_SUCCESS)
-		isc_appctx_settimermgr(actx, *managerp);
-
-	return (result);
-}
-
-isc_result_t
-isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
-	isc_result_t result;
-
-	LOCK(&createlock);
-
-	REQUIRE(timermgr_createfunc != NULL);
-	result = (*timermgr_createfunc)(mctx, managerp);
-
-	UNLOCK(&createlock);
-
-	return (result);
-}
-
-void
-isc_timermgr_destroy(isc_timermgr_t **managerp) {
-	REQUIRE(*managerp != NULL && ISCAPI_TIMERMGR_VALID(*managerp));
-
-	(*managerp)->methods->destroy(managerp);
-
-	ENSURE(*managerp == NULL);
-}
-
-isc_result_t
-isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
-		 const isc_time_t *expires, const isc_interval_t *interval,
-		 isc_task_t *task, isc_taskaction_t action, const void *arg,
-		 isc_timer_t **timerp)
-{
-	REQUIRE(ISCAPI_TIMERMGR_VALID(manager));
-
-	return (manager->methods->timercreate(manager, type, expires,
-					      interval, task, action, arg,
-					      timerp));
-}
-
-void
-isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
-	REQUIRE(ISCAPI_TIMER_VALID(timer));
-	REQUIRE(timerp != NULL && *timerp == NULL);
-
-	timer->methods->attach(timer, timerp);
-
-	ENSURE(*timerp == timer);
-}
-
-void
-isc_timer_detach(isc_timer_t **timerp) {
-	REQUIRE(timerp != NULL && ISCAPI_TIMER_VALID(*timerp));
-
-	(*timerp)->methods->detach(timerp);
-
-	ENSURE(*timerp == NULL);
-}
-
-isc_result_t
-isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
-		const isc_time_t *expires, const isc_interval_t *interval,
-		isc_boolean_t purge)
-{
-	REQUIRE(ISCAPI_TIMER_VALID(timer));
-
-	return (timer->methods->reset(timer, type, expires, interval, purge));
-}
-
-isc_result_t
-isc_timer_touch(isc_timer_t *timer) {
-	REQUIRE(ISCAPI_TIMER_VALID(timer));
-
-	return (timer->methods->touch(timer));
-}
diff --git a/contrib/bind9/lib/isc/timer_p.h b/contrib/bind9/lib/isc/timer_p.h
deleted file mode 100644
index d6f7c99..0000000
--- a/contrib/bind9/lib/isc/timer_p.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer_p.h,v 1.12 2009/09/02 23:48:02 tbox Exp $ */
-
-#ifndef ISC_TIMER_P_H
-#define ISC_TIMER_P_H
-
-/*! \file */
-
-isc_result_t
-isc__timermgr_nextevent(isc_timermgr_t *timermgr, isc_time_t *when);
-
-void
-isc__timermgr_dispatch(isc_timermgr_t *timermgr);
-
-#endif /* ISC_TIMER_P_H */
diff --git a/contrib/bind9/lib/isc/unix/Makefile.in b/contrib/bind9/lib/isc/unix/Makefile.in
deleted file mode 100644
index c1411cb..0000000
--- a/contrib/bind9/lib/isc/unix/Makefile.in
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.44 2009/12/05 23:31:41 each Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-CINCLUDES =	-I${srcdir}/include \
-		-I${srcdir}/../@ISC_THREAD_DIR@/include \
-		-I../include \
-		-I${srcdir}/../include \
-		-I${srcdir}/..
-
-CDEFINES =
-CWARNINGS =
-
-# Alphabetically
-OBJS =		@ISC_IPV6_O@ \
-		app.@O@ dir.@O@ entropy.@O@ errno2result.@O@ file.@O@ \
-		fsaccess.@O@ interfaceiter.@O@ keyboard.@O@ net.@O@ \
-		os.@O@ resource.@O@ socket.@O@ stdio.@O@ stdtime.@O@ \
-		strerror.@O@ syslog.@O@ time.@O@
-
-# Alphabetically
-SRCS =		@ISC_IPV6_C@ \
-		app.c dir.c entropy.c errno2result.c file.c \
-		fsaccess.c interfaceiter.c keyboard.c net.c \
-		os.c resource.c socket.c stdio.c stdtime.c \
-		strerror.c syslog.c time.c
-
-SUBDIRS =	include
-TARGETS =	${OBJS}
-
-@BIND9_MAKE_RULES@
-
-interfaceiter.@O@: interfaceiter.c ifiter_ioctl.c ifiter_sysctl.c ifiter_getifaddrs.c
-
diff --git a/contrib/bind9/lib/isc/unix/app.c b/contrib/bind9/lib/isc/unix/app.c
deleted file mode 100644
index 5393be9..0000000
--- a/contrib/bind9/lib/isc/unix/app.c
+++ /dev/null
@@ -1,946 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: app.c,v 1.64 2009/11/04 05:58:46 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <sys/param.h>	/* Openserver 5.0.6A and FD_SETSIZE */
-#include <sys/types.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <unistd.h>
-#include <signal.h>
-#include <sys/time.h>
-#ifdef HAVE_EPOLL
-#include <sys/epoll.h>
-#endif
-
-#include <isc/app.h>
-#include <isc/boolean.h>
-#include <isc/condition.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/mutex.h>
-#include <isc/event.h>
-#include <isc/platform.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-/*%
- * For BIND9 internal applications built with threads, we use a single app
- * context and let multiple worker, I/O, timer threads do actual jobs.
- * For other cases (including BIND9 built without threads) an app context acts
- * as an event loop dispatching various events.
- */
-#if defined(ISC_PLATFORM_USETHREADS) && defined(BIND9)
-#define USE_THREADS_SINGLECTX
-#endif
-
-#ifdef ISC_PLATFORM_USETHREADS
-#include <pthread.h>
-#endif
-
-#ifndef USE_THREADS_SINGLECTX
-#include "../timer_p.h"
-#include "../task_p.h"
-#include "socket_p.h"
-#endif /* USE_THREADS_SINGLECTX */
-
-#ifdef ISC_PLATFORM_USETHREADS
-static pthread_t		blockedthread;
-#endif /* ISC_PLATFORM_USETHREADS */
-
-/*%
- * The following can be either static or public, depending on build environment.
- */
-
-#ifdef BIND9
-#define ISC_APPFUNC_SCOPE
-#else
-#define ISC_APPFUNC_SCOPE static
-#endif
-
-ISC_APPFUNC_SCOPE isc_result_t isc__app_start(void);
-ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxstart(isc_appctx_t *ctx);
-ISC_APPFUNC_SCOPE isc_result_t isc__app_onrun(isc_mem_t *mctx,
-					      isc_task_t *task,
-					      isc_taskaction_t action,
-					      void *arg);
-ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxrun(isc_appctx_t *ctx);
-ISC_APPFUNC_SCOPE isc_result_t isc__app_run(void);
-ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxshutdown(isc_appctx_t *ctx);
-ISC_APPFUNC_SCOPE isc_result_t isc__app_shutdown(void);
-ISC_APPFUNC_SCOPE isc_result_t isc__app_reload(void);
-ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxsuspend(isc_appctx_t *ctx);
-ISC_APPFUNC_SCOPE void isc__app_ctxfinish(isc_appctx_t *ctx);
-ISC_APPFUNC_SCOPE void isc__app_finish(void);
-ISC_APPFUNC_SCOPE void isc__app_block(void);
-ISC_APPFUNC_SCOPE void isc__app_unblock(void);
-ISC_APPFUNC_SCOPE isc_result_t isc__appctx_create(isc_mem_t *mctx,
-						  isc_appctx_t **ctxp);
-ISC_APPFUNC_SCOPE void isc__appctx_destroy(isc_appctx_t **ctxp);
-ISC_APPFUNC_SCOPE void isc__appctx_settaskmgr(isc_appctx_t *ctx,
-					      isc_taskmgr_t *taskmgr);
-ISC_APPFUNC_SCOPE void isc__appctx_setsocketmgr(isc_appctx_t *ctx,
-						isc_socketmgr_t *socketmgr);
-ISC_APPFUNC_SCOPE void isc__appctx_settimermgr(isc_appctx_t *ctx,
-					       isc_timermgr_t *timermgr);
-
-/*
- * The application context of this module.  This implementation actually
- * doesn't use it. (This may change in the future).
- */
-#define APPCTX_MAGIC		ISC_MAGIC('A', 'p', 'c', 'x')
-#define VALID_APPCTX(c)		ISC_MAGIC_VALID(c, APPCTX_MAGIC)
-
-typedef struct isc__appctx {
-	isc_appctx_t		common;
-	isc_mem_t		*mctx;
-	isc_mutex_t		lock;
-	isc_eventlist_t		on_run;
-	isc_boolean_t		shutdown_requested;
-	isc_boolean_t		running;
-
-	/*!
-	 * We assume that 'want_shutdown' can be read and written atomically.
-	 */
-	isc_boolean_t		want_shutdown;
-	/*
-	 * We assume that 'want_reload' can be read and written atomically.
-	 */
-	isc_boolean_t		want_reload;
-
-	isc_boolean_t		blocked;
-
-	isc_taskmgr_t		*taskmgr;
-	isc_socketmgr_t		*socketmgr;
-	isc_timermgr_t		*timermgr;
-} isc__appctx_t;
-
-static isc__appctx_t isc_g_appctx;
-
-static struct {
-	isc_appmethods_t methods;
-
-	/*%
-	 * The following are defined just for avoiding unused static functions.
-	 */
-#ifndef BIND9
-	void *run, *shutdown, *start, *onrun, *reload, *finish,
-		*block, *unblock;
-#endif
-} appmethods = {
-	{
-		isc__appctx_destroy,
-		isc__app_ctxstart,
-		isc__app_ctxrun,
-		isc__app_ctxsuspend,
-		isc__app_ctxshutdown,
-		isc__app_ctxfinish,
-		isc__appctx_settaskmgr,
-		isc__appctx_setsocketmgr,
-		isc__appctx_settimermgr
-	}
-#ifndef BIND9
-	,
-	(void *)isc__app_run, (void *)isc__app_shutdown,
-	(void *)isc__app_start, (void *)isc__app_onrun, (void *)isc__app_reload,
-	(void *)isc__app_finish, (void *)isc__app_block,
-	(void *)isc__app_unblock
-#endif
-};
-
-#ifdef HAVE_LINUXTHREADS
-/*!
- * Linux has sigwait(), but it appears to prevent signal handlers from
- * running, even if they're not in the set being waited for.  This makes
- * it impossible to get the default actions for SIGILL, SIGSEGV, etc.
- * Instead of messing with it, we just use sigsuspend() instead.
- */
-#undef HAVE_SIGWAIT
-/*!
- * We need to remember which thread is the main thread...
- */
-static pthread_t		main_thread;
-#endif
-
-#ifndef HAVE_SIGWAIT
-static void
-exit_action(int arg) {
-	UNUSED(arg);
-	isc_g_appctx.want_shutdown = ISC_TRUE;
-}
-
-static void
-reload_action(int arg) {
-	UNUSED(arg);
-	isc_g_appctx.want_reload = ISC_TRUE;
-}
-#endif
-
-static isc_result_t
-handle_signal(int sig, void (*handler)(int)) {
-	struct sigaction sa;
-	char strbuf[ISC_STRERRORSIZE];
-
-	memset(&sa, 0, sizeof(sa));
-	sa.sa_handler = handler;
-
-	if (sigfillset(&sa.sa_mask) != 0 ||
-	    sigaction(sig, &sa, NULL) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_APP,
-					       ISC_MSG_SIGNALSETUP,
-					       "handle_signal() %d setup: %s"),
-				 sig, strbuf);
-		return (ISC_R_UNEXPECTED);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__app_ctxstart(isc_appctx_t *ctx0) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
-	isc_result_t result;
-
-	REQUIRE(VALID_APPCTX(ctx));
-
-	/*
-	 * Start an ISC library application.
-	 */
-
-#ifdef NEED_PTHREAD_INIT
-	/*
-	 * BSDI 3.1 seg faults in pthread_sigmask() if we don't do this.
-	 */
-	presult = pthread_init();
-	if (presult != 0) {
-		isc__strerror(presult, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_app_start() pthread_init: %s", strbuf);
-		return (ISC_R_UNEXPECTED);
-	}
-#endif
-
-#ifdef HAVE_LINUXTHREADS
-	main_thread = pthread_self();
-#endif
-
-	result = isc_mutex_init(&ctx->lock);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	ISC_LIST_INIT(ctx->on_run);
-
-	ctx->shutdown_requested = ISC_FALSE;
-	ctx->running = ISC_FALSE;
-	ctx->want_shutdown = ISC_FALSE;
-	ctx->want_reload = ISC_FALSE;
-	ctx->blocked = ISC_FALSE;
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__app_start(void) {
-	isc_result_t result;
-	int presult;
-	sigset_t sset;
-	char strbuf[ISC_STRERRORSIZE];
-
-	isc_g_appctx.common.impmagic = APPCTX_MAGIC;
-	isc_g_appctx.common.magic = ISCAPI_APPCTX_MAGIC;
-	isc_g_appctx.common.methods = &appmethods.methods;
-	isc_g_appctx.mctx = NULL;
-	/* The remaining members will be initialized in ctxstart() */
-
-	result = isc__app_ctxstart((isc_appctx_t *)&isc_g_appctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-#ifndef HAVE_SIGWAIT
-	/*
-	 * Install do-nothing handlers for SIGINT and SIGTERM.
-	 *
-	 * We install them now because BSDI 3.1 won't block
-	 * the default actions, regardless of what we do with
-	 * pthread_sigmask().
-	 */
-	result = handle_signal(SIGINT, exit_action);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = handle_signal(SIGTERM, exit_action);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-#endif
-
-	/*
-	 * Always ignore SIGPIPE.
-	 */
-	result = handle_signal(SIGPIPE, SIG_IGN);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * On Solaris 2, delivery of a signal whose action is SIG_IGN
-	 * will not cause sigwait() to return. We may have inherited
-	 * unexpected actions for SIGHUP, SIGINT, and SIGTERM from our parent
-	 * process (e.g, Solaris cron).  Set an action of SIG_DFL to make
-	 * sure sigwait() works as expected.  Only do this for SIGTERM and
-	 * SIGINT if we don't have sigwait(), since a different handler is
-	 * installed above.
-	 */
-	result = handle_signal(SIGHUP, SIG_DFL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-#ifdef HAVE_SIGWAIT
-	result = handle_signal(SIGTERM, SIG_DFL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	result = handle_signal(SIGINT, SIG_DFL);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-#endif
-
-#ifdef ISC_PLATFORM_USETHREADS
-	/*
-	 * Block SIGHUP, SIGINT, SIGTERM.
-	 *
-	 * If isc_app_start() is called from the main thread before any other
-	 * threads have been created, then the pthread_sigmask() call below
-	 * will result in all threads having SIGHUP, SIGINT and SIGTERM
-	 * blocked by default, ensuring that only the thread that calls
-	 * sigwait() for them will get those signals.
-	 */
-	if (sigemptyset(&sset) != 0 ||
-	    sigaddset(&sset, SIGHUP) != 0 ||
-	    sigaddset(&sset, SIGINT) != 0 ||
-	    sigaddset(&sset, SIGTERM) != 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_app_start() sigsetops: %s", strbuf);
-		return (ISC_R_UNEXPECTED);
-	}
-	presult = pthread_sigmask(SIG_BLOCK, &sset, NULL);
-	if (presult != 0) {
-		isc__strerror(presult, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_app_start() pthread_sigmask: %s",
-				 strbuf);
-		return (ISC_R_UNEXPECTED);
-	}
-#else /* ISC_PLATFORM_USETHREADS */
-	/*
-	 * Unblock SIGHUP, SIGINT, SIGTERM.
-	 *
-	 * If we're not using threads, we need to make sure that SIGHUP,
-	 * SIGINT and SIGTERM are not inherited as blocked from the parent
-	 * process.
-	 */
-	if (sigemptyset(&sset) != 0 ||
-	    sigaddset(&sset, SIGHUP) != 0 ||
-	    sigaddset(&sset, SIGINT) != 0 ||
-	    sigaddset(&sset, SIGTERM) != 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_app_start() sigsetops: %s", strbuf);
-		return (ISC_R_UNEXPECTED);
-	}
-	presult = sigprocmask(SIG_UNBLOCK, &sset, NULL);
-	if (presult != 0) {
-		isc__strerror(presult, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_app_start() sigprocmask: %s", strbuf);
-		return (ISC_R_UNEXPECTED);
-	}
-#endif /* ISC_PLATFORM_USETHREADS */
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
-	      void *arg)
-{
-	isc_event_t *event;
-	isc_task_t *cloned_task = NULL;
-	isc_result_t result;
-
-	LOCK(&isc_g_appctx.lock);
-
-	if (isc_g_appctx.running) {
-		result = ISC_R_ALREADYRUNNING;
-		goto unlock;
-	}
-
-	/*
-	 * Note that we store the task to which we're going to send the event
-	 * in the event's "sender" field.
-	 */
-	isc_task_attach(task, &cloned_task);
-	event = isc_event_allocate(mctx, cloned_task, ISC_APPEVENT_SHUTDOWN,
-				   action, arg, sizeof(*event));
-	if (event == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto unlock;
-	}
-
-	ISC_LIST_APPEND(isc_g_appctx.on_run, event, ev_link);
-
-	result = ISC_R_SUCCESS;
-
- unlock:
-	UNLOCK(&isc_g_appctx.lock);
-
-	return (result);
-}
-
-#ifndef USE_THREADS_SINGLECTX
-/*!
- * Event loop for nonthreaded programs.
- */
-static isc_result_t
-evloop(isc__appctx_t *ctx) {
-	isc_result_t result;
-
-	while (!ctx->want_shutdown) {
-		int n;
-		isc_time_t when, now;
-		struct timeval tv, *tvp;
-		isc_socketwait_t *swait;
-		isc_boolean_t readytasks;
-		isc_boolean_t call_timer_dispatch = ISC_FALSE;
-
-		/*
-		 * Check the reload (or suspend) case first for exiting the
-		 * loop as fast as possible in case:
-		 *   - the direct call to isc__taskmgr_dispatch() in
-		 *     isc__app_ctxrun() completes all the tasks so far,
-		 *   - there is thus currently no active task, and
-		 *   - there is a timer event
-		 */
-		if (ctx->want_reload) {
-			ctx->want_reload = ISC_FALSE;
-			return (ISC_R_RELOAD);
-		}
-
-		readytasks = isc__taskmgr_ready(ctx->taskmgr);
-		if (readytasks) {
-			tv.tv_sec = 0;
-			tv.tv_usec = 0;
-			tvp = &tv;
-			call_timer_dispatch = ISC_TRUE;
-		} else {
-			result = isc__timermgr_nextevent(ctx->timermgr, &when);
-			if (result != ISC_R_SUCCESS)
-				tvp = NULL;
-			else {
-				isc_uint64_t us;
-
-				TIME_NOW(&now);
-				us = isc_time_microdiff(&when, &now);
-				if (us == 0)
-					call_timer_dispatch = ISC_TRUE;
-				tv.tv_sec = us / 1000000;
-				tv.tv_usec = us % 1000000;
-				tvp = &tv;
-			}
-		}
-
-		swait = NULL;
-		n = isc__socketmgr_waitevents(ctx->socketmgr, tvp, &swait);
-
-		if (n == 0 || call_timer_dispatch) {
-			/*
-			 * We call isc__timermgr_dispatch() only when
-			 * necessary, in order to reduce overhead.  If the
-			 * select() call indicates a timeout, we need the
-			 * dispatch.  Even if not, if we set the 0-timeout
-			 * for the select() call, we need to check the timer
-			 * events.  In the 'readytasks' case, there may be no
-			 * timeout event actually, but there is no other way
-			 * to reduce the overhead.
-			 * Note that we do not have to worry about the case
-			 * where a new timer is inserted during the select()
-			 * call, since this loop only runs in the non-thread
-			 * mode.
-			 */
-			isc__timermgr_dispatch(ctx->timermgr);
-		}
-		if (n > 0)
-			(void)isc__socketmgr_dispatch(ctx->socketmgr, swait);
-		(void)isc__taskmgr_dispatch(ctx->taskmgr);
-	}
-	return (ISC_R_SUCCESS);
-}
-#endif	/* USE_THREADS_SINGLECTX */
-
-#ifndef ISC_PLATFORM_USETHREADS
-/*
- * This is a gross hack to support waiting for condition
- * variables in nonthreaded programs in a limited way;
- * see lib/isc/nothreads/include/isc/condition.h.
- * We implement isc_condition_wait() by entering the
- * event loop recursively until the want_shutdown flag
- * is set by isc_condition_signal().
- */
-
-/*!
- * \brief True if we are currently executing in the recursive
- * event loop.
- */
-static isc_boolean_t in_recursive_evloop = ISC_FALSE;
-
-/*!
- * \brief True if we are exiting the event loop as the result of
- * a call to isc_condition_signal() rather than a shutdown
- * or reload.
- */
-static isc_boolean_t signalled = ISC_FALSE;
-
-isc_result_t
-isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp) {
-	isc_result_t result;
-
-	UNUSED(cp);
-	UNUSED(mp);
-
-	INSIST(!in_recursive_evloop);
-	in_recursive_evloop = ISC_TRUE;
-
-	INSIST(*mp == 1); /* Mutex must be locked on entry. */
-	--*mp;
-
-	result = evloop(&isc_g_appctx);
-	if (result == ISC_R_RELOAD)
-		isc_g_appctx.want_reload = ISC_TRUE;
-	if (signalled) {
-		isc_g_appctx.want_shutdown = ISC_FALSE;
-		signalled = ISC_FALSE;
-	}
-
-	++*mp;
-	in_recursive_evloop = ISC_FALSE;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc__nothread_signal_hack(isc_condition_t *cp) {
-
-	UNUSED(cp);
-
-	INSIST(in_recursive_evloop);
-
-	isc_g_appctx.want_shutdown = ISC_TRUE;
-	signalled = ISC_TRUE;
-	return (ISC_R_SUCCESS);
-}
-
-#endif /* ISC_PLATFORM_USETHREADS */
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__app_ctxrun(isc_appctx_t *ctx0) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
-	int result;
-	isc_event_t *event, *next_event;
-	isc_task_t *task;
-#ifdef USE_THREADS_SINGLECTX
-	sigset_t sset;
-	char strbuf[ISC_STRERRORSIZE];
-#ifdef HAVE_SIGWAIT
-	int sig;
-#endif
-#endif /* USE_THREADS_SINGLECTX */
-
-	REQUIRE(VALID_APPCTX(ctx));
-
-#ifdef HAVE_LINUXTHREADS
-	REQUIRE(main_thread == pthread_self());
-#endif
-
-	LOCK(&ctx->lock);
-
-	if (!ctx->running) {
-		ctx->running = ISC_TRUE;
-
-		/*
-		 * Post any on-run events (in FIFO order).
-		 */
-		for (event = ISC_LIST_HEAD(ctx->on_run);
-		     event != NULL;
-		     event = next_event) {
-			next_event = ISC_LIST_NEXT(event, ev_link);
-			ISC_LIST_UNLINK(ctx->on_run, event, ev_link);
-			task = event->ev_sender;
-			event->ev_sender = NULL;
-			isc_task_sendanddetach(&task, &event);
-		}
-
-	}
-
-	UNLOCK(&ctx->lock);
-
-#ifndef HAVE_SIGWAIT
-	/*
-	 * Catch SIGHUP.
-	 *
-	 * We do this here to ensure that the signal handler is installed
-	 * (i.e. that it wasn't a "one-shot" handler).
-	 */
-	if (ctx == &isc_g_appctx) {
-		result = handle_signal(SIGHUP, reload_action);
-		if (result != ISC_R_SUCCESS)
-			return (ISC_R_SUCCESS);
-	}
-#endif
-
-#ifdef USE_THREADS_SINGLECTX
-	/*
-	 * When we are using multiple contexts, we don't rely on signals.
-	 */
-	if (ctx != &isc_g_appctx)
-		return (ISC_R_SUCCESS);
-
-	/*
-	 * There is no danger if isc_app_shutdown() is called before we wait
-	 * for signals.  Signals are blocked, so any such signal will simply
-	 * be made pending and we will get it when we call sigwait().
-	 */
-
-	while (!ctx->want_shutdown) {
-#ifdef HAVE_SIGWAIT
-		/*
-		 * Wait for SIGHUP, SIGINT, or SIGTERM.
-		 */
-		if (sigemptyset(&sset) != 0 ||
-		    sigaddset(&sset, SIGHUP) != 0 ||
-		    sigaddset(&sset, SIGINT) != 0 ||
-		    sigaddset(&sset, SIGTERM) != 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_app_run() sigsetops: %s", strbuf);
-			return (ISC_R_UNEXPECTED);
-		}
-
-#ifndef HAVE_UNIXWARE_SIGWAIT
-		result = sigwait(&sset, &sig);
-		if (result == 0) {
-			if (sig == SIGINT || sig == SIGTERM)
-				ctx->want_shutdown = ISC_TRUE;
-			else if (sig == SIGHUP)
-				ctx->want_reload = ISC_TRUE;
-		}
-
-#else /* Using UnixWare sigwait semantics. */
-		sig = sigwait(&sset);
-		if (sig >= 0) {
-			if (sig == SIGINT || sig == SIGTERM)
-				ctx->want_shutdown = ISC_TRUE;
-			else if (sig == SIGHUP)
-				ctx->want_reload = ISC_TRUE;
-		}
-
-#endif /* HAVE_UNIXWARE_SIGWAIT */
-#else  /* Don't have sigwait(). */
-		/*
-		 * Listen for all signals.
-		 */
-		if (sigemptyset(&sset) != 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_app_run() sigsetops: %s",
-					 strbuf);
-			return (ISC_R_UNEXPECTED);
-		}
-		result = sigsuspend(&sset);
-#endif /* HAVE_SIGWAIT */
-
-		if (ctx->want_reload) {
-			ctx->want_reload = ISC_FALSE;
-			return (ISC_R_RELOAD);
-		}
-
-		if (ctx->want_shutdown && ctx->blocked)
-			exit(1);
-	}
-
-#else /* USE_THREADS_SINGLECTX */
-
-	(void)isc__taskmgr_dispatch(ctx->taskmgr);
-
-	result = evloop(ctx);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-#endif /* USE_THREADS_SINGLECTX */
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__app_run() {
-	return (isc__app_ctxrun((isc_appctx_t *)&isc_g_appctx));
-}
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__app_ctxshutdown(isc_appctx_t *ctx0) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
-	isc_boolean_t want_kill = ISC_TRUE;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(VALID_APPCTX(ctx));
-
-	LOCK(&ctx->lock);
-
-	REQUIRE(ctx->running);
-
-	if (ctx->shutdown_requested)
-		want_kill = ISC_FALSE;
-	else
-		ctx->shutdown_requested = ISC_TRUE;
-
-	UNLOCK(&ctx->lock);
-
-	if (want_kill) {
-		if (ctx != &isc_g_appctx)
-			ctx->want_shutdown = ISC_TRUE;
-		else {
-#ifdef HAVE_LINUXTHREADS
-			int result;
-
-			result = pthread_kill(main_thread, SIGTERM);
-			if (result != 0) {
-				isc__strerror(result, strbuf, sizeof(strbuf));
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 "isc_app_shutdown() "
-						 "pthread_kill: %s",
-						 strbuf);
-				return (ISC_R_UNEXPECTED);
-			}
-#else
-			if (kill(getpid(), SIGTERM) < 0) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 "isc_app_shutdown() "
-						 "kill: %s", strbuf);
-				return (ISC_R_UNEXPECTED);
-			}
-#endif	/* HAVE_LINUXTHREADS */
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__app_shutdown() {
-	return (isc__app_ctxshutdown((isc_appctx_t *)&isc_g_appctx));
-}
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__app_ctxsuspend(isc_appctx_t *ctx0) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
-	isc_boolean_t want_kill = ISC_TRUE;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(VALID_APPCTX(ctx));
-
-	LOCK(&ctx->lock);
-
-	REQUIRE(ctx->running);
-
-	/*
-	 * Don't send the reload signal if we're shutting down.
-	 */
-	if (ctx->shutdown_requested)
-		want_kill = ISC_FALSE;
-
-	UNLOCK(&ctx->lock);
-
-	if (want_kill) {
-		if (ctx != &isc_g_appctx)
-			ctx->want_reload = ISC_TRUE;
-		else {
-#ifdef HAVE_LINUXTHREADS
-			int result;
-
-			result = pthread_kill(main_thread, SIGHUP);
-			if (result != 0) {
-				isc__strerror(result, strbuf, sizeof(strbuf));
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 "isc_app_reload() "
-						 "pthread_kill: %s",
-						 strbuf);
-				return (ISC_R_UNEXPECTED);
-			}
-#else
-			if (kill(getpid(), SIGHUP) < 0) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 "isc_app_reload() "
-						 "kill: %s", strbuf);
-				return (ISC_R_UNEXPECTED);
-			}
-#endif
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__app_reload(void) {
-	return (isc__app_ctxsuspend((isc_appctx_t *)&isc_g_appctx));
-}
-
-ISC_APPFUNC_SCOPE void
-isc__app_ctxfinish(isc_appctx_t *ctx0) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
-
-	REQUIRE(VALID_APPCTX(ctx));
-
-	DESTROYLOCK(&ctx->lock);
-}
-
-ISC_APPFUNC_SCOPE void
-isc__app_finish(void) {
-	isc__app_ctxfinish((isc_appctx_t *)&isc_g_appctx);
-}
-
-ISC_APPFUNC_SCOPE void
-isc__app_block(void) {
-#ifdef ISC_PLATFORM_USETHREADS
-	sigset_t sset;
-#endif /* ISC_PLATFORM_USETHREADS */
-	REQUIRE(isc_g_appctx.running);
-	REQUIRE(!isc_g_appctx.blocked);
-
-	isc_g_appctx.blocked = ISC_TRUE;
-#ifdef ISC_PLATFORM_USETHREADS
-	blockedthread = pthread_self();
-	RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
-		      sigaddset(&sset, SIGINT) == 0 &&
-		      sigaddset(&sset, SIGTERM) == 0);
-	RUNTIME_CHECK(pthread_sigmask(SIG_UNBLOCK, &sset, NULL) == 0);
-#endif /* ISC_PLATFORM_USETHREADS */
-}
-
-ISC_APPFUNC_SCOPE void
-isc__app_unblock(void) {
-#ifdef ISC_PLATFORM_USETHREADS
-	sigset_t sset;
-#endif /* ISC_PLATFORM_USETHREADS */
-
-	REQUIRE(isc_g_appctx.running);
-	REQUIRE(isc_g_appctx.blocked);
-
-	isc_g_appctx.blocked = ISC_FALSE;
-
-#ifdef ISC_PLATFORM_USETHREADS
-	REQUIRE(blockedthread == pthread_self());
-
-	RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
-		      sigaddset(&sset, SIGINT) == 0 &&
-		      sigaddset(&sset, SIGTERM) == 0);
-	RUNTIME_CHECK(pthread_sigmask(SIG_BLOCK, &sset, NULL) == 0);
-#endif /* ISC_PLATFORM_USETHREADS */
-}
-
-ISC_APPFUNC_SCOPE isc_result_t
-isc__appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
-	isc__appctx_t *ctx;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(ctxp != NULL && *ctxp == NULL);
-
-	ctx = isc_mem_get(mctx, sizeof(*ctx));
-	if (ctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	ctx->common.impmagic = APPCTX_MAGIC;
-	ctx->common.magic = ISCAPI_APPCTX_MAGIC;
-	ctx->common.methods = &appmethods.methods;
-
-	ctx->mctx = NULL;
-	isc_mem_attach(mctx, &ctx->mctx);
-
-	ctx->taskmgr = NULL;
-	ctx->socketmgr = NULL;
-	ctx->timermgr = NULL;
-
-	*ctxp = (isc_appctx_t *)ctx;
-
-	return (ISC_R_SUCCESS);
-}
-
-ISC_APPFUNC_SCOPE void
-isc__appctx_destroy(isc_appctx_t **ctxp) {
-	isc__appctx_t *ctx;
-
-	REQUIRE(ctxp != NULL);
-	ctx = (isc__appctx_t *)*ctxp;
-	REQUIRE(VALID_APPCTX(ctx));
-
-	isc_mem_putanddetach(&ctx->mctx, ctx, sizeof(*ctx));
-
-	*ctxp = NULL;
-}
-
-ISC_APPFUNC_SCOPE void
-isc__appctx_settaskmgr(isc_appctx_t *ctx0, isc_taskmgr_t *taskmgr) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
-
-	REQUIRE(VALID_APPCTX(ctx));
-
-	ctx->taskmgr = taskmgr;
-}
-
-ISC_APPFUNC_SCOPE void
-isc__appctx_setsocketmgr(isc_appctx_t *ctx0, isc_socketmgr_t *socketmgr) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
-
-	REQUIRE(VALID_APPCTX(ctx));
-
-	ctx->socketmgr = socketmgr;
-}
-
-ISC_APPFUNC_SCOPE void
-isc__appctx_settimermgr(isc_appctx_t *ctx0, isc_timermgr_t *timermgr) {
-	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
-
-	REQUIRE(VALID_APPCTX(ctx));
-
-	ctx->timermgr = timermgr;
-}
-
-#ifdef USE_APPIMPREGISTER
-isc_result_t
-isc__app_register() {
-	return (isc_app_register(isc__appctx_create));
-}
-#endif
diff --git a/contrib/bind9/lib/isc/unix/dir.c b/contrib/bind9/lib/isc/unix/dir.c
deleted file mode 100644
index 0d64778..0000000
--- a/contrib/bind9/lib/isc/unix/dir.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file
- * \author  Principal Authors: DCL */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <unistd.h>
-
-#include <isc/dir.h>
-#include <isc/magic.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include "errno2result.h"
-
-#define ISC_DIR_MAGIC		ISC_MAGIC('D', 'I', 'R', '*')
-#define VALID_DIR(dir)		ISC_MAGIC_VALID(dir, ISC_DIR_MAGIC)
-
-void
-isc_dir_init(isc_dir_t *dir) {
-	REQUIRE(dir != NULL);
-
-	dir->entry.name[0] = '\0';
-	dir->entry.length = 0;
-
-	dir->handle = NULL;
-
-	dir->magic = ISC_DIR_MAGIC;
-}
-
-/*!
- * \brief Allocate workspace and open directory stream. If either one fails,
- * NULL will be returned.
- */
-isc_result_t
-isc_dir_open(isc_dir_t *dir, const char *dirname) {
-	char *p;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(VALID_DIR(dir));
-	REQUIRE(dirname != NULL);
-
-	/*
-	 * Copy directory name.  Need to have enough space for the name,
-	 * a possible path separator, the wildcard, and the final NUL.
-	 */
-	if (strlen(dirname) + 3 > sizeof(dir->dirname))
-		/* XXXDCL ? */
-		return (ISC_R_NOSPACE);
-	strcpy(dir->dirname, dirname);
-
-	/*
-	 * Append path separator, if needed, and "*".
-	 */
-	p = dir->dirname + strlen(dir->dirname);
-	if (dir->dirname < p && *(p - 1) != '/')
-		*p++ = '/';
-	*p++ = '*';
-	*p = '\0';
-
-	/*
-	 * Open stream.
-	 */
-	dir->handle = opendir(dirname);
-
-	if (dir->handle == NULL)
-		return isc__errno2result(errno);
-
-	return (result);
-}
-
-/*!
- * \brief Return previously retrieved file or get next one.
-
- * Unix's dirent has
- * separate open and read functions, but the Win32 and DOS interfaces open
- * the dir stream and reads the first file in one operation.
- */
-isc_result_t
-isc_dir_read(isc_dir_t *dir) {
-	struct dirent *entry;
-
-	REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
-
-	/*
-	 * Fetch next file in directory.
-	 */
-	entry = readdir(dir->handle);
-
-	if (entry == NULL)
-		return (ISC_R_NOMORE);
-
-	/*
-	 * Make sure that the space for the name is long enough.
-	 */
-	if (sizeof(dir->entry.name) <= strlen(entry->d_name))
-	    return (ISC_R_UNEXPECTED);
-
-	strcpy(dir->entry.name, entry->d_name);
-
-	/*
-	 * Some dirents have d_namlen, but it is not portable.
-	 */
-	dir->entry.length = strlen(entry->d_name);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*!
- * \brief Close directory stream.
- */
-void
-isc_dir_close(isc_dir_t *dir) {
-       REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
-
-       (void)closedir(dir->handle);
-       dir->handle = NULL;
-}
-
-/*!
- * \brief Reposition directory stream at start.
- */
-isc_result_t
-isc_dir_reset(isc_dir_t *dir) {
-	REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
-
-	rewinddir(dir->handle);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_dir_chdir(const char *dirname) {
-	/*!
-	 * \brief Change the current directory to 'dirname'.
-	 */
-
-	REQUIRE(dirname != NULL);
-
-	if (chdir(dirname) < 0)
-		return (isc__errno2result(errno));
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_dir_chroot(const char *dirname) {
-
-	REQUIRE(dirname != NULL);
-
-#ifdef HAVE_CHROOT
-	if (chroot(dirname) < 0 || chdir("/") < 0)
-		return (isc__errno2result(errno));
-
-	return (ISC_R_SUCCESS);
-#else
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-isc_result_t
-isc_dir_createunique(char *templet) {
-	isc_result_t result;
-	char *x;
-	char *p;
-	int i;
-	int pid;
-
-	REQUIRE(templet != NULL);
-
-	/*!
-	 * \brief mkdtemp is not portable, so this emulates it.
-	 */
-
-	pid = getpid();
-
-	/*
-	 * Replace trailing Xs with the process-id, zero-filled.
-	 */
-	for (x = templet + strlen(templet) - 1; *x == 'X' && x >= templet;
-	     x--, pid /= 10)
-		*x = pid % 10 + '0';
-
-	x++;			/* Set x to start of ex-Xs. */
-
-	do {
-		i = mkdir(templet, 0700);
-		if (i == 0 || errno != EEXIST)
-			break;
-
-		/*
-		 * The BSD algorithm.
-		 */
-		p = x;
-		while (*p != '\0') {
-			if (isdigit(*p & 0xff))
-				*p = 'a';
-			else if (*p != 'z')
-				++*p;
-			else {
-				/*
-				 * Reset character and move to next.
-				 */
-				*p++ = 'a';
-				continue;
-			}
-
-			break;
-		}
-
-		if (*p == '\0') {
-			/*
-			 * Tried all combinations.  errno should already
-			 * be EEXIST, but ensure it is anyway for
-			 * isc__errno2result().
-			 */
-			errno = EEXIST;
-			break;
-		}
-	} while (1);
-
-	if (i == -1)
-		result = isc__errno2result(errno);
-	else
-		result = ISC_R_SUCCESS;
-
-	return (result);
-}
diff --git a/contrib/bind9/lib/isc/unix/entropy.c b/contrib/bind9/lib/isc/unix/entropy.c
deleted file mode 100644
index 9c422b5..0000000
--- a/contrib/bind9/lib/isc/unix/entropy.c
+++ /dev/null
@@ -1,604 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: entropy.c,v 1.82 2008/12/01 23:47:45 tbox Exp $ */
-
-/* \file unix/entropy.c
- * \brief
- * This is the system dependent part of the ISC entropy API.
- */
-
-#include <config.h>
-
-#include <sys/param.h>	/* Openserver 5.0.6A and FD_SETSIZE */
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-#ifdef HAVE_NANOSLEEP
-#include <time.h>
-#endif
-#include <unistd.h>
-
-#include <isc/platform.h>
-#include <isc/strerror.h>
-
-#ifdef ISC_PLATFORM_NEEDSYSSELECTH
-#include <sys/select.h>
-#endif
-
-#include "errno2result.h"
-
-/*%
- * There is only one variable in the entropy data structures that is not
- * system independent, but pulling the structure that uses it into this file
- * ultimately means pulling several other independent structures here also to
- * resolve their interdependencies.  Thus only the problem variable's type
- * is defined here.
- */
-#define FILESOURCE_HANDLE_TYPE	int
-
-typedef struct {
-	int	handle;
-	enum	{
-		isc_usocketsource_disconnected,
-		isc_usocketsource_connecting,
-		isc_usocketsource_connected,
-		isc_usocketsource_ndesired,
-		isc_usocketsource_wrote,
-		isc_usocketsource_reading
-	} status;
-	size_t	sz_to_recv;
-} isc_entropyusocketsource_t;
-
-#include "../entropy.c"
-
-static unsigned int
-get_from_filesource(isc_entropysource_t *source, isc_uint32_t desired) {
-	isc_entropy_t *ent = source->ent;
-	unsigned char buf[128];
-	int fd = source->sources.file.handle;
-	ssize_t n, ndesired;
-	unsigned int added;
-
-	if (source->bad)
-		return (0);
-
-	desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
-
-	added = 0;
-	while (desired > 0) {
-		ndesired = ISC_MIN(desired, sizeof(buf));
-		n = read(fd, buf, ndesired);
-		if (n < 0) {
-			if (errno == EAGAIN || errno == EINTR)
-				goto out;
-			goto err;
-		}
-		if (n == 0)
-			goto err;
-
-		entropypool_adddata(ent, buf, n, n * 8);
-		added += n * 8;
-		desired -= n;
-	}
-	goto out;
-
- err:
-	(void)close(fd);
-	source->sources.file.handle = -1;
-	source->bad = ISC_TRUE;
-
- out:
-	return (added);
-}
-
-static unsigned int
-get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
-	isc_entropy_t *ent = source->ent;
-	unsigned char buf[128];
-	int fd = source->sources.usocket.handle;
-	ssize_t n = 0, ndesired;
-	unsigned int added;
-	size_t sz_to_recv = source->sources.usocket.sz_to_recv;
-
-	if (source->bad)
-		return (0);
-
-	desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
-
-	added = 0;
-	while (desired > 0) {
-		ndesired = ISC_MIN(desired, sizeof(buf));
- eagain_loop:
-
-		switch ( source->sources.usocket.status ) {
-		case isc_usocketsource_ndesired:
-			buf[0] = ndesired;
-			if ((n = sendto(fd, buf, 1, 0, NULL, 0)) < 0) {
-				if (errno == EWOULDBLOCK || errno == EINTR ||
-				    errno == ECONNRESET)
-					goto out;
-				goto err;
-			}
-			INSIST(n == 1);
-			source->sources.usocket.status =
-						isc_usocketsource_wrote;
-			goto eagain_loop;
-
-		case isc_usocketsource_connecting:
-		case isc_usocketsource_connected:
-			buf[0] = 1;
-			buf[1] = ndesired;
-			if ((n = sendto(fd, buf, 2, 0, NULL, 0)) < 0) {
-				if (errno == EWOULDBLOCK || errno == EINTR ||
-				    errno == ECONNRESET)
-					goto out;
-				goto err;
-			}
-			if (n == 1) {
-				source->sources.usocket.status =
-					isc_usocketsource_ndesired;
-				goto eagain_loop;
-			}
-			INSIST(n == 2);
-			source->sources.usocket.status =
-						isc_usocketsource_wrote;
-			/*FALLTHROUGH*/
-
-		case isc_usocketsource_wrote:
-			if (recvfrom(fd, buf, 1, 0, NULL, NULL) != 1) {
-				if (errno == EAGAIN) {
-					/*
-					 * The problem of EAGAIN (try again
-					 * later) is a major issue on HP-UX.
-					 * Solaris actually tries the recvfrom
-					 * call again, while HP-UX just dies.
-					 * This code is an attempt to let the
-					 * entropy pool fill back up (at least
-					 * that's what I think the problem is.)
-					 * We go to eagain_loop because if we
-					 * just "break", then the "desired"
-					 * amount gets borked.
-					 */
-#ifdef HAVE_NANOSLEEP
-					struct timespec ts;
-
-					ts.tv_sec = 0;
-					ts.tv_nsec = 1000000;
-					nanosleep(&ts, NULL);
-#else
-					usleep(1000);
-#endif
-					goto eagain_loop;
-				}
-				if (errno == EWOULDBLOCK || errno == EINTR)
-					goto out;
-				goto err;
-			}
-			source->sources.usocket.status =
-					isc_usocketsource_reading;
-			sz_to_recv = buf[0];
-			source->sources.usocket.sz_to_recv = sz_to_recv;
-			if (sz_to_recv > sizeof(buf))
-				goto err;
-			/*FALLTHROUGH*/
-
-		case isc_usocketsource_reading:
-			if (sz_to_recv != 0U) {
-				n = recv(fd, buf, sz_to_recv, 0);
-				if (n < 0) {
-					if (errno == EWOULDBLOCK ||
-					    errno == EINTR)
-						goto out;
-					goto err;
-				}
-			} else
-				n = 0;
-			break;
-
-		default:
-			goto err;
-		}
-
-		if ((size_t)n != sz_to_recv)
-			source->sources.usocket.sz_to_recv -= n;
-		else
-			source->sources.usocket.status =
-				isc_usocketsource_connected;
-
-		if (n == 0)
-			goto out;
-
-		entropypool_adddata(ent, buf, n, n * 8);
-		added += n * 8;
-		desired -= n;
-	}
-	goto out;
-
- err:
-	close(fd);
-	source->bad = ISC_TRUE;
-	source->sources.usocket.status = isc_usocketsource_disconnected;
-	source->sources.usocket.handle = -1;
-
- out:
-	return (added);
-}
-
-/*
- * Poll each source, trying to get data from it to stuff into the entropy
- * pool.
- */
-static void
-fillpool(isc_entropy_t *ent, unsigned int desired, isc_boolean_t blocking) {
-	unsigned int added;
-	unsigned int remaining;
-	unsigned int needed;
-	unsigned int nsource;
-	isc_entropysource_t *source;
-
-	REQUIRE(VALID_ENTROPY(ent));
-
-	needed = desired;
-
-	/*
-	 * This logic is a little strange, so an explanation is in order.
-	 *
-	 * If needed is 0, it means we are being asked to "fill to whatever
-	 * we think is best."  This means that if we have at least a
-	 * partially full pool (say, > 1/4th of the pool) we probably don't
-	 * need to add anything.
-	 *
-	 * Also, we will check to see if the "pseudo" count is too high.
-	 * If it is, try to mix in better data.  Too high is currently
-	 * defined as 1/4th of the pool.
-	 *
-	 * Next, if we are asked to add a specific bit of entropy, make
-	 * certain that we will do so.  Clamp how much we try to add to
-	 * (DIGEST_SIZE * 8 < needed < POOLBITS - entropy).
-	 *
-	 * Note that if we are in a blocking mode, we will only try to
-	 * get as much data as we need, not as much as we might want
-	 * to build up.
-	 */
-	if (needed == 0) {
-		REQUIRE(!blocking);
-
-		if ((ent->pool.entropy >= RND_POOLBITS / 4)
-		    && (ent->pool.pseudo <= RND_POOLBITS / 4))
-			return;
-
-		needed = THRESHOLD_BITS * 4;
-	} else {
-		needed = ISC_MAX(needed, THRESHOLD_BITS);
-		needed = ISC_MIN(needed, RND_POOLBITS);
-	}
-
-	/*
-	 * In any case, clamp how much we need to how much we can add.
-	 */
-	needed = ISC_MIN(needed, RND_POOLBITS - ent->pool.entropy);
-
-	/*
-	 * But wait!  If we're not yet initialized, we need at least
-	 *	THRESHOLD_BITS
-	 * of randomness.
-	 */
-	if (ent->initialized < THRESHOLD_BITS)
-		needed = ISC_MAX(needed, THRESHOLD_BITS - ent->initialized);
-
-	/*
-	 * Poll each file source to see if we can read anything useful from
-	 * it.  XXXMLG When where are multiple sources, we should keep a
-	 * record of which one we last used so we can start from it (or the
-	 * next one) to avoid letting some sources build up entropy while
-	 * others are always drained.
-	 */
-
-	added = 0;
-	remaining = needed;
-	if (ent->nextsource == NULL) {
-		ent->nextsource = ISC_LIST_HEAD(ent->sources);
-		if (ent->nextsource == NULL)
-			return;
-	}
-	source = ent->nextsource;
- again_file:
-	for (nsource = 0; nsource < ent->nsources; nsource++) {
-		unsigned int got;
-
-		if (remaining == 0)
-			break;
-
-		got = 0;
-
-		switch ( source->type ) {
-		case ENTROPY_SOURCETYPE_FILE:
-			got = get_from_filesource(source, remaining);
-			break;
-
-		case ENTROPY_SOURCETYPE_USOCKET:
-			got = get_from_usocketsource(source, remaining);
-			break;
-		}
-
-		added += got;
-
-		remaining -= ISC_MIN(remaining, got);
-
-		source = ISC_LIST_NEXT(source, link);
-		if (source == NULL)
-			source = ISC_LIST_HEAD(ent->sources);
-	}
-	ent->nextsource = source;
-
-	if (blocking && remaining != 0) {
-		int fds;
-
-		fds = wait_for_sources(ent);
-		if (fds > 0)
-			goto again_file;
-	}
-
-	/*
-	 * Here, if there are bits remaining to be had and we can block,
-	 * check to see if we have a callback source.  If so, call them.
-	 */
-	source = ISC_LIST_HEAD(ent->sources);
-	while ((remaining != 0) && (source != NULL)) {
-		unsigned int got;
-
-		got = 0;
-
-		if (source->type == ENTROPY_SOURCETYPE_CALLBACK)
-			got = get_from_callback(source, remaining, blocking);
-
-		added += got;
-		remaining -= ISC_MIN(remaining, got);
-
-		if (added >= needed)
-			break;
-
-		source = ISC_LIST_NEXT(source, link);
-	}
-
-	/*
-	 * Mark as initialized if we've added enough data.
-	 */
-	if (ent->initialized < THRESHOLD_BITS)
-		ent->initialized += added;
-}
-
-static int
-wait_for_sources(isc_entropy_t *ent) {
-	isc_entropysource_t *source;
-	int maxfd, fd;
-	int cc;
-	fd_set reads;
-	fd_set writes;
-
-	maxfd = -1;
-	FD_ZERO(&reads);
-	FD_ZERO(&writes);
-
-	source = ISC_LIST_HEAD(ent->sources);
-	while (source != NULL) {
-		if (source->type == ENTROPY_SOURCETYPE_FILE) {
-			fd = source->sources.file.handle;
-			if (fd >= 0) {
-				maxfd = ISC_MAX(maxfd, fd);
-				FD_SET(fd, &reads);
-			}
-		}
-		if (source->type == ENTROPY_SOURCETYPE_USOCKET) {
-			fd = source->sources.usocket.handle;
-			if (fd >= 0) {
-				switch (source->sources.usocket.status) {
-				case isc_usocketsource_disconnected:
-					break;
-				case isc_usocketsource_connecting:
-				case isc_usocketsource_connected:
-				case isc_usocketsource_ndesired:
-					maxfd = ISC_MAX(maxfd, fd);
-					FD_SET(fd, &writes);
-					break;
-				case isc_usocketsource_wrote:
-				case isc_usocketsource_reading:
-					maxfd = ISC_MAX(maxfd, fd);
-					FD_SET(fd, &reads);
-					break;
-				}
-			}
-		}
-		source = ISC_LIST_NEXT(source, link);
-	}
-
-	if (maxfd < 0)
-		return (-1);
-
-	cc = select(maxfd + 1, &reads, &writes, NULL, NULL);
-	if (cc < 0)
-		return (-1);
-
-	return (cc);
-}
-
-static void
-destroyfilesource(isc_entropyfilesource_t *source) {
-	(void)close(source->handle);
-}
-
-static void
-destroyusocketsource(isc_entropyusocketsource_t *source) {
-	close(source->handle);
-}
-
-/*
- * Make a fd non-blocking
- */
-static isc_result_t
-make_nonblock(int fd) {
-	int ret;
-	int flags;
-	char strbuf[ISC_STRERRORSIZE];
-#ifdef USE_FIONBIO_IOCTL
-	int on = 1;
-
-	ret = ioctl(fd, FIONBIO, (char *)&on);
-#else
-	flags = fcntl(fd, F_GETFL, 0);
-	flags |= PORT_NONBLOCK;
-	ret = fcntl(fd, F_SETFL, flags);
-#endif
-
-	if (ret == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-#ifdef USE_FIONBIO_IOCTL
-				 "ioctl(%d, FIONBIO, &on): %s", fd,
-#else
-				 "fcntl(%d, F_SETFL, %d): %s", fd, flags,
-#endif
-				 strbuf);
-
-		return (ISC_R_UNEXPECTED);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
-	int fd;
-	struct stat _stat;
-	isc_boolean_t is_usocket = ISC_FALSE;
-	isc_boolean_t is_connected = ISC_FALSE;
-	isc_result_t ret;
-	isc_entropysource_t *source;
-
-	REQUIRE(VALID_ENTROPY(ent));
-	REQUIRE(fname != NULL);
-
-	LOCK(&ent->lock);
-
-	if (stat(fname, &_stat) < 0) {
-		ret = isc__errno2result(errno);
-		goto errout;
-	}
-	/*
-	 * Solaris 2.5.1 does not have support for sockets (S_IFSOCK),
-	 * but it does return type S_IFIFO (the OS believes that
-	 * the socket is a fifo).  This may be an issue if we tell
-	 * the program to look at an actual FIFO as its source of
-	 * entropy.
-	 */
-#if defined(S_ISSOCK)
-	if (S_ISSOCK(_stat.st_mode))
-		is_usocket = ISC_TRUE;
-#endif
-#if defined(S_ISFIFO) && defined(sun)
-	if (S_ISFIFO(_stat.st_mode))
-		is_usocket = ISC_TRUE;
-#endif
-	if (is_usocket)
-		fd = socket(PF_UNIX, SOCK_STREAM, 0);
-	else
-		fd = open(fname, O_RDONLY | PORT_NONBLOCK, 0);
-
-	if (fd < 0) {
-		ret = isc__errno2result(errno);
-		goto errout;
-	}
-
-	ret = make_nonblock(fd);
-	if (ret != ISC_R_SUCCESS)
-		goto closefd;
-
-	if (is_usocket) {
-		struct sockaddr_un sname;
-
-		memset(&sname, 0, sizeof(sname));
-		sname.sun_family = AF_UNIX;
-		strlcpy(sname.sun_path, fname, sizeof(sname.sun_path));
-#ifdef ISC_PLATFORM_HAVESALEN
-#if !defined(SUN_LEN)
-#define SUN_LEN(su) \
-	(sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))
-#endif
-		sname.sun_len = SUN_LEN(&sname);
-#endif
-
-		if (connect(fd, (struct sockaddr *) &sname,
-			    sizeof(struct sockaddr_un)) < 0) {
-			if (errno != EINPROGRESS) {
-				ret = isc__errno2result(errno);
-				goto closefd;
-			}
-		} else
-			is_connected = ISC_TRUE;
-	}
-
-	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
-	if (source == NULL) {
-		ret = ISC_R_NOMEMORY;
-		goto closefd;
-	}
-
-	/*
-	 * From here down, no failures can occur.
-	 */
-	source->magic = SOURCE_MAGIC;
-	source->ent = ent;
-	source->total = 0;
-	source->bad = ISC_FALSE;
-	memset(source->name, 0, sizeof(source->name));
-	ISC_LINK_INIT(source, link);
-	if (is_usocket) {
-		source->sources.usocket.handle = fd;
-		if (is_connected)
-			source->sources.usocket.status =
-					isc_usocketsource_connected;
-		else
-			source->sources.usocket.status =
-					isc_usocketsource_connecting;
-		source->sources.usocket.sz_to_recv = 0;
-		source->type = ENTROPY_SOURCETYPE_USOCKET;
-	} else {
-		source->sources.file.handle = fd;
-		source->type = ENTROPY_SOURCETYPE_FILE;
-	}
-
-	/*
-	 * Hook it into the entropy system.
-	 */
-	ISC_LIST_APPEND(ent->sources, source, link);
-	ent->nsources++;
-
-	UNLOCK(&ent->lock);
-	return (ISC_R_SUCCESS);
-
- closefd:
-	(void)close(fd);
-
- errout:
-	UNLOCK(&ent->lock);
-
-	return (ret);
-}
diff --git a/contrib/bind9/lib/isc/unix/errno2result.c b/contrib/bind9/lib/isc/unix/errno2result.c
deleted file mode 100644
index f20aa29..0000000
--- a/contrib/bind9/lib/isc/unix/errno2result.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/result.h>
-#include <isc/strerror.h>
-#include <isc/util.h>
-
-#include "errno2result.h"
-
-/*%
- * Convert a POSIX errno value into an isc_result_t.  The
- * list of supported errno values is not complete; new users
- * of this function should add any expected errors that are
- * not already there.
- */
-isc_result_t
-isc___errno2result(int posixerrno, const char *file, unsigned int line) {
-	char strbuf[ISC_STRERRORSIZE];
-
-	switch (posixerrno) {
-	case ENOTDIR:
-	case ELOOP:
-	case EINVAL:		/* XXX sometimes this is not for files */
-	case ENAMETOOLONG:
-	case EBADF:
-		return (ISC_R_INVALIDFILE);
-	case ENOENT:
-		return (ISC_R_FILENOTFOUND);
-	case EACCES:
-	case EPERM:
-		return (ISC_R_NOPERM);
-	case EEXIST:
-		return (ISC_R_FILEEXISTS);
-	case EIO:
-		return (ISC_R_IOERROR);
-	case ENOMEM:
-		return (ISC_R_NOMEMORY);
-	case ENFILE:
-	case EMFILE:
-		return (ISC_R_TOOMANYOPENFILES);
-	case EPIPE:
-#ifdef ECONNRESET
-	case ECONNRESET:
-#endif
-#ifdef ECONNABORTED
-	case ECONNABORTED:
-#endif
-		return (ISC_R_CONNECTIONRESET);
-#ifdef ENOTCONN
-	case ENOTCONN:
-		return (ISC_R_NOTCONNECTED);
-#endif
-#ifdef ETIMEDOUT
-	case ETIMEDOUT:
-		return (ISC_R_TIMEDOUT);
-#endif
-#ifdef ENOBUFS
-	case ENOBUFS:
-		return (ISC_R_NORESOURCES);
-#endif
-#ifdef EAFNOSUPPORT
-	case EAFNOSUPPORT:
-		return (ISC_R_FAMILYNOSUPPORT);
-#endif
-#ifdef ENETDOWN
-	case ENETDOWN:
-		return (ISC_R_NETDOWN);
-#endif
-#ifdef EHOSTDOWN
-	case EHOSTDOWN:
-		return (ISC_R_HOSTDOWN);
-#endif
-#ifdef ENETUNREACH
-	case ENETUNREACH:
-		return (ISC_R_NETUNREACH);
-#endif
-#ifdef EHOSTUNREACH
-	case EHOSTUNREACH:
-		return (ISC_R_HOSTUNREACH);
-#endif
-#ifdef EADDRINUSE
-	case EADDRINUSE:
-		return (ISC_R_ADDRINUSE);
-#endif
-	case EADDRNOTAVAIL:
-		return (ISC_R_ADDRNOTAVAIL);
-	case ECONNREFUSED:
-		return (ISC_R_CONNREFUSED);
-	default:
-		isc__strerror(posixerrno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(file, line, "unable to convert errno "
-				 "to isc_result: %d: %s",
-				 posixerrno, strbuf);
-		/*
-		 * XXXDCL would be nice if perhaps this function could
-		 * return the system's error string, so the caller
-		 * might have something more descriptive than "unexpected
-		 * error" to log with.
-		 */
-		return (ISC_R_UNEXPECTED);
-	}
-}
diff --git a/contrib/bind9/lib/isc/unix/errno2result.h b/contrib/bind9/lib/isc/unix/errno2result.h
deleted file mode 100644
index 1e49ed1..0000000
--- a/contrib/bind9/lib/isc/unix/errno2result.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef UNIX_ERRNO2RESULT_H
-#define UNIX_ERRNO2RESULT_H 1
-
-/*! \file */
-
-/* XXXDCL this should be moved to lib/isc/include/isc/errno2result.h. */
-
-#include <errno.h>		/* Provides errno. */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define isc__errno2result(x) isc___errno2result(x, __FILE__, __LINE__)
-
-isc_result_t
-isc___errno2result(int posixerrno, const char *file, unsigned int line);
-
-ISC_LANG_ENDDECLS
-
-#endif /* UNIX_ERRNO2RESULT_H */
diff --git a/contrib/bind9/lib/isc/unix/file.c b/contrib/bind9/lib/isc/unix/file.c
deleted file mode 100644
index 7bb25d7..0000000
--- a/contrib/bind9/lib/isc/unix/file.c
+++ /dev/null
@@ -1,593 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1987, 1993
- *      The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <time.h>		/* Required for utimes on some platforms. */
-#include <unistd.h>		/* Required for mkstemp on NetBSD. */
-
-
-#include <sys/stat.h>
-#include <sys/time.h>
-
-#include <isc/dir.h>
-#include <isc/file.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/random.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include "errno2result.h"
-
-/*
- * XXXDCL As the API for accessing file statistics undoubtedly gets expanded,
- * it might be good to provide a mechanism that allows for the results
- * of a previous stat() to be used again without having to do another stat,
- * such as perl's mechanism of using "_" in place of a file name to indicate
- * that the results of the last stat should be used.  But then you get into
- * annoying MP issues.   BTW, Win32 has stat().
- */
-static isc_result_t
-file_stats(const char *file, struct stat *stats) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(file != NULL);
-	REQUIRE(stats != NULL);
-
-	if (stat(file, stats) != 0)
-		result = isc__errno2result(errno);
-
-	return (result);
-}
-
-isc_result_t
-isc_file_mode(const char *file, mode_t *modep) {
-	isc_result_t result;
-	struct stat stats;
-
-	REQUIRE(modep != NULL);
-
-	result = file_stats(file, &stats);
-	if (result == ISC_R_SUCCESS)
-		*modep = (stats.st_mode & 07777);
-
-	return (result);
-}
-
-isc_result_t
-isc_file_getmodtime(const char *file, isc_time_t *time) {
-	isc_result_t result;
-	struct stat stats;
-
-	REQUIRE(file != NULL);
-	REQUIRE(time != NULL);
-
-	result = file_stats(file, &stats);
-
-	if (result == ISC_R_SUCCESS)
-		/*
-		 * XXXDCL some operating systems provide nanoseconds, too,
-		 * such as BSD/OS via st_mtimespec.
-		 */
-		isc_time_set(time, stats.st_mtime, 0);
-
-	return (result);
-}
-
-isc_result_t
-isc_file_settime(const char *file, isc_time_t *time) {
-	struct timeval times[2];
-
-	REQUIRE(file != NULL && time != NULL);
-
-	/*
-	 * tv_sec is at least a 32 bit quantity on all platforms we're
-	 * dealing with, but it is signed on most (all?) of them,
-	 * so we need to make sure the high bit isn't set.  This unfortunately
-	 * loses when either:
-	 *   * tv_sec becomes a signed 64 bit integer but long is 32 bits
-	 *	and isc_time_seconds > LONG_MAX, or
-	 *   * isc_time_seconds is changed to be > 32 bits but long is 32 bits
-	 *      and isc_time_seconds has at least 33 significant bits.
-	 */
-	times[0].tv_sec = times[1].tv_sec = (long)isc_time_seconds(time);
-
-	/*
-	 * Here is the real check for the high bit being set.
-	 */
-	if ((times[0].tv_sec &
-	     (1ULL << (sizeof(times[0].tv_sec) * CHAR_BIT - 1))) != 0)
-		return (ISC_R_RANGE);
-
-	/*
-	 * isc_time_nanoseconds guarantees a value that divided by 1000 will
-	 * fit into the minimum possible size tv_usec field.  Unfortunately,
-	 * we don't know what that type is so can't cast directly ... but
-	 * we can at least cast to signed so the IRIX compiler shuts up.
-	 */
-	times[0].tv_usec = times[1].tv_usec =
-		(isc_int32_t)(isc_time_nanoseconds(time) / 1000);
-
-	if (utimes(file, times) < 0)
-		return (isc__errno2result(errno));
-
-	return (ISC_R_SUCCESS);
-}
-
-#undef TEMPLATE
-#define TEMPLATE "tmp-XXXXXXXXXX" /*%< 14 characters. */
-
-isc_result_t
-isc_file_mktemplate(const char *path, char *buf, size_t buflen) {
-	return (isc_file_template(path, TEMPLATE, buf, buflen));
-}
-
-isc_result_t
-isc_file_template(const char *path, const char *templet, char *buf,
-			size_t buflen) {
-	char *s;
-
-	REQUIRE(path != NULL);
-	REQUIRE(templet != NULL);
-	REQUIRE(buf != NULL);
-
-	s = strrchr(templet, '/');
-	if (s != NULL)
-		templet = s + 1;
-
-	s = strrchr(path, '/');
-
-	if (s != NULL) {
-		if ((s - path + 1 + strlen(templet) + 1) > buflen)
-			return (ISC_R_NOSPACE);
-
-		strncpy(buf, path, s - path + 1);
-		buf[s - path + 1] = '\0';
-		strcat(buf, templet);
-	} else {
-		if ((strlen(templet) + 1) > buflen)
-			return (ISC_R_NOSPACE);
-
-		strcpy(buf, templet);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static char alphnum[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-
-isc_result_t
-isc_file_renameunique(const char *file, char *templet) {
-	char *x;
-	char *cp;
-	isc_uint32_t which;
-
-	REQUIRE(file != NULL);
-	REQUIRE(templet != NULL);
-
-	cp = templet;
-	while (*cp != '\0')
-		cp++;
-	if (cp == templet)
-		return (ISC_R_FAILURE);
-
-	x = cp--;
-	while (cp >= templet && *cp == 'X') {
-		isc_random_get(&which);
-		*cp = alphnum[which % (sizeof(alphnum) - 1)];
-		x = cp--;
-	}
-	while (link(file, templet) == -1) {
-		if (errno != EEXIST)
-			return (isc__errno2result(errno));
-		for (cp = x;;) {
-			char *t;
-			if (*cp == '\0')
-				return (ISC_R_FAILURE);
-			t = strchr(alphnum, *cp);
-			if (t == NULL || *++t == '\0')
-				*cp++ = alphnum[0];
-			else {
-				*cp = *t;
-				break;
-			}
-		}
-	}
-	if (unlink(file) < 0)
-		if (errno != ENOENT)
-			return (isc__errno2result(errno));
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_file_openunique(char *templet, FILE **fp) {
-	int mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
-	return (isc_file_openuniquemode(templet, mode, fp));
-}
-
-isc_result_t
-isc_file_openuniqueprivate(char *templet, FILE **fp) {
-	int mode = S_IWUSR|S_IRUSR;
-	return (isc_file_openuniquemode(templet, mode, fp));
-}
-
-isc_result_t
-isc_file_openuniquemode(char *templet, int mode, FILE **fp) {
-	int fd;
-	FILE *f;
-	isc_result_t result = ISC_R_SUCCESS;
-	char *x;
-	char *cp;
-	isc_uint32_t which;
-
-	REQUIRE(templet != NULL);
-	REQUIRE(fp != NULL && *fp == NULL);
-
-	cp = templet;
-	while (*cp != '\0')
-		cp++;
-	if (cp == templet)
-		return (ISC_R_FAILURE);
-
-	x = cp--;
-	while (cp >= templet && *cp == 'X') {
-		isc_random_get(&which);
-		*cp = alphnum[which % (sizeof(alphnum) - 1)];
-		x = cp--;
-	}
-
-
-	while ((fd = open(templet, O_RDWR|O_CREAT|O_EXCL, mode)) == -1) {
-		if (errno != EEXIST)
-			return (isc__errno2result(errno));
-		for (cp = x;;) {
-			char *t;
-			if (*cp == '\0')
-				return (ISC_R_FAILURE);
-			t = strchr(alphnum, *cp);
-			if (t == NULL || *++t == '\0')
-				*cp++ = alphnum[0];
-			else {
-				*cp = *t;
-				break;
-			}
-		}
-	}
-	f = fdopen(fd, "w+");
-	if (f == NULL) {
-		result = isc__errno2result(errno);
-		if (remove(templet) < 0) {
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_FILE, ISC_LOG_ERROR,
-				      "remove '%s': failed", templet);
-		}
-		(void)close(fd);
-	} else
-		*fp = f;
-
-	return (result);
-}
-
-isc_result_t
-isc_file_bopenunique(char *templet, FILE **fp) {
-	int mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
-	return (isc_file_openuniquemode(templet, mode, fp));
-}
-
-isc_result_t
-isc_file_bopenuniqueprivate(char *templet, FILE **fp) {
-	int mode = S_IWUSR|S_IRUSR;
-	return (isc_file_openuniquemode(templet, mode, fp));
-}
-
-isc_result_t
-isc_file_bopenuniquemode(char *templet, int mode, FILE **fp) {
-	return (isc_file_openuniquemode(templet, mode, fp));
-}
-
-isc_result_t
-isc_file_remove(const char *filename) {
-	int r;
-
-	REQUIRE(filename != NULL);
-
-	r = unlink(filename);
-	if (r == 0)
-		return (ISC_R_SUCCESS);
-	else
-		return (isc__errno2result(errno));
-}
-
-isc_result_t
-isc_file_rename(const char *oldname, const char *newname) {
-	int r;
-
-	REQUIRE(oldname != NULL);
-	REQUIRE(newname != NULL);
-
-	r = rename(oldname, newname);
-	if (r == 0)
-		return (ISC_R_SUCCESS);
-	else
-		return (isc__errno2result(errno));
-}
-
-isc_boolean_t
-isc_file_exists(const char *pathname) {
-	struct stat stats;
-
-	REQUIRE(pathname != NULL);
-
-	return (ISC_TF(file_stats(pathname, &stats) == ISC_R_SUCCESS));
-}
-
-isc_result_t
-isc_file_isplainfile(const char *filename) {
-	/*
-	 * This function returns success if filename is a plain file.
-	 */
-	struct stat filestat;
-	memset(&filestat,0,sizeof(struct stat));
-
-	if ((stat(filename, &filestat)) == -1)
-		return(isc__errno2result(errno));
-
-	if(! S_ISREG(filestat.st_mode))
-		return(ISC_R_INVALIDFILE);
-
-	return(ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_file_isdirectory(const char *filename) {
-	/*
-	 * This function returns success if filename exists and is a
-	 * directory.
-	 */
-	struct stat filestat;
-	memset(&filestat,0,sizeof(struct stat));
-
-	if ((stat(filename, &filestat)) == -1)
-		return(isc__errno2result(errno));
-
-	if(! S_ISDIR(filestat.st_mode))
-		return(ISC_R_INVALIDFILE);
-
-	return(ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-isc_file_isabsolute(const char *filename) {
-	REQUIRE(filename != NULL);
-	return (ISC_TF(filename[0] == '/'));
-}
-
-isc_boolean_t
-isc_file_iscurrentdir(const char *filename) {
-	REQUIRE(filename != NULL);
-	return (ISC_TF(filename[0] == '.' && filename[1] == '\0'));
-}
-
-isc_boolean_t
-isc_file_ischdiridempotent(const char *filename) {
-	REQUIRE(filename != NULL);
-	if (isc_file_isabsolute(filename))
-		return (ISC_TRUE);
-	if (isc_file_iscurrentdir(filename))
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-const char *
-isc_file_basename(const char *filename) {
-	char *s;
-
-	REQUIRE(filename != NULL);
-
-	s = strrchr(filename, '/');
-	if (s == NULL)
-		return (filename);
-
-	return (s + 1);
-}
-
-isc_result_t
-isc_file_progname(const char *filename, char *buf, size_t buflen) {
-	const char *base;
-	size_t len;
-
-	REQUIRE(filename != NULL);
-	REQUIRE(buf != NULL);
-
-	base = isc_file_basename(filename);
-	len = strlen(base) + 1;
-
-	if (len > buflen)
-		return (ISC_R_NOSPACE);
-	memcpy(buf, base, len);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Put the absolute name of the current directory into 'dirname', which is
- * a buffer of at least 'length' characters.  End the string with the
- * appropriate path separator, such that the final product could be
- * concatenated with a relative pathname to make a valid pathname string.
- */
-static isc_result_t
-dir_current(char *dirname, size_t length) {
-	char *cwd;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	REQUIRE(dirname != NULL);
-	REQUIRE(length > 0U);
-
-	cwd = getcwd(dirname, length);
-
-	if (cwd == NULL) {
-		if (errno == ERANGE)
-			result = ISC_R_NOSPACE;
-		else
-			result = isc__errno2result(errno);
-	} else {
-		if (strlen(dirname) + 1 == length)
-			result = ISC_R_NOSPACE;
-		else if (dirname[1] != '\0')
-			strcat(dirname, "/");
-	}
-
-	return (result);
-}
-
-isc_result_t
-isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
-	isc_result_t result;
-	result = dir_current(path, pathlen);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (strlen(path) + strlen(filename) + 1 > pathlen)
-		return (ISC_R_NOSPACE);
-	strcat(path, filename);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_file_truncate(const char *filename, isc_offset_t size) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	if (truncate(filename, size) < 0)
-		result = isc__errno2result(errno);
-	return (result);
-}
-
-isc_result_t
-isc_file_safecreate(const char *filename, FILE **fp) {
-	isc_result_t result;
-	int flags;
-	struct stat sb;
-	FILE *f;
-	int fd;
-
-	REQUIRE(filename != NULL);
-	REQUIRE(fp != NULL && *fp == NULL);
-
-	result = file_stats(filename, &sb);
-	if (result == ISC_R_SUCCESS) {
-		if ((sb.st_mode & S_IFREG) == 0)
-			return (ISC_R_INVALIDFILE);
-		flags = O_WRONLY | O_TRUNC;
-	} else if (result == ISC_R_FILENOTFOUND) {
-		flags = O_WRONLY | O_CREAT | O_EXCL;
-	} else
-		return (result);
-
-	fd = open(filename, flags, S_IRUSR | S_IWUSR);
-	if (fd == -1)
-		return (isc__errno2result(errno));
-
-	f = fdopen(fd, "w");
-	if (f == NULL) {
-		result = isc__errno2result(errno);
-		close(fd);
-		return (result);
-	}
-
-	*fp = f;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_file_splitpath(isc_mem_t *mctx, char *path, char **dirname, char **basename)
-{
-	char *dir, *file, *slash;
-
-	if (path == NULL)
-		return (ISC_R_INVALIDFILE);
-
-	slash = strrchr(path, '/');
-
-	if (slash == path) {
-		file = ++slash;
-		dir = isc_mem_strdup(mctx, "/");
-	} else if (slash != NULL) {
-		file = ++slash;
-		dir = isc_mem_allocate(mctx, slash - path);
-		if (dir != NULL)
-			strlcpy(dir, path, slash - path);
-	} else {
-		file = path;
-		dir = isc_mem_strdup(mctx, ".");
-	}
-
-	if (dir == NULL)
-		return (ISC_R_NOMEMORY);
-
-	if (*file == '\0') {
-		isc_mem_free(mctx, dir);
-		return (ISC_R_INVALIDFILE);
-	}
-
-	*dirname = dir;
-	*basename = file;
-
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/unix/fsaccess.c b/contrib/bind9/lib/isc/unix/fsaccess.c
deleted file mode 100644
index a2bd89a..0000000
--- a/contrib/bind9/lib/isc/unix/fsaccess.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: fsaccess.c,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <errno.h>
-
-#include "errno2result.h"
-
-/*! \file
- * \brief
- * The OS-independent part of the API is in lib/isc.
- */
-#include "../fsaccess.c"
-
-isc_result_t
-isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
-	struct stat statb;
-	mode_t mode;
-	isc_boolean_t is_dir = ISC_FALSE;
-	isc_fsaccess_t bits;
-	isc_result_t result;
-
-	if (stat(path, &statb) != 0)
-		return (isc__errno2result(errno));
-
-	if ((statb.st_mode & S_IFDIR) != 0)
-		is_dir = ISC_TRUE;
-	else if ((statb.st_mode & S_IFREG) == 0)
-		return (ISC_R_INVALIDFILE);
-
-	result = check_bad_bits(access, is_dir);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	/*
-	 * Done with checking bad bits.  Set mode_t.
-	 */
-	mode = 0;
-
-#define SET_AND_CLEAR1(modebit) \
-	if ((access & bits) != 0) { \
-		mode |= modebit; \
-		access &= ~bits; \
-	}
-#define SET_AND_CLEAR(user, group, other) \
-	SET_AND_CLEAR1(user); \
-	bits <<= STEP; \
-	SET_AND_CLEAR1(group); \
-	bits <<= STEP; \
-	SET_AND_CLEAR1(other);
-
-	bits = ISC_FSACCESS_READ | ISC_FSACCESS_LISTDIRECTORY;
-
-	SET_AND_CLEAR(S_IRUSR, S_IRGRP, S_IROTH);
-
-	bits = ISC_FSACCESS_WRITE |
-	       ISC_FSACCESS_CREATECHILD |
-	       ISC_FSACCESS_DELETECHILD;
-
-	SET_AND_CLEAR(S_IWUSR, S_IWGRP, S_IWOTH);
-
-	bits = ISC_FSACCESS_EXECUTE |
-	       ISC_FSACCESS_ACCESSCHILD;
-
-	SET_AND_CLEAR(S_IXUSR, S_IXGRP, S_IXOTH);
-
-	INSIST(access == 0);
-
-	if (chmod(path, mode) < 0)
-		return (isc__errno2result(errno));
-
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c b/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
deleted file mode 100644
index 637450a..0000000
--- a/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ifiter_getifaddrs.c,v 1.13 2009/09/24 23:48:13 tbox Exp $ */
-
-/*! \file
- * \brief
- * Obtain the list of network interfaces using the getifaddrs(3) library.
- */
-
-#include <ifaddrs.h>
-
-/*% Iterator Magic */
-#define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'G')
-/*% Valid Iterator */
-#define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
-
-#ifdef __linux
-static isc_boolean_t seenv6 = ISC_FALSE;
-#endif
-
-/*% Iterator structure */
-struct isc_interfaceiter {
-	unsigned int		magic;		/*%< Magic number. */
-	isc_mem_t		*mctx;
-	void			*buf;		/*%< (unused) */
-	unsigned int		bufsize;	/*%< (always 0) */
-	struct ifaddrs		*ifaddrs;	/*%< List of ifaddrs */
-	struct ifaddrs		*pos;		/*%< Ptr to current ifaddr */
-	isc_interface_t		current;	/*%< Current interface data. */
-	isc_result_t		result;		/*%< Last result code. */
-#ifdef  __linux
-	FILE *                  proc;
-	char                    entry[ISC_IF_INET6_SZ];
-	isc_result_t            valid;
-#endif
-};
-
-isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
-	isc_interfaceiter_t *iter;
-	isc_result_t result;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(iterp != NULL);
-	REQUIRE(*iterp == NULL);
-
-	iter = isc_mem_get(mctx, sizeof(*iter));
-	if (iter == NULL)
-		return (ISC_R_NOMEMORY);
-
-	iter->mctx = mctx;
-	iter->buf = NULL;
-	iter->bufsize = 0;
-	iter->ifaddrs = NULL;
-#ifdef __linux
-	/*
-	 * Only open "/proc/net/if_inet6" if we have never seen a IPv6
-	 * address returned by getifaddrs().
-	 */
-	if (!seenv6)
-		iter->proc = fopen("/proc/net/if_inet6", "r");
-	else
-		iter->proc = NULL;
-	iter->valid = ISC_R_FAILURE;
-#endif
-
-	if (getifaddrs(&iter->ifaddrs) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_IFITERGETIFADDRS,
-						ISC_MSG_GETIFADDRS,
-						"getting interface "
-						"addresses: getifaddrs: %s"),
-				 strbuf);
-		result = ISC_R_UNEXPECTED;
-		goto failure;
-	}
-
-	/*
-	 * A newly created iterator has an undefined position
-	 * until isc_interfaceiter_first() is called.
-	 */
-	iter->pos = NULL;
-	iter->result = ISC_R_FAILURE;
-
-	iter->magic = IFITER_MAGIC;
-	*iterp = iter;
-	return (ISC_R_SUCCESS);
-
- failure:
-#ifdef __linux
-	if (iter->proc != NULL)
-		fclose(iter->proc);
-#endif
-	if (iter->ifaddrs != NULL) /* just in case */
-		freeifaddrs(iter->ifaddrs);
-	isc_mem_put(mctx, iter, sizeof(*iter));
-	return (result);
-}
-
-/*
- * Get information about the current interface to iter->current.
- * If successful, return ISC_R_SUCCESS.
- * If the interface has an unsupported address family,
- * return ISC_R_IGNORE.
- */
-
-static isc_result_t
-internal_current(isc_interfaceiter_t *iter) {
-	struct ifaddrs *ifa;
-	int family;
-	unsigned int namelen;
-
-	REQUIRE(VALID_IFITER(iter));
-
-	ifa = iter->pos;
-
-#ifdef __linux
-	if (iter->pos == NULL)
-		return (linux_if_inet6_current(iter));
-#endif
-
-	INSIST(ifa != NULL);
-	INSIST(ifa->ifa_name != NULL);
-
-	if (ifa->ifa_addr == NULL)
-		return (ISC_R_IGNORE);
-
-	family = ifa->ifa_addr->sa_family;
-	if (family != AF_INET && family != AF_INET6)
-		return (ISC_R_IGNORE);
-
-#ifdef __linux
-	if (family == AF_INET6)
-		seenv6 = ISC_TRUE;
-#endif
-
-	memset(&iter->current, 0, sizeof(iter->current));
-
-	namelen = strlen(ifa->ifa_name);
-	if (namelen > sizeof(iter->current.name) - 1)
-		namelen = sizeof(iter->current.name) - 1;
-
-	memset(iter->current.name, 0, sizeof(iter->current.name));
-	memcpy(iter->current.name, ifa->ifa_name, namelen);
-
-	iter->current.flags = 0;
-
-	if ((ifa->ifa_flags & IFF_UP) != 0)
-		iter->current.flags |= INTERFACE_F_UP;
-
-	if ((ifa->ifa_flags & IFF_POINTOPOINT) != 0)
-		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
-
-	if ((ifa->ifa_flags & IFF_LOOPBACK) != 0)
-		iter->current.flags |= INTERFACE_F_LOOPBACK;
-
-	iter->current.af = family;
-
-	get_addr(family, &iter->current.address, ifa->ifa_addr, ifa->ifa_name);
-
-	if (ifa->ifa_netmask != NULL)
-		get_addr(family, &iter->current.netmask, ifa->ifa_netmask,
-			 ifa->ifa_name);
-
-	if (ifa->ifa_dstaddr != NULL &&
-	    (iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0)
-		get_addr(family, &iter->current.dstaddress, ifa->ifa_dstaddr,
-			 ifa->ifa_name);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Step the iterator to the next interface.  Unlike
- * isc_interfaceiter_next(), this may leave the iterator
- * positioned on an interface that will ultimately
- * be ignored.  Return ISC_R_NOMORE if there are no more
- * interfaces, otherwise ISC_R_SUCCESS.
- */
-static isc_result_t
-internal_next(isc_interfaceiter_t *iter) {
-
-	if (iter->pos != NULL)
-		iter->pos = iter->pos->ifa_next;
-	if (iter->pos == NULL) {
-#ifdef __linux
-		if (!seenv6)
-			return (linux_if_inet6_next(iter));
-#endif
-		return (ISC_R_NOMORE);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-internal_destroy(isc_interfaceiter_t *iter) {
-
-#ifdef __linux
-	if (iter->proc != NULL)
-		fclose(iter->proc);
-	iter->proc = NULL;
-#endif
-	if (iter->ifaddrs)
-		freeifaddrs(iter->ifaddrs);
-	iter->ifaddrs = NULL;
-}
-
-static
-void internal_first(isc_interfaceiter_t *iter) {
-
-#ifdef __linux
-	linux_if_inet6_first(iter);
-#endif
-	iter->pos = iter->ifaddrs;
-}
diff --git a/contrib/bind9/lib/isc/unix/ifiter_ioctl.c b/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
deleted file mode 100644
index 38c34fd..0000000
--- a/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
+++ /dev/null
@@ -1,931 +0,0 @@
-/*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ifiter_ioctl.c,v 1.62 2009/01/18 23:48:14 tbox Exp $ */
-
-/*! \file
- * \brief
- * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
- * See netintro(4).
- */
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-#ifdef ISC_PLATFORM_HAVEIF_LADDRCONF
-#define lifc_len iflc_len
-#define lifc_buf iflc_buf
-#define lifc_req iflc_req
-#define LIFCONF if_laddrconf
-#else
-#define ISC_HAVE_LIFC_FAMILY 1
-#define ISC_HAVE_LIFC_FLAGS 1
-#define LIFCONF lifconf
-#endif
-
-#ifdef ISC_PLATFORM_HAVEIF_LADDRREQ
-#define lifr_addr iflr_addr
-#define lifr_name iflr_name
-#define lifr_dstaddr iflr_dstaddr
-#define lifr_flags iflr_flags
-#define ss_family sa_family
-#define LIFREQ if_laddrreq
-#else
-#define LIFREQ lifreq
-#endif
-#endif
-
-#define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'T')
-#define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
-
-struct isc_interfaceiter {
-	unsigned int		magic;		/* Magic number. */
-	isc_mem_t		*mctx;
-	int			mode;
-	int			socket;
-	struct ifconf 		ifc;
-	void			*buf;		/* Buffer for sysctl data. */
-	unsigned int		bufsize;	/* Bytes allocated. */
-	unsigned int		pos;		/* Current offset in
-						   SIOCGIFCONF data */
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-	int			socket6;
-	struct LIFCONF 		lifc;
-	void			*buf6;		/* Buffer for sysctl data. */
-	unsigned int		bufsize6;	/* Bytes allocated. */
-	unsigned int		pos6;		/* Current offset in
-						   SIOCGLIFCONF data */
-	isc_result_t		result6;	/* Last result code. */
-	isc_boolean_t		first6;
-#endif
-#ifdef HAVE_TRUCLUSTER
-	int			clua_context;	/* Cluster alias context */
-	isc_boolean_t		clua_done;
-	struct sockaddr		clua_sa;
-#endif
-#ifdef	__linux
-	FILE *			proc;
-	char			entry[ISC_IF_INET6_SZ];
-	isc_result_t		valid;
-#endif
-	isc_interface_t		current;	/* Current interface data. */
-	isc_result_t		result;		/* Last result code. */
-};
-
-#ifdef HAVE_TRUCLUSTER
-#include <clua/clua.h>
-#include <sys/socket.h>
-#endif
-
-
-/*%
- * Size of buffer for SIOCGLIFCONF, in bytes.  We assume no sane system
- * will have more than a megabyte of interface configuration data.
- */
-#define IFCONF_BUFSIZE_INITIAL	4096
-#define IFCONF_BUFSIZE_MAX	1048576
-
-#ifdef __linux
-#ifndef IF_NAMESIZE
-# ifdef IFNAMSIZ
-#  define IF_NAMESIZE  IFNAMSIZ
-# else
-#  define IF_NAMESIZE 16
-# endif
-#endif
-#endif
-
-static isc_result_t
-getbuf4(isc_interfaceiter_t *iter) {
-	char strbuf[ISC_STRERRORSIZE];
-
-	iter->bufsize = IFCONF_BUFSIZE_INITIAL;
-
-	for (;;) {
-		iter->buf = isc_mem_get(iter->mctx, iter->bufsize);
-		if (iter->buf == NULL)
-			return (ISC_R_NOMEMORY);
-
-		memset(&iter->ifc.ifc_len, 0, sizeof(iter->ifc.ifc_len));
-		iter->ifc.ifc_len = iter->bufsize;
-		iter->ifc.ifc_buf = iter->buf;
-		/*
-		 * Ignore the HP/UX warning about "integer overflow during
-		 * conversion".  It comes from its own macro definition,
-		 * and is really hard to shut up.
-		 */
-		if (ioctl(iter->socket, SIOCGIFCONF, (char *)&iter->ifc)
-		    == -1) {
-			if (errno != EINVAL) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_IFITERIOCTL,
-							ISC_MSG_GETIFCONFIG,
-							"get interface "
-							"configuration: %s"),
-						 strbuf);
-				goto unexpected;
-			}
-			/*
-			 * EINVAL.  Retry with a bigger buffer.
-			 */
-		} else {
-			/*
-			 * The ioctl succeeded.
-			 * Some OS's just return what will fit rather
-			 * than set EINVAL if the buffer is too small
-			 * to fit all the interfaces in.  If
-			 * ifc.lifc_len is too near to the end of the
-			 * buffer we will grow it just in case and
-			 * retry.
-			 */
-			if (iter->ifc.ifc_len + 2 * sizeof(struct ifreq)
-			    < iter->bufsize)
-				break;
-		}
-		if (iter->bufsize >= IFCONF_BUFSIZE_MAX) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_IFITERIOCTL,
-							ISC_MSG_BUFFERMAX,
-							"get interface "
-							"configuration: "
-							"maximum buffer "
-							"size exceeded"));
-			goto unexpected;
-		}
-		isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
-
-		iter->bufsize *= 2;
-	}
-	return (ISC_R_SUCCESS);
-
- unexpected:
-	isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
-	iter->buf = NULL;
-	return (ISC_R_UNEXPECTED);
-}
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-static isc_result_t
-getbuf6(isc_interfaceiter_t *iter) {
-	char strbuf[ISC_STRERRORSIZE];
-	isc_result_t result;
-
-	iter->bufsize6 = IFCONF_BUFSIZE_INITIAL;
-
-	for (;;) {
-		iter->buf6 = isc_mem_get(iter->mctx, iter->bufsize6);
-		if (iter->buf6 == NULL)
-			return (ISC_R_NOMEMORY);
-
-		memset(&iter->lifc, 0, sizeof(iter->lifc));
-#ifdef ISC_HAVE_LIFC_FAMILY
-		iter->lifc.lifc_family = AF_INET6;
-#endif
-#ifdef ISC_HAVE_LIFC_FLAGS
-		iter->lifc.lifc_flags = 0;
-#endif
-		iter->lifc.lifc_len = iter->bufsize6;
-		iter->lifc.lifc_buf = iter->buf6;
-		/*
-		 * Ignore the HP/UX warning about "integer overflow during
-		 * conversion".  It comes from its own macro definition,
-		 * and is really hard to shut up.
-		 */
-		if (ioctl(iter->socket6, SIOCGLIFCONF, (char *)&iter->lifc)
-		    == -1) {
-#ifdef __hpux
-			/*
-			 * IPv6 interface scanning is not available on all
-			 * kernels w/ IPv6 sockets.
-			 */
-			if (errno == ENOENT) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-					      ISC_LOGMODULE_INTERFACE,
-					      ISC_LOG_DEBUG(1),
-					      isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_IFITERIOCTL,
-							ISC_MSG_GETIFCONFIG,
-							"get interface "
-							"configuration: %s"),
-					       strbuf);
-				result = ISC_R_FAILURE;
-				goto cleanup;
-			}
-#endif
-			if (errno != EINVAL) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_IFITERIOCTL,
-							ISC_MSG_GETIFCONFIG,
-							"get interface "
-							"configuration: %s"),
-						 strbuf);
-				result = ISC_R_UNEXPECTED;
-				goto cleanup;
-			}
-			/*
-			 * EINVAL.  Retry with a bigger buffer.
-			 */
-		} else {
-			/*
-			 * The ioctl succeeded.
-			 * Some OS's just return what will fit rather
-			 * than set EINVAL if the buffer is too small
-			 * to fit all the interfaces in.  If
-			 * ifc.ifc_len is too near to the end of the
-			 * buffer we will grow it just in case and
-			 * retry.
-			 */
-			if (iter->lifc.lifc_len + 2 * sizeof(struct LIFREQ)
-			    < iter->bufsize6)
-				break;
-		}
-		if (iter->bufsize6 >= IFCONF_BUFSIZE_MAX) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_IFITERIOCTL,
-							ISC_MSG_BUFFERMAX,
-							"get interface "
-							"configuration: "
-							"maximum buffer "
-							"size exceeded"));
-			result = ISC_R_UNEXPECTED;
-			goto cleanup;
-		}
-		isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
-
-		iter->bufsize6 *= 2;
-	}
-
-	if (iter->lifc.lifc_len != 0)
-		iter->mode = 6;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
-	iter->buf6 = NULL;
-	return (result);
-}
-#endif
-
-isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
-	isc_interfaceiter_t *iter;
-	isc_result_t result;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(iterp != NULL);
-	REQUIRE(*iterp == NULL);
-
-	iter = isc_mem_get(mctx, sizeof(*iter));
-	if (iter == NULL)
-		return (ISC_R_NOMEMORY);
-
-	iter->mctx = mctx;
-	iter->mode = 4;
-	iter->buf = NULL;
-	iter->pos = (unsigned int) -1;
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-	iter->buf6 = NULL;
-	iter->pos6 = (unsigned int) -1;
-	iter->result6 = ISC_R_NOMORE;
-	iter->socket6 = -1;
-	iter->first6 = ISC_FALSE;
-#endif
-
-	/*
-	 * Get the interface configuration, allocating more memory if
-	 * necessary.
-	 */
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-	result = isc_net_probeipv6();
-	if (result == ISC_R_SUCCESS) {
-		/*
-		 * Create an unbound datagram socket to do the SIOCGLIFCONF
-		 * ioctl on.  HP/UX requires an AF_INET6 socket for
-		 * SIOCGLIFCONF to get IPv6 addresses.
-		 */
-		if ((iter->socket6 = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_IFITERIOCTL,
-							ISC_MSG_MAKESCANSOCKET,
-							"making interface "
-							"scan socket: %s"),
-					 strbuf);
-			result = ISC_R_UNEXPECTED;
-			goto socket6_failure;
-		}
-		result = iter->result6 = getbuf6(iter);
-		if (result != ISC_R_NOTIMPLEMENTED && result != ISC_R_SUCCESS)
-			goto ioctl6_failure;
-	}
-#endif
-	if ((iter->socket = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_IFITERIOCTL,
-						ISC_MSG_MAKESCANSOCKET,
-						"making interface "
-						"scan socket: %s"),
-				 strbuf);
-		result = ISC_R_UNEXPECTED;
-		goto socket_failure;
-	}
-	result = getbuf4(iter);
-	if (result != ISC_R_SUCCESS)
-		goto ioctl_failure;
-
-	/*
-	 * A newly created iterator has an undefined position
-	 * until isc_interfaceiter_first() is called.
-	 */
-#ifdef HAVE_TRUCLUSTER
-	iter->clua_context = -1;
-	iter->clua_done = ISC_TRUE;
-#endif
-#ifdef __linux
-	iter->proc = fopen("/proc/net/if_inet6", "r");
-	iter->valid = ISC_R_FAILURE;
-#endif
-	iter->result = ISC_R_FAILURE;
-
-	iter->magic = IFITER_MAGIC;
-	*iterp = iter;
-	return (ISC_R_SUCCESS);
-
- ioctl_failure:
-	if (iter->buf != NULL)
-		isc_mem_put(mctx, iter->buf, iter->bufsize);
-	(void) close(iter->socket);
-
- socket_failure:
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-	if (iter->buf6 != NULL)
-		isc_mem_put(mctx, iter->buf6, iter->bufsize6);
-  ioctl6_failure:
-	if (iter->socket6 != -1)
-		(void) close(iter->socket6);
-  socket6_failure:
-#endif
-
-	isc_mem_put(mctx, iter, sizeof(*iter));
-	return (result);
-}
-
-#ifdef HAVE_TRUCLUSTER
-static void
-get_inaddr(isc_netaddr_t *dst, struct in_addr *src) {
-	dst->family = AF_INET;
-	memcpy(&dst->type.in, src, sizeof(struct in_addr));
-}
-
-static isc_result_t
-internal_current_clusteralias(isc_interfaceiter_t *iter) {
-	struct clua_info ci;
-	if (clua_getaliasinfo(&iter->clua_sa, &ci) != CLUA_SUCCESS)
-		return (ISC_R_IGNORE);
-	memset(&iter->current, 0, sizeof(iter->current));
-	iter->current.af = iter->clua_sa.sa_family;
-	memset(iter->current.name, 0, sizeof(iter->current.name));
-	sprintf(iter->current.name, "clua%d", ci.aliasid);
-	iter->current.flags = INTERFACE_F_UP;
-	get_inaddr(&iter->current.address, &ci.addr);
-	get_inaddr(&iter->current.netmask, &ci.netmask);
-	return (ISC_R_SUCCESS);
-}
-#endif
-
-/*
- * Get information about the current interface to iter->current.
- * If successful, return ISC_R_SUCCESS.
- * If the interface has an unsupported address family, or if
- * some operation on it fails, return ISC_R_IGNORE to make
- * the higher-level iterator code ignore it.
- */
-
-static isc_result_t
-internal_current4(isc_interfaceiter_t *iter) {
-	struct ifreq *ifrp;
-	struct ifreq ifreq;
-	int family;
-	char strbuf[ISC_STRERRORSIZE];
-#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
-	struct lifreq lifreq;
-#else
-	char sabuf[256];
-#endif
-	int i, bits, prefixlen;
-
-	REQUIRE(VALID_IFITER(iter));
-
-	if (iter->ifc.ifc_len == 0 ||
-	    iter->pos == (unsigned int)iter->ifc.ifc_len) {
-#ifdef __linux
-		return (linux_if_inet6_current(iter));
-#else
-		return (ISC_R_NOMORE);
-#endif
-	}
-
-	INSIST( iter->pos < (unsigned int) iter->ifc.ifc_len);
-
-	ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
-
-	memset(&ifreq, 0, sizeof(ifreq));
-	memcpy(&ifreq, ifrp, sizeof(ifreq));
-
-	family = ifreq.ifr_addr.sa_family;
-#if defined(ISC_PLATFORM_HAVEIPV6)
-	if (family != AF_INET && family != AF_INET6)
-#else
-	if (family != AF_INET)
-#endif
-		return (ISC_R_IGNORE);
-
-	memset(&iter->current, 0, sizeof(iter->current));
-	iter->current.af = family;
-
-	INSIST(sizeof(ifreq.ifr_name) <= sizeof(iter->current.name));
-	memset(iter->current.name, 0, sizeof(iter->current.name));
-	memcpy(iter->current.name, ifreq.ifr_name, sizeof(ifreq.ifr_name));
-
-	get_addr(family, &iter->current.address,
-		 (struct sockaddr *)&ifrp->ifr_addr, ifreq.ifr_name);
-
-	/*
-	 * If the interface does not have a address ignore it.
-	 */
-	switch (family) {
-	case AF_INET:
-		if (iter->current.address.type.in.s_addr == htonl(INADDR_ANY))
-			return (ISC_R_IGNORE);
-		break;
-	case AF_INET6:
-		if (memcmp(&iter->current.address.type.in6, &in6addr_any,
-			   sizeof(in6addr_any)) == 0)
-			return (ISC_R_IGNORE);
-		break;
-	}
-
-	/*
-	 * Get interface flags.
-	 */
-
-	iter->current.flags = 0;
-
-	/*
-	 * Ignore the HP/UX warning about "integer overflow during
-	 * conversion.  It comes from its own macro definition,
-	 * and is really hard to shut up.
-	 */
-	if (ioctl(iter->socket, SIOCGIFFLAGS, (char *) &ifreq) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "%s: getting interface flags: %s",
-				 ifreq.ifr_name, strbuf);
-		return (ISC_R_IGNORE);
-	}
-
-	if ((ifreq.ifr_flags & IFF_UP) != 0)
-		iter->current.flags |= INTERFACE_F_UP;
-
-#ifdef IFF_POINTOPOINT
-	if ((ifreq.ifr_flags & IFF_POINTOPOINT) != 0)
-		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
-#endif
-
-	if ((ifreq.ifr_flags & IFF_LOOPBACK) != 0)
-		iter->current.flags |= INTERFACE_F_LOOPBACK;
-
-	if (family == AF_INET)
-		goto inet;
-
-#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
-	memset(&lifreq, 0, sizeof(lifreq));
-	memcpy(lifreq.lifr_name, iter->current.name, sizeof(lifreq.lifr_name));
-	memcpy(&lifreq.lifr_addr, &iter->current.address.type.in6,
-	       sizeof(iter->current.address.type.in6));
-
-	if (ioctl(iter->socket, SIOCGLIFADDR, &lifreq) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "%s: getting interface address: %s",
-				 ifreq.ifr_name, strbuf);
-		return (ISC_R_IGNORE);
-	}
-	prefixlen = lifreq.lifr_addrlen;
-#else
-	isc_netaddr_format(&iter->current.address, sabuf, sizeof(sabuf));
-	isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-		      ISC_LOGMODULE_INTERFACE,
-		      ISC_LOG_INFO,
-		      isc_msgcat_get(isc_msgcat,
-				     ISC_MSGSET_IFITERIOCTL,
-				     ISC_MSG_GETIFCONFIG,
-				     "prefix length for %s is unknown "
-				     "(assume 128)"), sabuf);
-	prefixlen = 128;
-#endif
-
-	/*
-	 * Netmask already zeroed.
-	 */
-	iter->current.netmask.family = family;
-	for (i = 0; i < 16; i++) {
-		if (prefixlen > 8) {
-			bits = 0;
-			prefixlen -= 8;
-		} else {
-			bits = 8 - prefixlen;
-			prefixlen = 0;
-		}
-		iter->current.netmask.type.in6.s6_addr[i] = (~0 << bits) & 0xff;
-	}
-	return (ISC_R_SUCCESS);
-
- inet:
-	if (family != AF_INET)
-		return (ISC_R_IGNORE);
-#ifdef IFF_POINTOPOINT
-	/*
-	 * If the interface is point-to-point, get the destination address.
-	 */
-	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
-		/*
-		 * Ignore the HP/UX warning about "integer overflow during
-		 * conversion.  It comes from its own macro definition,
-		 * and is really hard to shut up.
-		 */
-		if (ioctl(iter->socket, SIOCGIFDSTADDR, (char *)&ifreq)
-		    < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-				isc_msgcat_get(isc_msgcat,
-					       ISC_MSGSET_IFITERIOCTL,
-					       ISC_MSG_GETDESTADDR,
-					       "%s: getting "
-					       "destination address: %s"),
-					 ifreq.ifr_name, strbuf);
-			return (ISC_R_IGNORE);
-		}
-		get_addr(family, &iter->current.dstaddress,
-			 (struct sockaddr *)&ifreq.ifr_dstaddr, ifreq.ifr_name);
-	}
-#endif
-
-	/*
-	 * Get the network mask.
-	 */
-	memset(&ifreq, 0, sizeof(ifreq));
-	memcpy(&ifreq, ifrp, sizeof(ifreq));
-	/*
-	 * Ignore the HP/UX warning about "integer overflow during
-	 * conversion.  It comes from its own macro definition,
-	 * and is really hard to shut up.
-	 */
-	if (ioctl(iter->socket, SIOCGIFNETMASK, (char *)&ifreq) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-			isc_msgcat_get(isc_msgcat,
-				       ISC_MSGSET_IFITERIOCTL,
-				       ISC_MSG_GETNETMASK,
-				       "%s: getting netmask: %s"),
-				       ifreq.ifr_name, strbuf);
-		return (ISC_R_IGNORE);
-	}
-	get_addr(family, &iter->current.netmask,
-		 (struct sockaddr *)&ifreq.ifr_addr, ifreq.ifr_name);
-	return (ISC_R_SUCCESS);
-}
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-static isc_result_t
-internal_current6(isc_interfaceiter_t *iter) {
-	struct LIFREQ *ifrp;
-	struct LIFREQ lifreq;
-	int family;
-	char strbuf[ISC_STRERRORSIZE];
-	int fd;
-
-	REQUIRE(VALID_IFITER(iter));
-	if (iter->result6 != ISC_R_SUCCESS)
-		return (iter->result6);
-	REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
-
-	ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
-
-	memset(&lifreq, 0, sizeof(lifreq));
-	memcpy(&lifreq, ifrp, sizeof(lifreq));
-
-	family = lifreq.lifr_addr.ss_family;
-#ifdef ISC_PLATFORM_HAVEIPV6
-	if (family != AF_INET && family != AF_INET6)
-#else
-	if (family != AF_INET)
-#endif
-		return (ISC_R_IGNORE);
-
-	memset(&iter->current, 0, sizeof(iter->current));
-	iter->current.af = family;
-
-	INSIST(sizeof(lifreq.lifr_name) <= sizeof(iter->current.name));
-	memset(iter->current.name, 0, sizeof(iter->current.name));
-	memcpy(iter->current.name, lifreq.lifr_name, sizeof(lifreq.lifr_name));
-
-	get_addr(family, &iter->current.address,
-		 (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
-
-	/*
-	 * If the interface does not have a address ignore it.
-	 */
-	switch (family) {
-	case AF_INET:
-		if (iter->current.address.type.in.s_addr == htonl(INADDR_ANY))
-			return (ISC_R_IGNORE);
-		break;
-	case AF_INET6:
-		if (memcmp(&iter->current.address.type.in6, &in6addr_any,
-			   sizeof(in6addr_any)) == 0)
-			return (ISC_R_IGNORE);
-		break;
-	}
-
-	/*
-	 * Get interface flags.
-	 */
-
-	iter->current.flags = 0;
-
-	if (family == AF_INET6)
-		fd = iter->socket6;
-	else
-		fd = iter->socket;
-
-	/*
-	 * Ignore the HP/UX warning about "integer overflow during
-	 * conversion.  It comes from its own macro definition,
-	 * and is really hard to shut up.
-	 */
-	if (ioctl(fd, SIOCGLIFFLAGS, (char *) &lifreq) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "%s: getting interface flags: %s",
-				 lifreq.lifr_name, strbuf);
-		return (ISC_R_IGNORE);
-	}
-
-	if ((lifreq.lifr_flags & IFF_UP) != 0)
-		iter->current.flags |= INTERFACE_F_UP;
-
-#ifdef IFF_POINTOPOINT
-	if ((lifreq.lifr_flags & IFF_POINTOPOINT) != 0)
-		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
-#endif
-
-	if ((lifreq.lifr_flags & IFF_LOOPBACK) != 0)
-		iter->current.flags |= INTERFACE_F_LOOPBACK;
-
-#ifdef IFF_POINTOPOINT
-	/*
-	 * If the interface is point-to-point, get the destination address.
-	 */
-	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
-		/*
-		 * Ignore the HP/UX warning about "integer overflow during
-		 * conversion.  It comes from its own macro definition,
-		 * and is really hard to shut up.
-		 */
-		if (ioctl(fd, SIOCGLIFDSTADDR, (char *)&lifreq)
-		    < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-				isc_msgcat_get(isc_msgcat,
-					       ISC_MSGSET_IFITERIOCTL,
-					       ISC_MSG_GETDESTADDR,
-					       "%s: getting "
-					       "destination address: %s"),
-					 lifreq.lifr_name, strbuf);
-			return (ISC_R_IGNORE);
-		}
-		get_addr(family, &iter->current.dstaddress,
-			 (struct sockaddr *)&lifreq.lifr_dstaddr,
-			 lifreq.lifr_name);
-	}
-#endif
-
-	/*
-	 * Get the network mask.  Netmask already zeroed.
-	 */
-	memset(&lifreq, 0, sizeof(lifreq));
-	memcpy(&lifreq, ifrp, sizeof(lifreq));
-
-#ifdef lifr_addrlen
-	/*
-	 * Special case: if the system provides lifr_addrlen member, the
-	 * netmask of an IPv6 address can be derived from the length, since
-	 * an IPv6 address always has a contiguous mask.
-	 */
-	if (family == AF_INET6) {
-		int i, bits;
-
-		iter->current.netmask.family = family;
-		for (i = 0; i < lifreq.lifr_addrlen; i += 8) {
-			bits = lifreq.lifr_addrlen - i;
-			bits = (bits < 8) ? (8 - bits) : 0;
-			iter->current.netmask.type.in6.s6_addr[i / 8] =
-				(~0 << bits) & 0xff;
-		}
-
-		return (ISC_R_SUCCESS);
-	}
-#endif
-
-	/*
-	 * Ignore the HP/UX warning about "integer overflow during
-	 * conversion.  It comes from its own macro definition,
-	 * and is really hard to shut up.
-	 */
-	if (ioctl(fd, SIOCGLIFNETMASK, (char *)&lifreq) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_IFITERIOCTL,
-						ISC_MSG_GETNETMASK,
-						"%s: getting netmask: %s"),
-				 lifreq.lifr_name, strbuf);
-		return (ISC_R_IGNORE);
-	}
-	get_addr(family, &iter->current.netmask,
-		 (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
-
-	return (ISC_R_SUCCESS);
-}
-#endif
-
-static isc_result_t
-internal_current(isc_interfaceiter_t *iter) {
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-	if (iter->mode == 6) {
-		iter->result6 = internal_current6(iter);
-		if (iter->result6 != ISC_R_NOMORE)
-			return (iter->result6);
-	}
-#endif
-#ifdef HAVE_TRUCLUSTER
-	if (!iter->clua_done)
-		return(internal_current_clusteralias(iter));
-#endif
-	return (internal_current4(iter));
-}
-
-/*
- * Step the iterator to the next interface.  Unlike
- * isc_interfaceiter_next(), this may leave the iterator
- * positioned on an interface that will ultimately
- * be ignored.  Return ISC_R_NOMORE if there are no more
- * interfaces, otherwise ISC_R_SUCCESS.
- */
-static isc_result_t
-internal_next4(isc_interfaceiter_t *iter) {
-#ifdef ISC_PLATFORM_HAVESALEN
-	struct ifreq *ifrp;
-#endif
-
-	if (iter->pos < (unsigned int) iter->ifc.ifc_len) {
-#ifdef ISC_PLATFORM_HAVESALEN
-		ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
-
-		if (ifrp->ifr_addr.sa_len > sizeof(struct sockaddr))
-			iter->pos += sizeof(ifrp->ifr_name) +
-				     ifrp->ifr_addr.sa_len;
-		else
-#endif
-			iter->pos += sizeof(struct ifreq);
-
-	} else {
-		INSIST(iter->pos == (unsigned int) iter->ifc.ifc_len);
-#ifdef __linux
-		return (linux_if_inet6_next(iter));
-#else
-		return (ISC_R_NOMORE);
-#endif
-	}
-	return (ISC_R_SUCCESS);
-}
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-static isc_result_t
-internal_next6(isc_interfaceiter_t *iter) {
-#ifdef ISC_PLATFORM_HAVESALEN
-	struct LIFREQ *ifrp;
-#endif
-
-	if (iter->result6 != ISC_R_SUCCESS && iter->result6 != ISC_R_IGNORE)
-		return (iter->result6);
-
-	REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
-
-#ifdef ISC_PLATFORM_HAVESALEN
-	ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
-
-	if (ifrp->lifr_addr.sa_len > sizeof(struct sockaddr))
-		iter->pos6 += sizeof(ifrp->lifr_name) + ifrp->lifr_addr.sa_len;
-	else
-#endif
-		iter->pos6 += sizeof(struct LIFREQ);
-
-	if (iter->pos6 >= (unsigned int) iter->lifc.lifc_len)
-		return (ISC_R_NOMORE);
-
-	return (ISC_R_SUCCESS);
-}
-#endif
-
-static isc_result_t
-internal_next(isc_interfaceiter_t *iter) {
-#ifdef HAVE_TRUCLUSTER
-	int clua_result;
-#endif
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-	if (iter->mode == 6) {
-		iter->result6 = internal_next6(iter);
-		if (iter->result6 != ISC_R_NOMORE)
-			return (iter->result6);
-		if (iter->first6) {
-			iter->first6 = ISC_FALSE;
-			return (ISC_R_SUCCESS);
-		}
-	}
-#endif
-#ifdef HAVE_TRUCLUSTER
-	if (!iter->clua_done) {
-		clua_result = clua_getaliasaddress(&iter->clua_sa,
-						   &iter->clua_context);
-		if (clua_result != CLUA_SUCCESS)
-			iter->clua_done = ISC_TRUE;
-		return (ISC_R_SUCCESS);
-	}
-#endif
-	return (internal_next4(iter));
-}
-
-static void
-internal_destroy(isc_interfaceiter_t *iter) {
-	(void) close(iter->socket);
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-	if (iter->socket6 != -1)
-		(void) close(iter->socket6);
-	if (iter->buf6 != NULL) {
-		isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
-	}
-#endif
-#ifdef __linux
-	if (iter->proc != NULL)
-		fclose(iter->proc);
-#endif
-}
-
-static
-void internal_first(isc_interfaceiter_t *iter) {
-#ifdef HAVE_TRUCLUSTER
-	int clua_result;
-#endif
-	iter->pos = 0;
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-	iter->pos6 = 0;
-	if (iter->result6 == ISC_R_NOMORE)
-		iter->result6 = ISC_R_SUCCESS;
-	iter->first6 = ISC_TRUE;
-#endif
-#ifdef HAVE_TRUCLUSTER
-	iter->clua_context = 0;
-	clua_result = clua_getaliasaddress(&iter->clua_sa,
-					   &iter->clua_context);
-	iter->clua_done = ISC_TF(clua_result != CLUA_SUCCESS);
-#endif
-#ifdef __linux
-	linux_if_inet6_first(iter);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/unix/ifiter_sysctl.c b/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
deleted file mode 100644
index 9d5bf6d..0000000
--- a/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
+++ /dev/null
@@ -1,302 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ifiter_sysctl.c,v 1.25 2007/06/19 23:47:18 tbox Exp $ */
-
-/*! \file
- * \brief
- * Obtain the list of network interfaces using sysctl.
- * See TCP/IP Illustrated Volume 2, sections 19.8, 19.14,
- * and 19.16.
- */
-
-#include <sys/param.h>
-#include <sys/sysctl.h>
-
-#include <net/route.h>
-#include <net/if_dl.h>
-
-/* XXX what about Alpha? */
-#ifdef sgi
-#define ROUNDUP(a) ((a) > 0 ? \
-		(1 + (((a) - 1) | (sizeof(__uint64_t) - 1))) : \
-		sizeof(__uint64_t))
-#else
-#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) \
-                    : sizeof(long))
-#endif
-
-#define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'S')
-#define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
-
-struct isc_interfaceiter {
-	unsigned int		magic;		/* Magic number. */
-	isc_mem_t		*mctx;
-	void			*buf;		/* Buffer for sysctl data. */
-	unsigned int		bufsize;	/* Bytes allocated. */
-	unsigned int		bufused;	/* Bytes used. */
-	unsigned int		pos;		/* Current offset in
-						   sysctl data. */
-	isc_interface_t		current;	/* Current interface data. */
-	isc_result_t		result;		/* Last result code. */
-};
-
-static int mib[6] = {
-	CTL_NET,
-	PF_ROUTE,
-        0,
-	0, 			/* Any address family. */
-        NET_RT_IFLIST,
-	0 			/* Flags. */
-};
-
-isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
-	isc_interfaceiter_t *iter;
-	isc_result_t result;
-	size_t bufsize;
-	size_t bufused;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(iterp != NULL);
-	REQUIRE(*iterp == NULL);
-
-	iter = isc_mem_get(mctx, sizeof(*iter));
-	if (iter == NULL)
-		return (ISC_R_NOMEMORY);
-
-	iter->mctx = mctx;
-	iter->buf = 0;
-
-	/*
-	 * Determine the amount of memory needed.
-	 */
-	bufsize = 0;
-	if (sysctl(mib, 6, NULL, &bufsize, NULL, (size_t) 0) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_IFITERSYSCTL,
-						ISC_MSG_GETIFLISTSIZE,
-						"getting interface "
-						"list size: sysctl: %s"),
-				 strbuf);
-		result = ISC_R_UNEXPECTED;
-		goto failure;
-	}
-	iter->bufsize = bufsize;
-
-	iter->buf = isc_mem_get(iter->mctx, iter->bufsize);
-	if (iter->buf == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto failure;
-	}
-
-	bufused = bufsize;
-	if (sysctl(mib, 6, iter->buf, &bufused, NULL, (size_t) 0) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_IFITERSYSCTL,
-						ISC_MSG_GETIFLIST,
-						"getting interface list: "
-						"sysctl: %s"),
-				 strbuf);
-		result = ISC_R_UNEXPECTED;
-		goto failure;
-	}
-	iter->bufused = bufused;
-	INSIST(iter->bufused <= iter->bufsize);
-
-	/*
-	 * A newly created iterator has an undefined position
-	 * until isc_interfaceiter_first() is called.
-	 */
-	iter->pos = (unsigned int) -1;
-	iter->result = ISC_R_FAILURE;
-
-	iter->magic = IFITER_MAGIC;
-	*iterp = iter;
-	return (ISC_R_SUCCESS);
-
- failure:
-	if (iter->buf != NULL)
-		isc_mem_put(mctx, iter->buf, iter->bufsize);
-	isc_mem_put(mctx, iter, sizeof(*iter));
-	return (result);
-}
-
-/*
- * Get information about the current interface to iter->current.
- * If successful, return ISC_R_SUCCESS.
- * If the interface has an unsupported address family,
- * return ISC_R_IGNORE.  In case of other failure,
- * return ISC_R_UNEXPECTED.
- */
-
-static isc_result_t
-internal_current(isc_interfaceiter_t *iter) {
-	struct ifa_msghdr *ifam, *ifam_end;
-
-	REQUIRE(VALID_IFITER(iter));
-	REQUIRE (iter->pos < (unsigned int) iter->bufused);
-
-	ifam = (struct ifa_msghdr *) ((char *) iter->buf + iter->pos);
-	ifam_end = (struct ifa_msghdr *) ((char *) iter->buf + iter->bufused);
-
-	if (ifam->ifam_type == RTM_IFINFO) {
-		struct if_msghdr *ifm = (struct if_msghdr *) ifam;
-		struct sockaddr_dl *sdl = (struct sockaddr_dl *) (ifm + 1);
-		unsigned int namelen;
-
-		memset(&iter->current, 0, sizeof(iter->current));
-
-		namelen = sdl->sdl_nlen;
-		if (namelen > sizeof(iter->current.name) - 1)
-			namelen = sizeof(iter->current.name) - 1;
-
-		memset(iter->current.name, 0, sizeof(iter->current.name));
-		memcpy(iter->current.name, sdl->sdl_data, namelen);
-
-		iter->current.flags = 0;
-
-		if ((ifam->ifam_flags & IFF_UP) != 0)
-			iter->current.flags |= INTERFACE_F_UP;
-
-		if ((ifam->ifam_flags & IFF_POINTOPOINT) != 0)
-			iter->current.flags |= INTERFACE_F_POINTTOPOINT;
-
-		if ((ifam->ifam_flags & IFF_LOOPBACK) != 0)
-			iter->current.flags |= INTERFACE_F_LOOPBACK;
-
-		/*
-		 * This is not an interface address.
-		 * Force another iteration.
-		 */
-		return (ISC_R_IGNORE);
-	} else if (ifam->ifam_type == RTM_NEWADDR) {
-		int i;
-		int family;
-		struct sockaddr *mask_sa = NULL;
-		struct sockaddr *addr_sa = NULL;
-		struct sockaddr *dst_sa = NULL;
-
-		struct sockaddr *sa = (struct sockaddr *)(ifam + 1);
-		family = sa->sa_family;
-
-		for (i = 0; i < RTAX_MAX; i++)
-		{
-			if ((ifam->ifam_addrs & (1 << i)) == 0)
-				continue;
-
-			INSIST(sa < (struct sockaddr *) ifam_end);
-
-			switch (i) {
-			case RTAX_NETMASK: /* Netmask */
-				mask_sa = sa;
-				break;
-			case RTAX_IFA: /* Interface address */
-				addr_sa = sa;
-				break;
-			case RTAX_BRD: /* Broadcast or destination address */
-				dst_sa = sa;
-				break;
-			}
-#ifdef ISC_PLATFORM_HAVESALEN
-			sa = (struct sockaddr *)((char*)(sa)
-					 + ROUNDUP(sa->sa_len));
-#else
-#ifdef sgi
-			/*
-			 * Do as the contributed SGI code does.
-			 */
-			sa = (struct sockaddr *)((char*)(sa)
-					 + ROUNDUP(_FAKE_SA_LEN_DST(sa)));
-#else
-			/* XXX untested. */
-			sa = (struct sockaddr *)((char*)(sa)
-					 + ROUNDUP(sizeof(struct sockaddr)));
-#endif
-#endif
-		}
-
-		if (addr_sa == NULL)
-			return (ISC_R_IGNORE);
-
-		family = addr_sa->sa_family;
-		if (family != AF_INET && family != AF_INET6)
-			return (ISC_R_IGNORE);
-
-		iter->current.af = family;
-
-		get_addr(family, &iter->current.address, addr_sa,
-			 iter->current.name);
-
-		if (mask_sa != NULL)
-			get_addr(family, &iter->current.netmask, mask_sa,
-				 iter->current.name);
-
-		if (dst_sa != NULL &&
-		    (iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0)
-			get_addr(family, &iter->current.dstaddress, dst_sa,
-				 iter->current.name);
-
-		return (ISC_R_SUCCESS);
-	} else {
-		printf(isc_msgcat_get(isc_msgcat, ISC_MSGSET_IFITERSYSCTL,
-				      ISC_MSG_UNEXPECTEDTYPE,
-				      "warning: unexpected interface list "
-				      "message type\n"));
-		return (ISC_R_IGNORE);
-	}
-}
-
-/*
- * Step the iterator to the next interface.  Unlike
- * isc_interfaceiter_next(), this may leave the iterator
- * positioned on an interface that will ultimately
- * be ignored.  Return ISC_R_NOMORE if there are no more
- * interfaces, otherwise ISC_R_SUCCESS.
- */
-static isc_result_t
-internal_next(isc_interfaceiter_t *iter) {
-	struct ifa_msghdr *ifam;
-	REQUIRE (iter->pos < (unsigned int) iter->bufused);
-
-	ifam = (struct ifa_msghdr *) ((char *) iter->buf + iter->pos);
-
-	iter->pos += ifam->ifam_msglen;
-
-	if (iter->pos >= iter->bufused)
-		return (ISC_R_NOMORE);
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-internal_destroy(isc_interfaceiter_t *iter) {
-	UNUSED(iter); /* Unused. */
-	/*
-	 * Do nothing.
-	 */
-}
-
-static
-void internal_first(isc_interfaceiter_t *iter) {
-	iter->pos = 0;
-}
diff --git a/contrib/bind9/lib/isc/unix/include/Makefile.in b/contrib/bind9/lib/isc/unix/include/Makefile.in
deleted file mode 100644
index 46c243e..0000000
--- a/contrib/bind9/lib/isc/unix/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.14 2007/06/19 23:47:18 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/unix/include/isc/Makefile.in b/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
deleted file mode 100644
index d3b5084..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.30 2007/06/19 23:47:19 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	dir.h int.h net.h netdb.h offset.h stdtime.h \
-		syslog.h time.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/unix/include/isc/dir.h b/contrib/bind9/lib/isc/unix/include/isc/dir.h
deleted file mode 100644
index e4a2ad0..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/dir.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dir.h,v 1.21 2007/06/19 23:47:19 tbox Exp $ */
-
-/* Principal Authors: DCL */
-
-#ifndef ISC_DIR_H
-#define ISC_DIR_H 1
-
-/*! \file */
-
-#include <sys/types.h>		/* Required on some systems. */
-#include <dirent.h>
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-#define ISC_DIR_NAMEMAX 256
-#define ISC_DIR_PATHMAX 1024
-
-/*% Directory Entry */
-typedef struct isc_direntry {
-	/*!
-	 * Ideally, this should be NAME_MAX, but AIX does not define it by
-	 * default and dynamically allocating the space based on pathconf()
-	 * complicates things undesirably, as does adding special conditionals
-	 * just for AIX.  So a comfortably sized buffer is chosen instead.
-	 */
-	char 		name[ISC_DIR_NAMEMAX];
-	unsigned int	length;
-} isc_direntry_t;
-
-/*% Directory */
-typedef struct isc_dir {
-	unsigned int	magic;
-	/*!
-	 * As with isc_direntry_t->name, making this "right" for all systems
-	 * is slightly problematic because AIX does not define PATH_MAX.
-	 */
-	char		dirname[ISC_DIR_PATHMAX];
-	isc_direntry_t	entry;
-	DIR *		handle;
-} isc_dir_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_dir_init(isc_dir_t *dir);
-
-isc_result_t
-isc_dir_open(isc_dir_t *dir, const char *dirname);
-
-isc_result_t
-isc_dir_read(isc_dir_t *dir);
-
-isc_result_t
-isc_dir_reset(isc_dir_t *dir);
-
-void
-isc_dir_close(isc_dir_t *dir);
-
-isc_result_t
-isc_dir_chdir(const char *dirname);
-
-isc_result_t
-isc_dir_chroot(const char *dirname);
-
-isc_result_t
-isc_dir_createunique(char *templet);
-/*!<
- * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
- * named, empty directory.  The templet string is modified in place.
- * If result == ISC_R_SUCCESS, it is the name of the directory that was
- * created.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_DIR_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/int.h b/contrib/bind9/lib/isc/unix/include/isc/int.h
deleted file mode 100644
index 73feb3b..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/int.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: int.h,v 1.16 2007/06/19 23:47:19 tbox Exp $ */
-
-#ifndef ISC_INT_H
-#define ISC_INT_H 1
-
-/*! \file */
-
-typedef char				isc_int8_t;
-typedef unsigned char			isc_uint8_t;
-typedef short				isc_int16_t;
-typedef unsigned short			isc_uint16_t;
-typedef int				isc_int32_t;
-typedef unsigned int			isc_uint32_t;
-typedef long long			isc_int64_t;
-typedef unsigned long long		isc_uint64_t;
-
-#define ISC_INT8_MIN	-128
-#define ISC_INT8_MAX	127
-#define ISC_UINT8_MAX	255
-
-#define ISC_INT16_MIN	-32768
-#define ISC_INT16_MAX	32767
-#define ISC_UINT16_MAX	65535
-
-/*%
- * Note that "int" is 32 bits on all currently supported Unix-like operating
- * systems, but "long" can be either 32 bits or 64 bits, thus the 32 bit
- * constants are not qualified with "L".
- */
-#define ISC_INT32_MIN	-2147483648
-#define ISC_INT32_MAX	2147483647
-#define ISC_UINT32_MAX	4294967295U
-
-#define ISC_INT64_MIN	-9223372036854775808LL
-#define ISC_INT64_MAX	9223372036854775807LL
-#define ISC_UINT64_MAX	18446744073709551615ULL
-
-#endif /* ISC_INT_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/keyboard.h b/contrib/bind9/lib/isc/unix/include/isc/keyboard.h
deleted file mode 100644
index 43f5e7e..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/keyboard.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keyboard.h,v 1.11 2007/06/19 23:47:19 tbox Exp $ */
-
-#ifndef ISC_KEYBOARD_H
-#define ISC_KEYBOARD_H 1
-
-/*! \file */
-
-#include <termios.h>
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef struct {
-	int fd;
-	struct termios saved_mode;
-	isc_result_t result;
-} isc_keyboard_t;
-
-isc_result_t
-isc_keyboard_open(isc_keyboard_t *keyboard);
-
-isc_result_t
-isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleepseconds);
-
-isc_result_t
-isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp);
-
-isc_boolean_t
-isc_keyboard_canceled(isc_keyboard_t *keyboard);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_KEYBOARD_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/net.h b/contrib/bind9/lib/isc/unix/include/isc/net.h
deleted file mode 100644
index efa67c2..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/net.h
+++ /dev/null
@@ -1,364 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_NET_H
-#define ISC_NET_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * Basic Networking Types
- *
- * This module is responsible for defining the following basic networking
- * types:
- *
- *\li		struct in_addr
- *\li		struct in6_addr
- *\li		struct in6_pktinfo
- *\li		struct sockaddr
- *\li		struct sockaddr_in
- *\li		struct sockaddr_in6
- *\li		in_port_t
- *
- * It ensures that the AF_ and PF_ macros are defined.
- *
- * It declares ntoh[sl]() and hton[sl]().
- *
- * It declares inet_aton(), inet_ntop(), and inet_pton().
- *
- * It ensures that #INADDR_LOOPBACK, #INADDR_ANY, #IN6ADDR_ANY_INIT,
- * in6addr_any, and in6addr_loopback are available.
- *
- * It ensures that IN_MULTICAST() is available to check for multicast
- * addresses.
- *
- * MP:
- *\li	No impact.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	N/A.
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	BSD Socket API
- *\li	RFC2553
- */
-
-/***
- *** Imports.
- ***/
-#include <isc/platform.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>		/* Contractual promise. */
-
-#include <net/if.h>
-
-#include <netinet/in.h>		/* Contractual promise. */
-#include <arpa/inet.h>		/* Contractual promise. */
-#ifdef ISC_PLATFORM_NEEDNETINETIN6H
-#include <netinet/in6.h>	/* Required on UnixWare. */
-#endif
-#ifdef ISC_PLATFORM_NEEDNETINET6IN6H
-#include <netinet6/in6.h>	/* Required on BSD/OS for in6_pktinfo. */
-#endif
-
-#ifndef ISC_PLATFORM_HAVEIPV6
-#include <isc/ipv6.h>		/* Contractual promise. */
-#endif
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#ifdef ISC_PLATFORM_HAVEINADDR6
-#define in6_addr in_addr6	/*%< Required for pre RFC2133 implementations. */
-#endif
-
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifndef IN6ADDR_ANY_INIT
-#ifdef s6_addr
-/*%
- * Required for some pre RFC2133 implementations.
- * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
- * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
- * If 's6_addr' is defined then assume that there is a union and three
- * levels otherwise assume two levels required.
- */
-#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
-#else
-#define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
-#endif
-#endif
-
-#ifndef IN6ADDR_LOOPBACK_INIT
-#ifdef s6_addr
-/*% IPv6 address loopback init */
-#define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
-#else
-#define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
-#endif
-#endif
-
-#ifndef IN6_IS_ADDR_V4MAPPED
-/*% Is IPv6 address V4 mapped? */
-#define IN6_IS_ADDR_V4MAPPED(x) \
-	 (memcmp((x)->s6_addr, in6addr_any.s6_addr, 10) == 0 && \
-	  (x)->s6_addr[10] == 0xff && (x)->s6_addr[11] == 0xff)
-#endif
-
-#ifndef IN6_IS_ADDR_V4COMPAT
-/*% Is IPv6 address V4 compatible? */
-#define IN6_IS_ADDR_V4COMPAT(x) \
-	 (memcmp((x)->s6_addr, in6addr_any.s6_addr, 12) == 0 && \
-	 ((x)->s6_addr[12] != 0 || (x)->s6_addr[13] != 0 || \
-	  (x)->s6_addr[14] != 0 || \
-	  ((x)->s6_addr[15] != 0 && (x)->s6_addr[15] != 1)))
-#endif
-
-#ifndef IN6_IS_ADDR_MULTICAST
-/*% Is IPv6 address multicast? */
-#define IN6_IS_ADDR_MULTICAST(a)        ((a)->s6_addr[0] == 0xff)
-#endif
-
-#ifndef IN6_IS_ADDR_LINKLOCAL
-/*% Is IPv6 address linklocal? */
-#define IN6_IS_ADDR_LINKLOCAL(a) \
-	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
-#endif
-
-#ifndef IN6_IS_ADDR_SITELOCAL
-/*% is IPv6 address sitelocal? */
-#define IN6_IS_ADDR_SITELOCAL(a) \
-	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
-#endif
-
-
-#ifndef IN6_IS_ADDR_LOOPBACK
-/*% is IPv6 address loopback? */
-#define IN6_IS_ADDR_LOOPBACK(x) \
-	(memcmp((x)->s6_addr, in6addr_loopback.s6_addr, 16) == 0)
-#endif
-#endif
-
-#ifndef AF_INET6
-/*% IPv6 */
-#define AF_INET6 99
-#endif
-
-#ifndef PF_INET6
-/*% IPv6 */
-#define PF_INET6 AF_INET6
-#endif
-
-#ifndef INADDR_LOOPBACK
-/*% inaddr loopback */
-#define INADDR_LOOPBACK 0x7f000001UL
-#endif
-
-#ifndef ISC_PLATFORM_HAVEIN6PKTINFO
-/*% IPv6 packet info */
-struct in6_pktinfo {
-	struct in6_addr ipi6_addr;    /*%< src/dst IPv6 address */
-	unsigned int    ipi6_ifindex; /*%< send/recv interface index */
-};
-#endif
-
-#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY)
-extern const struct in6_addr isc_net_in6addrany;
-/*%
- * Cope with a missing in6addr_any and in6addr_loopback.
- */
-#define in6addr_any isc_net_in6addrany
-#endif
-
-#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
-extern const struct in6_addr isc_net_in6addrloop;
-#define in6addr_loopback isc_net_in6addrloop
-#endif
-
-#ifdef ISC_PLATFORM_FIXIN6ISADDR
-#undef  IN6_IS_ADDR_GEOGRAPHIC
-/*!
- * \brief
- * Fix UnixWare 7.1.1's broken IN6_IS_ADDR_* definitions.
- */
-#define IN6_IS_ADDR_GEOGRAPHIC(a) (((a)->S6_un.S6_l[0] & 0xE0) == 0x80)
-#undef  IN6_IS_ADDR_IPX
-#define IN6_IS_ADDR_IPX(a)        (((a)->S6_un.S6_l[0] & 0xFE) == 0x04)
-#undef  IN6_IS_ADDR_LINKLOCAL
-#define IN6_IS_ADDR_LINKLOCAL(a)  (((a)->S6_un.S6_l[0] & 0xC0FF) == 0x80FE)
-#undef  IN6_IS_ADDR_MULTICAST
-#define IN6_IS_ADDR_MULTICAST(a)  (((a)->S6_un.S6_l[0] & 0xFF) == 0xFF)
-#undef  IN6_IS_ADDR_NSAP
-#define IN6_IS_ADDR_NSAP(a)       (((a)->S6_un.S6_l[0] & 0xFE) == 0x02)
-#undef  IN6_IS_ADDR_PROVIDER
-#define IN6_IS_ADDR_PROVIDER(a)   (((a)->S6_un.S6_l[0] & 0xE0) == 0x40)
-#undef  IN6_IS_ADDR_SITELOCAL
-#define IN6_IS_ADDR_SITELOCAL(a)  (((a)->S6_un.S6_l[0] & 0xC0FF) == 0xC0FE)
-#endif /* ISC_PLATFORM_FIXIN6ISADDR */
-
-#ifdef ISC_PLATFORM_NEEDPORTT
-/*%
- * Ensure type in_port_t is defined.
- */
-typedef isc_uint16_t in_port_t;
-#endif
-
-#ifndef MSG_TRUNC
-/*%
- * If this system does not have MSG_TRUNC (as returned from recvmsg())
- * ISC_PLATFORM_RECVOVERFLOW will be defined.  This will enable the MSG_TRUNC
- * faking code in socket.c.
- */
-#define ISC_PLATFORM_RECVOVERFLOW
-#endif
-
-/*% IP address. */
-#define ISC__IPADDR(x)	((isc_uint32_t)htonl((isc_uint32_t)(x)))
-
-/*% Is IP address multicast? */
-#define ISC_IPADDR_ISMULTICAST(i) \
-		(((isc_uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
-		 == ISC__IPADDR(0xe0000000))
-
-#define ISC_IPADDR_ISEXPERIMENTAL(i) \
-		(((isc_uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
-		 == ISC__IPADDR(0xf0000000))
-
-/***
- *** Functions.
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_net_probeipv4(void);
-/*%<
- * Check if the system's kernel supports IPv4.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		IPv4 is supported.
- *\li	#ISC_R_NOTFOUND		IPv4 is not supported.
- *\li	#ISC_R_DISABLED		IPv4 is disabled.
- *\li	#ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_net_probeipv6(void);
-/*%<
- * Check if the system's kernel supports IPv6.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		IPv6 is supported.
- *\li	#ISC_R_NOTFOUND		IPv6 is not supported.
- *\li	#ISC_R_DISABLED		IPv6 is disabled.
- *\li	#ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_net_probe_ipv6only(void);
-/*%<
- * Check if the system's kernel supports the IPV6_V6ONLY socket option.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		the option is supported for both TCP and UDP.
- *\li	#ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
- *\li	#ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_net_probe_ipv6pktinfo(void);
-/*
- * Check if the system's kernel supports the IPV6_(RECV)PKTINFO socket option
- * for UDP sockets.
- *
- * Returns:
- *
- * \li	#ISC_R_SUCCESS		the option is supported.
- * \li	#ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
- * \li	#ISC_R_UNEXPECTED
- */
-
-void
-isc_net_disableipv4(void);
-
-void
-isc_net_disableipv6(void);
-
-void
-isc_net_enableipv4(void);
-
-void
-isc_net_enableipv6(void);
-
-isc_result_t
-isc_net_probeunix(void);
-/*
- * Returns whether UNIX domain sockets are supported.
- */
-
-isc_result_t
-isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high);
-/*%<
- * Returns system's default range of ephemeral UDP ports, if defined.
- * If the range is not available or unknown, ISC_NET_PORTRANGELOW and
- * ISC_NET_PORTRANGEHIGH will be returned.
- *
- * Requires:
- *
- *\li	'low' and 'high' must be non NULL.
- *
- * Returns:
- *
- *\li	*low and *high will be the ports specifying the low and high ends of
- *	the range.
- */
-
-#ifdef ISC_PLATFORM_NEEDNTOP
-const char *
-isc_net_ntop(int af, const void *src, char *dst, size_t size);
-#define inet_ntop isc_net_ntop
-#endif
-
-#ifdef ISC_PLATFORM_NEEDPTON
-int
-isc_net_pton(int af, const char *src, void *dst);
-#undef inet_pton
-#define inet_pton isc_net_pton
-#endif
-
-int
-isc_net_aton(const char *cp, struct in_addr *addr);
-#undef inet_aton
-#define inet_aton isc_net_aton
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_NET_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/netdb.h b/contrib/bind9/lib/isc/unix/include/isc/netdb.h
deleted file mode 100644
index ff12a26..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/netdb.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netdb.h,v 1.11 2007/06/19 23:47:19 tbox Exp $ */
-
-#ifndef ISC_NETDB_H
-#define ISC_NETDB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * Portable netdb.h support.
- *
- * This module is responsible for defining the get<x>by<y> APIs.
- *
- * MP:
- *\li	No impact.
- *
- * Reliability:
- *\li	No anticipated impact.
- *
- * Resources:
- *\li	N/A.
- *
- * Security:
- *\li	No anticipated impact.
- *
- * Standards:
- *\li	BSD API
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/net.h>
-
-#include <netdb.h>
-
-#endif /* ISC_NETDB_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/offset.h b/contrib/bind9/lib/isc/unix/include/isc/offset.h
deleted file mode 100644
index 8bf3779..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/offset.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: offset.h,v 1.17 2008/12/01 23:47:45 tbox Exp $ */
-
-#ifndef ISC_OFFSET_H
-#define ISC_OFFSET_H 1
-
-/*! \file
- * \brief
- * File offsets are operating-system dependent.
- */
-#include <limits.h>             /* Required for CHAR_BIT. */
-#include <sys/types.h>
-#include <stddef.h>		/* For Linux Standard Base. */
-
-typedef off_t isc_offset_t;
-
-/*%
- * POSIX says "Additionally, blkcnt_t and off_t are extended signed integral
- * types", so the maximum value is all 1s except for the high bit.
- * This definition is more complex than it really needs to be because it was
- * crafted to keep both the SunOS 5.6 and the HP/UX 11 compilers quiet about
- * integer overflow.  For example, though this is equivalent to just left
- * shifting 1 to the high bit and then inverting the bits, the SunOS compiler
- * is unhappy about shifting a positive "1" to negative in a signed integer.
- */
-#define ISC_OFFSET_MAXIMUM \
-	(~(((off_t)-1 >> (sizeof(off_t) * CHAR_BIT - 1)) \
-		      << (sizeof(off_t) * CHAR_BIT - 1)))
-
-#endif /* ISC_OFFSET_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/stat.h b/contrib/bind9/lib/isc/unix/include/isc/stat.h
deleted file mode 100644
index b7a7986..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/stat.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stat.h,v 1.5 2007/06/19 23:47:19 tbox Exp $ */
-
-#ifndef ISC_STAT_H
-#define ISC_STAT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Portable netdb.h support.
- *
- * This module is responsible for defining S_IS??? macros.
- *
- * MP:
- *	No impact.
- *
- * Reliability:
- *	No anticipated impact.
- *
- * Resources:
- *	N/A.
- *
- * Security:
- *	No anticipated impact.
- *
- */
-
-/***
- *** Imports.
- ***/
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#endif /* ISC_STAT_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/stdtime.h b/contrib/bind9/lib/isc/unix/include/isc/stdtime.h
deleted file mode 100644
index c4931bf..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/stdtime.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISC_STDTIME_H
-#define ISC_STDTIME_H 1
-
-/*! \file */
-
-#include <isc/lang.h>
-#include <isc/int.h>
-
-/*%
- * It's public information that 'isc_stdtime_t' is an unsigned integral type.
- * Applications that want maximum portability should not assume anything
- * about its size.
- */
-typedef isc_uint32_t isc_stdtime_t;
-
-/* but this flag helps... */
-#define STDTIME_ON_32BITS	1
-
-/*
- * isc_stdtime32_t is a 32-bit version of isc_stdtime_t.  A variable of this
- * type should only be used as an opaque integer (e.g.,) to compare two
- * time values.
- */
-typedef isc_uint32_t isc_stdtime32_t;
-
-ISC_LANG_BEGINDECLS
-/* */
-void
-isc_stdtime_get(isc_stdtime_t *t);
-/*%<
- * Set 't' to the number of seconds since 00:00:00 UTC, January 1, 1970.
- *
- * Requires:
- *
- *\li	't' is a valid pointer.
- */
-
-#define isc_stdtime_convert32(t, t32p) (*(t32p) = t)
-/*
- * Convert the standard time to its 32-bit version.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_STDTIME_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/strerror.h b/contrib/bind9/lib/isc/unix/include/isc/strerror.h
deleted file mode 100644
index 899043b..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/strerror.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: strerror.h,v 1.10 2008/12/01 23:47:45 tbox Exp $ */
-
-#ifndef ISC_STRERROR_H
-#define ISC_STRERROR_H
-
-/*! \file */
-
-#include <sys/types.h>
-
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-/*% String Error Size */
-#define ISC_STRERRORSIZE 128
-
-/*%
- * Provide a thread safe wrapper to strerror().
- *
- * Requires:
- * 	'buf' to be non NULL.
- */
-void
-isc__strerror(int num, char *buf, size_t bufsize);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_STRERROR_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/syslog.h b/contrib/bind9/lib/isc/unix/include/isc/syslog.h
deleted file mode 100644
index 7e0c88c..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/syslog.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: syslog.h,v 1.7 2007/06/19 23:47:19 tbox Exp $ */
-
-#ifndef ISC_SYSLOG_H
-#define ISC_SYSLOG_H 1
-
-/*! \file */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_syslog_facilityfromstring(const char *str, int *facilityp);
-/*%<
- * Convert 'str' to the appropriate syslog facility constant.
- *
- * Requires:
- *
- *\li	'str' is not NULL
- *\li	'facilityp' is not NULL
- *
- * Returns:
- * \li	#ISC_R_SUCCESS
- * \li	#ISC_R_NOTFOUND
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SYSLOG_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/time.h b/contrib/bind9/lib/isc/unix/include/isc/time.h
deleted file mode 100644
index d81d854..0000000
--- a/contrib/bind9/lib/isc/unix/include/isc/time.h
+++ /dev/null
@@ -1,334 +0,0 @@
-/*
- * Copyright (C) 2004-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: time.h,v 1.40 2009/01/05 23:47:54 tbox Exp $ */
-
-#ifndef ISC_TIME_H
-#define ISC_TIME_H 1
-
-/*! \file */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/***
- *** Intervals
- ***/
-
-/*!
- *  \brief
- * The contents of this structure are private, and MUST NOT be accessed
- * directly by callers.
- *
- * The contents are exposed only to allow callers to avoid dynamic allocation.
- */
-struct isc_interval {
-	unsigned int seconds;
-	unsigned int nanoseconds;
-};
-
-extern const isc_interval_t * const isc_interval_zero;
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_interval_set(isc_interval_t *i,
-		 unsigned int seconds, unsigned int nanoseconds);
-/*%<
- * Set 'i' to a value representing an interval of 'seconds' seconds and
- * 'nanoseconds' nanoseconds, suitable for use in isc_time_add() and
- * isc_time_subtract().
- *
- * Requires:
- *
- *\li	't' is a valid pointer.
- *\li	nanoseconds < 1000000000.
- */
-
-isc_boolean_t
-isc_interval_iszero(const isc_interval_t *i);
-/*%<
- * Returns ISC_TRUE iff. 'i' is the zero interval.
- *
- * Requires:
- *
- *\li	'i' is a valid pointer.
- */
-
-/***
- *** Absolute Times
- ***/
-
-/*%
- * The contents of this structure are private, and MUST NOT be accessed
- * directly by callers.
- *
- * The contents are exposed only to allow callers to avoid dynamic allocation.
- */
-
-struct isc_time {
-	unsigned int	seconds;
-	unsigned int	nanoseconds;
-};
-
-extern const isc_time_t * const isc_time_epoch;
-
-void
-isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
-/*%<
- * Set 't' to a value which represents the given number of seconds and
- * nanoseconds since 00:00:00 January 1, 1970, UTC.
- *
- * Notes:
- *\li	The Unix version of this call is equivalent to:
- *\code
- *	isc_time_settoepoch(t);
- *	isc_interval_set(i, seconds, nanoseconds);
- *	isc_time_add(t, i, t);
- *\endcode
- *
- * Requires:
- *\li	't' is a valid pointer.
- *\li	nanoseconds < 1000000000.
- */
-
-void
-isc_time_settoepoch(isc_time_t *t);
-/*%<
- * Set 't' to the time of the epoch.
- *
- * Notes:
- *\li	The date of the epoch is platform-dependent.
- *
- * Requires:
- *
- *\li	't' is a valid pointer.
- */
-
-isc_boolean_t
-isc_time_isepoch(const isc_time_t *t);
-/*%<
- * Returns ISC_TRUE iff. 't' is the epoch ("time zero").
- *
- * Requires:
- *
- *\li	't' is a valid pointer.
- */
-
-isc_result_t
-isc_time_now(isc_time_t *t);
-/*%<
- * Set 't' to the current absolute time.
- *
- * Requires:
- *
- *\li	't' is a valid pointer.
- *
- * Returns:
- *
- *\li	Success
- *\li	Unexpected error
- *		Getting the time from the system failed.
- *\li	Out of range
- *		The time from the system is too large to be represented
- *		in the current definition of isc_time_t.
- */
-
-isc_result_t
-isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
-/*%<
- * Set *t to the current absolute time + i.
- *
- * Note:
- *\li	This call is equivalent to:
- *
- *\code
- *		isc_time_now(t);
- *		isc_time_add(t, i, t);
- *\endcode
- *
- * Requires:
- *
- *\li	't' and 'i' are valid pointers.
- *
- * Returns:
- *
- *\li	Success
- *\li	Unexpected error
- *		Getting the time from the system failed.
- *\li	Out of range
- *		The interval added to the time from the system is too large to
- *		be represented in the current definition of isc_time_t.
- */
-
-int
-isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
-/*%<
- * Compare the times referenced by 't1' and 't2'
- *
- * Requires:
- *
- *\li	't1' and 't2' are valid pointers.
- *
- * Returns:
- *
- *\li	-1		t1 < t2		(comparing times, not pointers)
- *\li	0		t1 = t2
- *\li	1		t1 > t2
- */
-
-isc_result_t
-isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
-/*%<
- * Add 'i' to 't', storing the result in 'result'.
- *
- * Requires:
- *
- *\li	't', 'i', and 'result' are valid pointers.
- *
- * Returns:
- *\li	Success
- *\li	Out of range
- * 		The interval added to the time is too large to
- *		be represented in the current definition of isc_time_t.
- */
-
-isc_result_t
-isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
-		  isc_time_t *result);
-/*%<
- * Subtract 'i' from 't', storing the result in 'result'.
- *
- * Requires:
- *
- *\li	't', 'i', and 'result' are valid pointers.
- *
- * Returns:
- *\li	Success
- *\li	Out of range
- *		The interval is larger than the time since the epoch.
- */
-
-isc_uint64_t
-isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
-/*%<
- * Find the difference in microseconds between time t1 and time t2.
- * t2 is the subtrahend of t1; ie, difference = t1 - t2.
- *
- * Requires:
- *
- *\li	't1' and 't2' are valid pointers.
- *
- * Returns:
- *\li	The difference of t1 - t2, or 0 if t1 <= t2.
- */
-
-isc_uint32_t
-isc_time_seconds(const isc_time_t *t);
-/*%<
- * Return the number of seconds since the epoch stored in a time structure.
- *
- * Requires:
- *
- *\li	't' is a valid pointer.
- */
-
-isc_result_t
-isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
-/*%<
- * Ensure the number of seconds in an isc_time_t is representable by a time_t.
- *
- * Notes:
- *\li	The number of seconds stored in an isc_time_t might be larger
- *	than the number of seconds a time_t is able to handle.  Since
- *	time_t is mostly opaque according to the ANSI/ISO standard
- *	(essentially, all you can be sure of is that it is an arithmetic type,
- *	not even necessarily integral), it can be tricky to ensure that
- *	the isc_time_t is in the range a time_t can handle.  Use this
- *	function in place of isc_time_seconds() any time you need to set a
- *	time_t from an isc_time_t.
- *
- * Requires:
- *\li	't' is a valid pointer.
- *
- * Returns:
- *\li	Success
- *\li	Out of range
- */
-
-isc_uint32_t
-isc_time_nanoseconds(const isc_time_t *t);
-/*%<
- * Return the number of nanoseconds stored in a time structure.
- *
- * Notes:
- *\li	This is the number of nanoseconds in excess of the number
- *	of seconds since the epoch; it will always be less than one
- *	full second.
- *
- * Requires:
- *\li	't' is a valid pointer.
- *
- * Ensures:
- *\li	The returned value is less than 1*10^9.
- */
-
-void
-isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
-/*%<
- * Format the time 't' into the buffer 'buf' of length 'len',
- * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
- * If the text does not fit in the buffer, the result is indeterminate,
- * but is always guaranteed to be null terminated.
- *
- *  Requires:
- *\li      'len' > 0
- *\li      'buf' points to an array of at least len chars
- *
- */
-
-void
-isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len);
-/*%<
- * Format the time 't' into the buffer 'buf' of length 'len',
- * using a format like "Mon, 30 Aug 2000 04:06:47 GMT"
- * If the text does not fit in the buffer, the result is indeterminate,
- * but is always guaranteed to be null terminated.
- *
- *  Requires:
- *\li      'len' > 0
- *\li      'buf' points to an array of at least len chars
- *
- */
-
-void
-isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len);
-/*%<
- * Format the time 't' into the buffer 'buf' of length 'len',
- * using the ISO8601 format: "yyyy-mm-ddThh:mm:ssZ"
- * If the text does not fit in the buffer, the result is indeterminate,
- * but is always guaranteed to be null terminated.
- *
- *  Requires:
- *\li      'len' > 0
- *\li      'buf' points to an array of at least len chars
- *
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_TIME_H */
diff --git a/contrib/bind9/lib/isc/unix/interfaceiter.c b/contrib/bind9/lib/isc/unix/interfaceiter.c
deleted file mode 100644
index af2b06d..0000000
--- a/contrib/bind9/lib/isc/unix/interfaceiter.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: interfaceiter.c,v 1.45 2008/12/01 03:51:47 marka Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#ifdef HAVE_SYS_SOCKIO_H
-#include <sys/sockio.h>		/* Required for ifiter_ioctl.c. */
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include <isc/interfaceiter.h>
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/net.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-/* Must follow <isc/net.h>. */
-#ifdef HAVE_NET_IF6_H
-#include <net/if6.h>
-#endif
-#include <net/if.h>
-
-/* Common utility functions */
-
-/*%
- * Extract the network address part from a "struct sockaddr".
- * \brief
- * The address family is given explicitly
- * instead of using src->sa_family, because the latter does not work
- * for copying a network mask obtained by SIOCGIFNETMASK (it does
- * not have a valid address family).
- */
-
-static void
-get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src,
-	 char *ifname)
-{
-	struct sockaddr_in6 *sa6;
-
-#if !defined(ISC_PLATFORM_HAVEIFNAMETOINDEX) || \
-    !defined(ISC_PLATFORM_HAVESCOPEID)
-	UNUSED(ifname);
-#endif
-
-	/* clear any remaining value for safety */
-	memset(dst, 0, sizeof(*dst));
-
-	dst->family = family;
-	switch (family) {
-	case AF_INET:
-		memcpy(&dst->type.in,
-		       &((struct sockaddr_in *) src)->sin_addr,
-		       sizeof(struct in_addr));
-		break;
-	case AF_INET6:
-		sa6 = (struct sockaddr_in6 *)src;
-		memcpy(&dst->type.in6, &sa6->sin6_addr,
-		       sizeof(struct in6_addr));
-#ifdef ISC_PLATFORM_HAVESCOPEID
-		if (sa6->sin6_scope_id != 0)
-			isc_netaddr_setzone(dst, sa6->sin6_scope_id);
-		else {
-			/*
-			 * BSD variants embed scope zone IDs in the 128bit
-			 * address as a kernel internal form.  Unfortunately,
-			 * the embedded IDs are not hidden from applications
-			 * when getting access to them by sysctl or ioctl.
-			 * We convert the internal format to the pure address
-			 * part and the zone ID part.
-			 * Since multicast addresses should not appear here
-			 * and they cannot be distinguished from netmasks,
-			 * we only consider unicast link-local addresses.
-			 */
-			if (IN6_IS_ADDR_LINKLOCAL(&sa6->sin6_addr)) {
-				isc_uint16_t zone16;
-
-				memcpy(&zone16, &sa6->sin6_addr.s6_addr[2],
-				       sizeof(zone16));
-				zone16 = ntohs(zone16);
-				if (zone16 != 0) {
-					/* the zone ID is embedded */
-					isc_netaddr_setzone(dst,
-							    (isc_uint32_t)zone16);
-					dst->type.in6.s6_addr[2] = 0;
-					dst->type.in6.s6_addr[3] = 0;
-#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
-				} else if (ifname != NULL) {
-					unsigned int zone;
-
-					/*
-					 * sin6_scope_id is still not provided,
-					 * but the corresponding interface name
-					 * is know.  Use the interface ID as
-					 * the link ID.
-					 */
-					zone = if_nametoindex(ifname);
-					if (zone != 0) {
-						isc_netaddr_setzone(dst,
-								    (isc_uint32_t)zone);
-					}
-#endif
-				}
-			}
-		}
-#endif
-		break;
-	default:
-		INSIST(0);
-		break;
-	}
-}
-
-/*
- * Include system-dependent code.
- */
-
-#ifdef __linux
-#define ISC_IF_INET6_SZ \
-    sizeof("00000000000000000000000000000001 01 80 10 80 XXXXXXloXXXXXXXX\n")
-static isc_result_t linux_if_inet6_next(isc_interfaceiter_t *);
-static isc_result_t linux_if_inet6_current(isc_interfaceiter_t *);
-static void linux_if_inet6_first(isc_interfaceiter_t *iter);
-#endif
-
-#if HAVE_GETIFADDRS
-#include "ifiter_getifaddrs.c"
-#elif HAVE_IFLIST_SYSCTL
-#include "ifiter_sysctl.c"
-#else
-#include "ifiter_ioctl.c"
-#endif
-
-#ifdef __linux
-static void
-linux_if_inet6_first(isc_interfaceiter_t *iter) {
-	if (iter->proc != NULL) {
-		rewind(iter->proc);
-		(void)linux_if_inet6_next(iter);
-	} else
-		iter->valid = ISC_R_NOMORE;
-}
-
-static isc_result_t
-linux_if_inet6_next(isc_interfaceiter_t *iter) {
-	if (iter->proc != NULL &&
-	    fgets(iter->entry, sizeof(iter->entry), iter->proc) != NULL)
-		iter->valid = ISC_R_SUCCESS;
-	else
-		iter->valid = ISC_R_NOMORE;
-	return (iter->valid);
-}
-
-static isc_result_t
-linux_if_inet6_current(isc_interfaceiter_t *iter) {
-	char address[33];
-	char name[IF_NAMESIZE+1];
-	struct in6_addr addr6;
-	int ifindex, prefix, flag3, flag4;
-	int res;
-	unsigned int i;
-
-	if (iter->valid != ISC_R_SUCCESS)
-		return (iter->valid);
-	if (iter->proc == NULL) {
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
-			      "/proc/net/if_inet6:iter->proc == NULL");
-		return (ISC_R_FAILURE);
-	}
-
-	res = sscanf(iter->entry, "%32[a-f0-9] %x %x %x %x %16s\n",
-		     address, &ifindex, &prefix, &flag3, &flag4, name);
-	if (res != 6) {
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
-			      "/proc/net/if_inet6:sscanf() -> %d (expected 6)",
-			      res);
-		return (ISC_R_FAILURE);
-	}
-	if (strlen(address) != 32) {
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
-			      "/proc/net/if_inet6:strlen(%s) != 32", address);
-		return (ISC_R_FAILURE);
-	}
-	for (i = 0; i < 16; i++) {
-		unsigned char byte;
-		static const char hex[] = "0123456789abcdef";
-		byte = ((strchr(hex, address[i * 2]) - hex) << 4) |
-		       (strchr(hex, address[i * 2 + 1]) - hex);
-		addr6.s6_addr[i] = byte;
-	}
-	iter->current.af = AF_INET6;
-	iter->current.flags = INTERFACE_F_UP;
-	isc_netaddr_fromin6(&iter->current.address, &addr6);
-	if (isc_netaddr_islinklocal(&iter->current.address)) {
-		isc_netaddr_setzone(&iter->current.address,
-				    (isc_uint32_t)ifindex);
-	}
-	for (i = 0; i < 16; i++) {
-		if (prefix > 8) {
-			addr6.s6_addr[i] = 0xff;
-			prefix -= 8;
-		} else {
-			addr6.s6_addr[i] = (0xff << (8 - prefix)) & 0xff;
-			prefix = 0;
-		}
-	}
-	isc_netaddr_fromin6(&iter->current.netmask, &addr6);
-	strncpy(iter->current.name, name, sizeof(iter->current.name));
-	return (ISC_R_SUCCESS);
-}
-#endif
-
-/*
- * The remaining code is common to the sysctl and ioctl case.
- */
-
-isc_result_t
-isc_interfaceiter_current(isc_interfaceiter_t *iter,
-			  isc_interface_t *ifdata)
-{
-	REQUIRE(iter->result == ISC_R_SUCCESS);
-	memcpy(ifdata, &iter->current, sizeof(*ifdata));
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_interfaceiter_first(isc_interfaceiter_t *iter) {
-	isc_result_t result;
-
-	REQUIRE(VALID_IFITER(iter));
-
-	internal_first(iter);
-	for (;;) {
-		result = internal_current(iter);
-		if (result != ISC_R_IGNORE)
-			break;
-		result = internal_next(iter);
-		if (result != ISC_R_SUCCESS)
-			break;
-	}
-	iter->result = result;
-	return (result);
-}
-
-isc_result_t
-isc_interfaceiter_next(isc_interfaceiter_t *iter) {
-	isc_result_t result;
-
-	REQUIRE(VALID_IFITER(iter));
-	REQUIRE(iter->result == ISC_R_SUCCESS);
-
-	for (;;) {
-		result = internal_next(iter);
-		if (result != ISC_R_SUCCESS)
-			break;
-		result = internal_current(iter);
-		if (result != ISC_R_IGNORE)
-			break;
-	}
-	iter->result = result;
-	return (result);
-}
-
-void
-isc_interfaceiter_destroy(isc_interfaceiter_t **iterp)
-{
-	isc_interfaceiter_t *iter;
-	REQUIRE(iterp != NULL);
-	iter = *iterp;
-	REQUIRE(VALID_IFITER(iter));
-
-	internal_destroy(iter);
-	if (iter->buf != NULL)
-		isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
-
-	iter->magic = 0;
-	isc_mem_put(iter->mctx, iter, sizeof(*iter));
-	*iterp = NULL;
-}
diff --git a/contrib/bind9/lib/isc/unix/ipv6.c b/contrib/bind9/lib/isc/unix/ipv6.c
deleted file mode 100644
index 61e984f..0000000
--- a/contrib/bind9/lib/isc/unix/ipv6.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ipv6.c,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/ipv6.h>
-
-const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
-const struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
diff --git a/contrib/bind9/lib/isc/unix/keyboard.c b/contrib/bind9/lib/isc/unix/keyboard.c
deleted file mode 100644
index 8ee62d3..0000000
--- a/contrib/bind9/lib/isc/unix/keyboard.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keyboard.c,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
-
-#include <config.h>
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <termios.h>
-#include <unistd.h>
-#include <fcntl.h>
-
-#include <isc/keyboard.h>
-#include <isc/util.h>
-
-isc_result_t
-isc_keyboard_open(isc_keyboard_t *keyboard) {
-	int fd;
-	isc_result_t ret;
-	struct termios current_mode;
-
-	REQUIRE(keyboard != NULL);
-
-	fd = open("/dev/tty", O_RDONLY, 0);
-	if (fd < 0)
-		return (ISC_R_IOERROR);
-
-	keyboard->fd = fd;
-
-	if (tcgetattr(fd, &keyboard->saved_mode) < 0) {
-		ret = ISC_R_IOERROR;
-		goto errout;
-	}
-
-	current_mode = keyboard->saved_mode;
-
-	current_mode.c_iflag &=
-			~(IGNBRK|BRKINT|PARMRK|ISTRIP|INLCR|IGNCR|ICRNL|IXON);
-	current_mode.c_oflag &= ~OPOST;
-	current_mode.c_lflag &= ~(ECHO|ECHONL|ICANON|ISIG|IEXTEN);
-	current_mode.c_cflag &= ~(CSIZE|PARENB);
-	current_mode.c_cflag |= CS8;
-
-	current_mode.c_cc[VMIN] = 1;
-	current_mode.c_cc[VTIME] = 0;
-	if (tcsetattr(fd, TCSAFLUSH, &current_mode) < 0) {
-		ret = ISC_R_IOERROR;
-		goto errout;
-	}
-
-	keyboard->result = ISC_R_SUCCESS;
-
-	return (ISC_R_SUCCESS);
-
- errout:
-	close (fd);
-
-	return (ret);
-}
-
-isc_result_t
-isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleeptime) {
-	REQUIRE(keyboard != NULL);
-
-	if (sleeptime > 0 && keyboard->result != ISC_R_CANCELED)
-		(void)sleep(sleeptime);
-
-	(void)tcsetattr(keyboard->fd, TCSAFLUSH, &keyboard->saved_mode);
-	(void)close(keyboard->fd);
-
-	keyboard->fd = -1;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp) {
-	ssize_t cc;
-	unsigned char c;
-	cc_t *controlchars;
-
-	REQUIRE(keyboard != NULL);
-	REQUIRE(cp != NULL);
-
-	cc = read(keyboard->fd, &c, 1);
-	if (cc < 0) {
-		keyboard->result = ISC_R_IOERROR;
-		return (keyboard->result);
-	}
-
-	controlchars = keyboard->saved_mode.c_cc;
-	if (c == controlchars[VINTR] || c == controlchars[VQUIT]) {
-		keyboard->result = ISC_R_CANCELED;
-		return (keyboard->result);
-	}
-
-	*cp = c;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-isc_keyboard_canceled(isc_keyboard_t *keyboard) {
-	return (ISC_TF(keyboard->result == ISC_R_CANCELED));
-}
diff --git a/contrib/bind9/lib/isc/unix/net.c b/contrib/bind9/lib/isc/unix/net.c
deleted file mode 100644
index 1fedbc4..0000000
--- a/contrib/bind9/lib/isc/unix/net.c
+++ /dev/null
@@ -1,521 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <sys/types.h>
-
-#if defined(HAVE_SYS_SYSCTL_H)
-#if defined(HAVE_SYS_PARAM_H)
-#include <sys/param.h>
-#endif
-#include <sys/sysctl.h>
-#endif
-
-#include <errno.h>
-#include <unistd.h>
-
-#include <isc/log.h>
-#include <isc/msgs.h>
-#include <isc/net.h>
-#include <isc/once.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-/*%
- * Definitions about UDP port range specification.  This is a total mess of
- * portability variants: some use sysctl (but the sysctl names vary), some use
- * system-specific interfaces, some have the same interface for IPv4 and IPv6,
- * some separate them, etc...
- */
-
-/*%
- * The last resort defaults: use all non well known port space
- */
-#ifndef ISC_NET_PORTRANGELOW
-#define ISC_NET_PORTRANGELOW 1024
-#endif	/* ISC_NET_PORTRANGELOW */
-#ifndef ISC_NET_PORTRANGEHIGH
-#define ISC_NET_PORTRANGEHIGH 65535
-#endif	/* ISC_NET_PORTRANGEHIGH */
-
-#ifdef HAVE_SYSCTLBYNAME
-
-/*%
- * sysctl variants
- */
-#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__DragonFly__)
-#define USE_SYSCTL_PORTRANGE
-#define SYSCTL_V4PORTRANGE_LOW	"net.inet.ip.portrange.hifirst"
-#define SYSCTL_V4PORTRANGE_HIGH	"net.inet.ip.portrange.hilast"
-#define SYSCTL_V6PORTRANGE_LOW	"net.inet.ip.portrange.hifirst"
-#define SYSCTL_V6PORTRANGE_HIGH	"net.inet.ip.portrange.hilast"
-#endif
-
-#ifdef __NetBSD__
-#define USE_SYSCTL_PORTRANGE
-#define SYSCTL_V4PORTRANGE_LOW	"net.inet.ip.anonportmin"
-#define SYSCTL_V4PORTRANGE_HIGH	"net.inet.ip.anonportmax"
-#define SYSCTL_V6PORTRANGE_LOW	"net.inet6.ip6.anonportmin"
-#define SYSCTL_V6PORTRANGE_HIGH	"net.inet6.ip6.anonportmax"
-#endif
-
-#else /* !HAVE_SYSCTLBYNAME */
-
-#ifdef __OpenBSD__
-#define USE_SYSCTL_PORTRANGE
-#define SYSCTL_V4PORTRANGE_LOW	{ CTL_NET, PF_INET, IPPROTO_IP, \
-				  IPCTL_IPPORT_HIFIRSTAUTO }
-#define SYSCTL_V4PORTRANGE_HIGH	{ CTL_NET, PF_INET, IPPROTO_IP, \
-				  IPCTL_IPPORT_HILASTAUTO }
-/* Same for IPv6 */
-#define SYSCTL_V6PORTRANGE_LOW	SYSCTL_V4PORTRANGE_LOW
-#define SYSCTL_V6PORTRANGE_HIGH	SYSCTL_V4PORTRANGE_HIGH
-#endif
-
-#endif /* HAVE_SYSCTLBYNAME */
-
-#if defined(ISC_PLATFORM_HAVEIPV6)
-# if defined(ISC_PLATFORM_NEEDIN6ADDRANY)
-const struct in6_addr isc_net_in6addrany = IN6ADDR_ANY_INIT;
-# endif
-
-# if defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
-const struct in6_addr isc_net_in6addrloop = IN6ADDR_LOOPBACK_INIT;
-# endif
-
-# if defined(WANT_IPV6)
-static isc_once_t 	once_ipv6only = ISC_ONCE_INIT;
-# endif
-
-# if defined(ISC_PLATFORM_HAVEIN6PKTINFO)
-static isc_once_t 	once_ipv6pktinfo = ISC_ONCE_INIT;
-# endif
-#endif /* ISC_PLATFORM_HAVEIPV6 */
-
-static isc_once_t 	once = ISC_ONCE_INIT;
-
-static isc_result_t	ipv4_result = ISC_R_NOTFOUND;
-static isc_result_t	ipv6_result = ISC_R_NOTFOUND;
-static isc_result_t	unix_result = ISC_R_NOTFOUND;
-static isc_result_t	ipv6only_result = ISC_R_NOTFOUND;
-static isc_result_t	ipv6pktinfo_result = ISC_R_NOTFOUND;
-
-static isc_result_t
-try_proto(int domain) {
-	int s;
-	isc_result_t result = ISC_R_SUCCESS;
-	char strbuf[ISC_STRERRORSIZE];
-
-	s = socket(domain, SOCK_STREAM, 0);
-	if (s == -1) {
-		switch (errno) {
-#ifdef EAFNOSUPPORT
-		case EAFNOSUPPORT:
-#endif
-#ifdef EPROTONOSUPPORT
-		case EPROTONOSUPPORT:
-#endif
-#ifdef EINVAL
-		case EINVAL:
-#endif
-			return (ISC_R_NOTFOUND);
-		default:
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "socket() %s: %s",
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_GENERAL,
-							ISC_MSG_FAILED,
-							"failed"),
-					 strbuf);
-			return (ISC_R_UNEXPECTED);
-		}
-	}
-
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef WANT_IPV6
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-	if (domain == PF_INET6) {
-		struct sockaddr_in6 sin6;
-		unsigned int len;
-
-		/*
-		 * Check to see if IPv6 is broken, as is common on Linux.
-		 */
-		len = sizeof(sin6);
-		if (getsockname(s, (struct sockaddr *)&sin6, (void *)&len) < 0)
-		{
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-				      "retrieving the address of an IPv6 "
-				      "socket from the kernel failed.");
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-				      "IPv6 is not supported.");
-			result = ISC_R_NOTFOUND;
-		} else {
-			if (len == sizeof(struct sockaddr_in6))
-				result = ISC_R_SUCCESS;
-			else {
-				isc_log_write(isc_lctx,
-					      ISC_LOGCATEGORY_GENERAL,
-					      ISC_LOGMODULE_SOCKET,
-					      ISC_LOG_ERROR,
-					      "IPv6 structures in kernel and "
-					      "user space do not match.");
-				isc_log_write(isc_lctx,
-					      ISC_LOGCATEGORY_GENERAL,
-					      ISC_LOGMODULE_SOCKET,
-					      ISC_LOG_ERROR,
-					      "IPv6 is not supported.");
-				result = ISC_R_NOTFOUND;
-			}
-		}
-	}
-#endif
-#endif
-#endif
-
-	(void)close(s);
-
-	return (result);
-}
-
-static void
-initialize_action(void) {
-	ipv4_result = try_proto(PF_INET);
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef WANT_IPV6
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-	ipv6_result = try_proto(PF_INET6);
-#endif
-#endif
-#endif
-#ifdef ISC_PLATFORM_HAVESYSUNH
-	unix_result = try_proto(PF_UNIX);
-#endif
-}
-
-static void
-initialize(void) {
-	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_net_probeipv4(void) {
-	initialize();
-	return (ipv4_result);
-}
-
-isc_result_t
-isc_net_probeipv6(void) {
-	initialize();
-	return (ipv6_result);
-}
-
-isc_result_t
-isc_net_probeunix(void) {
-	initialize();
-	return (unix_result);
-}
-
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef WANT_IPV6
-static void
-try_ipv6only(void) {
-#ifdef IPV6_V6ONLY
-	int s, on;
-	char strbuf[ISC_STRERRORSIZE];
-#endif
-	isc_result_t result;
-
-	result = isc_net_probeipv6();
-	if (result != ISC_R_SUCCESS) {
-		ipv6only_result = result;
-		return;
-	}
-
-#ifndef IPV6_V6ONLY
-	ipv6only_result = ISC_R_NOTFOUND;
-	return;
-#else
-	/* check for TCP sockets */
-	s = socket(PF_INET6, SOCK_STREAM, 0);
-	if (s == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "socket() %s: %s",
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED,
-						"failed"),
-				 strbuf);
-		ipv6only_result = ISC_R_UNEXPECTED;
-		return;
-	}
-
-	on = 1;
-	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
-		ipv6only_result = ISC_R_NOTFOUND;
-		goto close;
-	}
-
-	close(s);
-
-	/* check for UDP sockets */
-	s = socket(PF_INET6, SOCK_DGRAM, 0);
-	if (s == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "socket() %s: %s",
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED,
-						"failed"),
-				 strbuf);
-		ipv6only_result = ISC_R_UNEXPECTED;
-		return;
-	}
-
-	on = 1;
-	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
-		ipv6only_result = ISC_R_NOTFOUND;
-		goto close;
-	}
-
-	ipv6only_result = ISC_R_SUCCESS;
-
-close:
-	close(s);
-	return;
-#endif /* IPV6_V6ONLY */
-}
-
-static void
-initialize_ipv6only(void) {
-	RUNTIME_CHECK(isc_once_do(&once_ipv6only,
-				  try_ipv6only) == ISC_R_SUCCESS);
-}
-#endif /* WANT_IPV6 */
-
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-static void
-try_ipv6pktinfo(void) {
-	int s, on;
-	char strbuf[ISC_STRERRORSIZE];
-	isc_result_t result;
-	int optname;
-
-	result = isc_net_probeipv6();
-	if (result != ISC_R_SUCCESS) {
-		ipv6pktinfo_result = result;
-		return;
-	}
-
-	/* we only use this for UDP sockets */
-	s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
-	if (s == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "socket() %s: %s",
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED,
-						"failed"),
-				 strbuf);
-		ipv6pktinfo_result = ISC_R_UNEXPECTED;
-		return;
-	}
-
-#ifdef IPV6_RECVPKTINFO
-	optname = IPV6_RECVPKTINFO;
-#else
-	optname = IPV6_PKTINFO;
-#endif
-	on = 1;
-	if (setsockopt(s, IPPROTO_IPV6, optname, &on, sizeof(on)) < 0) {
-		ipv6pktinfo_result = ISC_R_NOTFOUND;
-		goto close;
-	}
-
-	ipv6pktinfo_result = ISC_R_SUCCESS;
-
-close:
-	close(s);
-	return;
-}
-
-static void
-initialize_ipv6pktinfo(void) {
-	RUNTIME_CHECK(isc_once_do(&once_ipv6pktinfo,
-				  try_ipv6pktinfo) == ISC_R_SUCCESS);
-}
-#endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
-#endif /* ISC_PLATFORM_HAVEIPV6 */
-
-isc_result_t
-isc_net_probe_ipv6only(void) {
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef WANT_IPV6
-	initialize_ipv6only();
-#else
-	ipv6only_result = ISC_R_NOTFOUND;
-#endif
-#endif
-	return (ipv6only_result);
-}
-
-isc_result_t
-isc_net_probe_ipv6pktinfo(void) {
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-#ifdef WANT_IPV6
-	initialize_ipv6pktinfo();
-#else
-	ipv6pktinfo_result = ISC_R_NOTFOUND;
-#endif
-#endif
-#endif
-	return (ipv6pktinfo_result);
-}
-
-#if defined(USE_SYSCTL_PORTRANGE)
-#if defined(HAVE_SYSCTLBYNAME)
-static isc_result_t
-getudpportrange_sysctl(int af, in_port_t *low, in_port_t *high) {
-	int port_low, port_high;
-	size_t portlen;
-	const char *sysctlname_lowport, *sysctlname_hiport;
-
-	if (af == AF_INET) {
-		sysctlname_lowport = SYSCTL_V4PORTRANGE_LOW;
-		sysctlname_hiport = SYSCTL_V4PORTRANGE_HIGH;
-	} else {
-		sysctlname_lowport = SYSCTL_V6PORTRANGE_LOW;
-		sysctlname_hiport = SYSCTL_V6PORTRANGE_HIGH;
-	}
-	portlen = sizeof(portlen);
-	if (sysctlbyname(sysctlname_lowport, &port_low, &portlen,
-			 NULL, 0) < 0) {
-		return (ISC_R_FAILURE);
-	}
-	portlen = sizeof(portlen);
-	if (sysctlbyname(sysctlname_hiport, &port_high, &portlen,
-			 NULL, 0) < 0) {
-		return (ISC_R_FAILURE);
-	}
-	if ((port_low & ~0xffff) != 0 || (port_high & ~0xffff) != 0)
-		return (ISC_R_RANGE);
-
-	*low = (in_port_t)port_low;
-	*high = (in_port_t)port_high;
-
-	return (ISC_R_SUCCESS);
-}
-#else /* !HAVE_SYSCTLBYNAME */
-static isc_result_t
-getudpportrange_sysctl(int af, in_port_t *low, in_port_t *high) {
-	int mib_lo4[4] = SYSCTL_V4PORTRANGE_LOW;
-	int mib_hi4[4] = SYSCTL_V4PORTRANGE_HIGH;
-	int mib_lo6[4] = SYSCTL_V6PORTRANGE_LOW;
-	int mib_hi6[4] = SYSCTL_V6PORTRANGE_HIGH;
-	int *mib_lo, *mib_hi, miblen;
-	int port_low, port_high;
-	size_t portlen;
-
-	if (af == AF_INET) {
-		mib_lo = mib_lo4;
-		mib_hi = mib_hi4;
-		miblen = sizeof(mib_lo4) / sizeof(mib_lo4[0]);
-	} else {
-		mib_lo = mib_lo6;
-		mib_hi = mib_hi6;
-		miblen = sizeof(mib_lo6) / sizeof(mib_lo6[0]);
-	}
-
-	portlen = sizeof(portlen);
-	if (sysctl(mib_lo, miblen, &port_low, &portlen, NULL, 0) < 0) {
-		return (ISC_R_FAILURE);
-	}
-
-	portlen = sizeof(portlen);
-	if (sysctl(mib_hi, miblen, &port_high, &portlen, NULL, 0) < 0) {
-		return (ISC_R_FAILURE);
-	}
-
-	if ((port_low & ~0xffff) != 0 || (port_high & ~0xffff) != 0)
-		return (ISC_R_RANGE);
-
-	*low = (in_port_t) port_low;
-	*high = (in_port_t) port_high;
-
-	return (ISC_R_SUCCESS);
-}
-#endif /* HAVE_SYSCTLBYNAME */
-#endif /* USE_SYSCTL_PORTRANGE */
-
-isc_result_t
-isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high) {
-	int result = ISC_R_FAILURE;
-
-	REQUIRE(low != NULL && high != NULL);
-
-#if defined(USE_SYSCTL_PORTRANGE)
-	result = getudpportrange_sysctl(af, low, high);
-#else
-	UNUSED(af);
-#endif
-
-	if (result != ISC_R_SUCCESS) {
-		*low = ISC_NET_PORTRANGELOW;
-		*high = ISC_NET_PORTRANGEHIGH;
-	}
-
-	return (ISC_R_SUCCESS);	/* we currently never fail in this function */
-}
-
-void
-isc_net_disableipv4(void) {
-	initialize();
-	if (ipv4_result == ISC_R_SUCCESS)
-		ipv4_result = ISC_R_DISABLED;
-}
-
-void
-isc_net_disableipv6(void) {
-	initialize();
-	if (ipv6_result == ISC_R_SUCCESS)
-		ipv6_result = ISC_R_DISABLED;
-}
-
-void
-isc_net_enableipv4(void) {
-	initialize();
-	if (ipv4_result == ISC_R_DISABLED)
-		ipv4_result = ISC_R_SUCCESS;
-}
-
-void
-isc_net_enableipv6(void) {
-	initialize();
-	if (ipv6_result == ISC_R_DISABLED)
-		ipv6_result = ISC_R_SUCCESS;
-}
diff --git a/contrib/bind9/lib/isc/unix/os.c b/contrib/bind9/lib/isc/unix/os.c
deleted file mode 100644
index c050d14..0000000
--- a/contrib/bind9/lib/isc/unix/os.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.c,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
-
-#include <config.h>
-
-#include <isc/os.h>
-
-
-#ifdef HAVE_SYSCONF
-
-#include <unistd.h>
-
-#ifndef __hpux
-static inline long
-sysconf_ncpus(void) {
-#if defined(_SC_NPROCESSORS_ONLN)
-	return sysconf((_SC_NPROCESSORS_ONLN));
-#elif defined(_SC_NPROC_ONLN)
-	return sysconf((_SC_NPROC_ONLN));
-#else
-	return (0);
-#endif
-}
-#endif
-#endif /* HAVE_SYSCONF */
-
-
-#ifdef __hpux
-
-#include <sys/pstat.h>
-
-static inline int
-hpux_ncpus(void) {
-	struct pst_dynamic psd;
-	if (pstat_getdynamic(&psd, sizeof(psd), 1, 0) != -1)
-		return (psd.psd_proc_cnt);
-	else
-		return (0);
-}
-
-#endif /* __hpux */
-
-#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
-#include <sys/types.h>  /* for FreeBSD */
-#include <sys/param.h>  /* for NetBSD */
-#include <sys/sysctl.h>
-
-static int
-sysctl_ncpus(void) {
-	int ncpu, result;
-	size_t len;
-
-	len = sizeof(ncpu);
-	result = sysctlbyname("hw.ncpu", &ncpu, &len , 0, 0);
-	if (result != -1)
-		return (ncpu);
-	return (0);
-}
-#endif
-
-unsigned int
-isc_os_ncpus(void) {
-	long ncpus = 0;
-
-#ifdef __hpux
-	ncpus = hpux_ncpus();
-#elif defined(HAVE_SYSCONF)
-	ncpus = sysconf_ncpus();
-#endif
-#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
-	if (ncpus <= 0)
-		ncpus = sysctl_ncpus();
-#endif
-	if (ncpus <= 0)
-		ncpus = 1;
-
-	return ((unsigned int)ncpus);
-}
diff --git a/contrib/bind9/lib/isc/unix/resource.c b/contrib/bind9/lib/isc/unix/resource.c
deleted file mode 100644
index 29596e2..0000000
--- a/contrib/bind9/lib/isc/unix/resource.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resource.c,v 1.23 2009/02/13 23:48:14 tbox Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/time.h>	/* Required on some systems for <sys/resource.h>. */
-#include <sys/resource.h>
-
-#include <isc/platform.h>
-#include <isc/resource.h>
-#include <isc/result.h>
-#include <isc/util.h>
-
-#ifdef __linux__
-#include <linux/fs.h>	/* To get the large NR_OPEN. */
-#endif
-
-#if defined(__hpux) && defined(HAVE_SYS_DYNTUNE_H)
-#include <sys/dyntune.h>
-#endif
-
-#include "errno2result.h"
-
-static isc_result_t
-resource2rlim(isc_resource_t resource, int *rlim_resource) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	switch (resource) {
-	case isc_resource_coresize:
-		*rlim_resource = RLIMIT_CORE;
-		break;
-	case isc_resource_cputime:
-		*rlim_resource = RLIMIT_CPU;
-		break;
-	case isc_resource_datasize:
-		*rlim_resource = RLIMIT_DATA;
-		break;
-	case isc_resource_filesize:
-		*rlim_resource = RLIMIT_FSIZE;
-		break;
-	case isc_resource_lockedmemory:
-#ifdef RLIMIT_MEMLOCK
-		*rlim_resource = RLIMIT_MEMLOCK;
-#else
-		result = ISC_R_NOTIMPLEMENTED;
-#endif
-		break;
-	case isc_resource_openfiles:
-#ifdef RLIMIT_NOFILE
-		*rlim_resource = RLIMIT_NOFILE;
-#else
-		result = ISC_R_NOTIMPLEMENTED;
-#endif
-		break;
-	case isc_resource_processes:
-#ifdef RLIMIT_NPROC
-		*rlim_resource = RLIMIT_NPROC;
-#else
-		result = ISC_R_NOTIMPLEMENTED;
-#endif
-		break;
-	case isc_resource_residentsize:
-#ifdef RLIMIT_RSS
-		*rlim_resource = RLIMIT_RSS;
-#else
-		result = ISC_R_NOTIMPLEMENTED;
-#endif
-		break;
-	case isc_resource_stacksize:
-		*rlim_resource = RLIMIT_STACK;
-		break;
-	default:
-		/*
-		 * This test is not very robust if isc_resource_t
-		 * changes, but generates a clear assertion message.
-		 */
-		REQUIRE(resource >= isc_resource_coresize &&
-			resource <= isc_resource_stacksize);
-
-		result = ISC_R_RANGE;
-		break;
-	}
-
-	return (result);
-}
-
-isc_result_t
-isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) {
-	struct rlimit rl;
-	ISC_PLATFORM_RLIMITTYPE rlim_value;
-	int unixresult;
-	int unixresource;
-	isc_result_t result;
-
-	result = resource2rlim(resource, &unixresource);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (value == ISC_RESOURCE_UNLIMITED)
-		rlim_value = RLIM_INFINITY;
-
-	else {
-		/*
-		 * isc_resourcevalue_t was chosen as an unsigned 64 bit
-		 * integer so that it could contain the maximum range of
-		 * reasonable values.  Unfortunately, this exceeds the typical
-		 * range on Unix systems.  Ensure the range of
-		 * ISC_PLATFORM_RLIMITTYPE is not overflowed.
-		 */
-		isc_resourcevalue_t rlim_max;
-		isc_boolean_t rlim_t_is_signed =
-			ISC_TF(((double)(ISC_PLATFORM_RLIMITTYPE)-1) < 0);
-
-		if (rlim_t_is_signed)
-			rlim_max = ~((ISC_PLATFORM_RLIMITTYPE)1 <<
-				     (sizeof(ISC_PLATFORM_RLIMITTYPE) * 8 - 1));
-		else
-			rlim_max = (ISC_PLATFORM_RLIMITTYPE)-1;
-
-		if (value > rlim_max)
-			value = rlim_max;
-
-		rlim_value = value;
-	}
-
-	rl.rlim_cur = rl.rlim_max = rlim_value;
-	unixresult = setrlimit(unixresource, &rl);
-
-	if (unixresult == 0)
-		return (ISC_R_SUCCESS);
-
-#if defined(OPEN_MAX) && defined(__APPLE__)
-	/*
-	 * The Darwin kernel doesn't accept RLIM_INFINITY for rlim_cur; the
-	 * maximum possible value is OPEN_MAX.  BIND8 used to use
-	 * sysconf(_SC_OPEN_MAX) for such a case, but this value is much
-	 * smaller than OPEN_MAX and is not really effective.
-	 */
-	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
-		rl.rlim_cur = OPEN_MAX;
-		unixresult = setrlimit(unixresource, &rl);
-		if (unixresult == 0)
-			return (ISC_R_SUCCESS);
-	}
-#elif defined(__linux__)
-#ifndef NR_OPEN
-#define NR_OPEN (1024*1024)
-#endif
-
-	/*
-	 * Some Linux kernels don't accept RLIM_INFINIT; the maximum
-	 * possible value is the NR_OPEN defined in linux/fs.h.
-	 */
-	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
-		rl.rlim_cur = rl.rlim_max = NR_OPEN;
-		unixresult = setrlimit(unixresource, &rl);
-		if (unixresult == 0)
-			return (ISC_R_SUCCESS);
-	}
-#elif defined(__hpux) && defined(HAVE_SYS_DYNTUNE_H)
-	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
-		uint64_t maxfiles;
-		if (gettune("maxfiles_lim", &maxfiles) == 0) {
-			rl.rlim_cur = rl.rlim_max = maxfiles;
-			unixresult = setrlimit(unixresource, &rl);
-			if (unixresult == 0)
-				return (ISC_R_SUCCESS);
-		}
-	}
-#endif
-	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
-		if (getrlimit(unixresource, &rl) == 0) {
-			rl.rlim_cur = rl.rlim_max;
-			unixresult = setrlimit(unixresource, &rl);
-			if (unixresult == 0)
-				return (ISC_R_SUCCESS);
-		}
-	}
-	return (isc__errno2result(errno));
-}
-
-isc_result_t
-isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
-	int unixresult;
-	int unixresource;
-	struct rlimit rl;
-	isc_result_t result;
-
-	result = resource2rlim(resource, &unixresource);
-	if (result == ISC_R_SUCCESS) {
-		unixresult = getrlimit(unixresource, &rl);
-		INSIST(unixresult == 0);
-		*value = rl.rlim_max;
-	}
-
-	return (result);
-}
-
-isc_result_t
-isc_resource_getcurlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
-	int unixresult;
-	int unixresource;
-	struct rlimit rl;
-	isc_result_t result;
-
-	result = resource2rlim(resource, &unixresource);
-	if (result == ISC_R_SUCCESS) {
-		unixresult = getrlimit(unixresource, &rl);
-		INSIST(unixresult == 0);
-		*value = rl.rlim_cur;
-	}
-
-	return (result);
-}
diff --git a/contrib/bind9/lib/isc/unix/socket.c b/contrib/bind9/lib/isc/unix/socket.c
deleted file mode 100644
index 7bd12aa..0000000
--- a/contrib/bind9/lib/isc/unix/socket.c
+++ /dev/null
@@ -1,6043 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <isc/buffer.h>
-#include <isc/bufferlist.h>
-#include <isc/condition.h>
-#include <isc/formatcheck.h>
-#include <isc/list.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
-#include <isc/once.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/socket.h>
-#include <isc/stats.h>
-#include <isc/strerror.h>
-#include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-#include <isc/xml.h>
-
-#ifdef ISC_PLATFORM_HAVESYSUNH
-#include <sys/un.h>
-#endif
-#ifdef ISC_PLATFORM_HAVEKQUEUE
-#include <sys/event.h>
-#endif
-#ifdef ISC_PLATFORM_HAVEEPOLL
-#include <sys/epoll.h>
-#endif
-#ifdef ISC_PLATFORM_HAVEDEVPOLL
-#if defined(HAVE_SYS_DEVPOLL_H)
-#include <sys/devpoll.h>
-#elif defined(HAVE_DEVPOLL_H)
-#include <devpoll.h>
-#endif
-#endif
-
-#include "errno2result.h"
-
-/* See task.c about the following definition: */
-#ifdef BIND9
-#ifdef ISC_PLATFORM_USETHREADS
-#define USE_WATCHER_THREAD
-#else
-#define USE_SHARED_MANAGER
-#endif	/* ISC_PLATFORM_USETHREADS */
-#endif	/* BIND9 */
-
-#ifndef USE_WATCHER_THREAD
-#include "socket_p.h"
-#include "../task_p.h"
-#endif /* USE_WATCHER_THREAD */
-
-#if defined(SO_BSDCOMPAT) && defined(__linux__)
-#include <sys/utsname.h>
-#endif
-
-/*%
- * Choose the most preferable multiplex method.
- */
-#ifdef ISC_PLATFORM_HAVEKQUEUE
-#define USE_KQUEUE
-#elif defined (ISC_PLATFORM_HAVEEPOLL)
-#define USE_EPOLL
-#elif defined (ISC_PLATFORM_HAVEDEVPOLL)
-#define USE_DEVPOLL
-typedef struct {
-	unsigned int want_read : 1,
-		want_write : 1;
-} pollinfo_t;
-#else
-#define USE_SELECT
-#endif	/* ISC_PLATFORM_HAVEKQUEUE */
-
-#ifndef USE_WATCHER_THREAD
-#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
-struct isc_socketwait {
-	int nevents;
-};
-#elif defined (USE_SELECT)
-struct isc_socketwait {
-	fd_set *readset;
-	fd_set *writeset;
-	int nfds;
-	int maxfd;
-};
-#endif	/* USE_KQUEUE */
-#endif /* !USE_WATCHER_THREAD */
-
-/*%
- * Maximum number of allowable open sockets.  This is also the maximum
- * allowable socket file descriptor.
- *
- * Care should be taken before modifying this value for select():
- * The API standard doesn't ensure select() accept more than (the system default
- * of) FD_SETSIZE descriptors, and the default size should in fact be fine in
- * the vast majority of cases.  This constant should therefore be increased only
- * when absolutely necessary and possible, i.e., the server is exhausting all
- * available file descriptors (up to FD_SETSIZE) and the select() function
- * and FD_xxx macros support larger values than FD_SETSIZE (which may not
- * always by true, but we keep using some of them to ensure as much
- * portability as possible).  Note also that overall server performance
- * may be rather worsened with a larger value of this constant due to
- * inherent scalability problems of select().
- *
- * As a special note, this value shouldn't have to be touched if
- * this is a build for an authoritative only DNS server.
- */
-#ifndef ISC_SOCKET_MAXSOCKETS
-#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
-#define ISC_SOCKET_MAXSOCKETS 4096
-#elif defined(USE_SELECT)
-#define ISC_SOCKET_MAXSOCKETS FD_SETSIZE
-#endif	/* USE_KQUEUE... */
-#endif	/* ISC_SOCKET_MAXSOCKETS */
-
-#ifdef USE_SELECT
-/*%
- * Mac OS X needs a special definition to support larger values in select().
- * We always define this because a larger value can be specified run-time.
- */
-#ifdef __APPLE__
-#define _DARWIN_UNLIMITED_SELECT
-#endif	/* __APPLE__ */
-#endif	/* USE_SELECT */
-
-#ifdef ISC_SOCKET_USE_POLLWATCH
-/*%
- * If this macro is defined, enable workaround for a Solaris /dev/poll kernel
- * bug: DP_POLL ioctl could keep sleeping even if socket I/O is possible for
- * some of the specified FD.  The idea is based on the observation that it's
- * likely for a busy server to keep receiving packets.  It specifically works
- * as follows: the socket watcher is first initialized with the state of
- * "poll_idle".  While it's in the idle state it keeps sleeping until a socket
- * event occurs.  When it wakes up for a socket I/O event, it moves to the
- * poll_active state, and sets the poll timeout to a short period
- * (ISC_SOCKET_POLLWATCH_TIMEOUT msec).  If timeout occurs in this state, the
- * watcher goes to the poll_checking state with the same timeout period.
- * In this state, the watcher tries to detect whether this is a break
- * during intermittent events or the kernel bug is triggered.  If the next
- * polling reports an event within the short period, the previous timeout is
- * likely to be a kernel bug, and so the watcher goes back to the active state.
- * Otherwise, it moves to the idle state again.
- *
- * It's not clear whether this is a thread-related bug, but since we've only
- * seen this with threads, this workaround is used only when enabling threads.
- */
-
-typedef enum { poll_idle, poll_active, poll_checking } pollstate_t;
-
-#ifndef ISC_SOCKET_POLLWATCH_TIMEOUT
-#define ISC_SOCKET_POLLWATCH_TIMEOUT 10
-#endif	/* ISC_SOCKET_POLLWATCH_TIMEOUT */
-#endif	/* ISC_SOCKET_USE_POLLWATCH */
-
-/*%
- * Size of per-FD lock buckets.
- */
-#ifdef ISC_PLATFORM_USETHREADS
-#define FDLOCK_COUNT		1024
-#define FDLOCK_ID(fd)		((fd) % FDLOCK_COUNT)
-#else
-#define FDLOCK_COUNT		1
-#define FDLOCK_ID(fd)		0
-#endif	/* ISC_PLATFORM_USETHREADS */
-
-/*%
- * Maximum number of events communicated with the kernel.  There should normally
- * be no need for having a large number.
- */
-#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
-#ifndef ISC_SOCKET_MAXEVENTS
-#define ISC_SOCKET_MAXEVENTS	64
-#endif
-#endif
-
-/*%
- * Some systems define the socket length argument as an int, some as size_t,
- * some as socklen_t.  This is here so it can be easily changed if needed.
- */
-#ifndef ISC_SOCKADDR_LEN_T
-#define ISC_SOCKADDR_LEN_T unsigned int
-#endif
-
-/*%
- * Define what the possible "soft" errors can be.  These are non-fatal returns
- * of various network related functions, like recv() and so on.
- *
- * For some reason, BSDI (and perhaps others) will sometimes return <0
- * from recv() but will have errno==0.  This is broken, but we have to
- * work around it here.
- */
-#define SOFT_ERROR(e)	((e) == EAGAIN || \
-			 (e) == EWOULDBLOCK || \
-			 (e) == EINTR || \
-			 (e) == 0)
-
-#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
-
-/*!<
- * DLVL(90)  --  Function entry/exit and other tracing.
- * DLVL(70)  --  Socket "correctness" -- including returning of events, etc.
- * DLVL(60)  --  Socket data send/receive
- * DLVL(50)  --  Event tracing, including receiving/sending completion events.
- * DLVL(20)  --  Socket creation/destruction.
- */
-#define TRACE_LEVEL		90
-#define CORRECTNESS_LEVEL	70
-#define IOEVENT_LEVEL		60
-#define EVENT_LEVEL		50
-#define CREATION_LEVEL		20
-
-#define TRACE		DLVL(TRACE_LEVEL)
-#define CORRECTNESS	DLVL(CORRECTNESS_LEVEL)
-#define IOEVENT		DLVL(IOEVENT_LEVEL)
-#define EVENT		DLVL(EVENT_LEVEL)
-#define CREATION	DLVL(CREATION_LEVEL)
-
-typedef isc_event_t intev_t;
-
-#define SOCKET_MAGIC		ISC_MAGIC('I', 'O', 'i', 'o')
-#define VALID_SOCKET(s)		ISC_MAGIC_VALID(s, SOCKET_MAGIC)
-
-/*!
- * IPv6 control information.  If the socket is an IPv6 socket we want
- * to collect the destination address and interface so the client can
- * set them on outgoing packets.
- */
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-#ifndef USE_CMSG
-#define USE_CMSG	1
-#endif
-#endif
-
-/*%
- * NetBSD and FreeBSD can timestamp packets.  XXXMLG Should we have
- * a setsockopt() like interface to request timestamps, and if the OS
- * doesn't do it for us, call gettimeofday() on every UDP receive?
- */
-#ifdef SO_TIMESTAMP
-#ifndef USE_CMSG
-#define USE_CMSG	1
-#endif
-#endif
-
-/*%
- * The size to raise the receive buffer to (from BIND 8).
- */
-#define RCVBUFSIZE (32*1024)
-
-/*%
- * The number of times a send operation is repeated if the result is EINTR.
- */
-#define NRETRIES 10
-
-typedef struct isc__socket isc__socket_t;
-typedef struct isc__socketmgr isc__socketmgr_t;
-
-#define NEWCONNSOCK(ev) ((isc__socket_t *)(ev)->newsocket)
-
-struct isc__socket {
-	/* Not locked. */
-	isc_socket_t		common;
-	isc__socketmgr_t	*manager;
-	isc_mutex_t		lock;
-	isc_sockettype_t	type;
-	const isc_statscounter_t	*statsindex;
-
-	/* Locked by socket lock. */
-	ISC_LINK(isc__socket_t)	link;
-	unsigned int		references;
-	int			fd;
-	int			pf;
-	char				name[16];
-	void *				tag;
-
-	ISC_LIST(isc_socketevent_t)		send_list;
-	ISC_LIST(isc_socketevent_t)		recv_list;
-	ISC_LIST(isc_socket_newconnev_t)	accept_list;
-	isc_socket_connev_t		       *connect_ev;
-
-	/*
-	 * Internal events.  Posted when a descriptor is readable or
-	 * writable.  These are statically allocated and never freed.
-	 * They will be set to non-purgable before use.
-	 */
-	intev_t			readable_ev;
-	intev_t			writable_ev;
-
-	isc_sockaddr_t		peer_address;  /* remote address */
-
-	unsigned int		pending_recv : 1,
-				pending_send : 1,
-				pending_accept : 1,
-				listener : 1, /* listener socket */
-				connected : 1,
-				connecting : 1, /* connect pending */
-				bound : 1, /* bound to local addr */
-				dupped : 1;
-
-#ifdef ISC_NET_RECVOVERFLOW
-	unsigned char		overflow; /* used for MSG_TRUNC fake */
-#endif
-
-	char			*recvcmsgbuf;
-	ISC_SOCKADDR_LEN_T	recvcmsgbuflen;
-	char			*sendcmsgbuf;
-	ISC_SOCKADDR_LEN_T	sendcmsgbuflen;
-
-	void			*fdwatcharg;
-	isc_sockfdwatch_t	fdwatchcb;
-	int			fdwatchflags;
-	isc_task_t		*fdwatchtask;
-};
-
-#define SOCKET_MANAGER_MAGIC	ISC_MAGIC('I', 'O', 'm', 'g')
-#define VALID_MANAGER(m)	ISC_MAGIC_VALID(m, SOCKET_MANAGER_MAGIC)
-
-struct isc__socketmgr {
-	/* Not locked. */
-	isc_socketmgr_t		common;
-	isc_mem_t	       *mctx;
-	isc_mutex_t		lock;
-	isc_mutex_t		*fdlock;
-	isc_stats_t		*stats;
-#ifdef USE_KQUEUE
-	int			kqueue_fd;
-	int			nevents;
-	struct kevent		*events;
-#endif	/* USE_KQUEUE */
-#ifdef USE_EPOLL
-	int			epoll_fd;
-	int			nevents;
-	struct epoll_event	*events;
-#endif	/* USE_EPOLL */
-#ifdef USE_DEVPOLL
-	int			devpoll_fd;
-	int			nevents;
-	struct pollfd		*events;
-#endif	/* USE_DEVPOLL */
-#ifdef USE_SELECT
-	int			fd_bufsize;
-#endif	/* USE_SELECT */
-	unsigned int		maxsocks;
-#ifdef ISC_PLATFORM_USETHREADS
-	int			pipe_fds[2];
-#endif
-
-	/* Locked by fdlock. */
-	isc__socket_t	       **fds;
-	int			*fdstate;
-#ifdef USE_DEVPOLL
-	pollinfo_t		*fdpollinfo;
-#endif
-
-	/* Locked by manager lock. */
-	ISC_LIST(isc__socket_t)	socklist;
-#ifdef USE_SELECT
-	fd_set			*read_fds;
-	fd_set			*read_fds_copy;
-	fd_set			*write_fds;
-	fd_set			*write_fds_copy;
-	int			maxfd;
-#endif	/* USE_SELECT */
-	int			reserved;	/* unlocked */
-#ifdef USE_WATCHER_THREAD
-	isc_thread_t		watcher;
-	isc_condition_t		shutdown_ok;
-#else /* USE_WATCHER_THREAD */
-	unsigned int		refs;
-#endif /* USE_WATCHER_THREAD */
-	int			maxudp;
-};
-
-#ifdef USE_SHARED_MANAGER
-static isc__socketmgr_t *socketmgr = NULL;
-#endif /* USE_SHARED_MANAGER */
-
-#define CLOSED			0	/* this one must be zero */
-#define MANAGED			1
-#define CLOSE_PENDING		2
-
-/*
- * send() and recv() iovec counts
- */
-#define MAXSCATTERGATHER_SEND	(ISC_SOCKET_MAXSCATTERGATHER)
-#ifdef ISC_NET_RECVOVERFLOW
-# define MAXSCATTERGATHER_RECV	(ISC_SOCKET_MAXSCATTERGATHER + 1)
-#else
-# define MAXSCATTERGATHER_RECV	(ISC_SOCKET_MAXSCATTERGATHER)
-#endif
-
-static isc_result_t socket_create(isc_socketmgr_t *manager0, int pf,
-				  isc_sockettype_t type,
-				  isc_socket_t **socketp,
-				  isc_socket_t *dup_socket);
-static void send_recvdone_event(isc__socket_t *, isc_socketevent_t **);
-static void send_senddone_event(isc__socket_t *, isc_socketevent_t **);
-static void free_socket(isc__socket_t **);
-static isc_result_t allocate_socket(isc__socketmgr_t *, isc_sockettype_t,
-				    isc__socket_t **);
-static void destroy(isc__socket_t **);
-static void internal_accept(isc_task_t *, isc_event_t *);
-static void internal_connect(isc_task_t *, isc_event_t *);
-static void internal_recv(isc_task_t *, isc_event_t *);
-static void internal_send(isc_task_t *, isc_event_t *);
-static void internal_fdwatch_write(isc_task_t *, isc_event_t *);
-static void internal_fdwatch_read(isc_task_t *, isc_event_t *);
-static void process_cmsg(isc__socket_t *, struct msghdr *, isc_socketevent_t *);
-static void build_msghdr_send(isc__socket_t *, isc_socketevent_t *,
-			      struct msghdr *, struct iovec *, size_t *);
-static void build_msghdr_recv(isc__socket_t *, isc_socketevent_t *,
-			      struct msghdr *, struct iovec *, size_t *);
-#ifdef USE_WATCHER_THREAD
-static isc_boolean_t process_ctlfd(isc__socketmgr_t *manager);
-#endif
-
-/*%
- * The following can be either static or public, depending on build environment.
- */
-
-#ifdef BIND9
-#define ISC_SOCKETFUNC_SCOPE
-#else
-#define ISC_SOCKETFUNC_SCOPE static
-#endif
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
-		   isc_socket_t **socketp);
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_detach(isc_socket_t **socketp);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
-		       unsigned int maxsocks);
-ISC_SOCKETFUNC_SCOPE void
-isc__socketmgr_destroy(isc_socketmgr_t **managerp);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		 unsigned int minimum, isc_task_t *task,
-		  isc_taskaction_t action, const void *arg);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_recv(isc_socket_t *sock, isc_region_t *region,
-		 unsigned int minimum, isc_task_t *task,
-		 isc_taskaction_t action, const void *arg);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_recv2(isc_socket_t *sock, isc_region_t *region,
-		  unsigned int minimum, isc_task_t *task,
-		  isc_socketevent_t *event, unsigned int flags);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_send(isc_socket_t *sock, isc_region_t *region,
-		 isc_task_t *task, isc_taskaction_t action, const void *arg);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_sendto(isc_socket_t *sock, isc_region_t *region,
-		   isc_task_t *task, isc_taskaction_t action, const void *arg,
-		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		    isc_task_t *task, isc_taskaction_t action, const void *arg,
-		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_sendto2(isc_socket_t *sock, isc_region_t *region,
-		    isc_task_t *task,
-		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
-		    isc_socketevent_t *event, unsigned int flags);
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
-		     isc_uint32_t owner, isc_uint32_t group);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
-		 unsigned int options);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_filter(isc_socket_t *sock, const char *filter);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_listen(isc_socket_t *sock, unsigned int backlog);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_accept(isc_socket_t *sock,
-		   isc_task_t *task, isc_taskaction_t action, const void *arg);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
-		    isc_task_t *task, isc_taskaction_t action,
-		    const void *arg);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how);
-ISC_SOCKETFUNC_SCOPE isc_sockettype_t
-isc__socket_gettype(isc_socket_t *sock);
-ISC_SOCKETFUNC_SCOPE isc_boolean_t
-isc__socket_isbound(isc_socket_t *sock);
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes);
-#if defined(HAVE_LIBXML2) && defined(BIND9)
-ISC_SOCKETFUNC_SCOPE void
-isc__socketmgr_renderxml(isc_socketmgr_t *mgr0, xmlTextWriterPtr writer);
-#endif
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
-			  isc_sockfdwatch_t callback, void *cbarg,
-			  isc_task_t *task, isc_socket_t **socketp);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_fdwatchpoke(isc_socket_t *sock, int flags);
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_dup(isc_socket_t *sock, isc_socket_t **socketp);
-ISC_SOCKETFUNC_SCOPE int
-isc__socket_getfd(isc_socket_t *sock);
-
-static struct {
-	isc_socketmethods_t methods;
-
-	/*%
-	 * The following are defined just for avoiding unused static functions.
-	 */
-#ifndef BIND9
-	void *recvv, *send, *sendv, *sendto2, *cleanunix, *permunix, *filter,
-		*listen, *accept, *getpeername, *isbound;
-#endif
-} socketmethods = {
-	{
-		isc__socket_attach,
-		isc__socket_detach,
-		isc__socket_bind,
-		isc__socket_sendto,
-		isc__socket_sendto2,
-		isc__socket_connect,
-		isc__socket_recv,
-		isc__socket_recv2,
-		isc__socket_cancel,
-		isc__socket_getsockname,
-		isc__socket_gettype,
-		isc__socket_ipv6only,
-		isc__socket_fdwatchpoke,
-		isc__socket_dup,
-		isc__socket_getfd
-	}
-#ifndef BIND9
-	,
-	(void *)isc__socket_recvv, (void *)isc__socket_send,
-	(void *)isc__socket_sendv, (void *)isc__socket_sendto2,
-	(void *)isc__socket_cleanunix, (void *)isc__socket_permunix,
-	(void *)isc__socket_filter, (void *)isc__socket_listen,
-	(void *)isc__socket_accept, (void *)isc__socket_getpeername,
-	(void *)isc__socket_isbound
-#endif
-};
-
-static isc_socketmgrmethods_t socketmgrmethods = {
-	isc__socketmgr_destroy,
-	isc__socket_create,
-	isc__socket_fdwatchcreate
-};
-
-#define SELECT_POKE_SHUTDOWN		(-1)
-#define SELECT_POKE_NOTHING		(-2)
-#define SELECT_POKE_READ		(-3)
-#define SELECT_POKE_ACCEPT		(-3) /*%< Same as _READ */
-#define SELECT_POKE_WRITE		(-4)
-#define SELECT_POKE_CONNECT		(-4) /*%< Same as _WRITE */
-#define SELECT_POKE_CLOSE		(-5)
-
-#define SOCK_DEAD(s)			((s)->references == 0)
-
-/*%
- * Shortcut index arrays to get access to statistics counters.
- */
-enum {
-	STATID_OPEN = 0,
-	STATID_OPENFAIL = 1,
-	STATID_CLOSE = 2,
-	STATID_BINDFAIL = 3,
-	STATID_CONNECTFAIL = 4,
-	STATID_CONNECT = 5,
-	STATID_ACCEPTFAIL = 6,
-	STATID_ACCEPT = 7,
-	STATID_SENDFAIL = 8,
-	STATID_RECVFAIL = 9
-};
-static const isc_statscounter_t udp4statsindex[] = {
-	isc_sockstatscounter_udp4open,
-	isc_sockstatscounter_udp4openfail,
-	isc_sockstatscounter_udp4close,
-	isc_sockstatscounter_udp4bindfail,
-	isc_sockstatscounter_udp4connectfail,
-	isc_sockstatscounter_udp4connect,
-	-1,
-	-1,
-	isc_sockstatscounter_udp4sendfail,
-	isc_sockstatscounter_udp4recvfail
-};
-static const isc_statscounter_t udp6statsindex[] = {
-	isc_sockstatscounter_udp6open,
-	isc_sockstatscounter_udp6openfail,
-	isc_sockstatscounter_udp6close,
-	isc_sockstatscounter_udp6bindfail,
-	isc_sockstatscounter_udp6connectfail,
-	isc_sockstatscounter_udp6connect,
-	-1,
-	-1,
-	isc_sockstatscounter_udp6sendfail,
-	isc_sockstatscounter_udp6recvfail
-};
-static const isc_statscounter_t tcp4statsindex[] = {
-	isc_sockstatscounter_tcp4open,
-	isc_sockstatscounter_tcp4openfail,
-	isc_sockstatscounter_tcp4close,
-	isc_sockstatscounter_tcp4bindfail,
-	isc_sockstatscounter_tcp4connectfail,
-	isc_sockstatscounter_tcp4connect,
-	isc_sockstatscounter_tcp4acceptfail,
-	isc_sockstatscounter_tcp4accept,
-	isc_sockstatscounter_tcp4sendfail,
-	isc_sockstatscounter_tcp4recvfail
-};
-static const isc_statscounter_t tcp6statsindex[] = {
-	isc_sockstatscounter_tcp6open,
-	isc_sockstatscounter_tcp6openfail,
-	isc_sockstatscounter_tcp6close,
-	isc_sockstatscounter_tcp6bindfail,
-	isc_sockstatscounter_tcp6connectfail,
-	isc_sockstatscounter_tcp6connect,
-	isc_sockstatscounter_tcp6acceptfail,
-	isc_sockstatscounter_tcp6accept,
-	isc_sockstatscounter_tcp6sendfail,
-	isc_sockstatscounter_tcp6recvfail
-};
-static const isc_statscounter_t unixstatsindex[] = {
-	isc_sockstatscounter_unixopen,
-	isc_sockstatscounter_unixopenfail,
-	isc_sockstatscounter_unixclose,
-	isc_sockstatscounter_unixbindfail,
-	isc_sockstatscounter_unixconnectfail,
-	isc_sockstatscounter_unixconnect,
-	isc_sockstatscounter_unixacceptfail,
-	isc_sockstatscounter_unixaccept,
-	isc_sockstatscounter_unixsendfail,
-	isc_sockstatscounter_unixrecvfail
-};
-static const isc_statscounter_t fdwatchstatsindex[] = {
-	-1,
-	-1,
-	isc_sockstatscounter_fdwatchclose,
-	isc_sockstatscounter_fdwatchbindfail,
-	isc_sockstatscounter_fdwatchconnectfail,
-	isc_sockstatscounter_fdwatchconnect,
-	-1,
-	-1,
-	isc_sockstatscounter_fdwatchsendfail,
-	isc_sockstatscounter_fdwatchrecvfail
-};
-
-#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) || \
-    defined(USE_WATCHER_THREAD)
-static void
-manager_log(isc__socketmgr_t *sockmgr,
-	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
-	    const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
-static void
-manager_log(isc__socketmgr_t *sockmgr,
-	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
-	    const char *fmt, ...)
-{
-	char msgbuf[2048];
-	va_list ap;
-
-	if (! isc_log_wouldlog(isc_lctx, level))
-		return;
-
-	va_start(ap, fmt);
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-	va_end(ap);
-
-	isc_log_write(isc_lctx, category, module, level,
-		      "sockmgr %p: %s", sockmgr, msgbuf);
-}
-#endif
-
-static void
-socket_log(isc__socket_t *sock, isc_sockaddr_t *address,
-	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
-	   isc_msgcat_t *msgcat, int msgset, int message,
-	   const char *fmt, ...) ISC_FORMAT_PRINTF(9, 10);
-static void
-socket_log(isc__socket_t *sock, isc_sockaddr_t *address,
-	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
-	   isc_msgcat_t *msgcat, int msgset, int message,
-	   const char *fmt, ...)
-{
-	char msgbuf[2048];
-	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
-	va_list ap;
-
-	if (! isc_log_wouldlog(isc_lctx, level))
-		return;
-
-	va_start(ap, fmt);
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-	va_end(ap);
-
-	if (address == NULL) {
-		isc_log_iwrite(isc_lctx, category, module, level,
-			       msgcat, msgset, message,
-			       "socket %p: %s", sock, msgbuf);
-	} else {
-		isc_sockaddr_format(address, peerbuf, sizeof(peerbuf));
-		isc_log_iwrite(isc_lctx, category, module, level,
-			       msgcat, msgset, message,
-			       "socket %p %s: %s", sock, peerbuf, msgbuf);
-	}
-}
-
-#if defined(_AIX) && defined(ISC_NET_BSD44MSGHDR) && \
-    defined(USE_CMSG) && defined(IPV6_RECVPKTINFO)
-/*
- * AIX has a kernel bug where IPV6_RECVPKTINFO gets cleared by
- * setting IPV6_V6ONLY.
- */
-static void
-FIX_IPV6_RECVPKTINFO(isc__socket_t *sock)
-{
-	char strbuf[ISC_STRERRORSIZE];
-	int on = 1;
-
-	if (sock->pf != AF_INET6 || sock->type != isc_sockettype_udp)
-		return;
-
-	if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
-		       (void *)&on, sizeof(on)) < 0) {
-
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "setsockopt(%d, IPV6_RECVPKTINFO) "
-				 "%s: %s", sock->fd,
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED,
-						"failed"),
-				 strbuf);
-	}
-}
-#else
-#define FIX_IPV6_RECVPKTINFO(sock) (void)0
-#endif
-
-/*%
- * Increment socket-related statistics counters.
- */
-static inline void
-inc_stats(isc_stats_t *stats, isc_statscounter_t counterid) {
-	REQUIRE(counterid != -1);
-
-	if (stats != NULL)
-		isc_stats_increment(stats, counterid);
-}
-
-static inline isc_result_t
-watch_fd(isc__socketmgr_t *manager, int fd, int msg) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-#ifdef USE_KQUEUE
-	struct kevent evchange;
-
-	memset(&evchange, 0, sizeof(evchange));
-	if (msg == SELECT_POKE_READ)
-		evchange.filter = EVFILT_READ;
-	else
-		evchange.filter = EVFILT_WRITE;
-	evchange.flags = EV_ADD;
-	evchange.ident = fd;
-	if (kevent(manager->kqueue_fd, &evchange, 1, NULL, 0, NULL) != 0)
-		result = isc__errno2result(errno);
-
-	return (result);
-#elif defined(USE_EPOLL)
-	struct epoll_event event;
-
-	if (msg == SELECT_POKE_READ)
-		event.events = EPOLLIN;
-	else
-		event.events = EPOLLOUT;
-	memset(&event.data, 0, sizeof(event.data));
-	event.data.fd = fd;
-	if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_ADD, fd, &event) == -1 &&
-	    errno != EEXIST) {
-		result = isc__errno2result(errno);
-	}
-
-	return (result);
-#elif defined(USE_DEVPOLL)
-	struct pollfd pfd;
-	int lockid = FDLOCK_ID(fd);
-
-	memset(&pfd, 0, sizeof(pfd));
-	if (msg == SELECT_POKE_READ)
-		pfd.events = POLLIN;
-	else
-		pfd.events = POLLOUT;
-	pfd.fd = fd;
-	pfd.revents = 0;
-	LOCK(&manager->fdlock[lockid]);
-	if (write(manager->devpoll_fd, &pfd, sizeof(pfd)) == -1)
-		result = isc__errno2result(errno);
-	else {
-		if (msg == SELECT_POKE_READ)
-			manager->fdpollinfo[fd].want_read = 1;
-		else
-			manager->fdpollinfo[fd].want_write = 1;
-	}
-	UNLOCK(&manager->fdlock[lockid]);
-
-	return (result);
-#elif defined(USE_SELECT)
-	LOCK(&manager->lock);
-	if (msg == SELECT_POKE_READ)
-		FD_SET(fd, manager->read_fds);
-	if (msg == SELECT_POKE_WRITE)
-		FD_SET(fd, manager->write_fds);
-	UNLOCK(&manager->lock);
-
-	return (result);
-#endif
-}
-
-static inline isc_result_t
-unwatch_fd(isc__socketmgr_t *manager, int fd, int msg) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-#ifdef USE_KQUEUE
-	struct kevent evchange;
-
-	memset(&evchange, 0, sizeof(evchange));
-	if (msg == SELECT_POKE_READ)
-		evchange.filter = EVFILT_READ;
-	else
-		evchange.filter = EVFILT_WRITE;
-	evchange.flags = EV_DELETE;
-	evchange.ident = fd;
-	if (kevent(manager->kqueue_fd, &evchange, 1, NULL, 0, NULL) != 0)
-		result = isc__errno2result(errno);
-
-	return (result);
-#elif defined(USE_EPOLL)
-	struct epoll_event event;
-
-	if (msg == SELECT_POKE_READ)
-		event.events = EPOLLIN;
-	else
-		event.events = EPOLLOUT;
-	memset(&event.data, 0, sizeof(event.data));
-	event.data.fd = fd;
-	if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_DEL, fd, &event) == -1 &&
-	    errno != ENOENT) {
-		char strbuf[ISC_STRERRORSIZE];
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "epoll_ctl(DEL), %d: %s", fd, strbuf);
-		result = ISC_R_UNEXPECTED;
-	}
-	return (result);
-#elif defined(USE_DEVPOLL)
-	struct pollfd pfds[2];
-	size_t writelen = sizeof(pfds[0]);
-	int lockid = FDLOCK_ID(fd);
-
-	memset(pfds, 0, sizeof(pfds));
-	pfds[0].events = POLLREMOVE;
-	pfds[0].fd = fd;
-
-	/*
-	 * Canceling read or write polling via /dev/poll is tricky.  Since it
-	 * only provides a way of canceling per FD, we may need to re-poll the
-	 * socket for the other operation.
-	 */
-	LOCK(&manager->fdlock[lockid]);
-	if (msg == SELECT_POKE_READ &&
-	    manager->fdpollinfo[fd].want_write == 1) {
-		pfds[1].events = POLLOUT;
-		pfds[1].fd = fd;
-		writelen += sizeof(pfds[1]);
-	}
-	if (msg == SELECT_POKE_WRITE &&
-	    manager->fdpollinfo[fd].want_read == 1) {
-		pfds[1].events = POLLIN;
-		pfds[1].fd = fd;
-		writelen += sizeof(pfds[1]);
-	}
-
-	if (write(manager->devpoll_fd, pfds, writelen) == -1)
-		result = isc__errno2result(errno);
-	else {
-		if (msg == SELECT_POKE_READ)
-			manager->fdpollinfo[fd].want_read = 0;
-		else
-			manager->fdpollinfo[fd].want_write = 0;
-	}
-	UNLOCK(&manager->fdlock[lockid]);
-
-	return (result);
-#elif defined(USE_SELECT)
-	LOCK(&manager->lock);
-	if (msg == SELECT_POKE_READ)
-		FD_CLR(fd, manager->read_fds);
-	else if (msg == SELECT_POKE_WRITE)
-		FD_CLR(fd, manager->write_fds);
-	UNLOCK(&manager->lock);
-
-	return (result);
-#endif
-}
-
-static void
-wakeup_socket(isc__socketmgr_t *manager, int fd, int msg) {
-	isc_result_t result;
-	int lockid = FDLOCK_ID(fd);
-
-	/*
-	 * This is a wakeup on a socket.  If the socket is not in the
-	 * process of being closed, start watching it for either reads
-	 * or writes.
-	 */
-
-	INSIST(fd >= 0 && fd < (int)manager->maxsocks);
-
-	if (msg == SELECT_POKE_CLOSE) {
-		/* No one should be updating fdstate, so no need to lock it */
-		INSIST(manager->fdstate[fd] == CLOSE_PENDING);
-		manager->fdstate[fd] = CLOSED;
-		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
-		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
-		(void)close(fd);
-		return;
-	}
-
-	LOCK(&manager->fdlock[lockid]);
-	if (manager->fdstate[fd] == CLOSE_PENDING) {
-		UNLOCK(&manager->fdlock[lockid]);
-
-		/*
-		 * We accept (and ignore) any error from unwatch_fd() as we are
-		 * closing the socket, hoping it doesn't leave dangling state in
-		 * the kernel.
-		 * Note that unwatch_fd() must be called after releasing the
-		 * fdlock; otherwise it could cause deadlock due to a lock order
-		 * reversal.
-		 */
-		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
-		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
-		return;
-	}
-	if (manager->fdstate[fd] != MANAGED) {
-		UNLOCK(&manager->fdlock[lockid]);
-		return;
-	}
-	UNLOCK(&manager->fdlock[lockid]);
-
-	/*
-	 * Set requested bit.
-	 */
-	result = watch_fd(manager, fd, msg);
-	if (result != ISC_R_SUCCESS) {
-		/*
-		 * XXXJT: what should we do?  Ignoring the failure of watching
-		 * a socket will make the application dysfunctional, but there
-		 * seems to be no reasonable recovery process.
-		 */
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-			      "failed to start watching FD (%d): %s",
-			      fd, isc_result_totext(result));
-	}
-}
-
-#ifdef USE_WATCHER_THREAD
-/*
- * Poke the select loop when there is something for us to do.
- * The write is required (by POSIX) to complete.  That is, we
- * will not get partial writes.
- */
-static void
-select_poke(isc__socketmgr_t *mgr, int fd, int msg) {
-	int cc;
-	int buf[2];
-	char strbuf[ISC_STRERRORSIZE];
-
-	buf[0] = fd;
-	buf[1] = msg;
-
-	do {
-		cc = write(mgr->pipe_fds[1], buf, sizeof(buf));
-#ifdef ENOSR
-		/*
-		 * Treat ENOSR as EAGAIN but loop slowly as it is
-		 * unlikely to clear fast.
-		 */
-		if (cc < 0 && errno == ENOSR) {
-			sleep(1);
-			errno = EAGAIN;
-		}
-#endif
-	} while (cc < 0 && SOFT_ERROR(errno));
-
-	if (cc < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		FATAL_ERROR(__FILE__, __LINE__,
-			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
-					   ISC_MSG_WRITEFAILED,
-					   "write() failed "
-					   "during watcher poke: %s"),
-			    strbuf);
-	}
-
-	INSIST(cc == sizeof(buf));
-}
-
-/*
- * Read a message on the internal fd.
- */
-static void
-select_readmsg(isc__socketmgr_t *mgr, int *fd, int *msg) {
-	int buf[2];
-	int cc;
-	char strbuf[ISC_STRERRORSIZE];
-
-	cc = read(mgr->pipe_fds[0], buf, sizeof(buf));
-	if (cc < 0) {
-		*msg = SELECT_POKE_NOTHING;
-		*fd = -1;	/* Silence compiler. */
-		if (SOFT_ERROR(errno))
-			return;
-
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		FATAL_ERROR(__FILE__, __LINE__,
-			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
-					   ISC_MSG_READFAILED,
-					   "read() failed "
-					   "during watcher poke: %s"),
-			    strbuf);
-
-		return;
-	}
-	INSIST(cc == sizeof(buf));
-
-	*fd = buf[0];
-	*msg = buf[1];
-}
-#else /* USE_WATCHER_THREAD */
-/*
- * Update the state of the socketmgr when something changes.
- */
-static void
-select_poke(isc__socketmgr_t *manager, int fd, int msg) {
-	if (msg == SELECT_POKE_SHUTDOWN)
-		return;
-	else if (fd >= 0)
-		wakeup_socket(manager, fd, msg);
-	return;
-}
-#endif /* USE_WATCHER_THREAD */
-
-/*
- * Make a fd non-blocking.
- */
-static isc_result_t
-make_nonblock(int fd) {
-	int ret;
-	int flags;
-	char strbuf[ISC_STRERRORSIZE];
-#ifdef USE_FIONBIO_IOCTL
-	int on = 1;
-
-	ret = ioctl(fd, FIONBIO, (char *)&on);
-#else
-	flags = fcntl(fd, F_GETFL, 0);
-	flags |= PORT_NONBLOCK;
-	ret = fcntl(fd, F_SETFL, flags);
-#endif
-
-	if (ret == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-#ifdef USE_FIONBIO_IOCTL
-				 "ioctl(%d, FIONBIO, &on): %s", fd,
-#else
-				 "fcntl(%d, F_SETFL, %d): %s", fd, flags,
-#endif
-				 strbuf);
-
-		return (ISC_R_UNEXPECTED);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-#ifdef USE_CMSG
-/*
- * Not all OSes support advanced CMSG macros: CMSG_LEN and CMSG_SPACE.
- * In order to ensure as much portability as possible, we provide wrapper
- * functions of these macros.
- * Note that cmsg_space() could run slow on OSes that do not have
- * CMSG_SPACE.
- */
-static inline ISC_SOCKADDR_LEN_T
-cmsg_len(ISC_SOCKADDR_LEN_T len) {
-#ifdef CMSG_LEN
-	return (CMSG_LEN(len));
-#else
-	ISC_SOCKADDR_LEN_T hdrlen;
-
-	/*
-	 * Cast NULL so that any pointer arithmetic performed by CMSG_DATA
-	 * is correct.
-	 */
-	hdrlen = (ISC_SOCKADDR_LEN_T)CMSG_DATA(((struct cmsghdr *)NULL));
-	return (hdrlen + len);
-#endif
-}
-
-static inline ISC_SOCKADDR_LEN_T
-cmsg_space(ISC_SOCKADDR_LEN_T len) {
-#ifdef CMSG_SPACE
-	return (CMSG_SPACE(len));
-#else
-	struct msghdr msg;
-	struct cmsghdr *cmsgp;
-	/*
-	 * XXX: The buffer length is an ad-hoc value, but should be enough
-	 * in a practical sense.
-	 */
-	char dummybuf[sizeof(struct cmsghdr) + 1024];
-
-	memset(&msg, 0, sizeof(msg));
-	msg.msg_control = dummybuf;
-	msg.msg_controllen = sizeof(dummybuf);
-
-	cmsgp = (struct cmsghdr *)dummybuf;
-	cmsgp->cmsg_len = cmsg_len(len);
-
-	cmsgp = CMSG_NXTHDR(&msg, cmsgp);
-	if (cmsgp != NULL)
-		return ((char *)cmsgp - (char *)msg.msg_control);
-	else
-		return (0);
-#endif
-}
-#endif /* USE_CMSG */
-
-/*
- * Process control messages received on a socket.
- */
-static void
-process_cmsg(isc__socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
-#ifdef USE_CMSG
-	struct cmsghdr *cmsgp;
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-	struct in6_pktinfo *pktinfop;
-#endif
-#ifdef SO_TIMESTAMP
-	void *timevalp;
-#endif
-#endif
-
-	/*
-	 * sock is used only when ISC_NET_BSD44MSGHDR and USE_CMSG are defined.
-	 * msg and dev are used only when ISC_NET_BSD44MSGHDR is defined.
-	 * They are all here, outside of the CPP tests, because it is
-	 * more consistent with the usual ISC coding style.
-	 */
-	UNUSED(sock);
-	UNUSED(msg);
-	UNUSED(dev);
-
-#ifdef ISC_NET_BSD44MSGHDR
-
-#ifdef MSG_TRUNC
-	if ((msg->msg_flags & MSG_TRUNC) == MSG_TRUNC)
-		dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
-#endif
-
-#ifdef MSG_CTRUNC
-	if ((msg->msg_flags & MSG_CTRUNC) == MSG_CTRUNC)
-		dev->attributes |= ISC_SOCKEVENTATTR_CTRUNC;
-#endif
-
-#ifndef USE_CMSG
-	return;
-#else
-	if (msg->msg_controllen == 0U || msg->msg_control == NULL)
-		return;
-
-#ifdef SO_TIMESTAMP
-	timevalp = NULL;
-#endif
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-	pktinfop = NULL;
-#endif
-
-	cmsgp = CMSG_FIRSTHDR(msg);
-	while (cmsgp != NULL) {
-		socket_log(sock, NULL, TRACE,
-			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_PROCESSCMSG,
-			   "processing cmsg %p", cmsgp);
-
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-		if (cmsgp->cmsg_level == IPPROTO_IPV6
-		    && cmsgp->cmsg_type == IPV6_PKTINFO) {
-
-			pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
-			memcpy(&dev->pktinfo, pktinfop,
-			       sizeof(struct in6_pktinfo));
-			dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
-			socket_log(sock, NULL, TRACE,
-				   isc_msgcat, ISC_MSGSET_SOCKET,
-				   ISC_MSG_IFRECEIVED,
-				   "interface received on ifindex %u",
-				   dev->pktinfo.ipi6_ifindex);
-			if (IN6_IS_ADDR_MULTICAST(&pktinfop->ipi6_addr))
-				dev->attributes |= ISC_SOCKEVENTATTR_MULTICAST;
-			goto next;
-		}
-#endif
-
-#ifdef SO_TIMESTAMP
-		if (cmsgp->cmsg_level == SOL_SOCKET
-		    && cmsgp->cmsg_type == SCM_TIMESTAMP) {
-			struct timeval tv;
-			timevalp = CMSG_DATA(cmsgp);
-			memcpy(&tv, timevalp, sizeof(tv));
-			dev->timestamp.seconds = tv.tv_sec;
-			dev->timestamp.nanoseconds = tv.tv_usec * 1000;
-			dev->attributes |= ISC_SOCKEVENTATTR_TIMESTAMP;
-			goto next;
-		}
-#endif
-
-	next:
-		cmsgp = CMSG_NXTHDR(msg, cmsgp);
-	}
-#endif /* USE_CMSG */
-
-#endif /* ISC_NET_BSD44MSGHDR */
-}
-
-/*
- * Construct an iov array and attach it to the msghdr passed in.  This is
- * the SEND constructor, which will use the used region of the buffer
- * (if using a buffer list) or will use the internal region (if a single
- * buffer I/O is requested).
- *
- * Nothing can be NULL, and the done event must list at least one buffer
- * on the buffer linked list for this function to be meaningful.
- *
- * If write_countp != NULL, *write_countp will hold the number of bytes
- * this transaction can send.
- */
-static void
-build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
-		  struct msghdr *msg, struct iovec *iov, size_t *write_countp)
-{
-	unsigned int iovcount;
-	isc_buffer_t *buffer;
-	isc_region_t used;
-	size_t write_count;
-	size_t skip_count;
-
-	memset(msg, 0, sizeof(*msg));
-
-	if (!sock->connected) {
-		msg->msg_name = (void *)&dev->address.type.sa;
-		msg->msg_namelen = dev->address.length;
-	} else {
-		msg->msg_name = NULL;
-		msg->msg_namelen = 0;
-	}
-
-	buffer = ISC_LIST_HEAD(dev->bufferlist);
-	write_count = 0;
-	iovcount = 0;
-
-	/*
-	 * Single buffer I/O?  Skip what we've done so far in this region.
-	 */
-	if (buffer == NULL) {
-		write_count = dev->region.length - dev->n;
-		iov[0].iov_base = (void *)(dev->region.base + dev->n);
-		iov[0].iov_len = write_count;
-		iovcount = 1;
-
-		goto config;
-	}
-
-	/*
-	 * Multibuffer I/O.
-	 * Skip the data in the buffer list that we have already written.
-	 */
-	skip_count = dev->n;
-	while (buffer != NULL) {
-		REQUIRE(ISC_BUFFER_VALID(buffer));
-		if (skip_count < isc_buffer_usedlength(buffer))
-			break;
-		skip_count -= isc_buffer_usedlength(buffer);
-		buffer = ISC_LIST_NEXT(buffer, link);
-	}
-
-	while (buffer != NULL) {
-		INSIST(iovcount < MAXSCATTERGATHER_SEND);
-
-		isc_buffer_usedregion(buffer, &used);
-
-		if (used.length > 0) {
-			iov[iovcount].iov_base = (void *)(used.base
-							  + skip_count);
-			iov[iovcount].iov_len = used.length - skip_count;
-			write_count += (used.length - skip_count);
-			skip_count = 0;
-			iovcount++;
-		}
-		buffer = ISC_LIST_NEXT(buffer, link);
-	}
-
-	INSIST(skip_count == 0U);
-
- config:
-	msg->msg_iov = iov;
-	msg->msg_iovlen = iovcount;
-
-#ifdef ISC_NET_BSD44MSGHDR
-	msg->msg_control = NULL;
-	msg->msg_controllen = 0;
-	msg->msg_flags = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
-	if ((sock->type == isc_sockettype_udp)
-	    && ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0)) {
-#if defined(IPV6_USE_MIN_MTU)
-		int use_min_mtu = 1;	/* -1, 0, 1 */
-#endif
-		struct cmsghdr *cmsgp;
-		struct in6_pktinfo *pktinfop;
-
-		socket_log(sock, NULL, TRACE,
-			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_SENDTODATA,
-			   "sendto pktinfo data, ifindex %u",
-			   dev->pktinfo.ipi6_ifindex);
-
-		msg->msg_controllen = cmsg_space(sizeof(struct in6_pktinfo));
-		INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
-		msg->msg_control = (void *)sock->sendcmsgbuf;
-
-		cmsgp = (struct cmsghdr *)sock->sendcmsgbuf;
-		cmsgp->cmsg_level = IPPROTO_IPV6;
-		cmsgp->cmsg_type = IPV6_PKTINFO;
-		cmsgp->cmsg_len = cmsg_len(sizeof(struct in6_pktinfo));
-		pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
-		memcpy(pktinfop, &dev->pktinfo, sizeof(struct in6_pktinfo));
-#if defined(IPV6_USE_MIN_MTU)
-		/*
-		 * Set IPV6_USE_MIN_MTU as a per packet option as FreeBSD
-		 * ignores setsockopt(IPV6_USE_MIN_MTU) when IPV6_PKTINFO
-		 * is used.
-		 */
-		cmsgp = (struct cmsghdr *)(sock->sendcmsgbuf +
-					   msg->msg_controllen);
-		msg->msg_controllen += cmsg_space(sizeof(use_min_mtu));
-		INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
-
-		cmsgp->cmsg_level = IPPROTO_IPV6;
-		cmsgp->cmsg_type = IPV6_USE_MIN_MTU;
-		cmsgp->cmsg_len = cmsg_len(sizeof(use_min_mtu));
-		memcpy(CMSG_DATA(cmsgp), &use_min_mtu, sizeof(use_min_mtu));
-#endif
-	}
-#endif /* USE_CMSG && ISC_PLATFORM_HAVEIPV6 */
-#else /* ISC_NET_BSD44MSGHDR */
-	msg->msg_accrights = NULL;
-	msg->msg_accrightslen = 0;
-#endif /* ISC_NET_BSD44MSGHDR */
-
-	if (write_countp != NULL)
-		*write_countp = write_count;
-}
-
-/*
- * Construct an iov array and attach it to the msghdr passed in.  This is
- * the RECV constructor, which will use the available region of the buffer
- * (if using a buffer list) or will use the internal region (if a single
- * buffer I/O is requested).
- *
- * Nothing can be NULL, and the done event must list at least one buffer
- * on the buffer linked list for this function to be meaningful.
- *
- * If read_countp != NULL, *read_countp will hold the number of bytes
- * this transaction can receive.
- */
-static void
-build_msghdr_recv(isc__socket_t *sock, isc_socketevent_t *dev,
-		  struct msghdr *msg, struct iovec *iov, size_t *read_countp)
-{
-	unsigned int iovcount;
-	isc_buffer_t *buffer;
-	isc_region_t available;
-	size_t read_count;
-
-	memset(msg, 0, sizeof(struct msghdr));
-
-	if (sock->type == isc_sockettype_udp) {
-		memset(&dev->address, 0, sizeof(dev->address));
-#ifdef BROKEN_RECVMSG
-		if (sock->pf == AF_INET) {
-			msg->msg_name = (void *)&dev->address.type.sin;
-			msg->msg_namelen = sizeof(dev->address.type.sin6);
-		} else if (sock->pf == AF_INET6) {
-			msg->msg_name = (void *)&dev->address.type.sin6;
-			msg->msg_namelen = sizeof(dev->address.type.sin6);
-#ifdef ISC_PLATFORM_HAVESYSUNH
-		} else if (sock->pf == AF_UNIX) {
-			msg->msg_name = (void *)&dev->address.type.sunix;
-			msg->msg_namelen = sizeof(dev->address.type.sunix);
-#endif
-		} else {
-			msg->msg_name = (void *)&dev->address.type.sa;
-			msg->msg_namelen = sizeof(dev->address.type);
-		}
-#else
-		msg->msg_name = (void *)&dev->address.type.sa;
-		msg->msg_namelen = sizeof(dev->address.type);
-#endif
-#ifdef ISC_NET_RECVOVERFLOW
-		/* If needed, steal one iovec for overflow detection. */
-		maxiov--;
-#endif
-	} else { /* TCP */
-		msg->msg_name = NULL;
-		msg->msg_namelen = 0;
-		dev->address = sock->peer_address;
-	}
-
-	buffer = ISC_LIST_HEAD(dev->bufferlist);
-	read_count = 0;
-
-	/*
-	 * Single buffer I/O?  Skip what we've done so far in this region.
-	 */
-	if (buffer == NULL) {
-		read_count = dev->region.length - dev->n;
-		iov[0].iov_base = (void *)(dev->region.base + dev->n);
-		iov[0].iov_len = read_count;
-		iovcount = 1;
-
-		goto config;
-	}
-
-	/*
-	 * Multibuffer I/O.
-	 * Skip empty buffers.
-	 */
-	while (buffer != NULL) {
-		REQUIRE(ISC_BUFFER_VALID(buffer));
-		if (isc_buffer_availablelength(buffer) != 0)
-			break;
-		buffer = ISC_LIST_NEXT(buffer, link);
-	}
-
-	iovcount = 0;
-	while (buffer != NULL) {
-		INSIST(iovcount < MAXSCATTERGATHER_RECV);
-
-		isc_buffer_availableregion(buffer, &available);
-
-		if (available.length > 0) {
-			iov[iovcount].iov_base = (void *)(available.base);
-			iov[iovcount].iov_len = available.length;
-			read_count += available.length;
-			iovcount++;
-		}
-		buffer = ISC_LIST_NEXT(buffer, link);
-	}
-
- config:
-
-	/*
-	 * If needed, set up to receive that one extra byte.  Note that
-	 * we know there is at least one iov left, since we stole it
-	 * at the top of this function.
-	 */
-#ifdef ISC_NET_RECVOVERFLOW
-	if (sock->type == isc_sockettype_udp) {
-		iov[iovcount].iov_base = (void *)(&sock->overflow);
-		iov[iovcount].iov_len = 1;
-		iovcount++;
-	}
-#endif
-
-	msg->msg_iov = iov;
-	msg->msg_iovlen = iovcount;
-
-#ifdef ISC_NET_BSD44MSGHDR
-	msg->msg_control = NULL;
-	msg->msg_controllen = 0;
-	msg->msg_flags = 0;
-#if defined(USE_CMSG)
-	if (sock->type == isc_sockettype_udp) {
-		msg->msg_control = sock->recvcmsgbuf;
-		msg->msg_controllen = sock->recvcmsgbuflen;
-	}
-#endif /* USE_CMSG */
-#else /* ISC_NET_BSD44MSGHDR */
-	msg->msg_accrights = NULL;
-	msg->msg_accrightslen = 0;
-#endif /* ISC_NET_BSD44MSGHDR */
-
-	if (read_countp != NULL)
-		*read_countp = read_count;
-}
-
-static void
-set_dev_address(isc_sockaddr_t *address, isc__socket_t *sock,
-		isc_socketevent_t *dev)
-{
-	if (sock->type == isc_sockettype_udp) {
-		if (address != NULL)
-			dev->address = *address;
-		else
-			dev->address = sock->peer_address;
-	} else if (sock->type == isc_sockettype_tcp) {
-		INSIST(address == NULL);
-		dev->address = sock->peer_address;
-	}
-}
-
-static void
-destroy_socketevent(isc_event_t *event) {
-	isc_socketevent_t *ev = (isc_socketevent_t *)event;
-
-	INSIST(ISC_LIST_EMPTY(ev->bufferlist));
-
-	(ev->destroy)(event);
-}
-
-static isc_socketevent_t *
-allocate_socketevent(isc__socket_t *sock, isc_eventtype_t eventtype,
-		     isc_taskaction_t action, const void *arg)
-{
-	isc_socketevent_t *ev;
-
-	ev = (isc_socketevent_t *)isc_event_allocate(sock->manager->mctx,
-						     sock, eventtype,
-						     action, arg,
-						     sizeof(*ev));
-
-	if (ev == NULL)
-		return (NULL);
-
-	ev->result = ISC_R_UNSET;
-	ISC_LINK_INIT(ev, ev_link);
-	ISC_LIST_INIT(ev->bufferlist);
-	ev->region.base = NULL;
-	ev->n = 0;
-	ev->offset = 0;
-	ev->attributes = 0;
-	ev->destroy = ev->ev_destroy;
-	ev->ev_destroy = destroy_socketevent;
-
-	return (ev);
-}
-
-#if defined(ISC_SOCKET_DEBUG)
-static void
-dump_msg(struct msghdr *msg) {
-	unsigned int i;
-
-	printf("MSGHDR %p\n", msg);
-	printf("\tname %p, namelen %ld\n", msg->msg_name,
-	       (long) msg->msg_namelen);
-	printf("\tiov %p, iovlen %ld\n", msg->msg_iov,
-	       (long) msg->msg_iovlen);
-	for (i = 0; i < (unsigned int)msg->msg_iovlen; i++)
-		printf("\t\t%d\tbase %p, len %ld\n", i,
-		       msg->msg_iov[i].iov_base,
-		       (long) msg->msg_iov[i].iov_len);
-#ifdef ISC_NET_BSD44MSGHDR
-	printf("\tcontrol %p, controllen %ld\n", msg->msg_control,
-	       (long) msg->msg_controllen);
-#endif
-}
-#endif
-
-#define DOIO_SUCCESS		0	/* i/o ok, event sent */
-#define DOIO_SOFT		1	/* i/o ok, soft error, no event sent */
-#define DOIO_HARD		2	/* i/o error, event sent */
-#define DOIO_EOF		3	/* EOF, no event sent */
-
-static int
-doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) {
-	int cc;
-	struct iovec iov[MAXSCATTERGATHER_RECV];
-	size_t read_count;
-	size_t actual_count;
-	struct msghdr msghdr;
-	isc_buffer_t *buffer;
-	int recv_errno;
-	char strbuf[ISC_STRERRORSIZE];
-
-	build_msghdr_recv(sock, dev, &msghdr, iov, &read_count);
-
-#if defined(ISC_SOCKET_DEBUG)
-	dump_msg(&msghdr);
-#endif
-
-	cc = recvmsg(sock->fd, &msghdr, 0);
-	recv_errno = errno;
-
-#if defined(ISC_SOCKET_DEBUG)
-	dump_msg(&msghdr);
-#endif
-
-	if (cc < 0) {
-		if (SOFT_ERROR(recv_errno))
-			return (DOIO_SOFT);
-
-		if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
-			isc__strerror(recv_errno, strbuf, sizeof(strbuf));
-			socket_log(sock, NULL, IOEVENT,
-				   isc_msgcat, ISC_MSGSET_SOCKET,
-				   ISC_MSG_DOIORECV,
-				  "doio_recv: recvmsg(%d) %d bytes, err %d/%s",
-				   sock->fd, cc, recv_errno, strbuf);
-		}
-
-#define SOFT_OR_HARD(_system, _isc) \
-	if (recv_errno == _system) { \
-		if (sock->connected) { \
-			dev->result = _isc; \
-			inc_stats(sock->manager->stats, \
-				  sock->statsindex[STATID_RECVFAIL]); \
-			return (DOIO_HARD); \
-		} \
-		return (DOIO_SOFT); \
-	}
-#define ALWAYS_HARD(_system, _isc) \
-	if (recv_errno == _system) { \
-		dev->result = _isc; \
-		inc_stats(sock->manager->stats, \
-			  sock->statsindex[STATID_RECVFAIL]); \
-		return (DOIO_HARD); \
-	}
-
-		SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
-		SOFT_OR_HARD(ENETUNREACH, ISC_R_NETUNREACH);
-		SOFT_OR_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
-		SOFT_OR_HARD(EHOSTDOWN, ISC_R_HOSTDOWN);
-		/* HPUX 11.11 can return EADDRNOTAVAIL. */
-		SOFT_OR_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
-		ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
-		/*
-		 * HPUX returns EPROTO and EINVAL on receiving some ICMP/ICMPv6
-		 * errors.
-		 */
-#ifdef EPROTO
-		SOFT_OR_HARD(EPROTO, ISC_R_HOSTUNREACH);
-#endif
-		SOFT_OR_HARD(EINVAL, ISC_R_HOSTUNREACH);
-
-#undef SOFT_OR_HARD
-#undef ALWAYS_HARD
-
-		dev->result = isc__errno2result(recv_errno);
-		inc_stats(sock->manager->stats,
-			  sock->statsindex[STATID_RECVFAIL]);
-		return (DOIO_HARD);
-	}
-
-	/*
-	 * On TCP and UNIX sockets, zero length reads indicate EOF,
-	 * while on UDP sockets, zero length reads are perfectly valid,
-	 * although strange.
-	 */
-	switch (sock->type) {
-	case isc_sockettype_tcp:
-	case isc_sockettype_unix:
-		if (cc == 0)
-			return (DOIO_EOF);
-		break;
-	case isc_sockettype_udp:
-		break;
-	case isc_sockettype_fdwatch:
-	default:
-		INSIST(0);
-	}
-
-	if (sock->type == isc_sockettype_udp) {
-		dev->address.length = msghdr.msg_namelen;
-		if (isc_sockaddr_getport(&dev->address) == 0) {
-			if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
-				socket_log(sock, &dev->address, IOEVENT,
-					   isc_msgcat, ISC_MSGSET_SOCKET,
-					   ISC_MSG_ZEROPORT,
-					   "dropping source port zero packet");
-			}
-			return (DOIO_SOFT);
-		}
-		/*
-		 * Simulate a firewall blocking UDP responses bigger than
-		 * 512 bytes.
-		 */
-		if (sock->manager->maxudp != 0 && cc > sock->manager->maxudp)
-			return (DOIO_SOFT);
-	}
-
-	socket_log(sock, &dev->address, IOEVENT,
-		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_PKTRECV,
-		   "packet received correctly");
-
-	/*
-	 * Overflow bit detection.  If we received MORE bytes than we should,
-	 * this indicates an overflow situation.  Set the flag in the
-	 * dev entry and adjust how much we read by one.
-	 */
-#ifdef ISC_NET_RECVOVERFLOW
-	if ((sock->type == isc_sockettype_udp) && ((size_t)cc > read_count)) {
-		dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
-		cc--;
-	}
-#endif
-
-	/*
-	 * If there are control messages attached, run through them and pull
-	 * out the interesting bits.
-	 */
-	if (sock->type == isc_sockettype_udp)
-		process_cmsg(sock, &msghdr, dev);
-
-	/*
-	 * update the buffers (if any) and the i/o count
-	 */
-	dev->n += cc;
-	actual_count = cc;
-	buffer = ISC_LIST_HEAD(dev->bufferlist);
-	while (buffer != NULL && actual_count > 0U) {
-		REQUIRE(ISC_BUFFER_VALID(buffer));
-		if (isc_buffer_availablelength(buffer) <= actual_count) {
-			actual_count -= isc_buffer_availablelength(buffer);
-			isc_buffer_add(buffer,
-				       isc_buffer_availablelength(buffer));
-		} else {
-			isc_buffer_add(buffer, actual_count);
-			actual_count = 0;
-			POST(actual_count);
-			break;
-		}
-		buffer = ISC_LIST_NEXT(buffer, link);
-		if (buffer == NULL) {
-			INSIST(actual_count == 0U);
-		}
-	}
-
-	/*
-	 * If we read less than we expected, update counters,
-	 * and let the upper layer poke the descriptor.
-	 */
-	if (((size_t)cc != read_count) && (dev->n < dev->minimum))
-		return (DOIO_SOFT);
-
-	/*
-	 * Full reads are posted, or partials if partials are ok.
-	 */
-	dev->result = ISC_R_SUCCESS;
-	return (DOIO_SUCCESS);
-}
-
-/*
- * Returns:
- *	DOIO_SUCCESS	The operation succeeded.  dev->result contains
- *			ISC_R_SUCCESS.
- *
- *	DOIO_HARD	A hard or unexpected I/O error was encountered.
- *			dev->result contains the appropriate error.
- *
- *	DOIO_SOFT	A soft I/O error was encountered.  No senddone
- *			event was sent.  The operation should be retried.
- *
- *	No other return values are possible.
- */
-static int
-doio_send(isc__socket_t *sock, isc_socketevent_t *dev) {
-	int cc;
-	struct iovec iov[MAXSCATTERGATHER_SEND];
-	size_t write_count;
-	struct msghdr msghdr;
-	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-	int attempts = 0;
-	int send_errno;
-	char strbuf[ISC_STRERRORSIZE];
-
-	build_msghdr_send(sock, dev, &msghdr, iov, &write_count);
-
- resend:
-	cc = sendmsg(sock->fd, &msghdr, 0);
-	send_errno = errno;
-
-	/*
-	 * Check for error or block condition.
-	 */
-	if (cc < 0) {
-		if (send_errno == EINTR && ++attempts < NRETRIES)
-			goto resend;
-
-		if (SOFT_ERROR(send_errno))
-			return (DOIO_SOFT);
-
-#define SOFT_OR_HARD(_system, _isc) \
-	if (send_errno == _system) { \
-		if (sock->connected) { \
-			dev->result = _isc; \
-			inc_stats(sock->manager->stats, \
-				  sock->statsindex[STATID_SENDFAIL]); \
-			return (DOIO_HARD); \
-		} \
-		return (DOIO_SOFT); \
-	}
-#define ALWAYS_HARD(_system, _isc) \
-	if (send_errno == _system) { \
-		dev->result = _isc; \
-		inc_stats(sock->manager->stats, \
-			  sock->statsindex[STATID_SENDFAIL]); \
-		return (DOIO_HARD); \
-	}
-
-		SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
-		ALWAYS_HARD(EACCES, ISC_R_NOPERM);
-		ALWAYS_HARD(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
-		ALWAYS_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
-		ALWAYS_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
-#ifdef EHOSTDOWN
-		ALWAYS_HARD(EHOSTDOWN, ISC_R_HOSTUNREACH);
-#endif
-		ALWAYS_HARD(ENETUNREACH, ISC_R_NETUNREACH);
-		ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
-		ALWAYS_HARD(EPERM, ISC_R_HOSTUNREACH);
-		ALWAYS_HARD(EPIPE, ISC_R_NOTCONNECTED);
-		ALWAYS_HARD(ECONNRESET, ISC_R_CONNECTIONRESET);
-
-#undef SOFT_OR_HARD
-#undef ALWAYS_HARD
-
-		/*
-		 * The other error types depend on whether or not the
-		 * socket is UDP or TCP.  If it is UDP, some errors
-		 * that we expect to be fatal under TCP are merely
-		 * annoying, and are really soft errors.
-		 *
-		 * However, these soft errors are still returned as
-		 * a status.
-		 */
-		isc_sockaddr_format(&dev->address, addrbuf, sizeof(addrbuf));
-		isc__strerror(send_errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "internal_send: %s: %s",
-				 addrbuf, strbuf);
-		dev->result = isc__errno2result(send_errno);
-		inc_stats(sock->manager->stats,
-			  sock->statsindex[STATID_SENDFAIL]);
-		return (DOIO_HARD);
-	}
-
-	if (cc == 0) {
-		inc_stats(sock->manager->stats,
-			  sock->statsindex[STATID_SENDFAIL]);
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "doio_send: send() %s 0",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_RETURNED, "returned"));
-	}
-
-	/*
-	 * If we write less than we expected, update counters, poke.
-	 */
-	dev->n += cc;
-	if ((size_t)cc != write_count)
-		return (DOIO_SOFT);
-
-	/*
-	 * Exactly what we wanted to write.  We're done with this
-	 * entry.  Post its completion event.
-	 */
-	dev->result = ISC_R_SUCCESS;
-	return (DOIO_SUCCESS);
-}
-
-/*
- * Kill.
- *
- * Caller must ensure that the socket is not locked and no external
- * references exist.
- */
-static void
-closesocket(isc__socketmgr_t *manager, isc__socket_t *sock, int fd) {
-	isc_sockettype_t type = sock->type;
-	int lockid = FDLOCK_ID(fd);
-
-	/*
-	 * No one has this socket open, so the watcher doesn't have to be
-	 * poked, and the socket doesn't have to be locked.
-	 */
-	LOCK(&manager->fdlock[lockid]);
-	manager->fds[fd] = NULL;
-	if (type == isc_sockettype_fdwatch)
-		manager->fdstate[fd] = CLOSED;
-	else
-		manager->fdstate[fd] = CLOSE_PENDING;
-	UNLOCK(&manager->fdlock[lockid]);
-	if (type == isc_sockettype_fdwatch) {
-		/*
-		 * The caller may close the socket once this function returns,
-		 * and `fd' may be reassigned for a new socket.  So we do
-		 * unwatch_fd() here, rather than defer it via select_poke().
-		 * Note: this may complicate data protection among threads and
-		 * may reduce performance due to additional locks.  One way to
-		 * solve this would be to dup() the watched descriptor, but we
-		 * take a simpler approach at this moment.
-		 */
-		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
-		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
-	} else
-		select_poke(manager, fd, SELECT_POKE_CLOSE);
-
-	inc_stats(manager->stats, sock->statsindex[STATID_CLOSE]);
-
-	/*
-	 * update manager->maxfd here (XXX: this should be implemented more
-	 * efficiently)
-	 */
-#ifdef USE_SELECT
-	LOCK(&manager->lock);
-	if (manager->maxfd == fd) {
-		int i;
-
-		manager->maxfd = 0;
-		for (i = fd - 1; i >= 0; i--) {
-			lockid = FDLOCK_ID(i);
-
-			LOCK(&manager->fdlock[lockid]);
-			if (manager->fdstate[i] == MANAGED) {
-				manager->maxfd = i;
-				UNLOCK(&manager->fdlock[lockid]);
-				break;
-			}
-			UNLOCK(&manager->fdlock[lockid]);
-		}
-#ifdef ISC_PLATFORM_USETHREADS
-		if (manager->maxfd < manager->pipe_fds[0])
-			manager->maxfd = manager->pipe_fds[0];
-#endif
-	}
-	UNLOCK(&manager->lock);
-#endif	/* USE_SELECT */
-}
-
-static void
-destroy(isc__socket_t **sockp) {
-	int fd;
-	isc__socket_t *sock = *sockp;
-	isc__socketmgr_t *manager = sock->manager;
-
-	socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
-		   ISC_MSG_DESTROYING, "destroying");
-
-	INSIST(ISC_LIST_EMPTY(sock->accept_list));
-	INSIST(ISC_LIST_EMPTY(sock->recv_list));
-	INSIST(ISC_LIST_EMPTY(sock->send_list));
-	INSIST(sock->connect_ev == NULL);
-	REQUIRE(sock->fd == -1 || sock->fd < (int)manager->maxsocks);
-
-	if (sock->fd >= 0) {
-		fd = sock->fd;
-		sock->fd = -1;
-		closesocket(manager, sock, fd);
-	}
-
-	LOCK(&manager->lock);
-
-	ISC_LIST_UNLINK(manager->socklist, sock, link);
-
-#ifdef USE_WATCHER_THREAD
-	if (ISC_LIST_EMPTY(manager->socklist))
-		SIGNAL(&manager->shutdown_ok);
-#endif /* USE_WATCHER_THREAD */
-
-	/* can't unlock manager as its memory context is still used */
-	free_socket(sockp);
-
-	UNLOCK(&manager->lock);
-}
-
-static isc_result_t
-allocate_socket(isc__socketmgr_t *manager, isc_sockettype_t type,
-		isc__socket_t **socketp)
-{
-	isc__socket_t *sock;
-	isc_result_t result;
-	ISC_SOCKADDR_LEN_T cmsgbuflen;
-
-	sock = isc_mem_get(manager->mctx, sizeof(*sock));
-
-	if (sock == NULL)
-		return (ISC_R_NOMEMORY);
-
-	sock->common.magic = 0;
-	sock->common.impmagic = 0;
-	sock->references = 0;
-
-	sock->manager = manager;
-	sock->type = type;
-	sock->fd = -1;
-	sock->dupped = 0;
-	sock->statsindex = NULL;
-
-	ISC_LINK_INIT(sock, link);
-
-	sock->recvcmsgbuf = NULL;
-	sock->sendcmsgbuf = NULL;
-
-	/*
-	 * Set up cmsg buffers.
-	 */
-	cmsgbuflen = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
-	cmsgbuflen += cmsg_space(sizeof(struct in6_pktinfo));
-#endif
-#if defined(USE_CMSG) && defined(SO_TIMESTAMP)
-	cmsgbuflen += cmsg_space(sizeof(struct timeval));
-#endif
-	sock->recvcmsgbuflen = cmsgbuflen;
-	if (sock->recvcmsgbuflen != 0U) {
-		sock->recvcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
-		if (sock->recvcmsgbuf == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto error;
-		}
-	}
-
-	cmsgbuflen = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
-	cmsgbuflen += cmsg_space(sizeof(struct in6_pktinfo));
-#if defined(IPV6_USE_MIN_MTU)
-	/*
-	 * Provide space for working around FreeBSD's broken IPV6_USE_MIN_MTU
-	 * support.
-	 */
-	cmsgbuflen += cmsg_space(sizeof(int));
-#endif
-#endif
-	sock->sendcmsgbuflen = cmsgbuflen;
-	if (sock->sendcmsgbuflen != 0U) {
-		sock->sendcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
-		if (sock->sendcmsgbuf == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto error;
-		}
-	}
-
-	memset(sock->name, 0, sizeof(sock->name));
-	sock->tag = NULL;
-
-	/*
-	 * Set up list of readers and writers to be initially empty.
-	 */
-	ISC_LIST_INIT(sock->recv_list);
-	ISC_LIST_INIT(sock->send_list);
-	ISC_LIST_INIT(sock->accept_list);
-	sock->connect_ev = NULL;
-	sock->pending_recv = 0;
-	sock->pending_send = 0;
-	sock->pending_accept = 0;
-	sock->listener = 0;
-	sock->connected = 0;
-	sock->connecting = 0;
-	sock->bound = 0;
-
-	/*
-	 * Initialize the lock.
-	 */
-	result = isc_mutex_init(&sock->lock);
-	if (result != ISC_R_SUCCESS) {
-		sock->common.magic = 0;
-		sock->common.impmagic = 0;
-		goto error;
-	}
-
-	/*
-	 * Initialize readable and writable events.
-	 */
-	ISC_EVENT_INIT(&sock->readable_ev, sizeof(intev_t),
-		       ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTR,
-		       NULL, sock, sock, NULL, NULL);
-	ISC_EVENT_INIT(&sock->writable_ev, sizeof(intev_t),
-		       ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTW,
-		       NULL, sock, sock, NULL, NULL);
-
-	sock->common.magic = ISCAPI_SOCKET_MAGIC;
-	sock->common.impmagic = SOCKET_MAGIC;
-	*socketp = sock;
-
-	return (ISC_R_SUCCESS);
-
- error:
-	if (sock->recvcmsgbuf != NULL)
-		isc_mem_put(manager->mctx, sock->recvcmsgbuf,
-			    sock->recvcmsgbuflen);
-	if (sock->sendcmsgbuf != NULL)
-		isc_mem_put(manager->mctx, sock->sendcmsgbuf,
-			    sock->sendcmsgbuflen);
-	isc_mem_put(manager->mctx, sock, sizeof(*sock));
-
-	return (result);
-}
-
-/*
- * This event requires that the various lists be empty, that the reference
- * count be 1, and that the magic number is valid.  The other socket bits,
- * like the lock, must be initialized as well.  The fd associated must be
- * marked as closed, by setting it to -1 on close, or this routine will
- * also close the socket.
- */
-static void
-free_socket(isc__socket_t **socketp) {
-	isc__socket_t *sock = *socketp;
-
-	INSIST(sock->references == 0);
-	INSIST(VALID_SOCKET(sock));
-	INSIST(!sock->connecting);
-	INSIST(!sock->pending_recv);
-	INSIST(!sock->pending_send);
-	INSIST(!sock->pending_accept);
-	INSIST(ISC_LIST_EMPTY(sock->recv_list));
-	INSIST(ISC_LIST_EMPTY(sock->send_list));
-	INSIST(ISC_LIST_EMPTY(sock->accept_list));
-	INSIST(!ISC_LINK_LINKED(sock, link));
-
-	if (sock->recvcmsgbuf != NULL)
-		isc_mem_put(sock->manager->mctx, sock->recvcmsgbuf,
-			    sock->recvcmsgbuflen);
-	if (sock->sendcmsgbuf != NULL)
-		isc_mem_put(sock->manager->mctx, sock->sendcmsgbuf,
-			    sock->sendcmsgbuflen);
-
-	sock->common.magic = 0;
-	sock->common.impmagic = 0;
-
-	DESTROYLOCK(&sock->lock);
-
-	isc_mem_put(sock->manager->mctx, sock, sizeof(*sock));
-
-	*socketp = NULL;
-}
-
-#ifdef SO_BSDCOMPAT
-/*
- * This really should not be necessary to do.  Having to workout
- * which kernel version we are on at run time so that we don't cause
- * the kernel to issue a warning about us using a deprecated socket option.
- * Such warnings should *never* be on by default in production kernels.
- *
- * We can't do this a build time because executables are moved between
- * machines and hence kernels.
- *
- * We can't just not set SO_BSDCOMAT because some kernels require it.
- */
-
-static isc_once_t         bsdcompat_once = ISC_ONCE_INIT;
-isc_boolean_t bsdcompat = ISC_TRUE;
-
-static void
-clear_bsdcompat(void) {
-#ifdef __linux__
-	 struct utsname buf;
-	 char *endp;
-	 long int major;
-	 long int minor;
-
-	 uname(&buf);    /* Can only fail if buf is bad in Linux. */
-
-	 /* Paranoia in parsing can be increased, but we trust uname(). */
-	 major = strtol(buf.release, &endp, 10);
-	 if (*endp == '.') {
-		minor = strtol(endp+1, &endp, 10);
-		if ((major > 2) || ((major == 2) && (minor >= 4))) {
-			bsdcompat = ISC_FALSE;
-		}
-	 }
-#endif /* __linux __ */
-}
-#endif
-
-static void
-use_min_mtu(isc__socket_t *sock) {
-#if !defined(IPV6_USE_MIN_MTU) && !defined(IPV6_MTU)
-	UNUSED(sock);
-#endif
-#ifdef IPV6_USE_MIN_MTU
-	/* use minimum MTU */
-	if (sock->pf == AF_INET6) {
-		int on = 1;
-		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
-				(void *)&on, sizeof(on));
-	}
-#endif
-#if defined(IPV6_MTU)
-	/*
-	 * Use minimum MTU on IPv6 sockets.
-	 */
-	if (sock->pf == AF_INET6) {
-		int mtu = 1280;
-		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU,
-				 &mtu, sizeof(mtu));
-	}
-#endif
-}
-
-static isc_result_t
-opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
-	   isc__socket_t *dup_socket)
-{
-	isc_result_t result;
-	char strbuf[ISC_STRERRORSIZE];
-	const char *err = "socket";
-	int tries = 0;
-#if defined(USE_CMSG) || defined(SO_BSDCOMPAT) || defined(SO_NOSIGPIPE)
-	int on = 1;
-#endif
-#if defined(SO_RCVBUF)
-	ISC_SOCKADDR_LEN_T optlen;
-	int size;
-#endif
-
- again:
-	if (dup_socket == NULL) {
-		switch (sock->type) {
-		case isc_sockettype_udp:
-			sock->fd = socket(sock->pf, SOCK_DGRAM, IPPROTO_UDP);
-			break;
-		case isc_sockettype_tcp:
-			sock->fd = socket(sock->pf, SOCK_STREAM, IPPROTO_TCP);
-			break;
-		case isc_sockettype_unix:
-			sock->fd = socket(sock->pf, SOCK_STREAM, 0);
-			break;
-		case isc_sockettype_fdwatch:
-			/*
-			 * We should not be called for isc_sockettype_fdwatch
-			 * sockets.
-			 */
-			INSIST(0);
-			break;
-		}
-	} else {
-		sock->fd = dup(dup_socket->fd);
-		sock->dupped = 1;
-		sock->bound = dup_socket->bound;
-	}
-	if (sock->fd == -1 && errno == EINTR && tries++ < 42)
-		goto again;
-
-#ifdef F_DUPFD
-	/*
-	 * Leave a space for stdio and TCP to work in.
-	 */
-	if (manager->reserved != 0 && sock->type == isc_sockettype_udp &&
-	    sock->fd >= 0 && sock->fd < manager->reserved) {
-		int new, tmp;
-		new = fcntl(sock->fd, F_DUPFD, manager->reserved);
-		tmp = errno;
-		(void)close(sock->fd);
-		errno = tmp;
-		sock->fd = new;
-		err = "isc_socket_create: fcntl/reserved";
-	} else if (sock->fd >= 0 && sock->fd < 20) {
-		int new, tmp;
-		new = fcntl(sock->fd, F_DUPFD, 20);
-		tmp = errno;
-		(void)close(sock->fd);
-		errno = tmp;
-		sock->fd = new;
-		err = "isc_socket_create: fcntl";
-	}
-#endif
-
-	if (sock->fd >= (int)manager->maxsocks) {
-		(void)close(sock->fd);
-		isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-			       isc_msgcat, ISC_MSGSET_SOCKET,
-			       ISC_MSG_TOOMANYFDS,
-			       "socket: file descriptor exceeds limit (%d/%u)",
-			       sock->fd, manager->maxsocks);
-		return (ISC_R_NORESOURCES);
-	}
-
-	if (sock->fd < 0) {
-		switch (errno) {
-		case EMFILE:
-		case ENFILE:
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-				       isc_msgcat, ISC_MSGSET_SOCKET,
-				       ISC_MSG_TOOMANYFDS,
-				       "%s: %s", err, strbuf);
-			/* fallthrough */
-		case ENOBUFS:
-			return (ISC_R_NORESOURCES);
-
-		case EPROTONOSUPPORT:
-		case EPFNOSUPPORT:
-		case EAFNOSUPPORT:
-		/*
-		 * Linux 2.2 (and maybe others) return EINVAL instead of
-		 * EAFNOSUPPORT.
-		 */
-		case EINVAL:
-			return (ISC_R_FAMILYNOSUPPORT);
-
-		default:
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "%s() %s: %s", err,
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_GENERAL,
-							ISC_MSG_FAILED,
-							"failed"),
-					 strbuf);
-			return (ISC_R_UNEXPECTED);
-		}
-	}
-
-	if (dup_socket != NULL)
-		goto setup_done;
-
-	result = make_nonblock(sock->fd);
-	if (result != ISC_R_SUCCESS) {
-		(void)close(sock->fd);
-		return (result);
-	}
-
-#ifdef SO_BSDCOMPAT
-	RUNTIME_CHECK(isc_once_do(&bsdcompat_once,
-				  clear_bsdcompat) == ISC_R_SUCCESS);
-	if (sock->type != isc_sockettype_unix && bsdcompat &&
-	    setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT,
-		       (void *)&on, sizeof(on)) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "setsockopt(%d, SO_BSDCOMPAT) %s: %s",
-				 sock->fd,
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 strbuf);
-		/* Press on... */
-	}
-#endif
-
-#ifdef SO_NOSIGPIPE
-	if (setsockopt(sock->fd, SOL_SOCKET, SO_NOSIGPIPE,
-		       (void *)&on, sizeof(on)) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "setsockopt(%d, SO_NOSIGPIPE) %s: %s",
-				 sock->fd,
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 strbuf);
-		/* Press on... */
-	}
-#endif
-
-	/*
-	 * Use minimum mtu if possible.
-	 */
-	use_min_mtu(sock);
-
-#if defined(USE_CMSG) || defined(SO_RCVBUF)
-	if (sock->type == isc_sockettype_udp) {
-
-#if defined(USE_CMSG)
-#if defined(SO_TIMESTAMP)
-		if (setsockopt(sock->fd, SOL_SOCKET, SO_TIMESTAMP,
-			       (void *)&on, sizeof(on)) < 0
-		    && errno != ENOPROTOOPT) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "setsockopt(%d, SO_TIMESTAMP) %s: %s",
-					 sock->fd,
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_GENERAL,
-							ISC_MSG_FAILED,
-							"failed"),
-					 strbuf);
-			/* Press on... */
-		}
-#endif /* SO_TIMESTAMP */
-
-#if defined(ISC_PLATFORM_HAVEIPV6)
-		if (sock->pf == AF_INET6 && sock->recvcmsgbuflen == 0U) {
-			/*
-			 * Warn explicitly because this anomaly can be hidden
-			 * in usual operation (and unexpectedly appear later).
-			 */
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "No buffer available to receive "
-					 "IPv6 destination");
-		}
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-#ifdef IPV6_RECVPKTINFO
-		/* RFC 3542 */
-		if ((sock->pf == AF_INET6)
-		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
-				   (void *)&on, sizeof(on)) < 0)) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "setsockopt(%d, IPV6_RECVPKTINFO) "
-					 "%s: %s", sock->fd,
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_GENERAL,
-							ISC_MSG_FAILED,
-							"failed"),
-					 strbuf);
-		}
-#else
-		/* RFC 2292 */
-		if ((sock->pf == AF_INET6)
-		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
-				   (void *)&on, sizeof(on)) < 0)) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "setsockopt(%d, IPV6_PKTINFO) %s: %s",
-					 sock->fd,
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_GENERAL,
-							ISC_MSG_FAILED,
-							"failed"),
-					 strbuf);
-		}
-#endif /* IPV6_RECVPKTINFO */
-#endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
-#if defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DONT)
-		/*
-		 * Turn off Path MTU discovery on IPv6/UDP sockets.
-		 */
-		if (sock->pf == AF_INET6) {
-			int action = IPV6_PMTUDISC_DONT;
-			(void)setsockopt(sock->fd, IPPROTO_IPV6,
-					 IPV6_MTU_DISCOVER, &action,
-					 sizeof(action));
-		}
-#endif
-#endif /* ISC_PLATFORM_HAVEIPV6 */
-#endif /* defined(USE_CMSG) */
-
-#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
-		/*
-		 * Turn off Path MTU discovery on IPv4/UDP sockets.
-		 */
-		if (sock->pf == AF_INET) {
-			int action = IP_PMTUDISC_DONT;
-			(void)setsockopt(sock->fd, IPPROTO_IP, IP_MTU_DISCOVER,
-					 &action, sizeof(action));
-		}
-#endif
-#if defined(IP_DONTFRAG)
-		/*
-		 * Turn off Path MTU discovery on IPv4/UDP sockets.
-		 */
-		if (sock->pf == AF_INET) {
-			int off = 0;
-			(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG,
-					 &off, sizeof(off));
-		}
-#endif
-
-#if defined(SO_RCVBUF)
-		optlen = sizeof(size);
-		if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
-			       (void *)&size, &optlen) >= 0 &&
-		     size < RCVBUFSIZE) {
-			size = RCVBUFSIZE;
-			if (setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
-				       (void *)&size, sizeof(size)) == -1) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				UNEXPECTED_ERROR(__FILE__, __LINE__,
-					"setsockopt(%d, SO_RCVBUF, %d) %s: %s",
-					sock->fd, size,
-					isc_msgcat_get(isc_msgcat,
-						       ISC_MSGSET_GENERAL,
-						       ISC_MSG_FAILED,
-						       "failed"),
-					strbuf);
-			}
-		}
-#endif
-	}
-#endif /* defined(USE_CMSG) || defined(SO_RCVBUF) */
-
-setup_done:
-	inc_stats(manager->stats, sock->statsindex[STATID_OPEN]);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Create a 'type' socket or duplicate an existing socket, managed
- * by 'manager'.  Events will be posted to 'task' and when dispatched
- * 'action' will be called with 'arg' as the arg value.  The new
- * socket is returned in 'socketp'.
- */
-static isc_result_t
-socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
-	      isc_socket_t **socketp, isc_socket_t *dup_socket)
-{
-	isc__socket_t *sock = NULL;
-	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
-	isc_result_t result;
-	int lockid;
-
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(socketp != NULL && *socketp == NULL);
-	REQUIRE(type != isc_sockettype_fdwatch);
-
-	result = allocate_socket(manager, type, &sock);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	switch (sock->type) {
-	case isc_sockettype_udp:
-		sock->statsindex =
-			(pf == AF_INET) ? udp4statsindex : udp6statsindex;
-		break;
-	case isc_sockettype_tcp:
-		sock->statsindex =
-			(pf == AF_INET) ? tcp4statsindex : tcp6statsindex;
-		break;
-	case isc_sockettype_unix:
-		sock->statsindex = unixstatsindex;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	sock->pf = pf;
-
-	result = opensocket(manager, sock, (isc__socket_t *)dup_socket);
-	if (result != ISC_R_SUCCESS) {
-		inc_stats(manager->stats, sock->statsindex[STATID_OPENFAIL]);
-		free_socket(&sock);
-		return (result);
-	}
-
-	sock->common.methods = (isc_socketmethods_t *)&socketmethods;
-	sock->references = 1;
-	*socketp = (isc_socket_t *)sock;
-
-	/*
-	 * Note we don't have to lock the socket like we normally would because
-	 * there are no external references to it yet.
-	 */
-
-	lockid = FDLOCK_ID(sock->fd);
-	LOCK(&manager->fdlock[lockid]);
-	manager->fds[sock->fd] = sock;
-	manager->fdstate[sock->fd] = MANAGED;
-#ifdef USE_DEVPOLL
-	INSIST(sock->manager->fdpollinfo[sock->fd].want_read == 0 &&
-	       sock->manager->fdpollinfo[sock->fd].want_write == 0);
-#endif
-	UNLOCK(&manager->fdlock[lockid]);
-
-	LOCK(&manager->lock);
-	ISC_LIST_APPEND(manager->socklist, sock, link);
-#ifdef USE_SELECT
-	if (manager->maxfd < sock->fd)
-		manager->maxfd = sock->fd;
-#endif
-	UNLOCK(&manager->lock);
-
-	socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
-		   ISC_MSG_CREATED, dup_socket != NULL ? "dupped" : "created");
-
-	return (ISC_R_SUCCESS);
-}
-
-/*%
- * Create a new 'type' socket managed by 'manager'.  Events
- * will be posted to 'task' and when dispatched 'action' will be
- * called with 'arg' as the arg value.  The new socket is returned
- * in 'socketp'.
- */
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
-		   isc_socket_t **socketp)
-{
-	return (socket_create(manager0, pf, type, socketp, NULL));
-}
-
-/*%
- * Duplicate an existing socket.  The new socket is returned
- * in 'socketp'.
- */
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_dup(isc_socket_t *sock0, isc_socket_t **socketp) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE(socketp != NULL && *socketp == NULL);
-
-	return (socket_create((isc_socketmgr_t *) sock->manager,
-			      sock->pf, sock->type, socketp,
-			      sock0));
-}
-
-#ifdef BIND9
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_open(isc_socket_t *sock0) {
-	isc_result_t result;
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-
-	REQUIRE(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-	REQUIRE(sock->references == 1);
-	REQUIRE(sock->type != isc_sockettype_fdwatch);
-	UNLOCK(&sock->lock);
-	/*
-	 * We don't need to retain the lock hereafter, since no one else has
-	 * this socket.
-	 */
-	REQUIRE(sock->fd == -1);
-
-	result = opensocket(sock->manager, sock, NULL);
-	if (result != ISC_R_SUCCESS)
-		sock->fd = -1;
-
-	if (result == ISC_R_SUCCESS) {
-		int lockid = FDLOCK_ID(sock->fd);
-
-		LOCK(&sock->manager->fdlock[lockid]);
-		sock->manager->fds[sock->fd] = sock;
-		sock->manager->fdstate[sock->fd] = MANAGED;
-#ifdef USE_DEVPOLL
-		INSIST(sock->manager->fdpollinfo[sock->fd].want_read == 0 &&
-		       sock->manager->fdpollinfo[sock->fd].want_write == 0);
-#endif
-		UNLOCK(&sock->manager->fdlock[lockid]);
-
-#ifdef USE_SELECT
-		LOCK(&sock->manager->lock);
-		if (sock->manager->maxfd < sock->fd)
-			sock->manager->maxfd = sock->fd;
-		UNLOCK(&sock->manager->lock);
-#endif
-	}
-
-	return (result);
-}
-#endif	/* BIND9 */
-
-/*
- * Create a new 'type' socket managed by 'manager'.  Events
- * will be posted to 'task' and when dispatched 'action' will be
- * called with 'arg' as the arg value.  The new socket is returned
- * in 'socketp'.
- */
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_fdwatchcreate(isc_socketmgr_t *manager0, int fd, int flags,
-			  isc_sockfdwatch_t callback, void *cbarg,
-			  isc_task_t *task, isc_socket_t **socketp)
-{
-	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
-	isc__socket_t *sock = NULL;
-	isc_result_t result;
-	int lockid;
-
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(socketp != NULL && *socketp == NULL);
-
-	result = allocate_socket(manager, isc_sockettype_fdwatch, &sock);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	sock->fd = fd;
-	sock->fdwatcharg = cbarg;
-	sock->fdwatchcb = callback;
-	sock->fdwatchflags = flags;
-	sock->fdwatchtask = task;
-	sock->statsindex = fdwatchstatsindex;
-
-	sock->common.methods = (isc_socketmethods_t *)&socketmethods;
-	sock->references = 1;
-	*socketp = (isc_socket_t *)sock;
-
-	/*
-	 * Note we don't have to lock the socket like we normally would because
-	 * there are no external references to it yet.
-	 */
-
-	lockid = FDLOCK_ID(sock->fd);
-	LOCK(&manager->fdlock[lockid]);
-	manager->fds[sock->fd] = sock;
-	manager->fdstate[sock->fd] = MANAGED;
-	UNLOCK(&manager->fdlock[lockid]);
-
-	LOCK(&manager->lock);
-	ISC_LIST_APPEND(manager->socklist, sock, link);
-#ifdef USE_SELECT
-	if (manager->maxfd < sock->fd)
-		manager->maxfd = sock->fd;
-#endif
-	UNLOCK(&manager->lock);
-
-	if (flags & ISC_SOCKFDWATCH_READ)
-		select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
-	if (flags & ISC_SOCKFDWATCH_WRITE)
-		select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
-
-	socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
-		   ISC_MSG_CREATED, "fdwatch-created");
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Indicate to the manager that it should watch the socket again.
- * This can be used to restart watching if the previous event handler
- * didn't indicate there was more data to be processed.  Primarily
- * it is for writing but could be used for reading if desired
- */
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_fdwatchpoke(isc_socket_t *sock0, int flags)
-{
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-
-	REQUIRE(VALID_SOCKET(sock));
-
-	/*
-	 * We check both flags first to allow us to get the lock
-	 * once but only if we need it.
-	 */
-
-	if ((flags & (ISC_SOCKFDWATCH_READ | ISC_SOCKFDWATCH_WRITE)) != 0) {
-		LOCK(&sock->lock);
-		if (((flags & ISC_SOCKFDWATCH_READ) != 0) &&
-		    !sock->pending_recv)
-			select_poke(sock->manager, sock->fd,
-				    SELECT_POKE_READ);
-		if (((flags & ISC_SOCKFDWATCH_WRITE) != 0) &&
-		    !sock->pending_send)
-			select_poke(sock->manager, sock->fd,
-				    SELECT_POKE_WRITE);
-		UNLOCK(&sock->lock);
-	}
-
-	socket_log(sock, NULL, TRACE, isc_msgcat, ISC_MSGSET_SOCKET,
-		   ISC_MSG_POKED, "fdwatch-poked flags: %d", flags);
-
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Attach to a socket.  Caller must explicitly detach when it is done.
- */
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_attach(isc_socket_t *sock0, isc_socket_t **socketp) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE(socketp != NULL && *socketp == NULL);
-
-	LOCK(&sock->lock);
-	sock->references++;
-	UNLOCK(&sock->lock);
-
-	*socketp = (isc_socket_t *)sock;
-}
-
-/*
- * Dereference a socket.  If this is the last reference to it, clean things
- * up by destroying the socket.
- */
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_detach(isc_socket_t **socketp) {
-	isc__socket_t *sock;
-	isc_boolean_t kill_socket = ISC_FALSE;
-
-	REQUIRE(socketp != NULL);
-	sock = (isc__socket_t *)*socketp;
-	REQUIRE(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-	REQUIRE(sock->references > 0);
-	sock->references--;
-	if (sock->references == 0)
-		kill_socket = ISC_TRUE;
-	UNLOCK(&sock->lock);
-
-	if (kill_socket)
-		destroy(&sock);
-
-	*socketp = NULL;
-}
-
-#ifdef BIND9
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_close(isc_socket_t *sock0) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	int fd;
-	isc__socketmgr_t *manager;
-
-	fflush(stdout);
-	REQUIRE(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-
-	REQUIRE(sock->references == 1);
-	REQUIRE(sock->type != isc_sockettype_fdwatch);
-	REQUIRE(sock->fd >= 0 && sock->fd < (int)sock->manager->maxsocks);
-
-	INSIST(!sock->connecting);
-	INSIST(!sock->pending_recv);
-	INSIST(!sock->pending_send);
-	INSIST(!sock->pending_accept);
-	INSIST(ISC_LIST_EMPTY(sock->recv_list));
-	INSIST(ISC_LIST_EMPTY(sock->send_list));
-	INSIST(ISC_LIST_EMPTY(sock->accept_list));
-	INSIST(sock->connect_ev == NULL);
-
-	manager = sock->manager;
-	fd = sock->fd;
-	sock->fd = -1;
-	sock->dupped = 0;
-	memset(sock->name, 0, sizeof(sock->name));
-	sock->tag = NULL;
-	sock->listener = 0;
-	sock->connected = 0;
-	sock->connecting = 0;
-	sock->bound = 0;
-	isc_sockaddr_any(&sock->peer_address);
-
-	UNLOCK(&sock->lock);
-
-	closesocket(manager, sock, fd);
-
-	return (ISC_R_SUCCESS);
-}
-#endif	/* BIND9 */
-
-/*
- * I/O is possible on a given socket.  Schedule an event to this task that
- * will call an internal function to do the I/O.  This will charge the
- * task with the I/O operation and let our select loop handler get back
- * to doing something real as fast as possible.
- *
- * The socket and manager must be locked before calling this function.
- */
-static void
-dispatch_recv(isc__socket_t *sock) {
-	intev_t *iev;
-	isc_socketevent_t *ev;
-	isc_task_t *sender;
-
-	INSIST(!sock->pending_recv);
-
-	if (sock->type != isc_sockettype_fdwatch) {
-		ev = ISC_LIST_HEAD(sock->recv_list);
-		if (ev == NULL)
-			return;
-		socket_log(sock, NULL, EVENT, NULL, 0, 0,
-			   "dispatch_recv:  event %p -> task %p",
-			   ev, ev->ev_sender);
-		sender = ev->ev_sender;
-	} else {
-		sender = sock->fdwatchtask;
-	}
-
-	sock->pending_recv = 1;
-	iev = &sock->readable_ev;
-
-	sock->references++;
-	iev->ev_sender = sock;
-	if (sock->type == isc_sockettype_fdwatch)
-		iev->ev_action = internal_fdwatch_read;
-	else
-		iev->ev_action = internal_recv;
-	iev->ev_arg = sock;
-
-	isc_task_send(sender, (isc_event_t **)&iev);
-}
-
-static void
-dispatch_send(isc__socket_t *sock) {
-	intev_t *iev;
-	isc_socketevent_t *ev;
-	isc_task_t *sender;
-
-	INSIST(!sock->pending_send);
-
-	if (sock->type != isc_sockettype_fdwatch) {
-		ev = ISC_LIST_HEAD(sock->send_list);
-		if (ev == NULL)
-			return;
-		socket_log(sock, NULL, EVENT, NULL, 0, 0,
-			   "dispatch_send:  event %p -> task %p",
-			   ev, ev->ev_sender);
-		sender = ev->ev_sender;
-	} else {
-		sender = sock->fdwatchtask;
-	}
-
-	sock->pending_send = 1;
-	iev = &sock->writable_ev;
-
-	sock->references++;
-	iev->ev_sender = sock;
-	if (sock->type == isc_sockettype_fdwatch)
-		iev->ev_action = internal_fdwatch_write;
-	else
-		iev->ev_action = internal_send;
-	iev->ev_arg = sock;
-
-	isc_task_send(sender, (isc_event_t **)&iev);
-}
-
-/*
- * Dispatch an internal accept event.
- */
-static void
-dispatch_accept(isc__socket_t *sock) {
-	intev_t *iev;
-	isc_socket_newconnev_t *ev;
-
-	INSIST(!sock->pending_accept);
-
-	/*
-	 * Are there any done events left, or were they all canceled
-	 * before the manager got the socket lock?
-	 */
-	ev = ISC_LIST_HEAD(sock->accept_list);
-	if (ev == NULL)
-		return;
-
-	sock->pending_accept = 1;
-	iev = &sock->readable_ev;
-
-	sock->references++;  /* keep socket around for this internal event */
-	iev->ev_sender = sock;
-	iev->ev_action = internal_accept;
-	iev->ev_arg = sock;
-
-	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
-}
-
-static void
-dispatch_connect(isc__socket_t *sock) {
-	intev_t *iev;
-	isc_socket_connev_t *ev;
-
-	iev = &sock->writable_ev;
-
-	ev = sock->connect_ev;
-	INSIST(ev != NULL); /* XXX */
-
-	INSIST(sock->connecting);
-
-	sock->references++;  /* keep socket around for this internal event */
-	iev->ev_sender = sock;
-	iev->ev_action = internal_connect;
-	iev->ev_arg = sock;
-
-	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
-}
-
-/*
- * Dequeue an item off the given socket's read queue, set the result code
- * in the done event to the one provided, and send it to the task it was
- * destined for.
- *
- * If the event to be sent is on a list, remove it before sending.  If
- * asked to, send and detach from the socket as well.
- *
- * Caller must have the socket locked if the event is attached to the socket.
- */
-static void
-send_recvdone_event(isc__socket_t *sock, isc_socketevent_t **dev) {
-	isc_task_t *task;
-
-	task = (*dev)->ev_sender;
-
-	(*dev)->ev_sender = sock;
-
-	if (ISC_LINK_LINKED(*dev, ev_link))
-		ISC_LIST_DEQUEUE(sock->recv_list, *dev, ev_link);
-
-	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
-	    == ISC_SOCKEVENTATTR_ATTACHED)
-		isc_task_sendanddetach(&task, (isc_event_t **)dev);
-	else
-		isc_task_send(task, (isc_event_t **)dev);
-}
-
-/*
- * See comments for send_recvdone_event() above.
- *
- * Caller must have the socket locked if the event is attached to the socket.
- */
-static void
-send_senddone_event(isc__socket_t *sock, isc_socketevent_t **dev) {
-	isc_task_t *task;
-
-	INSIST(dev != NULL && *dev != NULL);
-
-	task = (*dev)->ev_sender;
-	(*dev)->ev_sender = sock;
-
-	if (ISC_LINK_LINKED(*dev, ev_link))
-		ISC_LIST_DEQUEUE(sock->send_list, *dev, ev_link);
-
-	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
-	    == ISC_SOCKEVENTATTR_ATTACHED)
-		isc_task_sendanddetach(&task, (isc_event_t **)dev);
-	else
-		isc_task_send(task, (isc_event_t **)dev);
-}
-
-/*
- * Call accept() on a socket, to get the new file descriptor.  The listen
- * socket is used as a prototype to create a new isc_socket_t.  The new
- * socket has one outstanding reference.  The task receiving the event
- * will be detached from just after the event is delivered.
- *
- * On entry to this function, the event delivered is the internal
- * readable event, and the first item on the accept_list should be
- * the done event we want to send.  If the list is empty, this is a no-op,
- * so just unlock and return.
- */
-static void
-internal_accept(isc_task_t *me, isc_event_t *ev) {
-	isc__socket_t *sock;
-	isc__socketmgr_t *manager;
-	isc_socket_newconnev_t *dev;
-	isc_task_t *task;
-	ISC_SOCKADDR_LEN_T addrlen;
-	int fd;
-	isc_result_t result = ISC_R_SUCCESS;
-	char strbuf[ISC_STRERRORSIZE];
-	const char *err = "accept";
-
-	UNUSED(me);
-
-	sock = ev->ev_sender;
-	INSIST(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-	socket_log(sock, NULL, TRACE,
-		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTLOCK,
-		   "internal_accept called, locked socket");
-
-	manager = sock->manager;
-	INSIST(VALID_MANAGER(manager));
-
-	INSIST(sock->listener);
-	INSIST(sock->pending_accept == 1);
-	sock->pending_accept = 0;
-
-	INSIST(sock->references > 0);
-	sock->references--;  /* the internal event is done with this socket */
-	if (sock->references == 0) {
-		UNLOCK(&sock->lock);
-		destroy(&sock);
-		return;
-	}
-
-	/*
-	 * Get the first item off the accept list.
-	 * If it is empty, unlock the socket and return.
-	 */
-	dev = ISC_LIST_HEAD(sock->accept_list);
-	if (dev == NULL) {
-		UNLOCK(&sock->lock);
-		return;
-	}
-
-	/*
-	 * Try to accept the new connection.  If the accept fails with
-	 * EAGAIN or EINTR, simply poke the watcher to watch this socket
-	 * again.  Also ignore ECONNRESET, which has been reported to
-	 * be spuriously returned on Linux 2.2.19 although it is not
-	 * a documented error for accept().  ECONNABORTED has been
-	 * reported for Solaris 8.  The rest are thrown in not because
-	 * we have seen them but because they are ignored by other
-	 * daemons such as BIND 8 and Apache.
-	 */
-
-	addrlen = sizeof(NEWCONNSOCK(dev)->peer_address.type);
-	memset(&NEWCONNSOCK(dev)->peer_address.type, 0, addrlen);
-	fd = accept(sock->fd, &NEWCONNSOCK(dev)->peer_address.type.sa,
-		    (void *)&addrlen);
-
-#ifdef F_DUPFD
-	/*
-	 * Leave a space for stdio to work in.
-	 */
-	if (fd >= 0 && fd < 20) {
-		int new, tmp;
-		new = fcntl(fd, F_DUPFD, 20);
-		tmp = errno;
-		(void)close(fd);
-		errno = tmp;
-		fd = new;
-		err = "accept/fcntl";
-	}
-#endif
-
-	if (fd < 0) {
-		if (SOFT_ERROR(errno))
-			goto soft_error;
-		switch (errno) {
-		case ENFILE:
-		case EMFILE:
-			isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-				       isc_msgcat, ISC_MSGSET_SOCKET,
-				       ISC_MSG_TOOMANYFDS,
-				       "%s: too many open file descriptors",
-				       err);
-			goto soft_error;
-
-		case ENOBUFS:
-		case ENOMEM:
-		case ECONNRESET:
-		case ECONNABORTED:
-		case EHOSTUNREACH:
-		case EHOSTDOWN:
-		case ENETUNREACH:
-		case ENETDOWN:
-		case ECONNREFUSED:
-#ifdef EPROTO
-		case EPROTO:
-#endif
-#ifdef ENONET
-		case ENONET:
-#endif
-			goto soft_error;
-		default:
-			break;
-		}
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "internal_accept: %s() %s: %s", err,
-				 isc_msgcat_get(isc_msgcat,
-						ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED,
-						"failed"),
-				 strbuf);
-		fd = -1;
-		result = ISC_R_UNEXPECTED;
-	} else {
-		if (addrlen == 0U) {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "internal_accept(): "
-					 "accept() failed to return "
-					 "remote address");
-
-			(void)close(fd);
-			goto soft_error;
-		} else if (NEWCONNSOCK(dev)->peer_address.type.sa.sa_family !=
-			   sock->pf)
-		{
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "internal_accept(): "
-					 "accept() returned peer address "
-					 "family %u (expected %u)",
-					 NEWCONNSOCK(dev)->peer_address.
-					 type.sa.sa_family,
-					 sock->pf);
-			(void)close(fd);
-			goto soft_error;
-		} else if (fd >= (int)manager->maxsocks) {
-			isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-				       isc_msgcat, ISC_MSGSET_SOCKET,
-				       ISC_MSG_TOOMANYFDS,
-				       "accept: "
-				       "file descriptor exceeds limit (%d/%u)",
-				       fd, manager->maxsocks);
-			(void)close(fd);
-			goto soft_error;
-		}
-	}
-
-	if (fd != -1) {
-		NEWCONNSOCK(dev)->peer_address.length = addrlen;
-		NEWCONNSOCK(dev)->pf = sock->pf;
-	}
-
-	/*
-	 * Pull off the done event.
-	 */
-	ISC_LIST_UNLINK(sock->accept_list, dev, ev_link);
-
-	/*
-	 * Poke watcher if there are more pending accepts.
-	 */
-	if (!ISC_LIST_EMPTY(sock->accept_list))
-		select_poke(sock->manager, sock->fd, SELECT_POKE_ACCEPT);
-
-	UNLOCK(&sock->lock);
-
-	if (fd != -1) {
-		result = make_nonblock(fd);
-		if (result != ISC_R_SUCCESS) {
-			(void)close(fd);
-			fd = -1;
-		}
-	}
-
-	/*
-	 * -1 means the new socket didn't happen.
-	 */
-	if (fd != -1) {
-		int lockid = FDLOCK_ID(fd);
-
-		NEWCONNSOCK(dev)->fd = fd;
-		NEWCONNSOCK(dev)->bound = 1;
-		NEWCONNSOCK(dev)->connected = 1;
-
-		/*
-		 * Use minimum mtu if possible.
-		 */
-		use_min_mtu(NEWCONNSOCK(dev));
-
-		/*
-		 * Save away the remote address
-		 */
-		dev->address = NEWCONNSOCK(dev)->peer_address;
-
-		LOCK(&manager->fdlock[lockid]);
-		manager->fds[fd] = NEWCONNSOCK(dev);
-		manager->fdstate[fd] = MANAGED;
-		UNLOCK(&manager->fdlock[lockid]);
-
-		LOCK(&manager->lock);
-
-#ifdef USE_SELECT
-		if (manager->maxfd < fd)
-			manager->maxfd = fd;
-#endif
-
-		socket_log(sock, &NEWCONNSOCK(dev)->peer_address, CREATION,
-			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
-			   "accepted connection, new socket %p",
-			   dev->newsocket);
-
-		ISC_LIST_APPEND(manager->socklist, NEWCONNSOCK(dev), link);
-
-		UNLOCK(&manager->lock);
-
-		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPT]);
-	} else {
-		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
-		NEWCONNSOCK(dev)->references--;
-		free_socket((isc__socket_t **)&dev->newsocket);
-	}
-
-	/*
-	 * Fill in the done event details and send it off.
-	 */
-	dev->result = result;
-	task = dev->ev_sender;
-	dev->ev_sender = sock;
-
-	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
-	return;
-
- soft_error:
-	select_poke(sock->manager, sock->fd, SELECT_POKE_ACCEPT);
-	UNLOCK(&sock->lock);
-
-	inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
-	return;
-}
-
-static void
-internal_recv(isc_task_t *me, isc_event_t *ev) {
-	isc_socketevent_t *dev;
-	isc__socket_t *sock;
-
-	INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
-
-	sock = ev->ev_sender;
-	INSIST(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-	socket_log(sock, NULL, IOEVENT,
-		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
-		   "internal_recv: task %p got event %p", me, ev);
-
-	INSIST(sock->pending_recv == 1);
-	sock->pending_recv = 0;
-
-	INSIST(sock->references > 0);
-	sock->references--;  /* the internal event is done with this socket */
-	if (sock->references == 0) {
-		UNLOCK(&sock->lock);
-		destroy(&sock);
-		return;
-	}
-
-	/*
-	 * Try to do as much I/O as possible on this socket.  There are no
-	 * limits here, currently.
-	 */
-	dev = ISC_LIST_HEAD(sock->recv_list);
-	while (dev != NULL) {
-		switch (doio_recv(sock, dev)) {
-		case DOIO_SOFT:
-			goto poke;
-
-		case DOIO_EOF:
-			/*
-			 * read of 0 means the remote end was closed.
-			 * Run through the event queue and dispatch all
-			 * the events with an EOF result code.
-			 */
-			do {
-				dev->result = ISC_R_EOF;
-				send_recvdone_event(sock, &dev);
-				dev = ISC_LIST_HEAD(sock->recv_list);
-			} while (dev != NULL);
-			goto poke;
-
-		case DOIO_SUCCESS:
-		case DOIO_HARD:
-			send_recvdone_event(sock, &dev);
-			break;
-		}
-
-		dev = ISC_LIST_HEAD(sock->recv_list);
-	}
-
- poke:
-	if (!ISC_LIST_EMPTY(sock->recv_list))
-		select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
-
-	UNLOCK(&sock->lock);
-}
-
-static void
-internal_send(isc_task_t *me, isc_event_t *ev) {
-	isc_socketevent_t *dev;
-	isc__socket_t *sock;
-
-	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
-
-	/*
-	 * Find out what socket this is and lock it.
-	 */
-	sock = (isc__socket_t *)ev->ev_sender;
-	INSIST(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-	socket_log(sock, NULL, IOEVENT,
-		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
-		   "internal_send: task %p got event %p", me, ev);
-
-	INSIST(sock->pending_send == 1);
-	sock->pending_send = 0;
-
-	INSIST(sock->references > 0);
-	sock->references--;  /* the internal event is done with this socket */
-	if (sock->references == 0) {
-		UNLOCK(&sock->lock);
-		destroy(&sock);
-		return;
-	}
-
-	/*
-	 * Try to do as much I/O as possible on this socket.  There are no
-	 * limits here, currently.
-	 */
-	dev = ISC_LIST_HEAD(sock->send_list);
-	while (dev != NULL) {
-		switch (doio_send(sock, dev)) {
-		case DOIO_SOFT:
-			goto poke;
-
-		case DOIO_HARD:
-		case DOIO_SUCCESS:
-			send_senddone_event(sock, &dev);
-			break;
-		}
-
-		dev = ISC_LIST_HEAD(sock->send_list);
-	}
-
- poke:
-	if (!ISC_LIST_EMPTY(sock->send_list))
-		select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
-
-	UNLOCK(&sock->lock);
-}
-
-static void
-internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
-	isc__socket_t *sock;
-	int more_data;
-
-	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
-
-	/*
-	 * Find out what socket this is and lock it.
-	 */
-	sock = (isc__socket_t *)ev->ev_sender;
-	INSIST(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-	socket_log(sock, NULL, IOEVENT,
-		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
-		   "internal_fdwatch_write: task %p got event %p", me, ev);
-
-	INSIST(sock->pending_send == 1);
-
-	UNLOCK(&sock->lock);
-	more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock,
-				      sock->fdwatcharg, ISC_SOCKFDWATCH_WRITE);
-	LOCK(&sock->lock);
-
-	sock->pending_send = 0;
-
-	INSIST(sock->references > 0);
-	sock->references--;  /* the internal event is done with this socket */
-	if (sock->references == 0) {
-		UNLOCK(&sock->lock);
-		destroy(&sock);
-		return;
-	}
-
-	if (more_data)
-		select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
-
-	UNLOCK(&sock->lock);
-}
-
-static void
-internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
-	isc__socket_t *sock;
-	int more_data;
-
-	INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
-
-	/*
-	 * Find out what socket this is and lock it.
-	 */
-	sock = (isc__socket_t *)ev->ev_sender;
-	INSIST(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-	socket_log(sock, NULL, IOEVENT,
-		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
-		   "internal_fdwatch_read: task %p got event %p", me, ev);
-
-	INSIST(sock->pending_recv == 1);
-
-	UNLOCK(&sock->lock);
-	more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock,
-				      sock->fdwatcharg, ISC_SOCKFDWATCH_READ);
-	LOCK(&sock->lock);
-
-	sock->pending_recv = 0;
-
-	INSIST(sock->references > 0);
-	sock->references--;  /* the internal event is done with this socket */
-	if (sock->references == 0) {
-		UNLOCK(&sock->lock);
-		destroy(&sock);
-		return;
-	}
-
-	if (more_data)
-		select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
-
-	UNLOCK(&sock->lock);
-}
-
-/*
- * Process read/writes on each fd here.  Avoid locking
- * and unlocking twice if both reads and writes are possible.
- */
-static void
-process_fd(isc__socketmgr_t *manager, int fd, isc_boolean_t readable,
-	   isc_boolean_t writeable)
-{
-	isc__socket_t *sock;
-	isc_boolean_t unlock_sock;
-	isc_boolean_t unwatch_read = ISC_FALSE, unwatch_write = ISC_FALSE;
-	int lockid = FDLOCK_ID(fd);
-
-	/*
-	 * If the socket is going to be closed, don't do more I/O.
-	 */
-	LOCK(&manager->fdlock[lockid]);
-	if (manager->fdstate[fd] == CLOSE_PENDING) {
-		UNLOCK(&manager->fdlock[lockid]);
-
-		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
-		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
-		return;
-	}
-
-	sock = manager->fds[fd];
-	unlock_sock = ISC_FALSE;
-	if (readable) {
-		if (sock == NULL) {
-			unwatch_read = ISC_TRUE;
-			goto check_write;
-		}
-		unlock_sock = ISC_TRUE;
-		LOCK(&sock->lock);
-		if (!SOCK_DEAD(sock)) {
-			if (sock->listener)
-				dispatch_accept(sock);
-			else
-				dispatch_recv(sock);
-		}
-		unwatch_read = ISC_TRUE;
-	}
-check_write:
-	if (writeable) {
-		if (sock == NULL) {
-			unwatch_write = ISC_TRUE;
-			goto unlock_fd;
-		}
-		if (!unlock_sock) {
-			unlock_sock = ISC_TRUE;
-			LOCK(&sock->lock);
-		}
-		if (!SOCK_DEAD(sock)) {
-			if (sock->connecting)
-				dispatch_connect(sock);
-			else
-				dispatch_send(sock);
-		}
-		unwatch_write = ISC_TRUE;
-	}
-	if (unlock_sock)
-		UNLOCK(&sock->lock);
-
- unlock_fd:
-	UNLOCK(&manager->fdlock[lockid]);
-	if (unwatch_read)
-		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
-	if (unwatch_write)
-		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
-
-}
-
-#ifdef USE_KQUEUE
-static isc_boolean_t
-process_fds(isc__socketmgr_t *manager, struct kevent *events, int nevents) {
-	int i;
-	isc_boolean_t readable, writable;
-	isc_boolean_t done = ISC_FALSE;
-#ifdef USE_WATCHER_THREAD
-	isc_boolean_t have_ctlevent = ISC_FALSE;
-#endif
-
-	if (nevents == manager->nevents) {
-		/*
-		 * This is not an error, but something unexpected.  If this
-		 * happens, it may indicate the need for increasing
-		 * ISC_SOCKET_MAXEVENTS.
-		 */
-		manager_log(manager, ISC_LOGCATEGORY_GENERAL,
-			    ISC_LOGMODULE_SOCKET, ISC_LOG_INFO,
-			    "maximum number of FD events (%d) received",
-			    nevents);
-	}
-
-	for (i = 0; i < nevents; i++) {
-		REQUIRE(events[i].ident < manager->maxsocks);
-#ifdef USE_WATCHER_THREAD
-		if (events[i].ident == (uintptr_t)manager->pipe_fds[0]) {
-			have_ctlevent = ISC_TRUE;
-			continue;
-		}
-#endif
-		readable = ISC_TF(events[i].filter == EVFILT_READ);
-		writable = ISC_TF(events[i].filter == EVFILT_WRITE);
-		process_fd(manager, events[i].ident, readable, writable);
-	}
-
-#ifdef USE_WATCHER_THREAD
-	if (have_ctlevent)
-		done = process_ctlfd(manager);
-#endif
-
-	return (done);
-}
-#elif defined(USE_EPOLL)
-static isc_boolean_t
-process_fds(isc__socketmgr_t *manager, struct epoll_event *events, int nevents)
-{
-	int i;
-	isc_boolean_t done = ISC_FALSE;
-#ifdef USE_WATCHER_THREAD
-	isc_boolean_t have_ctlevent = ISC_FALSE;
-#endif
-
-	if (nevents == manager->nevents) {
-		manager_log(manager, ISC_LOGCATEGORY_GENERAL,
-			    ISC_LOGMODULE_SOCKET, ISC_LOG_INFO,
-			    "maximum number of FD events (%d) received",
-			    nevents);
-	}
-
-	for (i = 0; i < nevents; i++) {
-		REQUIRE(events[i].data.fd < (int)manager->maxsocks);
-#ifdef USE_WATCHER_THREAD
-		if (events[i].data.fd == manager->pipe_fds[0]) {
-			have_ctlevent = ISC_TRUE;
-			continue;
-		}
-#endif
-		if ((events[i].events & EPOLLERR) != 0 ||
-		    (events[i].events & EPOLLHUP) != 0) {
-			/*
-			 * epoll does not set IN/OUT bits on an erroneous
-			 * condition, so we need to try both anyway.  This is a
-			 * bit inefficient, but should be okay for such rare
-			 * events.  Note also that the read or write attempt
-			 * won't block because we use non-blocking sockets.
-			 */
-			events[i].events |= (EPOLLIN | EPOLLOUT);
-		}
-		process_fd(manager, events[i].data.fd,
-			   (events[i].events & EPOLLIN) != 0,
-			   (events[i].events & EPOLLOUT) != 0);
-	}
-
-#ifdef USE_WATCHER_THREAD
-	if (have_ctlevent)
-		done = process_ctlfd(manager);
-#endif
-
-	return (done);
-}
-#elif defined(USE_DEVPOLL)
-static isc_boolean_t
-process_fds(isc__socketmgr_t *manager, struct pollfd *events, int nevents) {
-	int i;
-	isc_boolean_t done = ISC_FALSE;
-#ifdef USE_WATCHER_THREAD
-	isc_boolean_t have_ctlevent = ISC_FALSE;
-#endif
-
-	if (nevents == manager->nevents) {
-		manager_log(manager, ISC_LOGCATEGORY_GENERAL,
-			    ISC_LOGMODULE_SOCKET, ISC_LOG_INFO,
-			    "maximum number of FD events (%d) received",
-			    nevents);
-	}
-
-	for (i = 0; i < nevents; i++) {
-		REQUIRE(events[i].fd < (int)manager->maxsocks);
-#ifdef USE_WATCHER_THREAD
-		if (events[i].fd == manager->pipe_fds[0]) {
-			have_ctlevent = ISC_TRUE;
-			continue;
-		}
-#endif
-		process_fd(manager, events[i].fd,
-			   (events[i].events & POLLIN) != 0,
-			   (events[i].events & POLLOUT) != 0);
-	}
-
-#ifdef USE_WATCHER_THREAD
-	if (have_ctlevent)
-		done = process_ctlfd(manager);
-#endif
-
-	return (done);
-}
-#elif defined(USE_SELECT)
-static void
-process_fds(isc__socketmgr_t *manager, int maxfd, fd_set *readfds,
-	    fd_set *writefds)
-{
-	int i;
-
-	REQUIRE(maxfd <= (int)manager->maxsocks);
-
-	for (i = 0; i < maxfd; i++) {
-#ifdef USE_WATCHER_THREAD
-		if (i == manager->pipe_fds[0] || i == manager->pipe_fds[1])
-			continue;
-#endif /* USE_WATCHER_THREAD */
-		process_fd(manager, i, FD_ISSET(i, readfds),
-			   FD_ISSET(i, writefds));
-	}
-}
-#endif
-
-#ifdef USE_WATCHER_THREAD
-static isc_boolean_t
-process_ctlfd(isc__socketmgr_t *manager) {
-	int msg, fd;
-
-	for (;;) {
-		select_readmsg(manager, &fd, &msg);
-
-		manager_log(manager, IOEVENT,
-			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
-					   ISC_MSG_WATCHERMSG,
-					   "watcher got message %d "
-					   "for socket %d"), msg, fd);
-
-		/*
-		 * Nothing to read?
-		 */
-		if (msg == SELECT_POKE_NOTHING)
-			break;
-
-		/*
-		 * Handle shutdown message.  We really should
-		 * jump out of this loop right away, but
-		 * it doesn't matter if we have to do a little
-		 * more work first.
-		 */
-		if (msg == SELECT_POKE_SHUTDOWN)
-			return (ISC_TRUE);
-
-		/*
-		 * This is a wakeup on a socket.  Look
-		 * at the event queue for both read and write,
-		 * and decide if we need to watch on it now
-		 * or not.
-		 */
-		wakeup_socket(manager, fd, msg);
-	}
-
-	return (ISC_FALSE);
-}
-
-/*
- * This is the thread that will loop forever, always in a select or poll
- * call.
- *
- * When select returns something to do, track down what thread gets to do
- * this I/O and post the event to it.
- */
-static isc_threadresult_t
-watcher(void *uap) {
-	isc__socketmgr_t *manager = uap;
-	isc_boolean_t done;
-	int cc;
-#ifdef USE_KQUEUE
-	const char *fnname = "kevent()";
-#elif defined (USE_EPOLL)
-	const char *fnname = "epoll_wait()";
-#elif defined(USE_DEVPOLL)
-	const char *fnname = "ioctl(DP_POLL)";
-	struct dvpoll dvp;
-#elif defined (USE_SELECT)
-	const char *fnname = "select()";
-	int maxfd;
-	int ctlfd;
-#endif
-	char strbuf[ISC_STRERRORSIZE];
-#ifdef ISC_SOCKET_USE_POLLWATCH
-	pollstate_t pollstate = poll_idle;
-#endif
-
-#if defined (USE_SELECT)
-	/*
-	 * Get the control fd here.  This will never change.
-	 */
-	ctlfd = manager->pipe_fds[0];
-#endif
-	done = ISC_FALSE;
-	while (!done) {
-		do {
-#ifdef USE_KQUEUE
-			cc = kevent(manager->kqueue_fd, NULL, 0,
-				    manager->events, manager->nevents, NULL);
-#elif defined(USE_EPOLL)
-			cc = epoll_wait(manager->epoll_fd, manager->events,
-					manager->nevents, -1);
-#elif defined(USE_DEVPOLL)
-			dvp.dp_fds = manager->events;
-			dvp.dp_nfds = manager->nevents;
-#ifndef ISC_SOCKET_USE_POLLWATCH
-			dvp.dp_timeout = -1;
-#else
-			if (pollstate == poll_idle)
-				dvp.dp_timeout = -1;
-			else
-				dvp.dp_timeout = ISC_SOCKET_POLLWATCH_TIMEOUT;
-#endif	/* ISC_SOCKET_USE_POLLWATCH */
-			cc = ioctl(manager->devpoll_fd, DP_POLL, &dvp);
-#elif defined(USE_SELECT)
-			LOCK(&manager->lock);
-			memcpy(manager->read_fds_copy, manager->read_fds,
-			       manager->fd_bufsize);
-			memcpy(manager->write_fds_copy, manager->write_fds,
-			       manager->fd_bufsize);
-			maxfd = manager->maxfd + 1;
-			UNLOCK(&manager->lock);
-
-			cc = select(maxfd, manager->read_fds_copy,
-				    manager->write_fds_copy, NULL, NULL);
-#endif	/* USE_KQUEUE */
-
-			if (cc < 0 && !SOFT_ERROR(errno)) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				FATAL_ERROR(__FILE__, __LINE__,
-					    "%s %s: %s", fnname,
-					    isc_msgcat_get(isc_msgcat,
-							   ISC_MSGSET_GENERAL,
-							   ISC_MSG_FAILED,
-							   "failed"), strbuf);
-			}
-
-#if defined(USE_DEVPOLL) && defined(ISC_SOCKET_USE_POLLWATCH)
-			if (cc == 0) {
-				if (pollstate == poll_active)
-					pollstate = poll_checking;
-				else if (pollstate == poll_checking)
-					pollstate = poll_idle;
-			} else if (cc > 0) {
-				if (pollstate == poll_checking) {
-					/*
-					 * XXX: We'd like to use a more
-					 * verbose log level as it's actually an
-					 * unexpected event, but the kernel bug
-					 * reportedly happens pretty frequently
-					 * (and it can also be a false positive)
-					 * so it would be just too noisy.
-					 */
-					manager_log(manager,
-						    ISC_LOGCATEGORY_GENERAL,
-						    ISC_LOGMODULE_SOCKET,
-						    ISC_LOG_DEBUG(1),
-						    "unexpected POLL timeout");
-				}
-				pollstate = poll_active;
-			}
-#endif
-		} while (cc < 0);
-
-#if defined(USE_KQUEUE) || defined (USE_EPOLL) || defined (USE_DEVPOLL)
-		done = process_fds(manager, manager->events, cc);
-#elif defined(USE_SELECT)
-		process_fds(manager, maxfd, manager->read_fds_copy,
-			    manager->write_fds_copy);
-
-		/*
-		 * Process reads on internal, control fd.
-		 */
-		if (FD_ISSET(ctlfd, manager->read_fds_copy))
-			done = process_ctlfd(manager);
-#endif
-	}
-
-	manager_log(manager, TRACE, "%s",
-		    isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-				   ISC_MSG_EXITING, "watcher exiting"));
-
-	return ((isc_threadresult_t)0);
-}
-#endif /* USE_WATCHER_THREAD */
-
-#ifdef BIND9
-ISC_SOCKETFUNC_SCOPE void
-isc__socketmgr_setreserved(isc_socketmgr_t *manager0, isc_uint32_t reserved) {
-	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
-
-	REQUIRE(VALID_MANAGER(manager));
-
-	manager->reserved = reserved;
-}
-
-ISC_SOCKETFUNC_SCOPE void
-isc___socketmgr_maxudp(isc_socketmgr_t *manager0, int maxudp) {
-	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
-
-	REQUIRE(VALID_MANAGER(manager));
-
-	manager->maxudp = maxudp;
-}
-#endif	/* BIND9 */
-
-/*
- * Create a new socket manager.
- */
-
-static isc_result_t
-setup_watcher(isc_mem_t *mctx, isc__socketmgr_t *manager) {
-	isc_result_t result;
-#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
-	char strbuf[ISC_STRERRORSIZE];
-#endif
-
-#ifdef USE_KQUEUE
-	manager->nevents = ISC_SOCKET_MAXEVENTS;
-	manager->events = isc_mem_get(mctx, sizeof(struct kevent) *
-				      manager->nevents);
-	if (manager->events == NULL)
-		return (ISC_R_NOMEMORY);
-	manager->kqueue_fd = kqueue();
-	if (manager->kqueue_fd == -1) {
-		result = isc__errno2result(errno);
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "kqueue %s: %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 strbuf);
-		isc_mem_put(mctx, manager->events,
-			    sizeof(struct kevent) * manager->nevents);
-		return (result);
-	}
-
-#ifdef USE_WATCHER_THREAD
-	result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
-	if (result != ISC_R_SUCCESS) {
-		close(manager->kqueue_fd);
-		isc_mem_put(mctx, manager->events,
-			    sizeof(struct kevent) * manager->nevents);
-		return (result);
-	}
-#endif	/* USE_WATCHER_THREAD */
-#elif defined(USE_EPOLL)
-	manager->nevents = ISC_SOCKET_MAXEVENTS;
-	manager->events = isc_mem_get(mctx, sizeof(struct epoll_event) *
-				      manager->nevents);
-	if (manager->events == NULL)
-		return (ISC_R_NOMEMORY);
-	manager->epoll_fd = epoll_create(manager->nevents);
-	if (manager->epoll_fd == -1) {
-		result = isc__errno2result(errno);
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "epoll_create %s: %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 strbuf);
-		isc_mem_put(mctx, manager->events,
-			    sizeof(struct epoll_event) * manager->nevents);
-		return (result);
-	}
-#ifdef USE_WATCHER_THREAD
-	result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
-	if (result != ISC_R_SUCCESS) {
-		close(manager->epoll_fd);
-		isc_mem_put(mctx, manager->events,
-			    sizeof(struct epoll_event) * manager->nevents);
-		return (result);
-	}
-#endif	/* USE_WATCHER_THREAD */
-#elif defined(USE_DEVPOLL)
-	/*
-	 * XXXJT: /dev/poll seems to reject large numbers of events,
-	 * so we should be careful about redefining ISC_SOCKET_MAXEVENTS.
-	 */
-	manager->nevents = ISC_SOCKET_MAXEVENTS;
-	manager->events = isc_mem_get(mctx, sizeof(struct pollfd) *
-				      manager->nevents);
-	if (manager->events == NULL)
-		return (ISC_R_NOMEMORY);
-	/*
-	 * Note: fdpollinfo should be able to support all possible FDs, so
-	 * it must have maxsocks entries (not nevents).
-	 */
-	manager->fdpollinfo = isc_mem_get(mctx, sizeof(pollinfo_t) *
-					  manager->maxsocks);
-	if (manager->fdpollinfo == NULL) {
-		isc_mem_put(mctx, manager->events,
-			    sizeof(struct pollfd) * manager->nevents);
-		return (ISC_R_NOMEMORY);
-	}
-	memset(manager->fdpollinfo, 0, sizeof(pollinfo_t) * manager->maxsocks);
-	manager->devpoll_fd = open("/dev/poll", O_RDWR);
-	if (manager->devpoll_fd == -1) {
-		result = isc__errno2result(errno);
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "open(/dev/poll) %s: %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 strbuf);
-		isc_mem_put(mctx, manager->events,
-			    sizeof(struct pollfd) * manager->nevents);
-		isc_mem_put(mctx, manager->fdpollinfo,
-			    sizeof(pollinfo_t) * manager->maxsocks);
-		return (result);
-	}
-#ifdef USE_WATCHER_THREAD
-	result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
-	if (result != ISC_R_SUCCESS) {
-		close(manager->devpoll_fd);
-		isc_mem_put(mctx, manager->events,
-			    sizeof(struct pollfd) * manager->nevents);
-		isc_mem_put(mctx, manager->fdpollinfo,
-			    sizeof(pollinfo_t) * manager->maxsocks);
-		return (result);
-	}
-#endif	/* USE_WATCHER_THREAD */
-#elif defined(USE_SELECT)
-	UNUSED(result);
-
-#if ISC_SOCKET_MAXSOCKETS > FD_SETSIZE
-	/*
-	 * Note: this code should also cover the case of MAXSOCKETS <=
-	 * FD_SETSIZE, but we separate the cases to avoid possible portability
-	 * issues regarding howmany() and the actual representation of fd_set.
-	 */
-	manager->fd_bufsize = howmany(manager->maxsocks, NFDBITS) *
-		sizeof(fd_mask);
-#else
-	manager->fd_bufsize = sizeof(fd_set);
-#endif
-
-	manager->read_fds = NULL;
-	manager->read_fds_copy = NULL;
-	manager->write_fds = NULL;
-	manager->write_fds_copy = NULL;
-
-	manager->read_fds = isc_mem_get(mctx, manager->fd_bufsize);
-	if (manager->read_fds != NULL)
-		manager->read_fds_copy = isc_mem_get(mctx, manager->fd_bufsize);
-	if (manager->read_fds_copy != NULL)
-		manager->write_fds = isc_mem_get(mctx, manager->fd_bufsize);
-	if (manager->write_fds != NULL) {
-		manager->write_fds_copy = isc_mem_get(mctx,
-						      manager->fd_bufsize);
-	}
-	if (manager->write_fds_copy == NULL) {
-		if (manager->write_fds != NULL) {
-			isc_mem_put(mctx, manager->write_fds,
-				    manager->fd_bufsize);
-		}
-		if (manager->read_fds_copy != NULL) {
-			isc_mem_put(mctx, manager->read_fds_copy,
-				    manager->fd_bufsize);
-		}
-		if (manager->read_fds != NULL) {
-			isc_mem_put(mctx, manager->read_fds,
-				    manager->fd_bufsize);
-		}
-		return (ISC_R_NOMEMORY);
-	}
-	memset(manager->read_fds, 0, manager->fd_bufsize);
-	memset(manager->write_fds, 0, manager->fd_bufsize);
-
-#ifdef USE_WATCHER_THREAD
-	(void)watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
-	manager->maxfd = manager->pipe_fds[0];
-#else /* USE_WATCHER_THREAD */
-	manager->maxfd = 0;
-#endif /* USE_WATCHER_THREAD */
-#endif	/* USE_KQUEUE */
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-cleanup_watcher(isc_mem_t *mctx, isc__socketmgr_t *manager) {
-#ifdef USE_WATCHER_THREAD
-	isc_result_t result;
-
-	result = unwatch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "epoll_ctl(DEL) %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-	}
-#endif	/* USE_WATCHER_THREAD */
-
-#ifdef USE_KQUEUE
-	close(manager->kqueue_fd);
-	isc_mem_put(mctx, manager->events,
-		    sizeof(struct kevent) * manager->nevents);
-#elif defined(USE_EPOLL)
-	close(manager->epoll_fd);
-	isc_mem_put(mctx, manager->events,
-		    sizeof(struct epoll_event) * manager->nevents);
-#elif defined(USE_DEVPOLL)
-	close(manager->devpoll_fd);
-	isc_mem_put(mctx, manager->events,
-		    sizeof(struct pollfd) * manager->nevents);
-	isc_mem_put(mctx, manager->fdpollinfo,
-		    sizeof(pollinfo_t) * manager->maxsocks);
-#elif defined(USE_SELECT)
-	if (manager->read_fds != NULL)
-		isc_mem_put(mctx, manager->read_fds, manager->fd_bufsize);
-	if (manager->read_fds_copy != NULL)
-		isc_mem_put(mctx, manager->read_fds_copy, manager->fd_bufsize);
-	if (manager->write_fds != NULL)
-		isc_mem_put(mctx, manager->write_fds, manager->fd_bufsize);
-	if (manager->write_fds_copy != NULL)
-		isc_mem_put(mctx, manager->write_fds_copy, manager->fd_bufsize);
-#endif	/* USE_KQUEUE */
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
-	return (isc__socketmgr_create2(mctx, managerp, 0));
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
-		       unsigned int maxsocks)
-{
-	int i;
-	isc__socketmgr_t *manager;
-#ifdef USE_WATCHER_THREAD
-	char strbuf[ISC_STRERRORSIZE];
-#endif
-	isc_result_t result;
-
-	REQUIRE(managerp != NULL && *managerp == NULL);
-
-#ifdef USE_SHARED_MANAGER
-	if (socketmgr != NULL) {
-		/* Don't allow maxsocks to be updated */
-		if (maxsocks > 0 && socketmgr->maxsocks != maxsocks)
-			return (ISC_R_EXISTS);
-
-		socketmgr->refs++;
-		*managerp = (isc_socketmgr_t *)socketmgr;
-		return (ISC_R_SUCCESS);
-	}
-#endif /* USE_SHARED_MANAGER */
-
-	if (maxsocks == 0)
-		maxsocks = ISC_SOCKET_MAXSOCKETS;
-
-	manager = isc_mem_get(mctx, sizeof(*manager));
-	if (manager == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/* zero-clear so that necessary cleanup on failure will be easy */
-	memset(manager, 0, sizeof(*manager));
-	manager->maxsocks = maxsocks;
-	manager->reserved = 0;
-	manager->maxudp = 0;
-	manager->fds = isc_mem_get(mctx,
-				   manager->maxsocks * sizeof(isc__socket_t *));
-	if (manager->fds == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto free_manager;
-	}
-	manager->fdstate = isc_mem_get(mctx, manager->maxsocks * sizeof(int));
-	if (manager->fdstate == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto free_manager;
-	}
-	manager->stats = NULL;
-
-	manager->common.methods = &socketmgrmethods;
-	manager->common.magic = ISCAPI_SOCKETMGR_MAGIC;
-	manager->common.impmagic = SOCKET_MANAGER_MAGIC;
-	manager->mctx = NULL;
-	memset(manager->fds, 0, manager->maxsocks * sizeof(isc_socket_t *));
-	ISC_LIST_INIT(manager->socklist);
-	result = isc_mutex_init(&manager->lock);
-	if (result != ISC_R_SUCCESS)
-		goto free_manager;
-	manager->fdlock = isc_mem_get(mctx, FDLOCK_COUNT * sizeof(isc_mutex_t));
-	if (manager->fdlock == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_lock;
-	}
-	for (i = 0; i < FDLOCK_COUNT; i++) {
-		result = isc_mutex_init(&manager->fdlock[i]);
-		if (result != ISC_R_SUCCESS) {
-			while (--i >= 0)
-				DESTROYLOCK(&manager->fdlock[i]);
-			isc_mem_put(mctx, manager->fdlock,
-				    FDLOCK_COUNT * sizeof(isc_mutex_t));
-			manager->fdlock = NULL;
-			goto cleanup_lock;
-		}
-	}
-
-#ifdef USE_WATCHER_THREAD
-	if (isc_condition_init(&manager->shutdown_ok) != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_condition_init() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		result = ISC_R_UNEXPECTED;
-		goto cleanup_lock;
-	}
-
-	/*
-	 * Create the special fds that will be used to wake up the
-	 * select/poll loop when something internal needs to be done.
-	 */
-	if (pipe(manager->pipe_fds) != 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "pipe() %s: %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"),
-				 strbuf);
-		result = ISC_R_UNEXPECTED;
-		goto cleanup_condition;
-	}
-
-	RUNTIME_CHECK(make_nonblock(manager->pipe_fds[0]) == ISC_R_SUCCESS);
-#if 0
-	RUNTIME_CHECK(make_nonblock(manager->pipe_fds[1]) == ISC_R_SUCCESS);
-#endif
-#endif	/* USE_WATCHER_THREAD */
-
-#ifdef USE_SHARED_MANAGER
-	manager->refs = 1;
-#endif /* USE_SHARED_MANAGER */
-
-	/*
-	 * Set up initial state for the select loop
-	 */
-	result = setup_watcher(mctx, manager);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-	memset(manager->fdstate, 0, manager->maxsocks * sizeof(int));
-#ifdef USE_WATCHER_THREAD
-	/*
-	 * Start up the select/poll thread.
-	 */
-	if (isc_thread_create(watcher, manager, &manager->watcher) !=
-	    ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_thread_create() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		cleanup_watcher(mctx, manager);
-		result = ISC_R_UNEXPECTED;
-		goto cleanup;
-	}
-#endif /* USE_WATCHER_THREAD */
-	isc_mem_attach(mctx, &manager->mctx);
-
-#ifdef USE_SHARED_MANAGER
-	socketmgr = manager;
-#endif /* USE_SHARED_MANAGER */
-	*managerp = (isc_socketmgr_t *)manager;
-
-	return (ISC_R_SUCCESS);
-
-cleanup:
-#ifdef USE_WATCHER_THREAD
-	(void)close(manager->pipe_fds[0]);
-	(void)close(manager->pipe_fds[1]);
-#endif	/* USE_WATCHER_THREAD */
-
-#ifdef USE_WATCHER_THREAD
-cleanup_condition:
-	(void)isc_condition_destroy(&manager->shutdown_ok);
-#endif	/* USE_WATCHER_THREAD */
-
-
-cleanup_lock:
-	if (manager->fdlock != NULL) {
-		for (i = 0; i < FDLOCK_COUNT; i++)
-			DESTROYLOCK(&manager->fdlock[i]);
-	}
-	DESTROYLOCK(&manager->lock);
-
-free_manager:
-	if (manager->fdlock != NULL) {
-		isc_mem_put(mctx, manager->fdlock,
-			    FDLOCK_COUNT * sizeof(isc_mutex_t));
-	}
-	if (manager->fdstate != NULL) {
-		isc_mem_put(mctx, manager->fdstate,
-			    manager->maxsocks * sizeof(int));
-	}
-	if (manager->fds != NULL) {
-		isc_mem_put(mctx, manager->fds,
-			    manager->maxsocks * sizeof(isc_socket_t *));
-	}
-	isc_mem_put(mctx, manager, sizeof(*manager));
-
-	return (result);
-}
-
-#ifdef BIND9
-isc_result_t
-isc__socketmgr_getmaxsockets(isc_socketmgr_t *manager0, unsigned int *nsockp) {
-	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(nsockp != NULL);
-
-	*nsockp = manager->maxsocks;
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isc__socketmgr_setstats(isc_socketmgr_t *manager0, isc_stats_t *stats) {
-	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
-
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(ISC_LIST_EMPTY(manager->socklist));
-	REQUIRE(manager->stats == NULL);
-	REQUIRE(isc_stats_ncounters(stats) == isc_sockstatscounter_max);
-
-	isc_stats_attach(stats, &manager->stats);
-}
-#endif
-
-ISC_SOCKETFUNC_SCOPE void
-isc__socketmgr_destroy(isc_socketmgr_t **managerp) {
-	isc__socketmgr_t *manager;
-	int i;
-	isc_mem_t *mctx;
-
-	/*
-	 * Destroy a socket manager.
-	 */
-
-	REQUIRE(managerp != NULL);
-	manager = (isc__socketmgr_t *)*managerp;
-	REQUIRE(VALID_MANAGER(manager));
-
-#ifdef USE_SHARED_MANAGER
-	manager->refs--;
-	if (manager->refs > 0) {
-		*managerp = NULL;
-		return;
-	}
-	socketmgr = NULL;
-#endif /* USE_SHARED_MANAGER */
-
-	LOCK(&manager->lock);
-
-	/*
-	 * Wait for all sockets to be destroyed.
-	 */
-	while (!ISC_LIST_EMPTY(manager->socklist)) {
-#ifdef USE_WATCHER_THREAD
-		manager_log(manager, CREATION, "%s",
-			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
-					   ISC_MSG_SOCKETSREMAIN,
-					   "sockets exist"));
-		WAIT(&manager->shutdown_ok, &manager->lock);
-#else /* USE_WATCHER_THREAD */
-		UNLOCK(&manager->lock);
-		isc__taskmgr_dispatch(NULL);
-		LOCK(&manager->lock);
-#endif /* USE_WATCHER_THREAD */
-	}
-
-	UNLOCK(&manager->lock);
-
-	/*
-	 * Here, poke our select/poll thread.  Do this by closing the write
-	 * half of the pipe, which will send EOF to the read half.
-	 * This is currently a no-op in the non-threaded case.
-	 */
-	select_poke(manager, 0, SELECT_POKE_SHUTDOWN);
-
-#ifdef USE_WATCHER_THREAD
-	/*
-	 * Wait for thread to exit.
-	 */
-	if (isc_thread_join(manager->watcher, NULL) != ISC_R_SUCCESS)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_thread_join() %s",
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-#endif /* USE_WATCHER_THREAD */
-
-	/*
-	 * Clean up.
-	 */
-	cleanup_watcher(manager->mctx, manager);
-
-#ifdef USE_WATCHER_THREAD
-	(void)close(manager->pipe_fds[0]);
-	(void)close(manager->pipe_fds[1]);
-	(void)isc_condition_destroy(&manager->shutdown_ok);
-#endif /* USE_WATCHER_THREAD */
-
-	for (i = 0; i < (int)manager->maxsocks; i++)
-		if (manager->fdstate[i] == CLOSE_PENDING) /* no need to lock */
-			(void)close(i);
-
-	isc_mem_put(manager->mctx, manager->fds,
-		    manager->maxsocks * sizeof(isc__socket_t *));
-	isc_mem_put(manager->mctx, manager->fdstate,
-		    manager->maxsocks * sizeof(int));
-
-	if (manager->stats != NULL)
-		isc_stats_detach(&manager->stats);
-
-	if (manager->fdlock != NULL) {
-		for (i = 0; i < FDLOCK_COUNT; i++)
-			DESTROYLOCK(&manager->fdlock[i]);
-		isc_mem_put(manager->mctx, manager->fdlock,
-			    FDLOCK_COUNT * sizeof(isc_mutex_t));
-	}
-	DESTROYLOCK(&manager->lock);
-	manager->common.magic = 0;
-	manager->common.impmagic = 0;
-	mctx= manager->mctx;
-	isc_mem_put(mctx, manager, sizeof(*manager));
-
-	isc_mem_detach(&mctx);
-
-	*managerp = NULL;
-
-#ifdef USE_SHARED_MANAGER
-	socketmgr = NULL;
-#endif
-}
-
-static isc_result_t
-socket_recv(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
-	    unsigned int flags)
-{
-	int io_state;
-	isc_boolean_t have_lock = ISC_FALSE;
-	isc_task_t *ntask = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	dev->ev_sender = task;
-
-	if (sock->type == isc_sockettype_udp) {
-		io_state = doio_recv(sock, dev);
-	} else {
-		LOCK(&sock->lock);
-		have_lock = ISC_TRUE;
-
-		if (ISC_LIST_EMPTY(sock->recv_list))
-			io_state = doio_recv(sock, dev);
-		else
-			io_state = DOIO_SOFT;
-	}
-
-	switch (io_state) {
-	case DOIO_SOFT:
-		/*
-		 * We couldn't read all or part of the request right now, so
-		 * queue it.
-		 *
-		 * Attach to socket and to task
-		 */
-		isc_task_attach(task, &ntask);
-		dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
-
-		if (!have_lock) {
-			LOCK(&sock->lock);
-			have_lock = ISC_TRUE;
-		}
-
-		/*
-		 * Enqueue the request.  If the socket was previously not being
-		 * watched, poke the watcher to start paying attention to it.
-		 */
-		if (ISC_LIST_EMPTY(sock->recv_list) && !sock->pending_recv)
-			select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
-		ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
-
-		socket_log(sock, NULL, EVENT, NULL, 0, 0,
-			   "socket_recv: event %p -> task %p",
-			   dev, ntask);
-
-		if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
-			result = ISC_R_INPROGRESS;
-		break;
-
-	case DOIO_EOF:
-		dev->result = ISC_R_EOF;
-		/* fallthrough */
-
-	case DOIO_HARD:
-	case DOIO_SUCCESS:
-		if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0)
-			send_recvdone_event(sock, &dev);
-		break;
-	}
-
-	if (have_lock)
-		UNLOCK(&sock->lock);
-
-	return (result);
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_recvv(isc_socket_t *sock0, isc_bufferlist_t *buflist,
-		  unsigned int minimum, isc_task_t *task,
-		  isc_taskaction_t action, const void *arg)
-{
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	isc_socketevent_t *dev;
-	isc__socketmgr_t *manager;
-	unsigned int iocount;
-	isc_buffer_t *buffer;
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE(buflist != NULL);
-	REQUIRE(!ISC_LIST_EMPTY(*buflist));
-	REQUIRE(task != NULL);
-	REQUIRE(action != NULL);
-
-	manager = sock->manager;
-	REQUIRE(VALID_MANAGER(manager));
-
-	iocount = isc_bufferlist_availablecount(buflist);
-	REQUIRE(iocount > 0);
-
-	INSIST(sock->bound);
-
-	dev = allocate_socketevent(sock, ISC_SOCKEVENT_RECVDONE, action, arg);
-	if (dev == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/*
-	 * UDP sockets are always partial read
-	 */
-	if (sock->type == isc_sockettype_udp)
-		dev->minimum = 1;
-	else {
-		if (minimum == 0)
-			dev->minimum = iocount;
-		else
-			dev->minimum = minimum;
-	}
-
-	/*
-	 * Move each buffer from the passed in list to our internal one.
-	 */
-	buffer = ISC_LIST_HEAD(*buflist);
-	while (buffer != NULL) {
-		ISC_LIST_DEQUEUE(*buflist, buffer, link);
-		ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
-		buffer = ISC_LIST_HEAD(*buflist);
-	}
-
-	return (socket_recv(sock, dev, task, 0));
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_recv(isc_socket_t *sock0, isc_region_t *region,
-		 unsigned int minimum, isc_task_t *task,
-		 isc_taskaction_t action, const void *arg)
-{
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	isc_socketevent_t *dev;
-	isc__socketmgr_t *manager;
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE(action != NULL);
-
-	manager = sock->manager;
-	REQUIRE(VALID_MANAGER(manager));
-
-	INSIST(sock->bound);
-
-	dev = allocate_socketevent(sock, ISC_SOCKEVENT_RECVDONE, action, arg);
-	if (dev == NULL)
-		return (ISC_R_NOMEMORY);
-
-	return (isc__socket_recv2(sock0, region, minimum, task, dev, 0));
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_recv2(isc_socket_t *sock0, isc_region_t *region,
-		  unsigned int minimum, isc_task_t *task,
-		  isc_socketevent_t *event, unsigned int flags)
-{
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-
-	event->ev_sender = sock;
-	event->result = ISC_R_UNSET;
-	ISC_LIST_INIT(event->bufferlist);
-	event->region = *region;
-	event->n = 0;
-	event->offset = 0;
-	event->attributes = 0;
-
-	/*
-	 * UDP sockets are always partial read.
-	 */
-	if (sock->type == isc_sockettype_udp)
-		event->minimum = 1;
-	else {
-		if (minimum == 0)
-			event->minimum = region->length;
-		else
-			event->minimum = minimum;
-	}
-
-	return (socket_recv(sock, event, task, flags));
-}
-
-static isc_result_t
-socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
-	    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
-	    unsigned int flags)
-{
-	int io_state;
-	isc_boolean_t have_lock = ISC_FALSE;
-	isc_task_t *ntask = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
-
-	dev->ev_sender = task;
-
-	set_dev_address(address, sock, dev);
-	if (pktinfo != NULL) {
-		dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
-		dev->pktinfo = *pktinfo;
-
-		if (!isc_sockaddr_issitelocal(&dev->address) &&
-		    !isc_sockaddr_islinklocal(&dev->address)) {
-			socket_log(sock, NULL, TRACE, isc_msgcat,
-				   ISC_MSGSET_SOCKET, ISC_MSG_PKTINFOPROVIDED,
-				   "pktinfo structure provided, ifindex %u "
-				   "(set to 0)", pktinfo->ipi6_ifindex);
-
-			/*
-			 * Set the pktinfo index to 0 here, to let the
-			 * kernel decide what interface it should send on.
-			 */
-			dev->pktinfo.ipi6_ifindex = 0;
-		}
-	}
-
-	if (sock->type == isc_sockettype_udp)
-		io_state = doio_send(sock, dev);
-	else {
-		LOCK(&sock->lock);
-		have_lock = ISC_TRUE;
-
-		if (ISC_LIST_EMPTY(sock->send_list))
-			io_state = doio_send(sock, dev);
-		else
-			io_state = DOIO_SOFT;
-	}
-
-	switch (io_state) {
-	case DOIO_SOFT:
-		/*
-		 * We couldn't send all or part of the request right now, so
-		 * queue it unless ISC_SOCKFLAG_NORETRY is set.
-		 */
-		if ((flags & ISC_SOCKFLAG_NORETRY) == 0) {
-			isc_task_attach(task, &ntask);
-			dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
-
-			if (!have_lock) {
-				LOCK(&sock->lock);
-				have_lock = ISC_TRUE;
-			}
-
-			/*
-			 * Enqueue the request.  If the socket was previously
-			 * not being watched, poke the watcher to start
-			 * paying attention to it.
-			 */
-			if (ISC_LIST_EMPTY(sock->send_list) &&
-			    !sock->pending_send)
-				select_poke(sock->manager, sock->fd,
-					    SELECT_POKE_WRITE);
-			ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
-
-			socket_log(sock, NULL, EVENT, NULL, 0, 0,
-				   "socket_send: event %p -> task %p",
-				   dev, ntask);
-
-			if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
-				result = ISC_R_INPROGRESS;
-			break;
-		}
-
-	case DOIO_HARD:
-	case DOIO_SUCCESS:
-		if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0)
-			send_senddone_event(sock, &dev);
-		break;
-	}
-
-	if (have_lock)
-		UNLOCK(&sock->lock);
-
-	return (result);
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_send(isc_socket_t *sock, isc_region_t *region,
-		 isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
-	/*
-	 * REQUIRE() checking is performed in isc_socket_sendto().
-	 */
-	return (isc__socket_sendto(sock, region, task, action, arg, NULL,
-				   NULL));
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_sendto(isc_socket_t *sock0, isc_region_t *region,
-		   isc_task_t *task, isc_taskaction_t action, const void *arg,
-		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
-{
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	isc_socketevent_t *dev;
-	isc__socketmgr_t *manager;
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE(region != NULL);
-	REQUIRE(task != NULL);
-	REQUIRE(action != NULL);
-
-	manager = sock->manager;
-	REQUIRE(VALID_MANAGER(manager));
-
-	INSIST(sock->bound);
-
-	dev = allocate_socketevent(sock, ISC_SOCKEVENT_SENDDONE, action, arg);
-	if (dev == NULL)
-		return (ISC_R_NOMEMORY);
-
-	dev->region = *region;
-
-	return (socket_send(sock, dev, task, address, pktinfo, 0));
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
-	return (isc__socket_sendtov(sock, buflist, task, action, arg, NULL,
-				    NULL));
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_sendtov(isc_socket_t *sock0, isc_bufferlist_t *buflist,
-		    isc_task_t *task, isc_taskaction_t action, const void *arg,
-		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
-{
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	isc_socketevent_t *dev;
-	isc__socketmgr_t *manager;
-	unsigned int iocount;
-	isc_buffer_t *buffer;
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE(buflist != NULL);
-	REQUIRE(!ISC_LIST_EMPTY(*buflist));
-	REQUIRE(task != NULL);
-	REQUIRE(action != NULL);
-
-	manager = sock->manager;
-	REQUIRE(VALID_MANAGER(manager));
-
-	iocount = isc_bufferlist_usedcount(buflist);
-	REQUIRE(iocount > 0);
-
-	dev = allocate_socketevent(sock, ISC_SOCKEVENT_SENDDONE, action, arg);
-	if (dev == NULL)
-		return (ISC_R_NOMEMORY);
-
-	/*
-	 * Move each buffer from the passed in list to our internal one.
-	 */
-	buffer = ISC_LIST_HEAD(*buflist);
-	while (buffer != NULL) {
-		ISC_LIST_DEQUEUE(*buflist, buffer, link);
-		ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
-		buffer = ISC_LIST_HEAD(*buflist);
-	}
-
-	return (socket_send(sock, dev, task, address, pktinfo, 0));
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_sendto2(isc_socket_t *sock0, isc_region_t *region,
-		    isc_task_t *task,
-		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
-		    isc_socketevent_t *event, unsigned int flags)
-{
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE((flags & ~(ISC_SOCKFLAG_IMMEDIATE|ISC_SOCKFLAG_NORETRY)) == 0);
-	if ((flags & ISC_SOCKFLAG_NORETRY) != 0)
-		REQUIRE(sock->type == isc_sockettype_udp);
-	event->ev_sender = sock;
-	event->result = ISC_R_UNSET;
-	ISC_LIST_INIT(event->bufferlist);
-	event->region = *region;
-	event->n = 0;
-	event->offset = 0;
-	event->attributes = 0;
-
-	return (socket_send(sock, event, task, address, pktinfo, flags));
-}
-
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active) {
-#ifdef ISC_PLATFORM_HAVESYSUNH
-	int s;
-	struct stat sb;
-	char strbuf[ISC_STRERRORSIZE];
-
-	if (sockaddr->type.sa.sa_family != AF_UNIX)
-		return;
-
-#ifndef S_ISSOCK
-#if defined(S_IFMT) && defined(S_IFSOCK)
-#define S_ISSOCK(mode) ((mode & S_IFMT)==S_IFSOCK)
-#elif defined(_S_IFMT) && defined(S_IFSOCK)
-#define S_ISSOCK(mode) ((mode & _S_IFMT)==S_IFSOCK)
-#endif
-#endif
-
-#ifndef S_ISFIFO
-#if defined(S_IFMT) && defined(S_IFIFO)
-#define S_ISFIFO(mode) ((mode & S_IFMT)==S_IFIFO)
-#elif defined(_S_IFMT) && defined(S_IFIFO)
-#define S_ISFIFO(mode) ((mode & _S_IFMT)==S_IFIFO)
-#endif
-#endif
-
-#if !defined(S_ISFIFO) && !defined(S_ISSOCK)
-#error You need to define S_ISFIFO and S_ISSOCK as appropriate for your platform.  See <sys/stat.h>.
-#endif
-
-#ifndef S_ISFIFO
-#define S_ISFIFO(mode) 0
-#endif
-
-#ifndef S_ISSOCK
-#define S_ISSOCK(mode) 0
-#endif
-
-	if (active) {
-		if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-				      "isc_socket_cleanunix: stat(%s): %s",
-				      sockaddr->type.sunix.sun_path, strbuf);
-			return;
-		}
-		if (!(S_ISSOCK(sb.st_mode) || S_ISFIFO(sb.st_mode))) {
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-				      "isc_socket_cleanunix: %s: not a socket",
-				      sockaddr->type.sunix.sun_path);
-			return;
-		}
-		if (unlink(sockaddr->type.sunix.sun_path) < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-				      "isc_socket_cleanunix: unlink(%s): %s",
-				      sockaddr->type.sunix.sun_path, strbuf);
-		}
-		return;
-	}
-
-	s = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (s < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
-			      "isc_socket_cleanunix: socket(%s): %s",
-			      sockaddr->type.sunix.sun_path, strbuf);
-		return;
-	}
-
-	if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
-		switch (errno) {
-		case ENOENT:    /* We exited cleanly last time */
-			break;
-		default:
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
-				      "isc_socket_cleanunix: stat(%s): %s",
-				      sockaddr->type.sunix.sun_path, strbuf);
-			break;
-		}
-		goto cleanup;
-	}
-
-	if (!(S_ISSOCK(sb.st_mode) || S_ISFIFO(sb.st_mode))) {
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
-			      "isc_socket_cleanunix: %s: not a socket",
-			      sockaddr->type.sunix.sun_path);
-		goto cleanup;
-	}
-
-	if (connect(s, (struct sockaddr *)&sockaddr->type.sunix,
-		    sizeof(sockaddr->type.sunix)) < 0) {
-		switch (errno) {
-		case ECONNREFUSED:
-		case ECONNRESET:
-			if (unlink(sockaddr->type.sunix.sun_path) < 0) {
-				isc__strerror(errno, strbuf, sizeof(strbuf));
-				isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-					      ISC_LOGMODULE_SOCKET,
-					      ISC_LOG_WARNING,
-					      "isc_socket_cleanunix: "
-					      "unlink(%s): %s",
-					      sockaddr->type.sunix.sun_path,
-					      strbuf);
-			}
-			break;
-		default:
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-				      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
-				      "isc_socket_cleanunix: connect(%s): %s",
-				      sockaddr->type.sunix.sun_path, strbuf);
-			break;
-		}
-	}
- cleanup:
-	close(s);
-#else
-	UNUSED(sockaddr);
-	UNUSED(active);
-#endif
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
-		    isc_uint32_t owner, isc_uint32_t group)
-{
-#ifdef ISC_PLATFORM_HAVESYSUNH
-	isc_result_t result = ISC_R_SUCCESS;
-	char strbuf[ISC_STRERRORSIZE];
-	char path[sizeof(sockaddr->type.sunix.sun_path)];
-#ifdef NEED_SECURE_DIRECTORY
-	char *slash;
-#endif
-
-	REQUIRE(sockaddr->type.sa.sa_family == AF_UNIX);
-	INSIST(strlen(sockaddr->type.sunix.sun_path) < sizeof(path));
-	strcpy(path, sockaddr->type.sunix.sun_path);
-
-#ifdef NEED_SECURE_DIRECTORY
-	slash = strrchr(path, '/');
-	if (slash != NULL) {
-		if (slash != path)
-			*slash = '\0';
-		else
-			strcpy(path, "/");
-	} else
-		strcpy(path, ".");
-#endif
-
-	if (chmod(path, perm) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-			      "isc_socket_permunix: chmod(%s, %d): %s",
-			      path, perm, strbuf);
-		result = ISC_R_FAILURE;
-	}
-	if (chown(path, owner, group) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
-			      "isc_socket_permunix: chown(%s, %d, %d): %s",
-			      path, owner, group,
-			      strbuf);
-		result = ISC_R_FAILURE;
-	}
-	return (result);
-#else
-	UNUSED(sockaddr);
-	UNUSED(perm);
-	UNUSED(owner);
-	UNUSED(group);
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_bind(isc_socket_t *sock0, isc_sockaddr_t *sockaddr,
-		 unsigned int options) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	char strbuf[ISC_STRERRORSIZE];
-	int on = 1;
-
-	REQUIRE(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-
-	INSIST(!sock->bound);
-	INSIST(!sock->dupped);
-
-	if (sock->pf != sockaddr->type.sa.sa_family) {
-		UNLOCK(&sock->lock);
-		return (ISC_R_FAMILYMISMATCH);
-	}
-
-	/*
-	 * Only set SO_REUSEADDR when we want a specific port.
-	 */
-#ifdef AF_UNIX
-	if (sock->pf == AF_UNIX)
-		goto bind_socket;
-#endif
-	if ((options & ISC_SOCKET_REUSEADDRESS) != 0 &&
-	    isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
-	    setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
-		       sizeof(on)) < 0) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "setsockopt(%d) %s", sock->fd,
-				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-						ISC_MSG_FAILED, "failed"));
-		/* Press on... */
-	}
-#ifdef AF_UNIX
- bind_socket:
-#endif
-	if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
-		inc_stats(sock->manager->stats,
-			  sock->statsindex[STATID_BINDFAIL]);
-
-		UNLOCK(&sock->lock);
-		switch (errno) {
-		case EACCES:
-			return (ISC_R_NOPERM);
-		case EADDRNOTAVAIL:
-			return (ISC_R_ADDRNOTAVAIL);
-		case EADDRINUSE:
-			return (ISC_R_ADDRINUSE);
-		case EINVAL:
-			return (ISC_R_BOUND);
-		default:
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__, "bind: %s",
-					 strbuf);
-			return (ISC_R_UNEXPECTED);
-		}
-	}
-
-	socket_log(sock, sockaddr, TRACE,
-		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_BOUND, "bound");
-	sock->bound = 1;
-
-	UNLOCK(&sock->lock);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Enable this only for specific OS versions, and only when they have repaired
- * their problems with it.  Until then, this is is broken and needs to be
- * diabled by default.  See RT22589 for details.
- */
-#undef ENABLE_ACCEPTFILTER
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_filter(isc_socket_t *sock0, const char *filter) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-#if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
-	char strbuf[ISC_STRERRORSIZE];
-	struct accept_filter_arg afa;
-#else
-	UNUSED(sock);
-	UNUSED(filter);
-#endif
-
-	REQUIRE(VALID_SOCKET(sock));
-
-#if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
-	bzero(&afa, sizeof(afa));
-	strncpy(afa.af_name, filter, sizeof(afa.af_name));
-	if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER,
-			 &afa, sizeof(afa)) == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
-			   ISC_MSG_FILTER, "setsockopt(SO_ACCEPTFILTER): %s",
-			   strbuf);
-		return (ISC_R_FAILURE);
-	}
-	return (ISC_R_SUCCESS);
-#else
-	return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-/*
- * Set up to listen on a given socket.  We do this by creating an internal
- * event that will be dispatched when the socket has read activity.  The
- * watcher will send the internal event to the task when there is a new
- * connection.
- *
- * Unlike in read, we don't preallocate a done event here.  Every time there
- * is a new connection we'll have to allocate a new one anyway, so we might
- * as well keep things simple rather than having to track them.
- */
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_listen(isc_socket_t *sock0, unsigned int backlog) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-
-	REQUIRE(!sock->listener);
-	REQUIRE(sock->bound);
-	REQUIRE(sock->type == isc_sockettype_tcp ||
-		sock->type == isc_sockettype_unix);
-
-	if (backlog == 0)
-		backlog = SOMAXCONN;
-
-	if (listen(sock->fd, (int)backlog) < 0) {
-		UNLOCK(&sock->lock);
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "listen: %s", strbuf);
-
-		return (ISC_R_UNEXPECTED);
-	}
-
-	sock->listener = 1;
-
-	UNLOCK(&sock->lock);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * This should try to do aggressive accept() XXXMLG
- */
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_accept(isc_socket_t *sock0,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	isc_socket_newconnev_t *dev;
-	isc__socketmgr_t *manager;
-	isc_task_t *ntask = NULL;
-	isc__socket_t *nsock;
-	isc_result_t result;
-	isc_boolean_t do_poke = ISC_FALSE;
-
-	REQUIRE(VALID_SOCKET(sock));
-	manager = sock->manager;
-	REQUIRE(VALID_MANAGER(manager));
-
-	LOCK(&sock->lock);
-
-	REQUIRE(sock->listener);
-
-	/*
-	 * Sender field is overloaded here with the task we will be sending
-	 * this event to.  Just before the actual event is delivered the
-	 * actual ev_sender will be touched up to be the socket.
-	 */
-	dev = (isc_socket_newconnev_t *)
-		isc_event_allocate(manager->mctx, task, ISC_SOCKEVENT_NEWCONN,
-				   action, arg, sizeof(*dev));
-	if (dev == NULL) {
-		UNLOCK(&sock->lock);
-		return (ISC_R_NOMEMORY);
-	}
-	ISC_LINK_INIT(dev, ev_link);
-
-	result = allocate_socket(manager, sock->type, &nsock);
-	if (result != ISC_R_SUCCESS) {
-		isc_event_free(ISC_EVENT_PTR(&dev));
-		UNLOCK(&sock->lock);
-		return (result);
-	}
-
-	/*
-	 * Attach to socket and to task.
-	 */
-	isc_task_attach(task, &ntask);
-	if (isc_task_exiting(ntask)) {
-		free_socket(&nsock);
-		isc_task_detach(&ntask);
-		isc_event_free(ISC_EVENT_PTR(&dev));
-		UNLOCK(&sock->lock);
-		return (ISC_R_SHUTTINGDOWN);
-	}
-	nsock->references++;
-	nsock->statsindex = sock->statsindex;
-
-	dev->ev_sender = ntask;
-	dev->newsocket = (isc_socket_t *)nsock;
-
-	/*
-	 * Poke watcher here.  We still have the socket locked, so there
-	 * is no race condition.  We will keep the lock for such a short
-	 * bit of time waking it up now or later won't matter all that much.
-	 */
-	if (ISC_LIST_EMPTY(sock->accept_list))
-		do_poke = ISC_TRUE;
-
-	ISC_LIST_ENQUEUE(sock->accept_list, dev, ev_link);
-
-	if (do_poke)
-		select_poke(manager, sock->fd, SELECT_POKE_ACCEPT);
-
-	UNLOCK(&sock->lock);
-	return (ISC_R_SUCCESS);
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_connect(isc_socket_t *sock0, isc_sockaddr_t *addr,
-		   isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	isc_socket_connev_t *dev;
-	isc_task_t *ntask = NULL;
-	isc__socketmgr_t *manager;
-	int cc;
-	char strbuf[ISC_STRERRORSIZE];
-	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE(addr != NULL);
-	REQUIRE(task != NULL);
-	REQUIRE(action != NULL);
-
-	manager = sock->manager;
-	REQUIRE(VALID_MANAGER(manager));
-	REQUIRE(addr != NULL);
-
-	if (isc_sockaddr_ismulticast(addr))
-		return (ISC_R_MULTICAST);
-
-	LOCK(&sock->lock);
-
-	REQUIRE(!sock->connecting);
-
-	dev = (isc_socket_connev_t *)isc_event_allocate(manager->mctx, sock,
-							ISC_SOCKEVENT_CONNECT,
-							action,	arg,
-							sizeof(*dev));
-	if (dev == NULL) {
-		UNLOCK(&sock->lock);
-		return (ISC_R_NOMEMORY);
-	}
-	ISC_LINK_INIT(dev, ev_link);
-
-	/*
-	 * Try to do the connect right away, as there can be only one
-	 * outstanding, and it might happen to complete.
-	 */
-	sock->peer_address = *addr;
-	cc = connect(sock->fd, &addr->type.sa, addr->length);
-	if (cc < 0) {
-		/*
-		 * HP-UX "fails" to connect a UDP socket and sets errno to
-		 * EINPROGRESS if it's non-blocking.  We'd rather regard this as
-		 * a success and let the user detect it if it's really an error
-		 * at the time of sending a packet on the socket.
-		 */
-		if (sock->type == isc_sockettype_udp && errno == EINPROGRESS) {
-			cc = 0;
-			goto success;
-		}
-		if (SOFT_ERROR(errno) || errno == EINPROGRESS)
-			goto queue;
-
-		switch (errno) {
-#define ERROR_MATCH(a, b) case a: dev->result = b; goto err_exit;
-			ERROR_MATCH(EACCES, ISC_R_NOPERM);
-			ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
-			ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
-			ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
-			ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
-#ifdef EHOSTDOWN
-			ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
-#endif
-			ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
-			ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
-			ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
-			ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
-			ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
-#undef ERROR_MATCH
-		}
-
-		sock->connected = 0;
-
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "connect(%s) %d/%s",
-				 addrbuf, errno, strbuf);
-
-		UNLOCK(&sock->lock);
-		inc_stats(sock->manager->stats,
-			  sock->statsindex[STATID_CONNECTFAIL]);
-		isc_event_free(ISC_EVENT_PTR(&dev));
-		return (ISC_R_UNEXPECTED);
-
-	err_exit:
-		sock->connected = 0;
-		isc_task_send(task, ISC_EVENT_PTR(&dev));
-
-		UNLOCK(&sock->lock);
-		inc_stats(sock->manager->stats,
-			  sock->statsindex[STATID_CONNECTFAIL]);
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * If connect completed, fire off the done event.
-	 */
- success:
-	if (cc == 0) {
-		sock->connected = 1;
-		sock->bound = 1;
-		dev->result = ISC_R_SUCCESS;
-		isc_task_send(task, ISC_EVENT_PTR(&dev));
-
-		UNLOCK(&sock->lock);
-
-		inc_stats(sock->manager->stats,
-			  sock->statsindex[STATID_CONNECT]);
-
-		return (ISC_R_SUCCESS);
-	}
-
- queue:
-
-	/*
-	 * Attach to task.
-	 */
-	isc_task_attach(task, &ntask);
-
-	sock->connecting = 1;
-
-	dev->ev_sender = ntask;
-
-	/*
-	 * Poke watcher here.  We still have the socket locked, so there
-	 * is no race condition.  We will keep the lock for such a short
-	 * bit of time waking it up now or later won't matter all that much.
-	 */
-	if (sock->connect_ev == NULL)
-		select_poke(manager, sock->fd, SELECT_POKE_CONNECT);
-
-	sock->connect_ev = dev;
-
-	UNLOCK(&sock->lock);
-	return (ISC_R_SUCCESS);
-}
-
-/*
- * Called when a socket with a pending connect() finishes.
- */
-static void
-internal_connect(isc_task_t *me, isc_event_t *ev) {
-	isc__socket_t *sock;
-	isc_socket_connev_t *dev;
-	isc_task_t *task;
-	int cc;
-	ISC_SOCKADDR_LEN_T optlen;
-	char strbuf[ISC_STRERRORSIZE];
-	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
-
-	UNUSED(me);
-	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
-
-	sock = ev->ev_sender;
-	INSIST(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-
-	/*
-	 * When the internal event was sent the reference count was bumped
-	 * to keep the socket around for us.  Decrement the count here.
-	 */
-	INSIST(sock->references > 0);
-	sock->references--;
-	if (sock->references == 0) {
-		UNLOCK(&sock->lock);
-		destroy(&sock);
-		return;
-	}
-
-	/*
-	 * Has this event been canceled?
-	 */
-	dev = sock->connect_ev;
-	if (dev == NULL) {
-		INSIST(!sock->connecting);
-		UNLOCK(&sock->lock);
-		return;
-	}
-
-	INSIST(sock->connecting);
-	sock->connecting = 0;
-
-	/*
-	 * Get any possible error status here.
-	 */
-	optlen = sizeof(cc);
-	if (getsockopt(sock->fd, SOL_SOCKET, SO_ERROR,
-		       (void *)&cc, (void *)&optlen) < 0)
-		cc = errno;
-	else
-		errno = cc;
-
-	if (errno != 0) {
-		/*
-		 * If the error is EAGAIN, just re-select on this
-		 * fd and pretend nothing strange happened.
-		 */
-		if (SOFT_ERROR(errno) || errno == EINPROGRESS) {
-			sock->connecting = 1;
-			select_poke(sock->manager, sock->fd,
-				    SELECT_POKE_CONNECT);
-			UNLOCK(&sock->lock);
-
-			return;
-		}
-
-		inc_stats(sock->manager->stats,
-			  sock->statsindex[STATID_CONNECTFAIL]);
-
-		/*
-		 * Translate other errors into ISC_R_* flavors.
-		 */
-		switch (errno) {
-#define ERROR_MATCH(a, b) case a: dev->result = b; break;
-			ERROR_MATCH(EACCES, ISC_R_NOPERM);
-			ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
-			ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
-			ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
-			ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
-#ifdef EHOSTDOWN
-			ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
-#endif
-			ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
-			ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
-			ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
-			ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
-			ERROR_MATCH(ETIMEDOUT, ISC_R_TIMEDOUT);
-			ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
-#undef ERROR_MATCH
-		default:
-			dev->result = ISC_R_UNEXPECTED;
-			isc_sockaddr_format(&sock->peer_address, peerbuf,
-					    sizeof(peerbuf));
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "internal_connect: connect(%s) %s",
-					 peerbuf, strbuf);
-		}
-	} else {
-		inc_stats(sock->manager->stats,
-			  sock->statsindex[STATID_CONNECT]);
-		dev->result = ISC_R_SUCCESS;
-		sock->connected = 1;
-		sock->bound = 1;
-	}
-
-	sock->connect_ev = NULL;
-
-	UNLOCK(&sock->lock);
-
-	task = dev->ev_sender;
-	dev->ev_sender = sock;
-	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_getpeername(isc_socket_t *sock0, isc_sockaddr_t *addressp) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	isc_result_t result;
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE(addressp != NULL);
-
-	LOCK(&sock->lock);
-
-	if (sock->connected) {
-		*addressp = sock->peer_address;
-		result = ISC_R_SUCCESS;
-	} else {
-		result = ISC_R_NOTCONNECTED;
-	}
-
-	UNLOCK(&sock->lock);
-
-	return (result);
-}
-
-ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_getsockname(isc_socket_t *sock0, isc_sockaddr_t *addressp) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	ISC_SOCKADDR_LEN_T len;
-	isc_result_t result;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(VALID_SOCKET(sock));
-	REQUIRE(addressp != NULL);
-
-	LOCK(&sock->lock);
-
-	if (!sock->bound) {
-		result = ISC_R_NOTBOUND;
-		goto out;
-	}
-
-	result = ISC_R_SUCCESS;
-
-	len = sizeof(addressp->type);
-	if (getsockname(sock->fd, &addressp->type.sa, (void *)&len) < 0) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "getsockname: %s",
-				 strbuf);
-		result = ISC_R_UNEXPECTED;
-		goto out;
-	}
-	addressp->length = (unsigned int)len;
-
- out:
-	UNLOCK(&sock->lock);
-
-	return (result);
-}
-
-/*
- * Run through the list of events on this socket, and cancel the ones
- * queued for task "task" of type "how".  "how" is a bitmask.
- */
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_cancel(isc_socket_t *sock0, isc_task_t *task, unsigned int how) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-
-	REQUIRE(VALID_SOCKET(sock));
-
-	/*
-	 * Quick exit if there is nothing to do.  Don't even bother locking
-	 * in this case.
-	 */
-	if (how == 0)
-		return;
-
-	LOCK(&sock->lock);
-
-	/*
-	 * All of these do the same thing, more or less.
-	 * Each will:
-	 *	o If the internal event is marked as "posted" try to
-	 *	  remove it from the task's queue.  If this fails, mark it
-	 *	  as canceled instead, and let the task clean it up later.
-	 *	o For each I/O request for that task of that type, post
-	 *	  its done event with status of "ISC_R_CANCELED".
-	 *	o Reset any state needed.
-	 */
-	if (((how & ISC_SOCKCANCEL_RECV) == ISC_SOCKCANCEL_RECV)
-	    && !ISC_LIST_EMPTY(sock->recv_list)) {
-		isc_socketevent_t      *dev;
-		isc_socketevent_t      *next;
-		isc_task_t	       *current_task;
-
-		dev = ISC_LIST_HEAD(sock->recv_list);
-
-		while (dev != NULL) {
-			current_task = dev->ev_sender;
-			next = ISC_LIST_NEXT(dev, ev_link);
-
-			if ((task == NULL) || (task == current_task)) {
-				dev->result = ISC_R_CANCELED;
-				send_recvdone_event(sock, &dev);
-			}
-			dev = next;
-		}
-	}
-
-	if (((how & ISC_SOCKCANCEL_SEND) == ISC_SOCKCANCEL_SEND)
-	    && !ISC_LIST_EMPTY(sock->send_list)) {
-		isc_socketevent_t      *dev;
-		isc_socketevent_t      *next;
-		isc_task_t	       *current_task;
-
-		dev = ISC_LIST_HEAD(sock->send_list);
-
-		while (dev != NULL) {
-			current_task = dev->ev_sender;
-			next = ISC_LIST_NEXT(dev, ev_link);
-
-			if ((task == NULL) || (task == current_task)) {
-				dev->result = ISC_R_CANCELED;
-				send_senddone_event(sock, &dev);
-			}
-			dev = next;
-		}
-	}
-
-	if (((how & ISC_SOCKCANCEL_ACCEPT) == ISC_SOCKCANCEL_ACCEPT)
-	    && !ISC_LIST_EMPTY(sock->accept_list)) {
-		isc_socket_newconnev_t *dev;
-		isc_socket_newconnev_t *next;
-		isc_task_t	       *current_task;
-
-		dev = ISC_LIST_HEAD(sock->accept_list);
-		while (dev != NULL) {
-			current_task = dev->ev_sender;
-			next = ISC_LIST_NEXT(dev, ev_link);
-
-			if ((task == NULL) || (task == current_task)) {
-
-				ISC_LIST_UNLINK(sock->accept_list, dev,
-						ev_link);
-
-				NEWCONNSOCK(dev)->references--;
-				free_socket((isc__socket_t **)&dev->newsocket);
-
-				dev->result = ISC_R_CANCELED;
-				dev->ev_sender = sock;
-				isc_task_sendanddetach(&current_task,
-						       ISC_EVENT_PTR(&dev));
-			}
-
-			dev = next;
-		}
-	}
-
-	/*
-	 * Connecting is not a list.
-	 */
-	if (((how & ISC_SOCKCANCEL_CONNECT) == ISC_SOCKCANCEL_CONNECT)
-	    && sock->connect_ev != NULL) {
-		isc_socket_connev_t    *dev;
-		isc_task_t	       *current_task;
-
-		INSIST(sock->connecting);
-		sock->connecting = 0;
-
-		dev = sock->connect_ev;
-		current_task = dev->ev_sender;
-
-		if ((task == NULL) || (task == current_task)) {
-			sock->connect_ev = NULL;
-
-			dev->result = ISC_R_CANCELED;
-			dev->ev_sender = sock;
-			isc_task_sendanddetach(&current_task,
-					       ISC_EVENT_PTR(&dev));
-		}
-	}
-
-	UNLOCK(&sock->lock);
-}
-
-ISC_SOCKETFUNC_SCOPE isc_sockettype_t
-isc__socket_gettype(isc_socket_t *sock0) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-
-	REQUIRE(VALID_SOCKET(sock));
-
-	return (sock->type);
-}
-
-ISC_SOCKETFUNC_SCOPE isc_boolean_t
-isc__socket_isbound(isc_socket_t *sock0) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-	isc_boolean_t val;
-
-	REQUIRE(VALID_SOCKET(sock));
-
-	LOCK(&sock->lock);
-	val = ((sock->bound) ? ISC_TRUE : ISC_FALSE);
-	UNLOCK(&sock->lock);
-
-	return (val);
-}
-
-ISC_SOCKETFUNC_SCOPE void
-isc__socket_ipv6only(isc_socket_t *sock0, isc_boolean_t yes) {
-	isc__socket_t *sock = (isc__socket_t *)sock0;
-#if defined(IPV6_V6ONLY)
-	int onoff = yes ? 1 : 0;
-#else
-	UNUSED(yes);
-	UNUSED(sock);
-#endif
-
-	REQUIRE(VALID_SOCKET(sock));
-	INSIST(!sock->dupped);
-
-#ifdef IPV6_V6ONLY
-	if (sock->pf == AF_INET6) {
-		if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
-			       (void *)&onoff, sizeof(int)) < 0) {
-			char strbuf[ISC_STRERRORSIZE];
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "setsockopt(%d, IPV6_V6ONLY) "
-					 "%s: %s", sock->fd,
-					 isc_msgcat_get(isc_msgcat,
-							ISC_MSGSET_GENERAL,
-							ISC_MSG_FAILED,
-							"failed"),
-					 strbuf);
-		}
-	}
-	FIX_IPV6_RECVPKTINFO(sock);	/* AIX */
-#endif
-}
-
-#ifndef USE_WATCHER_THREAD
-/*
- * In our assumed scenario, we can simply use a single static object.
- * XXX: this is not true if the application uses multiple threads with
- *      'multi-context' mode.  Fixing this is a future TODO item.
- */
-static isc_socketwait_t swait_private;
-
-int
-isc__socketmgr_waitevents(isc_socketmgr_t *manager0, struct timeval *tvp,
-			  isc_socketwait_t **swaitp)
-{
-	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
-
-
-	int n;
-#ifdef USE_KQUEUE
-	struct timespec ts, *tsp;
-#endif
-#ifdef USE_EPOLL
-	int timeout;
-#endif
-#ifdef USE_DEVPOLL
-	struct dvpoll dvp;
-#endif
-
-	REQUIRE(swaitp != NULL && *swaitp == NULL);
-
-#ifdef USE_SHARED_MANAGER
-	if (manager == NULL)
-		manager = socketmgr;
-#endif
-	if (manager == NULL)
-		return (0);
-
-#ifdef USE_KQUEUE
-	if (tvp != NULL) {
-		ts.tv_sec = tvp->tv_sec;
-		ts.tv_nsec = tvp->tv_usec * 1000;
-		tsp = &ts;
-	} else
-		tsp = NULL;
-	swait_private.nevents = kevent(manager->kqueue_fd, NULL, 0,
-				       manager->events, manager->nevents,
-				       tsp);
-	n = swait_private.nevents;
-#elif defined(USE_EPOLL)
-	if (tvp != NULL)
-		timeout = tvp->tv_sec * 1000 + (tvp->tv_usec + 999) / 1000;
-	else
-		timeout = -1;
-	swait_private.nevents = epoll_wait(manager->epoll_fd,
-					   manager->events,
-					   manager->nevents, timeout);
-	n = swait_private.nevents;
-#elif defined(USE_DEVPOLL)
-	dvp.dp_fds = manager->events;
-	dvp.dp_nfds = manager->nevents;
-	if (tvp != NULL) {
-		dvp.dp_timeout = tvp->tv_sec * 1000 +
-			(tvp->tv_usec + 999) / 1000;
-	} else
-		dvp.dp_timeout = -1;
-	swait_private.nevents = ioctl(manager->devpoll_fd, DP_POLL, &dvp);
-	n = swait_private.nevents;
-#elif defined(USE_SELECT)
-	memcpy(manager->read_fds_copy, manager->read_fds,  manager->fd_bufsize);
-	memcpy(manager->write_fds_copy, manager->write_fds,
-	       manager->fd_bufsize);
-
-	swait_private.readset = manager->read_fds_copy;
-	swait_private.writeset = manager->write_fds_copy;
-	swait_private.maxfd = manager->maxfd + 1;
-
-	n = select(swait_private.maxfd, swait_private.readset,
-		   swait_private.writeset, NULL, tvp);
-#endif
-
-	*swaitp = &swait_private;
-	return (n);
-}
-
-isc_result_t
-isc__socketmgr_dispatch(isc_socketmgr_t *manager0, isc_socketwait_t *swait) {
-	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
-
-	REQUIRE(swait == &swait_private);
-
-#ifdef USE_SHARED_MANAGER
-	if (manager == NULL)
-		manager = socketmgr;
-#endif
-	if (manager == NULL)
-		return (ISC_R_NOTFOUND);
-
-#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
-	(void)process_fds(manager, manager->events, swait->nevents);
-	return (ISC_R_SUCCESS);
-#elif defined(USE_SELECT)
-	process_fds(manager, swait->maxfd, swait->readset, swait->writeset);
-	return (ISC_R_SUCCESS);
-#endif
-}
-#endif /* USE_WATCHER_THREAD */
-
-#ifdef BIND9
-void
-isc__socket_setname(isc_socket_t *socket0, const char *name, void *tag) {
-	isc__socket_t *socket = (isc__socket_t *)socket0;
-
-	/*
-	 * Name 'socket'.
-	 */
-
-	REQUIRE(VALID_SOCKET(socket));
-
-	LOCK(&socket->lock);
-	memset(socket->name, 0, sizeof(socket->name));
-	strncpy(socket->name, name, sizeof(socket->name) - 1);
-	socket->tag = tag;
-	UNLOCK(&socket->lock);
-}
-
-ISC_SOCKETFUNC_SCOPE const char *
-isc__socket_getname(isc_socket_t *socket0) {
-	isc__socket_t *socket = (isc__socket_t *)socket0;
-
-	return (socket->name);
-}
-
-void *
-isc__socket_gettag(isc_socket_t *socket0) {
-	isc__socket_t *socket = (isc__socket_t *)socket0;
-
-	return (socket->tag);
-}
-#endif	/* BIND9 */
-
-#ifdef USE_SOCKETIMPREGISTER
-isc_result_t
-isc__socket_register() {
-	return (isc_socket_register(isc__socketmgr_create));
-}
-#endif
-
-ISC_SOCKETFUNC_SCOPE int
-isc__socket_getfd(isc_socket_t *socket0) {
-	isc__socket_t *socket = (isc__socket_t *)socket0;
-
-	return ((short) socket->fd);
-}
-
-#if defined(HAVE_LIBXML2) && defined(BIND9)
-
-static const char *
-_socktype(isc_sockettype_t type)
-{
-	if (type == isc_sockettype_udp)
-		return ("udp");
-	else if (type == isc_sockettype_tcp)
-		return ("tcp");
-	else if (type == isc_sockettype_unix)
-		return ("unix");
-	else if (type == isc_sockettype_fdwatch)
-		return ("fdwatch");
-	else
-		return ("not-initialized");
-}
-
-#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
-ISC_SOCKETFUNC_SCOPE int
-isc_socketmgr_renderxml(isc_socketmgr_t *mgr0, xmlTextWriterPtr writer) {
-	isc__socketmgr_t *mgr = (isc__socketmgr_t *)mgr0;
-	isc__socket_t *sock = NULL;
-	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
-	isc_sockaddr_t addr;
-	ISC_SOCKADDR_LEN_T len;
-	int xmlrc;
-
-	LOCK(&mgr->lock);
-
-#ifdef USE_SHARED_MANAGER
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "references"));
-	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->refs));
-	TRY0(xmlTextWriterEndElement(writer));
-#endif	/* USE_SHARED_MANAGER */
-
-	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "sockets"));
-	sock = ISC_LIST_HEAD(mgr->socklist);
-	while (sock != NULL) {
-		LOCK(&sock->lock);
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socket"));
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
-		TRY0(xmlTextWriterWriteFormatString(writer, "%p", sock));
-		TRY0(xmlTextWriterEndElement(writer));
-
-		if (sock->name[0] != 0) {
-			TRY0(xmlTextWriterStartElement(writer,
-						       ISC_XMLCHAR "name"));
-			TRY0(xmlTextWriterWriteFormatString(writer, "%s",
-							    sock->name));
-			TRY0(xmlTextWriterEndElement(writer)); /* name */
-		}
-
-		TRY0(xmlTextWriterStartElement(writer,
-					       ISC_XMLCHAR "references"));
-		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
-						    sock->references));
-		TRY0(xmlTextWriterEndElement(writer));
-
-		TRY0(xmlTextWriterWriteElement(writer, ISC_XMLCHAR "type",
-					  ISC_XMLCHAR _socktype(sock->type)));
-
-		if (sock->connected) {
-			isc_sockaddr_format(&sock->peer_address, peerbuf,
-					    sizeof(peerbuf));
-			TRY0(xmlTextWriterWriteElement(writer,
-						  ISC_XMLCHAR "peer-address",
-						  ISC_XMLCHAR peerbuf));
-		}
-
-		len = sizeof(addr);
-		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
-			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
-			TRY0(xmlTextWriterWriteElement(writer,
-						  ISC_XMLCHAR "local-address",
-						  ISC_XMLCHAR peerbuf));
-		}
-
-		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "states"));
-		if (sock->pending_recv)
-			TRY0(xmlTextWriterWriteElement(writer,
-						ISC_XMLCHAR "state",
-						ISC_XMLCHAR "pending-receive"));
-		if (sock->pending_send)
-			TRY0(xmlTextWriterWriteElement(writer,
-						  ISC_XMLCHAR "state",
-						  ISC_XMLCHAR "pending-send"));
-		if (sock->pending_accept)
-			TRY0(xmlTextWriterWriteElement(writer,
-						 ISC_XMLCHAR "state",
-						 ISC_XMLCHAR "pending_accept"));
-		if (sock->listener)
-			TRY0(xmlTextWriterWriteElement(writer,
-						       ISC_XMLCHAR "state",
-						       ISC_XMLCHAR "listener"));
-		if (sock->connected)
-			TRY0(xmlTextWriterWriteElement(writer,
-						     ISC_XMLCHAR "state",
-						     ISC_XMLCHAR "connected"));
-		if (sock->connecting)
-			TRY0(xmlTextWriterWriteElement(writer,
-						    ISC_XMLCHAR "state",
-						    ISC_XMLCHAR "connecting"));
-		if (sock->bound)
-			TRY0(xmlTextWriterWriteElement(writer,
-						       ISC_XMLCHAR "state",
-						       ISC_XMLCHAR "bound"));
-
-		TRY0(xmlTextWriterEndElement(writer)); /* states */
-
-		TRY0(xmlTextWriterEndElement(writer)); /* socket */
-
-		UNLOCK(&sock->lock);
-		sock = ISC_LIST_NEXT(sock, link);
-	}
-	TRY0(xmlTextWriterEndElement(writer)); /* sockets */
-
- error:
-	if (sock != NULL)
-		UNLOCK(&sock->lock);
-
-	UNLOCK(&mgr->lock);
-
-	return (xmlrc);
-}
-#endif /* HAVE_LIBXML2 */
diff --git a/contrib/bind9/lib/isc/unix/socket_p.h b/contrib/bind9/lib/isc/unix/socket_p.h
deleted file mode 100644
index 1316011..0000000
--- a/contrib/bind9/lib/isc/unix/socket_p.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: socket_p.h,v 1.15 2009/09/02 23:48:03 tbox Exp $ */
-
-#ifndef ISC_SOCKET_P_H
-#define ISC_SOCKET_P_H
-
-/*! \file */
-
-#ifdef ISC_PLATFORM_NEEDSYSSELECTH
-#include <sys/select.h>
-#endif
-
-typedef struct isc_socketwait isc_socketwait_t;
-int isc__socketmgr_waitevents(isc_socketmgr_t *, struct timeval *,
-			      isc_socketwait_t **);
-isc_result_t isc__socketmgr_dispatch(isc_socketmgr_t *, isc_socketwait_t *);
-#endif /* ISC_SOCKET_P_H */
diff --git a/contrib/bind9/lib/isc/unix/stdio.c b/contrib/bind9/lib/isc/unix/stdio.c
deleted file mode 100644
index 360c8c6..0000000
--- a/contrib/bind9/lib/isc/unix/stdio.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <errno.h>
-#include <unistd.h>
-
-#include <isc/stdio.h>
-#include <isc/stat.h>
-
-#include "errno2result.h"
-
-isc_result_t
-isc_stdio_open(const char *filename, const char *mode, FILE **fp) {
-	FILE *f;
-
-	f = fopen(filename, mode);
-	if (f == NULL)
-		return (isc__errno2result(errno));
-	*fp = f;
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_stdio_close(FILE *f) {
-	int r;
-
-	r = fclose(f);
-	if (r == 0)
-		return (ISC_R_SUCCESS);
-	else
-		return (isc__errno2result(errno));
-}
-
-isc_result_t
-isc_stdio_seek(FILE *f, long offset, int whence) {
-	int r;
-
-	r = fseek(f, offset, whence);
-	if (r == 0)
-		return (ISC_R_SUCCESS);
-	else
-		return (isc__errno2result(errno));
-}
-
-isc_result_t
-isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f, size_t *nret) {
-	isc_result_t result = ISC_R_SUCCESS;
-	size_t r;
-
-	clearerr(f);
-	r = fread(ptr, size, nmemb, f);
-	if (r != nmemb) {
-		if (feof(f))
-			result = ISC_R_EOF;
-		else
-			result = isc__errno2result(errno);
-	}
-	if (nret != NULL)
-		*nret = r;
-	return (result);
-}
-
-isc_result_t
-isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
-	       size_t *nret)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	size_t r;
-
-	clearerr(f);
-	r = fwrite(ptr, size, nmemb, f);
-	if (r != nmemb)
-		result = isc__errno2result(errno);
-	if (nret != NULL)
-		*nret = r;
-	return (result);
-}
-
-isc_result_t
-isc_stdio_flush(FILE *f) {
-	int r;
-
-	r = fflush(f);
-	if (r == 0)
-		return (ISC_R_SUCCESS);
-	else
-		return (isc__errno2result(errno));
-}
-
-/*
- * OpenBSD has deprecated ENOTSUP in favor of EOPNOTSUPP.
- */
-#if defined(EOPNOTSUPP) && !defined(ENOTSUP)
-#define ENOTSUP EOPNOTSUPP
-#endif
-
-isc_result_t
-isc_stdio_sync(FILE *f) {
-	int r;
-
-	r = fsync(fileno(f));
-	/*
-	 * fsync is not supported on sockets and pipes which
-	 * result in EINVAL / ENOTSUP.
-	 */
-	if (r == 0 || errno == EINVAL || errno == ENOTSUP)
-		return (ISC_R_SUCCESS);
-	else
-		return (isc__errno2result(errno));
-}
-
diff --git a/contrib/bind9/lib/isc/unix/stdtime.c b/contrib/bind9/lib/isc/unix/stdtime.c
deleted file mode 100644
index c5d0c47..0000000
--- a/contrib/bind9/lib/isc/unix/stdtime.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdtime.c,v 1.19 2007/06/19 23:47:18 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>	/* NULL */
-#include <stdlib.h>	/* NULL */
-#include <syslog.h>
-
-#include <sys/time.h>
-
-#include <isc/stdtime.h>
-#include <isc/util.h>
-
-#ifndef ISC_FIX_TV_USEC
-#define ISC_FIX_TV_USEC 1
-#endif
-
-#define US_PER_S 1000000
-
-#if ISC_FIX_TV_USEC
-static inline void
-fix_tv_usec(struct timeval *tv) {
-	isc_boolean_t fixed = ISC_FALSE;
-
-	if (tv->tv_usec < 0) {
-		fixed = ISC_TRUE;
-		do {
-			tv->tv_sec -= 1;
-			tv->tv_usec += US_PER_S;
-		} while (tv->tv_usec < 0);
-	} else if (tv->tv_usec >= US_PER_S) {
-		fixed = ISC_TRUE;
-		do {
-			tv->tv_sec += 1;
-			tv->tv_usec -= US_PER_S;
-		} while (tv->tv_usec >=US_PER_S);
-	}
-	/*
-	 * Call syslog directly as we are called from the logging functions.
-	 */
-	if (fixed)
-		(void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
-}
-#endif
-
-void
-isc_stdtime_get(isc_stdtime_t *t) {
-	struct timeval tv;
-
-	/*
-	 * Set 't' to the number of seconds since 00:00:00 UTC, January 1,
-	 * 1970.
-	 */
-
-	REQUIRE(t != NULL);
-
-	RUNTIME_CHECK(gettimeofday(&tv, NULL) != -1);
-
-#if ISC_FIX_TV_USEC
-	fix_tv_usec(&tv);
-	INSIST(tv.tv_usec >= 0);
-#else
-	INSIST(tv.tv_usec >= 0 && tv.tv_usec < US_PER_S);
-#endif
-
-	*t = (unsigned int)tv.tv_sec;
-}
diff --git a/contrib/bind9/lib/isc/unix/strerror.c b/contrib/bind9/lib/isc/unix/strerror.c
deleted file mode 100644
index caa6659..0000000
--- a/contrib/bind9/lib/isc/unix/strerror.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: strerror.c,v 1.10 2009/02/16 23:48:04 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/strerror.h>
-#include <isc/util.h>
-
-#ifdef HAVE_STRERROR
-/*%
- * We need to do this this way for profiled locks.
- */
-static isc_mutex_t isc_strerror_lock;
-static void init_lock(void) {
-	RUNTIME_CHECK(isc_mutex_init(&isc_strerror_lock) == ISC_R_SUCCESS);
-}
-#else
-extern const char * const sys_errlist[];
-extern const int sys_nerr;
-#endif
-
-void
-isc__strerror(int num, char *buf, size_t size) {
-#ifdef HAVE_STRERROR
-	char *msg;
-	unsigned int unum = (unsigned int)num;
-	static isc_once_t once = ISC_ONCE_INIT;
-
-	REQUIRE(buf != NULL);
-
-	RUNTIME_CHECK(isc_once_do(&once, init_lock) == ISC_R_SUCCESS);
-
-	LOCK(&isc_strerror_lock);
-	msg = strerror(num);
-	if (msg != NULL)
-		snprintf(buf, size, "%s", msg);
-	else
-		snprintf(buf, size, "Unknown error: %u", unum);
-	UNLOCK(&isc_strerror_lock);
-#else
-	unsigned int unum = (unsigned int)num;
-
-	REQUIRE(buf != NULL);
-
-	if (num >= 0 && num < sys_nerr)
-		snprintf(buf, size, "%s", sys_errlist[num]);
-	else
-		snprintf(buf, size, "Unknown error: %u", unum);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/unix/syslog.c b/contrib/bind9/lib/isc/unix/syslog.c
deleted file mode 100644
index 997508e..0000000
--- a/contrib/bind9/lib/isc/unix/syslog.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: syslog.c,v 1.8 2007/09/13 04:45:18 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <syslog.h>
-
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/syslog.h>
-#include <isc/util.h>
-
-static struct dsn_c_pvt_sfnt {
-	int val;
-	const char *strval;
-} facilities[] = {
-	{ LOG_KERN,			"kern" },
-	{ LOG_USER,			"user" },
-	{ LOG_MAIL,			"mail" },
-	{ LOG_DAEMON,			"daemon" },
-	{ LOG_AUTH,			"auth" },
-	{ LOG_SYSLOG,			"syslog" },
-	{ LOG_LPR,			"lpr" },
-#ifdef LOG_NEWS
-	{ LOG_NEWS,			"news" },
-#endif
-#ifdef LOG_UUCP
-	{ LOG_UUCP,			"uucp" },
-#endif
-#ifdef LOG_CRON
-	{ LOG_CRON,			"cron" },
-#endif
-#ifdef LOG_AUTHPRIV
-	{ LOG_AUTHPRIV,			"authpriv" },
-#endif
-#ifdef LOG_FTP
-	{ LOG_FTP,			"ftp" },
-#endif
-	{ LOG_LOCAL0,			"local0"},
-	{ LOG_LOCAL1,			"local1"},
-	{ LOG_LOCAL2,			"local2"},
-	{ LOG_LOCAL3,			"local3"},
-	{ LOG_LOCAL4,			"local4"},
-	{ LOG_LOCAL5,			"local5"},
-	{ LOG_LOCAL6,			"local6"},
-	{ LOG_LOCAL7,			"local7"},
-	{ 0,				NULL }
-};
-
-isc_result_t
-isc_syslog_facilityfromstring(const char *str, int *facilityp) {
-	int i;
-
-	REQUIRE(str != NULL);
-	REQUIRE(facilityp != NULL);
-
-	for (i = 0; facilities[i].strval != NULL; i++) {
-		if (strcasecmp(facilities[i].strval, str) == 0) {
-			*facilityp = facilities[i].val;
-			return (ISC_R_SUCCESS);
-		}
-	}
-	return (ISC_R_NOTFOUND);
-
-}
diff --git a/contrib/bind9/lib/isc/unix/time.c b/contrib/bind9/lib/isc/unix/time.c
deleted file mode 100644
index e820afb..0000000
--- a/contrib/bind9/lib/isc/unix/time.c
+++ /dev/null
@@ -1,420 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <errno.h>
-#include <limits.h>
-#include <syslog.h>
-#include <time.h>
-
-#include <sys/time.h>	/* Required for struct timeval on some platforms. */
-
-#include <isc/log.h>
-#include <isc/print.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#define NS_PER_S	1000000000	/*%< Nanoseconds per second. */
-#define NS_PER_US	1000		/*%< Nanoseconds per microsecond. */
-#define US_PER_S	1000000		/*%< Microseconds per second. */
-
-/*
- * All of the INSIST()s checks of nanoseconds < NS_PER_S are for
- * consistency checking of the type. In lieu of magic numbers, it
- * is the best we've got.  The check is only performed on functions which
- * need an initialized type.
- */
-
-#ifndef ISC_FIX_TV_USEC
-#define ISC_FIX_TV_USEC 1
-#endif
-
-/*%
- *** Intervals
- ***/
-
-static const isc_interval_t zero_interval = { 0, 0 };
-const isc_interval_t * const isc_interval_zero = &zero_interval;
-
-#if ISC_FIX_TV_USEC
-static inline void
-fix_tv_usec(struct timeval *tv) {
-	isc_boolean_t fixed = ISC_FALSE;
-
-	if (tv->tv_usec < 0) {
-		fixed = ISC_TRUE;
-		do {
-			tv->tv_sec -= 1;
-			tv->tv_usec += US_PER_S;
-		} while (tv->tv_usec < 0);
-	} else if (tv->tv_usec >= US_PER_S) {
-		fixed = ISC_TRUE;
-		do {
-			tv->tv_sec += 1;
-			tv->tv_usec -= US_PER_S;
-		} while (tv->tv_usec >=US_PER_S);
-	}
-	/*
-	 * Call syslog directly as was are called from the logging functions.
-	 */
-	if (fixed)
-		(void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
-}
-#endif
-
-void
-isc_interval_set(isc_interval_t *i,
-		 unsigned int seconds, unsigned int nanoseconds)
-{
-	REQUIRE(i != NULL);
-	REQUIRE(nanoseconds < NS_PER_S);
-
-	i->seconds = seconds;
-	i->nanoseconds = nanoseconds;
-}
-
-isc_boolean_t
-isc_interval_iszero(const isc_interval_t *i) {
-	REQUIRE(i != NULL);
-	INSIST(i->nanoseconds < NS_PER_S);
-
-	if (i->seconds == 0 && i->nanoseconds == 0)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-
-/***
- *** Absolute Times
- ***/
-
-static const isc_time_t epoch = { 0, 0 };
-const isc_time_t * const isc_time_epoch = &epoch;
-
-void
-isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds) {
-	REQUIRE(t != NULL);
-	REQUIRE(nanoseconds < NS_PER_S);
-
-	t->seconds = seconds;
-	t->nanoseconds = nanoseconds;
-}
-
-void
-isc_time_settoepoch(isc_time_t *t) {
-	REQUIRE(t != NULL);
-
-	t->seconds = 0;
-	t->nanoseconds = 0;
-}
-
-isc_boolean_t
-isc_time_isepoch(const isc_time_t *t) {
-	REQUIRE(t != NULL);
-	INSIST(t->nanoseconds < NS_PER_S);
-
-	if (t->seconds == 0 && t->nanoseconds == 0)
-		return (ISC_TRUE);
-
-	return (ISC_FALSE);
-}
-
-
-isc_result_t
-isc_time_now(isc_time_t *t) {
-	struct timeval tv;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(t != NULL);
-
-	if (gettimeofday(&tv, NULL) == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
-		return (ISC_R_UNEXPECTED);
-	}
-
-	/*
-	 * Does POSIX guarantee the signedness of tv_sec and tv_usec?  If not,
-	 * then this test will generate warnings for platforms on which it is
-	 * unsigned.  In any event, the chances of any of these problems
-	 * happening are pretty much zero, but since the libisc library ensures
-	 * certain things to be true ...
-	 */
-#if ISC_FIX_TV_USEC
-	fix_tv_usec(&tv);
-	if (tv.tv_sec < 0)
-		return (ISC_R_UNEXPECTED);
-#else
-	if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
-		return (ISC_R_UNEXPECTED);
-#endif
-
-	/*
-	 * Ensure the tv_sec value fits in t->seconds.
-	 */
-	if (sizeof(tv.tv_sec) > sizeof(t->seconds) &&
-	    ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
-		return (ISC_R_RANGE);
-
-	t->seconds = tv.tv_sec;
-	t->nanoseconds = tv.tv_usec * NS_PER_US;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
-	struct timeval tv;
-	char strbuf[ISC_STRERRORSIZE];
-
-	REQUIRE(t != NULL);
-	REQUIRE(i != NULL);
-	INSIST(i->nanoseconds < NS_PER_S);
-
-	if (gettimeofday(&tv, NULL) == -1) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
-		return (ISC_R_UNEXPECTED);
-	}
-
-	/*
-	 * Does POSIX guarantee the signedness of tv_sec and tv_usec?  If not,
-	 * then this test will generate warnings for platforms on which it is
-	 * unsigned.  In any event, the chances of any of these problems
-	 * happening are pretty much zero, but since the libisc library ensures
-	 * certain things to be true ...
-	 */
-#if ISC_FIX_TV_USEC
-	fix_tv_usec(&tv);
-	if (tv.tv_sec < 0)
-		return (ISC_R_UNEXPECTED);
-#else
-	if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
-		return (ISC_R_UNEXPECTED);
-#endif
-
-	/*
-	 * Ensure the resulting seconds value fits in the size of an
-	 * unsigned int.  (It is written this way as a slight optimization;
-	 * note that even if both values == INT_MAX, then when added
-	 * and getting another 1 added below the result is UINT_MAX.)
-	 */
-	if ((tv.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
-	    ((long long)tv.tv_sec + i->seconds > UINT_MAX))
-		return (ISC_R_RANGE);
-
-	t->seconds = tv.tv_sec + i->seconds;
-	t->nanoseconds = tv.tv_usec * NS_PER_US + i->nanoseconds;
-	if (t->nanoseconds >= NS_PER_S) {
-		t->seconds++;
-		t->nanoseconds -= NS_PER_S;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-int
-isc_time_compare(const isc_time_t *t1, const isc_time_t *t2) {
-	REQUIRE(t1 != NULL && t2 != NULL);
-	INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
-
-	if (t1->seconds < t2->seconds)
-		return (-1);
-	if (t1->seconds > t2->seconds)
-		return (1);
-	if (t1->nanoseconds < t2->nanoseconds)
-		return (-1);
-	if (t1->nanoseconds > t2->nanoseconds)
-		return (1);
-	return (0);
-}
-
-isc_result_t
-isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result)
-{
-	REQUIRE(t != NULL && i != NULL && result != NULL);
-	INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
-
-	/*
-	 * Ensure the resulting seconds value fits in the size of an
-	 * unsigned int.  (It is written this way as a slight optimization;
-	 * note that even if both values == INT_MAX, then when added
-	 * and getting another 1 added below the result is UINT_MAX.)
-	 */
-	if ((t->seconds > INT_MAX || i->seconds > INT_MAX) &&
-	    ((long long)t->seconds + i->seconds > UINT_MAX))
-		return (ISC_R_RANGE);
-
-	result->seconds = t->seconds + i->seconds;
-	result->nanoseconds = t->nanoseconds + i->nanoseconds;
-	if (result->nanoseconds >= NS_PER_S) {
-		result->seconds++;
-		result->nanoseconds -= NS_PER_S;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
-		  isc_time_t *result)
-{
-	REQUIRE(t != NULL && i != NULL && result != NULL);
-	INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
-
-	if ((unsigned int)t->seconds < i->seconds ||
-	    ((unsigned int)t->seconds == i->seconds &&
-	     t->nanoseconds < i->nanoseconds))
-	    return (ISC_R_RANGE);
-
-	result->seconds = t->seconds - i->seconds;
-	if (t->nanoseconds >= i->nanoseconds)
-		result->nanoseconds = t->nanoseconds - i->nanoseconds;
-	else {
-		result->nanoseconds = NS_PER_S - i->nanoseconds +
-			t->nanoseconds;
-		result->seconds--;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_uint64_t
-isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) {
-	isc_uint64_t i1, i2, i3;
-
-	REQUIRE(t1 != NULL && t2 != NULL);
-	INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
-
-	i1 = (isc_uint64_t)t1->seconds * NS_PER_S + t1->nanoseconds;
-	i2 = (isc_uint64_t)t2->seconds * NS_PER_S + t2->nanoseconds;
-
-	if (i1 <= i2)
-		return (0);
-
-	i3 = i1 - i2;
-
-	/*
-	 * Convert to microseconds.
-	 */
-	i3 /= NS_PER_US;
-
-	return (i3);
-}
-
-isc_uint32_t
-isc_time_seconds(const isc_time_t *t) {
-	REQUIRE(t != NULL);
-	INSIST(t->nanoseconds < NS_PER_S);
-
-	return ((isc_uint32_t)t->seconds);
-}
-
-isc_result_t
-isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) {
-	time_t seconds;
-
-	REQUIRE(t != NULL);
-	INSIST(t->nanoseconds < NS_PER_S);
-
-	/*
-	 * Ensure that the number of seconds represented by t->seconds
-	 * can be represented by a time_t.  Since t->seconds is an unsigned
-	 * int and since time_t is mostly opaque, this is trickier than
-	 * it seems.  (This standardized opaqueness of time_t is *very*
-	 * frustrating; time_t is not even limited to being an integral
-	 * type.)
-	 *
-	 * The mission, then, is to avoid generating any kind of warning
-	 * about "signed versus unsigned" while trying to determine if the
-	 * the unsigned int t->seconds is out range for tv_sec, which is
-	 * pretty much only true if time_t is a signed integer of the same
-	 * size as the return value of isc_time_seconds.
-	 *
-	 * If the paradox in the if clause below is true, t->seconds is out
-	 * of range for time_t.
-	 */
-	seconds = (time_t)t->seconds;
-
-	INSIST(sizeof(unsigned int) == sizeof(isc_uint32_t));
-	INSIST(sizeof(time_t) >= sizeof(isc_uint32_t));
-
-	if (t->seconds > (~0U>>1) && seconds <= (time_t)(~0U>>1))
-		return (ISC_R_RANGE);
-
-	*secondsp = seconds;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_uint32_t
-isc_time_nanoseconds(const isc_time_t *t) {
-	REQUIRE(t != NULL);
-
-	ENSURE(t->nanoseconds < NS_PER_S);
-
-	return ((isc_uint32_t)t->nanoseconds);
-}
-
-void
-isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
-	time_t now;
-	unsigned int flen;
-
-	REQUIRE(len > 0);
-
-	now = (time_t) t->seconds;
-	flen = strftime(buf, len, "%d-%b-%Y %X", localtime(&now));
-	INSIST(flen < len);
-	if (flen != 0)
-		snprintf(buf + flen, len - flen,
-			 ".%03u", t->nanoseconds / 1000000);
-	else
-		snprintf(buf, len, "99-Bad-9999 99:99:99.999");
-}
-
-void
-isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len) {
-	time_t now;
-	unsigned int flen;
-
-	REQUIRE(len > 0);
-
-	now = (time_t)t->seconds;
-	flen = strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT", gmtime(&now));
-	INSIST(flen < len);
-}
-
-void
-isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len) {
-	time_t now;
-	unsigned int flen;
-
-	REQUIRE(len > 0);
-
-	now = (time_t)t->seconds;
-	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
-	INSIST(flen < len);
-}
diff --git a/contrib/bind9/lib/isc/version.c b/contrib/bind9/lib/isc/version.c
deleted file mode 100644
index bfe4d6d..0000000
--- a/contrib/bind9/lib/isc/version.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.15 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! \file */
-
-#include <isc/version.h>
-
-const char isc_version[] = VERSION;
-
-const unsigned int isc_libinterface = LIBINTERFACE;
-const unsigned int isc_librevision = LIBREVISION;
-const unsigned int isc_libage = LIBAGE;
diff --git a/contrib/bind9/lib/isc/x86_32/Makefile.in b/contrib/bind9/lib/isc/x86_32/Makefile.in
deleted file mode 100644
index 9c24cdf..0000000
--- a/contrib/bind9/lib/isc/x86_32/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/x86_32/include/Makefile.in b/contrib/bind9/lib/isc/x86_32/include/Makefile.in
deleted file mode 100644
index e399559..0000000
--- a/contrib/bind9/lib/isc/x86_32/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/x86_32/include/isc/Makefile.in b/contrib/bind9/lib/isc/x86_32/include/isc/Makefile.in
deleted file mode 100644
index 4927e21..0000000
--- a/contrib/bind9/lib/isc/x86_32/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	atomic.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/x86_32/include/isc/atomic.h b/contrib/bind9/lib/isc/x86_32/include/isc/atomic.h
deleted file mode 100644
index bf2148c..0000000
--- a/contrib/bind9/lib/isc/x86_32/include/isc/atomic.h
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * Copyright (C) 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: atomic.h,v 1.10 2008/01/24 23:47:00 tbox Exp $ */
-
-#ifndef ISC_ATOMIC_H
-#define ISC_ATOMIC_H 1
-
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#ifdef ISC_PLATFORM_USEGCCASM
-/*
- * This routine atomically increments the value stored in 'p' by 'val', and
- * returns the previous value.
- */
-static __inline__ isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	isc_int32_t prev = val;
-
-	__asm__ volatile(
-#ifdef ISC_PLATFORM_USETHREADS
-		"lock;"
-#endif
-		"xadd %0, %1"
-		:"=q"(prev)
-		:"m"(*p), "0"(prev)
-		:"memory", "cc");
-
-	return (prev);
-}
-
-#ifdef ISC_PLATFORM_HAVEXADDQ
-static __inline__ isc_int64_t
-isc_atomic_xaddq(isc_int64_t *p, isc_int64_t val) {
-	isc_int64_t prev = val;
-
-	__asm__ volatile(
-#ifdef ISC_PLATFORM_USETHREADS
-	    "lock;"
-#endif
-	    "xaddq %0, %1"
-	    :"=q"(prev)
-	    :"m"(*p), "0"(prev)
-	    :"memory", "cc");
-
-	return (prev);
-}
-#endif /* ISC_PLATFORM_HAVEXADDQ */
-
-/*
- * This routine atomically stores the value 'val' in 'p'.
- */
-static __inline__ void
-isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	__asm__ volatile(
-#ifdef ISC_PLATFORM_USETHREADS
-		/*
-		 * xchg should automatically lock memory, but we add it
-		 * explicitly just in case (it at least doesn't harm)
-		 */
-		"lock;"
-#endif
-
-		"xchgl %1, %0"
-		:
-		: "r"(val), "m"(*p)
-		: "memory");
-}
-
-/*
- * This routine atomically replaces the value in 'p' with 'val', if the
- * original value is equal to 'cmpval'.  The original value is returned in any
- * case.
- */
-static __inline__ isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
-	__asm__ volatile(
-#ifdef ISC_PLATFORM_USETHREADS
-		"lock;"
-#endif
-		"cmpxchgl %1, %2"
-		: "=a"(cmpval)
-		: "r"(val), "m"(*p), "a"(cmpval)
-		: "memory");
-
-	return (cmpval);
-}
-
-#elif defined(ISC_PLATFORM_USESTDASM)
-/*
- * The followings are "generic" assembly code which implements the same
- * functionality in case the gcc extension cannot be used.  It should be
- * better to avoid inlining below, since we directly refer to specific
- * positions of the stack frame, which would not actually point to the
- * intended address in the embedded mnemonic.
- */
-#include <isc/util.h>		/* for 'UNUSED' macro */
-
-static isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(val);
-
-	__asm (
-		"movl 8(%ebp), %ecx\n"
-		"movl 12(%ebp), %edx\n"
-#ifdef ISC_PLATFORM_USETHREADS
-		"lock;"
-#endif
-		"xadd %edx, (%ecx)\n"
-
-		/*
-		 * set the return value directly in the register so that we
-		 * can avoid guessing the correct position in the stack for a
-		 * local variable.
-		 */
-		"movl %edx, %eax"
-		);
-}
-
-static void
-isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(val);
-
-	__asm (
-		"movl 8(%ebp), %ecx\n"
-		"movl 12(%ebp), %edx\n"
-#ifdef ISC_PLATFORM_USETHREADS
-		"lock;"
-#endif
-		"xchgl (%ecx), %edx\n"
-		);
-}
-
-static isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(cmpval);
-	UNUSED(val);
-
-	__asm (
-		"movl 8(%ebp), %ecx\n"
-		"movl 12(%ebp), %eax\n"	/* must be %eax for cmpxchgl */
-		"movl 16(%ebp), %edx\n"
-#ifdef ISC_PLATFORM_USETHREADS
-		"lock;"
-#endif
-
-		/*
-		 * If (%ecx) == %eax then (%ecx) := %edx.
-		 % %eax is set to old (%ecx), which will be the return value.
-		 */
-		"cmpxchgl %edx, (%ecx)"
-		);
-}
-#else /* !ISC_PLATFORM_USEGCCASM && !ISC_PLATFORM_USESTDASM */
-
-#error "unsupported compiler.  disable atomic ops by --disable-atomic"
-
-#endif
-#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isc/x86_64/Makefile.in b/contrib/bind9/lib/isc/x86_64/Makefile.in
deleted file mode 100644
index 9c24cdf..0000000
--- a/contrib/bind9/lib/isc/x86_64/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/x86_64/include/Makefile.in b/contrib/bind9/lib/isc/x86_64/include/Makefile.in
deleted file mode 100644
index e399559..0000000
--- a/contrib/bind9/lib/isc/x86_64/include/Makefile.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/x86_64/include/isc/Makefile.in b/contrib/bind9/lib/isc/x86_64/include/isc/Makefile.in
deleted file mode 100644
index 9a988bb..0000000
--- a/contrib/bind9/lib/isc/x86_64/include/isc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2 2007/09/14 04:10:00 marka Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS =	atomic.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
-	done
diff --git a/contrib/bind9/lib/isc/x86_64/include/isc/atomic.h b/contrib/bind9/lib/isc/x86_64/include/isc/atomic.h
deleted file mode 100644
index f57bd2a..0000000
--- a/contrib/bind9/lib/isc/x86_64/include/isc/atomic.h
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * Copyright (C) 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: atomic.h,v 1.6 2008/01/24 23:47:00 tbox Exp $ */
-
-#ifndef ISC_ATOMIC_H
-#define ISC_ATOMIC_H 1
-
-#include <isc/platform.h>
-#include <isc/types.h>
-
-#ifdef ISC_PLATFORM_USEGCCASM
-
-/* We share the gcc-version with x86_32 */
-#error "impossible case.  check build configuration"
-
-#elif defined(ISC_PLATFORM_USESTDASM)
-/*
- * The followings are "generic" assembly code which implements the same
- * functionality in case the gcc extension cannot be used.  It should be
- * better to avoid inlining below, since we directly refer to specific
- * registers for arguments, which would not actually correspond to the
- * intended address or value in the embedded mnemonic.
- */
-#include <isc/util.h>		/* for 'UNUSED' macro */
-
-static isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(val);
-
-	__asm (
-		"movq %rdi, %rdx\n"
-		"movl %esi, %eax\n"
-#ifdef ISC_PLATFORM_USETHREADS
-		"lock;"
-#endif
-		"xadd %eax, (%rdx)\n"
-		/*
-		 * XXX: assume %eax will be used as the return value.
-		 */
-		);
-}
-
-#ifdef ISC_PLATFORM_HAVEXADDQ
-static isc_int64_t
-isc_atomic_xaddq(isc_int64_t *p, isc_int64_t val) {
-	UNUSED(p);
-	UNUSED(val);
-
-	__asm (
-		"movq %rdi, %rdx\n"
-		"movq %rsi, %rax\n"
-#ifdef ISC_PLATFORM_USETHREADS
-		"lock;"
-#endif
-		"xaddq %rax, (%rdx)\n"
-		/*
-		 * XXX: assume %rax will be used as the return value.
-		 */
-		);
-}
-#endif
-
-static void
-isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(val);
-
-	__asm (
-		"movq %rdi, %rax\n"
-		"movl %esi, %edx\n"
-#ifdef ISC_PLATFORM_USETHREADS
-		"lock;"
-#endif
-		"xchgl (%rax), %edx\n"
-		/*
-		 * XXX: assume %rax will be used as the return value.
-		 */
-		);
-}
-
-static isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(cmpval);
-	UNUSED(val);
-
-	__asm (
-		"movl %edx, %ecx\n"
-		"movl %esi, %eax\n"
-		"movq %rdi, %rdx\n"
-
-#ifdef ISC_PLATFORM_USETHREADS
-		"lock;"
-#endif
-		/*
-		 * If (%rdi) == %eax then (%rdi) := %edx.
-		 * %eax is set to old (%ecx), which will be the return value.
-		 */
-		"cmpxchgl %ecx, (%rdx)"
-		);
-}
-
-#else /* !ISC_PLATFORM_USEGCCASM && !ISC_PLATFORM_USESTDASM */
-
-#error "unsupported compiler.  disable atomic ops by --disable-atomic"
-
-#endif
-#endif /* ISC_ATOMIC_H */
diff --git a/contrib/bind9/lib/isccc/Makefile.in b/contrib/bind9/lib/isccc/Makefile.in
deleted file mode 100644
index efa8341..0000000
--- a/contrib/bind9/lib/isccc/Makefile.in
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright (C) 2004, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001, 2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBISCCC_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-ISCCCDEPLIBS =	libisccc.@A@
-
-LIBS =		@LIBS@
-
-SUBDIRS =	include
-
-# Alphabetically
-OBJS =		alist.@O@ base64.@O@ cc.@O@ ccmsg.@O@ \
-		lib.@O@ \
-		result.@O@ sexpr.@O@ symtab.@O@ version.@O@
-
-# Alphabetically
-SRCS =		alist.c base64.c cc.c ccmsg.c \
-		lib.c \
-		result.c sexpr.c symtab.c version.c
-
-
-TARGETS = 	timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libisccc.@SA@: ${OBJS}
-	${AR} ${ARFLAGS} $@ ${OBJS}
-	${RANLIB} $@
-
-libisccc.la: ${OBJS}
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccc.la -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${ISCLIBS} ${LIBS}
-
-timestamp: libisccc.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccc.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
-	rm -f libisccc.@A@ timestamp
diff --git a/contrib/bind9/lib/isccc/alist.c b/contrib/bind9/lib/isccc/alist.c
deleted file mode 100644
index 4f1743e..0000000
--- a/contrib/bind9/lib/isccc/alist.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: alist.c,v 1.8 2007/08/28 07:20:43 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isccc/alist.h>
-#include <isc/assertions.h>
-#include <isccc/result.h>
-#include <isccc/sexpr.h>
-#include <isccc/util.h>
-
-#define CAR(s)			(s)->value.as_dottedpair.car
-#define CDR(s)			(s)->value.as_dottedpair.cdr
-
-#define ALIST_TAG		"*alist*"
-#define MAX_INDENT		64
-
-static char spaces[MAX_INDENT + 1] = 
-	"                                                                ";
-
-isccc_sexpr_t *
-isccc_alist_create(void)
-{
-	isccc_sexpr_t *alist, *tag;
-
-	tag = isccc_sexpr_fromstring(ALIST_TAG);
-	if (tag == NULL)
-		return (NULL);
-	alist = isccc_sexpr_cons(tag, NULL);
-	if (alist == NULL) {
-		isccc_sexpr_free(&tag);
-		return (NULL);
-	}
-
-	return (alist);
-}
-
-isc_boolean_t
-isccc_alist_alistp(isccc_sexpr_t *alist)
-{
-	isccc_sexpr_t *car;
-
-	if (alist == NULL || alist->type != ISCCC_SEXPRTYPE_DOTTEDPAIR)
-		return (ISC_FALSE);
-	car = CAR(alist);
-	if (car == NULL || car->type != ISCCC_SEXPRTYPE_STRING)
-		return (ISC_FALSE);
-	if (strcmp(car->value.as_string, ALIST_TAG) != 0)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-isc_boolean_t
-isccc_alist_emptyp(isccc_sexpr_t *alist)
-{
-	REQUIRE(isccc_alist_alistp(alist));
-
-	if (CDR(alist) == NULL)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isccc_sexpr_t *
-isccc_alist_first(isccc_sexpr_t *alist)
-{
-	REQUIRE(isccc_alist_alistp(alist));
-
-	return (CDR(alist));
-}
-
-isccc_sexpr_t *
-isccc_alist_assq(isccc_sexpr_t *alist, const char *key)
-{
-	isccc_sexpr_t *car, *caar;
-
-	REQUIRE(isccc_alist_alistp(alist));
-
-	/*
-	 * Skip alist type tag.
-	 */
-	alist = CDR(alist);
-
-	while (alist != NULL) {
-		INSIST(alist->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-		car = CAR(alist);
-		INSIST(car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-		caar = CAR(car);
-		if (caar->type == ISCCC_SEXPRTYPE_STRING &&
-		    strcmp(caar->value.as_string, key) == 0)
-			return (car);
-		alist = CDR(alist);
-	}
-
-	return (NULL);
-}
-
-void
-isccc_alist_delete(isccc_sexpr_t *alist, const char *key)
-{
-	isccc_sexpr_t *car, *caar, *rest, *prev;
-
-	REQUIRE(isccc_alist_alistp(alist));
-
-	prev = alist;
-	rest = CDR(alist);
-	while (rest != NULL) {
-		INSIST(rest->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-		car = CAR(rest);
-		INSIST(car != NULL && car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-		caar = CAR(car);
-		if (caar->type == ISCCC_SEXPRTYPE_STRING &&
-		    strcmp(caar->value.as_string, key) == 0) {
-			CDR(prev) = CDR(rest);
-			CDR(rest) = NULL;
-			isccc_sexpr_free(&rest);
-			break;
-		}
-		prev = rest;
-		rest = CDR(rest);
-	}
-}
-
-isccc_sexpr_t *
-isccc_alist_define(isccc_sexpr_t *alist, const char *key, isccc_sexpr_t *value)
-{
-	isccc_sexpr_t *kv, *k, *elt;
-
-	kv = isccc_alist_assq(alist, key);
-	if (kv == NULL) {
-		/*
-		 * New association.
-		 */
-		k = isccc_sexpr_fromstring(key);
-		if (k == NULL)
-			return (NULL);
-		kv = isccc_sexpr_cons(k, value);
-		if (kv == NULL) {
-			isccc_sexpr_free(&kv);
-			return (NULL);
-		}
-		elt = isccc_sexpr_addtolist(&alist, kv);
-		if (elt == NULL) {
-			isccc_sexpr_free(&kv);
-			return (NULL);
-		}
-	} else {
-		/*
-		 * We've already got an entry for this key.  Replace it.
-		 */
-		isccc_sexpr_free(&CDR(kv));
-		CDR(kv) = value;
-	}
-
-	return (kv);
-}
-
-isccc_sexpr_t *
-isccc_alist_definestring(isccc_sexpr_t *alist, const char *key, const char *str)
-{
-	isccc_sexpr_t *v, *kv;
-
-	v = isccc_sexpr_fromstring(str);
-	if (v == NULL)
-		return (NULL);
-	kv = isccc_alist_define(alist, key, v);
-	if (kv == NULL)
-		isccc_sexpr_free(&v);
-
-	return (kv);
-}
-
-isccc_sexpr_t *
-isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key, isccc_region_t *r)
-{
-	isccc_sexpr_t *v, *kv;
-
-	v = isccc_sexpr_frombinary(r);
-	if (v == NULL)
-		return (NULL);
-	kv = isccc_alist_define(alist, key, v);
-	if (kv == NULL)
-		isccc_sexpr_free(&v);
-
-	return (kv);
-}
-
-isccc_sexpr_t *
-isccc_alist_lookup(isccc_sexpr_t *alist, const char *key)
-{
-	isccc_sexpr_t *kv;
-
-	kv = isccc_alist_assq(alist, key);
-	if (kv != NULL)
-		return (CDR(kv));
-	return (NULL);
-}
-
-isc_result_t
-isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
-{
-	isccc_sexpr_t *kv, *v;
-
-	kv = isccc_alist_assq(alist, key);
-	if (kv != NULL) {
-		v = CDR(kv);
-		if (isccc_sexpr_stringp(v)) {
-			if (strp != NULL)
-				*strp = isccc_sexpr_tostring(v);
-			return (ISC_R_SUCCESS);
-		} else
-			return (ISC_R_EXISTS);
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key, isccc_region_t **r)
-{
-	isccc_sexpr_t *kv, *v;
-
-	kv = isccc_alist_assq(alist, key);
-	if (kv != NULL) {
-		v = CDR(kv);
-		if (isccc_sexpr_binaryp(v)) {
-			if (r != NULL)
-				*r = isccc_sexpr_tobinary(v);
-			return (ISC_R_SUCCESS);
-		} else
-			return (ISC_R_EXISTS);
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-void
-isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent, FILE *stream)
-{
-	isccc_sexpr_t *elt, *kv, *k, *v;
-
-	if (isccc_alist_alistp(sexpr)) {
-		fprintf(stream, "{\n");
-		indent += 4;
-		for (elt = isccc_alist_first(sexpr);
-		     elt != NULL;
-		     elt = CDR(elt)) {
-			kv = CAR(elt);
-			INSIST(isccc_sexpr_listp(kv));
-			k = CAR(kv);
-			v = CDR(kv);
-			INSIST(isccc_sexpr_stringp(k));
-			fprintf(stream, "%.*s%s => ", (int)indent, spaces,
-				isccc_sexpr_tostring(k));
-			isccc_alist_prettyprint(v, indent, stream);
-			if (CDR(elt) != NULL)
-				fprintf(stream, ",");
-			fprintf(stream, "\n");
-		}
-		indent -= 4;
-		fprintf(stream, "%.*s}", (int)indent, spaces);
-	} else if (isccc_sexpr_listp(sexpr)) {
-		fprintf(stream, "(\n");
-		indent += 4;
-		for (elt = sexpr;
-		     elt != NULL;
-		     elt = CDR(elt)) {
-			fprintf(stream, "%.*s", (int)indent, spaces);
-			isccc_alist_prettyprint(CAR(elt), indent, stream);
-			if (CDR(elt) != NULL)
-				fprintf(stream, ",");
-			fprintf(stream, "\n");
-		}
-		indent -= 4;
-		fprintf(stream, "%.*s)", (int)indent, spaces);
-	} else
-		isccc_sexpr_print(sexpr, stream);
-}
diff --git a/contrib/bind9/lib/isccc/api b/contrib/bind9/lib/isccc/api
deleted file mode 100644
index 47724c5..0000000
--- a/contrib/bind9/lib/isccc/api
+++ /dev/null
@@ -1,9 +0,0 @@
-# LIBINTERFACE ranges
-# 9.6: 50-59, 110-119
-# 9.7: 60-79
-# 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-LIBINTERFACE = 90
-LIBREVISION = 3
-LIBAGE = 0
diff --git a/contrib/bind9/lib/isccc/base64.c b/contrib/bind9/lib/isccc/base64.c
deleted file mode 100644
index 78b34ed..0000000
--- a/contrib/bind9/lib/isccc/base64.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base64.c,v 1.8 2007/08/28 07:20:43 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/region.h>
-#include <isc/result.h>
-
-#include <isccc/base64.h>
-#include <isccc/result.h>
-#include <isccc/util.h>
-
-isc_result_t
-isccc_base64_encode(isccc_region_t *source, int wordlength,
-		  const char *wordbreak, isccc_region_t *target)
-{
-	isc_region_t sr;
-	isc_buffer_t tb;
-	isc_result_t result;
-
-	sr.base = source->rstart;
-	sr.length = source->rend - source->rstart;
-	isc_buffer_init(&tb, target->rstart, target->rend - target->rstart);
-
-	result = isc_base64_totext(&sr, wordlength, wordbreak, &tb);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	source->rstart = source->rend;
-	target->rstart = isc_buffer_used(&tb);
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_base64_decode(const char *cstr, isccc_region_t *target) {
-	isc_buffer_t b;
-	isc_result_t result;
-
-	isc_buffer_init(&b, target->rstart, target->rend - target->rstart);
-	result = isc_base64_decodestring(cstr, &b);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	target->rstart = isc_buffer_used(&b);
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isccc/cc.c b/contrib/bind9/lib/isccc/cc.c
deleted file mode 100644
index 07f8157..0000000
--- a/contrib/bind9/lib/isccc/cc.c
+++ /dev/null
@@ -1,853 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cc.c,v 1.18 2007/08/28 07:20:43 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#include <isc/assertions.h>
-#include <isc/hmacmd5.h>
-#include <isc/print.h>
-#include <isc/stdlib.h>
-
-#include <isccc/alist.h>
-#include <isccc/base64.h>
-#include <isccc/cc.h>
-#include <isccc/result.h>
-#include <isccc/sexpr.h>
-#include <isccc/symtab.h>
-#include <isccc/symtype.h>
-#include <isccc/util.h>
-
-#define MAX_TAGS		256
-#define DUP_LIFETIME		900
-
-typedef isccc_sexpr_t *sexpr_ptr;
-
-static unsigned char auth_hmd5[] = {
-	0x05, 0x5f, 0x61, 0x75, 0x74, 0x68,		/*%< len + _auth */
-	ISCCC_CCMSGTYPE_TABLE,				/*%< message type */
-	0x00, 0x00, 0x00, 0x20,				/*%< length == 32 */
-	0x04, 0x68, 0x6d, 0x64, 0x35,			/*%< len + hmd5 */
-	ISCCC_CCMSGTYPE_BINARYDATA,			/*%< message type */
-	0x00, 0x00, 0x00, 0x16,				/*%< length == 22 */
-	/*
-	 * The base64 encoding of one of our HMAC-MD5 signatures is
-	 * 22 bytes.
-	 */
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-#define HMD5_OFFSET	21		/*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
-#define HMD5_LENGTH	22
-
-static isc_result_t
-table_towire(isccc_sexpr_t *alist, isccc_region_t *target);
-
-static isc_result_t
-list_towire(isccc_sexpr_t *alist, isccc_region_t *target);
-
-static isc_result_t
-value_towire(isccc_sexpr_t *elt, isccc_region_t *target)
-{
-	size_t len;
-	unsigned char *lenp;
-	isccc_region_t *vr;
-	isc_result_t result;
-
-	if (isccc_sexpr_binaryp(elt)) {
-		vr = isccc_sexpr_tobinary(elt);
-		len = REGION_SIZE(*vr);
-		if (REGION_SIZE(*target) < 1 + 4 + len)
-			return (ISC_R_NOSPACE);
-		PUT8(ISCCC_CCMSGTYPE_BINARYDATA, target->rstart);
-		PUT32(len, target->rstart);
-		if (REGION_SIZE(*target) < len)
-			return (ISC_R_NOSPACE);
-		PUT_MEM(vr->rstart, len, target->rstart);
-	} else if (isccc_alist_alistp(elt)) {
-		if (REGION_SIZE(*target) < 1 + 4)
-			return (ISC_R_NOSPACE);
-		PUT8(ISCCC_CCMSGTYPE_TABLE, target->rstart);
-		/*
-		 * Emit a placeholder length.
-		 */
-		lenp = target->rstart;
-		PUT32(0, target->rstart);
-		/*
-		 * Emit the table.
-		 */
-		result = table_towire(elt, target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		len = (size_t)(target->rstart - lenp);
-		/*
-		 * 'len' is 4 bytes too big, since it counts
-		 * the placeholder length too.  Adjust and
-		 * emit.
-		 */
-		INSIST(len >= 4U);
-		len -= 4;
-		PUT32(len, lenp);
-	} else if (isccc_sexpr_listp(elt)) {
-		if (REGION_SIZE(*target) < 1 + 4)
-			return (ISC_R_NOSPACE);
-		PUT8(ISCCC_CCMSGTYPE_LIST, target->rstart);
-		/*
-		 * Emit a placeholder length and count.
-		 */
-		lenp = target->rstart;
-		PUT32(0, target->rstart);
-		/*
-		 * Emit the list.
-		 */
-		result = list_towire(elt, target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		len = (size_t)(target->rstart - lenp);
-		/*
-		 * 'len' is 4 bytes too big, since it counts
-		 * the placeholder length.  Adjust and emit.
-		 */
-		INSIST(len >= 4U);
-		len -= 4;
-		PUT32(len, lenp);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-table_towire(isccc_sexpr_t *alist, isccc_region_t *target)
-{
-	isccc_sexpr_t *kv, *elt, *k, *v;
-	char *ks;
-	isc_result_t result;
-	size_t len;
-
-	for (elt = isccc_alist_first(alist);
-	     elt != NULL;
-	     elt = ISCCC_SEXPR_CDR(elt)) {
-		kv = ISCCC_SEXPR_CAR(elt);
-		k = ISCCC_SEXPR_CAR(kv);
-		ks = isccc_sexpr_tostring(k);
-		v = ISCCC_SEXPR_CDR(kv);
-		len = strlen(ks);
-		INSIST(len <= 255U);
-		/*
-		 * Emit the key name.
-		 */
-		if (REGION_SIZE(*target) < 1 + len)
-			return (ISC_R_NOSPACE);
-		PUT8(len, target->rstart);
-		PUT_MEM(ks, len, target->rstart);
-		/*
-		 * Emit the value.
-		 */
-		result = value_towire(v, target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-list_towire(isccc_sexpr_t *list, isccc_region_t *target)
-{
-	isc_result_t result;
-
-	while (list != NULL) {
-		result = value_towire(ISCCC_SEXPR_CAR(list), target);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		list = ISCCC_SEXPR_CDR(list);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-sign(unsigned char *data, unsigned int length, unsigned char *hmd5,
-     isccc_region_t *secret)
-{
-	isc_hmacmd5_t ctx;
-	isc_result_t result;
-	isccc_region_t source, target;
-	unsigned char digest[ISC_MD5_DIGESTLENGTH];
-	unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
-
-	isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
-	isc_hmacmd5_update(&ctx, data, length);
-	isc_hmacmd5_sign(&ctx, digest);
-	source.rstart = digest;
-	source.rend = digest + ISC_MD5_DIGESTLENGTH;
-	target.rstart = digestb64;
-	target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
-	result = isccc_base64_encode(&source, 64, "", &target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	PUT_MEM(digestb64, HMD5_LENGTH, hmd5);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
-	      isccc_region_t *secret)
-{
-	unsigned char *hmd5_rstart, *signed_rstart;
-	isc_result_t result;
-
-	if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
-		return (ISC_R_NOSPACE);
-	/*
-	 * Emit protocol version.
-	 */
-	PUT32(1, target->rstart);
-	if (secret != NULL) {
-		/*
-		 * Emit _auth section with zeroed HMAC-MD5 signature.
-		 * We'll replace the zeros with the real signature once
-		 * we know what it is.
-		 */
-		hmd5_rstart = target->rstart + HMD5_OFFSET;
-		PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
-	} else
-		hmd5_rstart = NULL;
-	signed_rstart = target->rstart;
-	/*
-	 * Delete any existing _auth section so that we don't try
-	 * to encode it.
-	 */
-	isccc_alist_delete(alist, "_auth");
-	/*
-	 * Emit the message.
-	 */
-	result = table_towire(alist, target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	if (secret != NULL)
-		return (sign(signed_rstart, (target->rstart - signed_rstart),
-			     hmd5_rstart, secret));
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
-       isccc_region_t *secret)
-{
-	isc_hmacmd5_t ctx;
-	isccc_region_t source;
-	isccc_region_t target;
-	isc_result_t result;
-	isccc_sexpr_t *_auth, *hmd5;
-	unsigned char digest[ISC_MD5_DIGESTLENGTH];
-	unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
-
-	/*
-	 * Extract digest.
-	 */
-	_auth = isccc_alist_lookup(alist, "_auth");
-	if (_auth == NULL)
-		return (ISC_R_FAILURE);
-	hmd5 = isccc_alist_lookup(_auth, "hmd5");
-	if (hmd5 == NULL)
-		return (ISC_R_FAILURE);
-	/*
-	 * Compute digest.
-	 */
-	isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
-	isc_hmacmd5_update(&ctx, data, length);
-	isc_hmacmd5_sign(&ctx, digest);
-	source.rstart = digest;
-	source.rend = digest + ISC_MD5_DIGESTLENGTH;
-	target.rstart = digestb64;
-	target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
-	result = isccc_base64_encode(&source, 64, "", &target);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	/*
-	 * Strip trailing == and NUL terminate target.
-	 */
-	target.rstart -= 2;
-	*target.rstart++ = '\0';
-	/*
-	 * Verify.
-	 */
-	if (strcmp((char *)digestb64, isccc_sexpr_tostring(hmd5)) != 0)
-		return (ISCCC_R_BADAUTH);
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-table_fromwire(isccc_region_t *source, isccc_region_t *secret,
-	       isccc_sexpr_t **alistp);
-
-static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
-
-static isc_result_t
-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
-{
-	unsigned int msgtype;
-	isc_uint32_t len;
-	isccc_sexpr_t *value;
-	isccc_region_t active;
-	isc_result_t result;
-
-	if (REGION_SIZE(*source) < 1 + 4)
-		return (ISC_R_UNEXPECTEDEND);
-	GET8(msgtype, source->rstart);
-	GET32(len, source->rstart);
-	if (REGION_SIZE(*source) < len)
-		return (ISC_R_UNEXPECTEDEND);
-	active.rstart = source->rstart;
-	active.rend = active.rstart + len;
-	source->rstart = active.rend;
-	if (msgtype == ISCCC_CCMSGTYPE_BINARYDATA) {
-		value = isccc_sexpr_frombinary(&active);
-		if (value != NULL) {
-			*valuep = value;
-			result = ISC_R_SUCCESS;
-		} else
-			result = ISC_R_NOMEMORY;
-	} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
-		result = table_fromwire(&active, NULL, valuep);
-	else if (msgtype == ISCCC_CCMSGTYPE_LIST)
-		result = list_fromwire(&active, valuep);
-	else
-		result = ISCCC_R_SYNTAX;
-
-	return (result);
-}
-
-static isc_result_t
-table_fromwire(isccc_region_t *source, isccc_region_t *secret,
-	       isccc_sexpr_t **alistp)
-{
-	char key[256];
-	isc_uint32_t len;
-	isc_result_t result;
-	isccc_sexpr_t *alist, *value;
-	isc_boolean_t first_tag;
-	unsigned char *checksum_rstart;
-
-	REQUIRE(alistp != NULL && *alistp == NULL);
-
-	checksum_rstart = NULL;
-	first_tag = ISC_TRUE;
-	alist = isccc_alist_create();
-	if (alist == NULL)
-		return (ISC_R_NOMEMORY);
-
-	while (!REGION_EMPTY(*source)) {
-		GET8(len, source->rstart);
-		if (REGION_SIZE(*source) < len) {
-			result = ISC_R_UNEXPECTEDEND;
-			goto bad;
-		}
-		GET_MEM(key, len, source->rstart);
-		key[len] = '\0';	/* Ensure NUL termination. */
-		value = NULL;
-		result = value_fromwire(source, &value);
-		if (result != ISC_R_SUCCESS)
-			goto bad;
-		if (isccc_alist_define(alist, key, value) == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto bad;
-		}
-		if (first_tag && secret != NULL && strcmp(key, "_auth") == 0)
-			checksum_rstart = source->rstart;
-		first_tag = ISC_FALSE;
-	}
-
-	if (secret != NULL) {
-		if (checksum_rstart != NULL)
-			result = verify(alist, checksum_rstart,
-					(source->rend - checksum_rstart),
-					secret);
-		else
-			result = ISCCC_R_BADAUTH;
-	} else
-		result = ISC_R_SUCCESS;
-
- bad:
-	if (result == ISC_R_SUCCESS)
-		*alistp = alist;
-	else
-		isccc_sexpr_free(&alist);
-
-	return (result);
-}
-
-static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp)
-{
-	isccc_sexpr_t *list, *value;
-	isc_result_t result;
-
-	list = NULL;
-	while (!REGION_EMPTY(*source)) {
-		value = NULL;
-		result = value_fromwire(source, &value);
-		if (result != ISC_R_SUCCESS) {
-			isccc_sexpr_free(&list);
-			return (result);
-		}
-		if (isccc_sexpr_addtolist(&list, value) == NULL) {
-			isccc_sexpr_free(&value);
-			isccc_sexpr_free(&list);
-			return (result);
-		}
-	}
-
-	*listp = list;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
-		isccc_region_t *secret)
-{
-	unsigned int size;
-	isc_uint32_t version;
-
-	size = REGION_SIZE(*source);
-	if (size < 4)
-		return (ISC_R_UNEXPECTEDEND);
-	GET32(version, source->rstart);
-	if (version != 1)
-		return (ISCCC_R_UNKNOWNVERSION);
-
-	return (table_fromwire(source, secret, alistp));
-}
-
-static isc_result_t
-createmessage(isc_uint32_t version, const char *from, const char *to,
-	      isc_uint32_t serial, isccc_time_t now,
-	      isccc_time_t expires, isccc_sexpr_t **alistp,
-	      isc_boolean_t want_expires)
-{
-	isccc_sexpr_t *alist, *_ctrl, *_data;
-	isc_result_t result;
-
-	REQUIRE(alistp != NULL && *alistp == NULL);
-
-	if (version != 1)
-		return (ISCCC_R_UNKNOWNVERSION);
-
-	alist = isccc_alist_create();
-	if (alist == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = ISC_R_NOMEMORY;
-
-	_ctrl = isccc_alist_create();
-	if (_ctrl == NULL)
-		goto bad;
-	if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL) {
-		isccc_sexpr_free(&_ctrl);
-		goto bad;
-	}
-
-	_data = isccc_alist_create();
-	if (_data == NULL)
-		goto bad;
-	if (isccc_alist_define(alist, "_data", _data) == NULL) {
-		isccc_sexpr_free(&_data);
-		goto bad;
-	}
-
-	if (isccc_cc_defineuint32(_ctrl, "_ser", serial) == NULL ||
-	    isccc_cc_defineuint32(_ctrl, "_tim", now) == NULL ||
-	    (want_expires &&
-	     isccc_cc_defineuint32(_ctrl, "_exp", expires) == NULL))
-		goto bad;
-	if (from != NULL &&
-	    isccc_cc_definestring(_ctrl, "_frm", from) == NULL)
-		goto bad;
-	if (to != NULL &&
-	    isccc_cc_definestring(_ctrl, "_to", to) == NULL)
-		goto bad;
-
-	*alistp = alist;
-
-	return (ISC_R_SUCCESS);
-
- bad:
-	isccc_sexpr_free(&alist);
-
-	return (result);
-}
-
-isc_result_t
-isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
-		     isc_uint32_t serial, isccc_time_t now,
-		     isccc_time_t expires, isccc_sexpr_t **alistp)
-{
-	return (createmessage(version, from, to, serial, now, expires,
-			      alistp, ISC_TRUE));
-}
-
-isc_result_t
-isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
-		 isccc_sexpr_t **ackp)
-{
-	char *_frm, *_to;
-	isc_uint32_t serial;
-	isccc_sexpr_t *ack, *_ctrl;
-	isc_result_t result;
-	isccc_time_t t;
-
-	REQUIRE(ackp != NULL && *ackp == NULL);
-
-	_ctrl = isccc_alist_lookup(message, "_ctrl");
-	if (_ctrl == NULL ||
-	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
-	    isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
-		return (ISC_R_FAILURE);
-	/*
-	 * _frm and _to are optional.
-	 */
-	_frm = NULL;
-	(void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
-	_to = NULL;
-	(void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
-	/*
-	 * Create the ack.
-	 */
-	ack = NULL;
-	result = createmessage(1, _to, _frm, serial, t, 0, &ack, ISC_FALSE);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	_ctrl = isccc_alist_lookup(ack, "_ctrl");
-	if (_ctrl == NULL) {
-		result = ISC_R_FAILURE;
-		goto bad;
-	}
-	if (isccc_cc_definestring(ack, "_ack", (ok) ? "1" : "0") == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto bad;
-	}
-
-	*ackp = ack;
-
-	return (ISC_R_SUCCESS);
-
- bad:
-	isccc_sexpr_free(&ack);
-
-	return (result);
-}
-
-isc_boolean_t
-isccc_cc_isack(isccc_sexpr_t *message)
-{
-	isccc_sexpr_t *_ctrl;
-
-	_ctrl = isccc_alist_lookup(message, "_ctrl");
-	if (_ctrl == NULL)
-		return (ISC_FALSE);
-	if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-isccc_cc_isreply(isccc_sexpr_t *message)
-{
-	isccc_sexpr_t *_ctrl;
-
-	_ctrl = isccc_alist_lookup(message, "_ctrl");
-	if (_ctrl == NULL)
-		return (ISC_FALSE);
-	if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_result_t
-isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
-		      isccc_time_t expires, isccc_sexpr_t **alistp)
-{
-	char *_frm, *_to, *type = NULL;
-	isc_uint32_t serial;
-	isccc_sexpr_t *alist, *_ctrl, *_data;
-	isc_result_t result;
-
-	REQUIRE(alistp != NULL && *alistp == NULL);
-
-	_ctrl = isccc_alist_lookup(message, "_ctrl");
-	_data = isccc_alist_lookup(message, "_data");
-	if (_ctrl == NULL || _data == NULL ||
-	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
-	    isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
-		return (ISC_R_FAILURE);
-	/*
-	 * _frm and _to are optional.
-	 */
-	_frm = NULL;
-	(void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
-	_to = NULL;
-	(void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
-	/*
-	 * Create the response.
-	 */
-	alist = NULL;
-	result = isccc_cc_createmessage(1, _to, _frm, serial, now, expires,
-					 &alist);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	_ctrl = isccc_alist_lookup(alist, "_ctrl");
-	if (_ctrl == NULL) {
-		result = ISC_R_FAILURE;
-		goto bad;
-	}
-
-	_data = isccc_alist_lookup(alist, "_data");
-	if (_data == NULL) {
-		result = ISC_R_FAILURE;
-		goto bad;
-	}
-
-	if (isccc_cc_definestring(_ctrl, "_rpl", "1") == NULL ||
-	    isccc_cc_definestring(_data, "type", type) == NULL)
-	{
-		result = ISC_R_NOMEMORY;
-		goto bad;
-	}
-
-	*alistp = alist;
-
-	return (ISC_R_SUCCESS);
-
- bad:
-	isccc_sexpr_free(&alist);
-	return (result);
-}
-
-isccc_sexpr_t *
-isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str)
-{
-	size_t len;
-	isccc_region_t r;
-
-	len = strlen(str);
-	DE_CONST(str, r.rstart);
-	r.rend = r.rstart + len;
-
-	return (isccc_alist_definebinary(alist, key, &r));
-}
-
-isccc_sexpr_t *
-isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, isc_uint32_t i)
-{
-	char b[100];
-	size_t len;
-	isccc_region_t r;
-
-	snprintf(b, sizeof(b), "%u", i);
-	len = strlen(b);
-	r.rstart = (unsigned char *)b;
-	r.rend = (unsigned char *)b + len;
-
-	return (isccc_alist_definebinary(alist, key, &r));
-}
-
-isc_result_t
-isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
-{
-	isccc_sexpr_t *kv, *v;
-
-	REQUIRE(strp == NULL || *strp == NULL);
-
-	kv = isccc_alist_assq(alist, key);
-	if (kv != NULL) {
-		v = ISCCC_SEXPR_CDR(kv);
-		if (isccc_sexpr_binaryp(v)) {
-			if (strp != NULL)
-				*strp = isccc_sexpr_tostring(v);
-			return (ISC_R_SUCCESS);
-		} else
-			return (ISC_R_EXISTS);
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
-		       isc_uint32_t *uintp)
-{
-	isccc_sexpr_t *kv, *v;
-
-	kv = isccc_alist_assq(alist, key);
-	if (kv != NULL) {
-		v = ISCCC_SEXPR_CDR(kv);
-		if (isccc_sexpr_binaryp(v)) {
-			if (uintp != NULL)
-				*uintp = (isc_uint32_t)
-					strtoul(isccc_sexpr_tostring(v),
-						NULL, 10);
-			return (ISC_R_SUCCESS);
-		} else
-			return (ISC_R_EXISTS);
-	}
-
-	return (ISC_R_NOTFOUND);
-}
-
-static void
-symtab_undefine(char *key, unsigned int type, isccc_symvalue_t value,
-		void *arg)
-{
-	UNUSED(type);
-	UNUSED(value);
-	UNUSED(arg);
-
-	free(key);
-}
-
-static isc_boolean_t
-symtab_clean(char *key, unsigned int type, isccc_symvalue_t value,
-	     void *arg)
-{
-	isccc_time_t *now;
-
-	UNUSED(key);
-	UNUSED(type);
-
-	now = arg;
-
-	if (*now < value.as_uinteger)
-		return (ISC_FALSE);
-	if ((*now - value.as_uinteger) < DUP_LIFETIME)
-		return (ISC_FALSE);
-	return (ISC_TRUE);
-}
-
-isc_result_t
-isccc_cc_createsymtab(isccc_symtab_t **symtabp)
-{
-	return (isccc_symtab_create(11897, symtab_undefine, NULL, ISC_FALSE,
-				  symtabp));
-}
-
-void
-isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now)
-{
-	isccc_symtab_foreach(symtab, symtab_clean, &now);
-}
-
-static isc_boolean_t
-has_whitespace(const char *str)
-{
-	char c;
-
-	if (str == NULL)
-		return (ISC_FALSE);
-	while ((c = *str++) != '\0') {
-		if (c == ' ' || c == '\t' || c == '\n')
-			return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-isc_result_t
-isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
-		isccc_time_t now)
-{
-	const char *_frm;
-	const char *_to;
-	char *_ser = NULL, *_tim = NULL, *tmp;
-	isc_result_t result;
-	char *key;
-	size_t len;
-	isccc_symvalue_t value;
-	isccc_sexpr_t *_ctrl;
-
-	_ctrl = isccc_alist_lookup(message, "_ctrl");
-	if (_ctrl == NULL ||
-	    isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
-	    isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
-		return (ISC_R_FAILURE);
-
-	INSIST(_ser != NULL);
-	INSIST(_tim != NULL);
-
-	/*
-	 * _frm and _to are optional.
-	 */
-	tmp = NULL;
-	if (isccc_cc_lookupstring(_ctrl, "_frm", &tmp) != ISC_R_SUCCESS)
-		_frm = "";
-	else
-		_frm = tmp;
-	tmp = NULL;
-	if (isccc_cc_lookupstring(_ctrl, "_to", &tmp) != ISC_R_SUCCESS)
-		_to = "";
-	else
-		_to = tmp;
-	/*
-	 * Ensure there is no newline in any of the strings.  This is so
-	 * we can write them to a file later.
-	 */
-	if (has_whitespace(_frm) || has_whitespace(_to) ||
-	    has_whitespace(_ser) || has_whitespace(_tim))
-		return (ISC_R_FAILURE);
-	len = strlen(_frm) + strlen(_to) + strlen(_ser) + strlen(_tim) + 4;
-	key = malloc(len);
-	if (key == NULL)
-		return (ISC_R_NOMEMORY);
-	snprintf(key, len, "%s;%s;%s;%s", _frm, _to, _ser, _tim);
-	value.as_uinteger = now;
-	result = isccc_symtab_define(symtab, key, ISCCC_SYMTYPE_CCDUP, value,
-				   isccc_symexists_reject);
-	if (result != ISC_R_SUCCESS) {
-		free(key);
-		return (result);
-	}
-
-	return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isccc/ccmsg.c b/contrib/bind9/lib/isccc/ccmsg.c
deleted file mode 100644
index 298fc22..0000000
--- a/contrib/bind9/lib/isccc/ccmsg.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ccmsg.c,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <isccc/events.h>
-#include <isccc/ccmsg.h>
-
-#define CCMSG_MAGIC		ISC_MAGIC('C', 'C', 'm', 's')
-#define VALID_CCMSG(foo)	ISC_MAGIC_VALID(foo, CCMSG_MAGIC)
-
-static void recv_length(isc_task_t *, isc_event_t *);
-static void recv_message(isc_task_t *, isc_event_t *);
-
-
-static void
-recv_length(isc_task_t *task, isc_event_t *ev_in) {
-	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
-	isc_event_t *dev;
-	isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
-	isc_region_t region;
-	isc_result_t result;
-
-	INSIST(VALID_CCMSG(ccmsg));
-
-	dev = &ccmsg->event;
-
-	if (ev->result != ISC_R_SUCCESS) {
-		ccmsg->result = ev->result;
-		goto send_and_free;
-	}
-
-	/*
-	 * Success.
-	 */
-	ccmsg->size = ntohl(ccmsg->size);
-	if (ccmsg->size == 0) {
-		ccmsg->result = ISC_R_UNEXPECTEDEND;
-		goto send_and_free;
-	}
-	if (ccmsg->size > ccmsg->maxsize) {
-		ccmsg->result = ISC_R_RANGE;
-		goto send_and_free;
-	}
-
-	region.base = isc_mem_get(ccmsg->mctx, ccmsg->size);
-	region.length = ccmsg->size;
-	if (region.base == NULL) {
-		ccmsg->result = ISC_R_NOMEMORY;
-		goto send_and_free;
-	}
-
-	isc_buffer_init(&ccmsg->buffer, region.base, region.length);
-	result = isc_socket_recv(ccmsg->sock, &region, 0,
-				 task, recv_message, ccmsg);
-	if (result != ISC_R_SUCCESS) {
-		ccmsg->result = result;
-		goto send_and_free;
-	}
-
-	isc_event_free(&ev_in);
-	return;
-
- send_and_free:
-	isc_task_send(ccmsg->task, &dev);
-	ccmsg->task = NULL;
-	isc_event_free(&ev_in);
-	return;
-}
-
-static void
-recv_message(isc_task_t *task, isc_event_t *ev_in) {
-	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
-	isc_event_t *dev;
-	isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
-
-	(void)task;
-
-	INSIST(VALID_CCMSG(ccmsg));
-
-	dev = &ccmsg->event;
-
-	if (ev->result != ISC_R_SUCCESS) {
-		ccmsg->result = ev->result;
-		goto send_and_free;
-	}
-
-	ccmsg->result = ISC_R_SUCCESS;
-	isc_buffer_add(&ccmsg->buffer, ev->n);
-	ccmsg->address = ev->address;
-
- send_and_free:
-	isc_task_send(ccmsg->task, &dev);
-	ccmsg->task = NULL;
-	isc_event_free(&ev_in);
-}
-
-void
-isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg) {
-	REQUIRE(mctx != NULL);
-	REQUIRE(sock != NULL);
-	REQUIRE(ccmsg != NULL);
-
-	ccmsg->magic = CCMSG_MAGIC;
-	ccmsg->size = 0;
-	ccmsg->buffer.base = NULL;
-	ccmsg->buffer.length = 0;
-	ccmsg->maxsize = 4294967295U;	/* Largest message possible. */
-	ccmsg->mctx = mctx;
-	ccmsg->sock = sock;
-	ccmsg->task = NULL;			/* None yet. */
-	ccmsg->result = ISC_R_UNEXPECTED;	/* None yet. */
-	/*
-	 * Should probably initialize the event here, but it can wait.
-	 */
-}
-
-
-void
-isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize) {
-	REQUIRE(VALID_CCMSG(ccmsg));
-
-	ccmsg->maxsize = maxsize;
-}
-
-
-isc_result_t
-isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
-		       isc_task_t *task, isc_taskaction_t action, void *arg)
-{
-	isc_result_t result;
-	isc_region_t region;
-
-	REQUIRE(VALID_CCMSG(ccmsg));
-	REQUIRE(task != NULL);
-	REQUIRE(ccmsg->task == NULL);  /* not currently in use */
-
-	if (ccmsg->buffer.base != NULL) {
-		isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
-			    ccmsg->buffer.length);
-		ccmsg->buffer.base = NULL;
-		ccmsg->buffer.length = 0;
-	}
-
-	ccmsg->task = task;
-	ccmsg->action = action;
-	ccmsg->arg = arg;
-	ccmsg->result = ISC_R_UNEXPECTED;  /* unknown right now */
-
-	ISC_EVENT_INIT(&ccmsg->event, sizeof(isc_event_t), 0, 0,
-		       ISCCC_EVENT_CCMSG, action, arg, ccmsg,
-		       NULL, NULL);
-
-	region.base = (unsigned char *)&ccmsg->size;
-	region.length = 4;  /* isc_uint32_t */
-	result = isc_socket_recv(ccmsg->sock, &region, 0,
-				 ccmsg->task, recv_length, ccmsg);
-
-	if (result != ISC_R_SUCCESS)
-		ccmsg->task = NULL;
-
-	return (result);
-}
-
-void
-isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg) {
-	REQUIRE(VALID_CCMSG(ccmsg));
-
-	isc_socket_cancel(ccmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
-}
-
-#if 0
-void
-isccc_ccmsg_freebuffer(isccc_ccmsg_t *ccmsg) {
-	REQUIRE(VALID_CCMSG(ccmsg));
-
-	if (ccmsg->buffer.base == NULL)
-		return;
-
-	isc_mem_put(ccmsg->mctx, ccmsg->buffer.base, ccmsg->buffer.length);
-	ccmsg->buffer.base = NULL;
-	ccmsg->buffer.length = 0;
-}
-#endif
-
-void
-isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg) {
-	REQUIRE(VALID_CCMSG(ccmsg));
-
-	ccmsg->magic = 0;
-
-	if (ccmsg->buffer.base != NULL) {
-		isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
-			    ccmsg->buffer.length);
-		ccmsg->buffer.base = NULL;
-		ccmsg->buffer.length = 0;
-	}
-}
diff --git a/contrib/bind9/lib/isccc/include/Makefile.in b/contrib/bind9/lib/isccc/include/Makefile.in
deleted file mode 100644
index 6b222a5..0000000
--- a/contrib/bind9/lib/isccc/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.5 2007/06/19 23:47:22 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isccc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isccc/include/isccc/Makefile.in b/contrib/bind9/lib/isccc/include/isccc/Makefile.in
deleted file mode 100644
index c4af19a..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/Makefile.in
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.7 2007/06/19 23:47:22 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated.  The latter are handled specially in the
-# install target below.
-#
-HEADERS =	alist.h base64.h cc.h ccmsg.h events.h lib.h result.h \
-		sexpr.h symtab.h symtype.h types.h util.h version.h
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccc
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccc ; \
-	done
diff --git a/contrib/bind9/lib/isccc/include/isccc/alist.h b/contrib/bind9/lib/isccc/include/isccc/alist.h
deleted file mode 100644
index 29147a6..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/alist.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: alist.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_ALIST_H
-#define ISCCC_ALIST_H 1
-
-/*! \file isccc/alist.h */
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isccc_sexpr_t *
-isccc_alist_create(void);
-
-isc_boolean_t
-isccc_alist_alistp(isccc_sexpr_t *alist);
-
-isc_boolean_t
-isccc_alist_emptyp(isccc_sexpr_t *alist);
-
-isccc_sexpr_t *
-isccc_alist_first(isccc_sexpr_t *alist);
-
-isccc_sexpr_t *
-isccc_alist_assq(isccc_sexpr_t *alist, const char *key);
-
-void
-isccc_alist_delete(isccc_sexpr_t *alist, const char *key);
-
-isccc_sexpr_t *
-isccc_alist_define(isccc_sexpr_t *alist, const char *key, isccc_sexpr_t *value);
-
-isccc_sexpr_t *
-isccc_alist_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
-
-isccc_sexpr_t *
-isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key, isccc_region_t *r);
-
-isccc_sexpr_t *
-isccc_alist_lookup(isccc_sexpr_t *alist, const char *key);
-
-isc_result_t
-isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
-
-isc_result_t
-isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key, isccc_region_t **r);
-
-void
-isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent, FILE *stream);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_ALIST_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/base64.h b/contrib/bind9/lib/isccc/include/isccc/base64.h
deleted file mode 100644
index 795b044..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/base64.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base64.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_BASE64_H
-#define ISCCC_BASE64_H 1
-
-/*! \file isccc/base64.h */
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isccc_base64_encode(isccc_region_t *source, int wordlength,
-		  const char *wordbreak, isccc_region_t *target);
-/*%<
- * Convert data into base64 encoded text.
- *
- * Notes:
- *\li	The base64 encoded text in 'target' will be divided into
- *	words of at most 'wordlength' characters, separated by
- * 	the 'wordbreak' string.  No parentheses will surround
- *	the text.
- *
- * Requires:
- *\li	'source' is a region containing binary data.
- *\li	'target' is a text region containing available space.
- *\li	'wordbreak' points to a null-terminated string of
- *		zero or more whitespace characters.
- */
-
-isc_result_t
-isccc_base64_decode(const char *cstr, isccc_region_t *target);
-/*%<
- * Decode a null-terminated base64 string.
- *
- * Requires:
- *\li	'cstr' is non-null.
- *\li	'target' is a valid region.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
- *			   fit in 'target'.
- *\li	#ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
- *\li	#ISC_R_NOSPACE	-- 'target' is not big enough.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_BASE64_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/cc.h b/contrib/bind9/lib/isccc/include/isccc/cc.h
deleted file mode 100644
index 79393be..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/cc.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cc.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_CC_H
-#define ISCCC_CC_H 1
-
-/*! \file isccc/cc.h */
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*% Maximum Datagram Package */
-#define ISCCC_CC_MAXDGRAMPACKET		4096
-
-/*% Message Type String */
-#define ISCCC_CCMSGTYPE_STRING		0x00
-/*% Message Type Binary Data */
-#define ISCCC_CCMSGTYPE_BINARYDATA	0x01
-/*% Message Type Table */
-#define ISCCC_CCMSGTYPE_TABLE		0x02
-/*% Message Type List */
-#define ISCCC_CCMSGTYPE_LIST		0x03
-
-/*% Send to Wire */
-isc_result_t
-isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
-	      isccc_region_t *secret);
-
-/*% Get From Wire */
-isc_result_t
-isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
-		isccc_region_t *secret);
-
-/*% Create Message */
-isc_result_t
-isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
-		     isc_uint32_t serial, isccc_time_t now,
-		     isccc_time_t expires, isccc_sexpr_t **alistp);
-
-/*% Create Acknowledgment */
-isc_result_t
-isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
-		 isccc_sexpr_t **ackp);
-
-/*% Is Ack? */
-isc_boolean_t
-isccc_cc_isack(isccc_sexpr_t *message);
-
-/*% Is Reply? */
-isc_boolean_t
-isccc_cc_isreply(isccc_sexpr_t *message);
-
-/*% Create Response */
-isc_result_t
-isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
-		      isccc_time_t expires, isccc_sexpr_t **alistp);
-
-/*% Define String */
-isccc_sexpr_t *
-isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
-
-/*% Define uint 32 */
-isccc_sexpr_t *
-isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, isc_uint32_t i);
-
-/*% Lookup String */
-isc_result_t
-isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
-
-/*% Lookup uint 32 */
-isc_result_t
-isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
-		    isc_uint32_t *uintp);
-
-/*% Create Symbol Table */
-isc_result_t
-isccc_cc_createsymtab(isccc_symtab_t **symtabp);
-
-/*% Clean up Symbol Table */
-void
-isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
-
-/*% Check for Duplicates */
-isc_result_t
-isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
-		   isccc_time_t now);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_CC_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/ccmsg.h b/contrib/bind9/lib/isccc/include/isccc/ccmsg.h
deleted file mode 100644
index e25aa51..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/ccmsg.h
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ccmsg.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_CCMSG_H
-#define ISCCC_CCMSG_H 1
-
-/*! \file isccc/ccmsg.h */
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-#include <isc/socket.h>
-
-/*% ISCCC Message Structure */
-typedef struct isccc_ccmsg {
-	/* private (don't touch!) */
-	unsigned int		magic;
-	isc_uint32_t		size;
-	isc_buffer_t		buffer;
-	unsigned int		maxsize;
-	isc_mem_t	       *mctx;
-	isc_socket_t	       *sock;
-	isc_task_t	       *task;
-	isc_taskaction_t	action;
-	void		       *arg;
-	isc_event_t		event;
-	/* public (read-only) */
-	isc_result_t		result;
-	isc_sockaddr_t		address;
-} isccc_ccmsg_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg);
-/*%
- * Associate a cc message state with a given memory context and
- * TCP socket.
- *
- * Requires:
- *
- *\li	"mctx" and "sock" be non-NULL and valid types.
- *
- *\li	"sock" be a read/write TCP socket.
- *
- *\li	"ccmsg" be non-NULL and an uninitialized or invalidated structure.
- *
- * Ensures:
- *
- *\li	"ccmsg" is a valid structure.
- */
-
-void
-isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize);
-/*%
- * Set the maximum packet size to "maxsize"
- *
- * Requires:
- *
- *\li	"ccmsg" be valid.
- *
- *\li	512 <= "maxsize" <= 4294967296
- */
-
-isc_result_t
-isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
-		       isc_task_t *task, isc_taskaction_t action, void *arg);
-/*%
- * Schedule an event to be delivered when a command channel message is
- * readable, or when an error occurs on the socket.
- *
- * Requires:
- *
- *\li	"ccmsg" be valid.
- *
- *\li	"task", "taskaction", and "arg" be valid.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS		-- no error
- *\li	Anything that the isc_socket_recv() call can return.  XXXMLG
- *
- * Notes:
- *
- *\li	The event delivered is a fully generic event.  It will contain no
- *	actual data.  The sender will be a pointer to the isccc_ccmsg_t.
- *	The result code inside that structure should be checked to see
- *	what the final result was.
- */
-
-void
-isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg);
-/*%
- * Cancel a readmessage() call.  The event will still be posted with a
- * CANCELED result code.
- *
- * Requires:
- *
- *\li	"ccmsg" be valid.
- */
-
-void
-isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg);
-/*%
- * Clean up all allocated state, and invalidate the structure.
- *
- * Requires:
- *
- *\li	"ccmsg" be valid.
- *
- * Ensures:
- *
- *\li	"ccmsg" is invalidated and disassociated with all memory contexts,
- *	sockets, etc.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_CCMSG_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/events.h b/contrib/bind9/lib/isccc/include/isccc/events.h
deleted file mode 100644
index a3e1470..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/events.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: events.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_EVENTS_H
-#define ISCCC_EVENTS_H 1
-
-/*! \file isccc/events.h */
-
-#include <isc/eventclass.h>
-
-/*%
- * Registry of ISCCC event numbers.
- */
-
-#define ISCCC_EVENT_CCMSG			(ISC_EVENTCLASS_ISCCC + 0)
-
-#define ISCCC_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_ISCCC + 0)
-#define ISCCC_EVENT_LASTEVENT			(ISC_EVENTCLASS_ISCCC + 65535)
-
-#endif /* ISCCC_EVENTS_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/lib.h b/contrib/bind9/lib/isccc/include/isccc/lib.h
deleted file mode 100644
index de74666..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/lib.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_LIB_H
-#define ISCCC_LIB_H 1
-
-/*! \file isccc/lib.h */
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-LIBISCCC_EXTERNAL_DATA extern isc_msgcat_t *isccc_msgcat;
-
-void
-isccc_lib_initmsgcat(void);
-/*%
- * Initialize the ISCCC library's message catalog, isccc_msgcat, if it
- * has not already been initialized.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_LIB_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/result.h b/contrib/bind9/lib/isccc/include/isccc/result.h
deleted file mode 100644
index 2d54969..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/result.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.12 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_RESULT_H
-#define ISCCC_RESULT_H 1
-
-/*! \file isccc/result.h */
-
-#include <isc/lang.h>
-#include <isc/resultclass.h>
-#include <isc/result.h>
-
-#include <isccc/types.h>
-
-/*% Unknown Version */
-#define ISCCC_R_UNKNOWNVERSION		(ISC_RESULTCLASS_ISCCC + 0)
-/*% Syntax Error */
-#define ISCCC_R_SYNTAX			(ISC_RESULTCLASS_ISCCC + 1)
-/*% Bad Authorization */
-#define ISCCC_R_BADAUTH			(ISC_RESULTCLASS_ISCCC + 2)
-/*% Expired */
-#define ISCCC_R_EXPIRED			(ISC_RESULTCLASS_ISCCC + 3)
-/*% Clock Skew */
-#define ISCCC_R_CLOCKSKEW		(ISC_RESULTCLASS_ISCCC + 4)
-/*% Duplicate */
-#define ISCCC_R_DUPLICATE		(ISC_RESULTCLASS_ISCCC + 5)
-
-#define ISCCC_R_NRESULTS 		6	/*%< Number of results */
-
-ISC_LANG_BEGINDECLS
-
-const char *
-isccc_result_totext(isc_result_t result);
-/*%
- * Convert a isccc_result_t into a string message describing the result.
- */
-
-void
-isccc_result_register(void);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_RESULT_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/sexpr.h b/contrib/bind9/lib/isccc/include/isccc/sexpr.h
deleted file mode 100644
index 6112631..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/sexpr.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sexpr.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_SEXPR_H
-#define ISCCC_SEXPR_H 1
-
-/*! \file isccc/sexpr.h */
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*% dotted pair structure */
-struct isccc_dottedpair {
-	isccc_sexpr_t *car;
-	isccc_sexpr_t *cdr;
-};
-
-/*% iscc_sexpr structure */
-struct isccc_sexpr {
-	unsigned int			type;
-	union {
-		char *			as_string;
-		isccc_dottedpair_t	as_dottedpair;
-		isccc_region_t		as_region;
-	}				value;
-};
-
-#define ISCCC_SEXPRTYPE_NONE		0x00	/*%< Illegal. */
-#define ISCCC_SEXPRTYPE_T			0x01
-#define ISCCC_SEXPRTYPE_STRING		0x02
-#define ISCCC_SEXPRTYPE_DOTTEDPAIR	0x03
-#define ISCCC_SEXPRTYPE_BINARY		0x04
-
-#define ISCCC_SEXPR_CAR(s)		(s)->value.as_dottedpair.car
-#define ISCCC_SEXPR_CDR(s)		(s)->value.as_dottedpair.cdr
-
-isccc_sexpr_t *
-isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr);
-
-isccc_sexpr_t *
-isccc_sexpr_tconst(void);
-
-isccc_sexpr_t *
-isccc_sexpr_fromstring(const char *str);
-
-isccc_sexpr_t *
-isccc_sexpr_frombinary(const isccc_region_t *region);
-
-void
-isccc_sexpr_free(isccc_sexpr_t **sexprp);
-
-void
-isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream);
-
-isccc_sexpr_t *
-isccc_sexpr_car(isccc_sexpr_t *list);
-
-isccc_sexpr_t *
-isccc_sexpr_cdr(isccc_sexpr_t *list);
-
-void
-isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car);
-
-void
-isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr);
-
-isccc_sexpr_t *
-isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2);
-
-isc_boolean_t
-isccc_sexpr_listp(isccc_sexpr_t *sexpr);
-
-isc_boolean_t
-isccc_sexpr_emptyp(isccc_sexpr_t *sexpr);
-
-isc_boolean_t
-isccc_sexpr_stringp(isccc_sexpr_t *sexpr);
-
-isc_boolean_t
-isccc_sexpr_binaryp(isccc_sexpr_t *sexpr);
-
-char *
-isccc_sexpr_tostring(isccc_sexpr_t *sexpr);
-
-isccc_region_t *
-isccc_sexpr_tobinary(isccc_sexpr_t *sexpr);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_SEXPR_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/symtab.h b/contrib/bind9/lib/isccc/include/isccc/symtab.h
deleted file mode 100644
index 77a188a..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/symtab.h
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: symtab.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_SYMTAB_H
-#define ISCCC_SYMTAB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isccc/symtab.h
- * \brief
- * Provides a simple memory-based symbol table.
- *
- * Keys are C strings.  A type may be specified when looking up,
- * defining, or undefining.  A type value of 0 means "match any type";
- * any other value will only match the given type.
- *
- * It's possible that a client will attempt to define a <key, type,
- * value> tuple when a tuple with the given key and type already
- * exists in the table.  What to do in this case is specified by the
- * client.  Possible policies are:
- *
- *\li	isccc_symexists_reject	Disallow the define, returning #ISC_R_EXISTS
- *\li	isccc_symexists_replace	Replace the old value with the new.  The
- *				undefine action (if provided) will be called
- *				with the old <key, type, value> tuple.
- *\li	isccc_symexists_add	Add the new tuple, leaving the old tuple in
- *				the table.  Subsequent lookups will retrieve
- *				the most-recently-defined tuple.
- *
- * A lookup of a key using type 0 will return the most-recently
- * defined symbol with that key.  An undefine of a key using type 0
- * will undefine the most-recently defined symbol with that key.
- * Trying to define a key with type 0 is illegal.
- *
- * The symbol table library does not make a copy the key field, so the
- * caller must ensure that any key it passes to isccc_symtab_define()
- * will not change until it calls isccc_symtab_undefine() or
- * isccc_symtab_destroy().
- *
- * A user-specified action will be called (if provided) when a symbol
- * is undefined.  It can be used to free memory associated with keys
- * and/or values.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-/***
- *** Symbol Tables.
- ***/
-
-typedef union isccc_symvalue {
-	void *				as_pointer;
-	int				as_integer;
-	unsigned int			as_uinteger;
-} isccc_symvalue_t;
-
-typedef void (*isccc_symtabundefaction_t)(char *key, unsigned int type,
-					isccc_symvalue_t value, void *userarg);
-
-typedef isc_boolean_t (*isccc_symtabforeachaction_t)(char *key,
-						   unsigned int type,
-						   isccc_symvalue_t value,
-						   void *userarg);
-
-typedef enum {
-	isccc_symexists_reject = 0,
-	isccc_symexists_replace = 1,
-	isccc_symexists_add = 2
-} isccc_symexists_t;
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isccc_symtab_create(unsigned int size,
-		  isccc_symtabundefaction_t undefine_action, void *undefine_arg,
-		  isc_boolean_t case_sensitive, isccc_symtab_t **symtabp);
-
-void
-isccc_symtab_destroy(isccc_symtab_t **symtabp);
-
-isc_result_t
-isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
-		  isccc_symvalue_t *value);
-
-isc_result_t
-isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
-		  isccc_symvalue_t value, isccc_symexists_t exists_policy);
-
-isc_result_t
-isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key, unsigned int type);
-
-void
-isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
-		   void *arg);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_SYMTAB_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/symtype.h b/contrib/bind9/lib/isccc/include/isccc/symtype.h
deleted file mode 100644
index c8e6868..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/symtype.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: symtype.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_SYMTYPE_H
-#define ISCCC_SYMTYPE_H 1
-
-/*! \file isccc/symtype.h */
-
-#define ISCCC_SYMTYPE_ZONESTATS			0x0001
-#define ISCCC_SYMTYPE_CCDUP			0x0002
-#define ISCCC_SYMTYPE_TELLSERVICE			0x0003
-#define ISCCC_SYMTYPE_TELLRESPONSE		0x0004
-
-#endif /* ISCCC_SYMTYPE_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/types.h b/contrib/bind9/lib/isccc/include/isccc/types.h
deleted file mode 100644
index fd5c9f3..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/types.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: types.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_TYPES_H
-#define ISCCC_TYPES_H 1
-
-/*! \file isccc/types.h */
-
-#include <isc/boolean.h>
-#include <isc/int.h>
-#include <isc/result.h>
-
-/*% isccc_time_t typedef */
-typedef isc_uint32_t isccc_time_t;
-
-/*% isccc_sexpr_t typedef */
-typedef struct isccc_sexpr isccc_sexpr_t;
-/*% isccc_dottedpair_t typedef */
-typedef struct isccc_dottedpair isccc_dottedpair_t;
-/*% isccc_symtab_t typedef */
-typedef struct isccc_symtab isccc_symtab_t;
-
-/*% iscc region structure */
-typedef struct isccc_region {
-	unsigned char *		rstart;
-	unsigned char *		rend;
-} isccc_region_t;
-
-#endif /* ISCCC_TYPES_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/util.h b/contrib/bind9/lib/isccc/include/isccc/util.h
deleted file mode 100644
index 2e36b6e..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/util.h
+++ /dev/null
@@ -1,225 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: util.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
-
-#ifndef ISCCC_UTIL_H
-#define ISCCC_UTIL_H 1
-
-#include <isc/util.h>
-
-/*! \file isccc/util.h
- * \brief
- * Macros for dealing with unaligned numbers.
- *
- * \note no side effects are allowed when invoking these macros!
- */
-
-#define GET8(v, w) \
-	do { \
-		v = *w; \
-		w++; \
-	} while (0)
-
-#define GET16(v, w) \
-	do { \
-		v = (unsigned int)w[0] << 8; \
- 		v |= (unsigned int)w[1]; \
-		w += 2; \
-	} while (0)
-
-#define GET24(v, w) \
-	do { \
- 		v = (unsigned int)w[0] << 16; \
- 		v |= (unsigned int)w[1] << 8; \
- 		v |= (unsigned int)w[2]; \
-		w += 3; \
-	} while (0)
-
-#define GET32(v, w) \
-	do { \
-		v = (unsigned int)w[0] << 24; \
- 		v |= (unsigned int)w[1] << 16; \
- 		v |= (unsigned int)w[2] << 8; \
- 		v |= (unsigned int)w[3]; \
-		w += 4; \
-	} while (0)
-
-#define GET64(v, w) \
-	do { \
-		v = (isc_uint64_t)w[0] << 56; \
- 		v |= (isc_uint64_t)w[1] << 48; \
- 		v |= (isc_uint64_t)w[2] << 40; \
- 		v |= (isc_uint64_t)w[3] << 32; \
- 		v |= (isc_uint64_t)w[4] << 24; \
- 		v |= (isc_uint64_t)w[5] << 16; \
- 		v |= (isc_uint64_t)w[6] << 8; \
- 		v |= (isc_uint64_t)w[7]; \
-		w += 8; \
-	} while (0)
-
-#define GETC16(v, w, d) \
-	do { \
-		GET8(v, w); \
-		if (v == 0) \
-			d = ISCCC_TRUE; \
- 		else { \
-			d = ISCCC_FALSE; \
-			if (v == 255) \
-				GET16(v, w); \
-		} \
-	} while (0)
-
-#define GETC32(v, w) \
-	do { \
-		GET24(v, w); \
- 		if (v == 0xffffffu) \
-			GET32(v, w); \
-	} while (0)
-
-#define GET_OFFSET(v, w)		GET32(v, w)
-
-#define GET_MEM(v, c, w) \
-	do { \
-		memcpy(v, w, c); \
-		w += c; \
-	} while (0)
-
-#define GET_TYPE(v, w) \
-	do { \
-		GET8(v, w); \
-		if (v > 127) { \
-			if (v < 255) \
-				v = ((v & 0x7f) << 16) | ISCCC_RDATATYPE_SIG; \
-			else \
-				GET32(v, w); \
-		} \
-	} while (0)
-
-#define PUT8(v, w) \
-	do { \
-		*w = (v & 0x000000ffU); \
-		w++; \
-	} while (0)
-
-#define PUT16(v, w) \
-	do { \
-		w[0] = (v & 0x0000ff00U) >> 8; \
-		w[1] = (v & 0x000000ffU); \
-		w += 2; \
-	} while (0)
-
-#define PUT24(v, w) \
-	do { \
-		w[0] = (v & 0x00ff0000U) >> 16; \
-		w[1] = (v & 0x0000ff00U) >> 8; \
-		w[2] = (v & 0x000000ffU); \
-		w += 3; \
-	} while (0)
-
-#define PUT32(v, w) \
-	do { \
-		w[0] = (v & 0xff000000U) >> 24; \
-		w[1] = (v & 0x00ff0000U) >> 16; \
-		w[2] = (v & 0x0000ff00U) >> 8; \
-		w[3] = (v & 0x000000ffU); \
-		w += 4; \
-	} while (0)
-
-#define PUT64(v, w) \
-	do { \
-		w[0] = (v & 0xff00000000000000ULL) >> 56; \
-		w[1] = (v & 0x00ff000000000000ULL) >> 48; \
-		w[2] = (v & 0x0000ff0000000000ULL) >> 40; \
-		w[3] = (v & 0x000000ff00000000ULL) >> 32; \
-		w[4] = (v & 0x00000000ff000000ULL) >> 24; \
-		w[5] = (v & 0x0000000000ff0000ULL) >> 16; \
-		w[6] = (v & 0x000000000000ff00ULL) >> 8; \
-		w[7] = (v & 0x00000000000000ffULL); \
-		w += 8; \
-	} while (0)
-
-#define PUTC16(v, w) \
-	do { \
-		if (v > 0 && v < 255) \
-			PUT8(v, w); \
-		else { \
-			PUT8(255, w); \
-			PUT16(v, w); \
-		} \
-	} while (0)
-
-#define PUTC32(v, w) \
-	do { \
-		if (v < 0xffffffU) \
-			PUT24(v, w); \
-		else { \
-			PUT24(0xffffffU, w); \
-			PUT32(v, w); \
-		} \
-	} while (0)
-
-#define PUT_OFFSET(v, w)		PUT32(v, w)
-
-#include <string.h>
-
-#define PUT_MEM(s, c, w) \
-	do { \
-		memcpy(w, s, c); \
-		w += c; \
-	} while (0)
-
-/*
- * Regions.
- */
-#define REGION_SIZE(r)		((unsigned int)((r).rend - (r).rstart))
-#define REGION_EMPTY(r)		((r).rstart == (r).rend)
-#define REGION_FROMSTRING(r, s) do { \
-	(r).rstart = (unsigned char *)s; \
-	(r).rend = (r).rstart + strlen(s); \
-} while (0)
-
-/*%
- * Use this to remove the const qualifier of a variable to assign it to
- * a non-const variable or pass it as a non-const function argument ...
- * but only when you are sure it won't then be changed!
- * This is necessary to sometimes shut up some compilers
- * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
- * situation.
- */
-#define DE_CONST(konst, var) \
-	do { \
-		union { const void *k; void *v; } _u; \
-		_u.k = konst; \
-		var = _u.v; \
-	} while (0)
-
-#endif /* ISCCC_UTIL_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/version.h b/contrib/bind9/lib/isccc/include/isccc/version.h
deleted file mode 100644
index 869316c..0000000
--- a/contrib/bind9/lib/isccc/include/isccc/version.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.9 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file isccc/version.h */
-
-#include <isc/platform.h>
-
-LIBISCCC_EXTERNAL_DATA extern const char isccc_version[];
-
-LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libinterface;
-LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_librevision;
-LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libage;
diff --git a/contrib/bind9/lib/isccc/lib.c b/contrib/bind9/lib/isccc/lib.c
deleted file mode 100644
index 17170f5..0000000
--- a/contrib/bind9/lib/isccc/lib.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.c,v 1.9 2007/08/28 07:20:43 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/once.h>
-#include <isc/msgcat.h>
-#include <isc/util.h>
-
-#include <isccc/lib.h>
-
-/***
- *** Globals
- ***/
-
-LIBISCCC_EXTERNAL_DATA isc_msgcat_t *		isccc_msgcat = NULL;
-
-
-/***
- *** Private
- ***/
-
-static isc_once_t		msgcat_once = ISC_ONCE_INIT;
-
-
-/***
- *** Functions
- ***/
-
-static void
-open_msgcat(void) {
-	isc_msgcat_open("libisccc.cat", &isccc_msgcat);
-}
-
-void
-isccc_lib_initmsgcat(void) {
-
-	/*
-	 * Initialize the DNS library's message catalog, isccc_msgcat, if it
-	 * has not already been initialized.
-	 */
-
-	RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isccc/result.c b/contrib/bind9/lib/isccc/result.c
deleted file mode 100644
index cbedc16..0000000
--- a/contrib/bind9/lib/isccc/result.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.c,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/once.h>
-#include <isc/util.h>
-
-#include <isccc/result.h>
-#include <isccc/lib.h>
-
-static const char *text[ISCCC_R_NRESULTS] = {
-	"unknown version",			/* 1 */
-	"syntax error",				/* 2 */
-	"bad auth",				/* 3 */
-	"expired",				/* 4 */
-	"clock skew",				/* 5 */
-	"duplicate"				/* 6 */
-};
-
-#define ISCCC_RESULT_RESULTSET			2
-
-static isc_once_t		once = ISC_ONCE_INIT;
-
-static void
-initialize_action(void) {
-	isc_result_t result;
-
-	result = isc_result_register(ISC_RESULTCLASS_ISCCC, ISCCC_R_NRESULTS,
-				     text, isccc_msgcat,
-				     ISCCC_RESULT_RESULTSET);
-	if (result != ISC_R_SUCCESS)
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_result_register() failed: %u", result);
-}
-
-static void
-initialize(void) {
-	isccc_lib_initmsgcat();
-	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-const char *
-isccc_result_totext(isc_result_t result) {
-	initialize();
-
-	return (isc_result_totext(result));
-}
-
-void
-isccc_result_register(void) {
-	initialize();
-}
diff --git a/contrib/bind9/lib/isccc/sexpr.c b/contrib/bind9/lib/isccc/sexpr.c
deleted file mode 100644
index e96536d..0000000
--- a/contrib/bind9/lib/isccc/sexpr.c
+++ /dev/null
@@ -1,325 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sexpr.c,v 1.9 2007/08/28 07:20:43 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isccc/sexpr.h>
-#include <isccc/util.h>
-
-static isccc_sexpr_t sexpr_t = { ISCCC_SEXPRTYPE_T, { NULL } };
-
-#define CAR(s)			(s)->value.as_dottedpair.car
-#define CDR(s)			(s)->value.as_dottedpair.cdr
-
-isccc_sexpr_t *
-isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr)
-{
-	isccc_sexpr_t *sexpr;
-
-	sexpr = malloc(sizeof(*sexpr));
-	if (sexpr == NULL)
-		return (NULL);
-	sexpr->type = ISCCC_SEXPRTYPE_DOTTEDPAIR;
-	CAR(sexpr) = car;
-	CDR(sexpr) = cdr;
-
-	return (sexpr);
-}
-
-isccc_sexpr_t *
-isccc_sexpr_tconst(void)
-{
-	return (&sexpr_t);
-}
-
-isccc_sexpr_t *
-isccc_sexpr_fromstring(const char *str)
-{
-	isccc_sexpr_t *sexpr;
-
-	sexpr = malloc(sizeof(*sexpr));
-	if (sexpr == NULL)
-		return (NULL);
-	sexpr->type = ISCCC_SEXPRTYPE_STRING;
-	sexpr->value.as_string = strdup(str);
-	if (sexpr->value.as_string == NULL) {
-		free(sexpr);
-		return (NULL);
-	}
-
-	return (sexpr);
-}
-
-isccc_sexpr_t *
-isccc_sexpr_frombinary(const isccc_region_t *region)
-{
-	isccc_sexpr_t *sexpr;
-	unsigned int region_size;
-
-	sexpr = malloc(sizeof(*sexpr));
-	if (sexpr == NULL)
-		return (NULL);
-	sexpr->type = ISCCC_SEXPRTYPE_BINARY;
-	region_size = REGION_SIZE(*region);
-	/*
-	 * We add an extra byte when we malloc so we can NUL terminate
-	 * the binary data.  This allows the caller to use it as a C
-	 * string.  It's up to the caller to ensure this is safe.  We don't
-	 * add 1 to the length of the binary region, because the NUL is
-	 * not part of the binary data.
-	 */
-	sexpr->value.as_region.rstart = malloc(region_size + 1);
-	if (sexpr->value.as_region.rstart == NULL) {
-		free(sexpr);
-		return (NULL);
-	}
-	sexpr->value.as_region.rend = sexpr->value.as_region.rstart +
-		region_size;
-	memcpy(sexpr->value.as_region.rstart, region->rstart, region_size);
-	/*
-	 * NUL terminate.
-	 */
-	sexpr->value.as_region.rstart[region_size] = '\0';
-
-	return (sexpr);
-}
-
-void
-isccc_sexpr_free(isccc_sexpr_t **sexprp)
-{
-	isccc_sexpr_t *sexpr;
-	isccc_sexpr_t *item;
-
-	sexpr = *sexprp;
-	if (sexpr == NULL)
-		return;
-	switch (sexpr->type) {
-	case ISCCC_SEXPRTYPE_STRING:
-		free(sexpr->value.as_string);
-		break;
-	case ISCCC_SEXPRTYPE_DOTTEDPAIR:
-		item = CAR(sexpr);
-		if (item != NULL)
-			isccc_sexpr_free(&item);
-		item = CDR(sexpr);
-		if (item != NULL)
-			isccc_sexpr_free(&item);
-		break;
-	case ISCCC_SEXPRTYPE_BINARY:
-		free(sexpr->value.as_region.rstart);
-		break;
-	}
-	free(sexpr);
-
-	*sexprp = NULL;
-}
-
-static isc_boolean_t
-printable(isccc_region_t *r)
-{
-	unsigned char *curr;
-
-	curr = r->rstart;
-	while (curr != r->rend) {
-		if (!isprint(*curr))
-			return (ISC_FALSE);
-		curr++;
-	}
-
-	return (ISC_TRUE);
-}
-
-void
-isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream)
-{
-	isccc_sexpr_t *cdr;
-	unsigned int size, i;
-	unsigned char *curr;
-
-	if (sexpr == NULL) {
-		fprintf(stream, "nil");
-		return;
-	}
-
-	switch (sexpr->type) {
-	case ISCCC_SEXPRTYPE_T:
-		fprintf(stream, "t");
-		break;
-	case ISCCC_SEXPRTYPE_STRING:
-		fprintf(stream, "\"%s\"", sexpr->value.as_string);
-		break;
-	case ISCCC_SEXPRTYPE_DOTTEDPAIR:
-		fprintf(stream, "(");
-		do {
-			isccc_sexpr_print(CAR(sexpr), stream);
-			cdr = CDR(sexpr);
-			if (cdr != NULL) {
-				fprintf(stream, " ");
-				if (cdr->type != ISCCC_SEXPRTYPE_DOTTEDPAIR) {
-					fprintf(stream, ". ");
-					isccc_sexpr_print(cdr, stream);
-					cdr = NULL;
-				}
-			}
-			sexpr = cdr;
-		} while (sexpr != NULL);
-		fprintf(stream, ")");
-		break;
-	case ISCCC_SEXPRTYPE_BINARY:
-		size = REGION_SIZE(sexpr->value.as_region);
-		curr = sexpr->value.as_region.rstart;
-		if (printable(&sexpr->value.as_region)) {
-			fprintf(stream, "'%.*s'", (int)size, curr);
-		} else {
-			fprintf(stream, "0x");
-			for (i = 0; i < size; i++)
-				fprintf(stream, "%02x", *curr++);
-		}
-		break;
-	default:
-		INSIST(0);
-	}
-}
-
-isccc_sexpr_t *
-isccc_sexpr_car(isccc_sexpr_t *list)
-{
-	REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
-	return (CAR(list));
-}
-
-isccc_sexpr_t *
-isccc_sexpr_cdr(isccc_sexpr_t *list)
-{
-	REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
-	return (CDR(list));
-}
-
-void
-isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car)
-{
-	REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
-	CAR(pair) = car;
-}
-
-void
-isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr)
-{
-	REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
-	CDR(pair) = cdr;
-}
-
-isccc_sexpr_t *
-isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2)
-{
-	isccc_sexpr_t *last, *elt, *l1;
-
-	REQUIRE(l1p != NULL);
-	l1 = *l1p;
-	REQUIRE(l1 == NULL || l1->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
-	elt = isccc_sexpr_cons(l2, NULL);
-	if (elt == NULL)
-		return (NULL);
-	if (l1 == NULL) {
-		*l1p = elt;
-		return (elt);
-	}
-	for (last = l1; CDR(last) != NULL; last = CDR(last))
-		/* Nothing */;
-	CDR(last) = elt;
-
-	return (elt);
-}
-
-isc_boolean_t
-isccc_sexpr_listp(isccc_sexpr_t *sexpr)
-{
-	if (sexpr == NULL || sexpr->type == ISCCC_SEXPRTYPE_DOTTEDPAIR)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-isccc_sexpr_emptyp(isccc_sexpr_t *sexpr)
-{
-	if (sexpr == NULL)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-isccc_sexpr_stringp(isccc_sexpr_t *sexpr)
-{
-	if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_STRING)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-isc_boolean_t
-isccc_sexpr_binaryp(isccc_sexpr_t *sexpr)
-{
-	if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
-char *
-isccc_sexpr_tostring(isccc_sexpr_t *sexpr)
-{
-	REQUIRE(sexpr != NULL &&
-		(sexpr->type == ISCCC_SEXPRTYPE_STRING ||
-		 sexpr->type == ISCCC_SEXPRTYPE_BINARY));
-	
-	if (sexpr->type == ISCCC_SEXPRTYPE_BINARY)
-		return ((char *)sexpr->value.as_region.rstart);
-	return (sexpr->value.as_string);
-}
-
-isccc_region_t *
-isccc_sexpr_tobinary(isccc_sexpr_t *sexpr)
-{
-	REQUIRE(sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY);
-	return (&sexpr->value.as_region);
-}
diff --git a/contrib/bind9/lib/isccc/symtab.c b/contrib/bind9/lib/isccc/symtab.c
deleted file mode 100644
index d7ae687..0000000
--- a/contrib/bind9/lib/isccc/symtab.c
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Portions Copyright (C) 2001  Nominum, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: symtab.c,v 1.11 2007/09/13 04:45:18 each Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-
-#include <isc/assertions.h>
-#include <isc/magic.h>
-#include <isc/string.h>
-
-#include <isccc/result.h>
-#include <isccc/symtab.h>
-#include <isccc/util.h>
-
-typedef struct elt {
-	char *				key;
-	unsigned int			type;
-	isccc_symvalue_t			value;
-	ISC_LINK(struct elt)		link;
-} elt_t;
-
-typedef ISC_LIST(elt_t)			eltlist_t;
-
-#define SYMTAB_MAGIC			ISC_MAGIC('S', 'y', 'm', 'T')
-#define VALID_SYMTAB(st)		ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
-
-struct isccc_symtab {
-	unsigned int			magic;
-	unsigned int			size;
-	eltlist_t *			table;
-	isccc_symtabundefaction_t		undefine_action;
-	void *				undefine_arg;
-	isc_boolean_t			case_sensitive;
-};
-
-isc_result_t
-isccc_symtab_create(unsigned int size,
-		  isccc_symtabundefaction_t undefine_action,
-		  void *undefine_arg,
-		  isc_boolean_t case_sensitive,
-		  isccc_symtab_t **symtabp)
-{
-	isccc_symtab_t *symtab;
-	unsigned int i;
-
-	REQUIRE(symtabp != NULL && *symtabp == NULL);
-	REQUIRE(size > 0);	/* Should be prime. */
-
-	symtab = malloc(sizeof(*symtab));
-	if (symtab == NULL)
-		return (ISC_R_NOMEMORY);
-	symtab->table = malloc(size * sizeof(eltlist_t));
-	if (symtab->table == NULL) {
-		free(symtab);
-		return (ISC_R_NOMEMORY);
-	}
-	for (i = 0; i < size; i++)
-		ISC_LIST_INIT(symtab->table[i]);
-	symtab->size = size;
-	symtab->undefine_action = undefine_action;
-	symtab->undefine_arg = undefine_arg;
-	symtab->case_sensitive = case_sensitive;
-	symtab->magic = SYMTAB_MAGIC;
-
-	*symtabp = symtab;
-
-	return (ISC_R_SUCCESS);
-}
-
-static inline void
-free_elt(isccc_symtab_t *symtab, unsigned int bucket, elt_t *elt) {
-	ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
-	if (symtab->undefine_action != NULL)
-		(symtab->undefine_action)(elt->key, elt->type, elt->value,
-					  symtab->undefine_arg);
-	free(elt);
-}
-
-void
-isccc_symtab_destroy(isccc_symtab_t **symtabp) {
-	isccc_symtab_t *symtab;
-	unsigned int i;
-	elt_t *elt, *nelt;
-
-	REQUIRE(symtabp != NULL);
-	symtab = *symtabp;
-	REQUIRE(VALID_SYMTAB(symtab));
-
-	for (i = 0; i < symtab->size; i++) {
-		for (elt = ISC_LIST_HEAD(symtab->table[i]);
-		     elt != NULL;
-		     elt = nelt) {
-			nelt = ISC_LIST_NEXT(elt, link);
-			free_elt(symtab, i, elt);
-		}
-	}
-	free(symtab->table);
-	symtab->magic = 0;
-	free(symtab);
-
-	*symtabp = NULL;
-}
-
-static inline unsigned int
-hash(const char *key, isc_boolean_t case_sensitive) {
-	const char *s;
-	unsigned int h = 0;
-	unsigned int g;
-	int c;
-
-	/*
-	 * P. J. Weinberger's hash function, adapted from p. 436 of
-	 * _Compilers: Principles, Techniques, and Tools_, Aho, Sethi
-	 * and Ullman, Addison-Wesley, 1986, ISBN 0-201-10088-6.
-	 */
-
-	if (case_sensitive) {
-		for (s = key; *s != '\0'; s++) {
-			h = ( h << 4 ) + *s;
-			if ((g = ( h & 0xf0000000 )) != 0) {
-				h = h ^ (g >> 24);
-				h = h ^ g;
-			}
-		}
-	} else {
-		for (s = key; *s != '\0'; s++) {
-			c = *s;
-			c = tolower((unsigned char)c);
-			h = ( h << 4 ) + c;
-			if ((g = ( h & 0xf0000000 )) != 0) {
-				h = h ^ (g >> 24);
-				h = h ^ g;
-			}
-		}
-	}
-
-	return (h);
-}
-
-#define FIND(s, k, t, b, e) \
-	b = hash((k), (s)->case_sensitive) % (s)->size; \
-	if ((s)->case_sensitive) { \
-		for (e = ISC_LIST_HEAD((s)->table[b]); \
-		     e != NULL; \
-		     e = ISC_LIST_NEXT(e, link)) { \
-			if (((t) == 0 || e->type == (t)) && \
-			    strcmp(e->key, (k)) == 0) \
-				break; \
-		} \
-	} else { \
-		for (e = ISC_LIST_HEAD((s)->table[b]); \
-		     e != NULL; \
-		     e = ISC_LIST_NEXT(e, link)) { \
-			if (((t) == 0 || e->type == (t)) && \
-			    strcasecmp(e->key, (k)) == 0) \
-				break; \
-		} \
-	}
-
-isc_result_t
-isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
-		  isccc_symvalue_t *value)
-{
-	unsigned int bucket;
-	elt_t *elt;
-
-	REQUIRE(VALID_SYMTAB(symtab));
-	REQUIRE(key != NULL);
-
-	FIND(symtab, key, type, bucket, elt);
-
-	if (elt == NULL)
-		return (ISC_R_NOTFOUND);
-
-	if (value != NULL)
-		*value = elt->value;
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
-		  isccc_symvalue_t value, isccc_symexists_t exists_policy)
-{
-	unsigned int bucket;
-	elt_t *elt;
-
-	REQUIRE(VALID_SYMTAB(symtab));
-	REQUIRE(key != NULL);
-	REQUIRE(type != 0);
-
-	FIND(symtab, key, type, bucket, elt);
-
-	if (exists_policy != isccc_symexists_add && elt != NULL) {
-		if (exists_policy == isccc_symexists_reject)
-			return (ISC_R_EXISTS);
-		INSIST(exists_policy == isccc_symexists_replace);
-		ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
-		if (symtab->undefine_action != NULL)
-			(symtab->undefine_action)(elt->key, elt->type,
-						  elt->value,
-						  symtab->undefine_arg);
-	} else {
-		elt = malloc(sizeof(*elt));
-		if (elt == NULL)
-			return (ISC_R_NOMEMORY);
-		ISC_LINK_INIT(elt, link);
-	}
-
-	elt->key = key;
-	elt->type = type;
-	elt->value = value;
-
-	/*
-	 * We prepend so that the most recent definition will be found.
-	 */
-	ISC_LIST_PREPEND(symtab->table[bucket], elt, link);
-
-	return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key, unsigned int type) {
-	unsigned int bucket;
-	elt_t *elt;
-
-	REQUIRE(VALID_SYMTAB(symtab));
-	REQUIRE(key != NULL);
-
-	FIND(symtab, key, type, bucket, elt);
-
-	if (elt == NULL)
-		return (ISC_R_NOTFOUND);
-
-	free_elt(symtab, bucket, elt);
-
-	return (ISC_R_SUCCESS);
-}
-
-void
-isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
-		   void *arg)
-{
-	unsigned int i;
-	elt_t *elt, *nelt;
-
-	REQUIRE(VALID_SYMTAB(symtab));
-	REQUIRE(action != NULL);
-
-	for (i = 0; i < symtab->size; i++) {
-		for (elt = ISC_LIST_HEAD(symtab->table[i]);
-		     elt != NULL;
-		     elt = nelt) {
-			nelt = ISC_LIST_NEXT(elt, link);
-			if ((action)(elt->key, elt->type, elt->value, arg))
-				free_elt(symtab, i, elt);
-		}
-	}
-}
diff --git a/contrib/bind9/lib/isccc/version.c b/contrib/bind9/lib/isccc/version.c
deleted file mode 100644
index c9d9124..0000000
--- a/contrib/bind9/lib/isccc/version.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.7 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-#include <isccc/version.h>
-
-const char isccc_version[] = VERSION;
-
-const unsigned int isccc_libinterface = LIBINTERFACE;
-const unsigned int isccc_librevision = LIBREVISION;
-const unsigned int isccc_libage = LIBAGE;
diff --git a/contrib/bind9/lib/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/Makefile.in
deleted file mode 100644
index 19ec61e..0000000
--- a/contrib/bind9/lib/isccfg/Makefile.in
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001-2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBISCCFG_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCLIBS =	../../lib/isc/libisc.@A@
-ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-DNSLIBS =	../../lib/dns/libdns.@A@
-ISCCFGLIBS =	../../lib/cfg/libisccfg.@A@
-
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS =	libisccfg.@A@
-
-LIBS =		@LIBS@
-
-SUBDIRS =	include
-
-# Alphabetically
-OBJS =		aclconf.@O@ log.@O@ namedconf.@O@ parser.@O@ version.@O@
-
-# Alphabetically
-SRCS =		aclconf.c log.c namedconf.c parser.c version.c
-
-TARGETS = 	timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-libisccfg.@SA@: ${OBJS}
-	${AR} ${ARFLAGS} $@ ${OBJS}
-	${RANLIB} $@
-
-libisccfg.la: ${OBJS}
-	 ${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} ${DNSLIBS} ${ISCCCLIBS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ \
-		${LIBS}
-
-timestamp: libisccfg.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
-	rm -f libisccfg.@A@ timestamp
diff --git a/contrib/bind9/lib/isccfg/aclconf.c b/contrib/bind9/lib/isccfg/aclconf.c
deleted file mode 100644
index af56599..0000000
--- a/contrib/bind9/lib/isccfg/aclconf.c
+++ /dev/null
@@ -1,494 +0,0 @@
-/*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-#include <isccfg/aclconf.h>
-
-#include <dns/acl.h>
-#include <dns/iptable.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-
-#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
-
-isc_result_t
-cfg_aclconfctx_create(isc_mem_t *mctx, cfg_aclconfctx_t **ret) {
-	isc_result_t result;
-	cfg_aclconfctx_t *actx;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(ret != NULL && *ret == NULL);
-
-	actx = isc_mem_get(mctx, sizeof(*actx));
-	if (actx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	result = isc_refcount_init(&actx->references, 1);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	actx->mctx = NULL;
-	isc_mem_attach(mctx, &actx->mctx);
-	ISC_LIST_INIT(actx->named_acl_cache);
-
-	*ret = actx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	isc_mem_put(mctx, actx, sizeof(*actx));
-	return (result);
-}
-
-void
-cfg_aclconfctx_attach(cfg_aclconfctx_t *src, cfg_aclconfctx_t **dest) {
-	REQUIRE(src != NULL);
-	REQUIRE(dest != NULL && *dest == NULL);
-
-	isc_refcount_increment(&src->references, NULL);
-	*dest = src;
-}
-
-void
-cfg_aclconfctx_detach(cfg_aclconfctx_t **actxp) {
-	cfg_aclconfctx_t *actx;
-	dns_acl_t *dacl, *next;
-	unsigned int refs;
-
-	REQUIRE(actxp != NULL && *actxp != NULL);
-
-	actx = *actxp;
-
-	isc_refcount_decrement(&actx->references, &refs);
-	if (refs == 0) {
-		for (dacl = ISC_LIST_HEAD(actx->named_acl_cache);
-		     dacl != NULL;
-		     dacl = next)
-		{
-			next = ISC_LIST_NEXT(dacl, nextincache);
-			ISC_LIST_UNLINK(actx->named_acl_cache, dacl,
-					nextincache);
-			dns_acl_detach(&dacl);
-		}
-		isc_mem_putanddetach(&actx->mctx, actx, sizeof(*actx));
-	}
-
-	*actxp = NULL;
-}
-
-/*
- * Find the definition of the named acl whose name is "name".
- */
-static isc_result_t
-get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
-	isc_result_t result;
-	const cfg_obj_t *acls = NULL;
-	const cfg_listelt_t *elt;
-
-	result = cfg_map_get(cctx, "acl", &acls);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	for (elt = cfg_list_first(acls);
-	     elt != NULL;
-	     elt = cfg_list_next(elt)) {
-		const cfg_obj_t *acl = cfg_listelt_value(elt);
-		const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
-		if (strcasecmp(aclname, name) == 0) {
-			if (ret != NULL) {
-				*ret = cfg_tuple_get(acl, "value");
-			}
-			return (ISC_R_SUCCESS);
-		}
-	}
-	return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
-		  isc_log_t *lctx, cfg_aclconfctx_t *ctx,
-		  isc_mem_t *mctx, unsigned int nest_level,
-		  dns_acl_t **target)
-{
-	isc_result_t result;
-	const cfg_obj_t *cacl = NULL;
-	dns_acl_t *dacl;
-	dns_acl_t loop;
-	const char *aclname = cfg_obj_asstring(nameobj);
-
-	/* Look for an already-converted version. */
-	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
-	     dacl != NULL;
-	     dacl = ISC_LIST_NEXT(dacl, nextincache))
-	{
-		if (strcasecmp(aclname, dacl->name) == 0) {
-			if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
-				cfg_obj_log(nameobj, lctx, ISC_LOG_ERROR,
-					    "acl loop detected: %s", aclname);
-				return (ISC_R_FAILURE);
-			}
-			dns_acl_attach(dacl, target);
-			return (ISC_R_SUCCESS);
-		}
-	}
-	/* Not yet converted.  Convert now. */
-	result = get_acl_def(cctx, aclname, &cacl);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(nameobj, lctx, ISC_LOG_WARNING,
-			    "undefined ACL '%s'", aclname);
-		return (result);
-	}
-	/*
-	 * Add a loop detection element.
-	 */
-	memset(&loop, 0, sizeof(loop));
-	ISC_LINK_INIT(&loop, nextincache);
-	DE_CONST(aclname, loop.name);
-	loop.magic = LOOP_MAGIC;
-	ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
-	result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx,
-				    nest_level, &dacl);
-	ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
-	loop.magic = 0;
-	loop.name = NULL;
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dacl->name = isc_mem_strdup(dacl->mctx, aclname);
-	if (dacl->name == NULL)
-		return (ISC_R_NOMEMORY);
-	ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
-	dns_acl_attach(dacl, target);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
-		dns_name_t *dnsname)
-{
-	isc_result_t result;
-	isc_buffer_t buf;
-	dns_fixedname_t fixname;
-	unsigned int keylen;
-	const char *txtname = cfg_obj_asstring(keyobj);
-
-	keylen = strlen(txtname);
-	isc_buffer_constinit(&buf, txtname, keylen);
-	isc_buffer_add(&buf, keylen);
-	dns_fixedname_init(&fixname);
-	result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
-				   dns_rootname, 0, NULL);
-	if (result != ISC_R_SUCCESS) {
-		cfg_obj_log(keyobj, lctx, ISC_LOG_WARNING,
-			    "key name '%s' is not a valid domain name",
-			    txtname);
-		return (result);
-	}
-	return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
-}
-
-/*
- * Recursively pre-parse an ACL definition to find the total number
- * of non-IP-prefix elements (localhost, localnets, key) in all nested
- * ACLs, so that the parent will have enough space allocated for the
- * elements table after all the nested ACLs have been merged in to the
- * parent.
- */
-static int
-count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx,
-		   isc_boolean_t *has_negative)
-{
-	const cfg_listelt_t *elt;
-	const cfg_obj_t *cacl = NULL;
-	isc_result_t result;
-	int n = 0;
-
-	if (has_negative != NULL)
-		*has_negative = ISC_FALSE;
-
-	for (elt = cfg_list_first(caml);
-	     elt != NULL;
-	     elt = cfg_list_next(elt)) {
-		const cfg_obj_t *ce = cfg_listelt_value(elt);
-
-		/* negated element; just get the value. */
-		if (cfg_obj_istuple(ce)) {
-			ce = cfg_tuple_get(ce, "value");
-			if (has_negative != NULL)
-				*has_negative = ISC_TRUE;
-		}
-
-		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
-			n++;
-		} else if (cfg_obj_islist(ce)) {
-			isc_boolean_t negative;
-			n += count_acl_elements(ce, cctx, &negative);
-			if (negative)
-				n++;
-		} else if (cfg_obj_isstring(ce)) {
-			const char *name = cfg_obj_asstring(ce);
-			if (strcasecmp(name, "localhost") == 0 ||
-			    strcasecmp(name, "localnets") == 0) {
-				n++;
-			} else if (strcasecmp(name, "any") != 0 &&
-				   strcasecmp(name, "none") != 0) {
-				result = get_acl_def(cctx, name, &cacl);
-				if (result == ISC_R_SUCCESS)
-					n += count_acl_elements(cacl, cctx,
-								NULL) + 1;
-			}
-		}
-	}
-
-	return n;
-}
-
-isc_result_t
-cfg_acl_fromconfig(const cfg_obj_t *caml,
-		   const cfg_obj_t *cctx,
-		   isc_log_t *lctx,
-		   cfg_aclconfctx_t *ctx,
-		   isc_mem_t *mctx,
-		   unsigned int nest_level,
-		   dns_acl_t **target)
-{
-	isc_result_t result;
-	dns_acl_t *dacl = NULL, *inneracl = NULL;
-	dns_aclelement_t *de;
-	const cfg_listelt_t *elt;
-	dns_iptable_t *iptab;
-	int new_nest_level = 0;
-
-	if (nest_level != 0)
-		new_nest_level = nest_level - 1;
-
-	REQUIRE(target != NULL);
-	REQUIRE(*target == NULL || DNS_ACL_VALID(*target));
-
-	if (*target != NULL) {
-		/*
-		 * If target already points to an ACL, then we're being
-		 * called recursively to configure a nested ACL.  The
-		 * nested ACL's contents should just be absorbed into its
-		 * parent ACL.
-		 */
-		dns_acl_attach(*target, &dacl);
-		dns_acl_detach(target);
-	} else {
-		/*
-		 * Need to allocate a new ACL structure.  Count the items
-		 * in the ACL definition that will require space in the
-		 * elements table.  (Note that if nest_level is nonzero,
-		 * *everything* goes in the elements table.)
-		 */
-		int nelem;
-
-		if (nest_level == 0)
-			nelem = count_acl_elements(caml, cctx, NULL);
-		else
-			nelem = cfg_list_length(caml, ISC_FALSE);
-
-		result = dns_acl_create(mctx, nelem, &dacl);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-
-	de = dacl->elements;
-	for (elt = cfg_list_first(caml);
-	     elt != NULL;
-	     elt = cfg_list_next(elt)) {
-		const cfg_obj_t *ce = cfg_listelt_value(elt);
-		isc_boolean_t	neg;
-
-		if (cfg_obj_istuple(ce)) {
-			/* This must be a negated element. */
-			ce = cfg_tuple_get(ce, "value");
-			neg = ISC_TRUE;
-			dacl->has_negatives = ISC_TRUE;
-		} else
-			neg = ISC_FALSE;
-
-		/*
-		 * If nest_level is nonzero, then every element is
-		 * to be stored as a separate, nested ACL rather than
-		 * merged into the main iptable.
-		 */
-		iptab = dacl->iptable;
-
-		if (nest_level != 0) {
-			result = dns_acl_create(mctx,
-						cfg_list_length(ce, ISC_FALSE),
-						&de->nestedacl);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-			iptab = de->nestedacl->iptable;
-		}
-
-		if (cfg_obj_isnetprefix(ce)) {
-			/* Network prefix */
-			isc_netaddr_t	addr;
-			unsigned int	bitlen;
-
-			cfg_obj_asnetprefix(ce, &addr, &bitlen);
-
-			/*
-			 * If nesting ACLs (nest_level != 0), we negate
-			 * the nestedacl element, not the iptable entry.
-			 */
-			result = dns_iptable_addprefix(iptab, &addr, bitlen,
-					      ISC_TF(nest_level != 0 || !neg));
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-
-			if (nest_level > 0) {
-				de->type = dns_aclelementtype_nestedacl;
-				de->negative = neg;
-			} else
-				continue;
-		} else if (cfg_obj_islist(ce)) {
-			/*
-			 * If we're nesting ACLs, put the nested
-			 * ACL onto the elements list; otherwise
-			 * merge it into *this* ACL.  We nest ACLs
-			 * in two cases: 1) sortlist, 2) if the
-			 * nested ACL contains negated members.
-			 */
-			if (inneracl != NULL)
-				dns_acl_detach(&inneracl);
-			result = cfg_acl_fromconfig(ce, cctx, lctx,
-						    ctx, mctx, new_nest_level,
-						    &inneracl);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-nested_acl:
-			if (nest_level > 0 || inneracl->has_negatives) {
-				de->type = dns_aclelementtype_nestedacl;
-				de->negative = neg;
-				if (de->nestedacl != NULL)
-					dns_acl_detach(&de->nestedacl);
-				dns_acl_attach(inneracl,
-					       &de->nestedacl);
-				dns_acl_detach(&inneracl);
-				/* Fall through. */
-			} else {
-				dns_acl_merge(dacl, inneracl,
-					      ISC_TF(!neg));
-				de += inneracl->length;  /* elements added */
-				dns_acl_detach(&inneracl);
-				continue;
-			}
-		} else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
-			/* Key name. */
-			de->type = dns_aclelementtype_keyname;
-			de->negative = neg;
-			dns_name_init(&de->keyname, NULL);
-			result = convert_keyname(ce, lctx, mctx,
-						 &de->keyname);
-			if (result != ISC_R_SUCCESS)
-				goto cleanup;
-		} else if (cfg_obj_isstring(ce)) {
-			/* ACL name. */
-			const char *name = cfg_obj_asstring(ce);
-			if (strcasecmp(name, "any") == 0) {
-				/* Iptable entry with zero bit length. */
-				result = dns_iptable_addprefix(iptab, NULL, 0,
-					      ISC_TF(nest_level != 0 || !neg));
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-
-				if (nest_level != 0) {
-					de->type = dns_aclelementtype_nestedacl;
-					de->negative = neg;
-				} else
-					continue;
-			} else if (strcasecmp(name, "none") == 0) {
-				/* none == !any */
-				/*
-				 * We don't unconditional set
-				 * dacl->has_negatives and
-				 * de->negative to true so we can handle
-				 * "!none;".
-				 */
-				result = dns_iptable_addprefix(iptab, NULL, 0,
-					      ISC_TF(nest_level != 0 || neg));
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-
-				if (!neg)
-					dacl->has_negatives = !neg;
-
-				if (nest_level != 0) {
-					de->type = dns_aclelementtype_nestedacl;
-					de->negative = !neg;
-				} else
-					continue;
-			} else if (strcasecmp(name, "localhost") == 0) {
-				de->type = dns_aclelementtype_localhost;
-				de->negative = neg;
-			} else if (strcasecmp(name, "localnets") == 0) {
-				de->type = dns_aclelementtype_localnets;
-				de->negative = neg;
-			} else {
-				if (inneracl != NULL)
-					dns_acl_detach(&inneracl);
-				result = convert_named_acl(ce, cctx, lctx, ctx,
-							   mctx, new_nest_level,
-							   &inneracl);
-				if (result != ISC_R_SUCCESS)
-					goto cleanup;
-
-				goto nested_acl;
-			}
-		} else {
-			cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
-				    "address match list contains "
-				    "unsupported element type");
-			result = ISC_R_FAILURE;
-			goto cleanup;
-		}
-
-		/*
-		 * This should only be reached for localhost, localnets
-		 * and keyname elements, and nested ACLs if nest_level is
-		 * nonzero (i.e., in sortlists).
-		 */
-		if (de->nestedacl != NULL &&
-		    de->type != dns_aclelementtype_nestedacl)
-			dns_acl_detach(&de->nestedacl);
-
-		dacl->node_count++;
-		de->node_num = dacl->node_count;
-
-		dacl->length++;
-		de++;
-		INSIST(dacl->length <= dacl->alloc);
-	}
-
-	dns_acl_attach(dacl, target);
-	result = ISC_R_SUCCESS;
-
- cleanup:
-	if (inneracl != NULL)
-		dns_acl_detach(&inneracl);
-	dns_acl_detach(&dacl);
-	return (result);
-}
diff --git a/contrib/bind9/lib/isccfg/api b/contrib/bind9/lib/isccfg/api
deleted file mode 100644
index 864bdc9..0000000
--- a/contrib/bind9/lib/isccfg/api
+++ /dev/null
@@ -1,9 +0,0 @@
-# LIBINTERFACE ranges
-# 9.6: 50-59, 110-119
-# 9.7: 60-79
-# 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-LIBINTERFACE = 90
-LIBREVISION = 6
-LIBAGE = 0
diff --git a/contrib/bind9/lib/isccfg/dnsconf.c b/contrib/bind9/lib/isccfg/dnsconf.c
deleted file mode 100644
index 704d383..0000000
--- a/contrib/bind9/lib/isccfg/dnsconf.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnsconf.c,v 1.4 2009/09/02 23:48:03 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isccfg/cfg.h>
-#include <isccfg/grammar.h>
-
-/*%
- * A trusted key, as used in the "trusted-keys" statement.
- */
-static cfg_tuplefielddef_t trustedkey_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "flags", &cfg_type_uint32, 0 },
-	{ "protocol", &cfg_type_uint32, 0 },
-	{ "algorithm", &cfg_type_uint32, 0 },
-	{ "key", &cfg_type_qstring, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_trustedkey = {
-	"trustedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, trustedkey_fields
-};
-
-static cfg_type_t cfg_type_trustedkeys = {
-	"trusted-keys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_trustedkey
-};
-
-/*%
- * Clauses that can be found within the top level of the dns.conf
- * file only.
- */
-static cfg_clausedef_t
-dnsconf_clauses[] = {
-	{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-
-/*% The top-level dns.conf syntax. */
-
-static cfg_clausedef_t *
-dnsconf_clausesets[] = {
-	dnsconf_clauses,
-	NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_dnsconf = {
-	"dnsconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
-	&cfg_rep_map, dnsconf_clausesets
-};
diff --git a/contrib/bind9/lib/isccfg/include/Makefile.in b/contrib/bind9/lib/isccfg/include/Makefile.in
deleted file mode 100644
index 5c6976a..0000000
--- a/contrib/bind9/lib/isccfg/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.7 2007/06/19 23:47:22 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	isccfg
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
deleted file mode 100644
index 211583a..0000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001, 2002  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.12 2007/06/19 23:47:22 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated.  The latter are handled specially in the
-# install target below.
-#
-HEADERS =	aclconf.h cfg.h grammar.h log.h namedconf.h version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccfg
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccfg ; \
-	done
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h b/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h
deleted file mode 100644
index 38ab9f6..0000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2010-2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef ISCCFG_ACLCONF_H
-#define ISCCFG_ACLCONF_H 1
-
-#include <isc/lang.h>
-
-#include <isccfg/cfg.h>
-
-#include <dns/types.h>
-
-typedef struct cfg_aclconfctx {
-	ISC_LIST(dns_acl_t) named_acl_cache;
-	isc_mem_t *mctx;
-	isc_refcount_t references;
-} cfg_aclconfctx_t;
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-cfg_aclconfctx_create(isc_mem_t *mctx, cfg_aclconfctx_t **ret);
-/*
- * Creates and initializes an ACL configuration context.
- */
-
-void
-cfg_aclconfctx_detach(cfg_aclconfctx_t **actxp);
-/*
- * Removes a reference to an ACL configuration context; when references
- * reaches zero, clears the contents and deallocate the structure.
- */
-
-void
-cfg_aclconfctx_attach(cfg_aclconfctx_t *src, cfg_aclconfctx_t **dest);
-/*
- * Attaches a pointer to an existing ACL configuration context.
- */
-
-isc_result_t
-cfg_acl_fromconfig(const cfg_obj_t *caml,
-		   const cfg_obj_t *cctx,
-		   isc_log_t *lctx,
-		   cfg_aclconfctx_t *ctx,
-		   isc_mem_t *mctx,
-		   unsigned int nest_level,
-		   dns_acl_t **target);
-/*
- * Construct a new dns_acl_t from configuration data in 'caml' and
- * 'cctx'.  Memory is allocated through 'mctx'.
- *
- * Any named ACLs referred to within 'caml' will be be converted
- * into nested dns_acl_t objects.  Multiple references to the same
- * named ACLs will be converted into shared references to a single
- * nested dns_acl_t object when the referring objects were created
- * passing the same ACL configuration context 'ctx'.
- *
- * On success, attach '*target' to the new dns_acl_t object.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCFG_ACLCONF_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/cfg.h b/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
deleted file mode 100644
index b21a3d8..0000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
+++ /dev/null
@@ -1,445 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2010, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cfg.h,v 1.46 2010/08/13 23:47:04 tbox Exp $ */
-
-#ifndef ISCCFG_CFG_H
-#define ISCCFG_CFG_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file isccfg/cfg.h
- * \brief
- * This is the new, table-driven, YACC-free configuration file parser.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/refcount.h>
-#include <isc/types.h>
-#include <isc/list.h>
-
-
-/***
- *** Types
- ***/
-
-/*%
- * A configuration parser.
- */
-typedef struct cfg_parser cfg_parser_t;
-
-/*%
- * A configuration type definition object.  There is a single
- * static cfg_type_t object for each data type supported by
- * the configuration parser.
- */
-typedef struct cfg_type cfg_type_t;
-
-/*%
- * A configuration object.  This is the basic building block of the
- * configuration parse tree.  It contains a value (which may be
- * of one of several types) and information identifying the file
- * and line number the value came from, for printing error
- * messages.
- */
-typedef struct cfg_obj cfg_obj_t;
-
-/*%
- * A configuration object list element.
- */
-typedef struct cfg_listelt cfg_listelt_t;
-
-/*%
- * A callback function to be called when parsing an option
- * that needs to be interpreted at parsing time, like
- * "directory".
- */
-typedef isc_result_t
-(*cfg_parsecallback_t)(const char *clausename, const cfg_obj_t *obj, void *arg);
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-void
-cfg_parser_attach(cfg_parser_t *src, cfg_parser_t **dest);
-/*%<
- * Reference a parser object.
- */
-
-isc_result_t
-cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret);
-/*%<
- * Create a configuration file parser.  Any warning and error
- * messages will be logged to 'lctx'.
- *
- * The parser object returned can be used for a single call
- * to cfg_parse_file() or cfg_parse_buffer().  It must not
- * be reused for parsing multiple files or buffers.
- */
-
-void
-cfg_parser_setcallback(cfg_parser_t *pctx,
-		       cfg_parsecallback_t callback,
-		       void *arg);
-/*%<
- * Make the parser call 'callback' whenever it encounters
- * a configuration clause with the callback attribute,
- * passing it the clause name, the clause value,
- * and 'arg' as arguments.
- *
- * To restore the default of not invoking callbacks, pass
- * callback==NULL and arg==NULL.
- */
-
-isc_result_t
-cfg_parse_file(cfg_parser_t *pctx, const char *filename,
-	       const cfg_type_t *type, cfg_obj_t **ret);
-isc_result_t
-cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
-		 const cfg_type_t *type, cfg_obj_t **ret);
-/*%<
- * Read a configuration containing data of type 'type'
- * and make '*ret' point to its parse tree.
- *
- * The configuration is read from the file 'filename'
- * (isc_parse_file()) or the buffer 'buffer'
- * (isc_parse_buffer()).
- *
- * Returns an error if the file does not parse correctly.
- *
- * Requires:
- *\li 	"filename" is valid.
- *\li 	"mem" is valid.
- *\li	"type" is valid.
- *\li 	"cfg" is non-NULL and "*cfg" is NULL.
- *
- * Returns:
- *     \li #ISC_R_SUCCESS                 - success
- *\li      #ISC_R_NOMEMORY                - no memory available
- *\li      #ISC_R_INVALIDFILE             - file doesn't exist or is unreadable
- *\li      others	                      - file contains errors
- */
-
-void
-cfg_parser_destroy(cfg_parser_t **pctxp);
-/*%<
- * Remove a reference to a configuration parser; destroy it if there are no
- * more references.
- */
-
-isc_boolean_t
-cfg_obj_isvoid(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is of void type (e.g., an optional
- * value not specified).
- */
-
-isc_boolean_t
-cfg_obj_ismap(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is of a map type.
- */
-
-isc_result_t
-cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj);
-/*%<
- * Extract an element from a configuration object, which
- * must be of a map type.
- *
- * Requires:
- * \li     'mapobj' points to a valid configuration object of a map type.
- * \li     'name' points to a null-terminated string.
- * \li	'obj' is non-NULL and '*obj' is NULL.
- *
- * Returns:
- * \li     #ISC_R_SUCCESS                  - success
- * \li     #ISC_R_NOTFOUND                 - name not found in map
- */
-
-const cfg_obj_t *
-cfg_map_getname(const cfg_obj_t *mapobj);
-/*%<
- * Get the name of a named map object, like a server "key" clause.
- *
- * Requires:
- *    \li  'mapobj' points to a valid configuration object of a map type.
- *
- * Returns:
- * \li     A pointer to a configuration object naming the map object,
- *	or NULL if the map object does not have a name.
- */
-
-isc_boolean_t
-cfg_obj_istuple(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is of a map type.
- */
-
-const cfg_obj_t *
-cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name);
-/*%<
- * Extract an element from a configuration object, which
- * must be of a tuple type.
- *
- * Requires:
- * \li     'tupleobj' points to a valid configuration object of a tuple type.
- * \li     'name' points to a null-terminated string naming one of the
- *\li	fields of said tuple type.
- */
-
-isc_boolean_t
-cfg_obj_isuint32(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is of integer type.
- */
-
-isc_uint32_t
-cfg_obj_asuint32(const cfg_obj_t *obj);
-/*%<
- * Returns the value of a configuration object of 32-bit integer type.
- *
- * Requires:
- * \li     'obj' points to a valid configuration object of 32-bit integer type.
- *
- * Returns:
- * \li     A 32-bit unsigned integer.
- */
-
-isc_boolean_t
-cfg_obj_isuint64(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is of integer type.
- */
-
-isc_uint64_t
-cfg_obj_asuint64(const cfg_obj_t *obj);
-/*%<
- * Returns the value of a configuration object of 64-bit integer type.
- *
- * Requires:
- * \li     'obj' points to a valid configuration object of 64-bit integer type.
- *
- * Returns:
- * \li     A 64-bit unsigned integer.
- */
-
-isc_boolean_t
-cfg_obj_isstring(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is of string type.
- */
-
-const char *
-cfg_obj_asstring(const cfg_obj_t *obj);
-/*%<
- * Returns the value of a configuration object of a string type
- * as a null-terminated string.
- *
- * Requires:
- * \li     'obj' points to a valid configuration object of a string type.
- *
- * Returns:
- * \li     A pointer to a null terminated string.
- */
-
-isc_boolean_t
-cfg_obj_isboolean(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is of a boolean type.
- */
-
-isc_boolean_t
-cfg_obj_asboolean(const cfg_obj_t *obj);
-/*%<
- * Returns the value of a configuration object of a boolean type.
- *
- * Requires:
- * \li     'obj' points to a valid configuration object of a boolean type.
- *
- * Returns:
- * \li     A boolean value.
- */
-
-isc_boolean_t
-cfg_obj_issockaddr(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is a socket address.
- */
-
-const isc_sockaddr_t *
-cfg_obj_assockaddr(const cfg_obj_t *obj);
-/*%<
- * Returns the value of a configuration object representing a socket address.
- *
- * Requires:
- * \li     'obj' points to a valid configuration object of a socket address type.
- *
- * Returns:
- * \li     A pointer to a sockaddr.  The sockaddr must be copied by the caller
- *      if necessary.
- */
-
-isc_boolean_t
-cfg_obj_isnetprefix(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is a network prefix.
- */
-
-void
-cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
-		    unsigned int *prefixlen);
-/*%<
- * Gets the value of a configuration object representing a network
- * prefix.  The network address is returned through 'netaddr' and the
- * prefix length in bits through 'prefixlen'.
- *
- * Requires:
- * \li     'obj' points to a valid configuration object of network prefix type.
- *\li	'netaddr' and 'prefixlen' are non-NULL.
- */
-
-isc_boolean_t
-cfg_obj_islist(const cfg_obj_t *obj);
-/*%<
- * Return true iff 'obj' is of list type.
- */
-
-const cfg_listelt_t *
-cfg_list_first(const cfg_obj_t *obj);
-/*%<
- * Returns the first list element in a configuration object of a list type.
- *
- * Requires:
- * \li     'obj' points to a valid configuration object of a list type or NULL.
- *
- * Returns:
- *   \li   A pointer to a cfg_listelt_t representing the first list element,
- * 	or NULL if the list is empty or nonexistent.
- */
-
-const cfg_listelt_t *
-cfg_list_next(const cfg_listelt_t *elt);
-/*%<
- * Returns the next element of a list of configuration objects.
- *
- * Requires:
- * \li     'elt' points to cfg_listelt_t obtained from cfg_list_first() or
- *	a previous call to cfg_list_next().
- *
- * Returns:
- * \li     A pointer to a cfg_listelt_t representing the next element,
- * 	or NULL if there are no more elements.
- */
-
-unsigned int
-cfg_list_length(const cfg_obj_t *obj, isc_boolean_t recurse);
-/*%<
- * Returns the length of a list of configure objects.  If obj is
- * not a list, returns 0.  If recurse is true, add in the length of
- * all contained lists.
- */
-
-cfg_obj_t *
-cfg_listelt_value(const cfg_listelt_t *elt);
-/*%<
- * Returns the configuration object associated with cfg_listelt_t.
- *
- * Requires:
- * \li     'elt' points to cfg_listelt_t obtained from cfg_list_first() or
- *	cfg_list_next().
- *
- * Returns:
- * \li     A non-NULL pointer to a configuration object.
- */
-
-void
-cfg_print(const cfg_obj_t *obj,
-	  void (*f)(void *closure, const char *text, int textlen),
-	  void *closure);
-/*%<
- * Print the configuration object 'obj' by repeatedly calling the
- * function 'f', passing 'closure' and a region of text starting
- * at 'text' and comprising 'textlen' characters.
- */
-
-void
-cfg_print_grammar(const cfg_type_t *type,
-	  void (*f)(void *closure, const char *text, int textlen),
-	  void *closure);
-/*%<
- * Print a summary of the grammar of the configuration type 'type'.
- */
-
-isc_boolean_t
-cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type);
-/*%<
- * Return true iff 'obj' is of type 'type'.
- */
-
-void
-cfg_obj_attach(cfg_obj_t *src, cfg_obj_t **dest);
-/*%<
- * Reference a configuration object.
- */
-
-void
-cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
-/*%<
- * Delete a reference to a configuration object; destroy the object if
- * there are no more references.
- *
- * Require:
- * \li     '*obj' is a valid cfg_obj_t.
- * \li     'pctx' is a valid cfg_parser_t.
- */
-
-void
-cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
-	    const char *fmt, ...)
-	ISC_FORMAT_PRINTF(4, 5);
-/*%<
- * Log a message concerning configuration object 'obj' to the logging
- * channel of 'pctx', at log level 'level'.  The message will be prefixed
- * with the file name(s) and line number where 'obj' was defined.
- */
-
-const char *
-cfg_obj_file(const cfg_obj_t *obj);
-/*%<
- * Return the file that defined this object.
- */
-
-unsigned int
-cfg_obj_line(const cfg_obj_t *obj);
-/*%<
- * Return the line in file where this object was defined.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCFG_CFG_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/dnsconf.h b/contrib/bind9/lib/isccfg/include/isccfg/dnsconf.h
deleted file mode 100644
index edc5e50..0000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/dnsconf.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnsconf.h,v 1.3 2009/09/02 23:48:03 tbox Exp $ */
-
-#ifndef ISCCFG_NAMEDCONF_H
-#define ISCCFG_NAMEDCONF_H 1
-
-/*! \file
- * \brief
- * This module defines the named.conf, rndc.conf, and rndc.key grammars.
- */
-
-#include <isccfg/cfg.h>
-
-/*
- * Configuration object types.
- */
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_dnsconf;
-/*%< A complete dns.conf file. */
-
-#endif /* ISCCFG_CFG_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/grammar.h b/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
deleted file mode 100644
index 2d7080c..0000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
+++ /dev/null
@@ -1,474 +0,0 @@
-/*
- * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: grammar.h,v 1.24 2011/01/04 23:47:14 tbox Exp $ */
-
-#ifndef ISCCFG_GRAMMAR_H
-#define ISCCFG_GRAMMAR_H 1
-
-/*! \file isccfg/grammar.h */
-
-#include <isc/lex.h>
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-#include <isc/region.h>
-#include <isc/types.h>
-
-#include <isccfg/cfg.h>
-
-/*
- * Definitions shared between the configuration parser
- * and the grammars; not visible to users of the parser.
- */
-
-/*% Clause may occur multiple times (e.g., "zone") */
-#define CFG_CLAUSEFLAG_MULTI 		0x00000001
-/*% Clause is obsolete */
-#define CFG_CLAUSEFLAG_OBSOLETE 	0x00000002
-/*% Clause is not implemented, and may never be */
-#define CFG_CLAUSEFLAG_NOTIMP	 	0x00000004
-/*% Clause is not implemented yet */
-#define CFG_CLAUSEFLAG_NYI 		0x00000008
-/*% Default value has changed since earlier release */
-#define CFG_CLAUSEFLAG_NEWDEFAULT	0x00000010
-/*%
- * Clause needs to be interpreted during parsing
- * by calling a callback function, like the
- * "directory" option.
- */
-#define CFG_CLAUSEFLAG_CALLBACK		0x00000020
-/*% A option that is only used in testing. */
-#define CFG_CLAUSEFLAG_TESTONLY		0x00000040
-/*% A configuration option that was not configured at compile time. */
-#define CFG_CLAUSEFLAG_NOTCONFIGURED	0x00000080
-
-typedef struct cfg_clausedef cfg_clausedef_t;
-typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
-typedef struct cfg_printer cfg_printer_t;
-typedef ISC_LIST(cfg_listelt_t) cfg_list_t;
-typedef struct cfg_map cfg_map_t;
-typedef struct cfg_rep cfg_rep_t;
-
-/*
- * Function types for configuration object methods
- */
-
-typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
-					cfg_obj_t **);
-typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, const cfg_obj_t *);
-typedef void	     (*cfg_docfunc_t)(cfg_printer_t *, const cfg_type_t *);
-typedef void	     (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
-
-/*
- * Structure definitions
- */
-
-/*%
- * A configuration printer object.  This is an abstract
- * interface to a destination to which text can be printed
- * by calling the function 'f'.
- */
-struct cfg_printer {
-	void (*f)(void *closure, const char *text, int textlen);
-	void *closure;
-	int indent;
-};
-
-/*% A clause definition. */
-struct cfg_clausedef {
-	const char      *name;
-	cfg_type_t      *type;
-	unsigned int	flags;
-};
-
-/*% A tuple field definition. */
-struct cfg_tuplefielddef {
-	const char      *name;
-	cfg_type_t      *type;
-	unsigned int	flags;
-};
-
-/*% A configuration object type definition. */
-struct cfg_type {
-	const char *name;	/*%< For debugging purposes only */
-	cfg_parsefunc_t	parse;
-	cfg_printfunc_t print;
-	cfg_docfunc_t	doc;	/*%< Print grammar description */
-	cfg_rep_t *	rep;	/*%< Data representation */
-	const void *	of;	/*%< Additional data for meta-types */
-};
-
-/*% A keyword-type definition, for things like "port <integer>". */
-typedef struct {
-	const char *name;
-	const cfg_type_t *type;
-} keyword_type_t;
-
-struct cfg_map {
-	cfg_obj_t	 *id; /*%< Used for 'named maps' like keys, zones, &c */
-	const cfg_clausedef_t * const *clausesets; /*%< The clauses that
-						      can occur in this map;
-						      used for printing */
-	isc_symtab_t     *symtab;
-};
-
-typedef struct cfg_netprefix cfg_netprefix_t;
-
-struct cfg_netprefix {
-	isc_netaddr_t address; /* IP4/IP6 */
-	unsigned int prefixlen;
-};
-
-/*%
- * A configuration data representation.
- */
-struct cfg_rep {
-	const char *	name;	/*%< For debugging only */
-	cfg_freefunc_t 	free;	/*%< How to free this kind of data. */
-};
-
-/*%
- * A configuration object.  This is the main building block
- * of the configuration parse tree.
- */
-
-struct cfg_obj {
-	const cfg_type_t *type;
-	union {
-		isc_uint32_t  	uint32;
-		isc_uint64_t  	uint64;
-		isc_textregion_t string; /*%< null terminated, too */
-		isc_boolean_t 	boolean;
-		cfg_map_t	map;
-		cfg_list_t	list;
-		cfg_obj_t **	tuple;
-		isc_sockaddr_t	sockaddr;
-		cfg_netprefix_t netprefix;
-	}               value;
-	isc_refcount_t  references;     /*%< reference counter */
-	const char *	file;
-	unsigned int    line;
-};
-
-
-/*% A list element. */
-struct cfg_listelt {
-	cfg_obj_t               *obj;
-	ISC_LINK(cfg_listelt_t)  link;
-};
-
-/*% The parser object. */
-struct cfg_parser {
-	isc_mem_t *	mctx;
-	isc_log_t *	lctx;
-	isc_lex_t *	lexer;
-	unsigned int    errors;
-	unsigned int    warnings;
-	isc_token_t     token;
-
-	/*% We are at the end of all input. */
-	isc_boolean_t	seen_eof;
-
-	/*% The current token has been pushed back. */
-	isc_boolean_t	ungotten;
-
-	/*%
-	 * The stack of currently active files, represented
-	 * as a configuration list of configuration strings.
-	 * The head is the top-level file, subsequent elements
-	 * (if any) are the nested include files, and the
-	 * last element is the file currently being parsed.
-	 */
-	cfg_obj_t *	open_files;
-
-	/*%
-	 * Names of files that we have parsed and closed
-	 * and were previously on the open_file list.
-	 * We keep these objects around after closing
-	 * the files because the file names may still be
-	 * referenced from other configuration objects
-	 * for use in reporting semantic errors after
-	 * parsing is complete.
-	 */
-	cfg_obj_t *	closed_files;
-
-	/*%
-	 * Current line number.  We maintain our own
-	 * copy of this so that it is available even
-	 * when a file has just been closed.
-	 */
-	unsigned int	line;
-
-	/*%
-	 * Parser context flags, used for maintaining state
-	 * from one token to the next.
-	 */
-	unsigned int flags;
-
-	/*%< Reference counter */
-	isc_refcount_t  references;
-
-	cfg_parsecallback_t callback;
-	void *callbackarg;
-};
-
-/* Parser context flags */
-#define CFG_PCTX_SKIP		0x1
-
-/*@{*/
-/*%
- * Flags defining whether to accept certain types of network addresses.
- */
-#define CFG_ADDR_V4OK 		0x00000001
-#define CFG_ADDR_V4PREFIXOK 	0x00000002
-#define CFG_ADDR_V6OK 		0x00000004
-#define CFG_ADDR_WILDOK		0x00000008
-#define CFG_ADDR_MASK		(CFG_ADDR_V6OK|CFG_ADDR_V4OK)
-/*@}*/
-
-/*@{*/
-/*%
- * Predefined data representation types.
- */
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint32;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint64;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_string;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_boolean;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_map;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_list;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_tuple;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_sockaddr;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_netprefix;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_void;
-/*@}*/
-
-/*@{*/
-/*%
- * Predefined configuration object types.
- */
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_boolean;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint32;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint64;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_qstring;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_astring;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ustring;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddr;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr4;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr4wild;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr6;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr6wild;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netprefix;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_void;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_token;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_unsupported;
-/*@}*/
-
-isc_result_t
-cfg_gettoken(cfg_parser_t *pctx, int options);
-
-isc_result_t
-cfg_peektoken(cfg_parser_t *pctx, int options);
-
-void
-cfg_ungettoken(cfg_parser_t *pctx);
-
-#define CFG_LEXOPT_QSTRING (ISC_LEXOPT_QSTRING | ISC_LEXOPT_QSTRINGMULTILINE)
-
-isc_result_t
-cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
-
-void
-cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u);
-
-isc_result_t
-cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-void
-cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-isc_result_t
-cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-isc_result_t
-cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
-
-void
-cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na);
-
-isc_boolean_t
-cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags);
-
-isc_result_t
-cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port);
-
-isc_result_t
-cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-void
-cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-void
-cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_special(cfg_parser_t *pctx, int special);
-/*%< Parse a required special character 'special'. */
-
-isc_result_t
-cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
-
-isc_result_t
-cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-void
-cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
-
-isc_result_t
-cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
-		  cfg_listelt_t **ret);
-
-isc_result_t
-cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-void
-cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-isc_result_t
-cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type);
-
-void
-cfg_print_chars(cfg_printer_t *pctx, const char *text, int len);
-/*%< Print 'len' characters at 'text' */
-
-void
-cfg_print_cstr(cfg_printer_t *pctx, const char *s);
-/*%< Print the null-terminated string 's' */
-
-isc_result_t
-cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
-ret);
-
-void
-cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-void
-cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-void
-cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-void
-cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-void
-cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type);
-/*%<
- * Print a description of the grammar of an arbitrary configuration
- * type 'type'
- */
-
-void
-cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type);
-/*%<
- * Document the type 'type' as a terminal by printing its
- * name in angle brackets, e.g., &lt;uint32>.
- */
-
-void
-cfg_parser_error(cfg_parser_t *pctx, unsigned int flags,
-		 const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
-/*!
- * Pass one of these flags to cfg_parser_error() to include the
- * token text in log message.
- */
-#define CFG_LOG_NEAR    0x00000001	/*%< Say "near <token>" */
-#define CFG_LOG_BEFORE  0x00000002	/*%< Say "before <token>" */
-#define CFG_LOG_NOPREP  0x00000004	/*%< Say just "<token>" */
-
-void
-cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags,
-		   const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
-
-isc_boolean_t
-cfg_is_enum(const char *s, const char *const *enums);
-/*%< Return true iff the string 's' is one of the strings in 'enums' */
-
-#endif /* ISCCFG_GRAMMAR_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/log.h b/contrib/bind9/lib/isccfg/include/isccfg/log.h
deleted file mode 100644
index 1f9fc21..0000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/log.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.h,v 1.14 2009/01/18 23:48:14 tbox Exp $ */
-
-#ifndef ISCCFG_LOG_H
-#define ISCCFG_LOG_H 1
-
-/*! \file isccfg/log.h */
-
-#include <isc/lang.h>
-#include <isc/log.h>
-
-LIBISCCFG_EXTERNAL_DATA extern isc_logcategory_t cfg_categories[];
-LIBISCCFG_EXTERNAL_DATA extern isc_logmodule_t cfg_modules[];
-
-#define CFG_LOGCATEGORY_CONFIG	(&cfg_categories[0])
-
-#define CFG_LOGMODULE_PARSER	(&cfg_modules[0])
-
-ISC_LANG_BEGINDECLS
-
-void
-cfg_log_init(isc_log_t *lctx);
-/*%<
- * Make the libisccfg categories and modules available for use with the
- * ISC logging library.
- *
- * Requires:
- *\li	lctx is a valid logging context.
- *
- *\li	cfg_log_init() is called only once.
- *
- * Ensures:
- * \li	The categories and modules defined above are available for
- * 	use by isc_log_usechannnel() and isc_log_write().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCFG_LOG_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h b/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
deleted file mode 100644
index 507da06..0000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: namedconf.h,v 1.18 2010/08/11 18:14:20 each Exp $ */
-
-#ifndef ISCCFG_NAMEDCONF_H
-#define ISCCFG_NAMEDCONF_H 1
-
-/*! \file isccfg/namedconf.h
- * \brief
- * This module defines the named.conf, rndc.conf, and rndc.key grammars.
- */
-
-#include <isccfg/cfg.h>
-
-/*
- * Configuration object types.
- */
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
-/*%< A complete named.conf file. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bindkeys;
-/*%< A bind.keys file. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_newzones;
-/*%< A new-zones file (for zones added by 'rndc addzone'). */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_addzoneconf;
-/*%< A single zone passed via the addzone rndc command. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
-/*%< A complete rndc.conf file. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
-/*%< A complete rndc.key file. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sessionkey;
-/*%< A complete session.key file. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
-/*%< A key reference, used as an ACL element */
-
-#endif /* ISCCFG_NAMEDCONF_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/version.h b/contrib/bind9/lib/isccfg/include/isccfg/version.h
deleted file mode 100644
index 8aed111..0000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/version.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.9 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file isccfg/version.h */
-
-#include <isc/platform.h>
-
-LIBISCCFG_EXTERNAL_DATA extern const char cfg_version[];
-
-LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libinterface;
-LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_librevision;
-LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libage;
diff --git a/contrib/bind9/lib/isccfg/log.c b/contrib/bind9/lib/isccfg/log.c
deleted file mode 100644
index 8747fc0..0000000
--- a/contrib/bind9/lib/isccfg/log.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.c,v 1.11 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <isccfg/log.h>
-
-/*%
- * When adding a new category, be sure to add the appropriate
- * \#define to <isccfg/log.h>.
- */
-LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
-	{ "config", 	0 },
-	{ NULL, 	0 }
-};
-
-/*%
- * When adding a new module, be sure to add the appropriate
- * \#define to <isccfg/log.h>.
- */
-LIBISCCFG_EXTERNAL_DATA isc_logmodule_t cfg_modules[] = {
-	{ "isccfg/parser",	0 },
-	{ NULL, 		0 }
-};
-
-void
-cfg_log_init(isc_log_t *lctx) {
-	REQUIRE(lctx != NULL);
-
-	isc_log_registercategories(lctx, cfg_categories);
-	isc_log_registermodules(lctx, cfg_modules);
-}
diff --git a/contrib/bind9/lib/isccfg/namedconf.c b/contrib/bind9/lib/isccfg/namedconf.c
deleted file mode 100644
index 431af74..0000000
--- a/contrib/bind9/lib/isccfg/namedconf.c
+++ /dev/null
@@ -1,2889 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <isccfg/cfg.h>
-#include <isccfg/grammar.h>
-#include <isccfg/log.h>
-
-#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
-
-/*% Check a return value. */
-#define CHECK(op)						\
-	do { result = (op);					\
-		if (result != ISC_R_SUCCESS) goto cleanup;	\
-	} while (0)
-
-/*% Clean up a configuration object if non-NULL. */
-#define CLEANUP_OBJ(obj) \
-	do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
-
-
-/*%
- * Forward declarations of static functions.
- */
-
-static isc_result_t
-parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
-		    const cfg_type_t *othertype, cfg_obj_t **ret);
-
-static void
-doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *type);
-
-static isc_result_t
-parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static isc_result_t
-parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
-			cfg_obj_t **ret);
-
-static isc_result_t
-parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type,
-		   cfg_obj_t **ret);
-static void
-print_updatepolicy(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static void
-doc_updatepolicy(cfg_printer_t *pctx, const cfg_type_t *type);
-
-static void
-print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static void
-doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
-
-static void
-doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
-
-static cfg_type_t cfg_type_acl;
-static cfg_type_t cfg_type_addrmatchelt;
-static cfg_type_t cfg_type_bracketed_aml;
-static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
-static cfg_type_t cfg_type_bracketed_sockaddrlist;
-static cfg_type_t cfg_type_bracketed_sockaddrnameportlist;
-static cfg_type_t cfg_type_controls;
-static cfg_type_t cfg_type_controls_sockaddr;
-static cfg_type_t cfg_type_destinationlist;
-static cfg_type_t cfg_type_dialuptype;
-static cfg_type_t cfg_type_ixfrdifftype;
-static cfg_type_t cfg_type_key;
-static cfg_type_t cfg_type_logfile;
-static cfg_type_t cfg_type_logging;
-static cfg_type_t cfg_type_logseverity;
-static cfg_type_t cfg_type_lwres;
-static cfg_type_t cfg_type_masterselement;
-static cfg_type_t cfg_type_nameportiplist;
-static cfg_type_t cfg_type_negated;
-static cfg_type_t cfg_type_notifytype;
-static cfg_type_t cfg_type_optional_allow;
-static cfg_type_t cfg_type_optional_class;
-static cfg_type_t cfg_type_optional_facility;
-static cfg_type_t cfg_type_optional_keyref;
-static cfg_type_t cfg_type_optional_port;
-static cfg_type_t cfg_type_options;
-static cfg_type_t cfg_type_portiplist;
-static cfg_type_t cfg_type_querysource4;
-static cfg_type_t cfg_type_querysource6;
-static cfg_type_t cfg_type_querysource;
-static cfg_type_t cfg_type_server;
-static cfg_type_t cfg_type_server_key_kludge;
-static cfg_type_t cfg_type_size;
-static cfg_type_t cfg_type_sizenodefault;
-static cfg_type_t cfg_type_sockaddr4wild;
-static cfg_type_t cfg_type_sockaddr6wild;
-static cfg_type_t cfg_type_statschannels;
-static cfg_type_t cfg_type_view;
-static cfg_type_t cfg_type_viewopts;
-static cfg_type_t cfg_type_zone;
-static cfg_type_t cfg_type_zoneopts;
-static cfg_type_t cfg_type_dynamically_loadable_zones;
-static cfg_type_t cfg_type_dynamically_loadable_zones_opts;
-static cfg_type_t cfg_type_v4_aaaa;
-
-/*
- * Clauses that can be found in a 'dynamically loadable zones' statement
- */
-static cfg_clausedef_t
-dynamically_loadable_zones_clauses[] = {
-	{ "database", &cfg_type_astring, 0 },
-	{ NULL, NULL, 0 }
-};
-
-/*
- * A dynamically loadable zones statement.
- */
-static cfg_tuplefielddef_t dynamically_loadable_zones_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "options", &cfg_type_dynamically_loadable_zones_opts, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_dynamically_loadable_zones = {
-	"dlz", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple,
-	dynamically_loadable_zones_fields
-	};
-
-
-/*% tkey-dhkey */
-
-static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
-	{ "name", &cfg_type_qstring, 0 },
-	{ "keyid", &cfg_type_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_tkey_dhkey = {
-	"tkey-dhkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
-	tkey_dhkey_fields
-};
-
-/*% listen-on */
-
-static cfg_tuplefielddef_t listenon_fields[] = {
-	{ "port", &cfg_type_optional_port, 0 },
-	{ "acl", &cfg_type_bracketed_aml, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_listenon = {
-	"listenon", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, listenon_fields };
-
-/*% acl */
-
-static cfg_tuplefielddef_t acl_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "value", &cfg_type_bracketed_aml, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_acl = {
-	"acl", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, acl_fields };
-
-/*% masters */
-static cfg_tuplefielddef_t masters_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "port", &cfg_type_optional_port, 0 },
-	{ "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_masters = {
-	"masters", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, masters_fields };
-
-/*%
- * "sockaddrkeylist", a list of socket addresses with optional keys
- * and an optional default port, as used in the masters option.
- * E.g.,
- *   "port 1234 { mymasters; 10.0.0.1 key foo; 1::2 port 69; }"
- */
-
-static cfg_tuplefielddef_t namesockaddrkey_fields[] = {
-	{ "masterselement", &cfg_type_masterselement, 0 },
-	{ "key", &cfg_type_optional_keyref, 0 },
-	{ NULL, NULL, 0 },
-};
-
-static cfg_type_t cfg_type_namesockaddrkey = {
-	"namesockaddrkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
-	namesockaddrkey_fields
-};
-
-static cfg_type_t cfg_type_bracketed_namesockaddrkeylist = {
-	"bracketed_namesockaddrkeylist", cfg_parse_bracketed_list,
-	cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_namesockaddrkey
-};
-
-static cfg_tuplefielddef_t namesockaddrkeylist_fields[] = {
-	{ "port", &cfg_type_optional_port, 0 },
-	{ "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_namesockaddrkeylist = {
-	"sockaddrkeylist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
-	namesockaddrkeylist_fields
-};
-
-/*%
- * A list of socket addresses with an optional default port, as used
- * in the lwresd 'listen-on' option.  E.g., "{ 10.0.0.1; 1::2 port 69; }"
- */
-static cfg_tuplefielddef_t portiplist_fields[] = {
-	{ "port", &cfg_type_optional_port, 0 },
-	{ "addresses", &cfg_type_bracketed_sockaddrlist, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_portiplist = {
-	"portiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, portiplist_fields
-};
-
-/*%
- * A public key, as in the "pubkey" statement.
- */
-static cfg_tuplefielddef_t pubkey_fields[] = {
-	{ "flags", &cfg_type_uint32, 0 },
-	{ "protocol", &cfg_type_uint32, 0 },
-	{ "algorithm", &cfg_type_uint32, 0 },
-	{ "key", &cfg_type_qstring, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_pubkey = {
-	"pubkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, pubkey_fields };
-
-/*%
- * A list of RR types, used in grant statements.
- * Note that the old parser allows quotes around the RR type names.
- */
-static cfg_type_t cfg_type_rrtypelist = {
-	"rrtypelist", cfg_parse_spacelist, cfg_print_spacelist,
-	cfg_doc_terminal, &cfg_rep_list, &cfg_type_astring
-};
-
-static const char *mode_enums[] = { "grant", "deny", NULL };
-static cfg_type_t cfg_type_mode = {
-	"mode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
-	&cfg_rep_string, &mode_enums
-};
-
-static isc_result_t
-parse_matchtype(cfg_parser_t *pctx, const cfg_type_t *type,
-		cfg_obj_t **ret) {
-	isc_result_t result;
-
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(TOKEN_STRING(pctx), "zonesub") == 0) {
-		pctx->flags |= CFG_PCTX_SKIP;
-	}
-	return (cfg_parse_enum(pctx, type, ret));
-
- cleanup:
-	return (result);
-}
-
-static isc_result_t
-parse_matchname(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-
-	if ((pctx->flags & CFG_PCTX_SKIP) != 0) {
-		pctx->flags &= ~CFG_PCTX_SKIP;
-		CHECK(cfg_parse_void(pctx, NULL, &obj));
-	} else
-		result = cfg_parse_astring(pctx, type, &obj);
-
-	*ret = obj;
- cleanup:
-	return (result);
-}
-
-static void
-doc_matchname(cfg_printer_t *pctx, const cfg_type_t *type) {
-	cfg_print_chars(pctx, "[ ", 2);
-	cfg_doc_obj(pctx, type->of);
-	cfg_print_chars(pctx, " ]", 2);
-}
-
-static const char *matchtype_enums[] = {
-	"name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
-	"krb5-self", "ms-self", "krb5-subdomain", "ms-subdomain",
-	"tcp-self", "6to4-self", "zonesub", "external", NULL };
-
-static cfg_type_t cfg_type_matchtype = {
-	"matchtype", parse_matchtype, cfg_print_ustring,
-	cfg_doc_enum, &cfg_rep_string, &matchtype_enums
-};
-
-static cfg_type_t cfg_type_matchname = {
-	"optional_matchname", parse_matchname, cfg_print_ustring,
-	&doc_matchname, &cfg_rep_tuple, &cfg_type_ustring
-};
-
-/*%
- * A grant statement, used in the update policy.
- */
-static cfg_tuplefielddef_t grant_fields[] = {
-	{ "mode", &cfg_type_mode, 0 },
-	{ "identity", &cfg_type_astring, 0 }, /* domain name */
-	{ "matchtype", &cfg_type_matchtype, 0 },
-	{ "name", &cfg_type_matchname, 0 }, /* domain name */
-	{ "types", &cfg_type_rrtypelist, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_grant = {
-	"grant", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	 &cfg_rep_tuple, grant_fields
-};
-
-static cfg_type_t cfg_type_updatepolicy = {
-	"update_policy", parse_updatepolicy, print_updatepolicy,
-	doc_updatepolicy, &cfg_rep_list, &cfg_type_grant
-};
-
-static isc_result_t
-parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type,
-		   cfg_obj_t **ret) {
-	isc_result_t result;
-	CHECK(cfg_gettoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_special &&
-	    pctx->token.value.as_char == '{') {
-		cfg_ungettoken(pctx);
-		return (cfg_parse_bracketed_list(pctx, type, ret));
-	}
-
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(TOKEN_STRING(pctx), "local") == 0) {
-		cfg_obj_t *obj = NULL;
-		CHECK(cfg_create_obj(pctx, &cfg_type_ustring, &obj));
-		obj->value.string.length = strlen("local");
-		obj->value.string.base	= isc_mem_get(pctx->mctx,
-						obj->value.string.length + 1);
-		if (obj->value.string.base == NULL) {
-			isc_mem_put(pctx->mctx, obj, sizeof(*obj));
-			return (ISC_R_NOMEMORY);
-		}
-		memcpy(obj->value.string.base, "local", 5);
-		obj->value.string.base[5] = '\0';
-		*ret = obj;
-		return (ISC_R_SUCCESS);
-	}
-
-	cfg_ungettoken(pctx);
-	return (ISC_R_UNEXPECTEDTOKEN);
-
- cleanup:
-	return (result);
-}
-
-static void
-print_updatepolicy(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	if (cfg_obj_isstring(obj))
-		cfg_print_ustring(pctx, obj);
-	else
-		cfg_print_bracketed_list(pctx, obj);
-}
-
-static void
-doc_updatepolicy(cfg_printer_t *pctx, const cfg_type_t *type) {
-	cfg_print_cstr(pctx, "( local | { ");
-	cfg_doc_obj(pctx, type->of);
-	cfg_print_cstr(pctx, "; ... }");
-}
-
-/*%
- * A view statement.
- */
-static cfg_tuplefielddef_t view_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "class", &cfg_type_optional_class, 0 },
-	{ "options", &cfg_type_viewopts, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_view = {
-	"view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	 &cfg_rep_tuple, view_fields
-};
-
-/*%
- * A zone statement.
- */
-static cfg_tuplefielddef_t zone_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "class", &cfg_type_optional_class, 0 },
-	{ "options", &cfg_type_zoneopts, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_zone = {
-	"zone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, zone_fields
-};
-
-/*%
- * A "category" clause in the "logging" statement.
- */
-static cfg_tuplefielddef_t category_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "destinations", &cfg_type_destinationlist,0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_category = {
-	"category", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, category_fields
-};
-
-
-/*%
- * A dnssec key, as used in the "trusted-keys" statement.
- */
-static cfg_tuplefielddef_t dnsseckey_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "flags", &cfg_type_uint32, 0 },
-	{ "protocol", &cfg_type_uint32, 0 },
-	{ "algorithm", &cfg_type_uint32, 0 },
-	{ "key", &cfg_type_qstring, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_dnsseckey = {
-	"dnsseckey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, dnsseckey_fields
-};
-
-/*%
- * A managed key initialization specifier, as used in the
- * "managed-keys" statement.
- */
-static cfg_tuplefielddef_t managedkey_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "init", &cfg_type_ustring, 0 },   /* must be literal "initial-key" */
-	{ "flags", &cfg_type_uint32, 0 },
-	{ "protocol", &cfg_type_uint32, 0 },
-	{ "algorithm", &cfg_type_uint32, 0 },
-	{ "key", &cfg_type_qstring, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_managedkey = {
-	"managedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, managedkey_fields
-};
-
-static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
-
-static cfg_type_t cfg_type_optional_wild_class = {
-	"optional_wild_class", parse_optional_keyvalue, print_keyvalue,
-	doc_optional_keyvalue, &cfg_rep_string, &wild_class_kw
-};
-
-static keyword_type_t wild_type_kw = { "type", &cfg_type_ustring };
-
-static cfg_type_t cfg_type_optional_wild_type = {
-	"optional_wild_type", parse_optional_keyvalue,
-	print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_type_kw
-};
-
-static keyword_type_t wild_name_kw = { "name", &cfg_type_qstring };
-
-static cfg_type_t cfg_type_optional_wild_name = {
-	"optional_wild_name", parse_optional_keyvalue,
-	print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_name_kw
-};
-
-/*%
- * An rrset ordering element.
- */
-static cfg_tuplefielddef_t rrsetorderingelement_fields[] = {
-	{ "class", &cfg_type_optional_wild_class, 0 },
-	{ "type", &cfg_type_optional_wild_type, 0 },
-	{ "name", &cfg_type_optional_wild_name, 0 },
-	{ "order", &cfg_type_ustring, 0 }, /* must be literal "order" */
-	{ "ordering", &cfg_type_ustring, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_rrsetorderingelement = {
-	"rrsetorderingelement", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
-	rrsetorderingelement_fields
-};
-
-/*%
- * A global or view "check-names" option.  Note that the zone
- * "check-names" option has a different syntax.
- */
-
-static const char *checktype_enums[] = { "master", "slave", "response", NULL };
-static cfg_type_t cfg_type_checktype = {
-	"checktype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
-	&cfg_rep_string, &checktype_enums
-};
-
-static const char *checkmode_enums[] = { "fail", "warn", "ignore", NULL };
-static cfg_type_t cfg_type_checkmode = {
-	"checkmode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
-	&cfg_rep_string, &checkmode_enums
-};
-
-static const char *warn_enums[] = { "warn", "ignore", NULL };
-static cfg_type_t cfg_type_warn = {
-	"warn", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
-	&cfg_rep_string, &warn_enums
-};
-
-static cfg_tuplefielddef_t checknames_fields[] = {
-	{ "type", &cfg_type_checktype, 0 },
-	{ "mode", &cfg_type_checkmode, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_checknames = {
-	"checknames", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
-	checknames_fields
-};
-
-static cfg_type_t cfg_type_bracketed_sockaddrlist = {
-	"bracketed_sockaddrlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
-	&cfg_rep_list, &cfg_type_sockaddr
-};
-
-static const char *autodnssec_enums[] = { "allow", "maintain", "off", NULL };
-static cfg_type_t cfg_type_autodnssec = {
-	"autodnssec", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
-	&cfg_rep_string, &autodnssec_enums
-};
-
-static const char *dnssecupdatemode_enums[] = { "maintain", "no-resign", NULL };
-static cfg_type_t cfg_type_dnssecupdatemode = {
-	"dnssecupdatemode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
-	&cfg_rep_string, &dnssecupdatemode_enums
-};
-
-static const char *updatemethods_enums[] = { "increment", "unixtime", NULL };
-static cfg_type_t cfg_type_updatemethod = {
-	"updatemethod", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
-	&cfg_rep_string, &updatemethods_enums
-};
-
-/*
- * zone-statistics: full, terse, or none.
- *
- * for backward compatibility, we also support boolean values.
- * yes represents "full", no represents "terse". in the future we
- * may change no to mean "none".
- */
-static const char *zonestat_enums[] = { "full", "terse", "none", NULL };
-static isc_result_t
-parse_zonestat(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
-}
-static cfg_type_t cfg_type_zonestat = {
-	"zonestat", parse_zonestat, cfg_print_ustring, doc_enum_or_other,
-	&cfg_rep_string, zonestat_enums
-};
-
-static cfg_type_t cfg_type_rrsetorder = {
-	"rrsetorder", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
-	&cfg_rep_list, &cfg_type_rrsetorderingelement
-};
-
-static keyword_type_t port_kw = { "port", &cfg_type_uint32 };
-
-static cfg_type_t cfg_type_optional_port = {
-	"optional_port", parse_optional_keyvalue, print_keyvalue,
-	doc_optional_keyvalue, &cfg_rep_uint32, &port_kw
-};
-
-/*% A list of keys, as in the "key" clause of the controls statement. */
-static cfg_type_t cfg_type_keylist = {
-	"keylist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
-};
-
-/*% A list of dnssec keys, as in "trusted-keys" */
-static cfg_type_t cfg_type_dnsseckeys = {
-	"dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_dnsseckey
-};
-
-/*%
- * A list of managed key entries, as in "trusted-keys".  Currently
- * (9.7.0) this has a format similar to dnssec keys, except the keyname
- * is followed by the keyword "initial-key".  In future releases, this
- * keyword may take other values indicating different methods for the
- * key to be initialized.
- */
-
-static cfg_type_t cfg_type_managedkeys = {
-	"managedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_managedkey
-};
-
-static const char *forwardtype_enums[] = { "first", "only", NULL };
-static cfg_type_t cfg_type_forwardtype = {
-	"forwardtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
-	&forwardtype_enums
-};
-
-static const char *zonetype_enums[] = {
-	"master", "slave", "stub", "static-stub", "hint", "forward",
-	"delegation-only", "redirect", NULL };
-static cfg_type_t cfg_type_zonetype = {
-	"zonetype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
-	&cfg_rep_string, &zonetype_enums
-};
-
-static const char *loglevel_enums[] = {
-	"critical", "error", "warning", "notice", "info", "dynamic", NULL };
-static cfg_type_t cfg_type_loglevel = {
-	"loglevel", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
-	&loglevel_enums
-};
-
-static const char *transferformat_enums[] = {
-	"many-answers", "one-answer", NULL };
-static cfg_type_t cfg_type_transferformat = {
-	"transferformat", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
-	&transferformat_enums
-};
-
-/*%
- * The special keyword "none", as used in the pid-file option.
- */
-
-static void
-print_none(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	UNUSED(obj);
-	cfg_print_cstr(pctx, "none");
-}
-
-static cfg_type_t cfg_type_none = {
-	"none", NULL, print_none, NULL, &cfg_rep_void, NULL
-};
-
-/*%
- * A quoted string or the special keyword "none".  Used in the pid-file option.
- */
-static isc_result_t
-parse_qstringornone(cfg_parser_t *pctx, const cfg_type_t *type,
-		    cfg_obj_t **ret)
-{
-	isc_result_t result;
-
-	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(TOKEN_STRING(pctx), "none") == 0)
-		return (cfg_create_obj(pctx, &cfg_type_none, ret));
-	cfg_ungettoken(pctx);
-	return (cfg_parse_qstring(pctx, type, ret));
- cleanup:
-	return (result);
-}
-
-static void
-doc_qstringornone(cfg_printer_t *pctx, const cfg_type_t *type) {
-	UNUSED(type);
-	cfg_print_cstr(pctx, "( <quoted_string> | none )");
-}
-
-static cfg_type_t cfg_type_qstringornone = {
-	"qstringornone", parse_qstringornone, NULL, doc_qstringornone,
-	NULL, NULL
-};
-
-/*%
- * A boolean ("yes" or "no"), or the special keyword "auto".
- * Used in the dnssec-validation option.
- */
-static void
-print_auto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	UNUSED(obj);
-	cfg_print_cstr(pctx, "auto");
-}
-
-static cfg_type_t cfg_type_auto = {
-	"auto", NULL, print_auto, NULL, &cfg_rep_void, NULL
-};
-
-static isc_result_t
-parse_boolorauto(cfg_parser_t *pctx, const cfg_type_t *type,
-		    cfg_obj_t **ret)
-{
-	isc_result_t result;
-
-	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(TOKEN_STRING(pctx), "auto") == 0)
-		return (cfg_create_obj(pctx, &cfg_type_auto, ret));
-	cfg_ungettoken(pctx);
-	return (cfg_parse_boolean(pctx, type, ret));
- cleanup:
-	return (result);
-}
-
-static void
-print_boolorauto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	if (obj->type->rep == &cfg_rep_void)
-		cfg_print_chars(pctx, "auto", 4);
-	else if (obj->value.boolean)
-		cfg_print_chars(pctx, "yes", 3);
-	else
-		cfg_print_chars(pctx, "no", 2);
-}
-
-static void
-doc_boolorauto(cfg_printer_t *pctx, const cfg_type_t *type) {
-	UNUSED(type);
-	cfg_print_cstr(pctx, "( yes | no | auto )");
-}
-
-static cfg_type_t cfg_type_boolorauto = {
-	"boolorauto", parse_boolorauto, print_boolorauto,
-	doc_boolorauto, NULL, NULL
-};
-
-/*%
- * keyword hostname
- */
-static void
-print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	UNUSED(obj);
-	cfg_print_cstr(pctx, "hostname");
-}
-
-static cfg_type_t cfg_type_hostname = {
-	"hostname", NULL, print_hostname, NULL, &cfg_rep_boolean, NULL
-};
-
-/*%
- * "server-id" argument.
- */
-
-static isc_result_t
-parse_serverid(cfg_parser_t *pctx, const cfg_type_t *type,
-		    cfg_obj_t **ret)
-{
-	isc_result_t result;
-	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(TOKEN_STRING(pctx), "none") == 0)
-		return (cfg_create_obj(pctx, &cfg_type_none, ret));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(TOKEN_STRING(pctx), "hostname") == 0) {
-		return (cfg_create_obj(pctx, &cfg_type_hostname, ret));
-	}
-	cfg_ungettoken(pctx);
-	return (cfg_parse_qstring(pctx, type, ret));
- cleanup:
-	return (result);
-}
-
-static void
-doc_serverid(cfg_printer_t *pctx, const cfg_type_t *type) {
-	UNUSED(type);
-	cfg_print_cstr(pctx, "( <quoted_string> | none | hostname )");
-}
-
-static cfg_type_t cfg_type_serverid = {
-	"serverid", parse_serverid, NULL, doc_serverid, NULL, NULL };
-
-/*%
- * Port list.
- */
-static cfg_tuplefielddef_t porttuple_fields[] = {
-	{ "loport", &cfg_type_uint32, 0 },
-	{ "hiport", &cfg_type_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_porttuple = {
-	"porttuple", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, porttuple_fields
-};
-
-static isc_result_t
-parse_port(cfg_parser_t *pctx, cfg_obj_t **ret) {
-	isc_result_t result;
-
-	CHECK(cfg_parse_uint32(pctx, NULL, ret));
-	if ((*ret)->value.uint32 > 0xffff) {
-		cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid port");
-		cfg_obj_destroy(pctx, ret);
-		result = ISC_R_RANGE;
-	}
-
- cleanup:
-	return (result);
-}
-
-static isc_result_t
-parse_portrange(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
-	if (pctx->token.type == isc_tokentype_number)
-		CHECK(parse_port(pctx, ret));
-	else {
-		CHECK(cfg_gettoken(pctx, 0));
-		if (pctx->token.type != isc_tokentype_string ||
-		    strcasecmp(TOKEN_STRING(pctx), "range") != 0) {
-			cfg_parser_error(pctx, CFG_LOG_NEAR,
-					 "expected integer or 'range'");
-			return (ISC_R_UNEXPECTEDTOKEN);
-		}
-		CHECK(cfg_create_tuple(pctx, &cfg_type_porttuple, &obj));
-		CHECK(parse_port(pctx, &obj->value.tuple[0]));
-		CHECK(parse_port(pctx, &obj->value.tuple[1]));
-		if (obj->value.tuple[0]->value.uint32 >
-		    obj->value.tuple[1]->value.uint32) {
-			cfg_parser_error(pctx, CFG_LOG_NOPREP,
-					 "low port '%u' must not be larger "
-					 "than high port",
-					 obj->value.tuple[0]->value.uint32);
-			result = ISC_R_RANGE;
-			goto cleanup;
-		}
-		*ret = obj;
-		obj = NULL;
-	}
-
- cleanup:
-	if (obj != NULL)
-		cfg_obj_destroy(pctx, &obj);
-	return (result);
-}
-
-static cfg_type_t cfg_type_portrange = {
-	"portrange", parse_portrange, NULL, cfg_doc_terminal,
-	NULL, NULL
-};
-
-static cfg_type_t cfg_type_bracketed_portlist = {
-	"bracketed_sockaddrlist", cfg_parse_bracketed_list,
-	cfg_print_bracketed_list, cfg_doc_bracketed_list,
-	&cfg_rep_list, &cfg_type_portrange
-};
-
-/*%
- * Clauses that can be found within the top level of the named.conf
- * file only.
- */
-static cfg_clausedef_t
-namedconf_clauses[] = {
-	{ "options", &cfg_type_options, 0 },
-	{ "controls", &cfg_type_controls, CFG_CLAUSEFLAG_MULTI },
-	{ "acl", &cfg_type_acl, CFG_CLAUSEFLAG_MULTI },
-	{ "masters", &cfg_type_masters, CFG_CLAUSEFLAG_MULTI },
-	{ "logging", &cfg_type_logging, 0 },
-	{ "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
-	{ "lwres", &cfg_type_lwres, CFG_CLAUSEFLAG_MULTI },
-	{ "statistics-channels", &cfg_type_statschannels,
-	  CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-
-/*%
- * Clauses that can occur at the top level or in the view
- * statement, but not in the options block.
- */
-static cfg_clausedef_t
-namedconf_or_view_clauses[] = {
-	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
-	{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
-	/* only 1 DLZ per view allowed */
-	{ "dlz", &cfg_type_dynamically_loadable_zones, 0 },
-	{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
-	{ "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
-	{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-
-/*%
- * Clauses that can occur in the bind.keys file.
- */
-static cfg_clausedef_t
-bindkeys_clauses[] = {
-	{ "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
-	{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-
-/*%
- * Clauses that can be found within the 'options' statement.
- */
-static cfg_clausedef_t
-options_clauses[] = {
-	{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
-	{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
-	{ "bindkeys-file", &cfg_type_qstring, 0 },
-	{ "blackhole", &cfg_type_bracketed_aml, 0 },
-	{ "coresize", &cfg_type_size, 0 },
-	{ "datasize", &cfg_type_size, 0 },
-	{ "session-keyfile", &cfg_type_qstringornone, 0 },
-	{ "session-keyname", &cfg_type_astring, 0 },
-	{ "session-keyalg", &cfg_type_astring, 0 },
-	{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
-	{ "dump-file", &cfg_type_qstring, 0 },
-	{ "fake-iquery", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "files", &cfg_type_size, 0 },
-	{ "flush-zones-on-shutdown", &cfg_type_boolean, 0 },
-	{ "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "heartbeat-interval", &cfg_type_uint32, 0 },
-	{ "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTIMP },
-	{ "host-statistics-max", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
-	{ "hostname", &cfg_type_qstringornone, 0 },
-	{ "interface-interval", &cfg_type_uint32, 0 },
-	{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
-	{ "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
-	{ "managed-keys-directory", &cfg_type_qstring, 0 },
-	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
-	{ "max-rsa-exponent-size", &cfg_type_uint32, 0 },
-	{ "memstatistics-file", &cfg_type_qstring, 0 },
-	{ "memstatistics", &cfg_type_boolean, 0 },
-	{ "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "pid-file", &cfg_type_qstringornone, 0 },
-	{ "port", &cfg_type_uint32, 0 },
-	{ "querylog", &cfg_type_boolean, 0 },
-	{ "recursing-file", &cfg_type_qstring, 0 },
-	{ "random-device", &cfg_type_qstring, 0 },
-	{ "recursive-clients", &cfg_type_uint32, 0 },
-	{ "reserved-sockets", &cfg_type_uint32, 0 },
-	{ "secroots-file", &cfg_type_qstring, 0 },
-	{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "serial-query-rate", &cfg_type_uint32, 0 },
-	{ "server-id", &cfg_type_serverid, 0 },
-	{ "stacksize", &cfg_type_size, 0 },
-	{ "statistics-file", &cfg_type_qstring, 0 },
-	{ "statistics-interval", &cfg_type_uint32, CFG_CLAUSEFLAG_NYI },
-	{ "tcp-clients", &cfg_type_uint32, 0 },
-	{ "tcp-listen-queue", &cfg_type_uint32, 0 },
-	{ "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
-	{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
-	{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
-	{ "tkey-domain", &cfg_type_qstring, 0 },
-	{ "transfers-per-ns", &cfg_type_uint32, 0 },
-	{ "transfers-in", &cfg_type_uint32, 0 },
-	{ "transfers-out", &cfg_type_uint32, 0 },
-	{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "use-ixfr", &cfg_type_boolean, 0 },
-	{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
-	{ "use-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
-	{ "version", &cfg_type_qstringornone, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_namelist = {
-	"namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring };
-
-static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
-
-static cfg_type_t cfg_type_optional_exclude = {
-	"optional_exclude", parse_optional_keyvalue, print_keyvalue,
-	doc_optional_keyvalue, &cfg_rep_list, &exclude_kw };
-
-static keyword_type_t exceptionnames_kw = { "except-from", &cfg_type_namelist };
-
-static cfg_type_t cfg_type_optional_exceptionnames = {
-	"optional_allow", parse_optional_keyvalue, print_keyvalue,
-	doc_optional_keyvalue, &cfg_rep_list, &exceptionnames_kw };
-
-static cfg_tuplefielddef_t denyaddresses_fields[] = {
-	{ "acl", &cfg_type_bracketed_aml, 0 },
-	{ "except-from", &cfg_type_optional_exceptionnames, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_denyaddresses = {
-	"denyaddresses", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, denyaddresses_fields
-};
-
-static cfg_tuplefielddef_t denyaliases_fields[] = {
-	{ "name", &cfg_type_namelist, 0 },
-	{ "except-from", &cfg_type_optional_exceptionnames, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_denyaliases = {
-	"denyaliases", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, denyaliases_fields
-};
-
-static cfg_type_t cfg_type_algorithmlist = {
-	"algorithmlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring };
-
-static cfg_tuplefielddef_t disablealgorithm_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "algorithms", &cfg_type_algorithmlist, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_disablealgorithm = {
-	"disablealgorithm", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, disablealgorithm_fields
-};
-
-static cfg_tuplefielddef_t mustbesecure_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "value", &cfg_type_boolean, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_mustbesecure = {
-	"mustbesecure", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, mustbesecure_fields
-};
-
-static const char *masterformat_enums[] = { "text", "raw", NULL };
-static cfg_type_t cfg_type_masterformat = {
-	"masterformat", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
-	&cfg_rep_string, &masterformat_enums
-};
-
-
-
-/*%
- *  response-policy {
- *	zone <string> [ policy (given|disabled|passthru|
- *					nxdomain|nodata|cname <domain> ) ]
- *		      [ recursive-only yes|no ] [ max-policy-ttl number ] ;
- *  } [ recursive-only yes|no ] [ max-policy-ttl number ] ;
- *	 [ break-dnssec yes|no ] [ min-ns-dots number ] ;
- */
-
-static void
-doc_rpz_policy(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const char * const *p;
-	/*
-	 * This is cfg_doc_enum() without the trailing " )".
-	 */
-	cfg_print_chars(pctx, "( ", 2);
-	for (p = type->of; *p != NULL; p++) {
-		cfg_print_cstr(pctx, *p);
-		if (p[1] != NULL)
-			cfg_print_chars(pctx, " | ", 3);
-	}
-}
-
-static void
-doc_rpz_cname(cfg_printer_t *pctx, const cfg_type_t *type) {
-	cfg_doc_terminal(pctx, type);
-	cfg_print_chars(pctx, " )", 2);
-}
-
-/*
- * Parse
- *	given|disabled|passthru|nxdomain|nodata|cname <domain>
- */
-static isc_result_t
-cfg_parse_rpz_policy(cfg_parser_t *pctx, const cfg_type_t *type,
-		     cfg_obj_t **ret)
-{
-	isc_result_t result;
-	cfg_obj_t *obj;
-	const cfg_tuplefielddef_t *fields;
-
-	CHECK(cfg_create_tuple(pctx, type, &obj));
-
-	fields = type->of;
-	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
-	/*
-	 * parse cname domain only after "policy cname"
-	 */
-	if (strcasecmp("cname", cfg_obj_asstring(obj->value.tuple[0])) != 0) {
-		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
-	} else {
-		CHECK(cfg_parse_obj(pctx, fields[1].type,
-				    &obj->value.tuple[1]));
-	}
-
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
-cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-/*
- * Parse a tuple consisting of any kind of  required field followed
- * by 2 or more optional keyvalues that can be in any order.
- */
-static isc_result_t
-cfg_parse_kv_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	const cfg_tuplefielddef_t *fields, *f;
-	cfg_obj_t *obj;
-	int fn;
-	isc_result_t result;
-
-	obj = NULL;
-	CHECK(cfg_create_tuple(pctx, type, &obj));
-
-	/*
-	 * The zone first field is required and always first.
-	 */
-	fields = type->of;
-	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
-
-	for (;;) {
-		CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
-		if (pctx->token.type != isc_tokentype_string)
-			break;
-
-		for (fn = 1, f = &fields[1]; ; ++fn, ++f) {
-			if (f->name == NULL) {
-				cfg_parser_error(pctx, 0, "unexpected '%s'",
-						 TOKEN_STRING(pctx));
-				result = ISC_R_UNEXPECTEDTOKEN;
-				goto cleanup;
-			}
-			if (obj->value.tuple[fn] == NULL &&
-			    strcasecmp(f->name, TOKEN_STRING(pctx)) == 0)
-				break;
-		}
-
-		CHECK(cfg_gettoken(pctx, 0));
-		CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[fn]));
-	}
-
-	for (fn = 1, f = &fields[1]; f->name != NULL; ++fn, ++f) {
-		if (obj->value.tuple[fn] == NULL)
-			CHECK(cfg_parse_void(pctx, NULL,
-					     &obj->value.tuple[fn]));
-	}
-
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
-cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-static void
-cfg_print_kv_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	unsigned int i;
-	const cfg_tuplefielddef_t *fields, *f;
-	const cfg_obj_t *fieldobj;
-
-	fields = obj->type->of;
-	for (f = fields, i = 0; f->name != NULL; f++, i++) {
-		fieldobj = obj->value.tuple[i];
-		if (fieldobj->type->print == cfg_print_void)
-			continue;
-		if (i != 0) {
-			cfg_print_chars(pctx, " ", 1);
-			cfg_print_cstr(pctx, f->name);
-			cfg_print_chars(pctx, " ", 1);
-		}
-		cfg_print_obj(pctx, fieldobj);
-	}
-}
-
-static void
-cfg_doc_kv_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const cfg_tuplefielddef_t *fields, *f;
-
-	fields = type->of;
-	for (f = fields; f->name != NULL; f++) {
-		if (f != fields) {
-			cfg_print_chars(pctx, " [ ", 3);
-			cfg_print_cstr(pctx, f->name);
-			if (f->type->doc != cfg_doc_void)
-				cfg_print_chars(pctx, " ", 1);
-		}
-		cfg_doc_obj(pctx, f->type);
-		if (f != fields)
-			cfg_print_chars(pctx, " ]", 2);
-	}
-}
-
-static keyword_type_t zone_kw = {"zone", &cfg_type_qstring};
-static cfg_type_t cfg_type_rpz_zone = {
-	"zone", parse_keyvalue, print_keyvalue,
-	doc_keyvalue, &cfg_rep_string,
-	&zone_kw
-};
-static const char *rpz_policies[] = {
-	"given", "disabled", "passthru", "no-op", "nxdomain", "nodata",
-	"cname", NULL
-};
-static cfg_type_t cfg_type_rpz_policy_name = {
-	"policy name", cfg_parse_enum, cfg_print_ustring,
-	doc_rpz_policy, &cfg_rep_string,
-	&rpz_policies
-};
-static cfg_type_t cfg_type_rpz_cname = {
-	"quoted_string", cfg_parse_astring, NULL,
-	doc_rpz_cname, &cfg_rep_string,
-	NULL
-};
-static cfg_tuplefielddef_t rpz_policy_fields[] = {
-	{ "policy name", &cfg_type_rpz_policy_name, 0 },
-	{ "cname", &cfg_type_rpz_cname, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_rpz_policy = {
-	"policy tuple", cfg_parse_rpz_policy,
-	cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
-	rpz_policy_fields
-};
-static cfg_tuplefielddef_t rpz_zone_fields[] = {
-	{ "zone name", &cfg_type_rpz_zone, 0 },
-	{ "policy", &cfg_type_rpz_policy, 0 },
-	{ "recursive-only", &cfg_type_boolean, 0 },
-	{ "max-policy-ttl", &cfg_type_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_rpz_tuple = {
-	"rpz tuple", cfg_parse_kv_tuple,
-	cfg_print_kv_tuple, cfg_doc_kv_tuple, &cfg_rep_tuple,
-	rpz_zone_fields
-};
-static cfg_type_t cfg_type_rpz_list = {
-	"zone list", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list,
-	&cfg_type_rpz_tuple
-};
-static cfg_tuplefielddef_t rpz_fields[] = {
-	{ "zone list", &cfg_type_rpz_list, 0 },
-	{ "recursive-only", &cfg_type_boolean, 0 },
-	{ "break-dnssec", &cfg_type_boolean, 0 },
-	{ "max-policy-ttl", &cfg_type_uint32, 0 },
-	{ "min-ns-dots", &cfg_type_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_rpz = {
-	"rpz", cfg_parse_kv_tuple,
-	cfg_print_kv_tuple, cfg_doc_kv_tuple, &cfg_rep_tuple,
-	rpz_fields
-};
-
-
-/*%
- * dnssec-lookaside
- */
-
-static void
-print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj)
-{
-	const cfg_obj_t *domain = obj->value.tuple[0];
-
-	if (domain->value.string.length == 4 &&
-	    strncmp(domain->value.string.base, "auto", 4) == 0)
-		cfg_print_cstr(pctx, "auto");
-	else
-		cfg_print_tuple(pctx, obj);
-}
-
-static void
-doc_lookaside(cfg_printer_t *pctx, const cfg_type_t *type) {
-	UNUSED(type);
-	cfg_print_cstr(pctx, "( <string> trust-anchor <string> | auto | no )");
-}
-
-static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
-
-static cfg_type_t cfg_type_optional_trustanchor = {
-	"optional_trustanchor", parse_optional_keyvalue, print_keyvalue,
-	doc_keyvalue, &cfg_rep_string, &trustanchor_kw
-};
-
-static cfg_tuplefielddef_t lookaside_fields[] = {
-	{ "domain", &cfg_type_astring, 0 },
-	{ "trust-anchor", &cfg_type_optional_trustanchor, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_lookaside = {
-	"lookaside", cfg_parse_tuple, print_lookaside, doc_lookaside,
-	&cfg_rep_tuple, lookaside_fields
-};
-
-/*
- * DNS64.
- */
-static cfg_clausedef_t
-dns64_clauses[] = {
-	{ "clients", &cfg_type_bracketed_aml, 0 },
-	{ "mapped", &cfg_type_bracketed_aml, 0 },
-	{ "exclude", &cfg_type_bracketed_aml, 0 },
-	{ "suffix", &cfg_type_netaddr6, 0 },
-	{ "recursive-only", &cfg_type_boolean, 0 },
-	{ "break-dnssec", &cfg_type_boolean, 0 },
-	{ NULL, NULL, 0 },
-};
-
-static cfg_clausedef_t *
-dns64_clausesets[] = {
-	dns64_clauses,
-	NULL
-};
-
-static cfg_type_t cfg_type_dns64 = {
-	"dns64", cfg_parse_netprefix_map, cfg_print_map, cfg_doc_map,
-	&cfg_rep_map, dns64_clausesets
-};
-
-/*%
- * Clauses that can be found within the 'view' statement,
- * with defaults in the 'options' statement.
- */
-
-static cfg_clausedef_t
-view_clauses[] = {
-	{ "acache-cleaning-interval", &cfg_type_uint32, 0 },
-	{ "acache-enable", &cfg_type_boolean, 0 },
-	{ "additional-from-auth", &cfg_type_boolean, 0 },
-	{ "additional-from-cache", &cfg_type_boolean, 0 },
-	{ "allow-new-zones", &cfg_type_boolean, 0 },
-	{ "allow-query-cache", &cfg_type_bracketed_aml, 0 },
-	{ "allow-query-cache-on", &cfg_type_bracketed_aml, 0 },
-	{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
-	{ "allow-recursion-on", &cfg_type_bracketed_aml, 0 },
-	{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
-	  CFG_CLAUSEFLAG_OBSOLETE },
-	{ "attach-cache", &cfg_type_astring, 0 },
-	{ "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
-	{ "cache-file", &cfg_type_qstring, 0 },
-	{ "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
-	{ "cleaning-interval", &cfg_type_uint32, 0 },
-	{ "clients-per-query", &cfg_type_uint32, 0 },
-	{ "deny-answer-addresses", &cfg_type_denyaddresses, 0 },
-	{ "deny-answer-aliases", &cfg_type_denyaliases, 0 },
-	{ "disable-algorithms", &cfg_type_disablealgorithm,
-	  CFG_CLAUSEFLAG_MULTI },
-	{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
-	{ "dns64", &cfg_type_dns64, CFG_CLAUSEFLAG_MULTI },
-	{ "dns64-server", &cfg_type_astring, 0 },
-	{ "dns64-contact", &cfg_type_astring, 0 },
-	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
-	{ "dnssec-enable", &cfg_type_boolean, 0 },
-	{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
-	{ "dnssec-must-be-secure",  &cfg_type_mustbesecure,
-	  CFG_CLAUSEFLAG_MULTI },
-	{ "dnssec-validation", &cfg_type_boolorauto, 0 },
-	{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
-	{ "edns-udp-size", &cfg_type_uint32, 0 },
-	{ "empty-contact", &cfg_type_astring, 0 },
-	{ "empty-server", &cfg_type_astring, 0 },
-	{ "empty-zones-enable", &cfg_type_boolean, 0 },
-	{ "fetch-glue", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
-	{ "lame-ttl", &cfg_type_uint32, 0 },
-	{ "max-acache-size", &cfg_type_sizenodefault, 0 },
-	{ "max-cache-size", &cfg_type_sizenodefault, 0 },
-	{ "max-cache-ttl", &cfg_type_uint32, 0 },
-	{ "max-clients-per-query", &cfg_type_uint32, 0 },
-	{ "max-ncache-ttl", &cfg_type_uint32, 0 },
-	{ "max-udp-size", &cfg_type_uint32, 0 },
-	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
-	{ "minimal-responses", &cfg_type_boolean, 0 },
-	{ "preferred-glue", &cfg_type_astring, 0 },
-	{ "provide-ixfr", &cfg_type_boolean, 0 },
-	/*
-	 * Note that the query-source option syntax is different
-	 * from the other -source options.
-	 */
-	{ "query-source", &cfg_type_querysource4, 0 },
-	{ "query-source-v6", &cfg_type_querysource6, 0 },
-	{ "queryport-pool-ports", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "queryport-pool-updateinterval", &cfg_type_uint32,
-	  CFG_CLAUSEFLAG_OBSOLETE },
-	{ "recursion", &cfg_type_boolean, 0 },
-	{ "request-ixfr", &cfg_type_boolean, 0 },
-	{ "request-nsid", &cfg_type_boolean, 0 },
-	{ "resolver-query-timeout", &cfg_type_uint32, 0 },
-	{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
-	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
-	{ "rrset-order", &cfg_type_rrsetorder, 0 },
-	{ "sortlist", &cfg_type_bracketed_aml, 0 },
-	{ "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
-	{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
-	{ "transfer-format", &cfg_type_transferformat, 0 },
-	{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
-#ifdef ALLOW_FILTER_AAAA_ON_V4
-	{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
-	{ "filter-aaaa-on-v4", &cfg_type_v4_aaaa, 0 },
-#else
-	{ "filter-aaaa", &cfg_type_bracketed_aml,
-	   CFG_CLAUSEFLAG_NOTCONFIGURED },
-	{ "filter-aaaa-on-v4", &cfg_type_v4_aaaa,
-	   CFG_CLAUSEFLAG_NOTCONFIGURED },
-#endif
-	{ "response-policy", &cfg_type_rpz, 0 },
-	{ NULL, NULL, 0 }
-};
-
-/*%
- * Clauses that can be found within the 'view' statement only.
- */
-static cfg_clausedef_t
-view_only_clauses[] = {
-	{ "match-clients", &cfg_type_bracketed_aml, 0 },
-	{ "match-destinations", &cfg_type_bracketed_aml, 0 },
-	{ "match-recursive-only", &cfg_type_boolean, 0 },
-	{ NULL, NULL, 0 }
-};
-
-/*%
- * Sig-validity-interval.
- */
-static isc_result_t
-parse_optional_uint32(cfg_parser_t *pctx, const cfg_type_t *type,
-		      cfg_obj_t **ret)
-{
-	isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
-	if (pctx->token.type == isc_tokentype_number) {
-		CHECK(cfg_parse_obj(pctx, &cfg_type_uint32, ret));
-	} else {
-		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
-	}
- cleanup:
-	return (result);
-}
-
-static void
-doc_optional_uint32(cfg_printer_t *pctx, const cfg_type_t *type) {
-	UNUSED(type);
-	cfg_print_cstr(pctx, "[ <integer> ]");
-}
-
-static cfg_type_t cfg_type_optional_uint32 = {
-	"optional_uint32", parse_optional_uint32, NULL, doc_optional_uint32,
-	NULL, NULL };
-
-static cfg_tuplefielddef_t validityinterval_fields[] = {
-	{ "validity", &cfg_type_uint32, 0 },
-	{ "re-sign", &cfg_type_optional_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_validityinterval = {
-	"validityinterval", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, validityinterval_fields
-};
-
-/*%
- * Clauses that can be found in a 'zone' statement,
- * with defaults in the 'view' or 'options' statement.
- */
-static cfg_clausedef_t
-zone_clauses[] = {
-	{ "allow-notify", &cfg_type_bracketed_aml, 0 },
-	{ "allow-query", &cfg_type_bracketed_aml, 0 },
-	{ "allow-query-on", &cfg_type_bracketed_aml, 0 },
-	{ "allow-transfer", &cfg_type_bracketed_aml, 0 },
-	{ "allow-update", &cfg_type_bracketed_aml, 0 },
-	{ "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },
-	{ "also-notify", &cfg_type_namesockaddrkeylist, 0 },
-	{ "alt-transfer-source", &cfg_type_sockaddr4wild, 0 },
-	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "auto-dnssec", &cfg_type_autodnssec, 0 },
-	{ "check-dup-records", &cfg_type_checkmode, 0 },
-	{ "check-integrity", &cfg_type_boolean, 0 },
-	{ "check-mx", &cfg_type_checkmode, 0 },
-	{ "check-mx-cname", &cfg_type_checkmode, 0 },
-	{ "check-sibling", &cfg_type_boolean, 0 },
-	{ "check-spf", &cfg_type_warn, 0 },
-	{ "check-srv-cname", &cfg_type_checkmode, 0 },
-	{ "check-wildcard", &cfg_type_boolean, 0 },
-	{ "dialup", &cfg_type_dialuptype, 0 },
-	{ "dnssec-dnskey-kskonly", &cfg_type_boolean, 0 },
-	{ "dnssec-loadkeys-interval", &cfg_type_uint32, 0 },
-	{ "dnssec-secure-to-insecure", &cfg_type_boolean, 0 },
-	{ "dnssec-update-mode", &cfg_type_dnssecupdatemode, 0 },
-	{ "forward", &cfg_type_forwardtype, 0 },
-	{ "forwarders", &cfg_type_portiplist, 0 },
-	{ "key-directory", &cfg_type_qstring, 0 },
-	{ "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "masterfile-format", &cfg_type_masterformat, 0 },
-	{ "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "max-journal-size", &cfg_type_sizenodefault, 0 },
-	{ "max-refresh-time", &cfg_type_uint32, 0 },
-	{ "max-retry-time", &cfg_type_uint32, 0 },
-	{ "max-transfer-idle-in", &cfg_type_uint32, 0 },
-	{ "max-transfer-idle-out", &cfg_type_uint32, 0 },
-	{ "max-transfer-time-in", &cfg_type_uint32, 0 },
-	{ "max-transfer-time-out", &cfg_type_uint32, 0 },
-	{ "min-refresh-time", &cfg_type_uint32, 0 },
-	{ "min-retry-time", &cfg_type_uint32, 0 },
-	{ "multi-master", &cfg_type_boolean, 0 },
-	{ "notify", &cfg_type_notifytype, 0 },
-	{ "notify-delay", &cfg_type_uint32, 0 },
-	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
-	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "notify-to-soa", &cfg_type_boolean, 0 },
-	{ "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY },
-	{ "serial-update-method", &cfg_type_updatemethod, 0 },
-	{ "request-ixfr", &cfg_type_boolean, 0 },
-	{ "sig-signing-nodes", &cfg_type_uint32, 0 },
-	{ "sig-signing-signatures", &cfg_type_uint32, 0 },
-	{ "sig-signing-type", &cfg_type_uint32, 0 },
-	{ "sig-validity-interval", &cfg_type_validityinterval, 0 },
-	{ "inline-signing", &cfg_type_boolean, 0 },
-	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
-	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "try-tcp-refresh", &cfg_type_boolean, 0 },
-	{ "update-check-ksk", &cfg_type_boolean, 0 },
-	{ "use-alt-transfer-source", &cfg_type_boolean, 0 },
-	{ "zero-no-soa-ttl", &cfg_type_boolean, 0 },
-	{ "zone-statistics", &cfg_type_zonestat, 0 },
-	{ NULL, NULL, 0 }
-};
-
-/*%
- * Clauses that can be found in a 'zone' statement
- * only.
- */
-static cfg_clausedef_t
-zone_only_clauses[] = {
-	{ "type", &cfg_type_zonetype, 0 },
-	{ "file", &cfg_type_qstring, 0 },
-	{ "journal", &cfg_type_qstring, 0 },
-	{ "ixfr-base", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "ixfr-tmp-file", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "masters", &cfg_type_namesockaddrkeylist, 0 },
-	{ "pubkey", &cfg_type_pubkey,
-	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
-	{ "update-policy", &cfg_type_updatepolicy, 0 },
-	{ "database", &cfg_type_astring, 0 },
-	{ "delegation-only", &cfg_type_boolean, 0 },
-	/*
-	 * Note that the format of the check-names option is different between
-	 * the zone options and the global/view options.  Ugh.
-	 */
-	{ "check-names", &cfg_type_checkmode, 0 },
-	{ "ixfr-from-differences", &cfg_type_boolean, 0 },
-	{ "server-addresses", &cfg_type_bracketed_sockaddrlist, 0 },
-	{ "server-names", &cfg_type_namelist, 0 },
-	{ NULL, NULL, 0 }
-};
-
-
-/*% The top-level named.conf syntax. */
-
-static cfg_clausedef_t *
-namedconf_clausesets[] = {
-	namedconf_clauses,
-	namedconf_or_view_clauses,
-	NULL
-};
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
-	"namedconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
-	&cfg_rep_map, namedconf_clausesets
-};
-
-/*% The bind.keys syntax (trusted-keys/managed-keys only). */
-static cfg_clausedef_t *
-bindkeys_clausesets[] = {
-	bindkeys_clauses,
-	NULL
-};
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bindkeys = {
-	"bindkeys", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
-	&cfg_rep_map, bindkeys_clausesets
-};
-
-/*% The new-zone-file syntax (for zones added by 'rndc addzone') */
-static cfg_clausedef_t
-newzones_clauses[] = {
-	{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-newzones_clausesets[] = {
-	newzones_clauses,
-	NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_newzones = {
-	"newzones", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
-	&cfg_rep_map, newzones_clausesets
-};
-
-/*% The "options" statement syntax. */
-
-static cfg_clausedef_t *
-options_clausesets[] = {
-	options_clauses,
-	view_clauses,
-	zone_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_options = {
-	"options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, options_clausesets };
-
-/*% The "view" statement syntax. */
-
-static cfg_clausedef_t *
-view_clausesets[] = {
-	view_only_clauses,
-	namedconf_or_view_clauses,
-	view_clauses,
-	zone_clauses,
-	dynamically_loadable_zones_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_viewopts = {
-	"view", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, view_clausesets };
-
-/*% The "zone" statement syntax. */
-
-static cfg_clausedef_t *
-zone_clausesets[] = {
-	zone_only_clauses,
-	zone_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_zoneopts = {
-	"zoneopts", cfg_parse_map, cfg_print_map,
-	cfg_doc_map, &cfg_rep_map, zone_clausesets };
-
-/*% The "dynamically loadable zones" statement syntax. */
-
-static cfg_clausedef_t *
-dynamically_loadable_zones_clausesets[] = {
-	dynamically_loadable_zones_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_dynamically_loadable_zones_opts = {
-	"dynamically_loadable_zones_opts", cfg_parse_map,
-	cfg_print_map, cfg_doc_map, &cfg_rep_map,
-	dynamically_loadable_zones_clausesets
-};
-
-/*%
- * Clauses that can be found within the 'key' statement.
- */
-static cfg_clausedef_t
-key_clauses[] = {
-	{ "algorithm", &cfg_type_astring, 0 },
-	{ "secret", &cfg_type_astring, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-key_clausesets[] = {
-	key_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_key = {
-	"key", cfg_parse_named_map, cfg_print_map,
-	cfg_doc_map, &cfg_rep_map, key_clausesets
-};
-
-
-/*%
- * Clauses that can be found in a 'server' statement.
- */
-static cfg_clausedef_t
-server_clauses[] = {
-	{ "bogus", &cfg_type_boolean, 0 },
-	{ "provide-ixfr", &cfg_type_boolean, 0 },
-	{ "request-ixfr", &cfg_type_boolean, 0 },
-	{ "support-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "transfers", &cfg_type_uint32, 0 },
-	{ "transfer-format", &cfg_type_transferformat, 0 },
-	{ "keys", &cfg_type_server_key_kludge, 0 },
-	{ "edns", &cfg_type_boolean, 0 },
-	{ "edns-udp-size", &cfg_type_uint32, 0 },
-	{ "max-udp-size", &cfg_type_uint32, 0 },
-	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
-	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "query-source", &cfg_type_querysource4, 0 },
-	{ "query-source-v6", &cfg_type_querysource6, 0 },
-	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
-	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-server_clausesets[] = {
-	server_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_server = {
-	"server", cfg_parse_netprefix_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
-	server_clausesets
-};
-
-
-/*%
- * Clauses that can be found in a 'channel' clause in the
- * 'logging' statement.
- *
- * These have some additional constraints that need to be
- * checked after parsing:
- *  - There must exactly one of file/syslog/null/stderr
- *
- */
-static cfg_clausedef_t
-channel_clauses[] = {
-	/* Destinations.  We no longer require these to be first. */
-	{ "file", &cfg_type_logfile, 0 },
-	{ "syslog", &cfg_type_optional_facility, 0 },
-	{ "null", &cfg_type_void, 0 },
-	{ "stderr", &cfg_type_void, 0 },
-	/* Options.  We now accept these for the null channel, too. */
-	{ "severity", &cfg_type_logseverity, 0 },
-	{ "print-time", &cfg_type_boolean, 0 },
-	{ "print-severity", &cfg_type_boolean, 0 },
-	{ "print-category", &cfg_type_boolean, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-channel_clausesets[] = {
-	channel_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_channel = {
-	"channel", cfg_parse_named_map, cfg_print_map, cfg_doc_map,
-	&cfg_rep_map, channel_clausesets
-};
-
-/*% A list of log destination, used in the "category" clause. */
-static cfg_type_t cfg_type_destinationlist = {
-	"destinationlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
-	&cfg_rep_list, &cfg_type_astring };
-
-/*%
- * Clauses that can be found in a 'logging' statement.
- */
-static cfg_clausedef_t
-logging_clauses[] = {
-	{ "channel", &cfg_type_channel, CFG_CLAUSEFLAG_MULTI },
-	{ "category", &cfg_type_category, CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-logging_clausesets[] = {
-	logging_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_logging = {
-	"logging", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, logging_clausesets };
-
-
-/*%
- * For parsing an 'addzone' statement
- */
-
-static cfg_tuplefielddef_t addzone_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "class", &cfg_type_optional_class, 0 },
-	{ "view", &cfg_type_optional_class, 0 },
-	{ "options", &cfg_type_zoneopts, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_addzone = {
-	"addzone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, addzone_fields };
-
-static cfg_clausedef_t
-addzoneconf_clauses[] = {
-	{ "addzone", &cfg_type_addzone, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-addzoneconf_clausesets[] = {
-	addzoneconf_clauses,
-	NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_addzoneconf = {
-	"addzoneconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
-	&cfg_rep_map, addzoneconf_clausesets
-};
-
-
-static isc_result_t
-parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
-	char *endp;
-	unsigned int len;
-	isc_uint64_t value;
-	isc_uint64_t unit;
-
-	value = isc_string_touint64(str, &endp, 10);
-	if (*endp == 0) {
-		*valuep = value;
-		return (ISC_R_SUCCESS);
-	}
-
-	len = strlen(str);
-	if (len < 2 || endp[1] != '\0')
-		return (ISC_R_FAILURE);
-
-	switch (str[len - 1]) {
-	case 'k':
-	case 'K':
-		unit = 1024;
-		break;
-	case 'm':
-	case 'M':
-		unit = 1024 * 1024;
-		break;
-	case 'g':
-	case 'G':
-		unit = 1024 * 1024 * 1024;
-		break;
-	default:
-		return (ISC_R_FAILURE);
-	}
-	if (value > ISC_UINT64_MAX / unit)
-		return (ISC_R_FAILURE);
-	*valuep = value * unit;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-parse_sizeval(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	isc_uint64_t val;
-
-	UNUSED(type);
-
-	CHECK(cfg_gettoken(pctx, 0));
-	if (pctx->token.type != isc_tokentype_string) {
-		result = ISC_R_UNEXPECTEDTOKEN;
-		goto cleanup;
-	}
-	CHECK(parse_unitstring(TOKEN_STRING(pctx), &val));
-
-	CHECK(cfg_create_obj(pctx, &cfg_type_uint64, &obj));
-	obj->value.uint64 = val;
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	cfg_parser_error(pctx, CFG_LOG_NEAR, "expected integer and optional unit");
-	return (result);
-}
-
-/*%
- * A size value (number + optional unit).
- */
-static cfg_type_t cfg_type_sizeval = {
-	"sizeval", parse_sizeval, cfg_print_uint64, cfg_doc_terminal,
-	&cfg_rep_uint64, NULL };
-
-/*%
- * A size, "unlimited", or "default".
- */
-
-static isc_result_t
-parse_size(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_sizeval, ret));
-}
-
-static const char *size_enums[] = { "unlimited", "default", NULL };
-static cfg_type_t cfg_type_size = {
-	"size", parse_size, cfg_print_ustring, cfg_doc_terminal,
-	&cfg_rep_string, size_enums
-};
-
-/*%
- * A size or "unlimited", but not "default".
- */
-static const char *sizenodefault_enums[] = { "unlimited", NULL };
-static cfg_type_t cfg_type_sizenodefault = {
-	"size_no_default", parse_size, cfg_print_ustring, cfg_doc_terminal,
-	&cfg_rep_string, sizenodefault_enums
-};
-
-/*%
- * optional_keyvalue
- */
-static isc_result_t
-parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
-			      isc_boolean_t optional, cfg_obj_t **ret)
-{
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	const keyword_type_t *kw = type->of;
-
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(TOKEN_STRING(pctx), kw->name) == 0) {
-		CHECK(cfg_gettoken(pctx, 0));
-		CHECK(kw->type->parse(pctx, kw->type, &obj));
-		obj->type = type; /* XXX kludge */
-	} else {
-		if (optional) {
-			CHECK(cfg_parse_void(pctx, NULL, &obj));
-		} else {
-			cfg_parser_error(pctx, CFG_LOG_NEAR, "expected '%s'",
-				     kw->name);
-			result = ISC_R_UNEXPECTEDTOKEN;
-			goto cleanup;
-		}
-	}
-	*ret = obj;
- cleanup:
-	return (result);
-}
-
-static isc_result_t
-parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
-		    const cfg_type_t *othertype, cfg_obj_t **ret)
-{
-	isc_result_t result;
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string &&
-	    cfg_is_enum(TOKEN_STRING(pctx), enumtype->of)) {
-		CHECK(cfg_parse_enum(pctx, enumtype, ret));
-	} else {
-		CHECK(cfg_parse_obj(pctx, othertype, ret));
-	}
- cleanup:
-	return (result);
-}
-
-static void
-doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *type) {
-	cfg_doc_terminal(pctx, type);
-#if 0 /* XXX */
-	cfg_print_chars(pctx, "( ", 2);...
-#endif
-
-}
-
-static isc_result_t
-parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_maybe_optional_keyvalue(pctx, type, ISC_FALSE, ret));
-}
-
-static isc_result_t
-parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_maybe_optional_keyvalue(pctx, type, ISC_TRUE, ret));
-}
-
-static void
-print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	const keyword_type_t *kw = obj->type->of;
-	cfg_print_cstr(pctx, kw->name);
-	cfg_print_chars(pctx, " ", 1);
-	kw->type->print(pctx, obj);
-}
-
-static void
-doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const keyword_type_t *kw = type->of;
-	cfg_print_cstr(pctx, kw->name);
-	cfg_print_chars(pctx, " ", 1);
-	cfg_doc_obj(pctx, kw->type);
-}
-
-static void
-doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const keyword_type_t *kw = type->of;
-	cfg_print_chars(pctx, "[ ", 2);
-	cfg_print_cstr(pctx, kw->name);
-	cfg_print_chars(pctx, " ", 1);
-	cfg_doc_obj(pctx, kw->type);
-	cfg_print_chars(pctx, " ]", 2);
-}
-
-static const char *dialup_enums[] = {
-	"notify", "notify-passive", "refresh", "passive", NULL };
-static isc_result_t
-parse_dialup_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
-}
-static cfg_type_t cfg_type_dialuptype = {
-	"dialuptype", parse_dialup_type, cfg_print_ustring, doc_enum_or_other,
-	&cfg_rep_string, dialup_enums
-};
-
-static const char *notify_enums[] = { "explicit", "master-only", NULL };
-static isc_result_t
-parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
-}
-static cfg_type_t cfg_type_notifytype = {
-	"notifytype", parse_notify_type, cfg_print_ustring, doc_enum_or_other,
-	&cfg_rep_string, notify_enums,
-};
-
-static const char *ixfrdiff_enums[] = { "master", "slave", NULL };
-static isc_result_t
-parse_ixfrdiff_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
-}
-static cfg_type_t cfg_type_ixfrdifftype = {
-	"ixfrdiff", parse_ixfrdiff_type, cfg_print_ustring, doc_enum_or_other,
-	&cfg_rep_string, ixfrdiff_enums,
-};
-
-static const char *v4_aaaa_enums[] = { "break-dnssec", NULL };
-static isc_result_t
-parse_v4_aaaa(cfg_parser_t *pctx, const cfg_type_t *type,
-		     cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
-}
-static cfg_type_t cfg_type_v4_aaaa = {
-	"v4_aaaa", parse_v4_aaaa, cfg_print_ustring,
-	doc_enum_or_other, &cfg_rep_string, v4_aaaa_enums,
-};
-
-static keyword_type_t key_kw = { "key", &cfg_type_astring };
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
-	"keyref", parse_keyvalue, print_keyvalue, doc_keyvalue,
-	&cfg_rep_string, &key_kw
-};
-
-static cfg_type_t cfg_type_optional_keyref = {
-	"optional_keyref", parse_optional_keyvalue, print_keyvalue,
-	doc_optional_keyvalue, &cfg_rep_string, &key_kw
-};
-
-/*%
- * A "controls" statement is represented as a map with the multivalued
- * "inet" and "unix" clauses.
- */
-
-static keyword_type_t controls_allow_kw = {
-	"allow", &cfg_type_bracketed_aml };
-
-static cfg_type_t cfg_type_controls_allow = {
-	"controls_allow", parse_keyvalue,
-	print_keyvalue, doc_keyvalue,
-	&cfg_rep_list, &controls_allow_kw
-};
-
-static keyword_type_t controls_keys_kw = {
-	"keys", &cfg_type_keylist };
-
-static cfg_type_t cfg_type_controls_keys = {
-	"controls_keys", parse_optional_keyvalue,
-	print_keyvalue, doc_optional_keyvalue,
-	&cfg_rep_list, &controls_keys_kw
-};
-
-static cfg_tuplefielddef_t inetcontrol_fields[] = {
-	{ "address", &cfg_type_controls_sockaddr, 0 },
-	{ "allow", &cfg_type_controls_allow, 0 },
-	{ "keys", &cfg_type_controls_keys, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_inetcontrol = {
-	"inetcontrol", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
-	inetcontrol_fields
-};
-
-static keyword_type_t controls_perm_kw = {
-	"perm", &cfg_type_uint32 };
-
-static cfg_type_t cfg_type_controls_perm = {
-	"controls_perm", parse_keyvalue,
-	print_keyvalue, doc_keyvalue,
-	&cfg_rep_uint32, &controls_perm_kw
-};
-
-static keyword_type_t controls_owner_kw = {
-	"owner", &cfg_type_uint32 };
-
-static cfg_type_t cfg_type_controls_owner = {
-	"controls_owner", parse_keyvalue,
-	print_keyvalue, doc_keyvalue,
-	&cfg_rep_uint32, &controls_owner_kw
-};
-
-static keyword_type_t controls_group_kw = {
-	"group", &cfg_type_uint32 };
-
-static cfg_type_t cfg_type_controls_group = {
-	"controls_allow", parse_keyvalue,
-	print_keyvalue, doc_keyvalue,
-	&cfg_rep_uint32, &controls_group_kw
-};
-
-static cfg_tuplefielddef_t unixcontrol_fields[] = {
-	{ "path", &cfg_type_qstring, 0 },
-	{ "perm", &cfg_type_controls_perm, 0 },
-	{ "owner", &cfg_type_controls_owner, 0 },
-	{ "group", &cfg_type_controls_group, 0 },
-	{ "keys", &cfg_type_controls_keys, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_unixcontrol = {
-	"unixcontrol", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
-	unixcontrol_fields
-};
-
-static cfg_clausedef_t
-controls_clauses[] = {
-	{ "inet", &cfg_type_inetcontrol, CFG_CLAUSEFLAG_MULTI },
-	{ "unix", &cfg_type_unixcontrol, CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-controls_clausesets[] = {
-	controls_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_controls = {
-	"controls", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,	&controls_clausesets
-};
-
-/*%
- * A "statistics-channels" statement is represented as a map with the
- * multivalued "inet" clauses.
- */
-static void
-doc_optional_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const keyword_type_t *kw = type->of;
-	cfg_print_chars(pctx, "[ ", 2);
-	cfg_print_cstr(pctx, kw->name);
-	cfg_print_chars(pctx, " ", 1);
-	cfg_doc_obj(pctx, kw->type);
-	cfg_print_chars(pctx, " ]", 2);
-}
-
-static cfg_type_t cfg_type_optional_allow = {
-	"optional_allow", parse_optional_keyvalue, print_keyvalue,
-	doc_optional_bracketed_list, &cfg_rep_list, &controls_allow_kw
-};
-
-static cfg_tuplefielddef_t statserver_fields[] = {
-	{ "address", &cfg_type_controls_sockaddr, 0 }, /* reuse controls def */
-	{ "allow", &cfg_type_optional_allow, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_statschannel = {
-	"statschannel", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, statserver_fields
-};
-
-static cfg_clausedef_t
-statservers_clauses[] = {
-	{ "inet", &cfg_type_statschannel, CFG_CLAUSEFLAG_MULTI },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-statservers_clausesets[] = {
-	statservers_clauses,
-	NULL
-};
-
-static cfg_type_t cfg_type_statschannels = {
-	"statistics-channels", cfg_parse_map, cfg_print_map, cfg_doc_map,
-	&cfg_rep_map,	&statservers_clausesets
-};
-
-/*%
- * An optional class, as used in view and zone statements.
- */
-static isc_result_t
-parse_optional_class(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	UNUSED(type);
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string)
-		CHECK(cfg_parse_obj(pctx, &cfg_type_ustring, ret));
-	else
-		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
- cleanup:
-	return (result);
-}
-
-static cfg_type_t cfg_type_optional_class = {
-	"optional_class", parse_optional_class, NULL, cfg_doc_terminal,
-	NULL, NULL
-};
-
-static isc_result_t
-parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	isc_netaddr_t netaddr;
-	in_port_t port;
-	unsigned int have_address = 0;
-	unsigned int have_port = 0;
-	const unsigned int *flagp = type->of;
-
-	if ((*flagp & CFG_ADDR_V4OK) != 0)
-		isc_netaddr_any(&netaddr);
-	else if ((*flagp & CFG_ADDR_V6OK) != 0)
-		isc_netaddr_any6(&netaddr);
-	else
-		INSIST(0);
-
-	port = 0;
-
-	for (;;) {
-		CHECK(cfg_peektoken(pctx, 0));
-		if (pctx->token.type == isc_tokentype_string) {
-			if (strcasecmp(TOKEN_STRING(pctx),
-				       "address") == 0)
-			{
-				/* read "address" */
-				CHECK(cfg_gettoken(pctx, 0));
-				CHECK(cfg_parse_rawaddr(pctx, *flagp,
-							&netaddr));
-				have_address++;
-			} else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
-			{
-				/* read "port" */
-				CHECK(cfg_gettoken(pctx, 0));
-				CHECK(cfg_parse_rawport(pctx,
-							CFG_ADDR_WILDOK,
-							&port));
-				have_port++;
-			} else if (have_port == 0 && have_address == 0) {
-				return (cfg_parse_sockaddr(pctx, type, ret));
-			} else {
-				cfg_parser_error(pctx, CFG_LOG_NEAR,
-					     "expected 'address' or 'port'");
-				return (ISC_R_UNEXPECTEDTOKEN);
-			}
-		} else
-			break;
-	}
-	if (have_address > 1 || have_port > 1 ||
-	    have_address + have_port == 0) {
-		cfg_parser_error(pctx, 0, "expected one address and/or port");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
-
-	CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
-	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid query source");
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-static void
-print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	isc_netaddr_t na;
-	isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
-	cfg_print_cstr(pctx, "address ");
-	cfg_print_rawaddr(pctx, &na);
-	cfg_print_cstr(pctx, " port ");
-	cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
-}
-
-static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK;
-static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK;
-
-static cfg_type_t cfg_type_querysource4 = {
-	"querysource4", parse_querysource, NULL, cfg_doc_terminal,
-	NULL, &sockaddr4wild_flags
-};
-
-static cfg_type_t cfg_type_querysource6 = {
-	"querysource6", parse_querysource, NULL, cfg_doc_terminal,
-	NULL, &sockaddr6wild_flags
-};
-
-static cfg_type_t cfg_type_querysource = {
-	"querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL
-};
-
-/*% addrmatchelt */
-
-static isc_result_t
-parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
-
-	if (pctx->token.type == isc_tokentype_string ||
-	    pctx->token.type == isc_tokentype_qstring) {
-		if (pctx->token.type == isc_tokentype_string &&
-		    (strcasecmp(TOKEN_STRING(pctx), "key") == 0)) {
-			CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret));
-		} else {
-			if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK |
-						  CFG_ADDR_V4PREFIXOK |
-						  CFG_ADDR_V6OK))
-			{
-				CHECK(cfg_parse_netprefix(pctx, NULL, ret));
-			} else {
-				CHECK(cfg_parse_astring(pctx, NULL, ret));
-			}
-		}
-	} else if (pctx->token.type == isc_tokentype_special) {
-		if (pctx->token.value.as_char == '{') {
-			/* Nested match list. */
-			CHECK(cfg_parse_obj(pctx, &cfg_type_bracketed_aml, ret));
-		} else if (pctx->token.value.as_char == '!') {
-			CHECK(cfg_gettoken(pctx, 0)); /* read "!" */
-			CHECK(cfg_parse_obj(pctx, &cfg_type_negated, ret));
-		} else {
-			goto bad;
-		}
-	} else {
-	bad:
-		cfg_parser_error(pctx, CFG_LOG_NEAR,
-			     "expected IP match list element");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
- cleanup:
-	return (result);
-}
-
-/*%
- * A negated address match list element (like "! 10.0.0.1").
- * Somewhat sneakily, the caller is expected to parse the
- * "!", but not to print it.
- */
-
-static cfg_tuplefielddef_t negated_fields[] = {
-	{ "value", &cfg_type_addrmatchelt, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static void
-print_negated(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	cfg_print_chars(pctx, "!", 1);
-	cfg_print_tuple(pctx, obj);
-}
-
-static cfg_type_t cfg_type_negated = {
-	"negated", cfg_parse_tuple, print_negated, NULL, &cfg_rep_tuple,
-	&negated_fields
-};
-
-/*% An address match list element */
-
-static cfg_type_t cfg_type_addrmatchelt = {
-	"address_match_element", parse_addrmatchelt, NULL, cfg_doc_terminal,
-	NULL, NULL
-};
-
-/*% A bracketed address match list */
-
-static cfg_type_t cfg_type_bracketed_aml = {
-	"bracketed_aml", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_addrmatchelt
-};
-
-/*%
- * The socket address syntax in the "controls" statement is silly.
- * It allows both socket address families, but also allows "*",
- * whis is gratuitously interpreted as the IPv4 wildcard address.
- */
-static unsigned int controls_sockaddr_flags =
-	CFG_ADDR_V4OK | CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
-static cfg_type_t cfg_type_controls_sockaddr = {
-	"controls_sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr,
-	cfg_doc_sockaddr, &cfg_rep_sockaddr, &controls_sockaddr_flags
-};
-
-/*%
- * Handle the special kludge syntax of the "keys" clause in the "server"
- * statement, which takes a single key with or without braces and semicolon.
- */
-static isc_result_t
-parse_server_key_kludge(cfg_parser_t *pctx, const cfg_type_t *type,
-			cfg_obj_t **ret)
-{
-	isc_result_t result;
-	isc_boolean_t braces = ISC_FALSE;
-	UNUSED(type);
-
-	/* Allow opening brace. */
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_special &&
-	    pctx->token.value.as_char == '{') {
-		CHECK(cfg_gettoken(pctx, 0));
-		braces = ISC_TRUE;
-	}
-
-	CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
-
-	if (braces) {
-		/* Skip semicolon if present. */
-		CHECK(cfg_peektoken(pctx, 0));
-		if (pctx->token.type == isc_tokentype_special &&
-		    pctx->token.value.as_char == ';')
-			CHECK(cfg_gettoken(pctx, 0));
-
-		CHECK(cfg_parse_special(pctx, '}'));
-	}
- cleanup:
-	return (result);
-}
-static cfg_type_t cfg_type_server_key_kludge = {
-	"server_key", parse_server_key_kludge, NULL, cfg_doc_terminal,
-	NULL, NULL
-};
-
-
-/*%
- * An optional logging facility.
- */
-
-static isc_result_t
-parse_optional_facility(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
-	isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
-	if (pctx->token.type == isc_tokentype_string ||
-	    pctx->token.type == isc_tokentype_qstring) {
-		CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
-	} else {
-		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
-	}
- cleanup:
-	return (result);
-}
-
-static cfg_type_t cfg_type_optional_facility = {
-	"optional_facility", parse_optional_facility, NULL, cfg_doc_terminal,
-	NULL, NULL };
-
-
-/*%
- * A log severity.  Return as a string, except "debug N",
- * which is returned as a keyword object.
- */
-
-static keyword_type_t debug_kw = { "debug", &cfg_type_uint32 };
-static cfg_type_t cfg_type_debuglevel = {
-	"debuglevel", parse_keyvalue,
-	print_keyvalue, doc_keyvalue,
-	&cfg_rep_uint32, &debug_kw
-};
-
-static isc_result_t
-parse_logseverity(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(TOKEN_STRING(pctx), "debug") == 0) {
-		CHECK(cfg_gettoken(pctx, 0)); /* read "debug" */
-		CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER));
-		if (pctx->token.type == isc_tokentype_number) {
-			CHECK(cfg_parse_uint32(pctx, NULL, ret));
-		} else {
-			/*
-			 * The debug level is optional and defaults to 1.
-			 * This makes little sense, but we support it for
-			 * compatibility with BIND 8.
-			 */
-			CHECK(cfg_create_obj(pctx, &cfg_type_uint32, ret));
-			(*ret)->value.uint32 = 1;
-		}
-		(*ret)->type = &cfg_type_debuglevel; /* XXX kludge */
-	} else {
-		CHECK(cfg_parse_obj(pctx, &cfg_type_loglevel, ret));
-	}
- cleanup:
-	return (result);
-}
-
-static cfg_type_t cfg_type_logseverity = {
-	"log_severity", parse_logseverity, NULL, cfg_doc_terminal,
-	NULL, NULL };
-
-/*%
- * The "file" clause of the "channel" statement.
- * This is yet another special case.
- */
-
-static const char *logversions_enums[] = { "unlimited", NULL };
-static isc_result_t
-parse_logversions(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
-}
-
-static cfg_type_t cfg_type_logversions = {
-	"logversions", parse_logversions, cfg_print_ustring, cfg_doc_terminal,
-	&cfg_rep_string, logversions_enums
-};
-
-static cfg_tuplefielddef_t logfile_fields[] = {
-	{ "file", &cfg_type_qstring, 0 },
-	{ "versions", &cfg_type_logversions, 0 },
-	{ "size", &cfg_type_size, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static isc_result_t
-parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	const cfg_tuplefielddef_t *fields = type->of;
-
-	CHECK(cfg_create_tuple(pctx, type, &obj));
-
-	/* Parse the mandatory "file" field */
-	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
-
-	/* Parse "versions" and "size" fields in any order. */
-	for (;;) {
-		CHECK(cfg_peektoken(pctx, 0));
-		if (pctx->token.type == isc_tokentype_string) {
-			CHECK(cfg_gettoken(pctx, 0));
-			if (strcasecmp(TOKEN_STRING(pctx),
-				       "versions") == 0 &&
-			    obj->value.tuple[1] == NULL) {
-				CHECK(cfg_parse_obj(pctx, fields[1].type,
-					    &obj->value.tuple[1]));
-			} else if (strcasecmp(TOKEN_STRING(pctx),
-					      "size") == 0 &&
-				   obj->value.tuple[2] == NULL) {
-				CHECK(cfg_parse_obj(pctx, fields[2].type,
-					    &obj->value.tuple[2]));
-			} else {
-				break;
-			}
-		} else {
-			break;
-		}
-	}
-
-	/* Create void objects for missing optional values. */
-	if (obj->value.tuple[1] == NULL)
-		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
-	if (obj->value.tuple[2] == NULL)
-		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[2]));
-
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-static void
-print_logfile(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	cfg_print_obj(pctx, obj->value.tuple[0]); /* file */
-	if (obj->value.tuple[1]->type->print != cfg_print_void) {
-		cfg_print_cstr(pctx, " versions ");
-		cfg_print_obj(pctx, obj->value.tuple[1]);
-	}
-	if (obj->value.tuple[2]->type->print != cfg_print_void) {
-		cfg_print_cstr(pctx, " size ");
-		cfg_print_obj(pctx, obj->value.tuple[2]);
-	}
-}
-
-
-static void
-doc_logfile(cfg_printer_t *pctx, const cfg_type_t *type) {
-	UNUSED(type);
-	cfg_print_cstr(pctx, "<quoted_string>");
-	cfg_print_chars(pctx, " ", 1);
-	cfg_print_cstr(pctx, "[ versions ( \"unlimited\" | <integer> ) ]");
-	cfg_print_chars(pctx, " ", 1);
-	cfg_print_cstr(pctx, "[ size <size> ]");
-}
-
-static cfg_type_t cfg_type_logfile = {
-	"log_file", parse_logfile, print_logfile, doc_logfile,
-	&cfg_rep_tuple, logfile_fields
-};
-
-/*% An IPv4 address with optional port, "*" accepted as wildcard. */
-static cfg_type_t cfg_type_sockaddr4wild = {
-	"sockaddr4wild", cfg_parse_sockaddr, cfg_print_sockaddr,
-	cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr4wild_flags
-};
-
-/*% An IPv6 address with optional port, "*" accepted as wildcard. */
-static cfg_type_t cfg_type_sockaddr6wild = {
-	"v6addrportwild", cfg_parse_sockaddr, cfg_print_sockaddr,
-	cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr6wild_flags
-};
-
-/*%
- * lwres
- */
-
-static cfg_tuplefielddef_t lwres_view_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "class", &cfg_type_optional_class, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_lwres_view = {
-	"lwres_view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
-	lwres_view_fields
-};
-
-static cfg_type_t cfg_type_lwres_searchlist = {
-	"lwres_searchlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
-	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring };
-
-static cfg_clausedef_t
-lwres_clauses[] = {
-	{ "listen-on", &cfg_type_portiplist, 0 },
-	{ "view", &cfg_type_lwres_view, 0 },
-	{ "search", &cfg_type_lwres_searchlist, 0 },
-	{ "ndots", &cfg_type_uint32, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-lwres_clausesets[] = {
-	lwres_clauses,
-	NULL
-};
-static cfg_type_t cfg_type_lwres = {
-	"lwres", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
-	lwres_clausesets
-};
-
-/*%
- * rndc
- */
-
-static cfg_clausedef_t
-rndcconf_options_clauses[] = {
-	{ "default-key", &cfg_type_astring, 0 },
-	{ "default-port", &cfg_type_uint32, 0 },
-	{ "default-server", &cfg_type_astring, 0 },
-	{ "default-source-address", &cfg_type_netaddr4wild, 0 },
-	{ "default-source-address-v6", &cfg_type_netaddr6wild, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndcconf_options_clausesets[] = {
-	rndcconf_options_clauses,
-	NULL
-};
-
-static cfg_type_t cfg_type_rndcconf_options = {
-	"rndcconf_options", cfg_parse_map, cfg_print_map, cfg_doc_map,
-	&cfg_rep_map, rndcconf_options_clausesets
-};
-
-static cfg_clausedef_t
-rndcconf_server_clauses[] = {
-	{ "key", &cfg_type_astring, 0 },
-	{ "port", &cfg_type_uint32, 0 },
-	{ "source-address", &cfg_type_netaddr4wild, 0 },
-	{ "source-address-v6", &cfg_type_netaddr6wild, 0 },
-	{ "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndcconf_server_clausesets[] = {
-	rndcconf_server_clauses,
-	NULL
-};
-
-static cfg_type_t cfg_type_rndcconf_server = {
-	"rndcconf_server", cfg_parse_named_map, cfg_print_map, cfg_doc_map,
-	&cfg_rep_map, rndcconf_server_clausesets
-};
-
-static cfg_clausedef_t
-rndcconf_clauses[] = {
-	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
-	{ "server", &cfg_type_rndcconf_server, CFG_CLAUSEFLAG_MULTI },
-	{ "options", &cfg_type_rndcconf_options, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndcconf_clausesets[] = {
-	rndcconf_clauses,
-	NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndcconf = {
-	"rndcconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
-	&cfg_rep_map, rndcconf_clausesets
-};
-
-static cfg_clausedef_t
-rndckey_clauses[] = {
-	{ "key", &cfg_type_key, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndckey_clausesets[] = {
-	rndckey_clauses,
-	NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
-	"rndckey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
-	&cfg_rep_map, rndckey_clausesets
-};
-
-/*
- * session.key has exactly the same syntax as rndc.key, but it's defined
- * separately for clarity (and so we can extend it someday, if needed).
- */
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sessionkey = {
-	"sessionkey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
-	&cfg_rep_map, rndckey_clausesets
-};
-
-static cfg_tuplefielddef_t nameport_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "port", &cfg_type_optional_port, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_nameport = {
-	"nameport", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, nameport_fields
-};
-
-static void
-doc_sockaddrnameport(cfg_printer_t *pctx, const cfg_type_t *type) {
-	UNUSED(type);
-	cfg_print_chars(pctx, "( ", 2);
-	cfg_print_cstr(pctx, "<quoted_string>");
-	cfg_print_chars(pctx, " ", 1);
-	cfg_print_cstr(pctx, "[ port <integer> ]");
-	cfg_print_chars(pctx, " | ", 3);
-	cfg_print_cstr(pctx, "<ipv4_address>");
-	cfg_print_chars(pctx, " ", 1);
-	cfg_print_cstr(pctx, "[ port <integer> ]");
-	cfg_print_chars(pctx, " | ", 3);
-	cfg_print_cstr(pctx, "<ipv6_address>");
-	cfg_print_chars(pctx, " ", 1);
-	cfg_print_cstr(pctx, "[ port <integer> ]");
-	cfg_print_chars(pctx, " )", 2);
-}
-
-static isc_result_t
-parse_sockaddrnameport(cfg_parser_t *pctx, const cfg_type_t *type,
-		       cfg_obj_t **ret)
-{
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
-	if (pctx->token.type == isc_tokentype_string ||
-	    pctx->token.type == isc_tokentype_qstring) {
-		if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
-			CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr, ret));
-		else {
-			const cfg_tuplefielddef_t *fields =
-						   cfg_type_nameport.of;
-			CHECK(cfg_create_tuple(pctx, &cfg_type_nameport,
-					       &obj));
-			CHECK(cfg_parse_obj(pctx, fields[0].type,
-					    &obj->value.tuple[0]));
-			CHECK(cfg_parse_obj(pctx, fields[1].type,
-					    &obj->value.tuple[1]));
-			*ret = obj;
-			obj = NULL;
-		}
-	} else {
-		cfg_parser_error(pctx, CFG_LOG_NEAR,
-			     "expected IP address or hostname");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
- cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-static cfg_type_t cfg_type_sockaddrnameport = {
-	"sockaddrnameport_element", parse_sockaddrnameport, NULL,
-	 doc_sockaddrnameport, NULL, NULL
-};
-
-static cfg_type_t cfg_type_bracketed_sockaddrnameportlist = {
-	"bracketed_sockaddrnameportlist", cfg_parse_bracketed_list,
-	cfg_print_bracketed_list, cfg_doc_bracketed_list,
-	&cfg_rep_list, &cfg_type_sockaddrnameport
-};
-
-/*%
- * A list of socket addresses or name with an optional default port,
- * as used in the dual-stack-servers option.  E.g.,
- * "port 1234 { dual-stack-servers.net; 10.0.0.1; 1::2 port 69; }"
- */
-static cfg_tuplefielddef_t nameportiplist_fields[] = {
-	{ "port", &cfg_type_optional_port, 0 },
-	{ "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
-	{ NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_nameportiplist = {
-	"nameportiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
-	&cfg_rep_tuple, nameportiplist_fields
-};
-
-/*%
- * masters element.
- */
-
-static void
-doc_masterselement(cfg_printer_t *pctx, const cfg_type_t *type) {
-	UNUSED(type);
-	cfg_print_chars(pctx, "( ", 2);
-	cfg_print_cstr(pctx, "<masters>");
-	cfg_print_chars(pctx, " | ", 3);
-	cfg_print_cstr(pctx, "<ipv4_address>");
-	cfg_print_chars(pctx, " ", 1);
-	cfg_print_cstr(pctx, "[ port <integer> ]");
-	cfg_print_chars(pctx, " | ", 3);
-	cfg_print_cstr(pctx, "<ipv6_address>");
-	cfg_print_chars(pctx, " ", 1);
-	cfg_print_cstr(pctx, "[ port <integer> ]");
-	cfg_print_chars(pctx, " )", 2);
-}
-
-static isc_result_t
-parse_masterselement(cfg_parser_t *pctx, const cfg_type_t *type,
-		     cfg_obj_t **ret)
-{
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	UNUSED(type);
-
-	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
-	if (pctx->token.type == isc_tokentype_string ||
-	    pctx->token.type == isc_tokentype_qstring) {
-		if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
-			CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr, ret));
-		else
-			CHECK(cfg_parse_astring(pctx, &cfg_type_astring, ret));
-	} else {
-		cfg_parser_error(pctx, CFG_LOG_NEAR,
-			     "expected IP address or masters name");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
- cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-static cfg_type_t cfg_type_masterselement = {
-	"masters_element", parse_masterselement, NULL,
-	 doc_masterselement, NULL, NULL
-};
diff --git a/contrib/bind9/lib/isccfg/parser.c b/contrib/bind9/lib/isccfg/parser.c
deleted file mode 100644
index de0fa31..0000000
--- a/contrib/bind9/lib/isccfg/parser.c
+++ /dev/null
@@ -1,2484 +0,0 @@
-/*
- * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/formatcheck.h>
-#include <isc/lex.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/netaddr.h>
-#include <isc/netscope.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/sockaddr.h>
-#include <isc/symtab.h>
-#include <isc/util.h>
-
-#include <isccfg/cfg.h>
-#include <isccfg/grammar.h>
-#include <isccfg/log.h>
-
-/* Shorthand */
-#define CAT CFG_LOGCATEGORY_CONFIG
-#define MOD CFG_LOGMODULE_PARSER
-
-#define MAP_SYM 1 	/* Unique type for isc_symtab */
-
-#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
-
-/* Check a return value. */
-#define CHECK(op) 						\
-	do { result = (op); 					\
-		if (result != ISC_R_SUCCESS) goto cleanup; 	\
-	} while (0)
-
-/* Clean up a configuration object if non-NULL. */
-#define CLEANUP_OBJ(obj) \
-	do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
-
-
-/*
- * Forward declarations of static functions.
- */
-
-static void
-free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
-
-static void
-free_list(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp);
-
-static isc_result_t
-create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
-	      cfg_obj_t **ret);
-
-static void
-free_string(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
-
-static void
-free_map(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-parse_symtab_elt(cfg_parser_t *pctx, const char *name,
-		 cfg_type_t *elttype, isc_symtab_t *symtab,
-		 isc_boolean_t callback);
-
-static void
-free_noop(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-cfg_getstringtoken(cfg_parser_t *pctx);
-
-static void
-parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
-		unsigned int flags, const char *format, va_list args);
-
-/*
- * Data representations.  These correspond to members of the
- * "value" union in struct cfg_obj (except "void", which does
- * not need a union member).
- */
-
-cfg_rep_t cfg_rep_uint32 = { "uint32", free_noop };
-cfg_rep_t cfg_rep_uint64 = { "uint64", free_noop };
-cfg_rep_t cfg_rep_string = { "string", free_string };
-cfg_rep_t cfg_rep_boolean = { "boolean", free_noop };
-cfg_rep_t cfg_rep_map = { "map", free_map };
-cfg_rep_t cfg_rep_list = { "list", free_list };
-cfg_rep_t cfg_rep_tuple = { "tuple", free_tuple };
-cfg_rep_t cfg_rep_sockaddr = { "sockaddr", free_noop };
-cfg_rep_t cfg_rep_netprefix = { "netprefix", free_noop };
-cfg_rep_t cfg_rep_void = { "void", free_noop };
-
-/*
- * Configuration type definitions.
- */
-
-/*%
- * An implicit list.  These are formed by clauses that occur multiple times.
- */
-static cfg_type_t cfg_type_implicitlist = {
-	"implicitlist", NULL, print_list, NULL, &cfg_rep_list, NULL };
-
-/* Functions. */
-
-void
-cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	obj->type->print(pctx, obj);
-}
-
-void
-cfg_print_chars(cfg_printer_t *pctx, const char *text, int len) {
-	pctx->f(pctx->closure, text, len);
-}
-
-static void
-print_open(cfg_printer_t *pctx) {
-	cfg_print_chars(pctx, "{\n", 2);
-	pctx->indent++;
-}
-
-static void
-print_indent(cfg_printer_t *pctx) {
-	int indent = pctx->indent;
-	while (indent > 0) {
-		cfg_print_chars(pctx, "\t", 1);
-		indent--;
-	}
-}
-
-static void
-print_close(cfg_printer_t *pctx) {
-	pctx->indent--;
-	print_indent(pctx);
-	cfg_print_chars(pctx, "}", 1);
-}
-
-isc_result_t
-cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	INSIST(ret != NULL && *ret == NULL);
-	result = type->parse(pctx, type, ret);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	INSIST(*ret != NULL);
-	return (ISC_R_SUCCESS);
-}
-
-void
-cfg_print(const cfg_obj_t *obj,
-	  void (*f)(void *closure, const char *text, int textlen),
-	  void *closure)
-{
-	cfg_printer_t pctx;
-	pctx.f = f;
-	pctx.closure = closure;
-	pctx.indent = 0;
-	obj->type->print(&pctx, obj);
-}
-
-
-/* Tuples. */
-
-isc_result_t
-cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	const cfg_tuplefielddef_t *fields = type->of;
-	const cfg_tuplefielddef_t *f;
-	cfg_obj_t *obj = NULL;
-	unsigned int nfields = 0;
-	int i;
-
-	for (f = fields; f->name != NULL; f++)
-		nfields++;
-
-	CHECK(cfg_create_obj(pctx, type, &obj));
-	obj->value.tuple = isc_mem_get(pctx->mctx,
-				       nfields * sizeof(cfg_obj_t *));
-	if (obj->value.tuple == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	for (f = fields, i = 0; f->name != NULL; f++, i++)
-		obj->value.tuple[i] = NULL;
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (obj != NULL)
-		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
-	return (result);
-}
-
-isc_result_t
-cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
-	isc_result_t result;
-	const cfg_tuplefielddef_t *fields = type->of;
-	const cfg_tuplefielddef_t *f;
-	cfg_obj_t *obj = NULL;
-	unsigned int i;
-
-	CHECK(cfg_create_tuple(pctx, type, &obj));
-	for (f = fields, i = 0; f->name != NULL; f++, i++)
-		CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[i]));
-
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-void
-cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	unsigned int i;
-	const cfg_tuplefielddef_t *fields = obj->type->of;
-	const cfg_tuplefielddef_t *f;
-	isc_boolean_t need_space = ISC_FALSE;
-
-	for (f = fields, i = 0; f->name != NULL; f++, i++) {
-		const cfg_obj_t *fieldobj = obj->value.tuple[i];
-		if (need_space)
-			cfg_print_chars(pctx, " ", 1);
-		cfg_print_obj(pctx, fieldobj);
-		need_space = ISC_TF(fieldobj->type->print != cfg_print_void);
-	}
-}
-
-void
-cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const cfg_tuplefielddef_t *fields = type->of;
-	const cfg_tuplefielddef_t *f;
-	isc_boolean_t need_space = ISC_FALSE;
-
-	for (f = fields; f->name != NULL; f++) {
-		if (need_space)
-			cfg_print_chars(pctx, " ", 1);
-		cfg_doc_obj(pctx, f->type);
-		need_space = ISC_TF(f->type->print != cfg_print_void);
-	}
-}
-
-static void
-free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj) {
-	unsigned int i;
-	const cfg_tuplefielddef_t *fields = obj->type->of;
-	const cfg_tuplefielddef_t *f;
-	unsigned int nfields = 0;
-
-	if (obj->value.tuple == NULL)
-		return;
-
-	for (f = fields, i = 0; f->name != NULL; f++, i++) {
-		CLEANUP_OBJ(obj->value.tuple[i]);
-		nfields++;
-	}
-	isc_mem_put(pctx->mctx, obj->value.tuple,
-		    nfields * sizeof(cfg_obj_t *));
-}
-
-isc_boolean_t
-cfg_obj_istuple(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_tuple));
-}
-
-const cfg_obj_t *
-cfg_tuple_get(const cfg_obj_t *tupleobj, const char* name) {
-	unsigned int i;
-	const cfg_tuplefielddef_t *fields;
-	const cfg_tuplefielddef_t *f;
-
-	REQUIRE(tupleobj != NULL && tupleobj->type->rep == &cfg_rep_tuple);
-
-	fields = tupleobj->type->of;
-	for (f = fields, i = 0; f->name != NULL; f++, i++) {
-		if (strcmp(f->name, name) == 0)
-			return (tupleobj->value.tuple[i]);
-	}
-	INSIST(0);
-	return (NULL);
-}
-
-isc_result_t
-cfg_parse_special(cfg_parser_t *pctx, int special) {
-	isc_result_t result;
-	CHECK(cfg_gettoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_special &&
-	    pctx->token.value.as_char == special)
-		return (ISC_R_SUCCESS);
-
-	cfg_parser_error(pctx, CFG_LOG_NEAR, "'%c' expected", special);
-	return (ISC_R_UNEXPECTEDTOKEN);
- cleanup:
-	return (result);
-}
-
-/*
- * Parse a required semicolon.  If it is not there, log
- * an error and increment the error count but continue
- * parsing.  Since the next token is pushed back,
- * care must be taken to make sure it is eventually
- * consumed or an infinite loop may result.
- */
-static isc_result_t
-parse_semicolon(cfg_parser_t *pctx) {
-	isc_result_t result;
-	CHECK(cfg_gettoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_special &&
-	    pctx->token.value.as_char == ';')
-		return (ISC_R_SUCCESS);
-
-	cfg_parser_error(pctx, CFG_LOG_BEFORE, "missing ';'");
-	cfg_ungettoken(pctx);
- cleanup:
-	return (result);
-}
-
-/*
- * Parse EOF, logging and returning an error if not there.
- */
-static isc_result_t
-parse_eof(cfg_parser_t *pctx) {
-	isc_result_t result;
-	CHECK(cfg_gettoken(pctx, 0));
-
-	if (pctx->token.type == isc_tokentype_eof)
-		return (ISC_R_SUCCESS);
-
-	cfg_parser_error(pctx, CFG_LOG_NEAR, "syntax error");
-	return (ISC_R_UNEXPECTEDTOKEN);
- cleanup:
-	return (result);
-}
-
-/* A list of files, used internally for pctx->files. */
-
-static cfg_type_t cfg_type_filelist = {
-	"filelist", NULL, print_list, NULL, &cfg_rep_list,
-	&cfg_type_qstring
-};
-
-isc_result_t
-cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
-	isc_result_t result;
-	cfg_parser_t *pctx;
-	isc_lexspecials_t specials;
-
-	REQUIRE(mctx != NULL);
-	REQUIRE(ret != NULL && *ret == NULL);
-
-	pctx = isc_mem_get(mctx, sizeof(*pctx));
-	if (pctx == NULL)
-		return (ISC_R_NOMEMORY);
-
-	pctx->mctx = NULL;
-	isc_mem_attach(mctx, &pctx->mctx);
-
-	result = isc_refcount_init(&pctx->references, 1);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_putanddetach(&pctx->mctx, pctx, sizeof(*pctx));
-		return (result);
-	}
-
-	pctx->lctx = lctx;
-	pctx->lexer = NULL;
-	pctx->seen_eof = ISC_FALSE;
-	pctx->ungotten = ISC_FALSE;
-	pctx->errors = 0;
-	pctx->warnings = 0;
-	pctx->open_files = NULL;
-	pctx->closed_files = NULL;
-	pctx->line = 0;
-	pctx->callback = NULL;
-	pctx->callbackarg = NULL;
-	pctx->token.type = isc_tokentype_unknown;
-	pctx->flags = 0;
-
-	memset(specials, 0, sizeof(specials));
-	specials['{'] = 1;
-	specials['}'] = 1;
-	specials[';'] = 1;
-	specials['/'] = 1;
-	specials['"'] = 1;
-	specials['!'] = 1;
-
-	CHECK(isc_lex_create(pctx->mctx, 1024, &pctx->lexer));
-
-	isc_lex_setspecials(pctx->lexer, specials);
-	isc_lex_setcomments(pctx->lexer, (ISC_LEXCOMMENT_C |
-					 ISC_LEXCOMMENT_CPLUSPLUS |
-					 ISC_LEXCOMMENT_SHELL));
-
-	CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->open_files));
-	CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->closed_files));
-
-	*ret = pctx;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (pctx->lexer != NULL)
-		isc_lex_destroy(&pctx->lexer);
-	CLEANUP_OBJ(pctx->open_files);
-	CLEANUP_OBJ(pctx->closed_files);
-	isc_mem_putanddetach(&pctx->mctx, pctx, sizeof(*pctx));
-	return (result);
-}
-
-static isc_result_t
-parser_openfile(cfg_parser_t *pctx, const char *filename) {
-	isc_result_t result;
-	cfg_listelt_t *elt = NULL;
-	cfg_obj_t *stringobj = NULL;
-
-	result = isc_lex_openfile(pctx->lexer, filename);
-	if (result != ISC_R_SUCCESS) {
-		cfg_parser_error(pctx, 0, "open: %s: %s",
-			     filename, isc_result_totext(result));
-		goto cleanup;
-	}
-
-	CHECK(create_string(pctx, filename, &cfg_type_qstring, &stringobj));
-	CHECK(create_listelt(pctx, &elt));
-	elt->obj = stringobj;
-	ISC_LIST_APPEND(pctx->open_files->value.list, elt, link);
-
-	return (ISC_R_SUCCESS);
- cleanup:
-	CLEANUP_OBJ(stringobj);
-	return (result);
-}
-
-void
-cfg_parser_setcallback(cfg_parser_t *pctx,
-		       cfg_parsecallback_t callback,
-		       void *arg)
-{
-	pctx->callback = callback;
-	pctx->callbackarg = arg;
-}
-
-/*
- * Parse a configuration using a pctx where a lexer has already
- * been set up with a source.
- */
-static isc_result_t
-parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-
-	result = cfg_parse_obj(pctx, type, &obj);
-
-	if (pctx->errors != 0) {
-		/* Errors have been logged. */
-		if (result == ISC_R_SUCCESS)
-			result = ISC_R_FAILURE;
-		goto cleanup;
-	}
-
-	if (result != ISC_R_SUCCESS) {
-		/* Parsing failed but no errors have been logged. */
-		cfg_parser_error(pctx, 0, "parsing failed");
-		goto cleanup;
-	}
-
-	CHECK(parse_eof(pctx));
-
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-isc_result_t
-cfg_parse_file(cfg_parser_t *pctx, const char *filename,
-	       const cfg_type_t *type, cfg_obj_t **ret)
-{
-	isc_result_t result;
-
-	REQUIRE(filename != NULL);
-
-	CHECK(parser_openfile(pctx, filename));
-	CHECK(parse2(pctx, type, ret));
- cleanup:
-	return (result);
-}
-
-
-isc_result_t
-cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
-	const cfg_type_t *type, cfg_obj_t **ret)
-{
-	isc_result_t result;
-	REQUIRE(buffer != NULL);
-	CHECK(isc_lex_openbuffer(pctx->lexer, buffer));
-	CHECK(parse2(pctx, type, ret));
- cleanup:
-	return (result);
-}
-
-void
-cfg_parser_attach(cfg_parser_t *src, cfg_parser_t **dest) {
-	REQUIRE(src != NULL);
-	REQUIRE(dest != NULL && *dest == NULL);
-	isc_refcount_increment(&src->references, NULL);
-	*dest = src;
-}
-
-void
-cfg_parser_destroy(cfg_parser_t **pctxp) {
-	cfg_parser_t *pctx = *pctxp;
-	unsigned int refs;
-
-	isc_refcount_decrement(&pctx->references, &refs);
-	if (refs == 0) {
-		isc_lex_destroy(&pctx->lexer);
-		/*
-		 * Cleaning up open_files does not
-		 * close the files; that was already done
-		 * by closing the lexer.
-		 */
-		CLEANUP_OBJ(pctx->open_files);
-		CLEANUP_OBJ(pctx->closed_files);
-		isc_mem_putanddetach(&pctx->mctx, pctx, sizeof(*pctx));
-	}
-	*pctxp = NULL;
-}
-
-/*
- * void
- */
-isc_result_t
-cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	UNUSED(type);
-	return (cfg_create_obj(pctx, &cfg_type_void, ret));
-}
-
-void
-cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	UNUSED(pctx);
-	UNUSED(obj);
-}
-
-void
-cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type) {
-	UNUSED(pctx);
-	UNUSED(type);
-}
-
-isc_boolean_t
-cfg_obj_isvoid(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_void));
-}
-
-cfg_type_t cfg_type_void = {
-	"void", cfg_parse_void, cfg_print_void, cfg_doc_void, &cfg_rep_void,
-	NULL };
-
-
-/*
- * uint32
- */
-isc_result_t
-cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	UNUSED(type);
-
-	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
-	if (pctx->token.type != isc_tokentype_number) {
-		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected number");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
-
-	CHECK(cfg_create_obj(pctx, &cfg_type_uint32, &obj));
-
-	obj->value.uint32 = pctx->token.value.as_ulong;
-	*ret = obj;
- cleanup:
-	return (result);
-}
-
-void
-cfg_print_cstr(cfg_printer_t *pctx, const char *s) {
-	cfg_print_chars(pctx, s, strlen(s));
-}
-
-void
-cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u) {
-	char buf[32];
-	snprintf(buf, sizeof(buf), "%u", u);
-	cfg_print_cstr(pctx, buf);
-}
-
-void
-cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	cfg_print_rawuint(pctx, obj->value.uint32);
-}
-
-isc_boolean_t
-cfg_obj_isuint32(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_uint32));
-}
-
-isc_uint32_t
-cfg_obj_asuint32(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint32);
-	return (obj->value.uint32);
-}
-
-cfg_type_t cfg_type_uint32 = {
-	"integer", cfg_parse_uint32, cfg_print_uint32, cfg_doc_terminal,
-	&cfg_rep_uint32, NULL
-};
-
-
-/*
- * uint64
- */
-isc_boolean_t
-cfg_obj_isuint64(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_uint64));
-}
-
-isc_uint64_t
-cfg_obj_asuint64(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint64);
-	return (obj->value.uint64);
-}
-
-void
-cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	char buf[32];
-	snprintf(buf, sizeof(buf), "%" ISC_PRINT_QUADFORMAT "u",
-		 obj->value.uint64);
-	cfg_print_cstr(pctx, buf);
-}
-
-cfg_type_t cfg_type_uint64 = {
-	"64_bit_integer", NULL, cfg_print_uint64, cfg_doc_terminal,
-	&cfg_rep_uint64, NULL
-};
-
-/*
- * qstring (quoted string), ustring (unquoted string), astring
- * (any string)
- */
-
-/* Create a string object from a null-terminated C string. */
-static isc_result_t
-create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
-	      cfg_obj_t **ret)
-{
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	int len;
-
-	CHECK(cfg_create_obj(pctx, type, &obj));
-	len = strlen(contents);
-	obj->value.string.length = len;
-	obj->value.string.base = isc_mem_get(pctx->mctx, len + 1);
-	if (obj->value.string.base == 0) {
-		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
-		return (ISC_R_NOMEMORY);
-	}
-	memcpy(obj->value.string.base, contents, len);
-	obj->value.string.base[len] = '\0';
-
-	*ret = obj;
- cleanup:
-	return (result);
-}
-
-isc_result_t
-cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
-	if (pctx->token.type != isc_tokentype_qstring) {
-		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected quoted string");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
-	return (create_string(pctx,
-			      TOKEN_STRING(pctx),
-			      &cfg_type_qstring,
-			      ret));
- cleanup:
-	return (result);
-}
-
-static isc_result_t
-parse_ustring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_gettoken(pctx, 0));
-	if (pctx->token.type != isc_tokentype_string) {
-		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected unquoted string");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
-	return (create_string(pctx,
-			      TOKEN_STRING(pctx),
-			      &cfg_type_ustring,
-			      ret));
- cleanup:
-	return (result);
-}
-
-isc_result_t
-cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type,
-		  cfg_obj_t **ret)
-{
-	isc_result_t result;
-	UNUSED(type);
-
-	CHECK(cfg_getstringtoken(pctx));
-	return (create_string(pctx,
-			      TOKEN_STRING(pctx),
-			      &cfg_type_qstring,
-			      ret));
- cleanup:
-	return (result);
-}
-
-isc_boolean_t
-cfg_is_enum(const char *s, const char *const *enums) {
-	const char * const *p;
-	for (p = enums; *p != NULL; p++) {
-		if (strcasecmp(*p, s) == 0)
-			return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-
-static isc_result_t
-check_enum(cfg_parser_t *pctx, cfg_obj_t *obj, const char *const *enums) {
-	const char *s = obj->value.string.base;
-	if (cfg_is_enum(s, enums))
-		return (ISC_R_SUCCESS);
-	cfg_parser_error(pctx, 0, "'%s' unexpected", s);
-	return (ISC_R_UNEXPECTEDTOKEN);
-}
-
-isc_result_t
-cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	CHECK(parse_ustring(pctx, NULL, &obj));
-	CHECK(check_enum(pctx, obj, type->of));
-	*ret = obj;
-	return (ISC_R_SUCCESS);
- cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-void
-cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const char * const *p;
-	cfg_print_chars(pctx, "( ", 2);
-	for (p = type->of; *p != NULL; p++) {
-		cfg_print_cstr(pctx, *p);
-		if (p[1] != NULL)
-			cfg_print_chars(pctx, " | ", 3);
-	}
-	cfg_print_chars(pctx, " )", 2);
-}
-
-void
-cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
-}
-
-static void
-print_qstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	cfg_print_chars(pctx, "\"", 1);
-	cfg_print_ustring(pctx, obj);
-	cfg_print_chars(pctx, "\"", 1);
-}
-
-static void
-free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
-	isc_mem_put(pctx->mctx, obj->value.string.base,
-		    obj->value.string.length + 1);
-}
-
-isc_boolean_t
-cfg_obj_isstring(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_string));
-}
-
-const char *
-cfg_obj_asstring(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_string);
-	return (obj->value.string.base);
-}
-
-/* Quoted string only */
-cfg_type_t cfg_type_qstring = {
-	"quoted_string", cfg_parse_qstring, print_qstring, cfg_doc_terminal,
-	&cfg_rep_string, NULL
-};
-
-/* Unquoted string only */
-cfg_type_t cfg_type_ustring = {
-	"string", parse_ustring, cfg_print_ustring, cfg_doc_terminal,
-	&cfg_rep_string, NULL
-};
-
-/* Any string (quoted or unquoted); printed with quotes */
-cfg_type_t cfg_type_astring = {
-	"string", cfg_parse_astring, print_qstring, cfg_doc_terminal,
-	&cfg_rep_string, NULL
-};
-
-/*
- * Booleans
- */
-
-isc_boolean_t
-cfg_obj_isboolean(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_boolean));
-}
-
-isc_boolean_t
-cfg_obj_asboolean(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_boolean);
-	return (obj->value.boolean);
-}
-
-isc_result_t
-cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
-	isc_result_t result;
-	isc_boolean_t value;
-	cfg_obj_t *obj = NULL;
-	UNUSED(type);
-
-	result = cfg_gettoken(pctx, 0);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (pctx->token.type != isc_tokentype_string)
-		goto bad_boolean;
-
-	if ((strcasecmp(TOKEN_STRING(pctx), "true") == 0) ||
-	    (strcasecmp(TOKEN_STRING(pctx), "yes") == 0) ||
-	    (strcmp(TOKEN_STRING(pctx), "1") == 0)) {
-		value = ISC_TRUE;
-	} else if ((strcasecmp(TOKEN_STRING(pctx), "false") == 0) ||
-		   (strcasecmp(TOKEN_STRING(pctx), "no") == 0) ||
-		   (strcmp(TOKEN_STRING(pctx), "0") == 0)) {
-		value = ISC_FALSE;
-	} else {
-		goto bad_boolean;
-	}
-
-	CHECK(cfg_create_obj(pctx, &cfg_type_boolean, &obj));
-	obj->value.boolean = value;
-	*ret = obj;
-	return (result);
-
- bad_boolean:
-	cfg_parser_error(pctx, CFG_LOG_NEAR, "boolean expected");
-	return (ISC_R_UNEXPECTEDTOKEN);
-
- cleanup:
-	return (result);
-}
-
-void
-cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	if (obj->value.boolean)
-		cfg_print_chars(pctx, "yes", 3);
-	else
-		cfg_print_chars(pctx, "no", 2);
-}
-
-cfg_type_t cfg_type_boolean = {
-	"boolean", cfg_parse_boolean, cfg_print_boolean, cfg_doc_terminal,
-	&cfg_rep_boolean, NULL
-};
-
-/*
- * Lists.
- */
-
-isc_result_t
-cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **obj) {
-	isc_result_t result;
-	CHECK(cfg_create_obj(pctx, type, obj));
-	ISC_LIST_INIT((*obj)->value.list);
- cleanup:
-	return (result);
-}
-
-static isc_result_t
-create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp) {
-	cfg_listelt_t *elt;
-	elt = isc_mem_get(pctx->mctx, sizeof(*elt));
-	if (elt == NULL)
-		return (ISC_R_NOMEMORY);
-	elt->obj = NULL;
-	ISC_LINK_INIT(elt, link);
-	*eltp = elt;
-	return (ISC_R_SUCCESS);
-}
-
-static void
-free_list_elt(cfg_parser_t *pctx, cfg_listelt_t *elt) {
-	cfg_obj_destroy(pctx, &elt->obj);
-	isc_mem_put(pctx->mctx, elt, sizeof(*elt));
-}
-
-static void
-free_list(cfg_parser_t *pctx, cfg_obj_t *obj) {
-	cfg_listelt_t *elt, *next;
-	for (elt = ISC_LIST_HEAD(obj->value.list);
-	     elt != NULL;
-	     elt = next)
-	{
-		next = ISC_LIST_NEXT(elt, link);
-		free_list_elt(pctx, elt);
-	}
-}
-
-isc_result_t
-cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
-		  cfg_listelt_t **ret)
-{
-	isc_result_t result;
-	cfg_listelt_t *elt = NULL;
-	cfg_obj_t *value = NULL;
-
-	CHECK(create_listelt(pctx, &elt));
-
-	result = cfg_parse_obj(pctx, elttype, &value);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup;
-
-	elt->obj = value;
-
-	*ret = elt;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	isc_mem_put(pctx->mctx, elt, sizeof(*elt));
-	return (result);
-}
-
-/*
- * Parse a homogeneous list whose elements are of type 'elttype'
- * and where each element is terminated by a semicolon.
- */
-static isc_result_t
-parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
-{
-	cfg_obj_t *listobj = NULL;
-	const cfg_type_t *listof = listtype->of;
-	isc_result_t result;
-	cfg_listelt_t *elt = NULL;
-
-	CHECK(cfg_create_list(pctx, listtype, &listobj));
-
-	for (;;) {
-		CHECK(cfg_peektoken(pctx, 0));
-		if (pctx->token.type == isc_tokentype_special &&
-		    pctx->token.value.as_char == /*{*/ '}')
-			break;
-		CHECK(cfg_parse_listelt(pctx, listof, &elt));
-		CHECK(parse_semicolon(pctx));
-		ISC_LIST_APPEND(listobj->value.list, elt, link);
-		elt = NULL;
-	}
-	*ret = listobj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (elt != NULL)
-		free_list_elt(pctx, elt);
-	CLEANUP_OBJ(listobj);
-	return (result);
-}
-
-static void
-print_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	const cfg_list_t *list = &obj->value.list;
-	const cfg_listelt_t *elt;
-
-	for (elt = ISC_LIST_HEAD(*list);
-	     elt != NULL;
-	     elt = ISC_LIST_NEXT(elt, link)) {
-		print_indent(pctx);
-		cfg_print_obj(pctx, elt->obj);
-		cfg_print_chars(pctx, ";\n", 2);
-	}
-}
-
-isc_result_t
-cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type,
-		     cfg_obj_t **ret)
-{
-	isc_result_t result;
-	CHECK(cfg_parse_special(pctx, '{'));
-	CHECK(parse_list(pctx, type, ret));
-	CHECK(cfg_parse_special(pctx, '}'));
- cleanup:
-	return (result);
-}
-
-void
-cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	print_open(pctx);
-	print_list(pctx, obj);
-	print_close(pctx);
-}
-
-void
-cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
-	cfg_print_chars(pctx, "{ ", 2);
-	cfg_doc_obj(pctx, type->of);
-	cfg_print_chars(pctx, "; ... }", 7);
-}
-
-/*
- * Parse a homogeneous list whose elements are of type 'elttype'
- * and where elements are separated by space.  The list ends
- * before the first semicolon.
- */
-isc_result_t
-cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype,
-		    cfg_obj_t **ret)
-{
-	cfg_obj_t *listobj = NULL;
-	const cfg_type_t *listof = listtype->of;
-	isc_result_t result;
-
-	CHECK(cfg_create_list(pctx, listtype, &listobj));
-
-	for (;;) {
-		cfg_listelt_t *elt = NULL;
-
-		CHECK(cfg_peektoken(pctx, 0));
-		if (pctx->token.type == isc_tokentype_special &&
-		    pctx->token.value.as_char == ';')
-			break;
-		CHECK(cfg_parse_listelt(pctx, listof, &elt));
-		ISC_LIST_APPEND(listobj->value.list, elt, link);
-	}
-	*ret = listobj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	CLEANUP_OBJ(listobj);
-	return (result);
-}
-
-void
-cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	const cfg_list_t *list = &obj->value.list;
-	const cfg_listelt_t *elt;
-
-	for (elt = ISC_LIST_HEAD(*list);
-	     elt != NULL;
-	     elt = ISC_LIST_NEXT(elt, link)) {
-		cfg_print_obj(pctx, elt->obj);
-		if (ISC_LIST_NEXT(elt, link) != NULL)
-			cfg_print_chars(pctx, " ", 1);
-	}
-}
-
-isc_boolean_t
-cfg_obj_islist(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_list));
-}
-
-const cfg_listelt_t *
-cfg_list_first(const cfg_obj_t *obj) {
-	REQUIRE(obj == NULL || obj->type->rep == &cfg_rep_list);
-	if (obj == NULL)
-		return (NULL);
-	return (ISC_LIST_HEAD(obj->value.list));
-}
-
-const cfg_listelt_t *
-cfg_list_next(const cfg_listelt_t *elt) {
-	REQUIRE(elt != NULL);
-	return (ISC_LIST_NEXT(elt, link));
-}
-
-/*
- * Return the length of a list object.  If obj is NULL or is not
- * a list, return 0.
- */
-unsigned int
-cfg_list_length(const cfg_obj_t *obj, isc_boolean_t recurse) {
-	const cfg_listelt_t *elt;
-	unsigned int count = 0;
-
-	if (obj == NULL || !cfg_obj_islist(obj))
-		return (0U);
-	for (elt = cfg_list_first(obj);
-	     elt != NULL;
-	     elt = cfg_list_next(elt)) {
-		if (recurse && cfg_obj_islist(elt->obj)) {
-			count += cfg_list_length(elt->obj, recurse);
-		} else {
-			count++;
-		}
-	}
-	return (count);
-}
-
-cfg_obj_t *
-cfg_listelt_value(const cfg_listelt_t *elt) {
-	REQUIRE(elt != NULL);
-	return (elt->obj);
-}
-
-/*
- * Maps.
- */
-
-/*
- * Parse a map body.  That's something like
- *
- *   "foo 1; bar { glub; }; zap true; zap false;"
- *
- * i.e., a sequence of option names followed by values and
- * terminated by semicolons.  Used for the top level of
- * the named.conf syntax, as well as for the body of the
- * options, view, zone, and other statements.
- */
-isc_result_t
-cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
-	const cfg_clausedef_t * const *clausesets = type->of;
-	isc_result_t result;
-	const cfg_clausedef_t * const *clauseset;
-	const cfg_clausedef_t *clause;
-	cfg_obj_t *value = NULL;
-	cfg_obj_t *obj = NULL;
-	cfg_obj_t *eltobj = NULL;
-	cfg_obj_t *includename = NULL;
-	isc_symvalue_t symval;
-	cfg_list_t *list = NULL;
-
-	CHECK(create_map(pctx, type, &obj));
-
-	obj->value.map.clausesets = clausesets;
-
-	for (;;) {
-		cfg_listelt_t *elt;
-
-	redo:
-		/*
-		 * Parse the option name and see if it is known.
-		 */
-		CHECK(cfg_gettoken(pctx, 0));
-
-		if (pctx->token.type != isc_tokentype_string) {
-			cfg_ungettoken(pctx);
-			break;
-		}
-
-		/*
-		 * We accept "include" statements wherever a map body
-		 * clause can occur.
-		 */
-		if (strcasecmp(TOKEN_STRING(pctx), "include") == 0) {
-			/*
-			 * Turn the file name into a temporary configuration
-			 * object just so that it is not overwritten by the
-			 * semicolon token.
-			 */
-			CHECK(cfg_parse_obj(pctx, &cfg_type_qstring, &includename));
-			CHECK(parse_semicolon(pctx));
-			CHECK(parser_openfile(pctx, includename->
-					      value.string.base));
-			 cfg_obj_destroy(pctx, &includename);
-			 goto redo;
-		}
-
-		clause = NULL;
-		for (clauseset = clausesets; *clauseset != NULL; clauseset++) {
-			for (clause = *clauseset;
-			     clause->name != NULL;
-			     clause++) {
-				if (strcasecmp(TOKEN_STRING(pctx),
-					   clause->name) == 0)
-					goto done;
-			}
-		}
-	done:
-		if (clause == NULL || clause->name == NULL) {
-			cfg_parser_error(pctx, CFG_LOG_NOPREP, "unknown option");
-			/*
-			 * Try to recover by parsing this option as an unknown
-			 * option and discarding it.
-			 */
-			CHECK(cfg_parse_obj(pctx, &cfg_type_unsupported, &eltobj));
-			cfg_obj_destroy(pctx, &eltobj);
-			CHECK(parse_semicolon(pctx));
-			continue;
-		}
-
-		/* Clause is known. */
-
-		/* Issue warnings if appropriate */
-		if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0)
-			cfg_parser_warning(pctx, 0, "option '%s' is obsolete",
-				       clause->name);
-		if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0)
-			cfg_parser_warning(pctx, 0, "option '%s' is "
-				       "not implemented", clause->name);
-		if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0)
-			cfg_parser_warning(pctx, 0, "option '%s' is "
-				       "not implemented", clause->name);
-
-		if ((clause->flags & CFG_CLAUSEFLAG_NOTCONFIGURED) != 0) {
-			cfg_parser_warning(pctx, 0, "option '%s' is not "
-					   "configured", clause->name);
-			result = ISC_R_FAILURE;
-			goto cleanup;
-		}
-
-		/*
-		 * Don't log options with CFG_CLAUSEFLAG_NEWDEFAULT
-		 * set here - we need to log the *lack* of such an option,
-		 * not its presence.
-		 */
-
-		/* See if the clause already has a value; if not create one. */
-		result = isc_symtab_lookup(obj->value.map.symtab,
-					   clause->name, 0, &symval);
-
-		if ((clause->flags & CFG_CLAUSEFLAG_MULTI) != 0) {
-			/* Multivalued clause */
-			cfg_obj_t *listobj = NULL;
-			if (result == ISC_R_NOTFOUND) {
-				CHECK(cfg_create_list(pctx,
-						  &cfg_type_implicitlist,
-						  &listobj));
-				symval.as_pointer = listobj;
-				result = isc_symtab_define(obj->value.
-						   map.symtab,
-						   clause->name,
-						   1, symval,
-						   isc_symexists_reject);
-				if (result != ISC_R_SUCCESS) {
-					cfg_parser_error(pctx, CFG_LOG_NEAR,
-						     "isc_symtab_define(%s) "
-						     "failed", clause->name);
-					isc_mem_put(pctx->mctx, list,
-						    sizeof(cfg_list_t));
-					goto cleanup;
-				}
-			} else {
-				INSIST(result == ISC_R_SUCCESS);
-				listobj = symval.as_pointer;
-			}
-
-			elt = NULL;
-			CHECK(cfg_parse_listelt(pctx, clause->type, &elt));
-			CHECK(parse_semicolon(pctx));
-
-			ISC_LIST_APPEND(listobj->value.list, elt, link);
-		} else {
-			/* Single-valued clause */
-			if (result == ISC_R_NOTFOUND) {
-				isc_boolean_t callback =
-					ISC_TF((clause->flags &
-						CFG_CLAUSEFLAG_CALLBACK) != 0);
-				CHECK(parse_symtab_elt(pctx, clause->name,
-						       clause->type,
-						       obj->value.map.symtab,
-						       callback));
-				CHECK(parse_semicolon(pctx));
-			} else if (result == ISC_R_SUCCESS) {
-				cfg_parser_error(pctx, CFG_LOG_NEAR, "'%s' redefined",
-					     clause->name);
-				result = ISC_R_EXISTS;
-				goto cleanup;
-			} else {
-				cfg_parser_error(pctx, CFG_LOG_NEAR,
-					     "isc_symtab_define() failed");
-				goto cleanup;
-			}
-		}
-	}
-
-
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	CLEANUP_OBJ(value);
-	CLEANUP_OBJ(obj);
-	CLEANUP_OBJ(eltobj);
-	CLEANUP_OBJ(includename);
-	return (result);
-}
-
-static isc_result_t
-parse_symtab_elt(cfg_parser_t *pctx, const char *name,
-		 cfg_type_t *elttype, isc_symtab_t *symtab,
-		 isc_boolean_t callback)
-{
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	isc_symvalue_t symval;
-
-	CHECK(cfg_parse_obj(pctx, elttype, &obj));
-
-	if (callback && pctx->callback != NULL)
-		CHECK(pctx->callback(name, obj, pctx->callbackarg));
-
-	symval.as_pointer = obj;
-	CHECK(isc_symtab_define(symtab, name,
-				1, symval,
-				isc_symexists_reject));
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-/*
- * Parse a map; e.g., "{ foo 1; bar { glub; }; zap true; zap false; }"
- */
-isc_result_t
-cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	CHECK(cfg_parse_special(pctx, '{'));
-	CHECK(cfg_parse_mapbody(pctx, type, ret));
-	CHECK(cfg_parse_special(pctx, '}'));
- cleanup:
-	return (result);
-}
-
-/*
- * Subroutine for cfg_parse_named_map() and cfg_parse_addressed_map().
- */
-static isc_result_t
-parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype, const cfg_type_t *type,
-		    cfg_obj_t **ret)
-{
-	isc_result_t result;
-	cfg_obj_t *idobj = NULL;
-	cfg_obj_t *mapobj = NULL;
-
-	CHECK(cfg_parse_obj(pctx, nametype, &idobj));
-	CHECK(cfg_parse_map(pctx, type, &mapobj));
-	mapobj->value.map.id = idobj;
-	idobj = NULL;
-	*ret = mapobj;
- cleanup:
-	CLEANUP_OBJ(idobj);
-	return (result);
-}
-
-/*
- * Parse a map identified by a string name.  E.g., "name { foo 1; }".
- * Used for the "key" and "channel" statements.
- */
-isc_result_t
-cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_any_named_map(pctx, &cfg_type_astring, type, ret));
-}
-
-/*
- * Parse a map identified by a network address.
- * Used to be used for the "server" statement.
- */
-isc_result_t
-cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_any_named_map(pctx, &cfg_type_netaddr, type, ret));
-}
-
-/*
- * Parse a map identified by a network prefix.
- * Used for the "server" statement.
- */
-isc_result_t
-cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	return (parse_any_named_map(pctx, &cfg_type_netprefix, type, ret));
-}
-
-void
-cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	isc_result_t result = ISC_R_SUCCESS;
-
-	const cfg_clausedef_t * const *clauseset;
-
-	for (clauseset = obj->value.map.clausesets;
-	     *clauseset != NULL;
-	     clauseset++)
-	{
-		isc_symvalue_t symval;
-		const cfg_clausedef_t *clause;
-
-		for (clause = *clauseset;
-		     clause->name != NULL;
-		     clause++) {
-			result = isc_symtab_lookup(obj->value.map.symtab,
-						   clause->name, 0, &symval);
-			if (result == ISC_R_SUCCESS) {
-				cfg_obj_t *obj = symval.as_pointer;
-				if (obj->type == &cfg_type_implicitlist) {
-					/* Multivalued. */
-					cfg_list_t *list = &obj->value.list;
-					cfg_listelt_t *elt;
-					for (elt = ISC_LIST_HEAD(*list);
-					     elt != NULL;
-					     elt = ISC_LIST_NEXT(elt, link)) {
-						print_indent(pctx);
-						cfg_print_cstr(pctx, clause->name);
-						cfg_print_chars(pctx, " ", 1);
-						cfg_print_obj(pctx, elt->obj);
-						cfg_print_chars(pctx, ";\n", 2);
-					}
-				} else {
-					/* Single-valued. */
-					print_indent(pctx);
-					cfg_print_cstr(pctx, clause->name);
-					cfg_print_chars(pctx, " ", 1);
-					cfg_print_obj(pctx, obj);
-					cfg_print_chars(pctx, ";\n", 2);
-				}
-			} else if (result == ISC_R_NOTFOUND) {
-				; /* do nothing */
-			} else {
-				INSIST(0);
-			}
-		}
-	}
-}
-
-void
-cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const cfg_clausedef_t * const *clauseset;
-	const cfg_clausedef_t *clause;
-
-	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
-		for (clause = *clauseset;
-		     clause->name != NULL;
-		     clause++) {
-			cfg_print_cstr(pctx, clause->name);
-			cfg_print_chars(pctx, " ", 1);
-			cfg_doc_obj(pctx, clause->type);
-			cfg_print_chars(pctx, ";", 1);
-			/* XXX print flags here? */
-			cfg_print_chars(pctx, "\n\n", 2);
-		}
-	}
-}
-
-static struct flagtext {
-	unsigned int flag;
-	const char *text;
-} flagtexts[] = {
-	{ CFG_CLAUSEFLAG_NOTIMP, "not implemented" },
-	{ CFG_CLAUSEFLAG_NYI, "not yet implemented" },
-	{ CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
-	{ CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
-	{ CFG_CLAUSEFLAG_TESTONLY, "test only" },
-	{ CFG_CLAUSEFLAG_NOTCONFIGURED, "not configured" },
-	{ 0, NULL }
-};
-
-void
-cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	if (obj->value.map.id != NULL) {
-		cfg_print_obj(pctx, obj->value.map.id);
-		cfg_print_chars(pctx, " ", 1);
-	}
-	print_open(pctx);
-	cfg_print_mapbody(pctx, obj);
-	print_close(pctx);
-}
-
-static void
-print_clause_flags(cfg_printer_t *pctx, unsigned int flags) {
-	struct flagtext *p;
-	isc_boolean_t first = ISC_TRUE;
-	for (p = flagtexts; p->flag != 0; p++) {
-		if ((flags & p->flag) != 0) {
-			if (first)
-				cfg_print_chars(pctx, " // ", 4);
-			else
-				cfg_print_chars(pctx, ", ", 2);
-			cfg_print_cstr(pctx, p->text);
-			first = ISC_FALSE;
-		}
-	}
-}
-
-void
-cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const cfg_clausedef_t * const *clauseset;
-	const cfg_clausedef_t *clause;
-
-	if (type->parse == cfg_parse_named_map) {
-		cfg_doc_obj(pctx, &cfg_type_astring);
-		cfg_print_chars(pctx, " ", 1);
-	} else if (type->parse == cfg_parse_addressed_map) {
-		cfg_doc_obj(pctx, &cfg_type_netaddr);
-		cfg_print_chars(pctx, " ", 1);
-	} else if (type->parse == cfg_parse_netprefix_map) {
-		cfg_doc_obj(pctx, &cfg_type_netprefix);
-		cfg_print_chars(pctx, " ", 1);
-	}
-
-	print_open(pctx);
-
-	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
-		for (clause = *clauseset;
-		     clause->name != NULL;
-		     clause++) {
-			print_indent(pctx);
-			cfg_print_cstr(pctx, clause->name);
-			if (clause->type->print != cfg_print_void)
-				cfg_print_chars(pctx, " ", 1);
-			cfg_doc_obj(pctx, clause->type);
-			cfg_print_chars(pctx, ";", 1);
-			print_clause_flags(pctx, clause->flags);
-			cfg_print_chars(pctx, "\n", 1);
-		}
-	}
-	print_close(pctx);
-}
-
-isc_boolean_t
-cfg_obj_ismap(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_map));
-}
-
-isc_result_t
-cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj) {
-	isc_result_t result;
-	isc_symvalue_t val;
-	const cfg_map_t *map;
-
-	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
-	REQUIRE(name != NULL);
-	REQUIRE(obj != NULL && *obj == NULL);
-
-	map = &mapobj->value.map;
-
-	result = isc_symtab_lookup(map->symtab, name, MAP_SYM, &val);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	*obj = val.as_pointer;
-	return (ISC_R_SUCCESS);
-}
-
-const cfg_obj_t *
-cfg_map_getname(const cfg_obj_t *mapobj) {
-	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
-	return (mapobj->value.map.id);
-}
-
-
-/* Parse an arbitrary token, storing its raw text representation. */
-static isc_result_t
-parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	cfg_obj_t *obj = NULL;
-	isc_result_t result;
-	isc_region_t r;
-
-	UNUSED(type);
-
-	CHECK(cfg_create_obj(pctx, &cfg_type_token, &obj));
-	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
-	if (pctx->token.type == isc_tokentype_eof) {
-		cfg_ungettoken(pctx);
-		result = ISC_R_EOF;
-		goto cleanup;
-	}
-
-	isc_lex_getlasttokentext(pctx->lexer, &pctx->token, &r);
-
-	obj->value.string.base = isc_mem_get(pctx->mctx, r.length + 1);
-	if (obj->value.string.base == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup;
-	}
-	obj->value.string.length = r.length;
-	memcpy(obj->value.string.base, r.base, r.length);
-	obj->value.string.base[r.length] = '\0';
-	*ret = obj;
-	return (result);
-
- cleanup:
-	if (obj != NULL)
-		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
-	return (result);
-}
-
-cfg_type_t cfg_type_token = {
-	"token", parse_token, cfg_print_ustring, cfg_doc_terminal,
-	&cfg_rep_string, NULL
-};
-
-/*
- * An unsupported option.  This is just a list of tokens with balanced braces
- * ending in a semicolon.
- */
-
-static isc_result_t
-parse_unsupported(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	cfg_obj_t *listobj = NULL;
-	isc_result_t result;
-	int braces = 0;
-
-	CHECK(cfg_create_list(pctx, type, &listobj));
-
-	for (;;) {
-		cfg_listelt_t *elt = NULL;
-
-		CHECK(cfg_peektoken(pctx, 0));
-		if (pctx->token.type == isc_tokentype_special) {
-			if (pctx->token.value.as_char == '{')
-				braces++;
-			else if (pctx->token.value.as_char == '}')
-				braces--;
-			else if (pctx->token.value.as_char == ';')
-				if (braces == 0)
-					break;
-		}
-		if (pctx->token.type == isc_tokentype_eof || braces < 0) {
-			cfg_parser_error(pctx, CFG_LOG_NEAR, "unexpected token");
-			result = ISC_R_UNEXPECTEDTOKEN;
-			goto cleanup;
-		}
-
-		CHECK(cfg_parse_listelt(pctx, &cfg_type_token, &elt));
-		ISC_LIST_APPEND(listobj->value.list, elt, link);
-	}
-	INSIST(braces == 0);
-	*ret = listobj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	CLEANUP_OBJ(listobj);
-	return (result);
-}
-
-cfg_type_t cfg_type_unsupported = {
-	"unsupported", parse_unsupported, cfg_print_spacelist, cfg_doc_terminal,
-	&cfg_rep_list, NULL
-};
-
-/*
- * Try interpreting the current token as a network address.
- *
- * If CFG_ADDR_WILDOK is set in flags, "*" can be used as a wildcard
- * and at least one of CFG_ADDR_V4OK and CFG_ADDR_V6OK must also be set.  The
- * "*" is interpreted as the IPv4 wildcard address if CFG_ADDR_V4OK is
- * set (including the case where CFG_ADDR_V4OK and CFG_ADDR_V6OK are both set),
- * and the IPv6 wildcard address otherwise.
- */
-static isc_result_t
-token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
-	char *s;
-	struct in_addr in4a;
-	struct in6_addr in6a;
-
-	if (pctx->token.type != isc_tokentype_string)
-		return (ISC_R_UNEXPECTEDTOKEN);
-
-	s = TOKEN_STRING(pctx);
-	if ((flags & CFG_ADDR_WILDOK) != 0 && strcmp(s, "*") == 0) {
-		if ((flags & CFG_ADDR_V4OK) != 0) {
-			isc_netaddr_any(na);
-			return (ISC_R_SUCCESS);
-		} else if ((flags & CFG_ADDR_V6OK) != 0) {
-			isc_netaddr_any6(na);
-			return (ISC_R_SUCCESS);
-		} else {
-			INSIST(0);
-		}
-	} else {
-		if ((flags & (CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK)) != 0) {
-			if (inet_pton(AF_INET, s, &in4a) == 1) {
-				isc_netaddr_fromin(na, &in4a);
-				return (ISC_R_SUCCESS);
-			}
-		}
-		if ((flags & CFG_ADDR_V4PREFIXOK) != 0 &&
-		    strlen(s) <= 15U) {
-			char buf[64];
-			int i;
-
-			strcpy(buf, s);
-			for (i = 0; i < 3; i++) {
-				strcat(buf, ".0");
-				if (inet_pton(AF_INET, buf, &in4a) == 1) {
-					isc_netaddr_fromin(na, &in4a);
-					return (ISC_R_SUCCESS);
-				}
-			}
-		}
-		if ((flags & CFG_ADDR_V6OK) != 0 &&
-		    strlen(s) <= 127U) {
-			char buf[128]; /* see lib/bind9/getaddresses.c */
-			char *d; /* zone delimiter */
-			isc_uint32_t zone = 0; /* scope zone ID */
-
-			strcpy(buf, s);
-			d = strchr(buf, '%');
-			if (d != NULL)
-				*d = '\0';
-
-			if (inet_pton(AF_INET6, buf, &in6a) == 1) {
-				if (d != NULL) {
-#ifdef ISC_PLATFORM_HAVESCOPEID
-					isc_result_t result;
-
-					result = isc_netscope_pton(AF_INET6,
-								   d + 1,
-								   &in6a,
-								   &zone);
-					if (result != ISC_R_SUCCESS)
-						return (result);
-#else
-				return (ISC_R_BADADDRESSFORM);
-#endif
-				}
-
-				isc_netaddr_fromin6(na, &in6a);
-				isc_netaddr_setzone(na, zone);
-				return (ISC_R_SUCCESS);
-			}
-		}
-	}
-	return (ISC_R_UNEXPECTEDTOKEN);
-}
-
-isc_result_t
-cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
-	isc_result_t result;
-	const char *wild = "";
-	const char *prefix = "";
-
-	CHECK(cfg_gettoken(pctx, 0));
-	result = token_addr(pctx, flags, na);
-	if (result == ISC_R_UNEXPECTEDTOKEN) {
-		if ((flags & CFG_ADDR_WILDOK) != 0)
-			wild = " or '*'";
-		if ((flags & CFG_ADDR_V4PREFIXOK) != 0)
-			wild = " or IPv4 prefix";
-		if ((flags & CFG_ADDR_MASK) == CFG_ADDR_V4OK)
-			cfg_parser_error(pctx, CFG_LOG_NEAR,
-					 "expected IPv4 address%s%s",
-					 prefix, wild);
-		else if ((flags & CFG_ADDR_MASK) == CFG_ADDR_V6OK)
-			cfg_parser_error(pctx, CFG_LOG_NEAR,
-					 "expected IPv6 address%s%s",
-					 prefix, wild);
-		else
-			cfg_parser_error(pctx, CFG_LOG_NEAR,
-					 "expected IP address%s%s",
-					 prefix, wild);
-	}
- cleanup:
-	return (result);
-}
-
-isc_boolean_t
-cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags) {
-	isc_result_t result;
-	isc_netaddr_t na_dummy;
-	result = token_addr(pctx, flags, &na_dummy);
-	return (ISC_TF(result == ISC_R_SUCCESS));
-}
-
-isc_result_t
-cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
-	isc_result_t result;
-
-	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
-
-	if ((flags & CFG_ADDR_WILDOK) != 0 &&
-	    pctx->token.type == isc_tokentype_string &&
-	    strcmp(TOKEN_STRING(pctx), "*") == 0) {
-		*port = 0;
-		return (ISC_R_SUCCESS);
-	}
-	if (pctx->token.type != isc_tokentype_number) {
-		cfg_parser_error(pctx, CFG_LOG_NEAR,
-			     "expected port number or '*'");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
-	if (pctx->token.value.as_ulong >= 65536U) {
-		cfg_parser_error(pctx, CFG_LOG_NEAR,
-			     "port number out of range");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
-	*port = (in_port_t)(pctx->token.value.as_ulong);
-	return (ISC_R_SUCCESS);
- cleanup:
-	return (result);
-}
-
-void
-cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na) {
-	isc_result_t result;
-	char text[128];
-	isc_buffer_t buf;
-
-	isc_buffer_init(&buf, text, sizeof(text));
-	result = isc_netaddr_totext(na, &buf);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	cfg_print_chars(pctx, isc_buffer_base(&buf), isc_buffer_usedlength(&buf));
-}
-
-/* netaddr */
-
-static unsigned int netaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
-static unsigned int netaddr4_flags = CFG_ADDR_V4OK;
-static unsigned int netaddr4wild_flags = CFG_ADDR_V4OK | CFG_ADDR_WILDOK;
-static unsigned int netaddr6_flags = CFG_ADDR_V6OK;
-static unsigned int netaddr6wild_flags = CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
-
-static isc_result_t
-parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj = NULL;
-	isc_netaddr_t netaddr;
-	unsigned int flags = *(const unsigned int *)type->of;
-
-	CHECK(cfg_create_obj(pctx, type, &obj));
-	CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
-	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, 0);
-	*ret = obj;
-	return (ISC_R_SUCCESS);
- cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-static void
-cfg_doc_netaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const unsigned int *flagp = type->of;
-	int n = 0;
-	if (*flagp != CFG_ADDR_V4OK && *flagp != CFG_ADDR_V6OK)
-		cfg_print_chars(pctx, "( ", 2);
-	if (*flagp & CFG_ADDR_V4OK) {
-		cfg_print_cstr(pctx, "<ipv4_address>");
-		n++;
-	}
-	if (*flagp & CFG_ADDR_V6OK) {
-		if (n != 0)
-			cfg_print_chars(pctx, " | ", 3);
-		cfg_print_cstr(pctx, "<ipv6_address>");
-		n++;
-	}
-	if (*flagp & CFG_ADDR_WILDOK) {
-		if (n != 0)
-			cfg_print_chars(pctx, " | ", 3);
-		cfg_print_chars(pctx, "*", 1);
-		n++;
-		POST(n);
-	}
-	if (*flagp != CFG_ADDR_V4OK && *flagp != CFG_ADDR_V6OK)
-		cfg_print_chars(pctx, " )", 2);
-}
-
-cfg_type_t cfg_type_netaddr = {
-	"netaddr", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
-	&cfg_rep_sockaddr, &netaddr_flags
-};
-
-cfg_type_t cfg_type_netaddr4 = {
-	"netaddr4", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
-	&cfg_rep_sockaddr, &netaddr4_flags
-};
-
-cfg_type_t cfg_type_netaddr4wild = {
-	"netaddr4wild", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
-	&cfg_rep_sockaddr, &netaddr4wild_flags
-};
-
-cfg_type_t cfg_type_netaddr6 = {
-	"netaddr6", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
-	&cfg_rep_sockaddr, &netaddr6_flags
-};
-
-cfg_type_t cfg_type_netaddr6wild = {
-	"netaddr6wild", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
-	&cfg_rep_sockaddr, &netaddr6wild_flags
-};
-
-/* netprefix */
-
-isc_result_t
-cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
-		    cfg_obj_t **ret)
-{
-	cfg_obj_t *obj = NULL;
-	isc_result_t result;
-	isc_netaddr_t netaddr;
-	unsigned int addrlen = 0, prefixlen;
-	UNUSED(type);
-
-	CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK |
-				CFG_ADDR_V6OK, &netaddr));
-	switch (netaddr.family) {
-	case AF_INET:
-		addrlen = 32;
-		break;
-	case AF_INET6:
-		addrlen = 128;
-		break;
-	default:
-		INSIST(0);
-		break;
-	}
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_special &&
-	    pctx->token.value.as_char == '/') {
-		CHECK(cfg_gettoken(pctx, 0)); /* read "/" */
-		CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
-		if (pctx->token.type != isc_tokentype_number) {
-			cfg_parser_error(pctx, CFG_LOG_NEAR,
-				     "expected prefix length");
-			return (ISC_R_UNEXPECTEDTOKEN);
-		}
-		prefixlen = pctx->token.value.as_ulong;
-		if (prefixlen > addrlen) {
-			cfg_parser_error(pctx, CFG_LOG_NOPREP,
-				     "invalid prefix length");
-			return (ISC_R_RANGE);
-		}
-	} else {
-		prefixlen = addrlen;
-	}
-	CHECK(cfg_create_obj(pctx, &cfg_type_netprefix, &obj));
-	obj->value.netprefix.address = netaddr;
-	obj->value.netprefix.prefixlen = prefixlen;
-	*ret = obj;
-	return (ISC_R_SUCCESS);
- cleanup:
-	cfg_parser_error(pctx, CFG_LOG_NEAR, "expected network prefix");
-	return (result);
-}
-
-static void
-print_netprefix(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	const cfg_netprefix_t *p = &obj->value.netprefix;
-
-	cfg_print_rawaddr(pctx, &p->address);
-	cfg_print_chars(pctx, "/", 1);
-	cfg_print_rawuint(pctx, p->prefixlen);
-}
-
-isc_boolean_t
-cfg_obj_isnetprefix(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_netprefix));
-}
-
-void
-cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
-		    unsigned int *prefixlen)
-{
-	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_netprefix);
-	REQUIRE(netaddr != NULL);
-	REQUIRE(prefixlen != NULL);
-
-	*netaddr = obj->value.netprefix.address;
-	*prefixlen = obj->value.netprefix.prefixlen;
-}
-
-cfg_type_t cfg_type_netprefix = {
-	"netprefix", cfg_parse_netprefix, print_netprefix, cfg_doc_terminal,
-	&cfg_rep_netprefix, NULL
-};
-
-static isc_result_t
-parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type,
-		  int flags, cfg_obj_t **ret)
-{
-	isc_result_t result;
-	isc_netaddr_t netaddr;
-	in_port_t port = 0;
-	cfg_obj_t *obj = NULL;
-
-	CHECK(cfg_create_obj(pctx, type, &obj));
-	CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
-	CHECK(cfg_peektoken(pctx, 0));
-	if (pctx->token.type == isc_tokentype_string &&
-	    strcasecmp(TOKEN_STRING(pctx), "port") == 0) {
-		CHECK(cfg_gettoken(pctx, 0)); /* read "port" */
-		CHECK(cfg_parse_rawport(pctx, flags, &port));
-	}
-	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	CLEANUP_OBJ(obj);
-	return (result);
-}
-
-static unsigned int sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
-cfg_type_t cfg_type_sockaddr = {
-	"sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr, cfg_doc_sockaddr,
-	&cfg_rep_sockaddr, &sockaddr_flags
-};
-
-isc_result_t
-cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	const unsigned int *flagp = type->of;
-	return (parse_sockaddrsub(pctx, &cfg_type_sockaddr, *flagp, ret));
-}
-
-void
-cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj) {
-	isc_netaddr_t netaddr;
-	in_port_t port;
-	char buf[ISC_NETADDR_FORMATSIZE];
-
-	isc_netaddr_fromsockaddr(&netaddr, &obj->value.sockaddr);
-	isc_netaddr_format(&netaddr, buf, sizeof(buf));
-	cfg_print_cstr(pctx, buf);
-	port = isc_sockaddr_getport(&obj->value.sockaddr);
-	if (port != 0) {
-		cfg_print_chars(pctx, " port ", 6);
-		cfg_print_rawuint(pctx, port);
-	}
-}
-
-void
-cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const unsigned int *flagp = type->of;
-	int n = 0;
-	cfg_print_chars(pctx, "( ", 2);
-	if (*flagp & CFG_ADDR_V4OK) {
-		cfg_print_cstr(pctx, "<ipv4_address>");
-		n++;
-	}
-	if (*flagp & CFG_ADDR_V6OK) {
-		if (n != 0)
-			cfg_print_chars(pctx, " | ", 3);
-		cfg_print_cstr(pctx, "<ipv6_address>");
-		n++;
-	}
-	if (*flagp & CFG_ADDR_WILDOK) {
-		if (n != 0)
-			cfg_print_chars(pctx, " | ", 3);
-		cfg_print_chars(pctx, "*", 1);
-		n++;
-		POST(n);
-	}
-	cfg_print_chars(pctx, " ) ", 3);
-	if (*flagp & CFG_ADDR_WILDOK) {
-		cfg_print_cstr(pctx, "[ port ( <integer> | * ) ]");
-	} else {
-		cfg_print_cstr(pctx, "[ port <integer> ]");
-	}
-}
-
-isc_boolean_t
-cfg_obj_issockaddr(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL);
-	return (ISC_TF(obj->type->rep == &cfg_rep_sockaddr));
-}
-
-const isc_sockaddr_t *
-cfg_obj_assockaddr(const cfg_obj_t *obj) {
-	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
-	return (&obj->value.sockaddr);
-}
-
-isc_result_t
-cfg_gettoken(cfg_parser_t *pctx, int options) {
-	isc_result_t result;
-
-	if (pctx->seen_eof)
-		return (ISC_R_SUCCESS);
-
-	options |= (ISC_LEXOPT_EOF | ISC_LEXOPT_NOMORE);
-
- redo:
-	pctx->token.type = isc_tokentype_unknown;
-	result = isc_lex_gettoken(pctx->lexer, options, &pctx->token);
-	pctx->ungotten = ISC_FALSE;
-	pctx->line = isc_lex_getsourceline(pctx->lexer);
-
-	switch (result) {
-	case ISC_R_SUCCESS:
-		if (pctx->token.type == isc_tokentype_eof) {
-			result = isc_lex_close(pctx->lexer);
-			INSIST(result == ISC_R_NOMORE ||
-			       result == ISC_R_SUCCESS);
-
-			if (isc_lex_getsourcename(pctx->lexer) != NULL) {
-				/*
-				 * Closed an included file, not the main file.
-				 */
-				cfg_listelt_t *elt;
-				elt = ISC_LIST_TAIL(pctx->open_files->
-						    value.list);
-				INSIST(elt != NULL);
-				ISC_LIST_UNLINK(pctx->open_files->
-						value.list, elt, link);
-				ISC_LIST_APPEND(pctx->closed_files->
-						value.list, elt, link);
-				goto redo;
-			}
-			pctx->seen_eof = ISC_TRUE;
-		}
-		break;
-
-	case ISC_R_NOSPACE:
-		/* More understandable than "ran out of space". */
-		cfg_parser_error(pctx, CFG_LOG_NEAR, "token too big");
-		break;
-
-	case ISC_R_IOERROR:
-		cfg_parser_error(pctx, 0, "%s",
-				 isc_result_totext(result));
-		break;
-
-	default:
-		cfg_parser_error(pctx, CFG_LOG_NEAR, "%s",
-				 isc_result_totext(result));
-		break;
-	}
-	return (result);
-}
-
-void
-cfg_ungettoken(cfg_parser_t *pctx) {
-	if (pctx->seen_eof)
-		return;
-	isc_lex_ungettoken(pctx->lexer, &pctx->token);
-	pctx->ungotten = ISC_TRUE;
-}
-
-isc_result_t
-cfg_peektoken(cfg_parser_t *pctx, int options) {
-	isc_result_t result;
-	CHECK(cfg_gettoken(pctx, options));
-	cfg_ungettoken(pctx);
- cleanup:
-	return (result);
-}
-
-/*
- * Get a string token, accepting both the quoted and the unquoted form.
- * Log an error if the next token is not a string.
- */
-static isc_result_t
-cfg_getstringtoken(cfg_parser_t *pctx) {
-	isc_result_t result;
-
-	result = cfg_gettoken(pctx, CFG_LEXOPT_QSTRING);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-
-	if (pctx->token.type != isc_tokentype_string &&
-	    pctx->token.type != isc_tokentype_qstring) {
-		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected string");
-		return (ISC_R_UNEXPECTEDTOKEN);
-	}
-	return (ISC_R_SUCCESS);
-}
-
-void
-cfg_parser_error(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
-	va_list args;
-	va_start(args, fmt);
-	parser_complain(pctx, ISC_FALSE, flags, fmt, args);
-	va_end(args);
-	pctx->errors++;
-}
-
-void
-cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
-	va_list args;
-	va_start(args, fmt);
-	parser_complain(pctx, ISC_TRUE, flags, fmt, args);
-	va_end(args);
-	pctx->warnings++;
-}
-
-#define MAX_LOG_TOKEN 30 /* How much of a token to quote in log messages. */
-
-static isc_boolean_t
-have_current_file(cfg_parser_t *pctx) {
-	cfg_listelt_t *elt;
-	if (pctx->open_files == NULL)
-		return (ISC_FALSE);
-
-	elt = ISC_LIST_TAIL(pctx->open_files->value.list);
-	if (elt == NULL)
-	      return (ISC_FALSE);
-
-	return (ISC_TRUE);
-}
-
-static char *
-current_file(cfg_parser_t *pctx) {
-	static char none[] = "none";
-	cfg_listelt_t *elt;
-	cfg_obj_t *fileobj;
-
-	if (!have_current_file(pctx))
-		return (none);
-
-	elt = ISC_LIST_TAIL(pctx->open_files->value.list);
-	if (elt == NULL)	/* shouldn't be possible, but... */
-	      return (none);
-
-	fileobj = elt->obj;
-	INSIST(fileobj->type == &cfg_type_qstring);
-	return (fileobj->value.string.base);
-}
-
-static void
-parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
-		unsigned int flags, const char *format,
-		va_list args)
-{
-	char tokenbuf[MAX_LOG_TOKEN + 10];
-	static char where[ISC_DIR_PATHMAX + 100];
-	static char message[2048];
-	int level = ISC_LOG_ERROR;
-	const char *prep = "";
-	size_t len;
-
-	if (is_warning)
-		level = ISC_LOG_WARNING;
-
-	where[0] = '\0';
-	if (have_current_file(pctx))
-		snprintf(where, sizeof(where), "%s:%u: ",
-			 current_file(pctx), pctx->line);
-
-	len = vsnprintf(message, sizeof(message), format, args);
-	if (len >= sizeof(message))
-		FATAL_ERROR(__FILE__, __LINE__,
-			    "error message would overflow");
-
-	if ((flags & (CFG_LOG_NEAR|CFG_LOG_BEFORE|CFG_LOG_NOPREP)) != 0) {
-		isc_region_t r;
-
-		if (pctx->ungotten)
-			(void)cfg_gettoken(pctx, 0);
-
-		if (pctx->token.type == isc_tokentype_eof) {
-			snprintf(tokenbuf, sizeof(tokenbuf), "end of file");
-		} else if (pctx->token.type == isc_tokentype_unknown) {
-			flags = 0;
-			tokenbuf[0] = '\0';
-		} else {
-			isc_lex_getlasttokentext(pctx->lexer,
-						 &pctx->token, &r);
-			if (r.length > MAX_LOG_TOKEN)
-				snprintf(tokenbuf, sizeof(tokenbuf),
-					 "'%.*s...'", MAX_LOG_TOKEN, r.base);
-			else
-				snprintf(tokenbuf, sizeof(tokenbuf),
-					 "'%.*s'", (int)r.length, r.base);
-		}
-
-		/* Choose a preposition. */
-		if (flags & CFG_LOG_NEAR)
-			prep = " near ";
-		else if (flags & CFG_LOG_BEFORE)
-			prep = " before ";
-		else
-			prep = " ";
-	} else {
-		tokenbuf[0] = '\0';
-	}
-	isc_log_write(pctx->lctx, CAT, MOD, level,
-		      "%s%s%s%s", where, message, prep, tokenbuf);
-}
-
-void
-cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
-	    const char *fmt, ...) {
-	va_list ap;
-	char msgbuf[2048];
-
-	if (! isc_log_wouldlog(lctx, level))
-		return;
-
-	va_start(ap, fmt);
-
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-	isc_log_write(lctx, CAT, MOD, level,
-		      "%s:%u: %s",
-		      obj->file == NULL ? "<unknown file>" : obj->file,
-		      obj->line, msgbuf);
-	va_end(ap);
-}
-
-const char *
-cfg_obj_file(const cfg_obj_t *obj) {
-	return (obj->file);
-}
-
-unsigned int
-cfg_obj_line(const cfg_obj_t *obj) {
-	return (obj->line);
-}
-
-isc_result_t
-cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	cfg_obj_t *obj;
-
-	obj = isc_mem_get(pctx->mctx, sizeof(cfg_obj_t));
-	if (obj == NULL)
-		return (ISC_R_NOMEMORY);
-	obj->type = type;
-	obj->file = current_file(pctx);
-	obj->line = pctx->line;
-	result = isc_refcount_init(&obj->references, 1);
-	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
-		return (result);
-	}
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-}
-
-
-static void
-map_symtabitem_destroy(char *key, unsigned int type,
-		       isc_symvalue_t symval, void *userarg)
-{
-	cfg_obj_t *obj = symval.as_pointer;
-	cfg_parser_t *pctx = (cfg_parser_t *)userarg;
-
-	UNUSED(key);
-	UNUSED(type);
-
-	cfg_obj_destroy(pctx, &obj);
-}
-
-
-static isc_result_t
-create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-	isc_result_t result;
-	isc_symtab_t *symtab = NULL;
-	cfg_obj_t *obj = NULL;
-
-	CHECK(cfg_create_obj(pctx, type, &obj));
-	CHECK(isc_symtab_create(pctx->mctx, 5, /* XXX */
-				map_symtabitem_destroy,
-				pctx, ISC_FALSE, &symtab));
-	obj->value.map.symtab = symtab;
-	obj->value.map.id = NULL;
-
-	*ret = obj;
-	return (ISC_R_SUCCESS);
-
- cleanup:
-	if (obj != NULL)
-		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
-	return (result);
-}
-
-static void
-free_map(cfg_parser_t *pctx, cfg_obj_t *obj) {
-	CLEANUP_OBJ(obj->value.map.id);
-	isc_symtab_destroy(&obj->value.map.symtab);
-}
-
-isc_boolean_t
-cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type) {
-	return (ISC_TF(obj->type == type));
-}
-
-/*
- * Destroy 'obj', a configuration object created in 'pctx'.
- */
-void
-cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **objp) {
-	cfg_obj_t *obj;
-	unsigned int refs;
-
-	REQUIRE(objp != NULL && *objp != NULL);
-	REQUIRE(pctx != NULL);
-
-	obj = *objp;
-
-	isc_refcount_decrement(&obj->references, &refs);
-	if (refs == 0) {
-		obj->type->rep->free(pctx, obj);
-		isc_refcount_destroy(&obj->references);
-		isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
-	}
-	*objp = NULL;
-}
-
-void
-cfg_obj_attach(cfg_obj_t *src, cfg_obj_t **dest) {
-    REQUIRE(src != NULL);
-    REQUIRE(dest != NULL && *dest == NULL);
-    isc_refcount_increment(&src->references, NULL);
-    *dest = src;
-}
-
-static void
-free_noop(cfg_parser_t *pctx, cfg_obj_t *obj) {
-	UNUSED(pctx);
-	UNUSED(obj);
-}
-
-void
-cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type) {
-	type->doc(pctx, type);
-}
-
-void
-cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type) {
-	cfg_print_chars(pctx, "<", 1);
-	cfg_print_cstr(pctx, type->name);
-	cfg_print_chars(pctx, ">", 1);
-}
-
-void
-cfg_print_grammar(const cfg_type_t *type,
-	void (*f)(void *closure, const char *text, int textlen),
-	void *closure)
-{
-	cfg_printer_t pctx;
-	pctx.f = f;
-	pctx.closure = closure;
-	pctx.indent = 0;
-	cfg_doc_obj(&pctx, type);
-}
diff --git a/contrib/bind9/lib/isccfg/version.c b/contrib/bind9/lib/isccfg/version.c
deleted file mode 100644
index 25b98c6..0000000
--- a/contrib/bind9/lib/isccfg/version.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.7 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-#include <isccfg/version.h>
-
-const char cfg_version[] = VERSION;
-
-const unsigned int cfg_libinterface = LIBINTERFACE;
-const unsigned int cfg_librevision = LIBREVISION;
-const unsigned int cfg_libage = LIBAGE;
-
diff --git a/contrib/bind9/lib/lwres/Makefile.in b/contrib/bind9/lib/lwres/Makefile.in
deleted file mode 100644
index 0cf873b..0000000
--- a/contrib/bind9/lib/lwres/Makefile.in
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.34 2007/06/19 23:47:22 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBLWRES_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES =	-I${srcdir}/unix/include \
-		-I. -I./include -I${srcdir}/include ${ISC_INCLUDES}
-CDEFINES =
-CWARNINGS =
-
-# Alphabetically
-OBJS =		context.@O@ gai_strerror.@O@ getaddrinfo.@O@ gethost.@O@ \
-		getipnode.@O@ getnameinfo.@O@ getrrset.@O@ herror.@O@ \
-		lwbuffer.@O@ lwconfig.@O@ lwpacket.@O@ lwresutil.@O@ \
-		lwres_gabn.@O@ lwres_gnba.@O@ lwres_grbn.@O@ lwres_noop.@O@ \
-		lwinetaton.@O@ lwinetpton.@O@ lwinetntop.@O@ print.@O@ \
-		strtoul.@O@
-
-# Alphabetically
-SRCS =		context.c gai_strerror.c getaddrinfo.c gethost.c \
-		getipnode.c getnameinfo.c getrrset.c herror.c \
-		lwbuffer.c lwconfig.c lwpacket.c lwresutil.c \
-		lwres_gabn.c lwres_gnba.c lwres_grbn.c lwres_noop.c \
-		lwinetaton.c lwinetpton.c lwinetntop.c print.c \
-		strtoul.c
-
-LIBS =		@LIBS@
-
-SUBDIRS =	include man unix
-TARGETS =	timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DVERSION=\"${VERSION}\" \
-		-DLIBINTERFACE=${LIBINTERFACE} \
-		-DLIBREVISION=${LIBREVISION} \
-		-DLIBAGE=${LIBAGE} \
-		-c ${srcdir}/version.c
-
-liblwres.@SA@: ${OBJS} version.@O@
-	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
-	${RANLIB} $@
-
-liblwres.la: ${OBJS} version.@O@
-	${LIBTOOL_MODE_LINK} \
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o liblwres.la -rpath ${libdir} \
-		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-		${OBJS} version.@O@ ${LIBS}
-
-timestamp: liblwres.@A@
-	touch timestamp
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} liblwres.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
-	rm -f liblwres.@A@ liblwres.la timestamp
diff --git a/contrib/bind9/lib/lwres/api b/contrib/bind9/lib/lwres/api
deleted file mode 100644
index 95bd204..0000000
--- a/contrib/bind9/lib/lwres/api
+++ /dev/null
@@ -1,9 +0,0 @@
-# LIBINTERFACE ranges
-# 9.6: 50-59, 110-119
-# 9.7: 60-79
-# 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-LIBINTERFACE = 90
-LIBREVISION = 4
-LIBAGE = 0
diff --git a/contrib/bind9/lib/lwres/assert_p.h b/contrib/bind9/lib/lwres/assert_p.h
deleted file mode 100644
index 930fcdc..0000000
--- a/contrib/bind9/lib/lwres/assert_p.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef LWRES_ASSERT_P_H
-#define LWRES_ASSERT_P_H 1
-
-/*! \file */
-
-#include <assert.h>		/* Required for assert() prototype. */
-
-#define REQUIRE(x)		assert(x)
-#define INSIST(x)		assert(x)
-
-#define UNUSED(x)		((void)(x))
-#define POST(x)			((void)(x))
-
-#define SPACE_OK(b, s)		(LWRES_BUFFER_AVAILABLECOUNT(b) >= (s))
-#define SPACE_REMAINING(b, s)	(LWRES_BUFFER_REMAINING(b) >= (s))
-
-#endif /* LWRES_ASSERT_P_H */
diff --git a/contrib/bind9/lib/lwres/context.c b/contrib/bind9/lib/lwres/context.c
deleted file mode 100644
index 047707f..0000000
--- a/contrib/bind9/lib/lwres/context.c
+++ /dev/null
@@ -1,504 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context.c,v 1.55 2009/09/02 23:48:03 tbox Exp $ */
-
-/*! \file context.c
-   lwres_context_create() creates a #lwres_context_t structure for use in
-   lightweight resolver operations. It holds a socket and other data
-   needed for communicating with a resolver daemon. The new
-   lwres_context_t is returned through contextp, a pointer to a
-   lwres_context_t pointer. This lwres_context_t pointer must initially
-   be NULL, and is modified to point to the newly created
-   lwres_context_t.
-
-   When the lightweight resolver needs to perform dynamic memory
-   allocation, it will call malloc_function to allocate memory and
-   free_function to free it. If malloc_function and free_function are
-   NULL, memory is allocated using malloc and free. It is not
-   permitted to have a NULL malloc_function and a non-NULL free_function
-   or vice versa. arg is passed as the first parameter to the memory
-   allocation functions. If malloc_function and free_function are NULL,
-   arg is unused and should be passed as NULL.
-
-   Once memory for the structure has been allocated, it is initialized
-   using lwres_conf_init() and returned via *contextp.
-
-   lwres_context_destroy() destroys a #lwres_context_t, closing its
-   socket. contextp is a pointer to a pointer to the context that is to
-   be destroyed. The pointer will be set to NULL when the context has
-   been destroyed.
-
-   The context holds a serial number that is used to identify resolver
-   request packets and associate responses with the corresponding
-   requests. This serial number is controlled using
-   lwres_context_initserial() and lwres_context_nextserial().
-   lwres_context_initserial() sets the serial number for context *ctx to
-   serial. lwres_context_nextserial() increments the serial number and
-   returns the previous value.
-
-   Memory for a lightweight resolver context is allocated and freed using
-   lwres_context_allocmem() and lwres_context_freemem(). These use
-   whatever allocations were defined when the context was created with
-   lwres_context_create(). lwres_context_allocmem() allocates len bytes
-   of memory and if successful returns a pointer to the allocated
-   storage. lwres_context_freemem() frees len bytes of space starting at
-   location mem.
-
-   lwres_context_sendrecv() performs I/O for the context ctx. Data are
-   read and written from the context's socket. It writes data from
-   sendbase -- typically a lightweight resolver query packet -- and waits
-   for a reply which is copied to the receive buffer at recvbase. The
-   number of bytes that were written to this receive buffer is returned
-   in *recvd_len.
-
-\section context_return Return Values
-
-   lwres_context_create() returns #LWRES_R_NOMEMORY if memory for the
-   struct lwres_context could not be allocated, #LWRES_R_SUCCESS
-   otherwise.
-
-   Successful calls to the memory allocator lwres_context_allocmem()
-   return a pointer to the start of the allocated space. It returns NULL
-   if memory could not be allocated.
-
-   #LWRES_R_SUCCESS is returned when lwres_context_sendrecv() completes
-   successfully. #LWRES_R_IOERROR is returned if an I/O error occurs and
-   #LWRES_R_TIMEOUT is returned if lwres_context_sendrecv() times out
-   waiting for a response.
-
-\section context_see See Also
-
-   lwres_conf_init(), malloc, free.
- */
-#include <config.h>
-
-#include <fcntl.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/platform.h>
-
-#ifdef LWRES_PLATFORM_NEEDSYSSELECTH
-#include <sys/select.h>
-#endif
-
-#include "context_p.h"
-#include "assert_p.h"
-
-/*!
- * Some systems define the socket length argument as an int, some as size_t,
- * some as socklen_t.  The last is what the current POSIX standard mandates.
- * This definition is here so it can be portable but easily changed if needed.
- */
-#ifndef LWRES_SOCKADDR_LEN_T
-#define LWRES_SOCKADDR_LEN_T unsigned int
-#endif
-
-/*!
- * Make a socket nonblocking.
- */
-#ifndef MAKE_NONBLOCKING
-#define MAKE_NONBLOCKING(sd, retval) \
-do { \
-	retval = fcntl(sd, F_GETFL, 0); \
-	if (retval != -1) { \
-		retval |= O_NONBLOCK; \
-		retval = fcntl(sd, F_SETFL, retval); \
-	} \
-} while (0)
-#endif
-
-LIBLWRES_EXTERNAL_DATA lwres_uint16_t lwres_udp_port = LWRES_UDP_PORT;
-LIBLWRES_EXTERNAL_DATA const char *lwres_resolv_conf = LWRES_RESOLV_CONF;
-
-static void *
-lwres_malloc(void *, size_t);
-
-static void
-lwres_free(void *, void *, size_t);
-
-/*!
- * lwres_result_t
- */
-static lwres_result_t
-context_connect(lwres_context_t *);
-
-/*%
- * Creates a #lwres_context_t structure for use in
- *  lightweight resolver operations.
- */
-lwres_result_t
-lwres_context_create(lwres_context_t **contextp, void *arg,
-		     lwres_malloc_t malloc_function,
-		     lwres_free_t free_function,
-		     unsigned int flags)
-{
-	lwres_context_t *ctx;
-
-	REQUIRE(contextp != NULL && *contextp == NULL);
-
-	/*
-	 * If we were not given anything special to use, use our own
-	 * functions.  These are just wrappers around malloc() and free().
-	 */
-	if (malloc_function == NULL || free_function == NULL) {
-		REQUIRE(malloc_function == NULL);
-		REQUIRE(free_function == NULL);
-		malloc_function = lwres_malloc;
-		free_function = lwres_free;
-	}
-
-	ctx = malloc_function(arg, sizeof(lwres_context_t));
-	if (ctx == NULL)
-		return (LWRES_R_NOMEMORY);
-
-	/*
-	 * Set up the context.
-	 */
-	ctx->malloc = malloc_function;
-	ctx->free = free_function;
-	ctx->arg = arg;
-	ctx->sock = -1;
-
-	ctx->timeout = LWRES_DEFAULT_TIMEOUT;
-	ctx->serial = time(NULL); /* XXXMLG or BEW */
-
-	ctx->use_ipv4 = 1;
-	ctx->use_ipv6 = 1;
-	if ((flags & (LWRES_CONTEXT_USEIPV4 | LWRES_CONTEXT_USEIPV6)) ==
-	    LWRES_CONTEXT_USEIPV6) {
-		ctx->use_ipv4 = 0;
-	}
-	if ((flags & (LWRES_CONTEXT_USEIPV4 | LWRES_CONTEXT_USEIPV6)) ==
-	    LWRES_CONTEXT_USEIPV4) {
-		ctx->use_ipv6 = 0;
-	}
-
-	/*
-	 * Init resolv.conf bits.
-	 */
-	lwres_conf_init(ctx);
-
-	*contextp = ctx;
-	return (LWRES_R_SUCCESS);
-}
-
-/*%
-Destroys a #lwres_context_t, closing its socket.
-contextp is a pointer to a pointer to the context that is
-to be destroyed. The pointer will be set to NULL
-when the context has been destroyed.
- */
-void
-lwres_context_destroy(lwres_context_t **contextp) {
-	lwres_context_t *ctx;
-
-	REQUIRE(contextp != NULL && *contextp != NULL);
-
-	ctx = *contextp;
-	*contextp = NULL;
-
-	if (ctx->sock != -1) {
-#ifdef WIN32
-		DestroySockets();
-#endif
-		(void)close(ctx->sock);
-		ctx->sock = -1;
-	}
-
-	CTXFREE(ctx, sizeof(lwres_context_t));
-}
-/*% Increments the serial number and returns the previous value. */
-lwres_uint32_t
-lwres_context_nextserial(lwres_context_t *ctx) {
-	REQUIRE(ctx != NULL);
-
-	return (ctx->serial++);
-}
-
-/*% Sets the serial number for context *ctx to serial. */
-void
-lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial) {
-	REQUIRE(ctx != NULL);
-
-	ctx->serial = serial;
-}
-
-/*% Frees len bytes of space starting at location mem. */
-void
-lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len) {
-	REQUIRE(mem != NULL);
-	REQUIRE(len != 0U);
-
-	CTXFREE(mem, len);
-}
-
-/*% Allocates len bytes of memory and if successful returns a pointer to the allocated storage. */
-void *
-lwres_context_allocmem(lwres_context_t *ctx, size_t len) {
-	REQUIRE(len != 0U);
-
-	return (CTXMALLOC(len));
-}
-
-static void *
-lwres_malloc(void *arg, size_t len) {
-	void *mem;
-
-	UNUSED(arg);
-
-	mem = malloc(len);
-	if (mem == NULL)
-		return (NULL);
-
-	memset(mem, 0xe5, len);
-
-	return (mem);
-}
-
-static void
-lwres_free(void *arg, void *mem, size_t len) {
-	UNUSED(arg);
-
-	memset(mem, 0xa9, len);
-	free(mem);
-}
-
-static lwres_result_t
-context_connect(lwres_context_t *ctx) {
-	int s;
-	int ret;
-	struct sockaddr_in sin;
-	struct sockaddr_in6 sin6;
-	struct sockaddr *sa;
-	LWRES_SOCKADDR_LEN_T salen;
-	int domain;
-
-	if (ctx->confdata.lwnext != 0) {
-		memcpy(&ctx->address, &ctx->confdata.lwservers[0],
-		       sizeof(lwres_addr_t));
-		LWRES_LINK_INIT(&ctx->address, link);
-	} else {
-		/* The default is the IPv4 loopback address 127.0.0.1. */
-		memset(&ctx->address, 0, sizeof(ctx->address));
-		ctx->address.family = LWRES_ADDRTYPE_V4;
-		ctx->address.length = 4;
-		ctx->address.address[0] = 127;
-		ctx->address.address[1] = 0;
-		ctx->address.address[2] = 0;
-		ctx->address.address[3] = 1;
-	}
-
-	if (ctx->address.family == LWRES_ADDRTYPE_V4) {
-		memcpy(&sin.sin_addr, ctx->address.address,
-		       sizeof(sin.sin_addr));
-		sin.sin_port = htons(lwres_udp_port);
-		sin.sin_family = AF_INET;
-		sa = (struct sockaddr *)&sin;
-		salen = sizeof(sin);
-		domain = PF_INET;
-	} else if (ctx->address.family == LWRES_ADDRTYPE_V6) {
-		memcpy(&sin6.sin6_addr, ctx->address.address,
-		       sizeof(sin6.sin6_addr));
-		sin6.sin6_port = htons(lwres_udp_port);
-		sin6.sin6_family = AF_INET6;
-		sa = (struct sockaddr *)&sin6;
-		salen = sizeof(sin6);
-		domain = PF_INET6;
-	} else
-		return (LWRES_R_IOERROR);
-
-#ifdef WIN32
-	InitSockets();
-#endif
-	s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
-	if (s < 0) {
-#ifdef WIN32
-		DestroySockets();
-#endif
-		return (LWRES_R_IOERROR);
-	}
-
-	ret = connect(s, sa, salen);
-	if (ret != 0) {
-#ifdef WIN32
-		DestroySockets();
-#endif
-		(void)close(s);
-		return (LWRES_R_IOERROR);
-	}
-
-	MAKE_NONBLOCKING(s, ret);
-	if (ret < 0) {
-#ifdef WIN32
-		DestroySockets();
-#endif
-		(void)close(s);
-		return (LWRES_R_IOERROR);
-	}
-
-	ctx->sock = s;
-
-	return (LWRES_R_SUCCESS);
-}
-
-int
-lwres_context_getsocket(lwres_context_t *ctx) {
-	return (ctx->sock);
-}
-
-lwres_result_t
-lwres_context_send(lwres_context_t *ctx,
-		   void *sendbase, int sendlen) {
-	int ret;
-	lwres_result_t lwresult;
-
-	if (ctx->sock == -1) {
-		lwresult = context_connect(ctx);
-		if (lwresult != LWRES_R_SUCCESS)
-			return (lwresult);
-		INSIST(ctx->sock >= 0);
-	}
-
-	ret = sendto(ctx->sock, sendbase, sendlen, 0, NULL, 0);
-	if (ret < 0)
-		return (LWRES_R_IOERROR);
-	if (ret != sendlen)
-		return (LWRES_R_IOERROR);
-
-	return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_context_recv(lwres_context_t *ctx,
-		   void *recvbase, int recvlen,
-		   int *recvd_len)
-{
-	LWRES_SOCKADDR_LEN_T fromlen;
-	struct sockaddr_in sin;
-	struct sockaddr_in6 sin6;
-	struct sockaddr *sa;
-	int ret;
-
-	if (ctx->address.family == LWRES_ADDRTYPE_V4) {
-		sa = (struct sockaddr *)&sin;
-		fromlen = sizeof(sin);
-	} else {
-		sa = (struct sockaddr *)&sin6;
-		fromlen = sizeof(sin6);
-	}
-
-	/*
-	 * The address of fromlen is cast to void * to shut up compiler
-	 * warnings, namely on systems that have the sixth parameter
-	 * prototyped as a signed int when LWRES_SOCKADDR_LEN_T is
-	 * defined as unsigned.
-	 */
-	ret = recvfrom(ctx->sock, recvbase, recvlen, 0, sa, (void *)&fromlen);
-
-	if (ret < 0)
-		return (LWRES_R_IOERROR);
-
-	if (ret == recvlen)
-		return (LWRES_R_TOOLARGE);
-
-	/*
-	 * If we got something other than what we expect, have the caller
-	 * wait for another packet.  This can happen if an old result
-	 * comes in, or if someone is sending us random stuff.
-	 */
-	if (ctx->address.family == LWRES_ADDRTYPE_V4) {
-		if (fromlen != sizeof(sin)
-		    || memcmp(&sin.sin_addr, ctx->address.address,
-			      sizeof(sin.sin_addr)) != 0
-		    || sin.sin_port != htons(lwres_udp_port))
-			return (LWRES_R_RETRY);
-	} else {
-		if (fromlen != sizeof(sin6)
-		    || memcmp(&sin6.sin6_addr, ctx->address.address,
-			      sizeof(sin6.sin6_addr)) != 0
-		    || sin6.sin6_port != htons(lwres_udp_port))
-			return (LWRES_R_RETRY);
-	}
-
-	if (recvd_len != NULL)
-		*recvd_len = ret;
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% performs I/O for the context ctx. */
-lwres_result_t
-lwres_context_sendrecv(lwres_context_t *ctx,
-		       void *sendbase, int sendlen,
-		       void *recvbase, int recvlen,
-		       int *recvd_len)
-{
-	lwres_result_t result;
-	int ret2;
-	fd_set readfds;
-	struct timeval timeout;
-
-	/*
-	 * Type of tv_sec is 32 bits long.
-	 */
-	if (ctx->timeout <= 0x7FFFFFFFU)
-		timeout.tv_sec = (int)ctx->timeout;
-	else
-		timeout.tv_sec = 0x7FFFFFFF;
-
-	timeout.tv_usec = 0;
-
-	result = lwres_context_send(ctx, sendbase, sendlen);
-	if (result != LWRES_R_SUCCESS)
-		return (result);
-
-	/*
-	 * If this is not checked, select() can overflow,
-	 * causing corruption elsewhere.
-	 */
-	if (ctx->sock >= (int)FD_SETSIZE) {
-		close(ctx->sock);
-		ctx->sock = -1;
-		return (LWRES_R_IOERROR);
-	}
-
- again:
-	FD_ZERO(&readfds);
-	FD_SET(ctx->sock, &readfds);
-	ret2 = select(ctx->sock + 1, &readfds, NULL, NULL, &timeout);
-
-	/*
-	 * What happened with select?
-	 */
-	if (ret2 < 0)
-		return (LWRES_R_IOERROR);
-	if (ret2 == 0)
-		return (LWRES_R_TIMEOUT);
-
-	result = lwres_context_recv(ctx, recvbase, recvlen, recvd_len);
-	if (result == LWRES_R_RETRY)
-		goto again;
-
-	return (result);
-}
diff --git a/contrib/bind9/lib/lwres/context_p.h b/contrib/bind9/lib/lwres/context_p.h
deleted file mode 100644
index baac07f..0000000
--- a/contrib/bind9/lib/lwres/context_p.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context_p.h,v 1.19 2008/12/17 23:47:58 tbox Exp $ */
-
-#ifndef LWRES_CONTEXT_P_H
-#define LWRES_CONTEXT_P_H 1
-
-/*! \file */
-
-/*@{*/
-/**
- * Helper functions, assuming the context is always called "ctx" in
- * the scope these functions are called from.
- */
-#define CTXMALLOC(len)		ctx->malloc(ctx->arg, (len))
-#define CTXFREE(addr, len)	ctx->free(ctx->arg, (addr), (len))
-/*@}*/
-
-#define LWRES_DEFAULT_TIMEOUT	120	/* 120 seconds for a reply */
-
-/**
- * Not all the attributes here are actually settable by the application at
- * this time.
- */
-struct lwres_context {
-	unsigned int		timeout;	/*%< time to wait for reply */
-	lwres_uint32_t		serial;		/*%< serial number state */
-
-	/*
-	 * For network I/O.
-	 */
-	int			sock;		/*%< socket to send on */
-	lwres_addr_t		address;	/*%< address to send to */
-	int			use_ipv4;	/*%< use IPv4 transaction */
-	int			use_ipv6;	/*%< use IPv6 transaction */
-
-	/*@{*/
-	/*
-	 * Function pointers for allocating memory.
-	 */
-	lwres_malloc_t		malloc;
-	lwres_free_t		free;
-	void		       *arg;
-	/*@}*/
-
-	/*%
-	 * resolv.conf-like data
-	 */
-	lwres_conf_t		confdata;
-};
-
-#endif /* LWRES_CONTEXT_P_H */
diff --git a/contrib/bind9/lib/lwres/gai_strerror.c b/contrib/bind9/lib/lwres/gai_strerror.c
deleted file mode 100644
index 70b35b0..0000000
--- a/contrib/bind9/lib/lwres/gai_strerror.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gai_strerror.c,v 1.22 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file gai_strerror.c
- * lwres_gai_strerror() returns an error message corresponding to an
- * error code returned by getaddrinfo(). The following error codes and
- * their meaning are defined in \link netdb.h include/lwres/netdb.h.\endlink
- *
- * \li #EAI_ADDRFAMILY address family for hostname not supported
- * \li #EAI_AGAIN temporary failure in name resolution
- * \li #EAI_BADFLAGS invalid value for #ai_flags
- * \li #EAI_FAIL non-recoverable failure in name resolution
- * \li #EAI_FAMILY ai_family not supported
- * \li #EAI_MEMORY memory allocation failure
- * \li #EAI_NODATA no address associated with hostname
- * \li #EAI_NONAME hostname or servname not provided, or not known
- * \li #EAI_SERVICE servname not supported for ai_socktype
- * \li #EAI_SOCKTYPE ai_socktype not supported
- * \li #EAI_SYSTEM system error returned in errno
- *
- * The message invalid error code is returned if ecode is out of range.
- *
- * ai_flags, ai_family and ai_socktype are elements of the struct
- * addrinfo used by lwres_getaddrinfo().
- *
- * \section gai_strerror_see See Also
- *
- * strerror, lwres_getaddrinfo(), getaddrinfo(), RFC2133.
- */
-
-#include <config.h>
-
-#include <lwres/netdb.h>
-
-/*% Text of error messages. */
-static const char *gai_messages[] = {
-	"no error",
-	"address family for hostname not supported",
-	"temporary failure in name resolution",
-	"invalid value for ai_flags",
-	"non-recoverable failure in name resolution",
-	"ai_family not supported",
-	"memory allocation failure",
-	"no address associated with hostname",
-	"hostname nor servname provided, or not known",
-	"servname not supported for ai_socktype",
-	"ai_socktype not supported",
-	"system error returned in errno",
-	"bad hints",
-	"bad protocol"
-};
-
-/*% Returns an error message corresponding to an error code returned by getaddrinfo() */
-char *
-lwres_gai_strerror(int ecode) {
-	union {
-		const char *const_ptr;
-		char *deconst_ptr;
-	} ptr;
-
-	if ((ecode < 0) ||
-	    (ecode >= (int)(sizeof(gai_messages)/sizeof(*gai_messages))))
-		ptr.const_ptr = "invalid error code";
-	else
-		ptr.const_ptr = gai_messages[ecode];
-	return (ptr.deconst_ptr);
-}
diff --git a/contrib/bind9/lib/lwres/getaddrinfo.c b/contrib/bind9/lib/lwres/getaddrinfo.c
deleted file mode 100644
index 7d5f2fb..0000000
--- a/contrib/bind9/lib/lwres/getaddrinfo.c
+++ /dev/null
@@ -1,800 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * This code is derived from software contributed to ISC by
- * Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getaddrinfo.c,v 1.54 2008/11/25 23:47:23 tbox Exp $ */
-
-/*! \file */
-
-/**
- *    lwres_getaddrinfo() is used to get a list of IP addresses and port
- *    numbers for host hostname and service servname. The function is the
- *    lightweight resolver's implementation of getaddrinfo() as defined in
- *    RFC2133. hostname and servname are pointers to null-terminated strings
- *    or NULL. hostname is either a host name or a numeric host address
- *    string: a dotted decimal IPv4 address or an IPv6 address. servname is
- *    either a decimal port number or a service name as listed in
- *    /etc/services.
- *
- *    If the operating system does not provide a struct addrinfo, the
- *    following structure is used:
- *
- * \code
- * struct  addrinfo {
- *         int             ai_flags;       // AI_PASSIVE, AI_CANONNAME
- *         int             ai_family;      // PF_xxx
- *         int             ai_socktype;    // SOCK_xxx
- *         int             ai_protocol;    // 0 or IPPROTO_xxx for IPv4 and IPv6
- *         size_t          ai_addrlen;     // length of ai_addr
- *         char            *ai_canonname;  // canonical name for hostname
- *         struct sockaddr *ai_addr;       // binary address
- *         struct addrinfo *ai_next;       // next structure in linked list
- * };
- * \endcode
- *
- *
- *    hints is an optional pointer to a struct addrinfo. This structure can
- *    be used to provide hints concerning the type of socket that the caller
- *    supports or wishes to use. The caller can supply the following
- *    structure elements in *hints:
- *
- * <ul>
- *    <li>ai_family:
- *           The protocol family that should be used. When ai_family is set
- *           to PF_UNSPEC, it means the caller will accept any protocol
- *           family supported by the operating system.</li>
- *
- *    <li>ai_socktype:
- *           denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
- *           SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
- *           will accept any socket type.</li>
- *
- *    <li>ai_protocol:
- *           indicates which transport protocol is wanted: IPPROTO_UDP or
- *           IPPROTO_TCP. If ai_protocol is zero the caller will accept any
- *           protocol.</li>
- *
- *    <li>ai_flags:
- *           Flag bits. If the AI_CANONNAME bit is set, a successful call to
- *           lwres_getaddrinfo() will return a null-terminated string
- *           containing the canonical name of the specified hostname in
- *           ai_canonname of the first addrinfo structure returned. Setting
- *           the AI_PASSIVE bit indicates that the returned socket address
- *           structure is intended for used in a call to bind(2). In this
- *           case, if the hostname argument is a NULL pointer, then the IP
- *           address portion of the socket address structure will be set to
- *           INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
- *           address.<br /><br />
- *
- *           When ai_flags does not set the AI_PASSIVE bit, the returned
- *           socket address structure will be ready for use in a call to
- *           connect(2) for a connection-oriented protocol or connect(2),
- *           sendto(2), or sendmsg(2) if a connectionless protocol was
- *           chosen. The IP address portion of the socket address structure
- *           will be set to the loopback address if hostname is a NULL
- *           pointer and AI_PASSIVE is not set in ai_flags.<br /><br />
- *
- *           If ai_flags is set to AI_NUMERICHOST it indicates that hostname
- *           should be treated as a numeric string defining an IPv4 or IPv6
- *           address and no name resolution should be attempted.
- * </li></ul>
- *
- *    All other elements of the struct addrinfo passed via hints must be
- *    zero.
- *
- *    A hints of NULL is treated as if the caller provided a struct addrinfo
- *    initialized to zero with ai_familyset to PF_UNSPEC.
- *
- *    After a successful call to lwres_getaddrinfo(), *res is a pointer to a
- *    linked list of one or more addrinfo structures. Each struct addrinfo
- *    in this list cn be processed by following the ai_next pointer, until a
- *    NULL pointer is encountered. The three members ai_family, ai_socktype,
- *    and ai_protocol in each returned addrinfo structure contain the
- *    corresponding arguments for a call to socket(2). For each addrinfo
- *    structure in the list, the ai_addr member points to a filled-in socket
- *    address structure of length ai_addrlen.
- *
- *    All of the information returned by lwres_getaddrinfo() is dynamically
- *    allocated: the addrinfo structures, and the socket address structures
- *    and canonical host name strings pointed to by the addrinfostructures.
- *    Memory allocated for the dynamically allocated structures created by a
- *    successful call to lwres_getaddrinfo() is released by
- *    lwres_freeaddrinfo(). ai is a pointer to a struct addrinfo created by
- *    a call to lwres_getaddrinfo().
- *
- * \section lwresreturn RETURN VALUES
- *
- *    lwres_getaddrinfo() returns zero on success or one of the error codes
- *    listed in gai_strerror() if an error occurs. If both hostname and
- *    servname are NULL lwres_getaddrinfo() returns #EAI_NONAME.
- *
- * \section lwressee SEE ALSO
- *
- *    lwres(3), lwres_getaddrinfo(), lwres_freeaddrinfo(),
- *    lwres_gai_strerror(), RFC2133, getservbyname(3), connect(2),
- *    sendto(2), sendmsg(2), socket(2).
- */
-
-#include <config.h>
-
-#include <errno.h>
-
-#include <isc/string.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h>
-#include <lwres/stdlib.h>
-
-#define SA(addr)	((struct sockaddr *)(addr))
-#define SIN(addr)	((struct sockaddr_in *)(addr))
-#define SIN6(addr)	((struct sockaddr_in6 *)(addr))
-#define SLOCAL(addr)	((struct sockaddr_un *)(addr))
-
-/*! \struct addrinfo
- */
-static struct addrinfo
-	*ai_reverse(struct addrinfo *oai),
-	*ai_clone(struct addrinfo *oai, int family),
-	*ai_alloc(int family, int addrlen);
-#ifdef AF_LOCAL
-static int get_local(const char *name, int socktype, struct addrinfo **res);
-#endif
-
-static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
-    int socktype, int port);
-static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
-    int socktype, int port);
-static void set_order(int, int (**)(const char *, int, struct addrinfo **,
-	 int, int));
-
-#define FOUND_IPV4	0x1
-#define FOUND_IPV6	0x2
-#define FOUND_MAX	2
-
-#define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
-/*% Get a list of IP addresses and port numbers for host hostname and service servname. */
-int
-lwres_getaddrinfo(const char *hostname, const char *servname,
-	const struct addrinfo *hints, struct addrinfo **res)
-{
-	struct servent *sp;
-	const char *proto;
-	int family, socktype, flags, protocol;
-	struct addrinfo *ai, *ai_list;
-	int port, err, i;
-	int (*net_order[FOUND_MAX+1])(const char *, int, struct addrinfo **,
-		 int, int);
-
-	if (hostname == NULL && servname == NULL)
-		return (EAI_NONAME);
-
-	proto = NULL;
-	if (hints != NULL) {
-		if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0)
-			return (EAI_BADFLAGS);
-		if (hints->ai_addrlen || hints->ai_canonname ||
-		    hints->ai_addr || hints->ai_next) {
-			errno = EINVAL;
-			return (EAI_SYSTEM);
-		}
-		family = hints->ai_family;
-		socktype = hints->ai_socktype;
-		protocol = hints->ai_protocol;
-		flags = hints->ai_flags;
-		switch (family) {
-		case AF_UNSPEC:
-			switch (hints->ai_socktype) {
-			case SOCK_STREAM:
-				proto = "tcp";
-				break;
-			case SOCK_DGRAM:
-				proto = "udp";
-				break;
-			}
-			break;
-		case AF_INET:
-		case AF_INET6:
-			switch (hints->ai_socktype) {
-			case 0:
-				break;
-			case SOCK_STREAM:
-				proto = "tcp";
-				break;
-			case SOCK_DGRAM:
-				proto = "udp";
-				break;
-			case SOCK_RAW:
-				break;
-			default:
-				return (EAI_SOCKTYPE);
-			}
-			break;
-#ifdef	AF_LOCAL
-		case AF_LOCAL:
-			switch (hints->ai_socktype) {
-			case 0:
-				break;
-			case SOCK_STREAM:
-				break;
-			case SOCK_DGRAM:
-				break;
-			default:
-				return (EAI_SOCKTYPE);
-			}
-			break;
-#endif
-		default:
-			return (EAI_FAMILY);
-		}
-	} else {
-		protocol = 0;
-		family = 0;
-		socktype = 0;
-		flags = 0;
-	}
-
-#ifdef	AF_LOCAL
-	/*!
-	 * First, deal with AF_LOCAL.  If the family was not set,
-	 * then assume AF_LOCAL if the first character of the
-	 * hostname/servname is '/'.
-	 */
-
-	if (hostname != NULL &&
-	    (family == AF_LOCAL || (family == 0 && *hostname == '/')))
-		return (get_local(hostname, socktype, res));
-
-	if (servname != NULL &&
-	    (family == AF_LOCAL || (family == 0 && *servname == '/')))
-		return (get_local(servname, socktype, res));
-#endif
-
-	/*
-	 * Ok, only AF_INET and AF_INET6 left.
-	 */
-	ai_list = NULL;
-
-	/*
-	 * First, look up the service name (port) if it was
-	 * requested.  If the socket type wasn't specified, then
-	 * try and figure it out.
-	 */
-	if (servname != NULL) {
-		char *e;
-
-		port = strtol(servname, &e, 10);
-		if (*e == '\0') {
-			if (socktype == 0)
-				return (EAI_SOCKTYPE);
-			if (port < 0 || port > 65535)
-				return (EAI_SERVICE);
-			port = htons((unsigned short) port);
-		} else {
-			sp = getservbyname(servname, proto);
-			if (sp == NULL)
-				return (EAI_SERVICE);
-			port = sp->s_port;
-			if (socktype == 0) {
-				if (strcmp(sp->s_proto, "tcp") == 0)
-					socktype = SOCK_STREAM;
-				else if (strcmp(sp->s_proto, "udp") == 0)
-					socktype = SOCK_DGRAM;
-			}
-		}
-	} else
-		port = 0;
-
-	/*
-	 * Next, deal with just a service name, and no hostname.
-	 * (we verified that one of them was non-null up above).
-	 */
-	if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
-		if (family == AF_INET || family == 0) {
-			ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
-			if (ai == NULL)
-				return (EAI_MEMORY);
-			ai->ai_socktype = socktype;
-			ai->ai_protocol = protocol;
-			SIN(ai->ai_addr)->sin_port = port;
-			ai->ai_next = ai_list;
-			ai_list = ai;
-		}
-
-		if (family == AF_INET6 || family == 0) {
-			ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
-			if (ai == NULL) {
-				lwres_freeaddrinfo(ai_list);
-				return (EAI_MEMORY);
-			}
-			ai->ai_socktype = socktype;
-			ai->ai_protocol = protocol;
-			SIN6(ai->ai_addr)->sin6_port = port;
-			ai->ai_next = ai_list;
-			ai_list = ai;
-		}
-
-		*res = ai_list;
-		return (0);
-	}
-
-	/*
-	 * If the family isn't specified or AI_NUMERICHOST specified,
-	 * check first to see if it is a numeric address.
-	 * Though the gethostbyname2() routine
-	 * will recognize numeric addresses, it will only recognize
-	 * the format that it is being called for.  Thus, a numeric
-	 * AF_INET address will be treated by the AF_INET6 call as
-	 * a domain name, and vice versa.  Checking for both numerics
-	 * here avoids that.
-	 */
-	if (hostname != NULL &&
-	    (family == 0 || (flags & AI_NUMERICHOST) != 0)) {
-		char abuf[sizeof(struct in6_addr)];
-		char nbuf[NI_MAXHOST];
-		int addrsize, addroff;
-#ifdef LWRES_HAVE_SIN6_SCOPE_ID
-		char *p, *ep;
-		char ntmp[NI_MAXHOST];
-		lwres_uint32_t scopeid;
-#endif
-
-#ifdef LWRES_HAVE_SIN6_SCOPE_ID
-		/*
-		 * Scope identifier portion.
-		 */
-		ntmp[0] = '\0';
-		if (strchr(hostname, '%') != NULL) {
-			strncpy(ntmp, hostname, sizeof(ntmp) - 1);
-			ntmp[sizeof(ntmp) - 1] = '\0';
-			p = strchr(ntmp, '%');
-			ep = NULL;
-
-			/*
-			 * Vendors may want to support non-numeric
-			 * scopeid around here.
-			 */
-
-			if (p != NULL)
-				scopeid = (lwres_uint32_t)strtoul(p + 1,
-								  &ep, 10);
-			if (p != NULL && ep != NULL && ep[0] == '\0')
-				*p = '\0';
-			else {
-				ntmp[0] = '\0';
-				scopeid = 0;
-			}
-		} else
-			scopeid = 0;
-#endif
-
-	       if (lwres_net_pton(AF_INET, hostname, (struct in_addr *)abuf)
-		   == 1)
-	       {
-			if (family == AF_INET6) {
-				/*
-				 * Convert to a V4 mapped address.
-				 */
-				struct in6_addr *a6 = (struct in6_addr *)abuf;
-				memcpy(&a6->s6_addr[12], &a6->s6_addr[0], 4);
-				memset(&a6->s6_addr[10], 0xff, 2);
-				memset(&a6->s6_addr[0], 0, 10);
-				goto inet6_addr;
-			}
-			addrsize = sizeof(struct in_addr);
-			addroff = offsetof(struct sockaddr_in, sin_addr);
-			family = AF_INET;
-			goto common;
-#ifdef LWRES_HAVE_SIN6_SCOPE_ID
-		} else if (ntmp[0] != '\0' &&
-			   lwres_net_pton(AF_INET6, ntmp, abuf) == 1)
-		{
-			if (family && family != AF_INET6)
-				return (EAI_NONAME);
-			addrsize = sizeof(struct in6_addr);
-			addroff = offsetof(struct sockaddr_in6, sin6_addr);
-			family = AF_INET6;
-			goto common;
-#endif
-		} else if (lwres_net_pton(AF_INET6, hostname, abuf) == 1) {
-			if (family != 0 && family != AF_INET6)
-				return (EAI_NONAME);
-		inet6_addr:
-			addrsize = sizeof(struct in6_addr);
-			addroff = offsetof(struct sockaddr_in6, sin6_addr);
-			family = AF_INET6;
-
-		common:
-			ai = ai_clone(ai_list, family);
-			if (ai == NULL)
-				return (EAI_MEMORY);
-			ai_list = ai;
-			ai->ai_socktype = socktype;
-			SIN(ai->ai_addr)->sin_port = port;
-			memcpy((char *)ai->ai_addr + addroff, abuf, addrsize);
-			if (flags & AI_CANONNAME) {
-#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
-				if (ai->ai_family == AF_INET6)
-					SIN6(ai->ai_addr)->sin6_scope_id =
-									scopeid;
-#endif
-				if (lwres_getnameinfo(ai->ai_addr,
-				    ai->ai_addrlen, nbuf, sizeof(nbuf),
-						      NULL, 0,
-						      NI_NUMERICHOST) == 0) {
-					ai->ai_canonname = strdup(nbuf);
-					if (ai->ai_canonname == NULL) {
-						lwres_freeaddrinfo(ai_list);
-						return (EAI_MEMORY);
-					}
-				} else {
-					/* XXX raise error? */
-					ai->ai_canonname = NULL;
-				}
-			}
-			goto done;
-		} else if ((flags & AI_NUMERICHOST) != 0) {
-			return (EAI_NONAME);
-		}
-	}
-
-	set_order(family, net_order);
-	for (i = 0; i < FOUND_MAX; i++) {
-		if (net_order[i] == NULL)
-			break;
-		err = (net_order[i])(hostname, flags, &ai_list,
-				     socktype, port);
-		if (err != 0)
-			return (err);
-	}
-
-	if (ai_list == NULL)
-		return (EAI_NODATA);
-
-done:
-	ai_list = ai_reverse(ai_list);
-
-	*res = ai_list;
-	return (0);
-}
-
-static char *
-lwres_strsep(char **stringp, const char *delim) {
-	char *string = *stringp;
-	char *s;
-	const char *d;
-	char sc, dc;
-
-	if (string == NULL)
-		return (NULL);
-
-	for (s = string; *s != '\0'; s++) {
-		sc = *s;
-		for (d = delim; (dc = *d) != '\0'; d++)
-			if (sc == dc) {
-				*s++ = '\0';
-				*stringp = s;
-				return (string);
-			}
-	}
-	*stringp = NULL;
-	return (string);
-}
-
-static void
-set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
-					int, int))
-{
-	char *order, *tok;
-	int found;
-
-	if (family) {
-		switch (family) {
-		case AF_INET:
-			*net_order++ = add_ipv4;
-			break;
-		case AF_INET6:
-			*net_order++ = add_ipv6;
-			break;
-		}
-	} else {
-		order = getenv("NET_ORDER");
-		found = 0;
-		while (order != NULL) {
-			/*
-			 * We ignore any unknown names.
-			 */
-			tok = lwres_strsep(&order, ":");
-			if (strcasecmp(tok, "inet6") == 0) {
-				if ((found & FOUND_IPV6) == 0)
-					*net_order++ = add_ipv6;
-				found |= FOUND_IPV6;
-			} else if (strcasecmp(tok, "inet") == 0 ||
-			    strcasecmp(tok, "inet4") == 0) {
-				if ((found & FOUND_IPV4) == 0)
-					*net_order++ = add_ipv4;
-				found |= FOUND_IPV4;
-			}
-		}
-
-		/*
-		 * Add in anything that we didn't find.
-		 */
-		if ((found & FOUND_IPV4) == 0)
-			*net_order++ = add_ipv4;
-		if ((found & FOUND_IPV6) == 0)
-			*net_order++ = add_ipv6;
-	}
-	*net_order = NULL;
-	return;
-}
-
-static char v4_loop[4] = { 127, 0, 0, 1 };
-
-/*
- * The test against 0 is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define SETERROR(code) \
-	do { result = (code);			\
-		if (result != 0) goto cleanup;	\
-	} while (0)
-
-static int
-add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
-	int socktype, int port)
-{
-	struct addrinfo *ai;
-	lwres_context_t *lwrctx = NULL;
-	lwres_gabnresponse_t *by = NULL;
-	lwres_addr_t *addr;
-	lwres_result_t lwres;
-	int result = 0;
-
-	lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
-	if (lwres != LWRES_R_SUCCESS)
-		SETERROR(EAI_FAIL);
-	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
-		ai = ai_clone(*aip, AF_INET);
-		if (ai == NULL)
-			SETERROR(EAI_MEMORY);
-
-		*aip = ai;
-		ai->ai_socktype = socktype;
-		SIN(ai->ai_addr)->sin_port = port;
-		memcpy(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
-	} else {
-		lwres = lwres_getaddrsbyname(lwrctx, hostname,
-					     LWRES_ADDRTYPE_V4, &by);
-		if (lwres != LWRES_R_SUCCESS) {
-			if (lwres == LWRES_R_NOTFOUND)
-				goto cleanup;
-			else
-				SETERROR(EAI_FAIL);
-		}
-		addr = LWRES_LIST_HEAD(by->addrs);
-		while (addr != NULL) {
-			ai = ai_clone(*aip, AF_INET);
-			if (ai == NULL)
-				SETERROR(EAI_MEMORY);
-			*aip = ai;
-			ai->ai_socktype = socktype;
-			SIN(ai->ai_addr)->sin_port = port;
-			memcpy(&SIN(ai->ai_addr)->sin_addr,
-			       addr->address, 4);
-			if (flags & AI_CANONNAME) {
-				ai->ai_canonname = strdup(by->realname);
-				if (ai->ai_canonname == NULL)
-					SETERROR(EAI_MEMORY);
-			}
-			addr = LWRES_LIST_NEXT(addr, link);
-		}
-	}
- cleanup:
-	if (by != NULL)
-		lwres_gabnresponse_free(lwrctx, &by);
-	if (lwrctx != NULL) {
-		lwres_conf_clear(lwrctx);
-		lwres_context_destroy(&lwrctx);
-	}
-	return (result);
-}
-
-static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
-
-static int
-add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
-	 int socktype, int port)
-{
-	struct addrinfo *ai;
-	lwres_context_t *lwrctx = NULL;
-	lwres_gabnresponse_t *by = NULL;
-	lwres_addr_t *addr;
-	lwres_result_t lwres;
-	int result = 0;
-
-	lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
-	if (lwres != LWRES_R_SUCCESS)
-		SETERROR(EAI_FAIL);
-	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-
-	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
-		ai = ai_clone(*aip, AF_INET6);
-		if (ai == NULL)
-			SETERROR(EAI_MEMORY);
-
-		*aip = ai;
-		ai->ai_socktype = socktype;
-		SIN6(ai->ai_addr)->sin6_port = port;
-		memcpy(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
-	} else {
-		lwres = lwres_getaddrsbyname(lwrctx, hostname,
-					     LWRES_ADDRTYPE_V6, &by);
-		if (lwres != LWRES_R_SUCCESS) {
-			if (lwres == LWRES_R_NOTFOUND)
-				goto cleanup;
-			else
-				SETERROR(EAI_FAIL);
-		}
-		addr = LWRES_LIST_HEAD(by->addrs);
-		while (addr != NULL) {
-			ai = ai_clone(*aip, AF_INET6);
-			if (ai == NULL)
-				SETERROR(EAI_MEMORY);
-			*aip = ai;
-			ai->ai_socktype = socktype;
-			SIN6(ai->ai_addr)->sin6_port = port;
-			memcpy(&SIN6(ai->ai_addr)->sin6_addr,
-			       addr->address, 16);
-			if (flags & AI_CANONNAME) {
-				ai->ai_canonname = strdup(by->realname);
-				if (ai->ai_canonname == NULL)
-					SETERROR(EAI_MEMORY);
-			}
-			addr = LWRES_LIST_NEXT(addr, link);
-		}
-	}
- cleanup:
-	if (by != NULL)
-		lwres_gabnresponse_free(lwrctx, &by);
-	if (lwrctx != NULL) {
-		lwres_conf_clear(lwrctx);
-		lwres_context_destroy(&lwrctx);
-	}
-	return (result);
-}
-
-/*% Free address info. */
-void
-lwres_freeaddrinfo(struct addrinfo *ai) {
-	struct addrinfo *ai_next;
-
-	while (ai != NULL) {
-		ai_next = ai->ai_next;
-		if (ai->ai_addr != NULL)
-			free(ai->ai_addr);
-		if (ai->ai_canonname)
-			free(ai->ai_canonname);
-		free(ai);
-		ai = ai_next;
-	}
-}
-
-#ifdef AF_LOCAL
-static int
-get_local(const char *name, int socktype, struct addrinfo **res) {
-	struct addrinfo *ai;
-	struct sockaddr_un *slocal;
-
-	if (socktype == 0)
-		return (EAI_SOCKTYPE);
-
-	ai = ai_alloc(AF_LOCAL, sizeof(*slocal));
-	if (ai == NULL)
-		return (EAI_MEMORY);
-
-	slocal = SLOCAL(ai->ai_addr);
-	strncpy(slocal->sun_path, name, sizeof(slocal->sun_path));
-
-	ai->ai_socktype = socktype;
-	/*
-	 * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
-	 * and ai->ai_next were initialized to zero.
-	 */
-
-	*res = ai;
-	return (0);
-}
-#endif
-
-/*!
- * Allocate an addrinfo structure, and a sockaddr structure
- * of the specificed length.  We initialize:
- *	ai_addrlen
- *	ai_family
- *	ai_addr
- *	ai_addr->sa_family
- *	ai_addr->sa_len	(LWRES_PLATFORM_HAVESALEN)
- * and everything else is initialized to zero.
- */
-static struct addrinfo *
-ai_alloc(int family, int addrlen) {
-	struct addrinfo *ai;
-
-	ai = (struct addrinfo *)calloc(1, sizeof(*ai));
-	if (ai == NULL)
-		return (NULL);
-
-	ai->ai_addr = SA(calloc(1, addrlen));
-	if (ai->ai_addr == NULL) {
-		free(ai);
-		return (NULL);
-	}
-	ai->ai_addrlen = addrlen;
-	ai->ai_family = family;
-	ai->ai_addr->sa_family = family;
-#ifdef LWRES_PLATFORM_HAVESALEN
-	ai->ai_addr->sa_len = addrlen;
-#endif
-	return (ai);
-}
-
-static struct addrinfo *
-ai_clone(struct addrinfo *oai, int family) {
-	struct addrinfo *ai;
-
-	ai = ai_alloc(family, ((family == AF_INET6) ?
-	    sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)));
-
-	if (ai == NULL) {
-		lwres_freeaddrinfo(oai);
-		return (NULL);
-	}
-	if (oai == NULL)
-		return (ai);
-
-	ai->ai_flags = oai->ai_flags;
-	ai->ai_socktype = oai->ai_socktype;
-	ai->ai_protocol = oai->ai_protocol;
-	ai->ai_canonname = NULL;
-	ai->ai_next = oai;
-	return (ai);
-}
-
-static struct addrinfo *
-ai_reverse(struct addrinfo *oai) {
-	struct addrinfo *nai, *tai;
-
-	nai = NULL;
-
-	while (oai != NULL) {
-		/*
-		 * Grab one off the old list.
-		 */
-		tai = oai;
-		oai = oai->ai_next;
-		/*
-		 * Put it on the front of the new list.
-		 */
-		tai->ai_next = nai;
-		nai = tai;
-	}
-	return (nai);
-}
diff --git a/contrib/bind9/lib/lwres/gethost.c b/contrib/bind9/lib/lwres/gethost.c
deleted file mode 100644
index 1a1efd4..0000000
--- a/contrib/bind9/lib/lwres/gethost.c
+++ /dev/null
@@ -1,362 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gethost.c,v 1.34 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-/**
- *    These functions provide hostname-to-address and address-to-hostname
- *    lookups by means of the lightweight resolver. They are similar to the
- *    standard gethostent(3) functions provided by most operating systems.
- *    They use a struct hostent which is usually defined in <namedb.h>.
- * 
- * \code
- * struct  hostent {
- *         char    *h_name;        // official name of host
- * 	   char    **h_aliases;    // alias list
- *         int     h_addrtype;     // host address type
- *         int     h_length;       // length of address
- *         char    **h_addr_list;  // list of addresses from name server
- * };
- * #define h_addr  h_addr_list[0]  // address, for backward compatibility
- * \endcode
- * 
- *    The members of this structure are:
- * 
- * \li   h_name:
- *           The official (canonical) name of the host.
- * 
- * \li   h_aliases:
- *           A NULL-terminated array of alternate names (nicknames) for the
- *           host.
- * 
- * \li   h_addrtype:
- *           The type of address being returned -- PF_INET or PF_INET6.
- * 
- * \li   h_length:
- *           The length of the address in bytes.
- * 
- * \li   h_addr_list:
- *           A NULL terminated array of network addresses for the host. Host
- *           addresses are returned in network byte order.
- * 
- *    For backward compatibility with very old software, h_addr is the first
- *    address in h_addr_list.
- * 
- *    lwres_gethostent(), lwres_sethostent(), lwres_endhostent(),
- *    lwres_gethostent_r(), lwres_sethostent_r() and lwres_endhostent_r()
- *    provide iteration over the known host entries on systems that provide
- *    such functionality through facilities like /etc/hosts or NIS. The
- *    lightweight resolver does not currently implement these functions; it
- *    only provides them as stub functions that always return failure.
- * 
- *    lwres_gethostbyname() and lwres_gethostbyname2() look up the hostname
- *    name. lwres_gethostbyname() always looks for an IPv4 address while
- *    lwres_gethostbyname2() looks for an address of protocol family af:
- *    either PF_INET or PF_INET6 -- IPv4 or IPV6 addresses respectively.
- *    Successful calls of the functions return a struct hostent for the name
- *    that was looked up. NULL is returned if the lookups by
- *    lwres_gethostbyname() or lwres_gethostbyname2() fail.
- * 
- *    Reverse lookups of addresses are performed by lwres_gethostbyaddr().
- *    addr is an address of length len bytes and protocol family type --
- *    PF_INET or PF_INET6. lwres_gethostbyname_r() is a thread-safe function
- *    for forward lookups. If an error occurs, an error code is returned in
- *    *error. resbuf is a pointer to a struct hostent which is initialised
- *    by a successful call to lwres_gethostbyname_r() . buf is a buffer of
- *    length len bytes which is used to store the h_name, h_aliases, and
- *    h_addr_list elements of the struct hostent returned in resbuf.
- *    Successful calls to lwres_gethostbyname_r() return resbuf, which is a
- *    pointer to the struct hostent it created.
- * 
- *    lwres_gethostbyaddr_r() is a thread-safe function that performs a
- *    reverse lookup of address addr which is len bytes long and is of
- *    protocol family type -- PF_INET or PF_INET6. If an error occurs, the
- *    error code is returned in *error. The other function parameters are
- *    identical to those in lwres_gethostbyname_r(). resbuf is a pointer to
- *    a struct hostent which is initialised by a successful call to
- *    lwres_gethostbyaddr_r(). buf is a buffer of length len bytes which is
- *    used to store the h_name, h_aliases, and h_addr_list elements of the
- *    struct hostent returned in resbuf. Successful calls to
- *    lwres_gethostbyaddr_r() return resbuf, which is a pointer to the
- *    struct hostent it created.
- * 
- * \section gethost_return Return Values
- * 
- *    The functions lwres_gethostbyname(), lwres_gethostbyname2(),
- *    lwres_gethostbyaddr(), and lwres_gethostent() return NULL to indicate
- *    an error. In this case the global variable lwres_h_errno will contain
- *    one of the following error codes defined in \link netdb.h <lwres/netdb.h>:\endlink
- * 
- * \li #HOST_NOT_FOUND:
- *           The host or address was not found.
- * 
- * \li #TRY_AGAIN:
- *           A recoverable error occurred, e.g., a timeout. Retrying the
- *           lookup may succeed.
- * 
- * \li #NO_RECOVERY:
- *           A non-recoverable error occurred.
- * 
- * \li #NO_DATA:
- *           The name exists, but has no address information associated with
- *           it (or vice versa in the case of a reverse lookup). The code
- *           NO_ADDRESS is accepted as a synonym for NO_DATA for backwards
- *           compatibility.
- * 
- *    lwres_hstrerror() translates these error codes to suitable error
- *    messages.
- * 
- *    lwres_gethostent() and lwres_gethostent_r() always return NULL.
- * 
- *    Successful calls to lwres_gethostbyname_r() and
- *    lwres_gethostbyaddr_r() return resbuf, a pointer to the struct hostent
- *    that was initialised by these functions. They return NULL if the
- *    lookups fail or if buf was too small to hold the list of addresses and
- *    names referenced by the h_name, h_aliases, and h_addr_list elements of
- *    the struct hostent. If buf was too small, both lwres_gethostbyname_r()
- *    and lwres_gethostbyaddr_r() set the global variable errno to ERANGE.
- * 
- * \section gethost_see See Also
- * 
- *    gethostent(), \link getipnode.c getipnode\endlink, lwres_hstrerror()
- * 
- * \section gethost_bugs Bugs
- * 
- *    lwres_gethostbyname(), lwres_gethostbyname2(), lwres_gethostbyaddr()
- *    and lwres_endhostent() are not thread safe; they return pointers to
- *    static data and provide error codes through a global variable.
- *    Thread-safe versions for name and address lookup are provided by
- *    lwres_gethostbyname_r(), and lwres_gethostbyaddr_r() respectively.
- * 
- *    The resolver daemon does not currently support any non-DNS name
- *    services such as /etc/hosts or NIS, consequently the above functions
- *    don't, either.
- */
-
-#include <config.h>
-
-#include <errno.h>
-#include <string.h>
-
-#include <lwres/net.h>
-#include <lwres/netdb.h>
-
-#include "assert_p.h"
-
-#define LWRES_ALIGNBYTES (sizeof(char *) - 1)
-#define LWRES_ALIGN(p) \
-	(((unsigned long)(p) + LWRES_ALIGNBYTES) &~ LWRES_ALIGNBYTES)
-
-static struct hostent *he = NULL;
-static int copytobuf(struct hostent *, struct hostent *, char *, int);
-
-/*% Always looks for an IPv4 address. */
-struct hostent *
-lwres_gethostbyname(const char *name) {
-
-	if (he != NULL)
-		lwres_freehostent(he);
-
-	he = lwres_getipnodebyname(name, AF_INET, 0, &lwres_h_errno);
-	return (he);
-}
-
-/*% Looks for either an IPv4 or IPv6 address. */
-struct hostent *
-lwres_gethostbyname2(const char *name, int af) {
-	if (he != NULL)
-		lwres_freehostent(he);
-
-	he = lwres_getipnodebyname(name, af, 0, &lwres_h_errno);
-	return (he);
-}
-
-/*% Reverse lookup of addresses. */
-struct hostent *
-lwres_gethostbyaddr(const char *addr, int len, int type) {
-
-	if (he != NULL)
-		lwres_freehostent(he);
-
-	he = lwres_getipnodebyaddr(addr, len, type, &lwres_h_errno);
-	return (he);
-}
-
-/*% Stub function.  Always returns failure. */
-struct hostent *
-lwres_gethostent(void) {
-	if (he != NULL)
-		lwres_freehostent(he);
-
-	return (NULL);
-}
-
-/*% Stub function.  Always returns failure. */
-void
-lwres_sethostent(int stayopen) {
-	/*
-	 * Empty.
-	 */
-	UNUSED(stayopen);
-}
-
-/*% Stub function.  Always returns failure. */
-void
-lwres_endhostent(void) {
-	/*
-	 * Empty.
-	 */
-}
-
-/*% Thread-safe function for forward lookups. */
-struct hostent *
-lwres_gethostbyname_r(const char *name, struct hostent *resbuf,
-		char *buf, int buflen, int *error)
-{
-	struct hostent *he;
-	int res;
-
-	he = lwres_getipnodebyname(name, AF_INET, 0, error);
-	if (he == NULL)
-		return (NULL);
-	res = copytobuf(he, resbuf, buf, buflen);
-	lwres_freehostent(he);
-	if (res != 0) {
-		errno = ERANGE;
-		return (NULL);
-	}
-	return (resbuf);
-}
-
-/*% Thread-safe reverse lookup. */
-struct hostent  *
-lwres_gethostbyaddr_r(const char *addr, int len, int type,
-		      struct hostent *resbuf, char *buf, int buflen,
-		      int *error)
-{
-	struct hostent *he;
-	int res;
-
-	he = lwres_getipnodebyaddr(addr, len, type, error);
-	if (he == NULL)
-		return (NULL);
-	res = copytobuf(he, resbuf, buf, buflen);
-	lwres_freehostent(he);
-	if (res != 0) {
-		errno = ERANGE;
-		return (NULL);
-	}
-	return (resbuf);
-}
-
-/*% Stub function.  Always returns failure. */
-struct hostent  *
-lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error) {
-	UNUSED(resbuf);
-	UNUSED(buf);
-	UNUSED(buflen);
-	*error = 0;
-	return (NULL);
-}
-
-/*% Stub function.  Always returns failure. */
-void
-lwres_sethostent_r(int stayopen) {
-	/*
-	 * Empty.
-	 */
-	UNUSED(stayopen);
-}
-
-/*% Stub function.  Always returns failure. */
-void
-lwres_endhostent_r(void) {
-	/*
-	 * Empty.
-	 */
-}
-
-static int
-copytobuf(struct hostent *he, struct hostent *hptr, char *buf, int buflen) {
-        char *cp;
-        char **ptr;
-        int i, n;
-        int nptr, len;
-
-        /*
-	 * Find out the amount of space required to store the answer.
-	 */
-        nptr = 2; /* NULL ptrs */
-        len = (char *)LWRES_ALIGN(buf) - buf;
-        for (i = 0; he->h_addr_list[i]; i++, nptr++) {
-                len += he->h_length;
-        }
-        for (i = 0; he->h_aliases[i]; i++, nptr++) {
-                len += strlen(he->h_aliases[i]) + 1;
-        }
-        len += strlen(he->h_name) + 1;
-        len += nptr * sizeof(char*);
-
-        if (len > buflen) {
-                return (-1);
-        }
-
-        /*
-	 * Copy address size and type.
-	 */
-        hptr->h_addrtype = he->h_addrtype;
-        n = hptr->h_length = he->h_length;
-
-        ptr = (char **)LWRES_ALIGN(buf);
-        cp = (char *)LWRES_ALIGN(buf) + nptr * sizeof(char *);
-
-        /*
-	 * Copy address list.
-	 */
-        hptr->h_addr_list = ptr;
-        for (i = 0; he->h_addr_list[i]; i++, ptr++) {
-                memcpy(cp, he->h_addr_list[i], n);
-                hptr->h_addr_list[i] = cp;
-                cp += n;
-        }
-        hptr->h_addr_list[i] = NULL;
-        ptr++;
-
-        /*
-	 * Copy official name.
-	 */
-        n = strlen(he->h_name) + 1;
-        strcpy(cp, he->h_name);
-        hptr->h_name = cp;
-        cp += n;
-
-        /*
-	 * Copy aliases.
-	 */
-        hptr->h_aliases = ptr;
-        for (i = 0; he->h_aliases[i]; i++) {
-                n = strlen(he->h_aliases[i]) + 1;
-                strcpy(cp, he->h_aliases[i]);
-                hptr->h_aliases[i] = cp;
-                cp += n;
-        }
-        hptr->h_aliases[i] = NULL;
-
-        return (0);
-}
diff --git a/contrib/bind9/lib/lwres/getipnode.c b/contrib/bind9/lib/lwres/getipnode.c
deleted file mode 100644
index 300376e..0000000
--- a/contrib/bind9/lib/lwres/getipnode.c
+++ /dev/null
@@ -1,1166 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getipnode.c,v 1.47 2009/09/01 23:47:45 tbox Exp $ */
-
-/*! \file */
-
-/**
- *    These functions perform thread safe, protocol independent
- *    nodename-to-address and address-to-nodename translation as defined in
- *    RFC2553.  This use a struct hostent which is defined in namedb.h:
- *
- * \code
- * struct  hostent {
- *         char    *h_name;        // official name of host
- *         char    **h_aliases;    // alias list
- *         int     h_addrtype;     // host address type
- *         int     h_length;       // length of address
- *         char    **h_addr_list;  // list of addresses from name server
- * };
- * #define h_addr  h_addr_list[0]  // address, for backward compatibility
- * \endcode
- *
- *    The members of this structure are:
- *
- * \li   h_name:
- *           The official (canonical) name of the host.
- *
- * \li   h_aliases:
- *           A NULL-terminated array of alternate names (nicknames) for the
- *           host.
- *
- * \li   h_addrtype:
- *           The type of address being returned - usually PF_INET or
- *           PF_INET6.
- *
- * \li   h_length:
- *           The length of the address in bytes.
- *
- * \li   h_addr_list:
- *           A NULL terminated array of network addresses for the host. Host
- *           addresses are returned in network byte order.
- *
- *    lwres_getipnodebyname() looks up addresses of protocol family af for
- *    the hostname name. The flags parameter contains ORed flag bits to
- *    specify the types of addresses that are searched for, and the types of
- *    addresses that are returned. The flag bits are:
- *
- * \li   #AI_V4MAPPED:
- *           This is used with an af of #AF_INET6, and causes IPv4 addresses
- *           to be returned as IPv4-mapped IPv6 addresses.
- *
- * \li   #AI_ALL:
- *           This is used with an af of #AF_INET6, and causes all known
- *           addresses (IPv6 and IPv4) to be returned. If #AI_V4MAPPED is
- *           also set, the IPv4 addresses are return as mapped IPv6
- *           addresses.
- *
- * \li   #AI_ADDRCONFIG:
- *           Only return an IPv6 or IPv4 address if here is an active
- *           network interface of that type. This is not currently
- *           implemented in the BIND 9 lightweight resolver, and the flag is
- *           ignored.
- *
- * \li   #AI_DEFAULT:
- *           This default sets the #AI_V4MAPPED and #AI_ADDRCONFIG flag bits.
- *
- *    lwres_getipnodebyaddr() performs a reverse lookup of address src which
- *    is len bytes long. af denotes the protocol family, typically PF_INET
- *    or PF_INET6.
- *
- *    lwres_freehostent() releases all the memory associated with the struct
- *    hostent pointer. Any memory allocated for the h_name, h_addr_list
- *    and h_aliases is freed, as is the memory for the hostent structure
- *    itself.
- *
- * \section getipnode_return Return Values
- *
- *    If an error occurs, lwres_getipnodebyname() and
- *    lwres_getipnodebyaddr() set *error_num to an appropriate error code
- *    and the function returns a NULL pointer. The error codes and their
- *    meanings are defined in \link netdb.h <lwres/netdb.h>\endlink:
- *
- * \li   #HOST_NOT_FOUND:
- *           No such host is known.
- *
- * \li   #NO_ADDRESS:
- *           The server recognised the request and the name but no address
- *           is available. Another type of request to the name server for
- *           the domain might return an answer.
- *
- * \li   #TRY_AGAIN:
- *           A temporary and possibly transient error occurred, such as a
- *           failure of a server to respond. The request may succeed if
- *           retried.
- *
- * \li   #NO_RECOVERY:
- *           An unexpected failure occurred, and retrying the request is
- *           pointless.
- *
- *    lwres_hstrerror() translates these error codes to suitable error
- *    messages.
- *
- * \section getipnode_see See Also
- *
- * getaddrinfo.c, gethost.c, getnameinfo.c, herror.c, RFC2553
- */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h>	/* XXX #include <netdb.h> */
-
-#include "assert_p.h"
-
-#ifndef INADDRSZ
-#define INADDRSZ 4
-#endif
-#ifndef IN6ADDRSZ
-#define IN6ADDRSZ 16
-#endif
-
-#ifdef LWRES_PLATFORM_NEEDIN6ADDRANY
-LIBLWRES_EXTERNAL_DATA const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
-#endif
-
-#ifndef IN6_IS_ADDR_V4COMPAT
-static const unsigned char in6addr_compat[12] = {
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-#define IN6_IS_ADDR_V4COMPAT(x) (!memcmp((x)->s6_addr, in6addr_compat, 12) && \
-				 ((x)->s6_addr[12] != 0 || \
-				  (x)->s6_addr[13] != 0 || \
-				  (x)->s6_addr[14] != 0 || \
-				   ((x)->s6_addr[15] != 0 && \
-				    (x)->s6_addr[15] != 1)))
-#endif
-#ifndef IN6_IS_ADDR_V4MAPPED
-#define IN6_IS_ADDR_V4MAPPED(x) (!memcmp((x)->s6_addr, in6addr_mapped, 12))
-#endif
-
-static const unsigned char in6addr_mapped[12] = {
-	0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0xff, 0xff
-};
-
-/***
- ***	Forward declarations.
- ***/
-
-static int
-scan_interfaces(int *, int *);
-
-static struct hostent *
-copyandmerge(struct hostent *, struct hostent *, int, int *);
-
-static struct hostent *
-hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src);
-
-static struct hostent *
-hostfromname(lwres_gabnresponse_t *name, int af);
-
-/***
- ***	Public functions.
- ***/
-
-/*!
- *	AI_V4MAPPED + AF_INET6
- *	If no IPv6 address then a query for IPv4 and map returned values.
- *
- *	AI_ALL + AI_V4MAPPED + AF_INET6
- *	Return IPv6 and IPv4 mapped.
- *
- *	AI_ADDRCONFIG
- *	Only return IPv6 / IPv4 address if there is an interface of that
- *	type active.
- */
-
-struct hostent *
-lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
-	int have_v4 = 1, have_v6 = 1;
-	struct in_addr in4;
-	struct in6_addr in6;
-	struct hostent he, *he1 = NULL, *he2 = NULL, *he3 = NULL;
-	int v4 = 0, v6 = 0;
-	int tmp_err = 0;
-	lwres_context_t *lwrctx = NULL;
-	lwres_gabnresponse_t *by = NULL;
-	int n;
-
-	/*
-	 * If we care about active interfaces then check.
-	 */
-	if ((flags & AI_ADDRCONFIG) != 0)
-		if (scan_interfaces(&have_v4, &have_v6) == -1) {
-			*error_num = NO_RECOVERY;
-			return (NULL);
-		}
-
-	/* Check for literal address. */
-	if ((v4 = lwres_net_pton(AF_INET, name, &in4)) != 1)
-		v6 = lwres_net_pton(AF_INET6, name, &in6);
-
-	/*
-	 * Impossible combination?
-	 */
-	if ((af == AF_INET6 && (flags & AI_V4MAPPED) == 0 && v4 == 1) ||
-	    (af == AF_INET && v6 == 1) ||
-	    (have_v4 == 0 && v4 == 1) ||
-	    (have_v6 == 0 && v6 == 1) ||
-	    (have_v4 == 0 && af == AF_INET) ||
-	    (have_v6 == 0 && af == AF_INET6 &&
-	     (((flags & AI_V4MAPPED) != 0 && have_v4) ||
-	      (flags & AI_V4MAPPED) == 0))) {
-		*error_num = HOST_NOT_FOUND;
-		return (NULL);
-	}
-
-	/*
-	 * Literal address?
-	 */
-	if (v4 == 1 || v6 == 1) {
-		char *addr_list[2];
-		char *aliases[1];
-		char mappedname[sizeof("::ffff:123.123.123.123")];
-		union {
-			const char *const_name;
-			char *deconst_name;
-		} u;
-
-		u.const_name = name;
-		if (v4 == 1 && af == AF_INET6) {
-			strcpy(mappedname, "::ffff:");
-			lwres_net_ntop(AF_INET, (char *)&in4,
-				       mappedname + sizeof("::ffff:") - 1,
-				       sizeof(mappedname) - sizeof("::ffff:")
-				       + 1);
-			he.h_name = mappedname;
-		} else
-			he.h_name = u.deconst_name;
-		he.h_addr_list = addr_list;
-		he.h_addr_list[0] = (v4 == 1) ? (char *)&in4 : (char *)&in6;
-		he.h_addr_list[1] = NULL;
-		he.h_aliases = aliases;
-		he.h_aliases[0] = NULL;
-		he.h_length = (v4 == 1) ? INADDRSZ : IN6ADDRSZ;
-		he.h_addrtype = (v4 == 1) ? AF_INET : AF_INET6;
-		return (copyandmerge(&he, NULL, af, error_num));
-	}
-
-	n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
-	if (n != 0) {
-		*error_num = NO_RECOVERY;
-		goto cleanup;
-	}
-	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-	tmp_err = NO_RECOVERY;
-	if (have_v6 && af == AF_INET6) {
-		n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V6, &by);
-		if (n == 0) {
-			he1 = hostfromname(by, AF_INET6);
-			lwres_gabnresponse_free(lwrctx, &by);
-			if (he1 == NULL) {
-				*error_num = NO_RECOVERY;
-				goto cleanup;
-			}
-		} else {
-			if (n == LWRES_R_NOTFOUND)
-				tmp_err = HOST_NOT_FOUND;
-			else {
-				*error_num = NO_RECOVERY;
-				goto cleanup;
-			}
-		}
-	}
-
-	if (have_v4 &&
-	    ((af == AF_INET) ||
-	     (af == AF_INET6 && (flags & AI_V4MAPPED) != 0 &&
-	      (he1 == NULL || (flags & AI_ALL) != 0)))) {
-		n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V4, &by);
-		if (n == 0) {
-			he2 = hostfromname(by, AF_INET);
-			lwres_gabnresponse_free(lwrctx, &by);
-			if (he2 == NULL) {
-				*error_num = NO_RECOVERY;
-				goto cleanup;
-			}
-		} else if (he1 == NULL) {
-			if (n == LWRES_R_NOTFOUND)
-				*error_num = HOST_NOT_FOUND;
-			else
-				*error_num = NO_RECOVERY;
-			goto cleanup;
-		}
-	} else
-		*error_num = tmp_err;
-
-	he3 = copyandmerge(he1, he2, af, error_num);
-
- cleanup:
-	if (he1 != NULL)
-		lwres_freehostent(he1);
-	if (he2 != NULL)
-		lwres_freehostent(he2);
-	if (lwrctx != NULL) {
-		lwres_conf_clear(lwrctx);
-		lwres_context_destroy(&lwrctx);
-	}
-	return (he3);
-}
-
-/*% performs a reverse lookup of address src which is len bytes long. af denotes the protocol family, typically #PF_INET or PF_INET6. */
-struct hostent *
-lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
-	struct hostent *he1, *he2;
-	lwres_context_t *lwrctx = NULL;
-	lwres_gnbaresponse_t *by = NULL;
-	lwres_result_t n;
-	union {
-		const void *konst;
-		struct in6_addr *in6;
-	} u;
-
-	/*
-	 * Sanity checks.
-	 */
-	if (src == NULL) {
-		*error_num = NO_RECOVERY;
-		return (NULL);
-	}
-
-	switch (af) {
-	case AF_INET:
-		if (len != (unsigned int)INADDRSZ) {
-			*error_num = NO_RECOVERY;
-			return (NULL);
-		}
-		break;
-	case AF_INET6:
-		if (len != (unsigned int)IN6ADDRSZ) {
-			*error_num = NO_RECOVERY;
-			return (NULL);
-		}
-		break;
-	default:
-		*error_num = NO_RECOVERY;
-		return (NULL);
-	}
-
-	/*
-	 * The de-"const"-ing game is done because at least one
-	 * vendor's system (RedHat 6.0) defines the IN6_IS_ADDR_*
-	 * macros in such a way that they discard the const with
-	 * internal casting, and gcc ends up complaining.  Rather
-	 * than replacing their own (possibly optimized) definitions
-	 * with our own, cleanly discarding the const is the easiest
-	 * thing to do.
-	 */
-	u.konst = src;
-
-	/*
-	 * Look up IPv4 and IPv4 mapped/compatible addresses.
-	 */
-	if ((af == AF_INET6 && IN6_IS_ADDR_V4COMPAT(u.in6)) ||
-	    (af == AF_INET6 && IN6_IS_ADDR_V4MAPPED(u.in6)) ||
-	    (af == AF_INET)) {
-		const unsigned char *cp = src;
-
-		if (af == AF_INET6)
-			cp += 12;
-		n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
-		if (n == LWRES_R_SUCCESS)
-			(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-		if (n == LWRES_R_SUCCESS)
-			n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V4,
-						INADDRSZ, cp, &by);
-		if (n != LWRES_R_SUCCESS) {
-			lwres_conf_clear(lwrctx);
-			lwres_context_destroy(&lwrctx);
-			if (n == LWRES_R_NOTFOUND)
-				*error_num = HOST_NOT_FOUND;
-			else
-				*error_num = NO_RECOVERY;
-			return (NULL);
-		}
-		he1 = hostfromaddr(by, AF_INET, cp);
-		lwres_gnbaresponse_free(lwrctx, &by);
-		lwres_conf_clear(lwrctx);
-		lwres_context_destroy(&lwrctx);
-		if (af != AF_INET6)
-			return (he1);
-
-		/*
-		 * Convert from AF_INET to AF_INET6.
-		 */
-		he2 = copyandmerge(he1, NULL, af, error_num);
-		lwres_freehostent(he1);
-		if (he2 == NULL)
-			return (NULL);
-		/*
-		 * Restore original address.
-		 */
-		memcpy(he2->h_addr, src, len);
-		return (he2);
-	}
-
-	/*
-	 * Lookup IPv6 address.
-	 */
-	if (memcmp(src, &in6addr_any, IN6ADDRSZ) == 0) {
-		*error_num = HOST_NOT_FOUND;
-		return (NULL);
-	}
-
-	n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
-	if (n == LWRES_R_SUCCESS)
-		(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-	if (n == LWRES_R_SUCCESS)
-		n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V6, IN6ADDRSZ,
-					src, &by);
-	if (n != 0) {
-		lwres_conf_clear(lwrctx);
-		lwres_context_destroy(&lwrctx);
-
-		if (n == LWRES_R_NOTFOUND)
-		       *error_num = HOST_NOT_FOUND;
-		else
-		       *error_num = NO_RECOVERY;
-
-		return (NULL);
-	}
-
-	he1 = hostfromaddr(by, AF_INET6, src);
-	lwres_gnbaresponse_free(lwrctx, &by);
-	if (he1 == NULL)
-		*error_num = NO_RECOVERY;
-	lwres_conf_clear(lwrctx);
-	lwres_context_destroy(&lwrctx);
-	return (he1);
-}
-
-/*% releases all the memory associated with the struct hostent pointer */
-void
-lwres_freehostent(struct hostent *he) {
-	char **cpp;
-	int names = 1;
-	int addresses = 1;
-
-	if (he == NULL)
-		return;
-
-	free(he->h_name);
-
-	cpp = he->h_addr_list;
-	while (*cpp != NULL) {
-		free(*cpp);
-		*cpp = NULL;
-		cpp++;
-		addresses++;
-	}
-
-	cpp = he->h_aliases;
-	while (*cpp != NULL) {
-		free(*cpp);
-		cpp++;
-		names++;
-	}
-
-	free(he->h_aliases);
-	free(he->h_addr_list);
-	free(he);
-}
-
-/*
- * Private
- */
-
-/*
- * Scan the interface table and set have_v4 and have_v6 depending
- * upon whether there are IPv4 and IPv6 interface addresses.
- *
- * Returns:
- *	0 on success
- *	-1 on failure.
- */
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
-    !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
-
-#ifdef __hpux
-#define lifc_len iflc_len
-#define lifc_buf iflc_buf
-#define lifc_req iflc_req
-#define LIFCONF if_laddrconf
-#else
-#define ISC_HAVE_LIFC_FAMILY 1
-#define ISC_HAVE_LIFC_FLAGS 1
-#define LIFCONF lifconf
-#endif
-
-#ifdef __hpux
-#define lifr_addr iflr_addr
-#define lifr_name iflr_name
-#define lifr_dstaddr iflr_dstaddr
-#define lifr_flags iflr_flags
-#define ss_family sa_family
-#define LIFREQ if_laddrreq
-#else
-#define LIFREQ lifreq
-#endif
-
-static int
-scan_interfaces6(int *have_v4, int *have_v6) {
-	struct LIFCONF lifc;
-	struct LIFREQ lifreq;
-	struct in_addr in4;
-	struct in6_addr in6;
-	char *buf = NULL, *cp, *cplim;
-	static unsigned int bufsiz = 4095;
-	int s, cpsize, n;
-
-	/*
-	 * Set to zero.  Used as loop terminators below.
-	 */
-	*have_v4 = *have_v6 = 0;
-
-	/*
-	 * Get interface list from system.
-	 */
-	if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
-		goto err_ret;
-
-	/*
-	 * Grow buffer until large enough to contain all interface
-	 * descriptions.
-	 */
-	for (;;) {
-		buf = malloc(bufsiz);
-		if (buf == NULL)
-			goto err_ret;
-#ifdef ISC_HAVE_LIFC_FAMILY
-		lifc.lifc_family = AF_UNSPEC;	/* request all families */
-#endif
-#ifdef ISC_HAVE_LIFC_FLAGS
-		lifc.lifc_flags = 0;
-#endif
-		lifc.lifc_len = bufsiz;
-		lifc.lifc_buf = buf;
-		if ((n = ioctl(s, SIOCGLIFCONF, (char *)&lifc)) != -1) {
-			/*
-			 * Some OS's just return what will fit rather
-			 * than set EINVAL if the buffer is too small
-			 * to fit all the interfaces in.  If
-			 * lifc.lifc_len is too near to the end of the
-			 * buffer we will grow it just in case and
-			 * retry.
-			 */
-			if (lifc.lifc_len + 2 * sizeof(lifreq) < bufsiz)
-				break;
-		}
-		if ((n == -1) && errno != EINVAL)
-			goto err_ret;
-
-		if (bufsiz > 1000000)
-			goto err_ret;
-
-		free(buf);
-		bufsiz += 4096;
-	}
-
-	/*
-	 * Parse system's interface list.
-	 */
-	cplim = buf + lifc.lifc_len;    /* skip over if's with big ifr_addr's */
-	for (cp = buf;
-	     (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
-	     cp += cpsize) {
-		memcpy(&lifreq, cp, sizeof(lifreq));
-#ifdef LWRES_PLATFORM_HAVESALEN
-#ifdef FIX_ZERO_SA_LEN
-		if (lifreq.lifr_addr.sa_len == 0)
-			lifreq.lifr_addr.sa_len = 16;
-#endif
-#ifdef HAVE_MINIMUM_IFREQ
-		cpsize = sizeof(lifreq);
-		if (lifreq.lifr_addr.sa_len > sizeof(struct sockaddr))
-			cpsize += (int)lifreq.lifr_addr.sa_len -
-				(int)(sizeof(struct sockaddr));
-#else
-		cpsize = sizeof(lifreq.lifr_name) + lifreq.lifr_addr.sa_len;
-#endif /* HAVE_MINIMUM_IFREQ */
-#elif defined SIOCGIFCONF_ADDR
-		cpsize = sizeof(lifreq);
-#else
-		cpsize = sizeof(lifreq.lifr_name);
-		/* XXX maybe this should be a hard error? */
-		if (ioctl(s, SIOCGLIFADDR, (char *)&lifreq) < 0)
-			continue;
-#endif
-		switch (lifreq.lifr_addr.ss_family) {
-		case AF_INET:
-			if (*have_v4 == 0) {
-				memcpy(&in4,
-				       &((struct sockaddr_in *)
-				       &lifreq.lifr_addr)->sin_addr,
-				       sizeof(in4));
-				if (in4.s_addr == INADDR_ANY)
-					break;
-				n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
-				if (n < 0)
-					break;
-				if ((lifreq.lifr_flags & IFF_UP) == 0)
-					break;
-				*have_v4 = 1;
-			}
-			break;
-		case AF_INET6:
-			if (*have_v6 == 0) {
-				memcpy(&in6,
-				       &((struct sockaddr_in6 *)
-				       &lifreq.lifr_addr)->sin6_addr,
-				       sizeof(in6));
-				if (memcmp(&in6, &in6addr_any,
-					   sizeof(in6)) == 0)
-					break;
-				n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
-				if (n < 0)
-					break;
-				if ((lifreq.lifr_flags & IFF_UP) == 0)
-					break;
-				*have_v6 = 1;
-			}
-			break;
-		}
-	}
-	if (buf != NULL)
-		free(buf);
-	close(s);
-	return (0);
- err_ret:
-	if (buf != NULL)
-		free(buf);
-	if (s != -1)
-		close(s);
-	return (-1);
-}
-#endif
-
-static int
-scan_interfaces(int *have_v4, int *have_v6) {
-#if !defined(SIOCGIFCONF) || !defined(SIOCGIFADDR)
-	*have_v4 = *have_v6 = 1;
-	return (0);
-#else
-	struct ifconf ifc;
-	union {
-		char _pad[256];		/* leave space for IPv6 addresses */
-		struct ifreq ifreq;
-	} u;
-	struct in_addr in4;
-	struct in6_addr in6;
-	char *buf = NULL, *cp, *cplim;
-	static unsigned int bufsiz = 4095;
-	int s, n;
-	size_t cpsize;
-
-#ifdef WIN32
-	InitSockets();
-#endif
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
-    !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
-	/*
-	 * Try to scan the interfaces using IPv6 ioctls().
-	 */
-	if (!scan_interfaces6(have_v4, have_v6)) {
-#ifdef WIN32
-		DestroySockets();
-#endif
-		return (0);
-	}
-#endif
-
-	/*
-	 * Set to zero.  Used as loop terminators below.
-	 */
-	*have_v4 = *have_v6 = 0;
-
-	/*
-	 * Get interface list from system.
-	 */
-	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
-		goto err_ret;
-
-	/*
-	 * Grow buffer until large enough to contain all interface
-	 * descriptions.
-	 */
-	for (;;) {
-		buf = malloc(bufsiz);
-		if (buf == NULL)
-			goto err_ret;
-		ifc.ifc_len = bufsiz;
-		ifc.ifc_buf = buf;
-#ifdef IRIX_EMUL_IOCTL_SIOCGIFCONF
-		/*
-		 * This is a fix for IRIX OS in which the call to ioctl with
-		 * the flag SIOCGIFCONF may not return an entry for all the
-		 * interfaces like most flavors of Unix.
-		 */
-		if (emul_ioctl(&ifc) >= 0)
-			break;
-#else
-		if ((n = ioctl(s, SIOCGIFCONF, (char *)&ifc)) != -1) {
-			/*
-			 * Some OS's just return what will fit rather
-			 * than set EINVAL if the buffer is too small
-			 * to fit all the interfaces in.  If
-			 * ifc.ifc_len is too near to the end of the
-			 * buffer we will grow it just in case and
-			 * retry.
-			 */
-			if (ifc.ifc_len + 2 * sizeof(u.ifreq) < bufsiz)
-				break;
-		}
-#endif
-		if ((n == -1) && errno != EINVAL)
-			goto err_ret;
-
-		if (bufsiz > 1000000)
-			goto err_ret;
-
-		free(buf);
-		bufsiz += 4096;
-	}
-
-	/*
-	 * Parse system's interface list.
-	 */
-	cplim = buf + ifc.ifc_len;    /* skip over if's with big ifr_addr's */
-	for (cp = buf;
-	     (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
-	     cp += cpsize) {
-		memcpy(&u.ifreq, cp, sizeof(u.ifreq));
-#ifdef LWRES_PLATFORM_HAVESALEN
-#ifdef FIX_ZERO_SA_LEN
-		if (u.ifreq.ifr_addr.sa_len == 0)
-			u.ifreq.ifr_addr.sa_len = 16;
-#endif
-#ifdef HAVE_MINIMUM_IFREQ
-		cpsize = sizeof(u.ifreq);
-		if (u.ifreq.ifr_addr.sa_len > sizeof(struct sockaddr))
-			cpsize += (int)u.ifreq.ifr_addr.sa_len -
-				(int)(sizeof(struct sockaddr));
-#else
-		cpsize = sizeof(u.ifreq.ifr_name) + u.ifreq.ifr_addr.sa_len;
-#endif /* HAVE_MINIMUM_IFREQ */
-		if (cpsize > sizeof(u.ifreq) && cpsize <= sizeof(u))
-			memcpy(&u.ifreq, cp, cpsize);
-#elif defined SIOCGIFCONF_ADDR
-		cpsize = sizeof(u.ifreq);
-#else
-		cpsize = sizeof(u.ifreq.ifr_name);
-		/* XXX maybe this should be a hard error? */
-		if (ioctl(s, SIOCGIFADDR, (char *)&u.ifreq) < 0)
-			continue;
-#endif
-		switch (u.ifreq.ifr_addr.sa_family) {
-		case AF_INET:
-			if (*have_v4 == 0) {
-				memcpy(&in4,
-				       &((struct sockaddr_in *)
-				       &u.ifreq.ifr_addr)->sin_addr,
-				       sizeof(in4));
-				if (in4.s_addr == INADDR_ANY)
-					break;
-				n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
-				if (n < 0)
-					break;
-				if ((u.ifreq.ifr_flags & IFF_UP) == 0)
-					break;
-				*have_v4 = 1;
-			}
-			break;
-		case AF_INET6:
-			if (*have_v6 == 0) {
-				memcpy(&in6,
-				       &((struct sockaddr_in6 *)
-				       &u.ifreq.ifr_addr)->sin6_addr,
-				       sizeof(in6));
-				if (memcmp(&in6, &in6addr_any,
-					   sizeof(in6)) == 0)
-					break;
-				n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
-				if (n < 0)
-					break;
-				if ((u.ifreq.ifr_flags & IFF_UP) == 0)
-					break;
-				*have_v6 = 1;
-			}
-			break;
-		}
-	}
-	if (buf != NULL)
-		free(buf);
-#ifdef WIN32
-	DestroySockets();
-#endif
-	close(s);
-	return (0);
-
- err_ret:
-	if (buf != NULL)
-		free(buf);
-	if (s != -1)
-		close(s);
-#ifdef WIN32
-	DestroySockets();
-#endif
-	return (-1);
-#endif
-}
-
-static struct hostent *
-copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num)
-{
-	struct hostent *he = NULL;
-	int addresses = 1;	/* NULL terminator */
-	int names = 1;		/* NULL terminator */
-	int len = 0;
-	char **cpp, **npp;
-
-	/*
-	 * Work out array sizes.
-	 */
-	if (he1 != NULL) {
-		cpp = he1->h_addr_list;
-		while (*cpp != NULL) {
-			addresses++;
-			cpp++;
-		}
-		cpp = he1->h_aliases;
-		while (*cpp != NULL) {
-			names++;
-			cpp++;
-		}
-	}
-
-	if (he2 != NULL) {
-		cpp = he2->h_addr_list;
-		while (*cpp != NULL) {
-			addresses++;
-			cpp++;
-		}
-		if (he1 == NULL) {
-			cpp = he2->h_aliases;
-			while (*cpp != NULL) {
-				names++;
-				cpp++;
-			}
-		}
-	}
-
-	if (addresses == 1) {
-		*error_num = NO_ADDRESS;
-		return (NULL);
-	}
-
-	he = malloc(sizeof(*he));
-	if (he == NULL)
-		goto no_recovery;
-
-	he->h_addr_list = malloc(sizeof(char *) * (addresses));
-	if (he->h_addr_list == NULL)
-		goto cleanup0;
-	memset(he->h_addr_list, 0, sizeof(char *) * (addresses));
-
-	/*
-	 * Copy addresses.
-	 */
-	npp = he->h_addr_list;
-	if (he1 != NULL) {
-		cpp = he1->h_addr_list;
-		while (*cpp != NULL) {
-			*npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
-			if (*npp == NULL)
-				goto cleanup1;
-			/*
-			 * Convert to mapped if required.
-			 */
-			if (af == AF_INET6 && he1->h_addrtype == AF_INET) {
-				memcpy(*npp, in6addr_mapped,
-				       sizeof(in6addr_mapped));
-				memcpy(*npp + sizeof(in6addr_mapped), *cpp,
-				       INADDRSZ);
-			} else {
-				memcpy(*npp, *cpp,
-				       (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
-			}
-			cpp++;
-			npp++;
-		}
-	}
-
-	if (he2 != NULL) {
-		cpp = he2->h_addr_list;
-		while (*cpp != NULL) {
-			*npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
-			if (*npp == NULL)
-				goto cleanup1;
-			/*
-			 * Convert to mapped if required.
-			 */
-			if (af == AF_INET6 && he2->h_addrtype == AF_INET) {
-				memcpy(*npp, in6addr_mapped,
-				       sizeof(in6addr_mapped));
-				memcpy(*npp + sizeof(in6addr_mapped), *cpp,
-				       INADDRSZ);
-			} else {
-				memcpy(*npp, *cpp,
-				       (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
-			}
-			cpp++;
-			npp++;
-		}
-	}
-
-	he->h_aliases = malloc(sizeof(char *) * (names));
-	if (he->h_aliases == NULL)
-		goto cleanup1;
-	memset(he->h_aliases, 0, sizeof(char *) * (names));
-
-	/*
-	 * Copy aliases.
-	 */
-	npp = he->h_aliases;
-	cpp = (he1 != NULL) ? he1->h_aliases
-		: ((he2 != NULL) ?  he2->h_aliases : NULL);
-	while (cpp != NULL && *cpp != NULL) {
-		len = strlen (*cpp) + 1;
-		*npp = malloc(len);
-		if (*npp == NULL)
-			goto cleanup2;
-		strcpy(*npp, *cpp);
-		npp++;
-		cpp++;
-	}
-
-	/*
-	 * Copy hostname.
-	 */
-	he->h_name = malloc(strlen((he1 != NULL) ?
-			    he1->h_name : he2->h_name) + 1);
-	if (he->h_name == NULL)
-		goto cleanup2;
-	strcpy(he->h_name, (he1 != NULL) ? he1->h_name : he2->h_name);
-
-	/*
-	 * Set address type and length.
-	 */
-	he->h_addrtype = af;
-	he->h_length = (af == AF_INET) ? INADDRSZ : IN6ADDRSZ;
-	return (he);
-
- cleanup2:
-	cpp = he->h_aliases;
-	while (*cpp != NULL) {
-		free(*cpp);
-		cpp++;
-	}
-	free(he->h_aliases);
-
- cleanup1:
-	cpp = he->h_addr_list;
-	while (*cpp != NULL) {
-		free(*cpp);
-		*cpp = NULL;
-		cpp++;
-	}
-	free(he->h_addr_list);
-
- cleanup0:
-	free(he);
-
- no_recovery:
-	*error_num = NO_RECOVERY;
-	return (NULL);
-}
-
-static struct hostent *
-hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src) {
-	struct hostent *he;
-	int i;
-
-	he = malloc(sizeof(*he));
-	if (he == NULL)
-		goto cleanup;
-	memset(he, 0, sizeof(*he));
-
-	/*
-	 * Set family and length.
-	 */
-	he->h_addrtype = af;
-	switch (af) {
-	case AF_INET:
-		he->h_length = INADDRSZ;
-		break;
-	case AF_INET6:
-		he->h_length = IN6ADDRSZ;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	/*
-	 * Copy name.
-	 */
-	he->h_name = strdup(addr->realname);
-	if (he->h_name == NULL)
-		goto cleanup;
-
-	/*
-	 * Copy aliases.
-	 */
-	he->h_aliases = malloc(sizeof(char *) * (addr->naliases + 1));
-	if (he->h_aliases == NULL)
-		goto cleanup;
-	for (i = 0; i < addr->naliases; i++) {
-		he->h_aliases[i] = strdup(addr->aliases[i]);
-		if (he->h_aliases[i] == NULL)
-			goto cleanup;
-	}
-	he->h_aliases[i] = NULL;
-
-	/*
-	 * Copy address.
-	 */
-	he->h_addr_list = malloc(sizeof(char *) * 2);
-	if (he->h_addr_list == NULL)
-		goto cleanup;
-	he->h_addr_list[0] = malloc(he->h_length);
-	if (he->h_addr_list[0] == NULL)
-		goto cleanup;
-	memcpy(he->h_addr_list[0], src, he->h_length);
-	he->h_addr_list[1] = NULL;
-	return (he);
-
- cleanup:
-	if (he != NULL && he->h_addr_list != NULL) {
-		for (i = 0; he->h_addr_list[i] != NULL; i++)
-			free(he->h_addr_list[i]);
-		free(he->h_addr_list);
-	}
-	if (he != NULL && he->h_aliases != NULL) {
-		for (i = 0; he->h_aliases[i] != NULL; i++)
-			free(he->h_aliases[i]);
-		free(he->h_aliases);
-	}
-	if (he != NULL && he->h_name != NULL)
-		free(he->h_name);
-	if (he != NULL)
-		free(he);
-	return (NULL);
-}
-
-static struct hostent *
-hostfromname(lwres_gabnresponse_t *name, int af) {
-	struct hostent *he;
-	int i;
-	lwres_addr_t *addr;
-
-	he = malloc(sizeof(*he));
-	if (he == NULL)
-		goto cleanup;
-	memset(he, 0, sizeof(*he));
-
-	/*
-	 * Set family and length.
-	 */
-	he->h_addrtype = af;
-	switch (af) {
-	case AF_INET:
-		he->h_length = INADDRSZ;
-		break;
-	case AF_INET6:
-		he->h_length = IN6ADDRSZ;
-		break;
-	default:
-		INSIST(0);
-	}
-
-	/*
-	 * Copy name.
-	 */
-	he->h_name = strdup(name->realname);
-	if (he->h_name == NULL)
-		goto cleanup;
-
-	/*
-	 * Copy aliases.
-	 */
-	he->h_aliases = malloc(sizeof(char *) * (name->naliases + 1));
-	if (he->h_aliases == NULL)
-		goto cleanup;
-	for (i = 0; i < name->naliases; i++) {
-		he->h_aliases[i] = strdup(name->aliases[i]);
-		if (he->h_aliases[i] == NULL)
-			goto cleanup;
-	}
-	he->h_aliases[i] = NULL;
-
-	/*
-	 * Copy addresses.
-	 */
-	he->h_addr_list = malloc(sizeof(char *) * (name->naddrs + 1));
-	if (he->h_addr_list == NULL)
-		goto cleanup;
-	addr = LWRES_LIST_HEAD(name->addrs);
-	i = 0;
-	while (addr != NULL) {
-		he->h_addr_list[i] = malloc(he->h_length);
-		if (he->h_addr_list[i] == NULL)
-			goto cleanup;
-		memcpy(he->h_addr_list[i], addr->address, he->h_length);
-		addr = LWRES_LIST_NEXT(addr, link);
-		i++;
-	}
-	he->h_addr_list[i] = NULL;
-	return (he);
-
- cleanup:
-	if (he != NULL && he->h_addr_list != NULL) {
-		for (i = 0; he->h_addr_list[i] != NULL; i++)
-			free(he->h_addr_list[i]);
-		free(he->h_addr_list);
-	}
-	if (he != NULL && he->h_aliases != NULL) {
-		for (i = 0; he->h_aliases[i] != NULL; i++)
-			free(he->h_aliases[i]);
-		free(he->h_aliases);
-	}
-	if (he != NULL && he->h_name != NULL)
-		free(he->h_name);
-	if (he != NULL)
-		free(he);
-	return (NULL);
-}
diff --git a/contrib/bind9/lib/lwres/getnameinfo.c b/contrib/bind9/lib/lwres/getnameinfo.c
deleted file mode 100644
index 08ebf93..0000000
--- a/contrib/bind9/lib/lwres/getnameinfo.c
+++ /dev/null
@@ -1,347 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * XXX
- * Issues to be discussed:
- * - Return values.  There seems to be no standard for return value (RFC2553)
- *   but INRIA implementation returns EAI_xxx defined for getaddrinfo().
- */
-
-
-/**
- *    This function is equivalent to the getnameinfo(3) function defined in
- *    RFC2133. lwres_getnameinfo() returns the hostname for the struct
- *    sockaddr sa which is salen bytes long. The hostname is of length
- *    hostlen and is returned via *host. The maximum length of the hostname
- *    is 1025 bytes: #NI_MAXHOST.
- *
- *    The name of the service associated with the port number in sa is
- *    returned in *serv. It is servlen bytes long. The maximum length of the
- *    service name is #NI_MAXSERV - 32 bytes.
- *
- *    The flags argument sets the following bits:
- *
- * \li   #NI_NOFQDN:
- *           A fully qualified domain name is not required for local hosts.
- *           The local part of the fully qualified domain name is returned
- *           instead.
- *
- * \li   #NI_NUMERICHOST
- *           Return the address in numeric form, as if calling inet_ntop(),
- *           instead of a host name.
- *
- * \li   #NI_NAMEREQD
- *           A name is required. If the hostname cannot be found in the DNS
- *           and this flag is set, a non-zero error code is returned. If the
- *           hostname is not found and the flag is not set, the address is
- *           returned in numeric form.
- *
- * \li   #NI_NUMERICSERV
- *           The service name is returned as a digit string representing the
- *           port number.
- *
- * \li   #NI_DGRAM
- *           Specifies that the service being looked up is a datagram
- *           service, and causes getservbyport() to be called with a second
- *           argument of "udp" instead of its default of "tcp". This is
- *           required for the few ports (512-514) that have different
- *           services for UDP and TCP.
- *
- * \section getnameinfo_return Return Values
- *
- *    lwres_getnameinfo() returns 0 on success or a non-zero error code if
- *    an error occurs.
- *
- * \section getname_see See Also
- *
- *    RFC2133, getservbyport(),
- *    lwres_getnamebyaddr(). lwres_net_ntop().
- *
- * \section getnameinfo_bugs Bugs
- *
- *    RFC2133 fails to define what the nonzero return values of
- *    getnameinfo() are.
- */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h>
-#include "print_p.h"
-
-#include "assert_p.h"
-
-#define SUCCESS 0
-
-/*% afd structure definition */
-static struct afd {
-	int a_af;
-	size_t a_addrlen;
-	size_t a_socklen;
-} afdl [] = {
-	/*!
-	 * First entry is linked last...
-	 */
-	{ AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
-	{ AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
-	{0, 0, 0},
-};
-
-#define ENI_NOSERVNAME	1
-#define ENI_NOHOSTNAME	2
-#define ENI_MEMORY	3
-#define ENI_SYSTEM	4
-#define ENI_FAMILY	5
-#define ENI_SALEN	6
-#define ENI_NOSOCKET 	7
-
-/*!
- * The test against 0 is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define ERR(code) \
-	do { result = (code);			\
-		if (result != 0) goto cleanup;	\
-	} while (0)
-
-/*% lightweight resolver socket address structure to hostname and service name */
-int
-lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
-		  size_t hostlen, char *serv, size_t servlen, int flags)
-{
-	struct afd *afd = NULL;
-	struct servent *sp;
-	unsigned short port;
-#ifdef LWRES_PLATFORM_HAVESALEN
-	size_t len;
-#endif
-	int family, i;
-	const void *addr;
-	char *p;
-#if 0
-	unsigned long v4a;
-	unsigned char pfx;
-#endif
-	char numserv[sizeof("65000")];
-	char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255")
-		    + 1 + sizeof("4294967295")];
-	const char *proto;
-	lwres_uint32_t lwf = 0;
-	lwres_context_t *lwrctx = NULL;
-	lwres_gnbaresponse_t *by = NULL;
-	int result = SUCCESS;
-	int n;
-
-	if (sa == NULL)
-		ERR(ENI_NOSOCKET);
-
-#ifdef LWRES_PLATFORM_HAVESALEN
-	len = sa->sa_len;
-	if (len != salen)
-		ERR(ENI_SALEN);
-#endif
-
-	family = sa->sa_family;
-	for (i = 0; afdl[i].a_af; i++)
-		if (afdl[i].a_af == family) {
-			afd = &afdl[i];
-			goto found;
-		}
-	ERR(ENI_FAMILY);
-
- found:
-	if (salen != afd->a_socklen)
-		ERR(ENI_SALEN);
-
-	switch (family) {
-	case AF_INET:
-		port = ((const struct sockaddr_in *)sa)->sin_port;
-		addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
-		break;
-
-	case AF_INET6:
-		port = ((const struct sockaddr_in6 *)sa)->sin6_port;
-		addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
-		break;
-
-	default:
-		port = 0;
-		addr = NULL;
-		POST(port); POST(addr);
-		INSIST(0);
-	}
-	proto = (flags & NI_DGRAM) ? "udp" : "tcp";
-
-	if (serv == NULL || servlen == 0U) {
-		/*
-		 * Caller does not want service.
-		 */
-	} else if ((flags & NI_NUMERICSERV) != 0 ||
-		   (sp = getservbyport(port, proto)) == NULL) {
-		snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
-		if ((strlen(numserv) + 1) > servlen)
-			ERR(ENI_MEMORY);
-		strcpy(serv, numserv);
-	} else {
-		if ((strlen(sp->s_name) + 1) > servlen)
-			ERR(ENI_MEMORY);
-		strcpy(serv, sp->s_name);
-	}
-
-#if 0
-	switch (sa->sa_family) {
-	case AF_INET:
-		v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
-		if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
-			flags |= NI_NUMERICHOST;
-		v4a >>= IN_CLASSA_NSHIFT;
-		if (v4a == 0 || v4a == IN_LOOPBACKNET)
-			flags |= NI_NUMERICHOST;
-		break;
-
-	case AF_INET6:
-		pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
-		if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
-			flags |= NI_NUMERICHOST;
-		break;
-	}
-#endif
-
-	if (host == NULL || hostlen == 0U) {
-		/*
-		 * What should we do?
-		 */
-	} else if (flags & NI_NUMERICHOST) {
-		if (lwres_net_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
-		    == NULL)
-			ERR(ENI_SYSTEM);
-#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
-		if (afd->a_af == AF_INET6 &&
-		    ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
-			char *p = numaddr + strlen(numaddr);
-			const char *stringscope = NULL;
-#if 0
-			if ((flags & NI_NUMERICSCOPE) == 0) {
-				/*
-				 * Vendors may want to add support for
-				 * non-numeric scope identifier.
-				 */
-				stringscope = foo;
-			}
-#endif
-			if (stringscope == NULL) {
-				snprintf(p, sizeof(numaddr) - (p - numaddr),
-				    "%%%u",
-				    ((const struct sockaddr_in6 *)sa)->sin6_scope_id);
-			} else {
-				snprintf(p, sizeof(numaddr) - (p - numaddr),
-				    "%%%s", stringscope);
-			}
-		}
-#endif
-		if (strlen(numaddr) + 1 > hostlen)
-			ERR(ENI_MEMORY);
-		strcpy(host, numaddr);
-	} else {
-		switch (family) {
-		case AF_INET:
-			lwf = LWRES_ADDRTYPE_V4;
-			break;
-		case AF_INET6:
-			lwf = LWRES_ADDRTYPE_V6;
-			break;
-		default:
-			INSIST(0);
-		}
-
-		n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
-		if (n == 0)
-			(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-
-		if (n == 0)
-			n = lwres_getnamebyaddr(lwrctx, lwf,
-						(lwres_uint16_t)afd->a_addrlen,
-						addr, &by);
-		if (n == 0) {
-			if (flags & NI_NOFQDN) {
-				p = strchr(by->realname, '.');
-				if (p)
-					*p = '\0';
-			}
-			if ((strlen(by->realname) + 1) > hostlen)
-				ERR(ENI_MEMORY);
-			strcpy(host, by->realname);
-		} else {
-			if (flags & NI_NAMEREQD)
-				ERR(ENI_NOHOSTNAME);
-			if (lwres_net_ntop(afd->a_af, addr, numaddr,
-					   sizeof(numaddr))
-			    == NULL)
-				ERR(ENI_NOHOSTNAME);
-			if ((strlen(numaddr) + 1) > hostlen)
-				ERR(ENI_MEMORY);
-			strcpy(host, numaddr);
-		}
-	}
-	result = SUCCESS;
- cleanup:
-	if (by != NULL)
-		lwres_gnbaresponse_free(lwrctx, &by);
-	if (lwrctx != NULL) {
-		lwres_conf_clear(lwrctx);
-		lwres_context_destroy(&lwrctx);
-	}
-	return (result);
-}
diff --git a/contrib/bind9/lib/lwres/getrrset.c b/contrib/bind9/lib/lwres/getrrset.c
deleted file mode 100644
index 16af741..0000000
--- a/contrib/bind9/lib/lwres/getrrset.c
+++ /dev/null
@@ -1,292 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getrrset.c,v 1.18 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-/**
- * DESCRIPTION
- *
- *    lwres_getrrsetbyname() gets a set of resource records associated with
- *    a hostname, class, and type. hostname is a pointer a to
- *    null-terminated string. The flags field is currently unused and must
- *    be zero.
- *
- *    After a successful call to lwres_getrrsetbyname(), *res is a pointer
- *    to an #rrsetinfo structure, containing a list of one or more #rdatainfo
- *    structures containing resource records and potentially another list of
- *    rdatainfo structures containing SIG resource records associated with
- *    those records. The members #rri_rdclass and #rri_rdtype are copied from
- *    the parameters. #rri_ttl and #rri_name are properties of the obtained
- *    rrset. The resource records contained in #rri_rdatas and #rri_sigs are
- *    in uncompressed DNS wire format. Properties of the rdataset are
- *    represented in the #rri_flags bitfield. If the #RRSET_VALIDATED bit is
- *    set, the data has been DNSSEC validated and the signatures verified.
- *
- *    All of the information returned by lwres_getrrsetbyname() is
- *    dynamically allocated: the rrsetinfo and rdatainfo structures, and the
- *    canonical host name strings pointed to by the rrsetinfostructure.
- *    Memory allocated for the dynamically allocated structures created by a
- *    successful call to lwres_getrrsetbyname() is released by
- *    lwres_freerrset(). rrset is a pointer to a struct rrset created by a
- *    call to lwres_getrrsetbyname().
- *
- *    The following structures are used:
- *
- * \code
- * struct  rdatainfo {
- *         unsigned int            rdi_length;     // length of data
- *         unsigned char           *rdi_data;      // record data
- * };
- *
- * struct  rrsetinfo {
- *         unsigned int            rri_flags;      // RRSET_VALIDATED...
- *         unsigned int            rri_rdclass;    // class number
- *         unsigned int            rri_rdtype;     // RR type number
- *         unsigned int            rri_ttl;        // time to live
- *         unsigned int            rri_nrdatas;    // size of rdatas array
- *         unsigned int            rri_nsigs;      // size of sigs array
- *         char                    *rri_name;      // canonical name
- *         struct rdatainfo        *rri_rdatas;    // individual records
- *         struct rdatainfo        *rri_sigs;      // individual signatures
- * };
- * \endcode
- *
- * \section getrrset_return Return Values
- *
- *    lwres_getrrsetbyname() returns zero on success, and one of the
- *    following error codes if an error occurred:
- *
- * \li   #ERRSET_NONAME: the name does not exist
- *
- * \li   #ERRSET_NODATA:
- *           the name exists, but does not have data of the desired type
- *
- * \li   #ERRSET_NOMEMORY:
- *           memory could not be allocated
- *
- * \li   #ERRSET_INVAL:
- *           a parameter is invalid
- *
- * \li   #ERRSET_FAIL:
- *           other failure
- */
-
-#include <config.h>
-
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h>	/* XXX #include <netdb.h> */
-
-#include "assert_p.h"
-
-/*!
- * Structure to map results
- */
-static unsigned int
-lwresult_to_result(lwres_result_t lwresult) {
-	switch (lwresult) {
-	case LWRES_R_SUCCESS:	return (ERRSET_SUCCESS);
-	case LWRES_R_NOMEMORY:	return (ERRSET_NOMEMORY);
-	case LWRES_R_NOTFOUND:	return (ERRSET_NONAME);
-	case LWRES_R_TYPENOTFOUND: return (ERRSET_NODATA);
-	default:		return (ERRSET_FAIL);
-	}
-}
-
-/*@{*/
-/*!
- * malloc / calloc functions that guarantee to only
- * return NULL if there is an error, like they used
- * to before the ANSI C committee broke them.
- */
-
-static void *
-sane_malloc(size_t size) {
-	if (size == 0U)
-		size = 1;
-	return (malloc(size));
-}
-
-static void *
-sane_calloc(size_t number, size_t size) {
-	size_t len = number * size;
-	void *mem  = sane_malloc(len);
-	if (mem != NULL)
-		memset(mem, 0, len);
-	return (mem);
-}
-/*@}*/
-
-/*% Returns a set of resource records associated with a hostname, class, and type. hostname is a pointer a to null-terminated string. */
-int
-lwres_getrrsetbyname(const char *hostname, unsigned int rdclass,
-		     unsigned int rdtype, unsigned int flags,
-		     struct rrsetinfo **res)
-{
-	lwres_context_t *lwrctx = NULL;
-	lwres_result_t lwresult;
-	lwres_grbnresponse_t *response = NULL;
-	struct rrsetinfo *rrset = NULL;
-	unsigned int i;
-	unsigned int lwflags;
-	unsigned int result;
-
-	if (rdclass > 0xffff || rdtype > 0xffff) {
-		result = ERRSET_INVAL;
-		goto fail;
-	}
-
-	/*
-	 * Don't allow queries of class or type ANY
-	 */
-	if (rdclass == 0xff || rdtype == 0xff) {
-		result = ERRSET_INVAL;
-		goto fail;
-	}
-
-	lwresult = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
-	if (lwresult != LWRES_R_SUCCESS) {
-		result = lwresult_to_result(lwresult);
-		goto fail;
-	}
-	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-
-	/*
-	 * If any input flags were defined, lwflags would be set here
-	 * based on them
-	 */
-	UNUSED(flags);
-	lwflags = 0;
-
-	lwresult = lwres_getrdatabyname(lwrctx, hostname,
-					(lwres_uint16_t)rdclass,
-					(lwres_uint16_t)rdtype,
-					lwflags, &response);
-	if (lwresult != LWRES_R_SUCCESS) {
-		result = lwresult_to_result(lwresult);
-		goto fail;
-	}
-
-	rrset = sane_malloc(sizeof(struct rrsetinfo));
-	if (rrset == NULL) {
-		result = ERRSET_NOMEMORY;
-		goto fail;
-	}
-	rrset->rri_name = NULL;
-	rrset->rri_rdclass = response->rdclass;
-	rrset->rri_rdtype = response->rdtype;
-	rrset->rri_ttl = response->ttl;
-	rrset->rri_flags = 0;
-	rrset->rri_nrdatas = 0;
-	rrset->rri_rdatas = NULL;
-	rrset->rri_nsigs = 0;
-	rrset->rri_sigs = NULL;
-
-	rrset->rri_name = sane_malloc(response->realnamelen + 1);
-	if (rrset->rri_name == NULL) {
-		result = ERRSET_NOMEMORY;
-		goto fail;
-	}
-	strncpy(rrset->rri_name, response->realname, response->realnamelen);
-	rrset->rri_name[response->realnamelen] = 0;
-
-	if ((response->flags & LWRDATA_VALIDATED) != 0)
-		rrset->rri_flags |= RRSET_VALIDATED;
-
-	rrset->rri_nrdatas = response->nrdatas;
-	rrset->rri_rdatas = sane_calloc(rrset->rri_nrdatas,
-				   sizeof(struct rdatainfo));
-	if (rrset->rri_rdatas == NULL) {
-		result = ERRSET_NOMEMORY;
-		goto fail;
-	}
-	for (i = 0; i < rrset->rri_nrdatas; i++) {
-		rrset->rri_rdatas[i].rdi_length = response->rdatalen[i];
-		rrset->rri_rdatas[i].rdi_data =
-				sane_malloc(rrset->rri_rdatas[i].rdi_length);
-		if (rrset->rri_rdatas[i].rdi_data == NULL) {
-			result = ERRSET_NOMEMORY;
-			goto fail;
-		}
-		memcpy(rrset->rri_rdatas[i].rdi_data, response->rdatas[i],
-		       rrset->rri_rdatas[i].rdi_length);
-	}
-	rrset->rri_nsigs = response->nsigs;
-	rrset->rri_sigs = sane_calloc(rrset->rri_nsigs,
-				      sizeof(struct rdatainfo));
-	if (rrset->rri_sigs == NULL) {
-		result = ERRSET_NOMEMORY;
-		goto fail;
-	}
-	for (i = 0; i < rrset->rri_nsigs; i++) {
-		rrset->rri_sigs[i].rdi_length = response->siglen[i];
-		rrset->rri_sigs[i].rdi_data =
-				sane_malloc(rrset->rri_sigs[i].rdi_length);
-		if (rrset->rri_sigs[i].rdi_data == NULL) {
-			result = ERRSET_NOMEMORY;
-			goto fail;
-		}
-		memcpy(rrset->rri_sigs[i].rdi_data, response->sigs[i],
-		       rrset->rri_sigs[i].rdi_length);
-	}
-
-	lwres_grbnresponse_free(lwrctx, &response);
-	lwres_conf_clear(lwrctx);
-	lwres_context_destroy(&lwrctx);
-	*res = rrset;
-	return (ERRSET_SUCCESS);
- fail:
-	if (rrset != NULL)
-		lwres_freerrset(rrset);
-	if (response != NULL)
-		lwres_grbnresponse_free(lwrctx, &response);
-	if (lwrctx != NULL) {
-		lwres_conf_clear(lwrctx);
-		lwres_context_destroy(&lwrctx);
-	}
-	return (result);
-}
-
-/*% Releases memory allocated for the dynamically allocated structures created by a successful call to lwres_getrrsetbyname(). */
-void
-lwres_freerrset(struct rrsetinfo *rrset) {
-	unsigned int i;
-	if (rrset->rri_rdatas != NULL) {
-		for (i = 0; i < rrset->rri_nrdatas; i++) {
-			if (rrset->rri_rdatas[i].rdi_data == NULL)
-				break;
-			free(rrset->rri_rdatas[i].rdi_data);
-		}
-		free(rrset->rri_rdatas);
-	}
-	if (rrset->rri_sigs != NULL) {
-		for (i = 0; i < rrset->rri_nsigs; i++) {
-			if (rrset->rri_sigs[i].rdi_data == NULL)
-				break;
-			free(rrset->rri_sigs[i].rdi_data);
-		}
-		free(rrset->rri_sigs);
-	}
-	free(rrset->rri_name);
-	free(rrset);
-}
diff --git a/contrib/bind9/lib/lwres/herror.c b/contrib/bind9/lib/lwres/herror.c
deleted file mode 100644
index 49de797..0000000
--- a/contrib/bind9/lib/lwres/herror.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1987, 1993
- *    The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- * 	This product includes software developed by the University of
- * 	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*! \file herror.c
-   lwres_herror() prints the string s on stderr followed by the string
-   generated by lwres_hstrerror() for the error code stored in the global
-   variable lwres_h_errno.
-
-   lwres_hstrerror() returns an appropriate string for the error code
-   gievn by err. The values of the error codes and messages are as
-   follows:
-
-\li   #NETDB_SUCCESS: Resolver Error 0 (no error)
-
-\li   #HOST_NOT_FOUND: Unknown host
-
-\li #TRY_AGAIN: Host name lookup failure
-
-\li   #NO_RECOVERY: Unknown server error
-
-\li   #NO_DATA: No address associated with name
-
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] =
-	"$Id$";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include <lwres/netdb.h>
-#include <lwres/platform.h>
-
-LIBLWRES_EXTERNAL_DATA int	lwres_h_errno;
-
-/*!
- * these have never been declared in any header file so make them static
- */
-
-static const char *h_errlist[] = {
-	"Resolver Error 0 (no error)",		/*%< 0 no error */
-	"Unknown host",				/*%< 1 HOST_NOT_FOUND */
-	"Host name lookup failure",		/*%< 2 TRY_AGAIN */
-	"Unknown server error",			/*%< 3 NO_RECOVERY */
-	"No address associated with name",	/*%< 4 NO_ADDRESS */
-};
-
-static int	h_nerr = sizeof(h_errlist) / sizeof(h_errlist[0]);
-
-
-/*!
- * herror --
- *	print the error indicated by the h_errno value.
- */
-void
-lwres_herror(const char *s) {
-	fprintf(stderr, "%s: %s\n", s, lwres_hstrerror(lwres_h_errno));
-}
-
-/*!
- * hstrerror --
- *	return the string associated with a given "host" errno value.
- */
-const char *
-lwres_hstrerror(int err) {
-	if (err < 0)
-		return ("Resolver internal error");
-	else if (err < h_nerr)
-		return (h_errlist[err]);
-	return ("Unknown resolver error");
-}
diff --git a/contrib/bind9/lib/lwres/include/Makefile.in b/contrib/bind9/lib/lwres/include/Makefile.in
deleted file mode 100644
index 6c3d07f..0000000
--- a/contrib/bind9/lib/lwres/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.8 2007/06/19 23:47:22 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	lwres
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/lwres/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/include/lwres/Makefile.in
deleted file mode 100644
index 36b8b03..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/Makefile.in
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.23 2007/06/19 23:47:22 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated.  The latter are handled specially in the
-# install target below.
-#
-HEADERS =	context.h lwbuffer.h lwpacket.h lwres.h result.h \
-		int.h lang.h list.h ipv6.h version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/lwres
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/lwres ; \
-	done
-	${INSTALL_DATA} netdb.h ${DESTDIR}${includedir}/lwres
-	${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/lwres
-
-distclean::
-	rm -f netdb.h platform.h
diff --git a/contrib/bind9/lib/lwres/include/lwres/context.h b/contrib/bind9/lib/lwres/include/lwres/context.h
deleted file mode 100644
index 434573c..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/context.h
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context.h,v 1.23 2008/12/17 23:47:58 tbox Exp $ */
-
-#ifndef LWRES_CONTEXT_H
-#define LWRES_CONTEXT_H 1
-
-/*! \file lwres/context.h */
-
-#include <stddef.h>
-
-#include <lwres/lang.h>
-#include <lwres/int.h>
-#include <lwres/result.h>
-
-/*!
- * Used to set various options such as timeout, authentication, etc
- */
-typedef struct lwres_context lwres_context_t;
-
-LWRES_LANG_BEGINDECLS
-
-typedef void *(*lwres_malloc_t)(void *arg, size_t length);
-typedef void (*lwres_free_t)(void *arg, void *mem, size_t length);
-
-/*
- * XXXMLG
- *
- * Make the server reload /etc/resolv.conf periodically.
- *
- * Make the server do sortlist/searchlist.
- *
- * Client side can disable the search/sortlist processing.
- *
- * Use an array of addresses/masks and searchlist for client-side, and
- * if added to the client disable the processing on the server.
- *
- * Share /etc/resolv.conf data between contexts.
- */
-
-/*!
- * _SERVERMODE
- *	Don't allocate and connect a socket to the server, since the
- *	caller _is_ a server.
- *
- * _USEIPV4, _USEIPV6
- *	Use IPv4 and IPv6 transactions with remote servers, respectively.
- *	For backward compatibility, regard both flags as being set when both
- *	are cleared.
- */
-#define LWRES_CONTEXT_SERVERMODE	0x00000001U
-#define LWRES_CONTEXT_USEIPV4		0x00000002U
-#define LWRES_CONTEXT_USEIPV6		0x00000004U
-
-lwres_result_t
-lwres_context_create(lwres_context_t **contextp, void *arg,
-		     lwres_malloc_t malloc_function,
-		     lwres_free_t free_function,
-		     unsigned int flags);
-/**<
- * Allocate a lwres context.  This is used in all lwres calls.
- *
- * Memory management can be replaced here by passing in two functions.
- * If one is non-NULL, they must both be non-NULL.  "arg" is passed to
- * these functions.
- *
- * Contexts are not thread safe.  Document at the top of the file.
- * XXXMLG
- *
- * If they are NULL, the standard malloc() and free() will be used.
- *
- *\pre	contextp != NULL && contextp == NULL.
- *
- *\return	Returns 0 on success, non-zero on failure.
- */
-
-void
-lwres_context_destroy(lwres_context_t **contextp);
-/**<
- * Frees all memory associated with a lwres context.
- *
- *\pre	contextp != NULL && contextp == NULL.
- */
-
-lwres_uint32_t
-lwres_context_nextserial(lwres_context_t *ctx);
-/**<
- * XXXMLG Document
- */
-
-void
-lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial);
-
-void
-lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len);
-
-void *
-lwres_context_allocmem(lwres_context_t *ctx, size_t len);
-
-int
-lwres_context_getsocket(lwres_context_t *ctx);
-
-lwres_result_t
-lwres_context_send(lwres_context_t *ctx,
-		   void *sendbase, int sendlen);
-
-lwres_result_t
-lwres_context_recv(lwres_context_t *ctx,
-		   void *recvbase, int recvlen,
-		   int *recvd_len);
-
-lwres_result_t
-lwres_context_sendrecv(lwres_context_t *ctx,
-		       void *sendbase, int sendlen,
-		       void *recvbase, int recvlen,
-		       int *recvd_len);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_CONTEXT_H */
-
diff --git a/contrib/bind9/lib/lwres/include/lwres/int.h b/contrib/bind9/lib/lwres/include/lwres/int.h
deleted file mode 100644
index 3fb0c4f..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/int.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: int.h,v 1.14 2007/06/19 23:47:23 tbox Exp $ */
-
-#ifndef LWRES_INT_H
-#define LWRES_INT_H 1
-
-/*! \file lwres/int.h */
-
-typedef char				lwres_int8_t;
-typedef unsigned char			lwres_uint8_t;
-typedef short				lwres_int16_t;
-typedef unsigned short			lwres_uint16_t;
-typedef int				lwres_int32_t;
-typedef unsigned int			lwres_uint32_t;
-typedef long long			lwres_int64_t;
-typedef unsigned long long		lwres_uint64_t;
-
-#endif /* LWRES_INT_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/ipv6.h b/contrib/bind9/lib/lwres/include/lwres/ipv6.h
deleted file mode 100644
index 5d54b29..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/ipv6.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ipv6.h,v 1.16 2007/06/19 23:47:23 tbox Exp $ */
-
-#ifndef LWRES_IPV6_H
-#define LWRES_IPV6_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file lwres/ipv6.h
- * IPv6 definitions for systems which do not support IPv6.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <lwres/int.h>
-#include <lwres/platform.h>
-
-/***
- *** Types.
- ***/
-
-/*% in6_addr structure */
-struct in6_addr {
-        union {
-		lwres_uint8_t	_S6_u8[16];
-		lwres_uint16_t	_S6_u16[8];
-		lwres_uint32_t	_S6_u32[4];
-        } _S6_un;
-};
-/*@{*/
-/*% IP v6 types */
-#define s6_addr		_S6_un._S6_u8
-#define s6_addr8	_S6_un._S6_u8
-#define s6_addr16	_S6_un._S6_u16
-#define s6_addr32	_S6_un._S6_u32
-/*@}*/
-
-#define IN6ADDR_ANY_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
-#define IN6ADDR_LOOPBACK_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
-
-LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
-LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
-
-/*% used in getaddrinfo.c and getnameinfo.c */
-struct sockaddr_in6 {
-#ifdef LWRES_PLATFORM_HAVESALEN
-	lwres_uint8_t		sin6_len;
-	lwres_uint8_t		sin6_family;
-#else
-	lwres_uint16_t		sin6_family;
-#endif
-	lwres_uint16_t		sin6_port;
-	lwres_uint32_t		sin6_flowinfo;
-	struct in6_addr		sin6_addr;
-	lwres_uint32_t		sin6_scope_id;
-};
-
-#ifdef LWRES_PLATFORM_HAVESALEN
-#define SIN6_LEN 1
-#endif
-
-/*% in6_pktinfo structure */
-struct in6_pktinfo {
-	struct in6_addr ipi6_addr;    /*%< src/dst IPv6 address */
-	unsigned int    ipi6_ifindex; /*%< send/recv interface index */
-};
-
-/*!
- * Unspecified IPv6 address
- */
-#define IN6_IS_ADDR_UNSPECIFIED(a)      \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] == 0))
-
-/*
- * Loopback
- */
-#define IN6_IS_ADDR_LOOPBACK(a)         \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] == htonl(1)))
-
-/*
- * IPv4 compatible
- */
-#define IN6_IS_ADDR_V4COMPAT(a)         \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] != 0) &&    \
-         ((a)->s6_addr32[3] != htonl(1)))
-
-/*
- * Mapped
- */
-#define IN6_IS_ADDR_V4MAPPED(a)               \
-        (((a)->s6_addr32[0] == 0) &&          \
-         ((a)->s6_addr32[1] == 0) &&          \
-         ((a)->s6_addr32[2] == htonl(0x0000ffff)))
-
-#endif /* LWRES_IPV6_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/lang.h b/contrib/bind9/lib/lwres/include/lwres/lang.h
deleted file mode 100644
index b680e4b..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/lang.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lang.h,v 1.13 2007/06/19 23:47:23 tbox Exp $ */
-
-#ifndef LWRES_LANG_H
-#define LWRES_LANG_H 1
-
-/*! \file lwres/lang.h */
-
-#ifdef __cplusplus
-#define LWRES_LANG_BEGINDECLS	extern "C" {
-#define LWRES_LANG_ENDDECLS	}
-#else
-#define LWRES_LANG_BEGINDECLS
-#define LWRES_LANG_ENDDECLS
-#endif
-
-#endif /* LWRES_LANG_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/list.h b/contrib/bind9/lib/lwres/include/lwres/list.h
deleted file mode 100644
index c6ab096..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/list.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: list.h,v 1.14 2007/06/19 23:47:23 tbox Exp $ */
-
-#ifndef LWRES_LIST_H
-#define LWRES_LIST_H 1
-
-/*! \file lwres/list.h */
-
-#define LWRES_LIST(type) struct { type *head, *tail; }
-#define LWRES_LIST_INIT(list) \
-	do { (list).head = NULL; (list).tail = NULL; } while (0)
-
-#define LWRES_LINK(type) struct { type *prev, *next; }
-#define LWRES_LINK_INIT(elt, link) \
-	do { \
-		(elt)->link.prev = (void *)(-1); \
-		(elt)->link.next = (void *)(-1); \
-	} while (0)
-#define LWRES_LINK_LINKED(elt, link) \
-	((void *)((elt)->link.prev) != (void *)(-1))
-
-#define LWRES_LIST_HEAD(list) ((list).head)
-#define LWRES_LIST_TAIL(list) ((list).tail)
-#define LWRES_LIST_EMPTY(list) LWRES_TF((list).head == NULL)
-
-#define LWRES_LIST_PREPEND(list, elt, link) \
-	do { \
-		if ((list).head != NULL) \
-			(list).head->link.prev = (elt); \
-		else \
-			(list).tail = (elt); \
-		(elt)->link.prev = NULL; \
-		(elt)->link.next = (list).head; \
-		(list).head = (elt); \
-	} while (0)
-
-#define LWRES_LIST_APPEND(list, elt, link) \
-	do { \
-		if ((list).tail != NULL) \
-			(list).tail->link.next = (elt); \
-		else \
-			(list).head = (elt); \
-		(elt)->link.prev = (list).tail; \
-		(elt)->link.next = NULL; \
-		(list).tail = (elt); \
-	} while (0)
-
-#define LWRES_LIST_UNLINK(list, elt, link) \
-	do { \
-		if ((elt)->link.next != NULL) \
-			(elt)->link.next->link.prev = (elt)->link.prev; \
-		else \
-			(list).tail = (elt)->link.prev; \
-		if ((elt)->link.prev != NULL) \
-			(elt)->link.prev->link.next = (elt)->link.next; \
-		else \
-			(list).head = (elt)->link.next; \
-		(elt)->link.prev = (void *)(-1); \
-		(elt)->link.next = (void *)(-1); \
-	} while (0)
-
-#define LWRES_LIST_PREV(elt, link) ((elt)->link.prev)
-#define LWRES_LIST_NEXT(elt, link) ((elt)->link.next)
-
-#define LWRES_LIST_INSERTBEFORE(list, before, elt, link) \
-	do { \
-		if ((before)->link.prev == NULL) \
-			LWRES_LIST_PREPEND(list, elt, link); \
-		else { \
-			(elt)->link.prev = (before)->link.prev; \
-			(before)->link.prev = (elt); \
-			(elt)->link.prev->link.next = (elt); \
-			(elt)->link.next = (before); \
-		} \
-	} while (0)
-
-#define LWRES_LIST_INSERTAFTER(list, after, elt, link) \
-	do { \
-		if ((after)->link.next == NULL) \
-			LWRES_LIST_APPEND(list, elt, link); \
-		else { \
-			(elt)->link.next = (after)->link.next; \
-			(after)->link.next = (elt); \
-			(elt)->link.next->link.prev = (elt); \
-			(elt)->link.prev = (after); \
-		} \
-	} while (0)
-
-#define LWRES_LIST_APPENDLIST(list1, list2, link) \
-	do { \
-		if (LWRES_LIST_EMPTY(list1)) \
-			(list1) = (list2); \
-		else if (!LWRES_LIST_EMPTY(list2)) { \
-			(list1).tail->link.next = (list2).head; \
-			(list2).head->link.prev = (list1).tail; \
-			(list1).tail = (list2).tail; \
-		} \
-		(list2).head = NULL; \
-		(list2).tail = NULL; \
-	} while (0)
-
-#define LWRES_LIST_ENQUEUE(list, elt, link) LWRES_LIST_APPEND(list, elt, link)
-#define LWRES_LIST_DEQUEUE(list, elt, link) LWRES_LIST_UNLINK(list, elt, link)
-
-#endif /* LWRES_LIST_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h b/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h
deleted file mode 100644
index e3cf343..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h
+++ /dev/null
@@ -1,406 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwbuffer.h,v 1.22 2007/06/19 23:47:23 tbox Exp $ */
-
-
-/*! \file lwres/lwbuffer.h
- *
- * A buffer is a region of memory, together with a set of related subregions.
- * Buffers are used for parsing and I/O operations.
- *
- * The 'used region' and the 'available' region are disjoint, and their
- * union is the buffer's region.  The used region extends from the beginning
- * of the buffer region to the last used byte.  The available region
- * extends from one byte greater than the last used byte to the end of the
- * buffer's region.  The size of the used region can be changed using various
- * buffer commands.  Initially, the used region is empty.
- *
- * The used region is further subdivided into two disjoint regions: the
- * 'consumed region' and the 'remaining region'.  The union of these two
- * regions is the used region.  The consumed region extends from the beginning
- * of the used region to the byte before the 'current' offset (if any).  The
- * 'remaining' region the current pointer to the end of the used
- * region.  The size of the consumed region can be changed using various
- * buffer commands.  Initially, the consumed region is empty.
- *
- * The 'active region' is an (optional) subregion of the remaining region.
- * It extends from the current offset to an offset in the remaining region
- * that is selected with lwres_buffer_setactive().  Initially, the active
- * region is empty.  If the current offset advances beyond the chosen offset,
- * the active region will also be empty.
- *
- * \verbatim
- *  /----- used region -----\/-- available --\
- *  +----------------------------------------+
- *  | consumed  | remaining |                |
- *  +----------------------------------------+
- *  a           b     c     d                e
- *
- * a == base of buffer.
- * b == current pointer.  Can be anywhere between a and d.
- * c == active pointer.  Meaningful between b and d.
- * d == used pointer.
- * e == length of buffer.
- *
- * a-e == entire (length) of buffer.
- * a-d == used region.
- * a-b == consumed region.
- * b-d == remaining region.
- * b-c == optional active region.
- * \endverbatim
- *
- * The following invariants are maintained by all routines:
- *
- *\verbatim
- *	length > 0
- *
- *	base is a valid pointer to length bytes of memory
- *
- *	0 <= used <= length
- *
- *	0 <= current <= used
- *
- *	0 <= active <= used
- *	(although active < current implies empty active region)
- *\endverbatim
- *
- * \li MP:
- *	Buffers have no synchronization.  Clients must ensure exclusive
- *	access.
- *
- * \li Reliability:
- *	No anticipated impact.
- *
- * \li Resources:
- *	Memory: 1 pointer + 6 unsigned integers per buffer.
- *
- * \li Security:
- *	No anticipated impact.
- *
- * \li Standards:
- *	None.
- */
-
-#ifndef LWRES_LWBUFFER_H
-#define LWRES_LWBUFFER_H 1
-
-/***
- *** Imports
- ***/
-
-#include <lwres/lang.h>
-#include <lwres/int.h>
-
-LWRES_LANG_BEGINDECLS
-
-/***
- *** Magic numbers
- ***/
-#define LWRES_BUFFER_MAGIC		0x4275663fU	/* Buf?. */
-
-#define LWRES_BUFFER_VALID(b)		((b) != NULL && \
-					 (b)->magic == LWRES_BUFFER_MAGIC)
-
-/*!
- * The following macros MUST be used only on valid buffers.  It is the
- * caller's responsibility to ensure this by using the LWRES_BUFFER_VALID
- * check above, or by calling another lwres_buffer_*() function (rather than
- * another macro.)
- */
-
-/*!
- * Get the length of the used region of buffer "b"
- */
-#define LWRES_BUFFER_USEDCOUNT(b)	((b)->used)
-
-/*!
- * Get the length of the available region of buffer "b"
- */
-#define LWRES_BUFFER_AVAILABLECOUNT(b)	((b)->length - (b)->used)
-
-#define LWRES_BUFFER_REMAINING(b)	((b)->used - (b)->current)
-
-/*!
- * Note that the buffer structure is public.  This is principally so buffer
- * operations can be implemented using macros.  Applications are strongly
- * discouraged from directly manipulating the structure.
- */
-
-typedef struct lwres_buffer lwres_buffer_t;
-/*!
- * Buffer data structure
- */
-struct lwres_buffer {
-	unsigned int		magic;
-	unsigned char 	       *base;
-	/* The following integers are byte offsets from 'base'. */
-	unsigned int		length;
-	unsigned int		used;
-	unsigned int 		current;
-	unsigned int 		active;
-};
-
-/***
- *** Functions
- ***/
-
-void
-lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
-/**<
- * Make 'b' refer to the 'length'-byte region starting at base.
- *
- * Requires:
- *
- *	'length' > 0
- *
- *	'base' is a pointer to a sequence of 'length' bytes.
- *
- */
-
-void
-lwres_buffer_invalidate(lwres_buffer_t *b);
-/**<
- * Make 'b' an invalid buffer.
- *
- * Requires:
- *	'b' is a valid buffer.
- *
- * Ensures:
- *	If assertion checking is enabled, future attempts to use 'b' without
- *	calling lwres_buffer_init() on it will cause an assertion failure.
- */
-
-void
-lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
-/**<
- * Increase the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- *	'b' is a valid buffer
- *
- *	used + n <= length
- *
- */
-
-void
-lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
-/**<
- * Decrease the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- *	'b' is a valid buffer
- *
- *	used >= n
- *
- */
-
-void
-lwres_buffer_clear(lwres_buffer_t *b);
-/**<
- * Make the used region empty.
- *
- * Requires:
- *
- *	'b' is a valid buffer
- *
- * Ensures:
- *
- *	used = 0
- *
- */
-
-
-void
-lwres_buffer_first(lwres_buffer_t *b);
-/**<
- * Make the consumed region empty.
- *
- * Requires:
- *
- *	'b' is a valid buffer
- *
- * Ensures:
- *
- *	current == 0
- *
- */
-
-void
-lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
-/**<
- * Increase the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- *	'b' is a valid buffer
- *
- *	current + n <= used
- *
- */
-
-void
-lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
-/**<
- * Decrease the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- *	'b' is a valid buffer
- *
- *	n <= current
- *
- */
-
-lwres_uint8_t
-lwres_buffer_getuint8(lwres_buffer_t *b);
-/**<
- * Read an unsigned 8-bit integer from 'b' and return it.
- *
- * Requires:
- *
- *	'b' is a valid buffer.
- *
- *	The length of the available region of 'b' is at least 1.
- *
- * Ensures:
- *
- *	The current pointer in 'b' is advanced by 1.
- *
- * Returns:
- *
- *	A 8-bit unsigned integer.
- */
-
-void
-lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val);
-/**<
- * Store an unsigned 8-bit integer from 'val' into 'b'.
- *
- * Requires:
- *	'b' is a valid buffer.
- *
- *	The length of the unused region of 'b' is at least 1.
- *
- * Ensures:
- *	The used pointer in 'b' is advanced by 1.
- */
-
-lwres_uint16_t
-lwres_buffer_getuint16(lwres_buffer_t *b);
-/**<
- * Read an unsigned 16-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- *	'b' is a valid buffer.
- *
- *	The length of the available region of 'b' is at least 2.
- *
- * Ensures:
- *
- *	The current pointer in 'b' is advanced by 2.
- *
- * Returns:
- *
- *	A 16-bit unsigned integer.
- */
-
-void
-lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val);
-/**<
- * Store an unsigned 16-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- *	'b' is a valid buffer.
- *
- *	The length of the unused region of 'b' is at least 2.
- *
- * Ensures:
- *	The used pointer in 'b' is advanced by 2.
- */
-
-lwres_uint32_t
-lwres_buffer_getuint32(lwres_buffer_t *b);
-/**<
- * Read an unsigned 32-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- *	'b' is a valid buffer.
- *
- *	The length of the available region of 'b' is at least 2.
- *
- * Ensures:
- *
- *	The current pointer in 'b' is advanced by 2.
- *
- * Returns:
- *
- *	A 32-bit unsigned integer.
- */
-
-void
-lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val);
-/**<
- * Store an unsigned 32-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- *	'b' is a valid buffer.
- *
- *	The length of the unused region of 'b' is at least 4.
- *
- * Ensures:
- *	The used pointer in 'b' is advanced by 4.
- */
-
-void
-lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
-		    unsigned int length);
-/**<
- * Copy 'length' bytes of memory at 'base' into 'b'.
- *
- * Requires:
- *	'b' is a valid buffer.
- *
- *	'base' points to 'length' bytes of valid memory.
- *
- */
-
-void
-lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
-		    unsigned int length);
-/**<
- * Copy 'length' bytes of memory from 'b' into 'base'.
- *
- * Requires:
- *	'b' is a valid buffer.
- *
- *	'base' points to at least 'length' bytes of valid memory.
- *
- *	'b' have at least 'length' bytes remaining.
- */
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_LWBUFFER_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwpacket.h b/contrib/bind9/lib/lwres/include/lwres/lwpacket.h
deleted file mode 100644
index 96f8e54..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/lwpacket.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwpacket.h,v 1.24 2007/06/19 23:47:23 tbox Exp $ */
-
-#ifndef LWRES_LWPACKET_H
-#define LWRES_LWPACKET_H 1
-
-#include <lwres/lang.h>
-#include <lwres/lwbuffer.h>
-#include <lwres/result.h>
-
-/*% lwres_lwpacket_t */
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-
-/*% lwres_lwpacket structure */
-struct lwres_lwpacket {
-	/*! The overall packet length, including the 
-	 *  entire packet header.
-	 *  This field is filled in by the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
-	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
-	 */
-	lwres_uint32_t		length;
-	/*! Specifies the header format.  Currently, 
-	 *  there is only one format, #LWRES_LWPACKETVERSION_0.
-	 *  This field is filled in by the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
-	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
-         */
-	lwres_uint16_t		version;
- 	/*! Specifies library-defined flags for this packet, such as
-	 *  whether the packet is a request or a reply.  None of 
-	 *  these are definable by the caller, but library-defined values 
-	 *  can be set by the caller.  For example, one bit in this field 
-	 *  indicates if the packet is a request or a response.
-	 *  This field is filled in by
-	 *  the application wits the exception of the
-	 *  #LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library
-	 *  in the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
-	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
-         */
-	lwres_uint16_t		pktflags;
- 	/*! Set by the requestor and is returned in all replies.  
-	 *  If two packets from the same source have the same serial 
-	 *  number and are from the same source, they are assumed to 
-	 *  be duplicates and the latter ones may be dropped.  
-	 *  (The library does not do this by default on replies, but
- 	 * does so on requests.)
-         */
-	lwres_uint32_t		serial;
- 	/*! Opcodes between 0x04000000 and 0xffffffff
- 	 *  are application defined.  Opcodes between 
-	 *  0x00000000 and 0x03ffffff are
- 	 * reserved for library use.
-	 *  This field is filled in by the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
-	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
-	 */
-	lwres_uint32_t		opcode;
- 	/*! Only valid for results.  
-	 *  Results between 0x04000000 and 0xffffffff are application 
-	 *  defined.
- 	 * Results between 0x00000000 and 0x03ffffff are reserved for 
-	 * library use.
- 	 * (This is the same reserved range defined in <isc/resultclass.h>, 
-	 * so it
- 	 * would be trivial to map ISC_R_* result codes into packet result 
-	 * codes when appropriate.)
-	 *  This field is filled in by the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
-	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
-	 */
-	lwres_uint32_t		result;
- 	/*! Set to the maximum buffer size that the receiver can
- 	 *  handle on requests, and the size of the buffer needed to 
-	 *  satisfy a request
- 	 *  when the buffer is too large for replies.
-	 *  This field is supplied by the application.
-	 */
-	lwres_uint32_t		recvlength;
- 	/*! The packet level auth type used.
- 	 *  Authtypes between 0x1000 and 0xffff are application defined.  
-	 *  Authtypes
- 	 *  between 0x0000 and 0x0fff are reserved for library use.  
-	 *  This is currently
- 	 *  unused and MUST be set to zero.
-	 */
-	lwres_uint16_t		authtype;
- 	/*! The length of the authentication data.  
-	 *  See the specific
- 	 * authtypes for more information on what is contained 
-	 * in this field.  This is currently unused, and 
-	 * MUST be set to zero.
-	 */
-	lwres_uint16_t		authlength;
-};
-
-#define LWRES_LWPACKET_LENGTH		(4 * 5 + 2 * 4) /*%< Overall length. */
-
-#define LWRES_LWPACKETFLAG_RESPONSE	0x0001U	/*%< If set, pkt is a response. */
-
-
-#define LWRES_LWPACKETVERSION_0		0	/*%< Header format. */
-
-/*! \file lwres/lwpacket.h
- *
- *
- * The remainder of the packet consists of two regions, one described by
- * "authlen" and one of "length - authlen - sizeof(lwres_lwpacket_t)".
- *
- * That is:
- *
- * \code
- *	pkt header
- *	authlen bytes of auth information
- *	data bytes
- * \endcode
- *
- * Currently defined opcodes:
- *
- *\li	#LWRES_OPCODE_NOOP.  Success is always returned, with the packet contents echoed.
- *
- *\li	#LWRES_OPCODE_GETADDRSBYNAME.  Return all known addresses for a given name.
- *		This may return NIS or /etc/hosts info as well as DNS
- *		information.  Flags will be provided to indicate ip4/ip6
- *		addresses are desired.
- *
- *\li	#LWRES_OPCODE_GETNAMEBYADDR.	Return the hostname for the given address.  Once
- *		again, it will return data from multiple sources.
- */
-
-LWRES_LANG_BEGINDECLS
-
-/* XXXMLG document */
-lwres_result_t
-lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
-
-lwres_result_t
-lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_LWPACKET_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwres.h b/contrib/bind9/lib/lwres/include/lwres/lwres.h
deleted file mode 100644
index 6912448..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/lwres.h
+++ /dev/null
@@ -1,579 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres.h,v 1.57 2007/06/19 23:47:23 tbox Exp $ */
-
-#ifndef LWRES_LWRES_H
-#define LWRES_LWRES_H 1
-
-#include <stdio.h>
-
-#include <lwres/context.h>
-#include <lwres/lang.h>
-#include <lwres/list.h>
-#include <lwres/lwpacket.h>
-#include <lwres/platform.h>
-
-/*! \file lwres/lwres.h */
-
-/*!
- * Design notes:
- *
- * Each opcode has two structures and three functions which operate on each
- * structure.  For example, using the "no operation/ping" opcode as an
- * example:
- *
- *	<ul><li>lwres_nooprequest_t:
- *
- *		lwres_nooprequest_render() takes a lwres_nooprequest_t and
- *		and renders it into wire format, storing the allocated
- *		buffer information in a passed-in buffer.  When this buffer
- *		is no longer needed, it must be freed by
- *		lwres_context_freemem().  All other memory used by the
- *		caller must be freed manually, including the
- *		lwres_nooprequest_t passed in.<br /><br />
- *
- *		lwres_nooprequest_parse() takes a wire format message and
- *		breaks it out into a lwres_nooprequest_t.  The structure
- *		must be freed via lwres_nooprequest_free() when it is no longer
- *		needed.<br /><br />
- *
- *		lwres_nooprequest_free() releases into the lwres_context_t
- *		any space allocated during parsing.</li>
- *
- *	<li>lwres_noopresponse_t:
- *
- *		The functions used are similar to the three used for
- *		requests, just with different names.</li></ul>
- *
- * Typically, the client will use request_render, response_parse, and
- * response_free, while the daemon will use request_parse, response_render,
- * and request_free.
- *
- * The basic flow of a typical client is:
- *
- *	\li fill in a request_t, and call the render function.
- *
- *	\li Transmit the buffer returned to the daemon.
- *
- *	\li Wait for a response.
- *
- *	\li When a response is received, parse it into a response_t.
- *
- *	\li free the request buffer using lwres_context_freemem().
- *
- *	\li free the response structure and its associated buffer using
- *	response_free().
- */
-
-#define LWRES_UDP_PORT		921	/*%< UDP Port Number */
-#define LWRES_RECVLENGTH	16384 /*%< Maximum Packet Length */
-#define LWRES_ADDR_MAXLEN	16	/*%< changing this breaks ABI */
-#define LWRES_RESOLV_CONF	"/etc/resolv.conf" /*%< Location of resolv.conf */
-
-/*% DNSSEC is not required (input).  Only relevant to rrset queries. */
-#define LWRES_FLAG_TRUSTNOTREQUIRED	0x00000001U
-/*% The data was crypto-verified with DNSSEC (output). */
-#define LWRES_FLAG_SECUREDATA		0x00000002U
-
-/*% no-op */
-#define LWRES_OPCODE_NOOP		0x00000000U
-
-/*% lwres_nooprequest_t */
-typedef struct {
-	/* public */
-	lwres_uint16_t			datalength;
-	unsigned char		       *data;
-} lwres_nooprequest_t;
-
-/*% lwres_noopresponse_t */
-typedef struct {
-	/* public */
-	lwres_uint16_t			datalength;
-	unsigned char		       *data;
-} lwres_noopresponse_t;
-
-/*% get addresses by name */
-#define LWRES_OPCODE_GETADDRSBYNAME	0x00010001U
-
-/*% lwres_addr_t */
-typedef struct lwres_addr lwres_addr_t;
-
-/*% LWRES_LIST */
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
-/*% lwres_addr */
-struct lwres_addr {
-	lwres_uint32_t			family;
-	lwres_uint16_t			length;
-	unsigned char			address[LWRES_ADDR_MAXLEN];
-	LWRES_LINK(lwres_addr_t)	link;
-};
-
-/*% lwres_gabnrequest_t */
-typedef struct {
-	/* public */
-	lwres_uint32_t			flags;
-	lwres_uint32_t			addrtypes;
-	lwres_uint16_t			namelen;
-	char			       *name;
-} lwres_gabnrequest_t;
-
-/*% lwres_gabnresponse_t */
-typedef struct {
-	/* public */
-	lwres_uint32_t			flags;
-	lwres_uint16_t			naliases;
-	lwres_uint16_t			naddrs;
-	char			       *realname;
-	char			      **aliases;
-	lwres_uint16_t			realnamelen;
-	lwres_uint16_t		       *aliaslen;
-	lwres_addrlist_t		addrs;
-	/*! if base != NULL, it will be freed when this structure is freed. */
-	void			       *base;
-	size_t				baselen;
-} lwres_gabnresponse_t;
-
-/*% get name by address */
-#define LWRES_OPCODE_GETNAMEBYADDR	0x00010002U
-
-/*% lwres_gnbarequest_t */
-typedef struct {
-	/* public */
-	lwres_uint32_t			flags;
-	lwres_addr_t			addr;
-} lwres_gnbarequest_t;
-
-/*% lwres_gnbaresponse_t */
-typedef struct {
-	/* public */
-	lwres_uint32_t			flags;
-	lwres_uint16_t			naliases;
-	char			       *realname;
-	char			      **aliases;
-	lwres_uint16_t			realnamelen;
-	lwres_uint16_t		       *aliaslen;
-	/*! if base != NULL, it will be freed when this structure is freed. */
-	void			       *base;
-	size_t				baselen;
-} lwres_gnbaresponse_t;
-
-/*% get rdata by name */
-#define LWRES_OPCODE_GETRDATABYNAME	0x00010003U
-
-/*% lwres_grbnrequest_t */
-typedef struct {
-	/* public */
-	lwres_uint32_t			flags;
-	lwres_uint16_t			rdclass;
-	lwres_uint16_t			rdtype;
-	lwres_uint16_t			namelen;
-	char			       *name;
-} lwres_grbnrequest_t;
-
-/*% lwres_grbnresponse_t */
-typedef struct {
-	/* public */
-	lwres_uint32_t			flags;
-	lwres_uint16_t			rdclass;
-	lwres_uint16_t			rdtype;
-	lwres_uint32_t			ttl;
-	lwres_uint16_t			nrdatas;
-	lwres_uint16_t			nsigs;
-	char			       *realname;
-	lwres_uint16_t			realnamelen;
-	unsigned char		      **rdatas;
-	lwres_uint16_t		       *rdatalen;
-	unsigned char		      **sigs;
-	lwres_uint16_t		       *siglen;
-	/*% if base != NULL, it will be freed when this structure is freed. */
-	void			       *base;
-	size_t				baselen;
-} lwres_grbnresponse_t;
-
-/*% Used by lwres_getrrsetbyname() */
-#define LWRDATA_VALIDATED	0x00000001
-
-/*!
- * resolv.conf data
- */
-
-#define LWRES_CONFMAXNAMESERVERS 3	/*%< max 3 "nameserver" entries */
-#define LWRES_CONFMAXLWSERVERS 1	/*%< max 1 "lwserver" entry */
-#define LWRES_CONFMAXSEARCH 8		/*%< max 8 domains in "search" entry */
-#define LWRES_CONFMAXLINELEN 256	/*%< max size of a line */
-#define LWRES_CONFMAXSORTLIST 10	/*%< max 10 */
-
-/*% lwres_conf_t */
-typedef struct {
-	lwres_context_t *lwctx;
-	lwres_addr_t    nameservers[LWRES_CONFMAXNAMESERVERS];
-	lwres_uint8_t	nsnext;		/*%< index for next free slot */
-
-	lwres_addr_t	lwservers[LWRES_CONFMAXLWSERVERS];
-	lwres_uint8_t	lwnext;		/*%< index for next free slot */
-
-	char	       *domainname;
-
-	char 	       *search[LWRES_CONFMAXSEARCH];
-	lwres_uint8_t	searchnxt;	/*%< index for next free slot */
-
-	struct {
-		lwres_addr_t addr;
-		/*% mask has a non-zero 'family' and 'length' if set */
-		lwres_addr_t mask;
-	} sortlist[LWRES_CONFMAXSORTLIST];
-	lwres_uint8_t	sortlistnxt;
-
-	lwres_uint8_t	resdebug;      /*%< non-zero if 'options debug' set */
-	lwres_uint8_t	ndots;	       /*%< set to n in 'options ndots:n' */
-	lwres_uint8_t	no_tld_query;  /*%< non-zero if 'options no_tld_query' */
-} lwres_conf_t;
-
-#define LWRES_ADDRTYPE_V4		0x00000001U	/*%< ipv4 */
-#define LWRES_ADDRTYPE_V6		0x00000002U	/*%< ipv6 */
-
-#define LWRES_MAX_ALIASES		16		/*%< max # of aliases */
-#define LWRES_MAX_ADDRS			64		/*%< max # of addrs */
-
-LWRES_LANG_BEGINDECLS
-
-/*% This is in host byte order. */
-LIBLWRES_EXTERNAL_DATA extern lwres_uint16_t lwres_udp_port;
-
-LIBLWRES_EXTERNAL_DATA extern const char *lwres_resolv_conf;
-
-lwres_result_t
-lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
-			 lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
-			  lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);
-
-lwres_result_t
-lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			 lwres_lwpacket_t *pkt,
-			 lwres_gabnresponse_t **structp);
-
-void
-lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
-/**<
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- *	ctx != NULL, and be a context returned via lwres_context_create().
- *
- *	structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- *	*structp == NULL.
- *
- *	All memory allocated by this structure will be returned to the
- *	system via the context's free function.
- */
-
-void
-lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp);
-/**<
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- *	ctx != NULL, and be a context returned via lwres_context_create().
- *
- *	structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- *	*structp == NULL.
- *
- *	All memory allocated by this structure will be returned to the
- *	system via the context's free function.
- */
-
-
-lwres_result_t
-lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
-			 lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
-			  lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);
-
-lwres_result_t
-lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			 lwres_lwpacket_t *pkt,
-			 lwres_gnbaresponse_t **structp);
-
-void
-lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
-/**<
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- *	ctx != NULL, and be a context returned via lwres_context_create().
- *
- *	structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- *	*structp == NULL.
- *
- *	All memory allocated by this structure will be returned to the
- *	system via the context's free function.
- */
-
-void
-lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);
-/**<
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- *	ctx != NULL, and be a context returned via lwres_context_create().
- *
- *	structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- *	*structp == NULL.
- *
- *	All memory allocated by this structure will be returned to the
- *	system via the context's free function.
- */
-
-lwres_result_t
-lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
-			 lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
-			  lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp);
-
-lwres_result_t
-lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			 lwres_lwpacket_t *pkt,
-			 lwres_grbnresponse_t **structp);
-
-void
-lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp);
-/**<
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- *	ctx != NULL, and be a context returned via lwres_context_create().
- *
- *	structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- *	*structp == NULL.
- *
- *	All memory allocated by this structure will be returned to the
- *	system via the context's free function.
- */
-
-void
-lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp);
-/**<
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- *	ctx != NULL, and be a context returned via lwres_context_create().
- *
- *	structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- *	*structp == NULL.
- *
- *	All memory allocated by this structure will be returned to the
- *	system via the context's free function.
- */
-
-lwres_result_t
-lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
-			 lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-/**<
- * Allocate space and render into wire format a noop request packet.
- *
- * Requires:
- *
- *	ctx != NULL, and be a context returned via lwres_context_create().
- *
- *	b != NULL, and points to a lwres_buffer_t.  The contents of the
- *	buffer structure will be initialized to contain the wire-format
- *	noop request packet.
- *
- *	Caller needs to fill in parts of "pkt" before calling:
- *		serial, maxrecv, result.
- *
- * Returns:
- *
- *	Returns 0 on success, non-zero on failure.
- *
- *	On successful return, *b will contain data about the wire-format
- *	packet.  It can be transmitted in any way, including lwres_sendblock().
- */
-
-lwres_result_t
-lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
-			  lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);
-/**<
- * Parse a noop request.  Note that to get here, the lwpacket must have
- * already been parsed and removed by the caller, otherwise it would be
- * pretty hard for it to know this is the right function to call.
- *
- * The function verifies bits of the header, but does not modify it.
- */
-
-lwres_result_t
-lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			 lwres_lwpacket_t *pkt,
-			 lwres_noopresponse_t **structp);
-
-void
-lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp);
-
-void
-lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
-
-/**<
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- *	ctx != NULL, and be a context returned via lwres_context_create().
- *
- *	structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- *	*structp == NULL.
- *
- *	All memory allocated by this structure will be returned to the
- *	system via the context's free function.
- */
-
-lwres_result_t
-lwres_conf_parse(lwres_context_t *ctx, const char *filename);
-/**<
- * parses a resolv.conf-format file and stores the results in the structure
- * pointed to by *ctx.
- *
- * Requires:
- *	ctx != NULL
- *	filename != NULL && strlen(filename) > 0
- *
- * Returns:
- *	LWRES_R_SUCCESS on a successful parse.
- *	Anything else on error, although the structure may be partially filled
- *	in.
- */
-
-lwres_result_t
-lwres_conf_print(lwres_context_t *ctx, FILE *fp);
-/**<
- * Prints a resolv.conf-format of confdata output to fp.
- *
- * Requires:
- *	ctx != NULL
- */
-
-void
-lwres_conf_init(lwres_context_t *ctx);
-/**<
- * sets all internal fields to a default state. Used to initialize a new
- * lwres_conf_t structure (not reset a used on).
- *
- * Requires:
- *	ctx != NULL
- */
-
-void
-lwres_conf_clear(lwres_context_t *ctx);
-/**<
- * frees all internally allocated memory in confdata. Uses the memory
- * routines supplied by ctx.
- *
- * Requires:
- *	ctx != NULL
- */
-
-lwres_conf_t *
-lwres_conf_get(lwres_context_t *ctx);
-/**<
- * Be extremely cautions in modifying the contents of this structure; it
- * needs an API to return the various bits of data, walk lists, etc.
- *
- * Requires:
- *	ctx != NULL
- */
-
-/*
- * Helper functions
- */
-
-lwres_result_t
-lwres_data_parse(lwres_buffer_t *b, unsigned char **p, lwres_uint16_t *len);
-
-lwres_result_t
-lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len);
-
-lwres_result_t
-lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr);
-
-lwres_result_t
-lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
-		     lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);
-
-lwres_result_t
-lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
-		    lwres_uint16_t addrlen, const unsigned char *addr,
-		    lwres_gnbaresponse_t **structp);
-
-lwres_result_t
-lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
-		     lwres_uint16_t rdclass, lwres_uint16_t rdtype,
-		     lwres_uint32_t flags, lwres_grbnresponse_t **structp);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_LWRES_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/netdb.h.in b/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
deleted file mode 100644
index 0844384..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netdb.h.in,v 1.41 2009/01/18 23:48:14 tbox Exp $ */
-
-/*! \file */
-
-#ifndef LWRES_NETDB_H
-#define LWRES_NETDB_H 1
-
-#include <stddef.h>	/* Required on FreeBSD (and  others?) for size_t. */
-#include <netdb.h>	/* Contractual provision. */
-
-#include <lwres/lang.h>
-
-/*
- * Define if <netdb.h> does not declare struct addrinfo.
- */
-@ISC_LWRES_NEEDADDRINFO@
-
-#ifdef ISC_LWRES_NEEDADDRINFO
-struct addrinfo {
-	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
-	int		ai_family;     /* PF_xxx */
-	int		ai_socktype;   /* SOCK_xxx */
-	int		ai_protocol;   /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
-	size_t		ai_addrlen;    /* Length of ai_addr */
-	char		*ai_canonname; /* Canonical name for hostname */
-	struct sockaddr	*ai_addr;      /* Binary address */
-	struct addrinfo	*ai_next;      /* Next structure in linked list */
-};
-#endif
-
-/*
- * Undefine all #defines we are interested in as <netdb.h> may or may not have
- * defined them.
- */
-
-/*
- * Error return codes from gethostbyname() and gethostbyaddr()
- * (left in extern int h_errno).
- */
-
-#undef	NETDB_INTERNAL
-#undef	NETDB_SUCCESS
-#undef	HOST_NOT_FOUND
-#undef	TRY_AGAIN
-#undef	NO_RECOVERY
-#undef	NO_DATA
-#undef	NO_ADDRESS
-
-#define	NETDB_INTERNAL	-1	/* see errno */
-#define	NETDB_SUCCESS	0	/* no problem */
-#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
-#define	TRY_AGAIN	2 /* Non-Authoritative Host not found, or SERVERFAIL */
-#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
-#define	NO_DATA		4 /* Valid name, no data record of requested type */
-#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
-
-/*
- * Error return codes from getaddrinfo()
- */
-
-#undef	EAI_ADDRFAMILY
-#undef	EAI_AGAIN
-#undef	EAI_BADFLAGS
-#undef	EAI_FAIL
-#undef	EAI_FAMILY
-#undef	EAI_MEMORY
-#undef	EAI_NODATA
-#undef	EAI_NONAME
-#undef	EAI_SERVICE
-#undef	EAI_SOCKTYPE
-#undef	EAI_SYSTEM
-#undef	EAI_BADHINTS
-#undef	EAI_PROTOCOL
-#undef	EAI_MAX
-
-#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
-#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
-#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
-#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
-#define	EAI_FAMILY	 5	/* ai_family not supported */
-#define	EAI_MEMORY	 6	/* memory allocation failure */
-#define	EAI_NODATA	 7	/* no address associated with hostname */
-#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
-#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
-#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
-#define	EAI_SYSTEM	11	/* system error returned in errno */
-#define EAI_BADHINTS	12
-#define EAI_PROTOCOL	13
-#define EAI_MAX		14
-
-/*
- * Flag values for getaddrinfo()
- */
-#undef	AI_PASSIVE
-#undef	AI_CANONNAME
-#undef	AI_NUMERICHOST
-
-#define	AI_PASSIVE	0x00000001
-#define	AI_CANONNAME	0x00000002
-#define AI_NUMERICHOST	0x00000004
-
-/*
- * Flag values for getipnodebyname()
- */
-#undef AI_V4MAPPED
-#undef AI_ALL
-#undef AI_ADDRCONFIG
-#undef AI_DEFAULT
-
-#define AI_V4MAPPED	0x00000008
-#define AI_ALL		0x00000010
-#define AI_ADDRCONFIG	0x00000020
-#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
-
-/*
- * Constants for lwres_getnameinfo()
- */
-#undef	NI_MAXHOST
-#undef	NI_MAXSERV
-
-#define	NI_MAXHOST	1025
-#define	NI_MAXSERV	32
-
-/*
- * Flag values for lwres_getnameinfo()
- */
-#undef	NI_NOFQDN
-#undef	NI_NUMERICHOST
-#undef	NI_NAMEREQD
-#undef	NI_NUMERICSERV
-#undef	NI_DGRAM
-#undef	NI_NUMERICSCOPE
-
-#define	NI_NOFQDN	0x00000001
-#define	NI_NUMERICHOST	0x00000002
-#define	NI_NAMEREQD	0x00000004
-#define	NI_NUMERICSERV	0x00000008
-#define	NI_DGRAM	0x00000010
-#define	NI_NUMERICSCOPE	0x00000020	/*2553bis-00*/
-
-/*
- * Define if <netdb.h> does not declare struct rrsetinfo.
- */
-@ISC_LWRES_NEEDRRSETINFO@
-
-#ifdef ISC_LWRES_NEEDRRSETINFO
-/*
- * Structures for getrrsetbyname()
- */
-struct rdatainfo {
-	unsigned int		rdi_length;
-	unsigned char		*rdi_data;
-};
-
-struct rrsetinfo {
-	unsigned int		rri_flags;
-	int			rri_rdclass;
-	int			rri_rdtype;
-	unsigned int		rri_ttl;
-	unsigned int		rri_nrdatas;
-	unsigned int		rri_nsigs;
-	char			*rri_name;
-	struct rdatainfo	*rri_rdatas;
-	struct rdatainfo	*rri_sigs;
-};
-
-/*
- * Flags for getrrsetbyname()
- */
-#define RRSET_VALIDATED		0x00000001
-	/* Set was dnssec validated */
-
-/*
- * Return codes for getrrsetbyname()
- */
-#define ERRSET_SUCCESS		0
-#define ERRSET_NOMEMORY		1
-#define ERRSET_FAIL		2
-#define ERRSET_INVAL		3
-#define	ERRSET_NONAME	 	4
-#define	ERRSET_NODATA	 	5
-#endif
-
-/*
- * Define to map into lwres_ namespace.
- */
-
-#define LWRES_NAMESPACE
-
-#ifdef LWRES_NAMESPACE
-
-/*
- * Use our versions not the ones from the C library.
- */
-
-#ifdef getnameinfo
-#undef getnameinfo
-#endif
-#define getnameinfo lwres_getnameinfo
-
-#ifdef getaddrinfo
-#undef getaddrinfo
-#endif
-#define getaddrinfo lwres_getaddrinfo
-
-#ifdef freeaddrinfo
-#undef freeaddrinfo
-#endif
-#define freeaddrinfo lwres_freeaddrinfo
-
-#ifdef gai_strerror
-#undef gai_strerror
-#endif
-#define gai_strerror lwres_gai_strerror
-
-#ifdef herror
-#undef herror
-#endif
-#define herror lwres_herror
-
-#ifdef hstrerror
-#undef hstrerror
-#endif
-#define hstrerror lwres_hstrerror
-
-#ifdef getipnodebyname
-#undef getipnodebyname
-#endif
-#define getipnodebyname lwres_getipnodebyname
-
-#ifdef getipnodebyaddr
-#undef getipnodebyaddr
-#endif
-#define getipnodebyaddr lwres_getipnodebyaddr
-
-#ifdef freehostent
-#undef freehostent
-#endif
-#define freehostent lwres_freehostent
-
-#ifdef gethostbyname
-#undef gethostbyname
-#endif
-#define gethostbyname lwres_gethostbyname
-
-#ifdef gethostbyname2
-#undef gethostbyname2
-#endif
-#define gethostbyname2 lwres_gethostbyname2
-
-#ifdef gethostbyaddr
-#undef gethostbyaddr
-#endif
-#define gethostbyaddr lwres_gethostbyaddr
-
-#ifdef gethostent
-#undef gethostent
-#endif
-#define gethostent lwres_gethostent
-
-#ifdef sethostent
-#undef sethostent
-#endif
-#define sethostent lwres_sethostent
-
-#ifdef endhostent
-#undef endhostent
-#endif
-#define endhostent lwres_endhostent
-
-/* #define sethostfile lwres_sethostfile */
-
-#ifdef gethostbyname_r
-#undef gethostbyname_r
-#endif
-#define gethostbyname_r lwres_gethostbyname_r
-
-#ifdef gethostbyaddr_r
-#undef gethostbyaddr_r
-#endif
-#define gethostbyaddr_r lwres_gethostbyaddr_r
-
-#ifdef gethostent_r
-#undef gethostent_r
-#endif
-#define gethostent_r lwres_gethostent_r
-
-#ifdef sethostent_r
-#undef sethostent_r
-#endif
-#define sethostent_r lwres_sethostent_r
-
-#ifdef endhostent_r
-#undef endhostent_r
-#endif
-#define endhostent_r lwres_endhostent_r
-
-#ifdef getrrsetbyname
-#undef getrrsetbyname
-#endif
-#define getrrsetbyname lwres_getrrsetbyname
-
-#ifdef freerrset
-#undef freerrset
-#endif
-#define freerrset lwres_freerrset
-
-#ifdef notyet
-#define getservbyname lwres_getservbyname
-#define getservbyport lwres_getservbyport
-#define getservent lwres_getservent
-#define setservent lwres_setservent
-#define endservent lwres_endservent
-
-#define getservbyname_r lwres_getservbyname_r
-#define getservbyport_r lwres_getservbyport_r
-#define getservent_r lwres_getservent_r
-#define setservent_r lwres_setservent_r
-#define endservent_r lwres_endservent_r
-
-#define getprotobyname lwres_getprotobyname
-#define getprotobynumber lwres_getprotobynumber
-#define getprotoent lwres_getprotoent
-#define setprotoent lwres_setprotoent
-#define endprotoent lwres_endprotoent
-
-#define getprotobyname_r lwres_getprotobyname_r
-#define getprotobynumber_r lwres_getprotobynumber_r
-#define getprotoent_r lwres_getprotoent_r
-#define setprotoent_r lwres_setprotoent_r
-#define endprotoent_r lwres_endprotoent_r
-
-#ifdef getnetbyname
-#undef getnetbyname
-#endif
-#define getnetbyname lwres_getnetbyname
-
-#ifdef getnetbyaddr
-#undef getnetbyaddr
-#endif
-#define getnetbyaddr lwres_getnetbyaddr
-
-#ifdef getnetent
-#undef getnetent
-#endif
-#define getnetent lwres_getnetent
-
-#ifdef setnetent
-#undef setnetent
-#endif
-#define setnetent lwres_setnetent
-
-#ifdef endnetent
-#undef endnetent
-#endif
-#define endnetent lwres_endnetent
-
-
-#ifdef getnetbyname_r
-#undef getnetbyname_r
-#endif
-#define getnetbyname_r lwres_getnetbyname_r
-
-#ifdef getnetbyaddr_r
-#undef getnetbyaddr_r
-#endif
-#define getnetbyaddr_r lwres_getnetbyaddr_r
-
-#ifdef getnetent_r
-#undef getnetent_r
-#endif
-#define getnetent_r lwres_getnetent_r
-
-#ifdef setnetent_r
-#undef setnetent_r
-#endif
-#define setnetent_r lwres_setnetent_r
-
-#ifdef endnetent_r
-#undef endnetent_r
-#endif
-#define endnetent_r lwres_endnetent_r
-#endif	/* notyet */
-
-#ifdef h_errno
-#undef h_errno
-#endif
-#define h_errno lwres_h_errno
-
-#endif	/* LWRES_NAMESPACE */
-
-LWRES_LANG_BEGINDECLS
-
-extern int lwres_h_errno;
-
-int		lwres_getaddrinfo(const char *, const char *,
-				 const struct addrinfo *, struct addrinfo **);
-int		lwres_getnameinfo(const struct sockaddr *, size_t, char *,
-				 size_t, char *, size_t, int);
-void		lwres_freeaddrinfo(struct addrinfo *);
-char		*lwres_gai_strerror(int);
-
-struct hostent	*lwres_gethostbyaddr(const char *, int, int);
-struct hostent	*lwres_gethostbyname(const char *);
-struct hostent	*lwres_gethostbyname2(const char *, int);
-struct hostent	*lwres_gethostent(void);
-struct hostent	*lwres_getipnodebyname(const char *, int, int, int *);
-struct hostent	*lwres_getipnodebyaddr(const void *, size_t, int, int *);
-void		lwres_endhostent(void);
-void		lwres_sethostent(int);
-/* void		lwres_sethostfile(const char *); */
-void		lwres_freehostent(struct hostent *);
-
-int		lwres_getrrsetbyname(const char *, unsigned int, unsigned int,
-				     unsigned int, struct rrsetinfo **);
-void		lwres_freerrset(struct rrsetinfo *);
-
-#ifdef notyet
-struct netent	*lwres_getnetbyaddr(unsigned long, int);
-struct netent	*lwres_getnetbyname(const char *);
-struct netent	*lwres_getnetent(void);
-void		lwres_endnetent(void);
-void		lwres_setnetent(int);
-
-struct protoent	*lwres_getprotobyname(const char *);
-struct protoent	*lwres_getprotobynumber(int);
-struct protoent	*lwres_getprotoent(void);
-void		lwres_endprotoent(void);
-void		lwres_setprotoent(int);
-
-struct servent	*lwres_getservbyname(const char *, const char *);
-struct servent	*lwres_getservbyport(int, const char *);
-struct servent	*lwres_getservent(void);
-void		lwres_endservent(void);
-void		lwres_setservent(int);
-#endif /* notyet */
-
-void		lwres_herror(const char *);
-const char	*lwres_hstrerror(int);
-
-
-struct hostent	*lwres_gethostbyaddr_r(const char *, int, int, struct hostent *,
-					char *, int, int *);
-struct hostent	*lwres_gethostbyname_r(const char *, struct hostent *,
-					char *, int, int *);
-struct hostent	*lwres_gethostent_r(struct hostent *, char *, int, int *);
-void		lwres_sethostent_r(int);
-void		lwres_endhostent_r(void);
-
-#ifdef notyet
-struct netent	*lwres_getnetbyname_r(const char *, struct netent *,
-					char *, int);
-struct netent	*lwres_getnetbyaddr_r(long, int, struct netent *,
-					char *, int);
-struct netent	*lwres_getnetent_r(struct netent *, char *, int);
-void		lwres_setnetent_r(int);
-void		lwres_endnetent_r(void);
-
-struct protoent	*lwres_getprotobyname_r(const char *,
-				struct protoent *, char *, int);
-struct protoent	*lwres_getprotobynumber_r(int,
-				struct protoent *, char *, int);
-struct protoent	*lwres_getprotoent_r(struct protoent *, char *, int);
-void		lwres_setprotoent_r(int);
-void		lwres_endprotoent_r(void);
-
-struct servent	*lwres_getservbyname_r(const char *name, const char *,
-					struct servent *, char *, int);
-struct servent	*lwres_getservbyport_r(int port, const char *,
-					struct servent *, char *, int);
-struct servent	*lwres_getservent_r(struct servent *, char *, int);
-void		lwres_setservent_r(int);
-void		lwres_endservent_r(void);
-#endif	/* notyet */
-
-LWRES_LANG_ENDDECLS
-
-#ifdef notyet
-/* This is nec'y to make this include file properly replace the sun version. */
-#ifdef sun
-#ifdef __GNU_LIBRARY__
-#include <rpc/netdb.h>		/* Required. */
-#else /* !__GNU_LIBRARY__ */
-struct rpcent {
-	char	*r_name;	/* name of server for this rpc program */
-	char	**r_aliases;	/* alias list */
-	int	r_number;	/* rpc program number */
-};
-struct rpcent	*lwres_getrpcbyname();
-struct rpcent	*lwres_getrpcbynumber(),
-struct rpcent	*lwres_getrpcent();
-#endif /* __GNU_LIBRARY__ */
-#endif /* sun */
-#endif /* notyet */
-
-/*
- * Tell Emacs to use C mode on this file.
- * Local variables:
- * mode: c
- * End:
- */
-
-#endif /* LWRES_NETDB_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/platform.h.in b/contrib/bind9/lib/lwres/include/lwres/platform.h.in
deleted file mode 100644
index bb4f6ee..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/platform.h.in
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: platform.h.in,v 1.21 2007/06/19 23:47:23 tbox Exp $ */
-
-/*! \file */
-
-#ifndef LWRES_PLATFORM_H
-#define LWRES_PLATFORM_H 1
-
-/*****
- ***** Platform-dependent defines.
- *****/
-
-/***
- *** Network.
- ***/
-
-/*
- * Define if this system needs the <netinet/in6.h> header file for IPv6.
- */
-@LWRES_PLATFORM_NEEDNETINETIN6H@
-
-/*
- * Define if this system needs the <netinet6/in6.h> header file for IPv6.
- */
-@LWRES_PLATFORM_NEEDNETINET6IN6H@
-
-/*
- * If sockaddrs on this system have an sa_len field, LWRES_PLATFORM_HAVESALEN
- * will be defined.
- */
-@LWRES_PLATFORM_HAVESALEN@
-
-/*
- * If this system has the IPv6 structure definitions, LWRES_PLATFORM_HAVEIPV6
- * will be defined.
- */
-@LWRES_PLATFORM_HAVEIPV6@
-
-/*
- * If this system is missing in6addr_any, LWRES_PLATFORM_NEEDIN6ADDRANY will
- * be defined.
- */
-@LWRES_PLATFORM_NEEDIN6ADDRANY@
-
-/*
- * If this system is missing in6addr_loopback, 
- * LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK will be defined.
- */
-@LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK@
-
-/*
- * If this system has in_addr6, rather than in6_addr,
- * LWRES_PLATFORM_HAVEINADDR6 will be defined.
- */
-@LWRES_PLATFORM_HAVEINADDR6@
-
-/*
- * Defined if unistd.h does not cause fd_set to be delared.
- */
-@LWRES_PLATFORM_NEEDSYSSELECTH@
-
-/*
- * Used to control how extern data is linked; needed for Win32 platforms.
- */
-@LWRES_PLATFORM_USEDECLSPEC@
-
-/*
- * Defined this system needs vsnprintf() and snprintf().
- */
-@LWRES_PLATFORM_NEEDVSNPRINTF@
- 
-/*
- * If this system need a modern sprintf() that returns (int) not (char*).
- */
-@LWRES_PLATFORM_NEEDSPRINTF@
-
-/*
- * The printf format string modifier to use with lwres_uint64_t values.
- */
-@LWRES_PLATFORM_QUADFORMAT@
-
-/*! \brief
- * Define if this system needs strtoul.
- */
-@LWRES_PLATFORM_NEEDSTRTOUL@
-
-#ifndef LWRES_PLATFORM_USEDECLSPEC
-#define LIBLWRES_EXTERNAL_DATA
-#else
-#ifdef LIBLWRES_EXPORTS
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#endif
-
-/*
- * Tell Emacs to use C mode on this file.
- * Local Variables:
- * mode: c
- * End:
- */
-
-#endif /* LWRES_PLATFORM_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/result.h b/contrib/bind9/lib/lwres/include/lwres/result.h
deleted file mode 100644
index cfcf166..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/result.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.21 2007/06/19 23:47:23 tbox Exp $ */
-
-#ifndef LWRES_RESULT_H
-#define LWRES_RESULT_H 1
-
-/*! \file lwres/result.h */
-
-typedef unsigned int lwres_result_t;
-
-#define LWRES_R_SUCCESS			0
-#define LWRES_R_NOMEMORY		1
-#define LWRES_R_TIMEOUT			2
-#define LWRES_R_NOTFOUND		3
-#define LWRES_R_UNEXPECTEDEND		4	/* unexpected end of input */
-#define LWRES_R_FAILURE			5	/* generic failure */
-#define LWRES_R_IOERROR			6
-#define LWRES_R_NOTIMPLEMENTED		7
-#define LWRES_R_UNEXPECTED		8
-#define LWRES_R_TRAILINGDATA		9
-#define LWRES_R_INCOMPLETE		10
-#define LWRES_R_RETRY			11
-#define LWRES_R_TYPENOTFOUND		12
-#define LWRES_R_TOOLARGE		13
-
-#endif /* LWRES_RESULT_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/stdlib.h b/contrib/bind9/lib/lwres/include/lwres/stdlib.h
deleted file mode 100644
index 25a109e..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/stdlib.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdlib.h,v 1.6 2007/06/19 23:47:23 tbox Exp $ */
-
-#ifndef LWRES_STDLIB_H
-#define LWRES_STDLIB_H 1
-
-/*! \file lwres/stdlib.h */
-
-#include <stdlib.h>
-
-#include <lwres/lang.h>
-#include <lwres/platform.h>
-
-#ifdef LWRES_PLATFORM_NEEDSTRTOUL
-#define strtoul lwres_strtoul
-#endif
-
-LWRES_LANG_BEGINDECLS
-
-unsigned long lwres_strtoul(const char *, char **, int);
-
-LWRES_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/lib/lwres/include/lwres/version.h b/contrib/bind9/lib/lwres/include/lwres/version.h
deleted file mode 100644
index 9efc86d..0000000
--- a/contrib/bind9/lib/lwres/include/lwres/version.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.9 2007/06/19 23:47:23 tbox Exp $ */
-
-/*! \file lwres/version.h */
-
-#include <lwres/platform.h>
-
-LIBLWRES_EXTERNAL_DATA extern const char lwres_version[];
-
-LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libinterface;
-LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_librevision;
-LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libage;
diff --git a/contrib/bind9/lib/lwres/lwbuffer.c b/contrib/bind9/lib/lwres/lwbuffer.c
deleted file mode 100644
index 49aaeb7..0000000
--- a/contrib/bind9/lib/lwres/lwbuffer.c
+++ /dev/null
@@ -1,361 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwbuffer.c,v 1.15 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-/**
- *    These functions provide bounds checked access to a region of memory
- *    where data is being read or written. They are based on, and similar
- *    to, the isc_buffer_ functions in the ISC library.
- * 
- *    A buffer is a region of memory, together with a set of related
- *    subregions. The used region and the available region are disjoint, and
- *    their union is the buffer's region. The used region extends from the
- *    beginning of the buffer region to the last used byte. The available
- *    region extends from one byte greater than the last used byte to the
- *    end of the buffer's region. The size of the used region can be changed
- *    using various buffer commands. Initially, the used region is empty.
- * 
- *    The used region is further subdivided into two disjoint regions: the
- *    consumed region and the remaining region. The union of these two
- *    regions is the used region. The consumed region extends from the
- *    beginning of the used region to the byte before the current offset (if
- *    any). The remaining region the current pointer to the end of the used
- *    region. The size of the consumed region can be changed using various
- *    buffer commands. Initially, the consumed region is empty.
- * 
- *    The active region is an (optional) subregion of the remaining region.
- *    It extends from the current offset to an offset in the remaining
- *    region. Initially, the active region is empty. If the current offset
- *    advances beyond the chosen offset, the active region will also be
- *    empty.
- * 
- * 
- * \verbatim
- *    /------------entire length---------------\\
- *    /----- used region -----\\/-- available --\\
- *    +----------------------------------------+
- *    | consumed  | remaining |                |
- *    +----------------------------------------+
- *    a           b     c     d                e
- * 
- *   a == base of buffer.
- *   b == current pointer.  Can be anywhere between a and d.
- *   c == active pointer.  Meaningful between b and d.
- *   d == used pointer.
- *   e == length of buffer.
- * 
- *   a-e == entire length of buffer.
- *   a-d == used region.
- *   a-b == consumed region.
- *   b-d == remaining region.
- *   b-c == optional active region.
- * \endverbatim
- * 
- *    lwres_buffer_init() initializes the lwres_buffer_t *b and assocates it
- *    with the memory region of size length bytes starting at location base.
- * 
- *    lwres_buffer_invalidate() marks the buffer *b as invalid. Invalidating
- *    a buffer after use is not required, but makes it possible to catch its
- *    possible accidental use.
- * 
- *    The functions lwres_buffer_add() and lwres_buffer_subtract()
- *    respectively increase and decrease the used space in buffer *b by n
- *    bytes. lwres_buffer_add() checks for buffer overflow and
- *    lwres_buffer_subtract() checks for underflow. These functions do not
- *    allocate or deallocate memory. They just change the value of used.
- * 
- *    A buffer is re-initialised by lwres_buffer_clear(). The function sets
- *    used , current and active to zero.
- * 
- *    lwres_buffer_first() makes the consumed region of buffer *p empty by
- *    setting current to zero (the start of the buffer).
- * 
- *    lwres_buffer_forward() increases the consumed region of buffer *b by n
- *    bytes, checking for overflow. Similarly, lwres_buffer_back() decreases
- *    buffer b's consumed region by n bytes and checks for underflow.
- * 
- *    lwres_buffer_getuint8() reads an unsigned 8-bit integer from *b and
- *    returns it. lwres_buffer_putuint8() writes the unsigned 8-bit integer
- *    val to buffer *b.
- * 
- *    lwres_buffer_getuint16() and lwres_buffer_getuint32() are identical to
- *    lwres_buffer_putuint8() except that they respectively read an unsigned
- *    16-bit or 32-bit integer in network byte order from b. Similarly,
- *    lwres_buffer_putuint16() and lwres_buffer_putuint32() writes the
- *    unsigned 16-bit or 32-bit integer val to buffer b, in network byte
- *    order.
- * 
- *    Arbitrary amounts of data are read or written from a lightweight
- *    resolver buffer with lwres_buffer_getmem() and lwres_buffer_putmem()
- *    respectively. lwres_buffer_putmem() copies length bytes of memory at
- *    base to b. Conversely, lwres_buffer_getmem() copies length bytes of
- *    memory from b to base.
- */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-
-#include "assert_p.h"
-
-void
-lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length)
-{
-	/*
-	 * Make 'b' refer to the 'length'-byte region starting at base.
-	 */
-
-	REQUIRE(b != NULL);
-
-	b->magic = LWRES_BUFFER_MAGIC;
-	b->base = base;
-	b->length = length;
-	b->used = 0;
-	b->current = 0;
-	b->active = 0;
-}
-
-/*  Make 'b' an invalid buffer. */
-void
-lwres_buffer_invalidate(lwres_buffer_t *b)
-{
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-
-	b->magic = 0;
-	b->base = NULL;
-	b->length = 0;
-	b->used = 0;
-	b->current = 0;
-	b->active = 0;
-}
-
-/* Increase the 'used' region of 'b' by 'n' bytes. */
-void
-lwres_buffer_add(lwres_buffer_t *b, unsigned int n)
-{
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used + n <= b->length);
-
-	b->used += n;
-}
-
-/* Decrease the 'used' region of 'b' by 'n' bytes. */
-void
-lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n)
-{
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used >= n);
-
-	b->used -= n;
-	if (b->current > b->used)
-		b->current = b->used;
-	if (b->active > b->used)
-		b->active = b->used;
-}
-
-/* Make the used region empty. */
-void
-lwres_buffer_clear(lwres_buffer_t *b)
-{
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-
-	b->used = 0;
-	b->current = 0;
-	b->active = 0;
-}
-
-/* Make the consumed region empty. */
-void
-lwres_buffer_first(lwres_buffer_t *b)
-{
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-
-	b->current = 0;
-}
-
-/* Increase the 'consumed' region of 'b' by 'n' bytes. */
-void
-lwres_buffer_forward(lwres_buffer_t *b, unsigned int n)
-{
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->current + n <= b->used);
-
-	b->current += n;
-}
-
-/* Decrease the 'consumed' region of 'b' by 'n' bytes. */
-void
-lwres_buffer_back(lwres_buffer_t *b, unsigned int n)
-{
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(n <= b->current);
-
-	b->current -= n;
-}
-
-/* Read an unsigned 8-bit integer from 'b' and return it. */
-lwres_uint8_t
-lwres_buffer_getuint8(lwres_buffer_t *b)
-{
-	unsigned char *cp;
-	lwres_uint8_t result;
-
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used - b->current >= 1);
-
-	cp = b->base;
-	cp += b->current;
-	b->current += 1;
-	result = ((unsigned int)(cp[0]));
-
-	return (result);
-}
-
-/* Put an unsigned 8-bit integer */
-void
-lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val)
-{
-	unsigned char *cp;
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used + 1 <= b->length);
-
-	cp = b->base;
-	cp += b->used;
-	b->used += 1;
-	cp[0] = (val & 0x00ff);
-}
-
-/*  Read an unsigned 16-bit integer in network byte order from 'b', convert it to host byte order, and return it. */
-lwres_uint16_t
-lwres_buffer_getuint16(lwres_buffer_t *b)
-{
-	unsigned char *cp;
-	lwres_uint16_t result;
-
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used - b->current >= 2);
-
-	cp = b->base;
-	cp += b->current;
-	b->current += 2;
-	result = ((unsigned int)(cp[0])) << 8;
-	result |= ((unsigned int)(cp[1]));
-
-	return (result);
-}
-
-/* Put an unsigned 16-bit integer. */
-void
-lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val)
-{
-	unsigned char *cp;
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used + 2 <= b->length);
-
-	cp = b->base;
-	cp += b->used;
-	b->used += 2;
-	cp[0] = (val & 0xff00) >> 8;
-	cp[1] = (val & 0x00ff);
-}
-
-/*  Read an unsigned 32-bit integer in network byte order from 'b', convert it to host byte order, and return it. */
-lwres_uint32_t
-lwres_buffer_getuint32(lwres_buffer_t *b)
-{
-	unsigned char *cp;
-	lwres_uint32_t result;
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used - b->current >= 4);
-
-	cp = b->base;
-	cp += b->current;
-	b->current += 4;
-	result = ((unsigned int)(cp[0])) << 24;
-	result |= ((unsigned int)(cp[1])) << 16;
-	result |= ((unsigned int)(cp[2])) << 8;
-	result |= ((unsigned int)(cp[3]));
-
-	return (result);
-}
-
-/* Put an unsigned 32-bit integer. */
-void
-lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val)
-{
-	unsigned char *cp;
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used + 4 <= b->length);
-
-	cp = b->base;
-	cp += b->used;
-	b->used += 4;
-	cp[0] = (unsigned char)((val & 0xff000000) >> 24);
-	cp[1] = (unsigned char)((val & 0x00ff0000) >> 16);
-	cp[2] = (unsigned char)((val & 0x0000ff00) >> 8);
-	cp[3] = (unsigned char)(val & 0x000000ff);
-}
-
-/* copies length bytes of memory at base to b */
-void
-lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
-		    unsigned int length)
-{
-	unsigned char *cp;
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used + length <= b->length);
-
-	cp = (unsigned char *)b->base + b->used;
-	memcpy(cp, base, length);
-	b->used += length;
-}
-
-/* copies length bytes of memory at b to base */
-void
-lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
-		    unsigned int length)
-{
-	unsigned char *cp;
-
-	REQUIRE(LWRES_BUFFER_VALID(b));
-	REQUIRE(b->used - b->current >= length);
-
-	cp = b->base;
-	cp += b->current;
-	b->current += length;
-
-	memcpy(base, cp, length);
-}
diff --git a/contrib/bind9/lib/lwres/lwconfig.c b/contrib/bind9/lib/lwres/lwconfig.c
deleted file mode 100644
index e9a8671..0000000
--- a/contrib/bind9/lib/lwres/lwconfig.c
+++ /dev/null
@@ -1,729 +0,0 @@
-/*
- * Copyright (C) 2004-2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-/*! \file */
-
-/**
- * Module for parsing resolv.conf files.
- *
- *    lwres_conf_init() creates an empty lwres_conf_t structure for
- *    lightweight resolver context ctx.
- *
- *    lwres_conf_clear() frees up all the internal memory used by that
- *    lwres_conf_t structure in resolver context ctx.
- *
- *    lwres_conf_parse() opens the file filename and parses it to initialise
- *    the resolver context ctx's lwres_conf_t structure.
- *
- *    lwres_conf_print() prints the lwres_conf_t structure for resolver
- *    context ctx to the FILE fp.
- *
- * \section lwconfig_return Return Values
- *
- *    lwres_conf_parse() returns #LWRES_R_SUCCESS if it successfully read and
- *    parsed filename. It returns #LWRES_R_FAILURE if filename could not be
- *    opened or contained incorrect resolver statements.
- *
- *    lwres_conf_print() returns #LWRES_R_SUCCESS unless an error occurred
- *    when converting the network addresses to a numeric host address
- *    string. If this happens, the function returns #LWRES_R_FAILURE.
- *
- * \section lwconfig_see See Also
- *
- *    stdio(3), \link resolver resolver \endlink
- *
- * \section files Files
- *
- *    /etc/resolv.conf
- */
-
-#include <config.h>
-
-#include <assert.h>
-#include <ctype.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/result.h>
-
-#include "assert_p.h"
-#include "context_p.h"
-
-
-#if ! defined(NS_INADDRSZ)
-#define NS_INADDRSZ	 4
-#endif
-
-#if ! defined(NS_IN6ADDRSZ)
-#define NS_IN6ADDRSZ	16
-#endif
-
-static lwres_result_t
-lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp);
-
-static lwres_result_t
-lwres_conf_parselwserver(lwres_context_t *ctx,  FILE *fp);
-
-static lwres_result_t
-lwres_conf_parsedomain(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp);
-
-static lwres_result_t
-lwres_conf_parsesortlist(lwres_context_t *ctx,  FILE *fp);
-
-static lwres_result_t
-lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp);
-
-static void
-lwres_resetaddr(lwres_addr_t *addr);
-
-static lwres_result_t
-lwres_create_addr(const char *buff, lwres_addr_t *addr, int convert_zero);
-
-static int lwresaddr2af(int lwresaddrtype);
-
-
-static int
-lwresaddr2af(int lwresaddrtype)
-{
-	int af = 0;
-
-	switch (lwresaddrtype) {
-	case LWRES_ADDRTYPE_V4:
-		af = AF_INET;
-		break;
-
-	case LWRES_ADDRTYPE_V6:
-		af = AF_INET6;
-		break;
-	}
-
-	return (af);
-}
-
-
-/*!
- * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
- */
-static int
-eatline(FILE *fp) {
-	int ch;
-
-	ch = fgetc(fp);
-	while (ch != '\n' && ch != EOF)
-		ch = fgetc(fp);
-
-	return (ch);
-}
-
-
-/*!
- * Eats white space up to next newline or non-whitespace character (of
- * EOF). Returns the last character read. Comments are considered white
- * space.
- */
-static int
-eatwhite(FILE *fp) {
-	int ch;
-
-	ch = fgetc(fp);
-	while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
-		ch = fgetc(fp);
-
-	if (ch == ';' || ch == '#')
-		ch = eatline(fp);
-
-	return (ch);
-}
-
-
-/*!
- * Skip over any leading whitespace and then read in the next sequence of
- * non-whitespace characters. In this context newline is not considered
- * whitespace. Returns EOF on end-of-file, or the character
- * that caused the reading to stop.
- */
-static int
-getword(FILE *fp, char *buffer, size_t size) {
-	int ch;
-	char *p = buffer;
-
-	REQUIRE(buffer != NULL);
-	REQUIRE(size > 0U);
-
-	*p = '\0';
-
-	ch = eatwhite(fp);
-
-	if (ch == EOF)
-		return (EOF);
-
-	do {
-		*p = '\0';
-
-		if (ch == EOF || isspace((unsigned char)ch))
-			break;
-		else if ((size_t) (p - buffer) == size - 1)
-			return (EOF);	/* Not enough space. */
-
-		*p++ = (char)ch;
-		ch = fgetc(fp);
-	} while (1);
-
-	return (ch);
-}
-
-static void
-lwres_resetaddr(lwres_addr_t *addr) {
-	REQUIRE(addr != NULL);
-
-	memset(addr->address, 0, LWRES_ADDR_MAXLEN);
-	addr->family = 0;
-	addr->length = 0;
-}
-
-static char *
-lwres_strdup(lwres_context_t *ctx, const char *str) {
-	char *p;
-
-	REQUIRE(str != NULL);
-	REQUIRE(strlen(str) > 0U);
-
-	p = CTXMALLOC(strlen(str) + 1);
-	if (p != NULL)
-		strcpy(p, str);
-
-	return (p);
-}
-
-/*% intializes data structure for subsequent config parsing. */
-void
-lwres_conf_init(lwres_context_t *ctx) {
-	int i;
-	lwres_conf_t *confdata;
-
-	REQUIRE(ctx != NULL);
-	confdata = &ctx->confdata;
-
-	confdata->nsnext = 0;
-	confdata->lwnext = 0;
-	confdata->domainname = NULL;
-	confdata->searchnxt = 0;
-	confdata->sortlistnxt = 0;
-	confdata->resdebug = 0;
-	confdata->ndots = 1;
-	confdata->no_tld_query = 0;
-
-	for (i = 0; i < LWRES_CONFMAXNAMESERVERS; i++)
-		lwres_resetaddr(&confdata->nameservers[i]);
-
-	for (i = 0; i < LWRES_CONFMAXSEARCH; i++)
-		confdata->search[i] = NULL;
-
-	for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
-		lwres_resetaddr(&confdata->sortlist[i].addr);
-		lwres_resetaddr(&confdata->sortlist[i].mask);
-	}
-}
-
-/*% Frees up all the internal memory used by the config data structure, returning it to the lwres_context_t. */
-void
-lwres_conf_clear(lwres_context_t *ctx) {
-	int i;
-	lwres_conf_t *confdata;
-
-	REQUIRE(ctx != NULL);
-	confdata = &ctx->confdata;
-
-	for (i = 0; i < confdata->nsnext; i++)
-		lwres_resetaddr(&confdata->nameservers[i]);
-
-	if (confdata->domainname != NULL) {
-		CTXFREE(confdata->domainname,
-			strlen(confdata->domainname) + 1);
-		confdata->domainname = NULL;
-	}
-
-	for (i = 0; i < confdata->searchnxt; i++) {
-		if (confdata->search[i] != NULL) {
-			CTXFREE(confdata->search[i],
-				strlen(confdata->search[i]) + 1);
-			confdata->search[i] = NULL;
-		}
-	}
-
-	for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
-		lwres_resetaddr(&confdata->sortlist[i].addr);
-		lwres_resetaddr(&confdata->sortlist[i].mask);
-	}
-
-	confdata->nsnext = 0;
-	confdata->lwnext = 0;
-	confdata->domainname = NULL;
-	confdata->searchnxt = 0;
-	confdata->sortlistnxt = 0;
-	confdata->resdebug = 0;
-	confdata->ndots = 1;
-	confdata->no_tld_query = 0;
-}
-
-static lwres_result_t
-lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp) {
-	char word[LWRES_CONFMAXLINELEN];
-	int res;
-	lwres_conf_t *confdata;
-	lwres_addr_t address;
-
-	confdata = &ctx->confdata;
-
-	if (confdata->nsnext == LWRES_CONFMAXNAMESERVERS)
-		return (LWRES_R_SUCCESS);
-
-	res = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (LWRES_R_FAILURE); /* Nothing on line. */
-	else if (res == ' ' || res == '\t')
-		res = eatwhite(fp);
-
-	if (res != EOF && res != '\n')
-		return (LWRES_R_FAILURE); /* Extra junk on line. */
-
-	res = lwres_create_addr(word, &address, 1);
-	if (res == LWRES_R_SUCCESS &&
-	    ((address.family == LWRES_ADDRTYPE_V4 && ctx->use_ipv4 == 1) ||
-	     (address.family == LWRES_ADDRTYPE_V6 && ctx->use_ipv6 == 1))) {
-		confdata->nameservers[confdata->nsnext++] = address;
-	}
-
-	return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parselwserver(lwres_context_t *ctx,  FILE *fp) {
-	char word[LWRES_CONFMAXLINELEN];
-	int res;
-	lwres_conf_t *confdata;
-
-	confdata = &ctx->confdata;
-
-	if (confdata->lwnext == LWRES_CONFMAXLWSERVERS)
-		return (LWRES_R_SUCCESS);
-
-	res = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (LWRES_R_FAILURE); /* Nothing on line. */
-	else if (res == ' ' || res == '\t')
-		res = eatwhite(fp);
-
-	if (res != EOF && res != '\n')
-		return (LWRES_R_FAILURE); /* Extra junk on line. */
-
-	res = lwres_create_addr(word,
-				&confdata->lwservers[confdata->lwnext++], 1);
-	if (res != LWRES_R_SUCCESS)
-		return (res);
-
-	return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parsedomain(lwres_context_t *ctx,  FILE *fp) {
-	char word[LWRES_CONFMAXLINELEN];
-	int res, i;
-	lwres_conf_t *confdata;
-
-	confdata = &ctx->confdata;
-
-	res = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (LWRES_R_FAILURE); /* Nothing else on line. */
-	else if (res == ' ' || res == '\t')
-		res = eatwhite(fp);
-
-	if (res != EOF && res != '\n')
-		return (LWRES_R_FAILURE); /* Extra junk on line. */
-
-	if (confdata->domainname != NULL)
-		CTXFREE(confdata->domainname,
-			strlen(confdata->domainname) + 1); /*  */
-
-	/*
-	 * Search and domain are mutually exclusive.
-	 */
-	for (i = 0; i < LWRES_CONFMAXSEARCH; i++) {
-		if (confdata->search[i] != NULL) {
-			CTXFREE(confdata->search[i],
-				strlen(confdata->search[i])+1);
-			confdata->search[i] = NULL;
-		}
-	}
-	confdata->searchnxt = 0;
-
-	confdata->domainname = lwres_strdup(ctx, word);
-
-	if (confdata->domainname == NULL)
-		return (LWRES_R_FAILURE);
-
-	return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp) {
-	int idx, delim;
-	char word[LWRES_CONFMAXLINELEN];
-	lwres_conf_t *confdata;
-
-	confdata = &ctx->confdata;
-
-	if (confdata->domainname != NULL) {
-		/*
-		 * Search and domain are mutually exclusive.
-		 */
-		CTXFREE(confdata->domainname,
-			strlen(confdata->domainname) + 1);
-		confdata->domainname = NULL;
-	}
-
-	/*
-	 * Remove any previous search definitions.
-	 */
-	for (idx = 0; idx < LWRES_CONFMAXSEARCH; idx++) {
-		if (confdata->search[idx] != NULL) {
-			CTXFREE(confdata->search[idx],
-				strlen(confdata->search[idx])+1);
-			confdata->search[idx] = NULL;
-		}
-	}
-	confdata->searchnxt = 0;
-
-	delim = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (LWRES_R_FAILURE); /* Nothing else on line. */
-
-	idx = 0;
-	while (strlen(word) > 0U) {
-		if (confdata->searchnxt == LWRES_CONFMAXSEARCH)
-			goto ignore; /* Too many domains. */
-
-		confdata->search[idx] = lwres_strdup(ctx, word);
-		if (confdata->search[idx] == NULL)
-			return (LWRES_R_FAILURE);
-		idx++;
-		confdata->searchnxt++;
-
-	ignore:
-		if (delim == EOF || delim == '\n')
-			break;
-		else
-			delim = getword(fp, word, sizeof(word));
-	}
-
-	return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_create_addr(const char *buffer, lwres_addr_t *addr, int convert_zero) {
-	struct in_addr v4;
-	struct in6_addr v6;
-
-	if (lwres_net_aton(buffer, &v4) == 1) {
-		if (convert_zero) {
-			unsigned char zeroaddress[] = {0, 0, 0, 0};
-			unsigned char loopaddress[] = {127, 0, 0, 1};
-			if (memcmp(&v4, zeroaddress, 4) == 0)
-				memcpy(&v4, loopaddress, 4);
-		}
-		addr->family = LWRES_ADDRTYPE_V4;
-		addr->length = NS_INADDRSZ;
-		memcpy((void *)addr->address, &v4, NS_INADDRSZ);
-
-	} else if (lwres_net_pton(AF_INET6, buffer, &v6) == 1) {
-		addr->family = LWRES_ADDRTYPE_V6;
-		addr->length = NS_IN6ADDRSZ;
-		memcpy((void *)addr->address, &v6, NS_IN6ADDRSZ);
-	} else {
-		return (LWRES_R_FAILURE); /* Unrecognised format. */
-	}
-
-	return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parsesortlist(lwres_context_t *ctx,  FILE *fp) {
-	int delim, res, idx;
-	char word[LWRES_CONFMAXLINELEN];
-	char *p;
-	lwres_conf_t *confdata;
-
-	confdata = &ctx->confdata;
-
-	delim = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (LWRES_R_FAILURE); /* Empty line after keyword. */
-
-	while (strlen(word) > 0U) {
-		if (confdata->sortlistnxt == LWRES_CONFMAXSORTLIST)
-			return (LWRES_R_FAILURE); /* Too many values. */
-
-		p = strchr(word, '/');
-		if (p != NULL)
-			*p++ = '\0';
-
-		idx = confdata->sortlistnxt;
-		res = lwres_create_addr(word, &confdata->sortlist[idx].addr, 1);
-		if (res != LWRES_R_SUCCESS)
-			return (res);
-
-		if (p != NULL) {
-			res = lwres_create_addr(p,
-						&confdata->sortlist[idx].mask,
-						0);
-			if (res != LWRES_R_SUCCESS)
-				return (res);
-		} else {
-			/*
-			 * Make up a mask.
-			 */
-			confdata->sortlist[idx].mask =
-				confdata->sortlist[idx].addr;
-
-			memset(&confdata->sortlist[idx].mask.address, 0xff,
-			       confdata->sortlist[idx].addr.length);
-		}
-
-		confdata->sortlistnxt++;
-
-		if (delim == EOF || delim == '\n')
-			break;
-		else
-			delim = getword(fp, word, sizeof(word));
-	}
-
-	return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp) {
-	int delim;
-	long ndots;
-	char *p;
-	char word[LWRES_CONFMAXLINELEN];
-	lwres_conf_t *confdata;
-
-	REQUIRE(ctx != NULL);
-	confdata = &ctx->confdata;
-
-	delim = getword(fp, word, sizeof(word));
-	if (strlen(word) == 0U)
-		return (LWRES_R_FAILURE); /* Empty line after keyword. */
-
-	while (strlen(word) > 0U) {
-		if (strcmp("debug", word) == 0) {
-			confdata->resdebug = 1;
-		} else if (strcmp("no_tld_query", word) == 0) {
-			confdata->no_tld_query = 1;
-		} else if (strncmp("ndots:", word, 6) == 0) {
-			ndots = strtol(word + 6, &p, 10);
-			if (*p != '\0') /* Bad string. */
-				return (LWRES_R_FAILURE);
-			if (ndots < 0 || ndots > 0xff) /* Out of range. */
-				return (LWRES_R_FAILURE);
-			confdata->ndots = (lwres_uint8_t)ndots;
-		}
-
-		if (delim == EOF || delim == '\n')
-			break;
-		else
-			delim = getword(fp, word, sizeof(word));
-	}
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% parses a file and fills in the data structure. */
-lwres_result_t
-lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
-	FILE *fp = NULL;
-	char word[256];
-	lwres_result_t rval, ret;
-	lwres_conf_t *confdata;
-	int stopchar;
-
-	REQUIRE(ctx != NULL);
-	confdata = &ctx->confdata;
-
-	REQUIRE(filename != NULL);
-	REQUIRE(strlen(filename) > 0U);
-	REQUIRE(confdata != NULL);
-
-	errno = 0;
-	if ((fp = fopen(filename, "r")) == NULL)
-		return (LWRES_R_NOTFOUND);
-
-	ret = LWRES_R_SUCCESS;
-	do {
-		stopchar = getword(fp, word, sizeof(word));
-		if (stopchar == EOF) {
-			rval = LWRES_R_SUCCESS;
-			POST(rval);
-			break;
-		}
-
-		if (strlen(word) == 0U)
-			rval = LWRES_R_SUCCESS;
-		else if (strcmp(word, "nameserver") == 0)
-			rval = lwres_conf_parsenameserver(ctx, fp);
-		else if (strcmp(word, "lwserver") == 0)
-			rval = lwres_conf_parselwserver(ctx, fp);
-		else if (strcmp(word, "domain") == 0)
-			rval = lwres_conf_parsedomain(ctx, fp);
-		else if (strcmp(word, "search") == 0)
-			rval = lwres_conf_parsesearch(ctx, fp);
-		else if (strcmp(word, "sortlist") == 0)
-			rval = lwres_conf_parsesortlist(ctx, fp);
-		else if (strcmp(word, "options") == 0)
-			rval = lwres_conf_parseoption(ctx, fp);
-		else {
-			/* unrecognised word. Ignore entire line */
-			rval = LWRES_R_SUCCESS;
-			stopchar = eatline(fp);
-			if (stopchar == EOF) {
-				break;
-			}
-		}
-		if (ret == LWRES_R_SUCCESS && rval != LWRES_R_SUCCESS)
-			ret = rval;
-	} while (1);
-
-	fclose(fp);
-
-	return (ret);
-}
-
-/*% Prints the config data structure to the FILE. */
-lwres_result_t
-lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
-	int i;
-	int af;
-	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
-	const char *p;
-	lwres_conf_t *confdata;
-	lwres_addr_t tmpaddr;
-
-	REQUIRE(ctx != NULL);
-	confdata = &ctx->confdata;
-
-	REQUIRE(confdata->nsnext <= LWRES_CONFMAXNAMESERVERS);
-
-	for (i = 0; i < confdata->nsnext; i++) {
-		af = lwresaddr2af(confdata->nameservers[i].family);
-
-		p = lwres_net_ntop(af, confdata->nameservers[i].address,
-				   tmp, sizeof(tmp));
-		if (p != tmp)
-			return (LWRES_R_FAILURE);
-
-		fprintf(fp, "nameserver %s\n", tmp);
-	}
-
-	for (i = 0; i < confdata->lwnext; i++) {
-		af = lwresaddr2af(confdata->lwservers[i].family);
-
-		p = lwres_net_ntop(af, confdata->lwservers[i].address,
-				   tmp, sizeof(tmp));
-		if (p != tmp)
-			return (LWRES_R_FAILURE);
-
-		fprintf(fp, "lwserver %s\n", tmp);
-	}
-
-	if (confdata->domainname != NULL) {
-		fprintf(fp, "domain %s\n", confdata->domainname);
-	} else if (confdata->searchnxt > 0) {
-		REQUIRE(confdata->searchnxt <= LWRES_CONFMAXSEARCH);
-
-		fprintf(fp, "search");
-		for (i = 0; i < confdata->searchnxt; i++)
-			fprintf(fp, " %s", confdata->search[i]);
-		fputc('\n', fp);
-	}
-
-	REQUIRE(confdata->sortlistnxt <= LWRES_CONFMAXSORTLIST);
-
-	if (confdata->sortlistnxt > 0) {
-		fputs("sortlist", fp);
-		for (i = 0; i < confdata->sortlistnxt; i++) {
-			af = lwresaddr2af(confdata->sortlist[i].addr.family);
-
-			p = lwres_net_ntop(af,
-					   confdata->sortlist[i].addr.address,
-					   tmp, sizeof(tmp));
-			if (p != tmp)
-				return (LWRES_R_FAILURE);
-
-			fprintf(fp, " %s", tmp);
-
-			tmpaddr = confdata->sortlist[i].mask;
-			memset(&tmpaddr.address, 0xff, tmpaddr.length);
-
-			if (memcmp(&tmpaddr.address,
-				   confdata->sortlist[i].mask.address,
-				   confdata->sortlist[i].mask.length) != 0) {
-				af = lwresaddr2af(
-					    confdata->sortlist[i].mask.family);
-				p = lwres_net_ntop
-					(af,
-					 confdata->sortlist[i].mask.address,
-					 tmp, sizeof(tmp));
-				if (p != tmp)
-					return (LWRES_R_FAILURE);
-
-				fprintf(fp, "/%s", tmp);
-			}
-		}
-		fputc('\n', fp);
-	}
-
-	if (confdata->resdebug)
-		fprintf(fp, "options debug\n");
-
-	if (confdata->ndots > 0)
-		fprintf(fp, "options ndots:%d\n", confdata->ndots);
-
-	if (confdata->no_tld_query)
-		fprintf(fp, "options no_tld_query\n");
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Returns a pointer to the current config structure. */
-lwres_conf_t *
-lwres_conf_get(lwres_context_t *ctx) {
-	REQUIRE(ctx != NULL);
-
-	return (&ctx->confdata);
-}
diff --git a/contrib/bind9/lib/lwres/lwinetaton.c b/contrib/bind9/lib/lwres/lwinetaton.c
deleted file mode 100644
index 5a0d85a..0000000
--- a/contrib/bind9/lib/lwres/lwinetaton.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1996-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1983, 1990, 1993
- *    The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- * 	This product includes software developed by the University of
- * 	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*! \file lwinetaton.c
- */
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.16 2007/06/19 23:47:22 tbox Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <stddef.h>
-
-#include <lwres/int.h>
-#include <lwres/net.h>
-
-#include "assert_p.h"
-
-/*!
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-lwres_net_aton(const char *cp, struct in_addr *addr) {
-	lwres_uint32_t val;
-	int base, n;
-	unsigned char c;
-	lwres_uint8_t parts[4];
-	lwres_uint8_t *pp = parts;
-	int digit;
-
-	REQUIRE(cp != NULL);
-
-	c = *cp;
-	for (;;) {
-		/*
-		 * Collect number up to ``.''.
-		 * Values are specified as for C:
-		 * 0x=hex, 0=octal, isdigit=decimal.
-		 */
-		if (!isdigit(c & 0xff))
-			return (0);
-		val = 0;
-		base = 10;
-		digit = 0;
-		if (c == '0') {
-			c = *++cp;
-			if (c == 'x' || c == 'X') {
-				base = 16;
-				c = *++cp;
-			} else {
-				base = 8;
-				digit = 1;
-			}
-		}
-		for (;;) {
-			/*
-			 * isascii() is valid for all integer values, and
-			 * when it is true, c is known to be in scope
-			 * for isdigit().  No cast necessary.  Similar
-			 * comment applies for later ctype uses.
-			 */
-			if (isascii(c) && isdigit(c)) {
-				if (base == 8 && (c == '8' || c == '9'))
-					return (0);
-				val = (val * base) + (c - '0');
-				c = *++cp;
-				digit = 1;
-			} else if (base == 16 && isascii(c) && isxdigit(c)) {
-				val = (val << 4) |
-					(c + 10 - (islower(c) ? 'a' : 'A'));
-				c = *++cp;
-				digit = 1;
-			} else
-				break;
-		}
-		if (c == '.') {
-			/*
-			 * Internet format:
-			 *	a.b.c.d
-			 *	a.b.c	(with c treated as 16 bits)
-			 *	a.b	(with b treated as 24 bits)
-			 */
-			if (pp >= parts + 3 || val > 0xffU)
-				return (0);
-			*pp++ = (lwres_uint8_t)val;
-			c = *++cp;
-		} else
-			break;
-	}
-	/*
-	 * Check for trailing characters.
-	 */
-	if (c != '\0' && (!isascii(c) || !isspace(c)))
-		return (0);
-	/*
-	 * Did we get a valid digit?
-	 */
-	if (!digit)
-		return (0);
-	/*
-	 * Concoct the address according to
-	 * the number of parts specified.
-	 */
-	n = pp - parts + 1;
-	switch (n) {
-	case 1:				/* a -- 32 bits */
-		break;
-
-	case 2:				/* a.b -- 8.24 bits */
-		if (val > 0xffffffU)
-			return (0);
-		val |= parts[0] << 24;
-		break;
-
-	case 3:				/* a.b.c -- 8.8.16 bits */
-		if (val > 0xffffU)
-			return (0);
-		val |= (parts[0] << 24) | (parts[1] << 16);
-		break;
-
-	case 4:				/* a.b.c.d -- 8.8.8.8 bits */
-		if (val > 0xffU)
-			return (0);
-		val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
-		break;
-	}
-	if (addr != NULL)
-		addr->s_addr = htonl(val);
-
-	return (1);
-}
diff --git a/contrib/bind9/lib/lwres/lwinetntop.c b/contrib/bind9/lib/lwres/lwinetntop.c
deleted file mode 100644
index cf3bdfe..0000000
--- a/contrib/bind9/lib/lwres/lwinetntop.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*! \file lwinetntop.c
- */
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
-	"$Id: lwinetntop.c,v 1.18 2007/06/19 23:47:22 tbox Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <lwres/net.h>
-#include "print_p.h"
-
-#define NS_INT16SZ	 2
-#define NS_IN6ADDRSZ	16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static const char *inet_ntop4(const unsigned char *src, char *dst,
-			      size_t size);
-
-#ifdef AF_INET6
-static const char *inet_ntop6(const unsigned char *src, char *dst,
-			      size_t size);
-#endif
-
-/*! char *
- * lwres_net_ntop(af, src, dst, size)
- *	convert a network format address to presentation format.
- * return:
- *	pointer to presentation format address (`dst'), or NULL (see errno).
- * author:
- *	Paul Vixie, 1996.
- */
-const char *
-lwres_net_ntop(int af, const void *src, char *dst, size_t size) {
-	switch (af) {
-	case AF_INET:
-		return (inet_ntop4(src, dst, size));
-#ifdef AF_INET6
-	case AF_INET6:
-		return (inet_ntop6(src, dst, size));
-#endif
-	default:
-		errno = EAFNOSUPPORT;
-		return (NULL);
-	}
-	/* NOTREACHED */
-}
-
-/*! const char *
- * inet_ntop4(src, dst, size)
- *	format an IPv4 address
- * return:
- *	`dst' (as a const)
- * notes:
- *	(1) uses no statics
- *	(2) takes a unsigned char* not an in_addr as input
- * author:
- *	Paul Vixie, 1996.
- */
-static const char *
-inet_ntop4(const unsigned char *src, char *dst, size_t size) {
-	static const char fmt[] = "%u.%u.%u.%u";
-	char tmp[sizeof("255.255.255.255")];
-	size_t len;
-
-	len = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
-	if (len >= size) {
-		errno = ENOSPC;
-		return (NULL);
-	}
-	strcpy(dst, tmp);
-
-	return (dst);
-}
-
-/*! const char *
- * inet_ntop6(src, dst, size)
- *	convert IPv6 binary address into presentation (printable) format
- * author:
- *	Paul Vixie, 1996.
- */
-#ifdef AF_INET6
-static const char *
-inet_ntop6(const unsigned char *src, char *dst, size_t size) {
-	/*!
-	 * Note that int32_t and int16_t need only be "at least" large enough
-	 * to contain a value of the specified size.  On some systems, like
-	 * Crays, there is no such thing as an integer variable with 16 bits.
-	 * Keep this in mind if you think this function should have been coded
-	 * to use pointer overlays.  All the world's not a VAX.
-	 */
-	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")], *tp;
-	struct { int base, len; } best, cur;
-	unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
-	int i;
-
-	/*
-	 * Preprocess:
-	 *	Copy the input (bytewise) array into a wordwise array.
-	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
-	 */
-	memset(words, '\0', sizeof(words));
-	for (i = 0; i < NS_IN6ADDRSZ; i++)
-		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
-	best.base = -1;
-	best.len = 0;
-	cur.base = -1;
-	cur.len = 0;
-	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
-		if (words[i] == 0) {
-			if (cur.base == -1)
-				cur.base = i, cur.len = 1;
-			else
-				cur.len++;
-		} else {
-			if (cur.base != -1) {
-				if (best.base == -1 || cur.len > best.len)
-					best = cur;
-				cur.base = -1;
-			}
-		}
-	}
-	if (cur.base != -1) {
-		if (best.base == -1 || cur.len > best.len)
-			best = cur;
-	}
-	if (best.base != -1 && best.len < 2)
-		best.base = -1;
-
-	/*
-	 * Format the result.
-	 */
-	tp = tmp;
-	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
-		/* Are we inside the best run of 0x00's? */
-		if (best.base != -1 && i >= best.base &&
-		    i < (best.base + best.len)) {
-			if (i == best.base)
-				*tp++ = ':';
-			continue;
-		}
-		/* Are we following an initial run of 0x00s or any real hex? */
-		if (i != 0)
-			*tp++ = ':';
-		/* Is this address an encapsulated IPv4? */
-		if (i == 6 && best.base == 0 &&
-		    (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
-			if (!inet_ntop4(src+12, tp,
-					sizeof(tmp) - (tp - tmp)))
-				return (NULL);
-			tp += strlen(tp);
-			break;
-		}
-		tp += sprintf(tp, "%x", words[i]); /* XXX */
-	}
-	/* Was it a trailing run of 0x00's? */
-	if (best.base != -1 && (best.base + best.len) ==
-	    (NS_IN6ADDRSZ / NS_INT16SZ))
-		*tp++ = ':';
-	*tp++ = '\0';
-
-	/*
-	 * Check for overflow, copy, and we're done.
-	 */
-	if ((size_t)(tp - tmp) > size) {
-		errno = ENOSPC;
-		return (NULL);
-	}
-	strcpy(dst, tmp);
-	return (dst);
-}
-#endif /* AF_INET6 */
diff --git a/contrib/bind9/lib/lwres/lwinetpton.c b/contrib/bind9/lib/lwres/lwinetpton.c
deleted file mode 100644
index e0ea85d..0000000
--- a/contrib/bind9/lib/lwres/lwinetpton.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*! \file lwinetpton.c
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id$";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <string.h>
-
-#include <lwres/net.h>
-
-#define NS_INT16SZ	 2
-#define NS_INADDRSZ	 4
-#define NS_IN6ADDRSZ	16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static int inet_pton4(const char *src, unsigned char *dst);
-static int inet_pton6(const char *src, unsigned char *dst);
-
-/*!
- * int
- * lwres_net_pton(af, src, dst)
- *	convert from presentation format (which usually means ASCII printable)
- *	to network format (which is usually some kind of binary format).
- * return:
- *	1 if the address was valid for the specified address family
- *	0 if the address wasn't valid (`dst' is untouched in this case)
- *	-1 if some other error occurred (`dst' is untouched in this case, too)
- * author:
- *	Paul Vixie, 1996.
- */
-int
-lwres_net_pton(int af, const char *src, void *dst) {
-	switch (af) {
-	case AF_INET:
-		return (inet_pton4(src, dst));
-	case AF_INET6:
-		return (inet_pton6(src, dst));
-	default:
-		errno = EAFNOSUPPORT;
-		return (-1);
-	}
-	/* NOTREACHED */
-}
-
-/*! int
- * inet_pton4(src, dst)
- *	like inet_aton() but without all the hexadecimal and shorthand.
- * return:
- *	1 if `src' is a valid dotted quad, else 0.
- * notice:
- *	does not touch `dst' unless it's returning 1.
- * author:
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton4(const char *src, unsigned char *dst) {
-	static const char digits[] = "0123456789";
-	int saw_digit, octets, ch;
-	unsigned char tmp[NS_INADDRSZ], *tp;
-
-	saw_digit = 0;
-	octets = 0;
-	*(tp = tmp) = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr(digits, ch)) != NULL) {
-			unsigned int new = *tp * 10 + (pch - digits);
-
-			if (new > 255)
-				return (0);
-			*tp = new;
-			if (! saw_digit) {
-				if (++octets > 4)
-					return (0);
-				saw_digit = 1;
-			}
-		} else if (ch == '.' && saw_digit) {
-			if (octets == 4)
-				return (0);
-			/*
-			 * "clang --analyse" generates warnings using:
-			 * 		*++tp = 0;
-			 */
-			tp++;
-			*tp = 0;
-			saw_digit = 0;
-		} else
-			return (0);
-	}
-	if (octets < 4)
-		return (0);
-	memcpy(dst, tmp, NS_INADDRSZ);
-	return (1);
-}
-
-/*! int
- * inet_pton6(src, dst)
- *	convert presentation level address to network order binary form.
- * return:
- *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * notice:
- *	(1) does not touch `dst' unless it's returning 1.
- *	(2) :: in a full address is silently ignored.
- * credit:
- *	inspired by Mark Andrews.
- * author:
- *	Paul Vixie, 1996.
- */
-static int
-inet_pton6(const char *src, unsigned char *dst) {
-	static const char xdigits_l[] = "0123456789abcdef",
-			  xdigits_u[] = "0123456789ABCDEF";
-	unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
-	const char *xdigits, *curtok;
-	int ch, seen_xdigits;
-	unsigned int val;
-
-	memset((tp = tmp), '\0', NS_IN6ADDRSZ);
-	endp = tp + NS_IN6ADDRSZ;
-	colonp = NULL;
-	/* Leading :: requires some special handling. */
-	if (*src == ':')
-		if (*++src != ':')
-			return (0);
-	curtok = src;
-	seen_xdigits = 0;
-	val = 0;
-	while ((ch = *src++) != '\0') {
-		const char *pch;
-
-		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
-			pch = strchr((xdigits = xdigits_u), ch);
-		if (pch != NULL) {
-			val <<= 4;
-			val |= (pch - xdigits);
-			if (++seen_xdigits > 4)
-				return (0);
-			continue;
-		}
-		if (ch == ':') {
-			curtok = src;
-			if (!seen_xdigits) {
-				if (colonp)
-					return (0);
-				colonp = tp;
-				continue;
-			}
-			if (tp + NS_INT16SZ > endp)
-				return (0);
-			*tp++ = (unsigned char) (val >> 8) & 0xff;
-			*tp++ = (unsigned char) val & 0xff;
-			seen_xdigits = 0;
-			val = 0;
-			continue;
-		}
-		if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
-		    inet_pton4(curtok, tp) > 0) {
-			tp += NS_INADDRSZ;
-			seen_xdigits = 0;
-			break;	/* '\0' was seen by inet_pton4(). */
-		}
-		return (0);
-	}
-	if (seen_xdigits) {
-		if (tp + NS_INT16SZ > endp)
-			return (0);
-		*tp++ = (unsigned char) (val >> 8) & 0xff;
-		*tp++ = (unsigned char) val & 0xff;
-	}
-	if (colonp != NULL) {
-		/*
-		 * Since some memmove()'s erroneously fail to handle
-		 * overlapping regions, we'll do the shift by hand.
-		 */
-		const int n = tp - colonp;
-		int i;
-
-		for (i = 1; i <= n; i++) {
-			endp[- i] = colonp[n - i];
-			colonp[n - i] = 0;
-		}
-		tp = endp;
-	}
-	if (tp != endp)
-		return (0);
-	memcpy(dst, tmp, NS_IN6ADDRSZ);
-	return (1);
-}
diff --git a/contrib/bind9/lib/lwres/lwpacket.c b/contrib/bind9/lib/lwres/lwpacket.c
deleted file mode 100644
index cfa2723..0000000
--- a/contrib/bind9/lib/lwres/lwpacket.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwpacket.c,v 1.18 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-/**
- *    These functions rely on a struct lwres_lwpacket which is defined in
- *    \link lwpacket.h lwres/lwpacket.h.\endlink
- * 
- *    The following opcodes are currently defined:   
- * 
- * \li   #LWRES_OPCODE_NOOP
- *           Success is always returned and the packet contents are
- *           echoed. The \link lwres_noop.c lwres_noop_*()\endlink functions should be used for this
- *           type.
- * 
- * \li   #LWRES_OPCODE_GETADDRSBYNAME
- *           returns all known addresses for a given name. The
- *           \link lwres_gabn.c lwres_gabn_*()\endlink functions should be used for this type.
- * 
- * \li   #LWRES_OPCODE_GETNAMEBYADDR
- *           return the hostname for the given address. The
- *           \link lwres_gnba.c lwres_gnba_*() \endlink functions should be used for this type.     
- * 
- *    lwres_lwpacket_renderheader() transfers the contents of lightweight
- *    resolver packet structure #lwres_lwpacket_t *pkt in network byte
- *    order to the lightweight resolver buffer, *b.
- * 
- *    lwres_lwpacket_parseheader() performs the converse operation. It
- *    transfers data in network byte order from buffer *b to resolver
- *    packet *pkt. The contents of the buffer b should correspond to a   
- *    #lwres_lwpacket_t.
- * 
- * \section lwpacket_return Return Values
- * 
- *    Successful calls to lwres_lwpacket_renderheader() and
- *    lwres_lwpacket_parseheader() return #LWRES_R_SUCCESS. If there is
- *    insufficient space to copy data between the buffer *b and
- *    lightweight resolver packet *pkt both functions return
- *    #LWRES_R_UNEXPECTEDEND.
- */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/result.h>
-
-#include "assert_p.h"
-
-/*% Length of Packet */
-#define LWPACKET_LENGTH \
-	(sizeof(lwres_uint16_t) * 4 + sizeof(lwres_uint32_t) * 5)
-
-/*% transfers the contents of lightweight resolver packet structure lwres_lwpacket_t *pkt in network byte order to the lightweight resolver buffer, *b. */
-
-lwres_result_t
-lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
-	REQUIRE(b != NULL);
-	REQUIRE(pkt != NULL);
-
-	if (!SPACE_OK(b, LWPACKET_LENGTH))
-		return (LWRES_R_UNEXPECTEDEND);
-
-	lwres_buffer_putuint32(b, pkt->length);
-	lwres_buffer_putuint16(b, pkt->version);
-	lwres_buffer_putuint16(b, pkt->pktflags);
-	lwres_buffer_putuint32(b, pkt->serial);
-	lwres_buffer_putuint32(b, pkt->opcode);
-	lwres_buffer_putuint32(b, pkt->result);
-	lwres_buffer_putuint32(b, pkt->recvlength);
-	lwres_buffer_putuint16(b, pkt->authtype);
-	lwres_buffer_putuint16(b, pkt->authlength);
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% transfers data in network byte order from buffer *b to resolver packet *pkt. The contents of the buffer b should correspond to a lwres_lwpacket_t. */
-
-lwres_result_t
-lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
-	lwres_uint32_t space;
-
-	REQUIRE(b != NULL);
-	REQUIRE(pkt != NULL);
-
-	space = LWRES_BUFFER_REMAINING(b);
-	if (space < LWPACKET_LENGTH)
-		return (LWRES_R_UNEXPECTEDEND);
-
-	pkt->length = lwres_buffer_getuint32(b);
-	/*
-	 * XXXBEW/MLG Checking that the buffer is long enough probably
-	 * shouldn't be done here, since this function is supposed to just
-	 * parse the header.
-	 */
-	if (pkt->length > space)
-		return (LWRES_R_UNEXPECTEDEND);
-	pkt->version = lwres_buffer_getuint16(b);
-	pkt->pktflags = lwres_buffer_getuint16(b);
-	pkt->serial = lwres_buffer_getuint32(b);
-	pkt->opcode = lwres_buffer_getuint32(b);
-	pkt->result = lwres_buffer_getuint32(b);
-	pkt->recvlength = lwres_buffer_getuint32(b);
-	pkt->authtype = lwres_buffer_getuint16(b);
-	pkt->authlength = lwres_buffer_getuint16(b);
-
-	return (LWRES_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/lwres/lwres_gabn.c b/contrib/bind9/lib/lwres/lwres_gabn.c
deleted file mode 100644
index 3363e66..0000000
--- a/contrib/bind9/lib/lwres/lwres_gabn.c
+++ /dev/null
@@ -1,505 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_gabn.c,v 1.33 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file lwres_gabn.c
-   These are low-level routines for creating and parsing lightweight
-   resolver name-to-address lookup request and response messages.
-
-   There are four main functions for the getaddrbyname opcode. One render
-   function converts a getaddrbyname request structure --
-   lwres_gabnrequest_t -- to the lighweight resolver's canonical format.
-   It is complemented by a parse function that converts a packet in this
-   canonical format to a getaddrbyname request structure. Another render
-   function converts the getaddrbyname response structure --
-   lwres_gabnresponse_t -- to the canonical format. This is complemented
-   by a parse function which converts a packet in canonical format to a
-   getaddrbyname response structure.
-
-   These structures are defined in \link lwres.h <lwres/lwres.h>.\endlink They are shown below.
-
-\code
-#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
-
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_uint32_t  addrtypes;
-        lwres_uint16_t  namelen;
-        char           *name;
-} lwres_gabnrequest_t;
-
-typedef struct {
-        lwres_uint32_t          flags;
-        lwres_uint16_t          naliases;
-        lwres_uint16_t          naddrs;
-        char                   *realname;
-        char                  **aliases;
-        lwres_uint16_t          realnamelen;
-        lwres_uint16_t         *aliaslen;
-        lwres_addrlist_t        addrs;
-        void                   *base;
-        size_t                  baselen;
-} lwres_gabnresponse_t;
-\endcode
-
-   lwres_gabnrequest_render() uses resolver context ctx to convert
-   getaddrbyname request structure req to canonical format. The packet
-   header structure pkt is initialised and transferred to buffer b. The
-   contents of *req are then appended to the buffer in canonical format.
-   lwres_gabnresponse_render() performs the same task, except it converts
-   a getaddrbyname response structure lwres_gabnresponse_t to the
-   lightweight resolver's canonical format.
-
-   lwres_gabnrequest_parse() uses context ctx to convert the contents of
-   packet pkt to a lwres_gabnrequest_t structure. Buffer b provides space
-   to be used for storing this structure. When the function succeeds, the
-   resulting lwres_gabnrequest_t is made available through *structp.
-   lwres_gabnresponse_parse() offers the same semantics as
-   lwres_gabnrequest_parse() except it yields a lwres_gabnresponse_t
-   structure.
-
-   lwres_gabnresponse_free() and lwres_gabnrequest_free() release the
-   memory in resolver context ctx that was allocated to the
-   lwres_gabnresponse_t or lwres_gabnrequest_t structures referenced via
-   structp. Any memory associated with ancillary buffers and strings for
-   those structures is also discarded.
-
-\section lwres_gabn_return Return Values
-
-   The getaddrbyname opcode functions lwres_gabnrequest_render(),
-   lwres_gabnresponse_render() lwres_gabnrequest_parse() and
-   lwres_gabnresponse_parse() all return #LWRES_R_SUCCESS on success. They
-   return #LWRES_R_NOMEMORY if memory allocation fails.
-   #LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer
-   b is too small to accommodate the packet header or the
-   lwres_gabnrequest_t and lwres_gabnresponse_t structures.
-   lwres_gabnrequest_parse() and lwres_gabnresponse_parse() will return
-   #LWRES_R_UNEXPECTEDEND if the buffer is not empty after decoding the
-   received packet. These functions will return #LWRES_R_FAILURE if
-   pktflags in the packet header structure #lwres_lwpacket_t indicate that
-   the packet is not a response to an earlier query.
-
-\section lwres_gabn_see See Also
-
-   \link lwpacket.c lwres_lwpacket \endlink
- */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-/*% uses resolver context ctx to convert getaddrbyname request structure req to canonical format. */
-lwres_result_t
-lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
-			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
-	unsigned char *buf;
-	size_t buflen;
-	int ret;
-	size_t payload_length;
-	lwres_uint16_t datalen;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(req != NULL);
-	REQUIRE(req->name != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-
-	datalen = strlen(req->name);
-
-	payload_length = 4 + 4 + 2 + req->namelen + 1;
-
-	buflen = LWRES_LWPACKET_LENGTH + payload_length;
-	buf = CTXMALLOC(buflen);
-	if (buf == NULL)
-		return (LWRES_R_NOMEMORY);
-
-	lwres_buffer_init(b, buf, buflen);
-
-	pkt->length = buflen;
-	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
-	pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
-	pkt->result = 0;
-	pkt->authtype = 0;
-	pkt->authlength = 0;
-
-	ret = lwres_lwpacket_renderheader(b, pkt);
-	if (ret != LWRES_R_SUCCESS) {
-		lwres_buffer_invalidate(b);
-		CTXFREE(buf, buflen);
-		return (ret);
-	}
-
-	INSIST(SPACE_OK(b, payload_length));
-
-	/*
-	 * Flags.
-	 */
-	lwres_buffer_putuint32(b, req->flags);
-
-	/*
-	 * Address types we'll accept.
-	 */
-	lwres_buffer_putuint32(b, req->addrtypes);
-
-	/*
-	 * Put the length and the data.  We know this will fit because we
-	 * just checked for it.
-	 */
-	lwres_buffer_putuint16(b, datalen);
-	lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
-	lwres_buffer_putuint8(b, 0); /* trailing NUL */
-
-	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
-	return (LWRES_R_SUCCESS);
-}
-/*% converts a getaddrbyname response structure lwres_gabnresponse_t to the lightweight resolver's canonical format. */
-lwres_result_t
-lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
-			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
-	unsigned char *buf;
-	size_t buflen;
-	int ret;
-	size_t payload_length;
-	lwres_uint16_t datalen;
-	lwres_addr_t *addr;
-	int x;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(req != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-
-	/* naliases, naddrs */
-	payload_length = 4 + 2 + 2;
-	/* real name encoding */
-	payload_length += 2 + req->realnamelen + 1;
-	/* each alias */
-	for (x = 0; x < req->naliases; x++)
-		payload_length += 2 + req->aliaslen[x] + 1;
-	/* each address */
-	x = 0;
-	addr = LWRES_LIST_HEAD(req->addrs);
-	while (addr != NULL) {
-		payload_length += 4 + 2;
-		payload_length += addr->length;
-		addr = LWRES_LIST_NEXT(addr, link);
-		x++;
-	}
-	INSIST(x == req->naddrs);
-
-	buflen = LWRES_LWPACKET_LENGTH + payload_length;
-	buf = CTXMALLOC(buflen);
-	if (buf == NULL)
-		return (LWRES_R_NOMEMORY);
-	lwres_buffer_init(b, buf, buflen);
-
-	pkt->length = buflen;
-	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
-	pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
-	pkt->authtype = 0;
-	pkt->authlength = 0;
-
-	ret = lwres_lwpacket_renderheader(b, pkt);
-	if (ret != LWRES_R_SUCCESS) {
-		lwres_buffer_invalidate(b);
-		CTXFREE(buf, buflen);
-		return (ret);
-	}
-
-	/*
-	 * Check space needed here.
-	 */
-	INSIST(SPACE_OK(b, payload_length));
-
-	/* Flags. */
-	lwres_buffer_putuint32(b, req->flags);
-
-	/* encode naliases and naddrs */
-	lwres_buffer_putuint16(b, req->naliases);
-	lwres_buffer_putuint16(b, req->naddrs);
-
-	/* encode the real name */
-	datalen = req->realnamelen;
-	lwres_buffer_putuint16(b, datalen);
-	lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
-	lwres_buffer_putuint8(b, 0);
-
-	/* encode the aliases */
-	for (x = 0; x < req->naliases; x++) {
-		datalen = req->aliaslen[x];
-		lwres_buffer_putuint16(b, datalen);
-		lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
-				    datalen);
-		lwres_buffer_putuint8(b, 0);
-	}
-
-	/* encode the addresses */
-	addr = LWRES_LIST_HEAD(req->addrs);
-	while (addr != NULL) {
-		lwres_buffer_putuint32(b, addr->family);
-		lwres_buffer_putuint16(b, addr->length);
-		lwres_buffer_putmem(b, addr->address, addr->length);
-		addr = LWRES_LIST_NEXT(addr, link);
-	}
-
-	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-	INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
-
-	return (LWRES_R_SUCCESS);
-}
-/*% Uses context ctx to convert the contents of packet pkt to a lwres_gabnrequest_t structure. */
-lwres_result_t
-lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp)
-{
-	int ret;
-	char *name;
-	lwres_gabnrequest_t *gabn;
-	lwres_uint32_t addrtypes;
-	lwres_uint32_t flags;
-	lwres_uint16_t namelen;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
-		return (LWRES_R_FAILURE);
-
-	if (!SPACE_REMAINING(b, 4 + 4))
-		return (LWRES_R_UNEXPECTEDEND);
-
-	flags = lwres_buffer_getuint32(b);
-	addrtypes = lwres_buffer_getuint32(b);
-
-	/*
-	 * Pull off the name itself
-	 */
-	ret = lwres_string_parse(b, &name, &namelen);
-	if (ret != LWRES_R_SUCCESS)
-		return (ret);
-
-	if (LWRES_BUFFER_REMAINING(b) != 0)
-		return (LWRES_R_TRAILINGDATA);
-
-	gabn = CTXMALLOC(sizeof(lwres_gabnrequest_t));
-	if (gabn == NULL)
-		return (LWRES_R_NOMEMORY);
-
-	gabn->flags = flags;
-	gabn->addrtypes = addrtypes;
-	gabn->name = name;
-	gabn->namelen = namelen;
-
-	*structp = gabn;
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Offers the same semantics as lwres_gabnrequest_parse() except it yields a lwres_gabnresponse_t structure. */
-
-lwres_result_t
-lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp)
-{
-	lwres_result_t ret;
-	unsigned int x;
-	lwres_uint32_t flags;
-	lwres_uint16_t naliases;
-	lwres_uint16_t naddrs;
-	lwres_gabnresponse_t *gabn;
-	lwres_addrlist_t addrlist;
-	lwres_addr_t *addr;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	gabn = NULL;
-
-	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
-		return (LWRES_R_FAILURE);
-
-	/*
-	 * Pull off the name itself
-	 */
-	if (!SPACE_REMAINING(b, 4 + 2 + 2))
-		return (LWRES_R_UNEXPECTEDEND);
-	flags = lwres_buffer_getuint32(b);
-	naliases = lwres_buffer_getuint16(b);
-	naddrs = lwres_buffer_getuint16(b);
-
-	gabn = CTXMALLOC(sizeof(lwres_gabnresponse_t));
-	if (gabn == NULL)
-		return (LWRES_R_NOMEMORY);
-	gabn->aliases = NULL;
-	gabn->aliaslen = NULL;
-	LWRES_LIST_INIT(gabn->addrs);
-	gabn->base = NULL;
-
-	gabn->flags = flags;
-	gabn->naliases = naliases;
-	gabn->naddrs = naddrs;
-
-	LWRES_LIST_INIT(addrlist);
-
-	if (naliases > 0) {
-		gabn->aliases = CTXMALLOC(sizeof(char *) * naliases);
-		if (gabn->aliases == NULL) {
-			ret = LWRES_R_NOMEMORY;
-			goto out;
-		}
-
-		gabn->aliaslen = CTXMALLOC(sizeof(lwres_uint16_t) * naliases);
-		if (gabn->aliaslen == NULL) {
-			ret = LWRES_R_NOMEMORY;
-			goto out;
-		}
-	}
-
-	for (x = 0; x < naddrs; x++) {
-		addr = CTXMALLOC(sizeof(lwres_addr_t));
-		if (addr == NULL) {
-			ret = LWRES_R_NOMEMORY;
-			goto out;
-		}
-		LWRES_LINK_INIT(addr, link);
-		LWRES_LIST_APPEND(addrlist, addr, link);
-	}
-
-	/*
-	 * Now, pull off the real name.
-	 */
-	ret = lwres_string_parse(b, &gabn->realname, &gabn->realnamelen);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	/*
-	 * Parse off the aliases.
-	 */
-	for (x = 0; x < gabn->naliases; x++) {
-		ret = lwres_string_parse(b, &gabn->aliases[x],
-					 &gabn->aliaslen[x]);
-		if (ret != LWRES_R_SUCCESS)
-			goto out;
-	}
-
-	/*
-	 * Pull off the addresses.  We already strung the linked list
-	 * up above.
-	 */
-	addr = LWRES_LIST_HEAD(addrlist);
-	for (x = 0; x < gabn->naddrs; x++) {
-		INSIST(addr != NULL);
-		ret = lwres_addr_parse(b, addr);
-		if (ret != LWRES_R_SUCCESS)
-			goto out;
-		addr = LWRES_LIST_NEXT(addr, link);
-	}
-
-	if (LWRES_BUFFER_REMAINING(b) != 0) {
-		ret = LWRES_R_TRAILINGDATA;
-		goto out;
-	}
-
-	gabn->addrs = addrlist;
-
-	*structp = gabn;
-	return (LWRES_R_SUCCESS);
-
- out:
-	if (gabn != NULL) {
-		if (gabn->aliases != NULL)
-			CTXFREE(gabn->aliases, sizeof(char *) * naliases);
-		if (gabn->aliaslen != NULL)
-			CTXFREE(gabn->aliaslen,
-				sizeof(lwres_uint16_t) * naliases);
-		addr = LWRES_LIST_HEAD(addrlist);
-		while (addr != NULL) {
-			LWRES_LIST_UNLINK(addrlist, addr, link);
-			CTXFREE(addr, sizeof(lwres_addr_t));
-			addr = LWRES_LIST_HEAD(addrlist);
-		}
-		CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
-	}
-
-	return (ret);
-}
-
-/*% Release the memory in resolver context ctx that was allocated to the lwres_gabnrequest_t. */
-void
-lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp)
-{
-	lwres_gabnrequest_t *gabn;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(structp != NULL && *structp != NULL);
-
-	gabn = *structp;
-	*structp = NULL;
-
-	CTXFREE(gabn, sizeof(lwres_gabnrequest_t));
-}
-
-/*% Release the memory in resolver context ctx that was allocated to the lwres_gabnresponse_t. */
-void
-lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp)
-{
-	lwres_gabnresponse_t *gabn;
-	lwres_addr_t *addr;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(structp != NULL && *structp != NULL);
-
-	gabn = *structp;
-	*structp = NULL;
-
-	if (gabn->naliases > 0) {
-		CTXFREE(gabn->aliases, sizeof(char *) * gabn->naliases);
-		CTXFREE(gabn->aliaslen,
-			sizeof(lwres_uint16_t) * gabn->naliases);
-	}
-	addr = LWRES_LIST_HEAD(gabn->addrs);
-	while (addr != NULL) {
-		LWRES_LIST_UNLINK(gabn->addrs, addr, link);
-		CTXFREE(addr, sizeof(lwres_addr_t));
-		addr = LWRES_LIST_HEAD(gabn->addrs);
-	}
-	if (gabn->base != NULL)
-		CTXFREE(gabn->base, gabn->baselen);
-	CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
-}
diff --git a/contrib/bind9/lib/lwres/lwres_gnba.c b/contrib/bind9/lib/lwres/lwres_gnba.c
deleted file mode 100644
index d18ae15..0000000
--- a/contrib/bind9/lib/lwres/lwres_gnba.c
+++ /dev/null
@@ -1,415 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_gnba.c,v 1.28 2007/09/24 17:18:25 each Exp $ */
-
-/*! \file lwres_gnba.c
-   These are low-level routines for creating and parsing lightweight
-   resolver address-to-name lookup request and response messages.
-
-   There are four main functions for the getnamebyaddr opcode. One
- render function converts a getnamebyaddr request structure --
-   lwres_gnbarequest_t -- to the lightweight resolver's canonical
-   format. It is complemented by a parse function that converts a
-   packet in this canonical format to a getnamebyaddr request
-   structure. Another render function converts the getnamebyaddr
-   response structure -- lwres_gnbaresponse_t to the canonical format.
-   This is complemented by a parse function which converts a packet in
-   canonical format to a getnamebyaddr response structure.       
-
-   These structures are defined in \link lwres.h <lwres/lwres.h.>\endlink They are shown
-   below.
-
-\code
-#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
-
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_addr_t    addr;
-} lwres_gnbarequest_t;
-
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_uint16_t  naliases;
-        char           *realname;
-        char          **aliases;
-        lwres_uint16_t  realnamelen;
-        lwres_uint16_t *aliaslen;
-        void           *base;
-        size_t          baselen;
-} lwres_gnbaresponse_t;
-\endcode
-
-   lwres_gnbarequest_render() uses resolver context ctx to convert
-   getnamebyaddr request structure req to canonical format. The packet
-   header structure pkt is initialised and transferred to buffer b.
-   The contents of *req are then appended to the buffer in canonical
-   format. lwres_gnbaresponse_render() performs the same task, except
-   it converts a getnamebyaddr response structure lwres_gnbaresponse_t
-   to the lightweight resolver's canonical format.
-
-   lwres_gnbarequest_parse() uses context ctx to convert the contents
-   of packet pkt to a lwres_gnbarequest_t structure. Buffer b provides
-   space to be used for storing this structure. When the function
-   succeeds, the resulting lwres_gnbarequest_t is made available
-   through *structp. lwres_gnbaresponse_parse() offers the same   
-semantics as lwres_gnbarequest_parse() except it yields a    
-   lwres_gnbaresponse_t structure.
-
-   lwres_gnbaresponse_free() and lwres_gnbarequest_free() release the
-   memory in resolver context ctx that was allocated to the     
-   lwres_gnbaresponse_t or lwres_gnbarequest_t structures referenced  
-   via structp. Any memory associated with ancillary buffers and      
-   strings for those structures is also discarded.
-
-\section lwres_gbna_return Return Values
-
-   The getnamebyaddr opcode functions lwres_gnbarequest_render(),
-   lwres_gnbaresponse_render() lwres_gnbarequest_parse() and
-   lwres_gnbaresponse_parse() all return #LWRES_R_SUCCESS on success.
-   They return #LWRES_R_NOMEMORY if memory allocation fails.
-   #LWRES_R_UNEXPECTEDEND is returned if the available space in the
-   buffer b is too small to accommodate the packet header or the
-   lwres_gnbarequest_t and lwres_gnbaresponse_t structures.
-   lwres_gnbarequest_parse() and lwres_gnbaresponse_parse() will
-   return #LWRES_R_UNEXPECTEDEND if the buffer is not empty after
-   decoding the received packet. These functions will return
-   #LWRES_R_FAILURE if pktflags in the packet header structure
-   #lwres_lwpacket_t indicate that the packet is not a response to an
-   earlier query.
-
-\section lwres_gbna_see See Also
-
-   \link lwpacket.c lwres_packet\endlink
-
- */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-/*% Uses resolver context ctx to convert getnamebyaddr request structure req to canonical format. */
-lwres_result_t
-lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
-			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
-	unsigned char *buf;
-	size_t buflen;
-	int ret;
-	size_t payload_length;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(req != NULL);
-	REQUIRE(req->addr.family != 0);
-	REQUIRE(req->addr.length != 0);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-
-	payload_length = 4 + 4 + 2 + + req->addr.length;
-
-	buflen = LWRES_LWPACKET_LENGTH + payload_length;
-	buf = CTXMALLOC(buflen);
-	if (buf == NULL)
-		return (LWRES_R_NOMEMORY);
-	lwres_buffer_init(b, buf, buflen);
-
-	pkt->length = buflen;
-	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
-	pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
-	pkt->result = 0;
-	pkt->authtype = 0;
-	pkt->authlength = 0;
-
-	ret = lwres_lwpacket_renderheader(b, pkt);
-	if (ret != LWRES_R_SUCCESS) {
-		lwres_buffer_invalidate(b);
-		CTXFREE(buf, buflen);
-		return (ret);
-	}
-
-	INSIST(SPACE_OK(b, payload_length));
-
-	/*
-	 * Put the length and the data.  We know this will fit because we
-	 * just checked for it.
-	 */
-	lwres_buffer_putuint32(b, req->flags);
-	lwres_buffer_putuint32(b, req->addr.family);
-	lwres_buffer_putuint16(b, req->addr.length);
-	lwres_buffer_putmem(b, (unsigned char *)req->addr.address,
-			    req->addr.length);
-
-	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Converts a getnamebyaddr response structure lwres_gnbaresponse_t to the lightweight resolver's canonical format. */
-lwres_result_t
-lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
-			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
-	unsigned char *buf;
-	size_t buflen;
-	int ret;
-	size_t payload_length;
-	lwres_uint16_t datalen;
-	int x;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(req != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-
-	/*
-	 * Calculate packet size.
-	 */
-	payload_length = 4;			       /* flags */
-	payload_length += 2;			       /* naliases */
-	payload_length += 2 + req->realnamelen + 1;    /* real name encoding */
-	for (x = 0; x < req->naliases; x++)	       /* each alias */
-		payload_length += 2 + req->aliaslen[x] + 1;
-
-	buflen = LWRES_LWPACKET_LENGTH + payload_length;
-	buf = CTXMALLOC(buflen);
-	if (buf == NULL)
-		return (LWRES_R_NOMEMORY);
-	lwres_buffer_init(b, buf, buflen);
-
-	pkt->length = buflen;
-	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
-	pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
-	pkt->authtype = 0;
-	pkt->authlength = 0;
-
-	ret = lwres_lwpacket_renderheader(b, pkt);
-	if (ret != LWRES_R_SUCCESS) {
-		lwres_buffer_invalidate(b);
-		CTXFREE(buf, buflen);
-		return (ret);
-	}
-
-	INSIST(SPACE_OK(b, payload_length));
-	lwres_buffer_putuint32(b, req->flags);
-
-	/* encode naliases */
-	lwres_buffer_putuint16(b, req->naliases);
-
-	/* encode the real name */
-	datalen = req->realnamelen;
-	lwres_buffer_putuint16(b, datalen);
-	lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
-	lwres_buffer_putuint8(b, 0);
-
-	/* encode the aliases */
-	for (x = 0; x < req->naliases; x++) {
-		datalen = req->aliaslen[x];
-		lwres_buffer_putuint16(b, datalen);
-		lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
-				    datalen);
-		lwres_buffer_putuint8(b, 0);
-	}
-
-	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Uses context ctx to convert the contents of packet pkt to a lwres_gnbarequest_t structure. */
-lwres_result_t
-lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp)
-{
-	int ret;
-	lwres_gnbarequest_t *gnba;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
-		return (LWRES_R_FAILURE);
-
-	if (!SPACE_REMAINING(b, 4))
-		return (LWRES_R_UNEXPECTEDEND);
-
-	gnba = CTXMALLOC(sizeof(lwres_gnbarequest_t));
-	if (gnba == NULL)
-		return (LWRES_R_NOMEMORY);
-
-	gnba->flags = lwres_buffer_getuint32(b);
-
-	ret = lwres_addr_parse(b, &gnba->addr);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	if (LWRES_BUFFER_REMAINING(b) != 0) {
-		ret = LWRES_R_TRAILINGDATA;
-		goto out;
-	}
-
-	*structp = gnba;
-	return (LWRES_R_SUCCESS);
-
- out:
-	if (gnba != NULL)
-		lwres_gnbarequest_free(ctx, &gnba);
-
-	return (ret);
-}
-
-/*% Offers the same semantics as lwres_gnbarequest_parse() except it yields a lwres_gnbaresponse_t structure. */
-
-lwres_result_t
-lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			 lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp)
-{
-	int ret;
-	unsigned int x;
-	lwres_uint32_t flags;
-	lwres_uint16_t naliases;
-	lwres_gnbaresponse_t *gnba;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	gnba = NULL;
-
-	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
-		return (LWRES_R_FAILURE);
-
-	/*
-	 * Pull off flags & naliases
-	 */
-	if (!SPACE_REMAINING(b, 4 + 2))
-		return (LWRES_R_UNEXPECTEDEND);
-	flags = lwres_buffer_getuint32(b);
-	naliases = lwres_buffer_getuint16(b);
-
-	gnba = CTXMALLOC(sizeof(lwres_gnbaresponse_t));
-	if (gnba == NULL)
-		return (LWRES_R_NOMEMORY);
-	gnba->base = NULL;
-	gnba->aliases = NULL;
-	gnba->aliaslen = NULL;
-
-	gnba->flags = flags;
-	gnba->naliases = naliases;
-
-	if (naliases > 0) {
-		gnba->aliases = CTXMALLOC(sizeof(char *) * naliases);
-		if (gnba->aliases == NULL) {
-			ret = LWRES_R_NOMEMORY;
-			goto out;
-		}
-
-		gnba->aliaslen = CTXMALLOC(sizeof(lwres_uint16_t) * naliases);
-		if (gnba->aliaslen == NULL) {
-			ret = LWRES_R_NOMEMORY;
-			goto out;
-		}
-	}
-
-	/*
-	 * Now, pull off the real name.
-	 */
-	ret = lwres_string_parse(b, &gnba->realname, &gnba->realnamelen);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	/*
-	 * Parse off the aliases.
-	 */
-	for (x = 0; x < gnba->naliases; x++) {
-		ret = lwres_string_parse(b, &gnba->aliases[x],
-					 &gnba->aliaslen[x]);
-		if (ret != LWRES_R_SUCCESS)
-			goto out;
-	}
-
-	if (LWRES_BUFFER_REMAINING(b) != 0) {
-		ret = LWRES_R_TRAILINGDATA;
-		goto out;
-	}
-
-	*structp = gnba;
-	return (LWRES_R_SUCCESS);
-
- out:
-	if (gnba != NULL) {
-		if (gnba->aliases != NULL)
-			CTXFREE(gnba->aliases, sizeof(char *) * naliases);
-		if (gnba->aliaslen != NULL)
-			CTXFREE(gnba->aliaslen,
-				sizeof(lwres_uint16_t) * naliases);
-		CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
-	}
-
-	return (ret);
-}
-
-/*% Release the memory in resolver context ctx that was allocated to the lwres_gnbarequest_t. */
-void
-lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp)
-{
-	lwres_gnbarequest_t *gnba;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(structp != NULL && *structp != NULL);
-
-	gnba = *structp;
-	*structp = NULL;
-
-	CTXFREE(gnba, sizeof(lwres_gnbarequest_t));
-}
-
-/*% Release the memory in resolver context ctx that was allocated to the lwres_gnbaresponse_t. */
-void
-lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp)
-{
-	lwres_gnbaresponse_t *gnba;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(structp != NULL && *structp != NULL);
-
-	gnba = *structp;
-	*structp = NULL;
-
-	if (gnba->naliases > 0) {
-		CTXFREE(gnba->aliases, sizeof(char *) * gnba->naliases);
-		CTXFREE(gnba->aliaslen,
-			sizeof(lwres_uint16_t) * gnba->naliases);
-	}
-	if (gnba->base != NULL)
-		CTXFREE(gnba->base, gnba->baselen);
-	CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
-}
diff --git a/contrib/bind9/lib/lwres/lwres_grbn.c b/contrib/bind9/lib/lwres/lwres_grbn.c
deleted file mode 100644
index 72718ba..0000000
--- a/contrib/bind9/lib/lwres/lwres_grbn.c
+++ /dev/null
@@ -1,426 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_grbn.c,v 1.10 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file lwres_grbn.c
-
- */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
-lwres_result_t
-lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
-			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
-	unsigned char *buf;
-	size_t buflen;
-	int ret;
-	size_t payload_length;
-	lwres_uint16_t datalen;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(req != NULL);
-	REQUIRE(req->name != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-
-	datalen = strlen(req->name);
-
-	payload_length = 4 + 2 + 2 + 2 + req->namelen + 1;
-
-	buflen = LWRES_LWPACKET_LENGTH + payload_length;
-	buf = CTXMALLOC(buflen);
-	if (buf == NULL)
-		return (LWRES_R_NOMEMORY);
-
-	lwres_buffer_init(b, buf, buflen);
-
-	pkt->length = buflen;
-	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
-	pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
-	pkt->result = 0;
-	pkt->authtype = 0;
-	pkt->authlength = 0;
-
-	ret = lwres_lwpacket_renderheader(b, pkt);
-	if (ret != LWRES_R_SUCCESS) {
-		lwres_buffer_invalidate(b);
-		CTXFREE(buf, buflen);
-		return (ret);
-	}
-
-	INSIST(SPACE_OK(b, payload_length));
-
-	/*
-	 * Flags.
-	 */
-	lwres_buffer_putuint32(b, req->flags);
-
-	/*
-	 * Class.
-	 */
-	lwres_buffer_putuint16(b, req->rdclass);
-
-	/*
-	 * Type.
-	 */
-	lwres_buffer_putuint16(b, req->rdtype);
-
-	/*
-	 * Put the length and the data.  We know this will fit because we
-	 * just checked for it.
-	 */
-	lwres_buffer_putuint16(b, datalen);
-	lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
-	lwres_buffer_putuint8(b, 0); /* trailing NUL */
-
-	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
-lwres_result_t
-lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
-			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
-	unsigned char *buf;
-	size_t buflen;
-	int ret;
-	size_t payload_length;
-	lwres_uint16_t datalen;
-	int x;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(req != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-
-	/* flags, class, type, ttl, nrdatas, nsigs */
-	payload_length = 4 + 2 + 2 + 4 + 2 + 2;
-	/* real name encoding */
-	payload_length += 2 + req->realnamelen + 1;
-	/* each rr */
-	for (x = 0; x < req->nrdatas; x++)
-		payload_length += 2 + req->rdatalen[x];
-	for (x = 0; x < req->nsigs; x++)
-		payload_length += 2 + req->siglen[x];
-
-	buflen = LWRES_LWPACKET_LENGTH + payload_length;
-	buf = CTXMALLOC(buflen);
-	if (buf == NULL)
-		return (LWRES_R_NOMEMORY);
-	lwres_buffer_init(b, buf, buflen);
-
-	pkt->length = buflen;
-	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
-	pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
-	pkt->authtype = 0;
-	pkt->authlength = 0;
-
-	ret = lwres_lwpacket_renderheader(b, pkt);
-	if (ret != LWRES_R_SUCCESS) {
-		lwres_buffer_invalidate(b);
-		CTXFREE(buf, buflen);
-		return (ret);
-	}
-
-	/*
-	 * Check space needed here.
-	 */
-	INSIST(SPACE_OK(b, payload_length));
-
-	/* Flags. */
-	lwres_buffer_putuint32(b, req->flags);
-
-	/* encode class, type, ttl, and nrdatas */
-	lwres_buffer_putuint16(b, req->rdclass);
-	lwres_buffer_putuint16(b, req->rdtype);
-	lwres_buffer_putuint32(b, req->ttl);
-	lwres_buffer_putuint16(b, req->nrdatas);
-	lwres_buffer_putuint16(b, req->nsigs);
-
-	/* encode the real name */
-	datalen = req->realnamelen;
-	lwres_buffer_putuint16(b, datalen);
-	lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
-	lwres_buffer_putuint8(b, 0);
-
-	/* encode the rdatas */
-	for (x = 0; x < req->nrdatas; x++) {
-		datalen = req->rdatalen[x];
-		lwres_buffer_putuint16(b, datalen);
-		lwres_buffer_putmem(b, req->rdatas[x], datalen);
-	}
-
-	/* encode the signatures */
-	for (x = 0; x < req->nsigs; x++) {
-		datalen = req->siglen[x];
-		lwres_buffer_putuint16(b, datalen);
-		lwres_buffer_putmem(b, req->sigs[x], datalen);
-	}
-
-	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-	INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
-lwres_result_t
-lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp)
-{
-	int ret;
-	char *name;
-	lwres_grbnrequest_t *grbn;
-	lwres_uint32_t flags;
-	lwres_uint16_t rdclass, rdtype;
-	lwres_uint16_t namelen;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
-		return (LWRES_R_FAILURE);
-
-	if (!SPACE_REMAINING(b, 4 + 2 + 2))
-		return (LWRES_R_UNEXPECTEDEND);
-
-	/*
-	 * Pull off the flags, class, and type.
-	 */
-	flags = lwres_buffer_getuint32(b);
-	rdclass = lwres_buffer_getuint16(b);
-	rdtype = lwres_buffer_getuint16(b);
-
-	/*
-	 * Pull off the name itself
-	 */
-	ret = lwres_string_parse(b, &name, &namelen);
-	if (ret != LWRES_R_SUCCESS)
-		return (ret);
-
-	if (LWRES_BUFFER_REMAINING(b) != 0)
-		return (LWRES_R_TRAILINGDATA);
-
-	grbn = CTXMALLOC(sizeof(lwres_grbnrequest_t));
-	if (grbn == NULL)
-		return (LWRES_R_NOMEMORY);
-
-	grbn->flags = flags;
-	grbn->rdclass = rdclass;
-	grbn->rdtype = rdtype;
-	grbn->name = name;
-	grbn->namelen = namelen;
-
-	*structp = grbn;
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
-lwres_result_t
-lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_grbnresponse_t **structp)
-{
-	lwres_result_t ret;
-	unsigned int x;
-	lwres_uint32_t flags;
-	lwres_uint16_t rdclass, rdtype;
-	lwres_uint32_t ttl;
-	lwres_uint16_t nrdatas, nsigs;
-	lwres_grbnresponse_t *grbn;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	grbn = NULL;
-
-	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
-		return (LWRES_R_FAILURE);
-
-	/*
-	 * Pull off the flags, class, type, ttl, nrdatas, and nsigs
-	 */
-	if (!SPACE_REMAINING(b, 4 + 2 + 2 + 4 + 2 + 2))
-		return (LWRES_R_UNEXPECTEDEND);
-	flags = lwres_buffer_getuint32(b);
-	rdclass = lwres_buffer_getuint16(b);
-	rdtype = lwres_buffer_getuint16(b);
-	ttl = lwres_buffer_getuint32(b);
-	nrdatas = lwres_buffer_getuint16(b);
-	nsigs = lwres_buffer_getuint16(b);
-
-	/*
-	 * Pull off the name itself
-	 */
-
-	grbn = CTXMALLOC(sizeof(lwres_grbnresponse_t));
-	if (grbn == NULL)
-		return (LWRES_R_NOMEMORY);
-	grbn->rdatas = NULL;
-	grbn->rdatalen = NULL;
-	grbn->sigs = NULL;
-	grbn->siglen = NULL;
-	grbn->base = NULL;
-
-	grbn->flags = flags;
-	grbn->rdclass = rdclass;
-	grbn->rdtype = rdtype;
-	grbn->ttl = ttl;
-	grbn->nrdatas = nrdatas;
-	grbn->nsigs = nsigs;
-
-	if (nrdatas > 0) {
-		grbn->rdatas = CTXMALLOC(sizeof(char *) * nrdatas);
-		if (grbn->rdatas == NULL) {
-			ret = LWRES_R_NOMEMORY;
-			goto out;
-		}
-
-		grbn->rdatalen = CTXMALLOC(sizeof(lwres_uint16_t) * nrdatas);
-		if (grbn->rdatalen == NULL) {
-			ret = LWRES_R_NOMEMORY;
-			goto out;
-		}
-	}
-
-	if (nsigs > 0) {
-		grbn->sigs = CTXMALLOC(sizeof(char *) * nsigs);
-		if (grbn->sigs == NULL) {
-			ret = LWRES_R_NOMEMORY;
-			goto out;
-		}
-
-		grbn->siglen = CTXMALLOC(sizeof(lwres_uint16_t) * nsigs);
-		if (grbn->siglen == NULL) {
-			ret = LWRES_R_NOMEMORY;
-			goto out;
-		}
-	}
-
-	/*
-	 * Now, pull off the real name.
-	 */
-	ret = lwres_string_parse(b, &grbn->realname, &grbn->realnamelen);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	/*
-	 * Parse off the rdatas.
-	 */
-	for (x = 0; x < grbn->nrdatas; x++) {
-		ret = lwres_data_parse(b, &grbn->rdatas[x],
-					 &grbn->rdatalen[x]);
-		if (ret != LWRES_R_SUCCESS)
-			goto out;
-	}
-
-	/*
-	 * Parse off the signatures.
-	 */
-	for (x = 0; x < grbn->nsigs; x++) {
-		ret = lwres_data_parse(b, &grbn->sigs[x], &grbn->siglen[x]);
-		if (ret != LWRES_R_SUCCESS)
-			goto out;
-	}
-
-	if (LWRES_BUFFER_REMAINING(b) != 0) {
-		ret = LWRES_R_TRAILINGDATA;
-		goto out;
-	}
-
-	*structp = grbn;
-	return (LWRES_R_SUCCESS);
-
- out:
-	if (grbn != NULL) {
-		if (grbn->rdatas != NULL)
-			CTXFREE(grbn->rdatas, sizeof(char *) * nrdatas);
-		if (grbn->rdatalen != NULL)
-			CTXFREE(grbn->rdatalen,
-				sizeof(lwres_uint16_t) * nrdatas);
-		if (grbn->sigs != NULL)
-			CTXFREE(grbn->sigs, sizeof(char *) * nsigs);
-		if (grbn->siglen != NULL)
-			CTXFREE(grbn->siglen, sizeof(lwres_uint16_t) * nsigs);
-		CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
-	}
-
-	return (ret);
-}
-
-/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
-void
-lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp)
-{
-	lwres_grbnrequest_t *grbn;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(structp != NULL && *structp != NULL);
-
-	grbn = *structp;
-	*structp = NULL;
-
-	CTXFREE(grbn, sizeof(lwres_grbnrequest_t));
-}
-
-/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
-void
-lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp)
-{
-	lwres_grbnresponse_t *grbn;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(structp != NULL && *structp != NULL);
-
-	grbn = *structp;
-	*structp = NULL;
-
-	if (grbn->nrdatas > 0) {
-		CTXFREE(grbn->rdatas, sizeof(char *) * grbn->nrdatas);
-		CTXFREE(grbn->rdatalen,
-			sizeof(lwres_uint16_t) * grbn->nrdatas);
-	}
-	if (grbn->nsigs > 0) {
-		CTXFREE(grbn->sigs, sizeof(char *) * grbn->nsigs);
-		CTXFREE(grbn->siglen, sizeof(lwres_uint16_t) * grbn->nsigs);
-	}
-	if (grbn->base != NULL)
-		CTXFREE(grbn->base, grbn->baselen);
-	CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
-}
diff --git a/contrib/bind9/lib/lwres/lwres_noop.c b/contrib/bind9/lib/lwres/lwres_noop.c
deleted file mode 100644
index 369fe4e..0000000
--- a/contrib/bind9/lib/lwres/lwres_noop.c
+++ /dev/null
@@ -1,342 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_noop.c,v 1.19 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-/**
- *    These are low-level routines for creating and parsing lightweight
- *    resolver no-op request and response messages.
- * 
- *    The no-op message is analogous to a ping packet: a packet is sent to
- *    the resolver daemon and is simply echoed back. The opcode is intended
- *    to allow a client to determine if the server is operational or not.
- * 
- *    There are four main functions for the no-op opcode. One render
- *    function converts a no-op request structure -- lwres_nooprequest_t --
- *    to the lighweight resolver's canonical format. It is complemented by a
- *    parse function that converts a packet in this canonical format to a
- *    no-op request structure. Another render function converts the no-op
- *    response structure -- lwres_noopresponse_t to the canonical format.
- *    This is complemented by a parse function which converts a packet in
- *    canonical format to a no-op response structure.
- * 
- *    These structures are defined in \link lwres.h <lwres/lwres.h.> \endlink They are shown below.
- * 
- * \code
- * #define LWRES_OPCODE_NOOP       0x00000000U
- * 
- * typedef struct {
- *         lwres_uint16_t  datalength;
- *         unsigned char   *data;
- * } lwres_nooprequest_t;
- * 
- * typedef struct {
- *         lwres_uint16_t  datalength;
- *         unsigned char   *data;
- * } lwres_noopresponse_t;
- * \endcode
- * 
- *    Although the structures have different types, they are identical. This
- *    is because the no-op opcode simply echos whatever data was sent: the
- *    response is therefore identical to the request.
- * 
- *    lwres_nooprequest_render() uses resolver context ctx to convert no-op
- *    request structure req to canonical format. The packet header structure
- *    pkt is initialised and transferred to buffer b. The contents of *req
- *    are then appended to the buffer in canonical format.
- *    lwres_noopresponse_render() performs the same task, except it converts
- *    a no-op response structure lwres_noopresponse_t to the lightweight
- *    resolver's canonical format.
- * 
- *    lwres_nooprequest_parse() uses context ctx to convert the contents of
- *    packet pkt to a lwres_nooprequest_t structure. Buffer b provides space
- *    to be used for storing this structure. When the function succeeds, the
- *    resulting lwres_nooprequest_t is made available through *structp.
- *    lwres_noopresponse_parse() offers the same semantics as
- *    lwres_nooprequest_parse() except it yields a lwres_noopresponse_t
- *    structure.
- * 
- *    lwres_noopresponse_free() and lwres_nooprequest_free() release the
- *    memory in resolver context ctx that was allocated to the
- *    lwres_noopresponse_t or lwres_nooprequest_t structures referenced via
- *    structp.
- * 
- * \section lwres_noop_return Return Values
- * 
- *    The no-op opcode functions lwres_nooprequest_render(),
- *    lwres_noopresponse_render() lwres_nooprequest_parse() and
- *    lwres_noopresponse_parse() all return #LWRES_R_SUCCESS on success. They
- *    return #LWRES_R_NOMEMORY if memory allocation fails.
- *    #LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer
- *    b is too small to accommodate the packet header or the
- *    lwres_nooprequest_t and lwres_noopresponse_t structures.
- *    lwres_nooprequest_parse() and lwres_noopresponse_parse() will return
- *    #LWRES_R_UNEXPECTEDEND if the buffer is not empty after decoding the
- *    received packet. These functions will return #LWRES_R_FAILURE if
- *    pktflags in the packet header structure #lwres_lwpacket_t indicate that
- *    the packet is not a response to an earlier query.
- * 
- * \section lwres_noop_see See Also
- * 
- *    lwpacket.c
- */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-/*% Uses resolver context ctx to convert no-op request structure req to canonical format. */
-lwres_result_t
-lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
-			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
-	unsigned char *buf;
-	size_t buflen;
-	int ret;
-	size_t payload_length;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(req != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-
-	payload_length = sizeof(lwres_uint16_t) + req->datalength;
-
-	buflen = LWRES_LWPACKET_LENGTH + payload_length;
-	buf = CTXMALLOC(buflen);
-	if (buf == NULL)
-		return (LWRES_R_NOMEMORY);
-	lwres_buffer_init(b, buf, buflen);
-
-	pkt->length = buflen;
-	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
-	pkt->opcode = LWRES_OPCODE_NOOP;
-	pkt->result = 0;
-	pkt->authtype = 0;
-	pkt->authlength = 0;
-
-	ret = lwres_lwpacket_renderheader(b, pkt);
-	if (ret != LWRES_R_SUCCESS) {
-		lwres_buffer_invalidate(b);
-		CTXFREE(buf, buflen);
-		return (ret);
-	}
-
-	INSIST(SPACE_OK(b, payload_length));
-
-	/*
-	 * Put the length and the data.  We know this will fit because we
-	 * just checked for it.
-	 */
-	lwres_buffer_putuint16(b, req->datalength);
-	lwres_buffer_putmem(b, req->data, req->datalength);
-
-	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Converts a no-op response structure lwres_noopresponse_t to the lightweight resolver's canonical format. */
-
-lwres_result_t
-lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
-			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
-	unsigned char *buf;
-	size_t buflen;
-	int ret;
-	size_t payload_length;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(req != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(b != NULL);
-
-	payload_length = sizeof(lwres_uint16_t) + req->datalength;
-
-	buflen = LWRES_LWPACKET_LENGTH + payload_length;
-	buf = CTXMALLOC(buflen);
-	if (buf == NULL)
-		return (LWRES_R_NOMEMORY);
-	lwres_buffer_init(b, buf, buflen);
-
-	pkt->length = buflen;
-	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
-	pkt->opcode = LWRES_OPCODE_NOOP;
-	pkt->authtype = 0;
-	pkt->authlength = 0;
-
-	ret = lwres_lwpacket_renderheader(b, pkt);
-	if (ret != LWRES_R_SUCCESS) {
-		lwres_buffer_invalidate(b);
-		CTXFREE(buf, buflen);
-		return (ret);
-	}
-
-	INSIST(SPACE_OK(b, payload_length));
-
-	/*
-	 * Put the length and the data.  We know this will fit because we
-	 * just checked for it.
-	 */
-	lwres_buffer_putuint16(b, req->datalength);
-	lwres_buffer_putmem(b, req->data, req->datalength);
-
-	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Uses context ctx to convert the contents of packet pkt to a lwres_nooprequest_t structure. */
-lwres_result_t
-lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp)
-{
-	int ret;
-	lwres_nooprequest_t *req;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(b != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
-		return (LWRES_R_FAILURE);
-
-	req = CTXMALLOC(sizeof(lwres_nooprequest_t));
-	if (req == NULL)
-		return (LWRES_R_NOMEMORY);
-
-	if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t))) {
-		ret = LWRES_R_UNEXPECTEDEND;
-		goto out;
-	}
-	req->datalength = lwres_buffer_getuint16(b);
-
-	if (!SPACE_REMAINING(b, req->datalength)) {
-		ret = LWRES_R_UNEXPECTEDEND;
-		goto out;
-	}
-	req->data = b->base + b->current;
-	lwres_buffer_forward(b, req->datalength);
-
-	if (LWRES_BUFFER_REMAINING(b) != 0) {
-		ret = LWRES_R_TRAILINGDATA;
-		goto out;
-	}
-
-	/* success! */
-	*structp = req;
-	return (LWRES_R_SUCCESS);
-
-	/* Error return */
- out:
-	CTXFREE(req, sizeof(lwres_nooprequest_t));
-	return (ret);
-}
-
-/*% Offers the same semantics as lwres_nooprequest_parse() except it yields a lwres_noopresponse_t structure. */
-lwres_result_t
-lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
-			 lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp)
-{
-	int ret;
-	lwres_noopresponse_t *req;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(b != NULL);
-	REQUIRE(pkt != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
-		return (LWRES_R_FAILURE);
-
-	req = CTXMALLOC(sizeof(lwres_noopresponse_t));
-	if (req == NULL)
-		return (LWRES_R_NOMEMORY);
-
-	if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t))) {
-		ret = LWRES_R_UNEXPECTEDEND;
-		goto out;
-	}
-	req->datalength = lwres_buffer_getuint16(b);
-
-	if (!SPACE_REMAINING(b, req->datalength)) {
-		ret = LWRES_R_UNEXPECTEDEND;
-		goto out;
-	}
-	req->data = b->base + b->current;
-
-	lwres_buffer_forward(b, req->datalength);
-	if (LWRES_BUFFER_REMAINING(b) != 0) {
-		ret = LWRES_R_TRAILINGDATA;
-		goto out;
-	}
-
-	/* success! */
-	*structp = req;
-	return (LWRES_R_SUCCESS);
-
-	/* Error return */
- out:
-	CTXFREE(req, sizeof(lwres_noopresponse_t));
-	return (ret);
-}
-
-/*% Release the memory in resolver context ctx. */
-void
-lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp)
-{
-	lwres_noopresponse_t *noop;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(structp != NULL && *structp != NULL);
-
-	noop = *structp;
-	*structp = NULL;
-
-	CTXFREE(noop, sizeof(lwres_noopresponse_t));
-}
-
-/*% Release the memory in resolver context ctx. */
-void
-lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp)
-{
-	lwres_nooprequest_t *noop;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(structp != NULL && *structp != NULL);
-
-	noop = *structp;
-	*structp = NULL;
-
-	CTXFREE(noop, sizeof(lwres_nooprequest_t));
-}
diff --git a/contrib/bind9/lib/lwres/lwresutil.c b/contrib/bind9/lib/lwres/lwresutil.c
deleted file mode 100644
index 3bf5660..0000000
--- a/contrib/bind9/lib/lwres/lwresutil.c
+++ /dev/null
@@ -1,576 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwresutil.c,v 1.34 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-/**
- *    lwres_string_parse() retrieves a DNS-encoded string starting the
- *    current pointer of lightweight resolver buffer b: i.e. b->current.
- *    When the function returns, the address of the first byte of the
- *    encoded string is returned via *c and the length of that string is
- *    given by *len. The buffer's current pointer is advanced to point at
- *    the character following the string length, the encoded string, and
- *    the trailing NULL character.
- * 
- *    lwres_addr_parse() extracts an address from the buffer b. The
- *    buffer's current pointer b->current is presumed to point at an
- *    encoded address: the address preceded by a 32-bit protocol family
- *    identifier and a 16-bit length field. The encoded address is copied
- *    to addr->address and addr->length indicates the size in bytes of
- *    the address that was copied. b->current is advanced to point at the
- *  next byte of available data in the buffer following the encoded
- *    address.
- * 
- *    lwres_getaddrsbyname() and lwres_getnamebyaddr() use the
- *    lwres_gnbaresponse_t structure defined below:
- * 
- * \code
- * typedef struct {
- *         lwres_uint32_t          flags;
- *         lwres_uint16_t          naliases;
- *         lwres_uint16_t          naddrs;
- *         char                   *realname;
- *         char                  **aliases;
- *         lwres_uint16_t          realnamelen;
- *         lwres_uint16_t         *aliaslen;
- *         lwres_addrlist_t        addrs;
- *         void                   *base;
- *         size_t                  baselen;
- * } lwres_gabnresponse_t;
- * \endcode
- * 
- *    The contents of this structure are not manipulated directly but
- *    they are controlled through the \link lwres_gabn.c lwres_gabn*\endlink functions.  
- * 
- *    The lightweight resolver uses lwres_getaddrsbyname() to perform
- *    foward lookups. Hostname name is looked up using the resolver
- *    context ctx for memory allocation. addrtypes is a bitmask      
- *    indicating which type of addresses are to be looked up. Current
- *    values for this bitmask are #LWRES_ADDRTYPE_V4 for IPv4 addresses
- *    and #LWRES_ADDRTYPE_V6 for IPv6 addresses. Results of the lookup are
- *    returned in *structp.
- * 
- *    lwres_getnamebyaddr() performs reverse lookups. Resolver context  
- *    ctx is used for memory allocation. The address type is indicated by
- *    addrtype: #LWRES_ADDRTYPE_V4 or #LWRES_ADDRTYPE_V6. The address to be
- *    looked up is given by addr and its length is addrlen bytes. The    
- *    result of the function call is made available through *structp.   
- * 
- * \section lwresutil_return Return Values
- * 
- *    Successful calls to lwres_string_parse() and lwres_addr_parse()
- *    return #LWRES_R_SUCCESS. Both functions return #LWRES_R_FAILURE if 
- *    the buffer is corrupt or #LWRES_R_UNEXPECTEDEND if the buffer has   
- *    less space than expected for the components of the encoded string
- *    or address.
- * 
- * lwres_getaddrsbyname() returns #LWRES_R_SUCCESS on success and it
- *    returns #LWRES_R_NOTFOUND if the hostname name could not be found.
- * 
- *    #LWRES_R_SUCCESS is returned by a successful call to
- *    lwres_getnamebyaddr().
- * 
- *    Both lwres_getaddrsbyname() and lwres_getnamebyaddr() return
- *    #LWRES_R_NOMEMORY when memory allocation requests fail and
- *    #LWRES_R_UNEXPECTEDEND if the buffers used for sending queries and
- *    receiving replies are too small.     
- * 
- * \section lwresutil_see See Also
- * 
- *    lwbuffer.c, lwres_gabn.c
- */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "assert_p.h"
-#include "context_p.h"
-
-/*% Parse data. */
-/*!
- * Requires:
- *
- *	The "current" pointer in "b" points to encoded raw data.
- *
- * Ensures:
- *
- *	The address of the first byte of the data is returned via "p",
- *	and the length is returned via "len".  If NULL, they are not
- *	set.
- *
- *	On return, the current pointer of "b" will point to the character
- *	following the data length and the data.
- *
- */
-lwres_result_t
-lwres_data_parse(lwres_buffer_t *b, unsigned char **p, lwres_uint16_t *len)
-{
-	lwres_uint16_t datalen;
-	unsigned char *data;
-
-	REQUIRE(b != NULL);
-
-	/*
-	 * Pull off the length (2 bytes)
-	 */
-	if (!SPACE_REMAINING(b, 2))
-		return (LWRES_R_UNEXPECTEDEND);
-	datalen = lwres_buffer_getuint16(b);
-
-	/*
-	 * Set the pointer to this string to the right place, then
-	 * advance the buffer pointer.
-	 */
-	if (!SPACE_REMAINING(b, datalen))
-		return (LWRES_R_UNEXPECTEDEND);
-	data = b->base + b->current;
-	lwres_buffer_forward(b, datalen);
-
-	if (len != NULL)
-		*len = datalen;
-	if (p != NULL)
-		*p = data;
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Retrieves a DNS-encoded string. */
-/*!
- * Requires:
- *
- *	The "current" pointer in "b" point to an encoded string.
- *
- * Ensures:
- *
- *	The address of the first byte of the string is returned via "c",
- *	and the length is returned via "len".  If NULL, they are not
- *	set.
- *
- *	On return, the current pointer of "b" will point to the character
- *	following the string length, the string, and the trailing NULL.
- *
- */
-lwres_result_t
-lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len)
-{
-	lwres_uint16_t datalen;
-	char *string;
-
-	REQUIRE(b != NULL);
-
-	/*
-	 * Pull off the length (2 bytes)
-	 */
-	if (!SPACE_REMAINING(b, 2))
-		return (LWRES_R_UNEXPECTEDEND);
-	datalen = lwres_buffer_getuint16(b);
-
-	/*
-	 * Set the pointer to this string to the right place, then
-	 * advance the buffer pointer.
-	 */
-	if (!SPACE_REMAINING(b, datalen))
-		return (LWRES_R_UNEXPECTEDEND);
-	string = (char *)b->base + b->current;
-	lwres_buffer_forward(b, datalen);
-
-	/*
-	 * Skip the "must be zero" byte.
-	 */
-	if (!SPACE_REMAINING(b, 1))
-		return (LWRES_R_UNEXPECTEDEND);
-	if (0 != lwres_buffer_getuint8(b))
-		return (LWRES_R_FAILURE);
-
-	if (len != NULL)
-		*len = datalen;
-	if (c != NULL)
-		*c = string;
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Extracts an address from the buffer b. */
-lwres_result_t
-lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr)
-{
-	REQUIRE(addr != NULL);
-
-	if (!SPACE_REMAINING(b, 6))
-		return (LWRES_R_UNEXPECTEDEND);
-
-	addr->family = lwres_buffer_getuint32(b);
-	addr->length = lwres_buffer_getuint16(b);
-
-	if (!SPACE_REMAINING(b, addr->length))
-		return (LWRES_R_UNEXPECTEDEND);
-	if (addr->length > LWRES_ADDR_MAXLEN)
-		return (LWRES_R_FAILURE);
-
-	lwres_buffer_getmem(b, addr->address, addr->length);
-
-	return (LWRES_R_SUCCESS);
-}
-
-/*% Used to perform forward lookups. */
-lwres_result_t
-lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
-		     lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp)
-{
-	lwres_gabnrequest_t request;
-	lwres_gabnresponse_t *response;
-	int ret;
-	int recvlen;
-	lwres_buffer_t b_in, b_out;
-	lwres_lwpacket_t pkt;
-	lwres_uint32_t serial;
-	char *buffer;
-	char target_name[1024];
-	unsigned int target_length;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(name != NULL);
-	REQUIRE(addrtypes != 0);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	b_in.base = NULL;
-	b_out.base = NULL;
-	response = NULL;
-	buffer = NULL;
-	serial = lwres_context_nextserial(ctx);
-
-	buffer = CTXMALLOC(LWRES_RECVLENGTH);
-	if (buffer == NULL) {
-		ret = LWRES_R_NOMEMORY;
-		goto out;
-	}
-
-	target_length = strlen(name);
-	if (target_length >= sizeof(target_name))
-		return (LWRES_R_FAILURE);
-	strcpy(target_name, name); /* strcpy is safe */
-
-	/*
-	 * Set up our request and render it to a buffer.
-	 */
-	request.flags = 0;
-	request.addrtypes = addrtypes;
-	request.name = target_name;
-	request.namelen = target_length;
-	pkt.pktflags = 0;
-	pkt.serial = serial;
-	pkt.result = 0;
-	pkt.recvlength = LWRES_RECVLENGTH;
-
- again:
-	ret = lwres_gabnrequest_render(ctx, &request, &pkt, &b_out);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
-				     LWRES_RECVLENGTH, &recvlen);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	lwres_buffer_init(&b_in, buffer, recvlen);
-	b_in.used = recvlen;
-
-	/*
-	 * Parse the packet header.
-	 */
-	ret = lwres_lwpacket_parseheader(&b_in, &pkt);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	/*
-	 * Sanity check.
-	 */
-	if (pkt.serial != serial)
-		goto again;
-	if (pkt.opcode != LWRES_OPCODE_GETADDRSBYNAME)
-		goto again;
-
-	/*
-	 * Free what we've transmitted
-	 */
-	CTXFREE(b_out.base, b_out.length);
-	b_out.base = NULL;
-	b_out.length = 0;
-
-	if (pkt.result != LWRES_R_SUCCESS) {
-		ret = pkt.result;
-		goto out;
-	}
-
-	/*
-	 * Parse the response.
-	 */
-	ret = lwres_gabnresponse_parse(ctx, &b_in, &pkt, &response);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-	response->base = buffer;
-	response->baselen = LWRES_RECVLENGTH;
-	buffer = NULL; /* don't free this below */
-
-	*structp = response;
-	return (LWRES_R_SUCCESS);
-
- out:
-	if (b_out.base != NULL)
-		CTXFREE(b_out.base, b_out.length);
-	if (buffer != NULL)
-		CTXFREE(buffer, LWRES_RECVLENGTH);
-	if (response != NULL)
-		lwres_gabnresponse_free(ctx, &response);
-
-	return (ret);
-}
-
-
-/*% Used to perform reverse lookups. */
-lwres_result_t
-lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
-		    lwres_uint16_t addrlen, const unsigned char *addr,
-		    lwres_gnbaresponse_t **structp)
-{
-	lwres_gnbarequest_t request;
-	lwres_gnbaresponse_t *response;
-	int ret;
-	int recvlen;
-	lwres_buffer_t b_in, b_out;
-	lwres_lwpacket_t pkt;
-	lwres_uint32_t serial;
-	char *buffer;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(addrtype != 0);
-	REQUIRE(addrlen != 0);
-	REQUIRE(addr != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	b_in.base = NULL;
-	b_out.base = NULL;
-	response = NULL;
-	buffer = NULL;
-	serial = lwres_context_nextserial(ctx);
-
-	buffer = CTXMALLOC(LWRES_RECVLENGTH);
-	if (buffer == NULL) {
-		ret = LWRES_R_NOMEMORY;
-		goto out;
-	}
-
-	/*
-	 * Set up our request and render it to a buffer.
-	 */
-	request.flags = 0;
-	request.addr.family = addrtype;
-	request.addr.length = addrlen;
-	memcpy(request.addr.address, addr, addrlen);
-	pkt.pktflags = 0;
-	pkt.serial = serial;
-	pkt.result = 0;
-	pkt.recvlength = LWRES_RECVLENGTH;
-
- again:
-	ret = lwres_gnbarequest_render(ctx, &request, &pkt, &b_out);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
-				     LWRES_RECVLENGTH, &recvlen);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	lwres_buffer_init(&b_in, buffer, recvlen);
-	b_in.used = recvlen;
-
-	/*
-	 * Parse the packet header.
-	 */
-	ret = lwres_lwpacket_parseheader(&b_in, &pkt);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	/*
-	 * Sanity check.
-	 */
-	if (pkt.serial != serial)
-		goto again;
-	if (pkt.opcode != LWRES_OPCODE_GETNAMEBYADDR)
-		goto again;
-
-	/*
-	 * Free what we've transmitted
-	 */
-	CTXFREE(b_out.base, b_out.length);
-	b_out.base = NULL;
-	b_out.length = 0;
-
-	if (pkt.result != LWRES_R_SUCCESS) {
-		ret = pkt.result;
-		goto out;
-	}
-
-	/*
-	 * Parse the response.
-	 */
-	ret = lwres_gnbaresponse_parse(ctx, &b_in, &pkt, &response);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-	response->base = buffer;
-	response->baselen = LWRES_RECVLENGTH;
-	buffer = NULL; /* don't free this below */
-
-	*structp = response;
-	return (LWRES_R_SUCCESS);
-
- out:
-	if (b_out.base != NULL)
-		CTXFREE(b_out.base, b_out.length);
-	if (buffer != NULL)
-		CTXFREE(buffer, LWRES_RECVLENGTH);
-	if (response != NULL)
-		lwres_gnbaresponse_free(ctx, &response);
-
-	return (ret);
-}
-
-/*% Get rdata by name. */
-lwres_result_t
-lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
-		     lwres_uint16_t rdclass, lwres_uint16_t rdtype,
-		     lwres_uint32_t flags, lwres_grbnresponse_t **structp)
-{
-	int ret;
-	int recvlen;
-	lwres_buffer_t b_in, b_out;
-	lwres_lwpacket_t pkt;
-	lwres_uint32_t serial;
-	char *buffer;
-	lwres_grbnrequest_t request;
-	lwres_grbnresponse_t *response;
-	char target_name[1024];
-	unsigned int target_length;
-
-	REQUIRE(ctx != NULL);
-	REQUIRE(name != NULL);
-	REQUIRE(structp != NULL && *structp == NULL);
-
-	b_in.base = NULL;
-	b_out.base = NULL;
-	response = NULL;
-	buffer = NULL;
-	serial = lwres_context_nextserial(ctx);
-
-	buffer = CTXMALLOC(LWRES_RECVLENGTH);
-	if (buffer == NULL) {
-		ret = LWRES_R_NOMEMORY;
-		goto out;
-	}
-
-	target_length = strlen(name);
-	if (target_length >= sizeof(target_name))
-		return (LWRES_R_FAILURE);
-	strcpy(target_name, name); /* strcpy is safe */
-
-	/*
-	 * Set up our request and render it to a buffer.
-	 */
-	request.rdclass = rdclass;
-	request.rdtype = rdtype;
-	request.flags = flags;
-	request.name = target_name;
-	request.namelen = target_length;
-	pkt.pktflags = 0;
-	pkt.serial = serial;
-	pkt.result = 0;
-	pkt.recvlength = LWRES_RECVLENGTH;
-
- again:
-	ret = lwres_grbnrequest_render(ctx, &request, &pkt, &b_out);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
-				     LWRES_RECVLENGTH, &recvlen);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	lwres_buffer_init(&b_in, buffer, recvlen);
-	b_in.used = recvlen;
-
-	/*
-	 * Parse the packet header.
-	 */
-	ret = lwres_lwpacket_parseheader(&b_in, &pkt);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-
-	/*
-	 * Sanity check.
-	 */
-	if (pkt.serial != serial)
-		goto again;
-	if (pkt.opcode != LWRES_OPCODE_GETRDATABYNAME)
-		goto again;
-
-	/*
-	 * Free what we've transmitted
-	 */
-	CTXFREE(b_out.base, b_out.length);
-	b_out.base = NULL;
-	b_out.length = 0;
-
-	if (pkt.result != LWRES_R_SUCCESS) {
-		ret = pkt.result;
-		goto out;
-	}
-
-	/*
-	 * Parse the response.
-	 */
-	ret = lwres_grbnresponse_parse(ctx, &b_in, &pkt, &response);
-	if (ret != LWRES_R_SUCCESS)
-		goto out;
-	response->base = buffer;
-	response->baselen = LWRES_RECVLENGTH;
-	buffer = NULL; /* don't free this below */
-
-	*structp = response;
-	return (LWRES_R_SUCCESS);
-
- out:
-	if (b_out.base != NULL)
-		CTXFREE(b_out.base, b_out.length);
-	if (buffer != NULL)
-		CTXFREE(buffer, LWRES_RECVLENGTH);
-	if (response != NULL)
-		lwres_grbnresponse_free(ctx, &response);
-
-	return (ret);
-}
diff --git a/contrib/bind9/lib/lwres/man/Makefile.in b/contrib/bind9/lib/lwres/man/Makefile.in
deleted file mode 100644
index 80db9f2..0000000
--- a/contrib/bind9/lib/lwres/man/Makefile.in
+++ /dev/null
@@ -1,232 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.9 2007/06/19 23:47:23 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_RULES@
-
-# Alphabetically
-#MANPAGES =	lwres.3 lwres_addr_parse.3 lwres_buffer.3 \
-#		lwres_buffer_add.3 lwres_buffer_back.3 lwres_buffer_clear.3 \
-#		lwres_buffer_first.3 lwres_buffer_forward.3 \
-#		lwres_buffer_getmem.3 lwres_buffer_getuint16.3 \
-#		lwres_buffer_getuint32.3 lwres_buffer_getuint8.3 \
-#		lwres_buffer_init.3 lwres_buffer_invalidate.3 \
-#		lwres_buffer_putmem.3 lwres_buffer_putuint16.3 \
-#		lwres_buffer_putuint32.3 lwres_buffer_putuint8.3 \
-#		lwres_buffer_subtract.3 lwres_conf_clear.3 \
-#		lwres_conf_get.3 lwres_conf_init.3 \
-#		lwres_conf_parse.3 lwres_conf_print.3 \
-#		lwres_config.3 lwres_context.3 \
-#		lwres_context_allocmem.3 lwres_context_create.3 \
-#		lwres_context_destroy.3 lwres_context_freemem.3 \
-#		lwres_context_initserial.3 lwres_context_nextserial.3 \
-#		lwres_context_sendrecv.3 lwres_endhostent.3 \
-#		lwres_endhostent_r.3 lwres_freeaddrinfo.3 \
-#		lwres_freehostent.3 lwres_gabn.3 \
-#		lwres_gabnrequest_free.3 lwres_gabnrequest_parse.3 \
-#		lwres_gabnrequest_render.3 lwres_gabnresponse_free.3 \
-#		lwres_gabnresponse_parse.3 lwres_gabnresponse_render.3 \
-#		lwres_gai_strerror.3 lwres_getaddrinfo.3 \
-#		lwres_getaddrsbyname.3 lwres_gethostbyaddr.3 \
-#		lwres_gethostbyaddr_r.3 lwres_gethostbyname.3 \
-#		lwres_gethostbyname2.3 lwres_gethostbyname_r.3 \
-#		lwres_gethostent.3 lwres_gethostent_r.3 \
-#		lwres_getipnode.3 lwres_getipnodebyaddr.3 \
-#		lwres_getipnodebyname.3 lwres_getnamebyaddr.3 \
-#		lwres_getnameinfo.3 lwres_getrrsetbyname.3 \
-#		lwres_gnba.3 lwres_gnbarequest_free.3 \
-#		lwres_gnbarequest_parse.3 lwres_gnbarequest_render.3 \
-#		lwres_gnbaresponse_free.3 lwres_gnbaresponse_parse.3 \
-#		lwres_gnbaresponse_render.3 lwres_herror.3 \
-#		lwres_hstrerror.3 lwres_inetntop.3 \
-#		lwres_lwpacket_parseheader.3 lwres_lwpacket_renderheader.3 \
-#		lwres_net_ntop.3 lwres_noop.3 \
-#		lwres_nooprequest_free.3 lwres_nooprequest_parse.3 \
-#		lwres_nooprequest_render.3 lwres_noopresponse_free.3 \
-#		lwres_noopresponse_parse.3 lwres_noopresponse_render.3 \
-#		lwres_packet.3 lwres_resutil.3 \
-#		lwres_sethostent.3 lwres_sethostent_r.3 \
-#		lwres_string_parse.3
-
-
-MANPAGES = 	lwres.3 lwres_buffer.3 lwres_config.3 lwres_context.3	\
-		lwres_gabn.3 lwres_gai_strerror.3 lwres_getaddrinfo.3			\
-		lwres_gethostent.3 lwres_getipnode.3 lwres_getnameinfo.3		\
-		lwres_getrrsetbyname.3 lwres_gnba.3 lwres_hstrerror.3 lwres_inetntop.3	\
-		lwres_noop.3 lwres_packet.3 lwres_resutil.3
-
-HTMLPAGES = 	lwres.html lwres_buffer.html lwres_config.html lwres_context.html	\
-		lwres_gabn.html lwres_gai_strerror.html lwres_getaddrinfo.html			\
-		lwres_gethostent.html lwres_getipnode.html lwres_getnameinfo.html		\
-		lwres_getrrsetbyname.html lwres_gnba.html lwres_hstrerror.html lwres_inetntop.html	\
-		lwres_noop.html lwres_packet.html lwres_resutil.html
-
-MANOBJS =	${MANPAGES} ${HTMLPAGES}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
-	rm -f ${MANOBJS}
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man3
-
-man3 = ${DESTDIR}${mandir}/man3
-
-install:: installdirs
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man3; done
-	rm -f ${man3}/lwres_addr_parse.3
-	@LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_addr_parse.3
-	rm -f ${man3}/lwres_buffer_add.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_add.3
-	rm -f ${man3}/lwres_buffer_back.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_back.3
-	rm -f ${man3}/lwres_buffer_clear.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_clear.3
-	rm -f ${man3}/lwres_buffer_first.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_first.3
-	rm -f ${man3}/lwres_buffer_forward.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_forward.3
-	rm -f ${man3}/lwres_buffer_getmem.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getmem.3
-	rm -f ${man3}/lwres_buffer_getuint16.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint16.3
-	rm -f ${man3}/lwres_buffer_getuint32.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint32.3
-	rm -f ${man3}/lwres_buffer_getuint8.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint8.3
-	rm -f ${man3}/lwres_buffer_init.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_init.3
-	rm -f ${man3}/lwres_buffer_invalidate.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_invalidate.3
-	rm -f ${man3}/lwres_buffer_putmem.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putmem.3
-	rm -f ${man3}/lwres_buffer_putuint16.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint16.3
-	rm -f ${man3}/lwres_buffer_putuint32.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint32.3
-	rm -f ${man3}/lwres_buffer_putuint8.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint8.3
-	rm -f ${man3}/lwres_buffer_subtract.3
-	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_subtract.3
-	rm -f ${man3}/lwres_conf_clear.3
-	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_clear.3
-	rm -f ${man3}/lwres_conf_get.3
-	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_get.3
-	rm -f ${man3}/lwres_conf_init.3
-	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_init.3
-	rm -f ${man3}/lwres_conf_parse.3
-	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_parse.3
-	rm -f ${man3}/lwres_conf_print.3
-	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_print.3
-	rm -f ${man3}/lwres_context_allocmem.3
-	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_allocmem.3
-	rm -f ${man3}/lwres_context_create.3
-	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_create.3
-	rm -f ${man3}/lwres_context_destroy.3
-	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_destroy.3
-	rm -f ${man3}/lwres_context_freemem.3
-	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_freemem.3
-	rm -f ${man3}/lwres_context_initserial.3
-	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_initserial.3
-	rm -f ${man3}/lwres_context_nextserial.3
-	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_nextserial.3
-	rm -f ${man3}/lwres_context_sendrecv.3
-	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_sendrecv.3
-	rm -f ${man3}/lwres_endhostent.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent.3
-	rm -f ${man3}/lwres_endhostent_r.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent_r.3
-	rm -f ${man3}/lwres_freeaddrinfo.3
-	@LN@ ${man3}/lwres_getaddrinfo.3 ${man3}/lwres_freeaddrinfo.3
-	rm -f ${man3}/lwres_freehostent.3
-	@LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_freehostent.3
-	rm -f ${man3}/lwres_gabnrequest_free.3
-	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_free.3
-	rm -f ${man3}/lwres_gabnrequest_parse.3
-	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_parse.3
-	rm -f ${man3}/lwres_gabnrequest_render.3
-	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_render.3
-	rm -f ${man3}/lwres_gabnresponse_free.3
-	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_free.3
-	rm -f ${man3}/lwres_gabnresponse_parse.3
-	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_parse.3
-	rm -f ${man3}/lwres_gabnresponse_render.3
-	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_render.3
-	rm -f ${man3}/lwres_getaddrsbyname.3
-	@LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getaddrsbyname.3
-	rm -f ${man3}/lwres_gethostbyaddr.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr.3
-	rm -f ${man3}/lwres_gethostbyaddr_r.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr_r.3
-	rm -f ${man3}/lwres_gethostbyname.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname.3
-	rm -f ${man3}/lwres_gethostbyname2.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname2.3
-	rm -f ${man3}/lwres_gethostbyname_r.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname_r.3
-	rm -f ${man3}/lwres_gethostent_r.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostent_r.3
-	rm -f ${man3}/lwres_getipnodebyaddr.3
-	@LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyaddr.3
-	rm -f ${man3}/lwres_getipnodebyname.3
-	@LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyname.3
-	rm -f ${man3}/lwres_getnamebyaddr.3
-	@LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getnamebyaddr.3
-	rm -f ${man3}/lwres_gnbarequest_free.3
-	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_free.3
-	rm -f ${man3}/lwres_gnbarequest_parse.3
-	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_parse.3
-	rm -f ${man3}/lwres_gnbarequest_render.3
-	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_render.3
-	rm -f ${man3}/lwres_gnbaresponse_free.3
-	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_free.3
-	rm -f ${man3}/lwres_gnbaresponse_parse.3
-	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_parse.3
-	rm -f ${man3}/lwres_gnbaresponse_render.3
-	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_render.3
-	rm -f ${man3}/lwres_herror.3
-	@LN@ ${man3}/lwres_hstrerror.3 ${man3}/lwres_herror.3
-	rm -f ${man3}/lwres_lwpacket_parseheader.3
-	@LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_parseheader.3
-	rm -f ${man3}/lwres_lwpacket_renderheader.3
-	@LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_renderheader.3
-	rm -f ${man3}/lwres_net_ntop.3
-	@LN@ ${man3}/lwres_inetntop.3 ${man3}/lwres_net_ntop.3
-	rm -f ${man3}/lwres_nooprequest_free.3
-	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_free.3
-	rm -f ${man3}/lwres_nooprequest_parse.3
-	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_parse.3
-	rm -f ${man3}/lwres_nooprequest_render.3
-	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_render.3
-	rm -f ${man3}/lwres_noopresponse_free.3
-	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_free.3
-	rm -f ${man3}/lwres_noopresponse_parse.3
-	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_parse.3
-	rm -f ${man3}/lwres_noopresponse_render.3
-	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_render.3
-	rm -f ${man3}/lwres_sethostent.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent.3
-	rm -f ${man3}/lwres_sethostent_r.3
-	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent_r.3
-	rm -f ${man3}/lwres_string_parse.3
-	@LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_string_parse.3
diff --git a/contrib/bind9/lib/lwres/man/lwres.3 b/contrib/bind9/lib/lwres/man/lwres.3
deleted file mode 100644
index 8ce65f3..0000000
--- a/contrib/bind9/lib/lwres/man/lwres.3
+++ /dev/null
@@ -1,165 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres \- introduction to the lightweight resolver library
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.SH "DESCRIPTION"
-.PP
-The BIND 9 lightweight resolver library is a simple, name service independent stub resolver library. It provides hostname\-to\-address and address\-to\-hostname lookup services to applications by transmitting lookup requests to a resolver daemon
-\fBlwresd\fR
-running on the local host. The resover daemon performs the lookup using the DNS or possibly other name service protocols, and returns the results to the application through the library. The library and resolver daemon communicate using a simple UDP\-based protocol.
-.SH "OVERVIEW"
-.PP
-The lwresd library implements multiple name service APIs. The standard
-\fBgethostbyname()\fR,
-\fBgethostbyaddr()\fR,
-\fBgethostbyname_r()\fR,
-\fBgethostbyaddr_r()\fR,
-\fBgetaddrinfo()\fR,
-\fBgetipnodebyname()\fR, and
-\fBgetipnodebyaddr()\fR
-functions are all supported. To allow the lwres library to coexist with system libraries that define functions of the same name, the library defines these functions with names prefixed by
-lwres_. To define the standard names, applications must include the header file
-\fI<lwres/netdb.h>\fR
-which contains macro definitions mapping the standard function names into
-lwres_
-prefixed ones. Operating system vendors who integrate the lwres library into their base distributions should rename the functions in the library proper so that the renaming macros are not needed.
-.PP
-The library also provides a native API consisting of the functions
-\fBlwres_getaddrsbyname()\fR
-and
-\fBlwres_getnamebyaddr()\fR. These may be called by applications that require more detailed control over the lookup process than the standard functions provide.
-.PP
-In addition to these name service independent address lookup functions, the library implements a new, experimental API for looking up arbitrary DNS resource records, using the
-\fBlwres_getaddrsbyname()\fR
-function.
-.PP
-Finally, there is a low\-level API for converting lookup requests and responses to and from raw lwres protocol packets. This API can be used by clients requiring nonblocking operation, and is also used when implementing the server side of the lwres protocol, for example in the
-\fBlwresd\fR
-resolver daemon. The use of this low\-level API in clients and servers is outlined in the following sections.
-.SH "CLIENT\-SIDE LOW\-LEVEL API CALL FLOW"
-.PP
-When a client program wishes to make an lwres request using the native low\-level API, it typically performs the following sequence of actions.
-.PP
-(1) Allocate or use an existing
-\fBlwres_packet_t\fR, called
-\fIpkt\fR
-below.
-.PP
-(2) Set
-pkt.recvlength
-to the maximum length we will accept. This is done so the receiver of our packets knows how large our receive buffer is. The "default" is a constant in
-\fIlwres.h\fR:
-\fBLWRES_RECVLENGTH = 4096\fR.
-.PP
-(3) Set
-pkt.serial
-to a unique serial number. This value is echoed back to the application by the remote server.
-.PP
-(4) Set
-pkt.pktflags. Usually this is set to 0.
-.PP
-(5) Set
-pkt.result
-to 0.
-.PP
-(6) Call
-\fBlwres_*request_render()\fR, or marshall in the data using the primitives such as
-\fBlwres_packet_render()\fR
-and storing the packet data.
-.PP
-(7) Transmit the resulting buffer.
-.PP
-(8) Call
-\fBlwres_*response_parse()\fR
-to parse any packets received.
-.PP
-(9) Verify that the opcode and serial match a request, and process the packet specific information contained in the body.
-.SH "SERVER\-SIDE LOW\-LEVEL API CALL FLOW"
-.PP
-When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the following is typically involved in processing each request packet.
-.PP
-Note that the same
-\fBlwres_packet_t\fR
-is used in both the
-\fB_parse()\fR
-and
-\fB_render()\fR
-calls, with only a few modifications made to the packet header's contents between uses. This method is recommended as it keeps the serial, opcode, and other fields correct.
-.PP
-(1) When a packet is received, call
-\fBlwres_*request_parse()\fR
-to unmarshall it. This returns a
-\fBlwres_packet_t\fR
-(also called
-\fIpkt\fR, below) as well as a data specific type, such as
-\fBlwres_gabnrequest_t\fR.
-.PP
-(2) Process the request in the data specific type.
-.PP
-(3) Set the
-pkt.result,
-pkt.recvlength
-as above. All other fields can be left untouched since they were filled in by the
-\fB*_parse()\fR
-call above. If using
-\fBlwres_*response_render()\fR,
-pkt.pktflags
-will be set up properly. Otherwise, the
-\fBLWRES_LWPACKETFLAG_RESPONSE\fR
-bit should be set.
-.PP
-(4) Call the data specific rendering function, such as
-\fBlwres_gabnresponse_render()\fR.
-.PP
-(5) Send the resulting packet to the client.
-.PP
-.SH "SEE ALSO"
-.PP
-\fBlwres_gethostent\fR(3),
-\fBlwres_getipnode\fR(3),
-\fBlwres_getnameinfo\fR(3),
-\fBlwres_noop\fR(3),
-\fBlwres_gabn\fR(3),
-\fBlwres_gnba\fR(3),
-\fBlwres_context\fR(3),
-\fBlwres_config\fR(3),
-\fBresolver\fR(5),
-\fBlwresd\fR(8).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres.docbook b/contrib/bind9/lib/lwres/man/lwres.docbook
deleted file mode 100644
index 97d591c..0000000
--- a/contrib/bind9/lib/lwres/man/lwres.docbook
+++ /dev/null
@@ -1,266 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-  <refnamediv>
-    <refname>lwres</refname>
-    <refpurpose>introduction to the lightweight resolver library</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      The BIND 9 lightweight resolver library is a simple, name service
-      independent stub resolver library.  It provides hostname-to-address
-      and address-to-hostname lookup services to applications by
-      transmitting lookup requests to a resolver daemon
-      <command>lwresd</command>
-      running on the local host. The resover daemon performs the
-      lookup using the DNS or possibly other name service protocols,
-      and returns the results to the application through the library.
-      The library and resolver daemon communicate using a simple
-      UDP-based protocol.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>OVERVIEW</title>
-    <para>
-      The lwresd library implements multiple name service APIs.
-      The standard
-      <function>gethostbyname()</function>,
-      <function>gethostbyaddr()</function>,
-      <function>gethostbyname_r()</function>,
-      <function>gethostbyaddr_r()</function>,
-      <function>getaddrinfo()</function>,
-      <function>getipnodebyname()</function>,
-      and
-      <function>getipnodebyaddr()</function>
-      functions are all supported.  To allow the lwres library to coexist
-      with system libraries that define functions of the same name,
-      the library defines these functions with names prefixed by
-      <literal>lwres_</literal>.
-      To define the standard names, applications must include the
-      header file
-      <filename>&lt;lwres/netdb.h&gt;</filename>
-      which contains macro definitions mapping the standard function names
-      into
-      <literal>lwres_</literal>
-      prefixed ones.  Operating system vendors who integrate the lwres
-      library into their base distributions should rename the functions
-      in the library proper so that the renaming macros are not needed.
-    </para>
-    <para>
-      The library also provides a native API consisting of the functions
-      <function>lwres_getaddrsbyname()</function>
-      and
-      <function>lwres_getnamebyaddr()</function>.
-      These may be called by applications that require more detailed
-      control over the lookup process than the standard functions
-      provide.
-    </para>
-    <para>
-      In addition to these name service independent address lookup
-      functions, the library implements a new, experimental API
-      for looking up arbitrary DNS resource records, using the
-      <function>lwres_getaddrsbyname()</function>
-      function.
-    </para>
-    <para>
-      Finally, there is a low-level API for converting lookup
-      requests and responses to and from raw lwres protocol packets.
-      This API can be used by clients requiring nonblocking operation,
-      and is also used when implementing the server side of the lwres
-      protocol, for example in the
-      <command>lwresd</command>
-      resolver daemon.  The use of this low-level API in clients
-      and servers is outlined in the following sections.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>CLIENT-SIDE LOW-LEVEL API CALL FLOW</title>
-    <para>
-      When a client program wishes to make an lwres request using the
-      native low-level API, it typically performs the following
-      sequence of actions.
-    </para>
-    <para>
-      (1) Allocate or use an existing <type>lwres_packet_t</type>,
-      called <varname>pkt</varname> below.
-    </para>
-    <para>
-      (2) Set <structfield>pkt.recvlength</structfield> to the maximum length
-      we will accept.
-      This is done so the receiver of our packets knows how large our receive
-      buffer is.  The "default" is a constant in
-      <filename>lwres.h</filename>: <constant>LWRES_RECVLENGTH = 4096</constant>.
-    </para>
-    <para>
-      (3) Set <structfield>pkt.serial</structfield>
-      to a unique serial number.  This value is echoed
-      back to the application by the remote server.
-    </para>
-    <para>
-      (4) Set <structfield>pkt.pktflags</structfield>.  Usually this is set to
-      0.
-    </para>
-    <para>
-      (5) Set <structfield>pkt.result</structfield> to 0.
-    </para>
-    <para>
-      (6) Call <function>lwres_*request_render()</function>,
-      or marshall in the data using the primitives
-      such as <function>lwres_packet_render()</function>
-      and storing the packet data.
-    </para>
-    <para>
-      (7) Transmit the resulting buffer.
-    </para>
-    <para>
-      (8) Call <function>lwres_*response_parse()</function>
-      to parse any packets received.
-    </para>
-    <para>
-      (9) Verify that the opcode and serial match a request, and process the
-      packet specific information contained in the body.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SERVER-SIDE LOW-LEVEL API CALL FLOW</title>
-    <para>
-      When implementing the server side of the lightweight resolver
-      protocol using the lwres library, a sequence of actions like the
-      following is typically involved in processing each request packet.
-    </para>
-    <para>
-      Note that the same <type>lwres_packet_t</type> is used
-      in both the <function>_parse()</function> and <function>_render()</function> calls,
-      with only a few modifications made
-      to the packet header's contents between uses.  This method is
-      recommended
-      as it keeps the serial, opcode, and other fields correct.
-    </para>
-    <para>
-      (1) When a packet is received, call <function>lwres_*request_parse()</function> to
-      unmarshall it.  This returns a <type>lwres_packet_t</type> (also called <varname>pkt</varname>, below)
-      as well as a data specific type, such as <type>lwres_gabnrequest_t</type>.
-    </para>
-    <para>
-      (2) Process the request in the data specific type.
-    </para>
-    <para>
-      (3) Set the <structfield>pkt.result</structfield>,
-      <structfield>pkt.recvlength</structfield> as above.  All other fields
-      can
-      be left untouched since they were filled in by the <function>*_parse()</function> call
-      above.  If using <function>lwres_*response_render()</function>,
-      <structfield>pkt.pktflags</structfield> will be set up
-      properly.  Otherwise, the <constant>LWRES_LWPACKETFLAG_RESPONSE</constant> bit should be
-      set.
-    </para>
-    <para>
-      (4) Call the data specific rendering function, such as
-      <function>lwres_gabnresponse_render()</function>.
-    </para>
-    <para>
-      (5) Send the resulting packet to the client.
-    </para>
-    <para></para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_noop</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_gnba</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_context</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_config</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwresd</refentrytitle><manvolnum>8</manvolnum>
-      </citerefentry>.
-
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres.html b/contrib/bind9/lib/lwres/man/lwres.html
deleted file mode 100644
index 84008b6..0000000
--- a/contrib/bind9/lib/lwres/man/lwres.html
+++ /dev/null
@@ -1,218 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476274"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres &#8212; introduction to the lightweight resolver library</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis"><pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543350"></a><h2>DESCRIPTION</h2>
-<p>
-      The BIND 9 lightweight resolver library is a simple, name service
-      independent stub resolver library.  It provides hostname-to-address
-      and address-to-hostname lookup services to applications by
-      transmitting lookup requests to a resolver daemon
-      <span><strong class="command">lwresd</strong></span>
-      running on the local host. The resover daemon performs the
-      lookup using the DNS or possibly other name service protocols,
-      and returns the results to the application through the library.
-      The library and resolver daemon communicate using a simple
-      UDP-based protocol.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543363"></a><h2>OVERVIEW</h2>
-<p>
-      The lwresd library implements multiple name service APIs.
-      The standard
-      <code class="function">gethostbyname()</code>,
-      <code class="function">gethostbyaddr()</code>,
-      <code class="function">gethostbyname_r()</code>,
-      <code class="function">gethostbyaddr_r()</code>,
-      <code class="function">getaddrinfo()</code>,
-      <code class="function">getipnodebyname()</code>,
-      and
-      <code class="function">getipnodebyaddr()</code>
-      functions are all supported.  To allow the lwres library to coexist
-      with system libraries that define functions of the same name,
-      the library defines these functions with names prefixed by
-      <code class="literal">lwres_</code>.
-      To define the standard names, applications must include the
-      header file
-      <code class="filename">&lt;lwres/netdb.h&gt;</code>
-      which contains macro definitions mapping the standard function names
-      into
-      <code class="literal">lwres_</code>
-      prefixed ones.  Operating system vendors who integrate the lwres
-      library into their base distributions should rename the functions
-      in the library proper so that the renaming macros are not needed.
-    </p>
-<p>
-      The library also provides a native API consisting of the functions
-      <code class="function">lwres_getaddrsbyname()</code>
-      and
-      <code class="function">lwres_getnamebyaddr()</code>.
-      These may be called by applications that require more detailed
-      control over the lookup process than the standard functions
-      provide.
-    </p>
-<p>
-      In addition to these name service independent address lookup
-      functions, the library implements a new, experimental API
-      for looking up arbitrary DNS resource records, using the
-      <code class="function">lwres_getaddrsbyname()</code>
-      function.
-    </p>
-<p>
-      Finally, there is a low-level API for converting lookup
-      requests and responses to and from raw lwres protocol packets.
-      This API can be used by clients requiring nonblocking operation,
-      and is also used when implementing the server side of the lwres
-      protocol, for example in the
-      <span><strong class="command">lwresd</strong></span>
-      resolver daemon.  The use of this low-level API in clients
-      and servers is outlined in the following sections.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543427"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
-<p>
-      When a client program wishes to make an lwres request using the
-      native low-level API, it typically performs the following
-      sequence of actions.
-    </p>
-<p>
-      (1) Allocate or use an existing <span class="type">lwres_packet_t</span>,
-      called <code class="varname">pkt</code> below.
-    </p>
-<p>
-      (2) Set <em class="structfield"><code>pkt.recvlength</code></em> to the maximum length
-      we will accept.
-      This is done so the receiver of our packets knows how large our receive
-      buffer is.  The "default" is a constant in
-      <code class="filename">lwres.h</code>: <code class="constant">LWRES_RECVLENGTH = 4096</code>.
-    </p>
-<p>
-      (3) Set <em class="structfield"><code>pkt.serial</code></em>
-      to a unique serial number.  This value is echoed
-      back to the application by the remote server.
-    </p>
-<p>
-      (4) Set <em class="structfield"><code>pkt.pktflags</code></em>.  Usually this is set to
-      0.
-    </p>
-<p>
-      (5) Set <em class="structfield"><code>pkt.result</code></em> to 0.
-    </p>
-<p>
-      (6) Call <code class="function">lwres_*request_render()</code>,
-      or marshall in the data using the primitives
-      such as <code class="function">lwres_packet_render()</code>
-      and storing the packet data.
-    </p>
-<p>
-      (7) Transmit the resulting buffer.
-    </p>
-<p>
-      (8) Call <code class="function">lwres_*response_parse()</code>
-      to parse any packets received.
-    </p>
-<p>
-      (9) Verify that the opcode and serial match a request, and process the
-      packet specific information contained in the body.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543575"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
-<p>
-      When implementing the server side of the lightweight resolver
-      protocol using the lwres library, a sequence of actions like the
-      following is typically involved in processing each request packet.
-    </p>
-<p>
-      Note that the same <span class="type">lwres_packet_t</span> is used
-      in both the <code class="function">_parse()</code> and <code class="function">_render()</code> calls,
-      with only a few modifications made
-      to the packet header's contents between uses.  This method is
-      recommended
-      as it keeps the serial, opcode, and other fields correct.
-    </p>
-<p>
-      (1) When a packet is received, call <code class="function">lwres_*request_parse()</code> to
-      unmarshall it.  This returns a <span class="type">lwres_packet_t</span> (also called <code class="varname">pkt</code>, below)
-      as well as a data specific type, such as <span class="type">lwres_gabnrequest_t</span>.
-    </p>
-<p>
-      (2) Process the request in the data specific type.
-    </p>
-<p>
-      (3) Set the <em class="structfield"><code>pkt.result</code></em>,
-      <em class="structfield"><code>pkt.recvlength</code></em> as above.  All other fields
-      can
-      be left untouched since they were filled in by the <code class="function">*_parse()</code> call
-      above.  If using <code class="function">lwres_*response_render()</code>,
-      <em class="structfield"><code>pkt.pktflags</code></em> will be set up
-      properly.  Otherwise, the <code class="constant">LWRES_LWPACKETFLAG_RESPONSE</code> bit should be
-      set.
-    </p>
-<p>
-      (4) Call the data specific rendering function, such as
-      <code class="function">lwres_gabnresponse_render()</code>.
-    </p>
-<p>
-      (5) Send the resulting packet to the client.
-    </p>
-<p></p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543658"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_noop</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_gnba</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_context</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_config</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>.
-
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.3 b/contrib/bind9/lib/lwres/man/lwres_buffer.3
deleted file mode 100644
index 1ec6013..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.3
+++ /dev/null
@@ -1,233 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_buffer
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem \- lightweight resolver buffer management
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwbuffer.h>
-.fi
-.HP 23
-.BI "void lwres_buffer_init(lwres_buffer_t\ *" "b" ", void\ *" "base" ", unsigned\ int\ " "length" ");"
-.HP 29
-.BI "void lwres_buffer_invalidate(lwres_buffer_t\ *" "b" ");"
-.HP 22
-.BI "void lwres_buffer_add(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
-.HP 27
-.BI "void lwres_buffer_subtract(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
-.HP 24
-.BI "void lwres_buffer_clear(lwres_buffer_t\ *" "b" ");"
-.HP 24
-.BI "void lwres_buffer_first(lwres_buffer_t\ *" "b" ");"
-.HP 26
-.BI "void lwres_buffer_forward(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
-.HP 23
-.BI "void lwres_buffer_back(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
-.HP 36
-.BI "lwres_uint8_t lwres_buffer_getuint8(lwres_buffer_t\ *" "b" ");"
-.HP 27
-.BI "void lwres_buffer_putuint8(lwres_buffer_t\ *" "b" ", lwres_uint8_t\ " "val" ");"
-.HP 38
-.BI "lwres_uint16_t lwres_buffer_getuint16(lwres_buffer_t\ *" "b" ");"
-.HP 28
-.BI "void lwres_buffer_putuint16(lwres_buffer_t\ *" "b" ", lwres_uint16_t\ " "val" ");"
-.HP 38
-.BI "lwres_uint32_t lwres_buffer_getuint32(lwres_buffer_t\ *" "b" ");"
-.HP 28
-.BI "void lwres_buffer_putuint32(lwres_buffer_t\ *" "b" ", lwres_uint32_t\ " "val" ");"
-.HP 25
-.BI "void lwres_buffer_putmem(lwres_buffer_t\ *" "b" ", const\ unsigned\ char\ *" "base" ", unsigned\ int\ " "length" ");"
-.HP 25
-.BI "void lwres_buffer_getmem(lwres_buffer_t\ *" "b" ", unsigned\ char\ *" "base" ", unsigned\ int\ " "length" ");"
-.SH "DESCRIPTION"
-.PP
-These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the
-isc_buffer_
-functions in the ISC library.
-.PP
-A buffer is a region of memory, together with a set of related subregions. The
-\fIused region\fR
-and the
-\fIavailable\fR
-region are disjoint, and their union is the buffer's region. The used region extends from the beginning of the buffer region to the last used byte. The available region extends from one byte greater than the last used byte to the end of the buffer's region. The size of the used region can be changed using various buffer commands. Initially, the used region is empty.
-.PP
-The used region is further subdivided into two disjoint regions: the
-\fIconsumed region\fR
-and the
-\fIremaining region\fR. The union of these two regions is the used region. The consumed region extends from the beginning of the used region to the byte before the
-\fIcurrent\fR
-offset (if any). The
-\fIremaining\fR
-region the current pointer to the end of the used region. The size of the consumed region can be changed using various buffer commands. Initially, the consumed region is empty.
-.PP
-The
-\fIactive region\fR
-is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, the active region will also be empty.
-.PP
-.RS 4
-.nf
-   /\-\-\-\-\-\-\-\-\-\-\-\-entire length\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\\\\
-   /\-\-\-\-\- used region \-\-\-\-\-\\\\/\-\- available \-\-\\\\
-   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
-   | consumed  | remaining |                |
-   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
-   a           b     c     d                e
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-  a == base of buffer.
-  b == current pointer.  Can be anywhere between a and d.
-  c == active pointer.  Meaningful between b and d.
-  d == used pointer.
-  e == length of buffer.
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-  a\-e == entire length of buffer.
-  a\-d == used region.
-  a\-b == consumed region.
-  b\-d == remaining region.
-  b\-c == optional active region.
-.fi
-.RE
-.sp
-.PP
-\fBlwres_buffer_init()\fR
-initializes the
-\fBlwres_buffer_t\fR
-\fI*b\fR
-and assocates it with the memory region of size
-\fIlength\fR
-bytes starting at location
-\fIbase.\fR
-.PP
-\fBlwres_buffer_invalidate()\fR
-marks the buffer
-\fI*b\fR
-as invalid. Invalidating a buffer after use is not required, but makes it possible to catch its possible accidental use.
-.PP
-The functions
-\fBlwres_buffer_add()\fR
-and
-\fBlwres_buffer_subtract()\fR
-respectively increase and decrease the used space in buffer
-\fI*b\fR
-by
-\fIn\fR
-bytes.
-\fBlwres_buffer_add()\fR
-checks for buffer overflow and
-\fBlwres_buffer_subtract()\fR
-checks for underflow. These functions do not allocate or deallocate memory. They just change the value of
-used.
-.PP
-A buffer is re\-initialised by
-\fBlwres_buffer_clear()\fR. The function sets
-used,
-current
-and
-active
-to zero.
-.PP
-\fBlwres_buffer_first\fR
-makes the consumed region of buffer
-\fI*p\fR
-empty by setting
-current
-to zero (the start of the buffer).
-.PP
-\fBlwres_buffer_forward()\fR
-increases the consumed region of buffer
-\fI*b\fR
-by
-\fIn\fR
-bytes, checking for overflow. Similarly,
-\fBlwres_buffer_back()\fR
-decreases buffer
-\fIb\fR's consumed region by
-\fIn\fR
-bytes and checks for underflow.
-.PP
-\fBlwres_buffer_getuint8()\fR
-reads an unsigned 8\-bit integer from
-\fI*b\fR
-and returns it.
-\fBlwres_buffer_putuint8()\fR
-writes the unsigned 8\-bit integer
-\fIval\fR
-to buffer
-\fI*b\fR.
-.PP
-\fBlwres_buffer_getuint16()\fR
-and
-\fBlwres_buffer_getuint32()\fR
-are identical to
-\fBlwres_buffer_putuint8()\fR
-except that they respectively read an unsigned 16\-bit or 32\-bit integer in network byte order from
-\fIb\fR. Similarly,
-\fBlwres_buffer_putuint16()\fR
-and
-\fBlwres_buffer_putuint32()\fR
-writes the unsigned 16\-bit or 32\-bit integer
-\fIval\fR
-to buffer
-\fIb\fR, in network byte order.
-.PP
-Arbitrary amounts of data are read or written from a lightweight resolver buffer with
-\fBlwres_buffer_getmem()\fR
-and
-\fBlwres_buffer_putmem()\fR
-respectively.
-\fBlwres_buffer_putmem()\fR
-copies
-\fIlength\fR
-bytes of memory at
-\fIbase\fR
-to
-\fIb\fR. Conversely,
-\fBlwres_buffer_getmem()\fR
-copies
-\fIlength\fR
-bytes of memory from
-\fIb\fR
-to
-\fIbase\fR.
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.docbook b/contrib/bind9/lib/lwres/man/lwres_buffer.docbook
deleted file mode 100644
index 97c52bd..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.docbook
+++ /dev/null
@@ -1,394 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_buffer.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_buffer</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_buffer_init</refname>
-    <refname>lwres_buffer_invalidate</refname>
-    <refname>lwres_buffer_add</refname>
-    <refname>lwres_buffer_subtract</refname>
-    <refname>lwres_buffer_clear</refname>
-    <refname>lwres_buffer_first</refname>
-    <refname>lwres_buffer_forward</refname>
-    <refname>lwres_buffer_back</refname>
-    <refname>lwres_buffer_getuint8</refname>
-    <refname>lwres_buffer_putuint8</refname>
-    <refname>lwres_buffer_getuint16</refname>
-    <refname>lwres_buffer_putuint16</refname>
-    <refname>lwres_buffer_getuint32</refname>
-    <refname>lwres_buffer_putuint32</refname>
-    <refname>lwres_buffer_putmem</refname>
-    <refname>lwres_buffer_getmem</refname>
-    <refpurpose>lightweight resolver buffer management</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-
-    <funcsynopsis>
-<funcsynopsisinfo>
-#include &lt;lwres/lwbuffer.h&gt;
-</funcsynopsisinfo>
-
-<funcprototype>
-
-        <funcdef>
-void
-<function>lwres_buffer_init</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>void *<parameter>base</parameter></paramdef>
-        <paramdef>unsigned int <parameter>length</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_invalidate</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_add</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>unsigned int <parameter>n</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_subtract</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>unsigned int <parameter>n</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_clear</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_first</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_forward</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>unsigned int <parameter>n</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-
-        <funcdef>
-void
-<function>lwres_buffer_back</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>unsigned int <parameter>n</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-lwres_uint8_t
-<function>lwres_buffer_getuint8</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_putuint8</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_uint8_t <parameter>val</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-lwres_uint16_t
-<function>lwres_buffer_getuint16</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_putuint16</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_uint16_t <parameter>val</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-lwres_uint32_t
-<function>lwres_buffer_getuint32</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_putuint32</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_uint32_t <parameter>val</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_putmem</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>const unsigned char *<parameter>base</parameter></paramdef>
-        <paramdef>unsigned int <parameter>length</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_buffer_getmem</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>unsigned char *<parameter>base</parameter></paramdef>
-        <paramdef>unsigned int <parameter>length</parameter></paramdef>
-      </funcprototype>
-
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-
-    <title>DESCRIPTION</title>
-    <para>
-      These functions provide bounds checked access to a region of memory
-      where data is being read or written.
-      They are based on, and similar to, the
-      <literal>isc_buffer_</literal>
-      functions in the ISC library.
-    </para>
-    <para>
-      A buffer is a region of memory, together with a set of related
-      subregions.
-      The <emphasis>used region</emphasis> and the
-      <emphasis>available</emphasis> region are disjoint, and
-      their union is the buffer's region.
-      The used region extends from the beginning of the buffer region to the
-      last used byte.
-      The available region extends from one byte greater than the last used
-      byte to the end of the  buffer's region.
-      The size of the used region can be changed using various
-      buffer commands.
-      Initially, the used region is empty.
-    </para>
-    <para>
-      The used region is further subdivided into two disjoint regions: the
-      <emphasis>consumed region</emphasis> and the <emphasis>remaining region</emphasis>.
-      The union of these two regions is the used region.
-      The consumed region extends from the beginning of the used region to
-      the byte before the <emphasis>current</emphasis> offset (if any).
-      The <emphasis>remaining</emphasis> region the current pointer to the end
-      of the used
-      region.
-      The size of the consumed region can be changed using various
-      buffer commands.
-      Initially, the consumed region is empty.
-    </para>
-    <para>
-      The <emphasis>active region</emphasis> is an (optional) subregion of the
-      remaining
-      region.
-      It extends from the current offset to an offset in the
-      remaining region.
-      Initially, the active region is empty.
-      If the current offset advances beyond the chosen offset,
-      the active region will also be empty.
-    </para>
-    <para><programlisting>
-   /------------entire length---------------\\
-   /----- used region -----\\/-- available --\\
-   +----------------------------------------+
-   | consumed  | remaining |                |
-   +----------------------------------------+
-   a           b     c     d                e
-      </programlisting>
-    </para>
-    <para><programlisting>
-  a == base of buffer.
-  b == current pointer.  Can be anywhere between a and d.
-  c == active pointer.  Meaningful between b and d.
-  d == used pointer.
-  e == length of buffer.
-      </programlisting>
-    </para>
-    <para><programlisting>
-  a-e == entire length of buffer.
-  a-d == used region.
-  a-b == consumed region.
-  b-d == remaining region.
-  b-c == optional active region.
-</programlisting>
-    </para>
-    <para><function>lwres_buffer_init()</function>
-      initializes the
-      <type>lwres_buffer_t</type>
-      <parameter>*b</parameter>
-      and assocates it with the memory region of size
-      <parameter>length</parameter>
-      bytes starting at location
-      <parameter>base.</parameter>
-    </para>
-    <para><function>lwres_buffer_invalidate()</function>
-      marks the buffer <parameter>*b</parameter>
-      as invalid.  Invalidating a buffer after use is not required,
-      but makes it possible to catch its possible accidental use.
-    </para>
-    <para>
-      The functions
-      <function>lwres_buffer_add()</function>
-      and
-      <function>lwres_buffer_subtract()</function>
-      respectively increase and decrease the used space in
-      buffer
-      <parameter>*b</parameter>
-      by
-      <parameter>n</parameter>
-      bytes.
-      <function>lwres_buffer_add()</function>
-      checks for buffer overflow and
-      <function>lwres_buffer_subtract()</function>
-      checks for underflow.
-      These functions do not allocate or deallocate memory.
-      They just change the value of
-      <structfield>used</structfield>.
-    </para>
-    <para>
-      A buffer is re-initialised by
-      <function>lwres_buffer_clear()</function>.
-      The function sets
-      <structfield>used</structfield>,
-      <structfield>current</structfield>
-      and
-      <structfield>active</structfield>
-      to zero.
-    </para>
-    <para><function>lwres_buffer_first</function>
-      makes the consumed region of buffer
-      <parameter>*p</parameter>
-      empty by setting
-      <structfield>current</structfield>
-      to zero (the start of the buffer).
-    </para>
-    <para><function>lwres_buffer_forward()</function>
-      increases the consumed region of buffer
-      <parameter>*b</parameter>
-      by
-      <parameter>n</parameter>
-      bytes, checking for overflow.
-      Similarly,
-      <function>lwres_buffer_back()</function>
-      decreases buffer
-      <parameter>b</parameter>'s
-      consumed region by
-      <parameter>n</parameter>
-      bytes and checks for underflow.
-    </para>
-    <para><function>lwres_buffer_getuint8()</function>
-      reads an unsigned 8-bit integer from
-      <parameter>*b</parameter>
-      and returns it.
-      <function>lwres_buffer_putuint8()</function>
-      writes the unsigned 8-bit integer
-      <parameter>val</parameter>
-      to buffer
-      <parameter>*b</parameter>.
-    </para>
-    <para><function>lwres_buffer_getuint16()</function>
-      and
-      <function>lwres_buffer_getuint32()</function>
-      are identical to
-      <function>lwres_buffer_putuint8()</function>
-      except that they respectively read an unsigned 16-bit or 32-bit integer
-      in network byte order from
-      <parameter>b</parameter>.
-      Similarly,
-      <function>lwres_buffer_putuint16()</function>
-      and
-      <function>lwres_buffer_putuint32()</function>
-      writes the unsigned 16-bit or 32-bit integer
-      <parameter>val</parameter>
-      to buffer
-      <parameter>b</parameter>,
-      in network byte order.
-    </para>
-    <para>
-      Arbitrary amounts of data are read or written from a lightweight
-      resolver buffer with
-      <function>lwres_buffer_getmem()</function>
-      and
-      <function>lwres_buffer_putmem()</function>
-      respectively.
-      <function>lwres_buffer_putmem()</function>
-      copies
-      <parameter>length</parameter>
-      bytes of memory at
-      <parameter>base</parameter>
-      to
-      <parameter>b</parameter>.
-      Conversely,
-      <function>lwres_buffer_getmem()</function>
-      copies
-      <parameter>length</parameter>
-      bytes of memory from
-      <parameter>b</parameter>
-      to
-      <parameter>base</parameter>.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.html b/contrib/bind9/lib/lwres/man/lwres_buffer.html
deleted file mode 100644
index b2a9bfc..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.html
+++ /dev/null
@@ -1,455 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_buffer</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem &#8212; lightweight resolver buffer management</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">
-#include &lt;lwres/lwbuffer.h&gt;
-</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_init</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>void * </td>
-<td>
-<var class="pdparam">base</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">length</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_invalidate</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_add</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">n</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_subtract</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">n</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_clear</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_first</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_forward</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">n</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_back</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">n</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint8_t
-<b class="fsfunc">lwres_buffer_getuint8</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putuint8</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_uint8_t  </td>
-<td>
-<var class="pdparam">val</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint16_t
-<b class="fsfunc">lwres_buffer_getuint16</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putuint16</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_uint16_t  </td>
-<td>
-<var class="pdparam">val</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint32_t
-<b class="fsfunc">lwres_buffer_getuint32</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putuint32</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_uint32_t  </td>
-<td>
-<var class="pdparam">val</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putmem</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>const unsigned char * </td>
-<td>
-<var class="pdparam">base</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">length</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_getmem</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned char * </td>
-<td>
-<var class="pdparam">base</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">length</var><code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543893"></a><h2>DESCRIPTION</h2>
-<p>
-      These functions provide bounds checked access to a region of memory
-      where data is being read or written.
-      They are based on, and similar to, the
-      <code class="literal">isc_buffer_</code>
-      functions in the ISC library.
-    </p>
-<p>
-      A buffer is a region of memory, together with a set of related
-      subregions.
-      The <span class="emphasis"><em>used region</em></span> and the
-      <span class="emphasis"><em>available</em></span> region are disjoint, and
-      their union is the buffer's region.
-      The used region extends from the beginning of the buffer region to the
-      last used byte.
-      The available region extends from one byte greater than the last used
-      byte to the end of the  buffer's region.
-      The size of the used region can be changed using various
-      buffer commands.
-      Initially, the used region is empty.
-    </p>
-<p>
-      The used region is further subdivided into two disjoint regions: the
-      <span class="emphasis"><em>consumed region</em></span> and the <span class="emphasis"><em>remaining region</em></span>.
-      The union of these two regions is the used region.
-      The consumed region extends from the beginning of the used region to
-      the byte before the <span class="emphasis"><em>current</em></span> offset (if any).
-      The <span class="emphasis"><em>remaining</em></span> region the current pointer to the end
-      of the used
-      region.
-      The size of the consumed region can be changed using various
-      buffer commands.
-      Initially, the consumed region is empty.
-    </p>
-<p>
-      The <span class="emphasis"><em>active region</em></span> is an (optional) subregion of the
-      remaining
-      region.
-      It extends from the current offset to an offset in the
-      remaining region.
-      Initially, the active region is empty.
-      If the current offset advances beyond the chosen offset,
-      the active region will also be empty.
-    </p>
-<pre class="programlisting">
-   /------------entire length---------------\\
-   /----- used region -----\\/-- available --\\
-   +----------------------------------------+
-   | consumed  | remaining |                |
-   +----------------------------------------+
-   a           b     c     d                e
-      </pre>
-<p>
-    </p>
-<pre class="programlisting">
-  a == base of buffer.
-  b == current pointer.  Can be anywhere between a and d.
-  c == active pointer.  Meaningful between b and d.
-  d == used pointer.
-  e == length of buffer.
-      </pre>
-<p>
-    </p>
-<pre class="programlisting">
-  a-e == entire length of buffer.
-  a-d == used region.
-  a-b == consumed region.
-  b-d == remaining region.
-  b-c == optional active region.
-</pre>
-<p>
-    </p>
-<p><code class="function">lwres_buffer_init()</code>
-      initializes the
-      <span class="type">lwres_buffer_t</span>
-      <em class="parameter"><code>*b</code></em>
-      and assocates it with the memory region of size
-      <em class="parameter"><code>length</code></em>
-      bytes starting at location
-      <em class="parameter"><code>base.</code></em>
-    </p>
-<p><code class="function">lwres_buffer_invalidate()</code>
-      marks the buffer <em class="parameter"><code>*b</code></em>
-      as invalid.  Invalidating a buffer after use is not required,
-      but makes it possible to catch its possible accidental use.
-    </p>
-<p>
-      The functions
-      <code class="function">lwres_buffer_add()</code>
-      and
-      <code class="function">lwres_buffer_subtract()</code>
-      respectively increase and decrease the used space in
-      buffer
-      <em class="parameter"><code>*b</code></em>
-      by
-      <em class="parameter"><code>n</code></em>
-      bytes.
-      <code class="function">lwres_buffer_add()</code>
-      checks for buffer overflow and
-      <code class="function">lwres_buffer_subtract()</code>
-      checks for underflow.
-      These functions do not allocate or deallocate memory.
-      They just change the value of
-      <em class="structfield"><code>used</code></em>.
-    </p>
-<p>
-      A buffer is re-initialised by
-      <code class="function">lwres_buffer_clear()</code>.
-      The function sets
-      <em class="structfield"><code>used</code></em>,
-      <em class="structfield"><code>current</code></em>
-      and
-      <em class="structfield"><code>active</code></em>
-      to zero.
-    </p>
-<p><code class="function">lwres_buffer_first</code>
-      makes the consumed region of buffer
-      <em class="parameter"><code>*p</code></em>
-      empty by setting
-      <em class="structfield"><code>current</code></em>
-      to zero (the start of the buffer).
-    </p>
-<p><code class="function">lwres_buffer_forward()</code>
-      increases the consumed region of buffer
-      <em class="parameter"><code>*b</code></em>
-      by
-      <em class="parameter"><code>n</code></em>
-      bytes, checking for overflow.
-      Similarly,
-      <code class="function">lwres_buffer_back()</code>
-      decreases buffer
-      <em class="parameter"><code>b</code></em>'s
-      consumed region by
-      <em class="parameter"><code>n</code></em>
-      bytes and checks for underflow.
-    </p>
-<p><code class="function">lwres_buffer_getuint8()</code>
-      reads an unsigned 8-bit integer from
-      <em class="parameter"><code>*b</code></em>
-      and returns it.
-      <code class="function">lwres_buffer_putuint8()</code>
-      writes the unsigned 8-bit integer
-      <em class="parameter"><code>val</code></em>
-      to buffer
-      <em class="parameter"><code>*b</code></em>.
-    </p>
-<p><code class="function">lwres_buffer_getuint16()</code>
-      and
-      <code class="function">lwres_buffer_getuint32()</code>
-      are identical to
-      <code class="function">lwres_buffer_putuint8()</code>
-      except that they respectively read an unsigned 16-bit or 32-bit integer
-      in network byte order from
-      <em class="parameter"><code>b</code></em>.
-      Similarly,
-      <code class="function">lwres_buffer_putuint16()</code>
-      and
-      <code class="function">lwres_buffer_putuint32()</code>
-      writes the unsigned 16-bit or 32-bit integer
-      <em class="parameter"><code>val</code></em>
-      to buffer
-      <em class="parameter"><code>b</code></em>,
-      in network byte order.
-    </p>
-<p>
-      Arbitrary amounts of data are read or written from a lightweight
-      resolver buffer with
-      <code class="function">lwres_buffer_getmem()</code>
-      and
-      <code class="function">lwres_buffer_putmem()</code>
-      respectively.
-      <code class="function">lwres_buffer_putmem()</code>
-      copies
-      <em class="parameter"><code>length</code></em>
-      bytes of memory at
-      <em class="parameter"><code>base</code></em>
-      to
-      <em class="parameter"><code>b</code></em>.
-      Conversely,
-      <code class="function">lwres_buffer_getmem()</code>
-      copies
-      <em class="parameter"><code>length</code></em>
-      bytes of memory from
-      <em class="parameter"><code>b</code></em>
-      to
-      <em class="parameter"><code>base</code></em>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.3 b/contrib/bind9/lib/lwres/man/lwres_config.3
deleted file mode 100644
index 42f0e69..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_config.3
+++ /dev/null
@@ -1,106 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_config
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get \- lightweight resolver configuration
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 21
-.BI "void lwres_conf_init(lwres_context_t\ *" "ctx" ");"
-.HP 22
-.BI "void lwres_conf_clear(lwres_context_t\ *" "ctx" ");"
-.HP 32
-.BI "lwres_result_t lwres_conf_parse(lwres_context_t\ *" "ctx" ", const\ char\ *" "filename" ");"
-.HP 32
-.BI "lwres_result_t lwres_conf_print(lwres_context_t\ *" "ctx" ", FILE\ *" "fp" ");"
-.HP 30
-.BI "lwres_conf_t * lwres_conf_get(lwres_context_t\ *" "ctx" ");"
-.SH "DESCRIPTION"
-.PP
-\fBlwres_conf_init()\fR
-creates an empty
-\fBlwres_conf_t\fR
-structure for lightweight resolver context
-\fIctx\fR.
-.PP
-\fBlwres_conf_clear()\fR
-frees up all the internal memory used by that
-\fBlwres_conf_t\fR
-structure in resolver context
-\fIctx\fR.
-.PP
-\fBlwres_conf_parse()\fR
-opens the file
-\fIfilename\fR
-and parses it to initialise the resolver context
-\fIctx\fR's
-\fBlwres_conf_t\fR
-structure.
-.PP
-\fBlwres_conf_print()\fR
-prints the
-\fBlwres_conf_t\fR
-structure for resolver context
-\fIctx\fR
-to the
-\fBFILE\fR
-\fIfp\fR.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_conf_parse()\fR
-returns
-\fBLWRES_R_SUCCESS\fR
-if it successfully read and parsed
-\fIfilename\fR. It returns
-\fBLWRES_R_FAILURE\fR
-if
-\fIfilename\fR
-could not be opened or contained incorrect resolver statements.
-.PP
-\fBlwres_conf_print()\fR
-returns
-\fBLWRES_R_SUCCESS\fR
-unless an error occurred when converting the network addresses to a numeric host address string. If this happens, the function returns
-\fBLWRES_R_FAILURE\fR.
-.SH "SEE ALSO"
-.PP
-\fBstdio\fR(3),
-\fBresolver\fR(5).
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.docbook b/contrib/bind9/lib/lwres/man/lwres_config.docbook
deleted file mode 100644
index 5736ef3..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_config.docbook
+++ /dev/null
@@ -1,173 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_config.docbook,v 1.9 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-  <refentryinfo>
-
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_config</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_conf_init</refname>
-    <refname>lwres_conf_clear</refname>
-    <refname>lwres_conf_parse</refname>
-    <refname>lwres_conf_print</refname>
-    <refname>lwres_conf_get</refname>
-    <refpurpose>lightweight resolver configuration</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_conf_init</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_conf_clear</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_conf_parse</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>const char *<parameter>filename</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_conf_print</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>FILE *<parameter>fp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_conf_t *
-<function>lwres_conf_get</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para><function>lwres_conf_init()</function>
-      creates an empty
-      <type>lwres_conf_t</type>
-      structure for lightweight resolver context
-      <parameter>ctx</parameter>.
-    </para>
-
-    <para><function>lwres_conf_clear()</function>
-      frees up all the internal memory used by
-      that
-      <type>lwres_conf_t</type>
-      structure in resolver context
-      <parameter>ctx</parameter>.
-    </para>
-
-    <para><function>lwres_conf_parse()</function>
-      opens the file
-      <parameter>filename</parameter>
-      and parses it to initialise the resolver context
-      <parameter>ctx</parameter>'s
-      <type>lwres_conf_t</type>
-      structure.
-    </para>
-
-    <para><function>lwres_conf_print()</function>
-      prints the
-      <type>lwres_conf_t</type>
-      structure for resolver context
-      <parameter>ctx</parameter>
-      to the
-      <type>FILE</type>
-      <parameter>fp</parameter>.
-    </para>
-  </refsect1>
-  <refsect1>
-
-    <title>RETURN VALUES</title>
-
-    <para><function>lwres_conf_parse()</function>
-      returns <errorcode>LWRES_R_SUCCESS</errorcode>
-      if it successfully read and parsed
-      <parameter>filename</parameter>.
-      It returns <errorcode>LWRES_R_FAILURE</errorcode>
-      if <parameter>filename</parameter>
-      could not be opened or contained incorrect
-      resolver statements.
-    </para>
-
-    <para><function>lwres_conf_print()</function>
-      returns <errorcode>LWRES_R_SUCCESS</errorcode>
-      unless an error occurred when converting the network addresses to a
-      numeric host address string.
-      If this happens, the function returns
-      <errorcode>LWRES_R_FAILURE</errorcode>.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>stdio</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>FILES</title>
-    <para><filename>/etc/resolv.conf</filename>
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.html b/contrib/bind9/lib/lwres/man/lwres_config.html
deleted file mode 100644
index ed10069..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_config.html
+++ /dev/null
@@ -1,156 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_config</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get &#8212; lightweight resolver configuration</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_conf_init</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_conf_clear</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_conf_parse</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>const char * </td>
-<td>
-<var class="pdparam">filename</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_conf_print</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>FILE * </td>
-<td>
-<var class="pdparam">fp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-lwres_conf_t *
-<b class="fsfunc">lwres_conf_get</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var><code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543442"></a><h2>DESCRIPTION</h2>
-<p><code class="function">lwres_conf_init()</code>
-      creates an empty
-      <span class="type">lwres_conf_t</span>
-      structure for lightweight resolver context
-      <em class="parameter"><code>ctx</code></em>.
-    </p>
-<p><code class="function">lwres_conf_clear()</code>
-      frees up all the internal memory used by
-      that
-      <span class="type">lwres_conf_t</span>
-      structure in resolver context
-      <em class="parameter"><code>ctx</code></em>.
-    </p>
-<p><code class="function">lwres_conf_parse()</code>
-      opens the file
-      <em class="parameter"><code>filename</code></em>
-      and parses it to initialise the resolver context
-      <em class="parameter"><code>ctx</code></em>'s
-      <span class="type">lwres_conf_t</span>
-      structure.
-    </p>
-<p><code class="function">lwres_conf_print()</code>
-      prints the
-      <span class="type">lwres_conf_t</span>
-      structure for resolver context
-      <em class="parameter"><code>ctx</code></em>
-      to the
-      <span class="type">FILE</span>
-      <em class="parameter"><code>fp</code></em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543509"></a><h2>RETURN VALUES</h2>
-<p><code class="function">lwres_conf_parse()</code>
-      returns <span class="errorcode">LWRES_R_SUCCESS</span>
-      if it successfully read and parsed
-      <em class="parameter"><code>filename</code></em>.
-      It returns <span class="errorcode">LWRES_R_FAILURE</span>
-      if <em class="parameter"><code>filename</code></em>
-      could not be opened or contained incorrect
-      resolver statements.
-    </p>
-<p><code class="function">lwres_conf_print()</code>
-      returns <span class="errorcode">LWRES_R_SUCCESS</span>
-      unless an error occurred when converting the network addresses to a
-      numeric host address string.
-      If this happens, the function returns
-      <span class="errorcode">LWRES_R_FAILURE</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543546"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
-      <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543572"></a><h2>FILES</h2>
-<p><code class="filename">/etc/resolv.conf</code>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.3 b/contrib/bind9/lib/lwres/man/lwres_context.3
deleted file mode 100644
index 5764809..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_context.3
+++ /dev/null
@@ -1,170 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_context
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv \- lightweight resolver context management
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 36
-.BI "lwres_result_t lwres_context_create(lwres_context_t\ **" "contextp" ", void\ *" "arg" ", lwres_malloc_t\ " "malloc_function" ", lwres_free_t\ " "free_function" ");"
-.HP 37
-.BI "lwres_result_t lwres_context_destroy(lwres_context_t\ **" "contextp" ");"
-.HP 30
-.BI "void lwres_context_initserial(lwres_context_t\ *" "ctx" ", lwres_uint32_t\ " "serial" ");"
-.HP 40
-.BI "lwres_uint32_t lwres_context_nextserial(lwres_context_t\ *" "ctx" ");"
-.HP 27
-.BI "void lwres_context_freemem(lwres_context_t\ *" "ctx" ", void\ *" "mem" ", size_t\ " "len" ");"
-.HP 28
-.BI "void lwres_context_allocmem(lwres_context_t\ *" "ctx" ", size_t\ " "len" ");"
-.HP 30
-.BI "void * lwres_context_sendrecv(lwres_context_t\ *" "ctx" ", void\ *" "sendbase" ", int\ " "sendlen" ", void\ *" "recvbase" ", int\ " "recvlen" ", int\ *" "recvd_len" ");"
-.SH "DESCRIPTION"
-.PP
-\fBlwres_context_create()\fR
-creates a
-\fBlwres_context_t\fR
-structure for use in lightweight resolver operations. It holds a socket and other data needed for communicating with a resolver daemon. The new
-\fBlwres_context_t\fR
-is returned through
-\fIcontextp\fR, a pointer to a
-\fBlwres_context_t\fR
-pointer. This
-\fBlwres_context_t\fR
-pointer must initially be NULL, and is modified to point to the newly created
-\fBlwres_context_t\fR.
-.PP
-When the lightweight resolver needs to perform dynamic memory allocation, it will call
-\fImalloc_function\fR
-to allocate memory and
-\fIfree_function\fR
-to free it. If
-\fImalloc_function\fR
-and
-\fIfree_function\fR
-are NULL, memory is allocated using
-\fBmalloc\fR(3). and
-\fBfree\fR(3). It is not permitted to have a NULL
-\fImalloc_function\fR
-and a non\-NULL
-\fIfree_function\fR
-or vice versa.
-\fIarg\fR
-is passed as the first parameter to the memory allocation functions. If
-\fImalloc_function\fR
-and
-\fIfree_function\fR
-are NULL,
-\fIarg\fR
-is unused and should be passed as NULL.
-.PP
-Once memory for the structure has been allocated, it is initialized using
-\fBlwres_conf_init\fR(3)
-and returned via
-\fI*contextp\fR.
-.PP
-\fBlwres_context_destroy()\fR
-destroys a
-\fBlwres_context_t\fR, closing its socket.
-\fIcontextp\fR
-is a pointer to a pointer to the context that is to be destroyed. The pointer will be set to NULL when the context has been destroyed.
-.PP
-The context holds a serial number that is used to identify resolver request packets and associate responses with the corresponding requests. This serial number is controlled using
-\fBlwres_context_initserial()\fR
-and
-\fBlwres_context_nextserial()\fR.
-\fBlwres_context_initserial()\fR
-sets the serial number for context
-\fI*ctx\fR
-to
-\fIserial\fR.
-\fBlwres_context_nextserial()\fR
-increments the serial number and returns the previous value.
-.PP
-Memory for a lightweight resolver context is allocated and freed using
-\fBlwres_context_allocmem()\fR
-and
-\fBlwres_context_freemem()\fR. These use whatever allocations were defined when the context was created with
-\fBlwres_context_create()\fR.
-\fBlwres_context_allocmem()\fR
-allocates
-\fIlen\fR
-bytes of memory and if successful returns a pointer to the allocated storage.
-\fBlwres_context_freemem()\fR
-frees
-\fIlen\fR
-bytes of space starting at location
-\fImem\fR.
-.PP
-\fBlwres_context_sendrecv()\fR
-performs I/O for the context
-\fIctx\fR. Data are read and written from the context's socket. It writes data from
-\fIsendbase\fR
-\(em typically a lightweight resolver query packet \(em and waits for a reply which is copied to the receive buffer at
-\fIrecvbase\fR. The number of bytes that were written to this receive buffer is returned in
-\fI*recvd_len\fR.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_context_create()\fR
-returns
-\fBLWRES_R_NOMEMORY\fR
-if memory for the
-\fBstruct lwres_context\fR
-could not be allocated,
-\fBLWRES_R_SUCCESS\fR
-otherwise.
-.PP
-Successful calls to the memory allocator
-\fBlwres_context_allocmem()\fR
-return a pointer to the start of the allocated space. It returns NULL if memory could not be allocated.
-.PP
-\fBLWRES_R_SUCCESS\fR
-is returned when
-\fBlwres_context_sendrecv()\fR
-completes successfully.
-\fBLWRES_R_IOERROR\fR
-is returned if an I/O error occurs and
-\fBLWRES_R_TIMEOUT\fR
-is returned if
-\fBlwres_context_sendrecv()\fR
-times out waiting for a response.
-.SH "SEE ALSO"
-.PP
-\fBlwres_conf_init\fR(3),
-\fBmalloc\fR(3),
-\fBfree\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.docbook b/contrib/bind9/lib/lwres/man/lwres_context.docbook
deleted file mode 100644
index ad0392e..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_context.docbook
+++ /dev/null
@@ -1,262 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_context.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_context</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_context_create</refname>
-    <refname>lwres_context_destroy</refname>
-    <refname>lwres_context_nextserial</refname>
-    <refname>lwres_context_initserial</refname>
-    <refname>lwres_context_freemem</refname>
-    <refname>lwres_context_allocmem</refname>
-    <refname>lwres_context_sendrecv</refname>
-    <refpurpose>lightweight resolver context management</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_context_create</function></funcdef>
-        <paramdef>lwres_context_t **<parameter>contextp</parameter></paramdef>
-        <paramdef>void *<parameter>arg</parameter></paramdef>
-        <paramdef>lwres_malloc_t <parameter>malloc_function</parameter></paramdef>
-        <paramdef>lwres_free_t <parameter>free_function</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_context_destroy</function></funcdef>
-        <paramdef>lwres_context_t **<parameter>contextp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_context_initserial</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_uint32_t <parameter>serial</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_uint32_t
-<function>lwres_context_nextserial</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_context_freemem</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>void *<parameter>mem</parameter></paramdef>
-        <paramdef>size_t <parameter>len</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_context_allocmem</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>size_t <parameter>len</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void *
-<function>lwres_context_sendrecv</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>void *<parameter>sendbase</parameter></paramdef>
-        <paramdef>int <parameter>sendlen</parameter></paramdef>
-        <paramdef>void *<parameter>recvbase</parameter></paramdef>
-        <paramdef>int <parameter>recvlen</parameter></paramdef>
-        <paramdef>int *<parameter>recvd_len</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para><function>lwres_context_create()</function>
-      creates a <type>lwres_context_t</type> structure for use in
-      lightweight resolver operations.  It holds a socket and other
-      data needed for communicating with a resolver daemon.  The new
-      <type>lwres_context_t</type> is returned through
-      <parameter>contextp</parameter>, a pointer to a
-      <type>lwres_context_t</type> pointer.  This
-      <type>lwres_context_t</type> pointer must initially be NULL, and
-      is modified to point to the newly created
-      <type>lwres_context_t</type>.
-    </para>
-    <para>
-      When the lightweight resolver needs to perform dynamic memory
-      allocation, it will call
-      <parameter>malloc_function</parameter>
-      to allocate memory and
-      <parameter>free_function</parameter>
-      to free it.  If
-      <parameter>malloc_function</parameter>
-      and
-      <parameter>free_function</parameter>
-      are NULL, memory is allocated using
-      <citerefentry>
-        <refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-      and
-      <citerefentry>
-        <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-
-      It is not permitted to have a NULL
-      <parameter>malloc_function</parameter> and a non-NULL
-      <parameter>free_function</parameter> or vice versa.
-      <parameter>arg</parameter> is passed as the first parameter to
-      the memory allocation functions.  If
-      <parameter>malloc_function</parameter> and
-      <parameter>free_function</parameter> are NULL,
-      <parameter>arg</parameter> is unused and should be passed as
-      NULL.
-    </para>
-
-    <para>
-      Once memory for the structure has been allocated,
-      it is initialized using
-      <citerefentry>
-        <refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-      and returned via <parameter>*contextp</parameter>.
-    </para>
-
-    <para><function>lwres_context_destroy()</function>
-      destroys a <type>lwres_context_t</type>, closing its socket.
-      <parameter>contextp</parameter> is a pointer to a pointer to the
-      context that is to be destroyed.  The pointer will be set to
-      NULL when the context has been destroyed.
-    </para>
-
-    <para>
-      The context holds a serial number that is used to identify
-      resolver request packets and associate responses with the
-      corresponding requests.  This serial number is controlled using
-      <function>lwres_context_initserial()</function> and
-      <function>lwres_context_nextserial()</function>.
-      <function>lwres_context_initserial()</function> sets the serial
-      number for context <parameter>*ctx</parameter> to
-      <parameter>serial</parameter>.
-      <function>lwres_context_nextserial()</function> increments the
-      serial number and returns the previous value.
-    </para>
-
-    <para>
-      Memory for a lightweight resolver context is allocated and freed
-      using <function>lwres_context_allocmem()</function> and
-      <function>lwres_context_freemem()</function>.  These use
-      whatever allocations were defined when the context was created
-      with <function>lwres_context_create()</function>.
-      <function>lwres_context_allocmem()</function> allocates
-      <parameter>len</parameter> bytes of memory and if successful
-      returns a pointer to the allocated storage.
-      <function>lwres_context_freemem()</function> frees
-      <parameter>len</parameter> bytes of space starting at location
-      <parameter>mem</parameter>.
-    </para>
-
-    <para><function>lwres_context_sendrecv()</function>
-      performs I/O for the context <parameter>ctx</parameter>.  Data
-      are read and written from the context's socket.  It writes data
-      from <parameter>sendbase</parameter> &mdash; typically a
-      lightweight resolver query packet &mdash; and waits for a reply
-      which is copied to the receive buffer at
-      <parameter>recvbase</parameter>.  The number of bytes that were
-      written to this receive buffer is returned in
-      <parameter>*recvd_len</parameter>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-
-    <para><function>lwres_context_create()</function>
-      returns <errorcode>LWRES_R_NOMEMORY</errorcode> if memory for
-      the <type>struct lwres_context</type> could not be allocated,
-      <errorcode>LWRES_R_SUCCESS</errorcode> otherwise.
-    </para>
-    <para>
-      Successful calls to the memory allocator
-      <function>lwres_context_allocmem()</function>
-      return a pointer to the start of the allocated space.
-      It returns NULL if memory could not be allocated.
-    </para>
-    <para><errorcode>LWRES_R_SUCCESS</errorcode>
-      is returned when
-      <function>lwres_context_sendrecv()</function>
-      completes successfully.
-      <errorcode>LWRES_R_IOERROR</errorcode>
-      is returned if an I/O error occurs and
-      <errorcode>LWRES_R_TIMEOUT</errorcode>
-      is returned if
-      <function>lwres_context_sendrecv()</function>
-      times out waiting for a response.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.html b/contrib/bind9/lib/lwres/man/lwres_context.html
deleted file mode 100644
index e13539d..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_context.html
+++ /dev/null
@@ -1,295 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_context</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv &#8212; lightweight resolver context management</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_context_create</b>(</code></td>
-<td>lwres_context_t ** </td>
-<td>
-<var class="pdparam">contextp</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>void * </td>
-<td>
-<var class="pdparam">arg</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_malloc_t  </td>
-<td>
-<var class="pdparam">malloc_function</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_free_t  </td>
-<td>
-<var class="pdparam">free_function</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_context_destroy</b>(</code></td>
-<td>lwres_context_t ** </td>
-<td>
-<var class="pdparam">contextp</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_context_initserial</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_uint32_t  </td>
-<td>
-<var class="pdparam">serial</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint32_t
-<b class="fsfunc">lwres_context_nextserial</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_context_freemem</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>void * </td>
-<td>
-<var class="pdparam">mem</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>size_t  </td>
-<td>
-<var class="pdparam">len</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_context_allocmem</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>size_t  </td>
-<td>
-<var class="pdparam">len</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void *
-<b class="fsfunc">lwres_context_sendrecv</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>void * </td>
-<td>
-<var class="pdparam">sendbase</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">sendlen</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>void * </td>
-<td>
-<var class="pdparam">recvbase</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">recvlen</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int * </td>
-<td>
-<var class="pdparam">recvd_len</var><code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543532"></a><h2>DESCRIPTION</h2>
-<p><code class="function">lwres_context_create()</code>
-      creates a <span class="type">lwres_context_t</span> structure for use in
-      lightweight resolver operations.  It holds a socket and other
-      data needed for communicating with a resolver daemon.  The new
-      <span class="type">lwres_context_t</span> is returned through
-      <em class="parameter"><code>contextp</code></em>, a pointer to a
-      <span class="type">lwres_context_t</span> pointer.  This
-      <span class="type">lwres_context_t</span> pointer must initially be NULL, and
-      is modified to point to the newly created
-      <span class="type">lwres_context_t</span>.
-    </p>
-<p>
-      When the lightweight resolver needs to perform dynamic memory
-      allocation, it will call
-      <em class="parameter"><code>malloc_function</code></em>
-      to allocate memory and
-      <em class="parameter"><code>free_function</code></em>
-      to free it.  If
-      <em class="parameter"><code>malloc_function</code></em>
-      and
-      <em class="parameter"><code>free_function</code></em>
-      are NULL, memory is allocated using
-      <span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>.
-      and
-      <span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
-
-      It is not permitted to have a NULL
-      <em class="parameter"><code>malloc_function</code></em> and a non-NULL
-      <em class="parameter"><code>free_function</code></em> or vice versa.
-      <em class="parameter"><code>arg</code></em> is passed as the first parameter to
-      the memory allocation functions.  If
-      <em class="parameter"><code>malloc_function</code></em> and
-      <em class="parameter"><code>free_function</code></em> are NULL,
-      <em class="parameter"><code>arg</code></em> is unused and should be passed as
-      NULL.
-    </p>
-<p>
-      Once memory for the structure has been allocated,
-      it is initialized using
-      <span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>
-      and returned via <em class="parameter"><code>*contextp</code></em>.
-    </p>
-<p><code class="function">lwres_context_destroy()</code>
-      destroys a <span class="type">lwres_context_t</span>, closing its socket.
-      <em class="parameter"><code>contextp</code></em> is a pointer to a pointer to the
-      context that is to be destroyed.  The pointer will be set to
-      NULL when the context has been destroyed.
-    </p>
-<p>
-      The context holds a serial number that is used to identify
-      resolver request packets and associate responses with the
-      corresponding requests.  This serial number is controlled using
-      <code class="function">lwres_context_initserial()</code> and
-      <code class="function">lwres_context_nextserial()</code>.
-      <code class="function">lwres_context_initserial()</code> sets the serial
-      number for context <em class="parameter"><code>*ctx</code></em> to
-      <em class="parameter"><code>serial</code></em>.
-      <code class="function">lwres_context_nextserial()</code> increments the
-      serial number and returns the previous value.
-    </p>
-<p>
-      Memory for a lightweight resolver context is allocated and freed
-      using <code class="function">lwres_context_allocmem()</code> and
-      <code class="function">lwres_context_freemem()</code>.  These use
-      whatever allocations were defined when the context was created
-      with <code class="function">lwres_context_create()</code>.
-      <code class="function">lwres_context_allocmem()</code> allocates
-      <em class="parameter"><code>len</code></em> bytes of memory and if successful
-      returns a pointer to the allocated storage.
-      <code class="function">lwres_context_freemem()</code> frees
-      <em class="parameter"><code>len</code></em> bytes of space starting at location
-      <em class="parameter"><code>mem</code></em>.
-    </p>
-<p><code class="function">lwres_context_sendrecv()</code>
-      performs I/O for the context <em class="parameter"><code>ctx</code></em>.  Data
-      are read and written from the context's socket.  It writes data
-      from <em class="parameter"><code>sendbase</code></em> &#8212; typically a
-      lightweight resolver query packet &#8212; and waits for a reply
-      which is copied to the receive buffer at
-      <em class="parameter"><code>recvbase</code></em>.  The number of bytes that were
-      written to this receive buffer is returned in
-      <em class="parameter"><code>*recvd_len</code></em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543720"></a><h2>RETURN VALUES</h2>
-<p><code class="function">lwres_context_create()</code>
-      returns <span class="errorcode">LWRES_R_NOMEMORY</span> if memory for
-      the <span class="type">struct lwres_context</span> could not be allocated,
-      <span class="errorcode">LWRES_R_SUCCESS</span> otherwise.
-    </p>
-<p>
-      Successful calls to the memory allocator
-      <code class="function">lwres_context_allocmem()</code>
-      return a pointer to the start of the allocated space.
-      It returns NULL if memory could not be allocated.
-    </p>
-<p><span class="errorcode">LWRES_R_SUCCESS</span>
-      is returned when
-      <code class="function">lwres_context_sendrecv()</code>
-      completes successfully.
-      <span class="errorcode">LWRES_R_IOERROR</span>
-      is returned if an I/O error occurs and
-      <span class="errorcode">LWRES_R_TIMEOUT</span>
-      is returned if
-      <code class="function">lwres_context_sendrecv()</code>
-      times out waiting for a response.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543770"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.3 b/contrib/bind9/lib/lwres/man/lwres_gabn.3
deleted file mode 100644
index ea74690..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.3
+++ /dev/null
@@ -1,195 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_gabn
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free \- lightweight resolver getaddrbyname message handling
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 40
-.BI "lwres_result_t lwres_gabnrequest_render(lwres_context_t\ *" "ctx" ", lwres_gabnrequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
-.HP 41
-.BI "lwres_result_t lwres_gabnresponse_render(lwres_context_t\ *" "ctx" ", lwres_gabnresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
-.HP 39
-.BI "lwres_result_t lwres_gabnrequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gabnrequest_t\ **" "structp" ");"
-.HP 40
-.BI "lwres_result_t lwres_gabnresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gabnresponse_t\ **" "structp" ");"
-.HP 29
-.BI "void lwres_gabnresponse_free(lwres_context_t\ *" "ctx" ", lwres_gabnresponse_t\ **" "structp" ");"
-.HP 28
-.BI "void lwres_gabnrequest_free(lwres_context_t\ *" "ctx" ", lwres_gabnrequest_t\ **" "structp" ");"
-.SH "DESCRIPTION"
-.PP
-These are low\-level routines for creating and parsing lightweight resolver name\-to\-address lookup request and response messages.
-.PP
-There are four main functions for the getaddrbyname opcode. One render function converts a getaddrbyname request structure \(em
-\fBlwres_gabnrequest_t\fR
-\(em to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getaddrbyname request structure. Another render function converts the getaddrbyname response structure \(em
-\fBlwres_gabnresponse_t\fR
-\(em to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a getaddrbyname response structure.
-.PP
-These structures are defined in
-\fI<lwres/lwres.h>\fR. They are shown below.
-.PP
-.RS 4
-.nf
-#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_uint32_t  addrtypes;
-        lwres_uint16_t  namelen;
-        char           *name;
-} lwres_gabnrequest_t;
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-typedef struct {
-        lwres_uint32_t          flags;
-        lwres_uint16_t          naliases;
-        lwres_uint16_t          naddrs;
-        char                   *realname;
-        char                  **aliases;
-        lwres_uint16_t          realnamelen;
-        lwres_uint16_t         *aliaslen;
-        lwres_addrlist_t        addrs;
-        void                   *base;
-        size_t                  baselen;
-} lwres_gabnresponse_t;
-.fi
-.RE
-.sp
-.PP
-\fBlwres_gabnrequest_render()\fR
-uses resolver context
-\fIctx\fR
-to convert getaddrbyname request structure
-\fIreq\fR
-to canonical format. The packet header structure
-\fIpkt\fR
-is initialised and transferred to buffer
-\fIb\fR. The contents of
-\fI*req\fR
-are then appended to the buffer in canonical format.
-\fBlwres_gabnresponse_render()\fR
-performs the same task, except it converts a getaddrbyname response structure
-\fBlwres_gabnresponse_t\fR
-to the lightweight resolver's canonical format.
-.PP
-\fBlwres_gabnrequest_parse()\fR
-uses context
-\fIctx\fR
-to convert the contents of packet
-\fIpkt\fR
-to a
-\fBlwres_gabnrequest_t\fR
-structure. Buffer
-\fIb\fR
-provides space to be used for storing this structure. When the function succeeds, the resulting
-\fBlwres_gabnrequest_t\fR
-is made available through
-\fI*structp\fR.
-\fBlwres_gabnresponse_parse()\fR
-offers the same semantics as
-\fBlwres_gabnrequest_parse()\fR
-except it yields a
-\fBlwres_gabnresponse_t\fR
-structure.
-.PP
-\fBlwres_gabnresponse_free()\fR
-and
-\fBlwres_gabnrequest_free()\fR
-release the memory in resolver context
-\fIctx\fR
-that was allocated to the
-\fBlwres_gabnresponse_t\fR
-or
-\fBlwres_gabnrequest_t\fR
-structures referenced via
-\fIstructp\fR. Any memory associated with ancillary buffers and strings for those structures is also discarded.
-.SH "RETURN VALUES"
-.PP
-The getaddrbyname opcode functions
-\fBlwres_gabnrequest_render()\fR,
-\fBlwres_gabnresponse_render()\fR
-\fBlwres_gabnrequest_parse()\fR
-and
-\fBlwres_gabnresponse_parse()\fR
-all return
-\fBLWRES_R_SUCCESS\fR
-on success. They return
-\fBLWRES_R_NOMEMORY\fR
-if memory allocation fails.
-\fBLWRES_R_UNEXPECTEDEND\fR
-is returned if the available space in the buffer
-\fIb\fR
-is too small to accommodate the packet header or the
-\fBlwres_gabnrequest_t\fR
-and
-\fBlwres_gabnresponse_t\fR
-structures.
-\fBlwres_gabnrequest_parse()\fR
-and
-\fBlwres_gabnresponse_parse()\fR
-will return
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer is not empty after decoding the received packet. These functions will return
-\fBLWRES_R_FAILURE\fR
-if
-pktflags
-in the packet header structure
-\fBlwres_lwpacket_t\fR
-indicate that the packet is not a response to an earlier query.
-.SH "SEE ALSO"
-.PP
-\fBlwres_packet\fR(3)
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.docbook b/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
deleted file mode 100644
index d0b5c19..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
+++ /dev/null
@@ -1,260 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gabn.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_gabn</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_gabnrequest_render</refname>
-    <refname>lwres_gabnresponse_render</refname>
-    <refname>lwres_gabnrequest_parse</refname>
-    <refname>lwres_gabnresponse_parse</refname>
-    <refname>lwres_gabnresponse_free</refname>
-    <refname>lwres_gabnrequest_free</refname>
-    <refpurpose>lightweight resolver getaddrbyname message handling</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_gabnrequest_render</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_gabnrequest_t *<parameter>req</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_gabnresponse_render</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_gabnresponse_t *<parameter>req</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_gabnrequest_parse</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_gabnrequest_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_gabnresponse_parse</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_gabnresponse_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_gabnresponse_free</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_gabnresponse_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_gabnrequest_free</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_gabnrequest_t **<parameter>structp</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      These are low-level routines for creating and parsing
-      lightweight resolver name-to-address lookup request and
-      response messages.
-    </para>
-    <para>
-      There are four main functions for the getaddrbyname opcode.
-      One render function converts a getaddrbyname request structure &mdash;
-      <type>lwres_gabnrequest_t</type> &mdash;
-      to the lighweight resolver's canonical format.
-      It is complemented by a parse function that converts a packet in this
-      canonical format to a getaddrbyname request structure.
-      Another render function converts the getaddrbyname response structure
-      &mdash; <type>lwres_gabnresponse_t</type> &mdash;
-      to the canonical format.
-      This is complemented by a parse function which converts a packet in
-      canonical format to a getaddrbyname response structure.
-    </para>
-    <para>
-      These structures are defined in
-      <filename>&lt;lwres/lwres.h&gt;</filename>.
-      They are shown below.
-    </para>
-    <para><programlisting>
-#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
-</programlisting>
-    </para>
-    <para><programlisting>
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-</programlisting>
-    </para>
-    <para><programlisting>
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_uint32_t  addrtypes;
-        lwres_uint16_t  namelen;
-        char           *name;
-} lwres_gabnrequest_t;
-</programlisting>
-    </para>
-    <para><programlisting>
-typedef struct {
-        lwres_uint32_t          flags;
-        lwres_uint16_t          naliases;
-        lwres_uint16_t          naddrs;
-        char                   *realname;
-        char                  **aliases;
-        lwres_uint16_t          realnamelen;
-        lwres_uint16_t         *aliaslen;
-        lwres_addrlist_t        addrs;
-        void                   *base;
-        size_t                  baselen;
-} lwres_gabnresponse_t;
-</programlisting>
-    </para>
-
-    <para><function>lwres_gabnrequest_render()</function>
-      uses resolver context <parameter>ctx</parameter> to convert
-      getaddrbyname request structure <parameter>req</parameter> to
-      canonical format.  The packet header structure
-      <parameter>pkt</parameter> is initialised and transferred to
-      buffer <parameter>b</parameter>.
-
-      The contents of <parameter>*req</parameter> are then appended to
-      the buffer in canonical format.
-      <function>lwres_gabnresponse_render()</function> performs the
-      same task, except it converts a getaddrbyname response structure
-      <type>lwres_gabnresponse_t</type> to the lightweight resolver's
-      canonical format.
-    </para>
-
-    <para><function>lwres_gabnrequest_parse()</function>
-      uses context <parameter>ctx</parameter> to convert the contents
-      of packet <parameter>pkt</parameter> to a
-      <type>lwres_gabnrequest_t</type> structure.  Buffer
-      <parameter>b</parameter> provides space to be used for storing
-      this structure.  When the function succeeds, the resulting
-      <type>lwres_gabnrequest_t</type> is made available through
-      <parameter>*structp</parameter>.
-
-      <function>lwres_gabnresponse_parse()</function> offers the same
-      semantics as <function>lwres_gabnrequest_parse()</function>
-      except it yields a <type>lwres_gabnresponse_t</type> structure.
-    </para>
-
-    <para><function>lwres_gabnresponse_free()</function>
-      and <function>lwres_gabnrequest_free()</function> release the
-      memory in resolver context <parameter>ctx</parameter> that was
-      allocated to the <type>lwres_gabnresponse_t</type> or
-      <type>lwres_gabnrequest_t</type> structures referenced via
-      <parameter>structp</parameter>.
-
-      Any memory associated with ancillary buffers and strings for
-      those structures is also discarded.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para>
-      The getaddrbyname opcode functions
-      <function>lwres_gabnrequest_render()</function>,
-      <function>lwres_gabnresponse_render()</function>
-      <function>lwres_gabnrequest_parse()</function>
-      and
-      <function>lwres_gabnresponse_parse()</function>
-      all return
-      <errorcode>LWRES_R_SUCCESS</errorcode>
-      on success.
-      They return
-      <errorcode>LWRES_R_NOMEMORY</errorcode>
-      if memory allocation fails.
-      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-      is returned if the available space in the buffer
-      <parameter>b</parameter>
-      is too small to accommodate the packet header or the
-      <type>lwres_gabnrequest_t</type>
-      and
-      <type>lwres_gabnresponse_t</type>
-      structures.
-      <function>lwres_gabnrequest_parse()</function>
-      and
-      <function>lwres_gabnresponse_parse()</function>
-      will return
-      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-      if the buffer is not empty after decoding the received packet.
-      These functions will return
-      <errorcode>LWRES_R_FAILURE</errorcode>
-      if
-      <structfield>pktflags</structfield>
-      in the packet header structure
-      <type>lwres_lwpacket_t</type>
-      indicate that the packet is not a response to an earlier query.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.html b/contrib/bind9/lib/lwres/man/lwres_gabn.html
deleted file mode 100644
index 270620d..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.html
+++ /dev/null
@@ -1,324 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gabn</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476274"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free &#8212; lightweight resolver getaddrbyname message handling</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnrequest_render</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gabnrequest_t * </td>
-<td>
-<var class="pdparam">req</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnresponse_render</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gabnresponse_t * </td>
-<td>
-<var class="pdparam">req</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnrequest_parse</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gabnrequest_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnresponse_parse</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gabnresponse_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gabnresponse_free</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gabnresponse_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gabnrequest_free</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gabnrequest_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543524"></a><h2>DESCRIPTION</h2>
-<p>
-      These are low-level routines for creating and parsing
-      lightweight resolver name-to-address lookup request and
-      response messages.
-    </p>
-<p>
-      There are four main functions for the getaddrbyname opcode.
-      One render function converts a getaddrbyname request structure &#8212;
-      <span class="type">lwres_gabnrequest_t</span> &#8212;
-      to the lighweight resolver's canonical format.
-      It is complemented by a parse function that converts a packet in this
-      canonical format to a getaddrbyname request structure.
-      Another render function converts the getaddrbyname response structure
-      &#8212; <span class="type">lwres_gabnresponse_t</span> &#8212;
-      to the canonical format.
-      This is complemented by a parse function which converts a packet in
-      canonical format to a getaddrbyname response structure.
-    </p>
-<p>
-      These structures are defined in
-      <code class="filename">&lt;lwres/lwres.h&gt;</code>.
-      They are shown below.
-    </p>
-<pre class="programlisting">
-#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_uint32_t  addrtypes;
-        lwres_uint16_t  namelen;
-        char           *name;
-} lwres_gabnrequest_t;
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-typedef struct {
-        lwres_uint32_t          flags;
-        lwres_uint16_t          naliases;
-        lwres_uint16_t          naddrs;
-        char                   *realname;
-        char                  **aliases;
-        lwres_uint16_t          realnamelen;
-        lwres_uint16_t         *aliaslen;
-        lwres_addrlist_t        addrs;
-        void                   *base;
-        size_t                  baselen;
-} lwres_gabnresponse_t;
-</pre>
-<p>
-    </p>
-<p><code class="function">lwres_gabnrequest_render()</code>
-      uses resolver context <em class="parameter"><code>ctx</code></em> to convert
-      getaddrbyname request structure <em class="parameter"><code>req</code></em> to
-      canonical format.  The packet header structure
-      <em class="parameter"><code>pkt</code></em> is initialised and transferred to
-      buffer <em class="parameter"><code>b</code></em>.
-
-      The contents of <em class="parameter"><code>*req</code></em> are then appended to
-      the buffer in canonical format.
-      <code class="function">lwres_gabnresponse_render()</code> performs the
-      same task, except it converts a getaddrbyname response structure
-      <span class="type">lwres_gabnresponse_t</span> to the lightweight resolver's
-      canonical format.
-    </p>
-<p><code class="function">lwres_gabnrequest_parse()</code>
-      uses context <em class="parameter"><code>ctx</code></em> to convert the contents
-      of packet <em class="parameter"><code>pkt</code></em> to a
-      <span class="type">lwres_gabnrequest_t</span> structure.  Buffer
-      <em class="parameter"><code>b</code></em> provides space to be used for storing
-      this structure.  When the function succeeds, the resulting
-      <span class="type">lwres_gabnrequest_t</span> is made available through
-      <em class="parameter"><code>*structp</code></em>.
-
-      <code class="function">lwres_gabnresponse_parse()</code> offers the same
-      semantics as <code class="function">lwres_gabnrequest_parse()</code>
-      except it yields a <span class="type">lwres_gabnresponse_t</span> structure.
-    </p>
-<p><code class="function">lwres_gabnresponse_free()</code>
-      and <code class="function">lwres_gabnrequest_free()</code> release the
-      memory in resolver context <em class="parameter"><code>ctx</code></em> that was
-      allocated to the <span class="type">lwres_gabnresponse_t</span> or
-      <span class="type">lwres_gabnrequest_t</span> structures referenced via
-      <em class="parameter"><code>structp</code></em>.
-
-      Any memory associated with ancillary buffers and strings for
-      those structures is also discarded.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543669"></a><h2>RETURN VALUES</h2>
-<p>
-      The getaddrbyname opcode functions
-      <code class="function">lwres_gabnrequest_render()</code>,
-      <code class="function">lwres_gabnresponse_render()</code>
-      <code class="function">lwres_gabnrequest_parse()</code>
-      and
-      <code class="function">lwres_gabnresponse_parse()</code>
-      all return
-      <span class="errorcode">LWRES_R_SUCCESS</span>
-      on success.
-      They return
-      <span class="errorcode">LWRES_R_NOMEMORY</span>
-      if memory allocation fails.
-      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-      is returned if the available space in the buffer
-      <em class="parameter"><code>b</code></em>
-      is too small to accommodate the packet header or the
-      <span class="type">lwres_gabnrequest_t</span>
-      and
-      <span class="type">lwres_gabnresponse_t</span>
-      structures.
-      <code class="function">lwres_gabnrequest_parse()</code>
-      and
-      <code class="function">lwres_gabnresponse_parse()</code>
-      will return
-      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-      if the buffer is not empty after decoding the received packet.
-      These functions will return
-      <span class="errorcode">LWRES_R_FAILURE</span>
-      if
-      <em class="structfield"><code>pktflags</code></em>
-      in the packet header structure
-      <span class="type">lwres_lwpacket_t</span>
-      indicate that the packet is not a response to an earlier query.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543735"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3 b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
deleted file mode 100644
index fa3f494..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
+++ /dev/null
@@ -1,129 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_gai_strerror
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_gai_strerror \- print suitable error string
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 20
-.BI "char * gai_strerror(int\ " "ecode" ");"
-.SH "DESCRIPTION"
-.PP
-\fBlwres_gai_strerror()\fR
-returns an error message corresponding to an error code returned by
-\fBgetaddrinfo()\fR. The following error codes and their meaning are defined in
-\fIinclude/lwres/netdb.h\fR.
-.PP
-\fBEAI_ADDRFAMILY\fR
-.RS 4
-address family for hostname not supported
-.RE
-.PP
-\fBEAI_AGAIN\fR
-.RS 4
-temporary failure in name resolution
-.RE
-.PP
-\fBEAI_BADFLAGS\fR
-.RS 4
-invalid value for
-\fBai_flags\fR
-.RE
-.PP
-\fBEAI_FAIL\fR
-.RS 4
-non\-recoverable failure in name resolution
-.RE
-.PP
-\fBEAI_FAMILY\fR
-.RS 4
-\fBai_family\fR
-not supported
-.RE
-.PP
-\fBEAI_MEMORY\fR
-.RS 4
-memory allocation failure
-.RE
-.PP
-\fBEAI_NODATA\fR
-.RS 4
-no address associated with hostname
-.RE
-.PP
-\fBEAI_NONAME\fR
-.RS 4
-hostname or servname not provided, or not known
-.RE
-.PP
-\fBEAI_SERVICE\fR
-.RS 4
-servname not supported for
-\fBai_socktype\fR
-.RE
-.PP
-\fBEAI_SOCKTYPE\fR
-.RS 4
-\fBai_socktype\fR
-not supported
-.RE
-.PP
-\fBEAI_SYSTEM\fR
-.RS 4
-system error returned in errno
-.RE
-The message
-invalid error code
-is returned if
-\fIecode\fR
-is out of range.
-.PP
-\fBai_flags\fR,
-\fBai_family\fR
-and
-\fBai_socktype\fR
-are elements of the
-\fBstruct addrinfo\fR
-used by
-\fBlwres_getaddrinfo()\fR.
-.SH "SEE ALSO"
-.PP
-\fBstrerror\fR(3),
-\fBlwres_getaddrinfo\fR(3),
-\fBgetaddrinfo\fR(3),
-\fBRFC2133\fR().
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
deleted file mode 100644
index c33fee5..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
+++ /dev/null
@@ -1,200 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gai_strerror.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_gai_strerror</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_gai_strerror</refname>
-    <refpurpose>print suitable error string</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-char *
-<function>gai_strerror</function></funcdef>
-        <paramdef>int <parameter>ecode</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para><function>lwres_gai_strerror()</function>
-      returns an error message corresponding to an error code returned by
-      <function>getaddrinfo()</function>.
-      The following error codes and their meaning are defined in
-      <filename>include/lwres/netdb.h</filename>.
-      <variablelist>
-        <varlistentry>
-          <term><errorcode>EAI_ADDRFAMILY</errorcode></term>
-          <listitem>
-            <para>
-              address family for hostname not supported
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_AGAIN</errorcode></term>
-          <listitem>
-            <para>
-              temporary failure in name resolution
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_BADFLAGS</errorcode></term>
-          <listitem>
-            <para>
-              invalid value for
-              <constant>ai_flags</constant>
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_FAIL</errorcode></term>
-          <listitem>
-            <para>
-              non-recoverable failure in name resolution
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_FAMILY</errorcode></term>
-          <listitem>
-            <para><constant>ai_family</constant> not supported
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_MEMORY</errorcode></term>
-          <listitem>
-            <para>
-              memory allocation failure
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_NODATA</errorcode></term>
-          <listitem>
-            <para>
-              no address associated with hostname
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_NONAME</errorcode></term>
-          <listitem>
-            <para>
-              hostname or servname not provided, or not known
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_SERVICE</errorcode></term>
-          <listitem>
-            <para>
-              servname not supported for <constant>ai_socktype</constant>
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_SOCKTYPE</errorcode></term>
-          <listitem>
-            <para><constant>ai_socktype</constant> not supported
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>EAI_SYSTEM</errorcode></term>
-          <listitem>
-            <para>
-              system error returned in errno
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-      The message <errorname>invalid error code</errorname> is returned if
-      <parameter>ecode</parameter>
-      is out of range.
-    </para>
-    <para><constant>ai_flags</constant>,
-      <constant>ai_family</constant>
-      and
-      <constant>ai_socktype</constant>
-      are elements of the
-      <type>struct  addrinfo</type>
-      used by
-      <function>lwres_getaddrinfo()</function>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>strerror</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>RFC2133</refentrytitle>
-      </citerefentry>.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
deleted file mode 100644
index f2faace..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
+++ /dev/null
@@ -1,124 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gai_strerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gai_strerror &#8212; print suitable error string</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-char *
-<b class="fsfunc">gai_strerror</b>(</code></td>
-<td>int  </td>
-<td>
-<var class="pdparam">ecode</var><code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543362"></a><h2>DESCRIPTION</h2>
-<p><code class="function">lwres_gai_strerror()</code>
-      returns an error message corresponding to an error code returned by
-      <code class="function">getaddrinfo()</code>.
-      The following error codes and their meaning are defined in
-      <code class="filename">include/lwres/netdb.h</code>.
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span class="errorcode">EAI_ADDRFAMILY</span></span></dt>
-<dd><p>
-              address family for hostname not supported
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_AGAIN</span></span></dt>
-<dd><p>
-              temporary failure in name resolution
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_BADFLAGS</span></span></dt>
-<dd><p>
-              invalid value for
-              <code class="constant">ai_flags</code>
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_FAIL</span></span></dt>
-<dd><p>
-              non-recoverable failure in name resolution
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_FAMILY</span></span></dt>
-<dd><p><code class="constant">ai_family</code> not supported
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_MEMORY</span></span></dt>
-<dd><p>
-              memory allocation failure
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_NODATA</span></span></dt>
-<dd><p>
-              no address associated with hostname
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_NONAME</span></span></dt>
-<dd><p>
-              hostname or servname not provided, or not known
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_SERVICE</span></span></dt>
-<dd><p>
-              servname not supported for <code class="constant">ai_socktype</code>
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_SOCKTYPE</span></span></dt>
-<dd><p><code class="constant">ai_socktype</code> not supported
-            </p></dd>
-<dt><span class="term"><span class="errorcode">EAI_SYSTEM</span></span></dt>
-<dd><p>
-              system error returned in errno
-            </p></dd>
-</dl></div>
-<p>
-      The message <span class="errorname">invalid error code</span> is returned if
-      <em class="parameter"><code>ecode</code></em>
-      is out of range.
-    </p>
-<p><code class="constant">ai_flags</code>,
-      <code class="constant">ai_family</code>
-      and
-      <code class="constant">ai_socktype</code>
-      are elements of the
-      <span class="type">struct  addrinfo</span>
-      used by
-      <code class="function">lwres_getaddrinfo()</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543577"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">getaddrinfo</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
deleted file mode 100644
index a80904b..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
+++ /dev/null
@@ -1,246 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_getaddrinfo
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and service name
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 22
-.BI "int lwres_getaddrinfo(const\ char\ *" "hostname" ", const\ char\ *" "servname" ", const\ struct\ addrinfo\ *" "hints" ", struct\ addrinfo\ **" "res" ");"
-.HP 24
-.BI "void lwres_freeaddrinfo(struct\ addrinfo\ *" "ai" ");"
-.PP
-If the operating system does not provide a
-\fBstruct addrinfo\fR, the following structure is used:
-.PP
-.RS 4
-.nf
-struct  addrinfo {
-        int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
-        int             ai_family;      /* PF_xxx */
-        int             ai_socktype;    /* SOCK_xxx */
-        int             ai_protocol;    /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
-        size_t          ai_addrlen;     /* length of ai_addr */
-        char            *ai_canonname;  /* canonical name for hostname */
-        struct sockaddr *ai_addr;       /* binary address */
-        struct addrinfo *ai_next;       /* next structure in linked list */
-};
-.fi
-.RE
-.sp
-.SH "DESCRIPTION"
-.PP
-\fBlwres_getaddrinfo()\fR
-is used to get a list of IP addresses and port numbers for host
-\fIhostname\fR
-and service
-\fIservname\fR. The function is the lightweight resolver's implementation of
-\fBgetaddrinfo()\fR
-as defined in RFC2133.
-\fIhostname\fR
-and
-\fIservname\fR
-are pointers to null\-terminated strings or
-\fBNULL\fR.
-\fIhostname\fR
-is either a host name or a numeric host address string: a dotted decimal IPv4 address or an IPv6 address.
-\fIservname\fR
-is either a decimal port number or a service name as listed in
-\fI/etc/services\fR.
-.PP
-\fIhints\fR
-is an optional pointer to a
-\fBstruct addrinfo\fR. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in
-\fI*hints\fR:
-.PP
-\fBai_family\fR
-.RS 4
-The protocol family that should be used. When
-\fBai_family\fR
-is set to
-\fBPF_UNSPEC\fR, it means the caller will accept any protocol family supported by the operating system.
-.RE
-.PP
-\fBai_socktype\fR
-.RS 4
-denotes the type of socket \(em
-\fBSOCK_STREAM\fR,
-\fBSOCK_DGRAM\fR
-or
-\fBSOCK_RAW\fR
-\(em that is wanted. When
-\fBai_socktype\fR
-is zero the caller will accept any socket type.
-.RE
-.PP
-\fBai_protocol\fR
-.RS 4
-indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If
-\fBai_protocol\fR
-is zero the caller will accept any protocol.
-.RE
-.PP
-\fBai_flags\fR
-.RS 4
-Flag bits. If the
-\fBAI_CANONNAME\fR
-bit is set, a successful call to
-\fBlwres_getaddrinfo()\fR
-will return a null\-terminated string containing the canonical name of the specified hostname in
-\fBai_canonname\fR
-of the first
-\fBaddrinfo\fR
-structure returned. Setting the
-\fBAI_PASSIVE\fR
-bit indicates that the returned socket address structure is intended for used in a call to
-\fBbind\fR(2). In this case, if the hostname argument is a
-\fBNULL\fR
-pointer, then the IP address portion of the socket address structure will be set to
-\fBINADDR_ANY\fR
-for an IPv4 address or
-\fBIN6ADDR_ANY_INIT\fR
-for an IPv6 address.
-.sp
-When
-\fBai_flags\fR
-does not set the
-\fBAI_PASSIVE\fR
-bit, the returned socket address structure will be ready for use in a call to
-\fBconnect\fR(2)
-for a connection\-oriented protocol or
-\fBconnect\fR(2),
-\fBsendto\fR(2), or
-\fBsendmsg\fR(2)
-if a connectionless protocol was chosen. The IP address portion of the socket address structure will be set to the loopback address if
-\fIhostname\fR
-is a
-\fBNULL\fR
-pointer and
-\fBAI_PASSIVE\fR
-is not set in
-\fBai_flags\fR.
-.sp
-If
-\fBai_flags\fR
-is set to
-\fBAI_NUMERICHOST\fR
-it indicates that
-\fIhostname\fR
-should be treated as a numeric string defining an IPv4 or IPv6 address and no name resolution should be attempted.
-.RE
-.PP
-All other elements of the
-\fBstruct addrinfo\fR
-passed via
-\fIhints\fR
-must be zero.
-.PP
-A
-\fIhints\fR
-of
-\fBNULL\fR
-is treated as if the caller provided a
-\fBstruct addrinfo\fR
-initialized to zero with
-\fBai_family\fRset to
-\fBPF_UNSPEC\fR.
-.PP
-After a successful call to
-\fBlwres_getaddrinfo()\fR,
-\fI*res\fR
-is a pointer to a linked list of one or more
-\fBaddrinfo\fR
-structures. Each
-\fBstruct addrinfo\fR
-in this list cn be processed by following the
-\fBai_next\fR
-pointer, until a
-\fBNULL\fR
-pointer is encountered. The three members
-\fBai_family\fR,
-\fBai_socktype\fR, and
-\fBai_protocol\fR
-in each returned
-\fBaddrinfo\fR
-structure contain the corresponding arguments for a call to
-\fBsocket\fR(2). For each
-\fBaddrinfo\fR
-structure in the list, the
-\fBai_addr\fR
-member points to a filled\-in socket address structure of length
-\fBai_addrlen\fR.
-.PP
-All of the information returned by
-\fBlwres_getaddrinfo()\fR
-is dynamically allocated: the addrinfo structures, and the socket address structures and canonical host name strings pointed to by the
-\fBaddrinfo\fRstructures. Memory allocated for the dynamically allocated structures created by a successful call to
-\fBlwres_getaddrinfo()\fR
-is released by
-\fBlwres_freeaddrinfo()\fR.
-\fIai\fR
-is a pointer to a
-\fBstruct addrinfo\fR
-created by a call to
-\fBlwres_getaddrinfo()\fR.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_getaddrinfo()\fR
-returns zero on success or one of the error codes listed in
-\fBgai_strerror\fR(3)
-if an error occurs. If both
-\fIhostname\fR
-and
-\fIservname\fR
-are
-\fBNULL\fR
-\fBlwres_getaddrinfo()\fR
-returns
-\fBEAI_NONAME\fR.
-.SH "SEE ALSO"
-.PP
-\fBlwres\fR(3),
-\fBlwres_getaddrinfo\fR(3),
-\fBlwres_freeaddrinfo\fR(3),
-\fBlwres_gai_strerror\fR(3),
-\fBRFC2133\fR(),
-\fBgetservbyname\fR(3),
-\fBbind\fR(2),
-\fBconnect\fR(2),
-\fBsendto\fR(2),
-\fBsendmsg\fR(2),
-\fBsocket\fR(2).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
deleted file mode 100644
index a328764..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
+++ /dev/null
@@ -1,387 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getaddrinfo.docbook,v 1.13 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_getaddrinfo</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_getaddrinfo</refname>
-    <refname>lwres_freeaddrinfo</refname>
-    <refpurpose>socket address structure to host and service name</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-int
-<function>lwres_getaddrinfo</function></funcdef>
-        <paramdef>const char *<parameter>hostname</parameter></paramdef>
-        <paramdef>const char *<parameter>servname</parameter></paramdef>
-        <paramdef>const struct addrinfo *<parameter>hints</parameter></paramdef>
-        <paramdef>struct addrinfo **<parameter>res</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_freeaddrinfo</function></funcdef>
-        <paramdef>struct addrinfo *<parameter>ai</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-
-    <para>
-      If the operating system does not provide a
-      <type>struct addrinfo</type>,
-      the following structure is used:
-    </para>
-    <para><programlisting>
-struct  addrinfo {
-        int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
-        int             ai_family;      /* PF_xxx */
-        int             ai_socktype;    /* SOCK_xxx */
-        int             ai_protocol;    /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
-        size_t          ai_addrlen;     /* length of ai_addr */
-        char            *ai_canonname;  /* canonical name for hostname */
-        struct sockaddr *ai_addr;       /* binary address */
-        struct addrinfo *ai_next;       /* next structure in linked list */
-};
-</programlisting>
-    </para>
-
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para><function>lwres_getaddrinfo()</function>
-      is used to get a list of IP addresses and port numbers for host
-      <parameter>hostname</parameter> and service
-      <parameter>servname</parameter>.
-
-      The function is the lightweight resolver's implementation of
-      <function>getaddrinfo()</function> as defined in RFC2133.
-      <parameter>hostname</parameter> and
-      <parameter>servname</parameter> are pointers to null-terminated
-      strings or <type>NULL</type>.
-
-      <parameter>hostname</parameter> is either a host name or a
-      numeric host address string: a dotted decimal IPv4 address or an
-      IPv6 address.  <parameter>servname</parameter> is either a
-      decimal port number or a service name as listed in
-      <filename>/etc/services</filename>.
-    </para>
-
-    <para><parameter>hints</parameter>
-      is an optional pointer to a
-      <type>struct addrinfo</type>.
-      This structure can be used to provide hints concerning the type of
-      socket
-      that the caller supports or wishes to use.
-      The caller can supply the following structure elements in
-      <parameter>*hints</parameter>:
-
-      <variablelist>
-        <varlistentry>
-          <term><constant>ai_family</constant></term>
-          <listitem>
-            <para>
-              The protocol family that should be used.
-              When
-              <constant>ai_family</constant>
-              is set to
-              <type>PF_UNSPEC</type>,
-              it means the caller will accept any protocol family supported by
-              the
-              operating system.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>ai_socktype</constant></term>
-          <listitem>
-            <para>
-              denotes the type of socket &mdash;
-              <type>SOCK_STREAM</type>,
-              <type>SOCK_DGRAM</type>
-              or
-              <type>SOCK_RAW</type>
-              &mdash; that is wanted.
-              When
-              <constant>ai_socktype</constant>
-              is zero the caller will accept any socket type.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>ai_protocol</constant></term>
-          <listitem>
-            <para>
-              indicates which transport protocol is wanted: IPPROTO_UDP or
-              IPPROTO_TCP.
-              If
-              <constant>ai_protocol</constant>
-              is zero the caller will accept any protocol.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>ai_flags</constant></term>
-          <listitem>
-            <para>
-              Flag bits.
-              If the
-              <type>AI_CANONNAME</type>
-              bit is set, a successful call to
-              <function>lwres_getaddrinfo()</function>
-              will return a null-terminated string containing the canonical
-              name
-              of the specified hostname in
-              <constant>ai_canonname</constant>
-              of the first
-              <type>addrinfo</type>
-              structure returned.
-              Setting the
-              <type>AI_PASSIVE</type>
-              bit indicates that the returned socket address structure is
-              intended
-              for used in a call to
-              <citerefentry>
-                <refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
-              </citerefentry>.
-
-              In this case, if the hostname argument is a
-              <type>NULL</type>
-              pointer, then the IP address portion of the socket
-              address structure will be set to
-              <type>INADDR_ANY</type>
-              for an IPv4 address or
-              <type>IN6ADDR_ANY_INIT</type>
-              for an IPv6 address.
-            </para>
-            <para>
-              When
-              <constant>ai_flags</constant>
-              does not set the
-              <type>AI_PASSIVE</type>
-              bit, the returned socket address structure will be ready
-              for use in a call to
-              <citerefentry>
-                <refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
-              </citerefentry>
-              for a connection-oriented protocol or
-              <citerefentry>
-                <refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
-              </citerefentry>,
-
-              <citerefentry>
-                <refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
-              </citerefentry>,
-
-              or
-              <citerefentry>
-                <refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
-              </citerefentry>
-              if a connectionless protocol was chosen.
-              The IP address portion of the socket address structure will be
-              set to the loopback address if
-              <parameter>hostname</parameter>
-              is a
-              <type>NULL</type>
-              pointer and
-              <type>AI_PASSIVE</type>
-              is not set in
-              <constant>ai_flags</constant>.
-            </para>
-            <para>
-              If
-              <constant>ai_flags</constant>
-              is set to
-              <type>AI_NUMERICHOST</type>
-              it indicates that
-              <parameter>hostname</parameter>
-              should be treated as a numeric string defining an IPv4 or IPv6
-              address
-              and no name resolution should be attempted.
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-
-    <para>
-      All other elements of the <type>struct addrinfo</type> passed
-      via <parameter>hints</parameter> must be zero.
-    </para>
-
-    <para>
-      A <parameter>hints</parameter> of <type>NULL</type> is
-      treated as if
-      the caller provided a <type>struct addrinfo</type> initialized to zero
-      with <constant>ai_family</constant>set to
-      <constant>PF_UNSPEC</constant>.
-    </para>
-
-    <para>
-      After a successful call to
-      <function>lwres_getaddrinfo()</function>,
-      <parameter>*res</parameter>
-      is a pointer to a linked list of one or more
-      <type>addrinfo</type>
-      structures.
-      Each
-      <type>struct addrinfo</type>
-      in this list cn be processed by following
-      the
-      <constant>ai_next</constant>
-      pointer, until a
-      <type>NULL</type>
-      pointer is encountered.
-      The three members
-      <constant>ai_family</constant>,
-      <constant>ai_socktype</constant>,
-      and
-      <constant>ai_protocol</constant>
-      in each
-      returned
-      <type>addrinfo</type>
-      structure contain the corresponding arguments for a call to
-      <citerefentry>
-        <refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
-      </citerefentry>.
-      For each
-      <type>addrinfo</type>
-      structure in the list, the
-      <constant>ai_addr</constant>
-      member points to a filled-in socket address structure of length
-      <constant>ai_addrlen</constant>.
-    </para>
-
-    <para>
-      All of the information returned by
-      <function>lwres_getaddrinfo()</function>
-      is dynamically allocated: the addrinfo structures, and the socket
-      address structures and canonical host name strings pointed to by the
-      <constant>addrinfo</constant>structures.
-      Memory allocated for the dynamically allocated structures created by
-      a successful call to
-      <function>lwres_getaddrinfo()</function>
-      is released by
-      <function>lwres_freeaddrinfo()</function>.
-      <parameter>ai</parameter>
-      is a pointer to a
-      <type>struct addrinfo</type>
-      created by a call to
-      <function>lwres_getaddrinfo()</function>.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-
-    <para><function>lwres_getaddrinfo()</function>
-      returns zero on success or one of the error codes listed in
-      <citerefentry>
-        <refentrytitle>gai_strerror</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-      if an error occurs.  If both <parameter>hostname</parameter> and
-      <parameter>servname</parameter> are <type>NULL</type>
-      <function>lwres_getaddrinfo()</function> returns
-      <errorcode>EAI_NONAME</errorcode>.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_freeaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_gai_strerror</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>RFC2133</refentrytitle>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>getservbyname</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
-      </citerefentry>.
-    </para>
-
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
deleted file mode 100644
index 2702367..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
+++ /dev/null
@@ -1,322 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getaddrinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getaddrinfo, lwres_freeaddrinfo &#8212; socket address structure to host and service name</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-int
-<b class="fsfunc">lwres_getaddrinfo</b>(</code></td>
-<td>const char * </td>
-<td>
-<var class="pdparam">hostname</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>const char * </td>
-<td>
-<var class="pdparam">servname</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>const struct addrinfo * </td>
-<td>
-<var class="pdparam">hints</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>struct addrinfo ** </td>
-<td>
-<var class="pdparam">res</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_freeaddrinfo</b>(</code></td>
-<td>struct addrinfo * </td>
-<td>
-<var class="pdparam">ai</var><code>)</code>;</td>
-</tr></table>
-</div>
-<p>
-      If the operating system does not provide a
-      <span class="type">struct addrinfo</span>,
-      the following structure is used:
-    </p>
-<pre class="programlisting">
-struct  addrinfo {
-        int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
-        int             ai_family;      /* PF_xxx */
-        int             ai_socktype;    /* SOCK_xxx */
-        int             ai_protocol;    /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
-        size_t          ai_addrlen;     /* length of ai_addr */
-        char            *ai_canonname;  /* canonical name for hostname */
-        struct sockaddr *ai_addr;       /* binary address */
-        struct addrinfo *ai_next;       /* next structure in linked list */
-};
-</pre>
-<p>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543413"></a><h2>DESCRIPTION</h2>
-<p><code class="function">lwres_getaddrinfo()</code>
-      is used to get a list of IP addresses and port numbers for host
-      <em class="parameter"><code>hostname</code></em> and service
-      <em class="parameter"><code>servname</code></em>.
-
-      The function is the lightweight resolver's implementation of
-      <code class="function">getaddrinfo()</code> as defined in RFC2133.
-      <em class="parameter"><code>hostname</code></em> and
-      <em class="parameter"><code>servname</code></em> are pointers to null-terminated
-      strings or <span class="type">NULL</span>.
-
-      <em class="parameter"><code>hostname</code></em> is either a host name or a
-      numeric host address string: a dotted decimal IPv4 address or an
-      IPv6 address.  <em class="parameter"><code>servname</code></em> is either a
-      decimal port number or a service name as listed in
-      <code class="filename">/etc/services</code>.
-    </p>
-<p><em class="parameter"><code>hints</code></em>
-      is an optional pointer to a
-      <span class="type">struct addrinfo</span>.
-      This structure can be used to provide hints concerning the type of
-      socket
-      that the caller supports or wishes to use.
-      The caller can supply the following structure elements in
-      <em class="parameter"><code>*hints</code></em>:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">ai_family</code></span></dt>
-<dd><p>
-              The protocol family that should be used.
-              When
-              <code class="constant">ai_family</code>
-              is set to
-              <span class="type">PF_UNSPEC</span>,
-              it means the caller will accept any protocol family supported by
-              the
-              operating system.
-            </p></dd>
-<dt><span class="term"><code class="constant">ai_socktype</code></span></dt>
-<dd><p>
-              denotes the type of socket &#8212;
-              <span class="type">SOCK_STREAM</span>,
-              <span class="type">SOCK_DGRAM</span>
-              or
-              <span class="type">SOCK_RAW</span>
-              &#8212; that is wanted.
-              When
-              <code class="constant">ai_socktype</code>
-              is zero the caller will accept any socket type.
-            </p></dd>
-<dt><span class="term"><code class="constant">ai_protocol</code></span></dt>
-<dd><p>
-              indicates which transport protocol is wanted: IPPROTO_UDP or
-              IPPROTO_TCP.
-              If
-              <code class="constant">ai_protocol</code>
-              is zero the caller will accept any protocol.
-            </p></dd>
-<dt><span class="term"><code class="constant">ai_flags</code></span></dt>
-<dd>
-<p>
-              Flag bits.
-              If the
-              <span class="type">AI_CANONNAME</span>
-              bit is set, a successful call to
-              <code class="function">lwres_getaddrinfo()</code>
-              will return a null-terminated string containing the canonical
-              name
-              of the specified hostname in
-              <code class="constant">ai_canonname</code>
-              of the first
-              <span class="type">addrinfo</span>
-              structure returned.
-              Setting the
-              <span class="type">AI_PASSIVE</span>
-              bit indicates that the returned socket address structure is
-              intended
-              for used in a call to
-              <span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>.
-
-              In this case, if the hostname argument is a
-              <span class="type">NULL</span>
-              pointer, then the IP address portion of the socket
-              address structure will be set to
-              <span class="type">INADDR_ANY</span>
-              for an IPv4 address or
-              <span class="type">IN6ADDR_ANY_INIT</span>
-              for an IPv6 address.
-            </p>
-<p>
-              When
-              <code class="constant">ai_flags</code>
-              does not set the
-              <span class="type">AI_PASSIVE</span>
-              bit, the returned socket address structure will be ready
-              for use in a call to
-              <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>
-              for a connection-oriented protocol or
-              <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
-
-              <span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
-
-              or
-              <span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>
-              if a connectionless protocol was chosen.
-              The IP address portion of the socket address structure will be
-              set to the loopback address if
-              <em class="parameter"><code>hostname</code></em>
-              is a
-              <span class="type">NULL</span>
-              pointer and
-              <span class="type">AI_PASSIVE</span>
-              is not set in
-              <code class="constant">ai_flags</code>.
-            </p>
-<p>
-              If
-              <code class="constant">ai_flags</code>
-              is set to
-              <span class="type">AI_NUMERICHOST</span>
-              it indicates that
-              <em class="parameter"><code>hostname</code></em>
-              should be treated as a numeric string defining an IPv4 or IPv6
-              address
-              and no name resolution should be attempted.
-            </p>
-</dd>
-</dl></div>
-<p>
-    </p>
-<p>
-      All other elements of the <span class="type">struct addrinfo</span> passed
-      via <em class="parameter"><code>hints</code></em> must be zero.
-    </p>
-<p>
-      A <em class="parameter"><code>hints</code></em> of <span class="type">NULL</span> is
-      treated as if
-      the caller provided a <span class="type">struct addrinfo</span> initialized to zero
-      with <code class="constant">ai_family</code>set to
-      <code class="constant">PF_UNSPEC</code>.
-    </p>
-<p>
-      After a successful call to
-      <code class="function">lwres_getaddrinfo()</code>,
-      <em class="parameter"><code>*res</code></em>
-      is a pointer to a linked list of one or more
-      <span class="type">addrinfo</span>
-      structures.
-      Each
-      <span class="type">struct addrinfo</span>
-      in this list cn be processed by following
-      the
-      <code class="constant">ai_next</code>
-      pointer, until a
-      <span class="type">NULL</span>
-      pointer is encountered.
-      The three members
-      <code class="constant">ai_family</code>,
-      <code class="constant">ai_socktype</code>,
-      and
-      <code class="constant">ai_protocol</code>
-      in each
-      returned
-      <span class="type">addrinfo</span>
-      structure contain the corresponding arguments for a call to
-      <span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
-      For each
-      <span class="type">addrinfo</span>
-      structure in the list, the
-      <code class="constant">ai_addr</code>
-      member points to a filled-in socket address structure of length
-      <code class="constant">ai_addrlen</code>.
-    </p>
-<p>
-      All of the information returned by
-      <code class="function">lwres_getaddrinfo()</code>
-      is dynamically allocated: the addrinfo structures, and the socket
-      address structures and canonical host name strings pointed to by the
-      <code class="constant">addrinfo</code>structures.
-      Memory allocated for the dynamically allocated structures created by
-      a successful call to
-      <code class="function">lwres_getaddrinfo()</code>
-      is released by
-      <code class="function">lwres_freeaddrinfo()</code>.
-      <em class="parameter"><code>ai</code></em>
-      is a pointer to a
-      <span class="type">struct addrinfo</span>
-      created by a call to
-      <code class="function">lwres_getaddrinfo()</code>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543790"></a><h2>RETURN VALUES</h2>
-<p><code class="function">lwres_getaddrinfo()</code>
-      returns zero on success or one of the error codes listed in
-      <span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3)</span>
-      if an error occurs.  If both <em class="parameter"><code>hostname</code></em> and
-      <em class="parameter"><code>servname</code></em> are <span class="type">NULL</span>
-      <code class="function">lwres_getaddrinfo()</code> returns
-      <span class="errorcode">EAI_NONAME</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543828"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_freeaddrinfo</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_gai_strerror</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
-
-      <span class="citerefentry"><span class="refentrytitle">getservbyname</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.3 b/contrib/bind9/lib/lwres/man/lwres_gethostent.3
deleted file mode 100644
index 3706727..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.3
+++ /dev/null
@@ -1,315 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_gethostent
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r \- lightweight resolver get network host entry
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 37
-.BI "struct hostent * lwres_gethostbyname(const\ char\ *" "name" ");"
-.HP 38
-.BI "struct hostent * lwres_gethostbyname2(const\ char\ *" "name" ", int\ " "af" ");"
-.HP 37
-.BI "struct hostent * lwres_gethostbyaddr(const\ char\ *" "addr" ", int\ " "len" ", int\ " "type" ");"
-.HP 34
-.BI "struct hostent * lwres_gethostent(void);"
-.HP 22
-.BI "void lwres_sethostent(int\ " "stayopen" ");"
-.HP 22
-.BI "void lwres_endhostent(void);"
-.HP 39
-.BI "struct hostent * lwres_gethostbyname_r(const\ char\ *" "name" ", struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");"
-.HP 39
-.BI "struct hostent * lwres_gethostbyaddr_r(const\ char\ *" "addr" ", int\ " "len" ", int\ " "type" ", struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");"
-.HP 36
-.BI "struct hostent * lwres_gethostent_r(struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");"
-.HP 24
-.BI "void lwres_sethostent_r(int\ " "stayopen" ");"
-.HP 24
-.BI "void lwres_endhostent_r(void);"
-.SH "DESCRIPTION"
-.PP
-These functions provide hostname\-to\-address and address\-to\-hostname lookups by means of the lightweight resolver. They are similar to the standard
-\fBgethostent\fR(3)
-functions provided by most operating systems. They use a
-\fBstruct hostent\fR
-which is usually defined in
-\fI<namedb.h>\fR.
-.PP
-.RS 4
-.nf
-struct  hostent {
-        char    *h_name;        /* official name of host */
-        char    **h_aliases;    /* alias list */
-        int     h_addrtype;     /* host address type */
-        int     h_length;       /* length of address */
-        char    **h_addr_list;  /* list of addresses from name server */
-};
-#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-.fi
-.RE
-.sp
-.PP
-The members of this structure are:
-.PP
-\fBh_name\fR
-.RS 4
-The official (canonical) name of the host.
-.RE
-.PP
-\fBh_aliases\fR
-.RS 4
-A NULL\-terminated array of alternate names (nicknames) for the host.
-.RE
-.PP
-\fBh_addrtype\fR
-.RS 4
-The type of address being returned \(em
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-.RE
-.PP
-\fBh_length\fR
-.RS 4
-The length of the address in bytes.
-.RE
-.PP
-\fBh_addr_list\fR
-.RS 4
-A
-\fBNULL\fR
-terminated array of network addresses for the host. Host addresses are returned in network byte order.
-.RE
-.PP
-For backward compatibility with very old software,
-\fBh_addr\fR
-is the first address in
-\fBh_addr_list.\fR
-.PP
-\fBlwres_gethostent()\fR,
-\fBlwres_sethostent()\fR,
-\fBlwres_endhostent()\fR,
-\fBlwres_gethostent_r()\fR,
-\fBlwres_sethostent_r()\fR
-and
-\fBlwres_endhostent_r()\fR
-provide iteration over the known host entries on systems that provide such functionality through facilities like
-\fI/etc/hosts\fR
-or NIS. The lightweight resolver does not currently implement these functions; it only provides them as stub functions that always return failure.
-.PP
-\fBlwres_gethostbyname()\fR
-and
-\fBlwres_gethostbyname2()\fR
-look up the hostname
-\fIname\fR.
-\fBlwres_gethostbyname()\fR
-always looks for an IPv4 address while
-\fBlwres_gethostbyname2()\fR
-looks for an address of protocol family
-\fIaf\fR: either
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR
-\(em IPv4 or IPV6 addresses respectively. Successful calls of the functions return a
-\fBstruct hostent\fRfor the name that was looked up.
-\fBNULL\fR
-is returned if the lookups by
-\fBlwres_gethostbyname()\fR
-or
-\fBlwres_gethostbyname2()\fR
-fail.
-.PP
-Reverse lookups of addresses are performed by
-\fBlwres_gethostbyaddr()\fR.
-\fIaddr\fR
-is an address of length
-\fIlen\fR
-bytes and protocol family
-\fItype\fR
-\(em
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-\fBlwres_gethostbyname_r()\fR
-is a thread\-safe function for forward lookups. If an error occurs, an error code is returned in
-\fI*error\fR.
-\fIresbuf\fR
-is a pointer to a
-\fBstruct hostent\fR
-which is initialised by a successful call to
-\fBlwres_gethostbyname_r()\fR.
-\fIbuf\fR
-is a buffer of length
-\fIlen\fR
-bytes which is used to store the
-\fBh_name\fR,
-\fBh_aliases\fR, and
-\fBh_addr_list\fR
-elements of the
-\fBstruct hostent\fR
-returned in
-\fIresbuf\fR. Successful calls to
-\fBlwres_gethostbyname_r()\fR
-return
-\fIresbuf\fR, which is a pointer to the
-\fBstruct hostent\fR
-it created.
-.PP
-\fBlwres_gethostbyaddr_r()\fR
-is a thread\-safe function that performs a reverse lookup of address
-\fIaddr\fR
-which is
-\fIlen\fR
-bytes long and is of protocol family
-\fItype\fR
-\(em
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR. If an error occurs, the error code is returned in
-\fI*error\fR. The other function parameters are identical to those in
-\fBlwres_gethostbyname_r()\fR.
-\fIresbuf\fR
-is a pointer to a
-\fBstruct hostent\fR
-which is initialised by a successful call to
-\fBlwres_gethostbyaddr_r()\fR.
-\fIbuf\fR
-is a buffer of length
-\fIlen\fR
-bytes which is used to store the
-\fBh_name\fR,
-\fBh_aliases\fR, and
-\fBh_addr_list\fR
-elements of the
-\fBstruct hostent\fR
-returned in
-\fIresbuf\fR. Successful calls to
-\fBlwres_gethostbyaddr_r()\fR
-return
-\fIresbuf\fR, which is a pointer to the
-\fBstruct hostent()\fR
-it created.
-.SH "RETURN VALUES"
-.PP
-The functions
-\fBlwres_gethostbyname()\fR,
-\fBlwres_gethostbyname2()\fR,
-\fBlwres_gethostbyaddr()\fR, and
-\fBlwres_gethostent()\fR
-return NULL to indicate an error. In this case the global variable
-\fBlwres_h_errno\fR
-will contain one of the following error codes defined in
-\fI<lwres/netdb.h>\fR:
-.PP
-\fBHOST_NOT_FOUND\fR
-.RS 4
-The host or address was not found.
-.RE
-.PP
-\fBTRY_AGAIN\fR
-.RS 4
-A recoverable error occurred, e.g., a timeout. Retrying the lookup may succeed.
-.RE
-.PP
-\fBNO_RECOVERY\fR
-.RS 4
-A non\-recoverable error occurred.
-.RE
-.PP
-\fBNO_DATA\fR
-.RS 4
-The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility.
-.RE
-.PP
-\fBlwres_hstrerror\fR(3)
-translates these error codes to suitable error messages.
-.PP
-\fBlwres_gethostent()\fR
-and
-\fBlwres_gethostent_r()\fR
-always return
-\fBNULL\fR.
-.PP
-Successful calls to
-\fBlwres_gethostbyname_r()\fR
-and
-\fBlwres_gethostbyaddr_r()\fR
-return
-\fIresbuf\fR, a pointer to the
-\fBstruct hostent\fR
-that was initialised by these functions. They return
-\fBNULL\fR
-if the lookups fail or if
-\fIbuf\fR
-was too small to hold the list of addresses and names referenced by the
-\fBh_name\fR,
-\fBh_aliases\fR, and
-\fBh_addr_list\fR
-elements of the
-\fBstruct hostent\fR. If
-\fIbuf\fR
-was too small, both
-\fBlwres_gethostbyname_r()\fR
-and
-\fBlwres_gethostbyaddr_r()\fR
-set the global variable
-\fBerrno\fR
-to
-\fBERANGE\fR.
-.SH "SEE ALSO"
-.PP
-\fBgethostent\fR(3),
-\fBlwres_getipnode\fR(3),
-\fBlwres_hstrerror\fR(3)
-.SH "BUGS"
-.PP
-\fBlwres_gethostbyname()\fR,
-\fBlwres_gethostbyname2()\fR,
-\fBlwres_gethostbyaddr()\fR
-and
-\fBlwres_endhostent()\fR
-are not thread safe; they return pointers to static data and provide error codes through a global variable. Thread\-safe versions for name and address lookup are provided by
-\fBlwres_gethostbyname_r()\fR, and
-\fBlwres_gethostbyaddr_r()\fR
-respectively.
-.PP
-The resolver daemon does not currently support any non\-DNS name services such as
-\fI/etc/hosts\fR
-or
-\fBNIS\fR, consequently the above functions don't, either.
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook b/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
deleted file mode 100644
index a3f084b..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
+++ /dev/null
@@ -1,439 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gethostent.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_gethostent</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_gethostbyname</refname>
-    <refname>lwres_gethostbyname2</refname>
-    <refname>lwres_gethostbyaddr</refname>
-    <refname>lwres_gethostent</refname>
-    <refname>lwres_sethostent</refname>
-    <refname>lwres_endhostent</refname>
-    <refname>lwres_gethostbyname_r</refname>
-    <refname>lwres_gethostbyaddr_r</refname>
-    <refname>lwres_gethostent_r</refname>
-    <refname>lwres_sethostent_r</refname>
-    <refname>lwres_endhostent_r</refname>
-    <refpurpose>lightweight resolver get network host entry</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-struct hostent *
-<function>lwres_gethostbyname</function></funcdef>
-        <paramdef>const char *<parameter>name</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-struct hostent *
-<function>lwres_gethostbyname2</function></funcdef>
-        <paramdef>const char *<parameter>name</parameter></paramdef>
-        <paramdef>int <parameter>af</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-struct hostent *
-<function>lwres_gethostbyaddr</function></funcdef>
-        <paramdef>const char *<parameter>addr</parameter></paramdef>
-        <paramdef>int <parameter>len</parameter></paramdef>
-        <paramdef>int <parameter>type</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-struct hostent *
-<function>lwres_gethostent</function></funcdef>
-        <paramdef>void</paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_sethostent</function></funcdef>
-        <paramdef>int <parameter>stayopen</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_endhostent</function></funcdef>
-        <paramdef>void</paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-struct hostent *
-<function>lwres_gethostbyname_r</function></funcdef>
-        <paramdef>const char *<parameter>name</parameter></paramdef>
-        <paramdef>struct hostent *<parameter>resbuf</parameter></paramdef>
-        <paramdef>char *<parameter>buf</parameter></paramdef>
-        <paramdef>int <parameter>buflen</parameter></paramdef>
-        <paramdef>int *<parameter>error</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-struct hostent  *
-<function>lwres_gethostbyaddr_r</function></funcdef>
-        <paramdef>const char *<parameter>addr</parameter></paramdef>
-        <paramdef>int <parameter>len</parameter></paramdef>
-        <paramdef>int <parameter>type</parameter></paramdef>
-        <paramdef>struct hostent *<parameter>resbuf</parameter></paramdef>
-        <paramdef>char *<parameter>buf</parameter></paramdef>
-        <paramdef>int <parameter>buflen</parameter></paramdef>
-        <paramdef>int *<parameter>error</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-struct hostent  *
-<function>lwres_gethostent_r</function></funcdef>
-        <paramdef>struct hostent *<parameter>resbuf</parameter></paramdef>
-        <paramdef>char *<parameter>buf</parameter></paramdef>
-        <paramdef>int <parameter>buflen</parameter></paramdef>
-        <paramdef>int *<parameter>error</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_sethostent_r</function></funcdef>
-        <paramdef>int <parameter>stayopen</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_endhostent_r</function></funcdef>
-        <paramdef>void</paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      These functions provide hostname-to-address and
-      address-to-hostname lookups by means of the lightweight resolver.
-      They are similar to the standard
-      <citerefentry>
-        <refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-      functions provided by most operating systems.
-      They use a
-      <type>struct hostent</type>
-      which is usually defined in
-      <filename>&lt;namedb.h&gt;</filename>.
-    </para>
-    <para><programlisting>
-struct  hostent {
-        char    *h_name;        /* official name of host */
-        char    **h_aliases;    /* alias list */
-        int     h_addrtype;     /* host address type */
-        int     h_length;       /* length of address */
-        char    **h_addr_list;  /* list of addresses from name server */
-};
-#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-</programlisting>
-    </para>
-    <para>
-      The members of this structure are:
-      <variablelist>
-        <varlistentry>
-          <term><constant>h_name</constant></term>
-          <listitem>
-            <para>
-              The official (canonical) name of the host.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>h_aliases</constant></term>
-          <listitem>
-            <para>
-              A NULL-terminated array of alternate names (nicknames) for the
-              host.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>h_addrtype</constant></term>
-          <listitem>
-            <para>
-              The type of address being returned &mdash;
-              <type>PF_INET</type>
-              or
-              <type>PF_INET6</type>.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>h_length</constant></term>
-          <listitem>
-            <para>
-              The length of the address in bytes.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>h_addr_list</constant></term>
-          <listitem>
-            <para>
-              A <type>NULL</type>
-              terminated array of network addresses for the host.
-              Host addresses are returned in network byte order.
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-    <para>
-      For backward compatibility with very old software,
-      <constant>h_addr</constant>
-      is the first address in
-      <constant>h_addr_list.</constant>
-    </para>
-    <para><function>lwres_gethostent()</function>,
-      <function>lwres_sethostent()</function>,
-      <function>lwres_endhostent()</function>,
-      <function>lwres_gethostent_r()</function>,
-      <function>lwres_sethostent_r()</function>
-      and
-      <function>lwres_endhostent_r()</function>
-      provide iteration over the known host entries on systems that
-      provide such functionality through facilities like
-      <filename>/etc/hosts</filename>
-      or NIS.  The lightweight resolver does not currently implement
-      these functions; it only provides them as stub functions that always
-      return failure.
-    </para>
-
-    <para><function>lwres_gethostbyname()</function>
-      and <function>lwres_gethostbyname2()</function> look up the
-      hostname <parameter>name</parameter>.
-      <function>lwres_gethostbyname()</function> always looks for an
-      IPv4 address while <function>lwres_gethostbyname2()</function>
-      looks for an address of protocol family
-      <parameter>af</parameter>: either <type>PF_INET</type> or
-      <type>PF_INET6</type> &mdash; IPv4 or IPV6 addresses
-      respectively.  Successful calls of the functions return a
-      <type>struct hostent</type>for the name that was looked up.
-      <type>NULL</type> is returned if the lookups by
-      <function>lwres_gethostbyname()</function> or
-      <function>lwres_gethostbyname2()</function> fail.
-    </para>
-
-    <para>
-      Reverse lookups of addresses are performed by
-      <function>lwres_gethostbyaddr()</function>.
-      <parameter>addr</parameter> is an address of length
-      <parameter>len</parameter> bytes and protocol family
-      <parameter>type</parameter> &mdash; <type>PF_INET</type> or
-      <type>PF_INET6</type>.
-      <function>lwres_gethostbyname_r()</function> is a
-      thread-safe function
-      for forward lookups.  If an error occurs, an error code is returned in
-      <parameter>*error</parameter>.
-      <parameter>resbuf</parameter> is a pointer to a
-      <type>struct hostent</type> which is initialised by a successful call to
-      <function>lwres_gethostbyname_r()</function>.
-      <parameter>buf</parameter> is a buffer of length
-      <parameter>len</parameter> bytes which is used to store the
-      <constant>h_name</constant>, <constant>h_aliases</constant>, and
-      <constant>h_addr_list</constant> elements of the
-      <type>struct hostent</type> returned in <parameter>resbuf</parameter>.
-      Successful calls to <function>lwres_gethostbyname_r()</function>
-      return <parameter>resbuf</parameter>,
-      which is a pointer to the <type>struct hostent</type> it created.
-    </para>
-
-    <para><function>lwres_gethostbyaddr_r()</function>
-      is a thread-safe function
-      that performs a reverse lookup of address <parameter>addr</parameter>
-      which is <parameter>len</parameter> bytes long and is of
-      protocol
-      family <parameter>type</parameter> &mdash; <type>PF_INET</type> or
-      <type>PF_INET6</type>.  If an error occurs, the error code is returned
-      in <parameter>*error</parameter>.  The other function
-      parameters are
-      identical to those in <function>lwres_gethostbyname_r()</function>.
-      <parameter>resbuf</parameter> is a pointer to a
-      <type>struct hostent</type> which is initialised by a successful call to
-      <function>lwres_gethostbyaddr_r()</function>.
-      <parameter>buf</parameter> is a buffer of length
-      <parameter>len</parameter> bytes which is used to store the
-      <constant>h_name</constant>, <constant>h_aliases</constant>, and
-      <constant>h_addr_list</constant> elements of the
-      <type>struct hostent</type> returned in <parameter>resbuf</parameter>.
-      Successful calls to <function>lwres_gethostbyaddr_r()</function> return
-      <parameter>resbuf</parameter>, which is a pointer to the
-      <function>struct hostent()</function> it created.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para>
-      The functions
-      <function>lwres_gethostbyname()</function>,
-      <function>lwres_gethostbyname2()</function>,
-      <function>lwres_gethostbyaddr()</function>,
-      and
-      <function>lwres_gethostent()</function>
-      return NULL to indicate an error.  In this case the global variable
-      <type>lwres_h_errno</type>
-      will contain one of the following error codes defined in
-      <filename>&lt;lwres/netdb.h&gt;</filename>:
-
-      <variablelist>
-        <varlistentry>
-          <term><constant>HOST_NOT_FOUND</constant></term>
-          <listitem>
-            <para>
-              The host or address was not found.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>TRY_AGAIN</constant></term>
-          <listitem>
-            <para>
-              A recoverable error occurred, e.g., a timeout.
-              Retrying the lookup may succeed.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>NO_RECOVERY</constant></term>
-          <listitem>
-            <para>
-              A non-recoverable error occurred.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>NO_DATA</constant></term>
-          <listitem>
-            <para>
-              The name exists, but has no address information
-              associated with it (or vice versa in the case
-              of a reverse lookup).  The code NO_ADDRESS
-              is accepted as a synonym for NO_DATA for backwards
-              compatibility.
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-
-    <para><citerefentry>
-        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-      translates these error codes to suitable error messages.
-    </para>
-
-    <para><function>lwres_gethostent()</function>
-      and <function>lwres_gethostent_r()</function>
-      always return <type>NULL</type>.
-    </para>
-
-    <para>
-      Successful calls to <function>lwres_gethostbyname_r()</function> and
-      <function>lwres_gethostbyaddr_r()</function> return
-      <parameter>resbuf</parameter>, a pointer to the
-      <type>struct hostent</type> that was initialised by these functions.  They return
-      <type>NULL</type> if the lookups fail or if <parameter>buf</parameter>
-      was too small to hold the list of addresses and names referenced by
-      the <constant>h_name</constant>, <constant>h_aliases</constant>, and
-      <constant>h_addr_list</constant> elements of the
-      <type>struct hostent</type>.
-      If <parameter>buf</parameter> was too small, both
-      <function>lwres_gethostbyname_r()</function> and
-      <function>lwres_gethostbyaddr_r()</function> set the global
-      variable
-      <type>errno</type> to <errorcode>ERANGE</errorcode>.
-    </para>
-
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>BUGS</title>
-    <para><function>lwres_gethostbyname()</function>,
-      <function>lwres_gethostbyname2()</function>,
-      <function>lwres_gethostbyaddr()</function>
-      and
-      <function>lwres_endhostent()</function>
-      are not thread safe; they return pointers to static data and
-      provide error codes through a global variable.
-      Thread-safe versions for name and address lookup are provided by
-      <function>lwres_gethostbyname_r()</function>,
-      and
-      <function>lwres_gethostbyaddr_r()</function>
-      respectively.
-    </para>
-    <para>
-      The resolver daemon does not currently support any non-DNS
-      name services such as
-      <filename>/etc/hosts</filename>
-      or
-      <type>NIS</type>,
-      consequently the above functions don't, either.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.html b/contrib/bind9/lib/lwres/man/lwres_gethostent.html
deleted file mode 100644
index 2c99085..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.html
+++ /dev/null
@@ -1,466 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gethostent</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r &#8212; lightweight resolver get network host entry</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyname</b>(</code></td>
-<td>const char * </td>
-<td>
-<var class="pdparam">name</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyname2</b>(</code></td>
-<td>const char * </td>
-<td>
-<var class="pdparam">name</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">af</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyaddr</b>(</code></td>
-<td>const char * </td>
-<td>
-<var class="pdparam">addr</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">len</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">type</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostent</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_sethostent</b>(</code></td>
-<td>int  </td>
-<td>
-<var class="pdparam">stayopen</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_endhostent</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyname_r</b>(</code></td>
-<td>const char * </td>
-<td>
-<var class="pdparam">name</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>struct hostent * </td>
-<td>
-<var class="pdparam">resbuf</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>char * </td>
-<td>
-<var class="pdparam">buf</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">buflen</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int * </td>
-<td>
-<var class="pdparam">error</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent  *
-<b class="fsfunc">lwres_gethostbyaddr_r</b>(</code></td>
-<td>const char * </td>
-<td>
-<var class="pdparam">addr</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">len</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">type</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>struct hostent * </td>
-<td>
-<var class="pdparam">resbuf</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>char * </td>
-<td>
-<var class="pdparam">buf</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">buflen</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int * </td>
-<td>
-<var class="pdparam">error</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent  *
-<b class="fsfunc">lwres_gethostent_r</b>(</code></td>
-<td>struct hostent * </td>
-<td>
-<var class="pdparam">resbuf</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>char * </td>
-<td>
-<var class="pdparam">buf</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">buflen</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int * </td>
-<td>
-<var class="pdparam">error</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_sethostent_r</b>(</code></td>
-<td>int  </td>
-<td>
-<var class="pdparam">stayopen</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_endhostent_r</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543609"></a><h2>DESCRIPTION</h2>
-<p>
-      These functions provide hostname-to-address and
-      address-to-hostname lookups by means of the lightweight resolver.
-      They are similar to the standard
-      <span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>
-      functions provided by most operating systems.
-      They use a
-      <span class="type">struct hostent</span>
-      which is usually defined in
-      <code class="filename">&lt;namedb.h&gt;</code>.
-    </p>
-<pre class="programlisting">
-struct  hostent {
-        char    *h_name;        /* official name of host */
-        char    **h_aliases;    /* alias list */
-        int     h_addrtype;     /* host address type */
-        int     h_length;       /* length of address */
-        char    **h_addr_list;  /* list of addresses from name server */
-};
-#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-</pre>
-<p>
-    </p>
-<p>
-      The members of this structure are:
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">h_name</code></span></dt>
-<dd><p>
-              The official (canonical) name of the host.
-            </p></dd>
-<dt><span class="term"><code class="constant">h_aliases</code></span></dt>
-<dd><p>
-              A NULL-terminated array of alternate names (nicknames) for the
-              host.
-            </p></dd>
-<dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
-<dd><p>
-              The type of address being returned &#8212;
-              <span class="type">PF_INET</span>
-              or
-              <span class="type">PF_INET6</span>.
-            </p></dd>
-<dt><span class="term"><code class="constant">h_length</code></span></dt>
-<dd><p>
-              The length of the address in bytes.
-            </p></dd>
-<dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
-<dd><p>
-              A <span class="type">NULL</span>
-              terminated array of network addresses for the host.
-              Host addresses are returned in network byte order.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-<p>
-      For backward compatibility with very old software,
-      <code class="constant">h_addr</code>
-      is the first address in
-      <code class="constant">h_addr_list.</code>
-    </p>
-<p><code class="function">lwres_gethostent()</code>,
-      <code class="function">lwres_sethostent()</code>,
-      <code class="function">lwres_endhostent()</code>,
-      <code class="function">lwres_gethostent_r()</code>,
-      <code class="function">lwres_sethostent_r()</code>
-      and
-      <code class="function">lwres_endhostent_r()</code>
-      provide iteration over the known host entries on systems that
-      provide such functionality through facilities like
-      <code class="filename">/etc/hosts</code>
-      or NIS.  The lightweight resolver does not currently implement
-      these functions; it only provides them as stub functions that always
-      return failure.
-    </p>
-<p><code class="function">lwres_gethostbyname()</code>
-      and <code class="function">lwres_gethostbyname2()</code> look up the
-      hostname <em class="parameter"><code>name</code></em>.
-      <code class="function">lwres_gethostbyname()</code> always looks for an
-      IPv4 address while <code class="function">lwres_gethostbyname2()</code>
-      looks for an address of protocol family
-      <em class="parameter"><code>af</code></em>: either <span class="type">PF_INET</span> or
-      <span class="type">PF_INET6</span> &#8212; IPv4 or IPV6 addresses
-      respectively.  Successful calls of the functions return a
-      <span class="type">struct hostent</span>for the name that was looked up.
-      <span class="type">NULL</span> is returned if the lookups by
-      <code class="function">lwres_gethostbyname()</code> or
-      <code class="function">lwres_gethostbyname2()</code> fail.
-    </p>
-<p>
-      Reverse lookups of addresses are performed by
-      <code class="function">lwres_gethostbyaddr()</code>.
-      <em class="parameter"><code>addr</code></em> is an address of length
-      <em class="parameter"><code>len</code></em> bytes and protocol family
-      <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
-      <span class="type">PF_INET6</span>.
-      <code class="function">lwres_gethostbyname_r()</code> is a
-      thread-safe function
-      for forward lookups.  If an error occurs, an error code is returned in
-      <em class="parameter"><code>*error</code></em>.
-      <em class="parameter"><code>resbuf</code></em> is a pointer to a
-      <span class="type">struct hostent</span> which is initialised by a successful call to
-      <code class="function">lwres_gethostbyname_r()</code>.
-      <em class="parameter"><code>buf</code></em> is a buffer of length
-      <em class="parameter"><code>len</code></em> bytes which is used to store the
-      <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-      <code class="constant">h_addr_list</code> elements of the
-      <span class="type">struct hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
-      Successful calls to <code class="function">lwres_gethostbyname_r()</code>
-      return <em class="parameter"><code>resbuf</code></em>,
-      which is a pointer to the <span class="type">struct hostent</span> it created.
-    </p>
-<p><code class="function">lwres_gethostbyaddr_r()</code>
-      is a thread-safe function
-      that performs a reverse lookup of address <em class="parameter"><code>addr</code></em>
-      which is <em class="parameter"><code>len</code></em> bytes long and is of
-      protocol
-      family <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
-      <span class="type">PF_INET6</span>.  If an error occurs, the error code is returned
-      in <em class="parameter"><code>*error</code></em>.  The other function
-      parameters are
-      identical to those in <code class="function">lwres_gethostbyname_r()</code>.
-      <em class="parameter"><code>resbuf</code></em> is a pointer to a
-      <span class="type">struct hostent</span> which is initialised by a successful call to
-      <code class="function">lwres_gethostbyaddr_r()</code>.
-      <em class="parameter"><code>buf</code></em> is a buffer of length
-      <em class="parameter"><code>len</code></em> bytes which is used to store the
-      <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-      <code class="constant">h_addr_list</code> elements of the
-      <span class="type">struct hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
-      Successful calls to <code class="function">lwres_gethostbyaddr_r()</code> return
-      <em class="parameter"><code>resbuf</code></em>, which is a pointer to the
-      <code class="function">struct hostent()</code> it created.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543960"></a><h2>RETURN VALUES</h2>
-<p>
-      The functions
-      <code class="function">lwres_gethostbyname()</code>,
-      <code class="function">lwres_gethostbyname2()</code>,
-      <code class="function">lwres_gethostbyaddr()</code>,
-      and
-      <code class="function">lwres_gethostent()</code>
-      return NULL to indicate an error.  In this case the global variable
-      <span class="type">lwres_h_errno</span>
-      will contain one of the following error codes defined in
-      <code class="filename">&lt;lwres/netdb.h&gt;</code>:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
-<dd><p>
-              The host or address was not found.
-            </p></dd>
-<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
-<dd><p>
-              A recoverable error occurred, e.g., a timeout.
-              Retrying the lookup may succeed.
-            </p></dd>
-<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
-<dd><p>
-              A non-recoverable error occurred.
-            </p></dd>
-<dt><span class="term"><code class="constant">NO_DATA</code></span></dt>
-<dd><p>
-              The name exists, but has no address information
-              associated with it (or vice versa in the case
-              of a reverse lookup).  The code NO_ADDRESS
-              is accepted as a synonym for NO_DATA for backwards
-              compatibility.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-<p><span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
-      translates these error codes to suitable error messages.
-    </p>
-<p><code class="function">lwres_gethostent()</code>
-      and <code class="function">lwres_gethostent_r()</code>
-      always return <span class="type">NULL</span>.
-    </p>
-<p>
-      Successful calls to <code class="function">lwres_gethostbyname_r()</code> and
-      <code class="function">lwres_gethostbyaddr_r()</code> return
-      <em class="parameter"><code>resbuf</code></em>, a pointer to the
-      <span class="type">struct hostent</span> that was initialised by these functions.  They return
-      <span class="type">NULL</span> if the lookups fail or if <em class="parameter"><code>buf</code></em>
-      was too small to hold the list of addresses and names referenced by
-      the <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-      <code class="constant">h_addr_list</code> elements of the
-      <span class="type">struct hostent</span>.
-      If <em class="parameter"><code>buf</code></em> was too small, both
-      <code class="function">lwres_gethostbyname_r()</code> and
-      <code class="function">lwres_gethostbyaddr_r()</code> set the global
-      variable
-      <span class="type">errno</span> to <span class="errorcode">ERANGE</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544194"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544228"></a><h2>BUGS</h2>
-<p><code class="function">lwres_gethostbyname()</code>,
-      <code class="function">lwres_gethostbyname2()</code>,
-      <code class="function">lwres_gethostbyaddr()</code>
-      and
-      <code class="function">lwres_endhostent()</code>
-      are not thread safe; they return pointers to static data and
-      provide error codes through a global variable.
-      Thread-safe versions for name and address lookup are provided by
-      <code class="function">lwres_gethostbyname_r()</code>,
-      and
-      <code class="function">lwres_gethostbyaddr_r()</code>
-      respectively.
-    </p>
-<p>
-      The resolver daemon does not currently support any non-DNS
-      name services such as
-      <code class="filename">/etc/hosts</code>
-      or
-      <span class="type">NIS</span>,
-      consequently the above functions don't, either.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.3 b/contrib/bind9/lib/lwres/man/lwres_getipnode.3
deleted file mode 100644
index 3632e64..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.3
+++ /dev/null
@@ -1,206 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_getipnode
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight resolver nodename / address translation API
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 39
-.BI "struct hostent * lwres_getipnodebyname(const\ char\ *" "name" ", int\ " "af" ", int\ " "flags" ", int\ *" "error_num" ");"
-.HP 39
-.BI "struct hostent * lwres_getipnodebyaddr(const\ void\ *" "src" ", size_t\ " "len" ", int\ " "af" ", int\ *" "error_num" ");"
-.HP 23
-.BI "void lwres_freehostent(struct\ hostent\ *" "he" ");"
-.SH "DESCRIPTION"
-.PP
-These functions perform thread safe, protocol independent nodename\-to\-address and address\-to\-nodename translation as defined in RFC2553.
-.PP
-They use a
-\fBstruct hostent\fR
-which is defined in
-\fInamedb.h\fR:
-.PP
-.RS 4
-.nf
-struct  hostent {
-        char    *h_name;        /* official name of host */
-        char    **h_aliases;    /* alias list */
-        int     h_addrtype;     /* host address type */
-        int     h_length;       /* length of address */
-        char    **h_addr_list;  /* list of addresses from name server */
-};
-#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-.fi
-.RE
-.sp
-.PP
-The members of this structure are:
-.PP
-\fBh_name\fR
-.RS 4
-The official (canonical) name of the host.
-.RE
-.PP
-\fBh_aliases\fR
-.RS 4
-A NULL\-terminated array of alternate names (nicknames) for the host.
-.RE
-.PP
-\fBh_addrtype\fR
-.RS 4
-The type of address being returned \- usually
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-.RE
-.PP
-\fBh_length\fR
-.RS 4
-The length of the address in bytes.
-.RE
-.PP
-\fBh_addr_list\fR
-.RS 4
-A
-\fBNULL\fR
-terminated array of network addresses for the host. Host addresses are returned in network byte order.
-.RE
-.PP
-\fBlwres_getipnodebyname()\fR
-looks up addresses of protocol family
-\fIaf\fR
-for the hostname
-\fIname\fR. The
-\fIflags\fR
-parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are:
-.PP
-\fBAI_V4MAPPED\fR
-.RS 4
-This is used with an
-\fIaf\fR
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses.
-.RE
-.PP
-\fBAI_ALL\fR
-.RS 4
-This is used with an
-\fIaf\fR
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses.
-.RE
-.PP
-\fBAI_ADDRCONFIG\fR
-.RS 4
-Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored.
-.RE
-.PP
-\fBAI_DEFAULT\fR
-.RS 4
-This default sets the
-\fBAI_V4MAPPED\fR
-and
-\fBAI_ADDRCONFIG\fR
-flag bits.
-.RE
-.PP
-\fBlwres_getipnodebyaddr()\fR
-performs a reverse lookup of address
-\fIsrc\fR
-which is
-\fIlen\fR
-bytes long.
-\fIaf\fR
-denotes the protocol family, typically
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-.PP
-\fBlwres_freehostent()\fR
-releases all the memory associated with the
-\fBstruct hostent\fR
-pointer
-\fIhe\fR. Any memory allocated for the
-\fBh_name\fR,
-\fBh_addr_list\fR
-and
-\fBh_aliases\fR
-is freed, as is the memory for the
-\fBhostent\fR
-structure itself.
-.SH "RETURN VALUES"
-.PP
-If an error occurs,
-\fBlwres_getipnodebyname()\fR
-and
-\fBlwres_getipnodebyaddr()\fR
-set
-\fI*error_num\fR
-to an appropriate error code and the function returns a
-\fBNULL\fR
-pointer. The error codes and their meanings are defined in
-\fI<lwres/netdb.h>\fR:
-.PP
-\fBHOST_NOT_FOUND\fR
-.RS 4
-No such host is known.
-.RE
-.PP
-\fBNO_ADDRESS\fR
-.RS 4
-The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer.
-.RE
-.PP
-\fBTRY_AGAIN\fR
-.RS 4
-A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried.
-.RE
-.PP
-\fBNO_RECOVERY\fR
-.RS 4
-An unexpected failure occurred, and retrying the request is pointless.
-.RE
-.PP
-\fBlwres_hstrerror\fR(3)
-translates these error codes to suitable error messages.
-.SH "SEE ALSO"
-.PP
-\fBRFC2553\fR(),
-\fBlwres\fR(3),
-\fBlwres_gethostent\fR(3),
-\fBlwres_getaddrinfo\fR(3),
-\fBlwres_getnameinfo\fR(3),
-\fBlwres_hstrerror\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook b/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
deleted file mode 100644
index 825f462..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
+++ /dev/null
@@ -1,331 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getipnode.docbook,v 1.12 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_getipnode</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_getipnodebyname</refname>
-    <refname>lwres_getipnodebyaddr</refname>
-    <refname>lwres_freehostent</refname>
-    <refpurpose>lightweight resolver nodename / address translation API</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-struct hostent *
-<function>lwres_getipnodebyname</function></funcdef>
-        <paramdef>const char *<parameter>name</parameter></paramdef>
-        <paramdef>int <parameter>af</parameter></paramdef>
-        <paramdef>int <parameter>flags</parameter></paramdef>
-        <paramdef>int *<parameter>error_num</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-struct hostent *
-<function>lwres_getipnodebyaddr</function></funcdef>
-        <paramdef>const void *<parameter>src</parameter></paramdef>
-        <paramdef>size_t <parameter>len</parameter></paramdef>
-        <paramdef>int <parameter>af</parameter></paramdef>
-        <paramdef>int *<parameter>error_num</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_freehostent</function></funcdef>
-        <paramdef>struct hostent *<parameter>he</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para>
-      These functions perform thread safe, protocol independent
-      nodename-to-address and address-to-nodename
-      translation as defined in RFC2553.
-    </para>
-
-    <para>
-      They use a
-      <type>struct hostent</type>
-      which is defined in
-      <filename>namedb.h</filename>:
-    </para>
-    <para><programlisting>
-struct  hostent {
-        char    *h_name;        /* official name of host */
-        char    **h_aliases;    /* alias list */
-        int     h_addrtype;     /* host address type */
-        int     h_length;       /* length of address */
-        char    **h_addr_list;  /* list of addresses from name server */
-};
-#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-</programlisting>
-    </para>
-
-    <para>
-      The members of this structure are:
-      <variablelist>
-        <varlistentry>
-          <term><constant>h_name</constant></term>
-          <listitem>
-            <para>
-              The official (canonical) name of the host.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>h_aliases</constant></term>
-          <listitem>
-            <para>
-              A NULL-terminated array of alternate names (nicknames) for the
-              host.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>h_addrtype</constant></term>
-          <listitem>
-            <para>
-              The type of address being returned - usually
-              <type>PF_INET</type>
-              or
-              <type>PF_INET6</type>.
-
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>h_length</constant></term>
-          <listitem>
-            <para>
-              The length of the address in bytes.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>h_addr_list</constant></term>
-          <listitem>
-            <para>
-              A
-              <type>NULL</type>
-              terminated array of network addresses for the host.
-              Host addresses are returned in network byte order.
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-
-    <para><function>lwres_getipnodebyname()</function>
-      looks up addresses of protocol family <parameter>af</parameter>
-      for the hostname <parameter>name</parameter>.  The
-      <parameter>flags</parameter> parameter contains ORed flag bits
-      to specify the types of addresses that are searched for, and the
-      types of addresses that are returned.  The flag bits are:
-
-      <variablelist>
-        <varlistentry>
-          <term><constant>AI_V4MAPPED</constant></term>
-          <listitem>
-            <para>
-              This is used with an
-              <parameter>af</parameter>
-              of AF_INET6, and causes IPv4 addresses to be returned as
-              IPv4-mapped
-              IPv6 addresses.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>AI_ALL</constant></term>
-          <listitem>
-            <para>
-              This is used with an
-              <parameter>af</parameter>
-              of AF_INET6, and causes all known addresses (IPv6 and IPv4) to
-              be returned.
-              If AI_V4MAPPED is also set, the IPv4 addresses are return as
-              mapped
-              IPv6 addresses.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>AI_ADDRCONFIG</constant></term>
-          <listitem>
-            <para>
-              Only return an IPv6 or IPv4 address if here is an active network
-              interface of that type.  This is not currently implemented
-              in the BIND 9 lightweight resolver, and the flag is ignored.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>AI_DEFAULT</constant></term>
-          <listitem>
-            <para>
-              This default sets the
-              <constant>AI_V4MAPPED</constant>
-              and
-              <constant>AI_ADDRCONFIG</constant>
-              flag bits.
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-
-    <para><function>lwres_getipnodebyaddr()</function>
-      performs a reverse lookup of address <parameter>src</parameter>
-      which is <parameter>len</parameter> bytes long.
-      <parameter>af</parameter> denotes the protocol family, typically
-      <type>PF_INET</type> or <type>PF_INET6</type>.
-    </para>
-    <para><function>lwres_freehostent()</function>
-      releases all the memory associated with the <type>struct
-      hostent</type> pointer <parameter>he</parameter>.  Any memory
-      allocated for the <constant>h_name</constant>,
-      <constant>h_addr_list</constant> and
-      <constant>h_aliases</constant> is freed, as is the memory for
-      the <type>hostent</type> structure itself.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para>
-      If an error occurs,
-      <function>lwres_getipnodebyname()</function>
-      and
-      <function>lwres_getipnodebyaddr()</function>
-      set
-      <parameter>*error_num</parameter>
-      to an appropriate error code and the function returns a
-      <type>NULL</type>
-      pointer.
-      The error codes and their meanings are defined in
-      <filename>&lt;lwres/netdb.h&gt;</filename>:
-      <variablelist>
-        <varlistentry>
-          <term><constant>HOST_NOT_FOUND</constant></term>
-          <listitem>
-            <para>
-              No such host is known.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>NO_ADDRESS</constant></term>
-          <listitem>
-            <para>
-              The server recognised the request and the name but no address is
-              available.  Another type of request to the name server for the
-              domain might return an answer.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>TRY_AGAIN</constant></term>
-          <listitem>
-            <para>
-              A temporary and possibly transient error occurred, such as a
-              failure of a server to respond.  The request may succeed if
-              retried.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>NO_RECOVERY</constant></term>
-          <listitem>
-            <para>
-              An unexpected failure occurred, and retrying the request
-              is pointless.
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-    <para><citerefentry>
-        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-      translates these error codes to suitable error messages.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>RFC2553</refentrytitle>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.html b/contrib/bind9/lib/lwres/man/lwres_getipnode.html
deleted file mode 100644
index 0fc483d..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.html
+++ /dev/null
@@ -1,279 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getipnode</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent &#8212; lightweight resolver nodename / address translation API</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_getipnodebyname</b>(</code></td>
-<td>const char * </td>
-<td>
-<var class="pdparam">name</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">af</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">flags</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int * </td>
-<td>
-<var class="pdparam">error_num</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_getipnodebyaddr</b>(</code></td>
-<td>const void * </td>
-<td>
-<var class="pdparam">src</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>size_t  </td>
-<td>
-<var class="pdparam">len</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">af</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int * </td>
-<td>
-<var class="pdparam">error_num</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_freehostent</b>(</code></td>
-<td>struct hostent * </td>
-<td>
-<var class="pdparam">he</var><code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543432"></a><h2>DESCRIPTION</h2>
-<p>
-      These functions perform thread safe, protocol independent
-      nodename-to-address and address-to-nodename
-      translation as defined in RFC2553.
-    </p>
-<p>
-      They use a
-      <span class="type">struct hostent</span>
-      which is defined in
-      <code class="filename">namedb.h</code>:
-    </p>
-<pre class="programlisting">
-struct  hostent {
-        char    *h_name;        /* official name of host */
-        char    **h_aliases;    /* alias list */
-        int     h_addrtype;     /* host address type */
-        int     h_length;       /* length of address */
-        char    **h_addr_list;  /* list of addresses from name server */
-};
-#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
-</pre>
-<p>
-    </p>
-<p>
-      The members of this structure are:
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">h_name</code></span></dt>
-<dd><p>
-              The official (canonical) name of the host.
-            </p></dd>
-<dt><span class="term"><code class="constant">h_aliases</code></span></dt>
-<dd><p>
-              A NULL-terminated array of alternate names (nicknames) for the
-              host.
-            </p></dd>
-<dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
-<dd><p>
-              The type of address being returned - usually
-              <span class="type">PF_INET</span>
-              or
-              <span class="type">PF_INET6</span>.
-
-            </p></dd>
-<dt><span class="term"><code class="constant">h_length</code></span></dt>
-<dd><p>
-              The length of the address in bytes.
-            </p></dd>
-<dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
-<dd><p>
-              A
-              <span class="type">NULL</span>
-              terminated array of network addresses for the host.
-              Host addresses are returned in network byte order.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-<p><code class="function">lwres_getipnodebyname()</code>
-      looks up addresses of protocol family <em class="parameter"><code>af</code></em>
-      for the hostname <em class="parameter"><code>name</code></em>.  The
-      <em class="parameter"><code>flags</code></em> parameter contains ORed flag bits
-      to specify the types of addresses that are searched for, and the
-      types of addresses that are returned.  The flag bits are:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">AI_V4MAPPED</code></span></dt>
-<dd><p>
-              This is used with an
-              <em class="parameter"><code>af</code></em>
-              of AF_INET6, and causes IPv4 addresses to be returned as
-              IPv4-mapped
-              IPv6 addresses.
-            </p></dd>
-<dt><span class="term"><code class="constant">AI_ALL</code></span></dt>
-<dd><p>
-              This is used with an
-              <em class="parameter"><code>af</code></em>
-              of AF_INET6, and causes all known addresses (IPv6 and IPv4) to
-              be returned.
-              If AI_V4MAPPED is also set, the IPv4 addresses are return as
-              mapped
-              IPv6 addresses.
-            </p></dd>
-<dt><span class="term"><code class="constant">AI_ADDRCONFIG</code></span></dt>
-<dd><p>
-              Only return an IPv6 or IPv4 address if here is an active network
-              interface of that type.  This is not currently implemented
-              in the BIND 9 lightweight resolver, and the flag is ignored.
-            </p></dd>
-<dt><span class="term"><code class="constant">AI_DEFAULT</code></span></dt>
-<dd><p>
-              This default sets the
-              <code class="constant">AI_V4MAPPED</code>
-              and
-              <code class="constant">AI_ADDRCONFIG</code>
-              flag bits.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-<p><code class="function">lwres_getipnodebyaddr()</code>
-      performs a reverse lookup of address <em class="parameter"><code>src</code></em>
-      which is <em class="parameter"><code>len</code></em> bytes long.
-      <em class="parameter"><code>af</code></em> denotes the protocol family, typically
-      <span class="type">PF_INET</span> or <span class="type">PF_INET6</span>.
-    </p>
-<p><code class="function">lwres_freehostent()</code>
-      releases all the memory associated with the <span class="type">struct
-      hostent</span> pointer <em class="parameter"><code>he</code></em>.  Any memory
-      allocated for the <code class="constant">h_name</code>,
-      <code class="constant">h_addr_list</code> and
-      <code class="constant">h_aliases</code> is freed, as is the memory for
-      the <span class="type">hostent</span> structure itself.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543690"></a><h2>RETURN VALUES</h2>
-<p>
-      If an error occurs,
-      <code class="function">lwres_getipnodebyname()</code>
-      and
-      <code class="function">lwres_getipnodebyaddr()</code>
-      set
-      <em class="parameter"><code>*error_num</code></em>
-      to an appropriate error code and the function returns a
-      <span class="type">NULL</span>
-      pointer.
-      The error codes and their meanings are defined in
-      <code class="filename">&lt;lwres/netdb.h&gt;</code>:
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
-<dd><p>
-              No such host is known.
-            </p></dd>
-<dt><span class="term"><code class="constant">NO_ADDRESS</code></span></dt>
-<dd><p>
-              The server recognised the request and the name but no address is
-              available.  Another type of request to the name server for the
-              domain might return an answer.
-            </p></dd>
-<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
-<dd><p>
-              A temporary and possibly transient error occurred, such as a
-              failure of a server to respond.  The request may succeed if
-              retried.
-            </p></dd>
-<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
-<dd><p>
-              An unexpected failure occurred, and retrying the request
-              is pointless.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-<p><span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
-      translates these error codes to suitable error messages.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543787"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
deleted file mode 100644
index 8ceb47c..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
+++ /dev/null
@@ -1,117 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_getnameinfo
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_getnameinfo \- lightweight resolver socket address structure to hostname and service name
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 22
-.BI "int lwres_getnameinfo(const\ struct\ sockaddr\ *" "sa" ", size_t\ " "salen" ", char\ *" "host" ", size_t\ " "hostlen" ", char\ *" "serv" ", size_t\ " "servlen" ", int\ " "flags" ");"
-.SH "DESCRIPTION"
-.PP
-This function is equivalent to the
-\fBgetnameinfo\fR(3)
-function defined in RFC2133.
-\fBlwres_getnameinfo()\fR
-returns the hostname for the
-\fBstruct sockaddr\fR
-\fIsa\fR
-which is
-\fIsalen\fR
-bytes long. The hostname is of length
-\fIhostlen\fR
-and is returned via
-\fI*host.\fR
-The maximum length of the hostname is 1025 bytes:
-\fBNI_MAXHOST\fR.
-.PP
-The name of the service associated with the port number in
-\fIsa\fR
-is returned in
-\fI*serv.\fR
-It is
-\fIservlen\fR
-bytes long. The maximum length of the service name is
-\fBNI_MAXSERV\fR
-\- 32 bytes.
-.PP
-The
-\fIflags\fR
-argument sets the following bits:
-.PP
-\fBNI_NOFQDN\fR
-.RS 4
-A fully qualified domain name is not required for local hosts. The local part of the fully qualified domain name is returned instead.
-.RE
-.PP
-\fBNI_NUMERICHOST\fR
-.RS 4
-Return the address in numeric form, as if calling inet_ntop(), instead of a host name.
-.RE
-.PP
-\fBNI_NAMEREQD\fR
-.RS 4
-A name is required. If the hostname cannot be found in the DNS and this flag is set, a non\-zero error code is returned. If the hostname is not found and the flag is not set, the address is returned in numeric form.
-.RE
-.PP
-\fBNI_NUMERICSERV\fR
-.RS 4
-The service name is returned as a digit string representing the port number.
-.RE
-.PP
-\fBNI_DGRAM\fR
-.RS 4
-Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512\-514) that have different services for UDP and TCP.
-.RE
-.SH "RETURN VALUES"
-.PP
-\fBlwres_getnameinfo()\fR
-returns 0 on success or a non\-zero error code if an error occurs.
-.SH "SEE ALSO"
-.PP
-\fBRFC2133\fR(),
-\fBgetservbyport\fR(3),
-\fBlwres\fR(3),
-\fBlwres_getnameinfo\fR(3),
-\fBlwres_getnamebyaddr\fR(3).
-\fBlwres_net_ntop\fR(3).
-.SH "BUGS"
-.PP
-RFC2133 fails to define what the nonzero return values of
-\fBgetnameinfo\fR(3)
-are.
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
deleted file mode 100644
index 504dfb7..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
+++ /dev/null
@@ -1,205 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getnameinfo.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_getnameinfo</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_getnameinfo</refname>
-    <refpurpose>lightweight resolver socket address structure to hostname and
-      service name
-    </refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-int
-<function>lwres_getnameinfo</function></funcdef>
-        <paramdef>const struct sockaddr *<parameter>sa</parameter></paramdef>
-        <paramdef>size_t <parameter>salen</parameter></paramdef>
-        <paramdef>char *<parameter>host</parameter></paramdef>
-        <paramdef>size_t <parameter>hostlen</parameter></paramdef>
-        <paramdef>char *<parameter>serv</parameter></paramdef>
-        <paramdef>size_t <parameter>servlen</parameter></paramdef>
-        <paramdef>int <parameter>flags</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para>
-       This function is equivalent to the
-      <citerefentry>
-        <refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry> function defined in RFC2133.
-      <function>lwres_getnameinfo()</function> returns the
-      hostname for the
-      <type>struct sockaddr</type> <parameter>sa</parameter> which
-      is
-      <parameter>salen</parameter> bytes long.  The hostname is of
-      length
-      <parameter>hostlen</parameter> and is returned via
-      <parameter>*host.</parameter> The maximum length of the
-      hostname is
-      1025 bytes: <constant>NI_MAXHOST</constant>.
-    </para>
-
-    <para> The name of the service associated with the port number in
-      <parameter>sa</parameter> is returned in <parameter>*serv.</parameter>
-      It is <parameter>servlen</parameter> bytes long.  The
-      maximum length
-      of the service name is <constant>NI_MAXSERV</constant> - 32
-      bytes.
-    </para>
-
-    <para>
-       The <parameter>flags</parameter> argument sets the
-      following
-      bits:
-      <variablelist>
-        <varlistentry>
-          <term><constant>NI_NOFQDN</constant></term>
-          <listitem>
-            <para>
-              A fully qualified domain name is not required for local hosts.
-              The local part of the fully qualified domain name is returned
-              instead.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>NI_NUMERICHOST</constant></term>
-          <listitem>
-            <para>
-              Return the address in numeric form, as if calling inet_ntop(),
-              instead of a host name.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>NI_NAMEREQD</constant></term>
-          <listitem>
-            <para>
-              A name is required. If the hostname cannot be found in the DNS
-              and
-              this flag is set, a non-zero error code is returned.
-              If the hostname is not found and the flag is not set, the
-              address is returned in numeric form.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>NI_NUMERICSERV</constant></term>
-          <listitem>
-            <para>
-              The service name is returned as a digit string representing the
-              port number.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>NI_DGRAM</constant></term>
-          <listitem>
-            <para>
-              Specifies that the service being looked up is a datagram
-              service,  and causes getservbyport() to be called with a second
-              argument of "udp" instead of its default of "tcp".  This is
-              required
-              for the few ports (512-514) that have different services for UDP
-              and
-              TCP.
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para><function>lwres_getnameinfo()</function>
-      returns 0 on success or a non-zero error code if an error occurs.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>RFC2133</refentrytitle>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>getservbyport</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>lwres_getnamebyaddr</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-      <citerefentry>
-        <refentrytitle>lwres_net_ntop</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>BUGS</title>
-    <para>
-      RFC2133 fails to define what the nonzero return values of
-      <citerefentry>
-        <refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-      are.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
deleted file mode 100644
index 9cc7d5a..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
+++ /dev/null
@@ -1,176 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getnameinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getnameinfo &#8212; lightweight resolver socket address structure to hostname and
-      service name
-    </p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-int
-<b class="fsfunc">lwres_getnameinfo</b>(</code></td>
-<td>const struct sockaddr * </td>
-<td>
-<var class="pdparam">sa</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>size_t  </td>
-<td>
-<var class="pdparam">salen</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>char * </td>
-<td>
-<var class="pdparam">host</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>size_t  </td>
-<td>
-<var class="pdparam">hostlen</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>char * </td>
-<td>
-<var class="pdparam">serv</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>size_t  </td>
-<td>
-<var class="pdparam">servlen</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>int  </td>
-<td>
-<var class="pdparam">flags</var><code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543394"></a><h2>DESCRIPTION</h2>
-<p>
-       This function is equivalent to the
-      <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
-      <code class="function">lwres_getnameinfo()</code> returns the
-      hostname for the
-      <span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which
-      is
-      <em class="parameter"><code>salen</code></em> bytes long.  The hostname is of
-      length
-      <em class="parameter"><code>hostlen</code></em> and is returned via
-      <em class="parameter"><code>*host.</code></em> The maximum length of the
-      hostname is
-      1025 bytes: <code class="constant">NI_MAXHOST</code>.
-    </p>
-<p> The name of the service associated with the port number in
-      <em class="parameter"><code>sa</code></em> is returned in <em class="parameter"><code>*serv.</code></em>
-      It is <em class="parameter"><code>servlen</code></em> bytes long.  The
-      maximum length
-      of the service name is <code class="constant">NI_MAXSERV</code> - 32
-      bytes.
-    </p>
-<p>
-       The <em class="parameter"><code>flags</code></em> argument sets the
-      following
-      bits:
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">NI_NOFQDN</code></span></dt>
-<dd><p>
-              A fully qualified domain name is not required for local hosts.
-              The local part of the fully qualified domain name is returned
-              instead.
-            </p></dd>
-<dt><span class="term"><code class="constant">NI_NUMERICHOST</code></span></dt>
-<dd><p>
-              Return the address in numeric form, as if calling inet_ntop(),
-              instead of a host name.
-            </p></dd>
-<dt><span class="term"><code class="constant">NI_NAMEREQD</code></span></dt>
-<dd><p>
-              A name is required. If the hostname cannot be found in the DNS
-              and
-              this flag is set, a non-zero error code is returned.
-              If the hostname is not found and the flag is not set, the
-              address is returned in numeric form.
-            </p></dd>
-<dt><span class="term"><code class="constant">NI_NUMERICSERV</code></span></dt>
-<dd><p>
-              The service name is returned as a digit string representing the
-              port number.
-            </p></dd>
-<dt><span class="term"><code class="constant">NI_DGRAM</code></span></dt>
-<dd><p>
-              Specifies that the service being looked up is a datagram
-              service,  and causes getservbyport() to be called with a second
-              argument of "udp" instead of its default of "tcp".  This is
-              required
-              for the few ports (512-514) that have different services for UDP
-              and
-              TCP.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543536"></a><h2>RETURN VALUES</h2>
-<p><code class="function">lwres_getnameinfo()</code>
-      returns 0 on success or a non-zero error code if an error occurs.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543547"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
-      <span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
-      <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-      <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
-      <span class="citerefentry"><span class="refentrytitle">lwres_getnamebyaddr</span>(3)</span>.
-      <span class="citerefentry"><span class="refentrytitle">lwres_net_ntop</span>(3)</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543605"></a><h2>BUGS</h2>
-<p>
-      RFC2133 fails to define what the nonzero return values of
-      <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
-      are.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3 b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
deleted file mode 100644
index f2e3341..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
+++ /dev/null
@@ -1,164 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_getrrsetbyname
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Oct 18, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 25
-.BI "int lwres_getrrsetbyname(const\ char\ *" "hostname" ", unsigned\ int\ " "rdclass" ", unsigned\ int\ " "rdtype" ", unsigned\ int\ " "flags" ", struct\ rrsetinfo\ **" "res" ");"
-.HP 21
-.BI "void lwres_freerrset(struct\ rrsetinfo\ *" "rrset" ");"
-.PP
-The following structures are used:
-.PP
-.RS 4
-.nf
-struct  rdatainfo {
-        unsigned int            rdi_length;     /* length of data */
-        unsigned char           *rdi_data;      /* record data */
-};
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-struct  rrsetinfo {
-        unsigned int            rri_flags;      /* RRSET_VALIDATED... */
-        unsigned int            rri_rdclass;    /* class number */
-        unsigned int            rri_rdtype;     /* RR type number */
-        unsigned int            rri_ttl;        /* time to live */
-        unsigned int            rri_nrdatas;    /* size of rdatas array */
-        unsigned int            rri_nsigs;      /* size of sigs array */
-        char                    *rri_name;      /* canonical name */
-        struct rdatainfo        *rri_rdatas;    /* individual records */
-        struct rdatainfo        *rri_sigs;      /* individual signatures */
-};
-.fi
-.RE
-.sp
-.SH "DESCRIPTION"
-.PP
-\fBlwres_getrrsetbyname()\fR
-gets a set of resource records associated with a
-\fIhostname\fR,
-\fIclass\fR, and
-\fItype\fR.
-\fIhostname\fR
-is a pointer a to null\-terminated string. The
-\fIflags\fR
-field is currently unused and must be zero.
-.PP
-After a successful call to
-\fBlwres_getrrsetbyname()\fR,
-\fI*res\fR
-is a pointer to an
-\fBrrsetinfo\fR
-structure, containing a list of one or more
-\fBrdatainfo\fR
-structures containing resource records and potentially another list of
-\fBrdatainfo\fR
-structures containing SIG resource records associated with those records. The members
-\fBrri_rdclass\fR
-and
-\fBrri_rdtype\fR
-are copied from the parameters.
-\fBrri_ttl\fR
-and
-\fBrri_name\fR
-are properties of the obtained rrset. The resource records contained in
-\fBrri_rdatas\fR
-and
-\fBrri_sigs\fR
-are in uncompressed DNS wire format. Properties of the rdataset are represented in the
-\fBrri_flags\fR
-bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC validated and the signatures verified.
-.PP
-All of the information returned by
-\fBlwres_getrrsetbyname()\fR
-is dynamically allocated: the
-\fBrrsetinfo\fR
-and
-\fBrdatainfo\fR
-structures, and the canonical host name strings pointed to by the
-\fBrrsetinfo\fRstructure. Memory allocated for the dynamically allocated structures created by a successful call to
-\fBlwres_getrrsetbyname()\fR
-is released by
-\fBlwres_freerrset()\fR.
-\fIrrset\fR
-is a pointer to a
-\fBstruct rrset\fR
-created by a call to
-\fBlwres_getrrsetbyname()\fR.
-.PP
-.SH "RETURN VALUES"
-.PP
-\fBlwres_getrrsetbyname()\fR
-returns zero on success, and one of the following error codes if an error occurred:
-.PP
-\fBERRSET_NONAME\fR
-.RS 4
-the name does not exist
-.RE
-.PP
-\fBERRSET_NODATA\fR
-.RS 4
-the name exists, but does not have data of the desired type
-.RE
-.PP
-\fBERRSET_NOMEMORY\fR
-.RS 4
-memory could not be allocated
-.RE
-.PP
-\fBERRSET_INVAL\fR
-.RS 4
-a parameter is invalid
-.RE
-.PP
-\fBERRSET_FAIL\fR
-.RS 4
-other failure
-.RE
-.PP
-.RS 4
-.RE
-.SH "SEE ALSO"
-.PP
-\fBlwres\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
deleted file mode 100644
index 5f2a68d..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
+++ /dev/null
@@ -1,223 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getrrsetbyname.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Oct 18, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_getrrsetbyname</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_getrrsetbyname</refname>
-    <refname>lwres_freerrset</refname>
-    <refpurpose>retrieve DNS records</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-int
-<function>lwres_getrrsetbyname</function></funcdef>
-        <paramdef>const char *<parameter>hostname</parameter></paramdef>
-        <paramdef>unsigned int <parameter>rdclass</parameter></paramdef>
-        <paramdef>unsigned int <parameter>rdtype</parameter></paramdef>
-        <paramdef>unsigned int <parameter>flags</parameter></paramdef>
-        <paramdef>struct rrsetinfo **<parameter>res</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_freerrset</function></funcdef>
-        <paramdef>struct rrsetinfo *<parameter>rrset</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-
-    <para>
-      The following structures are used:
-    </para>
-    <para><programlisting>
-struct  rdatainfo {
-        unsigned int            rdi_length;     /* length of data */
-        unsigned char           *rdi_data;      /* record data */
-};
-</programlisting>
-    </para>
-    <para><programlisting>
-struct  rrsetinfo {
-        unsigned int            rri_flags;      /* RRSET_VALIDATED... */
-        unsigned int            rri_rdclass;    /* class number */
-        unsigned int            rri_rdtype;     /* RR type number */
-        unsigned int            rri_ttl;        /* time to live */
-        unsigned int            rri_nrdatas;    /* size of rdatas array */
-        unsigned int            rri_nsigs;      /* size of sigs array */
-        char                    *rri_name;      /* canonical name */
-        struct rdatainfo        *rri_rdatas;    /* individual records */
-        struct rdatainfo        *rri_sigs;      /* individual signatures */
-};
-</programlisting>
-    </para>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para><function>lwres_getrrsetbyname()</function>
-      gets a set of resource records associated with a
-      <parameter>hostname</parameter>, <parameter>class</parameter>,
-      and <parameter>type</parameter>.
-      <parameter>hostname</parameter> is a pointer a to
-      null-terminated string.  The <parameter>flags</parameter> field
-      is currently unused and must be zero.
-    </para>
-    <para>
-      After a successful call to
-      <function>lwres_getrrsetbyname()</function>,
-      <parameter>*res</parameter> is a pointer to an
-      <type>rrsetinfo</type> structure, containing a list of one or
-      more <type>rdatainfo</type> structures containing resource
-      records and potentially another list of <type>rdatainfo</type>
-      structures containing SIG resource records associated with those
-      records.  The members <constant>rri_rdclass</constant> and
-      <constant>rri_rdtype</constant> are copied from the parameters.
-      <constant>rri_ttl</constant> and <constant>rri_name</constant>
-      are properties of the obtained rrset.  The resource records
-      contained in <constant>rri_rdatas</constant> and
-      <constant>rri_sigs</constant> are in uncompressed DNS wire
-      format.  Properties of the rdataset are represented in the
-      <constant>rri_flags</constant> bitfield.  If the RRSET_VALIDATED
-      bit is set, the data has been DNSSEC validated and the
-      signatures verified.
-    </para>
-    <para>
-      All of the information returned by
-      <function>lwres_getrrsetbyname()</function> is dynamically
-      allocated: the <constant>rrsetinfo</constant> and
-      <constant>rdatainfo</constant> structures, and the canonical
-      host name strings pointed to by the
-      <constant>rrsetinfo</constant>structure.
-
-      Memory allocated for the dynamically allocated structures
-      created by a successful call to
-      <function>lwres_getrrsetbyname()</function> is released by
-      <function>lwres_freerrset()</function>.
-
-      <parameter>rrset</parameter> is a pointer to a <type>struct
-      rrset</type> created by a call to
-      <function>lwres_getrrsetbyname()</function>.
-    </para>
-    <para></para>
-  </refsect1>
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para><function>lwres_getrrsetbyname()</function>
-      returns zero on success, and one of the following error codes if
-      an error occurred:
-      <variablelist>
-
-        <varlistentry>
-          <term><constant>ERRSET_NONAME</constant></term>
-          <listitem>
-            <para>
-              the name does not exist
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><constant>ERRSET_NODATA</constant></term>
-          <listitem>
-            <para>
-              the name exists, but does not have data of the desired type
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><constant>ERRSET_NOMEMORY</constant></term>
-          <listitem>
-            <para>
-              memory could not be allocated
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><constant>ERRSET_INVAL</constant></term>
-          <listitem>
-            <para>
-              a parameter is invalid
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><constant>ERRSET_FAIL</constant></term>
-          <listitem>
-            <para>
-              other failure
-            </para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term><constant/></term>
-          <listitem>
-            <para></para>
-          </listitem>
-        </varlistentry>
-
-      </variablelist>
-
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-    </para>
-
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
deleted file mode 100644
index e7d68bb..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
+++ /dev/null
@@ -1,192 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getrrsetbyname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getrrsetbyname, lwres_freerrset &#8212; retrieve DNS records</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-int
-<b class="fsfunc">lwres_getrrsetbyname</b>(</code></td>
-<td>const char * </td>
-<td>
-<var class="pdparam">hostname</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">rdclass</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">rdtype</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>unsigned int  </td>
-<td>
-<var class="pdparam">flags</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>struct rrsetinfo ** </td>
-<td>
-<var class="pdparam">res</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_freerrset</b>(</code></td>
-<td>struct rrsetinfo * </td>
-<td>
-<var class="pdparam">rrset</var><code>)</code>;</td>
-</tr></table>
-</div>
-<p>
-      The following structures are used:
-    </p>
-<pre class="programlisting">
-struct  rdatainfo {
-        unsigned int            rdi_length;     /* length of data */
-        unsigned char           *rdi_data;      /* record data */
-};
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-struct  rrsetinfo {
-        unsigned int            rri_flags;      /* RRSET_VALIDATED... */
-        unsigned int            rri_rdclass;    /* class number */
-        unsigned int            rri_rdtype;     /* RR type number */
-        unsigned int            rri_ttl;        /* time to live */
-        unsigned int            rri_nrdatas;    /* size of rdatas array */
-        unsigned int            rri_nsigs;      /* size of sigs array */
-        char                    *rri_name;      /* canonical name */
-        struct rdatainfo        *rri_rdatas;    /* individual records */
-        struct rdatainfo        *rri_sigs;      /* individual signatures */
-};
-</pre>
-<p>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543415"></a><h2>DESCRIPTION</h2>
-<p><code class="function">lwres_getrrsetbyname()</code>
-      gets a set of resource records associated with a
-      <em class="parameter"><code>hostname</code></em>, <em class="parameter"><code>class</code></em>,
-      and <em class="parameter"><code>type</code></em>.
-      <em class="parameter"><code>hostname</code></em> is a pointer a to
-      null-terminated string.  The <em class="parameter"><code>flags</code></em> field
-      is currently unused and must be zero.
-    </p>
-<p>
-      After a successful call to
-      <code class="function">lwres_getrrsetbyname()</code>,
-      <em class="parameter"><code>*res</code></em> is a pointer to an
-      <span class="type">rrsetinfo</span> structure, containing a list of one or
-      more <span class="type">rdatainfo</span> structures containing resource
-      records and potentially another list of <span class="type">rdatainfo</span>
-      structures containing SIG resource records associated with those
-      records.  The members <code class="constant">rri_rdclass</code> and
-      <code class="constant">rri_rdtype</code> are copied from the parameters.
-      <code class="constant">rri_ttl</code> and <code class="constant">rri_name</code>
-      are properties of the obtained rrset.  The resource records
-      contained in <code class="constant">rri_rdatas</code> and
-      <code class="constant">rri_sigs</code> are in uncompressed DNS wire
-      format.  Properties of the rdataset are represented in the
-      <code class="constant">rri_flags</code> bitfield.  If the RRSET_VALIDATED
-      bit is set, the data has been DNSSEC validated and the
-      signatures verified.
-    </p>
-<p>
-      All of the information returned by
-      <code class="function">lwres_getrrsetbyname()</code> is dynamically
-      allocated: the <code class="constant">rrsetinfo</code> and
-      <code class="constant">rdatainfo</code> structures, and the canonical
-      host name strings pointed to by the
-      <code class="constant">rrsetinfo</code>structure.
-
-      Memory allocated for the dynamically allocated structures
-      created by a successful call to
-      <code class="function">lwres_getrrsetbyname()</code> is released by
-      <code class="function">lwres_freerrset()</code>.
-
-      <em class="parameter"><code>rrset</code></em> is a pointer to a <span class="type">struct
-      rrset</span> created by a call to
-      <code class="function">lwres_getrrsetbyname()</code>.
-    </p>
-<p></p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543527"></a><h2>RETURN VALUES</h2>
-<p><code class="function">lwres_getrrsetbyname()</code>
-      returns zero on success, and one of the following error codes if
-      an error occurred:
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">ERRSET_NONAME</code></span></dt>
-<dd><p>
-              the name does not exist
-            </p></dd>
-<dt><span class="term"><code class="constant">ERRSET_NODATA</code></span></dt>
-<dd><p>
-              the name exists, but does not have data of the desired type
-            </p></dd>
-<dt><span class="term"><code class="constant">ERRSET_NOMEMORY</code></span></dt>
-<dd><p>
-              memory could not be allocated
-            </p></dd>
-<dt><span class="term"><code class="constant">ERRSET_INVAL</code></span></dt>
-<dd><p>
-              a parameter is invalid
-            </p></dd>
-<dt><span class="term"><code class="constant">ERRSET_FAIL</code></span></dt>
-<dd><p>
-              other failure
-            </p></dd>
-<dt><span class="term"><code class="constant"></code></span></dt>
-<dd><p></p></dd>
-</dl></div>
-<p>
-
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543627"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.3 b/contrib/bind9/lib/lwres/man/lwres_gnba.3
deleted file mode 100644
index 4135190..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.3
+++ /dev/null
@@ -1,183 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_gnba
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free \- lightweight resolver getnamebyaddress message handling
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 40
-.BI "lwres_result_t lwres_gnbarequest_render(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
-.HP 41
-.BI "lwres_result_t lwres_gnbaresponse_render(lwres_context_t\ *" "ctx" ", lwres_gnbaresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
-.HP 39
-.BI "lwres_result_t lwres_gnbarequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gnbarequest_t\ **" "structp" ");"
-.HP 40
-.BI "lwres_result_t lwres_gnbaresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gnbaresponse_t\ **" "structp" ");"
-.HP 29
-.BI "void lwres_gnbaresponse_free(lwres_context_t\ *" "ctx" ", lwres_gnbaresponse_t\ **" "structp" ");"
-.HP 28
-.BI "void lwres_gnbarequest_free(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ **" "structp" ");"
-.SH "DESCRIPTION"
-.PP
-These are low\-level routines for creating and parsing lightweight resolver address\-to\-name lookup request and response messages.
-.PP
-There are four main functions for the getnamebyaddr opcode. One render function converts a getnamebyaddr request structure \(em
-\fBlwres_gnbarequest_t\fR
-\(em to the lightweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getnamebyaddr request structure. Another render function converts the getnamebyaddr response structure \(em
-\fBlwres_gnbaresponse_t\fR
-to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a getnamebyaddr response structure.
-.PP
-These structures are defined in
-\fIlwres/lwres.h\fR. They are shown below.
-.PP
-.RS 4
-.nf
-#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_addr_t    addr;
-} lwres_gnbarequest_t;
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_uint16_t  naliases;
-        char           *realname;
-        char          **aliases;
-        lwres_uint16_t  realnamelen;
-        lwres_uint16_t *aliaslen;
-        void           *base;
-        size_t          baselen;
-} lwres_gnbaresponse_t;
-.fi
-.RE
-.sp
-.PP
-\fBlwres_gnbarequest_render()\fR
-uses resolver context
-\fIctx\fR
-to convert getnamebyaddr request structure
-\fIreq\fR
-to canonical format. The packet header structure
-\fIpkt\fR
-is initialised and transferred to buffer
-\fIb\fR. The contents of
-\fI*req\fR
-are then appended to the buffer in canonical format.
-\fBlwres_gnbaresponse_render()\fR
-performs the same task, except it converts a getnamebyaddr response structure
-\fBlwres_gnbaresponse_t\fR
-to the lightweight resolver's canonical format.
-.PP
-\fBlwres_gnbarequest_parse()\fR
-uses context
-\fIctx\fR
-to convert the contents of packet
-\fIpkt\fR
-to a
-\fBlwres_gnbarequest_t\fR
-structure. Buffer
-\fIb\fR
-provides space to be used for storing this structure. When the function succeeds, the resulting
-\fBlwres_gnbarequest_t\fR
-is made available through
-\fI*structp\fR.
-\fBlwres_gnbaresponse_parse()\fR
-offers the same semantics as
-\fBlwres_gnbarequest_parse()\fR
-except it yields a
-\fBlwres_gnbaresponse_t\fR
-structure.
-.PP
-\fBlwres_gnbaresponse_free()\fR
-and
-\fBlwres_gnbarequest_free()\fR
-release the memory in resolver context
-\fIctx\fR
-that was allocated to the
-\fBlwres_gnbaresponse_t\fR
-or
-\fBlwres_gnbarequest_t\fR
-structures referenced via
-\fIstructp\fR. Any memory associated with ancillary buffers and strings for those structures is also discarded.
-.SH "RETURN VALUES"
-.PP
-The getnamebyaddr opcode functions
-\fBlwres_gnbarequest_render()\fR,
-\fBlwres_gnbaresponse_render()\fR
-\fBlwres_gnbarequest_parse()\fR
-and
-\fBlwres_gnbaresponse_parse()\fR
-all return
-\fBLWRES_R_SUCCESS\fR
-on success. They return
-\fBLWRES_R_NOMEMORY\fR
-if memory allocation fails.
-\fBLWRES_R_UNEXPECTEDEND\fR
-is returned if the available space in the buffer
-\fIb\fR
-is too small to accommodate the packet header or the
-\fBlwres_gnbarequest_t\fR
-and
-\fBlwres_gnbaresponse_t\fR
-structures.
-\fBlwres_gnbarequest_parse()\fR
-and
-\fBlwres_gnbaresponse_parse()\fR
-will return
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer is not empty after decoding the received packet. These functions will return
-\fBLWRES_R_FAILURE\fR
-if
-pktflags
-in the packet header structure
-\fBlwres_lwpacket_t\fR
-indicate that the packet is not a response to an earlier query.
-.SH "SEE ALSO"
-.PP
-\fBlwres_packet\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.docbook b/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
deleted file mode 100644
index 452cdfc..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
+++ /dev/null
@@ -1,261 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gnba.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_gnba</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_gnbarequest_render</refname>
-    <refname>lwres_gnbaresponse_render</refname>
-    <refname>lwres_gnbarequest_parse</refname>
-    <refname>lwres_gnbaresponse_parse</refname>
-    <refname>lwres_gnbaresponse_free</refname>
-    <refname>lwres_gnbarequest_free</refname>
-    <refpurpose>lightweight resolver getnamebyaddress message handling</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-
-    <funcsynopsis>
-<funcsynopsisinfo>
-#include &lt;lwres/lwres.h&gt;
-</funcsynopsisinfo>
-
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_gnbarequest_render</function>
-</funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_gnbarequest_t *<parameter>req</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_gnbaresponse_render</function>
-</funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_gnbaresponse_t *<parameter>req</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_gnbarequest_parse</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_gnbarequest_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_gnbaresponse_parse</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_gnbaresponse_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_gnbaresponse_free</function>
-</funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_gnbaresponse_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_gnbarequest_free</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_gnbarequest_t **<parameter>structp</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      These are low-level routines for creating and parsing
-      lightweight resolver address-to-name lookup request and
-      response messages.
-    </para>
-    <para>
-      There are four main functions for the getnamebyaddr opcode.
-      One render function converts a getnamebyaddr request structure &mdash;
-      <type>lwres_gnbarequest_t</type> &mdash;
-      to the lightweight resolver's canonical format.
-      It is complemented by a parse function that converts a packet in this
-      canonical format to a getnamebyaddr request structure.
-      Another render function converts the getnamebyaddr response structure
-      &mdash;
-      <type>lwres_gnbaresponse_t</type>
-      to the canonical format.
-      This is complemented by a parse function which converts a packet in
-      canonical format to a getnamebyaddr response structure.
-    </para>
-    <para>
-      These structures are defined in
-      <filename>lwres/lwres.h</filename>.
-      They are shown below.
-    </para>
-    <para><programlisting>
-#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
-</programlisting>
-    </para>
-    <para><programlisting>
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_addr_t    addr;
-} lwres_gnbarequest_t;
-</programlisting>
-    </para>
-    <para><programlisting>
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_uint16_t  naliases;
-        char           *realname;
-        char          **aliases;
-        lwres_uint16_t  realnamelen;
-        lwres_uint16_t *aliaslen;
-        void           *base;
-        size_t          baselen;
-} lwres_gnbaresponse_t;
-</programlisting>
-    </para>
-
-    <para><function>lwres_gnbarequest_render()</function>
-      uses resolver context <varname>ctx</varname> to convert
-      getnamebyaddr request structure <varname>req</varname> to
-      canonical format.  The packet header structure
-      <varname>pkt</varname> is initialised and transferred to buffer
-      <varname>b</varname>.  The contents of <varname>*req</varname>
-      are then appended to the buffer in canonical format.
-      <function>lwres_gnbaresponse_render()</function> performs the
-      same task, except it converts a getnamebyaddr response structure
-      <type>lwres_gnbaresponse_t</type> to the lightweight resolver's
-      canonical format.
-    </para>
-
-    <para><function>lwres_gnbarequest_parse()</function>
-      uses context <varname>ctx</varname> to convert the contents of
-      packet <varname>pkt</varname> to a
-      <type>lwres_gnbarequest_t</type> structure.  Buffer
-      <varname>b</varname> provides space to be used for storing this
-      structure.  When the function succeeds, the resulting
-      <type>lwres_gnbarequest_t</type> is made available through
-      <varname>*structp</varname>.
-      <function>lwres_gnbaresponse_parse()</function> offers the same
-      semantics as <function>lwres_gnbarequest_parse()</function>
-      except it yields a <type>lwres_gnbaresponse_t</type> structure.
-    </para>
-
-    <para><function>lwres_gnbaresponse_free()</function>
-      and <function>lwres_gnbarequest_free()</function> release the
-      memory in resolver context <varname>ctx</varname> that was
-      allocated to the <type>lwres_gnbaresponse_t</type> or
-      <type>lwres_gnbarequest_t</type> structures referenced via
-      <varname>structp</varname>.  Any memory associated with
-      ancillary buffers and strings for those structures is also
-      discarded.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para>
-      The getnamebyaddr opcode functions
-      <function>lwres_gnbarequest_render()</function>,
-      <function>lwres_gnbaresponse_render()</function>
-      <function>lwres_gnbarequest_parse()</function>
-      and
-      <function>lwres_gnbaresponse_parse()</function>
-      all return
-      <errorcode>LWRES_R_SUCCESS</errorcode>
-      on success.
-      They return
-      <errorcode>LWRES_R_NOMEMORY</errorcode>
-      if memory allocation fails.
-      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-      is returned if the available space in the buffer
-      <varname>b</varname>
-      is too small to accommodate the packet header or the
-      <type>lwres_gnbarequest_t</type>
-      and
-      <type>lwres_gnbaresponse_t</type>
-      structures.
-      <function>lwres_gnbarequest_parse()</function>
-      and
-      <function>lwres_gnbaresponse_parse()</function>
-      will return
-      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-      if the buffer is not empty after decoding the received packet.
-      These functions will return
-      <errorcode>LWRES_R_FAILURE</errorcode>
-      if
-      <structfield>pktflags</structfield>
-      in the packet header structure
-      <type>lwres_lwpacket_t</type>
-      indicate that the packet is not a response to an earlier query.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.html b/contrib/bind9/lib/lwres/man/lwres_gnba.html
deleted file mode 100644
index 6d61b87..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.html
+++ /dev/null
@@ -1,316 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gnba</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476274"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free &#8212; lightweight resolver getnamebyaddress message handling</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">
-#include &lt;lwres/lwres.h&gt;
-</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbarequest_render</b>
-(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gnbarequest_t * </td>
-<td>
-<var class="pdparam">req</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbaresponse_render</b>
-(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gnbaresponse_t * </td>
-<td>
-<var class="pdparam">req</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbarequest_parse</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gnbarequest_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbaresponse_parse</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gnbaresponse_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gnbaresponse_free</b>
-(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gnbaresponse_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gnbarequest_free</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gnbarequest_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543527"></a><h2>DESCRIPTION</h2>
-<p>
-      These are low-level routines for creating and parsing
-      lightweight resolver address-to-name lookup request and
-      response messages.
-    </p>
-<p>
-      There are four main functions for the getnamebyaddr opcode.
-      One render function converts a getnamebyaddr request structure &#8212;
-      <span class="type">lwres_gnbarequest_t</span> &#8212;
-      to the lightweight resolver's canonical format.
-      It is complemented by a parse function that converts a packet in this
-      canonical format to a getnamebyaddr request structure.
-      Another render function converts the getnamebyaddr response structure
-      &#8212;
-      <span class="type">lwres_gnbaresponse_t</span>
-      to the canonical format.
-      This is complemented by a parse function which converts a packet in
-      canonical format to a getnamebyaddr response structure.
-    </p>
-<p>
-      These structures are defined in
-      <code class="filename">lwres/lwres.h</code>.
-      They are shown below.
-    </p>
-<pre class="programlisting">
-#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_addr_t    addr;
-} lwres_gnbarequest_t;
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-typedef struct {
-        lwres_uint32_t  flags;
-        lwres_uint16_t  naliases;
-        char           *realname;
-        char          **aliases;
-        lwres_uint16_t  realnamelen;
-        lwres_uint16_t *aliaslen;
-        void           *base;
-        size_t          baselen;
-} lwres_gnbaresponse_t;
-</pre>
-<p>
-    </p>
-<p><code class="function">lwres_gnbarequest_render()</code>
-      uses resolver context <code class="varname">ctx</code> to convert
-      getnamebyaddr request structure <code class="varname">req</code> to
-      canonical format.  The packet header structure
-      <code class="varname">pkt</code> is initialised and transferred to buffer
-      <code class="varname">b</code>.  The contents of <code class="varname">*req</code>
-      are then appended to the buffer in canonical format.
-      <code class="function">lwres_gnbaresponse_render()</code> performs the
-      same task, except it converts a getnamebyaddr response structure
-      <span class="type">lwres_gnbaresponse_t</span> to the lightweight resolver's
-      canonical format.
-    </p>
-<p><code class="function">lwres_gnbarequest_parse()</code>
-      uses context <code class="varname">ctx</code> to convert the contents of
-      packet <code class="varname">pkt</code> to a
-      <span class="type">lwres_gnbarequest_t</span> structure.  Buffer
-      <code class="varname">b</code> provides space to be used for storing this
-      structure.  When the function succeeds, the resulting
-      <span class="type">lwres_gnbarequest_t</span> is made available through
-      <code class="varname">*structp</code>.
-      <code class="function">lwres_gnbaresponse_parse()</code> offers the same
-      semantics as <code class="function">lwres_gnbarequest_parse()</code>
-      except it yields a <span class="type">lwres_gnbaresponse_t</span> structure.
-    </p>
-<p><code class="function">lwres_gnbaresponse_free()</code>
-      and <code class="function">lwres_gnbarequest_free()</code> release the
-      memory in resolver context <code class="varname">ctx</code> that was
-      allocated to the <span class="type">lwres_gnbaresponse_t</span> or
-      <span class="type">lwres_gnbarequest_t</span> structures referenced via
-      <code class="varname">structp</code>.  Any memory associated with
-      ancillary buffers and strings for those structures is also
-      discarded.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543667"></a><h2>RETURN VALUES</h2>
-<p>
-      The getnamebyaddr opcode functions
-      <code class="function">lwres_gnbarequest_render()</code>,
-      <code class="function">lwres_gnbaresponse_render()</code>
-      <code class="function">lwres_gnbarequest_parse()</code>
-      and
-      <code class="function">lwres_gnbaresponse_parse()</code>
-      all return
-      <span class="errorcode">LWRES_R_SUCCESS</span>
-      on success.
-      They return
-      <span class="errorcode">LWRES_R_NOMEMORY</span>
-      if memory allocation fails.
-      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-      is returned if the available space in the buffer
-      <code class="varname">b</code>
-      is too small to accommodate the packet header or the
-      <span class="type">lwres_gnbarequest_t</span>
-      and
-      <span class="type">lwres_gnbaresponse_t</span>
-      structures.
-      <code class="function">lwres_gnbarequest_parse()</code>
-      and
-      <code class="function">lwres_gnbaresponse_parse()</code>
-      will return
-      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-      if the buffer is not empty after decoding the received packet.
-      These functions will return
-      <span class="errorcode">LWRES_R_FAILURE</span>
-      if
-      <em class="structfield"><code>pktflags</code></em>
-      in the packet header structure
-      <span class="type">lwres_lwpacket_t</span>
-      indicate that the packet is not a response to an earlier query.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543733"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.3 b/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
deleted file mode 100644
index 6d24cf6..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
+++ /dev/null
@@ -1,99 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_hstrerror
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_herror, lwres_hstrerror \- lightweight resolver error message generation
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 18
-.BI "void lwres_herror(const\ char\ *" "s" ");"
-.HP 29
-.BI "const char * lwres_hstrerror(int\ " "err" ");"
-.SH "DESCRIPTION"
-.PP
-\fBlwres_herror()\fR
-prints the string
-\fIs\fR
-on
-\fBstderr\fR
-followed by the string generated by
-\fBlwres_hstrerror()\fR
-for the error code stored in the global variable
-\fBlwres_h_errno\fR.
-.PP
-\fBlwres_hstrerror()\fR
-returns an appropriate string for the error code gievn by
-\fIerr\fR. The values of the error codes and messages are as follows:
-.PP
-\fBNETDB_SUCCESS\fR
-.RS 4
-Resolver Error 0 (no error)
-.RE
-.PP
-\fBHOST_NOT_FOUND\fR
-.RS 4
-Unknown host
-.RE
-.PP
-\fBTRY_AGAIN\fR
-.RS 4
-Host name lookup failure
-.RE
-.PP
-\fBNO_RECOVERY\fR
-.RS 4
-Unknown server error
-.RE
-.PP
-\fBNO_DATA\fR
-.RS 4
-No address associated with name
-.RE
-.SH "RETURN VALUES"
-.PP
-The string
-Unknown resolver error
-is returned by
-\fBlwres_hstrerror()\fR
-when the value of
-\fBlwres_h_errno\fR
-is not a valid error code.
-.SH "SEE ALSO"
-.PP
-\fBherror\fR(3),
-\fBlwres_hstrerror\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook b/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
deleted file mode 100644
index ca4589e..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
+++ /dev/null
@@ -1,152 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_hstrerror.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_hstrerror</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_herror</refname>
-    <refname>lwres_hstrerror</refname>
-    <refpurpose>lightweight resolver error message generation</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_herror</function></funcdef>
-        <paramdef>const char *<parameter>s</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-const char *
-<function>lwres_hstrerror</function></funcdef>
-        <paramdef>int <parameter>err</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para><function>lwres_herror()</function>
-      prints the string <parameter>s</parameter> on
-      <type>stderr</type> followed by the string generated by
-      <function>lwres_hstrerror()</function> for the error code stored
-      in the global variable <constant>lwres_h_errno</constant>.
-    </para>
-
-    <para><function>lwres_hstrerror()</function>
-      returns an appropriate string for the error code gievn by
-      <parameter>err</parameter>.  The values of the error codes and
-      messages are as follows:
-
-      <variablelist>
-        <varlistentry>
-          <term><errorcode>NETDB_SUCCESS</errorcode></term>
-          <listitem>
-            <para><errorname>Resolver Error 0 (no error)</errorname>
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>HOST_NOT_FOUND</errorcode></term>
-          <listitem>
-            <para><errorname>Unknown host</errorname>
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>TRY_AGAIN</errorcode></term>
-          <listitem>
-            <para><errorname>Host name lookup failure</errorname>
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>NO_RECOVERY</errorcode></term>
-          <listitem>
-            <para><errorname>Unknown server error</errorname>
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><errorcode>NO_DATA</errorcode></term>
-          <listitem>
-            <para><errorname>No address associated with name</errorname>
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para>
-      The string <errorname>Unknown resolver error</errorname> is returned by
-      <function>lwres_hstrerror()</function>
-      when the value of
-      <constant>lwres_h_errno</constant>
-      is not a valid error code.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>herror</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-    </para>
-
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.html b/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
deleted file mode 100644
index 8d4e9d6..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
+++ /dev/null
@@ -1,104 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_hstrerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_herror, lwres_hstrerror &#8212; lightweight resolver error message generation</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_herror</b>(</code></td>
-<td>const char * </td>
-<td>
-<var class="pdparam">s</var><code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-const char *
-<b class="fsfunc">lwres_hstrerror</b>(</code></td>
-<td>int  </td>
-<td>
-<var class="pdparam">err</var><code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543380"></a><h2>DESCRIPTION</h2>
-<p><code class="function">lwres_herror()</code>
-      prints the string <em class="parameter"><code>s</code></em> on
-      <span class="type">stderr</span> followed by the string generated by
-      <code class="function">lwres_hstrerror()</code> for the error code stored
-      in the global variable <code class="constant">lwres_h_errno</code>.
-    </p>
-<p><code class="function">lwres_hstrerror()</code>
-      returns an appropriate string for the error code gievn by
-      <em class="parameter"><code>err</code></em>.  The values of the error codes and
-      messages are as follows:
-
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span class="errorcode">NETDB_SUCCESS</span></span></dt>
-<dd><p><span class="errorname">Resolver Error 0 (no error)</span>
-            </p></dd>
-<dt><span class="term"><span class="errorcode">HOST_NOT_FOUND</span></span></dt>
-<dd><p><span class="errorname">Unknown host</span>
-            </p></dd>
-<dt><span class="term"><span class="errorcode">TRY_AGAIN</span></span></dt>
-<dd><p><span class="errorname">Host name lookup failure</span>
-            </p></dd>
-<dt><span class="term"><span class="errorcode">NO_RECOVERY</span></span></dt>
-<dd><p><span class="errorname">Unknown server error</span>
-            </p></dd>
-<dt><span class="term"><span class="errorcode">NO_DATA</span></span></dt>
-<dd><p><span class="errorname">No address associated with name</span>
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543498"></a><h2>RETURN VALUES</h2>
-<p>
-      The string <span class="errorname">Unknown resolver error</span> is returned by
-      <code class="function">lwres_hstrerror()</code>
-      when the value of
-      <code class="constant">lwres_h_errno</code>
-      is not a valid error code.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543518"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.3 b/contrib/bind9/lib/lwres/man/lwres_inetntop.3
deleted file mode 100644
index 0dfe5e6..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.3
+++ /dev/null
@@ -1,77 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_inetntop
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_net_ntop \- lightweight resolver IP address presentation
-.SH "SYNOPSIS"
-.nf
-#include <lwres/net.h>
-.fi
-.HP 28
-.BI "const char * lwres_net_ntop(int\ " "af" ", const\ void\ *" "src" ", char\ *" "dst" ", size_t\ " "size" ");"
-.SH "DESCRIPTION"
-.PP
-\fBlwres_net_ntop()\fR
-converts an IP address of protocol family
-\fIaf\fR
-\(em IPv4 or IPv6 \(em at location
-\fIsrc\fR
-from network format to its conventional representation as a string. For IPv4 addresses, that string would be a dotted\-decimal. An IPv6 address would be represented in colon notation as described in RFC1884.
-.PP
-The generated string is copied to
-\fIdst\fR
-provided
-\fIsize\fR
-indicates it is long enough to store the ASCII representation of the address.
-.SH "RETURN VALUES"
-.PP
-If successful, the function returns
-\fIdst\fR: a pointer to a string containing the presentation format of the address.
-\fBlwres_net_ntop()\fR
-returns
-\fBNULL\fR
-and sets the global variable
-\fBerrno\fR
-to
-\fBEAFNOSUPPORT\fR
-if the protocol family given in
-\fIaf\fR
-is not supported.
-.SH "SEE ALSO"
-.PP
-\fBRFC1884\fR(),
-\fBinet_ntop\fR(3),
-\fBerrno\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook b/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
deleted file mode 100644
index 26f1779..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
+++ /dev/null
@@ -1,120 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_inetntop.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_inetntop</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_net_ntop</refname>
-    <refpurpose>lightweight resolver IP address presentation</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/net.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-const char *
-<function>lwres_net_ntop</function></funcdef>
-        <paramdef>int <parameter>af</parameter></paramdef>
-        <paramdef>const void *<parameter>src</parameter></paramdef>
-        <paramdef>char *<parameter>dst</parameter></paramdef>
-        <paramdef>size_t <parameter>size</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para><function>lwres_net_ntop()</function>
-      converts an IP address of protocol family
-      <parameter>af</parameter> &mdash; IPv4 or IPv6 &mdash; at
-      location <parameter>src</parameter> from network format to its
-      conventional representation as a string.  For IPv4 addresses,
-      that string would be a dotted-decimal.  An IPv6 address would be
-      represented in colon notation as described in RFC1884.
-    </para>
-
-    <para>
-      The generated string is copied to <parameter>dst</parameter>
-      provided
-      <parameter>size</parameter> indicates it is long enough to
-      store the
-      ASCII representation of the address.
-    </para>
-
-  </refsect1>
-  <refsect1>
-    <title>RETURN VALUES</title>
-
-    <para>
-      If successful, the function returns <parameter>dst</parameter>:
-      a pointer to a string containing the presentation format of the
-      address.  <function>lwres_net_ntop()</function> returns
-      <type>NULL</type> and sets the global variable
-      <constant>errno</constant> to <errorcode>EAFNOSUPPORT</errorcode> if
-      the protocol family given in <parameter>af</parameter> is
-      not
-      supported.
-    </para>
-
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>RFC1884</refentrytitle>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>inet_ntop</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.html b/contrib/bind9/lib/lwres/man/lwres_inetntop.html
deleted file mode 100644
index 6f1a37f..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.html
+++ /dev/null
@@ -1,103 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_inetntop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_net_ntop &#8212; lightweight resolver IP address presentation</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/net.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-const char *
-<b class="fsfunc">lwres_net_ntop</b>(</code></td>
-<td>int  </td>
-<td>
-<var class="pdparam">af</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>const void * </td>
-<td>
-<var class="pdparam">src</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>char * </td>
-<td>
-<var class="pdparam">dst</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>size_t  </td>
-<td>
-<var class="pdparam">size</var><code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543380"></a><h2>DESCRIPTION</h2>
-<p><code class="function">lwres_net_ntop()</code>
-      converts an IP address of protocol family
-      <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212; at
-      location <em class="parameter"><code>src</code></em> from network format to its
-      conventional representation as a string.  For IPv4 addresses,
-      that string would be a dotted-decimal.  An IPv6 address would be
-      represented in colon notation as described in RFC1884.
-    </p>
-<p>
-      The generated string is copied to <em class="parameter"><code>dst</code></em>
-      provided
-      <em class="parameter"><code>size</code></em> indicates it is long enough to
-      store the
-      ASCII representation of the address.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543412"></a><h2>RETURN VALUES</h2>
-<p>
-      If successful, the function returns <em class="parameter"><code>dst</code></em>:
-      a pointer to a string containing the presentation format of the
-      address.  <code class="function">lwres_net_ntop()</code> returns
-      <span class="type">NULL</span> and sets the global variable
-      <code class="constant">errno</code> to <span class="errorcode">EAFNOSUPPORT</span> if
-      the protocol family given in <em class="parameter"><code>af</code></em> is
-      not
-      supported.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543445"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
-      <span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
-      <span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.3 b/contrib/bind9/lib/lwres/man/lwres_noop.3
deleted file mode 100644
index c0fc47e..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_noop.3
+++ /dev/null
@@ -1,183 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_noop
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free \- lightweight resolver no\-op message handling
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 40
-.BI "lwres_result_t lwres_nooprequest_render(lwres_context_t\ *" "ctx" ", lwres_nooprequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
-.HP 41
-.BI "lwres_result_t lwres_noopresponse_render(lwres_context_t\ *" "ctx" ", lwres_noopresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
-.HP 39
-.BI "lwres_result_t lwres_nooprequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_nooprequest_t\ **" "structp" ");"
-.HP 40
-.BI "lwres_result_t lwres_noopresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_noopresponse_t\ **" "structp" ");"
-.HP 29
-.BI "void lwres_noopresponse_free(lwres_context_t\ *" "ctx" ", lwres_noopresponse_t\ **" "structp" ");"
-.HP 28
-.BI "void lwres_nooprequest_free(lwres_context_t\ *" "ctx" ", lwres_nooprequest_t\ **" "structp" ");"
-.SH "DESCRIPTION"
-.PP
-These are low\-level routines for creating and parsing lightweight resolver no\-op request and response messages.
-.PP
-The no\-op message is analogous to a
-\fBping\fR
-packet: a packet is sent to the resolver daemon and is simply echoed back. The opcode is intended to allow a client to determine if the server is operational or not.
-.PP
-There are four main functions for the no\-op opcode. One render function converts a no\-op request structure \(em
-\fBlwres_nooprequest_t\fR
-\(em to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a no\-op request structure. Another render function converts the no\-op response structure \(em
-\fBlwres_noopresponse_t\fR
-to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a no\-op response structure.
-.PP
-These structures are defined in
-\fIlwres/lwres.h\fR. They are shown below.
-.PP
-.RS 4
-.nf
-#define LWRES_OPCODE_NOOP       0x00000000U
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-typedef struct {
-        lwres_uint16_t  datalength;
-        unsigned char   *data;
-} lwres_nooprequest_t;
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-typedef struct {
-        lwres_uint16_t  datalength;
-        unsigned char   *data;
-} lwres_noopresponse_t;
-.fi
-.RE
-.sp
-.PP
-Although the structures have different types, they are identical. This is because the no\-op opcode simply echos whatever data was sent: the response is therefore identical to the request.
-.PP
-\fBlwres_nooprequest_render()\fR
-uses resolver context
-\fIctx\fR
-to convert no\-op request structure
-\fIreq\fR
-to canonical format. The packet header structure
-\fIpkt\fR
-is initialised and transferred to buffer
-\fIb\fR. The contents of
-\fI*req\fR
-are then appended to the buffer in canonical format.
-\fBlwres_noopresponse_render()\fR
-performs the same task, except it converts a no\-op response structure
-\fBlwres_noopresponse_t\fR
-to the lightweight resolver's canonical format.
-.PP
-\fBlwres_nooprequest_parse()\fR
-uses context
-\fIctx\fR
-to convert the contents of packet
-\fIpkt\fR
-to a
-\fBlwres_nooprequest_t\fR
-structure. Buffer
-\fIb\fR
-provides space to be used for storing this structure. When the function succeeds, the resulting
-\fBlwres_nooprequest_t\fR
-is made available through
-\fI*structp\fR.
-\fBlwres_noopresponse_parse()\fR
-offers the same semantics as
-\fBlwres_nooprequest_parse()\fR
-except it yields a
-\fBlwres_noopresponse_t\fR
-structure.
-.PP
-\fBlwres_noopresponse_free()\fR
-and
-\fBlwres_nooprequest_free()\fR
-release the memory in resolver context
-\fIctx\fR
-that was allocated to the
-\fBlwres_noopresponse_t\fR
-or
-\fBlwres_nooprequest_t\fR
-structures referenced via
-\fIstructp\fR.
-.SH "RETURN VALUES"
-.PP
-The no\-op opcode functions
-\fBlwres_nooprequest_render()\fR,
-\fBlwres_noopresponse_render()\fR
-\fBlwres_nooprequest_parse()\fR
-and
-\fBlwres_noopresponse_parse()\fR
-all return
-\fBLWRES_R_SUCCESS\fR
-on success. They return
-\fBLWRES_R_NOMEMORY\fR
-if memory allocation fails.
-\fBLWRES_R_UNEXPECTEDEND\fR
-is returned if the available space in the buffer
-\fIb\fR
-is too small to accommodate the packet header or the
-\fBlwres_nooprequest_t\fR
-and
-\fBlwres_noopresponse_t\fR
-structures.
-\fBlwres_nooprequest_parse()\fR
-and
-\fBlwres_noopresponse_parse()\fR
-will return
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer is not empty after decoding the received packet. These functions will return
-\fBLWRES_R_FAILURE\fR
-if
-\fBpktflags\fR
-in the packet header structure
-\fBlwres_lwpacket_t\fR
-indicate that the packet is not a response to an earlier query.
-.SH "SEE ALSO"
-.PP
-\fBlwres_packet\fR(3)
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.docbook b/contrib/bind9/lib/lwres/man/lwres_noop.docbook
deleted file mode 100644
index eb823b7..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_noop.docbook
+++ /dev/null
@@ -1,255 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_noop.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_noop</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_nooprequest_render</refname>
-    <refname>lwres_noopresponse_render</refname>
-    <refname>lwres_nooprequest_parse</refname>
-    <refname>lwres_noopresponse_parse</refname>
-    <refname>lwres_noopresponse_free</refname>
-    <refname>lwres_nooprequest_free</refname>
-    <refpurpose>lightweight resolver no-op message handling</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>
-#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_nooprequest_render</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_nooprequest_t *<parameter>req</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_noopresponse_render</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_noopresponse_t *<parameter>req</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_nooprequest_parse</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_nooprequest_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_noopresponse_parse</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        <paramdef>lwres_noopresponse_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_noopresponse_free</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_noopresponse_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-void
-<function>lwres_nooprequest_free</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_nooprequest_t **<parameter>structp</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      These are low-level routines for creating and parsing
-      lightweight resolver no-op request and response messages.
-    </para>
-    <para>
-      The no-op message is analogous to a <command>ping</command>
-      packet:
-      a packet is sent to the resolver daemon and is simply echoed back.
-      The opcode is intended to allow a client to determine if the server is
-      operational or not.
-    </para>
-    <para>
-      There are four main functions for the no-op opcode.
-      One render function converts a no-op request structure &mdash;
-      <type>lwres_nooprequest_t</type> &mdash;
-      to the lighweight resolver's canonical format.
-      It is complemented by a parse function that converts a packet in this
-      canonical format to a no-op request structure.
-      Another render function converts the no-op response structure &mdash;
-      <type>lwres_noopresponse_t</type>
-      to the canonical format.
-      This is complemented by a parse function which converts a packet in
-      canonical format to a no-op response structure.
-    </para>
-    <para>
-      These structures are defined in
-      <filename>lwres/lwres.h</filename>.
-
-      They are shown below.
-    </para>
-    <para><programlisting>
-#define LWRES_OPCODE_NOOP       0x00000000U
-</programlisting>
-    </para>
-    <para><programlisting>
-typedef struct {
-        lwres_uint16_t  datalength;
-        unsigned char   *data;
-} lwres_nooprequest_t;
-</programlisting>
-    </para>
-    <para><programlisting>
-typedef struct {
-        lwres_uint16_t  datalength;
-        unsigned char   *data;
-} lwres_noopresponse_t;
-</programlisting>
-    </para>
-    <para>
-      Although the structures have different types, they are identical.
-      This is because the no-op opcode simply echos whatever data was sent:
-      the response is therefore identical to the request.
-    </para>
-
-    <para><function>lwres_nooprequest_render()</function>
-      uses resolver context <parameter>ctx</parameter> to convert
-      no-op request structure <parameter>req</parameter> to canonical
-      format.  The packet header structure <parameter>pkt</parameter>
-      is initialised and transferred to buffer
-      <parameter>b</parameter>.  The contents of
-      <parameter>*req</parameter> are then appended to the buffer in
-      canonical format.
-      <function>lwres_noopresponse_render()</function> performs the
-      same task, except it converts a no-op response structure
-      <type>lwres_noopresponse_t</type> to the lightweight resolver's
-      canonical format.
-    </para>
-
-    <para><function>lwres_nooprequest_parse()</function>
-      uses context <parameter>ctx</parameter> to convert the contents
-      of packet <parameter>pkt</parameter> to a
-      <type>lwres_nooprequest_t</type> structure.  Buffer
-      <parameter>b</parameter> provides space to be used for storing
-      this structure.  When the function succeeds, the resulting
-      <type>lwres_nooprequest_t</type> is made available through
-      <parameter>*structp</parameter>.
-      <function>lwres_noopresponse_parse()</function> offers the same
-      semantics as <function>lwres_nooprequest_parse()</function>
-      except it yields a <type>lwres_noopresponse_t</type> structure.
-    </para>
-
-    <para><function>lwres_noopresponse_free()</function>
-      and <function>lwres_nooprequest_free()</function> release the
-      memory in resolver context <parameter>ctx</parameter> that was
-      allocated to the <type>lwres_noopresponse_t</type> or
-      <type>lwres_nooprequest_t</type> structures referenced via
-      <parameter>structp</parameter>.
-    </para>
-
-  </refsect1>
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para>
-      The no-op opcode functions
-      <function>lwres_nooprequest_render()</function>,
-
-      <function>lwres_noopresponse_render()</function>
-      <function>lwres_nooprequest_parse()</function>
-      and
-      <function>lwres_noopresponse_parse()</function>
-      all return
-      <errorcode>LWRES_R_SUCCESS</errorcode>
-      on success.
-      They return
-      <errorcode>LWRES_R_NOMEMORY</errorcode>
-      if memory allocation fails.
-      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-      is returned if the available space in the buffer
-      <parameter>b</parameter>
-      is too small to accommodate the packet header or the
-      <type>lwres_nooprequest_t</type>
-      and
-      <type>lwres_noopresponse_t</type>
-      structures.
-      <function>lwres_nooprequest_parse()</function>
-      and
-      <function>lwres_noopresponse_parse()</function>
-      will return
-      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-      if the buffer is not empty after decoding the received packet.
-      These functions will return
-      <errorcode>LWRES_R_FAILURE</errorcode>
-      if
-      <constant>pktflags</constant>
-      in the packet header structure
-      <type>lwres_lwpacket_t</type>
-      indicate that the packet is not a response to an earlier query.
-    </para>
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-    </para>
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.html b/contrib/bind9/lib/lwres/man/lwres_noop.html
deleted file mode 100644
index 69d0d38..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_noop.html
+++ /dev/null
@@ -1,317 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_noop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476274"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free &#8212; lightweight resolver no-op message handling</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">
-#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_nooprequest_render</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_nooprequest_t * </td>
-<td>
-<var class="pdparam">req</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_noopresponse_render</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_noopresponse_t * </td>
-<td>
-<var class="pdparam">req</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_nooprequest_parse</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_nooprequest_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_noopresponse_parse</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_noopresponse_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_noopresponse_free</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_noopresponse_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_nooprequest_free</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_nooprequest_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543524"></a><h2>DESCRIPTION</h2>
-<p>
-      These are low-level routines for creating and parsing
-      lightweight resolver no-op request and response messages.
-    </p>
-<p>
-      The no-op message is analogous to a <span><strong class="command">ping</strong></span>
-      packet:
-      a packet is sent to the resolver daemon and is simply echoed back.
-      The opcode is intended to allow a client to determine if the server is
-      operational or not.
-    </p>
-<p>
-      There are four main functions for the no-op opcode.
-      One render function converts a no-op request structure &#8212;
-      <span class="type">lwres_nooprequest_t</span> &#8212;
-      to the lighweight resolver's canonical format.
-      It is complemented by a parse function that converts a packet in this
-      canonical format to a no-op request structure.
-      Another render function converts the no-op response structure &#8212;
-      <span class="type">lwres_noopresponse_t</span>
-      to the canonical format.
-      This is complemented by a parse function which converts a packet in
-      canonical format to a no-op response structure.
-    </p>
-<p>
-      These structures are defined in
-      <code class="filename">lwres/lwres.h</code>.
-
-      They are shown below.
-    </p>
-<pre class="programlisting">
-#define LWRES_OPCODE_NOOP       0x00000000U
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-typedef struct {
-        lwres_uint16_t  datalength;
-        unsigned char   *data;
-} lwres_nooprequest_t;
-</pre>
-<p>
-    </p>
-<pre class="programlisting">
-typedef struct {
-        lwres_uint16_t  datalength;
-        unsigned char   *data;
-} lwres_noopresponse_t;
-</pre>
-<p>
-    </p>
-<p>
-      Although the structures have different types, they are identical.
-      This is because the no-op opcode simply echos whatever data was sent:
-      the response is therefore identical to the request.
-    </p>
-<p><code class="function">lwres_nooprequest_render()</code>
-      uses resolver context <em class="parameter"><code>ctx</code></em> to convert
-      no-op request structure <em class="parameter"><code>req</code></em> to canonical
-      format.  The packet header structure <em class="parameter"><code>pkt</code></em>
-      is initialised and transferred to buffer
-      <em class="parameter"><code>b</code></em>.  The contents of
-      <em class="parameter"><code>*req</code></em> are then appended to the buffer in
-      canonical format.
-      <code class="function">lwres_noopresponse_render()</code> performs the
-      same task, except it converts a no-op response structure
-      <span class="type">lwres_noopresponse_t</span> to the lightweight resolver's
-      canonical format.
-    </p>
-<p><code class="function">lwres_nooprequest_parse()</code>
-      uses context <em class="parameter"><code>ctx</code></em> to convert the contents
-      of packet <em class="parameter"><code>pkt</code></em> to a
-      <span class="type">lwres_nooprequest_t</span> structure.  Buffer
-      <em class="parameter"><code>b</code></em> provides space to be used for storing
-      this structure.  When the function succeeds, the resulting
-      <span class="type">lwres_nooprequest_t</span> is made available through
-      <em class="parameter"><code>*structp</code></em>.
-      <code class="function">lwres_noopresponse_parse()</code> offers the same
-      semantics as <code class="function">lwres_nooprequest_parse()</code>
-      except it yields a <span class="type">lwres_noopresponse_t</span> structure.
-    </p>
-<p><code class="function">lwres_noopresponse_free()</code>
-      and <code class="function">lwres_nooprequest_free()</code> release the
-      memory in resolver context <em class="parameter"><code>ctx</code></em> that was
-      allocated to the <span class="type">lwres_noopresponse_t</span> or
-      <span class="type">lwres_nooprequest_t</span> structures referenced via
-      <em class="parameter"><code>structp</code></em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543674"></a><h2>RETURN VALUES</h2>
-<p>
-      The no-op opcode functions
-      <code class="function">lwres_nooprequest_render()</code>,
-
-      <code class="function">lwres_noopresponse_render()</code>
-      <code class="function">lwres_nooprequest_parse()</code>
-      and
-      <code class="function">lwres_noopresponse_parse()</code>
-      all return
-      <span class="errorcode">LWRES_R_SUCCESS</span>
-      on success.
-      They return
-      <span class="errorcode">LWRES_R_NOMEMORY</span>
-      if memory allocation fails.
-      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-      is returned if the available space in the buffer
-      <em class="parameter"><code>b</code></em>
-      is too small to accommodate the packet header or the
-      <span class="type">lwres_nooprequest_t</span>
-      and
-      <span class="type">lwres_noopresponse_t</span>
-      structures.
-      <code class="function">lwres_nooprequest_parse()</code>
-      and
-      <code class="function">lwres_noopresponse_parse()</code>
-      will return
-      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-      if the buffer is not empty after decoding the received packet.
-      These functions will return
-      <span class="errorcode">LWRES_R_FAILURE</span>
-      if
-      <code class="constant">pktflags</code>
-      in the packet header structure
-      <span class="type">lwres_lwpacket_t</span>
-      indicate that the packet is not a response to an earlier query.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543740"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.3 b/contrib/bind9/lib/lwres/man/lwres_packet.3
deleted file mode 100644
index 49ebff7..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_packet.3
+++ /dev/null
@@ -1,170 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_packet
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver packet handling functions
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwpacket.h>
-.fi
-.HP 43
-.BI "lwres_result_t lwres_lwpacket_renderheader(lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ");"
-.HP 42
-.BI "lwres_result_t lwres_lwpacket_parseheader(lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ");"
-.SH "DESCRIPTION"
-.PP
-These functions rely on a
-\fBstruct lwres_lwpacket\fR
-which is defined in
-\fIlwres/lwpacket.h\fR.
-.PP
-.RS 4
-.nf
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
-struct lwres_lwpacket {
-        lwres_uint32_t          length;
-        lwres_uint16_t          version;
-        lwres_uint16_t          pktflags;
-        lwres_uint32_t          serial;
-        lwres_uint32_t          opcode;
-        lwres_uint32_t          result;
-        lwres_uint32_t          recvlength;
-        lwres_uint16_t          authtype;
-        lwres_uint16_t          authlength;
-};
-.fi
-.RE
-.sp
-.PP
-The elements of this structure are:
-.PP
-\fBlength\fR
-.RS 4
-the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
-\fBversion\fR
-.RS 4
-the header format. There is currently only one format,
-\fBLWRES_LWPACKETVERSION_0\fR. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
-\fBpktflags\fR
-.RS 4
-library\-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
-\fBserial\fR
-.RS 4
-is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. This field must be set by the application.
-.RE
-.PP
-\fBopcode\fR
-.RS 4
-indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
-\fBresult\fR
-.RS 4
-is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.RE
-.PP
-\fBrecvlength\fR
-.RS 4
-is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. This field is supplied by the application.
-.RE
-.PP
-\fBauthtype\fR
-.RS 4
-defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. Currently these are not used and must be zero.
-.RE
-.PP
-\fBauthlen\fR
-.RS 4
-gives the length of the authentication data. Since packet authentication is currently not used, this must be zero.
-.RE
-.PP
-The following opcodes are currently defined:
-.PP
-\fBNOOP\fR
-.RS 4
-Success is always returned and the packet contents are echoed. The lwres_noop_*() functions should be used for this type.
-.RE
-.PP
-\fBGETADDRSBYNAME\fR
-.RS 4
-returns all known addresses for a given name. The lwres_gabn_*() functions should be used for this type.
-.RE
-.PP
-\fBGETNAMEBYADDR\fR
-.RS 4
-return the hostname for the given address. The lwres_gnba_*() functions should be used for this type.
-.RE
-.PP
-\fBlwres_lwpacket_renderheader()\fR
-transfers the contents of lightweight resolver packet structure
-\fBlwres_lwpacket_t\fR
-\fI*pkt\fR
-in network byte order to the lightweight resolver buffer,
-\fI*b\fR.
-.PP
-\fBlwres_lwpacket_parseheader()\fR
-performs the converse operation. It transfers data in network byte order from buffer
-\fI*b\fR
-to resolver packet
-\fI*pkt\fR. The contents of the buffer
-\fIb\fR
-should correspond to a
-\fBlwres_lwpacket_t\fR.
-.SH "RETURN VALUES"
-.PP
-Successful calls to
-\fBlwres_lwpacket_renderheader()\fR
-and
-\fBlwres_lwpacket_parseheader()\fR
-return
-\fBLWRES_R_SUCCESS\fR. If there is insufficient space to copy data between the buffer
-\fI*b\fR
-and lightweight resolver packet
-\fI*pkt\fR
-both functions return
-\fBLWRES_R_UNEXPECTEDEND\fR.
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.docbook b/contrib/bind9/lib/lwres/man/lwres_packet.docbook
deleted file mode 100644
index 87841db..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_packet.docbook
+++ /dev/null
@@ -1,291 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_packet.docbook,v 1.13 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_packet</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_lwpacket_renderheader</refname>
-    <refname>lwres_lwpacket_parseheader</refname>
-    <refpurpose>lightweight resolver packet handling functions</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwpacket.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_lwpacket_renderheader</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_lwpacket_parseheader</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-  <refsect1>
-    <title>DESCRIPTION</title>
-    <para>
-      These functions rely on a
-      <type>struct lwres_lwpacket</type>
-      which is defined in
-      <filename>lwres/lwpacket.h</filename>.
-    </para>
-
-    <para><programlisting>
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-      </programlisting>
-    </para>
-    <para><programlisting>
-struct lwres_lwpacket {
-        lwres_uint32_t          length;
-        lwres_uint16_t          version;
-        lwres_uint16_t          pktflags;
-        lwres_uint32_t          serial;
-        lwres_uint32_t          opcode;
-        lwres_uint32_t          result;
-        lwres_uint32_t          recvlength;
-        lwres_uint16_t          authtype;
-        lwres_uint16_t          authlength;
-};
-</programlisting>
-    </para>
-
-    <para>
-      The elements of this structure are:
-      <variablelist>
-        <varlistentry>
-          <term><constant>length</constant></term>
-          <listitem>
-            <para>
-              the overall packet length, including the entire packet header.
-              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-              calls.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>version</constant></term>
-          <listitem>
-            <para>
-              the header format. There is currently only one format,
-              <type>LWRES_LWPACKETVERSION_0</type>.
-
-              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-              calls.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>pktflags</constant></term>
-          <listitem>
-            <para>
-              library-defined flags for this packet: for instance whether the
-              packet
-              is a request or a reply. Flag values can be set, but not defined
-              by
-              the caller.
-              This field is filled in by the application wit the exception of
-              the
-              LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in
-              the
-              lwres_gabn_*() and lwres_gnba_*() calls.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>serial</constant></term>
-          <listitem>
-            <para>
-              is set by the requestor and is returned in all replies. If two
-              or more
-              packets from the same source have the same serial number and are
-              from
-              the same source, they are assumed to be duplicates and the
-              latter ones
-              may be dropped.
-              This field must be set by the application.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>opcode</constant></term>
-          <listitem>
-            <para>
-              indicates the operation.
-              Opcodes between 0x00000000 and 0x03ffffff are
-              reserved for use by the lightweight resolver library. Opcodes
-              between
-              0x04000000 and 0xffffffff are application defined.
-              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-              calls.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>result</constant></term>
-          <listitem>
-            <para>
-              is only valid for replies.
-              Results between 0x04000000 and 0xffffffff are application
-              defined.
-              Results between 0x00000000 and 0x03ffffff are reserved for
-              library use.
-              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-              calls.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>recvlength</constant></term>
-          <listitem>
-            <para>
-              is the maximum buffer size that the receiver can handle on
-              requests
-              and the size of the buffer needed to satisfy a request when the
-              buffer
-              is too large for replies.
-              This field is supplied by the application.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>authtype</constant></term>
-          <listitem>
-            <para>
-              defines the packet level authentication that is used.
-              Authorisation types between 0x1000 and 0xffff are application
-              defined
-              and types between 0x0000 and 0x0fff are reserved for library
-              use.
-              Currently these are not used and must be zero.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>authlen</constant></term>
-          <listitem>
-            <para>
-              gives the length of the authentication data.
-              Since packet authentication is currently not used, this must be
-              zero.
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-    <para>
-      The following opcodes are currently defined:
-      <variablelist>
-        <varlistentry>
-          <term><constant>NOOP</constant></term>
-          <listitem>
-            <para>
-              Success is always returned and the packet contents are echoed.
-              The lwres_noop_*() functions should be used for this type.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>GETADDRSBYNAME</constant></term>
-          <listitem>
-            <para>
-              returns all known addresses for a given name.
-              The lwres_gabn_*() functions should be used for this type.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><constant>GETNAMEBYADDR</constant></term>
-          <listitem>
-            <para>
-              return the hostname for the given address.
-              The lwres_gnba_*() functions should be used for this type.
-            </para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </para>
-
-    <para><function>lwres_lwpacket_renderheader()</function>
-      transfers the contents of lightweight resolver packet structure
-      <type>lwres_lwpacket_t</type> <parameter>*pkt</parameter> in
-      network byte order to the lightweight resolver buffer,
-      <parameter>*b</parameter>.
-    </para>
-
-    <para><function>lwres_lwpacket_parseheader()</function>
-      performs the converse operation.  It transfers data in network
-      byte order from buffer <parameter>*b</parameter> to resolver
-      packet <parameter>*pkt</parameter>.  The contents of the buffer
-      <parameter>b</parameter> should correspond to a
-      <type>lwres_lwpacket_t</type>.
-    </para>
-
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para>
-      Successful calls to
-      <function>lwres_lwpacket_renderheader()</function> and
-      <function>lwres_lwpacket_parseheader()</function> return
-      <errorcode>LWRES_R_SUCCESS</errorcode>.  If there is insufficient
-      space to copy data between the buffer <parameter>*b</parameter> and
-      lightweight resolver packet <parameter>*pkt</parameter> both
-      functions
-      return <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>.
-    </para>
-
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.html b/contrib/bind9/lib/lwres/man/lwres_packet.html
deleted file mode 100644
index fad9076..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_packet.html
+++ /dev/null
@@ -1,235 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_packet</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader &#8212; lightweight resolver packet handling functions</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwpacket.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_lwpacket_renderheader</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_lwpacket_parseheader</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var><code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543390"></a><h2>DESCRIPTION</h2>
-<p>
-      These functions rely on a
-      <span class="type">struct lwres_lwpacket</span>
-      which is defined in
-      <code class="filename">lwres/lwpacket.h</code>.
-    </p>
-<pre class="programlisting">
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-      </pre>
-<p>
-    </p>
-<pre class="programlisting">
-struct lwres_lwpacket {
-        lwres_uint32_t          length;
-        lwres_uint16_t          version;
-        lwres_uint16_t          pktflags;
-        lwres_uint32_t          serial;
-        lwres_uint32_t          opcode;
-        lwres_uint32_t          result;
-        lwres_uint32_t          recvlength;
-        lwres_uint16_t          authtype;
-        lwres_uint16_t          authlength;
-};
-</pre>
-<p>
-    </p>
-<p>
-      The elements of this structure are:
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">length</code></span></dt>
-<dd><p>
-              the overall packet length, including the entire packet header.
-              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-              calls.
-            </p></dd>
-<dt><span class="term"><code class="constant">version</code></span></dt>
-<dd><p>
-              the header format. There is currently only one format,
-              <span class="type">LWRES_LWPACKETVERSION_0</span>.
-
-              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-              calls.
-            </p></dd>
-<dt><span class="term"><code class="constant">pktflags</code></span></dt>
-<dd><p>
-              library-defined flags for this packet: for instance whether the
-              packet
-              is a request or a reply. Flag values can be set, but not defined
-              by
-              the caller.
-              This field is filled in by the application wit the exception of
-              the
-              LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in
-              the
-              lwres_gabn_*() and lwres_gnba_*() calls.
-            </p></dd>
-<dt><span class="term"><code class="constant">serial</code></span></dt>
-<dd><p>
-              is set by the requestor and is returned in all replies. If two
-              or more
-              packets from the same source have the same serial number and are
-              from
-              the same source, they are assumed to be duplicates and the
-              latter ones
-              may be dropped.
-              This field must be set by the application.
-            </p></dd>
-<dt><span class="term"><code class="constant">opcode</code></span></dt>
-<dd><p>
-              indicates the operation.
-              Opcodes between 0x00000000 and 0x03ffffff are
-              reserved for use by the lightweight resolver library. Opcodes
-              between
-              0x04000000 and 0xffffffff are application defined.
-              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-              calls.
-            </p></dd>
-<dt><span class="term"><code class="constant">result</code></span></dt>
-<dd><p>
-              is only valid for replies.
-              Results between 0x04000000 and 0xffffffff are application
-              defined.
-              Results between 0x00000000 and 0x03ffffff are reserved for
-              library use.
-              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-              calls.
-            </p></dd>
-<dt><span class="term"><code class="constant">recvlength</code></span></dt>
-<dd><p>
-              is the maximum buffer size that the receiver can handle on
-              requests
-              and the size of the buffer needed to satisfy a request when the
-              buffer
-              is too large for replies.
-              This field is supplied by the application.
-            </p></dd>
-<dt><span class="term"><code class="constant">authtype</code></span></dt>
-<dd><p>
-              defines the packet level authentication that is used.
-              Authorisation types between 0x1000 and 0xffff are application
-              defined
-              and types between 0x0000 and 0x0fff are reserved for library
-              use.
-              Currently these are not used and must be zero.
-            </p></dd>
-<dt><span class="term"><code class="constant">authlen</code></span></dt>
-<dd><p>
-              gives the length of the authentication data.
-              Since packet authentication is currently not used, this must be
-              zero.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-<p>
-      The following opcodes are currently defined:
-      </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">NOOP</code></span></dt>
-<dd><p>
-              Success is always returned and the packet contents are echoed.
-              The lwres_noop_*() functions should be used for this type.
-            </p></dd>
-<dt><span class="term"><code class="constant">GETADDRSBYNAME</code></span></dt>
-<dd><p>
-              returns all known addresses for a given name.
-              The lwres_gabn_*() functions should be used for this type.
-            </p></dd>
-<dt><span class="term"><code class="constant">GETNAMEBYADDR</code></span></dt>
-<dd><p>
-              return the hostname for the given address.
-              The lwres_gnba_*() functions should be used for this type.
-            </p></dd>
-</dl></div>
-<p>
-    </p>
-<p><code class="function">lwres_lwpacket_renderheader()</code>
-      transfers the contents of lightweight resolver packet structure
-      <span class="type">lwres_lwpacket_t</span> <em class="parameter"><code>*pkt</code></em> in
-      network byte order to the lightweight resolver buffer,
-      <em class="parameter"><code>*b</code></em>.
-    </p>
-<p><code class="function">lwres_lwpacket_parseheader()</code>
-      performs the converse operation.  It transfers data in network
-      byte order from buffer <em class="parameter"><code>*b</code></em> to resolver
-      packet <em class="parameter"><code>*pkt</code></em>.  The contents of the buffer
-      <em class="parameter"><code>b</code></em> should correspond to a
-      <span class="type">lwres_lwpacket_t</span>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543707"></a><h2>RETURN VALUES</h2>
-<p>
-      Successful calls to
-      <code class="function">lwres_lwpacket_renderheader()</code> and
-      <code class="function">lwres_lwpacket_parseheader()</code> return
-      <span class="errorcode">LWRES_R_SUCCESS</span>.  If there is insufficient
-      space to copy data between the buffer <em class="parameter"><code>*b</code></em> and
-      lightweight resolver packet <em class="parameter"><code>*pkt</code></em> both
-      functions
-      return <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.3 b/contrib/bind9/lib/lwres/man/lwres_resutil.3
deleted file mode 100644
index 0e9cf6f..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.3
+++ /dev/null
@@ -1,170 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\" 
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\" 
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id$
-.\"
-.hy 0
-.ad l
-.\"     Title: lwres_resutil
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Jun 30, 2000
-.\"    Manual: BIND9
-.\"    Source: BIND9
-.\"
-.TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr \- lightweight resolver utility functions
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 34
-.BI "lwres_result_t lwres_string_parse(lwres_buffer_t\ *" "b" ", char\ **" "c" ", lwres_uint16_t\ *" "len" ");"
-.HP 32
-.BI "lwres_result_t lwres_addr_parse(lwres_buffer_t\ *" "b" ", lwres_addr_t\ *" "addr" ");"
-.HP 36
-.BI "lwres_result_t lwres_getaddrsbyname(lwres_context_t\ *" "ctx" ", const\ char\ *" "name" ", lwres_uint32_t\ " "addrtypes" ", lwres_gabnresponse_t\ **" "structp" ");"
-.HP 35
-.BI "lwres_result_t lwres_getnamebyaddr(lwres_context_t\ *" "ctx" ", lwres_uint32_t\ " "addrtype" ", lwres_uint16_t\ " "addrlen" ", const\ unsigned\ char\ *" "addr" ", lwres_gnbaresponse_t\ **" "structp" ");"
-.SH "DESCRIPTION"
-.PP
-\fBlwres_string_parse()\fR
-retrieves a DNS\-encoded string starting the current pointer of lightweight resolver buffer
-\fIb\fR: i.e.
-\fBb\->current\fR. When the function returns, the address of the first byte of the encoded string is returned via
-\fI*c\fR
-and the length of that string is given by
-\fI*len\fR. The buffer's current pointer is advanced to point at the character following the string length, the encoded string, and the trailing
-\fBNULL\fR
-character.
-.PP
-\fBlwres_addr_parse()\fR
-extracts an address from the buffer
-\fIb\fR. The buffer's current pointer
-\fBb\->current\fR
-is presumed to point at an encoded address: the address preceded by a 32\-bit protocol family identifier and a 16\-bit length field. The encoded address is copied to
-\fBaddr\->address\fR
-and
-\fBaddr\->length\fR
-indicates the size in bytes of the address that was copied.
-\fBb\->current\fR
-is advanced to point at the next byte of available data in the buffer following the encoded address.
-.PP
-\fBlwres_getaddrsbyname()\fR
-and
-\fBlwres_getnamebyaddr()\fR
-use the
-\fBlwres_gnbaresponse_t\fR
-structure defined below:
-.PP
-.RS 4
-.nf
-typedef struct {
-        lwres_uint32_t          flags;
-        lwres_uint16_t          naliases;
-        lwres_uint16_t          naddrs;
-        char                   *realname;
-        char                  **aliases;
-        lwres_uint16_t          realnamelen;
-        lwres_uint16_t         *aliaslen;
-        lwres_addrlist_t        addrs;
-        void                   *base;
-        size_t                  baselen;
-} lwres_gabnresponse_t;
-.fi
-.RE
-.PP
-The contents of this structure are not manipulated directly but they are controlled through the
-\fBlwres_gabn\fR(3)
-functions.
-.PP
-The lightweight resolver uses
-\fBlwres_getaddrsbyname()\fR
-to perform foward lookups. Hostname
-\fIname\fR
-is looked up using the resolver context
-\fIctx\fR
-for memory allocation.
-\fIaddrtypes\fR
-is a bitmask indicating which type of addresses are to be looked up. Current values for this bitmask are
-\fBLWRES_ADDRTYPE_V4\fR
-for IPv4 addresses and
-\fBLWRES_ADDRTYPE_V6\fR
-for IPv6 addresses. Results of the lookup are returned in
-\fI*structp\fR.
-.PP
-\fBlwres_getnamebyaddr()\fR
-performs reverse lookups. Resolver context
-\fIctx\fR
-is used for memory allocation. The address type is indicated by
-\fIaddrtype\fR:
-\fBLWRES_ADDRTYPE_V4\fR
-or
-\fBLWRES_ADDRTYPE_V6\fR. The address to be looked up is given by
-\fIaddr\fR
-and its length is
-\fIaddrlen\fR
-bytes. The result of the function call is made available through
-\fI*structp\fR.
-.SH "RETURN VALUES"
-.PP
-Successful calls to
-\fBlwres_string_parse()\fR
-and
-\fBlwres_addr_parse()\fR
-return
-\fBLWRES_R_SUCCESS.\fR
-Both functions return
-\fBLWRES_R_FAILURE\fR
-if the buffer is corrupt or
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer has less space than expected for the components of the encoded string or address.
-.PP
-\fBlwres_getaddrsbyname()\fR
-returns
-\fBLWRES_R_SUCCESS\fR
-on success and it returns
-\fBLWRES_R_NOTFOUND\fR
-if the hostname
-\fIname\fR
-could not be found.
-.PP
-\fBLWRES_R_SUCCESS\fR
-is returned by a successful call to
-\fBlwres_getnamebyaddr()\fR.
-.PP
-Both
-\fBlwres_getaddrsbyname()\fR
-and
-\fBlwres_getnamebyaddr()\fR
-return
-\fBLWRES_R_NOMEMORY\fR
-when memory allocation requests fail and
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffers used for sending queries and receiving replies are too small.
-.SH "SEE ALSO"
-.PP
-\fBlwres_buffer\fR(3),
-\fBlwres_gabn\fR(3).
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.docbook b/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
deleted file mode 100644
index e6184d9..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
+++ /dev/null
@@ -1,238 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-	       [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_resutil.docbook,v 1.12 2007/06/18 23:47:51 tbox Exp $ -->
-<refentry>
-
-  <refentryinfo>
-    <date>Jun 30, 2000</date>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>lwres_resutil</refentrytitle>
-    <manvolnum>3</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <docinfo>
-    <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2007</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
-  </docinfo>
-
-  <refnamediv>
-    <refname>lwres_string_parse</refname>
-    <refname>lwres_addr_parse</refname>
-    <refname>lwres_getaddrsbyname</refname>
-    <refname>lwres_getnamebyaddr</refname>
-    <refpurpose>lightweight resolver utility functions</refpurpose>
-  </refnamediv>
-  <refsynopsisdiv>
-    <funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_string_parse</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>char **<parameter>c</parameter></paramdef>
-        <paramdef>lwres_uint16_t *<parameter>len</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_addr_parse</function></funcdef>
-        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-        <paramdef>lwres_addr_t *<parameter>addr</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_getaddrsbyname</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>const char *<parameter>name</parameter></paramdef>
-        <paramdef>lwres_uint32_t <parameter>addrtypes</parameter></paramdef>
-        <paramdef>lwres_gabnresponse_t **<parameter>structp</parameter></paramdef>
-        </funcprototype>
-<funcprototype>
-        <funcdef>
-lwres_result_t
-<function>lwres_getnamebyaddr</function></funcdef>
-        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-        <paramdef>lwres_uint32_t <parameter>addrtype</parameter></paramdef>
-        <paramdef>lwres_uint16_t <parameter>addrlen</parameter></paramdef>
-        <paramdef>const unsigned char *<parameter>addr</parameter></paramdef>
-        <paramdef>lwres_gnbaresponse_t **<parameter>structp</parameter></paramdef>
-      </funcprototype>
-</funcsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>DESCRIPTION</title>
-
-    <para><function>lwres_string_parse()</function>
-      retrieves a DNS-encoded string starting the current pointer of
-      lightweight resolver buffer <parameter>b</parameter>: i.e.
-      <constant>b-&gt;current</constant>.  When the function returns,
-      the address of the first byte of the encoded string is returned
-      via <parameter>*c</parameter> and the length of that string is
-      given by <parameter>*len</parameter>.  The buffer's current
-      pointer is advanced to point at the character following the
-      string length, the encoded string, and the trailing
-      <type>NULL</type> character.
-    </para>
-
-    <para><function>lwres_addr_parse()</function>
-      extracts an address from the buffer <parameter>b</parameter>.
-      The buffer's current pointer <constant>b-&gt;current</constant>
-      is presumed to point at an encoded address: the address preceded
-      by a 32-bit protocol family identifier and a 16-bit length
-      field.  The encoded address is copied to
-      <constant>addr-&gt;address</constant> and
-      <constant>addr-&gt;length</constant> indicates the size in bytes
-      of the address that was copied.
-      <constant>b-&gt;current</constant> is advanced to point at the
-      next byte of available data in the buffer following the encoded
-      address.
-    </para>
-
-    <para><function>lwres_getaddrsbyname()</function>
-      and <function>lwres_getnamebyaddr()</function> use the
-      <type>lwres_gnbaresponse_t</type> structure defined below:
-    </para>
-
-<para><programlisting>
-typedef struct {
-        lwres_uint32_t          flags;
-        lwres_uint16_t          naliases;
-        lwres_uint16_t          naddrs;
-        char                   *realname;
-        char                  **aliases;
-        lwres_uint16_t          realnamelen;
-        lwres_uint16_t         *aliaslen;
-        lwres_addrlist_t        addrs;
-        void                   *base;
-        size_t                  baselen;
-} lwres_gabnresponse_t;
-</programlisting></para>
-
-    <para>
-      The contents of this structure are not manipulated directly but
-      they are controlled through the
-      <citerefentry>
-        <refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-      functions.
-    </para>
-
-    <para>
-      The lightweight resolver uses
-      <function>lwres_getaddrsbyname()</function> to perform
-      foward lookups.
-      Hostname <parameter>name</parameter> is looked up using the
-      resolver
-      context <parameter>ctx</parameter> for memory allocation.
-      <parameter>addrtypes</parameter> is a bitmask indicating
-      which type of
-      addresses are to be looked up.  Current values for this bitmask are
-      <type>LWRES_ADDRTYPE_V4</type> for IPv4 addresses and
-      <type>LWRES_ADDRTYPE_V6</type> for IPv6 addresses.  Results of the
-      lookup are returned in <parameter>*structp</parameter>.
-    </para>
-
-    <para><function>lwres_getnamebyaddr()</function>
-      performs reverse lookups.  Resolver context
-      <parameter>ctx</parameter> is used for memory allocation.  The
-      address type is indicated by <parameter>addrtype</parameter>:
-      <type>LWRES_ADDRTYPE_V4</type> or
-      <type>LWRES_ADDRTYPE_V6</type>.  The address to be looked up is
-      given by <parameter>addr</parameter> and its length is
-      <parameter>addrlen</parameter> bytes.  The result of the
-      function call is made available through
-      <parameter>*structp</parameter>.
-    </para>
-  </refsect1>
-
-  <refsect1>
-    <title>RETURN VALUES</title>
-    <para>
-      Successful calls to
-      <function>lwres_string_parse()</function>
-      and
-      <function>lwres_addr_parse()</function>
-      return
-      <errorcode>LWRES_R_SUCCESS.</errorcode>
-      Both functions return
-      <errorcode>LWRES_R_FAILURE</errorcode>
-      if the buffer is corrupt or
-      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-      if the buffer has less space than expected for the components of the
-      encoded string or address.
-    </para>
-
-    <para><function>lwres_getaddrsbyname()</function>
-      returns <errorcode>LWRES_R_SUCCESS</errorcode> on success and it
-      returns <errorcode>LWRES_R_NOTFOUND</errorcode> if the hostname
-      <parameter>name</parameter> could not be found.
-    </para>
-    <para><errorcode>LWRES_R_SUCCESS</errorcode>
-      is returned by a successful call to
-      <function>lwres_getnamebyaddr()</function>.
-    </para>
-
-    <para>
-      Both
-      <function>lwres_getaddrsbyname()</function>
-      and
-      <function>lwres_getnamebyaddr()</function>
-      return
-      <errorcode>LWRES_R_NOMEMORY</errorcode>
-      when memory allocation requests fail and
-      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-      if the buffers used for sending queries and receiving replies are too
-      small.
-    </para>
-
-  </refsect1>
-  <refsect1>
-    <title>SEE ALSO</title>
-    <para><citerefentry>
-        <refentrytitle>lwres_buffer</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-
-      <citerefentry>
-        <refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>.
-    </para>
-
-  </refsect1>
-</refentry><!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.html b/contrib/bind9/lib/lwres/man/lwres_resutil.html
deleted file mode 100644
index 4db7610..0000000
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.html
+++ /dev/null
@@ -1,258 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- - 
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- - 
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id$ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_resutil</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr &#8212; lightweight resolver utility functions</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_string_parse</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>char ** </td>
-<td>
-<var class="pdparam">c</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_uint16_t * </td>
-<td>
-<var class="pdparam">len</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_addr_parse</b>(</code></td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_addr_t * </td>
-<td>
-<var class="pdparam">addr</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_getaddrsbyname</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>const char * </td>
-<td>
-<var class="pdparam">name</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_uint32_t  </td>
-<td>
-<var class="pdparam">addrtypes</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gabnresponse_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_getnamebyaddr</b>(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_uint32_t  </td>
-<td>
-<var class="pdparam">addrtype</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_uint16_t  </td>
-<td>
-<var class="pdparam">addrlen</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>const unsigned char * </td>
-<td>
-<var class="pdparam">addr</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gnbaresponse_t ** </td>
-<td>
-<var class="pdparam">structp</var><code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543467"></a><h2>DESCRIPTION</h2>
-<p><code class="function">lwres_string_parse()</code>
-      retrieves a DNS-encoded string starting the current pointer of
-      lightweight resolver buffer <em class="parameter"><code>b</code></em>: i.e.
-      <code class="constant">b-&gt;current</code>.  When the function returns,
-      the address of the first byte of the encoded string is returned
-      via <em class="parameter"><code>*c</code></em> and the length of that string is
-      given by <em class="parameter"><code>*len</code></em>.  The buffer's current
-      pointer is advanced to point at the character following the
-      string length, the encoded string, and the trailing
-      <span class="type">NULL</span> character.
-    </p>
-<p><code class="function">lwres_addr_parse()</code>
-      extracts an address from the buffer <em class="parameter"><code>b</code></em>.
-      The buffer's current pointer <code class="constant">b-&gt;current</code>
-      is presumed to point at an encoded address: the address preceded
-      by a 32-bit protocol family identifier and a 16-bit length
-      field.  The encoded address is copied to
-      <code class="constant">addr-&gt;address</code> and
-      <code class="constant">addr-&gt;length</code> indicates the size in bytes
-      of the address that was copied.
-      <code class="constant">b-&gt;current</code> is advanced to point at the
-      next byte of available data in the buffer following the encoded
-      address.
-    </p>
-<p><code class="function">lwres_getaddrsbyname()</code>
-      and <code class="function">lwres_getnamebyaddr()</code> use the
-      <span class="type">lwres_gnbaresponse_t</span> structure defined below:
-    </p>
-<pre class="programlisting">
-typedef struct {
-        lwres_uint32_t          flags;
-        lwres_uint16_t          naliases;
-        lwres_uint16_t          naddrs;
-        char                   *realname;
-        char                  **aliases;
-        lwres_uint16_t          realnamelen;
-        lwres_uint16_t         *aliaslen;
-        lwres_addrlist_t        addrs;
-        void                   *base;
-        size_t                  baselen;
-} lwres_gabnresponse_t;
-</pre>
-<p>
-      The contents of this structure are not manipulated directly but
-      they are controlled through the
-      <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>
-      functions.
-    </p>
-<p>
-      The lightweight resolver uses
-      <code class="function">lwres_getaddrsbyname()</code> to perform
-      foward lookups.
-      Hostname <em class="parameter"><code>name</code></em> is looked up using the
-      resolver
-      context <em class="parameter"><code>ctx</code></em> for memory allocation.
-      <em class="parameter"><code>addrtypes</code></em> is a bitmask indicating
-      which type of
-      addresses are to be looked up.  Current values for this bitmask are
-      <span class="type">LWRES_ADDRTYPE_V4</span> for IPv4 addresses and
-      <span class="type">LWRES_ADDRTYPE_V6</span> for IPv6 addresses.  Results of the
-      lookup are returned in <em class="parameter"><code>*structp</code></em>.
-    </p>
-<p><code class="function">lwres_getnamebyaddr()</code>
-      performs reverse lookups.  Resolver context
-      <em class="parameter"><code>ctx</code></em> is used for memory allocation.  The
-      address type is indicated by <em class="parameter"><code>addrtype</code></em>:
-      <span class="type">LWRES_ADDRTYPE_V4</span> or
-      <span class="type">LWRES_ADDRTYPE_V6</span>.  The address to be looked up is
-      given by <em class="parameter"><code>addr</code></em> and its length is
-      <em class="parameter"><code>addrlen</code></em> bytes.  The result of the
-      function call is made available through
-      <em class="parameter"><code>*structp</code></em>.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543606"></a><h2>RETURN VALUES</h2>
-<p>
-      Successful calls to
-      <code class="function">lwres_string_parse()</code>
-      and
-      <code class="function">lwres_addr_parse()</code>
-      return
-      <span class="errorcode">LWRES_R_SUCCESS.</span>
-      Both functions return
-      <span class="errorcode">LWRES_R_FAILURE</span>
-      if the buffer is corrupt or
-      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-      if the buffer has less space than expected for the components of the
-      encoded string or address.
-    </p>
-<p><code class="function">lwres_getaddrsbyname()</code>
-      returns <span class="errorcode">LWRES_R_SUCCESS</span> on success and it
-      returns <span class="errorcode">LWRES_R_NOTFOUND</span> if the hostname
-      <em class="parameter"><code>name</code></em> could not be found.
-    </p>
-<p><span class="errorcode">LWRES_R_SUCCESS</span>
-      is returned by a successful call to
-      <code class="function">lwres_getnamebyaddr()</code>.
-    </p>
-<p>
-      Both
-      <code class="function">lwres_getaddrsbyname()</code>
-      and
-      <code class="function">lwres_getnamebyaddr()</code>
-      return
-      <span class="errorcode">LWRES_R_NOMEMORY</span>
-      when memory allocation requests fail and
-      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-      if the buffers used for sending queries and receiving replies are too
-      small.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543677"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
-
-      <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>.
-    </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/print.c b/contrib/bind9/lib/lwres/print.c
deleted file mode 100644
index 87f3032..0000000
--- a/contrib/bind9/lib/lwres/print.c
+++ /dev/null
@@ -1,565 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdio.h>		/* for sprintf */
-#include <string.h>
-
-#define	LWRES__PRINT_SOURCE	/* Used to get the lwres_print_* prototypes. */
-
-#include <lwres/stdlib.h>
-
-#include "assert_p.h"
-#include "print_p.h"
-
-#define LWRES_PRINT_QUADFORMAT LWRES_PLATFORM_QUADFORMAT
-
-int
-lwres__print_sprintf(char *str, const char *format, ...) {
-	va_list ap;
-
-	va_start(ap, format);
-	vsprintf(str, format, ap);
-	va_end(ap);
-	return (strlen(str));
-}
-
-/*
- * Return length of string that would have been written if not truncated.
- */
-
-int
-lwres__print_snprintf(char *str, size_t size, const char *format, ...) {
-	va_list ap;
-	int ret;
-
-	va_start(ap, format);
-	ret = vsnprintf(str, size, format, ap);
-	va_end(ap);
-	return (ret);
-
-}
-
-/*
- * Return length of string that would have been written if not truncated.
- */
-
-int
-lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
-	int h;
-	int l;
-	int q;
-	int alt;
-	int zero;
-	int left;
-	int plus;
-	int space;
-	long long tmpi;
-	unsigned long long tmpui;
-	unsigned long width;
-	unsigned long precision;
-	unsigned int length;
-	char buf[1024];
-	char c;
-	void *v;
-	char *save = str;
-	const char *cp;
-	const char *head;
-	int count = 0;
-	int pad;
-	int zeropad;
-	int dot;
-	double dbl;
-#ifdef HAVE_LONG_DOUBLE
-	long double ldbl;
-#endif
-	char fmt[32];
-
-	INSIST(str != NULL);
-	INSIST(format != NULL);
-
-	while (*format != '\0') {
-		if (*format != '%') {
-			if (size > 1U) {
-				*str++ = *format;
-				size--;
-			}
-			count++;
-			format++;
-			continue;
-		}
-		format++;
-
-		/*
-		 * Reset flags.
-		 */
-		dot = space = plus = left = zero = alt = h = l = q = 0;
-		width = precision = 0;
-		head = "";
-		length = pad = zeropad = 0;
-		POST(length);
-
-		do {
-			if (*format == '#') {
-				alt = 1;
-				format++;
-			} else if (*format == '-') {
-				left = 1;
-				zero = 0;
-				format++;
-			} else if (*format == ' ') {
-				if (!plus)
-					space = 1;
-				format++;
-			} else if (*format == '+') {
-				plus = 1;
-				space = 0;
-				format++;
-			} else if (*format == '0') {
-				if (!left)
-					zero = 1;
-				format++;
-			} else
-				break;
-		} while (1);
-
-		/*
-		 * Width.
-		 */
-		if (*format == '*') {
-			width = va_arg(ap, int);
-			format++;
-		} else if (isdigit((unsigned char)*format)) {
-			char *e;
-			width = strtoul(format, &e, 10);
-			format = e;
-		}
-
-		/*
-		 * Precision.
-		 */
-		if (*format == '.') {
-			format++;
-			dot = 1;
-			if (*format == '*') {
-				precision = va_arg(ap, int);
-				format++;
-			} else if (isdigit((unsigned char)*format)) {
-				char *e;
-				precision = strtoul(format, &e, 10);
-				format = e;
-			}
-		}
-
-		switch (*format) {
-		case '\0':
-			continue;
-		case '%':
-			if (size > 1U) {
-				*str++ = *format;
-				size--;
-			}
-			count++;
-			break;
-		case 'q':
-			q = 1;
-			format++;
-			goto doint;
-		case 'h':
-			h = 1;
-			format++;
-			goto doint;
-		case 'l':
-			l = 1;
-			format++;
-			if (*format == 'l') {
-				q = 1;
-				format++;
-			}
-			goto doint;
-		case 'n':
-		case 'i':
-		case 'd':
-		case 'o':
-		case 'u':
-		case 'x':
-		case 'X':
-		doint:
-			if (precision != 0U)
-				zero = 0;
-			switch (*format) {
-			case 'n':
-				if (h) {
-					short int *p;
-					p = va_arg(ap, short *);
-					REQUIRE(p != NULL);
-					*p = str - save;
-				} else if (l) {
-					long int *p;
-					p = va_arg(ap, long *);
-					REQUIRE(p != NULL);
-					*p = str - save;
-				} else {
-					int *p;
-					p = va_arg(ap, int *);
-					REQUIRE(p != NULL);
-					*p = str - save;
-				}
-				break;
-			case 'i':
-			case 'd':
-				if (q)
-					tmpi = va_arg(ap, long long int);
-				else if (l)
-					tmpi = va_arg(ap, long int);
-				else
-					tmpi = va_arg(ap, int);
-				if (tmpi < 0) {
-					head = "-";
-					tmpui = -tmpi;
-				} else {
-					if (plus)
-						head = "+";
-					else if (space)
-						head = " ";
-					else
-						head = "";
-					tmpui = tmpi;
-				}
-				sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "u",
-					tmpui);
-				goto printint;
-			case 'o':
-				if (q)
-					tmpui = va_arg(ap,
-						       unsigned long long int);
-				else if (l)
-					tmpui = va_arg(ap, long int);
-				else
-					tmpui = va_arg(ap, int);
-				sprintf(buf,
-					alt ? "%#" LWRES_PRINT_QUADFORMAT "o"
-					    : "%" LWRES_PRINT_QUADFORMAT "o",
-					tmpui);
-				goto printint;
-			case 'u':
-				if (q)
-					tmpui = va_arg(ap,
-						       unsigned long long int);
-				else if (l)
-					tmpui = va_arg(ap, unsigned long int);
-				else
-					tmpui = va_arg(ap, unsigned int);
-				sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "u",
-					tmpui);
-				goto printint;
-			case 'x':
-				if (q)
-					tmpui = va_arg(ap,
-						       unsigned long long int);
-				else if (l)
-					tmpui = va_arg(ap, unsigned long int);
-				else
-					tmpui = va_arg(ap, unsigned int);
-				if (alt) {
-					head = "0x";
-					if (precision > 2U)
-						precision -= 2;
-				}
-				sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "x",
-					tmpui);
-				goto printint;
-			case 'X':
-				if (q)
-					tmpui = va_arg(ap,
-						       unsigned long long int);
-				else if (l)
-					tmpui = va_arg(ap, unsigned long int);
-				else
-					tmpui = va_arg(ap, unsigned int);
-				if (alt) {
-					head = "0X";
-					if (precision > 2U)
-						precision -= 2;
-				}
-				sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "X",
-					tmpui);
-				goto printint;
-			printint:
-				if (precision != 0U || width != 0U) {
-					length = strlen(buf);
-					if (length < precision)
-						zeropad = precision - length;
-					else if (length < width && zero)
-						zeropad = width - length;
-					if (width != 0U) {
-						pad = width - length -
-						      zeropad - strlen(head);
-						if (pad < 0)
-							pad = 0;
-					}
-				}
-				count += strlen(head) + strlen(buf) + pad +
-					 zeropad;
-				if (!left) {
-					while (pad > 0 && size > 1U) {
-						*str++ = ' ';
-						size--;
-						pad--;
-					}
-				}
-				cp = head;
-				while (*cp != '\0' && size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (zeropad > 0 && size > 1U) {
-					*str++ = '0';
-					size--;
-					zeropad--;
-				}
-				cp = buf;
-				while (*cp != '\0' && size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (pad > 0 && size > 1U) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-				break;
-			default:
-				break;
-			}
-			break;
-		case 's':
-			cp = va_arg(ap, char *);
-			REQUIRE(cp != NULL);
-
-			if (precision != 0U) {
-				/*
-				 * cp need not be NULL terminated.
-				 */
-				const char *tp;
-				unsigned long n;
-
-				n = precision;
-				tp = cp;
-				while (n != 0U && *tp != '\0')
-					n--, tp++;
-				length = precision - n;
-			} else {
-				length = strlen(cp);
-			}
-			if (width != 0U) {
-				pad = width - length;
-				if (pad < 0)
-					pad = 0;
-			}
-			count += pad + length;
-			if (!left)
-				while (pad > 0 && size > 1U) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-			if (precision != 0U)
-				while (precision > 0U && *cp != '\0' &&
-				       size > 1U) {
-					*str++ = *cp++;
-					size--;
-					precision--;
-				}
-			else
-				while (*cp != '\0' && size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-			while (pad > 0 && size > 1U) {
-				*str++ = ' ';
-				size--;
-				pad--;
-			}
-			break;
-		case 'c':
-			c = va_arg(ap, int);
-			if (width > 0U) {
-				count += width;
-				width--;
-				if (left) {
-					*str++ = c;
-					size--;
-				}
-				while (width-- > 0U && size > 1U) {
-					*str++ = ' ';
-					size--;
-				}
-				if (!left && size > 1U) {
-					*str++ = c;
-					size--;
-				}
-			} else {
-				count++;
-				if (size > 1U) {
-					*str++ = c;
-					size--;
-				}
-			}
-			break;
-		case 'p':
-			v = va_arg(ap, void *);
-			sprintf(buf, "%p", v);
-			length = strlen(buf);
-			if (precision > length)
-				zeropad = precision - length;
-			if (width > 0U) {
-				pad = width - length - zeropad;
-				if (pad < 0)
-					pad = 0;
-			}
-			count += length + pad + zeropad;
-			if (!left)
-				while (pad > 0 && size > 1U) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-			cp = buf;
-			if (zeropad > 0 && buf[0] == '0' &&
-			    (buf[1] == 'x' || buf[1] == 'X')) {
-				if (size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				if (size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (zeropad > 0 && size > 1U) {
-					*str++ = '0';
-					size--;
-					zeropad--;
-				}
-			}
-			while (*cp != '\0' && size > 1U) {
-				*str++ = *cp++;
-				size--;
-			}
-			while (pad > 0 && size > 1U) {
-				*str++ = ' ';
-				size--;
-				pad--;
-			}
-			break;
-
-		case 'D':	/*deprecated*/
-			INSIST("use %ld instead of %D" == NULL);
-			break;
-		case 'O':	/*deprecated*/
-			INSIST("use %lo instead of %O" == NULL);
-			break;
-		case 'U':	/*deprecated*/
-			INSIST("use %lu instead of %U" == NULL);
-			break;
-
-		case 'L':
-#ifdef HAVE_LONG_DOUBLE
-			l = 1;
-#else
-			INSIST("long doubles are not supported" == NULL);
-#endif
-			/*FALLTHROUGH*/
-		case 'e':
-		case 'E':
-		case 'f':
-		case 'g':
-		case 'G':
-			if (!dot)
-				precision = 6;
-			/*
-			 * IEEE floating point.
-			 * MIN 2.2250738585072014E-308
-			 * MAX 1.7976931348623157E+308
-			 * VAX floating point has a smaller range than IEEE.
-			 *
-			 * precisions > 324 don't make much sense.
-			 * if we cap the precision at 512 we will not
-			 * overflow buf.
-			 */
-			if (precision > 512U)
-				precision = 512;
-			sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
-				plus ? "+" : space ? " " : "",
-				precision, l ? "L" : "", *format);
-			switch (*format) {
-			case 'e':
-			case 'E':
-			case 'f':
-			case 'g':
-			case 'G':
-#ifdef HAVE_LONG_DOUBLE
-				if (l) {
-					ldbl = va_arg(ap, long double);
-					sprintf(buf, fmt, ldbl);
-				} else
-#endif
-				{
-					dbl = va_arg(ap, double);
-					sprintf(buf, fmt, dbl);
-				}
-				length = strlen(buf);
-				if (width > 0U) {
-					pad = width - length;
-					if (pad < 0)
-						pad = 0;
-				}
-				count += length + pad;
-				if (!left)
-					while (pad > 0 && size > 1U) {
-						*str++ = ' ';
-						size--;
-						pad--;
-					}
-				cp = buf;
-				while (*cp != ' ' && size > 1U) {
-					*str++ = *cp++;
-					size--;
-				}
-				while (pad > 0 && size > 1U) {
-					*str++ = ' ';
-					size--;
-					pad--;
-				}
-				break;
-			default:
-				continue;
-			}
-			break;
-		default:
-			continue;
-		}
-		format++;
-	}
-	if (size > 0U)
-		*str = '\0';
-	return (count);
-}
diff --git a/contrib/bind9/lib/lwres/print_p.h b/contrib/bind9/lib/lwres/print_p.h
deleted file mode 100644
index c8b8896..0000000
--- a/contrib/bind9/lib/lwres/print_p.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Copyright (C) 2004, 2007, 2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: print_p.h,v 1.6 2010/08/16 23:46:52 tbox Exp $ */
-
-#ifndef LWRES_PRINT_P_H
-#define LWRES_PRINT_P_H 1
-
-/***
- *** Imports
- ***/
-
-#include <lwres/lang.h>
-#include <lwres/platform.h>
-
-/*
- * This block allows lib/lwres/print.c to be cleanly compiled even if
- * the platform does not need it.  The standard Makefile will still
- * not compile print.c or archive print.o, so this is just to make test
- * compilation ("make print.o") easier.
- */
-#if !defined(LWRES_PLATFORM_NEEDVSNPRINTF) && defined(LWRES__PRINT_SOURCE)
-#define LWRES_PLATFORM_NEEDVSNPRINTF
-#endif
-
-#if !defined(LWRES_PLATFORM_NEEDSPRINTF) && defined(LWRES__PRINT_SOURCE)
-#define LWRES_PLATFORM_NEEDSPRINTF
-#endif
-
-/***
- *** Macros.
- ***/
-
-#ifdef __GNUC__
-#define LWRES_FORMAT_PRINTF(fmt, args) \
-	__attribute__((__format__(__printf__, fmt, args)))
-#else
-#define LWRES_FORMAT_PRINTF(fmt, args)
-#endif
-
-/***
- *** Functions
- ***/
-
-#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
-#include <stdarg.h>
-#include <stddef.h>
-#endif
-
-LWRES_LANG_BEGINDECLS
-
-#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
-int
-lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
-     LWRES_FORMAT_PRINTF(3, 0);
-#ifdef vsnprintf
-#undef vsnprintf
-#endif
-#define vsnprintf lwres__print_vsnprintf
-
-int
-lwres__print_snprintf(char *str, size_t size, const char *format, ...)
-     LWRES_FORMAT_PRINTF(3, 4);
-#ifdef snprintf
-#undef snprintf
-#endif
-#define snprintf lwres__print_snprintf
-#endif /* LWRES_PLATFORM_NEEDVSNPRINTF */
-
-#ifdef LWRES_PLATFORM_NEEDSPRINTF
-int
-lwres__print_sprintf(char *str, const char *format, ...) LWRES_FORMAT_PRINTF(2, 3);
-#ifdef sprintf
-#undef sprintf
-#endif
-#define sprintf lwres__print_sprintf
-#endif
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_PRINT_P_H */
diff --git a/contrib/bind9/lib/lwres/strtoul.c b/contrib/bind9/lib/lwres/strtoul.c
deleted file mode 100644
index f16896c..0000000
--- a/contrib/bind9/lib/lwres/strtoul.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1990, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*! \file */
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-/* $Id: strtoul.c,v 1.4 2007/06/19 23:47:22 tbox Exp $ */
-
-#include <config.h>
-
-#include <limits.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <lwres/stdlib.h>
-
-#define DE_CONST(konst, var) \
-	do { \
-		union { const void *k; void *v; } _u; \
-		_u.k = konst; \
-		var = _u.v; \
-	} while (0)
-
-/*!
- * Convert a string to an unsigned long integer.
- *
- * Ignores `locale' stuff.  Assumes that the upper and lower case
- * alphabets and digits are each contiguous.
- */
-unsigned long
-lwres_strtoul(const char *nptr, char **endptr, int base) {
-	const char *s = nptr;
-	unsigned long acc;
-	unsigned char c;
-	unsigned long cutoff;
-	int neg = 0, any, cutlim;
-
-	/*
-	 * See strtol for comments as to the logic used.
-	 */
-	do {
-		c = *s++;
-	} while (isspace(c));
-	if (c == '-') {
-		neg = 1;
-		c = *s++;
-	} else if (c == '+')
-		c = *s++;
-	if ((base == 0 || base == 16) &&
-	    c == '0' && (*s == 'x' || *s == 'X')) {
-		c = s[1];
-		s += 2;
-		base = 16;
-	}
-	if (base == 0)
-		base = c == '0' ? 8 : 10;
-	cutoff = (unsigned long)ULONG_MAX / (unsigned long)base;
-	cutlim = (unsigned long)ULONG_MAX % (unsigned long)base;
-	for (acc = 0, any = 0;; c = *s++) {
-		if (!isascii(c))
-			break;
-		if (isdigit(c))
-			c -= '0';
-		else if (isalpha(c))
-			c -= isupper(c) ? 'A' - 10 : 'a' - 10;
-		else
-			break;
-		if (c >= base)
-			break;
-		if (any < 0 || acc > cutoff || (acc == cutoff && c > cutlim))
-			any = -1;
-		else {
-			any = 1;
-			acc *= base;
-			acc += c;
-		}
-	}
-	if (any < 0) {
-		acc = ULONG_MAX;
-		errno = ERANGE;
-	} else if (neg)
-		acc = -acc;
-	if (endptr != 0)
-		DE_CONST(any ? s - 1 : nptr, *endptr);
-	return (acc);
-}
diff --git a/contrib/bind9/lib/lwres/unix/Makefile.in b/contrib/bind9/lib/lwres/unix/Makefile.in
deleted file mode 100644
index 26ca4fb..0000000
--- a/contrib/bind9/lib/lwres/unix/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/lwres/unix/include/Makefile.in b/contrib/bind9/lib/lwres/unix/include/Makefile.in
deleted file mode 100644
index 5372543..0000000
--- a/contrib/bind9/lib/lwres/unix/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS =	lwres
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
deleted file mode 100644
index 4f60ce8..0000000
--- a/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-HEADERS =	net.h
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/lwres
-
-install:: installdirs
-	for i in ${HEADERS}; do \
-		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/lwres ; \
-	done
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/net.h b/contrib/bind9/lib/lwres/unix/include/lwres/net.h
deleted file mode 100644
index 0b16178..0000000
--- a/contrib/bind9/lib/lwres/unix/include/lwres/net.h
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: net.h,v 1.9 2007/06/19 23:47:23 tbox Exp $ */
-
-#ifndef LWRES_NET_H
-#define LWRES_NET_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file net.h
- * This module is responsible for defining the following basic networking
- * types:
- *
- *\li		struct in_addr
- *\li		struct in6_addr
- *\li		struct sockaddr
- *\li		struct sockaddr_in
- *\li		struct sockaddr_in6
- *
- * It ensures that the AF_ and PF_ macros are defined.
- *
- * It declares ntoh[sl]() and hton[sl]().
- *
- * It declares lwres_net_aton(), lwres_net_ntop(), and lwres_net_pton().
- *
- * It ensures that #INADDR_LOOPBACK, #INADDR_ANY and #IN6ADDR_ANY_INIT
- * are defined.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <lwres/platform.h>	/* Required for LWRES_PLATFORM_*. */
-
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/socket.h>		/* Contractual promise. */
-#include <sys/ioctl.h>
-#include <sys/time.h>
-#include <sys/un.h>
-
-#include <netinet/in.h>		/* Contractual promise. */
-#include <arpa/inet.h>		/* Contractual promise. */
-#ifdef LWRES_PLATFORM_NEEDNETINETIN6H
-#include <netinet/in6.h>	/* Required on UnixWare. */
-#endif
-#ifdef LWRES_PLATFORM_NEEDNETINET6IN6H
-#include <netinet6/in6.h>	/* Required on BSD/OS for in6_pktinfo. */
-#endif
-#include <net/if.h>	
-
-#include <lwres/lang.h>
-
-#ifndef LWRES_PLATFORM_HAVEIPV6
-#include <lwres/ipv6.h>		/* Contractual promise. */
-#endif
-
-#ifdef LWRES_PLATFORM_HAVEINADDR6
-#define in6_addr in_addr6	/* Required for pre RFC2133 implementations. */
-#endif
-
-/*!
- * Required for some pre RFC2133 implementations.
- * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
- * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.  
- * If 's6_addr' is defined then assume that there is a union and three
- * levels otherwise assume two levels required.
- */
-#ifndef IN6ADDR_ANY_INIT
-#ifdef s6_addr
-#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
-#else
-#define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
-#endif
-#endif
-
-/*!
- * Initialize address loopback.  See IN6ADDR_ANY_INIT
- */
-#ifndef IN6ADDR_LOOPBACK_INIT
-#ifdef s6_addr
-#define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
-#else
-#define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
-#endif
-#endif
-
-/*% Used by AI_ALL */
-#ifndef AF_INET6
-#define AF_INET6 99
-#endif
-
-
-/*% Used to return IPV6 address types. */
-#ifndef PF_INET6
-#define PF_INET6 AF_INET6
-#endif
-
-/*% inaddr Loopback */
-#ifndef INADDR_LOOPBACK
-#define INADDR_LOOPBACK 0x7f000001UL
-#endif
-
-LWRES_LANG_BEGINDECLS
-
-const char *
-lwres_net_ntop(int af, const void *src, char *dst, size_t size);
-
-int
-lwres_net_pton(int af, const char *src, void *dst);
-
-int
-lwres_net_aton(const char *cp, struct in_addr *addr);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_NET_H */
diff --git a/contrib/bind9/lib/lwres/version.c b/contrib/bind9/lib/lwres/version.c
deleted file mode 100644
index cc52c51..0000000
--- a/contrib/bind9/lib/lwres/version.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.12 2007/06/19 23:47:22 tbox Exp $ */
-
-/*! \file */
-
-#include <lwres/version.h>
-
-const char lwres_version[] = VERSION;
-
-const unsigned int lwres_libinterface = LIBINTERFACE;
-const unsigned int lwres_librevision = LIBREVISION;
-const unsigned int lwres_libage = LIBAGE;
diff --git a/contrib/bind9/libtool.m4/libtool.m4 b/contrib/bind9/libtool.m4/libtool.m4
deleted file mode 100644
index 44e0ecf..0000000
--- a/contrib/bind9/libtool.m4/libtool.m4
+++ /dev/null
@@ -1,7982 +0,0 @@
-# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
-#
-#   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-#                 Foundation, Inc.
-#   Written by Gordon Matzigkeit, 1996
-#
-# This file is free software; the Free Software Foundation gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
-
-m4_define([_LT_COPYING], [dnl
-#   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-#                 Foundation, Inc.
-#   Written by Gordon Matzigkeit, 1996
-#
-#   This file is part of GNU Libtool.
-#
-# GNU Libtool is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# As a special exception to the GNU General Public License,
-# if you distribute this file as part of a program or library that
-# is built using GNU Libtool, you may include this file under the
-# same distribution terms that you use for the rest of that program.
-#
-# GNU Libtool is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with GNU Libtool; see the file COPYING.  If not, a copy
-# can be downloaded from http://www.gnu.org/licenses/gpl.html, or
-# obtained by writing to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-])
-
-# serial 57 LT_INIT
-
-
-# LT_PREREQ(VERSION)
-# ------------------
-# Complain and exit if this libtool version is less that VERSION.
-m4_defun([LT_PREREQ],
-[m4_if(m4_version_compare(m4_defn([LT_PACKAGE_VERSION]), [$1]), -1,
-       [m4_default([$3],
-		   [m4_fatal([Libtool version $1 or higher is required],
-		             63)])],
-       [$2])])
-
-
-# _LT_CHECK_BUILDDIR
-# ------------------
-# Complain if the absolute build directory name contains unusual characters
-m4_defun([_LT_CHECK_BUILDDIR],
-[case `pwd` in
-  *\ * | *\	*)
-    AC_MSG_WARN([Libtool does not cope well with whitespace in `pwd`]) ;;
-esac
-])
-
-
-# LT_INIT([OPTIONS])
-# ------------------
-AC_DEFUN([LT_INIT],
-[AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT
-AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
-AC_BEFORE([$0], [LT_LANG])dnl
-AC_BEFORE([$0], [LT_OUTPUT])dnl
-AC_BEFORE([$0], [LTDL_INIT])dnl
-m4_require([_LT_CHECK_BUILDDIR])dnl
-
-dnl Autoconf doesn't catch unexpanded LT_ macros by default:
-m4_pattern_forbid([^_?LT_[A-Z_]+$])dnl
-m4_pattern_allow([^(_LT_EOF|LT_DLGLOBAL|LT_DLLAZY_OR_NOW|LT_MULTI_MODULE)$])dnl
-dnl aclocal doesn't pull ltoptions.m4, ltsugar.m4, or ltversion.m4
-dnl unless we require an AC_DEFUNed macro:
-AC_REQUIRE([LTOPTIONS_VERSION])dnl
-AC_REQUIRE([LTSUGAR_VERSION])dnl
-AC_REQUIRE([LTVERSION_VERSION])dnl
-AC_REQUIRE([LTOBSOLETE_VERSION])dnl
-m4_require([_LT_PROG_LTMAIN])dnl
-
-_LT_SHELL_INIT([SHELL=${CONFIG_SHELL-/bin/sh}])
-
-dnl Parse OPTIONS
-_LT_SET_OPTIONS([$0], [$1])
-
-# This can be used to rebuild libtool when needed
-LIBTOOL_DEPS="$ltmain"
-
-# Always use our own libtool.
-LIBTOOL='$(SHELL) $(top_builddir)/libtool'
-AC_SUBST(LIBTOOL)dnl
-
-_LT_SETUP
-
-# Only expand once:
-m4_define([LT_INIT])
-])# LT_INIT
-
-# Old names:
-AU_ALIAS([AC_PROG_LIBTOOL], [LT_INIT])
-AU_ALIAS([AM_PROG_LIBTOOL], [LT_INIT])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_PROG_LIBTOOL], [])
-dnl AC_DEFUN([AM_PROG_LIBTOOL], [])
-
-
-# _LT_CC_BASENAME(CC)
-# -------------------
-# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
-m4_defun([_LT_CC_BASENAME],
-[for cc_temp in $1""; do
-  case $cc_temp in
-    compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
-    distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
-])
-
-
-# _LT_FILEUTILS_DEFAULTS
-# ----------------------
-# It is okay to use these file commands and assume they have been set
-# sensibly after `m4_require([_LT_FILEUTILS_DEFAULTS])'.
-m4_defun([_LT_FILEUTILS_DEFAULTS],
-[: ${CP="cp -f"}
-: ${MV="mv -f"}
-: ${RM="rm -f"}
-])# _LT_FILEUTILS_DEFAULTS
-
-
-# _LT_SETUP
-# ---------
-m4_defun([_LT_SETUP],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl
-AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
-
-_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl
-dnl
-_LT_DECL([], [host_alias], [0], [The host system])dnl
-_LT_DECL([], [host], [0])dnl
-_LT_DECL([], [host_os], [0])dnl
-dnl
-_LT_DECL([], [build_alias], [0], [The build system])dnl
-_LT_DECL([], [build], [0])dnl
-_LT_DECL([], [build_os], [0])dnl
-dnl
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([LT_PATH_LD])dnl
-AC_REQUIRE([LT_PATH_NM])dnl
-dnl
-AC_REQUIRE([AC_PROG_LN_S])dnl
-test -z "$LN_S" && LN_S="ln -s"
-_LT_DECL([], [LN_S], [1], [Whether we need soft or hard links])dnl
-dnl
-AC_REQUIRE([LT_CMD_MAX_LEN])dnl
-_LT_DECL([objext], [ac_objext], [0], [Object file suffix (normally "o")])dnl
-_LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl
-dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_CHECK_SHELL_FEATURES])dnl
-m4_require([_LT_PATH_CONVERSION_FUNCTIONS])dnl
-m4_require([_LT_CMD_RELOAD])dnl
-m4_require([_LT_CHECK_MAGIC_METHOD])dnl
-m4_require([_LT_CHECK_SHAREDLIB_FROM_LINKLIB])dnl
-m4_require([_LT_CMD_OLD_ARCHIVE])dnl
-m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
-m4_require([_LT_WITH_SYSROOT])dnl
-
-_LT_CONFIG_LIBTOOL_INIT([
-# See if we are running on zsh, and set the options which allow our
-# commands through without removal of \ escapes INIT.
-if test -n "\${ZSH_VERSION+set}" ; then
-   setopt NO_GLOB_SUBST
-fi
-])
-if test -n "${ZSH_VERSION+set}" ; then
-   setopt NO_GLOB_SUBST
-fi
-
-_LT_CHECK_OBJDIR
-
-m4_require([_LT_TAG_COMPILER])dnl
-
-case $host_os in
-aix3*)
-  # AIX sometimes has problems with the GCC collect2 program.  For some
-  # reason, if we set the COLLECT_NAMES environment variable, the problems
-  # vanish in a puff of smoke.
-  if test "X${COLLECT_NAMES+set}" != Xset; then
-    COLLECT_NAMES=
-    export COLLECT_NAMES
-  fi
-  ;;
-esac
-
-# Global variables:
-ofile=libtool
-can_build_shared=yes
-
-# All known linkers require a `.a' archive for static linking (except MSVC,
-# which needs '.lib').
-libext=a
-
-with_gnu_ld="$lt_cv_prog_gnu_ld"
-
-old_CC="$CC"
-old_CFLAGS="$CFLAGS"
-
-# Set sane defaults for various variables
-test -z "$CC" && CC=cc
-test -z "$LTCC" && LTCC=$CC
-test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
-test -z "$LD" && LD=ld
-test -z "$ac_objext" && ac_objext=o
-
-_LT_CC_BASENAME([$compiler])
-
-# Only perform the check for file, if the check method requires it
-test -z "$MAGIC_CMD" && MAGIC_CMD=file
-case $deplibs_check_method in
-file_magic*)
-  if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    _LT_PATH_MAGIC
-  fi
-  ;;
-esac
-
-# Use C for the default configuration in the libtool script
-LT_SUPPORTED_TAG([CC])
-_LT_LANG_C_CONFIG
-_LT_LANG_DEFAULT_CONFIG
-_LT_CONFIG_COMMANDS
-])# _LT_SETUP
-
-
-# _LT_PREPARE_SED_QUOTE_VARS
-# --------------------------
-# Define a few sed substitution that help us do robust quoting.
-m4_defun([_LT_PREPARE_SED_QUOTE_VARS],
-[# Backslashify metacharacters that are still active within
-# double-quoted strings.
-sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\([["`\\]]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to delay expansion of an escaped single quote.
-delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-])
-
-# _LT_PROG_LTMAIN
-# ---------------
-# Note that this code is called both from `configure', and `config.status'
-# now that we use AC_CONFIG_COMMANDS to generate libtool.  Notably,
-# `config.status' has no value for ac_aux_dir unless we are using Automake,
-# so we pass a copy along to make sure it has a sensible value anyway.
-m4_defun([_LT_PROG_LTMAIN],
-[m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([ltmain.sh])])dnl
-_LT_CONFIG_LIBTOOL_INIT([ac_aux_dir='$ac_aux_dir'])
-ltmain="$ac_aux_dir/ltmain.sh"
-])# _LT_PROG_LTMAIN
-
-
-## ------------------------------------- ##
-## Accumulate code for creating libtool. ##
-## ------------------------------------- ##
-
-# So that we can recreate a full libtool script including additional
-# tags, we accumulate the chunks of code to send to AC_CONFIG_COMMANDS
-# in macros and then make a single call at the end using the `libtool'
-# label.
-
-
-# _LT_CONFIG_LIBTOOL_INIT([INIT-COMMANDS])
-# ----------------------------------------
-# Register INIT-COMMANDS to be passed to AC_CONFIG_COMMANDS later.
-m4_define([_LT_CONFIG_LIBTOOL_INIT],
-[m4_ifval([$1],
-          [m4_append([_LT_OUTPUT_LIBTOOL_INIT],
-                     [$1
-])])])
-
-# Initialize.
-m4_define([_LT_OUTPUT_LIBTOOL_INIT])
-
-
-# _LT_CONFIG_LIBTOOL([COMMANDS])
-# ------------------------------
-# Register COMMANDS to be passed to AC_CONFIG_COMMANDS later.
-m4_define([_LT_CONFIG_LIBTOOL],
-[m4_ifval([$1],
-          [m4_append([_LT_OUTPUT_LIBTOOL_COMMANDS],
-                     [$1
-])])])
-
-# Initialize.
-m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS])
-
-
-# _LT_CONFIG_SAVE_COMMANDS([COMMANDS], [INIT_COMMANDS])
-# -----------------------------------------------------
-m4_defun([_LT_CONFIG_SAVE_COMMANDS],
-[_LT_CONFIG_LIBTOOL([$1])
-_LT_CONFIG_LIBTOOL_INIT([$2])
-])
-
-
-# _LT_FORMAT_COMMENT([COMMENT])
-# -----------------------------
-# Add leading comment marks to the start of each line, and a trailing
-# full-stop to the whole comment if one is not present already.
-m4_define([_LT_FORMAT_COMMENT],
-[m4_ifval([$1], [
-m4_bpatsubst([m4_bpatsubst([$1], [^ *], [# ])],
-              [['`$\]], [\\\&])]m4_bmatch([$1], [[!?.]$], [], [.])
-)])
-
-
-
-## ------------------------ ##
-## FIXME: Eliminate VARNAME ##
-## ------------------------ ##
-
-
-# _LT_DECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION], [IS-TAGGED?])
-# -------------------------------------------------------------------
-# CONFIGNAME is the name given to the value in the libtool script.
-# VARNAME is the (base) name used in the configure script.
-# VALUE may be 0, 1 or 2 for a computed quote escaped value based on
-# VARNAME.  Any other value will be used directly.
-m4_define([_LT_DECL],
-[lt_if_append_uniq([lt_decl_varnames], [$2], [, ],
-    [lt_dict_add_subkey([lt_decl_dict], [$2], [libtool_name],
-	[m4_ifval([$1], [$1], [$2])])
-    lt_dict_add_subkey([lt_decl_dict], [$2], [value], [$3])
-    m4_ifval([$4],
-	[lt_dict_add_subkey([lt_decl_dict], [$2], [description], [$4])])
-    lt_dict_add_subkey([lt_decl_dict], [$2],
-	[tagged?], [m4_ifval([$5], [yes], [no])])])
-])
-
-
-# _LT_TAGDECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION])
-# --------------------------------------------------------
-m4_define([_LT_TAGDECL], [_LT_DECL([$1], [$2], [$3], [$4], [yes])])
-
-
-# lt_decl_tag_varnames([SEPARATOR], [VARNAME1...])
-# ------------------------------------------------
-m4_define([lt_decl_tag_varnames],
-[_lt_decl_filter([tagged?], [yes], $@)])
-
-
-# _lt_decl_filter(SUBKEY, VALUE, [SEPARATOR], [VARNAME1..])
-# ---------------------------------------------------------
-m4_define([_lt_decl_filter],
-[m4_case([$#],
-  [0], [m4_fatal([$0: too few arguments: $#])],
-  [1], [m4_fatal([$0: too few arguments: $#: $1])],
-  [2], [lt_dict_filter([lt_decl_dict], [$1], [$2], [], lt_decl_varnames)],
-  [3], [lt_dict_filter([lt_decl_dict], [$1], [$2], [$3], lt_decl_varnames)],
-  [lt_dict_filter([lt_decl_dict], $@)])[]dnl
-])
-
-
-# lt_decl_quote_varnames([SEPARATOR], [VARNAME1...])
-# --------------------------------------------------
-m4_define([lt_decl_quote_varnames],
-[_lt_decl_filter([value], [1], $@)])
-
-
-# lt_decl_dquote_varnames([SEPARATOR], [VARNAME1...])
-# ---------------------------------------------------
-m4_define([lt_decl_dquote_varnames],
-[_lt_decl_filter([value], [2], $@)])
-
-
-# lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...])
-# ---------------------------------------------------
-m4_define([lt_decl_varnames_tagged],
-[m4_assert([$# <= 2])dnl
-_$0(m4_quote(m4_default([$1], [[, ]])),
-    m4_ifval([$2], [[$2]], [m4_dquote(lt_decl_tag_varnames)]),
-    m4_split(m4_normalize(m4_quote(_LT_TAGS)), [ ]))])
-m4_define([_lt_decl_varnames_tagged],
-[m4_ifval([$3], [lt_combine([$1], [$2], [_], $3)])])
-
-
-# lt_decl_all_varnames([SEPARATOR], [VARNAME1...])
-# ------------------------------------------------
-m4_define([lt_decl_all_varnames],
-[_$0(m4_quote(m4_default([$1], [[, ]])),
-     m4_if([$2], [],
-	   m4_quote(lt_decl_varnames),
-	m4_quote(m4_shift($@))))[]dnl
-])
-m4_define([_lt_decl_all_varnames],
-[lt_join($@, lt_decl_varnames_tagged([$1],
-			lt_decl_tag_varnames([[, ]], m4_shift($@))))dnl
-])
-
-
-# _LT_CONFIG_STATUS_DECLARE([VARNAME])
-# ------------------------------------
-# Quote a variable value, and forward it to `config.status' so that its
-# declaration there will have the same value as in `configure'.  VARNAME
-# must have a single quote delimited value for this to work.
-m4_define([_LT_CONFIG_STATUS_DECLARE],
-[$1='`$ECHO "$][$1" | $SED "$delay_single_quote_subst"`'])
-
-
-# _LT_CONFIG_STATUS_DECLARATIONS
-# ------------------------------
-# We delimit libtool config variables with single quotes, so when
-# we write them to config.status, we have to be sure to quote all
-# embedded single quotes properly.  In configure, this macro expands
-# each variable declared with _LT_DECL (and _LT_TAGDECL) into:
-#
-#    <var>='`$ECHO "$<var>" | $SED "$delay_single_quote_subst"`'
-m4_defun([_LT_CONFIG_STATUS_DECLARATIONS],
-[m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames),
-    [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])])
-
-
-# _LT_LIBTOOL_TAGS
-# ----------------
-# Output comment and list of tags supported by the script
-m4_defun([_LT_LIBTOOL_TAGS],
-[_LT_FORMAT_COMMENT([The names of the tagged configurations supported by this script])dnl
-available_tags="_LT_TAGS"dnl
-])
-
-
-# _LT_LIBTOOL_DECLARE(VARNAME, [TAG])
-# -----------------------------------
-# Extract the dictionary values for VARNAME (optionally with TAG) and
-# expand to a commented shell variable setting:
-#
-#    # Some comment about what VAR is for.
-#    visible_name=$lt_internal_name
-m4_define([_LT_LIBTOOL_DECLARE],
-[_LT_FORMAT_COMMENT(m4_quote(lt_dict_fetch([lt_decl_dict], [$1],
-					   [description])))[]dnl
-m4_pushdef([_libtool_name],
-    m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [libtool_name])))[]dnl
-m4_case(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [value])),
-    [0], [_libtool_name=[$]$1],
-    [1], [_libtool_name=$lt_[]$1],
-    [2], [_libtool_name=$lt_[]$1],
-    [_libtool_name=lt_dict_fetch([lt_decl_dict], [$1], [value])])[]dnl
-m4_ifval([$2], [_$2])[]m4_popdef([_libtool_name])[]dnl
-])
-
-
-# _LT_LIBTOOL_CONFIG_VARS
-# -----------------------
-# Produce commented declarations of non-tagged libtool config variables
-# suitable for insertion in the LIBTOOL CONFIG section of the `libtool'
-# script.  Tagged libtool config variables (even for the LIBTOOL CONFIG
-# section) are produced by _LT_LIBTOOL_TAG_VARS.
-m4_defun([_LT_LIBTOOL_CONFIG_VARS],
-[m4_foreach([_lt_var],
-    m4_quote(_lt_decl_filter([tagged?], [no], [], lt_decl_varnames)),
-    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var)])])])
-
-
-# _LT_LIBTOOL_TAG_VARS(TAG)
-# -------------------------
-m4_define([_LT_LIBTOOL_TAG_VARS],
-[m4_foreach([_lt_var], m4_quote(lt_decl_tag_varnames),
-    [m4_n([_LT_LIBTOOL_DECLARE(_lt_var, [$1])])])])
-
-
-# _LT_TAGVAR(VARNAME, [TAGNAME])
-# ------------------------------
-m4_define([_LT_TAGVAR], [m4_ifval([$2], [$1_$2], [$1])])
-
-
-# _LT_CONFIG_COMMANDS
-# -------------------
-# Send accumulated output to $CONFIG_STATUS.  Thanks to the lists of
-# variables for single and double quote escaping we saved from calls
-# to _LT_DECL, we can put quote escaped variables declarations
-# into `config.status', and then the shell code to quote escape them in
-# for loops in `config.status'.  Finally, any additional code accumulated
-# from calls to _LT_CONFIG_LIBTOOL_INIT is expanded.
-m4_defun([_LT_CONFIG_COMMANDS],
-[AC_PROVIDE_IFELSE([LT_OUTPUT],
-	dnl If the libtool generation code has been placed in $CONFIG_LT,
-	dnl instead of duplicating it all over again into config.status,
-	dnl then we will have config.status run $CONFIG_LT later, so it
-	dnl needs to know what name is stored there:
-        [AC_CONFIG_COMMANDS([libtool],
-            [$SHELL $CONFIG_LT || AS_EXIT(1)], [CONFIG_LT='$CONFIG_LT'])],
-    dnl If the libtool generation code is destined for config.status,
-    dnl expand the accumulated commands and init code now:
-    [AC_CONFIG_COMMANDS([libtool],
-        [_LT_OUTPUT_LIBTOOL_COMMANDS], [_LT_OUTPUT_LIBTOOL_COMMANDS_INIT])])
-])#_LT_CONFIG_COMMANDS
-
-
-# Initialize.
-m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS_INIT],
-[
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-sed_quote_subst='$sed_quote_subst'
-double_quote_subst='$double_quote_subst'
-delay_variable_subst='$delay_variable_subst'
-_LT_CONFIG_STATUS_DECLARATIONS
-LTCC='$LTCC'
-LTCFLAGS='$LTCFLAGS'
-compiler='$compiler_DEFAULT'
-
-# A function that is used when there is no print builtin or printf.
-func_fallback_echo ()
-{
-  eval 'cat <<_LTECHO_EOF
-\$[]1
-_LTECHO_EOF'
-}
-
-# Quote evaled strings.
-for var in lt_decl_all_varnames([[ \
-]], lt_decl_quote_varnames); do
-    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
-    *[[\\\\\\\`\\"\\\$]]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\""
-      ;;
-    *)
-      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
-      ;;
-    esac
-done
-
-# Double-quote double-evaled strings.
-for var in lt_decl_all_varnames([[ \
-]], lt_decl_dquote_varnames); do
-    case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in
-    *[[\\\\\\\`\\"\\\$]]*)
-      eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\""
-      ;;
-    *)
-      eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\""
-      ;;
-    esac
-done
-
-_LT_OUTPUT_LIBTOOL_INIT
-])
-
-# _LT_GENERATED_FILE_INIT(FILE, [COMMENT])
-# ------------------------------------
-# Generate a child script FILE with all initialization necessary to
-# reuse the environment learned by the parent script, and make the
-# file executable.  If COMMENT is supplied, it is inserted after the
-# `#!' sequence but before initialization text begins.  After this
-# macro, additional text can be appended to FILE to form the body of
-# the child script.  The macro ends with non-zero status if the
-# file could not be fully written (such as if the disk is full).
-m4_ifdef([AS_INIT_GENERATED],
-[m4_defun([_LT_GENERATED_FILE_INIT],[AS_INIT_GENERATED($@)])],
-[m4_defun([_LT_GENERATED_FILE_INIT],
-[m4_require([AS_PREPARE])]dnl
-[m4_pushdef([AS_MESSAGE_LOG_FD])]dnl
-[lt_write_fail=0
-cat >$1 <<_ASEOF || lt_write_fail=1
-#! $SHELL
-# Generated by $as_me.
-$2
-SHELL=\${CONFIG_SHELL-$SHELL}
-export SHELL
-_ASEOF
-cat >>$1 <<\_ASEOF || lt_write_fail=1
-AS_SHELL_SANITIZE
-_AS_PREPARE
-exec AS_MESSAGE_FD>&1
-_ASEOF
-test $lt_write_fail = 0 && chmod +x $1[]dnl
-m4_popdef([AS_MESSAGE_LOG_FD])])])# _LT_GENERATED_FILE_INIT
-
-# LT_OUTPUT
-# ---------
-# This macro allows early generation of the libtool script (before
-# AC_OUTPUT is called), incase it is used in configure for compilation
-# tests.
-AC_DEFUN([LT_OUTPUT],
-[: ${CONFIG_LT=./config.lt}
-AC_MSG_NOTICE([creating $CONFIG_LT])
-_LT_GENERATED_FILE_INIT(["$CONFIG_LT"],
-[# Run this file to recreate a libtool stub with the current configuration.])
-
-cat >>"$CONFIG_LT" <<\_LTEOF
-lt_cl_silent=false
-exec AS_MESSAGE_LOG_FD>>config.log
-{
-  echo
-  AS_BOX([Running $as_me.])
-} >&AS_MESSAGE_LOG_FD
-
-lt_cl_help="\
-\`$as_me' creates a local libtool stub from the current configuration,
-for use in further configure time tests before the real libtool is
-generated.
-
-Usage: $[0] [[OPTIONS]]
-
-  -h, --help      print this help, then exit
-  -V, --version   print version number, then exit
-  -q, --quiet     do not print progress messages
-  -d, --debug     don't remove temporary files
-
-Report bugs to <bug-libtool@gnu.org>."
-
-lt_cl_version="\
-m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
-m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
-configured by $[0], generated by m4_PACKAGE_STRING.
-
-Copyright (C) 2011 Free Software Foundation, Inc.
-This config.lt script is free software; the Free Software Foundation
-gives unlimited permision to copy, distribute and modify it."
-
-while test $[#] != 0
-do
-  case $[1] in
-    --version | --v* | -V )
-      echo "$lt_cl_version"; exit 0 ;;
-    --help | --h* | -h )
-      echo "$lt_cl_help"; exit 0 ;;
-    --debug | --d* | -d )
-      debug=: ;;
-    --quiet | --q* | --silent | --s* | -q )
-      lt_cl_silent=: ;;
-
-    -*) AC_MSG_ERROR([unrecognized option: $[1]
-Try \`$[0] --help' for more information.]) ;;
-
-    *) AC_MSG_ERROR([unrecognized argument: $[1]
-Try \`$[0] --help' for more information.]) ;;
-  esac
-  shift
-done
-
-if $lt_cl_silent; then
-  exec AS_MESSAGE_FD>/dev/null
-fi
-_LTEOF
-
-cat >>"$CONFIG_LT" <<_LTEOF
-_LT_OUTPUT_LIBTOOL_COMMANDS_INIT
-_LTEOF
-
-cat >>"$CONFIG_LT" <<\_LTEOF
-AC_MSG_NOTICE([creating $ofile])
-_LT_OUTPUT_LIBTOOL_COMMANDS
-AS_EXIT(0)
-_LTEOF
-chmod +x "$CONFIG_LT"
-
-# configure is writing to config.log, but config.lt does its own redirection,
-# appending to config.log, which fails on DOS, as config.log is still kept
-# open by configure.  Here we exec the FD to /dev/null, effectively closing
-# config.log, so it can be properly (re)opened and appended to by config.lt.
-lt_cl_success=:
-test "$silent" = yes &&
-  lt_config_lt_args="$lt_config_lt_args --quiet"
-exec AS_MESSAGE_LOG_FD>/dev/null
-$SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false
-exec AS_MESSAGE_LOG_FD>>config.log
-$lt_cl_success || AS_EXIT(1)
-])# LT_OUTPUT
-
-
-# _LT_CONFIG(TAG)
-# ---------------
-# If TAG is the built-in tag, create an initial libtool script with a
-# default configuration from the untagged config vars.  Otherwise add code
-# to config.status for appending the configuration named by TAG from the
-# matching tagged config vars.
-m4_defun([_LT_CONFIG],
-[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-_LT_CONFIG_SAVE_COMMANDS([
-  m4_define([_LT_TAG], m4_if([$1], [], [C], [$1]))dnl
-  m4_if(_LT_TAG, [C], [
-    # See if we are running on zsh, and set the options which allow our
-    # commands through without removal of \ escapes.
-    if test -n "${ZSH_VERSION+set}" ; then
-      setopt NO_GLOB_SUBST
-    fi
-
-    cfgfile="${ofile}T"
-    trap "$RM \"$cfgfile\"; exit 1" 1 2 15
-    $RM "$cfgfile"
-
-    cat <<_LT_EOF >> "$cfgfile"
-#! $SHELL
-
-# `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
-# Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-# NOTE: Changes made to this file will be lost: look at ltmain.sh.
-#
-_LT_COPYING
-_LT_LIBTOOL_TAGS
-
-# ### BEGIN LIBTOOL CONFIG
-_LT_LIBTOOL_CONFIG_VARS
-_LT_LIBTOOL_TAG_VARS
-# ### END LIBTOOL CONFIG
-
-_LT_EOF
-
-  case $host_os in
-  aix3*)
-    cat <<\_LT_EOF >> "$cfgfile"
-# AIX sometimes has problems with the GCC collect2 program.  For some
-# reason, if we set the COLLECT_NAMES environment variable, the problems
-# vanish in a puff of smoke.
-if test "X${COLLECT_NAMES+set}" != Xset; then
-  COLLECT_NAMES=
-  export COLLECT_NAMES
-fi
-_LT_EOF
-    ;;
-  esac
-
-  _LT_PROG_LTMAIN
-
-  # We use sed instead of cat because bash on DJGPP gets confused if
-  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
-  # text mode, it properly converts lines to CR/LF.  This bash problem
-  # is reportedly fixed, but why not run on old versions too?
-  sed '$q' "$ltmain" >> "$cfgfile" \
-     || (rm -f "$cfgfile"; exit 1)
-
-  _LT_PROG_REPLACE_SHELLFNS
-
-   mv -f "$cfgfile" "$ofile" ||
-    (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
-  chmod +x "$ofile"
-],
-[cat <<_LT_EOF >> "$ofile"
-
-dnl Unfortunately we have to use $1 here, since _LT_TAG is not expanded
-dnl in a comment (ie after a #).
-# ### BEGIN LIBTOOL TAG CONFIG: $1
-_LT_LIBTOOL_TAG_VARS(_LT_TAG)
-# ### END LIBTOOL TAG CONFIG: $1
-_LT_EOF
-])dnl /m4_if
-],
-[m4_if([$1], [], [
-    PACKAGE='$PACKAGE'
-    VERSION='$VERSION'
-    TIMESTAMP='$TIMESTAMP'
-    RM='$RM'
-    ofile='$ofile'], [])
-])dnl /_LT_CONFIG_SAVE_COMMANDS
-])# _LT_CONFIG
-
-
-# LT_SUPPORTED_TAG(TAG)
-# ---------------------
-# Trace this macro to discover what tags are supported by the libtool
-# --tag option, using:
-#    autoconf --trace 'LT_SUPPORTED_TAG:$1'
-AC_DEFUN([LT_SUPPORTED_TAG], [])
-
-
-# C support is built-in for now
-m4_define([_LT_LANG_C_enabled], [])
-m4_define([_LT_TAGS], [])
-
-
-# LT_LANG(LANG)
-# -------------
-# Enable libtool support for the given language if not already enabled.
-AC_DEFUN([LT_LANG],
-[AC_BEFORE([$0], [LT_OUTPUT])dnl
-m4_case([$1],
-  [C],			[_LT_LANG(C)],
-  [C++],		[_LT_LANG(CXX)],
-  [Go],			[_LT_LANG(GO)],
-  [Java],		[_LT_LANG(GCJ)],
-  [Fortran 77],		[_LT_LANG(F77)],
-  [Fortran],		[_LT_LANG(FC)],
-  [Windows Resource],	[_LT_LANG(RC)],
-  [m4_ifdef([_LT_LANG_]$1[_CONFIG],
-    [_LT_LANG($1)],
-    [m4_fatal([$0: unsupported language: "$1"])])])dnl
-])# LT_LANG
-
-
-# _LT_LANG(LANGNAME)
-# ------------------
-m4_defun([_LT_LANG],
-[m4_ifdef([_LT_LANG_]$1[_enabled], [],
-  [LT_SUPPORTED_TAG([$1])dnl
-  m4_append([_LT_TAGS], [$1 ])dnl
-  m4_define([_LT_LANG_]$1[_enabled], [])dnl
-  _LT_LANG_$1_CONFIG($1)])dnl
-])# _LT_LANG
-
-
-m4_ifndef([AC_PROG_GO], [
-############################################################
-# NOTE: This macro has been submitted for inclusion into   #
-#  GNU Autoconf as AC_PROG_GO.  When it is available in    #
-#  a released version of Autoconf we should remove this    #
-#  macro and use it instead.                               #
-############################################################
-m4_defun([AC_PROG_GO],
-[AC_LANG_PUSH(Go)dnl
-AC_ARG_VAR([GOC],     [Go compiler command])dnl
-AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl
-_AC_ARG_VAR_LDFLAGS()dnl
-AC_CHECK_TOOL(GOC, gccgo)
-if test -z "$GOC"; then
-  if test -n "$ac_tool_prefix"; then
-    AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo])
-  fi
-fi
-if test -z "$GOC"; then
-  AC_CHECK_PROG(GOC, gccgo, gccgo, false)
-fi
-])#m4_defun
-])#m4_ifndef
-
-
-# _LT_LANG_DEFAULT_CONFIG
-# -----------------------
-m4_defun([_LT_LANG_DEFAULT_CONFIG],
-[AC_PROVIDE_IFELSE([AC_PROG_CXX],
-  [LT_LANG(CXX)],
-  [m4_define([AC_PROG_CXX], defn([AC_PROG_CXX])[LT_LANG(CXX)])])
-
-AC_PROVIDE_IFELSE([AC_PROG_F77],
-  [LT_LANG(F77)],
-  [m4_define([AC_PROG_F77], defn([AC_PROG_F77])[LT_LANG(F77)])])
-
-AC_PROVIDE_IFELSE([AC_PROG_FC],
-  [LT_LANG(FC)],
-  [m4_define([AC_PROG_FC], defn([AC_PROG_FC])[LT_LANG(FC)])])
-
-dnl The call to [A][M_PROG_GCJ] is quoted like that to stop aclocal
-dnl pulling things in needlessly.
-AC_PROVIDE_IFELSE([AC_PROG_GCJ],
-  [LT_LANG(GCJ)],
-  [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
-    [LT_LANG(GCJ)],
-    [AC_PROVIDE_IFELSE([LT_PROG_GCJ],
-      [LT_LANG(GCJ)],
-      [m4_ifdef([AC_PROG_GCJ],
-	[m4_define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[LT_LANG(GCJ)])])
-       m4_ifdef([A][M_PROG_GCJ],
-	[m4_define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[LT_LANG(GCJ)])])
-       m4_ifdef([LT_PROG_GCJ],
-	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
-
-AC_PROVIDE_IFELSE([AC_PROG_GO],
-  [LT_LANG(GO)],
-  [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])])
-
-AC_PROVIDE_IFELSE([LT_PROG_RC],
-  [LT_LANG(RC)],
-  [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
-])# _LT_LANG_DEFAULT_CONFIG
-
-# Obsolete macros:
-AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)])
-AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)])
-AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)])
-AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)])
-AU_DEFUN([AC_LIBTOOL_RC], [LT_LANG(Windows Resource)])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_CXX], [])
-dnl AC_DEFUN([AC_LIBTOOL_F77], [])
-dnl AC_DEFUN([AC_LIBTOOL_FC], [])
-dnl AC_DEFUN([AC_LIBTOOL_GCJ], [])
-dnl AC_DEFUN([AC_LIBTOOL_RC], [])
-
-
-# _LT_TAG_COMPILER
-# ----------------
-m4_defun([_LT_TAG_COMPILER],
-[AC_REQUIRE([AC_PROG_CC])dnl
-
-_LT_DECL([LTCC], [CC], [1], [A C compiler])dnl
-_LT_DECL([LTCFLAGS], [CFLAGS], [1], [LTCC compiler flags])dnl
-_LT_TAGDECL([CC], [compiler], [1], [A language specific compiler])dnl
-_LT_TAGDECL([with_gcc], [GCC], [0], [Is the compiler the GNU compiler?])dnl
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# If no C compiler flags were specified, use CFLAGS.
-LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-])# _LT_TAG_COMPILER
-
-
-# _LT_COMPILER_BOILERPLATE
-# ------------------------
-# Check for compiler boilerplate output or warnings with
-# the simple compiler test code.
-m4_defun([_LT_COMPILER_BOILERPLATE],
-[m4_require([_LT_DECL_SED])dnl
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_compile_test_code" >conftest.$ac_ext
-eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_compiler_boilerplate=`cat conftest.err`
-$RM conftest*
-])# _LT_COMPILER_BOILERPLATE
-
-
-# _LT_LINKER_BOILERPLATE
-# ----------------------
-# Check for linker boilerplate output or warnings with
-# the simple link test code.
-m4_defun([_LT_LINKER_BOILERPLATE],
-[m4_require([_LT_DECL_SED])dnl
-ac_outfile=conftest.$ac_objext
-echo "$lt_simple_link_test_code" >conftest.$ac_ext
-eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
-_lt_linker_boilerplate=`cat conftest.err`
-$RM -r conftest*
-])# _LT_LINKER_BOILERPLATE
-
-# _LT_REQUIRED_DARWIN_CHECKS
-# -------------------------
-m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
-  case $host_os in
-    rhapsody* | darwin*)
-    AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:])
-    AC_CHECK_TOOL([NMEDIT], [nmedit], [:])
-    AC_CHECK_TOOL([LIPO], [lipo], [:])
-    AC_CHECK_TOOL([OTOOL], [otool], [:])
-    AC_CHECK_TOOL([OTOOL64], [otool64], [:])
-    _LT_DECL([], [DSYMUTIL], [1],
-      [Tool to manipulate archived DWARF debug symbol files on Mac OS X])
-    _LT_DECL([], [NMEDIT], [1],
-      [Tool to change global to local symbols on Mac OS X])
-    _LT_DECL([], [LIPO], [1],
-      [Tool to manipulate fat objects and archives on Mac OS X])
-    _LT_DECL([], [OTOOL], [1],
-      [ldd/readelf like tool for Mach-O binaries on Mac OS X])
-    _LT_DECL([], [OTOOL64], [1],
-      [ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4])
-
-    AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod],
-      [lt_cv_apple_cc_single_mod=no
-      if test -z "${LT_MULTI_MODULE}"; then
-	# By default we will add the -single_module flag. You can override
-	# by either setting the environment variable LT_MULTI_MODULE
-	# non-empty at configure time, or by adding -multi_module to the
-	# link flags.
-	rm -rf libconftest.dylib*
-	echo "int foo(void){return 1;}" > conftest.c
-	echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
--dynamiclib -Wl,-single_module conftest.c" >&AS_MESSAGE_LOG_FD
-	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
-	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
-        _lt_result=$?
-	# If there is a non-empty error log, and "single_module"
-	# appears in it, assume the flag caused a linker warning
-        if test -s conftest.err && $GREP single_module conftest.err; then
-	  cat conftest.err >&AS_MESSAGE_LOG_FD
-	# Otherwise, if the output was created with a 0 exit code from
-	# the compiler, it worked.
-	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
-	  lt_cv_apple_cc_single_mod=yes
-	else
-	  cat conftest.err >&AS_MESSAGE_LOG_FD
-	fi
-	rm -rf libconftest.dylib*
-	rm -f conftest.*
-      fi])
-
-    AC_CACHE_CHECK([for -exported_symbols_list linker flag],
-      [lt_cv_ld_exported_symbols_list],
-      [lt_cv_ld_exported_symbols_list=no
-      save_LDFLAGS=$LDFLAGS
-      echo "_main" > conftest.sym
-      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
-      AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
-	[lt_cv_ld_exported_symbols_list=yes],
-	[lt_cv_ld_exported_symbols_list=no])
-	LDFLAGS="$save_LDFLAGS"
-    ])
-
-    AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load],
-      [lt_cv_ld_force_load=no
-      cat > conftest.c << _LT_EOF
-int forced_loaded() { return 2;}
-_LT_EOF
-      echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD
-      $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD
-      echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD
-      $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD
-      echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD
-      $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD
-      cat > conftest.c << _LT_EOF
-int main() { return 0;}
-_LT_EOF
-      echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD
-      $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
-      _lt_result=$?
-      if test -s conftest.err && $GREP force_load conftest.err; then
-	cat conftest.err >&AS_MESSAGE_LOG_FD
-      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
-	lt_cv_ld_force_load=yes
-      else
-	cat conftest.err >&AS_MESSAGE_LOG_FD
-      fi
-        rm -f conftest.err libconftest.a conftest conftest.c
-        rm -rf conftest.dSYM
-    ])
-    case $host_os in
-    rhapsody* | darwin1.[[012]])
-      _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
-    darwin1.*)
-      _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-    darwin*) # darwin 5.x on
-      # if running on 10.5 or later, the deployment target defaults
-      # to the OS version, if on x86, and 10.4, the deployment
-      # target defaults to 10.4. Don't you love it?
-      case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
-	10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
-	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-	10.[[012]]*)
-	  _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
-	10.*)
-	  _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
-      esac
-    ;;
-  esac
-    if test "$lt_cv_apple_cc_single_mod" = "yes"; then
-      _lt_dar_single_mod='$single_module'
-    fi
-    if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
-      _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
-    else
-      _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}'
-    fi
-    if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then
-      _lt_dsymutil='~$DSYMUTIL $lib || :'
-    else
-      _lt_dsymutil=
-    fi
-    ;;
-  esac
-])
-
-
-# _LT_DARWIN_LINKER_FEATURES([TAG])
-# ---------------------------------
-# Checks for linker and compiler features on darwin
-m4_defun([_LT_DARWIN_LINKER_FEATURES],
-[
-  m4_require([_LT_REQUIRED_DARWIN_CHECKS])
-  _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-  _LT_TAGVAR(hardcode_direct, $1)=no
-  _LT_TAGVAR(hardcode_automatic, $1)=yes
-  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-  if test "$lt_cv_ld_force_load" = "yes"; then
-    _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
-    m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes],
-                  [FC],  [_LT_TAGVAR(compiler_needs_object, $1)=yes])
-  else
-    _LT_TAGVAR(whole_archive_flag_spec, $1)=''
-  fi
-  _LT_TAGVAR(link_all_deplibs, $1)=yes
-  _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
-  case $cc_basename in
-     ifort*) _lt_dar_can_shared=yes ;;
-     *) _lt_dar_can_shared=$GCC ;;
-  esac
-  if test "$_lt_dar_can_shared" = "yes"; then
-    output_verbose_link_cmd=func_echo_all
-    _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
-    _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
-    _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
-    _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
-    m4_if([$1], [CXX],
-[   if test "$lt_cv_apple_cc_single_mod" != "yes"; then
-      _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
-      _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
-    fi
-],[])
-  else
-  _LT_TAGVAR(ld_shlibs, $1)=no
-  fi
-])
-
-# _LT_SYS_MODULE_PATH_AIX([TAGNAME])
-# ----------------------------------
-# Links a minimal program and checks the executable
-# for the system default hardcoded library path. In most cases,
-# this is /usr/lib:/lib, but when the MPI compilers are used
-# the location of the communication and MPI libs are included too.
-# If we don't find anything, use the default library path according
-# to the aix ld manual.
-# Store the results from the different compilers for each TAGNAME.
-# Allow to override them for all tags through lt_cv_aix_libpath.
-m4_defun([_LT_SYS_MODULE_PATH_AIX],
-[m4_require([_LT_DECL_SED])dnl
-if test "${lt_cv_aix_libpath+set}" = set; then
-  aix_libpath=$lt_cv_aix_libpath
-else
-  AC_CACHE_VAL([_LT_TAGVAR([lt_cv_aix_libpath_], [$1])],
-  [AC_LINK_IFELSE([AC_LANG_PROGRAM],[
-  lt_aix_libpath_sed='[
-      /Import File Strings/,/^$/ {
-	  /^0/ {
-	      s/^0  *\([^ ]*\) *$/\1/
-	      p
-	  }
-      }]'
-  _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-  # Check for a 64-bit object if we didn't find anything.
-  if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
-    _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
-  fi],[])
-  if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then
-    _LT_TAGVAR([lt_cv_aix_libpath_], [$1])="/usr/lib:/lib"
-  fi
-  ])
-  aix_libpath=$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])
-fi
-])# _LT_SYS_MODULE_PATH_AIX
-
-
-# _LT_SHELL_INIT(ARG)
-# -------------------
-m4_define([_LT_SHELL_INIT],
-[m4_divert_text([M4SH-INIT], [$1
-])])# _LT_SHELL_INIT
-
-
-
-# _LT_PROG_ECHO_BACKSLASH
-# -----------------------
-# Find how we can fake an echo command that does not interpret backslash.
-# In particular, with Autoconf 2.60 or later we add some code to the start
-# of the generated configure script which will find a shell with a builtin
-# printf (which we can use as an echo command).
-m4_defun([_LT_PROG_ECHO_BACKSLASH],
-[ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
-ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
-
-AC_MSG_CHECKING([how to print strings])
-# Test print first, because it will be a builtin if present.
-if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \
-   test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then
-  ECHO='print -r --'
-elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then
-  ECHO='printf %s\n'
-else
-  # Use this function as a fallback that always works.
-  func_fallback_echo ()
-  {
-    eval 'cat <<_LTECHO_EOF
-$[]1
-_LTECHO_EOF'
-  }
-  ECHO='func_fallback_echo'
-fi
-
-# func_echo_all arg...
-# Invoke $ECHO with all args, space-separated.
-func_echo_all ()
-{
-    $ECHO "$*" 
-}
-
-case "$ECHO" in
-  printf*) AC_MSG_RESULT([printf]) ;;
-  print*) AC_MSG_RESULT([print -r]) ;;
-  *) AC_MSG_RESULT([cat]) ;;
-esac
-
-m4_ifdef([_AS_DETECT_SUGGESTED],
-[_AS_DETECT_SUGGESTED([
-  test -n "${ZSH_VERSION+set}${BASH_VERSION+set}" || (
-    ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-    ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO
-    ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO
-    PATH=/empty FPATH=/empty; export PATH FPATH
-    test "X`printf %s $ECHO`" = "X$ECHO" \
-      || test "X`print -r -- $ECHO`" = "X$ECHO" )])])
-
-_LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts])
-_LT_DECL([], [ECHO], [1], [An echo program that protects backslashes])
-])# _LT_PROG_ECHO_BACKSLASH
-
-
-# _LT_WITH_SYSROOT
-# ----------------
-AC_DEFUN([_LT_WITH_SYSROOT],
-[AC_MSG_CHECKING([for sysroot])
-AC_ARG_WITH([sysroot],
-[  --with-sysroot[=DIR] Search for dependent libraries within DIR
-                        (or the compiler's sysroot if not specified).],
-[], [with_sysroot=no])
-
-dnl lt_sysroot will always be passed unquoted.  We quote it here
-dnl in case the user passed a directory name.
-lt_sysroot=
-case ${with_sysroot} in #(
- yes)
-   if test "$GCC" = yes; then
-     lt_sysroot=`$CC --print-sysroot 2>/dev/null`
-   fi
-   ;; #(
- /*)
-   lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"`
-   ;; #(
- no|'')
-   ;; #(
- *)
-   AC_MSG_RESULT([${with_sysroot}])
-   AC_MSG_ERROR([The sysroot must be an absolute path.])
-   ;;
-esac
-
- AC_MSG_RESULT([${lt_sysroot:-no}])
-_LT_DECL([], [lt_sysroot], [0], [The root where to search for ]dnl
-[dependent libraries, and in which our libraries should be installed.])])
-
-# _LT_ENABLE_LOCK
-# ---------------
-m4_defun([_LT_ENABLE_LOCK],
-[AC_ARG_ENABLE([libtool-lock],
-  [AS_HELP_STRING([--disable-libtool-lock],
-    [avoid locking (might break parallel builds)])])
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-# Some flags need to be propagated to the compiler or linker for good
-# libtool support.
-case $host in
-ia64-*-hpux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case `/usr/bin/file conftest.$ac_objext` in
-      *ELF-32*)
-	HPUX_IA64_MODE="32"
-	;;
-      *ELF-64*)
-	HPUX_IA64_MODE="64"
-	;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-*-*-irix6*)
-  # Find out which ABI we are using.
-  echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    if test "$lt_cv_prog_gnu_ld" = yes; then
-      case `/usr/bin/file conftest.$ac_objext` in
-	*32-bit*)
-	  LD="${LD-ld} -melf32bsmip"
-	  ;;
-	*N32*)
-	  LD="${LD-ld} -melf32bmipn32"
-	  ;;
-	*64-bit*)
-	  LD="${LD-ld} -melf64bmip"
-	;;
-      esac
-    else
-      case `/usr/bin/file conftest.$ac_objext` in
-	*32-bit*)
-	  LD="${LD-ld} -32"
-	  ;;
-	*N32*)
-	  LD="${LD-ld} -n32"
-	  ;;
-	*64-bit*)
-	  LD="${LD-ld} -64"
-	  ;;
-      esac
-    fi
-  fi
-  rm -rf conftest*
-  ;;
-
-x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
-s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case `/usr/bin/file conftest.o` in
-      *32-bit*)
-	case $host in
-	  x86_64-*kfreebsd*-gnu)
-	    LD="${LD-ld} -m elf_i386_fbsd"
-	    ;;
-	  x86_64-*linux*)
-	    LD="${LD-ld} -m elf_i386"
-	    ;;
-	  ppc64-*linux*|powerpc64-*linux*)
-	    LD="${LD-ld} -m elf32ppclinux"
-	    ;;
-	  s390x-*linux*)
-	    LD="${LD-ld} -m elf_s390"
-	    ;;
-	  sparc64-*linux*)
-	    LD="${LD-ld} -m elf32_sparc"
-	    ;;
-	esac
-	;;
-      *64-bit*)
-	case $host in
-	  x86_64-*kfreebsd*-gnu)
-	    LD="${LD-ld} -m elf_x86_64_fbsd"
-	    ;;
-	  x86_64-*linux*)
-	    LD="${LD-ld} -m elf_x86_64"
-	    ;;
-	  ppc*-*linux*|powerpc*-*linux*)
-	    LD="${LD-ld} -m elf64ppc"
-	    ;;
-	  s390*-*linux*|s390*-*tpf*)
-	    LD="${LD-ld} -m elf64_s390"
-	    ;;
-	  sparc*-*linux*)
-	    LD="${LD-ld} -m elf64_sparc"
-	    ;;
-	esac
-	;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-
-*-*-sco3.2v5*)
-  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
-  SAVE_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS -belf"
-  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
-    [AC_LANG_PUSH(C)
-     AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],[[]])],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
-     AC_LANG_POP])
-  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
-    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
-    CFLAGS="$SAVE_CFLAGS"
-  fi
-  ;;
-*-*solaris*)
-  # Find out which ABI we are using.
-  echo 'int i;' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case `/usr/bin/file conftest.o` in
-    *64-bit*)
-      case $lt_cv_prog_gnu_ld in
-      yes*)
-        case $host in
-        i?86-*-solaris*)
-          LD="${LD-ld} -m elf_x86_64"
-          ;;
-        sparc*-*-solaris*)
-          LD="${LD-ld} -m elf64_sparc"
-          ;;
-        esac
-        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
-        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
-          LD="${LD-ld}_sol2"
-        fi
-        ;;
-      *)
-	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
-	  LD="${LD-ld} -64"
-	fi
-	;;
-      esac
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-esac
-
-need_locks="$enable_libtool_lock"
-])# _LT_ENABLE_LOCK
-
-
-# _LT_PROG_AR
-# -----------
-m4_defun([_LT_PROG_AR],
-[AC_CHECK_TOOLS(AR, [ar], false)
-: ${AR=ar}
-: ${AR_FLAGS=cru}
-_LT_DECL([], [AR], [1], [The archiver])
-_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive])
-
-AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file],
-  [lt_cv_ar_at_file=no
-   AC_COMPILE_IFELSE([AC_LANG_PROGRAM],
-     [echo conftest.$ac_objext > conftest.lst
-      lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&AS_MESSAGE_LOG_FD'
-      AC_TRY_EVAL([lt_ar_try])
-      if test "$ac_status" -eq 0; then
-	# Ensure the archiver fails upon bogus file names.
-	rm -f conftest.$ac_objext libconftest.a
-	AC_TRY_EVAL([lt_ar_try])
-	if test "$ac_status" -ne 0; then
-          lt_cv_ar_at_file=@
-        fi
-      fi
-      rm -f conftest.* libconftest.a
-     ])
-  ])
-
-if test "x$lt_cv_ar_at_file" = xno; then
-  archiver_list_spec=
-else
-  archiver_list_spec=$lt_cv_ar_at_file
-fi
-_LT_DECL([], [archiver_list_spec], [1],
-  [How to feed a file listing to the archiver])
-])# _LT_PROG_AR
-
-
-# _LT_CMD_OLD_ARCHIVE
-# -------------------
-m4_defun([_LT_CMD_OLD_ARCHIVE],
-[_LT_PROG_AR
-
-AC_CHECK_TOOL(STRIP, strip, :)
-test -z "$STRIP" && STRIP=:
-_LT_DECL([], [STRIP], [1], [A symbol stripping program])
-
-AC_CHECK_TOOL(RANLIB, ranlib, :)
-test -z "$RANLIB" && RANLIB=:
-_LT_DECL([], [RANLIB], [1],
-    [Commands used to install an old-style archive])
-
-# Determine commands to create old-style static archives.
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
-old_postinstall_cmds='chmod 644 $oldlib'
-old_postuninstall_cmds=
-
-if test -n "$RANLIB"; then
-  case $host_os in
-  openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
-    ;;
-  *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
-    ;;
-  esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
-fi
-
-case $host_os in
-  darwin*)
-    lock_old_archive_extraction=yes ;;
-  *)
-    lock_old_archive_extraction=no ;;
-esac
-_LT_DECL([], [old_postinstall_cmds], [2])
-_LT_DECL([], [old_postuninstall_cmds], [2])
-_LT_TAGDECL([], [old_archive_cmds], [2],
-    [Commands used to build an old-style archive])
-_LT_DECL([], [lock_old_archive_extraction], [0],
-    [Whether to use a lock for old archive extraction])
-])# _LT_CMD_OLD_ARCHIVE
-
-
-# _LT_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
-#		[OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
-# ----------------------------------------------------------------
-# Check whether the given compiler option works
-AC_DEFUN([_LT_COMPILER_OPTION],
-[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_SED])dnl
-AC_CACHE_CHECK([$1], [$2],
-  [$2=no
-   m4_if([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-   lt_compiler_flag="$3"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   # The option is referenced via a variable to avoid confusing sed.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
-   (eval "$lt_compile" 2>conftest.err)
-   ac_status=$?
-   cat conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
-   if (exit $ac_status) && test -s "$ac_outfile"; then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings other than the usual output.
-     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp
-     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
-       $2=yes
-     fi
-   fi
-   $RM conftest*
-])
-
-if test x"[$]$2" = xyes; then
-    m4_if([$5], , :, [$5])
-else
-    m4_if([$6], , :, [$6])
-fi
-])# _LT_COMPILER_OPTION
-
-# Old name:
-AU_ALIAS([AC_LIBTOOL_COMPILER_OPTION], [_LT_COMPILER_OPTION])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], [])
-
-
-# _LT_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
-#                  [ACTION-SUCCESS], [ACTION-FAILURE])
-# ----------------------------------------------------
-# Check whether the given linker option works
-AC_DEFUN([_LT_LINKER_OPTION],
-[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_SED])dnl
-AC_CACHE_CHECK([$1], [$2],
-  [$2=no
-   save_LDFLAGS="$LDFLAGS"
-   LDFLAGS="$LDFLAGS $3"
-   echo "$lt_simple_link_test_code" > conftest.$ac_ext
-   if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The linker can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test -s conftest.err; then
-       # Append any errors to the config.log.
-       cat conftest.err 1>&AS_MESSAGE_LOG_FD
-       $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp
-       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
-       if diff conftest.exp conftest.er2 >/dev/null; then
-         $2=yes
-       fi
-     else
-       $2=yes
-     fi
-   fi
-   $RM -r conftest*
-   LDFLAGS="$save_LDFLAGS"
-])
-
-if test x"[$]$2" = xyes; then
-    m4_if([$4], , :, [$4])
-else
-    m4_if([$5], , :, [$5])
-fi
-])# _LT_LINKER_OPTION
-
-# Old name:
-AU_ALIAS([AC_LIBTOOL_LINKER_OPTION], [_LT_LINKER_OPTION])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], [])
-
-
-# LT_CMD_MAX_LEN
-#---------------
-AC_DEFUN([LT_CMD_MAX_LEN],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-# find the maximum length of command line arguments
-AC_MSG_CHECKING([the maximum length of command line arguments])
-AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
-  i=0
-  teststring="ABCD"
-
-  case $build_os in
-  msdosdjgpp*)
-    # On DJGPP, this test can blow up pretty badly due to problems in libc
-    # (any single argument exceeding 2000 bytes causes a buffer overrun
-    # during glob expansion).  Even if it were fixed, the result of this
-    # check would be larger than it should be.
-    lt_cv_sys_max_cmd_len=12288;    # 12K is about right
-    ;;
-
-  gnu*)
-    # Under GNU Hurd, this test is not required because there is
-    # no limit to the length of command line arguments.
-    # Libtool will interpret -1 as no limit whatsoever
-    lt_cv_sys_max_cmd_len=-1;
-    ;;
-
-  cygwin* | mingw* | cegcc*)
-    # On Win9x/ME, this test blows up -- it succeeds, but takes
-    # about 5 minutes as the teststring grows exponentially.
-    # Worse, since 9x/ME are not pre-emptively multitasking,
-    # you end up with a "frozen" computer, even though with patience
-    # the test eventually succeeds (with a max line length of 256k).
-    # Instead, let's just punt: use the minimum linelength reported by
-    # all of the supported platforms: 8192 (on NT/2K/XP).
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
-
-  mint*)
-    # On MiNT this can take a long time and run out of memory.
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
-
-  amigaos*)
-    # On AmigaOS with pdksh, this test takes hours, literally.
-    # So we just punt and use a minimum line length of 8192.
-    lt_cv_sys_max_cmd_len=8192;
-    ;;
-
-  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
-    # This has been around since 386BSD, at least.  Likely further.
-    if test -x /sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
-    elif test -x /usr/sbin/sysctl; then
-      lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
-    else
-      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
-    fi
-    # And add a safety zone
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    ;;
-
-  interix*)
-    # We know the value 262144 and hardcode it with a safety zone (like BSD)
-    lt_cv_sys_max_cmd_len=196608
-    ;;
-
-  os2*)
-    # The test takes a long time on OS/2.
-    lt_cv_sys_max_cmd_len=8192
-    ;;
-
-  osf*)
-    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
-    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
-    # nice to cause kernel panics so lets avoid the loop below.
-    # First set a reasonable default.
-    lt_cv_sys_max_cmd_len=16384
-    #
-    if test -x /sbin/sysconfig; then
-      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
-        *1*) lt_cv_sys_max_cmd_len=-1 ;;
-      esac
-    fi
-    ;;
-  sco3.2v5*)
-    lt_cv_sys_max_cmd_len=102400
-    ;;
-  sysv5* | sco5v6* | sysv4.2uw2*)
-    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
-    if test -n "$kargmax"; then
-      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[	 ]]//'`
-    else
-      lt_cv_sys_max_cmd_len=32768
-    fi
-    ;;
-  *)
-    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
-    if test -n "$lt_cv_sys_max_cmd_len"; then
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
-    else
-      # Make teststring a little bigger before we do anything with it.
-      # a 1K string should be a reasonable start.
-      for i in 1 2 3 4 5 6 7 8 ; do
-        teststring=$teststring$teststring
-      done
-      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-      # If test is not a shell built-in, we'll probably end up computing a
-      # maximum length that is only half of the actual maximum length, but
-      # we can't tell.
-      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
-	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
-	      test $i != 17 # 1/2 MB should be enough
-      do
-        i=`expr $i + 1`
-        teststring=$teststring$teststring
-      done
-      # Only check the string length outside the loop.
-      lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1`
-      teststring=
-      # Add a significant safety factor because C++ compilers can tack on
-      # massive amounts of additional arguments before passing them to the
-      # linker.  It appears as though 1/2 is a usable value.
-      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
-    fi
-    ;;
-  esac
-])
-if test -n $lt_cv_sys_max_cmd_len ; then
-  AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
-else
-  AC_MSG_RESULT(none)
-fi
-max_cmd_len=$lt_cv_sys_max_cmd_len
-_LT_DECL([], [max_cmd_len], [0],
-    [What is the maximum length of a command?])
-])# LT_CMD_MAX_LEN
-
-# Old name:
-AU_ALIAS([AC_LIBTOOL_SYS_MAX_CMD_LEN], [LT_CMD_MAX_LEN])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], [])
-
-
-# _LT_HEADER_DLFCN
-# ----------------
-m4_defun([_LT_HEADER_DLFCN],
-[AC_CHECK_HEADERS([dlfcn.h], [], [], [AC_INCLUDES_DEFAULT])dnl
-])# _LT_HEADER_DLFCN
-
-
-# _LT_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
-#                      ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
-# ----------------------------------------------------------------
-m4_defun([_LT_TRY_DLOPEN_SELF],
-[m4_require([_LT_HEADER_DLFCN])dnl
-if test "$cross_compiling" = yes; then :
-  [$4]
-else
-  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
-  lt_status=$lt_dlunknown
-  cat > conftest.$ac_ext <<_LT_EOF
-[#line $LINENO "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-#  define LT_DLGLOBAL		RTLD_GLOBAL
-#else
-#  ifdef DL_GLOBAL
-#    define LT_DLGLOBAL		DL_GLOBAL
-#  else
-#    define LT_DLGLOBAL		0
-#  endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
-   find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-#  ifdef RTLD_LAZY
-#    define LT_DLLAZY_OR_NOW		RTLD_LAZY
-#  else
-#    ifdef DL_LAZY
-#      define LT_DLLAZY_OR_NOW		DL_LAZY
-#    else
-#      ifdef RTLD_NOW
-#        define LT_DLLAZY_OR_NOW	RTLD_NOW
-#      else
-#        ifdef DL_NOW
-#          define LT_DLLAZY_OR_NOW	DL_NOW
-#        else
-#          define LT_DLLAZY_OR_NOW	0
-#        endif
-#      endif
-#    endif
-#  endif
-#endif
-
-/* When -fvisbility=hidden is used, assume the code has been annotated
-   correspondingly for the symbols needed.  */
-#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3))
-int fnord () __attribute__((visibility("default")));
-#endif
-
-int fnord () { return 42; }
-int main ()
-{
-  void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
-  int status = $lt_dlunknown;
-
-  if (self)
-    {
-      if (dlsym (self,"fnord"))       status = $lt_dlno_uscore;
-      else
-        {
-	  if (dlsym( self,"_fnord"))  status = $lt_dlneed_uscore;
-          else puts (dlerror ());
-	}
-      /* dlclose (self); */
-    }
-  else
-    puts (dlerror ());
-
-  return status;
-}]
-_LT_EOF
-  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
-    lt_status=$?
-    case x$lt_status in
-      x$lt_dlno_uscore) $1 ;;
-      x$lt_dlneed_uscore) $2 ;;
-      x$lt_dlunknown|x*) $3 ;;
-    esac
-  else :
-    # compilation failed
-    $3
-  fi
-fi
-rm -fr conftest*
-])# _LT_TRY_DLOPEN_SELF
-
-
-# LT_SYS_DLOPEN_SELF
-# ------------------
-AC_DEFUN([LT_SYS_DLOPEN_SELF],
-[m4_require([_LT_HEADER_DLFCN])dnl
-if test "x$enable_dlopen" != xyes; then
-  enable_dlopen=unknown
-  enable_dlopen_self=unknown
-  enable_dlopen_self_static=unknown
-else
-  lt_cv_dlopen=no
-  lt_cv_dlopen_libs=
-
-  case $host_os in
-  beos*)
-    lt_cv_dlopen="load_add_on"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ;;
-
-  mingw* | pw32* | cegcc*)
-    lt_cv_dlopen="LoadLibrary"
-    lt_cv_dlopen_libs=
-    ;;
-
-  cygwin*)
-    lt_cv_dlopen="dlopen"
-    lt_cv_dlopen_libs=
-    ;;
-
-  darwin*)
-  # if libdl is installed we need to link against it
-    AC_CHECK_LIB([dl], [dlopen],
-		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
-    lt_cv_dlopen="dyld"
-    lt_cv_dlopen_libs=
-    lt_cv_dlopen_self=yes
-    ])
-    ;;
-
-  *)
-    AC_CHECK_FUNC([shl_load],
-	  [lt_cv_dlopen="shl_load"],
-      [AC_CHECK_LIB([dld], [shl_load],
-	    [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"],
-	[AC_CHECK_FUNC([dlopen],
-	      [lt_cv_dlopen="dlopen"],
-	  [AC_CHECK_LIB([dl], [dlopen],
-		[lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
-	    [AC_CHECK_LIB([svld], [dlopen],
-		  [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
-	      [AC_CHECK_LIB([dld], [dld_link],
-		    [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"])
-	      ])
-	    ])
-	  ])
-	])
-      ])
-    ;;
-  esac
-
-  if test "x$lt_cv_dlopen" != xno; then
-    enable_dlopen=yes
-  else
-    enable_dlopen=no
-  fi
-
-  case $lt_cv_dlopen in
-  dlopen)
-    save_CPPFLAGS="$CPPFLAGS"
-    test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
-    save_LDFLAGS="$LDFLAGS"
-    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
-    save_LIBS="$LIBS"
-    LIBS="$lt_cv_dlopen_libs $LIBS"
-
-    AC_CACHE_CHECK([whether a program can dlopen itself],
-	  lt_cv_dlopen_self, [dnl
-	  _LT_TRY_DLOPEN_SELF(
-	    lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
-	    lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
-    ])
-
-    if test "x$lt_cv_dlopen_self" = xyes; then
-      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
-      AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
-	  lt_cv_dlopen_self_static, [dnl
-	  _LT_TRY_DLOPEN_SELF(
-	    lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
-	    lt_cv_dlopen_self_static=no,  lt_cv_dlopen_self_static=cross)
-      ])
-    fi
-
-    CPPFLAGS="$save_CPPFLAGS"
-    LDFLAGS="$save_LDFLAGS"
-    LIBS="$save_LIBS"
-    ;;
-  esac
-
-  case $lt_cv_dlopen_self in
-  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
-  *) enable_dlopen_self=unknown ;;
-  esac
-
-  case $lt_cv_dlopen_self_static in
-  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
-  *) enable_dlopen_self_static=unknown ;;
-  esac
-fi
-_LT_DECL([dlopen_support], [enable_dlopen], [0],
-	 [Whether dlopen is supported])
-_LT_DECL([dlopen_self], [enable_dlopen_self], [0],
-	 [Whether dlopen of programs is supported])
-_LT_DECL([dlopen_self_static], [enable_dlopen_self_static], [0],
-	 [Whether dlopen of statically linked programs is supported])
-])# LT_SYS_DLOPEN_SELF
-
-# Old name:
-AU_ALIAS([AC_LIBTOOL_DLOPEN_SELF], [LT_SYS_DLOPEN_SELF])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], [])
-
-
-# _LT_COMPILER_C_O([TAGNAME])
-# ---------------------------
-# Check to see if options -c and -o are simultaneously supported by compiler.
-# This macro does not hard code the compiler like AC_PROG_CC_C_O.
-m4_defun([_LT_COMPILER_C_O],
-[m4_require([_LT_DECL_SED])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_TAG_COMPILER])dnl
-AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
-  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
-  [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
-   $RM -r conftest 2>/dev/null
-   mkdir conftest
-   cd conftest
-   mkdir out
-   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-   lt_compiler_flag="-o out/conftest2.$ac_objext"
-   # Insert the option either (1) after the last *FLAGS variable, or
-   # (2) before a word containing "conftest.", or (3) at the end.
-   # Note that $ac_compile itself does not contain backslashes and begins
-   # with a dollar sign (not a hyphen), so the echo should work correctly.
-   lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-   -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
-   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
-   (eval "$lt_compile" 2>out/conftest.err)
-   ac_status=$?
-   cat out/conftest.err >&AS_MESSAGE_LOG_FD
-   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
-   if (exit $ac_status) && test -s out/conftest2.$ac_objext
-   then
-     # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp
-     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
-     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
-       _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
-     fi
-   fi
-   chmod u+w . 2>&AS_MESSAGE_LOG_FD
-   $RM conftest*
-   # SGI C++ compiler will create directory out/ii_files/ for
-   # template instantiation
-   test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files
-   $RM out/* && rmdir out
-   cd ..
-   $RM -r conftest
-   $RM conftest*
-])
-_LT_TAGDECL([compiler_c_o], [lt_cv_prog_compiler_c_o], [1],
-	[Does compiler simultaneously support -c and -o options?])
-])# _LT_COMPILER_C_O
-
-
-# _LT_COMPILER_FILE_LOCKS([TAGNAME])
-# ----------------------------------
-# Check to see if we can do hard links to lock some files if needed
-m4_defun([_LT_COMPILER_FILE_LOCKS],
-[m4_require([_LT_ENABLE_LOCK])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-_LT_COMPILER_C_O([$1])
-
-hard_links="nottested"
-if test "$_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
-  # do not overwrite the value of need_locks provided by the user
-  AC_MSG_CHECKING([if we can lock with hard links])
-  hard_links=yes
-  $RM conftest*
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  touch conftest.a
-  ln conftest.a conftest.b 2>&5 || hard_links=no
-  ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  AC_MSG_RESULT([$hard_links])
-  if test "$hard_links" = no; then
-    AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
-    need_locks=warn
-  fi
-else
-  need_locks=no
-fi
-_LT_DECL([], [need_locks], [1], [Must we lock files when doing compilation?])
-])# _LT_COMPILER_FILE_LOCKS
-
-
-# _LT_CHECK_OBJDIR
-# ----------------
-m4_defun([_LT_CHECK_OBJDIR],
-[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
-[rm -f .libs 2>/dev/null
-mkdir .libs 2>/dev/null
-if test -d .libs; then
-  lt_cv_objdir=.libs
-else
-  # MS-DOS does not allow filenames that begin with a dot.
-  lt_cv_objdir=_libs
-fi
-rmdir .libs 2>/dev/null])
-objdir=$lt_cv_objdir
-_LT_DECL([], [objdir], [0],
-         [The name of the directory that contains temporary libtool files])dnl
-m4_pattern_allow([LT_OBJDIR])dnl
-AC_DEFINE_UNQUOTED(LT_OBJDIR, "$lt_cv_objdir/",
-  [Define to the sub-directory in which libtool stores uninstalled libraries.])
-])# _LT_CHECK_OBJDIR
-
-
-# _LT_LINKER_HARDCODE_LIBPATH([TAGNAME])
-# --------------------------------------
-# Check hardcoding attributes.
-m4_defun([_LT_LINKER_HARDCODE_LIBPATH],
-[AC_MSG_CHECKING([how to hardcode library paths into programs])
-_LT_TAGVAR(hardcode_action, $1)=
-if test -n "$_LT_TAGVAR(hardcode_libdir_flag_spec, $1)" ||
-   test -n "$_LT_TAGVAR(runpath_var, $1)" ||
-   test "X$_LT_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
-
-  # We can hardcode non-existent directories.
-  if test "$_LT_TAGVAR(hardcode_direct, $1)" != no &&
-     # If the only mechanism to avoid hardcoding is shlibpath_var, we
-     # have to relink, otherwise we might link with an installed library
-     # when we should be linking with a yet-to-be-installed one
-     ## test "$_LT_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
-     test "$_LT_TAGVAR(hardcode_minus_L, $1)" != no; then
-    # Linking always hardcodes the temporary library directory.
-    _LT_TAGVAR(hardcode_action, $1)=relink
-  else
-    # We can link without hardcoding, and we can hardcode nonexisting dirs.
-    _LT_TAGVAR(hardcode_action, $1)=immediate
-  fi
-else
-  # We cannot hardcode anything, or else we can only hardcode existing
-  # directories.
-  _LT_TAGVAR(hardcode_action, $1)=unsupported
-fi
-AC_MSG_RESULT([$_LT_TAGVAR(hardcode_action, $1)])
-
-if test "$_LT_TAGVAR(hardcode_action, $1)" = relink ||
-   test "$_LT_TAGVAR(inherit_rpath, $1)" = yes; then
-  # Fast installation is not supported
-  enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
-     test "$enable_shared" = no; then
-  # Fast installation is not necessary
-  enable_fast_install=needless
-fi
-_LT_TAGDECL([], [hardcode_action], [0],
-    [How to hardcode a shared library path into an executable])
-])# _LT_LINKER_HARDCODE_LIBPATH
-
-
-# _LT_CMD_STRIPLIB
-# ----------------
-m4_defun([_LT_CMD_STRIPLIB],
-[m4_require([_LT_DECL_EGREP])
-striplib=
-old_striplib=
-AC_MSG_CHECKING([whether stripping libraries is possible])
-if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then
-  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
-  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  AC_MSG_RESULT([yes])
-else
-# FIXME - insert some real tests, host_os isn't really good enough
-  case $host_os in
-  darwin*)
-    if test -n "$STRIP" ; then
-      striplib="$STRIP -x"
-      old_striplib="$STRIP -S"
-      AC_MSG_RESULT([yes])
-    else
-      AC_MSG_RESULT([no])
-    fi
-    ;;
-  *)
-    AC_MSG_RESULT([no])
-    ;;
-  esac
-fi
-_LT_DECL([], [old_striplib], [1], [Commands to strip libraries])
-_LT_DECL([], [striplib], [1])
-])# _LT_CMD_STRIPLIB
-
-
-# _LT_SYS_DYNAMIC_LINKER([TAG])
-# -----------------------------
-# PORTME Fill in your ld.so characteristics
-m4_defun([_LT_SYS_DYNAMIC_LINKER],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-m4_require([_LT_DECL_EGREP])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_OBJDUMP])dnl
-m4_require([_LT_DECL_SED])dnl
-m4_require([_LT_CHECK_SHELL_FEATURES])dnl
-AC_MSG_CHECKING([dynamic linker characteristics])
-m4_if([$1],
-	[], [
-if test "$GCC" = yes; then
-  case $host_os in
-    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
-    *) lt_awk_arg="/^libraries:/" ;;
-  esac
-  case $host_os in
-    mingw* | cegcc*) lt_sed_strip_eq="s,=\([[A-Za-z]]:\),\1,g" ;;
-    *) lt_sed_strip_eq="s,=/,/,g" ;;
-  esac
-  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq`
-  case $lt_search_path_spec in
-  *\;*)
-    # if the path contains ";" then we assume it to be the separator
-    # otherwise default to the standard path separator (i.e. ":") - it is
-    # assumed that no part of a normal pathname contains ";" but that should
-    # okay in the real world where ";" in dirpaths is itself problematic.
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'`
-    ;;
-  *)
-    lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"`
-    ;;
-  esac
-  # Ok, now we have the path, separated by spaces, we can step through it
-  # and add multilib dir if necessary.
-  lt_tmp_lt_search_path_spec=
-  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
-  for lt_sys_path in $lt_search_path_spec; do
-    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
-      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
-    else
-      test -d "$lt_sys_path" && \
-	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
-    fi
-  done
-  lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk '
-BEGIN {RS=" "; FS="/|\n";} {
-  lt_foo="";
-  lt_count=0;
-  for (lt_i = NF; lt_i > 0; lt_i--) {
-    if ($lt_i != "" && $lt_i != ".") {
-      if ($lt_i == "..") {
-        lt_count++;
-      } else {
-        if (lt_count == 0) {
-          lt_foo="/" $lt_i lt_foo;
-        } else {
-          lt_count--;
-        }
-      }
-    }
-  }
-  if (lt_foo != "") { lt_freq[[lt_foo]]++; }
-  if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
-}'`
-  # AWK program above erroneously prepends '/' to C:/dos/paths
-  # for these hosts.
-  case $host_os in
-    mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\
-      $SED 's,/\([[A-Za-z]]:\),\1,g'` ;;
-  esac
-  sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP`
-else
-  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi])
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
-  shlibpath_var=LIBPATH
-
-  # AIX 3 has no versioning support, so we append a major version to the name.
-  soname_spec='${libname}${release}${shared_ext}$major'
-  ;;
-
-aix[[4-9]]*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  hardcode_into_libs=yes
-  if test "$host_cpu" = ia64; then
-    # AIX 5 supports IA64
-    library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-    shlibpath_var=LD_LIBRARY_PATH
-  else
-    # With GCC up to 2.95.x, collect2 would create an import file
-    # for dependence libraries.  The import file would start with
-    # the line `#! .'.  This would cause the generated library to
-    # depend on `.', always an invalid library.  This was fixed in
-    # development snapshots of GCC prior to 3.0.
-    case $host_os in
-      aix4 | aix4.[[01]] | aix4.[[01]].*)
-      if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
-	   echo ' yes '
-	   echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then
-	:
-      else
-	can_build_shared=no
-      fi
-      ;;
-    esac
-    # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
-    # soname into executable. Probably we can add versioning support to
-    # collect2, so additional links can be useful in future.
-    if test "$aix_use_runtimelinking" = yes; then
-      # If using run time linking (on AIX 4.2 or later) use lib<name>.so
-      # instead of lib<name>.a to let people know that these are not
-      # typical AIX shared libraries.
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    else
-      # We preserve .a as extension for shared libraries through AIX4.2
-      # and later when we are not doing run time linking.
-      library_names_spec='${libname}${release}.a $libname.a'
-      soname_spec='${libname}${release}${shared_ext}$major'
-    fi
-    shlibpath_var=LIBPATH
-  fi
-  ;;
-
-amigaos*)
-  case $host_cpu in
-  powerpc)
-    # Since July 2007 AmigaOS4 officially supports .so libraries.
-    # When compiling the executable, add -use-dynld -Lsobjs: to the compileline.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    ;;
-  m68k)
-    library_names_spec='$libname.ixlibrary $libname.a'
-    # Create ${libname}_ixlibrary.a entries in /sys/libs.
-    finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
-    ;;
-  esac
-  ;;
-
-beos*)
-  library_names_spec='${libname}${shared_ext}'
-  dynamic_linker="$host_os ld.so"
-  shlibpath_var=LIBRARY_PATH
-  ;;
-
-bsdi[[45]]*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
-  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
-  # the default ld.so.conf also contains /usr/contrib/lib and
-  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
-  # libtool to hard-code these into programs
-  ;;
-
-cygwin* | mingw* | pw32* | cegcc*)
-  version_type=windows
-  shrext_cmds=".dll"
-  need_version=no
-  need_lib_prefix=no
-
-  case $GCC,$cc_basename in
-  yes,*)
-    # gcc
-    library_names_spec='$libname.dll.a'
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname~
-      chmod a+x \$dldir/$dlname~
-      if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then
-        eval '\''$striplib \$dldir/$dlname'\'' || exit \$?;
-      fi'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $RM \$dlpath'
-    shlibpath_overrides_runpath=yes
-
-    case $host_os in
-    cygwin*)
-      # Cygwin DLLs use 'cyg' prefix rather than 'lib'
-      soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-m4_if([$1], [],[
-      sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"])
-      ;;
-    mingw* | cegcc*)
-      # MinGW DLLs use traditional 'lib' prefix
-      soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    pw32*)
-      # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-      ;;
-    esac
-    dynamic_linker='Win32 ld.exe'
-    ;;
-
-  *,cl*)
-    # Native MSVC
-    libname_spec='$name'
-    soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
-    library_names_spec='${libname}.dll.lib'
-
-    case $build_os in
-    mingw*)
-      sys_lib_search_path_spec=
-      lt_save_ifs=$IFS
-      IFS=';'
-      for lt_path in $LIB
-      do
-        IFS=$lt_save_ifs
-        # Let DOS variable expansion print the short 8.3 style file name.
-        lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"`
-        sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path"
-      done
-      IFS=$lt_save_ifs
-      # Convert to MSYS style.
-      sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'`
-      ;;
-    cygwin*)
-      # Convert to unix form, then to dos form, then back to unix form
-      # but this time dos style (no spaces!) so that the unix form looks
-      # like /cygdrive/c/PROGRA~1:/cygdr...
-      sys_lib_search_path_spec=`cygpath --path --unix "$LIB"`
-      sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null`
-      sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
-      ;;
-    *)
-      sys_lib_search_path_spec="$LIB"
-      if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then
-        # It is most probably a Windows format PATH.
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-      else
-        sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
-      fi
-      # FIXME: find the short name or the path components, as spaces are
-      # common. (e.g. "Program Files" -> "PROGRA~1")
-      ;;
-    esac
-
-    # DLL is installed to $(libdir)/../bin by postinstall_cmds
-    postinstall_cmds='base_file=`basename \${file}`~
-      dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~
-      dldir=$destdir/`dirname \$dlpath`~
-      test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname'
-    postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
-      dlpath=$dir/\$dldll~
-       $RM \$dlpath'
-    shlibpath_overrides_runpath=yes
-    dynamic_linker='Win32 link.exe'
-    ;;
-
-  *)
-    # Assume MSVC wrapper
-    library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
-    dynamic_linker='Win32 ld.exe'
-    ;;
-  esac
-  # FIXME: first we should search . and the directory the executable is in
-  shlibpath_var=PATH
-  ;;
-
-darwin* | rhapsody*)
-  dynamic_linker="$host_os dyld"
-  version_type=darwin
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext'
-  soname_spec='${libname}${release}${major}$shared_ext'
-  shlibpath_overrides_runpath=yes
-  shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-m4_if([$1], [],[
-  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"])
-  sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
-  ;;
-
-dgux*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-freebsd* | dragonfly*)
-  # DragonFly does not have aout.  When/if they implement a new
-  # versioning mechanism, adjust this.
-  if test -x /usr/bin/objformat; then
-    objformat=`/usr/bin/objformat`
-  else
-    case $host_os in
-    freebsd[[23]].*) objformat=aout ;;
-    *) objformat=elf ;;
-    esac
-  fi
-  version_type=freebsd-$objformat
-  case $version_type in
-    freebsd-elf*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-      need_version=no
-      need_lib_prefix=no
-      ;;
-    freebsd-*)
-      library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
-      need_version=yes
-      ;;
-  esac
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_os in
-  freebsd2.*)
-    shlibpath_overrides_runpath=yes
-    ;;
-  freebsd3.[[01]]* | freebsdelf3.[[01]]*)
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \
-  freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1)
-    shlibpath_overrides_runpath=no
-    hardcode_into_libs=yes
-    ;;
-  *) # from 4.6 on, and DragonFly
-    shlibpath_overrides_runpath=yes
-    hardcode_into_libs=yes
-    ;;
-  esac
-  ;;
-
-gnu*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-haiku*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  dynamic_linker="$host_os runtime_loader"
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
-  hardcode_into_libs=yes
-  ;;
-
-hpux9* | hpux10* | hpux11*)
-  # Give a soname corresponding to the major version so that dld.sl refuses to
-  # link against other versions.
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  case $host_cpu in
-  ia64*)
-    shrext_cmds='.so'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.so"
-    shlibpath_var=LD_LIBRARY_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    if test "X$HPUX_IA64_MODE" = X32; then
-      sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
-    else
-      sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
-    fi
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-  hppa*64*)
-    shrext_cmds='.sl'
-    hardcode_into_libs=yes
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
-    shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
-    sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
-    ;;
-  *)
-    shrext_cmds='.sl'
-    dynamic_linker="$host_os dld.sl"
-    shlibpath_var=SHLIB_PATH
-    shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    ;;
-  esac
-  # HP-UX runs *really* slowly unless shared libraries are mode 555, ...
-  postinstall_cmds='chmod 555 $lib'
-  # or fails outright, so override atomically:
-  install_override_mode=555
-  ;;
-
-interix[[3-9]]*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $host_os in
-    nonstopux*) version_type=nonstopux ;;
-    *)
-	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux # correct to gnu/linux during the next big refactor
-	else
-		version_type=irix
-	fi ;;
-  esac
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
-  case $host_os in
-  irix5* | nonstopux*)
-    libsuff= shlibsuff=
-    ;;
-  *)
-    case $LD in # libtool.m4 will add one of these switches to LD
-    *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
-      libsuff= shlibsuff= libmagic=32-bit;;
-    *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
-      libsuff=32 shlibsuff=N32 libmagic=N32;;
-    *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
-      libsuff=64 shlibsuff=64 libmagic=64-bit;;
-    *) libsuff= shlibsuff= libmagic=never-match;;
-    esac
-    ;;
-  esac
-  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
-  shlibpath_overrides_runpath=no
-  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
-  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
-  hardcode_into_libs=yes
-  ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
-  dynamic_linker=no
-  ;;
-
-# This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-
-  # Some binutils ld are patched to set DT_RUNPATH
-  AC_CACHE_VAL([lt_cv_shlibpath_overrides_runpath],
-    [lt_cv_shlibpath_overrides_runpath=no
-    save_LDFLAGS=$LDFLAGS
-    save_libdir=$libdir
-    eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \
-	 LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\""
-    AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
-      [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null],
-	 [lt_cv_shlibpath_overrides_runpath=yes])])
-    LDFLAGS=$save_LDFLAGS
-    libdir=$save_libdir
-    ])
-  shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath
-
-  # This implies no fast_install, which is unacceptable.
-  # Some rework will be needed to allow for fast_install
-  # before this can be enabled.
-  hardcode_into_libs=yes
-
-  # Append ld.so.conf contents to the search path
-  if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-  fi
-
-  # We used to test for /lib/ld.so.1 and disable shared libraries on
-  # powerpc, because MkLinux only supported shared libraries with the
-  # GNU dynamic linker.  Since this was broken with cross compilers,
-  # most powerpc-linux boxes support dynamic linking these days and
-  # people can always --disable-shared, the test was removed, and we
-  # assume the GNU/Linux dynamic linker is in use.
-  dynamic_linker='GNU/Linux ld.so'
-  ;;
-
-netbsd*)
-  version_type=sunos
-  need_lib_prefix=no
-  need_version=no
-  if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-    dynamic_linker='NetBSD (a.out) ld.so'
-  else
-    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-    soname_spec='${libname}${release}${shared_ext}$major'
-    dynamic_linker='NetBSD ld.elf_so'
-  fi
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  ;;
-
-newsos6)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  ;;
-
-*nto* | *qnx*)
-  version_type=qnx
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='ldqnx.so'
-  ;;
-
-openbsd*)
-  version_type=sunos
-  sys_lib_dlsearch_path_spec="/usr/lib"
-  need_lib_prefix=no
-  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
-  case $host_os in
-    openbsd3.3 | openbsd3.3.*)	need_version=yes ;;
-    *)				need_version=no  ;;
-  esac
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    case $host_os in
-      openbsd2.[[89]] | openbsd2.[[89]].*)
-	shlibpath_overrides_runpath=no
-	;;
-      *)
-	shlibpath_overrides_runpath=yes
-	;;
-      esac
-  else
-    shlibpath_overrides_runpath=yes
-  fi
-  ;;
-
-os2*)
-  libname_spec='$name'
-  shrext_cmds=".dll"
-  need_lib_prefix=no
-  library_names_spec='$libname${shared_ext} $libname.a'
-  dynamic_linker='OS/2 ld.exe'
-  shlibpath_var=LIBPATH
-  ;;
-
-osf3* | osf4* | osf5*)
-  version_type=osf
-  need_lib_prefix=no
-  need_version=no
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
-  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
-  ;;
-
-rdos*)
-  dynamic_linker=no
-  ;;
-
-solaris*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  # ldd complains unless libraries are executable
-  postinstall_cmds='chmod +x $lib'
-  ;;
-
-sunos4*)
-  version_type=sunos
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
-  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  if test "$with_gnu_ld" = yes; then
-    need_lib_prefix=no
-  fi
-  need_version=yes
-  ;;
-
-sysv4 | sysv4.3*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  case $host_vendor in
-    sni)
-      shlibpath_overrides_runpath=no
-      need_lib_prefix=no
-      runpath_var=LD_RUN_PATH
-      ;;
-    siemens)
-      need_lib_prefix=no
-      ;;
-    motorola)
-      need_lib_prefix=no
-      need_version=no
-      shlibpath_overrides_runpath=no
-      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
-      ;;
-  esac
-  ;;
-
-sysv4*MP*)
-  if test -d /usr/nec ;then
-    version_type=linux # correct to gnu/linux during the next big refactor
-    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
-    soname_spec='$libname${shared_ext}.$major'
-    shlibpath_var=LD_LIBRARY_PATH
-  fi
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  version_type=freebsd-elf
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=yes
-  hardcode_into_libs=yes
-  if test "$with_gnu_ld" = yes; then
-    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
-  else
-    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
-    case $host_os in
-      sco3.2v5*)
-        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
-	;;
-    esac
-  fi
-  sys_lib_dlsearch_path_spec='/usr/lib'
-  ;;
-
-tpf*)
-  # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux # correct to gnu/linux during the next big refactor
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  ;;
-
-uts4*)
-  version_type=linux # correct to gnu/linux during the next big refactor
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  ;;
-
-*)
-  dynamic_linker=no
-  ;;
-esac
-AC_MSG_RESULT([$dynamic_linker])
-test "$dynamic_linker" = no && can_build_shared=no
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
-fi
-if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
-fi
-
-_LT_DECL([], [variables_saved_for_relink], [1],
-    [Variables whose values should be saved in libtool wrapper scripts and
-    restored at link time])
-_LT_DECL([], [need_lib_prefix], [0],
-    [Do we need the "lib" prefix for modules?])
-_LT_DECL([], [need_version], [0], [Do we need a version for libraries?])
-_LT_DECL([], [version_type], [0], [Library versioning type])
-_LT_DECL([], [runpath_var], [0],  [Shared library runtime path variable])
-_LT_DECL([], [shlibpath_var], [0],[Shared library path variable])
-_LT_DECL([], [shlibpath_overrides_runpath], [0],
-    [Is shlibpath searched before the hard-coded library search path?])
-_LT_DECL([], [libname_spec], [1], [Format of library name prefix])
-_LT_DECL([], [library_names_spec], [1],
-    [[List of archive names.  First name is the real one, the rest are links.
-    The last name is the one that the linker finds with -lNAME]])
-_LT_DECL([], [soname_spec], [1],
-    [[The coded name of the library, if different from the real name]])
-_LT_DECL([], [install_override_mode], [1],
-    [Permission mode override for installation of shared libraries])
-_LT_DECL([], [postinstall_cmds], [2],
-    [Command to use after installation of a shared archive])
-_LT_DECL([], [postuninstall_cmds], [2],
-    [Command to use after uninstallation of a shared archive])
-_LT_DECL([], [finish_cmds], [2],
-    [Commands used to finish a libtool library installation in a directory])
-_LT_DECL([], [finish_eval], [1],
-    [[As "finish_cmds", except a single script fragment to be evaled but
-    not shown]])
-_LT_DECL([], [hardcode_into_libs], [0],
-    [Whether we should hardcode library paths into libraries])
-_LT_DECL([], [sys_lib_search_path_spec], [2],
-    [Compile-time system search path for libraries])
-_LT_DECL([], [sys_lib_dlsearch_path_spec], [2],
-    [Run-time system search path for libraries])
-])# _LT_SYS_DYNAMIC_LINKER
-
-
-# _LT_PATH_TOOL_PREFIX(TOOL)
-# --------------------------
-# find a file program which can recognize shared library
-AC_DEFUN([_LT_PATH_TOOL_PREFIX],
-[m4_require([_LT_DECL_EGREP])dnl
-AC_MSG_CHECKING([for $1])
-AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
-[case $MAGIC_CMD in
-[[\\/*] |  ?:[\\/]*])
-  lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
-  ;;
-*)
-  lt_save_MAGIC_CMD="$MAGIC_CMD"
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-dnl $ac_dummy forces splitting on constant user-supplied paths.
-dnl POSIX.2 word splitting is done only on the output of word expansions,
-dnl not every word.  This closes a longstanding sh security hole.
-  ac_dummy="m4_if([$2], , $PATH, [$2])"
-  for ac_dir in $ac_dummy; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/$1; then
-      lt_cv_path_MAGIC_CMD="$ac_dir/$1"
-      if test -n "$file_magic_test_file"; then
-	case $deplibs_check_method in
-	"file_magic "*)
-	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
-	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
-	    $EGREP "$file_magic_regex" > /dev/null; then
-	    :
-	  else
-	    cat <<_LT_EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such.  This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem.  Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
-
-_LT_EOF
-	  fi ;;
-	esac
-      fi
-      break
-    fi
-  done
-  IFS="$lt_save_ifs"
-  MAGIC_CMD="$lt_save_MAGIC_CMD"
-  ;;
-esac])
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
-  AC_MSG_RESULT($MAGIC_CMD)
-else
-  AC_MSG_RESULT(no)
-fi
-_LT_DECL([], [MAGIC_CMD], [0],
-	 [Used to examine libraries when file_magic_cmd begins with "file"])dnl
-])# _LT_PATH_TOOL_PREFIX
-
-# Old name:
-AU_ALIAS([AC_PATH_TOOL_PREFIX], [_LT_PATH_TOOL_PREFIX])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_PATH_TOOL_PREFIX], [])
-
-
-# _LT_PATH_MAGIC
-# --------------
-# find a file program which can recognize a shared library
-m4_defun([_LT_PATH_MAGIC],
-[_LT_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
-if test -z "$lt_cv_path_MAGIC_CMD"; then
-  if test -n "$ac_tool_prefix"; then
-    _LT_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
-  else
-    MAGIC_CMD=:
-  fi
-fi
-])# _LT_PATH_MAGIC
-
-
-# LT_PATH_LD
-# ----------
-# find the pathname to the GNU or non-GNU linker
-AC_DEFUN([LT_PATH_LD],
-[AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-m4_require([_LT_DECL_SED])dnl
-m4_require([_LT_DECL_EGREP])dnl
-m4_require([_LT_PROG_ECHO_BACKSLASH])dnl
-
-AC_ARG_WITH([gnu-ld],
-    [AS_HELP_STRING([--with-gnu-ld],
-	[assume the C compiler uses GNU ld @<:@default=no@:>@])],
-    [test "$withval" = no || with_gnu_ld=yes],
-    [with_gnu_ld=no])dnl
-
-ac_prog=ld
-if test "$GCC" = yes; then
-  # Check if gcc -print-prog-name=ld gives a path.
-  AC_MSG_CHECKING([for ld used by $CC])
-  case $host in
-  *-*-mingw*)
-    # gcc leaves a trailing carriage return which upsets mingw
-    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
-  *)
-    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
-  esac
-  case $ac_prog in
-    # Accept absolute paths.
-    [[\\/]]* | ?:[[\\/]]*)
-      re_direlt='/[[^/]][[^/]]*/\.\./'
-      # Canonicalize the pathname of ld
-      ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'`
-      while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do
-	ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"`
-      done
-      test -z "$LD" && LD="$ac_prog"
-      ;;
-  "")
-    # If it fails, then pretend we aren't using GCC.
-    ac_prog=ld
-    ;;
-  *)
-    # If it is relative, then search for the first ld in PATH.
-    with_gnu_ld=unknown
-    ;;
-  esac
-elif test "$with_gnu_ld" = yes; then
-  AC_MSG_CHECKING([for GNU ld])
-else
-  AC_MSG_CHECKING([for non-GNU ld])
-fi
-AC_CACHE_VAL(lt_cv_path_LD,
-[if test -z "$LD"; then
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
-      lt_cv_path_LD="$ac_dir/$ac_prog"
-      # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some variants of GNU ld only accept -v.
-      # Break only if it was the GNU/non-GNU ld that we prefer.
-      case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
-      *GNU* | *'with BFD'*)
-	test "$with_gnu_ld" != no && break
-	;;
-      *)
-	test "$with_gnu_ld" != yes && break
-	;;
-      esac
-    fi
-  done
-  IFS="$lt_save_ifs"
-else
-  lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi])
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
-  AC_MSG_RESULT($LD)
-else
-  AC_MSG_RESULT(no)
-fi
-test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
-_LT_PATH_LD_GNU
-AC_SUBST([LD])
-
-_LT_TAGDECL([], [LD], [1], [The linker used to build libraries])
-])# LT_PATH_LD
-
-# Old names:
-AU_ALIAS([AM_PROG_LD], [LT_PATH_LD])
-AU_ALIAS([AC_PROG_LD], [LT_PATH_LD])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AM_PROG_LD], [])
-dnl AC_DEFUN([AC_PROG_LD], [])
-
-
-# _LT_PATH_LD_GNU
-#- --------------
-m4_defun([_LT_PATH_LD_GNU],
-[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
-[# I'd rather use --version here, but apparently some GNU lds only accept -v.
-case `$LD -v 2>&1 </dev/null` in
-*GNU* | *'with BFD'*)
-  lt_cv_prog_gnu_ld=yes
-  ;;
-*)
-  lt_cv_prog_gnu_ld=no
-  ;;
-esac])
-with_gnu_ld=$lt_cv_prog_gnu_ld
-])# _LT_PATH_LD_GNU
-
-
-# _LT_CMD_RELOAD
-# --------------
-# find reload flag for linker
-#   -- PORTME Some linkers may need a different reload flag.
-m4_defun([_LT_CMD_RELOAD],
-[AC_CACHE_CHECK([for $LD option to reload object files],
-  lt_cv_ld_reload_flag,
-  [lt_cv_ld_reload_flag='-r'])
-reload_flag=$lt_cv_ld_reload_flag
-case $reload_flag in
-"" | " "*) ;;
-*) reload_flag=" $reload_flag" ;;
-esac
-reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
-  cygwin* | mingw* | pw32* | cegcc*)
-    if test "$GCC" != yes; then
-      reload_cmds=false
-    fi
-    ;;
-  darwin*)
-    if test "$GCC" = yes; then
-      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
-    else
-      reload_cmds='$LD$reload_flag -o $output$reload_objs'
-    fi
-    ;;
-esac
-_LT_TAGDECL([], [reload_flag], [1], [How to create reloadable object files])dnl
-_LT_TAGDECL([], [reload_cmds], [2])dnl
-])# _LT_CMD_RELOAD
-
-
-# _LT_CHECK_MAGIC_METHOD
-# ----------------------
-# how to check for library dependencies
-#  -- PORTME fill in with the dynamic library characteristics
-m4_defun([_LT_CHECK_MAGIC_METHOD],
-[m4_require([_LT_DECL_EGREP])
-m4_require([_LT_DECL_OBJDUMP])
-AC_CACHE_CHECK([how to recognize dependent libraries],
-lt_cv_deplibs_check_method,
-[lt_cv_file_magic_cmd='$MAGIC_CMD'
-lt_cv_file_magic_test_file=
-lt_cv_deplibs_check_method='unknown'
-# Need to set the preceding variable on all platforms that support
-# interlibrary dependencies.
-# 'none' -- dependencies not supported.
-# `unknown' -- same as none, but documents that we really don't know.
-# 'pass_all' -- all dependencies passed with no checks.
-# 'test_compile' -- check by making test program.
-# 'file_magic [[regex]]' -- check by looking for files in library path
-# which responds to the $file_magic_cmd with a given extended regex.
-# If you have `file' or equivalent on your system and you're not sure
-# whether `pass_all' will *always* work, you probably want this one.
-
-case $host_os in
-aix[[4-9]]*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-beos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-bsdi[[45]]*)
-  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
-  lt_cv_file_magic_cmd='/usr/bin/file -L'
-  lt_cv_file_magic_test_file=/shlib/libc.so
-  ;;
-
-cygwin*)
-  # func_win32_libid is a shell function defined in ltmain.sh
-  lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-  lt_cv_file_magic_cmd='func_win32_libid'
-  ;;
-
-mingw* | pw32*)
-  # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump',
-  # unless we find 'file', for example because we are cross-compiling.
-  # func_win32_libid assumes BSD nm, so disallow it if using MS dumpbin.
-  if ( test "$lt_cv_nm_interface" = "BSD nm" && file / ) >/dev/null 2>&1; then
-    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
-    lt_cv_file_magic_cmd='func_win32_libid'
-  else
-    # Keep this pattern in sync with the one in func_win32_libid.
-    lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)'
-    lt_cv_file_magic_cmd='$OBJDUMP -f'
-  fi
-  ;;
-
-cegcc*)
-  # use the weaker test based on 'objdump'. See mingw*.
-  lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?'
-  lt_cv_file_magic_cmd='$OBJDUMP -f'
-  ;;
-
-darwin* | rhapsody*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-freebsd* | dragonfly*)
-  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
-    case $host_cpu in
-    i*86 )
-      # Not sure whether the presence of OpenBSD here was a mistake.
-      # Let's accept both of them until this is cleared up.
-      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
-      lt_cv_file_magic_cmd=/usr/bin/file
-      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
-      ;;
-    esac
-  else
-    lt_cv_deplibs_check_method=pass_all
-  fi
-  ;;
-
-gnu*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-haiku*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-hpux10.20* | hpux11*)
-  lt_cv_file_magic_cmd=/usr/bin/file
-  case $host_cpu in
-  ia64*)
-    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
-    lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
-    ;;
-  hppa*64*)
-    [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]']
-    lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
-    ;;
-  *)
-    lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]]\.[[0-9]]) shared library'
-    lt_cv_file_magic_test_file=/usr/lib/libc.sl
-    ;;
-  esac
-  ;;
-
-interix[[3-9]]*)
-  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
-  lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$'
-  ;;
-
-irix5* | irix6* | nonstopux*)
-  case $LD in
-  *-32|*"-32 ") libmagic=32-bit;;
-  *-n32|*"-n32 ") libmagic=N32;;
-  *-64|*"-64 ") libmagic=64-bit;;
-  *) libmagic=never-match;;
-  esac
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-# This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-netbsd*)
-  if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
-  fi
-  ;;
-
-newos6*)
-  lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
-  lt_cv_file_magic_cmd=/usr/bin/file
-  lt_cv_file_magic_test_file=/usr/lib/libnls.so
-  ;;
-
-*nto* | *qnx*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-openbsd*)
-  if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
-  else
-    lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
-  fi
-  ;;
-
-osf3* | osf4* | osf5*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-rdos*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-solaris*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-
-sysv4 | sysv4.3*)
-  case $host_vendor in
-  motorola)
-    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
-    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
-    ;;
-  ncr)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  sequent)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
-    ;;
-  sni)
-    lt_cv_file_magic_cmd='/bin/file'
-    lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
-    lt_cv_file_magic_test_file=/lib/libc.so
-    ;;
-  siemens)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  pc)
-    lt_cv_deplibs_check_method=pass_all
-    ;;
-  esac
-  ;;
-
-tpf*)
-  lt_cv_deplibs_check_method=pass_all
-  ;;
-esac
-])
-
-file_magic_glob=
-want_nocaseglob=no
-if test "$build" = "$host"; then
-  case $host_os in
-  mingw* | pw32*)
-    if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then
-      want_nocaseglob=yes
-    else
-      file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[[\1]]\/[[\1]]\/g;/g"`
-    fi
-    ;;
-  esac
-fi
-
-file_magic_cmd=$lt_cv_file_magic_cmd
-deplibs_check_method=$lt_cv_deplibs_check_method
-test -z "$deplibs_check_method" && deplibs_check_method=unknown
-
-_LT_DECL([], [deplibs_check_method], [1],
-    [Method to check whether dependent libraries are shared objects])
-_LT_DECL([], [file_magic_cmd], [1],
-    [Command to use when deplibs_check_method = "file_magic"])
-_LT_DECL([], [file_magic_glob], [1],
-    [How to find potential files when deplibs_check_method = "file_magic"])
-_LT_DECL([], [want_nocaseglob], [1],
-    [Find potential files using nocaseglob when deplibs_check_method = "file_magic"])
-])# _LT_CHECK_MAGIC_METHOD
-
-
-# LT_PATH_NM
-# ----------
-# find the pathname to a BSD- or MS-compatible name lister
-AC_DEFUN([LT_PATH_NM],
-[AC_REQUIRE([AC_PROG_CC])dnl
-AC_CACHE_CHECK([for BSD- or MS-compatible name lister (nm)], lt_cv_path_NM,
-[if test -n "$NM"; then
-  # Let the user override the test.
-  lt_cv_path_NM="$NM"
-else
-  lt_nm_to_check="${ac_tool_prefix}nm"
-  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
-    lt_nm_to_check="$lt_nm_to_check nm"
-  fi
-  for lt_tmp_nm in $lt_nm_to_check; do
-    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
-      IFS="$lt_save_ifs"
-      test -z "$ac_dir" && ac_dir=.
-      tmp_nm="$ac_dir/$lt_tmp_nm"
-      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
-	# Check to see if the nm accepts a BSD-compat flag.
-	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
-	#   nm: unknown option "B" ignored
-	# Tru64's nm complains that /dev/null is an invalid object file
-	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
-	*/dev/null* | *'Invalid file or object type'*)
-	  lt_cv_path_NM="$tmp_nm -B"
-	  break
-	  ;;
-	*)
-	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
-	  */dev/null*)
-	    lt_cv_path_NM="$tmp_nm -p"
-	    break
-	    ;;
-	  *)
-	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
-	    continue # so that we can try to find one that supports BSD flags
-	    ;;
-	  esac
-	  ;;
-	esac
-      fi
-    done
-    IFS="$lt_save_ifs"
-  done
-  : ${lt_cv_path_NM=no}
-fi])
-if test "$lt_cv_path_NM" != "no"; then
-  NM="$lt_cv_path_NM"
-else
-  # Didn't find any BSD compatible name lister, look for dumpbin.
-  if test -n "$DUMPBIN"; then :
-    # Let the user override the test.
-  else
-    AC_CHECK_TOOLS(DUMPBIN, [dumpbin "link -dump"], :)
-    case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in
-    *COFF*)
-      DUMPBIN="$DUMPBIN -symbols"
-      ;;
-    *)
-      DUMPBIN=:
-      ;;
-    esac
-  fi
-  AC_SUBST([DUMPBIN])
-  if test "$DUMPBIN" != ":"; then
-    NM="$DUMPBIN"
-  fi
-fi
-test -z "$NM" && NM=nm
-AC_SUBST([NM])
-_LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl
-
-AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface],
-  [lt_cv_nm_interface="BSD nm"
-  echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&AS_MESSAGE_LOG_FD)
-  (eval "$ac_compile" 2>conftest.err)
-  cat conftest.err >&AS_MESSAGE_LOG_FD
-  (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD)
-  (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
-  cat conftest.err >&AS_MESSAGE_LOG_FD
-  (eval echo "\"\$as_me:$LINENO: output\"" >&AS_MESSAGE_LOG_FD)
-  cat conftest.out >&AS_MESSAGE_LOG_FD
-  if $GREP 'External.*some_variable' conftest.out > /dev/null; then
-    lt_cv_nm_interface="MS dumpbin"
-  fi
-  rm -f conftest*])
-])# LT_PATH_NM
-
-# Old names:
-AU_ALIAS([AM_PROG_NM], [LT_PATH_NM])
-AU_ALIAS([AC_PROG_NM], [LT_PATH_NM])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AM_PROG_NM], [])
-dnl AC_DEFUN([AC_PROG_NM], [])
-
-# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
-# --------------------------------
-# how to determine the name of the shared library
-# associated with a specific link library.
-#  -- PORTME fill in with the dynamic library characteristics
-m4_defun([_LT_CHECK_SHAREDLIB_FROM_LINKLIB],
-[m4_require([_LT_DECL_EGREP])
-m4_require([_LT_DECL_OBJDUMP])
-m4_require([_LT_DECL_DLLTOOL])
-AC_CACHE_CHECK([how to associate runtime and link libraries],
-lt_cv_sharedlib_from_linklib_cmd,
-[lt_cv_sharedlib_from_linklib_cmd='unknown'
-
-case $host_os in
-cygwin* | mingw* | pw32* | cegcc*)
-  # two different shell functions defined in ltmain.sh
-  # decide which to use based on capabilities of $DLLTOOL
-  case `$DLLTOOL --help 2>&1` in
-  *--identify-strict*)
-    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib
-    ;;
-  *)
-    lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback
-    ;;
-  esac
-  ;;
-*)
-  # fallback: assume linklib IS sharedlib
-  lt_cv_sharedlib_from_linklib_cmd="$ECHO"
-  ;;
-esac
-])
-sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd
-test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO
-
-_LT_DECL([], [sharedlib_from_linklib_cmd], [1],
-    [Command to associate shared and link libraries])
-])# _LT_CHECK_SHAREDLIB_FROM_LINKLIB
-
-
-# _LT_PATH_MANIFEST_TOOL
-# ----------------------
-# locate the manifest tool
-m4_defun([_LT_PATH_MANIFEST_TOOL],
-[AC_CHECK_TOOL(MANIFEST_TOOL, mt, :)
-test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt
-AC_CACHE_CHECK([if $MANIFEST_TOOL is a manifest tool], [lt_cv_path_mainfest_tool],
-  [lt_cv_path_mainfest_tool=no
-  echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&AS_MESSAGE_LOG_FD
-  $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out
-  cat conftest.err >&AS_MESSAGE_LOG_FD
-  if $GREP 'Manifest Tool' conftest.out > /dev/null; then
-    lt_cv_path_mainfest_tool=yes
-  fi
-  rm -f conftest*])
-if test "x$lt_cv_path_mainfest_tool" != xyes; then
-  MANIFEST_TOOL=:
-fi
-_LT_DECL([], [MANIFEST_TOOL], [1], [Manifest tool])dnl
-])# _LT_PATH_MANIFEST_TOOL
-
-
-# LT_LIB_M
-# --------
-# check for math library
-AC_DEFUN([LT_LIB_M],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-LIBM=
-case $host in
-*-*-beos* | *-*-cegcc* | *-*-cygwin* | *-*-haiku* | *-*-pw32* | *-*-darwin*)
-  # These system don't have libm, or don't need it
-  ;;
-*-ncr-sysv4.3*)
-  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
-  AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
-  ;;
-*)
-  AC_CHECK_LIB(m, cos, LIBM="-lm")
-  ;;
-esac
-AC_SUBST([LIBM])
-])# LT_LIB_M
-
-# Old name:
-AU_ALIAS([AC_CHECK_LIBM], [LT_LIB_M])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_CHECK_LIBM], [])
-
-
-# _LT_COMPILER_NO_RTTI([TAGNAME])
-# -------------------------------
-m4_defun([_LT_COMPILER_NO_RTTI],
-[m4_require([_LT_TAG_COMPILER])dnl
-
-_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
-
-if test "$GCC" = yes; then
-  case $cc_basename in
-  nvcc*)
-    _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -Xcompiler -fno-builtin' ;;
-  *)
-    _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' ;;
-  esac
-
-  _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
-    lt_cv_prog_compiler_rtti_exceptions,
-    [-fno-rtti -fno-exceptions], [],
-    [_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
-fi
-_LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1],
-	[Compiler flag to turn off builtin functions])
-])# _LT_COMPILER_NO_RTTI
-
-
-# _LT_CMD_GLOBAL_SYMBOLS
-# ----------------------
-m4_defun([_LT_CMD_GLOBAL_SYMBOLS],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_PROG_AWK])dnl
-AC_REQUIRE([LT_PATH_NM])dnl
-AC_REQUIRE([LT_PATH_LD])dnl
-m4_require([_LT_DECL_SED])dnl
-m4_require([_LT_DECL_EGREP])dnl
-m4_require([_LT_TAG_COMPILER])dnl
-
-# Check for command to grab the raw symbol name followed by C symbol from nm.
-AC_MSG_CHECKING([command to parse $NM output from $compiler object])
-AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
-[
-# These are sane defaults that work on at least a few old systems.
-# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
-
-# Character class describing NM global symbol codes.
-symcode='[[BCDEGRST]]'
-
-# Regexp to match symbols that can be accessed directly from C.
-sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
-
-# Define system-specific variables.
-case $host_os in
-aix*)
-  symcode='[[BCDT]]'
-  ;;
-cygwin* | mingw* | pw32* | cegcc*)
-  symcode='[[ABCDGISTW]]'
-  ;;
-hpux*)
-  if test "$host_cpu" = ia64; then
-    symcode='[[ABCDEGRST]]'
-  fi
-  ;;
-irix* | nonstopux*)
-  symcode='[[BCDEGRST]]'
-  ;;
-osf*)
-  symcode='[[BCDEGQRST]]'
-  ;;
-solaris*)
-  symcode='[[BDRT]]'
-  ;;
-sco3.2v5*)
-  symcode='[[DT]]'
-  ;;
-sysv4.2uw2*)
-  symcode='[[DT]]'
-  ;;
-sysv5* | sco5v6* | unixware* | OpenUNIX*)
-  symcode='[[ABDT]]'
-  ;;
-sysv4)
-  symcode='[[DFNSTU]]'
-  ;;
-esac
-
-# If we're using GNU nm, then use its standard symbol codes.
-case `$NM -V 2>&1` in
-*GNU* | *'with BFD'*)
-  symcode='[[ABCDGIRSTW]]' ;;
-esac
-
-# Transform an extracted symbol line into a proper C declaration.
-# Some systems (esp. on ia64) link data and code symbols differently,
-# so use this general approach.
-lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
-
-# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p'"
-lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/  {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/  {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"lib\2\", (void *) \&\2},/p'"
-
-# Handle CRLF in mingw tool chain
-opt_cr=
-case $build_os in
-mingw*)
-  opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp
-  ;;
-esac
-
-# Try without a prefix underscore, then with it.
-for ac_symprfx in "" "_"; do
-
-  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
-  symxfrm="\\1 $ac_symprfx\\2 \\2"
-
-  # Write the raw and C identifiers.
-  if test "$lt_cv_nm_interface" = "MS dumpbin"; then
-    # Fake it for dumpbin and say T for any non-static function
-    # and D for any global variable.
-    # Also find C++ and __fastcall symbols from MSVC++,
-    # which start with @ or ?.
-    lt_cv_sys_global_symbol_pipe="$AWK ['"\
-"     {last_section=section; section=\$ 3};"\
-"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
-"     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
-"     \$ 0!~/External *\|/{next};"\
-"     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
-"     {if(hide[section]) next};"\
-"     {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\
-"     {split(\$ 0, a, /\||\r/); split(a[2], s)};"\
-"     s[1]~/^[@?]/{print s[1], s[1]; next};"\
-"     s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\
-"     ' prfx=^$ac_symprfx]"
-  else
-    lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[	 ]]\($symcode$symcode*\)[[	 ]][[	 ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
-  fi
-  lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'"
-
-  # Check to see that the pipe works correctly.
-  pipe_works=no
-
-  rm -f conftest*
-  cat > conftest.$ac_ext <<_LT_EOF
-#ifdef __cplusplus
-extern "C" {
-#endif
-char nm_test_var;
-void nm_test_func(void);
-void nm_test_func(void){}
-#ifdef __cplusplus
-}
-#endif
-int main(){nm_test_var='a';nm_test_func();return(0);}
-_LT_EOF
-
-  if AC_TRY_EVAL(ac_compile); then
-    # Now try to grab the symbols.
-    nlist=conftest.nm
-    if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then
-      # Try sorting and uniquifying the output.
-      if sort "$nlist" | uniq > "$nlist"T; then
-	mv -f "$nlist"T "$nlist"
-      else
-	rm -f "$nlist"T
-      fi
-
-      # Make sure that we snagged all the symbols we need.
-      if $GREP ' nm_test_var$' "$nlist" >/dev/null; then
-	if $GREP ' nm_test_func$' "$nlist" >/dev/null; then
-	  cat <<_LT_EOF > conftest.$ac_ext
-/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
-#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
-/* DATA imports from DLLs on WIN32 con't be const, because runtime
-   relocations are performed -- see ld's documentation on pseudo-relocs.  */
-# define LT@&t@_DLSYM_CONST
-#elif defined(__osf__)
-/* This system does not cope well with relocations in const data.  */
-# define LT@&t@_DLSYM_CONST
-#else
-# define LT@&t@_DLSYM_CONST const
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-_LT_EOF
-	  # Now generate the symbol file.
-	  eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext'
-
-	  cat <<_LT_EOF >> conftest.$ac_ext
-
-/* The mapping between symbol names and symbols.  */
-LT@&t@_DLSYM_CONST struct {
-  const char *name;
-  void       *address;
-}
-lt__PROGRAM__LTX_preloaded_symbols[[]] =
-{
-  { "@PROGRAM@", (void *) 0 },
-_LT_EOF
-	  $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/  {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext
-	  cat <<\_LT_EOF >> conftest.$ac_ext
-  {0, (void *) 0}
-};
-
-/* This works around a problem in FreeBSD linker */
-#ifdef FREEBSD_WORKAROUND
-static const void *lt_preloaded_setup() {
-  return lt__PROGRAM__LTX_preloaded_symbols;
-}
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-_LT_EOF
-	  # Now try linking the two files.
-	  mv conftest.$ac_objext conftstm.$ac_objext
-	  lt_globsym_save_LIBS=$LIBS
-	  lt_globsym_save_CFLAGS=$CFLAGS
-	  LIBS="conftstm.$ac_objext"
-	  CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
-	  if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
-	    pipe_works=yes
-	  fi
-	  LIBS=$lt_globsym_save_LIBS
-	  CFLAGS=$lt_globsym_save_CFLAGS
-	else
-	  echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
-	fi
-      else
-	echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
-      fi
-    else
-      echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
-    fi
-  else
-    echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
-    cat conftest.$ac_ext >&5
-  fi
-  rm -rf conftest* conftst*
-
-  # Do not use the global_symbol_pipe unless it works.
-  if test "$pipe_works" = yes; then
-    break
-  else
-    lt_cv_sys_global_symbol_pipe=
-  fi
-done
-])
-if test -z "$lt_cv_sys_global_symbol_pipe"; then
-  lt_cv_sys_global_symbol_to_cdecl=
-fi
-if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
-  AC_MSG_RESULT(failed)
-else
-  AC_MSG_RESULT(ok)
-fi
-
-# Response file support.
-if test "$lt_cv_nm_interface" = "MS dumpbin"; then
-  nm_file_list_spec='@'
-elif $NM --help 2>/dev/null | grep '[[@]]FILE' >/dev/null; then
-  nm_file_list_spec='@'
-fi
-
-_LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1],
-    [Take the output of nm and produce a listing of raw symbols and C names])
-_LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1],
-    [Transform the output of nm in a proper C declaration])
-_LT_DECL([global_symbol_to_c_name_address],
-    [lt_cv_sys_global_symbol_to_c_name_address], [1],
-    [Transform the output of nm in a C name address pair])
-_LT_DECL([global_symbol_to_c_name_address_lib_prefix],
-    [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1],
-    [Transform the output of nm in a C name address pair when lib prefix is needed])
-_LT_DECL([], [nm_file_list_spec], [1],
-    [Specify filename containing input files for $NM])
-]) # _LT_CMD_GLOBAL_SYMBOLS
-
-
-# _LT_COMPILER_PIC([TAGNAME])
-# ---------------------------
-m4_defun([_LT_COMPILER_PIC],
-[m4_require([_LT_TAG_COMPILER])dnl
-_LT_TAGVAR(lt_prog_compiler_wl, $1)=
-_LT_TAGVAR(lt_prog_compiler_pic, $1)=
-_LT_TAGVAR(lt_prog_compiler_static, $1)=
-
-m4_if([$1], [CXX], [
-  # C++ specific cases for pic, static, wl, etc.
-  if test "$GXX" = yes; then
-    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-
-    case $host_os in
-    aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-
-    amigaos*)
-      case $host_cpu in
-      powerpc)
-            # see comment about AmigaOS4 .so support
-            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-        ;;
-      m68k)
-            # FIXME: we need at least 68020 code to build shared libraries, but
-            # adding the `-m68020' flag to GCC prevents building anything better,
-            # like `-m68040'.
-            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
-        ;;
-      esac
-      ;;
-
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-    mingw* | cygwin* | os2* | pw32* | cegcc*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      m4_if([$1], [GCJ], [],
-	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
-      ;;
-    *djgpp*)
-      # DJGPP does not support shared libraries at all
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)=
-      ;;
-    haiku*)
-      # PIC is the default for Haiku.
-      # The "-static" flag exists, but is broken.
-      _LT_TAGVAR(lt_prog_compiler_static, $1)=
-      ;;
-    interix[[3-9]]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
-      fi
-      ;;
-    hpux*)
-      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
-      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
-      # sets the default TLS model and affects inlining.
-      case $host_cpu in
-      hppa*64*)
-	;;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	;;
-      esac
-      ;;
-    *qnx* | *nto*)
-      # QNX uses GNU C++, but need to define -shared option too, otherwise
-      # it will coredump.
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
-      ;;
-    *)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-      ;;
-    esac
-  else
-    case $host_os in
-      aix[[4-9]]*)
-	# All AIX code is PIC.
-	if test "$host_cpu" = ia64; then
-	  # AIX 5 now supports IA64 processor
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	else
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
-	fi
-	;;
-      chorus*)
-	case $cc_basename in
-	cxch68*)
-	  # Green Hills C++ Compiler
-	  # _LT_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
-	  ;;
-	esac
-	;;
-      mingw* | cygwin* | os2* | pw32* | cegcc*)
-	# This hack is so that the source file can tell whether it is being
-	# built for inclusion in a dll (and should export symbols for example).
-	m4_if([$1], [GCJ], [],
-	  [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-	;;
-      dgux*)
-	case $cc_basename in
-	  ec++*)
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    ;;
-	  ghcx*)
-	    # Green Hills C++ Compiler
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      freebsd* | dragonfly*)
-	# FreeBSD uses GNU C++
-	;;
-      hpux9* | hpux10* | hpux11*)
-	case $cc_basename in
-	  CC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-	    if test "$host_cpu" != ia64; then
-	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	    fi
-	    ;;
-	  aCC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-	    case $host_cpu in
-	    hppa*64*|ia64*)
-	      # +Z the default
-	      ;;
-	    *)
-	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	      ;;
-	    esac
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      interix*)
-	# This is c89, which is MS Visual C++ (no shared libs)
-	# Anyone wants to do a port?
-	;;
-      irix5* | irix6* | nonstopux*)
-	case $cc_basename in
-	  CC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    # CC pic flag -KPIC is the default.
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      linux* | k*bsd*-gnu | kopensolaris*-gnu)
-	case $cc_basename in
-	  KCC*)
-	    # KAI C++ Compiler
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	    ;;
-	  ecpc* )
-	    # old Intel C++ for x86_64 which still supported -KPIC.
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-	    ;;
-	  icpc* )
-	    # Intel C++, used to be incompatible with GCC.
-	    # ICC 10 doesn't accept -KPIC any more.
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-	    ;;
-	  pgCC* | pgcpp*)
-	    # Portland Group C++ compiler
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	  cxx*)
-	    # Compaq C++
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    ;;
-	  xlc* | xlC* | bgxl[[cC]]* | mpixl[[cC]]*)
-	    # IBM XL 8.0, 9.0 on PPC and BlueGene
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
-	    ;;
-	  *)
-	    case `$CC -V 2>&1 | sed 5q` in
-	    *Sun\ C*)
-	      # Sun C++ 5.9
-	      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-	      ;;
-	    esac
-	    ;;
-	esac
-	;;
-      lynxos*)
-	;;
-      m88k*)
-	;;
-      mvs*)
-	case $cc_basename in
-	  cxx*)
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      netbsd*)
-	;;
-      *qnx* | *nto*)
-        # QNX uses GNU C++, but need to define -shared option too, otherwise
-        # it will coredump.
-        _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
-        ;;
-      osf3* | osf4* | osf5*)
-	case $cc_basename in
-	  KCC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
-	    ;;
-	  RCC*)
-	    # Rational C++ 2.4.1
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  cxx*)
-	    # Digital/Compaq C++
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    # Make sure the PIC flag is empty.  It appears that all Alpha
-	    # Linux and Compaq Tru64 Unix objects are PIC.
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      psos*)
-	;;
-      solaris*)
-	case $cc_basename in
-	  CC* | sunCC*)
-	    # Sun C++ 4.2, 5.x and Centerline C++
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-	    ;;
-	  gcx*)
-	    # Green Hills C++ Compiler
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sunos4*)
-	case $cc_basename in
-	  CC*)
-	    # Sun C++ 4.x
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	  lcc*)
-	    # Lucid
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-	case $cc_basename in
-	  CC*)
-	    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	    ;;
-	esac
-	;;
-      tandem*)
-	case $cc_basename in
-	  NCC*)
-	    # NonStop-UX NCC 3.20
-	    _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
-      vxworks*)
-	;;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-	;;
-    esac
-  fi
-],
-[
-  if test "$GCC" = yes; then
-    _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-    _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-
-    case $host_os in
-      aix*)
-      # All AIX code is PIC.
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-
-    amigaos*)
-      case $host_cpu in
-      powerpc)
-            # see comment about AmigaOS4 .so support
-            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-        ;;
-      m68k)
-            # FIXME: we need at least 68020 code to build shared libraries, but
-            # adding the `-m68020' flag to GCC prevents building anything better,
-            # like `-m68040'.
-            _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
-        ;;
-      esac
-      ;;
-
-    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
-      # PIC is the default for these OSes.
-      ;;
-
-    mingw* | cygwin* | pw32* | os2* | cegcc*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      # Although the cygwin gcc ignores -fPIC, still need this for old-style
-      # (--disable-auto-import) libraries
-      m4_if([$1], [GCJ], [],
-	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-
-    darwin* | rhapsody*)
-      # PIC is the default on this platform
-      # Common symbols not allowed in MH_DYLIB files
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
-      ;;
-
-    haiku*)
-      # PIC is the default for Haiku.
-      # The "-static" flag exists, but is broken.
-      _LT_TAGVAR(lt_prog_compiler_static, $1)=
-      ;;
-
-    hpux*)
-      # PIC is the default for 64-bit PA HP-UX, but not for 32-bit
-      # PA HP-UX.  On IA64 HP-UX, PIC is the default but the pic flag
-      # sets the default TLS model and affects inlining.
-      case $host_cpu in
-      hppa*64*)
-	# +Z the default
-	;;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	;;
-      esac
-      ;;
-
-    interix[[3-9]]*)
-      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
-      # Instead, we relocate shared libraries at runtime.
-      ;;
-
-    msdosdjgpp*)
-      # Just because we use GCC doesn't mean we suddenly get shared libraries
-      # on systems that don't support them.
-      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      enable_shared=no
-      ;;
-
-    *nto* | *qnx*)
-      # QNX uses GNU C++, but need to define -shared option too, otherwise
-      # it will coredump.
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
-      fi
-      ;;
-
-    *)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-      ;;
-    esac
-
-    case $cc_basename in
-    nvcc*) # Cuda Compiler Driver 2.2
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker '
-      if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
-        _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)"
-      fi
-      ;;
-    esac
-  else
-    # PORTME Check for flag to pass linker flags through the system compiler.
-    case $host_os in
-    aix*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      if test "$host_cpu" = ia64; then
-	# AIX 5 now supports IA64 processor
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      else
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
-      fi
-      ;;
-
-    mingw* | cygwin* | pw32* | os2* | cegcc*)
-      # This hack is so that the source file can tell whether it is being
-      # built for inclusion in a dll (and should export symbols for example).
-      m4_if([$1], [GCJ], [],
-	[_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
-      ;;
-
-    hpux9* | hpux10* | hpux11*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
-      # not for PA HP-UX.
-      case $host_cpu in
-      hppa*64*|ia64*)
-	# +Z the default
-	;;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
-	;;
-      esac
-      # Is there a better lt_prog_compiler_static that works with the bundled CC?
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # PIC (with -KPIC) is the default.
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
-
-    linux* | k*bsd*-gnu | kopensolaris*-gnu)
-      case $cc_basename in
-      # old Intel for x86_64 which still supported -KPIC.
-      ecc*)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-        ;;
-      # icc used to be incompatible with GCC.
-      # ICC 10 doesn't accept -KPIC any more.
-      icc* | ifort*)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-        ;;
-      # Lahey Fortran 8.1.
-      lf95*)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='--static'
-	;;
-      nagfor*)
-	# NAG Fortran compiler
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	;;
-      pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
-        # Portland Group compilers (*not* the Pentium gcc compiler,
-	# which looks to be a dead project)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-        ;;
-      ccc*)
-        _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-        # All Alpha code is PIC.
-        _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-        ;;
-      xl* | bgxl* | bgf* | mpixl*)
-	# IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink'
-	;;
-      *)
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*)
-	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
-	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
-	  ;;
-	*Sun\ F* | *Sun*Fortran*)
-	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-	  ;;
-	*Sun\ C*)
-	  # Sun C 5.9
-	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	  ;;
-        *Intel*\ [[CF]]*Compiler*)
-	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
-	  ;;
-	*Portland\ Group*)
-	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
-	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-	  ;;
-	esac
-	;;
-      esac
-      ;;
-
-    newsos6)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    *nto* | *qnx*)
-      # QNX uses GNU C++, but need to define -shared option too, otherwise
-      # it will coredump.
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared'
-      ;;
-
-    osf3* | osf4* | osf5*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      # All OSF/1 code is PIC.
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
-
-    rdos*)
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
-      ;;
-
-    solaris*)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      case $cc_basename in
-      f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
-      *)
-	_LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
-      esac
-      ;;
-
-    sunos4*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec ;then
-	_LT_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
-	_LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      fi
-      ;;
-
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    unicos*)
-      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      ;;
-
-    uts4*)
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
-      _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
-      ;;
-
-    *)
-      _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
-      ;;
-    esac
-  fi
-])
-case $host_os in
-  # For platforms which do not support PIC, -DPIC is meaningless:
-  *djgpp*)
-    _LT_TAGVAR(lt_prog_compiler_pic, $1)=
-    ;;
-  *)
-    _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])"
-    ;;
-esac
-
-AC_CACHE_CHECK([for $compiler option to produce PIC],
-  [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)],
-  [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_prog_compiler_pic, $1)])
-_LT_TAGVAR(lt_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
-  _LT_COMPILER_OPTION([if $compiler PIC flag $_LT_TAGVAR(lt_prog_compiler_pic, $1) works],
-    [_LT_TAGVAR(lt_cv_prog_compiler_pic_works, $1)],
-    [$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])], [],
-    [case $_LT_TAGVAR(lt_prog_compiler_pic, $1) in
-     "" | " "*) ;;
-     *) _LT_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_TAGVAR(lt_prog_compiler_pic, $1)" ;;
-     esac],
-    [_LT_TAGVAR(lt_prog_compiler_pic, $1)=
-     _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
-fi
-_LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1],
-	[Additional compiler flags for building library objects])
-
-_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1],
-	[How to pass a linker flag through the compiler])
-#
-# Check to make sure the static flag actually works.
-#
-wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_TAGVAR(lt_prog_compiler_static, $1)\"
-_LT_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
-  _LT_TAGVAR(lt_cv_prog_compiler_static_works, $1),
-  $lt_tmp_static_flag,
-  [],
-  [_LT_TAGVAR(lt_prog_compiler_static, $1)=])
-_LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1],
-	[Compiler flag to prevent dynamic linking])
-])# _LT_COMPILER_PIC
-
-
-# _LT_LINKER_SHLIBS([TAGNAME])
-# ----------------------------
-# See if the linker supports building shared libraries.
-m4_defun([_LT_LINKER_SHLIBS],
-[AC_REQUIRE([LT_PATH_LD])dnl
-AC_REQUIRE([LT_PATH_NM])dnl
-m4_require([_LT_PATH_MANIFEST_TOOL])dnl
-m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_EGREP])dnl
-m4_require([_LT_DECL_SED])dnl
-m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
-m4_require([_LT_TAG_COMPILER])dnl
-AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-m4_if([$1], [CXX], [
-  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
-  case $host_os in
-  aix[[4-9]]*)
-    # If we're using GNU nm, then we don't want the "-C" option.
-    # -C means demangle to AIX nm, but means don't demangle with GNU nm
-    # Also, AIX nm treats weak defined symbols like other global defined
-    # symbols, whereas GNU nm marks them as "W".
-    if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
-    else
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
-    fi
-    ;;
-  pw32*)
-    _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
-    ;;
-  cygwin* | mingw* | cegcc*)
-    case $cc_basename in
-    cl*)
-      _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
-      ;;
-    *)
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
-      _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
-      ;;
-    esac
-    ;;
-  *)
-    _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-    ;;
-  esac
-], [
-  runpath_var=
-  _LT_TAGVAR(allow_undefined_flag, $1)=
-  _LT_TAGVAR(always_export_symbols, $1)=no
-  _LT_TAGVAR(archive_cmds, $1)=
-  _LT_TAGVAR(archive_expsym_cmds, $1)=
-  _LT_TAGVAR(compiler_needs_object, $1)=no
-  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-  _LT_TAGVAR(export_dynamic_flag_spec, $1)=
-  _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
-  _LT_TAGVAR(hardcode_automatic, $1)=no
-  _LT_TAGVAR(hardcode_direct, $1)=no
-  _LT_TAGVAR(hardcode_direct_absolute, $1)=no
-  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-  _LT_TAGVAR(hardcode_libdir_separator, $1)=
-  _LT_TAGVAR(hardcode_minus_L, $1)=no
-  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-  _LT_TAGVAR(inherit_rpath, $1)=no
-  _LT_TAGVAR(link_all_deplibs, $1)=unknown
-  _LT_TAGVAR(module_cmds, $1)=
-  _LT_TAGVAR(module_expsym_cmds, $1)=
-  _LT_TAGVAR(old_archive_from_new_cmds, $1)=
-  _LT_TAGVAR(old_archive_from_expsyms_cmds, $1)=
-  _LT_TAGVAR(thread_safe_flag_spec, $1)=
-  _LT_TAGVAR(whole_archive_flag_spec, $1)=
-  # include_expsyms should be a list of space-separated symbols to be *always*
-  # included in the symbol list
-  _LT_TAGVAR(include_expsyms, $1)=
-  # exclude_expsyms can be an extended regexp of symbols to exclude
-  # it will be wrapped by ` (' and `)$', so one must not match beginning or
-  # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
-  # as well as any symbol that contains `d'.
-  _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
-  # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
-  # platforms (ab)use it in PIC code, but their linkers get confused if
-  # the symbol is explicitly referenced.  Since portable code cannot
-  # rely on this symbol name, it's probably fine to never include it in
-  # preloaded symbol tables.
-  # Exclude shared library initialization/finalization symbols.
-dnl Note also adjust exclude_expsyms for C++ above.
-  extract_expsyms_cmds=
-
-  case $host_os in
-  cygwin* | mingw* | pw32* | cegcc*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-  esac
-
-  _LT_TAGVAR(ld_shlibs, $1)=yes
-
-  # On some targets, GNU ld is compatible enough with the native linker
-  # that we're better off using the native interface for both.
-  lt_use_gnu_ld_interface=no
-  if test "$with_gnu_ld" = yes; then
-    case $host_os in
-      aix*)
-	# The AIX port of GNU ld has always aspired to compatibility
-	# with the native linker.  However, as the warning in the GNU ld
-	# block says, versions before 2.19.5* couldn't really create working
-	# shared libraries, regardless of the interface used.
-	case `$LD -v 2>&1` in
-	  *\ \(GNU\ Binutils\)\ 2.19.5*) ;;
-	  *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;;
-	  *\ \(GNU\ Binutils\)\ [[3-9]]*) ;;
-	  *)
-	    lt_use_gnu_ld_interface=yes
-	    ;;
-	esac
-	;;
-      *)
-	lt_use_gnu_ld_interface=yes
-	;;
-    esac
-  fi
-
-  if test "$lt_use_gnu_ld_interface" = yes; then
-    # If archive_cmds runs LD, not CC, wlarc should be empty
-    wlarc='${wl}'
-
-    # Set some defaults for GNU ld with shared library support. These
-    # are reset later if shared libraries are not supported. Putting them
-    # here allows them to be overridden if necessary.
-    runpath_var=LD_RUN_PATH
-    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-    # ancient GNU ld didn't support --whole-archive et. al.
-    if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
-      _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-    else
-      _LT_TAGVAR(whole_archive_flag_spec, $1)=
-    fi
-    supports_anon_versioning=no
-    case `$LD -v 2>&1` in
-      *GNU\ gold*) supports_anon_versioning=yes ;;
-      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
-      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-      *\ 2.11.*) ;; # other 2.11 versions
-      *) supports_anon_versioning=yes ;;
-    esac
-
-    # See if GNU ld supports shared libraries.
-    case $host_os in
-    aix[[3-9]]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.19, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support.  If you
-*** really care for shared libraries, you may want to install binutils
-*** 2.20 or above, or modify your PATH so that a non-GNU linker is found.
-*** You will then need to restart the configuration process.
-
-_LT_EOF
-      fi
-      ;;
-
-    amigaos*)
-      case $host_cpu in
-      powerpc)
-            # see comment about AmigaOS4 .so support
-            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-            _LT_TAGVAR(archive_expsym_cmds, $1)=''
-        ;;
-      m68k)
-            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-            _LT_TAGVAR(hardcode_minus_L, $1)=yes
-        ;;
-      esac
-      ;;
-
-    beos*)
-      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-	# Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	# support --undefined.  This deserves some investigation.  FIXME
-	_LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    cygwin* | mingw* | pw32* | cegcc*)
-      # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-      # as there is no search path for DLLs.
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols'
-      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_TAGVAR(always_export_symbols, $1)=no
-      _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
-      _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
-
-      if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
-        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	# If the export-symbols file already is a .def file (1st line
-	# is EXPORTS), use it as is; otherwise, prepend...
-	_LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	  cp $export_symbols $output_objdir/$soname.def;
-	else
-	  echo EXPORTS > $output_objdir/$soname.def;
-	  cat $export_symbols >> $output_objdir/$soname.def;
-	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    haiku*)
-      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      _LT_TAGVAR(link_all_deplibs, $1)=yes
-      ;;
-
-    interix[[3-9]]*)
-      _LT_TAGVAR(hardcode_direct, $1)=no
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-      # Instead, shared libraries are loaded at an image base (0x10000000 by
-      # default) and relocated if they conflict, which is a slow very memory
-      # consuming and fragmenting process.  To avoid this, we pick a random,
-      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-      ;;
-
-    gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
-      tmp_diet=no
-      if test "$host_os" = linux-dietlibc; then
-	case $cc_basename in
-	  diet\ *) tmp_diet=yes;;	# linux-dietlibc with static linking (!diet-dyn)
-	esac
-      fi
-      if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \
-	 && test "$tmp_diet" = no
-      then
-	tmp_addflag=' $pic_flag'
-	tmp_sharedflag='-shared'
-	case $cc_basename,$host_cpu in
-        pgcc*)				# Portland Group C compiler
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag'
-	  ;;
-	pgf77* | pgf90* | pgf95* | pgfortran*)
-					# Portland Group f77 and f90 compilers
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
-	  tmp_addflag=' $pic_flag -Mnomain' ;;
-	ecc*,ia64* | icc*,ia64*)	# Intel C compiler on ia64
-	  tmp_addflag=' -i_dynamic' ;;
-	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
-	  tmp_addflag=' -i_dynamic -nofor_main' ;;
-	ifc* | ifort*)			# Intel Fortran compiler
-	  tmp_addflag=' -nofor_main' ;;
-	lf95*)				# Lahey Fortran 8.1
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)=
-	  tmp_sharedflag='--shared' ;;
-	xl[[cC]]* | bgxl[[cC]]* | mpixl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below)
-	  tmp_sharedflag='-qmkshrobj'
-	  tmp_addflag= ;;
-	nvcc*)	# Cuda Compiler Driver 2.2
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
-	  _LT_TAGVAR(compiler_needs_object, $1)=yes
-	  ;;
-	esac
-	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ C*)			# Sun C 5.9
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
-	  _LT_TAGVAR(compiler_needs_object, $1)=yes
-	  tmp_sharedflag='-G' ;;
-	*Sun\ F*)			# Sun Fortran 8.3
-	  tmp_sharedflag='-G' ;;
-	esac
-	_LT_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-
-        if test "x$supports_anon_versioning" = xyes; then
-          _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
-	    cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-	    echo "local: *; };" >> $output_objdir/$libname.ver~
-	    $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-        fi
-
-	case $cc_basename in
-	xlf* | bgf* | bgxlf* | mpixlf*)
-	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
-	  if test "x$supports_anon_versioning" = xyes; then
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
-	      cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-	      echo "local: *; };" >> $output_objdir/$libname.ver~
-	      $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib'
-	  fi
-	  ;;
-	esac
-      else
-        _LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    netbsd*)
-      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
-	wlarc=
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      fi
-      ;;
-
-    solaris*)
-      if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-      elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	cat <<_LT_EOF 1>&2
-
-*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
-*** reliably create shared libraries on SCO systems.  Therefore, libtool
-*** is disabling shared libraries support.  We urge you to upgrade GNU
-*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-_LT_EOF
-	;;
-	*)
-	  # For security reasons, it is highly recommended that you always
-	  # use absolute paths for naming shared libraries, and exclude the
-	  # DT_RUNPATH tag from executables and libraries.  But doing so
-	  # requires that you compile everything twice, which is a pain.
-	  if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-	  else
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	  fi
-	;;
-      esac
-      ;;
-
-    sunos4*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      wlarc=
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    *)
-      if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-    esac
-
-    if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then
-      runpath_var=
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)=
-      _LT_TAGVAR(whole_archive_flag_spec, $1)=
-    fi
-  else
-    # PORTME fill in a description of your system's linker (not GNU ld)
-    case $host_os in
-    aix3*)
-      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_TAGVAR(always_export_symbols, $1)=yes
-      _LT_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
-	# Neither direct hardcoding nor static linking is supported with a
-	# broken collect2.
-	_LT_TAGVAR(hardcode_direct, $1)=unsupported
-      fi
-      ;;
-
-    aix[[4-9]]*)
-      if test "$host_cpu" = ia64; then
-	# On IA64, the linker does run time linking by default, so we don't
-	# have to do anything special.
-	aix_use_runtimelinking=no
-	exp_sym_flag='-Bexport'
-	no_entry_flag=""
-      else
-	# If we're using GNU nm, then we don't want the "-C" option.
-	# -C means demangle to AIX nm, but means don't demangle with GNU nm
-	# Also, AIX nm treats weak defined symbols like other global
-	# defined symbols, whereas GNU nm marks them as "W".
-	if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then
-	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
-	else
-	  _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols'
-	fi
-	aix_use_runtimelinking=no
-
-	# Test if we are trying to use run time linking or normal
-	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
-	# need to do runtime linking.
-	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
-	  for ld_flag in $LDFLAGS; do
-	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-	    aix_use_runtimelinking=yes
-	    break
-	  fi
-	  done
-	  ;;
-	esac
-
-	exp_sym_flag='-bexport'
-	no_entry_flag='-bnoentry'
-      fi
-
-      # When large executables or shared objects are built, AIX ld can
-      # have problems creating the table of contents.  If linking a library
-      # or program results in "error TOC overflow" add -mminimal-toc to
-      # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-      # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-      _LT_TAGVAR(archive_cmds, $1)=''
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
-      _LT_TAGVAR(link_all_deplibs, $1)=yes
-      _LT_TAGVAR(file_list_spec, $1)='${wl}-f,'
-
-      if test "$GCC" = yes; then
-	case $host_os in aix4.[[012]]|aix4.[[012]].*)
-	# We only want to do this on AIX 4.2 and lower, the check
-	# below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" &&
-	   strings "$collect2name" | $GREP resolve_lib_name >/dev/null
-	  then
-	  # We have reworked collect2
-	  :
-	  else
-	  # We have old collect2
-	  _LT_TAGVAR(hardcode_direct, $1)=unsupported
-	  # It fails to find uninstalled libraries when the uninstalled
-	  # path is not listed in the libpath.  Setting hardcode_minus_L
-	  # to unsupported forces relinking
-	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-	  _LT_TAGVAR(hardcode_libdir_separator, $1)=
-	  fi
-	  ;;
-	esac
-	shared_flag='-shared'
-	if test "$aix_use_runtimelinking" = yes; then
-	  shared_flag="$shared_flag "'${wl}-G'
-	fi
-      else
-	# not using gcc
-	if test "$host_cpu" = ia64; then
-	# VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-	# chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-	else
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag='${wl}-G'
-	  else
-	    shared_flag='${wl}-bM:SRE'
-	  fi
-	fi
-      fi
-
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall'
-      # It seems that -bexpall does not export symbols beginning with
-      # underscore (_), so it is better to generate a list of symbols to export.
-      _LT_TAGVAR(always_export_symbols, $1)=yes
-      if test "$aix_use_runtimelinking" = yes; then
-	# Warning - without using the other runtime loading flags (-brtl),
-	# -berok will link without error, but may produce a broken library.
-	_LT_TAGVAR(allow_undefined_flag, $1)='-berok'
-        # Determine the default libpath from the value encoded in an
-        # empty executable.
-        _LT_SYS_MODULE_PATH_AIX([$1])
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-      else
-	if test "$host_cpu" = ia64; then
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
-	  _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-	else
-	 # Determine the default libpath from the value encoded in an
-	 # empty executable.
-	 _LT_SYS_MODULE_PATH_AIX([$1])
-	 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	  # Warning - without using the other run time loading flags,
-	  # -berok will link without error, but may produce a broken library.
-	  _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
-	  _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	  if test "$with_gnu_ld" = yes; then
-	    # We only use this code for GNU lds that support --whole-archive.
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
-	  else
-	    # Exported symbols can be pulled into shared objects from archives
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
-	  fi
-	  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-	  # This is similar to how AIX traditionally builds its shared libraries.
-	  _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-	fi
-      fi
-      ;;
-
-    amigaos*)
-      case $host_cpu in
-      powerpc)
-            # see comment about AmigaOS4 .so support
-            _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-            _LT_TAGVAR(archive_expsym_cmds, $1)=''
-        ;;
-      m68k)
-            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
-            _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-            _LT_TAGVAR(hardcode_minus_L, $1)=yes
-        ;;
-      esac
-      ;;
-
-    bsdi[[45]]*)
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
-      ;;
-
-    cygwin* | mingw* | pw32* | cegcc*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      case $cc_basename in
-      cl*)
-	# Native MSVC
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
-	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-	_LT_TAGVAR(always_export_symbols, $1)=yes
-	_LT_TAGVAR(file_list_spec, $1)='@'
-	# Tell ltmain to make .lib files, not .a files.
-	libext=lib
-	# Tell ltmain to make .dll files, not .so files.
-	shrext_cmds=".dll"
-	# FIXME: Setting linknames here is a bad hack.
-	_LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
-	_LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	    sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
-	  else
-	    sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
-	  fi~
-	  $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
-	  linknames='
-	# The linker will not automatically build a static lib if we build a DLL.
-	# _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
-	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-	_LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
-	_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
-	# Don't use ranlib
-	_LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
-	_LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
-	  lt_tool_outputfile="@TOOL_OUTPUT@"~
-	  case $lt_outputfile in
-	    *.exe|*.EXE) ;;
-	    *)
-	      lt_outputfile="$lt_outputfile.exe"
-	      lt_tool_outputfile="$lt_tool_outputfile.exe"
-	      ;;
-	  esac~
-	  if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
-	    $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
-	    $RM "$lt_outputfile.manifest";
-	  fi'
-	;;
-      *)
-	# Assume MSVC wrapper
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
-	_LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-	# Tell ltmain to make .lib files, not .a files.
-	libext=lib
-	# Tell ltmain to make .dll files, not .so files.
-	shrext_cmds=".dll"
-	# FIXME: Setting linknames here is a bad hack.
-	_LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames='
-	# The linker will automatically build a .lib file if we build a DLL.
-	_LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
-	# FIXME: Should let the user specify the lib program.
-	_LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
-	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-	;;
-      esac
-      ;;
-
-    darwin* | rhapsody*)
-      _LT_DARWIN_LINKER_FEATURES($1)
-      ;;
-
-    dgux*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
-    # support.  Future versions do this automatically, but an explicit c++rt0.o
-    # does not break anything, and helps significantly (at the cost of a little
-    # extra space).
-    freebsd2.2*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    # Unfortunately, older versions of FreeBSD 2 do not have this feature.
-    freebsd2.*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | dragonfly*)
-      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    hpux9*)
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-      fi
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      ;;
-
-    hpux10*)
-      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      if test "$with_gnu_ld" = no; then
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
-	_LT_TAGVAR(hardcode_direct, $1)=yes
-	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	# hardcode_minus_L: Not really in the search PATH,
-	# but as the default location of the library.
-	_LT_TAGVAR(hardcode_minus_L, $1)=yes
-      fi
-      ;;
-
-    hpux11*)
-      if test "$GCC" = yes && test "$with_gnu_ld" = no; then
-	case $host_cpu in
-	hppa*64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	esac
-      else
-	case $host_cpu in
-	hppa*64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	ia64*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	m4_if($1, [], [
-	  # Older versions of the 11.00 compiler do not understand -b yet
-	  # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does)
-	  _LT_LINKER_OPTION([if $CC understands -b],
-	    _LT_TAGVAR(lt_cv_prog_compiler__b, $1), [-b],
-	    [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'],
-	    [_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'])],
-	  [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'])
-	  ;;
-	esac
-      fi
-      if test "$with_gnu_ld" = no; then
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	case $host_cpu in
-	hppa*64*|ia64*)
-	  _LT_TAGVAR(hardcode_direct, $1)=no
-	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	  ;;
-	*)
-	  _LT_TAGVAR(hardcode_direct, $1)=yes
-	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  _LT_TAGVAR(hardcode_minus_L, $1)=yes
-	  ;;
-	esac
-      fi
-      ;;
-
-    irix5* | irix6* | nonstopux*)
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	# Try to use the -exported_symbol ld option, if it does not
-	# work, assume that -exports_file does not work either and
-	# implicitly export all symbols.
-	# This should be the same for all languages, so no per-tag cache variable.
-	AC_CACHE_CHECK([whether the $host_os linker accepts -exported_symbol],
-	  [lt_cv_irix_exported_symbol],
-	  [save_LDFLAGS="$LDFLAGS"
-	   LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null"
-	   AC_LINK_IFELSE(
-	     [AC_LANG_SOURCE(
-	        [AC_LANG_CASE([C], [[int foo (void) { return 0; }]],
-			      [C++], [[int foo (void) { return 0; }]],
-			      [Fortran 77], [[
-      subroutine foo
-      end]],
-			      [Fortran], [[
-      subroutine foo
-      end]])])],
-	      [lt_cv_irix_exported_symbol=yes],
-	      [lt_cv_irix_exported_symbol=no])
-           LDFLAGS="$save_LDFLAGS"])
-	if test "$lt_cv_irix_exported_symbol" = yes; then
-          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib'
-	fi
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib'
-      fi
-      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_TAGVAR(inherit_rpath, $1)=yes
-      _LT_TAGVAR(link_all_deplibs, $1)=yes
-      ;;
-
-    netbsd*)
-      if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
-	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
-      fi
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    newsos6)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    *nto* | *qnx*)
-      ;;
-
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-	_LT_TAGVAR(hardcode_direct, $1)=yes
-	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-	if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	else
-	  case $host_os in
-	   openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
-	     _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	     _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	     ;;
-	   *)
-	     _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	     _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	     ;;
-	  esac
-	fi
-      else
-	_LT_TAGVAR(ld_shlibs, $1)=no
-      fi
-      ;;
-
-    os2*)
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-      _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
-      _LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
-      ;;
-
-    osf3*)
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-      else
-	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
-      fi
-      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      ;;
-
-    osf4* | osf5*)	# as osf3* with the addition of -msym flag
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-      else
-	_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~
-	$CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp'
-
-	# Both c and cxx compiler support -rpath directly
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-      fi
-      _LT_TAGVAR(archive_cmds_need_lc, $1)='no'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-      ;;
-
-    solaris*)
-      _LT_TAGVAR(no_undefined_flag, $1)=' -z defs'
-      if test "$GCC" = yes; then
-	wlarc='${wl}'
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
-      else
-	case `$CC -V 2>&1` in
-	*"Compilers 5.0"*)
-	  wlarc=''
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp'
-	  ;;
-	*)
-	  wlarc='${wl}'
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	  $CC -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp'
-	  ;;
-	esac
-      fi
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      case $host_os in
-      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-      *)
-	# The compiler driver will combine and reorder linker options,
-	# but understands `-z linker_flag'.  GCC discards it without `$wl',
-	# but is careful enough not to reorder.
-	# Supported since Solaris 2.6 (maybe 2.5.1?)
-	if test "$GCC" = yes; then
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-	else
-	  _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
-	fi
-	;;
-      esac
-      _LT_TAGVAR(link_all_deplibs, $1)=yes
-      ;;
-
-    sunos4*)
-      if test "x$host_vendor" = xsequent; then
-	# Use $CC to link under sequent, because it throws in some extra .o
-	# files that make .init and .fini sections work.
-	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
-      fi
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(hardcode_direct, $1)=yes
-      _LT_TAGVAR(hardcode_minus_L, $1)=yes
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    sysv4)
-      case $host_vendor in
-	sni)
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_TAGVAR(hardcode_direct, $1)=yes # is this really true???
-	;;
-	siemens)
-	  ## LD is ld it makes a PLAMLIB
-	  ## CC just makes a GrossModule.
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
-	  _LT_TAGVAR(hardcode_direct, $1)=no
-        ;;
-	motorola)
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	  _LT_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
-	;;
-      esac
-      runpath_var='LD_RUN_PATH'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    sysv4.3*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
-      ;;
-
-    sysv4*MP*)
-      if test -d /usr/nec; then
-	_LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	runpath_var=LD_RUN_PATH
-	hardcode_runpath_var=yes
-	_LT_TAGVAR(ld_shlibs, $1)=yes
-      fi
-      ;;
-
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
-      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    sysv5* | sco3.2v5* | sco5v6*)
-      # Note: We can NOT use -z defs as we might desire, because we do not
-      # link with -lc, and that would cause any symbols used from libc to
-      # always be unresolved, which means just about no library would
-      # ever link correctly.  If we're not using GNU ld we use -z text
-      # though, which does catch some bad symbols but isn't as heavy-handed
-      # as -z defs.
-      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
-      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir'
-      _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
-      _LT_TAGVAR(link_all_deplibs, $1)=yes
-      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-      runpath_var='LD_RUN_PATH'
-
-      if test "$GCC" = yes; then
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      else
-	_LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-      fi
-      ;;
-
-    uts4*)
-      _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      ;;
-
-    *)
-      _LT_TAGVAR(ld_shlibs, $1)=no
-      ;;
-    esac
-
-    if test x$host_vendor = xsni; then
-      case $host in
-      sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
-	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Blargedynsym'
-	;;
-      esac
-    fi
-  fi
-])
-AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
-test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
-_LT_TAGVAR(with_gnu_ld, $1)=$with_gnu_ld
-
-_LT_DECL([], [libext], [0], [Old archive suffix (normally "a")])dnl
-_LT_DECL([], [shrext_cmds], [1], [Shared library suffix (normally ".so")])dnl
-_LT_DECL([], [extract_expsyms_cmds], [2],
-    [The commands to extract the exported symbol list from a shared archive])
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$_LT_TAGVAR(archive_cmds_need_lc, $1)" in
-x|xyes)
-  # Assume -lc should be added
-  _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-
-  if test "$enable_shared" = yes && test "$GCC" = yes; then
-    case $_LT_TAGVAR(archive_cmds, $1) in
-    *'~'*)
-      # FIXME: we may have to deal with multi-command sequences.
-      ;;
-    '$CC '*)
-      # Test whether the compiler implicitly links with -lc since on some
-      # systems, -lgcc has to come before -lc. If gcc already passes -lc
-      # to ld, don't add -lc before -lgcc.
-      AC_CACHE_CHECK([whether -lc should be explicitly linked in],
-	[lt_cv_]_LT_TAGVAR(archive_cmds_need_lc, $1),
-	[$RM conftest*
-	echo "$lt_simple_compile_test_code" > conftest.$ac_ext
-
-	if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
-	  soname=conftest
-	  lib=conftest
-	  libobjs=conftest.$ac_objext
-	  deplibs=
-	  wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1)
-	  pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1)
-	  compiler_flags=-v
-	  linker_flags=-v
-	  verstring=
-	  output_objdir=.
-	  libname=conftest
-	  lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1)
-	  _LT_TAGVAR(allow_undefined_flag, $1)=
-	  if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1)
-	  then
-	    lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-	  else
-	    lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-	  fi
-	  _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
-	else
-	  cat conftest.err 1>&5
-	fi
-	$RM conftest*
-	])
-      _LT_TAGVAR(archive_cmds_need_lc, $1)=$lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)
-      ;;
-    esac
-  fi
-  ;;
-esac
-
-_LT_TAGDECL([build_libtool_need_lc], [archive_cmds_need_lc], [0],
-    [Whether or not to add -lc for building shared libraries])
-_LT_TAGDECL([allow_libtool_libs_with_static_runtimes],
-    [enable_shared_with_static_runtimes], [0],
-    [Whether or not to disallow shared libs when runtime libs are static])
-_LT_TAGDECL([], [export_dynamic_flag_spec], [1],
-    [Compiler flag to allow reflexive dlopens])
-_LT_TAGDECL([], [whole_archive_flag_spec], [1],
-    [Compiler flag to generate shared objects directly from archives])
-_LT_TAGDECL([], [compiler_needs_object], [1],
-    [Whether the compiler copes with passing no objects directly])
-_LT_TAGDECL([], [old_archive_from_new_cmds], [2],
-    [Create an old-style archive from a shared archive])
-_LT_TAGDECL([], [old_archive_from_expsyms_cmds], [2],
-    [Create a temporary old-style archive to link instead of a shared archive])
-_LT_TAGDECL([], [archive_cmds], [2], [Commands used to build a shared archive])
-_LT_TAGDECL([], [archive_expsym_cmds], [2])
-_LT_TAGDECL([], [module_cmds], [2],
-    [Commands used to build a loadable module if different from building
-    a shared archive.])
-_LT_TAGDECL([], [module_expsym_cmds], [2])
-_LT_TAGDECL([], [with_gnu_ld], [1],
-    [Whether we are building with GNU ld or not])
-_LT_TAGDECL([], [allow_undefined_flag], [1],
-    [Flag that allows shared libraries with undefined symbols to be built])
-_LT_TAGDECL([], [no_undefined_flag], [1],
-    [Flag that enforces no undefined symbols])
-_LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
-    [Flag to hardcode $libdir into a binary during linking.
-    This must work even if $libdir does not exist])
-_LT_TAGDECL([], [hardcode_libdir_separator], [1],
-    [Whether we need a single "-rpath" flag with a separated argument])
-_LT_TAGDECL([], [hardcode_direct], [0],
-    [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes
-    DIR into the resulting binary])
-_LT_TAGDECL([], [hardcode_direct_absolute], [0],
-    [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes
-    DIR into the resulting binary and the resulting library dependency is
-    "absolute", i.e impossible to change by setting ${shlibpath_var} if the
-    library is relocated])
-_LT_TAGDECL([], [hardcode_minus_L], [0],
-    [Set to "yes" if using the -LDIR flag during linking hardcodes DIR
-    into the resulting binary])
-_LT_TAGDECL([], [hardcode_shlibpath_var], [0],
-    [Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR
-    into the resulting binary])
-_LT_TAGDECL([], [hardcode_automatic], [0],
-    [Set to "yes" if building a shared library automatically hardcodes DIR
-    into the library and all subsequent libraries and executables linked
-    against it])
-_LT_TAGDECL([], [inherit_rpath], [0],
-    [Set to yes if linker adds runtime paths of dependent libraries
-    to runtime path list])
-_LT_TAGDECL([], [link_all_deplibs], [0],
-    [Whether libtool must link a program against all its dependency libraries])
-_LT_TAGDECL([], [always_export_symbols], [0],
-    [Set to "yes" if exported symbols are required])
-_LT_TAGDECL([], [export_symbols_cmds], [2],
-    [The commands to list exported symbols])
-_LT_TAGDECL([], [exclude_expsyms], [1],
-    [Symbols that should not be listed in the preloaded symbols])
-_LT_TAGDECL([], [include_expsyms], [1],
-    [Symbols that must always be exported])
-_LT_TAGDECL([], [prelink_cmds], [2],
-    [Commands necessary for linking programs (against libraries) with templates])
-_LT_TAGDECL([], [postlink_cmds], [2],
-    [Commands necessary for finishing linking programs])
-_LT_TAGDECL([], [file_list_spec], [1],
-    [Specify filename containing input files])
-dnl FIXME: Not yet implemented
-dnl _LT_TAGDECL([], [thread_safe_flag_spec], [1],
-dnl    [Compiler flag to generate thread safe objects])
-])# _LT_LINKER_SHLIBS
-
-
-# _LT_LANG_C_CONFIG([TAG])
-# ------------------------
-# Ensure that the configuration variables for a C compiler are suitably
-# defined.  These variables are subsequently used by _LT_CONFIG to write
-# the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_C_CONFIG],
-[m4_require([_LT_DECL_EGREP])dnl
-lt_save_CC="$CC"
-AC_LANG_PUSH(C)
-
-# Source file extension for C test sources.
-ac_ext=c
-
-# Object file extension for compiled C test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}'
-
-_LT_TAG_COMPILER
-# Save the default compiler, since it gets overwritten when the other
-# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP.
-compiler_DEFAULT=$CC
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-## CAVEAT EMPTOR:
-## There is no encapsulation within the following macros, do not change
-## the running order or otherwise move them around unless you know exactly
-## what you are doing...
-if test -n "$compiler"; then
-  _LT_COMPILER_NO_RTTI($1)
-  _LT_COMPILER_PIC($1)
-  _LT_COMPILER_C_O($1)
-  _LT_COMPILER_FILE_LOCKS($1)
-  _LT_LINKER_SHLIBS($1)
-  _LT_SYS_DYNAMIC_LINKER($1)
-  _LT_LINKER_HARDCODE_LIBPATH($1)
-  LT_SYS_DLOPEN_SELF
-  _LT_CMD_STRIPLIB
-
-  # Report which library types will actually be built
-  AC_MSG_CHECKING([if libtool supports shared libraries])
-  AC_MSG_RESULT([$can_build_shared])
-
-  AC_MSG_CHECKING([whether to build shared libraries])
-  test "$can_build_shared" = "no" && enable_shared=no
-
-  # On AIX, shared libraries and static libraries use the same namespace, and
-  # are all built from PIC.
-  case $host_os in
-  aix3*)
-    test "$enable_shared" = yes && enable_static=no
-    if test -n "$RANLIB"; then
-      archive_cmds="$archive_cmds~\$RANLIB \$lib"
-      postinstall_cmds='$RANLIB $lib'
-    fi
-    ;;
-
-  aix[[4-9]]*)
-    if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-      test "$enable_shared" = yes && enable_static=no
-    fi
-    ;;
-  esac
-  AC_MSG_RESULT([$enable_shared])
-
-  AC_MSG_CHECKING([whether to build static libraries])
-  # Make sure either enable_shared or enable_static is yes.
-  test "$enable_shared" = yes || enable_static=yes
-  AC_MSG_RESULT([$enable_static])
-
-  _LT_CONFIG($1)
-fi
-AC_LANG_POP
-CC="$lt_save_CC"
-])# _LT_LANG_C_CONFIG
-
-
-# _LT_LANG_CXX_CONFIG([TAG])
-# --------------------------
-# Ensure that the configuration variables for a C++ compiler are suitably
-# defined.  These variables are subsequently used by _LT_CONFIG to write
-# the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_CXX_CONFIG],
-[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-m4_require([_LT_DECL_EGREP])dnl
-m4_require([_LT_PATH_MANIFEST_TOOL])dnl
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
-    (test "X$CXX" != "Xg++"))) ; then
-  AC_PROG_CXXCPP
-else
-  _lt_caught_CXX_error=yes
-fi
-
-AC_LANG_PUSH(C++)
-_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_TAGVAR(allow_undefined_flag, $1)=
-_LT_TAGVAR(always_export_symbols, $1)=no
-_LT_TAGVAR(archive_expsym_cmds, $1)=
-_LT_TAGVAR(compiler_needs_object, $1)=no
-_LT_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_TAGVAR(hardcode_direct, $1)=no
-_LT_TAGVAR(hardcode_direct_absolute, $1)=no
-_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_TAGVAR(hardcode_minus_L, $1)=no
-_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
-_LT_TAGVAR(hardcode_automatic, $1)=no
-_LT_TAGVAR(inherit_rpath, $1)=no
-_LT_TAGVAR(module_cmds, $1)=
-_LT_TAGVAR(module_expsym_cmds, $1)=
-_LT_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_TAGVAR(reload_flag, $1)=$reload_flag
-_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
-_LT_TAGVAR(no_undefined_flag, $1)=
-_LT_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Source file extension for C++ test sources.
-ac_ext=cpp
-
-# Object file extension for compiled C++ test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# No sense in running all these tests if we already determined that
-# the CXX compiler isn't working.  Some variables (like enable_shared)
-# are currently assumed to apply to all compilers on this platform,
-# and will be corrupted by setting them based on a non-working compiler.
-if test "$_lt_caught_CXX_error" != yes; then
-  # Code to be used in simple compile tests
-  lt_simple_compile_test_code="int some_variable = 0;"
-
-  # Code to be used in simple link tests
-  lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
-
-  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
-  _LT_TAG_COMPILER
-
-  # save warnings/boilerplate of simple test code
-  _LT_COMPILER_BOILERPLATE
-  _LT_LINKER_BOILERPLATE
-
-  # Allow CC to be a program name with arguments.
-  lt_save_CC=$CC
-  lt_save_CFLAGS=$CFLAGS
-  lt_save_LD=$LD
-  lt_save_GCC=$GCC
-  GCC=$GXX
-  lt_save_with_gnu_ld=$with_gnu_ld
-  lt_save_path_LD=$lt_cv_path_LD
-  if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
-    lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
-  else
-    $as_unset lt_cv_prog_gnu_ld
-  fi
-  if test -n "${lt_cv_path_LDCXX+set}"; then
-    lt_cv_path_LD=$lt_cv_path_LDCXX
-  else
-    $as_unset lt_cv_path_LD
-  fi
-  test -z "${LDCXX+set}" || LD=$LDCXX
-  CC=${CXX-"c++"}
-  CFLAGS=$CXXFLAGS
-  compiler=$CC
-  _LT_TAGVAR(compiler, $1)=$CC
-  _LT_CC_BASENAME([$compiler])
-
-  if test -n "$compiler"; then
-    # We don't want -fno-exception when compiling C++ code, so set the
-    # no_builtin_flag separately
-    if test "$GXX" = yes; then
-      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
-    else
-      _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
-    fi
-
-    if test "$GXX" = yes; then
-      # Set up default GNU C++ configuration
-
-      LT_PATH_LD
-
-      # Check if GNU C++ uses GNU ld as the underlying linker, since the
-      # archiving commands below assume that GNU ld is being used.
-      if test "$with_gnu_ld" = yes; then
-        _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-        _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-
-        # If archive_cmds runs LD, not CC, wlarc should be empty
-        # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
-        #     investigate it a little bit more. (MM)
-        wlarc='${wl}'
-
-        # ancient GNU ld didn't support --whole-archive et. al.
-        if eval "`$CC -print-prog-name=ld` --help 2>&1" |
-	  $GREP 'no-whole-archive' > /dev/null; then
-          _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-        else
-          _LT_TAGVAR(whole_archive_flag_spec, $1)=
-        fi
-      else
-        with_gnu_ld=no
-        wlarc=
-
-        # A generic and very simple default shared library creation
-        # command for GNU C++ for the case where it uses the native
-        # linker, instead of GNU ld.  If possible, this setting should
-        # overridden to take advantage of the native linker features on
-        # the platform it is being used on.
-        _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-      fi
-
-      # Commands to make compiler produce verbose output that lists
-      # what "hidden" libraries, object files and flags are used when
-      # linking a shared library.
-      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
-
-    else
-      GXX=no
-      with_gnu_ld=no
-      wlarc=
-    fi
-
-    # PORTME: fill in a description of your system's C++ link characteristics
-    AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-    _LT_TAGVAR(ld_shlibs, $1)=yes
-    case $host_os in
-      aix3*)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-      aix[[4-9]]*)
-        if test "$host_cpu" = ia64; then
-          # On IA64, the linker does run time linking by default, so we don't
-          # have to do anything special.
-          aix_use_runtimelinking=no
-          exp_sym_flag='-Bexport'
-          no_entry_flag=""
-        else
-          aix_use_runtimelinking=no
-
-          # Test if we are trying to use run time linking or normal
-          # AIX style linking. If -brtl is somewhere in LDFLAGS, we
-          # need to do runtime linking.
-          case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
-	    for ld_flag in $LDFLAGS; do
-	      case $ld_flag in
-	      *-brtl*)
-	        aix_use_runtimelinking=yes
-	        break
-	        ;;
-	      esac
-	    done
-	    ;;
-          esac
-
-          exp_sym_flag='-bexport'
-          no_entry_flag='-bnoentry'
-        fi
-
-        # When large executables or shared objects are built, AIX ld can
-        # have problems creating the table of contents.  If linking a library
-        # or program results in "error TOC overflow" add -mminimal-toc to
-        # CXXFLAGS/CFLAGS for g++/gcc.  In the cases where that is not
-        # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
-        _LT_TAGVAR(archive_cmds, $1)=''
-        _LT_TAGVAR(hardcode_direct, $1)=yes
-        _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-        _LT_TAGVAR(hardcode_libdir_separator, $1)=':'
-        _LT_TAGVAR(link_all_deplibs, $1)=yes
-        _LT_TAGVAR(file_list_spec, $1)='${wl}-f,'
-
-        if test "$GXX" = yes; then
-          case $host_os in aix4.[[012]]|aix4.[[012]].*)
-          # We only want to do this on AIX 4.2 and lower, the check
-          # below for broken collect2 doesn't work under 4.3+
-	  collect2name=`${CC} -print-prog-name=collect2`
-	  if test -f "$collect2name" &&
-	     strings "$collect2name" | $GREP resolve_lib_name >/dev/null
-	  then
-	    # We have reworked collect2
-	    :
-	  else
-	    # We have old collect2
-	    _LT_TAGVAR(hardcode_direct, $1)=unsupported
-	    # It fails to find uninstalled libraries when the uninstalled
-	    # path is not listed in the libpath.  Setting hardcode_minus_L
-	    # to unsupported forces relinking
-	    _LT_TAGVAR(hardcode_minus_L, $1)=yes
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-	    _LT_TAGVAR(hardcode_libdir_separator, $1)=
-	  fi
-          esac
-          shared_flag='-shared'
-	  if test "$aix_use_runtimelinking" = yes; then
-	    shared_flag="$shared_flag "'${wl}-G'
-	  fi
-        else
-          # not using gcc
-          if test "$host_cpu" = ia64; then
-	  # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
-	  # chokes on -Wl,-G. The following line is correct:
-	  shared_flag='-G'
-          else
-	    if test "$aix_use_runtimelinking" = yes; then
-	      shared_flag='${wl}-G'
-	    else
-	      shared_flag='${wl}-bM:SRE'
-	    fi
-          fi
-        fi
-
-        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall'
-        # It seems that -bexpall does not export symbols beginning with
-        # underscore (_), so it is better to generate a list of symbols to
-	# export.
-        _LT_TAGVAR(always_export_symbols, $1)=yes
-        if test "$aix_use_runtimelinking" = yes; then
-          # Warning - without using the other runtime loading flags (-brtl),
-          # -berok will link without error, but may produce a broken library.
-          _LT_TAGVAR(allow_undefined_flag, $1)='-berok'
-          # Determine the default libpath from the value encoded in an empty
-          # executable.
-          _LT_SYS_MODULE_PATH_AIX([$1])
-          _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-
-          _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
-        else
-          if test "$host_cpu" = ia64; then
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
-	    _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	    _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
-          else
-	    # Determine the default libpath from the value encoded in an
-	    # empty executable.
-	    _LT_SYS_MODULE_PATH_AIX([$1])
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	    # Warning - without using the other run time loading flags,
-	    # -berok will link without error, but may produce a broken library.
-	    _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
-	    _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	    if test "$with_gnu_ld" = yes; then
-	      # We only use this code for GNU lds that support --whole-archive.
-	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
-	    else
-	      # Exported symbols can be pulled into shared objects from archives
-	      _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
-	    fi
-	    _LT_TAGVAR(archive_cmds_need_lc, $1)=yes
-	    # This is similar to how AIX traditionally builds its shared
-	    # libraries.
-	    _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
-          fi
-        fi
-        ;;
-
-      beos*)
-	if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
-	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-	  # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
-	  # support --undefined.  This deserves some investigation.  FIXME
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	else
-	  _LT_TAGVAR(ld_shlibs, $1)=no
-	fi
-	;;
-
-      chorus*)
-        case $cc_basename in
-          *)
-	  # FIXME: insert proper C++ library support
-	  _LT_TAGVAR(ld_shlibs, $1)=no
-	  ;;
-        esac
-        ;;
-
-      cygwin* | mingw* | pw32* | cegcc*)
-	case $GXX,$cc_basename in
-	,cl* | no,cl*)
-	  # Native MSVC
-	  # hardcode_libdir_flag_spec is actually meaningless, as there is
-	  # no search path for DLLs.
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
-	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-	  _LT_TAGVAR(always_export_symbols, $1)=yes
-	  _LT_TAGVAR(file_list_spec, $1)='@'
-	  # Tell ltmain to make .lib files, not .a files.
-	  libext=lib
-	  # Tell ltmain to make .dll files, not .so files.
-	  shrext_cmds=".dll"
-	  # FIXME: Setting linknames here is a bad hack.
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames='
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	      $SED -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp;
-	    else
-	      $SED -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp;
-	    fi~
-	    $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~
-	    linknames='
-	  # The linker will not automatically build a static lib if we build a DLL.
-	  # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
-	  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-	  # Don't use ranlib
-	  _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
-	  _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~
-	    lt_tool_outputfile="@TOOL_OUTPUT@"~
-	    case $lt_outputfile in
-	      *.exe|*.EXE) ;;
-	      *)
-		lt_outputfile="$lt_outputfile.exe"
-		lt_tool_outputfile="$lt_tool_outputfile.exe"
-		;;
-	    esac~
-	    func_to_tool_file "$lt_outputfile"~
-	    if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then
-	      $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1;
-	      $RM "$lt_outputfile.manifest";
-	    fi'
-	  ;;
-	*)
-	  # g++
-	  # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
-	  # as there is no search path for DLLs.
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-	  _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols'
-	  _LT_TAGVAR(allow_undefined_flag, $1)=unsupported
-	  _LT_TAGVAR(always_export_symbols, $1)=no
-	  _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-
-	  if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	    # If the export-symbols file already is a .def file (1st line
-	    # is EXPORTS), use it as is; otherwise, prepend...
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
-	      cp $export_symbols $output_objdir/$soname.def;
-	    else
-	      echo EXPORTS > $output_objdir/$soname.def;
-	      cat $export_symbols >> $output_objdir/$soname.def;
-	    fi~
-	    $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
-	  else
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	  fi
-	  ;;
-	esac
-	;;
-      darwin* | rhapsody*)
-        _LT_DARWIN_LINKER_FEATURES($1)
-	;;
-
-      dgux*)
-        case $cc_basename in
-          ec++*)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          ghcx*)
-	    # Green Hills C++ Compiler
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          *)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-        esac
-        ;;
-
-      freebsd2.*)
-        # C++ shared libraries reported to be fairly broken before
-	# switch to ELF
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-
-      freebsd-elf*)
-        _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-        ;;
-
-      freebsd* | dragonfly*)
-        # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
-        # conventions
-        _LT_TAGVAR(ld_shlibs, $1)=yes
-        ;;
-
-      gnu*)
-        ;;
-
-      haiku*)
-        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-        _LT_TAGVAR(link_all_deplibs, $1)=yes
-        ;;
-
-      hpux9*)
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-        _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-        _LT_TAGVAR(hardcode_direct, $1)=yes
-        _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-				             # but as the default
-				             # location of the library.
-
-        case $cc_basename in
-          CC*)
-            # FIXME: insert proper C++ library support
-            _LT_TAGVAR(ld_shlibs, $1)=no
-            ;;
-          aCC*)
-            _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-            # Commands to make compiler produce verbose output that lists
-            # what "hidden" libraries, object files and flags are used when
-            # linking a shared library.
-            #
-            # There doesn't appear to be a way to prevent this compiler from
-            # explicitly linking system object files so we need to strip them
-            # from the output so that they don't get included in the library
-            # dependencies.
-            output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
-            ;;
-          *)
-            if test "$GXX" = yes; then
-              _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
-            else
-              # FIXME: insert proper C++ library support
-              _LT_TAGVAR(ld_shlibs, $1)=no
-            fi
-            ;;
-        esac
-        ;;
-
-      hpux10*|hpux11*)
-        if test $with_gnu_ld = no; then
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	  _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-          case $host_cpu in
-            hppa*64*|ia64*)
-              ;;
-            *)
-	      _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-              ;;
-          esac
-        fi
-        case $host_cpu in
-          hppa*64*|ia64*)
-            _LT_TAGVAR(hardcode_direct, $1)=no
-            _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-            ;;
-          *)
-            _LT_TAGVAR(hardcode_direct, $1)=yes
-            _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-            _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-					         # but as the default
-					         # location of the library.
-            ;;
-        esac
-
-        case $cc_basename in
-          CC*)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          aCC*)
-	    case $host_cpu in
-	      hppa*64*)
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	        ;;
-	      ia64*)
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	        ;;
-	      *)
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	        ;;
-	    esac
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    #
-	    # There doesn't appear to be a way to prevent this compiler from
-	    # explicitly linking system object files so we need to strip them
-	    # from the output so that they don't get included in the library
-	    # dependencies.
-	    output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
-	    ;;
-          *)
-	    if test "$GXX" = yes; then
-	      if test $with_gnu_ld = no; then
-	        case $host_cpu in
-	          hppa*64*)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	            ;;
-	          ia64*)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	            ;;
-	          *)
-	            _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	            ;;
-	        esac
-	      fi
-	    else
-	      # FIXME: insert proper C++ library support
-	      _LT_TAGVAR(ld_shlibs, $1)=no
-	    fi
-	    ;;
-        esac
-        ;;
-
-      interix[[3-9]]*)
-	_LT_TAGVAR(hardcode_direct, $1)=no
-	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	# Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
-	# Instead, shared libraries are loaded at an image base (0x10000000 by
-	# default) and relocated if they conflict, which is a slow very memory
-	# consuming and fragmenting process.  To avoid this, we pick a random,
-	# 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
-	# time.  Moving up from 0x10000000 also allows more sbrk(2) space.
-	_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-	_LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
-	;;
-      irix5* | irix6*)
-        case $cc_basename in
-          CC*)
-	    # SGI C++
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
-
-	    # Archives containing C++ object files must be created using
-	    # "CC -ar", where "CC" is the IRIX C++ compiler.  This is
-	    # necessary to make sure instantiated templates are included
-	    # in the archive.
-	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
-	    ;;
-          *)
-	    if test "$GXX" = yes; then
-	      if test "$with_gnu_ld" = no; then
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-	      else
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` -o $lib'
-	      fi
-	    fi
-	    _LT_TAGVAR(link_all_deplibs, $1)=yes
-	    ;;
-        esac
-        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-        _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-        _LT_TAGVAR(inherit_rpath, $1)=yes
-        ;;
-
-      linux* | k*bsd*-gnu | kopensolaris*-gnu)
-        case $cc_basename in
-          KCC*)
-	    # Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	    # KCC will only create a shared library if the output file
-	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
-	    # to its proper name (with version) after linking.
-	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    #
-	    # There doesn't appear to be a way to prevent this compiler from
-	    # explicitly linking system object files so we need to strip them
-	    # from the output so that they don't get included in the library
-	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
-
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-
-	    # Archives containing C++ object files must be created using
-	    # "CC -Bstatic", where "CC" is the KAI C++ compiler.
-	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
-	    ;;
-	  icpc* | ecpc* )
-	    # Intel C++
-	    with_gnu_ld=yes
-	    # version 8.0 and above of icpc choke on multiply defined symbols
-	    # if we add $predep_objects and $postdep_objects, however 7.1 and
-	    # earlier do not add the objects themselves.
-	    case `$CC -V 2>&1` in
-	      *"Version 7."*)
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-		;;
-	      *)  # Version 8.0 or newer
-	        tmp_idyn=
-	        case $host_cpu in
-		  ia64*) tmp_idyn=' -i_dynamic';;
-		esac
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-		_LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-		;;
-	    esac
-	    _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
-	    ;;
-          pgCC* | pgcpp*)
-            # Portland Group C++ compiler
-	    case `$CC -V` in
-	    *pgCC\ [[1-5]].* | *pgcpp\ [[1-5]].*)
-	      _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
-		rm -rf $tpldir~
-		$CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
-		compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
-	      _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
-		rm -rf $tpldir~
-		$CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
-		$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
-		$RANLIB $oldlib'
-	      _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
-		rm -rf $tpldir~
-		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
-		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
-	      _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
-		rm -rf $tpldir~
-		$CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
-		$CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
-	      ;;
-	    *) # Version 6 and above use weak symbols
-	      _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
-	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
-	      ;;
-	    esac
-
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
-            ;;
-	  cxx*)
-	    # Compaq C++
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
-
-	    runpath_var=LD_RUN_PATH
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    #
-	    # There doesn't appear to be a way to prevent this compiler from
-	    # explicitly linking system object files so we need to strip them
-	    # from the output so that they don't get included in the library
-	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "X$list" | $Xsed'
-	    ;;
-	  xl* | mpixl* | bgxl*)
-	    # IBM XL 8.0 on PPC, with GNU ld
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	    if test "x$supports_anon_versioning" = xyes; then
-	      _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
-		cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-		echo "local: *; };" >> $output_objdir/$libname.ver~
-		$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-	    fi
-	    ;;
-	  *)
-	    case `$CC -V 2>&1 | sed 5q` in
-	    *Sun\ C*)
-	      # Sun C++ 5.9
-	      _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	      _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	      _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
-	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	      _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive'
-	      _LT_TAGVAR(compiler_needs_object, $1)=yes
-
-	      # Not sure whether something based on
-	      # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
-	      # would be better.
-	      output_verbose_link_cmd='func_echo_all'
-
-	      # Archives containing C++ object files must be created using
-	      # "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	      # necessary to make sure instantiated templates are included
-	      # in the archive.
-	      _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
-	      ;;
-	    esac
-	    ;;
-	esac
-	;;
-
-      lynxos*)
-        # FIXME: insert proper C++ library support
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	;;
-
-      m88k*)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-	;;
-
-      mvs*)
-        case $cc_basename in
-          cxx*)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-	  *)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-	esac
-	;;
-
-      netbsd*)
-        if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
-	  _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable  -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
-	  wlarc=
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	  _LT_TAGVAR(hardcode_direct, $1)=yes
-	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	fi
-	# Workaround some broken pre-1.5 toolchains
-	output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
-	;;
-
-      *nto* | *qnx*)
-        _LT_TAGVAR(ld_shlibs, $1)=yes
-	;;
-
-      openbsd2*)
-        # C++ shared libraries are fairly broken
-	_LT_TAGVAR(ld_shlibs, $1)=no
-	;;
-
-      openbsd*)
-	if test -f /usr/libexec/ld.so; then
-	  _LT_TAGVAR(hardcode_direct, $1)=yes
-	  _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	  _LT_TAGVAR(hardcode_direct_absolute, $1)=yes
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	  if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-	    _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-	    _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-	  fi
-	  output_verbose_link_cmd=func_echo_all
-	else
-	  _LT_TAGVAR(ld_shlibs, $1)=no
-	fi
-	;;
-
-      osf3* | osf4* | osf5*)
-        case $cc_basename in
-          KCC*)
-	    # Kuck and Associates, Inc. (KAI) C++ Compiler
-
-	    # KCC will only create a shared library if the output file
-	    # ends with ".so" (or ".sl" for HP-UX), so rename the library
-	    # to its proper name (with version) after linking.
-	    _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo "$lib" | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	    # Archives containing C++ object files must be created using
-	    # the KAI C++ compiler.
-	    case $host in
-	      osf3*) _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;;
-	      *) _LT_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' ;;
-	    esac
-	    ;;
-          RCC*)
-	    # Rational C++ 2.4.1
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          cxx*)
-	    case $host in
-	      osf3*)
-	        _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && func_echo_all "${wl}-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
-	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-		;;
-	      *)
-	        _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib'
-	        _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
-	          echo "-hidden">> $lib.exp~
-	          $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp  `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~
-	          $RM $lib.exp'
-	        _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
-		;;
-	    esac
-
-	    _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	    # Commands to make compiler produce verbose output that lists
-	    # what "hidden" libraries, object files and flags are used when
-	    # linking a shared library.
-	    #
-	    # There doesn't appear to be a way to prevent this compiler from
-	    # explicitly linking system object files so we need to strip them
-	    # from the output so that they don't get included in the library
-	    # dependencies.
-	    output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"'
-	    ;;
-	  *)
-	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	      _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	      case $host in
-	        osf3*)
-	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-		  ;;
-	        *)
-	          _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
-		  ;;
-	      esac
-
-	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
-	      _LT_TAGVAR(hardcode_libdir_separator, $1)=:
-
-	      # Commands to make compiler produce verbose output that lists
-	      # what "hidden" libraries, object files and flags are used when
-	      # linking a shared library.
-	      output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
-
-	    else
-	      # FIXME: insert proper C++ library support
-	      _LT_TAGVAR(ld_shlibs, $1)=no
-	    fi
-	    ;;
-        esac
-        ;;
-
-      psos*)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-
-      sunos4*)
-        case $cc_basename in
-          CC*)
-	    # Sun C++ 4.x
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          lcc*)
-	    # Lucid
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          *)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-        esac
-        ;;
-
-      solaris*)
-        case $cc_basename in
-          CC* | sunCC*)
-	    # Sun C++ 4.2, 5.x and Centerline C++
-            _LT_TAGVAR(archive_cmds_need_lc,$1)=yes
-	    _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-	      $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
-
-	    _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	    _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	    case $host_os in
-	      solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-	      *)
-		# The compiler driver will combine and reorder linker options,
-		# but understands `-z linker_flag'.
-	        # Supported since Solaris 2.6 (maybe 2.5.1?)
-		_LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
-	        ;;
-	    esac
-	    _LT_TAGVAR(link_all_deplibs, $1)=yes
-
-	    output_verbose_link_cmd='func_echo_all'
-
-	    # Archives containing C++ object files must be created using
-	    # "CC -xar", where "CC" is the Sun C++ compiler.  This is
-	    # necessary to make sure instantiated templates are included
-	    # in the archive.
-	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
-	    ;;
-          gcx*)
-	    # Green Hills C++ Compiler
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-
-	    # The C++ compiler must be used to create the archive.
-	    _LT_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
-	    ;;
-          *)
-	    # GNU C++ compiler with Solaris linker
-	    if test "$GXX" = yes && test "$with_gnu_ld" = no; then
-	      _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
-	      if $CC --version | $GREP -v '^2\.7' > /dev/null; then
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-		  $CC -shared $pic_flag -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
-
-	        # Commands to make compiler produce verbose output that lists
-	        # what "hidden" libraries, object files and flags are used when
-	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
-	      else
-	        # g++ 2.7 appears to require `-G' NOT `-shared' on this
-	        # platform.
-	        _LT_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-	        _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~
-		  $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp'
-
-	        # Commands to make compiler produce verbose output that lists
-	        # what "hidden" libraries, object files and flags are used when
-	        # linking a shared library.
-	        output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"'
-	      fi
-
-	      _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
-	      case $host_os in
-		solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-		*)
-		  _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
-		  ;;
-	      esac
-	    fi
-	    ;;
-        esac
-        ;;
-
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
-      _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-      _LT_TAGVAR(archive_cmds_need_lc, $1)=no
-      _LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-      runpath_var='LD_RUN_PATH'
-
-      case $cc_basename in
-        CC*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-	*)
-	  _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	  ;;
-      esac
-      ;;
-
-      sysv5* | sco3.2v5* | sco5v6*)
-	# Note: We can NOT use -z defs as we might desire, because we do not
-	# link with -lc, and that would cause any symbols used from libc to
-	# always be unresolved, which means just about no library would
-	# ever link correctly.  If we're not using GNU ld we use -z text
-	# though, which does catch some bad symbols but isn't as heavy-handed
-	# as -z defs.
-	_LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
-	_LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
-	_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-	_LT_TAGVAR(hardcode_shlibpath_var, $1)=no
-	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir'
-	_LT_TAGVAR(hardcode_libdir_separator, $1)=':'
-	_LT_TAGVAR(link_all_deplibs, $1)=yes
-	_LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-	runpath_var='LD_RUN_PATH'
-
-	case $cc_basename in
-          CC*)
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	    _LT_TAGVAR(old_archive_cmds, $1)='$CC -Tprelink_objects $oldobjs~
-	      '"$_LT_TAGVAR(old_archive_cmds, $1)"
-	    _LT_TAGVAR(reload_cmds, $1)='$CC -Tprelink_objects $reload_objs~
-	      '"$_LT_TAGVAR(reload_cmds, $1)"
-	    ;;
-	  *)
-	    _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	    _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
-	    ;;
-	esac
-      ;;
-
-      tandem*)
-        case $cc_basename in
-          NCC*)
-	    # NonStop-UX NCC 3.20
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-          *)
-	    # FIXME: insert proper C++ library support
-	    _LT_TAGVAR(ld_shlibs, $1)=no
-	    ;;
-        esac
-        ;;
-
-      vxworks*)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-
-      *)
-        # FIXME: insert proper C++ library support
-        _LT_TAGVAR(ld_shlibs, $1)=no
-        ;;
-    esac
-
-    AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)])
-    test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
-    _LT_TAGVAR(GCC, $1)="$GXX"
-    _LT_TAGVAR(LD, $1)="$LD"
-
-    ## CAVEAT EMPTOR:
-    ## There is no encapsulation within the following macros, do not change
-    ## the running order or otherwise move them around unless you know exactly
-    ## what you are doing...
-    _LT_SYS_HIDDEN_LIBDEPS($1)
-    _LT_COMPILER_PIC($1)
-    _LT_COMPILER_C_O($1)
-    _LT_COMPILER_FILE_LOCKS($1)
-    _LT_LINKER_SHLIBS($1)
-    _LT_SYS_DYNAMIC_LINKER($1)
-    _LT_LINKER_HARDCODE_LIBPATH($1)
-
-    _LT_CONFIG($1)
-  fi # test -n "$compiler"
-
-  CC=$lt_save_CC
-  CFLAGS=$lt_save_CFLAGS
-  LDCXX=$LD
-  LD=$lt_save_LD
-  GCC=$lt_save_GCC
-  with_gnu_ld=$lt_save_with_gnu_ld
-  lt_cv_path_LDCXX=$lt_cv_path_LD
-  lt_cv_path_LD=$lt_save_path_LD
-  lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
-  lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
-fi # test "$_lt_caught_CXX_error" != yes
-
-AC_LANG_POP
-])# _LT_LANG_CXX_CONFIG
-
-
-# _LT_FUNC_STRIPNAME_CNF
-# ----------------------
-# func_stripname_cnf prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-#
-# This function is identical to the (non-XSI) version of func_stripname,
-# except this one can be used by m4 code that may be executed by configure,
-# rather than the libtool script.
-m4_defun([_LT_FUNC_STRIPNAME_CNF],[dnl
-AC_REQUIRE([_LT_DECL_SED])
-AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])
-func_stripname_cnf ()
-{
-  case ${2} in
-  .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;;
-  *)  func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;;
-  esac
-} # func_stripname_cnf
-])# _LT_FUNC_STRIPNAME_CNF
-
-# _LT_SYS_HIDDEN_LIBDEPS([TAGNAME])
-# ---------------------------------
-# Figure out "hidden" library dependencies from verbose
-# compiler output when linking a shared library.
-# Parse the compiler output and extract the necessary
-# objects, libraries and library flags.
-m4_defun([_LT_SYS_HIDDEN_LIBDEPS],
-[m4_require([_LT_FILEUTILS_DEFAULTS])dnl
-AC_REQUIRE([_LT_FUNC_STRIPNAME_CNF])dnl
-# Dependencies to place before and after the object being linked:
-_LT_TAGVAR(predep_objects, $1)=
-_LT_TAGVAR(postdep_objects, $1)=
-_LT_TAGVAR(predeps, $1)=
-_LT_TAGVAR(postdeps, $1)=
-_LT_TAGVAR(compiler_lib_search_path, $1)=
-
-dnl we can't use the lt_simple_compile_test_code here,
-dnl because it contains code intended for an executable,
-dnl not a library.  It's possible we should let each
-dnl tag define a new lt_????_link_test_code variable,
-dnl but it's only used here...
-m4_if([$1], [], [cat > conftest.$ac_ext <<_LT_EOF
-int a;
-void foo (void) { a = 0; }
-_LT_EOF
-], [$1], [CXX], [cat > conftest.$ac_ext <<_LT_EOF
-class Foo
-{
-public:
-  Foo (void) { a = 0; }
-private:
-  int a;
-};
-_LT_EOF
-], [$1], [F77], [cat > conftest.$ac_ext <<_LT_EOF
-      subroutine foo
-      implicit none
-      integer*4 a
-      a=0
-      return
-      end
-_LT_EOF
-], [$1], [FC], [cat > conftest.$ac_ext <<_LT_EOF
-      subroutine foo
-      implicit none
-      integer a
-      a=0
-      return
-      end
-_LT_EOF
-], [$1], [GCJ], [cat > conftest.$ac_ext <<_LT_EOF
-public class foo {
-  private int a;
-  public void bar (void) {
-    a = 0;
-  }
-};
-_LT_EOF
-], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF
-package foo
-func foo() {
-}
-_LT_EOF
-])
-
-_lt_libdeps_save_CFLAGS=$CFLAGS
-case "$CC $CFLAGS " in #(
-*\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;;
-*\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;;
-*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;;
-esac
-
-dnl Parse the compiler output and extract the necessary
-dnl objects, libraries and library flags.
-if AC_TRY_EVAL(ac_compile); then
-  # Parse the compiler output and extract the necessary
-  # objects, libraries and library flags.
-
-  # Sentinel used to keep track of whether or not we are before
-  # the conftest object file.
-  pre_test_object_deps_done=no
-
-  for p in `eval "$output_verbose_link_cmd"`; do
-    case ${prev}${p} in
-
-    -L* | -R* | -l*)
-       # Some compilers place space between "-{L,R}" and the path.
-       # Remove the space.
-       if test $p = "-L" ||
-          test $p = "-R"; then
-	 prev=$p
-	 continue
-       fi
-
-       # Expand the sysroot to ease extracting the directories later.
-       if test -z "$prev"; then
-         case $p in
-         -L*) func_stripname_cnf '-L' '' "$p"; prev=-L; p=$func_stripname_result ;;
-         -R*) func_stripname_cnf '-R' '' "$p"; prev=-R; p=$func_stripname_result ;;
-         -l*) func_stripname_cnf '-l' '' "$p"; prev=-l; p=$func_stripname_result ;;
-         esac
-       fi
-       case $p in
-       =*) func_stripname_cnf '=' '' "$p"; p=$lt_sysroot$func_stripname_result ;;
-       esac
-       if test "$pre_test_object_deps_done" = no; then
-	 case ${prev} in
-	 -L | -R)
-	   # Internal compiler library paths should come after those
-	   # provided the user.  The postdeps already come after the
-	   # user supplied libs so there is no need to process them.
-	   if test -z "$_LT_TAGVAR(compiler_lib_search_path, $1)"; then
-	     _LT_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
-	   else
-	     _LT_TAGVAR(compiler_lib_search_path, $1)="${_LT_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
-	   fi
-	   ;;
-	 # The "-l" case would never come before the object being
-	 # linked, so don't bother handling this case.
-	 esac
-       else
-	 if test -z "$_LT_TAGVAR(postdeps, $1)"; then
-	   _LT_TAGVAR(postdeps, $1)="${prev}${p}"
-	 else
-	   _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}"
-	 fi
-       fi
-       prev=
-       ;;
-
-    *.lto.$objext) ;; # Ignore GCC LTO objects
-    *.$objext)
-       # This assumes that the test object file only shows up
-       # once in the compiler output.
-       if test "$p" = "conftest.$objext"; then
-	 pre_test_object_deps_done=yes
-	 continue
-       fi
-
-       if test "$pre_test_object_deps_done" = no; then
-	 if test -z "$_LT_TAGVAR(predep_objects, $1)"; then
-	   _LT_TAGVAR(predep_objects, $1)="$p"
-	 else
-	   _LT_TAGVAR(predep_objects, $1)="$_LT_TAGVAR(predep_objects, $1) $p"
-	 fi
-       else
-	 if test -z "$_LT_TAGVAR(postdep_objects, $1)"; then
-	   _LT_TAGVAR(postdep_objects, $1)="$p"
-	 else
-	   _LT_TAGVAR(postdep_objects, $1)="$_LT_TAGVAR(postdep_objects, $1) $p"
-	 fi
-       fi
-       ;;
-
-    *) ;; # Ignore the rest.
-
-    esac
-  done
-
-  # Clean up.
-  rm -f a.out a.exe
-else
-  echo "libtool.m4: error: problem compiling $1 test program"
-fi
-
-$RM -f confest.$objext
-CFLAGS=$_lt_libdeps_save_CFLAGS
-
-# PORTME: override above test on systems where it is broken
-m4_if([$1], [CXX],
-[case $host_os in
-interix[[3-9]]*)
-  # Interix 3.5 installs completely hosed .la files for C++, so rather than
-  # hack all around it, let's just trust "g++" to DTRT.
-  _LT_TAGVAR(predep_objects,$1)=
-  _LT_TAGVAR(postdep_objects,$1)=
-  _LT_TAGVAR(postdeps,$1)=
-  ;;
-
-linux*)
-  case `$CC -V 2>&1 | sed 5q` in
-  *Sun\ C*)
-    # Sun C++ 5.9
-
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
-
-    if test "$solaris_use_stlport4" != yes; then
-      _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
-
-solaris*)
-  case $cc_basename in
-  CC* | sunCC*)
-    # The more standards-conforming stlport4 library is
-    # incompatible with the Cstd library. Avoid specifying
-    # it if it's in CXXFLAGS. Ignore libCrun as
-    # -library=stlport4 depends on it.
-    case " $CXX $CXXFLAGS " in
-    *" -library=stlport4 "*)
-      solaris_use_stlport4=yes
-      ;;
-    esac
-
-    # Adding this requires a known-good setup of shared libraries for
-    # Sun compiler versions before 5.6, else PIC objects from an old
-    # archive will be linked into the output, leading to subtle bugs.
-    if test "$solaris_use_stlport4" != yes; then
-      _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
-    fi
-    ;;
-  esac
-  ;;
-esac
-])
-
-case " $_LT_TAGVAR(postdeps, $1) " in
-*" -lc "*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;;
-esac
- _LT_TAGVAR(compiler_lib_search_dirs, $1)=
-if test -n "${_LT_TAGVAR(compiler_lib_search_path, $1)}"; then
- _LT_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
-fi
-_LT_TAGDECL([], [compiler_lib_search_dirs], [1],
-    [The directories searched by this compiler when creating a shared library])
-_LT_TAGDECL([], [predep_objects], [1],
-    [Dependencies to place before and after the objects being linked to
-    create a shared library])
-_LT_TAGDECL([], [postdep_objects], [1])
-_LT_TAGDECL([], [predeps], [1])
-_LT_TAGDECL([], [postdeps], [1])
-_LT_TAGDECL([], [compiler_lib_search_path], [1],
-    [The library search path used internally by the compiler when linking
-    a shared library])
-])# _LT_SYS_HIDDEN_LIBDEPS
-
-
-# _LT_LANG_F77_CONFIG([TAG])
-# --------------------------
-# Ensure that the configuration variables for a Fortran 77 compiler are
-# suitably defined.  These variables are subsequently used by _LT_CONFIG
-# to write the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_F77_CONFIG],
-[AC_LANG_PUSH(Fortran 77)
-if test -z "$F77" || test "X$F77" = "Xno"; then
-  _lt_disable_F77=yes
-fi
-
-_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_TAGVAR(allow_undefined_flag, $1)=
-_LT_TAGVAR(always_export_symbols, $1)=no
-_LT_TAGVAR(archive_expsym_cmds, $1)=
-_LT_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_TAGVAR(hardcode_direct, $1)=no
-_LT_TAGVAR(hardcode_direct_absolute, $1)=no
-_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_TAGVAR(hardcode_minus_L, $1)=no
-_LT_TAGVAR(hardcode_automatic, $1)=no
-_LT_TAGVAR(inherit_rpath, $1)=no
-_LT_TAGVAR(module_cmds, $1)=
-_LT_TAGVAR(module_expsym_cmds, $1)=
-_LT_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_TAGVAR(reload_flag, $1)=$reload_flag
-_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
-_LT_TAGVAR(no_undefined_flag, $1)=
-_LT_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Source file extension for f77 test sources.
-ac_ext=f
-
-# Object file extension for compiled f77 test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# No sense in running all these tests if we already determined that
-# the F77 compiler isn't working.  Some variables (like enable_shared)
-# are currently assumed to apply to all compilers on this platform,
-# and will be corrupted by setting them based on a non-working compiler.
-if test "$_lt_disable_F77" != yes; then
-  # Code to be used in simple compile tests
-  lt_simple_compile_test_code="\
-      subroutine t
-      return
-      end
-"
-
-  # Code to be used in simple link tests
-  lt_simple_link_test_code="\
-      program t
-      end
-"
-
-  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
-  _LT_TAG_COMPILER
-
-  # save warnings/boilerplate of simple test code
-  _LT_COMPILER_BOILERPLATE
-  _LT_LINKER_BOILERPLATE
-
-  # Allow CC to be a program name with arguments.
-  lt_save_CC="$CC"
-  lt_save_GCC=$GCC
-  lt_save_CFLAGS=$CFLAGS
-  CC=${F77-"f77"}
-  CFLAGS=$FFLAGS
-  compiler=$CC
-  _LT_TAGVAR(compiler, $1)=$CC
-  _LT_CC_BASENAME([$compiler])
-  GCC=$G77
-  if test -n "$compiler"; then
-    AC_MSG_CHECKING([if libtool supports shared libraries])
-    AC_MSG_RESULT([$can_build_shared])
-
-    AC_MSG_CHECKING([whether to build shared libraries])
-    test "$can_build_shared" = "no" && enable_shared=no
-
-    # On AIX, shared libraries and static libraries use the same namespace, and
-    # are all built from PIC.
-    case $host_os in
-      aix3*)
-        test "$enable_shared" = yes && enable_static=no
-        if test -n "$RANLIB"; then
-          archive_cmds="$archive_cmds~\$RANLIB \$lib"
-          postinstall_cmds='$RANLIB $lib'
-        fi
-        ;;
-      aix[[4-9]]*)
-	if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-	  test "$enable_shared" = yes && enable_static=no
-	fi
-        ;;
-    esac
-    AC_MSG_RESULT([$enable_shared])
-
-    AC_MSG_CHECKING([whether to build static libraries])
-    # Make sure either enable_shared or enable_static is yes.
-    test "$enable_shared" = yes || enable_static=yes
-    AC_MSG_RESULT([$enable_static])
-
-    _LT_TAGVAR(GCC, $1)="$G77"
-    _LT_TAGVAR(LD, $1)="$LD"
-
-    ## CAVEAT EMPTOR:
-    ## There is no encapsulation within the following macros, do not change
-    ## the running order or otherwise move them around unless you know exactly
-    ## what you are doing...
-    _LT_COMPILER_PIC($1)
-    _LT_COMPILER_C_O($1)
-    _LT_COMPILER_FILE_LOCKS($1)
-    _LT_LINKER_SHLIBS($1)
-    _LT_SYS_DYNAMIC_LINKER($1)
-    _LT_LINKER_HARDCODE_LIBPATH($1)
-
-    _LT_CONFIG($1)
-  fi # test -n "$compiler"
-
-  GCC=$lt_save_GCC
-  CC="$lt_save_CC"
-  CFLAGS="$lt_save_CFLAGS"
-fi # test "$_lt_disable_F77" != yes
-
-AC_LANG_POP
-])# _LT_LANG_F77_CONFIG
-
-
-# _LT_LANG_FC_CONFIG([TAG])
-# -------------------------
-# Ensure that the configuration variables for a Fortran compiler are
-# suitably defined.  These variables are subsequently used by _LT_CONFIG
-# to write the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_FC_CONFIG],
-[AC_LANG_PUSH(Fortran)
-
-if test -z "$FC" || test "X$FC" = "Xno"; then
-  _lt_disable_FC=yes
-fi
-
-_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_TAGVAR(allow_undefined_flag, $1)=
-_LT_TAGVAR(always_export_symbols, $1)=no
-_LT_TAGVAR(archive_expsym_cmds, $1)=
-_LT_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_TAGVAR(hardcode_direct, $1)=no
-_LT_TAGVAR(hardcode_direct_absolute, $1)=no
-_LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_TAGVAR(hardcode_minus_L, $1)=no
-_LT_TAGVAR(hardcode_automatic, $1)=no
-_LT_TAGVAR(inherit_rpath, $1)=no
-_LT_TAGVAR(module_cmds, $1)=
-_LT_TAGVAR(module_expsym_cmds, $1)=
-_LT_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_TAGVAR(reload_flag, $1)=$reload_flag
-_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
-_LT_TAGVAR(no_undefined_flag, $1)=
-_LT_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Source file extension for fc test sources.
-ac_ext=${ac_fc_srcext-f}
-
-# Object file extension for compiled fc test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# No sense in running all these tests if we already determined that
-# the FC compiler isn't working.  Some variables (like enable_shared)
-# are currently assumed to apply to all compilers on this platform,
-# and will be corrupted by setting them based on a non-working compiler.
-if test "$_lt_disable_FC" != yes; then
-  # Code to be used in simple compile tests
-  lt_simple_compile_test_code="\
-      subroutine t
-      return
-      end
-"
-
-  # Code to be used in simple link tests
-  lt_simple_link_test_code="\
-      program t
-      end
-"
-
-  # ltmain only uses $CC for tagged configurations so make sure $CC is set.
-  _LT_TAG_COMPILER
-
-  # save warnings/boilerplate of simple test code
-  _LT_COMPILER_BOILERPLATE
-  _LT_LINKER_BOILERPLATE
-
-  # Allow CC to be a program name with arguments.
-  lt_save_CC="$CC"
-  lt_save_GCC=$GCC
-  lt_save_CFLAGS=$CFLAGS
-  CC=${FC-"f95"}
-  CFLAGS=$FCFLAGS
-  compiler=$CC
-  GCC=$ac_cv_fc_compiler_gnu
-
-  _LT_TAGVAR(compiler, $1)=$CC
-  _LT_CC_BASENAME([$compiler])
-
-  if test -n "$compiler"; then
-    AC_MSG_CHECKING([if libtool supports shared libraries])
-    AC_MSG_RESULT([$can_build_shared])
-
-    AC_MSG_CHECKING([whether to build shared libraries])
-    test "$can_build_shared" = "no" && enable_shared=no
-
-    # On AIX, shared libraries and static libraries use the same namespace, and
-    # are all built from PIC.
-    case $host_os in
-      aix3*)
-        test "$enable_shared" = yes && enable_static=no
-        if test -n "$RANLIB"; then
-          archive_cmds="$archive_cmds~\$RANLIB \$lib"
-          postinstall_cmds='$RANLIB $lib'
-        fi
-        ;;
-      aix[[4-9]]*)
-	if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
-	  test "$enable_shared" = yes && enable_static=no
-	fi
-        ;;
-    esac
-    AC_MSG_RESULT([$enable_shared])
-
-    AC_MSG_CHECKING([whether to build static libraries])
-    # Make sure either enable_shared or enable_static is yes.
-    test "$enable_shared" = yes || enable_static=yes
-    AC_MSG_RESULT([$enable_static])
-
-    _LT_TAGVAR(GCC, $1)="$ac_cv_fc_compiler_gnu"
-    _LT_TAGVAR(LD, $1)="$LD"
-
-    ## CAVEAT EMPTOR:
-    ## There is no encapsulation within the following macros, do not change
-    ## the running order or otherwise move them around unless you know exactly
-    ## what you are doing...
-    _LT_SYS_HIDDEN_LIBDEPS($1)
-    _LT_COMPILER_PIC($1)
-    _LT_COMPILER_C_O($1)
-    _LT_COMPILER_FILE_LOCKS($1)
-    _LT_LINKER_SHLIBS($1)
-    _LT_SYS_DYNAMIC_LINKER($1)
-    _LT_LINKER_HARDCODE_LIBPATH($1)
-
-    _LT_CONFIG($1)
-  fi # test -n "$compiler"
-
-  GCC=$lt_save_GCC
-  CC=$lt_save_CC
-  CFLAGS=$lt_save_CFLAGS
-fi # test "$_lt_disable_FC" != yes
-
-AC_LANG_POP
-])# _LT_LANG_FC_CONFIG
-
-
-# _LT_LANG_GCJ_CONFIG([TAG])
-# --------------------------
-# Ensure that the configuration variables for the GNU Java Compiler compiler
-# are suitably defined.  These variables are subsequently used by _LT_CONFIG
-# to write the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_GCJ_CONFIG],
-[AC_REQUIRE([LT_PROG_GCJ])dnl
-AC_LANG_SAVE
-
-# Source file extension for Java test sources.
-ac_ext=java
-
-# Object file extension for compiled Java test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_TAG_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC=$CC
-lt_save_CFLAGS=$CFLAGS
-lt_save_GCC=$GCC
-GCC=yes
-CC=${GCJ-"gcj"}
-CFLAGS=$GCJFLAGS
-compiler=$CC
-_LT_TAGVAR(compiler, $1)=$CC
-_LT_TAGVAR(LD, $1)="$LD"
-_LT_CC_BASENAME([$compiler])
-
-# GCJ did not exist at the time GCC didn't implicitly link libc in.
-_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-
-_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_TAGVAR(reload_flag, $1)=$reload_flag
-_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
-
-## CAVEAT EMPTOR:
-## There is no encapsulation within the following macros, do not change
-## the running order or otherwise move them around unless you know exactly
-## what you are doing...
-if test -n "$compiler"; then
-  _LT_COMPILER_NO_RTTI($1)
-  _LT_COMPILER_PIC($1)
-  _LT_COMPILER_C_O($1)
-  _LT_COMPILER_FILE_LOCKS($1)
-  _LT_LINKER_SHLIBS($1)
-  _LT_LINKER_HARDCODE_LIBPATH($1)
-
-  _LT_CONFIG($1)
-fi
-
-AC_LANG_RESTORE
-
-GCC=$lt_save_GCC
-CC=$lt_save_CC
-CFLAGS=$lt_save_CFLAGS
-])# _LT_LANG_GCJ_CONFIG
-
-
-# _LT_LANG_GO_CONFIG([TAG])
-# --------------------------
-# Ensure that the configuration variables for the GNU Go compiler
-# are suitably defined.  These variables are subsequently used by _LT_CONFIG
-# to write the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_GO_CONFIG],
-[AC_REQUIRE([LT_PROG_GO])dnl
-AC_LANG_SAVE
-
-# Source file extension for Go test sources.
-ac_ext=go
-
-# Object file extension for compiled Go test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="package main; func main() { }"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='package main; func main() { }'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_TAG_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC=$CC
-lt_save_CFLAGS=$CFLAGS
-lt_save_GCC=$GCC
-GCC=yes
-CC=${GOC-"gccgo"}
-CFLAGS=$GOFLAGS
-compiler=$CC
-_LT_TAGVAR(compiler, $1)=$CC
-_LT_TAGVAR(LD, $1)="$LD"
-_LT_CC_BASENAME([$compiler])
-
-# Go did not exist at the time GCC didn't implicitly link libc in.
-_LT_TAGVAR(archive_cmds_need_lc, $1)=no
-
-_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_TAGVAR(reload_flag, $1)=$reload_flag
-_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
-
-## CAVEAT EMPTOR:
-## There is no encapsulation within the following macros, do not change
-## the running order or otherwise move them around unless you know exactly
-## what you are doing...
-if test -n "$compiler"; then
-  _LT_COMPILER_NO_RTTI($1)
-  _LT_COMPILER_PIC($1)
-  _LT_COMPILER_C_O($1)
-  _LT_COMPILER_FILE_LOCKS($1)
-  _LT_LINKER_SHLIBS($1)
-  _LT_LINKER_HARDCODE_LIBPATH($1)
-
-  _LT_CONFIG($1)
-fi
-
-AC_LANG_RESTORE
-
-GCC=$lt_save_GCC
-CC=$lt_save_CC
-CFLAGS=$lt_save_CFLAGS
-])# _LT_LANG_GO_CONFIG
-
-
-# _LT_LANG_RC_CONFIG([TAG])
-# -------------------------
-# Ensure that the configuration variables for the Windows resource compiler
-# are suitably defined.  These variables are subsequently used by _LT_CONFIG
-# to write the compiler configuration to `libtool'.
-m4_defun([_LT_LANG_RC_CONFIG],
-[AC_REQUIRE([LT_PROG_RC])dnl
-AC_LANG_SAVE
-
-# Source file extension for RC test sources.
-ac_ext=rc
-
-# Object file extension for compiled RC test sources.
-objext=o
-_LT_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
-
-# Code to be used in simple link tests
-lt_simple_link_test_code="$lt_simple_compile_test_code"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_TAG_COMPILER
-
-# save warnings/boilerplate of simple test code
-_LT_COMPILER_BOILERPLATE
-_LT_LINKER_BOILERPLATE
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-lt_save_CFLAGS=$CFLAGS
-lt_save_GCC=$GCC
-GCC=
-CC=${RC-"windres"}
-CFLAGS=
-compiler=$CC
-_LT_TAGVAR(compiler, $1)=$CC
-_LT_CC_BASENAME([$compiler])
-_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
-
-if test -n "$compiler"; then
-  :
-  _LT_CONFIG($1)
-fi
-
-GCC=$lt_save_GCC
-AC_LANG_RESTORE
-CC=$lt_save_CC
-CFLAGS=$lt_save_CFLAGS
-])# _LT_LANG_RC_CONFIG
-
-
-# LT_PROG_GCJ
-# -----------
-AC_DEFUN([LT_PROG_GCJ],
-[m4_ifdef([AC_PROG_GCJ], [AC_PROG_GCJ],
-  [m4_ifdef([A][M_PROG_GCJ], [A][M_PROG_GCJ],
-    [AC_CHECK_TOOL(GCJ, gcj,)
-      test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
-      AC_SUBST(GCJFLAGS)])])[]dnl
-])
-
-# Old name:
-AU_ALIAS([LT_AC_PROG_GCJ], [LT_PROG_GCJ])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
-
-
-# LT_PROG_GO
-# ----------
-AC_DEFUN([LT_PROG_GO],
-[AC_CHECK_TOOL(GOC, gccgo,)
-])
-
-
-# LT_PROG_RC
-# ----------
-AC_DEFUN([LT_PROG_RC],
-[AC_CHECK_TOOL(RC, windres,)
-])
-
-# Old name:
-AU_ALIAS([LT_AC_PROG_RC], [LT_PROG_RC])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([LT_AC_PROG_RC], [])
-
-
-# _LT_DECL_EGREP
-# --------------
-# If we don't have a new enough Autoconf to choose the best grep
-# available, choose the one first in the user's PATH.
-m4_defun([_LT_DECL_EGREP],
-[AC_REQUIRE([AC_PROG_EGREP])dnl
-AC_REQUIRE([AC_PROG_FGREP])dnl
-test -z "$GREP" && GREP=grep
-_LT_DECL([], [GREP], [1], [A grep program that handles long lines])
-_LT_DECL([], [EGREP], [1], [An ERE matcher])
-_LT_DECL([], [FGREP], [1], [A literal string matcher])
-dnl Non-bleeding-edge autoconf doesn't subst GREP, so do it here too
-AC_SUBST([GREP])
-])
-
-
-# _LT_DECL_OBJDUMP
-# --------------
-# If we don't have a new enough Autoconf to choose the best objdump
-# available, choose the one first in the user's PATH.
-m4_defun([_LT_DECL_OBJDUMP],
-[AC_CHECK_TOOL(OBJDUMP, objdump, false)
-test -z "$OBJDUMP" && OBJDUMP=objdump
-_LT_DECL([], [OBJDUMP], [1], [An object symbol dumper])
-AC_SUBST([OBJDUMP])
-])
-
-# _LT_DECL_DLLTOOL
-# ----------------
-# Ensure DLLTOOL variable is set.
-m4_defun([_LT_DECL_DLLTOOL],
-[AC_CHECK_TOOL(DLLTOOL, dlltool, false)
-test -z "$DLLTOOL" && DLLTOOL=dlltool
-_LT_DECL([], [DLLTOOL], [1], [DLL creation program])
-AC_SUBST([DLLTOOL])
-])
-
-# _LT_DECL_SED
-# ------------
-# Check for a fully-functional sed program, that truncates
-# as few characters as possible.  Prefer GNU sed if found.
-m4_defun([_LT_DECL_SED],
-[AC_PROG_SED
-test -z "$SED" && SED=sed
-Xsed="$SED -e 1s/^X//"
-_LT_DECL([], [SED], [1], [A sed program that does not truncate output])
-_LT_DECL([], [Xsed], ["\$SED -e 1s/^X//"],
-    [Sed that helps us avoid accidentally triggering echo(1) options like -n])
-])# _LT_DECL_SED
-
-m4_ifndef([AC_PROG_SED], [
-############################################################
-# NOTE: This macro has been submitted for inclusion into   #
-#  GNU Autoconf as AC_PROG_SED.  When it is available in   #
-#  a released version of Autoconf we should remove this    #
-#  macro and use it instead.                               #
-############################################################
-
-m4_defun([AC_PROG_SED],
-[AC_MSG_CHECKING([for a sed that does not truncate output])
-AC_CACHE_VAL(lt_cv_path_SED,
-[# Loop through the user's path and test for sed and gsed.
-# Then use that list of sed's as ones to test for truncation.
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for lt_ac_prog in sed gsed; do
-    for ac_exec_ext in '' $ac_executable_extensions; do
-      if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
-        lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
-      fi
-    done
-  done
-done
-IFS=$as_save_IFS
-lt_ac_max=0
-lt_ac_count=0
-# Add /usr/xpg4/bin/sed as it is typically found on Solaris
-# along with /bin/sed that truncates output.
-for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
-  test ! -f $lt_ac_sed && continue
-  cat /dev/null > conftest.in
-  lt_ac_count=0
-  echo $ECHO_N "0123456789$ECHO_C" >conftest.in
-  # Check for GNU sed and select it if it is found.
-  if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
-    lt_cv_path_SED=$lt_ac_sed
-    break
-  fi
-  while true; do
-    cat conftest.in conftest.in >conftest.tmp
-    mv conftest.tmp conftest.in
-    cp conftest.in conftest.nl
-    echo >>conftest.nl
-    $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
-    cmp -s conftest.out conftest.nl || break
-    # 10000 chars as input seems more than enough
-    test $lt_ac_count -gt 10 && break
-    lt_ac_count=`expr $lt_ac_count + 1`
-    if test $lt_ac_count -gt $lt_ac_max; then
-      lt_ac_max=$lt_ac_count
-      lt_cv_path_SED=$lt_ac_sed
-    fi
-  done
-done
-])
-SED=$lt_cv_path_SED
-AC_SUBST([SED])
-AC_MSG_RESULT([$SED])
-])#AC_PROG_SED
-])#m4_ifndef
-
-# Old name:
-AU_ALIAS([LT_AC_PROG_SED], [AC_PROG_SED])
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([LT_AC_PROG_SED], [])
-
-
-# _LT_CHECK_SHELL_FEATURES
-# ------------------------
-# Find out whether the shell is Bourne or XSI compatible,
-# or has some other useful features.
-m4_defun([_LT_CHECK_SHELL_FEATURES],
-[AC_MSG_CHECKING([whether the shell understands some XSI constructs])
-# Try some XSI features
-xsi_shell=no
-( _lt_dummy="a/b/c"
-  test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \
-      = c,a/b,b/c, \
-    && eval 'test $(( 1 + 1 )) -eq 2 \
-    && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \
-  && xsi_shell=yes
-AC_MSG_RESULT([$xsi_shell])
-_LT_CONFIG_LIBTOOL_INIT([xsi_shell='$xsi_shell'])
-
-AC_MSG_CHECKING([whether the shell understands "+="])
-lt_shell_append=no
-( foo=bar; set foo baz; eval "$[1]+=\$[2]" && test "$foo" = barbaz ) \
-    >/dev/null 2>&1 \
-  && lt_shell_append=yes
-AC_MSG_RESULT([$lt_shell_append])
-_LT_CONFIG_LIBTOOL_INIT([lt_shell_append='$lt_shell_append'])
-
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  lt_unset=unset
-else
-  lt_unset=false
-fi
-_LT_DECL([], [lt_unset], [0], [whether the shell understands "unset"])dnl
-
-# test EBCDIC or ASCII
-case `echo X|tr X '\101'` in
- A) # ASCII based system
-    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
-  lt_SP2NL='tr \040 \012'
-  lt_NL2SP='tr \015\012 \040\040'
-  ;;
- *) # EBCDIC based system
-  lt_SP2NL='tr \100 \n'
-  lt_NL2SP='tr \r\n \100\100'
-  ;;
-esac
-_LT_DECL([SP2NL], [lt_SP2NL], [1], [turn spaces into newlines])dnl
-_LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl
-])# _LT_CHECK_SHELL_FEATURES
-
-
-# _LT_PROG_FUNCTION_REPLACE (FUNCNAME, REPLACEMENT-BODY)
-# ------------------------------------------------------
-# In `$cfgfile', look for function FUNCNAME delimited by `^FUNCNAME ()$' and
-# '^} FUNCNAME ', and replace its body with REPLACEMENT-BODY.
-m4_defun([_LT_PROG_FUNCTION_REPLACE],
-[dnl {
-sed -e '/^$1 ()$/,/^} # $1 /c\
-$1 ()\
-{\
-m4_bpatsubsts([$2], [$], [\\], [^\([	 ]\)], [\\\1])
-} # Extended-shell $1 implementation' "$cfgfile" > $cfgfile.tmp \
-  && mv -f "$cfgfile.tmp" "$cfgfile" \
-    || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
-test 0 -eq $? || _lt_function_replace_fail=:
-])
-
-
-# _LT_PROG_REPLACE_SHELLFNS
-# -------------------------
-# Replace existing portable implementations of several shell functions with
-# equivalent extended shell implementations where those features are available..
-m4_defun([_LT_PROG_REPLACE_SHELLFNS],
-[if test x"$xsi_shell" = xyes; then
-  _LT_PROG_FUNCTION_REPLACE([func_dirname], [dnl
-    case ${1} in
-      */*) func_dirname_result="${1%/*}${2}" ;;
-      *  ) func_dirname_result="${3}" ;;
-    esac])
-
-  _LT_PROG_FUNCTION_REPLACE([func_basename], [dnl
-    func_basename_result="${1##*/}"])
-
-  _LT_PROG_FUNCTION_REPLACE([func_dirname_and_basename], [dnl
-    case ${1} in
-      */*) func_dirname_result="${1%/*}${2}" ;;
-      *  ) func_dirname_result="${3}" ;;
-    esac
-    func_basename_result="${1##*/}"])
-
-  _LT_PROG_FUNCTION_REPLACE([func_stripname], [dnl
-    # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
-    # positional parameters, so assign one to ordinary parameter first.
-    func_stripname_result=${3}
-    func_stripname_result=${func_stripname_result#"${1}"}
-    func_stripname_result=${func_stripname_result%"${2}"}])
-
-  _LT_PROG_FUNCTION_REPLACE([func_split_long_opt], [dnl
-    func_split_long_opt_name=${1%%=*}
-    func_split_long_opt_arg=${1#*=}])
-
-  _LT_PROG_FUNCTION_REPLACE([func_split_short_opt], [dnl
-    func_split_short_opt_arg=${1#??}
-    func_split_short_opt_name=${1%"$func_split_short_opt_arg"}])
-
-  _LT_PROG_FUNCTION_REPLACE([func_lo2o], [dnl
-    case ${1} in
-      *.lo) func_lo2o_result=${1%.lo}.${objext} ;;
-      *)    func_lo2o_result=${1} ;;
-    esac])
-
-  _LT_PROG_FUNCTION_REPLACE([func_xform], [    func_xform_result=${1%.*}.lo])
-
-  _LT_PROG_FUNCTION_REPLACE([func_arith], [    func_arith_result=$(( $[*] ))])
-
-  _LT_PROG_FUNCTION_REPLACE([func_len], [    func_len_result=${#1}])
-fi
-
-if test x"$lt_shell_append" = xyes; then
-  _LT_PROG_FUNCTION_REPLACE([func_append], [    eval "${1}+=\\${2}"])
-
-  _LT_PROG_FUNCTION_REPLACE([func_append_quoted], [dnl
-    func_quote_for_eval "${2}"
-dnl m4 expansion turns \\\\ into \\, and then the shell eval turns that into \
-    eval "${1}+=\\\\ \\$func_quote_for_eval_result"])
-
-  # Save a `func_append' function call where possible by direct use of '+='
-  sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \
-    && mv -f "$cfgfile.tmp" "$cfgfile" \
-      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
-  test 0 -eq $? || _lt_function_replace_fail=:
-else
-  # Save a `func_append' function call even when '+=' is not available
-  sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \
-    && mv -f "$cfgfile.tmp" "$cfgfile" \
-      || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp")
-  test 0 -eq $? || _lt_function_replace_fail=:
-fi
-
-if test x"$_lt_function_replace_fail" = x":"; then
-  AC_MSG_WARN([Unable to substitute extended shell functions in $ofile])
-fi
-])
-
-# _LT_PATH_CONVERSION_FUNCTIONS
-# -----------------------------
-# Determine which file name conversion functions should be used by
-# func_to_host_file (and, implicitly, by func_to_host_path).  These are needed
-# for certain cross-compile configurations and native mingw.
-m4_defun([_LT_PATH_CONVERSION_FUNCTIONS],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-AC_MSG_CHECKING([how to convert $build file names to $host format])
-AC_CACHE_VAL(lt_cv_to_host_file_cmd,
-[case $host in
-  *-*-mingw* )
-    case $build in
-      *-*-mingw* ) # actually msys
-        lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32
-        ;;
-      *-*-cygwin* )
-        lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32
-        ;;
-      * ) # otherwise, assume *nix
-        lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32
-        ;;
-    esac
-    ;;
-  *-*-cygwin* )
-    case $build in
-      *-*-mingw* ) # actually msys
-        lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin
-        ;;
-      *-*-cygwin* )
-        lt_cv_to_host_file_cmd=func_convert_file_noop
-        ;;
-      * ) # otherwise, assume *nix
-        lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin
-        ;;
-    esac
-    ;;
-  * ) # unhandled hosts (and "normal" native builds)
-    lt_cv_to_host_file_cmd=func_convert_file_noop
-    ;;
-esac
-])
-to_host_file_cmd=$lt_cv_to_host_file_cmd
-AC_MSG_RESULT([$lt_cv_to_host_file_cmd])
-_LT_DECL([to_host_file_cmd], [lt_cv_to_host_file_cmd],
-         [0], [convert $build file names to $host format])dnl
-
-AC_MSG_CHECKING([how to convert $build file names to toolchain format])
-AC_CACHE_VAL(lt_cv_to_tool_file_cmd,
-[#assume ordinary cross tools, or native build.
-lt_cv_to_tool_file_cmd=func_convert_file_noop
-case $host in
-  *-*-mingw* )
-    case $build in
-      *-*-mingw* ) # actually msys
-        lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32
-        ;;
-    esac
-    ;;
-esac
-])
-to_tool_file_cmd=$lt_cv_to_tool_file_cmd
-AC_MSG_RESULT([$lt_cv_to_tool_file_cmd])
-_LT_DECL([to_tool_file_cmd], [lt_cv_to_tool_file_cmd],
-         [0], [convert $build files to toolchain format])dnl
-])# _LT_PATH_CONVERSION_FUNCTIONS
diff --git a/contrib/bind9/libtool.m4/ltoptions.m4 b/contrib/bind9/libtool.m4/ltoptions.m4
deleted file mode 100644
index 5d9acd8..0000000
--- a/contrib/bind9/libtool.m4/ltoptions.m4
+++ /dev/null
@@ -1,384 +0,0 @@
-# Helper functions for option handling.                    -*- Autoconf -*-
-#
-#   Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation,
-#   Inc.
-#   Written by Gary V. Vaughan, 2004
-#
-# This file is free software; the Free Software Foundation gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
-
-# serial 7 ltoptions.m4
-
-# This is to help aclocal find these macros, as it can't see m4_define.
-AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
-
-
-# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME)
-# ------------------------------------------
-m4_define([_LT_MANGLE_OPTION],
-[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])])
-
-
-# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME)
-# ---------------------------------------
-# Set option OPTION-NAME for macro MACRO-NAME, and if there is a
-# matching handler defined, dispatch to it.  Other OPTION-NAMEs are
-# saved as a flag.
-m4_define([_LT_SET_OPTION],
-[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl
-m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]),
-        _LT_MANGLE_DEFUN([$1], [$2]),
-    [m4_warning([Unknown $1 option `$2'])])[]dnl
-])
-
-
-# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET])
-# ------------------------------------------------------------
-# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
-m4_define([_LT_IF_OPTION],
-[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])])
-
-
-# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET)
-# -------------------------------------------------------
-# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME
-# are set.
-m4_define([_LT_UNLESS_OPTIONS],
-[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
-	    [m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option),
-		      [m4_define([$0_found])])])[]dnl
-m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3
-])[]dnl
-])
-
-
-# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST)
-# ----------------------------------------
-# OPTION-LIST is a space-separated list of Libtool options associated
-# with MACRO-NAME.  If any OPTION has a matching handler declared with
-# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about
-# the unknown option and exit.
-m4_defun([_LT_SET_OPTIONS],
-[# Set options
-m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
-    [_LT_SET_OPTION([$1], _LT_Option)])
-
-m4_if([$1],[LT_INIT],[
-  dnl
-  dnl Simply set some default values (i.e off) if boolean options were not
-  dnl specified:
-  _LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no
-  ])
-  _LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no
-  ])
-  dnl
-  dnl If no reference was made to various pairs of opposing options, then
-  dnl we run the default mode handler for the pair.  For example, if neither
-  dnl `shared' nor `disable-shared' was passed, we enable building of shared
-  dnl archives by default:
-  _LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED])
-  _LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC])
-  _LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC])
-  _LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install],
-  		   [_LT_ENABLE_FAST_INSTALL])
-  ])
-])# _LT_SET_OPTIONS
-
-
-## --------------------------------- ##
-## Macros to handle LT_INIT options. ##
-## --------------------------------- ##
-
-# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME)
-# -----------------------------------------
-m4_define([_LT_MANGLE_DEFUN],
-[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])])
-
-
-# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE)
-# -----------------------------------------------
-m4_define([LT_OPTION_DEFINE],
-[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl
-])# LT_OPTION_DEFINE
-
-
-# dlopen
-# ------
-LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes
-])
-
-AU_DEFUN([AC_LIBTOOL_DLOPEN],
-[_LT_SET_OPTION([LT_INIT], [dlopen])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you
-put the `dlopen' option into LT_INIT's first parameter.])
-])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], [])
-
-
-# win32-dll
-# ---------
-# Declare package support for building win32 dll's.
-LT_OPTION_DEFINE([LT_INIT], [win32-dll],
-[enable_win32_dll=yes
-
-case $host in
-*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
-  AC_CHECK_TOOL(AS, as, false)
-  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
-  AC_CHECK_TOOL(OBJDUMP, objdump, false)
-  ;;
-esac
-
-test -z "$AS" && AS=as
-_LT_DECL([], [AS],      [1], [Assembler program])dnl
-
-test -z "$DLLTOOL" && DLLTOOL=dlltool
-_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
-
-test -z "$OBJDUMP" && OBJDUMP=objdump
-_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
-])# win32-dll
-
-AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-_LT_SET_OPTION([LT_INIT], [win32-dll])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you
-put the `win32-dll' option into LT_INIT's first parameter.])
-])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], [])
-
-
-# _LT_ENABLE_SHARED([DEFAULT])
-# ----------------------------
-# implement the --enable-shared flag, and supports the `shared' and
-# `disable-shared' LT_INIT options.
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-m4_define([_LT_ENABLE_SHARED],
-[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl
-AC_ARG_ENABLE([shared],
-    [AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
-	[build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_shared=yes ;;
-    no) enable_shared=no ;;
-    *)
-      enable_shared=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_shared=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_shared=]_LT_ENABLE_SHARED_DEFAULT)
-
-    _LT_DECL([build_libtool_libs], [enable_shared], [0],
-	[Whether or not to build shared libraries])
-])# _LT_ENABLE_SHARED
-
-LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])])
-LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])])
-
-# Old names:
-AC_DEFUN([AC_ENABLE_SHARED],
-[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared])
-])
-
-AC_DEFUN([AC_DISABLE_SHARED],
-[_LT_SET_OPTION([LT_INIT], [disable-shared])
-])
-
-AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
-AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AM_ENABLE_SHARED], [])
-dnl AC_DEFUN([AM_DISABLE_SHARED], [])
-
-
-
-# _LT_ENABLE_STATIC([DEFAULT])
-# ----------------------------
-# implement the --enable-static flag, and support the `static' and
-# `disable-static' LT_INIT options.
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-m4_define([_LT_ENABLE_STATIC],
-[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl
-AC_ARG_ENABLE([static],
-    [AS_HELP_STRING([--enable-static@<:@=PKGS@:>@],
-	[build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_static=yes ;;
-    no) enable_static=no ;;
-    *)
-     enable_static=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_static=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_static=]_LT_ENABLE_STATIC_DEFAULT)
-
-    _LT_DECL([build_old_libs], [enable_static], [0],
-	[Whether or not to build static libraries])
-])# _LT_ENABLE_STATIC
-
-LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])])
-LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])])
-
-# Old names:
-AC_DEFUN([AC_ENABLE_STATIC],
-[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static])
-])
-
-AC_DEFUN([AC_DISABLE_STATIC],
-[_LT_SET_OPTION([LT_INIT], [disable-static])
-])
-
-AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
-AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AM_ENABLE_STATIC], [])
-dnl AC_DEFUN([AM_DISABLE_STATIC], [])
-
-
-
-# _LT_ENABLE_FAST_INSTALL([DEFAULT])
-# ----------------------------------
-# implement the --enable-fast-install flag, and support the `fast-install'
-# and `disable-fast-install' LT_INIT options.
-# DEFAULT is either `yes' or `no'.  If omitted, it defaults to `yes'.
-m4_define([_LT_ENABLE_FAST_INSTALL],
-[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl
-AC_ARG_ENABLE([fast-install],
-    [AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
-    [optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
-    [p=${PACKAGE-default}
-    case $enableval in
-    yes) enable_fast_install=yes ;;
-    no) enable_fast_install=no ;;
-    *)
-      enable_fast_install=no
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for pkg in $enableval; do
-	IFS="$lt_save_ifs"
-	if test "X$pkg" = "X$p"; then
-	  enable_fast_install=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT)
-
-_LT_DECL([fast_install], [enable_fast_install], [0],
-	 [Whether or not to optimize for fast installation])dnl
-])# _LT_ENABLE_FAST_INSTALL
-
-LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])])
-LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])])
-
-# Old names:
-AU_DEFUN([AC_ENABLE_FAST_INSTALL],
-[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you put
-the `fast-install' option into LT_INIT's first parameter.])
-])
-
-AU_DEFUN([AC_DISABLE_FAST_INSTALL],
-[_LT_SET_OPTION([LT_INIT], [disable-fast-install])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you put
-the `disable-fast-install' option into LT_INIT's first parameter.])
-])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], [])
-dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
-
-
-# _LT_WITH_PIC([MODE])
-# --------------------
-# implement the --with-pic flag, and support the `pic-only' and `no-pic'
-# LT_INIT options.
-# MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
-m4_define([_LT_WITH_PIC],
-[AC_ARG_WITH([pic],
-    [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
-	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
-    [lt_p=${PACKAGE-default}
-    case $withval in
-    yes|no) pic_mode=$withval ;;
-    *)
-      pic_mode=default
-      # Look at the argument we got.  We use all the common list separators.
-      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
-      for lt_pkg in $withval; do
-	IFS="$lt_save_ifs"
-	if test "X$lt_pkg" = "X$lt_p"; then
-	  pic_mode=yes
-	fi
-      done
-      IFS="$lt_save_ifs"
-      ;;
-    esac],
-    [pic_mode=default])
-
-test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
-
-_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl
-])# _LT_WITH_PIC
-
-LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])])
-LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])])
-
-# Old name:
-AU_DEFUN([AC_LIBTOOL_PICMODE],
-[_LT_SET_OPTION([LT_INIT], [pic-only])
-AC_DIAGNOSE([obsolete],
-[$0: Remove this warning and the call to _LT_SET_OPTION when you
-put the `pic-only' option into LT_INIT's first parameter.])
-])
-
-dnl aclocal-1.4 backwards compatibility:
-dnl AC_DEFUN([AC_LIBTOOL_PICMODE], [])
-
-## ----------------- ##
-## LTDL_INIT Options ##
-## ----------------- ##
-
-m4_define([_LTDL_MODE], [])
-LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive],
-		 [m4_define([_LTDL_MODE], [nonrecursive])])
-LT_OPTION_DEFINE([LTDL_INIT], [recursive],
-		 [m4_define([_LTDL_MODE], [recursive])])
-LT_OPTION_DEFINE([LTDL_INIT], [subproject],
-		 [m4_define([_LTDL_MODE], [subproject])])
-
-m4_define([_LTDL_TYPE], [])
-LT_OPTION_DEFINE([LTDL_INIT], [installable],
-		 [m4_define([_LTDL_TYPE], [installable])])
-LT_OPTION_DEFINE([LTDL_INIT], [convenience],
-		 [m4_define([_LTDL_TYPE], [convenience])])
diff --git a/contrib/bind9/libtool.m4/ltsugar.m4 b/contrib/bind9/libtool.m4/ltsugar.m4
deleted file mode 100644
index 9000a05..0000000
--- a/contrib/bind9/libtool.m4/ltsugar.m4
+++ /dev/null
@@ -1,123 +0,0 @@
-# ltsugar.m4 -- libtool m4 base layer.                         -*-Autoconf-*-
-#
-# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
-# Written by Gary V. Vaughan, 2004
-#
-# This file is free software; the Free Software Foundation gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
-
-# serial 6 ltsugar.m4
-
-# This is to help aclocal find these macros, as it can't see m4_define.
-AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])])
-
-
-# lt_join(SEP, ARG1, [ARG2...])
-# -----------------------------
-# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their
-# associated separator.
-# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier
-# versions in m4sugar had bugs.
-m4_define([lt_join],
-[m4_if([$#], [1], [],
-       [$#], [2], [[$2]],
-       [m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])])
-m4_define([_lt_join],
-[m4_if([$#$2], [2], [],
-       [m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])])
-
-
-# lt_car(LIST)
-# lt_cdr(LIST)
-# ------------
-# Manipulate m4 lists.
-# These macros are necessary as long as will still need to support
-# Autoconf-2.59 which quotes differently.
-m4_define([lt_car], [[$1]])
-m4_define([lt_cdr],
-[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
-       [$#], 1, [],
-       [m4_dquote(m4_shift($@))])])
-m4_define([lt_unquote], $1)
-
-
-# lt_append(MACRO-NAME, STRING, [SEPARATOR])
-# ------------------------------------------
-# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'.
-# Note that neither SEPARATOR nor STRING are expanded; they are appended
-# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
-# No SEPARATOR is output if MACRO-NAME was previously undefined (different
-# than defined and empty).
-#
-# This macro is needed until we can rely on Autoconf 2.62, since earlier
-# versions of m4sugar mistakenly expanded SEPARATOR but not STRING.
-m4_define([lt_append],
-[m4_define([$1],
-	   m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])])
-
-
-
-# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...])
-# ----------------------------------------------------------
-# Produce a SEP delimited list of all paired combinations of elements of
-# PREFIX-LIST with SUFFIX1 through SUFFIXn.  Each element of the list
-# has the form PREFIXmINFIXSUFFIXn.
-# Needed until we can rely on m4_combine added in Autoconf 2.62.
-m4_define([lt_combine],
-[m4_if(m4_eval([$# > 3]), [1],
-       [m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl
-[[m4_foreach([_Lt_prefix], [$2],
-	     [m4_foreach([_Lt_suffix],
-		]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[,
-	[_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])])
-
-
-# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ])
-# -----------------------------------------------------------------------
-# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited
-# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ.
-m4_define([lt_if_append_uniq],
-[m4_ifdef([$1],
-	  [m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1],
-		 [lt_append([$1], [$2], [$3])$4],
-		 [$5])],
-	  [lt_append([$1], [$2], [$3])$4])])
-
-
-# lt_dict_add(DICT, KEY, VALUE)
-# -----------------------------
-m4_define([lt_dict_add],
-[m4_define([$1($2)], [$3])])
-
-
-# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE)
-# --------------------------------------------
-m4_define([lt_dict_add_subkey],
-[m4_define([$1($2:$3)], [$4])])
-
-
-# lt_dict_fetch(DICT, KEY, [SUBKEY])
-# ----------------------------------
-m4_define([lt_dict_fetch],
-[m4_ifval([$3],
-	m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]),
-    m4_ifdef([$1($2)], [m4_defn([$1($2)])]))])
-
-
-# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE])
-# -----------------------------------------------------------------
-m4_define([lt_if_dict_fetch],
-[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4],
-	[$5],
-    [$6])])
-
-
-# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...])
-# --------------------------------------------------------------
-m4_define([lt_dict_filter],
-[m4_if([$5], [], [],
-  [lt_join(m4_quote(m4_default([$4], [[, ]])),
-           lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]),
-		      [lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl
-])
diff --git a/contrib/bind9/libtool.m4/ltversion.m4 b/contrib/bind9/libtool.m4/ltversion.m4
deleted file mode 100644
index 07a8602..0000000
--- a/contrib/bind9/libtool.m4/ltversion.m4
+++ /dev/null
@@ -1,23 +0,0 @@
-# ltversion.m4 -- version numbers			-*- Autoconf -*-
-#
-#   Copyright (C) 2004 Free Software Foundation, Inc.
-#   Written by Scott James Remnant, 2004
-#
-# This file is free software; the Free Software Foundation gives
-# unlimited permission to copy and/or distribute it, with or without
-# modifications, as long as this notice is preserved.
-
-# @configure_input@
-
-# serial 3337 ltversion.m4
-# This file is part of GNU Libtool
-
-m4_define([LT_PACKAGE_VERSION], [2.4.2])
-m4_define([LT_PACKAGE_REVISION], [1.3337])
-
-AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.4.2'
-macro_revision='1.3337'
-_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
-_LT_DECL(, macro_revision, 0)
-])
diff --git a/contrib/bind9/ltmain.sh b/contrib/bind9/ltmain.sh
deleted file mode 100644
index 16ddbf8..0000000
--- a/contrib/bind9/ltmain.sh
+++ /dev/null
@@ -1,9706 +0,0 @@
-
-# libtool (GNU libtool) 2.4.2
-# Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
-# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
-# This is free software; see the source for copying conditions.  There is NO
-# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-
-# GNU Libtool is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# As a special exception to the GNU General Public License,
-# if you distribute this file as part of a program or library that
-# is built using GNU Libtool, you may include this file under the
-# same distribution terms that you use for the rest of that program.
-#
-# GNU Libtool is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with GNU Libtool; see the file COPYING.  If not, a copy
-# can be downloaded from http://www.gnu.org/licenses/gpl.html,
-# or obtained by writing to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-# Usage: $progname [OPTION]... [MODE-ARG]...
-#
-# Provide generalized library-building support services.
-#
-#       --config             show all configuration variables
-#       --debug              enable verbose shell tracing
-#   -n, --dry-run            display commands without modifying any files
-#       --features           display basic configuration information and exit
-#       --mode=MODE          use operation mode MODE
-#       --preserve-dup-deps  don't remove duplicate dependency libraries
-#       --quiet, --silent    don't print informational messages
-#       --no-quiet, --no-silent
-#                            print informational messages (default)
-#       --no-warn            don't display warning messages
-#       --tag=TAG            use configuration variables from tag TAG
-#   -v, --verbose            print more informational messages than default
-#       --no-verbose         don't print the extra informational messages
-#       --version            print version information
-#   -h, --help, --help-all   print short, long, or detailed help message
-#
-# MODE must be one of the following:
-#
-#         clean              remove files from the build directory
-#         compile            compile a source file into a libtool object
-#         execute            automatically set library path, then run a program
-#         finish             complete the installation of libtool libraries
-#         install            install libraries or executables
-#         link               create a library or an executable
-#         uninstall          remove libraries from an installed directory
-#
-# MODE-ARGS vary depending on the MODE.  When passed as first option,
-# `--mode=MODE' may be abbreviated as `MODE' or a unique abbreviation of that.
-# Try `$progname --help --mode=MODE' for a more detailed description of MODE.
-#
-# When reporting a bug, please describe a test case to reproduce it and
-# include the following information:
-#
-#         host-triplet:	$host
-#         shell:		$SHELL
-#         compiler:		$LTCC
-#         compiler flags:		$LTCFLAGS
-#         linker:		$LD (gnu? $with_gnu_ld)
-#         $progname:	(GNU libtool) 2.4.2
-#         automake:	$automake_version
-#         autoconf:	$autoconf_version
-#
-# Report bugs to <bug-libtool@gnu.org>.
-# GNU libtool home page: <http://www.gnu.org/software/libtool/>.
-# General help using GNU software: <http://www.gnu.org/gethelp/>.
-
-PROGRAM=libtool
-PACKAGE=libtool
-VERSION=2.4.2
-TIMESTAMP=""
-package_revision=1.3337
-
-# Be Bourne compatible
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-  setopt NO_GLOB_SUBST
-else
-  case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
-fi
-BIN_SH=xpg4; export BIN_SH # for Tru64
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# A function that is used when there is no print builtin or printf.
-func_fallback_echo ()
-{
-  eval 'cat <<_LTECHO_EOF
-$1
-_LTECHO_EOF'
-}
-
-# NLS nuisances: We save the old values to restore during execute mode.
-lt_user_locale=
-lt_safe_locale=
-for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
-do
-  eval "if test \"\${$lt_var+set}\" = set; then
-          save_$lt_var=\$$lt_var
-          $lt_var=C
-	  export $lt_var
-	  lt_user_locale=\"$lt_var=\\\$save_\$lt_var; \$lt_user_locale\"
-	  lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\"
-	fi"
-done
-LC_ALL=C
-LANGUAGE=C
-export LANGUAGE LC_ALL
-
-$lt_unset CDPATH
-
-
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
-
-
-
-: ${CP="cp -f"}
-test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
-: ${MAKE="make"}
-: ${MKDIR="mkdir"}
-: ${MV="mv -f"}
-: ${RM="rm -f"}
-: ${SHELL="${CONFIG_SHELL-/bin/sh}"}
-: ${Xsed="$SED -e 1s/^X//"}
-
-# Global variables:
-EXIT_SUCCESS=0
-EXIT_FAILURE=1
-EXIT_MISMATCH=63  # $? = 63 is used to indicate version mismatch to missing.
-EXIT_SKIP=77	  # $? = 77 is used to indicate a skipped test to automake.
-
-exit_status=$EXIT_SUCCESS
-
-# Make sure IFS has a sensible default
-lt_nl='
-'
-IFS=" 	$lt_nl"
-
-dirname="s,/[^/]*$,,"
-basename="s,^.*/,,"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-    func_dirname_result=`$ECHO "${1}" | $SED "$dirname"`
-    if test "X$func_dirname_result" = "X${1}"; then
-      func_dirname_result="${3}"
-    else
-      func_dirname_result="$func_dirname_result${2}"
-    fi
-} # func_dirname may be replaced by extended shell implementation
-
-
-# func_basename file
-func_basename ()
-{
-    func_basename_result=`$ECHO "${1}" | $SED "$basename"`
-} # func_basename may be replaced by extended shell implementation
-
-
-# func_dirname_and_basename file append nondir_replacement
-# perform func_basename and func_dirname in a single function
-# call:
-#   dirname:  Compute the dirname of FILE.  If nonempty,
-#             add APPEND to the result, otherwise set result
-#             to NONDIR_REPLACEMENT.
-#             value returned in "$func_dirname_result"
-#   basename: Compute filename of FILE.
-#             value retuned in "$func_basename_result"
-# Implementation must be kept synchronized with func_dirname
-# and func_basename. For efficiency, we do not delegate to
-# those functions but instead duplicate the functionality here.
-func_dirname_and_basename ()
-{
-    # Extract subdirectory from the argument.
-    func_dirname_result=`$ECHO "${1}" | $SED -e "$dirname"`
-    if test "X$func_dirname_result" = "X${1}"; then
-      func_dirname_result="${3}"
-    else
-      func_dirname_result="$func_dirname_result${2}"
-    fi
-    func_basename_result=`$ECHO "${1}" | $SED -e "$basename"`
-} # func_dirname_and_basename may be replaced by extended shell implementation
-
-
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-# func_strip_suffix prefix name
-func_stripname ()
-{
-    case ${2} in
-      .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;;
-      *)  func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;;
-    esac
-} # func_stripname may be replaced by extended shell implementation
-
-
-# These SED scripts presuppose an absolute path with a trailing slash.
-pathcar='s,^/\([^/]*\).*$,\1,'
-pathcdr='s,^/[^/]*,,'
-removedotparts=':dotsl
-		s@/\./@/@g
-		t dotsl
-		s,/\.$,/,'
-collapseslashes='s@/\{1,\}@/@g'
-finalslash='s,/*$,/,'
-
-# func_normal_abspath PATH
-# Remove doubled-up and trailing slashes, "." path components,
-# and cancel out any ".." path components in PATH after making
-# it an absolute path.
-#             value returned in "$func_normal_abspath_result"
-func_normal_abspath ()
-{
-  # Start from root dir and reassemble the path.
-  func_normal_abspath_result=
-  func_normal_abspath_tpath=$1
-  func_normal_abspath_altnamespace=
-  case $func_normal_abspath_tpath in
-    "")
-      # Empty path, that just means $cwd.
-      func_stripname '' '/' "`pwd`"
-      func_normal_abspath_result=$func_stripname_result
-      return
-    ;;
-    # The next three entries are used to spot a run of precisely
-    # two leading slashes without using negated character classes;
-    # we take advantage of case's first-match behaviour.
-    ///*)
-      # Unusual form of absolute path, do nothing.
-    ;;
-    //*)
-      # Not necessarily an ordinary path; POSIX reserves leading '//'
-      # and for example Cygwin uses it to access remote file shares
-      # over CIFS/SMB, so we conserve a leading double slash if found.
-      func_normal_abspath_altnamespace=/
-    ;;
-    /*)
-      # Absolute path, do nothing.
-    ;;
-    *)
-      # Relative path, prepend $cwd.
-      func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath
-    ;;
-  esac
-  # Cancel out all the simple stuff to save iterations.  We also want
-  # the path to end with a slash for ease of parsing, so make sure
-  # there is one (and only one) here.
-  func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
-        -e "$removedotparts" -e "$collapseslashes" -e "$finalslash"`
-  while :; do
-    # Processed it all yet?
-    if test "$func_normal_abspath_tpath" = / ; then
-      # If we ascended to the root using ".." the result may be empty now.
-      if test -z "$func_normal_abspath_result" ; then
-        func_normal_abspath_result=/
-      fi
-      break
-    fi
-    func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \
-        -e "$pathcar"`
-    func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
-        -e "$pathcdr"`
-    # Figure out what to do with it
-    case $func_normal_abspath_tcomponent in
-      "")
-        # Trailing empty path component, ignore it.
-      ;;
-      ..)
-        # Parent dir; strip last assembled component from result.
-        func_dirname "$func_normal_abspath_result"
-        func_normal_abspath_result=$func_dirname_result
-      ;;
-      *)
-        # Actual path component, append it.
-        func_normal_abspath_result=$func_normal_abspath_result/$func_normal_abspath_tcomponent
-      ;;
-    esac
-  done
-  # Restore leading double-slash if one was found on entry.
-  func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result
-}
-
-# func_relative_path SRCDIR DSTDIR
-# generates a relative path from SRCDIR to DSTDIR, with a trailing
-# slash if non-empty, suitable for immediately appending a filename
-# without needing to append a separator.
-#             value returned in "$func_relative_path_result"
-func_relative_path ()
-{
-  func_relative_path_result=
-  func_normal_abspath "$1"
-  func_relative_path_tlibdir=$func_normal_abspath_result
-  func_normal_abspath "$2"
-  func_relative_path_tbindir=$func_normal_abspath_result
-
-  # Ascend the tree starting from libdir
-  while :; do
-    # check if we have found a prefix of bindir
-    case $func_relative_path_tbindir in
-      $func_relative_path_tlibdir)
-        # found an exact match
-        func_relative_path_tcancelled=
-        break
-        ;;
-      $func_relative_path_tlibdir*)
-        # found a matching prefix
-        func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir"
-        func_relative_path_tcancelled=$func_stripname_result
-        if test -z "$func_relative_path_result"; then
-          func_relative_path_result=.
-        fi
-        break
-        ;;
-      *)
-        func_dirname $func_relative_path_tlibdir
-        func_relative_path_tlibdir=${func_dirname_result}
-        if test "x$func_relative_path_tlibdir" = x ; then
-          # Have to descend all the way to the root!
-          func_relative_path_result=../$func_relative_path_result
-          func_relative_path_tcancelled=$func_relative_path_tbindir
-          break
-        fi
-        func_relative_path_result=../$func_relative_path_result
-        ;;
-    esac
-  done
-
-  # Now calculate path; take care to avoid doubling-up slashes.
-  func_stripname '' '/' "$func_relative_path_result"
-  func_relative_path_result=$func_stripname_result
-  func_stripname '/' '/' "$func_relative_path_tcancelled"
-  if test "x$func_stripname_result" != x ; then
-    func_relative_path_result=${func_relative_path_result}/${func_stripname_result}
-  fi
-
-  # Normalisation. If bindir is libdir, return empty string,
-  # else relative path ending with a slash; either way, target
-  # file name can be directly appended.
-  if test ! -z "$func_relative_path_result"; then
-    func_stripname './' '' "$func_relative_path_result/"
-    func_relative_path_result=$func_stripname_result
-  fi
-}
-
-# The name of this program:
-func_dirname_and_basename "$progpath"
-progname=$func_basename_result
-
-# Make sure we have an absolute path for reexecution:
-case $progpath in
-  [\\/]*|[A-Za-z]:\\*) ;;
-  *[\\/]*)
-     progdir=$func_dirname_result
-     progdir=`cd "$progdir" && pwd`
-     progpath="$progdir/$progname"
-     ;;
-  *)
-     save_IFS="$IFS"
-     IFS=${PATH_SEPARATOR-:}
-     for progdir in $PATH; do
-       IFS="$save_IFS"
-       test -x "$progdir/$progname" && break
-     done
-     IFS="$save_IFS"
-     test -n "$progdir" || progdir=`pwd`
-     progpath="$progdir/$progname"
-     ;;
-esac
-
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed="${SED}"' -e 1s/^X//'
-sed_quote_subst='s/\([`"$\\]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\(["`\\]\)/\\\1/g'
-
-# Sed substitution that turns a string into a regex matching for the
-# string literally.
-sed_make_literal_regex='s,[].[^$\\*\/],\\&,g'
-
-# Sed substitution that converts a w32 file name or path
-# which contains forward slashes, into one that contains
-# (escaped) backslashes.  A very naive implementation.
-lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
-
-# Re-`\' parameter expansions in output of double_quote_subst that were
-# `\'-ed in input to the same.  If an odd number of `\' preceded a '$'
-# in input to double_quote_subst, that '$' was protected from expansion.
-# Since each input `\' is now two `\'s, look for any number of runs of
-# four `\'s followed by two `\'s and then a '$'.  `\' that '$'.
-bs='\\'
-bs2='\\\\'
-bs4='\\\\\\\\'
-dollar='\$'
-sed_double_backslash="\
-  s/$bs4/&\\
-/g
-  s/^$bs2$dollar/$bs&/
-  s/\\([^$bs]\\)$bs2$dollar/\\1$bs2$bs$dollar/g
-  s/\n//g"
-
-# Standard options:
-opt_dry_run=false
-opt_help=false
-opt_quiet=false
-opt_verbose=false
-opt_warning=:
-
-# func_echo arg...
-# Echo program name prefixed message, along with the current mode
-# name if it has been set yet.
-func_echo ()
-{
-    $ECHO "$progname: ${opt_mode+$opt_mode: }$*"
-}
-
-# func_verbose arg...
-# Echo program name prefixed message in verbose mode only.
-func_verbose ()
-{
-    $opt_verbose && func_echo ${1+"$@"}
-
-    # A bug in bash halts the script if the last line of a function
-    # fails when set -e is in force, so we need another command to
-    # work around that:
-    :
-}
-
-# func_echo_all arg...
-# Invoke $ECHO with all args, space-separated.
-func_echo_all ()
-{
-    $ECHO "$*"
-}
-
-# func_error arg...
-# Echo program name prefixed message to standard error.
-func_error ()
-{
-    $ECHO "$progname: ${opt_mode+$opt_mode: }"${1+"$@"} 1>&2
-}
-
-# func_warning arg...
-# Echo program name prefixed warning message to standard error.
-func_warning ()
-{
-    $opt_warning && $ECHO "$progname: ${opt_mode+$opt_mode: }warning: "${1+"$@"} 1>&2
-
-    # bash bug again:
-    :
-}
-
-# func_fatal_error arg...
-# Echo program name prefixed message to standard error, and exit.
-func_fatal_error ()
-{
-    func_error ${1+"$@"}
-    exit $EXIT_FAILURE
-}
-
-# func_fatal_help arg...
-# Echo program name prefixed message to standard error, followed by
-# a help hint, and exit.
-func_fatal_help ()
-{
-    func_error ${1+"$@"}
-    func_fatal_error "$help"
-}
-help="Try \`$progname --help' for more information."  ## default
-
-
-# func_grep expression filename
-# Check whether EXPRESSION matches any line of FILENAME, without output.
-func_grep ()
-{
-    $GREP "$1" "$2" >/dev/null 2>&1
-}
-
-
-# func_mkdir_p directory-path
-# Make sure the entire path to DIRECTORY-PATH is available.
-func_mkdir_p ()
-{
-    my_directory_path="$1"
-    my_dir_list=
-
-    if test -n "$my_directory_path" && test "$opt_dry_run" != ":"; then
-
-      # Protect directory names starting with `-'
-      case $my_directory_path in
-        -*) my_directory_path="./$my_directory_path" ;;
-      esac
-
-      # While some portion of DIR does not yet exist...
-      while test ! -d "$my_directory_path"; do
-        # ...make a list in topmost first order.  Use a colon delimited
-	# list incase some portion of path contains whitespace.
-        my_dir_list="$my_directory_path:$my_dir_list"
-
-        # If the last portion added has no slash in it, the list is done
-        case $my_directory_path in */*) ;; *) break ;; esac
-
-        # ...otherwise throw away the child directory and loop
-        my_directory_path=`$ECHO "$my_directory_path" | $SED -e "$dirname"`
-      done
-      my_dir_list=`$ECHO "$my_dir_list" | $SED 's,:*$,,'`
-
-      save_mkdir_p_IFS="$IFS"; IFS=':'
-      for my_dir in $my_dir_list; do
-	IFS="$save_mkdir_p_IFS"
-        # mkdir can fail with a `File exist' error if two processes
-        # try to create one of the directories concurrently.  Don't
-        # stop in that case!
-        $MKDIR "$my_dir" 2>/dev/null || :
-      done
-      IFS="$save_mkdir_p_IFS"
-
-      # Bail out if we (or some other process) failed to create a directory.
-      test -d "$my_directory_path" || \
-        func_fatal_error "Failed to create \`$1'"
-    fi
-}
-
-
-# func_mktempdir [string]
-# Make a temporary directory that won't clash with other running
-# libtool processes, and avoids race conditions if possible.  If
-# given, STRING is the basename for that directory.
-func_mktempdir ()
-{
-    my_template="${TMPDIR-/tmp}/${1-$progname}"
-
-    if test "$opt_dry_run" = ":"; then
-      # Return a directory name, but don't create it in dry-run mode
-      my_tmpdir="${my_template}-$$"
-    else
-
-      # If mktemp works, use that first and foremost
-      my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null`
-
-      if test ! -d "$my_tmpdir"; then
-        # Failing that, at least try and use $RANDOM to avoid a race
-        my_tmpdir="${my_template}-${RANDOM-0}$$"
-
-        save_mktempdir_umask=`umask`
-        umask 0077
-        $MKDIR "$my_tmpdir"
-        umask $save_mktempdir_umask
-      fi
-
-      # If we're not in dry-run mode, bomb out on failure
-      test -d "$my_tmpdir" || \
-        func_fatal_error "cannot create temporary directory \`$my_tmpdir'"
-    fi
-
-    $ECHO "$my_tmpdir"
-}
-
-
-# func_quote_for_eval arg
-# Aesthetically quote ARG to be evaled later.
-# This function returns two values: FUNC_QUOTE_FOR_EVAL_RESULT
-# is double-quoted, suitable for a subsequent eval, whereas
-# FUNC_QUOTE_FOR_EVAL_UNQUOTED_RESULT has merely all characters
-# which are still active within double quotes backslashified.
-func_quote_for_eval ()
-{
-    case $1 in
-      *[\\\`\"\$]*)
-	func_quote_for_eval_unquoted_result=`$ECHO "$1" | $SED "$sed_quote_subst"` ;;
-      *)
-        func_quote_for_eval_unquoted_result="$1" ;;
-    esac
-
-    case $func_quote_for_eval_unquoted_result in
-      # Double-quote args containing shell metacharacters to delay
-      # word splitting, command substitution and and variable
-      # expansion for a subsequent eval.
-      # Many Bourne shells cannot handle close brackets correctly
-      # in scan sets, so we specify it separately.
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-        func_quote_for_eval_result="\"$func_quote_for_eval_unquoted_result\""
-        ;;
-      *)
-        func_quote_for_eval_result="$func_quote_for_eval_unquoted_result"
-    esac
-}
-
-
-# func_quote_for_expand arg
-# Aesthetically quote ARG to be evaled later; same as above,
-# but do not quote variable references.
-func_quote_for_expand ()
-{
-    case $1 in
-      *[\\\`\"]*)
-	my_arg=`$ECHO "$1" | $SED \
-	    -e "$double_quote_subst" -e "$sed_double_backslash"` ;;
-      *)
-        my_arg="$1" ;;
-    esac
-
-    case $my_arg in
-      # Double-quote args containing shell metacharacters to delay
-      # word splitting and command substitution for a subsequent eval.
-      # Many Bourne shells cannot handle close brackets correctly
-      # in scan sets, so we specify it separately.
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-        my_arg="\"$my_arg\""
-        ;;
-    esac
-
-    func_quote_for_expand_result="$my_arg"
-}
-
-
-# func_show_eval cmd [fail_exp]
-# Unless opt_silent is true, then output CMD.  Then, if opt_dryrun is
-# not true, evaluate CMD.  If the evaluation of CMD fails, and FAIL_EXP
-# is given, then evaluate it.
-func_show_eval ()
-{
-    my_cmd="$1"
-    my_fail_exp="${2-:}"
-
-    ${opt_silent-false} || {
-      func_quote_for_expand "$my_cmd"
-      eval "func_echo $func_quote_for_expand_result"
-    }
-
-    if ${opt_dry_run-false}; then :; else
-      eval "$my_cmd"
-      my_status=$?
-      if test "$my_status" -eq 0; then :; else
-	eval "(exit $my_status); $my_fail_exp"
-      fi
-    fi
-}
-
-
-# func_show_eval_locale cmd [fail_exp]
-# Unless opt_silent is true, then output CMD.  Then, if opt_dryrun is
-# not true, evaluate CMD.  If the evaluation of CMD fails, and FAIL_EXP
-# is given, then evaluate it.  Use the saved locale for evaluation.
-func_show_eval_locale ()
-{
-    my_cmd="$1"
-    my_fail_exp="${2-:}"
-
-    ${opt_silent-false} || {
-      func_quote_for_expand "$my_cmd"
-      eval "func_echo $func_quote_for_expand_result"
-    }
-
-    if ${opt_dry_run-false}; then :; else
-      eval "$lt_user_locale
-	    $my_cmd"
-      my_status=$?
-      eval "$lt_safe_locale"
-      if test "$my_status" -eq 0; then :; else
-	eval "(exit $my_status); $my_fail_exp"
-      fi
-    fi
-}
-
-# func_tr_sh
-# Turn $1 into a string suitable for a shell variable name.
-# Result is stored in $func_tr_sh_result.  All characters
-# not in the set a-zA-Z0-9_ are replaced with '_'. Further,
-# if $1 begins with a digit, a '_' is prepended as well.
-func_tr_sh ()
-{
-  case $1 in
-  [0-9]* | *[!a-zA-Z0-9_]*)
-    func_tr_sh_result=`$ECHO "$1" | $SED 's/^\([0-9]\)/_\1/; s/[^a-zA-Z0-9_]/_/g'`
-    ;;
-  * )
-    func_tr_sh_result=$1
-    ;;
-  esac
-}
-
-
-# func_version
-# Echo version message to standard output and exit.
-func_version ()
-{
-    $opt_debug
-
-    $SED -n '/(C)/!b go
-	:more
-	/\./!{
-	  N
-	  s/\n# / /
-	  b more
-	}
-	:go
-	/^# '$PROGRAM' (GNU /,/# warranty; / {
-        s/^# //
-	s/^# *$//
-        s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/
-        p
-     }' < "$progpath"
-     exit $?
-}
-
-# func_usage
-# Echo short help message to standard output and exit.
-func_usage ()
-{
-    $opt_debug
-
-    $SED -n '/^# Usage:/,/^#  *.*--help/ {
-        s/^# //
-	s/^# *$//
-	s/\$progname/'$progname'/
-	p
-    }' < "$progpath"
-    echo
-    $ECHO "run \`$progname --help | more' for full usage"
-    exit $?
-}
-
-# func_help [NOEXIT]
-# Echo long help message to standard output and exit,
-# unless 'noexit' is passed as argument.
-func_help ()
-{
-    $opt_debug
-
-    $SED -n '/^# Usage:/,/# Report bugs to/ {
-	:print
-        s/^# //
-	s/^# *$//
-	s*\$progname*'$progname'*
-	s*\$host*'"$host"'*
-	s*\$SHELL*'"$SHELL"'*
-	s*\$LTCC*'"$LTCC"'*
-	s*\$LTCFLAGS*'"$LTCFLAGS"'*
-	s*\$LD*'"$LD"'*
-	s/\$with_gnu_ld/'"$with_gnu_ld"'/
-	s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/
-	s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/
-	p
-	d
-     }
-     /^# .* home page:/b print
-     /^# General help using/b print
-     ' < "$progpath"
-    ret=$?
-    if test -z "$1"; then
-      exit $ret
-    fi
-}
-
-# func_missing_arg argname
-# Echo program name prefixed message to standard error and set global
-# exit_cmd.
-func_missing_arg ()
-{
-    $opt_debug
-
-    func_error "missing argument for $1."
-    exit_cmd=exit
-}
-
-
-# func_split_short_opt shortopt
-# Set func_split_short_opt_name and func_split_short_opt_arg shell
-# variables after splitting SHORTOPT after the 2nd character.
-func_split_short_opt ()
-{
-    my_sed_short_opt='1s/^\(..\).*$/\1/;q'
-    my_sed_short_rest='1s/^..\(.*\)$/\1/;q'
-
-    func_split_short_opt_name=`$ECHO "$1" | $SED "$my_sed_short_opt"`
-    func_split_short_opt_arg=`$ECHO "$1" | $SED "$my_sed_short_rest"`
-} # func_split_short_opt may be replaced by extended shell implementation
-
-
-# func_split_long_opt longopt
-# Set func_split_long_opt_name and func_split_long_opt_arg shell
-# variables after splitting LONGOPT at the `=' sign.
-func_split_long_opt ()
-{
-    my_sed_long_opt='1s/^\(--[^=]*\)=.*/\1/;q'
-    my_sed_long_arg='1s/^--[^=]*=//'
-
-    func_split_long_opt_name=`$ECHO "$1" | $SED "$my_sed_long_opt"`
-    func_split_long_opt_arg=`$ECHO "$1" | $SED "$my_sed_long_arg"`
-} # func_split_long_opt may be replaced by extended shell implementation
-
-exit_cmd=:
-
-
-
-
-
-magic="%%%MAGIC variable%%%"
-magic_exe="%%%MAGIC EXE variable%%%"
-
-# Global variables.
-nonopt=
-preserve_args=
-lo2o="s/\\.lo\$/.${objext}/"
-o2lo="s/\\.${objext}\$/.lo/"
-extracted_archives=
-extracted_serial=0
-
-# If this variable is set in any of the actions, the command in it
-# will be execed at the end.  This prevents here-documents from being
-# left over by shells.
-exec_cmd=
-
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
-{
-    eval "${1}=\$${1}\${2}"
-} # func_append may be replaced by extended shell implementation
-
-# func_append_quoted var value
-# Quote VALUE and append to the end of shell variable VAR, separated
-# by a space.
-func_append_quoted ()
-{
-    func_quote_for_eval "${2}"
-    eval "${1}=\$${1}\\ \$func_quote_for_eval_result"
-} # func_append_quoted may be replaced by extended shell implementation
-
-
-# func_arith arithmetic-term...
-func_arith ()
-{
-    func_arith_result=`expr "${@}"`
-} # func_arith may be replaced by extended shell implementation
-
-
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-    func_len_result=`expr "${1}" : ".*" 2>/dev/null || echo $max_cmd_len`
-} # func_len may be replaced by extended shell implementation
-
-
-# func_lo2o object
-func_lo2o ()
-{
-    func_lo2o_result=`$ECHO "${1}" | $SED "$lo2o"`
-} # func_lo2o may be replaced by extended shell implementation
-
-
-# func_xform libobj-or-source
-func_xform ()
-{
-    func_xform_result=`$ECHO "${1}" | $SED 's/\.[^.]*$/.lo/'`
-} # func_xform may be replaced by extended shell implementation
-
-
-# func_fatal_configuration arg...
-# Echo program name prefixed message to standard error, followed by
-# a configuration failure hint, and exit.
-func_fatal_configuration ()
-{
-    func_error ${1+"$@"}
-    func_error "See the $PACKAGE documentation for more information."
-    func_fatal_error "Fatal configuration error."
-}
-
-
-# func_config
-# Display the configuration for all the tags in this script.
-func_config ()
-{
-    re_begincf='^# ### BEGIN LIBTOOL'
-    re_endcf='^# ### END LIBTOOL'
-
-    # Default configuration.
-    $SED "1,/$re_begincf CONFIG/d;/$re_endcf CONFIG/,\$d" < "$progpath"
-
-    # Now print the configurations for the tags.
-    for tagname in $taglist; do
-      $SED -n "/$re_begincf TAG CONFIG: $tagname\$/,/$re_endcf TAG CONFIG: $tagname\$/p" < "$progpath"
-    done
-
-    exit $?
-}
-
-# func_features
-# Display the features supported by this script.
-func_features ()
-{
-    echo "host: $host"
-    if test "$build_libtool_libs" = yes; then
-      echo "enable shared libraries"
-    else
-      echo "disable shared libraries"
-    fi
-    if test "$build_old_libs" = yes; then
-      echo "enable static libraries"
-    else
-      echo "disable static libraries"
-    fi
-
-    exit $?
-}
-
-# func_enable_tag tagname
-# Verify that TAGNAME is valid, and either flag an error and exit, or
-# enable the TAGNAME tag.  We also add TAGNAME to the global $taglist
-# variable here.
-func_enable_tag ()
-{
-  # Global variable:
-  tagname="$1"
-
-  re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$"
-  re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$"
-  sed_extractcf="/$re_begincf/,/$re_endcf/p"
-
-  # Validate tagname.
-  case $tagname in
-    *[!-_A-Za-z0-9,/]*)
-      func_fatal_error "invalid tag name: $tagname"
-      ;;
-  esac
-
-  # Don't test for the "default" C tag, as we know it's
-  # there but not specially marked.
-  case $tagname in
-    CC) ;;
-    *)
-      if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then
-	taglist="$taglist $tagname"
-
-	# Evaluate the configuration.  Be careful to quote the path
-	# and the sed script, to avoid splitting on whitespace, but
-	# also don't use non-portable quotes within backquotes within
-	# quotes we have to do it in 2 steps:
-	extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"`
-	eval "$extractedcf"
-      else
-	func_error "ignoring unknown tag $tagname"
-      fi
-      ;;
-  esac
-}
-
-# func_check_version_match
-# Ensure that we are using m4 macros, and libtool script from the same
-# release of libtool.
-func_check_version_match ()
-{
-  if test "$package_revision" != "$macro_revision"; then
-    if test "$VERSION" != "$macro_version"; then
-      if test -z "$macro_version"; then
-        cat >&2 <<_LT_EOF
-$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
-$progname: definition of this LT_INIT comes from an older release.
-$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
-$progname: and run autoconf again.
-_LT_EOF
-      else
-        cat >&2 <<_LT_EOF
-$progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
-$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
-$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
-$progname: and run autoconf again.
-_LT_EOF
-      fi
-    else
-      cat >&2 <<_LT_EOF
-$progname: Version mismatch error.  This is $PACKAGE $VERSION, revision $package_revision,
-$progname: but the definition of this LT_INIT comes from revision $macro_revision.
-$progname: You should recreate aclocal.m4 with macros from revision $package_revision
-$progname: of $PACKAGE $VERSION and run autoconf again.
-_LT_EOF
-    fi
-
-    exit $EXIT_MISMATCH
-  fi
-}
-
-
-# Shorthand for --mode=foo, only valid as the first argument
-case $1 in
-clean|clea|cle|cl)
-  shift; set dummy --mode clean ${1+"$@"}; shift
-  ;;
-compile|compil|compi|comp|com|co|c)
-  shift; set dummy --mode compile ${1+"$@"}; shift
-  ;;
-execute|execut|execu|exec|exe|ex|e)
-  shift; set dummy --mode execute ${1+"$@"}; shift
-  ;;
-finish|finis|fini|fin|fi|f)
-  shift; set dummy --mode finish ${1+"$@"}; shift
-  ;;
-install|instal|insta|inst|ins|in|i)
-  shift; set dummy --mode install ${1+"$@"}; shift
-  ;;
-link|lin|li|l)
-  shift; set dummy --mode link ${1+"$@"}; shift
-  ;;
-uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
-  shift; set dummy --mode uninstall ${1+"$@"}; shift
-  ;;
-esac
-
-
-
-# Option defaults:
-opt_debug=:
-opt_dry_run=false
-opt_config=false
-opt_preserve_dup_deps=false
-opt_features=false
-opt_finish=false
-opt_help=false
-opt_help_all=false
-opt_silent=:
-opt_warning=:
-opt_verbose=:
-opt_silent=false
-opt_verbose=false
-
-
-# Parse options once, thoroughly.  This comes as soon as possible in the
-# script to make things like `--version' happen as quickly as we can.
-{
-  # this just eases exit handling
-  while test $# -gt 0; do
-    opt="$1"
-    shift
-    case $opt in
-      --debug|-x)	opt_debug='set -x'
-			func_echo "enabling shell trace mode"
-			$opt_debug
-			;;
-      --dry-run|--dryrun|-n)
-			opt_dry_run=:
-			;;
-      --config)
-			opt_config=:
-func_config
-			;;
-      --dlopen|-dlopen)
-			optarg="$1"
-			opt_dlopen="${opt_dlopen+$opt_dlopen
-}$optarg"
-			shift
-			;;
-      --preserve-dup-deps)
-			opt_preserve_dup_deps=:
-			;;
-      --features)
-			opt_features=:
-func_features
-			;;
-      --finish)
-			opt_finish=:
-set dummy --mode finish ${1+"$@"}; shift
-			;;
-      --help)
-			opt_help=:
-			;;
-      --help-all)
-			opt_help_all=:
-opt_help=': help-all'
-			;;
-      --mode)
-			test $# = 0 && func_missing_arg $opt && break
-			optarg="$1"
-			opt_mode="$optarg"
-case $optarg in
-  # Valid mode arguments:
-  clean|compile|execute|finish|install|link|relink|uninstall) ;;
-
-  # Catch anything else as an error
-  *) func_error "invalid argument for $opt"
-     exit_cmd=exit
-     break
-     ;;
-esac
-			shift
-			;;
-      --no-silent|--no-quiet)
-			opt_silent=false
-func_append preserve_args " $opt"
-			;;
-      --no-warning|--no-warn)
-			opt_warning=false
-func_append preserve_args " $opt"
-			;;
-      --no-verbose)
-			opt_verbose=false
-func_append preserve_args " $opt"
-			;;
-      --silent|--quiet)
-			opt_silent=:
-func_append preserve_args " $opt"
-        opt_verbose=false
-			;;
-      --verbose|-v)
-			opt_verbose=:
-func_append preserve_args " $opt"
-opt_silent=false
-			;;
-      --tag)
-			test $# = 0 && func_missing_arg $opt && break
-			optarg="$1"
-			opt_tag="$optarg"
-func_append preserve_args " $opt $optarg"
-func_enable_tag "$optarg"
-			shift
-			;;
-
-      -\?|-h)		func_usage				;;
-      --help)		func_help				;;
-      --version)	func_version				;;
-
-      # Separate optargs to long options:
-      --*=*)
-			func_split_long_opt "$opt"
-			set dummy "$func_split_long_opt_name" "$func_split_long_opt_arg" ${1+"$@"}
-			shift
-			;;
-
-      # Separate non-argument short options:
-      -\?*|-h*|-n*|-v*)
-			func_split_short_opt "$opt"
-			set dummy "$func_split_short_opt_name" "-$func_split_short_opt_arg" ${1+"$@"}
-			shift
-			;;
-
-      --)		break					;;
-      -*)		func_fatal_help "unrecognized option \`$opt'" ;;
-      *)		set dummy "$opt" ${1+"$@"};	shift; break  ;;
-    esac
-  done
-
-  # Validate options:
-
-  # save first non-option argument
-  if test "$#" -gt 0; then
-    nonopt="$opt"
-    shift
-  fi
-
-  # preserve --debug
-  test "$opt_debug" = : || func_append preserve_args " --debug"
-
-  case $host in
-    *cygwin* | *mingw* | *pw32* | *cegcc*)
-      # don't eliminate duplications in $postdeps and $predeps
-      opt_duplicate_compiler_generated_deps=:
-      ;;
-    *)
-      opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps
-      ;;
-  esac
-
-  $opt_help || {
-    # Sanity checks first:
-    func_check_version_match
-
-    if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
-      func_fatal_configuration "not configured to build any kind of library"
-    fi
-
-    # Darwin sucks
-    eval std_shrext=\"$shrext_cmds\"
-
-    # Only execute mode is allowed to have -dlopen flags.
-    if test -n "$opt_dlopen" && test "$opt_mode" != execute; then
-      func_error "unrecognized option \`-dlopen'"
-      $ECHO "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
-
-    # Change the help message to a mode-specific one.
-    generic_help="$help"
-    help="Try \`$progname --help --mode=$opt_mode' for more information."
-  }
-
-
-  # Bail if the options were screwed
-  $exit_cmd $EXIT_FAILURE
-}
-
-
-
-
-## ----------- ##
-##    Main.    ##
-## ----------- ##
-
-# func_lalib_p file
-# True iff FILE is a libtool `.la' library or `.lo' object file.
-# This function is only a basic sanity check; it will hardly flush out
-# determined imposters.
-func_lalib_p ()
-{
-    test -f "$1" &&
-      $SED -e 4q "$1" 2>/dev/null \
-        | $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1
-}
-
-# func_lalib_unsafe_p file
-# True iff FILE is a libtool `.la' library or `.lo' object file.
-# This function implements the same check as func_lalib_p without
-# resorting to external programs.  To this end, it redirects stdin and
-# closes it afterwards, without saving the original file descriptor.
-# As a safety measure, use it only where a negative result would be
-# fatal anyway.  Works if `file' does not exist.
-func_lalib_unsafe_p ()
-{
-    lalib_p=no
-    if test -f "$1" && test -r "$1" && exec 5<&0 <"$1"; then
-	for lalib_p_l in 1 2 3 4
-	do
-	    read lalib_p_line
-	    case "$lalib_p_line" in
-		\#\ Generated\ by\ *$PACKAGE* ) lalib_p=yes; break;;
-	    esac
-	done
-	exec 0<&5 5<&-
-    fi
-    test "$lalib_p" = yes
-}
-
-# func_ltwrapper_script_p file
-# True iff FILE is a libtool wrapper script
-# This function is only a basic sanity check; it will hardly flush out
-# determined imposters.
-func_ltwrapper_script_p ()
-{
-    func_lalib_p "$1"
-}
-
-# func_ltwrapper_executable_p file
-# True iff FILE is a libtool wrapper executable
-# This function is only a basic sanity check; it will hardly flush out
-# determined imposters.
-func_ltwrapper_executable_p ()
-{
-    func_ltwrapper_exec_suffix=
-    case $1 in
-    *.exe) ;;
-    *) func_ltwrapper_exec_suffix=.exe ;;
-    esac
-    $GREP "$magic_exe" "$1$func_ltwrapper_exec_suffix" >/dev/null 2>&1
-}
-
-# func_ltwrapper_scriptname file
-# Assumes file is an ltwrapper_executable
-# uses $file to determine the appropriate filename for a
-# temporary ltwrapper_script.
-func_ltwrapper_scriptname ()
-{
-    func_dirname_and_basename "$1" "" "."
-    func_stripname '' '.exe' "$func_basename_result"
-    func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
-}
-
-# func_ltwrapper_p file
-# True iff FILE is a libtool wrapper script or wrapper executable
-# This function is only a basic sanity check; it will hardly flush out
-# determined imposters.
-func_ltwrapper_p ()
-{
-    func_ltwrapper_script_p "$1" || func_ltwrapper_executable_p "$1"
-}
-
-
-# func_execute_cmds commands fail_cmd
-# Execute tilde-delimited COMMANDS.
-# If FAIL_CMD is given, eval that upon failure.
-# FAIL_CMD may read-access the current command in variable CMD!
-func_execute_cmds ()
-{
-    $opt_debug
-    save_ifs=$IFS; IFS='~'
-    for cmd in $1; do
-      IFS=$save_ifs
-      eval cmd=\"$cmd\"
-      func_show_eval "$cmd" "${2-:}"
-    done
-    IFS=$save_ifs
-}
-
-
-# func_source file
-# Source FILE, adding directory component if necessary.
-# Note that it is not necessary on cygwin/mingw to append a dot to
-# FILE even if both FILE and FILE.exe exist: automatic-append-.exe
-# behavior happens only for exec(3), not for open(2)!  Also, sourcing
-# `FILE.' does not work on cygwin managed mounts.
-func_source ()
-{
-    $opt_debug
-    case $1 in
-    */* | *\\*)	. "$1" ;;
-    *)		. "./$1" ;;
-    esac
-}
-
-
-# func_resolve_sysroot PATH
-# Replace a leading = in PATH with a sysroot.  Store the result into
-# func_resolve_sysroot_result
-func_resolve_sysroot ()
-{
-  func_resolve_sysroot_result=$1
-  case $func_resolve_sysroot_result in
-  =*)
-    func_stripname '=' '' "$func_resolve_sysroot_result"
-    func_resolve_sysroot_result=$lt_sysroot$func_stripname_result
-    ;;
-  esac
-}
-
-# func_replace_sysroot PATH
-# If PATH begins with the sysroot, replace it with = and
-# store the result into func_replace_sysroot_result.
-func_replace_sysroot ()
-{
-  case "$lt_sysroot:$1" in
-  ?*:"$lt_sysroot"*)
-    func_stripname "$lt_sysroot" '' "$1"
-    func_replace_sysroot_result="=$func_stripname_result"
-    ;;
-  *)
-    # Including no sysroot.
-    func_replace_sysroot_result=$1
-    ;;
-  esac
-}
-
-# func_infer_tag arg
-# Infer tagged configuration to use if any are available and
-# if one wasn't chosen via the "--tag" command line option.
-# Only attempt this if the compiler in the base compile
-# command doesn't match the default compiler.
-# arg is usually of the form 'gcc ...'
-func_infer_tag ()
-{
-    $opt_debug
-
-    # FreeBSD-specific: where we install compilers with non-standard names
-    tag_compilers_CC="*cc cc* *gcc gcc* clang"
-    tag_compilers_CXX="*c++ c++* *g++ g++* clang++"
-    base_compiler=`set -- "$@"; echo $1`
-
-    # If $tagname isn't set, then try to infer if the default "CC" tag applies
-    if test -z "$tagname"; then
-      for zp in $tag_compilers_CC; do
-        case $base_compiler in
-	 $zp) tagname="CC"; break;;
-	esac
-      done
-    fi
-
-    if test -n "$available_tags" && test -z "$tagname"; then
-      CC_quoted=
-      for arg in $CC; do
-	func_append_quoted CC_quoted "$arg"
-      done
-      CC_expanded=`func_echo_all $CC`
-      CC_quoted_expanded=`func_echo_all $CC_quoted`
-      case $@ in
-      # Blanks in the command may have been stripped by the calling shell,
-      # but not from the CC environment variable when configure was run.
-      " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
-      " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;;
-      # Blanks at the start of $base_compile will cause this to fail
-      # if we don't check for them as well.
-      *)
-	for z in $available_tags; do
-	  if $GREP "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
-	    # Evaluate the configuration.
-	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
-	    CC_quoted=
-	    for arg in $CC; do
-	      # Double-quote args containing other shell metacharacters.
-	      func_append_quoted CC_quoted "$arg"
-	    done
-	    CC_expanded=`func_echo_all $CC`
-	    CC_quoted_expanded=`func_echo_all $CC_quoted`
-	    case "$@ " in
-	    " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
-	    " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*)
-	      # The compiler in the base compile command matches
-	      # the one in the tagged configuration.
-	      # Assume this is the tagged configuration we want.
-	      tagname=$z
-	      break
-	      ;;
-	    esac
-
-	    # FreeBSD-specific: try compilers based on inferred tag
-	    if test -z "$tagname"; then
-	      eval "tag_compilers=\$tag_compilers_${z}"
-	      if test -n "$tag_compilers"; then
-		for zp in $tag_compilers; do
-		  case $base_compiler in   
-		    $zp) tagname=$z; break;;
-		  esac
-		done
-		if test -n "$tagname"; then
-		  break
-		fi
-	      fi
-            fi
-          fi
-	done
-	# If $tagname still isn't set, then no tagged configuration
-	# was found and let the user know that the "--tag" command
-	# line option must be used.
-	if test -z "$tagname"; then
-	  func_echo "unable to infer tagged configuration"
-	  func_fatal_error "specify a tag with \`--tag'"
-#	else
-#	  func_verbose "using $tagname tagged configuration"
-	fi
-	;;
-      esac
-    fi
-}
-
-
-
-# func_write_libtool_object output_name pic_name nonpic_name
-# Create a libtool object file (analogous to a ".la" file),
-# but don't create it if we're doing a dry run.
-func_write_libtool_object ()
-{
-    write_libobj=${1}
-    if test "$build_libtool_libs" = yes; then
-      write_lobj=\'${2}\'
-    else
-      write_lobj=none
-    fi
-
-    if test "$build_old_libs" = yes; then
-      write_oldobj=\'${3}\'
-    else
-      write_oldobj=none
-    fi
-
-    $opt_dry_run || {
-      cat >${write_libobj}T <<EOF
-# $write_libobj - a libtool object file
-# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
-#
-# Please DO NOT delete this file!
-# It is necessary for linking the library.
-
-# Name of the PIC object.
-pic_object=$write_lobj
-
-# Name of the non-PIC object
-non_pic_object=$write_oldobj
-
-EOF
-      $MV "${write_libobj}T" "${write_libobj}"
-    }
-}
-
-
-##################################################
-# FILE NAME AND PATH CONVERSION HELPER FUNCTIONS #
-##################################################
-
-# func_convert_core_file_wine_to_w32 ARG
-# Helper function used by file name conversion functions when $build is *nix,
-# and $host is mingw, cygwin, or some other w32 environment. Relies on a
-# correctly configured wine environment available, with the winepath program
-# in $build's $PATH.
-#
-# ARG is the $build file name to be converted to w32 format.
-# Result is available in $func_convert_core_file_wine_to_w32_result, and will
-# be empty on error (or when ARG is empty)
-func_convert_core_file_wine_to_w32 ()
-{
-  $opt_debug
-  func_convert_core_file_wine_to_w32_result="$1"
-  if test -n "$1"; then
-    # Unfortunately, winepath does not exit with a non-zero error code, so we
-    # are forced to check the contents of stdout. On the other hand, if the
-    # command is not found, the shell will set an exit code of 127 and print
-    # *an error message* to stdout. So we must check for both error code of
-    # zero AND non-empty stdout, which explains the odd construction:
-    func_convert_core_file_wine_to_w32_tmp=`winepath -w "$1" 2>/dev/null`
-    if test "$?" -eq 0 && test -n "${func_convert_core_file_wine_to_w32_tmp}"; then
-      func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" |
-        $SED -e "$lt_sed_naive_backslashify"`
-    else
-      func_convert_core_file_wine_to_w32_result=
-    fi
-  fi
-}
-# end: func_convert_core_file_wine_to_w32
-
-
-# func_convert_core_path_wine_to_w32 ARG
-# Helper function used by path conversion functions when $build is *nix, and
-# $host is mingw, cygwin, or some other w32 environment. Relies on a correctly
-# configured wine environment available, with the winepath program in $build's
-# $PATH. Assumes ARG has no leading or trailing path separator characters.
-#
-# ARG is path to be converted from $build format to win32.
-# Result is available in $func_convert_core_path_wine_to_w32_result.
-# Unconvertible file (directory) names in ARG are skipped; if no directory names
-# are convertible, then the result may be empty.
-func_convert_core_path_wine_to_w32 ()
-{
-  $opt_debug
-  # unfortunately, winepath doesn't convert paths, only file names
-  func_convert_core_path_wine_to_w32_result=""
-  if test -n "$1"; then
-    oldIFS=$IFS
-    IFS=:
-    for func_convert_core_path_wine_to_w32_f in $1; do
-      IFS=$oldIFS
-      func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f"
-      if test -n "$func_convert_core_file_wine_to_w32_result" ; then
-        if test -z "$func_convert_core_path_wine_to_w32_result"; then
-          func_convert_core_path_wine_to_w32_result="$func_convert_core_file_wine_to_w32_result"
-        else
-          func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result"
-        fi
-      fi
-    done
-    IFS=$oldIFS
-  fi
-}
-# end: func_convert_core_path_wine_to_w32
-
-
-# func_cygpath ARGS...
-# Wrapper around calling the cygpath program via LT_CYGPATH. This is used when
-# when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2)
-# $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. In case (1) or
-# (2), returns the Cygwin file name or path in func_cygpath_result (input
-# file name or path is assumed to be in w32 format, as previously converted
-# from $build's *nix or MSYS format). In case (3), returns the w32 file name
-# or path in func_cygpath_result (input file name or path is assumed to be in
-# Cygwin format). Returns an empty string on error.
-#
-# ARGS are passed to cygpath, with the last one being the file name or path to
-# be converted.
-#
-# Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH
-# environment variable; do not put it in $PATH.
-func_cygpath ()
-{
-  $opt_debug
-  if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then
-    func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null`
-    if test "$?" -ne 0; then
-      # on failure, ensure result is empty
-      func_cygpath_result=
-    fi
-  else
-    func_cygpath_result=
-    func_error "LT_CYGPATH is empty or specifies non-existent file: \`$LT_CYGPATH'"
-  fi
-}
-#end: func_cygpath
-
-
-# func_convert_core_msys_to_w32 ARG
-# Convert file name or path ARG from MSYS format to w32 format.  Return
-# result in func_convert_core_msys_to_w32_result.
-func_convert_core_msys_to_w32 ()
-{
-  $opt_debug
-  # awkward: cmd appends spaces to result
-  func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null |
-    $SED -e 's/[ ]*$//' -e "$lt_sed_naive_backslashify"`
-}
-#end: func_convert_core_msys_to_w32
-
-
-# func_convert_file_check ARG1 ARG2
-# Verify that ARG1 (a file name in $build format) was converted to $host
-# format in ARG2. Otherwise, emit an error message, but continue (resetting
-# func_to_host_file_result to ARG1).
-func_convert_file_check ()
-{
-  $opt_debug
-  if test -z "$2" && test -n "$1" ; then
-    func_error "Could not determine host file name corresponding to"
-    func_error "  \`$1'"
-    func_error "Continuing, but uninstalled executables may not work."
-    # Fallback:
-    func_to_host_file_result="$1"
-  fi
-}
-# end func_convert_file_check
-
-
-# func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH
-# Verify that FROM_PATH (a path in $build format) was converted to $host
-# format in TO_PATH. Otherwise, emit an error message, but continue, resetting
-# func_to_host_file_result to a simplistic fallback value (see below).
-func_convert_path_check ()
-{
-  $opt_debug
-  if test -z "$4" && test -n "$3"; then
-    func_error "Could not determine the host path corresponding to"
-    func_error "  \`$3'"
-    func_error "Continuing, but uninstalled executables may not work."
-    # Fallback.  This is a deliberately simplistic "conversion" and
-    # should not be "improved".  See libtool.info.
-    if test "x$1" != "x$2"; then
-      lt_replace_pathsep_chars="s|$1|$2|g"
-      func_to_host_path_result=`echo "$3" |
-        $SED -e "$lt_replace_pathsep_chars"`
-    else
-      func_to_host_path_result="$3"
-    fi
-  fi
-}
-# end func_convert_path_check
-
-
-# func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG
-# Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT
-# and appending REPL if ORIG matches BACKPAT.
-func_convert_path_front_back_pathsep ()
-{
-  $opt_debug
-  case $4 in
-  $1 ) func_to_host_path_result="$3$func_to_host_path_result"
-    ;;
-  esac
-  case $4 in
-  $2 ) func_append func_to_host_path_result "$3"
-    ;;
-  esac
-}
-# end func_convert_path_front_back_pathsep
-
-
-##################################################
-# $build to $host FILE NAME CONVERSION FUNCTIONS #
-##################################################
-# invoked via `$to_host_file_cmd ARG'
-#
-# In each case, ARG is the path to be converted from $build to $host format.
-# Result will be available in $func_to_host_file_result.
-
-
-# func_to_host_file ARG
-# Converts the file name ARG from $build format to $host format. Return result
-# in func_to_host_file_result.
-func_to_host_file ()
-{
-  $opt_debug
-  $to_host_file_cmd "$1"
-}
-# end func_to_host_file
-
-
-# func_to_tool_file ARG LAZY
-# converts the file name ARG from $build format to toolchain format. Return
-# result in func_to_tool_file_result.  If the conversion in use is listed
-# in (the comma separated) LAZY, no conversion takes place.
-func_to_tool_file ()
-{
-  $opt_debug
-  case ,$2, in
-    *,"$to_tool_file_cmd",*)
-      func_to_tool_file_result=$1
-      ;;
-    *)
-      $to_tool_file_cmd "$1"
-      func_to_tool_file_result=$func_to_host_file_result
-      ;;
-  esac
-}
-# end func_to_tool_file
-
-
-# func_convert_file_noop ARG
-# Copy ARG to func_to_host_file_result.
-func_convert_file_noop ()
-{
-  func_to_host_file_result="$1"
-}
-# end func_convert_file_noop
-
-
-# func_convert_file_msys_to_w32 ARG
-# Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic
-# conversion to w32 is not available inside the cwrapper.  Returns result in
-# func_to_host_file_result.
-func_convert_file_msys_to_w32 ()
-{
-  $opt_debug
-  func_to_host_file_result="$1"
-  if test -n "$1"; then
-    func_convert_core_msys_to_w32 "$1"
-    func_to_host_file_result="$func_convert_core_msys_to_w32_result"
-  fi
-  func_convert_file_check "$1" "$func_to_host_file_result"
-}
-# end func_convert_file_msys_to_w32
-
-
-# func_convert_file_cygwin_to_w32 ARG
-# Convert file name ARG from Cygwin to w32 format.  Returns result in
-# func_to_host_file_result.
-func_convert_file_cygwin_to_w32 ()
-{
-  $opt_debug
-  func_to_host_file_result="$1"
-  if test -n "$1"; then
-    # because $build is cygwin, we call "the" cygpath in $PATH; no need to use
-    # LT_CYGPATH in this case.
-    func_to_host_file_result=`cygpath -m "$1"`
-  fi
-  func_convert_file_check "$1" "$func_to_host_file_result"
-}
-# end func_convert_file_cygwin_to_w32
-
-
-# func_convert_file_nix_to_w32 ARG
-# Convert file name ARG from *nix to w32 format.  Requires a wine environment
-# and a working winepath. Returns result in func_to_host_file_result.
-func_convert_file_nix_to_w32 ()
-{
-  $opt_debug
-  func_to_host_file_result="$1"
-  if test -n "$1"; then
-    func_convert_core_file_wine_to_w32 "$1"
-    func_to_host_file_result="$func_convert_core_file_wine_to_w32_result"
-  fi
-  func_convert_file_check "$1" "$func_to_host_file_result"
-}
-# end func_convert_file_nix_to_w32
-
-
-# func_convert_file_msys_to_cygwin ARG
-# Convert file name ARG from MSYS to Cygwin format.  Requires LT_CYGPATH set.
-# Returns result in func_to_host_file_result.
-func_convert_file_msys_to_cygwin ()
-{
-  $opt_debug
-  func_to_host_file_result="$1"
-  if test -n "$1"; then
-    func_convert_core_msys_to_w32 "$1"
-    func_cygpath -u "$func_convert_core_msys_to_w32_result"
-    func_to_host_file_result="$func_cygpath_result"
-  fi
-  func_convert_file_check "$1" "$func_to_host_file_result"
-}
-# end func_convert_file_msys_to_cygwin
-
-
-# func_convert_file_nix_to_cygwin ARG
-# Convert file name ARG from *nix to Cygwin format.  Requires Cygwin installed
-# in a wine environment, working winepath, and LT_CYGPATH set.  Returns result
-# in func_to_host_file_result.
-func_convert_file_nix_to_cygwin ()
-{
-  $opt_debug
-  func_to_host_file_result="$1"
-  if test -n "$1"; then
-    # convert from *nix to w32, then use cygpath to convert from w32 to cygwin.
-    func_convert_core_file_wine_to_w32 "$1"
-    func_cygpath -u "$func_convert_core_file_wine_to_w32_result"
-    func_to_host_file_result="$func_cygpath_result"
-  fi
-  func_convert_file_check "$1" "$func_to_host_file_result"
-}
-# end func_convert_file_nix_to_cygwin
-
-
-#############################################
-# $build to $host PATH CONVERSION FUNCTIONS #
-#############################################
-# invoked via `$to_host_path_cmd ARG'
-#
-# In each case, ARG is the path to be converted from $build to $host format.
-# The result will be available in $func_to_host_path_result.
-#
-# Path separators are also converted from $build format to $host format.  If
-# ARG begins or ends with a path separator character, it is preserved (but
-# converted to $host format) on output.
-#
-# All path conversion functions are named using the following convention:
-#   file name conversion function    : func_convert_file_X_to_Y ()
-#   path conversion function         : func_convert_path_X_to_Y ()
-# where, for any given $build/$host combination the 'X_to_Y' value is the
-# same.  If conversion functions are added for new $build/$host combinations,
-# the two new functions must follow this pattern, or func_init_to_host_path_cmd
-# will break.
-
-
-# func_init_to_host_path_cmd
-# Ensures that function "pointer" variable $to_host_path_cmd is set to the
-# appropriate value, based on the value of $to_host_file_cmd.
-to_host_path_cmd=
-func_init_to_host_path_cmd ()
-{
-  $opt_debug
-  if test -z "$to_host_path_cmd"; then
-    func_stripname 'func_convert_file_' '' "$to_host_file_cmd"
-    to_host_path_cmd="func_convert_path_${func_stripname_result}"
-  fi
-}
-
-
-# func_to_host_path ARG
-# Converts the path ARG from $build format to $host format. Return result
-# in func_to_host_path_result.
-func_to_host_path ()
-{
-  $opt_debug
-  func_init_to_host_path_cmd
-  $to_host_path_cmd "$1"
-}
-# end func_to_host_path
-
-
-# func_convert_path_noop ARG
-# Copy ARG to func_to_host_path_result.
-func_convert_path_noop ()
-{
-  func_to_host_path_result="$1"
-}
-# end func_convert_path_noop
-
-
-# func_convert_path_msys_to_w32 ARG
-# Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic
-# conversion to w32 is not available inside the cwrapper.  Returns result in
-# func_to_host_path_result.
-func_convert_path_msys_to_w32 ()
-{
-  $opt_debug
-  func_to_host_path_result="$1"
-  if test -n "$1"; then
-    # Remove leading and trailing path separator characters from ARG.  MSYS
-    # behavior is inconsistent here; cygpath turns them into '.;' and ';.';
-    # and winepath ignores them completely.
-    func_stripname : : "$1"
-    func_to_host_path_tmp1=$func_stripname_result
-    func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
-    func_to_host_path_result="$func_convert_core_msys_to_w32_result"
-    func_convert_path_check : ";" \
-      "$func_to_host_path_tmp1" "$func_to_host_path_result"
-    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
-  fi
-}
-# end func_convert_path_msys_to_w32
-
-
-# func_convert_path_cygwin_to_w32 ARG
-# Convert path ARG from Cygwin to w32 format.  Returns result in
-# func_to_host_file_result.
-func_convert_path_cygwin_to_w32 ()
-{
-  $opt_debug
-  func_to_host_path_result="$1"
-  if test -n "$1"; then
-    # See func_convert_path_msys_to_w32:
-    func_stripname : : "$1"
-    func_to_host_path_tmp1=$func_stripname_result
-    func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"`
-    func_convert_path_check : ";" \
-      "$func_to_host_path_tmp1" "$func_to_host_path_result"
-    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
-  fi
-}
-# end func_convert_path_cygwin_to_w32
-
-
-# func_convert_path_nix_to_w32 ARG
-# Convert path ARG from *nix to w32 format.  Requires a wine environment and
-# a working winepath.  Returns result in func_to_host_file_result.
-func_convert_path_nix_to_w32 ()
-{
-  $opt_debug
-  func_to_host_path_result="$1"
-  if test -n "$1"; then
-    # See func_convert_path_msys_to_w32:
-    func_stripname : : "$1"
-    func_to_host_path_tmp1=$func_stripname_result
-    func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
-    func_to_host_path_result="$func_convert_core_path_wine_to_w32_result"
-    func_convert_path_check : ";" \
-      "$func_to_host_path_tmp1" "$func_to_host_path_result"
-    func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
-  fi
-}
-# end func_convert_path_nix_to_w32
-
-
-# func_convert_path_msys_to_cygwin ARG
-# Convert path ARG from MSYS to Cygwin format.  Requires LT_CYGPATH set.
-# Returns result in func_to_host_file_result.
-func_convert_path_msys_to_cygwin ()
-{
-  $opt_debug
-  func_to_host_path_result="$1"
-  if test -n "$1"; then
-    # See func_convert_path_msys_to_w32:
-    func_stripname : : "$1"
-    func_to_host_path_tmp1=$func_stripname_result
-    func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
-    func_cygpath -u -p "$func_convert_core_msys_to_w32_result"
-    func_to_host_path_result="$func_cygpath_result"
-    func_convert_path_check : : \
-      "$func_to_host_path_tmp1" "$func_to_host_path_result"
-    func_convert_path_front_back_pathsep ":*" "*:" : "$1"
-  fi
-}
-# end func_convert_path_msys_to_cygwin
-
-
-# func_convert_path_nix_to_cygwin ARG
-# Convert path ARG from *nix to Cygwin format.  Requires Cygwin installed in a
-# a wine environment, working winepath, and LT_CYGPATH set.  Returns result in
-# func_to_host_file_result.
-func_convert_path_nix_to_cygwin ()
-{
-  $opt_debug
-  func_to_host_path_result="$1"
-  if test -n "$1"; then
-    # Remove leading and trailing path separator characters from
-    # ARG. msys behavior is inconsistent here, cygpath turns them
-    # into '.;' and ';.', and winepath ignores them completely.
-    func_stripname : : "$1"
-    func_to_host_path_tmp1=$func_stripname_result
-    func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
-    func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result"
-    func_to_host_path_result="$func_cygpath_result"
-    func_convert_path_check : : \
-      "$func_to_host_path_tmp1" "$func_to_host_path_result"
-    func_convert_path_front_back_pathsep ":*" "*:" : "$1"
-  fi
-}
-# end func_convert_path_nix_to_cygwin
-
-
-# func_mode_compile arg...
-func_mode_compile ()
-{
-    $opt_debug
-    # Get the compilation command and the source file.
-    base_compile=
-    srcfile="$nonopt"  #  always keep a non-empty value in "srcfile"
-    suppress_opt=yes
-    suppress_output=
-    arg_mode=normal
-    libobj=
-    later=
-    pie_flag=
-
-    for arg
-    do
-      case $arg_mode in
-      arg  )
-	# do not "continue".  Instead, add this to base_compile
-	lastarg="$arg"
-	arg_mode=normal
-	;;
-
-      target )
-	libobj="$arg"
-	arg_mode=normal
-	continue
-	;;
-
-      normal )
-	# Accept any command-line options.
-	case $arg in
-	-o)
-	  test -n "$libobj" && \
-	    func_fatal_error "you cannot specify \`-o' more than once"
-	  arg_mode=target
-	  continue
-	  ;;
-
-	-pie | -fpie | -fPIE)
-          func_append pie_flag " $arg"
-	  continue
-	  ;;
-
-	-shared | -static | -prefer-pic | -prefer-non-pic)
-	  func_append later " $arg"
-	  continue
-	  ;;
-
-	-no-suppress)
-	  suppress_opt=no
-	  continue
-	  ;;
-
-	-Xcompiler)
-	  arg_mode=arg  #  the next one goes into the "base_compile" arg list
-	  continue      #  The current "srcfile" will either be retained or
-	  ;;            #  replaced later.  I would guess that would be a bug.
-
-	-Wc,*)
-	  func_stripname '-Wc,' '' "$arg"
-	  args=$func_stripname_result
-	  lastarg=
-	  save_ifs="$IFS"; IFS=','
-	  for arg in $args; do
-	    IFS="$save_ifs"
-	    func_append_quoted lastarg "$arg"
-	  done
-	  IFS="$save_ifs"
-	  func_stripname ' ' '' "$lastarg"
-	  lastarg=$func_stripname_result
-
-	  # Add the arguments to base_compile.
-	  func_append base_compile " $lastarg"
-	  continue
-	  ;;
-
-	*)
-	  # Accept the current argument as the source file.
-	  # The previous "srcfile" becomes the current argument.
-	  #
-	  lastarg="$srcfile"
-	  srcfile="$arg"
-	  ;;
-	esac  #  case $arg
-	;;
-      esac    #  case $arg_mode
-
-      # Aesthetically quote the previous argument.
-      func_append_quoted base_compile "$lastarg"
-    done # for arg
-
-    case $arg_mode in
-    arg)
-      func_fatal_error "you must specify an argument for -Xcompile"
-      ;;
-    target)
-      func_fatal_error "you must specify a target with \`-o'"
-      ;;
-    *)
-      # Get the name of the library object.
-      test -z "$libobj" && {
-	func_basename "$srcfile"
-	libobj="$func_basename_result"
-      }
-      ;;
-    esac
-
-    # Recognize several different file suffixes.
-    # If the user specifies -o file.o, it is replaced with file.lo
-    case $libobj in
-    *.[cCFSifmso] | \
-    *.ada | *.adb | *.ads | *.asm | \
-    *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \
-    *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup)
-      func_xform "$libobj"
-      libobj=$func_xform_result
-      ;;
-    esac
-
-    case $libobj in
-    *.lo) func_lo2o "$libobj"; obj=$func_lo2o_result ;;
-    *)
-      func_fatal_error "cannot determine name of library object from \`$libobj'"
-      ;;
-    esac
-
-    func_infer_tag $base_compile
-
-    for arg in $later; do
-      case $arg in
-      -shared)
-	test "$build_libtool_libs" != yes && \
-	  func_fatal_configuration "can not build a shared library"
-	build_old_libs=no
-	continue
-	;;
-
-      -static)
-	build_libtool_libs=no
-	build_old_libs=yes
-	continue
-	;;
-
-      -prefer-pic)
-	pic_mode=yes
-	continue
-	;;
-
-      -prefer-non-pic)
-	pic_mode=no
-	continue
-	;;
-      esac
-    done
-
-    func_quote_for_eval "$libobj"
-    test "X$libobj" != "X$func_quote_for_eval_result" \
-      && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"'	 &()|`$[]' \
-      && func_warning "libobj name \`$libobj' may not contain shell special characters."
-    func_dirname_and_basename "$obj" "/" ""
-    objname="$func_basename_result"
-    xdir="$func_dirname_result"
-    lobj=${xdir}$objdir/$objname
-
-    test -z "$base_compile" && \
-      func_fatal_help "you must specify a compilation command"
-
-    # Delete any leftover library objects.
-    if test "$build_old_libs" = yes; then
-      removelist="$obj $lobj $libobj ${libobj}T"
-    else
-      removelist="$lobj $libobj ${libobj}T"
-    fi
-
-    # On Cygwin there's no "real" PIC flag so we must build both object types
-    case $host_os in
-    cygwin* | mingw* | pw32* | os2* | cegcc*)
-      pic_mode=default
-      ;;
-    esac
-    if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then
-      # non-PIC code in shared libraries is not supported
-      pic_mode=default
-    fi
-
-    # Calculate the filename of the output object if compiler does
-    # not support -o with -c
-    if test "$compiler_c_o" = no; then
-      output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.${objext}
-      lockfile="$output_obj.lock"
-    else
-      output_obj=
-      need_locks=no
-      lockfile=
-    fi
-
-    # Lock this critical section if it is needed
-    # We use this script file to make the link, it avoids creating a new file
-    if test "$need_locks" = yes; then
-      until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
-	func_echo "Waiting for $lockfile to be removed"
-	sleep 2
-      done
-    elif test "$need_locks" = warn; then
-      if test -f "$lockfile"; then
-	$ECHO "\
-*** ERROR, $lockfile exists and contains:
-`cat $lockfile 2>/dev/null`
-
-This indicates that another process is trying to use the same
-temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together.  If you
-repeat this compilation, it may succeed, by chance, but you had better
-avoid parallel builds (make -j) in this platform, or get a better
-compiler."
-
-	$opt_dry_run || $RM $removelist
-	exit $EXIT_FAILURE
-      fi
-      func_append removelist " $output_obj"
-      $ECHO "$srcfile" > "$lockfile"
-    fi
-
-    $opt_dry_run || $RM $removelist
-    func_append removelist " $lockfile"
-    trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15
-
-    func_to_tool_file "$srcfile" func_convert_file_msys_to_w32
-    srcfile=$func_to_tool_file_result
-    func_quote_for_eval "$srcfile"
-    qsrcfile=$func_quote_for_eval_result
-
-    # Only build a PIC object if we are building libtool libraries.
-    if test "$build_libtool_libs" = yes; then
-      # Without this assignment, base_compile gets emptied.
-      fbsd_hideous_sh_bug=$base_compile
-
-      if test "$pic_mode" != no; then
-	command="$base_compile $qsrcfile $pic_flag"
-      else
-	# Don't build PIC code
-	command="$base_compile $qsrcfile"
-      fi
-
-      func_mkdir_p "$xdir$objdir"
-
-      if test -z "$output_obj"; then
-	# Place PIC objects in $objdir
-	func_append command " -o $lobj"
-      fi
-
-      func_show_eval_locale "$command"	\
-          'test -n "$output_obj" && $RM $removelist; exit $EXIT_FAILURE'
-
-      if test "$need_locks" = warn &&
-	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
-	$ECHO "\
-*** ERROR, $lockfile contains:
-`cat $lockfile 2>/dev/null`
-
-but it should contain:
-$srcfile
-
-This indicates that another process is trying to use the same
-temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together.  If you
-repeat this compilation, it may succeed, by chance, but you had better
-avoid parallel builds (make -j) in this platform, or get a better
-compiler."
-
-	$opt_dry_run || $RM $removelist
-	exit $EXIT_FAILURE
-      fi
-
-      # Just move the object if needed, then go on to compile the next one
-      if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then
-	func_show_eval '$MV "$output_obj" "$lobj"' \
-	  'error=$?; $opt_dry_run || $RM $removelist; exit $error'
-      fi
-
-      # Allow error messages only from the first compilation.
-      if test "$suppress_opt" = yes; then
-	suppress_output=' >/dev/null 2>&1'
-      fi
-    fi
-
-    # Only build a position-dependent object if we build old libraries.
-    if test "$build_old_libs" = yes; then
-      if test "$pic_mode" != yes; then
-	# Don't build PIC code
-	command="$base_compile $qsrcfile$pie_flag"
-      else
-	command="$base_compile $qsrcfile $pic_flag"
-      fi
-      if test "$compiler_c_o" = yes; then
-	func_append command " -o $obj"
-      fi
-
-      # Suppress compiler output if we already did a PIC compilation.
-      func_append command "$suppress_output"
-      func_show_eval_locale "$command" \
-        '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE'
-
-      if test "$need_locks" = warn &&
-	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
-	$ECHO "\
-*** ERROR, $lockfile contains:
-`cat $lockfile 2>/dev/null`
-
-but it should contain:
-$srcfile
-
-This indicates that another process is trying to use the same
-temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together.  If you
-repeat this compilation, it may succeed, by chance, but you had better
-avoid parallel builds (make -j) in this platform, or get a better
-compiler."
-
-	$opt_dry_run || $RM $removelist
-	exit $EXIT_FAILURE
-      fi
-
-      # Just move the object if needed
-      if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then
-	func_show_eval '$MV "$output_obj" "$obj"' \
-	  'error=$?; $opt_dry_run || $RM $removelist; exit $error'
-      fi
-    fi
-
-    $opt_dry_run || {
-      func_write_libtool_object "$libobj" "$objdir/$objname" "$objname"
-
-      # Unlock the critical section if it was locked
-      if test "$need_locks" != no; then
-	removelist=$lockfile
-        $RM "$lockfile"
-      fi
-    }
-
-    exit $EXIT_SUCCESS
-}
-
-$opt_help || {
-  test "$opt_mode" = compile && func_mode_compile ${1+"$@"}
-}
-
-func_mode_help ()
-{
-    # We need to display help for each of the modes.
-    case $opt_mode in
-      "")
-        # Generic help is extracted from the usage comments
-        # at the start of this file.
-        func_help
-        ;;
-
-      clean)
-        $ECHO \
-"Usage: $progname [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
-
-Remove files from the build directory.
-
-RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
-to RM.
-
-If FILE is a libtool library, object or program, all the files associated
-with it are deleted. Otherwise, only FILE itself is deleted using RM."
-        ;;
-
-      compile)
-      $ECHO \
-"Usage: $progname [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
-
-Compile a source file into a libtool library object.
-
-This mode accepts the following additional options:
-
-  -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
-  -no-suppress      do not suppress compiler output for multiple passes
-  -prefer-pic       try to build PIC objects only
-  -prefer-non-pic   try to build non-PIC objects only
-  -shared           do not build a \`.o' file suitable for static linking
-  -static           only build a \`.o' file suitable for static linking
-  -Wc,FLAG          pass FLAG directly to the compiler
-
-COMPILE-COMMAND is a command to be used in creating a \`standard' object file
-from the given SOURCEFILE.
-
-The output file name is determined by removing the directory component from
-SOURCEFILE, then substituting the C source code suffix \`.c' with the
-library object suffix, \`.lo'."
-        ;;
-
-      execute)
-        $ECHO \
-"Usage: $progname [OPTION]... --mode=execute COMMAND [ARGS]...
-
-Automatically set library path, then run a program.
-
-This mode accepts the following additional options:
-
-  -dlopen FILE      add the directory containing FILE to the library path
-
-This mode sets the library path environment variable according to \`-dlopen'
-flags.
-
-If any of the ARGS are libtool executable wrappers, then they are translated
-into their corresponding uninstalled binary, and any of their required library
-directories are added to the library path.
-
-Then, COMMAND is executed, with ARGS as arguments."
-        ;;
-
-      finish)
-        $ECHO \
-"Usage: $progname [OPTION]... --mode=finish [LIBDIR]...
-
-Complete the installation of libtool libraries.
-
-Each LIBDIR is a directory that contains libtool libraries.
-
-The commands that this mode executes may require superuser privileges.  Use
-the \`--dry-run' option if you just want to see what would be executed."
-        ;;
-
-      install)
-        $ECHO \
-"Usage: $progname [OPTION]... --mode=install INSTALL-COMMAND...
-
-Install executables or libraries.
-
-INSTALL-COMMAND is the installation command.  The first component should be
-either the \`install' or \`cp' program.
-
-The following components of INSTALL-COMMAND are treated specially:
-
-  -inst-prefix-dir PREFIX-DIR  Use PREFIX-DIR as a staging area for installation
-
-The rest of the components are interpreted as arguments to that command (only
-BSD-compatible install options are recognized)."
-        ;;
-
-      link)
-        $ECHO \
-"Usage: $progname [OPTION]... --mode=link LINK-COMMAND...
-
-Link object files or libraries together to form another library, or to
-create an executable program.
-
-LINK-COMMAND is a command using the C compiler that you would use to create
-a program from several object files.
-
-The following components of LINK-COMMAND are treated specially:
-
-  -all-static       do not do any dynamic linking at all
-  -avoid-version    do not add a version suffix if possible
-  -bindir BINDIR    specify path to binaries directory (for systems where
-                    libraries must be found in the PATH setting at runtime)
-  -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
-  -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
-  -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
-  -export-symbols SYMFILE
-                    try to export only the symbols listed in SYMFILE
-  -export-symbols-regex REGEX
-                    try to export only the symbols matching REGEX
-  -LLIBDIR          search LIBDIR for required installed libraries
-  -lNAME            OUTPUT-FILE requires the installed library libNAME
-  -module           build a library that can dlopened
-  -no-fast-install  disable the fast-install mode
-  -no-install       link a not-installable executable
-  -no-undefined     declare that a library does not refer to external symbols
-  -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
-  -objectlist FILE  Use a list of object files found in FILE to specify objects
-  -precious-files-regex REGEX
-                    don't remove output files matching REGEX
-  -release RELEASE  specify package release information
-  -rpath LIBDIR     the created library will eventually be installed in LIBDIR
-  -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
-  -shared           only do dynamic linking of libtool libraries
-  -shrext SUFFIX    override the standard shared library file extension
-  -static           do not do any dynamic linking of uninstalled libtool libraries
-  -static-libtool-libs
-                    do not do any dynamic linking of libtool libraries
-  -version-info CURRENT[:REVISION[:AGE]]
-                    specify library version info [each variable defaults to 0]
-  -weak LIBNAME     declare that the target provides the LIBNAME interface
-  -Wc,FLAG
-  -Xcompiler FLAG   pass linker-specific FLAG directly to the compiler
-  -Wl,FLAG
-  -Xlinker FLAG     pass linker-specific FLAG directly to the linker
-  -XCClinker FLAG   pass link-specific FLAG to the compiler driver (CC)
-
-All other options (arguments beginning with \`-') are ignored.
-
-Every other argument is treated as a filename.  Files ending in \`.la' are
-treated as uninstalled libtool libraries, other files are standard or library
-object files.
-
-If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
-only library objects (\`.lo' files) may be specified, and \`-rpath' is
-required, except when creating a convenience library.
-
-If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
-using \`ar' and \`ranlib', or on Windows using \`lib'.
-
-If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
-is created, otherwise an executable program is created."
-        ;;
-
-      uninstall)
-        $ECHO \
-"Usage: $progname [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
-
-Remove libraries from an installation directory.
-
-RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
-to RM.
-
-If FILE is a libtool library, all the files associated with it are deleted.
-Otherwise, only FILE itself is deleted using RM."
-        ;;
-
-      *)
-        func_fatal_help "invalid operation mode \`$opt_mode'"
-        ;;
-    esac
-
-    echo
-    $ECHO "Try \`$progname --help' for more information about other modes."
-}
-
-# Now that we've collected a possible --mode arg, show help if necessary
-if $opt_help; then
-  if test "$opt_help" = :; then
-    func_mode_help
-  else
-    {
-      func_help noexit
-      for opt_mode in compile link execute install finish uninstall clean; do
-	func_mode_help
-      done
-    } | sed -n '1p; 2,$s/^Usage:/  or: /p'
-    {
-      func_help noexit
-      for opt_mode in compile link execute install finish uninstall clean; do
-	echo
-	func_mode_help
-      done
-    } |
-    sed '1d
-      /^When reporting/,/^Report/{
-	H
-	d
-      }
-      $x
-      /information about other modes/d
-      /more detailed .*MODE/d
-      s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/'
-  fi
-  exit $?
-fi
-
-
-# func_mode_execute arg...
-func_mode_execute ()
-{
-    $opt_debug
-    # The first argument is the command name.
-    cmd="$nonopt"
-    test -z "$cmd" && \
-      func_fatal_help "you must specify a COMMAND"
-
-    # Handle -dlopen flags immediately.
-    for file in $opt_dlopen; do
-      test -f "$file" \
-	|| func_fatal_help "\`$file' is not a file"
-
-      dir=
-      case $file in
-      *.la)
-	func_resolve_sysroot "$file"
-	file=$func_resolve_sysroot_result
-
-	# Check to see that this really is a libtool archive.
-	func_lalib_unsafe_p "$file" \
-	  || func_fatal_help "\`$lib' is not a valid libtool archive"
-
-	# Read the libtool library.
-	dlname=
-	library_names=
-	func_source "$file"
-
-	# Skip this library if it cannot be dlopened.
-	if test -z "$dlname"; then
-	  # Warn if it was a shared library.
-	  test -n "$library_names" && \
-	    func_warning "\`$file' was not linked with \`-export-dynamic'"
-	  continue
-	fi
-
-	func_dirname "$file" "" "."
-	dir="$func_dirname_result"
-
-	if test -f "$dir/$objdir/$dlname"; then
-	  func_append dir "/$objdir"
-	else
-	  if test ! -f "$dir/$dlname"; then
-	    func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'"
-	  fi
-	fi
-	;;
-
-      *.lo)
-	# Just add the directory containing the .lo file.
-	func_dirname "$file" "" "."
-	dir="$func_dirname_result"
-	;;
-
-      *)
-	func_warning "\`-dlopen' is ignored for non-libtool libraries and objects"
-	continue
-	;;
-      esac
-
-      # Get the absolute pathname.
-      absdir=`cd "$dir" && pwd`
-      test -n "$absdir" && dir="$absdir"
-
-      # Now add the directory to shlibpath_var.
-      if eval "test -z \"\$$shlibpath_var\""; then
-	eval "$shlibpath_var=\"\$dir\""
-      else
-	eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
-      fi
-    done
-
-    # This variable tells wrapper scripts just to set shlibpath_var
-    # rather than running their programs.
-    libtool_execute_magic="$magic"
-
-    # Check if any of the arguments is a wrapper script.
-    args=
-    for file
-    do
-      case $file in
-      -* | *.la | *.lo ) ;;
-      *)
-	# Do a test to see if this is really a libtool program.
-	if func_ltwrapper_script_p "$file"; then
-	  func_source "$file"
-	  # Transform arg to wrapped name.
-	  file="$progdir/$program"
-	elif func_ltwrapper_executable_p "$file"; then
-	  func_ltwrapper_scriptname "$file"
-	  func_source "$func_ltwrapper_scriptname_result"
-	  # Transform arg to wrapped name.
-	  file="$progdir/$program"
-	fi
-	;;
-      esac
-      # Quote arguments (to preserve shell metacharacters).
-      func_append_quoted args "$file"
-    done
-
-    if test "X$opt_dry_run" = Xfalse; then
-      if test -n "$shlibpath_var"; then
-	# Export the shlibpath_var.
-	eval "export $shlibpath_var"
-      fi
-
-      # Restore saved environment variables
-      for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
-      do
-	eval "if test \"\${save_$lt_var+set}\" = set; then
-                $lt_var=\$save_$lt_var; export $lt_var
-	      else
-		$lt_unset $lt_var
-	      fi"
-      done
-
-      # Now prepare to actually exec the command.
-      exec_cmd="\$cmd$args"
-    else
-      # Display what would be done.
-      if test -n "$shlibpath_var"; then
-	eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\""
-	echo "export $shlibpath_var"
-      fi
-      $ECHO "$cmd$args"
-      exit $EXIT_SUCCESS
-    fi
-}
-
-test "$opt_mode" = execute && func_mode_execute ${1+"$@"}
-
-
-# func_mode_finish arg...
-func_mode_finish ()
-{
-    $opt_debug
-    libs=
-    libdirs=
-    admincmds=
-
-    for opt in "$nonopt" ${1+"$@"}
-    do
-      if test -d "$opt"; then
-	func_append libdirs " $opt"
-
-      elif test -f "$opt"; then
-	if func_lalib_unsafe_p "$opt"; then
-	  func_append libs " $opt"
-	else
-	  func_warning "\`$opt' is not a valid libtool archive"
-	fi
-
-      else
-	func_fatal_error "invalid argument \`$opt'"
-      fi
-    done
-
-    if test -n "$libs"; then
-      if test -n "$lt_sysroot"; then
-        sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"`
-        sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;"
-      else
-        sysroot_cmd=
-      fi
-
-      # Remove sysroot references
-      if $opt_dry_run; then
-        for lib in $libs; do
-          echo "removing references to $lt_sysroot and \`=' prefixes from $lib"
-        done
-      else
-        tmpdir=`func_mktempdir`
-        for lib in $libs; do
-	  sed -e "${sysroot_cmd} s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \
-	    > $tmpdir/tmp-la
-	  mv -f $tmpdir/tmp-la $lib
-	done
-        ${RM}r "$tmpdir"
-      fi
-    fi
-
-    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
-      for libdir in $libdirs; do
-	if test -n "$finish_cmds"; then
-	  # Do each command in the finish commands.
-	  func_execute_cmds "$finish_cmds" 'admincmds="$admincmds
-'"$cmd"'"'
-	fi
-	if test -n "$finish_eval"; then
-	  # Do the single finish_eval.
-	  eval cmds=\"$finish_eval\"
-	  $opt_dry_run || eval "$cmds" || func_append admincmds "
-       $cmds"
-	fi
-      done
-    fi
-
-    # Exit here if they wanted silent mode.
-    $opt_silent && exit $EXIT_SUCCESS
-
-    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
-      echo "----------------------------------------------------------------------"
-      echo "Libraries have been installed in:"
-      for libdir in $libdirs; do
-	$ECHO "   $libdir"
-      done
-      echo
-      echo "If you ever happen to want to link against installed libraries"
-      echo "in a given directory, LIBDIR, you must either use libtool, and"
-      echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
-      echo "flag during linking and do at least one of the following:"
-      if test -n "$shlibpath_var"; then
-	echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
-	echo "     during execution"
-      fi
-      if test -n "$runpath_var"; then
-	echo "   - add LIBDIR to the \`$runpath_var' environment variable"
-	echo "     during linking"
-      fi
-      if test -n "$hardcode_libdir_flag_spec"; then
-	libdir=LIBDIR
-	eval flag=\"$hardcode_libdir_flag_spec\"
-
-	$ECHO "   - use the \`$flag' linker flag"
-      fi
-      if test -n "$admincmds"; then
-	$ECHO "   - have your system administrator run these commands:$admincmds"
-      fi
-      if test -f /etc/ld.so.conf; then
-	echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
-      fi
-      echo
-
-      echo "See any operating system documentation about shared libraries for"
-      case $host in
-	solaris2.[6789]|solaris2.1[0-9])
-	  echo "more information, such as the ld(1), crle(1) and ld.so(8) manual"
-	  echo "pages."
-	  ;;
-	*)
-	  echo "more information, such as the ld(1) and ld.so(8) manual pages."
-	  ;;
-      esac
-      echo "----------------------------------------------------------------------"
-    fi
-    exit $EXIT_SUCCESS
-}
-
-test "$opt_mode" = finish && func_mode_finish ${1+"$@"}
-
-
-# func_mode_install arg...
-func_mode_install ()
-{
-    $opt_debug
-    # There may be an optional sh(1) argument at the beginning of
-    # install_prog (especially on Windows NT).
-    if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
-       # Allow the use of GNU shtool's install command.
-       case $nonopt in *shtool*) :;; *) false;; esac; then
-      # Aesthetically quote it.
-      func_quote_for_eval "$nonopt"
-      install_prog="$func_quote_for_eval_result "
-      arg=$1
-      shift
-    else
-      install_prog=
-      arg=$nonopt
-    fi
-
-    # The real first argument should be the name of the installation program.
-    # Aesthetically quote it.
-    func_quote_for_eval "$arg"
-    func_append install_prog "$func_quote_for_eval_result"
-    install_shared_prog=$install_prog
-    case " $install_prog " in
-      *[\\\ /]cp\ *) install_cp=: ;;
-      *) install_cp=false ;;
-    esac
-
-    # We need to accept at least all the BSD install flags.
-    dest=
-    files=
-    opts=
-    prev=
-    install_type=
-    isdir=no
-    stripme=
-    no_mode=:
-    for arg
-    do
-      arg2=
-      if test -n "$dest"; then
-	func_append files " $dest"
-	dest=$arg
-	continue
-      fi
-
-      case $arg in
-      -d) isdir=yes ;;
-      -f)
-	if $install_cp; then :; else
-	  prev=$arg
-	fi
-	;;
-      -g | -m | -o)
-	prev=$arg
-	;;
-      -s)
-	stripme=" -s"
-	continue
-	;;
-      -*)
-	;;
-      *)
-	# If the previous option needed an argument, then skip it.
-	if test -n "$prev"; then
-	  if test "x$prev" = x-m && test -n "$install_override_mode"; then
-	    arg2=$install_override_mode
-	    no_mode=false
-	  fi
-	  prev=
-	else
-	  dest=$arg
-	  continue
-	fi
-	;;
-      esac
-
-      # Aesthetically quote the argument.
-      func_quote_for_eval "$arg"
-      func_append install_prog " $func_quote_for_eval_result"
-      if test -n "$arg2"; then
-	func_quote_for_eval "$arg2"
-      fi
-      func_append install_shared_prog " $func_quote_for_eval_result"
-    done
-
-    test -z "$install_prog" && \
-      func_fatal_help "you must specify an install program"
-
-    test -n "$prev" && \
-      func_fatal_help "the \`$prev' option requires an argument"
-
-    if test -n "$install_override_mode" && $no_mode; then
-      if $install_cp; then :; else
-	func_quote_for_eval "$install_override_mode"
-	func_append install_shared_prog " -m $func_quote_for_eval_result"
-      fi
-    fi
-
-    if test -z "$files"; then
-      if test -z "$dest"; then
-	func_fatal_help "no file or destination specified"
-      else
-	func_fatal_help "you must specify a destination"
-      fi
-    fi
-
-    # Strip any trailing slash from the destination.
-    func_stripname '' '/' "$dest"
-    dest=$func_stripname_result
-
-    # Check to see that the destination is a directory.
-    test -d "$dest" && isdir=yes
-    if test "$isdir" = yes; then
-      destdir="$dest"
-      destname=
-    else
-      func_dirname_and_basename "$dest" "" "."
-      destdir="$func_dirname_result"
-      destname="$func_basename_result"
-
-      # Not a directory, so check to see that there is only one file specified.
-      set dummy $files; shift
-      test "$#" -gt 1 && \
-	func_fatal_help "\`$dest' is not a directory"
-    fi
-    case $destdir in
-    [\\/]* | [A-Za-z]:[\\/]*) ;;
-    *)
-      for file in $files; do
-	case $file in
-	*.lo) ;;
-	*)
-	  func_fatal_help "\`$destdir' must be an absolute directory name"
-	  ;;
-	esac
-      done
-      ;;
-    esac
-
-    # This variable tells wrapper scripts just to set variables rather
-    # than running their programs.
-    libtool_install_magic="$magic"
-
-    staticlibs=
-    future_libdirs=
-    current_libdirs=
-    for file in $files; do
-
-      # Do each installation.
-      case $file in
-      *.$libext)
-	# Do the static libraries later.
-	func_append staticlibs " $file"
-	;;
-
-      *.la)
-	func_resolve_sysroot "$file"
-	file=$func_resolve_sysroot_result
-
-	# Check to see that this really is a libtool archive.
-	func_lalib_unsafe_p "$file" \
-	  || func_fatal_help "\`$file' is not a valid libtool archive"
-
-	library_names=
-	old_library=
-	relink_command=
-	func_source "$file"
-
-	# Add the libdir to current_libdirs if it is the destination.
-	if test "X$destdir" = "X$libdir"; then
-	  case "$current_libdirs " in
-	  *" $libdir "*) ;;
-	  *) func_append current_libdirs " $libdir" ;;
-	  esac
-	else
-	  # Note the libdir as a future libdir.
-	  case "$future_libdirs " in
-	  *" $libdir "*) ;;
-	  *) func_append future_libdirs " $libdir" ;;
-	  esac
-	fi
-
-	func_dirname "$file" "/" ""
-	dir="$func_dirname_result"
-	func_append dir "$objdir"
-
-	if test -n "$relink_command"; then
-	  # Determine the prefix the user has applied to our future dir.
-	  inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"`
-
-	  # Don't allow the user to place us outside of our expected
-	  # location b/c this prevents finding dependent libraries that
-	  # are installed to the same prefix.
-	  # At present, this check doesn't affect windows .dll's that
-	  # are installed into $libdir/../bin (currently, that works fine)
-	  # but it's something to keep an eye on.
-	  test "$inst_prefix_dir" = "$destdir" && \
-	    func_fatal_error "error: cannot install \`$file' to a directory not ending in $libdir"
-
-	  if test -n "$inst_prefix_dir"; then
-	    # Stick the inst_prefix_dir data into the link command.
-	    relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
-	  else
-	    relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
-	  fi
-
-	  func_warning "relinking \`$file'"
-	  func_show_eval "$relink_command" \
-	    'func_fatal_error "error: relink \`$file'\'' with the above command before installing it"'
-	fi
-
-	# See the names of the shared library.
-	set dummy $library_names; shift
-	if test -n "$1"; then
-	  realname="$1"
-	  shift
-
-	  srcname="$realname"
-	  test -n "$relink_command" && srcname="$realname"T
-
-	  # Install the shared library and build the symlinks.
-	  func_show_eval "$install_shared_prog $dir/$srcname $destdir/$realname" \
-	      'exit $?'
-	  tstripme="$stripme"
-	  case $host_os in
-	  cygwin* | mingw* | pw32* | cegcc*)
-	    case $realname in
-	    *.dll.a)
-	      tstripme=""
-	      ;;
-	    esac
-	    ;;
-	  esac
-	  if test -n "$tstripme" && test -n "$striplib"; then
-	    func_show_eval "$striplib $destdir/$realname" 'exit $?'
-	  fi
-
-	  if test "$#" -gt 0; then
-	    # Delete the old symlinks, and create new ones.
-	    # Try `ln -sf' first, because the `ln' binary might depend on
-	    # the symlink we replace!  Solaris /bin/ln does not understand -f,
-	    # so we also need to try rm && ln -s.
-	    for linkname
-	    do
-	      test "$linkname" != "$realname" \
-		&& func_show_eval "(cd $destdir && { $LN_S -f $realname $linkname || { $RM $linkname && $LN_S $realname $linkname; }; })"
-	    done
-	  fi
-
-	  # Do each command in the postinstall commands.
-	  lib="$destdir/$realname"
-	  func_execute_cmds "$postinstall_cmds" 'exit $?'
-	fi
-
-	# Install the pseudo-library for information purposes.
-	func_basename "$file"
-	name="$func_basename_result"
-	instname="$dir/$name"i
-	func_show_eval "$install_prog $instname $destdir/$name" 'exit $?'
-
-	# Maybe install the static library, too.
-	test -n "$old_library" && func_append staticlibs " $dir/$old_library"
-	;;
-
-      *.lo)
-	# Install (i.e. copy) a libtool object.
-
-	# Figure out destination file name, if it wasn't already specified.
-	if test -n "$destname"; then
-	  destfile="$destdir/$destname"
-	else
-	  func_basename "$file"
-	  destfile="$func_basename_result"
-	  destfile="$destdir/$destfile"
-	fi
-
-	# Deduce the name of the destination old-style object file.
-	case $destfile in
-	*.lo)
-	  func_lo2o "$destfile"
-	  staticdest=$func_lo2o_result
-	  ;;
-	*.$objext)
-	  staticdest="$destfile"
-	  destfile=
-	  ;;
-	*)
-	  func_fatal_help "cannot copy a libtool object to \`$destfile'"
-	  ;;
-	esac
-
-	# Install the libtool object if requested.
-	test -n "$destfile" && \
-	  func_show_eval "$install_prog $file $destfile" 'exit $?'
-
-	# Install the old object if enabled.
-	if test "$build_old_libs" = yes; then
-	  # Deduce the name of the old-style object file.
-	  func_lo2o "$file"
-	  staticobj=$func_lo2o_result
-	  func_show_eval "$install_prog \$staticobj \$staticdest" 'exit $?'
-	fi
-	exit $EXIT_SUCCESS
-	;;
-
-      *)
-	# Figure out destination file name, if it wasn't already specified.
-	if test -n "$destname"; then
-	  destfile="$destdir/$destname"
-	else
-	  func_basename "$file"
-	  destfile="$func_basename_result"
-	  destfile="$destdir/$destfile"
-	fi
-
-	# If the file is missing, and there is a .exe on the end, strip it
-	# because it is most likely a libtool script we actually want to
-	# install
-	stripped_ext=""
-	case $file in
-	  *.exe)
-	    if test ! -f "$file"; then
-	      func_stripname '' '.exe' "$file"
-	      file=$func_stripname_result
-	      stripped_ext=".exe"
-	    fi
-	    ;;
-	esac
-
-	# Do a test to see if this is really a libtool program.
-	case $host in
-	*cygwin* | *mingw*)
-	    if func_ltwrapper_executable_p "$file"; then
-	      func_ltwrapper_scriptname "$file"
-	      wrapper=$func_ltwrapper_scriptname_result
-	    else
-	      func_stripname '' '.exe' "$file"
-	      wrapper=$func_stripname_result
-	    fi
-	    ;;
-	*)
-	    wrapper=$file
-	    ;;
-	esac
-	if func_ltwrapper_script_p "$wrapper"; then
-	  notinst_deplibs=
-	  relink_command=
-
-	  func_source "$wrapper"
-
-	  # Check the variables that should have been set.
-	  test -z "$generated_by_libtool_version" && \
-	    func_fatal_error "invalid libtool wrapper script \`$wrapper'"
-
-	  finalize=yes
-	  for lib in $notinst_deplibs; do
-	    # Check to see that each library is installed.
-	    libdir=
-	    if test -f "$lib"; then
-	      func_source "$lib"
-	    fi
-	    libfile="$libdir/"`$ECHO "$lib" | $SED 's%^.*/%%g'` ### testsuite: skip nested quoting test
-	    if test -n "$libdir" && test ! -f "$libfile"; then
-	      func_warning "\`$lib' has not been installed in \`$libdir'"
-	      finalize=no
-	    fi
-	  done
-
-	  relink_command=
-	  func_source "$wrapper"
-
-	  outputname=
-	  if test "$fast_install" = no && test -n "$relink_command"; then
-	    $opt_dry_run || {
-	      if test "$finalize" = yes; then
-	        tmpdir=`func_mktempdir`
-		func_basename "$file$stripped_ext"
-		file="$func_basename_result"
-	        outputname="$tmpdir/$file"
-	        # Replace the output file specification.
-	        relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'`
-
-	        $opt_silent || {
-	          func_quote_for_expand "$relink_command"
-		  eval "func_echo $func_quote_for_expand_result"
-	        }
-	        if eval "$relink_command"; then :
-	          else
-		  func_error "error: relink \`$file' with the above command before installing it"
-		  $opt_dry_run || ${RM}r "$tmpdir"
-		  continue
-	        fi
-	        file="$outputname"
-	      else
-	        func_warning "cannot relink \`$file'"
-	      fi
-	    }
-	  else
-	    # Install the binary that we compiled earlier.
-	    file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"`
-	  fi
-	fi
-
-	# remove .exe since cygwin /usr/bin/install will append another
-	# one anyway
-	case $install_prog,$host in
-	*/usr/bin/install*,*cygwin*)
-	  case $file:$destfile in
-	  *.exe:*.exe)
-	    # this is ok
-	    ;;
-	  *.exe:*)
-	    destfile=$destfile.exe
-	    ;;
-	  *:*.exe)
-	    func_stripname '' '.exe' "$destfile"
-	    destfile=$func_stripname_result
-	    ;;
-	  esac
-	  ;;
-	esac
-	func_show_eval "$install_prog\$stripme \$file \$destfile" 'exit $?'
-	$opt_dry_run || if test -n "$outputname"; then
-	  ${RM}r "$tmpdir"
-	fi
-	;;
-      esac
-    done
-
-    for file in $staticlibs; do
-      func_basename "$file"
-      name="$func_basename_result"
-
-      # Set up the ranlib parameters.
-      oldlib="$destdir/$name"
-      func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
-      tool_oldlib=$func_to_tool_file_result
-
-      func_show_eval "$install_prog \$file \$oldlib" 'exit $?'
-
-      if test -n "$stripme" && test -n "$old_striplib"; then
-	func_show_eval "$old_striplib $tool_oldlib" 'exit $?'
-      fi
-
-      # Do each command in the postinstall commands.
-      func_execute_cmds "$old_postinstall_cmds" 'exit $?'
-    done
-
-    test -n "$future_libdirs" && \
-      func_warning "remember to run \`$progname --finish$future_libdirs'"
-
-    if test -n "$current_libdirs"; then
-      # Maybe just do a dry run.
-      $opt_dry_run && current_libdirs=" -n$current_libdirs"
-      exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
-    else
-      exit $EXIT_SUCCESS
-    fi
-}
-
-test "$opt_mode" = install && func_mode_install ${1+"$@"}
-
-
-# func_generate_dlsyms outputname originator pic_p
-# Extract symbols from dlprefiles and create ${outputname}S.o with
-# a dlpreopen symbol table.
-func_generate_dlsyms ()
-{
-    $opt_debug
-    my_outputname="$1"
-    my_originator="$2"
-    my_pic_p="${3-no}"
-    my_prefix=`$ECHO "$my_originator" | sed 's%[^a-zA-Z0-9]%_%g'`
-    my_dlsyms=
-
-    if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-      if test -n "$NM" && test -n "$global_symbol_pipe"; then
-	my_dlsyms="${my_outputname}S.c"
-      else
-	func_error "not configured to extract global symbols from dlpreopened files"
-      fi
-    fi
-
-    if test -n "$my_dlsyms"; then
-      case $my_dlsyms in
-      "") ;;
-      *.c)
-	# Discover the nlist of each of the dlfiles.
-	nlist="$output_objdir/${my_outputname}.nm"
-
-	func_show_eval "$RM $nlist ${nlist}S ${nlist}T"
-
-	# Parse the name list into a source file.
-	func_verbose "creating $output_objdir/$my_dlsyms"
-
-	$opt_dry_run || $ECHO > "$output_objdir/$my_dlsyms" "\
-/* $my_dlsyms - symbol resolution table for \`$my_outputname' dlsym emulation. */
-/* Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION */
-
-#ifdef __cplusplus
-extern \"C\" {
-#endif
-
-#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4))
-#pragma GCC diagnostic ignored \"-Wstrict-prototypes\"
-#endif
-
-/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
-#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
-/* DATA imports from DLLs on WIN32 con't be const, because runtime
-   relocations are performed -- see ld's documentation on pseudo-relocs.  */
-# define LT_DLSYM_CONST
-#elif defined(__osf__)
-/* This system does not cope well with relocations in const data.  */
-# define LT_DLSYM_CONST
-#else
-# define LT_DLSYM_CONST const
-#endif
-
-/* External symbol declarations for the compiler. */\
-"
-
-	if test "$dlself" = yes; then
-	  func_verbose "generating symbol list for \`$output'"
-
-	  $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist"
-
-	  # Add our own program objects to the symbol list.
-	  progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP`
-	  for progfile in $progfiles; do
-	    func_to_tool_file "$progfile" func_convert_file_msys_to_w32
-	    func_verbose "extracting global C symbols from \`$func_to_tool_file_result'"
-	    $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'"
-	  done
-
-	  if test -n "$exclude_expsyms"; then
-	    $opt_dry_run || {
-	      eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
-	      eval '$MV "$nlist"T "$nlist"'
-	    }
-	  fi
-
-	  if test -n "$export_symbols_regex"; then
-	    $opt_dry_run || {
-	      eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T'
-	      eval '$MV "$nlist"T "$nlist"'
-	    }
-	  fi
-
-	  # Prepare the list of exported symbols
-	  if test -z "$export_symbols"; then
-	    export_symbols="$output_objdir/$outputname.exp"
-	    $opt_dry_run || {
-	      $RM $export_symbols
-	      eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
-	      case $host in
-	      *cygwin* | *mingw* | *cegcc* )
-                eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
-                eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
-	        ;;
-	      esac
-	    }
-	  else
-	    $opt_dry_run || {
-	      eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
-	      eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
-	      eval '$MV "$nlist"T "$nlist"'
-	      case $host in
-	        *cygwin* | *mingw* | *cegcc* )
-	          eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
-	          eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
-	          ;;
-	      esac
-	    }
-	  fi
-	fi
-
-	for dlprefile in $dlprefiles; do
-	  func_verbose "extracting global C symbols from \`$dlprefile'"
-	  func_basename "$dlprefile"
-	  name="$func_basename_result"
-          case $host in
-	    *cygwin* | *mingw* | *cegcc* )
-	      # if an import library, we need to obtain dlname
-	      if func_win32_import_lib_p "$dlprefile"; then
-	        func_tr_sh "$dlprefile"
-	        eval "curr_lafile=\$libfile_$func_tr_sh_result"
-	        dlprefile_dlbasename=""
-	        if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then
-	          # Use subshell, to avoid clobbering current variable values
-	          dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"`
-	          if test -n "$dlprefile_dlname" ; then
-	            func_basename "$dlprefile_dlname"
-	            dlprefile_dlbasename="$func_basename_result"
-	          else
-	            # no lafile. user explicitly requested -dlpreopen <import library>.
-	            $sharedlib_from_linklib_cmd "$dlprefile"
-	            dlprefile_dlbasename=$sharedlib_from_linklib_result
-	          fi
-	        fi
-	        $opt_dry_run || {
-	          if test -n "$dlprefile_dlbasename" ; then
-	            eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"'
-	          else
-	            func_warning "Could not compute DLL name from $name"
-	            eval '$ECHO ": $name " >> "$nlist"'
-	          fi
-	          func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
-	          eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe |
-	            $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'"
-	        }
-	      else # not an import lib
-	        $opt_dry_run || {
-	          eval '$ECHO ": $name " >> "$nlist"'
-	          func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
-	          eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
-	        }
-	      fi
-	    ;;
-	    *)
-	      $opt_dry_run || {
-	        eval '$ECHO ": $name " >> "$nlist"'
-	        func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32
-	        eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'"
-	      }
-	    ;;
-          esac
-	done
-
-	$opt_dry_run || {
-	  # Make sure we have at least an empty file.
-	  test -f "$nlist" || : > "$nlist"
-
-	  if test -n "$exclude_expsyms"; then
-	    $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
-	    $MV "$nlist"T "$nlist"
-	  fi
-
-	  # Try sorting and uniquifying the output.
-	  if $GREP -v "^: " < "$nlist" |
-	      if sort -k 3 </dev/null >/dev/null 2>&1; then
-		sort -k 3
-	      else
-		sort +2
-	      fi |
-	      uniq > "$nlist"S; then
-	    :
-	  else
-	    $GREP -v "^: " < "$nlist" > "$nlist"S
-	  fi
-
-	  if test -f "$nlist"S; then
-	    eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"'
-	  else
-	    echo '/* NONE */' >> "$output_objdir/$my_dlsyms"
-	  fi
-
-	  echo >> "$output_objdir/$my_dlsyms" "\
-
-/* The mapping between symbol names and symbols.  */
-typedef struct {
-  const char *name;
-  void *address;
-} lt_dlsymlist;
-extern LT_DLSYM_CONST lt_dlsymlist
-lt_${my_prefix}_LTX_preloaded_symbols[];
-LT_DLSYM_CONST lt_dlsymlist
-lt_${my_prefix}_LTX_preloaded_symbols[] =
-{\
-  { \"$my_originator\", (void *) 0 },"
-
-	  case $need_lib_prefix in
-	  no)
-	    eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$my_dlsyms"
-	    ;;
-	  *)
-	    eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms"
-	    ;;
-	  esac
-	  echo >> "$output_objdir/$my_dlsyms" "\
-  {0, (void *) 0}
-};
-
-/* This works around a problem in FreeBSD linker */
-#ifdef FREEBSD_WORKAROUND
-static const void *lt_preloaded_setup() {
-  return lt_${my_prefix}_LTX_preloaded_symbols;
-}
-#endif
-
-#ifdef __cplusplus
-}
-#endif\
-"
-	} # !$opt_dry_run
-
-	pic_flag_for_symtable=
-	case "$compile_command " in
-	*" -static "*) ;;
-	*)
-	  case $host in
-	  # compiling the symbol table file with pic_flag works around
-	  # a FreeBSD bug that causes programs to crash when -lm is
-	  # linked before any other PIC object.  But we must not use
-	  # pic_flag when linking with -static.  The problem exists in
-	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
-	  *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
-	    pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;;
-	  *-*-hpux*)
-	    pic_flag_for_symtable=" $pic_flag"  ;;
-	  *)
-	    if test "X$my_pic_p" != Xno; then
-	      pic_flag_for_symtable=" $pic_flag"
-	    fi
-	    ;;
-	  esac
-	  ;;
-	esac
-	symtab_cflags=
-	for arg in $LTCFLAGS; do
-	  case $arg in
-	  -pie | -fpie | -fPIE) ;;
-	  *) func_append symtab_cflags " $arg" ;;
-	  esac
-	done
-
-	# Now compile the dynamic symbol file.
-	func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?'
-
-	# Clean up the generated files.
-	func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T"'
-
-	# Transform the symbol file into the correct name.
-	symfileobj="$output_objdir/${my_outputname}S.$objext"
-	case $host in
-	*cygwin* | *mingw* | *cegcc* )
-	  if test -f "$output_objdir/$my_outputname.def"; then
-	    compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
-	    finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"`
-	  else
-	    compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
-	    finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
-	  fi
-	  ;;
-	*)
-	  compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"`
-	  finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"`
-	  ;;
-	esac
-	;;
-      *-*-freebsd*)
-	# FreeBSD doesn't need this...
-	;;
-      *)
-	func_fatal_error "unknown suffix for \`$my_dlsyms'"
-	;;
-      esac
-    else
-      # We keep going just in case the user didn't refer to
-      # lt_preloaded_symbols.  The linker will fail if global_symbol_pipe
-      # really was required.
-
-      # Nullify the symbol file.
-      compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"`
-      finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"`
-    fi
-}
-
-# func_win32_libid arg
-# return the library type of file 'arg'
-#
-# Need a lot of goo to handle *both* DLLs and import libs
-# Has to be a shell function in order to 'eat' the argument
-# that is supplied when $file_magic_command is called.
-# Despite the name, also deal with 64 bit binaries.
-func_win32_libid ()
-{
-  $opt_debug
-  win32_libid_type="unknown"
-  win32_fileres=`file -L $1 2>/dev/null`
-  case $win32_fileres in
-  *ar\ archive\ import\ library*) # definitely import
-    win32_libid_type="x86 archive import"
-    ;;
-  *ar\ archive*) # could be an import, or static
-    # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD.
-    if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null |
-       $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then
-      func_to_tool_file "$1" func_convert_file_msys_to_w32
-      win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" |
-	$SED -n -e '
-	    1,100{
-		/ I /{
-		    s,.*,import,
-		    p
-		    q
-		}
-	    }'`
-      case $win32_nmres in
-      import*)  win32_libid_type="x86 archive import";;
-      *)        win32_libid_type="x86 archive static";;
-      esac
-    fi
-    ;;
-  *DLL*)
-    win32_libid_type="x86 DLL"
-    ;;
-  *executable*) # but shell scripts are "executable" too...
-    case $win32_fileres in
-    *MS\ Windows\ PE\ Intel*)
-      win32_libid_type="x86 DLL"
-      ;;
-    esac
-    ;;
-  esac
-  $ECHO "$win32_libid_type"
-}
-
-# func_cygming_dll_for_implib ARG
-#
-# Platform-specific function to extract the
-# name of the DLL associated with the specified
-# import library ARG.
-# Invoked by eval'ing the libtool variable
-#    $sharedlib_from_linklib_cmd
-# Result is available in the variable
-#    $sharedlib_from_linklib_result
-func_cygming_dll_for_implib ()
-{
-  $opt_debug
-  sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"`
-}
-
-# func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs
-#
-# The is the core of a fallback implementation of a
-# platform-specific function to extract the name of the
-# DLL associated with the specified import library LIBNAME.
-#
-# SECTION_NAME is either .idata$6 or .idata$7, depending
-# on the platform and compiler that created the implib.
-#
-# Echos the name of the DLL associated with the
-# specified import library.
-func_cygming_dll_for_implib_fallback_core ()
-{
-  $opt_debug
-  match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"`
-  $OBJDUMP -s --section "$1" "$2" 2>/dev/null |
-    $SED '/^Contents of section '"$match_literal"':/{
-      # Place marker at beginning of archive member dllname section
-      s/.*/====MARK====/
-      p
-      d
-    }
-    # These lines can sometimes be longer than 43 characters, but
-    # are always uninteresting
-    /:[	 ]*file format pe[i]\{,1\}-/d
-    /^In archive [^:]*:/d
-    # Ensure marker is printed
-    /^====MARK====/p
-    # Remove all lines with less than 43 characters
-    /^.\{43\}/!d
-    # From remaining lines, remove first 43 characters
-    s/^.\{43\}//' |
-    $SED -n '
-      # Join marker and all lines until next marker into a single line
-      /^====MARK====/ b para
-      H
-      $ b para
-      b
-      :para
-      x
-      s/\n//g
-      # Remove the marker
-      s/^====MARK====//
-      # Remove trailing dots and whitespace
-      s/[\. \t]*$//
-      # Print
-      /./p' |
-    # we now have a list, one entry per line, of the stringified
-    # contents of the appropriate section of all members of the
-    # archive which possess that section. Heuristic: eliminate
-    # all those which have a first or second character that is
-    # a '.' (that is, objdump's representation of an unprintable
-    # character.) This should work for all archives with less than
-    # 0x302f exports -- but will fail for DLLs whose name actually
-    # begins with a literal '.' or a single character followed by
-    # a '.'.
-    #
-    # Of those that remain, print the first one.
-    $SED -e '/^\./d;/^.\./d;q'
-}
-
-# func_cygming_gnu_implib_p ARG
-# This predicate returns with zero status (TRUE) if
-# ARG is a GNU/binutils-style import library. Returns
-# with nonzero status (FALSE) otherwise.
-func_cygming_gnu_implib_p ()
-{
-  $opt_debug
-  func_to_tool_file "$1" func_convert_file_msys_to_w32
-  func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'`
-  test -n "$func_cygming_gnu_implib_tmp"
-}
-
-# func_cygming_ms_implib_p ARG
-# This predicate returns with zero status (TRUE) if
-# ARG is an MS-style import library. Returns
-# with nonzero status (FALSE) otherwise.
-func_cygming_ms_implib_p ()
-{
-  $opt_debug
-  func_to_tool_file "$1" func_convert_file_msys_to_w32
-  func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'`
-  test -n "$func_cygming_ms_implib_tmp"
-}
-
-# func_cygming_dll_for_implib_fallback ARG
-# Platform-specific function to extract the
-# name of the DLL associated with the specified
-# import library ARG.
-#
-# This fallback implementation is for use when $DLLTOOL
-# does not support the --identify-strict option.
-# Invoked by eval'ing the libtool variable
-#    $sharedlib_from_linklib_cmd
-# Result is available in the variable
-#    $sharedlib_from_linklib_result
-func_cygming_dll_for_implib_fallback ()
-{
-  $opt_debug
-  if func_cygming_gnu_implib_p "$1" ; then
-    # binutils import library
-    sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"`
-  elif func_cygming_ms_implib_p "$1" ; then
-    # ms-generated import library
-    sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"`
-  else
-    # unknown
-    sharedlib_from_linklib_result=""
-  fi
-}
-
-
-# func_extract_an_archive dir oldlib
-func_extract_an_archive ()
-{
-    $opt_debug
-    f_ex_an_ar_dir="$1"; shift
-    f_ex_an_ar_oldlib="$1"
-    if test "$lock_old_archive_extraction" = yes; then
-      lockfile=$f_ex_an_ar_oldlib.lock
-      until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
-	func_echo "Waiting for $lockfile to be removed"
-	sleep 2
-      done
-    fi
-    func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \
-		   'stat=$?; rm -f "$lockfile"; exit $stat'
-    if test "$lock_old_archive_extraction" = yes; then
-      $opt_dry_run || rm -f "$lockfile"
-    fi
-    if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
-     :
-    else
-      func_fatal_error "object name conflicts in archive: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib"
-    fi
-}
-
-
-# func_extract_archives gentop oldlib ...
-func_extract_archives ()
-{
-    $opt_debug
-    my_gentop="$1"; shift
-    my_oldlibs=${1+"$@"}
-    my_oldobjs=""
-    my_xlib=""
-    my_xabs=""
-    my_xdir=""
-
-    for my_xlib in $my_oldlibs; do
-      # Extract the objects.
-      case $my_xlib in
-	[\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
-	*) my_xabs=`pwd`"/$my_xlib" ;;
-      esac
-      func_basename "$my_xlib"
-      my_xlib="$func_basename_result"
-      my_xlib_u=$my_xlib
-      while :; do
-        case " $extracted_archives " in
-	*" $my_xlib_u "*)
-	  func_arith $extracted_serial + 1
-	  extracted_serial=$func_arith_result
-	  my_xlib_u=lt$extracted_serial-$my_xlib ;;
-	*) break ;;
-	esac
-      done
-      extracted_archives="$extracted_archives $my_xlib_u"
-      my_xdir="$my_gentop/$my_xlib_u"
-
-      func_mkdir_p "$my_xdir"
-
-      case $host in
-      *-darwin*)
-	func_verbose "Extracting $my_xabs"
-	# Do not bother doing anything if just a dry run
-	$opt_dry_run || {
-	  darwin_orig_dir=`pwd`
-	  cd $my_xdir || exit $?
-	  darwin_archive=$my_xabs
-	  darwin_curdir=`pwd`
-	  darwin_base_archive=`basename "$darwin_archive"`
-	  darwin_arches=`$LIPO -info "$darwin_archive" 2>/dev/null | $GREP Architectures 2>/dev/null || true`
-	  if test -n "$darwin_arches"; then
-	    darwin_arches=`$ECHO "$darwin_arches" | $SED -e 's/.*are://'`
-	    darwin_arch=
-	    func_verbose "$darwin_base_archive has multiple architectures $darwin_arches"
-	    for darwin_arch in  $darwin_arches ; do
-	      func_mkdir_p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      $LIPO -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
-	      cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      func_extract_an_archive "`pwd`" "${darwin_base_archive}"
-	      cd "$darwin_curdir"
-	      $RM "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}"
-	    done # $darwin_arches
-            ## Okay now we've a bunch of thin objects, gotta fatten them up :)
-	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$basename" | sort -u`
-	    darwin_file=
-	    darwin_files=
-	    for darwin_file in $darwin_filelist; do
-	      darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP`
-	      $LIPO -create -output "$darwin_file" $darwin_files
-	    done # $darwin_filelist
-	    $RM -rf unfat-$$
-	    cd "$darwin_orig_dir"
-	  else
-	    cd $darwin_orig_dir
-	    func_extract_an_archive "$my_xdir" "$my_xabs"
-	  fi # $darwin_arches
-	} # !$opt_dry_run
-	;;
-      *)
-        func_extract_an_archive "$my_xdir" "$my_xabs"
-	;;
-      esac
-      my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
-    done
-
-    func_extract_archives_result="$my_oldobjs"
-}
-
-
-# func_emit_wrapper [arg=no]
-#
-# Emit a libtool wrapper script on stdout.
-# Don't directly open a file because we may want to
-# incorporate the script contents within a cygwin/mingw
-# wrapper executable.  Must ONLY be called from within
-# func_mode_link because it depends on a number of variables
-# set therein.
-#
-# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
-# variable will take.  If 'yes', then the emitted script
-# will assume that the directory in which it is stored is
-# the $objdir directory.  This is a cygwin/mingw-specific
-# behavior.
-func_emit_wrapper ()
-{
-	func_emit_wrapper_arg1=${1-no}
-
-	$ECHO "\
-#! $SHELL
-
-# $output - temporary wrapper script for $objdir/$outputname
-# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
-#
-# The $output program cannot be directly executed until all the libtool
-# libraries that it depends on are installed.
-#
-# This wrapper script should never be moved out of the build directory.
-# If it is, it will not operate correctly.
-
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-sed_quote_subst='$sed_quote_subst'
-
-# Be Bourne compatible
-if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '\${1+\"\$@\"}'='\"\$@\"'
-  setopt NO_GLOB_SUBST
-else
-  case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac
-fi
-BIN_SH=xpg4; export BIN_SH # for Tru64
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-relink_command=\"$relink_command\"
-
-# This environment variable determines our operation mode.
-if test \"\$libtool_install_magic\" = \"$magic\"; then
-  # install mode needs the following variables:
-  generated_by_libtool_version='$macro_version'
-  notinst_deplibs='$notinst_deplibs'
-else
-  # When we are sourced in execute mode, \$file and \$ECHO are already set.
-  if test \"\$libtool_execute_magic\" != \"$magic\"; then
-    file=\"\$0\""
-
-    qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"`
-    $ECHO "\
-
-# A function that is used when there is no print builtin or printf.
-func_fallback_echo ()
-{
-  eval 'cat <<_LTECHO_EOF
-\$1
-_LTECHO_EOF'
-}
-    ECHO=\"$qECHO\"
-  fi
-
-# Very basic option parsing. These options are (a) specific to
-# the libtool wrapper, (b) are identical between the wrapper
-# /script/ and the wrapper /executable/ which is used only on
-# windows platforms, and (c) all begin with the string "--lt-"
-# (application programs are unlikely to have options which match
-# this pattern).
-#
-# There are only two supported options: --lt-debug and
-# --lt-dump-script. There is, deliberately, no --lt-help.
-#
-# The first argument to this parsing function should be the
-# script's $0 value, followed by "$@".
-lt_option_debug=
-func_parse_lt_options ()
-{
-  lt_script_arg0=\$0
-  shift
-  for lt_opt
-  do
-    case \"\$lt_opt\" in
-    --lt-debug) lt_option_debug=1 ;;
-    --lt-dump-script)
-        lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\`
-        test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=.
-        lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\`
-        cat \"\$lt_dump_D/\$lt_dump_F\"
-        exit 0
-      ;;
-    --lt-*)
-        \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2
-        exit 1
-      ;;
-    esac
-  done
-
-  # Print the debug banner immediately:
-  if test -n \"\$lt_option_debug\"; then
-    echo \"${outputname}:${output}:\${LINENO}: libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\" 1>&2
-  fi
-}
-
-# Used when --lt-debug. Prints its arguments to stdout
-# (redirection is the responsibility of the caller)
-func_lt_dump_args ()
-{
-  lt_dump_args_N=1;
-  for lt_arg
-  do
-    \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[\$lt_dump_args_N]: \$lt_arg\"
-    lt_dump_args_N=\`expr \$lt_dump_args_N + 1\`
-  done
-}
-
-# Core function for launching the target application
-func_exec_program_core ()
-{
-"
-  case $host in
-  # Backslashes separate directories on plain windows
-  *-*-mingw | *-*-os2* | *-cegcc*)
-    $ECHO "\
-      if test -n \"\$lt_option_debug\"; then
-        \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir\\\\\$program\" 1>&2
-        func_lt_dump_args \${1+\"\$@\"} 1>&2
-      fi
-      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
-"
-    ;;
-
-  *)
-    $ECHO "\
-      if test -n \"\$lt_option_debug\"; then
-        \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir/\$program\" 1>&2
-        func_lt_dump_args \${1+\"\$@\"} 1>&2
-      fi
-      exec \"\$progdir/\$program\" \${1+\"\$@\"}
-"
-    ;;
-  esac
-  $ECHO "\
-      \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2
-      exit 1
-}
-
-# A function to encapsulate launching the target application
-# Strips options in the --lt-* namespace from \$@ and
-# launches target application with the remaining arguments.
-func_exec_program ()
-{
-  case \" \$* \" in
-  *\\ --lt-*)
-    for lt_wr_arg
-    do
-      case \$lt_wr_arg in
-      --lt-*) ;;
-      *) set x \"\$@\" \"\$lt_wr_arg\"; shift;;
-      esac
-      shift
-    done ;;
-  esac
-  func_exec_program_core \${1+\"\$@\"}
-}
-
-  # Parse options
-  func_parse_lt_options \"\$0\" \${1+\"\$@\"}
-
-  # Find the directory that this script lives in.
-  thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\`
-  test \"x\$thisdir\" = \"x\$file\" && thisdir=.
-
-  # Follow symbolic links until we get to the real thisdir.
-  file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\`
-  while test -n \"\$file\"; do
-    destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\`
-
-    # If there was a directory component, then change thisdir.
-    if test \"x\$destdir\" != \"x\$file\"; then
-      case \"\$destdir\" in
-      [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
-      *) thisdir=\"\$thisdir/\$destdir\" ;;
-      esac
-    fi
-
-    file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\`
-    file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\`
-  done
-
-  # Usually 'no', except on cygwin/mingw when embedded into
-  # the cwrapper.
-  WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1
-  if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then
-    # special case for '.'
-    if test \"\$thisdir\" = \".\"; then
-      thisdir=\`pwd\`
-    fi
-    # remove .libs from thisdir
-    case \"\$thisdir\" in
-    *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;;
-    $objdir )   thisdir=. ;;
-    esac
-  fi
-
-  # Try to get the absolute directory name.
-  absdir=\`cd \"\$thisdir\" && pwd\`
-  test -n \"\$absdir\" && thisdir=\"\$absdir\"
-"
-
-	if test "$fast_install" = yes; then
-	  $ECHO "\
-  program=lt-'$outputname'$exeext
-  progdir=\"\$thisdir/$objdir\"
-
-  if test ! -f \"\$progdir/\$program\" ||
-     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\
-       test \"X\$file\" != \"X\$progdir/\$program\"; }; then
-
-    file=\"\$\$-\$program\"
-
-    if test ! -d \"\$progdir\"; then
-      $MKDIR \"\$progdir\"
-    else
-      $RM \"\$progdir/\$file\"
-    fi"
-
-	  $ECHO "\
-
-    # relink executable if necessary
-    if test -n \"\$relink_command\"; then
-      if relink_command_output=\`eval \$relink_command 2>&1\`; then :
-      else
-	$ECHO \"\$relink_command_output\" >&2
-	$RM \"\$progdir/\$file\"
-	exit 1
-      fi
-    fi
-
-    $MV \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
-    { $RM \"\$progdir/\$program\";
-      $MV \"\$progdir/\$file\" \"\$progdir/\$program\"; }
-    $RM \"\$progdir/\$file\"
-  fi"
-	else
-	  $ECHO "\
-  program='$outputname'
-  progdir=\"\$thisdir/$objdir\"
-"
-	fi
-
-	$ECHO "\
-
-  if test -f \"\$progdir/\$program\"; then"
-
-	# fixup the dll searchpath if we need to.
-	#
-	# Fix the DLL searchpath if we need to.  Do this before prepending
-	# to shlibpath, because on Windows, both are PATH and uninstalled
-	# libraries must come first.
-	if test -n "$dllsearchpath"; then
-	  $ECHO "\
-    # Add the dll search path components to the executable PATH
-    PATH=$dllsearchpath:\$PATH
-"
-	fi
-
-	# Export our shlibpath_var if we have one.
-	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
-	  $ECHO "\
-    # Add our own library path to $shlibpath_var
-    $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
-
-    # Some systems cannot cope with colon-terminated $shlibpath_var
-    # The second colon is a workaround for a bug in BeOS R4 sed
-    $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\`
-
-    export $shlibpath_var
-"
-	fi
-
-	$ECHO "\
-    if test \"\$libtool_execute_magic\" != \"$magic\"; then
-      # Run the actual program with our arguments.
-      func_exec_program \${1+\"\$@\"}
-    fi
-  else
-    # The program doesn't exist.
-    \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
-    \$ECHO \"This script is just a wrapper for \$program.\" 1>&2
-    \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
-    exit 1
-  fi
-fi\
-"
-}
-
-
-# func_emit_cwrapperexe_src
-# emit the source code for a wrapper executable on stdout
-# Must ONLY be called from within func_mode_link because
-# it depends on a number of variable set therein.
-func_emit_cwrapperexe_src ()
-{
-	cat <<EOF
-
-/* $cwrappersource - temporary wrapper executable for $objdir/$outputname
-   Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
-
-   The $output program cannot be directly executed until all the libtool
-   libraries that it depends on are installed.
-
-   This wrapper executable should never be moved out of the build directory.
-   If it is, it will not operate correctly.
-*/
-EOF
-	    cat <<"EOF"
-#ifdef _MSC_VER
-# define _CRT_SECURE_NO_DEPRECATE 1
-#endif
-#include <stdio.h>
-#include <stdlib.h>
-#ifdef _MSC_VER
-# include <direct.h>
-# include <process.h>
-# include <io.h>
-#else
-# include <unistd.h>
-# include <stdint.h>
-# ifdef __CYGWIN__
-#  include <io.h>
-# endif
-#endif
-#include <malloc.h>
-#include <stdarg.h>
-#include <assert.h>
-#include <string.h>
-#include <ctype.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <sys/stat.h>
-
-/* declarations of non-ANSI functions */
-#if defined(__MINGW32__)
-# ifdef __STRICT_ANSI__
-int _putenv (const char *);
-# endif
-#elif defined(__CYGWIN__)
-# ifdef __STRICT_ANSI__
-char *realpath (const char *, char *);
-int putenv (char *);
-int setenv (const char *, const char *, int);
-# endif
-/* #elif defined (other platforms) ... */
-#endif
-
-/* portability defines, excluding path handling macros */
-#if defined(_MSC_VER)
-# define setmode _setmode
-# define stat    _stat
-# define chmod   _chmod
-# define getcwd  _getcwd
-# define putenv  _putenv
-# define S_IXUSR _S_IEXEC
-# ifndef _INTPTR_T_DEFINED
-#  define _INTPTR_T_DEFINED
-#  define intptr_t int
-# endif
-#elif defined(__MINGW32__)
-# define setmode _setmode
-# define stat    _stat
-# define chmod   _chmod
-# define getcwd  _getcwd
-# define putenv  _putenv
-#elif defined(__CYGWIN__)
-# define HAVE_SETENV
-# define FOPEN_WB "wb"
-/* #elif defined (other platforms) ... */
-#endif
-
-#if defined(PATH_MAX)
-# define LT_PATHMAX PATH_MAX
-#elif defined(MAXPATHLEN)
-# define LT_PATHMAX MAXPATHLEN
-#else
-# define LT_PATHMAX 1024
-#endif
-
-#ifndef S_IXOTH
-# define S_IXOTH 0
-#endif
-#ifndef S_IXGRP
-# define S_IXGRP 0
-#endif
-
-/* path handling portability macros */
-#ifndef DIR_SEPARATOR
-# define DIR_SEPARATOR '/'
-# define PATH_SEPARATOR ':'
-#endif
-
-#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
-  defined (__OS2__)
-# define HAVE_DOS_BASED_FILE_SYSTEM
-# define FOPEN_WB "wb"
-# ifndef DIR_SEPARATOR_2
-#  define DIR_SEPARATOR_2 '\\'
-# endif
-# ifndef PATH_SEPARATOR_2
-#  define PATH_SEPARATOR_2 ';'
-# endif
-#endif
-
-#ifndef DIR_SEPARATOR_2
-# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR)
-#else /* DIR_SEPARATOR_2 */
-# define IS_DIR_SEPARATOR(ch) \
-	(((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
-#endif /* DIR_SEPARATOR_2 */
-
-#ifndef PATH_SEPARATOR_2
-# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR)
-#else /* PATH_SEPARATOR_2 */
-# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
-#endif /* PATH_SEPARATOR_2 */
-
-#ifndef FOPEN_WB
-# define FOPEN_WB "w"
-#endif
-#ifndef _O_BINARY
-# define _O_BINARY 0
-#endif
-
-#define XMALLOC(type, num)      ((type *) xmalloc ((num) * sizeof(type)))
-#define XFREE(stale) do { \
-  if (stale) { free ((void *) stale); stale = 0; } \
-} while (0)
-
-#if defined(LT_DEBUGWRAPPER)
-static int lt_debug = 1;
-#else
-static int lt_debug = 0;
-#endif
-
-const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */
-
-void *xmalloc (size_t num);
-char *xstrdup (const char *string);
-const char *base_name (const char *name);
-char *find_executable (const char *wrapper);
-char *chase_symlinks (const char *pathspec);
-int make_executable (const char *path);
-int check_executable (const char *path);
-char *strendzap (char *str, const char *pat);
-void lt_debugprintf (const char *file, int line, const char *fmt, ...);
-void lt_fatal (const char *file, int line, const char *message, ...);
-static const char *nonnull (const char *s);
-static const char *nonempty (const char *s);
-void lt_setenv (const char *name, const char *value);
-char *lt_extend_str (const char *orig_value, const char *add, int to_end);
-void lt_update_exe_path (const char *name, const char *value);
-void lt_update_lib_path (const char *name, const char *value);
-char **prepare_spawn (char **argv);
-void lt_dump_script (FILE *f);
-EOF
-
-	    cat <<EOF
-volatile const char * MAGIC_EXE = "$magic_exe";
-const char * LIB_PATH_VARNAME = "$shlibpath_var";
-EOF
-
-	    if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
-              func_to_host_path "$temp_rpath"
-	      cat <<EOF
-const char * LIB_PATH_VALUE   = "$func_to_host_path_result";
-EOF
-	    else
-	      cat <<"EOF"
-const char * LIB_PATH_VALUE   = "";
-EOF
-	    fi
-
-	    if test -n "$dllsearchpath"; then
-              func_to_host_path "$dllsearchpath:"
-	      cat <<EOF
-const char * EXE_PATH_VARNAME = "PATH";
-const char * EXE_PATH_VALUE   = "$func_to_host_path_result";
-EOF
-	    else
-	      cat <<"EOF"
-const char * EXE_PATH_VARNAME = "";
-const char * EXE_PATH_VALUE   = "";
-EOF
-	    fi
-
-	    if test "$fast_install" = yes; then
-	      cat <<EOF
-const char * TARGET_PROGRAM_NAME = "lt-$outputname"; /* hopefully, no .exe */
-EOF
-	    else
-	      cat <<EOF
-const char * TARGET_PROGRAM_NAME = "$outputname"; /* hopefully, no .exe */
-EOF
-	    fi
-
-
-	    cat <<"EOF"
-
-#define LTWRAPPER_OPTION_PREFIX         "--lt-"
-
-static const char *ltwrapper_option_prefix = LTWRAPPER_OPTION_PREFIX;
-static const char *dumpscript_opt       = LTWRAPPER_OPTION_PREFIX "dump-script";
-static const char *debug_opt            = LTWRAPPER_OPTION_PREFIX "debug";
-
-int
-main (int argc, char *argv[])
-{
-  char **newargz;
-  int  newargc;
-  char *tmp_pathspec;
-  char *actual_cwrapper_path;
-  char *actual_cwrapper_name;
-  char *target_name;
-  char *lt_argv_zero;
-  intptr_t rval = 127;
-
-  int i;
-
-  program_name = (char *) xstrdup (base_name (argv[0]));
-  newargz = XMALLOC (char *, argc + 1);
-
-  /* very simple arg parsing; don't want to rely on getopt
-   * also, copy all non cwrapper options to newargz, except
-   * argz[0], which is handled differently
-   */
-  newargc=0;
-  for (i = 1; i < argc; i++)
-    {
-      if (strcmp (argv[i], dumpscript_opt) == 0)
-	{
-EOF
-	    case "$host" in
-	      *mingw* | *cygwin* )
-		# make stdout use "unix" line endings
-		echo "          setmode(1,_O_BINARY);"
-		;;
-	      esac
-
-	    cat <<"EOF"
-	  lt_dump_script (stdout);
-	  return 0;
-	}
-      if (strcmp (argv[i], debug_opt) == 0)
-	{
-          lt_debug = 1;
-          continue;
-	}
-      if (strcmp (argv[i], ltwrapper_option_prefix) == 0)
-        {
-          /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
-             namespace, but it is not one of the ones we know about and
-             have already dealt with, above (inluding dump-script), then
-             report an error. Otherwise, targets might begin to believe
-             they are allowed to use options in the LTWRAPPER_OPTION_PREFIX
-             namespace. The first time any user complains about this, we'll
-             need to make LTWRAPPER_OPTION_PREFIX a configure-time option
-             or a configure.ac-settable value.
-           */
-          lt_fatal (__FILE__, __LINE__,
-		    "unrecognized %s option: '%s'",
-                    ltwrapper_option_prefix, argv[i]);
-        }
-      /* otherwise ... */
-      newargz[++newargc] = xstrdup (argv[i]);
-    }
-  newargz[++newargc] = NULL;
-
-EOF
-	    cat <<EOF
-  /* The GNU banner must be the first non-error debug message */
-  lt_debugprintf (__FILE__, __LINE__, "libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\n");
-EOF
-	    cat <<"EOF"
-  lt_debugprintf (__FILE__, __LINE__, "(main) argv[0]: %s\n", argv[0]);
-  lt_debugprintf (__FILE__, __LINE__, "(main) program_name: %s\n", program_name);
-
-  tmp_pathspec = find_executable (argv[0]);
-  if (tmp_pathspec == NULL)
-    lt_fatal (__FILE__, __LINE__, "couldn't find %s", argv[0]);
-  lt_debugprintf (__FILE__, __LINE__,
-                  "(main) found exe (before symlink chase) at: %s\n",
-		  tmp_pathspec);
-
-  actual_cwrapper_path = chase_symlinks (tmp_pathspec);
-  lt_debugprintf (__FILE__, __LINE__,
-                  "(main) found exe (after symlink chase) at: %s\n",
-		  actual_cwrapper_path);
-  XFREE (tmp_pathspec);
-
-  actual_cwrapper_name = xstrdup (base_name (actual_cwrapper_path));
-  strendzap (actual_cwrapper_path, actual_cwrapper_name);
-
-  /* wrapper name transforms */
-  strendzap (actual_cwrapper_name, ".exe");
-  tmp_pathspec = lt_extend_str (actual_cwrapper_name, ".exe", 1);
-  XFREE (actual_cwrapper_name);
-  actual_cwrapper_name = tmp_pathspec;
-  tmp_pathspec = 0;
-
-  /* target_name transforms -- use actual target program name; might have lt- prefix */
-  target_name = xstrdup (base_name (TARGET_PROGRAM_NAME));
-  strendzap (target_name, ".exe");
-  tmp_pathspec = lt_extend_str (target_name, ".exe", 1);
-  XFREE (target_name);
-  target_name = tmp_pathspec;
-  tmp_pathspec = 0;
-
-  lt_debugprintf (__FILE__, __LINE__,
-		  "(main) libtool target name: %s\n",
-		  target_name);
-EOF
-
-	    cat <<EOF
-  newargz[0] =
-    XMALLOC (char, (strlen (actual_cwrapper_path) +
-		    strlen ("$objdir") + 1 + strlen (actual_cwrapper_name) + 1));
-  strcpy (newargz[0], actual_cwrapper_path);
-  strcat (newargz[0], "$objdir");
-  strcat (newargz[0], "/");
-EOF
-
-	    cat <<"EOF"
-  /* stop here, and copy so we don't have to do this twice */
-  tmp_pathspec = xstrdup (newargz[0]);
-
-  /* do NOT want the lt- prefix here, so use actual_cwrapper_name */
-  strcat (newargz[0], actual_cwrapper_name);
-
-  /* DO want the lt- prefix here if it exists, so use target_name */
-  lt_argv_zero = lt_extend_str (tmp_pathspec, target_name, 1);
-  XFREE (tmp_pathspec);
-  tmp_pathspec = NULL;
-EOF
-
-	    case $host_os in
-	      mingw*)
-	    cat <<"EOF"
-  {
-    char* p;
-    while ((p = strchr (newargz[0], '\\')) != NULL)
-      {
-	*p = '/';
-      }
-    while ((p = strchr (lt_argv_zero, '\\')) != NULL)
-      {
-	*p = '/';
-      }
-  }
-EOF
-	    ;;
-	    esac
-
-	    cat <<"EOF"
-  XFREE (target_name);
-  XFREE (actual_cwrapper_path);
-  XFREE (actual_cwrapper_name);
-
-  lt_setenv ("BIN_SH", "xpg4"); /* for Tru64 */
-  lt_setenv ("DUALCASE", "1");  /* for MSK sh */
-  /* Update the DLL searchpath.  EXE_PATH_VALUE ($dllsearchpath) must
-     be prepended before (that is, appear after) LIB_PATH_VALUE ($temp_rpath)
-     because on Windows, both *_VARNAMEs are PATH but uninstalled
-     libraries must come first. */
-  lt_update_exe_path (EXE_PATH_VARNAME, EXE_PATH_VALUE);
-  lt_update_lib_path (LIB_PATH_VARNAME, LIB_PATH_VALUE);
-
-  lt_debugprintf (__FILE__, __LINE__, "(main) lt_argv_zero: %s\n",
-		  nonnull (lt_argv_zero));
-  for (i = 0; i < newargc; i++)
-    {
-      lt_debugprintf (__FILE__, __LINE__, "(main) newargz[%d]: %s\n",
-		      i, nonnull (newargz[i]));
-    }
-
-EOF
-
-	    case $host_os in
-	      mingw*)
-		cat <<"EOF"
-  /* execv doesn't actually work on mingw as expected on unix */
-  newargz = prepare_spawn (newargz);
-  rval = _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz);
-  if (rval == -1)
-    {
-      /* failed to start process */
-      lt_debugprintf (__FILE__, __LINE__,
-		      "(main) failed to launch target \"%s\": %s\n",
-		      lt_argv_zero, nonnull (strerror (errno)));
-      return 127;
-    }
-  return rval;
-EOF
-		;;
-	      *)
-		cat <<"EOF"
-  execv (lt_argv_zero, newargz);
-  return rval; /* =127, but avoids unused variable warning */
-EOF
-		;;
-	    esac
-
-	    cat <<"EOF"
-}
-
-void *
-xmalloc (size_t num)
-{
-  void *p = (void *) malloc (num);
-  if (!p)
-    lt_fatal (__FILE__, __LINE__, "memory exhausted");
-
-  return p;
-}
-
-char *
-xstrdup (const char *string)
-{
-  return string ? strcpy ((char *) xmalloc (strlen (string) + 1),
-			  string) : NULL;
-}
-
-const char *
-base_name (const char *name)
-{
-  const char *base;
-
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  /* Skip over the disk name in MSDOS pathnames. */
-  if (isalpha ((unsigned char) name[0]) && name[1] == ':')
-    name += 2;
-#endif
-
-  for (base = name; *name; name++)
-    if (IS_DIR_SEPARATOR (*name))
-      base = name + 1;
-  return base;
-}
-
-int
-check_executable (const char *path)
-{
-  struct stat st;
-
-  lt_debugprintf (__FILE__, __LINE__, "(check_executable): %s\n",
-                  nonempty (path));
-  if ((!path) || (!*path))
-    return 0;
-
-  if ((stat (path, &st) >= 0)
-      && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
-    return 1;
-  else
-    return 0;
-}
-
-int
-make_executable (const char *path)
-{
-  int rval = 0;
-  struct stat st;
-
-  lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n",
-                  nonempty (path));
-  if ((!path) || (!*path))
-    return 0;
-
-  if (stat (path, &st) >= 0)
-    {
-      rval = chmod (path, st.st_mode | S_IXOTH | S_IXGRP | S_IXUSR);
-    }
-  return rval;
-}
-
-/* Searches for the full path of the wrapper.  Returns
-   newly allocated full path name if found, NULL otherwise
-   Does not chase symlinks, even on platforms that support them.
-*/
-char *
-find_executable (const char *wrapper)
-{
-  int has_slash = 0;
-  const char *p;
-  const char *p_next;
-  /* static buffer for getcwd */
-  char tmp[LT_PATHMAX + 1];
-  int tmp_len;
-  char *concat_name;
-
-  lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n",
-                  nonempty (wrapper));
-
-  if ((wrapper == NULL) || (*wrapper == '\0'))
-    return NULL;
-
-  /* Absolute path? */
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  if (isalpha ((unsigned char) wrapper[0]) && wrapper[1] == ':')
-    {
-      concat_name = xstrdup (wrapper);
-      if (check_executable (concat_name))
-	return concat_name;
-      XFREE (concat_name);
-    }
-  else
-    {
-#endif
-      if (IS_DIR_SEPARATOR (wrapper[0]))
-	{
-	  concat_name = xstrdup (wrapper);
-	  if (check_executable (concat_name))
-	    return concat_name;
-	  XFREE (concat_name);
-	}
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-    }
-#endif
-
-  for (p = wrapper; *p; p++)
-    if (*p == '/')
-      {
-	has_slash = 1;
-	break;
-      }
-  if (!has_slash)
-    {
-      /* no slashes; search PATH */
-      const char *path = getenv ("PATH");
-      if (path != NULL)
-	{
-	  for (p = path; *p; p = p_next)
-	    {
-	      const char *q;
-	      size_t p_len;
-	      for (q = p; *q; q++)
-		if (IS_PATH_SEPARATOR (*q))
-		  break;
-	      p_len = q - p;
-	      p_next = (*q == '\0' ? q : q + 1);
-	      if (p_len == 0)
-		{
-		  /* empty path: current directory */
-		  if (getcwd (tmp, LT_PATHMAX) == NULL)
-		    lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
-                              nonnull (strerror (errno)));
-		  tmp_len = strlen (tmp);
-		  concat_name =
-		    XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
-		  memcpy (concat_name, tmp, tmp_len);
-		  concat_name[tmp_len] = '/';
-		  strcpy (concat_name + tmp_len + 1, wrapper);
-		}
-	      else
-		{
-		  concat_name =
-		    XMALLOC (char, p_len + 1 + strlen (wrapper) + 1);
-		  memcpy (concat_name, p, p_len);
-		  concat_name[p_len] = '/';
-		  strcpy (concat_name + p_len + 1, wrapper);
-		}
-	      if (check_executable (concat_name))
-		return concat_name;
-	      XFREE (concat_name);
-	    }
-	}
-      /* not found in PATH; assume curdir */
-    }
-  /* Relative path | not found in path: prepend cwd */
-  if (getcwd (tmp, LT_PATHMAX) == NULL)
-    lt_fatal (__FILE__, __LINE__, "getcwd failed: %s",
-              nonnull (strerror (errno)));
-  tmp_len = strlen (tmp);
-  concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1);
-  memcpy (concat_name, tmp, tmp_len);
-  concat_name[tmp_len] = '/';
-  strcpy (concat_name + tmp_len + 1, wrapper);
-
-  if (check_executable (concat_name))
-    return concat_name;
-  XFREE (concat_name);
-  return NULL;
-}
-
-char *
-chase_symlinks (const char *pathspec)
-{
-#ifndef S_ISLNK
-  return xstrdup (pathspec);
-#else
-  char buf[LT_PATHMAX];
-  struct stat s;
-  char *tmp_pathspec = xstrdup (pathspec);
-  char *p;
-  int has_symlinks = 0;
-  while (strlen (tmp_pathspec) && !has_symlinks)
-    {
-      lt_debugprintf (__FILE__, __LINE__,
-		      "checking path component for symlinks: %s\n",
-		      tmp_pathspec);
-      if (lstat (tmp_pathspec, &s) == 0)
-	{
-	  if (S_ISLNK (s.st_mode) != 0)
-	    {
-	      has_symlinks = 1;
-	      break;
-	    }
-
-	  /* search backwards for last DIR_SEPARATOR */
-	  p = tmp_pathspec + strlen (tmp_pathspec) - 1;
-	  while ((p > tmp_pathspec) && (!IS_DIR_SEPARATOR (*p)))
-	    p--;
-	  if ((p == tmp_pathspec) && (!IS_DIR_SEPARATOR (*p)))
-	    {
-	      /* no more DIR_SEPARATORS left */
-	      break;
-	    }
-	  *p = '\0';
-	}
-      else
-	{
-	  lt_fatal (__FILE__, __LINE__,
-		    "error accessing file \"%s\": %s",
-		    tmp_pathspec, nonnull (strerror (errno)));
-	}
-    }
-  XFREE (tmp_pathspec);
-
-  if (!has_symlinks)
-    {
-      return xstrdup (pathspec);
-    }
-
-  tmp_pathspec = realpath (pathspec, buf);
-  if (tmp_pathspec == 0)
-    {
-      lt_fatal (__FILE__, __LINE__,
-		"could not follow symlinks for %s", pathspec);
-    }
-  return xstrdup (tmp_pathspec);
-#endif
-}
-
-char *
-strendzap (char *str, const char *pat)
-{
-  size_t len, patlen;
-
-  assert (str != NULL);
-  assert (pat != NULL);
-
-  len = strlen (str);
-  patlen = strlen (pat);
-
-  if (patlen <= len)
-    {
-      str += len - patlen;
-      if (strcmp (str, pat) == 0)
-	*str = '\0';
-    }
-  return str;
-}
-
-void
-lt_debugprintf (const char *file, int line, const char *fmt, ...)
-{
-  va_list args;
-  if (lt_debug)
-    {
-      (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line);
-      va_start (args, fmt);
-      (void) vfprintf (stderr, fmt, args);
-      va_end (args);
-    }
-}
-
-static void
-lt_error_core (int exit_status, const char *file,
-	       int line, const char *mode,
-	       const char *message, va_list ap)
-{
-  fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode);
-  vfprintf (stderr, message, ap);
-  fprintf (stderr, ".\n");
-
-  if (exit_status >= 0)
-    exit (exit_status);
-}
-
-void
-lt_fatal (const char *file, int line, const char *message, ...)
-{
-  va_list ap;
-  va_start (ap, message);
-  lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap);
-  va_end (ap);
-}
-
-static const char *
-nonnull (const char *s)
-{
-  return s ? s : "(null)";
-}
-
-static const char *
-nonempty (const char *s)
-{
-  return (s && !*s) ? "(empty)" : nonnull (s);
-}
-
-void
-lt_setenv (const char *name, const char *value)
-{
-  lt_debugprintf (__FILE__, __LINE__,
-		  "(lt_setenv) setting '%s' to '%s'\n",
-                  nonnull (name), nonnull (value));
-  {
-#ifdef HAVE_SETENV
-    /* always make a copy, for consistency with !HAVE_SETENV */
-    char *str = xstrdup (value);
-    setenv (name, str, 1);
-#else
-    int len = strlen (name) + 1 + strlen (value) + 1;
-    char *str = XMALLOC (char, len);
-    sprintf (str, "%s=%s", name, value);
-    if (putenv (str) != EXIT_SUCCESS)
-      {
-        XFREE (str);
-      }
-#endif
-  }
-}
-
-char *
-lt_extend_str (const char *orig_value, const char *add, int to_end)
-{
-  char *new_value;
-  if (orig_value && *orig_value)
-    {
-      int orig_value_len = strlen (orig_value);
-      int add_len = strlen (add);
-      new_value = XMALLOC (char, add_len + orig_value_len + 1);
-      if (to_end)
-        {
-          strcpy (new_value, orig_value);
-          strcpy (new_value + orig_value_len, add);
-        }
-      else
-        {
-          strcpy (new_value, add);
-          strcpy (new_value + add_len, orig_value);
-        }
-    }
-  else
-    {
-      new_value = xstrdup (add);
-    }
-  return new_value;
-}
-
-void
-lt_update_exe_path (const char *name, const char *value)
-{
-  lt_debugprintf (__FILE__, __LINE__,
-		  "(lt_update_exe_path) modifying '%s' by prepending '%s'\n",
-                  nonnull (name), nonnull (value));
-
-  if (name && *name && value && *value)
-    {
-      char *new_value = lt_extend_str (getenv (name), value, 0);
-      /* some systems can't cope with a ':'-terminated path #' */
-      int len = strlen (new_value);
-      while (((len = strlen (new_value)) > 0) && IS_PATH_SEPARATOR (new_value[len-1]))
-        {
-          new_value[len-1] = '\0';
-        }
-      lt_setenv (name, new_value);
-      XFREE (new_value);
-    }
-}
-
-void
-lt_update_lib_path (const char *name, const char *value)
-{
-  lt_debugprintf (__FILE__, __LINE__,
-		  "(lt_update_lib_path) modifying '%s' by prepending '%s'\n",
-                  nonnull (name), nonnull (value));
-
-  if (name && *name && value && *value)
-    {
-      char *new_value = lt_extend_str (getenv (name), value, 0);
-      lt_setenv (name, new_value);
-      XFREE (new_value);
-    }
-}
-
-EOF
-	    case $host_os in
-	      mingw*)
-		cat <<"EOF"
-
-/* Prepares an argument vector before calling spawn().
-   Note that spawn() does not by itself call the command interpreter
-     (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") :
-      ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
-         GetVersionEx(&v);
-         v.dwPlatformId == VER_PLATFORM_WIN32_NT;
-      }) ? "cmd.exe" : "command.com").
-   Instead it simply concatenates the arguments, separated by ' ', and calls
-   CreateProcess().  We must quote the arguments since Win32 CreateProcess()
-   interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a
-   special way:
-   - Space and tab are interpreted as delimiters. They are not treated as
-     delimiters if they are surrounded by double quotes: "...".
-   - Unescaped double quotes are removed from the input. Their only effect is
-     that within double quotes, space and tab are treated like normal
-     characters.
-   - Backslashes not followed by double quotes are not special.
-   - But 2*n+1 backslashes followed by a double quote become
-     n backslashes followed by a double quote (n >= 0):
-       \" -> "
-       \\\" -> \"
-       \\\\\" -> \\"
- */
-#define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
-#define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037"
-char **
-prepare_spawn (char **argv)
-{
-  size_t argc;
-  char **new_argv;
-  size_t i;
-
-  /* Count number of arguments.  */
-  for (argc = 0; argv[argc] != NULL; argc++)
-    ;
-
-  /* Allocate new argument vector.  */
-  new_argv = XMALLOC (char *, argc + 1);
-
-  /* Put quoted arguments into the new argument vector.  */
-  for (i = 0; i < argc; i++)
-    {
-      const char *string = argv[i];
-
-      if (string[0] == '\0')
-	new_argv[i] = xstrdup ("\"\"");
-      else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL)
-	{
-	  int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL);
-	  size_t length;
-	  unsigned int backslashes;
-	  const char *s;
-	  char *quoted_string;
-	  char *p;
-
-	  length = 0;
-	  backslashes = 0;
-	  if (quote_around)
-	    length++;
-	  for (s = string; *s != '\0'; s++)
-	    {
-	      char c = *s;
-	      if (c == '"')
-		length += backslashes + 1;
-	      length++;
-	      if (c == '\\')
-		backslashes++;
-	      else
-		backslashes = 0;
-	    }
-	  if (quote_around)
-	    length += backslashes + 1;
-
-	  quoted_string = XMALLOC (char, length + 1);
-
-	  p = quoted_string;
-	  backslashes = 0;
-	  if (quote_around)
-	    *p++ = '"';
-	  for (s = string; *s != '\0'; s++)
-	    {
-	      char c = *s;
-	      if (c == '"')
-		{
-		  unsigned int j;
-		  for (j = backslashes + 1; j > 0; j--)
-		    *p++ = '\\';
-		}
-	      *p++ = c;
-	      if (c == '\\')
-		backslashes++;
-	      else
-		backslashes = 0;
-	    }
-	  if (quote_around)
-	    {
-	      unsigned int j;
-	      for (j = backslashes; j > 0; j--)
-		*p++ = '\\';
-	      *p++ = '"';
-	    }
-	  *p = '\0';
-
-	  new_argv[i] = quoted_string;
-	}
-      else
-	new_argv[i] = (char *) string;
-    }
-  new_argv[argc] = NULL;
-
-  return new_argv;
-}
-EOF
-		;;
-	    esac
-
-            cat <<"EOF"
-void lt_dump_script (FILE* f)
-{
-EOF
-	    func_emit_wrapper yes |
-	      $SED -n -e '
-s/^\(.\{79\}\)\(..*\)/\1\
-\2/
-h
-s/\([\\"]\)/\\\1/g
-s/$/\\n/
-s/\([^\n]*\).*/  fputs ("\1", f);/p
-g
-D'
-            cat <<"EOF"
-}
-EOF
-}
-# end: func_emit_cwrapperexe_src
-
-# func_win32_import_lib_p ARG
-# True if ARG is an import lib, as indicated by $file_magic_cmd
-func_win32_import_lib_p ()
-{
-    $opt_debug
-    case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in
-    *import*) : ;;
-    *) false ;;
-    esac
-}
-
-# func_mode_link arg...
-func_mode_link ()
-{
-    $opt_debug
-    case $host in
-    *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
-      # It is impossible to link a dll without this setting, and
-      # we shouldn't force the makefile maintainer to figure out
-      # which system we are compiling for in order to pass an extra
-      # flag for every libtool invocation.
-      # allow_undefined=no
-
-      # FIXME: Unfortunately, there are problems with the above when trying
-      # to make a dll which has undefined symbols, in which case not
-      # even a static library is built.  For now, we need to specify
-      # -no-undefined on the libtool link line when we can be certain
-      # that all symbols are satisfied, otherwise we get a static library.
-      allow_undefined=yes
-      ;;
-    *)
-      allow_undefined=yes
-      ;;
-    esac
-    libtool_args=$nonopt
-    base_compile="$nonopt $@"
-    compile_command=$nonopt
-    finalize_command=$nonopt
-
-    compile_rpath=
-    finalize_rpath=
-    compile_shlibpath=
-    finalize_shlibpath=
-    convenience=
-    old_convenience=
-    deplibs=
-    old_deplibs=
-    compiler_flags=
-    linker_flags=
-    dllsearchpath=
-    lib_search_path=`pwd`
-    inst_prefix_dir=
-    new_inherited_linker_flags=
-
-    avoid_version=no
-    bindir=
-    dlfiles=
-    dlprefiles=
-    dlself=no
-    export_dynamic=no
-    export_symbols=
-    export_symbols_regex=
-    generated=
-    libobjs=
-    ltlibs=
-    module=no
-    no_install=no
-    objs=
-    non_pic_objects=
-    precious_files_regex=
-    prefer_static_libs=no
-    preload=no
-    prev=
-    prevarg=
-    release=
-    rpath=
-    xrpath=
-    perm_rpath=
-    temp_rpath=
-    thread_safe=no
-    vinfo=
-    vinfo_number=no
-    weak_libs=
-    single_module="${wl}-single_module"
-    func_infer_tag $base_compile
-
-    # We need to know -static, to get the right output filenames.
-    for arg
-    do
-      case $arg in
-      -shared)
-	test "$build_libtool_libs" != yes && \
-	  func_fatal_configuration "can not build a shared library"
-	build_old_libs=no
-	break
-	;;
-      -all-static | -static | -static-libtool-libs)
-	case $arg in
-	-all-static)
-	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
-	    func_warning "complete static linking is impossible in this configuration"
-	  fi
-	  if test -n "$link_static_flag"; then
-	    dlopen_self=$dlopen_self_static
-	  fi
-	  prefer_static_libs=yes
-	  ;;
-	-static)
-	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
-	    dlopen_self=$dlopen_self_static
-	  fi
-	  prefer_static_libs=built
-	  ;;
-	-static-libtool-libs)
-	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
-	    dlopen_self=$dlopen_self_static
-	  fi
-	  prefer_static_libs=yes
-	  ;;
-	esac
-	build_libtool_libs=no
-	build_old_libs=yes
-	break
-	;;
-      esac
-    done
-
-    # See if our shared archives depend on static archives.
-    test -n "$old_archive_from_new_cmds" && build_old_libs=yes
-
-    # Go through the arguments, transforming them on the way.
-    while test "$#" -gt 0; do
-      arg="$1"
-      shift
-      func_quote_for_eval "$arg"
-      qarg=$func_quote_for_eval_unquoted_result
-      func_append libtool_args " $func_quote_for_eval_result"
-
-      # If the previous option needs an argument, assign it.
-      if test -n "$prev"; then
-	case $prev in
-	output)
-	  func_append compile_command " @OUTPUT@"
-	  func_append finalize_command " @OUTPUT@"
-	  ;;
-	esac
-
-	case $prev in
-	bindir)
-	  bindir="$arg"
-	  prev=
-	  continue
-	  ;;
-	dlfiles|dlprefiles)
-	  if test "$preload" = no; then
-	    # Add the symbol object into the linking commands.
-	    func_append compile_command " @SYMFILE@"
-	    func_append finalize_command " @SYMFILE@"
-	    preload=yes
-	  fi
-	  case $arg in
-	  *.la | *.lo) ;;  # We handle these cases below.
-	  force)
-	    if test "$dlself" = no; then
-	      dlself=needless
-	      export_dynamic=yes
-	    fi
-	    prev=
-	    continue
-	    ;;
-	  self)
-	    if test "$prev" = dlprefiles; then
-	      dlself=yes
-	    elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
-	      dlself=yes
-	    else
-	      dlself=needless
-	      export_dynamic=yes
-	    fi
-	    prev=
-	    continue
-	    ;;
-	  *)
-	    if test "$prev" = dlfiles; then
-	      func_append dlfiles " $arg"
-	    else
-	      func_append dlprefiles " $arg"
-	    fi
-	    prev=
-	    continue
-	    ;;
-	  esac
-	  ;;
-	expsyms)
-	  export_symbols="$arg"
-	  test -f "$arg" \
-	    || func_fatal_error "symbol file \`$arg' does not exist"
-	  prev=
-	  continue
-	  ;;
-	expsyms_regex)
-	  export_symbols_regex="$arg"
-	  prev=
-	  continue
-	  ;;
-	framework)
-	  case $host in
-	    *-*-darwin*)
-	      case "$deplibs " in
-		*" $qarg.ltframework "*) ;;
-		*) func_append deplibs " $qarg.ltframework" # this is fixed later
-		   ;;
-	      esac
-	      ;;
-	  esac
-	  prev=
-	  continue
-	  ;;
-	inst_prefix)
-	  inst_prefix_dir="$arg"
-	  prev=
-	  continue
-	  ;;
-	objectlist)
-	  if test -f "$arg"; then
-	    save_arg=$arg
-	    moreargs=
-	    for fil in `cat "$save_arg"`
-	    do
-#	      func_append moreargs " $fil"
-	      arg=$fil
-	      # A libtool-controlled object.
-
-	      # Check to see that this really is a libtool object.
-	      if func_lalib_unsafe_p "$arg"; then
-		pic_object=
-		non_pic_object=
-
-		# Read the .lo file
-		func_source "$arg"
-
-		if test -z "$pic_object" ||
-		   test -z "$non_pic_object" ||
-		   test "$pic_object" = none &&
-		   test "$non_pic_object" = none; then
-		  func_fatal_error "cannot find name of object for \`$arg'"
-		fi
-
-		# Extract subdirectory from the argument.
-		func_dirname "$arg" "/" ""
-		xdir="$func_dirname_result"
-
-		if test "$pic_object" != none; then
-		  # Prepend the subdirectory the object is found in.
-		  pic_object="$xdir$pic_object"
-
-		  if test "$prev" = dlfiles; then
-		    if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		      func_append dlfiles " $pic_object"
-		      prev=
-		      continue
-		    else
-		      # If libtool objects are unsupported, then we need to preload.
-		      prev=dlprefiles
-		    fi
-		  fi
-
-		  # CHECK ME:  I think I busted this.  -Ossama
-		  if test "$prev" = dlprefiles; then
-		    # Preload the old-style object.
-		    func_append dlprefiles " $pic_object"
-		    prev=
-		  fi
-
-		  # A PIC object.
-		  func_append libobjs " $pic_object"
-		  arg="$pic_object"
-		fi
-
-		# Non-PIC object.
-		if test "$non_pic_object" != none; then
-		  # Prepend the subdirectory the object is found in.
-		  non_pic_object="$xdir$non_pic_object"
-
-		  # A standard non-PIC object
-		  func_append non_pic_objects " $non_pic_object"
-		  if test -z "$pic_object" || test "$pic_object" = none ; then
-		    arg="$non_pic_object"
-		  fi
-		else
-		  # If the PIC object exists, use it instead.
-		  # $xdir was prepended to $pic_object above.
-		  non_pic_object="$pic_object"
-		  func_append non_pic_objects " $non_pic_object"
-		fi
-	      else
-		# Only an error if not doing a dry-run.
-		if $opt_dry_run; then
-		  # Extract subdirectory from the argument.
-		  func_dirname "$arg" "/" ""
-		  xdir="$func_dirname_result"
-
-		  func_lo2o "$arg"
-		  pic_object=$xdir$objdir/$func_lo2o_result
-		  non_pic_object=$xdir$func_lo2o_result
-		  func_append libobjs " $pic_object"
-		  func_append non_pic_objects " $non_pic_object"
-	        else
-		  func_fatal_error "\`$arg' is not a valid libtool object"
-		fi
-	      fi
-	    done
-	  else
-	    func_fatal_error "link input file \`$arg' does not exist"
-	  fi
-	  arg=$save_arg
-	  prev=
-	  continue
-	  ;;
-	precious_regex)
-	  precious_files_regex="$arg"
-	  prev=
-	  continue
-	  ;;
-	release)
-	  release="-$arg"
-	  prev=
-	  continue
-	  ;;
-	rpath | xrpath)
-	  # We need an absolute path.
-	  case $arg in
-	  [\\/]* | [A-Za-z]:[\\/]*) ;;
-	  *)
-	    func_fatal_error "only absolute run-paths are allowed"
-	    ;;
-	  esac
-	  if test "$prev" = rpath; then
-	    case "$rpath " in
-	    *" $arg "*) ;;
-	    *) func_append rpath " $arg" ;;
-	    esac
-	  else
-	    case "$xrpath " in
-	    *" $arg "*) ;;
-	    *) func_append xrpath " $arg" ;;
-	    esac
-	  fi
-	  prev=
-	  continue
-	  ;;
-	shrext)
-	  shrext_cmds="$arg"
-	  prev=
-	  continue
-	  ;;
-	weak)
-	  func_append weak_libs " $arg"
-	  prev=
-	  continue
-	  ;;
-	xcclinker)
-	  func_append linker_flags " $qarg"
-	  func_append compiler_flags " $qarg"
-	  prev=
-	  func_append compile_command " $qarg"
-	  func_append finalize_command " $qarg"
-	  continue
-	  ;;
-	xcompiler)
-	  func_append compiler_flags " $qarg"
-	  prev=
-	  func_append compile_command " $qarg"
-	  func_append finalize_command " $qarg"
-	  continue
-	  ;;
-	xlinker)
-	  func_append linker_flags " $qarg"
-	  func_append compiler_flags " $wl$qarg"
-	  prev=
-	  func_append compile_command " $wl$qarg"
-	  func_append finalize_command " $wl$qarg"
-	  continue
-	  ;;
-	*)
-	  eval "$prev=\"\$arg\""
-	  prev=
-	  continue
-	  ;;
-	esac
-      fi # test -n "$prev"
-
-      prevarg="$arg"
-
-      case $arg in
-      -all-static)
-	if test -n "$link_static_flag"; then
-	  # See comment for -static flag below, for more details.
-	  func_append compile_command " $link_static_flag"
-	  func_append finalize_command " $link_static_flag"
-	fi
-	continue
-	;;
-
-      -allow-undefined)
-	# FIXME: remove this flag sometime in the future.
-	func_fatal_error "\`-allow-undefined' must not be used because it is the default"
-	;;
-
-      -avoid-version)
-	avoid_version=yes
-	continue
-	;;
-
-      -bindir)
-	prev=bindir
-	continue
-	;;
-
-      -dlopen)
-	prev=dlfiles
-	continue
-	;;
-
-      -dlpreopen)
-	prev=dlprefiles
-	continue
-	;;
-
-      -export-dynamic)
-	export_dynamic=yes
-	continue
-	;;
-
-      -export-symbols | -export-symbols-regex)
-	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
-	  func_fatal_error "more than one -exported-symbols argument is not allowed"
-	fi
-	if test "X$arg" = "X-export-symbols"; then
-	  prev=expsyms
-	else
-	  prev=expsyms_regex
-	fi
-	continue
-	;;
-
-      -framework)
-	prev=framework
-	continue
-	;;
-
-      -inst-prefix-dir)
-	prev=inst_prefix
-	continue
-	;;
-
-      # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
-      # so, if we see these flags be careful not to treat them like -L
-      -L[A-Z][A-Z]*:*)
-	case $with_gcc/$host in
-	no/*-*-irix* | /*-*-irix*)
-	  func_append compile_command " $arg"
-	  func_append finalize_command " $arg"
-	  ;;
-	esac
-	continue
-	;;
-
-      -L*)
-	func_stripname "-L" '' "$arg"
-	if test -z "$func_stripname_result"; then
-	  if test "$#" -gt 0; then
-	    func_fatal_error "require no space between \`-L' and \`$1'"
-	  else
-	    func_fatal_error "need path for \`-L' option"
-	  fi
-	fi
-	func_resolve_sysroot "$func_stripname_result"
-	dir=$func_resolve_sysroot_result
-	# We need an absolute path.
-	case $dir in
-	[\\/]* | [A-Za-z]:[\\/]*) ;;
-	*)
-	  absdir=`cd "$dir" && pwd`
-	  test -z "$absdir" && \
-	    func_fatal_error "cannot determine absolute directory name of \`$dir'"
-	  dir="$absdir"
-	  ;;
-	esac
-	case "$deplibs " in
-	*" -L$dir "* | *" $arg "*)
-	  # Will only happen for absolute or sysroot arguments
-	  ;;
-	*)
-	  # Preserve sysroot, but never include relative directories
-	  case $dir in
-	    [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;;
-	    *) func_append deplibs " -L$dir" ;;
-	  esac
-	  func_append lib_search_path " $dir"
-	  ;;
-	esac
-	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
-	  testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'`
-	  case :$dllsearchpath: in
-	  *":$dir:"*) ;;
-	  ::) dllsearchpath=$dir;;
-	  *) func_append dllsearchpath ":$dir";;
-	  esac
-	  case :$dllsearchpath: in
-	  *":$testbindir:"*) ;;
-	  ::) dllsearchpath=$testbindir;;
-	  *) func_append dllsearchpath ":$testbindir";;
-	  esac
-	  ;;
-	esac
-	deplibs="$deplibs $arg"
-	continue
-	;;
-
-      -l*)
-	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
-	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*)
-	    # These systems don't actually have a C or math library (as such)
-	    continue
-	    ;;
-	  *-*-os2*)
-	    # These systems don't actually have a C library (as such)
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
-	    # Do not include libc due to us having libc/libc_r.
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  *-*-rhapsody* | *-*-darwin1.[012])
-	    # Rhapsody C and math libraries are in the System framework
-	    func_append deplibs " System.ltframework"
-	    continue
-	    ;;
-	  *-*-sco3.2v5* | *-*-sco5v6*)
-	    # Causes problems with __ctype
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
-	    # Compiler inserts libc in the correct place for threads to work
-	    test "X$arg" = "X-lc" && continue
-	    ;;
-	  esac
-	elif test "X$arg" = "X-lc_r"; then
-	 case $host in
-	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
-	   # Do not include libc_r directly, use -pthread flag.
-	   continue
-	   ;;
-	 esac
-	fi
-	func_append deplibs " $arg"
-	continue
-	;;
-
-      -module)
-	module=yes
-	continue
-	;;
-
-      # Tru64 UNIX uses -model [arg] to determine the layout of C++
-      # classes, name mangling, and exception handling.
-      # Darwin uses the -arch flag to determine output architecture.
-      -model|-arch|-isysroot|--sysroot)
-	func_append compiler_flags " $arg"
-	func_append compile_command " $arg"
-	func_append finalize_command " $arg"
-	prev=xcompiler
-	continue
-	;;
-
-      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
-      |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
-	func_append compiler_flags " $arg"
-	func_append compile_command " $arg"
-	func_append finalize_command " $arg"
-	case "$new_inherited_linker_flags " in
-	    *" $arg "*) ;;
-	    * ) func_append new_inherited_linker_flags " $arg" ;;
-	esac
-	continue
-	;;
-
-      -multi_module)
-	single_module="${wl}-multi_module"
-	continue
-	;;
-
-      -no-fast-install)
-	fast_install=no
-	continue
-	;;
-
-      -no-install)
-	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin* | *-cegcc*)
-	  # The PATH hackery in wrapper scripts is required on Windows
-	  # and Darwin in order for the loader to find any dlls it needs.
-	  func_warning "\`-no-install' is ignored for $host"
-	  func_warning "assuming \`-no-fast-install' instead"
-	  fast_install=no
-	  ;;
-	*) no_install=yes ;;
-	esac
-	continue
-	;;
-
-      -no-undefined)
-	allow_undefined=no
-	continue
-	;;
-
-      -objectlist)
-	prev=objectlist
-	continue
-	;;
-
-      -o) prev=output ;;
-
-      -precious-files-regex)
-	prev=precious_regex
-	continue
-	;;
-
-      -release)
-	prev=release
-	continue
-	;;
-
-      -rpath)
-	prev=rpath
-	continue
-	;;
-
-      -R)
-	prev=xrpath
-	continue
-	;;
-
-      -R*)
-	func_stripname '-R' '' "$arg"
-	dir=$func_stripname_result
-	# We need an absolute path.
-	case $dir in
-	[\\/]* | [A-Za-z]:[\\/]*) ;;
-	=*)
-	  func_stripname '=' '' "$dir"
-	  dir=$lt_sysroot$func_stripname_result
-	  ;;
-	*)
-	  func_fatal_error "only absolute run-paths are allowed"
-	  ;;
-	esac
-	case "$xrpath " in
-	*" $dir "*) ;;
-	*) func_append xrpath " $dir" ;;
-	esac
-	continue
-	;;
-
-      -shared)
-	# The effects of -shared are defined in a previous loop.
-	continue
-	;;
-
-      -shrext)
-	prev=shrext
-	continue
-	;;
-
-      -static | -static-libtool-libs)
-	# The effects of -static are defined in a previous loop.
-	# We used to do the same as -all-static on platforms that
-	# didn't have a PIC flag, but the assumption that the effects
-	# would be equivalent was wrong.  It would break on at least
-	# Digital Unix and AIX.
-	continue
-	;;
-
-      -thread-safe)
-	thread_safe=yes
-	continue
-	;;
-
-      -version-info)
-	prev=vinfo
-	continue
-	;;
-
-      -version-number)
-	prev=vinfo
-	vinfo_number=yes
-	continue
-	;;
-
-      -weak)
-        prev=weak
-	continue
-	;;
-
-      -Wc,*)
-	func_stripname '-Wc,' '' "$arg"
-	args=$func_stripname_result
-	arg=
-	save_ifs="$IFS"; IFS=','
-	for flag in $args; do
-	  IFS="$save_ifs"
-          func_quote_for_eval "$flag"
-	  func_append arg " $func_quote_for_eval_result"
-	  func_append compiler_flags " $func_quote_for_eval_result"
-	done
-	IFS="$save_ifs"
-	func_stripname ' ' '' "$arg"
-	arg=$func_stripname_result
-	;;
-
-      -Wl,*)
-	func_stripname '-Wl,' '' "$arg"
-	args=$func_stripname_result
-	arg=
-	save_ifs="$IFS"; IFS=','
-	for flag in $args; do
-	  IFS="$save_ifs"
-          func_quote_for_eval "$flag"
-	  func_append arg " $wl$func_quote_for_eval_result"
-	  func_append compiler_flags " $wl$func_quote_for_eval_result"
-	  func_append linker_flags " $func_quote_for_eval_result"
-	done
-	IFS="$save_ifs"
-	func_stripname ' ' '' "$arg"
-	arg=$func_stripname_result
-	;;
-
-      -Xcompiler)
-	prev=xcompiler
-	continue
-	;;
-
-      -Xlinker)
-	prev=xlinker
-	continue
-	;;
-
-      -XCClinker)
-	prev=xcclinker
-	continue
-	;;
-
-      # -msg_* for osf cc
-      -msg_*)
-	func_quote_for_eval "$arg"
-	arg="$func_quote_for_eval_result"
-	;;
-
-      # Flags to be passed through unchanged, with rationale:
-      # -64, -mips[0-9]      enable 64-bit mode for the SGI compiler
-      # -r[0-9][0-9]*        specify processor for the SGI compiler
-      # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler
-      # +DA*, +DD*           enable 64-bit mode for the HP compiler
-      # -q*                  compiler args for the IBM compiler
-      # -m*, -t[45]*, -txscale* architecture-specific flags for GCC
-      # -F/path              path to uninstalled frameworks, gcc on darwin
-      # -p, -pg, --coverage, -fprofile-*  profiling flags for GCC
-      # @file                GCC response files
-      # -tp=*                Portland pgcc target processor selection
-      # --sysroot=*          for sysroot support
-      # -O*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
-      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
-      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
-      -O*|-flto*|-fwhopr*|-fuse-linker-plugin)
-        func_quote_for_eval "$arg"
-	arg="$func_quote_for_eval_result"
-        func_append compile_command " $arg"
-        func_append finalize_command " $arg"
-        func_append compiler_flags " $arg"
-        continue
-        ;;
-
-      # Some other compiler flag.
-      -* | +*)
-        func_quote_for_eval "$arg"
-	arg="$func_quote_for_eval_result"
-	;;
-
-      *.$objext)
-	# A standard object.
-	func_append objs " $arg"
-	;;
-
-      *.lo)
-	# A libtool-controlled object.
-
-	# Check to see that this really is a libtool object.
-	if func_lalib_unsafe_p "$arg"; then
-	  pic_object=
-	  non_pic_object=
-
-	  # Read the .lo file
-	  func_source "$arg"
-
-	  if test -z "$pic_object" ||
-	     test -z "$non_pic_object" ||
-	     test "$pic_object" = none &&
-	     test "$non_pic_object" = none; then
-	    func_fatal_error "cannot find name of object for \`$arg'"
-	  fi
-
-	  # Extract subdirectory from the argument.
-	  func_dirname "$arg" "/" ""
-	  xdir="$func_dirname_result"
-
-	  if test "$pic_object" != none; then
-	    # Prepend the subdirectory the object is found in.
-	    pic_object="$xdir$pic_object"
-
-	    if test "$prev" = dlfiles; then
-	      if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
-		func_append dlfiles " $pic_object"
-		prev=
-		continue
-	      else
-		# If libtool objects are unsupported, then we need to preload.
-		prev=dlprefiles
-	      fi
-	    fi
-
-	    # CHECK ME:  I think I busted this.  -Ossama
-	    if test "$prev" = dlprefiles; then
-	      # Preload the old-style object.
-	      func_append dlprefiles " $pic_object"
-	      prev=
-	    fi
-
-	    # A PIC object.
-	    func_append libobjs " $pic_object"
-	    arg="$pic_object"
-	  fi
-
-	  # Non-PIC object.
-	  if test "$non_pic_object" != none; then
-	    # Prepend the subdirectory the object is found in.
-	    non_pic_object="$xdir$non_pic_object"
-
-	    # A standard non-PIC object
-	    func_append non_pic_objects " $non_pic_object"
-	    if test -z "$pic_object" || test "$pic_object" = none ; then
-	      arg="$non_pic_object"
-	    fi
-	  else
-	    # If the PIC object exists, use it instead.
-	    # $xdir was prepended to $pic_object above.
-	    non_pic_object="$pic_object"
-	    func_append non_pic_objects " $non_pic_object"
-	  fi
-	else
-	  # Only an error if not doing a dry-run.
-	  if $opt_dry_run; then
-	    # Extract subdirectory from the argument.
-	    func_dirname "$arg" "/" ""
-	    xdir="$func_dirname_result"
-
-	    func_lo2o "$arg"
-	    pic_object=$xdir$objdir/$func_lo2o_result
-	    non_pic_object=$xdir$func_lo2o_result
-	    func_append libobjs " $pic_object"
-	    func_append non_pic_objects " $non_pic_object"
-	  else
-	    func_fatal_error "\`$arg' is not a valid libtool object"
-	  fi
-	fi
-	;;
-
-      *.$libext)
-	# An archive.
-	func_append deplibs " $arg"
-	func_append old_deplibs " $arg"
-	continue
-	;;
-
-      *.la)
-	# A libtool-controlled library.
-
-	func_resolve_sysroot "$arg"
-	if test "$prev" = dlfiles; then
-	  # This library was specified with -dlopen.
-	  func_append dlfiles " $func_resolve_sysroot_result"
-	  prev=
-	elif test "$prev" = dlprefiles; then
-	  # The library was specified with -dlpreopen.
-	  func_append dlprefiles " $func_resolve_sysroot_result"
-	  prev=
-	else
-	  func_append deplibs " $func_resolve_sysroot_result"
-	fi
-	continue
-	;;
-
-      # Some other compiler argument.
-      *)
-	# Unknown arguments in both finalize_command and compile_command need
-	# to be aesthetically quoted because they are evaled later.
-	func_quote_for_eval "$arg"
-	arg="$func_quote_for_eval_result"
-	;;
-      esac # arg
-
-      # Now actually substitute the argument into the commands.
-      if test -n "$arg"; then
-	func_append compile_command " $arg"
-	func_append finalize_command " $arg"
-      fi
-    done # argument parsing loop
-
-    test -n "$prev" && \
-      func_fatal_help "the \`$prevarg' option requires an argument"
-
-    if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
-      eval arg=\"$export_dynamic_flag_spec\"
-      func_append compile_command " $arg"
-      func_append finalize_command " $arg"
-    fi
-
-    oldlibs=
-    # calculate the name of the file, without its directory
-    func_basename "$output"
-    outputname="$func_basename_result"
-    libobjs_save="$libobjs"
-
-    if test -n "$shlibpath_var"; then
-      # get the directories listed in $shlibpath_var
-      eval shlib_search_path=\`\$ECHO \"\${$shlibpath_var}\" \| \$SED \'s/:/ /g\'\`
-    else
-      shlib_search_path=
-    fi
-    eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
-    eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
-
-    func_dirname "$output" "/" ""
-    output_objdir="$func_dirname_result$objdir"
-    func_to_tool_file "$output_objdir/"
-    tool_output_objdir=$func_to_tool_file_result
-    # Create the object directory.
-    func_mkdir_p "$output_objdir"
-
-    # Determine the type of output
-    case $output in
-    "")
-      func_fatal_help "you must specify an output file"
-      ;;
-    *.$libext) linkmode=oldlib ;;
-    *.lo | *.$objext) linkmode=obj ;;
-    *.la) linkmode=lib ;;
-    *) linkmode=prog ;; # Anything else should be a program.
-    esac
-
-    specialdeplibs=
-
-    libs=
-    # Find all interdependent deplibs by searching for libraries
-    # that are linked more than once (e.g. -la -lb -la)
-    for deplib in $deplibs; do
-      if $opt_preserve_dup_deps ; then
-	case "$libs " in
-	*" $deplib "*) func_append specialdeplibs " $deplib" ;;
-	esac
-      fi
-      func_append libs " $deplib"
-    done
-
-    if test "$linkmode" = lib; then
-      libs="$predeps $libs $compiler_lib_search_path $postdeps"
-
-      # Compute libraries that are listed more than once in $predeps
-      # $postdeps and mark them as special (i.e., whose duplicates are
-      # not to be eliminated).
-      pre_post_deps=
-      if $opt_duplicate_compiler_generated_deps; then
-	for pre_post_dep in $predeps $postdeps; do
-	  case "$pre_post_deps " in
-	  *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;;
-	  esac
-	  func_append pre_post_deps " $pre_post_dep"
-	done
-      fi
-      pre_post_deps=
-    fi
-
-    deplibs=
-    newdependency_libs=
-    newlib_search_path=
-    need_relink=no # whether we're linking any uninstalled libtool libraries
-    notinst_deplibs= # not-installed libtool libraries
-    notinst_path= # paths that contain not-installed libtool libraries
-
-    case $linkmode in
-    lib)
-	passes="conv dlpreopen link"
-	for file in $dlfiles $dlprefiles; do
-	  case $file in
-	  *.la) ;;
-	  *)
-	    func_fatal_help "libraries can \`-dlopen' only libtool libraries: $file"
-	    ;;
-	  esac
-	done
-	;;
-    prog)
-	compile_deplibs=
-	finalize_deplibs=
-	alldeplibs=no
-	newdlfiles=
-	newdlprefiles=
-	passes="conv scan dlopen dlpreopen link"
-	;;
-    *)  passes="conv"
-	;;
-    esac
-
-    for pass in $passes; do
-      # The preopen pass in lib mode reverses $deplibs; put it back here
-      # so that -L comes before libs that need it for instance...
-      if test "$linkmode,$pass" = "lib,link"; then
-	## FIXME: Find the place where the list is rebuilt in the wrong
-	##        order, and fix it there properly
-        tmp_deplibs=
-	for deplib in $deplibs; do
-	  tmp_deplibs="$deplib $tmp_deplibs"
-	done
-	deplibs="$tmp_deplibs"
-      fi
-
-      if test "$linkmode,$pass" = "lib,link" ||
-	 test "$linkmode,$pass" = "prog,scan"; then
-	libs="$deplibs"
-	deplibs=
-      fi
-      if test "$linkmode" = prog; then
-	case $pass in
-	dlopen) libs="$dlfiles" ;;
-	dlpreopen) libs="$dlprefiles" ;;
-	link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
-	esac
-      fi
-      if test "$linkmode,$pass" = "lib,dlpreopen"; then
-	# Collect and forward deplibs of preopened libtool libs
-	for lib in $dlprefiles; do
-	  # Ignore non-libtool-libs
-	  dependency_libs=
-	  func_resolve_sysroot "$lib"
-	  case $lib in
-	  *.la)	func_source "$func_resolve_sysroot_result" ;;
-	  esac
-
-	  # Collect preopened libtool deplibs, except any this library
-	  # has declared as weak libs
-	  for deplib in $dependency_libs; do
-	    func_basename "$deplib"
-            deplib_base=$func_basename_result
-	    case " $weak_libs " in
-	    *" $deplib_base "*) ;;
-	    *) func_append deplibs " $deplib" ;;
-	    esac
-	  done
-	done
-	libs="$dlprefiles"
-      fi
-      if test "$pass" = dlopen; then
-	# Collect dlpreopened libraries
-	save_deplibs="$deplibs"
-	deplibs=
-      fi
-
-      for deplib in $libs; do
-	lib=
-	found=no
-	case $deplib in
-	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
-        |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
-	  if test "$linkmode,$pass" = "prog,link"; then
-	    compile_deplibs="$deplib $compile_deplibs"
-	    finalize_deplibs="$deplib $finalize_deplibs"
-	  else
-	    func_append compiler_flags " $deplib"
-	  fi
-
-	  case $linkmode in
-	  lib)
-	    deplibs="$deplib $deplibs"
-	    test "$pass" = conv && continue
-	    newdependency_libs="$deplib $newdependency_libs"
-	    ;;
-	  prog)
-	    if test "$pass" = conv; then
-	      deplibs="$deplib $deplibs"
-	      continue
-	    fi
-	    if test "$pass" = scan; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    fi
-	    ;;
-	  *)
-	    ;;
-	  esac # linkmode
-
-	  continue
-	  ;;
-	-l*)
-	  if test "$linkmode" != lib && test "$linkmode" != prog; then
-	    func_warning "\`-l' is ignored for archives/objects"
-	    continue
-	  fi
-	  func_stripname '-l' '' "$deplib"
-	  name=$func_stripname_result
-	  if test "$linkmode" = lib; then
-	    searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path"
-	  else
-	    searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path"
-	  fi
-	  for searchdir in $searchdirs; do
-	    for search_ext in .la $std_shrext .so .a; do
-	      # Search the libtool library
-	      lib="$searchdir/lib${name}${search_ext}"
-	      if test -f "$lib"; then
-		if test "$search_ext" = ".la"; then
-		  found=yes
-		else
-		  found=no
-		fi
-		break 2
-	      fi
-	    done
-	  done
-	  if test "$found" != yes; then
-	    # deplib doesn't seem to be a libtool library
-	    if test "$linkmode,$pass" = "prog,link"; then
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    else
-	      deplibs="$deplib $deplibs"
-	      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
-	    fi
-	    continue
-	  else # deplib is a libtool library
-	    # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
-	    # We need to do some special things here, and not later.
-	    if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-	      case " $predeps $postdeps " in
-	      *" $deplib "*)
-		if func_lalib_p "$lib"; then
-		  library_names=
-		  old_library=
-		  func_source "$lib"
-		  for l in $old_library $library_names; do
-		    ll="$l"
-		  done
-		  if test "X$ll" = "X$old_library" ; then # only static version available
-		    found=no
-		    func_dirname "$lib" "" "."
-		    ladir="$func_dirname_result"
-		    lib=$ladir/$old_library
-		    if test "$linkmode,$pass" = "prog,link"; then
-		      compile_deplibs="$deplib $compile_deplibs"
-		      finalize_deplibs="$deplib $finalize_deplibs"
-		    else
-		      deplibs="$deplib $deplibs"
-		      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
-		    fi
-		    continue
-		  fi
-		fi
-		;;
-	      *) ;;
-	      esac
-	    fi
-	  fi
-	  ;; # -l
-	*.ltframework)
-	  if test "$linkmode,$pass" = "prog,link"; then
-	    compile_deplibs="$deplib $compile_deplibs"
-	    finalize_deplibs="$deplib $finalize_deplibs"
-	  else
-	    deplibs="$deplib $deplibs"
-	    if test "$linkmode" = lib ; then
-		case "$new_inherited_linker_flags " in
-		    *" $deplib "*) ;;
-		    * ) func_append new_inherited_linker_flags " $deplib" ;;
-		esac
-	    fi
-	  fi
-	  continue
-	  ;;
-	-L*)
-	  case $linkmode in
-	  lib)
-	    deplibs="$deplib $deplibs"
-	    test "$pass" = conv && continue
-	    newdependency_libs="$deplib $newdependency_libs"
-	    func_stripname '-L' '' "$deplib"
-	    func_resolve_sysroot "$func_stripname_result"
-	    func_append newlib_search_path " $func_resolve_sysroot_result"
-	    ;;
-	  prog)
-	    if test "$pass" = conv; then
-	      deplibs="$deplib $deplibs"
-	      continue
-	    fi
-	    if test "$pass" = scan; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    fi
-	    func_stripname '-L' '' "$deplib"
-	    func_resolve_sysroot "$func_stripname_result"
-	    func_append newlib_search_path " $func_resolve_sysroot_result"
-	    ;;
-	  *)
-	    func_warning "\`-L' is ignored for archives/objects"
-	    ;;
-	  esac # linkmode
-	  continue
-	  ;; # -L
-	-R*)
-	  if test "$pass" = link; then
-	    func_stripname '-R' '' "$deplib"
-	    func_resolve_sysroot "$func_stripname_result"
-	    dir=$func_resolve_sysroot_result
-	    # Make sure the xrpath contains only unique directories.
-	    case "$xrpath " in
-	    *" $dir "*) ;;
-	    *) func_append xrpath " $dir" ;;
-	    esac
-	  fi
-	  deplibs="$deplib $deplibs"
-	  continue
-	  ;;
-	*.la)
-	  func_resolve_sysroot "$deplib"
-	  lib=$func_resolve_sysroot_result
-	  ;;
-	*.$libext)
-	  if test "$pass" = conv; then
-	    deplibs="$deplib $deplibs"
-	    continue
-	  fi
-	  case $linkmode in
-	  lib)
-	    # Linking convenience modules into shared libraries is allowed,
-	    # but linking other static libraries is non-portable.
-	    case " $dlpreconveniencelibs " in
-	    *" $deplib "*) ;;
-	    *)
-	      valid_a_lib=no
-	      case $deplibs_check_method in
-		match_pattern*)
-		  set dummy $deplibs_check_method; shift
-		  match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
-		  if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \
-		    | $EGREP "$match_pattern_regex" > /dev/null; then
-		    valid_a_lib=yes
-		  fi
-		;;
-		pass_all)
-		  valid_a_lib=yes
-		;;
-	      esac
-	      if test "$valid_a_lib" != yes; then
-		echo
-		$ECHO "*** Warning: Trying to link with static lib archive $deplib."
-		echo "*** I have the capability to make that library automatically link in when"
-		echo "*** you link to this library.  But I can only do this if you have a"
-		echo "*** shared version of the library, which you do not appear to have"
-		echo "*** because the file extensions .$libext of this argument makes me believe"
-		echo "*** that it is just a static archive that I should not use here."
-	      else
-		echo
-		$ECHO "*** Warning: Linking the shared library $output against the"
-		$ECHO "*** static library $deplib is not portable!"
-		deplibs="$deplib $deplibs"
-	      fi
-	      ;;
-	    esac
-	    continue
-	    ;;
-	  prog)
-	    if test "$pass" != link; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    fi
-	    continue
-	    ;;
-	  esac # linkmode
-	  ;; # *.$libext
-	*.lo | *.$objext)
-	  if test "$pass" = conv; then
-	    deplibs="$deplib $deplibs"
-	  elif test "$linkmode" = prog; then
-	    if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
-	      # If there is no dlopen support or we're linking statically,
-	      # we need to preload.
-	      func_append newdlprefiles " $deplib"
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    else
-	      func_append newdlfiles " $deplib"
-	    fi
-	  fi
-	  continue
-	  ;;
-	%DEPLIBS%)
-	  alldeplibs=yes
-	  continue
-	  ;;
-	esac # case $deplib
-
-	if test "$found" = yes || test -f "$lib"; then :
-	else
-	  func_fatal_error "cannot find the library \`$lib' or unhandled argument \`$deplib'"
-	fi
-
-	# Check to see that this really is a libtool archive.
-	func_lalib_unsafe_p "$lib" \
-	  || func_fatal_error "\`$lib' is not a valid libtool archive"
-
-	func_dirname "$lib" "" "."
-	ladir="$func_dirname_result"
-
-	dlname=
-	dlopen=
-	dlpreopen=
-	libdir=
-	library_names=
-	old_library=
-	inherited_linker_flags=
-	# If the library was installed with an old release of libtool,
-	# it will not redefine variables installed, or shouldnotlink
-	installed=yes
-	shouldnotlink=no
-	avoidtemprpath=
-
-
-	# Read the .la file
-	func_source "$lib"
-
-	# Convert "-framework foo" to "foo.ltframework"
-	if test -n "$inherited_linker_flags"; then
-	  tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'`
-	  for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do
-	    case " $new_inherited_linker_flags " in
-	      *" $tmp_inherited_linker_flag "*) ;;
-	      *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";;
-	    esac
-	  done
-	fi
-	dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
-	if test "$linkmode,$pass" = "lib,link" ||
-	   test "$linkmode,$pass" = "prog,scan" ||
-	   { test "$linkmode" != prog && test "$linkmode" != lib; }; then
-	  test -n "$dlopen" && func_append dlfiles " $dlopen"
-	  test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen"
-	fi
-
-	if test "$pass" = conv; then
-	  # Only check for convenience libraries
-	  deplibs="$lib $deplibs"
-	  if test -z "$libdir"; then
-	    if test -z "$old_library"; then
-	      func_fatal_error "cannot find name of link library for \`$lib'"
-	    fi
-	    # It is a libtool convenience library, so add in its objects.
-	    func_append convenience " $ladir/$objdir/$old_library"
-	    func_append old_convenience " $ladir/$objdir/$old_library"
-	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
-	    func_fatal_error "\`$lib' is not a convenience library"
-	  fi
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    deplibs="$deplib $deplibs"
-	    if $opt_preserve_dup_deps ; then
-	      case "$tmp_libs " in
-	      *" $deplib "*) func_append specialdeplibs " $deplib" ;;
-	      esac
-	    fi
-	    func_append tmp_libs " $deplib"
-	  done
-	  continue
-	fi # $pass = conv
-
-
-	# Get the name of the library we link against.
-	linklib=
-	if test -n "$old_library" &&
-	   { test "$prefer_static_libs" = yes ||
-	     test "$prefer_static_libs,$installed" = "built,no"; }; then
-	  linklib=$old_library
-	else
-	  for l in $old_library $library_names; do
-	    linklib="$l"
-	  done
-	fi
-	if test -z "$linklib"; then
-	  func_fatal_error "cannot find name of link library for \`$lib'"
-	fi
-
-	# This library was specified with -dlopen.
-	if test "$pass" = dlopen; then
-	  if test -z "$libdir"; then
-	    func_fatal_error "cannot -dlopen a convenience library: \`$lib'"
-	  fi
-	  if test -z "$dlname" ||
-	     test "$dlopen_support" != yes ||
-	     test "$build_libtool_libs" = no; then
-	    # If there is no dlname, no dlopen support or we're linking
-	    # statically, we need to preload.  We also need to preload any
-	    # dependent libraries so libltdl's deplib preloader doesn't
-	    # bomb out in the load deplibs phase.
-	    func_append dlprefiles " $lib $dependency_libs"
-	  else
-	    func_append newdlfiles " $lib"
-	  fi
-	  continue
-	fi # $pass = dlopen
-
-	# We need an absolute path.
-	case $ladir in
-	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
-	*)
-	  abs_ladir=`cd "$ladir" && pwd`
-	  if test -z "$abs_ladir"; then
-	    func_warning "cannot determine absolute directory name of \`$ladir'"
-	    func_warning "passing it literally to the linker, although it might fail"
-	    abs_ladir="$ladir"
-	  fi
-	  ;;
-	esac
-	func_basename "$lib"
-	laname="$func_basename_result"
-
-	# Find the relevant object directory and library name.
-	if test "X$installed" = Xyes; then
-	  if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
-	    func_warning "library \`$lib' was moved."
-	    dir="$ladir"
-	    absdir="$abs_ladir"
-	    libdir="$abs_ladir"
-	  else
-	    dir="$lt_sysroot$libdir"
-	    absdir="$lt_sysroot$libdir"
-	  fi
-	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
-	else
-	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
-	    dir="$ladir"
-	    absdir="$abs_ladir"
-	    # Remove this search path later
-	    func_append notinst_path " $abs_ladir"
-	  else
-	    dir="$ladir/$objdir"
-	    absdir="$abs_ladir/$objdir"
-	    # Remove this search path later
-	    func_append notinst_path " $abs_ladir"
-	  fi
-	fi # $installed = yes
-	func_stripname 'lib' '.la' "$laname"
-	name=$func_stripname_result
-
-	# This library was specified with -dlpreopen.
-	if test "$pass" = dlpreopen; then
-	  if test -z "$libdir" && test "$linkmode" = prog; then
-	    func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'"
-	  fi
-	  case "$host" in
-	    # special handling for platforms with PE-DLLs.
-	    *cygwin* | *mingw* | *cegcc* )
-	      # Linker will automatically link against shared library if both
-	      # static and shared are present.  Therefore, ensure we extract
-	      # symbols from the import library if a shared library is present
-	      # (otherwise, the dlopen module name will be incorrect).  We do
-	      # this by putting the import library name into $newdlprefiles.
-	      # We recover the dlopen module name by 'saving' the la file
-	      # name in a special purpose variable, and (later) extracting the
-	      # dlname from the la file.
-	      if test -n "$dlname"; then
-	        func_tr_sh "$dir/$linklib"
-	        eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname"
-	        func_append newdlprefiles " $dir/$linklib"
-	      else
-	        func_append newdlprefiles " $dir/$old_library"
-	        # Keep a list of preopened convenience libraries to check
-	        # that they are being used correctly in the link pass.
-	        test -z "$libdir" && \
-	          func_append dlpreconveniencelibs " $dir/$old_library"
-	      fi
-	    ;;
-	    * )
-	      # Prefer using a static library (so that no silly _DYNAMIC symbols
-	      # are required to link).
-	      if test -n "$old_library"; then
-	        func_append newdlprefiles " $dir/$old_library"
-	        # Keep a list of preopened convenience libraries to check
-	        # that they are being used correctly in the link pass.
-	        test -z "$libdir" && \
-	          func_append dlpreconveniencelibs " $dir/$old_library"
-	      # Otherwise, use the dlname, so that lt_dlopen finds it.
-	      elif test -n "$dlname"; then
-	        func_append newdlprefiles " $dir/$dlname"
-	      else
-	        func_append newdlprefiles " $dir/$linklib"
-	      fi
-	    ;;
-	  esac
-	fi # $pass = dlpreopen
-
-	if test -z "$libdir"; then
-	  # Link the convenience library
-	  if test "$linkmode" = lib; then
-	    deplibs="$dir/$old_library $deplibs"
-	  elif test "$linkmode,$pass" = "prog,link"; then
-	    compile_deplibs="$dir/$old_library $compile_deplibs"
-	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
-	  else
-	    deplibs="$lib $deplibs" # used for prog,scan pass
-	  fi
-	  continue
-	fi
-
-
-	if test "$linkmode" = prog && test "$pass" != link; then
-	  func_append newlib_search_path " $ladir"
-	  deplibs="$lib $deplibs"
-
-	  linkalldeplibs=no
-	  if test "$link_all_deplibs" != no || test -z "$library_names" ||
-	     test "$build_libtool_libs" = no; then
-	    linkalldeplibs=yes
-	  fi
-
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    case $deplib in
-	    -L*) func_stripname '-L' '' "$deplib"
-	         func_resolve_sysroot "$func_stripname_result"
-	         func_append newlib_search_path " $func_resolve_sysroot_result"
-		 ;;
-	    esac
-	    # Need to link against all dependency_libs?
-	    if test "$linkalldeplibs" = yes; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      # Need to hardcode shared library paths
-	      # or/and link against static libraries
-	      newdependency_libs="$deplib $newdependency_libs"
-	    fi
-	    if $opt_preserve_dup_deps ; then
-	      case "$tmp_libs " in
-	      *" $deplib "*) func_append specialdeplibs " $deplib" ;;
-	      esac
-	    fi
-	    func_append tmp_libs " $deplib"
-	  done # for deplib
-	  continue
-	fi # $linkmode = prog...
-
-	if test "$linkmode,$pass" = "prog,link"; then
-	  if test -n "$library_names" &&
-	     { { test "$prefer_static_libs" = no ||
-	         test "$prefer_static_libs,$installed" = "built,yes"; } ||
-	       test -z "$old_library"; }; then
-	    # We need to hardcode the library path
-	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
-	      # Make sure the rpath contains only unique directories.
-	      case "$temp_rpath:" in
-	      *"$absdir:"*) ;;
-	      *) func_append temp_rpath "$absdir:" ;;
-	      esac
-	    fi
-
-	    # Hardcode the library path.
-	    # Skip directories that are in the system default run-time
-	    # search path.
-	    case " $sys_lib_dlsearch_path " in
-	    *" $absdir "*) ;;
-	    *)
-	      case "$compile_rpath " in
-	      *" $absdir "*) ;;
-	      *) func_append compile_rpath " $absdir" ;;
-	      esac
-	      ;;
-	    esac
-	    case " $sys_lib_dlsearch_path " in
-	    *" $libdir "*) ;;
-	    *)
-	      case "$finalize_rpath " in
-	      *" $libdir "*) ;;
-	      *) func_append finalize_rpath " $libdir" ;;
-	      esac
-	      ;;
-	    esac
-	  fi # $linkmode,$pass = prog,link...
-
-	  if test "$alldeplibs" = yes &&
-	     { test "$deplibs_check_method" = pass_all ||
-	       { test "$build_libtool_libs" = yes &&
-		 test -n "$library_names"; }; }; then
-	    # We only need to search for static libraries
-	    continue
-	  fi
-	fi
-
-	link_static=no # Whether the deplib will be linked statically
-	use_static_libs=$prefer_static_libs
-	if test "$use_static_libs" = built && test "$installed" = yes; then
-	  use_static_libs=no
-	fi
-	if test -n "$library_names" &&
-	   { test "$use_static_libs" = no || test -z "$old_library"; }; then
-	  case $host in
-	  *cygwin* | *mingw* | *cegcc*)
-	      # No point in relinking DLLs because paths are not encoded
-	      func_append notinst_deplibs " $lib"
-	      need_relink=no
-	    ;;
-	  *)
-	    if test "$installed" = no; then
-	      func_append notinst_deplibs " $lib"
-	      need_relink=yes
-	    fi
-	    ;;
-	  esac
-	  # This is a shared library
-
-	  # Warn about portability, can't link against -module's on some
-	  # systems (darwin).  Don't bleat about dlopened modules though!
-	  dlopenmodule=""
-	  for dlpremoduletest in $dlprefiles; do
-	    if test "X$dlpremoduletest" = "X$lib"; then
-	      dlopenmodule="$dlpremoduletest"
-	      break
-	    fi
-	  done
-	  if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then
-	    echo
-	    if test "$linkmode" = prog; then
-	      $ECHO "*** Warning: Linking the executable $output against the loadable module"
-	    else
-	      $ECHO "*** Warning: Linking the shared library $output against the loadable module"
-	    fi
-	    $ECHO "*** $linklib is not portable!"
-	  fi
-	  if test "$linkmode" = lib &&
-	     test "$hardcode_into_libs" = yes; then
-	    # Hardcode the library path.
-	    # Skip directories that are in the system default run-time
-	    # search path.
-	    case " $sys_lib_dlsearch_path " in
-	    *" $absdir "*) ;;
-	    *)
-	      case "$compile_rpath " in
-	      *" $absdir "*) ;;
-	      *) func_append compile_rpath " $absdir" ;;
-	      esac
-	      ;;
-	    esac
-	    case " $sys_lib_dlsearch_path " in
-	    *" $libdir "*) ;;
-	    *)
-	      case "$finalize_rpath " in
-	      *" $libdir "*) ;;
-	      *) func_append finalize_rpath " $libdir" ;;
-	      esac
-	      ;;
-	    esac
-	  fi
-
-	  if test -n "$old_archive_from_expsyms_cmds"; then
-	    # figure out the soname
-	    set dummy $library_names
-	    shift
-	    realname="$1"
-	    shift
-	    libname=`eval "\\$ECHO \"$libname_spec\""`
-	    # use dlname if we got it. it's perfectly good, no?
-	    if test -n "$dlname"; then
-	      soname="$dlname"
-	    elif test -n "$soname_spec"; then
-	      # bleh windows
-	      case $host in
-	      *cygwin* | mingw* | *cegcc*)
-	        func_arith $current - $age
-		major=$func_arith_result
-		versuffix="-$major"
-		;;
-	      esac
-	      eval soname=\"$soname_spec\"
-	    else
-	      soname="$realname"
-	    fi
-
-	    # Make a new name for the extract_expsyms_cmds to use
-	    soroot="$soname"
-	    func_basename "$soroot"
-	    soname="$func_basename_result"
-	    func_stripname 'lib' '.dll' "$soname"
-	    newlib=libimp-$func_stripname_result.a
-
-	    # If the library has no export list, then create one now
-	    if test -f "$output_objdir/$soname-def"; then :
-	    else
-	      func_verbose "extracting exported symbol list from \`$soname'"
-	      func_execute_cmds "$extract_expsyms_cmds" 'exit $?'
-	    fi
-
-	    # Create $newlib
-	    if test -f "$output_objdir/$newlib"; then :; else
-	      func_verbose "generating import library for \`$soname'"
-	      func_execute_cmds "$old_archive_from_expsyms_cmds" 'exit $?'
-	    fi
-	    # make sure the library variables are pointing to the new library
-	    dir=$output_objdir
-	    linklib=$newlib
-	  fi # test -n "$old_archive_from_expsyms_cmds"
-
-	  if test "$linkmode" = prog || test "$opt_mode" != relink; then
-	    add_shlibpath=
-	    add_dir=
-	    add=
-	    lib_linked=yes
-	    case $hardcode_action in
-	    immediate | unsupported)
-	      if test "$hardcode_direct" = no; then
-		add="$dir/$linklib"
-		case $host in
-		  *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;;
-		  *-*-sysv4*uw2*) add_dir="-L$dir" ;;
-		  *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
-		    *-*-unixware7*) add_dir="-L$dir" ;;
-		  *-*-darwin* )
-		    # if the lib is a (non-dlopened) module then we can not
-		    # link against it, someone is ignoring the earlier warnings
-		    if /usr/bin/file -L $add 2> /dev/null |
-			 $GREP ": [^:]* bundle" >/dev/null ; then
-		      if test "X$dlopenmodule" != "X$lib"; then
-			$ECHO "*** Warning: lib $linklib is a module, not a shared library"
-			if test -z "$old_library" ; then
-			  echo
-			  echo "*** And there doesn't seem to be a static archive available"
-			  echo "*** The link will probably fail, sorry"
-			else
-			  add="$dir/$old_library"
-			fi
-		      elif test -n "$old_library"; then
-			add="$dir/$old_library"
-		      fi
-		    fi
-		esac
-	      elif test "$hardcode_minus_L" = no; then
-		case $host in
-		*-*-sunos*) add_shlibpath="$dir" ;;
-		esac
-		add_dir="-L$dir"
-		add="-l$name"
-	      elif test "$hardcode_shlibpath_var" = no; then
-		add_shlibpath="$dir"
-		add="-l$name"
-	      else
-		lib_linked=no
-	      fi
-	      ;;
-	    relink)
-	      if test "$hardcode_direct" = yes &&
-	         test "$hardcode_direct_absolute" = no; then
-		add="$dir/$linklib"
-	      elif test "$hardcode_minus_L" = yes; then
-		add_dir="-L$absdir"
-		# Try looking first in the location we're being installed to.
-		if test -n "$inst_prefix_dir"; then
-		  case $libdir in
-		    [\\/]*)
-		      func_append add_dir " -L$inst_prefix_dir$libdir"
-		      ;;
-		  esac
-		fi
-		add="-l$name"
-	      elif test "$hardcode_shlibpath_var" = yes; then
-		add_shlibpath="$dir"
-		add="-l$name"
-	      else
-		lib_linked=no
-	      fi
-	      ;;
-	    *) lib_linked=no ;;
-	    esac
-
-	    if test "$lib_linked" != yes; then
-	      func_fatal_configuration "unsupported hardcode properties"
-	    fi
-
-	    if test -n "$add_shlibpath"; then
-	      case :$compile_shlibpath: in
-	      *":$add_shlibpath:"*) ;;
-	      *) func_append compile_shlibpath "$add_shlibpath:" ;;
-	      esac
-	    fi
-	    if test "$linkmode" = prog; then
-	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
-	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
-	    else
-	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
-	      test -n "$add" && deplibs="$add $deplibs"
-	      if test "$hardcode_direct" != yes &&
-		 test "$hardcode_minus_L" != yes &&
-		 test "$hardcode_shlibpath_var" = yes; then
-		case :$finalize_shlibpath: in
-		*":$libdir:"*) ;;
-		*) func_append finalize_shlibpath "$libdir:" ;;
-		esac
-	      fi
-	    fi
-	  fi
-
-	  if test "$linkmode" = prog || test "$opt_mode" = relink; then
-	    add_shlibpath=
-	    add_dir=
-	    add=
-	    # Finalize command for both is simple: just hardcode it.
-	    if test "$hardcode_direct" = yes &&
-	       test "$hardcode_direct_absolute" = no; then
-	      add="$libdir/$linklib"
-	    elif test "$hardcode_minus_L" = yes; then
-	      add_dir="-L$libdir"
-	      add="-l$name"
-	    elif test "$hardcode_shlibpath_var" = yes; then
-	      case :$finalize_shlibpath: in
-	      *":$libdir:"*) ;;
-	      *) func_append finalize_shlibpath "$libdir:" ;;
-	      esac
-	      add="-l$name"
-	    elif test "$hardcode_automatic" = yes; then
-	      if test -n "$inst_prefix_dir" &&
-		 test -f "$inst_prefix_dir$libdir/$linklib" ; then
-		add="$inst_prefix_dir$libdir/$linklib"
-	      else
-		add="$libdir/$linklib"
-	      fi
-	    else
-	      # We cannot seem to hardcode it, guess we'll fake it.
-	      add_dir="-L$libdir"
-	      # Try looking first in the location we're being installed to.
-	      if test -n "$inst_prefix_dir"; then
-		case $libdir in
-		  [\\/]*)
-		    func_append add_dir " -L$inst_prefix_dir$libdir"
-		    ;;
-		esac
-	      fi
-	      add="-l$name"
-	    fi
-
-	    if test "$linkmode" = prog; then
-	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
-	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
-	    else
-	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
-	      test -n "$add" && deplibs="$add $deplibs"
-	    fi
-	  fi
-	elif test "$linkmode" = prog; then
-	  # Here we assume that one of hardcode_direct or hardcode_minus_L
-	  # is not unsupported.  This is valid on all known static and
-	  # shared platforms.
-	  if test "$hardcode_direct" != unsupported; then
-	    test -n "$old_library" && linklib="$old_library"
-	    compile_deplibs="$dir/$linklib $compile_deplibs"
-	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
-	  else
-	    compile_deplibs="-l$name -L$dir $compile_deplibs"
-	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
-	  fi
-	elif test "$build_libtool_libs" = yes; then
-	  # Not a shared library
-	  if test "$deplibs_check_method" != pass_all; then
-	    # We're trying link a shared library against a static one
-	    # but the system doesn't support it.
-
-	    # Just print a warning and add the library to dependency_libs so
-	    # that the program can be linked against the static library.
-	    echo
-	    $ECHO "*** Warning: This system can not link to static lib archive $lib."
-	    echo "*** I have the capability to make that library automatically link in when"
-	    echo "*** you link to this library.  But I can only do this if you have a"
-	    echo "*** shared version of the library, which you do not appear to have."
-	    if test "$module" = yes; then
-	      echo "*** But as you try to build a module library, libtool will still create "
-	      echo "*** a static module, that should work as long as the dlopening application"
-	      echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
-	      if test -z "$global_symbol_pipe"; then
-		echo
-		echo "*** However, this would only work if libtool was able to extract symbol"
-		echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
-		echo "*** not find such a program.  So, this module is probably useless."
-		echo "*** \`nm' from GNU binutils and a full rebuild may help."
-	      fi
-	      if test "$build_old_libs" = no; then
-		build_libtool_libs=module
-		build_old_libs=yes
-	      else
-		build_libtool_libs=no
-	      fi
-	    fi
-	  else
-	    deplibs="$dir/$old_library $deplibs"
-	    link_static=yes
-	  fi
-	fi # link shared/static library?
-
-	if test "$linkmode" = lib; then
-	  if test -n "$dependency_libs" &&
-	     { test "$hardcode_into_libs" != yes ||
-	       test "$build_old_libs" = yes ||
-	       test "$link_static" = yes; }; then
-	    # Extract -R from dependency_libs
-	    temp_deplibs=
-	    for libdir in $dependency_libs; do
-	      case $libdir in
-	      -R*) func_stripname '-R' '' "$libdir"
-	           temp_xrpath=$func_stripname_result
-		   case " $xrpath " in
-		   *" $temp_xrpath "*) ;;
-		   *) func_append xrpath " $temp_xrpath";;
-		   esac;;
-	      *) func_append temp_deplibs " $libdir";;
-	      esac
-	    done
-	    dependency_libs="$temp_deplibs"
-	  fi
-
-	  func_append newlib_search_path " $absdir"
-	  # Link against this library
-	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
-	  # ... and its dependency_libs
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    newdependency_libs="$deplib $newdependency_libs"
-	    case $deplib in
-              -L*) func_stripname '-L' '' "$deplib"
-                   func_resolve_sysroot "$func_stripname_result";;
-              *) func_resolve_sysroot "$deplib" ;;
-            esac
-	    if $opt_preserve_dup_deps ; then
-	      case "$tmp_libs " in
-	      *" $func_resolve_sysroot_result "*)
-                func_append specialdeplibs " $func_resolve_sysroot_result" ;;
-	      esac
-	    fi
-	    func_append tmp_libs " $func_resolve_sysroot_result"
-	  done
-
-	  if test "$link_all_deplibs" != no; then
-	    # Add the search paths of all dependency libraries
-	    for deplib in $dependency_libs; do
-	      path=
-	      case $deplib in
-	      -L*) path="$deplib" ;;
-	      *.la)
-	        func_resolve_sysroot "$deplib"
-	        deplib=$func_resolve_sysroot_result
-	        func_dirname "$deplib" "" "."
-		dir=$func_dirname_result
-		# We need an absolute path.
-		case $dir in
-		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
-		*)
-		  absdir=`cd "$dir" && pwd`
-		  if test -z "$absdir"; then
-		    func_warning "cannot determine absolute directory name of \`$dir'"
-		    absdir="$dir"
-		  fi
-		  ;;
-		esac
-		if $GREP "^installed=no" $deplib > /dev/null; then
-		case $host in
-		*-*-darwin*)
-		  depdepl=
-		  eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
-		  if test -n "$deplibrary_names" ; then
-		    for tmp in $deplibrary_names ; do
-		      depdepl=$tmp
-		    done
-		    if test -f "$absdir/$objdir/$depdepl" ; then
-		      depdepl="$absdir/$objdir/$depdepl"
-		      darwin_install_name=`${OTOOL} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'`
-                      if test -z "$darwin_install_name"; then
-                          darwin_install_name=`${OTOOL64} -L $depdepl  | awk '{if (NR == 2) {print $1;exit}}'`
-                      fi
-		      func_append compiler_flags " ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}"
-		      func_append linker_flags " -dylib_file ${darwin_install_name}:${depdepl}"
-		      path=
-		    fi
-		  fi
-		  ;;
-		*)
-		  path="-L$absdir/$objdir"
-		  ;;
-		esac
-		else
-		  eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
-		  test -z "$libdir" && \
-		    func_fatal_error "\`$deplib' is not a valid libtool archive"
-		  test "$absdir" != "$libdir" && \
-		    func_warning "\`$deplib' seems to be moved"
-
-		  path="-L$absdir"
-		fi
-		;;
-	      esac
-	      case " $deplibs " in
-	      *" $path "*) ;;
-	      *) deplibs="$path $deplibs" ;;
-	      esac
-	    done
-	  fi # link_all_deplibs != no
-	fi # linkmode = lib
-      done # for deplib in $libs
-      if test "$pass" = link; then
-	if test "$linkmode" = "prog"; then
-	  compile_deplibs="$new_inherited_linker_flags $compile_deplibs"
-	  finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs"
-	else
-	  compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
-	fi
-      fi
-      dependency_libs="$newdependency_libs"
-      if test "$pass" = dlpreopen; then
-	# Link the dlpreopened libraries before other libraries
-	for deplib in $save_deplibs; do
-	  deplibs="$deplib $deplibs"
-	done
-      fi
-      if test "$pass" != dlopen; then
-	if test "$pass" != conv; then
-	  # Make sure lib_search_path contains only unique directories.
-	  lib_search_path=
-	  for dir in $newlib_search_path; do
-	    case "$lib_search_path " in
-	    *" $dir "*) ;;
-	    *) func_append lib_search_path " $dir" ;;
-	    esac
-	  done
-	  newlib_search_path=
-	fi
-
-	if test "$linkmode,$pass" != "prog,link"; then
-	  vars="deplibs"
-	else
-	  vars="compile_deplibs finalize_deplibs"
-	fi
-	for var in $vars dependency_libs; do
-	  # Add libraries to $var in reverse order
-	  eval tmp_libs=\"\$$var\"
-	  new_libs=
-	  for deplib in $tmp_libs; do
-	    # FIXME: Pedantically, this is the right thing to do, so
-	    #        that some nasty dependency loop isn't accidentally
-	    #        broken:
-	    #new_libs="$deplib $new_libs"
-	    # Pragmatically, this seems to cause very few problems in
-	    # practice:
-	    case $deplib in
-	    -L*) new_libs="$deplib $new_libs" ;;
-	    -R*) ;;
-	    *)
-	      # And here is the reason: when a library appears more
-	      # than once as an explicit dependence of a library, or
-	      # is implicitly linked in more than once by the
-	      # compiler, it is considered special, and multiple
-	      # occurrences thereof are not removed.  Compare this
-	      # with having the same library being listed as a
-	      # dependency of multiple other libraries: in this case,
-	      # we know (pedantically, we assume) the library does not
-	      # need to be listed more than once, so we keep only the
-	      # last copy.  This is not always right, but it is rare
-	      # enough that we require users that really mean to play
-	      # such unportable linking tricks to link the library
-	      # using -Wl,-lname, so that libtool does not consider it
-	      # for duplicate removal.
-	      case " $specialdeplibs " in
-	      *" $deplib "*) new_libs="$deplib $new_libs" ;;
-	      *)
-		case " $new_libs " in
-		*" $deplib "*) ;;
-		*) new_libs="$deplib $new_libs" ;;
-		esac
-		;;
-	      esac
-	      ;;
-	    esac
-	  done
-	  tmp_libs=
-	  for deplib in $new_libs; do
-	    case $deplib in
-	    -L*)
-	      case " $tmp_libs " in
-	      *" $deplib "*) ;;
-	      *) func_append tmp_libs " $deplib" ;;
-	      esac
-	      ;;
-	    *) func_append tmp_libs " $deplib" ;;
-	    esac
-	  done
-	  eval $var=\"$tmp_libs\"
-	done # for var
-      fi
-      # Last step: remove runtime libs from dependency_libs
-      # (they stay in deplibs)
-      tmp_libs=
-      for i in $dependency_libs ; do
-	case " $predeps $postdeps $compiler_lib_search_path " in
-	*" $i "*)
-	  i=""
-	  ;;
-	esac
-	if test -n "$i" ; then
-	  func_append tmp_libs " $i"
-	fi
-      done
-      dependency_libs=$tmp_libs
-    done # for pass
-    if test "$linkmode" = prog; then
-      dlfiles="$newdlfiles"
-    fi
-    if test "$linkmode" = prog || test "$linkmode" = lib; then
-      dlprefiles="$newdlprefiles"
-    fi
-
-    case $linkmode in
-    oldlib)
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	func_warning "\`-dlopen' is ignored for archives"
-      fi
-
-      case " $deplibs" in
-      *\ -l* | *\ -L*)
-	func_warning "\`-l' and \`-L' are ignored for archives" ;;
-      esac
-
-      test -n "$rpath" && \
-	func_warning "\`-rpath' is ignored for archives"
-
-      test -n "$xrpath" && \
-	func_warning "\`-R' is ignored for archives"
-
-      test -n "$vinfo" && \
-	func_warning "\`-version-info/-version-number' is ignored for archives"
-
-      test -n "$release" && \
-	func_warning "\`-release' is ignored for archives"
-
-      test -n "$export_symbols$export_symbols_regex" && \
-	func_warning "\`-export-symbols' is ignored for archives"
-
-      # Now set the variables for building old libraries.
-      build_libtool_libs=no
-      oldlibs="$output"
-      func_append objs "$old_deplibs"
-      ;;
-
-    lib)
-      # Make sure we only generate libraries of the form `libNAME.la'.
-      case $outputname in
-      lib*)
-	func_stripname 'lib' '.la' "$outputname"
-	name=$func_stripname_result
-	eval shared_ext=\"$shrext_cmds\"
-	eval libname=\"$libname_spec\"
-	;;
-      *)
-	test "$module" = no && \
-	  func_fatal_help "libtool library \`$output' must begin with \`lib'"
-
-	if test "$need_lib_prefix" != no; then
-	  # Add the "lib" prefix for modules if required
-	  func_stripname '' '.la' "$outputname"
-	  name=$func_stripname_result
-	  eval shared_ext=\"$shrext_cmds\"
-	  eval libname=\"$libname_spec\"
-	else
-	  func_stripname '' '.la' "$outputname"
-	  libname=$func_stripname_result
-	fi
-	;;
-      esac
-
-      if test -n "$objs"; then
-	if test "$deplibs_check_method" != pass_all; then
-	  func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs"
-	else
-	  echo
-	  $ECHO "*** Warning: Linking the shared library $output against the non-libtool"
-	  $ECHO "*** objects $objs is not portable!"
-	  func_append libobjs " $objs"
-	fi
-      fi
-
-      test "$dlself" != no && \
-	func_warning "\`-dlopen self' is ignored for libtool libraries"
-
-      set dummy $rpath
-      shift
-      test "$#" -gt 1 && \
-	func_warning "ignoring multiple \`-rpath's for a libtool library"
-
-      install_libdir="$1"
-
-      oldlibs=
-      if test -z "$rpath"; then
-	if test "$build_libtool_libs" = yes; then
-	  # Building a libtool convenience library.
-	  # Some compilers have problems with a `.al' extension so
-	  # convenience libraries should have the same extension an
-	  # archive normally would.
-	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
-	  build_libtool_libs=convenience
-	  build_old_libs=yes
-	fi
-
-	test -n "$vinfo" && \
-	  func_warning "\`-version-info/-version-number' is ignored for convenience libraries"
-
-	test -n "$release" && \
-	  func_warning "\`-release' is ignored for convenience libraries"
-      else
-
-	# Parse the version information argument.
-	save_ifs="$IFS"; IFS=':'
-	set dummy $vinfo 0 0 0
-	shift
-	IFS="$save_ifs"
-
-	test -n "$7" && \
-	  func_fatal_help "too many parameters to \`-version-info'"
-
-	# convert absolute version numbers to libtool ages
-	# this retains compatibility with .la files and attempts
-	# to make the code below a bit more comprehensible
-
-	case $vinfo_number in
-	yes)
-	  number_major="$1"
-	  number_minor="$2"
-	  number_revision="$3"
-	  #
-	  # There are really only two kinds -- those that
-	  # use the current revision as the major version
-	  # and those that subtract age and use age as
-	  # a minor version.  But, then there is irix
-	  # which has an extra 1 added just for fun
-	  #
-	  case $version_type in
-	  # correct linux to gnu/linux during the next big refactor
-	  darwin|linux|osf|windows|none)
-	    func_arith $number_major + $number_minor
-	    current=$func_arith_result
-	    age="$number_minor"
-	    revision="$number_revision"
-	    ;;
-	  freebsd-aout|freebsd-elf|qnx|sunos)
-	    current="$number_major"
-	    revision="$number_minor"
-	    age="0"
-	    ;;
-	  irix|nonstopux)
-	    func_arith $number_major + $number_minor
-	    current=$func_arith_result
-	    age="$number_minor"
-	    revision="$number_minor"
-	    lt_irix_increment=no
-	    ;;
-	  esac
-	  ;;
-	no)
-	  current="$1"
-	  revision="$2"
-	  age="$3"
-	  ;;
-	esac
-
-	# Check that each of the things are valid numbers.
-	case $current in
-	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
-	*)
-	  func_error "CURRENT \`$current' must be a nonnegative integer"
-	  func_fatal_error "\`$vinfo' is not valid version information"
-	  ;;
-	esac
-
-	case $revision in
-	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
-	*)
-	  func_error "REVISION \`$revision' must be a nonnegative integer"
-	  func_fatal_error "\`$vinfo' is not valid version information"
-	  ;;
-	esac
-
-	case $age in
-	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
-	*)
-	  func_error "AGE \`$age' must be a nonnegative integer"
-	  func_fatal_error "\`$vinfo' is not valid version information"
-	  ;;
-	esac
-
-	if test "$age" -gt "$current"; then
-	  func_error "AGE \`$age' is greater than the current interface number \`$current'"
-	  func_fatal_error "\`$vinfo' is not valid version information"
-	fi
-
-	# Calculate the version variables.
-	major=
-	versuffix=
-	verstring=
-	case $version_type in
-	none) ;;
-
-	darwin)
-	  # Like Linux, but with the current version available in
-	  # verstring for coding it into the library header
-	  func_arith $current - $age
-	  major=.$func_arith_result
-	  versuffix="$major.$age.$revision"
-	  # Darwin ld doesn't like 0 for these options...
-	  func_arith $current + 1
-	  minor_current=$func_arith_result
-	  xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
-	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
-	  ;;
-
-	freebsd-aout)
-	  major=".$current"
-	  versuffix=".$current.$revision";
-	  ;;
-
-	freebsd-elf)
-	  major=".$current"
-	  versuffix=".$current"
-	  ;;
-
-	irix | nonstopux)
-	  if test "X$lt_irix_increment" = "Xno"; then
-	    func_arith $current - $age
-	  else
-	    func_arith $current - $age + 1
-	  fi
-	  major=$func_arith_result
-
-	  case $version_type in
-	    nonstopux) verstring_prefix=nonstopux ;;
-	    *)         verstring_prefix=sgi ;;
-	  esac
-	  verstring="$verstring_prefix$major.$revision"
-
-	  # Add in all the interfaces that we are compatible with.
-	  loop=$revision
-	  while test "$loop" -ne 0; do
-	    func_arith $revision - $loop
-	    iface=$func_arith_result
-	    func_arith $loop - 1
-	    loop=$func_arith_result
-	    verstring="$verstring_prefix$major.$iface:$verstring"
-	  done
-
-	  # Before this point, $major must not contain `.'.
-	  major=.$major
-	  versuffix="$major.$revision"
-	  ;;
-
-	linux) # correct to gnu/linux during the next big refactor
-	  func_arith $current - $age
-	  major=.$func_arith_result
-	  versuffix="$major.$age.$revision"
-	  ;;
-
-	osf)
-	  func_arith $current - $age
-	  major=.$func_arith_result
-	  versuffix=".$current.$age.$revision"
-	  verstring="$current.$age.$revision"
-
-	  # Add in all the interfaces that we are compatible with.
-	  loop=$age
-	  while test "$loop" -ne 0; do
-	    func_arith $current - $loop
-	    iface=$func_arith_result
-	    func_arith $loop - 1
-	    loop=$func_arith_result
-	    verstring="$verstring:${iface}.0"
-	  done
-
-	  # Make executables depend on our current version.
-	  func_append verstring ":${current}.0"
-	  ;;
-
-	qnx)
-	  major=".$current"
-	  versuffix=".$current"
-	  ;;
-
-	sunos)
-	  major=".$current"
-	  versuffix=".$current.$revision"
-	  ;;
-
-	windows)
-	  # Use '-' rather than '.', since we only want one
-	  # extension on DOS 8.3 filesystems.
-	  func_arith $current - $age
-	  major=$func_arith_result
-	  versuffix="-$major"
-	  ;;
-
-	*)
-	  func_fatal_configuration "unknown library version type \`$version_type'"
-	  ;;
-	esac
-
-	# Clear the version info if we defaulted, and they specified a release.
-	if test -z "$vinfo" && test -n "$release"; then
-	  major=
-	  case $version_type in
-	  darwin)
-	    # we can't check for "0.0" in archive_cmds due to quoting
-	    # problems, so we reset it completely
-	    verstring=
-	    ;;
-	  *)
-	    verstring="0.0"
-	    ;;
-	  esac
-	  if test "$need_version" = no; then
-	    versuffix=
-	  else
-	    versuffix=".0.0"
-	  fi
-	fi
-
-	# Remove version info from name if versioning should be avoided
-	if test "$avoid_version" = yes && test "$need_version" = no; then
-	  major=
-	  versuffix=
-	  verstring=""
-	fi
-
-	# Check to see if the archive will have undefined symbols.
-	if test "$allow_undefined" = yes; then
-	  if test "$allow_undefined_flag" = unsupported; then
-	    func_warning "undefined symbols not allowed in $host shared libraries"
-	    build_libtool_libs=no
-	    build_old_libs=yes
-	  fi
-	else
-	  # Don't allow undefined symbols.
-	  allow_undefined_flag="$no_undefined_flag"
-	fi
-
-      fi
-
-      func_generate_dlsyms "$libname" "$libname" "yes"
-      func_append libobjs " $symfileobj"
-      test "X$libobjs" = "X " && libobjs=
-
-      if test "$opt_mode" != relink; then
-	# Remove our outputs, but don't remove object files since they
-	# may have been created when compiling PIC objects.
-	removelist=
-	tempremovelist=`$ECHO "$output_objdir/*"`
-	for p in $tempremovelist; do
-	  case $p in
-	    *.$objext | *.gcno)
-	       ;;
-	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
-	       if test "X$precious_files_regex" != "X"; then
-		 if $ECHO "$p" | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
-		 then
-		   continue
-		 fi
-	       fi
-	       func_append removelist " $p"
-	       ;;
-	    *) ;;
-	  esac
-	done
-	test -n "$removelist" && \
-	  func_show_eval "${RM}r \$removelist"
-      fi
-
-      # Now set the variables for building old libraries.
-      if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
-	func_append oldlibs " $output_objdir/$libname.$libext"
-
-	# Transform .lo files to .o files.
-	oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; $lo2o" | $NL2SP`
-      fi
-
-      # Eliminate all temporary directories.
-      #for path in $notinst_path; do
-      #	lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"`
-      #	deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"`
-      #	dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"`
-      #done
-
-      if test -n "$xrpath"; then
-	# If the user specified any rpath flags, then add them.
-	temp_xrpath=
-	for libdir in $xrpath; do
-	  func_replace_sysroot "$libdir"
-	  func_append temp_xrpath " -R$func_replace_sysroot_result"
-	  case "$finalize_rpath " in
-	  *" $libdir "*) ;;
-	  *) func_append finalize_rpath " $libdir" ;;
-	  esac
-	done
-	if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
-	  dependency_libs="$temp_xrpath $dependency_libs"
-	fi
-      fi
-
-      # Make sure dlfiles contains only unique files that won't be dlpreopened
-      old_dlfiles="$dlfiles"
-      dlfiles=
-      for lib in $old_dlfiles; do
-	case " $dlprefiles $dlfiles " in
-	*" $lib "*) ;;
-	*) func_append dlfiles " $lib" ;;
-	esac
-      done
-
-      # Make sure dlprefiles contains only unique files
-      old_dlprefiles="$dlprefiles"
-      dlprefiles=
-      for lib in $old_dlprefiles; do
-	case "$dlprefiles " in
-	*" $lib "*) ;;
-	*) func_append dlprefiles " $lib" ;;
-	esac
-      done
-
-      if test "$build_libtool_libs" = yes; then
-	if test -n "$rpath"; then
-	  case $host in
-	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*)
-	    # these systems don't actually have a c library (as such)!
-	    ;;
-	  *-*-rhapsody* | *-*-darwin1.[012])
-	    # Rhapsody C library is in the System framework
-	    func_append deplibs " System.ltframework"
-	    ;;
-	  *-*-netbsd*)
-	    # Don't link with libc until the a.out ld.so is fixed.
-	    ;;
-	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
-	    # Do not include libc due to us having libc/libc_r.
-	    ;;
-	  *-*-sco3.2v5* | *-*-sco5v6*)
-	    # Causes problems with __ctype
-	    ;;
-	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
-	    # Compiler inserts libc in the correct place for threads to work
-	    ;;
-	  *)
-	    # Add libc to deplibs on all other systems if necessary.
-	    if test "$build_libtool_need_lc" = "yes"; then
-	      func_append deplibs " -lc"
-	    fi
-	    ;;
-	  esac
-	fi
-
-	# Transform deplibs into only deplibs that can be linked in shared.
-	name_save=$name
-	libname_save=$libname
-	release_save=$release
-	versuffix_save=$versuffix
-	major_save=$major
-	# I'm not sure if I'm treating the release correctly.  I think
-	# release should show up in the -l (ie -lgmp5) so we don't want to
-	# add it in twice.  Is that correct?
-	release=""
-	versuffix=""
-	major=""
-	newdeplibs=
-	droppeddeps=no
-	case $deplibs_check_method in
-	pass_all)
-	  # Don't check for shared/static.  Everything works.
-	  # This might be a little naive.  We might want to check
-	  # whether the library exists or not.  But this is on
-	  # osf3 & osf4 and I'm not really sure... Just
-	  # implementing what was already the behavior.
-	  newdeplibs=$deplibs
-	  ;;
-	test_compile)
-	  # This code stresses the "libraries are programs" paradigm to its
-	  # limits. Maybe even breaks it.  We compile a program, linking it
-	  # against the deplibs as a proxy for the library.  Then we can check
-	  # whether they linked in statically or dynamically with ldd.
-	  $opt_dry_run || $RM conftest.c
-	  cat > conftest.c <<EOF
-	  int main() { return 0; }
-EOF
-	  $opt_dry_run || $RM conftest
-	  if $LTCC $LTCFLAGS -o conftest conftest.c $deplibs; then
-	    ldd_output=`ldd conftest`
-	    for i in $deplibs; do
-	      case $i in
-	      -l*)
-		func_stripname -l '' "$i"
-		name=$func_stripname_result
-		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		  case " $predeps $postdeps " in
-		  *" $i "*)
-		    func_append newdeplibs " $i"
-		    i=""
-		    ;;
-		  esac
-		fi
-		if test -n "$i" ; then
-		  libname=`eval "\\$ECHO \"$libname_spec\""`
-		  deplib_matches=`eval "\\$ECHO \"$library_names_spec\""`
-		  set dummy $deplib_matches; shift
-		  deplib_match=$1
-		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		    func_append newdeplibs " $i"
-		  else
-		    droppeddeps=yes
-		    echo
-		    $ECHO "*** Warning: dynamic linker does not accept needed library $i."
-		    echo "*** I have the capability to make that library automatically link in when"
-		    echo "*** you link to this library.  But I can only do this if you have a"
-		    echo "*** shared version of the library, which I believe you do not have"
-		    echo "*** because a test_compile did reveal that the linker did not use it for"
-		    echo "*** its dynamic dependency list that programs get resolved with at runtime."
-		  fi
-		fi
-		;;
-	      *)
-		func_append newdeplibs " $i"
-		;;
-	      esac
-	    done
-	  else
-	    # Error occurred in the first compile.  Let's try to salvage
-	    # the situation: Compile a separate program for each library.
-	    for i in $deplibs; do
-	      case $i in
-	      -l*)
-		func_stripname -l '' "$i"
-		name=$func_stripname_result
-		$opt_dry_run || $RM conftest
-		if $LTCC $LTCFLAGS -o conftest conftest.c $i; then
-		  ldd_output=`ldd conftest`
-		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		    case " $predeps $postdeps " in
-		    *" $i "*)
-		      func_append newdeplibs " $i"
-		      i=""
-		      ;;
-		    esac
-		  fi
-		  if test -n "$i" ; then
-		    libname=`eval "\\$ECHO \"$libname_spec\""`
-		    deplib_matches=`eval "\\$ECHO \"$library_names_spec\""`
-		    set dummy $deplib_matches; shift
-		    deplib_match=$1
-		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
-		      func_append newdeplibs " $i"
-		    else
-		      droppeddeps=yes
-		      echo
-		      $ECHO "*** Warning: dynamic linker does not accept needed library $i."
-		      echo "*** I have the capability to make that library automatically link in when"
-		      echo "*** you link to this library.  But I can only do this if you have a"
-		      echo "*** shared version of the library, which you do not appear to have"
-		      echo "*** because a test_compile did reveal that the linker did not use this one"
-		      echo "*** as a dynamic dependency that programs can get resolved with at runtime."
-		    fi
-		  fi
-		else
-		  droppeddeps=yes
-		  echo
-		  $ECHO "*** Warning!  Library $i is needed by this library but I was not able to"
-		  echo "*** make it link in!  You will probably need to install it or some"
-		  echo "*** library that it depends on before this library will be fully"
-		  echo "*** functional.  Installing it before continuing would be even better."
-		fi
-		;;
-	      *)
-		func_append newdeplibs " $i"
-		;;
-	      esac
-	    done
-	  fi
-	  ;;
-	file_magic*)
-	  set dummy $deplibs_check_method; shift
-	  file_magic_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
-	  for a_deplib in $deplibs; do
-	    case $a_deplib in
-	    -l*)
-	      func_stripname -l '' "$a_deplib"
-	      name=$func_stripname_result
-	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		case " $predeps $postdeps " in
-		*" $a_deplib "*)
-		  func_append newdeplibs " $a_deplib"
-		  a_deplib=""
-		  ;;
-		esac
-	      fi
-	      if test -n "$a_deplib" ; then
-		libname=`eval "\\$ECHO \"$libname_spec\""`
-		if test -n "$file_magic_glob"; then
-		  libnameglob=`func_echo_all "$libname" | $SED -e $file_magic_glob`
-		else
-		  libnameglob=$libname
-		fi
-		test "$want_nocaseglob" = yes && nocaseglob=`shopt -p nocaseglob`
-		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
-		  if test "$want_nocaseglob" = yes; then
-		    shopt -s nocaseglob
-		    potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
-		    $nocaseglob
-		  else
-		    potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
-		  fi
-		  for potent_lib in $potential_libs; do
-		      # Follow soft links.
-		      if ls -lLd "$potent_lib" 2>/dev/null |
-			 $GREP " -> " >/dev/null; then
-			continue
-		      fi
-		      # The statement above tries to avoid entering an
-		      # endless loop below, in case of cyclic links.
-		      # We might still enter an endless loop, since a link
-		      # loop can be closed while we follow links,
-		      # but so what?
-		      potlib="$potent_lib"
-		      while test -h "$potlib" 2>/dev/null; do
-			potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
-			case $potliblink in
-			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
-			*) potlib=`$ECHO "$potlib" | $SED 's,[^/]*$,,'`"$potliblink";;
-			esac
-		      done
-		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null |
-			 $SED -e 10q |
-			 $EGREP "$file_magic_regex" > /dev/null; then
-			func_append newdeplibs " $a_deplib"
-			a_deplib=""
-			break 2
-		      fi
-		  done
-		done
-	      fi
-	      if test -n "$a_deplib" ; then
-		droppeddeps=yes
-		echo
-		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
-		echo "*** I have the capability to make that library automatically link in when"
-		echo "*** you link to this library.  But I can only do this if you have a"
-		echo "*** shared version of the library, which you do not appear to have"
-		echo "*** because I did check the linker path looking for a file starting"
-		if test -z "$potlib" ; then
-		  $ECHO "*** with $libname but no candidates were found. (...for file magic test)"
-		else
-		  $ECHO "*** with $libname and none of the candidates passed a file format test"
-		  $ECHO "*** using a file magic. Last file checked: $potlib"
-		fi
-	      fi
-	      ;;
-	    *)
-	      # Add a -L argument.
-	      func_append newdeplibs " $a_deplib"
-	      ;;
-	    esac
-	  done # Gone through all deplibs.
-	  ;;
-	match_pattern*)
-	  set dummy $deplibs_check_method; shift
-	  match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
-	  for a_deplib in $deplibs; do
-	    case $a_deplib in
-	    -l*)
-	      func_stripname -l '' "$a_deplib"
-	      name=$func_stripname_result
-	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-		case " $predeps $postdeps " in
-		*" $a_deplib "*)
-		  func_append newdeplibs " $a_deplib"
-		  a_deplib=""
-		  ;;
-		esac
-	      fi
-	      if test -n "$a_deplib" ; then
-		libname=`eval "\\$ECHO \"$libname_spec\""`
-		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
-		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
-		  for potent_lib in $potential_libs; do
-		    potlib="$potent_lib" # see symlink-check above in file_magic test
-		    if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \
-		       $EGREP "$match_pattern_regex" > /dev/null; then
-		      func_append newdeplibs " $a_deplib"
-		      a_deplib=""
-		      break 2
-		    fi
-		  done
-		done
-	      fi
-	      if test -n "$a_deplib" ; then
-		droppeddeps=yes
-		echo
-		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
-		echo "*** I have the capability to make that library automatically link in when"
-		echo "*** you link to this library.  But I can only do this if you have a"
-		echo "*** shared version of the library, which you do not appear to have"
-		echo "*** because I did check the linker path looking for a file starting"
-		if test -z "$potlib" ; then
-		  $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)"
-		else
-		  $ECHO "*** with $libname and none of the candidates passed a file format test"
-		  $ECHO "*** using a regex pattern. Last file checked: $potlib"
-		fi
-	      fi
-	      ;;
-	    *)
-	      # Add a -L argument.
-	      func_append newdeplibs " $a_deplib"
-	      ;;
-	    esac
-	  done # Gone through all deplibs.
-	  ;;
-	none | unknown | *)
-	  newdeplibs=""
-	  tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'`
-	  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-	    for i in $predeps $postdeps ; do
-	      # can't use Xsed below, because $i might contain '/'
-	      tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s,$i,,"`
-	    done
-	  fi
-	  case $tmp_deplibs in
-	  *[!\	\ ]*)
-	    echo
-	    if test "X$deplibs_check_method" = "Xnone"; then
-	      echo "*** Warning: inter-library dependencies are not supported in this platform."
-	    else
-	      echo "*** Warning: inter-library dependencies are not known to be supported."
-	    fi
-	    echo "*** All declared inter-library dependencies are being dropped."
-	    droppeddeps=yes
-	    ;;
-	  esac
-	  ;;
-	esac
-	versuffix=$versuffix_save
-	major=$major_save
-	release=$release_save
-	libname=$libname_save
-	name=$name_save
-
-	case $host in
-	*-*-rhapsody* | *-*-darwin1.[012])
-	  # On Rhapsody replace the C library with the System framework
-	  newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'`
-	  ;;
-	esac
-
-	if test "$droppeddeps" = yes; then
-	  if test "$module" = yes; then
-	    echo
-	    echo "*** Warning: libtool could not satisfy all declared inter-library"
-	    $ECHO "*** dependencies of module $libname.  Therefore, libtool will create"
-	    echo "*** a static module, that should work as long as the dlopening"
-	    echo "*** application is linked with the -dlopen flag."
-	    if test -z "$global_symbol_pipe"; then
-	      echo
-	      echo "*** However, this would only work if libtool was able to extract symbol"
-	      echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
-	      echo "*** not find such a program.  So, this module is probably useless."
-	      echo "*** \`nm' from GNU binutils and a full rebuild may help."
-	    fi
-	    if test "$build_old_libs" = no; then
-	      oldlibs="$output_objdir/$libname.$libext"
-	      build_libtool_libs=module
-	      build_old_libs=yes
-	    else
-	      build_libtool_libs=no
-	    fi
-	  else
-	    echo "*** The inter-library dependencies that have been dropped here will be"
-	    echo "*** automatically added whenever a program is linked with this library"
-	    echo "*** or is declared to -dlopen it."
-
-	    if test "$allow_undefined" = no; then
-	      echo
-	      echo "*** Since this library must not contain undefined symbols,"
-	      echo "*** because either the platform does not support them or"
-	      echo "*** it was explicitly requested with -no-undefined,"
-	      echo "*** libtool will only create a static version of it."
-	      if test "$build_old_libs" = no; then
-		oldlibs="$output_objdir/$libname.$libext"
-		build_libtool_libs=module
-		build_old_libs=yes
-	      else
-		build_libtool_libs=no
-	      fi
-	    fi
-	  fi
-	fi
-	# Done checking deplibs!
-	deplibs=$newdeplibs
-      fi
-      # Time to change all our "foo.ltframework" stuff back to "-framework foo"
-      case $host in
-	*-*-darwin*)
-	  newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
-	  new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
-	  deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
-	  ;;
-      esac
-
-      # move library search paths that coincide with paths to not yet
-      # installed libraries to the beginning of the library search list
-      new_libs=
-      for path in $notinst_path; do
-	case " $new_libs " in
-	*" -L$path/$objdir "*) ;;
-	*)
-	  case " $deplibs " in
-	  *" -L$path/$objdir "*)
-	    func_append new_libs " -L$path/$objdir" ;;
-	  esac
-	  ;;
-	esac
-      done
-      for deplib in $deplibs; do
-	case $deplib in
-	-L*)
-	  case " $new_libs " in
-	  *" $deplib "*) ;;
-	  *) func_append new_libs " $deplib" ;;
-	  esac
-	  ;;
-	*) func_append new_libs " $deplib" ;;
-	esac
-      done
-      deplibs="$new_libs"
-
-      # All the library-specific variables (install_libdir is set above).
-      library_names=
-      old_library=
-      dlname=
-
-      # Test again, we may have decided not to build it any more
-      if test "$build_libtool_libs" = yes; then
-	# Remove ${wl} instances when linking with ld.
-	# FIXME: should test the right _cmds variable.
-	case $archive_cmds in
-	  *\$LD\ *) wl= ;;
-        esac
-	if test "$hardcode_into_libs" = yes; then
-	  # Hardcode the library paths
-	  hardcode_libdirs=
-	  dep_rpath=
-	  rpath="$finalize_rpath"
-	  test "$opt_mode" != relink && rpath="$compile_rpath$rpath"
-	  for libdir in $rpath; do
-	    if test -n "$hardcode_libdir_flag_spec"; then
-	      if test -n "$hardcode_libdir_separator"; then
-		func_replace_sysroot "$libdir"
-		libdir=$func_replace_sysroot_result
-		if test -z "$hardcode_libdirs"; then
-		  hardcode_libdirs="$libdir"
-		else
-		  # Just accumulate the unique libdirs.
-		  case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
-		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		    ;;
-		  *)
-		    func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
-		    ;;
-		  esac
-		fi
-	      else
-		eval flag=\"$hardcode_libdir_flag_spec\"
-		func_append dep_rpath " $flag"
-	      fi
-	    elif test -n "$runpath_var"; then
-	      case "$perm_rpath " in
-	      *" $libdir "*) ;;
-	      *) func_append perm_rpath " $libdir" ;;
-	      esac
-	    fi
-	  done
-	  # Substitute the hardcoded libdirs into the rpath.
-	  if test -n "$hardcode_libdir_separator" &&
-	     test -n "$hardcode_libdirs"; then
-	    libdir="$hardcode_libdirs"
-	    eval "dep_rpath=\"$hardcode_libdir_flag_spec\""
-	  fi
-	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
-	    # We should set the runpath_var.
-	    rpath=
-	    for dir in $perm_rpath; do
-	      func_append rpath "$dir:"
-	    done
-	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
-	  fi
-	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
-	fi
-
-	shlibpath="$finalize_shlibpath"
-	test "$opt_mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
-	if test -n "$shlibpath"; then
-	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
-	fi
-
-	# Get the real and link names of the library.
-	eval shared_ext=\"$shrext_cmds\"
-	eval library_names=\"$library_names_spec\"
-	set dummy $library_names
-	shift
-	realname="$1"
-	shift
-
-	if test -n "$soname_spec"; then
-	  eval soname=\"$soname_spec\"
-	else
-	  soname="$realname"
-	fi
-	if test -z "$dlname"; then
-	  dlname=$soname
-	fi
-
-	lib="$output_objdir/$realname"
-	linknames=
-	for link
-	do
-	  func_append linknames " $link"
-	done
-
-	# Use standard objects if they are pic
-	test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP`
-	test "X$libobjs" = "X " && libobjs=
-
-	delfiles=
-	if test -n "$export_symbols" && test -n "$include_expsyms"; then
-	  $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp"
-	  export_symbols="$output_objdir/$libname.uexp"
-	  func_append delfiles " $export_symbols"
-	fi
-
-	orig_export_symbols=
-	case $host_os in
-	cygwin* | mingw* | cegcc*)
-	  if test -n "$export_symbols" && test -z "$export_symbols_regex"; then
-	    # exporting using user supplied symfile
-	    if test "x`$SED 1q $export_symbols`" != xEXPORTS; then
-	      # and it's NOT already a .def file. Must figure out
-	      # which of the given symbols are data symbols and tag
-	      # them as such. So, trigger use of export_symbols_cmds.
-	      # export_symbols gets reassigned inside the "prepare
-	      # the list of exported symbols" if statement, so the
-	      # include_expsyms logic still works.
-	      orig_export_symbols="$export_symbols"
-	      export_symbols=
-	      always_export_symbols=yes
-	    fi
-	  fi
-	  ;;
-	esac
-
-	# Prepare the list of exported symbols
-	if test -z "$export_symbols"; then
-	  if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
-	    func_verbose "generating symbol list for \`$libname.la'"
-	    export_symbols="$output_objdir/$libname.exp"
-	    $opt_dry_run || $RM $export_symbols
-	    cmds=$export_symbols_cmds
-	    save_ifs="$IFS"; IFS='~'
-	    for cmd1 in $cmds; do
-	      IFS="$save_ifs"
-	      # Take the normal branch if the nm_file_list_spec branch
-	      # doesn't work or if tool conversion is not needed.
-	      case $nm_file_list_spec~$to_tool_file_cmd in
-		*~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*)
-		  try_normal_branch=yes
-		  eval cmd=\"$cmd1\"
-		  func_len " $cmd"
-		  len=$func_len_result
-		  ;;
-		*)
-		  try_normal_branch=no
-		  ;;
-	      esac
-	      if test "$try_normal_branch" = yes \
-		 && { test "$len" -lt "$max_cmd_len" \
-		      || test "$max_cmd_len" -le -1; }
-	      then
-		func_show_eval "$cmd" 'exit $?'
-		skipped_export=false
-	      elif test -n "$nm_file_list_spec"; then
-		func_basename "$output"
-		output_la=$func_basename_result
-		save_libobjs=$libobjs
-		save_output=$output
-		output=${output_objdir}/${output_la}.nm
-		func_to_tool_file "$output"
-		libobjs=$nm_file_list_spec$func_to_tool_file_result
-		func_append delfiles " $output"
-		func_verbose "creating $NM input file list: $output"
-		for obj in $save_libobjs; do
-		  func_to_tool_file "$obj"
-		  $ECHO "$func_to_tool_file_result"
-		done > "$output"
-		eval cmd=\"$cmd1\"
-		func_show_eval "$cmd" 'exit $?'
-		output=$save_output
-		libobjs=$save_libobjs
-		skipped_export=false
-	      else
-		# The command line is too long to execute in one step.
-		func_verbose "using reloadable object file for export list..."
-		skipped_export=:
-		# Break out early, otherwise skipped_export may be
-		# set to false by a later but shorter cmd.
-		break
-	      fi
-	    done
-	    IFS="$save_ifs"
-	    if test -n "$export_symbols_regex" && test "X$skipped_export" != "X:"; then
-	      func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
-	      func_show_eval '$MV "${export_symbols}T" "$export_symbols"'
-	    fi
-	  fi
-	fi
-
-	if test -n "$export_symbols" && test -n "$include_expsyms"; then
-	  tmp_export_symbols="$export_symbols"
-	  test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
-	  $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
-	fi
-
-	if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then
-	  # The given exports_symbols file has to be filtered, so filter it.
-	  func_verbose "filter symbol list for \`$libname.la' to tag DATA exports"
-	  # FIXME: $output_objdir/$libname.filter potentially contains lots of
-	  # 's' commands which not all seds can handle. GNU sed should be fine
-	  # though. Also, the filter scales superlinearly with the number of
-	  # global variables. join(1) would be nice here, but unfortunately
-	  # isn't a blessed tool.
-	  $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
-	  func_append delfiles " $export_symbols $output_objdir/$libname.filter"
-	  export_symbols=$output_objdir/$libname.def
-	  $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
-	fi
-
-	tmp_deplibs=
-	for test_deplib in $deplibs; do
-	  case " $convenience " in
-	  *" $test_deplib "*) ;;
-	  *)
-	    func_append tmp_deplibs " $test_deplib"
-	    ;;
-	  esac
-	done
-	deplibs="$tmp_deplibs"
-
-	if test -n "$convenience"; then
-	  if test -n "$whole_archive_flag_spec" &&
-	    test "$compiler_needs_object" = yes &&
-	    test -z "$libobjs"; then
-	    # extract the archives, so we have objects to list.
-	    # TODO: could optimize this to just extract one archive.
-	    whole_archive_flag_spec=
-	  fi
-	  if test -n "$whole_archive_flag_spec"; then
-	    save_libobjs=$libobjs
-	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
-	    test "X$libobjs" = "X " && libobjs=
-	  else
-	    gentop="$output_objdir/${outputname}x"
-	    func_append generated " $gentop"
-
-	    func_extract_archives $gentop $convenience
-	    func_append libobjs " $func_extract_archives_result"
-	    test "X$libobjs" = "X " && libobjs=
-	  fi
-	fi
-
-	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
-	  eval flag=\"$thread_safe_flag_spec\"
-	  func_append linker_flags " $flag"
-	fi
-
-	# Make a backup of the uninstalled library when relinking
-	if test "$opt_mode" = relink; then
-	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $?
-	fi
-
-	# Do each of the archive commands.
-	if test "$module" = yes && test -n "$module_cmds" ; then
-	  if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
-	    eval test_cmds=\"$module_expsym_cmds\"
-	    cmds=$module_expsym_cmds
-	  else
-	    eval test_cmds=\"$module_cmds\"
-	    cmds=$module_cmds
-	  fi
-	else
-	  if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
-	    eval test_cmds=\"$archive_expsym_cmds\"
-	    cmds=$archive_expsym_cmds
-	  else
-	    eval test_cmds=\"$archive_cmds\"
-	    cmds=$archive_cmds
-	  fi
-	fi
-
-	if test "X$skipped_export" != "X:" &&
-	   func_len " $test_cmds" &&
-	   len=$func_len_result &&
-	   test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
-	  :
-	else
-	  # The command line is too long to link in one step, link piecewise
-	  # or, if using GNU ld and skipped_export is not :, use a linker
-	  # script.
-
-	  # Save the value of $output and $libobjs because we want to
-	  # use them later.  If we have whole_archive_flag_spec, we
-	  # want to use save_libobjs as it was before
-	  # whole_archive_flag_spec was expanded, because we can't
-	  # assume the linker understands whole_archive_flag_spec.
-	  # This may have to be revisited, in case too many
-	  # convenience libraries get linked in and end up exceeding
-	  # the spec.
-	  if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then
-	    save_libobjs=$libobjs
-	  fi
-	  save_output=$output
-	  func_basename "$output"
-	  output_la=$func_basename_result
-
-	  # Clear the reloadable object creation command queue and
-	  # initialize k to one.
-	  test_cmds=
-	  concat_cmds=
-	  objlist=
-	  last_robj=
-	  k=1
-
-	  if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then
-	    output=${output_objdir}/${output_la}.lnkscript
-	    func_verbose "creating GNU ld script: $output"
-	    echo 'INPUT (' > $output
-	    for obj in $save_libobjs
-	    do
-	      func_to_tool_file "$obj"
-	      $ECHO "$func_to_tool_file_result" >> $output
-	    done
-	    echo ')' >> $output
-	    func_append delfiles " $output"
-	    func_to_tool_file "$output"
-	    output=$func_to_tool_file_result
-	  elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then
-	    output=${output_objdir}/${output_la}.lnk
-	    func_verbose "creating linker input file list: $output"
-	    : > $output
-	    set x $save_libobjs
-	    shift
-	    firstobj=
-	    if test "$compiler_needs_object" = yes; then
-	      firstobj="$1 "
-	      shift
-	    fi
-	    for obj
-	    do
-	      func_to_tool_file "$obj"
-	      $ECHO "$func_to_tool_file_result" >> $output
-	    done
-	    func_append delfiles " $output"
-	    func_to_tool_file "$output"
-	    output=$firstobj\"$file_list_spec$func_to_tool_file_result\"
-	  else
-	    if test -n "$save_libobjs"; then
-	      func_verbose "creating reloadable object files..."
-	      output=$output_objdir/$output_la-${k}.$objext
-	      eval test_cmds=\"$reload_cmds\"
-	      func_len " $test_cmds"
-	      len0=$func_len_result
-	      len=$len0
-
-	      # Loop over the list of objects to be linked.
-	      for obj in $save_libobjs
-	      do
-		func_len " $obj"
-		func_arith $len + $func_len_result
-		len=$func_arith_result
-		if test "X$objlist" = X ||
-		   test "$len" -lt "$max_cmd_len"; then
-		  func_append objlist " $obj"
-		else
-		  # The command $test_cmds is almost too long, add a
-		  # command to the queue.
-		  if test "$k" -eq 1 ; then
-		    # The first file doesn't have a previous command to add.
-		    reload_objs=$objlist
-		    eval concat_cmds=\"$reload_cmds\"
-		  else
-		    # All subsequent reloadable object files will link in
-		    # the last one created.
-		    reload_objs="$objlist $last_robj"
-		    eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\"
-		  fi
-		  last_robj=$output_objdir/$output_la-${k}.$objext
-		  func_arith $k + 1
-		  k=$func_arith_result
-		  output=$output_objdir/$output_la-${k}.$objext
-		  objlist=" $obj"
-		  func_len " $last_robj"
-		  func_arith $len0 + $func_len_result
-		  len=$func_arith_result
-		fi
-	      done
-	      # Handle the remaining objects by creating one last
-	      # reloadable object file.  All subsequent reloadable object
-	      # files will link in the last one created.
-	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	      reload_objs="$objlist $last_robj"
-	      eval concat_cmds=\"\${concat_cmds}$reload_cmds\"
-	      if test -n "$last_robj"; then
-	        eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\"
-	      fi
-	      func_append delfiles " $output"
-
-	    else
-	      output=
-	    fi
-
-	    if ${skipped_export-false}; then
-	      func_verbose "generating symbol list for \`$libname.la'"
-	      export_symbols="$output_objdir/$libname.exp"
-	      $opt_dry_run || $RM $export_symbols
-	      libobjs=$output
-	      # Append the command to create the export file.
-	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	      eval concat_cmds=\"\$concat_cmds$export_symbols_cmds\"
-	      if test -n "$last_robj"; then
-		eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\"
-	      fi
-	    fi
-
-	    test -n "$save_libobjs" &&
-	      func_verbose "creating a temporary reloadable object file: $output"
-
-	    # Loop through the commands generated above and execute them.
-	    save_ifs="$IFS"; IFS='~'
-	    for cmd in $concat_cmds; do
-	      IFS="$save_ifs"
-	      $opt_silent || {
-		  func_quote_for_expand "$cmd"
-		  eval "func_echo $func_quote_for_expand_result"
-	      }
-	      $opt_dry_run || eval "$cmd" || {
-		lt_exit=$?
-
-		# Restore the uninstalled library and exit
-		if test "$opt_mode" = relink; then
-		  ( cd "$output_objdir" && \
-		    $RM "${realname}T" && \
-		    $MV "${realname}U" "$realname" )
-		fi
-
-		exit $lt_exit
-	      }
-	    done
-	    IFS="$save_ifs"
-
-	    if test -n "$export_symbols_regex" && ${skipped_export-false}; then
-	      func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
-	      func_show_eval '$MV "${export_symbols}T" "$export_symbols"'
-	    fi
-	  fi
-
-          if ${skipped_export-false}; then
-	    if test -n "$export_symbols" && test -n "$include_expsyms"; then
-	      tmp_export_symbols="$export_symbols"
-	      test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
-	      $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
-	    fi
-
-	    if test -n "$orig_export_symbols"; then
-	      # The given exports_symbols file has to be filtered, so filter it.
-	      func_verbose "filter symbol list for \`$libname.la' to tag DATA exports"
-	      # FIXME: $output_objdir/$libname.filter potentially contains lots of
-	      # 's' commands which not all seds can handle. GNU sed should be fine
-	      # though. Also, the filter scales superlinearly with the number of
-	      # global variables. join(1) would be nice here, but unfortunately
-	      # isn't a blessed tool.
-	      $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter
-	      func_append delfiles " $export_symbols $output_objdir/$libname.filter"
-	      export_symbols=$output_objdir/$libname.def
-	      $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
-	    fi
-	  fi
-
-	  libobjs=$output
-	  # Restore the value of output.
-	  output=$save_output
-
-	  if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then
-	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
-	    test "X$libobjs" = "X " && libobjs=
-	  fi
-	  # Expand the library linking commands again to reset the
-	  # value of $libobjs for piecewise linking.
-
-	  # Do each of the archive commands.
-	  if test "$module" = yes && test -n "$module_cmds" ; then
-	    if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
-	      cmds=$module_expsym_cmds
-	    else
-	      cmds=$module_cmds
-	    fi
-	  else
-	    if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
-	      cmds=$archive_expsym_cmds
-	    else
-	      cmds=$archive_cmds
-	    fi
-	  fi
-	fi
-
-	if test -n "$delfiles"; then
-	  # Append the command to remove temporary files to $cmds.
-	  eval cmds=\"\$cmds~\$RM $delfiles\"
-	fi
-
-	# Add any objects from preloaded convenience libraries
-	if test -n "$dlprefiles"; then
-	  gentop="$output_objdir/${outputname}x"
-	  func_append generated " $gentop"
-
-	  func_extract_archives $gentop $dlprefiles
-	  func_append libobjs " $func_extract_archives_result"
-	  test "X$libobjs" = "X " && libobjs=
-	fi
-
-	save_ifs="$IFS"; IFS='~'
-	for cmd in $cmds; do
-	  IFS="$save_ifs"
-	  eval cmd=\"$cmd\"
-	  $opt_silent || {
-	    func_quote_for_expand "$cmd"
-	    eval "func_echo $func_quote_for_expand_result"
-	  }
-	  $opt_dry_run || eval "$cmd" || {
-	    lt_exit=$?
-
-	    # Restore the uninstalled library and exit
-	    if test "$opt_mode" = relink; then
-	      ( cd "$output_objdir" && \
-	        $RM "${realname}T" && \
-		$MV "${realname}U" "$realname" )
-	    fi
-
-	    exit $lt_exit
-	  }
-	done
-	IFS="$save_ifs"
-
-	# Restore the uninstalled library and exit
-	if test "$opt_mode" = relink; then
-	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $?
-
-	  if test -n "$convenience"; then
-	    if test -z "$whole_archive_flag_spec"; then
-	      func_show_eval '${RM}r "$gentop"'
-	    fi
-	  fi
-
-	  exit $EXIT_SUCCESS
-	fi
-
-	# Create links to the real library.
-	for linkname in $linknames; do
-	  if test "$realname" != "$linkname"; then
-	    func_show_eval '(cd "$output_objdir" && $RM "$linkname" && $LN_S "$realname" "$linkname")' 'exit $?'
-	  fi
-	done
-
-	# If -module or -export-dynamic was specified, set the dlname.
-	if test "$module" = yes || test "$export_dynamic" = yes; then
-	  # On all known operating systems, these are identical.
-	  dlname="$soname"
-	fi
-      fi
-      ;;
-
-    obj)
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	func_warning "\`-dlopen' is ignored for objects"
-      fi
-
-      case " $deplibs" in
-      *\ -l* | *\ -L*)
-	func_warning "\`-l' and \`-L' are ignored for objects" ;;
-      esac
-
-      test -n "$rpath" && \
-	func_warning "\`-rpath' is ignored for objects"
-
-      test -n "$xrpath" && \
-	func_warning "\`-R' is ignored for objects"
-
-      test -n "$vinfo" && \
-	func_warning "\`-version-info' is ignored for objects"
-
-      test -n "$release" && \
-	func_warning "\`-release' is ignored for objects"
-
-      case $output in
-      *.lo)
-	test -n "$objs$old_deplibs" && \
-	  func_fatal_error "cannot build library object \`$output' from non-libtool objects"
-
-	libobj=$output
-	func_lo2o "$libobj"
-	obj=$func_lo2o_result
-	;;
-      *)
-	libobj=
-	obj="$output"
-	;;
-      esac
-
-      # Delete the old objects.
-      $opt_dry_run || $RM $obj $libobj
-
-      # Objects from convenience libraries.  This assumes
-      # single-version convenience libraries.  Whenever we create
-      # different ones for PIC/non-PIC, this we'll have to duplicate
-      # the extraction.
-      reload_conv_objs=
-      gentop=
-      # reload_cmds runs $LD directly, so let us get rid of
-      # -Wl from whole_archive_flag_spec and hope we can get by with
-      # turning comma into space..
-      wl=
-
-      if test -n "$convenience"; then
-	if test -n "$whole_archive_flag_spec"; then
-	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
-	  reload_conv_objs=$reload_objs\ `$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'`
-	else
-	  gentop="$output_objdir/${obj}x"
-	  func_append generated " $gentop"
-
-	  func_extract_archives $gentop $convenience
-	  reload_conv_objs="$reload_objs $func_extract_archives_result"
-	fi
-      fi
-
-      # If we're not building shared, we need to use non_pic_objs
-      test "$build_libtool_libs" != yes && libobjs="$non_pic_objects"
-
-      # Create the old-style object.
-      reload_objs="$objs$old_deplibs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; /\.lib$/d; $lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
-
-      output="$obj"
-      func_execute_cmds "$reload_cmds" 'exit $?'
-
-      # Exit if we aren't doing a library object file.
-      if test -z "$libobj"; then
-	if test -n "$gentop"; then
-	  func_show_eval '${RM}r "$gentop"'
-	fi
-
-	exit $EXIT_SUCCESS
-      fi
-
-      if test "$build_libtool_libs" != yes; then
-	if test -n "$gentop"; then
-	  func_show_eval '${RM}r "$gentop"'
-	fi
-
-	# Create an invalid libtool object if no PIC, so that we don't
-	# accidentally link it into a program.
-	# $show "echo timestamp > $libobj"
-	# $opt_dry_run || eval "echo timestamp > $libobj" || exit $?
-	exit $EXIT_SUCCESS
-      fi
-
-      if test -n "$pic_flag" || test "$pic_mode" != default; then
-	# Only do commands if we really have different PIC objects.
-	reload_objs="$libobjs $reload_conv_objs"
-	output="$libobj"
-	func_execute_cmds "$reload_cmds" 'exit $?'
-      fi
-
-      if test -n "$gentop"; then
-	func_show_eval '${RM}r "$gentop"'
-      fi
-
-      exit $EXIT_SUCCESS
-      ;;
-
-    prog)
-      case $host in
-	*cygwin*) func_stripname '' '.exe' "$output"
-	          output=$func_stripname_result.exe;;
-      esac
-      test -n "$vinfo" && \
-	func_warning "\`-version-info' is ignored for programs"
-
-      test -n "$release" && \
-	func_warning "\`-release' is ignored for programs"
-
-      test "$preload" = yes \
-        && test "$dlopen_support" = unknown \
-	&& test "$dlopen_self" = unknown \
-	&& test "$dlopen_self_static" = unknown && \
-	  func_warning "\`LT_INIT([dlopen])' not used. Assuming no dlopen support."
-
-      case $host in
-      *-*-rhapsody* | *-*-darwin1.[012])
-	# On Rhapsody replace the C library is the System framework
-	compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'`
-	finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'`
-	;;
-      esac
-
-      case $host in
-      *-*-darwin*)
-	# Don't allow lazy linking, it breaks C++ global constructors
-	# But is supposedly fixed on 10.4 or later (yay!).
-	if test "$tagname" = CXX ; then
-	  case ${MACOSX_DEPLOYMENT_TARGET-10.0} in
-	    10.[0123])
-	      func_append compile_command " ${wl}-bind_at_load"
-	      func_append finalize_command " ${wl}-bind_at_load"
-	    ;;
-	  esac
-	fi
-	# Time to change all our "foo.ltframework" stuff back to "-framework foo"
-	compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
-	finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
-	;;
-      esac
-
-
-      # move library search paths that coincide with paths to not yet
-      # installed libraries to the beginning of the library search list
-      new_libs=
-      for path in $notinst_path; do
-	case " $new_libs " in
-	*" -L$path/$objdir "*) ;;
-	*)
-	  case " $compile_deplibs " in
-	  *" -L$path/$objdir "*)
-	    func_append new_libs " -L$path/$objdir" ;;
-	  esac
-	  ;;
-	esac
-      done
-      for deplib in $compile_deplibs; do
-	case $deplib in
-	-L*)
-	  case " $new_libs " in
-	  *" $deplib "*) ;;
-	  *) func_append new_libs " $deplib" ;;
-	  esac
-	  ;;
-	*) func_append new_libs " $deplib" ;;
-	esac
-      done
-      compile_deplibs="$new_libs"
-
-
-      func_append compile_command " $compile_deplibs"
-      func_append finalize_command " $finalize_deplibs"
-
-      if test -n "$rpath$xrpath"; then
-	# If the user specified any rpath flags, then add them.
-	for libdir in $rpath $xrpath; do
-	  # This is the magic to use -rpath.
-	  case "$finalize_rpath " in
-	  *" $libdir "*) ;;
-	  *) func_append finalize_rpath " $libdir" ;;
-	  esac
-	done
-      fi
-
-      # Now hardcode the library paths
-      rpath=
-      hardcode_libdirs=
-      for libdir in $compile_rpath $finalize_rpath; do
-	if test -n "$hardcode_libdir_flag_spec"; then
-	  if test -n "$hardcode_libdir_separator"; then
-	    if test -z "$hardcode_libdirs"; then
-	      hardcode_libdirs="$libdir"
-	    else
-	      # Just accumulate the unique libdirs.
-	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
-	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		;;
-	      *)
-		func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
-		;;
-	      esac
-	    fi
-	  else
-	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    func_append rpath " $flag"
-	  fi
-	elif test -n "$runpath_var"; then
-	  case "$perm_rpath " in
-	  *" $libdir "*) ;;
-	  *) func_append perm_rpath " $libdir" ;;
-	  esac
-	fi
-	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
-	  testbindir=`${ECHO} "$libdir" | ${SED} -e 's*/lib$*/bin*'`
-	  case :$dllsearchpath: in
-	  *":$libdir:"*) ;;
-	  ::) dllsearchpath=$libdir;;
-	  *) func_append dllsearchpath ":$libdir";;
-	  esac
-	  case :$dllsearchpath: in
-	  *":$testbindir:"*) ;;
-	  ::) dllsearchpath=$testbindir;;
-	  *) func_append dllsearchpath ":$testbindir";;
-	  esac
-	  ;;
-	esac
-      done
-      # Substitute the hardcoded libdirs into the rpath.
-      if test -n "$hardcode_libdir_separator" &&
-	 test -n "$hardcode_libdirs"; then
-	libdir="$hardcode_libdirs"
-	eval rpath=\" $hardcode_libdir_flag_spec\"
-      fi
-      compile_rpath="$rpath"
-
-      rpath=
-      hardcode_libdirs=
-      for libdir in $finalize_rpath; do
-	if test -n "$hardcode_libdir_flag_spec"; then
-	  if test -n "$hardcode_libdir_separator"; then
-	    if test -z "$hardcode_libdirs"; then
-	      hardcode_libdirs="$libdir"
-	    else
-	      # Just accumulate the unique libdirs.
-	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
-	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
-		;;
-	      *)
-		func_append hardcode_libdirs "$hardcode_libdir_separator$libdir"
-		;;
-	      esac
-	    fi
-	  else
-	    eval flag=\"$hardcode_libdir_flag_spec\"
-	    func_append rpath " $flag"
-	  fi
-	elif test -n "$runpath_var"; then
-	  case "$finalize_perm_rpath " in
-	  *" $libdir "*) ;;
-	  *) func_append finalize_perm_rpath " $libdir" ;;
-	  esac
-	fi
-      done
-      # Substitute the hardcoded libdirs into the rpath.
-      if test -n "$hardcode_libdir_separator" &&
-	 test -n "$hardcode_libdirs"; then
-	libdir="$hardcode_libdirs"
-	eval rpath=\" $hardcode_libdir_flag_spec\"
-      fi
-      finalize_rpath="$rpath"
-
-      if test -n "$libobjs" && test "$build_old_libs" = yes; then
-	# Transform all the library objects into standard objects.
-	compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
-	finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
-      fi
-
-      func_generate_dlsyms "$outputname" "@PROGRAM@" "no"
-
-      # template prelinking step
-      if test -n "$prelink_cmds"; then
-	func_execute_cmds "$prelink_cmds" 'exit $?'
-      fi
-
-      wrappers_required=yes
-      case $host in
-      *cegcc* | *mingw32ce*)
-        # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway.
-        wrappers_required=no
-        ;;
-      *cygwin* | *mingw* )
-        if test "$build_libtool_libs" != yes; then
-          wrappers_required=no
-        fi
-        ;;
-      *)
-        if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
-          wrappers_required=no
-        fi
-        ;;
-      esac
-      if test "$wrappers_required" = no; then
-	# Replace the output file specification.
-	compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
-	link_command="$compile_command$compile_rpath"
-
-	# We have no uninstalled library dependencies, so finalize right now.
-	exit_status=0
-	func_show_eval "$link_command" 'exit_status=$?'
-
-	if test -n "$postlink_cmds"; then
-	  func_to_tool_file "$output"
-	  postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
-	  func_execute_cmds "$postlink_cmds" 'exit $?'
-	fi
-
-	# Delete the generated files.
-	if test -f "$output_objdir/${outputname}S.${objext}"; then
-	  func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"'
-	fi
-
-	exit $exit_status
-      fi
-
-      if test -n "$compile_shlibpath$finalize_shlibpath"; then
-	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
-      fi
-      if test -n "$finalize_shlibpath"; then
-	finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
-      fi
-
-      compile_var=
-      finalize_var=
-      if test -n "$runpath_var"; then
-	if test -n "$perm_rpath"; then
-	  # We should set the runpath_var.
-	  rpath=
-	  for dir in $perm_rpath; do
-	    func_append rpath "$dir:"
-	  done
-	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
-	fi
-	if test -n "$finalize_perm_rpath"; then
-	  # We should set the runpath_var.
-	  rpath=
-	  for dir in $finalize_perm_rpath; do
-	    func_append rpath "$dir:"
-	  done
-	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
-	fi
-      fi
-
-      if test "$no_install" = yes; then
-	# We don't need to create a wrapper script.
-	link_command="$compile_var$compile_command$compile_rpath"
-	# Replace the output file specification.
-	link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
-	# Delete the old output file.
-	$opt_dry_run || $RM $output
-	# Link the executable and exit
-	func_show_eval "$link_command" 'exit $?'
-
-	if test -n "$postlink_cmds"; then
-	  func_to_tool_file "$output"
-	  postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
-	  func_execute_cmds "$postlink_cmds" 'exit $?'
-	fi
-
-	exit $EXIT_SUCCESS
-      fi
-
-      if test "$hardcode_action" = relink; then
-	# Fast installation is not supported
-	link_command="$compile_var$compile_command$compile_rpath"
-	relink_command="$finalize_var$finalize_command$finalize_rpath"
-
-	func_warning "this platform does not like uninstalled shared libraries"
-	func_warning "\`$output' will be relinked during installation"
-      else
-	if test "$fast_install" != no; then
-	  link_command="$finalize_var$compile_command$finalize_rpath"
-	  if test "$fast_install" = yes; then
-	    relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'`
-	  else
-	    # fast_install is set to needless
-	    relink_command=
-	  fi
-	else
-	  link_command="$compile_var$compile_command$compile_rpath"
-	  relink_command="$finalize_var$finalize_command$finalize_rpath"
-	fi
-      fi
-
-      # Replace the output file specification.
-      link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
-
-      # Delete the old output files.
-      $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname
-
-      func_show_eval "$link_command" 'exit $?'
-
-      if test -n "$postlink_cmds"; then
-	func_to_tool_file "$output_objdir/$outputname"
-	postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'`
-	func_execute_cmds "$postlink_cmds" 'exit $?'
-      fi
-
-      # Now create the wrapper script.
-      func_verbose "creating $output"
-
-      # Quote the relink command for shipping.
-      if test -n "$relink_command"; then
-	# Preserve any variables that may affect compiler behavior
-	for var in $variables_saved_for_relink; do
-	  if eval test -z \"\${$var+set}\"; then
-	    relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command"
-	  elif eval var_value=\$$var; test -z "$var_value"; then
-	    relink_command="$var=; export $var; $relink_command"
-	  else
-	    func_quote_for_eval "$var_value"
-	    relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command"
-	  fi
-	done
-	relink_command="(cd `pwd`; $relink_command)"
-	relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
-      fi
-
-      # Only actually do things if not in dry run mode.
-      $opt_dry_run || {
-	# win32 will think the script is a binary if it has
-	# a .exe suffix, so we strip it off here.
-	case $output in
-	  *.exe) func_stripname '' '.exe' "$output"
-	         output=$func_stripname_result ;;
-	esac
-	# test for cygwin because mv fails w/o .exe extensions
-	case $host in
-	  *cygwin*)
-	    exeext=.exe
-	    func_stripname '' '.exe' "$outputname"
-	    outputname=$func_stripname_result ;;
-	  *) exeext= ;;
-	esac
-	case $host in
-	  *cygwin* | *mingw* )
-	    func_dirname_and_basename "$output" "" "."
-	    output_name=$func_basename_result
-	    output_path=$func_dirname_result
-	    cwrappersource="$output_path/$objdir/lt-$output_name.c"
-	    cwrapper="$output_path/$output_name.exe"
-	    $RM $cwrappersource $cwrapper
-	    trap "$RM $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
-
-	    func_emit_cwrapperexe_src > $cwrappersource
-
-	    # The wrapper executable is built using the $host compiler,
-	    # because it contains $host paths and files. If cross-
-	    # compiling, it, like the target executable, must be
-	    # executed on the $host or under an emulation environment.
-	    $opt_dry_run || {
-	      $LTCC $LTCFLAGS -o $cwrapper $cwrappersource
-	      $STRIP $cwrapper
-	    }
-
-	    # Now, create the wrapper script for func_source use:
-	    func_ltwrapper_scriptname $cwrapper
-	    $RM $func_ltwrapper_scriptname_result
-	    trap "$RM $func_ltwrapper_scriptname_result; exit $EXIT_FAILURE" 1 2 15
-	    $opt_dry_run || {
-	      # note: this script will not be executed, so do not chmod.
-	      if test "x$build" = "x$host" ; then
-		$cwrapper --lt-dump-script > $func_ltwrapper_scriptname_result
-	      else
-		func_emit_wrapper no > $func_ltwrapper_scriptname_result
-	      fi
-	    }
-	  ;;
-	  * )
-	    $RM $output
-	    trap "$RM $output; exit $EXIT_FAILURE" 1 2 15
-
-	    func_emit_wrapper no > $output
-	    chmod +x $output
-	  ;;
-	esac
-      }
-      exit $EXIT_SUCCESS
-      ;;
-    esac
-
-    # See if we need to build an old-fashioned archive.
-    for oldlib in $oldlibs; do
-
-      if test "$build_libtool_libs" = convenience; then
-	oldobjs="$libobjs_save $symfileobj"
-	addlibs="$convenience"
-	build_libtool_libs=no
-      else
-	if test "$build_libtool_libs" = module; then
-	  oldobjs="$libobjs_save"
-	  build_libtool_libs=no
-	else
-	  oldobjs="$old_deplibs $non_pic_objects"
-	  if test "$preload" = yes && test -f "$symfileobj"; then
-	    func_append oldobjs " $symfileobj"
-	  fi
-	fi
-	addlibs="$old_convenience"
-      fi
-
-      if test -n "$addlibs"; then
-	gentop="$output_objdir/${outputname}x"
-	func_append generated " $gentop"
-
-	func_extract_archives $gentop $addlibs
-	func_append oldobjs " $func_extract_archives_result"
-      fi
-
-      # Do each command in the archive commands.
-      if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
-	cmds=$old_archive_from_new_cmds
-      else
-
-	# Add any objects from preloaded convenience libraries
-	if test -n "$dlprefiles"; then
-	  gentop="$output_objdir/${outputname}x"
-	  func_append generated " $gentop"
-
-	  func_extract_archives $gentop $dlprefiles
-	  func_append oldobjs " $func_extract_archives_result"
-	fi
-
-	# POSIX demands no paths to be encoded in archives.  We have
-	# to avoid creating archives with duplicate basenames if we
-	# might have to extract them afterwards, e.g., when creating a
-	# static archive out of a convenience library, or when linking
-	# the entirety of a libtool archive into another (currently
-	# not supported by libtool).
-	if (for obj in $oldobjs
-	    do
-	      func_basename "$obj"
-	      $ECHO "$func_basename_result"
-	    done | sort | sort -uc >/dev/null 2>&1); then
-	  :
-	else
-	  echo "copying selected object files to avoid basename conflicts..."
-	  gentop="$output_objdir/${outputname}x"
-	  func_append generated " $gentop"
-	  func_mkdir_p "$gentop"
-	  save_oldobjs=$oldobjs
-	  oldobjs=
-	  counter=1
-	  for obj in $save_oldobjs
-	  do
-	    func_basename "$obj"
-	    objbase="$func_basename_result"
-	    case " $oldobjs " in
-	    " ") oldobjs=$obj ;;
-	    *[\ /]"$objbase "*)
-	      while :; do
-		# Make sure we don't pick an alternate name that also
-		# overlaps.
-		newobj=lt$counter-$objbase
-		func_arith $counter + 1
-		counter=$func_arith_result
-		case " $oldobjs " in
-		*[\ /]"$newobj "*) ;;
-		*) if test ! -f "$gentop/$newobj"; then break; fi ;;
-		esac
-	      done
-	      func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
-	      func_append oldobjs " $gentop/$newobj"
-	      ;;
-	    *) func_append oldobjs " $obj" ;;
-	    esac
-	  done
-	fi
-	func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
-	tool_oldlib=$func_to_tool_file_result
-	eval cmds=\"$old_archive_cmds\"
-
-	func_len " $cmds"
-	len=$func_len_result
-	if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
-	  cmds=$old_archive_cmds
-	elif test -n "$archiver_list_spec"; then
-	  func_verbose "using command file archive linking..."
-	  for obj in $oldobjs
-	  do
-	    func_to_tool_file "$obj"
-	    $ECHO "$func_to_tool_file_result"
-	  done > $output_objdir/$libname.libcmd
-	  func_to_tool_file "$output_objdir/$libname.libcmd"
-	  oldobjs=" $archiver_list_spec$func_to_tool_file_result"
-	  cmds=$old_archive_cmds
-	else
-	  # the command line is too long to link in one step, link in parts
-	  func_verbose "using piecewise archive linking..."
-	  save_RANLIB=$RANLIB
-	  RANLIB=:
-	  objlist=
-	  concat_cmds=
-	  save_oldobjs=$oldobjs
-	  oldobjs=
-	  # Is there a better way of finding the last object in the list?
-	  for obj in $save_oldobjs
-	  do
-	    last_oldobj=$obj
-	  done
-	  eval test_cmds=\"$old_archive_cmds\"
-	  func_len " $test_cmds"
-	  len0=$func_len_result
-	  len=$len0
-	  for obj in $save_oldobjs
-	  do
-	    func_len " $obj"
-	    func_arith $len + $func_len_result
-	    len=$func_arith_result
-	    func_append objlist " $obj"
-	    if test "$len" -lt "$max_cmd_len"; then
-	      :
-	    else
-	      # the above command should be used before it gets too long
-	      oldobjs=$objlist
-	      if test "$obj" = "$last_oldobj" ; then
-		RANLIB=$save_RANLIB
-	      fi
-	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	      eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
-	      objlist=
-	      len=$len0
-	    fi
-	  done
-	  RANLIB=$save_RANLIB
-	  oldobjs=$objlist
-	  if test "X$oldobjs" = "X" ; then
-	    eval cmds=\"\$concat_cmds\"
-	  else
-	    eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
-	  fi
-	fi
-      fi
-      func_execute_cmds "$cmds" 'exit $?'
-    done
-
-    test -n "$generated" && \
-      func_show_eval "${RM}r$generated"
-
-    # Now create the libtool archive.
-    case $output in
-    *.la)
-      old_library=
-      test "$build_old_libs" = yes && old_library="$libname.$libext"
-      func_verbose "creating $output"
-
-      # Preserve any variables that may affect compiler behavior
-      for var in $variables_saved_for_relink; do
-	if eval test -z \"\${$var+set}\"; then
-	  relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command"
-	elif eval var_value=\$$var; test -z "$var_value"; then
-	  relink_command="$var=; export $var; $relink_command"
-	else
-	  func_quote_for_eval "$var_value"
-	  relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command"
-	fi
-      done
-      # Quote the link command for shipping.
-      relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
-      relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
-      if test "$hardcode_automatic" = yes ; then
-	relink_command=
-      fi
-
-      # Only create the output if not a dry run.
-      $opt_dry_run || {
-	for installed in no yes; do
-	  if test "$installed" = yes; then
-	    if test -z "$install_libdir"; then
-	      break
-	    fi
-	    output="$output_objdir/$outputname"i
-	    # Replace all uninstalled libtool libraries with the installed ones
-	    newdependency_libs=
-	    for deplib in $dependency_libs; do
-	      case $deplib in
-	      *.la)
-		func_basename "$deplib"
-		name="$func_basename_result"
-		func_resolve_sysroot "$deplib"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result`
-		test -z "$libdir" && \
-		  func_fatal_error "\`$deplib' is not a valid libtool archive"
-		func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name"
-		;;
-	      -L*)
-		func_stripname -L '' "$deplib"
-		func_replace_sysroot "$func_stripname_result"
-		func_append newdependency_libs " -L$func_replace_sysroot_result"
-		;;
-	      -R*)
-		func_stripname -R '' "$deplib"
-		func_replace_sysroot "$func_stripname_result"
-		func_append newdependency_libs " -R$func_replace_sysroot_result"
-		;;
-	      *) func_append newdependency_libs " $deplib" ;;
-	      esac
-	    done
-	    dependency_libs="$newdependency_libs"
-	    newdlfiles=
-
-	    for lib in $dlfiles; do
-	      case $lib in
-	      *.la)
-	        func_basename "$lib"
-		name="$func_basename_result"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
-		test -z "$libdir" && \
-		  func_fatal_error "\`$lib' is not a valid libtool archive"
-		func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name"
-		;;
-	      *) func_append newdlfiles " $lib" ;;
-	      esac
-	    done
-	    dlfiles="$newdlfiles"
-	    newdlprefiles=
-	    for lib in $dlprefiles; do
-	      case $lib in
-	      *.la)
-		# Only pass preopened files to the pseudo-archive (for
-		# eventual linking with the app. that links it) if we
-		# didn't already link the preopened objects directly into
-		# the library:
-		func_basename "$lib"
-		name="$func_basename_result"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
-		test -z "$libdir" && \
-		  func_fatal_error "\`$lib' is not a valid libtool archive"
-		func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name"
-		;;
-	      esac
-	    done
-	    dlprefiles="$newdlprefiles"
-	  else
-	    newdlfiles=
-	    for lib in $dlfiles; do
-	      case $lib in
-		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
-		*) abs=`pwd`"/$lib" ;;
-	      esac
-	      func_append newdlfiles " $abs"
-	    done
-	    dlfiles="$newdlfiles"
-	    newdlprefiles=
-	    for lib in $dlprefiles; do
-	      case $lib in
-		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
-		*) abs=`pwd`"/$lib" ;;
-	      esac
-	      func_append newdlprefiles " $abs"
-	    done
-	    dlprefiles="$newdlprefiles"
-	  fi
-	  $RM $output
-	  # place dlname in correct position for cygwin
-	  # In fact, it would be nice if we could use this code for all target
-	  # systems that can't hard-code library paths into their executables
-	  # and that have no shared library path variable independent of PATH,
-	  # but it turns out we can't easily determine that from inspecting
-	  # libtool variables, so we have to hard-code the OSs to which it
-	  # applies here; at the moment, that means platforms that use the PE
-	  # object format with DLL files.  See the long comment at the top of
-	  # tests/bindir.at for full details.
-	  tdlname=$dlname
-	  case $host,$output,$installed,$module,$dlname in
-	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll)
-	      # If a -bindir argument was supplied, place the dll there.
-	      if test "x$bindir" != x ;
-	      then
-		func_relative_path "$install_libdir" "$bindir"
-		tdlname=$func_relative_path_result$dlname
-	      else
-		# Otherwise fall back on heuristic.
-		tdlname=../bin/$dlname
-	      fi
-	      ;;
-	  esac
-	  $ECHO > $output "\
-# $outputname - a libtool library file
-# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
-#
-# Please DO NOT delete this file!
-# It is necessary for linking the library.
-
-# The name that we can dlopen(3).
-dlname='$tdlname'
-
-# Names of this library.
-library_names='$library_names'
-
-# The name of the static archive.
-old_library='$old_library'
-
-# Linker flags that can not go in dependency_libs.
-inherited_linker_flags='$new_inherited_linker_flags'
-
-# Libraries that this one depends upon.
-dependency_libs='$dependency_libs'
-
-# Names of additional weak libraries provided by this library
-weak_library_names='$weak_libs'
-
-# Version information for $libname.
-current=$current
-age=$age
-revision=$revision
-
-# Is this an already installed library?
-installed=$installed
-
-# Should we warn about portability when linking against -modules?
-shouldnotlink=$module
-
-# Files to dlopen/dlpreopen
-dlopen='$dlfiles'
-dlpreopen='$dlprefiles'
-
-# Directory that this library needs to be installed in:
-libdir='$install_libdir'"
-	  if test "$installed" = no && test "$need_relink" = yes; then
-	    $ECHO >> $output "\
-relink_command=\"$relink_command\""
-	  fi
-	done
-      }
-
-      # Do a symbolic link so that the libtool archive can be found in
-      # LD_LIBRARY_PATH before the program is installed.
-      func_show_eval '( cd "$output_objdir" && $RM "$outputname" && $LN_S "../$outputname" "$outputname" )' 'exit $?'
-      ;;
-    esac
-    exit $EXIT_SUCCESS
-}
-
-{ test "$opt_mode" = link || test "$opt_mode" = relink; } &&
-    func_mode_link ${1+"$@"}
-
-
-# func_mode_uninstall arg...
-func_mode_uninstall ()
-{
-    $opt_debug
-    RM="$nonopt"
-    files=
-    rmforce=
-    exit_status=0
-
-    # This variable tells wrapper scripts just to set variables rather
-    # than running their programs.
-    libtool_install_magic="$magic"
-
-    for arg
-    do
-      case $arg in
-      -f) func_append RM " $arg"; rmforce=yes ;;
-      -*) func_append RM " $arg" ;;
-      *) func_append files " $arg" ;;
-      esac
-    done
-
-    test -z "$RM" && \
-      func_fatal_help "you must specify an RM program"
-
-    rmdirs=
-
-    for file in $files; do
-      func_dirname "$file" "" "."
-      dir="$func_dirname_result"
-      if test "X$dir" = X.; then
-	odir="$objdir"
-      else
-	odir="$dir/$objdir"
-      fi
-      func_basename "$file"
-      name="$func_basename_result"
-      test "$opt_mode" = uninstall && odir="$dir"
-
-      # Remember odir for removal later, being careful to avoid duplicates
-      if test "$opt_mode" = clean; then
-	case " $rmdirs " in
-	  *" $odir "*) ;;
-	  *) func_append rmdirs " $odir" ;;
-	esac
-      fi
-
-      # Don't error if the file doesn't exist and rm -f was used.
-      if { test -L "$file"; } >/dev/null 2>&1 ||
-	 { test -h "$file"; } >/dev/null 2>&1 ||
-	 test -f "$file"; then
-	:
-      elif test -d "$file"; then
-	exit_status=1
-	continue
-      elif test "$rmforce" = yes; then
-	continue
-      fi
-
-      rmfiles="$file"
-
-      case $name in
-      *.la)
-	# Possibly a libtool archive, so verify it.
-	if func_lalib_p "$file"; then
-	  func_source $dir/$name
-
-	  # Delete the libtool libraries and symlinks.
-	  for n in $library_names; do
-	    func_append rmfiles " $odir/$n"
-	  done
-	  test -n "$old_library" && func_append rmfiles " $odir/$old_library"
-
-	  case "$opt_mode" in
-	  clean)
-	    case " $library_names " in
-	    *" $dlname "*) ;;
-	    *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;;
-	    esac
-	    test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i"
-	    ;;
-	  uninstall)
-	    if test -n "$library_names"; then
-	      # Do each command in the postuninstall commands.
-	      func_execute_cmds "$postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1'
-	    fi
-
-	    if test -n "$old_library"; then
-	      # Do each command in the old_postuninstall commands.
-	      func_execute_cmds "$old_postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1'
-	    fi
-	    # FIXME: should reinstall the best remaining shared library.
-	    ;;
-	  esac
-	fi
-	;;
-
-      *.lo)
-	# Possibly a libtool object, so verify it.
-	if func_lalib_p "$file"; then
-
-	  # Read the .lo file
-	  func_source $dir/$name
-
-	  # Add PIC object to the list of files to remove.
-	  if test -n "$pic_object" &&
-	     test "$pic_object" != none; then
-	    func_append rmfiles " $dir/$pic_object"
-	  fi
-
-	  # Add non-PIC object to the list of files to remove.
-	  if test -n "$non_pic_object" &&
-	     test "$non_pic_object" != none; then
-	    func_append rmfiles " $dir/$non_pic_object"
-	  fi
-	fi
-	;;
-
-      *)
-	if test "$opt_mode" = clean ; then
-	  noexename=$name
-	  case $file in
-	  *.exe)
-	    func_stripname '' '.exe' "$file"
-	    file=$func_stripname_result
-	    func_stripname '' '.exe' "$name"
-	    noexename=$func_stripname_result
-	    # $file with .exe has already been added to rmfiles,
-	    # add $file without .exe
-	    func_append rmfiles " $file"
-	    ;;
-	  esac
-	  # Do a test to see if this is a libtool program.
-	  if func_ltwrapper_p "$file"; then
-	    if func_ltwrapper_executable_p "$file"; then
-	      func_ltwrapper_scriptname "$file"
-	      relink_command=
-	      func_source $func_ltwrapper_scriptname_result
-	      func_append rmfiles " $func_ltwrapper_scriptname_result"
-	    else
-	      relink_command=
-	      func_source $dir/$noexename
-	    fi
-
-	    # note $name still contains .exe if it was in $file originally
-	    # as does the version of $file that was added into $rmfiles
-	    func_append rmfiles " $odir/$name $odir/${name}S.${objext}"
-	    if test "$fast_install" = yes && test -n "$relink_command"; then
-	      func_append rmfiles " $odir/lt-$name"
-	    fi
-	    if test "X$noexename" != "X$name" ; then
-	      func_append rmfiles " $odir/lt-${noexename}.c"
-	    fi
-	  fi
-	fi
-	;;
-      esac
-      func_show_eval "$RM $rmfiles" 'exit_status=1'
-    done
-
-    # Try to remove the ${objdir}s in the directories where we deleted files
-    for dir in $rmdirs; do
-      if test -d "$dir"; then
-	func_show_eval "rmdir $dir >/dev/null 2>&1"
-      fi
-    done
-
-    exit $exit_status
-}
-
-{ test "$opt_mode" = uninstall || test "$opt_mode" = clean; } &&
-    func_mode_uninstall ${1+"$@"}
-
-test -z "$opt_mode" && {
-  help="$generic_help"
-  func_fatal_help "you must specify a MODE"
-}
-
-test -z "$exec_cmd" && \
-  func_fatal_help "invalid operation mode \`$opt_mode'"
-
-if test -n "$exec_cmd"; then
-  eval exec "$exec_cmd"
-  exit $EXIT_FAILURE
-fi
-
-exit $exit_status
-
-
-# The TAGs below are defined such that we never get into a situation
-# in which we disable both kinds of libraries.  Given conflicting
-# choices, we go for a static library, that is the most portable,
-# since we can't tell whether shared libraries were disabled because
-# the user asked for that or because the platform doesn't support
-# them.  This is particularly important on AIX, because we don't
-# support having both static and shared libraries enabled at the same
-# time on that platform, so we default to a shared-only configuration.
-# If a disable-shared tag is given, we'll fallback to a static-only
-# configuration.  But we'll never go from static-only to shared-only.
-
-# ### BEGIN LIBTOOL TAG CONFIG: disable-shared
-build_libtool_libs=no
-build_old_libs=yes
-# ### END LIBTOOL TAG CONFIG: disable-shared
-
-# ### BEGIN LIBTOOL TAG CONFIG: disable-static
-build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
-# ### END LIBTOOL TAG CONFIG: disable-static
-
-# Local Variables:
-# mode:shell-script
-# sh-indentation:2
-# End:
-# vi:sw=2
-
diff --git a/contrib/bind9/make/Makefile.in b/contrib/bind9/make/Makefile.in
deleted file mode 100644
index 86c93e7..0000000
--- a/contrib/bind9/make/Makefile.in
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.16 2007/06/19 23:47:24 tbox Exp $
-
-srcdir =	@srcdir@
-VPATH =		@srcdir@
-top_srcdir =	@top_srcdir@
-
-SUBDIRS=
-TARGETS=
-
-@BIND9_MAKE_RULES@
-
-distclean::
-	rm -f rules mkdep includes
diff --git a/contrib/bind9/make/includes.in b/contrib/bind9/make/includes.in
deleted file mode 100644
index f2f1b3f..0000000
--- a/contrib/bind9/make/includes.in
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: includes.in,v 1.21 2007/06/19 23:47:24 tbox Exp $
-
-# Search for machine-generated header files in the build tree,
-# and for normal headers in the source tree (${top_srcdir}).
-# We only need to look in OS-specific subdirectories for the
-# latter case, because there are no machine-generated OS-specific
-# headers.
-
-ISC_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
-	-I${top_srcdir}/lib/isc \
-	-I${top_srcdir}/lib/isc/include \
-	-I${top_srcdir}/lib/isc/unix/include \
-	-I${top_srcdir}/lib/isc/@ISC_THREAD_DIR@/include \
-	-I${top_srcdir}/lib/isc/@ISC_ARCH_DIR@/include
-
-ISCCC_INCLUDES = @BIND9_ISCCC_BUILDINCLUDE@ \
-       -I${top_srcdir}/lib/isccc/include
-
-ISCCFG_INCLUDES = @BIND9_ISCCFG_BUILDINCLUDE@ \
-       -I${top_srcdir}/lib/isccfg/include
-
-DNS_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
-	-I${top_srcdir}/lib/dns/include
-
-LWRES_INCLUDES = @BIND9_LWRES_BUILDINCLUDE@ \
-	-I${top_srcdir}/lib/lwres/unix/include \
-	-I${top_srcdir}/lib/lwres/include
-
-BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
-	-I${top_srcdir}/lib/bind9/include
-
-TEST_INCLUDES = \
-	-I${top_srcdir}/lib/tests/include
diff --git a/contrib/bind9/make/mkdep.in b/contrib/bind9/make/mkdep.in
deleted file mode 100644
index 8c2201f4..0000000
--- a/contrib/bind9/make/mkdep.in
+++ /dev/null
@@ -1,187 +0,0 @@
-#!/bin/sh -
-
-##
-## Modified to handle -vpath <path> option by Michael Graff, ISC.
-## The purpose of this is to allow this script to run outside of the
-## source directory, for instance when running configure with
-##   ../bind9-mainline/configure
-## and still have "make depend" work.
-##
-
-## ++Copyright++ 1987
-## -
-## Copyright (c) 1987 Regents of the University of California.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted provided that the following conditions
-## are met:
-## 1. Redistributions of source code must retain the above copyright
-##    notice, this list of conditions and the following disclaimer.
-## 2. Redistributions in binary form must reproduce the above copyright
-##    notice, this list of conditions and the following disclaimer in the
-##    documentation and/or other materials provided with the distribution.
-## 3. All advertising materials mentioning features or use of this software
-##    must display the following acknowledgement:
-## This product includes software developed by the University of
-## California, Berkeley and its contributors.
-## 4. Neither the name of the University nor the names of its contributors
-##    may be used to endorse or promote products derived from this software
-##    without specific prior written permission.
-## THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-## ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-## SUCH DAMAGE.
-## -
-## Portions Copyright (c) 1993 by Digital Equipment Corporation.
-##
-## Permission to use, copy, modify, and distribute this software for any
-## purpose with or without fee is hereby granted, provided that the above
-## copyright notice and this permission notice appear in all copies, and that
-## the name of Digital Equipment Corporation not be used in advertising or
-## publicity pertaining to distribution of the document or software without
-## specific, written prior permission.
-##
-## THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
-## WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
-## OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
-## CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
-## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
-## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
-## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-## SOFTWARE.
-## -
-## --Copyright--
-
-#
-#	@(#)mkdep.sh	5.12 (Berkeley) 6/30/88
-#
-
-MAKE=Makefile			# default makefile name is "Makefile"
-
-while :
-	do case "$1" in
-		# -vpath allows one to select a virtual path for .c files
-		-vpath)
-			VPATH=$2;
-			shift; shift ;;
-		# -f allows you to select a makefile name
-		-f)
-			MAKE=$2
-			shift; shift ;;
-
-		# the -p flag produces "program: program.c" style dependencies
-		# so .o's don't get produced
-		-p)
-			SED='s;\.o;;'
-			shift ;;
-		*)
-			break ;;
-	esac
-done
-
-if [ $# = 0 ] ; then
-	echo 'usage: mkdep [-vpath path] [-p] [-f makefile] [flags] file ...'
-	exit 1
-fi
-
-if [ ! -w $MAKE ]; then
-	echo "mkdep: no writeable file \"$MAKE\""
-	exit 1
-fi
-
-TMP=mkdep$$
-
-trap 'rm -f $TMP ; exit 1' 1 2 3 13 15
-
-cp $MAKE ${MAKE}.bak
-
-sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP
-
-cat << _EOF_ >> $TMP
-# DO NOT DELETE THIS LINE -- mkdep uses it.
-# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY.
-
-_EOF_
-
-# If your compiler doesn't have -M, add it.  If you can't, the next two
-# lines will try and replace the "cc -M".  The real problem is that this
-# hack can't deal with anything that requires a search path, and doesn't
-# even try for anything using bracket (<>) syntax.
-#
-# egrep '^#include[ 	]*".*"' /dev/null $* |
-# sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
-
-if [ X"${VPATH}" != X ] ; then
-    for arg in $* ; do
-	case "$arg" in
-	    -*)
-		newargs="$newargs $arg"
-		;;
-	    *)
-		newargs="$newargs $VPATH/$arg"
-		;;
-	esac
-    done
-else
-    newargs="$*";
-fi
-
-MKDEPPROG="@MKDEPPROG@"
-if [ X"${MKDEPPROG}" != X ]; then
-    @SHELL@ -c "${MKDEPPROG} ${newargs}"
-else
-    @MKDEPCC@ @MKDEPCFLAGS@ ${newargs} |
-    sed "
-	s; \\./; ;g
-	s; \\\\; ;g
-	@LIBTOOL_MKDEP_SED@
-	$SED" |
-    awk '$1 ~ /:$/ {
-		if (rec != "")
-			 print rec;
-		if (NF == 1)
-			rec = $1;
-		else
-			rec = $1 " " $2;
-		for (i = 3; i <= NF; i++) {
-			if (length(rec $i) > 76) {
-				print rec " \\";
-				rec = "    " $i;
-			} else {
-				rec = rec " " $i;
-			}
-		}
-		next;
-	}
-	{
-		for (i = 1; i <= NF; i++) {
-			if (length(rec $i) > 76) {
-				print rec, "\\";
-				rec =  "    " $i;
-			} else {
-				rec = rec " " $i;
-			}
-		}
-	}
-    END {
-	print rec
-    }' >> $TMP
-fi
-
-cat << _EOF_ >> $TMP
-
-# IF YOU PUT ANYTHING HERE IT WILL GO AWAY
-_EOF_
-
-# copy to preserve permissions
-cp $TMP $MAKE
-rm -f ${MAKE}.bak $TMP
-exit 0
diff --git a/contrib/bind9/make/rules.in b/contrib/bind9/make/rules.in
deleted file mode 100644
index 37bc50d..0000000
--- a/contrib/bind9/make/rules.in
+++ /dev/null
@@ -1,369 +0,0 @@
-# Copyright (C) 2004-2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id$
-
-###
-### Common Makefile rules for BIND 9.
-###
-
-###
-### Paths
-###
-### Note: paths that vary by Makefile MUST NOT be listed
-### here, or they won't get expanded correctly.
-
-prefix =	@prefix@
-exec_prefix =	@exec_prefix@
-bindir =	@bindir@
-sbindir =	@sbindir@
-includedir =	@includedir@
-libdir =	@libdir@
-sysconfdir =	@sysconfdir@
-localstatedir =	@localstatedir@
-mandir =	@mandir@
-datarootdir =   @datarootdir@
-export_libdir =	@export_libdir@
-export_includedir = @export_includedir@
-
-DESTDIR =
-
-@SET_MAKE@
-
-top_builddir =	@BIND9_TOP_BUILDDIR@
-
-###
-### All
-###
-### Makefile may define:
-###	TARGETS
-
-all: subdirs ${TARGETS} testdirs
-
-###
-### Subdirectories
-###
-### Makefile may define:
-###	SUBDIRS
-
-ALL_SUBDIRS = ${SUBDIRS} nulldir
-ALL_TESTDIRS = ${TESTDIRS} nulldir
-
-#
-# We use a single-colon rule so that additional dependencies of
-# subdirectories can be specified after the inclusion of this file.
-# The "depend" and "testdirs" targets are treated the same way.
-#
-subdirs:
-	@for i in ${ALL_SUBDIRS}; do \
-		if [ "$$i" != "nulldir" -a -d $$i ]; then \
-			echo "making all in `pwd`/$$i"; \
-			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \
-		fi; \
-	done
-
-#
-# Tests are built after the targets instead of before
-#
-testdirs:
-	@for i in ${ALL_TESTDIRS}; do \
-		if [ "$$i" != "nulldir" -a -d $$i ]; then \
-			echo "making all in `pwd`/$$i"; \
-			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \
-		fi; \
-	done
-
-install:: all
-
-install clean distclean maintainer-clean doc docclean man manclean::
-	@for i in ${ALL_SUBDIRS} ${ALL_TESTDIRS}; do \
-		if [ "$$i" != "nulldir" -a -d $$i ]; then \
-			echo "making $@ in `pwd`/$$i"; \
-			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
-		fi; \
-	done
-
-###
-### C Programs
-###
-### Makefile must define
-###	CC
-### Makefile may define
-###	CFLAGS
-###	LDFLAGS
-###	CINCLUDES
-###	CDEFINES
-###	CWARNINGS
-### User may define externally
-###     EXT_CFLAGS
-
-CC = 		@CC@
-CFLAGS =	@CFLAGS@
-LDFLAGS =	@LDFLAGS@
-STD_CINCLUDES =	@STD_CINCLUDES@
-STD_CDEFINES =	@STD_CDEFINES@
-STD_CWARNINGS =	@STD_CWARNINGS@
-
-BUILD_CC = @BUILD_CC@
-BUILD_CFLAGS = @BUILD_CFLAGS@
-BUILD_CPPFLAGS = @BUILD_CPPFLAGS@
-BUILD_LDFLAGS = @BUILD_LDFLAGS@
-BUILD_LIBS = @BUILD_LIBS@
-
-.SUFFIXES:
-.SUFFIXES: .c .@O@
-
-ALWAYS_INCLUDES = -I${top_builddir}
-ALWAYS_DEFINES = @ALWAYS_DEFINES@
-ALWAYS_WARNINGS =
-
-ALL_CPPFLAGS = \
-	${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
-	${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
-
-ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \
-	${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
-
-@BIND9_CO_RULE@
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $<
-
-SHELL = @SHELL@
-LIBTOOL = @LIBTOOL@
-LIBTOOL_MODE_COMPILE = ${LIBTOOL} @LIBTOOL_MODE_COMPILE@
-LIBTOOL_MODE_INSTALL = ${LIBTOOL} @LIBTOOL_MODE_INSTALL@
-LIBTOOL_MODE_LINK = ${LIBTOOL} @LIBTOOL_MODE_LINK@
-PURIFY = @PURIFY@
-
-MKDEP = ${SHELL} ${top_builddir}/make/mkdep
-
-###
-### This is a template compound command to build an executable binary with
-### an internal symbol table.
-### This process is tricky.  We first link all objects including a tentative
-### empty symbol table, then get a tentative list of symbols from the resulting
-### binary ($@tmp0).  Next, we re-link all objects, but this time with the
-### symbol table just created ($tmp@1).  The set of symbols should be the same,
-### but the corresponding addresses would be changed due to the difference on
-### the size of symbol tables.  So we create the symbol table and re-create the
-### objects once again.  Finally, we check the symbol table embedded in the
-### final binaryis consistent with the binary itself; otherwise the process is
-### terminated.
-###
-### To minimize the overhead of creating symbol tables, the autoconf switch
-### --enable-symtable takes an argument so that the symbol table can be created
-### on a per application basis: unless the argument is set to "all", the symbol
-### table is created only when a shell (environment) variable "MAKE_SYMTABLE" is
-### set to a non-null value in the rule to build the executable binary.
-###
-### Each Makefile.in that uses this macro is expected to define "LIBS" and
-### "NOSYMLIBS"; the former includes libisc with an empty symbol table, and
-### the latter includes libisc without the definition of a symbol table.
-### The rule to make the executable binary will look like this
-### binary@EXEEXT@: ${OBJS}
-###     #export MAKE_SYMTABLE="yes"; \  <- enable if symtable is always needed
-###	export BASEOBJS="${OBJS}"; \
-###	${FINALBUILDCMD}
-###
-### Normally, ${LIBS} includes all necessary libraries to build the binary;
-### there are some exceptions however, where the rule lists some of the
-### necessary libraries explicitly in addition to (or instead of) ${LIBS},
-### like this:
-### binary@EXEEXT@: ${OBJS}
-###     cc -o $@ ${OBJS} ${OTHERLIB1} ${OTHERLIB2} ${lIBS}
-### in order to modify such a rule to use this compound command, a separate
-### variable "LIBS0" should be deinfed for the explicitly listed libraries,
-### while making sure ${LIBS} still includes libisc.  So the above rule would
-### be modified as follows:
-### binary@EXEEXT@: ${OBJS}
-###	export BASEOBJS="${OBJS}"; \
-###	export LIBS0="${OTHERLIB1} ${OTHERLIB2}"; \
-###     ${FINALBUILDCMD}
-### See bin/check/Makefile.in for a complete example of the use of LIBS0.
-###
-FINALBUILDCMD = if [ X"${MKSYMTBL_PROGRAM}" = X -o X"$${MAKE_SYMTABLE:-${ALWAYS_MAKE_SYMTABLE}}" = X ] ; then \
-		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-		-o $@ $${BASEOBJS} $${LIBS0} ${LIBS}; \
-	else \
-		rm -f $@tmp0; \
-		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-		-o $@tmp0 $${BASEOBJS} $${LIBS0} ${LIBS} || exit 1; \
-		rm -f $@-symtbl.c $@-symtbl.@O@; \
-		${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
-		-o $@-symtbl.c $@tmp0 || exit 1; \
-		$(MAKE) $@-symtbl.@O@ || exit 1; \
-		rm -f $@tmp1; \
-		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-		-o $@tmp1 $${BASEOBJS} $@-symtbl.@O@ $${LIBS0} ${NOSYMLIBS} || exit 1; \
-		rm -f $@-symtbl.c $@-symtbl.@O@; \
-		${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
-		-o $@-symtbl.c $@tmp1 || exit 1; \
-		$(MAKE) $@-symtbl.@O@ || exit 1; \
-		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-		-o $@tmp2 $${BASEOBJS} $@-symtbl.@O@ $${LIBS0} ${NOSYMLIBS}; \
-		${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
-		-o $@-symtbl2.c $@tmp2; \
-		count=0; \
-		until diff $@-symtbl.c $@-symtbl2.c > /dev/null ; \
-		do \
-			count=`expr $$count + 1` ; \
-			test $$count = 42 && exit 1 ; \
-			rm -f $@-symtbl.c $@-symtbl.@O@; \
-			${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
-			-o $@-symtbl.c $@tmp2 || exit 1; \
-			$(MAKE) $@-symtbl.@O@ || exit 1; \
-			${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} \
-			${LDFLAGS} -o $@tmp2 $${BASEOBJS} $@-symtbl.@O@ \
-			$${LIBS0} ${NOSYMLIBS}; \
-			${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
-			-o $@-symtbl2.c $@tmp2; \
-		done ; \
-		mv $@tmp2 $@; \
-		rm -f $@tmp0 $@tmp1 $@tmp2 $@-symtbl2.c; \
-	fi
-
-cleandir: distclean
-superclean: maintainer-clean
-
-clean distclean maintainer-clean::
-	rm -f *.@O@ *.o *.lo *.la core *.core *-symtbl.c *tmp0 *tmp1 *tmp2
-	rm -rf .depend .libs
-
-distclean maintainer-clean::
-	rm -f Makefile
-
-depend:
-	@for i in ${ALL_SUBDIRS}; do \
-		if [ "$$i" != "nulldir" -a -d $$i ]; then \
-			echo "making depend in `pwd`/$$i"; \
-			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
-		fi; \
-	done
-	@if [ X"${srcdir}" != X. ] ; then \
-		if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
-			echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
-			${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
-			echo ${MKDEP} -vpath ${srcdir} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
-			${MKDEP} -vpath ${srcdir} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
-			${DEPENDEXTRA} \
-		elif [ X"${SRCS}" != X ] ; then \
-			echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
-			${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
-			${DEPENDEXTRA} \
-		elif [ X"${PSRCS}" != X ] ; then \
-			echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
-			${MKDEP} -vpath ${srcdir} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
-			${DEPENDEXTRA} \
-		fi \
-	else \
-		if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
-			echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
-			${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
-			echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
-			${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
-			${DEPENDEXTRA} \
-		elif [ X"${SRCS}" != X ] ; then \
-			echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
-			${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
-			${DEPENDEXTRA} \
-		elif [ X"${PSRCS}" != X ] ; then \
-			echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
-			${MKDEP} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
-			${DEPENDEXTRA} \
-		fi \
-	fi
-
-FORCE:
-
-###
-### Libraries
-###
-
-AR =		@AR@
-ARFLAGS =	@ARFLAGS@
-RANLIB =	@RANLIB@
-
-###
-### Installation
-###
-
-INSTALL =		@INSTALL@
-INSTALL_PROGRAM =	@INSTALL_PROGRAM@
-LINK_PROGRAM =		@LN_S@
-INSTALL_SCRIPT =	@INSTALL_SCRIPT@
-INSTALL_DATA =		@INSTALL_DATA@
-
-###
-### Programs used when generating documentation.  It's ok for these
-### not to exist when not generating documentation.
-###
-
-XSLTPROC =		@XSLTPROC@ --novalid --xinclude --nonet
-PERL =			@PERL@
-LATEX =			@LATEX@
-PDFLATEX =		@PDFLATEX@
-W3M =			@W3M@
-
-###
-### Script language program used to create internal symbol tables
-###
-MKSYMTBL_PROGRAM =	@MKSYMTBL_PROGRAM@
-
-###
-### Switch to create internal symbol table selectively
-###
-ALWAYS_MAKE_SYMTABLE =	@ALWAYS_MAKE_SYMTABLE@
-
-###
-### DocBook -> HTML
-### DocBook -> man page
-###
-
-.SUFFIXES: .docbook .html .1 .2 .3 .4 .5 .6 .7 .8
-
-.docbook.html:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-docbook-html.xsl $<
-
-.docbook.1:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.2:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.3:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.4:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.5:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.6:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.7:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.8:
-	${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-###
-### Python executable
-###
-.SUFFIXES: .py
-.py:
-	cp -f $< $@
-	chmod +x $@
-
diff --git a/contrib/bind9/mkinstalldirs b/contrib/bind9/mkinstalldirs
deleted file mode 100755
index 4992567..0000000
--- a/contrib/bind9/mkinstalldirs
+++ /dev/null
@@ -1,40 +0,0 @@
-#! /bin/sh
-# mkinstalldirs --- make directory hierarchy
-# Author: Noah Friedman <friedman@prep.ai.mit.edu>
-# Created: 1993-05-16
-# Public domain
-
-# $Id: mkinstalldirs,v 1.1 2000/09/20 19:05:51 gson Exp $
-
-errstatus=0
-
-for file
-do
-   set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
-   shift
-
-   pathcomp=
-   for d
-   do
-     pathcomp="$pathcomp$d"
-     case "$pathcomp" in
-       -* ) pathcomp=./$pathcomp ;;
-     esac
-
-     if test ! -d "$pathcomp"; then
-        echo "mkdir $pathcomp" 1>&2
-
-        mkdir "$pathcomp" || lasterr=$?
-
-        if test ! -d "$pathcomp"; then
-  	  errstatus=$lasterr
-        fi
-     fi
-
-     pathcomp="$pathcomp/"
-   done
-done
-
-exit $errstatus
-
-# mkinstalldirs ends here
diff --git a/contrib/bind9/version b/contrib/bind9/version
deleted file mode 100644
index 039f4a1..0000000
--- a/contrib/bind9/version
+++ /dev/null
@@ -1,12 +0,0 @@
-# $Id$
-# 
-# This file must follow /bin/sh rules.  It is imported directly via
-# configure.
-#
-PRODUCT=BIND
-DESCRIPTION="(Extended Support Version)"
-MAJORVER=9
-MINORVER=9
-PATCHVER=3
-RELEASETYPE=-P
-RELEASEVER=2
diff --git a/etc/Makefile b/etc/Makefile
index ddd1abb..ff8efc5 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -142,12 +142,6 @@ MTREE=	BSD.include.dist BSD.root.dist BSD.usr.dist BSD.var.dist
 .if ${MK_SENDMAIL} != "no"
 MTREE+=	BSD.sendmail.dist
 .endif
-.if ${MK_BIND} != "no"
-MTREE+=	BIND.chroot.dist
-.if ${MK_BIND_LIBS} != "no"
-MTREE+=	BIND.include.dist
-.endif
-.endif
 .if ${MK_DEBUG_FILES} != "no"
 MTREE+=	BSD.debug.dist
 .endif
@@ -242,14 +236,6 @@ distribution:
 	    ${BSM_ETC_RESTRICTED_FILES} ${BSM_ETC_DIR}
 	cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 0500 \
 	    ${BSM_ETC_EXEC_FILES} ${BSM_ETC_DIR}
-.if ${MK_BIND_MTREE} != "no"
-	if [ ! -e ${DESTDIR}/etc/namedb ]; then \
-		ln -s ../var/named/etc/namedb ${DESTDIR}/etc/namedb; \
-	fi
-.endif
-.if ${MK_BIND_ETC} != "no"
-	${_+_}cd ${.CURDIR}/namedb; ${MAKE} install
-.endif
 .if ${MK_UNBOUND} != "no"
 	if [ ! -e ${DESTDIR}/etc/unbound ]; then \
 		${INSTALL_SYMLINK} ../var/unbound ${DESTDIR}/etc/unbound; \
@@ -328,12 +314,6 @@ MTREES=		mtree/BSD.root.dist		/		\
 .if ${MK_DEBUG_FILES} != "no"
 MTREES+=	mtree/BSD.debug.dist		/usr/lib
 .endif
-.if ${MK_BIND_LIBS} != "no"
-MTREES+=	mtree/BIND.include.dist		/usr/include
-.endif
-.if ${MK_BIND_MTREE} != "no"
-MTREES+=	mtree/BIND.chroot.dist		/var/named
-.endif
 .if ${MK_GROFF} != "no"
 MTREES+=	mtree/BSD.groff.dist		/usr
 .endif
diff --git a/etc/mtree/BIND.chroot.dist b/etc/mtree/BIND.chroot.dist
deleted file mode 100644
index 95423db..0000000
--- a/etc/mtree/BIND.chroot.dist
+++ /dev/null
@@ -1,35 +0,0 @@
-# $FreeBSD$
-#
-# Please see the file src/etc/mtree/README before making changes to this file.
-#
-
-/set type=dir uname=root gname=wheel mode=0755
-.
-    dev             mode=0555
-    ..
-    etc
-        namedb
-            dynamic uname=bind
-            ..
-            master
-            ..
-            slave   uname=bind
-            ..
-            working uname=bind
-            ..
-        ..
-    ..
-/set type=dir uname=bind gname=wheel mode=0755
-    var             uname=root
-        dump
-        ..
-        log
-        ..
-        run
-            named
-            ..
-        ..
-        stats
-        ..
-    ..
-..
diff --git a/etc/mtree/BIND.include.dist b/etc/mtree/BIND.include.dist
deleted file mode 100644
index 534794a..0000000
--- a/etc/mtree/BIND.include.dist
+++ /dev/null
@@ -1,22 +0,0 @@
-# $FreeBSD$
-#
-# Please see the file src/etc/mtree/README before making changes to this file.
-#
-
-/set type=dir uname=root gname=wheel mode=0755
-.
-    bind
-    ..
-    bind9
-    ..
-    dns
-    ..
-    dst
-    ..
-    isc
-    ..
-    isccc
-    ..
-    isccfg
-    ..
-..
diff --git a/etc/mtree/BSD.var.dist b/etc/mtree/BSD.var.dist
index 63ab015..f4faeed 100644
--- a/etc/mtree/BSD.var.dist
+++ b/etc/mtree/BSD.var.dist
@@ -63,13 +63,9 @@
     ..
     msgs            uname=daemon
     ..
-    named
-    ..
     preserve
     ..
     run
-        named           uname=bind gname=bind
-        ..
         ppp             gname=network mode=0770
         ..
         wpa_supplicant
diff --git a/include/Makefile b/include/Makefile
index fd15613..1f55f4e 100644
--- a/include/Makefile
+++ b/include/Makefile
@@ -149,11 +149,6 @@ compat:
 	mtree -deU ${MTREE_FOLLOWS_SYMLINKS} \
 	    -f ${.CURDIR}/../etc/mtree/BSD.include.dist \
 	    -p ${DESTDIR}${INCLUDEDIR}
-.if ${MK_BIND_LIBS} != "no"
-	mtree -deU ${MTREE_FOLLOWS_SYMLINKS} \
-	    -f ${.CURDIR}/../etc/mtree/BIND.include.dist \
-	    -p ${DESTDIR}${INCLUDEDIR}
-.endif
 
 copies:
 .for i in ${LDIRS} ${LSUBDIRS} ${LSUBSUBDIRS} altq crypto machine machine/pc \
diff --git a/lib/Makefile b/lib/Makefile
index 5fb8ec4..9ac8945 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -127,7 +127,6 @@ SUBDIR=	${SUBDIR_ORDERED} \
 	libyaml \
 	libz \
 	${_atf} \
-	${_bind} \
 	${_clang}
 
 .if exists(${.CURDIR}/csu/${MACHINE_ARCH}-elf)
@@ -150,10 +149,6 @@ _atf=		atf
 _libngatm=	libngatm
 .endif
 
-.if ${MK_BIND} != "no"
-_bind=		bind
-.endif
-
 .if ${MK_BLUETOOTH} != "no"
 _libbluetooth=	libbluetooth
 _libsdp=	libsdp
diff --git a/lib/bind/Makefile b/lib/bind/Makefile
deleted file mode 100644
index e2457b7..0000000
--- a/lib/bind/Makefile
+++ /dev/null
@@ -1,5 +0,0 @@
-# $FreeBSD$
-
-SUBDIR=		isc isccc dns isccfg bind9 lwres
-
-.include <bsd.subdir.mk>
diff --git a/lib/bind/bind9/Makefile b/lib/bind/bind9/Makefile
deleted file mode 100644
index 5abbeb1..0000000
--- a/lib/bind/bind9/Makefile
+++ /dev/null
@@ -1,31 +0,0 @@
-# $FreeBSD$
-
-.include <bsd.own.mk>
-
-BIND_DIR=	${.CURDIR}/../../../contrib/bind9
-LIB_BIND_REL=	..
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/lib/bind9
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-LIB=		bind9
-
-.PATH:		${SRCDIR}
-SRCS=		check.c getaddresses.c version.c
-
-CFLAGS+=	-I${SRCDIR}/include
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-
-DPADD=		${PTHREAD_DPADD}
-LDADD=		${PTHREAD_LDADD}
-
-.if ${MK_BIND_LIBS} != "no"
-INCS=		${SRCDIR}/include/bind9/check.h \
-		${SRCDIR}/include/bind9/getaddresses.h \
-		${SRCDIR}/include/bind9/version.h
-
-INCSDIR=	${INCLUDEDIR}/bind9
-.endif
-
-.include <bsd.lib.mk>
diff --git a/lib/bind/config.h b/lib/bind/config.h
deleted file mode 100644
index d720a77..0000000
--- a/lib/bind/config.h
+++ /dev/null
@@ -1,463 +0,0 @@
-/* $FreeBSD$ */
-
-/* config.h.  Generated from config.h.in by configure.  */
-/* config.h.in.  Generated from configure.in by autoheader.  */
-/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
-
-/*! \file */
-
-/***
- *** This file is not to be included by any public header files, because
- *** it does not get installed.
- ***/
-
-/** define on DEC OSF to enable 4.4BSD style sa_len support */
-/* #undef _SOCKADDR_LEN */
-
-/** define if your system needs pthread_init() before using pthreads */
-/* #undef NEED_PTHREAD_INIT */
-
-/** define if your system has sigwait() */
-#define HAVE_SIGWAIT 1
-
-/** define if sigwait() is the UnixWare flavor */
-/* #undef HAVE_UNIXWARE_SIGWAIT */
-
-/** define on Solaris to get sigwait() to work using pthreads semantics */
-/* #undef _POSIX_PTHREAD_SEMANTICS */
-
-/** define if LinuxThreads is in use */
-/* #undef HAVE_LINUXTHREADS */
-
-/** define if sysconf() is available */
-#define HAVE_SYSCONF 1
-
-/** define if sysctlbyname() is available */
-#define HAVE_SYSCTLBYNAME 1
-
-/** define if catgets() is available */
-#define HAVE_CATGETS 1
-
-/** define if getifaddrs() exists */
-#define HAVE_GETIFADDRS 1
-
-/** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
-#define HAVE_IFLIST_SYSCTL 1
-
-/** define if tzset() is available */
-#define HAVE_TZSET 1
-
-/** define if struct addrinfo exists */
-#define HAVE_ADDRINFO 1
-
-/** define if getaddrinfo() exists */
-#define HAVE_GETADDRINFO 1
-
-/** define if gai_strerror() exists */
-#define HAVE_GAISTRERROR 1
-
-/** define if arc4random() exists */
-#define HAVE_ARC4RANDOM 1
-
-/**
- * define if pthread_setconcurrency() should be called to tell the
- * OS how many threads we might want to run.
- */
-/* #undef CALL_PTHREAD_SETCONCURRENCY */
-
-/** define if IPv6 is not disabled */
-/* #undef WANT_IPV6 */
-
-/** define if flockfile() is available */
-#define HAVE_FLOCKFILE 1
-
-/** define if getc_unlocked() is available */
-#define HAVE_GETCUNLOCKED 1
-
-/** Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
-/* #undef SHUTUP_SPUTAUX */
-#ifdef SHUTUP_SPUTAUX
-struct __sFILE;
-extern __inline int __sputaux(int _c, struct __sFILE *_p);
-#endif
-
-/** Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
-/* #undef SHUTUP_SIGWAIT */
-#ifdef SHUTUP_SIGWAIT
-int sigwait(const unsigned int *set, int *sig);
-#endif
-
-/** Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
-/* #undef SHUTUP_STDARG_CAST */
-#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
-#include <stdarg.h>		/** Grr.  Must be included *every time*. */
-/**
- * The silly continuation line is to keep configure from
- * commenting out the #undef.
- */
-
-#undef \
-	va_start
-#define	va_start(ap, last) \
-	do { \
-		union { const void *konst; long *var; } _u; \
-		_u.konst = &(last); \
-		ap = (va_list)(_u.var + __va_words(__typeof(last))); \
-	} while (0)
-#endif /** SHUTUP_STDARG_CAST && __GNUC__ */
-
-/** define if the system has a random number generating device */
-#define PATH_RANDOMDEV "/dev/random"
-
-/** define if pthread_attr_getstacksize() is available */
-#define HAVE_PTHREAD_ATTR_GETSTACKSIZE 1
-
-/** define if pthread_attr_setstacksize() is available */
-#define HAVE_PTHREAD_ATTR_SETSTACKSIZE 1
-
-/** define if you have strerror in the C library. */
-#define HAVE_STRERROR 1
-
-/** Define if you are running under Compaq TruCluster. */
-/* #undef HAVE_TRUCLUSTER */
-
-/* Define if OpenSSL includes DSA support */
-#define HAVE_OPENSSL_DSA 1
-
-/* Define if OpenSSL includes ECDSA support */
-#define HAVE_OPENSSL_ECDSA 1
-
-/* Define to the length type used by the socket API (socklen_t, size_t, int). */
-#define ISC_SOCKADDR_LEN_T socklen_t
-
-/* Define if threads need PTHREAD_SCOPE_SYSTEM */
-/* #undef NEED_PTHREAD_SCOPE_SYSTEM */
-
-/* Define if building universal (internal helper macro) */
-/* #undef AC_APPLE_UNIVERSAL_BUILD */
-
-/* Define to enable the "filter-aaaa-on-v4" option. */
-/* #undef ALLOW_FILTER_AAAA_ON_V4 */
-
-/* Define if recvmsg() does not meet all of the BSD socket API specifications.
-   */
-/* #undef BROKEN_RECVMSG */
-
-/* Define if you cannot bind() before connect() for TCP sockets. */
-/* #undef BROKEN_TCP_BIND_BEFORE_CONNECT */
-
-/* Define to enable "rrset-order fixed" syntax. */
-/* #undef DNS_RDATASET_FIXED */
-
-/* Define to enable rpz-nsdname rules. */
-/* #undef ENABLE_RPZ_NSDNAME */
-
-/* Define to enable rpz-nsip rules. */
-/* #undef ENABLE_RPZ_NSIP */
-
-/* Solaris hack to get select_large_fdset. */
-/* #undef FD_SETSIZE */
-
-/* Define to nothing if C supports flexible array members, and to 1 if it does
-   not. That way, with a declaration like `struct s { int n; double
-   d[FLEXIBLE_ARRAY_MEMBER]; };', the struct hack can be used with pre-C99
-   compilers. When computing the size of such an object, don't use 'sizeof
-   (struct s)' as it overestimates the size. Use 'offsetof (struct s, d)'
-   instead. Don't use 'offsetof (struct s, d[0])', as this doesn't work with
-   MSVC and with C++ compilers. */
-#define FLEXIBLE_ARRAY_MEMBER /**/
-
-/* Define to 1 if you have the `chroot' function. */
-#define HAVE_CHROOT 1
-
-/* Define to 1 if you have the <devpoll.h> header file. */
-/* #undef HAVE_DEVPOLL_H */
-
-/* Define to 1 if you have the `dlclose' function. */
-#define HAVE_DLCLOSE 1
-
-/* Define to 1 if you have the <dlfcn.h> header file. */
-#define HAVE_DLFCN_H 1
-
-/* Define to 1 if you have the `dlopen' function. */
-#define HAVE_DLOPEN 1
-
-/* Define to 1 if you have the `dlsym' function. */
-#define HAVE_DLSYM 1
-
-/* Define to 1 if you have the `EVP_sha256' function. */
-#define HAVE_EVP_SHA256 1
-
-/* Define to 1 if you have the `EVP_sha384' function. */
-#define HAVE_EVP_SHA384 1
-
-/* Define to 1 if you have the `EVP_sha512' function. */
-#define HAVE_EVP_SHA512 1
-
-/* Define to 1 if you have the <fcntl.h> header file. */
-#define HAVE_FCNTL_H 1
-
-/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
-/* #undef HAVE_GSSAPI_GSSAPI_H */
-
-/* Define to 1 if you have the <gssapi/gssapi_krb5.h> header file. */
-/* #undef HAVE_GSSAPI_GSSAPI_KRB5_H */
-
-/* Define to 1 if you have the <gssapi.h> header file. */
-/* #undef HAVE_GSSAPI_H */
-
-/* Define to 1 if you have the <gssapi_krb5.h> header file. */
-/* #undef HAVE_GSSAPI_KRB5_H */
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#define HAVE_INTTYPES_H 1
-
-/* Define to 1 if you have the <kerberosv5/krb5.h> header file. */
-/* #undef HAVE_KERBEROSV5_KRB5_H */
-
-/* Define to 1 if you have the <krb5.h> header file. */
-/* #undef HAVE_KRB5_H */
-
-/* Define to 1 if you have the <krb5/krb5.h> header file. */
-/* #undef HAVE_KRB5_KRB5_H */
-
-/* Define to 1 if you have the `c' library (-lc). */
-/* #undef HAVE_LIBC */
-
-/* Define to 1 if you have the `cap' library (-lcap). */
-/* #undef HAVE_LIBCAP */
-
-/* if system have backtrace function */
-/* #undef HAVE_LIBCTRACE */
-
-/* Define to 1 if you have the `c_r' library (-lc_r). */
-/* #undef HAVE_LIBC_R */
-
-/* Define to 1 if you have the `nsl' library (-lnsl). */
-/* #undef HAVE_LIBNSL */
-
-/* Define to 1 if you have the `pthread' library (-lpthread). */
-/* #undef HAVE_LIBPTHREAD */
-
-/* Define to 1 if you have the `scf' library (-lscf). */
-/* #undef HAVE_LIBSCF */
-
-/* Define to 1 if you have the `socket' library (-lsocket). */
-/* #undef HAVE_LIBSOCKET */
-
-/* Define to 1 if you have the `thr' library (-lthr). */
-/* #undef HAVE_LIBTHR */
-
-/* Define if libxml2 was found */
-/* #undef HAVE_LIBXML2 */
-
-/* Define to 1 if you have the <linux/capability.h> header file. */
-/* #undef HAVE_LINUX_CAPABILITY_H */
-
-/* Define to 1 if you have the <locale.h> header file. */
-#define HAVE_LOCALE_H 1
-
-/* Define to 1 if you have the <memory.h> header file. */
-#define HAVE_MEMORY_H 1
-
-/* Define to 1 if you have the `nanosleep' function. */
-#define HAVE_NANOSLEEP 1
-
-/* Define to 1 if you have the <net/if6.h> header file. */
-/* #undef HAVE_NET_IF6_H */
-
-/* Define if your OpenSSL version supports ECDSA. */
-#define HAVE_OPENSSL_ECDSA 1
-
-/* Define if your OpenSSL version supports GOST. */
-/* #undef HAVE_OPENSSL_GOST */
-
-/* Define to 1 if you have the `readline' function. */
-#define HAVE_READLINE 1
- 
-/* Define to 1 if you have the <regex.h> header file. */
-#define HAVE_REGEX_H 1
-
-/* Define to 1 if you have the `setegid' function. */
-#define HAVE_SETEGID 1
-
-/* Define to 1 if you have the `seteuid' function. */
-#define HAVE_SETEUID 1
-
-/* Define to 1 if you have the `setlocale' function. */
-#define HAVE_SETLOCALE 1
-
-/* Define to 1 if you have the `setresgid' function. */
-#define HAVE_SETRESGID 1
-
-/* Define to 1 if you have the `setresuid' function. */
-#define HAVE_SETRESUID 1
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#define HAVE_STDINT_H 1
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#define HAVE_STDLIB_H 1
-
-/* Define to 1 if you have the <strings.h> header file. */
-#define HAVE_STRINGS_H 1
-
-/* Define to 1 if you have the <string.h> header file. */
-#define HAVE_STRING_H 1
-
-/* Define to 1 if you have the <sys/capability.h> header file. */
-/* #undef HAVE_SYS_CAPABILITY_H */
-
-/* Define to 1 if you have the <sys/devpoll.h> header file. */
-/* #undef HAVE_SYS_DEVPOLL_H */
-
-/* Define to 1 if you have the <sys/dyntune.h> header file. */
-/* #undef HAVE_SYS_DYNTUNE_H */
-
-/* Define to 1 if you have the <sys/param.h> header file. */
-#define HAVE_SYS_PARAM_H 1
-
-/* Define to 1 if you have the <sys/prctl.h> header file. */
-/* #undef HAVE_SYS_PRCTL_H */
-
-/* Define to 1 if you have the <sys/select.h> header file. */
-#define HAVE_SYS_SELECT_H 1
-
-/* Define to 1 if you have the <sys/sockio.h> header file. */
-#define HAVE_SYS_SOCKIO_H 1
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#define HAVE_SYS_STAT_H 1
-
-/* Define to 1 if you have the <sys/sysctl.h> header file. */
-#define HAVE_SYS_SYSCTL_H 1
-
-/* Define to 1 if you have the <sys/time.h> header file. */
-#define HAVE_SYS_TIME_H 1
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#define HAVE_SYS_TYPES_H 1
-
-/* Define to 1 if you have the <sys/un.h> header file. */
-#define HAVE_SYS_UN_H 1
-
-/* Define if running under Compaq TruCluster */
-/* #undef HAVE_TRUCLUSTER */
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#define HAVE_UNISTD_H 1
-
-/* Define to 1 if you have the `usleep' function. */
-#define HAVE_USLEEP 1
-
-/* return type of gai_strerror */
-#define IRS_GAISTRERROR_RETURN_T const char *
-
-/* Define to the buffer length type used by getnameinfo(3). */
-#define IRS_GETNAMEINFO_BUFLEN_T size_t
-
-/* Define to the flags type used by getnameinfo(3). */
-#define IRS_GETNAMEINFO_FLAGS_T int
-
-/* Define to allow building of objects for dlopen(). */
-#define ISC_DLZ_DLOPEN 1
-
-/* Define to the sub-directory in which libtool stores uninstalled libraries.
-   */
-#define LT_OBJDIR ".libs/"
-
-/* Defined if extern char *optarg is not declared. */
-/* #undef NEED_OPTARG */
-
-/* Define if connect does not honour the permission on the UNIX domain socket.
-   */
-/* #undef NEED_SECURE_DIRECTORY */
-
-/* Use the new XML schema for statistics */
-/* #undef NEWSTATS */
-
-/* Define to the address where bug reports for this package should be sent. */
-#define PACKAGE_BUGREPORT ""
-
-/* Define to the full name of this package. */
-#define PACKAGE_NAME ""
-
-/* Define to the full name and version of this package. */
-#define PACKAGE_STRING ""
-
-/* Define to the one symbol short name of this package. */
-#define PACKAGE_TARNAME ""
-
-/* Define to the home page for this package. */
-#define PACKAGE_URL ""
-
-/* Define to the version of this package. */
-#define PACKAGE_VERSION ""
-
-/* Sets which flag to pass to open/fcntl to make non-blocking
-   (O_NDELAY/O_NONBLOCK). */
-#define PORT_NONBLOCK O_NONBLOCK
-
-/* The size of `void *', as computed by sizeof. */
-#define SIZEOF_VOID_P 8
-
-/* Define to 1 if you have the ANSI C header files. */
-#define STDC_HEADERS 1
-
-/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
-#define TIME_WITH_SYS_TIME 1
-
-/* Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make
-   non-blocking. */
-/* #undef USE_FIONBIO_IOCTL */
-
-/* define if idnkit support is to be included. */
-/* #undef WITH_IDN */
-
-/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
-   significant byte first (like Motorola and SPARC, unlike Intel). */
-#if defined AC_APPLE_UNIVERSAL_BUILD
-# if defined __BIG_ENDIAN__
-#  define WORDS_BIGENDIAN 1
-# endif
-#else
-# ifndef WORDS_BIGENDIAN
-/* #  undef WORDS_BIGENDIAN */
-# endif
-#endif
-
-/* Define to empty if `const' does not conform to ANSI C. */
-/* #undef const */
-
-/* Define to empty if your compiler does not support "static inline". */
-#define inline /**/
-
-/* Define to `unsigned int' if <sys/types.h> does not define. */
-/* #undef size_t */
-
-/* Define to `int' if <sys/types.h> does not define. */
-/* #undef ssize_t */
-
-/* Define to `unsigned long' if <sys/types.h> does not define. */
-/* #undef uintptr_t */
-
-/* Define to empty if the keyword `volatile' does not work. Warning: valid
-   code using `volatile' can become incorrect without. Disable with care. */
-/* #undef volatile */
diff --git a/lib/bind/config.mk b/lib/bind/config.mk
deleted file mode 100644
index ebac59a..0000000
--- a/lib/bind/config.mk
+++ /dev/null
@@ -1,139 +0,0 @@
-# $FreeBSD$
-
-.include <bsd.own.mk>
-.include <bsd.endian.mk>
-
-# BIND version number
-.if defined(BIND_DIR) && exists(${BIND_DIR}/version)
-.include	"${BIND_DIR}/version"
-BIND_VERSION=	${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}
-CFLAGS+=	-DVERSION='"${BIND_VERSION}"'
-.endif
-
-CFLAGS+=	-DHAVE_CONFIG_H
-CFLAGS+=	-D_REENTRANT -D_THREAD_SAFE
-
-# Get version numbers (for libraries)
-.if defined(SRCDIR) && exists(${SRCDIR}/api)
-.include	"${SRCDIR}/api"
-CFLAGS+=	-DLIBINTERFACE=${LIBINTERFACE}
-CFLAGS+=	-DLIBREVISION=${LIBREVISION}
-CFLAGS+=	-DLIBAGE=${LIBAGE}
-.if ${MK_BIND_LIBS} != "no"
-SHLIB_MAJOR=	${LIBINTERFACE}
-SHLIB_MINOR=	${LIBINTERFACE}
-.else
-INTERNALLIB=
-.endif
-.endif
-
-# GSSAPI support is incomplete in 9.3.0
-#.if ${MK_KERBEROS} != "no"
-#CFLAGS+=	-DGSSAPI
-#.endif
-
-# Enable IPv6 support if available
-.if ${MK_INET6_SUPPORT} != "no"
-CFLAGS+=	-DWANT_IPV6
-.endif
-
-# Enable crypto if available
-.if ${MK_OPENSSL} != "no"
-CFLAGS+=	-DOPENSSL
-.endif
-
-# Enable MD5 - BIND has its own implementation
-CFLAGS+=	-DUSE_MD5
-
-# Endianness
-.if ${TARGET_ENDIANNESS} == 4321
-CFLAGS+=	-DWORDS_BIGENDIAN
-.endif
-
-# Default file locations
-LOCALSTATEDIR=	/var
-SYSCONFDIR=	/etc/namedb
-CFLAGS+=	-DNS_LOCALSTATEDIR='"${LOCALSTATEDIR}"'
-CFLAGS+=	-DNS_SYSCONFDIR='"${SYSCONFDIR}"'
-CFLAGS+=	-DNAMED_CONFFILE='"${SYSCONFDIR}/named.conf"'
-CFLAGS+=	-DRNDC_CONFFILE='"${SYSCONFDIR}/rndc.conf"'
-CFLAGS+=	-DRNDC_KEYFILE='"${SYSCONFDIR}/rndc.key"'
-
-# Add correct include path for config.h
-.if defined(LIB_BIND_DIR) && exists(${LIB_BIND_DIR}/config.h)
-CFLAGS+=	-I${LIB_BIND_DIR}
-.endif
-
-# Use the right version of the atomic.h file from lib/isc
-.if ${MACHINE_ARCH} == "amd64" || ${MACHINE_ARCH} == "i386"
-ISC_ATOMIC_ARCH=	x86_32
-.elif ${MACHINE_ARCH} == "ia64"
-ISC_ATOMIC_ARCH=	ia64
-.else
-ISC_ATOMIC_ARCH=	noatomic
-.endif
-
-# Optional features
-.if ${MK_BIND_LARGE_FILE} == "yes"
-CFLAGS+=	-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-.endif
-.if ${MK_BIND_SIGCHASE} == "yes"
-CFLAGS+=	-DDIG_SIGCHASE
-.endif
-
-# Link against BIND libraries
-.if ${MK_BIND_LIBS} == "no"
-LIBBIND9=	${LIB_BIND_REL}/bind9/libbind9.a
-CFLAGS+=	-I${BIND_DIR}/lib/bind9/include
-LIBDNS=		${LIB_BIND_REL}/dns/libdns.a
-CFLAGS+=	-I${BIND_DIR}/lib/dns/include/dst \
-		-I${BIND_DIR}/lib/dns/include \
-		-I${LIB_BIND_DIR}/dns
-LIBISCCC=	${LIB_BIND_REL}/isccc/libisccc.a
-CFLAGS+=	-I${BIND_DIR}/lib/isccc/include
-LIBISCCFG=	${LIB_BIND_REL}/isccfg/libisccfg.a
-CFLAGS+=	-I${BIND_DIR}/lib/isccfg/include
-LIBISC=		${LIB_BIND_REL}/isc/libisc.a
-CFLAGS+=	-I${BIND_DIR}/lib/isc/unix/include \
-		-I${BIND_DIR}/lib/isc/pthreads/include \
-		-I${BIND_DIR}/lib/isc/include \
-		-I${LIB_BIND_DIR}/isc
-LIBLWRES=	${LIB_BIND_REL}/lwres/liblwres.a
-CFLAGS+=	-I${BIND_DIR}/lib/lwres/unix/include \
-		-I${BIND_DIR}/lib/lwres/include \
-		-I${LIB_BIND_DIR}/lwres
-.endif
-BIND_DPADD=	${LIBBIND9} ${LIBDNS} ${LIBISCCC} ${LIBISCCFG} \
-		${LIBISC} ${LIBLWRES}
-.if ${MK_BIND_LIBS} != "no"
-BIND_LDADD=	-lbind9 -ldns -lisccc -lisccfg -lisc -llwres
-CFLAGS+=	-I${BIND_DIR}/lib/isc/include
-CFLAGS+=	-I${BIND_DIR}/lib/isc/unix/include
-CFLAGS+=	-I${BIND_DIR}/lib/isc/pthreads/include
-CFLAGS+=	-I${.CURDIR}/../dns
-CFLAGS+=	-I${BIND_DIR}/lib/dns/include
-CFLAGS+=	-I${BIND_DIR}/lib/isccfg/include
-CFLAGS+=	-I${.CURDIR}/../isc
-.else
-BIND_LDADD=	${BIND_DPADD}
-.endif
-
-# Link against crypto library
-.if ${MK_OPENSSL} != "no"
-CRYPTO_DPADD=	${LIBCRYPTO}
-CRYPTO_LDADD=	-lcrypto
-.endif
-
-.if ${MK_BIND_XML} == "yes"
-CFLAGS+=	-DHAVE_LIBXML2
-CFLAGS+=	-I/usr/local/include -I/usr/local/include/libxml2
-.if ${MK_BIND_LIBS} != "no"
-BIND_LDADD+=	-L/usr/local/lib -lxml2 -lz -liconv -lm
-.else
-BIND_DPADD+=	/usr/local/lib/libxml2.a ${LIBZ} 
-BIND_DPADD+=	/usr/local/lib/libiconv.a ${LIBM}
-.endif
-.endif
-
-PTHREAD_DPADD=	${LIBPTHREAD}
-PTHREAD_LDADD=	-lpthread
diff --git a/lib/bind/dns/Makefile b/lib/bind/dns/Makefile
deleted file mode 100644
index 01925b7..0000000
--- a/lib/bind/dns/Makefile
+++ /dev/null
@@ -1,159 +0,0 @@
-# $FreeBSD$
-
-.include <bsd.own.mk>
-
-BIND_DIR=	${.CURDIR}/../../../contrib/bind9
-LIB_BIND_REL=	..
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/lib/dns
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-LIB=		dns
-
-.PATH:		${SRCDIR}
-SRCS+=		acache.c acl.c adb.c byaddr.c \
-		cache.c callbacks.c clientinfo.c compress.c \
-		db.c dbiterator.c dbtable.c diff.c dispatch.c \
-		dlz.c dns64.c dnssec.c ds.c \
-		dst_api.c dst_lib.c dst_parse.c dst_result.c \
-		forward.c \
-		gssapi_link.c gssapictx.c hmac_link.c \
-		iptable.c journal.c \
-		key.c \
-		keydata.c keytable.c lib.c log.c lookup.c \
-		master.c masterdump.c message.c \
-		name.c ncache.c nsec.c nsec3.c \
-		openssl_link.c openssldh_link.c \
-		openssldsa_link.c opensslgost_link.c opensslrsa_link.c \
-		opensslecdsa_link.c \
-		order.c peer.c portlist.c private.c \
-		rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
-		rdataset.c rdatasetiter.c rdataslab.c request.c \
-		resolver.c result.c rootns.c rpz.c rriterator.c \
-		sdb.c sdlz.c soa.c ssu.c ssu_external.c \
-		stats.c tcpmsg.c time.c timer.c tkey.c \
-		tsec.c tsig.c ttl.c update.c validator.c \
-		version.c view.c xfrin.c zone.c zonekey.c zt.c
-
-CFLAGS+=	-I${SRCDIR}/include/dst -I${SRCDIR}/include -I${SRCDIR}
-CFLAGS+=	-I${.CURDIR}
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-
-DPADD=		${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD=		${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-.if ${MK_BIND_LIBS} != "no"
-DNSINCS=	${SRCDIR}/include/dns/acache.h \
-		${SRCDIR}/include/dns/acl.h \
-		${SRCDIR}/include/dns/adb.h \
-		${SRCDIR}/include/dns/bit.h \
-		${SRCDIR}/include/dns/byaddr.h \
-		${SRCDIR}/include/dns/cache.h \
-		${SRCDIR}/include/dns/callbacks.h \
-		${SRCDIR}/include/dns/cert.h \
-		${SRCDIR}/include/dns/clientinfo.h \
-		${SRCDIR}/include/dns/compress.h \
-		${SRCDIR}/include/dns/db.h \
-		${SRCDIR}/include/dns/dbiterator.h \
-		${SRCDIR}/include/dns/dbtable.h \
-		${SRCDIR}/include/dns/diff.h \
-		${SRCDIR}/include/dns/dispatch.h \
-		${SRCDIR}/include/dns/dlz.h \
-		${SRCDIR}/include/dns/dnssec.h \
-		${SRCDIR}/include/dns/ds.h \
-		${SRCDIR}/include/dns/events.h \
-		${SRCDIR}/include/dns/fixedname.h \
-		${SRCDIR}/include/dns/forward.h \
-		${SRCDIR}/include/dns/iptable.h \
-		${SRCDIR}/include/dns/journal.h \
-		${SRCDIR}/include/dns/keyflags.h \
-		${SRCDIR}/include/dns/keytable.h \
-		${SRCDIR}/include/dns/keyvalues.h \
-		${SRCDIR}/include/dns/lib.h \
-		${SRCDIR}/include/dns/log.h \
-		${SRCDIR}/include/dns/lookup.h \
-		${SRCDIR}/include/dns/master.h \
-		${SRCDIR}/include/dns/masterdump.h \
-		${SRCDIR}/include/dns/message.h \
-		${SRCDIR}/include/dns/name.h \
-		${SRCDIR}/include/dns/ncache.h \
-		${SRCDIR}/include/dns/nsec.h \
-		${SRCDIR}/include/dns/nsec3.h \
-		${SRCDIR}/include/dns/opcode.h \
-		${SRCDIR}/include/dns/order.h \
-		${SRCDIR}/include/dns/peer.h \
-		${SRCDIR}/include/dns/portlist.h \
-		${SRCDIR}/include/dns/private.h \
-		${SRCDIR}/include/dns/rbt.h \
-		${SRCDIR}/include/dns/rcode.h \
-		${SRCDIR}/include/dns/rdata.h \
-		${SRCDIR}/include/dns/rdatasetiter.h \
-		${SRCDIR}/include/dns/rdataclass.h \
-		${SRCDIR}/include/dns/rdatalist.h \
-		${SRCDIR}/include/dns/rdataset.h \
-		${SRCDIR}/include/dns/rdataslab.h \
-		${SRCDIR}/include/dns/rdatatype.h \
-		${SRCDIR}/include/dns/request.h \
-		${SRCDIR}/include/dns/resolver.h \
-		${SRCDIR}/include/dns/result.h \
-		${SRCDIR}/include/dns/rootns.h \
-		${SRCDIR}/include/dns/sdb.h \
-		${SRCDIR}/include/dns/sdlz.h \
-		${SRCDIR}/include/dns/secalg.h \
-		${SRCDIR}/include/dns/secproto.h \
-		${SRCDIR}/include/dns/soa.h \
-		${SRCDIR}/include/dns/ssu.h \
-		${SRCDIR}/include/dns/stats.h \
-		${SRCDIR}/include/dns/tcpmsg.h \
-		${SRCDIR}/include/dns/time.h \
-		${SRCDIR}/include/dns/timer.h \
-		${SRCDIR}/include/dns/tkey.h \
-		${SRCDIR}/include/dns/tsig.h \
-		${SRCDIR}/include/dns/ttl.h \
-		${SRCDIR}/include/dns/types.h \
-		${SRCDIR}/include/dns/update.h \
-		${SRCDIR}/include/dns/validator.h \
-		${SRCDIR}/include/dns/version.h \
-		${SRCDIR}/include/dns/view.h \
-		${SRCDIR}/include/dns/xfrin.h \
-		${SRCDIR}/include/dns/zone.h \
-		${SRCDIR}/include/dns/zonekey.h \
-		${SRCDIR}/include/dns/zt.h \
-		dns/enumtype.h \
-		dns/enumclass.h \
-		dns/rdatastruct.h
-
-DNSINCSDIR=	${INCLUDEDIR}/dns
-
-DSTINCS=	${SRCDIR}/include/dst/dst.h \
-		${SRCDIR}/include/dst/gssapi.h \
-		${SRCDIR}/include/dst/lib.h \
-		${SRCDIR}/include/dst/result.h
-
-DSTINCSDIR=	${INCLUDEDIR}/dst
-
-INCSGROUPS=	DNSINCS DSTINCS
-.endif
-
-.if defined(MAINTAINER_MODE)
-generate: ${.CURDIR}/dns/enumtype.h ${.CURDIR}/dns/enumclass.h \
-	${.CURDIR}/dns/rdatastruct.h ${.CURDIR}/code.h
-
-gen: ${SRCDIR}/gen.c
-
-${.CURDIR}/dns/enumtype.h: gen
-	(cd ${SRCDIR} && ${.OBJDIR}/gen -t) >${.TARGET}
-
-${.CURDIR}/dns/enumclass.h: gen
-	(cd ${SRCDIR} && ${.OBJDIR}/gen -c) >${.TARGET}
-
-${.CURDIR}/dns/rdatastruct.h: gen
-	(cd ${SRCDIR} && ${.OBJDIR}/gen -i -P rdata/rdatastructpre.h \
-	    -S rdata/rdatastructsuf.h) >${.TARGET}
-
-${.CURDIR}/code.h: gen
-	(cd ${SRCDIR} && ${.OBJDIR}/gen) >${.TARGET}
-.endif
-
-.include <bsd.lib.mk>
diff --git a/lib/bind/dns/code.h b/lib/bind/dns/code.h
deleted file mode 100644
index 4626017..0000000
--- a/lib/bind/dns/code.h
+++ /dev/null
@@ -1,1990 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/***************
- ***************
- ***************   THIS FILE IS AUTOMATICALLY GENERATED BY gen.c.
- ***************   DO NOT EDIT!
- ***************
- ***************/
-
-/*! \file */
-
-#ifndef DNS_CODE_H
-#define DNS_CODE_H 1
-
-#include <isc/boolean.h>
-#include <isc/result.h>
-
-#include <dns/name.h>
-
-#include "rdata/in_1/a_1.c"
-#include "rdata/ch_3/a_1.c"
-#include "rdata/hs_4/a_1.c"
-#include "rdata/generic/ns_2.c"
-#include "rdata/generic/md_3.c"
-#include "rdata/generic/mf_4.c"
-#include "rdata/generic/cname_5.c"
-#include "rdata/generic/soa_6.c"
-#include "rdata/generic/mb_7.c"
-#include "rdata/generic/mg_8.c"
-#include "rdata/generic/mr_9.c"
-#include "rdata/generic/null_10.c"
-#include "rdata/in_1/wks_11.c"
-#include "rdata/generic/ptr_12.c"
-#include "rdata/generic/hinfo_13.c"
-#include "rdata/generic/minfo_14.c"
-#include "rdata/generic/mx_15.c"
-#include "rdata/generic/txt_16.c"
-#include "rdata/generic/rp_17.c"
-#include "rdata/generic/afsdb_18.c"
-#include "rdata/generic/x25_19.c"
-#include "rdata/generic/isdn_20.c"
-#include "rdata/generic/rt_21.c"
-#include "rdata/in_1/nsap_22.c"
-#include "rdata/in_1/nsap-ptr_23.c"
-#include "rdata/generic/sig_24.c"
-#include "rdata/generic/key_25.c"
-#include "rdata/in_1/px_26.c"
-#include "rdata/generic/gpos_27.c"
-#include "rdata/in_1/aaaa_28.c"
-#include "rdata/generic/loc_29.c"
-#include "rdata/generic/nxt_30.c"
-#include "rdata/in_1/srv_33.c"
-#include "rdata/generic/naptr_35.c"
-#include "rdata/in_1/kx_36.c"
-#include "rdata/generic/cert_37.c"
-#include "rdata/in_1/a6_38.c"
-#include "rdata/generic/dname_39.c"
-#include "rdata/generic/opt_41.c"
-#include "rdata/in_1/apl_42.c"
-#include "rdata/generic/ds_43.c"
-#include "rdata/generic/sshfp_44.c"
-#include "rdata/generic/ipseckey_45.c"
-#include "rdata/generic/rrsig_46.c"
-#include "rdata/generic/nsec_47.c"
-#include "rdata/generic/dnskey_48.c"
-#include "rdata/in_1/dhcid_49.c"
-#include "rdata/generic/nsec3_50.c"
-#include "rdata/generic/nsec3param_51.c"
-#include "rdata/generic/tlsa_52.c"
-#include "rdata/generic/hip_55.c"
-#include "rdata/generic/spf_99.c"
-#include "rdata/generic/unspec_103.c"
-#include "rdata/generic/nid_104.c"
-#include "rdata/generic/l32_105.c"
-#include "rdata/generic/l64_106.c"
-#include "rdata/generic/lp_107.c"
-#include "rdata/generic/eui48_108.c"
-#include "rdata/generic/eui64_109.c"
-#include "rdata/generic/tkey_249.c"
-#include "rdata/any_255/tsig_250.c"
-#include "rdata/generic/uri_256.c"
-#include "rdata/generic/dlv_32769.c"
-#include "rdata/generic/keydata_65533.c"
-
-
-
-#define FROMTEXTSWITCH \
-	switch (type) { \
-	case 1: switch (rdclass) { \
-		case 1: result = fromtext_in_a(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		case 3: result = fromtext_ch_a(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		case 4: result = fromtext_hs_a(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 2: result = fromtext_ns(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 3: result = fromtext_md(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 4: result = fromtext_mf(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 5: result = fromtext_cname(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 6: result = fromtext_soa(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 7: result = fromtext_mb(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 8: result = fromtext_mg(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 9: result = fromtext_mr(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 10: result = fromtext_null(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 11: switch (rdclass) { \
-		case 1: result = fromtext_in_wks(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 12: result = fromtext_ptr(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 13: result = fromtext_hinfo(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 14: result = fromtext_minfo(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 15: result = fromtext_mx(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 16: result = fromtext_txt(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 17: result = fromtext_rp(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 18: result = fromtext_afsdb(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 19: result = fromtext_x25(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 20: result = fromtext_isdn(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 21: result = fromtext_rt(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 22: switch (rdclass) { \
-		case 1: result = fromtext_in_nsap(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 23: switch (rdclass) { \
-		case 1: result = fromtext_in_nsap_ptr(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 24: result = fromtext_sig(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 25: result = fromtext_key(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 26: switch (rdclass) { \
-		case 1: result = fromtext_in_px(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 27: result = fromtext_gpos(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 28: switch (rdclass) { \
-		case 1: result = fromtext_in_aaaa(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 29: result = fromtext_loc(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 30: result = fromtext_nxt(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 33: switch (rdclass) { \
-		case 1: result = fromtext_in_srv(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 35: result = fromtext_naptr(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 36: switch (rdclass) { \
-		case 1: result = fromtext_in_kx(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 37: result = fromtext_cert(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 38: switch (rdclass) { \
-		case 1: result = fromtext_in_a6(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 39: result = fromtext_dname(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 41: result = fromtext_opt(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 42: switch (rdclass) { \
-		case 1: result = fromtext_in_apl(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 43: result = fromtext_ds(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 44: result = fromtext_sshfp(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 45: result = fromtext_ipseckey(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 46: result = fromtext_rrsig(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 47: result = fromtext_nsec(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 48: result = fromtext_dnskey(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 49: switch (rdclass) { \
-		case 1: result = fromtext_in_dhcid(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 50: result = fromtext_nsec3(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 51: result = fromtext_nsec3param(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 52: result = fromtext_tlsa(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 55: result = fromtext_hip(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 99: result = fromtext_spf(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 103: result = fromtext_unspec(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 104: result = fromtext_nid(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 105: result = fromtext_l32(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 106: result = fromtext_l64(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 107: result = fromtext_lp(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 108: result = fromtext_eui48(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 109: result = fromtext_eui64(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 249: result = fromtext_tkey(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 250: switch (rdclass) { \
-		case 255: result = fromtext_any_tsig(rdclass, type, lexer, origin, options, target, callbacks); break; \
-		default: result = DNS_R_UNKNOWN; break; \
-		} \
-		break; \
-	case 256: result = fromtext_uri(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 32769: result = fromtext_dlv(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	case 65533: result = fromtext_keydata(rdclass, type, lexer, origin, options, target, callbacks); break; \
-	default: result = DNS_R_UNKNOWN; break; \
-	}
-
-#define TOTEXTSWITCH \
-	switch (rdata->type) { \
-	case 1: switch (rdata->rdclass) { \
-		case 1: result = totext_in_a(rdata, tctx, target); break; \
-		case 3: result = totext_ch_a(rdata, tctx, target); break; \
-		case 4: result = totext_hs_a(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = totext_ns(rdata, tctx, target); break; \
-	case 3: result = totext_md(rdata, tctx, target); break; \
-	case 4: result = totext_mf(rdata, tctx, target); break; \
-	case 5: result = totext_cname(rdata, tctx, target); break; \
-	case 6: result = totext_soa(rdata, tctx, target); break; \
-	case 7: result = totext_mb(rdata, tctx, target); break; \
-	case 8: result = totext_mg(rdata, tctx, target); break; \
-	case 9: result = totext_mr(rdata, tctx, target); break; \
-	case 10: result = totext_null(rdata, tctx, target); break; \
-	case 11: switch (rdata->rdclass) { \
-		case 1: result = totext_in_wks(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = totext_ptr(rdata, tctx, target); break; \
-	case 13: result = totext_hinfo(rdata, tctx, target); break; \
-	case 14: result = totext_minfo(rdata, tctx, target); break; \
-	case 15: result = totext_mx(rdata, tctx, target); break; \
-	case 16: result = totext_txt(rdata, tctx, target); break; \
-	case 17: result = totext_rp(rdata, tctx, target); break; \
-	case 18: result = totext_afsdb(rdata, tctx, target); break; \
-	case 19: result = totext_x25(rdata, tctx, target); break; \
-	case 20: result = totext_isdn(rdata, tctx, target); break; \
-	case 21: result = totext_rt(rdata, tctx, target); break; \
-	case 22: switch (rdata->rdclass) { \
-		case 1: result = totext_in_nsap(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdata->rdclass) { \
-		case 1: result = totext_in_nsap_ptr(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = totext_sig(rdata, tctx, target); break; \
-	case 25: result = totext_key(rdata, tctx, target); break; \
-	case 26: switch (rdata->rdclass) { \
-		case 1: result = totext_in_px(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = totext_gpos(rdata, tctx, target); break; \
-	case 28: switch (rdata->rdclass) { \
-		case 1: result = totext_in_aaaa(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = totext_loc(rdata, tctx, target); break; \
-	case 30: result = totext_nxt(rdata, tctx, target); break; \
-	case 33: switch (rdata->rdclass) { \
-		case 1: result = totext_in_srv(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = totext_naptr(rdata, tctx, target); break; \
-	case 36: switch (rdata->rdclass) { \
-		case 1: result = totext_in_kx(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = totext_cert(rdata, tctx, target); break; \
-	case 38: switch (rdata->rdclass) { \
-		case 1: result = totext_in_a6(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = totext_dname(rdata, tctx, target); break; \
-	case 41: result = totext_opt(rdata, tctx, target); break; \
-	case 42: switch (rdata->rdclass) { \
-		case 1: result = totext_in_apl(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = totext_ds(rdata, tctx, target); break; \
-	case 44: result = totext_sshfp(rdata, tctx, target); break; \
-	case 45: result = totext_ipseckey(rdata, tctx, target); break; \
-	case 46: result = totext_rrsig(rdata, tctx, target); break; \
-	case 47: result = totext_nsec(rdata, tctx, target); break; \
-	case 48: result = totext_dnskey(rdata, tctx, target); break; \
-	case 49: switch (rdata->rdclass) { \
-		case 1: result = totext_in_dhcid(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = totext_nsec3(rdata, tctx, target); break; \
-	case 51: result = totext_nsec3param(rdata, tctx, target); break; \
-	case 52: result = totext_tlsa(rdata, tctx, target); break; \
-	case 55: result = totext_hip(rdata, tctx, target); break; \
-	case 99: result = totext_spf(rdata, tctx, target); break; \
-	case 103: result = totext_unspec(rdata, tctx, target); break; \
-	case 104: result = totext_nid(rdata, tctx, target); break; \
-	case 105: result = totext_l32(rdata, tctx, target); break; \
-	case 106: result = totext_l64(rdata, tctx, target); break; \
-	case 107: result = totext_lp(rdata, tctx, target); break; \
-	case 108: result = totext_eui48(rdata, tctx, target); break; \
-	case 109: result = totext_eui64(rdata, tctx, target); break; \
-	case 249: result = totext_tkey(rdata, tctx, target); break; \
-	case 250: switch (rdata->rdclass) { \
-		case 255: result = totext_any_tsig(rdata, tctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = totext_uri(rdata, tctx, target); break; \
-	case 32769: result = totext_dlv(rdata, tctx, target); break; \
-	case 65533: result = totext_keydata(rdata, tctx, target); break; \
-	default: use_default = ISC_TRUE; break; \
-	}
-
-#define FROMWIRESWITCH \
-	switch (type) { \
-	case 1: switch (rdclass) { \
-		case 1: result = fromwire_in_a(rdclass, type, source, dctx, options, target); break; \
-		case 3: result = fromwire_ch_a(rdclass, type, source, dctx, options, target); break; \
-		case 4: result = fromwire_hs_a(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = fromwire_ns(rdclass, type, source, dctx, options, target); break; \
-	case 3: result = fromwire_md(rdclass, type, source, dctx, options, target); break; \
-	case 4: result = fromwire_mf(rdclass, type, source, dctx, options, target); break; \
-	case 5: result = fromwire_cname(rdclass, type, source, dctx, options, target); break; \
-	case 6: result = fromwire_soa(rdclass, type, source, dctx, options, target); break; \
-	case 7: result = fromwire_mb(rdclass, type, source, dctx, options, target); break; \
-	case 8: result = fromwire_mg(rdclass, type, source, dctx, options, target); break; \
-	case 9: result = fromwire_mr(rdclass, type, source, dctx, options, target); break; \
-	case 10: result = fromwire_null(rdclass, type, source, dctx, options, target); break; \
-	case 11: switch (rdclass) { \
-		case 1: result = fromwire_in_wks(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = fromwire_ptr(rdclass, type, source, dctx, options, target); break; \
-	case 13: result = fromwire_hinfo(rdclass, type, source, dctx, options, target); break; \
-	case 14: result = fromwire_minfo(rdclass, type, source, dctx, options, target); break; \
-	case 15: result = fromwire_mx(rdclass, type, source, dctx, options, target); break; \
-	case 16: result = fromwire_txt(rdclass, type, source, dctx, options, target); break; \
-	case 17: result = fromwire_rp(rdclass, type, source, dctx, options, target); break; \
-	case 18: result = fromwire_afsdb(rdclass, type, source, dctx, options, target); break; \
-	case 19: result = fromwire_x25(rdclass, type, source, dctx, options, target); break; \
-	case 20: result = fromwire_isdn(rdclass, type, source, dctx, options, target); break; \
-	case 21: result = fromwire_rt(rdclass, type, source, dctx, options, target); break; \
-	case 22: switch (rdclass) { \
-		case 1: result = fromwire_in_nsap(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdclass) { \
-		case 1: result = fromwire_in_nsap_ptr(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = fromwire_sig(rdclass, type, source, dctx, options, target); break; \
-	case 25: result = fromwire_key(rdclass, type, source, dctx, options, target); break; \
-	case 26: switch (rdclass) { \
-		case 1: result = fromwire_in_px(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = fromwire_gpos(rdclass, type, source, dctx, options, target); break; \
-	case 28: switch (rdclass) { \
-		case 1: result = fromwire_in_aaaa(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = fromwire_loc(rdclass, type, source, dctx, options, target); break; \
-	case 30: result = fromwire_nxt(rdclass, type, source, dctx, options, target); break; \
-	case 33: switch (rdclass) { \
-		case 1: result = fromwire_in_srv(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = fromwire_naptr(rdclass, type, source, dctx, options, target); break; \
-	case 36: switch (rdclass) { \
-		case 1: result = fromwire_in_kx(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = fromwire_cert(rdclass, type, source, dctx, options, target); break; \
-	case 38: switch (rdclass) { \
-		case 1: result = fromwire_in_a6(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = fromwire_dname(rdclass, type, source, dctx, options, target); break; \
-	case 41: result = fromwire_opt(rdclass, type, source, dctx, options, target); break; \
-	case 42: switch (rdclass) { \
-		case 1: result = fromwire_in_apl(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = fromwire_ds(rdclass, type, source, dctx, options, target); break; \
-	case 44: result = fromwire_sshfp(rdclass, type, source, dctx, options, target); break; \
-	case 45: result = fromwire_ipseckey(rdclass, type, source, dctx, options, target); break; \
-	case 46: result = fromwire_rrsig(rdclass, type, source, dctx, options, target); break; \
-	case 47: result = fromwire_nsec(rdclass, type, source, dctx, options, target); break; \
-	case 48: result = fromwire_dnskey(rdclass, type, source, dctx, options, target); break; \
-	case 49: switch (rdclass) { \
-		case 1: result = fromwire_in_dhcid(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = fromwire_nsec3(rdclass, type, source, dctx, options, target); break; \
-	case 51: result = fromwire_nsec3param(rdclass, type, source, dctx, options, target); break; \
-	case 52: result = fromwire_tlsa(rdclass, type, source, dctx, options, target); break; \
-	case 55: result = fromwire_hip(rdclass, type, source, dctx, options, target); break; \
-	case 99: result = fromwire_spf(rdclass, type, source, dctx, options, target); break; \
-	case 103: result = fromwire_unspec(rdclass, type, source, dctx, options, target); break; \
-	case 104: result = fromwire_nid(rdclass, type, source, dctx, options, target); break; \
-	case 105: result = fromwire_l32(rdclass, type, source, dctx, options, target); break; \
-	case 106: result = fromwire_l64(rdclass, type, source, dctx, options, target); break; \
-	case 107: result = fromwire_lp(rdclass, type, source, dctx, options, target); break; \
-	case 108: result = fromwire_eui48(rdclass, type, source, dctx, options, target); break; \
-	case 109: result = fromwire_eui64(rdclass, type, source, dctx, options, target); break; \
-	case 249: result = fromwire_tkey(rdclass, type, source, dctx, options, target); break; \
-	case 250: switch (rdclass) { \
-		case 255: result = fromwire_any_tsig(rdclass, type, source, dctx, options, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = fromwire_uri(rdclass, type, source, dctx, options, target); break; \
-	case 32769: result = fromwire_dlv(rdclass, type, source, dctx, options, target); break; \
-	case 65533: result = fromwire_keydata(rdclass, type, source, dctx, options, target); break; \
-	default: use_default = ISC_TRUE; break; \
-	}
-
-#define TOWIRESWITCH \
-	switch (rdata->type) { \
-	case 1: switch (rdata->rdclass) { \
-		case 1: result = towire_in_a(rdata, cctx, target); break; \
-		case 3: result = towire_ch_a(rdata, cctx, target); break; \
-		case 4: result = towire_hs_a(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = towire_ns(rdata, cctx, target); break; \
-	case 3: result = towire_md(rdata, cctx, target); break; \
-	case 4: result = towire_mf(rdata, cctx, target); break; \
-	case 5: result = towire_cname(rdata, cctx, target); break; \
-	case 6: result = towire_soa(rdata, cctx, target); break; \
-	case 7: result = towire_mb(rdata, cctx, target); break; \
-	case 8: result = towire_mg(rdata, cctx, target); break; \
-	case 9: result = towire_mr(rdata, cctx, target); break; \
-	case 10: result = towire_null(rdata, cctx, target); break; \
-	case 11: switch (rdata->rdclass) { \
-		case 1: result = towire_in_wks(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = towire_ptr(rdata, cctx, target); break; \
-	case 13: result = towire_hinfo(rdata, cctx, target); break; \
-	case 14: result = towire_minfo(rdata, cctx, target); break; \
-	case 15: result = towire_mx(rdata, cctx, target); break; \
-	case 16: result = towire_txt(rdata, cctx, target); break; \
-	case 17: result = towire_rp(rdata, cctx, target); break; \
-	case 18: result = towire_afsdb(rdata, cctx, target); break; \
-	case 19: result = towire_x25(rdata, cctx, target); break; \
-	case 20: result = towire_isdn(rdata, cctx, target); break; \
-	case 21: result = towire_rt(rdata, cctx, target); break; \
-	case 22: switch (rdata->rdclass) { \
-		case 1: result = towire_in_nsap(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdata->rdclass) { \
-		case 1: result = towire_in_nsap_ptr(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = towire_sig(rdata, cctx, target); break; \
-	case 25: result = towire_key(rdata, cctx, target); break; \
-	case 26: switch (rdata->rdclass) { \
-		case 1: result = towire_in_px(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = towire_gpos(rdata, cctx, target); break; \
-	case 28: switch (rdata->rdclass) { \
-		case 1: result = towire_in_aaaa(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = towire_loc(rdata, cctx, target); break; \
-	case 30: result = towire_nxt(rdata, cctx, target); break; \
-	case 33: switch (rdata->rdclass) { \
-		case 1: result = towire_in_srv(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = towire_naptr(rdata, cctx, target); break; \
-	case 36: switch (rdata->rdclass) { \
-		case 1: result = towire_in_kx(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = towire_cert(rdata, cctx, target); break; \
-	case 38: switch (rdata->rdclass) { \
-		case 1: result = towire_in_a6(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = towire_dname(rdata, cctx, target); break; \
-	case 41: result = towire_opt(rdata, cctx, target); break; \
-	case 42: switch (rdata->rdclass) { \
-		case 1: result = towire_in_apl(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = towire_ds(rdata, cctx, target); break; \
-	case 44: result = towire_sshfp(rdata, cctx, target); break; \
-	case 45: result = towire_ipseckey(rdata, cctx, target); break; \
-	case 46: result = towire_rrsig(rdata, cctx, target); break; \
-	case 47: result = towire_nsec(rdata, cctx, target); break; \
-	case 48: result = towire_dnskey(rdata, cctx, target); break; \
-	case 49: switch (rdata->rdclass) { \
-		case 1: result = towire_in_dhcid(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = towire_nsec3(rdata, cctx, target); break; \
-	case 51: result = towire_nsec3param(rdata, cctx, target); break; \
-	case 52: result = towire_tlsa(rdata, cctx, target); break; \
-	case 55: result = towire_hip(rdata, cctx, target); break; \
-	case 99: result = towire_spf(rdata, cctx, target); break; \
-	case 103: result = towire_unspec(rdata, cctx, target); break; \
-	case 104: result = towire_nid(rdata, cctx, target); break; \
-	case 105: result = towire_l32(rdata, cctx, target); break; \
-	case 106: result = towire_l64(rdata, cctx, target); break; \
-	case 107: result = towire_lp(rdata, cctx, target); break; \
-	case 108: result = towire_eui48(rdata, cctx, target); break; \
-	case 109: result = towire_eui64(rdata, cctx, target); break; \
-	case 249: result = towire_tkey(rdata, cctx, target); break; \
-	case 250: switch (rdata->rdclass) { \
-		case 255: result = towire_any_tsig(rdata, cctx, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = towire_uri(rdata, cctx, target); break; \
-	case 32769: result = towire_dlv(rdata, cctx, target); break; \
-	case 65533: result = towire_keydata(rdata, cctx, target); break; \
-	default: use_default = ISC_TRUE; break; \
-	}
-
-#define COMPARESWITCH \
-	switch (rdata1->type) { \
-	case 1: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_a(rdata1, rdata2); break; \
-		case 3: result = compare_ch_a(rdata1, rdata2); break; \
-		case 4: result = compare_hs_a(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = compare_ns(rdata1, rdata2); break; \
-	case 3: result = compare_md(rdata1, rdata2); break; \
-	case 4: result = compare_mf(rdata1, rdata2); break; \
-	case 5: result = compare_cname(rdata1, rdata2); break; \
-	case 6: result = compare_soa(rdata1, rdata2); break; \
-	case 7: result = compare_mb(rdata1, rdata2); break; \
-	case 8: result = compare_mg(rdata1, rdata2); break; \
-	case 9: result = compare_mr(rdata1, rdata2); break; \
-	case 10: result = compare_null(rdata1, rdata2); break; \
-	case 11: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_wks(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = compare_ptr(rdata1, rdata2); break; \
-	case 13: result = compare_hinfo(rdata1, rdata2); break; \
-	case 14: result = compare_minfo(rdata1, rdata2); break; \
-	case 15: result = compare_mx(rdata1, rdata2); break; \
-	case 16: result = compare_txt(rdata1, rdata2); break; \
-	case 17: result = compare_rp(rdata1, rdata2); break; \
-	case 18: result = compare_afsdb(rdata1, rdata2); break; \
-	case 19: result = compare_x25(rdata1, rdata2); break; \
-	case 20: result = compare_isdn(rdata1, rdata2); break; \
-	case 21: result = compare_rt(rdata1, rdata2); break; \
-	case 22: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_nsap(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_nsap_ptr(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = compare_sig(rdata1, rdata2); break; \
-	case 25: result = compare_key(rdata1, rdata2); break; \
-	case 26: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_px(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = compare_gpos(rdata1, rdata2); break; \
-	case 28: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_aaaa(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = compare_loc(rdata1, rdata2); break; \
-	case 30: result = compare_nxt(rdata1, rdata2); break; \
-	case 33: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_srv(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = compare_naptr(rdata1, rdata2); break; \
-	case 36: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_kx(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = compare_cert(rdata1, rdata2); break; \
-	case 38: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_a6(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = compare_dname(rdata1, rdata2); break; \
-	case 41: result = compare_opt(rdata1, rdata2); break; \
-	case 42: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_apl(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = compare_ds(rdata1, rdata2); break; \
-	case 44: result = compare_sshfp(rdata1, rdata2); break; \
-	case 45: result = compare_ipseckey(rdata1, rdata2); break; \
-	case 46: result = compare_rrsig(rdata1, rdata2); break; \
-	case 47: result = compare_nsec(rdata1, rdata2); break; \
-	case 48: result = compare_dnskey(rdata1, rdata2); break; \
-	case 49: switch (rdata1->rdclass) { \
-		case 1: result = compare_in_dhcid(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = compare_nsec3(rdata1, rdata2); break; \
-	case 51: result = compare_nsec3param(rdata1, rdata2); break; \
-	case 52: result = compare_tlsa(rdata1, rdata2); break; \
-	case 55: result = compare_hip(rdata1, rdata2); break; \
-	case 99: result = compare_spf(rdata1, rdata2); break; \
-	case 103: result = compare_unspec(rdata1, rdata2); break; \
-	case 104: result = compare_nid(rdata1, rdata2); break; \
-	case 105: result = compare_l32(rdata1, rdata2); break; \
-	case 106: result = compare_l64(rdata1, rdata2); break; \
-	case 107: result = compare_lp(rdata1, rdata2); break; \
-	case 108: result = compare_eui48(rdata1, rdata2); break; \
-	case 109: result = compare_eui64(rdata1, rdata2); break; \
-	case 249: result = compare_tkey(rdata1, rdata2); break; \
-	case 250: switch (rdata1->rdclass) { \
-		case 255: result = compare_any_tsig(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = compare_uri(rdata1, rdata2); break; \
-	case 32769: result = compare_dlv(rdata1, rdata2); break; \
-	case 65533: result = compare_keydata(rdata1, rdata2); break; \
-	default: use_default = ISC_TRUE; break; \
-	}
-
-#define CASECOMPARESWITCH \
-	switch (rdata1->type) { \
-	case 1: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_a(rdata1, rdata2); break; \
-		case 3: result = casecompare_ch_a(rdata1, rdata2); break; \
-		case 4: result = casecompare_hs_a(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = casecompare_ns(rdata1, rdata2); break; \
-	case 3: result = casecompare_md(rdata1, rdata2); break; \
-	case 4: result = casecompare_mf(rdata1, rdata2); break; \
-	case 5: result = casecompare_cname(rdata1, rdata2); break; \
-	case 6: result = casecompare_soa(rdata1, rdata2); break; \
-	case 7: result = casecompare_mb(rdata1, rdata2); break; \
-	case 8: result = casecompare_mg(rdata1, rdata2); break; \
-	case 9: result = casecompare_mr(rdata1, rdata2); break; \
-	case 10: result = casecompare_null(rdata1, rdata2); break; \
-	case 11: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_wks(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = casecompare_ptr(rdata1, rdata2); break; \
-	case 13: result = casecompare_hinfo(rdata1, rdata2); break; \
-	case 14: result = casecompare_minfo(rdata1, rdata2); break; \
-	case 15: result = casecompare_mx(rdata1, rdata2); break; \
-	case 16: result = casecompare_txt(rdata1, rdata2); break; \
-	case 17: result = casecompare_rp(rdata1, rdata2); break; \
-	case 18: result = casecompare_afsdb(rdata1, rdata2); break; \
-	case 19: result = casecompare_x25(rdata1, rdata2); break; \
-	case 20: result = casecompare_isdn(rdata1, rdata2); break; \
-	case 21: result = casecompare_rt(rdata1, rdata2); break; \
-	case 22: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_nsap(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_nsap_ptr(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = casecompare_sig(rdata1, rdata2); break; \
-	case 25: result = casecompare_key(rdata1, rdata2); break; \
-	case 26: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_px(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = casecompare_gpos(rdata1, rdata2); break; \
-	case 28: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_aaaa(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = casecompare_loc(rdata1, rdata2); break; \
-	case 30: result = casecompare_nxt(rdata1, rdata2); break; \
-	case 33: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_srv(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = casecompare_naptr(rdata1, rdata2); break; \
-	case 36: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_kx(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = casecompare_cert(rdata1, rdata2); break; \
-	case 38: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_a6(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = casecompare_dname(rdata1, rdata2); break; \
-	case 41: result = casecompare_opt(rdata1, rdata2); break; \
-	case 42: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_apl(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = casecompare_ds(rdata1, rdata2); break; \
-	case 44: result = casecompare_sshfp(rdata1, rdata2); break; \
-	case 45: result = casecompare_ipseckey(rdata1, rdata2); break; \
-	case 46: result = casecompare_rrsig(rdata1, rdata2); break; \
-	case 47: result = casecompare_nsec(rdata1, rdata2); break; \
-	case 48: result = casecompare_dnskey(rdata1, rdata2); break; \
-	case 49: switch (rdata1->rdclass) { \
-		case 1: result = casecompare_in_dhcid(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = casecompare_nsec3(rdata1, rdata2); break; \
-	case 51: result = casecompare_nsec3param(rdata1, rdata2); break; \
-	case 52: result = casecompare_tlsa(rdata1, rdata2); break; \
-	case 55: result = casecompare_hip(rdata1, rdata2); break; \
-	case 99: result = casecompare_spf(rdata1, rdata2); break; \
-	case 103: result = casecompare_unspec(rdata1, rdata2); break; \
-	case 104: result = casecompare_nid(rdata1, rdata2); break; \
-	case 105: result = casecompare_l32(rdata1, rdata2); break; \
-	case 106: result = casecompare_l64(rdata1, rdata2); break; \
-	case 107: result = casecompare_lp(rdata1, rdata2); break; \
-	case 108: result = casecompare_eui48(rdata1, rdata2); break; \
-	case 109: result = casecompare_eui64(rdata1, rdata2); break; \
-	case 249: result = casecompare_tkey(rdata1, rdata2); break; \
-	case 250: switch (rdata1->rdclass) { \
-		case 255: result = casecompare_any_tsig(rdata1, rdata2); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = casecompare_uri(rdata1, rdata2); break; \
-	case 32769: result = casecompare_dlv(rdata1, rdata2); break; \
-	case 65533: result = casecompare_keydata(rdata1, rdata2); break; \
-	default: use_default = ISC_TRUE; break; \
-	}
-
-#define FROMSTRUCTSWITCH \
-	switch (type) { \
-	case 1: switch (rdclass) { \
-		case 1: result = fromstruct_in_a(rdclass, type, source, target); break; \
-		case 3: result = fromstruct_ch_a(rdclass, type, source, target); break; \
-		case 4: result = fromstruct_hs_a(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = fromstruct_ns(rdclass, type, source, target); break; \
-	case 3: result = fromstruct_md(rdclass, type, source, target); break; \
-	case 4: result = fromstruct_mf(rdclass, type, source, target); break; \
-	case 5: result = fromstruct_cname(rdclass, type, source, target); break; \
-	case 6: result = fromstruct_soa(rdclass, type, source, target); break; \
-	case 7: result = fromstruct_mb(rdclass, type, source, target); break; \
-	case 8: result = fromstruct_mg(rdclass, type, source, target); break; \
-	case 9: result = fromstruct_mr(rdclass, type, source, target); break; \
-	case 10: result = fromstruct_null(rdclass, type, source, target); break; \
-	case 11: switch (rdclass) { \
-		case 1: result = fromstruct_in_wks(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = fromstruct_ptr(rdclass, type, source, target); break; \
-	case 13: result = fromstruct_hinfo(rdclass, type, source, target); break; \
-	case 14: result = fromstruct_minfo(rdclass, type, source, target); break; \
-	case 15: result = fromstruct_mx(rdclass, type, source, target); break; \
-	case 16: result = fromstruct_txt(rdclass, type, source, target); break; \
-	case 17: result = fromstruct_rp(rdclass, type, source, target); break; \
-	case 18: result = fromstruct_afsdb(rdclass, type, source, target); break; \
-	case 19: result = fromstruct_x25(rdclass, type, source, target); break; \
-	case 20: result = fromstruct_isdn(rdclass, type, source, target); break; \
-	case 21: result = fromstruct_rt(rdclass, type, source, target); break; \
-	case 22: switch (rdclass) { \
-		case 1: result = fromstruct_in_nsap(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdclass) { \
-		case 1: result = fromstruct_in_nsap_ptr(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = fromstruct_sig(rdclass, type, source, target); break; \
-	case 25: result = fromstruct_key(rdclass, type, source, target); break; \
-	case 26: switch (rdclass) { \
-		case 1: result = fromstruct_in_px(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = fromstruct_gpos(rdclass, type, source, target); break; \
-	case 28: switch (rdclass) { \
-		case 1: result = fromstruct_in_aaaa(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = fromstruct_loc(rdclass, type, source, target); break; \
-	case 30: result = fromstruct_nxt(rdclass, type, source, target); break; \
-	case 33: switch (rdclass) { \
-		case 1: result = fromstruct_in_srv(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = fromstruct_naptr(rdclass, type, source, target); break; \
-	case 36: switch (rdclass) { \
-		case 1: result = fromstruct_in_kx(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = fromstruct_cert(rdclass, type, source, target); break; \
-	case 38: switch (rdclass) { \
-		case 1: result = fromstruct_in_a6(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = fromstruct_dname(rdclass, type, source, target); break; \
-	case 41: result = fromstruct_opt(rdclass, type, source, target); break; \
-	case 42: switch (rdclass) { \
-		case 1: result = fromstruct_in_apl(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = fromstruct_ds(rdclass, type, source, target); break; \
-	case 44: result = fromstruct_sshfp(rdclass, type, source, target); break; \
-	case 45: result = fromstruct_ipseckey(rdclass, type, source, target); break; \
-	case 46: result = fromstruct_rrsig(rdclass, type, source, target); break; \
-	case 47: result = fromstruct_nsec(rdclass, type, source, target); break; \
-	case 48: result = fromstruct_dnskey(rdclass, type, source, target); break; \
-	case 49: switch (rdclass) { \
-		case 1: result = fromstruct_in_dhcid(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = fromstruct_nsec3(rdclass, type, source, target); break; \
-	case 51: result = fromstruct_nsec3param(rdclass, type, source, target); break; \
-	case 52: result = fromstruct_tlsa(rdclass, type, source, target); break; \
-	case 55: result = fromstruct_hip(rdclass, type, source, target); break; \
-	case 99: result = fromstruct_spf(rdclass, type, source, target); break; \
-	case 103: result = fromstruct_unspec(rdclass, type, source, target); break; \
-	case 104: result = fromstruct_nid(rdclass, type, source, target); break; \
-	case 105: result = fromstruct_l32(rdclass, type, source, target); break; \
-	case 106: result = fromstruct_l64(rdclass, type, source, target); break; \
-	case 107: result = fromstruct_lp(rdclass, type, source, target); break; \
-	case 108: result = fromstruct_eui48(rdclass, type, source, target); break; \
-	case 109: result = fromstruct_eui64(rdclass, type, source, target); break; \
-	case 249: result = fromstruct_tkey(rdclass, type, source, target); break; \
-	case 250: switch (rdclass) { \
-		case 255: result = fromstruct_any_tsig(rdclass, type, source, target); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = fromstruct_uri(rdclass, type, source, target); break; \
-	case 32769: result = fromstruct_dlv(rdclass, type, source, target); break; \
-	case 65533: result = fromstruct_keydata(rdclass, type, source, target); break; \
-	default: use_default = ISC_TRUE; break; \
-	}
-
-#define TOSTRUCTSWITCH \
-	switch (rdata->type) { \
-	case 1: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_a(rdata, target, mctx); break; \
-		case 3: result = tostruct_ch_a(rdata, target, mctx); break; \
-		case 4: result = tostruct_hs_a(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = tostruct_ns(rdata, target, mctx); break; \
-	case 3: result = tostruct_md(rdata, target, mctx); break; \
-	case 4: result = tostruct_mf(rdata, target, mctx); break; \
-	case 5: result = tostruct_cname(rdata, target, mctx); break; \
-	case 6: result = tostruct_soa(rdata, target, mctx); break; \
-	case 7: result = tostruct_mb(rdata, target, mctx); break; \
-	case 8: result = tostruct_mg(rdata, target, mctx); break; \
-	case 9: result = tostruct_mr(rdata, target, mctx); break; \
-	case 10: result = tostruct_null(rdata, target, mctx); break; \
-	case 11: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_wks(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = tostruct_ptr(rdata, target, mctx); break; \
-	case 13: result = tostruct_hinfo(rdata, target, mctx); break; \
-	case 14: result = tostruct_minfo(rdata, target, mctx); break; \
-	case 15: result = tostruct_mx(rdata, target, mctx); break; \
-	case 16: result = tostruct_txt(rdata, target, mctx); break; \
-	case 17: result = tostruct_rp(rdata, target, mctx); break; \
-	case 18: result = tostruct_afsdb(rdata, target, mctx); break; \
-	case 19: result = tostruct_x25(rdata, target, mctx); break; \
-	case 20: result = tostruct_isdn(rdata, target, mctx); break; \
-	case 21: result = tostruct_rt(rdata, target, mctx); break; \
-	case 22: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_nsap(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_nsap_ptr(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = tostruct_sig(rdata, target, mctx); break; \
-	case 25: result = tostruct_key(rdata, target, mctx); break; \
-	case 26: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_px(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = tostruct_gpos(rdata, target, mctx); break; \
-	case 28: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_aaaa(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = tostruct_loc(rdata, target, mctx); break; \
-	case 30: result = tostruct_nxt(rdata, target, mctx); break; \
-	case 33: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_srv(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = tostruct_naptr(rdata, target, mctx); break; \
-	case 36: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_kx(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = tostruct_cert(rdata, target, mctx); break; \
-	case 38: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_a6(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = tostruct_dname(rdata, target, mctx); break; \
-	case 41: result = tostruct_opt(rdata, target, mctx); break; \
-	case 42: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_apl(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = tostruct_ds(rdata, target, mctx); break; \
-	case 44: result = tostruct_sshfp(rdata, target, mctx); break; \
-	case 45: result = tostruct_ipseckey(rdata, target, mctx); break; \
-	case 46: result = tostruct_rrsig(rdata, target, mctx); break; \
-	case 47: result = tostruct_nsec(rdata, target, mctx); break; \
-	case 48: result = tostruct_dnskey(rdata, target, mctx); break; \
-	case 49: switch (rdata->rdclass) { \
-		case 1: result = tostruct_in_dhcid(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = tostruct_nsec3(rdata, target, mctx); break; \
-	case 51: result = tostruct_nsec3param(rdata, target, mctx); break; \
-	case 52: result = tostruct_tlsa(rdata, target, mctx); break; \
-	case 55: result = tostruct_hip(rdata, target, mctx); break; \
-	case 99: result = tostruct_spf(rdata, target, mctx); break; \
-	case 103: result = tostruct_unspec(rdata, target, mctx); break; \
-	case 104: result = tostruct_nid(rdata, target, mctx); break; \
-	case 105: result = tostruct_l32(rdata, target, mctx); break; \
-	case 106: result = tostruct_l64(rdata, target, mctx); break; \
-	case 107: result = tostruct_lp(rdata, target, mctx); break; \
-	case 108: result = tostruct_eui48(rdata, target, mctx); break; \
-	case 109: result = tostruct_eui64(rdata, target, mctx); break; \
-	case 249: result = tostruct_tkey(rdata, target, mctx); break; \
-	case 250: switch (rdata->rdclass) { \
-		case 255: result = tostruct_any_tsig(rdata, target, mctx); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = tostruct_uri(rdata, target, mctx); break; \
-	case 32769: result = tostruct_dlv(rdata, target, mctx); break; \
-	case 65533: result = tostruct_keydata(rdata, target, mctx); break; \
-	default: use_default = ISC_TRUE; break; \
-	}
-
-#define FREESTRUCTSWITCH \
-	switch (common->rdtype) { \
-	case 1: switch (common->rdclass) { \
-		case 1: freestruct_in_a(source); break; \
-		case 3: freestruct_ch_a(source); break; \
-		case 4: freestruct_hs_a(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 2: freestruct_ns(source); break; \
-	case 3: freestruct_md(source); break; \
-	case 4: freestruct_mf(source); break; \
-	case 5: freestruct_cname(source); break; \
-	case 6: freestruct_soa(source); break; \
-	case 7: freestruct_mb(source); break; \
-	case 8: freestruct_mg(source); break; \
-	case 9: freestruct_mr(source); break; \
-	case 10: freestruct_null(source); break; \
-	case 11: switch (common->rdclass) { \
-		case 1: freestruct_in_wks(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 12: freestruct_ptr(source); break; \
-	case 13: freestruct_hinfo(source); break; \
-	case 14: freestruct_minfo(source); break; \
-	case 15: freestruct_mx(source); break; \
-	case 16: freestruct_txt(source); break; \
-	case 17: freestruct_rp(source); break; \
-	case 18: freestruct_afsdb(source); break; \
-	case 19: freestruct_x25(source); break; \
-	case 20: freestruct_isdn(source); break; \
-	case 21: freestruct_rt(source); break; \
-	case 22: switch (common->rdclass) { \
-		case 1: freestruct_in_nsap(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 23: switch (common->rdclass) { \
-		case 1: freestruct_in_nsap_ptr(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 24: freestruct_sig(source); break; \
-	case 25: freestruct_key(source); break; \
-	case 26: switch (common->rdclass) { \
-		case 1: freestruct_in_px(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 27: freestruct_gpos(source); break; \
-	case 28: switch (common->rdclass) { \
-		case 1: freestruct_in_aaaa(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 29: freestruct_loc(source); break; \
-	case 30: freestruct_nxt(source); break; \
-	case 33: switch (common->rdclass) { \
-		case 1: freestruct_in_srv(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 35: freestruct_naptr(source); break; \
-	case 36: switch (common->rdclass) { \
-		case 1: freestruct_in_kx(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 37: freestruct_cert(source); break; \
-	case 38: switch (common->rdclass) { \
-		case 1: freestruct_in_a6(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 39: freestruct_dname(source); break; \
-	case 41: freestruct_opt(source); break; \
-	case 42: switch (common->rdclass) { \
-		case 1: freestruct_in_apl(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 43: freestruct_ds(source); break; \
-	case 44: freestruct_sshfp(source); break; \
-	case 45: freestruct_ipseckey(source); break; \
-	case 46: freestruct_rrsig(source); break; \
-	case 47: freestruct_nsec(source); break; \
-	case 48: freestruct_dnskey(source); break; \
-	case 49: switch (common->rdclass) { \
-		case 1: freestruct_in_dhcid(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 50: freestruct_nsec3(source); break; \
-	case 51: freestruct_nsec3param(source); break; \
-	case 52: freestruct_tlsa(source); break; \
-	case 55: freestruct_hip(source); break; \
-	case 99: freestruct_spf(source); break; \
-	case 103: freestruct_unspec(source); break; \
-	case 104: freestruct_nid(source); break; \
-	case 105: freestruct_l32(source); break; \
-	case 106: freestruct_l64(source); break; \
-	case 107: freestruct_lp(source); break; \
-	case 108: freestruct_eui48(source); break; \
-	case 109: freestruct_eui64(source); break; \
-	case 249: freestruct_tkey(source); break; \
-	case 250: switch (common->rdclass) { \
-		case 255: freestruct_any_tsig(source); break; \
-		default: break; \
-		} \
-		break; \
-	case 256: freestruct_uri(source); break; \
-	case 32769: freestruct_dlv(source); break; \
-	case 65533: freestruct_keydata(source); break; \
-	default: break; \
-	}
-
-#define ADDITIONALDATASWITCH \
-	switch (rdata->type) { \
-	case 1: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_a(rdata, add, arg); break; \
-		case 3: result = additionaldata_ch_a(rdata, add, arg); break; \
-		case 4: result = additionaldata_hs_a(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = additionaldata_ns(rdata, add, arg); break; \
-	case 3: result = additionaldata_md(rdata, add, arg); break; \
-	case 4: result = additionaldata_mf(rdata, add, arg); break; \
-	case 5: result = additionaldata_cname(rdata, add, arg); break; \
-	case 6: result = additionaldata_soa(rdata, add, arg); break; \
-	case 7: result = additionaldata_mb(rdata, add, arg); break; \
-	case 8: result = additionaldata_mg(rdata, add, arg); break; \
-	case 9: result = additionaldata_mr(rdata, add, arg); break; \
-	case 10: result = additionaldata_null(rdata, add, arg); break; \
-	case 11: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_wks(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = additionaldata_ptr(rdata, add, arg); break; \
-	case 13: result = additionaldata_hinfo(rdata, add, arg); break; \
-	case 14: result = additionaldata_minfo(rdata, add, arg); break; \
-	case 15: result = additionaldata_mx(rdata, add, arg); break; \
-	case 16: result = additionaldata_txt(rdata, add, arg); break; \
-	case 17: result = additionaldata_rp(rdata, add, arg); break; \
-	case 18: result = additionaldata_afsdb(rdata, add, arg); break; \
-	case 19: result = additionaldata_x25(rdata, add, arg); break; \
-	case 20: result = additionaldata_isdn(rdata, add, arg); break; \
-	case 21: result = additionaldata_rt(rdata, add, arg); break; \
-	case 22: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_nsap(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_nsap_ptr(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = additionaldata_sig(rdata, add, arg); break; \
-	case 25: result = additionaldata_key(rdata, add, arg); break; \
-	case 26: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_px(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = additionaldata_gpos(rdata, add, arg); break; \
-	case 28: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_aaaa(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = additionaldata_loc(rdata, add, arg); break; \
-	case 30: result = additionaldata_nxt(rdata, add, arg); break; \
-	case 33: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_srv(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = additionaldata_naptr(rdata, add, arg); break; \
-	case 36: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_kx(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = additionaldata_cert(rdata, add, arg); break; \
-	case 38: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_a6(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = additionaldata_dname(rdata, add, arg); break; \
-	case 41: result = additionaldata_opt(rdata, add, arg); break; \
-	case 42: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_apl(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = additionaldata_ds(rdata, add, arg); break; \
-	case 44: result = additionaldata_sshfp(rdata, add, arg); break; \
-	case 45: result = additionaldata_ipseckey(rdata, add, arg); break; \
-	case 46: result = additionaldata_rrsig(rdata, add, arg); break; \
-	case 47: result = additionaldata_nsec(rdata, add, arg); break; \
-	case 48: result = additionaldata_dnskey(rdata, add, arg); break; \
-	case 49: switch (rdata->rdclass) { \
-		case 1: result = additionaldata_in_dhcid(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = additionaldata_nsec3(rdata, add, arg); break; \
-	case 51: result = additionaldata_nsec3param(rdata, add, arg); break; \
-	case 52: result = additionaldata_tlsa(rdata, add, arg); break; \
-	case 55: result = additionaldata_hip(rdata, add, arg); break; \
-	case 99: result = additionaldata_spf(rdata, add, arg); break; \
-	case 103: result = additionaldata_unspec(rdata, add, arg); break; \
-	case 104: result = additionaldata_nid(rdata, add, arg); break; \
-	case 105: result = additionaldata_l32(rdata, add, arg); break; \
-	case 106: result = additionaldata_l64(rdata, add, arg); break; \
-	case 107: result = additionaldata_lp(rdata, add, arg); break; \
-	case 108: result = additionaldata_eui48(rdata, add, arg); break; \
-	case 109: result = additionaldata_eui64(rdata, add, arg); break; \
-	case 249: result = additionaldata_tkey(rdata, add, arg); break; \
-	case 250: switch (rdata->rdclass) { \
-		case 255: result = additionaldata_any_tsig(rdata, add, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = additionaldata_uri(rdata, add, arg); break; \
-	case 32769: result = additionaldata_dlv(rdata, add, arg); break; \
-	case 65533: result = additionaldata_keydata(rdata, add, arg); break; \
-	default: use_default = ISC_TRUE; break; \
-	}
-
-#define DIGESTSWITCH \
-	switch (rdata->type) { \
-	case 1: switch (rdata->rdclass) { \
-		case 1: result = digest_in_a(rdata, digest, arg); break; \
-		case 3: result = digest_ch_a(rdata, digest, arg); break; \
-		case 4: result = digest_hs_a(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = digest_ns(rdata, digest, arg); break; \
-	case 3: result = digest_md(rdata, digest, arg); break; \
-	case 4: result = digest_mf(rdata, digest, arg); break; \
-	case 5: result = digest_cname(rdata, digest, arg); break; \
-	case 6: result = digest_soa(rdata, digest, arg); break; \
-	case 7: result = digest_mb(rdata, digest, arg); break; \
-	case 8: result = digest_mg(rdata, digest, arg); break; \
-	case 9: result = digest_mr(rdata, digest, arg); break; \
-	case 10: result = digest_null(rdata, digest, arg); break; \
-	case 11: switch (rdata->rdclass) { \
-		case 1: result = digest_in_wks(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = digest_ptr(rdata, digest, arg); break; \
-	case 13: result = digest_hinfo(rdata, digest, arg); break; \
-	case 14: result = digest_minfo(rdata, digest, arg); break; \
-	case 15: result = digest_mx(rdata, digest, arg); break; \
-	case 16: result = digest_txt(rdata, digest, arg); break; \
-	case 17: result = digest_rp(rdata, digest, arg); break; \
-	case 18: result = digest_afsdb(rdata, digest, arg); break; \
-	case 19: result = digest_x25(rdata, digest, arg); break; \
-	case 20: result = digest_isdn(rdata, digest, arg); break; \
-	case 21: result = digest_rt(rdata, digest, arg); break; \
-	case 22: switch (rdata->rdclass) { \
-		case 1: result = digest_in_nsap(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdata->rdclass) { \
-		case 1: result = digest_in_nsap_ptr(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = digest_sig(rdata, digest, arg); break; \
-	case 25: result = digest_key(rdata, digest, arg); break; \
-	case 26: switch (rdata->rdclass) { \
-		case 1: result = digest_in_px(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = digest_gpos(rdata, digest, arg); break; \
-	case 28: switch (rdata->rdclass) { \
-		case 1: result = digest_in_aaaa(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = digest_loc(rdata, digest, arg); break; \
-	case 30: result = digest_nxt(rdata, digest, arg); break; \
-	case 33: switch (rdata->rdclass) { \
-		case 1: result = digest_in_srv(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = digest_naptr(rdata, digest, arg); break; \
-	case 36: switch (rdata->rdclass) { \
-		case 1: result = digest_in_kx(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = digest_cert(rdata, digest, arg); break; \
-	case 38: switch (rdata->rdclass) { \
-		case 1: result = digest_in_a6(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = digest_dname(rdata, digest, arg); break; \
-	case 41: result = digest_opt(rdata, digest, arg); break; \
-	case 42: switch (rdata->rdclass) { \
-		case 1: result = digest_in_apl(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = digest_ds(rdata, digest, arg); break; \
-	case 44: result = digest_sshfp(rdata, digest, arg); break; \
-	case 45: result = digest_ipseckey(rdata, digest, arg); break; \
-	case 46: result = digest_rrsig(rdata, digest, arg); break; \
-	case 47: result = digest_nsec(rdata, digest, arg); break; \
-	case 48: result = digest_dnskey(rdata, digest, arg); break; \
-	case 49: switch (rdata->rdclass) { \
-		case 1: result = digest_in_dhcid(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = digest_nsec3(rdata, digest, arg); break; \
-	case 51: result = digest_nsec3param(rdata, digest, arg); break; \
-	case 52: result = digest_tlsa(rdata, digest, arg); break; \
-	case 55: result = digest_hip(rdata, digest, arg); break; \
-	case 99: result = digest_spf(rdata, digest, arg); break; \
-	case 103: result = digest_unspec(rdata, digest, arg); break; \
-	case 104: result = digest_nid(rdata, digest, arg); break; \
-	case 105: result = digest_l32(rdata, digest, arg); break; \
-	case 106: result = digest_l64(rdata, digest, arg); break; \
-	case 107: result = digest_lp(rdata, digest, arg); break; \
-	case 108: result = digest_eui48(rdata, digest, arg); break; \
-	case 109: result = digest_eui64(rdata, digest, arg); break; \
-	case 249: result = digest_tkey(rdata, digest, arg); break; \
-	case 250: switch (rdata->rdclass) { \
-		case 255: result = digest_any_tsig(rdata, digest, arg); break; \
-		default: use_default = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = digest_uri(rdata, digest, arg); break; \
-	case 32769: result = digest_dlv(rdata, digest, arg); break; \
-	case 65533: result = digest_keydata(rdata, digest, arg); break; \
-	default: use_default = ISC_TRUE; break; \
-	}
-
-#define CHECKOWNERSWITCH \
-	switch (type) { \
-	case 1: switch (rdclass) { \
-		case 1: result = checkowner_in_a(name, rdclass, type, wildcard); break; \
-		case 3: result = checkowner_ch_a(name, rdclass, type, wildcard); break; \
-		case 4: result = checkowner_hs_a(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = checkowner_ns(name, rdclass, type, wildcard); break; \
-	case 3: result = checkowner_md(name, rdclass, type, wildcard); break; \
-	case 4: result = checkowner_mf(name, rdclass, type, wildcard); break; \
-	case 5: result = checkowner_cname(name, rdclass, type, wildcard); break; \
-	case 6: result = checkowner_soa(name, rdclass, type, wildcard); break; \
-	case 7: result = checkowner_mb(name, rdclass, type, wildcard); break; \
-	case 8: result = checkowner_mg(name, rdclass, type, wildcard); break; \
-	case 9: result = checkowner_mr(name, rdclass, type, wildcard); break; \
-	case 10: result = checkowner_null(name, rdclass, type, wildcard); break; \
-	case 11: switch (rdclass) { \
-		case 1: result = checkowner_in_wks(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = checkowner_ptr(name, rdclass, type, wildcard); break; \
-	case 13: result = checkowner_hinfo(name, rdclass, type, wildcard); break; \
-	case 14: result = checkowner_minfo(name, rdclass, type, wildcard); break; \
-	case 15: result = checkowner_mx(name, rdclass, type, wildcard); break; \
-	case 16: result = checkowner_txt(name, rdclass, type, wildcard); break; \
-	case 17: result = checkowner_rp(name, rdclass, type, wildcard); break; \
-	case 18: result = checkowner_afsdb(name, rdclass, type, wildcard); break; \
-	case 19: result = checkowner_x25(name, rdclass, type, wildcard); break; \
-	case 20: result = checkowner_isdn(name, rdclass, type, wildcard); break; \
-	case 21: result = checkowner_rt(name, rdclass, type, wildcard); break; \
-	case 22: switch (rdclass) { \
-		case 1: result = checkowner_in_nsap(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdclass) { \
-		case 1: result = checkowner_in_nsap_ptr(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = checkowner_sig(name, rdclass, type, wildcard); break; \
-	case 25: result = checkowner_key(name, rdclass, type, wildcard); break; \
-	case 26: switch (rdclass) { \
-		case 1: result = checkowner_in_px(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = checkowner_gpos(name, rdclass, type, wildcard); break; \
-	case 28: switch (rdclass) { \
-		case 1: result = checkowner_in_aaaa(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = checkowner_loc(name, rdclass, type, wildcard); break; \
-	case 30: result = checkowner_nxt(name, rdclass, type, wildcard); break; \
-	case 33: switch (rdclass) { \
-		case 1: result = checkowner_in_srv(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = checkowner_naptr(name, rdclass, type, wildcard); break; \
-	case 36: switch (rdclass) { \
-		case 1: result = checkowner_in_kx(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = checkowner_cert(name, rdclass, type, wildcard); break; \
-	case 38: switch (rdclass) { \
-		case 1: result = checkowner_in_a6(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = checkowner_dname(name, rdclass, type, wildcard); break; \
-	case 41: result = checkowner_opt(name, rdclass, type, wildcard); break; \
-	case 42: switch (rdclass) { \
-		case 1: result = checkowner_in_apl(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = checkowner_ds(name, rdclass, type, wildcard); break; \
-	case 44: result = checkowner_sshfp(name, rdclass, type, wildcard); break; \
-	case 45: result = checkowner_ipseckey(name, rdclass, type, wildcard); break; \
-	case 46: result = checkowner_rrsig(name, rdclass, type, wildcard); break; \
-	case 47: result = checkowner_nsec(name, rdclass, type, wildcard); break; \
-	case 48: result = checkowner_dnskey(name, rdclass, type, wildcard); break; \
-	case 49: switch (rdclass) { \
-		case 1: result = checkowner_in_dhcid(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = checkowner_nsec3(name, rdclass, type, wildcard); break; \
-	case 51: result = checkowner_nsec3param(name, rdclass, type, wildcard); break; \
-	case 52: result = checkowner_tlsa(name, rdclass, type, wildcard); break; \
-	case 55: result = checkowner_hip(name, rdclass, type, wildcard); break; \
-	case 99: result = checkowner_spf(name, rdclass, type, wildcard); break; \
-	case 103: result = checkowner_unspec(name, rdclass, type, wildcard); break; \
-	case 104: result = checkowner_nid(name, rdclass, type, wildcard); break; \
-	case 105: result = checkowner_l32(name, rdclass, type, wildcard); break; \
-	case 106: result = checkowner_l64(name, rdclass, type, wildcard); break; \
-	case 107: result = checkowner_lp(name, rdclass, type, wildcard); break; \
-	case 108: result = checkowner_eui48(name, rdclass, type, wildcard); break; \
-	case 109: result = checkowner_eui64(name, rdclass, type, wildcard); break; \
-	case 249: result = checkowner_tkey(name, rdclass, type, wildcard); break; \
-	case 250: switch (rdclass) { \
-		case 255: result = checkowner_any_tsig(name, rdclass, type, wildcard); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = checkowner_uri(name, rdclass, type, wildcard); break; \
-	case 32769: result = checkowner_dlv(name, rdclass, type, wildcard); break; \
-	case 65533: result = checkowner_keydata(name, rdclass, type, wildcard); break; \
-	default: result = ISC_TRUE; break; \
-	}
-
-#define CHECKNAMESSWITCH \
-	switch (rdata->type) { \
-	case 1: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_a(rdata, owner, bad); break; \
-		case 3: result = checknames_ch_a(rdata, owner, bad); break; \
-		case 4: result = checknames_hs_a(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 2: result = checknames_ns(rdata, owner, bad); break; \
-	case 3: result = checknames_md(rdata, owner, bad); break; \
-	case 4: result = checknames_mf(rdata, owner, bad); break; \
-	case 5: result = checknames_cname(rdata, owner, bad); break; \
-	case 6: result = checknames_soa(rdata, owner, bad); break; \
-	case 7: result = checknames_mb(rdata, owner, bad); break; \
-	case 8: result = checknames_mg(rdata, owner, bad); break; \
-	case 9: result = checknames_mr(rdata, owner, bad); break; \
-	case 10: result = checknames_null(rdata, owner, bad); break; \
-	case 11: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_wks(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 12: result = checknames_ptr(rdata, owner, bad); break; \
-	case 13: result = checknames_hinfo(rdata, owner, bad); break; \
-	case 14: result = checknames_minfo(rdata, owner, bad); break; \
-	case 15: result = checknames_mx(rdata, owner, bad); break; \
-	case 16: result = checknames_txt(rdata, owner, bad); break; \
-	case 17: result = checknames_rp(rdata, owner, bad); break; \
-	case 18: result = checknames_afsdb(rdata, owner, bad); break; \
-	case 19: result = checknames_x25(rdata, owner, bad); break; \
-	case 20: result = checknames_isdn(rdata, owner, bad); break; \
-	case 21: result = checknames_rt(rdata, owner, bad); break; \
-	case 22: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_nsap(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 23: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_nsap_ptr(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 24: result = checknames_sig(rdata, owner, bad); break; \
-	case 25: result = checknames_key(rdata, owner, bad); break; \
-	case 26: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_px(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 27: result = checknames_gpos(rdata, owner, bad); break; \
-	case 28: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_aaaa(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 29: result = checknames_loc(rdata, owner, bad); break; \
-	case 30: result = checknames_nxt(rdata, owner, bad); break; \
-	case 33: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_srv(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 35: result = checknames_naptr(rdata, owner, bad); break; \
-	case 36: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_kx(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 37: result = checknames_cert(rdata, owner, bad); break; \
-	case 38: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_a6(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 39: result = checknames_dname(rdata, owner, bad); break; \
-	case 41: result = checknames_opt(rdata, owner, bad); break; \
-	case 42: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_apl(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 43: result = checknames_ds(rdata, owner, bad); break; \
-	case 44: result = checknames_sshfp(rdata, owner, bad); break; \
-	case 45: result = checknames_ipseckey(rdata, owner, bad); break; \
-	case 46: result = checknames_rrsig(rdata, owner, bad); break; \
-	case 47: result = checknames_nsec(rdata, owner, bad); break; \
-	case 48: result = checknames_dnskey(rdata, owner, bad); break; \
-	case 49: switch (rdata->rdclass) { \
-		case 1: result = checknames_in_dhcid(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 50: result = checknames_nsec3(rdata, owner, bad); break; \
-	case 51: result = checknames_nsec3param(rdata, owner, bad); break; \
-	case 52: result = checknames_tlsa(rdata, owner, bad); break; \
-	case 55: result = checknames_hip(rdata, owner, bad); break; \
-	case 99: result = checknames_spf(rdata, owner, bad); break; \
-	case 103: result = checknames_unspec(rdata, owner, bad); break; \
-	case 104: result = checknames_nid(rdata, owner, bad); break; \
-	case 105: result = checknames_l32(rdata, owner, bad); break; \
-	case 106: result = checknames_l64(rdata, owner, bad); break; \
-	case 107: result = checknames_lp(rdata, owner, bad); break; \
-	case 108: result = checknames_eui48(rdata, owner, bad); break; \
-	case 109: result = checknames_eui64(rdata, owner, bad); break; \
-	case 249: result = checknames_tkey(rdata, owner, bad); break; \
-	case 250: switch (rdata->rdclass) { \
-		case 255: result = checknames_any_tsig(rdata, owner, bad); break; \
-		default: result = ISC_TRUE; break; \
-		} \
-		break; \
-	case 256: result = checknames_uri(rdata, owner, bad); break; \
-	case 32769: result = checknames_dlv(rdata, owner, bad); break; \
-	case 65533: result = checknames_keydata(rdata, owner, bad); break; \
-	default: result = ISC_TRUE; break; \
-	}
-#define RDATATYPE_COMPARE(_s, _d, _tn, _n, _tp) \
-	do { \
-		if (sizeof(_s) - 1 == _n && \
-		    strncasecmp(_s,(_tn),(sizeof(_s) - 1)) == 0) { \
-			if ((dns_rdatatype_attributes(_d) & DNS_RDATATYPEATTR_RESERVED) != 0) \
-				return (ISC_R_NOTIMPLEMENTED); \
-			*(_tp) = _d; \
-			return (ISC_R_SUCCESS); \
-		} \
-	} while (0)
-
-#define RDATATYPE_FROMTEXT_SW(_hash,_typename,_length,_typep) \
-	switch (_hash) { \
-		case 16: \
-			RDATATYPE_COMPARE("reserved0", 0, _typename, _length, _typep); \
-			break; \
-		case 34: \
-			RDATATYPE_COMPARE("a", 1, _typename, _length, _typep); \
-			break; \
-		case 80: \
-			RDATATYPE_COMPARE("ns", 2, _typename, _length, _typep); \
-			break; \
-		case 92: \
-			RDATATYPE_COMPARE("md", 3, _typename, _length, _typep); \
-			break; \
-		case 58: \
-			RDATATYPE_COMPARE("mf", 4, _typename, _length, _typep); \
-			break; \
-		case 8: \
-			RDATATYPE_COMPARE("cname", 5, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("mx", 15, _typename, _length, _typep); \
-			break; \
-		case 182: \
-			RDATATYPE_COMPARE("soa", 6, _typename, _length, _typep); \
-			break; \
-		case 126: \
-			RDATATYPE_COMPARE("mb", 7, _typename, _length, _typep); \
-			break; \
-		case 169: \
-			RDATATYPE_COMPARE("mg", 8, _typename, _length, _typep); \
-			break; \
-		case 110: \
-			RDATATYPE_COMPARE("mr", 9, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("minfo", 14, _typename, _length, _typep); \
-			break; \
-		case 24: \
-			RDATATYPE_COMPARE("null", 10, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("kx", 36, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("nsec3param", 51, _typename, _length, _typep); \
-			break; \
-		case 206: \
-			RDATATYPE_COMPARE("wks", 11, _typename, _length, _typep); \
-			break; \
-		case 54: \
-			RDATATYPE_COMPARE("ptr", 12, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("naptr", 35, _typename, _length, _typep); \
-			break; \
-		case 67: \
-			RDATATYPE_COMPARE("hinfo", 13, _typename, _length, _typep); \
-			break; \
-		case 236: \
-			RDATATYPE_COMPARE("txt", 16, _typename, _length, _typep); \
-			break; \
-		case 192: \
-			RDATATYPE_COMPARE("rp", 17, _typename, _length, _typep); \
-			break; \
-		case 12: \
-			RDATATYPE_COMPARE("afsdb", 18, _typename, _length, _typep); \
-			break; \
-		case 119: \
-			RDATATYPE_COMPARE("x25", 19, _typename, _length, _typep); \
-			break; \
-		case 214: \
-			RDATATYPE_COMPARE("isdn", 20, _typename, _length, _typep); \
-			break; \
-		case 144: \
-			RDATATYPE_COMPARE("rt", 21, _typename, _length, _typep); \
-			break; \
-		case 224: \
-			RDATATYPE_COMPARE("nsap", 22, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("uid", 101, _typename, _length, _typep); \
-			break; \
-		case 140: \
-			RDATATYPE_COMPARE("nsap-ptr", 23, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("l64", 106, _typename, _length, _typep); \
-			break; \
-		case 122: \
-			RDATATYPE_COMPARE("sig", 24, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("dlv", 32769, _typename, _length, _typep); \
-			break; \
-		case 254: \
-			RDATATYPE_COMPARE("key", 25, _typename, _length, _typep); \
-			break; \
-		case 112: \
-			RDATATYPE_COMPARE("px", 26, _typename, _length, _typep); \
-			break; \
-		case 17: \
-			RDATATYPE_COMPARE("gpos", 27, _typename, _length, _typep); \
-			break; \
-		case 69: \
-			RDATATYPE_COMPARE("aaaa", 28, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("atma", 34, _typename, _length, _typep); \
-			break; \
-		case 237: \
-			RDATATYPE_COMPARE("loc", 29, _typename, _length, _typep); \
-			break; \
-		case 52: \
-			RDATATYPE_COMPARE("nxt", 30, _typename, _length, _typep); \
-			break; \
-		case 160: \
-			RDATATYPE_COMPARE("eid", 31, _typename, _length, _typep); \
-			break; \
-		case 220: \
-			RDATATYPE_COMPARE("nimloc", 32, _typename, _length, _typep); \
-			break; \
-		case 100: \
-			RDATATYPE_COMPARE("srv", 33, _typename, _length, _typep); \
-			break; \
-		case 172: \
-			RDATATYPE_COMPARE("cert", 37, _typename, _length, _typep); \
-			break; \
-		case 226: \
-			RDATATYPE_COMPARE("a6", 38, _typename, _length, _typep); \
-			break; \
-		case 109: \
-			RDATATYPE_COMPARE("dname", 39, _typename, _length, _typep); \
-			break; \
-		case 168: \
-			RDATATYPE_COMPARE("opt", 41, _typename, _length, _typep); \
-			break; \
-		case 48: \
-			RDATATYPE_COMPARE("apl", 42, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("eui48", 108, _typename, _length, _typep); \
-			break; \
-		case 210: \
-			RDATATYPE_COMPARE("ds", 43, _typename, _length, _typep); \
-			break; \
-		case 128: \
-			RDATATYPE_COMPARE("sshfp", 44, _typename, _length, _typep); \
-			break; \
-		case 105: \
-			RDATATYPE_COMPARE("ipseckey", 45, _typename, _length, _typep); \
-			break; \
-		case 225: \
-			RDATATYPE_COMPARE("rrsig", 46, _typename, _length, _typep); \
-			break; \
-		case 22: \
-			RDATATYPE_COMPARE("nsec", 47, _typename, _length, _typep); \
-			break; \
-		case 26: \
-			RDATATYPE_COMPARE("dnskey", 48, _typename, _length, _typep); \
-			break; \
-		case 4: \
-			RDATATYPE_COMPARE("dhcid", 49, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("spf", 99, _typename, _length, _typep); \
-			break; \
-		case 233: \
-			RDATATYPE_COMPARE("nsec3", 50, _typename, _length, _typep); \
-			break; \
-		case 120: \
-			RDATATYPE_COMPARE("tlsa", 52, _typename, _length, _typep); \
-			break; \
-		case 208: \
-			RDATATYPE_COMPARE("hip", 55, _typename, _length, _typep); \
-			break; \
-		case 230: \
-			RDATATYPE_COMPARE("uinfo", 100, _typename, _length, _typep); \
-			break; \
-		case 104: \
-			RDATATYPE_COMPARE("gid", 102, _typename, _length, _typep); \
-			break; \
-		case 145: \
-			RDATATYPE_COMPARE("unspec", 103, _typename, _length, _typep); \
-			break; \
-		case 36: \
-			RDATATYPE_COMPARE("nid", 104, _typename, _length, _typep); \
-			break; \
-		case 174: \
-			RDATATYPE_COMPARE("l32", 105, _typename, _length, _typep); \
-			break; \
-		case 32: \
-			RDATATYPE_COMPARE("lp", 107, _typename, _length, _typep); \
-			break; \
-		case 136: \
-			RDATATYPE_COMPARE("eui64", 109, _typename, _length, _typep); \
-			break; \
-		case 184: \
-			RDATATYPE_COMPARE("tkey", 249, _typename, _length, _typep); \
-			break; \
-		case 72: \
-			RDATATYPE_COMPARE("tsig", 250, _typename, _length, _typep); \
-			break; \
-		case 138: \
-			RDATATYPE_COMPARE("ixfr", 251, _typename, _length, _typep); \
-			break; \
-		case 250: \
-			RDATATYPE_COMPARE("axfr", 252, _typename, _length, _typep); \
-			break; \
-		case 164: \
-			RDATATYPE_COMPARE("mailb", 253, _typename, _length, _typep); \
-			break; \
-		case 50: \
-			RDATATYPE_COMPARE("maila", 254, _typename, _length, _typep); \
-			RDATATYPE_COMPARE("keydata", 65533, _typename, _length, _typep); \
-			break; \
-		case 68: \
-			RDATATYPE_COMPARE("any", 255, _typename, _length, _typep); \
-			break; \
-		case 56: \
-			RDATATYPE_COMPARE("uri", 256, _typename, _length, _typep); \
-			break; \
-	}
-#define RDATATYPE_ATTRIBUTE_SW \
-	switch (type) { \
-	case 0: return (DNS_RDATATYPEATTR_RESERVED); \
-	case 1: return (RRTYPE_A_ATTRIBUTES); \
-	case 2: return (RRTYPE_NS_ATTRIBUTES); \
-	case 3: return (RRTYPE_MD_ATTRIBUTES); \
-	case 4: return (RRTYPE_MF_ATTRIBUTES); \
-	case 5: return (RRTYPE_CNAME_ATTRIBUTES); \
-	case 6: return (RRTYPE_SOA_ATTRIBUTES); \
-	case 7: return (RRTYPE_MB_ATTRIBUTES); \
-	case 8: return (RRTYPE_MG_ATTRIBUTES); \
-	case 9: return (RRTYPE_MR_ATTRIBUTES); \
-	case 10: return (RRTYPE_NULL_ATTRIBUTES); \
-	case 11: return (RRTYPE_WKS_ATTRIBUTES); \
-	case 12: return (RRTYPE_PTR_ATTRIBUTES); \
-	case 13: return (RRTYPE_HINFO_ATTRIBUTES); \
-	case 14: return (RRTYPE_MINFO_ATTRIBUTES); \
-	case 15: return (RRTYPE_MX_ATTRIBUTES); \
-	case 16: return (RRTYPE_TXT_ATTRIBUTES); \
-	case 17: return (RRTYPE_RP_ATTRIBUTES); \
-	case 18: return (RRTYPE_AFSDB_ATTRIBUTES); \
-	case 19: return (RRTYPE_X25_ATTRIBUTES); \
-	case 20: return (RRTYPE_ISDN_ATTRIBUTES); \
-	case 21: return (RRTYPE_RT_ATTRIBUTES); \
-	case 22: return (RRTYPE_NSAP_ATTRIBUTES); \
-	case 23: return (RRTYPE_NSAP_PTR_ATTRIBUTES); \
-	case 24: return (RRTYPE_SIG_ATTRIBUTES); \
-	case 25: return (RRTYPE_KEY_ATTRIBUTES); \
-	case 26: return (RRTYPE_PX_ATTRIBUTES); \
-	case 27: return (RRTYPE_GPOS_ATTRIBUTES); \
-	case 28: return (RRTYPE_AAAA_ATTRIBUTES); \
-	case 29: return (RRTYPE_LOC_ATTRIBUTES); \
-	case 30: return (RRTYPE_NXT_ATTRIBUTES); \
-	case 31: return (DNS_RDATATYPEATTR_RESERVED); \
-	case 32: return (DNS_RDATATYPEATTR_RESERVED); \
-	case 33: return (RRTYPE_SRV_ATTRIBUTES); \
-	case 34: return (DNS_RDATATYPEATTR_RESERVED); \
-	case 35: return (RRTYPE_NAPTR_ATTRIBUTES); \
-	case 36: return (RRTYPE_KX_ATTRIBUTES); \
-	case 37: return (RRTYPE_CERT_ATTRIBUTES); \
-	case 38: return (RRTYPE_A6_ATTRIBUTES); \
-	case 39: return (RRTYPE_DNAME_ATTRIBUTES); \
-	case 41: return (RRTYPE_OPT_ATTRIBUTES); \
-	case 42: return (RRTYPE_APL_ATTRIBUTES); \
-	case 43: return (RRTYPE_DS_ATTRIBUTES); \
-	case 44: return (RRTYPE_SSHFP_ATTRIBUTES); \
-	case 45: return (RRTYPE_IPSECKEY_ATTRIBUTES); \
-	case 46: return (RRTYPE_RRSIG_ATTRIBUTES); \
-	case 47: return (RRTYPE_NSEC_ATTRIBUTES); \
-	case 48: return (RRTYPE_DNSKEY_ATTRIBUTES); \
-	case 49: return (RRTYPE_DHCID_ATTRIBUTES); \
-	case 50: return (RRTYPE_NSEC3_ATTRIBUTES); \
-	case 51: return (RRTYPE_NSEC3PARAM_ATTRIBUTES); \
-	case 52: return (RRTYPE_TLSA_ATTRIBUTES); \
-	case 55: return (RRTYPE_HIP_ATTRIBUTES); \
-	case 99: return (RRTYPE_SPF_ATTRIBUTES); \
-	case 100: return (DNS_RDATATYPEATTR_RESERVED); \
-	case 101: return (DNS_RDATATYPEATTR_RESERVED); \
-	case 102: return (DNS_RDATATYPEATTR_RESERVED); \
-	case 103: return (RRTYPE_UNSPEC_ATTRIBUTES); \
-	case 104: return (RRTYPE_NID_ATTRIBUTES); \
-	case 105: return (RRTYPE_L32_ATTRIBUTES); \
-	case 106: return (RRTYPE_L64_ATTRIBUTES); \
-	case 107: return (RRTYPE_LP_ATTRIBUTES); \
-	case 108: return (RRTYPE_EUI48_ATTRIBUTES); \
-	case 109: return (RRTYPE_EUI64_ATTRIBUTES); \
-	case 249: return (RRTYPE_TKEY_ATTRIBUTES); \
-	case 250: return (RRTYPE_TSIG_ATTRIBUTES); \
-	case 251: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
-	case 252: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
-	case 253: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
-	case 254: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
-	case 255: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
-	case 256: return (RRTYPE_URI_ATTRIBUTES); \
-	case 32769: return (RRTYPE_DLV_ATTRIBUTES); \
-	case 65533: return (RRTYPE_KEYDATA_ATTRIBUTES); \
-	}
-#define RDATATYPE_TOTEXT_SW \
-	switch (type) { \
-	case 0: return (str_totext("RESERVED0", target)); \
-	case 1: return (str_totext("A", target)); \
-	case 2: return (str_totext("NS", target)); \
-	case 3: return (str_totext("MD", target)); \
-	case 4: return (str_totext("MF", target)); \
-	case 5: return (str_totext("CNAME", target)); \
-	case 6: return (str_totext("SOA", target)); \
-	case 7: return (str_totext("MB", target)); \
-	case 8: return (str_totext("MG", target)); \
-	case 9: return (str_totext("MR", target)); \
-	case 10: return (str_totext("NULL", target)); \
-	case 11: return (str_totext("WKS", target)); \
-	case 12: return (str_totext("PTR", target)); \
-	case 13: return (str_totext("HINFO", target)); \
-	case 14: return (str_totext("MINFO", target)); \
-	case 15: return (str_totext("MX", target)); \
-	case 16: return (str_totext("TXT", target)); \
-	case 17: return (str_totext("RP", target)); \
-	case 18: return (str_totext("AFSDB", target)); \
-	case 19: return (str_totext("X25", target)); \
-	case 20: return (str_totext("ISDN", target)); \
-	case 21: return (str_totext("RT", target)); \
-	case 22: return (str_totext("NSAP", target)); \
-	case 23: return (str_totext("NSAP-PTR", target)); \
-	case 24: return (str_totext("SIG", target)); \
-	case 25: return (str_totext("KEY", target)); \
-	case 26: return (str_totext("PX", target)); \
-	case 27: return (str_totext("GPOS", target)); \
-	case 28: return (str_totext("AAAA", target)); \
-	case 29: return (str_totext("LOC", target)); \
-	case 30: return (str_totext("NXT", target)); \
-	case 31: return (str_totext("EID", target)); \
-	case 32: return (str_totext("NIMLOC", target)); \
-	case 33: return (str_totext("SRV", target)); \
-	case 34: return (str_totext("ATMA", target)); \
-	case 35: return (str_totext("NAPTR", target)); \
-	case 36: return (str_totext("KX", target)); \
-	case 37: return (str_totext("CERT", target)); \
-	case 38: return (str_totext("A6", target)); \
-	case 39: return (str_totext("DNAME", target)); \
-	case 41: return (str_totext("OPT", target)); \
-	case 42: return (str_totext("APL", target)); \
-	case 43: return (str_totext("DS", target)); \
-	case 44: return (str_totext("SSHFP", target)); \
-	case 45: return (str_totext("IPSECKEY", target)); \
-	case 46: return (str_totext("RRSIG", target)); \
-	case 47: return (str_totext("NSEC", target)); \
-	case 48: return (str_totext("DNSKEY", target)); \
-	case 49: return (str_totext("DHCID", target)); \
-	case 50: return (str_totext("NSEC3", target)); \
-	case 51: return (str_totext("NSEC3PARAM", target)); \
-	case 52: return (str_totext("TLSA", target)); \
-	case 55: return (str_totext("HIP", target)); \
-	case 99: return (str_totext("SPF", target)); \
-	case 100: return (str_totext("UINFO", target)); \
-	case 101: return (str_totext("UID", target)); \
-	case 102: return (str_totext("GID", target)); \
-	case 103: return (str_totext("UNSPEC", target)); \
-	case 104: return (str_totext("NID", target)); \
-	case 105: return (str_totext("L32", target)); \
-	case 106: return (str_totext("L64", target)); \
-	case 107: return (str_totext("LP", target)); \
-	case 108: return (str_totext("EUI48", target)); \
-	case 109: return (str_totext("EUI64", target)); \
-	case 249: return (str_totext("TKEY", target)); \
-	case 250: return (str_totext("TSIG", target)); \
-	case 251: return (str_totext("IXFR", target)); \
-	case 252: return (str_totext("AXFR", target)); \
-	case 253: return (str_totext("MAILB", target)); \
-	case 254: return (str_totext("MAILA", target)); \
-	case 255: return (str_totext("ANY", target)); \
-	case 256: return (str_totext("URI", target)); \
-	case 32769: return (str_totext("DLV", target)); \
-	case 65533: return (str_totext("KEYDATA", target)); \
-	}
-#endif /* DNS_CODE_H */
diff --git a/lib/bind/dns/dns/enumclass.h b/lib/bind/dns/dns/enumclass.h
deleted file mode 100644
index f9249ec..0000000
--- a/lib/bind/dns/dns/enumclass.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/***************
- ***************
- ***************   THIS FILE IS AUTOMATICALLY GENERATED BY gen.c.
- ***************   DO NOT EDIT!
- ***************
- ***************/
-
-/*! \file */
-
-#ifndef DNS_ENUMCLASS_H
-#define DNS_ENUMCLASS_H 1
-
-enum {
-	dns_rdataclass_reserved0 = 0,
-#define dns_rdataclass_reserved0 \
-				((dns_rdataclass_t)dns_rdataclass_reserved0)
-	dns_rdataclass_in = 1,
-#define dns_rdataclass_in	((dns_rdataclass_t)dns_rdataclass_in)
-	dns_rdataclass_chaos = 3,
-#define dns_rdataclass_chaos	((dns_rdataclass_t)dns_rdataclass_chaos)
-	dns_rdataclass_ch = 3,
-#define dns_rdataclass_ch	((dns_rdataclass_t)dns_rdataclass_ch)
-	dns_rdataclass_hs = 4,
-#define dns_rdataclass_hs	((dns_rdataclass_t)dns_rdataclass_hs)
-	dns_rdataclass_none = 254,
-#define dns_rdataclass_none	((dns_rdataclass_t)dns_rdataclass_none)
-	dns_rdataclass_any = 255
-#define dns_rdataclass_any	((dns_rdataclass_t)dns_rdataclass_any)
-};
-
-#endif /* DNS_ENUMCLASS_H */
diff --git a/lib/bind/dns/dns/enumtype.h b/lib/bind/dns/dns/enumtype.h
deleted file mode 100644
index aa53689..0000000
--- a/lib/bind/dns/dns/enumtype.h
+++ /dev/null
@@ -1,172 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/***************
- ***************
- ***************   THIS FILE IS AUTOMATICALLY GENERATED BY gen.c.
- ***************   DO NOT EDIT!
- ***************
- ***************/
-
-/*! \file */
-
-#ifndef DNS_ENUMTYPE_H
-#define DNS_ENUMTYPE_H 1
-
-enum {
-	dns_rdatatype_none = 0,
-	dns_rdatatype_a = 1,
-	dns_rdatatype_ns = 2,
-	dns_rdatatype_md = 3,
-	dns_rdatatype_mf = 4,
-	dns_rdatatype_cname = 5,
-	dns_rdatatype_soa = 6,
-	dns_rdatatype_mb = 7,
-	dns_rdatatype_mg = 8,
-	dns_rdatatype_mr = 9,
-	dns_rdatatype_null = 10,
-	dns_rdatatype_wks = 11,
-	dns_rdatatype_ptr = 12,
-	dns_rdatatype_hinfo = 13,
-	dns_rdatatype_minfo = 14,
-	dns_rdatatype_mx = 15,
-	dns_rdatatype_txt = 16,
-	dns_rdatatype_rp = 17,
-	dns_rdatatype_afsdb = 18,
-	dns_rdatatype_x25 = 19,
-	dns_rdatatype_isdn = 20,
-	dns_rdatatype_rt = 21,
-	dns_rdatatype_nsap = 22,
-	dns_rdatatype_nsap_ptr = 23,
-	dns_rdatatype_sig = 24,
-	dns_rdatatype_key = 25,
-	dns_rdatatype_px = 26,
-	dns_rdatatype_gpos = 27,
-	dns_rdatatype_aaaa = 28,
-	dns_rdatatype_loc = 29,
-	dns_rdatatype_nxt = 30,
-	dns_rdatatype_srv = 33,
-	dns_rdatatype_naptr = 35,
-	dns_rdatatype_kx = 36,
-	dns_rdatatype_cert = 37,
-	dns_rdatatype_a6 = 38,
-	dns_rdatatype_dname = 39,
-	dns_rdatatype_opt = 41,
-	dns_rdatatype_apl = 42,
-	dns_rdatatype_ds = 43,
-	dns_rdatatype_sshfp = 44,
-	dns_rdatatype_ipseckey = 45,
-	dns_rdatatype_rrsig = 46,
-	dns_rdatatype_nsec = 47,
-	dns_rdatatype_dnskey = 48,
-	dns_rdatatype_dhcid = 49,
-	dns_rdatatype_nsec3 = 50,
-	dns_rdatatype_nsec3param = 51,
-	dns_rdatatype_tlsa = 52,
-	dns_rdatatype_hip = 55,
-	dns_rdatatype_spf = 99,
-	dns_rdatatype_unspec = 103,
-	dns_rdatatype_nid = 104,
-	dns_rdatatype_l32 = 105,
-	dns_rdatatype_l64 = 106,
-	dns_rdatatype_lp = 107,
-	dns_rdatatype_eui48 = 108,
-	dns_rdatatype_eui64 = 109,
-	dns_rdatatype_tkey = 249,
-	dns_rdatatype_tsig = 250,
-	dns_rdatatype_uri = 256,
-	dns_rdatatype_dlv = 32769,
-	dns_rdatatype_keydata = 65533,
-	dns_rdatatype_ixfr = 251,
-	dns_rdatatype_axfr = 252,
-	dns_rdatatype_mailb = 253,
-	dns_rdatatype_maila = 254,
-	dns_rdatatype_any = 255
-};
-
-#define dns_rdatatype_none	((dns_rdatatype_t)dns_rdatatype_none)
-#define dns_rdatatype_a		((dns_rdatatype_t)dns_rdatatype_a)
-#define dns_rdatatype_ns	((dns_rdatatype_t)dns_rdatatype_ns)
-#define dns_rdatatype_md	((dns_rdatatype_t)dns_rdatatype_md)
-#define dns_rdatatype_mf	((dns_rdatatype_t)dns_rdatatype_mf)
-#define dns_rdatatype_cname	((dns_rdatatype_t)dns_rdatatype_cname)
-#define dns_rdatatype_soa	((dns_rdatatype_t)dns_rdatatype_soa)
-#define dns_rdatatype_mb	((dns_rdatatype_t)dns_rdatatype_mb)
-#define dns_rdatatype_mg	((dns_rdatatype_t)dns_rdatatype_mg)
-#define dns_rdatatype_mr	((dns_rdatatype_t)dns_rdatatype_mr)
-#define dns_rdatatype_null	((dns_rdatatype_t)dns_rdatatype_null)
-#define dns_rdatatype_wks	((dns_rdatatype_t)dns_rdatatype_wks)
-#define dns_rdatatype_ptr	((dns_rdatatype_t)dns_rdatatype_ptr)
-#define dns_rdatatype_hinfo	((dns_rdatatype_t)dns_rdatatype_hinfo)
-#define dns_rdatatype_minfo	((dns_rdatatype_t)dns_rdatatype_minfo)
-#define dns_rdatatype_mx	((dns_rdatatype_t)dns_rdatatype_mx)
-#define dns_rdatatype_txt	((dns_rdatatype_t)dns_rdatatype_txt)
-#define dns_rdatatype_rp	((dns_rdatatype_t)dns_rdatatype_rp)
-#define dns_rdatatype_afsdb	((dns_rdatatype_t)dns_rdatatype_afsdb)
-#define dns_rdatatype_x25	((dns_rdatatype_t)dns_rdatatype_x25)
-#define dns_rdatatype_isdn	((dns_rdatatype_t)dns_rdatatype_isdn)
-#define dns_rdatatype_rt	((dns_rdatatype_t)dns_rdatatype_rt)
-#define dns_rdatatype_nsap	((dns_rdatatype_t)dns_rdatatype_nsap)
-#define dns_rdatatype_nsap_ptr	((dns_rdatatype_t)dns_rdatatype_nsap_ptr)
-#define dns_rdatatype_sig	((dns_rdatatype_t)dns_rdatatype_sig)
-#define dns_rdatatype_key	((dns_rdatatype_t)dns_rdatatype_key)
-#define dns_rdatatype_px	((dns_rdatatype_t)dns_rdatatype_px)
-#define dns_rdatatype_gpos	((dns_rdatatype_t)dns_rdatatype_gpos)
-#define dns_rdatatype_aaaa	((dns_rdatatype_t)dns_rdatatype_aaaa)
-#define dns_rdatatype_loc	((dns_rdatatype_t)dns_rdatatype_loc)
-#define dns_rdatatype_nxt	((dns_rdatatype_t)dns_rdatatype_nxt)
-#define dns_rdatatype_srv	((dns_rdatatype_t)dns_rdatatype_srv)
-#define dns_rdatatype_naptr	((dns_rdatatype_t)dns_rdatatype_naptr)
-#define dns_rdatatype_kx	((dns_rdatatype_t)dns_rdatatype_kx)
-#define dns_rdatatype_cert	((dns_rdatatype_t)dns_rdatatype_cert)
-#define dns_rdatatype_a6	((dns_rdatatype_t)dns_rdatatype_a6)
-#define dns_rdatatype_dname	((dns_rdatatype_t)dns_rdatatype_dname)
-#define dns_rdatatype_opt	((dns_rdatatype_t)dns_rdatatype_opt)
-#define dns_rdatatype_apl	((dns_rdatatype_t)dns_rdatatype_apl)
-#define dns_rdatatype_ds	((dns_rdatatype_t)dns_rdatatype_ds)
-#define dns_rdatatype_sshfp	((dns_rdatatype_t)dns_rdatatype_sshfp)
-#define dns_rdatatype_ipseckey	((dns_rdatatype_t)dns_rdatatype_ipseckey)
-#define dns_rdatatype_rrsig	((dns_rdatatype_t)dns_rdatatype_rrsig)
-#define dns_rdatatype_nsec	((dns_rdatatype_t)dns_rdatatype_nsec)
-#define dns_rdatatype_dnskey	((dns_rdatatype_t)dns_rdatatype_dnskey)
-#define dns_rdatatype_dhcid	((dns_rdatatype_t)dns_rdatatype_dhcid)
-#define dns_rdatatype_nsec3	((dns_rdatatype_t)dns_rdatatype_nsec3)
-#define dns_rdatatype_nsec3param	((dns_rdatatype_t)dns_rdatatype_nsec3param)
-#define dns_rdatatype_tlsa	((dns_rdatatype_t)dns_rdatatype_tlsa)
-#define dns_rdatatype_hip	((dns_rdatatype_t)dns_rdatatype_hip)
-#define dns_rdatatype_spf	((dns_rdatatype_t)dns_rdatatype_spf)
-#define dns_rdatatype_unspec	((dns_rdatatype_t)dns_rdatatype_unspec)
-#define dns_rdatatype_nid	((dns_rdatatype_t)dns_rdatatype_nid)
-#define dns_rdatatype_l32	((dns_rdatatype_t)dns_rdatatype_l32)
-#define dns_rdatatype_l64	((dns_rdatatype_t)dns_rdatatype_l64)
-#define dns_rdatatype_lp	((dns_rdatatype_t)dns_rdatatype_lp)
-#define dns_rdatatype_eui48	((dns_rdatatype_t)dns_rdatatype_eui48)
-#define dns_rdatatype_eui64	((dns_rdatatype_t)dns_rdatatype_eui64)
-#define dns_rdatatype_tkey	((dns_rdatatype_t)dns_rdatatype_tkey)
-#define dns_rdatatype_tsig	((dns_rdatatype_t)dns_rdatatype_tsig)
-#define dns_rdatatype_uri	((dns_rdatatype_t)dns_rdatatype_uri)
-#define dns_rdatatype_dlv	((dns_rdatatype_t)dns_rdatatype_dlv)
-#define dns_rdatatype_keydata	((dns_rdatatype_t)dns_rdatatype_keydata)
-#define dns_rdatatype_ixfr	((dns_rdatatype_t)dns_rdatatype_ixfr)
-#define dns_rdatatype_axfr	((dns_rdatatype_t)dns_rdatatype_axfr)
-#define dns_rdatatype_mailb	((dns_rdatatype_t)dns_rdatatype_mailb)
-#define dns_rdatatype_maila	((dns_rdatatype_t)dns_rdatatype_maila)
-#define dns_rdatatype_any	((dns_rdatatype_t)dns_rdatatype_any)
-
-#endif /* DNS_ENUMTYPE_H */
diff --git a/lib/bind/dns/dns/rdatastruct.h b/lib/bind/dns/dns/rdatastruct.h
deleted file mode 100644
index 3828c8e..0000000
--- a/lib/bind/dns/dns/rdatastruct.h
+++ /dev/null
@@ -1,2391 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/***************
- ***************
- ***************   THIS FILE IS AUTOMATICALLY GENERATED BY gen.c.
- ***************   DO NOT EDIT!
- ***************
- ***************/
-
-/*! \file */
-
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatastructpre.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef DNS_RDATASTRUCT_H
-#define DNS_RDATASTRUCT_H 1
-
-#include <isc/lang.h>
-#include <isc/sockaddr.h>
-
-#include <dns/name.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef struct dns_rdatacommon {
-	dns_rdataclass_t			rdclass;
-	dns_rdatatype_t				rdtype;
-	ISC_LINK(struct dns_rdatacommon)	link;
-} dns_rdatacommon_t;
-
-#define DNS_RDATACOMMON_INIT(_data, _rdtype, _rdclass) \
-	do { \
-		(_data)->common.rdtype = (_rdtype); \
-		(_data)->common.rdclass = (_rdclass); \
-		ISC_LINK_INIT(&(_data)->common, link); \
-	} while (0)
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef IN_1_A_1_H
-#define IN_1_A_1_H 1
-
-/* $Id: a_1.h,v 1.28 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_in_a {
-	dns_rdatacommon_t	common;
-	struct in_addr          in_addr;
-} dns_rdata_in_a_t;
-
-#endif /* IN_1_A_1_H */
-/*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a_1.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
-
-/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
-/* Based on generic/mx_15.h */
-
-#ifndef CH_3_A_1_H
-#define CH_3_A_1_H 1
-
-typedef isc_uint16_t ch_addr_t;
-
-typedef struct dns_rdata_ch_a {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-  	dns_name_t		ch_addr_dom; /* ch-addr domain for back mapping */
-	ch_addr_t		ch_addr; /* chaos address (16 bit) network order */
-} dns_rdata_ch_a_t;
-
-#endif /* CH_3_A_1_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef HS_4_A_1_H
-#define HS_4_A_1_H 1
-
-/* $Id: a_1.h,v 1.12 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_hs_a {
-	dns_rdatacommon_t	common;
-	struct in_addr          in_addr;
-} dns_rdata_hs_a_t;
-
-#endif /* HS_4_A_1_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_NS_2_H
-#define GENERIC_NS_2_H 1
-
-/* $Id: ns_2.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_ns {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		name;
-} dns_rdata_ns_t;
-
-
-#endif /* GENERIC_NS_2_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MD_3_H
-#define GENERIC_MD_3_H 1
-
-/* $Id: md_3.h,v 1.28 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_md {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		md;
-} dns_rdata_md_t;
-
-
-#endif /* GENERIC_MD_3_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MF_4_H
-#define GENERIC_MF_4_H 1
-
-/* $Id: mf_4.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mf {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		mf;
-} dns_rdata_mf_t;
-
-#endif /* GENERIC_MF_4_H */
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cname_5.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef GENERIC_CNAME_5_H
-#define GENERIC_CNAME_5_H 1
-
-typedef struct dns_rdata_cname {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		cname;
-} dns_rdata_cname_t;
-
-#endif /* GENERIC_CNAME_5_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_SOA_6_H
-#define GENERIC_SOA_6_H 1
-
-/* $Id: soa_6.h,v 1.32 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_soa {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		origin;
-	dns_name_t		contact;
-	isc_uint32_t		serial;		/*%< host order */
-	isc_uint32_t		refresh;	/*%< host order */
-	isc_uint32_t		retry;		/*%< host order */
-	isc_uint32_t		expire;		/*%< host order */
-	isc_uint32_t		minimum;	/*%< host order */
-} dns_rdata_soa_t;
-
-
-#endif /* GENERIC_SOA_6_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MB_7_H
-#define GENERIC_MB_7_H 1
-
-/* $Id: mb_7.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mb {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		mb;
-} dns_rdata_mb_t;
-
-#endif /* GENERIC_MB_7_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MG_8_H
-#define GENERIC_MG_8_H 1
-
-/* $Id: mg_8.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mg {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		mg;
-} dns_rdata_mg_t;
-
-#endif /* GENERIC_MG_8_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MR_9_H
-#define GENERIC_MR_9_H 1
-
-/* $Id: mr_9.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mr {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		mr;
-} dns_rdata_mr_t;
-
-#endif /* GENERIC_MR_9_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_NULL_10_H
-#define GENERIC_NULL_10_H 1
-
-/* $Id: null_10.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_null {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		length;
-	unsigned char		*data;
-} dns_rdata_null_t;
-
-
-#endif /* GENERIC_NULL_10_H */
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_WKS_11_H
-#define IN_1_WKS_11_H 1
-
-/* $Id: wks_11.h,v 1.22 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef	struct dns_rdata_in_wks {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	struct in_addr		in_addr;
-	isc_uint16_t		protocol;
-	unsigned char		*map;
-	isc_uint16_t		map_len;
-} dns_rdata_in_wks_t;
-
-#endif /* IN_1_WKS_11_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_PTR_12_H
-#define GENERIC_PTR_12_H 1
-
-/* $Id: ptr_12.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_ptr {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        dns_name_t              ptr;
-} dns_rdata_ptr_t;
-
-#endif /* GENERIC_PTR_12_H */
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_HINFO_13_H
-#define GENERIC_HINFO_13_H 1
-
-/* $Id: hinfo_13.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_hinfo {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	char			*cpu;
-	char			*os;
-	isc_uint8_t		cpu_len;
-	isc_uint8_t		os_len;
-} dns_rdata_hinfo_t;
-
-#endif /* GENERIC_HINFO_13_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MINFO_14_H
-#define GENERIC_MINFO_14_H 1
-
-/* $Id: minfo_14.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_minfo {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		rmailbox;
-	dns_name_t		emailbox;
-} dns_rdata_minfo_t;
-
-#endif /* GENERIC_MINFO_14_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_MX_15_H
-#define GENERIC_MX_15_H 1
-
-/* $Id: mx_15.h,v 1.29 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_mx {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		pref;
-	dns_name_t		mx;
-} dns_rdata_mx_t;
-
-#endif /* GENERIC_MX_15_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_TXT_16_H
-#define GENERIC_TXT_16_H 1
-
-/* $Id: txt_16.h,v 1.28 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_txt_string {
-                isc_uint8_t    length;
-                unsigned char   *data;
-} dns_rdata_txt_string_t;
-
-typedef struct dns_rdata_txt {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        unsigned char           *txt;
-        isc_uint16_t            txt_len;
-        /* private */
-        isc_uint16_t            offset;
-} dns_rdata_txt_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_txt_first(dns_rdata_txt_t *);
-
-isc_result_t
-dns_rdata_txt_next(dns_rdata_txt_t *);
-
-isc_result_t
-dns_rdata_txt_current(dns_rdata_txt_t *, dns_rdata_txt_string_t *);
-
-#endif /* GENERIC_TXT_16_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_RP_17_H
-#define GENERIC_RP_17_H 1
-
-/* $Id: rp_17.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC1183 */
-
-typedef struct dns_rdata_rp {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        dns_name_t              mail;
-        dns_name_t              text;
-} dns_rdata_rp_t;
-
-
-#endif /* GENERIC_RP_17_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_AFSDB_18_H
-#define GENERIC_AFSDB_18_H 1
-
-/* $Id: afsdb_18.h,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC1183 */
-
-typedef struct dns_rdata_afsdb {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		subtype;
-	dns_name_t		server;
-} dns_rdata_afsdb_t;
-
-#endif /* GENERIC_AFSDB_18_H */
-
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_X25_19_H
-#define GENERIC_X25_19_H 1
-
-/* $Id: x25_19.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC1183 */
-
-typedef struct dns_rdata_x25 {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*x25;
-	isc_uint8_t		x25_len;
-} dns_rdata_x25_t;
-
-#endif /* GENERIC_X25_19_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_ISDN_20_H
-#define GENERIC_ISDN_20_H 1
-
-/* $Id: isdn_20.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- * \brief Per RFC1183 */
-
-typedef struct dns_rdata_isdn {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	char			*isdn;
-	char			*subaddress;
-	isc_uint8_t		isdn_len;
-	isc_uint8_t		subaddress_len;
-} dns_rdata_isdn_t;
-
-#endif /* GENERIC_ISDN_20_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_RT_21_H
-#define GENERIC_RT_21_H 1
-
-/* $Id: rt_21.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC1183 */
-
-typedef struct dns_rdata_rt {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		preference;
-	dns_name_t		host;
-} dns_rdata_rt_t;
-
-#endif /* GENERIC_RT_21_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_NSAP_22_H
-#define IN_1_NSAP_22_H 1
-
-/* $Id: nsap_22.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC1706 */
-
-typedef struct dns_rdata_in_nsap {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*nsap;
-	isc_uint16_t		nsap_len;
-} dns_rdata_in_nsap_t;
-
-#endif /* IN_1_NSAP_22_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_NSAP_PTR_23_H
-#define IN_1_NSAP_PTR_23_H 1
-
-/* $Id: nsap-ptr_23.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
-
-typedef struct dns_rdata_in_nsap_ptr {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		owner;
-} dns_rdata_in_nsap_ptr_t;
-
-#endif /* IN_1_NSAP_PTR_23_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_SIG_24_H
-#define GENERIC_SIG_24_H 1
-
-/* $Id: sig_24.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC2535 */
-
-typedef struct dns_rdata_sig_t {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	dns_rdatatype_t		covered;
-	dns_secalg_t		algorithm;
-	isc_uint8_t		labels;
-	isc_uint32_t		originalttl;
-	isc_uint32_t		timeexpire;
-	isc_uint32_t		timesigned;
-	isc_uint16_t		keyid;
-        dns_name_t		signer;
-	isc_uint16_t		siglen;
-	unsigned char *		signature;
-} dns_rdata_sig_t;
-
-
-#endif /* GENERIC_SIG_24_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_KEY_25_H
-#define GENERIC_KEY_25_H 1
-
-/* $Id: key_25.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- * \brief Per RFC2535 */
-
-typedef struct dns_rdata_key_t {
-        dns_rdatacommon_t	common;
-        isc_mem_t *		mctx;
-        isc_uint16_t		flags;
-        isc_uint8_t		protocol;
-        isc_uint8_t		algorithm;
-        isc_uint16_t		datalen;
-        unsigned char *		data;
-} dns_rdata_key_t;
-
-
-#endif /* GENERIC_KEY_25_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_PX_26_H
-#define IN_1_PX_26_H 1
-
-/* $Id: px_26.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC2163 */
-
-typedef struct dns_rdata_in_px {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		preference;
-	dns_name_t		map822;
-	dns_name_t		mapx400;
-} dns_rdata_in_px_t;
-
-#endif /* IN_1_PX_26_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_GPOS_27_H
-#define GENERIC_GPOS_27_H 1
-
-/* $Id: gpos_27.h,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief per RFC1712 */
-
-typedef struct dns_rdata_gpos {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	char			*longitude;
-	char			*latitude;
-	char			*altitude;
-	isc_uint8_t		long_len;
-	isc_uint8_t		lat_len;
-	isc_uint8_t		alt_len;
-} dns_rdata_gpos_t;
-
-#endif /* GENERIC_GPOS_27_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_AAAA_28_H
-#define IN_1_AAAA_28_H 1
-
-/* $Id: aaaa_28.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC1886 */
-
-typedef struct dns_rdata_in_aaaa {
-	dns_rdatacommon_t	common;
-	struct in6_addr		in6_addr;
-} dns_rdata_in_aaaa_t;
-
-#endif /* IN_1_AAAA_28_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_LOC_29_H
-#define GENERIC_LOC_29_H 1
-
-/* $Id: loc_29.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- * \brief Per RFC1876 */
-
-typedef struct dns_rdata_loc_0 {
-	isc_uint8_t	version;	/* must be first and zero */
-	isc_uint8_t	size;
-	isc_uint8_t	horizontal;
-	isc_uint8_t	vertical;
-	isc_uint32_t	latitude;
-	isc_uint32_t	longitude;
-	isc_uint32_t	altitude;
-} dns_rdata_loc_0_t;
-
-typedef struct dns_rdata_loc {
-	dns_rdatacommon_t	common;
-	union {
-		dns_rdata_loc_0_t v0;
-	} v;
-} dns_rdata_loc_t;
-
-#endif /* GENERIC_LOC_29_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NXT_30_H
-#define GENERIC_NXT_30_H 1
-
-/* $Id: nxt_30.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief RFC2535 */
-
-typedef struct dns_rdata_nxt {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		next;
-	unsigned char		*typebits;
-	isc_uint16_t		len;
-} dns_rdata_nxt_t;
-
-#endif /* GENERIC_NXT_30_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_SRV_33_H
-#define IN_1_SRV_33_H 1
-
-/* $Id: srv_33.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
-
-/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
-
-/*! 
- *  \brief Per RFC2782 */
-
-typedef struct dns_rdata_in_srv {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		priority;
-	isc_uint16_t		weight;
-	isc_uint16_t		port;
-	dns_name_t		target;
-} dns_rdata_in_srv_t;
-
-#endif /* IN_1_SRV_33_H */
-/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NAPTR_35_H
-#define GENERIC_NAPTR_35_H 1
-
-/* $Id$ */
-
-/*!
- *  \brief Per RFC2915 */
-
-typedef struct dns_rdata_naptr {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		order;
-	isc_uint16_t		preference;
-	char			*flags;
-	isc_uint8_t		flags_len;
-	char			*service;
-	isc_uint8_t		service_len;
-	char			*regexp;
-	isc_uint8_t		regexp_len;
-	dns_name_t		replacement;
-} dns_rdata_naptr_t;
-
-#endif /* GENERIC_NAPTR_35_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_KX_36_H
-#define IN_1_KX_36_H 1
-
-/* $Id: kx_36.h,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC2230 */
-
-typedef struct dns_rdata_in_kx {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		preference;
-	dns_name_t		exchange;
-} dns_rdata_in_kx_t;
-
-#endif /* IN_1_KX_36_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cert_37.h,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef GENERIC_CERT_37_H
-#define GENERIC_CERT_37_H 1
-
-/*% RFC2538 */
-typedef struct dns_rdata_cert {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		type;
-	isc_uint16_t		key_tag;
-	isc_uint8_t		algorithm;
-	isc_uint16_t		length;
-	unsigned char		*certificate;
-} dns_rdata_cert_t;
-
-#endif /* GENERIC_CERT_37_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_A6_38_H
-#define IN_1_A6_38_H 1
-
-/* $Id: a6_38.h,v 1.24 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief Per RFC2874 */
-
-typedef struct dns_rdata_in_a6 {
-        dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		prefix;
-	isc_uint8_t		prefixlen;
-	struct in6_addr		in6_addr;
-} dns_rdata_in_a6_t;
-
-#endif /* IN_1_A6_38_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_DNAME_39_H
-#define GENERIC_DNAME_39_H 1
-
-/* $Id: dname_39.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
-
-/*! 
- *  \brief per RFC2672 */
-
-typedef struct dns_rdata_dname {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		dname;
-} dns_rdata_dname_t;
-
-#endif /* GENERIC_DNAME_39_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_OPT_41_H
-#define GENERIC_OPT_41_H 1
-
-/* $Id: opt_41.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC2671 */
-
-typedef struct dns_rdata_opt_opcode {
-		isc_uint16_t	opcode;
-		isc_uint16_t	length;
-		unsigned char	*data;
-} dns_rdata_opt_opcode_t;
-
-typedef struct dns_rdata_opt {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*options;
-	isc_uint16_t		length;
-	/* private */
-	isc_uint16_t		offset;
-} dns_rdata_opt_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_opt_first(dns_rdata_opt_t *);
-
-isc_result_t
-dns_rdata_opt_next(dns_rdata_opt_t *);
-
-isc_result_t
-dns_rdata_opt_current(dns_rdata_opt_t *, dns_rdata_opt_opcode_t *);
-
-#endif /* GENERIC_OPT_41_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef IN_1_APL_42_H
-#define IN_1_APL_42_H 1
-
-/* $Id: apl_42.h,v 1.6 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_apl_ent {
-	isc_boolean_t	negative;
-	isc_uint16_t	family;
-	isc_uint8_t	prefix;
-	isc_uint8_t	length;
-	unsigned char	*data;
-} dns_rdata_apl_ent_t;
-
-typedef struct dns_rdata_in_apl {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	/* type & class specific elements */
-	unsigned char           *apl;
-        isc_uint16_t            apl_len;
-        /* private */
-        isc_uint16_t            offset;
-} dns_rdata_in_apl_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_apl_first(dns_rdata_in_apl_t *);
-
-isc_result_t
-dns_rdata_apl_next(dns_rdata_in_apl_t *);
-
-isc_result_t
-dns_rdata_apl_current(dns_rdata_in_apl_t *, dns_rdata_apl_ent_t *);
-
-#endif /* IN_1_APL_42_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ds_43.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef GENERIC_DS_43_H
-#define GENERIC_DS_43_H 1
-
-/*!
- *  \brief per draft-ietf-dnsext-delegation-signer-05.txt */
-typedef struct dns_rdata_ds {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		key_tag;
-	isc_uint8_t		algorithm;
-	isc_uint8_t		digest_type;
-	isc_uint16_t		length;
-	unsigned char		*digest;
-} dns_rdata_ds_t;
-
-#endif /* GENERIC_DS_43_H */
-/*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sshfp_44.h,v 1.8 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC 4255 */
-
-#ifndef GENERIC_SSHFP_44_H
-#define GENERIC_SSHFP_44_H 1
-
-typedef struct dns_rdata_sshfp {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint8_t		algorithm;
-	isc_uint8_t		digest_type;
-	isc_uint16_t		length;
-	unsigned char		*digest;
-} dns_rdata_sshfp_t;
-
-#endif /* GENERIC_SSHFP_44_H */
-/*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ipseckey_45.h,v 1.4 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef GENERIC_IPSECKEY_45_H
-#define GENERIC_IPSECKEY_45_H 1
-
-typedef struct dns_rdata_ipseckey {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint8_t		precedence;
-	isc_uint8_t		gateway_type;
-	isc_uint8_t		algorithm;
-	struct in_addr		in_addr;	/* gateway type 1 */
-	struct in6_addr		in6_addr;	/* gateway type 2 */
-	dns_name_t		gateway;	/* gateway type 3 */
-	unsigned char		*key;
-	isc_uint16_t		keylength;
-} dns_rdata_ipseckey_t;
-
-#endif /* GENERIC_IPSECKEY_45_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_DNSSIG_46_H
-#define GENERIC_DNSSIG_46_H 1
-
-/* $Id: rrsig_46.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per RFC2535 */
-typedef struct dns_rdata_rrsig {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	dns_rdatatype_t		covered;
-	dns_secalg_t		algorithm;
-	isc_uint8_t		labels;
-	isc_uint32_t		originalttl;
-	isc_uint32_t		timeexpire;
-	isc_uint32_t		timesigned;
-	isc_uint16_t		keyid;
-        dns_name_t		signer;
-	isc_uint16_t		siglen;
-	unsigned char *		signature;
-} dns_rdata_rrsig_t;
-
-
-#endif /* GENERIC_DNSSIG_46_H */
-/*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NSEC_47_H
-#define GENERIC_NSEC_47_H 1
-
-/* $Id: nsec_47.h,v 1.10 2008/07/15 23:47:21 tbox Exp $ */
-
-/*!
- * \brief Per RFC 3845 */
-
-typedef struct dns_rdata_nsec {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_name_t		next;
-	unsigned char		*typebits;
-	isc_uint16_t		len;
-} dns_rdata_nsec_t;
-
-#endif /* GENERIC_NSEC_47_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_DNSKEY_48_H
-#define GENERIC_DNSKEY_48_H 1
-
-/* $Id: dnskey_48.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief per RFC2535 */
-
-typedef struct dns_rdata_dnskey {
-        dns_rdatacommon_t	common;
-        isc_mem_t *		mctx;
-        isc_uint16_t		flags;
-        isc_uint8_t		protocol;
-        isc_uint8_t		algorithm;
-        isc_uint16_t		datalen;
-        unsigned char *		data;
-} dns_rdata_dnskey_t;
-
-
-#endif /* GENERIC_DNSKEY_48_H */
-/*
- * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef IN_1_DHCID_49_H
-#define IN_1_DHCID_49_H 1
-
-/* $Id: dhcid_49.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_in_dhcid {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*dhcid;
-	unsigned int		length;
-} dns_rdata_in_dhcid_t;
-
-#endif /* IN_1_DHCID_49_H */
-/*
- * Copyright (C) 2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-
-#ifndef GENERIC_NSEC3_50_H
-#define GENERIC_NSEC3_50_H 1
-
-/* $Id$ */
-
-/*!
- * \brief Per RFC 5155 */
-
-#include <isc/iterated_hash.h>
-
-typedef struct dns_rdata_nsec3 {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_hash_t		hash;
-	unsigned char		flags;
-	dns_iterations_t	iterations;
-	unsigned char		salt_length;
-	unsigned char		next_length;
-	isc_uint16_t		len;
-	unsigned char		*salt;
-	unsigned char		*next;
-	unsigned char		*typebits;
-} dns_rdata_nsec3_t;
-
-/*
- * The corresponding NSEC3 interval is OPTOUT indicating possible
- * insecure delegations.
- */
-#define DNS_NSEC3FLAG_OPTOUT 0x01U
-
-/*%
- * The following flags are used in the private-type record (implemented in
- * lib/dns/private.c) which is used to store NSEC3PARAM data during the
- * time when it is not legal to have an actual NSEC3PARAM record in the
- * zone.  They are defined here because the private-type record uses the
- * same flags field for the OPTOUT flag above and for the private flags
- * below.  XXX: This should be considered for refactoring.
- */
-
-/*%
- * Non-standard, private type only.
- *
- * Create a corresponding NSEC3 chain.
- * Once the NSEC3 chain is complete this flag will be removed to signal
- * that there is a complete chain.
- *
- * This flag is automatically set when a NSEC3PARAM record is added to
- * the zone via UPDATE.
- *
- * NSEC3PARAM records containing this flag should never be published,
- * but if they are, they should be ignored by RFC 5155 compliant
- * nameservers.
- */
-#define DNS_NSEC3FLAG_CREATE 0x80U
-
-/*%
- * Non-standard, private type only.
- *
- * The corresponding NSEC3 set is to be removed once the NSEC chain
- * has been generated.
- *
- * This flag is automatically set when the last active NSEC3PARAM record
- * is removed from the zone via UPDATE.
- *
- * NSEC3PARAM records containing this flag should never be published,
- * but if they are, they should be ignored by RFC 5155 compliant
- * nameservers.
- */
-#define DNS_NSEC3FLAG_REMOVE 0x40U
-
-/*%
- * Non-standard, private type only.
- *
- * When set with the CREATE flag, a corresponding NSEC3 chain will be
- * created when the zone becomes capable of supporting one (i.e., when it
- * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
- * Without this flag, NSEC3 chain creation would be attempted immediately,
- * fail, and the private type record would be removed.  With it, the NSEC3
- * parameters are stored until they can be used.  When the zone has the
- * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
- * and the record will be cleaned up normally.
- *
- * NSEC3PARAM records containing this flag should never be published, but
- * if they are, they should be ignored by RFC 5155 compliant nameservers.
- */
-#define DNS_NSEC3FLAG_INITIAL 0x20U
-
-/*%
- * Non-standard, private type only.
- *
- * Prevent the creation of a NSEC chain before the last NSEC3 chain
- * is removed.  This will normally only be set when the zone is
- * transitioning from secure with NSEC3 chains to insecure.
- *
- * NSEC3PARAM records containing this flag should never be published,
- * but if they are, they should be ignored by RFC 5155 compliant
- * nameservers.
- */
-#define DNS_NSEC3FLAG_NONSEC 0x10U
-
-#endif /* GENERIC_NSEC3_50_H */
-/*
- * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-
-#ifndef GENERIC_NSEC3PARAM_51_H
-#define GENERIC_NSEC3PARAM_51_H 1
-
-/* $Id: nsec3param_51.h,v 1.4 2008/09/25 04:02:39 tbox Exp $ */
-
-/*!
- * \brief Per RFC 5155 */
-
-#include <isc/iterated_hash.h>
-
-typedef struct dns_rdata_nsec3param {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	dns_hash_t		hash;
-	unsigned char		flags;		/* DNS_NSEC3FLAG_* */
-	dns_iterations_t	iterations;
-	unsigned char		salt_length;
-	unsigned char		*salt;
-} dns_rdata_nsec3param_t;
-
-#endif /* GENERIC_NSEC3PARAM_51_H */
-/*
- * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-#ifndef GENERIC_TLSA_52_H
-#define GENERIC_TLSA_52_H 1
-
-/*!
- *  \brief per draft-ietf-dane-protocol-19.txt
- */
-typedef struct dns_rdata_tlsa {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint8_t		usage;
-	isc_uint8_t		selector;
-	isc_uint8_t		match;
-	isc_uint16_t		length;
-	unsigned char		*data;
-} dns_rdata_tlsa_t;
-
-#endif /* GENERIC_TLSA_52_H */
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hip_55.h,v 1.2 2009/02/26 06:09:19 marka Exp $ */
-
-#ifndef GENERIC_HIP_5_H
-#define GENERIC_HIP_5_H 1
-
-/* RFC 5205 */
-
-typedef struct dns_rdata_hip {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	unsigned char *		hit;
-	unsigned char *		key;
-	unsigned char *		servers;
-	isc_uint8_t		algorithm;
-	isc_uint8_t		hit_len;
-	isc_uint16_t		key_len;
-	isc_uint16_t		servers_len;
-	/* Private */
-	isc_uint16_t		offset;
-} dns_rdata_hip_t;
-
-isc_result_t
-dns_rdata_hip_first(dns_rdata_hip_t *);
-
-isc_result_t
-dns_rdata_hip_next(dns_rdata_hip_t *);
-
-void
-dns_rdata_hip_current(dns_rdata_hip_t *, dns_name_t *);
-
-#endif /* GENERIC_HIP_5_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_SPF_99_H
-#define GENERIC_SPF_99_H 1
-
-/* $Id: spf_99.h,v 1.4 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_spf_string {
-                isc_uint8_t    length;
-                unsigned char   *data;
-} dns_rdata_spf_string_t;
-
-typedef struct dns_rdata_spf {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        unsigned char           *txt;
-        isc_uint16_t            txt_len;
-        /* private */
-        isc_uint16_t            offset;
-} dns_rdata_spf_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_spf_first(dns_rdata_spf_t *);
-
-isc_result_t
-dns_rdata_spf_next(dns_rdata_spf_t *);
-
-isc_result_t
-dns_rdata_spf_current(dns_rdata_spf_t *, dns_rdata_spf_string_t *);
-
-#endif /* GENERIC_SPF_99_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_UNSPEC_103_H
-#define GENERIC_UNSPEC_103_H 1
-
-/* $Id: unspec_103.h,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
-
-typedef struct dns_rdata_unspec_t {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	unsigned char		*data;
-	isc_uint16_t		datalen;
-} dns_rdata_unspec_t;
-
-#endif /* GENERIC_UNSPEC_103_H */
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_NID_104_H
-#define GENERIC_NID_104_H 1
-
-typedef struct dns_rdata_nid {
-	dns_rdatacommon_t	common;
-	isc_uint16_t		pref;
-	unsigned char		nid[8];
-} dns_rdata_nid_t;
-
-#endif /* GENERIC_NID_104_H */
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_L32_105_H
-#define GENERIC_L32_105_H 1
-
-typedef struct dns_rdata_l32 {
-	dns_rdatacommon_t	common;
-	isc_uint16_t		pref;
-	struct in_addr		l32;
-} dns_rdata_l32_t;
-
-#endif /* GENERIC_L32_105_H */
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_L64_106_H
-#define GENERIC_L64_106_H 1
-
-typedef struct dns_rdata_l64 {
-	dns_rdatacommon_t	common;
-	isc_uint16_t		pref;
-	unsigned char		l64[8];
-} dns_rdata_l64_t;
-
-#endif /* GENERIC_L64_106_H */
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_LP_107_H
-#define GENERIC_LP_107_H 1
-
-typedef struct dns_rdata_lp {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		pref;
-	dns_name_t		lp;
-} dns_rdata_lp_t;
-
-#endif /* GENERIC_LP_107_H */
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_EUI48_108_H
-#define GENERIC_EUI48_108_H 1
-
-typedef struct dns_rdata_eui48 {
-	dns_rdatacommon_t	common;
-	unsigned char		eui48[6];
-} dns_rdata_eui48_t;
-
-#endif /* GENERIC_EUI48_10k_H */
-/*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* */
-#ifndef GENERIC_EUI64_109_H
-#define GENERIC_EUI64_109_H 1
-
-typedef struct dns_rdata_eui64 {
-	dns_rdatacommon_t	common;
-	unsigned char		eui64[8];
-} dns_rdata_eui64_t;
-
-#endif /* GENERIC_EUI64_10k_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_TKEY_249_H
-#define GENERIC_TKEY_249_H 1
-
-/* $Id: tkey_249.h,v 1.24 2007/06/19 23:47:17 tbox Exp $ */
-
-/*!
- *  \brief Per draft-ietf-dnsind-tkey-00.txt */
-
-typedef struct dns_rdata_tkey {
-        dns_rdatacommon_t	common;
-        isc_mem_t *		mctx;
-        dns_name_t		algorithm;
-        isc_uint32_t		inception;
-        isc_uint32_t		expire;
-        isc_uint16_t		mode;
-        isc_uint16_t		error;
-        isc_uint16_t		keylen;
-        unsigned char *		key;
-        isc_uint16_t		otherlen;
-        unsigned char *		other;
-} dns_rdata_tkey_t;
-
-
-#endif /* GENERIC_TKEY_249_H */
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsig_250.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
-
-#ifndef ANY_255_TSIG_250_H
-#define ANY_255_TSIG_250_H 1
-
-/*% RFC2845 */
-typedef struct dns_rdata_any_tsig {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	dns_name_t		algorithm;
-	isc_uint64_t		timesigned;
-	isc_uint16_t		fudge;
-	isc_uint16_t		siglen;
-	unsigned char *		signature;
-	isc_uint16_t		originalid;
-	isc_uint16_t		error;
-	isc_uint16_t		otherlen;
-	unsigned char *		other;
-} dns_rdata_any_tsig_t;
-
-#endif /* ANY_255_TSIG_250_H */
-/*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_URI_256_H
-#define GENERIC_URI_256_H 1
-
-/* $Id$ */
-
-typedef struct dns_rdata_uri {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	isc_uint16_t		priority;
-	isc_uint16_t		weight;
-	unsigned char *		target;
-	isc_uint16_t		tgt_len;
-} dns_rdata_uri_t;
-
-#endif /* GENERIC_URI_256_H */
-/*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dlv_32769.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
-
-/* draft-ietf-dnsext-delegation-signer-05.txt */
-#ifndef GENERIC_DLV_32769_H
-#define GENERIC_DLV_32769_H 1
-
-typedef struct dns_rdata_dlv {
-	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;
-	isc_uint16_t		key_tag;
-	isc_uint8_t		algorithm;
-	isc_uint8_t		digest_type;
-	isc_uint16_t		length;
-	unsigned char		*digest;
-} dns_rdata_dlv_t;
-
-#endif /* GENERIC_DLV_32769_H */
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_KEYDATA_65533_H
-#define GENERIC_KEYDATA_65533_H 1
-
-/* $Id: keydata_65533.h,v 1.2 2009/06/30 02:52:32 each Exp $ */
-
-typedef struct dns_rdata_keydata {
-	dns_rdatacommon_t	common;
-	isc_mem_t *		mctx;
-	isc_uint32_t		refresh;      /* Timer for refreshing data */
-	isc_uint32_t		addhd;	      /* Hold-down timer for adding */
-	isc_uint32_t		removehd;     /* Hold-down timer for removing */
-	isc_uint16_t		flags;	      /* Copy of DNSKEY_48 */
-	isc_uint8_t		protocol;
-	isc_uint8_t		algorithm;
-	isc_uint16_t		datalen;
-	unsigned char *		data;
-} dns_rdata_keydata_t;
-
-#endif /* GENERIC_KEYDATA_65533_H */
-/*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatastructsuf.h,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATASTRUCT_H */
diff --git a/lib/bind/isc/Makefile b/lib/bind/isc/Makefile
deleted file mode 100644
index 773666e..0000000
--- a/lib/bind/isc/Makefile
+++ /dev/null
@@ -1,155 +0,0 @@
-# $FreeBSD$
-
-.include <bsd.own.mk>
-
-BIND_DIR=	${.CURDIR}/../../../contrib/bind9
-LIB_BIND_REL=	..
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/lib/isc
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-LIB=		isc
-
-.PATH:		${SRCDIR}/unix
-SRCS+=		app.c dir.c entropy.c \
-		errno2result.c file.c fsaccess.c \
-		interfaceiter.c keyboard.c net.c \
-		os.c resource.c socket.c stdio.c \
-		stdtime.c strerror.c syslog.c time.c \
-
-.PATH:		${SRCDIR}/nls
-SRCS+=		msgcat.c \
-
-.PATH:		${SRCDIR}/pthreads
-SRCS+=		condition.c mutex.c \
-		thread.c
-
-.PATH:		${SRCDIR}
-SRCS+=		inet_pton.c \
-		assertions.c backtrace.c base32.c base64.c bitstring.c \
-		buffer.c bufferlist.c commandline.c error.c event.c \
-		fsaccess.c hash.c \
-		heap.c hex.c hmacmd5.c hmacsha.c \
-		httpd.c inet_aton.c \
-		inet_ntop.c \
-		iterated_hash.c \
-		lex.c lfsr.c lib.c log.c \
-		md5.c mem.c mutexblock.c \
-		netaddr.c netscope.c ondestroy.c \
-		parseint.c pool.c portset.c \
-		print.c \
-		quota.c radix.c random.c \
-		ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
-		serial.c sha1.c sha2.c sockaddr.c stats.c string.c strtoul.c \
-		symtab.c task.c taskpool.c timer.c version.c
-
-.PATH:		${.CURDIR}
-SRCS+=		backtrace-emptytbl.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/pthreads/include
-CFLAGS+=	-I${SRCDIR}/include -I${.CURDIR}
-CFLAGS+=	-I${SRCDIR}/${ISC_ATOMIC_ARCH}/include
-
-DPADD=		${PTHREAD_DPADD}
-LDADD=		${PTHREAD_LDADD}
-
-.if ${MK_BIND_LIBS} != "no"
-INCS=		${SRCDIR}/include/isc/app.h \
-		${SRCDIR}/include/isc/assertions.h \
-		${SRCDIR}/include/isc/base32.h \
-		${SRCDIR}/include/isc/base64.h \
-		${SRCDIR}/include/isc/bind9.h \
-		${SRCDIR}/include/isc/bitstring.h \
-		${SRCDIR}/include/isc/boolean.h \
-		${SRCDIR}/include/isc/buffer.h \
-		${SRCDIR}/include/isc/bufferlist.h \
-		${SRCDIR}/include/isc/commandline.h \
-		${SRCDIR}/include/isc/entropy.h \
-		${SRCDIR}/include/isc/error.h \
-		${SRCDIR}/include/isc/event.h \
-		${SRCDIR}/include/isc/eventclass.h \
-		${SRCDIR}/include/isc/file.h \
-		${SRCDIR}/include/isc/formatcheck.h \
-		${SRCDIR}/include/isc/fsaccess.h \
-		${SRCDIR}/include/isc/hash.h \
-		${SRCDIR}/include/isc/heap.h \
-		${SRCDIR}/include/isc/hex.h \
-		${SRCDIR}/include/isc/hmacmd5.h \
-		${SRCDIR}/include/isc/hmacsha.h \
-		${SRCDIR}/include/isc/httpd.h \
-		${SRCDIR}/include/isc/iterated_hash.h \
-		${SRCDIR}/include/isc/interfaceiter.h \
-		${SRCDIR}/include/isc/ipv6.h \
-		${SRCDIR}/include/isc/lang.h \
-		${SRCDIR}/include/isc/lex.h \
-		${SRCDIR}/include/isc/lfsr.h \
-		${SRCDIR}/include/isc/lib.h \
-		${SRCDIR}/include/isc/list.h \
-		${SRCDIR}/include/isc/log.h \
-		${SRCDIR}/include/isc/magic.h \
-		${SRCDIR}/include/isc/md5.h \
-		${SRCDIR}/include/isc/mem.h \
-		${SRCDIR}/include/isc/msgcat.h \
-		${SRCDIR}/include/isc/msgs.h \
-		${SRCDIR}/include/isc/mutexblock.h \
-		${SRCDIR}/include/isc/namespace.h \
-		${SRCDIR}/include/isc/netaddr.h \
-		${SRCDIR}/include/isc/netscope.h \
-		${SRCDIR}/include/isc/ondestroy.h \
-		${SRCDIR}/include/isc/os.h \
-		${SRCDIR}/include/isc/parseint.h \
-		${SRCDIR}/include/isc/pool.h \
-		${SRCDIR}/include/isc/portset.h \
-		${SRCDIR}/include/isc/print.h \
-		${SRCDIR}/include/isc/queue.h \
-		${SRCDIR}/include/isc/quota.h \
-		${SRCDIR}/include/isc/radix.h \
-		${SRCDIR}/include/isc/random.h \
-		${SRCDIR}/include/isc/ratelimiter.h \
-		${SRCDIR}/include/isc/refcount.h \
-		${SRCDIR}/include/isc/region.h \
-		${SRCDIR}/include/isc/regex.h \
-		${SRCDIR}/include/isc/resource.h \
-		${SRCDIR}/include/isc/result.h \
-		${SRCDIR}/include/isc/resultclass.h \
-		${SRCDIR}/include/isc/rwlock.h \
-		${SRCDIR}/include/isc/serial.h \
-		${SRCDIR}/include/isc/sha1.h \
-		${SRCDIR}/include/isc/sha2.h \
-		${SRCDIR}/include/isc/sockaddr.h \
-		${SRCDIR}/include/isc/socket.h \
-		${SRCDIR}/include/isc/stats.h \
-		${SRCDIR}/include/isc/stdio.h \
-		${SRCDIR}/include/isc/stdlib.h \
-		${SRCDIR}/include/isc/string.h \
-		${SRCDIR}/include/isc/symtab.h \
-		${SRCDIR}/include/isc/task.h \
-		${SRCDIR}/include/isc/taskpool.h \
-		${SRCDIR}/include/isc/timer.h \
-		${SRCDIR}/include/isc/types.h \
-		${SRCDIR}/include/isc/util.h \
-		${SRCDIR}/include/isc/version.h \
-		${SRCDIR}/include/isc/xml.h \
-		${SRCDIR}/pthreads/include/isc/condition.h \
-		${SRCDIR}/pthreads/include/isc/mutex.h \
-		${SRCDIR}/pthreads/include/isc/once.h \
-		${SRCDIR}/pthreads/include/isc/thread.h \
-		${SRCDIR}/unix/include/isc/dir.h \
-		${SRCDIR}/unix/include/isc/int.h \
-		${SRCDIR}/unix/include/isc/keyboard.h \
-		${SRCDIR}/unix/include/isc/net.h \
-		${SRCDIR}/unix/include/isc/netdb.h \
-		${SRCDIR}/unix/include/isc/offset.h \
-		${SRCDIR}/unix/include/isc/stat.h \
-		${SRCDIR}/unix/include/isc/stdtime.h \
-		${SRCDIR}/unix/include/isc/strerror.h \
-		${SRCDIR}/unix/include/isc/syslog.h \
-		${SRCDIR}/unix/include/isc/time.h \
-		${SRCDIR}/${ISC_ATOMIC_ARCH}/include/isc/atomic.h \
-		isc/platform.h
-
-INCSDIR=	${INCLUDEDIR}/isc
-.endif
-
-.include <bsd.lib.mk>
diff --git a/lib/bind/isc/backtrace-emptytbl.c b/lib/bind/isc/backtrace-emptytbl.c
deleted file mode 100644
index 9c50d95..0000000
--- a/lib/bind/isc/backtrace-emptytbl.c
+++ /dev/null
@@ -1,36 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: backtrace-emptytbl.c,v 1.3 2009-09-01 20:13:44 each Exp $ */
-
-/*! \file */
-
-/*
- * This file defines an empty (default) symbol table used in backtrace.c
- * If the application wants to have a complete symbol table, it should redefine
- * isc__backtrace_symtable with the complete table in some way, and link the
- * version of the library not including this definition
- * (e.g. libisc-nosymbol.a).
- */
-
-#include <config.h>
-
-#include <isc/backtrace.h>
-
-const int isc__backtrace_nsymbols = 0;
-const isc_backtrace_symmap_t isc__backtrace_symtable[] = { { NULL, "" } };
diff --git a/lib/bind/isc/isc/platform.h b/lib/bind/isc/isc/platform.h
deleted file mode 100644
index 61630f4..0000000
--- a/lib/bind/isc/isc/platform.h
+++ /dev/null
@@ -1,404 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: platform.h.in,v 1.56 2010/12/18 01:56:23 each Exp $ */
-
-#ifndef ISC_PLATFORM_H
-#define ISC_PLATFORM_H 1
-
-/*! \file */
-
-/*****
- ***** Platform-dependent defines.
- *****/
-
-/***
- *** Network.
- ***/
-
-/*! \brief
- * Define if this system needs the <netinet/in6.h> header file included
- * for full IPv6 support (pretty much only UnixWare).
- */
-#undef ISC_PLATFORM_NEEDNETINETIN6H
-
-/*! \brief
- * Define if this system needs the <netinet6/in6.h> header file included
- * to support in6_pkinfo (pretty much only BSD/OS).
- */
-#undef ISC_PLATFORM_NEEDNETINET6IN6H
-
-/*! \brief
- * If sockaddrs on this system have an sa_len field, ISC_PLATFORM_HAVESALEN
- * will be defined.
- */
-#define ISC_PLATFORM_HAVESALEN 1
-
-/*! \brief
- * If this system has the IPv6 structure definitions, ISC_PLATFORM_HAVEIPV6
- * will be defined.
- */
-#define ISC_PLATFORM_HAVEIPV6 1
-
-/*! \brief
- * If this system is missing in6addr_any, ISC_PLATFORM_NEEDIN6ADDRANY will
- * be defined.
- */
-#undef ISC_PLATFORM_NEEDIN6ADDRANY
-
-/*! \brief
- * If this system is missing in6addr_loopback, ISC_PLATFORM_NEEDIN6ADDRLOOPBACK
- * will be defined.
- */
-#undef ISC_PLATFORM_NEEDIN6ADDRLOOPBACK
-
-/*! \brief
- * If this system has in6_pktinfo, ISC_PLATFORM_HAVEIN6PKTINFO will be
- * defined.
- */
-#define ISC_PLATFORM_HAVEIN6PKTINFO 1
-
-/*! \brief
- * If this system has in_addr6, rather than in6_addr, ISC_PLATFORM_HAVEINADDR6
- * will be defined.
- */
-#undef ISC_PLATFORM_HAVEINADDR6
-
-/*! \brief
- * If this system has sin6_scope_id, ISC_PLATFORM_HAVESCOPEID will be defined.
- */
-#define ISC_PLATFORM_HAVESCOPEID 1
-
-/*! \brief
- * If this system needs inet_ntop(), ISC_PLATFORM_NEEDNTOP will be defined.
- */
-#undef ISC_PLATFORM_NEEDNTOP
-
-/*! \brief
- * If this system needs inet_pton(), ISC_PLATFORM_NEEDPTON will be defined.
- */
-#undef ISC_PLATFORM_NEEDPTON
-
-/*! \brief
- * If this system needs in_port_t, ISC_PLATFORM_NEEDPORTT will be defined.
- */
-#undef ISC_PLATFORM_NEEDPORTT
-
-/*! \brief
- * Define if the system has struct lifconf which is a extended struct ifconf
- * for IPv6.
- */
-#undef ISC_PLATFORM_HAVELIFCONF
-
-/*! \brief
- * Define if the system has struct if_laddrconf which is a extended struct
- * ifconf for IPv6.
- */
-#undef ISC_PLATFORM_HAVEIF_LADDRCONF
-
-/*! \brief
- * Define if the system has struct if_laddrreq.
- */
-#undef ISC_PLATFORM_HAVEIF_LADDRREQ
-
-/*! \brief
- * Define either ISC_PLATFORM_BSD44MSGHDR or ISC_PLATFORM_BSD43MSGHDR.
- */
-#define ISC_NET_BSD44MSGHDR 1
-
-/*! \brief
- * Define if the system supports if_nametoindex.
- */
-#define ISC_PLATFORM_HAVEIFNAMETOINDEX 1
-
-/*! \brief
- * Define on some UnixWare systems to fix erroneous definitions of various
- * IN6_IS_ADDR_* macros.
- */
-#undef ISC_PLATFORM_FIXIN6ISADDR
-
-/*! \brief
- * Define if the system supports kqueue multiplexing
- */
-#define ISC_PLATFORM_HAVEKQUEUE 1
-
-/*! \brief
- * Define if the system supports epoll multiplexing
- */
-#undef ISC_PLATFORM_HAVEEPOLL
-
-/*! \brief
- * Define if the system supports /dev/poll multiplexing
- */
-#undef ISC_PLATFORM_HAVEDEVPOLL
-
-/*! \brief
- * Define if we want to log backtrace
- */
-#define ISC_PLATFORM_USEBACKTRACE 1
-
-/*
- *** Printing.
- ***/
-
-/*! \brief
- * If this system needs vsnprintf() and snprintf(), ISC_PLATFORM_NEEDVSNPRINTF
- * will be defined.
- */
-#undef ISC_PLATFORM_NEEDVSNPRINTF
-
-/*! \brief
- * If this system need a modern sprintf() that returns (int) not (char*).
- */
-#undef ISC_PLATFORM_NEEDSPRINTF
-
-/*! \brief
- * The printf format string modifier to use with isc_uint64_t values.
- */
-#define ISC_PLATFORM_QUADFORMAT "ll"
-
-/***
- *** String functions.
- ***/
-/*
- * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
- */
-#undef ISC_PLATFORM_NEEDSTRSEP
-
-/*
- * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
- */
-#undef ISC_PLATFORM_NEEDSTRLCPY
-
-/*
- * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
- */
-#undef ISC_PLATFORM_NEEDSTRLCAT
-
-/*
- * Define if this system needs strtoul.
- */
-#undef ISC_PLATFORM_NEEDSTRTOUL
-
-/*
- * Define if this system needs memmove.
- */
-#undef ISC_PLATFORM_NEEDMEMMOVE
-
-/***
- *** Miscellaneous.
- ***/
-
-/*
- * Defined if we are using threads.
- */
-#define ISC_PLATFORM_USETHREADS 1
-
-/*
- * Defined if unistd.h does not cause fd_set to be delared.
- */
-#undef ISC_PLATFORM_NEEDSYSSELECTH
-
-/*
- * Defined to <gssapi.h> or <gssapi/gssapi.h> for how to include
- * the GSSAPI header.
- */
-#define ISC_PLATFORM_GSSAPIHEADER <gssapi/gssapi.h>
-
-/*
- * Defined to <gssapi_krb5.h> or <gssapi/gssapi_krb5.h> for how to
- * include the GSSAPI KRB5 header.
- */
-#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <gssapi/gssapi_krb5.h>
-
-/*
- * Defined to <krb5.h> or <krb5/krb5.h> for how to include
- * the KRB5 header.
- */
-#define ISC_PLATFORM_KRB5HEADER <krb5.h>
-
-/*
- * Type used for resource limits.
- */
-#define ISC_PLATFORM_RLIMITTYPE rlim_t
-
-/*
- * Define if your compiler supports "long long int".
- */
-#define ISC_PLATFORM_HAVELONGLONG 1
-
-/*
- * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
- * prevent compiler warnings (such as with gcc on Solaris 2.8).
- */
-#undef ISC_PLATFORM_BRACEPTHREADONCEINIT
-
-/*
- * Used to control how extern data is linked; needed for Win32 platforms.
- */
-#undef ISC_PLATFORM_USEDECLSPEC
-
-/*
- * Define if the platform has <sys/un.h>.
- */
-#define ISC_PLATFORM_HAVESYSUNH 1
-
-/*
- * If the "xadd" operation is available on this architecture,
- * ISC_PLATFORM_HAVEXADD will be defined.
- */
-/*
- * FreeBSD local modification, preserve this over upgrades
- */
-#if defined (__i386__) || defined (__amd64__) || defined (__ia64__)
-#define ISC_PLATFORM_HAVEXADD 1
-#else
-#undef ISC_PLATFORM_HAVEXADD
-#endif
-
-/*
- * If the "xaddq" operation (64bit xadd) is available on this architecture,
- * ISC_PLATFORM_HAVEXADDQ will be defined.
- */
-/*
- * FreeBSD local modification, preserve this over upgrades
- */
-#ifdef __amd64__
-#define ISC_PLATFORM_HAVEXADDQ 1
-#else
-#undef ISC_PLATFORM_HAVEXADDQ
-#endif
-
-/*
- * If the "atomic swap" operation is available on this architecture,
- * ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
- */
-/*
- * FreeBSD local modification, preserve this over upgrades
- */
-#if defined (__i386__) || defined (__amd64__) || defined (__ia64__)
-#define ISC_PLATFORM_HAVEATOMICSTORE 1
-#else
-#undef ISC_PLATFORM_HAVEATOMICSTORE
-#endif
-
-/*
- * If the "compare-and-exchange" operation is available on this architecture,
- * ISC_PLATFORM_HAVECMPXCHG will be defined.
- */
-/*
- * FreeBSD local modification, preserve this over upgrades
- */
-#if defined (__i386__) || defined (__amd64__) || defined (__ia64__)
-#define ISC_PLATFORM_HAVECMPXCHG 1
-#else
-#undef ISC_PLATFORM_HAVECMPXCHG
-#endif
-
-/*
- * Define if gcc ASM extension is available
- */
-/*
- * FreeBSD local modification, preserve this over upgrades
- */
-#if defined (__i386__) || defined (__amd64__) || defined (__ia64__)
-#define ISC_PLATFORM_USEGCCASM 1
-#else
-#undef ISC_PLATFORM_USEGCCASM
-#endif
-
-/*
- * Define if Tru64 style ASM syntax must be used.
- */
-#undef ISC_PLATFORM_USEOSFASM
-
-/*
- * Define if the standard __asm function must be used.
- */
-
-
-/*
- * Define if the platform has <strings.h>.
- */
-#define ISC_PLATFORM_HAVESTRINGSH 1
-
-/*
- * Define if the hash functions must be provided by OpenSSL.
- */
-#undef ISC_PLATFORM_OPENSSLHASH
-
-/*
- * Defines for the noreturn attribute.
- */
-#define ISC_PLATFORM_NORETURN_PRE
-#define ISC_PLATFORM_NORETURN_POST __attribute__((noreturn))
-
-/***
- ***	Windows dll support.
- ***/
-
-/*
- * Define if MacOS style of PPC assembly must be used.
- * e.g. "r6", not "6", for register six.
- */
-
-
-#ifndef ISC_PLATFORM_USEDECLSPEC
-#define LIBISC_EXTERNAL_DATA
-#define LIBDNS_EXTERNAL_DATA
-#define LIBISCCC_EXTERNAL_DATA
-#define LIBISCCFG_EXTERNAL_DATA
-#define LIBBIND9_EXTERNAL_DATA
-#else /*! \brief ISC_PLATFORM_USEDECLSPEC */
-#ifdef LIBISC_EXPORTS
-#define LIBISC_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBISC_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBDNS_EXPORTS
-#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBISCCC_EXPORTS
-#define LIBISCCC_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBISCCC_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBISCCFG_EXPORTS
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBBIND9_EXPORTS
-#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#endif /*! \brief ISC_PLATFORM_USEDECLSPEC */
-
-/*
- * Tell emacs to use C mode for this file.
- *
- * Local Variables:
- * mode: c
- * End:
- */
-
-#endif /* ISC_PLATFORM_H */
diff --git a/lib/bind/isccc/Makefile b/lib/bind/isccc/Makefile
deleted file mode 100644
index 19fc2bf..0000000
--- a/lib/bind/isccc/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# $FreeBSD$
-
-.include <bsd.own.mk>
-
-BIND_DIR=	${.CURDIR}/../../../contrib/bind9
-LIB_BIND_REL=	..
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/lib/isccc
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-LIB=		isccc
-
-.PATH:		${SRCDIR}
-SRCS=		alist.c base64.c cc.c ccmsg.c \
-		lib.c \
-		result.c sexpr.c symtab.c version.c
-
-CFLAGS+=	-I${SRCDIR}/include
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-
-DPADD=		${PTHREAD_DPADD}
-LDADD=		${PTHREAD_LDADD}
-
-.if ${MK_BIND_LIBS} != "no"
-INCS=		${SRCDIR}/include/isccc/alist.h \
-		${SRCDIR}/include/isccc/base64.h \
-		${SRCDIR}/include/isccc/cc.h \
-		${SRCDIR}/include/isccc/ccmsg.h \
-		${SRCDIR}/include/isccc/events.h \
-		${SRCDIR}/include/isccc/lib.h \
-		${SRCDIR}/include/isccc/result.h \
-		${SRCDIR}/include/isccc/sexpr.h \
-		${SRCDIR}/include/isccc/symtab.h \
-		${SRCDIR}/include/isccc/symtype.h \
-		${SRCDIR}/include/isccc/types.h \
-		${SRCDIR}/include/isccc/util.h \
-		${SRCDIR}/include/isccc/version.h
-
-INCSDIR=	${INCLUDEDIR}/isccc
-.endif
-
-.include <bsd.lib.mk>
diff --git a/lib/bind/isccfg/Makefile b/lib/bind/isccfg/Makefile
deleted file mode 100644
index a4f5785..0000000
--- a/lib/bind/isccfg/Makefile
+++ /dev/null
@@ -1,34 +0,0 @@
-# $FreeBSD$
-
-.include <bsd.own.mk>
-
-BIND_DIR=	${.CURDIR}/../../../contrib/bind9
-LIB_BIND_REL=	..
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/lib/isccfg
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-LIB=		isccfg
-
-.PATH:		${SRCDIR}
-SRCS=		aclconf.c log.c namedconf.c parser.c version.c
-
-CFLAGS+=	-I${SRCDIR}/include -I${.CURDIR}
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-
-DPADD=		${PTHREAD_DPADD}
-LDADD=		${PTHREAD_LDADD}
-
-.if ${MK_BIND_LIBS} != "no"
-INCS=		${SRCDIR}/include/isccfg/aclconf.h \
-		${SRCDIR}/include/isccfg/cfg.h \
-		${SRCDIR}/include/isccfg/grammar.h \
-		${SRCDIR}/include/isccfg/log.h \
-		${SRCDIR}/include/isccfg/namedconf.h \
-		${SRCDIR}/include/isccfg/version.h
-
-INCSDIR=	${INCLUDEDIR}/isccfg
-.endif
-
-.include <bsd.lib.mk>
diff --git a/lib/bind/lwres/Makefile b/lib/bind/lwres/Makefile
deleted file mode 100644
index d4a94d7..0000000
--- a/lib/bind/lwres/Makefile
+++ /dev/null
@@ -1,130 +0,0 @@
-# $FreeBSD$
-
-.include <bsd.own.mk>
-
-BIND_DIR=	${.CURDIR}/../../../contrib/bind9
-LIB_BIND_REL=	..
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/lib/lwres
-
-# Unlike other BIND libs, this should be installed unless the user says NO.
-.if ${MK_BIND_LIBS_LWRES} != "no"
-MK_BIND_LIBS=	yes
-.endif
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-LIB=		lwres
-
-.PATH:		${SRCDIR} ${SRCDIR}/man
-SRCS+=		context.c gai_strerror.c getaddrinfo.c gethost.c \
-		getipnode.c getnameinfo.c getrrset.c herror.c \
-		lwbuffer.c lwconfig.c lwpacket.c lwresutil.c \
-		lwres_gabn.c lwres_gnba.c lwres_grbn.c lwres_noop.c \
-		lwinetaton.c lwinetpton.c lwinetntop.c print.c \
-		strtoul.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-CFLAGS+=	-I${.CURDIR}
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-CFLAGS+=	-I${BIND_DIR}/lib/isc/include
-CFLAGS+=	-I${BIND_DIR}/lib/isc/unix/include
-CFLAGS+=	-I${LIB_BIND_DIR}/isc
-
-DPADD=		${PTHREAD_DPADD}
-LDADD=		${PTHREAD_LDADD}
-
-.if ${MK_BIND_LIBS} != "no"
-MAN=		lwres.3 lwres_buffer.3 lwres_config.3 lwres_context.3 \
-		lwres_gabn.3 lwres_gai_strerror.3 lwres_getaddrinfo.3 \
-		lwres_gethostent.3 lwres_getipnode.3 lwres_getnameinfo.3 \
-		lwres_getrrsetbyname.3 lwres_gnba.3 lwres_hstrerror.3 \
-		lwres_inetntop.3 lwres_noop.3 lwres_packet.3 lwres_resutil.3
-
-MLINKS=		lwres_buffer.3 lwres_buffer_add.3 \
-		lwres_buffer.3 lwres_buffer_back.3 \
-		lwres_buffer.3 lwres_buffer_clear.3 \
-		lwres_buffer.3 lwres_buffer_first.3 \
-		lwres_buffer.3 lwres_buffer_forward.3 \
-		lwres_buffer.3 lwres_buffer_getmem.3 \
-		lwres_buffer.3 lwres_buffer_getuint16.3 \
-		lwres_buffer.3 lwres_buffer_getuint32.3 \
-		lwres_buffer.3 lwres_buffer_getuint8.3 \
-		lwres_buffer.3 lwres_buffer_init.3 \
-		lwres_buffer.3 lwres_buffer_invalidate.3 \
-		lwres_buffer.3 lwres_buffer_putmem.3 \
-		lwres_buffer.3 lwres_buffer_putuint16.3 \
-		lwres_buffer.3 lwres_buffer_putuint32.3 \
-		lwres_buffer.3 lwres_buffer_putuint8.3 \
-		lwres_buffer.3 lwres_buffer_subtract.3 \
-		lwres_config.3 lwres_conf_clear.3 \
-		lwres_config.3 lwres_conf_get.3 \
-		lwres_config.3 lwres_conf_init.3 \
-		lwres_config.3 lwres_conf_parse.3 \
-		lwres_config.3 lwres_conf_print.3 \
-		lwres_context.3 lwres_context_allocmem.3 \
-		lwres_context.3 lwres_context_create.3 \
-		lwres_context.3 lwres_context_destroy.3 \
-		lwres_context.3 lwres_context_freemem.3 \
-		lwres_context.3 lwres_context_initserial.3 \
-		lwres_context.3 lwres_context_nextserial.3 \
-		lwres_context.3 lwres_context_sendrecv.3 \
-		lwres_gabn.3 lwres_gabnrequest_free.3 \
-		lwres_gabn.3 lwres_gabnrequest_parse.3 \
-		lwres_gabn.3 lwres_gabnrequest_render.3 \
-		lwres_gabn.3 lwres_gabnresponse_free.3 \
-		lwres_gabn.3 lwres_gabnresponse_parse.3 \
-		lwres_gabn.3 lwres_gabnresponse_render.3 \
-		lwres_getaddrinfo.3 lwres_freeaddrinfo.3 \
-		lwres_gethostent.3 lwres_endhostent.3 \
-		lwres_gethostent.3 lwres_endhostent_r.3 \
-		lwres_gethostent.3 lwres_gethostbyaddr.3 \
-		lwres_gethostent.3 lwres_gethostbyaddr_r.3 \
-		lwres_gethostent.3 lwres_gethostbyname.3 \
-		lwres_gethostent.3 lwres_gethostbyname2.3 \
-		lwres_gethostent.3 lwres_gethostbyname_r.3 \
-		lwres_gethostent.3 lwres_gethostent_r.3 \
-		lwres_gethostent.3 lwres_sethostent.3 \
-		lwres_gethostent.3 lwres_sethostent_r.3 \
-		lwres_getipnode.3 lwres_freehostent.3 \
-		lwres_getipnode.3 lwres_getipnodebyaddr.3 \
-		lwres_getipnode.3 lwres_getipnodebyname.3 \
-		lwres_gnba.3 lwres_gnbarequest_free.3 \
-		lwres_gnba.3 lwres_gnbarequest_parse.3 \
-		lwres_gnba.3 lwres_gnbarequest_render.3 \
-		lwres_gnba.3 lwres_gnbaresponse_free.3 \
-		lwres_gnba.3 lwres_gnbaresponse_parse.3 \
-		lwres_gnba.3 lwres_gnbaresponse_render.3 \
-		lwres_hstrerror.3 lwres_herror.3 \
-		lwres_inetntop.3 lwres_net_ntop.3 \
-		lwres_noop.3 lwres_nooprequest_free.3 \
-		lwres_noop.3 lwres_nooprequest_parse.3 \
-		lwres_noop.3 lwres_nooprequest_render.3 \
-		lwres_noop.3 lwres_noopresponse_free.3 \
-		lwres_noop.3 lwres_noopresponse_parse.3 \
-		lwres_noop.3 lwres_noopresponse_render.3 \
-		lwres_packet.3 lwres_lwpacket_parseheader.3 \
-		lwres_packet.3 lwres_lwpacket_renderheader.3 \
-		lwres_resutil.3 lwres_addr_parse.3 \
-		lwres_resutil.3 lwres_getaddrsbyname.3 \
-		lwres_resutil.3 lwres_getnamebyaddr.3 \
-		lwres_resutil.3 lwres_string_parse.3
-
-INCS=		${SRCDIR}/include/lwres/context.h \
-		${SRCDIR}/include/lwres/int.h \
-		${SRCDIR}/include/lwres/ipv6.h \
-		${SRCDIR}/include/lwres/lang.h \
-		${SRCDIR}/include/lwres/list.h \
-		${SRCDIR}/include/lwres/lwbuffer.h \
-		${SRCDIR}/include/lwres/lwpacket.h \
-		${SRCDIR}/include/lwres/lwres.h \
-		${SRCDIR}/include/lwres/result.h \
-		${SRCDIR}/include/lwres/version.h \
-		${SRCDIR}/unix/include/lwres/net.h \
-		lwres/netdb.h \
-		lwres/platform.h
-
-INCSDIR=	${INCLUDEDIR}/lwres
-.endif
-
-.include <bsd.lib.mk>
diff --git a/lib/bind/lwres/lwres/netdb.h b/lib/bind/lwres/lwres/netdb.h
deleted file mode 100644
index 55dc7a1..0000000
--- a/lib/bind/lwres/lwres/netdb.h
+++ /dev/null
@@ -1,522 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netdb.h.in,v 1.41 2009/01/18 23:48:14 tbox Exp $ */
-
-/*! \file */
-
-#ifndef LWRES_NETDB_H
-#define LWRES_NETDB_H 1
-
-#include <stddef.h>	/* Required on FreeBSD (and  others?) for size_t. */
-#include <netdb.h>	/* Contractual provision. */
-
-#include <lwres/lang.h>
-
-/*
- * Define if <netdb.h> does not declare struct addrinfo.
- */
-#undef ISC_LWRES_NEEDADDRINFO
-
-#ifdef ISC_LWRES_NEEDADDRINFO
-struct addrinfo {
-	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
-	int		ai_family;     /* PF_xxx */
-	int		ai_socktype;   /* SOCK_xxx */
-	int		ai_protocol;   /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
-	size_t		ai_addrlen;    /* Length of ai_addr */
-	char		*ai_canonname; /* Canonical name for hostname */
-	struct sockaddr	*ai_addr;      /* Binary address */
-	struct addrinfo	*ai_next;      /* Next structure in linked list */
-};
-#endif
-
-/*
- * Undefine all #defines we are interested in as <netdb.h> may or may not have
- * defined them.
- */
-
-/*
- * Error return codes from gethostbyname() and gethostbyaddr()
- * (left in extern int h_errno).
- */
-
-#undef	NETDB_INTERNAL
-#undef	NETDB_SUCCESS
-#undef	HOST_NOT_FOUND
-#undef	TRY_AGAIN
-#undef	NO_RECOVERY
-#undef	NO_DATA
-#undef	NO_ADDRESS
-
-#define	NETDB_INTERNAL	-1	/* see errno */
-#define	NETDB_SUCCESS	0	/* no problem */
-#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
-#define	TRY_AGAIN	2 /* Non-Authoritative Host not found, or SERVERFAIL */
-#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
-#define	NO_DATA		4 /* Valid name, no data record of requested type */
-#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
-
-/*
- * Error return codes from getaddrinfo()
- */
-
-#undef	EAI_ADDRFAMILY
-#undef	EAI_AGAIN
-#undef	EAI_BADFLAGS
-#undef	EAI_FAIL
-#undef	EAI_FAMILY
-#undef	EAI_MEMORY
-#undef	EAI_NODATA
-#undef	EAI_NONAME
-#undef	EAI_SERVICE
-#undef	EAI_SOCKTYPE
-#undef	EAI_SYSTEM
-#undef	EAI_BADHINTS
-#undef	EAI_PROTOCOL
-#undef	EAI_MAX
-
-#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
-#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
-#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
-#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
-#define	EAI_FAMILY	 5	/* ai_family not supported */
-#define	EAI_MEMORY	 6	/* memory allocation failure */
-#define	EAI_NODATA	 7	/* no address associated with hostname */
-#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
-#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
-#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
-#define	EAI_SYSTEM	11	/* system error returned in errno */
-#define EAI_BADHINTS	12
-#define EAI_PROTOCOL	13
-#define EAI_MAX		14
-
-/*
- * Flag values for getaddrinfo()
- */
-#undef	AI_PASSIVE
-#undef	AI_CANONNAME
-#undef	AI_NUMERICHOST
-
-#define	AI_PASSIVE	0x00000001
-#define	AI_CANONNAME	0x00000002
-#define AI_NUMERICHOST	0x00000004
-
-/*
- * Flag values for getipnodebyname()
- */
-#undef AI_V4MAPPED
-#undef AI_ALL
-#undef AI_ADDRCONFIG
-#undef AI_DEFAULT
-
-#define AI_V4MAPPED	0x00000008
-#define AI_ALL		0x00000010
-#define AI_ADDRCONFIG	0x00000020
-#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
-
-/*
- * Constants for lwres_getnameinfo()
- */
-#undef	NI_MAXHOST
-#undef	NI_MAXSERV
-
-#define	NI_MAXHOST	1025
-#define	NI_MAXSERV	32
-
-/*
- * Flag values for lwres_getnameinfo()
- */
-#undef	NI_NOFQDN
-#undef	NI_NUMERICHOST
-#undef	NI_NAMEREQD
-#undef	NI_NUMERICSERV
-#undef	NI_DGRAM
-#undef	NI_NUMERICSCOPE
-
-#define	NI_NOFQDN	0x00000001
-#define	NI_NUMERICHOST	0x00000002
-#define	NI_NAMEREQD	0x00000004
-#define	NI_NUMERICSERV	0x00000008
-#define	NI_DGRAM	0x00000010
-#define	NI_NUMERICSCOPE	0x00000020	/*2553bis-00*/
-
-/*
- * Define if <netdb.h> does not declare struct rrsetinfo.
- */
-#define ISC_LWRES_NEEDRRSETINFO 1
-
-#ifdef ISC_LWRES_NEEDRRSETINFO
-/*
- * Structures for getrrsetbyname()
- */
-struct rdatainfo {
-	unsigned int		rdi_length;
-	unsigned char		*rdi_data;
-};
-
-struct rrsetinfo {
-	unsigned int		rri_flags;
-	int			rri_rdclass;
-	int			rri_rdtype;
-	unsigned int		rri_ttl;
-	unsigned int		rri_nrdatas;
-	unsigned int		rri_nsigs;
-	char			*rri_name;
-	struct rdatainfo	*rri_rdatas;
-	struct rdatainfo	*rri_sigs;
-};
-
-/*
- * Flags for getrrsetbyname()
- */
-#define RRSET_VALIDATED		0x00000001
-	/* Set was dnssec validated */
-
-/*
- * Return codes for getrrsetbyname()
- */
-#define ERRSET_SUCCESS		0
-#define ERRSET_NOMEMORY		1
-#define ERRSET_FAIL		2
-#define ERRSET_INVAL		3
-#define	ERRSET_NONAME	 	4
-#define	ERRSET_NODATA	 	5
-#endif
-
-/*
- * Define to map into lwres_ namespace.
- */
-
-#define LWRES_NAMESPACE
-
-#ifdef LWRES_NAMESPACE
-
-/*
- * Use our versions not the ones from the C library.
- */
-
-#ifdef getnameinfo
-#undef getnameinfo
-#endif
-#define getnameinfo lwres_getnameinfo
-
-#ifdef getaddrinfo
-#undef getaddrinfo
-#endif
-#define getaddrinfo lwres_getaddrinfo
-
-#ifdef freeaddrinfo
-#undef freeaddrinfo
-#endif
-#define freeaddrinfo lwres_freeaddrinfo
-
-#ifdef gai_strerror
-#undef gai_strerror
-#endif
-#define gai_strerror lwres_gai_strerror
-
-#ifdef herror
-#undef herror
-#endif
-#define herror lwres_herror
-
-#ifdef hstrerror
-#undef hstrerror
-#endif
-#define hstrerror lwres_hstrerror
-
-#ifdef getipnodebyname
-#undef getipnodebyname
-#endif
-#define getipnodebyname lwres_getipnodebyname
-
-#ifdef getipnodebyaddr
-#undef getipnodebyaddr
-#endif
-#define getipnodebyaddr lwres_getipnodebyaddr
-
-#ifdef freehostent
-#undef freehostent
-#endif
-#define freehostent lwres_freehostent
-
-#ifdef gethostbyname
-#undef gethostbyname
-#endif
-#define gethostbyname lwres_gethostbyname
-
-#ifdef gethostbyname2
-#undef gethostbyname2
-#endif
-#define gethostbyname2 lwres_gethostbyname2
-
-#ifdef gethostbyaddr
-#undef gethostbyaddr
-#endif
-#define gethostbyaddr lwres_gethostbyaddr
-
-#ifdef gethostent
-#undef gethostent
-#endif
-#define gethostent lwres_gethostent
-
-#ifdef sethostent
-#undef sethostent
-#endif
-#define sethostent lwres_sethostent
-
-#ifdef endhostent
-#undef endhostent
-#endif
-#define endhostent lwres_endhostent
-
-/* #define sethostfile lwres_sethostfile */
-
-#ifdef gethostbyname_r
-#undef gethostbyname_r
-#endif
-#define gethostbyname_r lwres_gethostbyname_r
-
-#ifdef gethostbyaddr_r
-#undef gethostbyaddr_r
-#endif
-#define gethostbyaddr_r lwres_gethostbyaddr_r
-
-#ifdef gethostent_r
-#undef gethostent_r
-#endif
-#define gethostent_r lwres_gethostent_r
-
-#ifdef sethostent_r
-#undef sethostent_r
-#endif
-#define sethostent_r lwres_sethostent_r
-
-#ifdef endhostent_r
-#undef endhostent_r
-#endif
-#define endhostent_r lwres_endhostent_r
-
-#ifdef getrrsetbyname
-#undef getrrsetbyname
-#endif
-#define getrrsetbyname lwres_getrrsetbyname
-
-#ifdef freerrset
-#undef freerrset
-#endif
-#define freerrset lwres_freerrset
-
-#ifdef notyet
-#define getservbyname lwres_getservbyname
-#define getservbyport lwres_getservbyport
-#define getservent lwres_getservent
-#define setservent lwres_setservent
-#define endservent lwres_endservent
-
-#define getservbyname_r lwres_getservbyname_r
-#define getservbyport_r lwres_getservbyport_r
-#define getservent_r lwres_getservent_r
-#define setservent_r lwres_setservent_r
-#define endservent_r lwres_endservent_r
-
-#define getprotobyname lwres_getprotobyname
-#define getprotobynumber lwres_getprotobynumber
-#define getprotoent lwres_getprotoent
-#define setprotoent lwres_setprotoent
-#define endprotoent lwres_endprotoent
-
-#define getprotobyname_r lwres_getprotobyname_r
-#define getprotobynumber_r lwres_getprotobynumber_r
-#define getprotoent_r lwres_getprotoent_r
-#define setprotoent_r lwres_setprotoent_r
-#define endprotoent_r lwres_endprotoent_r
-
-#ifdef getnetbyname
-#undef getnetbyname
-#endif
-#define getnetbyname lwres_getnetbyname
-
-#ifdef getnetbyaddr
-#undef getnetbyaddr
-#endif
-#define getnetbyaddr lwres_getnetbyaddr
-
-#ifdef getnetent
-#undef getnetent
-#endif
-#define getnetent lwres_getnetent
-
-#ifdef setnetent
-#undef setnetent
-#endif
-#define setnetent lwres_setnetent
-
-#ifdef endnetent
-#undef endnetent
-#endif
-#define endnetent lwres_endnetent
-
-
-#ifdef getnetbyname_r
-#undef getnetbyname_r
-#endif
-#define getnetbyname_r lwres_getnetbyname_r
-
-#ifdef getnetbyaddr_r
-#undef getnetbyaddr_r
-#endif
-#define getnetbyaddr_r lwres_getnetbyaddr_r
-
-#ifdef getnetent_r
-#undef getnetent_r
-#endif
-#define getnetent_r lwres_getnetent_r
-
-#ifdef setnetent_r
-#undef setnetent_r
-#endif
-#define setnetent_r lwres_setnetent_r
-
-#ifdef endnetent_r
-#undef endnetent_r
-#endif
-#define endnetent_r lwres_endnetent_r
-#endif	/* notyet */
-
-#ifdef h_errno
-#undef h_errno
-#endif
-#define h_errno lwres_h_errno
-
-#endif	/* LWRES_NAMESPACE */
-
-LWRES_LANG_BEGINDECLS
-
-extern int lwres_h_errno;
-
-int		lwres_getaddrinfo(const char *, const char *,
-				 const struct addrinfo *, struct addrinfo **);
-int		lwres_getnameinfo(const struct sockaddr *, size_t, char *,
-				 size_t, char *, size_t, int);
-void		lwres_freeaddrinfo(struct addrinfo *);
-char		*lwres_gai_strerror(int);
-
-struct hostent	*lwres_gethostbyaddr(const char *, int, int);
-struct hostent	*lwres_gethostbyname(const char *);
-struct hostent	*lwres_gethostbyname2(const char *, int);
-struct hostent	*lwres_gethostent(void);
-struct hostent	*lwres_getipnodebyname(const char *, int, int, int *);
-struct hostent	*lwres_getipnodebyaddr(const void *, size_t, int, int *);
-void		lwres_endhostent(void);
-void		lwres_sethostent(int);
-/* void		lwres_sethostfile(const char *); */
-void		lwres_freehostent(struct hostent *);
-
-int		lwres_getrrsetbyname(const char *, unsigned int, unsigned int,
-				     unsigned int, struct rrsetinfo **);
-void		lwres_freerrset(struct rrsetinfo *);
-
-#ifdef notyet
-struct netent	*lwres_getnetbyaddr(unsigned long, int);
-struct netent	*lwres_getnetbyname(const char *);
-struct netent	*lwres_getnetent(void);
-void		lwres_endnetent(void);
-void		lwres_setnetent(int);
-
-struct protoent	*lwres_getprotobyname(const char *);
-struct protoent	*lwres_getprotobynumber(int);
-struct protoent	*lwres_getprotoent(void);
-void		lwres_endprotoent(void);
-void		lwres_setprotoent(int);
-
-struct servent	*lwres_getservbyname(const char *, const char *);
-struct servent	*lwres_getservbyport(int, const char *);
-struct servent	*lwres_getservent(void);
-void		lwres_endservent(void);
-void		lwres_setservent(int);
-#endif /* notyet */
-
-void		lwres_herror(const char *);
-const char	*lwres_hstrerror(int);
-
-
-struct hostent	*lwres_gethostbyaddr_r(const char *, int, int, struct hostent *,
-					char *, int, int *);
-struct hostent	*lwres_gethostbyname_r(const char *, struct hostent *,
-					char *, int, int *);
-struct hostent	*lwres_gethostent_r(struct hostent *, char *, int, int *);
-void		lwres_sethostent_r(int);
-void		lwres_endhostent_r(void);
-
-#ifdef notyet
-struct netent	*lwres_getnetbyname_r(const char *, struct netent *,
-					char *, int);
-struct netent	*lwres_getnetbyaddr_r(long, int, struct netent *,
-					char *, int);
-struct netent	*lwres_getnetent_r(struct netent *, char *, int);
-void		lwres_setnetent_r(int);
-void		lwres_endnetent_r(void);
-
-struct protoent	*lwres_getprotobyname_r(const char *,
-				struct protoent *, char *, int);
-struct protoent	*lwres_getprotobynumber_r(int,
-				struct protoent *, char *, int);
-struct protoent	*lwres_getprotoent_r(struct protoent *, char *, int);
-void		lwres_setprotoent_r(int);
-void		lwres_endprotoent_r(void);
-
-struct servent	*lwres_getservbyname_r(const char *name, const char *,
-					struct servent *, char *, int);
-struct servent	*lwres_getservbyport_r(int port, const char *,
-					struct servent *, char *, int);
-struct servent	*lwres_getservent_r(struct servent *, char *, int);
-void		lwres_setservent_r(int);
-void		lwres_endservent_r(void);
-#endif	/* notyet */
-
-LWRES_LANG_ENDDECLS
-
-#ifdef notyet
-/* This is nec'y to make this include file properly replace the sun version. */
-#ifdef sun
-#ifdef __GNU_LIBRARY__
-#include <rpc/netdb.h>		/* Required. */
-#else /* !__GNU_LIBRARY__ */
-struct rpcent {
-	char	*r_name;	/* name of server for this rpc program */
-	char	**r_aliases;	/* alias list */
-	int	r_number;	/* rpc program number */
-};
-struct rpcent	*lwres_getrpcbyname();
-struct rpcent	*lwres_getrpcbynumber(),
-struct rpcent	*lwres_getrpcent();
-#endif /* __GNU_LIBRARY__ */
-#endif /* sun */
-#endif /* notyet */
-
-/*
- * Tell Emacs to use C mode on this file.
- * Local variables:
- * mode: c
- * End:
- */
-
-#endif /* LWRES_NETDB_H */
diff --git a/lib/bind/lwres/lwres/platform.h b/lib/bind/lwres/lwres/platform.h
deleted file mode 100644
index 608bb72..0000000
--- a/lib/bind/lwres/lwres/platform.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: platform.h.in,v 1.21 2007/06/19 23:47:23 tbox Exp $ */
-
-/*! \file */
-
-#ifndef LWRES_PLATFORM_H
-#define LWRES_PLATFORM_H 1
-
-/*****
- ***** Platform-dependent defines.
- *****/
-
-/***
- *** Network.
- ***/
-
-/*
- * Define if this system needs the <netinet/in6.h> header file for IPv6.
- */
-#undef LWRES_PLATFORM_NEEDNETINETIN6H
-
-/*
- * Define if this system needs the <netinet6/in6.h> header file for IPv6.
- */
-#undef LWRES_PLATFORM_NEEDNETINET6IN6H
-
-/*
- * If sockaddrs on this system have an sa_len field, LWRES_PLATFORM_HAVESALEN
- * will be defined.
- */
-#define LWRES_PLATFORM_HAVESALEN 1
-
-/*
- * If this system has the IPv6 structure definitions, LWRES_PLATFORM_HAVEIPV6
- * will be defined.
- */
-#define LWRES_PLATFORM_HAVEIPV6 1
-
-/*
- * If this system is missing in6addr_any, LWRES_PLATFORM_NEEDIN6ADDRANY will
- * be defined.
- */
-#undef LWRES_PLATFORM_NEEDIN6ADDRANY
-
-/*
- * If this system is missing in6addr_loopback, 
- * LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK will be defined.
- */
-#undef LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK
-
-/*
- * If this system has in_addr6, rather than in6_addr,
- * LWRES_PLATFORM_HAVEINADDR6 will be defined.
- */
-#undef LWRES_PLATFORM_HAVEINADDR6
-
-/*
- * Defined if unistd.h does not cause fd_set to be delared.
- */
-#undef LWRES_PLATFORM_NEEDSYSSELECTH
-
-/*
- * Used to control how extern data is linked; needed for Win32 platforms.
- */
-#undef LWRES_PLATFORM_USEDECLSPEC
-
-/*
- * Defined this system needs vsnprintf() and snprintf().
- */
-#undef LWRES_PLATFORM_NEEDVSNPRINTF
- 
-/*
- * If this system need a modern sprintf() that returns (int) not (char*).
- */
-#undef LWRES_PLATFORM_NEEDSPRINTF
-
-/*
- * The printf format string modifier to use with lwres_uint64_t values.
- */
-#define LWRES_PLATFORM_QUADFORMAT "ll"
-
-/*! \brief
- * Define if this system needs strtoul.
- */
-#undef LWRES_PLATFORM_NEEDSTRTOUL
-
-#ifndef LWRES_PLATFORM_USEDECLSPEC
-#define LIBLWRES_EXTERNAL_DATA
-#else
-#ifdef LIBLWRES_EXPORTS
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#endif
-
-/*
- * Tell Emacs to use C mode on this file.
- * Local Variables:
- * mode: c
- * End:
- */
-
-#endif /* LWRES_PLATFORM_H */
diff --git a/release/Makefile b/release/Makefile
index ffe78b0..4921a0c 100644
--- a/release/Makefile
+++ b/release/Makefile
@@ -142,8 +142,7 @@ bootonly: packagesystem
 	mkdir -p bootonly
 	cd ${WORLDDIR} && ${IMAKE} installkernel installworld distribution \
 	    DESTDIR=${.OBJDIR}/bootonly WITHOUT_AMD=1 WITHOUT_AT=1 \
-	    WITHOUT_BIND_DNSSEC=1 WITHOUT_BIND_ETC=1 WITHOUT_BIND_MTREE=1 \
-	    WITHOUT_BIND_NAMED=1 WITHOUT_GAMES=1 WITHOUT_GROFF=1 \
+	    WITHOUT_GAMES=1 WITHOUT_GROFF=1 \
 	    WITHOUT_INSTALLLIB=1 WITHOUT_LIB32=1 WITHOUT_MAIL=1 \
 	    WITHOUT_NCP=1 WITHOUT_TOOLCHAIN=1 WITHOUT_PROFILE=1 \
 	    WITHOUT_INSTALLIB=1 WITHOUT_RESCUE=1 WITHOUT_DICT=1 \
diff --git a/share/doc/Makefile b/share/doc/Makefile
index 3f36375..1ec57e8 100644
--- a/share/doc/Makefile
+++ b/share/doc/Makefile
@@ -5,7 +5,6 @@
 
 SUBDIR=	${_IPv6} \
 	${_atf} \
-	${_bind9} \
 	legal \
 	${_llvm} \
 	${_roffdocs}
@@ -14,10 +13,6 @@ SUBDIR=	${_IPv6} \
 _atf= atf
 .endif
 
-.if ${MK_BIND} != "no"
-_bind9=	bind9
-.endif
-
 .if ${MK_CLANG} != "no"
 _llvm=	llvm
 .endif
diff --git a/share/doc/bind9/Makefile b/share/doc/bind9/Makefile
deleted file mode 100644
index f215fe3..0000000
--- a/share/doc/bind9/Makefile
+++ /dev/null
@@ -1,32 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../../contrib/bind9
-SRCDIR=		${BIND_DIR}/doc
-
-.PATH: ${BIND_DIR} ${SRCDIR}/arm ${SRCDIR}/misc
-
-NO_OBJ=
-
-FILESGROUPS=	TOP ARM MISC
-TOP=		CHANGES COPYRIGHT FAQ HISTORY README
-TOPDIR=		${DOCDIR}/bind9
-ARM=		Bv9ARM.ch01.html Bv9ARM.ch02.html Bv9ARM.ch03.html \
-		Bv9ARM.ch04.html Bv9ARM.ch05.html Bv9ARM.ch06.html \
-		Bv9ARM.ch07.html Bv9ARM.ch08.html Bv9ARM.ch09.html \
-		Bv9ARM.ch10.html Bv9ARM.html Bv9ARM.pdf \
-		man.arpaname.html man.ddns-confgen.html man.dig.html \
-		man.dnssec-dsfromkey.html man.dnssec-keyfromlabel.html \
-		man.dnssec-keygen.html man.dnssec-revoke.html \
-		man.dnssec-settime.html man.dnssec-signzone.html \
-		man.dnssec-verify.html \
-		man.genrandom.html man.host.html man.isc-hmac-fixup.html \
-		man.named-checkconf.html man.named-checkzone.html \
-		man.named-journalprint.html man.named.html \
-		man.nsec3hash.html man.nsupdate.html \
-		man.rndc-confgen.html man.rndc.conf.html man.rndc.html
-ARMDIR=		${TOPDIR}/arm
-MISC=		dnssec format-options.pl ipv6 migration migration-4to9 \
-		options rfc-compliance roadmap sdb sort-options.pl
-MISCDIR=	${TOPDIR}/misc
-
-.include <bsd.prog.mk>
diff --git a/share/mk/bsd.libnames.mk b/share/mk/bsd.libnames.mk
index 0fa6b34..8ef6e7a 100644
--- a/share/mk/bsd.libnames.mk
+++ b/share/mk/bsd.libnames.mk
@@ -19,10 +19,6 @@ LIBATM?=	${DESTDIR}${LIBDIR}/libatm.a
 LIBAUDITD?=	${DESTDIR}${LIBDIR}/libauditd.a
 LIBAVL?=	${DESTDIR}${LIBDIR}/libavl.a
 LIBBEGEMOT?=	${DESTDIR}${LIBDIR}/libbegemot.a
-.if ${MK_BIND_LIBS} != "no"
-LIBBIND?=	${DESTDIR}${LIBDIR}/libbind.a
-LIBBIND9?=	${DESTDIR}${LIBDIR}/libbind9.a
-.endif
 LIBBLUETOOTH?=	${DESTDIR}${LIBDIR}/libbluetooth.a
 LIBBSDXML?=	${DESTDIR}${LIBDIR}/libbsdxml.a
 LIBBSDYML?=	${DESTDIR}${LIBDIR}/libbsdyml.a
@@ -74,11 +70,6 @@ LIBIPSEC?=	${DESTDIR}${LIBDIR}/libipsec.a
 .if ${MK_IPX} != "no"
 LIBIPX?=	${DESTDIR}${LIBDIR}/libipx.a
 .endif
-.if ${MK_BIND_LIBS} != "no"
-LIBISC?=	${DESTDIR}${LIBDIR}/libisc.a
-LIBISCCC?=	${DESTDIR}${LIBDIR}/libisccc.a
-LIBISCCFG?=	${DESTDIR}${LIBDIR}/libisccfg.a
-.endif
 LIBJAIL?=	${DESTDIR}${LIBDIR}/libjail.a
 LIBKADM5CLNT?=	${DESTDIR}${LIBDIR}/libkadm5clnt.a
 LIBKADM5SRV?=	${DESTDIR}${LIBDIR}/libkadm5srv.a
@@ -93,9 +84,6 @@ LIBL?=		${DESTDIR}${LIBDIR}/libl.a
 LIBLDNS?=	${DESTDIR}${LIBPRIVATEDIR}/libldns.a
 .endif
 LIBLN?=		"don't use LIBLN, use LIBL"
-.if ${MK_BIND} != "no"
-LIBLWRES?=	${DESTDIR}${LIBDIR}/liblwres.a
-.endif
 LIBLZMA?=	${DESTDIR}${LIBDIR}/liblzma.a
 LIBM?=		${DESTDIR}${LIBDIR}/libm.a
 LIBMAGIC?=	${DESTDIR}${LIBDIR}/libmagic.a
diff --git a/share/mk/bsd.own.mk b/share/mk/bsd.own.mk
index 74764c7..a1b6c44 100644
--- a/share/mk/bsd.own.mk
+++ b/share/mk/bsd.own.mk
@@ -255,12 +255,6 @@ __DEFAULT_YES_OPTIONS = \
     ATM \
     AUDIT \
     AUTHPF \
-    BIND_DNSSEC \
-    BIND_ETC \
-    BIND_LIBS_LWRES \
-    BIND_MTREE \
-    BIND_NAMED \
-    BIND_UTILS \
     BINUTILS \
     BLUETOOTH \
     BMAKE \
@@ -367,12 +361,6 @@ __DEFAULT_YES_OPTIONS = \
     ZONEINFO
 
 __DEFAULT_NO_OPTIONS = \
-    BIND \
-    BIND_IDN \
-    BIND_LARGE_FILE \
-    BIND_LIBS \
-    BIND_SIGCHASE \
-    BIND_XML \
     BSD_GREP \
     CLANG_EXTRAS \
     CTF \
@@ -503,20 +491,6 @@ MK_${var}:=	no
 MK_LIBTHR:=	no
 .endif
 
-.if ${MK_LIBTHR} == "no"
-MK_BIND:=	no
-.endif
-
-.if ${MK_BIND} == "no"
-MK_BIND_DNSSEC:= no
-MK_BIND_ETC:=	no
-MK_BIND_LIBS:=	no
-MK_BIND_LIBS_LWRES:= no
-MK_BIND_MTREE:=	no
-MK_BIND_NAMED:=	no
-MK_BIND_UTILS:=	no
-.endif
-
 .if ${MK_ICONV} == "no"
 MK_LIBICONV_COMPAT:=	no
 .endif
@@ -526,14 +500,6 @@ MK_LDNS_UTILS:=	no
 MK_UNBOUND:= no
 .endif
 
-.if ${MK_LDNS_UTILS} != "no"
-MK_BIND_UTILS:=	no
-.endif
-
-.if ${MK_BIND_MTREE} == "no"
-MK_BIND_ETC:=	no
-.endif
-
 .if ${MK_SOURCELESS} == "no"
 MK_SOURCELESS_HOST:=	no
 MK_SOURCELESS_UCODE:= no
diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc
index e32d334..dada14d 100644
--- a/tools/build/mk/OptionalObsoleteFiles.inc
+++ b/tools/build/mk/OptionalObsoleteFiles.inc
@@ -211,254 +211,6 @@ OLD_FILES+=usr/share/man/man8/authpf.8.gz
 OLD_FILES+=usr/share/man/man8/authpf-noip.8.gz
 .endif
 
-.if ${MK_BIND} == no
-OLD_FILES+=etc/periodic/daily/470.status-named
-OLD_FILES+=usr/bin/dig
-OLD_FILES+=usr/bin/nslookup
-OLD_FILES+=usr/bin/nsupdate
-OLD_FILES+=usr/include/lwres/context.h
-OLD_FILES+=usr/include/lwres/int.h
-OLD_FILES+=usr/include/lwres/ipv6.h
-OLD_FILES+=usr/include/lwres/lang.h
-OLD_FILES+=usr/include/lwres/list.h
-OLD_FILES+=usr/include/lwres/lwbuffer.h
-OLD_FILES+=usr/include/lwres/lwpacket.h
-OLD_FILES+=usr/include/lwres/lwres.h
-OLD_FILES+=usr/include/lwres/result.h
-OLD_FILES+=usr/include/lwres/version.h
-OLD_FILES+=usr/include/lwres/net.h
-OLD_FILES+=usr/include/lwres/netdb.h
-OLD_FILES+=usr/include/lwres/platform.h
-OLD_DIRS+=usr/include/lwres
-OLD_FILES+=usr/lib/liblwres.a
-OLD_FILES+=usr/lib/liblwres_p.a
-OLD_LIBS+=usr/lib/liblwres.so.50
-OLD_FILES+=usr/lib/liblwres.so
-OLD_FILES+=usr/sbin/arpaname
-OLD_FILES+=usr/sbin/ddns-confgen
-OLD_FILES+=usr/sbin/genrandom
-OLD_FILES+=usr/sbin/isc-hmac-fixup
-OLD_FILES+=usr/sbin/nsec3hash
-OLD_FILES+=usr/sbin/named
-OLD_FILES+=usr/sbin/lwresd
-OLD_FILES+=usr/sbin/named-checkconf
-OLD_FILES+=usr/sbin/named-checkzone
-OLD_FILES+=usr/sbin/named-compilezone
-OLD_FILES+=usr/sbin/named-journalprint
-OLD_FILES+=usr/sbin/named.reload
-OLD_FILES+=usr/sbin/named.reconfig
-OLD_FILES+=usr/sbin/rndc
-OLD_FILES+=usr/sbin/rndc-confgen
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch01.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch02.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch03.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch04.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch05.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch06.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch07.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch08.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch09.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch10.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.html
-OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.pdf
-OLD_FILES+=usr/share/doc/bind9/arm/man.arpaname.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.ddns-confgen.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.dig.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-dsfromkey.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-keyfromlabel.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-keygen.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-revoke.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-settime.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-signzone.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-verify.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.genrandom.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.host.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.isc-hmac-fixup.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.named-checkconf.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.named-checkzone.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.named-journalprint.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.named.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.nsec3hash.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.nsupdate.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.rndc-confgen.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.rndc.conf.html
-OLD_FILES+=usr/share/doc/bind9/arm/man.rndc.html
-OLD_DIRS+=usr/share/doc/bind9/arm
-OLD_FILES+=usr/share/doc/bind9/misc
-OLD_FILES+=usr/share/doc/bind9/misc/dnssec
-OLD_FILES+=usr/share/doc/bind9/misc/format-options.pl
-OLD_FILES+=usr/share/doc/bind9/misc/ipv6
-OLD_FILES+=usr/share/doc/bind9/misc/migration
-OLD_FILES+=usr/share/doc/bind9/misc/migration-4to9
-OLD_FILES+=usr/share/doc/bind9/misc/options
-OLD_FILES+=usr/share/doc/bind9/misc/rfc-compliance
-OLD_FILES+=usr/share/doc/bind9/misc/roadmap
-OLD_FILES+=usr/share/doc/bind9/misc/sdb
-OLD_FILES+=usr/share/doc/bind9/misc/sort-options.pl
-OLD_DIRS+=usr/share/doc/bind9/misc
-OLD_DIRS+=usr/share/doc/bind9
-OLD_FILES+=usr/share/doc/bind9/CHANGES
-OLD_FILES+=usr/share/doc/bind9/COPYRIGHT
-OLD_FILES+=usr/share/doc/bind9/FAQ
-OLD_FILES+=usr/share/doc/bind9/HISTORY
-OLD_FILES+=usr/share/doc/bind9/README
-OLD_FILES+=usr/share/man/man1/arpaname.1.gz
-OLD_FILES+=usr/share/man/man1/dig.1.gz
-OLD_FILES+=usr/share/man/man1/nslookup.1.gz
-OLD_FILES+=usr/share/man/man1/nsupdate.1.gz
-OLD_FILES+=usr/share/man/man3/lwres.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_config.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_context.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gabn.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gai_strerror.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_getaddrinfo.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gethostent.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_getipnode.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_getnameinfo.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_getrrsetbyname.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gnba.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_inetntop.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_hstrerror.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_noop.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_packet.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_resutil.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_add.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_back.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_clear.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_first.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_forward.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_getmem.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_getuint16.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_getuint32.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_getuint8.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_init.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_invalidate.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_putmem.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_putuint16.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_putuint32.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_putuint8.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_buffer_subtract.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_conf_clear.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_conf_get.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_conf_init.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_conf_parse.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_conf_print.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_context_allocmem.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_context_create.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_context_destroy.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_context_freemem.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_freeaddrinfo.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_context_initserial.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_context_nextserial.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_context_sendrecv.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gabnrequest_free.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gabnrequest_parse.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gabnrequest_render.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gabnresponse_free.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gabnresponse_parse.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gabnresponse_render.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_endhostent.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_endhostent_r.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gethostbyaddr.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gethostbyaddr_r.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gethostbyname.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gethostbyname2.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gethostbyname_r.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gethostent_r.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_sethostent.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_sethostent_r.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_freehostent.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_getipnodebyaddr.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_getipnodebyname.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gnbarequest_free.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gnbarequest_parse.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gnbarequest_render.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gnbaresponse_free.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gnbaresponse_parse.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_gnbaresponse_render.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_herror.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_net_ntop.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_nooprequest_free.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_nooprequest_parse.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_nooprequest_render.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_noopresponse_free.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_noopresponse_parse.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_noopresponse_render.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_lwpacket_parseheader.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_lwpacket_renderheader.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_addr_parse.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_getaddrsbyname.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_getnamebyaddr.3.gz
-OLD_FILES+=usr/share/man/man3/lwres_string_parse.3.gz
-OLD_FILES+=usr/share/man/man5/named.conf.5.gz
-OLD_FILES+=usr/share/man/man5/rndc.conf.5.gz
-OLD_FILES+=usr/share/man/man8/ddns-confgen.8.gz
-OLD_FILES+=usr/share/man/man8/genrandom.8.gz
-OLD_FILES+=usr/share/man/man8/isc-hmac-fixup.8.gz
-OLD_FILES+=usr/share/man/man8/named-checkconf.8.gz
-OLD_FILES+=usr/share/man/man8/named-checkzone.8.gz
-OLD_FILES+=usr/share/man/man8/named-compilezone.8.gz
-OLD_FILES+=usr/share/man/man8/named-journalprint.8.gz
-OLD_FILES+=usr/share/man/man8/named.reload.8.gz
-OLD_FILES+=usr/share/man/man8/named.reconfig.8.gz
-OLD_FILES+=usr/share/man/man8/named.8.gz
-OLD_FILES+=usr/share/man/man8/nsec3hash.8.gz
-OLD_FILES+=usr/share/man/man8/lwresd.8.gz
-OLD_FILES+=usr/share/man/man8/rndc.8.gz
-OLD_FILES+=usr/share/man/man8/rndc-confgen.8.gz
-OLD_DIRS+=var/named/dev
-OLD_DIRS+=var/named/var/stats
-OLD_DIRS+=var/named/var/run/named
-OLD_DIRS+=var/named/var/run
-OLD_DIRS+=var/named/var/log
-OLD_DIRS+=var/named/var/dump
-OLD_DIRS+=var/named/var
-.endif
-
-.if ${MK_BIND_DNSSEC} == no || ${MK_BIND} == no
-OLD_FILES+=usr/sbin/dnssec-dsfromkey
-OLD_FILES+=usr/sbin/dnssec-keyfromlabel
-OLD_FILES+=usr/sbin/dnssec-keygen
-OLD_FILES+=usr/sbin/dnssec-revoke
-OLD_FILES+=usr/sbin/dnssec-settime
-OLD_FILES+=usr/sbin/dnssec-signzone
-OLD_FILES+=usr/share/man/man8/dnssec-dsfromkey.8.gz
-OLD_FILES+=usr/share/man/man8/dnssec-keyfromlabel.8.gz
-OLD_FILES+=usr/share/man/man8/dnssec-keygen.8.gz
-OLD_FILES+=usr/share/man/man8/dnssec-revoke.8.gz
-OLD_FILES+=usr/share/man/man8/dnssec-settime.8.gz
-OLD_FILES+=usr/share/man/man8/dnssec-signzone.8.gz
-.endif
-
-.if ${MK_BIND_ETC} == no || ${MK_BIND} == no
-OLD_FILES+=var/named/etc/namedb/PROTO.localhost-v6.rev
-OLD_FILES+=var/named/etc/namedb/PROTO.localhost.rev
-OLD_FILES+=var/named/etc/namedb/make-localhost
-#OLD_FILES+=var/named/etc/namedb/named.conf	# intentionally left out
-OLD_FILES+=var/named/etc/namedb/named.root
-OLD_FILES+=var/named/etc/namedb/master/empty.db
-OLD_FILES+=var/named/etc/namedb/master/localhost-forward.db
-OLD_FILES+=var/named/etc/namedb/master/localhost-reverse.db
-OLD_DIRS+=var/named/etc/namedb/slave
-OLD_DIRS+=var/named/etc/namedb/master
-OLD_DIRS+=var/named/etc/namedb/dynamic
-#OLD_DIRS+=var/named/etc/namedb
-#OLD_DIRS+=var/named/etc
-.endif
-
-#.if ${MK_BIND_LIBS} == no || ${MK_BIND} == no
-# to be filled in and removed above
-#.endif
-
-#.if ${MK_BIND_LIBS_LWRES} == no || ${MK_BIND} == no
-# to be filled in and removed above
-#.endif
-
-#.if ${MK_BIND_NAMED} == no || ${MK_BIND} == no
-# to be filled in and removed above
-#.endif
-
 .if ${MK_BLUETOOTH} == no
 OLD_FILES+=etc/bluetooth/hcsecd.conf
 OLD_FILES+=etc/bluetooth/hosts
@@ -3452,11 +3204,9 @@ OLD_FILES+=usr/lib32/private/libldns_p.a
 .if ${MK_LDNS_UTILS} == no
 OLD_FILES+=usr/bin/drill
 OLD_FILES+=usr/share/man/man1/drill.1.gz
-.if ${MK_BIND} == no
 OLD_FILES+=usr/bin/host
 OLD_FILES+=usr/share/man/man1/host.1.gz
 .endif
-.endif
 
 #.if ${MK_LIB32} == no
 # to be filled in
diff --git a/tools/build/options/WITHOUT_BIND_DNSSEC b/tools/build/options/WITHOUT_BIND_DNSSEC
deleted file mode 100644
index 12d0b5f..0000000
--- a/tools/build/options/WITHOUT_BIND_DNSSEC
+++ /dev/null
@@ -1,5 +0,0 @@
-.\" $FreeBSD$
-Set to avoid building or installing the DNSSEC related binaries,
-.Xr dnssec-keygen 8
-and
-.Xr dnssec-signzone 8 .
diff --git a/tools/build/options/WITHOUT_BIND_ETC b/tools/build/options/WITHOUT_BIND_ETC
deleted file mode 100644
index 48a2a7e..0000000
--- a/tools/build/options/WITHOUT_BIND_ETC
+++ /dev/null
@@ -1,3 +0,0 @@
-.\" $FreeBSD$
-Set to avoid installing the default files to
-.Pa /var/named/etc/namedb .
diff --git a/tools/build/options/WITHOUT_BIND_LIBS_LWRES b/tools/build/options/WITHOUT_BIND_LIBS_LWRES
deleted file mode 100644
index b4c9d4c..0000000
--- a/tools/build/options/WITHOUT_BIND_LIBS_LWRES
+++ /dev/null
@@ -1,3 +0,0 @@
-.\" $FreeBSD$
-Set to avoid installing the lightweight resolver library in
-.Pa /usr/lib .
diff --git a/tools/build/options/WITHOUT_BIND_MTREE b/tools/build/options/WITHOUT_BIND_MTREE
deleted file mode 100644
index 84b2512..0000000
--- a/tools/build/options/WITHOUT_BIND_MTREE
+++ /dev/null
@@ -1,8 +0,0 @@
-.\" $FreeBSD$
-Set to avoid running
-.Xr mtree 8
-to create the chroot directory structure under
-.Pa /var/named ,
-and avoid creating an
-.Pa /etc/namedb
-symlink to the chroot directory.
diff --git a/tools/build/options/WITHOUT_BIND_NAMED b/tools/build/options/WITHOUT_BIND_NAMED
deleted file mode 100644
index fddc005..0000000
--- a/tools/build/options/WITHOUT_BIND_NAMED
+++ /dev/null
@@ -1,9 +0,0 @@
-.\" $FreeBSD$
-Set to avoid building or installing
-.Xr named 8 ,
-.Xr named.reload 8 ,
-.Xr named-checkconf 8 ,
-.Xr named-checkzone 8 ,
-.Xr rndc 8 ,
-and
-.Xr rndc-confgen 8 .
diff --git a/tools/build/options/WITHOUT_BIND_UTILS b/tools/build/options/WITHOUT_BIND_UTILS
deleted file mode 100644
index 0269590..0000000
--- a/tools/build/options/WITHOUT_BIND_UTILS
+++ /dev/null
@@ -1,7 +0,0 @@
-.\" $FreeBSD$
-Set to avoid building or installing the BIND userland utilities,
-.Xr dig 1 ,
-.Xr host 1 ,
-.Xr nslookup 1 ,
-and
-.Xr nsupdate 8 .
diff --git a/tools/build/options/WITH_BIND b/tools/build/options/WITH_BIND
deleted file mode 100644
index e3f70e1..0000000
--- a/tools/build/options/WITH_BIND
+++ /dev/null
@@ -1,2 +0,0 @@
-.\" $FreeBSD$
-Setting this variable will enable BIND.
diff --git a/tools/build/options/WITH_BIND_IDN b/tools/build/options/WITH_BIND_IDN
deleted file mode 100644
index 35d6628..0000000
--- a/tools/build/options/WITH_BIND_IDN
+++ /dev/null
@@ -1,3 +0,0 @@
-.\" $FreeBSD$
-Set to enable IDN support for dig, host, and nslookup.
-This requires ports/dns/idnkit to be installed in /usr/local.
diff --git a/tools/build/options/WITH_BIND_LARGE_FILE b/tools/build/options/WITH_BIND_LARGE_FILE
deleted file mode 100644
index 00e48eb..0000000
--- a/tools/build/options/WITH_BIND_LARGE_FILE
+++ /dev/null
@@ -1,2 +0,0 @@
-.\" $FreeBSD$
-Set to enable 64-bit file support.
diff --git a/tools/build/options/WITH_BIND_LIBS b/tools/build/options/WITH_BIND_LIBS
deleted file mode 100644
index 92312c8..0000000
--- a/tools/build/options/WITH_BIND_LIBS
+++ /dev/null
@@ -1,2 +0,0 @@
-.\" $FreeBSD$
-Set to install BIND libraries and include files.
diff --git a/tools/build/options/WITH_BIND_SIGCHASE b/tools/build/options/WITH_BIND_SIGCHASE
deleted file mode 100644
index 889e6ec..0000000
--- a/tools/build/options/WITH_BIND_SIGCHASE
+++ /dev/null
@@ -1,2 +0,0 @@
-.\" $FreeBSD$
-Set to enable DNSSEC validation support for dig, host, and nslookup.
diff --git a/tools/build/options/WITH_BIND_XML b/tools/build/options/WITH_BIND_XML
deleted file mode 100644
index 67ba3a5..0000000
--- a/tools/build/options/WITH_BIND_XML
+++ /dev/null
@@ -1,3 +0,0 @@
-.\" $FreeBSD$
-Set to enable the http statistics interface for named.
-This requires ports/textproc/libxml2 to be installed in /usr/local.
diff --git a/usr.bin/Makefile b/usr.bin/Makefile
index 6852c7a..985c2df 100644
--- a/usr.bin/Makefile
+++ b/usr.bin/Makefile
@@ -218,13 +218,6 @@ _atf=		atf
 SUBDIR+=	atm
 .endif
 
-.if ${MK_BIND_UTILS} != "no"
-SUBDIR+=	dig
-SUBDIR+=	host
-SUBDIR+=	nslookup
-SUBDIR+=	nsupdate
-.endif
-
 .if ${MK_BLUETOOTH} != "no"
 SUBDIR+=	bluetooth
 .endif
diff --git a/usr.bin/host/Makefile b/usr.bin/host/Makefile
index 25dfd2d..5962454 100644
--- a/usr.bin/host/Makefile
+++ b/usr.bin/host/Makefile
@@ -1,9 +1,5 @@
 # $FreeBSD$
 
-.include <bsd.own.mk>
-
-.if ${MK_LDNS_UTILS} != "no"
-
 LDNSDIR=	${.CURDIR}/../../contrib/ldns
 LDNSHOSTDIR=	${.CURDIR}/../../contrib/ldns-host
 
@@ -22,28 +18,4 @@ DPADD+=		${LIBLDNS} ${LIBCRYPTO}
 LDADD+=		-lldns -lcrypto
 USEPRIVATELIB=	ldns
 
-.else
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/dig
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		host
-
-.PATH: ${SRCDIR}
-SRCS+=		dighost.c host.c
-
-CFLAGS+=	-I${SRCDIR}/include
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-
-WARNS?=		0
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-.endif
-
 .include <bsd.prog.mk>
diff --git a/usr.bin/nslookup/Makefile b/usr.bin/nslookup/Makefile
deleted file mode 100644
index 4ed0e92..0000000
--- a/usr.bin/nslookup/Makefile
+++ /dev/null
@@ -1,25 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/dig
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		nslookup
-
-.PATH: ${SRCDIR}
-SRCS+=		dighost.c nslookup.c
-
-CFLAGS+=	-I${SRCDIR}/include -ledit
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD} ${LIBEDIT}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD} ${LIBEDIT}
-
-WARNS?=		0
-
-MANFILTER=	sed -e "s@^host \[server\]@\\\fBhost\\\fR \\\fI[server]\\\fR@"
-
-.include <bsd.prog.mk>
diff --git a/usr.bin/nsupdate/Makefile b/usr.bin/nsupdate/Makefile
deleted file mode 100644
index 593d589..0000000
--- a/usr.bin/nsupdate/Makefile
+++ /dev/null
@@ -1,29 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/nsupdate
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		nsupdate
-
-.PATH: ${SRCDIR}
-SRCS+=		nsupdate.c
-
-CFLAGS+=	-I${SRCDIR}/include -ledit
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-CFLAGS+=	-DSESSION_KEYFILE=\"/var/run/named/session.key\"
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD} ${LIBEDIT}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD} ${LIBEDIT}
-
-WARNS?=		1
-
-MAN=		nsupdate.1
-
-MANFILTER=	sed -e "s@/etc/named\.conf@/etc/namedb/named.conf@g" \
-		-e "s@^\.HP [0-9]* @@"
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index 102593b..ba44cd3 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -124,29 +124,6 @@ SUBDIR+=	praudit
 SUBDIR+=	authpf
 .endif
 
-.if ${MK_BIND_DNSSEC} != "no" && ${MK_OPENSSL} != "no"
-SUBDIR+=	dnssec-dsfromkey
-SUBDIR+=	dnssec-keyfromlabel
-SUBDIR+=	dnssec-keygen
-SUBDIR+=	dnssec-revoke
-SUBDIR+=	dnssec-settime
-SUBDIR+=	dnssec-signzone
-SUBDIR+=	dnssec-verify
-.endif
-.if ${MK_BIND_NAMED} != "no"
-SUBDIR+=	arpaname
-SUBDIR+=	ddns-confgen
-SUBDIR+=	genrandom
-SUBDIR+=	isc-hmac-fixup
-SUBDIR+=	named
-SUBDIR+=	named-checkconf
-SUBDIR+=	named-checkzone
-SUBDIR+=	named-journalprint
-SUBDIR+=	nsec3hash
-SUBDIR+=	rndc
-SUBDIR+=	rndc-confgen
-.endif
-
 .if ${MK_BLUETOOTH} != "no"
 SUBDIR+=	bluetooth
 .endif
diff --git a/usr.sbin/arpaname/Makefile b/usr.sbin/arpaname/Makefile
deleted file mode 100644
index 145d18a..0000000
--- a/usr.sbin/arpaname/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/tools
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		arpaname
-
-.PATH: ${SRCDIR}
-SRCS+=		arpaname.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		arpaname.1
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/ddns-confgen/Makefile b/usr.sbin/ddns-confgen/Makefile
deleted file mode 100644
index a33bea3..0000000
--- a/usr.sbin/ddns-confgen/Makefile
+++ /dev/null
@@ -1,31 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/confgen
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		ddns-confgen
-
-.PATH: ${SRCDIR}/unix
-SRCS+=		os.c
-
-.PATH: ${SRCDIR}
-SRCS+=		ddns-confgen.c keygen.c util.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include -I${LIB_BIND_DIR}
-
-WARNS?=		3
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-MAN=		ddns-confgen.8
-
-MANFILTER=	sed -e 's@fI/etc\\fR.*@fI/etc/namedb\\fR@' \
-		-e '/^sysconfdir$$/d' \
-		-e '/was specified as when BIND was built)/d'
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/dnssec-dsfromkey/Makefile b/usr.sbin/dnssec-dsfromkey/Makefile
deleted file mode 100644
index 0b57eb5..0000000
--- a/usr.sbin/dnssec-dsfromkey/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/dnssec
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		dnssec-dsfromkey
-
-.PATH: ${SRCDIR}
-SRCS+=		dnssec-dsfromkey.c dnssectool.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		dnssec-dsfromkey.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/dnssec-keyfromlabel/Makefile b/usr.sbin/dnssec-keyfromlabel/Makefile
deleted file mode 100644
index fd6a341..0000000
--- a/usr.sbin/dnssec-keyfromlabel/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/dnssec
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		dnssec-keyfromlabel
-
-.PATH: ${SRCDIR}
-SRCS+=		dnssec-keyfromlabel.c dnssectool.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		dnssec-keyfromlabel.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/dnssec-keygen/Makefile b/usr.sbin/dnssec-keygen/Makefile
deleted file mode 100644
index 1bdf0c0..0000000
--- a/usr.sbin/dnssec-keygen/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/dnssec
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		dnssec-keygen
-
-.PATH: ${SRCDIR}
-SRCS+=		dnssec-keygen.c dnssectool.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		dnssec-keygen.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/dnssec-revoke/Makefile b/usr.sbin/dnssec-revoke/Makefile
deleted file mode 100644
index 7889d96..0000000
--- a/usr.sbin/dnssec-revoke/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/dnssec
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		dnssec-revoke
-
-.PATH: ${SRCDIR}
-SRCS+=		dnssec-revoke.c dnssectool.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		dnssec-revoke.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/dnssec-settime/Makefile b/usr.sbin/dnssec-settime/Makefile
deleted file mode 100644
index 4ab7fb5..0000000
--- a/usr.sbin/dnssec-settime/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/dnssec
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		dnssec-settime
-
-.PATH: ${SRCDIR}
-SRCS+=		dnssec-settime.c dnssectool.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		dnssec-settime.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/dnssec-signzone/Makefile b/usr.sbin/dnssec-signzone/Makefile
deleted file mode 100644
index 7f56b8d..0000000
--- a/usr.sbin/dnssec-signzone/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/dnssec
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		dnssec-signzone
-
-.PATH: ${SRCDIR}
-SRCS+=		dnssec-signzone.c dnssectool.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		2
-
-MAN=		dnssec-signzone.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/dnssec-verify/Makefile b/usr.sbin/dnssec-verify/Makefile
deleted file mode 100644
index 1d1dc9d..0000000
--- a/usr.sbin/dnssec-verify/Makefile
+++ /dev/null
@@ -1,25 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/dnssec
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		dnssec-verify
-
-.PATH: ${SRCDIR}
-SRCS+=		dnssec-verify.c dnssectool.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-CFLAGS+=	-fsigned-char
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		dnssec-verify.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/genrandom/Makefile b/usr.sbin/genrandom/Makefile
deleted file mode 100644
index 975d84b..0000000
--- a/usr.sbin/genrandom/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/tools
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		genrandom
-
-.PATH: ${SRCDIR}
-SRCS+=		genrandom.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		genrandom.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/isc-hmac-fixup/Makefile b/usr.sbin/isc-hmac-fixup/Makefile
deleted file mode 100644
index 1313855..0000000
--- a/usr.sbin/isc-hmac-fixup/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/tools
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		isc-hmac-fixup
-
-.PATH: ${SRCDIR}
-SRCS+=		isc-hmac-fixup.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		isc-hmac-fixup.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/named-checkconf/Makefile b/usr.sbin/named-checkconf/Makefile
deleted file mode 100644
index abee068..0000000
--- a/usr.sbin/named-checkconf/Makefile
+++ /dev/null
@@ -1,27 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/check
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		named-checkconf
-
-.PATH: ${SRCDIR}
-SRCS+=		named-checkconf.c check-tool.c
-
-CFLAGS+=	-I${LIB_BIND_DIR}
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-
-WARNS?=		3
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-MAN=		named-checkconf.8
-
-MANFILTER=	sed -e "s@/etc/named\.conf@/etc/namedb/named.conf@g"
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/named-checkzone/Makefile b/usr.sbin/named-checkzone/Makefile
deleted file mode 100644
index 05cc9f2..0000000
--- a/usr.sbin/named-checkzone/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/check
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		named-checkzone
-
-.PATH: ${SRCDIR}
-SRCS+=		named-checkzone.c check-tool.c
-
-CFLAGS+=	-I${LIB_BIND_DIR}
-
-WARNS?=		3
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-LINKS=		${BINDIR}/named-checkzone ${BINDIR}/named-compilezone
-
-MAN=		named-checkzone.8
-
-MLINKS=		named-checkzone.8 named-compilezone.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/named-journalprint/Makefile b/usr.sbin/named-journalprint/Makefile
deleted file mode 100644
index cdf4016..0000000
--- a/usr.sbin/named-journalprint/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/tools
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		named-journalprint
-
-.PATH: ${SRCDIR}
-SRCS+=		named-journalprint.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		3
-
-MAN=		named-journalprint.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/named/Makefile b/usr.sbin/named/Makefile
deleted file mode 100644
index f092880..0000000
--- a/usr.sbin/named/Makefile
+++ /dev/null
@@ -1,68 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/named
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		named
-
-CONFIGARGS='--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifaddrs' '--disable-linux-caps' '--with-openssl=/usr' '--with-randomdev=/dev/random'
-
-# Optional features
-.if ${MK_BIND_LARGE_FILE} == "yes"
-CONFIGARGS+='--enable-largefile'
-.endif
-.if ${MK_BIND_SIGCHASE} == "yes"
-CONFIGARGS+='STD_CDEFINES=-DDIG_SIGCHASE=1'
-.endif
-.if ${MK_BIND_IDN} == "yes"
-CONFIGARGS+='--with-idn=/usr/local'
-.else
-CONFIGARGS+='--without-idn'
-.endif
-.if ${MK_BIND_XML} == "yes"
-CONFIGARGS+='--with-libxml2=/usr/local'
-.else
-CONFIGARGS+='--without-libxml2'
-.endif
-
-.PATH: ${SRCDIR}/unix
-SRCS+=		os.c dlz_dlopen_driver.c
-
-.PATH: ${SRCDIR}
-SRCS+=		builtin.c client.c config.c control.c \
-		controlconf.c interfacemgr.c \
-		listenlist.c log.c logconf.c main.c notify.c \
-		query.c server.c sortlist.c statschannel.c \
-		tkeyconf.c tsigconf.c update.c xfrout.c \
-		zoneconf.c \
-		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
-		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
-
-CFLAGS+=	-DCONFIGARGS="\"${CONFIGARGS}\"" \
-		-DPRODUCT=\"${PRODUCT}\" \
-		-DDESCRIPTION=\"${DESCRIPTION}\" \
-		-DSRCID=\"${SRCID}\"
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include -I${LIB_BIND_DIR}
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-
-# Remove the date stamp to make it more obvious when real changes happen
-CFLAGS+=	-DNO_VERSION_DATE
-
-WARNS?=		0
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-MAN=		named.8 lwresd.8 named.conf.5
-
-MANFILTER=	sed -e "s@/etc/named\.conf@/etc/namedb/named.conf@g" \
-		-e "s@/var\/run\/named\/named.pid@/var/run/named/pid@"
-
-LINKS=		${BINDIR}/named ${BINDIR}/lwresd
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/nsec3hash/Makefile b/usr.sbin/nsec3hash/Makefile
deleted file mode 100644
index 6dbea09..0000000
--- a/usr.sbin/nsec3hash/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/tools
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		nsec3hash
-
-.PATH: ${SRCDIR}
-SRCS+=		nsec3hash.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-WARNS?=		2
-
-MAN=		nsec3hash.8
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/rndc-confgen/Makefile b/usr.sbin/rndc-confgen/Makefile
deleted file mode 100644
index 2474920..0000000
--- a/usr.sbin/rndc-confgen/Makefile
+++ /dev/null
@@ -1,31 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/confgen
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		rndc-confgen
-
-.PATH: ${SRCDIR}/unix
-SRCS+=		os.c
-
-.PATH: ${SRCDIR}
-SRCS+=		rndc-confgen.c keygen.c util.c
-
-CFLAGS+=	-I${SRCDIR}/unix/include -I${SRCDIR}/include -I${LIB_BIND_DIR}
-
-WARNS?=		3
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-MAN=		rndc-confgen.8
-
-MANFILTER=	sed -e 's@fI/etc\\fR.*@fI/etc/namedb\\fR@' \
-		-e '/^sysconfdir$$/d' \
-		-e '/was specified as when BIND was built)/d'
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/rndc/Makefile b/usr.sbin/rndc/Makefile
deleted file mode 100644
index 66d8452..0000000
--- a/usr.sbin/rndc/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-# $FreeBSD$
-
-BIND_DIR=	${.CURDIR}/../../contrib/bind9
-LIB_BIND_REL=	../../lib/bind
-LIB_BIND_DIR=	${.CURDIR}/${LIB_BIND_REL}
-SRCDIR=		${BIND_DIR}/bin/rndc
-
-.include	"${LIB_BIND_DIR}/config.mk"
-
-PROG=		rndc
-
-.PATH: ${SRCDIR}
-SRCS+=		rndc.c util.c
-
-CFLAGS+=	-I${SRCDIR}/include -I${LIB_BIND_DIR}
-CFLAGS+=	-I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
-
-WARNS?=		3
-
-DPADD+=		${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
-LDADD+=		${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
-
-MAN=		rndc.8 rndc.conf.5
-
-MANFILTER=	sed -e "s@/etc/rndc\.conf@/etc/namedb/rndc.conf@g" \
-		-e "s@/etc/rndc\.key@/etc/namedb/rndc.key@g"
-
-.include <bsd.prog.mk>